From: Simon Schubert Date: Sun, 23 Aug 2009 16:47:03 +0000 (+0200) Subject: remove kerberos/heimdal X-Git-Url: https://gitweb.dragonflybsd.org/~lentferj/dragonfly.git/commitdiff_plain/32c20b8bc9fa719e28261785ea6e03baa6ae3b2b remove kerberos/heimdal --- diff --git a/Makefile.inc1 b/Makefile.inc1 index 2aac0654c8..d05dfc0053 100644 --- a/Makefile.inc1 +++ b/Makefile.inc1 @@ -53,10 +53,6 @@ SUBDIR+= games .if exists(${.CURDIR}/gnu) SUBDIR+= gnu .endif -.if exists(${.CURDIR}/kerberos5) && exists(${.CURDIR}/crypto) && \ - !defined(NO_CRYPT) && !defined(NO_OPENSSL) && defined(WANT_KERBEROS) -SUBDIR+= kerberos5 -.endif .if exists(${.CURDIR}/libexec) SUBDIR+= libexec .endif @@ -791,12 +787,6 @@ _gcc44_tools= gnu/usr.bin/cc44/cc_prep gnu/usr.bin/cc44/cc_tools _custom_cross= libexec/customcc _binutils= gnu/usr.bin/binutils217 -.if exists(${.CURDIR}/kerberos5) && exists(${.CURDIR}/crypto) && \ - !defined(NO_CRYPT) && defined(WANT_KERBEROS) -_libkrb5= kerberos5/tools kerberos5/lib/libroken kerberos5/lib/libvers \ - kerberos5/lib/libasn1 kerberos5/lib/libhdb kerberos5/lib/libsl -.endif - build-tools: .for _tool in ${_gcc41_tools} ${_gcc44_tools} ${_libkrb5} ${_share} ${ECHODIR} "===> ${_tool} (build-tools)"; \ @@ -874,15 +864,6 @@ _prebuild_libs+= lib/libutil _generic_libs= gnu/lib -.if !defined(NO_CRYPT) && defined(WANT_KERBEROS) -_prebuild_libs+= kerberos5/tools -_prebuild_libs+= kerberos5/lib/libasn1 -_prebuild_libs+= kerberos5/lib/libgssapi -_prebuild_libs+= kerberos5/lib/libkrb5 -_prebuild_libs+= kerberos5/lib/libroken -_generic_libs+= kerberos5/lib -.endif - _prebuild_libs+= lib/libcom_err lib/libcrypt lib/libmd \ lib/libncurses/libncurses lib/libopie lib/libradius \ lib/libsbuf lib/libtacplus lib/libm \ diff --git a/README b/README index cc64cc54b2..c3350d813e 100644 --- a/README +++ b/README 
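Review bot: The `build-tools:` loop kept as context in the `@@ -791,12 +787,6 @@` hunk still reads `.for _tool in ${_gcc41_tools} ${_gcc44_tools} ${_libkrb5} ${_share}`, but this hunk deletes the only visible assignment of `_libkrb5`. With the variable unset, make expands it to nothing and the loop still works, so this is a stale reference rather than a build break. It does mean that a `_libkrb5` value inherited from the environment or a make configuration file would presumably be taken as a directory to enter during build-tools. Drop the name in the same commit: `.for _tool in ${_gcc41_tools} ${_gcc44_tools} ${_share}`. The loop body continues outside the hunk, so confirm that nothing further down refers to `_libkrb5` either.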
@@ -53,8 +53,6 @@ gnu Various commands and libraries under the GNU Public License. include System include files. -kerberos5 Kerberos5 (Heimdal) package. - lib System libraries. libexec System daemons. diff --git a/crypto/heimdal-0.6.3/ChangeLog b/crypto/heimdal-0.6.3/ChangeLog deleted file mode 100644 index 159cf48a41..0000000000 --- a/crypto/heimdal-0.6.3/ChangeLog +++ /dev/null 
@@ -1,897 +0,0 @@ -2004-09-13 Johan Danielsson - - * Release 0.6.3 - -2004-09-05 Love Hörnquist Åstrand - - * lib/asn1/der_get.c (decode_enumerated): check that the tag - length isn't longer the the length - -2004-08-31 Love Hörnquist Åstrand - - * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): - kdc_reply can be set in case of failure too, clean on entry and - free the exit unconditionally to avoid memory leak - -2004-08-20 Love Hörnquist Åstrand - - * lib/krb5/context.c: 1.93: (krb5_get_err_text): if neither of - com_right nor strerror finds the error-code, return Unknown error. - -2004-08-13 Love Hörnquist Åstrand - - * kdc/kerberos5.c: based on 1.162: (get_pa_etype_info): check for - dup enctypes from the client and filter them out. - -2004-06-21 Love Hörnquist Åstrand - - * admin/get.c: 1.23: (kt_get): catch errors from krb5_parse_name - -2004-06-21 Love Hörnquist Åstrand - - * lib/krb5/Makefile.am: man_MANS += krb5_set_password.3 - - * lib/krb5/krb5_set_password.3: 1.1-1.3: change password manpage - - * lib/krb5/changepw.c: 1.49: implement - krb5_set_password_using_ccache 1.47: add tcp support to the set - protocol, should be cleaned up to enable sharing code with - krb5_sendto 1.46: (process_reply): log into result_string if - something goes bad, return 0 (even on failure), not the KPASSWD - protocol error code 1.45: krb5_princ_realm -> - krb5_principal_get_realm 1.44: (setpw_send_request): free - ap_req_data on failure 1.41: ooops, remove cut and paste error - 1.40: draft-ietf-cat-kerb-chg-password-02 and rfc3244 share the - response packet sure more constants now that they exists 1.39: - implement rfc3244, partly from shadow@dementia.org - - * lib/krb5/krb5.h: 1.211: some defines for rfc3244 - - * lib/asn1/Makefile.am: 1.71: (gen_files): - asn1_ChangePasswdDataMS.x for RFC3244 - - * lib/asn1/k5.asn1: 1.30: add ChangePasswdDataMS, for RFC3244 - - * kuser/kinit.c: 1.114: move "setpag if (argc < 1)" to common path - -2004-05-06 Johan Danielsson - - 
* Release 0.6.2 - -2004-04-02 Love Hörnquist Åstrand - - * kdc/connect.c: case size_t to unsigned long for LP64 platforms - -2004-04-01 Johan Danielsson - - * Release 0.6.1 - -2004-03-30 Love Hörnquist Åstrand - - * kdc/kerberos4.c: 1.46: stop the client from renewing tickets - into the future 
From: Jeffrey Hutzelman - -2004-03-10 Love Hörnquist Åstrand - - * lib/krb5/fcache.c: 1.43: (fcc_store_cred): NULL terminate - krb5_config_get_bool_default' arglist - -2004-03-09 Love Hörnquist Åstrand - - * lib/krb5/krb5.conf.5: 1.44: document - [libdefaults]fcc-mit-ticketflags=boolean 1.43: don't use path's in - first .Nm, it confuses some locate.updatedb, use FILES section to - describe where the file is instead. - - * lib/krb5/fcache.c (fcc_store_cred): default to use old format - - * lib/krb5/fcache.c: 1.42: (fcc_store_cred): use - [libdefaults]fcc-mit-ticketflags=boolean to decide what format to - write the fcc in. Default to mit format (aka heimdal 0.7 format) - 1.41: (_krb5_xlock): handle that everything was ok, and don't put - an error in the error strings then - - * lib/krb5/store.c: 1.43: add _krb5_store_creds_heimdal_0_7 and - _krb5_store_creds_heimdal_pre_0_7 that store the creds in just - that format make krb5_store_creds default to mit format 1.42: - (krb5_ret_creds): Runtime detect the what is the higher bits of - the bitfield 1.41: (krb5_store_creds): add disabled code that - store the ticket flags in reverse order (bitswap32): new function - 1.40: (krb5_ret_creds): if the higher ticket flags are set, its a - mit cache, reverse the bits, bug pointed out by Sergio Gelato - - - delta modfied to not change the behavior of krb5_store_creds - -2004-03-07 Love Hörnquist Åstrand - - * lib/krb5/mk_safe.c (krb5_mk_safe): fix assignment of usec2 - -2004-03-06 Love Hörnquist Åstrand - - * lib/krb5/mcache.c: patch based on 1.17 and 1.18 but with - threading code pulled out; - - 1.18: (mcc_get_principal): also check for primary_principal == - NULL now that that isn't used as dead flag 1.17: don't overload - the primary_principal == NULL as dead since that doesn't always - work Based on patch from Jeffrey Hutzelman , but - tweek by me - - * lib/krb5/crypto.c: 1.94: (decrypt_internal_special): do not not - modify the original data test case from Ronnie Sahlberg - 
- -2004-02-13 Love Hörnquist Åstrand - - * lib/krb5/verify_krb5_conf.c: 1.22->1.23: (check_host): don't - check for EAI_NODATA, because its depricated in RFC3493 Pointed - out by Hajimu UMEMOTO on heimdal-discuss - - * lib/krb5/eai_to_heim_errno.c: 1.3->1.4: EAI_ADDRFAMILY and - EAI_NODATA is deprecated in RFC3493 - -2004-02-09 Love Hörnquist Åstrand - - * lib/asn1/der_length.c: 1.16: Fix len_unsigned for certain - negative integers, it got the length wrong, fix from Panasas, Inc. - - * lib/asn1/der_locl.h: 1.5: add _heim_len_unsigned, _heim_len_int - -2004-01-26 Love Hörnquist Åstrand - - * lib/asn1/gen_length.c: 1.14: (length_type): TSequenceOf: add up - the size of all the elements, don't use just the size of the last - element. - - * lib/krb5/fcache.c: 1.40: (_krb5_xlock): catch EINVAL and assume - that it means that the filesystem doesn't support locking 1.39: - (_krb5_xlock): fix compile error in last commit 1.38: internally - export x{,un}lock and thus prefix them with _krb5_ - -2004-01-13 Love Hörnquist Åstrand - - * kuser/kinit.c: 1.106: (renew_validate): if renewable_flag and - not time specifed, use "1 month" - 1.105: make -9 work again - -2004-01-09 Love Hörnquist Åstrand - - * lib/krb5/get_for_creds.c: 1.36: (add_addrs): don't increase - addr->len until in contains interesting data, use right iteration - counter when clearing the addresses 1.39: krb5_princ_realm -> - krb5_principal_get_realm 1.38: (krb5_get_forwarded_creds): use - KRB5_AUTH_CONTEXT_DO_TIME if we want timestamp in forwarded - krb-cred 1.39: (krb5_get_forwarded_creds): If tickets are - address-less, forward address-less tickets. 
1.40: - (krb5_get_forwarded_creds): try to handle errors better for - previous commit 1.41: (add_addrs): don't add same address multiple - times - - * lib/krb5/get_cred.c: 1.96->1.97: rename get_krbtgt to - _krb5_get_krbtgt and export it - -2003-12-14 Love Hörnquist Åstrand - - * kdc/kerberos5.c: part of 1.146->1.147: handle NULL client/server - names - -2003-12-03 Love Hörnquist Åstrand - - * lib/krb5/crypto.c: 1.90->1.91: require cipher-text to be padded - to padsize 1.91->1.92: (decrypt_internal_derived): move up padsize - check to avoid memory leak - -2003-12-01 Love Hörnquist Åstrand - - * kuser/kinit.c: 1.103->1.104: (main): return the return value - from simple_execvp - -2003-10-22 Love Hörnquist Åstrand - - * lib/krb5/transited.c: 1.13->1.14: (krb5_domain_x500_encode): - always zero out encoding to make sure it have a defined value on - failure - - * lib/krb5/transited.c: 1.12->1.13: (krb5_domain_x500_encode): if - num_realms == 0, set encoding and return (avoids malloc(0)) check - return value from malloc - -2003-10-21 Love Hörnquist Åstrand - - * doc/setup.texi: 1.35->1.36: spelling - - * kdc/kdc_locl.h: 1.58->1.59: add flag to always check transited - policy - - * doc/setup.texi: 1.27->1.35: many changes - - * lib/krb5/get_cred.c: 1.95->1.96: get capath info from [capaths] - section - - * lib/krb5/rd_req.c: 1.50->1.51: (krb5_decrypt_ticket): try to - verify transited realms, unless the transited-policy-checked flag - is set - - * lib/krb5/transited.c: - 1.12: (krb5_domain_x500_decode): set *num_realms to zero not num_realms - 1.11: (krb5_domain_x500_decode): handle zero length tr data; - (krb5_check_transited): new function that does more useful stuff - - * kdc/kdc.8: 1.23->1.24: document enforce-transited-policy - - * kdc/config.c: 1.47->1.48: add flag to always check transited - policy - - * kdc/kerberos5.c: - 1.150: (fix_transited_encoding): also verify with policy, - unless asked not to - 1.151: always check transited policy if flag set either 
globally - (on principal part of patch not pulled up) - 1.152: (fix_transited_encoding): set transited type - 1.153: (fix_transited_encoding): always print cross-realm information - -2003-10-06 Love Hörnquist Åstrand - - * lib/krb5/config_file.c: 1.48->1.49: - (krb5_config_parse_file_debug): punt if there is binding before a - section declaration. - Bug found by Arkadiusz Miskiewicz - - * kdc/kaserver.c: 1.21->1.23: - (do_getticket): if times data is shorter then 8 bytes, request is - malformed. - (do_authenticate): if request length is less then 8 bytes, its a - bad request and fail. Pointed out by Marco Foglia - -2003-09-22 Love Hörnquist Åstrand - - * lib/krb5/verify_krb5_conf.c: 1.17->1.18: add missing " within - #if 0 From: stefan sokoll - -2003-09-19 Love Hörnquist Åstrand - - * lib/krb5/rd_req.c: - 1.47->1.48: (krb5_rd_req): allow caller to pass in a key - in the auth_context, they way processes that doesn't use the - keytab can still pass in the key of the service (matches behavior - of MIT Kerberos). - -2003-09-18 Love Hörnquist Åstrand - - * lib/krb5/crypto.c: - 1.87->1.88: (usage2arcfour): simplify, only - include special cases From: Luke Howard - 1.86->1.87: (arcfour_checksum_p): return true when is arcfour, - not when its not pointed out by Luke Howard - 1.82->1.83: Do the arcfour checksum mapping for - krb5_create_checksum and krb5_verify_checksum, 
From: Luke Howard - - 1.81->1.82: (hmac): make it return an error - when out of memory, update callsites to either return error or use - krb5_abortx - (krb5_hmac): expose hmac - * lib/krb5/mk_req_ext.c: 1.26->1.27: (krb5_mk_req_internal): - when using arcfour-hmac-md5, use an unkeyed checksum - (rsa-md5), since Microsoft calculates the keyed checksum with - the subkey of the authenticator. - - * lib/krb5/get_cred.c: - 1.93->1.94 (init_tgs_req): make generation of subkey - optional on configuration parameter - [realms]realm={tgs_require_subkey=bool} - defaults to off. The RFC1510 weakly defines the correct behavior, - so old DCE secd apparently required the subkey to be there, and MS - will use it when its there. But the request isn't encrypted in the - subkey, so you get to choose if you want to talk to a MS mdc or a - old DCE secd. - - partly 1.91->1.92: (init_tgs_req): in case of error, don't - free in the req_body addresses since they where pass in by caller - - lib/krb5/get_in_tkt.c: - 1.108->1.1.09: (krb5_get_in_tkt): for compatibility with with - the mit implemtation, don't free `creds' argument when done, its up - the the caller to do that, also allow a NULL ccache. - - * doc/ack.texi - 1.16->1.17: update Luke Howard email address - - * lib/hdb/hdb-ldap.c: - 1.13->1.14: code rewrite from Luke Howard - 1.12->1.13: (LDAP_store): log what principal/dn failed - 1.11->1.12: use int2HDBFlags/HDBFlags2int - 
From: Alberto Patino , - Luke Howard - Pointed out by Andrew Bartlett of Samba - 1.10->1.11: (LDAP__connect): bind sasl "EXTERNAL" to ldap connection - (LDAP_store): remove superfluous argument to asprintf - From Alberto Patino - - * lib/krb5/krb5.h: - 1.214->1.2015: add KEYTYPE_ARCFOUR_56 - -2003-09-12 Love Hörnquist Åstrand - - * lib/krb5/config_file.c: fix prototypes Fredrik Ljungberg - - -2003-09-11 Love Hörnquist Åstrand - - * lib/hdb/hdb_locl.h: 1.18->1.19: include for ULONG_MAX - noted by Wissler Magnus on heimdal-discuss - -2003-08-29 Love Hörnquist Åstrand - - * lib/hdb/db3.c: 1.8->1.9: patch for working with DB4 on - heimdal-discuss 
From: Luke Howard 1.9->1.10: try - to include more db headers - -2003-08-25 Love Hörnquist Åstrand - - * kdc/connect.c: 1.92->1.93 (handle_tcp): handle recvfrom - returning 0 (connection closed) 1.91->1.92: (grow_descr): - increment the size after we succeed to allocate the space - -2003-08-15 Love Hörnquist Åstrand - - * lib/krb5/principal.c: 1.83->1.85: (unparse_name): len can't be - zero, so, don't check for that - (unparse_name): make sure there are space for a NUL, set *name to NULL - when there is a failure (so caller can't get hold of a freed - pointer) - -2003-05-08 Johan Danielsson - - * Release 0.6 - -2003-05-08 Love Hörnquist Åstrand - - * kuser/klist.c: 1.68->1.69: print tokens even if there isn't v4 - support - - * kuser/kdestroy.c: 1.14->1.15: destroy tokens even if there isn't - v4 support - - * kuser/kinit.c: 1.90->1.91: print tokens even if there isn't v4 - support - -2003-05-06 Johan Danielsson - - * lib/krb5/name-45-test.c: need to use empty krb5.conf for some - tests - - * lib/asn1/check-gen.c: there is no \e escape sequence; replace - everything with hex-codes, and cast to unsigned char* to make some - compilers happy - -2003-05-06 Love Hörnquist Åstrand - - * lib/krb5/get_in_tkt.c (make_pa_enc_timestamp): make sure first - argument to krb5_us_timeofday have correct type - -2003-05-05 Assar Westerlund - - * include/make_crypto.c (main): include aes.h if ENABLE_AES - -2003-05-05 Love Hörnquist Åstrand - - * NEWS: 1.108->1.110: fix text about gssapi compat - -2003-04-28 Love Hörnquist Åstrand - - * kdc/v4_dump.c: 1.4->1.5: (v4_prop_dump): limit strings length, - from openbsd - -2003-04-24 Love Hörnquist Åstrand - - * doc/programming.texi: 1.2-1.3: s/managment/management/, from jmc - - -2003-04-22 Love Hörnquist Åstrand - - * lib/krb5/krbhst.c: 1.43->1.44: copy NUL too, from janj@wenf.org - via openbsd - -2003-04-17 Love Hörnquist Åstrand - - * lib/asn1/der_copy.c (copy_general_string): use strdup - * lib/asn1/der_put.c: remove sprintf - * 
lib/asn1/gen.c: remove strcpy/sprintf - - * lib/krb5/name-45-test.c: use a more unique name then ratatosk so - that other (me) have such hosts in the local domain and the tests - fails, to take hokkigai.pdc.kth.se instead - - * lib/krb5/test_alname.c: add --version and --help - -2003-04-16 Love Hörnquist Åstrand - - * lib/krb5/krb5_warn.3: add krb5_get_err_text - - * lib/krb5/transited.c: use strlcat/strlcpy, from openbsd - * lib/krb5/krbhst.c (srv_find_realm): use strlcpy, from openbsd - * lib/krb5/aname_to_localname.c (krb5_aname_to_localname): use - strlcpy, from openbsd - * kdc/hpropd.c: s/strcat/strlcat/, inspired from openbsd - * appl/kf/kfd.c: use strlcpy, from openbsd - -2003-04-16 Johan Danielsson - - * configure.in: fix for large file support in AIX, _LARGE_FILES - needs to be defined on the command line, since lex likes to - include stdio.h before we get to config.h - -2003-04-16 Love Hörnquist Åstrand - - * lib/krb5/*.3: Change .Fd #include to .In header.h, - from Thomas Klausner - - * lib/krb5/krb5.conf.5: spelling, from Thomas Klausner - - -2003-04-15 Love Hörnquist Åstrand - - * kdc/kerberos5.c: fix some more memory leaks - -2003-04-11 Love Hörnquist Åstrand - - * appl/kf/kf.1: spelling, from jmc - -2003-04-08 Love Hörnquist Åstrand - - * admin/ktutil.8: typos, from jmc - -2003-04-06 Love Hörnquist Åstrand - - * lib/krb5/krb5.3: s/kerberos/Kerberos/ - * lib/krb5/krb5_data.3: s/kerberos/Kerberos/ - * lib/krb5/krb5_address.3: s/kerberos/Kerberos/ - * lib/krb5/krb5_ccache.3: s/kerberos/Kerberos/ - * lib/krb5/krb5.conf.5: s/kerberos/Kerberos/ - * kuser/kinit.1: s/kerberos/Kerberos/ - * kdc/kdc.8: s/kerberos/Kerberos/ - -2003-04-01 Love Hörnquist Åstrand - - * lib/krb5/test_alname.c: more krb5_aname_to_localname tests - - * lib/krb5/aname_to_localname.c (krb5_aname_to_localname): when - converting too root, make sure user is ok according to - krb5_kuserok before allowing it. 
- - * lib/krb5/Makefile.am (noinst_PROGRAMS): += test_alname - - * lib/krb5/test_alname.c: add test for krb5_aname_to_localname - - * lib/krb5/crypto.c (krb5_DES_AFS3_CMU_string_to_key): used p1 - instead of the "illegal" salt #~, same change as kth-krb did - 1999. Problems occur with crypt() that behaves like AT&T crypt - (openssl does this). Pointed out by Marcus Watts. - - * admin/change.c (kt_change): collect all principals we are going - to change, and pick the highest kvno and use that to guess what - kvno the resulting kvno is going to be. Now two ktutil change in a - row works. XXX fix the protocol to pass the kvno back. - -2003-03-31 Love Hörnquist Åstrand - - * appl/kf/kf.1: afs->AFS, from jmc - -2003-03-30 Love Hörnquist Åstrand - - * doc/setup.texi: add description on how to turn on v4, 524 and - kaserver support - -2003-03-29 Love Hörnquist Åstrand - - * lib/krb5/verify_krb5_conf.c (appdefaults_entries): add afslog - and afs-use-524 - -2003-03-28 Love Hörnquist Åstrand - - * kdc/kerberos5.c (as_rep): when the second enctype_to_string - failes, remember to free memory from the first enctype_to_string - - * lib/krb5/crypto.c (usage2arcfour): map KRB5_KU_TICKET to 2, - from Harald Joerg - (enctype_arcfour_hmac_md5): disable checksum_hmac_md5_enc - - * lib/hdb/mkey.c (hdb_unseal_keys_mkey): truncate key to the key - length when key is longer then expected length, its probably - longer since the encrypted data was padded, reported by Aidan - Cully - - * lib/krb5/crypto.c (krb5_enctype_keysize): return key size of - encyption type, inspired by Aidan Cully - -2003-03-27 Love Hörnquist Åstrand - - * lib/krb5/keytab.c (krb5_kt_get_entry): avoid printing 0 - (wildcard kvno) after principal when the keytab entry isn't found, - reported by Chris Chiappa - -2003-03-26 Love Hörnquist Åstrand - - * doc/misc.texi: update 2b example to match reality (from - mattiasa@e.kth.se) - - * doc/misc.texi: spelling and add `Configuring AFS clients' - subsection - -2003-03-25 
Love Hörnquist Åstrand - - * lib/krb5/krb5.3: add krb5_free_data_contents.3 - - * lib/krb5/data.c: add krb5_free_data_contents for compat with MIT - API - - * lib/krb5/krb5_data.3: add krb5_free_data_contents for compat - with MIT API - - * lib/krb5/krb5_verify_user.3: write more about how the ccache - argument should be inited when used - -2003-03-25 Johan Danielsson - - * lib/krb5/addr_families.c (krb5_print_address): make sure - print_addr is defined for the given address type; make addrports - printable - - * kdc/string2key.c: print the used enctype for kerberos 5 keys - -2003-03-25 Love Hörnquist Åstrand - - * lib/krb5/aes-test.c: add another arcfour test - -2003-03-22 Love Hörnquist Åstrand - - * lib/krb5/aes-test.c: sneek in a test for arcfour-hmac-md5 - -2003-03-20 Love Hörnquist Åstrand - - * lib/krb5/krb5_ccache.3: update .Dd - - * lib/krb5/krb5.3: sort in krb5_data functions - - * lib/krb5/Makefile.am (man_MANS): += krb5_data.3 - - * lib/krb5/krb5_data.3: document krb5_data - - * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): if - prompter is NULL, don't try to ask for a password to - change. reported by Iain Moffat @ ufl.edu via Howard Chu - - -2003-03-19 Love Hörnquist Åstrand - - * lib/krb5/krb5_keytab.3: spelling, from - - - * lib/krb5/krb5.conf.5: . 
means new line - - * lib/krb5/krb5.conf.5: spelling, from - - - * lib/krb5/krb5_auth_context.3: spelling, from - - -2003-03-18 Love Hörnquist Åstrand - - * kuser/Makefile.am: INCLUDES: -I$(srcdir)/../lib/krb5 - - * lib/krb5/convert_creds.c: add _krb5_krb_life_to_time - - * lib/krb5/krb5-v4compat.h: add _krb5_krb_life_to_time - - * kdc/kdc_locl.h: 524 is independent of kerberos 4, so move out - #ifdef KRB4 from enable_v4_cross_realm since 524 needs it - - * kdc/config.c: 524 is independent of kerberos 4, so move out - enable_v4_cross_realm from #ifdef KRB4 since 524 needs it - -2003-03-17 Assar Westerlund - - * kdc/kdc.8: document --kerberos4-cross-realm - * kdc/kerberos4.c: pay attention to enable_v4_cross_realm - * kdc/kdc_locl.h (enable_v4_cross_realm): add - * kdc/524.c (encode_524_response): check the enable_v4_cross_realm - flag before giving out v4 tickets for foreign v5 principals - * kdc/config.c: add --enable-kerberos4-cross-realm option (default - to off) - -2003-03-17 Love Hörnquist Åstrand - - * lib/krb5/Makefile.am (man_MANS) += krb5_aname_to_localname.3 - - * lib/krb5/krb5_aname_to_localname.3: manpage for - krb5_aname_to_localname - - * lib/krb5/krb5_kuserok.3: s/KRB5_USEROK/KRB5_KUSEROK/ - -2003-03-16 Love Hörnquist Åstrand - - * lib/krb5/Makefile.am (man_MANS): add krb5_set_default_realm.3 - - * lib/krb5/krb5.3: add manpages from krb5_set_default_realm.3 - - * lib/krb5/krb5_set_default_realm.3: Manpage for - krb5_free_host_realm, krb5_get_default_realm, - krb5_get_default_realms, krb5_get_host_realm, and - krb5_set_default_realm. 
- - * admin/ktutil.8: s/entype/enctype/, from Igor Sobrado - via NetBSD - - * lib/krb5/krb5_keytab.3: add documention for krb5_kt_get_type - - * lib/krb5/keytab.c (krb5_kt_get_type): get prefix/type of keytab - - * lib/krb5/krb5.h (KRB5_KT_PREFIX_MAX_LEN): max length of prefix - - * lib/krb5/krb5_ccache.3: document krb5_cc_get_ops, add more - types, add krb5_fcc_ops and krb5_mcc_ops - - * lib/krb5/cache.c (krb5_cc_get_ops): new function, return ops for - a id - -2003-03-15 Love Hörnquist Åstrand - - * doc/intro.texi: add reference to source code, binaries and the - manual - - * lib/krb5/krb5.3: krb5.h isn't in krb5 directory in heimdal - -2003-03-14 Love Hörnquist Åstrand - - * kdc/kdc.8: better/difrent english - - * kdc/kdc.8: . -> .\n, copyright/license - - * kdc/kdc.8: changed configuration file -> restart kdc - - * kdc/kerberos4.c: add krb4 into the most error messages written - to the logfile - - * lib/krb5/krb5_ccache.3: add missing name of argument - (krb5_context) to most functions - -2003-03-13 Love Hörnquist Åstrand - - * lib/krb5/kuserok.c (krb5_kuserok): preserve old behviour of - function and return FALSE when there isn't a local account for - `luser'. 
- - * lib/krb5/krb5_kuserok.3: fix prototype, spelling and more text - describing the function - -2003-03-12 Love Hörnquist Åstrand - - * lib/krb5/cache.c (krb5_cc_default): if krb5_cc_default_name - returned memory, don't return ENOMEM - -2003-03-11 Love Hörnquist Åstrand - - * lib/krb5/krb5.3: add krb5_address stuff and sort - - * lib/krb5/krb5_address.3: fix krb5_addr2sockaddr description - - * lib/krb5/Makefile.am (man_MANS): += krb5_address.3 - - * lib/krb5/krb5_address.3: document types krb5_address and - krb5_addresses and their helper functions - -2003-03-10 Love Hörnquist Åstrand - - * lib/krb5/Makefile.am (man_MANS): += krb5_kuserok.3 - - * lib/krb5/krb5_kuserok.3: spelling, from cizzi@it.su.se - - * lib/krb5/Makefile.am (man_MANS): += krb5_ccache.3 - - * lib/krb5/krb5_ccache.3: spelling, from cizzi@it.su.se - - * lib/krb5/krb5.3: add more functions - - * lib/krb5/krb5_ccache.3: document krb5_ccache and krb5_cc - functions - - * lib/krb5/krb5_kuserok.3: document krb5_kuserok - - * lib/krb5/krb5_verify_user.3: document - krb5_verify_opt_set_flags(opt, KRB5_VERIFY_LREALMS) behavior - - * lib/krb5/krb5_verify_user.3: document krb5_verify_opt* and - krb5_verify_user_opt - - * lib/krb5/*.[0-9]: add copyright/licenses on more manpages - - * kuser/kdestroy.c (main): handle that krb5_cc_default_name can - return NULL - - * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump minor - (TESTS): add test_cc - - * lib/krb5/test_cc.c: test some - krb5_cc_default_name/krb5_cc_set_default_name combinations - - * lib/krb5/context.c (init_context_from_config_file): set - default_cc_name to NULL - (krb5_free_context): free default_cc_name if set - - * lib/krb5/cache.c (krb5_cc_set_default_name): new function - (krb5_cc_default_name): use krb5_cc_set_default_name - - * lib/krb5/krb5.h (krb5_context_data): add default_cc_name - -2003-02-25 Love Hörnquist Åstrand - - * appl/kf/kf.1: s/securly/securely/ from NetBSD - -2003-02-18 Love Hörnquist Åstrand - - * kdc/connect.c: 
s/intialize/initialize, from - - -2003-02-17 Love Hörnquist Åstrand - - * configure.in: add AM_MAINTAINER_MODE - -2003-02-16 Love Hörnquist Åstrand - - * **/*.[0-9]: add copyright/licenses on all manpages - -2003-14-16 Jacques Vidrine - - * lib/krb5/get_in_tkt.c (init_as_req): Send only a single - PA-ENC-TIMESTAMP in the AS-REQ, using the first encryption - type specified by the KDC. - -2003-02-15 Love Hörnquist Åstrand - - * fix-export: some autoconf put their version number in - autom4te.cache, so remove autom4te*.cache - - * fix-export: make sure $1 is a directory - -2003-02-04 Love Hörnquist Åstrand - - * kpasswd/kpasswdd.8: spelling, from jmc - - * kdc/kdc.8: spelling, from jmc - -2003-01-31 Love Hörnquist Åstrand - - * kdc/hpropd.8: s/databases/a database/ s/Not/not/ - - * kdc/hprop.8: add missing . - -2003-01-30 Love Hörnquist Åstrand - - * lib/krb5/krb5.conf.5: documentation for of boolean, etypes, - address, write out encryption type in sentences, s/Host/host - -2003-01-26 Love Hörnquist Åstrand - - * lib/asn1/check-gen.c: add checks for Authenticator too - -2003-01-25 Love Hörnquist Åstrand - - * doc/setup.texi: in the hprop example, use hprop and the first - component, not host - - * lib/krb5/get_addrs.c (find_all_addresses): address-less - point-to-point might not have an address, just ignore - those. Reported by Harald Barth. 
- -2003-01-23 Love Hörnquist Åstrand - - * lib/krb5/verify_krb5_conf.c (check_section): when key isn't - found, don't print out all known keys - - * lib/krb5/verify_krb5_conf.c (syslogvals): mark up where severity - and facility start resp - (check_log): find_value() returns -1 when key isn't found - - * lib/krb5/crypto.c (_krb5_aes_cts_encrypt): make key argument a - 'const void *' to avoid AES_KEY being exposed in krb5-private.h - - * lib/krb5/krb5.conf.5: add [kdc]use_2b - - * kdc/524.c (encode_524_response): its 2b not b2 - - * doc/misc.texi: quote @ where missing - - * lib/asn1/Makefile.am: add check-gen - - * lib/asn1/check-gen.c: add Principal check - - * lib/asn1/check-common.h: move generic asn1/der functions from - check-der.c to here - - * lib/asn1/check-common.c: move generic asn1/der functions from - check-der.c to here - - * lib/asn1/check-der.c: move out the generic asn1/der functions to - a common file - -2003-01-22 Love Hörnquist Åstrand - - * doc/misc.texi: more text about afs, how to get get your KeyFile, - and how to start use 2b tokens - - * lib/krb5/krb5.conf.5: spelling, from Jason McIntyre - - -2003-01-21 Jacques Vidrine - - * kuser/kuser_locl.h: include crypto-headers.h for - des_read_pw_string prototype - -2003-01-16 Love Hörnquist Åstrand - - * admin/ktutil.8: document -v, --verbose - - * admin/get.c (kt_get): make getarg usage consistent with other - other parts of ktutil - - * admin/copy.c (kt_copy): remove adding verbose_flag to args - struct, since it will overrun the args array (from Sumit Bose) - -2003-01-15 Love Hörnquist Åstrand - - * lib/krb5/krb5.conf.5: write more about [realms] REALM = { kdc = - ... } - - * lib/krb5/aes-test.c: test vectors in aes-draft - - * lib/krb5/Makefile.am: add aes-test.c - - * lib/krb5/crypto.c: Add support for AES - (draft-raeburn-krb-rijndael-krb-02), not enabled by default. 
- (HMAC_SHA1_DES3_checksum): rename to SP_HMAC_SHA1_checksum and modify - to support checksumtype that are have a shorter wireformat then - their output block size. - - * lib/krb5/crypto.c (struct encryption_type): split the blocksize - into blocksize and padsize, padsize is the minimum padding - size. they are the same for now - (enctype_*): add padsize - (encrypt_internal): use padsize - (encrypt_internal_derived): use padsize - (wrapped_length): use padsize - (wrapped_length_dervied): use padsize - - * lib/krb5/crypto.c: add extra `opaque' argument to string_to_key - function for each enctype in preparation enctypes that uses - `Encryption and Checksum Specifications for Kerberos 5' draft - - * lib/asn1/k5.asn1: add checksum and enctype for AES from - draft-raeburn-krb-rijndael-krb-02.txt - - * lib/krb5/krb5.h (krb5_keytype): add KEYTYPE_AES128, - KEYTYPE_AES256 - -2003-01-14 Love Hörnquist Åstrand - - * lib/hdb/common.c (_hdb_fetch): handle error code from - hdb_value2entry - - * kdc/Makefile.am: always include kerberos4.c and 524.c in - kdc_SOURCES to support 524 - - * kdc/524.c: always compile in support for 524 - - * kdc/kdc_locl.h: move out krb/524 protos from under #ifdef KRB4 - - * kdc/config.c: always compile in support for 524 - - * kdc/connect.c: always compile in support for 524 - - * kdc/kerberos4.c: export encode_v4_ticket() and get_des_key() - even when we build without kerberos 4, 524 needs them - - * lib/krb5/convert_creds.c, lib/krb5/krb5-v4compat.h: Split out - Kerberos 4 help functions/structures so other parts of the source - tree can use it (like the KDC) - diff --git a/crypto/heimdal-0.6.3/ChangeLog.1998 b/crypto/heimdal-0.6.3/ChangeLog.1998 deleted file mode 100644 index f26dba777e..0000000000 --- a/crypto/heimdal-0.6.3/ChangeLog.1998 +++ /dev/null 
@@ -1,3201 +0,0 @@
-Sat Dec 5 19:49:34 1998 Johan Danielsson
-
- * lib/krb5/context.c: remove ktype_is_etype
-
- * lib/krb5/crypto.c, lib/krb5/krb5.h, acconfig.h: NEW_DES3_CODE
-
- * configure.in: fix for AIX install; better tests for AIX dynamic
- AFS libs; `--enable-new-des3-code'
-
-Tue Dec 1 14:44:44 1998 Johan Danielsson
-
- * appl/afsutil/Makefile.am: link with extra libs for aix
-
- * kuser/Makefile.am: link with extra libs for aix
-
-Sun Nov 29 01:56:21 1998 Assar Westerlund
-
- * lib/krb5/get_addrs.c (krb5_get_all_server_addrs): add. almost
- the same as krb5_get_all_client_addrs except that it includes
- loopback addresses
-
- * kdc/connect.c (init_socket): bind to a particular address
- (init_sockets): get all local addresses and bind to them all
-
- * lib/krb5/addr_families.c (addr2sockaddr, print_addr): new
- methods
- (find_af, find_atype): new functions. use them.
-
- * configure.in: add hesiod
-
-Wed Nov 25 11:37:48 1998 Johan Danielsson
-
- * lib/krb5/krb5_err.et: add some codes from kerberos-revisions-03
-
-Mon Nov 23 12:53:48 1998 Assar Westerlund
-
- * lib/kadm5/log.c: rename delete -> remove
-
- * lib/kadm5/delete_s.c: rename delete -> remove
-
- * lib/hdb/common.c: rename delete -> remove
-
-Sun Nov 22 12:26:26 1998 Assar Westerlund
-
- * configure.in: check for environ and `struct spwd'
-
-Sun Nov 22 11:42:45 1998 Johan Danielsson
-
- * kdc/kerberos5.c (as_rep): set keytype to sess_ktype if
- ktype_is_etype
-
- * lib/krb5/encrypt.c (krb5_keytype_to_etypes): zero terminate
- etypes
- (em): sort entries
-
-Sun Nov 22 06:54:48 1998 Assar Westerlund
-
- * lib/krb5/init_creds_pw.c: more type correctness
-
- * lib/krb5/get_cred.c: re-structure code. remove limits on ASN1
- generated bits.
- -Sun Nov 22 01:49:50 1998 Johan Danielsson - - * kdc/hprop.c (v4_prop): fix bogus indexing - -Sat Nov 21 21:39:20 1998 Assar Westerlund - - * lib/krb5/verify_init.c (fail_verify_is_ok): new function - (krb5_verify_init_creds): if we cannot get a ticket for - host/`hostname` and fail_verify_is_ok just return. use - krb5_rd_req - -Sat Nov 21 23:12:27 1998 Assar Westerlund - - * lib/krb5/free.c (krb5_xfree): new function - - * lib/krb5/creds.c (krb5_free_creds_contents): new function - - * lib/krb5/context.c: more type correctness - - * lib/krb5/checksum.c: more type correctness - - * lib/krb5/auth_context.c (krb5_auth_con_init): more type - correctness - - * lib/asn1/der_get.c (der_get_length): fix test of len - (der_get_tag): more type correctness - - * kuser/klist.c (usage): void-ize - - * admin/ktutil.c (kt_remove): some more type correctness. - -Sat Nov 21 16:49:20 1998 Johan Danielsson - - * kuser/klist.c: try to list enctypes as keytypes - - * kuser/kinit.c: remove extra `--cache' option, add `--enctypes' - to set list of enctypes to use - - * kadmin/load.c: load strings as hex - - * kadmin/dump.c: dump hex as string is possible - - * admin/ktutil.c: use print_version() - - * configure.in, acconfig.h: test for hesiod - -Sun Nov 15 17:28:19 1998 Johan Danielsson - - * lib/krb5/crypto.c: add some crypto debug code - - * lib/krb5/get_in_tkt.c (_krb5_extract_ticket): don't use fixed - buffer when encoding ticket - - * lib/krb5/auth_context.c (re-)implement `krb5_auth_setenctype' - - * kdc/kerberos5.c: allow mis-match of tgt session key, and service - session key - - * admin/ktutil.c: keytype -> enctype - -Fri Nov 13 05:35:48 1998 Assar Westerlund - - * lib/krb5/krb5.h (KRB5_TGS_NAME, KRB5_TGS_NAME_SIZE): added - -Sat Nov 7 19:56:31 1998 Assar Westerlund - - * lib/krb5/get_cred.c (add_cred): add termination NULL pointer - -Mon Nov 2 01:15:06 1998 Assar Westerlund - - * lib/krb5/rd_req.c: adapt to new crypto api - - * lib/krb5/rd_rep.c: adapt to new crypto api - - 
* lib/krb5/rd_priv.c: adopt to new crypto api - - * lib/krb5/rd_cred.c: adopt to new crypto api - - * lib/krb5/principal.c: ENOMEM -> ERANGE - - * lib/krb5/mk_safe.c: cleanup and adopt to new crypto api - - * lib/krb5/mk_req_ext.c: adopt to new crypto api - - * lib/krb5/mk_req.c: get enctype from auth_context keyblock - - * lib/krb5/mk_rep.c: cleanup and adopt to new crypto api - - * lib/krb5/mk_priv.c: adopt to new crypto api - - * lib/krb5/keytab.c: adopt to new crypto api - - * lib/krb5/get_in_tkt_with_skey.c: adopt to new crypto api - - * lib/krb5/get_in_tkt_with_keytab.c: adopt to new crypto api - - * lib/krb5/get_in_tkt_pw.c: adopt to new crypto api - - * lib/krb5/get_in_tkt.c: adopt to new crypto api - - * lib/krb5/get_cred.c: adopt to new crypto api - - * lib/krb5/generate_subkey.c: use new crypto api - - * lib/krb5/context.c: rename etype functions to enctype ditto - - * lib/krb5/build_auth.c: use new crypto api - - * lib/krb5/auth_context.c: remove enctype and cksumtype from - auth_context - -Mon Nov 2 01:15:06 1998 Assar Westerlund - - * kdc/connect.c (handle_udp, handle_tcp): correct type of `n' - -Tue Sep 15 18:41:38 1998 Johan Danielsson - - * admin/ktutil.c: fix printing of unrecognized keytypes - -Tue Sep 15 17:02:33 1998 Johan Danielsson - - * lib/kadm5/set_keys.c: add KEYTYPE_USE_AFS3_SALT to keytype if - using AFS3 salt - -Tue Aug 25 23:30:52 1998 Assar Westerlund - - * lib/krb5/send_to_kdc.c (krb5_sendto_kdc): care about - `use_admin_kdc' - - * lib/krb5/changepw.c (get_kdc_address): use - krb5_get_krb_admin_hst - - * lib/krb5/krbhst.c (krb5_get_krb_admin_hst): new function - - * lib/krb5/krb5.h (krb5_context_data): add `use_admin_kdc' - - * lib/krb5/context.c (krb5_get_use_admin_kdc, - krb5_set_use_admin_kdc): new functions - -Tue Aug 18 22:24:12 1998 Johan Danielsson - - * lib/krb5/crypto.c: remove all calls to abort(); check return - value from _key_schedule; - (RSA_MD[45]_DES_verify): zero tmp and res; - (RSA_MD5_DES3_{verify,checksum}): 
implement - -Mon Aug 17 20:18:46 1998 Assar Westerlund - - * kdc/kerberos4.c (swap32): conditionalize - - * lib/krb5/mk_req_ext.c (krb5_mk_req_internal): new function - - * lib/krb5/get_host_realm.c (krb5_get_host_realm): if the hostname - returned from gethostby*() isn't a FQDN, try with the original - hostname - - * lib/krb5/get_cred.c (make_pa_tgs_req): use krb5_mk_req_internal - and correct key usage - - * lib/krb5/crypto.c (verify_checksum): make static - - * admin/ktutil.c (kt_list): use krb5_enctype_to_string - -Sun Aug 16 20:57:56 1998 Assar Westerlund - - * kadmin/cpw.c (do_cpw_entry): use asprintf for the prompt - - * kadmin/ank.c (ank): print principal name in prompt - - * lib/krb5/crypto.c (hmac): always allocate space for checksum. - never trust c.checksum.length - (_get_derived_key): try to return the derived key - -Sun Aug 16 19:48:42 1998 Johan Danielsson - - * lib/krb5/crypto.c (hmac): fix some peculiarities and bugs - (get_checksum_key): assume usage is `formatted' - (create_checksum,verify_checksum): moved the guts of the krb5_* - functions here, both take `formatted' key-usages - (encrypt_internal_derived): fix various bogosities - (derive_key): drop key_type parameter (already given by the - encryption_type) - - * kdc/kerberos5.c (check_flags): handle case where client is NULL - - * kdc/connect.c (process_request): return zero after processing - kerberos 4 request - -Sun Aug 16 18:38:15 1998 Johan Danielsson - - * lib/krb5/crypto.c: merge x-*.[ch] into one file - - * lib/krb5/cache.c: remove residual from krb5_ccache_data - -Fri Aug 14 16:28:23 1998 Johan Danielsson - - * lib/krb5/x-crypto.c (derive_key): move DES3 specific code to - separate function (will eventually end up someplace else) - - * lib/krb5/x-crypto.c (krb5_string_to_key_derived): allocate key - - * configure.in, acconfig.h: test for four valued krb_put_int - -Thu Aug 13 23:46:29 1998 Assar Westerlund - - * Release 0.0t - -Thu Aug 13 22:40:17 1998 Assar Westerlund - - * 
lib/krb5/config_file.c (parse_binding): remove trailing - whitespace - -Wed Aug 12 20:15:11 1998 Johan Danielsson - - * lib/krb5/x-checksum.c (krb5_verify_checksum): pass checksum type - to krb5_create_checksum - - * lib/krb5/x-key.c: implement DES3_string_to_key_derived; fix a - few typos - -Wed Aug 5 12:39:54 1998 Assar Westerlund - - * Release 0.0s - -Thu Jul 30 23:12:17 1998 Assar Westerlund - - * lib/krb5/mk_error.c (krb5_mk_error): realloc until you die - -Thu Jul 23 19:49:03 1998 Johan Danielsson - - * kdc/kdc_locl.h: proto for `get_des_key' - - * configure.in: test for four valued el_init - - * kuser/klist.c: keytype -> enctype - - * kpasswd/kpasswdd.c (change): use new `krb5_string_to_key*' - - * kdc/hprop.c (v4_prop, ka_convert): convert to a set of keys - - * kdc/kaserver.c: use `get_des_key' - - * kdc/524.c: use new crypto api - - * kdc/kerberos4.c: use new crypto api - - * kdc/kerberos5.c: always treat keytypes as enctypes; use new - crypto api - - * kdc/kstash.c: adapt to new crypto api - - * kdc/string2key.c: adapt to new crypto api - - * admin/srvconvert.c: add keys for all possible enctypes - - * admin/ktutil.c: keytype -> enctype - - * lib/gssapi/init_sec_context.c: get enctype from auth_context - keyblock - - * lib/hdb/hdb.c: remove hdb_*_keytype2key - - * lib/kadm5/set_keys.c: adapt to new crypto api - - * lib/kadm5/rename_s.c: adapt to new crypto api - - * lib/kadm5/get_s.c: adapt to new crypto api - - * lib/kadm5/create_s.c: add keys for des-cbc-crc, des-cbc-md4, - des-cbc-md5, and des3-cbc-sha1 - - * lib/krb5/heim_err.et: error message for unsupported salt - - * lib/krb5/codec.c: short-circuit these functions, since they are - not needed any more - - * lib/krb5/rd_safe.c: cleanup and adapt to new crypto api - -Mon Jul 13 23:00:59 1998 Assar Westerlund - - * lib/krb5/send_to_kdc.c (krb5_sendto_kdc): don't advance - hostent->h_addr_list, use a copy instead - -Mon Jul 13 15:00:31 1998 Johan Danielsson - - * lib/krb5/config_file.c (parse_binding, 
parse_section): make sure - everything is ok before adding to linked list - - * lib/krb5/config_file.c: skip ws before checking for comment - -Wed Jul 8 10:45:45 1998 Johan Danielsson - - * lib/asn1/k5.asn1: hmac-sha1-des3 = 12 - -Tue Jun 30 18:08:05 1998 Assar Westerlund - - * lib/krb5/send_to_kdc.c (krb5_sendto_kdc): do not close the - unopened file - - * lib/krb5/mk_priv.c: realloc correctly - - * lib/krb5/get_addrs.c (find_all_addresses): init j - - * lib/krb5/context.c (krb5_init_context): print error if parsing - of config file produced an error. - - * lib/krb5/config_file.c (parse_list, krb5_config_parse_file): - ignore more spaces - - * lib/krb5/codec.c (krb5_encode_EncKrbCredPart, - krb5_encode_ETYPE_INFO): initialize `ret' - - * lib/krb5/build_auth.c (krb5_build_authenticator): realloc - correctly - - * lib/kadm5/set_keys.c (_kadm5_set_keys): initialize `ret' - - * lib/kadm5/init_c.c (get_cred_cache): try to do the right thing - with default_client - - * kuser/kinit.c (main): initialize `ticket_life' - - * kdc/kerberos5.c (get_pa_etype_info): initialize `ret' - (tgs_rep2): initialize `krbtgt' - - * kdc/connect.c (do_request): check for errors from `sendto' - - * kdc/524.c (do_524): initialize `ret' - - * kadmin/util.c (foreach_principal): don't clobber `ret' - - * kadmin/del.c (del_entry): don't apply on zeroth argument - - * kadmin/cpw.c (do_cpw_entry): initialize `ret' - -Sat Jun 13 04:14:01 1998 Assar Westerlund - - * Release 0.0r - -Sun Jun 7 04:13:14 1998 Assar Westerlund - - * lib/krb5/addr_families.c: fall-back definition of - IN6_ADDR_V6_TO_V4 - - * configure.in: only set CFLAGS if it wasn't set look for - dn_expand and res_search - -Mon Jun 1 21:28:07 1998 Assar Westerlund - - * configure.in: remove duplicate seteuid - -Sat May 30 00:19:51 1998 Johan Danielsson - - * lib/krb5/convert_creds.c: import _krb_time_to_life, to avoid - runtime dependencies on libkrb with some shared library - implementations - -Fri May 29 00:09:02 1998 Johan Danielsson 
- - * kuser/kinit_options.c: Default options for kinit. - - * kuser/kauth_options.c: Default options for kauth. - - * kuser/kinit.c: Implement lots a new options. - - * kdc/kerberos5.c (check_tgs_flags): make sure kdc-req-body->rtime - is not NULL; set endtime to min of new starttime + old_life, and - requested endtime - - * lib/krb5/init_creds_pw.c (get_init_creds_common): if the - forwardable or proxiable flags are set in options, set the - kdc-flags to the value specified, and not always to one - -Thu May 28 21:28:06 1998 Johan Danielsson - - * kdc/kerberos5.c: Optionally compare client address to addresses - in ticket. - - * kdc/connect.c: Pass client address to as_rep() and tgs_rep(). - - * kdc/config.c: Add check_ticket_addresses, and - allow_null_ticket_addresses variables. - -Tue May 26 14:03:42 1998 Johan Danielsson - - * lib/kadm5/create_s.c: possibly make DES keys version 4 salted - - * lib/kadm5/set_keys.c: check config file for kadmin/use_v4_salt - before zapping version 4 salts - -Sun May 24 05:22:17 1998 Assar Westerlund - - * Release 0.0q - - * lib/krb5/aname_to_localname.c: new file - - * lib/gssapi/init_sec_context.c (repl_mutual): no output token - - * lib/gssapi/display_name.c (gss_display_name): zero terminate - output. - -Sat May 23 19:11:07 1998 Assar Westerlund - - * lib/gssapi/display_status.c: new file - - * Makefile.am: send -I to aclocal - - * configure.in: remove duplicate setenv - -Sat May 23 04:55:19 1998 Johan Danielsson - - * kadmin/util.c (foreach_principal): Check for expression before - wading through the whole database. - - * kadmin/kadmin.c: Pass NULL password to - kadm5_*_init_with_password. - - * lib/kadm5/init_c.c: Implement init_with_{skey,creds}*. Make use - of `password' parameter to init_with_password. - - * lib/kadm5/init_s.c: implement init_with_{skey,creds}* - - * lib/kadm5/server.c: Better arguments for - kadm5_init_with_password. 
- -Sat May 16 07:10:36 1998 Assar Westerlund - - * kdc/hprop.c: conditionalize ka-server reading support on - KASERVER_DB - - * configure.in: new option `--enable-kaserver-db' - -Fri May 15 19:39:18 1998 Johan Danielsson - - * lib/krb5/get_cred.c: Better error if local tgt couldn't be - found. - -Tue May 12 21:11:02 1998 Assar Westerlund - - * Release 0.0p - - * lib/krb5/mk_req_ext.c (krb5_mk_req_extended): only set - encryption type in auth_context if it's compatible with the type - of the session key - -Mon May 11 21:11:14 1998 Johan Danielsson - - * kdc/hprop.c: add support for ka-server databases - - * appl/ftp/ftpd: link with -lcrypt, if needed - -Fri May 1 07:29:52 1998 Assar Westerlund - - * configure.in: don't test for winsock.h - -Sat Apr 18 21:43:11 1998 Johan Danielsson - - * Release 0.0o - -Sat Apr 18 00:31:11 1998 Johan Danielsson - - * lib/krb5/sock_principal.c: Save hostname. - -Sun Apr 5 11:29:45 1998 Johan Danielsson - - * lib/krb5/mk_req_ext.c: Use same enctype as in ticket. - - * kdc/hprop.c (v4_prop): Check for null key. - -Fri Apr 3 03:54:54 1998 Johan Danielsson - - * lib/krb5/str2key.c: Fix DES3 string-to-key. - - * lib/krb5/keytab.c: Get default keytab name from context. - - * lib/krb5/context.c: Get `default_keytab_name' value. - - * kadmin/util.c (foreach_principal): Print error message if - `kadm5_get_principals' fails. - - * kadmin/kadmind.c: Use `kadmind_loop'. - - * lib/kadm5/server.c: Replace several other functions with - `kadmind_loop'. - -Sat Mar 28 09:49:18 1998 Assar Westerlund - - * lib/krb5/keytab.c (fkt_add_entry): use an explicit seek instead - of O_APPEND - - * configure.in: generate ftp Makefiles - - * kuser/klist.c (print_cred_verbose): print IPv4-address in a - portable way. - - * admin/srvconvert.c (srvconv): return 0 if successful - -Tue Mar 24 00:40:33 1998 Johan Danielsson - - * lib/krb5/keytab.c: MIT compatible changes: add and use sizes to - keytab entries, and change default keytab to `/etc/krb5.keytab'. 
- -Mon Mar 23 23:43:59 1998 Johan Danielsson - - * lib/gssapi/wrap.c: Use `gss_krb5_getsomekey'. - - * lib/gssapi/unwrap.c: Implement and use `gss_krb5_getsomekey'. - Fix bug in checking of pad. - - * lib/gssapi/{un,}wrap.c: Add support for just integrity - protecting data. - - * lib/gssapi/accept_sec_context.c: Use - `gssapi_krb5_verify_8003_checksum'. - - * lib/gssapi/8003.c: Implement `gssapi_krb5_verify_8003_checksum'. - - * lib/gssapi/init_sec_context.c: Zero cred, and store session key - properly in auth-context. - -Sun Mar 22 00:47:22 1998 Johan Danielsson - - * lib/kadm5/delete_s.c: Check immutable bit. - - * kadmin/kadmin.c: Pass client name to kadm5_init. - - * lib/kadm5/init_c.c: Get creds for client name passed in. - - * kdc/hprop.c (v4_prop): Check for `changepw.kerberos'. - -Sat Mar 21 22:57:13 1998 Johan Danielsson - - * lib/krb5/mk_error.c: Verify that error_code is in the range - [0,127]. - - * kdc/kerberos5.c: Move checking of principal flags to new - function `check_flags'. - -Sat Mar 21 14:38:51 1998 Assar Westerlund - - * lib/kadm5/get_s.c (kadm5_s_get_principal): handle an empty salt - - * configure.in: define SunOS if running solaris - -Sat Mar 21 00:26:34 1998 Johan Danielsson - - * lib/kadm5/server.c: Unifdef test for same principal when - changing password. - - * kadmin/util.c: If kadm5_get_principals failes, we might still be - able to perform the requested opreration (for instance someone if - trying to change his own password). - - * lib/kadm5/init_c.c: Try to get ticket via initial request, if - not possible via tgt. - - * lib/kadm5/server.c: Check for principals changing their own - passwords. - - * kdc/kerberos5.c (tgs_rep2): check for interesting flags on - involved principals. - - * kadmin/util.c: Fix order of flags. - -Thu Mar 19 16:54:10 1998 Johan Danielsson - - * kdc/kerberos4.c: Return sane error code if krb_rd_req fails. 
- -Wed Mar 18 17:11:47 1998 Assar Westerlund - - * acconfig.h: rename HAVE_STRUCT_SOCKADDR_IN6 to HAVE_IPV6 - -Wed Mar 18 09:58:18 1998 Johan Danielsson - - * lib/krb5/get_in_tkt_with_keytab.c (krb5_keytab_key_proc): don't - free keyseed; use correct keytab - -Tue Mar 10 09:56:16 1998 Assar Westerlund - - * acinclude.m4 (AC_KRB_IPV6): rewrote to avoid false positives - -Mon Mar 16 23:58:23 1998 Johan Danielsson - - * Release 0.0n - -Fri Mar 6 00:41:30 1998 Johan Danielsson - - * lib/gssapi/{accept_sec_context,release_cred}.c: Use - krb5_kt_close/krb5_kt_resolve. - - * lib/krb5/principal.c (krb5_425_conv_principal_ext): Use resolver - to lookup hosts, so CNAMEs can be ignored. - - * lib/krb5/send_to_kdc.c (krb5_sendto_kdc, send_and_recv_http): - Add support for using proxy. - - * lib/krb5/context.c: Initialize `http_proxy' from - `libdefaults/http_proxy'. - - * lib/krb5/krb5.h: Add `http_proxy' to context. - - * lib/krb5/send_to_kdc.c: Recognize `http/' and `udp/' as protocol - specifications. - -Wed Mar 4 01:47:29 1998 Johan Danielsson - - * admin/ktutil.c: Implement `add' and `remove' functions. Make - `--keytab' a global option. - - * lib/krb5/keytab.c: Implement remove with files. Add memory - operations. - -Tue Mar 3 20:09:59 1998 Johan Danielsson - - * lib/krb5/keytab.c: Use function pointers. - - * admin: Remove kdb_edit. - -Sun Mar 1 03:28:42 1998 Assar Westerlund - - * lib/kadm5/dump_log.c: print operation names - -Sun Mar 1 03:04:12 1998 Assar Westerlund - - * configure.in: add X-tests, and {bin,...}dir appl/{kx,kauth} - - * lib/krb5/build_auth.c,mk_priv.c,rd_safe.c,mk_safe.c,mk_rep.c: - remove arbitrary limit - - * kdc/hprop-common.c: use krb5_{read,write}_message - - * lib/kadm5/ipropd_master.c (send_diffs): more careful use - krb5_{write,read}_message - - * lib/kadm5/ipropd_slave.c (get_creds): get credentials for - `iprop/master' directly. 
- (main): use `krb5_read_message' - -Sun Mar 1 02:05:11 1998 Johan Danielsson - - * kadmin/kadmin.c: Cleanup commands list, and add help strings. - - * kadmin/get.c: Add long, short, and terse (equivalent to `list') - output formats. Short is the default. - - * kadmin/util.c: Add `include_time' flag to timeval2str. - - * kadmin/init.c: Max-life and max-renew can, infact, be zero. - - * kadmin/{cpw,del,ext,get}.c: Use `foreach_principal'. - - * kadmin/util.c: Add function `foreach_principal', that loops over - all principals matching an expression. - - * kadmin/kadmin.c: Add usage string to `privileges'. - - * lib/kadm5/get_princs_s.c: Also try to match aganist the - expression appended with `@default-realm'. - - * lib/krb5/principal.c: Add `krb5_unparse_name_fixed_short', that - excludes the realm if it's the same as the default realm. - -Fri Feb 27 05:02:21 1998 Assar Westerlund - - * configure.in: more WFLAGS and WFLAGS_NOUNUSED added missing - headers and functions error -> com_err - - (krb5_get_init_creds_keytab): use krb5_keytab_key_proc - - * lib/krb5/get_in_tkt_with_keytab.c: make `krb5_keytab_key_proc' - global - - * lib/kadm5/marshall.c (ret_principal_ent): set `n_tl_data' - - * lib/hdb/ndbm.c: use `struct ndbm_db' everywhere. - -Fri Feb 27 04:49:24 1998 Assar Westerlund - - * lib/krb5/mk_priv.c (krb5_mk_priv): bump static limit to 10240. - This should be fixed the correct way. 
- - * lib/kadm5/ipropd_master.c (check_acl:) truncate buf correctly - (send_diffs): compare versions correctly - (main): reorder handling of events - - * lib/kadm5/log.c (kadm5_log_previous): avoid bad type conversion - -Thu Feb 26 02:22:35 1998 Assar Westerlund - - * lib/kadm5/ipropd_{slave,master}.c: new files - - * lib/kadm5/log.c (kadm5_log_get_version): take an `fd' as - argument - - * lib/krb5/krb5.h (krb5_context_data): `et_list' should be `struct - et_list *' - - * aux/make-proto.pl: Should work with perl4 - -Mon Feb 16 17:20:22 1998 Johan Danielsson - - * lib/krb5/krb5_locl.h: Remove (it gets included via - {asn1,krb5}_err.h). - -Thu Feb 12 03:28:40 1998 Assar Westerlund - - * lib/krb5/get_in_tkt.c (_krb5_extract_ticket): if time difference - is larger than max_skew, return KRB5KRB_AP_ERR_SKEW - - * lib/kadm5/log.c (get_version): globalize - - * lib/kadm5/kadm5_locl.h: include - - * lib/asn1/Makefile.am: add PA_KEY_INFO and PA_KEY_INFO_ENTRY - - * kdc/kerberos5.c (get_pa_etype_info): remove gcc-ism of - initializing local struct in declaration. - -Sat Jan 31 17:28:58 1998 Johan Danielsson - - * kdc/524.c: Use krb5_decode_EncTicketPart. - - * kdc/kerberos5.c: Check at runtime whether to use enctypes - instead of keytypes. If so use the same value to encrypt ticket, - and kdc-rep as well as `keytype' for session key. Fix some obvious - bugs with the handling of additional tickets. - - * lib/krb5/rd_req.c: Use krb5_decode_EncTicketPart, and - krb5_decode_Authenticator. - - * lib/krb5/rd_rep.c: Use krb5_decode_EncAPRepPart. - - * lib/krb5/rd_cred.c: Use krb5_decode_EncKrbCredPart. - - * lib/krb5/mk_rep.c: Make sure enc_part.etype is an encryption - type, and not a key type. Use krb5_encode_EncAPRepPart. - - * lib/krb5/init_creds_pw.c: Use krb5_decode_PA_KEY_INFO. - - * lib/krb5/get_in_tkt.c: Use krb5_decode_Enc{AS,TGS}RepPart. - - * lib/krb5/get_for_creds.c: Use krb5_encode_EncKrbCredPart. - - * lib/krb5/get_cred.c: Use krb5_decode_Enc{AS,TGS}RepPart. 
- - * lib/krb5/build_auth.c: Use krb5_encode_Authenticator. - - * lib/krb5/codec.c: Enctype conversion stuff. - - * lib/krb5/context.c: Ignore KRB5_CONFIG if *not* running - setuid. Get configuration for libdefaults ktype_is_etype, and - default_etypes. - - * lib/krb5/encrypt.c: Add krb5_string_to_etype, rename - krb5_convert_etype to krb5_decode_keytype, and add - krb5_decode_keyblock. - -Fri Jan 23 00:32:09 1998 Johan Danielsson - - * lib/krb5/{get_in_tkt,rd_req}.c: Use krb5_convert_etype. - - * lib/krb5/encrypt.c: Add krb5_convert_etype function - converts - from protocol keytypes (that really are enctypes) to internal - representation. - -Thu Jan 22 21:24:36 1998 Johan Danielsson - - * lib/asn1/k5.asn1: Add PA-KEY-INFO structure to hold information - on keys in the database; and also a new `pa-key-info' padata-type. - - * kdc/kerberos5.c: If pre-authentication fails, return a list of - keytypes, salttypes, and salts. - - * lib/krb5/init_creds_pw.c: Add better support for - pre-authentication, by looking at hints from the KDC. - - * lib/krb5/get_in_tkt.c: Add better support for specifying what - pre-authentication to use. - - * lib/krb5/str2key.c: Merge entries for KEYTYPE_DES and - KEYTYPE_DES_AFS3. - - * lib/krb5/krb5.h: Add pre-authentication structures. - - * kdc/connect.c: Don't fail if realloc(X, 0) returns NULL. - -Wed Jan 21 06:20:40 1998 Assar Westerlund - - * lib/kadm5/init_s.c (kadm5_s_init_with_password_ctx): initialize - `log_context.socket_name' and `log_context.socket_fd' - - * lib/kadm5/log.c (kadm5_log_flush): send a unix domain datagram - to inform the possible running ipropd of an update. - -Wed Jan 21 01:34:09 1998 Johan Danielsson - - * lib/krb5/get_in_tkt.c: Return error-packet to caller. - - * lib/krb5/free.c (krb5_free_kdc_rep): Free krb5_kdc_rep->error. - - * kdc/kerberos5.c: Add some support for using enctypes instead of - keytypes. - - * lib/krb5/get_cred.c: Fixes to send authorization-data to the - KDC. 
- - * lib/krb5/build_auth.c: Only generate local subkey if there is - none. - - * lib/krb5/krb5.h: Add krb5_authdata type. - - * lib/krb5/auth_context.c: Add - krb5_auth_con_set{,localsub,remotesub}key. - - * lib/krb5/init_creds_pw.c: Return some error if prompter - functions return failure. - -Wed Jan 21 01:16:13 1998 Assar Westerlund - - * kpasswd/kpasswd.c: detect bad password. use krb5_err. - - * kadmin/util.c (edit_entry): remove unused variables - -Tue Jan 20 22:58:31 1998 Assar Westerlund - - * kuser/kinit.c: rename `-s' to `-S' to be MIT-compatible. - - * lib/kadm5/kadm5_locl.h: add kadm5_log_context and - kadm5_log*-functions - - * lib/kadm5/create_s.c (kadm5_s_create_principal): add change to - log - - * lib/kadm5/rename_s.c (kadm5_s_rename_principal): add change to - log - - * lib/kadm5/init_s.c (kadm5_s_init_with_password_ctx): initialize - log_context - - * lib/kadm5/delete_s.c (kadm5_s_delete_principal): add change to - log - - * lib/kadm5/modify_s.c (kadm5_s_modify_principal): add change to - log - - * lib/kadm5/randkey_s.c (kadm5_s_randkey_principal): add change to - log - - * lib/kadm5/chpass_s.c (kadm5_s_chpass_principal): add change to - log - - * lib/kadm5/Makefile.am: add log.c, dump_log and replay_log - - * lib/kadm5/replay_log.c: new file - - * lib/kadm5/dump_log.c: new file - - * lib/kadm5/log.c: new file - - * lib/krb5/str2key.c (get_str): initialize pad space to zero - - * lib/krb5/config_file.c (krb5_config_vget_next): handle c == NULL - - * kpasswd/kpasswdd.c: rewritten to use the kadm5 API - - * kpasswd/Makefile.am: link with kadm5srv - - * kdc/kerberos5.c (tgs_rep): initialize `i' - - * kadmin/kadmind.c (main): use kadm5_server_{send,recv}_sp - - * include/Makefile.am: added admin.h - -Sun Jan 18 01:41:34 1998 Johan Danielsson - - * lib/asn1/gen_copy.c: Don't return ENOMEM if allocating 0 bytes. - - * lib/krb5/mcache.c (mcc_store_cred): restore linked list if - copy_creds fails. 
- -Tue Jan 6 04:17:56 1998 Assar Westerlund - - * lib/kadm5/server.c: add kadm5_server_{send,recv}{,_sp} - - * lib/kadm5/marshall.c: add kadm5_{store,ret}_principal_ent_mask. - - * lib/kadm5/init_c.c (kadm5_c_init_with_password_ctx): use - krb5_getportbyname - - * kadmin/kadmind.c (main): htons correctly. - moved kadm5_server_{recv,send} - - * kadmin/kadmin.c (main): only set admin_server if explicitly - given - -Mon Jan 5 23:34:44 1998 Johan Danielsson - - * lib/hdb/ndbm.c: Implement locking of database. - - * kdc/kerberos5.c: Process AuthorizationData. - -Sat Jan 3 22:07:07 1998 Johan Danielsson - - * kdc/string2key.c: Use AFS string-to-key from libkrb5. - - * lib/krb5/get_in_tkt.c: Handle pa-afs3-salt case. - - * lib/krb5/krb5.h: Add value for AFS salts. - - * lib/krb5/str2key.c: Add support for AFS string-to-key. - - * lib/kadm5/rename_s.c: Use correct salt. - - * lib/kadm5/ent_setup.c: Always enable client. Only set max-life - and max-renew if != 0. - - * lib/krb5/config_file.c: Add context to all krb5_config_*get_*. - -Thu Dec 25 17:03:25 1997 Assar Westerlund - - * kadmin/ank.c (ank): don't zero password if --random-key was - given. - -Tue Dec 23 01:56:45 1997 Assar Westerlund - - * Release 0.0m - - * lib/kadm5/ent_setup.c (attr_to_flags): try to set `client' - - * kadmin/util.c (edit_time): only set mask if != 0 - (edit_attributes): only set mask if != 0 - - * kadmin/init.c (init): create `default' - -Sun Dec 21 09:44:05 1997 Assar Westerlund - - * kadmin/util.c (str2deltat, str2attr, get_deltat): return value - as pointer and have return value indicate success. - - (get_response): check NULL from fgets - - (edit_time, edit_attributes): new functions for reading values and - offering list of answers on '?' 
- - (edit_entry): use edit_time and edit_attributes - - * kadmin/ank.c (add_new_key): test the return value of - `krb5_parse_name' - - * kdc/kerberos5.c (tgs_check_authenticator): RFC1510 doesn't say - that the checksum has to be keyed, even though later drafts do. - Accept unkeyed checksums to be compatible with MIT. - - * kadmin/kadmin_locl.h: add some prototypes. - - * kadmin/util.c (edit_entry): return a value - - * appl/afsutil/afslog.c (main): return a exit code. - - * lib/krb5/get_cred.c (init_tgs_req): use krb5_keytype_to_enctypes - - * lib/krb5/encrypt.c (krb5_keytype_to_enctypes): new function. - - * lib/krb5/build_auth.c (krb5_build_authenticator): use - krb5_{free,copy}_keyblock instead of the _contents versions - -Fri Dec 12 14:20:58 1997 Johan Danielsson - - * lib/krb5/{mk,rd}_priv.c: fix check for local/remote subkey - -Mon Dec 8 08:48:09 1997 Johan Danielsson - - * lib/krb5/context.c: don't look at KRB5_CONFIG if running setuid - -Sat Dec 6 10:09:40 1997 Johan Danielsson - - * lib/krb5/keyblock.c (krb5_free_keyblock): check for NULL - keyblock - -Sat Dec 6 08:26:10 1997 Assar Westerlund - - * Release 0.0l - -Thu Dec 4 03:38:12 1997 Johan Danielsson - - * lib/krb5/send_to_kdc.c: Add TCP client support. - - * lib/krb5/store.c: Add k_{put,get}_int. - - * kadmin/ank.c: Set initial kvno to 1. - - * kdc/connect.c: Send version 5 TCP-reply as length+data. - -Sat Nov 29 07:10:11 1997 Assar Westerlund - - * lib/krb5/rd_req.c (krb5_rd_req): fixed obvious bug - - * kdc/kaserver.c (create_reply_ticket): use a random nonce in the - reply packet. - - * kdc/connect.c (init_sockets): less reallocing. - - * **/*.c: changed `struct fd_set' to `fd_set' - -Sat Nov 29 05:12:01 1997 Johan Danielsson - - * lib/krb5/get_default_principal.c: More guessing. - -Thu Nov 20 02:55:09 1997 Johan Danielsson - - * lib/krb5/rd_req.c: Use principal from ticket if no server is - given. - -Tue Nov 18 02:58:02 1997 Johan Danielsson - - * kuser/klist.c: Use krb5_err*(). 
- -Sun Nov 16 11:57:43 1997 Johan Danielsson - - * kadmin/kadmin.c: Add local `init', `load', `dump', and `merge' - commands. - -Sun Nov 16 02:52:20 1997 Assar Westerlund - - * lib/krb5/mk_req_ext.c (krb5_mk_req_ext): figure out the correct - `enctype' - - * lib/krb5/mk_req.c (krb5_mk_req): use `(*auth_context)->enctype' - if set. - - * lib/krb5/get_cred.c: handle the case of a specific keytype - - * lib/krb5/build_auth.c (krb5_build_authenticator): enctype as a - parameter instead of guessing it. - - * lib/krb5/build_ap_req.c (krb5_build_ap_req): new parameter - `enctype' - - * appl/test/common.c (common_setup): don't use `optarg' - - * lib/krb5/keytab.c (krb5_kt_copy_entry_contents): new function - (krb5_kt_get_entry): retrieve the latest version if kvno == 0 - - * lib/krb5/krb5.h: define KRB5_TC_MATCH_KEYTYPE - - * lib/krb5/creds.c (krb5_compare_creds): check for - KRB5_TC_MATCH_KEYTYPE - - * lib/gssapi/8003.c (gssapi_krb5_create_8003_checksum): remove - unused variable - - * lib/krb5/creds.c (krb5_copy_creds_contents): only free the - contents if we fail. - -Sun Nov 16 00:32:48 1997 Johan Danielsson - - * kpasswd/kpasswdd.c: Get password expiration time from config - file. - - * lib/asn1/{der_get,gen_decode}.c: Allow passing NULL size. - -Wed Nov 12 02:35:57 1997 Assar Westerlund - - * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): - restructured and fixed. - - * lib/krb5/addr_families.c (krb5_h_addr2addr): new function. - -Wed Nov 12 01:36:01 1997 Johan Danielsson - - * lib/krb5/get_addrs.c: Fall back to hostname's addresses if other - methods fail. - -Tue Nov 11 22:22:12 1997 Johan Danielsson - - * kadmin/kadmin.c: Add `-l' flag to use local database. - - * lib/kadm5/acl.c: Use KADM5_PRIV_ALL. - - * lib/kadm5: Use function pointer trampoline for easier dual use - (without radiation-hardening capability). 
- -Tue Nov 11 05:15:22 1997 Assar Westerlund - - * lib/krb5/encrypt.c (krb5_etype_valid): new function - - * lib/krb5/creds.c (krb5_copy_creds_contents): zero target - - * lib/krb5/context.c (valid_etype): remove - - * lib/krb5/checksum.c: remove dead code - - * lib/krb5/changepw.c (send_request): free memory on error. - - * lib/krb5/build_ap_req.c (krb5_build_ap_req): check return value - from malloc. - - * lib/krb5/auth_context.c (krb5_auth_con_init): free memory on - failure correctly. - (krb5_auth_con_setaddrs_from_fd): return error correctly. - - * lib/krb5/get_in_tkt_with_{keytab,skey}.c: new files - -Tue Nov 11 02:53:19 1997 Johan Danielsson - - * lib/krb5/auth_context.c: Implement auth_con_setuserkey. - - * lib/gssapi/init_sec_context.c: Use krb5_auth_con_getkey. - - * lib/krb5/keyblock.c: Rename krb5_free_keyblock to - krb5_free_keyblock_contents, and reimplement krb5_free_keyblock. - - * lib/krb5/rd_req.c: Use auth_context->keyblock if - ap_options.use_session_key. - -Tue Nov 11 02:35:17 1997 Assar Westerlund - - * lib/krb5/net_{read,write}.c: change `int fd' to `void *p_fd'. - fix callers. - - * lib/krb5/krb5_locl.h: include and - - * include/Makefile.am: add xdbm.h - -Tue Nov 11 01:58:22 1997 Johan Danielsson - - * lib/krb5/get_cred.c: Implement krb5_get_cred_from_kdc. - -Mon Nov 10 22:41:53 1997 Johan Danielsson - - * lib/krb5/ticket.c: Implement copy_ticket. - - * lib/krb5/get_in_tkt.c: Make `options' parameter MIT-compatible. - - * lib/krb5/data.c: Implement free_data and copy_data. - -Sun Nov 9 02:17:27 1997 Johan Danielsson - - * lib/kadm5: Implement kadm5_get_privs, and kadm5_get_principals. - - * kadmin/kadmin.c: Add get_privileges function. - - * lib/kadm5: Rename KADM5_ACL_* -> KADM5_PRIV_* to conform with - specification. - - * kdc/connect.c: Exit if no sockets could be bound. - - * kadmin/kadmind.c: Check return value from krb5_net_read(). - - * lib/kadm5,kadmin: Fix memory leaks. 
- -Fri Nov 7 02:45:26 1997 Johan Danielsson - - * lib/kadm5/create_s.c: Get some default values from `default' - principal. - - * lib/kadm5/ent_setup.c: Add optional default entry to get some - values from. - -Thu Nov 6 00:20:41 1997 Johan Danielsson - - * lib/error/compile_et.awk: Remove generated destroy_*_error_table - prototype - - * kadmin/kadmind.c: Crude admin server. - - * kadmin/kadmin.c: Update to use remote protocol. - - * kadmin/get.c: Fix principal formatting. - - * lib/kadm5: Add client support. - - * lib/kadm5/error.c: Error code mapping. - - * lib/kadm5/server.c: Kadmind support function. - - * lib/kadm5/marshall.c: Kadm5 marshalling. - - * lib/kadm5/acl.c: Simple acl system. - - * lib/kadm5/kadm5_locl.h: Add client stuff. - - * lib/kadm5/init_s.c: Initialize acl. - - * lib/kadm5/*: Return values. - - * lib/kadm5/create_s.c: Correct kvno. - -Wed Nov 5 22:06:50 1997 Johan Danielsson - - * lib/krb5/log.c: Fix parsing of log destinations. - -Mon Nov 3 20:33:55 1997 Johan Danielsson - - * lib/krb5/principal.c: Reduce number of reallocs in unparse_name. - -Sat Nov 1 01:40:53 1997 Johan Danielsson - - * kadmin: Simple kadmin utility. - - * admin/ktutil.c: Print keytype. - - * lib/kadm5/get_s.c: Set correct n_key_data. - - * lib/kadm5/init_s.c: Add kadm5_s_init_with_password_ctx. Use - master key. - - * lib/kadm5/destroy_s.c: Check for allocated context. - - * lib/kadm5/{create,chpass}_s.c: Use _kadm5_set_keys(). - -Sat Nov 1 00:21:00 1997 Assar Westerlund - - * configure.in: test for readv, writev - -Wed Oct 29 23:41:26 1997 Assar Westerlund - - * lib/krb5/warn.c (_warnerr): handle the case of an illegal error - code - - * kdc/kerberos5.c (encode_reply): return success - -Wed Oct 29 18:01:59 1997 Johan Danielsson - - * kdc/kerberos5.c (find_etype) Return correct index of selected - etype. 
- -Wed Oct 29 04:07:06 1997 Assar Westerlund - - * Release 0.0k - - * lib/krb5/context.c (krb5_init_context): support `KRB5_CONFIG' - environment variable - - * *: use the roken_get*-macros from roken.h for the benefit of - Crays. - - * configure.in: add --{enable,disable}-otp. check for compatible - prototypes for gethostbyname, gethostbyaddr, getservbyname, and - openlog (they have strange prototypes on Crays) - - * acinclude.m4: new macro `AC_PROTO_COMPAT' - -Tue Oct 28 00:11:22 1997 Johan Danielsson - - * kdc/connect.c: Log bad requests. - - * kdc/kerberos5.c: Move stuff that's in common between as_rep and - tgs_rep to separate functions. - - * kdc/kerberos5.c: Fix user-to-user authentication. - - * lib/krb5/get_cred.c: Some restructuring of krb5_get_credentials: - - add a kdc-options argument to krb5_get_credentials, and rename - it to krb5_get_credentials_with_flags - - honour the KRB5_GC_CACHED, and KRB5_GC_USER_USER options - - add some more user-to-user glue - - * lib/krb5/rd_req.c: Move parts of krb5_verify_ap_req into a new - function, krb5_decrypt_ticket, so it is easier to decrypt and - check a ticket without having an ap-req. - - * lib/krb5/krb5.h: Add KRB5_GC_CACHED, and KRB5_GC_USER_USER - flags. - - * lib/krb5/crc.c (crc_init_table): Check if table is already - inited. - -Sun Oct 26 04:51:02 1997 Johan Danielsson - - * lib/asn1/der_get.c (der_get_length, fix_dce): Special-case - indefinite encoding. - - * lib/asn1/gen_glue.c (generate_units): Check for empty - member-list. - -Sat Oct 25 07:24:57 1997 Johan Danielsson - - * lib/error/compile_et.awk: Allow specifying table-base. - -Tue Oct 21 20:21:40 1997 Johan Danielsson - - * kdc/kerberos5.c: Check version number of krbtgt. - -Mon Oct 20 01:14:53 1997 Assar Westerlund - - * lib/krb5/prompter_posix.c (krb5_prompter_posix): implement the - case of unhidden prompts. - - * lib/krb5/str2key.c (string_to_key_internal): return error - instead of aborting. 
always free memory - - * admin/ktutil.c: add `help' command - - * admin/kdb_edit.c: implement new commands: add_random_key(ark), - change_password(cpw), change_random_key(crk) - -Thu Oct 16 05:16:36 1997 Assar Westerlund - - * kpasswd/kpasswdd.c: change all the keys in the database - - * kdc: removed all unsealing, now done by the hdb layer - - * lib/hdb/hdb.c: new functions `hdb_create', `hdb_set_master_key' - and `hdb_clear_master_key' - - * admin/misc.c: removed - -Wed Oct 15 22:47:31 1997 Assar Westerlund - - * kuser/klist.c: print year as YYYY iff verbose - -Wed Oct 15 20:02:13 1997 Johan Danielsson - - * kuser/klist.c: print etype from ticket - -Mon Oct 13 17:18:57 1997 Johan Danielsson - - * Release 0.0j - - * lib/krb5/get_cred.c: Get the subkey from mk_req so it can be - used to decrypt the reply from DCE secds. - - * lib/krb5/auth_context.c: Add {get,set}enctype. - - * lib/krb5/get_cred.c: Fix for DCE secd. - - * lib/krb5/store.c: Store keytype twice, as MIT does. - - * lib/krb5/get_in_tkt.c: Use etype from reply. - -Fri Oct 10 00:39:48 1997 Johan Danielsson - - * kdc/connect.c: check for leading '/' in http request - -Tue Sep 30 21:50:18 1997 Assar Westerlund - - * Release 0.0i - -Mon Sep 29 15:58:43 1997 Assar Westerlund - - * lib/krb5/rd_req.c (krb5_rd_req): redone because we don't know - the kvno or keytype before receiving the AP-REQ - - * lib/krb5/mk_safe.c (krb5_mk_safe): figure out what cksumtype to - use from the keytype. - - * lib/krb5/mk_req_ext.c (krb5_mk_req_extended): figure out what - cksumtype to use from the keytype. - - * lib/krb5/mk_priv.c (krb5_mk_priv): figure out what etype to use - from the keytype. - - * lib/krb5/keytab.c (krb5_kt_get_entry): check the keytype - - * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): figure out - what etype to use from the keytype. 
- - * lib/krb5/generate_seq_number.c (krb5_generate_seq_number): - handle other key types than DES - - * lib/krb5/encrypt.c (key_type): add `best_cksumtype' - (krb5_keytype_to_cksumtype): new function - - * lib/krb5/build_auth.c (krb5_build_authenticator): figure out - what etype to use from the keytype. - - * lib/krb5/auth_context.c (krb5_auth_con_init): set `cksumtype' - and `enctype' to 0 - - * admin/extkeytab.c (ext_keytab): extract all keys - - * appl/telnet/telnet/commands.c: INET6_ADDRSTRLEN kludge - - * configure.in: check for . check for -linet6 - -Tue Sep 23 03:00:53 1997 Assar Westerlund - - * lib/krb5/encrypt.c: fix checksumtype for des3-cbc-sha1 - - * lib/krb5/rd_safe.c: fix check for keyed and collision-proof - checksum - - * lib/krb5/context.c (valid_etype): remove hard-coded constants - (default_etypes): include DES3 - - * kdc/kerberos5.c: fix check for keyed and collision-proof - checksum - - * admin/util.c (init_des_key, set_password): DES3 keys also - - * lib/krb/send_to_kdc.c (krb5_sendto_kdc): no data returned means - no contact? - - * lib/krb5/addr_families.c: fix typo in `ipv6_anyaddr' - -Mon Sep 22 11:44:27 1997 Johan Danielsson - - * kdc/kerberos5.c: Somewhat fix the etype usage. The list sent by - the client is used to select wich key to encrypt the kdc rep with - (in case of as-req), and with the server info to select the - session key type. The server key the ticket is encrypted is based - purely on the keys in the database. - - * kdc/string2key.c: Add keytype support. Default to version 5 - keys. - - * lib/krb5/get_in_tkt.c: Fix a lot of etype/keytype misuse. - - * lib/krb5/encrypt.c: Add des3-cbc-md5, and des3-cbc-sha1. Add - many *_to_* functions. - - * lib/krb5/str2key.c: Add des3 string-to-key. Add ktype argument - to krb5_string_to_key(). - - * lib/krb5/checksum.c: Some cleanup, and added: - - rsa-md5-des3 - - hmac-sha1-des3 - - keyed and collision proof flags to each checksum method - - checksum<->string functions. 
- - * lib/krb5/generate_subkey.c: Use krb5_generate_random_keyblock. - -Sun Sep 21 15:19:23 1997 Assar Westerlund - - * kdc/connect.c: use new addr_families functions - - * kpasswd/kpasswdd.c: use new addr_families functions. Now works - over IPv6 - - * kuser/klist.c: use correct symbols for address families - - * lib/krb5/sock_principal.c: use new addr_families functions - - * lib/krb5/send_to_kdc.c: use new addr_families functions - - * lib/krb5/krb5.h: add KRB5_ADDRESS_INET6 - - * lib/krb5/get_addrs.c: use new addr_families functions - - * lib/krb5/changepw.c: use new addr_families functions. Now works - over IPv6 - - * lib/krb5/auth_context.c: use new addr_families functions - - * lib/krb5/addr_families.c: new file - - * acconfig.h: AC_SOCKADDR_IN6 -> AC_STRUCT_SOCKADDR_IN6. Updated - uses. - - * acinclude.m4: new macro `AC_KRB_IPV6'. Use it. - -Sat Sep 13 23:04:23 1997 Johan Danielsson - - * kdc/hprop.c: Don't encrypt twice. Complain on non-convertable - principals. - -Sat Sep 13 00:59:36 1997 Assar Westerlund - - * Release 0.0h - - * appl/telnet/telnet/commands.c: AF_INET6 support - - * admin/misc.c: new file - - * lib/krb5/context.c: new configuration variable `max_retries' - - * lib/krb5/get_addrs.c: fixes and better #ifdef's - - * lib/krb5/config_file.c: implement krb5_config_get_int - - * lib/krb5/auth_context.c, send_to_kdc.c, sock_principal.c: - AF_INET6 support - - * kuser/klist.c: support for printing IPv6-addresses - - * kdc/connect.c: support AF_INET6 - - * configure.in: test for gethostbyname2 and struct sockaddr_in6 - -Thu Sep 11 07:25:28 1997 Assar Westerlund - - * lib/asn1/k5.asn1: Use `METHOD-DATA' instead of `SEQUENCE OF - PA-DATA' - -Wed Sep 10 21:20:17 1997 Johan Danielsson - - * kdc/kerberos5.c: Fixes for cross-realm, including (but not - limited to): - - allow client to be non-existant (should probably check for - "local realm") - - if server isn't found and it is a request for a krbtgt, try to - find a realm on the way to the requested 
realm - - update the transited encoding iff - client-realm != server-realm != tgt-realm - - * lib/krb5/get_cred.c: Several fixes for cross-realm. - -Tue Sep 9 15:59:20 1997 Johan Danielsson - - * kdc/string2key.c: Fix password handling. - - * lib/krb5/encrypt.c: krb5_key_to_string - -Tue Sep 9 07:46:05 1997 Assar Westerlund - - * lib/krb5/get_addrs.c: rewrote. Now should be able to handle - aliases and IPv6 addresses - - * kuser/klist.c: try printing IPv6 addresses - - * kdc/kerberos5.c: increase the arbitrary limit from 1024 to 8192 - - * configure.in: check for - -Mon Sep 8 02:57:14 1997 Assar Westerlund - - * doc: fixes - - * admin/util.c (init_des_key): increase kvno - (set_password): return -1 if `des_read_pw_string' failed - - * admin/mod.c (doit2): check the return value from `set_password' - - * admin/ank.c (doit): don't add a new entry if `set_password' - failed - -Mon Sep 8 02:20:16 1997 Johan Danielsson - - * lib/krb5/verify_init.c: fix ap_req_nofail semantics - - * lib/krb5/transited.c: something that might resemble - domain-x500-compress - -Mon Sep 8 01:24:42 1997 Assar Westerlund - - * kdc/hpropd.c (main): check number of arguments - - * appl/popper/pop_init.c (pop_init): check number of arguments - - * kpasswd/kpasswd.c (main): check number of arguments - - * kdc/string2key.c (main): check number of arguments - - * kuser/kdestroy.c (main): check number of arguments - - * kuser/kinit.c (main): check number of arguments - - * kpasswd/kpasswdd.c (main): use sigaction without SA_RESTART to - break out of select when a signal arrives - - * kdc/main.c (main): use sigaction without SA_RESTART to break out - of select when a signal arrives - - * kdc/kstash.c: default to HDB_DB_DIR "/m-key" - - * kdc/config.c (configure): add `--version'. Check the number of - arguments. Handle the case of there being no specification of port - numbers. 
- - * admin/util.c: seal and unseal key at appropriate places - - * admin/kdb_edit.c (main): parse arguments, config file and read - master key iff there's one. - - * admin/extkeytab.c (ext_keytab): unseal key while extracting - -Sun Sep 7 20:41:01 1997 Assar Westerlund - - * lib/roken/roken.h: include - - * kdc/kerberos5.c (set_salt_padata): new function - - * appl/telnet/telnetd/telnetd.c: Rename some variables that - conflict with cpp symbols on HP-UX 10.20 - - * change all calls of `gethostbyaddr' to cast argument 1 to `const - char *' - - * acconfig.h: only use SGTTY on nextstep - -Sun Sep 7 14:33:50 1997 Johan Danielsson - - * kdc/kerberos5.c: Check invalid flag. - -Fri Sep 5 14:19:38 1997 Johan Danielsson - - * lib/krb5/verify_user.c: Use get_init_creds/verify_init_creds. - - * lib/kafs: Move functions common to krb/krb5 modules to new file, - and make things more modular. - - * lib/krb5/krb5.h: rename STRING -> krb5_config_string, and LIST - -> krb5_config_list - -Thu Sep 4 23:39:43 1997 Johan Danielsson - - * lib/krb5/get_addrs.c: Fix loopback test. - -Thu Sep 4 04:45:49 1997 Assar Westerlund - - * lib/roken/roken.h: fallback definition of `O_ACCMODE' - - * lib/krb5/get_in_tkt.c (krb5_get_in_cred): be more careful when - checking for a v4 reply - -Wed Sep 3 18:20:14 1997 Johan Danielsson - - * kdc/hprop.c: Add `--decrypt' and `--encrypt' flags. - - * lib/hdb/hdb.c: new {seal,unseal}_keys functions - - * kdc/{hprop,hpropd}.c: Add support to dump database to stdout. - - * kdc/hprop.c: Don't use same master key as version 4. - - * admin/util.c: Don't dump core if no `default' is found. - -Wed Sep 3 16:01:07 1997 Johan Danielsson - - * kdc/connect.c: Allow run time port specification. - - * kdc/config.c: Add flags for http support, and port - specifications. - -Tue Sep 2 02:00:03 1997 Assar Westerlund - - * include/bits.c: Don't generate ifndef's in bits.h. Instead, use - them when building the program. 
This makes it possible to include - bits.h without having defined all HAVE_INT17_T symbols. - - * configure.in: test for sigaction - - * doc: updated documentation. - -Tue Sep 2 00:20:31 1997 Johan Danielsson - - * Release 0.0g - -Mon Sep 1 17:42:14 1997 Johan Danielsson - - * lib/krb5/data.c: don't return ENOMEM if len == 0 - -Sun Aug 31 17:15:49 1997 Johan Danielsson - - * lib/hdb/hdb.asn1: Include salt type in salt. - - * kdc/hprop.h: Change port to 754. - - * kdc/hpropd.c: Verify who tries to transmit a database. - - * appl/popper: Use getarg and krb5_log. - - * lib/krb5/get_port.c: Add context parameter. Now takes port in - host byte order. - -Sat Aug 30 18:48:19 1997 Johan Danielsson - - * kdc/connect.c: Add timeout to select, and log about expired tcp - connections. - - * kdc/config.c: Add `database' option. - - * kdc/hpropd.c: Log about duplicate entries. - - * lib/hdb/{db,ndbm}.c: Use common routines. - - * lib/hdb/common.c: Implement more generic fetch/store/delete - functions. - - * lib/hdb/hdb.h: Add `replace' parameter to store. - - * kdc/connect.c: Set filedecriptor to -1 on allocated decriptor - entries. - -Fri Aug 29 03:13:23 1997 Assar Westerlund - - * lib/krb5/get_in_tkt.c: extract_ticket -> _krb5_extract_ticket - - * aux/make-proto.pl: fix __P for stone age mode - -Fri Aug 29 02:45:46 1997 Johan Danielsson - - * lib/45/mk_req.c: implementation of krb_mk_req that uses 524 - protocol - - * lib/krb5/init_creds_pw.c: make change_password and - get_init_creds_common static - - * lib/krb5/krb5.h: Merge stuff from removed headerfiles. - - * lib/krb5/fcache.c: fcc_ops -> krb5_fcc_ops - - * lib/krb5/mcache.c: mcc_ops -> krb5_mcc_ops - -Fri Aug 29 01:45:25 1997 Johan Danielsson - - * lib/krb5/krb5.h: Remove all prototypes. - - * lib/krb5/convert_creds.c: Use `struct credentials' instead of - `CREDENTIALS'. - -Fri Aug 29 00:08:18 1997 Assar Westerlund - - * lib/asn1/gen_glue.c: new file. generates 2int and int2 functions - and units for bit strings. 
- - * admin/util.c: flags2int, int2flags, and flag_units are now - generated by asn1_compile - - * lib/roken/parse_units.c: generalised `parse_units' and - `unparse_units' and added new functions `parse_flags' and - `unparse_flags' that use these - - * lib/krb5/krb5_locl.h: moved krb5_data* functions to krb5.h - - * admin/util.c: Use {un,}parse_flags for printing and parsing - hdbflags. - -Thu Aug 28 03:26:12 1997 Assar Westerlund - - * lib/krb5/get_addrs.c: restructured - - * lib/krb5/warn.c (_warnerr): leak less memory - - * lib/hdb/hdb.c (hdb_free_entry): zero keys - (hdb_check_db_format): leak less memory - - * lib/hdb/ndbm.c (NDBM_seq): check for valid hdb_entries implement - NDBM__get, NDBM__put - - * lib/hdb/db.c (DB_seq): check for valid hdb_entries - -Thu Aug 28 02:06:58 1997 Johan Danielsson - - * lib/krb5/send_to_kdc.c: Don't use sendto on connected sockets. - -Thu Aug 28 01:13:17 1997 Assar Westerlund - - * kuser/kinit.1, klist.1, kdestroy.1: new man pages - - * kpasswd/kpasswd.1, kpasswdd.8: new man pages - - * kdc/kstash.8, hprop.8, hpropd.8: new man pages - - * admin/ktutil.8, admin/kdb_edit.8: new man pages - - * admin/mod.c: new file - - * admin/life.c: renamed gettime and puttime to getlife and putlife - and moved them to life.c - - * admin/util.c: add print_flags, parse_flags, init_entry, - set_created_by, set_modified_by, edit_entry, set_password. Use - them. - - * admin/get.c: use print_flags - - * admin: removed unused stuff. use krb5_{warn,err}* - - * admin/ank.c: re-organized and abstracted. - - * admin/gettime.c: removed - -Thu Aug 28 00:37:39 1997 Johan Danielsson - - * lib/krb5/{get_cred,get_in_tkt}.c: Check for v4 reply. - - * lib/roken/base64.c: Add base64 functions. - - * kdc/connect.c lib/krb5/send_to_kdc.c: Add http support. - -Wed Aug 27 00:29:20 1997 Johan Danielsson - - * include/Makefile.am: Don't make links to built files. - - * admin/kdb_edit.c: Add command to set the database path. 
- - * lib/hdb: Include version number in database. - -Tue Aug 26 20:14:54 1997 Johan Danielsson - - * admin/ktutil: Merged v4 srvtab conversion. - -Mon Aug 25 23:02:18 1997 Assar Westerlund - - * lib/roken/roken.h: add F_OK - - * lib/gssapi/acquire_creds.c: fix typo - - * configure.in: call AC_TYPE_MODE_T - - * acinclude.m4: Add AC_TYPE_MODE_T - -Sun Aug 24 16:46:53 1997 Assar Westerlund - - * Release 0.0f - -Sun Aug 24 08:06:54 1997 Assar Westerlund - - * appl/popper/pop_pass.c: log poppers - - * kdc/kaserver.c: some more checks - - * kpasswd/kpasswd.c: removed `-p' - - * kuser/kinit.c: removed `-p' - - * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): If - KDC_ERR_PREUATH_REQUIRED, add preauthentication and try again. - - * lib/krb5/get_in_tkt.c (krb5_get_in_cred): don't print out - krb-error text - - * lib/gssapi/import_name.c (input_name): more names types. - - * admin/load.c (parse_keys): handle the case of an empty salt - - * kdc/kaserver.c: fix up memory deallocation - - * kdc/kaserver.c: quick hack at talking kaserver protocol - - * kdc/kerberos4.c: Make `db-fetch4' global - - * configure.in: add --enable-kaserver - - * kdc/rx.h, kdc/kerberos4.h: new header files - - * lib/krb5/principal.c: fix krb5_build_principal_ext & c:o - -Sun Aug 24 03:52:44 1997 Johan Danielsson - - * lib/krb5/{get_in_tkt,mk_safe,mk_priv}.c: Fix some Cray specific - type conflicts. - - * lib/krb5/{get_cred,get_in_tkt}.c: Mask nonce to 32 bits. - - * lib/des/{md4,md5,sha}.c: Now works on Crays. - -Sat Aug 23 18:15:01 1997 Johan Danielsson - - * appl/afsutil/afslog.c: If no cells or files specified, get - tokens for all local cells. Better test for files. - -Thu Aug 21 23:33:38 1997 Assar Westerlund - - * lib/gssapi/v1.c: new file with v1 compatibility functions. - -Thu Aug 21 20:36:13 1997 Johan Danielsson - - * lib/kafs/afskrb5.c: Don't check ticket file for afs ticket. - - * kdc/kerberos4.c: Check database when converting v4 principals. 
- - * kdc/kerberos5.c: Include kvno in Ticket. - - * lib/krb5/encrypt.c: Add kvno parameter to encrypt_EncryptedData. - - * kuser/klist.c: Print version number of ticket, include more - flags. - -Wed Aug 20 21:26:58 1997 Johan Danielsson - - * lib/kafs/afskrb5.c (get_cred): Check cached afs tickets for - expiration. - -Wed Aug 20 17:40:31 1997 Assar Westerlund - - * lib/krb5/recvauth.c (krb5_recvauth): Send a KRB-ERROR iff - there's an error. - - * lib/krb5/sendauth.c (krb5_sendauth): correct the protocol - documentation and process KRB-ERROR's - -Tue Aug 19 20:41:30 1997 Johan Danielsson - - * kdc/kerberos4.c: Fix memory leak in v4 protocol handler. - -Mon Aug 18 05:15:09 1997 Assar Westerlund - - * lib/gssapi/accept_sec_context.c: Added - `gsskrb5_register_acceptor_identity' - -Sun Aug 17 01:40:20 1997 Assar Westerlund - - * lib/gssapi/accept_sec_context.c (gss_accept_sec_context): don't - always pass server == NULL to krb5_rd_req. - - * lib/gssapi: new files: canonicalize_name.c export_name.c - context_time.c compare_name.c release_cred.c acquire_cred.c - inquire_cred.c, from Luke Howard - - * lib/krb5/config_file.c: Add netinfo support from Luke Howard - - - * lib/editline/sysunix.c: sgtty-support from Luke Howard - - - * lib/krb5/principal.c: krb5_sname_to_principal fix from Luke - Howard - -Sat Aug 16 00:44:47 1997 Assar Westerlund - - * Release 0.0e - -Sat Aug 16 00:23:46 1997 Johan Danielsson - - * appl/afsutil/afslog.c: Use new libkafs. - - * lib/kafs/afskrb5.c: Get AFS tokens via 524 protocol. - - * lib/krb5/warn.c: Fix format string for *x type. - -Fri Aug 15 22:15:01 1997 Assar Westerlund - - * admin/get.c (get_entry): print more information about the entry - - * lib/des/Makefile.am: build destest, mdtest, des, rpw, speed - - * lib/krb5/config_file.c: new functions `krb5_config_get_time' and - `krb5_config_vget_time'. Use them. - -Fri Aug 15 00:09:37 1997 Johan Danielsson - - * admin/ktutil.c: Keytab manipulation program. 
- - * lib/krb5/keytab.c: Return sane values from resolve and - start_seq_get. - - * kdc/kerberos5.c: Fix for old clients passing 0 for `no endtime'. - - * lib/45/get_ad_tkt.c: Kerberos 4 get_ad_tkt using - krb524_convert_creds_kdc. - - * lib/krb5/convert_creds.c: Implementation of - krb524_convert_creds_kdc. - - * lib/asn1/k5.asn1: Make kdc-req-body.till OPTIONAL - - * kdc/524.c: A somewhat working 524-protocol module. - - * kdc/kerberos4.c: Add version 4 ticket encoding and encryption - functions. - - * lib/krb5/context.c: Fix kdc_timeout. - - * lib/hdb/{ndbm,db}.c: Free name in close. - - * kdc/kerberos5.c (tgs_check_autenticator): Return error code - -Thu Aug 14 21:29:03 1997 Johan Danielsson - - * kdc/kerberos5.c (tgs_make_reply): Fix endtime in reply. - - * lib/krb5/store_emem.c: Fix reallocation bug. - -Tue Aug 12 01:29:46 1997 Assar Westerlund - - * appl/telnet/libtelnet/kerberos5.c, appl/popper/pop_init.c: Use - `krb5_sock_to_principal'. Send server parameter to - krb5_rd_req/krb5_recvauth. Set addresses in auth_context. - - * lib/krb5/recvauth.c: Set addresses in auth_context if there - aren't any - - * lib/krb5/auth_context.c: New function - `krb5_auth_con_setaddrs_from_fd' - - * lib/krb5/sock_principal.c: new function - `krb5_sock_to_principal' - - * lib/krb5/time.c: new file with `krb5_timeofday' and - `krb5_us_timeofday'. Use these functions. - - * kuser/klist.c: print KDC offset iff verbose - - * lib/krb5/get_in_tkt.c: implement KDC time offset and use it if - [libdefaults]kdc_timesync is set. - - * lib/krb5/fcache.c: Implement version 4 of the ccache format. - -Mon Aug 11 05:34:43 1997 Assar Westerlund - - * lib/krb5/rd_rep.c (krb5_free_ap_rep_enc_part): free all memory - - * lib/krb5/principal.c (krb5_unparse_name): allocate memory - properly - - * kpasswd/kpasswd.c: Use `krb5_change_password' - - * lib/krb5/init_creds_pw.c (init_cred): set realm of server - correctly. 
- - * lib/krb5/init_creds_pw.c: support changing of password when it - has expired - - * lib/krb5/changepw.c: new file - - * kuser/klist.c: use getarg - - * admin/init.c (init): add `kadmin/changepw' - -Mon Aug 11 04:30:47 1997 Johan Danielsson - - * lib/krb5/get_cred.c: Make get_credentials handle cross-realm. - -Mon Aug 11 00:03:24 1997 Assar Westerlund - - * lib/krb5/config_file.c: implement support for #-comments - -Sat Aug 9 02:21:46 1997 Johan Danielsson - - * kdc/hprop*.c: Add database propagation programs. - - * kdc/connect.c: Max request size. - -Sat Aug 9 00:47:28 1997 Assar Westerlund - - * lib/otp: resurrected from krb4 - - * appl/push: new program for fetching mail with POP. - - * appl/popper/popper.h: new include files. new fields in `POP' - - * appl/popper/pop_pass.c: Implement both v4 and v5. - - * appl/popper/pop_init.c: Implement both v4 and v5. - - * appl/popper/pop_debug.c: use getarg. Talk both v4 and v5 - - * appl/popper: Popper from krb4. - - * configure.in: check for inline and generate - files in appl/popper, appl/push, and lib/otp - -Fri Aug 8 05:51:02 1997 Assar Westerlund - - * lib/krb5/get_cred.c: clean-up and try to free memory even when - there're errors - - * lib/krb5/get_cred.c: adapt to new `extract_ticket' - - * lib/krb5/get_in_tkt.c: reorganize. check everything and try to - return memory even if there are errors. - - * kuser/kverify.c: new file - - * lib/krb5/free_host_realm.c: new file - - * lib/krb5/principal.c (krb5_sname_to_principal): implement - different nametypes. Also free memory. - - * lib/krb5/verify_init.c: more functionality - - * lib/krb5/mk_req_ext.c (krb5_mk_req_extended): free the checksum - - * lib/krb5/get_in_tkt.c (extract_ticket): don't copy over the - principals in creds. 
Should also compare them with that received - from the KDC - - * lib/krb5/cache.c (krb5_cc_gen_new): copy the newly allocated - krb5_ccache - (krb5_cc_destroy): call krb5_cc_close - (krb5_cc_retrieve_cred): delete the unused creds - -Fri Aug 8 02:30:40 1997 Johan Danielsson - - * lib/krb5/log.c: Allow better control of destinations of logging - (like passing explicit destinations, and log-functions). - -Fri Aug 8 01:20:39 1997 Assar Westerlund - - * lib/krb5/get_default_principal.c: new file - - * kpasswd/kpasswdd.c: use krb5_log* - -Fri Aug 8 00:37:47 1997 Johan Danielsson - - * lib/krb5/init_creds_pw.c: Implement krb5_get_init_creds_keytab. - -Fri Aug 8 00:37:17 1997 Assar Westerlund - - * lib/krb5/init_creds_pw.c: Use `krb5_get_default_principal'. - Print password expire information. - - * kdc/config.c: new variable `kdc_warn_pwexpire' - - * kpasswd/kpasswd.c: converted to getarg and get_init_creds - -Thu Aug 7 22:17:09 1997 Assar Westerlund - - * lib/krb5/mcache.c: new file - - * admin/gettime.c: new function puttime. Use it. - - * lib/krb5/keyblock.c: Added krb5_free_keyblock and - krb5_copy_keyblock - - * lib/krb5/init_creds_pw.c: more functionality - - * lib/krb5/creds.c: Added krb5_free_creds_contents and - krb5_copy_creds. Changed callers. - - * lib/krb5/config_file.c: new functions krb5_config_get and - krb5_config_vget - - * lib/krb5/cache.c: cleanup added mcache - - * kdc/kerberos5.c: include last-req's of type 6 and 7, if - applicable - -Wed Aug 6 20:38:23 1997 Johan Danielsson - - * lib/krb5/log.c: New parameter `log-level'. Default to `SYSLOG'. - -Tue Aug 5 22:53:54 1997 Assar Westerlund - - * lib/krb5/verify_init.c, init_creds_pw.c, init_creds.c, - prompter_posix.c: the beginning of an implementation of the cygnus - initial-ticket API. - - * lib/krb5/get_in_tkt_pw.c: make `krb5_password_key_proc' global - - * lib/krb5/get_in_tkt.c (krb5_get_in_cred): new function that is - almost krb5_get_in_tkt but doesn't write the creds to the ccache. 
- Small fixes in krb5_get_in_tkt - - * lib/krb5/get_addrs.c (krb5_get_all_client_addrs): don't include - loopback. - -Mon Aug 4 20:20:48 1997 Johan Danielsson - - * kdc: Make context global. - -Fri Aug 1 17:23:56 1997 Assar Westerlund - - * Release 0.0d - - * lib/roken/flock.c: new file - - * kuser/kinit.c: check for and print expiry information in the - `kdc_rep' - - * lib/krb5/get_in_tkt.c: Set `ret_as_reply' if != NULL - - * kdc/kerberos5.c: Check the valid times on client and server. - Check the password expiration. - Check the require_preauth flag. - Send an lr_type == 6 with pw_end. - Set key.expiration to min(valid_end, pw_end) - - * lib/hdb/hdb.asn1: new flags `require_preauth' and `change_pw' - - * admin/util.c, admin/load.c: handle the new flags. - -Fri Aug 1 16:56:12 1997 Johan Danielsson - - * lib/hdb: Add some simple locking. - -Sun Jul 27 04:44:31 1997 Johan Danielsson - - * lib/krb5/log.c: Add some general logging functions. - - * kdc/kerberos4.c: Add version 4 protocol handler. The requrement - for this to work is that all involved principals has a des key in - the database, and that the client has a version 4 (un-)salted - key. Furthermore krb5_425_conv_principal has to do it's job, as - present it's not very clever. - - * lib/krb5/principal.c: Quick patch to make 425_conv work - somewhat. - - * lib/hdb/hdb.c: Add keytype->key and next key functions. - -Fri Jul 25 17:32:12 1997 Assar Westerlund - - * lib/krb5/build_auth.c (krb5_build_authenticator): don't free - `cksum'. It's allocated and freed by the caller - - * lib/krb5/get_cred.c (krb5_get_kdc_cred): Don't free `addresses'. - - * kdc/kerberos5.c (tgs_rep2): make sure we also have an defined - `client' to return as part of the KRB-ERROR - -Thu Jul 24 08:13:59 1997 Johan Danielsson - - * kdc/kerberos5.c: Unseal keys from database before use. - - * kdc/misc.c: New functions set_master_key, unseal_key and - free_key. - - * lib/roken/getarg.c: Handle `-f arg' correctly. 
- -Thu Jul 24 01:54:43 1997 Assar Westerlund - - * kuser/kinit.c: implement `-l' aka `--lifetime' - - * lib/roken/parse_units.c, parse_time.c: new files - - * admin/gettime.c (gettime): use `parse_time' - - * kdc/kerberos5.c (as_rep): Use `METHOD-DATA' when sending - KRB5KDC_ERR_PREAUTH_REQUIRED, not PA-DATA. - - * kpasswd/kpasswdd.c: fix freeing bug use sequence numbers set - addresses in auth_context bind one socket per interface. - - * kpasswd/kpasswd.c: use sequence numbers - - * lib/krb5/rd_req.c (krb5_verify_ap_req): do abs when verifying - the timestamps - - * lib/krb5/rd_priv.c (krb5_rd_priv): Fetch the correct session key - from auth_context - - * lib/krb5/mk_priv.c (krb5_mk_priv): Fetch the correct session key - from auth_context - - * lib/krb5/mk_error.c (krb5_mk_error): return an error number and - not a comerr'd number. - - * lib/krb5/get_in_tkt.c (krb5_get_in_tkt): interpret the error - number in KRB-ERROR correctly. - - * lib/krb5/get_cred.c (krb5_get_kdc_cred): interpret the error - number in KRB-ERROR correctly. - - * lib/asn1/k5.asn1: Add `METHOD-DATA' - - * removed some memory leaks. - -Wed Jul 23 07:53:18 1997 Assar Westerlund - - * Release 0.0c - - * lib/krb5/rd_cred.c, get_for_creds.c: new files - - * lib/krb5/get_host_realm.c: try default realm as last chance - - * kpasswd/kpasswdd.c: updated to hdb changes - - * appl/telnet/libtelnet/kerberos5.c: Implement forwarding - - * appl/telnet/libtelnet: removed totally unused files - - * admin/ank.c: fix prompts and generation of random keys - -Wed Jul 23 04:02:32 1997 Johan Danielsson - - * admin/dump.c: Include salt in dump. - - * admin: Mostly updated for new db-format. - - * kdc/kerberos5.c: Update to use new db format. Better checking of - flags and such. More logging. - - * lib/hdb/hdb.c: Use generated encode and decode functions. - - * lib/hdb/hdb.h: Get hdb_entry from ASN.1 generated code. - - * lib/krb5/get_cred.c: Get addresses from krbtgt if there are none - in the reply. 
- -Sun Jul 20 16:22:30 1997 Assar Westerlund - - * kuser/kinit.c: break if des_read_pw_string() != 0 - - * kpasswd/kpasswdd.c: send a reply - - * kpasswd/kpasswd.c: restructured code. better report on - krb-error break if des_read_pw_string() != 0 - - * kdc/kerberos5.c: Check `require_enc_timestamp' malloc space for - starttime and renew_till - - * appl/telnet/libtelnet/kerberos5.c (kerberos5_is): Send a - keyblock to krb5_verify_chekcsum - -Sun Jul 20 06:35:46 1997 Johan Danielsson - - * Release 0.0b - - * kpasswd/kpasswd.c: Avoid using non-standard struct names. - -Sat Jul 19 19:26:23 1997 Assar Westerlund - - * lib/krb5/keytab.c (krb5_kt_get_entry): check return from - `krb5_kt_start_seq_get'. From - -Sat Jul 19 04:07:39 1997 Johan Danielsson - - * lib/asn1/k5.asn1: Update with more pa-data types from - draft-ietf-cat-kerberos-revisions-00.txt - - * admin/load.c: Update to match current db-format. - - * kdc/kerberos5.c (as_rep): Try all valid pa-datas before giving - up. Send back an empty pa-data if the client has the v4 flag set. - - * lib/krb5/get_in_tkt.c: Pass both version5 and version4 salted - pa-data. DTRT if there is any pa-data in the reply. - - * lib/krb5/str2key.c: XOR with some sane value. - - * lib/hdb/hdb.h: Add `version 4 salted key' flag. - - * kuser/kinit.c: Ask for password before calling get_in_tkt. This - makes it possible to call key_proc more than once. - - * kdc/string2key.c: Add flags to output version 5 (DES only), - version 4, and AFS string-to-key of a password. - - * lib/asn1/gen_copy.c: copy_* functions now returns an int (0 or - ENOMEM). - -Fri Jul 18 02:54:58 1997 Assar Westerlund - - * lib/krb5/get_host_realm.c (krb5_get_host_realm): do the - name2name thing - - * kdc/misc.c: check result of hdb_open - - * admin/kdb_edit: updated to new sl - - * lib/sl: sl_func now returns an int. != 0 means to exit. 
- - * kpasswd/kpasswdd: A crude (but somewhat working) implementation - of `draft-ietf-cat-kerb-chg-password-00.txt' - -Fri Jul 18 00:55:39 1997 Johan Danielsson - - * kuser/krenew.c: Crude ticket renewing program. - - * kdc/kerberos5.c: Rewritten flags parsing, it now might work to - get forwarded and renewed tickets. - - * kuser/kinit.c: Add `-r' flag. - - * lib/krb5/get_cred.c: Move most of contents of get_creds to new - function get_kdc_cred, that always contacts the kdc and doesn't - save in the cache. This is a hack. - - * lib/krb5/get_in_tkt.c: Pass starttime and renew_till in request - (a bit kludgy). - - * lib/krb5/mk_req_ext.c: Make an auth_context if none passed in. - - * lib/krb5/send_to_kdc.c: Get timeout from context. - - * lib/krb5/context.c: Add kdc_timeout to context struct. - -Thu Jul 17 20:35:45 1997 Johan Danielsson - - * kuser/klist.c: Print start time of ticket if available. - - * lib/krb5/get_host_realm.c: Return error if no realm was found. - -Thu Jul 17 20:28:21 1997 Assar Westerlund - - * kpasswd: non-working kpasswd added - -Thu Jul 17 00:21:22 1997 Johan Danielsson - - * Release 0.0a - - * kdc/main.c: Add -p flag to disable pa-enc-timestamp requirement. - -Wed Jul 16 03:37:41 1997 Johan Danielsson - - * kdc/kerberos5.c (tgs_rep2): Free ticket and ap_req. - - * lib/krb5/auth_context.c (krb5_auth_con_free): Free remote - subkey. - - * lib/krb5/principal.c (krb5_free_principal): Check for NULL. - - * lib/krb5/send_to_kdc.c: Check for NULL return from - gethostbyname. - - * lib/krb5/set_default_realm.c: Try to get realm of local host if - no default realm is available. - - * Remove non ASN.1 principal code. - -Wed Jul 16 03:17:30 1997 Johan Danielsson - - * kdc/kerberos5.c: Split tgs_rep in smaller functions. Add better - error handing. Do some logging. - - * kdc/log.c: Some simple logging facilities. - - * kdc/misc.c (db_fetch): Take a krb5_principal. - - * kdc/connect.c: Pass address of request to as_rep and - tgs_rep. Send KRB-ERROR. 
- - * lib/krb5/mk_error.c: Add more fields. - - * lib/krb5/get_cred.c: Print normal error code if no e_text is - available. - -Wed Jul 16 03:07:50 1997 Assar Westerlund - - * lib/krb5/get_in_tkt.c: implement `krb5_init_etype'. - Change encryption type of pa_enc_timestamp to DES-CBC-MD5 - - * lib/krb5/context.c: recognize all encryption types actually - implemented - - * lib/krb5/auth_context.c (krb5_auth_con_init): Change default - encryption type to `DES_CBC_MD5' - - * lib/krb5/read_message.c, write_message.c: new files - -Tue Jul 15 17:14:21 1997 Assar Westerlund - - * lib/asn1: replaced asn1_locl.h by `der_locl.h' and `gen_locl.h'. - - * lib/error/compile_et.awk: generate a prototype for the - `destroy_foo_error_table' function. - -Mon Jul 14 12:24:40 1997 Assar Westerlund - - * lib/krb5/krbhst.c (krb5_get_krbhst): Get all kdc's and try also - with `kerberos.REALM' - - * kdc/kerberos5.c, lib/krb5/rd_priv.c, lib/krb5/rd_safe.c: use - `max_skew' - - * lib/krb5/rd_req.c (krb5_verify_ap_req): record authenticator - subkey - - * lib/krb5/build_auth.c (krb5_build_authenticator): always - generate a subkey. - - * lib/krb5/address.c: implement `krb5_address_order' - - * lib/gssapi/import_name.c: Implement `gss_import_name' - - * lib/gssapi/external.c: Use new OID - - * lib/gssapi/encapsulate.c: New functions - `gssapi_krb5_encap_length' and `gssapi_krb5_make_header'. Changed - callers. - - * lib/gssapi/decapsulate.c: New function - `gssaspi_krb5_verify_header'. Changed callers. - - * lib/asn1/gen*.c: Give tags to generated structs. - Use `err' and `asprintf' - - * appl/test/gss_common.c: new file - - * appl/test/gssapi_server.c: removed all krb5 calls - - * appl/telnet/libtelnet/kerberos5.c: Add support for genering and - verifying checksums. Also start using session subkeys. - -Mon Jul 14 12:08:25 1997 Johan Danielsson - - * lib/krb5/rd_req.c (krb5_rd_req_with_keyblock): Split up. 
- -Sun Jul 13 03:07:44 1997 Assar Westerlund - - * lib/krb5/rd_safe.c, mk_safe.c: made bug-compatible with MIT - - * lib/krb5/encrypt.c: new functions `DES_encrypt_null_ivec' and - `DES_encrypt_key_ivec' - - * lib/krb5/checksum.c: implement rsa-md4-des and rsa-md5-des - - * kdc/kerberos5.c (tgs_rep): support keyed checksums - - * lib/krb5/creds.c: new file - - * lib/krb5/get_in_tkt.c: better freeing - - * lib/krb5/context.c (krb5_free_context): more freeing - - * lib/krb5/config_file.c: New function `krb5_config_file_free' - - * lib/error/compile_et.awk: Generate a `destroy_' function. - - * kuser/kinit.c, klist.c: Don't leak memory. - -Sun Jul 13 02:46:27 1997 Johan Danielsson - - * kdc/connect.c: Check filedescriptor in select. - - * kdc/kerberos5.c: Remove most of the most common memory leaks. - - * lib/krb5/rd_req.c: Free allocated data. - - * lib/krb5/auth_context.c (krb5_auth_con_free): Free a lot of - fields. - -Sun Jul 13 00:32:16 1997 Assar Westerlund - - * appl/telnet: Conditionalize the krb4-support. - - * configure.in: Test for krb4 - -Sat Jul 12 17:14:12 1997 Assar Westerlund - - * kdc/kerberos5.c: check if the pre-auth was decrypted properly. - set the `pre_authent' flag - - * lib/krb5/get_cred.c, lib/krb5/get_in_tkt.c: generate a random nonce. - - * lib/krb5/encrypt.c: Made `generate_random_block' global. - - * appl/test: Added gssapi_client and gssapi_server. - - * lib/krb5/data.c: Add `krb5_data_zero' - - * appl/test/tcp_client.c: try `mk_safe' and `mk_priv' - - * appl/test/tcp_server.c: try `rd_safe' and `rd_priv' - -Sat Jul 12 16:45:58 1997 Johan Danielsson - - * lib/krb5/get_addrs.c: Fix for systems that has sa_len, but - returns zero length from SIOCGIFCONF. 
- -Sat Jul 12 16:38:34 1997 Assar Westerlund - - * appl/test: new programs - - * lib/krb5/rd_req.c: add address compare - - * lib/krb5/mk_req_ext.c: allow no checksum - - * lib/krb5/keytab.c (krb5_kt_ret_string): 0-terminate string - - * lib/krb5/address.c: fix `krb5_address_compare' - -Sat Jul 12 15:03:16 1997 Johan Danielsson - - * lib/krb5/get_addrs.c: Fix ip4 address extraction. - - * kuser/klist.c: Add verbose flag, and split main into smaller - pieces. - - * lib/krb5/fcache.c: Save ticket flags. - - * lib/krb5/get_in_tkt.c (extract_ticket): Extract addresses and - flags. - - * lib/krb5/krb5.h: Add ticket_flags to krb5_creds. - -Sat Jul 12 13:12:48 1997 Assar Westerlund - - * configure.in: Call `AC_KRB_PROG_LN_S' - - * acinclude.m4: Add `AC_KRB_PROG_LN_S' from krb4 - -Sat Jul 12 00:57:01 1997 Johan Danielsson - - * lib/krb5/get_in_tkt.c: Use union of krb5_flags and KDCOptions to - pass options. - -Fri Jul 11 15:04:22 1997 Assar Westerlund - - * appl/telnet: telnet & telnetd seems to be working. - - * lib/krb5/config_file.c: Added krb5_config_v?get_list Fixed - krb5_config_vget_next - - * appl/telnet/libtelnet/kerberos5.c: update to current API - -Thu Jul 10 14:54:39 1997 Assar Westerlund - - * appl/telnet/libtelnet/kerberos5.c (kerberos5_status): call - `krb5_kuserok' - - * appl/telnet: Added. - -Thu Jul 10 05:09:25 1997 Johan Danielsson - - * lib/error/compile_et.awk: Remove usage of sub, gsub, and - functions for compatibility with awk. - - * include/bits.c: Must use signed char. - - * lib/krb5/context.c: Move krb5_get_err_text, and krb5_init_ets - here. - - * lib/error/error.c: Replace krb5_get_err_text with new function - com_right. - - * lib/error/compile_et.awk: Avoid using static variables. - - * lib/error/error.c: Don't use krb5_locl.h - - * lib/error/error.h: Move definitions of error_table and - error_list from krb5.h. - - * lib/error: Moved from lib/krb5. 
- -Wed Jul 9 07:42:04 1997 Johan Danielsson - - * lib/krb5/encrypt.c: Temporary hack to avoid des_rand_data. - -Wed Jul 9 06:58:00 1997 Assar Westerlund - - * lib/krb5/{rd,mk}_{*}.c: more checking for addresses and stuff - according to pseudocode from 1510 - -Wed Jul 9 06:06:06 1997 Johan Danielsson - - * lib/hdb/hdb.c: Add hdb_etype2key. - - * kdc/kerberos5.c: Check authenticator. Use more general etype - functions. - -Wed Jul 9 03:51:12 1997 Assar Westerlund - - * lib/asn1/k5.asn1: Made all `s_address' OPTIONAL according to - draft-ietf-cat-kerberos-r-00.txt - - * lib/krb5/principal.c (krb5_parse_name): default to local realm - if none given - - * kuser/kinit.c: New option `-p' and prompt - -Wed Jul 9 02:30:06 1997 Johan Danielsson - - * lib/krb5/keyblock.c: Keyblock generation functions. - - * lib/krb5/encrypt.c: Use functions from checksum.c. - - * lib/krb5/checksum.c: Move checksum functions here. Add - krb5_cksumsize function. - -Wed Jul 9 01:15:38 1997 Assar Westerlund - - * lib/krb5/get_host_realm.c: implemented - - * lib/krb5/config_file.c: Redid part. New functions: - krb5_config_v?get_next - - * kuser/kdestroy.c: new program - - * kuser/kinit.c: new flag `-f' - - * lib/asn1/k5.asn1: Made HostAddresses = SEQUENCE OF HostAddress - - * acinclude.m4: Added AC_KRB_STRUCT_SOCKADDR_SA_LEN - - * lib/krb5/krb5.h: krb5_addresses == HostAddresses. Changed all - users. - - * lib/krb5/get_addrs.c: figure out all local addresses, possibly - even IPv6! - - * lib/krb5/checksum.c: table-driven checksum - -Mon Jul 7 21:13:28 1997 Johan Danielsson - - * lib/krb5/encrypt.c: Make krb5_decrypt use the same struct as - krb5_encrypt. - -Mon Jul 7 11:15:51 1997 Assar Westerlund - - * lib/roken/vsyslog.c: new file - - * lib/krb5/encrypt.c: add des-cbc-md4. - adjust krb5_encrypt and krb5_decrypt to reality - -Mon Jul 7 02:46:31 1997 Johan Danielsson - - * lib/krb5/encrypt.c: Implement as a vector of function pointers. 
- - * lib/krb5/{decrypt,encrypt}.c: Implement des-cbc-crc, and - des-cbc-md5 in separate functions. - - * lib/krb5/krb5.h: Add more checksum and encryption types. - - * lib/krb5/krb5_locl.h: Add etype to krb5_decrypt. - -Sun Jul 6 23:02:59 1997 Assar Westerlund - - * lib/krb5/[gs]et_default_realm.c, kuserok.c: new files - - * lib/krb5/config_file.[ch]: new c-based configuration reading - stuff - -Wed Jul 2 23:12:56 1997 Assar Westerlund - - * configure.in: Set WFLAGS if using gcc - -Wed Jul 2 17:47:03 1997 Johan Danielsson - - * lib/asn1/der_put.c (der_put_int): Return size correctly. - - * admin/ank.c: Be compatible with the asn1 principal format. - -Wed Jul 1 23:52:20 1997 Johan Danielsson - - * lib/asn1: Now all decode_* and encode_* functions now take a - final size_t* argument, that they return the size in. Return - values are zero for success, and anything else (such as some - ASN1_* constant) for error. - -Mon Jun 30 06:08:14 1997 Assar Westerlund - - * lib/krb5/keytab.c (krb5_kt_add_entry): change open mode to - O_WRONLY | O_APPEND - - * lib/krb5/get_cred.c: removed stale prototype for - `extract_ticket' and corrected call. - - * lib/asn1/gen_length.c (length_type): Make the length functions - for SequenceOf non-destructive - - * admin/ank.c (doit): Fix reading of `y/n'. - -Mon Jun 16 05:41:43 1997 Assar Westerlund - - * lib/gssapi/wrap.c, unwrap.c: do encrypt and add sequence number - - * lib/gssapi/get_mic.c, verify_mic.c: Add sequence number. - - * lib/gssapi/accept_sec_context.c (gss_accept_sec_context): Set - KRB5_AUTH_CONTEXT_DO_SEQUENCE. Verify 8003 checksum. - - * lib/gssapi/8003.c: New file. - - * lib/krb/krb5.h: Define a `krb_authenticator' as an ASN.1 - Authenticator. - - * lib/krb5/auth_context.c: New functions - `krb5_auth_setlocalseqnumber' and `krb5_auth_setremoteseqnumber' - -Tue Jun 10 00:35:54 1997 Johan Danielsson - - * lib/krb5: Preapre for use of some asn1-types. - - * lib/asn1/*.c (copy_*): Constness. 
- - * lib/krb5/krb5.h: Include asn1.h; krb5_data is now an - octet_string. - - * lib/asn1/der*,gen.c: krb5_data -> octet_string, char * -> - general_string - - * lib/asn1/libasn1.h: Moved stuff from asn1_locl.h that doesn't - have anything to do with asn1_compile. - - * lib/asn1/asn1_locl.h: Remove der.h. Add some prototypes. - -Sun Jun 8 03:51:55 1997 Assar Westerlund - - * kdc/kerberos5.c: Fix PA-ENC-TS-ENC - - * kdc/connect.c(process_request): Set `new' - - * lib/krb5/get_in_tkt.c: Do PA-ENC-TS-ENC the correct way. - - * lib: Added editline,sl,roken. - -Mon Jun 2 00:37:48 1997 Johan Danielsson - - * lib/krb5/fcache.c: Move file cache from cache.c. - - * lib/krb5/cache.c: Allow more than one cache type. - -Sun Jun 1 23:45:33 1997 Johan Danielsson - - * admin/extkeytab.c: Merged with kdb_edit. - -Sun Jun 1 23:23:08 1997 Assar Westerlund - - * kdc/kdc.c: more support for ENC-TS-ENC - - * lib/krb5/get_in_tkt.c: redone to enable pre-authentication - -Sun Jun 1 22:45:11 1997 Johan Danielsson - - * lib/hdb/db.c: Merge fetch and store. - - * admin: Merge to one program. - - * lib/krb5/str2key.c: Fill in keytype and length. - -Sun Jun 1 16:31:23 1997 Assar Westerlund - - * lib/krb5/rd_safe.c, lib/krb5/rd_priv.c, lib/krb5/mk_rep.c, - lib/krb5/mk_priv.c, lib/krb5/build_auth.c: Some support for - KRB5_AUTH_CONTEXT_DO_SEQUENCE - - * lib/krb5/get_in_tkt.c (get_in_tkt): be prepared to parse an - KRB_ERROR. Some support for PA_ENC_TS_ENC. - - * lib/krb5/auth_context.c: implemented seq_number functions - - * lib/krb5/generate_subkey.c, generate_seq_number.c: new files - - * lib/gssapi/gssapi.h: avoid including - - * lib/asn1/Makefile.am: SUFFIXES as a variable to make automake - happy - - * kdc/kdc.c: preliminary PREAUTH_ENC_TIMESTAMP - - * configure.in: adapted to automake 1.1p - -Mon May 26 22:26:21 1997 Johan Danielsson - - * lib/krb5/principal.c: Add contexts to many functions. 
- -Thu May 15 20:25:37 1997 Johan Danielsson - - * lib/krb5/verify_user.c: First stab at a verify user. - - * lib/auth/sia/sia5.c: SIA module for Kerberos 5. - -Mon Apr 14 00:09:03 1997 Assar Westerlund - - * lib/gssapi: Enough of a gssapi-over-krb5 implementation to be - able to (mostly) run gss-client and gss-server. - - * lib/krb5/keytab.c: implemented krb5_kt_add_entry, - krb5_kt_store_principal, krb5_kt_store_keyblock - - * lib/des/md5.[ch], sha.[ch]: new files - - * lib/asn1/der_get.c (generalizedtime2time): use `timegm' - - * lib/asn1/timegm.c: new file - - * admin/extkeytab.c: new program - - * admin/admin_locl.h: new file - - * admin/Makefile.am: Added extkeytab - - * configure.in: moved config to include - removed timezone garbage - added lib/gssapi and admin - - * Makefile.am: Added admin - -Mon Mar 17 11:34:05 1997 Johan Danielsson - - * kdc/kdc.c: Use new copying functions, and free some data. - - * lib/asn1/Makefile.am: Try to not always rebuild generated files. - - * lib/asn1/der_put.c: Add fix_dce(). - - * lib/asn1/der_{get,length,put}.c: Fix include files. - - * lib/asn1/der_free.c: Remove unused functions. - - * lib/asn1/gen.c: Split into gen_encode, gen_decode, gen_free, - gen_length, and gen_copy. - -Sun Mar 16 18:13:52 1997 Assar Westerlund - - * lib/krb5/sendauth.c: implemented functionality - - * lib/krb5/rd_rep.c: Use `krb5_decrypt' - - * lib/krb5/cache.c (krb5_cc_get_name): return default if `id' == - NULL - - * lib/krb5/principal.c (krb5_free_principal): added `context' - argument. Changed all callers. - - (krb5_sname_to_principal): new function - - * lib/krb5/auth_context.c (krb5_free_authenticator): add `context' - argument. Changed all callers - - * lib/krb5/{net_write.c,net_read.c,recvauth.c}: new files - - * lib/asn1/gen.c: Fix encoding and decoding of BitStrings - -Fri Mar 14 11:29:00 1997 Assar Westerlund - - * configure.in: look for *dbm? - - * lib/asn1/gen.c: Fix filename in generated files. Check fopens. 
- Put trailing newline in asn1_files. - -Fri Mar 14 05:06:44 1997 Johan Danielsson - - * lib/krb5/get_in_tkt.c: Fix some memory leaks. - - * lib/krb5/krbhst.c: Properly free hostlist. - - * lib/krb5/decrypt.c: CRCs are 32 bits. - -Fri Mar 14 04:39:15 1997 Johan Danielsson - - * lib/asn1/gen.c: Generate one file for each type. - -Fri Mar 14 04:13:47 1997 Assar Westerlund - - * lib/asn1/gen.c: Generate `length_FOO' functions - - * lib/asn1/der_length.c: new file - - * kuser/klist.c: renamed stime -> printable_time to avoid conflict - on HP/UX - -Fri Mar 14 03:37:23 1997 Johan Danielsson - - * lib/hdb/ndbm.c: Return NOENTRY if fetch fails. Don't free - datums. Don't add .db to filename. - -Fri Mar 14 02:49:51 1997 Johan Danielsson - - * kdc/dump.c: Database dump program. - - * kdc/ank.c: Trivial database editing program. - - * kdc/{kdc.c, load.c}: Use libhdb. - - * lib/hdb: New database routine library. - - * lib/krb5/error/Makefile.am: Add hdb_err. - -Wed Mar 12 17:41:14 1997 Johan Danielsson - - * kdc/kdc.c: Rewritten AS, and somewhat more working TGS support. - - * lib/asn1/gen.c: Generate free functions. - - * Some specific free functions. - -Wed Mar 12 12:30:13 1997 Assar Westerlund - - * lib/krb5/krb5_mk_req_ext.c: new file - - * lib/asn1/gen.c: optimize the case with a simple type - - * lib/krb5/get_cred.c (krb5_get_credentials): Use - `mk_req_extended' and remove old code. - - * lib/krb5/get_in_tkt.c (decrypt_tkt): First try with an - EncASRepPart, then with an EncTGSRepPart. - -Wed Mar 12 08:26:04 1997 Johan Danielsson - - * lib/krb5/store_emem.c: New resizable memory storage. - - * lib/krb5/{store.c, store_fd.c, store_mem.c}: Split of store.c - - * lib/krb5/krb5.h: Add free entry to krb5_storage. - - * lib/krb5/decrypt.c: Make keyblock const. - -Tue Mar 11 20:22:17 1997 Johan Danielsson - - * lib/krb5/krb5.h: Add EncTicketPart to krb5_ticket. - - * lib/krb5/rd_req.c: Return whole asn.1 ticket in - krb5_ticket->tkt. 
- - * lib/krb5/get_in_tkt.c: TGS -> AS - - * kuser/kfoo.c: Print error string rather than number. - - * kdc/kdc.c: Some kind of non-working TGS support. - -Mon Mar 10 01:43:22 1997 Assar Westerlund - - * lib/asn1/gen.c: reduced generated code by 1/5 - - * lib/asn1/der_put.c: (der_put_length_and_tag): new function - - * lib/asn1/der_get.c (der_match_tag_and_length): new function - - * lib/asn1/der.h: added prototypes - -Mon Mar 10 01:15:43 1997 Johan Danielsson - - * lib/krb5/krb5.h: Include . Add prototype for - krb5_rd_req_with_keyblock. - - * lib/krb5/rd_req.c: Add function krb5_rd_req_with_keyblock that - takes a precomputed keyblock. - - * lib/krb5/get_cred.c: Use krb5_mk_req rather than inlined code. - - * lib/krb5/mk_req.c: Calculate checksum of in_data. - -Sun Mar 9 21:17:58 1997 Johan Danielsson - - * lib/krb5/error/compile_et.awk: Add a declaration of struct - error_list, and multiple inclusion block to header files. - -Sun Mar 9 21:01:12 1997 Assar Westerlund - - * lib/krb5/rd_req.c: do some checks on times - - * lib/krb/{mk_priv.c, rd_priv.c, sendauth.c, decrypt.c, - address.c}: new files - - * lib/krb5/auth_context.c: more code - - * configure.in: try to figure out timezone - -Sat Mar 8 11:41:07 1997 Johan Danielsson - - * lib/krb5/error/error.c: Try strerror if error code wasn't found. - - * lib/krb5/get_in_tkt.c: Remove realm parameter from - krb5_get_salt. - - * lib/krb5/context.c: Initialize error table. - - * kdc: The beginnings of a kdc. - -Sat Mar 8 08:16:28 1997 Assar Westerlund - - * lib/krb5/rd_safe.c: new file - - * lib/krb5/checksum.c (krb5_verify_checksum): New function - - * lib/krb5/get_cred.c: use krb5_create_checksum - - * lib/krb5/checksum.c: new file - - * lib/krb5/store.c: no more arithmetic with void* - - * lib/krb5/cache.c: now seems to work again - -Sat Mar 8 06:58:09 1997 Johan Danielsson - - * lib/krb5/Makefile.am: Add asn1_glue.c and error/*.c to libkrb5. - - * lib/krb5/get_in_tkt.c: Moved some functions to asn1_glue.c. 
- - * lib/krb5/asn1_glue.c: Moved some asn1-stuff here. - - * lib/krb5/{cache,keytab}.c: Use new storage functions. - - * lib/krb5/krb5.h: Protypes for new storage functions. - - * lib/krb5/krb5.h: Make krb5_{ret,store}_* functions able to write - data to more than file descriptors. - -Sat Mar 8 01:01:17 1997 Assar Westerlund - - * lib/krb5/encrypt.c: New file. - - * lib/krb5/Makefile.am: More -I - - * configure.in: Test for big endian, random, rand, setitimer - - * lib/asn1/gen.c: perhaps even decodes bitstrings - -Thu Mar 6 19:05:29 1997 Johan Danielsson - - * lib/krb5/config_file.y: Better return values on error. - -Sat Feb 8 15:59:56 1997 Assar Westerlund - - * lib/asn1/parse.y: ifdef HAVE_STRDUP - - * lib/asn1/lex.l: ifdef strdup - brange-dead version of list of special characters to make stupid - lex accept it. - - * lib/asn1/gen.c: A DER integer should really be a `unsigned' - - * lib/asn1/der_put.c: A DER integer should really be a `unsigned' - - * lib/asn1/der_get.c: A DER integer should really be a `unsigned' - - * lib/krb5/error/Makefile.am: It seems "$(SHELL) ./compile_et" is - needed. - - * lib/krb/mk_rep.c, lib/krb/rd_req.c, lib/krb/store.c, - lib/krb/store.h: new files. - - * lib/krb5/keytab.c: now even with some functionality. - - * lib/asn1/gen.c: changed paramater from void * to Foo * - - * lib/asn1/der_get.c (der_get_octet_string): Fixed bug with empty - string. - -Sun Jan 19 06:17:39 1997 Assar Westerlund - - * lib/krb5/get_cred.c (krb5_get_credentials): Check for creds in - cc before getting new ones. - - * lib/krb5/krb5.h (krb5_free_keyblock): Fix prototype. - - * lib/krb5/build_auth.c (krb5_build_authenticator): It seems the - CRC should be stored LSW first. (?) 
- * lib/krb5/auth_context.c: Implement `krb5_auth_con_getkey' and - `krb5_free_keyblock' - - * lib/**/Makefile.am: Rename foo libfoo.a - - * include/Makefile.in: Use test instead of [ - -e does not work with /bin/sh on psoriasis - - * configure.in: Search for awk - create lib/krb/error/compile_et - -Tue Jan 14 03:46:26 1997 Assar Westerlund - - * lib/krb5/Makefile.am: replaced mit-crc.c by crc.c - -Wed Dec 18 00:53:55 1996 Johan Danielsson - - * kuser/kinit.c: Guess principal. - - * lib/krb5/error/compile_et.awk: Don't include krb5.h. Fix some - warnings. - - * lib/krb5/error/asn1_err.et: Add ASN.1 error messages. - - * lib/krb5/mk_req.c: Get client from cache. - - * lib/krb5/cache.c: Add better error checking some useful return - values. - - * lib/krb5/krb5.h: Fix krb5_auth_context. - - * lib/asn1/der.h: Make krb5_data compatible with krb5.h - -Tue Dec 17 01:32:36 1996 Johan Danielsson - - * lib/krb5/error: Add primitive error library. - -Mon Dec 16 16:30:20 1996 Johan Danielsson - - * lib/krb5/cache.c: Get correct address type from cache. - - * lib/krb5/krb5.h: Change int16 to int to be compatible with asn1. -
diff --git a/crypto/heimdal-0.6.3/ChangeLog.1999 b/crypto/heimdal-0.6.3/ChangeLog.1999
deleted file mode 100644
index e022b96824..0000000000
--- a/crypto/heimdal-0.6.3/ChangeLog.1999
+++ /dev/null
@@ -1,2194 +0,0 @@
-1999-12-30 Assar Westerlund - - * configure.in (krb4): use `-ldes' in tests - -1999-12-26 Assar Westerlund - - * lib/hdb/print.c (event2string): handle events without principal. - From Luke Howard - -1999-12-25 Assar Westerlund - - * Release 0.2j - -Tue Dec 21 18:03:17 1999 Assar Westerlund - - * lib/hdb/Makefile.am (asn1_files): add $(EXEEXT) for cygwin and - related systems - - * lib/asn1/Makefile.am (asn1_files): add $(EXEEXT) for cygwin and - related systems - - * include/Makefile.am (krb5-types.h): add $(EXEEXT) for cygwin and - related systems - -1999-12-20 Assar Westerlund - - * Release 0.2i - -1999-12-20 Assar Westerlund - - * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump version to 6:3:1 - - * lib/krb5/send_to_kdc.c (send_via_proxy): free data - * lib/krb5/send_to_kdc.c (send_via_proxy): new function use - getaddrinfo instead of gethostbyname{,2} - * lib/krb5/get_for_creds.c: use getaddrinfo instead of - getnodebyname{,2} - -1999-12-17 Assar Westerlund - - * Release 0.2h - -1999-12-17 Assar Westerlund - - * Release 0.2g - -1999-12-16 Assar Westerlund - - * lib/krb5/Makefile.am: bump version to 6:2:1 - - * lib/krb5/principal.c (krb5_sname_to_principal): handle - ai_canonname not being set - * lib/krb5/expand_hostname.c (krb5_expand_hostname): handle - ai_canonname not being set - - * appl/test/uu_server.c: print messages to stderr - * appl/test/tcp_server.c: print messages to stderr - * appl/test/nt_gss_server.c: print messages to stderr - * appl/test/gssapi_server.c: print messages to stderr - - * appl/test/tcp_client.c (proto): remove shadowing `context' - * appl/test/common.c (client_doit): add forgotten ntohs - -1999-12-13 Assar Westerlund - - * configure.in (VERISON): bump to 0.2g-pre - -1999-12-12 Assar Westerlund - - * lib/krb5/principal.c (krb5_425_conv_principal_ext): be more - robust and handle extra dot at the beginning of default_domain - -1999-12-12 Assar Westerlund - - * Release 0.2f - -1999-12-12 Assar Westerlund - - * 
lib/krb5/Makefile.am: bump version to 6:1:1 - - * lib/krb5/changepw.c (get_kdc_address): use - `krb5_get_krb_changepw_hst' - - * lib/krb5/krbhst.c (krb5_get_krb_changepw_hst): add - - * lib/krb5/get_host_realm.c: add support for _kerberos.domain - (according to draft-ietf-cat-krb-dns-locate-01.txt) - -1999-12-06 Assar Westerlund - - * Release 0.2e - -1999-12-06 Assar Westerlund - - * lib/krb5/changepw.c (krb5_change_password): use the correct - address - - * lib/krb5/Makefile.am: bump version to 6:0:1 - - * lib/asn1/Makefile.am: bump version to 1:4:0 - -1999-12-04 Assar Westerlund - - * configure.in: move AC_KRB_IPv6 to make sure it's performed - before AC_BROKEN - (el_init): use new feature of AC_FIND_FUNC_NO_LIBS - - * appl/test/uu_client.c: use client_doit - * appl/test/test_locl.h (client_doit): add prototype - * appl/test/tcp_client.c: use client_doit - * appl/test/nt_gss_client.c: use client_doit - * appl/test/gssapi_client.c: use client_doit - * appl/test/common.c (client_doit): move identical code here and - start using getaddrinfo - - * appl/kf/kf.c (doit): rewrite to use getaddrinfo - * kdc/hprop.c: re-write to use getaddrinfo - * lib/krb5/principal.c (krb5_sname_to_principal): use getaddrinfo - * lib/krb5/expand_hostname.c (krb5_expand_hostname): use - getaddrinfo - * lib/krb5/changepw.c: re-write to use getaddrinfo - * lib/krb5/addr_families.c (krb5_parse_address): use getaddrinfo - -1999-12-03 Assar Westerlund - - * configure.in (BROKEN): check for freeaddrinfo, getaddrinfo, - getnameinfo, gai_strerror - (socklen_t): check for - -1999-12-02 Johan Danielsson - - * lib/krb5/crypto.c: ARCFOUR_set_key -> RC4_set_key - -1999-11-23 Assar Westerlund - - * lib/krb5/crypto.c (ARCFOUR_string_to_key): change order of bytes - within unicode characters. this should probably be done in some - arbitrarly complex way to do it properly and you would have to - know what character encoding was used for the password and salt - string. 
- - * lib/krb5/addr_families.c (ipv4_uninteresting): ignore 0.0.0.0 - (INADDR_ANY) - (ipv6_uninteresting): remove unused macro - -1999-11-22 Johan Danielsson - - * lib/krb5/krb5.h: rc4->arcfour - - * lib/krb5/crypto.c: rc4->arcfour - -1999-11-17 Assar Westerlund - - * lib/krb5/krb5_locl.h: add - * lib/krb5/krb5.h (krb5_keytype): add KEYTYPE_RC4 - * lib/krb5/crypto.c: some code for doing RC4/MD5/HMAC which might - not be totally different from some small company up in the - north-west corner of the US - - * lib/krb5/get_addrs.c (find_all_addresses): change code to - actually increment buf_size - -1999-11-14 Assar Westerlund - - * lib/krb5/krb5.h (krb5_context_data): add `scan_interfaces' - * lib/krb5/get_addrs.c (krb5_get_all_client_addrs): make interaces - scanning optional - * lib/krb5/context.c (init_context_from_config_file): set - `scan_interfaces' - - * lib/krb5/Makefile.am (libkrb5_la_SOURCES): add add_et_list.c - * lib/krb5/add_et_list.c (krb5_add_et_list): new function - -1999-11-12 Assar Westerlund - - * lib/krb5/get_default_realm.c (krb5_get_default_realm, - krb5_get_default_realms): set realms if they were unset - * lib/krb5/context.c (init_context_from_config_file): don't - initialize default realms here. it's done lazily instead. - - * lib/krb5/krb5.h (KRB5_TC_*): make constants unsigned - * lib/asn1/gen_glue.c (generate_2int, generate_units): make sure - bit constants are unsigned - * lib/asn1/gen.c (define_type): make length in sequences be - unsigned. - - * configure.in: remove duplicate test for setsockopt test for - struct tm.tm_isdst - - * lib/krb5/get_in_tkt.c (krb5_get_in_cred): generate - preauthentication information if we get back ERR_PREAUTH_REQUIRED - * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): remove - preauthentication generation code. 
it's now in krb5_get_in_cred - - * configure.in (AC_BROKEN_SNPRINTF): add strptime check for struct - tm.tm_gmtoff and timezone - -1999-11-11 Johan Danielsson - - * kdc/main.c: make this work with multi-db - - * kdc/kdc_locl.h: make this work with multi-db - - * kdc/config.c: make this work with multi-db - -1999-11-09 Johan Danielsson - - * kdc/misc.c: update for multi-database code - - * kdc/main.c: update for multi-database code - - * kdc/kdc_locl.h: update - - * kdc/config.c: allow us to have more than one database - -1999-11-04 Assar Westerlund - - * Release 0.2d - - * lib/krb5/Makefile.am: bump version to 5:0:0 to be safe - (krb5_context_data has changed and some code do (might) access - fields directly) - - * lib/krb5/krb5.h (krb5_context_data): add `etypes_des' - - * lib/krb5/get_cred.c (init_tgs_req): use - krb5_keytype_to_enctypes_default - - * lib/krb5/crypto.c (krb5_keytype_to_enctypes_default): new - function - - * lib/krb5/context.c (set_etypes): new function - (init_context_from_config_file): set both `etypes' and `etypes_des' - -1999-11-02 Assar Westerlund - - * configure.in (VERSION): bump to 0.2d-pre - -1999-10-29 Assar Westerlund - - * lib/krb5/principal.c (krb5_parse_name): check memory allocations - -1999-10-28 Assar Westerlund - - * Release 0.2c - - * lib/krb5/dump_config.c (print_tree): check for empty tree - - * lib/krb5/string-to-key-test.c (tests): update the test cases - with empty principals so that they actually use an empty realm and - not the default. 
use the correct etype for 3DES - - * lib/krb5/Makefile.am: bump version to 4:1:0 - - * kdc/config.c (configure): more careful with the port string - -1999-10-26 Assar Westerlund - - * Release 0.2b - -1999-10-20 Assar Westerlund - - * lib/krb5/Makefile.am: bump version to 4:0:0 - (krb524_convert_creds_kdc and potentially some other functions - have changed prototypes) - - * lib/hdb/Makefile.am: bump version to 4:0:1 - - * lib/asn1/Makefile.am: bump version to 1:3:0 - - * configure.in (LIB_roken): add dbopen. getcap in roken - references dbopen and with shared libraries we need to add this - dependency. - - * lib/krb5/verify_krb5_conf.c (main): support speicifying the - configuration file to test on the command line - - * lib/krb5/config_file.c (parse_binding): handle line with no - whitespace before = - (krb5_config_parse_file_debug): set lineno earlier so that we don't - use it unitialized - - * configure.in (AM_INIT_AUTOMAKE): bump to 0.2b-pre opt*: need - more include files for these tests - - * lib/krb5/set_default_realm.c (krb5_set_default_realm): use - krb5_config_get_strings, which means that your configuration file - should look like: - - [libdefaults] - default_realm = realm1 realm2 realm3 - - * lib/krb5/set_default_realm.c (config_binding_to_list): fix - copy-o. From Michal Vocu - - * kdc/config.c (configure): add a missing strdup. From Michal - Vocu - -1999-10-17 Assar Westerlund - - * Release 0.2a - - * configure.in: only test for db.h with using berkeley_db. remember - to link with LIB_tgetent when checking for el_init. 
add xnlock - - * appl/Makefile.am: add xnlock - - * kdc/kerberos5.c (find_etype): support null keys - - * kdc/kerberos4.c (get_des_key): support null keys - - * lib/krb5/crypto.c (krb5_get_wrapped_length): more correct - calculation - -1999-10-16 Johan Danielsson - - * kuser/kinit.c (main): pass ccache to krb524_convert_creds_kdc - -1999-10-12 Johan Danielsson - - * lib/krb5/crypto.c (krb5_enctype_to_keytype): remove warning - -1999-10-10 Assar Westerlund - - * lib/krb5/mk_req.c (krb5_mk_req): use krb5_free_host_realm - - * lib/krb5/krb5.h (krb5_ccache_data): make `ops' const - - * lib/krb5/crypto.c (krb5_string_to_salttype): new function - - * **/*.[ch]: const-ize - -1999-10-06 Assar Westerlund - - * lib/krb5/creds.c (krb5_compare_creds): const-ify - - * lib/krb5/cache.c: clean-up and comment-up - - * lib/krb5/copy_host_realm.c (krb5_copy_host_realm): copy all the - strings - - * lib/krb5/verify_user.c (krb5_verify_user_lrealm): free the - correct realm part - - * kdc/connect.c (handle_tcp): things work much better when ret is - initialized - -1999-10-03 Assar Westerlund - - * lib/krb5/convert_creds.c (krb524_convert_creds_kdc): look at the - type of the session key - - * lib/krb5/crypto.c (krb5_enctypes_compatible_keys): spell - correctly - - * lib/krb5/creds.c (krb5_compare_creds): fix spelling of - krb5_enctypes_compatible_keys - - * lib/krb5/convert_creds.c (krb524_convert_creds_kdc): get new - credentials from the KDC if the existing one doesn't have a DES - session key. 
- - * lib/45/get_ad_tkt.c (get_ad_tkt): update to new - krb524_convert_creds_kdc - -1999-10-03 Johan Danielsson - - * lib/krb5/keytab_keyfile.c: make krb5_akf_ops const - - * lib/krb5/keytab_memory.c: make krb5_mkt_ops const - - * lib/krb5/keytab_file.c: make krb5_fkt_ops const - -1999-10-01 Assar Westerlund - - * lib/krb5/config_file.c: rewritten to allow error messages - - * lib/krb5/Makefile.am (bin_PROGRAMS): add verify_krb5_conf - (libkrb5_la_SOURCES): add config_file_netinfo.c - - * lib/krb5/verify_krb5_conf.c: new program for verifying that - krb5.conf is corret - - * lib/krb5/config_file_netinfo.c: moved netinfo code here from - config_file.c - -1999-09-28 Assar Westerlund - - * kdc/hpropd.c (dump_krb4): kludge default_realm - - * lib/asn1/check-der.c: add test cases for Generalized time and - make sure we return the correct value - - * lib/asn1/der_put.c: simplify by using der_put_length_and_tag - - * lib/krb5/verify_user.c (krb5_verify_user_lrealm): ariant of - krb5_verify_user that tries in all the local realms - - * lib/krb5/set_default_realm.c: add support for having several - default realms - - * lib/krb5/kuserok.c (krb5_kuserok): use `krb5_get_default_realms' - - * lib/krb5/get_default_realm.c (krb5_get_default_realms): add - - * lib/krb5/krb5.h (krb5_context_data): change `default_realm' to - `default_realms' - - * lib/krb5/context.c: change from `default_realm' to - `default_realms' - - * lib/krb5/aname_to_localname.c (krb5_aname_to_localname): use - krb5_get_default_realms - - * lib/krb5/Makefile.am (libkrb5_la_SOURCES): add copy_host_realm.c - - * lib/krb5/copy_host_realm.c: new file - -1999-09-27 Johan Danielsson - - * lib/asn1/der_put.c (encode_generalized_time): encode length - - * lib/krb5/recvauth.c: new function `krb5_recvauth_match_version' - that allows more intelligent matching of the application version - -1999-09-26 Assar Westerlund - - * lib/asn1/asn1_print.c: add err.h - - * kdc/config.c (configure): use parse_bytes - - * 
appl/test/nt_gss_common.c: use the correct header file - -1999-09-24 Johan Danielsson - - * kuser/klist.c: add a `--cache' flag - - * kuser/kinit.c (main): only get default value for `get_v4_tgt' if - it's explicitly set in krb5.conf - -1999-09-23 Assar Westerlund - - * lib/asn1/asn1_print.c (tag_names); add another univeral tag - - * lib/asn1/der.h: update universal tags - -1999-09-22 Assar Westerlund - - * lib/asn1/asn1_print.c (loop): print length of octet string - -1999-09-21 Johan Danielsson - - * admin/ktutil.c (kt_get): add `--help' - -1999-09-21 Assar Westerlund - - * kuser/Makefile.am: add kdecode_ticket - - * kuser/kdecode_ticket.c: new debug program - - * appl/test/nt_gss_server.c: new program to test against `Sample * - SSPI Code' in Windows 2000 RC1 SDK. - - * appl/test/Makefile.am: add nt_gss_client and nt_gss_server - - * lib/asn1/der_get.c (decode_general_string): remember to advance - ret over the length-len - - * lib/asn1/Makefile.am: add asn1_print - - * lib/asn1/asn1_print.c: new program for printing DER-structures - - * lib/asn1/der_put.c: make functions more consistent - - * lib/asn1/der_get.c: make functions more consistent - -1999-09-20 Johan Danielsson - - * kdc/kerberos5.c: be more informative in pa-data error messages - -1999-09-16 Assar Westerlund - - * configure.in: test for strlcpy, strlcat - -1999-09-14 Assar Westerlund - - * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): return - KRB5_LIBOS_PWDINTR when interrupted - - * lib/krb5/get_in_tkt_pw.c (krb5_password_key_proc): check return - value from des_read_pw_string - - * kuser/kinit.c (main): don't print any error if reading the - password was interrupted - - * kpasswd/kpasswd.c (main): don't print any error if reading the - password was interrupted - - * kdc/string2key.c (main): check the return value from fgets - - * kdc/kstash.c (main): check return value from des_read_pw_string - - * admin/ktutil.c (kt_add): check the return-value from fgets and - overwrite the password 
for paranoid reasons - - * lib/krb5/keytab_keyfile.c (get_cell_and_realm): only remove the - newline if it's there - -1999-09-13 Assar Westerlund - - * kdc/hpropd.c (main): remove bogus error with `--print'. remove - sysloging of number of principals transferred - - * kdc/hprop.c (ka_convert): set flags correctly for krbtgt/CELL - principals - (main): get rid of bogus opening of hdb database when propagating - ka-server database - -1999-09-12 Assar Westerlund - - * lib/krb5/krb5_locl.h (O_BINARY): add fallback definition - - * lib/krb5/krb5.h (krb5_context_data): add keytab types - - * configure.in: revert back awk test, not worked around in - roken.awk - - * lib/krb5/keytab_krb4.c: remove O_BINARY - - * lib/krb5/keytab_keyfile.c: some support for AFS KeyFile's. From - Love - - * lib/krb5/keytab_file.c: remove O_BINARY - - * lib/krb5/keytab.c: move the list of keytab types to the context - - * lib/krb5/fcache.c: remove O_BINARY - - * lib/krb5/context.c (init_context_from_config_file): register all - standard cache and keytab types - (krb5_free_context): free `kt_types' - - * lib/krb5/cache.c (krb5_cc_resolve): move the registration of the - standard types of credential caches to context - - * lib/krb5/Makefile.am (libkrb5_la_SOURCES): add keytab_keyfile.c - -1999-09-10 Assar Westerlund - - * lib/krb5/keytab.c: add comments and clean-up - - * admin/ktutil.c: add `ktutil copy' - - * lib/krb5/keytab_krb4.c: new file - - * lib/krb5/krb5.h (krb5_kt_cursor): add a `data' field - - * lib/krb5/Makefile.am: add keytab_krb4.c - - * lib/krb5/keytab.c: add krb4 and correct some if's - - * admin/srvconvert.c (srvconv): move common code - - * lib/krb5/krb5.h (krb5_fkt_ops, krb5_mkt_ops): new variables - - * lib/krb5/keytab.c: move out file and memory functions - - * lib/krb5/Makefile.am (libkrb5_la_SOURCES): add keytab_file.c, - keytab_memory.c - - * lib/krb5/keytab_memory.c: new file - - * lib/krb5/keytab_file.c: new file - - * kpasswd/kpasswdd.c: move out password quality 
functions - -1999-09-07 Assar Westerlund - - * lib/hdb/Makefile.am (libhdb_la_SOURCES): add keytab.c. From - Love - - * lib/krb5/convert_creds.c (krb524_convert_creds_kdc): check - return value from `krb5_sendto_kdc' - -1999-09-06 Assar Westerlund - - * lib/krb5/send_to_kdc.c (send_and_recv): rename to recv_loop and - remove the sending of data. add a parameter `limit'. let callers - send the date themselves (and preferably with net_write on tcp - sockets) - (send_and_recv_tcp): read first the length field and then only that - many bytes - -1999-09-05 Assar Westerlund - - * kdc/connect.c (handle_tcp): try to print warning `TCP data of - strange type' less often - - * lib/krb5/send_to_kdc.c (send_and_recv): handle EINTR properly. - return on EOF. always free data. check return value from - realloc. - (send_and_recv_tcp, send_and_recv_http): check advertised length - against actual length - -1999-09-01 Johan Danielsson - - * configure.in: check for sgi capabilities - -1999-08-27 Johan Danielsson - - * lib/krb5/get_addrs.c: krb5_get_all_server_addrs shouldn't return - extra addresses - - * kpasswd/kpasswdd.c: use HDB keytabs; change some error messages; - add --realm flag - - * lib/krb5/address.c (krb5_append_addresses): remove duplicates - -1999-08-26 Johan Danielsson - - * lib/hdb/keytab.c: HDB keytab backend - -1999-08-25 Johan Danielsson - - * lib/krb5/keytab.c - (krb5_kt_{start_seq_get,next_entry,end_seq_get}): check for NULL - pointer - -1999-08-24 Johan Danielsson - - * kpasswd/kpasswdd.c: add `--keytab' flag - -1999-08-23 Assar Westerlund - - * lib/krb5/addr_families.c (IN6_ADDR_V6_TO_V4): use `s6_addr' - instead of the non-standard `s6_addr32'. 
From Yoshinobu Inoue - by way of the KAME repository - -1999-08-18 Assar Westerlund - - * configure.in (--enable-new-des3-code): remove check for `struct - addrinfo' - - * lib/krb5/crypto.c (etypes): remove NEW_DES3_CODE, enable - des3-cbc-sha1 and keep old-des3-cbc-sha1 for backwards - compatability - - * lib/krb5/krb5.h (krb5_enctype): des3-cbc-sha1 (with key - derivation) just got assigned etype 16 by . keep the - old etype at 7. - -1999-08-16 Assar Westerlund - - * lib/krb5/sendauth.c (krb5_sendauth): only look at errno if - krb5_net_read actually returns -1 - - * lib/krb5/recvauth.c (krb5_recvauth): only look at errno if - krb5_net_read actually returns -1 - - * appl/kf/kf.c (proto): don't trust errno if krb5_net_read hasn't - returned -1 - - * appl/test/tcp_server.c (proto): only trust errno if - krb5_net_read actually returns -1 - - * appl/kf/kfd.c (proto): be more careful with the return value - from krb5_net_read - -1999-08-13 Assar Westerlund - - * lib/krb5/get_addrs.c (get_addrs_int): try the different ways - sequentially instead of just one. this helps if your heimdal was - built with v6-support but your kernel doesn't have it, for - example. - -1999-08-12 Assar Westerlund - - * kdc/hpropd.c: add inetd flag. default means try to figure out - if stdin is a socket or not. 
- - * Makefile.am (ACLOCAL): just use `cf', this variable is only used - when the current directory is $(top_srcdir) anyways and having - $(top_srcdir) there breaks if it's a relative path - -1999-08-09 Johan Danielsson - - * configure.in: check for setproctitle - -1999-08-05 Assar Westerlund - - * lib/krb5/principal.c (krb5_sname_to_principal): remember to call - freehostent - - * appl/test/tcp_client.c: call freehostent - - * appl/kf/kf.c (doit): call freehostent - - * appl/kf/kf.c: make v6 friendly and simplify - - * appl/kf/kfd.c: make v6 friendly and simplify - - * appl/test/tcp_server.c: simplify by using krb5_err instead of - errx - - * appl/test/tcp_client.c: simplify by using krb5_err instead of - errx - - * appl/test/tcp_server.c: make v6 friendly and simplify - - * appl/test/tcp_client.c: make v6 friendly and simplify - -1999-08-04 Assar Westerlund - - * Release 0.1m - -1999-08-04 Assar Westerlund - - * kuser/kinit.c (main): some more KRB4-conditionalizing - - * lib/krb5/get_in_tkt.c: type correctness - - * lib/krb5/get_for_creds.c (krb5_fwd_tgs_creds): set forwarded in - flags. From Miroslav Ruda - - * kuser/kinit.c (main): add config file support for forwardable - and krb4 support. From Miroslav Ruda - - * kdc/kerberos5.c (as_rep): add an empty X500-compress string as - transited. - (fix_transited_encoding): check length. - From Miroslav Ruda - - * kdc/hpropd.c (dump_krb4): check the realm so that we don't dump - principals in some other realm. From Miroslav Ruda - - (main): rename sa_len -> sin_len, sa_lan is a define on some - platforms. - - * appl/kf/kfd.c: add regpag support. From Miroslav Ruda - - - * appl/kf/kf.c: add `-G' and forwardable option in krb5.conf. 
- From Miroslav Ruda - - * lib/krb5/config_file.c (parse_list): don't run past end of line - - * appl/test/gss_common.h: new prototypes - - * appl/test/gssapi_client.c: use gss_err instead of abort - - * appl/test/gss_common.c (gss_verr, gss_err): add - -1999-08-03 Assar Westerlund - - * lib/krb5/Makefile.am (n_fold_test_LDADD): need to set this - otherwise it doesn't build with shared libraries - - * kdc/hpropd.c: v6-ify - - * kdc/hprop.c: v6-ify - -1999-08-01 Assar Westerlund - - * lib/krb5/mk_req.c (krb5_mk_req): use krb5_expand_hostname - -1999-07-31 Assar Westerlund - - * lib/krb5/get_host_realm.c (krb5_get_host_realm_int): new - function that takes a FQDN - - * lib/krb5/Makefile.am (libkrb5_la_SOURCES): add exapnd_hostname.c - - * lib/krb5/expand_hostname.c: new file - -1999-07-28 Assar Westerlund - - * Release 0.1l - -1999-07-28 Assar Westerlund - - * lib/asn1/Makefile.am: bump version to 1:2:0 - - * lib/krb5/Makefile.am: bump version to 3:1:0 - - * configure.in: more inet_pton to roken - - * lib/krb5/principal.c (krb5_sname_to_principal): use - getipnodebyname - -1999-07-26 Assar Westerlund - - * Release 0.1k - -1999-07-26 Johan Danielsson - - * lib/krb5/Makefile.am: bump version number (changed function - signatures) - - * lib/hdb/Makefile.am: bump version number (changes to some - function signatures) - -1999-07-26 Assar Westerlund - - * lib/krb5/Makefile.am: bump version to 3:0:2 - - * lib/hdb/Makefile.am: bump version to 2:1:0 - - * lib/asn1/Makefile.am: bump version to 1:1:0 - -1999-07-26 Assar Westerlund - - * Release 0.1j - -1999-07-26 Assar Westerlund - - * configure.in: rokenize inet_ntop - - * lib/krb5/store_fd.c: lots of changes from size_t to ssize_t - - * lib/krb5/store_mem.c: lots of changes from size_t to ssize_t - - * lib/krb5/store_emem.c: lots of changes from size_t to ssize_t - - * lib/krb5/store.c: lots of changes from size_t to ssize_t - (krb5_ret_stringz): check return value from realloc - - * lib/krb5/mk_safe.c: some type correctness 
- - * lib/krb5/mk_priv.c: some type correctness - - * lib/krb5/krb5.h (krb5_storage): change return values of - functions from size_t to ssize_t - -1999-07-24 Assar Westerlund - - * Release 0.1i - - * configure.in (AC_PROG_AWK): disable. mawk seems to mishandle \# - in lib/roken/roken.awk - - * lib/krb5/get_addrs.c (find_all_addresses): try to use SA_LEN to - step over addresses if there's no `sa_lan' field - - * lib/krb5/sock_principal.c (krb5_sock_to_principal): simplify by - using `struct sockaddr_storage' - - * lib/krb5/send_to_kdc.c (krb5_sendto_kdc): simplify by using - `struct sockaddr_storage' - - * lib/krb5/changepw.c (krb5_change_password): simplify by using - `struct sockaddr_storage' - - * lib/krb5/auth_context.c (krb5_auth_con_setaddrs_from_fd): - simplify by using `struct sockaddr_storage' - - * kpasswd/kpasswdd.c (*): simplify by using `struct - sockaddr_storage' - - * kdc/connect.c (*): simplify by using `struct sockaddr_storage' - - * configure.in (sa_family_t): just test for existence - (sockaddr_storage): also specify include file - - * configure.in (AM_INIT_AUTOMAKE): bump version to 0.1i - (sa_family_t): test for - (struct sockaddr_storage): test for - - * kdc/hprop.c (propagate_database): typo, NULL should be - auth_context - - * lib/krb5/get_addrs.c: conditionalize on HAVE_IPV6 instead of - AF_INET6 - - * appl/kf/kf.c (main): use warnx - - * appl/kf/kf.c (proto): remove shadowing context - - * lib/krb5/get_addrs.c (find_all_addresses): try to handle the - case of getting back an `sockaddr_in6' address when sizeof(struct - sockaddr_in6) > sizeof(struct sockaddr) and we have no sa_len to - tell us how large the address is. This obviously doesn't work - with unknown protocol types. - -1999-07-24 Assar Westerlund - - * Release 0.1h - -1999-07-23 Assar Westerlund - - * appl/kf/kfd.c: clean-up and more paranoia - - * etc/services.append: add kf - - * appl/kf/kf.c: rename tk_file to ccache for consistency. 
clean-up - -1999-07-22 Assar Westerlund - - * lib/krb5/n-fold-test.c (main): print the correct data - - * appl/Makefile.am (SUBDIRS): add kf - - * appl/kf: new program. From Miroslav Ruda - - * kdc/hprop.c: declare some variables unconditionally to simplify - things - - * kpasswd/kpasswdd.c: initialize kadm5 connection for every change - (otherwise the modifier in the database doesn't get set) - - * kdc/hpropd.c: clean-up and re-organize - - * kdc/hprop.c: clean-up and re-organize - - * configure.in (SunOS): define to xy for SunOS x.y - -1999-07-19 Assar Westerlund - - * configure.in (AC_BROKEN): test for copyhostent, freehostent, - getipnodebyaddr, getipnodebyname - -1999-07-15 Assar Westerlund - - * lib/asn1/check-der.c: more test cases for integers - - * lib/asn1/der_length.c (length_int): handle the case of the - largest negative integer by not calling abs - -1999-07-14 Assar Westerlund - - * lib/asn1/check-der.c (generic_test): check malloc return value - properly - - * lib/krb5/Makefile.am: add string_to_key_test - - * lib/krb5/prog_setup.c (krb5_program_setup): always initialize - the context - - * lib/krb5/n-fold-test.c (main): return a relevant return value - - * lib/krb5/krbhst.c: do SRV lookups for admin server as well. - some clean-up. - -1999-07-12 Assar Westerlund - - * configure.in: handle not building X programs - -1999-07-06 Assar Westerlund - - * lib/krb5/addr_families.c (ipv6_parse_addr): remove duplicate - variable - (ipv6_sockaddr2port): fix typo - - * etc/services.append: beginning of a file with services - - * lib/krb5/cache.c (krb5_cc_resolve): fall-back to files if - there's no prefix. also clean-up a little bit. - - * kdc/hprop.c (--kaspecials): new flag for handling special KA - server entries. From "Brandon S. 
Allbery KF8NH" - - -1999-07-05 Assar Westerlund - - * kdc/connect.c (handle_tcp): make sure we have data before - starting to look for HTTP - - * kdc/connect.c (handle_tcp): always do getpeername, we can't - trust recvfrom to return anything sensible - -1999-07-04 Assar Westerlund - - * lib/krb5/get_in_tkt.c (add_padat): encrypt pre-auth data with - all enctypes - - * kpasswd/kpasswdd.c (change): fetch the salt-type from the entry - - * admin/srvconvert.c (srvconv): better error messages - -1999-07-03 Assar Westerlund - - * lib/krb5/principal.c (unparse_name): error check malloc properly - - * lib/krb5/get_in_tkt.c (krb5_init_etype): error check malloc - properly - - * lib/krb5/crypto.c (*): do some malloc return-value checks - properly - - * lib/hdb/hdb.c (hdb_process_master_key): simplify by using - krb5_data_alloc - - * lib/hdb/hdb.c (hdb_process_master_key): check return value from - malloc - - * lib/asn1/gen_decode.c (decode_type): fix generation of decoding - information for TSequenceOf. 
- - * kdc/kerberos5.c (get_pa_etype_info): check return value from - malloc - -1999-07-02 Assar Westerlund - - * lib/asn1/der_copy.c (copy_octet_string): don't fail if length == - 0 and malloc returns NULL - -1999-06-29 Assar Westerlund - - * lib/krb5/addr_families.c (ipv6_parse_addr): implement - -1999-06-24 Assar Westerlund - - * lib/krb5/rd_cred.c (krb5_rd_cred): compare the sender's address - as an addrport one - - * lib/krb5/krb5.h (KRB5_ADDRESS_ADDRPORT, KRB5_ADDRESS_IPPORT): - add - (krb5_auth_context): add local and remote port - - * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): get the - local and remote address and add them to the krb-cred packet - - * lib/krb5/auth_context.c: save the local and remove ports in the - auth_context - - * lib/krb5/address.c (krb5_make_addrport): create an address of - type KRB5_ADDRESS_ADDRPORT from (addr, port) - - * lib/krb5/addr_families.c (krb5_sockaddr2port): new function for - grabbing the port number out of the sockaddr - -1999-06-23 Assar Westerlund - - * admin/srvcreate.c (srvcreate): always take the DES-CBC-MD5 key. - increase possible verbosity. - - * lib/krb5/config_file.c (parse_list): handle blank lines at - another place - - * kdc/connect.c (add_port_string): don't return a value - - * lib/kadm5/init_c.c (get_cred_cache): you cannot reuse the cred - cache if the principals are different. close and NULL the old one - so that we create a new one. 
- - * configure.in: move around cgywin et al - (LIB_kdb): set at the end of krb4-block - (krb4): test for krb_enable_debug and krb_disable_debug - -1999-06-16 Assar Westerlund - - * kuser/kdestroy.c (main): try to destroy v4 ticket even if the - destruction of the v5 one fails - - * lib/krb5/crypto.c (DES3_postproc): new version that does the - right thing - (*): don't put and recover length in 3DES encoding - other small fixes - -1999-06-15 Assar Westerlund - - * lib/krb5/get_default_principal.c: rewrite to use - get_default_username - - * lib/krb5/Makefile.am: add n-fold-test - - * kdc/connect.c: add fallbacks for all lookups by service name - (handle_tcp): break-up and clean-up - -1999-06-09 Assar Westerlund - - * lib/krb5/addr_families.c (ipv6_uninteresting): don't consider - the loopback address as uninteresting - - * lib/krb5/get_addrs.c: new magic flag to get loopback address if - there are no other addresses. - (krb5_get_all_client_addrs): use that flag - -1999-06-04 Assar Westerlund - - * lib/krb5/crypto.c (HMAC_SHA1_DES3_checksum): don't include the - length - (checksum_sha1, checksum_hmac_sha1_des3): blocksize should be 64 - (encrypt_internal_derived): don't include the length and don't - decrease by the checksum size twice - (_get_derived_key): the constant should be 5 bytes - -1999-06-02 Johan Danielsson - - * configure.in: use KRB_CHECK_X - - * configure.in: check for netinet/ip.h - -1999-05-31 Assar Westerlund - - * kpasswd/kpasswdd.c (setup_passwd_quality_check): conditionalize - on RTLD_NOW - -1999-05-23 Assar Westerlund - - * appl/test/uu_server.c: removed unused stuff - - * appl/test/uu_client.c: removed unused stuff - -1999-05-21 Assar Westerlund - - * kuser/kgetcred.c (main): correct error message - - * lib/krb5/crypto.c (verify_checksum): call (*ct->checksum) - directly, avoiding redundant lookups and memory leaks - - * lib/krb5/auth_context.c (krb5_auth_con_setaddrs_from_fd): free - local and remote addresses - - * 
lib/krb5/get_default_principal.c (get_logname): also try - $USERNAME - - * lib/asn1/Makefile.am (asn1_files): add $(EXEEXT) - - * lib/krb5/principal.c (USE_RESOLVER): try to define only if we - have a libresolv (currently by checking for res_search) - -1999-05-18 Johan Danielsson - - * kdc/connect.c (handle_tcp): remove %-escapes in request - -1999-05-14 Assar Westerlund - - * Release 0.1g - - * admin/ktutil.c (kt_remove): -t should be -e - - * configure.in (CHECK_NETINET_IP_AND_TCP): use - - * kdc/hpropd.c: support for dumping to krb4. From Miroslav Ruda - - - * admin/ktutil.c (kt_add): new option `--no-salt'. From Miroslav - Ruda - - * configure.in: add cygwin and DOS tests replace sendmsg, recvmsg, - and innetgr with roken versions - - * kuser/kgetcred.c: new program - -Tue May 11 14:09:33 1999 Johan Danielsson - - * lib/krb5/mcache.c: fix paste-o - -1999-05-10 Johan Danielsson - - * configure.in: don't use uname - -1999-05-10 Assar Westerlund - - * acconfig.h (KRB_PUT_INT): if we don't have KRB4 use four - arguments :-) - - * appl/test/uu_server.c (setsockopt): cast to get rid of a warning - - * appl/test/tcp_server.c (setsockopt): cast to get rid of a - warning - - * appl/test/tcp_client.c (proto): call krb5_sendauth with ccache - == NULL - - * appl/test/gssapi_server.c (setsockopt): cast to get rid of a - warning - - * lib/krb5/sendauth.c (krb5_sendauth): handle ccache == NULL by - setting the default ccache. - - * configure.in (getsockopt, setsockopt): test for - (AM_INIT_AUTOMAKE): bump version to 0.1g - - * appl/Makefile.am (SUBDIRS): add kx - - * lib/hdb/convert_db.c (main): handle the case of no master key - -1999-05-09 Assar Westerlund - - * Release 0.1f - - * kuser/kinit.c: add --noaddresses - - * lib/krb5/get_in_tkt.c (init_as_req): interpret `addrs' being an - empty sit of list as to not ask for any addresses. 
- -1999-05-08 Assar Westerlund - - * acconfig.h (_GNU_SOURCE): define this to enable (used) - extensions on glibc-based systems such as linux - -1999-05-03 Assar Westerlund - - * lib/krb5/get_cred.c (get_cred_from_kdc_flags): allocate and free - `*out_creds' properly - - * lib/krb5/creds.c (krb5_compare_creds): just verify that the - keytypes/enctypes are compatible, not that they are the same - - * kuser/kdestroy.c (cache): const-correctness - -1999-05-03 Johan Danielsson - - * lib/hdb/hdb.c (hdb_set_master_key): initialise master key - version - - * lib/hdb/convert_db.c: add support for upgrading database - versions - - * kdc/misc.c: add flags to fetch - - * kdc/kstash.c: unlink keyfile on failure, chmod to 400 - - * kdc/hpropd.c: add --print option - - * kdc/hprop.c: pass flags to hdb_foreach - - * lib/hdb/convert_db.c: add some flags - - * lib/hdb/Makefile.am: remove extra LDFLAGS, update version to 2; - build prototype headers - - * lib/hdb/hdb_locl.h: update prototypes - - * lib/hdb/print.c: move printable version of entry from kadmin - - * lib/hdb/hdb.c: change hdb_{seal,unseal}_* to check if the key is - sealed or not; add flags to hdb_foreach - - * lib/hdb/ndbm.c: add flags to NDBM_seq, NDBM_firstkey, and - NDBM_nextkey - - * lib/hdb/db.c: add flags to DB_seq, DB_firstkey, and DB_nextkey - - * lib/hdb/common.c: add flags to _hdb_{fetch,store} - - * lib/hdb/hdb.h: add master_key_version to struct hdb, update - prototypes - - * lib/hdb/hdb.asn1: make mkvno optional, update version to 2 - - * configure.in: --enable-netinfo - - * lib/krb5/config_file.c: HAVE_NETINFO_NI_H -> HAVE_NETINFO - - * config.sub: fix for crays - - * config.guess: new version from automake 1.4 - - * config.sub: new version from automake 1.4 - -Wed Apr 28 00:21:17 1999 Assar Westerlund - - * Release 0.1e - - * lib/krb5/mcache.c (mcc_get_next): get the current cursor - correctly - - * acconfig.h: correct definition of KRB_PUT_INT for old krb4 code. 
- From Ake Sandgren - -1999-04-27 Johan Danielsson - - * kdc/kerberos5.c: fix arguments to decrypt_ticket - -1999-04-25 Assar Westerlund - - * lib/krb5/mk_req_ext.c (krb5_mk_req_internal): try to handle old - DCE secd's that are not able to handle MD5 checksums by defaulting - to MD4 if the keytype was DES-CBC-CRC - - * lib/krb5/mk_req.c (krb5_mk_req): use auth_context->keytype - - * lib/krb5/krb5.h (krb5_auth_context_data): add `keytype' and - `cksumtype' - - * lib/krb5/get_cred.c (make_pa_tgs_req): remove old kludge for - secd - (init_tgs_req): add all supported enctypes for the keytype in - `in_creds->session.keytype' if it's set - - * lib/krb5/crypto.c (F_PSEUDO): new flag for non-protocol - encryption types - (do_checksum): new function - (verify_checksum): take the checksum to use from the checksum message - and not from the crypto struct - (etypes): add F_PSEUDO flags - (krb5_keytype_to_enctypes): new function - - * lib/krb5/auth_context.c (krb5_auth_con_init): initalize keytype - and cksumtype - (krb5_auth_setcksumtype, krb5_auth_getcksumtype): implement - (krb5_auth_setkeytype, krb5_auth_getkeytype): implement - (krb5_auth_setenctype): comment out, it's rather bogus anyway - -Sun Apr 25 16:55:50 1999 Johan Danielsson - - * lib/krb5/krb5_locl.h: fix for stupid aix warnings - - * lib/krb5/fcache.c (erase_file): don't malloc - -Sat Apr 24 18:35:21 1999 Johan Danielsson - - * kdc/config.c: pass context to krb5_config_file_free - - * kuser/kinit.c: add `--fcache-version' to set cache version to - create - - * kuser/klist.c: print cache version if verbose - - * lib/krb5/transited.c (krb5_domain_x500_decode): don't abort - - * lib/krb5/principal.c: abort -> krb5_abortx - - * lib/krb5/mk_rep.c: abort -> krb5_abortx - - * lib/krb5/config_file.c: abort -> krb5_abortx - - * lib/krb5/context.c (init_context_from_config_file): init - fcache_version; add krb5_{get,set}_fcache_version - - * lib/krb5/keytab.c: add support for reading (and writing?) 
old - version keytabs - - * lib/krb5/cache.c: add krb5_cc_get_version - - * lib/krb5/fcache.c: add support for reading and writing old - version cache files - - * lib/krb5/store_mem.c (krb5_storage_from_mem): zero flags - - * lib/krb5/store_emem.c (krb5_storage_emem): zero flags - - * lib/krb5/store_fd.c (krb5_storage_from_fd): zero flags - - * lib/krb5/store.c: add flags to change how various fields are - stored, used for old cache version support - - * lib/krb5/krb5.h: add support for reading and writing old version - cache files, and keytabs - -Wed Apr 21 00:09:26 1999 Assar Westerlund - - * configure.in: fix test for readline.h remember to link with - $LIB_tgetent when trying linking with readline - - * lib/krb5/init_creds_pw.c (get_init_creds_common): if start_time - is given, request a postdated ticket. - - * lib/krb5/data.c (krb5_data_free): free data as long as it's not - NULL - -Tue Apr 20 20:18:14 1999 Assar Westerlund - - * kpasswd/Makefile.am (kpasswdd_LDADD): add LIB_dlopen - - * lib/krb5/krb5.h (KRB5_VERIFY_AP_REQ_IGNORE_INVALID): add - - * lib/krb5/rd_req.c (krb5_decrypt_ticket): add `flags` and - KRB5_VERIFY_AP_REQ_IGNORE_INVALID for ignoring that the ticket is - invalid - -Tue Apr 20 12:42:08 1999 Johan Danielsson - - * kpasswd/kpasswdd.c: don't try to load library by default; get - library and function name from krb5.conf - - * kpasswd/sample_passwd_check.c: sample password checking - functions - -Mon Apr 19 22:22:19 1999 Assar Westerlund - - * lib/krb5/store.c (krb5_storage_to_data, krb5_ret_data): use - krb5_data_alloc and be careful with checking allocation and sizes. 
- - * kuser/klist.c (--tokens): conditionalize on KRB4 - - * kuser/kinit.c (renew_validate): set all flags - (main): fix cut-n-paste error when setting start-time - - * kdc/kerberos5.c (check_tgs_flags): starttime of a validate - ticket should be > than current time - (*): send flags to krb5_verify_ap_req and krb5_decrypt_ticket - - * kuser/kinit.c (renew_validate): use the client realm instead of - the local realm when renewing tickets. - - * lib/krb5/get_for_creds.c (krb5_fwd_tgs_creds): compat function - (krb5_get_forwarded_creds): correct freeing of out_creds - - * kuser/kinit.c (renew_validate): hopefully fix up freeing of - memory - - * configure.in: do all the krb4 tests with "$krb4" != "no" - - * lib/krb5/keyblock.c (krb5_free_keyblock_contents): don't zero - keyvalue if it's NULL. noticed by Ake Sandgren - - * lib/krb5/get_in_tkt.c (add_padata): loop over all enctypes - instead of just taking the first one. fix all callers. From - "Brandon S. Allbery KF8NH" - - * kdc/kdc_locl.h (enable_kaserver): declaration - - * kdc/hprop.c (ka_convert): print the failing principal. AFS 3.4a - creates krbtgt.REALMOFCELL as NOTGS+NOSEAL, work around. From - "Brandon S. Allbery KF8NH" - - * kdc/hpropd.c (open_socket): stupid cast to get rid of a warning - - * kdc/connect.c (add_standard_ports, process_request): look at - enable_kaserver. From "Brandon S. Allbery KF8NH" - - - * kdc/config.c: new flag --kaserver and config file option - enable-kaserver. From "Brandon S. 
Allbery KF8NH" - - -Mon Apr 19 12:32:04 1999 Johan Danielsson - - * configure.in: check for dlopen, and dlfcn.h - - * kpasswd/kpasswdd.c: add support for dlopen:ing password quality - check library - - * configure.in: add appl/su - -Sun Apr 18 15:46:53 1999 Johan Danielsson - - * lib/krb5/cache.c: add krb5_cc_get_type that returns type of a - cache - -Fri Apr 16 17:58:51 1999 Assar Westerlund - - * configure.in: LIB_kdb: -L should be before -lkdb - test for prototype of strsep - -Thu Apr 15 11:34:38 1999 Johan Danielsson - - * lib/krb5/Makefile.am: update version - - * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): use - ALLOC_SEQ - - * lib/krb5/fcache.c: add some support for reading and writing old - cache formats; - (fcc_store_cred): use krb5_store_creds; (fcc_read_cred): use - krb5_ret_creds - - * lib/krb5/store_mem.c (krb5_storage_from_mem): check malloc, - initialize host_byteorder - - * lib/krb5/store_fd.c (krb5_storage_from_fd): initialize - host_byteorder - - * lib/krb5/store_emem.c (krb5_storage_emem): initialize - host_byteorder - - * lib/krb5/store.c (krb5_storage_set_host_byteorder): add; - (krb5_store_int32,krb5_ret_int32,krb5_store_int16,krb5_ret_int16): - check host_byteorder flag; (krb5_store_creds): add; - (krb5_ret_creds): add - - * lib/krb5/krb5.h (krb5_storage): add `host_byteorder' flag for - storage of numbers - - * lib/krb5/heim_err.et: add `host not found' error - - * kdc/connect.c: don't use data after clearing decriptor - - * lib/krb5/auth_context.c: abort -> krb5_abortx - - * lib/krb5/warn.c: add __attribute__; add *abort functions - - * configure.in: check for __attribute__ - - * kdc/connect.c: log bogus requests - -Tue Apr 13 18:38:05 1999 Johan Danielsson - - * lib/kadm5/create_s.c (kadm5_s_create_principal): create v4 salts - for all DES keys - -1999-04-12 Assar Westerlund - - * lib/krb5/get_cred.c (init_tgs_req): re-structure a little bit - - * lib/krb5/get_cred.c (init_tgs_req): some more error checking - - * 
lib/krb5/generate_subkey.c (krb5_generate_subkey): check return - value from malloc - -Sun Apr 11 03:47:23 1999 Johan Danielsson - - * lib/krb5/krb5.conf.5: update to reality - - * lib/krb5/krb5_425_conv_principal.3: update to reality - -1999-04-11 Assar Westerlund - - * lib/krb5/get_host_realm.c: handle more than one realm for a host - - * kpasswd/kpasswd.c (main): use krb5_program_setup and - print_version - - * kdc/string2key.c (main): use krb5_program_setup and - print_version - -Sun Apr 11 02:35:58 1999 Johan Danielsson - - * lib/krb5/principal.c (krb5_524_conv_principal): make it actually - work, and check built-in list of host-type first-components - - * lib/krb5/krbhst.c: lookup SRV-records to find a kdc for a realm - - * lib/krb5/context.c: add srv_* flags to context - - * lib/krb5/principal.c: add default v4_name_convert entries - - * lib/krb5/krb5.h: add srv_* flags to context - -Sat Apr 10 22:52:28 1999 Johan Danielsson - - * kadmin/kadmin.c: complain about un-recognised commands - - * admin/ktutil.c: complain about un-recognised commands - -Sat Apr 10 15:41:49 1999 Assar Westerlund - - * kadmin/load.c (doit): fix error message - - * lib/krb5/crypto.c (encrypt_internal): free checksum if lengths - fail to match. - (krb5_get_wrapped_length): new function - - * configure.in: security/pam_modules.h: check for - - * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): kludge - around `ret_as_reply' semantics by only freeing it when ret == 0 - -Fri Apr 9 20:24:04 1999 Assar Westerlund - - * kuser/klist.c (print_cred_verbose): handle the case of a bad - enctype - - * configure.in: test for more header files - (LIB_roken): set - -Thu Apr 8 15:01:59 1999 Johan Danielsson - - * configure.in: fixes for building w/o krb4 - - * ltmain.sh: update to libtool 1.2d - - * ltconfig: update to libtool 1.2d - -Wed Apr 7 23:37:26 1999 Assar Westerlund - - * kdc/hpropd.c: fix some error messages to be more understandable. 
- - * kdc/hprop.c (ka_dump): remove unused variables - - * appl/test/tcp_server.c: remove unused variables - - * appl/test/gssapi_server.c: remove unused variables - - * appl/test/gssapi_client.c: remove unused variables - -Wed Apr 7 14:05:15 1999 Johan Danielsson - - * lib/krb5/context.c (krb5_get_err_text): long -> krb5_error_code - - * kuser/klist.c: make it compile w/o krb4 - - * kuser/kdestroy.c: make it compile w/o krb4 - - * admin/ktutil.c: fix {srv,key}2{srv,key}tab confusion; add help - strings - -Mon Apr 5 16:13:46 1999 Johan Danielsson - - * configure.in: test for MIPS ABI; new test_package - -Thu Apr 1 11:00:40 1999 Johan Danielsson - - * include/Makefile.am: clean krb5-private.h - - * Release 0.1d - - * kpasswd/kpasswdd.c (doit): pass context to - krb5_get_all_client_addrs - - * kdc/connect.c (init_sockets): pass context to - krb5_get_all_server_addrs - - * lib/krb5/get_in_tkt.c (init_as_req): pass context to - krb5_get_all_client_addrs - - * lib/krb5/get_cred.c (get_cred_kdc_la): pass context to - krb5_get_all_client_addrs - - * lib/krb5/get_addrs.c (get_addrs_int): add extra host addresses - - * lib/krb5/krb5.h: add support for adding an extra set of - addresses - - * lib/krb5/context.c: add support for adding an extra set of - addresses - - * lib/krb5/addr_families.c: add krb5_parse_address - - * lib/krb5/address.c: krb5_append_addresses - - * lib/krb5/config_file.c (parse_binding): don't zap everything - after first whitespace - - * kuser/kinit.c (renew_validate): don't allocate out - - * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): don't - allocate out_creds - - * lib/krb5/get_cred.c (get_cred_kdc, get_cred_kdc_la): make - out_creds pointer; - (krb5_get_kdc_cred): allocate out_creds; (get_cred_from_kdc_flags): - free more memory - - * lib/krb5/crypto.c (encrypt_internal): free checksum - - * lib/krb5/convert_creds.c (krb524_convert_creds_kdc): free reply, - and ticket - - * kuser/Makefile.am: remove kfoo - - * lib/Makefile.am: add auth - - 
* lib/kadm5/iprop.h: getarg.h - - * lib/kadm5/replay_log.c: use getarg - - * lib/kadm5/ipropd_slave.c: use getarg - - * lib/kadm5/ipropd_master.c: use getarg - - * lib/kadm5/dump_log.c: use getarg - - * kpasswd/kpasswdd.c: use getarg - - * Makefile.am.common: make a more working check-local target - - * lib/asn1/main.c: use getargs - -Mon Mar 29 20:19:57 1999 Johan Danielsson - - * kuser/klist.c (print_cred_verbose): use krb5_print_address - - * lib/kadm5/server.c: k_{put,get}_int -> _krb5_{put,get}_int - - * lib/krb5/addr_families.c (krb5_print_address): handle unknown - address types; (ipv6_print_addr): print in 16-bit groups (as it - should) - - * lib/krb5/crc.c: crc_{init_table,update} -> - _krb5_crc_{init_table,update} - - * lib/krb5/crypto.c: k_{put,get}_int -> _krb5_{put,get}_int - crc_{init_table,update} -> _krb5_crc_{init_table,update} - - * lib/krb5/send_to_kdc.c: k_{put,get}_int -> _krb5_{put,get}_int - - * lib/krb5/store.c: k_{put,get}_int -> _krb5_{put,get}_int - - * lib/krb5/krb5_locl.h: include krb5-private.h - - * kdc/connect.c (addr_to_string): use krb5_print_address - - * lib/krb5/addr_families.c (krb5_print_address): int -> size_t - - * lib/krb5/addr_families.c: add support for printing ipv6 - addresses, either with inet_ntop, or ugly for-loop - - * kdc/524.c: check that the ticket came from a valid address; use - the address of the connection as the address to put in the v4 - ticket (if this address is AF_INET) - - * kdc/connect.c: pass addr to do_524 - - * kdc/kdc_locl.h: prototype for do_524 - -Sat Mar 27 17:48:31 1999 Johan Danielsson - - * configure.in: check for OSF C2; bind/bitypes.h, getudbnam, - setlim; check for auth modules; siad.h, getpwnam_r; - lib/auth/Makefile, lib/auth/sia/Makefile - - * lib/krb5/crypto.c: n_fold -> _krb5_n_fold - - * lib/krb5/n-fold.c: n_fold -> _krb5_n_fold - -Thu Mar 25 04:35:21 1999 Assar Westerlund - - * lib/kadm5/set_keys.c (_kadm5_set_keys): free salt when zapping - it - - * lib/kadm5/free.c 
(kadm5_free_principal_ent): free `key_data' - - * lib/hdb/ndbm.c (NDBM_destroy): clear master key - - * lib/hdb/db.c (DB_destroy): clear master key - (DB_open): check malloc - - * kdc/connect.c (init_sockets): free addresses - - * kadmin/kadmin.c (main): make code more consistent. always free - configuration information. - - * kadmin/init.c (create_random_entry): free the entry - -Wed Mar 24 04:02:03 1999 Assar Westerlund - - * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): - re-organize the code to always free `kdc_reply' - - * lib/krb5/get_in_tkt.c (krb5_get_in_cred): be more careful about - freeing memory - - * lib/krb5/fcache.c (fcc_destroy): don't call fcc_close - - * lib/krb5/crypto.c (krb5_crypto_destroy): free `crypto' - - * lib/hdb/hdb_locl.h: try db_185.h first in case db.h is a DB 2.0 - header - - * configure.in (db_185.h): check for - - * admin/srvcreate.c: new file. contributed by Daniel Kouril - - - * admin/ktutil.c: srvcreate: new command - - * kuser/klist.c: add support for printing AFS tokens - - * kuser/kdestroy.c: add support for destroying v4 tickets and AFS - tokens. based on code by Love - - * kuser/Makefile.am (kdestroy_LDADD, klist_LDADD): more libraries - - * configure.in: sys/ioccom.h: test for - - * kuser/klist.c (main): don't print `no ticket file' with --test. - 
From: Love - - * kpasswd/kpasswdd.c (doit): more braces to make gcc happy - - * kdc/connect.c (init_socket): get rid of a stupid warning - - * include/bits.c (my_strupr): cast away some stupid warnings - -Tue Mar 23 14:34:44 1999 Johan Danielsson - - * lib/krb5/get_host_realm.c (krb5_get_host_realm): no infinite - loops, please - -Tue Mar 23 00:00:45 1999 Assar Westerlund - - * lib/kadm5/Makefile.am (install_build_headers): recover from make - rewriting the names of the headers kludge to help solaris make - - * lib/krb5/Makefile.am: kludge to help solaris make - - * lib/hdb/Makefile.am: kludge to help solaris make - - * configure.in (LIB_kdb): make sure there's a -L option in here by - adding $(LIB_krb4) - - * lib/asn1/gen_glue.c (generate_2int, generate_int2): int -> - unsigned - - * configure.in (SunOS): set to a number KRB4, KRB5 conditionals: - remove the `dnl' to work around an automake flaw - -Sun Mar 21 15:08:49 1999 Johan Danielsson - - * lib/krb5/get_default_realm.c: char* -> krb5_realm - -Sun Mar 21 14:08:30 1999 Johan Danielsson - - * include/bits.c: - - * lib/krb5/Makefile.am: create krb5-private.h - -Sat Mar 20 00:08:59 1999 Assar Westerlund - - * configure.in (gethostname): remove duplicate - -Fri Mar 19 14:48:03 1999 Johan Danielsson - - * lib/hdb/Makefile.am: add version-info - - * lib/gssapi/Makefile.am: add version-info - - * lib/asn1/Makefile.am: use $(x:y=z) make syntax; move check-der - to check_PROGRAMS - - * lib/Makefile.am: add 45 - - * lib/kadm5/Makefile.am: split in client and server libraries - (breaks shared libraries otherwise) - -Thu Mar 18 11:33:30 1999 Johan Danielsson - - * include/kadm5/Makefile.am: clean a lot of header files (since - automake lacks a clean-hook) - - * include/Makefile.am: clean a lot of header files (since automake - lacks a clean-hook) - - * lib/kadm5/Makefile.am: fix build-installation of headers - - * lib/krb5/Makefile.am: remove include_dir hack - - * lib/hdb/Makefile.am: remove include_dir hack - - * 
lib/asn1/Makefile.am: remove include_dir hack - - * include/Makefile.am: remove include_dir hack - - * doc/whatis.texi: define sub for html - - * configure.in: LIB_kdb, have_err_h, have_fnmatch_h, have_glob_h - - * lib/asn1/Makefile.am: der.h - - * kpasswd/kpasswdd.c: admin.h -> kadm5/admin.h - - * kdc/Makefile.am: remove junk - - * kadmin/Makefile.am: sl.a -> sl.la - - * appl/afsutil/Makefile.am: remove EXTRA_bin_PROGRAMS - - * admin/Makefile.am: sl.a -> sl.la - - * configure.in: condition KRB5; AC_CHECK_XAU - - * Makefile.am: include Makefile.am.common - - * include/kadm5/Makefile.am: include Makefile.am.common; don't - install headers from here - - * include/Makefile.am: include Makefile.am.common; don't install - headers from here - - * doc/Makefile.am: include Makefile.am.common - - * lib/krb5/Makefile.am: include Makefile.am.common - - * lib/kadm5/Makefile.am: include Makefile.am.common - - * lib/hdb/Makefile.am: include Makefile.am.common - - * lib/gssapi/Makefile.am: include Makefile.am.common - - * lib/asn1/Makefile.am: include Makefile.am.common - - * lib/Makefile.am: include Makefile.am.common - - * lib/45/Makefile.am: include Makefile.am.common - - * kuser/Makefile.am: include Makefile.am.common - - * kpasswd/Makefile.am: include Makefile.am.common - - * kdc/Makefile.am: include Makefile.am.common - - * kadmin/Makefile.am: include Makefile.am.common - - * appl/test/Makefile.am: include Makefile.am.common - - * appl/afsutil/Makefile.am: include Makefile.am.common - - * appl/Makefile.am: include Makefile.am.common - - * admin/Makefile.am: include Makefile.am.common - -Wed Mar 17 03:04:38 1999 Assar Westerlund - - * lib/krb5/store.c (krb5_store_stringz): braces fix - - * lib/kadm5/get_s.c (kadm5_s_get_principal): braces fix - - * lib/kadm5/ent_setup.c (_kadm5_setup_entry): braces fix - - * kdc/connect.c (loop): braces fix - - * lib/krb5/config_file.c: cast to unsigned char to make is* happy - - * lib/krb5/log.c (krb5_addlog_dest): more braces to make gcc 
happy - - * lib/krb5/crypto.c (krb5_verify_checksum): rename C -> cksum to - be consistent - - * kadmin/util.c (timeval2str): more braces to make gcc happy - - * kadmin/load.c: cast in is* to get rid of stupid warning - - * kadmin/dump.c (append_hex): cast in isalnum to get rid of stupid - warning - - * kdc/kaserver.c: malloc checks and fixes - - * lib/krb5/get_host_realm.c (krb5_get_host_realm): include leading - dot (if any) when looking up realms. - -Fri Mar 12 13:57:56 1999 Johan Danielsson - - * lib/krb5/get_host_realm.c: add dns support - - * lib/krb5/set_default_realm.c: use krb5_free_host_realm - - * lib/krb5/free_host_realm.c: check for NULL realmlist - - * lib/krb5/context.c: don't print warning if there is no krb5.conf - -Wed Mar 10 19:29:46 1999 Johan Danielsson - - * configure.in: use AC_WFLAGS - -Mon Mar 8 11:49:43 1999 Johan Danielsson - - * Release 0.1c - - * kuser/klist.c: use print_version - - * kuser/kdestroy.c: use print_version - - * kdc/hpropd.c: use print_version - - * kdc/hprop.c: use print_version - - * kdc/config.c: use print_version - - * kadmin/kadmind.c: use print_version - - * kadmin/kadmin.c: use print_version - - * appl/test/common.c: use print_version - - * appl/afsutil/afslog.c: use print_version - -Mon Mar 1 10:49:14 1999 Johan Danielsson - - * lib/krb5/get_addrs.c: SOCKADDR_HAS_SA_LEN -> - HAVE_STRUCT_SOCKADDR_SA_LEN - - * configure.in, acconfig.h, cf/*: update to automake 1.4/autoconf 2.13 - -Sun Feb 28 18:19:20 1999 Johan Danielsson - - * lib/asn1/gen.c: make `BIT STRING's unsigned - - * lib/asn1/{symbol.h,gen.c}: add TUInteger type - - * lib/krb5/verify_user.c (krb5_verify_user): pass prompter to - krb5_get_init_creds_password - - * lib/krb5/fcache.c (fcc_gen_new): implement - -Sat Feb 27 22:41:23 1999 Johan Danielsson - - * doc/install.texi: krb4 is now automatically detected - - * doc/misc.texi: update procedure to set supported encryption - types - - * doc/setup.texi: change some silly wordings - -Sat Feb 27 22:17:30 1999 
Johan Danielsson - - * lib/krb5/keytab.c (fkt_remove_entry): make this work - - * admin/ktutil.c: add minimally working `get' command - -Sat Feb 27 19:44:49 1999 Johan Danielsson - - * lib/hdb/convert_db.c: more typos - - * include/Makefile.am: remove EXTRA_DATA (as of autoconf - 2.13/automake 1.4) - - * appl/Makefile.am: OTP_dir - -Fri Feb 26 17:37:00 1999 Johan Danielsson - - * doc/setup.texi: add kadmin section - - * lib/asn1/check-der.c: fix printf warnings - -Thu Feb 25 11:16:49 1999 Johan Danielsson - - * configure.in: -O does not belong in WFLAGS - -Thu Feb 25 11:05:57 1999 Johan Danielsson - - * lib/asn1/der_put.c: fix der_put_int - -Tue Feb 23 20:35:12 1999 Johan Danielsson - - * configure.in: use AC_BROKEN_GLOB - -Mon Feb 22 15:12:44 1999 Johan Danielsson - - * configure.in: check for glob - -Mon Feb 22 11:32:42 1999 Johan Danielsson - - * Release 0.1b - -Sat Feb 20 15:48:06 1999 Johan Danielsson - - * lib/hdb/convert_db.c: convert DES3 keys to des3-cbc-sha1, and - des3-cbc-md5 - - * lib/krb5/crypto.c (DES3_string_to_key): make this actually do - what the draft said it should - - * lib/hdb/convert_db.c: little program for database conversion - - * lib/hdb/db.c (DB_open): try to open database w/o .db extension - - * lib/hdb/ndbm.c (NDBM_open): add test for database format - - * lib/hdb/db.c (DB_open): add test for database format - - * lib/asn1/gen_glue.c (generate_2int): don't depend on flags being - unsigned - - * lib/hdb/hdb.c: change `hdb_set_master_key' to take an - EncryptionKey, and add a new function `hdb_set_master_keyfile' to - do what `hdb_set_master_key' used to do - - * kdc/kstash.c: add `--convert-file' option to change keytype of - existing master key file - -Fri Feb 19 07:04:14 1999 Assar Westerlund - - * Release 0.1a - -Sat Feb 13 17:12:53 1999 Assar Westerlund - - * lib/krb5/mk_safe.c (krb5_mk_safe): sizeof(buf) -> buf_size, buf - is now a `u_char *' - - * lib/krb5/get_in_tkt.c (krb5_init_etype): etypes are now `int' - - * 
lib/krb5/get_host_realm.c (krb5_get_host_realm): constize - orig_host - - (krb5_salttype_to_string): new function (RSA_MD5_DES_verify, - RSA_MD5_DES3_verify): initialize ret - - * lib/gssapi/init_sec_context.c (init_auth): remove unnecessary - gssapi_krb5_init. ask for KEYTYPE_DES credentials - - * kadmin/get.c (print_entry_long): print the keytypes and salts - available for the principal - - * configure.in (WFLAGS): add `-O' to catch unitialized variables - and such - (gethostname, mkstemp, getusershell, inet_aton): more tests - - * lib/hdb/hdb.h: update prototypes - - * configure.in: homogenize broken detection with krb4 - - * lib/kadm5/init_c.c (kadm5_c_init_with_context): remove unused - `error' - - * lib/asn1/Makefile.am (check-der): add - - * lib/asn1/gen.c (define_type): map ASN1 Integer to `int' instead - of `unsigned' - - * lib/asn1/der_length.c (length_unsigned): new function - (length_int): handle signed integers - - * lib/asn1/der_put.c (der_put_unsigned): new function - (der_put_int): handle signed integers - - * lib/asn1/der_get.c (der_get_unsigned): new function - (der_get_int): handle signed integers - - * lib/asn1/der.h: all integer functions take `int' instead of - `unsigned' - - * lib/asn1/lex.l (filename): unused. remove. - - * lib/asn1/check-der.c: new test program for der encoding and - decoding. - -Mon Feb 1 04:09:06 1999 Assar Westerlund - - * lib/krb5/send_to_kdc.c (krb5_sendto_kdc): only call - gethostbyname2 with AF_INET6 if we actually have IPv6. From - "Brandon S. Allbery KF8NH" - - * lib/krb5/changepw.c (get_kdc_address): dito - -Sun Jan 31 06:26:36 1999 Assar Westerlund - - * kdc/connect.c (parse_prots): always bind to AF_INET, there are - v6-implementations without support for `mapped V4 addresses'. 
- From Jun-ichiro itojun Hagino - -Sat Jan 30 22:38:27 1999 Assar Westerlund - - * Release 0.0u - -Sat Jan 30 13:43:02 1999 Assar Westerlund - - * lib/krb5/Makefile.am: explicit rules for *.et files - - * lib/kadm5/init_c.c (get_kadm_ticket): only remove creds if - krb5_get_credentials was succesful. - (get_new_cache): return better error codes and return earlier. - (get_cred_cache): only delete default_client if it's different - from client - (kadm5_c_init_with_context): return a more descriptive error. - - * kdc/kerberos5.c (check_flags): handle NULL client or server - - * lib/krb5/sendauth.c (krb5_sendauth): return the error in - `ret_error' iff != NULL - - * lib/krb5/rd_error.c (krb5_free_error, krb5_free_error_contents): - new functions - - * lib/krb5/mk_req_ext.c (krb5_mk_req_extended): more - type-correctness - - * lib/krb5/krb5.h (krb5_error): typedef to KRB_ERROR - - * lib/krb5/init_creds_pw.c: KRB5_TGS_NAME: use - - * lib/krb5/get_cred.c: KRB5_TGS_NAME: use - - * lib/kafs/afskrb5.c (afslog_uid_int): update to changes - - * lib/kadm5/rename_s.c (kadm5_s_rename_principal): call remove - instead of rename, but shouldn't this just call rename? - - * lib/kadm5/get_s.c (kadm5_s_get_principal): always return an - error if the principal wasn't found. - - * lib/hdb/ndbm.c (NDBM_seq): unseal key - - * lib/hdb/db.c (DB_seq): unseal key - - * lib/asn1/Makefile.am: added explicit rules for asn1_err.[ch] - - * kdc/hprop.c (v4_prop): add krbtgt/THISREALM@OTHERREALM when - finding cross-realm tgts in the v4 database - - * kadmin/mod.c (mod_entry): check the number of arguments. check - that kadm5_get_principal worked. - - * lib/krb5/keytab.c (fkt_remove_entry): remove KRB5_KT_NOTFOUND if - we weren't able to remove it. - - * admin/ktutil.c: less drive-by-deleting. 
From Love - - - * kdc/connect.c (parse_ports): copy the string before mishandling - it with strtok_r - - * kdc/kerberos5.c (tgs_rep2): print the principal with mismatching - kvnos - - * kadmin/kadmind.c (main): convert `debug_port' to network byte - order - - * kadmin/kadmin.c: allow specification of port number. - - * lib/kadm5/kadm5_locl.h (kadm5_client_context): add - `kadmind_port'. - - * lib/kadm5/init_c.c (_kadm5_c_init_context): move up - initalize_kadm5_error_table_r. - allow specification of port number. - - From Love - - * kuser/klist.c: add option -t | --test -
diff --git a/crypto/heimdal-0.6.3/ChangeLog.2000 b/crypto/heimdal-0.6.3/ChangeLog.2000
deleted file mode 100644
index a1cb687f55..0000000000
--- a/crypto/heimdal-0.6.3/ChangeLog.2000
+++ /dev/null
@@ -1,1320 +0,0 @@
-2000-12-31 Assar Westerlund - - * lib/krb5/test_get_addrs.c (main): handle krb5_init_context - failure consistently - * lib/krb5/string-to-key-test.c (main): handle krb5_init_context - failure consistently - * lib/krb5/prog_setup.c (krb5_program_setup): handle - krb5_init_context failure consistently - * lib/hdb/convert_db.c (main): handle krb5_init_context failure - consistently - * kuser/kverify.c (main): handle krb5_init_context failure - consistently - * kuser/klist.c (main): handle krb5_init_context failure - consistently - * kuser/kinit.c (main): handle krb5_init_context failure - consistently - * kuser/kgetcred.c (main): handle krb5_init_context failure - consistently - * kuser/kdestroy.c (main): handle krb5_init_context failure - consistently - * kuser/kdecode_ticket.c (main): handle krb5_init_context failure - consistently - * kuser/generate-requests.c (generate_requests): handle - krb5_init_context failure consistently - * kpasswd/kpasswd.c (main): handle krb5_init_context failure - consistently - * kpasswd/kpasswd-generator.c (generate_requests): handle - krb5_init_context failure consistently - * kdc/main.c (main): handle krb5_init_context failure consistently - * appl/test/uu_client.c (proto): handle krb5_init_context failure - consistently - * appl/kf/kf.c (main): handle krb5_init_context failure - consistently - * admin/ktutil.c (main): handle krb5_init_context failure - consistently - - * admin/get.c (kt_get): more error checking - -2000-12-29 Assar Westerlund - - * lib/asn1/asn1_print.c (loop): check for length longer than data.
- inspired by lha@stacken.kth.se - -2000-12-16 Johan Danielsson - - * admin/ktutil.8: reflect recent changes - - * admin/copy.c: don't copy an entry that already exists in the - keytab, and warn if the keyblock differs - -2000-12-15 Johan Danielsson - - * admin/Makefile.am: merge srvconvert and srvcreate with copy - - * admin/copy.c: merge srvconvert and srvcreate with copy - - * lib/krb5/Makefile.am: always build keytab_krb4.c - - * lib/krb5/context.c: always register the krb4 keytab functions - - * lib/krb5/krb5.h: declare krb4_ftk_ops - - * lib/krb5/keytab_krb4.c: We don't really need to include krb.h - here, since we only use the principal size macros, so define these - here. Theoretically someone could have a krb4 system where these - values are != 40, but this is unlikely, and - krb5_524_conv_principal also assume they are 40. - -2000-12-13 Johan Danielsson - - * lib/krb5/krb5.h: s/krb5_donot_reply/krb5_donot_replay/ - - * lib/krb5/replay.c: fix query-replace-o from MD5 API change, and - the struct is called krb5_donot_replay - -2000-12-12 Assar Westerlund - - * admin/srvconvert.c (srvconvert): do not use data after free:ing - it - -2000-12-11 Assar Westerlund - - * Release 0.3d - -2000-12-11 Assar Westerlund - - * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): set version to 14:0:0 - * lib/hdb/Makefile.am (libhdb_la_LDFLAGS): update to 6:3:0 - * lib/krb5/Makefile.am (libkrb5_la_LIBADD): add library - dependencies - -2000-12-10 Johan Danielsson - - * lib/krb5/auth_context.c: implement krb5_auth_con_{get,set}rcache - -2000-12-08 Assar Westerlund - - * lib/krb5/krb5.h (krb5_enctype): add ETYPE_DES3_CBC_NONE_IVEC as - a new pseudo-type - - * lib/krb5/crypto.c (DES_AFS3_CMU_string_to_key): always treat - cell names as lower case - (krb5_encrypt_ivec, krb5_decrypt_ivec): new functions that allow an - explicit ivec to be specified. fix all sub-functions. 
- (DES3_CBC_encrypt_ivec): new function that takes an explicit ivec - -2000-12-06 Johan Danielsson - - * lib/krb5/Makefile.am: actually build replay cache code - - * lib/krb5/replay.c: implement krb5_get_server_rcache - - * kpasswd/kpasswdd.c: de-pointerise auth_context parameter to - krb5_mk_rep - - * lib/krb5/recvauth.c: de-pointerise auth_context parameter to - krb5_mk_rep - - * lib/krb5/mk_rep.c: auth_context should not be a pointer - - * lib/krb5/auth_context.c: implement krb5_auth_con_genaddrs, and - make setaddrs_from_fd use that - - * lib/krb5/krb5.h: add some more KRB5_AUTH_CONTEXT_* flags - -2000-12-05 Johan Danielsson - - * lib/krb5/Makefile.am: add kerberos.8 manpage - - * lib/krb5/cache.c: check for NULL remove_cred function - - * lib/krb5/fcache.c: pretend that empty files are non-existant - - * lib/krb5/get_addrs.c (find_all_addresses): use getifaddrs, from - Jason Thorpe - -2000-12-01 Assar Westerlund - - * configure.in: remove configure-time generation of krb5-config - * tools/Makefile.am: add generation of krb5-config at make-time - instead of configure-time - - * tools/krb5-config.in: add --prefix and --exec-prefix - -2000-11-30 Assar Westerlund - - * tools/Makefile.am: add krb5-config.1 - * tools/krb5-config.in: add kadm-client and kadm5-server as - libraries - -2000-11-29 Assar Westerlund - - * tools/krb5-config.in: add --prefix, --exec-prefix and gssapi - -2000-11-29 Johan Danielsson - - * configure.in: add roken/Makefile here, since it can't live in - rk_ROKEN - -2000-11-16 Assar Westerlund - - * configure.in: use the libtool -rpath, do not rely on ld - understanding -rpath - - * configure.in: fix the -Wl stuff for krb4 linking add some - gratuitous extra options when linking with an existing libdes - -2000-11-15 Assar Westerlund - - * lib/hdb/hdb.c (hdb_next_enctype2key): const-ize a little bit - * lib/Makefile.am (SUBDIRS): try to only build des when needed - * kuser/klist.c: print key versions numbers of v4 tickets in - verbose mode - - * 
kdc/kerberos5.c (tgs_rep2): adapt to new krb5_verify_ap_req2 - * appl/test/gss_common.c (read_token): remove unused variable - - * configure.in (krb4): add -Wl - (MD4Init et al): look for these in more libraries - (getmsg): only run test if we have the function - (AC_OUTPUT): create tools/krb5-config - - * tools/krb5-config.in: new script for storing flags to use - * Makefile.am (SUBDIRS): add tools - - * lib/krb5/get_cred.c (make_pa_tgs_req): update to new - krb5_mk_req_internal - * lib/krb5/mk_req_ext.c (krb5_mk_req_internal): allow different - usages for the encryption. change callers - * lib/krb5/rd_req.c (decrypt_authenticator): add an encryption - `usage'. also try the old - (and wrong) usage of KRB5_KU_AP_REQ_AUTH for backwards compatibility - (krb5_verify_ap_req2): new function for specifying the usage different - from the default (KRB5_KU_AP_REQ_AUTH) - * lib/krb5/build_auth.c (krb5_build_authenticator): add a `usage' - parameter to permit the generation of authenticators with - different crypto usage - - * lib/krb5/mk_req.c (krb5_mk_req_exact): new function that takes a - krb5_principal - (krb5_mk_req): use krb5_mk_req_exact - - * lib/krb5/mcache.c (mcc_close): free data - (mcc_destroy): don't free data - -2000-11-13 Assar Westerlund - - * lib/hdb/ndbm.c: handle both ndbm.h and gdbm/ndbm.h - * lib/hdb/hdb.c: handle both ndbm.h and gdbm/ndbm.h - -2000-11-12 Johan Danielsson - - * kdc/hpropd.8: remove extra .Xc - -2000-10-27 Johan Danielsson - - * kuser/kinit.c: fix v4 fallback lifetime calculation - -2000-10-10 Johan Danielsson - - * kdc/524.c: fix log messge - -2000-10-08 Assar Westerlund - - * lib/krb5/changepw.c (krb5_change_password): check for fd's being - too large to select on - * kpasswd/kpasswdd.c (add_new_tcp): check for the socket fd being - too large to select on - * kdc/connect.c (add_new_tcp): check for the socket fd being too - large to selct on - * kdc/connect.c (loop): check that the socket fd is not too large - to select on - * 
lib/krb5/send_to_kdc.c (recv_loop): check `fd' for being too - large to be able to select on - - * kdc/kaserver.c (do_authenticate): check for time skew - -2000-10-01 Assar Westerlund - - * kdc/524.c (set_address): allocate memory for storing addresses - in if the original request had an empty set of addresses - * kdc/524.c (set_address): fix bad return of pointer to automatic - data - - * config.sub: update to version 2000-09-11 (aka 1.181) from - subversions.gnu.org - - * config.guess: update to version 2000-09-05 (aka 1.156) from - subversions.gnu.org plus some minor tweaks - -2000-09-20 Assar Westerlund - - * Release 0.3c - -2000-09-19 Assar Westerlund - - * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump version to - 13:1:0 - - * lib/hdb/Makefile.am (libhdb_la_LDFLAGS): bump version to 6:2:0 - -2000-09-17 Assar Westerlund - - * lib/krb5/rd_req.c (krb5_decrypt_ticket): plug some memory leak - (krb5_rd_req): try not to return an allocated auth_context on error - - * lib/krb5/log.c (krb5_vlog_msg): fix const-ness - -2000-09-10 Assar Westerlund - - * kdc/524.c: re-organize - * kdc/kerberos5.c (tgs_rep2): try to avoid leaking auth_context - * kdc/kerberos4.c (valid_princ): check return value of functions - (encode_v4_ticket): add some const - * kdc/misc.c (db_fetch): check malloc - (free_ent): new function - - * lib/krb5/log.c (krb5_vlog_msg): log just the format string it we - fail to allocate the actual string to log, should at least provide - some hint as to where things went wrong - -2000-09-10 Johan Danielsson - - * kdc/log.c: use DEFAULT_LOG_DEST - - * kdc/config.c: use _PATH_KDC_CONF - - * kdc/kdc_locl.h: add macro constants for kdc.conf, and kdc.log - -2000-09-09 Assar Westerlund - - * lib/krb5/crypto.c (_key_schedule): re-use an existing schedule - -2000-09-06 Johan Danielsson - - * configure.in: fix dpagaix test - -2000-09-05 Assar Westerlund - - * configure.in: with_dce -> enable_dce. 
noticed by Ake Sandgren - - -2000-09-01 Johan Danielsson - - * kdc/kstash.8: update manual page - - * kdc/kstash.c: fix typo, and remove unused option - - * lib/krb5/kerberos.7: short kerberos intro page - -2000-08-27 Assar Westerlund - - * include/bits.c: add __attribute__ for gcc's pleasure - * lib/hdb/keytab.c: re-write to delay the opening of the database - till it's known which principal is being sought, thereby allowing - the usage of multiple databases, however they need to be specified - in /etc/krb5.conf since all the programs using this keytab do not - read kdc.conf - - * appl/test/test_locl.h (keytab): add - * appl/test/common.c: add --keytab - * lib/krb5/crypto.c: remove trailing commas - (KRB5_KU_USAGE_SEQ): renamed from KRB5_KU_USAGE_MIC - -2000-08-26 Assar Westerlund - - * lib/krb5/send_to_kdc.c (send_via_proxy): handle `http://' at the - beginning of the proxy specification. use getaddrinfo correctly - (krb5_sendto): always return a return code - - * lib/krb5/krb5.h (KRB5_KU_USAGE_MIC): rename to KRB5_KU_USAGE_SEQ - * lib/krb5/auth_context.c (krb5_auth_con_free): handle - auth_context == NULL - -2000-08-23 Assar Westerlund - - * kdc/kerberos5.c (find_type): make sure of always setting - `ret_etype' correctly. 
clean-up structure some
-
-2000-08-23 Johan Danielsson
-
- * lib/krb5/mcache.c: implement resolve
-
-2000-08-18 Assar Westerlund
-
- * kuser/kdecode_ticket.c: check return value from krb5_crypto_init
- * kdc/kerberos5.c, kdc/524.c: check return value from krb5_crypto_init
- * lib/krb5/*.c: check return value from krb5_crypto_init
-
-2000-08-16 Assar Westerlund
-
- * Release 0.3b
-
-2000-08-16 Assar Westerlund
-
- * lib/krb5/Makefile.am: bump version to 13:0:0
-
- * lib/hdb/Makefile.am: set version to 6:1:0
-
- * configure.in: do getmsg testing the same way as in krb4
-
- * lib/krb5/config_file.c (krb5_config_parse_file_debug): make sure
- of closing the file on error
-
- * lib/krb5/crypto.c (encrypt_internal_derived): free the checksum
- after use
-
- * lib/krb5/warn.c (_warnerr): initialize args to make third,
- purify et al happy
-
-2000-08-13 Assar Westerlund
-
- * kdc/kerberos5.c: re-write search for keys code. loop over all
- supported enctypes in order, looping over all keys of each type,
- and picking the one with the v5 default salt preferably
-
-2000-08-10 Assar Westerlund
-
- * appl/test/gss_common.c (enet_read): add and use
- * lib/krb5/krb5.h (heimdal_version, heimdal_long_version): make
- const
-
- * lib/krb5/mk_req_ext.c (krb5_mk_req_internal): add comment on
- checksum type selection
-
- * lib/krb5/context.c (krb5_init_context): do not leak memory on
- failure
- (default_etypes): prefer arcfour-hmac-md5 to des-cbc-md5
-
- * lib/krb5/principal.c: add fnmatch.h
-
-2000-08-09 Assar Westerlund
-
- * configure.in: call AC_PROG_CC and AC_PROG_CPP to make sure later
- checks that should require them don't fail
- * acconfig.h: add HAVE_UINT17_T
-
-2000-08-09 Johan Danielsson
-
- * kdc/mit_dump.c: handle all sorts of weird MIT salt types
-
-2000-08-08 Johan Danielsson
-
- * doc/setup.texi: port 212 -> 2121
-
- * lib/krb5/principal.c: krb5_principal_match
-
-2000-08-04 Johan Danielsson
-
- * lib/asn1/der_get.c: add comment on *why* DCE sometimes used BER
-
encoding
-
- * kpasswd/Makefile.am: link with pidfile library
-
- * kpasswd/kpasswdd.c: write a pid file
-
- * kpasswd/kpasswd_locl.h: util.h
-
- * kdc/Makefile.am: link with pidfile library
-
- * kdc/main.c: write a pid file
-
- * kdc/headers.h: util.h
-
-2000-08-04 Assar Westerlund
-
- * lib/krb5/principal.c (krb5_425_conv_principal_ext): always put
- hostnames in lower case
- (default_v4_name_convert): add imap
-
-2000-08-03 Assar Westerlund
-
- * lib/krb5/crc.c (_krb5_crc_update): const-ize (finally)
-
-2000-07-31 Johan Danielsson
-
- * configure.in: check for uint*_t
- * include/bits.c: define uint*_t
-
-2000-07-29 Assar Westerlund
-
- * kdc/kerberos5.c (check_tgs_flags): set endtime correctly when
- renewing, From Derrick J Brashear
-
-2000-07-28 Assar Westerlund
-
- * Release 0.3a
-
-2000-07-27 Assar Westerlund
-
- * kdc/hprop.c (dump_database): write an empty message to signal
- end of dump
-
-2000-07-26 Assar Westerlund
-
- * lib/krb5/changepw.c (krb5_change_password): try to be more
- careful when not to resend
-
- * lib/hdb/db3.c: always create a cursor with db3. From Derrick J
- Brashear
-
-2000-07-25 Johan Danielsson
-
- * lib/hdb/Makefile.am: bump version to 6:0:0
-
- * lib/asn1/Makefile.am: bump version to 3:0:1
-
- * lib/krb5/Makefile.am: bump version to 12:0:1
-
- * lib/krb5/krb5_config.3: manpage
-
- * lib/krb5/krb5_appdefault.3: manpage
-
- * lib/krb5/appdefault.c: implementation of the krb5_appdefault set
- of functions
-
-2000-07-23 Assar Westerlund
-
- * lib/krb5/init_creds_pw.c (change_password): reset forwardable
- and proxiable.
copy preauthentication list correctly from
- supplied options
-
- * kdc/hpropd.c (main): check that the ticket was for `hprop/' for
- paranoid reasons
-
- * lib/krb5/sock_principal.c (krb5_sock_to_principal): look in
- aliases for the real name
-
-2000-07-22 Johan Danielsson
-
- * doc/setup.texi: say something about starting kadmind from the
- command line
-
-2000-07-22 Assar Westerlund
-
- * kpasswd/kpasswdd.c: use kadm5_s_chpass_principal_cond instead of
- mis-doing it here
-
- * lib/krb5/changepw.c (krb5_change_password): make timeout 1 +
- 2^{0,1,...}. also keep track if we got an old packet back and
- then just wait without sending a new packet
- * lib/krb5/changepw.c: use a datagram socket and remove the
- sequence numbers
- * lib/krb5/changepw.c (krb5_change_password): clarify an
- expression, avoiding a warning
-
-2000-07-22 Johan Danielsson
-
- * kuser/klist.c: make -a and -n aliases for -v
-
- * lib/krb5/write_message.c: ws
-
- * kdc/hprop-common.c: nuke extra definitions of
- krb5_read_priv_message et.al
-
- * lib/krb5/read_message.c (krb5_read_message): return error if EOF
-
-2000-07-20 Assar Westerlund
-
- * kpasswd/kpasswd.c: print usage consistently
- * kdc/hprop.h (HPROP_KEYTAB): use HDB for the keytab
- * kdc/hpropd.c: add --keytab
- * kdc/hpropd.c: don't care what principal we recvauth as
-
- * lib/krb5/get_cred.c: be more careful of not returning creds at
- all when an error is returned
- * lib/krb5/fcache.c (fcc_gen_new): do mkstemp correctly
-
-2000-07-19 Johan Danielsson
-
- * fix-export: use autoreconf
-
- * configure.in: remove stuff that belong in roken, and remove some
- obsolete constructs
-
-2000-07-18 Johan Danielsson
-
- * configure.in: fix some typos
-
- * appl/Makefile.am: dceutil*s*
-
- * missing: update to missing from automake 1.4a
-
-2000-07-17 Johan Danielsson
-
- * configure.in: try to get xlc flags from ibmcxx.cfg use
- conditional for X use readline cf macro
-
- * configure.in: subst AIX compiler flags
-
-2000-07-15 Johan
Danielsson
-
- * configure.in: pass sixth parameter to test-package; use some
- newer autoconf constructs
-
- * ltmain.sh: update to libtool 1.3c
-
- * ltconfig: update to libtool 1.3c
-
- * configure.in: update this to newer auto*/libtool
-
- * appl/Makefile.am: use conditional for dce
-
- * lib/Makefile.am: use conditional for dce
-
-2000-07-11 Johan Danielsson
-
- * lib/krb5/write_message.c: krb5_write_{priv,save}_message
- * lib/krb5/read_message.c: krb5_read_{priv,save}_message
- * lib/krb5/convert_creds.c: try port kerberos/88 if no response on
- krb524/4444
-
- * lib/krb5/convert_creds.c: use krb5_sendto
-
- * lib/krb5/send_to_kdc.c: add more generic krb5_sendto that send
- to a port at arbitrary list of hosts
-
-2000-07-10 Johan Danielsson
-
- * doc/misc.texi: language; say something about kadmin del_enctype
-
-2000-07-10 Assar Westerlund
-
- * appl/kf/Makefile.am: actually install
-
-2000-07-08 Assar Westerlund
-
- * configure.in (AM_INIT_AUTOMAKE): bump to 0.3a-pre
- (AC_ROKEN): roken is now at 10
-
- * lib/krb5/string-to-key-test.c: add a arcfour-hmac-md5 test case
- * kdc/Makefile.am (INCLUDES): add ../lib/krb5
- * configure.in: update for standalone roken
- * lib/Makefile.am (SUBDIRS): make roken conditional
- * kdc/hprop.c: update to new hdb_seal_keys_mkey
- * lib/hdb/mkey.c (_hdb_unseal_keys_int, _hdb_seal_keys_int):
- rename and export them
-
- * kdc/headers.h: add krb5_locl.h (since we just use some stuff
- from there)
-
-2000-07-08 Johan Danielsson
-
- * kuser/klist.1: update for -f and add some more text for -v
-
- * kuser/klist.c: use rtbl to format cred listing, add -f and -s
-
- * lib/krb5/crypto.c: fix type in des3-cbc-none
-
- * lib/hdb/mkey.c: add key usage
-
- * kdc/kstash.c: remove writing of old keyfile, and treat
- --convert-file as just reading and writing the keyfile without
- asking for a new key
-
- * lib/hdb/mkey.c (read_master_encryptionkey): handle old keytype
- based files, and convert the key to cfb64
-
- * lib/hdb/mkey.c
(hdb_read_master_key): set mkey to NULL before
- doing anything else
-
- * lib/krb5/send_to_kdc.c: use krb5_eai_to_heim_errno
-
- * lib/krb5/get_for_creds.c: use krb5_eai_to_heim_errno
-
- * lib/krb5/changepw.c: use krb5_eai_to_heim_errno
-
- * lib/krb5/addr_families.c: use krb5_eai_to_heim_errno
-
- * lib/krb5/eai_to_heim_errno.c: convert getaddrinfo error codes to
- something that can be passed to get_err_text
-
-2000-07-07 Assar Westerlund
-
- * lib/hdb/hdb.c (hdb_next_enctype2key): make sure of skipping
- `*key'
-
- * kdc/kerberos4.c (get_des_key): rewrite some, be more careful
-
-2000-07-06 Assar Westerlund
-
- * kdc/kerberos5.c (as_rep): be careful as to now overflowing when
- calculating the end of lifetime of a ticket.
-
- * lib/krb5/context.c (default_etypes): add ETYPE_ARCFOUR_HMAC_MD5
-
- * lib/hdb/db3.c: only use a cursor when needed, from Derrick J
- Brashear
-
- * lib/krb5/crypto.c: introduce the `special' encryption methods
- that are not like all other encryption methods and implement
- arcfour-hmac-md5
-
-2000-07-05 Johan Danielsson
-
- * kdc/mit_dump.c: set initial master key version number to 0
- instead of 1; if we lated bump the mkvno we don't risk using the
- wrong key to decrypt
-
- * kdc/hprop.c: only get master key if we're actually going to use
- it; enable reading of MIT krb5 dump files
-
- * kdc/mit_dump.c: read MIT krb5 dump files
-
- * lib/hdb/mkey.c (read_master_mit): fix this
-
- * kdc/kstash.c: make this work with the new mkey code
-
- * lib/hdb/Makefile.am: add mkey.c, and bump version number
-
- * lib/hdb/hdb.h: rewrite master key handling
-
- * lib/hdb/mkey.c: rewrite master key handling
-
- * lib/krb5/crypto.c: add some more pseudo crypto types
-
- * lib/krb5/krb5.h: change some funny etypes to use negative
- numbers, and add some more
-
-2000-07-04 Assar Westerlund
-
- * lib/krb5/krbhst.c (get_krbhst): only try SRV lookup if there are
- none in the configuration file
-
-2000-07-02 Assar Westerlund
-
- *
lib/krb5/keytab_keyfile.c (akf_add_entry): remove unused
- variable
-
- * kpasswd/kpasswd-generator.c: new test program
- * kpasswd/Makefile.am: add kpasswd-generator
-
- * include/Makefile.am (CLEANFILES): add rc4.h
-
- * kuser/generate-requests.c: new test program
- * kuser/Makefile.am (noinst_PROGRAMS): add generate-requests
-
-2000-07-01 Assar Westerlund
-
- * configure.in: add --enable-dce and related stuff
- * appl/Makefile.am (SUBDIRS): add $(APPL_dce)
-
-2000-06-29 Assar Westerlund
-
- * kdc/kerberos4.c (get_des_key): fix thinkos/typos
-
-2000-06-29 Johan Danielsson
-
- * admin/purge.c: use parse_time to parse age
-
- * lib/krb5/log.c (krb5_vlog_msg): use krb5_format_time
-
- * admin/list.c: add printing of timestamp and key data; some
- cleanup
-
- * lib/krb5/time.c (krb5_format_time): new function to format time
-
- * lib/krb5/context.c (init_context_from_config_file): init
- date_fmt, also do some cleanup
-
- * lib/krb5/krb5.h: add date_fmt to context
-
-2000-06-28 Johan Danielsson
-
- * kdc/{kerberos4,kaserver,524}.c (get_des_key): change to return
- v4 or afs keys if possible
-
-2000-06-25 Johan Danielsson
-
- * kdc/hprop.c (ka_convert): allow using null salt, and treat 0
- pw_expire as never (from Derrick Brashear)
-
-2000-06-24 Johan Danielsson
-
- * kdc/connect.c (add_standard_ports): only listen to port 750 if
- serving v4 requests
-
-2000-06-22 Assar Westerlund
-
- * lib/asn1/lex.l: fix includes, and lex stuff
- * lib/asn1/lex.h (error_message): update prototype
- (yylex): add
- * lib/asn1/gen_length.c (length_type): fail on malloc error
- * lib/asn1/gen_decode.c (decode_type): fail on malloc error
-
-2000-06-21 Assar Westerlund
-
- * lib/krb5/get_for_creds.c: be more compatible with MIT code.
- From Daniel Kouril
- * lib/krb5/rd_cred.c: be more compatible with MIT code. From
- Daniel Kouril
- * kdc/kerberos5.c (get_pa_etype_info): do not set salttype if it's
- vanilla pw-salt, that keeps win2k happy. also do the malloc check
- correctly.
From Daniel Kouril
-
-2000-06-21 Johan Danielsson
-
- * kdc/hprop.c: add hdb keytabs
-
-2000-06-20 Johan Danielsson
-
- * lib/krb5/principal.c: back out rev. 1.64
-
-2000-06-19 Johan Danielsson
-
- * kdc/kerberos5.c: pa_* -> KRB5_PADATA_*
-
- * kdc/hpropd.c: add realm override flag
-
- * kdc/v4_dump.c: code for reading krb4 dump files
-
- * kdc/hprop.c: generalize source database handing, add support for
- non-standard local realms (from by Daniel Kouril
- and Miroslav Ruda ), and
- support for using different ports (requested by the Czechs, but
- implemented differently)
-
- * lib/krb5/get_cred.c: pa_* -> KRB5_PADATA_*
-
- * lib/krb5/get_in_tkt.c: pa_* -> KRB5_PADATA_*
-
- * lib/krb5/krb5.h: use some definitions from asn1.h
-
- * lib/hdb/hdb.asn1: use new import syntax
-
- * lib/asn1/k5.asn1: use distinguished value integers
-
- * lib/asn1/gen_length.c: support for distinguished value integers
-
- * lib/asn1/gen_encode.c: support for distinguished value integers
-
- * lib/asn1/gen_decode.c: support for distinguished value integers
-
- * lib/asn1/gen.c: support for distinguished value integers
-
- * lib/asn1/lex.l: add support for more standards like import
- statements
-
- * lib/asn1/parse.y: add support for more standards like import
- statements, and distinguished value integers
-
-2000-06-11 Assar Westerlund
-
- * lib/krb5/get_for_creds.c (add_addrs): ignore addresses of
- unknown type
- * lib/krb5/get_for_creds.c (add_addrs): zero memory before
- starting to copy memory
-
-2000-06-10 Assar Westerlund
-
- * lib/krb5/test_get_addrs.c: test program for get_addrs
- * lib/krb5/get_addrs.c (find_all_addresses): remember to add in
- the size of ifr->ifr_name when using SA_LEN.
noticed by Ken
- Raeburn
-
-2000-06-07 Assar Westerlund
-
- * configure.in: add db3 detection stuff do not use streamsptys on
- HP-UX 11
- * lib/hdb/hdb.h (HDB): add dbc for db3
- * kdc/connect.c (add_standard_ports): also listen on krb524 aka
- 4444
- * etc/services.append (krb524): add
- * lib/hdb/db3.c: add berkeley db3 interface. contributed by
- Derrick J Brashear
- * lib/hdb/hdb.h (struct HDB): add
-
-2000-06-07 Johan Danielsson
-
- * kdc/524.c: if 524 is not enabled, just generate error reply and
- exit
-
- * kdc/kerberos4.c: if v4 is not enabled, just generate error reply
- and exit
-
- * kdc/connect.c: only listen to port 4444 if 524 is enabled
-
- * kdc/config.c: add options to enable/disable v4 and 524 requests
-
-2000-06-06 Johan Danielsson
-
- * kdc/524.c: handle non-existant server principals (from Daniel
- Kouril)
-
-2000-06-03 Assar Westerlund
-
- * admin/ktutil.c: print name when failing to open keytab
-
- * kuser/kinit.c: try also to fallback to v4 when no KDC is found
-
-2000-05-28 Assar Westerlund
-
- * kuser/klist.c: continue even we have no v5 ccache.
make showing
- your krb4 tickets the default (if build with krb4 support)
- * kuser/kinit.c: add a fallback that tries to get a v4 ticket if
- built with krb4 support and we got back a version error from the
- KDC
-
-2000-05-23 Johan Danielsson
-
- * lib/krb5/keytab_keyfile.c: make this actually work
-
-2000-05-19 Assar Westerlund
-
- * lib/krb5/store_emem.c (emem_store): make it write-compatible
- * lib/krb5/store_fd.c (fd_store): make it write-compatible
- * lib/krb5/store_mem.c (mem_store): make it write-compatible
- * lib/krb5/krb5.h (krb5_storage): make store write-compatible
-
-2000-05-18 Assar Westerlund
-
- * configure.in: add stdio.h in dbopen test
-
-2000-05-16 Assar Westerlund
-
- * Release 0.2t
-
-2000-05-16 Assar Westerlund
-
- * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): set version to 11:1:0
- * lib/krb5/fcache.c: fix second lseek
- * lib/krb5/principal.c (krb5_524_conv_principal): fix typo
-
-2000-05-15 Assar Westerlund
-
- * Release 0.2s
-
-2000-05-15 Assar Westerlund
-
- * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): set version to 11:0:0
- * lib/hdb/Makefile.am (libhdb_la_LDFLAGS): set version to 4:2:1
- * lib/asn1/Makefile.am (libasn1_la_LDFLAGS): bump to 2:0:0
- * lib/krb5/principal.c (krb5_524_conv_principal): comment-ize, and
- simplify string copying
-
-2000-05-12 Assar Westerlund
-
- * lib/krb5/fcache.c (scrub_file): new function
- (erase_file): re-write, use scrub_file
- * lib/krb5/krb5.h (KRB5_DEFAULT_CCFILE_ROOT): add
-
- * configure.in (dbopen): add header files
-
- * lib/krb5/krb5.h (krb5_key_usage): add some more
- * lib/krb5/fcache.c (erase_file): try to detect symlink games.
- also call revoke.
- * lib/krb5/changepw.c (krb5_change_password): remember to close
- the socket on error
-
- * kdc/main.c (main): also call sigterm on SIGTERM
-
-2000-05-06 Assar Westerlund
-
- * lib/krb5/config_file.c (krb5_config_vget_string_default,
- krb5_config_get_string_default): add
-
-2000-04-25 Assar Westerlund
-
- * lib/krb5/fcache.c (fcc_initialize): just forget about
- over-writing the old cred cache. it's too much of a hazzle trying
- to do this safely.
-
-2000-04-11 Assar Westerlund
-
- * lib/krb5/crypto.c (krb5_get_wrapped_length): rewrite into
- different parts for the derived and non-derived cases
- * lib/krb5/crypto.c (krb5_get_wrapped_length): the padding should
- be done after having added confounder and checksum
-
-2000-04-09 Assar Westerlund
-
- * lib/krb5/get_addrs.c (find_all_addresses): apperently solaris
- can return EINVAL when the buffer is too small. cope.
- * lib/asn1/Makefile.am (gen_files): add asn1_UNSIGNED.x
- * lib/asn1/gen_locl.h (filename): add prototype
- (init_generate): const-ize
- * lib/asn1/gen.c (filename): new function clean-up a little bit.
- * lib/asn1/parse.y: be more tolerant in ranges
- * lib/asn1/lex.l: count lines correctly.
- (error_message): print filename in messages
-
-2000-04-08 Assar Westerlund
-
- * lib/krb5/rd_safe.c (krb5_rd_safe): increment sequence number
- after comparing
- * lib/krb5/rd_priv.c (krb5_rd_priv): increment sequence number
- after comparing
- * lib/krb5/mk_safe.c (krb5_mk_safe): make `tmp_seq' unsigned
- * lib/krb5/mk_priv.c (krb5_mk_priv): make `tmp_seq' unsigned
- * lib/krb5/generate_seq_number.c (krb5_generate_seq_number): make
- `seqno' be unsigned
- * lib/krb5/mk_safe.c (krb5_mk_safe): increment local sequence
- number after the fact and only increment it if we were successful
- * lib/krb5/mk_priv.c (krb5_mk_priv): increment local sequence
- number after the fact and only increment it if we were successful
- * lib/krb5/krb5.h (krb5_auth_context_data): make sequence number
- unsigned
-
- * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password):
- `in_tkt_service' can be NULL
-
-2000-04-06 Assar Westerlund
-
- * lib/asn1/parse.y: regonize INTEGER (0..UNIT_MAX).
- (DOTDOT): add
- * lib/asn1/lex.l (DOTDOT): add
- * lib/asn1/k5.asn1 (UNSIGNED): add. use UNSIGNED for all sequence
- numbers.
- * lib/asn1/gen_length.c (length_type): add TUInteger
- * lib/asn1/gen_free.c (free_type): add TUInteger
- * lib/asn1/gen_encode.c (encode_type, generate_type_encode): add
- TUInteger
- * lib/asn1/gen_decode.c (decode_type, generate_type_decode): add
- TUInteger
- * lib/asn1/gen_copy.c (copy_type): add TUInteger
- * lib/asn1/gen.c (define_asn1): add TUInteger
- * lib/asn1/der_put.c (encode_unsigned): add
- * lib/asn1/der_length.c (length_unsigned): add
- * lib/asn1/der_get.c (decode_unsigned): add
- * lib/asn1/der.h (decode_unsigned, encode_unsigned,
- length_unsigned): add prototypes
-
- * lib/asn1/k5.asn1: update pre-authentication types
- * lib/krb5/krb5_err.et: add some error codes from pkinit
-
-2000-04-05 Assar Westerlund
-
- * lib/hdb/hdb.c: add support for hdb methods (aka back-ends).
- include ldap.
- * lib/hdb/hdb-ldap.c: tweak the ifdef to OPENLDAP
- * lib/hdb/Makefile.am: add hdb-ldap.c and openldap
- * kdc/Makefile.am, kpasswd/Makefile.am, kadmin/Makefile.am: add
- * configure.in: bump version to 0.2s-pre add options and testing
- for (open)ldap
-
-2000-04-04 Assar Westerlund
-
- * configure.in (krb4): fix the krb_mk_req test
-
-2000-04-03 Assar Westerlund
-
- * configure.in (krb4): add test for const arguments to krb_mk_req
- * lib/45/mk_req.c (krb_mk_req): conditionalize const-ness of
- arguments
-
-2000-04-03 Assar Westerlund
-
- * Release 0.2r
-
-2000-04-03 Assar Westerlund
-
- * lib/krb5/Makefile.am: set version to 10:0:0
- * lib/45/mk_req.c (krb_mk_req): const-ize the arguments
-
-2000-03-30 Assar Westerlund
-
- * lib/krb5/principal.c (krb5_425_conv_principal_ext): add some
- comments. add fall-back on adding the realm name in lower case.
-
-2000-03-29 Assar Westerlund
-
- * kdc/connect.c: remember to repoint all descr->sa to _ss after
- realloc as this might have moved the memory around. problem
- discovered and diagnosed by Brandon S. Allbery
-
-2000-03-27 Assar Westerlund
-
- * configure.in: recognize solaris 2.8
- * config.guess, config.sub: update to current version from
- :pserver:anoncvs@subversions.gnu.org:/home/cvs
-
- * lib/krb5/init_creds_pw.c (print_expire): do not assume anything
- about the size of time_t, i.e. make it 64-bit happy
-
-2000-03-13 Assar Westerlund
-
- * kuser/klist.c: add support for display v4 tickets
-
-2000-03-11 Assar Westerlund
-
- * kdc/kaserver.c (do_authenticate, do_getticket): call check_flags
- * kdc/kerberos4.c (do_version4): call check_flags.
- * kdc/kerberos5.c (check_flags): make global
-
-2000-03-10 Assar Westerlund
-
- * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): evil
- hack to avoid recursion
-
-2000-03-04 Assar Westerlund
-
- * kuser/kinit.c: add `krb4_get_tickets' per realm.
add --anonymous
- * lib/krb5/krb5.h (krb5_get_init_creds_opt): add `anonymous' and
- KRB5_GET_INIT_CREDS_OPT_ANONYMOUS
- * lib/krb5/init_creds_pw.c (get_init_creds_common): set
- request_anonymous flag appropriatly
- * lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_anonymous):
- add
-
- * lib/krb5/get_in_tkt.c (_krb5_extract_ticket): new parameter to
- determine whetever to ignore client name of not. always copy
- client name from kdc. fix callers.
-
- * kdc: add support for anonymous tickets
-
- * kdc/string2key.8: add man-page for string2key
-
-2000-03-03 Assar Westerlund
-
- * kdc/hpropd.c (dump_krb4): get expiration date from `valid_end'
- and not `pw_end'
-
- * kdc/kadb.h (ka_entry): fix name pw_end -> valid_end. add some
- more fields
-
- * kdc/hprop.c (v4_prop): set the `valid_end' from the v4
- expiration date instead of the `pw_expire'
- (ka_convert): set `valid_end' from ka expiration data and `pw_expire'
- from pw_change + pw_expire
- (main): add a default database for ka dumping
-
-2000-02-28 Assar Westerlund
-
- * lib/krb5/context.c (init_context_from_config_file): change
- rfc2052 default to no. 2782 says that underscore should be used.
-
-2000-02-24 Assar Westerlund
-
- * lib/krb5/fcache.c (fcc_initialize, fcc_store_cred): verify that
- stores and close succeed
- * lib/krb5/store.c (krb5_store_creds): check to see that the
- stores are succesful.
-
-2000-02-23 Assar Westerlund
-
- * Release 0.2q
-
-2000-02-22 Assar Westerlund
-
- * lib/krb5/Makefile.am: set version to 9:2:0
-
- * lib/krb5/expand_hostname.c (krb5_expand_hostname_realms): copy
- the correct hostname
-
- * kdc/connect.c (add_new_tcp): use the correct entries in the
- descriptor table
- * kdc/connect.c: initialize `descr' uniformly and correctly
-
-2000-02-20 Assar Westerlund
-
- * Release 0.2p
-
-2000-02-19 Assar Westerlund
-
- * lib/krb5/Makefile.am: set version to 9:1:0
-
- * lib/krb5/expand_hostname.c (krb5_expand_hostname): make sure
- that realms is filled in even when getaddrinfo fails or does not
- return any canonical name
-
- * kdc/connect.c (descr): add sockaddr and string representation
- (*): re-write to use the above mentioned
-
-2000-02-16 Assar Westerlund
-
- * lib/krb5/addr_families.c (krb5_parse_address): use
- krb5_sockaddr2address to copy the result from getaddrinfo.
-
-2000-02-14 Assar Westerlund
-
- * Release 0.2o
-
-2000-02-13 Assar Westerlund
-
- * lib/krb5/Makefile.am: set version to 9:0:0
-
- * kdc/kaserver.c (do_authenticate): return the kvno of the server
- and not the client. Thanks to Brandon S. Allbery KF8NH
- and Chaskiel M Grundman
- for debugging.
-
- * kdc/kerberos4.c (do_version4): if an tgs-req is received with an
- old kvno, return an error reply and write a message in the log.
-
-2000-02-12 Assar Westerlund
-
- * appl/test/gssapi_server.c (proto): with `--fork', create a child
- and send over/receive creds with export/import_sec_context
- * appl/test/gssapi_client.c (proto): with `--fork', create a child
- and send over/receive creds with export/import_sec_context
- * appl/test/common.c: add `--fork' / `-f' (only used by gssapi)
-
-2000-02-11 Assar Westerlund
-
- * kdc/kdc_locl.h: remove keyfile add explicit_addresses
- * kdc/connect.c (init_sockets): pay attention to
- explicit_addresses some more comments. better error messages.
- * kdc/config.c: add some comments.
- remove --key-file.
- add --addresses.
-
- * lib/krb5/context.c (krb5_set_extra_addresses): const-ize and use
- proper abstraction
-
-2000-02-07 Johan Danielsson
-
- * lib/krb5/changepw.c: use roken_getaddrinfo_hostspec
-
-2000-02-07 Assar Westerlund
-
- * Release 0.2n
-
-2000-02-07 Assar Westerlund
-
- * lib/krb5/Makefile.am: set version to 8:0:0
- * lib/krb5/keytab.c (krb5_kt_default_name): use strlcpy
- (krb5_kt_add_entry): set timestamp
-
-2000-02-06 Assar Westerlund
-
- * lib/krb5/krb5.h: add macros for accessing krb5_realm
- * lib/krb5/time.c (krb5_timeofday): use `krb5_timestamp' instead
- of `int32_t'
-
- * lib/krb5/replay.c (checksum_authenticator): update to new API
- for md5
-
- * lib/krb5/krb5.h: remove des.h, it's not needed and applications
- should not have to make sure to find it.
-
-2000-02-03 Assar Westerlund
-
- * lib/krb5/rd_req.c (get_key_from_keytab): rename parameter to
- `out_key' to avoid conflicting with label. reported by Sean Doran
-
-
-2000-02-02 Assar Westerlund
-
- * lib/krb5/expand_hostname.c: remember to lower-case host names.
- bug reported by
-
- * kdc/kerberos4.c (do_version4): look at check_ticket_addresses
- and emulate that by setting krb_ignore_ip_address (not a great
- interface but it doesn't seem like the time to go around fixing
- libkrb stuff now)
-
-2000-02-01 Johan Danielsson
-
- * kuser/kinit.c: change --noaddresses into --no-addresses
-
-2000-01-28 Assar Westerlund
-
- * kpasswd/kpasswd.c (main): make sure the ticket is not
- forwardable and not proxiable
-
-2000-01-26 Assar Westerlund
-
- * lib/krb5/crypto.c: update to pseudo-standard APIs for
- md4,md5,sha. some changes to libdes calls to make them more
- portable.
-
-2000-01-21 Assar Westerlund
-
- * lib/krb5/verify_init.c (krb5_verify_init_creds): make sure to
- clean up the correct creds.
-
-2000-01-16 Assar Westerlund
-
- * lib/krb5/principal.c (append_component): change parameter to
- `const char *'.
check malloc
- * lib/krb5/principal.c (append_component, va_ext_princ, va_princ):
- const-ize
- * lib/krb5/mk_req.c (krb5_mk_req): make `service' and `hostname'
- const
- * lib/krb5/principal.c (replace_chars): also add space here
- * lib/krb5/principal.c: (quotable_chars): add space
-
-2000-01-12 Assar Westerlund
-
- * kdc/kerberos4.c (do_version4): check if preauth was required and
- bail-out if so since there's no way that could be done in v4.
- Return NULL_KEY as an error to the client (which is non-obvious,
- but what can you do?)
-
-2000-01-09 Assar Westerlund
-
- * lib/krb5/principal.c (krb5_sname_to_principal): use
- krb5_expand_hostname_realms
- * lib/krb5/mk_req.c (krb5_km_req): use krb5_expand_hostname_realms
- * lib/krb5/expand_hostname.c (krb5_expand_hostname_realms): new
- variant of krb5_expand_hostname that tries until it expands into
- something that's digestable by krb5_get_host_realm, returning also
- the result from that function.
-
-2000-01-08 Assar Westerlund
-
- * Release 0.2m
-
-2000-01-08 Assar Westerlund
-
- * configure.in: replace AC_C_BIGENDIAN with KRB_C_BIGENDIAN
-
- * lib/krb5/Makefile.am: bump version to 7:1:0
-
- * lib/krb5/principal.c (krb5_sname_to_principal): use
- krb5_expand_hostname
- * lib/krb5/expand_hostname.c (krb5_expand_hostname): handle
- ai_canonname being set in any of the addresses returnedby
- getaddrinfo. glibc apparently returns the reverse lookup of every
- address in ai_canonname.
-
-2000-01-06 Assar Westerlund
-
- * Release 0.2l
-
-2000-01-06 Assar Westerlund
-
- * lib/krb5/Makefile.am: set version to 7:0:0
- * lib/krb5/principal.c (krb5_sname_to_principal): remove `hp'
-
- * lib/hdb/Makefile.am: set version to 4:1:1
-
- * kdc/hpropd.c (dump_krb4): use `krb5_get_default_realms'
- * lib/krb5/get_in_tkt.c (add_padata): change types to make
- everything work out
- (krb5_get_in_cred): remove const to make types match
- * lib/krb5/crypto.c (ARCFOUR_string_to_key): correct signature
- * lib/krb5/principal.c (krb5_sname_to_principal): handle not
- getting back a canonname
-
-2000-01-06 Assar Westerlund
-
- * Release 0.2k
-
-2000-01-06 Assar Westerlund
-
- * lib/krb5/send_to_kdc.c (krb5_sendto_kdc): advance colon so that
- we actually parse the port number. based on a patch from Leif
- Johansson
-
-2000-01-02 Assar Westerlund
-
- * admin/purge.c: remove all non-current and old entries from a
- keytab
-
- * admin: break up ktutil.c into files
-
- * admin/ktutil.c (list): support --verbose (also listning time
- stamps)
- (kt_add, kt_get): set timestamp in newly created entries
- (kt_change): add `change' command
-
- * admin/srvconvert.c (srvconv): set timestamp in newly created
- entries
- * lib/krb5/keytab_keyfile.c (akf_next_entry): set timetsamp,
- always go the a predicatble position on error
- * lib/krb5/keytab.c (krb5_kt_copy_entry_contents): copy timestamp
- * lib/krb5/keytab_file.c (fkt_add_entry): store timestamp
- (fkt_next_entry_int): return timestamp
- * lib/krb5/krb5.h (krb5_keytab_entry): add timestamp
diff --git a/crypto/heimdal-0.6.3/ChangeLog.2001 b/crypto/heimdal-0.6.3/ChangeLog.2001
deleted file mode 100644
index b048488f8d..0000000000
--- a/crypto/heimdal-0.6.3/ChangeLog.2001
+++ /dev/null
@@ -1,1122 +0,0 @@ -2001-12-20 Johan Danielsson - - * lib/krb5/crypto.c: use our own des string-to-key function, since - the one from openssl sometimes generates wrong output - -2001-12-05 Jacques Vidrine - - * lib/hdb/mkey.c: fix a bug in which kstash would crash if - there were no /etc/krb5.conf - -2001-11-09 Johan Danielsson - - * lib/krb5/krb5_verify_user.3: sort references (from Thomas - Klausner) - - * lib/krb5/krb5_principal_get_realm.3: add section to reference - (from Thomas Klausner) - - * lib/krb5/krb5_krbhst_init.3: sort references (from Thomas - Klausner) - - * lib/krb5/krb5_keytab.3: white space fixes (from Thomas Klausner) - - * lib/krb5/krb5_get_krbhst.3: remove extra white space (from - Thomas Klausner) - - * lib/krb5/krb5_get_all_client_addrs.3: add section to reference - (from Thomas Klausner) - -2001-10-29 Jacques Vidrine - - * admin/get.c: fix a bug in which a reference to a data - structure on the stack was being kept after the containing - function's lifetime, resulting in a segfault during `ktutil - get'. - -2001-10-22 Assar Westerlund - - * lib/krb5/crypto.c: make all high-level encrypting and decrypting - functions check the return value of the underlying function and - handle errors more consistently. 
noted by Sam Hartman - - -2001-10-21 Assar Westerlund - - * lib/krb5/crypto.c (enctype_arcfour_hmac_md5): actually use a - non-keyed checksum when it should be non-keyed - -2001-09-29 Assar Westerlund - - * kuser/kinit.1: add the kauth alias - * kuser/kinit.c: allow specification of afslog in krb5.conf, noted - by jhutz@cs.cmu.edu - -2001-09-27 Assar Westerlund - - * lib/asn1/gen.c: remove the need for libasn1.h, also make - generated files include all files from IMPORTed modules - - * lib/krb5/krb5.h (KRB5_KPASSWD_*): set correct values - * kpasswd/kpasswd.c: improve error message printing - * lib/krb5/changepw.c (krb5_passwd_result_to_string): add change - to use sequence numbers connect the udp socket so that we can - figure out the local address - -2001-09-25 Assar Westerlund - - * lib/asn1: implement OBJECT IDENTIFIER and ENUMERATED - -2001-09-20 Johan Danielsson - - * lib/krb5/principal.c (krb5_425_conv_principal_ext): try using - lower case realm as domain, but only when given a verification - function - -2001-09-20 Assar Westerlund - - * lib/asn1/der_put.c (der_put_length): do not even try writing - anything when len == 0 - -2001-09-18 Johan Danielsson - - * kdc/hpropd.c: add realm override option - - * lib/krb5/set_default_realm.c (krb5_set_default_realm): make - realm parameter const - - * kdc/hprop.c: more free's - - * lib/krb5/init_creds_pw.c (krb5_get_init_creds_keytab): free key - proc data - - * lib/krb5/expand_hostname.c (krb5_expand_hostname_realms): free - addrinfo - - * lib/hdb/mkey.c (hdb_set_master_keyfile): clear error string when - not returning error - -2001-09-16 Assar Westerlund - - * lib/krb5/appdefault.c (krb5_appdefault_{boolean,string,time): - make realm const - - * lib/krb5/crypto.c: use des functions to avoid generating - warnings with openssl's prototypes - -2001-09-05 Johan Danielsson - - * configure.in: check for termcap.h - - * lib/asn1/lex.l: add another undef ECHO to keep AIX lex happy - -2001-09-03 Assar Westerlund - - * 
lib/krb5/addr_families.c (krb5_print_address): handle snprintf - returning < 0. noticed by hin@stacken.kth.se - -2001-09-03 Assar Westerlund - - * Release 0.4e - -2001-09-02 Johan Danielsson - - * kuser/Makefile.am: install kauth as a symlink to kinit - - * kuser/kinit.c: get v4_tickets by default - - * lib/asn1/Makefile.am: fix for broken automake - -2001-08-31 Johan Danielsson - - * lib/hdb/hdb-ldap.c: some pretty much untested changes from Luke - Howard - - * kuser/kinit.1: remove references to kauth - - * kuser/Makefile.am: kauth is no more - - * kuser/kinit.c: use appdefaults for everything. defaults are now - as in kauth. - - * lib/krb5/appdefault.c: also check libdefaults, and realms/realm - - * lib/krb5/context.c (krb5_free_context): free more stuff - -2001-08-30 Johan Danielsson - - * lib/krb5/verify_krb5_conf.c: do some checks of the values in the - file - - * lib/krb5/krb5.conf.5: remove srv_try_txt, fix spelling - - * lib/krb5/context.c: don't init srv_try_txt, since it isn't used - anymore - -2001-08-29 Jacques Vidrine - - * configure.in: Check for already-installed com_err. - -2001-08-28 Assar Westerlund - - * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): set versoin to 18:2:1 - -2001-08-24 Assar Westerlund - - * kuser/Makefile.am: remove CHECK_LOCAL - non bin programs require - no special treatment now - - * kuser/generate-requests.c: parse arguments in a useful way - * kuser/kverify.c: add --help/--verify - -2001-08-22 Assar Westerlund - - * configure.in: bump prereq to 2.52 remove unused test_LIB_KRB4 - - * configure.in: re-write the handling of crypto libraries. try to - use the one of openssl's libcrypto or krb4's libdes that has all - the required functionality (md4, md5, sha1, des, rc4). if there - is no such library, the included lib/des is built. 
- - * kdc/headers.h: include libutil.h if it exists - * kpasswd/kpasswd_locl.h: include libutil.h if it exists - * kdc/kerberos4.c (get_des_key): check for null keys even if - is_server - -2001-08-21 Assar Westerlund - - * lib/asn1/asn1_print.c: print some size_t correctly - * configure.in: remove extra space after -L check for libutil.h - -2001-08-17 Johan Danielsson - - * kdc/kdc_locl.h: fix prototype for get_des_key - - * kdc/kaserver.c: fix call to get_des_key - - * kdc/524.c: fix call to get_des_key - - * kdc/kerberos4.c (get_des_key): if getting a key for a server, - return any des-key not just keys that can be string-to-keyed by - the client - -2001-08-10 Assar Westerlund - - * Release 0.4d - -2001-08-10 Assar Westerlund - - * configure.in: check for openpty - * lib/hdb/Makefile.am (libhdb_la_LDFLAGS): update to 7:4:0 - -2001-08-08 Assar Westerlund - - * configure.in: just add -L (if required) from krb4 when testing - for libdes/libcrypto - -2001-08-04 Assar Westerlund - - * lib/krb5/Makefile.am (man_MANS): add some missing man pages - * fix-export: fix the sed expression for finding the man pages - -2001-07-31 Assar Westerlund - - * kpasswd/kpasswd-generator.c (main): implement --version and - --help - - * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): update version to - 18:1:1 - -2001-07-27 Assar Westerlund - - * lib/krb5/context.c (init_context_from_config_file): check - parsing of addresses - -2001-07-26 Assar Westerlund - - * lib/krb5/sock_principal.c (krb5_sock_to_principal): rename - sa_len -> salen to avoid the macro that's defined on irix. noted - by "Jacques A. 
Vidrine" - -2001-07-24 Johan Danielsson - - * lib/krb5/addr_families.c: add support for type - KRB5_ADDRESS_ADDRPORT - - * lib/krb5/addr_families.c (krb5_address_order): complain about - unsuppored address types - -2001-07-23 Johan Danielsson - - * admin/get.c: don't open connection to server until we loop over - the principals, at that time we know the realm of the (first) - principal and we can default to that admin server - - * admin: add a rename command - -2001-07-19 Assar Westerlund - - * kdc/hprop.c (usage): clarify a tiny bit - -2001-07-19 Assar Westerlund - - * Release 0.4c - -2001-07-19 Assar Westerlund - - * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump version to - 18:0:1 - - * lib/krb5/get_for_creds.c (krb5_fwd_tgt_creds): make it behave - the same way as the MIT function - - * lib/hdb/Makefile.am (libhdb_la_LDFLAGS): update to 7:3:0 - * lib/krb5/sock_principal.c (krb5_sock_to_principal): use - getnameinfo - - * lib/krb5/krbhst.c (srv_find_realm): handle port numbers - consistenly in local byte order - - * lib/krb5/get_default_realm.c (krb5_get_default_realm): set an - error string - - * kuser/kinit.c (renew_validate): invert condition correctly. 
get - v4 tickets if we succeed renewing - * lib/krb5/principal.c (krb5_principal_get_type): add - (default_v4_name_convert): add "smtp" - -2001-07-13 Assar Westerlund - - * configure.in: remove make-print-version from LIBOBJS, it's no - longer in lib/roken but always built in lib/vers - -2001-07-12 Johan Danielsson - - * lib/hdb/mkey.c: more set_error_string - -2001-07-12 Assar Westerlund - - * lib/hdb/Makefile.am (libhdb_la_LIBADD): add required library - dependencies - - * lib/asn1/Makefile.am (libasn1_la_LIBADD): add required library - dependencies - -2001-07-11 Johan Danielsson - - * kdc/hprop.c: remove v4 master key handling; remove old v4-db and - ka-db flags; add defaults for v4_realm and afs_cell - -2001-07-09 Assar Westerlund - - * lib/krb5/sock_principal.c (krb5_sock_to_principal): copy hname - before calling krb5_sname_to_principal. from "Jacques A. Vidrine" - - -2001-07-08 Johan Danielsson - - * lib/krb5/context.c: use krb5_copy_addresses instead of - copy_HostAddresses - -2001-07-06 Assar Westerlund - - * configure.in (LIB_des_a, LIB_des_so): add these so that they can - be used by lib/auth/sia - - * kuser/kinit.c: re-do some of the v4 fallbacks: look at - get-tokens flag do not print extra errors do not try to do 524 if - we got tickets from a v4 server - -2001-07-03 Assar Westerlund - - * lib/krb5/replay.c (krb5_get_server_rcache): cast argument to - printf - - * lib/krb5/get_addrs.c (find_all_addresses): call free_addresses - on ignore_addresses correctly - * lib/krb5/init_creds.c - (krb5_get_init_creds_opt_set_default_flags): change to take a - const realm - - * lib/krb5/principal.c (krb5_425_conv_principal_ext): if the - instance is the first component of the local hostname, the - converted host should be the long hostname. 
from - - -2001-07-02 Johan Danielsson - - * lib/krb5/Makefile.am: address.c is no more; add a couple of - manpages - - * lib/krb5/krb5_timeofday.3: new manpage - - * lib/krb5/krb5_get_all_client_addrs.3: new manpage - - * lib/krb5/get_in_tkt.c (init_as_req): treat no addresses as - wildcard - - * lib/krb5/get_cred.c (get_cred_kdc_la): treat no addresses as - wildcard - - * lib/krb5/get_addrs.c: don't include client addresses that match - ignore_addresses - - * lib/krb5/context.c: initialise ignore_addresses - - * lib/krb5/addr_families.c: add new `arange' fake address type, - that matches more than one address; this required some internal - changes to many functions, so all of address.c got moved here - (wasn't much left there) - - * lib/krb5/krb5.h: add list of ignored addresses to context - -2001-07-03 Assar Westerlund - - * Release 0.4b - -2001-07-03 Assar Westerlund - - * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): set version to 17:0:0 - * lib/hdb/Makefile.am (libhdb_la_LDFLAGS): set version to 7:2:0 - -2001-07-03 Assar Westerlund - - * Release 0.4a - -2001-07-02 Johan Danielsson - - * kuser/kinit.c: make this compile without krb4 support - - * lib/krb5/write_message.c: remove priv parameter from - write_safe_message; don't know why it was there in the first place - - * doc/install.texi: remove kaserver switches, it's always compiled - in now - - * kdc/hprop.c: always include kadb support - - * kdc/kaserver.c: always include kaserver support - -2001-07-02 Assar Westerlund - - * kpasswd/kpasswdd.c (doit): make failing to bind a socket a - non-fatal error, and abort if no sockets were bound - -2001-07-01 Assar Westerlund - - * lib/krb5/krbhst.c: remember the real port number when falling - back from kpasswd -> kadmin, and krb524 -> kdc - -2001-06-29 Assar Westerlund - - * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): if - no_addresses is set, do not add any local addresses to KRB_CRED - - * kuser/kinit.c: remove extra clearing of password and some - 
redundant code - -2001-06-29 Johan Danielsson - - * kuser/kinit.c: move ticket conversion code to separate function, - and call that from a couple of places, like when renewing a - ticket; also add a flag for just converting a ticket - - * lib/krb5/init_creds_pw.c: set renew-life to some sane value - - * kdc/524.c: don't send more data than required - -2001-06-24 Assar Westerlund - - * lib/krb5/store_fd.c (krb5_storage_from_fd): check malloc returns - - * lib/krb5/keytab_any.c (any_resolve); improving parsing of ANY: - (any_start_seq_get): remove a double free - (any_next_entry): iterate over all (sub) keytabs and avoid leave data - around to be freed again - - * kdc/kdc_locl.h: add a define for des_new_random_key when using - openssl's libcrypto - - * configure.in: move v6 tests down - - * lib/krb5/krb5.h (krb5_context_data): remove srv_try_rfc2052 - - * update to libtool 1.4 and autoconf 2.50 - -2001-06-22 Johan Danielsson - - * lib/hdb/hdb.c: use krb5_add_et_list - -2001-06-21 Johan Danielsson - - * lib/hdb/Makefile.am: add generation number - * lib/hdb/common.c: add generation number code - * lib/hdb/hdb.asn1: add generation number - * lib/hdb/print.c: use krb5_storage to make it more dynamic - -2001-06-21 Assar Westerlund - - * lib/krb5/krb5.conf.5: update to changed names used by - krb5_get_init_creds_opt_set_default_flags - * lib/krb5/init_creds.c - (krb5_get_init_creds_opt_set_default_flags): make the appdefault - keywords have the same names - - * configure.in: only add -L and -R to the krb4 libdir if we are - actually using it - - * lib/krb5/krbhst.c (fallback_get_hosts): do not copy trailing - dot of hostname add some comments - * lib/krb5/krbhst.c: use getaddrinfo instead of dns_lookup when - testing for kerberos.REALM. 
this allows reusing that information - when actually contacting the server and thus avoids one DNS lookup - -2001-06-20 Johan Danielsson - - * lib/krb5/krb5.h: include k524_err.h - - * lib/krb5/convert_creds.c (krb524_convert_creds_kdc): don't test - for keytype, the server will do this for us if it has anything to - complain about - - * lib/krb5/context.c: add protocol compatible krb524 error codes - - * lib/krb5/Makefile.am: add protocol compatible krb524 error codes - - * lib/krb5/k524_err.et: add protocol compatible krb524 error codes - - * lib/krb5/krb5_principal_get_realm.3: manpage - - * lib/krb5/principal.c: add functions `krb5_principal_get_realm' - and `krb5_principal_get_comp_string' that returns parts of a - principal; this is a replacement for the internal - `krb5_princ_realm' and `krb5_princ_component' macros that everyone - seem to use - -2001-06-19 Assar Westerlund - - * kuser/kinit.c (main): dereference result from krb5_princ_realm. - from Thomas Nystrom - -2001-06-18 Johan Danielsson - - * lib/krb5/mk_req.c (krb5_mk_req_exact): free creds when done - * lib/krb5/crypto.c (krb5_string_to_key_derived): fix memory leak - * lib/krb5/krbhst.c (config_get_hosts): free hostlist - * kuser/kinit.c: free principal - -2001-06-18 Assar Westerlund - - * lib/krb5/send_to_kdc.c (krb5_sendto): remove an extra - freeaddrinfo - - * lib/krb5/convert_creds.c (krb524_convert_creds_kdc_ccache): - remove some unused variables - - * lib/krb5/krbhst.c (admin_get_next): spell kerberos correctly - * kdc/kerberos5.c: update to new krb5_auth_con* names - * kdc/hpropd.c: update to new krb5_auth_con* names - * lib/krb5/rd_req.c (krb5_rd_req): use krb5_auth_con* functions - and remove some comments - * lib/krb5/rd_safe.c (krb5_rd_safe): pick the keys in the right - order: remote - local - session - * lib/krb5/rd_rep.c (krb5_rd_rep): save the remote sub key in the - auth_context - * lib/krb5/rd_priv.c (krb5_rd_priv): pick keys in the correct - order: remote - local - session - * 
lib/krb5/mk_safe.c (krb5_mk_safe): pick keys in the right order, - local - remote - session - -2001-06-18 Johan Danielsson - - * lib/krb5/convert_creds.c: use starttime instead of authtime, - from Chris Chiappa - - * lib/krb5/convert_creds.c: make krb524_convert_creds_kdc match - the MIT function by the same name; add - krb524_convert_creds_kdc_ccache that does what the old version did - - * admin/list.c (do_list): make sure list of keys is NULL - terminated; similar to patch sent by Chris Chiappa - -2001-06-18 Assar Westerlund - - * lib/krb5/mcache.c (mcc_remove_cred): use - krb5_free_creds_contents - - * lib/krb5/auth_context.c: name function krb5_auth_con more - consistenly - * lib/krb5/rd_req.c (krb5_verify_authenticator_checksum): use - renamed krb5_auth_con_getauthenticator - - * lib/krb5/convert_creds.c (krb524_convert_creds_kdc): update to - use krb5_krbhst API - * lib/krb5/changepw.c (krb5_change_password): update to use - krb5_krbhst API - * lib/krb5/send_to_kdc.c: update to use krb5_krbhst API - * lib/krb5/krbhst.c (krb5_krbhst_get_addrinfo): add set def_port - in krb5_krbhst_info - (krb5_krbhst_free): free everything - - * lib/krb5/krb5.h (KRB5_VERIFY_NO_ADDRESSES): add - (krb5_krbhst_info): add def_port (default port for this service) - - * lib/krb5/krbhst-test.c: make it more verbose and useful - * lib/krb5/krbhst.c: remove some more memory leaks do not try any - dns operations if there is local configuration admin: fallback to - kerberos.REALM 524: fallback to kdcs kpasswd: fallback to admin - add some comments - - * configure.in: remove initstate and setstate, they should be in - cf/roken-frag.m4 - - * lib/krb5/Makefile.am (noinst_PROGRAMS): add krbhst-test - * lib/krb5/krbhst-test.c: new program for testing krbhst - * lib/krb5/krbhst.c (common_init): remove memory leak - (main): move test program into krbhst-test - -2001-06-17 Johan Danielsson - - * lib/krb5/krb5_krbhst_init.3: manpage - - * lib/krb5/krb5_get_krbhst.3: manpage - -2001-06-16 Johan 
Danielsson - - * lib/krb5/krb5.h: add opaque krb5_krbhst_handle type - - * lib/krb5/krbhst.c: change void* to krb5_krbhst_handle - - * lib/krb5/krb5.h: types for new krbhst api - - * lib/krb5/krbhst.c: implement a new api that looks up one host at - a time, instead of making a list of hosts - -2001-06-09 Johan Danielsson - - * configure.in: test for initstate and setstate - - * lib/krb5/krbhst.c: remove rfc2052 support - -2001-06-08 Johan Danielsson - - * fix some manpages for broken mdoc.old grog test - -2001-05-28 Assar Westerlund - - * lib/krb5/krb5.conf.5: add [appdefaults] - * lib/krb5/init_creds_pw.c: remove configuration reading that is - now done in krb5_get_init_creds_opt_set_default_flags - * lib/krb5/init_creds.c - (krb5_get_init_creds_opt_set_default_flags): add reading of - libdefaults versions of these and add no_addresses - - * lib/krb5/get_in_tkt.c (krb5_get_in_cred): clear error string - when preauth was required and we retry - -2001-05-25 Assar Westerlund - - * lib/krb5/convert_creds.c (krb524_convert_creds_kdc): call - krb5_get_krb524hst - * lib/krb5/krbhst.c (krb5_get_krb524hst): add and restructure the - support functions - -2001-05-22 Assar Westerlund - - * kdc/kerberos5.c (tgs_rep2): alloc and free csec and cusec - properly - -2001-05-17 Assar Westerlund - - * Release 0.3f - -2001-05-17 Assar Westerlund - - * lib/krb5/Makefile.am: bump version to 16:0:0 - * lib/hdb/Makefile.am: bump version to 7:1:0 - * lib/asn1/Makefile.am: bump version to 5:0:0 - * lib/krb5/keytab_krb4.c: add SRVTAB as an alias for krb4 - * lib/krb5/codec.c: remove dead code - -2001-05-17 Johan Danielsson - - * kdc/config.c: actually check the ticket addresses - -2001-05-15 Assar Westerlund - - * lib/krb5/rd_error.c (krb5_error_from_rd_error): use correct - parenthesis - - * lib/krb5/eai_to_heim_errno.c (krb5_eai_to_heim_errno): add - `errno' (called system_error) to allow callers to make sure they - pass the current and relevant value. 
update callers - -2001-05-14 Johan Danielsson - - * lib/krb5/verify_user.c: krb5_verify_user_opt - - * lib/krb5/krb5.h: verify_opt - - * kdc/kerberos5.c: pass context to krb5_domain_x500_decode - -2001-05-14 Assar Westerlund - - * kpasswd/kpasswdd.c: adapt to new address functions - * kdc/kerberos5.c: adapt to changing address functions use LR_TYPE - * kdc/connect.c: adapt to changing address functions - * kdc/config.c: new krb5_config_parse_file - * kdc/524.c: new krb5_sockaddr2address - * lib/krb5/*: add some krb5_{set,clear}_error_string - - * lib/asn1/k5.asn1 (LR_TYPE): add - * lib/asn1/Makefile.am (gen_files): add asn1_LR_TYPE.x - -2001-05-11 Assar Westerlund - - * kdc/kerberos5.c (tsg_rep): fix typo in variable name - - * kpasswd/kpasswd-generator.c (nop_prompter): update prototype - * lib/krb5/init_creds_pw.c: update to new prompter, use prompter - types and send two prompts at once when changning password - * lib/krb5/prompter_posix.c (krb5_prompter_posix): add name - * lib/krb5/krb5.h (krb5_prompt): add type - (krb5_prompter_fct): add anem - - * lib/krb5/cache.c (krb5_cc_next_cred): transpose last two - paramaters to krb5_cc_next_cred (as MIT does, and not as they - document). From "Jacques A. Vidrine" - -2001-05-11 Johan Danielsson - - * lib/krb5/Makefile.am: store-test - - * lib/krb5/store-test.c: simple bit storage test - - * lib/krb5/store.c: add more byteorder storage flags - - * lib/krb5/krb5.h: add more byteorder storage flags - - * kdc/kerberos5.c: don't use NULL where we mean 0 - - * kdc/kerberos5.c: put referral test code in separate function, - and test for KRB5_NT_SRV_INST - -2001-05-10 Assar Westerlund - - * admin/list.c (do_list): do not close the keytab if opening it - failed - * admin/list.c (do_list): always print complete names. print - everything to stdout. - * admin/list.c: print both v5 and v4 list by default - * admin/remove.c (kt_remove): reorganize some. open the keytab - (defaulting to the modify one). 
- * admin/purge.c (kt_purge): reorganize some. open the keytab - (defaulting to the modify one). correct usage strings - * admin/list.c (kt_list): reorganize some. open the keytab - * admin/get.c (kt_get): reorganize some. open the keytab - (defaulting to the modify one) - * admin/copy.c (kt_copy): default to modify key name. re-organise - * admin/change.c (kt_change): reorganize some. open the keytab - (defaulting to the modify one) - * admin/add.c (kt_add): reorganize some. open the keytab - (defaulting to the modify one) - * admin/ktutil.c (main): do not open the keytab, let every - sub-function handle it - - * kdc/config.c (configure): call free_getarg_strings - - * lib/krb5/get_in_tkt.c (krb5_get_in_cred): set error strings for - a few more errors - - * lib/krb5/get_host_realm.c (krb5_get_host_realm_int): make - `use_dns' parameter boolean - - * lib/krb5/krb5.h (krb5_context_data): add default_keytab_modify - * lib/krb5/context.c (init_context_from_config_file): set - default_keytab_modify - * lib/krb5/krb5_locl.h (KEYTAB_DEFAULT): change to - ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab - (KEYTAB_DEFAULT_MODIFY): add - * lib/krb5/keytab.c (krb5_kt_default_modify_name): add - (krb5_kt_resolve): set error string for failed keytab type - -2001-05-08 Assar Westerlund - - * lib/krb5/crypto.c (encryption_type): make field names more - consistent - (create_checksum): separate usage and type - (krb5_create_checksum): add a separate type parameter - (encrypt_internal): only free once on mismatched checksum length - - * lib/krb5/send_to_kdc.c (krb5_sendto_kdc2): try to tell what - realm we didn't manage to reach any KDC for in the error string - - * lib/krb5/generate_seq_number.c (krb5_generate_seq_number): free - the entire subkey. 
from - -2001-05-07 Johan Danielsson - - * lib/krb5/keytab_keyfile.c (akf_start_seq_get): return - KT_NOTFOUND if the file is empty - -2001-05-07 Assar Westerlund - - * lib/krb5/fcache.c: call krb5_set_error_string when open fails - fatally - * lib/krb5/keytab_file.c: call krb5_set_error_string when open - fails fatally - - * lib/krb5/warn.c (_warnerr): print error_string in context in - preference to error string derived from error code - * kuser/kinit.c (main): try to print the error string - * lib/krb5/get_in_tkt.c (krb5_get_in_cred): set some sensible - error strings for errors - - * lib/krb5/krb5.h (krb5_context_data): add error_string and - error_buf - * lib/krb5/Makefile.am (libkrb5_la_SOURCES): add error_string.c - * lib/krb5/error_string.c: new file - -2001-05-02 Johan Danielsson - - * lib/krb5/time.c: krb5_string_to_deltat - - * lib/krb5/sock_principal.c: one less data copy - - * lib/krb5/eai_to_heim_errno.c: conversion function for h_errno's - - * lib/krb5/get_default_principal.c: change this slightly - - * lib/krb5/crypto.c: make checksum_types into an array of pointers - - * lib/krb5/convert_creds.c: make sure we always use a des-cbc-crc - ticket - -2001-04-29 Assar Westerlund - - * kdc/kerberos5.c (tgs_rep2): return a reference to a krbtgt for - the right realm if we fail to find a non-krbtgt service in the - database and the second component does a succesful non-dns lookup - to get the real realm (which has to be different from the - originally-supplied realm). 
this should help windows 2000 clients - that always start their lookups in `their' realm and do not have - any idea of how to map hostnames into realms - * kdc/kerberos5.c (is_krbtgt): rename to get_krbtgt_realm - -2001-04-27 Johan Danielsson - - * lib/krb5/get_host_realm.c (krb5_get_host_realm_int): add extra - parameter to request use of dns or not - -2001-04-25 Assar Westerlund - - * admin/get.c (kt_get): allow specification of encryption types - * lib/krb5/verify_init.c (krb5_verify_init_creds): do not try to - close an unopened ccache, noted by - - * lib/krb5/krb5.h (krb5_any_ops): add declaration - * lib/krb5/context.c (init_context_from_config_file): register - krb5_any_ops - - * lib/krb5/keytab_any.c: new file, implementing union of keytabs - * lib/krb5/Makefile.am (libkrb5_la_SOURCES): add keytab_any.c - - * lib/krb5/init_creds_pw.c (get_init_creds_common): handle options - == NULL. noted by - -2001-04-19 Johan Danielsson - - * lib/krb5/rd_cred.c: set ret_creds to NULL before doing anything - else, from Jacques Vidrine - -2001-04-18 Johan Danielsson - - * lib/hdb/libasn1.h: asn1.h -> krb5_asn1.h - - * lib/asn1/Makefile.am: add asn1_ENCTYPE.x - - * lib/krb5/krb5.h: adapt to asn1 changes - - * lib/asn1/k5.asn1: move enctypes here - - * lib/asn1/libasn1.h: rename asn1.h to krb5_asn1.h to avoid - conflicts - - * lib/asn1/Makefile.am: rename asn1.h to krb5_asn1.h to avoid - conflicts - - * lib/asn1/lex.l: use strtol to parse constants - -2001-04-06 Johan Danielsson - - * kuser/kinit.c: add simple support for running commands - -2001-03-26 Assar Westerlund - - * lib/hdb/hdb-ldap.c: change order of includes to allow it to work - with more versions of openldap - - * kdc/kerberos5.c (tgs_rep2): try to set sec and usec in error - replies - (*): update callers of krb5_km_error - (check_tgs_flags): handle renews requesting non-renewable tickets - - * lib/krb5/mk_error.c (krb5_mk_error): allow specifying both ctime - and cusec - - * lib/krb5/krb5.h (krb5_checksum, 
krb5_keyusage): add - compatibility names - - * lib/krb5/crypto.c (create_checksum): change so that `type == 0' - means pick from the `crypto' (context) and otherwise use that - type. this is not a large change in practice and allows callers - to specify the exact checksum algorithm to use - -2001-03-13 Assar Westerlund - - * lib/krb5/get_cred.c (get_cred_kdc): add support for falling back - to KRB5_KU_AP_REQ_AUTH when KRB5_KU_TGS_REQ_AUTH gives `bad - integrity'. this helps for talking to old (pre 0.3d) KDCs - -2001-03-12 Assar Westerlund - - * lib/krb5/crypto.c (krb5_derive_key): new function, used by - derived-key-test.c - * lib/krb5/string-to-key-test.c: add new test vectors posted by - Ken Raeburn in to - ietf-krb-wg@anl.gov - * lib/krb5/n-fold-test.c: more test vectors from same source - * lib/krb5/derived-key-test.c: more tests from same source - -2001-03-06 Assar Westerlund - - * acconfig.h: include roken_rename.h when appropriate - -2001-03-06 Assar Westerlund - - * lib/krb5/krb5.h (krb5_enctype): remove trailing comma - -2001-03-04 Assar Westerlund - - * lib/krb5/krb5.h (krb5_enctype): add ENCTYPE_* aliases for - compatibility with MIT krb5 - -2001-03-02 Assar Westerlund - - * kuser/kinit.c (main): only request a renewable ticket when - explicitly requested. 
it still gets a renewable one if the renew - life is specified - * kuser/kinit.c (renew_validate): treat -1 as flags not being set - -2001-02-28 Johan Danielsson - - * lib/krb5/context.c (krb5_init_ets): use krb5_add_et_list - -2001-02-27 Johan Danielsson - - * lib/krb5/get_cred.c: implement krb5_get_cred_from_kdc_opt - -2001-02-25 Assar Westerlund - - * configure.in: do not use -R when testing for des functions - -2001-02-14 Assar Westerlund - - * configure.in: test for lber.h when trying to link against - openldap to handle openldap v1, from Sumit Bose - - -2001-02-19 Assar Westerlund - - * lib/asn1/libasn1.h: add string.h (for memset) - -2001-02-15 Assar Westerlund - - * lib/krb5/warn.c (_warnerr): add printf attributes - * lib/krb5/send_to_kdc.c (krb5_sendto): loop over all address - returned by getaddrinfo before trying the next kdc. from - thorpej@netbsd.org - - * lib/krb5/krb5.conf.5: fix default_realm in example - - * kdc/connect.c: fix a few kdc_log format types - - * configure.in: try to handle libdes/libcrypto ont requiring -L - -2001-02-10 Assar Westerlund - - * lib/asn1/gen_decode.c (generate_type_decode): zero the data at - the beginning of the generated function, and add a label `fail' - that the code jumps to in case of errors that frees all allocated - data - -2001-02-07 Assar Westerlund - - * configure.in: aix dce: fix misquotes, from Ake Sandgren - - - * configure.in (dpagaix_LDFLAGS): try to add export file - -2001-02-05 Assar Westerlund - - * lib/krb5/krb5_keytab.3: new man page, contributed by - - - * kdc/kaserver.c: update to new db_fetch4 - -2001-02-05 Assar Westerlund - - * Release 0.3e - -2001-01-30 Assar Westerlund - - * kdc/hprop.c (v4_get_masterkey): check kdb_verify_master_key - properly - (kdb_prop): decrypt key properly - * kdc/hprop.c: handle building with KRB4 always try to decrypt v4 - data with the master key leave it up to the v5 how to encrypt with - that master key - - * kdc/kstash.c: include file name in error messages - * 
kdc/hprop.c: fix a typo and check some more return values - * lib/hdb/hdb-ldap.c (LDAP__lookup_princ): call ldap_search_s - correctly. From Jacques Vidrine - * kdc/misc.c (db_fetch): HDB_ERR_NOENTRY makes more sense than - ENOENT - - * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump version to - 15:0:0 - * lib/hdb/Makefile.am (libhdb_la_LDFLAGS): bump version to 7:0:0 - * lib/asn1/Makefile.am (libasn1_la_LDFLAGS): bump version to 4:0:2 - * kdc/misc.c (db_fetch): return an error code. change callers to - look at this and try to print it in log messages - - * lib/krb5/crypto.c (decrypt_internal_derived): check that there's - enough data - -2001-01-29 Assar Westerlund - - * kdc/hprop.c (realm_buf): move it so it becomes properly - conditional on KRB4 - - * lib/hdb/mkey.c (hdb_unseal_keys_mkey, hdb_seal_keys_mkey, - hdb_unseal_keys, hdb_seal_keys): check that we have the correct - master key and that we manage to decrypt the key properly, - returning an error code. fix all callers to check return value. - - * tools/krb5-config.in: use @LIB_des_appl@ - * tools/Makefile.am (krb5-config): add LIB_des_appl - * configure.in (LIB_des): set correctly - (LIB_des_appl): add for the use by krb5-config.in - - * lib/krb5/store_fd.c (fd_fetch, fd_store): use net_{read,write} - to make sure of not dropping data when doing it over a socket. - (this might break when used with ordinary files on win32) - - * lib/hdb/hdb_err.et (NO_MKEY): add - - * kdc/kerberos5.c (as_rep): be paranoid and check - krb5_enctype_to_string for failure, noted by - - * lib/krb5/krb5_init_context.3, lib/krb5/krb5_context.3, - lib/krb5/krb5_auth_context.3: add new man pages, contributed by - - - * use the openssl api for md4/md5/sha and handle openssl/*.h - - * kdc/kaserver.c (do_getticket): check length of ticket. 
noted by - - -2001-01-28 Assar Westerlund - - * configure.in: send -R instead of -rpath to libtool to set - runtime library paths - - * lib/krb5/Makefile.am: remove all dependencies on libkrb - -2001-01-27 Assar Westerlund - - * appl/rcp: add port of bsd rcp changed to use existing rsh, - contributed by Richard Nyberg - -2001-01-27 Johan Danielsson - - * lib/krb5/get_port.c: don't warn if the port name can't be found, - nobody cares anyway - -2001-01-26 Johan Danielsson - - * kdc/hprop.c: make it possible to convert a v4 dump file without - having any v4 libraries; the kdb backend still require them - - * kdc/v4_dump.c: include shadow definition of kdb Principal, so we - don't have to depend on any v4 libraries - - * kdc/hprop.h: include shadow definition of kdb Principal, so we - don't have to depend on any v4 libraries - - * lib/hdb/print.c: reduce number of memory allocations - - * lib/hdb/mkey.c: add support for reading krb4 /.k files - -2001-01-19 Assar Westerlund - - * lib/krb5/krb5.conf.5: document admin_server and kpasswd_server - for realms document capath better - - * lib/krb5/krbhst.c (krb5_get_krb_changepw_hst): preferably look - at kpasswd_server before admin_server - - * lib/krb5/get_cred.c (get_cred_from_kdc_flags): look in - [libdefaults]capath for better hint of realm to send request to. - this allows the client to specify `realm routing information' in - case it cannot be done at the server (which is preferred) - - * lib/krb5/rd_priv.c (krb5_rd_priv): handle no sequence number as - zero when we were expecting a sequence number. 
MIT krb5 cannot - generate a sequence number of zero, instead generating no sequence - number - * lib/krb5/rd_safe.c (krb5_rd_safe): dito - -2001-01-11 Assar Westerlund - - * kpasswd/kpasswdd.c: add --port option - -2001-01-10 Assar Westerlund - - * lib/krb5/appdefault.c (krb5_appdefault_string): fix condition - just before returning - -2001-01-09 Assar Westerlund - - * appl/kf/kfd.c (proto): use krb5_rd_cred2 instead of krb5_rd_cred - -2001-01-05 Johan Danielsson - - * kuser/kinit.c: call a time `time', and not `seconds' - - * lib/krb5/init_creds.c: not much point in setting the anonymous - flag here - - * lib/krb5/krb5_appdefault.3: document appdefault_time - -2001-01-04 Johan Danielsson - - * lib/krb5/verify_user.c: use - krb5_get_init_creds_opt_set_default_flags - - * kuser/kinit.c: use krb5_get_init_creds_opt_set_default_flags - - * lib/krb5/init_creds.c: new function - krb5_get_init_creds_opt_set_default_flags to set options from - krb5.conf - - * lib/krb5/rd_cred.c: make this match the MIT function - - * lib/krb5/appdefault.c (krb5_appdefault_string): handle NULL - def_val - (krb5_appdefault_time): new function - -2001-01-03 Assar Westerlund - - * kdc/hpropd.c (main): handle EOF when reading from stdin diff --git a/crypto/heimdal-0.6.3/ChangeLog.2002 b/crypto/heimdal-0.6.3/ChangeLog.2002 deleted file mode 100644 index 37fda2e494..0000000000 --- a/crypto/heimdal-0.6.3/ChangeLog.2002 +++ /dev/null 
@@ -1,726 +0,0 @@ -2002-12-19 Johan Danielsson - - * lib/krb5/mk_rep.c: free allocated storage; reported by Howard - Chu - -2002-12-08 Johan Danielsson - - * kdc/kdc_locl.h: remove old encrypt_v4_ticket prototype - -2002-12-02 Johan Danielsson - - * kpasswd/kpasswdd.c (doit): initialise sa_size to size of - sockaddr_storage - - * kdc/connect.c (init_socket): initialise sa_size to size of - sockaddr_storage - -2002-11-15 Johan Danielsson - - * lib/krb5/krb5.h: remove trailing comma in enum - -2002-11-07 Johan Danielsson - - * kdc/524.c: implement crude b2 style (non-)conversion for use - with afs - - * kdc/kerberos4.c: move encrypt_v4_ticket to 524.c, since that's - where it's used - -2002-10-21 Johan Danielsson - - * lib/krb5/keytab_keyfile.c: more strcspn - - * lib/krb5/store_emem.c (emem_store): limit how much we allocate - (from Olaf Kirch) - - * lib/krb5/principal.c: don't allow trailing backslashes in - components - - * kdc/connect.c: check that %-quotes are followed by two hex - digits - - * lib/krb5/keytab_any.c: properly close the open keytabs (from - Larry Greenfield) - - * kdc/kaserver.c: make sure life is positive (from John Godehn) - -2002-10-17 Johan Danielsson - - * kuser/klist.c (display_tokens): allow tokens up to size of - buffer (from Magnus Holmberg) - -2002-09-29 Johan Danielsson - - * lib/krb5/changepw.c (process_reply): fix reply length check - calculation (reported by various people) - -2002-09-24 Johan Danielsson - - * lib/krb5/keytab_file.c (fkt_remove_entry): check return value - from start_seq_get (from Wynn Wilkes) - -2002-09-19 Johan Danielsson - - * lib/krb5/context.c (krb5_set_config_files): return ENXIO instead - of ENOENT when "unconfigured" - -2002-09-16 Jacques Vidrine - - * lib/krb5/kuserok.c, lib/krb5/prompter_posix.c: use strcspn - to convert the newline to NUL in fgets results. 
- -2002-09-13 Johan Danielsson - - * kuser/kinit.1: remove unneeded Ns - - * lib/krb5/krb5_appdefault.3: remove extra "application" - - * fix-export: remove autom4ate.cache - -2002-09-10 Johan Danielsson - - * include/make_crypto.c: don't use function macros if possible - - * lib/krb5/krb5_locl.h: get limits.h for UINT_MAX - - * include/Makefile.am: use make_crypto to create crypto-headers.h - - * include/make_crypto.c: crypto header generation tool - - * configure.in: move crypto test to just after testing for krb4, - and move roken tests to after both, this speeds up various failure - cases with krb4 - - * lib/krb5/config_file.c: don't use NULL when we mean 0 - - * configure.in: we don't set package_libdir anymore, so no point - in testing for it - - * tools/Makefile.am: subst INCLUDE_des - - * tools/krb5-config.in: add INCLUDE_des to cflags - - * configure.in: use AC_CONFIG_SRCDIR - - * fix-export: remove some unneeded stuff - - * kuser/kinit.c (do_524init): free principals - -2002-09-09 Jacques Vidrine - - * kdc/kerberos5.c (get_pa_etype_info, fix_transited_encoding), - kdc/kaserver.c (krb5_ret_xdr_data), - lib/krb5/transited.c (krb5_domain_x500_decode): Validate some - counts: Check that they are non-negative, and that they are small - enough to avoid integer overflow when used in memory allocation - calculations. Potential problem areas pointed out by - Sebastian Krahmer . - - * lib/krb5/keytab_keyfile.c (akf_add_entry): Use O_EXCL when - creating a new keyfile. 
- -2002-09-09 Johan Danielsson - - * configure.in: don't try to build pam module - -2002-09-05 Johan Danielsson - - * appl/kf/kf.c: fix warning string - - * lib/krb5/log.c (krb5_vlog_msg): delay message formating till we - know we need it - -2002-09-04 Assar Westerlund - - * kdc/kerberos5.c (encode_reply): correct error logging - -2002-09-04 Johan Danielsson - - * lib/krb5/sendauth.c: close ccache if we opened it - - * appl/kf/kf.c: handle new protocol - - * appl/kf/kfd.c: use krb5_err instead of sysloging directly, - handle the new protocol, and bail out if an old client tries to - connect - - * appl/kf/kf_locl.h: we need a protocol version string - - * lib/hdb/hdb-ldap.c: use ASN1_MALLOC_ENCODE - - * kdc/kerberos5.c: use ASN1_MALLOC_ENCODE - - * kdc/hprop.c: set AP_OPTS_USE_SUBKEY - - * lib/hdb/common.c: use ASN1_MALLOC_ENCODE - - * lib/asn1/gen.c: add convenience macro that allocates a buffer - and encoded into that - - * lib/krb5/get_cred.c (init_tgs_req): use - in_creds->session.keytype literally instead of trying to convert - to a list of enctypes (it should already be an enctype) - - * lib/krb5/get_cred.c (init_tgs_req): init ret - -2002-09-03 Johan Danielsson - - * lib/asn1/k5.asn1: remove ETYPE_DES3_CBC_NONE_IVEC - - * lib/krb5/krb5.h: remove ENCTYPE_DES3_CBC_NONE_IVEC - - * lib/krb5/crypto.c: get rid of DES3_CBC_encrypt_ivec, just use - zero ivec in DES3_CBC_encrypt if passed ivec is NULL - - * lib/krb5/Makefile.am: back out 1.144, since it will re-create - krb5-protos.h at build-time, which requires perl, which is bad - - * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): don't - blindly use the local subkey - - * lib/krb5/crypto.c: add function krb5_crypto_getblocksize that - extracts the required blocksize from a crypto context - - * lib/krb5/build_auth.c: just get the length of the encoded - authenticator instead of trying to grow a buffer - -2002-09-03 Assar Westerlund - - * configure.in: add --disable-mmap option, and tests for - sys/mman.h and 
mmap - -2002-09-03 Jacques Vidrine - - * lib/krb5/changepw.c: verify lengths in response - - * lib/asn1/der_get.c (decode_integer, decode_unsigned): check for - truncated integers - -2002-09-02 Johan Danielsson - - * lib/krb5/mk_req_ext.c: generate a local subkey if - AP_OPTS_USE_SUBKEY is set - - * lib/krb5/build_auth.c: we don't have enough information about - whether to generate a local subkey here, so don't try to - - * lib/krb5/auth_context.c: new function - krb5_auth_con_generatelocalsubkey - - * lib/krb5/get_in_tkt.c: only set kdc_sec_offset if looking at an - initial ticket - - * lib/krb5/context.c (init_context_from_config_file): simplify - initialisation of srv_lookup - - * lib/krb5/changepw.c (send_request): set AP_OPTS_USE_SUBKEY - - * lib/krb5/krb5.h: add AP_OPTS_USE_SUBKEY - -2002-08-30 Assar Westerlund - - * lib/krb5/name-45-test.c: also test krb5_524_conv_principal - * lib/krb5/Makefile.am (TESTS): add name-45-test - * lib/krb5/name-45-test.c: add testcases for - krb5_425_conv_principal - -2002-08-29 Assar Westerlund - - * lib/krb5/parse-name-test.c: also test unparse_short functions - * lib/asn1/asn1_print.c: use com_err/error_message API - * lib/krb5/Makefile.am: add parse-name-test - * lib/krb5/parse-name-test.c: add a program for testing parsing - and unparsing principal names - -2002-08-28 Assar Westerlund - - * kdc/config.c: add missing ifdef DAEMON - -2002-08-28 Johan Danielsson - - * configure.in: use rk_SUNOS - - * kdc/config.c: add detach options - - * kdc/main.c: maybe detach from console? 
- - * kdc/kdc.8: markup changes - - * configure.in: AC_TEST_PACKAGE_NEW -> rk_TEST_PACKAGE - - * configure.in: use rk_TELNET, rename some other macros, and don't - add -ldes to krb4 link command - - * kuser/kinit.1: whitespace fix (from NetBSD) - - * include/bits.c: we may need unistd.h for ssize_t - -2002-08-26 Assar Westerlund - - * lib/krb5/principal.c (krb5_425_conv_principal_ext): lookup AAAA - rrs before A ones when using the resolver to verify a mapping, - also use getaddrinfo when resolver is not available - - * lib/hdb/keytab.c (find_db): const-correctness in parameters to - krb5_config_get_next - - * lib/asn1/gen.c: include in the generated files (for - memset) - -2002-08-22 Assar Westerlund - - * lib/krb5/test_get_addrs.c, lib/krb5/krbhst-test.c: make it use - getarg so that it can handle --help and --version (and thus make - check can pass) - - * lib/asn1/check-der.c: make this build again - -2002-08-22 Assar Westerlund - - * lib/asn1/der_get.c (der_get_int): handle len == 0. 
based on a - patch from Love - -2002-08-22 Johan Danielsson - - * lib/krb5/krb5.h: we seem to call KRB5KDC_ERR_KEY_EXP - KRB5KDC_ERR_KEY_EXPIRED, so define the former to the latter - - * kdc/kdc.8: add blurb about adding and removing addresses; update - kdc.conf section to match reality - - * configure.in: KRB_SENDAUTH_VLEN seems to always have existed, so - don't define it - -2002-08-21 Assar Westerlund - - * lib/asn1/asn1_print.c: print OIDs too, based on a patch from - Love - -2002-08-21 Johan Danielsson - - * kuser/kinit.c (do_v4_fallback): don't use krb_get_pw_in_tkt2 - since it might not exist, and we don't actually care about the key - -2002-08-20 Johan Danielsson - - * lib/krb5/krb5.conf.5: correct documentation for - verify_ap_req_nofail - - * lib/krb5/log.c: rename syslog_data to avoid name conflicts (from - Mattias Amnefelt) - - * kuser/klist.c (display_tokens): increase token buffer size, and - add more checks of the kernel data (from Love) - -2002-08-19 Johan Danielsson - - * fix-export: use make to parse Makefile.am instead of perl - - * configure.in: use argument-less AM_INIT_AUTOMAKE, now that it - groks AC_INIT with package name etc. 
- - * kpasswd/kpasswdd.c: include - - * lib/asn1/asn1_print.c: include com_right.h - - * lib/krb5/addr_families.c: socklen_t -> krb5_socklen_t - - * include/bits.c: define krb5_socklen_t type; this should really - go someplace else, but this was easy - - * lib/krb5/verify_krb5_conf.c: don't bail out if parsing of a file - fails, just warn about it - - * kdc/log.c (kdc_openlog): no need for a config_file parameter - - * kdc/config.c: just treat kdc.conf like any other config file - - * lib/krb5/context.c (krb5_get_default_config_files): ignore - duplicate files - -2002-08-16 Johan Danielsson - - * lib/krb5/krb5.h: turn strings into pointers, so we can assign to - them - - * lib/krb5/constants.c: turn strings into pointers, so we can - assign to them - - * lib/krb5/get_addrs.c (get_addrs_int): initialise res if - SCAN_INTERFACES is not set - - * lib/krb5/context.c: fix various borked stuff in previous commits - -2002-08-16 Jacques Vidrine - - * lib/krb5/krbhst.c (kpasswd_get_next): if we fall back to using - the `admin_server' entry for kpasswd, override the `proto' result - to be UDP. 
- -2002-08-15 Johan Danielsson - - * lib/krb5/auth_context.c: check return value of - krb5_sockaddr2address - - * lib/krb5/addr_families.c: check return value of - krb5_sockaddr2address - - * lib/krb5/context.c: get the default keytab from KRB5_KTNAME - -2002-08-14 Johan Danielsson - - * lib/krb5/verify_krb5_conf.c: allow parsing of more than one file - - * lib/krb5/context.c: allow changing config files with the - function krb5_set_config_files, there are also related functions - krb5_get_default_config_files and krb5_free_config_files; these - should work similar to their MIT counterparts - - * lib/krb5/config_file.c: allow the use of more than one config - file by using the new function krb5_config_parse_file_multi - -2002-08-12 Johan Danielsson - - * use sysconfdir instead of /etc - - * configure.in: require autoconf 2.53; rename dpagaix_LDFLAGS etc - to appease automake; force sysconfdir and localstatedir to /etc - and /var/heimdal for now - - * kdc/connect.c (addr_to_string): check return value of - sockaddr2address - -2002-08-09 Johan Danielsson - - * lib/krb5/rd_cred.c: if the remote address isn't an addrport, - don't try comparing to one; this should make old clients work with - new servers - - * lib/asn1/gen_decode.c: remove unused variable - -2002-07-31 Johan Danielsson - - * kdc/{kerberos5,524}.c: ENOENT -> HDB_ERR_NOENTRY (from Derrick - Brashear) - - * lib/krb5/principal.c: actually lower case the lower case - instance name (spotted by Derrick Brashear) - -2002-07-24 Johan Danielsson - - * fix-export: if DATEDVERSION is set, change the version to - current date - - * configure.in: don't use AC_PROG_RANLIB, and use magic foo to set - LTLIBOBJS - -2002-07-04 Johan Danielsson - - * kdc/connect.c: add some cache-control-foo to the http responses - (from Gombas Gabor) - - * lib/krb5/addr_families.c (krb5_print_address): don't copy size - if ret_len == NULL - -2002-06-28 Johan Danielsson - - * kuser/klist.c (display_tokens): don't bail out before we get - 
EDOM (signaling the end of the tokens), the kernel can also return - ENOTCONN, meaning that the index does not exist anymore (for - example if the token has expired) - -2002-06-06 Johan Danielsson - - * lib/krb5/changepw.c: make sure we return an error if there are - no changepw hosts found; from Wynn Wilkes - -2002-05-29 Johan Danielsson - - * lib/krb5/cache.c (krb5_cc_register): break out of loop when the - same type is found; spotted by Wynn Wilkes - -2002-05-28 Johan Danielsson - - * lib/krb5/keytab_file.c: check size of entry before trying to - read 32-bit kvno; also fix typo in previous - -2002-05-24 Johan Danielsson - - * include/Makefile.am: only add to INCLUDES - - * lib/45/mk_req.c: fix for storage change - - * lib/hdb/print.c: fix for storage change - -2002-05-15 Johan Danielsson - - * kdc/kerberos5.c: don't free encrypted padata until we're really - done with it - -2002-05-07 Johan Danielsson - - * kdc/kerberos5.c: when decrypting pa-data, try all keys matching - enctype - - * kuser/kinit.1: document -a - - * kuser/kinit.c: add command line switch for extra addresses - -2002-04-30 Johan Danielsson - - * configure.in: remove some duplicate tests - - * configure.in: use AC_HELP_STRING - -2002-04-29 Johan Danielsson - - * lib/krb5/crypto.c (usage2arcfour): don't abort if the usage is - unknown - -2002-04-25 Johan Danielsson - - * configure.in: use rk_DESTDIRS - -2002-04-22 Johan Danielsson - - * lib/krb5/krb5_verify_user.3: make it clear that _lrealm modifies - the principal - -2002-04-19 Johan Danielsson - - * lib/krb5/verify_init.c: fix typo in error string - -2002-04-18 Johan Danielsson - - * acconfig.h: remove some stuff that is defined elsewhere - - * lib/krb5/krb5_locl.h: include - - * lib/krb5/acl.c: rename acl_string parameter - - * lib/krb5/Makefile.am: remove __P from protos, and put parameter - names in comments - - * kuser/klist.c: better align some headers - - * kdc/kerberos4.c: storage tweaks - - * kdc/kaserver.c: storage tweaks - - * 
kdc/524.c: storage tweaks - - * lib/krb5/keytab_krb4.c: storage tweaks - - * lib/krb5/keytab_keyfile.c: storage tweaks - - * lib/krb5/keytab_file.c: storage tweaks; also try to handle zero - sized keytab files - - * lib/krb5/keytab_any.c: use KRB5_KT_END instead of KRB5_CC_END - - * lib/krb5/fcache.c: storage tweaks - - * lib/krb5/store_mem.c: make the krb5_storage opaque, and add - function wrappers for store/fetch/seek, and also make the eof-code - configurable - - * lib/krb5/store_fd.c: make the krb5_storage opaque, and add - function wrappers for store/fetch/seek, and also make the eof-code - configurable - - * lib/krb5/store_emem.c: make the krb5_storage opaque, and add - function wrappers for store/fetch/seek, and also make the eof-code - configurable - - * lib/krb5/store.c: make the krb5_storage opaque, and add function - wrappers for store/fetch/seek, and also make the eof-code - configurable - - * lib/krb5/store-int.h: make the krb5_storage opaque, and add - function wrappers for store/fetch/seek, and also make the eof-code - configurable - - * lib/krb5/krb5.h: make the krb5_storage opaque, and add function - wrappers for store/fetch/seek, and also make the eof-code - configurable - - * include/bits.c: include to get socklen_t - - * kdc/kerberos5.c (get_pa_etype_info): sort ETYPE-INFOs by - requested KDC-REQ etypes - - * kdc/hpropd.c: constify - - * kdc/hprop.c: constify - - * kdc/string2key.c: constify - - * kdc/kdc_locl.h: make port_str const - - * kdc/config.c: constify - - * lib/krb5/config_file.c: constify - - * kdc/kstash.c: constify - - * lib/krb5/verify_user.c: remove unnecessary cast - - * lib/krb5/recvauth.c: constify - - * lib/krb5/principal.c (krb5_parse_name): const qualify - - * lib/krb5/mcache.c (mcc_get_name): constify return type - - * lib/krb5/context.c (krb5_free_context): don't try to free the - ccache prefix - - * lib/krb5/cache.c (krb5_cc_register): don't make a copy of the - prefix - - * lib/krb5/krb5.h: constify some struct members 
- - * lib/krb5/log.c: constify - - * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): const - qualify - - * lib/krb5/get_in_tkt.c (krb5_init_etype): constify - - * lib/krb5/crypto.c: constify some - - * lib/krb5/config_file.c: constify - - * lib/krb5/aname_to_localname.c (krb5_aname_to_localname): - constify local variable - - * lib/krb5/addr_families.c (ipv4_sockaddr2port): constify - -2002-04-17 Johan Danielsson - - * lib/krb5/verify_krb5_conf.c: add some log checking - - * lib/krb5/log.c (krb5_addlog_dest): reorganise syslog parsing - -2002-04-16 Johan Danielsson - - * lib/krb5/crypto.c (krb5_crypto_init): check that the key size - matches the expected length - -2002-03-27 Johan Danielsson - - * lib/krb5/send_to_kdc.c: rename send parameter to send_data - - * lib/krb5/mk_error.c: rename ctime parameter to client_time - -2002-03-22 Johan Danielsson - - * kdc/kerberos5.c (find_etype): unsigned -> krb5_enctype (from - Reinoud Zandijk) - -2002-03-18 Johan Danielsson - - * lib/asn1/k5.asn1: add the GSS-API checksum type here - -2002-03-11 Assar Westerlund - - * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump version to - 18:3:1 - * lib/hdb/Makefile.am (libhdb_la_LDFLAGS): bump version to 7:5:0 - * lib/asn1/Makefile.am (libasn1_la_LDFLAGS): bump version to 6:0:0 - -2002-03-10 Assar Westerlund - - * lib/krb5/rd_cred.c: handle addresses with port numbers - - * lib/krb5/keytab_file.c, lib/krb5/keytab.c: - store the kvno % 256 as the byte and the complete 32 bit kvno after - the end of the current keytab entry - - * lib/krb5/init_creds_pw.c: - handle LR_PW_EXPTIME and LR_ACCT_EXPTIME in the same way - - * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): - handle ports giving for the remote address - - * lib/krb5/get_cred.c: - get a ticket with no addresses if no-addresses is set - - * lib/krb5/crypto.c: - rename functions DES_* to krb5_* to avoid colliding with modern - openssl - - * lib/krb5/addr_families.c: - make all functions taking 'struct sockaddr' 
actually take a socklen_t - instead of int and that acts as an in-out parameter (indicating the - maximum length of the sockaddr to be written) - - * kdc/kerberos4.c: - make the kvno's in the krb4 universe by the real one % 256, since they - cannot only be 8 bit, and the v5 ones are actually 32 bits - -2002-02-15 Johan Danielsson - - * lib/krb5/keytab_keyfile.c (akf_add_entry): don't create the file - before we need to write to it - (from Åke Sandgren) - -2002-02-14 Johan Danielsson - - * configure.in: rk_RETSIGTYPE and rk_BROKEN_REALLOC are called via - rk_ROKEN (from Gombas Gabor); find inttypes by CHECK_TYPES - directly - - * lib/krb5/rd_safe.c: actually use the correct key (from Daniel - Kouril) - -2002-02-12 Johan Danielsson - - * lib/krb5/context.c (krb5_get_err_text): protect against NULL - context - -2002-02-11 Johan Danielsson - - * admin/ktutil.c: no need to use the "modify" keytab anymore - - * lib/krb5/keytab_any.c: implement add and remove - - * lib/krb5/keytab_krb4.c: implement add and remove - - * lib/krb5/store_emem.c (emem_free): clear memory before freeing - (this should perhaps be selectable with a flag) - -2002-02-04 Johan Danielsson - - * kdc/config.c (get_dbinfo): if there are database specifications - in the config file, don't automatically try to use the default - values (from Gombas Gabor) - - * lib/krb5/log.c (krb5_closelog): don't pass pointer to pointer - (from Gombas Gabor) - -2002-01-30 Johan Danielsson - - * admin/list.c: get the default keytab from krb5.conf, and list - all parts of an ANY type keytab - - * lib/krb5/context.c: default default_keytab_modify to NULL - - * lib/krb5/keytab.c (krb5_kt_default_modify_name): if no modify - name is specified take it from the first component of the default - keytab name - -2002-01-29 Johan Danielsson - - * lib/krb5/keytab.c: compare keytab types case insensitively - -2002-01-07 Assar Westerlund - - * lib/krb5/crypto.c (create_checksum): make usage `unsigned' (it's - not really a 
krb5_key_usage). From Ben Harris - * lib/krb5/get_in_tkt.c: use krb5_enctype consistently. From Ben - Harris - * lib/krb5/crypto.c: use krb5_enctype consistently. From Ben - Harris - * kdc/kerberos5.c: use krb5_enctype consistently. From Ben Harris - diff --git a/crypto/heimdal-0.6.3/NEWS b/crypto/heimdal-0.6.3/NEWS deleted file mode 100644 index 262038b26e..0000000000 --- a/crypto/heimdal-0.6.3/NEWS +++ /dev/null 
@@ -1,625 +0,0 @@ -Changes in release 0.6.3 - - * fix vulnerabilities in ftpd - - * support for linux AFS /proc "syscalls" - - * support for RFC3244 (Windows 2000 Kerberos Change/Set Password) in - kpasswdd - - * fix possible KDC denial of service - - * bug fixes - -Changes in release 0.6.2 - - * Fix possible buffer overrun in v4 kadmin (which now defaults to off) - -Changes in release 0.6.1 - - * Fixed ARCFOUR suppport - - * Cross realm vulnerability - - * kdc: fix denial of service attack - - * kdc: stop clients from renewing tickets into the future - - * bug fixes - -Changes in release 0.6 - -* The DES3 GSS-API mechanism has been changed to inter-operate with - other GSSAPI implementations. See man page for gssapi(3) how to turn - on generation of correct MIC messages. Next major release of heimdal - will generate correct MIC by default. - -* More complete GSS-API support - -* Better AFS support: kdc (524) supports 2b; 524 in kdc and AFS - support in applications no longer requires Kerberos 4 libs - -* Kerberos 4 support in kdc defaults to turned off (includes ka and 524) - -* other bug fixes - -Changes in release 0.5.2 - - * kdc: add option for disabling v4 cross-realm (defaults to off) - - * bug fixes - -Changes in release 0.5.1 - - * kadmind: fix remote exploit - - * kadmind: add option to disable kerberos 4 - - * kdc: make sure kaserver token life is positive - - * telnet: use the session key if there is no subkey - - * fix EPSV parsing in ftp - - * other bug fixes - -Changes in release 0.5 - - * add --detach option to kdc - - * allow setting forward and forwardable option in telnet from - .telnetrc, with override from command line - - * accept addresses with or without ports in krb5_rd_cred - - * make it work with modern openssl - - * use our own string2key function even with openssl (that handles weak - keys incorrectly) - - * more system-specific requirements in login - - * do not use getlogin() to determine root in su - - * telnet: abort if telnetd does 
not support encryption - - * update autoconf to 2.53 - - * update config.guess, config.sub - - * other bug fixes - -Changes in release 0.4e - - * improve libcrypto and database autoconf tests - - * do not care about salting of server principals when serving v4 requests - - * some improvements to gssapi library - - * test for existing compile_et/libcom_err - - * portability fixes - - * bug fixes - -Changes in release 0.4d - - * fix some problems when using libcrypto from openssl - - * handle /dev/ptmx `unix98' ptys on Linux - - * add some forgotten man pages - - * rsh: clean-up and add man page - - * fix -A and -a in builtin-ls in tpd - - * fix building problem on Irix - - * make `ktutil get' more efficient - - * bug fixes - -Changes in release 0.4c - - * fix buffer overrun in telnetd - - * repair some of the v4 fallback code in kinit - - * add more shared library dependencies - - * simplify and fix hprop handling of v4 databases - - * fix some building problems (osf's sia and osfc2 login) - - * bug fixes - -Changes in release 0.4b - - * update the shared library version numbers correctly - -Changes in release 0.4a - - * corrected key used for checksum in mk_safe, unfortunately this - makes it backwards incompatible - - * update to autoconf 2.50, libtool 1.4 - - * re-write dns/config lookups (krb5_krbhst API) - - * make order of using subkeys consistent - - * add man page links - - * add more man pages - - * remove rfc2052 support, now only rfc2782 is supported - - * always build with kaserver protocol support in the KDC (assuming - KRB4 is enabled) and support for reading kaserver databases in - hprop - -Changes in release 0.3f - - * change default keytab to ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab, - the new keytab type that tries both of these in order (SRVTAB is - also an alias for krb4:) - - * improve error reporting and error handling (error messages should - be more detailed and more useful) - - * improve building with openssl - - * add kadmin -K, rcp -F - 
- * fix two incorrect weak DES keys - - * fix building of kaserver compat in KDC - - * the API is closer to what MIT krb5 is using - - * more compatible with windows 2000 - - * removed some memory leaks - - * bug fixes - -Changes in release 0.3e - - * rcp program included - - * fix buffer overrun in ftpd - - * handle omitted sequence numbers as zeroes to handle MIT krb5 that - cannot generate zero sequence numbers - - * handle v4 /.k files better - - * configure/portability fixes - - * fixes in parsing of options to kadmin (sub-)commands - - * handle errors in kadmin load better - - * bug fixes - -Changes in release 0.3d - - * add krb5-config - - * fix a bug in 3des gss-api mechanism, making it compatible with the - specification and the MIT implementation - - * make telnetd only allow a specific list of environment variables to - stop it from setting `sensitive' variables - - * try to use an existing libdes - - * lib/krb5, kdc: use correct usage type for ap-req messages. This - should improve compatability with MIT krb5 when using 3DES - encryption types - - * kdc: fix memory allocation problem - - * update config.guess and config.sub - - * lib/roken: more stuff implemented - - * bug fixes and portability enhancements - -Changes in release 0.3c - - * lib/krb5: memory caches now support the resolve operation - - * appl/login: set PATH to some sane default - - * kadmind: handle several realms - - * bug fixes (including memory leaks) - -Changes in release 0.3b - - * kdc: prefer default-salted keys on v5 requests - - * kdc: lowercase hostnames in v4 mode - - * hprop: handle more types of MIT salts - - * lib/krb5: fix memory leak - - * bug fixes - -Changes in release 0.3a: - - * implement arcfour-hmac-md5 to interoperate with W2K - - * modularise the handling of the master key, and allow for other - encryption types. This makes it easier to import a database from - some other source without having to re-encrypt all keys. 
- - * allow for better control over which encryption types are created - - * make kinit fallback to v4 if given a v4 KDC - - * make klist work better with v4 and v5, and add some more MIT - compatibility options - - * make the kdc listen on the krb524 (4444) port for compatibility - with MIT krb5 clients - - * implement more DCE/DFS support, enabled with --enable-dce, see - lib/kdfs and appl/dceutils - - * make the sequence numbers work correctly - - * bug fixes - -Changes in release 0.2t: - - * bug fixes - -Changes in release 0.2s: - - * add OpenLDAP support in hdb - - * login will get v4 tickets when it receives forwarded tickets - - * xnlock supports both v5 and v4 - - * repair source routing for telnet - - * fix building problems with krb4 (krb_mk_req) - - * bug fixes - -Changes in release 0.2r: - - * fix realloc memory corruption bug in kdc - - * `add --key' and `cpw --key' in kadmin - - * klist supports listing v4 tickets - - * update config.guess and config.sub - - * make v4 -> v5 principal name conversion more robust - - * support for anonymous tickets - - * new man-pages - - * telnetd: do not negotiate KERBEROS5 authentication if there's no keytab. 
- - * use and set expiration and not password expiration when dumping - to/from ka server databases / krb4 databases - - * make the code happier with 64-bit time_t - - * follow RFC2782 and by default do not look for non-underscore SRV names - -Changes in release 0.2q: - - * bug fix in tcp-handling in kdc - - * bug fix in expand_hostname - -Changes in release 0.2p: - - * bug fix in `kadmin load/merge' - - * bug fix in krb5_parse_address - -Changes in release 0.2o: - - * gss_{import,export}_sec_context added to libgssapi - - * new option --addresses to kdc (for listening on an explicit set of - addresses) - - * bug fixes in the krb4 and kaserver emulation part of the kdc - - * other bug fixes - -Changes in release 0.2n: - - * more robust parsing of dump files in kadmin - * changed default timestamp format for log messages to extended ISO - 8601 format (Y-M-DTH:M:S) - * changed md4/md5/sha1 APIes to be de-facto `standard' - * always make hostname into lower-case before creating principal - * small bits of more MIT-compatability - * bug fixes - -Changes in release 0.2m: - - * handle glibc's getaddrinfo() that returns several ai_canonname - - * new endian test - - * man pages fixes - -Changes in release 0.2l: - - * bug fixes - -Changes in release 0.2k: - - * better IPv6 test - - * make struct sockaddr_storage in roken work better on alphas - - * some missing [hn]to[hn]s fixed. - - * allow users to change their own passwords with kadmin (with initial - tickets) - - * fix stupid bug in parsing KDC specification - - * add `ktutil change' and `ktutil purge' - -Changes in release 0.2j: - - * builds on Irix - - * ftpd works in passive mode - - * should build on cygwin - - * work around broken IPv6-code on OpenBSD 2.6, also add configure - option --disable-ipv6 - -Changes in release 0.2i: - - * use getaddrinfo in the missing places. - - * fix SRV lookup for admin server - - * use get{addr,name}info everywhere. 
and implement it in terms of - getipnodeby{name,addr} (which uses gethostbyname{,2} and - gethostbyaddr) - -Changes in release 0.2h: - - * fix typo in kx (now compiles) - -Changes in release 0.2g: - - * lots of bug fixes: - * push works - * repair appl/test programs - * sockaddr_storage works on solaris (alignment issues) - * works better with non-roken getaddrinfo - * rsh works - * some non standard C constructs removed - -Changes in release 0.2f: - - * support SRV records for kpasswd - * look for both _kerberos and krb5-realm when doing host -> realm mapping - -Changes in release 0.2e: - - * changed copyright notices to remove `advertising'-clause. - * get{addr,name}info added to roken and used in the other code - (this makes things work much better with hosts with both v4 and v6 - addresses, among other things) - * do pre-auth for both password and key-based get_in_tkt - * support for having several databases - * new command `del_enctype' in kadmin - * strptime (and new strftime) add to roken - * more paranoia about finding libdb - * bug fixes - -Changes in release 0.2d: - - * new configuration option [libdefaults]default_etypes_des - * internal ls in ftpd builds without KRB4 - * kx/rsh/push/pop_debug tries v5 and v4 consistenly - * build bug fixes - * other bug fixes - -Changes in release 0.2c: - - * bug fixes (see ChangeLog's for details) - -Changes in release 0.2b: - - * bug fixes - * actually bump shared library versions - -Changes in release 0.2a: - - * a new program verify_krb5_conf for checking your /etc/krb5.conf - * add 3DES keys when changing password - * support null keys in database - * support multiple local realms - * implement a keytab backend for AFS KeyFile's - * implement a keytab backend for v4 srvtabs - * implement `ktutil copy' - * support password quality control in v4 kadmind - * improvements in v4 compat kadmind - * handle the case of having the correct cred in the ccache but with - the wrong encryption type better - * v6-ify the 
remaining programs. - * internal ls in ftpd - * rename strcpy_truncate/strcat_truncate to strlcpy/strlcat - * add `ank --random-password' and `cpw --random-password' in kadmin - * some programs and documentation for trying to talk to a W2K KDC - * bug fixes - -Changes in release 0.1m: - - * support for getting default from krb5.conf for kinit/kf/rsh/telnet. - From Miroslav Ruda - * v6-ify hprop and hpropd - * support numeric addresses in krb5_mk_req - * shadow support in login and su. From Miroslav Ruda - * make rsh/rshd IPv6-aware - * make the gssapi sample applications better at reporting errors - * lots of bug fixes - * handle systems with v6-aware libc and non-v6 kernels (like Linux - with glibc 2.1) better - * hide failure of ERPT in ftp - * lots of bug fixes - -Changes in release 0.1l: - - * make ftp and ftpd IPv6-aware - * add inet_pton to roken - * more IPv6-awareness - * make mini_inetd v6 aware - -Changes in release 0.1k: - - * bump shared libraries versions - * add roken version of inet_ntop - * merge more changes to rshd - -Changes in release 0.1j: - - * restore back to the `old' 3DES code. This was supposed to be done - in 0.1h and 0.1i but I did a CVS screw-up. 
- * make telnetd handle v6 connections - -Changes in release 0.1i: - - * start using `struct sockaddr_storage' which simplifies the code - (with a fallback definition if it's not defined) - * bug fixes (including in hprop and kf) - * don't use mawk which seems to mishandle roken.awk - * get_addrs should be able to handle v6 addresses on Linux (with the - required patch to the Linux kernel -- ask within) - * rshd builds with shadow passwords - -Changes in release 0.1h: - - * kf: new program for forwarding credentials - * portability fixes - * make forwarding credentials work with MIT code - * better conversion of ka database - * add etc/services.append - * correct `modified by' from kpasswdd - * lots of bug fixes - -Changes in release 0.1g: - - * kgetcred: new program for explicitly obtaining tickets - * configure fixes - * krb5-aware kx - * bug fixes - -Changes in release 0.1f; - - * experimental support for v4 kadmin protokoll in kadmind - * bug fixes - -Changes in release 0.1e: - - * try to handle old DCE and MIT kdcs - * support for older versions of credential cache files and keytabs - * postdated tickets work - * support for password quality checks in kpasswdd - * new flag --enable-kaserver for kdc - * renew fixes - * prototype su program - * updated (some) manpages - * support for KDC resource records - * should build with --without-krb4 - * bug fixes - -Changes in release 0.1d: - - * Support building with DB2 (uses 1.85-compat API) - * Support krb5-realm.DOMAIN in DNS - * new `ktutil srvcreate' - * v4/kafs support in klist/kdestroy - * bug fixes - -Changes in release 0.1c: - - * fix ASN.1 encoding of signed integers - * somewhat working `ktutil get' - * some documentation updates - * update to Autoconf 2.13 and Automake 1.4 - * the usual bug fixes - -Changes in release 0.1b: - - * some old -> new crypto conversion utils - * bug fixes - -Changes in release 0.1a: - - * new crypto code - * more bug fixes - * make sure we ask for DES keys in gssapi - * support 
signed ints in ASN1 - * IPv6-bug fixes - -Changes in release 0.0u: - - * lots of bug fixes - -Changes in release 0.0t: - - * more robust parsing of krb5.conf - * include net{read,write} in lib/roken - * bug fixes - -Changes in release 0.0s: - - * kludges for parsing options to rsh - * more robust parsing of krb5.conf - * removed some arbitrary limits - * bug fixes - -Changes in release 0.0r: - - * default options for some programs - * bug fixes - -Changes in release 0.0q: - - * support for building shared libraries with libtool - * bug fixes - -Changes in release 0.0p: - - * keytab moved to /etc/krb5.keytab - * avoid false detection of IPv6 on Linux - * Lots of more functionality in the gssapi-library - * hprop can now read ka-server databases - * bug fixes - -Changes in release 0.0o: - - * FTP with GSSAPI support. - * Bug fixes. - -Changes in release 0.0n: - - * Incremental database propagation. - * Somewhat improved kadmin ui; the stuff in admin is now removed. - * Some support for using enctypes instead of keytypes. - * Lots of other improvement and bug fixes, see ChangeLog for details. diff --git a/crypto/heimdal-0.6.3/README b/crypto/heimdal-0.6.3/README deleted file mode 100644 index f27b67f912..0000000000 --- a/crypto/heimdal-0.6.3/README +++ /dev/null @@ -1,19 +0,0 @@ -$Id: README,v 1.1 2000/07/27 02:33:54 assar Exp $ - -Heimdal is a Kerberos 5 implementation. - -Please see the manual in doc, by default installed in -/usr/heimdal/info/heimdal.info for information on how to install. -There are also briefer man pages for most of the commands. - -Bug reports and bugs are appreciated, see more under Bug reports in -the manual on how we prefer them. - -For more information see the web-page at - or the mailing lists: - -heimdal-announce@sics.se low-volume announcement -heimdal-discuss@sics.se high-volume discussion - -send a mail to heimdal-announce-request@sics.se and -heimdal-discuss-request@sics.se respectively to subscribe. 
diff --git a/crypto/heimdal-0.6.3/README.DELETED b/crypto/heimdal-0.6.3/README.DELETED
deleted file mode 100644
index 975e935d17..0000000000
--- a/crypto/heimdal-0.6.3/README.DELETED
+++ /dev/null
@@ -1,6 +0,0 @@
-Makefile.am
-Makefile.am.common
-Makefile.in
-configure
-configure.in
-appl/telnet/telnet/
diff --git a/crypto/heimdal-0.6.3/README.DRAGONFLY b/crypto/heimdal-0.6.3/README.DRAGONFLY
deleted file mode 100644
index 5f58f9bcc2..0000000000
--- a/crypto/heimdal-0.6.3/README.DRAGONFLY
+++ /dev/null
@@ -1,16 +0,0 @@
-# $DragonFly: src/crypto/heimdal-0.6.3/README.DRAGONFLY,v 1.1.1.1 2005/01/16 14:07:40 eirikn Exp $
-
-Heimdal as used by DragonFly
-
-DO NOT CREATE OR EDIT ANY FILES IN THIS DIRECTORY HIERARCHY! THIS
-HIERARCHY REPRESENTS AN EXACT COPY, MINUS UNNEEDED FILES, OF THE ORIGINAL
-ARCHIVE. All modifications are made in the DragonFly build wrapper, in
-/usr/src/kerberos5, by creating overrides or performing surgery on the
-distribution into local files. The only additional files added to this
-directory are README.DRAGONFLY and README.DELETED.
-
-Original source is availale from:
-ftp://ftp.pdc.kth.se/pub/heimdal/src/
-MD5 (/home/eirikn/src/crypto/heimdal-0.6.3.tar.gz) = 2265fd2d4573dd3a8da45ce62519e48b
-
-Removed files are listed in README.DELETED
diff --git a/crypto/heimdal-0.6.3/TODO b/crypto/heimdal-0.6.3/TODO
deleted file mode 100644
index eeb43158e1..0000000000
--- a/crypto/heimdal-0.6.3/TODO
+++ /dev/null
@@ -1,79 +0,0 @@
--*- indented-text -*-
-
-$Id: TODO,v 1.67 2003/03/20 20:00:53 lha Exp $
-
-* configure
-
-handle readline hiding in readline/readline.h
-
-* appl
-
-** appl/popper
-
-Implement RFC1731 and 1734, pop over GSS-API
-
-* doc
-
-* kdc
-
-* kadmin
-
-make it happy with reading and parsing kdc.conf
-
-is in need of a major cleanup
-
-* kpasswdd
-
-figure out what's the deal with do_sequence and the MIT client
-
-* lib
-
-** lib/asn1
-
-prepend a prefix on all generated symbols
-
-** lib/auth
-
-** lib/auth/sia
-
-PAM
-
-** lib/com_err
-
-write a man-page
-
-** lib/des
-
-make everything work with openssl and make prototypes compatible
-
-** lib/gssapi
-
-anonymous credentials not implemented
-
-add rc4
-
-** lib/hdb
-
-** lib/kadm5
-
-add policies?
-
-fix to use rpc?
-
-** lib/krb5
-
-the replay cache is, in its current state, not very useful
-
-OTP?
-
-make checksum/encryption type configuration more realm-specific. make
-some simple way of handling the w2k situtation
-
-crypto: allow scatter/gather creation of checksums
-
-verify_user: handle non-secure verification failing because of
-host->realm mapping
-
-config_file: do it in case-sensitive and/or insensitive
-
-** lib/roken
diff --git a/crypto/heimdal-0.6.3/TODO-1.0 b/crypto/heimdal-0.6.3/TODO-1.0
deleted file mode 100644
index 7e514da726..0000000000
--- a/crypto/heimdal-0.6.3/TODO-1.0
+++ /dev/null
@@ -1,10 +0,0 @@
-$Id: TODO-1.0,v 1.3 2001/09/27 16:27:30 assar Exp $
-
-- sort out hprop:ing
-- figure out hostname case sensitive issues
-- verify_user: handle non-secure verification failing because of
- host->realm mapping
-- gssapi rc4 mechanism
-- PAM?
-- kadmin: make it happy with reading and parsing kdc.conf
-- handle readline hiding in readline/readline.h
diff --git a/crypto/heimdal-0.6.3/TODO-shadow b/crypto/heimdal-0.6.3/TODO-shadow
deleted file mode 100644
index 313438d1af..0000000000
--- a/crypto/heimdal-0.6.3/TODO-shadow
+++ /dev/null
@@ -1,6 +0,0 @@
--krb5_fwd_tgt_creds() is still broken
--the 4 to 5 principal thing
--gss_acquire_cred still doesn't allow an alternate keytab
--and the db lib versus headers thing
-
-/afs/andrew.cmu.edu/usr/shadow/ka2heim.txt
diff --git a/crypto/heimdal-0.6.3/aclocal.m4 b/crypto/heimdal-0.6.3/aclocal.m4
deleted file mode 100644
index 1e2ce60528..0000000000
--- a/crypto/heimdal-0.6.3/aclocal.m4
+++ /dev/null
@@ -1,6649 +0,0 @@ -# generated automatically by aclocal 1.8.3 -*- Autoconf -*- - -# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004 -# Free Software Foundation, Inc. -# This file is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -# libtool.m4 - Configure libtool for the host system. -*-Autoconf-*- - -# serial 47 AC_PROG_LIBTOOL - - -# AC_PROVIDE_IFELSE(MACRO-NAME, IF-PROVIDED, IF-NOT-PROVIDED) -# ----------------------------------------------------------- -# If this macro is not defined by Autoconf, define it here. -m4_ifdef([AC_PROVIDE_IFELSE], - [], - [m4_define([AC_PROVIDE_IFELSE], - [m4_ifdef([AC_PROVIDE_$1], - [$2], [$3])])]) - - -# AC_PROG_LIBTOOL -# --------------- -AC_DEFUN([AC_PROG_LIBTOOL], -[AC_REQUIRE([_AC_PROG_LIBTOOL])dnl -dnl If AC_PROG_CXX has already been expanded, run AC_LIBTOOL_CXX -dnl immediately, otherwise, hook it in at the end of AC_PROG_CXX. - AC_PROVIDE_IFELSE([AC_PROG_CXX], - [AC_LIBTOOL_CXX], - [define([AC_PROG_CXX], defn([AC_PROG_CXX])[AC_LIBTOOL_CXX - ])]) -dnl And a similar setup for Fortran 77 support - AC_PROVIDE_IFELSE([AC_PROG_F77], - [AC_LIBTOOL_F77], - [define([AC_PROG_F77], defn([AC_PROG_F77])[AC_LIBTOOL_F77 -])]) - -dnl Quote A][M_PROG_GCJ so that aclocal doesn't bring it in needlessly. -dnl If either AC_PROG_GCJ or A][M_PROG_GCJ have already been expanded, run -dnl AC_LIBTOOL_GCJ immediately, otherwise, hook it in at the end of both. 
- AC_PROVIDE_IFELSE([AC_PROG_GCJ], - [AC_LIBTOOL_GCJ], - [AC_PROVIDE_IFELSE([A][M_PROG_GCJ], - [AC_LIBTOOL_GCJ], - [AC_PROVIDE_IFELSE([LT_AC_PROG_GCJ], - [AC_LIBTOOL_GCJ], - [ifdef([AC_PROG_GCJ], - [define([AC_PROG_GCJ], defn([AC_PROG_GCJ])[AC_LIBTOOL_GCJ])]) - ifdef([A][M_PROG_GCJ], - [define([A][M_PROG_GCJ], defn([A][M_PROG_GCJ])[AC_LIBTOOL_GCJ])]) - ifdef([LT_AC_PROG_GCJ], - [define([LT_AC_PROG_GCJ], - defn([LT_AC_PROG_GCJ])[AC_LIBTOOL_GCJ])])])]) -])])# AC_PROG_LIBTOOL - - -# _AC_PROG_LIBTOOL -# ---------------- -AC_DEFUN([_AC_PROG_LIBTOOL], -[AC_REQUIRE([AC_LIBTOOL_SETUP])dnl -AC_BEFORE([$0],[AC_LIBTOOL_CXX])dnl -AC_BEFORE([$0],[AC_LIBTOOL_F77])dnl -AC_BEFORE([$0],[AC_LIBTOOL_GCJ])dnl - -# This can be used to rebuild libtool when needed -LIBTOOL_DEPS="$ac_aux_dir/ltmain.sh" - -# Always use our own libtool. -LIBTOOL='$(SHELL) $(top_builddir)/libtool' -AC_SUBST(LIBTOOL)dnl - -# Prevent multiple expansion -define([AC_PROG_LIBTOOL], []) -])# _AC_PROG_LIBTOOL - - -# AC_LIBTOOL_SETUP -# ---------------- -AC_DEFUN([AC_LIBTOOL_SETUP], -[AC_PREREQ(2.50)dnl -AC_REQUIRE([AC_ENABLE_SHARED])dnl -AC_REQUIRE([AC_ENABLE_STATIC])dnl -AC_REQUIRE([AC_ENABLE_FAST_INSTALL])dnl -AC_REQUIRE([AC_CANONICAL_HOST])dnl -AC_REQUIRE([AC_CANONICAL_BUILD])dnl -AC_REQUIRE([AC_PROG_CC])dnl -AC_REQUIRE([AC_PROG_LD])dnl -AC_REQUIRE([AC_PROG_LD_RELOAD_FLAG])dnl -AC_REQUIRE([AC_PROG_NM])dnl - -AC_REQUIRE([AC_PROG_LN_S])dnl -AC_REQUIRE([AC_DEPLIBS_CHECK_METHOD])dnl -# Autoconf 2.13's AC_OBJEXT and AC_EXEEXT macros only works for C compilers! -AC_REQUIRE([AC_OBJEXT])dnl -AC_REQUIRE([AC_EXEEXT])dnl -dnl - -AC_LIBTOOL_SYS_MAX_CMD_LEN -AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE -AC_LIBTOOL_OBJDIR - -AC_REQUIRE([_LT_AC_SYS_COMPILER])dnl -_LT_AC_PROG_ECHO_BACKSLASH - -case $host_os in -aix3*) - # AIX sometimes has problems with the GCC collect2 program. For some - # reason, if we set the COLLECT_NAMES environment variable, the problems - # vanish in a puff of smoke. 
- if test "X${COLLECT_NAMES+set}" != Xset; then - COLLECT_NAMES= - export COLLECT_NAMES - fi - ;; -esac - -# Sed substitution that helps us do robust quoting. It backslashifies -# metacharacters that are still active within double-quoted strings. -Xsed='sed -e s/^X//' -[sed_quote_subst='s/\([\\"\\`$\\\\]\)/\\\1/g'] - -# Same as above, but do not quote variable references. -[double_quote_subst='s/\([\\"\\`\\\\]\)/\\\1/g'] - -# Sed substitution to delay expansion of an escaped shell variable in a -# double_quote_subst'ed string. -delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g' - -# Sed substitution to avoid accidental globbing in evaled expressions -no_glob_subst='s/\*/\\\*/g' - -# Constants: -rm="rm -f" - -# Global variables: -default_ofile=libtool -can_build_shared=yes - -# All known linkers require a `.a' archive for static linking (except M$VC, -# which needs '.lib'). -libext=a -ltmain="$ac_aux_dir/ltmain.sh" -ofile="$default_ofile" -with_gnu_ld="$lt_cv_prog_gnu_ld" - -AC_CHECK_TOOL(AR, ar, false) -AC_CHECK_TOOL(RANLIB, ranlib, :) -AC_CHECK_TOOL(STRIP, strip, :) - -old_CC="$CC" -old_CFLAGS="$CFLAGS" - -# Set sane defaults for various variables -test -z "$AR" && AR=ar -test -z "$AR_FLAGS" && AR_FLAGS=cru -test -z "$AS" && AS=as -test -z "$CC" && CC=cc -test -z "$LTCC" && LTCC=$CC -test -z "$DLLTOOL" && DLLTOOL=dlltool -test -z "$LD" && LD=ld -test -z "$LN_S" && LN_S="ln -s" -test -z "$MAGIC_CMD" && MAGIC_CMD=file -test -z "$NM" && NM=nm -test -z "$SED" && SED=sed -test -z "$OBJDUMP" && OBJDUMP=objdump -test -z "$RANLIB" && RANLIB=: -test -z "$STRIP" && STRIP=: -test -z "$ac_objext" && ac_objext=o - -# Determine commands to create old-style static archives. 
-old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs$old_deplibs' -old_postinstall_cmds='chmod 644 $oldlib' -old_postuninstall_cmds= - -if test -n "$RANLIB"; then - case $host_os in - openbsd*) - old_postinstall_cmds="\$RANLIB -t \$oldlib~$old_postinstall_cmds" - ;; - *) - old_postinstall_cmds="\$RANLIB \$oldlib~$old_postinstall_cmds" - ;; - esac - old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib" -fi - -# Only perform the check for file, if the check method requires it -case $deplibs_check_method in -file_magic*) - if test "$file_magic_cmd" = '$MAGIC_CMD'; then - AC_PATH_MAGIC - fi - ;; -esac - -AC_PROVIDE_IFELSE([AC_LIBTOOL_DLOPEN], enable_dlopen=yes, enable_dlopen=no) -AC_PROVIDE_IFELSE([AC_LIBTOOL_WIN32_DLL], -enable_win32_dll=yes, enable_win32_dll=no) - -AC_ARG_ENABLE([libtool-lock], - [AC_HELP_STRING([--disable-libtool-lock], - [avoid locking (might break parallel builds)])]) -test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes - -AC_ARG_WITH([pic], - [AC_HELP_STRING([--with-pic], - [try to use only PIC/non-PIC objects @<:@default=use both@:>@])], - [pic_mode="$withval"], - [pic_mode=default]) -test -z "$pic_mode" && pic_mode=default - -# Use C for the default configuration in the libtool script -tagname= -AC_LIBTOOL_LANG_C_CONFIG -_LT_AC_TAGCONFIG -])# AC_LIBTOOL_SETUP - - -# _LT_AC_SYS_COMPILER -# ------------------- -AC_DEFUN([_LT_AC_SYS_COMPILER], -[AC_REQUIRE([AC_PROG_CC])dnl - -# If no C compiler was specified, use CC. -LTCC=${LTCC-"$CC"} - -# Allow CC to be a program name with arguments. -compiler=$CC -])# _LT_AC_SYS_COMPILER - - -# _LT_AC_SYS_LIBPATH_AIX -# ---------------------- -# Links a minimal program and checks the executable -# for the system default hardcoded library path. In most cases, -# this is /usr/lib:/lib, but when the MPI compilers are used -# the location of the communication and MPI libs are included too. -# If we don't find anything, use the default library path according -# to the aix ld manual. 
-AC_DEFUN([_LT_AC_SYS_LIBPATH_AIX], -[AC_LINK_IFELSE(AC_LANG_PROGRAM,[ -aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; } -}'` -# Check for a 64-bit object if we didn't find anything. -if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; } -}'`; fi],[]) -if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi -])# _LT_AC_SYS_LIBPATH_AIX - - -# _LT_AC_SHELL_INIT(ARG) -# ---------------------- -AC_DEFUN([_LT_AC_SHELL_INIT], -[ifdef([AC_DIVERSION_NOTICE], - [AC_DIVERT_PUSH(AC_DIVERSION_NOTICE)], - [AC_DIVERT_PUSH(NOTICE)]) -$1 -AC_DIVERT_POP -])# _LT_AC_SHELL_INIT - - -# _LT_AC_PROG_ECHO_BACKSLASH -# -------------------------- -# Add some code to the start of the generated configure script which -# will find an echo command which doesn't interpret backslashes. -AC_DEFUN([_LT_AC_PROG_ECHO_BACKSLASH], -[_LT_AC_SHELL_INIT([ -# Check that we are running under the correct shell. -SHELL=${CONFIG_SHELL-/bin/sh} - -case X$ECHO in -X*--fallback-echo) - # Remove one level of quotation (which was required for Make). - ECHO=`echo "$ECHO" | sed 's,\\\\\[$]\\[$]0,'[$]0','` - ;; -esac - -echo=${ECHO-echo} -if test "X[$]1" = X--no-reexec; then - # Discard the --no-reexec flag, and continue. - shift -elif test "X[$]1" = X--fallback-echo; then - # Avoid inline document here, it may be left over - : -elif test "X`($echo '\t') 2>/dev/null`" = 'X\t' ; then - # Yippee, $echo works! - : -else - # Restart under the correct shell. 
- exec $SHELL "[$]0" --no-reexec ${1+"[$]@"} -fi - -if test "X[$]1" = X--fallback-echo; then - # used as fallback echo - shift - cat </dev/null && - echo_test_string="`eval $cmd`" && - (test "X$echo_test_string" = "X$echo_test_string") 2>/dev/null - then - break - fi - done -fi - -if test "X`($echo '\t') 2>/dev/null`" = 'X\t' && - echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` && - test "X$echo_testing_string" = "X$echo_test_string"; then - : -else - # The Solaris, AIX, and Digital Unix default echo programs unquote - # backslashes. This makes it impossible to quote backslashes using - # echo "$something" | sed 's/\\/\\\\/g' - # - # So, first we look for a working echo in the user's PATH. - - lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR - for dir in $PATH /usr/ucb; do - IFS="$lt_save_ifs" - if (test -f $dir/echo || test -f $dir/echo$ac_exeext) && - test "X`($dir/echo '\t') 2>/dev/null`" = 'X\t' && - echo_testing_string=`($dir/echo "$echo_test_string") 2>/dev/null` && - test "X$echo_testing_string" = "X$echo_test_string"; then - echo="$dir/echo" - break - fi - done - IFS="$lt_save_ifs" - - if test "X$echo" = Xecho; then - # We didn't find a better echo, so look for alternatives. - if test "X`(print -r '\t') 2>/dev/null`" = 'X\t' && - echo_testing_string=`(print -r "$echo_test_string") 2>/dev/null` && - test "X$echo_testing_string" = "X$echo_test_string"; then - # This shell has a builtin print -r that does the trick. - echo='print -r' - elif (test -f /bin/ksh || test -f /bin/ksh$ac_exeext) && - test "X$CONFIG_SHELL" != X/bin/ksh; then - # If we have ksh, try running configure again with it. - ORIGINAL_CONFIG_SHELL=${CONFIG_SHELL-/bin/sh} - export ORIGINAL_CONFIG_SHELL - CONFIG_SHELL=/bin/ksh - export CONFIG_SHELL - exec $CONFIG_SHELL "[$]0" --no-reexec ${1+"[$]@"} - else - # Try using printf. 
- echo='printf %s\n' - if test "X`($echo '\t') 2>/dev/null`" = 'X\t' && - echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` && - test "X$echo_testing_string" = "X$echo_test_string"; then - # Cool, printf works - : - elif echo_testing_string=`($ORIGINAL_CONFIG_SHELL "[$]0" --fallback-echo '\t') 2>/dev/null` && - test "X$echo_testing_string" = 'X\t' && - echo_testing_string=`($ORIGINAL_CONFIG_SHELL "[$]0" --fallback-echo "$echo_test_string") 2>/dev/null` && - test "X$echo_testing_string" = "X$echo_test_string"; then - CONFIG_SHELL=$ORIGINAL_CONFIG_SHELL - export CONFIG_SHELL - SHELL="$CONFIG_SHELL" - export SHELL - echo="$CONFIG_SHELL [$]0 --fallback-echo" - elif echo_testing_string=`($CONFIG_SHELL "[$]0" --fallback-echo '\t') 2>/dev/null` && - test "X$echo_testing_string" = 'X\t' && - echo_testing_string=`($CONFIG_SHELL "[$]0" --fallback-echo "$echo_test_string") 2>/dev/null` && - test "X$echo_testing_string" = "X$echo_test_string"; then - echo="$CONFIG_SHELL [$]0 --fallback-echo" - else - # maybe with a smaller string... - prev=: - - for cmd in 'echo test' 'sed 2q "[$]0"' 'sed 10q "[$]0"' 'sed 20q "[$]0"' 'sed 50q "[$]0"'; do - if (test "X$echo_test_string" = "X`eval $cmd`") 2>/dev/null - then - break - fi - prev="$cmd" - done - - if test "$prev" != 'sed 50q "[$]0"'; then - echo_test_string=`eval $prev` - export echo_test_string - exec ${ORIGINAL_CONFIG_SHELL-${CONFIG_SHELL-/bin/sh}} "[$]0" ${1+"[$]@"} - else - # Oops. We lost completely, so just stick with echo. - echo=echo - fi - fi - fi - fi -fi -fi - -# Copy echo and quote the copy suitably for passing to libtool from -# the Makefile, instead of quoting the original, which is used later. 
-ECHO=$echo -if test "X$ECHO" = "X$CONFIG_SHELL [$]0 --fallback-echo"; then - ECHO="$CONFIG_SHELL \\\$\[$]0 --fallback-echo" -fi - -AC_SUBST(ECHO) -])])# _LT_AC_PROG_ECHO_BACKSLASH - - -# _LT_AC_LOCK -# ----------- -AC_DEFUN([_LT_AC_LOCK], -[AC_ARG_ENABLE([libtool-lock], - [AC_HELP_STRING([--disable-libtool-lock], - [avoid locking (might break parallel builds)])]) -test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes - -# Some flags need to be propagated to the compiler or linker for good -# libtool support. -case $host in -ia64-*-hpux*) - # Find out which ABI we are using. - echo 'int i;' > conftest.$ac_ext - if AC_TRY_EVAL(ac_compile); then - case `/usr/bin/file conftest.$ac_objext` in - *ELF-32*) - HPUX_IA64_MODE="32" - ;; - *ELF-64*) - HPUX_IA64_MODE="64" - ;; - esac - fi - rm -rf conftest* - ;; -*-*-irix6*) - # Find out which ABI we are using. - echo '[#]line __oline__ "configure"' > conftest.$ac_ext - if AC_TRY_EVAL(ac_compile); then - if test "$lt_cv_prog_gnu_ld" = yes; then - case `/usr/bin/file conftest.$ac_objext` in - *32-bit*) - LD="${LD-ld} -melf32bsmip" - ;; - *N32*) - LD="${LD-ld} -melf32bmipn32" - ;; - *64-bit*) - LD="${LD-ld} -melf64bmip" - ;; - esac - else - case `/usr/bin/file conftest.$ac_objext` in - *32-bit*) - LD="${LD-ld} -32" - ;; - *N32*) - LD="${LD-ld} -n32" - ;; - *64-bit*) - LD="${LD-ld} -64" - ;; - esac - fi - fi - rm -rf conftest* - ;; - -x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*|s390*-*linux*|sparc*-*linux*) - # Find out which ABI we are using. 
- echo 'int i;' > conftest.$ac_ext - if AC_TRY_EVAL(ac_compile); then - case "`/usr/bin/file conftest.o`" in - *32-bit*) - case $host in - x86_64-*linux*) - LD="${LD-ld} -m elf_i386" - ;; - ppc64-*linux*|powerpc64-*linux*) - LD="${LD-ld} -m elf32ppclinux" - ;; - s390x-*linux*) - LD="${LD-ld} -m elf_s390" - ;; - sparc64-*linux*) - LD="${LD-ld} -m elf32_sparc" - ;; - esac - ;; - *64-bit*) - case $host in - x86_64-*linux*) - LD="${LD-ld} -m elf_x86_64" - ;; - ppc*-*linux*|powerpc*-*linux*) - LD="${LD-ld} -m elf64ppc" - ;; - s390*-*linux*) - LD="${LD-ld} -m elf64_s390" - ;; - sparc*-*linux*) - LD="${LD-ld} -m elf64_sparc" - ;; - esac - ;; - esac - fi - rm -rf conftest* - ;; - -*-*-sco3.2v5*) - # On SCO OpenServer 5, we need -belf to get full-featured binaries. - SAVE_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS -belf" - AC_CACHE_CHECK([whether the C compiler needs -belf], lt_cv_cc_needs_belf, - [AC_LANG_PUSH(C) - AC_TRY_LINK([],[],[lt_cv_cc_needs_belf=yes],[lt_cv_cc_needs_belf=no]) - AC_LANG_POP]) - if test x"$lt_cv_cc_needs_belf" != x"yes"; then - # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf - CFLAGS="$SAVE_CFLAGS" - fi - ;; -AC_PROVIDE_IFELSE([AC_LIBTOOL_WIN32_DLL], -[*-*-cygwin* | *-*-mingw* | *-*-pw32*) - AC_CHECK_TOOL(DLLTOOL, dlltool, false) - AC_CHECK_TOOL(AS, as, false) - AC_CHECK_TOOL(OBJDUMP, objdump, false) - ;; - ]) -esac - -need_locks="$enable_libtool_lock" - -])# _LT_AC_LOCK - - -# AC_LIBTOOL_COMPILER_OPTION(MESSAGE, VARIABLE-NAME, FLAGS, -# [OUTPUT-FILE], [ACTION-SUCCESS], [ACTION-FAILURE]) -# ---------------------------------------------------------------- -# Check whether the given compiler option works -AC_DEFUN([AC_LIBTOOL_COMPILER_OPTION], -[AC_REQUIRE([LT_AC_PROG_SED]) -AC_CACHE_CHECK([$1], [$2], - [$2=no - ifelse([$4], , [ac_outfile=conftest.$ac_objext], [ac_outfile=$4]) - printf "$lt_simple_compile_test_code" > conftest.$ac_ext - lt_compiler_flag="$3" - # Insert the option either (1) after the last *FLAGS variable, or - # (2) before a 
word containing "conftest.", or (3) at the end. - # Note that $ac_compile itself does not contain backslashes and begins - # with a dollar sign (not a hyphen), so the echo should work correctly. - # The option is referenced via a variable to avoid confusing sed. - lt_compile=`echo "$ac_compile" | $SED \ - -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ - -e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \ - -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:__oline__: $lt_compile\"" >&AS_MESSAGE_LOG_FD) - (eval "$lt_compile" 2>conftest.err) - ac_status=$? - cat conftest.err >&AS_MESSAGE_LOG_FD - echo "$as_me:__oline__: \$? = $ac_status" >&AS_MESSAGE_LOG_FD - if (exit $ac_status) && test -s "$ac_outfile"; then - # The compiler can only warn and ignore the option if not recognized - # So say no if there are warnings - if test ! -s conftest.err; then - $2=yes - fi - fi - $rm conftest* -]) - -if test x"[$]$2" = xyes; then - ifelse([$5], , :, [$5]) -else - ifelse([$6], , :, [$6]) -fi -])# AC_LIBTOOL_COMPILER_OPTION - - -# AC_LIBTOOL_LINKER_OPTION(MESSAGE, VARIABLE-NAME, FLAGS, -# [ACTION-SUCCESS], [ACTION-FAILURE]) -# ------------------------------------------------------------ -# Check whether the given compiler option works -AC_DEFUN([AC_LIBTOOL_LINKER_OPTION], -[AC_CACHE_CHECK([$1], [$2], - [$2=no - save_LDFLAGS="$LDFLAGS" - LDFLAGS="$LDFLAGS $3" - printf "$lt_simple_link_test_code" > conftest.$ac_ext - if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then - # The compiler can only warn and ignore the option if not recognized - # So say no if there are warnings - if test -s conftest.err; then - # Append any errors to the config.log. 
- cat conftest.err 1>&AS_MESSAGE_LOG_FD - else - $2=yes - fi - fi - $rm conftest* - LDFLAGS="$save_LDFLAGS" -]) - -if test x"[$]$2" = xyes; then - ifelse([$4], , :, [$4]) -else - ifelse([$5], , :, [$5]) -fi -])# AC_LIBTOOL_LINKER_OPTION - - -# AC_LIBTOOL_SYS_MAX_CMD_LEN -# -------------------------- -AC_DEFUN([AC_LIBTOOL_SYS_MAX_CMD_LEN], -[# find the maximum length of command line arguments -AC_MSG_CHECKING([the maximum length of command line arguments]) -AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl - i=0 - testring="ABCD" - - case $build_os in - msdosdjgpp*) - # On DJGPP, this test can blow up pretty badly due to problems in libc - # (any single argument exceeding 2000 bytes causes a buffer overrun - # during glob expansion). Even if it were fixed, the result of this - # check would be larger than it should be. - lt_cv_sys_max_cmd_len=12288; # 12K is about right - ;; - - gnu*) - # Under GNU Hurd, this test is not required because there is - # no limit to the length of command line arguments. - # Libtool will interpret -1 as no limit whatsoever - lt_cv_sys_max_cmd_len=-1; - ;; - - cygwin* | mingw*) - # On Win9x/ME, this test blows up -- it succeeds, but takes - # about 5 minutes as the teststring grows exponentially. - # Worse, since 9x/ME are not pre-emptively multitasking, - # you end up with a "frozen" computer, even though with patience - # the test eventually succeeds (with a max line length of 256k). - # Instead, let's just punt: use the minimum linelength reported by - # all of the supported platforms: 8192 (on NT/2K/XP). - lt_cv_sys_max_cmd_len=8192; - ;; - - amigaos*) - # On AmigaOS with pdksh, this test takes hours, literally. - # So we just punt and use a minimum line length of 8192. - lt_cv_sys_max_cmd_len=8192; - ;; - - *) - # If test is not a shell built-in, we'll probably end up computing a - # maximum length that is only half of the actual maximum length, but - # we can't tell. 
- while (test "X"`$CONFIG_SHELL [$]0 --fallback-echo "X$testring" 2>/dev/null` \ - = "XX$testring") >/dev/null 2>&1 && - new_result=`expr "X$testring" : ".*" 2>&1` && - lt_cv_sys_max_cmd_len=$new_result && - test $i != 17 # 1/2 MB should be enough - do - i=`expr $i + 1` - testring=$testring$testring - done - testring= - # Add a significant safety factor because C++ compilers can tack on massive - # amounts of additional arguments before passing them to the linker. - # It appears as though 1/2 is a usable value. - lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 2` - ;; - esac -]) -if test -n $lt_cv_sys_max_cmd_len ; then - AC_MSG_RESULT($lt_cv_sys_max_cmd_len) -else - AC_MSG_RESULT(none) -fi -])# AC_LIBTOOL_SYS_MAX_CMD_LEN - - -# _LT_AC_CHECK_DLFCN -# -------------------- -AC_DEFUN([_LT_AC_CHECK_DLFCN], -[AC_CHECK_HEADERS(dlfcn.h)dnl -])# _LT_AC_CHECK_DLFCN - - -# _LT_AC_TRY_DLOPEN_SELF (ACTION-IF-TRUE, ACTION-IF-TRUE-W-USCORE, -# ACTION-IF-FALSE, ACTION-IF-CROSS-COMPILING) -# ------------------------------------------------------------------ -AC_DEFUN([_LT_AC_TRY_DLOPEN_SELF], -[AC_REQUIRE([_LT_AC_CHECK_DLFCN])dnl -if test "$cross_compiling" = yes; then : - [$4] -else - lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 - lt_status=$lt_dlunknown - cat > conftest.$ac_ext < -#endif - -#include - -#ifdef RTLD_GLOBAL -# define LT_DLGLOBAL RTLD_GLOBAL -#else -# ifdef DL_GLOBAL -# define LT_DLGLOBAL DL_GLOBAL -# else -# define LT_DLGLOBAL 0 -# endif -#endif - -/* We may have to define LT_DLLAZY_OR_NOW in the command line if we - find out it does not work in some platform. 
*/ -#ifndef LT_DLLAZY_OR_NOW -# ifdef RTLD_LAZY -# define LT_DLLAZY_OR_NOW RTLD_LAZY -# else -# ifdef DL_LAZY -# define LT_DLLAZY_OR_NOW DL_LAZY -# else -# ifdef RTLD_NOW -# define LT_DLLAZY_OR_NOW RTLD_NOW -# else -# ifdef DL_NOW -# define LT_DLLAZY_OR_NOW DL_NOW -# else -# define LT_DLLAZY_OR_NOW 0 -# endif -# endif -# endif -# endif -#endif - -#ifdef __cplusplus -extern "C" void exit (int); -#endif - -void fnord() { int i=42;} -int main () -{ - void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW); - int status = $lt_dlunknown; - - if (self) - { - if (dlsym (self,"fnord")) status = $lt_dlno_uscore; - else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore; - /* dlclose (self); */ - } - - exit (status); -}] -EOF - if AC_TRY_EVAL(ac_link) && test -s conftest${ac_exeext} 2>/dev/null; then - (./conftest; exit; ) 2>/dev/null - lt_status=$? - case x$lt_status in - x$lt_dlno_uscore) $1 ;; - x$lt_dlneed_uscore) $2 ;; - x$lt_unknown|x*) $3 ;; - esac - else : - # compilation failed - $3 - fi -fi -rm -fr conftest* -])# _LT_AC_TRY_DLOPEN_SELF - - -# AC_LIBTOOL_DLOPEN_SELF -# ------------------- -AC_DEFUN([AC_LIBTOOL_DLOPEN_SELF], -[AC_REQUIRE([_LT_AC_CHECK_DLFCN])dnl -if test "x$enable_dlopen" != xyes; then - enable_dlopen=unknown - enable_dlopen_self=unknown - enable_dlopen_self_static=unknown -else - lt_cv_dlopen=no - lt_cv_dlopen_libs= - - case $host_os in - beos*) - lt_cv_dlopen="load_add_on" - lt_cv_dlopen_libs= - lt_cv_dlopen_self=yes - ;; - - mingw* | pw32*) - lt_cv_dlopen="LoadLibrary" - lt_cv_dlopen_libs= - ;; - - cygwin*) - lt_cv_dlopen="dlopen" - lt_cv_dlopen_libs= - ;; - - darwin*) - # if libdl is installed we need to link against it - AC_CHECK_LIB([dl], [dlopen], - [lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"],[ - lt_cv_dlopen="dyld" - lt_cv_dlopen_libs= - lt_cv_dlopen_self=yes - ]) - ;; - - *) - AC_CHECK_FUNC([shl_load], - [lt_cv_dlopen="shl_load"], - [AC_CHECK_LIB([dld], [shl_load], - [lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-dld"], - 
[AC_CHECK_FUNC([dlopen], - [lt_cv_dlopen="dlopen"], - [AC_CHECK_LIB([dl], [dlopen], - [lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"], - [AC_CHECK_LIB([svld], [dlopen], - [lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld"], - [AC_CHECK_LIB([dld], [dld_link], - [lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-dld"]) - ]) - ]) - ]) - ]) - ]) - ;; - esac - - if test "x$lt_cv_dlopen" != xno; then - enable_dlopen=yes - else - enable_dlopen=no - fi - - case $lt_cv_dlopen in - dlopen) - save_CPPFLAGS="$CPPFLAGS" - test "x$ac_cv_header_dlfcn_h" = xyes && CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H" - - save_LDFLAGS="$LDFLAGS" - eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\" - - save_LIBS="$LIBS" - LIBS="$lt_cv_dlopen_libs $LIBS" - - AC_CACHE_CHECK([whether a program can dlopen itself], - lt_cv_dlopen_self, [dnl - _LT_AC_TRY_DLOPEN_SELF( - lt_cv_dlopen_self=yes, lt_cv_dlopen_self=yes, - lt_cv_dlopen_self=no, lt_cv_dlopen_self=cross) - ]) - - if test "x$lt_cv_dlopen_self" = xyes; then - LDFLAGS="$LDFLAGS $link_static_flag" - AC_CACHE_CHECK([whether a statically linked program can dlopen itself], - lt_cv_dlopen_self_static, [dnl - _LT_AC_TRY_DLOPEN_SELF( - lt_cv_dlopen_self_static=yes, lt_cv_dlopen_self_static=yes, - lt_cv_dlopen_self_static=no, lt_cv_dlopen_self_static=cross) - ]) - fi - - CPPFLAGS="$save_CPPFLAGS" - LDFLAGS="$save_LDFLAGS" - LIBS="$save_LIBS" - ;; - esac - - case $lt_cv_dlopen_self in - yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;; - *) enable_dlopen_self=unknown ;; - esac - - case $lt_cv_dlopen_self_static in - yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;; - *) enable_dlopen_self_static=unknown ;; - esac -fi -])# AC_LIBTOOL_DLOPEN_SELF - - -# AC_LIBTOOL_PROG_CC_C_O([TAGNAME]) -# --------------------------------- -# Check to see if options -c and -o are simultaneously supported by compiler -AC_DEFUN([AC_LIBTOOL_PROG_CC_C_O], -[AC_REQUIRE([_LT_AC_SYS_COMPILER])dnl -AC_CACHE_CHECK([if $compiler supports -c -o file.$ac_objext], - 
[_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)], - [_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)=no - $rm -r conftest 2>/dev/null - mkdir conftest - cd conftest - mkdir out - printf "$lt_simple_compile_test_code" > conftest.$ac_ext - - lt_compiler_flag="-o out/conftest2.$ac_objext" - # Insert the option either (1) after the last *FLAGS variable, or - # (2) before a word containing "conftest.", or (3) at the end. - # Note that $ac_compile itself does not contain backslashes and begins - # with a dollar sign (not a hyphen), so the echo should work correctly. - lt_compile=`echo "$ac_compile" | $SED \ - -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ - -e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \ - -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:__oline__: $lt_compile\"" >&AS_MESSAGE_LOG_FD) - (eval "$lt_compile" 2>out/conftest.err) - ac_status=$? - cat out/conftest.err >&AS_MESSAGE_LOG_FD - echo "$as_me:__oline__: \$? = $ac_status" >&AS_MESSAGE_LOG_FD - if (exit $ac_status) && test -s out/conftest2.$ac_objext - then - # The compiler can only warn and ignore the option if not recognized - # So say no if there are warnings - if test ! -s out/conftest.err; then - _LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes - fi - fi - chmod u+w . - $rm conftest* - # SGI C++ compiler will create directory out/ii_files/ for - # template instantiation - test -d out/ii_files && $rm out/ii_files/* && rmdir out/ii_files - $rm out/* && rmdir out - cd .. 
- rmdir conftest - $rm conftest* -]) -])# AC_LIBTOOL_PROG_CC_C_O - - -# AC_LIBTOOL_SYS_HARD_LINK_LOCKS([TAGNAME]) -# ----------------------------------------- -# Check to see if we can do hard links to lock some files if needed -AC_DEFUN([AC_LIBTOOL_SYS_HARD_LINK_LOCKS], -[AC_REQUIRE([_LT_AC_LOCK])dnl - -hard_links="nottested" -if test "$_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)" = no && test "$need_locks" != no; then - # do not overwrite the value of need_locks provided by the user - AC_MSG_CHECKING([if we can lock with hard links]) - hard_links=yes - $rm conftest* - ln conftest.a conftest.b 2>/dev/null && hard_links=no - touch conftest.a - ln conftest.a conftest.b 2>&5 || hard_links=no - ln conftest.a conftest.b 2>/dev/null && hard_links=no - AC_MSG_RESULT([$hard_links]) - if test "$hard_links" = no; then - AC_MSG_WARN([`$CC' does not support `-c -o', so `make -j' may be unsafe]) - need_locks=warn - fi -else - need_locks=no -fi -])# AC_LIBTOOL_SYS_HARD_LINK_LOCKS - - -# AC_LIBTOOL_OBJDIR -# ----------------- -AC_DEFUN([AC_LIBTOOL_OBJDIR], -[AC_CACHE_CHECK([for objdir], [lt_cv_objdir], -[rm -f .libs 2>/dev/null -mkdir .libs 2>/dev/null -if test -d .libs; then - lt_cv_objdir=.libs -else - # MS-DOS does not allow filenames that begin with a dot. - lt_cv_objdir=_libs -fi -rmdir .libs 2>/dev/null]) -objdir=$lt_cv_objdir -])# AC_LIBTOOL_OBJDIR - - -# AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH([TAGNAME]) -# ---------------------------------------------- -# Check hardcoding attributes. -AC_DEFUN([AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH], -[AC_MSG_CHECKING([how to hardcode library paths into programs]) -_LT_AC_TAGVAR(hardcode_action, $1)= -if test -n "$_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)" || \ - test -n "$_LT_AC_TAGVAR(runpath_var $1)" || \ - test "X$_LT_AC_TAGVAR(hardcode_automatic, $1)"="Xyes" ; then - - # We can hardcode non-existant directories. 
- if test "$_LT_AC_TAGVAR(hardcode_direct, $1)" != no && - # If the only mechanism to avoid hardcoding is shlibpath_var, we - # have to relink, otherwise we might link with an installed library - # when we should be linking with a yet-to-be-installed one - ## test "$_LT_AC_TAGVAR(hardcode_shlibpath_var, $1)" != no && - test "$_LT_AC_TAGVAR(hardcode_minus_L, $1)" != no; then - # Linking always hardcodes the temporary library directory. - _LT_AC_TAGVAR(hardcode_action, $1)=relink - else - # We can link without hardcoding, and we can hardcode nonexisting dirs. - _LT_AC_TAGVAR(hardcode_action, $1)=immediate - fi -else - # We cannot hardcode anything, or else we can only hardcode existing - # directories. - _LT_AC_TAGVAR(hardcode_action, $1)=unsupported -fi -AC_MSG_RESULT([$_LT_AC_TAGVAR(hardcode_action, $1)]) - -if test "$_LT_AC_TAGVAR(hardcode_action, $1)" = relink; then - # Fast installation is not supported - enable_fast_install=no -elif test "$shlibpath_overrides_runpath" = yes || - test "$enable_shared" = no; then - # Fast installation is not necessary - enable_fast_install=needless -fi -])# AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH - - -# AC_LIBTOOL_SYS_LIB_STRIP -# ------------------------ -AC_DEFUN([AC_LIBTOOL_SYS_LIB_STRIP], -[striplib= -old_striplib= -AC_MSG_CHECKING([whether stripping libraries is possible]) -if test -n "$STRIP" && $STRIP -V 2>&1 | grep "GNU strip" >/dev/null; then - test -z "$old_striplib" && old_striplib="$STRIP --strip-debug" - test -z "$striplib" && striplib="$STRIP --strip-unneeded" - AC_MSG_RESULT([yes]) -else -# FIXME - insert some real tests, host_os isn't really good enough - case $host_os in - darwin*) - if test -n "$STRIP" ; then - striplib="$STRIP -x" - AC_MSG_RESULT([yes]) - else - AC_MSG_RESULT([no]) -fi - ;; - *) - AC_MSG_RESULT([no]) - ;; - esac -fi -])# AC_LIBTOOL_SYS_LIB_STRIP - - -# AC_LIBTOOL_SYS_DYNAMIC_LINKER -# ----------------------------- -# PORTME Fill in your ld.so characteristics 
-AC_DEFUN([AC_LIBTOOL_SYS_DYNAMIC_LINKER], -[AC_MSG_CHECKING([dynamic linker characteristics]) -library_names_spec= -libname_spec='lib$name' -soname_spec= -shrext=".so" -postinstall_cmds= -postuninstall_cmds= -finish_cmds= -finish_eval= -shlibpath_var= -shlibpath_overrides_runpath=unknown -version_type=none -dynamic_linker="$host_os ld.so" -sys_lib_dlsearch_path_spec="/lib /usr/lib" -if test "$GCC" = yes; then - sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"` - if echo "$sys_lib_search_path_spec" | grep ';' >/dev/null ; then - # if the path contains ";" then we assume it to be the separator - # otherwise default to the standard path separator (i.e. ":") - it is - # assumed that no part of a normal pathname contains ";" but that should - # okay in the real world where ";" in dirpaths is itself problematic. - sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'` - else - sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"` - fi -else - sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib" -fi -need_lib_prefix=unknown -hardcode_into_libs=no - -# when you set need_version to no, make sure it does not cause -set_version -# flags to be left without arguments -need_version=unknown - -case $host_os in -aix3*) - version_type=linux - library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a' - shlibpath_var=LIBPATH - - # AIX 3 has no versioning support, so we append a major version to the name. 
- soname_spec='${libname}${release}${shared_ext}$major' - ;; - -aix4* | aix5*) - version_type=linux - need_lib_prefix=no - need_version=no - hardcode_into_libs=yes - if test "$host_cpu" = ia64; then - # AIX 5 supports IA64 - library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}' - shlibpath_var=LD_LIBRARY_PATH - else - # With GCC up to 2.95.x, collect2 would create an import file - # for dependence libraries. The import file would start with - # the line `#! .'. This would cause the generated library to - # depend on `.', always an invalid library. This was fixed in - # development snapshots of GCC prior to 3.0. - case $host_os in - aix4 | aix4.[[01]] | aix4.[[01]].*) - if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)' - echo ' yes ' - echo '#endif'; } | ${CC} -E - | grep yes > /dev/null; then - : - else - can_build_shared=no - fi - ;; - esac - # AIX (on Power*) has no versioning support, so currently we can not hardcode correct - # soname into executable. Probably we can add versioning support to - # collect2, so additional links can be useful in future. - if test "$aix_use_runtimelinking" = yes; then - # If using run time linking (on AIX 4.2 or later) use lib.so - # instead of lib.a to let people know that these are not - # typical AIX shared libraries. - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - else - # We preserve .a as extension for shared libraries through AIX4.2 - # and later when we are not doing run time linking. - library_names_spec='${libname}${release}.a $libname.a' - soname_spec='${libname}${release}${shared_ext}$major' - fi - shlibpath_var=LIBPATH - fi - ;; - -amigaos*) - library_names_spec='$libname.ixlibrary $libname.a' - # Create ${libname}_ixlibrary.a entries in /sys/libs. 
- finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([[^/]]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done' - ;; - -beos*) - library_names_spec='${libname}${shared_ext}' - dynamic_linker="$host_os ld.so" - shlibpath_var=LIBRARY_PATH - ;; - -bsdi4*) - version_type=linux - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir' - shlibpath_var=LD_LIBRARY_PATH - sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib" - sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib" - # the default ld.so.conf also contains /usr/contrib/lib and - # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow - # libtool to hard-code these into programs - ;; - -cygwin* | mingw* | pw32*) - version_type=windows - shrext=".dll" - need_version=no - need_lib_prefix=no - - case $GCC,$host_os in - yes,cygwin* | yes,mingw* | yes,pw32*) - library_names_spec='$libname.dll.a' - # DLL is installed to $(libdir)/../bin by postinstall_cmds - postinstall_cmds='base_file=`basename \${file}`~ - dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i;echo \$dlname'\''`~ - dldir=$destdir/`dirname \$dlpath`~ - test -d \$dldir || mkdir -p \$dldir~ - $install_prog $dir/$dlname \$dldir/$dlname' - postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. 
$file; echo \$dlname'\''`~ - dlpath=$dir/\$dldll~ - $rm \$dlpath' - shlibpath_overrides_runpath=yes - - case $host_os in - cygwin*) - # Cygwin DLLs use 'cyg' prefix rather than 'lib' - soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}' - sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib" - ;; - mingw*) - # MinGW DLLs use traditional 'lib' prefix - soname_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}' - sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"` - if echo "$sys_lib_search_path_spec" | [grep ';[c-zC-Z]:/' >/dev/null]; then - # It is most probably a Windows format PATH printed by - # mingw gcc, but we are running on Cygwin. Gcc prints its search - # path with ; separators, and with drive letters. We can handle the - # drive letters (cygwin fileutils understands them), so leave them, - # especially as we might pass files found there to a mingw objdump, - # which wouldn't understand a cygwinified path. Ahh. - sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'` - else - sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"` - fi - ;; - pw32*) - # pw32 DLLs use 'pw' prefix rather than 'lib' - library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}' - ;; - esac - ;; - - *) - library_names_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext} $libname.lib' - ;; - esac - dynamic_linker='Win32 ld.exe' - # FIXME: first we should search . 
and the directory the executable is in - shlibpath_var=PATH - ;; - -darwin* | rhapsody*) - dynamic_linker="$host_os dyld" - version_type=darwin - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext' - soname_spec='${libname}${release}${major}$shared_ext' - shlibpath_overrides_runpath=yes - shlibpath_var=DYLD_LIBRARY_PATH - shrext='$(test .$module = .yes && echo .so || echo .dylib)' - # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same. - if test "$GCC" = yes; then - sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"` - else - sys_lib_search_path_spec='/lib /usr/lib /usr/local/lib' - fi - sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib' - ;; - -dgux*) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - ;; - -freebsd1*) - dynamic_linker=no - ;; - -kfreebsd*-gnu) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=no - hardcode_into_libs=yes - dynamic_linker='GNU ld.so' - ;; - -freebsd*) - objformat=`test -x /usr/bin/objformat && /usr/bin/objformat || echo aout` - version_type=freebsd-$objformat - case $version_type in - freebsd-elf*) - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} 
$libname${shared_ext}' - need_version=no - need_lib_prefix=no - ;; - freebsd-*) - library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix' - need_version=yes - ;; - esac - shlibpath_var=LD_LIBRARY_PATH - case $host_os in - freebsd2*) - shlibpath_overrides_runpath=yes - ;; - freebsd3.[01]* | freebsdelf3.[01]*) - shlibpath_overrides_runpath=yes - hardcode_into_libs=yes - ;; - *) # from 3.2 on - shlibpath_overrides_runpath=no - hardcode_into_libs=yes - ;; - esac - ;; - -gnu*) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - hardcode_into_libs=yes - ;; - -hpux9* | hpux10* | hpux11*) - # Give a soname corresponding to the major version so that dld.sl refuses to - # link against other versions. - version_type=sunos - need_lib_prefix=no - need_version=no - case "$host_cpu" in - ia64*) - shrext='.so' - hardcode_into_libs=yes - dynamic_linker="$host_os dld.so" - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - if test "X$HPUX_IA64_MODE" = X32; then - sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib" - else - sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64" - fi - sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec - ;; - hppa*64*) - shrext='.sl' - hardcode_into_libs=yes - dynamic_linker="$host_os dld.sl" - shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH - shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. 
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64" - sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec - ;; - *) - shrext='.sl' - dynamic_linker="$host_os dld.sl" - shlibpath_var=SHLIB_PATH - shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - ;; - esac - # HP-UX runs *really* slowly unless shared libraries are mode 555. - postinstall_cmds='chmod 555 $lib' - ;; - -irix5* | irix6* | nonstopux*) - case $host_os in - nonstopux*) version_type=nonstopux ;; - *) - if test "$lt_cv_prog_gnu_ld" = yes; then - version_type=linux - else - version_type=irix - fi ;; - esac - need_lib_prefix=no - need_version=no - soname_spec='${libname}${release}${shared_ext}$major' - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}' - case $host_os in - irix5* | nonstopux*) - libsuff= shlibsuff= - ;; - *) - case $LD in # libtool.m4 will add one of these switches to LD - *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ") - libsuff= shlibsuff= libmagic=32-bit;; - *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ") - libsuff=32 shlibsuff=N32 libmagic=N32;; - *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ") - libsuff=64 shlibsuff=64 libmagic=64-bit;; - *) libsuff= shlibsuff= libmagic=never-match;; - esac - ;; - esac - shlibpath_var=LD_LIBRARY${shlibsuff}_PATH - shlibpath_overrides_runpath=no - sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}" - sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}" - hardcode_into_libs=yes - ;; - -# No shared lib support for 
Linux oldld, aout, or coff. -linux*oldld* | linux*aout* | linux*coff*) - dynamic_linker=no - ;; - -# This must be Linux ELF. -linux*) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=no - # This implies no fast_install, which is unacceptable. - # Some rework will be needed to allow for fast_install - # before this can be enabled. - hardcode_into_libs=yes - - # Append ld.so.conf contents to the search path - if test -f /etc/ld.so.conf; then - ld_extra=`$SED -e 's/[:,\t]/ /g;s/=[^=]*$//;s/=[^= ]* / /g' /etc/ld.so.conf` - sys_lib_dlsearch_path_spec="/lib /usr/lib $ld_extra" - fi - - # We used to test for /lib/ld.so.1 and disable shared libraries on - # powerpc, because MkLinux only supported shared libraries with the - # GNU dynamic linker. Since this was broken with cross compilers, - # most powerpc-linux boxes support dynamic linking these days and - # people can always --disable-shared, the test was removed, and we - # assume the GNU/Linux dynamic linker is in use. 
- dynamic_linker='GNU/Linux ld.so' - ;; - -knetbsd*-gnu) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=no - hardcode_into_libs=yes - dynamic_linker='GNU ld.so' - ;; - -netbsd*) - version_type=sunos - need_lib_prefix=no - need_version=no - if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix' - finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir' - dynamic_linker='NetBSD (a.out) ld.so' - else - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - dynamic_linker='NetBSD ld.elf_so' - fi - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes - hardcode_into_libs=yes - ;; - -newsos6) - version_type=linux - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes - ;; - -nto-qnx*) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes - ;; - -openbsd*) - version_type=sunos - need_lib_prefix=no - need_version=yes - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix' - finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir' - shlibpath_var=LD_LIBRARY_PATH - if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" 
= "openbsd2.8-powerpc"; then - case $host_os in - openbsd2.[[89]] | openbsd2.[[89]].*) - shlibpath_overrides_runpath=no - ;; - *) - shlibpath_overrides_runpath=yes - ;; - esac - else - shlibpath_overrides_runpath=yes - fi - ;; - -os2*) - libname_spec='$name' - shrext=".dll" - need_lib_prefix=no - library_names_spec='$libname${shared_ext} $libname.a' - dynamic_linker='OS/2 ld.exe' - shlibpath_var=LIBPATH - ;; - -osf3* | osf4* | osf5*) - version_type=osf - need_lib_prefix=no - need_version=no - soname_spec='${libname}${release}${shared_ext}$major' - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - shlibpath_var=LD_LIBRARY_PATH - sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib" - sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec" - ;; - -sco3.2v5*) - version_type=osf - soname_spec='${libname}${release}${shared_ext}$major' - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - shlibpath_var=LD_LIBRARY_PATH - ;; - -solaris*) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes - hardcode_into_libs=yes - # ldd complains unless libraries are executable - postinstall_cmds='chmod +x $lib' - ;; - -sunos4*) - version_type=sunos - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix' - finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes - if test "$with_gnu_ld" = yes; then - need_lib_prefix=no - fi - need_version=yes - ;; - -sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*) - version_type=linux - 
library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - case $host_vendor in - sni) - shlibpath_overrides_runpath=no - need_lib_prefix=no - export_dynamic_flag_spec='${wl}-Blargedynsym' - runpath_var=LD_RUN_PATH - ;; - siemens) - need_lib_prefix=no - ;; - motorola) - need_lib_prefix=no - need_version=no - shlibpath_overrides_runpath=no - sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib' - ;; - esac - ;; - -sysv4*MP*) - if test -d /usr/nec ;then - version_type=linux - library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}' - soname_spec='$libname${shared_ext}.$major' - shlibpath_var=LD_LIBRARY_PATH - fi - ;; - -uts4*) - version_type=linux - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - ;; - -*) - dynamic_linker=no - ;; -esac -AC_MSG_RESULT([$dynamic_linker]) -test "$dynamic_linker" = no && can_build_shared=no -])# AC_LIBTOOL_SYS_DYNAMIC_LINKER - - -# _LT_AC_TAGCONFIG -# ---------------- -AC_DEFUN([_LT_AC_TAGCONFIG], -[AC_ARG_WITH([tags], - [AC_HELP_STRING([--with-tags@<:@=TAGS@:>@], - [include additional configurations @<:@automatic@:>@])], - [tagnames="$withval"]) - -if test -f "$ltmain" && test -n "$tagnames"; then - if test ! -f "${ofile}"; then - AC_MSG_WARN([output file `$ofile' does not exist]) - fi - - if test -z "$LTCC"; then - eval "`$SHELL ${ofile} --config | grep '^LTCC='`" - if test -z "$LTCC"; then - AC_MSG_WARN([output file `$ofile' does not look like a libtool script]) - else - AC_MSG_WARN([using `LTCC=$LTCC', extracted from `$ofile']) - fi - fi - - # Extract list of available tagged configurations in $ofile. - # Note that this assumes the entire list is on one line. 
- available_tags=`grep "^available_tags=" "${ofile}" | $SED -e 's/available_tags=\(.*$\)/\1/' -e 's/\"//g'` - - lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR," - for tagname in $tagnames; do - IFS="$lt_save_ifs" - # Check whether tagname contains only valid characters - case `$echo "X$tagname" | $Xsed -e 's:[[-_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890,/]]::g'` in - "") ;; - *) AC_MSG_ERROR([invalid tag name: $tagname]) - ;; - esac - - if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$" < "${ofile}" > /dev/null - then - AC_MSG_ERROR([tag name \"$tagname\" already exists]) - fi - - # Update the list of available tags. - if test -n "$tagname"; then - echo appending configuration tag \"$tagname\" to $ofile - - case $tagname in - CXX) - if test -n "$CXX" && test "X$CXX" != "Xno"; then - AC_LIBTOOL_LANG_CXX_CONFIG - else - tagname="" - fi - ;; - - F77) - if test -n "$F77" && test "X$F77" != "Xno"; then - AC_LIBTOOL_LANG_F77_CONFIG - else - tagname="" - fi - ;; - - GCJ) - if test -n "$GCJ" && test "X$GCJ" != "Xno"; then - AC_LIBTOOL_LANG_GCJ_CONFIG - else - tagname="" - fi - ;; - - RC) - AC_LIBTOOL_LANG_RC_CONFIG - ;; - - *) - AC_MSG_ERROR([Unsupported tag name: $tagname]) - ;; - esac - - # Append the new tag name to the list of available tags. - if test -n "$tagname" ; then - available_tags="$available_tags $tagname" - fi - fi - done - IFS="$lt_save_ifs" - - # Now substitute the updated list of available tags. 
- if eval "sed -e 's/^available_tags=.*\$/available_tags=\"$available_tags\"/' \"$ofile\" > \"${ofile}T\""; then - mv "${ofile}T" "$ofile" - chmod +x "$ofile" - else - rm -f "${ofile}T" - AC_MSG_ERROR([unable to update list of available tagged configurations.]) - fi -fi -])# _LT_AC_TAGCONFIG - - -# AC_LIBTOOL_DLOPEN -# ----------------- -# enable checks for dlopen support -AC_DEFUN([AC_LIBTOOL_DLOPEN], - [AC_BEFORE([$0],[AC_LIBTOOL_SETUP]) -])# AC_LIBTOOL_DLOPEN - - -# AC_LIBTOOL_WIN32_DLL -# -------------------- -# declare package support for building win32 dll's -AC_DEFUN([AC_LIBTOOL_WIN32_DLL], -[AC_BEFORE([$0], [AC_LIBTOOL_SETUP]) -])# AC_LIBTOOL_WIN32_DLL - - -# AC_ENABLE_SHARED([DEFAULT]) -# --------------------------- -# implement the --enable-shared flag -# DEFAULT is either `yes' or `no'. If omitted, it defaults to `yes'. -AC_DEFUN([AC_ENABLE_SHARED], -[define([AC_ENABLE_SHARED_DEFAULT], ifelse($1, no, no, yes))dnl -AC_ARG_ENABLE([shared], - [AC_HELP_STRING([--enable-shared@<:@=PKGS@:>@], - [build shared libraries @<:@default=]AC_ENABLE_SHARED_DEFAULT[@:>@])], - [p=${PACKAGE-default} - case $enableval in - yes) enable_shared=yes ;; - no) enable_shared=no ;; - *) - enable_shared=no - # Look at the argument we got. We use all the common list separators. - lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR," - for pkg in $enableval; do - IFS="$lt_save_ifs" - if test "X$pkg" = "X$p"; then - enable_shared=yes - fi - done - IFS="$lt_save_ifs" - ;; - esac], - [enable_shared=]AC_ENABLE_SHARED_DEFAULT) -])# AC_ENABLE_SHARED - - -# AC_DISABLE_SHARED -# ----------------- -#- set the default shared flag to --disable-shared -AC_DEFUN([AC_DISABLE_SHARED], -[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl -AC_ENABLE_SHARED(no) -])# AC_DISABLE_SHARED - - -# AC_ENABLE_STATIC([DEFAULT]) -# --------------------------- -# implement the --enable-static flag -# DEFAULT is either `yes' or `no'. If omitted, it defaults to `yes'. 
-AC_DEFUN([AC_ENABLE_STATIC], -[define([AC_ENABLE_STATIC_DEFAULT], ifelse($1, no, no, yes))dnl -AC_ARG_ENABLE([static], - [AC_HELP_STRING([--enable-static@<:@=PKGS@:>@], - [build static libraries @<:@default=]AC_ENABLE_STATIC_DEFAULT[@:>@])], - [p=${PACKAGE-default} - case $enableval in - yes) enable_static=yes ;; - no) enable_static=no ;; - *) - enable_static=no - # Look at the argument we got. We use all the common list separators. - lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR," - for pkg in $enableval; do - IFS="$lt_save_ifs" - if test "X$pkg" = "X$p"; then - enable_static=yes - fi - done - IFS="$lt_save_ifs" - ;; - esac], - [enable_static=]AC_ENABLE_STATIC_DEFAULT) -])# AC_ENABLE_STATIC - - -# AC_DISABLE_STATIC -# ----------------- -# set the default static flag to --disable-static -AC_DEFUN([AC_DISABLE_STATIC], -[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl -AC_ENABLE_STATIC(no) -])# AC_DISABLE_STATIC - - -# AC_ENABLE_FAST_INSTALL([DEFAULT]) -# --------------------------------- -# implement the --enable-fast-install flag -# DEFAULT is either `yes' or `no'. If omitted, it defaults to `yes'. -AC_DEFUN([AC_ENABLE_FAST_INSTALL], -[define([AC_ENABLE_FAST_INSTALL_DEFAULT], ifelse($1, no, no, yes))dnl -AC_ARG_ENABLE([fast-install], - [AC_HELP_STRING([--enable-fast-install@<:@=PKGS@:>@], - [optimize for fast installation @<:@default=]AC_ENABLE_FAST_INSTALL_DEFAULT[@:>@])], - [p=${PACKAGE-default} - case $enableval in - yes) enable_fast_install=yes ;; - no) enable_fast_install=no ;; - *) - enable_fast_install=no - # Look at the argument we got. We use all the common list separators. 
- lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR," - for pkg in $enableval; do - IFS="$lt_save_ifs" - if test "X$pkg" = "X$p"; then - enable_fast_install=yes - fi - done - IFS="$lt_save_ifs" - ;; - esac], - [enable_fast_install=]AC_ENABLE_FAST_INSTALL_DEFAULT) -])# AC_ENABLE_FAST_INSTALL - - -# AC_DISABLE_FAST_INSTALL -# ----------------------- -# set the default to --disable-fast-install -AC_DEFUN([AC_DISABLE_FAST_INSTALL], -[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl -AC_ENABLE_FAST_INSTALL(no) -])# AC_DISABLE_FAST_INSTALL - - -# AC_LIBTOOL_PICMODE([MODE]) -# -------------------------- -# implement the --with-pic flag -# MODE is either `yes' or `no'. If omitted, it defaults to `both'. -AC_DEFUN([AC_LIBTOOL_PICMODE], -[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl -pic_mode=ifelse($#,1,$1,default) -])# AC_LIBTOOL_PICMODE - - -# AC_PROG_EGREP -# ------------- -# This is predefined starting with Autoconf 2.54, so this conditional -# definition can be removed once we require Autoconf 2.54 or later. -m4_ifndef([AC_PROG_EGREP], [AC_DEFUN([AC_PROG_EGREP], -[AC_CACHE_CHECK([for egrep], [ac_cv_prog_egrep], - [if echo a | (grep -E '(a|b)') >/dev/null 2>&1 - then ac_cv_prog_egrep='grep -E' - else ac_cv_prog_egrep='egrep' - fi]) - EGREP=$ac_cv_prog_egrep - AC_SUBST([EGREP]) -])]) - - -# AC_PATH_TOOL_PREFIX -# ------------------- -# find a file program which can recognise shared library -AC_DEFUN([AC_PATH_TOOL_PREFIX], -[AC_REQUIRE([AC_PROG_EGREP])dnl -AC_MSG_CHECKING([for $1]) -AC_CACHE_VAL(lt_cv_path_MAGIC_CMD, -[case $MAGIC_CMD in -[[\\/*] | ?:[\\/]*]) - lt_cv_path_MAGIC_CMD="$MAGIC_CMD" # Let the user override the test with a path. - ;; -*) - lt_save_MAGIC_CMD="$MAGIC_CMD" - lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR -dnl $ac_dummy forces splitting on constant user-supplied paths. -dnl POSIX.2 word splitting is done only on the output of word expansions, -dnl not every word. This closes a longstanding sh security hole. 
- ac_dummy="ifelse([$2], , $PATH, [$2])" - for ac_dir in $ac_dummy; do - IFS="$lt_save_ifs" - test -z "$ac_dir" && ac_dir=. - if test -f $ac_dir/$1; then - lt_cv_path_MAGIC_CMD="$ac_dir/$1" - if test -n "$file_magic_test_file"; then - case $deplibs_check_method in - "file_magic "*) - file_magic_regex="`expr \"$deplibs_check_method\" : \"file_magic \(.*\)\"`" - MAGIC_CMD="$lt_cv_path_MAGIC_CMD" - if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null | - $EGREP "$file_magic_regex" > /dev/null; then - : - else - cat <&2 - -*** Warning: the command libtool uses to detect shared libraries, -*** $file_magic_cmd, produces output that libtool cannot recognize. -*** The result is that libtool may fail to recognize shared libraries -*** as such. This will affect the creation of libtool libraries that -*** depend on shared libraries, but programs linked with such libtool -*** libraries will work regardless of this problem. Nevertheless, you -*** may want to report the problem to your system manager and/or to -*** bug-libtool@gnu.org - -EOF - fi ;; - esac - fi - break - fi - done - IFS="$lt_save_ifs" - MAGIC_CMD="$lt_save_MAGIC_CMD" - ;; -esac]) -MAGIC_CMD="$lt_cv_path_MAGIC_CMD" -if test -n "$MAGIC_CMD"; then - AC_MSG_RESULT($MAGIC_CMD) -else - AC_MSG_RESULT(no) -fi -])# AC_PATH_TOOL_PREFIX - - -# AC_PATH_MAGIC -# ------------- -# find a file program which can recognise a shared library -AC_DEFUN([AC_PATH_MAGIC], -[AC_PATH_TOOL_PREFIX(${ac_tool_prefix}file, /usr/bin$PATH_SEPARATOR$PATH) -if test -z "$lt_cv_path_MAGIC_CMD"; then - if test -n "$ac_tool_prefix"; then - AC_PATH_TOOL_PREFIX(file, /usr/bin$PATH_SEPARATOR$PATH) - else - MAGIC_CMD=: - fi -fi -])# AC_PATH_MAGIC - - -# AC_PROG_LD -# ---------- -# find the pathname to the GNU or non-GNU linker -AC_DEFUN([AC_PROG_LD], -[AC_ARG_WITH([gnu-ld], - [AC_HELP_STRING([--with-gnu-ld], - [assume the C compiler uses GNU ld @<:@default=no@:>@])], - [test "$withval" = no || with_gnu_ld=yes], - [with_gnu_ld=no]) 
-AC_REQUIRE([LT_AC_PROG_SED])dnl -AC_REQUIRE([AC_PROG_CC])dnl -AC_REQUIRE([AC_CANONICAL_HOST])dnl -AC_REQUIRE([AC_CANONICAL_BUILD])dnl -ac_prog=ld -if test "$GCC" = yes; then - # Check if gcc -print-prog-name=ld gives a path. - AC_MSG_CHECKING([for ld used by $CC]) - case $host in - *-*-mingw*) - # gcc leaves a trailing carriage return which upsets mingw - ac_prog=`($CC -print-prog-name=ld) 2>&5 | tr -d '\015'` ;; - *) - ac_prog=`($CC -print-prog-name=ld) 2>&5` ;; - esac - case $ac_prog in - # Accept absolute paths. - [[\\/]]* | ?:[[\\/]]*) - re_direlt='/[[^/]][[^/]]*/\.\./' - # Canonicalize the pathname of ld - ac_prog=`echo $ac_prog| $SED 's%\\\\%/%g'` - while echo $ac_prog | grep "$re_direlt" > /dev/null 2>&1; do - ac_prog=`echo $ac_prog| $SED "s%$re_direlt%/%"` - done - test -z "$LD" && LD="$ac_prog" - ;; - "") - # If it fails, then pretend we aren't using GCC. - ac_prog=ld - ;; - *) - # If it is relative, then search for the first ld in PATH. - with_gnu_ld=unknown - ;; - esac -elif test "$with_gnu_ld" = yes; then - AC_MSG_CHECKING([for GNU ld]) -else - AC_MSG_CHECKING([for non-GNU ld]) -fi -AC_CACHE_VAL(lt_cv_path_LD, -[if test -z "$LD"; then - lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR - for ac_dir in $PATH; do - IFS="$lt_save_ifs" - test -z "$ac_dir" && ac_dir=. - if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then - lt_cv_path_LD="$ac_dir/$ac_prog" - # Check to see if the program is GNU ld. I'd rather use --version, - # but apparently some GNU ld's only accept -v. - # Break only if it was the GNU/non-GNU ld that we prefer. - case `"$lt_cv_path_LD" -v 2>&1 &1 /dev/null; then - case $host_cpu in - i*86 ) - # Not sure whether the presence of OpenBSD here was a mistake. - # Let's accept both of them until this is cleared up. 
- lt_cv_deplibs_check_method='file_magic (FreeBSD|OpenBSD)/i[[3-9]]86 (compact )?demand paged shared library' - lt_cv_file_magic_cmd=/usr/bin/file - lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*` - ;; - esac - else - lt_cv_deplibs_check_method=pass_all - fi - ;; - -gnu*) - lt_cv_deplibs_check_method=pass_all - ;; - -hpux10.20* | hpux11*) - lt_cv_file_magic_cmd=/usr/bin/file - case "$host_cpu" in - ia64*) - lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|ELF-[[0-9]][[0-9]]) shared object file - IA64' - lt_cv_file_magic_test_file=/usr/lib/hpux32/libc.so - ;; - hppa*64*) - [lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF-[0-9][0-9]) shared object file - PA-RISC [0-9].[0-9]'] - lt_cv_file_magic_test_file=/usr/lib/pa20_64/libc.sl - ;; - *) - lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|PA-RISC[[0-9]].[[0-9]]) shared library' - lt_cv_file_magic_test_file=/usr/lib/libc.sl - ;; - esac - ;; - -irix5* | irix6* | nonstopux*) - case $LD in - *-32|*"-32 ") libmagic=32-bit;; - *-n32|*"-n32 ") libmagic=N32;; - *-64|*"-64 ") libmagic=64-bit;; - *) libmagic=never-match;; - esac - lt_cv_deplibs_check_method=pass_all - ;; - -# This must be Linux ELF. 
-linux*) - case $host_cpu in - alpha*|hppa*|i*86|ia64*|m68*|mips*|powerpc*|sparc*|s390*|sh*) - lt_cv_deplibs_check_method=pass_all ;; - *) - # glibc up to 2.1.1 does not perform some relocations on ARM - # this will be overridden with pass_all, but let us keep it just in case - lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB (shared object|dynamic lib )' ;; - esac - lt_cv_file_magic_test_file=`echo /lib/libc.so* /lib/libc-*.so` - lt_cv_deplibs_check_method=pass_all - ;; - -netbsd*) - if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then - lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$' - else - lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so|_pic\.a)$' - fi - ;; - -newos6*) - lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (executable|dynamic lib)' - lt_cv_file_magic_cmd=/usr/bin/file - lt_cv_file_magic_test_file=/usr/lib/libnls.so - ;; - -nto-qnx*) - lt_cv_deplibs_check_method=unknown - ;; - -openbsd*) - lt_cv_file_magic_cmd=/usr/bin/file - lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*` - if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then - lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB shared object' - else - lt_cv_deplibs_check_method='file_magic OpenBSD.* shared library' - fi - ;; - -osf3* | osf4* | osf5*) - lt_cv_deplibs_check_method=pass_all - ;; - -sco3.2v5*) - lt_cv_deplibs_check_method=pass_all - ;; - -solaris*) - lt_cv_deplibs_check_method=pass_all - ;; - -sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*) - case $host_vendor in - motorola) - lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (shared object|dynamic lib) M[[0-9]][[0-9]]* Version [[0-9]]' - lt_cv_file_magic_test_file=`echo /usr/lib/libc.so*` - ;; - ncr) - lt_cv_deplibs_check_method=pass_all - ;; - sequent) - lt_cv_file_magic_cmd='/bin/file' - lt_cv_deplibs_check_method='file_magic ELF 
[[0-9]][[0-9]]*-bit [[LM]]SB (shared object|dynamic lib )' - ;; - sni) - lt_cv_file_magic_cmd='/bin/file' - lt_cv_deplibs_check_method="file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB dynamic lib" - lt_cv_file_magic_test_file=/lib/libc.so - ;; - siemens) - lt_cv_deplibs_check_method=pass_all - ;; - esac - ;; - -sysv5OpenUNIX8* | sysv5UnixWare7* | sysv5uw[[78]]* | unixware7* | sysv4*uw2*) - lt_cv_deplibs_check_method=pass_all - ;; -esac -]) -file_magic_cmd=$lt_cv_file_magic_cmd -deplibs_check_method=$lt_cv_deplibs_check_method -test -z "$deplibs_check_method" && deplibs_check_method=unknown -])# AC_DEPLIBS_CHECK_METHOD - - -# AC_PROG_NM -# ---------- -# find the pathname to a BSD-compatible name lister -AC_DEFUN([AC_PROG_NM], -[AC_CACHE_CHECK([for BSD-compatible nm], lt_cv_path_NM, -[if test -n "$NM"; then - # Let the user override the test. - lt_cv_path_NM="$NM" -else - lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR - for ac_dir in $PATH /usr/ccs/bin /usr/ucb /bin; do - IFS="$lt_save_ifs" - test -z "$ac_dir" && ac_dir=. - tmp_nm="$ac_dir/${ac_tool_prefix}nm" - if test -f "$tmp_nm" || test -f "$tmp_nm$ac_exeext" ; then - # Check to see if the nm accepts a BSD-compat flag. 
- # Adding the `sed 1q' prevents false positives on HP-UX, which says: - # nm: unknown option "B" ignored - # Tru64's nm complains that /dev/null is an invalid object file - case `"$tmp_nm" -B /dev/null 2>&1 | sed '1q'` in - */dev/null* | *'Invalid file or object type'*) - lt_cv_path_NM="$tmp_nm -B" - break - ;; - *) - case `"$tmp_nm" -p /dev/null 2>&1 | sed '1q'` in - */dev/null*) - lt_cv_path_NM="$tmp_nm -p" - break - ;; - *) - lt_cv_path_NM=${lt_cv_path_NM="$tmp_nm"} # keep the first match, but - continue # so that we can try to find one that supports BSD flags - ;; - esac - esac - fi - done - IFS="$lt_save_ifs" - test -z "$lt_cv_path_NM" && lt_cv_path_NM=nm -fi]) -NM="$lt_cv_path_NM" -])# AC_PROG_NM - - -# AC_CHECK_LIBM -# ------------- -# check for math library -AC_DEFUN([AC_CHECK_LIBM], -[AC_REQUIRE([AC_CANONICAL_HOST])dnl -LIBM= -case $host in -*-*-beos* | *-*-cygwin* | *-*-pw32* | *-*-darwin*) - # These system don't have libm, or don't need it - ;; -*-ncr-sysv4.3*) - AC_CHECK_LIB(mw, _mwvalidcheckl, LIBM="-lmw") - AC_CHECK_LIB(m, cos, LIBM="$LIBM -lm") - ;; -*) - AC_CHECK_LIB(m, cos, LIBM="-lm") - ;; -esac -])# AC_CHECK_LIBM - - -# AC_LIBLTDL_CONVENIENCE([DIRECTORY]) -# ----------------------------------- -# sets LIBLTDL to the link flags for the libltdl convenience library and -# LTDLINCL to the include flags for the libltdl header and adds -# --enable-ltdl-convenience to the configure arguments. Note that LIBLTDL -# and LTDLINCL are not AC_SUBSTed, nor is AC_CONFIG_SUBDIRS called. If -# DIRECTORY is not provided, it is assumed to be `libltdl'. LIBLTDL will -# be prefixed with '${top_builddir}/' and LTDLINCL will be prefixed with -# '${top_srcdir}/' (note the single quotes!). If your package is not -# flat and you're not using automake, define top_builddir and -# top_srcdir appropriately in the Makefiles. 
-AC_DEFUN([AC_LIBLTDL_CONVENIENCE], -[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl - case $enable_ltdl_convenience in - no) AC_MSG_ERROR([this package needs a convenience libltdl]) ;; - "") enable_ltdl_convenience=yes - ac_configure_args="$ac_configure_args --enable-ltdl-convenience" ;; - esac - LIBLTDL='${top_builddir}/'ifelse($#,1,[$1],['libltdl'])/libltdlc.la - LTDLINCL='-I${top_srcdir}/'ifelse($#,1,[$1],['libltdl']) - # For backwards non-gettext consistent compatibility... - INCLTDL="$LTDLINCL" -])# AC_LIBLTDL_CONVENIENCE - - -# AC_LIBLTDL_INSTALLABLE([DIRECTORY]) -# ----------------------------------- -# sets LIBLTDL to the link flags for the libltdl installable library and -# LTDLINCL to the include flags for the libltdl header and adds -# --enable-ltdl-install to the configure arguments. Note that LIBLTDL -# and LTDLINCL are not AC_SUBSTed, nor is AC_CONFIG_SUBDIRS called. If -# DIRECTORY is not provided and an installed libltdl is not found, it is -# assumed to be `libltdl'. LIBLTDL will be prefixed with '${top_builddir}/' -# and LTDLINCL will be prefixed with '${top_srcdir}/' (note the single -# quotes!). If your package is not flat and you're not using automake, -# define top_builddir and top_srcdir appropriately in the Makefiles. -# In the future, this macro may have to be called after AC_PROG_LIBTOOL. 
-AC_DEFUN([AC_LIBLTDL_INSTALLABLE], -[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl - AC_CHECK_LIB(ltdl, lt_dlinit, - [test x"$enable_ltdl_install" != xyes && enable_ltdl_install=no], - [if test x"$enable_ltdl_install" = xno; then - AC_MSG_WARN([libltdl not installed, but installation disabled]) - else - enable_ltdl_install=yes - fi - ]) - if test x"$enable_ltdl_install" = x"yes"; then - ac_configure_args="$ac_configure_args --enable-ltdl-install" - LIBLTDL='${top_builddir}/'ifelse($#,1,[$1],['libltdl'])/libltdl.la - LTDLINCL='-I${top_srcdir}/'ifelse($#,1,[$1],['libltdl']) - else - ac_configure_args="$ac_configure_args --enable-ltdl-install=no" - LIBLTDL="-lltdl" - LTDLINCL= - fi - # For backwards non-gettext consistent compatibility... - INCLTDL="$LTDLINCL" -])# AC_LIBLTDL_INSTALLABLE - - -# AC_LIBTOOL_CXX -# -------------- -# enable support for C++ libraries -AC_DEFUN([AC_LIBTOOL_CXX], -[AC_REQUIRE([_LT_AC_LANG_CXX]) -])# AC_LIBTOOL_CXX - - -# _LT_AC_LANG_CXX -# --------------- -AC_DEFUN([_LT_AC_LANG_CXX], -[AC_REQUIRE([AC_PROG_CXX]) -AC_REQUIRE([AC_PROG_CXXCPP]) -_LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}CXX]) -])# _LT_AC_LANG_CXX - - -# AC_LIBTOOL_F77 -# -------------- -# enable support for Fortran 77 libraries -AC_DEFUN([AC_LIBTOOL_F77], -[AC_REQUIRE([_LT_AC_LANG_F77]) -])# AC_LIBTOOL_F77 - - -# _LT_AC_LANG_F77 -# --------------- -AC_DEFUN([_LT_AC_LANG_F77], -[AC_REQUIRE([AC_PROG_F77]) -_LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}F77]) -])# _LT_AC_LANG_F77 - - -# AC_LIBTOOL_GCJ -# -------------- -# enable support for GCJ libraries -AC_DEFUN([AC_LIBTOOL_GCJ], -[AC_REQUIRE([_LT_AC_LANG_GCJ]) -])# AC_LIBTOOL_GCJ - - -# _LT_AC_LANG_GCJ -# --------------- -AC_DEFUN([_LT_AC_LANG_GCJ], -[AC_PROVIDE_IFELSE([AC_PROG_GCJ],[], - [AC_PROVIDE_IFELSE([A][M_PROG_GCJ],[], - [AC_PROVIDE_IFELSE([LT_AC_PROG_GCJ],[], - [ifdef([AC_PROG_GCJ],[AC_REQUIRE([AC_PROG_GCJ])], - [ifdef([A][M_PROG_GCJ],[AC_REQUIRE([A][M_PROG_GCJ])], - 
[AC_REQUIRE([A][C_PROG_GCJ_OR_A][M_PROG_GCJ])])])])])]) -_LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}GCJ]) -])# _LT_AC_LANG_GCJ - - -# AC_LIBTOOL_RC -# -------------- -# enable support for Windows resource files -AC_DEFUN([AC_LIBTOOL_RC], -[AC_REQUIRE([LT_AC_PROG_RC]) -_LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}RC]) -])# AC_LIBTOOL_RC - - -# AC_LIBTOOL_LANG_C_CONFIG -# ------------------------ -# Ensure that the configuration vars for the C compiler are -# suitably defined. Those variables are subsequently used by -# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'. -AC_DEFUN([AC_LIBTOOL_LANG_C_CONFIG], [_LT_AC_LANG_C_CONFIG]) -AC_DEFUN([_LT_AC_LANG_C_CONFIG], -[lt_save_CC="$CC" -AC_LANG_PUSH(C) - -# Source file extension for C test sources. -ac_ext=c - -# Object file extension for compiled C test sources. -objext=o -_LT_AC_TAGVAR(objext, $1)=$objext - -# Code to be used in simple compile tests -lt_simple_compile_test_code="int some_variable = 0;\n" - -# Code to be used in simple link tests -lt_simple_link_test_code='int main(){return(0);}\n' - -_LT_AC_SYS_COMPILER - -# -# Check for any special shared library compilation flags. -# -_LT_AC_TAGVAR(lt_prog_cc_shlib, $1)= -if test "$GCC" = no; then - case $host_os in - sco3.2v5*) - _LT_AC_TAGVAR(lt_prog_cc_shlib, $1)='-belf' - ;; - esac -fi -if test -n "$_LT_AC_TAGVAR(lt_prog_cc_shlib, $1)"; then - AC_MSG_WARN([`$CC' requires `$_LT_AC_TAGVAR(lt_prog_cc_shlib, $1)' to build shared libraries]) - if echo "$old_CC $old_CFLAGS " | grep "[[ ]]$_LT_AC_TAGVAR(lt_prog_cc_shlib, $1)[[ ]]" >/dev/null; then : - else - AC_MSG_WARN([add `$_LT_AC_TAGVAR(lt_prog_cc_shlib, $1)' to the CC or CFLAGS env variable and reconfigure]) - _LT_AC_TAGVAR(lt_cv_prog_cc_can_build_shared, $1)=no - fi -fi - - -# -# Check to make sure the static flag actually works. 
-# -AC_LIBTOOL_LINKER_OPTION([if $compiler static flag $_LT_AC_TAGVAR(lt_prog_compiler_static, $1) works], - _LT_AC_TAGVAR(lt_prog_compiler_static_works, $1), - $_LT_AC_TAGVAR(lt_prog_compiler_static, $1), - [], - [_LT_AC_TAGVAR(lt_prog_compiler_static, $1)=]) - - -AC_LIBTOOL_PROG_COMPILER_NO_RTTI($1) -AC_LIBTOOL_PROG_COMPILER_PIC($1) -AC_LIBTOOL_PROG_CC_C_O($1) -AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1) -AC_LIBTOOL_PROG_LD_SHLIBS($1) -AC_LIBTOOL_SYS_DYNAMIC_LINKER($1) -AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1) -AC_LIBTOOL_SYS_LIB_STRIP -AC_LIBTOOL_DLOPEN_SELF($1) - -# Report which librarie types wil actually be built -AC_MSG_CHECKING([if libtool supports shared libraries]) -AC_MSG_RESULT([$can_build_shared]) - -AC_MSG_CHECKING([whether to build shared libraries]) -test "$can_build_shared" = "no" && enable_shared=no - -# On AIX, shared libraries and static libraries use the same namespace, and -# are all built from PIC. -case "$host_os" in -aix3*) - test "$enable_shared" = yes && enable_static=no - if test -n "$RANLIB"; then - archive_cmds="$archive_cmds~\$RANLIB \$lib" - postinstall_cmds='$RANLIB $lib' - fi - ;; - -aix4*) - if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then - test "$enable_shared" = yes && enable_static=no - fi - ;; - darwin* | rhapsody*) - if test "$GCC" = yes; then - _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no - case "$host_os" in - rhapsody* | darwin1.[[012]]) - _LT_AC_TAGVAR(allow_undefined_flag, $1)='-undefined suppress' - ;; - *) # Darwin 1.3 on - if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then - _LT_AC_TAGVAR(allow_undefined_flag, $1)='-flat_namespace -undefined suppress' - else - case ${MACOSX_DEPLOYMENT_TARGET} in - 10.[[012]]) - _LT_AC_TAGVAR(allow_undefined_flag, $1)='-flat_namespace -undefined suppress' - ;; - 10.*) - _LT_AC_TAGVAR(allow_undefined_flag, $1)='-undefined dynamic_lookup' - ;; - esac - fi - ;; - esac - output_verbose_link_cmd='echo' - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -dynamiclib $allow_undefined_flag -o $lib 
$libobjs $deplibs$compiler_flags -install_name $rpath/$soname $verstring' - _LT_AC_TAGVAR(module_cmds, $1)='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags' - # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs$compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' - _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' - _LT_AC_TAGVAR(hardcode_direct, $1)=no - _LT_AC_TAGVAR(hardcode_automatic, $1)=yes - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported - _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='-all_load $convenience' - _LT_AC_TAGVAR(link_all_deplibs, $1)=yes - else - _LT_AC_TAGVAR(ld_shlibs, $1)=no - fi - ;; -esac -AC_MSG_RESULT([$enable_shared]) - -AC_MSG_CHECKING([whether to build static libraries]) -# Make sure either enable_shared or enable_static is yes. -test "$enable_shared" = yes || enable_static=yes -AC_MSG_RESULT([$enable_static]) - -AC_LIBTOOL_CONFIG($1) - -AC_LANG_POP -CC="$lt_save_CC" -])# AC_LIBTOOL_LANG_C_CONFIG - - -# AC_LIBTOOL_LANG_CXX_CONFIG -# -------------------------- -# Ensure that the configuration vars for the C compiler are -# suitably defined. Those variables are subsequently used by -# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'. 
-AC_DEFUN([AC_LIBTOOL_LANG_CXX_CONFIG], [_LT_AC_LANG_CXX_CONFIG(CXX)]) -AC_DEFUN([_LT_AC_LANG_CXX_CONFIG], -[AC_LANG_PUSH(C++) -AC_REQUIRE([AC_PROG_CXX]) -AC_REQUIRE([AC_PROG_CXXCPP]) - -_LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no -_LT_AC_TAGVAR(allow_undefined_flag, $1)= -_LT_AC_TAGVAR(always_export_symbols, $1)=no -_LT_AC_TAGVAR(archive_expsym_cmds, $1)= -_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)= -_LT_AC_TAGVAR(hardcode_direct, $1)=no -_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)= -_LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)= -_LT_AC_TAGVAR(hardcode_libdir_separator, $1)= -_LT_AC_TAGVAR(hardcode_minus_L, $1)=no -_LT_AC_TAGVAR(hardcode_automatic, $1)=no -_LT_AC_TAGVAR(module_cmds, $1)= -_LT_AC_TAGVAR(module_expsym_cmds, $1)= -_LT_AC_TAGVAR(link_all_deplibs, $1)=unknown -_LT_AC_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds -_LT_AC_TAGVAR(no_undefined_flag, $1)= -_LT_AC_TAGVAR(whole_archive_flag_spec, $1)= -_LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=no - -# Dependencies to place before and after the object being linked: -_LT_AC_TAGVAR(predep_objects, $1)= -_LT_AC_TAGVAR(postdep_objects, $1)= -_LT_AC_TAGVAR(predeps, $1)= -_LT_AC_TAGVAR(postdeps, $1)= -_LT_AC_TAGVAR(compiler_lib_search_path, $1)= - -# Source file extension for C++ test sources. -ac_ext=cc - -# Object file extension for compiled C++ test sources. -objext=o -_LT_AC_TAGVAR(objext, $1)=$objext - -# Code to be used in simple compile tests -lt_simple_compile_test_code="int some_variable = 0;\n" - -# Code to be used in simple link tests -lt_simple_link_test_code='int main(int, char *[]) { return(0); }\n' - -# ltmain only uses $CC for tagged configurations so make sure $CC is set. -_LT_AC_SYS_COMPILER - -# Allow CC to be a program name with arguments. 
-lt_save_CC=$CC -lt_save_LD=$LD -lt_save_GCC=$GCC -GCC=$GXX -lt_save_with_gnu_ld=$with_gnu_ld -lt_save_path_LD=$lt_cv_path_LD -if test -n "${lt_cv_prog_gnu_ldcxx+set}"; then - lt_cv_prog_gnu_ld=$lt_cv_prog_gnu_ldcxx -else - unset lt_cv_prog_gnu_ld -fi -if test -n "${lt_cv_path_LDCXX+set}"; then - lt_cv_path_LD=$lt_cv_path_LDCXX -else - unset lt_cv_path_LD -fi -test -z "${LDCXX+set}" || LD=$LDCXX -CC=${CXX-"c++"} -compiler=$CC -_LT_AC_TAGVAR(compiler, $1)=$CC -cc_basename=`$echo X"$compiler" | $Xsed -e 's%^.*/%%'` - -# We don't want -fno-exception wen compiling C++ code, so set the -# no_builtin_flag separately -if test "$GXX" = yes; then - _LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin' -else - _LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)= -fi - -if test "$GXX" = yes; then - # Set up default GNU C++ configuration - - AC_PROG_LD - - # Check if GNU C++ uses GNU ld as the underlying linker, since the - # archiving commands below assume that GNU ld is being used. - if test "$with_gnu_ld" = yes; then - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' - - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath ${wl}$libdir' - _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic' - - # If archive_cmds runs LD, not CC, wlarc should be empty - # XXX I think wlarc can be eliminated in ltcf-cxx, but I need to - # investigate it a little bit more. (MM) - wlarc='${wl}' - - # ancient GNU ld didn't support --whole-archive et. al. 
- if eval "`$CC -print-prog-name=ld` --help 2>&1" | \ - grep 'no-whole-archive' > /dev/null; then - _LT_AC_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive' - else - _LT_AC_TAGVAR(whole_archive_flag_spec, $1)= - fi - else - with_gnu_ld=no - wlarc= - - # A generic and very simple default shared library creation - # command for GNU C++ for the case where it uses the native - # linker, instead of GNU ld. If possible, this setting should - # overridden to take advantage of the native linker features on - # the platform it is being used on. - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib' - fi - - # Commands to make compiler produce verbose output that lists - # what "hidden" libraries, object files and flags are used when - # linking a shared library. - output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"' - -else - GXX=no - with_gnu_ld=no - wlarc= -fi - -# PORTME: fill in a description of your system's C++ link characteristics -AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries]) -_LT_AC_TAGVAR(ld_shlibs, $1)=yes -case $host_os in - aix3*) - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - aix4* | aix5*) - if test "$host_cpu" = ia64; then - # On IA64, the linker does run time linking by default, so we don't - # have to do anything special. - aix_use_runtimelinking=no - exp_sym_flag='-Bexport' - no_entry_flag="" - else - aix_use_runtimelinking=no - - # Test if we are trying to use run time linking or normal - # AIX style linking. If -brtl is somewhere in LDFLAGS, we - # need to do runtime linking. 
- case $host_os in aix4.[[23]]|aix4.[[23]].*|aix5*) - for ld_flag in $LDFLAGS; do - case $ld_flag in - *-brtl*) - aix_use_runtimelinking=yes - break - ;; - esac - done - esac - - exp_sym_flag='-bexport' - no_entry_flag='-bnoentry' - fi - - # When large executables or shared objects are built, AIX ld can - # have problems creating the table of contents. If linking a library - # or program results in "error TOC overflow" add -mminimal-toc to - # CXXFLAGS/CFLAGS for g++/gcc. In the cases where that is not - # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS. - - _LT_AC_TAGVAR(archive_cmds, $1)='' - _LT_AC_TAGVAR(hardcode_direct, $1)=yes - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=':' - _LT_AC_TAGVAR(link_all_deplibs, $1)=yes - - if test "$GXX" = yes; then - case $host_os in aix4.[012]|aix4.[012].*) - # We only want to do this on AIX 4.2 and lower, the check - # below for broken collect2 doesn't work under 4.3+ - collect2name=`${CC} -print-prog-name=collect2` - if test -f "$collect2name" && \ - strings "$collect2name" | grep resolve_lib_name >/dev/null - then - # We have reworked collect2 - _LT_AC_TAGVAR(hardcode_direct, $1)=yes - else - # We have old collect2 - _LT_AC_TAGVAR(hardcode_direct, $1)=unsupported - # It fails to find uninstalled libraries when the uninstalled - # path is not listed in the libpath. Setting hardcode_minus_L - # to unsupported forces relinking - _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)= - fi - esac - shared_flag='-shared' - else - # not using gcc - if test "$host_cpu" = ia64; then - # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release - # chokes on -Wl,-G. 
The following line is correct: - shared_flag='-G' - else - if test "$aix_use_runtimelinking" = yes; then - shared_flag='${wl}-G' - else - shared_flag='${wl}-bM:SRE' - fi - fi - fi - - # It seems that -bexpall does not export symbols beginning with - # underscore (_), so it is better to generate a list of symbols to export. - _LT_AC_TAGVAR(always_export_symbols, $1)=yes - if test "$aix_use_runtimelinking" = yes; then - # Warning - without using the other runtime loading flags (-brtl), - # -berok will link without error, but may produce a broken library. - _LT_AC_TAGVAR(allow_undefined_flag, $1)='-berok' - # Determine the default libpath from the value encoded in an empty executable. - _LT_AC_SYS_LIBPATH_AIX - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath" - - _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols $shared_flag" - else - if test "$host_cpu" = ia64; then - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib' - _LT_AC_TAGVAR(allow_undefined_flag, $1)="-z nodefs" - _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols" - else - # Determine the default libpath from the value encoded in an empty executable. - _LT_AC_SYS_LIBPATH_AIX - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath" - # Warning - without using the other run time loading flags, - # -berok will link without error, but may produce a broken library. 
- _LT_AC_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok' - _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok' - # -bexpall does not export symbols beginning with underscore (_) - _LT_AC_TAGVAR(always_export_symbols, $1)=yes - # Exported symbols can be pulled into shared objects from archives - _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=' ' - _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes - # This is similar to how AIX traditionally builds it's shared libraries. - _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}-bE:$export_symbols ${wl}-bnoentry${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname' - fi - fi - ;; - chorus*) - case $cc_basename in - *) - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - esac - ;; - - cygwin* | mingw* | pw32*) - # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless, - # as there is no search path for DLLs. - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' - _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported - _LT_AC_TAGVAR(always_export_symbols, $1)=no - _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=yes - - if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib' - # If the export-symbols file already is a .def file (1st line - # is EXPORTS), use it as is; otherwise, prepend... 
- _LT_AC_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then - cp $export_symbols $output_objdir/$soname.def; - else - echo EXPORTS > $output_objdir/$soname.def; - cat $export_symbols >> $output_objdir/$soname.def; - fi~ - $CC -shared -nostdlib $output_objdir/$soname.def $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib' - else - _LT_AC_TAGVAR(ld_shlibs, $1)=no - fi - ;; - - darwin* | rhapsody*) - if test "$GXX" = yes; then - _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no - case "$host_os" in - rhapsody* | darwin1.[[012]]) - _LT_AC_TAGVAR(allow_undefined_flag, $1)='-undefined suppress' - ;; - *) # Darwin 1.3 on - if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then - _LT_AC_TAGVAR(allow_undefined_flag, $1)='-flat_namespace -undefined suppress' - else - case ${MACOSX_DEPLOYMENT_TARGET} in - 10.[[012]]) - _LT_AC_TAGVAR(allow_undefined_flag, $1)='-flat_namespace -undefined suppress' - ;; - 10.*) - _LT_AC_TAGVAR(allow_undefined_flag, $1)='-undefined dynamic_lookup' - ;; - esac - fi - ;; - esac - lt_int_apple_cc_single_mod=no - output_verbose_link_cmd='echo' - if $CC -dumpspecs 2>&1 | grep 'single_module' >/dev/null ; then - lt_int_apple_cc_single_mod=yes - fi - if test "X$lt_int_apple_cc_single_mod" = Xyes ; then - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring' - else - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring' - fi - _LT_AC_TAGVAR(module_cmds, $1)='$CC ${wl}-bind_at_load $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags' - - # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in 
older darwin ld's - if test "X$lt_int_apple_cc_single_mod" = Xyes ; then - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' - else - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' - fi - _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' - _LT_AC_TAGVAR(hardcode_direct, $1)=no - _LT_AC_TAGVAR(hardcode_automatic, $1)=yes - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported - _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='-all_load $convenience' - _LT_AC_TAGVAR(link_all_deplibs, $1)=yes - else - _LT_AC_TAGVAR(ld_shlibs, $1)=no - fi - ;; - - dgux*) - case $cc_basename in - ec++) - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - ghcx) - # Green Hills C++ Compiler - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - *) - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - esac - ;; - freebsd[12]*) - # C++ shared libraries reported to be fairly broken before switch to ELF - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - freebsd-elf*) - _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no - ;; - 
freebsd* | kfreebsd*-gnu) - # FreeBSD 3 and later use GNU C++ and GNU ld with standard ELF - # conventions - _LT_AC_TAGVAR(ld_shlibs, $1)=yes - ;; - gnu*) - ;; - hpux9*) - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir' - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=: - _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' - _LT_AC_TAGVAR(hardcode_direct, $1)=yes - _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH, - # but as the default - # location of the library. - - case $cc_basename in - CC) - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - aCC) - _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/$soname~$CC -b ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib' - # Commands to make compiler produce verbose output that lists - # what "hidden" libraries, object files and flags are used when - # linking a shared library. - # - # There doesn't appear to be a way to prevent this compiler from - # explicitly linking system object files so we need to strip them - # from the output so that they don't get included in the library - # dependencies. 
- output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | egrep "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list' - ;; - *) - if test "$GXX" = yes; then - _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/$soname~$CC -shared -nostdlib -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib' - else - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - fi - ;; - esac - ;; - hpux10*|hpux11*) - if test $with_gnu_ld = no; then - case "$host_cpu" in - hppa*64*) - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir' - _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='+b $libdir' - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=: - ;; - ia64*) - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' - ;; - *) - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir' - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=: - _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' - ;; - esac - fi - case "$host_cpu" in - hppa*64*) - _LT_AC_TAGVAR(hardcode_direct, $1)=no - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - ;; - ia64*) - _LT_AC_TAGVAR(hardcode_direct, $1)=no - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH, - # but as the default - # location of the library. - ;; - *) - _LT_AC_TAGVAR(hardcode_direct, $1)=yes - _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH, - # but as the default - # location of the library. 
- ;; - esac - - case $cc_basename in - CC) - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - aCC) - case "$host_cpu" in - hppa*64*|ia64*) - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -b +h $soname -o $lib $linker_flags $libobjs $deplibs' - ;; - *) - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' - ;; - esac - # Commands to make compiler produce verbose output that lists - # what "hidden" libraries, object files and flags are used when - # linking a shared library. - # - # There doesn't appear to be a way to prevent this compiler from - # explicitly linking system object files so we need to strip them - # from the output so that they don't get included in the library - # dependencies. - output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | grep "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list' - ;; - *) - if test "$GXX" = yes; then - if test $with_gnu_ld = no; then - case "$host_cpu" in - ia64*|hppa*64*) - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -b +h $soname -o $lib $linker_flags $libobjs $deplibs' - ;; - *) - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' - ;; - esac - fi - else - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - fi - ;; - esac - ;; - irix5* | irix6*) - case $cc_basename in - CC) - # SGI C++ - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -all -multigot $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${objdir}/so_locations -o $lib' - - # Archives containing C++ object files must be created using - # "CC -ar", where 
"CC" is the IRIX C++ compiler. This is - # necessary to make sure instantiated templates are included - # in the archive. - _LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -ar -WR,-u -o $oldlib $oldobjs' - ;; - *) - if test "$GXX" = yes; then - if test "$with_gnu_ld" = no; then - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${objdir}/so_locations -o $lib' - else - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` -o $lib' - fi - fi - _LT_AC_TAGVAR(link_all_deplibs, $1)=yes - ;; - esac - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=: - ;; - linux*) - case $cc_basename in - KCC) - # Kuck and Associates, Inc. (KAI) C++ Compiler - - # KCC will only create a shared library if the output file - # ends with ".so" (or ".sl" for HP-UX), so rename the library - # to its proper name (with version) after linking. 
- _LT_AC_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib ${wl}-retain-symbols-file,$export_symbols; mv \$templib $lib' - # Commands to make compiler produce verbose output that lists - # what "hidden" libraries, object files and flags are used when - # linking a shared library. - # - # There doesn't appear to be a way to prevent this compiler from - # explicitly linking system object files so we need to strip them - # from the output so that they don't get included in the library - # dependencies. - output_verbose_link_cmd='templist=`$CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1 | grep "ld"`; rm -f libconftest$shared_ext; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list' - - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath,$libdir' - _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic' - - # Archives containing C++ object files must be created using - # "CC -Bstatic", where "CC" is the KAI C++ compiler. 
- _LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -Bstatic -o $oldlib $oldobjs' - ;; - icpc) - # Intel C++ - with_gnu_ld=yes - _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' - _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic' - _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive$convenience ${wl}--no-whole-archive' - ;; - cxx) - # Compaq C++ - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib ${wl}-retain-symbols-file $wl$export_symbols' - - runpath_var=LD_RUN_PATH - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir' - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=: - - # Commands to make compiler produce verbose output that lists - # what "hidden" libraries, object files and flags are used when - # linking a shared library. - # - # There doesn't appear to be a way to prevent this compiler from - # explicitly linking system object files so we need to strip them - # from the output so that they don't get included in the library - # dependencies. 
- output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld .*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list' - ;; - esac - ;; - lynxos*) - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - m88k*) - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - mvs*) - case $cc_basename in - cxx) - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - *) - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - esac - ;; - netbsd*) - if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $predep_objects $libobjs $deplibs $postdep_objects $linker_flags' - wlarc= - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' - _LT_AC_TAGVAR(hardcode_direct, $1)=yes - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - fi - # Workaround some broken pre-1.5 toolchains - output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep conftest.$objext | $SED -e "s:-lgcc -lc -lgcc::"' - ;; - osf3*) - case $cc_basename in - KCC) - # Kuck and Associates, Inc. (KAI) C++ Compiler - - # KCC will only create a shared library if the output file - # ends with ".so" (or ".sl" for HP-UX), so rename the library - # to its proper name (with version) after linking. 
- _LT_AC_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib' - - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=: - - # Archives containing C++ object files must be created using - # "CC -Bstatic", where "CC" is the KAI C++ compiler. - _LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -Bstatic -o $oldlib $oldobjs' - - ;; - RCC) - # Rational C++ 2.4.1 - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - cxx) - _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*' - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $soname `test -n "$verstring" && echo ${wl}-set_version $verstring` -update_registry ${objdir}/so_locations -o $lib' - - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=: - - # Commands to make compiler produce verbose output that lists - # what "hidden" libraries, object files and flags are used when - # linking a shared library. - # - # There doesn't appear to be a way to prevent this compiler from - # explicitly linking system object files so we need to strip them - # from the output so that they don't get included in the library - # dependencies. 
- output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld" | grep -v "ld:"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list' - ;; - *) - if test "$GXX" = yes && test "$with_gnu_ld" = no; then - _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*' - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${objdir}/so_locations -o $lib' - - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=: - - # Commands to make compiler produce verbose output that lists - # what "hidden" libraries, object files and flags are used when - # linking a shared library. - output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"' - - else - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - fi - ;; - esac - ;; - osf4* | osf5*) - case $cc_basename in - KCC) - # Kuck and Associates, Inc. (KAI) C++ Compiler - - # KCC will only create a shared library if the output file - # ends with ".so" (or ".sl" for HP-UX), so rename the library - # to its proper name (with version) after linking. 
- _LT_AC_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib' - - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=: - - # Archives containing C++ object files must be created using - # the KAI C++ compiler. - _LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -o $oldlib $oldobjs' - ;; - RCC) - # Rational C++ 2.4.1 - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - cxx) - _LT_AC_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*' - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${objdir}/so_locations -o $lib' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done~ - echo "-hidden">> $lib.exp~ - $CC -shared$allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname -Wl,-input -Wl,$lib.exp `test -n "$verstring" && echo -set_version $verstring` -update_registry $objdir/so_locations -o $lib~ - $rm $lib.exp' - - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir' - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=: - - # Commands to make compiler produce verbose output that lists - # what "hidden" libraries, object files and flags are used when - # linking a shared library. - # - # There doesn't appear to be a way to prevent this compiler from - # explicitly linking system object files so we need to strip them - # from the output so that they don't get included in the library - # dependencies. 
- output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld" | grep -v "ld:"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list' - ;; - *) - if test "$GXX" = yes && test "$with_gnu_ld" = no; then - _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*' - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${objdir}/so_locations -o $lib' - - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=: - - # Commands to make compiler produce verbose output that lists - # what "hidden" libraries, object files and flags are used when - # linking a shared library. 
- output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"' - - else - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - fi - ;; - esac - ;; - psos*) - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - sco*) - _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no - case $cc_basename in - CC) - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - *) - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - esac - ;; - sunos4*) - case $cc_basename in - CC) - # Sun C++ 4.x - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - lcc) - # Lucid - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - *) - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - esac - ;; - solaris*) - case $cc_basename in - CC) - # Sun C++ 4.2, 5.x and Centerline C++ - _LT_AC_TAGVAR(no_undefined_flag, $1)=' -zdefs' - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag} -nolib -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~ - $CC -G${allow_undefined_flag} -nolib ${wl}-M ${wl}$lib.exp -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp' - - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - case $host_os in - solaris2.[0-5] | solaris2.[0-5].*) ;; - *) - # The C++ compiler is used as linker so we must use $wl - # flag to pass the commands to the underlying system - # linker. - # Supported since Solaris 2.6 (maybe 2.5.1?) 
- _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract' - ;; - esac - _LT_AC_TAGVAR(link_all_deplibs, $1)=yes - - # Commands to make compiler produce verbose output that lists - # what "hidden" libraries, object files and flags are used when - # linking a shared library. - # - # There doesn't appear to be a way to prevent this compiler from - # explicitly linking system object files so we need to strip them - # from the output so that they don't get included in the library - # dependencies. - output_verbose_link_cmd='templist=`$CC -G $CFLAGS -v conftest.$objext 2>&1 | grep "\-[[LR]]"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list' - - # Archives containing C++ object files must be created using - # "CC -xar", where "CC" is the Sun C++ compiler. This is - # necessary to make sure instantiated templates are included - # in the archive. - _LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -xar -o $oldlib $oldobjs' - ;; - gcx) - # Green Hills C++ Compiler - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib' - - # The C++ compiler must be used to create the archive. 
- _LT_AC_TAGVAR(old_archive_cmds, $1)='$CC $LDFLAGS -archive -o $oldlib $oldobjs' - ;; - *) - # GNU C++ compiler with Solaris linker - if test "$GXX" = yes && test "$with_gnu_ld" = no; then - _LT_AC_TAGVAR(no_undefined_flag, $1)=' ${wl}-z ${wl}defs' - if $CC --version | grep -v '^2\.7' > /dev/null; then - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~ - $CC -shared -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp' - - # Commands to make compiler produce verbose output that lists - # what "hidden" libraries, object files and flags are used when - # linking a shared library. - output_verbose_link_cmd="$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep \"\-L\"" - else - # g++ 2.7 appears to require `-G' NOT `-shared' on this - # platform. - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -G -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~ - $CC -G -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp' - - # Commands to make compiler produce verbose output that lists - # what "hidden" libraries, object files and flags are used when - # linking a shared library. 
- output_verbose_link_cmd="$CC -G $CFLAGS -v conftest.$objext 2>&1 | grep \"\-L\"" - fi - - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $wl$libdir' - fi - ;; - esac - ;; - sysv5OpenUNIX8* | sysv5UnixWare7* | sysv5uw[[78]]* | unixware7*) - _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no - ;; - tandem*) - case $cc_basename in - NCC) - # NonStop-UX NCC 3.20 - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - *) - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - esac - ;; - vxworks*) - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - *) - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; -esac -AC_MSG_RESULT([$_LT_AC_TAGVAR(ld_shlibs, $1)]) -test "$_LT_AC_TAGVAR(ld_shlibs, $1)" = no && can_build_shared=no - -_LT_AC_TAGVAR(GCC, $1)="$GXX" -_LT_AC_TAGVAR(LD, $1)="$LD" - -AC_LIBTOOL_POSTDEP_PREDEP($1) -AC_LIBTOOL_PROG_COMPILER_PIC($1) -AC_LIBTOOL_PROG_CC_C_O($1) -AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1) -AC_LIBTOOL_PROG_LD_SHLIBS($1) -AC_LIBTOOL_SYS_DYNAMIC_LINKER($1) -AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1) -AC_LIBTOOL_SYS_LIB_STRIP -AC_LIBTOOL_DLOPEN_SELF($1) - -AC_LIBTOOL_CONFIG($1) - -AC_LANG_POP -CC=$lt_save_CC -LDCXX=$LD -LD=$lt_save_LD -GCC=$lt_save_GCC -with_gnu_ldcxx=$with_gnu_ld -with_gnu_ld=$lt_save_with_gnu_ld -lt_cv_path_LDCXX=$lt_cv_path_LD -lt_cv_path_LD=$lt_save_path_LD -lt_cv_prog_gnu_ldcxx=$lt_cv_prog_gnu_ld -lt_cv_prog_gnu_ld=$lt_save_with_gnu_ld -])# AC_LIBTOOL_LANG_CXX_CONFIG - -# AC_LIBTOOL_POSTDEP_PREDEP([TAGNAME]) -# ------------------------ -# Figure out "hidden" library dependencies from verbose -# compiler output when linking a shared library. -# Parse the compiler output and extract the necessary -# objects, libraries and library flags. -AC_DEFUN([AC_LIBTOOL_POSTDEP_PREDEP],[ -dnl we can't use the lt_simple_compile_test_code here, -dnl because it contains code intended for an executable, -dnl not a library. 
It's possible we should let each -dnl tag define a new lt_????_link_test_code variable, -dnl but it's only used here... -ifelse([$1],[],[cat > conftest.$ac_ext < conftest.$ac_ext < conftest.$ac_ext < conftest.$ac_ext <> "$cfgfile" -ifelse([$1], [], -[#! $SHELL - -# `$echo "$cfgfile" | sed 's%^.*/%%'` - Provide generalized library-building support services. -# Generated automatically by $PROGRAM (GNU $PACKAGE $VERSION$TIMESTAMP) -# NOTE: Changes made to this file will be lost: look at ltmain.sh. -# -# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001 -# Free Software Foundation, Inc. -# -# This file is part of GNU Libtool: -# Originally by Gordon Matzigkeit , 1996 -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -# -# As a special exception to the GNU General Public License, if you -# distribute this file as part of a program that contains a -# configuration script generated by Autoconf, you may include it under -# the same distribution terms that you use for the rest of that program. - -# A sed program that does not truncate output. -SED=$lt_SED - -# Sed that helps us avoid accidentally triggering echo(1) options like -n. -Xsed="$SED -e s/^X//" - -# The HP-UX ksh and POSIX shell print the target directory to stdout -# if CDPATH is set. 
-if test "X\${CDPATH+set}" = Xset; then CDPATH=:; export CDPATH; fi - -# The names of the tagged configurations supported by this script. -available_tags= - -# ### BEGIN LIBTOOL CONFIG], -[# ### BEGIN LIBTOOL TAG CONFIG: $tagname]) - -# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`: - -# Shell to use when invoking shell scripts. -SHELL=$lt_SHELL - -# Whether or not to build shared libraries. -build_libtool_libs=$enable_shared - -# Whether or not to build static libraries. -build_old_libs=$enable_static - -# Whether or not to add -lc for building shared libraries. -build_libtool_need_lc=$_LT_AC_TAGVAR(archive_cmds_need_lc, $1) - -# Whether or not to disallow shared libs when runtime libs are static -allow_libtool_libs_with_static_runtimes=$_LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1) - -# Whether or not to optimize for fast installation. -fast_install=$enable_fast_install - -# The host system. -host_alias=$host_alias -host=$host - -# An echo program that does not interpret backslashes. -echo=$lt_echo - -# The archiver. -AR=$lt_AR -AR_FLAGS=$lt_AR_FLAGS - -# A C compiler. -LTCC=$lt_LTCC - -# A language-specific compiler. -CC=$lt_[]_LT_AC_TAGVAR(compiler, $1) - -# Is the compiler the GNU C compiler? -with_gcc=$_LT_AC_TAGVAR(GCC, $1) - -# An ERE matcher. -EGREP=$lt_EGREP - -# The linker used to build libraries. -LD=$lt_[]_LT_AC_TAGVAR(LD, $1) - -# Whether we need hard or soft links. -LN_S=$lt_LN_S - -# A BSD-compatible nm program. -NM=$lt_NM - -# A symbol stripping program -STRIP=$lt_STRIP - -# Used to examine libraries when file_magic_cmd begins "file" -MAGIC_CMD=$MAGIC_CMD - -# Used on cygwin: DLL creation program. -DLLTOOL="$DLLTOOL" - -# Used on cygwin: object dumper. -OBJDUMP="$OBJDUMP" - -# Used on cygwin: assembler. -AS="$AS" - -# The name of the directory that contains temporary libtool files. -objdir=$objdir - -# How to create reloadable object files. 
-reload_flag=$lt_reload_flag -reload_cmds=$lt_reload_cmds - -# How to pass a linker flag through the compiler. -wl=$lt_[]_LT_AC_TAGVAR(lt_prog_compiler_wl, $1) - -# Object file suffix (normally "o"). -objext="$ac_objext" - -# Old archive suffix (normally "a"). -libext="$libext" - -# Shared library suffix (normally ".so"). -shrext='$shrext' - -# Executable file suffix (normally ""). -exeext="$exeext" - -# Additional compiler flags for building library objects. -pic_flag=$lt_[]_LT_AC_TAGVAR(lt_prog_compiler_pic, $1) -pic_mode=$pic_mode - -# What is the maximum length of a command? -max_cmd_len=$lt_cv_sys_max_cmd_len - -# Does compiler simultaneously support -c and -o options? -compiler_c_o=$lt_[]_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1) - -# Must we lock files when doing compilation ? -need_locks=$lt_need_locks - -# Do we need the lib prefix for modules? -need_lib_prefix=$need_lib_prefix - -# Do we need a version for libraries? -need_version=$need_version - -# Whether dlopen is supported. -dlopen_support=$enable_dlopen - -# Whether dlopen of programs is supported. -dlopen_self=$enable_dlopen_self - -# Whether dlopen of statically linked programs is supported. -dlopen_self_static=$enable_dlopen_self_static - -# Compiler flag to prevent dynamic linking. -link_static_flag=$lt_[]_LT_AC_TAGVAR(lt_prog_compiler_static, $1) - -# Compiler flag to turn off builtin functions. -no_builtin_flag=$lt_[]_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1) - -# Compiler flag to allow reflexive dlopens. -export_dynamic_flag_spec=$lt_[]_LT_AC_TAGVAR(export_dynamic_flag_spec, $1) - -# Compiler flag to generate shared objects directly from archives. -whole_archive_flag_spec=$lt_[]_LT_AC_TAGVAR(whole_archive_flag_spec, $1) - -# Compiler flag to generate thread-safe objects. -thread_safe_flag_spec=$lt_[]_LT_AC_TAGVAR(thread_safe_flag_spec, $1) - -# Library versioning type. -version_type=$version_type - -# Format of library name prefix. 
-libname_spec=$lt_libname_spec - -# List of archive names. First name is the real one, the rest are links. -# The last name is the one that the linker finds with -lNAME. -library_names_spec=$lt_library_names_spec - -# The coded name of the library, if different from the real name. -soname_spec=$lt_soname_spec - -# Commands used to build and install an old-style archive. -RANLIB=$lt_RANLIB -old_archive_cmds=$lt_[]_LT_AC_TAGVAR(old_archive_cmds, $1) -old_postinstall_cmds=$lt_old_postinstall_cmds -old_postuninstall_cmds=$lt_old_postuninstall_cmds - -# Create an old-style archive from a shared archive. -old_archive_from_new_cmds=$lt_[]_LT_AC_TAGVAR(old_archive_from_new_cmds, $1) - -# Create a temporary old-style archive to link instead of a shared archive. -old_archive_from_expsyms_cmds=$lt_[]_LT_AC_TAGVAR(old_archive_from_expsyms_cmds, $1) - -# Commands used to build and install a shared archive. -archive_cmds=$lt_[]_LT_AC_TAGVAR(archive_cmds, $1) -archive_expsym_cmds=$lt_[]_LT_AC_TAGVAR(archive_expsym_cmds, $1) -postinstall_cmds=$lt_postinstall_cmds -postuninstall_cmds=$lt_postuninstall_cmds - -# Commands used to build a loadable module (assumed same as above if empty) -module_cmds=$lt_[]_LT_AC_TAGVAR(module_cmds, $1) -module_expsym_cmds=$lt_[]_LT_AC_TAGVAR(module_expsym_cmds, $1) - -# Commands to strip libraries. -old_striplib=$lt_old_striplib -striplib=$lt_striplib - -# Dependencies to place before the objects being linked to create a -# shared library. -predep_objects=$lt_[]_LT_AC_TAGVAR(predep_objects, $1) - -# Dependencies to place after the objects being linked to create a -# shared library. -postdep_objects=$lt_[]_LT_AC_TAGVAR(postdep_objects, $1) - -# Dependencies to place before the objects being linked to create a -# shared library. -predeps=$lt_[]_LT_AC_TAGVAR(predeps, $1) - -# Dependencies to place after the objects being linked to create a -# shared library. 
-postdeps=$lt_[]_LT_AC_TAGVAR(postdeps, $1) - -# The library search path used internally by the compiler when linking -# a shared library. -compiler_lib_search_path=$lt_[]_LT_AC_TAGVAR(compiler_lib_search_path, $1) - -# Method to check whether dependent libraries are shared objects. -deplibs_check_method=$lt_deplibs_check_method - -# Command to use when deplibs_check_method == file_magic. -file_magic_cmd=$lt_file_magic_cmd - -# Flag that allows shared libraries with undefined symbols to be built. -allow_undefined_flag=$lt_[]_LT_AC_TAGVAR(allow_undefined_flag, $1) - -# Flag that forces no undefined symbols. -no_undefined_flag=$lt_[]_LT_AC_TAGVAR(no_undefined_flag, $1) - -# Commands used to finish a libtool library installation in a directory. -finish_cmds=$lt_finish_cmds - -# Same as above, but a single script fragment to be evaled but not shown. -finish_eval=$lt_finish_eval - -# Take the output of nm and produce a listing of raw symbols and C names. -global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe - -# Transform the output of nm in a proper C declaration -global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl - -# Transform the output of nm in a C name address pair -global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address - -# This is the shared library runtime path variable. -runpath_var=$runpath_var - -# This is the shared library path variable. -shlibpath_var=$shlibpath_var - -# Is shlibpath searched before the hard-coded library search path? -shlibpath_overrides_runpath=$shlibpath_overrides_runpath - -# How to hardcode a shared library path into an executable. -hardcode_action=$_LT_AC_TAGVAR(hardcode_action, $1) - -# Whether we should hardcode library paths into libraries. -hardcode_into_libs=$hardcode_into_libs - -# Flag to hardcode \$libdir into a binary during linking. -# This must work even if \$libdir does not exist. 
-hardcode_libdir_flag_spec=$lt_[]_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1) - -# If ld is used when linking, flag to hardcode \$libdir into -# a binary during linking. This must work even if \$libdir does -# not exist. -hardcode_libdir_flag_spec_ld=$lt_[]_LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1) - -# Whether we need a single -rpath flag with a separated argument. -hardcode_libdir_separator=$lt_[]_LT_AC_TAGVAR(hardcode_libdir_separator, $1) - -# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the -# resulting binary. -hardcode_direct=$_LT_AC_TAGVAR(hardcode_direct, $1) - -# Set to yes if using the -LDIR flag during linking hardcodes DIR into the -# resulting binary. -hardcode_minus_L=$_LT_AC_TAGVAR(hardcode_minus_L, $1) - -# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into -# the resulting binary. -hardcode_shlibpath_var=$_LT_AC_TAGVAR(hardcode_shlibpath_var, $1) - -# Set to yes if building a shared library automatically hardcodes DIR into the library -# and all subsequent libraries and executables linked against it. -hardcode_automatic=$_LT_AC_TAGVAR(hardcode_automatic, $1) - -# Variables whose values should be saved in libtool wrapper scripts and -# restored at relink time. -variables_saved_for_relink="$variables_saved_for_relink" - -# Whether libtool must link a program against all its dependency libraries. -link_all_deplibs=$_LT_AC_TAGVAR(link_all_deplibs, $1) - -# Compile-time system search path for libraries -sys_lib_search_path_spec=$lt_sys_lib_search_path_spec - -# Run-time system search path for libraries -sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec - -# Fix the shell variable \$srcfile for the compiler. -fix_srcfile_path="$_LT_AC_TAGVAR(fix_srcfile_path, $1)" - -# Set to yes if exported symbols are required. -always_export_symbols=$_LT_AC_TAGVAR(always_export_symbols, $1) - -# The commands to list exported symbols. 
-export_symbols_cmds=$lt_[]_LT_AC_TAGVAR(export_symbols_cmds, $1) - -# The commands to extract the exported symbol list from a shared archive. -extract_expsyms_cmds=$lt_extract_expsyms_cmds - -# Symbols that should not be listed in the preloaded symbols. -exclude_expsyms=$lt_[]_LT_AC_TAGVAR(exclude_expsyms, $1) - -# Symbols that must always be exported. -include_expsyms=$lt_[]_LT_AC_TAGVAR(include_expsyms, $1) - -ifelse([$1],[], -[# ### END LIBTOOL CONFIG], -[# ### END LIBTOOL TAG CONFIG: $tagname]) - -__EOF__ - -ifelse([$1],[], [ - case $host_os in - aix3*) - cat <<\EOF >> "$cfgfile" - -# AIX sometimes has problems with the GCC collect2 program. For some -# reason, if we set the COLLECT_NAMES environment variable, the problems -# vanish in a puff of smoke. -if test "X${COLLECT_NAMES+set}" != Xset; then - COLLECT_NAMES= - export COLLECT_NAMES -fi -EOF - ;; - esac - - # We use sed instead of cat because bash on DJGPP gets confused if - # if finds mixed CR/LF and LF-only lines. Since sed operates in - # text mode, it properly converts lines to CR/LF. This bash problem - # is reportedly fixed, but why not run on old versions too? - sed '$q' "$ltmain" >> "$cfgfile" || (rm -f "$cfgfile"; exit 1) - - mv -f "$cfgfile" "$ofile" || \ - (rm -f "$ofile" && cp "$cfgfile" "$ofile" && rm -f "$cfgfile") - chmod +x "$ofile" -]) -else - # If there is no Makefile yet, we rely on a make rule to execute - # `config.status --recheck' to rerun these tests and create the - # libtool script then. 
- ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'` - if test -f "$ltmain_in"; then - test -f Makefile && make "$ltmain" - fi -fi -])# AC_LIBTOOL_CONFIG - - -# AC_LIBTOOL_PROG_COMPILER_NO_RTTI([TAGNAME]) -# ------------------------------------------- -AC_DEFUN([AC_LIBTOOL_PROG_COMPILER_NO_RTTI], -[AC_REQUIRE([_LT_AC_SYS_COMPILER])dnl - -_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)= - -if test "$GCC" = yes; then - _LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin' - - AC_LIBTOOL_COMPILER_OPTION([if $compiler supports -fno-rtti -fno-exceptions], - lt_cv_prog_compiler_rtti_exceptions, - [-fno-rtti -fno-exceptions], [], - [_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)="$_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1) -fno-rtti -fno-exceptions"]) -fi -])# AC_LIBTOOL_PROG_COMPILER_NO_RTTI - - -# AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE -# --------------------------------- -AC_DEFUN([AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE], -[AC_REQUIRE([AC_CANONICAL_HOST]) -AC_REQUIRE([AC_PROG_NM]) -AC_REQUIRE([AC_OBJEXT]) -# Check for command to grab the raw symbol name followed by C symbol from nm. -AC_MSG_CHECKING([command to parse $NM output from $compiler object]) -AC_CACHE_VAL([lt_cv_sys_global_symbol_pipe], -[ -# These are sane defaults that work on at least a few old systems. -# [They come from Ultrix. What could be older than Ultrix?!! ;)] - -# Character class describing NM global symbol codes. -symcode='[[BCDEGRST]]' - -# Regexp to match symbols that can be accessed directly from C. -sympat='\([[_A-Za-z]][[_A-Za-z0-9]]*\)' - -# Transform the above into a raw symbol and a C symbol. -symxfrm='\1 \2\3 \3' - -# Transform an extracted symbol line into a proper C declaration -lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^. 
.* \(.*\)$/extern int \1;/p'" - -# Transform an extracted symbol line into symbol name and symbol address -lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\) $/ {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode \([[^ ]]*\) \([[^ ]]*\)$/ {\"\2\", (lt_ptr) \&\2},/p'" - -# Define system-specific variables. -case $host_os in -aix*) - symcode='[[BCDT]]' - ;; -cygwin* | mingw* | pw32*) - symcode='[[ABCDGISTW]]' - ;; -hpux*) # Its linker distinguishes data from code symbols - if test "$host_cpu" = ia64; then - symcode='[[ABCDEGRST]]' - fi - lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'" - lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\) $/ {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/ {\"\2\", (lt_ptr) \&\2},/p'" - ;; -irix* | nonstopux*) - symcode='[[BCDEGRST]]' - ;; -osf*) - symcode='[[BCDEGQRST]]' - ;; -solaris* | sysv5*) - symcode='[[BDRT]]' - ;; -sysv4) - symcode='[[DFNSTU]]' - ;; -esac - -# Handle CRLF in mingw tool chain -opt_cr= -case $build_os in -mingw*) - opt_cr=`echo 'x\{0,1\}' | tr x '\015'` # option cr in regexp - ;; -esac - -# If we're using GNU nm, then use its standard symbol codes. -case `$NM -V 2>&1` in -*GNU* | *'with BFD'*) - symcode='[[ABCDGIRSTW]]' ;; -esac - -# Try without a prefix undercore, then with it. -for ac_symprfx in "" "_"; do - - # Write the raw and C identifiers. - lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[[ ]]\($symcode$symcode*\)[[ ]][[ ]]*\($ac_symprfx\)$sympat$opt_cr$/$symxfrm/p'" - - # Check to see that the pipe works correctly. - pipe_works=no - - rm -f conftest* - cat > conftest.$ac_ext < $nlist) && test -s "$nlist"; then - # Try sorting and uniquifying the output. - if sort "$nlist" | uniq > "$nlist"T; then - mv -f "$nlist"T "$nlist" - else - rm -f "$nlist"T - fi - - # Make sure that we snagged all the symbols we need. 
- if grep ' nm_test_var$' "$nlist" >/dev/null; then - if grep ' nm_test_func$' "$nlist" >/dev/null; then - cat < conftest.$ac_ext -#ifdef __cplusplus -extern "C" { -#endif - -EOF - # Now generate the symbol file. - eval "$lt_cv_sys_global_symbol_to_cdecl"' < "$nlist" | grep -v main >> conftest.$ac_ext' - - cat <> conftest.$ac_ext -#if defined (__STDC__) && __STDC__ -# define lt_ptr_t void * -#else -# define lt_ptr_t char * -# define const -#endif - -/* The mapping between symbol names and symbols. */ -const struct { - const char *name; - lt_ptr_t address; -} -lt_preloaded_symbols[[]] = -{ -EOF - $SED "s/^$symcode$symcode* \(.*\) \(.*\)$/ {\"\2\", (lt_ptr_t) \&\2},/" < "$nlist" | grep -v main >> conftest.$ac_ext - cat <<\EOF >> conftest.$ac_ext - {0, (lt_ptr_t) 0} -}; - -#ifdef __cplusplus -} -#endif -EOF - # Now try linking the two files. - mv conftest.$ac_objext conftstm.$ac_objext - lt_save_LIBS="$LIBS" - lt_save_CFLAGS="$CFLAGS" - LIBS="conftstm.$ac_objext" - CFLAGS="$CFLAGS$_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)" - if AC_TRY_EVAL(ac_link) && test -s conftest${ac_exeext}; then - pipe_works=yes - fi - LIBS="$lt_save_LIBS" - CFLAGS="$lt_save_CFLAGS" - else - echo "cannot find nm_test_func in $nlist" >&AS_MESSAGE_LOG_FD - fi - else - echo "cannot find nm_test_var in $nlist" >&AS_MESSAGE_LOG_FD - fi - else - echo "cannot run $lt_cv_sys_global_symbol_pipe" >&AS_MESSAGE_LOG_FD - fi - else - echo "$progname: failed program was:" >&AS_MESSAGE_LOG_FD - cat conftest.$ac_ext >&5 - fi - rm -f conftest* conftst* - - # Do not use the global_symbol_pipe unless it works. 
- if test "$pipe_works" = yes; then - break - else - lt_cv_sys_global_symbol_pipe= - fi -done -]) -if test -z "$lt_cv_sys_global_symbol_pipe"; then - lt_cv_sys_global_symbol_to_cdecl= -fi -if test -z "$lt_cv_sys_global_symbol_pipe$lt_cv_sys_global_symbol_to_cdecl"; then - AC_MSG_RESULT(failed) -else - AC_MSG_RESULT(ok) -fi -]) # AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE - - -# AC_LIBTOOL_PROG_COMPILER_PIC([TAGNAME]) -# --------------------------------------- -AC_DEFUN([AC_LIBTOOL_PROG_COMPILER_PIC], -[_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)= -_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)= -_LT_AC_TAGVAR(lt_prog_compiler_static, $1)= - -AC_MSG_CHECKING([for $compiler option to produce PIC]) - ifelse([$1],[CXX],[ - # C++ specific cases for pic, static, wl, etc. - if test "$GXX" = yes; then - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static' - - case $host_os in - aix*) - # All AIX code is PIC. - if test "$host_cpu" = ia64; then - # AIX 5 now supports IA64 processor - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' - fi - ;; - amigaos*) - # FIXME: we need at least 68020 code to build shared libraries, but - # adding the `-m68020' flag to GCC prevents building anything better, - # like `-m68040'. - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4' - ;; - beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*) - # PIC is the default for these OSes. - ;; - mingw* | os2* | pw32*) - # This hack is so that the source file can tell whether it is being - # built for inclusion in a dll (and should export symbols for example). 
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT' - ;; - darwin* | rhapsody*) - # PIC is the default on this platform - # Common symbols not allowed in MH_DYLIB files - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common' - ;; - *djgpp*) - # DJGPP does not support shared libraries at all - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)= - ;; - sysv4*MP*) - if test -d /usr/nec; then - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=-Kconform_pic - fi - ;; - hpux*) - # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but - # not for PA HP-UX. - case "$host_cpu" in - hppa*64*|ia64*) - ;; - *) - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' - ;; - esac - ;; - *) - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' - ;; - esac - else - case $host_os in - aix4* | aix5*) - # All AIX code is PIC. - if test "$host_cpu" = ia64; then - # AIX 5 now supports IA64 processor - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' - else - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-bnso -bI:/lib/syscalls.exp' - fi - ;; - chorus*) - case $cc_basename in - cxch68) - # Green Hills C++ Compiler - # _LT_AC_TAGVAR(lt_prog_compiler_static, $1)="--no_auto_instantiation -u __main -u __premain -u _abort -r $COOL_DIR/lib/libOrb.a $MVME_DIR/lib/CC/libC.a $MVME_DIR/lib/classix/libcx.s.a" - ;; - esac - ;; - dgux*) - case $cc_basename in - ec++) - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' - ;; - ghcx) - # Green Hills C++ Compiler - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic' - ;; - *) - ;; - esac - ;; - freebsd* | kfreebsd*-gnu) - # FreeBSD uses GNU C++ - ;; - hpux9* | hpux10* | hpux11*) - case $cc_basename in - CC) - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)="${ac_cv_prog_cc_wl}-a ${ac_cv_prog_cc_wl}archive" - if test "$host_cpu" != ia64; then - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='+Z' - fi - ;; - aCC) - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)="${ac_cv_prog_cc_wl}-a 
${ac_cv_prog_cc_wl}archive" - case "$host_cpu" in - hppa*64*|ia64*) - # +Z the default - ;; - *) - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='+Z' - ;; - esac - ;; - *) - ;; - esac - ;; - irix5* | irix6* | nonstopux*) - case $cc_basename in - CC) - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' - # CC pic flag -KPIC is the default. - ;; - *) - ;; - esac - ;; - linux*) - case $cc_basename in - KCC) - # KAI C++ Compiler - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,' - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' - ;; - icpc) - # Intel C++ - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static' - ;; - cxx) - # Compaq C++ - # Make sure the PIC flag is empty. It appears that all Alpha - # Linux and Compaq Tru64 Unix objects are PIC. - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)= - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' - ;; - *) - ;; - esac - ;; - lynxos*) - ;; - m88k*) - ;; - mvs*) - case $cc_basename in - cxx) - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-W c,exportall' - ;; - *) - ;; - esac - ;; - netbsd*) - ;; - osf3* | osf4* | osf5*) - case $cc_basename in - KCC) - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,' - ;; - RCC) - # Rational C++ 2.4.1 - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic' - ;; - cxx) - # Digital/Compaq C++ - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' - # Make sure the PIC flag is empty. It appears that all Alpha - # Linux and Compaq Tru64 Unix objects are PIC. 
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)= - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' - ;; - *) - ;; - esac - ;; - psos*) - ;; - sco*) - case $cc_basename in - CC) - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' - ;; - *) - ;; - esac - ;; - solaris*) - case $cc_basename in - CC) - # Sun C++ 4.2, 5.x and Centerline C++ - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld ' - ;; - gcx) - # Green Hills C++ Compiler - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-PIC' - ;; - *) - ;; - esac - ;; - sunos4*) - case $cc_basename in - CC) - # Sun C++ 4.x - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic' - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' - ;; - lcc) - # Lucid - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic' - ;; - *) - ;; - esac - ;; - tandem*) - case $cc_basename in - NCC) - # NonStop-UX NCC 3.20 - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' - ;; - *) - ;; - esac - ;; - unixware*) - ;; - vxworks*) - ;; - *) - _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no - ;; - esac - fi -], -[ - if test "$GCC" = yes; then - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static' - - case $host_os in - aix*) - # All AIX code is PIC. - if test "$host_cpu" = ia64; then - # AIX 5 now supports IA64 processor - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' - fi - ;; - - amigaos*) - # FIXME: we need at least 68020 code to build shared libraries, but - # adding the `-m68020' flag to GCC prevents building anything better, - # like `-m68040'. - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4' - ;; - - beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*) - # PIC is the default for these OSes. 
- ;; - - mingw* | pw32* | os2*) - # This hack is so that the source file can tell whether it is being - # built for inclusion in a dll (and should export symbols for example). - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT' - ;; - - darwin* | rhapsody*) - # PIC is the default on this platform - # Common symbols not allowed in MH_DYLIB files - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common' - ;; - - msdosdjgpp*) - # Just because we use GCC doesn't mean we suddenly get shared libraries - # on systems that don't support them. - _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no - enable_shared=no - ;; - - sysv4*MP*) - if test -d /usr/nec; then - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=-Kconform_pic - fi - ;; - - hpux*) - # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but - # not for PA HP-UX. - case "$host_cpu" in - hppa*64*|ia64*) - # +Z the default - ;; - *) - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' - ;; - esac - ;; - - *) - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' - ;; - esac - else - # PORTME Check for flag to pass linker flags through the system compiler. - case $host_os in - aix*) - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' - if test "$host_cpu" = ia64; then - # AIX 5 now supports IA64 processor - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' - else - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-bnso -bI:/lib/syscalls.exp' - fi - ;; - - mingw* | pw32* | os2*) - # This hack is so that the source file can tell whether it is being - # built for inclusion in a dll (and should export symbols for example). - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT' - ;; - - hpux9* | hpux10* | hpux11*) - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' - # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but - # not for PA HP-UX. 
- case "$host_cpu" in - hppa*64*|ia64*) - # +Z the default - ;; - *) - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='+Z' - ;; - esac - # Is there a better lt_prog_compiler_static that works with the bundled CC? - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive' - ;; - - irix5* | irix6* | nonstopux*) - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' - # PIC (with -KPIC) is the default. - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' - ;; - - newsos6) - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' - ;; - - linux*) - case $CC in - icc* | ecc*) - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static' - ;; - ccc*) - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' - # All Alpha code is PIC. - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' - ;; - esac - ;; - - osf3* | osf4* | osf5*) - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' - # All OSF/1 code is PIC. 
- _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' - ;; - - sco3.2v5*) - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-Kpic' - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-dn' - ;; - - solaris*) - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' - ;; - - sunos4*) - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld ' - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-PIC' - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' - ;; - - sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*) - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' - ;; - - sysv4*MP*) - if test -d /usr/nec ;then - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-Kconform_pic' - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' - fi - ;; - - uts4*) - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic' - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' - ;; - - *) - _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no - ;; - esac - fi -]) -AC_MSG_RESULT([$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)]) - -# -# Check to make sure the PIC flag actually works. 
-# -if test -n "$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)"; then - AC_LIBTOOL_COMPILER_OPTION([if $compiler PIC flag $_LT_AC_TAGVAR(lt_prog_compiler_pic, $1) works], - _LT_AC_TAGVAR(lt_prog_compiler_pic_works, $1), - [$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)ifelse([$1],[],[ -DPIC],[ifelse([$1],[CXX],[ -DPIC],[])])], [], - [case $_LT_AC_TAGVAR(lt_prog_compiler_pic, $1) in - "" | " "*) ;; - *) _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=" $_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)" ;; - esac], - [_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)= - _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no]) -fi -case "$host_os" in - # For platforms which do not support PIC, -DPIC is meaningless: - *djgpp*) - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)= - ;; - *) - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)="$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)ifelse([$1],[],[ -DPIC],[ifelse([$1],[CXX],[ -DPIC],[])])" - ;; -esac -]) - - -# AC_LIBTOOL_PROG_LD_SHLIBS([TAGNAME]) -# ------------------------------------ -# See if the linker supports building shared libraries. -AC_DEFUN([AC_LIBTOOL_PROG_LD_SHLIBS], -[AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries]) -ifelse([$1],[CXX],[ - _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols' - case $host_os in - aix4* | aix5*) - # If we're using GNU nm, then we don't want the "-C" option. 
- # -C means demangle to AIX nm, but means don't demangle with GNU nm - if $NM -V 2>&1 | grep 'GNU' > /dev/null; then - _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\[$]2 == "T") || (\[$]2 == "D") || (\[$]2 == "B")) && ([substr](\[$]3,1,1) != ".")) { print \[$]3 } }'\'' | sort -u > $export_symbols' - else - _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\[$]2 == "T") || (\[$]2 == "D") || (\[$]2 == "B")) && ([substr](\[$]3,1,1) != ".")) { print \[$]3 } }'\'' | sort -u > $export_symbols' - fi - ;; - pw32*) - _LT_AC_TAGVAR(export_symbols_cmds, $1)="$ltdll_cmds" - ;; - cygwin* | mingw*) - _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGS]] /s/.* \([[^ ]]*\)/\1 DATA/'\'' | $SED -e '\''/^[[AITW]] /s/.* //'\'' | sort | uniq > $export_symbols' - ;; - *) - _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols' - ;; - esac -],[ - runpath_var= - _LT_AC_TAGVAR(allow_undefined_flag, $1)= - _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=no - _LT_AC_TAGVAR(archive_cmds, $1)= - _LT_AC_TAGVAR(archive_expsym_cmds, $1)= - _LT_AC_TAGVAR(old_archive_From_new_cmds, $1)= - _LT_AC_TAGVAR(old_archive_from_expsyms_cmds, $1)= - _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)= - _LT_AC_TAGVAR(whole_archive_flag_spec, $1)= - _LT_AC_TAGVAR(thread_safe_flag_spec, $1)= - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)= - _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)= - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)= - _LT_AC_TAGVAR(hardcode_direct, $1)=no - _LT_AC_TAGVAR(hardcode_minus_L, $1)=no - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported - _LT_AC_TAGVAR(link_all_deplibs, $1)=unknown - _LT_AC_TAGVAR(hardcode_automatic, $1)=no - _LT_AC_TAGVAR(module_cmds, $1)= - _LT_AC_TAGVAR(module_expsym_cmds, $1)= - _LT_AC_TAGVAR(always_export_symbols, $1)=no - 
_LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols' - # include_expsyms should be a list of space-separated symbols to be *always* - # included in the symbol list - _LT_AC_TAGVAR(include_expsyms, $1)= - # exclude_expsyms can be an extended regexp of symbols to exclude - # it will be wrapped by ` (' and `)$', so one must not match beginning or - # end of line. Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc', - # as well as any symbol that contains `d'. - _LT_AC_TAGVAR(exclude_expsyms, $1)="_GLOBAL_OFFSET_TABLE_" - # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out - # platforms (ab)use it in PIC code, but their linkers get confused if - # the symbol is explicitly referenced. Since portable code cannot - # rely on this symbol name, it's probably fine to never include it in - # preloaded symbol tables. - extract_expsyms_cmds= - - case $host_os in - cygwin* | mingw* | pw32*) - # FIXME: the MSVC++ port hasn't been tested in a loooong time - # When not using gcc, we currently assume that we are using - # Microsoft Visual C++. - if test "$GCC" != yes; then - with_gnu_ld=no - fi - ;; - openbsd*) - with_gnu_ld=no - ;; - esac - - _LT_AC_TAGVAR(ld_shlibs, $1)=yes - if test "$with_gnu_ld" = yes; then - # If archive_cmds runs LD, not CC, wlarc should be empty - wlarc='${wl}' - - # See if GNU ld supports shared libraries. - case $host_os in - aix3* | aix4* | aix5*) - # On AIX/PPC, the GNU linker is very broken - if test "$host_cpu" != ia64; then - _LT_AC_TAGVAR(ld_shlibs, $1)=no - cat <&2 - -*** Warning: the GNU linker, at least up to release 2.9.1, is reported -*** to be unable to reliably create shared libraries on AIX. -*** Therefore, libtool is disabling shared libraries support. If you -*** really care for shared libraries, you may want to modify your PATH -*** so that a non-GNU linker is found, and then restart. 
- -EOF - fi - ;; - - amigaos*) - _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)' - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' - _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes - - # Samuel A. Falvo II reports - # that the semantics of dynamic libraries on AmigaOS, at least up - # to version 4, is to share data among multiple programs linked - # with the same dynamic library. Since this doesn't match the - # behavior of shared libraries on other platforms, we can't use - # them. - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - - beos*) - if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then - _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported - # Joseph Beckenbach says some releases of gcc - # support --undefined. This deserves some investigation. FIXME - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' - else - _LT_AC_TAGVAR(ld_shlibs, $1)=no - fi - ;; - - cygwin* | mingw* | pw32*) - # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless, - # as there is no search path for DLLs. 
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' - _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported - _LT_AC_TAGVAR(always_export_symbols, $1)=no - _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=yes - _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGS]] /s/.* \([[^ ]]*\)/\1 DATA/'\'' | $SED -e '\''/^[[AITW]] /s/.* //'\'' | sort | uniq > $export_symbols' - - if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib' - # If the export-symbols file already is a .def file (1st line - # is EXPORTS), use it as is; otherwise, prepend... - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then - cp $export_symbols $output_objdir/$soname.def; - else - echo EXPORTS > $output_objdir/$soname.def; - cat $export_symbols >> $output_objdir/$soname.def; - fi~ - $CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib' - else - ld_shlibs=no - fi - ;; - - netbsd*) - if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib' - wlarc= - else - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' - fi - ;; - - solaris* | sysv5*) - if $LD -v 2>&1 | grep 'BFD 2\.8' > /dev/null; then - _LT_AC_TAGVAR(ld_shlibs, $1)=no - cat <&2 - -*** Warning: The releases 2.8.* of the GNU linker cannot reliably -*** create shared libraries on Solaris systems. Therefore, libtool -*** is disabling shared libraries support. 
We urge you to upgrade GNU -*** binutils to release 2.9.1 or newer. Another option is to modify -*** your PATH or compiler configuration so that the native linker is -*** used, and then restart. - -EOF - elif $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' - else - _LT_AC_TAGVAR(ld_shlibs, $1)=no - fi - ;; - - sunos4*) - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags' - wlarc= - _LT_AC_TAGVAR(hardcode_direct, $1)=yes - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - ;; - - linux*) - if $LD --help 2>&1 | egrep ': supported targets:.* elf' > /dev/null; then - tmp_archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' - _LT_AC_TAGVAR(archive_cmds, $1)="$tmp_archive_cmds" - supports_anon_versioning=no - case `$LD -v 2>/dev/null` in - *\ [01].* | *\ 2.[[0-9]].* | *\ 2.10.*) ;; # catch versions < 2.11 - *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ... - *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ... 
- *\ 2.11.*) ;; # other 2.11 versions - *) supports_anon_versioning=yes ;; - esac - if test $supports_anon_versioning = yes; then - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $output_objdir/$libname.ver~ -cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~ -$echo "local: *; };" >> $output_objdir/$libname.ver~ - $CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib' - else - _LT_AC_TAGVAR(archive_expsym_cmds, $1)="$tmp_archive_cmds" - fi - else - _LT_AC_TAGVAR(ld_shlibs, $1)=no - fi - ;; - - *) - if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' - else - _LT_AC_TAGVAR(ld_shlibs, $1)=no - fi - ;; - esac - - if test "$_LT_AC_TAGVAR(ld_shlibs, $1)" = yes; then - runpath_var=LD_RUN_PATH - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath ${wl}$libdir' - _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic' - # ancient GNU ld didn't support --whole-archive et. al. 
- if $LD --help 2>&1 | grep 'no-whole-archive' > /dev/null; then - _LT_AC_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive' - else - _LT_AC_TAGVAR(whole_archive_flag_spec, $1)= - fi - fi - else - # PORTME fill in a description of your system's linker (not GNU ld) - case $host_os in - aix3*) - _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported - _LT_AC_TAGVAR(always_export_symbols, $1)=yes - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname' - # Note: this linker hardcodes the directories in LIBPATH if there - # are no directories specified by -L. - _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes - if test "$GCC" = yes && test -z "$link_static_flag"; then - # Neither direct hardcoding nor static linking is supported with a - # broken collect2. - _LT_AC_TAGVAR(hardcode_direct, $1)=unsupported - fi - ;; - - aix4* | aix5*) - if test "$host_cpu" = ia64; then - # On IA64, the linker does run time linking by default, so we don't - # have to do anything special. - aix_use_runtimelinking=no - exp_sym_flag='-Bexport' - no_entry_flag="" - else - # If we're using GNU nm, then we don't want the "-C" option. - # -C means demangle to AIX nm, but means don't demangle with GNU nm - if $NM -V 2>&1 | grep 'GNU' > /dev/null; then - _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\[$]2 == "T") || (\[$]2 == "D") || (\[$]2 == "B")) && ([substr](\[$]3,1,1) != ".")) { print \[$]3 } }'\'' | sort -u > $export_symbols' - else - _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\[$]2 == "T") || (\[$]2 == "D") || (\[$]2 == "B")) && ([substr](\[$]3,1,1) != ".")) { print \[$]3 } }'\'' | sort -u > $export_symbols' - fi - aix_use_runtimelinking=no - - # Test if we are trying to use run time linking or normal - # AIX style linking. 
If -brtl is somewhere in LDFLAGS, we - # need to do runtime linking. - case $host_os in aix4.[[23]]|aix4.[[23]].*|aix5*) - for ld_flag in $LDFLAGS; do - if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then - aix_use_runtimelinking=yes - break - fi - done - esac - - exp_sym_flag='-bexport' - no_entry_flag='-bnoentry' - fi - - # When large executables or shared objects are built, AIX ld can - # have problems creating the table of contents. If linking a library - # or program results in "error TOC overflow" add -mminimal-toc to - # CXXFLAGS/CFLAGS for g++/gcc. In the cases where that is not - # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS. - - _LT_AC_TAGVAR(archive_cmds, $1)='' - _LT_AC_TAGVAR(hardcode_direct, $1)=yes - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=':' - _LT_AC_TAGVAR(link_all_deplibs, $1)=yes - - if test "$GCC" = yes; then - case $host_os in aix4.[012]|aix4.[012].*) - # We only want to do this on AIX 4.2 and lower, the check - # below for broken collect2 doesn't work under 4.3+ - collect2name=`${CC} -print-prog-name=collect2` - if test -f "$collect2name" && \ - strings "$collect2name" | grep resolve_lib_name >/dev/null - then - # We have reworked collect2 - _LT_AC_TAGVAR(hardcode_direct, $1)=yes - else - # We have old collect2 - _LT_AC_TAGVAR(hardcode_direct, $1)=unsupported - # It fails to find uninstalled libraries when the uninstalled - # path is not listed in the libpath. Setting hardcode_minus_L - # to unsupported forces relinking - _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)= - fi - esac - shared_flag='-shared' - else - # not using gcc - if test "$host_cpu" = ia64; then - # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release - # chokes on -Wl,-G. 
The following line is correct: - shared_flag='-G' - else - if test "$aix_use_runtimelinking" = yes; then - shared_flag='${wl}-G' - else - shared_flag='${wl}-bM:SRE' - fi - fi - fi - - # It seems that -bexpall does not export symbols beginning with - # underscore (_), so it is better to generate a list of symbols to export. - _LT_AC_TAGVAR(always_export_symbols, $1)=yes - if test "$aix_use_runtimelinking" = yes; then - # Warning - without using the other runtime loading flags (-brtl), - # -berok will link without error, but may produce a broken library. - _LT_AC_TAGVAR(allow_undefined_flag, $1)='-berok' - # Determine the default libpath from the value encoded in an empty executable. - _LT_AC_SYS_LIBPATH_AIX - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath" - _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols $shared_flag" - else - if test "$host_cpu" = ia64; then - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib' - _LT_AC_TAGVAR(allow_undefined_flag, $1)="-z nodefs" - _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols" - else - # Determine the default libpath from the value encoded in an empty executable. - _LT_AC_SYS_LIBPATH_AIX - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath" - # Warning - without using the other run time loading flags, - # -berok will link without error, but may produce a broken library. 
- _LT_AC_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok' - _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok' - # -bexpall does not export symbols beginning with underscore (_) - _LT_AC_TAGVAR(always_export_symbols, $1)=yes - # Exported symbols can be pulled into shared objects from archives - _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=' ' - _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes - # This is similar to how AIX traditionally builds it's shared libraries. - _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}-bE:$export_symbols ${wl}-bnoentry${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname' - fi - fi - ;; - - amigaos*) - _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)' - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' - _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes - # see comment about different semantics on the GNU ld section - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - - bsdi4*) - _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)=-rdynamic - ;; - - cygwin* | mingw* | pw32*) - # When not using gcc, we currently assume that we are using - # Microsoft Visual C++. - # hardcode_libdir_flag_spec is actually meaningless, as there is - # no search path for DLLs. - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=' ' - _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported - # Tell ltmain to make .lib files, not .a files. - libext=lib - # Tell ltmain to make .dll files, not .so files. - shrext=".dll" - # FIXME: Setting linknames here is a bad hack. 
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | $SED -e '\''s/ -lc$//'\''` -link -dll~linknames=' - # The linker will automatically build a .lib file if we build a DLL. - _LT_AC_TAGVAR(old_archive_From_new_cmds, $1)='true' - # FIXME: Should let the user specify the lib program. - _LT_AC_TAGVAR(old_archive_cmds, $1)='lib /OUT:$oldlib$oldobjs$old_deplibs' - fix_srcfile_path='`cygpath -w "$srcfile"`' - _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=yes - ;; - - darwin* | rhapsody*) - if test "$GXX" = yes ; then - _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no - case "$host_os" in - rhapsody* | darwin1.[[012]]) - _LT_AC_TAGVAR(allow_undefined_flag, $1)='-undefined suppress' - ;; - *) # Darwin 1.3 on - if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then - _LT_AC_TAGVAR(allow_undefined_flag, $1)='-flat_namespace -undefined suppress' - else - case ${MACOSX_DEPLOYMENT_TARGET} in - 10.[[012]]) - _LT_AC_TAGVAR(allow_undefined_flag, $1)='-flat_namespace -undefined suppress' - ;; - 10.*) - _LT_AC_TAGVAR(allow_undefined_flag, $1)='-undefined dynamic_lookup' - ;; - esac - fi - ;; - esac - lt_int_apple_cc_single_mod=no - output_verbose_link_cmd='echo' - if $CC -dumpspecs 2>&1 | grep 'single_module' >/dev/null ; then - lt_int_apple_cc_single_mod=yes - fi - if test "X$lt_int_apple_cc_single_mod" = Xyes ; then - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring' - else - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring' - fi - _LT_AC_TAGVAR(module_cmds, $1)='$CC ${wl}-bind_at_load $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags' - # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in 
older darwin ld's - if test "X$lt_int_apple_cc_single_mod" = Xyes ; then - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' - else - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' - fi - _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' - _LT_AC_TAGVAR(hardcode_direct, $1)=no - _LT_AC_TAGVAR(hardcode_automatic, $1)=yes - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported - _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='-all_load $convenience' - _LT_AC_TAGVAR(link_all_deplibs, $1)=yes - else - _LT_AC_TAGVAR(ld_shlibs, $1)=no - fi - ;; - - dgux*) - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - ;; - - freebsd1*) - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - - # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor - # support. Future versions do this automatically, but an explicit c++rt0.o - # does not break anything, and helps significantly (at the cost of a little - # extra space). 
- freebsd2.2*) - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o' - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' - _LT_AC_TAGVAR(hardcode_direct, $1)=yes - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - ;; - - # Unfortunately, older versions of FreeBSD 2 do not have this feature. - freebsd2*) - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' - _LT_AC_TAGVAR(hardcode_direct, $1)=yes - _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - ;; - - # FreeBSD 3 and greater uses gcc -shared to do shared libraries. - freebsd* | kfreebsd*-gnu) - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -o $lib $libobjs $deplibs $compiler_flags' - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' - _LT_AC_TAGVAR(hardcode_direct, $1)=yes - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - ;; - - hpux9*) - if test "$GCC" = yes; then - _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib' - else - _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib' - fi - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir' - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=: - _LT_AC_TAGVAR(hardcode_direct, $1)=yes - - # hardcode_minus_L: Not really in the search PATH, - # but as the default location of the library. 
- _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes - _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' - ;; - - hpux10* | hpux11*) - if test "$GCC" = yes -a "$with_gnu_ld" = no; then - case "$host_cpu" in - hppa*64*|ia64*) - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags' - ;; - *) - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags' - ;; - esac - else - case "$host_cpu" in - hppa*64*|ia64*) - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -b +h $soname -o $lib $libobjs $deplibs $linker_flags' - ;; - *) - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags' - ;; - esac - fi - if test "$with_gnu_ld" = no; then - case "$host_cpu" in - hppa*64*) - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir' - _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='+b $libdir' - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=: - _LT_AC_TAGVAR(hardcode_direct, $1)=no - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - ;; - ia64*) - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' - _LT_AC_TAGVAR(hardcode_direct, $1)=no - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - - # hardcode_minus_L: Not really in the search PATH, - # but as the default location of the library. - _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes - ;; - *) - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir' - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=: - _LT_AC_TAGVAR(hardcode_direct, $1)=yes - _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' - - # hardcode_minus_L: Not really in the search PATH, - # but as the default location of the library. 
- _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes - ;; - esac - fi - ;; - - irix5* | irix6* | nonstopux*) - if test "$GCC" = yes; then - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' - else - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -shared $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib' - _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='-rpath $libdir' - fi - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=: - _LT_AC_TAGVAR(link_all_deplibs, $1)=yes - ;; - - netbsd*) - if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out - else - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -shared -o $lib $libobjs $deplibs $linker_flags' # ELF - fi - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' - _LT_AC_TAGVAR(hardcode_direct, $1)=yes - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - ;; - - newsos6) - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - _LT_AC_TAGVAR(hardcode_direct, $1)=yes - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=: - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - ;; - - openbsd*) - _LT_AC_TAGVAR(hardcode_direct, $1)=yes - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' - 
_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' - else - case $host_os in - openbsd[[01]].* | openbsd2.[[0-7]] | openbsd2.[[0-7]].*) - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' - ;; - *) - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' - ;; - esac - fi - ;; - - os2*) - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' - _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes - _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported - _LT_AC_TAGVAR(archive_cmds, $1)='$echo "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$echo "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$echo DATA >> $output_objdir/$libname.def~$echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~$echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def' - _LT_AC_TAGVAR(old_archive_From_new_cmds, $1)='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def' - ;; - - osf3*) - if test "$GCC" = yes; then - _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*' - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' - else - _LT_AC_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*' - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib' - fi - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' - 
_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=: - ;; - - osf4* | osf5*) # as osf3* with the addition of -msym flag - if test "$GCC" = yes; then - _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*' - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' - else - _LT_AC_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*' - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; echo "-hidden">> $lib.exp~ - $LD -shared${allow_undefined_flag} -input $lib.exp $linker_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${objdir}/so_locations -o $lib~$rm $lib.exp' - - # Both c and cxx compiler support -rpath directly - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir' - fi - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=: - ;; - - sco3.2v5*) - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-Bexport' - runpath_var=LD_RUN_PATH - hardcode_runpath_var=yes - ;; - - solaris*) - _LT_AC_TAGVAR(no_undefined_flag, $1)=' -z text' - if test "$GCC" = yes; then - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat 
$export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~ - $CC -shared ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$rm $lib.exp' - else - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~ - $LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp' - fi - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - case $host_os in - solaris2.[[0-5]] | solaris2.[[0-5]].*) ;; - *) # Supported since Solaris 2.6 (maybe 2.5.1?) - _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='-z allextract$convenience -z defaultextract' ;; - esac - _LT_AC_TAGVAR(link_all_deplibs, $1)=yes - ;; - - sunos4*) - if test "x$host_vendor" = xsequent; then - # Use $CC to link under sequent, because it throws in some extra .o - # files that make .init and .fini sections work. - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $compiler_flags' - else - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags' - fi - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' - _LT_AC_TAGVAR(hardcode_direct, $1)=yes - _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - ;; - - sysv4) - case $host_vendor in - sni) - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - _LT_AC_TAGVAR(hardcode_direct, $1)=yes # is this really true??? - ;; - siemens) - ## LD is ld it makes a PLAMLIB - ## CC just makes a GrossModule. 
- _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -o $lib $libobjs $deplibs $linker_flags' - _LT_AC_TAGVAR(reload_cmds, $1)='$CC -r -o $output$reload_objs' - _LT_AC_TAGVAR(hardcode_direct, $1)=no - ;; - motorola) - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - _LT_AC_TAGVAR(hardcode_direct, $1)=no #Motorola manual says yes, but my tests say they lie - ;; - esac - runpath_var='LD_RUN_PATH' - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - ;; - - sysv4.3*) - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='-Bexport' - ;; - - sysv4*MP*) - if test -d /usr/nec; then - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - runpath_var=LD_RUN_PATH - hardcode_runpath_var=yes - _LT_AC_TAGVAR(ld_shlibs, $1)=yes - fi - ;; - - sysv4.2uw2*) - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -o $lib $libobjs $deplibs $linker_flags' - _LT_AC_TAGVAR(hardcode_direct, $1)=yes - _LT_AC_TAGVAR(hardcode_minus_L, $1)=no - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - hardcode_runpath_var=yes - runpath_var=LD_RUN_PATH - ;; - - sysv5OpenUNIX8* | sysv5UnixWare7* | sysv5uw[[78]]* | unixware7*) - _LT_AC_TAGVAR(no_undefined_flag, $1)='${wl}-z ${wl}text' - if test "$GCC" = yes; then - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags' - else - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags' - fi - runpath_var='LD_RUN_PATH' - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - ;; - - sysv5*) - _LT_AC_TAGVAR(no_undefined_flag, $1)=' -z text' - # $CC -shared without GNU ld will not create a library from C++ - # object files and a static libstdc++, better avoid it by now - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G${allow_undefined_flag} -h 
$soname -o $lib $libobjs $deplibs $linker_flags' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~ - $LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp' - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)= - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - runpath_var='LD_RUN_PATH' - ;; - - uts4*) - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - ;; - - *) - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - esac - fi -]) -AC_MSG_RESULT([$_LT_AC_TAGVAR(ld_shlibs, $1)]) -test "$_LT_AC_TAGVAR(ld_shlibs, $1)" = no && can_build_shared=no - -variables_saved_for_relink="PATH $shlibpath_var $runpath_var" -if test "$GCC" = yes; then - variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH" -fi - -# -# Do we need to explicitly link libc? -# -case "x$_LT_AC_TAGVAR(archive_cmds_need_lc, $1)" in -x|xyes) - # Assume -lc should be added - _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes - - if test "$enable_shared" = yes && test "$GCC" = yes; then - case $_LT_AC_TAGVAR(archive_cmds, $1) in - *'~'*) - # FIXME: we may have to deal with multi-command sequences. - ;; - '$CC '*) - # Test whether the compiler implicitly links with -lc since on some - # systems, -lgcc has to come before -lc. If gcc already passes -lc - # to ld, don't add -lc before -lgcc. - AC_MSG_CHECKING([whether -lc should be explicitly linked in]) - $rm conftest* - printf "$lt_simple_compile_test_code" > conftest.$ac_ext - - if AC_TRY_EVAL(ac_compile) 2>conftest.err; then - soname=conftest - lib=conftest - libobjs=conftest.$ac_objext - deplibs= - wl=$_LT_AC_TAGVAR(lt_prog_compiler_wl, $1) - compiler_flags=-v - linker_flags=-v - verstring= - output_objdir=. 
- libname=conftest - lt_save_allow_undefined_flag=$_LT_AC_TAGVAR(allow_undefined_flag, $1) - _LT_AC_TAGVAR(allow_undefined_flag, $1)= - if AC_TRY_EVAL(_LT_AC_TAGVAR(archive_cmds, $1) 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1) - then - _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no - else - _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes - fi - _LT_AC_TAGVAR(allow_undefined_flag, $1)=$lt_save_allow_undefined_flag - else - cat conftest.err 1>&5 - fi - $rm conftest* - AC_MSG_RESULT([$_LT_AC_TAGVAR(archive_cmds_need_lc, $1)]) - ;; - esac - fi - ;; -esac -])# AC_LIBTOOL_PROG_LD_SHLIBS - - -# _LT_AC_FILE_LTDLL_C -# ------------------- -# Be careful that the start marker always follows a newline. -AC_DEFUN([_LT_AC_FILE_LTDLL_C], [ -# /* ltdll.c starts here */ -# #define WIN32_LEAN_AND_MEAN -# #include -# #undef WIN32_LEAN_AND_MEAN -# #include -# -# #ifndef __CYGWIN__ -# # ifdef __CYGWIN32__ -# # define __CYGWIN__ __CYGWIN32__ -# # endif -# #endif -# -# #ifdef __cplusplus -# extern "C" { -# #endif -# BOOL APIENTRY DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved); -# #ifdef __cplusplus -# } -# #endif -# -# #ifdef __CYGWIN__ -# #include -# DECLARE_CYGWIN_DLL( DllMain ); -# #endif -# HINSTANCE __hDllInstance_base; -# -# BOOL APIENTRY -# DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved) -# { -# __hDllInstance_base = hInst; -# return TRUE; -# } -# /* ltdll.c ends here */ -])# _LT_AC_FILE_LTDLL_C - - -# _LT_AC_TAGVAR(VARNAME, [TAGNAME]) -# --------------------------------- -AC_DEFUN([_LT_AC_TAGVAR], [ifelse([$2], [], [$1], [$1_$2])]) - - -# old names -AC_DEFUN([AM_PROG_LIBTOOL], [AC_PROG_LIBTOOL]) -AC_DEFUN([AM_ENABLE_SHARED], [AC_ENABLE_SHARED($@)]) -AC_DEFUN([AM_ENABLE_STATIC], [AC_ENABLE_STATIC($@)]) -AC_DEFUN([AM_DISABLE_SHARED], [AC_DISABLE_SHARED($@)]) -AC_DEFUN([AM_DISABLE_STATIC], [AC_DISABLE_STATIC($@)]) -AC_DEFUN([AM_PROG_LD], [AC_PROG_LD]) -AC_DEFUN([AM_PROG_NM], [AC_PROG_NM]) - -# This is just to silence aclocal about the macro not being used 
-ifelse([AC_DISABLE_FAST_INSTALL]) - -AC_DEFUN([LT_AC_PROG_GCJ], -[AC_CHECK_TOOL(GCJ, gcj, no) - test "x${GCJFLAGS+set}" = xset || GCJFLAGS="-g -O2" - AC_SUBST(GCJFLAGS) -]) - -AC_DEFUN([LT_AC_PROG_RC], -[AC_CHECK_TOOL(RC, windres, no) -]) - -# NOTE: This macro has been submitted for inclusion into # -# GNU Autoconf as AC_PROG_SED. When it is available in # -# a released version of Autoconf we should remove this # -# macro and use it instead. # -# LT_AC_PROG_SED -# -------------- -# Check for a fully-functional sed program, that truncates -# as few characters as possible. Prefer GNU sed if found. -AC_DEFUN([LT_AC_PROG_SED], -[AC_MSG_CHECKING([for a sed that does not truncate output]) -AC_CACHE_VAL(lt_cv_path_SED, -[# Loop through the user's path and test for sed and gsed. -# Then use that list of sed's as ones to test for truncation. -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for lt_ac_prog in sed gsed; do - for ac_exec_ext in '' $ac_executable_extensions; do - if $as_executable_p "$as_dir/$lt_ac_prog$ac_exec_ext"; then - lt_ac_sed_list="$lt_ac_sed_list $as_dir/$lt_ac_prog$ac_exec_ext" - fi - done - done -done -lt_ac_max=0 -lt_ac_count=0 -# Add /usr/xpg4/bin/sed as it is typically found on Solaris -# along with /bin/sed that truncates output. -for lt_ac_sed in $lt_ac_sed_list /usr/xpg4/bin/sed; do - test ! -f $lt_ac_sed && break - cat /dev/null > conftest.in - lt_ac_count=0 - echo $ECHO_N "0123456789$ECHO_C" >conftest.in - # Check for GNU sed and select it if it is found. 
- if "$lt_ac_sed" --version 2>&1 < /dev/null | grep 'GNU' > /dev/null; then - lt_cv_path_SED=$lt_ac_sed - break - fi - while true; do - cat conftest.in conftest.in >conftest.tmp - mv conftest.tmp conftest.in - cp conftest.in conftest.nl - echo >>conftest.nl - $lt_ac_sed -e 's/a$//' < conftest.nl >conftest.out || break - cmp -s conftest.out conftest.nl || break - # 10000 chars as input seems more than enough - test $lt_ac_count -gt 10 && break - lt_ac_count=`expr $lt_ac_count + 1` - if test $lt_ac_count -gt $lt_ac_max; then - lt_ac_max=$lt_ac_count - lt_cv_path_SED=$lt_ac_sed - fi - done -done -SED=$lt_cv_path_SED -]) -AC_MSG_RESULT([$SED]) -]) - -# -*- Autoconf -*- -# Copyright (C) 2002, 2003 Free Software Foundation, Inc. -# Generated from amversion.in; do not edit by hand. - -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2, or (at your option) -# any later version. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. - -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA - -# AM_AUTOMAKE_VERSION(VERSION) -# ---------------------------- -# Automake X.Y traces this macro to ensure aclocal.m4 has been -# generated from the m4 files accompanying Automake X.Y. -AC_DEFUN([AM_AUTOMAKE_VERSION], [am__api_version="1.8"]) - -# AM_SET_CURRENT_AUTOMAKE_VERSION -# ------------------------------- -# Call AM_AUTOMAKE_VERSION so it can be traced. -# This function is AC_REQUIREd by AC_INIT_AUTOMAKE. 
-AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION], - [AM_AUTOMAKE_VERSION([1.8.3])]) - -# AM_AUX_DIR_EXPAND - -# Copyright (C) 2001, 2003 Free Software Foundation, Inc. - -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2, or (at your option) -# any later version. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. - -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA -# 02111-1307, USA. - -# For projects using AC_CONFIG_AUX_DIR([foo]), Autoconf sets -# $ac_aux_dir to `$srcdir/foo'. In other projects, it is set to -# `$srcdir', `$srcdir/..', or `$srcdir/../..'. -# -# Of course, Automake must honor this variable whenever it calls a -# tool from the auxiliary directory. The problem is that $srcdir (and -# therefore $ac_aux_dir as well) can be either absolute or relative, -# depending on how configure is run. This is pretty annoying, since -# it makes $ac_aux_dir quite unusable in subdirectories: in the top -# source directory, any form will work fine, but in subdirectories a -# relative path needs to be adjusted first. -# -# $ac_aux_dir/missing -# fails when called from a subdirectory if $ac_aux_dir is relative -# $top_srcdir/$ac_aux_dir/missing -# fails if $ac_aux_dir is absolute, -# fails when called from a subdirectory in a VPATH build with -# a relative $ac_aux_dir -# -# The reason of the latter failure is that $top_srcdir and $ac_aux_dir -# are both prefixed by $srcdir. 
In an in-source build this is usually -# harmless because $srcdir is `.', but things will broke when you -# start a VPATH build or use an absolute $srcdir. -# -# So we could use something similar to $top_srcdir/$ac_aux_dir/missing, -# iff we strip the leading $srcdir from $ac_aux_dir. That would be: -# am_aux_dir='\$(top_srcdir)/'`expr "$ac_aux_dir" : "$srcdir//*\(.*\)"` -# and then we would define $MISSING as -# MISSING="\${SHELL} $am_aux_dir/missing" -# This will work as long as MISSING is not called from configure, because -# unfortunately $(top_srcdir) has no meaning in configure. -# However there are other variables, like CC, which are often used in -# configure, and could therefore not use this "fixed" $ac_aux_dir. -# -# Another solution, used here, is to always expand $ac_aux_dir to an -# absolute PATH. The drawback is that using absolute paths prevent a -# configured tree to be moved without reconfiguration. - -AC_DEFUN([AM_AUX_DIR_EXPAND], -[dnl Rely on autoconf to set up CDPATH properly. -AC_PREREQ([2.50])dnl -# expand $ac_aux_dir to an absolute path -am_aux_dir=`cd $ac_aux_dir && pwd` -]) - -# AM_CONDITIONAL -*- Autoconf -*- - -# Copyright (C) 1997, 2000, 2001, 2003 Free Software Foundation, Inc. - -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2, or (at your option) -# any later version. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. - -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA -# 02111-1307, USA. 
- -# serial 6 - -# AM_CONDITIONAL(NAME, SHELL-CONDITION) -# ------------------------------------- -# Define a conditional. -AC_DEFUN([AM_CONDITIONAL], -[AC_PREREQ(2.52)dnl - ifelse([$1], [TRUE], [AC_FATAL([$0: invalid condition: $1])], - [$1], [FALSE], [AC_FATAL([$0: invalid condition: $1])])dnl -AC_SUBST([$1_TRUE]) -AC_SUBST([$1_FALSE]) -if $2; then - $1_TRUE= - $1_FALSE='#' -else - $1_TRUE='#' - $1_FALSE= -fi -AC_CONFIG_COMMANDS_PRE( -[if test -z "${$1_TRUE}" && test -z "${$1_FALSE}"; then - AC_MSG_ERROR([conditional "$1" was never defined. -Usually this means the macro was only invoked conditionally.]) -fi])]) - -# Like AC_CONFIG_HEADER, but automatically create stamp file. -*- Autoconf -*- - -# Copyright (C) 1996, 1997, 2000, 2001, 2003 Free Software Foundation, Inc. - -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2, or (at your option) -# any later version. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. - -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA -# 02111-1307, USA. - -# serial 7 - -# AM_CONFIG_HEADER is obsolete. It has been replaced by AC_CONFIG_HEADERS. -AU_DEFUN([AM_CONFIG_HEADER], [AC_CONFIG_HEADERS($@)]) - -# Do all the work for Automake. -*- Autoconf -*- - -# This macro actually does too much some checks are only needed if -# your package does certain things. But this isn't really a big deal. - -# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003 -# Free Software Foundation, Inc. 
- -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2, or (at your option) -# any later version. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. - -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA -# 02111-1307, USA. - -# serial 11 - -# AM_INIT_AUTOMAKE(PACKAGE, VERSION, [NO-DEFINE]) -# AM_INIT_AUTOMAKE([OPTIONS]) -# ----------------------------------------------- -# The call with PACKAGE and VERSION arguments is the old style -# call (pre autoconf-2.50), which is being phased out. PACKAGE -# and VERSION should now be passed to AC_INIT and removed from -# the call to AM_INIT_AUTOMAKE. -# We support both call styles for the transition. After -# the next Automake release, Autoconf can make the AC_INIT -# arguments mandatory, and then we can depend on a new Autoconf -# release and drop the old call support. -AC_DEFUN([AM_INIT_AUTOMAKE], -[AC_PREREQ([2.58])dnl -dnl Autoconf wants to disallow AM_ names. We explicitly allow -dnl the ones we care about. 
-m4_pattern_allow([^AM_[A-Z]+FLAGS$])dnl -AC_REQUIRE([AM_SET_CURRENT_AUTOMAKE_VERSION])dnl -AC_REQUIRE([AC_PROG_INSTALL])dnl -# test to see if srcdir already configured -if test "`cd $srcdir && pwd`" != "`pwd`" && - test -f $srcdir/config.status; then - AC_MSG_ERROR([source directory already configured; run "make distclean" there first]) -fi - -# test whether we have cygpath -if test -z "$CYGPATH_W"; then - if (cygpath --version) >/dev/null 2>/dev/null; then - CYGPATH_W='cygpath -w' - else - CYGPATH_W=echo - fi -fi -AC_SUBST([CYGPATH_W]) - -# Define the identity of the package. -dnl Distinguish between old-style and new-style calls. -m4_ifval([$2], -[m4_ifval([$3], [_AM_SET_OPTION([no-define])])dnl - AC_SUBST([PACKAGE], [$1])dnl - AC_SUBST([VERSION], [$2])], -[_AM_SET_OPTIONS([$1])dnl - AC_SUBST([PACKAGE], ['AC_PACKAGE_TARNAME'])dnl - AC_SUBST([VERSION], ['AC_PACKAGE_VERSION'])])dnl - -_AM_IF_OPTION([no-define],, -[AC_DEFINE_UNQUOTED(PACKAGE, "$PACKAGE", [Name of package]) - AC_DEFINE_UNQUOTED(VERSION, "$VERSION", [Version number of package])])dnl - -# Some tools Automake needs. -AC_REQUIRE([AM_SANITY_CHECK])dnl -AC_REQUIRE([AC_ARG_PROGRAM])dnl -AM_MISSING_PROG(ACLOCAL, aclocal-${am__api_version}) -AM_MISSING_PROG(AUTOCONF, autoconf) -AM_MISSING_PROG(AUTOMAKE, automake-${am__api_version}) -AM_MISSING_PROG(AUTOHEADER, autoheader) -AM_MISSING_PROG(MAKEINFO, makeinfo) -AM_MISSING_PROG(AMTAR, tar) -AM_PROG_INSTALL_SH -AM_PROG_INSTALL_STRIP -AC_REQUIRE([AM_PROG_MKDIR_P])dnl -# We need awk for the "check" target. The system "awk" is bad on -# some platforms. 
-AC_REQUIRE([AC_PROG_AWK])dnl -AC_REQUIRE([AC_PROG_MAKE_SET])dnl -AC_REQUIRE([AM_SET_LEADING_DOT])dnl - -_AM_IF_OPTION([no-dependencies],, -[AC_PROVIDE_IFELSE([AC_PROG_CC], - [_AM_DEPENDENCIES(CC)], - [define([AC_PROG_CC], - defn([AC_PROG_CC])[_AM_DEPENDENCIES(CC)])])dnl -AC_PROVIDE_IFELSE([AC_PROG_CXX], - [_AM_DEPENDENCIES(CXX)], - [define([AC_PROG_CXX], - defn([AC_PROG_CXX])[_AM_DEPENDENCIES(CXX)])])dnl -]) -]) - - -# When config.status generates a header, we must update the stamp-h file. -# This file resides in the same directory as the config header -# that is generated. The stamp files are numbered to have different names. - -# Autoconf calls _AC_AM_CONFIG_HEADER_HOOK (when defined) in the -# loop where config.status creates the headers, so we can generate -# our stamp files there. -AC_DEFUN([_AC_AM_CONFIG_HEADER_HOOK], -[# Compute $1's index in $config_headers. -_am_stamp_count=1 -for _am_header in $config_headers :; do - case $_am_header in - $1 | $1:* ) - break ;; - * ) - _am_stamp_count=`expr $_am_stamp_count + 1` ;; - esac -done -echo "timestamp for $1" >`AS_DIRNAME([$1])`/stamp-h[]$_am_stamp_count]) - -# AM_PROG_INSTALL_SH -# ------------------ -# Define $install_sh. - -# Copyright (C) 2001, 2003 Free Software Foundation, Inc. - -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2, or (at your option) -# any later version. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. - -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA -# 02111-1307, USA. 
- -AC_DEFUN([AM_PROG_INSTALL_SH], -[AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl -install_sh=${install_sh-"$am_aux_dir/install-sh"} -AC_SUBST(install_sh)]) - -# -*- Autoconf -*- -# Copyright (C) 2003 Free Software Foundation, Inc. - -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2, or (at your option) -# any later version. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. - -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA -# 02111-1307, USA. - -# serial 1 - -# Check whether the underlying file-system supports filenames -# with a leading dot. For instance MS-DOS doesn't. -AC_DEFUN([AM_SET_LEADING_DOT], -[rm -rf .tst 2>/dev/null -mkdir .tst 2>/dev/null -if test -d .tst; then - am__leading_dot=. -else - am__leading_dot=_ -fi -rmdir .tst 2>/dev/null -AC_SUBST([am__leading_dot])]) - - -# Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003 -# Free Software Foundation, Inc. - -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2, or (at your option) -# any later version. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. 
- -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA -# 02111-1307, USA. - -# serial 4 - -# AM_PROG_LEX -# ----------- -# Autoconf leaves LEX=: if lex or flex can't be found. Change that to a -# "missing" invocation, for better error output. -AC_DEFUN([AM_PROG_LEX], -[AC_PREREQ(2.50)dnl -AC_REQUIRE([AM_MISSING_HAS_RUN])dnl -AC_REQUIRE([AC_PROG_LEX])dnl -if test "$LEX" = :; then - LEX=${am_missing_run}flex -fi]) - -# Add --enable-maintainer-mode option to configure. -# From Jim Meyering - -# Copyright (C) 1996, 1998, 2000, 2001, 2002, 2003, 2004 -# Free Software Foundation, Inc. - -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2, or (at your option) -# any later version. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. - -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA -# 02111-1307, USA. 
- -# serial 3 - -AC_DEFUN([AM_MAINTAINER_MODE], -[AC_MSG_CHECKING([whether to enable maintainer-specific portions of Makefiles]) - dnl maintainer-mode is disabled by default - AC_ARG_ENABLE(maintainer-mode, -[ --enable-maintainer-mode enable make rules and dependencies not useful - (and sometimes confusing) to the casual installer], - USE_MAINTAINER_MODE=$enableval, - USE_MAINTAINER_MODE=no) - AC_MSG_RESULT([$USE_MAINTAINER_MODE]) - AM_CONDITIONAL(MAINTAINER_MODE, [test $USE_MAINTAINER_MODE = yes]) - MAINT=$MAINTAINER_MODE_TRUE - AC_SUBST(MAINT)dnl -] -) - -AU_DEFUN([jm_MAINTAINER_MODE], [AM_MAINTAINER_MODE]) - -# -*- Autoconf -*- - - -# Copyright (C) 1997, 1999, 2000, 2001, 2003 Free Software Foundation, Inc. - -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2, or (at your option) -# any later version. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. - -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA -# 02111-1307, USA. - -# serial 3 - -# AM_MISSING_PROG(NAME, PROGRAM) -# ------------------------------ -AC_DEFUN([AM_MISSING_PROG], -[AC_REQUIRE([AM_MISSING_HAS_RUN]) -$1=${$1-"${am_missing_run}$2"} -AC_SUBST($1)]) - - -# AM_MISSING_HAS_RUN -# ------------------ -# Define MISSING if not defined so far and test if it supports --run. -# If it does, set am_missing_run to use it, otherwise, to nothing. 
-AC_DEFUN([AM_MISSING_HAS_RUN], -[AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl -test x"${MISSING+set}" = xset || MISSING="\${SHELL} $am_aux_dir/missing" -# Use eval to expand $SHELL -if eval "$MISSING --run true"; then - am_missing_run="$MISSING --run " -else - am_missing_run= - AC_MSG_WARN([`missing' script is too old or missing]) -fi -]) - -# AM_PROG_MKDIR_P -# --------------- -# Check whether `mkdir -p' is supported, fallback to mkinstalldirs otherwise. - -# Copyright (C) 2003, 2004 Free Software Foundation, Inc. - -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2, or (at your option) -# any later version. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. - -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA -# 02111-1307, USA. - -# Automake 1.8 used `mkdir -m 0755 -p --' to ensure that directories -# created by `make install' are always world readable, even if the -# installer happens to have an overly restrictive umask (e.g. 077). -# This was a mistake. There are at least two reasons why we must not -# use `-m 0755': -# - it causes special bits like SGID to be ignored, -# - it may be too restrictive (some setups expect 775 directories). -# -# Do not use -m 0755 and let people choose whatever they expect by -# setting umask. -# -# We cannot accept any implementation of `mkdir' that recognizes `-p'. 
-# Some implementations (such as Solaris 8's) are not thread-safe: if a -# parallel make tries to run `mkdir -p a/b' and `mkdir -p a/c' -# concurrently, both version can detect that a/ is missing, but only -# one can create it and the other will error out. Consequently we -# restrict ourselves to GNU make (using the --version option ensures -# this.) -AC_DEFUN([AM_PROG_MKDIR_P], -[if mkdir -p --version . >/dev/null 2>&1 && test ! -d ./--version; then - # Keeping the `.' argument allows $(mkdir_p) to be used without - # argument. Indeed, we sometimes output rules like - # $(mkdir_p) $(somedir) - # where $(somedir) is conditionally defined. - # (`test -n '$(somedir)' && $(mkdir_p) $(somedir)' is a more - # expensive solution, as it forces Make to start a sub-shell.) - mkdir_p='mkdir -p -- .' -else - # On NextStep and OpenStep, the `mkdir' command does not - # recognize any option. It will interpret all options as - # directories to create, and then abort because `.' already - # exists. - for d in ./-p ./--version; - do - test -d $d && rmdir $d - done - # $(mkinstalldirs) is defined by Automake if mkinstalldirs exists. - if test -f "$ac_aux_dir/mkinstalldirs"; then - mkdir_p='$(mkinstalldirs)' - else - mkdir_p='$(install_sh) -d' - fi -fi -AC_SUBST([mkdir_p])]) - -# Helper functions for option handling. -*- Autoconf -*- - -# Copyright (C) 2001, 2002, 2003 Free Software Foundation, Inc. - -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2, or (at your option) -# any later version. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. 
- -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA -# 02111-1307, USA. - -# serial 2 - -# _AM_MANGLE_OPTION(NAME) -# ----------------------- -AC_DEFUN([_AM_MANGLE_OPTION], -[[_AM_OPTION_]m4_bpatsubst($1, [[^a-zA-Z0-9_]], [_])]) - -# _AM_SET_OPTION(NAME) -# ------------------------------ -# Set option NAME. Presently that only means defining a flag for this option. -AC_DEFUN([_AM_SET_OPTION], -[m4_define(_AM_MANGLE_OPTION([$1]), 1)]) - -# _AM_SET_OPTIONS(OPTIONS) -# ---------------------------------- -# OPTIONS is a space-separated list of Automake options. -AC_DEFUN([_AM_SET_OPTIONS], -[AC_FOREACH([_AM_Option], [$1], [_AM_SET_OPTION(_AM_Option)])]) - -# _AM_IF_OPTION(OPTION, IF-SET, [IF-NOT-SET]) -# ------------------------------------------- -# Execute IF-SET if OPTION is set, IF-NOT-SET otherwise. -AC_DEFUN([_AM_IF_OPTION], -[m4_ifset(_AM_MANGLE_OPTION([$1]), [$2], [$3])]) - -# -# Check to make sure that the build environment is sane. -# - -# Copyright (C) 1996, 1997, 2000, 2001, 2003 Free Software Foundation, Inc. - -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2, or (at your option) -# any later version. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. - -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA -# 02111-1307, USA. 
- -# serial 3 - -# AM_SANITY_CHECK -# --------------- -AC_DEFUN([AM_SANITY_CHECK], -[AC_MSG_CHECKING([whether build environment is sane]) -# Just in case -sleep 1 -echo timestamp > conftest.file -# Do `set' in a subshell so we don't clobber the current shell's -# arguments. Must try -L first in case configure is actually a -# symlink; some systems play weird games with the mod time of symlinks -# (eg FreeBSD returns the mod time of the symlink's containing -# directory). -if ( - set X `ls -Lt $srcdir/configure conftest.file 2> /dev/null` - if test "$[*]" = "X"; then - # -L didn't work. - set X `ls -t $srcdir/configure conftest.file` - fi - rm -f conftest.file - if test "$[*]" != "X $srcdir/configure conftest.file" \ - && test "$[*]" != "X conftest.file $srcdir/configure"; then - - # If neither matched, then we have a broken ls. This can happen - # if, for instance, CONFIG_SHELL is bash and it inherits a - # broken ls alias from the environment. This has actually - # happened. Such a system could not be considered "sane". - AC_MSG_ERROR([ls -t appears to fail. Make sure there is not a broken -alias in your environment]) - fi - - test "$[2]" = conftest.file - ) -then - # Ok. - : -else - AC_MSG_ERROR([newly created file is older than distributed files! -Check your system clock]) -fi -AC_MSG_RESULT(yes)]) - -# AM_PROG_INSTALL_STRIP - -# Copyright (C) 2001, 2003 Free Software Foundation, Inc. - -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2, or (at your option) -# any later version. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. 
- -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA -# 02111-1307, USA. - -# One issue with vendor `install' (even GNU) is that you can't -# specify the program used to strip binaries. This is especially -# annoying in cross-compiling environments, where the build's strip -# is unlikely to handle the host's binaries. -# Fortunately install-sh will honor a STRIPPROG variable, so we -# always use install-sh in `make install-strip', and initialize -# STRIPPROG with the value of the STRIP variable (set by the user). -AC_DEFUN([AM_PROG_INSTALL_STRIP], -[AC_REQUIRE([AM_PROG_INSTALL_SH])dnl -# Installed binaries are usually stripped using `strip' when the user -# run `make install-strip'. However `strip' might not be the right -# tool to use in cross-compilation environments, therefore Automake -# will honor the `STRIP' environment variable to overrule this program. -dnl Don't test for $cross_compiling = yes, because it might be `maybe'. 
-if test "$cross_compiling" != no; then - AC_CHECK_TOOL([STRIP], [strip], :) -fi -INSTALL_STRIP_PROGRAM="\${SHELL} \$(install_sh) -c -s" -AC_SUBST([INSTALL_STRIP_PROGRAM])]) - -m4_include([cf/aix.m4]) -m4_include([cf/auth-modules.m4]) -m4_include([cf/broken-getaddrinfo.m4]) -m4_include([cf/broken-getnameinfo.m4]) -m4_include([cf/broken-glob.m4]) -m4_include([cf/broken-realloc.m4]) -m4_include([cf/broken-snprintf.m4]) -m4_include([cf/broken.m4]) -m4_include([cf/broken2.m4]) -m4_include([cf/c-attribute.m4]) -m4_include([cf/capabilities.m4]) -m4_include([cf/check-compile-et.m4]) -m4_include([cf/check-declaration.m4]) -m4_include([cf/check-getpwnam_r-posix.m4]) -m4_include([cf/check-man.m4]) -m4_include([cf/check-netinet-ip-and-tcp.m4]) -m4_include([cf/check-type-extra.m4]) -m4_include([cf/check-var.m4]) -m4_include([cf/check-x.m4]) -m4_include([cf/check-xau.m4]) -m4_include([cf/crypto.m4]) -m4_include([cf/db.m4]) -m4_include([cf/destdirs.m4]) -m4_include([cf/dlopen.m4]) -m4_include([cf/find-func-no-libs.m4]) -m4_include([cf/find-func-no-libs2.m4]) -m4_include([cf/find-func.m4]) -m4_include([cf/find-if-not-broken.m4]) -m4_include([cf/have-struct-field.m4]) -m4_include([cf/have-type.m4]) -m4_include([cf/irix.m4]) -m4_include([cf/krb-bigendian.m4]) -m4_include([cf/krb-func-getlogin.m4]) -m4_include([cf/krb-ipv6.m4]) -m4_include([cf/krb-prog-ln-s.m4]) -m4_include([cf/krb-readline.m4]) -m4_include([cf/krb-struct-spwd.m4]) -m4_include([cf/krb-struct-winsize.m4]) -m4_include([cf/mips-abi.m4]) -m4_include([cf/misc.m4]) -m4_include([cf/need-proto.m4]) -m4_include([cf/osfc2.m4]) -m4_include([cf/otp.m4]) -m4_include([cf/proto-compat.m4]) -m4_include([cf/retsigtype.m4]) -m4_include([cf/roken-frag.m4]) -m4_include([cf/sunos.m4]) -m4_include([cf/telnet.m4]) -m4_include([cf/test-package.m4]) -m4_include([cf/wflags.m4]) -m4_include([cf/with-all.m4]) 
diff --git a/crypto/heimdal-0.6.3/admin/Makefile.am b/crypto/heimdal-0.6.3/admin/Makefile.am
deleted file mode 100644
index 81aa47f1f1..0000000000
--- a/crypto/heimdal-0.6.3/admin/Makefile.am
+++ /dev/null
@@ -1,29 +0,0 @@
-# $Id: Makefile.am,v 1.35 2001/08/28 08:31:19 assar Exp $
-
-include $(top_srcdir)/Makefile.am.common
-
-INCLUDES += $(INCLUDE_readline) $(INCLUDE_des)
-
-man_MANS = ktutil.8
-
-sbin_PROGRAMS = ktutil
-
-ktutil_SOURCES = \
- add.c \
- change.c \
- copy.c \
- get.c \
- ktutil.c \
- list.c \
- purge.c \
- remove.c \
- rename.c
-
-LDADD = \
- $(top_builddir)/lib/kadm5/libkadm5clnt.la \
- $(top_builddir)/lib/krb5/libkrb5.la \
- $(LIB_des) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/sl/libsl.la \
- $(LIB_readline) \
- $(LIB_roken)
diff --git a/crypto/heimdal-0.6.3/admin/Makefile.in b/crypto/heimdal-0.6.3/admin/Makefile.in
deleted file mode 100644
index 024a9a7188..0000000000
--- a/crypto/heimdal-0.6.3/admin/Makefile.in
+++ /dev/null
@@ -1,831 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.35 2001/08/28 08:31:19 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - -SOURCES = $(ktutil_SOURCES) - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = .. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ - $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common -sbin_PROGRAMS = ktutil$(EXEEXT) -subdir = admin -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - 
$(top_srcdir)/cf/krb-struct-spwd.m4 \ - $(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)" -sbinPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -PROGRAMS = $(sbin_PROGRAMS) -am_ktutil_OBJECTS = add.$(OBJEXT) change.$(OBJEXT) copy.$(OBJEXT) \ - get.$(OBJEXT) ktutil.$(OBJEXT) list.$(OBJEXT) purge.$(OBJEXT) \ - remove.$(OBJEXT) rename.$(OBJEXT) -ktutil_OBJECTS = $(am_ktutil_OBJECTS) -ktutil_LDADD = $(LDADD) -am__DEPENDENCIES_1 = -ktutil_DEPENDENCIES = $(top_builddir)/lib/kadm5/libkadm5clnt.la \ - $(top_builddir)/lib/krb5/libkrb5.la $(am__DEPENDENCIES_1) \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(top_builddir)/lib/sl/libsl.la $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -SOURCES = $(ktutil_SOURCES) -DIST_SOURCES = $(ktutil_SOURCES) -man8dir = $(mandir)/man8 -MANS = $(man_MANS) -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ 
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ 
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = 
@dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_readline) $(INCLUDE_des) -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -man_MANS = ktutil.8 -ktutil_SOURCES = \ - add.c \ - change.c \ 
- copy.c \ - get.c \ - ktutil.c \ - list.c \ - purge.c \ - remove.c \ - rename.c - -LDADD = \ - $(top_builddir)/lib/kadm5/libkadm5clnt.la \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(LIB_des) \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(top_builddir)/lib/sl/libsl.la \ - $(LIB_readline) \ - $(LIB_roken) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps admin/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps admin/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' 
in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -install-sbinPROGRAMS: $(sbin_PROGRAMS) - @$(NORMAL_INSTALL) - test -z "$(sbindir)" || $(mkdir_p) "$(DESTDIR)$(sbindir)" - @list='$(sbin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(sbinPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(sbindir)/$$f'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(sbinPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(sbindir)/$$f" || exit 1; \ - else :; fi; \ - done - -uninstall-sbinPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(sbin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f '$(DESTDIR)$(sbindir)/$$f'"; \ - rm -f "$(DESTDIR)$(sbindir)/$$f"; \ - done - -clean-sbinPROGRAMS: - @list='$(sbin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -ktutil$(EXEEXT): $(ktutil_OBJECTS) $(ktutil_DEPENDENCIES) - @rm -f ktutil$(EXEEXT) - $(LINK) $(ktutil_LDFLAGS) $(ktutil_OBJECTS) $(ktutil_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c $< - -.c.obj: 
- $(COMPILE) -c `$(CYGPATH_W) '$<'` - -.c.lo: - $(LTCOMPILE) -c -o $@ $< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -install-man8: $(man8_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - test -z "$(man8dir)" || $(mkdir_p) "$(DESTDIR)$(man8dir)" - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ - done -uninstall-man8: - @$(NORMAL_UNINSTALL) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ - rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ - done - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) 
$(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/.. 
$(distdir)/../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) $(MANS) all-local -installdirs: - for dir in "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to 
rebuild." -clean: clean-am - -clean-am: clean-generic clean-libtool clean-sbinPROGRAMS \ - mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: install-man - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: install-sbinPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man8 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-info-am uninstall-man uninstall-sbinPROGRAMS - -uninstall-man: uninstall-man8 - -.PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \ - clean clean-generic clean-libtool clean-sbinPROGRAMS ctags \ - distclean distclean-compile distclean-generic \ - distclean-libtool distclean-tags distdir dvi dvi-am html \ - html-am info info-am install install-am install-data \ - install-data-am install-exec install-exec-am install-info \ - install-info-am install-man install-man8 install-sbinPROGRAMS \ - install-strip installcheck installcheck-am installdirs \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ - pdf pdf-am ps ps-am tags uninstall uninstall-am \ - uninstall-info-am uninstall-man uninstall-man8 \ - uninstall-sbinPROGRAMS - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - 
-install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > 
$(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal-0.6.3/admin/add.c b/crypto/heimdal-0.6.3/admin/add.c deleted file mode 100644 index a6003800c9..0000000000 --- a/crypto/heimdal-0.6.3/admin/add.c +++ /dev/null 
@@ -1,155 +0,0 @@
-/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "ktutil_locl.h"
-
-RCSID("$Id: add.c,v 1.5 2002/09/10 19:26:52 joda Exp $");
-
-int
-kt_add(int argc, char **argv)
-{
- krb5_error_code ret;
- krb5_keytab keytab;
- krb5_keytab_entry entry;
- char buf[128];
- char *principal_string = NULL;
- int kvno = -1;
- char *enctype_string = NULL;
- krb5_enctype enctype;
- char *password_string = NULL;
- int salt_flag = 1;
- int random_flag = 0;
- int help_flag = 0;
- struct getargs args[] = {
- { "principal", 'p', arg_string, NULL, "principal of key", "principal"},
- { "kvno", 'V', arg_integer, NULL, "key version of key" },
- { "enctype", 'e', arg_string, NULL, "encryption type of key" },
- { "password", 'w', arg_string, NULL, "password for key"},
- { "salt", 's', arg_negative_flag, NULL, "no salt" },
- { "random", 'r', arg_flag, NULL, "generate random key" },
- { "help", 'h', arg_flag, NULL }
- };
- int num_args = sizeof(args) / sizeof(args[0]);
- int optind = 0;
- int i = 0;
- args[i++].value = &principal_string;
- args[i++].value = &kvno;
- args[i++].value = &enctype_string;
- args[i++].value = &password_string;
- args[i++].value = &salt_flag;
- args[i++].value = &random_flag;
- args[i++].value = &help_flag;
-
- if(getarg(args, num_args, argc, argv, &optind)) {
- arg_printusage(args, num_args, "ktutil add", "");
- return 1;
- }
- if(help_flag) {
- arg_printusage(args, num_args, "ktutil add", "");
- return 1;
- }
- if((keytab = ktutil_open_keytab()) == NULL)
- return 1;
-
- memset(&entry, 0, sizeof(entry));
- if(principal_string == NULL) {
- printf("Principal: ");
- if (fgets(buf, sizeof(buf), stdin) == NULL)
- return 1;
- buf[strcspn(buf, "\r\n")] = '\0';
- principal_string = buf;
- }
- ret = krb5_parse_name(context, principal_string, &entry.principal);
- if(ret) {
- krb5_warn(context, ret, "%s", principal_string);
- goto out;
- }
- if(enctype_string == NULL) {
- printf("Encryption type: ");
- if (fgets(buf, sizeof(buf), stdin) == NULL)
- goto out;
- buf[strcspn(buf, "\r\n")] = '\0';
- enctype_string = buf;
- }
- ret = krb5_string_to_enctype(context, enctype_string, &enctype);
- if(ret) {
- int t;
- if(sscanf(enctype_string, "%d", &t) == 1)
- enctype = t;
- else {
- krb5_warn(context, ret, "%s", enctype_string);
- goto out;
- }
- }
- if(kvno == -1) {
- printf("Key version: ");
- if (fgets(buf, sizeof(buf), stdin) == NULL)
- goto out;
- buf[strcspn(buf, "\r\n")] = '\0';
- kvno = atoi(buf);
- }
- if(password_string == NULL && random_flag == 0) {
- if(des_read_pw_string(buf, sizeof(buf), "Password: ", 1))
- goto out;
- password_string = buf;
- }
- if(password_string) {
- if (!salt_flag) {
- krb5_salt salt;
- krb5_data pw;
-
- salt.salttype = KRB5_PW_SALT;
- salt.saltvalue.data = NULL;
- salt.saltvalue.length = 0;
- pw.data = (void*)password_string;
- pw.length = strlen(password_string);
- krb5_string_to_key_data_salt(context, enctype, pw, salt,
- &entry.keyblock);
- } else {
- krb5_string_to_key(context, enctype, password_string,
- entry.principal, &entry.keyblock);
- }
- memset (password_string, 0, strlen(password_string));
- } else {
- krb5_generate_random_keyblock(context, enctype, &entry.keyblock);
- }
- entry.vno = kvno;
- entry.timestamp = time (NULL);
- ret = krb5_kt_add_entry(context, keytab, &entry);
- if(ret)
- krb5_warn(context, ret, "add");
- out:
- krb5_kt_free_entry(context, &entry);
- krb5_kt_close(context, keytab);
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/admin/change.c b/crypto/heimdal-0.6.3/admin/change.c
deleted file mode 100644
index f790da3436..0000000000
--- a/crypto/heimdal-0.6.3/admin/change.c
+++ /dev/null
@@ -1,257 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "ktutil_locl.h"
-
-RCSID("$Id: change.c,v 1.5 2003/04/01 15:04:49 lha Exp $");
-
-static void
-change_entry (krb5_context context, krb5_keytab keytab,
- krb5_principal principal, krb5_kvno kvno,
- const char *realm, const char *admin_server, int server_port)
-{
- krb5_error_code ret;
- kadm5_config_params conf;
- void *kadm_handle;
- char *client_name;
- krb5_keyblock *keys;
- int num_keys;
- int i;
-
- ret = krb5_unparse_name (context, principal, &client_name);
- if (ret) {
- krb5_warn (context, ret, "krb5_unparse_name");
- return;
- }
-
- memset (&conf, 0, sizeof(conf));
-
- if(realm)
- conf.realm = (char *)realm;
- else
- conf.realm = *krb5_princ_realm (context, principal);
- conf.mask |= KADM5_CONFIG_REALM;
-
- if (admin_server) {
- conf.admin_server = (char *)admin_server;
- conf.mask |= KADM5_CONFIG_ADMIN_SERVER;
- }
-
- if (server_port) {
- conf.kadmind_port = htons(server_port);
- conf.mask |= KADM5_CONFIG_KADMIND_PORT;
- }
-
- ret = kadm5_init_with_skey_ctx (context,
- client_name,
- keytab_string,
- KADM5_ADMIN_SERVICE,
- &conf, 0, 0,
- &kadm_handle);
- free (client_name);
- if (ret) {
- krb5_warn (context, ret, "kadm5_c_init_with_skey_ctx");
- return;
- }
- ret = kadm5_randkey_principal (kadm_handle, principal, &keys, &num_keys);
- kadm5_destroy (kadm_handle);
- if (ret) {
- krb5_warn(context, ret, "kadm5_randkey_principal");
- return;
- }
- for (i = 0; i < num_keys; ++i) {
- krb5_keytab_entry new_entry;
-
- new_entry.principal = principal;
- new_entry.timestamp = time (NULL);
- new_entry.vno = kvno + 1;
- new_entry.keyblock = keys[i];
-
- ret = krb5_kt_add_entry (context, keytab, &new_entry);
- if (ret)
- krb5_warn (context, ret, "krb5_kt_add_entry");
- krb5_free_keyblock_contents (context, &keys[i]);
- }
-}
-
-/*
- * loop over all the entries in the keytab (or those given) and change
- * their keys, writing the new keys
- */
-
-struct change_set {
- krb5_principal principal;
- krb5_kvno kvno;
-};
-
-int
-kt_change (int argc, char **argv)
-{
- krb5_error_code ret;
- krb5_keytab keytab;
- krb5_kt_cursor cursor;
- krb5_keytab_entry entry;
- char *realm = NULL;
- char *admin_server = NULL;
- int server_port = 0;
- int help_flag = 0;
- int optind = 0;
- int i, j, max;
- struct change_set *changeset;
-
- struct getargs args[] = {
- { "realm", 'r', arg_string, NULL,
- "realm to use", "realm"
- },
- { "admin-server", 'a', arg_string, NULL,
- "server to contact", "host"
- },
- { "server-port", 's', arg_integer, NULL,
- "port to contact", "port number"
- },
- { "help", 'h', arg_flag, NULL }
- };
-
- args[0].value = &realm;
- args[1].value = &admin_server;
- args[2].value = &server_port;
- args[3].value = &help_flag;
-
- if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind)
- || help_flag) {
- arg_printusage(args, sizeof(args) / sizeof(args[0]),
- "ktutil change", "principal...");
- return 1;
- }
-
- if((keytab = ktutil_open_keytab()) == NULL)
- return 1;
-
- j = 0;
- max = 0;
- changeset = NULL;
-
- ret = krb5_kt_start_seq_get(context, keytab, &cursor);
- if(ret){
- krb5_warn(context, ret, "krb5_kt_start_seq_get %s", keytab_string);
- goto out;
- }
-
- while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0) {
- int add = 0;
-
- for (i = 0; i < j; ++i) {
- if (krb5_principal_compare (context, changeset[i].principal,
- entry.principal)) {
- if (changeset[i].kvno < entry.vno)
- changeset[i].kvno = entry.vno;
- break;
- }
- }
- if (i < j)
- continue;
-
- if (optind == argc) {
- add = 1;
- } else {
- for (i = optind; i < argc; ++i) {
- krb5_principal princ;
-
- ret = krb5_parse_name (context, argv[i], &princ);
- if (ret) {
- krb5_warn (context, ret, "krb5_parse_name %s", argv[i]);
- continue;
- }
- if (krb5_principal_compare (context, princ, entry.principal))
- add = 1;
-
- krb5_free_principal (context, princ);
- }
- }
-
- if (add) {
- if (j >= max) {
- void *tmp;
-
- max = max(max * 2, 1);
- tmp = realloc (changeset, max * sizeof(*changeset));
- if (tmp == NULL) {
- krb5_kt_free_entry (context, &entry);
- krb5_warnx (context, "realloc: out of memory");
- ret = ENOMEM;
- break;
- }
- changeset = tmp;
- }
- ret = krb5_copy_principal (context, entry.principal,
- &changeset[j].principal);
- if (ret) {
- krb5_warn (context, ret, "krb5_copy_principal");
- krb5_kt_free_entry (context, &entry);
- break;
- }
- changeset[j].kvno = entry.vno;
- ++j;
- }
- krb5_kt_free_entry (context, &entry);
- }
-
- if (ret == KRB5_KT_END) {
- for (i = 0; i < j; i++) {
- if (verbose_flag) {
- char *client_name;
-
- ret = krb5_unparse_name (context, changeset[i].principal,
- &client_name);
- if (ret) {
- krb5_warn (context, ret, "krb5_unparse_name");
- } else {
- printf("Changing %s kvno %d\n",
- client_name, changeset[i].kvno);
- free(client_name);
- }
- }
- change_entry (context, keytab,
- changeset[i].principal, changeset[i].kvno,
- realm, admin_server, server_port);
- }
- }
- for (i = 0; i < j; i++)
- krb5_free_principal (context, changeset[i].principal);
- free (changeset);
-
- ret = krb5_kt_end_seq_get(context, keytab, &cursor);
- out:
- krb5_kt_close(context, keytab);
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/admin/copy.c b/crypto/heimdal-0.6.3/admin/copy.c
deleted file mode 100644
index 18b9d6e0b4..0000000000
--- a/crypto/heimdal-0.6.3/admin/copy.c
+++ /dev/null
@@ -1,247 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "ktutil_locl.h"
-
-RCSID("$Id: copy.c,v 1.9 2003/01/16 18:59:03 lha Exp $");
-
-
-static krb5_boolean
-compare_keyblock(const krb5_keyblock *a, const krb5_keyblock *b)
-{
- if(a->keytype != b->keytype ||
- a->keyvalue.length != b->keyvalue.length ||
- memcmp(a->keyvalue.data, b->keyvalue.data, a->keyvalue.length) != 0)
- return FALSE;
- return TRUE;
-}
-
-static int
-kt_copy_int (const char *from, const char *to)
-{
- krb5_error_code ret;
- krb5_keytab src_keytab, dst_keytab;
- krb5_kt_cursor cursor;
- krb5_keytab_entry entry, dummy;
-
- ret = krb5_kt_resolve (context, from, &src_keytab);
- if (ret) {
- krb5_warn (context, ret, "resolving src keytab `%s'", from);
- return 1;
- }
-
- ret = krb5_kt_resolve (context, to, &dst_keytab);
- if (ret) {
- krb5_kt_close (context, src_keytab);
- krb5_warn (context, ret, "resolving dst keytab `%s'", to);
- return 1;
- }
-
- ret = krb5_kt_start_seq_get (context, src_keytab, &cursor);
- if (ret) {
- krb5_warn (context, ret, "krb5_kt_start_seq_get %s", keytab_string);
- goto out;
- }
-
- if (verbose_flag)
- fprintf(stderr, "copying %s to %s\n", from, to);
-
- while((ret = krb5_kt_next_entry(context, src_keytab,
- &entry, &cursor)) == 0) {
- char *name_str;
- char *etype_str;
- krb5_unparse_name (context, entry.principal, &name_str);
- krb5_enctype_to_string(context, entry.keyblock.keytype, &etype_str);
- ret = krb5_kt_get_entry(context, dst_keytab,
- entry.principal,
- entry.vno,
- entry.keyblock.keytype,
- &dummy);
- if(ret == 0) {
- /* this entry is already in the new keytab, so no need to
- copy it; if the keyblocks are not the same, something
- is weird, so complain about that */
- if(!compare_keyblock(&entry.keyblock, &dummy.keyblock)) {
- krb5_warnx(context, "entry with different keyvalue "
- "already exists for %s, keytype %s, kvno %d",
- name_str, etype_str, entry.vno);
- }
- krb5_kt_free_entry(context, &dummy);
- krb5_kt_free_entry (context, &entry);
- free(name_str);
- free(etype_str);
- continue;
- } else if(ret != KRB5_KT_NOTFOUND) {
- krb5_warn(context, ret, "krb5_kt_get_entry(%s)", name_str);
- krb5_kt_free_entry (context, &entry);
- free(name_str);
- free(etype_str);
- break;
- }
- if (verbose_flag)
- fprintf (stderr, "copying %s, keytype %s, kvno %d\n", name_str,
- etype_str, entry.vno);
- ret = krb5_kt_add_entry (context, dst_keytab, &entry);
- krb5_kt_free_entry (context, &entry);
- if (ret) {
- krb5_warn (context, ret, "krb5_kt_add_entry(%s)", name_str);
- free(name_str);
- free(etype_str);
- break;
- }
- free(name_str);
- free(etype_str);
- }
- krb5_kt_end_seq_get (context, src_keytab, &cursor);
-
- out:
- krb5_kt_close (context, src_keytab);
- krb5_kt_close (context, dst_keytab);
- return 0;
-}
-
-int
-kt_copy (int argc, char **argv)
-{
- int help_flag = 0;
- int optind = 0;
-
- struct getargs args[] = {
- { "help", 'h', arg_flag, NULL}
- };
-
- int num_args = sizeof(args) / sizeof(args[0]);
- int i = 0;
-
- args[i++].value = &help_flag;
-
- if(getarg(args, num_args, argc, argv, &optind)) {
- arg_printusage(args, num_args, "ktutil copy",
- "keytab-src keytab-dest");
- return 1;
- }
- if (help_flag) {
- arg_printusage(args, num_args, "ktutil copy",
- "keytab-src keytab-dest");
- return 1;
- }
-
- argv += optind;
- argc -= optind;
-
- if (argc != 2) {
- arg_printusage(args, num_args, "ktutil copy",
- "keytab-src keytab-dest");
- return 1;
- }
-
- return kt_copy_int(argv[0], argv[1]);
-}
-
-#ifndef KEYFILE
-#define KEYFILE SYSCONFDIR "/srvtab"
-#endif
-
-/* copy to from v4 srvtab, just short for copy */
-static int
-conv(int srvconv, int argc, char **argv)
-{
- int help_flag = 0;
- char *srvtab = KEYFILE;
- int optind = 0;
- char kt4[1024], kt5[1024];
-
- char *name;
-
- struct getargs args[] = {
- { "srvtab", 's', arg_string, NULL},
- { "help", 'h', arg_flag, NULL}
- };
-
- int num_args = sizeof(args) / sizeof(args[0]);
- int i = 0;
-
- args[i++].value = &srvtab;
- args[i++].value = &help_flag;
-
- if(srvconv)
- name = "ktutil srvconvert";
- else
- name = "ktutil srvcreate";
-
- if(getarg(args, num_args, argc, argv, &optind)){
- arg_printusage(args, num_args, name, "");
- return 1;
- }
- if(help_flag){
- arg_printusage(args, num_args, name, "");
- return 0;
- }
-
- argc -= optind;
- argv += optind;
-
- if (argc != 0) {
- arg_printusage(args, num_args, name, "");
- return 1;
- }
-
- snprintf(kt4, sizeof(kt4), "krb4:%s", srvtab);
-
- if(srvconv) {
- if(keytab_string != NULL)
- return kt_copy_int(kt4, keytab_string);
- else {
- krb5_kt_default_modify_name(context, kt5, sizeof(kt5));
- return kt_copy_int(kt4, kt5);
- }
- } else {
- if(keytab_string != NULL)
- return kt_copy_int(keytab_string, kt4);
-
- krb5_kt_default_name(context, kt5, sizeof(kt5));
- return kt_copy_int(kt5, kt4);
- }
-}
-
-int
-srvconv(int argc, char **argv)
-{
- return conv(1, argc, argv);
-}
-
-int
-srvcreate(int argc, char **argv)
-{
- return conv(0, argc, argv);
-}
diff --git a/crypto/heimdal-0.6.3/admin/get.c b/crypto/heimdal-0.6.3/admin/get.c
deleted file mode 100644
index e827738bb5..0000000000
--- a/crypto/heimdal-0.6.3/admin/get.c
+++ /dev/null
@@ -1,273 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "ktutil_locl.h" - -RCSID("$Id: get.c,v 1.22.2.1 2004/06/21 10:55:46 lha Exp $"); - -static void* -open_kadmin_connection(char *principal, - const char *realm, - char *admin_server, - int server_port) -{ - static kadm5_config_params conf; - krb5_error_code ret; - void *kadm_handle; - memset(&conf, 0, sizeof(conf)); - - if(realm) { - conf.realm = (char*)realm; - conf.mask |= KADM5_CONFIG_REALM; - } - - if (admin_server) { - conf.admin_server = admin_server; - conf.mask |= KADM5_CONFIG_ADMIN_SERVER; - } - - if (server_port) { - conf.kadmind_port = htons(server_port); - conf.mask |= KADM5_CONFIG_KADMIND_PORT; - } - - /* should get realm from each principal, instead of doing - everything with the same (local) realm */ - - ret = kadm5_init_with_password_ctx(context, - principal, - NULL, - KADM5_ADMIN_SERVICE, - &conf, 0, 0, - &kadm_handle); - if(ret) { - krb5_warn(context, ret, "kadm5_init_with_password"); - return NULL; - } - return kadm_handle; -} - -int -kt_get(int argc, char **argv) -{ - krb5_error_code ret = 0; - krb5_keytab keytab; - void *kadm_handle = NULL; - char *principal = NULL; - char *realm = NULL; - char *admin_server = NULL; - int server_port = 0; - int help_flag = 0; - int optind = 0; - struct getarg_strings etype_strs = {0, NULL}; - krb5_enctype *etypes = NULL; - size_t netypes = 0; - - struct getargs args[] = { - { "principal", 'p', arg_string, NULL, - "admin principal", "principal" - }, - { "enctypes", 'e', arg_strings, NULL, - "encryption types to use", "enctypes" }, - { "realm", 'r', arg_string, NULL, - "realm to use", "realm" - }, - { "admin-server", 'a', arg_string, NULL, - "server to contact", "host" - }, - { "server-port", 's', arg_integer, NULL, - "port to contact", "port number" - }, - { "help", 'h', arg_flag, NULL } - }; - int i = 0, j; - - args[i++].value = &principal; - args[i++].value = &etype_strs; - args[i++].value = &realm; - args[i++].value = &admin_server; - args[i++].value = &server_port; - args[i++].value = 
&help_flag; - - if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind) - || help_flag) { - arg_printusage(args, sizeof(args) / sizeof(args[0]), - "ktutil get", "principal..."); - return 1; - } - if(optind == argc) { - krb5_warnx(context, "no principals specified"); - arg_printusage(args, sizeof(args) / sizeof(args[0]), - "ktutil get", "principal..."); - return 1; - } - - if((keytab = ktutil_open_keytab()) == NULL) - return 1; - - if(realm) - krb5_set_default_realm(context, realm); - - if (etype_strs.num_strings) { - int i; - - etypes = malloc (etype_strs.num_strings * sizeof(*etypes)); - if (etypes == NULL) { - krb5_warnx(context, "malloc failed"); - goto out; - } - netypes = etype_strs.num_strings; - for(i = 0; i < netypes; i++) { - ret = krb5_string_to_enctype(context, - etype_strs.strings[i], - &etypes[i]); - if(ret) { - krb5_warnx(context, "unrecognized enctype: %s", - etype_strs.strings[i]); - goto out; - } - } - } - - - for(i = optind; i < argc; i++){ - krb5_principal princ_ent; - kadm5_principal_ent_rec princ; - int mask = 0; - krb5_keyblock *keys; - int n_keys; - int created = 0; - krb5_keytab_entry entry; - - ret = krb5_parse_name(context, argv[i], &princ_ent); - if (ret) { - krb5_warn(context, ret, "can't parse principal %s", argv[i]); - continue; - } - memset(&princ, 0, sizeof(princ)); - princ.principal = princ_ent; - mask |= KADM5_PRINCIPAL; - princ.attributes |= KRB5_KDB_DISALLOW_ALL_TIX; - mask |= KADM5_ATTRIBUTES; - princ.princ_expire_time = 0; - mask |= KADM5_PRINC_EXPIRE_TIME; - - if(kadm_handle == NULL) { - const char *r; - if(realm != NULL) - r = realm; - else - r = krb5_principal_get_realm(context, princ_ent); - kadm_handle = open_kadmin_connection(principal, - r, - admin_server, - server_port); - if(kadm_handle == NULL) { - break; - } - } - - ret = kadm5_create_principal(kadm_handle, &princ, mask, "x"); - if(ret == 0) - created++; - else if(ret != KADM5_DUP) { - krb5_warn(context, ret, "kadm5_create_principal(%s)", argv[i]); - 
krb5_free_principal(context, princ_ent); - continue; - } - ret = kadm5_randkey_principal(kadm_handle, princ_ent, &keys, &n_keys); - if (ret) { - krb5_warn(context, ret, "kadm5_randkey_principal(%s)", argv[i]); - krb5_free_principal(context, princ_ent); - continue; - } - - ret = kadm5_get_principal(kadm_handle, princ_ent, &princ, - KADM5_PRINCIPAL | KADM5_KVNO | KADM5_ATTRIBUTES); - if (ret) { - krb5_warn(context, ret, "kadm5_get_principal(%s)", argv[i]); - for (j = 0; j < n_keys; j++) - krb5_free_keyblock_contents(context, &keys[j]); - krb5_free_principal(context, princ_ent); - continue; - } - princ.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX); - mask = KADM5_ATTRIBUTES; - if(created) { - princ.kvno = 1; - mask |= KADM5_KVNO; - } - ret = kadm5_modify_principal(kadm_handle, &princ, mask); - if (ret) { - krb5_warn(context, ret, "kadm5_modify_principal(%s)", argv[i]); - for (j = 0; j < n_keys; j++) - krb5_free_keyblock_contents(context, &keys[j]); - krb5_free_principal(context, princ_ent); - continue; - } - for(j = 0; j < n_keys; j++) { - int do_add = TRUE; - - if (netypes) { - int i; - - do_add = FALSE; - for (i = 0; i < netypes; ++i) - if (keys[j].keytype == etypes[i]) { - do_add = TRUE; - break; - } - } - if (do_add) { - entry.principal = princ_ent; - entry.vno = princ.kvno; - entry.keyblock = keys[j]; - entry.timestamp = time (NULL); - ret = krb5_kt_add_entry(context, keytab, &entry); - if (ret) - krb5_warn(context, ret, "krb5_kt_add_entry"); - } - krb5_free_keyblock_contents(context, &keys[j]); - } - - kadm5_free_principal_ent(kadm_handle, &princ); - krb5_free_principal(context, princ_ent); - } - out: - free_getarg_strings(&etype_strs); - free(etypes); - if (kadm_handle) - kadm5_destroy(kadm_handle); - krb5_kt_close(context, keytab); - return ret != 0; -} diff --git a/crypto/heimdal-0.6.3/admin/ktutil.8 b/crypto/heimdal-0.6.3/admin/ktutil.8 deleted file mode 100644 index f75a953e5d..0000000000 --- a/crypto/heimdal-0.6.3/admin/ktutil.8 +++ /dev/null 
@@ -1,194 +0,0 @@
-.\" Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\" -.\" $Id: ktutil.8,v 1.19 2003/04/08 20:55:10 lha Exp $ -.\" -.Dd December 16, 2000 -.Dt KTUTIL 8 -.Os HEIMDAL -.Sh NAME -.Nm ktutil -.Nd manage Kerberos keytabs -.Sh SYNOPSIS -.Nm -.Oo Fl k Ar keytab \*(Ba Xo -.Fl -keytab= Ns Ar keytab -.Xc -.Oc -.Op Fl v | Fl -verbose -.Op Fl -version -.Op Fl h | Fl -help -.Ar command -.Op Ar args -.Sh DESCRIPTION -.Nm -is a program for managing keytabs. -Supported options: -.Bl -tag -width Ds -.It Xo -.Fl v , -.Fl -verbose -.Xc -Verbose output. -.El -.Pp -.Ar command -can be one of the following: -.Bl -tag -width srvconvert -.It add Xo -.Op Fl p Ar principal -.Op Fl -principal= Ns Ar principal -.Op Fl V Ar kvno -.Op Fl -kvno= Ns Ar kvno -.Op Fl e Ar enctype -.Op Fl -enctype= Ns Ar enctype -.Op Fl w Ar password -.Op Fl -password= Ns Ar password -.Op Fl r -.Op Fl -random -.Op Fl s -.Op Fl -no-salt -.Xc -Adds a key to the keytab. Options that are not specified will be -prompted for. This requires that you know the password of the -principal to add; if what you really want is to add a new principal to -the keytab, you should consider the -.Ar get -command, which talks to the kadmin server. -.It change Xo -.Op Fl r Ar realm -.Op Fl -realm= Ns Ar realm -.Op Fl -a Ar host -.Op Fl -admin-server= Ns Ar host -.Op Fl -s Ar port -.Op Fl -server-port= Ns Ar port -.Xc -Update one or several keys to new versions. By default, use the admin -server for the realm of a keytab entry. Otherwise it will use the -values specified by the options. -.Pp -If no principals are given, all the ones in the keytab are updated. -.It copy Xo -.Ar keytab-src -.Ar keytab-dest -.Xc -Copies all the entries from -.Ar keytab-src -to -.Ar keytab-dest . 
-.It get Xo -.Op Fl p Ar admin principal -.Op Fl -principal= Ns Ar admin principal -.Op Fl e Ar enctype -.Op Fl -enctypes= Ns Ar enctype -.Op Fl r Ar realm -.Op Fl -realm= Ns Ar realm -.Op Fl a Ar admin server -.Op Fl -admin-server= Ns Ar admin server -.Op Fl s Ar server port -.Op Fl -server-port= Ns Ar server port -.Ar principal ... -.Xc -For each -.Ar principal , -generate a new key for it (creating it if it doesn't already exist), -and put that key in the keytab. -.Pp -If no -.Ar realm -is specified, the realm to operate on is taken from the first -principal. -.It list Xo -.Op Fl -keys -.Op Fl -timestamp -.Xc -List the keys stored in the keytab. -.It remove Xo -.Op Fl p Ar principal -.Op Fl -principal= Ns Ar principal -.Op Fl V kvno -.Op Fl -kvno= Ns Ar kvno -.Op Fl e enctype -.Op Fl -enctype= Ns Ar enctype -.Xc -Removes the specified key or keys. Not specifying a -.Ar kvno -removes keys with any version number. Not specifying an -.Ar enctype -removes keys of any type. -.It rename Xo -.Ar from-principal -.Ar to-principal -.Xc -Renames all entries in the keytab that match the -.Ar from-principal -to -.Ar to-principal . -.It purge Xo -.Op Fl -age= Ns Ar age -.Xc -Removes all old entries (for which there is a newer version) that are -older than -.Ar age -(default one week). -.It srvconvert -.It srv2keytab Xo -.Op Fl s Ar srvtab -.Op Fl -srvtab= Ns Ar srvtab -.Xc -Converts the version 4 srvtab in -.Ar srvtab -to a version 5 keytab and stores it in -.Ar keytab . -Identical to: -.Bd -ragged -offset indent -.Li ktutil copy -.Li krb4: Ns Ar srvtab -.Ar keytab -.Ed -.It srvcreate -.It key2srvtab Xo -.Op Fl s Ar srvtab -.Op Fl -srvtab= Ns Ar srvtab -.Xc -Converts the version 5 keytab in -.Ar keytab -to a version 4 srvtab and stores it in -.Ar srvtab . -Identical to: -.Bd -ragged -offset indent -.Li ktutil copy -.Ar keytab -.Li krb4: Ns Ar srvtab -.Ed -.El -.Sh SEE ALSO -.Xr kadmin 8 
diff --git a/crypto/heimdal-0.6.3/admin/ktutil.c b/crypto/heimdal-0.6.3/admin/ktutil.c
deleted file mode 100644
index 7ac9b4bd77..0000000000
--- a/crypto/heimdal-0.6.3/admin/ktutil.c
+++ /dev/null
@@ -1,176 +0,0 @@
-/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "ktutil_locl.h" -#include - -RCSID("$Id: ktutil.c,v 1.36 2002/02/11 14:14:11 joda Exp $"); - -static int help_flag; -static int version_flag; -int verbose_flag; -char *keytab_string; -static char keytab_buf[256]; - -static int help(int argc, char **argv); - -static SL_cmd cmds[] = { - { "add", kt_add, "add", - "adds key to keytab" }, - { "change", kt_change, "change [principal...]", - "get new key for principals (all)" }, - { "copy", kt_copy, "copy src dst", - "copy one keytab to another" }, - { "get", kt_get, "get [principal...]", - "create key in database and add to keytab" }, - { "list", kt_list, "list", - "shows contents of a keytab" }, - { "purge", kt_purge, "purge", - "remove old and superceeded entries" }, - { "remove", kt_remove, "remove", - "remove key from keytab" }, - { "rename", kt_rename, "rename from to", - "rename entry" }, - { "srvconvert", srvconv, "srvconvert [flags]", - "convert v4 srvtab to keytab" }, - { "srv2keytab" }, - { "srvcreate", srvcreate, "srvcreate [flags]", - "convert keytab to v4 srvtab" }, - { "key2srvtab" }, - { "help", help, "help", "" }, - { NULL, NULL, NULL, NULL } -}; - -static struct getargs args[] = { - { - "version", - 0, - arg_flag, - &version_flag, - NULL, - NULL - }, - { - "help", - 'h', - arg_flag, - &help_flag, - NULL, - NULL - }, - { - "keytab", - 'k', - arg_string, - &keytab_string, - "keytab", - "keytab to operate on" - }, - { - "verbose", - 'v', - arg_flag, - &verbose_flag, - "verbose", - "run verbosely" - } -}; - -static int num_args = sizeof(args) / sizeof(args[0]); - -krb5_context context; - -krb5_keytab -ktutil_open_keytab(void) -{ - krb5_error_code ret; - krb5_keytab keytab; - if (keytab_string == NULL) { - ret = krb5_kt_default_name (context, keytab_buf, sizeof(keytab_buf)); - if (ret) { - krb5_warn(context, ret, "krb5_kt_default_name"); - return NULL; - } - keytab_string = keytab_buf; - } - ret = krb5_kt_resolve(context, keytab_string, &keytab); - if (ret) { - krb5_warn(context, ret, 
"resolving keytab %s", keytab_string); - return NULL; - } - if (verbose_flag) - fprintf (stderr, "Using keytab %s\n", keytab_string); - - return keytab; -} - -static int -help(int argc, char **argv) -{ - sl_help(cmds, argc, argv); - return 0; -} - -static void -usage(int status) -{ - arg_printusage(args, num_args, NULL, "command"); - exit(status); -} - -int -main(int argc, char **argv) -{ - int optind = 0; - krb5_error_code ret; - setprogname(argv[0]); - ret = krb5_init_context(&context); - if (ret) - errx (1, "krb5_init_context failed: %d", ret); - if(getarg(args, num_args, argc, argv, &optind)) - usage(1); - if(help_flag) - usage(0); - if(version_flag) { - print_version(NULL); - exit(0); - } - argc -= optind; - argv += optind; - if(argc == 0) - usage(1); - ret = sl_command(cmds, argc, argv); - if(ret == -1) - krb5_warnx (context, "unrecognized command: %s", argv[0]); - return ret; -} diff --git a/crypto/heimdal-0.6.3/admin/ktutil.cat8 b/crypto/heimdal-0.6.3/admin/ktutil.cat8 deleted file mode 100644 index 4d7d12e7fb..0000000000 --- a/crypto/heimdal-0.6.3/admin/ktutil.cat8 +++ /dev/null 
@@ -1,87 +0,0 @@ - -KTUTIL(8) UNIX System Manager's Manual KTUTIL(8) - -NNAAMMEE - kkttuuttiill - manage Kerberos keytabs - -SSYYNNOOPPSSIISS - kkttuuttiill [--kk _k_e_y_t_a_b | ----kkeeyyttaabb==_k_e_y_t_a_b] [--vv | ----vveerrbboossee] [----vveerrssiioonn] [--hh | - ----hheellpp] _c_o_m_m_a_n_d [_a_r_g_s] - -DDEESSCCRRIIPPTTIIOONN - kkttuuttiill is a program for managing keytabs. Supported options: - - --vv, ----vveerrbboossee - Verbose output. - - _c_o_m_m_a_n_d can be one of the following: - - add [--pp _p_r_i_n_c_i_p_a_l] [----pprriinncciippaall==_p_r_i_n_c_i_p_a_l] [--VV _k_v_n_o] [----kkvvnnoo==_k_v_n_o] [--ee - _e_n_c_t_y_p_e] [----eennccttyyppee==_e_n_c_t_y_p_e] [--ww _p_a_s_s_w_o_r_d] - [----ppaasssswwoorrdd==_p_a_s_s_w_o_r_d] [--rr] [----rraannddoomm] [--ss] [----nnoo--ssaalltt] - Adds a key to the keytab. Options that are not specified will - be prompted for. This requires that you know the password of - the principal to add; if what you really want is to add a new - principal to the keytab, you should consider the _g_e_t command, - which talks to the kadmin server. - - change [--rr _r_e_a_l_m] [----rreeaallmm==_r_e_a_l_m] [----aa _h_o_s_t] [----aaddmmiinn--sseerrvveerr==_h_o_s_t] [----ss - _p_o_r_t] [----sseerrvveerr--ppoorrtt==_p_o_r_t] - Update one or several keys to new versions. By default, use - the admin server for the realm of a keytab entry. Otherwise - it will use the values specified by the options. - - If no principals are given, all the ones in the keytab are - updated. - - copy _k_e_y_t_a_b_-_s_r_c _k_e_y_t_a_b_-_d_e_s_t - Copies all the entries from _k_e_y_t_a_b_-_s_r_c to _k_e_y_t_a_b_-_d_e_s_t. 
- - get [--pp _a_d_m_i_n _p_r_i_n_c_i_p_a_l] [----pprriinncciippaall==_a_d_m_i_n _p_r_i_n_c_i_p_a_l] [--ee _e_n_c_t_y_p_e] - [----eennccttyyppeess==_e_n_c_t_y_p_e] [--rr _r_e_a_l_m] [----rreeaallmm==_r_e_a_l_m] [--aa _a_d_m_i_n - _s_e_r_v_e_r] [----aaddmmiinn--sseerrvveerr==_a_d_m_i_n _s_e_r_v_e_r] [--ss _s_e_r_v_e_r _p_o_r_t] - [----sseerrvveerr--ppoorrtt==_s_e_r_v_e_r _p_o_r_t] _p_r_i_n_c_i_p_a_l _._._. - For each _p_r_i_n_c_i_p_a_l, generate a new key for it (creating it if - it doesn't already exist), and put that key in the keytab. - - If no _r_e_a_l_m is specified, the realm to operate on is taken - from the first principal. - - list [----kkeeyyss] [----ttiimmeessttaammpp] - List the keys stored in the keytab. - - remove [--pp _p_r_i_n_c_i_p_a_l] [----pprriinncciippaall==_p_r_i_n_c_i_p_a_l] [--VV --kkvvnnoo] [----kkvvnnoo==_k_v_n_o] - [--ee --eennccttyyppee] [----eennccttyyppee==_e_n_c_t_y_p_e] - Removes the specified key or keys. Not specifying a _k_v_n_o re- - moves keys with any version number. Not specifying an _e_n_c_t_y_p_e - removes keys of any type. - - rename _f_r_o_m_-_p_r_i_n_c_i_p_a_l _t_o_-_p_r_i_n_c_i_p_a_l - Renames all entries in the keytab that match the _f_r_o_m_- - _p_r_i_n_c_i_p_a_l to _t_o_-_p_r_i_n_c_i_p_a_l. - - purge [----aaggee==_a_g_e] - Removes all old entries (for which there is a newer version) - - that are older than _a_g_e (default one week). - - srvconvert - - srv2keytab [--ss _s_r_v_t_a_b] [----ssrrvvttaabb==_s_r_v_t_a_b] - Converts the version 4 srvtab in _s_r_v_t_a_b to a version 5 keytab - and stores it in _k_e_y_t_a_b. Identical to: - - ktutil copy krb4:_s_r_v_t_a_b _k_e_y_t_a_b - - srvcreate - - key2srvtab [--ss _s_r_v_t_a_b] [----ssrrvvttaabb==_s_r_v_t_a_b] - Converts the version 5 keytab in _k_e_y_t_a_b to a version 4 srvtab - and stores it in _s_r_v_t_a_b. Identical to: - - ktutil copy _k_e_y_t_a_b krb4:_s_r_v_t_a_b - -SSEEEE AALLSSOO - kadmin(8) - - HEIMDAL December 16, 2000 2 
diff --git a/crypto/heimdal-0.6.3/admin/ktutil_locl.h b/crypto/heimdal-0.6.3/admin/ktutil_locl.h
deleted file mode 100644
index da60f426ba..0000000000
--- a/crypto/heimdal-0.6.3/admin/ktutil_locl.h
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -/* - * $Id: ktutil_locl.h,v 1.18 2002/09/10 20:03:45 joda Exp $ - */ - -#ifndef __KTUTIL_LOCL_H__ -#define __KTUTIL_LOCL_H__ - -#ifdef HAVE_CONFIG_H -#include -#endif -#include -#include -#include -#include -#ifdef HAVE_FCNTL_H -#include -#endif -#ifdef HAVE_UNISTD_H -#include -#endif -#include -#include - -#include "crypto-headers.h" -#include -#include -#include - -#include -#include - -extern krb5_context context; - -extern int verbose_flag; -extern char *keytab_string; - -krb5_keytab ktutil_open_keytab(void); - -int kt_add (int argc, char **argv); -int kt_change (int argc, char **argv); -int kt_copy (int argc, char **argv); -int kt_get (int argc, char **argv); -int kt_list(int argc, char **argv); -int kt_purge(int argc, char **argv); -int kt_remove(int argc, char **argv); -int kt_rename(int argc, char **argv); -int srvconv(int argc, char **argv); -int srvcreate(int argc, char **argv); - -#endif /* __KTUTIL_LOCL_H__ */ diff --git a/crypto/heimdal-0.6.3/admin/list.c b/crypto/heimdal-0.6.3/admin/list.c deleted file mode 100644 index 4c11c2f13f..0000000000 --- a/crypto/heimdal-0.6.3/admin/list.c +++ /dev/null 
@@ -1,213 +0,0 @@
-/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "ktutil_locl.h" - -RCSID("$Id: list.c,v 1.10 2002/01/30 10:12:21 joda Exp $"); - -static int help_flag; -static int list_keys; -static int list_timestamp; - -static struct getargs args[] = { - { "help", 'h', arg_flag, &help_flag }, - { "keys", 0, arg_flag, &list_keys, "show key value" }, - { "timestamp", 0, arg_flag, &list_timestamp, "show timestamp" }, -}; - -static int num_args = sizeof(args) / sizeof(args[0]); - -struct key_info { - char *version; - char *etype; - char *principal; - char *timestamp; - char *key; - struct key_info *next; -}; - -static int -do_list(const char *keytab_string) -{ - krb5_error_code ret; - krb5_keytab keytab; - krb5_keytab_entry entry; - krb5_kt_cursor cursor; - struct key_info *ki, **kie = &ki, *kp; - - int max_version = sizeof("Vno") - 1; - int max_etype = sizeof("Type") - 1; - int max_principal = sizeof("Principal") - 1; - int max_timestamp = sizeof("Date") - 1; - int max_key = sizeof("Key") - 1; - - /* XXX specialcase the ANY type */ - if(strncasecmp(keytab_string, "ANY:", 4) == 0) { - int flag = 0; - char buf[1024]; - keytab_string += 4; - while (strsep_copy((const char**)&keytab_string, ",", - buf, sizeof(buf)) != -1) { - if(flag) - printf("\n"); - do_list(buf); - flag = 1; - } - return 0; - } - - ret = krb5_kt_resolve(context, keytab_string, &keytab); - if (ret) { - krb5_warn(context, ret, "resolving keytab %s", keytab_string); - return 0; - } - - ret = krb5_kt_start_seq_get(context, keytab, &cursor); - if(ret){ - krb5_warn(context, ret, "krb5_kt_start_seq_get %s", keytab_string); - goto out; - } - - printf ("%s:\n\n", keytab_string); - - while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0){ -#define CHECK_MAX(F) if(max_##F < strlen(kp->F)) max_##F = strlen(kp->F) - - kp = malloc(sizeof(*kp)); - if (kp == NULL) { - krb5_kt_free_entry(context, &entry); - krb5_kt_end_seq_get(context, keytab, &cursor); - krb5_warn(context, ret, "malloc failed"); - goto out; - } - - asprintf(&kp->version, "%d", 
entry.vno); - CHECK_MAX(version); - ret = krb5_enctype_to_string(context, - entry.keyblock.keytype, &kp->etype); - if (ret != 0) - asprintf(&kp->etype, "unknown (%d)", entry.keyblock.keytype); - CHECK_MAX(etype); - krb5_unparse_name(context, entry.principal, &kp->principal); - CHECK_MAX(principal); - if (list_timestamp) { - char tstamp[256]; - - krb5_format_time(context, entry.timestamp, - tstamp, sizeof(tstamp), FALSE); - - kp->timestamp = strdup(tstamp); - CHECK_MAX(timestamp); - } - if(list_keys) { - int i; - kp->key = malloc(2 * entry.keyblock.keyvalue.length + 1); - for(i = 0; i < entry.keyblock.keyvalue.length; i++) - snprintf(kp->key + 2 * i, 3, "%02x", - ((unsigned char*)entry.keyblock.keyvalue.data)[i]); - CHECK_MAX(key); - } - *kie = kp; - kie = &kp->next; - krb5_kt_free_entry(context, &entry); - } - *kie = NULL; /* termiate list */ - ret = krb5_kt_end_seq_get(context, keytab, &cursor); - - printf("%-*s %-*s %-*s", max_version, "Vno", - max_etype, "Type", - max_principal, "Principal"); - if(list_timestamp) - printf(" %-*s", max_timestamp, "Date"); - if(list_keys) - printf(" %s", "Key"); - printf("\n"); - - for(kp = ki; kp; ) { - printf("%*s %-*s %-*s", max_version, kp->version, - max_etype, kp->etype, - max_principal, kp->principal); - if(list_timestamp) - printf(" %-*s", max_timestamp, kp->timestamp); - if(list_keys) - printf(" %s", kp->key); - printf("\n"); - - /* free entries */ - free(kp->version); - free(kp->etype); - free(kp->principal); - if(list_timestamp) - free(kp->timestamp); - if(list_keys) { - memset(kp->key, 0, strlen(kp->key)); - free(kp->key); - } - ki = kp; - kp = kp->next; - free(ki); - } -out: - krb5_kt_close(context, keytab); - return 0; -} - -int -kt_list(int argc, char **argv) -{ - krb5_error_code ret; - int optind = 0; - char kt[1024]; - - if(verbose_flag) - list_timestamp = 1; - - if(getarg(args, num_args, argc, argv, &optind)){ - arg_printusage(args, num_args, "ktutil list", ""); - return 1; - } - if(help_flag){ - 
arg_printusage(args, num_args, "ktutil list", ""); - return 0; - } - - if (keytab_string == NULL) { - if((ret = krb5_kt_default_name(context, kt, sizeof(kt))) != 0) { - krb5_warn(context, ret, "getting default keytab name"); - return 0; - } - keytab_string = kt; - } - do_list(keytab_string); - return 0; -} diff --git a/crypto/heimdal-0.6.3/admin/purge.c b/crypto/heimdal-0.6.3/admin/purge.c deleted file mode 100644 index aaca00a6c5..0000000000 --- a/crypto/heimdal-0.6.3/admin/purge.c +++ /dev/null 
@@ -1,188 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "ktutil_locl.h"
-
-RCSID("$Id: purge.c,v 1.6 2001/07/23 09:46:41 joda Exp $");
-
-/*
- * keep track of the highest version for every principal.
- */
-
-struct e {
- krb5_principal principal;
- int max_vno;
- struct e *next;
-};
-
-static struct e *
-get_entry (krb5_principal princ, struct e *head)
-{
- struct e *e;
-
- for (e = head; e != NULL; e = e->next)
- if (krb5_principal_compare (context, princ, e->principal))
- return e;
- return NULL;
-}
-
-static void
-add_entry (krb5_principal princ, int vno, struct e **head)
-{
- krb5_error_code ret;
- struct e *e;
-
- e = get_entry (princ, *head);
- if (e != NULL) {
- e->max_vno = max (e->max_vno, vno);
- return;
- }
- e = malloc (sizeof (*e));
- if (e == NULL)
- krb5_errx (context, 1, "malloc: out of memory");
- ret = krb5_copy_principal (context, princ, &e->principal);
- if (ret)
- krb5_err (context, 1, ret, "krb5_copy_principal");
- e->max_vno = vno;
- e->next = *head;
- *head = e;
-}
-
-static void
-delete_list (struct e *head)
-{
- while (head != NULL) {
- struct e *next = head->next;
- krb5_free_principal (context, head->principal);
- free (head);
- head = next;
- }
-}
-
-/*
- * Remove all entries that have newer versions and that are older
- * than `age'
- */
-
-int
-kt_purge(int argc, char **argv)
-{
- krb5_error_code ret = 0;
- krb5_kt_cursor cursor;
- krb5_keytab keytab;
- krb5_keytab_entry entry;
- int help_flag = 0;
- char *age_str = "1 week";
- int age;
- struct getargs args[] = {
- { "age", 0, arg_string, NULL, "age to retire" },
- { "help", 'h', arg_flag, NULL }
- };
- int num_args = sizeof(args) / sizeof(args[0]);
- int optind = 0;
- int i = 0;
- struct e *head = NULL;
- time_t judgement_day;
-
- args[i++].value = &age_str;
- args[i++].value = &help_flag;
-
- if(getarg(args, num_args, argc, argv, &optind)) {
- arg_printusage(args, num_args, "ktutil purge", "");
- return 1;
- }
- if(help_flag) {
- arg_printusage(args, num_args, "ktutil purge", "");
- return 1;
- }
-
- age = parse_time(age_str, "s");
- if(age < 0) {
- krb5_warnx(context, "unparasable time `%s'", age_str);
- return 1;
- }
-
- if((keytab = ktutil_open_keytab()) == NULL)
- return 1;
-
- ret = krb5_kt_start_seq_get(context, keytab, &cursor);
- if(ret){
- krb5_warn(context, ret, "krb5_kt_start_seq_get %s", keytab_string);
- goto out;
- }
-
- while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0) {
- add_entry (entry.principal, entry.vno, &head);
- krb5_kt_free_entry(context, &entry);
- }
- ret = krb5_kt_end_seq_get(context, keytab, &cursor);
-
- judgement_day = time (NULL);
-
- ret = krb5_kt_start_seq_get(context, keytab, &cursor);
- if(ret){
- krb5_warn(context, ret, "krb5_kt_start_seq_get, %s", keytab_string);
- goto out;
- }
-
- while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0) {
- struct e *e = get_entry (entry.principal, head);
-
- if (e == NULL) {
- krb5_warnx (context, "ignoring extra entry");
- continue;
- }
-
- if (entry.vno < e->max_vno
- && judgement_day - entry.timestamp > age) {
- if (verbose_flag) {
- char *name_str;
-
- krb5_unparse_name (context, entry.principal, &name_str);
- printf ("removing %s vno %d\n", name_str, entry.vno);
- free (name_str);
- }
- ret = krb5_kt_remove_entry (context, keytab, &entry);
- if (ret)
- krb5_warn (context, ret, "remove");
- }
- krb5_kt_free_entry(context, &entry);
- }
- ret = krb5_kt_end_seq_get(context, keytab, &cursor);
-
- delete_list (head);
-
- out:
- krb5_kt_close (context, keytab);
- return ret != 0;
-}
diff --git a/crypto/heimdal-0.6.3/admin/remove.c b/crypto/heimdal-0.6.3/admin/remove.c
deleted file mode 100644
index 45f8119202..0000000000
--- a/crypto/heimdal-0.6.3/admin/remove.c
+++ /dev/null
@@ -1,113 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "ktutil_locl.h"
-
-RCSID("$Id: remove.c,v 1.3 2001/07/23 09:46:41 joda Exp $");
-
-int
-kt_remove(int argc, char **argv)
-{
- krb5_error_code ret = 0;
- krb5_keytab_entry entry;
- krb5_keytab keytab;
- char *principal_string = NULL;
- krb5_principal principal = NULL;
- int kvno = 0;
- char *keytype_string = NULL;
- krb5_enctype enctype = 0;
- int help_flag = 0;
- struct getargs args[] = {
- { "principal", 'p', arg_string, NULL, "principal to remove" },
- { "kvno", 'V', arg_integer, NULL, "key version to remove" },
- { "enctype", 'e', arg_string, NULL, "enctype to remove" },
- { "help", 'h', arg_flag, NULL }
- };
- int num_args = sizeof(args) / sizeof(args[0]);
- int optind = 0;
- int i = 0;
- args[i++].value = &principal_string;
- args[i++].value = &kvno;
- args[i++].value = &keytype_string;
- args[i++].value = &help_flag;
- if(getarg(args, num_args, argc, argv, &optind)) {
- arg_printusage(args, num_args, "ktutil remove", "");
- return 1;
- }
- if(help_flag) {
- arg_printusage(args, num_args, "ktutil remove", "");
- return 0;
- }
- if(principal_string) {
- ret = krb5_parse_name(context, principal_string, &principal);
- if(ret) {
- krb5_warn(context, ret, "%s", principal_string);
- return 1;
- }
- }
- if(keytype_string) {
- ret = krb5_string_to_enctype(context, keytype_string, &enctype);
- if(ret) {
- int t;
- if(sscanf(keytype_string, "%d", &t) == 1)
- enctype = t;
- else {
- krb5_warn(context, ret, "%s", keytype_string);
- if(principal)
- krb5_free_principal(context, principal);
- return 1;
- }
- }
- }
- if (!principal && !enctype && !kvno) {
- krb5_warnx(context,
- "You must give at least one of "
- "principal, enctype or kvno.");
- return 1;
- }
-
- if((keytab = ktutil_open_keytab()) == NULL)
- return 1;
-
- entry.principal = principal;
- entry.keyblock.keytype = enctype;
- entry.vno = kvno;
- ret = krb5_kt_remove_entry(context, keytab, &entry);
- krb5_kt_close(context, keytab);
- if(ret)
- krb5_warn(context, ret, "remove");
- if(principal)
- krb5_free_principal(context, principal);
- return 0;
-}
-
diff --git a/crypto/heimdal-0.6.3/admin/rename.c b/crypto/heimdal-0.6.3/admin/rename.c
deleted file mode 100644
index dcfb35244f..0000000000
--- a/crypto/heimdal-0.6.3/admin/rename.c
+++ /dev/null
@@ -1,133 +0,0 @@
-/*
- * Copyright (c) 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "ktutil_locl.h"
-
-RCSID("$Id: rename.c,v 1.1 2001/07/23 10:17:32 joda Exp $");
-
-int
-kt_rename(int argc, char **argv)
-{
- krb5_error_code ret = 0;
- krb5_keytab_entry entry;
- krb5_keytab keytab;
- krb5_kt_cursor cursor;
- krb5_principal from_princ, to_princ;
- int help_flag = 0;
-
- struct getargs args[] = {
- { "help", 'h', arg_flag, NULL }
- };
- int num_args = sizeof(args) / sizeof(args[0]);
- int optind = 0;
- int i = 0;
-
- args[i++].value = &help_flag;
- if(getarg(args, num_args, argc, argv, &optind)) {
- arg_printusage(args, num_args, "ktutil rename", "from to");
- return 1;
- }
- if(help_flag) {
- arg_printusage(args, num_args, "ktutil rename", "from to");
- return 0;
- }
- argv += optind;
- argc -= optind;
- if(argc != 2) {
- arg_printusage(args, num_args, "ktutil rename", "from to");
- return 0;
- }
-
- ret = krb5_parse_name(context, argv[0], &from_princ);
- if(ret != 0) {
- krb5_warn(context, ret, "%s", argv[0]);
- return 0;
- }
-
- ret = krb5_parse_name(context, argv[1], &to_princ);
- if(ret != 0) {
- krb5_free_principal(context, from_princ);
- krb5_warn(context, ret, "%s", argv[1]);
- return 0;
- }
-
- if((keytab = ktutil_open_keytab()) == NULL) {
- krb5_free_principal(context, from_princ);
- krb5_free_principal(context, to_princ);
- return 1;
- }
-
- ret = krb5_kt_start_seq_get(context, keytab, &cursor);
- if(ret) {
- krb5_kt_close(context, keytab);
- krb5_free_principal(context, from_princ);
- krb5_free_principal(context, to_princ);
- return 1;
- }
- while(1) {
- ret = krb5_kt_next_entry(context, keytab, &entry, &cursor);
- if(ret != 0) {
- if(ret != KRB5_CC_END && ret != KRB5_KT_END)
- krb5_warn(context, ret, "getting entry from keytab");
- break;
- }
- if(krb5_principal_compare(context, entry.principal, from_princ)) {
- krb5_free_principal(context, entry.principal);
- entry.principal = to_princ;
- ret = krb5_kt_add_entry(context, keytab, &entry);
- if(ret) {
- entry.principal = NULL;
- krb5_kt_free_entry(context, &entry);
- krb5_warn(context, ret, "adding entry");
- break;
- }
- entry.principal = from_princ;
- ret = krb5_kt_remove_entry(context, keytab, &entry);
- if(ret) {
- entry.principal = NULL;
- krb5_kt_free_entry(context, &entry);
- krb5_warn(context, ret, "removing entry");
- break;
- }
- entry.principal = NULL;
- }
- krb5_kt_free_entry(context, &entry);
- }
- krb5_kt_end_seq_get(context, keytab, &cursor);
-
- krb5_free_principal(context, from_princ);
- krb5_free_principal(context, to_princ);
-
- return 0;
-}
-
diff --git a/crypto/heimdal-0.6.3/appl/Makefile.am b/crypto/heimdal-0.6.3/appl/Makefile.am
deleted file mode 100644
index e867521aaf..0000000000
--- a/crypto/heimdal-0.6.3/appl/Makefile.am
+++ /dev/null
@@ -1,26 +0,0 @@
-# $Id: Makefile.am,v 1.24 2001/01/27 18:34:39 assar Exp $
-
-include $(top_srcdir)/Makefile.am.common
-
-if OTP
-dir_otp = otp
-endif
-if DCE
-dir_dce = dceutils
-endif
-SUBDIRS = \
- afsutil \
- ftp \
- login \
- $(dir_otp) \
- popper \
- push \
- rsh \
- rcp \
- su \
- xnlock \
- telnet \
- test \
- kx \
- kf \
- $(dir_dce)
diff --git a/crypto/heimdal-0.6.3/appl/Makefile.in b/crypto/heimdal-0.6.3/appl/Makefile.in
deleted file mode 100644
index 6846105a74..0000000000
--- a/crypto/heimdal-0.6.3/appl/Makefile.in
+++ /dev/null
@@ -1,795 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.24 2001/01/27 18:34:39 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = .. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ - $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common -subdir = appl -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - $(top_srcdir)/cf/krb-struct-spwd.m4 \ - 
$(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -depcomp = -am__depfiles_maybe = -SOURCES = -DIST_SOURCES = -RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \ - html-recursive info-recursive install-data-recursive \ - install-exec-recursive install-info-recursive \ - install-recursive installcheck-recursive installdirs-recursive \ - pdf-recursive ps-recursive uninstall-info-recursive \ - uninstall-recursive -ETAGS = etags -CTAGS = ctags -DIST_SUBDIRS = afsutil ftp login otp popper push rsh rcp su xnlock \ - telnet test kx kf dceutils -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = 
@DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ 
-LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = 
@WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = 
@LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -@OTP_TRUE@dir_otp = otp -@DCE_TRUE@dir_dce = dceutils -SUBDIRS = \ - afsutil \ - ftp \ - login \ - $(dir_otp) \ - popper \ - push \ - rsh \ - rcp \ - su \ - xnlock \ - telnet \ - test \ - kx \ - kf \ - $(dir_dce) - -all: all-recursive - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps appl/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps appl/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' 
in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -# This directory's subdirectories are mostly independent; you can cd -# into them and run `make' without going through this Makefile. -# To change the values of `make' variables: instead of editing Makefiles, -# (1) if the variable is set in `config.status', edit `config.status' -# (which will cause the Makefiles to be regenerated when you run `make'); -# (2) otherwise, pass the desired values on the `make' command line. 
-$(RECURSIVE_TARGETS): - @set fnord $$MAKEFLAGS; amf=$$2; \ - dot_seen=no; \ - target=`echo $@ | sed s/-recursive//`; \ - list='$(SUBDIRS)'; for subdir in $$list; do \ - echo "Making $$target in $$subdir"; \ - if test "$$subdir" = "."; then \ - dot_seen=yes; \ - local_target="$$target-am"; \ - else \ - local_target="$$target"; \ - fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ - || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \ - done; \ - if test "$$dot_seen" = "no"; then \ - $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \ - fi; test -z "$$fail" - -mostlyclean-recursive clean-recursive distclean-recursive \ -maintainer-clean-recursive: - @set fnord $$MAKEFLAGS; amf=$$2; \ - dot_seen=no; \ - case "$@" in \ - distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \ - *) list='$(SUBDIRS)' ;; \ - esac; \ - rev=''; for subdir in $$list; do \ - if test "$$subdir" = "."; then :; else \ - rev="$$subdir $$rev"; \ - fi; \ - done; \ - rev="$$rev ."; \ - target=`echo $@ | sed s/-recursive//`; \ - for subdir in $$rev; do \ - echo "Making $$target in $$subdir"; \ - if test "$$subdir" = "."; then \ - local_target="$$target-am"; \ - else \ - local_target="$$target"; \ - fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ - || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \ - done && test -z "$$fail" -tags-recursive: - list='$(SUBDIRS)'; for subdir in $$list; do \ - test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \ - done -ctags-recursive: - list='$(SUBDIRS)'; for subdir in $$list; do \ - test "$$subdir" = . 
|| (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \ - done - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - if (etags --etags-include --version) >/dev/null 2>&1; then \ - include_option=--etags-include; \ - else \ - include_option=--include; \ - fi; \ - list='$(SUBDIRS)'; for subdir in $$list; do \ - if test "$$subdir" = .; then :; else \ - test -f $$subdir/TAGS && \ - tags="$$tags $$include_option=$$here/$$subdir/TAGS"; \ - fi; \ - done; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: ctags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/.. 
$(distdir)/../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ - if test "$$subdir" = .; then :; else \ - test -d "$(distdir)/$$subdir" \ - || mkdir "$(distdir)/$$subdir" \ - || exit 1; \ - (cd $$subdir && \ - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="../$(top_distdir)" \ - distdir="../$(distdir)/$$subdir" \ - distdir) \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-recursive -all-am: Makefile all-local -installdirs: installdirs-recursive -installdirs-am: -install: install-recursive -install-exec: install-exec-recursive -install-data: install-data-recursive -uninstall: uninstall-recursive - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-recursive -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo 
"INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-recursive - -clean-am: clean-generic clean-libtool mostlyclean-am - -distclean: distclean-recursive - -rm -f Makefile -distclean-am: clean-am distclean-generic distclean-libtool \ - distclean-tags - -dvi: dvi-recursive - -dvi-am: - -html: html-recursive - -info: info-recursive - -info-am: - -install-data-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-recursive - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-recursive - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-recursive - -mostlyclean-am: mostlyclean-generic mostlyclean-libtool - -pdf: pdf-recursive - -pdf-am: - -ps: ps-recursive - -ps-am: - -uninstall-am: uninstall-info-am - -uninstall-info: uninstall-info-recursive - -.PHONY: $(RECURSIVE_TARGETS) CTAGS GTAGS all all-am all-local check \ - check-am check-local clean clean-generic clean-libtool \ - clean-recursive ctags ctags-recursive distclean \ - distclean-generic distclean-libtool distclean-recursive \ - distclean-tags distdir dvi dvi-am html html-am info info-am \ - install install-am install-data install-data-am install-exec \ - install-exec-am install-info install-info-am install-man \ - install-strip installcheck installcheck-am installdirs \ - installdirs-am maintainer-clean maintainer-clean-generic \ - maintainer-clean-recursive mostlyclean mostlyclean-generic \ - mostlyclean-libtool mostlyclean-recursive pdf pdf-am ps ps-am \ - tags tags-recursive uninstall uninstall-am uninstall-info-am - - -install-suid-programs: - 
@foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - 
case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal-0.6.3/appl/afsutil/ChangeLog b/crypto/heimdal-0.6.3/appl/afsutil/ChangeLog deleted file mode 100644 index c3f5605e2d..0000000000 --- a/crypto/heimdal-0.6.3/appl/afsutil/ChangeLog +++ /dev/null 
@@ -1,77 +0,0 @@
-2003-08-25 Love Hörnquist Åstrand
-
- * afslog.c: 1.22->1.23: (do_afslog): is cell is unset, set it
- "" for error printing
-
-2003-04-23 Love Hörnquist Åstrand
-
- * afslog.c: 1.21->1.22: (log_func): drop the error number
-
-2003-04-14 Love Hörnquist Åstrand
-
- * afslog.c: set kafs log function if verbose is turned on
-
-2003-03-18 Love Hörnquist Åstrand
-
- * Makefile.am (LDADD): use LIB_kafs
-
- * afslog.1: --no-v4, --no-v5
-
- * Makefile.am: always build afsutils now
-
- * afslog.c: make build without KRB4
-
-2002-11-26 Johan Danielsson
-
- * afslog.c: remove plural form in help string
-
- * Makefile.am: add afslog manpage
-
- * afslog.1: manpage
-
- * afslog.c: try more files when trying to expand a cell name
-
- * afslog.c: create a list of cells to get tokens for, before
- actually doing anything, and try to get tokens via krb4 if krb5
- fails, and give it a chance to work with krb4-only; also some bug
- fixes, partially from Tomas Olsson.
-
-2002-08-23 Assar Westerlund
-
- * pagsh.c: make it handle --version/--help
-
-2001-05-17 Assar Westerlund
-
- * afslog.c (main): call free_getarg_strings
-
-2000-12-31 Assar Westerlund
-
- * afslog.c (main): handle krb5_init_context failure consistently
-
-2000-12-25 Assar Westerlund
-
- * afslog.c: clarify usage strings
-
-1999-08-04 Assar Westerlund
-
- * pagsh.c (main): use mkstemp to generate temporary file names.
- From Miroslav Ruda
-
-1999-07-04 Assar Westerlund
-
- * afslog.c (expand_cell_name): terminate on #. From Miroslav Ruda
-
-
-1999-06-27 Assar Westerlund
-
- * Makefile.am (bin_PROGRAMS): only include pagsh if KRB4
-
-1999-06-26 Assar Westerlund
-
- * Makefile.am: add pagsh
-
- * pagsh.c: new file. contributed by Miroslav Ruda
-
-Sat Mar 27 12:49:43 1999 Johan Danielsson
-
- * afslog.c: cleanup option parsing
diff --git a/crypto/heimdal-0.6.3/appl/afsutil/Makefile.am b/crypto/heimdal-0.6.3/appl/afsutil/Makefile.am
deleted file mode 100644
index 0e6c4eb2b2..0000000000
--- a/crypto/heimdal-0.6.3/appl/afsutil/Makefile.am
+++ /dev/null
@@ -1,20 +0,0 @@
-# $Id: Makefile.am,v 1.15 2003/03/18 13:13:06 lha Exp $
-
-include $(top_srcdir)/Makefile.am.common
-
-INCLUDES += $(INCLUDE_krb4)
-
-bin_PROGRAMS = afslog pagsh
-
-afslog_SOURCES = afslog.c
-
-pagsh_SOURCES = pagsh.c
-
-man_MANS = afslog.1
-
-LDADD = $(LIB_kafs) \
- $(LIB_krb4) \
- $(top_builddir)/lib/krb5/libkrb5.la \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(LIB_des) \
- $(LIB_roken)
diff --git a/crypto/heimdal-0.6.3/appl/afsutil/Makefile.in b/crypto/heimdal-0.6.3/appl/afsutil/Makefile.in
deleted file mode 100644
index be6de8390c..0000000000
--- a/crypto/heimdal-0.6.3/appl/afsutil/Makefile.in
+++ /dev/null
@@ -1,828 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.15 2003/03/18 13:13:06 lha Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - -SOURCES = $(afslog_SOURCES) $(pagsh_SOURCES) - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../.. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ - $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common ChangeLog -bin_PROGRAMS = afslog$(EXEEXT) pagsh$(EXEEXT) -subdir = appl/afsutil -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - 
$(top_srcdir)/cf/krb-struct-spwd.m4 \ - $(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)" -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -PROGRAMS = $(bin_PROGRAMS) -am_afslog_OBJECTS = afslog.$(OBJEXT) -afslog_OBJECTS = $(am_afslog_OBJECTS) -afslog_LDADD = $(LDADD) -am__DEPENDENCIES_1 = -am__DEPENDENCIES_2 = $(top_builddir)/lib/kafs/libkafs.la \ - $(am__DEPENDENCIES_1) -afslog_DEPENDENCIES = $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) -am_pagsh_OBJECTS = pagsh.$(OBJEXT) -pagsh_OBJECTS = $(am_pagsh_OBJECTS) -pagsh_LDADD = $(LDADD) -pagsh_DEPENDENCIES = $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -SOURCES = $(afslog_SOURCES) $(pagsh_SOURCES) -DIST_SOURCES = $(afslog_SOURCES) $(pagsh_SOURCES) -man1dir = $(mandir)/man1 -MANS = $(man_MANS) -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ 
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = 
@LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = 
@do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -afslog_SOURCES = afslog.c -pagsh_SOURCES 
= pagsh.c -man_MANS = afslog.1 -LDADD = $(LIB_kafs) \ - $(LIB_krb4) \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_des) \ - $(LIB_roken) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps appl/afsutil/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps appl/afsutil/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -install-binPROGRAMS: $(bin_PROGRAMS) - @$(NORMAL_INSTALL) - test -z "$(bindir)" || $(mkdir_p) "$(DESTDIR)$(bindir)" - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) '$$p' 
'$(DESTDIR)$(bindir)/$$f'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(bindir)/$$f" || exit 1; \ - else :; fi; \ - done - -uninstall-binPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f '$(DESTDIR)$(bindir)/$$f'"; \ - rm -f "$(DESTDIR)$(bindir)/$$f"; \ - done - -clean-binPROGRAMS: - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -afslog$(EXEEXT): $(afslog_OBJECTS) $(afslog_DEPENDENCIES) - @rm -f afslog$(EXEEXT) - $(LINK) $(afslog_LDFLAGS) $(afslog_OBJECTS) $(afslog_LDADD) $(LIBS) -pagsh$(EXEEXT): $(pagsh_OBJECTS) $(pagsh_DEPENDENCIES) - @rm -f pagsh$(EXEEXT) - $(LINK) $(pagsh_LDFLAGS) $(pagsh_OBJECTS) $(pagsh_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c $< - -.c.obj: - $(COMPILE) -c `$(CYGPATH_W) '$<'` - -.c.lo: - $(LTCOMPILE) -c -o $@ $< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -install-man1: $(man1_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - test -z "$(man1dir)" || $(mkdir_p) "$(DESTDIR)$(man1dir)" - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 1*) ;; \ - *) ext='1' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man1dir)/$$inst'"; \ - 
$(INSTALL_DATA) "$$file" "$(DESTDIR)$(man1dir)/$$inst"; \ - done -uninstall-man1: - @$(NORMAL_UNINSTALL) - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 1*) ;; \ - *) ext='1' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f '$(DESTDIR)$(man1dir)/$$inst'"; \ - rm -f "$(DESTDIR)$(man1dir)/$$inst"; \ - done - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && 
pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/../.. $(distdir)/../../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) $(MANS) all-local -installdirs: - for dir in "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - 
-distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: install-man - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: install-binPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man1 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-binPROGRAMS uninstall-info-am uninstall-man - -uninstall-man: uninstall-man1 - -.PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \ - clean clean-binPROGRAMS clean-generic clean-libtool ctags \ - distclean distclean-compile distclean-generic \ - distclean-libtool distclean-tags distdir dvi dvi-am html \ - html-am info info-am install install-am install-binPROGRAMS \ - install-data install-data-am install-exec install-exec-am \ - install-info install-info-am install-man install-man1 \ - install-strip installcheck installcheck-am installdirs \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ - pdf pdf-am ps ps-am tags uninstall uninstall-am \ - uninstall-binPROGRAMS uninstall-info-am uninstall-man \ - uninstall-man1 - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ 
- x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; 
done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal-0.6.3/appl/afsutil/afslog.1 b/crypto/heimdal-0.6.3/appl/afsutil/afslog.1 deleted file mode 100644 index c0bfaac379..0000000000 --- a/crypto/heimdal-0.6.3/appl/afsutil/afslog.1 +++ /dev/null 
@@ -1,137 +0,0 @@
-.\" Copyright (c) 2002 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: afslog.1,v 1.3 2003/03/18 04:29:34 lha Exp $
-.\"
-.Dd November 26, 2002
-.Dt AFSLOG 1
-.Os HEIMDAL
-.Sh NAME
-.Nm afslog
-.Nd
-obtain AFS tokens
-.Sh SYNOPSIS
-.Nm
-.Oo Fl c Ar cell \*(Ba Xo
-.Fl -cell= Ns Ar cell
-.Xc
-.Oc
-.Oo Fl p Ar path \*(Ba Xo
-.Fl -file= Ns Ar path
-.Xc
-.Oc
-.Oo Fl k Ar realm \*(Ba Xo
-.Fl -realm= Ns Ar realm
-.Xc
-.Oc
-.Op Fl -no-v4
-.Op Fl -no-v5
-.Op Fl u | Fl -unlog
-.Op Fl v | Fl -verbose
-.Op Fl -version
-.Op Fl h | Fl -help
-.Op Ar cell | path ...
-.Sh DESCRIPTION
-.Nm
-obtains AFS tokens for a number of cells. What cells to get tokens for
-can either be specified as an explicit list, as file paths to get
-tokens for, or be left unspecified, in which case
-.Nm
-will use whatever magic
-.Xr krb_afslog 3
-decides upon.
-.Pp
-Supported options:
-.Bl -tag -width Ds
-.It Xo
-.Fl c Ar cell,
-.Fl -cell= Ns Ar cell
-.Xc
-This specified one or more cell names to get tokens for.
-.It Xo
-.Fl p Ar path ,
-.Fl -file= Ns Ar path
-.Xc
-This specified one or more file paths for which tokens should be
-obtained.
-.It Xo
-.Fl k Ar realm ,
-.Fl -realm= Ns Ar realm
-.Xc
-This is the Kerberos realm the AFS servers live in, this should
-normally not be specified.
-.It Fl -no-v4
-This makes
-.Nm
-not try using Kerberos 4.
-.It Fl -no-v5
-This makes
-.Nm
-not try using Kerberos 5.
-.It Xo
-.Fl u ,
-.Fl -unlog
-.Xc
-Destroy tokens instead of obtaining new. If this is specified, all
-other options are ignored (except for
-.Fl -help
-and
-.Fl -version ) .
-.It Xo
-.Fl v ,
-.Fl -verbose
-.Xc
-Adds more verbosity for what is actually going on.
-.El
-Instead of using
-.Fl c
-and
-.Fl p ,
-you may also pass a list of cells and file paths after any other
-options. These arguments are considered files if they are either
-the strings
-.Do . Dc
-or
-.Dq ..
-or they contain a slash, or if there exists a file by that name.
-.Sh EXAMPLES
-Assuming that there is no file called
-.Dq openafs.org
-in the current directory, and that
-.Pa /afs/openafs.org
-points to that cell, the follwing should be identical:
-.Bd -literal -offset indent
-$ afslog -c openafs.org
-$ afslog openafs.org
-$ afslog /afs/openafs.org/some/file
-.Ed
-.Sh SEE ALSO
-.Xr krb_afslog 3
diff --git a/crypto/heimdal-0.6.3/appl/afsutil/afslog.c b/crypto/heimdal-0.6.3/appl/afsutil/afslog.c
deleted file mode 100644
index 0d85a1ea09..0000000000
--- a/crypto/heimdal-0.6.3/appl/afsutil/afslog.c
+++ /dev/null
@@ -1,343 +0,0 @@
-/*
- * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: afslog.c,v 1.21.2.2 2003/08/25 11:43:51 lha Exp $");
-#endif
-#include
-#ifdef KRB5
-#include
-#endif
-#ifdef KRB4
-#include
-#endif
-#include
-#include
-#include
-#include
-
-static int help_flag;
-static int version_flag;
-#if 0
-static int create_user;
-#endif
-static getarg_strings cells;
-static char *realm;
-static getarg_strings files;
-static int unlog_flag;
-static int verbose;
-#ifdef KRB4
-static int use_krb4 = 1;
-#endif
-#ifdef KRB5
-static int use_krb5 = 1;
-#endif
-
-struct getargs args[] = {
- { "cell", 'c', arg_strings, &cells, "cells to get tokens for", "cell" },
- { "file", 'p', arg_strings, &files, "files to get tokens for", "path" },
- { "realm", 'k', arg_string, &realm, "realm for afs cell", "realm" },
- { "unlog", 'u', arg_flag, &unlog_flag, "remove tokens" },
-#ifdef KRB4
- { "v4", 0, arg_negative_flag, &use_krb4, "use Kerberos 4" },
-#endif
-#ifdef KRB5
- { "v5", 0, arg_negative_flag, &use_krb5, "use Kerberos 5" },
-#endif
-#if 0
- { "create-user", 0, arg_flag, &create_user, "create user if not found" },
-#endif
- { "verbose",'v', arg_flag, &verbose },
- { "version", 0, arg_flag, &version_flag },
- { "help", 'h', arg_flag, &help_flag },
-};
-
-static int num_args = sizeof(args) / sizeof(args[0]);
-
-#ifdef KRB5
-krb5_context context;
-krb5_ccache id;
-#endif
-
-static const char *
-expand_one_file(FILE *f, const char *cell)
-{
- static char buf[1024];
- char *p;
-
- while (fgets (buf, sizeof(buf), f) != NULL) {
- if(buf[0] == '>') {
- for(p = buf; *p && !isspace((unsigned char)*p) && *p != '#'; p++)
- ;
- *p = '\0';
- if(strncmp(buf + 1, cell, strlen(cell)) == 0)
- return buf + 1;
- }
- buf[0] = '\0';
- }
- return NULL;
-}
-
-static const char *
-expand_cell_name(const char *cell)
-{
- FILE *f;
- const char *c;
- const char **fn, *files[] = { _PATH_CELLSERVDB,
- _PATH_ARLA_CELLSERVDB,
- _PATH_OPENAFS_DEBIAN_CELLSERVDB,
- _PATH_ARLA_DEBIAN_CELLSERVDB,
- NULL };
- for(fn = files; *fn; fn++) {
- f = fopen(*fn, "r");
- if(f == NULL)
- continue;
- c = expand_one_file(f, cell);
- fclose(f);
- if(c)
- return c;
- }
- return cell;
-}
-
-#if 0
-static int
-createuser (char *cell)
-{
- char cellbuf[64];
- char name[ANAME_SZ];
- char instance[INST_SZ];
- char realm[REALM_SZ];
- char cmd[1024];
-
- if (cell == NULL) {
- FILE *f;
- int len;
-
- f = fopen (_PATH_THISCELL, "r");
- if (f == NULL)
- err (1, "open(%s)", _PATH_THISCELL);
- if (fgets (cellbuf, sizeof(cellbuf), f) == NULL)
- err (1, "read cellname from %s", _PATH_THISCELL);
- len = strlen(cellbuf);
- if (cellbuf[len-1] == '\n')
- cellbuf[len-1] = '\0';
- cell = cellbuf;
- }
-
- if(krb_get_default_principal(name, instance, realm))
- errx (1, "Could not even figure out who you are");
-
- snprintf (cmd, sizeof(cmd),
- "pts createuser %s%s%s@%s -cell %s",
- name, *instance ? "." : "", instance, strlwr(realm),
- cell);
- DEBUG("Executing %s", cmd);
- return system(cmd);
-}
-#endif
-
-static void
-usage(int ecode)
-{
- arg_printusage(args, num_args, NULL, "[cell|path]...");
- exit(ecode);
-}
-
-struct cell_list {
- char *cell;
- struct cell_list *next;
-} *cell_list;
-
-static int
-afslog_cell(const char *cell, int expand)
-{
- struct cell_list *p, **q;
- const char *c = cell;
- if(expand){
- c = expand_cell_name(cell);
- if(c == NULL){
- warnx("No cell matching \"%s\" found.", cell);
- return -1;
- }
- if(verbose && strcmp(c, cell) != 0)
- warnx("Cell \"%s\" expanded to \"%s\"", cell, c);
- }
- /* add to list of cells to get tokens for, and also remove
- duplicates; the actual afslog takes place later */
- for(p = cell_list, q = &cell_list; p; q = &p->next, p = p->next)
- if(strcmp(p->cell, c) == 0)
- return 0;
- p = malloc(sizeof(*p));
- if(p == NULL)
- return -1;
- p->cell = strdup(c);
- if(p->cell == NULL) {
- free(p);
- return -1;
- }
- p->next = NULL;
- *q = p;
- return 0;
-}
-
-static int
-afslog_file(const char *path)
-{
- char cell[64];
- if(k_afs_cell_of_file(path, cell, sizeof(cell))){
- warnx("No cell found for file \"%s\".", path);
- return -1;
- }
- if(verbose)
- warnx("File \"%s\" lives in cell \"%s\"", path, cell);
- return afslog_cell(cell, 0);
-}
-
-static int
-do_afslog(const char *cell)
-{
- int k5ret, k4ret;
-
- k5ret = k4ret = 0;
-
-#ifdef KRB5
- if(context != NULL && id != NULL && use_krb5) {
- k5ret = krb5_afslog(context, id, cell, NULL);
- if(k5ret == 0)
- return 0;
- }
-#endif
-#if KRB4
- if (use_krb4) {
- k4ret = krb_afslog(cell, NULL);
- if(k4ret == 0)
- return 0;
- }
-#endif
- if (cell == NULL)
- cell = "";
-#ifdef KRB5
- if (k5ret)
- warnx("krb5_afslog(%s): %s", cell, krb5_get_err_text(context, k5ret));
-#endif
-#ifdef KRB4
- if (k4ret)
- warnx("krb_afslog(%s): %s", cell, krb_get_err_text(k4ret));
-#endif
- if (k5ret || k4ret)
- return 1;
- return 0;
-}
-
-static void
-log_func(void *ctx, const char *str)
-{
- fprintf(stderr, "%s\n", str);
-}
-
-int
-main(int argc, char **argv)
-{
- int optind = 0;
- int i;
- int num;
- int ret = 0;
- int failed = 0;
- struct cell_list *p;
-
- setprogname(argv[0]);
-
- if(getarg(args, num_args, argc, argv, &optind))
- usage(1);
- if(help_flag)
- usage(0);
- if(version_flag) {
- print_version(NULL);
- exit(0);
- }
-
- if(!k_hasafs())
- errx(1, "AFS does not seem to be present on this machine");
-
- if(unlog_flag){
- k_unlog();
- exit(0);
- }
-#ifdef KRB5
- ret = krb5_init_context(&context);
- if (ret)
- context = NULL;
- else
- if(krb5_cc_default(context, &id) != 0)
- id = NULL;
-#endif
-
- if (verbose)
- kafs_set_verbose(log_func, NULL);
-
- num = 0;
- for(i = 0; i < files.num_strings; i++){
- afslog_file(files.strings[i]);
- num++;
- }
- free_getarg_strings (&files);
- for(i = 0; i < cells.num_strings; i++){
- afslog_cell(cells.strings[i], 1);
- num++;
- }
- free_getarg_strings (&cells);
- for(i = optind; i < argc; i++){
- num++;
- if(strcmp(argv[i], ".") == 0 ||
- strcmp(argv[i], "..") == 0 ||
- strchr(argv[i], '/') ||
- access(argv[i], F_OK) == 0)
- afslog_file(argv[i]);
- else
- afslog_cell(argv[i], 1);
- }
- if(num == 0) {
- if(do_afslog(NULL))
- failed++;
- } else
- for(p = cell_list; p; p = p->next) {
- if(verbose)
- warnx("Getting tokens for cell \"%s\"", p->cell);
- if(do_afslog(p->cell))
- failed++;
- }
-
- return failed;
-}
diff --git a/crypto/heimdal-0.6.3/appl/afsutil/afslog.cat1 b/crypto/heimdal-0.6.3/appl/afsutil/afslog.cat1
deleted file mode 100644
index d662b4eadf..0000000000
--- a/crypto/heimdal-0.6.3/appl/afsutil/afslog.cat1
+++ /dev/null
@@ -1,60 +0,0 @@ - -AFSLOG(1) UNIX Reference Manual AFSLOG(1) - -NNAAMMEE - aaffsslloogg - obtain AFS tokens - -SSYYNNOOPPSSIISS - aaffsslloogg [--cc _c_e_l_l | ----cceellll==_c_e_l_l] [--pp _p_a_t_h | ----ffiillee==_p_a_t_h] [--kk _r_e_a_l_m | - ----rreeaallmm==_r_e_a_l_m] [----nnoo--vv44] [----nnoo--vv55] [--uu | ----uunnlloogg] [--vv | ----vveerrbboossee] - [----vveerrssiioonn] [--hh | ----hheellpp] [_c_e_l_l | _p_a_t_h _._._.] - -DDEESSCCRRIIPPTTIIOONN - aaffsslloogg obtains AFS tokens for a number of cells. What cells to get tokens - for can either be specified as an explicit list, as file paths to get to- - kens for, or be left unspecified, in which case aaffsslloogg will use whatever - magic krb_afslog(3) decides upon. - - Supported options: - - --cc _c_e_l_l_, ----cceellll==_c_e_l_l - This specified one or more cell names to get tokens for. - - --pp _p_a_t_h, ----ffiillee==_p_a_t_h - This specified one or more file paths for which tokens should be - obtained. - - --kk _r_e_a_l_m, ----rreeaallmm==_r_e_a_l_m - This is the Kerberos realm the AFS servers live in, this should - normally not be specified. - - ----nnoo--vv44 - This makes aaffsslloogg not try using Kerberos 4. - - ----nnoo--vv55 - This makes aaffsslloogg not try using Kerberos 5. - - --uu, ----uunnlloogg - Destroy tokens instead of obtaining new. If this is specified, - all other options are ignored (except for ----hheellpp and ----vveerrssiioonn). - - --vv, ----vveerrbboossee - Adds more verbosity for what is actually going on. - Instead of using --cc and --pp, you may also pass a list of cells and file - paths after any other options. These arguments are considered files if - they are either the strings ``.'' or ``..'' or they contain a slash, or - if there exists a file by that name. 
- -EEXXAAMMPPLLEESS - Assuming that there is no file called ``openafs.org'' in the current di- - rectory, and that _/_a_f_s_/_o_p_e_n_a_f_s_._o_r_g points to that cell, the follwing - should be identical: - - $ afslog -c openafs.org - $ afslog openafs.org - $ afslog /afs/openafs.org/some/file - -SSEEEE AALLSSOO - krb_afslog(3) - - HEIMDAL November 26, 2002 1 diff --git a/crypto/heimdal-0.6.3/appl/afsutil/pagsh.c b/crypto/heimdal-0.6.3/appl/afsutil/pagsh.c deleted file mode 100644 index d61dba2fa1..0000000000 --- a/crypto/heimdal-0.6.3/appl/afsutil/pagsh.c +++ /dev/null 
@@ -1,183 +0,0 @@
-/*
- * Copyright (c) 1995 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-#endif
-
-RCSID("$Id: pagsh.c,v 1.6 2002/08/23 17:54:20 assar Exp $");
-
-#include
-#include
-#include
-#include
-#ifdef HAVE_SYS_TYPES_H
-#include
-#endif
-#include
-#ifdef HAVE_FCNTL_H
-#include
-#endif
-#ifdef HAVE_PWD_H
-#include
-#endif
-
-#ifdef KRB5
-#include
-#endif
-#ifdef KRB4
-#include
-#endif
-#include
-
-#include
-#include
-#include
-
-static int help_flag;
-static int version_flag;
-static int c_flag;
-
-struct getargs getargs[] = {
- { NULL, 'c', arg_flag, &c_flag },
- { "version", 0, arg_flag, &version_flag },
- { "help", 'h', arg_flag, &help_flag },
-};
-
-static int num_args = sizeof(getargs) / sizeof(getargs[0]);
-
-static void
-usage(int ecode)
-{
- arg_printusage(getargs, num_args, NULL, "command [args...]");
- exit(ecode);
-}
-
-/*
- * Run command with a new ticket file / credentials cache / token
- */
-
-int
-main(int argc, char **argv)
-{
- int f;
- char tf[1024];
- char *p;
-
- char *path;
- char **args;
- int i;
- int optind = 0;
-
- set_progname(argv[0]);
- if(getarg(getargs, num_args, argc, argv, &optind))
- usage(1);
- if(help_flag)
- usage(0);
- if(version_flag) {
- print_version(NULL);
- exit(0);
- }
-
- argc -= optind;
- argv += optind;
-
-#ifdef KRB5
- snprintf (tf, sizeof(tf), "%sXXXXXX", KRB5_DEFAULT_CCROOT);
- f = mkstemp (tf + 5);
- close (f);
- unlink (tf + 5);
- esetenv("KRB5CCNAME", tf, 1);
-#endif
-
-#ifdef KRB4
- snprintf (tf, sizeof(tf), "%s_XXXXXX", TKT_ROOT);
- f = mkstemp (tf);
- close (f);
- unlink (tf);
- esetenv("KRBTKFILE", tf, 1);
-#endif
-
- i = 0;
-
- args = (char **) malloc((argc + 10)*sizeof(char *));
- if (args == NULL)
- errx (1, "Out of memory allocating %lu bytes",
- (unsigned long)((argc + 10)*sizeof(char *)));
-
- if(*argv == NULL) {
- path = getenv("SHELL");
- if(path == NULL){
- struct passwd *pw = k_getpwuid(geteuid());
- path = strdup(pw->pw_shell);
- }
- } else {
- path = strdup(*argv++);
- }
- if (path == NULL)
- errx (1, "Out of memory copying path");
-
- p=strrchr(path, '/');
- if(p)
- args[i] = strdup(p+1);
- else
- args[i] = strdup(path);
-
- if (args[i++] == NULL)
- errx (1, "Out of memory copying arguments");
-
- while(*argv)
- args[i++] = *argv++;
-
- args[i++] = NULL;
-
- if(k_hasafs())
- k_setpag();
-
- unsetenv("PAGPID");
- execvp(path, args);
- if (errno == ENOENT) {
- char **sh_args = malloc ((i + 2) * sizeof(char *));
- int j;
-
- if (sh_args == NULL)
- errx (1, "Out of memory copying sh arguments");
- for (j = 1; j < i; ++j)
- sh_args[j + 2] = args[j];
- sh_args[0] = "sh";
- sh_args[1] = "-c";
- sh_args[2] = path;
- execv ("/bin/sh", sh_args);
- }
- err (1, "execvp");
-}
diff --git a/crypto/heimdal-0.6.3/appl/dceutils/ChangeLog b/crypto/heimdal-0.6.3/appl/dceutils/ChangeLog
deleted file mode 100644
index f8925c86ec..0000000000
--- a/crypto/heimdal-0.6.3/appl/dceutils/ChangeLog
+++ /dev/null
@@ -1,27 +0,0 @@
-2002-08-12 Johan Danielsson
-
- * Makefile.am: rename dpagaix_LDFLAGS etc to appease automake
-
-2001-08-24 Assar Westerlund
-
- * Makefile.am (dpagaix): make sure of using $(EXEEXT) just to
- please automake (this is aix-only code)
-
-2001-02-07 Assar Westerlund
-
- * Makefile.am (dpagaix): needs to be linked with ld, add an
- explicit command for it. from Ake Sandgren
-
-2000-10-02 Assar Westerlund
-
- * Makefile.am: link with roken on everything except irix, where
- apperently it fails. reported by Ake Sandgren
-
-2000-07-17 Johan Danielsson
-
- * Makefile.am: set compiler flags
-
-2000-07-01 Assar Westerlund
-
- * imported stuff from Ake Sandgren
-
diff --git a/crypto/heimdal-0.6.3/appl/dceutils/Makefile.am b/crypto/heimdal-0.6.3/appl/dceutils/Makefile.am
deleted file mode 100644
index bf795204b2..0000000000
--- a/crypto/heimdal-0.6.3/appl/dceutils/Makefile.am
+++ /dev/null
@@ -1,30 +0,0 @@
-# $Id: Makefile.am,v 1.8 2002/08/12 15:03:43 joda Exp $
-
-include $(top_srcdir)/Makefile.am.common
-
-
-DFSPROGS = k5dcecon
-if AIX
-AIX_DFSPROGS = dpagaix
-endif
-
-libexec_PROGRAMS = $(DFSPROGS) $(AIX_DFSPROGS)
-
-dpagaix_CFLAGS = $(dpagaix_cflags)
-dpagaix_LDFLAGS = $(dpagaix_ldflags)
-dpagaix_LDADD = $(dpagaix_ldadd)
-
-dpagaix$(EXEEXT): $(dpagaix_OBJECTS)
- ld -edpagaix -o dpagaix$(EXEEXT) $(dpagaix_OBJECTS) $(srcdir)/dfspag.exp
-
-LIB_dce = -ldce
-
-k5dcecon_SOURCES = k5dcecon.c k5dce.h
-
-dpagaix_SOURCES = dpagaix.c
-
-if IRIX
-LDADD = $(LIB_dce)
-else
-LDADD = $(LIB_roken) $(LIB_dce)
-endif
diff --git a/crypto/heimdal-0.6.3/appl/dceutils/Makefile.in b/crypto/heimdal-0.6.3/appl/dceutils/Makefile.in
deleted file mode 100644
index 95ed827f26..0000000000
--- a/crypto/heimdal-0.6.3/appl/dceutils/Makefile.in
+++ /dev/null
@@ -1,783 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.8 2002/08/12 15:03:43 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - -SOURCES = $(dpagaix_SOURCES) $(k5dcecon_SOURCES) - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../.. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ - $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common ChangeLog -libexec_PROGRAMS = $(am__EXEEXT_1) $(am__EXEEXT_2) -subdir = appl/dceutils -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ 
- $(top_srcdir)/cf/krb-struct-spwd.m4 \ - $(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -am__EXEEXT_1 = k5dcecon$(EXEEXT) -@AIX_TRUE@am__EXEEXT_2 = dpagaix$(EXEEXT) -am__installdirs = "$(DESTDIR)$(libexecdir)" -libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -PROGRAMS = $(libexec_PROGRAMS) -am_dpagaix_OBJECTS = dpagaix-dpagaix.$(OBJEXT) -dpagaix_OBJECTS = $(am_dpagaix_OBJECTS) -am__DEPENDENCIES_1 = -dpagaix_DEPENDENCIES = $(am__DEPENDENCIES_1) -am_k5dcecon_OBJECTS = k5dcecon.$(OBJEXT) -k5dcecon_OBJECTS = $(am_k5dcecon_OBJECTS) -k5dcecon_LDADD = $(LDADD) -@IRIX_FALSE@k5dcecon_DEPENDENCIES = $(am__DEPENDENCIES_1) \ -@IRIX_FALSE@ $(am__DEPENDENCIES_1) -@IRIX_TRUE@k5dcecon_DEPENDENCIES = $(am__DEPENDENCIES_1) -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -SOURCES = $(dpagaix_SOURCES) $(k5dcecon_SOURCES) -DIST_SOURCES = $(dpagaix_SOURCES) $(k5dcecon_SOURCES) -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ 
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ 
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = 
@dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -DFSPROGS = k5dcecon -@AIX_TRUE@AIX_DFSPROGS = dpagaix -dpagaix_CFLAGS = $(dpagaix_cflags) 
-dpagaix_LDFLAGS = $(dpagaix_ldflags) -dpagaix_LDADD = $(dpagaix_ldadd) -LIB_dce = -ldce -k5dcecon_SOURCES = k5dcecon.c k5dce.h -dpagaix_SOURCES = dpagaix.c -@IRIX_FALSE@LDADD = $(LIB_roken) $(LIB_dce) -@IRIX_TRUE@LDADD = $(LIB_dce) -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps appl/dceutils/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps appl/dceutils/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -install-libexecPROGRAMS: $(libexec_PROGRAMS) - @$(NORMAL_INSTALL) - test -z "$(libexecdir)" || $(mkdir_p) "$(DESTDIR)$(libexecdir)" - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " 
$(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(libexecdir)/$$f'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(libexecdir)/$$f" || exit 1; \ - else :; fi; \ - done - -uninstall-libexecPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f '$(DESTDIR)$(libexecdir)/$$f'"; \ - rm -f "$(DESTDIR)$(libexecdir)/$$f"; \ - done - -clean-libexecPROGRAMS: - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -k5dcecon$(EXEEXT): $(k5dcecon_OBJECTS) $(k5dcecon_DEPENDENCIES) - @rm -f k5dcecon$(EXEEXT) - $(LINK) $(k5dcecon_LDFLAGS) $(k5dcecon_OBJECTS) $(k5dcecon_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c $< - -.c.obj: - $(COMPILE) -c `$(CYGPATH_W) '$<'` - -.c.lo: - $(LTCOMPILE) -c -o $@ $< - -dpagaix-dpagaix.o: dpagaix.c - $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dpagaix_CFLAGS) $(CFLAGS) -c -o dpagaix-dpagaix.o `test -f 'dpagaix.c' || echo '$(srcdir)/'`dpagaix.c - -dpagaix-dpagaix.obj: dpagaix.c - $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dpagaix_CFLAGS) $(CFLAGS) -c -o dpagaix-dpagaix.obj `if test -f 'dpagaix.c'; then $(CYGPATH_W) 'dpagaix.c'; else $(CYGPATH_W) '$(srcdir)/dpagaix.c'; fi` - -dpagaix-dpagaix.lo: dpagaix.c - $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dpagaix_CFLAGS) $(CFLAGS) -c -o dpagaix-dpagaix.lo `test -f 'dpagaix.c' || echo '$(srcdir)/'`dpagaix.c - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - 
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/../.. 
$(distdir)/../../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) all-local -installdirs: - for dir in "$(DESTDIR)$(libexecdir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." 
-clean: clean-am - -clean-am: clean-generic clean-libexecPROGRAMS clean-libtool \ - mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: install-libexecPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-info-am uninstall-libexecPROGRAMS - -.PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \ - clean clean-generic clean-libexecPROGRAMS clean-libtool ctags \ - distclean distclean-compile distclean-generic \ - distclean-libtool distclean-tags distdir dvi dvi-am html \ - html-am info info-am install install-am install-data \ - install-data-am install-exec install-exec-am install-info \ - install-info-am install-libexecPROGRAMS install-man \ - install-strip installcheck installcheck-am installdirs \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ - pdf pdf-am ps ps-am tags uninstall uninstall-am \ - uninstall-info-am uninstall-libexecPROGRAMS - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - 
@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - 
case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -dpagaix$(EXEEXT): $(dpagaix_OBJECTS) - ld -edpagaix -o dpagaix$(EXEEXT) $(dpagaix_OBJECTS) $(srcdir)/dfspag.exp -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal-0.6.3/appl/dceutils/README.dcedfs b/crypto/heimdal-0.6.3/appl/dceutils/README.dcedfs deleted file mode 100644 index 80a06fec9a..0000000000 --- a/crypto/heimdal-0.6.3/appl/dceutils/README.dcedfs +++ /dev/null 
@@ -1,59 +0,0 @@ -This is a set of patches and files to get a DFS ticket from a k5 ticket. -This code comes from Doug Engert, Argonne Nat. Lab (See dce/README.original -for more info) - -The files in dce are; -testpag: for testing if this is at all possible. -k5dfspag: included in libkrb5 -k5dcecon: Creates (or searches for) the actual DFSPAG ticketfile. -dpagaix: An AIX syscall stub. -README.original: Original README file from Doug Engert - - -Certain applications (rshd/telnetd) have been patched to call the -functions in k5dfspag when the situation is right. They are ifdef -with DCE. The patches are also originally from Doug but they -where against MIT krb5 code and have been merged into heimdal by me. -I will try to fix ftpd soon... - -There is also an ifdefs for DCE && AIX that can be used to make AIX -use DCE for getting group/passwd entries. This is needed if one is running -with a bare bones passwd/group file and AUTHSTATE set to DCE (This will be -more or less clear to people doing this...) I have forced this on for now. - -k5dfspag.c is in lib/krb5 -k5dfspag.c is dependent on DCE only. -It is also POSIX systems only. There are defines for the location of -k5dcecon and dpagaix that needs a correct configure setting. - -k5dcecon needs no special things for the compile except whatever is needed -on the target system to compile dce programs. -(On aix the dce compile flags are: -D_THREAD_SAFE -D_AIX32_THREADS=1 -D_AIX41 -D_AES_SOURCE or one can use xlc_r4 if it is version 3.6.4 or later) - -k5dcecon wants the following libs (on aix 4.3): --ldce (and setenv from somewhere) - -dpagaix is only needed on AIX (see k5dfspag.c). -dpagaix needs dfspag.exp and is linked with -ld -edpagaix -o dpagaix dpagaix.o dfspag.exp - - -Hope to get this into heimdal soon :-) although I know that you will have to -change some things to get it cleanly into configure. 
Since I don't know the -structure of the code (heimdal), nor enough of configure, good enough I -just won't try it myself. - -One more thing, to get this to work one has to put fcache_version = x in -krb5.conf where x = whatever the DCE implementation understands, (usually -1 or 2). -Thanks for adding that... - - -Åke Sandgren (ake@hpc2n.umu.se) -HPC2N -Umeå University -Sweden - -PS -I have now added patches for configure.in and some Makefile.am's to get this -all cleanly (I hope) into heimdal. diff --git a/crypto/heimdal-0.6.3/appl/dceutils/README.original b/crypto/heimdal-0.6.3/appl/dceutils/README.original deleted file mode 100644 index 088702307a..0000000000 --- a/crypto/heimdal-0.6.3/appl/dceutils/README.original +++ /dev/null 
@@ -1,335 +0,0 @@ -KERBEROS and DCE INTEROPERABILITY ROUTINES - -WHAT'S NEW - -When k5dcecon was examining the ticket caches looking to -update one with a newer TGT, it might update the wrong -one for the correct user. This problem was reported by PNNL, -and is now fixed. - -Any Kerberized application can now use a forwarded TGT to establish a -DCE context, or can use a previously established DCE context. This is -both a functional improvement and a performance improvement. - -BACKGROUND - -The MIT Kerberos 5 Release 1.x and DCE 1.1 can interoperate in a -number of ways. This is possible because: - - o DCE used Kerberos 5 internally. Based on the MIT code as of beta 4 - or so, with additional changes. - - o The DCE security server can act as a K5 KDC, as defined in RFC 1510 - and responds on port 88. - - o On the clients, DCE and Kerberos use the same format for the ticket - cache, and then can share it. The KRB5CCNAME environment variable points - at the cache. - - o On the clients, DCE and Kerberos use the same format for the srvtab - file. DCE refers to is a /krb5/v5srvtab and Kerberos as - /etc/krb5.keytab. They can be symlinked. - - o MIT has added many options to the krb5.conf configuration file - which allows newer features of Release 1.0 to be turned off to match - the earlier version of Kerberos upon which DCE is based. - - o DCE will accept a externally obtained Kerberos TGT in place of a - password when establishing a DCE context. - -There are some areas where they differ, including the following: - - o Administration of the database and the keytab files is done by the - DCE routines, rather the the Kerberos kadmin. - - o User password changes must be done using the DCE commands. Kpasswd - does not work. (But there are mods to Kerberos to use the v5passwd - with DCE. - - o DCE goes beyond authentication only, and provides authorization via - the PAC, and the dce-ptgt tickets stored in the cache. Thus a - Kerberos KDC can not act as a DCE security server. 
- - o A DCE cell and Kerberos realm can cross-realm authenticate, but - there can be no intermediate realms. (There are other problems - in this area as well. But directly connected realms/cells do work.) - - o You can't link a module with the DCE library and the Kerberos - library. They have conflicting routines, static data and structures. - -One of the main features of DCE is the Distributed File System -DFS. Access to DFS requires authentication and authorization, and when -one uses a Kerberized network utility such as telnet, a forwarded -Kerberos ticket can be used to establish the DCE context to allow -access to DFS. - - -NEW TO THIS RELEASE - -This release introduces sharing of a DCE context, and PAG, and allows -any Kerberized application to establish or share the context. This is -made possible by using an undocumented feature of DCE which is on at -least the Transarc and IBM releases of DCE 1.1. - -I am in the process of trying to get this contributed to the general -DCE 1.2.2 release as a patch, so it could be included in other vendors -products. HP has expressed interest in doing this, as well as the -OpenGroup if the modification is contributed. You can help by -requesting Transarc and/or IBM to submit this modification to the -OpenGroup and ask your vendor to adopt this modification. - -The feature is a modification to the setpag() system call which will -allow an authorized process to set the PAG to a specific value, and -thus allow unrelated processes to share the same PAG. - -This then allows the Kerberized daemons such as kshd, to exec a DCE -module which established the DCE context. Kshd then sets the -KRB5CCNAME environment variable and then issues the setpag() to use -this context. This solves the linking problem. This is done via the -k5dfspag.c routine. - -The k5dfspag.c code is compiled with the lib/krb5/os routines and -included in the libkrb5. 
A daemon calls krb5_dfs_pag after the -krb5_kuserok has determined that the Kerberos principal and local -userid pair are acceptable. This should be done early so as to give -the daemon access to the home directory which may be located on DFS. -If the .k5login file is used by krb5_kuserok it will need to be -accessed by the daemon and will need special ACL handling. - -The krb5_dfs_pag routine will exec the k5dcecon module to do all the -real work. Upon return, if a PAG is obtained, krb5_dfs_pag with set -the PAG for the current process to the returned PAG value. It will -also set the KRB5CCNAME environment as well. Under DCE the PAG value -is the nnnnnnn part of the name of the cache: -FILE:/opt/dcelocal/var/security/creds/dcecred_nnnnnnnn. - -The k5dcecon routine will attempt to use TGT which may have been -forwarded, to convert it to a DCE context. If there is no TGT, an -attempt will be made to join an existing PAG for the local userid, and -Kerberos principal. If there are existing PAGs, and a forwarded TGT, -k5dcecon will check the lifetime of the forwarded TGT, and if it is -less than the lifetime of the PAG, it will just join the PAG. If it -is greater, it will refresh the PAG using the forwarded TGT. -This approach has the advantage of not requiring many new tickets from -having to be obtained, and allows one to refresh a DCE context, or use -an already established context. - -If the system also has AFS, the AFS krb5_afs_pag should be called -after the krb5_dfs_pag, since cache pointed at via the KRB5CCNAME may -have changed, such as if a DFS PAG has been joined. The AFS code does -not have the capability to join an existing AFS PAG, but can use the -same cache which might already had a -afsx/@ service ticket. - - -WHAT'S IN THIS RELEASE - -The k5prelogin, k5dcelogin, k5afslogin (with ak5log) were designed to -be slipped in between telnetd or klogind and login.krb5. They would -use a forwarded Kerberos ticket to establish a DCE context. 
They are -the older programs which are included here. They work on all DCE -platforms, and don't take advantage of the undocumented setpag -feature. (A version of k5dcelogin is being included with DCE 1.2.2) - -K5dcecon is the new program which can be used to create, update or -join a DCE context. k5dcecon returns KRB5CCNAME string which contains -the PAG. - -k5dfspag.c is to be built in the MIT Kerberos 5 release 1.0 patchlevel -1 and added to the libkrb5. It will exec k5dcecon and upon return set -the KRB5CCNAME and PAG. Mods to Kerberized klogind, rshd, telnetd, -ftpd are available to use the k5dfspag. - -Testpag.c is a test programs to see if the PAG can be set. - -The cpwkey.c routine can be used to change a key in the DCE registry, -by adding the key directly, or by setting the salt/pepper and password -or by providing the key and the pepper. This could be useful when -coping keys from a K4 or AFS database to DCE. It can also be used when -setting a DCE to K5 cross-cell key. This program is a test program -For mass inserts, it should be rewritten to read from stdin. - -K5dcelogin can also be called directly, much like dce_login. -I use the following commands in effect do the same thing as dce_login -and get a forwardable ticket, DCE context and an AFS token: - - #!/bin/csh - # simulate a dce_login using krb5 kinit and k5dcelogin - # - setenv KRB5CCNAME FILE:/tmp/krb5cc_p$$ - /krb5/bin/kinit -f - exec /krb5/sbin/k5dcelogin /krb5/sbin/k5afslogin /bin/csh - #exec /krb5/sbin/k5dcelogin /bin/csh - -This could be useful in a mixed cell where "AS_REQ" messages are -handled by a K5 KDC, but DCE RPCs are handled by the DCE security -server. - -TESTING THE SETPAG - -The krb5_dfs_pag routine relies on an undocumented feature which is -in the AIX and Transarc Solaris ports of DCE and has been recently -added to the SGI version. To test if this feature is present -on some other DFS implementation use the testpag routine. 
- -The testpag routine attempts to set a PAG value to one you supply. It -uses the afs_syscall with the afs_setpag, and passes the supplied -PAG value as the next parameter. On an unmodifed system, this -will be ignored, and a new will be set. You should also check that -if run as a user, you cannot join a PAG owned by another user. -When run as root, any PAG should be usable. - -On a machine with DFS running, do a dce_login to get a DCE context and -PAG. ECHO the KRB5CCNAME and look at the nnnnnnnn at the end. It -should look like an 8 char hex value, which may be 41ffxxxx on some -systems. - -Su to root and unsetenv KRB5CCNAME. Do a testpag -n nnnnnnnn where -nnnnnnnn is the PAG obtained for the above name. - -It should look like this example on an AIX 4.1.4 system: - - pembroke# ./testpag -n 63dc9997 - calling k5dcepag newpag=63dc9997 - PAG returned = 63dc9997 - -You will be running under a new shell with the PAG and KRB5CCNAME set. -If the PAG returned is the same as the newpag, then it worked. You can -further verify this by doing a DCE klist, cd to DFS and a DCE klist -again. The klist should show some tickets for DFS servers. - -If the PAG returned is not the same, and repeated attempts show a -returned PAG decremented by 1 from the previous returned PAG, then -this system does not have the modification For example: - - # ./testpag -n 41fffff9 - calling k5dcepag newpag=41fffff9 - PAG returned = 41fffff8 - # ./testpag -n 41fffff9 - calling k5dcepag newpag=41fffff9 - PAG returned = 41fffff7 - -In this case the syscall is ignoring the newpag parameter. - -Running it with -n 0 should get the next PAG value with or without -this modification. 
- -If the DFS kernel extensions are not installed, you would get -something like this: - - caliban.ctd.anl.gov% ./testpag -n 012345678 - calling k5dcepag newpag=012345678 - Setpag failed with a system error - PAG returned = ffffffff - Not a good pag value - -If you DFS implementation does not have this modification, you could -attempt to install it yourself. But this requires source and requires -modifications to the kernel extensions. At the end of this note is an -untested sample using the DCE 1.2.2 source code. You can also contact -your system vendor and ask for this modification. - -UNICOS has a similar function setppag(newpag) which can be used to set -the PAG of the parent. Contact me if you are interested. - -HOW TO INSTALL - -Examine the k5dfspag.c file to make sure the DFS syscalls are correct -for your platform. See the /opt/dcelocal/share/include/dcedfs/syscall.h -on Solaris for example. - -You should build the testpag routine and make sure it works before -adding all the other mods. If it fails you can still use the klogind -and telnetd with the k5prelogin and k5dcelogin code. - -If you intend to install with a prefix other than /krb5, change: -DPAGAIX and K5DCECON in k5dfspag.c; the three references in -k5prelogin.c; and the DESTDIR in the Makefile. - -Get k5101.cdiff.xxxxxx.tar file and install the mods for ANL_DFS_PAG -and ANL_DCE to the MIT Kerberos 5 source. These mods turn on some DCE -related changes and the calls to krb5_dfs_pag. - -Symlink or copy the k5dfspag.c to the src/lib/krb5/os directory. - -Add the -DANL_DFS_PAG and -DANL_DCE flags to the configuration. - -Configure and Build the Kerberos v5. - -Modify the k5dce Makefile for your system. - -Build the k5dcecon and related programs. - -Install both the MIT Kerberos v5 and the k5dcecon and dpagaix if AIX. - -The makefile can also build k5dcelogin and k5prelogin. 
The install -can install k5dcelogin, k5prelogin and update the links for login.krb5 --> k5prelogin and moving login.krb5 to login.k5. If you will be using -the k5dcecon/k5dfspag with the Kerberos mods, you don't need -k5prelogin, or the links changed, and may not need k5dcelogin. - -Note that Transarc has obfuscated the entries to the lib, and -the 1.0.3a is different from the 1.1. You may need to build two -versions of the k5dcelogin and/or k5dcecon one for each. - -AIX ONLY - -The dpagaix routine is needed for AIX because of the way they do the -syscalls. - -The following fix.aix.libdce.mk is not needed if dce 2.1.0.21 -has been installed. This PTF exposed the needed entrypoints. - -The fix.aix.libdce.mk is a Makefile for AIX 4.x to add the required -external entry points to the libdce.a. These are needed by k5dcecon -and k5dcelogin. A bug report was submitted to IBM on this, and it was -rejected. But since DCE 1.2.2 will have a k5dcelogin, this should not -be needed with 1.2.2 - -Copy /usr/lib/libdce.a to /usr/libdce.a.orig before starting. Copy the -makefile to its own directory. It will create a new libdce.a which you -need to copy back to /usr/lib/libdce.a You will need to reboot the -machine. See the /usr/lpp/dce/examples/inst/README.AIX for a similar -procedure. IBM was not responsive in a request to have these added. 
- -UNTESTED KERNEL EXTENSION FOR SETPAG - -*** src/file/osi/,osi_pag.c Wed Oct 2 13:03:05 1996 ---- src/file/osi/osi_pag.c Mon Jul 28 13:53:13 1997 -*************** -*** 293,298 **** ---- 293,302 ---- - int code; - - osi_MakePreemptionRight(); -+ /* allow sharing of a PAG by non child processes DEE- 6/6/97 */ -+ if (unused && osi_GetUID(osi_getucred()) == 0) { -+ newpag = unused; -+ } else { - osi_mutex_enter(&osi_pagLock); - now = osi_Time(); - soonest = osi_firstPagTime + -*************** -*** 309,314 **** ---- 313,319 ---- - } - osi_mutex_exit(&osi_pagLock); - newpag = osi_genpag(); -+ } - osi_pcred_lock(p); - credp = crcopy(osi_getucred()); - code = osi_SetPagInCred(credp, newpag); - -Created 07/08/96 -Modified 09/30/96 -Modified 11/19/96 -Modified 12/19/96 -Modified 06/20/97 -Modified 07/28/97 -Modified 02/18/98 - - Douglas E. Engert - Argonne National Laboratory - 9700 South Cass Avenue - Argonne, Illinois 60439 - (630) 252-5444 diff --git a/crypto/heimdal-0.6.3/appl/dceutils/dfspag.exp b/crypto/heimdal-0.6.3/appl/dceutils/dfspag.exp deleted file mode 100644 index ed39788d5e..0000000000 --- a/crypto/heimdal-0.6.3/appl/dceutils/dfspag.exp +++ /dev/null @@ -1,3 +0,0 @@ -#!/unix -* kernel extentions used to get the pag -kafs_syscall syscall diff --git a/crypto/heimdal-0.6.3/appl/dceutils/dpagaix.c b/crypto/heimdal-0.6.3/appl/dceutils/dpagaix.c deleted file mode 100644 index cbc23cb880..0000000000 --- a/crypto/heimdal-0.6.3/appl/dceutils/dpagaix.c +++ /dev/null 
@@ -1,23 +0,0 @@
-/*
- * dpagaix.c
- * On AIX we need to get the kernel extentions
- * with the DFS kafs_syscall in it.
- * We might be running on a system
- * where DFS is not active.
- * So we use this dummy routine which
- * might not load to do the dirty work
- *
- * DCE does this with the /usr/lib/drivers/dfsloadobj
- *
- */
-
- int dpagaix(parm1, parm2, parm3, parm4, parm5, parm6)
- int parm1;
- int parm2;
- int parm3;
- int parm4;
- int parm5;
- int parm6;
- {
- return(kafs_syscall(parm1, parm2, parm3, parm4, parm5, parm6));
- }
diff --git a/crypto/heimdal-0.6.3/appl/dceutils/k5dce.h b/crypto/heimdal-0.6.3/appl/dceutils/k5dce.h
deleted file mode 100644
index 424ebdc0da..0000000000
--- a/crypto/heimdal-0.6.3/appl/dceutils/k5dce.h
+++ /dev/null
@@ -1,165 +0,0 @@
-/* dummy K5 routines which are needed to get this to
- * compile without having access ti the DCE versions
- * of the header files.
- * Thiis is very crude, and OSF needs to expose the K5
- * API.
- */
-
-#ifdef sun
-/* Transarc obfascates these routines */
-#ifdef DCE_1_1
-
-#define krb5_init_ets _dce_PkjKqOaklP
-#define krb5_copy_creds _dce_LuFxPiITzD
-#define krb5_unparse_name _dce_LWHtAuNgRV
-#define krb5_get_default_realm _dce_vDruhprWGh
-#define krb5_build_principal _dce_qwAalSzTtF
-#define krb5_build_principal_ext _dce_vhafIQlejW
-#define krb5_build_principal_va _dce_alsqToMmuJ
-#define krb5_cc_default _dce_KZRshhTXhE
-#define krb5_cc_default_name _dce_bzJVAjHXVQ
-#define sec_login_krb5_add_cred _dce_ePDtOJTZvU
-
-#else /* DCE 1.0.3a */
-
-#define krb5_init_ets _dce_BmLRpOVsBo
-#define krb5_copy_creds _dce_VGwSEBNwaf
-#define krb5_unparse_name _dce_PgAOkJoMXA
-#define krb5_get_default_realm _dce_plVOzStKyK
-#define krb5_build_principal _dce_uAKSsluIFy
-#define krb5_build_principal_ext _dce_tRMpPiRada
-#define krb5_build_principal_va _dce_SxnLejZemH
-#define krb5_cc_default _dce_SeKosWFnsv
-#define krb5_cc_default_name _dce_qJeaphJWVc
-#define sec_login_krb5_add_cred _dce_uHwRasumsN
-
-#endif
-#endif
-
-/* Define the bare minimum k5 structures which are needed
- * by this program. Since the krb5 includes are not supplied
- * with DCE, these were based on the MIT Kerberos 5 beta 3
- * which should match the DCE as of 1.0.3 at least.
- * The tricky one is the krb5_creds, since one is allocated
- * by this program, and it needs access to the client principal
- * in it.
- * Note that there are no function prototypes, so there is no
- * compile time checking.
- * DEE 07/11/95
- */
-#define NPROTOTYPE(x) ()
-typedef int krb5_int32; /* assuming all DCE systems are 32 bit */
-typedef short krb5short; /* assuming short is 16 bit */
-typedef krb5_int32 krb5_error_code;
-typedef unsigned char krb5_octet;
-typedef krb5_octet krb5_boolean;
-typedef krb5short krb5_keytype; /* in k5.2 it's a short */
-typedef krb5_int32 krb5_flags;
-typedef krb5_int32 krb5_timestamp;
-
-typedef char * krb5_pointer; /* pointer to unexposed data */
-
-typedef struct _krb5_ccache {
- struct _krb5_cc_ops *ops;
- krb5_pointer data;
-} *krb5_ccache;
-
-typedef struct _krb5_cc_ops {
- char *prefix;
- char *(*get_name) NPROTOTYPE((krb5_ccache));
- krb5_error_code (*resolve) NPROTOTYPE((krb5_ccache *, char *));
- krb5_error_code (*gen_new) NPROTOTYPE((krb5_ccache *));
- krb5_error_code (*init) NPROTOTYPE((krb5_ccache, krb5_principal));
- krb5_error_code (*destroy) NPROTOTYPE((krb5_ccache));
- krb5_error_code (*close) NPROTOTYPE((krb5_ccache));
- krb5_error_code (*store) NPROTOTYPE((krb5_ccache, krb5_creds *));
- krb5_error_code (*retrieve) NPROTOTYPE((krb5_ccache, krb5_flags,
- krb5_creds *, krb5_creds *));
- krb5_error_code (*get_princ) NPROTOTYPE((krb5_ccache,
- krb5_principal *));
- krb5_error_code (*get_first) NPROTOTYPE((krb5_ccache,
- krb5_cc_cursor *));
- krb5_error_code (*get_next) NPROTOTYPE((krb5_ccache, krb5_cc_cursor *,
- krb5_creds *));
- krb5_error_code (*end_get) NPROTOTYPE((krb5_ccache, krb5_cc_cursor *));
- krb5_error_code (*remove_cred) NPROTOTYPE((krb5_ccache, krb5_flags,
- krb5_creds *));
- krb5_error_code (*set_flags) NPROTOTYPE((krb5_ccache, krb5_flags));
-} krb5_cc_ops;
-
-typedef struct _krb5_keyblock {
- krb5_keytype keytype;
- int length;
- krb5_octet *contents;
-} krb5_keyblock;
-
-typedef struct _krb5_ticket_times {
- krb5_timestamp authtime;
- krb5_timestamp starttime;
- krb5_timestamp endtime;
- krb5_timestamp renew_till;
-} krb5_ticket_times;
-
-typedef krb5_pointer krb5_cc_cursor;
-
-typedef struct _krb5_data {
- int
length;
- char *data;
-} krb5_data;
-
-typedef struct _krb5_authdata {
- int ad_type;
- int length;
- krb5_octet *contents;
-} krb5_authdata;
-
-typedef struct _krb5_creds {
- krb5_pointer client;
- krb5_pointer server;
- krb5_keyblock keyblock;
- krb5_ticket_times times;
- krb5_boolean is_skey;
- krb5_flags ticket_flags;
- krb5_pointer **addresses;
- krb5_data ticket;
- krb5_data second_ticket;
- krb5_pointer **authdata;
-} krb5_creds;
-
-typedef krb5_pointer krb5_principal;
-
-#define KRB5_CC_END 336760974
-#define KRB5_TC_OPENCLOSE 0x00000001
-
-/* Ticket flags */
-/* flags are 32 bits; each host is responsible to put the 4 bytes
- representing these bits into net order before transmission */
-/* #define TKT_FLG_RESERVED 0x80000000 */
-#define TKT_FLG_FORWARDABLE 0x40000000
-#define TKT_FLG_FORWARDED 0x20000000
-#define TKT_FLG_PROXIABLE 0x10000000
-#define TKT_FLG_PROXY 0x08000000
-#define TKT_FLG_MAY_POSTDATE 0x04000000
-#define TKT_FLG_POSTDATED 0x02000000
-#define TKT_FLG_INVALID 0x01000000
-#define TKT_FLG_RENEWABLE 0x00800000
-#define TKT_FLG_INITIAL 0x00400000
-#define TKT_FLG_PRE_AUTH 0x00200000
-#define TKT_FLG_HW_AUTH 0x00100000
-#ifdef PK_INIT
-#define TKT_FLG_PUBKEY_PREAUTH 0x00080000
-#define TKT_FLG_DIGSIGN_PREAUTH 0x00040000
-#define TKT_FLG_PRIVKEY_PREAUTH 0x00020000
-#endif
-
-
-#define krb5_cc_get_principal(cache, principal) (*(cache)->ops->get_princ)(cache, principal)
-#define krb5_cc_set_flags(cache, flags) (*(cache)->ops->set_flags)(cache, flags)
-#define krb5_cc_get_name(cache) (*(cache)->ops->get_name)(cache)
-#define krb5_cc_start_seq_get(cache, cursor) (*(cache)->ops->get_first)(cache, cursor)
-#define krb5_cc_next_cred(cache, cursor, creds) (*(cache)->ops->get_next)(cache, cursor, creds)
-#define krb5_cc_destroy(cache) (*(cache)->ops->destroy)(cache)
-#define krb5_cc_end_seq_get(cache, cursor) (*(cache)->ops->end_get)(cache, cursor)
-
-/* end of k5 dummy typedefs */
-
diff --git a/crypto/heimdal-0.6.3/appl/dceutils/k5dcecon.c b/crypto/heimdal-0.6.3/appl/dceutils/k5dcecon.c
deleted file mode 100644
index 99310bb34c..0000000000
--- a/crypto/heimdal-0.6.3/appl/dceutils/k5dcecon.c
+++ /dev/null
@@ -1,791 +0,0 @@ -/* - * (c) Copyright 1995 HEWLETT-PACKARD COMPANY - * - * To anyone who acknowledges that this file is provided - * "AS IS" without any express or implied warranty: - * permission to use, copy, modify, and distribute this - * file for any purpose is hereby granted without fee, - * provided that the above copyright notice and this - * notice appears in all copies, and that the name of - * Hewlett-Packard Company not be used in advertising or - * publicity pertaining to distribution of the software - * without specific, written prior permission. Hewlett- - * Packard Company makes no representations about the - * suitability of this software for any purpose. - * - */ -/* - * k5dcecon - Program to convert a K5 TGT to a DCE context, - * for use with DFS and its PAG. - * - * The program is designed to be called as a sub process, - * and return via stdout the name of the cache which implies - * the PAG which should be used. This program itself does not - * use the cache or PAG itself, so the PAG in the kernel for - * this program may not be set. - * - * The calling program can then use the name of the cache - * to set the KRB5CCNAME and PAG for its self and its children. - * - * If no ticket was passed, an attemplt to join an existing - * PAG will be made. - * - * If a forwarded K5 TGT is passed in, either a new DCE - * context will be created, or an existing one will be updated. - * If the same ticket was already used to create an existing - * context, it will be joined instead. - * - * Parts of this program are based on k5dceauth,c which was - * given to me by HP and by the k5dcelogin.c which I developed. - * A slightly different version of k5dcelogin.c, was added to - * DCE 1.2.2 - * - * D. E. 
Engert 6/17/97 ANL - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include "k5dce.h" - -#include -#include -#include - -/* #define DEBUG */ -#if defined(DEBUG) -#define DEEDEBUG(A) fprintf(stderr,A); fflush(stderr) -#define DEEDEBUG2(A,B) fprintf(stderr,A,B); fflush(stderr) -#else -#define DEEDEBUG(A) -#define DEEDEBUG2(A,B) -#endif - -#ifdef __hpux -#define seteuid(A) setresuid(-1,A,-1); -#endif - - -int k5dcecreate (uid_t, char *, char*, krb5_creds **); -int k5dcecon (uid_t, char *, char *); -int k5dcegettgt (krb5_ccache *, char *, char *, krb5_creds **); -int k5dcematch (uid_t, char *, char *, off_t *, krb5_creds **); -int k5dcesession (uid_t, char *, krb5_creds **, int *,krb5_flags); - - -char *progname = "k5dcecon"; -static time_t now; - -#ifdef notdef -#ifdef _AIX -/*---------------------------------------------*/ - /* AIX with DCE 1.1 does not have the com_err in the libdce.a - * do a half hearted job of substituting for it. - */ -void com_err(char *p1, int code, ...) -{ - int lst; - dce_error_string_t err_string; - dce_error_inq_text(code, err_string, &lst); - fprintf(stderr,"Error %d in %s: %s\n", code, p1, err_string ); -} - -/*---------------------------------------------*/ -void krb5_init_ets() -{ - -} -#endif -#endif - - -/*------------------------------------------------*/ -/* find a cache to use for our new pag */ -/* Since there is no simple way to determine which - * caches are associated with a pag, we will have - * do look around and see what makes most sense on - * different systems. - * on a Solaris system, and in the DCE source, - * the pags always start with a 41. - * this is not true on the IBM, where there does not - * appear to be any pattern. - * - * But since we are always certifing our creds when - * they are received, we can us that fact, and look - * at the first word of the associated data file - * to see that it has a "5". If not don't use. 
- */ - -int k5dcesession(luid, pname, tgt, ppag, tflags) - uid_t luid; - char *pname; - krb5_creds **tgt; - int *ppag; - krb5_flags tflags; -{ - DIR *dirp; - struct dirent *direntp; - off_t size; - krb5_timestamp endtime; - int better = 0; - krb5_creds *xtgt; - - char prev_name[17] = ""; - krb5_timestamp prev_endtime; - off_t prev_size; - u_long prev_pag = 0; - - char ccname[64] = "FILE:/opt/dcelocal/var/security/creds/"; - - error_status_t st; - sec_login_handle_t lcontext = 0; - dce_error_string_t err_string; - int lst; - - DEEDEBUG2("k5dcesession looking for flags %8.8x\n",tflags); - - dirp = opendir("/opt/dcelocal/var/security/creds/"); - if (dirp == NULL) { - return 1; - } - - while ( (direntp = readdir( dirp )) != NULL ) { - -/* - * (but root has the ffffffff which we are not interested in) - */ - if (!strncmp(direntp->d_name,"dcecred_",8) - && (strlen(direntp->d_name) == 16)) { - - /* looks like a cache name, lets do the stat, etc */ - - strcpy(ccname+38,direntp->d_name); - if (!k5dcematch(luid, pname, ccname, &size, &xtgt)) { - - /* its one of our caches, see if it is better - * i.e. the endtime is farther, and if the endtimes - * are the same, take the larger, as he who has the - * most tickets wins. - * it must also had the same set of flags at least - * i.e. if the forwarded TGT is forwardable, this one must - * be as well. 
- */ - - DEEDEBUG2("Cache:%s",direntp->d_name); - DEEDEBUG2(" size:%d",size); - DEEDEBUG2(" flags:%8.8x",xtgt->ticket_flags); - DEEDEBUG2(" %s",ctime((time_t *)&xtgt->times.endtime)); - - if ((xtgt->ticket_flags & tflags) == tflags ) { - if (prev_name[0]) { - if (xtgt->times.endtime > prev_endtime) { - better = 1; - } else if ((xtgt->times.endtime = prev_endtime) - && (size > prev_size)){ - better = 1; - } - } else { /* the first */ - if (xtgt->times.endtime >= now) { - better = 1; - } - } - if (better) { - strcpy(prev_name, direntp->d_name); - prev_endtime = xtgt->times.endtime; - prev_size = size; - sscanf(prev_name+8,"%8X",&prev_pag); - *tgt = xtgt; - better = 0; - } - } - } - } - } - (void)closedir( dirp ); - - if (!prev_name[0]) - return 1; /* failed to find one */ - - DEEDEBUG2("Best: %s\n",prev_name); - - if (ppag) - *ppag = prev_pag; - - strcpy(ccname+38,prev_name); - setenv("KRB5CCNAME",ccname,1); - - return(0); -} - - -/*----------------------------------------------*/ -/* see if this cache is for this this principal */ - -int k5dcematch(luid, pname, ccname, sizep, tgt) - uid_t luid; - char *pname; - char *ccname; - off_t *sizep; /* size of the file */ - krb5_creds **tgt; -{ - - krb5_ccache cache; - struct stat stbuf; - char ccdata[256]; - int fd; - int status; - - /* DEEDEBUG2("k5dcematch called: cache=%s\n",ccname+38); */ - - if (!strncmp(ccname,"FILE:",5)) { - - strcpy(ccdata,ccname+5); - strcat(ccdata,".data"); - - /* DEEDEBUG2("Checking the .data file for %s\n",ccdata); */ - - if (stat(ccdata, &stbuf)) - return(1); - - if (stbuf.st_uid != luid) - return(1); - - if ((fd = open(ccdata,O_RDONLY)) == -1) - return(1); - - if ((read(fd,&status,4)) != 4) { - close(fd); - return(1); - } - - /* DEEDEBUG2(".data file status = %d\n", status); */ - - if (status != 5) - return(1); - - if (stat(ccname+5, &stbuf)) - return(1); - - if (stbuf.st_uid != luid) - return(1); - - *sizep = stbuf.st_size; - } - - return(k5dcegettgt(&cache, ccname, pname, tgt)); -} - - 
-/*----------------------------------------*/ -/* k5dcegettgt - get the tgt from a cache */ - -int k5dcegettgt(pcache, ccname, pname, tgt) - krb5_ccache *pcache; - char *ccname; - char *pname; - krb5_creds **tgt; - -{ - krb5_ccache cache; - krb5_cc_cursor cur; - krb5_creds creds; - int code; - int found = 1; - krb5_principal princ; - char *kusername; - krb5_flags flags; - char *sname, *realm, *tgtname = NULL; - - /* Since DCE does not expose much of the Kerberos interface, - * we will have to use what we can. This means setting the - * KRB5CCNAME for each file we want to test - * We will also not worry about freeing extra cache structures - * as this this routine is also not exposed, and this should not - * effect this module. - * We should also free the creds contents, but that is not exposed - * either. - */ - - setenv("KRB5CCNAME",ccname,1); - cache = NULL; - *tgt = NULL; - - if (code = krb5_cc_default(pcache)) { - com_err(progname, code, "while getting ccache"); - goto return2; - } - - DEEDEBUG("Got cache\n"); - flags = 0; - if (code = krb5_cc_set_flags(*pcache, flags)) { - com_err(progname, code,"While setting flags"); - goto return2; - } - DEEDEBUG("Set flags\n"); - if (code = krb5_cc_get_principal(*pcache, &princ)) { - com_err(progname, code, "While getting princ"); - goto return1; - } - DEEDEBUG("Got principal\n"); - if (code = krb5_unparse_name(princ, &kusername)) { - com_err(progname, code, "While unparsing principal"); - goto return1; - } - - DEEDEBUG2("Unparsed to \"%s\"\n", kusername); - DEEDEBUG2("pname is \"%s\"\n", pname); - if (strcmp(kusername, pname)) { - DEEDEBUG("Principals not equal\n"); - goto return1; - } - DEEDEBUG("Principals equal\n"); - - realm = strchr(pname,'@'); - realm++; - - if ((tgtname = malloc(9 + 2 * strlen(realm))) == 0) { - fprintf(stderr,"Malloc failed for tgtname\n"); - goto return1; - } - - strcpy(tgtname,"krbtgt/"); - strcat(tgtname,realm); - strcat(tgtname,"@"); - strcat(tgtname,realm); - - DEEDEBUG2("Getting tgt %s\n", 
tgtname); - if (code = krb5_cc_start_seq_get(*pcache, &cur)) { - com_err(progname, code, "while starting to retrieve tickets"); - goto return1; - } - - while (!(code = krb5_cc_next_cred(*pcache, &cur, &creds))) { - krb5_creds *cred = &creds; - - if (code = krb5_unparse_name(cred->server, &sname)) { - com_err(progname, code, "while unparsing server name"); - continue; - } - - if (strncmp(sname, tgtname, strlen(tgtname)) == 0) { - DEEDEBUG("FOUND\n"); - if (code = krb5_copy_creds(&creds, tgt)) { - com_err(progname, code, "while copying TGT"); - goto return1; - } - found = 0; - break; - } - /* we should do a krb5_free_cred_contents(creds); */ - } - - if (code = krb5_cc_end_seq_get(*pcache, &cur)) { - com_err(progname, code, "while finishing retrieval"); - goto return2; - } - -return1: - flags = KRB5_TC_OPENCLOSE; - krb5_cc_set_flags(*pcache, flags); /* force a close */ - -return2: - if (tgtname) - free(tgtname); - - return(found); -} - - -/*------------------------------------------*/ -/* Convert a forwarded TGT to a DCE context */ -int k5dcecon(luid, luser, pname) - uid_t luid; - char *luser; - char *pname; -{ - - krb5_creds *ftgt = NULL; - krb5_creds *tgt = NULL; - unsigned32 dfspag; - boolean32 reset_passwd = 0; - int lst; - dce_error_string_t err_string; - char *shell_prog; - krb5_ccache fcache; - char *ccname; - char *kusername; - char *urealm; - char *cp; - int pag; - int code; - krb5_timestamp endtime; - - - /* If there is no cache to be converted, we should not be here */ - - if ((ccname = getenv("KRB5CCNAME")) == NULL) { - DEEDEBUG("No KRB5CCNAME\n"); - return(1); - } - - if (k5dcegettgt(&fcache, ccname, pname, &ftgt)) { - fprintf(stderr, "%s: Did not find TGT\n", progname); - return(1); - } - - - DEEDEBUG2("flags=%x\n",ftgt->ticket_flags); - if (!(ftgt->ticket_flags & TKT_FLG_FORWARDABLE)){ - fprintf(stderr,"Ticket not forwardable\n"); - return(0); /* but OK to continue */ - } - - setenv("KRB5CCNAME","",1); - -#define TKT_ACCEPTABLE (TKT_FLG_FORWARDABLE | 
TKT_FLG_PROXIABLE \ - | TKT_FLG_MAY_POSTDATE | TKT_FLG_RENEWABLE | TKT_FLG_HW_AUTH \ - | TKT_FLG_PRE_AUTH) - - if (!k5dcesession(luid, pname, &tgt, &pag, - (ftgt->ticket_flags & TKT_ACCEPTABLE))) { - if (ftgt->times.endtime > tgt->times.endtime) { - DEEDEBUG("Updating existing cache\n"); - return(k5dceupdate(&ftgt, pag)); - } else { - DEEDEBUG("Using existing cache\n"); - return(0); /* use the original one */ - } - } - /* see if the tgts match up */ - - if ((code = k5dcecreate(luid, luser, pname, &ftgt))) { - return (code); - } - - /* - * Destroy the Kerberos5 cred cache file. - * but dont care aout the return code. - */ - - DEEDEBUG("Destroying the old cache\n"); - if ((code = krb5_cc_destroy(fcache))) { - com_err(progname, code, "while destroying Kerberos5 ccache"); - } - return (0); -} - - -/*--------------------------------------------------*/ -/* k5dceupdate - update the cache with a new TGT */ -/* Assumed that the KRB5CCNAME has been set */ - -int k5dceupdate(krbtgt, pag) - krb5_creds **krbtgt; - int pag; -{ - - krb5_ccache ccache; - int code; - - if (code = krb5_cc_default(&ccache)) { - com_err(progname, code, "while opening cache for update"); - return(2); - } - - if (code = ccache->ops->init(ccache,(*krbtgt)->client)) { - com_err(progname, code, "while reinitilizing cache"); - return(3); - } - - /* krb5_cc_store_cred */ - if (code = ccache->ops->store(ccache, *krbtgt)) { - com_err(progname, code, "while updating cache"); - return(2); - } - - sec_login_pag_new_tgt(pag, (*krbtgt)->times.endtime); - return(0); -} -/*--------------------------------------------------*/ -/* k5dcecreate - create a new DCE context */ - -int k5dcecreate(luid, luser, pname, krbtgt) - uid_t luid; - char *luser; - char *pname; - krb5_creds **krbtgt; -{ - - char *cp; - char *urealm; - char *username; - char *defrealm; - uid_t uid; - - error_status_t st; - sec_login_handle_t lcontext = 0; - sec_login_auth_src_t auth_src = 0; - boolean32 reset_passwd = 0; - int lst; - dce_error_string_t 
err_string; - - setenv("KRB5CCNAME","",1); /* make sure it not misused */ - - uid = getuid(); - DEEDEBUG2("uid=%d\n",uid); - - /* if run as root, change to user, so as to have the - * cache created for the local user even if cross-cell - * If run as a user, let standard file protection work. - */ - - if (uid == 0) { - seteuid(luid); - } - - cp = strchr(pname,'@'); - *cp = '\0'; - urealm = ++cp; - - DEEDEBUG2("basename=%s\n",cp); - DEEDEBUG2("realm=%s\n",urealm); - - /* now build the username as a single string or a /.../cell/user - * if this is a cross cell - */ - - if ((username = malloc(7+strlen(pname)+strlen(urealm))) == 0) { - fprintf(stderr,"Malloc failed for username\n"); - goto abort; - } - if (krb5_get_default_realm(&defrealm)) { - DEEDEBUG("krb5_get_default_realm failed\n"); - goto abort; - } - - - if (!strcmp(urealm,defrealm)) { - strcpy(username,pname); - } else { - strcpy(username,"/.../"); - strcat(username,urealm); - strcat(username,"/"); - strcat(username,pname); - } - - /* - * Setup a DCE login context - */ - - if (sec_login_setup_identity((unsigned_char_p_t)username, - (sec_login_external_tgt|sec_login_proxy_cred), - &lcontext, &st)) { - /* - * Add our TGT. - */ - DEEDEBUG("Adding our new TGT\n"); - sec_login_krb5_add_cred(lcontext, *krbtgt, &st); - if (st) { - dce_error_inq_text(st, err_string, &lst); - fprintf(stderr, - "Error while adding credentials for %s because %s\n", - username, err_string); - goto abort; - } - DEEDEBUG("validating and certifying\n"); - /* - * Now "validate" and certify the identity, - * usually we would pass a password here, but... 
- * sec_login_valid_and_cert_ident - * sec_login_validate_identity - */ - - if (sec_login_validate_identity(lcontext, 0, &reset_passwd, - &auth_src, &st)) { - DEEDEBUG2("validate_identity st=%d\n",st); - if (st) { - dce_error_inq_text(st, err_string, &lst); - fprintf(stderr, "Validation error for %s because %s\n", - username, err_string); - goto abort; - } - if (!sec_login_certify_identity(lcontext,&st)) { - dce_error_inq_text(st, err_string, &lst); - fprintf(stderr, - "Credentials not certified because %s\n",err_string); - } - if (reset_passwd) { - fprintf(stderr, - "Password must be changed for %s\n", username); - } - if (auth_src == sec_login_auth_src_local) { - fprintf(stderr, - "Credentials obtained from local registry for %s\n", - username); - } - if (auth_src == sec_login_auth_src_overridden) { - fprintf(stderr, "Validated %s from local override entry, no network credentials obtained\n", username); - goto abort; - - } - /* - * Actually create the cred files. - */ - DEEDEBUG("Ceating new cred files.\n"); - sec_login_set_context(lcontext, &st); - if (st) { - dce_error_inq_text(st, err_string, &lst); - fprintf(stderr, - "Unable to set context for %s because %s\n", - username, err_string); - goto abort; - } - - /* - * Now free up the local context and leave the - * network context with its pag - */ -#if 0 - sec_login_release_context(&lcontext, &st); - if (st) { - dce_error_inq_text(st, err_string, &lst); - fprintf(stderr, - "Unable to release context for %s because %s\n", - username, err_string); - goto abort; - } -#endif - } - else { - DEEDEBUG2("validate failed %d\n",st); - dce_error_inq_text(st, err_string, &lst); - fprintf(stderr, - "Unable to validate %s because %s\n", username, - err_string); - goto abort; - } - } - else { - dce_error_inq_text(st, err_string, &lst); - fprintf(stderr, - "Unable to setup login entry for %s because %s\n", - username, err_string); - goto abort; - } - - done: - /* if we were root, get back to root */ - - 
DEEDEBUG2("sec_login_inq_pag %8.8x\n", - sec_login_inq_pag(lcontext, &st)); - - if (uid == 0) { - seteuid(0); - } - - DEEDEBUG("completed\n"); - return(0); - - abort: - if (uid == 0) { - seteuid(0); - } - - DEEDEBUG("Aborting\n"); - return(2); -} - - - -/*-------------------------------------------------*/ -main(argc, argv) - int argc; - char *argv[]; -{ - int status; - extern int optind; - extern char *optarg; - int rv; - - char *lusername = NULL; - char *pname = NULL; - int fflag = 0; - struct passwd *pw; - uid_t luid; - uid_t myuid; - char *ccname; - krb5_creds *tgt = NULL; - -#ifdef DEBUG - close(2); - open("/tmp/k5dce.debug",O_WRONLY|O_CREAT|O_APPEND, 0600); -#endif - - if (myuid = getuid()) { - DEEDEBUG2("UID = %d\n",myuid); - exit(33); /* must be root to run this, get out now */ - } - - while ((rv = getopt(argc,argv,"l:p:fs")) != -1) { - DEEDEBUG2("Arg = %c\n", rv); - switch(rv) { - case 'l': /* user name */ - lusername = optarg; - DEEDEBUG2("Optarg = %s\n", optarg); - break; - case 'p': /* principal name */ - pname = optarg; - DEEDEBUG2("Optarg = %s\n", optarg); - break; - case 'f': /* convert a forwarded TGT to a context */ - fflag++; - break; - case 's': /* old test parameter, ignore it */ - break; - } - } - - setlocale(LC_ALL, ""); - krb5_init_ets(); - time(&now); /* set time to check expired tickets */ - - /* if lusername == NULL, Then user is passed as the USER= variable */ - - if (!lusername) { - lusername = getenv("USER"); - if (!lusername) { - fprintf(stderr, "USER not in environment\n"); - return(3); - } - } - - if ((pw = getpwnam(lusername)) == NULL) { - fprintf(stderr, "Who are you?\n"); - return(44); - } - - luid = pw->pw_uid; - - if (fflag) { - status = k5dcecon(luid, lusername, pname); - } else { - status = k5dcesession(luid, pname, &tgt, NULL, 0); - } - - if (!status) { - printf("%s",getenv("KRB5CCNAME")); /* return via stdout to caller */ - DEEDEBUG2("KRB5CCNAME=%s\n",getenv("KRB5CCNAME")); - } - - DEEDEBUG2("Returning status %d\n",status); 
- return (status); -} diff --git a/crypto/heimdal-0.6.3/appl/dceutils/testpag.c b/crypto/heimdal-0.6.3/appl/dceutils/testpag.c deleted file mode 100644 index 4613fba5e9..0000000000 --- a/crypto/heimdal-0.6.3/appl/dceutils/testpag.c +++ /dev/null 
@@ -1,150 +0,0 @@ -/* Test the k5dcepag routine by setting a pag, and - * and execing a shell under this pag. - * - * This allows you to join a PAG which was created - * earlier by some other means. - * for example k5dcecon - * - * Must be run as root for testing only. - * - */ - -#include -#include -#include -#include -#include -#include -#include - -#define POSIX_SETJMP -#define POSIX_SIGNALS - -#ifdef POSIX_SIGNALS -typedef struct sigaction handler; -#define handler_init(H,F) (sigemptyset(&(H).sa_mask), \ - (H).sa_flags=0, \ - (H).sa_handler=(F)) -#define handler_swap(S,NEW,OLD) sigaction(S, &NEW, &OLD) -#define handler_set(S,OLD) sigaction(S, &OLD, NULL) -#else -typedef sigtype (*handler)(); -#define handler_init(H,F) ((H) = (F)) -#define handler_swap(S,NEW,OLD) ((OLD) = signal ((S), (NEW))) - -#define handler_set(S,OLD) (signal ((S), (OLD))) -#endif - -typedef void sigtype; - -/* - * We could include the dcedfs/syscall.h which should have these - * numbers, but it has extra baggage. So for - * simplicity sake now, we define these here. 
- */ - - -#define AFSCALL_SETPAG 2 -#define AFSCALL_GETPAG 11 - -#if defined(sun) -#define AFS_SYSCALL 72 - -#elif defined(hpux) -/* assume HPUX 10 + or is it 50 */ -#define AFS_SYSCALL 326 - -#elif defined(_AIX) -#define DPAGAIX "dpagaix" -/* #define DPAGAIX "/krb5/sbin/dpagaix" */ - -#elif defined(sgi) || defined(_sgi) -#define AFS_SYSCALL 206+1000 - -#else -#define AFS_SYSCALL (Unknown_DFS_AFS_SYSCALL) -#endif - -static sigjmp_buf setpag_buf; - -static sigtype mysig() -{ - siglongjmp(setpag_buf, 1); -} - - -int krb5_dfs_newpag(new_pag) - int new_pag; -{ - handler sa1, osa1; - handler sa2, osa2; - int pag = -1; - - handler_init (sa1, mysig); - handler_init (sa2, mysig); - handler_swap (SIGSYS, sa1, osa1); - handler_swap (SIGSEGV, sa2, osa2); - - if (sigsetjmp(setpag_buf, 1) == 0) { -#if defined(_AIX) - int (*dpagaix)(int, int, int, int, int, int); - - if (dpagaix = load(DPAGAIX, 0, 0)) - pag = (*dpagaix)(AFSCALL_SETPAG, new_pag, 0, 0, 0, 0); -#else - pag = syscall(AFS_SYSCALL,AFSCALL_SETPAG, new_pag, 0, 0, 0, 0); -#endif - handler_set (SIGSYS, osa1); - handler_set (SIGSEGV, osa2); - return(pag); - } - - fprintf(stderr,"Setpag failed with a system error\n"); - /* syscall failed! 
return 0 */ - handler_set (SIGSYS, osa1); - handler_set (SIGSEGV, osa2); - return(-1); -} - -main(argc, argv) - int argc; - char *argv[]; -{ - extern int optind; - extern char *optarg; - int rv; - int rc; - unsigned int pag; - unsigned int newpag = 0; - char ccname[256]; - int nflag = 0; - - while((rv = getopt(argc,argv,"n:")) != -1) { - switch(rv) { - case 'n': - nflag++; - sscanf(optarg,"%8x",&newpag); - break; - default: - printf("Usage: k5dcepagt -n pag \n"); - exit(1); - } - } - - if (nflag) { - fprintf (stderr,"calling k5dcepag newpag=%8.8x\n",newpag); - pag = krb5_dfs_newpag(newpag); - - fprintf (stderr,"PAG returned = %8.8x\n",pag); - if ((pag != 0) && (pag != -1)) { - sprintf (ccname, - "FILE:/opt/dcelocal/var/security/creds/dcecred_%8.8x", - pag); - esetenv("KRB5CCNAME",ccname,1); - execl("/bin/csh","csh",0); - } - else { - fprintf(stderr," Not a good pag value\n"); - } - } -} diff --git a/crypto/heimdal-0.6.3/appl/ftp/ChangeLog b/crypto/heimdal-0.6.3/appl/ftp/ChangeLog deleted file mode 100644 index 74ed7429d1..0000000000 --- a/crypto/heimdal-0.6.3/appl/ftp/ChangeLog +++ /dev/null @@ -1,795 +0,0 @@ -2004-08-20 Love Hörnquist Åstrand - - * ftp/ftp.c: 1.77: send ABOR protect with security layer if its there - - * ftpd/{ftpd_locl.h, extern.h, ftpcmd.y, ftpd.8, ftpd.c}: - Remove all traces of setjmp/longjmp. - Handle those command that is needed in oobhandler, - those are ABOR, STAT, ENC, CONF, MIC. - add options to turn off insecure OOB handling and document the option - - Changes inspired by openbsd and netbsd changes but quite diffrent is - most places since the code no longer look and is structured the same - way. - - extern.h: 1.25 - ftpcmd.y: 1.65 - ftpd.8: 1.22 - ftpd.c: 1.170 - ftpd_locl.h: 1.14 - -2004-06-21 Love Hörnquist Åstrand - - * ftpd/ftpcmd.y: 1.64: make cbuf 64k to handle lager tickets 
From: - MAAAAA MOOOR 1.63: strncasecmp returns - integer so don't compare with NULL - -2004-03-14 Love Hörnquist Åstrand - - * ftpd/ftpd.c: 1.169: (main): setpag if there is krb4 OR krb5 - support - -2003-08-20 Love Hörnquist Åstrand - - * ftpd/ftpd.8: 1.20->1.21: document --gss-bindings - - * ftpd/ftpd.c: 1.166->1.168: wrap gssapi stuff with KRB5, - (args): add gss-bindings - - * ftp/main.c: 1.33->1.35: wrap gssapi stuff with KRB5, - (args): add gss-bindings - (main): set ftp_do_gss_bindings to 1 to make client use them - - * ftp/security.h: 1.9->1.10: add ftp_do_gss_bindings - - * ftp/gssapi.c: 1.24->1.25: Optionally support gss bindings, - client does it by default, server not. This is to make it work - for clients behind NAT. - - * ftp/ftp.1: 1.12->1.15: gssapi bindings + madoc fixes - -2003-08-15 Love Hörnquist Åstrand - - * ftp/gssapi.c: 1.23->1.24: (gss_adat): fix name allocation bug - -2003-04-16 Love Hörnquist Åstrand - - * ftpd/ftpd.c: make sure argument to is* functions are unsigned - -2003-04-06 Love Hörnquist Åstrand - - * ftpd/ftpd.8: s/kerberos/Kerberos/ - -2003-03-23 Assar Westerlund - - * ftpd/pathnames.h (_PATH_FTPUSERS): conditionalize - -2003-03-18 Love Hörnquist Åstrand - - * ftpd/ftpd.c (krb5_verify): always do krb5_afslog, remove setpag - (its done in main) - - * ftpd/gss_userok.c: drop setpag - - * ftpd/ftpd.c (main): set afs PAG - - * ftpd/gss_userok.c: always try krb5_afslog, and while here do a - setpag too - - * ftpd/ftpd_locl.h: always include kafs - -2003-03-16 Love Hörnquist Åstrand - - * ftp/gssapi.c (gss_adat): now that gss_export_name exports a - principal, bandaid with gss_display_name, and check that oid is - GSS_KRB5_NT_PRINCIPAL_NAME, also free memory - -2003-02-25 Love Hörnquist Åstrand - - * ftp/gssapi.c (gss_auth): print out the name we authenticated too - -2003-02-25 Love Hörnquist Åstrand - - * ftpd/ls.c: use readlink with bufsize - 1, From NetBSD - - * ftp/ftp.1: s/utilizes/uses/ from NetBSD - - * ftpd/ftpd.8: 
s/utilize/use/ from NetBSD - -2003-02-10 Assar Westerlund - - * ftpd/ftpd.c (accept_with_timeout): use socklen_t - -2002-10-29 Johan Danielsson - - * ftp/main.c: reinstate -n flag (from Torbjörn Granlund) - -2002-10-16 Johan Danielsson - - * ftp/ftp.c: fix parsing of epsv ports (from Love) - -2002-09-05 Johan Danielsson - - * ftp/security.c (sec_vfprintf): free encoded data - - * ftp/gssapi.c (gss_decode): release buffer - - * ftp/ftp.c (active_mode): no need to allocate buffer for EPRT - -2002-08-28 Johan Danielsson - - * ftp/ftp.c (command): clean up va_{start,end}ing (from NetBSD) - -2002-08-23 Assar Westerlund - - * ftp/main.c: start using getarg - -2002-08-22 Johan Danielsson - - * ftpd/ls.c: uxp/v lacks _S_IFMT, but has S_IFMT - -2002-08-20 Johan Danielsson - - * ftp/gssapi.c: remove unused variable - -2002-04-24 Johan Danielsson - - * ftp/ftp.c: fix buffer overrun when receiving long replies - -2002-04-02 Johan Danielsson - - * ftpd/popen.c: make sure gl_pathc != 0 before referencing - gl_pathv - -2002-03-15 Johan Danielsson - - * ftp/gssapi.c (gss_adat): if accept_sec_context fails, syslog a - reason and give a temporary error message - -2002-02-28 Johan Danielsson - - * ftpd/ftpd.c: if builtin_ls failes, return error - - * ftpd/ls.c (builtin_ls): return status; also don't print fatal - error messages to the output stream, instead use syslog - -2001-09-14 Johan Danielsson - - * ftpd/ls.c: make sure we don't include . in recursive listings - -2001-09-13 Johan Danielsson - - * ftpd/ftpd.c (dataconn): don't wait forever on accept - -2001-09-04 Assar Westerlund - - * ftp/gssapi.c (gss_adat): leak less memory and check return value - from asprintf - -2001-08-28 Jacques Vidrine - - * ftpd/ftpd.c, ftpd/ftpd.8: On systems with IP_PORTRANGE, have - ftpd use `high-numbered' ports by default. Add a -U option - to get the old behavior. 
- -2001-08-28 Johan Danielsson - - * ftp/gssapi.c: try using "host" if there's no "ftp" principal - -2001-08-26 Johan Danielsson - - * ftpd/ls.c: implement -R - -2001-08-08 Assar Westerlund - - * ftpd/ls.c: make -a and -A do the same as in ls(1) - -2001-08-05 Assar Westerlund - - * ftpd/ftpcmd.y: add some (unsigned char) casts to is* - * ftp/cmds.c: add some (unsigned char) casts to is* - * ftpd/gss_userok.c (gss_userok): make argument to printf type - correct - -2001-08-05 Assar Westerlund - - * ftp/cmds.c (setpeer): __NetBSD__ is also a unix-like OS - -2001-06-19 Assar Westerlund - - * ftpd/popen.c, ftpd/ftpd.c: try to handle GLOB_MAXPATH (FreeBSD) - -2001-04-19 Johan Danielsson - - * ftpd/ftpd.c (do_store): call closefunc before claiming that - everything went ok, if the close fails the file might not have - been stored properly - -2001-03-26 Assar Westerlund - - * ftpd/ftpd.c, ftpd/popen.c: always use GLOB_LIMIT - * ftpd/popen.c (ftpd_popen): use GLOB_LIMIT if defined - * ftpd/ftpd.c (send_file_list): use GLOB_LIMIT if defined - -2001-02-15 Assar Westerlund - - * ftp/cmds.c (setpeer): handle both service names and port numbers - for the second optional argument. 
also make parsing more robust - -2001-02-07 Assar Westerlund - - * ftp/security.c (sec_end): only clean app_data if there is any - (*): do realloc consistently - -2001-02-05 Assar Westerlund - - * ftpd/popen.c (ftpd_popen): avoid overwriting the bounds of argv - and gargv - -2001-01-30 Assar Westerlund - - * ftpd/gss_userok.c: use gss_krb5_copy_ccache - -2001-01-29 Assar Westerlund - - * ftpd/Makefile.am: move up LIB_otp so we do not end up picking - one from /usr/athena - -2001-01-25 Johan Danielsson - - * ftpd/ls.c: fix bug in previous; make it easier to build test - version - -2001-01-19 Johan Danielsson - - * ftpd/ls.c (lstat_file): handle case where file lives in `/' - -2001-01-18 Johan Danielsson - - * ftpd/ftpd.c (pasv): close already open passive port - -2000-12-14 Johan Danielsson - - * ftpd/ls.c: reverse time and size sort order (pointed out by - tege) - -2000-12-11 Johan Danielsson - - * ftpd/ftpd.c: make it possible to set list of good filename - characters from command line - -2000-12-10 Johan Danielsson - - * ftpd/ftpd.c: some spec-violating mirror software assumes that - you can do things like `LIST -CF'; don't pass `--' to ls so this - actually works - - * ftpd/ls.c: implement -1CFx flags - -2000-12-08 Assar Westerlund - - * ftpd/gss_userok.c (gss_userok): handle getpwnam failing - * ftp/gssapi.c (gss_auth): be more explicit in error message - -2000-11-29 Johan Danielsson - - * ftpd/ftpd.8: close list - -2000-11-15 Assar Westerlund - - * ftp/main.c: add `-l' for no line-editing - * ftp/globals.c (readline): add - * ftp/ftp_var.h (lineedit): add variable indicated if we should - use readline - -2000-11-09 Johan Danielsson - - * ftp/security.c (sec_read): fix bug in previous (from Jacques A. 
- Vidrine ) - -2000-11-05 Johan Danielsson - - * ftpd/ftpcmd.y: only allow pasv if logged in - -2000-10-23 Johan Danielsson - - * ftpd/ftpd.c: change bad filename message slightly - - * common/buffer.c: HAVE_ST_BLKSIZE -> HAVE_STRUCT_STAT_ST_BLKSIZE - -2000-10-08 Assar Westerlund - - * ftp/ftp.c (*): check that fds are not too large to select on - * ftp/main.c (cmdscanner): print a newline upon EOF - -2000-09-19 Assar Westerlund - - * ftp/security.h: add some attributes to prototypes of sec* - * ftp/extern.h (command): add attributes - -2000-08-31 Johan Danielsson - - * ftpd/ftpd.c: change redundant password message to something - people can understand - -2000-07-27 Assar Westerlund - - * ftpd/gss_userok.c (gss_userok): only do AFS iff KRB4 - * ftpd/ftpd.c (krb5_verify): only do AFS stuff if KRB4 - -2000-07-07 Assar Westerlund - - * ftpd/ftpd.c: do not call setproctitle with a variable as the - format string - -2000-07-01 Assar Westerlund - - * ftpd/ftpd_locl.h: krb5.h before kafs.h - * ftpd/ftpd.c (krb5_verify): static-ize - * ftpd/ftpd.c (krb5_verify): conditionalize on KRB5 - -2000-06-21 Assar Westerlund - - * ftpd: support for authenticating passwords with krb5, by Daniel - Kouril - -2000-06-06 Johan Danielsson - - * ftpd/ftpcmd.y: change unix test to be negative - -2000-05-18 Assar Westerlund - - * ftpd/ftpd.c (args): should use `debug'. From Onno van der - Linden . - -2000-04-25 Assar Westerlund - - * ftp/ftp.c (login): re-structure code so that we prompt for - password for ftp/anonymous - -2000-04-11 Assar Westerlund - - * ftp/ftp.c (login): initialize tmp before calling fgets - -2000-04-02 Assar Westerlund - - * ftpd/ls.c: rename all st_mtime variables to avoid conflict with - #define. - * ftpd/ftpcmd.y: rename all st_mtime variables to avoid conflict - with #define. - * ftp/cmds.c: rename all st_mtime variables to avoid conflict with - #define. 
- -2000-03-26 Assar Westerlund - - * ftpd/ls.c, ftpd/ftpcmd.y, ftp/cmds.c: make sure to always call - time, ctime, and gmtime with `time_t's. there were some types - (like in lastlog) that we believed to always be time_t. this has - proven wrong on Solaris 8 in 64-bit mode, where they are stored as - 32-bit quantities but time_t has gone up to 64 bits - -2000-03-09 Johan Danielsson - - * call list_file for broken usages of nlst too - - * ftpd/ftpd.c: call list_file for broken usages of nlst too - -2000-02-07 Assar Westerlund - - * ftp/security.c (sec_read): more paranoia with return value from - sec_get_data - -2000-01-08 Assar Westerlund - - * ftp/ftp.c (hookup): handle ai_canonname being set in any of the - addresses returnedby getaddrinfo. glibc apparently returns the - reverse lookup of every address in ai_canonname. - * ftp/ruserpass.c (guess_domain): dito - -1999-12-21 Assar Westerlund - - * ftpd/ftpd.c: don't use sa_len as a parameter, it's defined on - Irix - -1999-12-21 Johan Danielsson - - * ftpd/ftpd.c (dataconn): make sure from points to actual data - -1999-12-16 Assar Westerlund - - * ftp/ruserpass.c (guess_domain): handle ai_canonname not being - set - * ftp/ftp.c (hookup): handle ai_canonname not being set - -1999-12-06 Assar Westerlund - - * ftp/krb4.c (krb4_auth): the nat-IP address might not be realm - bounded. - -1999-12-05 Assar Westerlund - - * ftpd/ftpd.c (dolog): update prototype - * ftpd/ftpd.c (dolog): use getnameinfo_verified - * ftpd/ftpd.c: replace inaddr2str by getnameinfo - -1999-12-04 Assar Westerlund - - * ftp/ruserpass.c (guess_domain): re-write to use getaddrinfo - * ftp/ftp.c (hookup): re-write to use getaddrinfo - -1999-11-30 Assar Westerlund - - * ftpd/ftpd.c (getdatasock): make sure to keep the port-number of - the outgoing connections. It has to be `ftp-data' or some people - might get upset. 
- - * ftpd/ftpd.c (args): set correct variable when `-l' so that - logging actually works - -1999-11-29 Assar Westerlund - - * ftp/security.c (sec_login): check return value from realloc - (sec_end): set app_data to NULL - -1999-11-25 Assar Westerlund - - * ftp/krb4.c (krb4_auth): obtain the `local' address when doing - NAT. also turn on passive mode. From - -1999-11-20 Assar Westerlund - - * ftpd/ls.c (make_fileinfo): cast to allow for non-const - prototypes of readlink - -1999-11-12 Assar Westerlund - - * ftpd/ftpd.c (args): use arg_counter for `l' - -1999-11-04 Assar Westerlund - - * ftpd/ls.c (S_ISSOCK, S_ISLNK): fallback definitions for systems - that don't have them (such as ultrix) - -1999-10-29 Assar Westerlund - - * ftpd/ls.c (make_fileinfo): cast uid's and gid's to unsigned in - printf, we don't know what types they might be. - (lstat_file): conditionalize the kafs part on KRB4 - - * ftpd/ftpd_locl.h: is needed for kafs.h - -1999-10-28 Assar Westerlund - - * ftpd/ls.c (lstat_file): don't set st_mode, it should already be - correct - - * ftpd/ls.c: don't use warnx to print errors - - * ftpd/ls.c (builtin_ls): fix typo, 'd' shouldn't imply 'f' - - * ftpd/ls.c (lstat_file): new function for avoiding stating AFS - mount points. From Love - (list_files): use `lstat_file' - - * ftpd/ftpd.c: some const-poisoning - - * ftpd/ftpd.c (args): add `-B' as an alias for `--builtin-ls' to - allow for stupid inetds that only support two arguments. From - Love - -1999-10-26 Assar Westerlund - - * ftpd/ftpcmd.y (help): it's unnecessary to interpret help strings - as printf commands - - * ftpd/ftpd.c (show_issue): don't interpret contents of - /etc/issue* as printf commands. 
From Brian A May - - -1999-10-21 Johan Danielsson - - * ftpd/kauth.c (kauth): complain if protection level isn't - `private' - - * ftp/krb4.c (krb4_decode): syslog failure reason - - * ftp/kauth.c (kauth): set private level earlier - - * ftp/security.c: get_command_prot; (sec_prot): partially match - `command' and `data' - -1999-10-18 Johan Danielsson - - * ftpd/ftpd.c: change `-l' flag to use arg_collect (this makes - `-ll' work again) - - * ftpd/ftpd.c (list_file): pass filename to ls - -1999-10-04 Johan Danielsson - - * ftpd/ftpcmd.y: FEAT - -1999-10-03 Assar Westerlund - - * ftpd/ls.c: fall-back definitions for constans and casts for - printfs - -1999-10-03 Johan Danielsson - - * ftpd/ftpd.c (main): make this use getarg; add `list_file' - - * ftpd/ftpcmd.y (LIST): call list_file - - * ftpd/ls.c: add simple built-in ls - - * ftp/security.c: add `sec_vfprintf2' and `sec_fprintf2' that - prints to the data stream - - * ftp/kauth.c (kauth): make sure we're using private protection - level - - * ftp/security.c (set_command_prot): set command protection level - - * ftp/security.c: make it possible to set the command protection - level with `prot' - -1999-09-30 Assar Westerlund - - * ftpd/ftpd_locl.h: add prototype for fclose to make sunos happy - -1999-08-19 Johan Danielsson - - * ftpd/ftpd.c (do_login): show issue-file - (send_data): change handling of zero-byte files - -1999-08-18 Assar Westerlund - - * ftp/cmds.c (getit): be more suspicious when parsing the result - of MDTM. Do the comparison of timestamps correctly. - -1999-08-13 Assar Westerlund - - * ftpd/ftpd.c (send_data): avoid calling mmap with `len == 0'. - Some mmap:s rather dislike that (Solaris) and some munmap (Linux) - get grumpy later. - - * ftp/ftp.c (copy_stream): avoid calling mmap with `len == 0'. - Some mmap:s rather dislike that (Solaris) and some munmap (Linux) - get grumpy later. 
- -1999-08-03 Assar Westerlund - - * ftp/ftp.c (active_mode): hide failure of EPRT by setting verbose - - * ftp/gssapi.c (gss_auth): initialize application_data in bindings - -1999-08-02 Assar Westerlund - - * ftpd/ftpcmd.y: save file names when doing commands that might - get aborted (and longjmp:ed out of) to avoid overwriting them also - remove extra closing brace - -1999-08-01 Johan Danielsson - - * ftpd/ftpcmd.y: change `site find' to `site locate' (to match - what it does, and other implementations) keep find as an alias - -1999-07-28 Assar Westerlund - - * common/socket.c: moved to roken - - * common/socket.c: new file with generic socket functions - - * ftpd/ftpd.c: make it more AF-neutral and v6-capable - - * ftpd/ftpcmd.y: add EPRT and EPSV - - * ftpd/extern.h: update prototypes and variables - - * ftp/krb4.c: update to new types of addresses - - * ftp/gssapi.c: add support for both AF_INET and AF_INET6 - addresses - - * ftp/ftp.c: make it more AF-neutral and v6-capable - - * ftp/extern.h (hookup): change prototype - - * common/common.h: add prototypes for functions in socket.c - - * common/Makefile.am (libcommon_a_SOURCES): add socket.c - - * ftp/gssapi.c (gss_auth): check return value from - `gss_import_name' and print error messages if it fails - -1999-06-15 Assar Westerlund - - * ftp/krb4.c (krb4_auth): type correctness - -1999-06-02 Johan Danielsson - - * ftp/ftp.c (sendrequest): lmode != rmode - -1999-05-21 Assar Westerlund - - * ftp/extern.h (sendrequest): update prototype - - * ftp/cmds.c: update calls to sendrequest and recvrequest to send - "b" when appropriate - - * ftp/ftp.c (sendrequest): add argument for mode to open file in. 
- -1999-05-08 Assar Westerlund - - * ftpd/ftpcmd.y: rename getline -> ftpd_getline - - * ftp/main.c (makeargv): fill in unused slots with NULL - -Thu Apr 8 15:06:40 1999 Johan Danielsson - - * ftpd/ftpd.c: remove definition of KRB_VERIFY_USER (moved to - config.h) - -Wed Apr 7 16:15:21 1999 Johan Danielsson - - * ftp/gssapi.c (gss_auth): call gss_display_status to get a sane - error message; return AUTH_{CONTINUE,ERROR}, where appropriate - - * ftp/krb4.c: return AUTH_{CONTINUE,ERROR}, where appropriate - - * ftp/security.c (sec_login): if mechanism returns AUTH_CONTINUE, - just continue with the next mechanism, this fixes the case of - having GSSAPI fail because of non-existant of expired tickets - - * ftp/security.h: add AUTH_{OK,CONTINUE,ERROR} - -Thu Apr 1 16:59:04 1999 Johan Danielsson - - * ftpd/Makefile.am: don't run check-local - - * ftp/Makefile.am: don't run check-local - -Mon Mar 22 22:15:18 1999 Assar Westerlund - - * ftpd/ftpd.c (pass): fall-back for KRB_VERIFY_SECURE - - * ftpd/ftpd.c (pass): 1 -> KRB_VERIFY_SECURE - -Thu Mar 18 12:07:09 1999 Johan Danielsson - - * ftpd/Makefile.am: clean ftpcmd.c - - * ftpd/ftpd_locl.h: remove krb5.h (breaks in ftpcmd.y) - - * ftpd/ftpd.c: move include of krb5.h here - - * ftpd/Makefile.am: include Makefile.am.common - - * Makefile.am: include Makefile.am.common - - * ftp/Makefile.am: include Makefile.am.common - - * common/Makefile.am: include Makefile.am.common - -Tue Mar 16 22:28:37 1999 Assar Westerlund - - * ftpd/ftpd_locl.h: add krb5.h to get heimdal_version - - * ftpd/ftpd.c: krb_verify_user_multiple -> krb_verify_user - -Thu Mar 11 14:54:59 1999 Johan Danielsson - - * ftp/Makefile.in: WFLAGS - - * ftp/ruserpass.c: add some if-braces - -Wed Mar 10 20:02:55 1999 Johan Danielsson - - * ftpd/ftpd_locl.h: remove ifdef HAVE_FNMATCH - -Mon Mar 8 21:29:24 1999 Johan Danielsson - - * ftpd/ftpd.c: re-add version in greeting message - -Mon Mar 1 10:49:38 1999 Johan Danielsson - - * ftpd/logwtmp.c: HAVE_UT_* -> 
HAVE_STRUCT_UTMP*_UT_* - -Mon Feb 22 19:20:51 1999 Johan Danielsson - - * common/Makefile.in: remove glob - -Sat Feb 13 17:19:35 1999 Assar Westerlund - - * ftpd/ftpd.c (match): remove #ifdef HAVE_FNMATCH. We have a - fnmatch implementation in roken and therefore always have it. - - * ftp/ftp.c (copy_stream): initialize `werr' - -Wed Jan 13 23:52:57 1999 Assar Westerlund - - * ftpd/ftpcmd.y: moved all check_login and check_login_no_guest to - the end of the rules to ensure we don't generate several - (independent) error messages. once again, having a yacc-grammar - for FTP with embedded actions doesn't strike me as the most - optimal way of doing it. - -Tue Dec 1 14:44:29 1998 Johan Danielsson - - * ftpd/Makefile.am: link with extra libs for aix - -Sun Nov 22 10:28:20 1998 Assar Westerlund - - * ftpd/ftpd.c (retrying): support on-the-fly decompression - - * ftpd/Makefile.in (WFLAGS): set - - * ftp/ruserpass.c (guess_domain): new function - (ruserpass): use it - - * common/Makefile.in (WFLAGS): set - - * Makefile.in (WFLAGS): set - -Sat Nov 21 23:13:03 1998 Assar Westerlund - - * ftp/security.c: some more type correctness. - - * ftp/gssapi.c (gss_adat): more braces to shut up warnings - -Wed Nov 18 21:47:55 1998 Assar Westerlund - - * ftp/main.c (main): new option `-p' for enable passive mode. - -Mon Nov 2 01:57:49 1998 Assar Westerlund - - * ftp/ftp.c (getreply): remove extra `break' - - * ftp/gssapi.c (gss_auth): fixo typo(copyo?) 
- * ftp/security.c (sec_login): fix loop and return value - -Tue Sep 1 16:56:42 1998 Johan Danielsson - - * ftp/cmds.c (quote1): fix % quoting bug - -Fri Aug 14 17:10:06 1998 Johan Danielsson - - * ftp/krb4.c: krb_put_int -> KRB_PUT_INT - -Tue Jun 30 18:07:15 1998 Assar Westerlund - - * ftp/security.c (auth): free `app_data' - (sec_end): only destroy if it was initialized - -Tue Jun 9 21:01:59 1998 Johan Danielsson - - * ftp/krb4.c: pass client address to krb_rd_req - -Sat May 16 00:02:07 1998 Assar Westerlund - - * ftpd/Makefile.am: link with DBLIB - -Tue May 12 14:15:32 1998 Johan Danielsson - - * ftp/gssapi.c: Save client name for userok(). - - * ftpd/gss_userok.c: Userok for gssapi. - -Fri May 1 07:15:01 1998 Assar Westerlund - - * ftp/ftp.c: unifdef -DHAVE_H_ERRNO - -Fri Mar 27 00:46:07 1998 Johan Danielsson - - * Make compile w/o krb4. - -Thu Mar 26 03:49:12 1998 Johan Danielsson - - * ftp/*, ftpd/*: Changes for new framework. - - * ftp/gssapi.c: GSS-API backend for the new security framework. - - * ftp/krb4.c: Updated for new framework. - - * ftp/security.{c,h}: New unified security framework.
diff --git a/crypto/heimdal-0.6.3/appl/ftp/Makefile.am b/crypto/heimdal-0.6.3/appl/ftp/Makefile.am
deleted file mode 100644
index f8831a308d..0000000000
--- a/crypto/heimdal-0.6.3/appl/ftp/Makefile.am
+++ /dev/null
@@ -1,5 +0,0 @@
-# $Id: Makefile.am,v 1.5 1999/03/20 13:58:14 joda Exp $
-
-include $(top_srcdir)/Makefile.am.common
-
-SUBDIRS = common ftp ftpd
diff --git a/crypto/heimdal-0.6.3/appl/ftp/Makefile.in b/crypto/heimdal-0.6.3/appl/ftp/Makefile.in
deleted file mode 100644
index c1b7c39ef2..0000000000
--- a/crypto/heimdal-0.6.3/appl/ftp/Makefile.in
+++ /dev/null
@@ -1,776 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.5 1999/03/20 13:58:14 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../.. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ - $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common ChangeLog -subdir = appl/ftp -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - $(top_srcdir)/cf/krb-struct-spwd.m4 \ - 
$(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -depcomp = -am__depfiles_maybe = -SOURCES = -DIST_SOURCES = -RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \ - html-recursive info-recursive install-data-recursive \ - install-exec-recursive install-info-recursive \ - install-recursive installcheck-recursive installdirs-recursive \ - pdf-recursive ps-recursive uninstall-info-recursive \ - uninstall-recursive -ETAGS = etags -CTAGS = ctags -DIST_SUBDIRS = $(SUBDIRS) -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ 
-DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ 
-LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = 
@X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ 
-LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -SUBDIRS = common ftp ftpd -all: all-recursive - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps appl/ftp/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps appl/ftp/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' 
in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -# This directory's subdirectories are mostly independent; you can cd -# into them and run `make' without going through this Makefile. -# To change the values of `make' variables: instead of editing Makefiles, -# (1) if the variable is set in `config.status', edit `config.status' -# (which will cause the Makefiles to be regenerated when you run `make'); -# (2) otherwise, pass the desired values on the `make' command line. 
-$(RECURSIVE_TARGETS): - @set fnord $$MAKEFLAGS; amf=$$2; \ - dot_seen=no; \ - target=`echo $@ | sed s/-recursive//`; \ - list='$(SUBDIRS)'; for subdir in $$list; do \ - echo "Making $$target in $$subdir"; \ - if test "$$subdir" = "."; then \ - dot_seen=yes; \ - local_target="$$target-am"; \ - else \ - local_target="$$target"; \ - fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ - || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \ - done; \ - if test "$$dot_seen" = "no"; then \ - $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \ - fi; test -z "$$fail" - -mostlyclean-recursive clean-recursive distclean-recursive \ -maintainer-clean-recursive: - @set fnord $$MAKEFLAGS; amf=$$2; \ - dot_seen=no; \ - case "$@" in \ - distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \ - *) list='$(SUBDIRS)' ;; \ - esac; \ - rev=''; for subdir in $$list; do \ - if test "$$subdir" = "."; then :; else \ - rev="$$subdir $$rev"; \ - fi; \ - done; \ - rev="$$rev ."; \ - target=`echo $@ | sed s/-recursive//`; \ - for subdir in $$rev; do \ - echo "Making $$target in $$subdir"; \ - if test "$$subdir" = "."; then \ - local_target="$$target-am"; \ - else \ - local_target="$$target"; \ - fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ - || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \ - done && test -z "$$fail" -tags-recursive: - list='$(SUBDIRS)'; for subdir in $$list; do \ - test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \ - done -ctags-recursive: - list='$(SUBDIRS)'; for subdir in $$list; do \ - test "$$subdir" = . 
|| (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \ - done - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - if (etags --etags-include --version) >/dev/null 2>&1; then \ - include_option=--etags-include; \ - else \ - include_option=--include; \ - fi; \ - list='$(SUBDIRS)'; for subdir in $$list; do \ - if test "$$subdir" = .; then :; else \ - test -f $$subdir/TAGS && \ - tags="$$tags $$include_option=$$here/$$subdir/TAGS"; \ - fi; \ - done; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: ctags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/../.. 
$(distdir)/../../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - list='$(SUBDIRS)'; for subdir in $$list; do \ - if test "$$subdir" = .; then :; else \ - test -d "$(distdir)/$$subdir" \ - || mkdir "$(distdir)/$$subdir" \ - || exit 1; \ - (cd $$subdir && \ - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="../$(top_distdir)" \ - distdir="../$(distdir)/$$subdir" \ - distdir) \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-recursive -all-am: Makefile all-local -installdirs: installdirs-recursive -installdirs-am: -install: install-recursive -install-exec: install-exec-recursive -install-data: install-data-recursive -uninstall: uninstall-recursive - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-recursive -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo 
"INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-recursive - -clean-am: clean-generic clean-libtool mostlyclean-am - -distclean: distclean-recursive - -rm -f Makefile -distclean-am: clean-am distclean-generic distclean-libtool \ - distclean-tags - -dvi: dvi-recursive - -dvi-am: - -html: html-recursive - -info: info-recursive - -info-am: - -install-data-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-recursive - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-recursive - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-recursive - -mostlyclean-am: mostlyclean-generic mostlyclean-libtool - -pdf: pdf-recursive - -pdf-am: - -ps: ps-recursive - -ps-am: - -uninstall-am: uninstall-info-am - -uninstall-info: uninstall-info-recursive - -.PHONY: $(RECURSIVE_TARGETS) CTAGS GTAGS all all-am all-local check \ - check-am check-local clean clean-generic clean-libtool \ - clean-recursive ctags ctags-recursive distclean \ - distclean-generic distclean-libtool distclean-recursive \ - distclean-tags distdir dvi dvi-am html html-am info info-am \ - install install-am install-data install-data-am install-exec \ - install-exec-am install-info install-info-am install-man \ - install-strip installcheck installcheck-am installdirs \ - installdirs-am maintainer-clean maintainer-clean-generic \ - maintainer-clean-recursive mostlyclean mostlyclean-generic \ - mostlyclean-libtool mostlyclean-recursive pdf pdf-am ps ps-am \ - tags tags-recursive uninstall uninstall-am uninstall-info-am - - -install-suid-programs: - 
@foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - 
case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal-0.6.3/appl/ftp/common/Makefile.am b/crypto/heimdal-0.6.3/appl/ftp/common/Makefile.am deleted file mode 100644 index 4fab07b9a1..0000000000 --- a/crypto/heimdal-0.6.3/appl/ftp/common/Makefile.am +++ /dev/null @@ -1,12 +0,0 @@ -# $Id: Makefile.am,v 1.9 1999/07/28 21:15:06 assar Exp $ - -include $(top_srcdir)/Makefile.am.common - -INCLUDES += $(INCLUDE_krb4) - -noinst_LIBRARIES = libcommon.a - -libcommon_a_SOURCES = \ - sockbuf.c \ - buffer.c \ - common.h 
diff --git a/crypto/heimdal-0.6.3/appl/ftp/common/Makefile.in b/crypto/heimdal-0.6.3/appl/ftp/common/Makefile.in
deleted file mode 100644
index 02e525f53e..0000000000
--- a/crypto/heimdal-0.6.3/appl/ftp/common/Makefile.in
+++ /dev/null
@@ -1,729 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.9 1999/07/28 21:15:06 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - -SOURCES = $(libcommon_a_SOURCES) - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../../.. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ - $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common -subdir = appl/ftp/common -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - $(top_srcdir)/cf/krb-struct-spwd.m4 \ - 
$(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -ARFLAGS = cru -LIBRARIES = $(noinst_LIBRARIES) -libcommon_a_AR = $(AR) $(ARFLAGS) -libcommon_a_LIBADD = -am_libcommon_a_OBJECTS = sockbuf.$(OBJEXT) buffer.$(OBJEXT) -libcommon_a_OBJECTS = $(am_libcommon_a_OBJECTS) -DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -SOURCES = $(libcommon_a_SOURCES) -DIST_SOURCES = $(libcommon_a_SOURCES) -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = 
@CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = 
@LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = 
@PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = 
@target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -noinst_LIBRARIES = libcommon.a -libcommon_a_SOURCES = \ - sockbuf.c \ - buffer.c \ - common.h - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps appl/ftp/common/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps appl/ftp/common/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' 
in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -clean-noinstLIBRARIES: - -test -z "$(noinst_LIBRARIES)" || rm -f $(noinst_LIBRARIES) -libcommon.a: $(libcommon_a_OBJECTS) $(libcommon_a_DEPENDENCIES) - -rm -f libcommon.a - $(libcommon_a_AR) libcommon.a $(libcommon_a_OBJECTS) $(libcommon_a_LIBADD) - $(RANLIB) libcommon.a - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c $< - -.c.obj: - $(COMPILE) -c `$(CYGPATH_W) '$<'` - -.c.lo: - $(LTCOMPILE) -c -o $@ $< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z 
"$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/../../.. $(distdir)/../../../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(LIBRARIES) all-local 
-installdirs: -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-generic clean-libtool clean-noinstLIBRARIES \ - mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-info-am - -.PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \ - clean clean-generic clean-libtool clean-noinstLIBRARIES ctags \ - distclean distclean-compile distclean-generic \ - distclean-libtool distclean-tags distdir dvi dvi-am html \ - html-am info info-am install install-am install-data \ - install-data-am install-exec install-exec-am install-info \ - install-info-am install-man 
install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags uninstall uninstall-am uninstall-info-am - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; 
done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal-0.6.3/appl/ftp/common/buffer.c b/crypto/heimdal-0.6.3/appl/ftp/common/buffer.c deleted file mode 100644 index ba7773b604..0000000000 --- a/crypto/heimdal-0.6.3/appl/ftp/common/buffer.c +++ /dev/null 
@@ -1,69 +0,0 @@
-/*
- * Copyright (c) 1995-2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "common.h"
-#include
-#include
-#include "roken.h"
-
-RCSID("$Id: buffer.c,v 1.4 2000/10/23 04:49:25 joda Exp $");
-
-/*
- * Allocate a buffer enough to handle st->st_blksize, if
- * there is such a field, otherwise BUFSIZ.
- */
-
-void *
-alloc_buffer (void *oldbuf, size_t *sz, struct stat *st)
-{
- size_t new_sz;
-
- new_sz = BUFSIZ;
-#ifdef HAVE_STRUCT_STAT_ST_BLKSIZE
- if (st)
- new_sz = max(BUFSIZ, st->st_blksize);
-#endif
- if(new_sz > *sz) {
- if (oldbuf)
- free (oldbuf);
- oldbuf = malloc (new_sz);
- if (oldbuf == NULL) {
- warn ("malloc");
- *sz = 0;
- return NULL;
- }
- *sz = new_sz;
- }
- return oldbuf;
-}
-
diff --git a/crypto/heimdal-0.6.3/appl/ftp/common/common.h b/crypto/heimdal-0.6.3/appl/ftp/common/common.h
deleted file mode 100644
index 5949b25d7b..0000000000
--- a/crypto/heimdal-0.6.3/appl/ftp/common/common.h
+++ /dev/null
@@ -1,60 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: common.h,v 1.12 1999/12/02 16:58:29 joda Exp $ */
-
-#ifdef HAVE_CONFIG_H
-#include
-#endif
-
-#ifndef __COMMON_H__
-#define __COMMON_H__
-
-#include "base64.h"
-
-void set_buffer_size(int, int);
-
-#include
-#ifdef HAVE_SYS_TYPES_H
-#include
-#endif
-#ifdef HAVE_SYS_STAT_H
-#include
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include
-#endif
-
-void *alloc_buffer (void *oldbuf, size_t *sz, struct stat *st);
-
-#endif /* __COMMON_H__ */
diff --git a/crypto/heimdal-0.6.3/appl/ftp/common/sockbuf.c b/crypto/heimdal-0.6.3/appl/ftp/common/sockbuf.c
deleted file mode 100644
index 460cc6fbf5..0000000000
--- a/crypto/heimdal-0.6.3/appl/ftp/common/sockbuf.c
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "common.h"
-#ifdef HAVE_SYS_TYPES_H
-#include
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include
-#endif
-
-RCSID("$Id: sockbuf.c,v 1.3 1999/12/02 16:58:29 joda Exp $");
-
-void
-set_buffer_size(int fd, int read)
-{
-#if defined(SO_RCVBUF) && defined(SO_SNDBUF) && defined(HAVE_SETSOCKOPT)
- size_t size = 4194304;
- while(size >= 131072 &&
- setsockopt(fd, SOL_SOCKET, read ? SO_RCVBUF : SO_SNDBUF,
- (void *)&size, sizeof(size)) < 0)
- size /= 2;
-#endif
-}
-
-
diff --git a/crypto/heimdal-0.6.3/appl/ftp/ftp/Makefile.am b/crypto/heimdal-0.6.3/appl/ftp/ftp/Makefile.am
deleted file mode 100644
index 9f4927dd96..0000000000
--- a/crypto/heimdal-0.6.3/appl/ftp/ftp/Makefile.am
+++ /dev/null
@@ -1,46 +0,0 @@
-# $Id: Makefile.am,v 1.15 2001/08/28 08:31:21 assar Exp $
-
-include $(top_srcdir)/Makefile.am.common
-
-INCLUDES += -I$(srcdir)/../common $(INCLUDE_readline) $(INCLUDE_krb4) $(INCLUDE_des)
-
-bin_PROGRAMS = ftp
-
-CHECK_LOCAL =
-
-if KRB4
-krb4_sources = krb4.c kauth.c
-endif
-if KRB5
-krb5_sources = gssapi.c
-endif
-
-ftp_SOURCES = \
- cmds.c \
- cmdtab.c \
- extern.h \
- ftp.c \
- ftp_locl.h \
- ftp_var.h \
- main.c \
- pathnames.h \
- ruserpass.c \
- domacro.c \
- globals.c \
- security.c \
- security.h \
- $(krb4_sources) \
- $(krb5_sources)
-
-EXTRA_ftp_SOURCES = krb4.c kauth.c gssapi.c
-
-man_MANS = ftp.1
-
-LDADD = \
- ../common/libcommon.a \
- $(LIB_gssapi) \
- $(LIB_krb5) \
- $(LIB_krb4) \
- $(LIB_des) \
- $(LIB_roken) \
- $(LIB_readline)
diff --git a/crypto/heimdal-0.6.3/appl/ftp/ftp/Makefile.in b/crypto/heimdal-0.6.3/appl/ftp/ftp/Makefile.in
deleted file mode 100644
index da8fef7377..0000000000
--- a/crypto/heimdal-0.6.3/appl/ftp/ftp/Makefile.in
+++ /dev/null
@@ -1,849 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.15 2001/08/28 08:31:21 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - -SOURCES = $(ftp_SOURCES) $(EXTRA_ftp_SOURCES) - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../../.. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ - $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common -bin_PROGRAMS = ftp$(EXEEXT) -subdir = appl/ftp/ftp -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - 
$(top_srcdir)/cf/krb-struct-spwd.m4 \ - $(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)" -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -PROGRAMS = $(bin_PROGRAMS) -am__ftp_SOURCES_DIST = cmds.c cmdtab.c extern.h ftp.c ftp_locl.h \ - ftp_var.h main.c pathnames.h ruserpass.c domacro.c globals.c \ - security.c security.h krb4.c kauth.c gssapi.c -@KRB4_TRUE@am__objects_1 = krb4.$(OBJEXT) kauth.$(OBJEXT) -@KRB5_TRUE@am__objects_2 = gssapi.$(OBJEXT) -am_ftp_OBJECTS = cmds.$(OBJEXT) cmdtab.$(OBJEXT) ftp.$(OBJEXT) \ - main.$(OBJEXT) ruserpass.$(OBJEXT) domacro.$(OBJEXT) \ - globals.$(OBJEXT) security.$(OBJEXT) $(am__objects_1) \ - $(am__objects_2) -ftp_OBJECTS = $(am_ftp_OBJECTS) -ftp_LDADD = $(LDADD) -@KRB5_TRUE@am__DEPENDENCIES_1 = \ -@KRB5_TRUE@ $(top_builddir)/lib/gssapi/libgssapi.la -@KRB5_TRUE@am__DEPENDENCIES_2 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la -am__DEPENDENCIES_3 = -ftp_DEPENDENCIES = ../common/libcommon.a $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_3) \ - $(am__DEPENDENCIES_3) $(am__DEPENDENCIES_3) \ - $(am__DEPENDENCIES_3) -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -SOURCES = $(ftp_SOURCES) $(EXTRA_ftp_SOURCES) -DIST_SOURCES = $(am__ftp_SOURCES_DIST) $(EXTRA_ftp_SOURCES) -man1dir = $(mandir)/man1 -MANS = $(man_MANS) -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ 
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = 
@LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = 
@do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -I$(srcdir)/../common $(INCLUDE_readline) $(INCLUDE_krb4) $(INCLUDE_des) -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = 
$(top_builddir)/lib/kdfs/libkdfs.la -CHECK_LOCAL = -@KRB4_TRUE@krb4_sources = krb4.c kauth.c -@KRB5_TRUE@krb5_sources = gssapi.c -ftp_SOURCES = \ - cmds.c \ - cmdtab.c \ - extern.h \ - ftp.c \ - ftp_locl.h \ - ftp_var.h \ - main.c \ - pathnames.h \ - ruserpass.c \ - domacro.c \ - globals.c \ - security.c \ - security.h \ - $(krb4_sources) \ - $(krb5_sources) - -EXTRA_ftp_SOURCES = krb4.c kauth.c gssapi.c -man_MANS = ftp.1 -LDADD = \ - ../common/libcommon.a \ - $(LIB_gssapi) \ - $(LIB_krb5) \ - $(LIB_krb4) \ - $(LIB_des) \ - $(LIB_roken) \ - $(LIB_readline) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps appl/ftp/ftp/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps appl/ftp/ftp/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' 
in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -install-binPROGRAMS: $(bin_PROGRAMS) - @$(NORMAL_INSTALL) - test -z "$(bindir)" || $(mkdir_p) "$(DESTDIR)$(bindir)" - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(bindir)/$$f'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(bindir)/$$f" || exit 1; \ - else :; fi; \ - done - -uninstall-binPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f '$(DESTDIR)$(bindir)/$$f'"; \ - rm -f "$(DESTDIR)$(bindir)/$$f"; \ - done - -clean-binPROGRAMS: - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -ftp$(EXEEXT): $(ftp_OBJECTS) $(ftp_DEPENDENCIES) - @rm -f ftp$(EXEEXT) - $(LINK) $(ftp_LDFLAGS) $(ftp_OBJECTS) $(ftp_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c $< - -.c.obj: - $(COMPILE) -c `$(CYGPATH_W) '$<'` 
- -.c.lo: - $(LTCOMPILE) -c -o $@ $< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -install-man1: $(man1_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - test -z "$(man1dir)" || $(mkdir_p) "$(DESTDIR)$(man1dir)" - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 1*) ;; \ - *) ext='1' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man1dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man1dir)/$$inst"; \ - done -uninstall-man1: - @$(NORMAL_UNINSTALL) - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 1*) ;; \ - *) ext='1' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f '$(DESTDIR)$(man1dir)/$$inst'"; \ - rm -f "$(DESTDIR)$(man1dir)/$$inst"; \ - done - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - 
$(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/../../.. 
$(distdir)/../../../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) $(MANS) all-local -installdirs: - for dir in "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools 
to rebuild." -clean: clean-am - -clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: install-man - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: install-binPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man1 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-binPROGRAMS uninstall-info-am uninstall-man - -uninstall-man: uninstall-man1 - -.PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \ - clean clean-binPROGRAMS clean-generic clean-libtool ctags \ - distclean distclean-compile distclean-generic \ - distclean-libtool distclean-tags distdir dvi dvi-am html \ - html-am info info-am install install-am install-binPROGRAMS \ - install-data install-data-am install-exec install-exec-am \ - install-info install-info-am install-man install-man1 \ - install-strip installcheck installcheck-am installdirs \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ - pdf pdf-am ps ps-am tags uninstall uninstall-am \ - uninstall-binPROGRAMS uninstall-info-am uninstall-man \ - uninstall-man1 - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: 
install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - 
-dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal-0.6.3/appl/ftp/ftp/cmds.c b/crypto/heimdal-0.6.3/appl/ftp/ftp/cmds.c deleted file mode 100644 index a7928eb830..0000000000 --- a/crypto/heimdal-0.6.3/appl/ftp/ftp/cmds.c +++ /dev/null 
@@ -1,2127 +0,0 @@
-/*
- * Copyright (c) 1985, 1989, 1993, 1994
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * FTP User Program -- Command Routines.
- */ - -#include "ftp_locl.h" -RCSID("$Id: cmds.c,v 1.44 2001/08/05 06:39:14 assar Exp $"); - -typedef void (*sighand)(int); - -jmp_buf jabort; -char *mname; -char *home = "/"; - -/* - * `Another' gets another argument, and stores the new argc and argv. - * It reverts to the top level (via main.c's intr()) on EOF/error. - * - * Returns false if no new arguments have been added. - */ -int -another(int *pargc, char ***pargv, char *prompt) -{ - int len = strlen(line), ret; - - if (len >= sizeof(line) - 3) { - printf("sorry, arguments too long\n"); - intr(0); - } - printf("(%s) ", prompt); - line[len++] = ' '; - if (fgets(&line[len], sizeof(line) - len, stdin) == NULL) - intr(0); - len += strlen(&line[len]); - if (len > 0 && line[len - 1] == '\n') - line[len - 1] = '\0'; - makeargv(); - ret = margc > *pargc; - *pargc = margc; - *pargv = margv; - return (ret); -} - -/* - * Connect to peer server and - * auto-login, if possible. - */ -void -setpeer(int argc, char **argv) -{ - char *host; - u_short port; - struct servent *sp; - - if (connected) { - printf("Already connected to %s, use close first.\n", - hostname); - code = -1; - return; - } - if (argc < 2) - another(&argc, &argv, "to"); - if (argc < 2 || argc > 3) { - printf("usage: %s host-name [port]\n", argv[0]); - code = -1; - return; - } - sp = getservbyname("ftp", "tcp"); - if (sp == NULL) - errx(1, "You bastard. You removed ftp/tcp from services"); - port = sp->s_port; - if (argc > 2) { - sp = getservbyname(argv[2], "tcp"); - if (sp != NULL) { - port = sp->s_port; - } else { - char *ep; - - port = strtol(argv[2], &ep, 0); - if (argv[2] == ep) { - printf("%s: bad port number-- %s\n", - argv[1], argv[2]); - printf ("usage: %s host-name [port]\n", - argv[0]); - code = -1; - return; - } - port = htons(port); - } - } - host = hookup(argv[1], port); - if (host) { - int overbose; - - connected = 1; - /* - * Set up defaults for FTP. 
- */ - strlcpy(typename, "ascii", sizeof(typename)); - type = TYPE_A; - curtype = TYPE_A; - strlcpy(formname, "non-print", sizeof(formname)); - form = FORM_N; - strlcpy(modename, "stream", sizeof(modename)); - mode = MODE_S; - strlcpy(structname, "file", sizeof(structname)); - stru = STRU_F; - strlcpy(bytename, "8", sizeof(bytename)); - bytesize = 8; - if (autologin) - login(argv[1]); - -#if (defined(unix) || defined(__unix__) || defined(__unix) || defined(_AIX) || defined(_CRAY) || defined(__NetBSD__)) && NBBY == 8 -/* - * this ifdef is to keep someone form "porting" this to an incompatible - * system and not checking this out. This way they have to think about it. - */ - overbose = verbose; - if (debug == 0) - verbose = -1; - if (command("SYST") == COMPLETE && overbose) { - char *cp, c; - cp = strchr(reply_string+4, ' '); - if (cp == NULL) - cp = strchr(reply_string+4, '\r'); - if (cp) { - if (cp[-1] == '.') - cp--; - c = *cp; - *cp = '\0'; - } - - printf("Remote system type is %s.\n", - reply_string+4); - if (cp) - *cp = c; - } - if (!strncmp(reply_string, "215 UNIX Type: L8", 17)) { - if (proxy) - unix_proxy = 1; - else - unix_server = 1; - /* - * Set type to 0 (not specified by user), - * meaning binary by default, but don't bother - * telling server. We can use binary - * for text files unless changed by the user. 
- */ - type = 0; - strlcpy(typename, "binary", sizeof(typename)); - if (overbose) - printf("Using %s mode to transfer files.\n", - typename); - } else { - if (proxy) - unix_proxy = 0; - else - unix_server = 0; - if (overbose && - !strncmp(reply_string, "215 TOPS20", 10)) - printf( -"Remember to set tenex mode when transfering binary files from this machine.\n"); - } - verbose = overbose; -#endif /* unix */ - } -} - -struct types { - char *t_name; - char *t_mode; - int t_type; - char *t_arg; -} types[] = { - { "ascii", "A", TYPE_A, 0 }, - { "binary", "I", TYPE_I, 0 }, - { "image", "I", TYPE_I, 0 }, - { "ebcdic", "E", TYPE_E, 0 }, - { "tenex", "L", TYPE_L, bytename }, - { NULL } -}; - -/* - * Set transfer type. - */ -void -settype(int argc, char **argv) -{ - struct types *p; - int comret; - - if (argc > 2) { - char *sep; - - printf("usage: %s [", argv[0]); - sep = " "; - for (p = types; p->t_name; p++) { - printf("%s%s", sep, p->t_name); - sep = " | "; - } - printf(" ]\n"); - code = -1; - return; - } - if (argc < 2) { - printf("Using %s mode to transfer files.\n", typename); - code = 0; - return; - } - for (p = types; p->t_name; p++) - if (strcmp(argv[1], p->t_name) == 0) - break; - if (p->t_name == 0) { - printf("%s: unknown mode\n", argv[1]); - code = -1; - return; - } - if ((p->t_arg != NULL) && (*(p->t_arg) != '\0')) - comret = command ("TYPE %s %s", p->t_mode, p->t_arg); - else - comret = command("TYPE %s", p->t_mode); - if (comret == COMPLETE) { - strlcpy(typename, p->t_name, sizeof(typename)); - curtype = type = p->t_type; - } -} - -/* - * Internal form of settype; changes current type in use with server - * without changing our notion of the type for data transfers. - * Used to change to and from ascii for listings. 
- */ -void -changetype(int newtype, int show) -{ - struct types *p; - int comret, oldverbose = verbose; - - if (newtype == 0) - newtype = TYPE_I; - if (newtype == curtype) - return; - if (debug == 0 && show == 0) - verbose = 0; - for (p = types; p->t_name; p++) - if (newtype == p->t_type) - break; - if (p->t_name == 0) { - printf("ftp: internal error: unknown type %d\n", newtype); - return; - } - if (newtype == TYPE_L && bytename[0] != '\0') - comret = command("TYPE %s %s", p->t_mode, bytename); - else - comret = command("TYPE %s", p->t_mode); - if (comret == COMPLETE) - curtype = newtype; - verbose = oldverbose; -} - -char *stype[] = { - "type", - "", - 0 -}; - -/* - * Set binary transfer type. - */ -/*VARARGS*/ -void -setbinary(int argc, char **argv) -{ - - stype[1] = "binary"; - settype(2, stype); -} - -/* - * Set ascii transfer type. - */ -/*VARARGS*/ -void -setascii(int argc, char **argv) -{ - - stype[1] = "ascii"; - settype(2, stype); -} - -/* - * Set tenex transfer type. - */ -/*VARARGS*/ -void -settenex(int argc, char **argv) -{ - - stype[1] = "tenex"; - settype(2, stype); -} - -/* - * Set file transfer mode. - */ -/*ARGSUSED*/ -void -setftmode(int argc, char **argv) -{ - - printf("We only support %s mode, sorry.\n", modename); - code = -1; -} - -/* - * Set file transfer format. - */ -/*ARGSUSED*/ -void -setform(int argc, char **argv) -{ - - printf("We only support %s format, sorry.\n", formname); - code = -1; -} - -/* - * Set file transfer structure. - */ -/*ARGSUSED*/ -void -setstruct(int argc, char **argv) -{ - - printf("We only support %s structure, sorry.\n", structname); - code = -1; -} - -/* - * Send a single file. 
- */ -void -put(int argc, char **argv) -{ - char *cmd; - int loc = 0; - char *oldargv1, *oldargv2; - - if (argc == 2) { - argc++; - argv[2] = argv[1]; - loc++; - } - if (argc < 2 && !another(&argc, &argv, "local-file")) - goto usage; - if (argc < 3 && !another(&argc, &argv, "remote-file")) { -usage: - printf("usage: %s local-file remote-file\n", argv[0]); - code = -1; - return; - } - oldargv1 = argv[1]; - oldargv2 = argv[2]; - if (!globulize(&argv[1])) { - code = -1; - return; - } - /* - * If "globulize" modifies argv[1], and argv[2] is a copy of - * the old argv[1], make it a copy of the new argv[1]. - */ - if (argv[1] != oldargv1 && argv[2] == oldargv1) { - argv[2] = argv[1]; - } - cmd = (argv[0][0] == 'a') ? "APPE" : ((sunique) ? "STOU" : "STOR"); - if (loc && ntflag) { - argv[2] = dotrans(argv[2]); - } - if (loc && mapflag) { - argv[2] = domap(argv[2]); - } - sendrequest(cmd, argv[1], argv[2], - curtype == TYPE_I ? "rb" : "r", - argv[1] != oldargv1 || argv[2] != oldargv2); -} - -/* ARGSUSED */ -static RETSIGTYPE -mabort(int signo) -{ - int ointer; - - printf("\n"); - fflush(stdout); - if (mflag && fromatty) { - ointer = interactive; - interactive = 1; - if (confirm("Continue with", mname)) { - interactive = ointer; - longjmp(jabort,0); - } - interactive = ointer; - } - mflag = 0; - longjmp(jabort,0); -} - -/* - * Send multiple files. 
- */ -void -mput(int argc, char **argv) -{ - int i; - RETSIGTYPE (*oldintr)(int); - int ointer; - char *tp; - - if (argc < 2 && !another(&argc, &argv, "local-files")) { - printf("usage: %s local-files\n", argv[0]); - code = -1; - return; - } - mname = argv[0]; - mflag = 1; - oldintr = signal(SIGINT, mabort); - setjmp(jabort); - if (proxy) { - char *cp, *tp2, tmpbuf[MaxPathLen]; - - while ((cp = remglob(argv,0)) != NULL) { - if (*cp == 0) { - mflag = 0; - continue; - } - if (mflag && confirm(argv[0], cp)) { - tp = cp; - if (mcase) { - while (*tp && !islower((unsigned char)*tp)) { - tp++; - } - if (!*tp) { - tp = cp; - tp2 = tmpbuf; - while ((*tp2 = *tp) != '\0') { - if (isupper((unsigned char)*tp2)) { - *tp2 = 'a' + *tp2 - 'A'; - } - tp++; - tp2++; - } - } - tp = tmpbuf; - } - if (ntflag) { - tp = dotrans(tp); - } - if (mapflag) { - tp = domap(tp); - } - sendrequest((sunique) ? "STOU" : "STOR", - cp, tp, - curtype == TYPE_I ? "rb" : "r", - cp != tp || !interactive); - if (!mflag && fromatty) { - ointer = interactive; - interactive = 1; - if (confirm("Continue with","mput")) { - mflag++; - } - interactive = ointer; - } - } - } - signal(SIGINT, oldintr); - mflag = 0; - return; - } - for (i = 1; i < argc; i++) { - char **cpp; - glob_t gl; - int flags; - - if (!doglob) { - if (mflag && confirm(argv[0], argv[i])) { - tp = (ntflag) ? dotrans(argv[i]) : argv[i]; - tp = (mapflag) ? domap(tp) : tp; - sendrequest((sunique) ? "STOU" : "STOR", - argv[i], - curtype == TYPE_I ? 
"rb" : "r", - tp, tp != argv[i] || !interactive); - if (!mflag && fromatty) { - ointer = interactive; - interactive = 1; - if (confirm("Continue with","mput")) { - mflag++; - } - interactive = ointer; - } - } - continue; - } - - memset(&gl, 0, sizeof(gl)); - flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE; - if (glob(argv[i], flags, NULL, &gl) || gl.gl_pathc == 0) { - warnx("%s: not found", argv[i]); - globfree(&gl); - continue; - } - for (cpp = gl.gl_pathv; cpp && *cpp != NULL; cpp++) { - if (mflag && confirm(argv[0], *cpp)) { - tp = (ntflag) ? dotrans(*cpp) : *cpp; - tp = (mapflag) ? domap(tp) : tp; - sendrequest((sunique) ? "STOU" : "STOR", - *cpp, tp, - curtype == TYPE_I ? "rb" : "r", - *cpp != tp || !interactive); - if (!mflag && fromatty) { - ointer = interactive; - interactive = 1; - if (confirm("Continue with","mput")) { - mflag++; - } - interactive = ointer; - } - } - } - globfree(&gl); - } - signal(SIGINT, oldintr); - mflag = 0; -} - -void -reget(int argc, char **argv) -{ - getit(argc, argv, 1, curtype == TYPE_I ? "r+wb" : "r+w"); -} - -void -get(int argc, char **argv) -{ - char *mode; - - if (restart_point) { - if (curtype == TYPE_I) - mode = "r+wb"; - else - mode = "r+w"; - } else { - if (curtype == TYPE_I) - mode = "wb"; - else - mode = "w"; - } - - getit(argc, argv, 0, mode); -} - -/* - * Receive one file. 
- */ -int -getit(int argc, char **argv, int restartit, char *mode) -{ - int loc = 0; - int local_given = 1; - char *oldargv1, *oldargv2; - - if (argc == 2) { - argc++; - local_given = 0; - argv[2] = argv[1]; - loc++; - } - if ((argc < 2 && !another(&argc, &argv, "remote-file")) || - (argc < 3 && !another(&argc, &argv, "local-file"))) { - printf("usage: %s remote-file [ local-file ]\n", argv[0]); - code = -1; - return (0); - } - oldargv1 = argv[1]; - oldargv2 = argv[2]; - if (!globulize(&argv[2])) { - code = -1; - return (0); - } - if (loc && mcase) { - char *tp = argv[1], *tp2, tmpbuf[MaxPathLen]; - - while (*tp && !islower((unsigned char)*tp)) { - tp++; - } - if (!*tp) { - tp = argv[2]; - tp2 = tmpbuf; - while ((*tp2 = *tp) != '\0') { - if (isupper((unsigned char)*tp2)) { - *tp2 = 'a' + *tp2 - 'A'; - } - tp++; - tp2++; - } - argv[2] = tmpbuf; - } - } - if (loc && ntflag) - argv[2] = dotrans(argv[2]); - if (loc && mapflag) - argv[2] = domap(argv[2]); - if (restartit) { - struct stat stbuf; - int ret; - - ret = stat(argv[2], &stbuf); - if (restartit == 1) { - if (ret < 0) { - warn("local: %s", argv[2]); - return (0); - } - restart_point = stbuf.st_size; - } else if (ret == 0) { - int overbose; - int cmdret; - int yy, mo, day, hour, min, sec; - struct tm *tm; - time_t mtime = stbuf.st_mtime; - - overbose = verbose; - if (debug == 0) - verbose = -1; - cmdret = command("MDTM %s", argv[1]); - verbose = overbose; - if (cmdret != COMPLETE) { - printf("%s\n", reply_string); - return (0); - } - if (sscanf(reply_string, - "%*s %04d%02d%02d%02d%02d%02d", - &yy, &mo, &day, &hour, &min, &sec) - != 6) { - printf ("bad MDTM result\n"); - return (0); - } - - tm = gmtime(&mtime); - tm->tm_mon++; - tm->tm_year += 1900; - - if ((tm->tm_year > yy) || - (tm->tm_year == yy && - tm->tm_mon > mo) || - (tm->tm_mon == mo && - tm->tm_mday > day) || - (tm->tm_mday == day && - tm->tm_hour > hour) || - (tm->tm_hour == hour && - tm->tm_min > min) || - (tm->tm_min == min && - tm->tm_sec > sec)) - 
return (1); - } - } - - recvrequest("RETR", argv[2], argv[1], mode, - argv[1] != oldargv1 || argv[2] != oldargv2, local_given); - restart_point = 0; - return (0); -} - -static int -suspicious_filename(const char *fn) -{ - return strstr(fn, "../") != NULL || *fn == '/'; -} - -/* - * Get multiple files. - */ -void -mget(int argc, char **argv) -{ - sighand oldintr; - int ch, ointer; - char *cp, *tp, *tp2, tmpbuf[MaxPathLen]; - - if (argc < 2 && !another(&argc, &argv, "remote-files")) { - printf("usage: %s remote-files\n", argv[0]); - code = -1; - return; - } - mname = argv[0]; - mflag = 1; - oldintr = signal(SIGINT, mabort); - setjmp(jabort); - while ((cp = remglob(argv,proxy)) != NULL) { - if (*cp == '\0') { - mflag = 0; - continue; - } - if (mflag && suspicious_filename(cp)) - printf("*** Suspicious filename: %s\n", cp); - if (mflag && confirm(argv[0], cp)) { - tp = cp; - if (mcase) { - for (tp2 = tmpbuf; (ch = *tp++);) - *tp2++ = tolower(ch); - *tp2 = '\0'; - tp = tmpbuf; - } - if (ntflag) { - tp = dotrans(tp); - } - if (mapflag) { - tp = domap(tp); - } - recvrequest("RETR", tp, cp, - curtype == TYPE_I ? 
"wb" : "w", - tp != cp || !interactive, 0); - if (!mflag && fromatty) { - ointer = interactive; - interactive = 1; - if (confirm("Continue with","mget")) { - mflag++; - } - interactive = ointer; - } - } - } - signal(SIGINT,oldintr); - mflag = 0; -} - -char * -remglob(char **argv, int doswitch) -{ - char temp[16]; - static char buf[MaxPathLen]; - static FILE *ftemp = NULL; - static char **args; - int oldverbose, oldhash; - char *cp, *mode; - - if (!mflag) { - if (!doglob) { - args = NULL; - } - else { - if (ftemp) { - fclose(ftemp); - ftemp = NULL; - } - } - return (NULL); - } - if (!doglob) { - if (args == NULL) - args = argv; - if ((cp = *++args) == NULL) - args = NULL; - return (cp); - } - if (ftemp == NULL) { - int fd; - strlcpy(temp, _PATH_TMP_XXX, sizeof(temp)); - fd = mkstemp(temp); - if(fd < 0){ - warn("unable to create temporary file %s", temp); - return NULL; - } - close(fd); - oldverbose = verbose, verbose = 0; - oldhash = hash, hash = 0; - if (doswitch) { - pswitch(!proxy); - } - for (mode = "w"; *++argv != NULL; mode = "a") - recvrequest ("NLST", temp, *argv, mode, 0, 0); - if (doswitch) { - pswitch(!proxy); - } - verbose = oldverbose; hash = oldhash; - ftemp = fopen(temp, "r"); - unlink(temp); - if (ftemp == NULL) { - printf("can't find list of remote files, oops\n"); - return (NULL); - } - } - while(fgets(buf, sizeof (buf), ftemp)) { - if ((cp = strchr(buf, '\n')) != NULL) - *cp = '\0'; - if(!interactive && suspicious_filename(buf)){ - printf("Ignoring remote globbed file `%s'\n", buf); - continue; - } - return buf; - } - fclose(ftemp); - ftemp = NULL; - return (NULL); -} - -char * -onoff(int bool) -{ - - return (bool ? "on" : "off"); -} - -/* - * Show status. 
- */ -/*ARGSUSED*/ -void -status(int argc, char **argv) -{ - int i; - - if (connected) - printf("Connected to %s.\n", hostname); - else - printf("Not connected.\n"); - if (!proxy) { - pswitch(1); - if (connected) { - printf("Connected for proxy commands to %s.\n", hostname); - } - else { - printf("No proxy connection.\n"); - } - pswitch(0); - } - sec_status(); - printf("Mode: %s; Type: %s; Form: %s; Structure: %s\n", - modename, typename, formname, structname); - printf("Verbose: %s; Bell: %s; Prompting: %s; Globbing: %s\n", - onoff(verbose), onoff(bell), onoff(interactive), - onoff(doglob)); - printf("Store unique: %s; Receive unique: %s\n", onoff(sunique), - onoff(runique)); - printf("Case: %s; CR stripping: %s\n",onoff(mcase),onoff(crflag)); - if (ntflag) { - printf("Ntrans: (in) %s (out) %s\n", ntin,ntout); - } - else { - printf("Ntrans: off\n"); - } - if (mapflag) { - printf("Nmap: (in) %s (out) %s\n", mapin, mapout); - } - else { - printf("Nmap: off\n"); - } - printf("Hash mark printing: %s; Use of PORT cmds: %s\n", - onoff(hash), onoff(sendport)); - if (macnum > 0) { - printf("Macros:\n"); - for (i=0; i 1) { - val = atoi(argv[1]); - if (val < 0) { - printf("%s: bad debugging value.\n", argv[1]); - code = -1; - return; - } - } else - val = !debug; - debug = val; - if (debug) - options |= SO_DEBUG; - else - options &= ~SO_DEBUG; - printf("Debugging %s (debug=%d).\n", onoff(debug), debug); - code = debug > 0; -} - -/* - * Set current working directory - * on remote machine. - */ -void -cd(int argc, char **argv) -{ - - if (argc < 2 && !another(&argc, &argv, "remote-directory")) { - printf("usage: %s remote-directory\n", argv[0]); - code = -1; - return; - } - if (command("CWD %s", argv[1]) == ERROR && code == 500) { - if (verbose) - printf("CWD command not recognized, trying XCWD\n"); - command("XCWD %s", argv[1]); - } -} - -/* - * Set current working directory - * on local machine. 
- */ -void -lcd(int argc, char **argv) -{ - char buf[MaxPathLen]; - - if (argc < 2) - argc++, argv[1] = home; - if (argc != 2) { - printf("usage: %s local-directory\n", argv[0]); - code = -1; - return; - } - if (!globulize(&argv[1])) { - code = -1; - return; - } - if (chdir(argv[1]) < 0) { - warn("local: %s", argv[1]); - code = -1; - return; - } - if (getcwd(buf, sizeof(buf)) != NULL) - printf("Local directory now %s\n", buf); - else - warnx("getwd: %s", buf); - code = 0; -} - -/* - * Delete a single file. - */ -void -delete(int argc, char **argv) -{ - - if (argc < 2 && !another(&argc, &argv, "remote-file")) { - printf("usage: %s remote-file\n", argv[0]); - code = -1; - return; - } - command("DELE %s", argv[1]); -} - -/* - * Delete multiple files. - */ -void -mdelete(int argc, char **argv) -{ - sighand oldintr; - int ointer; - char *cp; - - if (argc < 2 && !another(&argc, &argv, "remote-files")) { - printf("usage: %s remote-files\n", argv[0]); - code = -1; - return; - } - mname = argv[0]; - mflag = 1; - oldintr = signal(SIGINT, mabort); - setjmp(jabort); - while ((cp = remglob(argv,0)) != NULL) { - if (*cp == '\0') { - mflag = 0; - continue; - } - if (mflag && confirm(argv[0], cp)) { - command("DELE %s", cp); - if (!mflag && fromatty) { - ointer = interactive; - interactive = 1; - if (confirm("Continue with", "mdelete")) { - mflag++; - } - interactive = ointer; - } - } - } - signal(SIGINT, oldintr); - mflag = 0; -} - -/* - * Rename a remote file. - */ -void -renamefile(int argc, char **argv) -{ - - if (argc < 2 && !another(&argc, &argv, "from-name")) - goto usage; - if (argc < 3 && !another(&argc, &argv, "to-name")) { -usage: - printf("%s from-name to-name\n", argv[0]); - code = -1; - return; - } - if (command("RNFR %s", argv[1]) == CONTINUE) - command("RNTO %s", argv[2]); -} - -/* - * Get a directory listing - * of remote files. 
- */ -void -ls(int argc, char **argv) -{ - char *cmd; - - if (argc < 2) - argc++, argv[1] = NULL; - if (argc < 3) - argc++, argv[2] = "-"; - if (argc > 3) { - printf("usage: %s remote-directory local-file\n", argv[0]); - code = -1; - return; - } - cmd = argv[0][0] == 'n' ? "NLST" : "LIST"; - if (strcmp(argv[2], "-") && !globulize(&argv[2])) { - code = -1; - return; - } - if (strcmp(argv[2], "-") && *argv[2] != '|') - if (!globulize(&argv[2]) || !confirm("output to local-file:", - argv[2])) { - code = -1; - return; - } - recvrequest(cmd, argv[2], argv[1], "w", 0, 1); -} - -/* - * Get a directory listing - * of multiple remote files. - */ -void -mls(int argc, char **argv) -{ - sighand oldintr; - int ointer, i; - char *cmd, mode[1], *dest; - - if (argc < 2 && !another(&argc, &argv, "remote-files")) - goto usage; - if (argc < 3 && !another(&argc, &argv, "local-file")) { -usage: - printf("usage: %s remote-files local-file\n", argv[0]); - code = -1; - return; - } - dest = argv[argc - 1]; - argv[argc - 1] = NULL; - if (strcmp(dest, "-") && *dest != '|') - if (!globulize(&dest) || - !confirm("output to local-file:", dest)) { - code = -1; - return; - } - cmd = argv[0][1] == 'l' ? "NLST" : "LIST"; - mname = argv[0]; - mflag = 1; - oldintr = signal(SIGINT, mabort); - setjmp(jabort); - for (i = 1; mflag && i < argc-1; ++i) { - *mode = (i == 1) ? 
'w' : 'a'; - recvrequest(cmd, dest, argv[i], mode, 0, 1); - if (!mflag && fromatty) { - ointer = interactive; - interactive = 1; - if (confirm("Continue with", argv[0])) { - mflag ++; - } - interactive = ointer; - } - } - signal(SIGINT, oldintr); - mflag = 0; -} - -/* - * Do a shell escape - */ -/*ARGSUSED*/ -void -shell(int argc, char **argv) -{ - pid_t pid; - RETSIGTYPE (*old1)(int), (*old2)(int); - char shellnam[40], *shell, *namep; - int status; - - old1 = signal (SIGINT, SIG_IGN); - old2 = signal (SIGQUIT, SIG_IGN); - if ((pid = fork()) == 0) { - for (pid = 3; pid < 20; pid++) - close(pid); - signal(SIGINT, SIG_DFL); - signal(SIGQUIT, SIG_DFL); - shell = getenv("SHELL"); - if (shell == NULL) - shell = _PATH_BSHELL; - namep = strrchr(shell,'/'); - if (namep == NULL) - namep = shell; - snprintf (shellnam, sizeof(shellnam), - "-%s", ++namep); - if (strcmp(namep, "sh") != 0) - shellnam[0] = '+'; - if (debug) { - printf ("%s\n", shell); - fflush (stdout); - } - if (argc > 1) { - execl(shell,shellnam,"-c",altarg,(char *)0); - } - else { - execl(shell,shellnam,(char *)0); - } - warn("%s", shell); - code = -1; - exit(1); - } - if (pid > 0) - while (waitpid(-1, &status, 0) != pid) - ; - signal(SIGINT, old1); - signal(SIGQUIT, old2); - if (pid == -1) { - warn("%s", "Try again later"); - code = -1; - } - else { - code = 0; - } -} - -/* - * Send new user information (re-login) - */ -void -user(int argc, char **argv) -{ - char acct[80]; - int n, aflag = 0; - char tmp[256]; - - if (argc < 2) - another(&argc, &argv, "username"); - if (argc < 2 || argc > 4) { - printf("usage: %s username [password] [account]\n", argv[0]); - code = -1; - return; - } - n = command("USER %s", argv[1]); - if (n == CONTINUE) { - if (argc < 3 ) { - des_read_pw_string (tmp, - sizeof(tmp), - "Password: ", 0); - argv[2] = tmp; - argc++; - } - n = command("PASS %s", argv[2]); - } - if (n == CONTINUE) { - if (argc < 4) { - printf("Account: "); fflush(stdout); - fgets(acct, sizeof(acct) - 1, stdin); - 
acct[strlen(acct) - 1] = '\0'; - argv[3] = acct; argc++; - } - n = command("ACCT %s", argv[3]); - aflag++; - } - if (n != COMPLETE) { - fprintf(stdout, "Login failed.\n"); - return; - } - if (!aflag && argc == 4) { - command("ACCT %s", argv[3]); - } -} - -/* - * Print working directory. - */ -/*VARARGS*/ -void -pwd(int argc, char **argv) -{ - int oldverbose = verbose; - - /* - * If we aren't verbose, this doesn't do anything! - */ - verbose = 1; - if (command("PWD") == ERROR && code == 500) { - printf("PWD command not recognized, trying XPWD\n"); - command("XPWD"); - } - verbose = oldverbose; -} - -/* - * Make a directory. - */ -void -makedir(int argc, char **argv) -{ - - if (argc < 2 && !another(&argc, &argv, "directory-name")) { - printf("usage: %s directory-name\n", argv[0]); - code = -1; - return; - } - if (command("MKD %s", argv[1]) == ERROR && code == 500) { - if (verbose) - printf("MKD command not recognized, trying XMKD\n"); - command("XMKD %s", argv[1]); - } -} - -/* - * Remove a directory. - */ -void -removedir(int argc, char **argv) -{ - - if (argc < 2 && !another(&argc, &argv, "directory-name")) { - printf("usage: %s directory-name\n", argv[0]); - code = -1; - return; - } - if (command("RMD %s", argv[1]) == ERROR && code == 500) { - if (verbose) - printf("RMD command not recognized, trying XRMD\n"); - command("XRMD %s", argv[1]); - } -} - -/* - * Send a line, verbatim, to the remote machine. - */ -void -quote(int argc, char **argv) -{ - - if (argc < 2 && !another(&argc, &argv, "command line to send")) { - printf("usage: %s line-to-send\n", argv[0]); - code = -1; - return; - } - quote1("", argc, argv); -} - -/* - * Send a SITE command to the remote machine. The line - * is sent verbatim to the remote machine, except that the - * word "SITE" is added at the front. 
- */ -void -site(int argc, char **argv) -{ - - if (argc < 2 && !another(&argc, &argv, "arguments to SITE command")) { - printf("usage: %s line-to-send\n", argv[0]); - code = -1; - return; - } - quote1("SITE ", argc, argv); -} - -/* - * Turn argv[1..argc) into a space-separated string, then prepend initial text. - * Send the result as a one-line command and get response. - */ -void -quote1(char *initial, int argc, char **argv) -{ - int i; - char buf[BUFSIZ]; /* must be >= sizeof(line) */ - - strlcpy(buf, initial, sizeof(buf)); - for(i = 1; i < argc; i++) { - if(i > 1) - strlcat(buf, " ", sizeof(buf)); - strlcat(buf, argv[i], sizeof(buf)); - } - if (command("%s", buf) == PRELIM) { - while (getreply(0) == PRELIM) - continue; - } -} - -void -do_chmod(int argc, char **argv) -{ - - if (argc < 2 && !another(&argc, &argv, "mode")) - goto usage; - if (argc < 3 && !another(&argc, &argv, "file-name")) { -usage: - printf("usage: %s mode file-name\n", argv[0]); - code = -1; - return; - } - command("SITE CHMOD %s %s", argv[1], argv[2]); -} - -void -do_umask(int argc, char **argv) -{ - int oldverbose = verbose; - - verbose = 1; - command(argc == 1 ? "SITE UMASK" : "SITE UMASK %s", argv[1]); - verbose = oldverbose; -} - -void -ftp_idle(int argc, char **argv) -{ - int oldverbose = verbose; - - verbose = 1; - command(argc == 1 ? "SITE IDLE" : "SITE IDLE %s", argv[1]); - verbose = oldverbose; -} - -/* - * Ask the other side for help. - */ -void -rmthelp(int argc, char **argv) -{ - int oldverbose = verbose; - - verbose = 1; - command(argc == 1 ? "HELP" : "HELP %s", argv[1]); - verbose = oldverbose; -} - -/* - * Terminate session and exit. - */ -/*VARARGS*/ -void -quit(int argc, char **argv) -{ - - if (connected) - disconnect(0, 0); - pswitch(1); - if (connected) { - disconnect(0, 0); - } - exit(0); -} - -/* - * Terminate session, but don't exit. 
- */ -void -disconnect(int argc, char **argv) -{ - - if (!connected) - return; - command("QUIT"); - if (cout) { - fclose(cout); - } - cout = NULL; - connected = 0; - sec_end(); - data = -1; - if (!proxy) { - macnum = 0; - } -} - -int -confirm(char *cmd, char *file) -{ - char line[BUFSIZ]; - - if (!interactive) - return (1); - printf("%s %s? ", cmd, file); - fflush(stdout); - if (fgets(line, sizeof line, stdin) == NULL) - return (0); - return (*line == 'y' || *line == 'Y'); -} - -void -fatal(char *msg) -{ - - errx(1, "%s", msg); -} - -/* - * Glob a local file name specification with - * the expectation of a single return value. - * Can't control multiple values being expanded - * from the expression, we return only the first. - */ -int -globulize(char **cpp) -{ - glob_t gl; - int flags; - - if (!doglob) - return (1); - - flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE; - memset(&gl, 0, sizeof(gl)); - if (glob(*cpp, flags, NULL, &gl) || - gl.gl_pathc == 0) { - warnx("%s: not found", *cpp); - globfree(&gl); - return (0); - } - *cpp = strdup(gl.gl_pathv[0]); /* XXX - wasted memory */ - globfree(&gl); - return (1); -} - -void -account(int argc, char **argv) -{ - char acct[50]; - - if (argc > 1) { - ++argv; - --argc; - strlcpy (acct, *argv, sizeof(acct)); - while (argc > 1) { - --argc; - ++argv; - strlcat(acct, *argv, sizeof(acct)); - } - } - else { - des_read_pw_string(acct, sizeof(acct), "Account:", 0); - } - command("ACCT %s", acct); -} - -jmp_buf abortprox; - -static RETSIGTYPE -proxabort(int sig) -{ - - if (!proxy) { - pswitch(1); - } - if (connected) { - proxflag = 1; - } - else { - proxflag = 0; - } - pswitch(0); - longjmp(abortprox,1); -} - -void -doproxy(int argc, char **argv) -{ - struct cmd *c; - RETSIGTYPE (*oldintr)(int); - - if (argc < 2 && !another(&argc, &argv, "command")) { - printf("usage: %s command\n", argv[0]); - code = -1; - return; - } - c = getcmd(argv[1]); - if (c == (struct cmd *) -1) { - printf("?Ambiguous command\n"); - fflush(stdout); - 
code = -1; - return; - } - if (c == 0) { - printf("?Invalid command\n"); - fflush(stdout); - code = -1; - return; - } - if (!c->c_proxy) { - printf("?Invalid proxy command\n"); - fflush(stdout); - code = -1; - return; - } - if (setjmp(abortprox)) { - code = -1; - return; - } - oldintr = signal(SIGINT, proxabort); - pswitch(1); - if (c->c_conn && !connected) { - printf("Not connected\n"); - fflush(stdout); - pswitch(0); - signal(SIGINT, oldintr); - code = -1; - return; - } - (*c->c_handler)(argc-1, argv+1); - if (connected) { - proxflag = 1; - } - else { - proxflag = 0; - } - pswitch(0); - signal(SIGINT, oldintr); -} - -void -setcase(int argc, char **argv) -{ - - mcase = !mcase; - printf("Case mapping %s.\n", onoff(mcase)); - code = mcase; -} - -void -setcr(int argc, char **argv) -{ - - crflag = !crflag; - printf("Carriage Return stripping %s.\n", onoff(crflag)); - code = crflag; -} - -void -setntrans(int argc, char **argv) -{ - if (argc == 1) { - ntflag = 0; - printf("Ntrans off.\n"); - code = ntflag; - return; - } - ntflag++; - code = ntflag; - strlcpy (ntin, argv[1], 17); - if (argc == 2) { - ntout[0] = '\0'; - return; - } - strlcpy (ntout, argv[2], 17); -} - -char * -dotrans(char *name) -{ - static char new[MaxPathLen]; - char *cp1, *cp2 = new; - int i, ostop, found; - - for (ostop = 0; *(ntout + ostop) && ostop < 16; ostop++) - continue; - for (cp1 = name; *cp1; cp1++) { - found = 0; - for (i = 0; *(ntin + i) && i < 16; i++) { - if (*cp1 == *(ntin + i)) { - found++; - if (i < ostop) { - *cp2++ = *(ntout + i); - } - break; - } - } - if (!found) { - *cp2++ = *cp1; - } - } - *cp2 = '\0'; - return (new); -} - -void -setnmap(int argc, char **argv) -{ - char *cp; - - if (argc == 1) { - mapflag = 0; - printf("Nmap off.\n"); - code = mapflag; - return; - } - if (argc < 3 && !another(&argc, &argv, "mapout")) { - printf("Usage: %s [mapin mapout]\n",argv[0]); - code = -1; - return; - } - mapflag = 1; - code = 1; - cp = strchr(altarg, ' '); - if (proxy) { - while(*++cp == 
' ') - continue; - altarg = cp; - cp = strchr(altarg, ' '); - } - *cp = '\0'; - strlcpy(mapin, altarg, MaxPathLen); - while (*++cp == ' ') - continue; - strlcpy(mapout, cp, MaxPathLen); -} - -char * -domap(char *name) -{ - static char new[MaxPathLen]; - char *cp1 = name, *cp2 = mapin; - char *tp[9], *te[9]; - int i, toks[9], toknum = 0, match = 1; - - for (i=0; i < 9; ++i) { - toks[i] = 0; - } - while (match && *cp1 && *cp2) { - switch (*cp2) { - case '\\': - if (*++cp2 != *cp1) { - match = 0; - } - break; - case '$': - if (*(cp2+1) >= '1' && (*cp2+1) <= '9') { - if (*cp1 != *(++cp2+1)) { - toks[toknum = *cp2 - '1']++; - tp[toknum] = cp1; - while (*++cp1 && *(cp2+1) - != *cp1); - te[toknum] = cp1; - } - cp2++; - break; - } - /* FALLTHROUGH */ - default: - if (*cp2 != *cp1) { - match = 0; - } - break; - } - if (match && *cp1) { - cp1++; - } - if (match && *cp2) { - cp2++; - } - } - if (!match && *cp1) /* last token mismatch */ - { - toks[toknum] = 0; - } - cp1 = new; - *cp1 = '\0'; - cp2 = mapout; - while (*cp2) { - match = 0; - switch (*cp2) { - case '\\': - if (*(cp2 + 1)) { - *cp1++ = *++cp2; - } - break; - case '[': -LOOP: - if (*++cp2 == '$' && isdigit((unsigned char)*(cp2+1))) { - if (*++cp2 == '0') { - char *cp3 = name; - - while (*cp3) { - *cp1++ = *cp3++; - } - match = 1; - } - else if (toks[toknum = *cp2 - '1']) { - char *cp3 = tp[toknum]; - - while (cp3 != te[toknum]) { - *cp1++ = *cp3++; - } - match = 1; - } - } - else { - while (*cp2 && *cp2 != ',' && - *cp2 != ']') { - if (*cp2 == '\\') { - cp2++; - } - else if (*cp2 == '$' && - isdigit((unsigned char)*(cp2+1))) { - if (*++cp2 == '0') { - char *cp3 = name; - - while (*cp3) { - *cp1++ = *cp3++; - } - } - else if (toks[toknum = - *cp2 - '1']) { - char *cp3=tp[toknum]; - - while (cp3 != - te[toknum]) { - *cp1++ = *cp3++; - } - } - } - else if (*cp2) { - *cp1++ = *cp2++; - } - } - if (!*cp2) { - printf("nmap: unbalanced brackets\n"); - return (name); - } - match = 1; - cp2--; - } - if (match) { - while 
(*++cp2 && *cp2 != ']') { - if (*cp2 == '\\' && *(cp2 + 1)) { - cp2++; - } - } - if (!*cp2) { - printf("nmap: unbalanced brackets\n"); - return (name); - } - break; - } - switch (*++cp2) { - case ',': - goto LOOP; - case ']': - break; - default: - cp2--; - goto LOOP; - } - break; - case '$': - if (isdigit((unsigned char)*(cp2 + 1))) { - if (*++cp2 == '0') { - char *cp3 = name; - - while (*cp3) { - *cp1++ = *cp3++; - } - } - else if (toks[toknum = *cp2 - '1']) { - char *cp3 = tp[toknum]; - - while (cp3 != te[toknum]) { - *cp1++ = *cp3++; - } - } - break; - } - /* intentional drop through */ - default: - *cp1++ = *cp2; - break; - } - cp2++; - } - *cp1 = '\0'; - if (!*new) { - return (name); - } - return (new); -} - -void -setpassive(int argc, char **argv) -{ - - passivemode = !passivemode; - printf("Passive mode %s.\n", onoff(passivemode)); - code = passivemode; -} - -void -setsunique(int argc, char **argv) -{ - - sunique = !sunique; - printf("Store unique %s.\n", onoff(sunique)); - code = sunique; -} - -void -setrunique(int argc, char **argv) -{ - - runique = !runique; - printf("Receive unique %s.\n", onoff(runique)); - code = runique; -} - -/* change directory to perent directory */ -void -cdup(int argc, char **argv) -{ - - if (command("CDUP") == ERROR && code == 500) { - if (verbose) - printf("CDUP command not recognized, trying XCUP\n"); - command("XCUP"); - } -} - -/* restart transfer at specific point */ -void -restart(int argc, char **argv) -{ - - if (argc != 2) - printf("restart: offset not specified\n"); - else { - restart_point = atol(argv[1]); - printf("restarting at %ld. 
%s\n", (long)restart_point, - "execute get, put or append to initiate transfer"); - } -} - -/* show remote system type */ -void -syst(int argc, char **argv) -{ - - command("SYST"); -} - -void -macdef(int argc, char **argv) -{ - char *tmp; - int c; - - if (macnum == 16) { - printf("Limit of 16 macros have already been defined\n"); - code = -1; - return; - } - if (argc < 2 && !another(&argc, &argv, "macro name")) { - printf("Usage: %s macro_name\n",argv[0]); - code = -1; - return; - } - if (interactive) { - printf("Enter macro line by line, terminating it with a null line\n"); - } - strlcpy(macros[macnum].mac_name, - argv[1], - sizeof(macros[macnum].mac_name)); - if (macnum == 0) { - macros[macnum].mac_start = macbuf; - } - else { - macros[macnum].mac_start = macros[macnum - 1].mac_end + 1; - } - tmp = macros[macnum].mac_start; - while (tmp != macbuf+4096) { - if ((c = getchar()) == EOF) { - printf("macdef:end of file encountered\n"); - code = -1; - return; - } - if ((*tmp = c) == '\n') { - if (tmp == macros[macnum].mac_start) { - macros[macnum++].mac_end = tmp; - code = 0; - return; - } - if (*(tmp-1) == '\0') { - macros[macnum++].mac_end = tmp - 1; - code = 0; - return; - } - *tmp = '\0'; - } - tmp++; - } - while (1) { - while ((c = getchar()) != '\n' && c != EOF) - /* LOOP */; - if (c == EOF || getchar() == '\n') { - printf("Macro not defined - 4k buffer exceeded\n"); - code = -1; - return; - } - } -} - -/* - * get size of file on remote machine - */ -void -sizecmd(int argc, char **argv) -{ - - if (argc < 2 && !another(&argc, &argv, "filename")) { - printf("usage: %s filename\n", argv[0]); - code = -1; - return; - } - command("SIZE %s", argv[1]); -} - -/* - * get last modification time of file on remote machine - */ -void -modtime(int argc, char **argv) -{ - int overbose; - - if (argc < 2 && !another(&argc, &argv, "filename")) { - printf("usage: %s filename\n", argv[0]); - code = -1; - return; - } - overbose = verbose; - if (debug == 0) - verbose = -1; - if 
(command("MDTM %s", argv[1]) == COMPLETE) { - int yy, mo, day, hour, min, sec; - sscanf(reply_string, "%*s %04d%02d%02d%02d%02d%02d", &yy, &mo, - &day, &hour, &min, &sec); - /* might want to print this in local time */ - printf("%s\t%02d/%02d/%04d %02d:%02d:%02d GMT\n", argv[1], - mo, day, yy, hour, min, sec); - } else - printf("%s\n", reply_string); - verbose = overbose; -} - -/* - * show status on reomte machine - */ -void -rmtstatus(int argc, char **argv) -{ - - command(argc > 1 ? "STAT %s" : "STAT" , argv[1]); -} - -/* - * get file if modtime is more recent than current file - */ -void -newer(int argc, char **argv) -{ - - if (getit(argc, argv, -1, curtype == TYPE_I ? "wb" : "w")) - printf("Local file \"%s\" is newer than remote file \"%s\"\n", - argv[2], argv[1]); -} diff --git a/crypto/heimdal-0.6.3/appl/ftp/ftp/cmdtab.c b/crypto/heimdal-0.6.3/appl/ftp/ftp/cmdtab.c deleted file mode 100644 index 5dc96efa36..0000000000 --- a/crypto/heimdal-0.6.3/appl/ftp/ftp/cmdtab.c +++ /dev/null 
@@ -1,202 +0,0 @@
-/*
- * Copyright (c) 1985, 1989, 1993, 1994
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "ftp_locl.h"
-
-/*
- * User FTP -- Command Tables.
- */
-
-char accounthelp[] = "send account command to remote server";
-char appendhelp[] = "append to a file";
-char asciihelp[] = "set ascii transfer type";
-char beephelp[] = "beep when command completed";
-char binaryhelp[] = "set binary transfer type";
-char casehelp[] = "toggle mget upper/lower case id mapping";
-char cdhelp[] = "change remote working directory";
-char cduphelp[] = "change remote working directory to parent directory";
-char chmodhelp[] = "change file permissions of remote file";
-char connecthelp[] = "connect to remote tftp";
-char crhelp[] = "toggle carriage return stripping on ascii gets";
-char deletehelp[] = "delete remote file";
-char debughelp[] = "toggle/set debugging mode";
-char dirhelp[] = "list contents of remote directory";
-char disconhelp[] = "terminate ftp session";
-char domachelp[] = "execute macro";
-char formhelp[] = "set file transfer format";
-char globhelp[] = "toggle metacharacter expansion of local file names";
-char hashhelp[] = "toggle printing `#' for each buffer transferred";
-char helphelp[] = "print local help information";
-char idlehelp[] = "get (set) idle timer on remote side";
-char lcdhelp[] = "change local working directory";
-char lshelp[] = "list contents of remote directory";
-char macdefhelp[] = "define a macro";
-char mdeletehelp[] = "delete multiple files";
-char mdirhelp[] = "list contents of multiple remote directories";
-char mgethelp[] = "get multiple files";
-char mkdirhelp[] = "make directory on the remote machine";
-char mlshelp[] = "list contents of multiple remote directories";
-char modtimehelp[] = "show last modification time of remote file";
-char modehelp[] = "set file transfer mode";
-char mputhelp[] = "send multiple files";
-char newerhelp[] = "get file if remote file is newer than local file ";
-char nlisthelp[] = "nlist contents of remote directory";
-char nmaphelp[] = "set templates for default file name mapping";
-char ntranshelp[] = "set translation table for default file name mapping";
-char porthelp[] = "toggle use of PORT cmd for each data connection";
-char prompthelp[] = "force interactive prompting on multiple commands";
-char proxyhelp[] = "issue command on alternate connection";
-char pwdhelp[] = "print working directory on remote machine";
-char quithelp[] = "terminate ftp session and exit";
-char quotehelp[] = "send arbitrary ftp command";
-char receivehelp[] = "receive file";
-char regethelp[] = "get file restarting at end of local file";
-char remotehelp[] = "get help from remote server";
-char renamehelp[] = "rename file";
-char restarthelp[]= "restart file transfer at bytecount";
-char rmdirhelp[] = "remove directory on the remote machine";
-char rmtstatushelp[]="show status of remote machine";
-char runiquehelp[] = "toggle store unique for local files";
-char resethelp[] = "clear queued command replies";
-char sendhelp[] = "send one file";
-char passivehelp[] = "enter passive transfer mode";
-char sitehelp[] = "send site specific command to remote server\n\t\tTry \"rhelp site\" or \"site help\" for more information";
-char shellhelp[] = "escape to the shell";
-char sizecmdhelp[] = "show size of remote file";
-char statushelp[] = "show current status";
-char structhelp[] = "set file transfer structure";
-char suniquehelp[] = "toggle store unique on remote machine";
-char systemhelp[] = "show remote system type";
-char tenexhelp[] = "set tenex file transfer type";
-char tracehelp[] = "toggle packet tracing";
-char typehelp[] = "set file transfer type";
-char umaskhelp[] = "get (set) umask on remote side";
-char userhelp[] = "send new user information";
-char verbosehelp[] = "toggle verbose mode";
-
-char prothelp[] = "set protection level";
-#ifdef KRB4
-char kauthhelp[] = "get remote tokens";
-char klisthelp[] = "show remote tickets";
-char kdestroyhelp[] = "destroy remote tickets";
-char krbtkfilehelp[] = "set filename of remote tickets";
-char afsloghelp[] = "obtain remote AFS tokens";
-#endif
-
-struct cmd cmdtab[] = {
- { "!", shellhelp, 0, 0, 0, shell },
- { "$", domachelp, 1, 0, 0, domacro },
- { "account", accounthelp, 0, 1, 1, account},
- { "append", appendhelp, 1, 1, 1, put },
- { "ascii", asciihelp, 0, 1, 1, setascii },
- { "bell", beephelp, 0, 0, 0, setbell },
- { "binary", binaryhelp, 0, 1, 1, setbinary },
- { "bye", quithelp, 0, 0, 0, quit },
- { "case", casehelp, 0, 0, 1, setcase },
- { "cd", cdhelp, 0, 1, 1, cd },
- { "cdup", cduphelp, 0, 1, 1, cdup },
- { "chmod", chmodhelp, 0, 1, 1, do_chmod },
- { "close", disconhelp, 0, 1, 1, disconnect },
- { "cr", crhelp, 0, 0, 0, setcr },
- { "delete", deletehelp, 0, 1, 1, delete },
- { "debug", debughelp, 0, 0, 0, setdebug },
- { "dir", dirhelp, 1, 1, 1, ls },
- { "disconnect", disconhelp, 0, 1, 1, disconnect },
- { "form", formhelp, 0, 1, 1, setform },
- { "get", receivehelp, 1, 1, 1, get },
- { "glob", globhelp, 0, 0, 0, setglob },
- { "hash", hashhelp, 0, 0, 0, sethash },
- { "help", helphelp, 0, 0, 1, help },
- { "idle", idlehelp, 0, 1, 1, ftp_idle },
- { "image", binaryhelp, 0, 1, 1, setbinary },
- { "lcd", lcdhelp, 0, 0, 0, lcd },
- { "ls", lshelp, 1, 1, 1, ls },
- { "macdef", macdefhelp, 0, 0, 0, macdef },
- { "mdelete", mdeletehelp, 1, 1, 1, mdelete },
- { "mdir", mdirhelp, 1, 1, 1, mls },
- { "mget", mgethelp, 1, 1, 1, mget },
- { "mkdir", mkdirhelp, 0, 1, 1, makedir },
- { "mls", mlshelp, 1, 1, 1, mls },
- { "mode", modehelp, 0, 1, 1, setftmode },
- { "modtime", modtimehelp, 0, 1, 1, modtime },
- { "mput", mputhelp, 1, 1, 1, mput },
- { "newer", newerhelp, 1, 1, 1, newer },
- { "nmap", nmaphelp, 0, 0, 1, setnmap },
- { "nlist", nlisthelp, 1, 1, 1, ls },
- { "ntrans", ntranshelp, 0, 0, 1, setntrans },
- { "open", connecthelp, 0, 0, 1, setpeer },
- { "passive", passivehelp, 0, 0, 0, setpassive },
- { "prompt", prompthelp, 0, 0, 0, setprompt },
- { "proxy", proxyhelp, 0, 0, 1, doproxy },
- { "sendport", porthelp, 0, 0, 0, setport },
- { "put", sendhelp, 1, 1, 1, put },
- { "pwd", pwdhelp, 0, 1, 1, pwd },
- { "quit", quithelp, 0, 0, 0, quit },
- { "quote", quotehelp, 1, 1, 1, quote },
- { "recv", receivehelp, 1, 1, 1, get },
- { "reget", regethelp, 1, 1, 1, reget },
- { "rstatus", rmtstatushelp, 0, 1, 1, rmtstatus },
- { "rhelp", remotehelp, 0, 1, 1, rmthelp },
- { "rename", renamehelp, 0, 1, 1, renamefile },
- { "reset", resethelp, 0, 1, 1, reset },
- { "restart", restarthelp, 1, 1, 1, restart },
- { "rmdir", rmdirhelp, 0, 1, 1, removedir },
- { "runique", runiquehelp, 0, 0, 1, setrunique },
- { "send", sendhelp, 1, 1, 1, put },
- { "site", sitehelp, 0, 1, 1, site },
- { "size", sizecmdhelp, 1, 1, 1, sizecmd },
- { "status", statushelp, 0, 0, 1, status },
- { "struct", structhelp, 0, 1, 1, setstruct },
- { "system", systemhelp, 0, 1, 1, syst },
- { "sunique", suniquehelp, 0, 0, 1, setsunique },
- { "tenex", tenexhelp, 0, 1, 1, settenex },
- { "trace", tracehelp, 0, 0, 0, settrace },
- { "type", typehelp, 0, 1, 1, settype },
- { "user", userhelp, 0, 1, 1, user },
- { "umask", umaskhelp, 0, 1, 1, do_umask },
- { "verbose", verbosehelp, 0, 0, 0, setverbose },
- { "?", helphelp, 0, 0, 1, help },
-
- { "prot", prothelp, 0, 1, 0, sec_prot },
-#ifdef KRB4
- { "kauth", kauthhelp, 0, 1, 0, kauth },
- { "klist", klisthelp, 0, 1, 0, klist },
- { "kdestroy", kdestroyhelp, 0, 1, 0, kdestroy },
- { "krbtkfile", krbtkfilehelp, 0, 1, 0, krbtkfile },
- { "afslog", afsloghelp, 0, 1, 0, afslog },
-#endif
-
- { 0 },
-};
-
-int NCMDS = (sizeof (cmdtab) / sizeof (cmdtab[0])) - 1;
diff --git a/crypto/heimdal-0.6.3/appl/ftp/ftp/domacro.c b/crypto/heimdal-0.6.3/appl/ftp/ftp/domacro.c
deleted file mode 100644
index d91660d014..0000000000
--- a/crypto/heimdal-0.6.3/appl/ftp/ftp/domacro.c
+++ /dev/null
@@ -1,138 +0,0 @@
-/*
- * Copyright (c) 1985, 1993, 1994
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "ftp_locl.h"
-RCSID("$Id: domacro.c,v 1.7 1999/09/16 20:37:29 assar Exp $");
-
-void
-domacro(int argc, char **argv)
-{
- int i, j, count = 2, loopflg = 0;
- char *cp1, *cp2, line2[200];
- struct cmd *c;
-
- if (argc < 2 && !another(&argc, &argv, "macro name")) {
- printf("Usage: %s macro_name.\n", argv[0]);
- code = -1;
- return;
- }
- for (i = 0; i < macnum; ++i) {
- if (!strncmp(argv[1], macros[i].mac_name, 9)) {
- break;
- }
- }
- if (i == macnum) {
- printf("'%s' macro not found.\n", argv[1]);
- code = -1;
- return;
- }
- strlcpy(line2, line, sizeof(line2));
-TOP:
- cp1 = macros[i].mac_start;
- while (cp1 != macros[i].mac_end) {
- while (isspace(*cp1)) {
- cp1++;
- }
- cp2 = line;
- while (*cp1 != '\0') {
- switch(*cp1) {
- case '\\':
- *cp2++ = *++cp1;
- break;
- case '$':
- if (isdigit(*(cp1+1))) {
- j = 0;
- while (isdigit(*++cp1)) {
- j = 10*j + *cp1 - '0';
- }
- cp1--;
- if (argc - 2 >= j) {
- strcpy(cp2, argv[j+1]);
- cp2 += strlen(argv[j+1]);
- }
- break;
- }
- if (*(cp1+1) == 'i') {
- loopflg = 1;
- cp1++;
- if (count < argc) {
- strcpy(cp2, argv[count]);
- cp2 += strlen(argv[count]);
- }
- break;
- }
- /* intentional drop through */
- default:
- *cp2++ = *cp1;
- break;
- }
- if (*cp1 != '\0') {
- cp1++;
- }
- }
- *cp2 = '\0';
- makeargv();
- c = getcmd(margv[0]);
- if (c == (struct cmd *)-1) {
- printf("?Ambiguous command\n");
- code = -1;
- }
- else if (c == 0) {
- printf("?Invalid command\n");
- code = -1;
- }
- else if (c->c_conn && !connected) {
- printf("Not connected.\n");
- code = -1;
- }
- else {
- if (verbose) {
- printf("%s\n",line);
- }
- (*c->c_handler)(margc, margv);
- if (bell && c->c_bell) {
- putchar('\007');
- }
- strcpy(line, line2);
- makeargv();
- argc = margc;
- argv = margv;
- }
- if (cp1 != macros[i].mac_end) {
- cp1++;
- }
- }
- if (loopflg && ++count < argc) {
- goto TOP;
- }
-}
diff --git a/crypto/heimdal-0.6.3/appl/ftp/ftp/extern.h b/crypto/heimdal-0.6.3/appl/ftp/ftp/extern.h
deleted file mode 100644
index 337bed674d..0000000000
--- a/crypto/heimdal-0.6.3/appl/ftp/ftp/extern.h
+++ /dev/null
@@ -1,174 +0,0 @@
-/*-
- * Copyright (c) 1994 The Regents of the University of California.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * @(#)extern.h 8.3 (Berkeley) 10/9/94
- */
-
-/* $Id: extern.h,v 1.19 2000/09/19 13:15:12 assar Exp $ */
-
-#include
-#include
-#ifdef TIME_WITH_SYS_TIME
-#include
-#include
-#elif defined(HAVE_SYS_TIME_H)
-#include
-#else
-#include
-#endif
-#ifdef HAVE_SYS_SELECT_H
-#include
-#endif
-
-void abort_remote (FILE *);
-void abortpt (int);
-void abortrecv (int);
-void account (int, char **);
-int another (int *, char ***, char *);
-void blkfree (char **);
-void cd (int, char **);
-void cdup (int, char **);
-void changetype (int, int);
-void cmdabort (int);
-void cmdscanner (int);
-int command (char *fmt, ...)
- __attribute__ ((format (printf, 1,2)));
-int confirm (char *, char *);
-FILE *dataconn (const char *);
-void delete (int, char **);
-void disconnect (int, char **);
-void do_chmod (int, char **);
-void do_umask (int, char **);
-void domacro (int, char **);
-char *domap (char *);
-void doproxy (int, char **);
-char *dotrans (char *);
-int empty (fd_set *, int);
-void fatal (char *);
-void get (int, char **);
-struct cmd *getcmd (char *);
-int getit (int, char **, int, char *);
-int getreply (int);
-int globulize (char **);
-char *gunique (char *);
-void help (int, char **);
-char *hookup (const char *, int);
-void ftp_idle (int, char **);
-int initconn (void);
-void intr (int);
-void lcd (int, char **);
-int login (char *);
-RETSIGTYPE lostpeer (int);
-void ls (int, char **);
-void macdef (int, char **);
-void makeargv (void);
-void makedir (int, char **);
-void mdelete (int, char **);
-void mget (int, char **);
-void mls (int, char **);
-void modtime (int, char **);
-void mput (int, char **);
-char *onoff (int);
-void newer (int, char **);
-void proxtrans (char *, char *, char *);
-void psabort (int);
-void pswitch (int);
-void ptransfer (char *, long, struct timeval *, struct timeval *);
-void put (int, char **);
-void pwd (int, char **);
-void quit (int, char **);
-void quote (int, char **);
-void quote1 (char *, int, char **);
-void recvrequest (char *, char *, char *, char *, int, int);
-void reget (int, char **);
-char *remglob (char **, int);
-void removedir (int, char **);
-void renamefile (int, char **);
-void reset (int, char **);
-void restart (int, char **);
-void rmthelp (int, char **);
-void rmtstatus (int, char **);
-int ruserpass (char *, char **, char **, char **);
-void sendrequest (char *, char *, char *, char *, int);
-void setascii (int, char **);
-void setbell (int, char **);
-void setbinary (int, char **);
-void setcase (int, char **);
-void setcr (int, char **);
-void setdebug (int, char **);
-void setform (int, char **);
-void setftmode (int, char **);
-void setglob (int, char **);
-void sethash (int, char **);
-void setnmap (int, char **);
-void setntrans (int, char **);
-void setpassive (int, char **);
-void setpeer (int, char **);
-void setport (int, char **);
-void setprompt (int, char **);
-void setrunique (int, char **);
-void setstruct (int, char **);
-void setsunique (int, char **);
-void settenex (int, char **);
-void settrace (int, char **);
-void settype (int, char **);
-void setverbose (int, char **);
-void shell (int, char **);
-void site (int, char **);
-void sizecmd (int, char **);
-char *slurpstring (void);
-void status (int, char **);
-void syst (int, char **);
-void tvsub (struct timeval *, struct timeval *, struct timeval *);
-void user (int, char **);
-
-extern jmp_buf abortprox;
-extern int abrtflag;
-extern struct cmd cmdtab[];
-extern FILE *cout;
-extern int data;
-extern char *home;
-extern jmp_buf jabort;
-extern int proxy;
-extern char reply_string[];
-extern off_t restart_point;
-extern int NCMDS;
-
-extern char username[32];
-extern char myhostname[];
-extern char *mydomain;
-
-void afslog (int, char **);
-void kauth (int, char **);
-void kdestroy (int, char **);
-void klist (int, char **);
-void krbtkfile (int, char **);
diff --git a/crypto/heimdal-0.6.3/appl/ftp/ftp/ftp.1 b/crypto/heimdal-0.6.3/appl/ftp/ftp/ftp.1
deleted file mode 100644
index 282aab82bf..0000000000
--- a/crypto/heimdal-0.6.3/appl/ftp/ftp/ftp.1
+++ /dev/null
@@ -1,1201 +0,0 @@
-.\" $NetBSD: ftp.1,v 1.11 1995/09/08 01:06:24 tls Exp $
-.\"
-.\" Copyright (c) 1985, 1989, 1990, 1993
-.\" The Regents of the University of California. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\" 3. All advertising materials mentioning features or use of this software
-.\" must display the following acknowledgement:
-.\" This product includes software developed by the University of
-.\" California, Berkeley and its contributors.
-.\" 4. Neither the name of the University nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" @(#)ftp.1 8.3 (Berkeley) 10/9/94
-.\"
-.Dd April 27, 1996
-.Dt FTP 1
-.Os BSD 4.2
-.Sh NAME
-.Nm ftp
-.Nd
-.Tn ARPANET
-file transfer program
-.Sh SYNOPSIS
-.Nm ftp
-.Op Fl t
-.Op Fl v
-.Op Fl d
-.Op Fl i
-.Op Fl n
-.Op Fl g
-.Op Fl p
-.Op Fl l
-.Op Fl -no-gss-bindings
-.Op Ar host
-.Sh DESCRIPTION
-.Nm Ftp
-is the user interface to the
-.Tn ARPANET
-standard File Transfer Protocol.
-The program allows a user to transfer files to and from a
-remote network site.
-.Pp
-Modifications has been made so that it almost follows the ftpsec
-Internet draft.
-.Pp
-Options may be specified at the command line, or to the
-command interpreter.
-.Bl -tag -width flag
-.It Fl t
-Enables packet tracing.
-.It Fl v
-Verbose option forces
-.Nm ftp
-to show all responses from the remote server, as well
-as report on data transfer statistics.
-.It Fl n
-Restrains
-.Nm ftp
-from attempting \*(Lqauto-login\*(Rq upon initial connection.
-If auto-login is enabled,
-.Nm ftp
-will check the
-.Pa .netrc
-(see below) file in the user's home directory for an entry describing
-an account on the remote machine.
-If no entry exists,
-.Nm ftp
-will prompt for the remote machine login name (default is the user
-identity on the local machine), and, if necessary, prompt for a password
-and an account with which to login.
-.It Fl i
-Turns off interactive prompting during
-multiple file transfers.
-.It Fl p
-Turn on passive mode.
-.It Fl d
-Enables debugging.
-.It Fl g
-Disables file name globbing.
-.It Fl -no-gss-bindings
-use GSS-API bindings when talking to peer (ie make sure IP addresses match).
-.It Fl l
-Disables command line editing.
-.El
-.Pp
-The client host with which
-.Nm ftp
-is to communicate may be specified on the command line.
-If this is done,
-.Nm ftp
-will immediately attempt to establish a connection to an
-.Tn FTP
-server on that host; otherwise,
-.Nm ftp
-will enter its command interpreter and await instructions
-from the user.
-When
-.Nm ftp
-is awaiting commands from the user the prompt
-.Ql ftp\*[Gt]
-is provided to the user.
-The following commands are recognized
-by
-.Nm ftp :
-.Bl -tag -width Fl
-.It Ic \&! Op Ar command Op Ar args
-Invoke an interactive shell on the local machine.
-If there are arguments, the first is taken to be a command to execute
-directly, with the rest of the arguments as its arguments.
-.It Ic \&$ Ar macro-name Op Ar args
-Execute the macro
-.Ar macro-name
-that was defined with the
-.Ic macdef
-command.
-Arguments are passed to the macro unglobbed.
-.It Ic account Op Ar passwd
-Supply a supplemental password required by a remote system for access
-to resources once a login has been successfully completed.
-If no argument is included, the user will be prompted for an account
-password in a non-echoing input mode.
-.It Ic append Ar local-file Op Ar remote-file
-Append a local file to a file on the remote machine.
-If
-.Ar remote-file
-is left unspecified, the local file name is used in naming the
-remote file after being altered by any
-.Ic ntrans
-or
-.Ic nmap
-setting.
-File transfer uses the current settings for
-.Ic type ,
-.Ic format ,
-.Ic mode ,
-and
-.Ic structure .
-.It Ic ascii
-Set the file transfer
-.Ic type
-to network
-.Tn ASCII .
-This is the default type.
-.It Ic bell
-Arrange that a bell be sounded after each file transfer
-command is completed.
-.It Ic binary
-Set the file transfer
-.Ic type
-to support binary image transfer.
-.It Ic bye
-Terminate the
-.Tn FTP
-session with the remote server
-and exit
-.Nm ftp .
-An end of file will also terminate the session and exit.
-.It Ic case
-Toggle remote computer file name case mapping during
-.Ic mget
-commands.
-When
-.Ic case
-is on (default is off), remote computer file names with all letters in
-upper case are written in the local directory with the letters mapped
-to lower case.
-.It Ic \&cd Ar remote-directory
-Change the working directory on the remote machine
-to
-.Ar remote-directory .
-.It Ic cdup
-Change the remote machine working directory to the parent of the
-current remote machine working directory.
-.It Ic chmod Ar mode file-name
-Change the permission modes of the file
-.Ar file-name
-on the remote
-sytem to
-.Ar mode .
-.It Ic close
-Terminate the
-.Tn FTP
-session with the remote server, and
-return to the command interpreter.
-Any defined macros are erased.
-.It Ic \&cr
-Toggle carriage return stripping during
-ascii type file retrieval.
-Records are denoted by a carriage return/linefeed sequence
-during ascii type file transfer.
-When
-.Ic \&cr
-is on (the default), carriage returns are stripped from this
-sequence to conform with the
-.Ux
-single linefeed record
-delimiter.
-Records on
-.Pf non\- Ns Ux
-remote systems may contain single linefeeds;
-when an ascii type transfer is made, these linefeeds may be
-distinguished from a record delimiter only when
-.Ic \&cr
-is off.
-.It Ic delete Ar remote-file
-Delete the file
-.Ar remote-file
-on the remote machine.
-.It Ic debug Op Ar debug-value
-Toggle debugging mode.
-If an optional
-.Ar debug-value
-is specified it is used to set the debugging level.
-When debugging is on,
-.Nm ftp
-prints each command sent to the remote machine, preceded
-by the string
-.Ql \-\-\*[Gt]
-.It Xo
-.Ic dir
-.Op Ar remote-directory
-.Op Ar local-file
-.Xc
-Print a listing of the directory contents in the
-directory,
-.Ar remote-directory ,
-and, optionally, placing the output in
-.Ar local-file .
-If interactive prompting is on,
-.Nm ftp
-will prompt the user to verify that the last argument is indeed the
-target local file for receiving
-.Ic dir
-output.
-If no directory is specified, the current working
-directory on the remote machine is used.
-If no local
-file is specified, or
-.Ar local-file
-is
-.Fl ,
-output comes to the terminal.
-.It Ic disconnect
-A synonym for
-.Ar close .
-.It Ic form Ar format
-Set the file transfer
-.Ic form
-to
-.Ar format .
-The default format is \*(Lqfile\*(Rq.
-.It Ic get Ar remote-file Op Ar local-file -Retrieve the -.Ar remote-file -and store it on the local machine. -If the local -file name is not specified, it is given the same -name it has on the remote machine, subject to -alteration by the current -.Ic case , -.Ic ntrans , -and -.Ic nmap -settings. -The current settings for -.Ic type , -.Ic form , -.Ic mode , -and -.Ic structure -are used while transferring the file. -.It Ic glob -Toggle filename expansion for -.Ic mdelete , -.Ic mget -and -.Ic mput . -If globbing is turned off with -.Ic glob , -the file name arguments -are taken literally and not expanded. -Globbing for -.Ic mput -is done as in -.Xr csh 1 . -For -.Ic mdelete -and -.Ic mget , -each remote file name is expanded -separately on the remote machine and the lists are not merged. -Expansion of a directory name is likely to be -different from expansion of the name of an ordinary file: -the exact result depends on the foreign operating system and ftp server, -and can be previewed by doing -.Ql mls remote-files \- . -As a security measure, remotely globbed files that starts with -.Sq / -or contains -.Sq ../ , -will not be automatically received. If you have interactive prompting -turned off, these filenames will be ignored. Note: -.Ic mget -and -.Ic mput -are not meant to transfer -entire directory subtrees of files. -That can be done by -transferring a -.Xr tar 1 -archive of the subtree (in binary mode). -.It Ic hash -Toggle hash-sign (``#'') printing for each data block -transferred. -The size of a data block is 1024 bytes. -.It Ic help Op Ar command -Print an informative message about the meaning of -.Ar command . -If no argument is given, -.Nm ftp -prints a list of the known commands. -.It Ic idle Op Ar seconds -Set the inactivity timer on the remote server to -.Ar seconds -seconds. -If -.Ar seconds -is omitted, the current inactivity timer is printed. -.It Ic lcd Op Ar directory -Change the working directory on the local machine. 
-If -no -.Ar directory -is specified, the user's home directory is used. -.It Xo -.Ic \&ls -.Op Ar remote-directory -.Op Ar local-file -.Xc -Print a listing of the contents of a -directory on the remote machine. -The listing includes any system-dependent information that the server -chooses to include; for example, most -.Ux -systems will produce -output from the command -.Ql ls \-l . -(See also -.Ic nlist . ) -If -.Ar remote-directory -is left unspecified, the current working directory is used. -If interactive prompting is on, -.Nm ftp -will prompt the user to verify that the last argument is indeed the -target local file for receiving -.Ic \&ls -output. -If no local file is specified, or if -.Ar local-file -is -.Sq Fl , -the output is sent to the terminal. -.It Ic macdef Ar macro-name -Define a macro. -Subsequent lines are stored as the macro -.Ar macro-name ; -a null line (consecutive newline characters -in a file or -carriage returns from the terminal) terminates macro input mode. -There is a limit of 16 macros and 4096 total characters in all -defined macros. -Macros remain defined until a -.Ic close -command is executed. -The macro processor interprets `$' and `\e' as special characters. -A `$' followed by a number (or numbers) is replaced by the -corresponding argument on the macro invocation command line. -A `$' followed by an `i' signals that macro processor that the -executing macro is to be looped. -On the first pass `$i' is -replaced by the first argument on the macro invocation command line, -on the second pass it is replaced by the second argument, and so on. -A `\e' followed by any character is replaced by that character. -Use the `\e' to prevent special treatment of the `$'. -.It Ic mdelete Op Ar remote-files -Delete the -.Ar remote-files -on the remote machine. -.It Ic mdir Ar remote-files local-file -Like -.Ic dir , -except multiple remote files may be specified. 
-If interactive prompting is on, -.Nm ftp -will prompt the user to verify that the last argument is indeed the -target local file for receiving -.Ic mdir -output. -.It Ic mget Ar remote-files -Expand the -.Ar remote-files -on the remote machine -and do a -.Ic get -for each file name thus produced. -See -.Ic glob -for details on the filename expansion. -Resulting file names will then be processed according to -.Ic case , -.Ic ntrans , -and -.Ic nmap -settings. -Files are transferred into the local working directory, -which can be changed with -.Ql lcd directory ; -new local directories can be created with -.Ql "\&! mkdir directory" . -.It Ic mkdir Ar directory-name -Make a directory on the remote machine. -.It Ic mls Ar remote-files local-file -Like -.Ic nlist , -except multiple remote files may be specified, -and the -.Ar local-file -must be specified. -If interactive prompting is on, -.Nm ftp -will prompt the user to verify that the last argument is indeed the -target local file for receiving -.Ic mls -output. -.It Ic mode Op Ar mode-name -Set the file transfer -.Ic mode -to -.Ar mode-name . -The default mode is \*(Lqstream\*(Rq mode. -.It Ic modtime Ar file-name -Show the last modification time of the file on the remote machine. -.It Ic mput Ar local-files -Expand wild cards in the list of local files given as arguments -and do a -.Ic put -for each file in the resulting list. -See -.Ic glob -for details of filename expansion. -Resulting file names will then be processed according to -.Ic ntrans -and -.Ic nmap -settings. -.It Ic newer Ar file-name -Get the file only if the modification time of the remote file is more -recent that the file on the current system. -If the file does not -exist on the current system, the remote file is considered -.Ic newer . -Otherwise, this command is identical to -.Ar get . -.It Xo -.Ic nlist -.Op Ar remote-directory -.Op Ar local-file -.Xc -Print a list of the files in a -directory on the remote machine. 
-If -.Ar remote-directory -is left unspecified, the current working directory is used. -If interactive prompting is on, -.Nm ftp -will prompt the user to verify that the last argument is indeed the -target local file for receiving -.Ic nlist -output. -If no local file is specified, or if -.Ar local-file -is -.Fl , -the output is sent to the terminal. -.It Ic nmap Op Ar inpattern outpattern -Set or unset the filename mapping mechanism. -If no arguments are specified, the filename mapping mechanism is unset. -If arguments are specified, remote filenames are mapped during -.Ic mput -commands and -.Ic put -commands issued without a specified remote target filename. -If arguments are specified, local filenames are mapped during -.Ic mget -commands and -.Ic get -commands issued without a specified local target filename. -This command is useful when connecting to a -.No non\- Ns Ux -remote computer -with different file naming conventions or practices. -The mapping follows the pattern set by -.Ar inpattern -and -.Ar outpattern . -.Op Ar Inpattern -is a template for incoming filenames (which may have already been -processed according to the -.Ic ntrans -and -.Ic case -settings). -Variable templating is accomplished by including the -sequences `$1', `$2', ..., `$9' in -.Ar inpattern . -Use `\\' to prevent this special treatment of the `$' character. -All other characters are treated literally, and are used to determine the -.Ic nmap -.Op Ar inpattern -variable values. -For example, given -.Ar inpattern -$1.$2 and the remote file name "mydata.data", $1 would have the value -"mydata", and $2 would have the value "data". -The -.Ar outpattern -determines the resulting mapped filename. -The sequences `$1', `$2', ...., `$9' are replaced by any value resulting -from the -.Ar inpattern -template. -The sequence `$0' is replace by the original filename. 
-Additionally, the sequence -.Ql Op Ar seq1 , Ar seq2 -is replaced by -.Op Ar seq1 -if -.Ar seq1 -is not a null string; otherwise it is replaced by -.Ar seq2 . -For example, the command -.Pp -.Bd -literal -offset indent -compact -nmap $1.$2.$3 [$1,$2].[$2,file] -.Ed -.Pp -would yield -the output filename "myfile.data" for input filenames "myfile.data" and -"myfile.data.old", "myfile.file" for the input filename "myfile", and -"myfile.myfile" for the input filename ".myfile". -Spaces may be included in -.Ar outpattern , -as in the example: `nmap $1 sed "s/ *$//" \*[Gt] $1' . -Use the `\e' character to prevent special treatment -of the `$','[','[', and `,' characters. -.It Ic ntrans Op Ar inchars Op Ar outchars -Set or unset the filename character translation mechanism. -If no arguments are specified, the filename character -translation mechanism is unset. -If arguments are specified, characters in -remote filenames are translated during -.Ic mput -commands and -.Ic put -commands issued without a specified remote target filename. -If arguments are specified, characters in -local filenames are translated during -.Ic mget -commands and -.Ic get -commands issued without a specified local target filename. -This command is useful when connecting to a -.No non\- Ns Ux -remote computer -with different file naming conventions or practices. -Characters in a filename matching a character in -.Ar inchars -are replaced with the corresponding character in -.Ar outchars . -If the character's position in -.Ar inchars -is longer than the length of -.Ar outchars , -the character is deleted from the file name. -.It Ic open Ar host Op Ar port -Establish a connection to the specified -.Ar host -.Tn FTP -server. -An optional port number may be supplied, -in which case, -.Nm ftp -will attempt to contact an -.Tn FTP -server at that port. -If the -.Ic auto-login -option is on (default), -.Nm ftp -will also attempt to automatically log the user in to -the -.Tn FTP -server (see below). 
-.It Ic passive -Toggle passive mode. If passive mode is turned on -(default is off), the ftp client will -send a -.Dv PASV -command for all data connections instead of the usual -.Dv PORT -command. The -.Dv PASV -command requests that the remote server open a port for the data connection -and return the address of that port. The remote server listens on that -port and the client connects to it. When using the more traditional -.Dv PORT -command, the client listens on a port and sends that address to the remote -server, who connects back to it. Passive mode is useful when using -.Nm ftp -through a gateway router or host that controls the directionality of -traffic. -(Note that though ftp servers are required to support the -.Dv PASV -command by RFC 1123, some do not.) -.It Ic prompt -Toggle interactive prompting. -Interactive prompting -occurs during multiple file transfers to allow the -user to selectively retrieve or store files. -If prompting is turned off (default is on), any -.Ic mget -or -.Ic mput -will transfer all files, and any -.Ic mdelete -will delete all files. -.It Ic proxy Ar ftp-command -Execute an ftp command on a secondary control connection. -This command allows simultaneous connection to two remote ftp -servers for transferring files between the two servers. -The first -.Ic proxy -command should be an -.Ic open , -to establish the secondary control connection. -Enter the command "proxy ?" to see other ftp commands executable on the -secondary connection. -The following commands behave differently when prefaced by -.Ic proxy : -.Ic open -will not define new macros during the auto-login process, -.Ic close -will not erase existing macro definitions, -.Ic get -and -.Ic mget -transfer files from the host on the primary control connection -to the host on the secondary control connection, and -.Ic put , -.Ic mput , -and -.Ic append -transfer files from the host on the secondary control connection -to the host on the primary control connection. 
-Third party file transfers depend upon support of the ftp protocol -.Dv PASV -command by the server on the secondary control connection. -.It Ic put Ar local-file Op Ar remote-file -Store a local file on the remote machine. -If -.Ar remote-file -is left unspecified, the local file name is used -after processing according to any -.Ic ntrans -or -.Ic nmap -settings -in naming the remote file. -File transfer uses the -current settings for -.Ic type , -.Ic format , -.Ic mode , -and -.Ic structure . -.It Ic pwd -Print the name of the current working directory on the remote -machine. -.It Ic quit -A synonym for -.Ic bye . -.It Ic quote Ar arg1 arg2 ... -The arguments specified are sent, verbatim, to the remote -.Tn FTP -server. -.It Ic recv Ar remote-file Op Ar local-file -A synonym for get. -.It Ic reget Ar remote-file Op Ar local-file -Reget acts like get, except that if -.Ar local-file -exists and is -smaller than -.Ar remote-file , -.Ar local-file -is presumed to be -a partially transferred copy of -.Ar remote-file -and the transfer -is continued from the apparent point of failure. -This command -is useful when transferring very large files over networks that -are prone to dropping connections. -.It Ic remotehelp Op Ar command-name -Request help from the remote -.Tn FTP -server. -If a -.Ar command-name -is specified it is supplied to the server as well. -.It Ic remotestatus Op Ar file-name -With no arguments, show status of remote machine. -If -.Ar file-name -is specified, show status of -.Ar file-name -on remote machine. -.It Xo -.Ic rename -.Op Ar from -.Op Ar to -.Xc -Rename the file -.Ar from -on the remote machine, to the file -.Ar to . -.It Ic reset -Clear reply queue. -This command re-synchronizes command/reply sequencing with the remote -ftp server. -Resynchronization may be necessary following a violation of the ftp protocol -by the remote server. 
-.It Ic restart Ar marker -Restart the immediately following -.Ic get -or -.Ic put -at the -indicated -.Ar marker . -On -.Ux -systems, marker is usually a byte -offset into the file. -.It Ic rmdir Ar directory-name -Delete a directory on the remote machine. -.It Ic runique -Toggle storing of files on the local system with unique filenames. -If a file already exists with a name equal to the target -local filename for a -.Ic get -or -.Ic mget -command, a ".1" is appended to the name. -If the resulting name matches another existing file, -a ".2" is appended to the original name. -If this process continues up to ".99", an error -message is printed, and the transfer does not take place. -The generated unique filename will be reported. -Note that -.Ic runique -will not affect local files generated from a shell command -(see below). -The default value is off. -.It Ic send Ar local-file Op Ar remote-file -A synonym for put. -.It Ic sendport -Toggle the use of -.Dv PORT -commands. -By default, -.Nm ftp -will attempt to use a -.Dv PORT -command when establishing -a connection for each data transfer. -The use of -.Dv PORT -commands can prevent delays -when performing multiple file transfers. -If the -.Dv PORT -command fails, -.Nm ftp -will use the default data port. -When the use of -.Dv PORT -commands is disabled, no attempt will be made to use -.Dv PORT -commands for each data transfer. -This is useful -for certain -.Tn FTP -implementations which do ignore -.Dv PORT -commands but, incorrectly, indicate they've been accepted. -.It Ic site Ar arg1 arg2 ... -The arguments specified are sent, verbatim, to the remote -.Tn FTP -server as a -.Dv SITE -command. -.It Ic size Ar file-name -Return size of -.Ar file-name -on remote machine. -.It Ic status -Show the current status of -.Nm ftp . -.It Ic struct Op Ar struct-name -Set the file transfer -.Ar structure -to -.Ar struct-name . -By default \*(Lqstream\*(Rq structure is used. 
-.It Ic sunique -Toggle storing of files on remote machine under unique file names. -Remote ftp server must support ftp protocol -.Dv STOU -command for -successful completion. -The remote server will report unique name. -Default value is off. -.It Ic system -Show the type of operating system running on the remote machine. -.It Ic tenex -Set the file transfer type to that needed to -talk to -.Tn TENEX -machines. -.It Ic trace -Toggle packet tracing. -.It Ic type Op Ar type-name -Set the file transfer -.Ic type -to -.Ar type-name . -If no type is specified, the current type -is printed. -The default type is network -.Tn ASCII . -.It Ic umask Op Ar newmask -Set the default umask on the remote server to -.Ar newmask . -If -.Ar newmask -is omitted, the current umask is printed. -.It Xo -.Ic user Ar user-name -.Op Ar password -.Op Ar account -.Xc -Identify yourself to the remote -.Tn FTP -server. -If the -.Ar password -is not specified and the server requires it, -.Nm ftp -will prompt the user for it (after disabling local echo). -If an -.Ar account -field is not specified, and the -.Tn FTP -server -requires it, the user will be prompted for it. -If an -.Ar account -field is specified, an account command will -be relayed to the remote server after the login sequence -is completed if the remote server did not require it -for logging in. -Unless -.Nm ftp -is invoked with \*(Lqauto-login\*(Rq disabled, this -process is done automatically on initial connection to -the -.Tn FTP -server. -.It Ic verbose -Toggle verbose mode. -In verbose mode, all responses from -the -.Tn FTP -server are displayed to the user. -In addition, -if verbose is on, when a file transfer completes, statistics -regarding the efficiency of the transfer are reported. -By default, -verbose is on. -.It Ic \&? Op Ar command -A synonym for help. -.El -.Pp -The following command can be used with ftpsec-aware servers. 
-.Bl -tag -width Fl -.It Xo -.Ic prot -.Ar clear | -.Ar safe | -.Ar confidential | -.Ar private -.Xc -Set the data protection level to the requested level. -.El -.Pp -The following command can be used with ftp servers that has -implemented the KAUTH site command. -.Bl -tag -width Fl -.It Ic kauth Op Ar principal -Obtain remote tickets. -.El -.Pp -Command arguments which have embedded spaces may be quoted with -quote `"' marks. -.Sh ABORTING A FILE TRANSFER -To abort a file transfer, use the terminal interrupt key -(usually Ctrl-C). -Sending transfers will be immediately halted. -Receiving transfers will be halted by sending a ftp protocol -.Dv ABOR -command to the remote server, and discarding any further data received. -The speed at which this is accomplished depends upon the remote -server's support for -.Dv ABOR -processing. -If the remote server does not support the -.Dv ABOR -command, an -.Ql ftp\*[Gt] -prompt will not appear until the remote server has completed -sending the requested file. -.Pp -The terminal interrupt key sequence will be ignored when -.Nm ftp -has completed any local processing and is awaiting a reply -from the remote server. -A long delay in this mode may result from the ABOR processing described -above, or from unexpected behavior by the remote server, including -violations of the ftp protocol. -If the delay results from unexpected remote server behavior, the local -.Nm ftp -program must be killed by hand. -.Sh FILE NAMING CONVENTIONS -Files specified as arguments to -.Nm ftp -commands are processed according to the following rules. -.Bl -enum -.It -If the file name -.Sq Fl -is specified, the -.Ar stdin -(for reading) or -.Ar stdout -(for writing) is used. -.It -If the first character of the file name is -.Sq \&| , -the -remainder of the argument is interpreted as a shell command. -.Nm Ftp -then forks a shell, using -.Xr popen 3 -with the argument supplied, and reads (writes) from the stdout -(stdin). 
-If the shell command includes spaces, the argument -must be quoted; e.g. -\*(Lq" ls -lt"\*(Rq. -A particularly -useful example of this mechanism is: \*(Lqdir more\*(Rq. -.It -Failing the above checks, if ``globbing'' is enabled, -local file names are expanded -according to the rules used in the -.Xr csh 1 ; -c.f. the -.Ic glob -command. -If the -.Nm ftp -command expects a single local file (.e.g. -.Ic put ) , -only the first filename generated by the "globbing" operation is used. -.It -For -.Ic mget -commands and -.Ic get -commands with unspecified local file names, the local filename is -the remote filename, which may be altered by a -.Ic case , -.Ic ntrans , -or -.Ic nmap -setting. -The resulting filename may then be altered if -.Ic runique -is on. -.It -For -.Ic mput -commands and -.Ic put -commands with unspecified remote file names, the remote filename is -the local filename, which may be altered by a -.Ic ntrans -or -.Ic nmap -setting. -The resulting filename may then be altered by the remote server if -.Ic sunique -is on. -.El -.Sh FILE TRANSFER PARAMETERS -The FTP specification specifies many parameters which may -affect a file transfer. -The -.Ic type -may be one of \*(Lqascii\*(Rq, \*(Lqimage\*(Rq (binary), -\*(Lqebcdic\*(Rq, and \*(Lqlocal byte size\*(Rq (for -.Tn PDP Ns -10's -and -.Tn PDP Ns -20's -mostly). -.Nm Ftp -supports the ascii and image types of file transfer, -plus local byte size 8 for -.Ic tenex -mode transfers. -.Pp -.Nm Ftp -supports only the default values for the remaining -file transfer parameters: -.Ic mode , -.Ic form , -and -.Ic struct . -.Sh THE .netrc FILE -The -.Pa .netrc -file contains login and initialization information -used by the auto-login process. -It resides in the user's home directory. -The following tokens are recognized; they may be separated by spaces, -tabs, or new-lines: -.Bl -tag -width password -.It Ic machine Ar name -Identify a remote machine -.Ar name . 
-The auto-login process searches the -.Pa .netrc -file for a -.Ic machine -token that matches the remote machine specified on the -.Nm ftp -command line or as an -.Ic open -command argument. -Once a match is made, the subsequent -.Pa .netrc -tokens are processed, -stopping when the end of file is reached or another -.Ic machine -or a -.Ic default -token is encountered. -.It Ic default -This is the same as -.Ic machine -.Ar name -except that -.Ic default -matches any name. -There can be only one -.Ic default -token, and it must be after all -.Ic machine -tokens. -This is normally used as: -.Pp -.Dl default login anonymous password user@site -.Pp -thereby giving the user -.Ar automatic -anonymous ftp login to -machines not specified in -.Pa .netrc . -This can be overridden -by using the -.Fl n -flag to disable auto-login. -.It Ic login Ar name -Identify a user on the remote machine. -If this token is present, the auto-login process will initiate -a login using the specified -.Ar name . -.It Ic password Ar string -Supply a password. -If this token is present, the auto-login process will supply the -specified string if the remote server requires a password as part -of the login process. -Note that if this token is present in the -.Pa .netrc -file for any user other -than -.Ar anonymous , -.Nm ftp -will abort the auto-login process if the -.Pa .netrc -is readable by -anyone besides the user. -.It Ic account Ar string -Supply an additional account password. -If this token is present, the auto-login process will supply the -specified string if the remote server requires an additional -account password, or the auto-login process will initiate an -.Dv ACCT -command if it does not. -.It Ic macdef Ar name -Define a macro. -This token functions like the -.Nm ftp -.Ic macdef -command functions. -A macro is defined with the specified name; its contents begin with the -next -.Pa .netrc -line and continue until a null line (consecutive new-line -characters) is encountered. 
-If a macro named -.Ic init -is defined, it is automatically executed as the last step in the -auto-login process. -.El -.Sh ENVIRONMENT -.Nm Ftp -uses the following environment variables. -.Bl -tag -width Fl -.It Ev HOME -For default location of a -.Pa .netrc -file, if one exists. -.It Ev SHELL -For default shell. -.El -.Sh SEE ALSO -.Xr ftpd 8 -.Rs -.%T RFC2228 -.Re -.Sh HISTORY -The -.Nm ftp -command appeared in -.Bx 4.2 . -.Sh BUGS -Correct execution of many commands depends upon proper behavior -by the remote server. -.Pp -An error in the treatment of carriage returns -in the -.Bx 4.2 -ascii-mode transfer code -has been corrected. -This correction may result in incorrect transfers of binary files -to and from -.Bx 4.2 -servers using the ascii type. -Avoid this problem by using the binary image type. diff --git a/crypto/heimdal-0.6.3/appl/ftp/ftp/ftp.c b/crypto/heimdal-0.6.3/appl/ftp/ftp/ftp.c deleted file mode 100644 index a6cb90e819..0000000000 --- a/crypto/heimdal-0.6.3/appl/ftp/ftp/ftp.c +++ /dev/null 
@@ -1,1775 +0,0 @@ -/* - * Copyright (c) 1985, 1989, 1993, 1994 - * The Regents of the University of California. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "ftp_locl.h" -RCSID ("$Id: ftp.c,v 1.75.2.1 2004/08/20 14:59:06 lha Exp $"); - -struct sockaddr_storage hisctladdr_ss; -struct sockaddr *hisctladdr = (struct sockaddr *)&hisctladdr_ss; -struct sockaddr_storage data_addr_ss; -struct sockaddr *data_addr = (struct sockaddr *)&data_addr_ss; -struct sockaddr_storage myctladdr_ss; -struct sockaddr *myctladdr = (struct sockaddr *)&myctladdr_ss; -int data = -1; -int abrtflag = 0; -jmp_buf ptabort; -int ptabflg; -int ptflag = 0; -off_t restart_point = 0; - - -FILE *cin, *cout; - -typedef void (*sighand) (int); - -char * -hookup (const char *host, int port) -{ - static char hostnamebuf[MaxHostNameLen]; - struct addrinfo *ai, *a; - struct addrinfo hints; - int error; - char portstr[NI_MAXSERV]; - socklen_t len; - int s; - - memset (&hints, 0, sizeof(hints)); - hints.ai_socktype = SOCK_STREAM; - hints.ai_protocol = IPPROTO_TCP; - hints.ai_flags = AI_CANONNAME; - - snprintf (portstr, sizeof(portstr), "%u", ntohs(port)); - - error = getaddrinfo (host, portstr, &hints, &ai); - if (error) { - warnx ("%s: %s", host, gai_strerror(error)); - code = -1; - return NULL; - } - strlcpy (hostnamebuf, host, sizeof(hostnamebuf)); - hostname = hostnamebuf; - - for (a = ai; a != NULL; a = a->ai_next) { - s = socket (a->ai_family, a->ai_socktype, a->ai_protocol); - if (s < 0) - continue; - - if (a->ai_canonname != NULL) - strlcpy (hostnamebuf, a->ai_canonname, sizeof(hostnamebuf)); - - memcpy (hisctladdr, a->ai_addr, a->ai_addrlen); - - error = connect (s, a->ai_addr, a->ai_addrlen); - if (error < 0) { - char addrstr[256]; - - if (getnameinfo (a->ai_addr, a->ai_addrlen, - addrstr, sizeof(addrstr), - NULL, 0, NI_NUMERICHOST) != 0) - strlcpy (addrstr, "unknown address", sizeof(addrstr)); - - warn ("connect %s", addrstr); - close (s); - continue; - } - break; - } - freeaddrinfo (ai); - if (error < 0) { - warnx ("failed to contact %s", host); - code = -1; - return NULL; - } - - len = sizeof(myctladdr_ss); - if (getsockname (s, 
myctladdr, &len) < 0) { - warn ("getsockname"); - code = -1; - close (s); - return NULL; - } -#ifdef IPTOS_LOWDELAY - socket_set_tos (s, IPTOS_LOWDELAY); -#endif - cin = fdopen (s, "r"); - cout = fdopen (s, "w"); - if (cin == NULL || cout == NULL) { - warnx ("fdopen failed."); - if (cin) - fclose (cin); - if (cout) - fclose (cout); - code = -1; - goto bad; - } - if (verbose) - printf ("Connected to %s.\n", hostname); - if (getreply (0) > 2) { /* read startup message from server */ - if (cin) - fclose (cin); - if (cout) - fclose (cout); - code = -1; - goto bad; - } -#if defined(SO_OOBINLINE) && defined(HAVE_SETSOCKOPT) - { - int on = 1; - - if (setsockopt (s, SOL_SOCKET, SO_OOBINLINE, (char *) &on, sizeof (on)) - < 0 && debug) { - warn ("setsockopt"); - } - } -#endif /* SO_OOBINLINE */ - - return (hostname); -bad: - close (s); - return NULL; -} - -int -login (char *host) -{ - char tmp[80]; - char defaultpass[128]; - char *user, *pass, *acct; - int n, aflag = 0; - - char *myname = NULL; - struct passwd *pw = k_getpwuid(getuid()); - - if (pw != NULL) - myname = pw->pw_name; - - user = pass = acct = 0; - - if(sec_login(host)) - printf("\n*** Using plaintext user and password ***\n\n"); - else{ - printf("Authentication successful.\n\n"); - } - - if (ruserpass (host, &user, &pass, &acct) < 0) { - code = -1; - return (0); - } - while (user == NULL) { - if (myname) - printf ("Name (%s:%s): ", host, myname); - else - printf ("Name (%s): ", host); - *tmp = '\0'; - if (fgets (tmp, sizeof (tmp) - 1, stdin) != NULL) - tmp[strlen (tmp) - 1] = '\0'; - if (*tmp == '\0') - user = myname; - else - user = tmp; - } - strlcpy(username, user, sizeof(username)); - n = command("USER %s", user); - if (n == COMPLETE) - n = command("PASS dummy"); /* DK: Compatibility with gssftp daemon */ - else if(n == CONTINUE) { - if (pass == NULL) { - char prompt[128]; - if(myname && - (!strcmp(user, "ftp") || !strcmp(user, "anonymous"))) { - snprintf(defaultpass, sizeof(defaultpass), - "%s@%s", myname, 
mydomain); - snprintf(prompt, sizeof(prompt), - "Password (%s): ", defaultpass); - } else if (sec_complete) { - pass = myname; - } else { - *defaultpass = '\0'; - snprintf(prompt, sizeof(prompt), "Password: "); - } - if (pass == NULL) { - pass = defaultpass; - des_read_pw_string (tmp, sizeof (tmp), prompt, 0); - if (tmp[0]) - pass = tmp; - } - } - n = command ("PASS %s", pass); - } - if (n == CONTINUE) { - aflag++; - acct = tmp; - des_read_pw_string (acct, 128, "Account:", 0); - n = command ("ACCT %s", acct); - } - if (n != COMPLETE) { - warnx ("Login failed."); - return (0); - } - if (!aflag && acct != NULL) - command ("ACCT %s", acct); - if (proxy) - return (1); - for (n = 0; n < macnum; ++n) { - if (!strcmp("init", macros[n].mac_name)) { - strlcpy (line, "$init", sizeof (line)); - makeargv(); - domacro(margc, margv); - break; - } - } - sec_set_protection_level (); - return (1); -} - -void -cmdabort (int sig) -{ - - printf ("\n"); - fflush (stdout); - abrtflag++; - if (ptflag) - longjmp (ptabort, 1); -} - -int -command (char *fmt,...) 
-{ - va_list ap; - int r; - sighand oldintr; - - abrtflag = 0; - if (cout == NULL) { - warn ("No control connection for command"); - code = -1; - return (0); - } - oldintr = signal(SIGINT, cmdabort); - if(debug){ - printf("---> "); - if (strncmp("PASS ", fmt, 5) == 0) - printf("PASS XXXX"); - else { - va_start(ap, fmt); - vfprintf(stdout, fmt, ap); - va_end(ap); - } - } - va_start(ap, fmt); - sec_vfprintf(cout, fmt, ap); - va_end(ap); - if(debug){ - printf("\n"); - fflush(stdout); - } - fprintf (cout, "\r\n"); - fflush (cout); - cpend = 1; - r = getreply (!strcmp (fmt, "QUIT")); - if (abrtflag && oldintr != SIG_IGN) - (*oldintr) (SIGINT); - signal (SIGINT, oldintr); - return (r); -} - -char reply_string[BUFSIZ]; /* last line of previous reply */ - -int -getreply (int expecteof) -{ - char *p; - char *lead_string; - int c; - struct sigaction sa, osa; - char buf[8192]; - int reply_code; - int long_warn = 0; - - sigemptyset (&sa.sa_mask); - sa.sa_flags = 0; - sa.sa_handler = cmdabort; - sigaction (SIGINT, &sa, &osa); - - p = buf; - - reply_code = 0; - while (1) { - c = getc (cin); - switch (c) { - case EOF: - if (expecteof) { - sigaction (SIGINT, &osa, NULL); - code = 221; - return 0; - } - lostpeer (0); - if (verbose) { - printf ("421 Service not available, " - "remote server has closed connection\n"); - fflush (stdout); - } - code = 421; - return (4); - case IAC: - c = getc (cin); - if (c == WILL || c == WONT) - fprintf (cout, "%c%c%c", IAC, DONT, getc (cin)); - if (c == DO || c == DONT) - fprintf (cout, "%c%c%c", IAC, WONT, getc (cin)); - continue; - case '\n': - *p++ = '\0'; - if(isdigit(buf[0])){ - sscanf(buf, "%d", &code); - if(code == 631){ - code = 0; - sec_read_msg(buf, prot_safe); - sscanf(buf, "%d", &code); - lead_string = "S:"; - } else if(code == 632){ - code = 0; - sec_read_msg(buf, prot_private); - sscanf(buf, "%d", &code); - lead_string = "P:"; - }else if(code == 633){ - code = 0; - sec_read_msg(buf, prot_confidential); - sscanf(buf, "%d", &code); - 
lead_string = "C:";
- }else if(sec_complete)
- lead_string = "!!";
- else
- lead_string = "";
- if(code != 0 && reply_code == 0)
- reply_code = code;
- if (verbose > 0 || (verbose > -1 && code > 499))
- fprintf (stdout, "%s%s\n", lead_string, buf);
- if (code == reply_code && buf[3] == ' ') {
- strlcpy (reply_string, buf, sizeof(reply_string));
- if (code >= 200)
- cpend = 0;
- sigaction (SIGINT, &osa, NULL);
- if (code == 421)
- lostpeer (0);
-#if 1
- if (abrtflag &&
- osa.sa_handler != cmdabort &&
- osa.sa_handler != SIG_IGN)
- osa.sa_handler (SIGINT);
-#endif
- if (code == 227 || code == 229) {
- char *p;
-
- p = strchr (reply_string, '(');
- if (p) {
- p++;
- strlcpy(pasv, p, sizeof(pasv));
- p = strrchr(pasv, ')');
- if (p)
- *p = '\0';
- }
- }
- return code / 100;
- }
- }else{
- if(verbose > 0 || (verbose > -1 && code > 499)){
- if(sec_complete)
- fprintf(stdout, "!!");
- fprintf(stdout, "%s\n", buf);
- }
- }
- p = buf;
- long_warn = 0;
- continue;
- default:
- if(p < buf + sizeof(buf) - 1)
- *p++ = c;
- else if(long_warn == 0) {
- fprintf(stderr, "WARNING: incredibly long line received\n");
- long_warn = 1;
- }
- }
- }
-
-}
-
-
-#if 0
-int
-getreply (int expecteof)
-{
- int c, n;
- int dig;
- int originalcode = 0, continuation = 0;
- sighand oldintr;
- int pflag = 0;
- char *cp, *pt = pasv;
-
- oldintr = signal (SIGINT, cmdabort);
- for (;;) {
- dig = n = code = 0;
- cp = reply_string;
- while ((c = getc (cin)) != '\n') {
- if (c == IAC) { /* handle telnet commands */
- switch (c = getc (cin)) {
- case WILL:
- case WONT:
- c = getc (cin);
- fprintf (cout, "%c%c%c", IAC, DONT, c);
- fflush (cout);
- break;
- case DO:
- case DONT:
- c = getc (cin);
- fprintf (cout, "%c%c%c", IAC, WONT, c);
- fflush (cout);
- break;
- default:
- break;
- }
- continue;
- }
- dig++;
- if (c == EOF) {
- if (expecteof) {
- signal (SIGINT, oldintr);
- code = 221;
- return (0);
- }
- lostpeer (0);
- if (verbose) {
- printf ("421 Service not available, remote server has closed
connection\n");
- fflush (stdout);
- }
- code = 421;
- return (4);
- }
- if (c != '\r' && (verbose > 0 ||
- (verbose > -1 && n == '5' && dig > 4))) {
- if (proxflag &&
- (dig == 1 || dig == 5 && verbose == 0))
- printf ("%s:", hostname);
- putchar (c);
- }
- if (dig < 4 && isdigit (c))
- code = code * 10 + (c - '0');
- if (!pflag && code == 227)
- pflag = 1;
- if (dig > 4 && pflag == 1 && isdigit (c))
- pflag = 2;
- if (pflag == 2) {
- if (c != '\r' && c != ')')
- *pt++ = c;
- else {
- *pt = '\0';
- pflag = 3;
- }
- }
- if (dig == 4 && c == '-') {
- if (continuation)
- code = 0;
- continuation++;
- }
- if (n == 0)
- n = c;
- if (cp < &reply_string[sizeof (reply_string) - 1])
- *cp++ = c;
- }
- if (verbose > 0 || verbose > -1 && n == '5') {
- putchar (c);
- fflush (stdout);
- }
- if (continuation && code != originalcode) {
- if (originalcode == 0)
- originalcode = code;
- continue;
- }
- *cp = '\0';
- if(sec_complete){
- if(code == 631)
- sec_read_msg(reply_string, prot_safe);
- else if(code == 632)
- sec_read_msg(reply_string, prot_private);
- else if(code == 633)
- sec_read_msg(reply_string, prot_confidential);
- n = code / 100 + '0';
- }
- if (n != '1')
- cpend = 0;
- signal (SIGINT, oldintr);
- if (code == 421 || originalcode == 421)
- lostpeer (0);
- if (abrtflag && oldintr != cmdabort && oldintr != SIG_IGN)
- (*oldintr) (SIGINT);
- return (n - '0');
- }
-}
-
-#endif
-
-int
-empty (fd_set * mask, int sec)
-{
- struct timeval t;
-
- t.tv_sec = sec;
- t.tv_usec = 0;
- return (select (FD_SETSIZE, mask, NULL, NULL, &t));
-}
-
-jmp_buf sendabort;
-
-static RETSIGTYPE
-abortsend (int sig)
-{
-
- mflag = 0;
- abrtflag = 0;
- printf ("\nsend aborted\nwaiting for remote to finish abort\n");
- fflush (stdout);
- longjmp (sendabort, 1);
-}
-
-#define HASHBYTES 1024
-
-static int
-copy_stream (FILE * from, FILE * to)
-{
- static size_t bufsize;
- static char *buf;
- int n;
- int bytes = 0;
- int werr = 0;
- int hashbytes = HASHBYTES;
- struct stat st;
-
-#if
defined(HAVE_MMAP) && !defined(NO_MMAP)
- void *chunk;
-
-#ifndef MAP_FAILED
-#define MAP_FAILED (-1)
-#endif
-
- if (fstat (fileno (from), &st) == 0 && S_ISREG (st.st_mode)) {
- /*
- * mmap zero bytes has potential of loosing, don't do it.
- */
- if (st.st_size == 0)
- return 0;
- chunk = mmap (0, st.st_size, PROT_READ, MAP_SHARED, fileno (from), 0);
- if (chunk != (void *) MAP_FAILED) {
- int res;
-
- res = sec_write (fileno (to), chunk, st.st_size);
- if (munmap (chunk, st.st_size) < 0)
- warn ("munmap");
- sec_fflush (to);
- return res;
- }
- }
-#endif
-
- buf = alloc_buffer (buf, &bufsize,
- fstat (fileno (from), &st) >= 0 ? &st : NULL);
- if (buf == NULL)
- return -1;
-
- while ((n = read (fileno (from), buf, bufsize)) > 0) {
- werr = sec_write (fileno (to), buf, n);
- if (werr < 0)
- break;
- bytes += werr;
- while (hash && bytes > hashbytes) {
- putchar ('#');
- hashbytes += HASHBYTES;
- }
- }
- sec_fflush (to);
- if (n < 0)
- warn ("local");
-
- if (werr < 0) {
- if (errno != EPIPE)
- warn ("netout");
- bytes = -1;
- }
- return bytes;
-}
-
-void
-sendrequest (char *cmd, char *local, char *remote, char *lmode, int printnames)
-{
- struct stat st;
- struct timeval start, stop;
- int c, d;
- FILE *fin, *dout = 0;
- int (*closefunc) (FILE *);
- RETSIGTYPE (*oldintr)(int), (*oldintp)(int);
- long bytes = 0, hashbytes = HASHBYTES;
- char *rmode = "w";
-
- if (verbose && printnames) {
- if (local && strcmp (local, "-") != 0)
- printf ("local: %s ", local);
- if (remote)
- printf ("remote: %s\n", remote);
- }
- if (proxy) {
- proxtrans (cmd, local, remote);
- return;
- }
- if (curtype != type)
- changetype (type, 0);
- closefunc = NULL;
- oldintr = NULL;
- oldintp = NULL;
-
- if (setjmp (sendabort)) {
- while (cpend) {
- getreply (0);
- }
- if (data >= 0) {
- close (data);
- data = -1;
- }
- if (oldintr)
- signal (SIGINT, oldintr);
- if (oldintp)
- signal (SIGPIPE, oldintp);
- code = -1;
- return;
- }
- oldintr = signal (SIGINT, abortsend);
- if (strcmp (local,
"-") == 0)
- fin = stdin;
- else if (*local == '|') {
- oldintp = signal (SIGPIPE, SIG_IGN);
- fin = popen (local + 1, lmode);
- if (fin == NULL) {
- warn ("%s", local + 1);
- signal (SIGINT, oldintr);
- signal (SIGPIPE, oldintp);
- code = -1;
- return;
- }
- closefunc = pclose;
- } else {
- fin = fopen (local, lmode);
- if (fin == NULL) {
- warn ("local: %s", local);
- signal (SIGINT, oldintr);
- code = -1;
- return;
- }
- closefunc = fclose;
- if (fstat (fileno (fin), &st) < 0 ||
- (st.st_mode & S_IFMT) != S_IFREG) {
- fprintf (stdout, "%s: not a plain file.\n", local);
- signal (SIGINT, oldintr);
- fclose (fin);
- code = -1;
- return;
- }
- }
- if (initconn ()) {
- signal (SIGINT, oldintr);
- if (oldintp)
- signal (SIGPIPE, oldintp);
- code = -1;
- if (closefunc != NULL)
- (*closefunc) (fin);
- return;
- }
- if (setjmp (sendabort))
- goto abort;
-
- if (restart_point &&
- (strcmp (cmd, "STOR") == 0 || strcmp (cmd, "APPE") == 0)) {
- int rc;
-
- switch (curtype) {
- case TYPE_A:
- rc = fseek (fin, (long) restart_point, SEEK_SET);
- break;
- case TYPE_I:
- case TYPE_L:
- rc = lseek (fileno (fin), restart_point, SEEK_SET);
- break;
- }
- if (rc < 0) {
- warn ("local: %s", local);
- restart_point = 0;
- if (closefunc != NULL)
- (*closefunc) (fin);
- return;
- }
- if (command ("REST %ld", (long) restart_point)
- != CONTINUE) {
- restart_point = 0;
- if (closefunc != NULL)
- (*closefunc) (fin);
- return;
- }
- restart_point = 0;
- rmode = "r+w";
- }
- if (remote) {
- if (command ("%s %s", cmd, remote) != PRELIM) {
- signal (SIGINT, oldintr);
- if (oldintp)
- signal (SIGPIPE, oldintp);
- if (closefunc != NULL)
- (*closefunc) (fin);
- return;
- }
- } else if (command ("%s", cmd) != PRELIM) {
- signal(SIGINT, oldintr);
- if (oldintp)
- signal(SIGPIPE, oldintp);
- if (closefunc != NULL)
- (*closefunc)(fin);
- return;
- }
- dout = dataconn(rmode);
- if (dout == NULL)
- goto abort;
- set_buffer_size (fileno (dout), 0);
- gettimeofday (&start, (struct timezone *) 0);
-
oldintp = signal (SIGPIPE, SIG_IGN);
- switch (curtype) {
-
- case TYPE_I:
- case TYPE_L:
- errno = d = c = 0;
- bytes = copy_stream (fin, dout);
- break;
-
- case TYPE_A:
- while ((c = getc (fin)) != EOF) {
- if (c == '\n') {
- while (hash && (bytes >= hashbytes)) {
- putchar ('#');
- fflush (stdout);
- hashbytes += HASHBYTES;
- }
- if (ferror (dout))
- break;
- sec_putc ('\r', dout);
- bytes++;
- }
- sec_putc (c, dout);
- bytes++;
- }
- sec_fflush (dout);
- if (hash) {
- if (bytes < hashbytes)
- putchar ('#');
- putchar ('\n');
- fflush (stdout);
- }
- if (ferror (fin))
- warn ("local: %s", local);
- if (ferror (dout)) {
- if (errno != EPIPE)
- warn ("netout");
- bytes = -1;
- }
- break;
- }
- if (closefunc != NULL)
- (*closefunc) (fin);
- fclose (dout);
- gettimeofday (&stop, (struct timezone *) 0);
- getreply (0);
- signal (SIGINT, oldintr);
- if (oldintp)
- signal (SIGPIPE, oldintp);
- if (bytes > 0)
- ptransfer ("sent", bytes, &start, &stop);
- return;
-abort:
- signal (SIGINT, oldintr);
- if (oldintp)
- signal (SIGPIPE, oldintp);
- if (!cpend) {
- code = -1;
- return;
- }
- if (data >= 0) {
- close (data);
- data = -1;
- }
- if (dout)
- fclose (dout);
- getreply (0);
- code = -1;
- if (closefunc != NULL && fin != NULL)
- (*closefunc) (fin);
- gettimeofday (&stop, (struct timezone *) 0);
- if (bytes > 0)
- ptransfer ("sent", bytes, &start, &stop);
-}
-
-jmp_buf recvabort;
-
-void
-abortrecv (int sig)
-{
-
- mflag = 0;
- abrtflag = 0;
- printf ("\nreceive aborted\nwaiting for remote to finish abort\n");
- fflush (stdout);
- longjmp (recvabort, 1);
-}
-
-void
-recvrequest (char *cmd, char *local, char *remote,
- char *lmode, int printnames, int local_given)
-{
- FILE *fout, *din = 0;
- int (*closefunc) (FILE *);
- sighand oldintr, oldintp;
- int c, d, is_retr, tcrflag, bare_lfs = 0;
- static size_t bufsize;
- static char *buf;
- long bytes = 0, hashbytes = HASHBYTES;
- struct timeval start, stop;
- struct stat st;
-
- is_retr = strcmp (cmd, "RETR") == 0;
- if
(is_retr && verbose && printnames) {
- if (local && strcmp (local, "-") != 0)
- printf ("local: %s ", local);
- if (remote)
- printf ("remote: %s\n", remote);
- }
- if (proxy && is_retr) {
- proxtrans (cmd, local, remote);
- return;
- }
- closefunc = NULL;
- oldintr = NULL;
- oldintp = NULL;
- tcrflag = !crflag && is_retr;
- if (setjmp (recvabort)) {
- while (cpend) {
- getreply (0);
- }
- if (data >= 0) {
- close (data);
- data = -1;
- }
- if (oldintr)
- signal (SIGINT, oldintr);
- code = -1;
- return;
- }
- oldintr = signal (SIGINT, abortrecv);
- if (!local_given || (strcmp (local, "-") && *local != '|')) {
- if (access (local, 2) < 0) {
- char *dir = strrchr (local, '/');
-
- if (errno != ENOENT && errno != EACCES) {
- warn ("local: %s", local);
- signal (SIGINT, oldintr);
- code = -1;
- return;
- }
- if (dir != NULL)
- *dir = 0;
- d = access (dir ? local : ".", 2);
- if (dir != NULL)
- *dir = '/';
- if (d < 0) {
- warn ("local: %s", local);
- signal (SIGINT, oldintr);
- code = -1;
- return;
- }
- if (!runique && errno == EACCES &&
- chmod (local, 0600) < 0) {
- warn ("local: %s", local);
- signal (SIGINT, oldintr);
- signal (SIGINT, oldintr);
- code = -1;
- return;
- }
- if (runique && errno == EACCES &&
- (local = gunique (local)) == NULL) {
- signal (SIGINT, oldintr);
- code = -1;
- return;
- }
- } else if (runique && (local = gunique (local)) == NULL) {
- signal(SIGINT, oldintr);
- code = -1;
- return;
- }
- }
- if (!is_retr) {
- if (curtype != TYPE_A)
- changetype (TYPE_A, 0);
- } else if (curtype != type)
- changetype (type, 0);
- if (initconn ()) {
- signal (SIGINT, oldintr);
- code = -1;
- return;
- }
- if (setjmp (recvabort))
- goto abort;
- if (is_retr && restart_point &&
- command ("REST %ld", (long) restart_point) != CONTINUE)
- return;
- if (remote) {
- if (command ("%s %s", cmd, remote) != PRELIM) {
- signal (SIGINT, oldintr);
- return;
- }
- } else {
- if (command ("%s", cmd) != PRELIM) {
- signal (SIGINT, oldintr);
- return;
- }
- }
- din =
dataconn ("r");
- if (din == NULL)
- goto abort;
- set_buffer_size (fileno (din), 1);
- if (local_given && strcmp (local, "-") == 0)
- fout = stdout;
- else if (local_given && *local == '|') {
- oldintp = signal (SIGPIPE, SIG_IGN);
- fout = popen (local + 1, "w");
- if (fout == NULL) {
- warn ("%s", local + 1);
- goto abort;
- }
- closefunc = pclose;
- } else {
- fout = fopen (local, lmode);
- if (fout == NULL) {
- warn ("local: %s", local);
- goto abort;
- }
- closefunc = fclose;
- }
- buf = alloc_buffer (buf, &bufsize,
- fstat (fileno (fout), &st) >= 0 ? &st : NULL);
- if (buf == NULL)
- goto abort;
-
- gettimeofday (&start, (struct timezone *) 0);
- switch (curtype) {
-
- case TYPE_I:
- case TYPE_L:
- if (restart_point &&
- lseek (fileno (fout), restart_point, SEEK_SET) < 0) {
- warn ("local: %s", local);
- if (closefunc != NULL)
- (*closefunc) (fout);
- return;
- }
- errno = d = 0;
- while ((c = sec_read (fileno (din), buf, bufsize)) > 0) {
- if ((d = write (fileno (fout), buf, c)) != c)
- break;
- bytes += c;
- if (hash) {
- while (bytes >= hashbytes) {
- putchar ('#');
- hashbytes += HASHBYTES;
- }
- fflush (stdout);
- }
- }
- if (hash && bytes > 0) {
- if (bytes < HASHBYTES)
- putchar ('#');
- putchar ('\n');
- fflush (stdout);
- }
- if (c < 0) {
- if (errno != EPIPE)
- warn ("netin");
- bytes = -1;
- }
- if (d < c) {
- if (d < 0)
- warn ("local: %s", local);
- else
- warnx ("%s: short write", local);
- }
- break;
-
- case TYPE_A:
- if (restart_point) {
- int i, n, ch;
-
- if (fseek (fout, 0L, SEEK_SET) < 0)
- goto done;
- n = restart_point;
- for (i = 0; i++ < n;) {
- if ((ch = sec_getc (fout)) == EOF)
- goto done;
- if (ch == '\n')
- i++;
- }
- if (fseek (fout, 0L, SEEK_CUR) < 0) {
- done:
- warn ("local: %s", local);
- if (closefunc != NULL)
- (*closefunc) (fout);
- return;
- }
- }
- while ((c = sec_getc(din)) != EOF) {
- if (c == '\n')
- bare_lfs++;
- while (c == '\r') {
- while (hash && (bytes >= hashbytes)) {
- putchar ('#');
- fflush (stdout);
-
hashbytes += HASHBYTES;
- }
- bytes++;
- if ((c = sec_getc (din)) != '\n' || tcrflag) {
- if (ferror (fout))
- goto break2;
- putc ('\r', fout);
- if (c == '\0') {
- bytes++;
- goto contin2;
- }
- if (c == EOF)
- goto contin2;
- }
- }
- putc (c, fout);
- bytes++;
- contin2:;
- }
-break2:
- if (bare_lfs) {
- printf ("WARNING! %d bare linefeeds received in ASCII mode\n",
- bare_lfs);
- printf ("File may not have transferred correctly.\n");
- }
- if (hash) {
- if (bytes < hashbytes)
- putchar ('#');
- putchar ('\n');
- fflush (stdout);
- }
- if (ferror (din)) {
- if (errno != EPIPE)
- warn ("netin");
- bytes = -1;
- }
- if (ferror (fout))
- warn ("local: %s", local);
- break;
- }
- if (closefunc != NULL)
- (*closefunc) (fout);
- signal (SIGINT, oldintr);
- if (oldintp)
- signal (SIGPIPE, oldintp);
- fclose (din);
- gettimeofday (&stop, (struct timezone *) 0);
- getreply (0);
- if (bytes > 0 && is_retr)
- ptransfer ("received", bytes, &start, &stop);
- return;
-abort:
-
- /* abort using RFC959 recommended IP,SYNC sequence */
-
- if (oldintp)
- signal (SIGPIPE, oldintr);
- signal (SIGINT, SIG_IGN);
- if (!cpend) {
- code = -1;
- signal (SIGINT, oldintr);
- return;
- }
- abort_remote(din);
- code = -1;
- if (data >= 0) {
- close (data);
- data = -1;
- }
- if (closefunc != NULL && fout != NULL)
- (*closefunc) (fout);
- if (din)
- fclose (din);
- gettimeofday (&stop, (struct timezone *) 0);
- if (bytes > 0)
- ptransfer ("received", bytes, &start, &stop);
- signal (SIGINT, oldintr);
-}
-
-static int
-parse_epsv (const char *str)
-{
- char sep;
- char *end;
- int port;
-
- if (*str == '\0')
- return -1;
- sep = *str++;
- if (sep != *str++)
- return -1;
- if (sep != *str++)
- return -1;
- port = strtol (str, &end, 0);
- if (str == end)
- return -1;
- if (end[0] != sep || end[1] != '\0')
- return -1;
- return htons(port);
-}
-
-static int
-parse_pasv (struct sockaddr_in *sin, const char *str)
-{
- int a0, a1, a2, a3, p0, p1;
-
- /*
- * What we've got at this point is a string
of comma separated
- * one-byte unsigned integer values. The first four are the an IP
- * address. The fifth is the MSB of the port number, the sixth is the
- * LSB. From that we'll prepare a sockaddr_in.
- */
-
- if (sscanf (str, "%d,%d,%d,%d,%d,%d",
- &a0, &a1, &a2, &a3, &p0, &p1) != 6) {
- printf ("Passive mode address scan failure. "
- "Shouldn't happen!\n");
- return -1;
- }
- if (a0 < 0 || a0 > 255 ||
- a1 < 0 || a1 > 255 ||
- a2 < 0 || a2 > 255 ||
- a3 < 0 || a3 > 255 ||
- p0 < 0 || p0 > 255 ||
- p1 < 0 || p1 > 255) {
- printf ("Can't parse passive mode string.\n");
- return -1;
- }
- memset (sin, 0, sizeof(*sin));
- sin->sin_family = AF_INET;
- sin->sin_addr.s_addr = htonl ((a0 << 24) | (a1 << 16) |
- (a2 << 8) | a3);
- sin->sin_port = htons ((p0 << 8) | p1);
- return 0;
-}
-
-static int
-passive_mode (void)
-{
- int port;
-
- data = socket (myctladdr->sa_family, SOCK_STREAM, 0);
- if (data < 0) {
- warn ("socket");
- return (1);
- }
- if (options & SO_DEBUG)
- socket_set_debug (data);
- if (command ("EPSV") != COMPLETE) {
- if (command ("PASV") != COMPLETE) {
- printf ("Passive mode refused.\n");
- goto bad;
- }
- }
-
- /*
- * Parse the reply to EPSV or PASV
- */
-
- port = parse_epsv (pasv);
- if (port > 0) {
- data_addr->sa_family = myctladdr->sa_family;
- socket_set_address_and_port (data_addr,
- socket_get_address (hisctladdr),
- port);
- } else {
- if (parse_pasv ((struct sockaddr_in *)data_addr, pasv) < 0)
- goto bad;
- }
-
- if (connect (data, data_addr, socket_sockaddr_size (data_addr)) < 0) {
- warn ("connect");
- goto bad;
- }
-#ifdef IPTOS_THROUGHPUT
- socket_set_tos (data, IPTOS_THROUGHPUT);
-#endif
- return (0);
-bad:
- close (data);
- data = -1;
- sendport = 1;
- return (1);
-}
-
-
-static int
-active_mode (void)
-{
- int tmpno = 0;
- socklen_t len;
- int result;
-
-noport:
- data_addr->sa_family = myctladdr->sa_family;
- socket_set_address_and_port (data_addr, socket_get_address (myctladdr),
- sendport ?
0 : socket_get_port (myctladdr));
-
- if (data != -1)
- close (data);
- data = socket (data_addr->sa_family, SOCK_STREAM, 0);
- if (data < 0) {
- warn ("socket");
- if (tmpno)
- sendport = 1;
- return (1);
- }
- if (!sendport)
- socket_set_reuseaddr (data, 1);
- if (bind (data, data_addr, socket_sockaddr_size (data_addr)) < 0) {
- warn ("bind");
- goto bad;
- }
- if (options & SO_DEBUG)
- socket_set_debug (data);
- len = sizeof (data_addr_ss);
- if (getsockname (data, data_addr, &len) < 0) {
- warn ("getsockname");
- goto bad;
- }
- if (listen (data, 1) < 0)
- warn ("listen");
- if (sendport) {
- char addr_str[256];
- int inet_af;
- int overbose;
-
- if (inet_ntop (data_addr->sa_family, socket_get_address (data_addr),
- addr_str, sizeof(addr_str)) == NULL)
- errx (1, "inet_ntop failed");
- switch (data_addr->sa_family) {
- case AF_INET :
- inet_af = 1;
- break;
-#ifdef HAVE_IPV6
- case AF_INET6 :
- inet_af = 2;
- break;
-#endif
- default :
- errx (1, "bad address family %d", data_addr->sa_family);
- }
-
-
- overbose = verbose;
- if (debug == 0)
- verbose = -1;
-
- result = command ("EPRT |%d|%s|%d|",
- inet_af, addr_str,
- ntohs(socket_get_port (data_addr)));
- verbose = overbose;
-
- if (result == ERROR) {
- struct sockaddr_in *sin = (struct sockaddr_in *)data_addr;
-
- unsigned int a = ntohl(sin->sin_addr.s_addr);
- unsigned int p = ntohs(sin->sin_port);
-
- if (data_addr->sa_family != AF_INET) {
- warnx ("remote server doesn't support EPRT");
- goto bad;
- }
-
- result = command("PORT %d,%d,%d,%d,%d,%d",
- (a >> 24) & 0xff,
- (a >> 16) & 0xff,
- (a >> 8) & 0xff,
- a & 0xff,
- (p >> 8) & 0xff,
- p & 0xff);
- if (result == ERROR && sendport == -1) {
- sendport = 0;
- tmpno = 1;
- goto noport;
- }
- return (result != COMPLETE);
- }
- return result != COMPLETE;
- }
- if (tmpno)
- sendport = 1;
-
-
-#ifdef IPTOS_THROUGHPUT
- socket_set_tos (data, IPTOS_THROUGHPUT);
-#endif
- return (0);
-bad:
- close (data);
- data = -1;
- if (tmpno)
- sendport = 1;
- return (1);
-}
-
-/*
- * Need to start a listen on the data channel before we send the command,
- * otherwise the server's connect may fail.
- */
-int
-initconn (void)
-{
- if (passivemode)
- return passive_mode ();
- else
- return active_mode ();
-}
-
-FILE *
-dataconn (const char *lmode)
-{
- struct sockaddr_storage from_ss;
- struct sockaddr *from = (struct sockaddr *)&from_ss;
- socklen_t fromlen = sizeof(from_ss);
- int s;
-
- if (passivemode)
- return (fdopen (data, lmode));
-
- s = accept (data, from, &fromlen);
- if (s < 0) {
- warn ("accept");
- close (data), data = -1;
- return (NULL);
- }
- close (data);
- data = s;
-#ifdef IPTOS_THROUGHPUT
- socket_set_tos (s, IPTOS_THROUGHPUT);
-#endif
- return (fdopen (data, lmode));
-}
-
-void
-ptransfer (char *direction, long int bytes,
- struct timeval * t0, struct timeval * t1)
-{
- struct timeval td;
- float s;
- float bs;
- int prec;
- char *unit;
-
- if (verbose) {
- td.tv_sec = t1->tv_sec - t0->tv_sec;
- td.tv_usec = t1->tv_usec - t0->tv_usec;
- if (td.tv_usec < 0) {
- td.tv_sec--;
- td.tv_usec += 1000000;
- }
- s = td.tv_sec + (td.tv_usec / 1000000.);
- bs = bytes / (s ?
s : 1);
- if (bs >= 1048576) {
- bs /= 1048576;
- unit = "M";
- prec = 2;
- } else if (bs >= 1024) {
- bs /= 1024;
- unit = "k";
- prec = 1;
- } else {
- unit = "";
- prec = 0;
- }
-
- printf ("%ld bytes %s in %.3g seconds (%.*f %sbyte/s)\n",
- bytes, direction, s, prec, bs, unit);
- }
-}
-
-void
-psabort (int sig)
-{
-
- abrtflag++;
-}
-
-void
-pswitch (int flag)
-{
- sighand oldintr;
- static struct comvars {
- int connect;
- char name[MaxHostNameLen];
- struct sockaddr_storage mctl;
- struct sockaddr_storage hctl;
- FILE *in;
- FILE *out;
- int tpe;
- int curtpe;
- int cpnd;
- int sunqe;
- int runqe;
- int mcse;
- int ntflg;
- char nti[17];
- char nto[17];
- int mapflg;
- char mi[MaxPathLen];
- char mo[MaxPathLen];
- } proxstruct, tmpstruct;
- struct comvars *ip, *op;
-
- abrtflag = 0;
- oldintr = signal (SIGINT, psabort);
- if (flag) {
- if (proxy)
- return;
- ip = &tmpstruct;
- op = &proxstruct;
- proxy++;
- } else {
- if (!proxy)
- return;
- ip = &proxstruct;
- op = &tmpstruct;
- proxy = 0;
- }
- ip->connect = connected;
- connected = op->connect;
- if (hostname) {
- strlcpy (ip->name, hostname, sizeof (ip->name));
- } else
- ip->name[0] = 0;
- hostname = op->name;
- ip->hctl = hisctladdr_ss;
- hisctladdr_ss = op->hctl;
- ip->mctl = myctladdr_ss;
- myctladdr_ss = op->mctl;
- ip->in = cin;
- cin = op->in;
- ip->out = cout;
- cout = op->out;
- ip->tpe = type;
- type = op->tpe;
- ip->curtpe = curtype;
- curtype = op->curtpe;
- ip->cpnd = cpend;
- cpend = op->cpnd;
- ip->sunqe = sunique;
- sunique = op->sunqe;
- ip->runqe = runique;
- runique = op->runqe;
- ip->mcse = mcase;
- mcase = op->mcse;
- ip->ntflg = ntflag;
- ntflag = op->ntflg;
- strlcpy (ip->nti, ntin, sizeof (ip->nti));
- strlcpy (ntin, op->nti, 17);
- strlcpy (ip->nto, ntout, sizeof (ip->nto));
- strlcpy (ntout, op->nto, 17);
- ip->mapflg = mapflag;
- mapflag = op->mapflg;
- strlcpy (ip->mi, mapin, MaxPathLen);
- strlcpy (mapin, op->mi, MaxPathLen);
- strlcpy (ip->mo, mapout, MaxPathLen);
- strlcpy
(mapout, op->mo, MaxPathLen);
- signal(SIGINT, oldintr);
- if (abrtflag) {
- abrtflag = 0;
- (*oldintr) (SIGINT);
- }
-}
-
-void
-abortpt (int sig)
-{
-
- printf ("\n");
- fflush (stdout);
- ptabflg++;
- mflag = 0;
- abrtflag = 0;
- longjmp (ptabort, 1);
-}
-
-void
-proxtrans (char *cmd, char *local, char *remote)
-{
- sighand oldintr;
- int secndflag = 0, prox_type, nfnd;
- char *cmd2;
- fd_set mask;
-
- if (strcmp (cmd, "RETR"))
- cmd2 = "RETR";
- else
- cmd2 = runique ? "STOU" : "STOR";
- if ((prox_type = type) == 0) {
- if (unix_server && unix_proxy)
- prox_type = TYPE_I;
- else
- prox_type = TYPE_A;
- }
- if (curtype != prox_type)
- changetype (prox_type, 1);
- if (command ("PASV") != COMPLETE) {
- printf ("proxy server does not support third party transfers.\n");
- return;
- }
- pswitch (0);
- if (!connected) {
- printf ("No primary connection\n");
- pswitch (1);
- code = -1;
- return;
- }
- if (curtype != prox_type)
- changetype (prox_type, 1);
- if (command ("PORT %s", pasv) != COMPLETE) {
- pswitch (1);
- return;
- }
- if (setjmp (ptabort))
- goto abort;
- oldintr = signal (SIGINT, abortpt);
- if (command ("%s %s", cmd, remote) != PRELIM) {
- signal (SIGINT, oldintr);
- pswitch (1);
- return;
- }
- sleep (2);
- pswitch (1);
- secndflag++;
- if (command ("%s %s", cmd2, local) != PRELIM)
- goto abort;
- ptflag++;
- getreply (0);
- pswitch (0);
- getreply (0);
- signal (SIGINT, oldintr);
- pswitch (1);
- ptflag = 0;
- printf ("local: %s remote: %s\n", local, remote);
- return;
-abort:
- signal (SIGINT, SIG_IGN);
- ptflag = 0;
- if (strcmp (cmd, "RETR") && !proxy)
- pswitch (1);
- else if (!strcmp (cmd, "RETR") && proxy)
- pswitch (0);
- if (!cpend && !secndflag) { /* only here if cmd = "STOR" (proxy=1) */
- if (command ("%s %s", cmd2, local) != PRELIM) {
- pswitch (0);
- if (cpend)
- abort_remote ((FILE *) NULL);
- }
- pswitch (1);
- if (ptabflg)
- code = -1;
- signal (SIGINT, oldintr);
- return;
- }
- if (cpend)
- abort_remote ((FILE *) NULL);
- pswitch
(!proxy);
- if (!cpend && !secndflag) { /* only if cmd = "RETR" (proxy=1) */
- if (command ("%s %s", cmd2, local) != PRELIM) {
- pswitch (0);
- if (cpend)
- abort_remote ((FILE *) NULL);
- pswitch (1);
- if (ptabflg)
- code = -1;
- signal (SIGINT, oldintr);
- return;
- }
- }
- if (cpend)
- abort_remote ((FILE *) NULL);
- pswitch (!proxy);
- if (cpend) {
- FD_ZERO (&mask);
- if (fileno(cin) >= FD_SETSIZE)
- errx (1, "fd too large");
- FD_SET (fileno (cin), &mask);
- if ((nfnd = empty (&mask, 10)) <= 0) {
- if (nfnd < 0) {
- warn ("abort");
- }
- if (ptabflg)
- code = -1;
- lostpeer (0);
- }
- getreply (0);
- getreply (0);
- }
- if (proxy)
- pswitch (0);
- pswitch (1);
- if (ptabflg)
- code = -1;
- signal (SIGINT, oldintr);
-}
-
-void
-reset (int argc, char **argv)
-{
- fd_set mask;
- int nfnd = 1;
-
- FD_ZERO (&mask);
- while (nfnd > 0) {
- if (fileno (cin) >= FD_SETSIZE)
- errx (1, "fd too large");
- FD_SET (fileno (cin), &mask);
- if ((nfnd = empty (&mask, 0)) < 0) {
- warn ("reset");
- code = -1;
- lostpeer(0);
- } else if (nfnd) {
- getreply(0);
- }
- }
-}
-
-char *
-gunique (char *local)
-{
- static char new[MaxPathLen];
- char *cp = strrchr (local, '/');
- int d, count = 0;
- char ext = '1';
-
- if (cp)
- *cp = '\0';
- d = access (cp ?
local : ".", 2);
- if (cp)
- *cp = '/';
- if (d < 0) {
- warn ("local: %s", local);
- return NULL;
- }
- strlcpy (new, local, sizeof(new));
- cp = new + strlen(new);
- *cp++ = '.';
- while (!d) {
- if (++count == 100) {
- printf ("runique: can't find unique file name.\n");
- return NULL;
- }
- *cp++ = ext;
- *cp = '\0';
- if (ext == '9')
- ext = '0';
- else
- ext++;
- if ((d = access (new, 0)) < 0)
- break;
- if (ext != '0')
- cp--;
- else if (*(cp - 2) == '.')
- *(cp - 1) = '1';
- else {
- *(cp - 2) = *(cp - 2) + 1;
- cp--;
- }
- }
- return (new);
-}
-
-void
-abort_remote (FILE * din)
-{
- char buf[BUFSIZ];
- int nfnd;
- fd_set mask;
-
- /*
- * send IAC in urgent mode instead of DM because 4.3BSD places oob mark
- * after urgent byte rather than before as is protocol now
- */
- snprintf (buf, sizeof (buf), "%c%c%c", IAC, IP, IAC);
- if (send (fileno (cout), buf, 3, MSG_OOB) != 3)
- warn ("abort");
- fprintf (cout, "%c", DM);
- sec_fprintf(cout, "ABOR");
- sec_fflush (cout);
- fprintf (cout, "\r\n");
- fflush(cout);
- FD_ZERO (&mask);
- if (fileno (cin) >= FD_SETSIZE)
- errx (1, "fd too large");
- FD_SET (fileno (cin), &mask);
- if (din) {
- if (fileno (din) >= FD_SETSIZE)
- errx (1, "fd too large");
- FD_SET (fileno (din), &mask);
- }
- if ((nfnd = empty (&mask, 10)) <= 0) {
- if (nfnd < 0) {
- warn ("abort");
- }
- if (ptabflg)
- code = -1;
- lostpeer (0);
- }
- if (din && FD_ISSET (fileno (din), &mask)) {
- while (read (fileno (din), buf, BUFSIZ) > 0)
- /* LOOP */ ;
- }
- if (getreply (0) == ERROR && code == 552) {
- /* 552 needed for nic style abort */
- getreply (0);
- }
- getreply (0);
-}
diff --git a/crypto/heimdal-0.6.3/appl/ftp/ftp/ftp.cat1 b/crypto/heimdal-0.6.3/appl/ftp/ftp/ftp.cat1
deleted file mode 100644
index 7aff3dd686..0000000000
--- a/crypto/heimdal-0.6.3/appl/ftp/ftp/ftp.cat1
+++ /dev/null
@@ -1,652 +0,0 @@ - -FTP(1) UNIX Reference Manual FTP(1) - -NNAAMMEE - ffttpp - ARPANET file transfer program - -SSYYNNOOPPSSIISS - ffttpp [--tt] [--vv] [--dd] [--ii] [--nn] [--gg] [--pp] [--ll] [----nnoo--ggssss--bbiinnddiinnggss] [_h_o_s_t] - -DDEESSCCRRIIPPTTIIOONN - FFttpp is the user interface to the ARPANET standard File Transfer Protocol. - The program allows a user to transfer files to and from a remote network - site. - - Modifications has been made so that it almost follows the ftpsec Internet - draft. - - Options may be specified at the command line, or to the command inter- - preter. - - --tt Enables packet tracing. - - --vv Verbose option forces ffttpp to show all responses from the remote - server, as well as report on data transfer statistics. - - --nn Restrains ffttpp from attempting ``auto-login'' upon initial connec- - tion. If auto-login is enabled, ffttpp will check the _._n_e_t_r_c (see be- - low) file in the user's home directory for an entry describing an - account on the remote machine. If no entry exists, ffttpp will prompt - for the remote machine login name (default is the user identity on - the local machine), and, if necessary, prompt for a password and an - account with which to login. - - --ii Turns off interactive prompting during multiple file transfers. - - --pp Turn on passive mode. - - --dd Enables debugging. - - --gg Disables file name globbing. - - ----nnoo--ggssss--bbiinnddiinnggss - use GSS-API bindings when talking to peer (ie make sure IP address- - es match). - - --ll Disables command line editing. - - The client host with which ffttpp is to communicate may be specified on the - command line. If this is done, ffttpp will immediately attempt to establish - a connection to an FTP server on that host; otherwise, ffttpp will enter its - command interpreter and await instructions from the user. When ffttpp is - awaiting commands from the user the prompt `ftp>' is provided to the us- - er. 
The following commands are recognized by ffttpp: - - !! [_c_o_m_m_a_n_d [_a_r_g_s]] - Invoke an interactive shell on the local machine. If there - are arguments, the first is taken to be a command to execute - directly, with the rest of the arguments as its arguments. - - $$ _m_a_c_r_o_-_n_a_m_e [_a_r_g_s] - Execute the macro _m_a_c_r_o_-_n_a_m_e that was defined with the mmaaccddeeff - command. Arguments are passed to the macro unglobbed. - - aaccccoouunntt [_p_a_s_s_w_d] - Supply a supplemental password required by a remote system - for access to resources once a login has been successfully - completed. If no argument is included, the user will be - prompted for an account password in a non-echoing input mode. - - aappppeenndd _l_o_c_a_l_-_f_i_l_e [_r_e_m_o_t_e_-_f_i_l_e] - Append a local file to a file on the remote machine. If - _r_e_m_o_t_e_-_f_i_l_e is left unspecified, the local file name is used - in naming the remote file after being altered by any nnttrraannss - or nnmmaapp setting. File transfer uses the current settings for - ttyyppee, ffoorrmmaatt, mmooddee, and ssttrruuccttuurree. - - aasscciiii Set the file transfer ttyyppee to network ASCII. This is the de- - fault type. - - bbeellll Arrange that a bell be sounded after each file transfer com- - mand is completed. - - bbiinnaarryy Set the file transfer ttyyppee to support binary image transfer. - - bbyyee Terminate the FTP session with the remote server and exit - ffttpp. An end of file will also terminate the session and exit. - - ccaassee Toggle remote computer file name case mapping during mmggeett - commands. When ccaassee is on (default is off), remote computer - file names with all letters in upper case are written in the - local directory with the letters mapped to lower case. - - ccdd _r_e_m_o_t_e_-_d_i_r_e_c_t_o_r_y - Change the working directory on the remote machine to _r_e_m_o_t_e_- - _d_i_r_e_c_t_o_r_y. 
- - ccdduupp Change the remote machine working directory to the parent of - the current remote machine working directory. - - cchhmmoodd _m_o_d_e _f_i_l_e_-_n_a_m_e - Change the permission modes of the file _f_i_l_e_-_n_a_m_e on the re- - mote sytem to _m_o_d_e. - - cclloossee Terminate the FTP session with the remote server, and return - to the command interpreter. Any defined macros are erased. - - ccrr Toggle carriage return stripping during ascii type file re- - trieval. Records are denoted by a carriage return/linefeed - sequence during ascii type file transfer. When ccrr is on (the - default), carriage returns are stripped from this sequence to - conform with the UNIX single linefeed record delimiter. - Records on non-UNIX remote systems may contain single line- - feeds; when an ascii type transfer is made, these linefeeds - may be distinguished from a record delimiter only when ccrr is - off. - - ddeelleettee _r_e_m_o_t_e_-_f_i_l_e - Delete the file _r_e_m_o_t_e_-_f_i_l_e on the remote machine. - - ddeebbuugg [_d_e_b_u_g_-_v_a_l_u_e] - Toggle debugging mode. If an optional _d_e_b_u_g_-_v_a_l_u_e is speci- - fied it is used to set the debugging level. When debugging - is on, ffttpp prints each command sent to the remote machine, - preceded by the string `-->' - - ddiirr [_r_e_m_o_t_e_-_d_i_r_e_c_t_o_r_y] [_l_o_c_a_l_-_f_i_l_e] - Print a listing of the directory contents in the directory, - _r_e_m_o_t_e_-_d_i_r_e_c_t_o_r_y, and, optionally, placing the output in - _l_o_c_a_l_-_f_i_l_e. If interactive prompting is on, ffttpp will prompt - the user to verify that the last argument is indeed the tar- - get local file for receiving ddiirr output. If no directory is - specified, the current working directory on the remote ma- - chine is used. If no local file is specified, or _l_o_c_a_l_-_f_i_l_e - is --, output comes to the terminal. - - ddiissccoonnnneecctt A synonym for _c_l_o_s_e. - - ffoorrmm _f_o_r_m_a_t - Set the file transfer ffoorrmm to _f_o_r_m_a_t. 
The default format is - ``file''. - - ggeett _r_e_m_o_t_e_-_f_i_l_e [_l_o_c_a_l_-_f_i_l_e] - Retrieve the _r_e_m_o_t_e_-_f_i_l_e and store it on the local machine. - If the local file name is not specified, it is given the same - name it has on the remote machine, subject to alteration by - the current ccaassee, nnttrraannss, and nnmmaapp settings. The current - settings for ttyyppee, ffoorrmm, mmooddee, and ssttrruuccttuurree are used while - transferring the file. - - gglloobb Toggle filename expansion for mmddeelleettee, mmggeett and mmppuutt. If - globbing is turned off with gglloobb, the file name arguments are - taken literally and not expanded. Globbing for mmppuutt is done - as in csh(1). For mmddeelleettee and mmggeett, each remote file name is - expanded separately on the remote machine and the lists are - not merged. Expansion of a directory name is likely to be - different from expansion of the name of an ordinary file: the - exact result depends on the foreign operating system and ftp - server, and can be previewed by doing `mls remote-files -'. - As a security measure, remotely globbed files that starts - with `/' or contains `../', will not be automatically re- - ceived. If you have interactive prompting turned off, these - filenames will be ignored. Note: mmggeett and mmppuutt are not meant - to transfer entire directory subtrees of files. That can be - done by transferring a tar(1) archive of the subtree (in bi- - nary mode). - - hhaasshh Toggle hash-sign (``#'') printing for each data block trans- - ferred. The size of a data block is 1024 bytes. - - hheellpp [_c_o_m_m_a_n_d] - Print an informative message about the meaning of _c_o_m_m_a_n_d. If - no argument is given, ffttpp prints a list of the known com- - mands. - - iiddllee [_s_e_c_o_n_d_s] - Set the inactivity timer on the remote server to _s_e_c_o_n_d_s sec- - onds. If _s_e_c_o_n_d_s is omitted, the current inactivity timer is - printed. 
- - llccdd [_d_i_r_e_c_t_o_r_y] - Change the working directory on the local machine. If no - _d_i_r_e_c_t_o_r_y is specified, the user's home directory is used. - - llss [_r_e_m_o_t_e_-_d_i_r_e_c_t_o_r_y] [_l_o_c_a_l_-_f_i_l_e] - Print a listing of the contents of a directory on the remote - machine. The listing includes any system-dependent informa- - tion that the server chooses to include; for example, most - UNIX systems will produce output from the command `ls -l'. - (See also nnlliisstt.) If _r_e_m_o_t_e_-_d_i_r_e_c_t_o_r_y is left unspecified, - the current working directory is used. If interactive - prompting is on, ffttpp will prompt the user to verify that the - last argument is indeed the target local file for receiving - llss output. If no local file is specified, or if _l_o_c_a_l_-_f_i_l_e - is `--', the output is sent to the terminal. - - mmaaccddeeff _m_a_c_r_o_-_n_a_m_e - Define a macro. Subsequent lines are stored as the macro - _m_a_c_r_o_-_n_a_m_e; a null line (consecutive newline characters in a - file or carriage returns from the terminal) terminates macro - input mode. There is a limit of 16 macros and 4096 total - characters in all defined macros. Macros remain defined un- - til a cclloossee command is executed. The macro processor inter- - prets `$' and `\' as special characters. A `$' followed by a - number (or numbers) is replaced by the corresponding argument - on the macro invocation command line. A `$' followed by an - `i' signals that macro processor that the executing macro is - to be looped. On the first pass `$i' is replaced by the - first argument on the macro invocation command line, on the - second pass it is replaced by the second argument, and so on. - A `\' followed by any character is replaced by that charac- - ter. Use the `\' to prevent special treatment of the `$'. - - mmddeelleettee [_r_e_m_o_t_e_-_f_i_l_e_s] - Delete the _r_e_m_o_t_e_-_f_i_l_e_s on the remote machine. 
- - mmddiirr _r_e_m_o_t_e_-_f_i_l_e_s _l_o_c_a_l_-_f_i_l_e - Like ddiirr, except multiple remote files may be specified. If - interactive prompting is on, ffttpp will prompt the user to ver- - ify that the last argument is indeed the target local file - for receiving mmddiirr output. - - mmggeett _r_e_m_o_t_e_-_f_i_l_e_s - Expand the _r_e_m_o_t_e_-_f_i_l_e_s on the remote machine and do a ggeett - for each file name thus produced. See gglloobb for details on - the filename expansion. Resulting file names will then be - processed according to ccaassee, nnttrraannss, and nnmmaapp settings. - Files are transferred into the local working directory, which - can be changed with `lcd directory'; new local directories - can be created with `! mkdir directory'. - - mmkkddiirr _d_i_r_e_c_t_o_r_y_-_n_a_m_e - Make a directory on the remote machine. - - mmllss _r_e_m_o_t_e_-_f_i_l_e_s _l_o_c_a_l_-_f_i_l_e - Like nnlliisstt, except multiple remote files may be specified, - and the _l_o_c_a_l_-_f_i_l_e must be specified. If interactive prompt- - ing is on, ffttpp will prompt the user to verify that the last - argument is indeed the target local file for receiving mmllss - output. - - mmooddee [_m_o_d_e_-_n_a_m_e] - Set the file transfer mmooddee to _m_o_d_e_-_n_a_m_e. The default mode is - ``stream'' mode. - - mmooddttiimmee _f_i_l_e_-_n_a_m_e - Show the last modification time of the file on the remote ma- - chine. - - mmppuutt _l_o_c_a_l_-_f_i_l_e_s - Expand wild cards in the list of local files given as argu- - ments and do a ppuutt for each file in the resulting list. See - gglloobb for details of filename expansion. Resulting file names - will then be processed according to nnttrraannss and nnmmaapp settings. - - nneewweerr _f_i_l_e_-_n_a_m_e - Get the file only if the modification time of the remote file - is more recent that the file on the current system. If the - file does not exist on the current system, the remote file is - considered nneewweerr. 
Otherwise, this command is identical to - _g_e_t. - - nnlliisstt [_r_e_m_o_t_e_-_d_i_r_e_c_t_o_r_y] [_l_o_c_a_l_-_f_i_l_e] - Print a list of the files in a directory on the remote ma- - chine. If _r_e_m_o_t_e_-_d_i_r_e_c_t_o_r_y is left unspecified, the current - working directory is used. If interactive prompting is on, - ffttpp will prompt the user to verify that the last argument is - indeed the target local file for receiving nnlliisstt output. If - no local file is specified, or if _l_o_c_a_l_-_f_i_l_e is --, the output - is sent to the terminal. - - nnmmaapp [_i_n_p_a_t_t_e_r_n _o_u_t_p_a_t_t_e_r_n] - Set or unset the filename mapping mechanism. If no arguments - are specified, the filename mapping mechanism is unset. If - arguments are specified, remote filenames are mapped during - mmppuutt commands and ppuutt commands issued without a specified re- - mote target filename. If arguments are specified, local - filenames are mapped during mmggeett commands and ggeett commands - issued without a specified local target filename. This com- - mand is useful when connecting to a non-UNIX remote computer - with different file naming conventions or practices. The - mapping follows the pattern set by _i_n_p_a_t_t_e_r_n and _o_u_t_p_a_t_t_e_r_n. - [_I_n_p_a_t_t_e_r_n] is a template for incoming filenames (which may - have already been processed according to the nnttrraannss and ccaassee - settings). Variable templating is accomplished by including - the sequences `$1', `$2', ..., `$9' in _i_n_p_a_t_t_e_r_n. Use `\' to - prevent this special treatment of the `$' character. All - other characters are treated literally, and are used to de- - termine the nnmmaapp [_i_n_p_a_t_t_e_r_n] variable values. For example, - given _i_n_p_a_t_t_e_r_n $1.$2 and the remote file name "mydata.data", - $1 would have the value "mydata", and $2 would have the value - "data". The _o_u_t_p_a_t_t_e_r_n determines the resulting mapped file- - name. 
The sequences `$1', `$2', ...., `$9' are replaced by - any value resulting from the _i_n_p_a_t_t_e_r_n template. The se- - quence `$0' is replace by the original filename. Additional- - ly, the sequence `[_s_e_q_1, _s_e_q_2]' is replaced by [_s_e_q_1] if _s_e_q_1 - is not a null string; otherwise it is replaced by _s_e_q_2. For - example, the command - - nmap $1.$2.$3 [$1,$2].[$2,file] - - would yield the output filename "myfile.data" for input file- - names "myfile.data" and "myfile.data.old", "myfile.file" for - the input filename "myfile", and "myfile.myfile" for the in- - put filename ".myfile". Spaces may be included in - _o_u_t_p_a_t_t_e_r_n, as in the example: `nmap $1 sed "s/ *$//" > $1' - . Use the `\' character to prevent special treatment of the - `$','[','[', and `,' characters. - - nnttrraannss [_i_n_c_h_a_r_s [_o_u_t_c_h_a_r_s]] - Set or unset the filename character translation mechanism. - If no arguments are specified, the filename character trans- - lation mechanism is unset. If arguments are specified, char- - acters in remote filenames are translated during mmppuutt com- - mands and ppuutt commands issued without a specified remote tar- - get filename. If arguments are specified, characters in lo- - cal filenames are translated during mmggeett commands and ggeett - commands issued without a specified local target filename. - This command is useful when connecting to a non-UNIX remote - computer with different file naming conventions or practices. - Characters in a filename matching a character in _i_n_c_h_a_r_s are - replaced with the corresponding character in _o_u_t_c_h_a_r_s. If the - character's position in _i_n_c_h_a_r_s is longer than the length of - _o_u_t_c_h_a_r_s, the character is deleted from the file name. - - ooppeenn _h_o_s_t [_p_o_r_t] - Establish a connection to the specified _h_o_s_t FTP server. An - optional port number may be supplied, in which case, ffttpp will - attempt to contact an FTP server at that port. 
If the aauuttoo-- - llooggiinn option is on (default), ffttpp will also attempt to auto- - - matically log the user in to the FTP server (see below). - - ppaassssiivvee Toggle passive mode. If passive mode is turned on (default - is off), the ftp client will send a PASV command for all data - connections instead of the usual PORT command. The PASV com- - mand requests that the remote server open a port for the data - connection and return the address of that port. The remote - server listens on that port and the client connects to it. - When using the more traditional PORT command, the client lis- - tens on a port and sends that address to the remote server, - who connects back to it. Passive mode is useful when using - ffttpp through a gateway router or host that controls the direc- - tionality of traffic. (Note that though ftp servers are re- - quired to support the PASV command by RFC 1123, some do not.) - - pprroommpptt Toggle interactive prompting. Interactive prompting occurs - during multiple file transfers to allow the user to selec- - tively retrieve or store files. If prompting is turned off - (default is on), any mmggeett or mmppuutt will transfer all files, - and any mmddeelleettee will delete all files. - - pprrooxxyy _f_t_p_-_c_o_m_m_a_n_d - Execute an ftp command on a secondary control connection. - This command allows simultaneous connection to two remote ftp - servers for transferring files between the two servers. The - first pprrooxxyy command should be an ooppeenn, to establish the sec- - ondary control connection. Enter the command "proxy ?" to - see other ftp commands executable on the secondary connec- - tion. 
The following commands behave differently when pref- - aced by pprrooxxyy: ooppeenn will not define new macros during the au- - to-login process, cclloossee will not erase existing macro defini- - tions, ggeett and mmggeett transfer files from the host on the pri- - mary control connection to the host on the secondary control - connection, and ppuutt, mmppuutt, and aappppeenndd transfer files from the - host on the secondary control connection to the host on the - primary control connection. Third party file transfers de- - pend upon support of the ftp protocol PASV command by the - server on the secondary control connection. - - ppuutt _l_o_c_a_l_-_f_i_l_e [_r_e_m_o_t_e_-_f_i_l_e] - Store a local file on the remote machine. If _r_e_m_o_t_e_-_f_i_l_e is - left unspecified, the local file name is used after process- - ing according to any nnttrraannss or nnmmaapp settings in naming the - remote file. File transfer uses the current settings for - ttyyppee, ffoorrmmaatt, mmooddee, and ssttrruuccttuurree. - - ppwwdd Print the name of the current working directory on the remote - machine. - - qquuiitt A synonym for bbyyee. - - qquuoottee _a_r_g_1 _a_r_g_2 _._._. - The arguments specified are sent, verbatim, to the remote FTP - server. - - rreeccvv _r_e_m_o_t_e_-_f_i_l_e [_l_o_c_a_l_-_f_i_l_e] - A synonym for get. - - rreeggeett _r_e_m_o_t_e_-_f_i_l_e [_l_o_c_a_l_-_f_i_l_e] - Reget acts like get, except that if _l_o_c_a_l_-_f_i_l_e exists and is - smaller than _r_e_m_o_t_e_-_f_i_l_e, _l_o_c_a_l_-_f_i_l_e is presumed to be a par- - tially transferred copy of _r_e_m_o_t_e_-_f_i_l_e and the transfer is - continued from the apparent point of failure. This command - is useful when transferring very large files over networks - - that are prone to dropping connections. - - rreemmootteehheellpp [_c_o_m_m_a_n_d_-_n_a_m_e] - Request help from the remote FTP server. If a _c_o_m_m_a_n_d_-_n_a_m_e - is specified it is supplied to the server as well. 
- - rreemmootteessttaattuuss [_f_i_l_e_-_n_a_m_e] - With no arguments, show status of remote machine. If _f_i_l_e_- - _n_a_m_e is specified, show status of _f_i_l_e_-_n_a_m_e on remote ma- - chine. - - rreennaammee [_f_r_o_m] [_t_o] - Rename the file _f_r_o_m on the remote machine, to the file _t_o. - - rreesseett Clear reply queue. This command re-synchronizes command/re- - ply sequencing with the remote ftp server. Resynchronization - may be necessary following a violation of the ftp protocol by - the remote server. - - rreessttaarrtt _m_a_r_k_e_r - Restart the immediately following ggeett or ppuutt at the indicated - _m_a_r_k_e_r. On UNIX systems, marker is usually a byte offset into - the file. - - rrmmddiirr _d_i_r_e_c_t_o_r_y_-_n_a_m_e - Delete a directory on the remote machine. - - rruunniiqquuee Toggle storing of files on the local system with unique file- - names. If a file already exists with a name equal to the - target local filename for a ggeett or mmggeett command, a ".1" is - appended to the name. If the resulting name matches another - existing file, a ".2" is appended to the original name. If - this process continues up to ".99", an error message is - printed, and the transfer does not take place. The generated - unique filename will be reported. Note that rruunniiqquuee will not - affect local files generated from a shell command (see be- - low). The default value is off. - - sseenndd _l_o_c_a_l_-_f_i_l_e [_r_e_m_o_t_e_-_f_i_l_e] - A synonym for put. - - sseennddppoorrtt Toggle the use of PORT commands. By default, ffttpp will at- - tempt to use a PORT command when establishing a connection - for each data transfer. The use of PORT commands can prevent - delays when performing multiple file transfers. If the PORT - command fails, ffttpp will use the default data port. When the - use of PORT commands is disabled, no attempt will be made to - use PORT commands for each data transfer. 
This is useful for - certain FTP implementations which do ignore PORT commands - but, incorrectly, indicate they've been accepted. - - ssiittee _a_r_g_1 _a_r_g_2 _._._. - The arguments specified are sent, verbatim, to the remote FTP - server as a SITE command. - - ssiizzee _f_i_l_e_-_n_a_m_e - Return size of _f_i_l_e_-_n_a_m_e on remote machine. - - ssttaattuuss Show the current status of ffttpp. - - ssttrruucctt [_s_t_r_u_c_t_-_n_a_m_e] - Set the file transfer _s_t_r_u_c_t_u_r_e to _s_t_r_u_c_t_-_n_a_m_e. By default - ``stream'' structure is used. - - ssuunniiqquuee Toggle storing of files on remote machine under unique file - names. Remote ftp server must support ftp protocol STOU com- - mand for successful completion. The remote server will re- - port unique name. Default value is off. - - ssyysstteemm Show the type of operating system running on the remote ma- - chine. - - tteenneexx Set the file transfer type to that needed to talk to TENEX - machines. - - ttrraaccee Toggle packet tracing. - - ttyyppee [_t_y_p_e_-_n_a_m_e] - Set the file transfer ttyyppee to _t_y_p_e_-_n_a_m_e. If no type is speci- - fied, the current type is printed. The default type is net- - work ASCII. - - uummaasskk [_n_e_w_m_a_s_k] - Set the default umask on the remote server to _n_e_w_m_a_s_k. If - _n_e_w_m_a_s_k is omitted, the current umask is printed. - - uusseerr _u_s_e_r_-_n_a_m_e [_p_a_s_s_w_o_r_d] [_a_c_c_o_u_n_t] - Identify yourself to the remote FTP server. If the _p_a_s_s_w_o_r_d - is not specified and the server requires it, ffttpp will prompt - the user for it (after disabling local echo). If an _a_c_c_o_u_n_t - field is not specified, and the FTP server requires it, the - user will be prompted for it. If an _a_c_c_o_u_n_t field is speci- - fied, an account command will be relayed to the remote server - after the login sequence is completed if the remote server - did not require it for logging in. 
Unless ffttpp is invoked - with ``auto-login'' disabled, this process is done automati- - cally on initial connection to the FTP server. - - vveerrbboossee Toggle verbose mode. In verbose mode, all responses from the - FTP server are displayed to the user. In addition, if ver- - bose is on, when a file transfer completes, statistics re- - garding the efficiency of the transfer are reported. By de- - fault, verbose is on. - - ?? [_c_o_m_m_a_n_d] - A synonym for help. - - The following command can be used with ftpsec-aware servers. - - pprroott _c_l_e_a_r | _s_a_f_e | _c_o_n_f_i_d_e_n_t_i_a_l | _p_r_i_v_a_t_e - Set the data protection level to the requested level. - - The following command can be used with ftp servers that has implemented - the KAUTH site command. - - kkaauutthh [_p_r_i_n_c_i_p_a_l] - Obtain remote tickets. - - Command arguments which have embedded spaces may be quoted with quote `"' - marks. - -AABBOORRTTIINNGG AA FFIILLEE TTRRAANNSSFFEERR - To abort a file transfer, use the terminal interrupt key (usually Ctrl- - C). Sending transfers will be immediately halted. Receiving transfers - will be halted by sending a ftp protocol ABOR command to the remote serv- - er, and discarding any further data received. The speed at which this is - accomplished depends upon the remote server's support for ABOR process- - ing. If the remote server does not support the ABOR command, an `ftp>' - prompt will not appear until the remote server has completed sending the - requested file. - - - The terminal interrupt key sequence will be ignored when ffttpp has complet- - ed any local processing and is awaiting a reply from the remote server. - A long delay in this mode may result from the ABOR processing described - above, or from unexpected behavior by the remote server, including viola- - tions of the ftp protocol. If the delay results from unexpected remote - server behavior, the local ffttpp program must be killed by hand. 
- -FFIILLEE NNAAMMIINNGG CCOONNVVEENNTTIIOONNSS - Files specified as arguments to ffttpp commands are processed according to - the following rules. - - 1. If the file name `--' is specified, the _s_t_d_i_n (for reading) or _s_t_d_o_u_t - (for writing) is used. - - 2. If the first character of the file name is `|', the remainder of the - argument is interpreted as a shell command. FFttpp then forks a shell, - using popen(3) with the argument supplied, and reads (writes) from - the stdout (stdin). If the shell command includes spaces, the argu- - ment must be quoted; e.g. ``" ls -lt"''. A particularly useful ex- - ample of this mechanism is: ``dir more''. - - 3. Failing the above checks, if ``globbing'' is enabled, local file - names are expanded according to the rules used in the csh(1); c.f. - the gglloobb command. If the ffttpp command expects a single local file - (.e.g. ppuutt), only the first filename generated by the "globbing" - operation is used. - - 4. For mmggeett commands and ggeett commands with unspecified local file - names, the local filename is the remote filename, which may be al- - tered by a ccaassee, nnttrraannss, or nnmmaapp setting. The resulting filename - may then be altered if rruunniiqquuee is on. - - 5. For mmppuutt commands and ppuutt commands with unspecified remote file - names, the remote filename is the local filename, which may be al- - tered by a nnttrraannss or nnmmaapp setting. The resulting filename may then - be altered by the remote server if ssuunniiqquuee is on. - -FFIILLEE TTRRAANNSSFFEERR PPAARRAAMMEETTEERRSS - The FTP specification specifies many parameters which may affect a file - transfer. The ttyyppee may be one of ``ascii'', ``image'' (binary), - ``ebcdic'', and ``local byte size'' (for PDP-10's and PDP-20's mostly). - FFttpp supports the ascii and image types of file transfer, plus local byte - size 8 for tteenneexx mode transfers. 
- - FFttpp supports only the default values for the remaining file transfer pa- - rameters: mmooddee, ffoorrmm, and ssttrruucctt. - -TTHHEE ..nneettrrcc FFIILLEE - The _._n_e_t_r_c file contains login and initialization information used by the - auto-login process. It resides in the user's home directory. The fol- - lowing tokens are recognized; they may be separated by spaces, tabs, or - new-lines: - - mmaacchhiinnee _n_a_m_e - Identify a remote machine _n_a_m_e. The auto-login process searches - the _._n_e_t_r_c file for a mmaacchhiinnee token that matches the remote ma- - chine specified on the ffttpp command line or as an ooppeenn command - argument. Once a match is made, the subsequent _._n_e_t_r_c tokens - are processed, stopping when the end of file is reached or an- - other mmaacchhiinnee or a ddeeffaauulltt token is encountered. - - ddeeffaauulltt This is the same as mmaacchhiinnee _n_a_m_e except that ddeeffaauulltt matches - any name. There can be only one ddeeffaauulltt token, and it must be - after all mmaacchhiinnee tokens. This is normally used as: - - - default login anonymous password user@site - - thereby giving the user _a_u_t_o_m_a_t_i_c anonymous ftp login to ma- - chines not specified in _._n_e_t_r_c. This can be overridden by using - the --nn flag to disable auto-login. - - llooggiinn _n_a_m_e - Identify a user on the remote machine. If this token is pre- - sent, the auto-login process will initiate a login using the - specified _n_a_m_e. - - ppaasssswwoorrdd _s_t_r_i_n_g - Supply a password. If this token is present, the auto-login - process will supply the specified string if the remote server - requires a password as part of the login process. Note that if - this token is present in the _._n_e_t_r_c file for any user other - than _a_n_o_n_y_m_o_u_s, ffttpp will abort the auto-login process if the - _._n_e_t_r_c is readable by anyone besides the user. - - aaccccoouunntt _s_t_r_i_n_g - Supply an additional account password. 
If this token is pre- - sent, the auto-login process will supply the specified string - if the remote server requires an additional account password, - or the auto-login process will initiate an ACCT command if it - does not. - - mmaaccddeeff _n_a_m_e - Define a macro. This token functions like the ffttpp mmaaccddeeff com- - mand functions. A macro is defined with the specified name; - its contents begin with the next _._n_e_t_r_c line and continue until - a null line (consecutive new-line characters) is encountered. - If a macro named iinniitt is defined, it is automatically executed - as the last step in the auto-login process. - -EENNVVIIRROONNMMEENNTT - FFttpp uses the following environment variables. - - HOME For default location of a _._n_e_t_r_c file, if one exists. - - SHELL For default shell. - -SSEEEE AALLSSOO - ftpd(8) - - _R_F_C_2_2_2_8. - -HHIISSTTOORRYY - The ffttpp command appeared in 4.2BSD. - -BBUUGGSS - Correct execution of many commands depends upon proper behavior by the - remote server. - - An error in the treatment of carriage returns in the 4.2BSD ascii-mode - transfer code has been corrected. This correction may result in incor- - rect transfers of binary files to and from 4.2BSD servers using the ascii - type. Avoid this problem by using the binary image type. - -4.2 Berkeley Distribution April 27, 1996 10 diff --git a/crypto/heimdal-0.6.3/appl/ftp/ftp/ftp_locl.h b/crypto/heimdal-0.6.3/appl/ftp/ftp/ftp_locl.h deleted file mode 100644 index 4749da0901..0000000000 --- a/crypto/heimdal-0.6.3/appl/ftp/ftp/ftp_locl.h +++ /dev/null 
@@ -1,141 +0,0 @@ -/* - * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -/* $Id: ftp_locl.h,v 1.37 2002/09/10 20:03:46 joda Exp $ */ - -#ifndef __FTP_LOCL_H__ -#define __FTP_LOCL_H__ - -#ifdef HAVE_CONFIG_H -#include -#endif - -#ifdef HAVE_PWD_H -#include -#endif -#include -#include -#include -#include -#include -#ifdef TIME_WITH_SYS_TIME -#include -#include -#elif defined(HAVE_SYS_TIME_H) -#include -#else -#include -#endif -#ifdef HAVE_UNISTD_H -#include -#endif - -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_SYS_PARAM_H -#include -#endif -#ifdef HAVE_SYS_RESOURCE_H -#include -#endif -#ifdef HAVE_SYS_WAIT_H -#include -#endif -#ifdef HAVE_SYS_STAT_H -#include -#endif -#ifdef HAVE_SYS_SOCKET_H -#include -#endif - -#ifdef HAVE_NETINET_IN_H -#include -#endif -#ifdef HAVE_NETINET_IN_SYSTM_H -#include -#endif -#ifdef HAVE_NETINET_IP_H -#include -#endif - -#ifdef HAVE_ARPA_FTP_H -#include -#endif -#ifdef HAVE_ARPA_INET_H -#include -#endif -#ifdef HAVE_ARPA_TELNET_H -#include -#endif - -#include -#include -#include -#ifdef HAVE_NETDB_H -#include -#endif - -#ifdef HAVE_SYS_MMAN_H -#include -#endif - -#include - -#ifdef SOCKS -#include -extern int LIBPREFIX(fclose) (FILE *); - -/* This doesn't belong here. */ -struct tm *localtime(const time_t *); -struct hostent *gethostbyname(const char *); - -#endif - -#include "ftp_var.h" -#include "extern.h" -#include "common.h" -#include "pathnames.h" - -#include "roken.h" -#include "security.h" - -/* des_read_pw_string */ -#include "crypto-headers.h" - -#if defined(__sun__) && !defined(__svr4) -int fclose(FILE*); -int pclose(FILE*); -#endif - -#endif /* __FTP_LOCL_H__ */ diff --git a/crypto/heimdal-0.6.3/appl/ftp/ftp/ftp_var.h b/crypto/heimdal-0.6.3/appl/ftp/ftp/ftp_var.h deleted file mode 100644 index 3dbe6b44a1..0000000000 --- a/crypto/heimdal-0.6.3/appl/ftp/ftp/ftp_var.h +++ /dev/null 
@@ -1,129 +0,0 @@ -/* - * Copyright (c) 1985, 1989, 1993, 1994 - * The Regents of the University of California. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * @(#)ftp_var.h 8.4 (Berkeley) 10/9/94 - */ - -/* - * FTP global variables. 
- */ - -#ifdef HAVE_SYS_PARAM_H -#include -#endif -#include - -/* - * Options and other state info. - */ -extern int trace; /* trace packets exchanged */ -extern int hash; /* print # for each buffer transferred */ -extern int sendport; /* use PORT cmd for each data connection */ -extern int verbose; /* print messages coming back from server */ -extern int connected; /* connected to server */ -extern int fromatty; /* input is from a terminal */ -extern int interactive; /* interactively prompt on m* cmds */ -extern int lineedit; /* use line-editing */ -extern int debug; /* debugging level */ -extern int bell; /* ring bell on cmd completion */ -extern int doglob; /* glob local file names */ -extern int autologin; /* establish user account on connection */ -extern int proxy; /* proxy server connection active */ -extern int proxflag; /* proxy connection exists */ -extern int sunique; /* store files on server with unique name */ -extern int runique; /* store local files with unique name */ -extern int mcase; /* map upper to lower case for mget names */ -extern int ntflag; /* use ntin ntout tables for name translation */ -extern int mapflag; /* use mapin mapout templates on file names */ -extern int code; /* return/reply code for ftp command */ -extern int crflag; /* if 1, strip car. rets. 
on ascii gets */ -extern char pasv[64]; /* passive port for proxy data connection */ -extern int passivemode; /* passive mode enabled */ -extern char *altarg; /* argv[1] with no shell-like preprocessing */ -extern char ntin[17]; /* input translation table */ -extern char ntout[17]; /* output translation table */ -extern char mapin[MaxPathLen]; /* input map template */ -extern char mapout[MaxPathLen]; /* output map template */ -extern char typename[32]; /* name of file transfer type */ -extern int type; /* requested file transfer type */ -extern int curtype; /* current file transfer type */ -extern char structname[32]; /* name of file transfer structure */ -extern int stru; /* file transfer structure */ -extern char formname[32]; /* name of file transfer format */ -extern int form; /* file transfer format */ -extern char modename[32]; /* name of file transfer mode */ -extern int mode; /* file transfer mode */ -extern char bytename[32]; /* local byte size in ascii */ -extern int bytesize; /* local byte size in binary */ - -extern char *hostname; /* name of host connected to */ -extern int unix_server; /* server is unix, can use binary for ascii */ -extern int unix_proxy; /* proxy is unix, can use binary for ascii */ - -extern jmp_buf toplevel; /* non-local goto stuff for cmd scanner */ - -extern char line[200]; /* input line buffer */ -extern char *stringbase; /* current scan point in line buffer */ -extern char argbuf[200]; /* argument storage buffer */ -extern char *argbase; /* current storage point in arg buffer */ -extern int margc; /* count of arguments on input line */ -extern char **margv; /* args parsed from input line */ -extern int margvlen; /* how large margv is currently */ -extern int cpend; /* flag: if != 0, then pending server reply */ -extern int mflag; /* flag: if != 0, then active multi command */ - -extern int options; /* used during socket creation */ -extern int use_kerberos; /* use Kerberos authentication */ - -/* - * Format of command table. 
- */ -struct cmd { - char *c_name; /* name of command */ - char *c_help; /* help string */ - char c_bell; /* give bell when command completes */ - char c_conn; /* must be connected to use command */ - char c_proxy; /* proxy server may execute */ - void (*c_handler) (int, char **); /* function to call */ -}; - -struct macel { - char mac_name[9]; /* macro name */ - char *mac_start; /* start of macro in macbuf */ - char *mac_end; /* end of macro in macbuf */ -}; - -extern int macnum; /* number of defined macros */ -extern struct macel macros[16]; -extern char macbuf[4096]; - - diff --git a/crypto/heimdal-0.6.3/appl/ftp/ftp/globals.c b/crypto/heimdal-0.6.3/appl/ftp/ftp/globals.c deleted file mode 100644 index 8a0e1c93de..0000000000 --- a/crypto/heimdal-0.6.3/appl/ftp/ftp/globals.c +++ /dev/null 
@@ -1,78 +0,0 @@ -#include "ftp_locl.h" -RCSID("$Id: globals.c,v 1.8 2000/11/15 22:56:08 assar Exp $"); - -/* - * Options and other state info. - */ -int trace; /* trace packets exchanged */ -int hash; /* print # for each buffer transferred */ -int sendport; /* use PORT cmd for each data connection */ -int verbose; /* print messages coming back from server */ -int connected; /* connected to server */ -int fromatty; /* input is from a terminal */ -int interactive; /* interactively prompt on m* cmds */ -int lineedit; /* use line-editing */ -int debug; /* debugging level */ -int bell; /* ring bell on cmd completion */ -int doglob; /* glob local file names */ -int autologin; /* establish user account on connection */ -int proxy; /* proxy server connection active */ -int proxflag; /* proxy connection exists */ -int sunique; /* store files on server with unique name */ -int runique; /* store local files with unique name */ -int mcase; /* map upper to lower case for mget names */ -int ntflag; /* use ntin ntout tables for name translation */ -int mapflag; /* use mapin mapout templates on file names */ -int code; /* return/reply code for ftp command */ -int crflag; /* if 1, strip car. rets. 
on ascii gets */ -char pasv[64]; /* passive port for proxy data connection */ -int passivemode; /* passive mode enabled */ -char *altarg; /* argv[1] with no shell-like preprocessing */ -char ntin[17]; /* input translation table */ -char ntout[17]; /* output translation table */ -char mapin[MaxPathLen]; /* input map template */ -char mapout[MaxPathLen]; /* output map template */ -char typename[32]; /* name of file transfer type */ -int type; /* requested file transfer type */ -int curtype; /* current file transfer type */ -char structname[32]; /* name of file transfer structure */ -int stru; /* file transfer structure */ -char formname[32]; /* name of file transfer format */ -int form; /* file transfer format */ -char modename[32]; /* name of file transfer mode */ -int mode; /* file transfer mode */ -char bytename[32]; /* local byte size in ascii */ -int bytesize; /* local byte size in binary */ - -char *hostname; /* name of host connected to */ -int unix_server; /* server is unix, can use binary for ascii */ -int unix_proxy; /* proxy is unix, can use binary for ascii */ - -jmp_buf toplevel; /* non-local goto stuff for cmd scanner */ - -char line[200]; /* input line buffer */ -char *stringbase; /* current scan point in line buffer */ -char argbuf[200]; /* argument storage buffer */ -char *argbase; /* current storage point in arg buffer */ -int margc; /* count of arguments on input line */ -char **margv; /* args parsed from input line */ -int margvlen; /* how large margv is currently */ -int cpend; /* flag: if != 0, then pending server reply */ -int mflag; /* flag: if != 0, then active multi command */ - -int options; /* used during socket creation */ -int use_kerberos; /* use Kerberos authentication */ - -/* - * Format of command table. - */ - -int macnum; /* number of defined macros */ -struct macel macros[16]; -char macbuf[4096]; - -char username[32]; - -/* these are set in ruserpass */ -char myhostname[MaxHostNameLen]; -char *mydomain; 
diff --git a/crypto/heimdal-0.6.3/appl/ftp/ftp/gssapi.c b/crypto/heimdal-0.6.3/appl/ftp/ftp/gssapi.c
deleted file mode 100644
index 65742e84d5..0000000000
--- a/crypto/heimdal-0.6.3/appl/ftp/ftp/gssapi.c
+++ /dev/null
@@ -1,517 +0,0 @@ -/* - * Copyright (c) 1998 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#ifdef FTP_SERVER -#include "ftpd_locl.h" -#else -#include "ftp_locl.h" -#endif -#include -#include - -RCSID("$Id: gssapi.c,v 1.22.2.2 2003/08/20 16:41:24 lha Exp $"); - -int ftp_do_gss_bindings = 0; - -struct gss_data { - gss_ctx_id_t context_hdl; - char *client_name; - gss_cred_id_t delegated_cred_handle; -}; - -static int -gss_init(void *app_data) -{ - struct gss_data *d = app_data; - d->context_hdl = GSS_C_NO_CONTEXT; - d->delegated_cred_handle = NULL; -#if defined(FTP_SERVER) - return 0; -#else - /* XXX Check the gss mechanism; with gss_indicate_mechs() ? */ -#ifdef KRB5 - return !use_kerberos; -#else - return 0 -#endif /* KRB5 */ -#endif /* FTP_SERVER */ -} - -static int -gss_check_prot(void *app_data, int level) -{ - if(level == prot_confidential) - return -1; - return 0; -} - -static int -gss_decode(void *app_data, void *buf, int len, int level) -{ - OM_uint32 maj_stat, min_stat; - gss_buffer_desc input, output; - gss_qop_t qop_state; - int conf_state; - struct gss_data *d = app_data; - size_t ret_len; - - input.length = len; - input.value = buf; - maj_stat = gss_unwrap (&min_stat, - d->context_hdl, - &input, - &output, - &conf_state, - &qop_state); - if(GSS_ERROR(maj_stat)) - return -1; - memmove(buf, output.value, output.length); - ret_len = output.length; - gss_release_buffer(&min_stat, &output); - return ret_len; -} - -static int -gss_overhead(void *app_data, int level, int len) -{ - return 100; /* dunno? 
*/ -} - - -static int -gss_encode(void *app_data, void *from, int length, int level, void **to) -{ - OM_uint32 maj_stat, min_stat; - gss_buffer_desc input, output; - int conf_state; - struct gss_data *d = app_data; - - input.length = length; - input.value = from; - maj_stat = gss_wrap (&min_stat, - d->context_hdl, - level == prot_private, - GSS_C_QOP_DEFAULT, - &input, - &conf_state, - &output); - *to = output.value; - return output.length; -} - -static void -sockaddr_to_gss_address (const struct sockaddr *sa, - OM_uint32 *addr_type, - gss_buffer_desc *gss_addr) -{ - switch (sa->sa_family) { -#ifdef HAVE_IPV6 - case AF_INET6 : { - struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sa; - - gss_addr->length = 16; - gss_addr->value = &sin6->sin6_addr; - *addr_type = GSS_C_AF_INET6; - break; - } -#endif - case AF_INET : { - struct sockaddr_in *sin = (struct sockaddr_in *)sa; - - gss_addr->length = 4; - gss_addr->value = &sin->sin_addr; - *addr_type = GSS_C_AF_INET; - break; - } - default : - errx (1, "unknown address family %d", sa->sa_family); - - } -} - -/* end common stuff */ - -#ifdef FTP_SERVER - -static int -gss_adat(void *app_data, void *buf, size_t len) -{ - char *p = NULL; - gss_buffer_desc input_token, output_token; - OM_uint32 maj_stat, min_stat; - gss_name_t client_name; - struct gss_data *d = app_data; - gss_channel_bindings_t bindings; - - if (ftp_do_gss_bindings) { - bindings = malloc(sizeof(*bindings)); - if (bindings == NULL) - errx(1, "out of memory"); - - sockaddr_to_gss_address (his_addr, - &bindings->initiator_addrtype, - &bindings->initiator_address); - sockaddr_to_gss_address (ctrl_addr, - &bindings->acceptor_addrtype, - &bindings->acceptor_address); - - bindings->application_data.length = 0; - bindings->application_data.value = NULL; - } else - bindings = GSS_C_NO_CHANNEL_BINDINGS; - - input_token.value = buf; - input_token.length = len; - - d->delegated_cred_handle = malloc(sizeof(*d->delegated_cred_handle)); - if (d->delegated_cred_handle == 
NULL) { - reply(500, "Out of memory"); - goto out; - } - - memset ((char*)d->delegated_cred_handle, 0, - sizeof(*d->delegated_cred_handle)); - - maj_stat = gss_accept_sec_context (&min_stat, - &d->context_hdl, - GSS_C_NO_CREDENTIAL, - &input_token, - bindings, - &client_name, - NULL, - &output_token, - NULL, - NULL, - &d->delegated_cred_handle); - - if (bindings != GSS_C_NO_CHANNEL_BINDINGS) - free(bindings); - - if(output_token.length) { - if(base64_encode(output_token.value, output_token.length, &p) < 0) { - reply(535, "Out of memory base64-encoding."); - return -1; - } - } - if(maj_stat == GSS_S_COMPLETE){ - char *name; - gss_buffer_desc export_name; - gss_OID oid; - - maj_stat = gss_display_name(&min_stat, client_name, - &export_name, &oid); - if(maj_stat != 0) { - reply(500, "Error displaying name"); - goto out; - } - /* XXX kerberos */ - if(oid != GSS_KRB5_NT_PRINCIPAL_NAME) { - reply(500, "OID not kerberos principal name"); - gss_release_buffer(&min_stat, &export_name); - goto out; - } - name = malloc(export_name.length + 1); - if(name == NULL) { - reply(500, "Out of memory"); - gss_release_buffer(&min_stat, &export_name); - goto out; - } - memcpy(name, export_name.value, export_name.length); - name[export_name.length] = '\0'; - gss_release_buffer(&min_stat, &export_name); - d->client_name = name; - if(p) - reply(235, "ADAT=%s", p); - else - reply(235, "ADAT Complete"); - sec_complete = 1; - - } else if(maj_stat == GSS_S_CONTINUE_NEEDED) { - if(p) - reply(335, "ADAT=%s", p); - else - reply(335, "OK, need more data"); - } else { - OM_uint32 new_stat; - OM_uint32 msg_ctx = 0; - gss_buffer_desc status_string; - gss_display_status(&new_stat, - min_stat, - GSS_C_MECH_CODE, - GSS_C_NO_OID, - &msg_ctx, - &status_string); - syslog(LOG_ERR, "gss_accept_sec_context: %s", - (char*)status_string.value); - gss_release_buffer(&new_stat, &status_string); - reply(431, "Security resource unavailable"); - } - out: - free(p); - return 0; -} - -int gss_userok(void*, char*); - 
-struct sec_server_mech gss_server_mech = { - "GSSAPI", - sizeof(struct gss_data), - gss_init, /* init */ - NULL, /* end */ - gss_check_prot, - gss_overhead, - gss_encode, - gss_decode, - /* */ - NULL, - gss_adat, - NULL, /* pbsz */ - NULL, /* ccc */ - gss_userok -}; - -#else /* FTP_SERVER */ - -extern struct sockaddr *hisctladdr, *myctladdr; - -static int -import_name(const char *kname, const char *host, gss_name_t *target_name) -{ - OM_uint32 maj_stat, min_stat; - gss_buffer_desc name; - - name.length = asprintf((char**)&name.value, "%s@%s", kname, host); - if (name.value == NULL) { - printf("Out of memory\n"); - return AUTH_ERROR; - } - - maj_stat = gss_import_name(&min_stat, - &name, - GSS_C_NT_HOSTBASED_SERVICE, - target_name); - if (GSS_ERROR(maj_stat)) { - OM_uint32 new_stat; - OM_uint32 msg_ctx = 0; - gss_buffer_desc status_string; - - gss_display_status(&new_stat, - min_stat, - GSS_C_MECH_CODE, - GSS_C_NO_OID, - &msg_ctx, - &status_string); - printf("Error importing name %s: %s\n", - (char *)name.value, - (char *)status_string.value); - gss_release_buffer(&new_stat, &status_string); - return AUTH_ERROR; - } - free(name.value); - return 0; -} - -static int -gss_auth(void *app_data, char *host) -{ - - OM_uint32 maj_stat, min_stat; - gss_name_t target_name; - gss_buffer_desc input, output_token; - int context_established = 0; - char *p; - int n; - gss_channel_bindings_t bindings; - struct gss_data *d = app_data; - - const char *knames[] = { "ftp", "host", NULL }, **kname = knames; - - - if(import_name(*kname++, host, &target_name)) - return AUTH_ERROR; - - input.length = 0; - input.value = NULL; - - if (ftp_do_gss_bindings) { - bindings = malloc(sizeof(*bindings)); - if (bindings == NULL) - errx(1, "out of memory"); - - sockaddr_to_gss_address (myctladdr, - &bindings->initiator_addrtype, - &bindings->initiator_address); - sockaddr_to_gss_address (hisctladdr, - &bindings->acceptor_addrtype, - &bindings->acceptor_address); - - bindings->application_data.length 
= 0; - bindings->application_data.value = NULL; - } else - bindings = GSS_C_NO_CHANNEL_BINDINGS; - - while(!context_established) { - maj_stat = gss_init_sec_context(&min_stat, - GSS_C_NO_CREDENTIAL, - &d->context_hdl, - target_name, - GSS_C_NO_OID, - GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG - | GSS_C_DELEG_FLAG, - 0, - bindings, - &input, - NULL, - &output_token, - NULL, - NULL); - if (GSS_ERROR(maj_stat)) { - OM_uint32 new_stat; - OM_uint32 msg_ctx = 0; - gss_buffer_desc status_string; - - if(min_stat == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN && *kname != NULL) { - if(import_name(*kname++, host, &target_name)) { - if (bindings != GSS_C_NO_CHANNEL_BINDINGS) - free(bindings); - return AUTH_ERROR; - } - continue; - } - - if (bindings != GSS_C_NO_CHANNEL_BINDINGS) - free(bindings); - - gss_display_status(&new_stat, - min_stat, - GSS_C_MECH_CODE, - GSS_C_NO_OID, - &msg_ctx, - &status_string); - printf("Error initializing security context: %s\n", - (char*)status_string.value); - gss_release_buffer(&new_stat, &status_string); - return AUTH_CONTINUE; - } - - if (input.value) { - free(input.value); - input.value = NULL; - input.length = 0; - } - if (output_token.length != 0) { - base64_encode(output_token.value, output_token.length, &p); - gss_release_buffer(&min_stat, &output_token); - n = command("ADAT %s", p); - free(p); - } - if (GSS_ERROR(maj_stat)) { - if (d->context_hdl != GSS_C_NO_CONTEXT) - gss_delete_sec_context (&min_stat, - &d->context_hdl, - GSS_C_NO_BUFFER); - break; - } - if (maj_stat & GSS_S_CONTINUE_NEEDED) { - p = strstr(reply_string, "ADAT="); - if(p == NULL){ - printf("Error: expected ADAT in reply. 
got: %s\n", - reply_string); - if (bindings != GSS_C_NO_CHANNEL_BINDINGS) - free(bindings); - return AUTH_ERROR; - } else { - p+=5; - input.value = malloc(strlen(p)); - input.length = base64_decode(p, input.value); - } - } else { - if(code != 235) { - printf("Unrecognized response code: %d\n", code); - if (bindings != GSS_C_NO_CHANNEL_BINDINGS) - free(bindings); - return AUTH_ERROR; - } - context_established = 1; - } - } - - if (bindings != GSS_C_NO_CHANNEL_BINDINGS) - free(bindings); - if (input.value) - free(input.value); - - { - gss_name_t targ_name; - - maj_stat = gss_inquire_context(&min_stat, - d->context_hdl, - NULL, - &targ_name, - NULL, - NULL, - NULL, - NULL, - NULL); - if (GSS_ERROR(maj_stat) == 0) { - gss_buffer_desc name; - maj_stat = gss_display_name (&min_stat, - targ_name, - &name, - NULL); - if (GSS_ERROR(maj_stat) == 0) { - printf("Authenticated to <%s>\n", (char *)name.value); - gss_release_buffer(&min_stat, &name); - } - gss_release_name(&min_stat, &targ_name); - } else - printf("Failed to get gss name of peer.\n"); - } - - - return AUTH_OK; -} - -struct sec_client_mech gss_client_mech = { - "GSSAPI", - sizeof(struct gss_data), - gss_init, - gss_auth, - NULL, /* end */ - gss_check_prot, - gss_overhead, - gss_encode, - gss_decode, -}; - -#endif /* FTP_SERVER */ diff --git a/crypto/heimdal-0.6.3/appl/ftp/ftp/kauth.c b/crypto/heimdal-0.6.3/appl/ftp/ftp/kauth.c deleted file mode 100644 index 613593a712..0000000000 --- a/crypto/heimdal-0.6.3/appl/ftp/ftp/kauth.c +++ /dev/null 
@@ -1,198 +0,0 @@ -/* - * Copyright (c) 1995-1999 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "ftp_locl.h" -#include -RCSID("$Id: kauth.c,v 1.20 1999/12/02 16:58:29 joda Exp $"); - -void -kauth(int argc, char **argv) -{ - int ret; - char buf[1024]; - des_cblock key; - des_key_schedule schedule; - KTEXT_ST tkt, tktcopy; - char *name; - char *p; - int overbose; - char passwd[100]; - int tmp; - - int save; - - if(argc > 2){ - printf("usage: %s [principal]\n", argv[0]); - code = -1; - return; - } - if(argc == 2) - name = argv[1]; - else - name = username; - - overbose = verbose; - verbose = 0; - - save = set_command_prot(prot_private); - ret = command("SITE KAUTH %s", name); - if(ret != CONTINUE){ - verbose = overbose; - set_command_prot(save); - code = -1; - return; - } - verbose = overbose; - p = strstr(reply_string, "T="); - if(!p){ - printf("Bad reply from server.\n"); - set_command_prot(save); - code = -1; - return; - } - p += 2; - tmp = base64_decode(p, &tkt.dat); - if(tmp < 0){ - printf("Failed to decode base64 in reply.\n"); - set_command_prot(save); - code = -1; - return; - } - tkt.length = tmp; - tktcopy.length = tkt.length; - - p = strstr(reply_string, "P="); - if(!p){ - printf("Bad reply from server.\n"); - verbose = overbose; - set_command_prot(save); - code = -1; - return; - } - name = p + 2; - for(; *p && *p != ' ' && *p != '\r' && *p != '\n'; p++); - *p = 0; - - snprintf(buf, sizeof(buf), "Password for %s:", name); - if (des_read_pw_string (passwd, sizeof(passwd)-1, buf, 0)) - *passwd = '\0'; - des_string_to_key (passwd, &key); - - des_key_sched(&key, schedule); - - des_pcbc_encrypt((des_cblock*)tkt.dat, (des_cblock*)tktcopy.dat, - tkt.length, - schedule, &key, DES_DECRYPT); - if (strcmp ((char*)tktcopy.dat + 8, - KRB_TICKET_GRANTING_TICKET) != 0) { - afs_string_to_key (passwd, krb_realmofhost(hostname), &key); - des_key_sched (&key, schedule); - des_pcbc_encrypt((des_cblock*)tkt.dat, (des_cblock*)tktcopy.dat, - tkt.length, - schedule, &key, DES_DECRYPT); - } - memset(key, 0, sizeof(key)); - memset(schedule, 0, 
sizeof(schedule)); - memset(passwd, 0, sizeof(passwd)); - if(base64_encode(tktcopy.dat, tktcopy.length, &p) < 0) { - printf("Out of memory base64-encoding.\n"); - set_command_prot(save); - code = -1; - return; - } - memset (tktcopy.dat, 0, tktcopy.length); - ret = command("SITE KAUTH %s %s", name, p); - free(p); - set_command_prot(save); - if(ret != COMPLETE){ - code = -1; - return; - } - code = 0; -} - -void -klist(int argc, char **argv) -{ - int ret; - if(argc != 1){ - printf("usage: %s\n", argv[0]); - code = -1; - return; - } - - ret = command("SITE KLIST"); - code = (ret == COMPLETE); -} - -void -kdestroy(int argc, char **argv) -{ - int ret; - if (argc != 1) { - printf("usage: %s\n", argv[0]); - code = -1; - return; - } - ret = command("SITE KDESTROY"); - code = (ret == COMPLETE); -} - -void -krbtkfile(int argc, char **argv) -{ - int ret; - if(argc != 2) { - printf("usage: %s tktfile\n", argv[0]); - code = -1; - return; - } - ret = command("SITE KRBTKFILE %s", argv[1]); - code = (ret == COMPLETE); -} - -void -afslog(int argc, char **argv) -{ - int ret; - if(argc > 2) { - printf("usage: %s [cell]\n", argv[0]); - code = -1; - return; - } - if(argc == 2) - ret = command("SITE AFSLOG %s", argv[1]); - else - ret = command("SITE AFSLOG"); - code = (ret == COMPLETE); -} diff --git a/crypto/heimdal-0.6.3/appl/ftp/ftp/krb4.c b/crypto/heimdal-0.6.3/appl/ftp/ftp/krb4.c deleted file mode 100644 index d057ed7135..0000000000 --- a/crypto/heimdal-0.6.3/appl/ftp/ftp/krb4.c +++ /dev/null 
@@ -1,340 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#ifdef FTP_SERVER -#include "ftpd_locl.h" -#else -#include "ftp_locl.h" -#endif -#include - -RCSID("$Id: krb4.c,v 1.38 2000/06/21 02:46:09 assar Exp $"); - -#ifdef FTP_SERVER -#define LOCAL_ADDR ctrl_addr -#define REMOTE_ADDR his_addr -#else -#define LOCAL_ADDR myctladdr -#define REMOTE_ADDR hisctladdr -#endif - -extern struct sockaddr *LOCAL_ADDR, *REMOTE_ADDR; - -struct krb4_data { - des_cblock key; - des_key_schedule schedule; - char name[ANAME_SZ]; - char instance[INST_SZ]; - char realm[REALM_SZ]; -}; - -static int -krb4_check_prot(void *app_data, int level) -{ - if(level == prot_confidential) - return -1; - return 0; -} - -static int -krb4_decode(void *app_data, void *buf, int len, int level) -{ - MSG_DAT m; - int e; - struct krb4_data *d = app_data; - - if(level == prot_safe) - e = krb_rd_safe(buf, len, &d->key, - (struct sockaddr_in *)REMOTE_ADDR, - (struct sockaddr_in *)LOCAL_ADDR, &m); - else - e = krb_rd_priv(buf, len, d->schedule, &d->key, - (struct sockaddr_in *)REMOTE_ADDR, - (struct sockaddr_in *)LOCAL_ADDR, &m); - if(e){ - syslog(LOG_ERR, "krb4_decode: %s", krb_get_err_text(e)); - return -1; - } - memmove(buf, m.app_data, m.app_length); - return m.app_length; -} - -static int -krb4_overhead(void *app_data, int level, int len) -{ - return 31; -} - -static int -krb4_encode(void *app_data, void *from, int length, int level, void **to) -{ - struct krb4_data *d = app_data; - *to = malloc(length + 31); - if(level == prot_safe) - return krb_mk_safe(from, *to, length, &d->key, - (struct sockaddr_in *)LOCAL_ADDR, - (struct sockaddr_in *)REMOTE_ADDR); - else if(level == prot_private) - return krb_mk_priv(from, *to, length, d->schedule, &d->key, - (struct sockaddr_in *)LOCAL_ADDR, - (struct sockaddr_in *)REMOTE_ADDR); - else - return -1; -} - -#ifdef FTP_SERVER - -static int -krb4_adat(void *app_data, void *buf, size_t len) -{ - KTEXT_ST tkt; - AUTH_DAT auth_dat; - char *p; - int kerror; - u_int32_t cs; - char msg[35]; /* size of encrypted block */ - 
int tmp_len; - struct krb4_data *d = app_data; - char inst[INST_SZ]; - struct sockaddr_in *his_addr_sin = (struct sockaddr_in *)his_addr; - - memcpy(tkt.dat, buf, len); - tkt.length = len; - - k_getsockinst(0, inst, sizeof(inst)); - kerror = krb_rd_req(&tkt, "ftp", inst, - his_addr_sin->sin_addr.s_addr, &auth_dat, ""); - if(kerror == RD_AP_UNDEC){ - k_getsockinst(0, inst, sizeof(inst)); - kerror = krb_rd_req(&tkt, "rcmd", inst, - his_addr_sin->sin_addr.s_addr, &auth_dat, ""); - } - - if(kerror){ - reply(535, "Error reading request: %s.", krb_get_err_text(kerror)); - return -1; - } - - memcpy(d->key, auth_dat.session, sizeof(d->key)); - des_set_key(&d->key, d->schedule); - - strlcpy(d->name, auth_dat.pname, sizeof(d->name)); - strlcpy(d->instance, auth_dat.pinst, sizeof(d->instance)); - strlcpy(d->realm, auth_dat.prealm, sizeof(d->instance)); - - cs = auth_dat.checksum + 1; - { - unsigned char tmp[4]; - KRB_PUT_INT(cs, tmp, 4, sizeof(tmp)); - tmp_len = krb_mk_safe(tmp, msg, 4, &d->key, - (struct sockaddr_in *)LOCAL_ADDR, - (struct sockaddr_in *)REMOTE_ADDR); - } - if(tmp_len < 0){ - reply(535, "Error creating reply: %s.", strerror(errno)); - return -1; - } - len = tmp_len; - if(base64_encode(msg, len, &p) < 0) { - reply(535, "Out of memory base64-encoding."); - return -1; - } - reply(235, "ADAT=%s", p); - sec_complete = 1; - free(p); - return 0; -} - -static int -krb4_userok(void *app_data, char *user) -{ - struct krb4_data *d = app_data; - return krb_kuserok(d->name, d->instance, d->realm, user); -} - -struct sec_server_mech krb4_server_mech = { - "KERBEROS_V4", - sizeof(struct krb4_data), - NULL, /* init */ - NULL, /* end */ - krb4_check_prot, - krb4_overhead, - krb4_encode, - krb4_decode, - /* */ - NULL, - krb4_adat, - NULL, /* pbsz */ - NULL, /* ccc */ - krb4_userok -}; - -#else /* FTP_SERVER */ - -static int -krb4_init(void *app_data) -{ - return !use_kerberos; -} - -static int -mk_auth(struct krb4_data *d, KTEXT adat, - char *service, char *host, int checksum) 
-{ - int ret; - CREDENTIALS cred; - char sname[SNAME_SZ], inst[INST_SZ], realm[REALM_SZ]; - - strlcpy(sname, service, sizeof(sname)); - strlcpy(inst, krb_get_phost(host), sizeof(inst)); - strlcpy(realm, krb_realmofhost(host), sizeof(realm)); - ret = krb_mk_req(adat, sname, inst, realm, checksum); - if(ret) - return ret; - strlcpy(sname, service, sizeof(sname)); - strlcpy(inst, krb_get_phost(host), sizeof(inst)); - strlcpy(realm, krb_realmofhost(host), sizeof(realm)); - ret = krb_get_cred(sname, inst, realm, &cred); - memmove(&d->key, &cred.session, sizeof(des_cblock)); - des_key_sched(&d->key, d->schedule); - memset(&cred, 0, sizeof(cred)); - return ret; -} - -static int -krb4_auth(void *app_data, char *host) -{ - int ret; - char *p; - int len; - KTEXT_ST adat; - MSG_DAT msg_data; - int checksum; - u_int32_t cs; - struct krb4_data *d = app_data; - struct sockaddr_in *localaddr = (struct sockaddr_in *)LOCAL_ADDR; - struct sockaddr_in *remoteaddr = (struct sockaddr_in *)REMOTE_ADDR; - - checksum = getpid(); - ret = mk_auth(d, &adat, "ftp", host, checksum); - if(ret == KDC_PR_UNKNOWN) - ret = mk_auth(d, &adat, "rcmd", host, checksum); - if(ret){ - printf("%s\n", krb_get_err_text(ret)); - return AUTH_CONTINUE; - } - -#ifdef HAVE_KRB_GET_OUR_IP_FOR_REALM - if (krb_get_config_bool("nat_in_use")) { - struct in_addr natAddr; - - if (krb_get_our_ip_for_realm(krb_realmofhost(host), - &natAddr) != KSUCCESS - && krb_get_our_ip_for_realm(NULL, &natAddr) != KSUCCESS) - printf("Can't get address for realm %s\n", - krb_realmofhost(host)); - else { - if (natAddr.s_addr != localaddr->sin_addr.s_addr) { - printf("Using NAT IP address (%s) for kerberos 4\n", - inet_ntoa(natAddr)); - localaddr->sin_addr = natAddr; - - /* - * This not the best place to do this, but it - * is here we know that (probably) NAT is in - * use! 
- */ - - passivemode = 1; - printf("Setting: Passive mode on.\n"); - } - } - } -#endif - - printf("Local address is %s\n", inet_ntoa(localaddr->sin_addr)); - printf("Remote address is %s\n", inet_ntoa(remoteaddr->sin_addr)); - - if(base64_encode(adat.dat, adat.length, &p) < 0) { - printf("Out of memory base64-encoding.\n"); - return AUTH_CONTINUE; - } - ret = command("ADAT %s", p); - free(p); - - if(ret != COMPLETE){ - printf("Server didn't accept auth data.\n"); - return AUTH_ERROR; - } - - p = strstr(reply_string, "ADAT="); - if(!p){ - printf("Remote host didn't send adat reply.\n"); - return AUTH_ERROR; - } - p += 5; - len = base64_decode(p, adat.dat); - if(len < 0){ - printf("Failed to decode base64 from server.\n"); - return AUTH_ERROR; - } - adat.length = len; - ret = krb_rd_safe(adat.dat, adat.length, &d->key, - (struct sockaddr_in *)hisctladdr, - (struct sockaddr_in *)myctladdr, &msg_data); - if(ret){ - printf("Error reading reply from server: %s.\n", - krb_get_err_text(ret)); - return AUTH_ERROR; - } - krb_get_int(msg_data.app_data, &cs, 4, 0); - if(cs - checksum != 1){ - printf("Bad checksum returned from server.\n"); - return AUTH_ERROR; - } - return AUTH_OK; -} - -struct sec_client_mech krb4_client_mech = { - "KERBEROS_V4", - sizeof(struct krb4_data), - krb4_init, /* init */ - krb4_auth, - NULL, /* end */ - krb4_check_prot, - krb4_overhead, - krb4_encode, - krb4_decode -}; - -#endif /* FTP_SERVER */ diff --git a/crypto/heimdal-0.6.3/appl/ftp/ftp/main.c b/crypto/heimdal-0.6.3/appl/ftp/ftp/main.c deleted file mode 100644 index 071f60127d..0000000000 --- a/crypto/heimdal-0.6.3/appl/ftp/ftp/main.c +++ /dev/null 
@@ -1,587 +0,0 @@
-/*
- * Copyright (c) 1985, 1989, 1993, 1994
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * FTP User Program -- Command Interface.
- */ - -#include "ftp_locl.h" -#include - -RCSID("$Id: main.c,v 1.33.2.1 2003/08/20 16:43:14 lha Exp $"); - -static int help_flag; -static int version_flag; -static int debug_flag; - -struct getargs getargs[] = { - { NULL, 'd', arg_flag, &debug_flag, - "debug", NULL }, - { NULL, 'g', arg_negative_flag, &doglob, - "disables globbing", NULL}, - { NULL, 'i', arg_negative_flag, &interactive, - "Turn off interactive prompting", NULL}, - { NULL, 'l', arg_negative_flag, &lineedit, - "Turn off line editing", NULL}, - { NULL, 'n', arg_negative_flag, &autologin, - "Turn off auto-login", NULL}, - { NULL, 'p', arg_flag, &passivemode, - "passive mode", NULL}, - { NULL, 't', arg_counter, &trace, - "Packet tracing", NULL}, -#ifdef KRB5 - { "gss-bindings", 0, arg_negative_flag, &ftp_do_gss_bindings, - "Use GSS-API bindings", NULL}, -#endif - { NULL, 'v', arg_counter, &verbose, - "verbosity", NULL}, - { NULL, 'K', arg_negative_flag, &use_kerberos, - "Disable kerberos authentication", NULL}, - { "version", 0, arg_flag, &version_flag }, - { "help", 'h', arg_flag, &help_flag }, -}; - -static int num_args = sizeof(getargs) / sizeof(getargs[0]); - -static void -usage(int ecode) -{ - arg_printusage(getargs, num_args, NULL, "[host [port]]"); - exit(ecode); -} - -int -main(int argc, char **argv) -{ - int top; - struct passwd *pw = NULL; - char homedir[MaxPathLen]; - struct servent *sp; - int optind = 0; - - setprogname(argv[0]); - - sp = getservbyname("ftp", "tcp"); - if (sp == 0) - errx(1, "ftp/tcp: unknown service"); - doglob = 1; - interactive = 1; - autologin = 1; - lineedit = 1; - passivemode = 0; /* passive mode not active */ - use_kerberos = 1; -#ifdef KRB5 - ftp_do_gss_bindings = 1; -#endif - - if(getarg(getargs, num_args, argc, argv, &optind)) - usage(1); - if(help_flag) - usage(0); - if(version_flag) { - print_version(NULL); - exit(0); - } - - if (debug_flag) { - options |= SO_DEBUG; - debug++; - } - - argc -= optind; - argv += optind; - - fromatty = isatty(fileno(stdin)); - if 
(fromatty) - verbose++; - cpend = 0; /* no pending replies */ - proxy = 0; /* proxy not active */ - crflag = 1; /* strip c.r. on ascii gets */ - sendport = -1; /* not using ports */ - /* - * Set up the home directory in case we're globbing. - */ - pw = k_getpwuid(getuid()); - if (pw != NULL) { - strlcpy(homedir, pw->pw_dir, sizeof(homedir)); - home = homedir; - } - if (argc > 0) { - char *xargv[5]; - - if (setjmp(toplevel)) - exit(0); - signal(SIGINT, intr); - signal(SIGPIPE, lostpeer); - xargv[0] = (char*)getprogname(); - xargv[1] = argv[0]; - xargv[2] = argv[1]; - xargv[3] = argv[2]; - xargv[4] = NULL; - setpeer(argc+1, xargv); - } - if(setjmp(toplevel) == 0) - top = 1; - else - top = 0; - if (top) { - signal(SIGINT, intr); - signal(SIGPIPE, lostpeer); - } - for (;;) { - cmdscanner(top); - top = 1; - } -} - -void -intr(int sig) -{ - - longjmp(toplevel, 1); -} - -#ifndef SHUT_RDWR -#define SHUT_RDWR 2 -#endif - -RETSIGTYPE -lostpeer(int sig) -{ - - if (connected) { - if (cout != NULL) { - shutdown(fileno(cout), SHUT_RDWR); - fclose(cout); - cout = NULL; - } - if (data >= 0) { - shutdown(data, SHUT_RDWR); - close(data); - data = -1; - } - connected = 0; - } - pswitch(1); - if (connected) { - if (cout != NULL) { - shutdown(fileno(cout), SHUT_RDWR); - fclose(cout); - cout = NULL; - } - connected = 0; - } - proxflag = 0; - pswitch(0); - sec_end(); - SIGRETURN(0); -} - -/* -char * -tail(filename) - char *filename; -{ - char *s; - - while (*filename) { - s = strrchr(filename, '/'); - if (s == NULL) - break; - if (s[1]) - return (s + 1); - *s = '\0'; - } - return (filename); -} -*/ - -static char * -simple_readline(char *prompt) -{ - char buf[BUFSIZ]; - printf ("%s", prompt); - fflush (stdout); - if(fgets(buf, sizeof(buf), stdin) == NULL) - return NULL; - if (buf[strlen(buf) - 1] == '\n') - buf[strlen(buf) - 1] = '\0'; - return strdup(buf); -} - -#ifndef HAVE_READLINE - -static char * -readline(char *prompt) -{ - return simple_readline (prompt); -} - -static void 
-add_history(char *p) -{ -} - -#else - -/* These should not really be here */ - -char *readline(char *); -void add_history(char *); - -#endif - -/* - * Command parser. - */ -void -cmdscanner(int top) -{ - struct cmd *c; - int l; - - if (!top) - putchar('\n'); - for (;;) { - if (fromatty) { - char *p; - if (lineedit) - p = readline("ftp> "); - else - p = simple_readline("ftp> "); - if(p == NULL) { - printf("\n"); - quit(0, 0); - } - strlcpy(line, p, sizeof(line)); - if (lineedit) - add_history(p); - free(p); - } else{ - if (fgets(line, sizeof line, stdin) == NULL) - quit(0, 0); - } - /* XXX will break on long lines */ - l = strlen(line); - if (l == 0) - break; - if (line[--l] == '\n') { - if (l == 0) - break; - line[l] = '\0'; - } else if (l == sizeof(line) - 2) { - printf("sorry, input line too long\n"); - while ((l = getchar()) != '\n' && l != EOF) - /* void */; - break; - } /* else it was a line without a newline */ - makeargv(); - if (margc == 0) { - continue; - } - c = getcmd(margv[0]); - if (c == (struct cmd *)-1) { - printf("?Ambiguous command\n"); - continue; - } - if (c == 0) { - printf("?Invalid command\n"); - continue; - } - if (c->c_conn && !connected) { - printf("Not connected.\n"); - continue; - } - (*c->c_handler)(margc, margv); - if (bell && c->c_bell) - putchar('\007'); - if (c->c_handler != help) - break; - } - signal(SIGINT, intr); - signal(SIGPIPE, lostpeer); -} - -struct cmd * -getcmd(char *name) -{ - char *p, *q; - struct cmd *c, *found; - int nmatches, longest; - - longest = 0; - nmatches = 0; - found = 0; - for (c = cmdtab; (p = c->c_name); c++) { - for (q = name; *q == *p++; q++) - if (*q == 0) /* exact match? */ - return (c); - if (!*q) { /* the name was a prefix */ - if (q - name > longest) { - longest = q - name; - nmatches = 1; - found = c; - } else if (q - name == longest) - nmatches++; - } - } - if (nmatches > 1) - return ((struct cmd *)-1); - return (found); -} - -/* - * Slice a string up into argc/argv. 
- */ - -int slrflag; - -void -makeargv(void) -{ - char **argp; - - argp = margv; - stringbase = line; /* scan from first of buffer */ - argbase = argbuf; /* store from first of buffer */ - slrflag = 0; - for (margc = 0; ; margc++) { - /* Expand array if necessary */ - if (margc == margvlen) { - int i; - - margv = (margvlen == 0) - ? (char **)malloc(20 * sizeof(char *)) - : (char **)realloc(margv, - (margvlen + 20)*sizeof(char *)); - if (margv == NULL) - errx(1, "cannot realloc argv array"); - for(i = margvlen; i < margvlen + 20; ++i) - margv[i] = NULL; - margvlen += 20; - argp = margv + margc; - } - - if ((*argp++ = slurpstring()) == NULL) - break; - } - -} - -/* - * Parse string into argbuf; - * implemented with FSM to - * handle quoting and strings - */ -char * -slurpstring(void) -{ - int got_one = 0; - char *sb = stringbase; - char *ap = argbase; - char *tmp = argbase; /* will return this if token found */ - - if (*sb == '!' || *sb == '$') { /* recognize ! as a token for shell */ - switch (slrflag) { /* and $ as token for macro invoke */ - case 0: - slrflag++; - stringbase++; - return ((*sb == '!') ? "!" 
: "$"); - /* NOTREACHED */ - case 1: - slrflag++; - altarg = stringbase; - break; - default: - break; - } - } - -S0: - switch (*sb) { - - case '\0': - goto OUT; - - case ' ': - case '\t': - sb++; goto S0; - - default: - switch (slrflag) { - case 0: - slrflag++; - break; - case 1: - slrflag++; - altarg = sb; - break; - default: - break; - } - goto S1; - } - -S1: - switch (*sb) { - - case ' ': - case '\t': - case '\0': - goto OUT; /* end of token */ - - case '\\': - sb++; goto S2; /* slurp next character */ - - case '"': - sb++; goto S3; /* slurp quoted string */ - - default: - *ap++ = *sb++; /* add character to token */ - got_one = 1; - goto S1; - } - -S2: - switch (*sb) { - - case '\0': - goto OUT; - - default: - *ap++ = *sb++; - got_one = 1; - goto S1; - } - -S3: - switch (*sb) { - - case '\0': - goto OUT; - - case '"': - sb++; goto S1; - - default: - *ap++ = *sb++; - got_one = 1; - goto S3; - } - -OUT: - if (got_one) - *ap++ = '\0'; - argbase = ap; /* update storage pointer */ - stringbase = sb; /* update scan pointer */ - if (got_one) { - return (tmp); - } - switch (slrflag) { - case 0: - slrflag++; - break; - case 1: - slrflag++; - altarg = (char *) 0; - break; - default: - break; - } - return NULL; -} - -#define HELPINDENT ((int) sizeof ("directory")) - -/* - * Help command. - * Call each command handler with argc == 0 and argv[0] == name. - */ -void -help(int argc, char **argv) -{ - struct cmd *c; - - if (argc == 1) { - int i, j, w, k; - int columns, width = 0, lines; - - printf("Commands may be abbreviated. 
Commands are:\n\n"); - for (c = cmdtab; c < &cmdtab[NCMDS]; c++) { - int len = strlen(c->c_name); - - if (len > width) - width = len; - } - width = (width + 8) &~ 7; - columns = 80 / width; - if (columns == 0) - columns = 1; - lines = (NCMDS + columns - 1) / columns; - for (i = 0; i < lines; i++) { - for (j = 0; j < columns; j++) { - c = cmdtab + j * lines + i; - if (c->c_name && (!proxy || c->c_proxy)) { - printf("%s", c->c_name); - } - else if (c->c_name) { - for (k=0; k < strlen(c->c_name); k++) { - putchar(' '); - } - } - if (c + lines >= &cmdtab[NCMDS]) { - printf("\n"); - break; - } - w = strlen(c->c_name); - while (w < width) { - w = (w + 8) &~ 7; - putchar('\t'); - } - } - } - return; - } - while (--argc > 0) { - char *arg; - arg = *++argv; - c = getcmd(arg); - if (c == (struct cmd *)-1) - printf("?Ambiguous help command %s\n", arg); - else if (c == (struct cmd *)0) - printf("?Invalid help command %s\n", arg); - else - printf("%-*s\t%s\n", HELPINDENT, - c->c_name, c->c_help); - } -} diff --git a/crypto/heimdal-0.6.3/appl/ftp/ftp/pathnames.h b/crypto/heimdal-0.6.3/appl/ftp/ftp/pathnames.h deleted file mode 100644 index f7c1fb391d..0000000000 --- a/crypto/heimdal-0.6.3/appl/ftp/ftp/pathnames.h +++ /dev/null 
@@ -1,44 +0,0 @@
-/*
- * Copyright (c) 1989, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * @(#)pathnames.h 8.1 (Berkeley) 6/6/93
- */
-
-#ifdef HAVE_PATHS_H
-#include
-#endif
-
-#define _PATH_TMP_XXX "/tmp/ftpXXXXXX"
-
-#ifndef _PATH_BSHELL
-#define _PATH_BSHELL "/bin/sh"
-#endif
diff --git a/crypto/heimdal-0.6.3/appl/ftp/ftp/ruserpass.c b/crypto/heimdal-0.6.3/appl/ftp/ftp/ruserpass.c
deleted file mode 100644
index b22f6997ee..0000000000
--- a/crypto/heimdal-0.6.3/appl/ftp/ftp/ruserpass.c
+++ /dev/null
@@ -1,313 +0,0 @@
-/*
- * Copyright (c) 1985, 1993, 1994
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "ftp_locl.h" -RCSID("$Id: ruserpass.c,v 1.19 2000/01/08 07:45:11 assar Exp $"); - -static int token (void); -static FILE *cfile; - -#define DEFAULT 1 -#define LOGIN 2 -#define PASSWD 3 -#define ACCOUNT 4 -#define MACDEF 5 -#define PROT 6 -#define ID 10 -#define MACH 11 - -static char tokval[100]; - -static struct toktab { - char *tokstr; - int tval; -} toktab[]= { - { "default", DEFAULT }, - { "login", LOGIN }, - { "password", PASSWD }, - { "passwd", PASSWD }, - { "account", ACCOUNT }, - { "machine", MACH }, - { "macdef", MACDEF }, - { "prot", PROT }, - { NULL, 0 } -}; - -/* - * Write a copy of the hostname into `hostname, sz' and return a guess - * as to the `domain' of that hostname. - */ - -static char * -guess_domain (char *hostname, size_t sz) -{ - struct addrinfo *ai, *a; - struct addrinfo hints; - int error; - char *dot; - - if (gethostname (hostname, sz) < 0) { - strlcpy (hostname, "", sz); - return ""; - } - dot = strchr (hostname, '.'); - if (dot != NULL) - return dot + 1; - - memset (&hints, 0, sizeof(hints)); - hints.ai_flags = AI_CANONNAME; - - error = getaddrinfo (hostname, NULL, &hints, &ai); - if (error) - return hostname; - - for (a = ai; a != NULL; a = a->ai_next) - if (a->ai_canonname != NULL) { - strlcpy (hostname, ai->ai_canonname, sz); - break; - } - freeaddrinfo (ai); - dot = strchr (hostname, '.'); - if (dot != NULL) - return dot + 1; - else - return hostname; -} - -int -ruserpass(char *host, char **aname, char **apass, char **aacct) -{ - char *hdir, buf[BUFSIZ], *tmp; - int t, i, c, usedefault = 0; - struct stat stb; - - mydomain = guess_domain (myhostname, MaxHostNameLen); - - hdir = getenv("HOME"); - if (hdir == NULL) - hdir = "."; - snprintf(buf, sizeof(buf), "%s/.netrc", hdir); - cfile = fopen(buf, "r"); - if (cfile == NULL) { - if (errno != ENOENT) - warn("%s", buf); - return (0); - } - -next: - while ((t = token())) switch(t) { - - case DEFAULT: - usedefault = 1; - /* FALL THROUGH */ - - case MACH: - if (!usedefault) 
{ - if (token() != ID) - continue; - /* - * Allow match either for user's input host name - * or official hostname. Also allow match of - * incompletely-specified host in local domain. - */ - if (strcasecmp(host, tokval) == 0) - goto match; - if (strcasecmp(hostname, tokval) == 0) - goto match; - if ((tmp = strchr(hostname, '.')) != NULL && - tmp++ && - strcasecmp(tmp, mydomain) == 0 && - strncasecmp(hostname, tokval, tmp-hostname) == 0 && - tokval[tmp - hostname] == '\0') - goto match; - if ((tmp = strchr(host, '.')) != NULL && - tmp++ && - strcasecmp(tmp, mydomain) == 0 && - strncasecmp(host, tokval, tmp - host) == 0 && - tokval[tmp - host] == '\0') - goto match; - continue; - } - match: - while ((t = token()) && t != MACH && t != DEFAULT) switch(t) { - - case LOGIN: - if (token()) { - if (*aname == 0) { - *aname = strdup(tokval); - } else { - if (strcmp(*aname, tokval)) - goto next; - } - } - break; - case PASSWD: - if ((*aname == NULL || strcmp(*aname, "anonymous")) && - fstat(fileno(cfile), &stb) >= 0 && - (stb.st_mode & 077) != 0) { - warnx("Error: .netrc file is readable by others."); - warnx("Remove password or make file unreadable by others."); - goto bad; - } - if (token() && *apass == 0) { - *apass = strdup(tokval); - } - break; - case ACCOUNT: - if (fstat(fileno(cfile), &stb) >= 0 - && (stb.st_mode & 077) != 0) { - warnx("Error: .netrc file is readable by others."); - warnx("Remove account or make file unreadable by others."); - goto bad; - } - if (token() && *aacct == 0) { - *aacct = strdup(tokval); - } - break; - case MACDEF: - if (proxy) { - fclose(cfile); - return (0); - } - while ((c=getc(cfile)) != EOF && - (c == ' ' || c == '\t')); - if (c == EOF || c == '\n') { - printf("Missing macdef name argument.\n"); - goto bad; - } - if (macnum == 16) { - printf("Limit of 16 macros have already been defined\n"); - goto bad; - } - tmp = macros[macnum].mac_name; - *tmp++ = c; - for (i=0; i < 8 && (c=getc(cfile)) != EOF && - !isspace(c); ++i) { - *tmp++ = c; 
- } - if (c == EOF) { - printf("Macro definition missing null line terminator.\n"); - goto bad; - } - *tmp = '\0'; - if (c != '\n') { - while ((c=getc(cfile)) != EOF && c != '\n'); - } - if (c == EOF) { - printf("Macro definition missing null line terminator.\n"); - goto bad; - } - if (macnum == 0) { - macros[macnum].mac_start = macbuf; - } - else { - macros[macnum].mac_start = macros[macnum-1].mac_end + 1; - } - tmp = macros[macnum].mac_start; - while (tmp != macbuf + 4096) { - if ((c=getc(cfile)) == EOF) { - printf("Macro definition missing null line terminator.\n"); - goto bad; - } - *tmp = c; - if (*tmp == '\n') { - if (*(tmp-1) == '\0') { - macros[macnum++].mac_end = tmp - 1; - break; - } - *tmp = '\0'; - } - tmp++; - } - if (tmp == macbuf + 4096) { - printf("4K macro buffer exceeded\n"); - goto bad; - } - break; - case PROT: - token(); - if(sec_request_prot(tokval) < 0) - warnx("Unknown protection level \"%s\"", tokval); - break; - default: - warnx("Unknown .netrc keyword %s", tokval); - break; - } - goto done; - } -done: - fclose(cfile); - return (0); -bad: - fclose(cfile); - return (-1); -} - -static int -token(void) -{ - char *cp; - int c; - struct toktab *t; - - if (feof(cfile) || ferror(cfile)) - return (0); - while ((c = getc(cfile)) != EOF && - (c == '\n' || c == '\t' || c == ' ' || c == ',')) - continue; - if (c == EOF) - return (0); - cp = tokval; - if (c == '"') { - while ((c = getc(cfile)) != EOF && c != '"') { - if (c == '\\') - c = getc(cfile); - *cp++ = c; - } - } else { - *cp++ = c; - while ((c = getc(cfile)) != EOF - && c != '\n' && c != '\t' && c != ' ' && c != ',') { - if (c == '\\') - c = getc(cfile); - *cp++ = c; - } - } - *cp = 0; - if (tokval[0] == 0) - return (0); - for (t = toktab; t->tokstr; t++) - if (!strcmp(t->tokstr, tokval)) - return (t->tval); - return (ID); -} diff --git a/crypto/heimdal-0.6.3/appl/ftp/ftp/security.c b/crypto/heimdal-0.6.3/appl/ftp/ftp/security.c deleted file mode 100644 index db67775dbd..0000000000 
--- a/crypto/heimdal-0.6.3/appl/ftp/ftp/security.c +++ /dev/null 
@@ -1,805 +0,0 @@
-/*
- * Copyright (c) 1998-2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#ifdef FTP_SERVER -#include "ftpd_locl.h" -#else -#include "ftp_locl.h" -#endif - -RCSID("$Id: security.c,v 1.19 2002/09/04 22:01:28 joda Exp $"); - -static enum protection_level command_prot; -static enum protection_level data_prot; -static size_t buffer_size; - -struct buffer { - void *data; - size_t size; - size_t index; - int eof_flag; -}; - -static struct buffer in_buffer, out_buffer; -int sec_complete; - -static struct { - enum protection_level level; - const char *name; -} level_names[] = { - { prot_clear, "clear" }, - { prot_safe, "safe" }, - { prot_confidential, "confidential" }, - { prot_private, "private" } -}; - -static const char * -level_to_name(enum protection_level level) -{ - int i; - for(i = 0; i < sizeof(level_names) / sizeof(level_names[0]); i++) - if(level_names[i].level == level) - return level_names[i].name; - return "unknown"; -} - -#ifndef FTP_SERVER /* not used in server */ -static enum protection_level -name_to_level(const char *name) -{ - int i; - for(i = 0; i < sizeof(level_names) / sizeof(level_names[0]); i++) - if(!strncasecmp(level_names[i].name, name, strlen(name))) - return level_names[i].level; - return (enum protection_level)-1; -} -#endif - -#ifdef FTP_SERVER - -static struct sec_server_mech *mechs[] = { -#ifdef KRB5 - &gss_server_mech, -#endif -#ifdef KRB4 - &krb4_server_mech, -#endif - NULL -}; - -static struct sec_server_mech *mech; - -#else - -static struct sec_client_mech *mechs[] = { -#ifdef KRB5 - &gss_client_mech, -#endif -#ifdef KRB4 - &krb4_client_mech, -#endif - NULL -}; - -static struct sec_client_mech *mech; - -#endif - -static void *app_data; - -int -sec_getc(FILE *F) -{ - if(sec_complete && data_prot) { - char c; - if(sec_read(fileno(F), &c, 1) <= 0) - return EOF; - return c; - } else - return getc(F); -} - -static int -block_read(int fd, void *buf, size_t len) -{ - unsigned char *p = buf; - int b; - while(len) { - b = read(fd, p, len); - if (b == 0) - return 0; - else if (b < 0) - return -1; - len -= b; - 
p += b; - } - return p - (unsigned char*)buf; -} - -static int -block_write(int fd, void *buf, size_t len) -{ - unsigned char *p = buf; - int b; - while(len) { - b = write(fd, p, len); - if(b < 0) - return -1; - len -= b; - p += b; - } - return p - (unsigned char*)buf; -} - -static int -sec_get_data(int fd, struct buffer *buf, int level) -{ - int len; - int b; - void *tmp; - - b = block_read(fd, &len, sizeof(len)); - if (b == 0) - return 0; - else if (b < 0) - return -1; - len = ntohl(len); - tmp = realloc(buf->data, len); - if (tmp == NULL) - return -1; - buf->data = tmp; - b = block_read(fd, buf->data, len); - if (b == 0) - return 0; - else if (b < 0) - return -1; - buf->size = (*mech->decode)(app_data, buf->data, len, data_prot); - buf->index = 0; - return 0; -} - -static size_t -buffer_read(struct buffer *buf, void *data, size_t len) -{ - len = min(len, buf->size - buf->index); - memcpy(data, (char*)buf->data + buf->index, len); - buf->index += len; - return len; -} - -static size_t -buffer_write(struct buffer *buf, void *data, size_t len) -{ - if(buf->index + len > buf->size) { - void *tmp; - if(buf->data == NULL) - tmp = malloc(1024); - else - tmp = realloc(buf->data, buf->index + len); - if(tmp == NULL) - return -1; - buf->data = tmp; - buf->size = buf->index + len; - } - memcpy((char*)buf->data + buf->index, data, len); - buf->index += len; - return len; -} - -int -sec_read(int fd, void *data, int length) -{ - size_t len; - int rx = 0; - - if(sec_complete == 0 || data_prot == 0) - return read(fd, data, length); - - if(in_buffer.eof_flag){ - in_buffer.eof_flag = 0; - return 0; - } - - len = buffer_read(&in_buffer, data, length); - length -= len; - rx += len; - data = (char*)data + len; - - while(length){ - int ret; - - ret = sec_get_data(fd, &in_buffer, data_prot); - if (ret < 0) - return -1; - if(ret == 0 && in_buffer.size == 0) { - if(rx) - in_buffer.eof_flag = 1; - return rx; - } - len = buffer_read(&in_buffer, data, length); - length -= len; - rx += len; 
- data = (char*)data + len; - } - return rx; -} - -static int -sec_send(int fd, char *from, int length) -{ - int bytes; - void *buf; - bytes = (*mech->encode)(app_data, from, length, data_prot, &buf); - bytes = htonl(bytes); - block_write(fd, &bytes, sizeof(bytes)); - block_write(fd, buf, ntohl(bytes)); - free(buf); - return length; -} - -int -sec_fflush(FILE *F) -{ - if(data_prot != prot_clear) { - if(out_buffer.index > 0){ - sec_write(fileno(F), out_buffer.data, out_buffer.index); - out_buffer.index = 0; - } - sec_send(fileno(F), NULL, 0); - } - fflush(F); - return 0; -} - -int -sec_write(int fd, char *data, int length) -{ - int len = buffer_size; - int tx = 0; - - if(data_prot == prot_clear) - return write(fd, data, length); - - len -= (*mech->overhead)(app_data, data_prot, len); - while(length){ - if(length < len) - len = length; - sec_send(fd, data, len); - length -= len; - data += len; - tx += len; - } - return tx; -} - -int -sec_vfprintf2(FILE *f, const char *fmt, va_list ap) -{ - char *buf; - int ret; - if(data_prot == prot_clear) - return vfprintf(f, fmt, ap); - else { - vasprintf(&buf, fmt, ap); - ret = buffer_write(&out_buffer, buf, strlen(buf)); - free(buf); - return ret; - } -} - -int -sec_fprintf2(FILE *f, const char *fmt, ...) 
-{ - int ret; - va_list ap; - va_start(ap, fmt); - ret = sec_vfprintf2(f, fmt, ap); - va_end(ap); - return ret; -} - -int -sec_putc(int c, FILE *F) -{ - char ch = c; - if(data_prot == prot_clear) - return putc(c, F); - - buffer_write(&out_buffer, &ch, 1); - if(c == '\n' || out_buffer.index >= 1024 /* XXX */) { - sec_write(fileno(F), out_buffer.data, out_buffer.index); - out_buffer.index = 0; - } - return c; -} - -int -sec_read_msg(char *s, int level) -{ - int len; - char *buf; - int code; - - buf = malloc(strlen(s)); - len = base64_decode(s + 4, buf); /* XXX */ - - len = (*mech->decode)(app_data, buf, len, level); - if(len < 0) - return -1; - - buf[len] = '\0'; - - if(buf[3] == '-') - code = 0; - else - sscanf(buf, "%d", &code); - if(buf[len-1] == '\n') - buf[len-1] = '\0'; - strcpy(s, buf); - free(buf); - return code; -} - -int -sec_vfprintf(FILE *f, const char *fmt, va_list ap) -{ - char *buf; - void *enc; - int len; - if(!sec_complete) - return vfprintf(f, fmt, ap); - - vasprintf(&buf, fmt, ap); - len = (*mech->encode)(app_data, buf, strlen(buf), command_prot, &enc); - free(buf); - if(len < 0) { - printf("Failed to encode command.\n"); - return -1; - } - if(base64_encode(enc, len, &buf) < 0){ - free(enc); - printf("Out of memory base64-encoding.\n"); - return -1; - } - free(enc); -#ifdef FTP_SERVER - if(command_prot == prot_safe) - fprintf(f, "631 %s\r\n", buf); - else if(command_prot == prot_private) - fprintf(f, "632 %s\r\n", buf); - else if(command_prot == prot_confidential) - fprintf(f, "633 %s\r\n", buf); -#else - if(command_prot == prot_safe) - fprintf(f, "MIC %s", buf); - else if(command_prot == prot_private) - fprintf(f, "ENC %s", buf); - else if(command_prot == prot_confidential) - fprintf(f, "CONF %s", buf); -#endif - free(buf); - return 0; -} - -int -sec_fprintf(FILE *f, const char *fmt, ...) 
-{ - va_list ap; - int ret; - va_start(ap, fmt); - ret = sec_vfprintf(f, fmt, ap); - va_end(ap); - return ret; -} - -/* end common stuff */ - -#ifdef FTP_SERVER - -void -auth(char *auth_name) -{ - int i; - void *tmp; - - for(i = 0; (mech = mechs[i]) != NULL; i++){ - if(!strcasecmp(auth_name, mech->name)){ - tmp = realloc(app_data, mech->size); - if (tmp == NULL) { - reply(431, "Unable to accept %s at this time", mech->name); - return; - } - app_data = tmp; - - if(mech->init && (*mech->init)(app_data) != 0) { - reply(431, "Unable to accept %s at this time", mech->name); - return; - } - if(mech->auth) { - (*mech->auth)(app_data); - return; - } - if(mech->adat) - reply(334, "Send authorization data."); - else - reply(234, "Authorization complete."); - return; - } - } - free (app_data); - app_data = NULL; - reply(504, "%s is unknown to me", auth_name); -} - -void -adat(char *auth_data) -{ - if(mech && !sec_complete) { - void *buf = malloc(strlen(auth_data)); - size_t len; - len = base64_decode(auth_data, buf); - (*mech->adat)(app_data, buf, len); - free(buf); - } else - reply(503, "You must %sissue an AUTH first.", mech ? 
"re-" : ""); -} - -void pbsz(int size) -{ - size_t new = size; - if(!sec_complete) - reply(503, "Incomplete security data exchange."); - if(mech->pbsz) - new = (*mech->pbsz)(app_data, size); - if(buffer_size != new){ - buffer_size = size; - } - if(new != size) - reply(200, "PBSZ=%lu", (unsigned long)new); - else - reply(200, "OK"); -} - -void -prot(char *pl) -{ - int p = -1; - - if(buffer_size == 0){ - reply(503, "No protection buffer size negotiated."); - return; - } - - if(!strcasecmp(pl, "C")) - p = prot_clear; - else if(!strcasecmp(pl, "S")) - p = prot_safe; - else if(!strcasecmp(pl, "E")) - p = prot_confidential; - else if(!strcasecmp(pl, "P")) - p = prot_private; - else { - reply(504, "Unrecognized protection level."); - return; - } - - if(sec_complete){ - if((*mech->check_prot)(app_data, p)){ - reply(536, "%s does not support %s protection.", - mech->name, level_to_name(p)); - }else{ - data_prot = (enum protection_level)p; - reply(200, "Data protection is %s.", level_to_name(p)); - } - }else{ - reply(503, "Incomplete security data exchange."); - } -} - -void ccc(void) -{ - if(sec_complete){ - if(mech->ccc && (*mech->ccc)(app_data) == 0) - command_prot = data_prot = prot_clear; - else - reply(534, "You must be joking."); - }else - reply(503, "Incomplete security data exchange."); -} - -void mec(char *msg, enum protection_level level) -{ - void *buf; - size_t len; - if(!sec_complete) { - reply(503, "Incomplete security data exchange."); - return; - } - buf = malloc(strlen(msg) + 2); /* XXX go figure out where that 2 - comes from :-) */ - len = base64_decode(msg, buf); - command_prot = level; - if(len == (size_t)-1) { - reply(501, "Failed to base64-decode command"); - return; - } - len = (*mech->decode)(app_data, buf, len, level); - if(len == (size_t)-1) { - reply(535, "Failed to decode command"); - return; - } - ((char*)buf)[len] = '\0'; - if(strstr((char*)buf, "\r\n") == NULL) - strcat((char*)buf, "\r\n"); - new_ftp_command(buf); -} - -/* 
------------------------------------------------------------ */ - -int -sec_userok(char *user) -{ - if(sec_complete) - return (*mech->userok)(app_data, user); - return 0; -} - -char *ftp_command; - -void -new_ftp_command(char *command) -{ - ftp_command = command; -} - -void -delete_ftp_command(void) -{ - free(ftp_command); - ftp_command = NULL; -} - -int -secure_command(void) -{ - return ftp_command != NULL; -} - -enum protection_level -get_command_prot(void) -{ - return command_prot; -} - -#else /* FTP_SERVER */ - -void -sec_status(void) -{ - if(sec_complete){ - printf("Using %s for authentication.\n", mech->name); - printf("Using %s command channel.\n", level_to_name(command_prot)); - printf("Using %s data channel.\n", level_to_name(data_prot)); - if(buffer_size > 0) - printf("Protection buffer size: %lu.\n", - (unsigned long)buffer_size); - }else{ - printf("Not using any security mechanism.\n"); - } -} - -static int -sec_prot_internal(int level) -{ - int ret; - char *p; - unsigned int s = 1048576; - - int old_verbose = verbose; - verbose = 0; - - if(!sec_complete){ - printf("No security data exchange has taken place.\n"); - return -1; - } - - if(level){ - ret = command("PBSZ %u", s); - if(ret != COMPLETE){ - printf("Failed to set protection buffer size.\n"); - return -1; - } - buffer_size = s; - p = strstr(reply_string, "PBSZ="); - if(p) - sscanf(p, "PBSZ=%u", &s); - if(s < buffer_size) - buffer_size = s; - } - verbose = old_verbose; - ret = command("PROT %c", level["CSEP"]); /* XXX :-) */ - if(ret != COMPLETE){ - printf("Failed to set protection level.\n"); - return -1; - } - - data_prot = (enum protection_level)level; - return 0; -} - -enum protection_level -set_command_prot(enum protection_level level) -{ - enum protection_level old = command_prot; - command_prot = level; - return old; -} - -void -sec_prot(int argc, char **argv) -{ - int level = -1; - - if(argc < 2 || argc > 3) - goto usage; - if(!sec_complete) { - printf("No security data exchange has taken 
place.\n"); - code = -1; - return; - } - level = name_to_level(argv[argc - 1]); - - if(level == -1) - goto usage; - - if((*mech->check_prot)(app_data, level)) { - printf("%s does not implement %s protection.\n", - mech->name, level_to_name(level)); - code = -1; - return; - } - - if(argc == 2 || strncasecmp(argv[1], "data", strlen(argv[1])) == 0) { - if(sec_prot_internal(level) < 0){ - code = -1; - return; - } - } else if(strncasecmp(argv[1], "command", strlen(argv[1])) == 0) - set_command_prot(level); - else - goto usage; - code = 0; - return; - usage: - printf("usage: %s [command|data] [clear|safe|confidential|private]\n", - argv[0]); - code = -1; -} - -static enum protection_level request_data_prot; - -void -sec_set_protection_level(void) -{ - if(sec_complete && data_prot != request_data_prot) - sec_prot_internal(request_data_prot); -} - - -int -sec_request_prot(char *level) -{ - int l = name_to_level(level); - if(l == -1) - return -1; - request_data_prot = (enum protection_level)l; - return 0; -} - -int -sec_login(char *host) -{ - int ret; - struct sec_client_mech **m; - int old_verbose = verbose; - - verbose = -1; /* shut up all messages this will produce (they - are usually not very user friendly) */ - - for(m = mechs; *m && (*m)->name; m++) { - void *tmp; - - tmp = realloc(app_data, (*m)->size); - if (tmp == NULL) { - warnx ("realloc %u failed", (*m)->size); - return -1; - } - app_data = tmp; - - if((*m)->init && (*(*m)->init)(app_data) != 0) { - printf("Skipping %s...\n", (*m)->name); - continue; - } - printf("Trying %s...\n", (*m)->name); - ret = command("AUTH %s", (*m)->name); - if(ret != CONTINUE){ - if(code == 504){ - printf("%s is not supported by the server.\n", (*m)->name); - }else if(code == 534){ - printf("%s rejected as security mechanism.\n", (*m)->name); - }else if(ret == ERROR) { - printf("The server doesn't support the FTP " - "security extensions.\n"); - verbose = old_verbose; - return -1; - } - continue; - } - - ret = (*(*m)->auth)(app_data, 
host); - - if(ret == AUTH_CONTINUE) - continue; - else if(ret != AUTH_OK){ - /* mechanism is supposed to output error string */ - verbose = old_verbose; - return -1; - } - mech = *m; - sec_complete = 1; - command_prot = prot_safe; - break; - } - - verbose = old_verbose; - return *m == NULL; -} - -void -sec_end(void) -{ - if (mech != NULL) { - if(mech->end) - (*mech->end)(app_data); - if (app_data != NULL) { - memset(app_data, 0, mech->size); - free(app_data); - app_data = NULL; - } - } - sec_complete = 0; - data_prot = (enum protection_level)0; -} - -#endif /* FTP_SERVER */ - diff --git a/crypto/heimdal-0.6.3/appl/ftp/ftp/security.h b/crypto/heimdal-0.6.3/appl/ftp/ftp/security.h deleted file mode 100644 index 5e14ebd953..0000000000 --- a/crypto/heimdal-0.6.3/appl/ftp/ftp/security.h +++ /dev/null 
@@ -1,136 +0,0 @@
-/*
- * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: security.h,v 1.9.12.1 2003/08/20 16:41:53 lha Exp $ */
-
-#ifndef __security_h__
-#define __security_h__
-
-enum protection_level {
- prot_clear,
- prot_safe,
- prot_confidential,
- prot_private
-};
-
-struct sec_client_mech {
- char *name;
- size_t size;
- int (*init)(void *);
- int (*auth)(void *, char*);
- void (*end)(void *);
- int (*check_prot)(void *, int);
- int (*overhead)(void *, int, int);
- int (*encode)(void *, void*, int, int, void**);
- int (*decode)(void *, void*, int, int);
-};
-
-struct sec_server_mech {
- char *name;
- size_t size;
- int (*init)(void *);
- void (*end)(void *);
- int (*check_prot)(void *, int);
- int (*overhead)(void *, int, int);
- int (*encode)(void *, void*, int, int, void**);
- int (*decode)(void *, void*, int, int);
-
- int (*auth)(void *);
- int (*adat)(void *, void*, size_t);
- size_t (*pbsz)(void *, size_t);
- int (*ccc)(void*);
- int (*userok)(void*, char*);
-};
-
-#define AUTH_OK 0
-#define AUTH_CONTINUE 1
-#define AUTH_ERROR 2
-
-extern int ftp_do_gss_bindings;
-#ifdef FTP_SERVER
-extern struct sec_server_mech krb4_server_mech, gss_server_mech;
-#else
-extern struct sec_client_mech krb4_client_mech, gss_client_mech;
-#endif
-
-extern int sec_complete;
-
-#ifdef FTP_SERVER
-extern char *ftp_command;
-void new_ftp_command(char*);
-void delete_ftp_command(void);
-#endif
-
-/* ---- */
-
-
-int sec_fflush (FILE *);
-int sec_fprintf (FILE *, const char *, ...)
- __attribute__ ((format (printf, 2,3)));
-int sec_getc (FILE *);
-int sec_putc (int, FILE *);
-int sec_read (int, void *, int);
-int sec_read_msg (char *, int);
-int sec_vfprintf (FILE *, const char *, va_list)
- __attribute__ ((format (printf, 2,0)));
-int sec_fprintf2(FILE *f, const char *fmt, ...)
- __attribute__ ((format (printf, 2,3)));
-int sec_vfprintf2(FILE *, const char *, va_list)
- __attribute__ ((format (printf, 2,0)));
-int sec_write (int, char *, int);
-
-#ifdef FTP_SERVER
-void adat (char *);
-void auth (char *);
-void ccc (void);
-void mec (char *, enum protection_level);
-void pbsz (int);
-void prot (char *);
-void delete_ftp_command (void);
-void new_ftp_command (char *);
-int sec_userok (char *);
-int secure_command (void);
-enum protection_level get_command_prot(void);
-#else
-void sec_end (void);
-int sec_login (char *);
-void sec_prot (int, char **);
-int sec_request_prot (char *);
-void sec_set_protection_level (void);
-void sec_status (void);
-
-enum protection_level set_command_prot(enum protection_level);
-
-#endif
-
-#endif /* __security_h__ */
diff --git a/crypto/heimdal-0.6.3/appl/ftp/ftpd/Makefile.am b/crypto/heimdal-0.6.3/appl/ftp/ftpd/Makefile.am
deleted file mode 100644
index 20f8b57cfb..0000000000
--- a/crypto/heimdal-0.6.3/appl/ftp/ftpd/Makefile.am
+++ /dev/null
@@ -1,55 +0,0 @@ -# $Id: Makefile.am,v 1.26 2001/09/06 12:18:34 assar Exp $ - -include $(top_srcdir)/Makefile.am.common - -INCLUDES += -I$(srcdir)/../common $(INCLUDE_krb4) -DFTP_SERVER - -libexec_PROGRAMS = ftpd - -CHECK_LOCAL = - -if KRB4 -krb4_sources = krb4.c kauth.c -endif -if KRB5 -krb5_sources = gssapi.c gss_userok.c -endif - -ftpd_SOURCES = \ - extern.h \ - ftpcmd.y \ - ftpd.c \ - ftpd_locl.h \ - logwtmp.c \ - ls.c \ - pathnames.h \ - popen.c \ - security.c \ - $(krb4_sources) \ - $(krb5_sources) - -EXTRA_ftpd_SOURCES = krb4.c kauth.c gssapi.c gss_userok.c - -$(ftpd_OBJECTS): security.h - -security.c: - @test -f security.c || $(LN_S) $(srcdir)/../ftp/security.c . -security.h: - @test -f security.h || $(LN_S) $(srcdir)/../ftp/security.h . -krb4.c: - @test -f krb4.c || $(LN_S) $(srcdir)/../ftp/krb4.c . -gssapi.c: - @test -f gssapi.c || $(LN_S) $(srcdir)/../ftp/gssapi.c . - -CLEANFILES = security.c security.h krb4.c gssapi.c ftpcmd.c - -man_MANS = ftpd.8 ftpusers.5 - -LDADD = ../common/libcommon.a \ - $(LIB_otp) \ - $(LIB_gssapi) \ - $(LIB_krb5) \ - $(LIB_kafs) \ - $(LIB_krb4) \ - $(LIB_des) \ - $(LIB_roken) diff --git a/crypto/heimdal-0.6.3/appl/ftp/ftpd/Makefile.in b/crypto/heimdal-0.6.3/appl/ftp/ftpd/Makefile.in deleted file mode 100644 index b6d8f62276..0000000000 --- a/crypto/heimdal-0.6.3/appl/ftp/ftpd/Makefile.in +++ /dev/null 
@@ -1,932 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.26 2001/09/06 12:18:34 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - -SOURCES = $(ftpd_SOURCES) $(EXTRA_ftpd_SOURCES) - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../../.. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ - $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common ftpcmd.c -libexec_PROGRAMS = ftpd$(EXEEXT) -subdir = appl/ftp/ftpd -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - 
$(top_srcdir)/cf/krb-struct-spwd.m4 \ - $(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -am__installdirs = "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)" -libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -PROGRAMS = $(libexec_PROGRAMS) -am__ftpd_SOURCES_DIST = extern.h ftpcmd.y ftpd.c ftpd_locl.h logwtmp.c \ - ls.c pathnames.h popen.c security.c krb4.c kauth.c gssapi.c \ - gss_userok.c -@KRB4_TRUE@am__objects_1 = krb4.$(OBJEXT) kauth.$(OBJEXT) -@KRB5_TRUE@am__objects_2 = gssapi.$(OBJEXT) gss_userok.$(OBJEXT) -am_ftpd_OBJECTS = ftpcmd.$(OBJEXT) ftpd.$(OBJEXT) logwtmp.$(OBJEXT) \ - ls.$(OBJEXT) popen.$(OBJEXT) security.$(OBJEXT) \ - $(am__objects_1) $(am__objects_2) -ftpd_OBJECTS = $(am_ftpd_OBJECTS) -ftpd_LDADD = $(LDADD) -am__DEPENDENCIES_1 = -@KRB5_TRUE@am__DEPENDENCIES_2 = \ -@KRB5_TRUE@ $(top_builddir)/lib/gssapi/libgssapi.la -@KRB5_TRUE@am__DEPENDENCIES_3 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la -am__DEPENDENCIES_4 = $(top_builddir)/lib/kafs/libkafs.la \ - $(am__DEPENDENCIES_1) -ftpd_DEPENDENCIES = ../common/libcommon.a $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_3) \ - $(am__DEPENDENCIES_4) $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -YACCCOMPILE = $(YACC) $(YFLAGS) $(AM_YFLAGS) -LTYACCCOMPILE = $(LIBTOOL) --mode=compile $(YACC) $(YFLAGS) \ - $(AM_YFLAGS) -SOURCES = $(ftpd_SOURCES) $(EXTRA_ftpd_SOURCES) -DIST_SOURCES = $(am__ftpd_SOURCES_DIST) $(EXTRA_ftpd_SOURCES) -man5dir = $(mandir)/man5 -man8dir = $(mandir)/man8 -MANS = $(man_MANS) -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ 
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ 
-LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = 
@build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -I$(srcdir)/../common $(INCLUDE_krb4) -DFTP_SERVER -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ 
$(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -CHECK_LOCAL = -@KRB4_TRUE@krb4_sources = krb4.c kauth.c -@KRB5_TRUE@krb5_sources = gssapi.c gss_userok.c -ftpd_SOURCES = \ - extern.h \ - ftpcmd.y \ - ftpd.c \ - ftpd_locl.h \ - logwtmp.c \ - ls.c \ - pathnames.h \ - popen.c \ - security.c \ - $(krb4_sources) \ - $(krb5_sources) - -EXTRA_ftpd_SOURCES = krb4.c kauth.c gssapi.c gss_userok.c -CLEANFILES = security.c security.h krb4.c gssapi.c ftpcmd.c -man_MANS = ftpd.8 ftpusers.5 -LDADD = ../common/libcommon.a \ - $(LIB_otp) \ - $(LIB_gssapi) \ - $(LIB_krb5) \ - $(LIB_kafs) \ - $(LIB_krb4) \ - $(LIB_des) \ - $(LIB_roken) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj .y -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps appl/ftp/ftpd/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps appl/ftp/ftpd/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' 
in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -install-libexecPROGRAMS: $(libexec_PROGRAMS) - @$(NORMAL_INSTALL) - test -z "$(libexecdir)" || $(mkdir_p) "$(DESTDIR)$(libexecdir)" - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(libexecdir)/$$f'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(libexecdir)/$$f" || exit 1; \ - else :; fi; \ - done - -uninstall-libexecPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f '$(DESTDIR)$(libexecdir)/$$f'"; \ - rm -f "$(DESTDIR)$(libexecdir)/$$f"; \ - done - -clean-libexecPROGRAMS: - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -ftpd$(EXEEXT): $(ftpd_OBJECTS) $(ftpd_DEPENDENCIES) - @rm -f ftpd$(EXEEXT) - $(LINK) $(ftpd_LDFLAGS) $(ftpd_OBJECTS) $(ftpd_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - 
-.c.o: - $(COMPILE) -c $< - -.c.obj: - $(COMPILE) -c `$(CYGPATH_W) '$<'` - -.c.lo: - $(LTCOMPILE) -c -o $@ $< - -.y.c: - $(YACCCOMPILE) $< - if test -f y.tab.h; then \ - to=`echo "$*_H" | sed \ - -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/' \ - -e 's/[^ABCDEFGHIJKLMNOPQRSTUVWXYZ]/_/g'`; \ - sed "/^#/ s/Y_TAB_H/$$to/g" y.tab.h >$*.ht; \ - rm -f y.tab.h; \ - if cmp -s $*.ht $*.h; then \ - rm -f $*.ht ;\ - else \ - mv $*.ht $*.h; \ - fi; \ - fi - if test -f y.output; then \ - mv y.output $*.output; \ - fi - sed '/^#/ s|y\.tab\.c|$@|' y.tab.c >$@t && mv $@t $@ - rm -f y.tab.c - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -install-man5: $(man5_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - test -z "$(man5dir)" || $(mkdir_p) "$(DESTDIR)$(man5dir)" - @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.5*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 5*) ;; \ - *) ext='5' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst"; \ - done -uninstall-man5: - @$(NORMAL_UNINSTALL) - @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.5*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 5*) ;; \ - *) ext='5' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo 
$$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f '$(DESTDIR)$(man5dir)/$$inst'"; \ - rm -f "$(DESTDIR)$(man5dir)/$$inst"; \ - done -install-man8: $(man8_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - test -z "$(man8dir)" || $(mkdir_p) "$(DESTDIR)$(man8dir)" - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ - done -uninstall-man8: - @$(NORMAL_UNINSTALL) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ - rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ - done - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - 
$(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/../../.. 
$(distdir)/../../../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) $(MANS) all-local -installdirs: - for dir in "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for 
maintainers to use" - @echo "it deletes files that may require special tools to rebuild." - -rm -f ftpcmd.c -clean: clean-am - -clean-am: clean-generic clean-libexecPROGRAMS clean-libtool \ - mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: install-man - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: install-libexecPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man5 install-man8 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-info-am uninstall-libexecPROGRAMS \ - uninstall-man - -uninstall-man: uninstall-man5 uninstall-man8 - -.PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \ - clean clean-generic clean-libexecPROGRAMS clean-libtool ctags \ - distclean distclean-compile distclean-generic \ - distclean-libtool distclean-tags distdir dvi dvi-am html \ - html-am info info-am install install-am install-data \ - install-data-am install-exec install-exec-am install-info \ - install-info-am install-libexecPROGRAMS install-man \ - install-man5 install-man8 install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags uninstall uninstall-am uninstall-info-am \ - uninstall-libexecPROGRAMS uninstall-man uninstall-man5 \ - uninstall-man8 - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - 
x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; 
done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -$(ftpd_OBJECTS): security.h - -security.c: - @test -f security.c || $(LN_S) $(srcdir)/../ftp/security.c . -security.h: - @test -f security.h || $(LN_S) $(srcdir)/../ftp/security.h . -krb4.c: - @test -f krb4.c || $(LN_S) $(srcdir)/../ftp/krb4.c . -gssapi.c: - @test -f gssapi.c || $(LN_S) $(srcdir)/../ftp/gssapi.c . -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal-0.6.3/appl/ftp/ftpd/extern.h b/crypto/heimdal-0.6.3/appl/ftp/ftpd/extern.h deleted file mode 100644 index 751d04cea5..0000000000 --- a/crypto/heimdal-0.6.3/appl/ftp/ftpd/extern.h +++ /dev/null 
@@ -1,144 +0,0 @@
-/*-
- * Copyright (c) 1992, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * @(#)extern.h 8.2 (Berkeley) 4/4/94
- */
-
-#ifndef _EXTERN_H_
-#define _EXTERN_H_
-
-#ifdef HAVE_SYS_TYPES_H
-#include
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include
-#endif
-#ifdef HAVE_NETDB_H
-#include
-#endif
-
-#include
-#include
-#ifdef HAVE_PWD_H
-#include
-#endif
-
-#ifdef HAVE_LIMITS_H
-#include
-#endif
-
-#ifndef NBBY
-#define NBBY CHAR_BIT
-#endif
-
-void abor(void);
-void blkfree(char **);
-char **copyblk(char **);
-void cwd(char *);
-void do_delete(char *);
-void dologout(int);
-void eprt(char *);
-void epsv(char *);
-void fatal(char *);
-int filename_check(char *);
-int ftpd_pclose(FILE *);
-FILE *ftpd_popen(char *, char *, int, int);
-char *ftpd_getline(char *, int);
-void ftpd_logwtmp(char *, char *, char *);
-void lreply(int, const char *, ...)
- __attribute__ ((format (printf, 2, 3)));
-void makedir(char *);
-void nack(char *);
-void nreply(const char *, ...)
- __attribute__ ((format (printf, 1, 2)));
-void pass(char *);
-void pasv(void);
-void perror_reply(int, const char *);
-void pwd(void);
-void removedir(char *);
-void renamecmd(char *, char *);
-char *renamefrom(char *);
-void reply(int, const char *, ...)
- __attribute__ ((format (printf, 2, 3)));
-void retrieve(const char *, char *);
-void send_file_list(char *);
-void setproctitle(const char *, ...)
- __attribute__ ((format (printf, 1, 2)));
-void statcmd(void);
-void statfilecmd(char *);
-void do_store(char *, char *, int);
-void upper(char *);
-void user(char *);
-void yyerror(char *);
-
-void list_file(char*);
-
-void kauth(char *, char*);
-void klist(void);
-void cond_kdestroy(void);
-void kdestroy(void);
-void krbtkfile(const char *tkfile);
-void afslog(const char *cell);
-void afsunlog(void);
-
-int find(char *);
-
-int builtin_ls(FILE*, const char*);
-
-int do_login(int code, char *passwd);
-int klogin(char *name, char *password);
-
-const char *ftp_rooted(const char *path);
-
-extern struct sockaddr *ctrl_addr, *his_addr;
-extern char hostname[];
-
-extern struct sockaddr *data_dest;
-extern int logged_in;
-extern struct passwd *pw;
-extern int guest;
-extern int logging;
-extern int type;
-extern off_t file_size;
-extern off_t byte_count;
-
-extern int form;
-extern int debug;
-extern int ftpd_timeout;
-extern int maxtimeout;
-extern int pdata;
-extern char hostname[], remotehost[];
-extern char proctitle[];
-extern int usedefault;
-extern char tmpline[];
-
-#endif /* _EXTERN_H_ */
diff --git a/crypto/heimdal-0.6.3/appl/ftp/ftpd/ftpcmd.y b/crypto/heimdal-0.6.3/appl/ftp/ftpd/ftpcmd.y
deleted file mode 100644
index 9c5fa4c37d..0000000000
--- a/crypto/heimdal-0.6.3/appl/ftp/ftpd/ftpcmd.y
+++ /dev/null
@@ -1,1461 +0,0 @@ -/* $NetBSD: ftpcmd.y,v 1.6 1995/06/03 22:46:45 mycroft Exp $ */ - -/* - * Copyright (c) 1985, 1988, 1993, 1994 - * The Regents of the University of California. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- * - * @(#)ftpcmd.y 8.3 (Berkeley) 4/6/94 - */ - -/* - * Grammar for FTP commands. - * See RFC 959. - */ - -%{ - -#include "ftpd_locl.h" -RCSID("$Id: ftpcmd.y,v 1.61.10.2 2004/08/20 15:15:46 lha Exp $"); - -off_t restart_point; - -static int hasyyerrored; - - -static int cmd_type; -static int cmd_form; -static int cmd_bytesz; -char cbuf[64*1024]; -char *fromname; - -struct tab { - char *name; - short token; - short state; - short implemented; /* 1 if command is implemented */ - char *help; -}; - -extern struct tab cmdtab[]; -extern struct tab sitetab[]; - -static char *copy (char *); -static void help (struct tab *, char *); -static struct tab * - lookup (struct tab *, char *); -static void sizecmd (char *); -static RETSIGTYPE toolong (int); -static int yylex (void); - -/* This is for bison */ - -#if !defined(alloca) && !defined(HAVE_ALLOCA) -#define alloca(x) malloc(x) -#endif - -%} - -%union { - int i; - char *s; -} - -%token - A B C E F I - L N P R S T - - SP CRLF COMMA - - USER PASS ACCT REIN QUIT PORT - PASV TYPE STRU MODE RETR STOR - APPE MLFL MAIL MSND MSOM MSAM - MRSQ MRCP ALLO REST RNFR RNTO - ABOR DELE CWD LIST NLST SITE - sTAT HELP NOOP MKD RMD PWD - CDUP STOU SMNT SYST SIZE MDTM - EPRT EPSV - - UMASK IDLE CHMOD - - AUTH ADAT PROT PBSZ CCC MIC - CONF ENC - - KAUTH KLIST KDESTROY KRBTKFILE AFSLOG - LOCATE URL - - FEAT OPTS - - LEXERR - -%token STRING -%token NUMBER - -%type check_login check_login_no_guest check_secure octal_number byte_size -%type struct_code mode_code type_code form_code -%type pathstring pathname password username - -%start cmd_list - -%% - -cmd_list - : /* empty */ - | cmd_list cmd - { - fromname = (char *) 0; - restart_point = (off_t) 0; - } - | cmd_list rcmd - ; - -cmd - : USER SP username CRLF - { - user($3); - free($3); - } - | PASS SP password CRLF - { - pass($3); - memset ($3, 0, strlen($3)); - free($3); - } - | PORT SP host_port CRLF - { - usedefault = 0; - if (pdata >= 0) { - close(pdata); - pdata = -1; - } - reply(200, "PORT 
command successful."); - } - | EPRT SP STRING CRLF - { - eprt ($3); - free ($3); - } - | PASV CRLF check_login - { - if($3) - pasv (); - } - | EPSV CRLF check_login - { - if($3) - epsv (NULL); - } - | EPSV SP STRING CRLF check_login - { - if($5) - epsv ($3); - free ($3); - } - | TYPE SP type_code CRLF - { - switch (cmd_type) { - - case TYPE_A: - if (cmd_form == FORM_N) { - reply(200, "Type set to A."); - type = cmd_type; - form = cmd_form; - } else - reply(504, "Form must be N."); - break; - - case TYPE_E: - reply(504, "Type E not implemented."); - break; - - case TYPE_I: - reply(200, "Type set to I."); - type = cmd_type; - break; - - case TYPE_L: -#if NBBY == 8 - if (cmd_bytesz == 8) { - reply(200, - "Type set to L (byte size 8)."); - type = cmd_type; - } else - reply(504, "Byte size must be 8."); -#else /* NBBY == 8 */ - UNIMPLEMENTED for NBBY != 8 -#endif /* NBBY == 8 */ - } - } - | STRU SP struct_code CRLF - { - switch ($3) { - - case STRU_F: - reply(200, "STRU F ok."); - break; - - default: - reply(504, "Unimplemented STRU type."); - } - } - | MODE SP mode_code CRLF - { - switch ($3) { - - case MODE_S: - reply(200, "MODE S ok."); - break; - - default: - reply(502, "Unimplemented MODE type."); - } - } - | ALLO SP NUMBER CRLF - { - reply(202, "ALLO command ignored."); - } - | ALLO SP NUMBER SP R SP NUMBER CRLF - { - reply(202, "ALLO command ignored."); - } - | RETR SP pathname CRLF check_login - { - char *name = $3; - - if ($5 && name != NULL) - retrieve(0, name); - if (name != NULL) - free(name); - } - | STOR SP pathname CRLF check_login - { - char *name = $3; - - if ($5 && name != NULL) - do_store(name, "w", 0); - if (name != NULL) - free(name); - } - | APPE SP pathname CRLF check_login - { - char *name = $3; - - if ($5 && name != NULL) - do_store(name, "a", 0); - if (name != NULL) - free(name); - } - | NLST CRLF check_login - { - if ($3) - send_file_list("."); - } - | NLST SP STRING CRLF check_login - { - char *name = $3; - - if ($5 && name != NULL) - 
send_file_list(name); - if (name != NULL) - free(name); - } - | LIST CRLF check_login - { - if($3) - list_file("."); - } - | LIST SP pathname CRLF check_login - { - if($5) - list_file($3); - free($3); - } - | sTAT SP pathname CRLF check_login - { - if ($5 && $3 != NULL) - statfilecmd($3); - if ($3 != NULL) - free($3); - } - | sTAT CRLF - { - statcmd(); - } - | DELE SP pathname CRLF check_login_no_guest - { - if ($5 && $3 != NULL) - do_delete($3); - if ($3 != NULL) - free($3); - } - | RNTO SP pathname CRLF check_login_no_guest - { - if($5){ - if (fromname) { - renamecmd(fromname, $3); - free(fromname); - fromname = (char *) 0; - } else { - reply(503, "Bad sequence of commands."); - } - } - if ($3 != NULL) - free($3); - } - | ABOR CRLF - { - reply(225, "ABOR command successful."); - } - | CWD CRLF check_login - { - if ($3) - cwd(pw->pw_dir); - } - | CWD SP pathname CRLF check_login - { - if ($5 && $3 != NULL) - cwd($3); - if ($3 != NULL) - free($3); - } - | HELP CRLF - { - help(cmdtab, (char *) 0); - } - | HELP SP STRING CRLF - { - char *cp = $3; - - if (strncasecmp(cp, "SITE", 4) == 0) { - cp = $3 + 4; - if (*cp == ' ') - cp++; - if (*cp) - help(sitetab, cp); - else - help(sitetab, (char *) 0); - } else - help(cmdtab, $3); - } - | NOOP CRLF - { - reply(200, "NOOP command successful."); - } - | MKD SP pathname CRLF check_login - { - if ($5 && $3 != NULL) - makedir($3); - if ($3 != NULL) - free($3); - } - | RMD SP pathname CRLF check_login_no_guest - { - if ($5 && $3 != NULL) - removedir($3); - if ($3 != NULL) - free($3); - } - | PWD CRLF check_login - { - if ($3) - pwd(); - } - | CDUP CRLF check_login - { - if ($3) - cwd(".."); - } - | FEAT CRLF - { - lreply(211, "Supported features:"); - lreply(0, " MDTM"); - lreply(0, " REST STREAM"); - lreply(0, " SIZE"); - reply(211, "End"); - } - | OPTS SP STRING CRLF - { - free ($3); - reply(501, "Bad options"); - } - - | SITE SP HELP CRLF - { - help(sitetab, (char *) 0); - } - | SITE SP HELP SP STRING CRLF - { - help(sitetab, 
$5); - } - | SITE SP UMASK CRLF check_login - { - if ($5) { - int oldmask = umask(0); - umask(oldmask); - reply(200, "Current UMASK is %03o", oldmask); - } - } - | SITE SP UMASK SP octal_number CRLF check_login_no_guest - { - if ($7) { - if (($5 == -1) || ($5 > 0777)) { - reply(501, "Bad UMASK value"); - } else { - int oldmask = umask($5); - reply(200, - "UMASK set to %03o (was %03o)", - $5, oldmask); - } - } - } - | SITE SP CHMOD SP octal_number SP pathname CRLF check_login_no_guest - { - if ($9 && $7 != NULL) { - if ($5 > 0777) - reply(501, - "CHMOD: Mode value must be between 0 and 0777"); - else if (chmod($7, $5) < 0) - perror_reply(550, $7); - else - reply(200, "CHMOD command successful."); - } - if ($7 != NULL) - free($7); - } - | SITE SP IDLE CRLF - { - reply(200, - "Current IDLE time limit is %d seconds; max %d", - ftpd_timeout, maxtimeout); - } - | SITE SP IDLE SP NUMBER CRLF - { - if ($5 < 30 || $5 > maxtimeout) { - reply(501, - "Maximum IDLE time must be between 30 and %d seconds", - maxtimeout); - } else { - ftpd_timeout = $5; - alarm((unsigned) ftpd_timeout); - reply(200, - "Maximum IDLE time set to %d seconds", - ftpd_timeout); - } - } - - | SITE SP KAUTH SP STRING CRLF check_login - { -#ifdef KRB4 - char *p; - - if(guest) - reply(500, "Can't be done as guest."); - else{ - if($7 && $5 != NULL){ - p = strpbrk($5, " \t"); - if(p){ - *p++ = 0; - kauth($5, p + strspn(p, " \t")); - }else - kauth($5, NULL); - } - } - if($5 != NULL) - free($5); -#else - reply(500, "Command not implemented."); -#endif - } - | SITE SP KLIST CRLF check_login - { -#ifdef KRB4 - if($5) - klist(); -#else - reply(500, "Command not implemented."); -#endif - } - | SITE SP KDESTROY CRLF check_login - { -#ifdef KRB4 - if($5) - kdestroy(); -#else - reply(500, "Command not implemented."); -#endif - } - | SITE SP KRBTKFILE SP STRING CRLF check_login - { -#ifdef KRB4 - if(guest) - reply(500, "Can't be done as guest."); - else if($7 && $5) - krbtkfile($5); - if($5) - free($5); -#else - 
reply(500, "Command not implemented."); -#endif - } - | SITE SP AFSLOG CRLF check_login - { -#ifdef KRB4 - if(guest) - reply(500, "Can't be done as guest."); - else if($5) - afslog(NULL); -#else - reply(500, "Command not implemented."); -#endif - } - | SITE SP AFSLOG SP STRING CRLF check_login - { -#ifdef KRB4 - if(guest) - reply(500, "Can't be done as guest."); - else if($7) - afslog($5); - if($5) - free($5); -#else - reply(500, "Command not implemented."); -#endif - } - | SITE SP LOCATE SP STRING CRLF check_login - { - if($7 && $5 != NULL) - find($5); - if($5 != NULL) - free($5); - } - | SITE SP URL CRLF - { - reply(200, "http://www.pdc.kth.se/kth-krb/"); - } - | STOU SP pathname CRLF check_login - { - if ($5 && $3 != NULL) - do_store($3, "w", 1); - if ($3 != NULL) - free($3); - } - | SYST CRLF - { -#if !defined(WIN32) && !defined(__EMX__) && !defined(__OS2__) && !defined(__CYGWIN32__) - reply(215, "UNIX Type: L%d", NBBY); -#else - reply(215, "UNKNOWN Type: L%d", NBBY); -#endif - } - - /* - * SIZE is not in RFC959, but Postel has blessed it and - * it will be in the updated RFC. - * - * Return size of file in a format suitable for - * using with RESTART (we just count bytes). - */ - | SIZE SP pathname CRLF check_login - { - if ($5 && $3 != NULL) - sizecmd($3); - if ($3 != NULL) - free($3); - } - - /* - * MDTM is not in RFC959, but Postel has blessed it and - * it will be in the updated RFC. - * - * Return modification time of file as an ISO 3307 - * style time. E.g. 
YYYYMMDDHHMMSS or YYYYMMDDHHMMSS.xxx - * where xxx is the fractional second (of any precision, - * not necessarily 3 digits) - */ - | MDTM SP pathname CRLF check_login - { - if ($5 && $3 != NULL) { - struct stat stbuf; - if (stat($3, &stbuf) < 0) - reply(550, "%s: %s", - $3, strerror(errno)); - else if (!S_ISREG(stbuf.st_mode)) { - reply(550, - "%s: not a plain file.", $3); - } else { - struct tm *t; - time_t mtime = stbuf.st_mtime; - - t = gmtime(&mtime); - reply(213, - "%04d%02d%02d%02d%02d%02d", - t->tm_year + 1900, - t->tm_mon + 1, - t->tm_mday, - t->tm_hour, - t->tm_min, - t->tm_sec); - } - } - if ($3 != NULL) - free($3); - } - | QUIT CRLF - { - reply(221, "Goodbye."); - dologout(0); - } - | error CRLF - { - yyerrok; - } - ; -rcmd - : RNFR SP pathname CRLF check_login_no_guest - { - restart_point = (off_t) 0; - if ($5 && $3) { - fromname = renamefrom($3); - if (fromname == (char *) 0 && $3) { - free($3); - } - } - } - | REST SP byte_size CRLF - { - fromname = (char *) 0; - restart_point = $3; /* XXX $3 is only "int" */ - reply(350, "Restarting at %ld. 
%s", - (long)restart_point, - "Send STORE or RETRIEVE to initiate transfer."); - } - | AUTH SP STRING CRLF - { - auth($3); - free($3); - } - | ADAT SP STRING CRLF - { - adat($3); - free($3); - } - | PBSZ SP NUMBER CRLF - { - pbsz($3); - } - | PROT SP STRING CRLF - { - prot($3); - } - | CCC CRLF - { - ccc(); - } - | MIC SP STRING CRLF - { - mec($3, prot_safe); - free($3); - } - | CONF SP STRING CRLF - { - mec($3, prot_confidential); - free($3); - } - | ENC SP STRING CRLF - { - mec($3, prot_private); - free($3); - } - ; - -username - : STRING - ; - -password - : /* empty */ - { - $$ = (char *)calloc(1, sizeof(char)); - } - | STRING - ; - -byte_size - : NUMBER - ; - -host_port - : NUMBER COMMA NUMBER COMMA NUMBER COMMA NUMBER COMMA - NUMBER COMMA NUMBER - { - struct sockaddr_in *sin = (struct sockaddr_in *)data_dest; - - sin->sin_family = AF_INET; - sin->sin_port = htons($9 * 256 + $11); - sin->sin_addr.s_addr = - htonl(($1 << 24) | ($3 << 16) | ($5 << 8) | $7); - } - ; - -form_code - : N - { - $$ = FORM_N; - } - | T - { - $$ = FORM_T; - } - | C - { - $$ = FORM_C; - } - ; - -type_code - : A - { - cmd_type = TYPE_A; - cmd_form = FORM_N; - } - | A SP form_code - { - cmd_type = TYPE_A; - cmd_form = $3; - } - | E - { - cmd_type = TYPE_E; - cmd_form = FORM_N; - } - | E SP form_code - { - cmd_type = TYPE_E; - cmd_form = $3; - } - | I - { - cmd_type = TYPE_I; - } - | L - { - cmd_type = TYPE_L; - cmd_bytesz = NBBY; - } - | L SP byte_size - { - cmd_type = TYPE_L; - cmd_bytesz = $3; - } - /* this is for a bug in the BBN ftp */ - | L byte_size - { - cmd_type = TYPE_L; - cmd_bytesz = $2; - } - ; - -struct_code - : F - { - $$ = STRU_F; - } - | R - { - $$ = STRU_R; - } - | P - { - $$ = STRU_P; - } - ; - -mode_code - : S - { - $$ = MODE_S; - } - | B - { - $$ = MODE_B; - } - | C - { - $$ = MODE_C; - } - ; - -pathname - : pathstring - { - /* - * Problem: this production is used for all pathname - * processing, but only gives a 550 error reply. 
- * This is a valid reply in some cases but not in others. - */ - if (logged_in && $1 && *$1 == '~') { - glob_t gl; - int flags = - GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE; - - memset(&gl, 0, sizeof(gl)); - if (glob($1, flags, NULL, &gl) || - gl.gl_pathc == 0) { - reply(550, "not found"); - $$ = NULL; - } else { - $$ = strdup(gl.gl_pathv[0]); - } - globfree(&gl); - free($1); - } else - $$ = $1; - } - ; - -pathstring - : STRING - ; - -octal_number - : NUMBER - { - int ret, dec, multby, digit; - - /* - * Convert a number that was read as decimal number - * to what it would be if it had been read as octal. - */ - dec = $1; - multby = 1; - ret = 0; - while (dec) { - digit = dec%10; - if (digit > 7) { - ret = -1; - break; - } - ret += digit * multby; - multby *= 8; - dec /= 10; - } - $$ = ret; - } - ; - - -check_login_no_guest : check_login - { - $$ = $1 && !guest; - if($1 && !$$) - reply(550, "Permission denied"); - } - ; - -check_login : check_secure - { - if($1) { - if(($$ = logged_in) == 0) - reply(530, "Please login with USER and PASS."); - } else - $$ = 0; - } - ; - -check_secure : /* empty */ - { - $$ = 1; - if(sec_complete && !secure_command()) { - $$ = 0; - reply(533, "Command protection level denied " - "for paranoid reasons."); - } - } - ; - -%% - -#define CMD 0 /* beginning of command */ -#define ARGS 1 /* expect miscellaneous arguments */ -#define STR1 2 /* expect SP followed by STRING */ -#define STR2 3 /* expect STRING */ -#define OSTR 4 /* optional SP then STRING */ -#define ZSTR1 5 /* SP then optional STRING */ -#define ZSTR2 6 /* optional STRING after SP */ -#define SITECMD 7 /* SITE command */ -#define NSTR 8 /* Number followed by a string */ - -struct tab cmdtab[] = { /* In order defined in RFC 765 */ - { "USER", USER, STR1, 1, " username" }, - { "PASS", PASS, ZSTR1, 1, " password" }, - { "ACCT", ACCT, STR1, 0, "(specify account)" }, - { "SMNT", SMNT, ARGS, 0, "(structure mount)" }, - { "REIN", REIN, ARGS, 0, "(reinitialize server state)" }, - 
{ "QUIT", QUIT, ARGS, 1, "(terminate service)", }, - { "PORT", PORT, ARGS, 1, " b0, b1, b2, b3, b4" }, - { "EPRT", EPRT, STR1, 1, " string" }, - { "PASV", PASV, ARGS, 1, "(set server in passive mode)" }, - { "EPSV", EPSV, OSTR, 1, "[ foo]" }, - { "TYPE", TYPE, ARGS, 1, " [ A | E | I | L ]" }, - { "STRU", STRU, ARGS, 1, "(specify file structure)" }, - { "MODE", MODE, ARGS, 1, "(specify transfer mode)" }, - { "RETR", RETR, STR1, 1, " file-name" }, - { "STOR", STOR, STR1, 1, " file-name" }, - { "APPE", APPE, STR1, 1, " file-name" }, - { "MLFL", MLFL, OSTR, 0, "(mail file)" }, - { "MAIL", MAIL, OSTR, 0, "(mail to user)" }, - { "MSND", MSND, OSTR, 0, "(mail send to terminal)" }, - { "MSOM", MSOM, OSTR, 0, "(mail send to terminal or mailbox)" }, - { "MSAM", MSAM, OSTR, 0, "(mail send to terminal and mailbox)" }, - { "MRSQ", MRSQ, OSTR, 0, "(mail recipient scheme question)" }, - { "MRCP", MRCP, STR1, 0, "(mail recipient)" }, - { "ALLO", ALLO, ARGS, 1, "allocate storage (vacuously)" }, - { "REST", REST, ARGS, 1, " offset (restart command)" }, - { "RNFR", RNFR, STR1, 1, " file-name" }, - { "RNTO", RNTO, STR1, 1, " file-name" }, - { "ABOR", ABOR, ARGS, 1, "(abort operation)" }, - { "DELE", DELE, STR1, 1, " file-name" }, - { "CWD", CWD, OSTR, 1, "[ directory-name ]" }, - { "XCWD", CWD, OSTR, 1, "[ directory-name ]" }, - { "LIST", LIST, OSTR, 1, "[ path-name ]" }, - { "NLST", NLST, OSTR, 1, "[ path-name ]" }, - { "SITE", SITE, SITECMD, 1, "site-cmd [ arguments ]" }, - { "SYST", SYST, ARGS, 1, "(get type of operating system)" }, - { "STAT", sTAT, OSTR, 1, "[ path-name ]" }, - { "HELP", HELP, OSTR, 1, "[ ]" }, - { "NOOP", NOOP, ARGS, 1, "" }, - { "MKD", MKD, STR1, 1, " path-name" }, - { "XMKD", MKD, STR1, 1, " path-name" }, - { "RMD", RMD, STR1, 1, " path-name" }, - { "XRMD", RMD, STR1, 1, " path-name" }, - { "PWD", PWD, ARGS, 1, "(return current directory)" }, - { "XPWD", PWD, ARGS, 1, "(return current directory)" }, - { "CDUP", CDUP, ARGS, 1, "(change to parent directory)" }, 
- { "XCUP", CDUP, ARGS, 1, "(change to parent directory)" }, - { "STOU", STOU, STR1, 1, " file-name" }, - { "SIZE", SIZE, OSTR, 1, " path-name" }, - { "MDTM", MDTM, OSTR, 1, " path-name" }, - - /* extensions from RFC2228 */ - { "AUTH", AUTH, STR1, 1, " auth-type" }, - { "ADAT", ADAT, STR1, 1, " auth-data" }, - { "PBSZ", PBSZ, ARGS, 1, " buffer-size" }, - { "PROT", PROT, STR1, 1, " prot-level" }, - { "CCC", CCC, ARGS, 1, "" }, - { "MIC", MIC, STR1, 1, " integrity command" }, - { "CONF", CONF, STR1, 1, " confidentiality command" }, - { "ENC", ENC, STR1, 1, " privacy command" }, - - /* RFC2389 */ - { "FEAT", FEAT, ARGS, 1, "" }, - { "OPTS", OPTS, ARGS, 1, " command [ options]" }, - - { NULL, 0, 0, 0, 0 } -}; - -struct tab sitetab[] = { - { "UMASK", UMASK, ARGS, 1, "[ umask ]" }, - { "IDLE", IDLE, ARGS, 1, "[ maximum-idle-time ]" }, - { "CHMOD", CHMOD, NSTR, 1, " mode file-name" }, - { "HELP", HELP, OSTR, 1, "[ ]" }, - - { "KAUTH", KAUTH, STR1, 1, " principal [ ticket ]" }, - { "KLIST", KLIST, ARGS, 1, "(show ticket file)" }, - { "KDESTROY", KDESTROY, ARGS, 1, "(destroy tickets)" }, - { "KRBTKFILE", KRBTKFILE, STR1, 1, " ticket-file" }, - { "AFSLOG", AFSLOG, OSTR, 1, "[ cell]" }, - - { "LOCATE", LOCATE, STR1, 1, " globexpr" }, - { "FIND", LOCATE, STR1, 1, " globexpr" }, - - { "URL", URL, ARGS, 1, "?" }, - - { NULL, 0, 0, 0, 0 } -}; - -static struct tab * -lookup(struct tab *p, char *cmd) -{ - - for (; p->name != NULL; p++) - if (strcmp(cmd, p->name) == 0) - return (p); - return (0); -} - -/* - * ftpd_getline - a hacked up version of fgets to ignore TELNET escape codes. 
- */ -char * -ftpd_getline(char *s, int n) -{ - int c; - char *cs; - - cs = s; - - /* might still be data within the security MIC/CONF/ENC */ - if(ftp_command){ - strlcpy(s, ftp_command, n); - if (debug) - syslog(LOG_DEBUG, "command: %s", s); - return s; - } - while ((c = getc(stdin)) != EOF) { - c &= 0377; - if (c == IAC) { - if ((c = getc(stdin)) != EOF) { - c &= 0377; - switch (c) { - case WILL: - case WONT: - c = getc(stdin); - printf("%c%c%c", IAC, DONT, 0377&c); - fflush(stdout); - continue; - case DO: - case DONT: - c = getc(stdin); - printf("%c%c%c", IAC, WONT, 0377&c); - fflush(stdout); - continue; - case IAC: - break; - default: - continue; /* ignore command */ - } - } - } - *cs++ = c; - if (--n <= 0 || c == '\n') - break; - } - if (c == EOF && cs == s) - return (NULL); - *cs++ = '\0'; - if (debug) { - if (!guest && strncasecmp("pass ", s, 5) == 0) { - /* Don't syslog passwords */ - syslog(LOG_DEBUG, "command: %.5s ???", s); - } else { - char *cp; - int len; - - /* Don't syslog trailing CR-LF */ - len = strlen(s); - cp = s + len - 1; - while (cp >= s && (*cp == '\n' || *cp == '\r')) { - --cp; - --len; - } - syslog(LOG_DEBUG, "command: %.*s", len, s); - } - } -#ifdef XXX - fprintf(stderr, "%s\n", s); -#endif - return (s); -} - -static RETSIGTYPE -toolong(int signo) -{ - - reply(421, - "Timeout (%d seconds): closing control connection.", - ftpd_timeout); - if (logging) - syslog(LOG_INFO, "User %s timed out after %d seconds", - (pw ? 
pw -> pw_name : "unknown"), ftpd_timeout); - dologout(1); - SIGRETURN(0); -} - -static int -yylex(void) -{ - static int cpos, state; - char *cp, *cp2; - struct tab *p; - int n; - char c; - - for (;;) { - switch (state) { - - case CMD: - hasyyerrored = 0; - - signal(SIGALRM, toolong); - alarm((unsigned) ftpd_timeout); - if (ftpd_getline(cbuf, sizeof(cbuf)-1) == NULL) { - reply(221, "You could at least say goodbye."); - dologout(0); - } - alarm(0); -#ifdef HAVE_SETPROCTITLE - if (strncasecmp(cbuf, "PASS", 4) != 0) - setproctitle("%s: %s", proctitle, cbuf); -#endif /* HAVE_SETPROCTITLE */ - if ((cp = strchr(cbuf, '\r'))) { - *cp++ = '\n'; - *cp = '\0'; - } - if ((cp = strpbrk(cbuf, " \n"))) - cpos = cp - cbuf; - if (cpos == 0) - cpos = 4; - c = cbuf[cpos]; - cbuf[cpos] = '\0'; - strupr(cbuf); - p = lookup(cmdtab, cbuf); - cbuf[cpos] = c; - if (p != 0) { - if (p->implemented == 0) { - nack(p->name); - hasyyerrored = 1; - break; - } - state = p->state; - yylval.s = p->name; - return (p->token); - } - break; - - case SITECMD: - if (cbuf[cpos] == ' ') { - cpos++; - return (SP); - } - cp = &cbuf[cpos]; - if ((cp2 = strpbrk(cp, " \n"))) - cpos = cp2 - cbuf; - c = cbuf[cpos]; - cbuf[cpos] = '\0'; - strupr(cp); - p = lookup(sitetab, cp); - cbuf[cpos] = c; - if (p != 0) { - if (p->implemented == 0) { - state = CMD; - nack(p->name); - hasyyerrored = 1; - break; - } - state = p->state; - yylval.s = p->name; - return (p->token); - } - state = CMD; - break; - - case OSTR: - if (cbuf[cpos] == '\n') { - state = CMD; - return (CRLF); - } - /* FALLTHROUGH */ - - case STR1: - case ZSTR1: - dostr1: - if (cbuf[cpos] == ' ') { - cpos++; - if(state == OSTR) - state = STR2; - else - state++; - return (SP); - } - break; - - case ZSTR2: - if (cbuf[cpos] == '\n') { - state = CMD; - return (CRLF); - } - /* FALLTHROUGH */ - - case STR2: - cp = &cbuf[cpos]; - n = strlen(cp); - cpos += n - 1; - /* - * Make sure the string is nonempty and \n terminated. 
- */ - if (n > 1 && cbuf[cpos] == '\n') { - cbuf[cpos] = '\0'; - yylval.s = copy(cp); - cbuf[cpos] = '\n'; - state = ARGS; - return (STRING); - } - break; - - case NSTR: - if (cbuf[cpos] == ' ') { - cpos++; - return (SP); - } - if (isdigit((unsigned char)cbuf[cpos])) { - cp = &cbuf[cpos]; - while (isdigit((unsigned char)cbuf[++cpos])) - ; - c = cbuf[cpos]; - cbuf[cpos] = '\0'; - yylval.i = atoi(cp); - cbuf[cpos] = c; - state = STR1; - return (NUMBER); - } - state = STR1; - goto dostr1; - - case ARGS: - if (isdigit((unsigned char)cbuf[cpos])) { - cp = &cbuf[cpos]; - while (isdigit((unsigned char)cbuf[++cpos])) - ; - c = cbuf[cpos]; - cbuf[cpos] = '\0'; - yylval.i = atoi(cp); - cbuf[cpos] = c; - return (NUMBER); - } - switch (cbuf[cpos++]) { - - case '\n': - state = CMD; - return (CRLF); - - case ' ': - return (SP); - - case ',': - return (COMMA); - - case 'A': - case 'a': - return (A); - - case 'B': - case 'b': - return (B); - - case 'C': - case 'c': - return (C); - - case 'E': - case 'e': - return (E); - - case 'F': - case 'f': - return (F); - - case 'I': - case 'i': - return (I); - - case 'L': - case 'l': - return (L); - - case 'N': - case 'n': - return (N); - - case 'P': - case 'p': - return (P); - - case 'R': - case 'r': - return (R); - - case 'S': - case 's': - return (S); - - case 'T': - case 't': - return (T); - - } - break; - - default: - fatal("Unknown state in scanner."); - } - yyerror(NULL); - state = CMD; - return (0); - } -} - -/* ARGSUSED */ -void -yyerror(char *s) -{ - char *cp; - - if (hasyyerrored) - return; - - if ((cp = strchr(cbuf,'\n'))) - *cp = '\0'; - reply(500, "'%s': command not understood.", cbuf); - hasyyerrored = 1; -} - -static char * -copy(char *s) -{ - char *p; - - p = strdup(s); - if (p == NULL) - fatal("Ran out of memory."); - return p; -} - -static void -help(struct tab *ctab, char *s) -{ - struct tab *c; - int width, NCMDS; - char *type; - char buf[1024]; - - if (ctab == sitetab) - type = "SITE "; - else - type = ""; - width = 0, 
NCMDS = 0; - for (c = ctab; c->name != NULL; c++) { - int len = strlen(c->name); - - if (len > width) - width = len; - NCMDS++; - } - width = (width + 8) &~ 7; - if (s == 0) { - int i, j, w; - int columns, lines; - - lreply(214, "The following %scommands are recognized %s.", - type, "(* =>'s unimplemented)"); - columns = 76 / width; - if (columns == 0) - columns = 1; - lines = (NCMDS + columns - 1) / columns; - for (i = 0; i < lines; i++) { - strlcpy (buf, " ", sizeof(buf)); - for (j = 0; j < columns; j++) { - c = ctab + j * lines + i; - snprintf (buf + strlen(buf), - sizeof(buf) - strlen(buf), - "%s%c", - c->name, - c->implemented ? ' ' : '*'); - if (c + lines >= &ctab[NCMDS]) - break; - w = strlen(c->name) + 1; - while (w < width) { - strlcat (buf, - " ", - sizeof(buf)); - w++; - } - } - lreply(214, "%s", buf); - } - reply(214, "Direct comments to kth-krb-bugs@pdc.kth.se"); - return; - } - strupr(s); - c = lookup(ctab, s); - if (c == (struct tab *)0) { - reply(502, "Unknown command %s.", s); - return; - } - if (c->implemented) - reply(214, "Syntax: %s%s %s", type, c->name, c->help); - else - reply(214, "%s%-*s\t%s; unimplemented.", type, width, - c->name, c->help); -} - -static void -sizecmd(char *filename) -{ - switch (type) { - case TYPE_L: - case TYPE_I: { - struct stat stbuf; - if (stat(filename, &stbuf) < 0 || !S_ISREG(stbuf.st_mode)) - reply(550, "%s: not a plain file.", filename); - else - reply(213, "%lu", (unsigned long)stbuf.st_size); - break; - } - case TYPE_A: { - FILE *fin; - int c; - size_t count; - struct stat stbuf; - fin = fopen(filename, "r"); - if (fin == NULL) { - perror_reply(550, filename); - return; - } - if (fstat(fileno(fin), &stbuf) < 0 || !S_ISREG(stbuf.st_mode)) { - reply(550, "%s: not a plain file.", filename); - fclose(fin); - return; - } - - count = 0; - while((c=getc(fin)) != EOF) { - if (c == '\n') /* will get expanded to \r\n */ - count++; - count++; - } - fclose(fin); - - reply(213, "%lu", (unsigned long)count); - break; - } - 
default:
- reply(504, "SIZE not implemented for Type %c.", "?AEIL"[type]);
- }
-}
diff --git a/crypto/heimdal-0.6.3/appl/ftp/ftpd/ftpd.8 b/crypto/heimdal-0.6.3/appl/ftp/ftpd/ftpd.8
deleted file mode 100644
index b630641923..0000000000
--- a/crypto/heimdal-0.6.3/appl/ftp/ftpd/ftpd.8
+++ /dev/null
@@ -1,503 +0,0 @@
-.\" $NetBSD: ftpd.8,v 1.7 1995/04/11 02:44:53 cgd Exp $
-.\"
-.\" Copyright (c) 1985, 1988, 1991, 1993
-.\" The Regents of the University of California. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\" 3. All advertising materials mentioning features or use of this software
-.\" must display the following acknowledgement:
-.\" This product includes software developed by the University of
-.\" California, Berkeley and its contributors.
-.\" 4. Neither the name of the University nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\" -.\" @(#)ftpd.8 8.2 (Berkeley) 4/19/94 -.\" -.Dd July 19, 2003 -.Dt FTPD 8 -.Os BSD 4.2 -.Sh NAME -.Nm ftpd -.Nd Internet File Transfer Protocol server -.Sh SYNOPSIS -.Nm -.Op Fl a Ar authmode -.Op Fl dilvU -.Op Fl g Ar umask -.Op Fl p Ar port -.Op Fl T Ar maxtimeout -.Op Fl t Ar timeout -.Op Fl -gss-bindings -.Op Fl I | Fl -no-insecure-oob -.Op Fl u Ar default umask -.Op Fl B | Fl -builtin-ls -.Op Fl -good-chars= Ns Ar string -.Sh DESCRIPTION -.Nm Ftpd -is the -Internet File Transfer Protocol -server process. The server uses the -.Tn TCP -protocol -and listens at the port specified in the -.Dq ftp -service specification; see -.Xr services 5 . -.Pp -Available options: -.Bl -tag -width Ds -.It Fl a -Select the level of authentication required. Kerberised login can not -be turned off. The default is to only allow kerberised login. Other -possibilities can be turned on by giving a string of comma separated -flags as argument to -.Fl a . -Recognised flags are: -.Bl -tag -width plain -.It Ar plain -Allow logging in with plaintext password. The password can be a(n) OTP -or an ordinary password. -.It Ar otp -Same as -.Ar plain , -but only OTP is allowed. -.It Ar ftp -Allow anonymous login. -.El -.Pp -The following combination modes exists for backwards compatibility: -.Bl -tag -width plain -.It Ar none -Same as -.Ar plain,ftp . -.It Ar safe -Same as -.Ar ftp . -.It Ar user -Ignored. -.El -.It Fl d -Debugging information is written to the syslog using LOG_FTP. -.It Fl g -Anonymous users will get a umask of -.Ar umask . -.It Fl -gss-bindings -require the peer to use GSS-API bindings (ie make sure IP addresses match). -.It Fl i -Open a socket and wait for a connection. This is mainly used for -debugging when ftpd isn't started by inetd. -.It Fl l -Each successful and failed -.Xr ftp 1 -session is logged using syslog with a facility of LOG_FTP. 
-If this option is specified twice, the retrieve (get), store (put), append, -delete, make directory, remove directory and rename operations and -their filename arguments are also logged. -.It Fl p -Use -.Ar port -(a service name or number) instead of the default -.Ar ftp/tcp . -.It Fl T -A client may also request a different timeout period; -the maximum period allowed may be set to -.Ar timeout -seconds with the -.Fl T -option. -The default limit is 2 hours. -.It Fl t -The inactivity timeout period is set to -.Ar timeout -seconds (the default is 15 minutes). -.It Fl u -Set the initial umask to something else than the default 027. -.It Fl U -In previous versions of -.Nm ftpd , -when a passive mode client requested a data connection to the server, the -server would use data ports in the range 1024..4999. Now, by default, -if the system supports the IP_PORTRANGE socket option, the server will -use data ports in the range 49152..65535. Specifying this option will -revert to the old behavior. -.It Fl v -Verbose mode. -.It Xo -.Fl B , -.Fl -builtin-ls -.Xc -use built-in ls to list files -.It Xo -.Fl -good-chars= Ns Ar string -.Xc -allowed anonymous upload filename chars -.It Xo -.Fl I -.Fl -no-insecure-oob -.Xc -don't allow insecure out of band. -Heimdal ftp client before 0.7 doesn't support secure oob, so turning -on this options makes them no longer work. -.El -.Pp -The file -.Pa /etc/nologin -can be used to disable ftp access. -If the file exists, -.Nm -displays it and exits. -If the file -.Pa /etc/ftpwelcome -exists, -.Nm -prints it before issuing the -.Dq ready -message. -If the file -.Pa /etc/motd -exists, -.Nm -prints it after a successful login. -.Pp -The ftp server currently supports the following ftp requests. -The case of the requests is ignored. 
-.Bl -column "Request" -offset indent -.It Request Ta "Description" -.It ABOR Ta "abort previous command" -.It ACCT Ta "specify account (ignored)" -.It ALLO Ta "allocate storage (vacuously)" -.It APPE Ta "append to a file" -.It CDUP Ta "change to parent of current working directory" -.It CWD Ta "change working directory" -.It DELE Ta "delete a file" -.It HELP Ta "give help information" -.It LIST Ta "give list files in a directory" Pq Dq Li "ls -lgA" -.It MKD Ta "make a directory" -.It MDTM Ta "show last modification time of file" -.It MODE Ta "specify data transfer" Em mode -.It NLST Ta "give name list of files in directory" -.It NOOP Ta "do nothing" -.It PASS Ta "specify password" -.It PASV Ta "prepare for server-to-server transfer" -.It PORT Ta "specify data connection port" -.It PWD Ta "print the current working directory" -.It QUIT Ta "terminate session" -.It REST Ta "restart incomplete transfer" -.It RETR Ta "retrieve a file" -.It RMD Ta "remove a directory" -.It RNFR Ta "specify rename-from file name" -.It RNTO Ta "specify rename-to file name" -.It SITE Ta "non-standard commands (see next section)" -.It SIZE Ta "return size of file" -.It STAT Ta "return status of server" -.It STOR Ta "store a file" -.It STOU Ta "store a file with a unique name" -.It STRU Ta "specify data transfer" Em structure -.It SYST Ta "show operating system type of server system" -.It TYPE Ta "specify data transfer" Em type -.It USER Ta "specify user name" -.It XCUP Ta "change to parent of current working directory (deprecated)" -.It XCWD Ta "change working directory (deprecated)" -.It XMKD Ta "make a directory (deprecated)" -.It XPWD Ta "print the current working directory (deprecated)" -.It XRMD Ta "remove a directory (deprecated)" -.El -.Pp -The following commands are specified by RFC2228. 
-.Bl -column Request -offset indent -.It AUTH Ta "authentication/security mechanism" -.It ADAT Ta "authentication/security data" -.It PROT Ta "data channel protection level" -.It PBSZ Ta "protection buffer size" -.It MIC Ta "integrity protected command" -.It CONF Ta "confidentiality protected command" -.It ENC Ta "privacy protected command" -.It CCC Ta "clear command channel" -.El -.Pp -The following non-standard or -.Tn UNIX -specific commands are supported -by the -SITE request. -.Pp -.Bl -column Request -offset indent -.It UMASK Ta change umask, (e.g. -.Ic "SITE UMASK 002" ) -.It IDLE Ta set idle-timer, (e.g. -.Ic "SITE IDLE 60" ) -.It CHMOD Ta change mode of a file (e.g. -.Ic "SITE CHMOD 755 filename" ) -.It FIND Ta quickly find a specific file with GNU -.Xr locate 1 . -.It HELP Ta give help information. -.El -.Pp -The following Kerberos related site commands are understood. -.Bl -column Request -offset indent -.It KAUTH Ta obtain remote tickets. -.It KLIST Ta show remote tickets -.El -.Pp -The remaining ftp requests specified in Internet RFC 959 -are -recognized, but not implemented. -MDTM and SIZE are not specified in RFC 959, but will appear in the -next updated FTP RFC. -.Pp -The ftp server will abort an active file transfer only when the -ABOR -command is preceded by a Telnet "Interrupt Process" (IP) -signal and a Telnet "Synch" signal in the command Telnet stream, -as described in Internet RFC 959. -If a -STAT -command is received during a data transfer, preceded by a Telnet IP -and Synch, transfer status will be returned. -.Pp -.Nm Ftpd -interprets file names according to the -.Dq globbing -conventions used by -.Xr csh 1 . -This allows users to use the metacharacters -.Dq Li \&*?[]{}~ . -.Pp -.Nm Ftpd -authenticates users according to these rules. -.Pp -.Bl -enum -offset indent -.It -If Kerberos authentication is used, the user must pass valid tickets -and the principal must be allowed to login as the remote user. 
-.It -The login name must be in the password data base, and not have a null -password (if Kerberos is used the password field is not checked). In -this case a password must be provided by the client before any file -operations may be performed. If the user has an OTP key, the response -from a successful USER command will include an OTP challenge. The -client may choose to respond with a PASS command giving either a -standard password or an OTP one-time password. The server will -automatically determine which type of password it has been given and -attempt to authenticate accordingly. See -.Xr otp 1 -for more information on OTP authentication. -.It -The login name must not appear in the file -.Pa /etc/ftpusers . -.It -The user must have a standard shell returned by -.Xr getusershell 3 . -.It -If the user name appears in the file -.Pa /etc/ftpchroot -the session's root will be changed to the user's login directory by -.Xr chroot 2 -as for an -.Dq anonymous -or -.Dq ftp -account (see next item). However, the user must still supply a password. -This feature is intended as a compromise between a fully anonymous account -and a fully privileged account. The account should also be set up as for an -anonymous account. -.It -If the user name is -.Dq anonymous -or -.Dq ftp , -an -anonymous ftp account must be present in the password -file (user -.Dq ftp ) . -In this case the user is allowed -to log in by specifying any password (by convention an email address for -the user should be used as the password). -.El -.Pp -In the last case, -.Nm ftpd -takes special measures to restrict the client's access privileges. -The server performs a -.Xr chroot 2 -to the home directory of the -.Dq ftp -user. -In order that system security is not breached, it is recommended -that the -.Dq ftp -subtree be constructed with care, consider following these guidelines -for anonymous ftp. 
-.Pp -In general all files should be owned by -.Dq root , -and have non-write permissions (644 or 755 depending on the kind of -file). No files should be owned or writable by -.Dq ftp -(possibly with exception for the -.Pa ~ftp/incoming , -as specified below). -.Bl -tag -width "~ftp/pub" -offset indent -.It Pa ~ftp -The -.Dq ftp -homedirectory should be owned by root. -.It Pa ~ftp/bin -The directory for external programs (such as -.Xr ls 1 ) . -These programs must either be statically linked, or you must setup an -environment for dynamic linking when running chrooted. -These programs will be used if present: -.Bl -tag -width "locate" -offset indent -.It ls -Used when listing files. -.It compress -When retrieving a filename that ends in -.Pa .Z , -and that file isn't present, -.Nm -will try to find the filename without -.Pa .Z -and compress it on the fly. -.It gzip -Same as compress, just with files ending in -.Pa .gz . -.It gtar -Enables retrieval of whole directories as files ending in -.Pa .tar . -Can also be combined with compression. You must use GNU Tar (or some -other that supports the -.Fl z -and -.Fl Z -flags). -.It locate -Will enable ``fast find'' with the -.Ic SITE FIND -command. You must also create a -.Pa locatedb -file in -.Pa ~ftp/etc . -.El -.It Pa ~ftp/etc -If you put copies of the -.Xr passwd 5 -and -.Xr group 5 -files here, ls will be able to produce owner names rather than -numbers. Remember to remove any passwords from these files. -.Pp -The file -.Pa motd , -if present, will be printed after a successful login. -.It Pa ~ftp/dev -Put a copy of -.Xr /dev/null 7 -here. -.It Pa ~ftp/pub -Traditional place to put whatever you want to make public. -.El -.Pp -If you want guests to be able to upload files, create a -.Pa ~ftp/incoming -directory owned by -.Dq root , -and group -.Dq ftp -with mode 730 (make sure -.Dq ftp -is member of group -.Dq ftp ) . 
-The following restrictions apply to anonymous users: -.Bl -bullet -.It -Directories created will have mode 700. -.It -Uploaded files will be created with an umask of 777, if not changed -with the -.Fl g -option. -.It -These command are not accessible: -.Ic DELE , RMD , RNTO , RNFR , -.Ic SITE UMASK , -and -.Ic SITE CHMOD . -.It -Filenames must start with an alpha-numeric character, and consist of -alpha-numeric characters or any of the following: -.Li \&+ -(plus), -.Li \&- -(minus), -.Li \&= -(equal), -.Li \&_ -(underscore), -.Li \&. -(period), and -.Li \&, -(comma). -.El -.Sh FILES -.Bl -tag -width /etc/ftpwelcome -compact -.It Pa /etc/ftpusers -Access list for users. -.It Pa /etc/ftpchroot -List of normal users who should be chroot'd. -.It Pa /etc/ftpwelcome -Welcome notice. -.It Pa /etc/motd -Welcome notice after login. -.It Pa /etc/nologin -Displayed and access refused. -.It Pa ~/.klogin -Login access for Kerberos. -.El -.Sh SEE ALSO -.Xr ftp 1 , -.Xr otp 1 , -.Xr getusershell 3 , -.Xr ftpusers 5 , -.Xr syslogd 8 -.Sh STANDARDS -.Bl -tag -compact -width "RFC 1938" -.It Cm RFC 959 -FTP PROTOCOL SPECIFICATION -.It Cm RFC 1938 -OTP Specification -.It Cm RFC 2228 -FTP Security Extensions. -.El -.Sh BUGS -The server must run as the super-user -to create sockets with privileged port numbers. It maintains -an effective user id of the logged in user, reverting to -the super-user only when binding addresses to sockets. The -possible security holes have been extensively -scrutinized, but are possibly incomplete. -.Sh HISTORY -The -.Nm -command appeared in -.Bx 4.2 . diff --git a/crypto/heimdal-0.6.3/appl/ftp/ftpd/ftpd.c b/crypto/heimdal-0.6.3/appl/ftp/ftpd/ftpd.c deleted file mode 100644 index 88bb4a1bb3..0000000000 --- a/crypto/heimdal-0.6.3/appl/ftp/ftpd/ftpd.c +++ /dev/null 
@@ -1,2374 +0,0 @@
-/*
- * Copyright (c) 1985, 1988, 1990, 1992, 1993, 1994
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#define FTP_NAMES
-#include "ftpd_locl.h"
-#ifdef KRB5
-#include
-#endif
-#include "getarg.h"
-
-RCSID("$Id: ftpd.c,v 1.166.2.3 2004/08/20 15:16:37 lha Exp $");
-
-static char version[] = "Version 6.00";
-
-extern off_t restart_point;
-extern char cbuf[];
-
-struct sockaddr_storage ctrl_addr_ss;
-struct sockaddr *ctrl_addr = (struct sockaddr *)&ctrl_addr_ss;
-
-struct sockaddr_storage data_source_ss;
-struct sockaddr *data_source = (struct sockaddr *)&data_source_ss;
-
-struct sockaddr_storage data_dest_ss;
-struct sockaddr *data_dest = (struct sockaddr *)&data_dest_ss;
-
-struct sockaddr_storage his_addr_ss;
-struct sockaddr *his_addr = (struct sockaddr *)&his_addr_ss;
-
-struct sockaddr_storage pasv_addr_ss;
-struct sockaddr *pasv_addr = (struct sockaddr *)&pasv_addr_ss;
-
-int data;
-int logged_in;
-struct passwd *pw;
-int debug = 0;
-int ftpd_timeout = 900; /* timeout after 15 minutes of inactivity */
-int maxtimeout = 7200;/* don't allow idle time to be set beyond 2 hours */
-int restricted_data_ports = 1;
-int logging;
-int guest;
-int dochroot;
-int type;
-int form;
-int stru; /* avoid C keyword */
-int mode;
-int usedefault = 1; /* for data transfers */
-int pdata = -1; /* for passive mode */
-int allow_insecure_oob = 1;
-static int transflag;
-static int urgflag;
-off_t file_size;
-off_t byte_count;
-#if !defined(CMASK) || CMASK == 0
-#undef CMASK
-#define CMASK 027
-#endif
-int defumask = CMASK; /* default umask value */
-int guest_umask = 0777; /* Paranoia for anonymous users */
-char tmpline[10240];
-char hostname[MaxHostNameLen];
-char remotehost[MaxHostNameLen];
-static char ttyline[20];
-
-#define AUTH_PLAIN (1 << 0) /* allow sending passwords */
-#define AUTH_OTP (1 << 1) /* passwords are one-time */
-#define AUTH_FTP (1 << 2) /* allow anonymous login */
-
-static int auth_level = 0; /* Only allow kerberos login by default */
-
-/*
- * Timeout intervals for retrying connections
- * to hosts that don't accept PORT cmds.
This - * is a kludge, but given the problems with TCP... - */ -#define SWAITMAX 90 /* wait at most 90 seconds */ -#define SWAITINT 5 /* interval between retries */ - -int swaitmax = SWAITMAX; -int swaitint = SWAITINT; - -#ifdef HAVE_SETPROCTITLE -char proctitle[BUFSIZ]; /* initial part of title */ -#endif /* HAVE_SETPROCTITLE */ - -#define LOGCMD(cmd, file) \ - if (logging > 1) \ - syslog(LOG_INFO,"%s %s%s", cmd, \ - *(file) == '/' ? "" : curdir(), file); -#define LOGCMD2(cmd, file1, file2) \ - if (logging > 1) \ - syslog(LOG_INFO,"%s %s%s %s%s", cmd, \ - *(file1) == '/' ? "" : curdir(), file1, \ - *(file2) == '/' ? "" : curdir(), file2); -#define LOGBYTES(cmd, file, cnt) \ - if (logging > 1) { \ - if (cnt == (off_t)-1) \ - syslog(LOG_INFO,"%s %s%s", cmd, \ - *(file) == '/' ? "" : curdir(), file); \ - else \ - syslog(LOG_INFO, "%s %s%s = %ld bytes", \ - cmd, (*(file) == '/') ? "" : curdir(), file, (long)cnt); \ - } - -static void ack (char *); -static void myoob (int); -static int handleoobcmd(void); -static int checkuser (char *, char *); -static int checkaccess (char *); -static FILE *dataconn (const char *, off_t, const char *); -static void dolog (struct sockaddr *sa, int len); -static void end_login (void); -static FILE *getdatasock (const char *); -static char *gunique (char *); -static RETSIGTYPE lostconn (int); -static int receive_data (FILE *, FILE *); -static void send_data (FILE *, FILE *); -static struct passwd * sgetpwnam (char *); - -static char * -curdir(void) -{ - static char path[MaxPathLen+1]; /* path + '/' + '\0' */ - - if (getcwd(path, sizeof(path)-1) == NULL) - return (""); - if (path[1] != '\0') /* special case for root dir. */ - strlcat(path, "/", sizeof(path)); - /* For guest account, skip / since it's chrooted */ - return (guest ? 
path+1 : path); -} - -#ifndef LINE_MAX -#define LINE_MAX 1024 -#endif - -static int -parse_auth_level(char *str) -{ - char *p; - int ret = 0; - char *foo = NULL; - - for(p = strtok_r(str, ",", &foo); - p; - p = strtok_r(NULL, ",", &foo)) { - if(strcmp(p, "user") == 0) - ; -#ifdef OTP - else if(strcmp(p, "otp") == 0) - ret |= AUTH_PLAIN|AUTH_OTP; -#endif - else if(strcmp(p, "ftp") == 0 || - strcmp(p, "safe") == 0) - ret |= AUTH_FTP; - else if(strcmp(p, "plain") == 0) - ret |= AUTH_PLAIN; - else if(strcmp(p, "none") == 0) - ret |= AUTH_PLAIN|AUTH_FTP; - else - warnx("bad value for -a: `%s'", p); - } - return ret; -} - -/* - * Print usage and die. - */ - -static int interactive_flag; -static char *guest_umask_string; -static char *port_string; -static char *umask_string; -static char *auth_string; - -int use_builtin_ls = -1; - -static int help_flag; -static int version_flag; - -static const char *good_chars = "+-=_,."; - -struct getargs args[] = { - { NULL, 'a', arg_string, &auth_string, "required authentication" }, - { NULL, 'i', arg_flag, &interactive_flag, "don't assume stdin is a socket" }, - { NULL, 'p', arg_string, &port_string, "what port to listen to" }, - { NULL, 'g', arg_string, &guest_umask_string, "umask for guest logins" }, - { NULL, 'l', arg_counter, &logging, "log more stuff", "" }, - { NULL, 't', arg_integer, &ftpd_timeout, "initial timeout" }, - { NULL, 'T', arg_integer, &maxtimeout, "max timeout" }, - { NULL, 'u', arg_string, &umask_string, "umask for user logins" }, - { NULL, 'U', arg_negative_flag, &restricted_data_ports, "don't use high data ports" }, - { NULL, 'd', arg_flag, &debug, "enable debugging" }, - { NULL, 'v', arg_flag, &debug, "enable debugging" }, - { "builtin-ls", 'B', arg_flag, &use_builtin_ls, "use built-in ls to list files" }, - { "good-chars", 0, arg_string, &good_chars, "allowed anonymous upload filename chars" }, - { "insecure-oob", 'I', arg_negative_flag, &allow_insecure_oob, "don't allow insecure OOB ABOR/STAT" }, -#ifdef KRB5 
- { "gss-bindings", 0, arg_flag, &ftp_do_gss_bindings, "Require GSS-API bindings", NULL}, -#endif - { "version", 0, arg_flag, &version_flag }, - { "help", 'h', arg_flag, &help_flag } -}; - -static int num_args = sizeof(args) / sizeof(args[0]); - -static void -usage (int code) -{ - arg_printusage(args, num_args, NULL, ""); - exit (code); -} - -/* output contents of a file */ -static int -show_file(const char *file, int code) -{ - FILE *f; - char buf[128]; - - f = fopen(file, "r"); - if(f == NULL) - return -1; - while(fgets(buf, sizeof(buf), f)){ - buf[strcspn(buf, "\r\n")] = '\0'; - lreply(code, "%s", buf); - } - fclose(f); - return 0; -} - -int -main(int argc, char **argv) -{ - socklen_t his_addr_len, ctrl_addr_len; - int on = 1; - int port; - struct servent *sp; - - int optind = 0; - - setprogname (argv[0]); - - /* detach from any tickets and tokens */ - { -#ifdef KRB4 - char tkfile[1024]; - snprintf(tkfile, sizeof(tkfile), - "/tmp/ftp_%u", (unsigned)getpid()); - krb_set_tkt_string(tkfile); -#endif - } -#if defined(KRB4) || defined(KRB5) - if(k_hasafs()) - k_setpag(); -#endif - - if(getarg(args, num_args, argc, argv, &optind)) - usage(1); - - if(help_flag) - usage(0); - - if(version_flag) { - print_version(NULL); - exit(0); - } - - if(auth_string) - auth_level = parse_auth_level(auth_string); - { - char *p; - long val = 0; - - if(guest_umask_string) { - val = strtol(guest_umask_string, &p, 8); - if (*p != '\0' || val < 0) - warnx("bad value for -g"); - else - guest_umask = val; - } - if(umask_string) { - val = strtol(umask_string, &p, 8); - if (*p != '\0' || val < 0) - warnx("bad value for -u"); - else - defumask = val; - } - } - sp = getservbyname("ftp", "tcp"); - if(sp) - port = sp->s_port; - else - port = htons(21); - if(port_string) { - sp = getservbyname(port_string, "tcp"); - if(sp) - port = sp->s_port; - else - if(isdigit((unsigned char)port_string[0])) - port = htons(atoi(port_string)); - else - warnx("bad value for -p"); - } - - if (maxtimeout < 
ftpd_timeout) - maxtimeout = ftpd_timeout; - -#if 0 - if (ftpd_timeout > maxtimeout) - ftpd_timeout = maxtimeout; -#endif - - if(interactive_flag) - mini_inetd (port); - - /* - * LOG_NDELAY sets up the logging connection immediately, - * necessary for anonymous ftp's that chroot and can't do it later. - */ - openlog("ftpd", LOG_PID | LOG_NDELAY, LOG_FTP); - his_addr_len = sizeof(his_addr_ss); - if (getpeername(STDIN_FILENO, his_addr, &his_addr_len) < 0) { - syslog(LOG_ERR, "getpeername (%s): %m",argv[0]); - exit(1); - } - ctrl_addr_len = sizeof(ctrl_addr_ss); - if (getsockname(STDIN_FILENO, ctrl_addr, &ctrl_addr_len) < 0) { - syslog(LOG_ERR, "getsockname (%s): %m",argv[0]); - exit(1); - } -#if defined(IP_TOS) && defined(HAVE_SETSOCKOPT) - { - int tos = IPTOS_LOWDELAY; - - if (setsockopt(STDIN_FILENO, IPPROTO_IP, IP_TOS, - (void *)&tos, sizeof(int)) < 0) - syslog(LOG_WARNING, "setsockopt (IP_TOS): %m"); - } -#endif - data_source->sa_family = ctrl_addr->sa_family; - socket_set_port (data_source, - htons(ntohs(socket_get_port(ctrl_addr)) - 1)); - - /* set this here so it can be put in wtmp */ - snprintf(ttyline, sizeof(ttyline), "ftp%u", (unsigned)getpid()); - - - /* freopen(_PATH_DEVNULL, "w", stderr); */ - signal(SIGPIPE, lostconn); - signal(SIGCHLD, SIG_IGN); -#ifdef SIGURG - if (signal(SIGURG, myoob) == SIG_ERR) - syslog(LOG_ERR, "signal: %m"); -#endif - - /* Try to handle urgent data inline */ -#if defined(SO_OOBINLINE) && defined(HAVE_SETSOCKOPT) - if (setsockopt(0, SOL_SOCKET, SO_OOBINLINE, (void *)&on, - sizeof(on)) < 0) - syslog(LOG_ERR, "setsockopt: %m"); -#endif - -#ifdef F_SETOWN - if (fcntl(fileno(stdin), F_SETOWN, getpid()) == -1) - syslog(LOG_ERR, "fcntl F_SETOWN: %m"); -#endif - dolog(his_addr, his_addr_len); - /* - * Set up default state - */ - data = -1; - type = TYPE_A; - form = FORM_N; - stru = STRU_F; - mode = MODE_S; - tmpline[0] = '\0'; - - /* If logins are disabled, print out the message. 
*/ - if(show_file(_PATH_NOLOGIN, 530) == 0) { - reply(530, "System not available."); - exit(0); - } - show_file(_PATH_FTPWELCOME, 220); - /* reply(220,) must follow */ - gethostname(hostname, sizeof(hostname)); - - reply(220, "%s FTP server (%s" -#ifdef KRB5 - "+%s" -#endif -#ifdef KRB4 - "+%s" -#endif - ") ready.", hostname, version -#ifdef KRB5 - ,heimdal_version -#endif -#ifdef KRB4 - ,krb4_version -#endif - ); - - for (;;) - yyparse(); - /* NOTREACHED */ -} - -static RETSIGTYPE -lostconn(int signo) -{ - - if (debug) - syslog(LOG_DEBUG, "lost connection"); - dologout(-1); -} - -/* - * Helper function for sgetpwnam(). - */ -static char * -sgetsave(char *s) -{ - char *new = strdup(s); - - if (new == NULL) { - perror_reply(421, "Local resource failure: malloc"); - dologout(1); - /* NOTREACHED */ - } - return new; -} - -/* - * Save the result of a getpwnam. Used for USER command, since - * the data returned must not be clobbered by any other command - * (e.g., globbing). - */ -static struct passwd * -sgetpwnam(char *name) -{ - static struct passwd save; - struct passwd *p; - - if ((p = k_getpwnam(name)) == NULL) - return (p); - if (save.pw_name) { - free(save.pw_name); - free(save.pw_passwd); - free(save.pw_gecos); - free(save.pw_dir); - free(save.pw_shell); - } - save = *p; - save.pw_name = sgetsave(p->pw_name); - save.pw_passwd = sgetsave(p->pw_passwd); - save.pw_gecos = sgetsave(p->pw_gecos); - save.pw_dir = sgetsave(p->pw_dir); - save.pw_shell = sgetsave(p->pw_shell); - return (&save); -} - -static int login_attempts; /* number of failed login attempts */ -static int askpasswd; /* had user command, ask for passwd */ -static char curname[10]; /* current USER name */ -#ifdef OTP -OtpContext otp_ctx; -#endif - -/* - * USER command. - * Sets global passwd pointer pw if named account exists and is acceptable; - * sets askpasswd if a PASS command is expected. If logged in previously, - * need to reset state. 
If name is "ftp" or "anonymous", the name is not in - * _PATH_FTPUSERS, and ftp account exists, set guest and pw, then just return. - * If account doesn't exist, ask for passwd anyway. Otherwise, check user - * requesting login privileges. Disallow anyone who does not have a standard - * shell as returned by getusershell(). Disallow anyone mentioned in the file - * _PATH_FTPUSERS to allow people such as root and uucp to be avoided. - */ -void -user(char *name) -{ - char *cp, *shell; - - if(auth_level == 0 && !sec_complete){ - reply(530, "No login allowed without authorization."); - return; - } - - if (logged_in) { - if (guest) { - reply(530, "Can't change user from guest login."); - return; - } else if (dochroot) { - reply(530, "Can't change user from chroot user."); - return; - } - end_login(); - } - - guest = 0; - if (strcmp(name, "ftp") == 0 || strcmp(name, "anonymous") == 0) { - if ((auth_level & AUTH_FTP) == 0 || - checkaccess("ftp") || - checkaccess("anonymous")) - reply(530, "User %s access denied.", name); - else if ((pw = sgetpwnam("ftp")) != NULL) { - guest = 1; - defumask = guest_umask; /* paranoia for incoming */ - askpasswd = 1; - reply(331, "Guest login ok, type your name as password."); - } else - reply(530, "User %s unknown.", name); - if (!askpasswd && logging) { - char data_addr[256]; - - if (inet_ntop (his_addr->sa_family, - socket_get_address(his_addr), - data_addr, sizeof(data_addr)) == NULL) - strlcpy (data_addr, "unknown address", - sizeof(data_addr)); - - syslog(LOG_NOTICE, - "ANONYMOUS FTP LOGIN REFUSED FROM %s(%s)", - remotehost, data_addr); - } - return; - } - if((auth_level & AUTH_PLAIN) == 0 && !sec_complete){ - reply(530, "Only authorized and anonymous login allowed."); - return; - } - if ((pw = sgetpwnam(name))) { - if ((shell = pw->pw_shell) == NULL || *shell == 0) - shell = _PATH_BSHELL; - while ((cp = getusershell()) != NULL) - if (strcmp(cp, shell) == 0) - break; - endusershell(); - - if (cp == NULL || checkaccess(name)) { - 
reply(530, "User %s access denied.", name); - if (logging) { - char data_addr[256]; - - if (inet_ntop (his_addr->sa_family, - socket_get_address(his_addr), - data_addr, - sizeof(data_addr)) == NULL) - strlcpy (data_addr, - "unknown address", - sizeof(data_addr)); - - syslog(LOG_NOTICE, - "FTP LOGIN REFUSED FROM %s(%s), %s", - remotehost, - data_addr, - name); - } - pw = (struct passwd *) NULL; - return; - } - } - if (logging) - strlcpy(curname, name, sizeof(curname)); - if(sec_complete) { - if(sec_userok(name) == 0) - do_login(232, name); - else - reply(530, "User %s access denied.", name); - } else { - char ss[256]; - -#ifdef OTP - if (otp_challenge(&otp_ctx, name, ss, sizeof(ss)) == 0) { - reply(331, "Password %s for %s required.", - ss, name); - askpasswd = 1; - } else -#endif - if ((auth_level & AUTH_OTP) == 0) { - reply(331, "Password required for %s.", name); - askpasswd = 1; - } else { - char *s; - -#ifdef OTP - if ((s = otp_error (&otp_ctx)) != NULL) - lreply(530, "OTP: %s", s); -#endif - reply(530, - "Only authorized, anonymous" -#ifdef OTP - " and OTP " -#endif - "login allowed."); - } - - } - /* - * Delay before reading passwd after first failed - * attempt to slow down passwd-guessing programs. - */ - if (login_attempts) - sleep(login_attempts); -} - -/* - * Check if a user is in the file "fname" - */ -static int -checkuser(char *fname, char *name) -{ - FILE *fd; - int found = 0; - char *p, line[BUFSIZ]; - - if ((fd = fopen(fname, "r")) != NULL) { - while (fgets(line, sizeof(line), fd) != NULL) - if ((p = strchr(line, '\n')) != NULL) { - *p = '\0'; - if (line[0] == '#') - continue; - if (strcmp(line, name) == 0) { - found = 1; - break; - } - } - fclose(fd); - } - return (found); -} - - -/* - * Determine whether a user has access, based on information in - * _PATH_FTPUSERS. The users are listed one per line, with `allow' - * or `deny' after the username. If anything other than `allow', or - * just nothing, is given after the username, `deny' is assumed. 
- * - * If the user is not found in the file, but the pseudo-user `*' is, - * the permission is taken from that line. - * - * This preserves the old semantics where if a user was listed in the - * file he was denied, otherwise he was allowed. - * - * Return 1 if the user is denied, or 0 if he is allowed. */ - -static int -match(const char *pattern, const char *string) -{ - return fnmatch(pattern, string, FNM_NOESCAPE); -} - -static int -checkaccess(char *name) -{ -#define ALLOWED 0 -#define NOT_ALLOWED 1 - FILE *fd; - int allowed = ALLOWED; - char *user, *perm, line[BUFSIZ]; - char *foo; - - fd = fopen(_PATH_FTPUSERS, "r"); - - if(fd == NULL) - return allowed; - - while (fgets(line, sizeof(line), fd) != NULL) { - foo = NULL; - user = strtok_r(line, " \t\n", &foo); - if (user == NULL || user[0] == '#') - continue; - perm = strtok_r(NULL, " \t\n", &foo); - if (match(user, name) == 0){ - if(perm && strcmp(perm, "allow") == 0) - allowed = ALLOWED; - else - allowed = NOT_ALLOWED; - break; - } - } - fclose(fd); - return allowed; -} -#undef ALLOWED -#undef NOT_ALLOWED - - -int do_login(int code, char *passwd) -{ - login_attempts = 0; /* this time successful */ - if (setegid((gid_t)pw->pw_gid) < 0) { - reply(550, "Can't set gid."); - return -1; - } - initgroups(pw->pw_name, pw->pw_gid); - - /* open wtmp before chroot */ - ftpd_logwtmp(ttyline, pw->pw_name, remotehost); - logged_in = 1; - - dochroot = checkuser(_PATH_FTPCHROOT, pw->pw_name); - if (guest) { - /* - * We MUST do a chdir() after the chroot. Otherwise - * the old current directory will be accessible as "." - * outside the new root! 
- */ - if (chroot(pw->pw_dir) < 0 || chdir("/") < 0) { - reply(550, "Can't set guest privileges."); - return -1; - } - } else if (dochroot) { - if (chroot(pw->pw_dir) < 0 || chdir("/") < 0) { - reply(550, "Can't change root."); - return -1; - } - } else if (chdir(pw->pw_dir) < 0) { - if (chdir("/") < 0) { - reply(530, "User %s: can't change directory to %s.", - pw->pw_name, pw->pw_dir); - return -1; - } else - lreply(code, "No directory! Logging in with home=/"); - } - if (seteuid((uid_t)pw->pw_uid) < 0) { - reply(550, "Can't set uid."); - return -1; - } - - if(use_builtin_ls == -1) { - struct stat st; - /* if /bin/ls exist and is a regular file, use it, otherwise - use built-in ls */ - if(stat("/bin/ls", &st) == 0 && - S_ISREG(st.st_mode)) - use_builtin_ls = 0; - else - use_builtin_ls = 1; - } - - /* - * Display a login message, if it exists. - * N.B. reply(code,) must follow the message. - */ - show_file(_PATH_FTPLOGINMESG, code); - if(show_file(_PATH_ISSUE_NET, code) != 0) - show_file(_PATH_ISSUE, code); - if (guest) { - reply(code, "Guest login ok, access restrictions apply."); -#ifdef HAVE_SETPROCTITLE - snprintf (proctitle, sizeof(proctitle), - "%s: anonymous/%s", - remotehost, - passwd); - setproctitle("%s", proctitle); -#endif /* HAVE_SETPROCTITLE */ - if (logging) { - char data_addr[256]; - - if (inet_ntop (his_addr->sa_family, - socket_get_address(his_addr), - data_addr, sizeof(data_addr)) == NULL) - strlcpy (data_addr, "unknown address", - sizeof(data_addr)); - - syslog(LOG_INFO, "ANONYMOUS FTP LOGIN FROM %s(%s), %s", - remotehost, - data_addr, - passwd); - } - } else { - reply(code, "User %s logged in.", pw->pw_name); -#ifdef HAVE_SETPROCTITLE - snprintf(proctitle, sizeof(proctitle), "%s: %s", remotehost, pw->pw_name); - setproctitle("%s", proctitle); -#endif /* HAVE_SETPROCTITLE */ - if (logging) { - char data_addr[256]; - - if (inet_ntop (his_addr->sa_family, - socket_get_address(his_addr), - data_addr, sizeof(data_addr)) == NULL) - strlcpy 
(data_addr, "unknown address", - sizeof(data_addr)); - - syslog(LOG_INFO, "FTP LOGIN FROM %s(%s) as %s", - remotehost, - data_addr, - pw->pw_name); - } - } - umask(defumask); - return 0; -} - -/* - * Terminate login as previous user, if any, resetting state; - * used when USER command is given or login fails. - */ -static void -end_login(void) -{ - - seteuid((uid_t)0); - if (logged_in) - ftpd_logwtmp(ttyline, "", ""); - pw = NULL; - logged_in = 0; - guest = 0; - dochroot = 0; -} - -#ifdef KRB5 -static int -krb5_verify(struct passwd *pwd, char *passwd) -{ - krb5_context context; - krb5_ccache id; - krb5_principal princ; - krb5_error_code ret; - - ret = krb5_init_context(&context); - if(ret) - return ret; - - ret = krb5_parse_name(context, pwd->pw_name, &princ); - if(ret){ - krb5_free_context(context); - return ret; - } - ret = krb5_cc_gen_new(context, &krb5_mcc_ops, &id); - if(ret){ - krb5_free_principal(context, princ); - krb5_free_context(context); - return ret; - } - ret = krb5_verify_user(context, - princ, - id, - passwd, - 1, - NULL); - krb5_free_principal(context, princ); - if (k_hasafs()) { - krb5_afslog_uid_home(context, id,NULL, NULL,pwd->pw_uid, pwd->pw_dir); - } - krb5_cc_destroy(context, id); - krb5_free_context (context); - if(ret) - return ret; - return 0; -} -#endif /* KRB5 */ - -void -pass(char *passwd) -{ - int rval; - - /* some clients insists on sending a password */ - if (logged_in && askpasswd == 0){ - reply(230, "Password not necessary"); - return; - } - - if (logged_in || askpasswd == 0) { - reply(503, "Login with USER first."); - return; - } - askpasswd = 0; - rval = 1; - if (!guest) { /* "ftp" is only account allowed no password */ - if (pw == NULL) - rval = 1; /* failure below */ -#ifdef OTP - else if (otp_verify_user (&otp_ctx, passwd) == 0) { - rval = 0; - } -#endif - else if((auth_level & AUTH_OTP) == 0) { -#ifdef KRB5 - rval = krb5_verify(pw, passwd); -#endif -#ifdef KRB4 - if (rval) { - char realm[REALM_SZ]; - if((rval = 
krb_get_lrealm(realm, 1)) == KSUCCESS) - rval = krb_verify_user(pw->pw_name, - "", realm, - passwd, - KRB_VERIFY_SECURE, NULL); - if (rval == KSUCCESS ) { - chown (tkt_string(), pw->pw_uid, pw->pw_gid); - if(k_hasafs()) - krb_afslog(0, 0); - } - } -#endif - if (rval) - rval = unix_verify_user(pw->pw_name, passwd); - } else { - char *s; - -#ifdef OTP - if ((s = otp_error(&otp_ctx)) != NULL) - lreply(530, "OTP: %s", s); -#endif - } - memset (passwd, 0, strlen(passwd)); - - /* - * If rval == 1, the user failed the authentication - * check above. If rval == 0, either Kerberos or - * local authentication succeeded. - */ - if (rval) { - char data_addr[256]; - - if (inet_ntop (his_addr->sa_family, - socket_get_address(his_addr), - data_addr, sizeof(data_addr)) == NULL) - strlcpy (data_addr, "unknown address", - sizeof(data_addr)); - - reply(530, "Login incorrect."); - if (logging) - syslog(LOG_NOTICE, - "FTP LOGIN FAILED FROM %s(%s), %s", - remotehost, - data_addr, - curname); - pw = NULL; - if (login_attempts++ >= 5) { - syslog(LOG_NOTICE, - "repeated login failures from %s(%s)", - remotehost, - data_addr); - exit(0); - } - return; - } - } - if(!do_login(230, passwd)) - return; - - /* Forget all about it... 
*/ - end_login(); -} - -void -retrieve(const char *cmd, char *name) -{ - FILE *fin = NULL, *dout; - struct stat st; - int (*closefunc) (FILE *); - char line[BUFSIZ]; - - - if (cmd == 0) { - fin = fopen(name, "r"); - closefunc = fclose; - st.st_size = 0; - if(fin == NULL){ - int save_errno = errno; - struct cmds { - const char *ext; - const char *cmd; - const char *rev_cmd; - } cmds[] = { - {".tar", "/bin/gtar cPf - %s", NULL}, - {".tar.gz", "/bin/gtar zcPf - %s", NULL}, - {".tar.Z", "/bin/gtar ZcPf - %s", NULL}, - {".gz", "/bin/gzip -c -- %s", "/bin/gzip -c -d -- %s"}, - {".Z", "/bin/compress -c -- %s", "/bin/uncompress -c -- %s"}, - {NULL, NULL} - }; - struct cmds *p; - for(p = cmds; p->ext; p++){ - char *tail = name + strlen(name) - strlen(p->ext); - char c = *tail; - - if(strcmp(tail, p->ext) == 0 && - (*tail = 0) == 0 && - access(name, R_OK) == 0){ - snprintf (line, sizeof(line), p->cmd, name); - *tail = c; - break; - } - *tail = c; - if (p->rev_cmd != NULL) { - char *ext; - - asprintf(&ext, "%s%s", name, p->ext); - if (ext != NULL) { - if (access(ext, R_OK) == 0) { - snprintf (line, sizeof(line), - p->rev_cmd, ext); - free(ext); - break; - } - free(ext); - } - } - - } - if(p->ext){ - fin = ftpd_popen(line, "r", 0, 0); - closefunc = ftpd_pclose; - st.st_size = -1; - cmd = line; - } else - errno = save_errno; - } - } else { - snprintf(line, sizeof(line), cmd, name); - name = line; - fin = ftpd_popen(line, "r", 1, 0); - closefunc = ftpd_pclose; - st.st_size = -1; - } - if (fin == NULL) { - if (errno != 0) { - perror_reply(550, name); - if (cmd == 0) { - LOGCMD("get", name); - } - } - return; - } - byte_count = -1; - if (cmd == 0){ - if(fstat(fileno(fin), &st) < 0 || !S_ISREG(st.st_mode)) { - reply(550, "%s: not a plain file.", name); - goto done; - } - } - if (restart_point) { - if (type == TYPE_A) { - off_t i, n; - int c; - - n = restart_point; - i = 0; - while (i++ < n) { - if ((c=getc(fin)) == EOF) { - perror_reply(550, name); - goto done; - } - if (c == '\n') 
- i++; - } - } else if (lseek(fileno(fin), restart_point, SEEK_SET) < 0) { - perror_reply(550, name); - goto done; - } - } - dout = dataconn(name, st.st_size, "w"); - if (dout == NULL) - goto done; - set_buffer_size(fileno(dout), 0); - send_data(fin, dout); - fclose(dout); - data = -1; - pdata = -1; -done: - if (cmd == 0) - LOGBYTES("get", name, byte_count); - (*closefunc)(fin); -} - -/* filename sanity check */ - -int -filename_check(char *filename) -{ - unsigned char *p; - - p = (unsigned char *)strrchr(filename, '/'); - if(p) - filename = p + 1; - - p = filename; - - if(isalnum(*p)){ - p++; - while(*p && (isalnum(*p) || strchr(good_chars, *p))) - p++; - if(*p == '\0') - return 0; - } - lreply(553, "\"%s\" is not an acceptable filename.", filename); - lreply(553, "The filename must start with an alphanumeric " - "character and must only"); - reply(553, "consist of alphanumeric characters or any of the following: %s", - good_chars); - return 1; -} - -void -do_store(char *name, char *mode, int unique) -{ - FILE *fout, *din; - struct stat st; - int (*closefunc) (FILE *); - - if(guest && filename_check(name)) - return; - if (unique && stat(name, &st) == 0 && - (name = gunique(name)) == NULL) { - LOGCMD(*mode == 'w' ? "put" : "append", name); - return; - } - - if (restart_point) - mode = "r+"; - fout = fopen(name, mode); - closefunc = fclose; - if (fout == NULL) { - perror_reply(553, name); - LOGCMD(*mode == 'w' ? "put" : "append", name); - return; - } - byte_count = -1; - if (restart_point) { - if (type == TYPE_A) { - off_t i, n; - int c; - - n = restart_point; - i = 0; - while (i++ < n) { - if ((c=getc(fout)) == EOF) { - perror_reply(550, name); - goto done; - } - if (c == '\n') - i++; - } - /* - * We must do this seek to "current" position - * because we are changing from reading to - * writing. 
- */ - if (fseek(fout, 0L, SEEK_CUR) < 0) { - perror_reply(550, name); - goto done; - } - } else if (lseek(fileno(fout), restart_point, SEEK_SET) < 0) { - perror_reply(550, name); - goto done; - } - } - din = dataconn(name, (off_t)-1, "r"); - if (din == NULL) - goto done; - set_buffer_size(fileno(din), 1); - if (receive_data(din, fout) == 0) { - if((*closefunc)(fout) < 0) - perror_reply(552, name); - else { - if (unique) - reply(226, "Transfer complete (unique file name:%s).", - name); - else - reply(226, "Transfer complete."); - } - } else - (*closefunc)(fout); - fclose(din); - data = -1; - pdata = -1; -done: - LOGBYTES(*mode == 'w' ? "put" : "append", name, byte_count); -} - -static FILE * -getdatasock(const char *mode) -{ - int s, t, tries; - - if (data >= 0) - return (fdopen(data, mode)); - seteuid(0); - s = socket(ctrl_addr->sa_family, SOCK_STREAM, 0); - if (s < 0) - goto bad; - socket_set_reuseaddr (s, 1); - /* anchor socket to avoid multi-homing problems */ - socket_set_address_and_port (data_source, - socket_get_address (ctrl_addr), - socket_get_port (data_source)); - - for (tries = 1; ; tries++) { - if (bind(s, data_source, - socket_sockaddr_size (data_source)) >= 0) - break; - if (errno != EADDRINUSE || tries > 10) - goto bad; - sleep(tries); - } - seteuid(pw->pw_uid); -#ifdef IPTOS_THROUGHPUT - socket_set_tos (s, IPTOS_THROUGHPUT); -#endif - return (fdopen(s, mode)); -bad: - /* Return the real value of errno (close may change it) */ - t = errno; - seteuid((uid_t)pw->pw_uid); - close(s); - errno = t; - return (NULL); -} - -static int -accept_with_timeout(int socket, - struct sockaddr *address, - socklen_t *address_len, - struct timeval *timeout) -{ - int ret; - fd_set rfd; - FD_ZERO(&rfd); - FD_SET(socket, &rfd); - ret = select(socket + 1, &rfd, NULL, NULL, timeout); - if(ret < 0) - return ret; - if(ret == 0) { - errno = ETIMEDOUT; - return -1; - } - return accept(socket, address, address_len); -} - -static FILE * -dataconn(const char *name, off_t size, 
const char *mode) -{ - char sizebuf[32]; - FILE *file; - int retry = 0; - - file_size = size; - byte_count = 0; - if (size >= 0) - snprintf(sizebuf, sizeof(sizebuf), " (%ld bytes)", (long)size); - else - *sizebuf = '\0'; - if (pdata >= 0) { - struct sockaddr_storage from_ss; - struct sockaddr *from = (struct sockaddr *)&from_ss; - struct timeval timeout; - int s; - socklen_t fromlen = sizeof(from_ss); - - timeout.tv_sec = 15; - timeout.tv_usec = 0; - s = accept_with_timeout(pdata, from, &fromlen, &timeout); - if (s < 0) { - reply(425, "Can't open data connection."); - close(pdata); - pdata = -1; - return (NULL); - } - close(pdata); - pdata = s; -#if defined(IP_TOS) && defined(HAVE_SETSOCKOPT) - { - int tos = IPTOS_THROUGHPUT; - - setsockopt(s, IPPROTO_IP, IP_TOS, (void *)&tos, - sizeof(tos)); - } -#endif - reply(150, "Opening %s mode data connection for '%s'%s.", - type == TYPE_A ? "ASCII" : "BINARY", name, sizebuf); - return (fdopen(pdata, mode)); - } - if (data >= 0) { - reply(125, "Using existing data connection for '%s'%s.", - name, sizebuf); - usedefault = 1; - return (fdopen(data, mode)); - } - if (usedefault) - data_dest = his_addr; - usedefault = 1; - file = getdatasock(mode); - if (file == NULL) { - char data_addr[256]; - - if (inet_ntop (data_source->sa_family, - socket_get_address(data_source), - data_addr, sizeof(data_addr)) == NULL) - strlcpy (data_addr, "unknown address", - sizeof(data_addr)); - - reply(425, "Can't create data socket (%s,%d): %s.", - data_addr, - socket_get_port (data_source), - strerror(errno)); - return (NULL); - } - data = fileno(file); - while (connect(data, data_dest, - socket_sockaddr_size(data_dest)) < 0) { - if (errno == EADDRINUSE && retry < swaitmax) { - sleep(swaitint); - retry += swaitint; - continue; - } - perror_reply(425, "Can't build data connection"); - fclose(file); - data = -1; - return (NULL); - } - reply(150, "Opening %s mode data connection for '%s'%s.", - type == TYPE_A ? 
"ASCII" : "BINARY", name, sizebuf); - return (file); -} - -/* - * Tranfer the contents of "instr" to "outstr" peer using the appropriate - * encapsulation of the data subject * to Mode, Structure, and Type. - * - * NB: Form isn't handled. - */ -static void -send_data(FILE *instr, FILE *outstr) -{ - int c, cnt, filefd, netfd; - static char *buf; - static size_t bufsize; - - transflag = 1; - switch (type) { - - case TYPE_A: - while ((c = getc(instr)) != EOF) { - if (urgflag && handleoobcmd()) - return; - byte_count++; - if(c == '\n') - sec_putc('\r', outstr); - sec_putc(c, outstr); - } - sec_fflush(outstr); - transflag = 0; - urgflag = 0; - if (ferror(instr)) - goto file_err; - if (ferror(outstr)) - goto data_err; - reply(226, "Transfer complete."); - return; - - case TYPE_I: - case TYPE_L: -#if 0 /* XXX handle urg flag */ -#if defined(HAVE_MMAP) && !defined(NO_MMAP) -#ifndef MAP_FAILED -#define MAP_FAILED (-1) -#endif - { - struct stat st; - char *chunk; - int in = fileno(instr); - if(fstat(in, &st) == 0 && S_ISREG(st.st_mode) - && st.st_size > 0) { - /* - * mmap zero bytes has potential of loosing, don't do it. - */ - chunk = mmap(0, st.st_size, PROT_READ, - MAP_SHARED, in, 0); - if((void *)chunk != (void *)MAP_FAILED) { - cnt = st.st_size - restart_point; - sec_write(fileno(outstr), chunk + restart_point, cnt); - if (munmap(chunk, st.st_size) < 0) - warn ("munmap"); - sec_fflush(outstr); - byte_count = cnt; - transflag = 0; - urgflag = 0; - } - } - } -#endif -#endif - if(transflag) { - struct stat st; - - netfd = fileno(outstr); - filefd = fileno(instr); - buf = alloc_buffer (buf, &bufsize, - fstat(filefd, &st) >= 0 ? 
&st : NULL); - if (buf == NULL) { - transflag = 0; - urgflag = 0; - perror_reply(451, "Local resource failure: malloc"); - return; - } - while ((cnt = read(filefd, buf, bufsize)) > 0 && - sec_write(netfd, buf, cnt) == cnt) { - byte_count += cnt; - if (urgflag && handleoobcmd()) - return; - } - sec_fflush(outstr); /* to end an encrypted stream */ - transflag = 0; - urgflag = 0; - if (cnt != 0) { - if (cnt < 0) - goto file_err; - goto data_err; - } - } - reply(226, "Transfer complete."); - return; - default: - transflag = 0; - urgflag = 0; - reply(550, "Unimplemented TYPE %d in send_data", type); - return; - } - -data_err: - transflag = 0; - urgflag = 0; - perror_reply(426, "Data connection"); - return; - -file_err: - transflag = 0; - urgflag = 0; - perror_reply(551, "Error on input file"); -} - -/* - * Transfer data from peer to "outstr" using the appropriate encapulation of - * the data subject to Mode, Structure, and Type. - * - * N.B.: Form isn't handled. - */ -static int -receive_data(FILE *instr, FILE *outstr) -{ - int cnt, bare_lfs = 0; - static char *buf; - static size_t bufsize; - struct stat st; - - transflag = 1; - - buf = alloc_buffer (buf, &bufsize, - fstat(fileno(outstr), &st) >= 0 ? 
&st : NULL); - if (buf == NULL) { - transflag = 0; - urgflag = 0; - perror_reply(451, "Local resource failure: malloc"); - return -1; - } - - switch (type) { - - case TYPE_I: - case TYPE_L: - while ((cnt = sec_read(fileno(instr), buf, bufsize)) > 0) { - if (write(fileno(outstr), buf, cnt) != cnt) - goto file_err; - byte_count += cnt; - if (urgflag && handleoobcmd()) - return (-1); - } - if (cnt < 0) - goto data_err; - transflag = 0; - urgflag = 0; - return (0); - - case TYPE_E: - reply(553, "TYPE E not implemented."); - transflag = 0; - urgflag = 0; - return (-1); - - case TYPE_A: - { - char *p, *q; - int cr_flag = 0; - while ((cnt = sec_read(fileno(instr), - buf + cr_flag, - bufsize - cr_flag)) > 0){ - if (urgflag && handleoobcmd()) - return (-1); - byte_count += cnt; - cnt += cr_flag; - cr_flag = 0; - for(p = buf, q = buf; p < buf + cnt;) { - if(*p == '\n') - bare_lfs++; - if(*p == '\r') { - if(p == buf + cnt - 1){ - cr_flag = 1; - p++; - continue; - }else if(p[1] == '\n'){ - *q++ = '\n'; - p += 2; - continue; - } - } - *q++ = *p++; - } - fwrite(buf, q - buf, 1, outstr); - if(cr_flag) - buf[0] = '\r'; - } - if(cr_flag) - putc('\r', outstr); - fflush(outstr); - if (ferror(instr)) - goto data_err; - if (ferror(outstr)) - goto file_err; - transflag = 0; - urgflag = 0; - if (bare_lfs) { - lreply(226, "WARNING! 
%d bare linefeeds received in ASCII mode\r\n" - " File may not have transferred correctly.\r\n", - bare_lfs); - } - return (0); - } - default: - reply(550, "Unimplemented TYPE %d in receive_data", type); - transflag = 0; - urgflag = 0; - return (-1); - } - -data_err: - transflag = 0; - urgflag = 0; - perror_reply(426, "Data Connection"); - return (-1); - -file_err: - transflag = 0; - urgflag = 0; - perror_reply(452, "Error writing file"); - return (-1); -} - -void -statfilecmd(char *filename) -{ - FILE *fin; - int c; - char line[LINE_MAX]; - - snprintf(line, sizeof(line), "/bin/ls -la -- %s", filename); - fin = ftpd_popen(line, "r", 1, 0); - lreply(211, "status of %s:", filename); - while ((c = getc(fin)) != EOF) { - if (c == '\n') { - if (ferror(stdout)){ - perror_reply(421, "control connection"); - ftpd_pclose(fin); - dologout(1); - /* NOTREACHED */ - } - if (ferror(fin)) { - perror_reply(551, filename); - ftpd_pclose(fin); - return; - } - putc('\r', stdout); - } - putc(c, stdout); - } - ftpd_pclose(fin); - reply(211, "End of Status"); -} - -void -statcmd(void) -{ -#if 0 - struct sockaddr_in *sin; - u_char *a, *p; - - lreply(211, "%s FTP server (%s) status:", hostname, version); - printf(" %s\r\n", version); - printf(" Connected to %s", remotehost); - if (!isdigit(remotehost[0])) - printf(" (%s)", inet_ntoa(his_addr.sin_addr)); - printf("\r\n"); - if (logged_in) { - if (guest) - printf(" Logged in anonymously\r\n"); - else - printf(" Logged in as %s\r\n", pw->pw_name); - } else if (askpasswd) - printf(" Waiting for password\r\n"); - else - printf(" Waiting for user name\r\n"); - printf(" TYPE: %s", typenames[type]); - if (type == TYPE_A || type == TYPE_E) - printf(", FORM: %s", formnames[form]); - if (type == TYPE_L) -#if NBBY == 8 - printf(" %d", NBBY); -#else - printf(" %d", bytesize); /* need definition! 
*/ -#endif - printf("; STRUcture: %s; transfer MODE: %s\r\n", - strunames[stru], modenames[mode]); - if (data != -1) - printf(" Data connection open\r\n"); - else if (pdata != -1) { - printf(" in Passive mode"); - sin = &pasv_addr; - goto printaddr; - } else if (usedefault == 0) { - printf(" PORT"); - sin = &data_dest; -printaddr: - a = (u_char *) &sin->sin_addr; - p = (u_char *) &sin->sin_port; -#define UC(b) (((int) b) & 0xff) - printf(" (%d,%d,%d,%d,%d,%d)\r\n", UC(a[0]), - UC(a[1]), UC(a[2]), UC(a[3]), UC(p[0]), UC(p[1])); -#undef UC - } else - printf(" No data connection\r\n"); -#endif - reply(211, "End of status"); -} - -void -fatal(char *s) -{ - - reply(451, "Error in server: %s\n", s); - reply(221, "Closing connection due to server error."); - dologout(0); - /* NOTREACHED */ -} - -static void -int_reply(int, char *, const char *, va_list) -#ifdef __GNUC__ -__attribute__ ((format (printf, 3, 0))) -#endif -; - -static void -int_reply(int n, char *c, const char *fmt, va_list ap) -{ - char buf[10240]; - char *p; - p=buf; - if(n){ - snprintf(p, sizeof(buf), "%d%s", n, c); - p+=strlen(p); - } - vsnprintf(p, sizeof(buf) - strlen(p), fmt, ap); - p+=strlen(p); - snprintf(p, sizeof(buf) - strlen(p), "\r\n"); - p+=strlen(p); - sec_fprintf(stdout, "%s", buf); - fflush(stdout); - if (debug) - syslog(LOG_DEBUG, "<--- %s- ", buf); -} - -void -reply(int n, const char *fmt, ...) -{ - va_list ap; - va_start(ap, fmt); - int_reply(n, " ", fmt, ap); - delete_ftp_command(); - va_end(ap); -} - -void -lreply(int n, const char *fmt, ...) -{ - va_list ap; - va_start(ap, fmt); - int_reply(n, "-", fmt, ap); - va_end(ap); -} - -void -nreply(const char *fmt, ...) 
-{ - va_list ap; - va_start(ap, fmt); - int_reply(0, NULL, fmt, ap); - va_end(ap); -} - -static void -ack(char *s) -{ - - reply(250, "%s command successful.", s); -} - -void -nack(char *s) -{ - - reply(502, "%s command not implemented.", s); -} - -void -do_delete(char *name) -{ - struct stat st; - - LOGCMD("delete", name); - if (stat(name, &st) < 0) { - perror_reply(550, name); - return; - } - if ((st.st_mode&S_IFMT) == S_IFDIR) { - if (rmdir(name) < 0) { - perror_reply(550, name); - return; - } - goto done; - } - if (unlink(name) < 0) { - perror_reply(550, name); - return; - } -done: - ack("DELE"); -} - -void -cwd(char *path) -{ - - if (chdir(path) < 0) - perror_reply(550, path); - else - ack("CWD"); -} - -void -makedir(char *name) -{ - - LOGCMD("mkdir", name); - if(guest && filename_check(name)) - return; - if (mkdir(name, 0777) < 0) - perror_reply(550, name); - else{ - if(guest) - chmod(name, 0700); /* guest has umask 777 */ - reply(257, "MKD command successful."); - } -} - -void -removedir(char *name) -{ - - LOGCMD("rmdir", name); - if (rmdir(name) < 0) - perror_reply(550, name); - else - ack("RMD"); -} - -void -pwd(void) -{ - char path[MaxPathLen]; - char *ret; - - /* SunOS has a broken getcwd that does popen(pwd) (!!!), this - * failes miserably when running chroot - */ - ret = getcwd(path, sizeof(path)); - if (ret == NULL) - reply(550, "%s.", strerror(errno)); - else - reply(257, "\"%s\" is current directory.", path); -} - -char * -renamefrom(char *name) -{ - struct stat st; - - if (stat(name, &st) < 0) { - perror_reply(550, name); - return NULL; - } - reply(350, "File exists, ready for destination name"); - return (name); -} - -void -renamecmd(char *from, char *to) -{ - - LOGCMD2("rename", from, to); - if(guest && filename_check(to)) - return; - if (rename(from, to) < 0) - perror_reply(550, "rename"); - else - ack("RNTO"); -} - -static void -dolog(struct sockaddr *sa, int len) -{ - getnameinfo_verified (sa, len, remotehost, sizeof(remotehost), - NULL, 0, 
0); -#ifdef HAVE_SETPROCTITLE - snprintf(proctitle, sizeof(proctitle), "%s: connected", remotehost); - setproctitle("%s", proctitle); -#endif /* HAVE_SETPROCTITLE */ - - if (logging) { - char data_addr[256]; - - if (inet_ntop (his_addr->sa_family, - socket_get_address(his_addr), - data_addr, sizeof(data_addr)) == NULL) - strlcpy (data_addr, "unknown address", - sizeof(data_addr)); - - - syslog(LOG_INFO, "connection from %s(%s)", - remotehost, - data_addr); - } -} - -/* - * Record logout in wtmp file - * and exit with supplied status. - */ -void -dologout(int status) -{ - transflag = 0; - urgflag = 0; - if (logged_in) { - seteuid((uid_t)0); - ftpd_logwtmp(ttyline, "", ""); -#ifdef KRB4 - cond_kdestroy(); -#endif - } - /* beware of flushing buffers after a SIGPIPE */ -#ifdef XXX - exit(status); -#else - _exit(status); -#endif -} - -void abor(void) -{ - if (!transflag) - return; - reply(426, "Transfer aborted. Data connection closed."); - reply(226, "Abort successful"); - transflag = 0; -} - -static void -myoob(int signo) -{ - urgflag = 1; -} - -static char * -mec_space(char *p) -{ - while(isspace(*(unsigned char *)p)) - p++; - return p; -} - -static int -handleoobcmd(void) -{ - char *cp; - - /* only process if transfer occurring */ - if (!transflag) - return 0; - - urgflag = 0; - - cp = tmpline; - if (ftpd_getline(cp, sizeof(tmpline)) == NULL) { - reply(221, "You could at least say goodbye."); - dologout(0); - } - - if (strncasecmp("MIC", cp, 3) == 0) { - mec(mec_space(cp + 3), prot_safe); - } else if (strncasecmp("CONF", cp, 4) == 0) { - mec(mec_space(cp + 4), prot_confidential); - } else if (strncasecmp("ENC", cp, 3) == 0) { - mec(mec_space(cp + 3), prot_private); - } else if (!allow_insecure_oob) { - reply(533, "Command protection level denied " - "for paranoid reasons."); - goto out; - } - - if (secure_command()) - cp = ftp_command; - - if (strcasecmp(cp, "ABOR\r\n") == 0) { - abor(); - } else if (strcasecmp(cp, "STAT\r\n") == 0) { - if (file_size != (off_t) -1) 
- reply(213, "Status: %ld of %ld bytes transferred", - (long)byte_count, - (long)file_size); - else - reply(213, "Status: %ld bytes transferred", - (long)byte_count); - } -out: - return (transflag == 0); -} - -/* - * Note: a response of 425 is not mentioned as a possible response to - * the PASV command in RFC959. However, it has been blessed as - * a legitimate response by Jon Postel in a telephone conversation - * with Rick Adams on 25 Jan 89. - */ -void -pasv(void) -{ - socklen_t len; - char *p, *a; - struct sockaddr_in *sin; - - if (ctrl_addr->sa_family != AF_INET) { - reply(425, - "You cannot do PASV with something that's not IPv4"); - return; - } - - if(pdata != -1) - close(pdata); - - pdata = socket(ctrl_addr->sa_family, SOCK_STREAM, 0); - if (pdata < 0) { - perror_reply(425, "Can't open passive connection"); - return; - } - pasv_addr->sa_family = ctrl_addr->sa_family; - socket_set_address_and_port (pasv_addr, - socket_get_address (ctrl_addr), - 0); - socket_set_portrange(pdata, restricted_data_ports, - pasv_addr->sa_family); - seteuid(0); - if (bind(pdata, pasv_addr, socket_sockaddr_size (pasv_addr)) < 0) { - seteuid(pw->pw_uid); - goto pasv_error; - } - seteuid(pw->pw_uid); - len = sizeof(pasv_addr_ss); - if (getsockname(pdata, pasv_addr, &len) < 0) - goto pasv_error; - if (listen(pdata, 1) < 0) - goto pasv_error; - sin = (struct sockaddr_in *)pasv_addr; - a = (char *) &sin->sin_addr; - p = (char *) &sin->sin_port; - -#define UC(b) (((int) b) & 0xff) - - reply(227, "Entering Passive Mode (%d,%d,%d,%d,%d,%d)", UC(a[0]), - UC(a[1]), UC(a[2]), UC(a[3]), UC(p[0]), UC(p[1])); - return; - -pasv_error: - close(pdata); - pdata = -1; - perror_reply(425, "Can't open passive connection"); - return; -} - -void -epsv(char *proto) -{ - socklen_t len; - - pdata = socket(ctrl_addr->sa_family, SOCK_STREAM, 0); - if (pdata < 0) { - perror_reply(425, "Can't open passive connection"); - return; - } - pasv_addr->sa_family = ctrl_addr->sa_family; - socket_set_address_and_port 
(pasv_addr, - socket_get_address (ctrl_addr), - 0); - socket_set_portrange(pdata, restricted_data_ports, - pasv_addr->sa_family); - seteuid(0); - if (bind(pdata, pasv_addr, socket_sockaddr_size (pasv_addr)) < 0) { - seteuid(pw->pw_uid); - goto pasv_error; - } - seteuid(pw->pw_uid); - len = sizeof(pasv_addr_ss); - if (getsockname(pdata, pasv_addr, &len) < 0) - goto pasv_error; - if (listen(pdata, 1) < 0) - goto pasv_error; - - reply(229, "Entering Extended Passive Mode (|||%d|)", - ntohs(socket_get_port (pasv_addr))); - return; - -pasv_error: - close(pdata); - pdata = -1; - perror_reply(425, "Can't open passive connection"); - return; -} - -void -eprt(char *str) -{ - char *end; - char sep; - int af; - int ret; - int port; - - usedefault = 0; - if (pdata >= 0) { - close(pdata); - pdata = -1; - } - - sep = *str++; - if (sep == '\0') { - reply(500, "Bad syntax in EPRT"); - return; - } - af = strtol (str, &end, 0); - if (af == 0 || *end != sep) { - reply(500, "Bad syntax in EPRT"); - return; - } - str = end + 1; - switch (af) { -#ifdef HAVE_IPV6 - case 2 : - data_dest->sa_family = AF_INET6; - break; -#endif - case 1 : - data_dest->sa_family = AF_INET; - break; - default : - reply(522, "Network protocol %d not supported, use (1" -#ifdef HAVE_IPV6 - ",2" -#endif - ")", af); - return; - } - end = strchr (str, sep); - if (end == NULL) { - reply(500, "Bad syntax in EPRT"); - return; - } - *end = '\0'; - ret = inet_pton (data_dest->sa_family, str, - socket_get_address (data_dest)); - - if (ret != 1) { - reply(500, "Bad address syntax in EPRT"); - return; - } - str = end + 1; - port = strtol (str, &end, 0); - if (port == 0 || *end != sep) { - reply(500, "Bad port syntax in EPRT"); - return; - } - socket_set_port (data_dest, htons(port)); - reply(200, "EPRT command successful."); -} - -/* - * Generate unique name for file with basename "local". - * The file named "local" is already known to exist. - * Generates failure reply on error. 
- */ -static char * -gunique(char *local) -{ - static char new[MaxPathLen]; - struct stat st; - int count; - char *cp; - - cp = strrchr(local, '/'); - if (cp) - *cp = '\0'; - if (stat(cp ? local : ".", &st) < 0) { - perror_reply(553, cp ? local : "."); - return NULL; - } - if (cp) - *cp = '/'; - for (count = 1; count < 100; count++) { - snprintf (new, sizeof(new), "%s.%d", local, count); - if (stat(new, &st) < 0) - return (new); - } - reply(452, "Unique file name cannot be created."); - return (NULL); -} - -/* - * Format and send reply containing system error number. - */ -void -perror_reply(int code, const char *string) -{ - reply(code, "%s: %s.", string, strerror(errno)); -} - -static char *onefile[] = { - "", - 0 -}; - -void -list_file(char *file) -{ - if(use_builtin_ls) { - FILE *dout; - dout = dataconn(file, -1, "w"); - if (dout == NULL) - return; - set_buffer_size(fileno(dout), 0); - if(builtin_ls(dout, file) == 0) - reply(226, "Transfer complete."); - else - reply(451, "Requested action aborted. 
Local error in processing."); - fclose(dout); - data = -1; - pdata = -1; - } else { -#ifdef HAVE_LS_A - const char *cmd = "/bin/ls -lA %s"; -#else - const char *cmd = "/bin/ls -la %s"; -#endif - retrieve(cmd, file); - } -} - -void -send_file_list(char *whichf) -{ - struct stat st; - DIR *dirp = NULL; - struct dirent *dir; - FILE *dout = NULL; - char **dirlist, *dirname; - int simple = 0; - int freeglob = 0; - glob_t gl; - char buf[MaxPathLen]; - - if (strpbrk(whichf, "~{[*?") != NULL) { - int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE| -#ifdef GLOB_MAXPATH - GLOB_MAXPATH -#else - GLOB_LIMIT -#endif - ; - - memset(&gl, 0, sizeof(gl)); - freeglob = 1; - if (glob(whichf, flags, 0, &gl)) { - reply(550, "not found"); - goto out; - } else if (gl.gl_pathc == 0) { - errno = ENOENT; - perror_reply(550, whichf); - goto out; - } - dirlist = gl.gl_pathv; - } else { - onefile[0] = whichf; - dirlist = onefile; - simple = 1; - } - - while ((dirname = *dirlist++)) { - - if (urgflag && handleoobcmd()) - goto out; - - if (stat(dirname, &st) < 0) { - /* - * If user typed "ls -l", etc, and the client - * used NLST, do what the user meant. - */ - if (dirname[0] == '-' && *dirlist == NULL && - transflag == 0) { - list_file(dirname); - goto out; - } - perror_reply(550, whichf); - goto out; - } - - if (S_ISREG(st.st_mode)) { - if (dout == NULL) { - dout = dataconn("file list", (off_t)-1, "w"); - if (dout == NULL) - goto out; - transflag = 1; - } - snprintf(buf, sizeof(buf), "%s%s\n", dirname, - type == TYPE_A ? 
"\r" : ""); - sec_write(fileno(dout), buf, strlen(buf)); - byte_count += strlen(dirname) + 1; - continue; - } else if (!S_ISDIR(st.st_mode)) - continue; - - if ((dirp = opendir(dirname)) == NULL) - continue; - - while ((dir = readdir(dirp)) != NULL) { - char nbuf[MaxPathLen]; - - if (urgflag && handleoobcmd()) - goto out; - - if (!strcmp(dir->d_name, ".")) - continue; - if (!strcmp(dir->d_name, "..")) - continue; - - snprintf(nbuf, sizeof(nbuf), "%s/%s", dirname, dir->d_name); - - /* - * We have to do a stat to insure it's - * not a directory or special file. - */ - if (simple || (stat(nbuf, &st) == 0 && - S_ISREG(st.st_mode))) { - if (dout == NULL) { - dout = dataconn("file list", (off_t)-1, "w"); - if (dout == NULL) - goto out; - transflag = 1; - } - if(strncmp(nbuf, "./", 2) == 0) - snprintf(buf, sizeof(buf), "%s%s\n", nbuf +2, - type == TYPE_A ? "\r" : ""); - else - snprintf(buf, sizeof(buf), "%s%s\n", nbuf, - type == TYPE_A ? "\r" : ""); - sec_write(fileno(dout), buf, strlen(buf)); - byte_count += strlen(nbuf) + 1; - } - } - closedir(dirp); - } - if (dout == NULL) - reply(550, "No files found."); - else if (ferror(dout) != 0) - perror_reply(550, "Data connection"); - else - reply(226, "Transfer complete."); - -out: - transflag = 0; - if (dout != NULL){ - sec_write(fileno(dout), buf, 0); /* XXX flush */ - - fclose(dout); - } - data = -1; - pdata = -1; - if (freeglob) { - freeglob = 0; - globfree(&gl); - } -} - - -int -find(char *pattern) -{ - char line[1024]; - FILE *f; - - snprintf(line, sizeof(line), - "/bin/locate -d %s -- %s", - ftp_rooted("/etc/locatedb"), - pattern); - f = ftpd_popen(line, "r", 1, 1); - if(f == NULL){ - perror_reply(550, "/bin/locate"); - return 1; - } - lreply(200, "Output from find."); - while(fgets(line, sizeof(line), f)){ - if(line[strlen(line)-1] == '\n') - line[strlen(line)-1] = 0; - nreply("%s", line); - } - reply(200, "Done"); - ftpd_pclose(f); - return 0; -} - 
diff --git a/crypto/heimdal-0.6.3/appl/ftp/ftpd/ftpd.cat8 b/crypto/heimdal-0.6.3/appl/ftp/ftpd/ftpd.cat8
deleted file mode 100644
index f005dd3efd..0000000000
--- a/crypto/heimdal-0.6.3/appl/ftp/ftpd/ftpd.cat8
+++ /dev/null
@@ -1,314 +0,0 @@ - -FTPD(8) UNIX System Manager's Manual FTPD(8) - -NNAAMMEE - ffttppdd - Internet File Transfer Protocol server - -SSYYNNOOPPSSIISS - ffttppdd [--aa _a_u_t_h_m_o_d_e] [--ddiillvvUU] [--gg _u_m_a_s_k] [--pp _p_o_r_t] [--TT _m_a_x_t_i_m_e_o_u_t] [--tt - _t_i_m_e_o_u_t] [----ggssss--bbiinnddiinnggss] [--II | ----nnoo--iinnsseeccuurree--oooobb] [--uu _d_e_f_a_u_l_t _u_m_a_s_k] [--BB - | ----bbuuiillttiinn--llss] [----ggoooodd--cchhaarrss==_s_t_r_i_n_g] - -DDEESSCCRRIIPPTTIIOONN - FFttppdd is the Internet File Transfer Protocol server process. The server - uses the TCP protocol and listens at the port specified in the ``ftp'' - service specification; see services(5). - - Available options: - - --aa Select the level of authentication required. Kerberised login - can not be turned off. The default is to only allow kerberised - login. Other possibilities can be turned on by giving a string - of comma separated flags as argument to --aa. Recognised flags are: - - _p_l_a_i_n Allow logging in with plaintext password. The password can - be a(n) OTP or an ordinary password. - - _o_t_p Same as _p_l_a_i_n, but only OTP is allowed. - - _f_t_p Allow anonymous login. - - The following combination modes exists for backwards compatibili- - ty: - - _n_o_n_e Same as _p_l_a_i_n_,_f_t_p. - - _s_a_f_e Same as _f_t_p. - - _u_s_e_r Ignored. - - --dd Debugging information is written to the syslog using LOG_FTP. - - --gg Anonymous users will get a umask of _u_m_a_s_k. - - ----ggssss--bbiinnddiinnggss - require the peer to use GSS-API bindings (ie make sure IP ad- - dresses match). - - --ii Open a socket and wait for a connection. This is mainly used for - debugging when ftpd isn't started by inetd. - - --ll Each successful and failed ftp(1) session is logged using syslog - with a facility of LOG_FTP. 
If this option is specified twice, - the retrieve (get), store (put), append, delete, make directory, - remove directory and rename operations and their filename argu- - ments are also logged. - - --pp Use _p_o_r_t (a service name or number) instead of the default - _f_t_p_/_t_c_p. - - --TT A client may also request a different timeout period; the maximum - period allowed may be set to _t_i_m_e_o_u_t seconds with the --TT option. - The default limit is 2 hours. - - --tt The inactivity timeout period is set to _t_i_m_e_o_u_t seconds (the de- - - fault is 15 minutes). - - --uu Set the initial umask to something else than the default 027. - - --UU In previous versions of ffttppdd, when a passive mode client request- - ed a data connection to the server, the server would use data - ports in the range 1024..4999. Now, by default, if the system - supports the IP_PORTRANGE socket option, the server will use data - ports in the range 49152..65535. Specifying this option will re- - vert to the old behavior. - - --vv Verbose mode. - - --BB, ----bbuuiillttiinn--llss - use built-in ls to list files - - ----ggoooodd--cchhaarrss==_s_t_r_i_n_g - allowed anonymous upload filename chars - - --II ----nnoo--iinnsseeccuurree--oooobb - don't allow insecure out of band. Heimdal ftp client before 0.7 - doesn't support secure oob, so turning on this options makes them - no longer work. - - The file _/_e_t_c_/_n_o_l_o_g_i_n can be used to disable ftp access. If the file ex- - ists, ffttppdd displays it and exits. If the file _/_e_t_c_/_f_t_p_w_e_l_c_o_m_e exists, - ffttppdd prints it before issuing the ``ready'' message. If the file - _/_e_t_c_/_m_o_t_d exists, ffttppdd prints it after a successful login. - - The ftp server currently supports the following ftp requests. The case - of the requests is ignored. 
- - Request Description - ABOR abort previous command - ACCT specify account (ignored) - ALLO allocate storage (vacuously) - APPE append to a file - CDUP change to parent of current working directory - CWD change working directory - DELE delete a file - HELP give help information - LIST give list files in a directory (``ls -lgA'') - MKD make a directory - MDTM show last modification time of file - MODE specify data transfer _m_o_d_e - NLST give name list of files in directory - NOOP do nothing - PASS specify password - PASV prepare for server-to-server transfer - PORT specify data connection port - PWD print the current working directory - QUIT terminate session - REST restart incomplete transfer - RETR retrieve a file - RMD remove a directory - RNFR specify rename-from file name - RNTO specify rename-to file name - SITE non-standard commands (see next section) - SIZE return size of file - STAT return status of server - STOR store a file - STOU store a file with a unique name - STRU specify data transfer _s_t_r_u_c_t_u_r_e - SYST show operating system type of server system - - - TYPE specify data transfer _t_y_p_e - USER specify user name - XCUP change to parent of current working directory - (deprecated) - XCWD change working directory (deprecated) - XMKD make a directory (deprecated) - XPWD print the current working directory (deprecated) - XRMD remove a directory (deprecated) - - The following commands are specified by RFC2228. - - AUTH authentication/security mechanism - ADAT authentication/security data - PROT data channel protection level - PBSZ protection buffer size - MIC integrity protected command - CONF confidentiality protected command - ENC privacy protected command - CCC clear command channel - - The following non-standard or UNIX specific commands are supported by the - SITE request. - - UMASK change umask, (e.g. SSIITTEE UUMMAASSKK 000022) - IDLE set idle-timer, (e.g. SSIITTEE IIDDLLEE 6600) - CHMOD change mode of a file (e.g. 
SSIITTEE CCHHMMOODD 775555 ffiilleennaammee) - FIND quickly find a specific file with GNU locate(1). - HELP give help information. - - The following Kerberos related site commands are understood. - - KAUTH obtain remote tickets. - KLIST show remote tickets - - The remaining ftp requests specified in Internet RFC 959 are recognized, - but not implemented. MDTM and SIZE are not specified in RFC 959, but - will appear in the next updated FTP RFC. - - The ftp server will abort an active file transfer only when the ABOR com- - mand is preceded by a Telnet "Interrupt Process" (IP) signal and a Telnet - "Synch" signal in the command Telnet stream, as described in Internet RFC - 959. If a STAT command is received during a data transfer, preceded by a - Telnet IP and Synch, transfer status will be returned. - - FFttppdd interprets file names according to the ``globbing'' conventions used - by csh(1). This allows users to use the metacharacters ``*?[]{}~''. - - FFttppdd authenticates users according to these rules. - - 1. If Kerberos authentication is used, the user must pass valid - tickets and the principal must be allowed to login as the re- - mote user. - - 2. The login name must be in the password data base, and not have - a null password (if Kerberos is used the password field is not - checked). In this case a password must be provided by the - client before any file operations may be performed. If the - user has an OTP key, the response from a successful USER com- - mand will include an OTP challenge. The client may choose to - respond with a PASS command giving either a standard password - or an OTP one-time password. The server will automatically de- - termine which type of password it has been given and attempt - to authenticate accordingly. See otp(1) for more information - on OTP authentication. - - - 3. The login name must not appear in the file _/_e_t_c_/_f_t_p_u_s_e_r_s. - - 4. The user must have a standard shell returned by - getusershell(3). - - 5. 
If the user name appears in the file _/_e_t_c_/_f_t_p_c_h_r_o_o_t the ses- - sion's root will be changed to the user's login directory by - chroot(2) as for an ``anonymous'' or ``ftp'' account (see next - item). However, the user must still supply a password. This - feature is intended as a compromise between a fully anonymous - account and a fully privileged account. The account should - also be set up as for an anonymous account. - - 6. If the user name is ``anonymous'' or ``ftp'', an anonymous ftp - account must be present in the password file (user ``ftp''). - In this case the user is allowed to log in by specifying any - password (by convention an email address for the user should - be used as the password). - - In the last case, ffttppdd takes special measures to restrict the client's - access privileges. The server performs a chroot(2) to the home directory - of the ``ftp'' user. In order that system security is not breached, it - is recommended that the ``ftp'' subtree be constructed with care, consid- - er following these guidelines for anonymous ftp. - - In general all files should be owned by ``root'', and have non-write per- - missions (644 or 755 depending on the kind of file). No files should be - owned or writable by ``ftp'' (possibly with exception for the - _~_f_t_p_/_i_n_c_o_m_i_n_g, as specified below). - - _~_f_t_p The ``ftp'' homedirectory should be owned by root. - - _~_f_t_p_/_b_i_n The directory for external programs (such as ls(1)). - These programs must either be statically linked, or you - must setup an environment for dynamic linking when run- - ning chrooted. These programs will be used if present: - - ls Used when listing files. - - compress - When retrieving a filename that ends in _._Z, - and that file isn't present, ffttppdd will try - to find the filename without _._Z and com- - press it on the fly. - - gzip Same as compress, just with files ending in - _._g_z. 
- - gtar Enables retrieval of whole directories as - files ending in _._t_a_r. Can also be combined - with compression. You must use GNU Tar (or - some other that supports the --zz and --ZZ - flags). - - locate Will enable ``fast find'' with the SSIITTEE - FFIINNDD command. You must also create a - _l_o_c_a_t_e_d_b file in _~_f_t_p_/_e_t_c. - - _~_f_t_p_/_e_t_c If you put copies of the passwd(5) and group(5) files - here, ls will be able to produce owner names rather than - numbers. Remember to remove any passwords from these - files. - - The file _m_o_t_d, if present, will be printed after a suc- - - - cessful login. - - _~_f_t_p_/_d_e_v Put a copy of /dev/null(7) here. - - _~_f_t_p_/_p_u_b Traditional place to put whatever you want to make pub- - lic. - - If you want guests to be able to upload files, create a _~_f_t_p_/_i_n_c_o_m_i_n_g di- - rectory owned by ``root'', and group ``ftp'' with mode 730 (make sure - ``ftp'' is member of group ``ftp''). The following restrictions apply to - anonymous users: - - ++oo Directories created will have mode 700. - - ++oo Uploaded files will be created with an umask of 777, if not changed - with the --gg option. - - ++oo These command are not accessible: DDEELLEE, RRMMDD, RRNNTTOO, RRNNFFRR, SSIITTEE UUMMAASSKK, - and SSIITTEE CCHHMMOODD. - - ++oo Filenames must start with an alpha-numeric character, and consist of - alpha-numeric characters or any of the following: + (plus), - (mi- - nus), = (equal), _ (underscore), . (period), and , (comma). - -FFIILLEESS - /etc/ftpusers Access list for users. - /etc/ftpchroot List of normal users who should be chroot'd. - /etc/ftpwelcome Welcome notice. - /etc/motd Welcome notice after login. - /etc/nologin Displayed and access refused. - ~/.klogin Login access for Kerberos. 
- -SSEEEE AALLSSOO - ftp(1), otp(1), getusershell(3), ftpusers(5), syslogd(8) - -SSTTAANNDDAARRDDSS - RRFFCC 995599 FTP PROTOCOL SPECIFICATION - RRFFCC 11993388 OTP Specification - RRFFCC 22222288 FTP Security Extensions. - -BBUUGGSS - The server must run as the super-user to create sockets with privileged - port numbers. It maintains an effective user id of the logged in user, - reverting to the super-user only when binding addresses to sockets. The - possible security holes have been extensively scrutinized, but are possi- - bly incomplete. - -HHIISSTTOORRYY - The ffttppdd command appeared in 4.2BSD. - -4.2 Berkeley Distribution July 19, 2003 5
diff --git a/crypto/heimdal-0.6.3/appl/ftp/ftpd/ftpd_locl.h b/crypto/heimdal-0.6.3/appl/ftp/ftpd/ftpd_locl.h
deleted file mode 100644
index bb172ac85a..0000000000
--- a/crypto/heimdal-0.6.3/appl/ftp/ftpd/ftpd_locl.h
+++ /dev/null
@@ -1,175 +0,0 @@ -/* - * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* $Id: ftpd_locl.h,v 1.13.2.1 2004/08/20 15:17:07 lha Exp $ */ - -#ifndef __ftpd_locl_h__ -#define __ftpd_locl_h__ - -#ifdef HAVE_CONFIG_H -#include -#endif - -/* - * FTP server. 
- */ -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_SYS_PARAM_H -#include -#endif -#ifdef HAVE_SYS_STAT_H -#include -#endif -#ifdef HAVE_SYS_SOCKET_H -#include -#endif -#if defined(HAVE_SYS_IOCTL_H) && SunOS != 40 -#include -#endif -#ifdef HAVE_SYS_IOCCOM_H -#include -#endif -#ifdef TIME_WITH_SYS_TIME -#include -#include -#elif defined(HAVE_SYS_TIME_H) -#include -#else -#include -#endif -#ifdef HAVE_SYS_RESOURCE_H -#include -#endif -#ifdef HAVE_SYS_WAIT_H -#include -#endif - -#ifdef HAVE_NETINET_IN_H -#include -#endif -#ifdef HAVE_NETINET_IN_SYSTM_H -#include -#endif -#ifdef HAVE_NETINET_IP_H -#include -#endif - -#ifdef HAVE_SYS_MMAN_H -#include -#endif - -#include -#ifdef HAVE_ARPA_INET_H -#include -#endif -#ifdef HAVE_ARPA_TELNET_H -#include -#endif - -#include -#ifdef HAVE_DIRENT_H -#include -#endif -#include -#ifdef HAVE_FCNTL_H -#include -#endif -#include -#include -#ifdef HAVE_PWD_H -#include -#endif -#include -#include -#include -#include -#include -#ifdef HAVE_SYSLOG_H -#include -#endif -#include -#ifdef HAVE_UNISTD_H -#include -#endif -#ifdef HAVE_GRP_H -#include -#endif -#include - -#ifdef HAVE_BSD_BSD_H -#include -#endif - -#include -#include "roken.h" - -#include "pathnames.h" -#include "extern.h" -#include "common.h" - -#include "security.h" - -#ifdef KRB5 -#include -#endif /* KRB5 */ - -#ifdef KRB4 -#include -#endif - -#if defined(KRB4) || defined(KRB5) -#include -#endif - -#ifdef OTP -#include -#endif - -#ifdef SOCKS -#include -extern int LIBPREFIX(fclose) (FILE *); -#endif - -/* SunOS doesn't have any declaration of fclose */ - -int fclose(FILE *stream); - -int yyparse(); - -#ifndef LOG_FTP -#define LOG_FTP LOG_DAEMON -#endif - -#endif /* __ftpd_locl_h__ */ diff --git a/crypto/heimdal-0.6.3/appl/ftp/ftpd/ftpusers.5 b/crypto/heimdal-0.6.3/appl/ftp/ftpd/ftpusers.5 deleted file mode 100644 index ce59df820e..0000000000 --- a/crypto/heimdal-0.6.3/appl/ftp/ftpd/ftpusers.5 +++ /dev/null 
@@ -1,37 +0,0 @@ -.\" $Id: ftpusers.5,v 1.5 2002/08/20 17:07:04 joda Exp $ -.\" -.Dd May 7, 1997 -.Dt FTPUSERS 5 -.Os KTH-KRB -.Sh NAME -.Pa /etc/ftpusers -.Nd FTP access list file -.Sh DESCRIPTION -.Pa /etc/ftpusers -contains a list of users that should be allowed or denied FTP -access. Each line contains a user, optionally followed by -.Dq allow -(anything but -.Dq allow -is ignored). The semi-user -.Dq * -matches any user. Users that has an explicit -.Dq allow , -or that does not match any line, are allowed access. Anyone else is -denied access. -.Pp -Note that this is compatible with the old format, where this file -contained a list of users that should be denied access. -.Sh EXAMPLES -This will deny anyone but -.Dq foo -and -.Dq bar -to use FTP: -.Bd -literal -foo allow -bar allow -* -.Ed -.Sh SEE ALSO -.Xr ftpd 8 diff --git a/crypto/heimdal-0.6.3/appl/ftp/ftpd/ftpusers.cat5 b/crypto/heimdal-0.6.3/appl/ftp/ftpd/ftpusers.cat5 deleted file mode 100644 index d2ee3d3c3a..0000000000 --- a/crypto/heimdal-0.6.3/appl/ftp/ftpd/ftpusers.cat5 +++ /dev/null @@ -1,27 +0,0 @@ - -FTPUSERS(5) UNIX Programmer's Manual FTPUSERS(5) - -NNAAMMEE - _/_e_t_c_/_f_t_p_u_s_e_r_s - FTP access list file - -DDEESSCCRRIIPPTTIIOONN - _/_e_t_c_/_f_t_p_u_s_e_r_s contains a list of users that should be allowed or denied - FTP access. Each line contains a user, optionally followed by ``allow'' - (anything but ``allow'' is ignored). The semi-user ``*'' matches any us- - er. Users that has an explicit ``allow'', or that does not match any - line, are allowed access. Anyone else is denied access. - - Note that this is compatible with the old format, where this file con- - tained a list of users that should be denied access. - -EEXXAAMMPPLLEESS - This will deny anyone but ``foo'' and ``bar'' to use FTP: - - foo allow - bar allow - * - -SSEEEE AALLSSOO - ftpd(8) - - KTH-KRB May 7, 1997 1 
diff --git a/crypto/heimdal-0.6.3/appl/ftp/ftpd/gss_userok.c b/crypto/heimdal-0.6.3/appl/ftp/ftpd/gss_userok.c
deleted file mode 100644
index 11a2e75d8c..0000000000
--- a/crypto/heimdal-0.6.3/appl/ftp/ftpd/gss_userok.c
+++ /dev/null
@@ -1,124 +0,0 @@ -/* - * Copyright (c) 1998 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "ftpd_locl.h" -#include -#include - -RCSID("$Id: gss_userok.c,v 1.10 2003/03/18 13:56:35 lha Exp $"); - -/* XXX a bit too much of krb5 dependency here... - What is the correct way to do this? 
- */ - -extern krb5_context gssapi_krb5_context; - -/* XXX sync with gssapi.c */ -struct gss_data { - gss_ctx_id_t context_hdl; - char *client_name; - gss_cred_id_t delegated_cred_handle; -}; - -int gss_userok(void*, char*); /* to keep gcc happy */ - -int -gss_userok(void *app_data, char *username) -{ - struct gss_data *data = app_data; - if(gssapi_krb5_context) { - krb5_principal client; - krb5_error_code ret; - - ret = krb5_parse_name(gssapi_krb5_context, data->client_name, &client); - if(ret) - return 1; - ret = krb5_kuserok(gssapi_krb5_context, client, username); - if (!ret) { - krb5_free_principal(gssapi_krb5_context, client); - return 1; - } - - ret = 0; - - /* more of krb-depend stuff :-( */ - /* gss_add_cred() ? */ - if (data->delegated_cred_handle && - data->delegated_cred_handle->ccache ) { - - krb5_ccache ccache = NULL; - char* ticketfile; - struct passwd *pw; - OM_uint32 minor_status; - - pw = getpwnam(username); - - if (pw == NULL) { - ret = 1; - goto fail; - } - - asprintf (&ticketfile, "%s%u", KRB5_DEFAULT_CCROOT, - (unsigned)pw->pw_uid); - - ret = krb5_cc_resolve(gssapi_krb5_context, ticketfile, &ccache); - if (ret) - goto fail; - - ret = gss_krb5_copy_ccache(&minor_status, - data->delegated_cred_handle, - ccache); - if (ret) - goto fail; - - chown (ticketfile+5, pw->pw_uid, pw->pw_gid); - - if (k_hasafs()) { - krb5_afslog(gssapi_krb5_context, ccache, 0, 0); - } - esetenv ("KRB5CCNAME", ticketfile, 1); - -fail: - if (ccache) - krb5_cc_close(gssapi_krb5_context, ccache); - krb5_cc_destroy(gssapi_krb5_context, - data->delegated_cred_handle->ccache); - data->delegated_cred_handle->ccache = NULL; - free(ticketfile); - } - - krb5_free_principal(gssapi_krb5_context, client); - return ret; - } - return 1; -} diff --git a/crypto/heimdal-0.6.3/appl/ftp/ftpd/kauth.c b/crypto/heimdal-0.6.3/appl/ftp/ftpd/kauth.c deleted file mode 100644 index dad4de5401..0000000000 --- a/crypto/heimdal-0.6.3/appl/ftp/ftpd/kauth.c +++ /dev/null 
@@ -1,365 +0,0 @@ -/* - * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "ftpd_locl.h" - -RCSID("$Id: kauth.c,v 1.25 1999/12/02 16:58:31 joda Exp $"); - -static KTEXT_ST cip; -static unsigned int lifetime; -static time_t local_time; - -static krb_principal pr; - -static int do_destroy_tickets = 1; - -static int -save_tkt(const char *user, - const char *instance, - const char *realm, - const void *arg, - key_proc_t key_proc, - KTEXT *cipp) -{ - local_time = time(0); - memmove(&cip, *cipp, sizeof(cip)); - return -1; -} - -static int -store_ticket(KTEXT cip) -{ - char *ptr; - des_cblock session; - krb_principal sp; - unsigned char kvno; - KTEXT_ST tkt; - int left = cip->length; - int len; - int kerror; - - ptr = (char *) cip->dat; - - /* extract session key */ - memmove(session, ptr, 8); - ptr += 8; - left -= 8; - - len = strnlen(ptr, left); - if (len == left) - return(INTK_BADPW); - - /* extract server's name */ - strlcpy(sp.name, ptr, sizeof(sp.name)); - ptr += len + 1; - left -= len + 1; - - len = strnlen(ptr, left); - if (len == left) - return(INTK_BADPW); - - /* extract server's instance */ - strlcpy(sp.instance, ptr, sizeof(sp.instance)); - ptr += len + 1; - left -= len + 1; - - len = strnlen(ptr, left); - if (len == left) - return(INTK_BADPW); - - /* extract server's realm */ - strlcpy(sp.realm, ptr, sizeof(sp.realm)); - ptr += len + 1; - left -= len + 1; - - if(left < 3) - return INTK_BADPW; - /* extract ticket lifetime, server key version, ticket length */ - /* be sure to avoid sign extension on lifetime! */ - lifetime = (unsigned char) ptr[0]; - kvno = (unsigned char) ptr[1]; - tkt.length = (unsigned char) ptr[2]; - ptr += 3; - left -= 3; - - if (tkt.length > left) - return(INTK_BADPW); - - /* extract ticket itself */ - memmove(tkt.dat, ptr, tkt.length); - ptr += tkt.length; - left -= tkt.length; - - /* Here is where the time should be verified against the KDC. 
- * Unfortunately everything is sent in host byte order (receiver - * makes wrong) , and at this stage there is no way for us to know - * which byteorder the KDC has. So we simply ignore the time, - * there are no security risks with this, the only thing that can - * happen is that we might receive a replayed ticket, which could - * at most be useless. - */ - -#if 0 - /* check KDC time stamp */ - { - time_t kdc_time; - - memmove(&kdc_time, ptr, sizeof(kdc_time)); - if (swap_bytes) swap_u_long(kdc_time); - - ptr += 4; - - if (abs((int)(local_time - kdc_time)) > CLOCK_SKEW) { - return(RD_AP_TIME); /* XXX should probably be better - code */ - } - } -#endif - - /* initialize ticket cache */ - - if (tf_create(TKT_FILE) != KSUCCESS) - return(INTK_ERR); - - if (tf_put_pname(pr.name) != KSUCCESS || - tf_put_pinst(pr.instance) != KSUCCESS) { - tf_close(); - return(INTK_ERR); - } - - - kerror = tf_save_cred(sp.name, sp.instance, sp.realm, session, - lifetime, kvno, &tkt, local_time); - tf_close(); - - return(kerror); -} - -void -kauth(char *principal, char *ticket) -{ - char *p; - int ret; - - if(get_command_prot() != prot_private) { - reply(500, "Request denied (bad protection level)"); - return; - } - ret = krb_parse_name(principal, &pr); - if(ret){ - reply(500, "Bad principal: %s.", krb_get_err_text(ret)); - return; - } - if(pr.realm[0] == 0) - krb_get_lrealm(pr.realm, 1); - - if(ticket){ - cip.length = base64_decode(ticket, &cip.dat); - if(cip.length == -1){ - reply(500, "Failed to decode data."); - return; - } - ret = store_ticket(&cip); - if(ret){ - reply(500, "Kerberos error: %s.", krb_get_err_text(ret)); - memset(&cip, 0, sizeof(cip)); - return; - } - do_destroy_tickets = 1; - - if(k_hasafs()) - krb_afslog(0, 0); - reply(200, "Tickets will be destroyed on exit."); - return; - } - - ret = krb_get_in_tkt (pr.name, - pr.instance, - pr.realm, - KRB_TICKET_GRANTING_TICKET, - pr.realm, - DEFAULT_TKT_LIFE, - NULL, save_tkt, NULL); - if(ret != INTK_BADPW){ - reply(500, 
"Kerberos error: %s.", krb_get_err_text(ret)); - return; - } - if(base64_encode(cip.dat, cip.length, &p) < 0) { - reply(500, "Out of memory while base64-encoding."); - return; - } - reply(300, "P=%s T=%s", krb_unparse_name(&pr), p); - free(p); - memset(&cip, 0, sizeof(cip)); -} - - -static char * -short_date(int32_t dp) -{ - char *cp; - time_t t = (time_t)dp; - - if (t == (time_t)(-1L)) return "*** Never *** "; - cp = ctime(&t) + 4; - cp[15] = '\0'; - return (cp); -} - -void -klist(void) -{ - int err; - - char *file = tkt_string(); - - krb_principal pr; - - char buf1[128], buf2[128]; - int header = 1; - CREDENTIALS c; - - - - err = tf_init(file, R_TKT_FIL); - if(err != KSUCCESS){ - reply(500, "%s", krb_get_err_text(err)); - return; - } - tf_close(); - - /* - * We must find the realm of the ticket file here before calling - * tf_init because since the realm of the ticket file is not - * really stored in the principal section of the file, the - * routine we use must itself call tf_init and tf_close. - */ - err = krb_get_tf_realm(file, pr.realm); - if(err != KSUCCESS){ - reply(500, "%s", krb_get_err_text(err)); - return; - } - - err = tf_init(file, R_TKT_FIL); - if(err != KSUCCESS){ - reply(500, "%s", krb_get_err_text(err)); - return; - } - - err = tf_get_pname(pr.name); - if(err != KSUCCESS){ - reply(500, "%s", krb_get_err_text(err)); - return; - } - err = tf_get_pinst(pr.instance); - if(err != KSUCCESS){ - reply(500, "%s", krb_get_err_text(err)); - return; - } - - /* - * You may think that this is the obvious place to get the - * realm of the ticket file, but it can't be done here as the - * routine to do this must open the ticket file. This is why - * it was done before tf_init. 
- */ - - lreply(200, "Ticket file: %s", tkt_string()); - - lreply(200, "Principal: %s", krb_unparse_name(&pr)); - while ((err = tf_get_cred(&c)) == KSUCCESS) { - if (header) { - lreply(200, "%-15s %-15s %s", - " Issued", " Expires", " Principal (kvno)"); - header = 0; - } - strlcpy(buf1, short_date(c.issue_date), sizeof(buf1)); - c.issue_date = krb_life_to_time(c.issue_date, c.lifetime); - if (time(0) < (unsigned long) c.issue_date) - strlcpy(buf2, short_date(c.issue_date), sizeof(buf2)); - else - strlcpy(buf2, ">>> Expired <<< ", sizeof(buf2)); - lreply(200, "%s %s %s (%d)", buf1, buf2, - krb_unparse_name_long(c.service, c.instance, c.realm), c.kvno); - } - if (header && err == EOF) { - lreply(200, "No tickets in file."); - } - reply(200, " "); -} - -/* - * Only destroy if we created the tickets - */ - -void -cond_kdestroy(void) -{ - if (do_destroy_tickets) - dest_tkt(); - afsunlog(); -} - -void -kdestroy(void) -{ - dest_tkt(); - afsunlog(); - reply(200, "Tickets destroyed"); -} - -void -krbtkfile(const char *tkfile) -{ - do_destroy_tickets = 0; - krb_set_tkt_string(tkfile); - reply(200, "Using ticket file %s", tkfile); -} - -void -afslog(const char *cell) -{ - if(k_hasafs()) { - krb_afslog(cell, 0); - reply(200, "afslog done"); - } else { - reply(200, "no AFS present"); - } -} - -void -afsunlog(void) -{ - if(k_hasafs()) - k_unlog(); -} diff --git a/crypto/heimdal-0.6.3/appl/ftp/ftpd/logwtmp.c b/crypto/heimdal-0.6.3/appl/ftp/ftpd/logwtmp.c deleted file mode 100644 index 51139a817e..0000000000 --- a/crypto/heimdal-0.6.3/appl/ftp/ftpd/logwtmp.c +++ /dev/null 
@@ -1,138 +0,0 @@ -/* - * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#ifdef HAVE_CONFIG_H -#include -RCSID("$Id: logwtmp.c,v 1.15 2000/09/19 13:17:05 assar Exp $"); -#endif - -#include -#include -#ifdef TIME_WITH_SYS_TIME -#include -#include -#elif defined(HAVE_SYS_TIME_H) -#include -#else -#include -#endif -#ifdef HAVE_UNISTD_H -#include -#endif -#ifdef HAVE_FCNTL_H -#include -#endif -#ifdef HAVE_UTMP_H -#include -#endif -#ifdef HAVE_UTMPX_H -#include -#endif -#include -#include "extern.h" - -#ifndef WTMP_FILE -#ifdef _PATH_WTMP -#define WTMP_FILE _PATH_WTMP -#else -#define WTMP_FILE "/var/adm/wtmp" -#endif -#endif - -void -ftpd_logwtmp(char *line, char *name, char *host) -{ - static int init = 0; - static int fd; -#ifdef WTMPX_FILE - static int fdx; -#endif - struct utmp ut; -#ifdef WTMPX_FILE - struct utmpx utx; -#endif - - memset(&ut, 0, sizeof(struct utmp)); -#ifdef HAVE_STRUCT_UTMP_UT_TYPE - if(name[0]) - ut.ut_type = USER_PROCESS; - else - ut.ut_type = DEAD_PROCESS; -#endif - strncpy(ut.ut_line, line, sizeof(ut.ut_line)); - strncpy(ut.ut_name, name, sizeof(ut.ut_name)); -#ifdef HAVE_STRUCT_UTMP_UT_PID - ut.ut_pid = getpid(); -#endif -#ifdef HAVE_STRUCT_UTMP_UT_HOST - strncpy(ut.ut_host, host, sizeof(ut.ut_host)); -#endif - ut.ut_time = time(NULL); - -#ifdef WTMPX_FILE - strncpy(utx.ut_line, line, sizeof(utx.ut_line)); - strncpy(utx.ut_user, name, sizeof(utx.ut_user)); - strncpy(utx.ut_host, host, sizeof(utx.ut_host)); -#ifdef HAVE_STRUCT_UTMPX_UT_SYSLEN - utx.ut_syslen = strlen(host) + 1; - if (utx.ut_syslen > sizeof(utx.ut_host)) - utx.ut_syslen = sizeof(utx.ut_host); -#endif - { - struct timeval tv; - - gettimeofday (&tv, 0); - utx.ut_tv.tv_sec = tv.tv_sec; - utx.ut_tv.tv_usec = tv.tv_usec; - } - - if(name[0]) - utx.ut_type = USER_PROCESS; - else - utx.ut_type = DEAD_PROCESS; -#endif - - if(!init){ - fd = open(WTMP_FILE, O_WRONLY|O_APPEND, 0); -#ifdef WTMPX_FILE - fdx = open(WTMPX_FILE, O_WRONLY|O_APPEND, 0); -#endif - init = 1; - } - if(fd >= 0) { - write(fd, &ut, sizeof(struct utmp)); /* XXX */ -#ifdef WTMPX_FILE 
- write(fdx, &utx, sizeof(struct utmpx)); -#endif - } -} diff --git a/crypto/heimdal-0.6.3/appl/ftp/ftpd/ls.c b/crypto/heimdal-0.6.3/appl/ftp/ftpd/ls.c deleted file mode 100644 index f8ec4ad12c..0000000000 --- a/crypto/heimdal-0.6.3/appl/ftp/ftpd/ls.c +++ /dev/null 
@@ -1,854 +0,0 @@ -/* - * Copyright (c) 1999 - 2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of KTH nor the names of its contributors may be - * used to endorse or promote products derived from this software without - * specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY - * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR - * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, - * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR - * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF - * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ - -#ifndef TEST -#include "ftpd_locl.h" - -RCSID("$Id: ls.c,v 1.26 2003/02/25 10:51:30 lha Exp $"); - -#else -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#define sec_fprintf2 fprintf -#define sec_fflush fflush -static void list_files(FILE *out, const char **files, int n_files, int flags); -static int parse_flags(const char *options); - -int -main(int argc, char **argv) -{ - int i = 1; - int flags; - if(argc > 1 && argv[1][0] == '-') { - flags = parse_flags(argv[1]); - i = 2; - } else - flags = parse_flags(NULL); - - list_files(stdout, (const char **)argv + i, argc - i, flags); - return 0; -} -#endif - -struct fileinfo { - struct stat st; - int inode; - int bsize; - char mode[11]; - int n_link; - char *user; - char *group; - char *size; - char *major; - char *minor; - char *date; - char *filename; - char *link; -}; - -static void -free_fileinfo(struct fileinfo *f) -{ - free(f->user); - free(f->group); - free(f->size); - free(f->major); - free(f->minor); - free(f->date); - free(f->filename); - free(f->link); -} - -#define LS_DIRS (1 << 0) -#define LS_IGNORE_DOT (1 << 1) -#define LS_SORT_MODE (3 << 2) -#define SORT_MODE(f) ((f) & LS_SORT_MODE) -#define LS_SORT_NAME (1 << 2) -#define LS_SORT_MTIME (2 << 2) -#define LS_SORT_SIZE (3 << 2) -#define LS_SORT_REVERSE (1 << 4) - -#define LS_SIZE (1 << 5) -#define LS_INODE (1 << 6) -#define LS_TYPE (1 << 7) -#define LS_DISP_MODE (3 << 8) -#define DISP_MODE(f) ((f) & LS_DISP_MODE) -#define LS_DISP_LONG (1 << 8) -#define LS_DISP_COLUMN (2 << 8) -#define LS_DISP_CROSS (3 << 8) -#define LS_SHOW_ALL (1 << 10) -#define LS_RECURSIVE (1 << 11) -#define LS_EXTRA_BLANK (1 << 12) -#define LS_SHOW_DIRNAME (1 << 13) -#define LS_DIR_FLAG (1 << 14) /* these files come via list_dir */ - -#ifndef S_ISTXT -#define S_ISTXT S_ISVTX -#endif - -#if !defined(_S_IFMT) && defined(S_IFMT) -#define _S_IFMT S_IFMT -#endif - -#ifndef S_ISSOCK -#define S_ISSOCK(mode) (((mode) & _S_IFMT) == 
S_IFSOCK) -#endif - -#ifndef S_ISLNK -#define S_ISLNK(mode) (((mode) & _S_IFMT) == S_IFLNK) -#endif - -static size_t -block_convert(size_t blocks) -{ -#ifdef S_BLKSIZE - return blocks * S_BLKSIZE / 1024; -#else - return blocks * 512 / 1024; -#endif -} - -static void -make_fileinfo(FILE *out, const char *filename, struct fileinfo *file, int flags) -{ - char buf[128]; - int file_type = 0; - struct stat *st = &file->st; - - file->inode = st->st_ino; - file->bsize = block_convert(st->st_blocks); - - if(S_ISDIR(st->st_mode)) { - file->mode[0] = 'd'; - file_type = '/'; - } - else if(S_ISCHR(st->st_mode)) - file->mode[0] = 'c'; - else if(S_ISBLK(st->st_mode)) - file->mode[0] = 'b'; - else if(S_ISREG(st->st_mode)) { - file->mode[0] = '-'; - if(st->st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) - file_type = '*'; - } - else if(S_ISFIFO(st->st_mode)) { - file->mode[0] = 'p'; - file_type = '|'; - } - else if(S_ISLNK(st->st_mode)) { - file->mode[0] = 'l'; - file_type = '@'; - } - else if(S_ISSOCK(st->st_mode)) { - file->mode[0] = 's'; - file_type = '='; - } -#ifdef S_ISWHT - else if(S_ISWHT(st->st_mode)) { - file->mode[0] = 'w'; - file_type = '%'; - } -#endif - else - file->mode[0] = '?'; - { - char *x[] = { "---", "--x", "-w-", "-wx", - "r--", "r-x", "rw-", "rwx" }; - strcpy(file->mode + 1, x[(st->st_mode & S_IRWXU) >> 6]); - strcpy(file->mode + 4, x[(st->st_mode & S_IRWXG) >> 3]); - strcpy(file->mode + 7, x[(st->st_mode & S_IRWXO) >> 0]); - if((st->st_mode & S_ISUID)) { - if((st->st_mode & S_IXUSR)) - file->mode[3] = 's'; - else - file->mode[3] = 'S'; - } - if((st->st_mode & S_ISGID)) { - if((st->st_mode & S_IXGRP)) - file->mode[6] = 's'; - else - file->mode[6] = 'S'; - } - if((st->st_mode & S_ISTXT)) { - if((st->st_mode & S_IXOTH)) - file->mode[9] = 't'; - else - file->mode[9] = 'T'; - } - } - file->n_link = st->st_nlink; - { - struct passwd *pwd; - pwd = getpwuid(st->st_uid); - if(pwd == NULL) - asprintf(&file->user, "%u", (unsigned)st->st_uid); - else - file->user = 
strdup(pwd->pw_name); - } - { - struct group *grp; - grp = getgrgid(st->st_gid); - if(grp == NULL) - asprintf(&file->group, "%u", (unsigned)st->st_gid); - else - file->group = strdup(grp->gr_name); - } - - if(S_ISCHR(st->st_mode) || S_ISBLK(st->st_mode)) { -#if defined(major) && defined(minor) - asprintf(&file->major, "%u", (unsigned)major(st->st_rdev)); - asprintf(&file->minor, "%u", (unsigned)minor(st->st_rdev)); -#else - /* Don't want to use the DDI/DKI crap. */ - asprintf(&file->major, "%u", (unsigned)st->st_rdev); - asprintf(&file->minor, "%u", 0); -#endif - } else - asprintf(&file->size, "%lu", (unsigned long)st->st_size); - - { - time_t t = time(NULL); - time_t mtime = st->st_mtime; - struct tm *tm = localtime(&mtime); - if((t - mtime > 6*30*24*60*60) || - (mtime - t > 6*30*24*60*60)) - strftime(buf, sizeof(buf), "%b %e %Y", tm); - else - strftime(buf, sizeof(buf), "%b %e %H:%M", tm); - file->date = strdup(buf); - } - { - const char *p = strrchr(filename, '/'); - if(p) - p++; - else - p = filename; - if((flags & LS_TYPE) && file_type != 0) - asprintf(&file->filename, "%s%c", p, file_type); - else - file->filename = strdup(p); - } - if(S_ISLNK(st->st_mode)) { - int n; - n = readlink((char *)filename, buf, sizeof(buf) - 1); - if(n >= 0) { - buf[n] = '\0'; - file->link = strdup(buf); - } else - sec_fprintf2(out, "readlink(%s): %s", filename, strerror(errno)); - } -} - -static void -print_file(FILE *out, - int flags, - struct fileinfo *f, - int max_inode, - int max_bsize, - int max_n_link, - int max_user, - int max_group, - int max_size, - int max_major, - int max_minor, - int max_date) -{ - if(f->filename == NULL) - return; - - if(flags & LS_INODE) { - sec_fprintf2(out, "%*d", max_inode, f->inode); - sec_fprintf2(out, " "); - } - if(flags & LS_SIZE) { - sec_fprintf2(out, "%*d", max_bsize, f->bsize); - sec_fprintf2(out, " "); - } - sec_fprintf2(out, "%s", f->mode); - sec_fprintf2(out, " "); - sec_fprintf2(out, "%*d", max_n_link, f->n_link); - sec_fprintf2(out, " 
"); - sec_fprintf2(out, "%-*s", max_user, f->user); - sec_fprintf2(out, " "); - sec_fprintf2(out, "%-*s", max_group, f->group); - sec_fprintf2(out, " "); - if(f->major != NULL && f->minor != NULL) - sec_fprintf2(out, "%*s, %*s", max_major, f->major, max_minor, f->minor); - else - sec_fprintf2(out, "%*s", max_size, f->size); - sec_fprintf2(out, " "); - sec_fprintf2(out, "%*s", max_date, f->date); - sec_fprintf2(out, " "); - sec_fprintf2(out, "%s", f->filename); - if(f->link) - sec_fprintf2(out, " -> %s", f->link); - sec_fprintf2(out, "\r\n"); -} - -static int -compare_filename(struct fileinfo *a, struct fileinfo *b) -{ - if(a->filename == NULL) - return 1; - if(b->filename == NULL) - return -1; - return strcmp(a->filename, b->filename); -} - -static int -compare_mtime(struct fileinfo *a, struct fileinfo *b) -{ - if(a->filename == NULL) - return 1; - if(b->filename == NULL) - return -1; - return b->st.st_mtime - a->st.st_mtime; -} - -static int -compare_size(struct fileinfo *a, struct fileinfo *b) -{ - if(a->filename == NULL) - return 1; - if(b->filename == NULL) - return -1; - return b->st.st_size - a->st.st_size; -} - -static int list_dir(FILE*, const char*, int); - -static int -log10(int num) -{ - int i = 1; - while(num > 10) { - i++; - num /= 10; - } - return i; -} - -/* - * Operate as lstat but fake up entries for AFS mount points so we don't - * have to fetch them. 
- */ - -#ifdef KRB4 -static int do_the_afs_dance = 1; -#endif - -static int -lstat_file (const char *file, struct stat *sb) -{ -#ifdef KRB4 - if (do_the_afs_dance && - k_hasafs() - && strcmp(file, ".") - && strcmp(file, "..") - && strcmp(file, "/")) - { - struct ViceIoctl a_params; - char *dir, *last; - char *path_bkp; - static ino_t ino_counter = 0, ino_last = 0; - int ret; - const int maxsize = 2048; - - path_bkp = strdup (file); - if (path_bkp == NULL) - return -1; - - a_params.out = malloc (maxsize); - if (a_params.out == NULL) { - free (path_bkp); - return -1; - } - - /* If path contains more than the filename alone - split it */ - - last = strrchr (path_bkp, '/'); - if (last != NULL) { - if(last[1] == '\0') - /* if path ended in /, replace with `.' */ - a_params.in = "."; - else - a_params.in = last + 1; - while(last > path_bkp && *--last == '/'); - if(*last != '/' || last != path_bkp) { - *++last = '\0'; - dir = path_bkp; - } else - /* we got to the start, so this must be the root dir */ - dir = "/"; - } else { - /* file is relative to cdir */ - dir = "."; - a_params.in = path_bkp; - } - - a_params.in_size = strlen (a_params.in) + 1; - a_params.out_size = maxsize; - - ret = k_pioctl (dir, VIOC_AFS_STAT_MT_PT, &a_params, 0); - free (a_params.out); - if (ret < 0) { - free (path_bkp); - - if (errno != EINVAL) - return ret; - else - /* if we get EINVAL this is probably not a mountpoint */ - return lstat (file, sb); - } - - /* - * wow this was a mountpoint, lets cook the struct stat - * use . as a prototype - */ - - ret = lstat (dir, sb); - free (path_bkp); - if (ret < 0) - return ret; - - if (ino_last == sb->st_ino) - ino_counter++; - else { - ino_last = sb->st_ino; - ino_counter = 0; - } - sb->st_ino += ino_counter; - sb->st_nlink = 3; - - return 0; - } -#endif /* KRB4 */ - return lstat (file, sb); -} - -#define IS_DOT_DOTDOT(X) ((X)[0] == '.' && ((X)[1] == '\0' || \ - ((X)[1] == '.' 
&& (X)[2] == '\0'))) - -static int -list_files(FILE *out, const char **files, int n_files, int flags) -{ - struct fileinfo *fi; - int i; - int *dirs = NULL; - size_t total_blocks = 0; - int n_print = 0; - int ret = 0; - - if(n_files == 0) - return 0; - - if(n_files > 1) - flags |= LS_SHOW_DIRNAME; - - fi = calloc(n_files, sizeof(*fi)); - if (fi == NULL) { - syslog(LOG_ERR, "out of memory"); - return -1; - } - for(i = 0; i < n_files; i++) { - if(lstat_file(files[i], &fi[i].st) < 0) { - sec_fprintf2(out, "%s: %s\r\n", files[i], strerror(errno)); - fi[i].filename = NULL; - } else { - int include_in_list = 1; - total_blocks += block_convert(fi[i].st.st_blocks); - if(S_ISDIR(fi[i].st.st_mode)) { - if(dirs == NULL) - dirs = calloc(n_files, sizeof(*dirs)); - if(dirs == NULL) { - syslog(LOG_ERR, "%s: %m", files[i]); - ret = -1; - goto out; - } - dirs[i] = 1; - if((flags & LS_DIRS) == 0) - include_in_list = 0; - } - if(include_in_list) { - make_fileinfo(out, files[i], &fi[i], flags); - n_print++; - } - } - } - switch(SORT_MODE(flags)) { - case LS_SORT_NAME: - qsort(fi, n_files, sizeof(*fi), - (int (*)(const void*, const void*))compare_filename); - break; - case LS_SORT_MTIME: - qsort(fi, n_files, sizeof(*fi), - (int (*)(const void*, const void*))compare_mtime); - break; - case LS_SORT_SIZE: - qsort(fi, n_files, sizeof(*fi), - (int (*)(const void*, const void*))compare_size); - break; - } - if(DISP_MODE(flags) == LS_DISP_LONG) { - int max_inode = 0; - int max_bsize = 0; - int max_n_link = 0; - int max_user = 0; - int max_group = 0; - int max_size = 0; - int max_major = 0; - int max_minor = 0; - int max_date = 0; - for(i = 0; i < n_files; i++) { - if(fi[i].filename == NULL) - continue; - if(fi[i].inode > max_inode) - max_inode = fi[i].inode; - if(fi[i].bsize > max_bsize) - max_bsize = fi[i].bsize; - if(fi[i].n_link > max_n_link) - max_n_link = fi[i].n_link; - if(strlen(fi[i].user) > max_user) - max_user = strlen(fi[i].user); - if(strlen(fi[i].group) > max_group) - max_group = 
strlen(fi[i].group); - if(fi[i].major != NULL && strlen(fi[i].major) > max_major) - max_major = strlen(fi[i].major); - if(fi[i].minor != NULL && strlen(fi[i].minor) > max_minor) - max_minor = strlen(fi[i].minor); - if(fi[i].size != NULL && strlen(fi[i].size) > max_size) - max_size = strlen(fi[i].size); - if(strlen(fi[i].date) > max_date) - max_date = strlen(fi[i].date); - } - if(max_size < max_major + max_minor + 2) - max_size = max_major + max_minor + 2; - else if(max_size - max_minor - 2 > max_major) - max_major = max_size - max_minor - 2; - max_inode = log10(max_inode); - max_bsize = log10(max_bsize); - max_n_link = log10(max_n_link); - - if(n_print > 0) - sec_fprintf2(out, "total %lu\r\n", (unsigned long)total_blocks); - if(flags & LS_SORT_REVERSE) - for(i = n_files - 1; i >= 0; i--) - print_file(out, - flags, - &fi[i], - max_inode, - max_bsize, - max_n_link, - max_user, - max_group, - max_size, - max_major, - max_minor, - max_date); - else - for(i = 0; i < n_files; i++) - print_file(out, - flags, - &fi[i], - max_inode, - max_bsize, - max_n_link, - max_user, - max_group, - max_size, - max_major, - max_minor, - max_date); - } else if(DISP_MODE(flags) == LS_DISP_COLUMN || - DISP_MODE(flags) == LS_DISP_CROSS) { - int max_len = 0; - int size_len = 0; - int num_files = n_files; - int columns; - int j; - for(i = 0; i < n_files; i++) { - if(fi[i].filename == NULL) { - num_files--; - continue; - } - if(strlen(fi[i].filename) > max_len) - max_len = strlen(fi[i].filename); - if(log10(fi[i].bsize) > size_len) - size_len = log10(fi[i].bsize); - } - if(num_files == 0) - goto next; - if(flags & LS_SIZE) { - columns = 80 / (size_len + 1 + max_len + 1); - max_len = 80 / columns - size_len - 1; - } else { - columns = 80 / (max_len + 1); /* get space between columns */ - max_len = 80 / columns; - } - if(flags & LS_SIZE) - sec_fprintf2(out, "total %lu\r\n", - (unsigned long)total_blocks); - if(DISP_MODE(flags) == LS_DISP_CROSS) { - for(i = 0, j = 0; i < n_files; i++) { - 
if(fi[i].filename == NULL) - continue; - if(flags & LS_SIZE) - sec_fprintf2(out, "%*u %-*s", size_len, fi[i].bsize, - max_len, fi[i].filename); - else - sec_fprintf2(out, "%-*s", max_len, fi[i].filename); - j++; - if(j == columns) { - sec_fprintf2(out, "\r\n"); - j = 0; - } - } - if(j > 0) - sec_fprintf2(out, "\r\n"); - } else { - int skip = (num_files + columns - 1) / columns; - j = 0; - for(i = 0; i < skip; i++) { - for(j = i; j < n_files;) { - while(j < n_files && fi[j].filename == NULL) - j++; - if(flags & LS_SIZE) - sec_fprintf2(out, "%*u %-*s", size_len, fi[j].bsize, - max_len, fi[j].filename); - else - sec_fprintf2(out, "%-*s", max_len, fi[j].filename); - j += skip; - } - sec_fprintf2(out, "\r\n"); - } - } - } else { - for(i = 0; i < n_files; i++) { - if(fi[i].filename == NULL) - continue; - sec_fprintf2(out, "%s\r\n", fi[i].filename); - } - } - next: - if(((flags & LS_DIRS) == 0 || (flags & LS_RECURSIVE)) && dirs != NULL) { - for(i = 0; i < n_files; i++) { - if(dirs[i]) { - const char *p = strrchr(files[i], '/'); - if(p == NULL) - p = files[i]; - else - p++; - if(!(flags & LS_DIR_FLAG) || !IS_DOT_DOTDOT(p)) { - if((flags & LS_SHOW_DIRNAME)) { - if ((flags & LS_EXTRA_BLANK)) - sec_fprintf2(out, "\r\n"); - sec_fprintf2(out, "%s:\r\n", files[i]); - } - list_dir(out, files[i], flags | LS_DIRS | LS_EXTRA_BLANK); - } - } - } - } - out: - for(i = 0; i < n_files; i++) - free_fileinfo(&fi[i]); - free(fi); - if(dirs != NULL) - free(dirs); - return ret; -} - -static void -free_files (char **files, int n) -{ - int i; - - for (i = 0; i < n; ++i) - free (files[i]); - free (files); -} - -static int -hide_file(const char *filename, int flags) -{ - if(filename[0] != '.') - return 0; - if((flags & LS_IGNORE_DOT)) - return 1; - if(filename[1] == '\0' || (filename[1] == '.' 
&& filename[2] == '\0')) {
- if((flags & LS_SHOW_ALL))
- return 0;
- else
- return 1;
- }
- return 0;
-}
-
-static int
-list_dir(FILE *out, const char *directory, int flags)
-{
- DIR *d = opendir(directory);
- struct dirent *ent;
- char **files = NULL;
- int n_files = 0;
-
- if(d == NULL) {
- syslog(LOG_ERR, "%s: %m", directory);
- return -1;
- }
- while((ent = readdir(d)) != NULL) {
- void *tmp;
-
- if(hide_file(ent->d_name, flags))
- continue;
- tmp = realloc(files, (n_files + 1) * sizeof(*files));
- if (tmp == NULL) {
- syslog(LOG_ERR, "%s: out of memory", directory);
- free_files (files, n_files);
- closedir (d);
- return -1;
- }
- files = tmp;
- asprintf(&files[n_files], "%s/%s", directory, ent->d_name);
- if (files[n_files] == NULL) {
- syslog(LOG_ERR, "%s: out of memory", directory);
- free_files (files, n_files);
- closedir (d);
- return -1;
- }
- ++n_files;
- }
- closedir(d);
- return list_files(out, (const char**)files, n_files, flags | LS_DIR_FLAG);
-}
-
-static int
-parse_flags(const char *options)
-{
-#ifdef TEST
- int flags = LS_SORT_NAME | LS_IGNORE_DOT | LS_DISP_COLUMN;
-#else
- int flags = LS_SORT_NAME | LS_IGNORE_DOT | LS_DISP_LONG;
-#endif
-
- const char *p;
- if(options == NULL || *options != '-')
- return flags;
- for(p = options + 1; *p; p++) {
- switch(*p) {
- case '1':
- flags = (flags & ~LS_DISP_MODE);
- break;
- case 'a':
- flags |= LS_SHOW_ALL;
- /*FALLTHROUGH*/
- case 'A':
- flags &= ~LS_IGNORE_DOT;
- break;
- case 'C':
- flags = (flags & ~LS_DISP_MODE) | LS_DISP_COLUMN;
- break;
- case 'd':
- flags |= LS_DIRS;
- break;
- case 'f':
- flags = (flags & ~LS_SORT_MODE);
- break;
- case 'F':
- flags |= LS_TYPE;
- break;
- case 'i':
- flags |= LS_INODE;
- break;
- case 'l':
- flags = (flags & ~LS_DISP_MODE) | LS_DISP_LONG;
- break;
- case 'r':
- flags |= LS_SORT_REVERSE;
- break;
- case 'R':
- flags |= LS_RECURSIVE;
- break;
- case 's':
- flags |= LS_SIZE;
- break;
- case 'S':
- flags = (flags & ~LS_SORT_MODE) | LS_SORT_SIZE;
- break;
- case
't':
- flags = (flags & ~LS_SORT_MODE) | LS_SORT_MTIME;
- break;
- case 'x':
- flags = (flags & ~LS_DISP_MODE) | LS_DISP_CROSS;
- break;
- /* these are a bunch of unimplemented flags from BSD ls */
- case 'k': /* display sizes in kB */
- case 'c': /* last change time */
- case 'L': /* list symlink target */
- case 'm': /* stream output */
- case 'o': /* BSD file flags */
- case 'p': /* display / after directories */
- case 'q': /* print non-graphic characters */
- case 'u': /* use last access time */
- case 'T': /* display complete time */
- case 'W': /* include whiteouts */
- break;
- }
- }
- return flags;
-}
-
-int
-builtin_ls(FILE *out, const char *file)
-{
- int flags;
- int ret;
-
- if(*file == '-') {
- flags = parse_flags(file);
- file = ".";
- } else
- flags = parse_flags("");
-
- ret = list_files(out, &file, 1, flags);
- sec_fflush(out);
- return ret;
-}
diff --git a/crypto/heimdal-0.6.3/appl/ftp/ftpd/pathnames.h b/crypto/heimdal-0.6.3/appl/ftp/ftpd/pathnames.h
deleted file mode 100644
index e4f5b441ae..0000000000
--- a/crypto/heimdal-0.6.3/appl/ftp/ftpd/pathnames.h
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
- * Copyright (c) 1989, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * @(#)pathnames.h 8.1 (Berkeley) 6/4/93
- */
-
-#ifdef HAVE_PATHS_H
-#include
-#endif
-
-#ifndef _PATH_DEVNULL
-#define _PATH_DEVNULL "/dev/null"
-#endif
-
-#ifndef _PATH_NOLOGIN
-#define _PATH_NOLOGIN "/etc/nologin"
-#endif
-
-#ifndef _PATH_BSHELL
-#define _PATH_BSHELL "/bin/sh"
-#endif
-
-#ifndef _PATH_FTPUSERS
-#define _PATH_FTPUSERS SYSCONFDIR "/ftpusers"
-#endif
-
-#define _PATH_FTPCHROOT SYSCONFDIR "/ftpchroot"
-#define _PATH_FTPWELCOME SYSCONFDIR "/ftpwelcome"
-#define _PATH_FTPLOGINMESG SYSCONFDIR "/motd"
-
-#define _PATH_ISSUE SYSCONFDIR "/issue"
-#define _PATH_ISSUE_NET SYSCONFDIR "/issue.net"
diff --git a/crypto/heimdal-0.6.3/appl/ftp/ftpd/popen.c b/crypto/heimdal-0.6.3/appl/ftp/ftpd/popen.c
deleted file mode 100644
index 708cae1b7e..0000000000
--- a/crypto/heimdal-0.6.3/appl/ftp/ftpd/popen.c
+++ /dev/null
@@ -1,238 +0,0 @@
-/*
- * Copyright (c) 1988, 1993, 1994
- * The Regents of the University of California. All rights reserved.
- *
- * This code is derived from software written by Ken Arnold and
- * published in UNIX Review, Vol. 6, No. 8.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: popen.c,v 1.26 2002/04/02 11:57:39 joda Exp $");
-#endif
-
-#include
-#ifdef TIME_WITH_SYS_TIME
-#include
-#include
-#elif defined(HAVE_SYS_TIME_H)
-#include
-#else
-#include
-#endif
-#ifdef HAVE_SYS_RESOURCE_H
-#include
-#endif
-#include
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include "extern.h"
-
-
-/*
- * Special version of popen which avoids call to shell. This ensures
- * no one may create a pipe to a hidden program as a side effect of a
- * list or dir command.
- */
-static int *pids;
-static int fds;
-
-extern int dochroot;
-
-/* return path prepended with ~ftp if that file exists, otherwise
- * return path unchanged
- */
-
-const char *
-ftp_rooted(const char *path)
-{
- static char home[MaxPathLen] = "";
- static char newpath[MaxPathLen];
- struct passwd *pwd;
-
- if(!home[0])
- if((pwd = k_getpwnam("ftp")))
- strlcpy(home, pwd->pw_dir, sizeof(home));
- snprintf(newpath, sizeof(newpath), "%s/%s", home, path);
- if(access(newpath, X_OK))
- strlcpy(newpath, path, sizeof(newpath));
- return newpath;
-}
-
-
-#define MAXARGS 100
-#define MAXGLOBS 1000
-
-FILE *
-ftpd_popen(char *program, char *type, int do_stderr, int no_glob)
-{
- char *cp;
- FILE *iop;
- int argc, gargc, pdes[2], pid;
- char **pop, *argv[MAXARGS], *gargv[MAXGLOBS];
- char *foo;
-
- if (strcmp(type, "r") && strcmp(type, "w"))
- return (NULL);
-
- if (!pids) {
-
- /* This function is ugly and should be rewritten, in
- * modern unices there is no such thing as a maximum
- * filedescriptor.
- */
-
- fds = getdtablesize();
- pids = (int*)calloc(fds, sizeof(int));
- if(!pids)
- return NULL;
- }
- if (pipe(pdes) < 0)
- return (NULL);
-
- /* break up string into pieces */
- foo = NULL;
- for (argc = 0, cp = program; argc < MAXARGS - 1; cp = NULL) {
- if (!(argv[argc++] = strtok_r(cp, " \t\n", &foo)))
- break;
- }
- argv[MAXARGS - 1] = NULL;
-
- gargv[0] = (char*)ftp_rooted(argv[0]);
- /* glob each piece */
- for (gargc = argc = 1; argv[argc] && gargc < MAXGLOBS - 1; argc++) {
- glob_t gl;
- int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE
- |
-#ifdef GLOB_MAXPATH
- GLOB_MAXPATH
-#else
- GLOB_LIMIT
-#endif
- ;
-
- memset(&gl, 0, sizeof(gl));
- if (no_glob ||
- glob(argv[argc], flags, NULL, &gl) ||
- gl.gl_pathc == 0)
- gargv[gargc++] = strdup(argv[argc]);
- else
- for (pop = gl.gl_pathv;
- *pop && gargc < MAXGLOBS - 1;
- pop++)
- gargv[gargc++] = strdup(*pop);
- globfree(&gl);
- }
- gargv[gargc] = NULL;
-
- iop = NULL;
- switch(pid = fork()) {
- case -1: /* error */
- close(pdes[0]);
- close(pdes[1]);
- goto pfree;
- /* NOTREACHED */
- case 0: /* child */
- if (*type == 'r') {
- if (pdes[1] != STDOUT_FILENO) {
- dup2(pdes[1], STDOUT_FILENO);
- close(pdes[1]);
- }
- if(do_stderr)
- dup2(STDOUT_FILENO, STDERR_FILENO);
- close(pdes[0]);
- } else {
- if (pdes[0] != STDIN_FILENO) {
- dup2(pdes[0], STDIN_FILENO);
- close(pdes[0]);
- }
- close(pdes[1]);
- }
- execv(gargv[0], gargv);
- gargv[0] = argv[0];
- execv(gargv[0], gargv);
- _exit(1);
- }
- /* parent; assume fdopen can't fail... */
- if (*type == 'r') {
- iop = fdopen(pdes[0], type);
- close(pdes[1]);
- } else {
- iop = fdopen(pdes[1], type);
- close(pdes[0]);
- }
- pids[fileno(iop)] = pid;
-
-pfree:
- for (argc = 1; gargv[argc] != NULL; argc++)
- free(gargv[argc]);
-
-
- return (iop);
-}
-
-int
-ftpd_pclose(FILE *iop)
-{
- int fdes, status;
- pid_t pid;
- sigset_t sigset, osigset;
-
- /*
- * pclose returns -1 if stream is not associated with a
- * `popened' command, or, if already `pclosed'.
- */
- if (pids == 0 || pids[fdes = fileno(iop)] == 0)
- return (-1);
- fclose(iop);
- sigemptyset(&sigset);
- sigaddset(&sigset, SIGINT);
- sigaddset(&sigset, SIGQUIT);
- sigaddset(&sigset, SIGHUP);
- sigprocmask(SIG_BLOCK, &sigset, &osigset);
- while ((pid = waitpid(pids[fdes], &status, 0)) < 0 && errno == EINTR)
- continue;
- sigprocmask(SIG_SETMASK, &osigset, NULL);
- pids[fdes] = 0;
- if (pid < 0)
- return (pid);
- if (WIFEXITED(status))
- return (WEXITSTATUS(status));
- return (1);
-}
diff --git a/crypto/heimdal-0.6.3/appl/kf/Makefile.am b/crypto/heimdal-0.6.3/appl/kf/Makefile.am
deleted file mode 100644
index c145e07c94..0000000000
--- a/crypto/heimdal-0.6.3/appl/kf/Makefile.am
+++ /dev/null
@@ -1,18 +0,0 @@
-# $Id: Makefile.am,v 1.5 2000/11/15 22:51:08 assar Exp $
-
-include $(top_srcdir)/Makefile.am.common
-
-bin_PROGRAMS = kf
-
-libexec_PROGRAMS = kfd
-
-man_MANS = kf.1 kfd.8
-
-kf_SOURCES = kf.c kf_locl.h
-
-kfd_SOURCES = kfd.c kf_locl.h
-
-LDADD = $(top_builddir)/lib/krb5/libkrb5.la \
- $(LIB_des) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(LIB_roken)
diff --git a/crypto/heimdal-0.6.3/appl/kf/Makefile.in b/crypto/heimdal-0.6.3/appl/kf/Makefile.in
deleted file mode 100644
index ac8c4e78db..0000000000
--- a/crypto/heimdal-0.6.3/appl/kf/Makefile.in
+++ /dev/null
@@ -1,902 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.5 2000/11/15 22:51:08 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - -SOURCES = $(kf_SOURCES) $(kfd_SOURCES) - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../.. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ - $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common -bin_PROGRAMS = kf$(EXEEXT) -libexec_PROGRAMS = kfd$(EXEEXT) -subdir = appl/kf -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - 
$(top_srcdir)/cf/krb-struct-spwd.m4 \ - $(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man8dir)" -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -PROGRAMS = $(bin_PROGRAMS) $(libexec_PROGRAMS) -am_kf_OBJECTS = kf.$(OBJEXT) -kf_OBJECTS = $(am_kf_OBJECTS) -kf_LDADD = $(LDADD) -am__DEPENDENCIES_1 = -kf_DEPENDENCIES = $(top_builddir)/lib/krb5/libkrb5.la \ - $(am__DEPENDENCIES_1) $(top_builddir)/lib/asn1/libasn1.la \ - $(am__DEPENDENCIES_1) -am_kfd_OBJECTS = kfd.$(OBJEXT) -kfd_OBJECTS = $(am_kfd_OBJECTS) -kfd_LDADD = $(LDADD) -kfd_DEPENDENCIES = $(top_builddir)/lib/krb5/libkrb5.la \ - $(am__DEPENDENCIES_1) $(top_builddir)/lib/asn1/libasn1.la \ - $(am__DEPENDENCIES_1) -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -SOURCES = $(kf_SOURCES) $(kfd_SOURCES) -DIST_SOURCES = $(kf_SOURCES) $(kfd_SOURCES) -man1dir = $(mandir)/man1 -man8dir = $(mandir)/man8 -MANS = $(man_MANS) -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ 
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = 
@LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = 
@do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -man_MANS = kf.1 kfd.8 -kf_SOURCES = kf.c kf_locl.h 
-kfd_SOURCES = kfd.c kf_locl.h -LDADD = $(top_builddir)/lib/krb5/libkrb5.la \ - $(LIB_des) \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_roken) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps appl/kf/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps appl/kf/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -install-binPROGRAMS: $(bin_PROGRAMS) - @$(NORMAL_INSTALL) - test -z "$(bindir)" || $(mkdir_p) "$(DESTDIR)$(bindir)" - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(bindir)/$$f'"; \ - 
$(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(bindir)/$$f" || exit 1; \ - else :; fi; \ - done - -uninstall-binPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f '$(DESTDIR)$(bindir)/$$f'"; \ - rm -f "$(DESTDIR)$(bindir)/$$f"; \ - done - -clean-binPROGRAMS: - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -install-libexecPROGRAMS: $(libexec_PROGRAMS) - @$(NORMAL_INSTALL) - test -z "$(libexecdir)" || $(mkdir_p) "$(DESTDIR)$(libexecdir)" - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(libexecdir)/$$f'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(libexecdir)/$$f" || exit 1; \ - else :; fi; \ - done - -uninstall-libexecPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f '$(DESTDIR)$(libexecdir)/$$f'"; \ - rm -f "$(DESTDIR)$(libexecdir)/$$f"; \ - done - -clean-libexecPROGRAMS: - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -kf$(EXEEXT): $(kf_OBJECTS) $(kf_DEPENDENCIES) - @rm -f kf$(EXEEXT) - $(LINK) $(kf_LDFLAGS) $(kf_OBJECTS) $(kf_LDADD) $(LIBS) -kfd$(EXEEXT): $(kfd_OBJECTS) $(kfd_DEPENDENCIES) - @rm -f kfd$(EXEEXT) - $(LINK) $(kfd_LDFLAGS) $(kfd_OBJECTS) $(kfd_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - 
-.c.o: - $(COMPILE) -c $< - -.c.obj: - $(COMPILE) -c `$(CYGPATH_W) '$<'` - -.c.lo: - $(LTCOMPILE) -c -o $@ $< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -install-man1: $(man1_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - test -z "$(man1dir)" || $(mkdir_p) "$(DESTDIR)$(man1dir)" - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 1*) ;; \ - *) ext='1' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man1dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man1dir)/$$inst"; \ - done -uninstall-man1: - @$(NORMAL_UNINSTALL) - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 1*) ;; \ - *) ext='1' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f '$(DESTDIR)$(man1dir)/$$inst'"; \ - rm -f "$(DESTDIR)$(man1dir)/$$inst"; \ - done -install-man8: $(man8_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - test -z "$(man8dir)" || $(mkdir_p) "$(DESTDIR)$(man8dir)" - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; 
\ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ - done -uninstall-man8: - @$(NORMAL_UNINSTALL) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ - rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ - done - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) 
$(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/../.. $(distdir)/../../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) $(MANS) all-local -installdirs: - for dir in "$(DESTDIR)$(bindir)" "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man8dir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ - done -install: install-am 
-install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-binPROGRAMS clean-generic clean-libexecPROGRAMS \ - clean-libtool mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: install-man - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: install-binPROGRAMS install-libexecPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man1 install-man8 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-binPROGRAMS uninstall-info-am \ - uninstall-libexecPROGRAMS uninstall-man - -uninstall-man: uninstall-man1 uninstall-man8 - -.PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \ - clean clean-binPROGRAMS clean-generic clean-libexecPROGRAMS \ - clean-libtool ctags distclean distclean-compile \ - distclean-generic 
distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-binPROGRAMS install-data install-data-am install-exec \ - install-exec-am install-info install-info-am \ - install-libexecPROGRAMS install-man install-man1 install-man8 \ - install-strip installcheck installcheck-am installdirs \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ - pdf pdf-am ps ps-am tags uninstall uninstall-am \ - uninstall-binPROGRAMS uninstall-info-am \ - uninstall-libexecPROGRAMS uninstall-man uninstall-man1 \ - uninstall-man8 - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo 
"$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to 
not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/crypto/heimdal-0.6.3/appl/kf/kf.1 b/crypto/heimdal-0.6.3/appl/kf/kf.1
deleted file mode 100644
index 2426063af6..0000000000
--- a/crypto/heimdal-0.6.3/appl/kf/kf.1
+++ /dev/null
@@ -1,112 +0,0 @@
-.\" Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: kf.1,v 1.6 2003/04/11 12:43:57 lha Exp $
-.\"
-.Dd July 2, 2000
-.Dt KF 1
-.Os Heimdal
-.Sh NAME
-.Nm kf
-.Nd securely forward tickets
-.Sh SYNOPSIS
-.Nm
-.Oo
-.Fl p Ar port |
-.Fl -port Ns = Ns Ar port
-.Oc
-.Oo
-.Fl l Ar login |
-.Fl -login Ns = Ns Ar login
-.Oc
-.Oo
-.Fl c Ar ccache |
-.Fl -ccache Ns = Ns Ar ccache
-.Oc
-.Op Fl F | -forwardable
-.Op Fl G | -no-forwardable
-.Op Fl h | -help
-.Op Fl -version
-.Ar host ...
-.Sh DESCRIPTION
-The
-.Nm
-program forwards tickets to a remote host through an authenticated
-and encrypted stream.
-Options supported are:
-.Bl -tag -width indent
-.It Xo
-.Fl p Ar port ,
-.Fl -port Ns = Ns Ar port
-.Xc
-port to connect to
-.It Xo
-.Fl l Ar login ,
-.Fl -login Ns = Ns Ar login
-.Xc
-remote login name
-.It Xo
-.Fl c Ar ccache ,
-.Fl -ccache Ns = Ns Ar ccache
-.Xc
-remote cred cache
-.It Fl F , -forwardable
-forward forwardable credentials
-.It Fl G , -no-forwardable
-do not forward forwardable credentials
-.It Fl h , -help
-.It Fl -version
-.El
-.Pp
-.Nm
-is useful when you do not want to enter your password on a remote host
-but want to have your tickets one for example AFS.
-.Pp
-In order for
-.Nm
-to work you will need to acquire your initial ticket with forwardable
-flag, i.e.
-.Nm kinit Fl -forwardable .
-.Pp
-.Nm telnet
-is able to forward tickets by itself.
-.\".Sh ENVIRONMENT
-.\".Sh FILES
-.\".Sh EXAMPLES
-.\".Sh DIAGNOSTICS
-.Sh SEE ALSO
-.Xr kinit 1 ,
-.Xr telnet 1 ,
-.Xr kfd 8
-.\".Sh STANDARDS
-.\".Sh HISTORY
-.\".Sh AUTHORS
-.\".Sh BUGS
diff --git a/crypto/heimdal-0.6.3/appl/kf/kf.c b/crypto/heimdal-0.6.3/appl/kf/kf.c
deleted file mode 100644
index 190101ba04..0000000000
--- a/crypto/heimdal-0.6.3/appl/kf/kf.c
+++ /dev/null
@@ -1,335 +0,0 @@
-/*
- * Copyright (c) 1997 - 2000, 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "kf_locl.h" -RCSID("$Id: kf.c,v 1.17 2002/09/05 15:00:03 joda Exp $"); - -krb5_context context; -static int help_flag; -static int version_flag; -static char *port_str; -const char *service = KF_SERVICE; -const char *remote_name = NULL; -int forwardable = 0; -const char *ccache_name = NULL; - -static struct getargs args[] = { - { "port", 'p', arg_string, &port_str, "port to connect to", "port" }, - { "login", 'l',arg_string, &remote_name,"remote login name","login"}, - { "ccache", 'c',arg_string, &ccache_name, "remote cred cache","ccache"}, - { "forwardable",'F',arg_flag,&forwardable, - "Forward forwardable credentials", NULL }, - { "forwardable",'G',arg_negative_flag,&forwardable, - "Don't forward forwardable credentials", NULL }, - { "help", 'h', arg_flag, &help_flag }, - { "version", 0, arg_flag, &version_flag } -}; - -static int num_args = sizeof(args) / sizeof(args[0]); - -static void -usage(int code, struct getargs *args, int num_args) -{ - arg_printusage(args, num_args, NULL, "hosts"); - exit(code); -} - -static int -client_setup(krb5_context *context, int *argc, char **argv) -{ - int optind = 0; - int port = 0; - int status; - - setprogname (argv[0]); - - status = krb5_init_context (context); - if (status) - errx(1, "krb5_init_context failed: %d", status); - - forwardable = krb5_config_get_bool (*context, NULL, - "libdefaults", - "forwardable", - NULL); - - if (getarg (args, num_args, *argc, argv, &optind)) - usage(1, args, num_args); - - if(help_flag) - usage (0, args, num_args); - if(version_flag) { - print_version(NULL); - exit(0); - } - - if(port_str) { - struct servent *s = roken_getservbyname(port_str, "tcp"); - if(s) - port = s->s_port; - else { - char *ptr; - - port = strtol (port_str, &ptr, 10); - if (port == 0 && ptr == port_str) - errx (1, "Bad port `%s'", port_str); - port = htons(port); - } - } - - if (port == 0) - port = krb5_getportbyname (*context, KF_PORT_NAME, "tcp", KF_PORT_NUM); - - if(*argc - optind < 1) - usage(1, 
args, num_args); - *argc = optind; - - return port; -} - -/* - * forward creds to `hostname'/`service' over `sock' - * return 0 iff OK - */ - -static int -proto (int sock, const char *hostname, const char *service, - char *message, size_t len) -{ - krb5_auth_context auth_context; - krb5_error_code status; - krb5_principal server; - krb5_data data; - krb5_data data_send; - - krb5_ccache ccache; - krb5_creds creds; - krb5_kdc_flags flags; - krb5_principal principal; - - status = krb5_auth_con_init (context, &auth_context); - if (status) { - krb5_warn (context, status, "krb5_auth_con_init"); - return 1; - } - - status = krb5_auth_con_setaddrs_from_fd (context, - auth_context, - &sock); - if (status) { - krb5_warn (context, status, "krb5_auth_con_setaddr"); - return 1; - } - - status = krb5_sname_to_principal (context, - hostname, - service, - KRB5_NT_SRV_HST, - &server); - if (status) { - krb5_warn (context, status, "krb5_sname_to_principal"); - return 1; - } - - status = krb5_sendauth (context, - &auth_context, - &sock, - KF_VERSION_1, - NULL, - server, - AP_OPTS_MUTUAL_REQUIRED | AP_OPTS_USE_SUBKEY, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL); - if (status) { - krb5_warn(context, status, "krb5_sendauth"); - return 1; - } - - if (ccache_name == NULL) - ccache_name = ""; - - data_send.data = (void *)remote_name; - data_send.length = strlen(remote_name) + 1; - status = krb5_write_priv_message(context, auth_context, &sock, &data_send); - if (status) { - krb5_warn (context, status, "krb5_write_message"); - return 1; - } - data_send.data = (void *)ccache_name; - data_send.length = strlen(ccache_name)+1; - status = krb5_write_priv_message(context, auth_context, &sock, &data_send); - if (status) { - krb5_warn (context, status, "krb5_write_message"); - return 1; - } - - memset (&creds, 0, sizeof(creds)); - - status = krb5_cc_default (context, &ccache); - if (status) { - krb5_warn (context, status, "krb5_cc_default"); - return 1; - } - - status = krb5_cc_get_principal 
(context, ccache, &principal); - if (status) { - krb5_warn (context, status, "krb5_cc_get_principal"); - return 1; - } - - creds.client = principal; - - status = krb5_make_principal (context, - &creds.server, - principal->realm, - KRB5_TGS_NAME, - principal->realm, - NULL); - - if (status) { - krb5_warn (context, status, "krb5_make_principal"); - return 1; - } - - creds.times.endtime = 0; - - flags.i = 0; - flags.b.forwarded = 1; - flags.b.forwardable = forwardable; - - status = krb5_get_forwarded_creds (context, - auth_context, - ccache, - flags.i, - hostname, - &creds, - &data); - if (status) { - krb5_warn (context, status, "krb5_get_forwarded_creds"); - return 1; - } - - status = krb5_write_priv_message(context, auth_context, &sock, &data); - - if (status) { - krb5_warn (context, status, "krb5_mk_priv"); - return 1; - } - - krb5_data_free (&data); - - status = krb5_read_priv_message(context, auth_context, &sock, &data); - if (status) { - krb5_warn (context, status, "krb5_mk_priv"); - return 1; - } - if(data.length >= len) { - krb5_warnx (context, "returned string is too long, truncating"); - memcpy(message, data.data, len); - message[len - 1] = '\0'; - } else { - memcpy(message, data.data, data.length); - message[data.length] = '\0'; - } - krb5_data_free (&data); - - return(strcmp(message, "ok")); -} - -static int -doit (const char *hostname, int port, const char *service, - char *message, size_t len) -{ - struct addrinfo *ai, *a; - struct addrinfo hints; - int error; - char portstr[NI_MAXSERV]; - - memset (&hints, 0, sizeof(hints)); - hints.ai_socktype = SOCK_STREAM; - hints.ai_protocol = IPPROTO_TCP; - - snprintf (portstr, sizeof(portstr), "%u", ntohs(port)); - - error = getaddrinfo (hostname, portstr, &hints, &ai); - if (error) { - errx (1, "getaddrinfo(%s): %s", hostname, gai_strerror(error)); - } - - for (a = ai; a != NULL; a = a->ai_next) { - int s; - - s = socket (a->ai_family, a->ai_socktype, a->ai_protocol); - if (s < 0) - continue; - if (connect (s, 
a->ai_addr, a->ai_addrlen) < 0) { - warn ("connect(%s)", hostname); - close (s); - continue; - } - freeaddrinfo (ai); - return proto (s, hostname, service, message, len); - } - warnx ("failed to contact %s", hostname); - freeaddrinfo (ai); - return 1; -} - -int -main(int argc, char **argv) -{ - int argcc,port,i; - int ret=0; - - argcc = argc; - port = client_setup(&context, &argcc, argv); - - if (remote_name == NULL) { - remote_name = get_default_username (); - if (remote_name == NULL) - errx (1, "who are you?"); - } - - for (i = argcc;i < argc; i++) { - char message[128]; - ret = doit (argv[i], port, service, message, sizeof(message)); - if(ret == 0) - warnx ("%s: ok", argv[i]); - else - warnx ("%s: failed: %s", argv[i], message); - } - return(ret); -} diff --git a/crypto/heimdal-0.6.3/appl/kf/kf.cat1 b/crypto/heimdal-0.6.3/appl/kf/kf.cat1 deleted file mode 100644 index 35ebcf4407..0000000000 --- a/crypto/heimdal-0.6.3/appl/kf/kf.cat1 +++ /dev/null 
@@ -1,46 +0,0 @@ - -KF(1) UNIX Reference Manual KF(1) - -NNAAMMEE - kkff - securely forward tickets - -SSYYNNOOPPSSIISS - kkff [--pp _p_o_r_t | ----ppoorrtt=_p_o_r_t] [--ll _l_o_g_i_n | ----llooggiinn=_l_o_g_i_n] [--cc _c_c_a_c_h_e | - ----ccccaacchhee=_c_c_a_c_h_e] [--FF | ----ffoorrwwaarrddaabbllee] [--GG | ----nnoo--ffoorrwwaarrddaabbllee] [--hh | - ----hheellpp] [----vveerrssiioonn] _h_o_s_t _._._. - -DDEESSCCRRIIPPTTIIOONN - The kkff program forwards tickets to a remote host through an authenticated - and encrypted stream. Options supported are: - - --pp _p_o_r_t, ----ppoorrtt=_p_o_r_t - port to connect to - - --ll _l_o_g_i_n, ----llooggiinn=_l_o_g_i_n - remote login name - - --cc _c_c_a_c_h_e, ----ccccaacchhee=_c_c_a_c_h_e - remote cred cache - - --FF, ----ffoorrwwaarrddaabbllee - forward forwardable credentials - - --GG, ----nnoo--ffoorrwwaarrddaabbllee - do not forward forwardable credentials - - --hh, ----hheellpp - - ----vveerrssiioonn - - kkff is useful when you do not want to enter your password on a remote host - but want to have your tickets one for example AFS. - - In order for kkff to work you will need to acquire your initial ticket with - forwardable flag, i.e. kkiinniitt ----ffoorrwwaarrddaabbllee. - - tteellnneett is able to forward tickets by itself. - -SSEEEE AALLSSOO - kinit(1), telnet(1), kfd(8) - - Heimdal July 2, 2000 1 diff --git a/crypto/heimdal-0.6.3/appl/kf/kf_locl.h b/crypto/heimdal-0.6.3/appl/kf/kf_locl.h deleted file mode 100644 index 0a6a28f935..0000000000 --- a/crypto/heimdal-0.6.3/appl/kf/kf_locl.h +++ /dev/null 
@@ -1,81 +0,0 @@
-/*
- * Copyright (c) 1997 - 1999, 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: kf_locl.h,v 1.3 2002/09/04 20:29:04 joda Exp $ */
-
-#ifdef HAVE_CONFIG_H
-#include
-#endif
-
-#include
-#include
-#include
-#ifdef HAVE_SYS_TYPES_H
-#include
-#endif
-#ifdef HAVE_UNISTD_H
-#include
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include
-#endif
-#ifdef HAVE_NETINET_IN6_H
-#include
-#endif
-#ifdef HAVE_NETINET6_IN6_H
-#include
-#endif
-
-#ifdef HAVE_PWD_H
-#include
-#endif
-#ifdef HAVE_NETDB_H
-#include
-#endif
-#ifdef HAVE_SYS_PARAM_H
-#include
-#endif
-#include
-#include
-#include
-#include
-#include
-
-#define KF_SERVICE "host"
-
-#define KF_PORT_NAME "kf"
-#define KF_PORT_NUM 2110
-#define KF_VERSION_1 "KFWDV0.1"
diff --git a/crypto/heimdal-0.6.3/appl/kf/kfd.8 b/crypto/heimdal-0.6.3/appl/kf/kfd.8
deleted file mode 100644
index 94d26cc7cf..0000000000
--- a/crypto/heimdal-0.6.3/appl/kf/kfd.8
+++ /dev/null
@@ -1,85 +0,0 @@
-.\" Copyright (c) 2000 - 2002 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: kfd.8,v 1.4 2003/02/16 21:10:05 lha Exp $
-.\"
-.Dd July 2, 2000
-.Dt KFD 8
-.Os Heimdal
-.Sh NAME
-.Nm kfd
-.Nd receive forwarded tickets
-.Sh SYNOPSIS
-.Nm
-.Oo
-.Fl p Ar port |
-.Fl -port Ns = Ns Ar port
-.Oc
-.Op Fl i | -inetd
-.Oo
-.Fl R Ar regpag |
-.Fl -regpag Ns = Ns Ar regpag
-.Oc
-.Op Fl h | -help
-.Op Fl -version
-.Sh DESCRIPTION
-This is the daemon for
-.Xr kf 1 .
-Supported options:
-.Bl -tag -width indent
-.It Xo
-.Fl p Ar port ,
-.Fl -port Ns = Ns Ar port
-.Xc
-port to listen to
-.It Fl i , -inetd
-not started from inetd
-.It Xo
-.Fl R Ar regpag ,
-.Fl -regpag= Ns Ar regpag
-.Xc
-path to regpag binary
-.El
-.\".Sh ENVIRONMENT
-.\".Sh FILES
-.Sh EXAMPLES
-Put the following in
-.Pa /etc/inetd.conf :
-.Bd -literal
-kf stream tcp nowait root /usr/heimdal/libexec/kfd kfd
-.Ed
-.\".Sh DIAGNOSTICS
-.Sh SEE ALSO
-.Xr kf 1
-.\".Sh STANDARDS
-.\".Sh HISTORY
-.\".Sh AUTHORS
-.\".Sh BUGS
diff --git a/crypto/heimdal-0.6.3/appl/kf/kfd.c b/crypto/heimdal-0.6.3/appl/kf/kfd.c
deleted file mode 100644
index c358b540b1..0000000000
--- a/crypto/heimdal-0.6.3/appl/kf/kfd.c
+++ /dev/null
@@ -1,307 +0,0 @@ -/* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "kf_locl.h" -RCSID("$Id: kfd.c,v 1.11 2003/04/16 15:40:24 lha Exp $"); - -krb5_context context; -char krb5_tkfile[MAXPATHLEN]; - -static int help_flag; -static int version_flag; -static char *port_str; -char *service = KF_SERVICE; -int do_inetd = 0; -static char *regpag_str=NULL; - -static struct getargs args[] = { - { "port", 'p', arg_string, &port_str, "port to listen to", "port" }, - { "inetd",'i',arg_flag, &do_inetd, - "Not started from inetd", NULL }, - { "regpag",'R',arg_string,®pag_str,"path to regpag binary","regpag"}, - { "help", 'h', arg_flag, &help_flag }, - { "version", 0, arg_flag, &version_flag } -}; - -static int num_args = sizeof(args) / sizeof(args[0]); - -static void -usage(int code, struct getargs *args, int num_args) -{ - arg_printusage(args, num_args, NULL, ""); - exit(code); -} - -static int -server_setup(krb5_context *context, int argc, char **argv) -{ - int port = 0; - int local_argc; - - local_argc = krb5_program_setup(context, argc, argv, args, num_args, usage); - - if(help_flag) - (*usage)(0, args, num_args); - if(version_flag) { - print_version(NULL); - exit(0); - } - - if(port_str){ - struct servent *s = roken_getservbyname(port_str, "tcp"); - if(s) - port = s->s_port; - else { - char *ptr; - - port = strtol (port_str, &ptr, 10); - if (port == 0 && ptr == port_str) - errx (1, "Bad port `%s'", port_str); - port = htons(port); - } - } - - if (port == 0) - port = krb5_getportbyname (*context, KF_PORT_NAME, "tcp", KF_PORT_NUM); - - if(argv[local_argc] != NULL) - usage(1, args, num_args); - - return port; -} - -static int protocol_version; - -static krb5_boolean -kfd_match_version(const void *arg, const char *version) -{ - if(strcmp(version, KF_VERSION_1) == 0) { - protocol_version = 1; - return TRUE; - } else if (strlen(version) == 4 && - version[0] == '0' && - version[1] == '.' 
&& - (version[2] == '4' || version[2] == '3') && - islower(version[3])) { - protocol_version = 0; - return TRUE; - } - return FALSE; -} - -static int -proto (int sock, const char *service) -{ - krb5_auth_context auth_context; - krb5_error_code status; - krb5_principal server; - krb5_ticket *ticket; - char *name; - char ret_string[10]; - char hostname[MAXHOSTNAMELEN]; - krb5_data data; - krb5_data remotename; - krb5_data tk_file; - krb5_ccache ccache; - char ccname[MAXPATHLEN]; - struct passwd *pwd; - - status = krb5_auth_con_init (context, &auth_context); - if (status) - krb5_err(context, 1, status, "krb5_auth_con_init"); - - status = krb5_auth_con_setaddrs_from_fd (context, - auth_context, - &sock); - if (status) - krb5_err(context, 1, status, "krb5_auth_con_setaddr"); - - if(gethostname (hostname, sizeof(hostname)) < 0) - krb5_err(context, 1, errno, "gethostname"); - - status = krb5_sname_to_principal (context, - hostname, - service, - KRB5_NT_SRV_HST, - &server); - if (status) - krb5_err(context, 1, status, "krb5_sname_to_principal"); - - status = krb5_recvauth_match_version (context, - &auth_context, - &sock, - kfd_match_version, - NULL, - server, - 0, - NULL, - &ticket); - if (status) - krb5_err(context, 1, status, "krb5_recvauth"); - - status = krb5_unparse_name (context, - ticket->client, - &name); - if (status) - krb5_err(context, 1, status, "krb5_unparse_name"); - - if(protocol_version == 0) { - data.data = "old clnt"; /* XXX old clients only had room for - 10 bytes of message, and also - didn't show it to the user */ - data.length = strlen(data.data) + 1; - krb5_write_message(context, &sock, &data); - sleep(2); /* XXX give client time to finish */ - krb5_errx(context, 1, "old client; exiting"); - } - - status=krb5_read_priv_message (context, auth_context, - &sock, &remotename); - if (status) - krb5_err(context, 1, status, "krb5_read_message"); - status=krb5_read_priv_message (context, auth_context, - &sock, &tk_file); - if (status) - krb5_err(context, 1, 
status, "krb5_read_message"); - - krb5_data_zero (&data); - - if(((char*)remotename.data)[remotename.length-1] != '\0') - krb5_errx(context, 1, "unterminated received"); - if(((char*)tk_file.data)[tk_file.length-1] != '\0') - krb5_errx(context, 1, "unterminated received"); - - status = krb5_read_priv_message(context, auth_context, &sock, &data); - - if (status) { - krb5_err(context, 1, errno, "krb5_read_priv_message"); - goto out; - } - - pwd = getpwnam ((char *)(remotename.data)); - if (pwd == NULL) { - status=1; - krb5_warnx(context, "getpwnam: %s failed",(char *)(remotename.data)); - goto out; - } - - if(!krb5_kuserok (context, - ticket->client, - (char *)(remotename.data))) { - status=1; - krb5_warnx(context, "krb5_kuserok: permission denied"); - goto out; - } - - if (setgid(pwd->pw_gid) < 0) { - krb5_warn(context, errno, "setgid"); - goto out; - } - if (setuid(pwd->pw_uid) < 0) { - krb5_warn(context, errno, "setuid"); - goto out; - } - - if (tk_file.length != 1) - snprintf (ccname, sizeof(ccname), "%s", (char *)(tk_file.data)); - else - snprintf (ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%u",pwd->pw_uid); - - status = krb5_cc_resolve (context, ccname, &ccache); - if (status) { - krb5_warn(context, status, "krb5_cc_resolve"); - goto out; - } - status = krb5_cc_initialize (context, ccache, ticket->client); - if (status) { - krb5_warn(context, status, "krb5_cc_initialize"); - goto out; - } - status = krb5_rd_cred2 (context, auth_context, ccache, &data); - krb5_cc_close (context, ccache); - if (status) { - krb5_warn(context, status, "krb5_rd_cred"); - goto out; - - } - strlcpy(krb5_tkfile,ccname,sizeof(krb5_tkfile)); - krb5_warnx(context, "%s forwarded ticket to %s,%s", - name, - (char *)(remotename.data),ccname); - out: - if (status) { - strlcpy(ret_string, "no", sizeof(ret_string)); - krb5_warnx(context, "failed"); - } else { - strlcpy(ret_string, "ok", sizeof(ret_string)); - } - - krb5_data_free (&tk_file); - krb5_data_free (&remotename); - krb5_data_free 
(&data); - free(name); - - data.data = ret_string; - data.length = strlen(ret_string) + 1; - return krb5_write_priv_message(context, auth_context, &sock, &data); -} - -static int -doit (int port, const char *service) -{ - if (do_inetd) - mini_inetd(port); - return proto (STDIN_FILENO, service); -} - -int -main(int argc, char **argv) -{ - int port; - int ret; - krb5_log_facility *fac; - - setprogname (argv[0]); - roken_openlog (argv[0], LOG_ODELAY | LOG_PID,LOG_AUTH); - port = server_setup(&context, argc, argv); - ret = krb5_openlog(context, "kfd", &fac); - if(ret) krb5_err(context, 1, ret, "krb5_openlog"); - ret = krb5_set_warn_dest(context, fac); - if(ret) krb5_err(context, 1, ret, "krb5_set_warn_dest"); - - ret = doit (port, service); - closelog(); - if (ret == 0 && regpag_str != NULL) - ret = execl(regpag_str, "regpag", "-t", krb5_tkfile, "-r", NULL); - return ret; -} diff --git a/crypto/heimdal-0.6.3/appl/kf/kfd.cat8 b/crypto/heimdal-0.6.3/appl/kf/kfd.cat8 deleted file mode 100644 index 396ffdc8fc..0000000000 --- a/crypto/heimdal-0.6.3/appl/kf/kfd.cat8 +++ /dev/null @@ -1,31 +0,0 @@ - -KFD(8) UNIX System Manager's Manual KFD(8) - -NNAAMMEE - kkffdd - receive forwarded tickets - -SSYYNNOOPPSSIISS - kkffdd [--pp _p_o_r_t | ----ppoorrtt=_p_o_r_t] [--ii | ----iinneettdd] [--RR _r_e_g_p_a_g | ----rreeggppaagg=_r_e_g_p_a_g] - [--hh | ----hheellpp] [----vveerrssiioonn] - -DDEESSCCRRIIPPTTIIOONN - This is the daemon for kf(1). Supported options: - - --pp _p_o_r_t, ----ppoorrtt=_p_o_r_t - port to listen to - - --ii, ----iinneettdd - not started from inetd - - --RR _r_e_g_p_a_g, ----rreeggppaagg==_r_e_g_p_a_g - path to regpag binary - -EEXXAAMMPPLLEESS - Put the following in _/_e_t_c_/_i_n_e_t_d_._c_o_n_f: - - kf stream tcp nowait root /usr/heimdal/libexec/kfd kfd - -SSEEEE AALLSSOO - kf(1) - - Heimdal July 2, 2000 1 diff --git a/crypto/heimdal-0.6.3/appl/kx/ChangeLog b/crypto/heimdal-0.6.3/appl/kx/ChangeLog deleted file mode 100644 index c2214a6c7f..0000000000 
--- a/crypto/heimdal-0.6.3/appl/kx/ChangeLog +++ /dev/null 
@@ -1,408 +0,0 @@ -2004-03-16 Love Hörquist Åstrand - - * krb5.c: 1.12: (krb5_destroy): free allocated memory, not - something else - -2004-02-18 Love Hörquist Åstrand - - * krb4.c: 1.12: remove dup on - -2004-01-08 Love Hörquist Åstrand - - * krb5.c: 1.10->1.11: clean up krb5 support, log to syslog instead - of stdout - (very confusing for the other end tcp connection), patch originally - from joda - -2003-05-15 Love Hörquist Åstrand - - * kxd.c: 1.71->1.74: - (recv_conn): pass pointer to sockaddr, not pointer to pointer - (recv_conn): if getnameinfo failes, send error to client (and syslog) - (recv_conn): get sizeof of the sockaddr_storage, not the sockaddr - pointer - -2003-04-16 Johan Danielsson - - * kx.c (doit_{passive,active}): use kc->thataddr directly - - * kx.h: don't directly use sockaddr_storage, since we can't always - know what it looks like - -2003-04-11 Love Hörquist Åstrand - - * rxterm.1: spelling, from jmc - * rxtelnet.1: spelling, from jmc - * kxd.8: spelling, from jmc - * kx.1: spelling, from jmc - -2003-02-25 Love Hörquist Åstrand - - * krb4.c: remove \n from warnx, from NetBSD - -2002-12-11 Johan Danielsson - - * kx.c (connect_host): pass size of thisaddr_ss to getsockname - -2002-10-15 Johan Danielsson - - * some ipv6 support (from Love) - -2002-09-09 Johan Danielsson - - * krb5.c (krb5_authenticate): use subkey - -2002-08-22 Johan Danielsson - - * common.c: remove only reference to strndup - -2002-05-07 Johan Danielsson - - * krb5.c: use krb5_warn where appropriate - -2002-03-18 Johan Danielsson - - * rxtelnet.in, rxterm.in: add forward (-f) option - -2001-09-17 Assar Westerlund - - * kx.h: add a kludge to make it build on aix (that defines NOERROR - in both sys/stream.h and arpa/nameser.h and considers that a fatal - error) - -2001-07-12 Assar Westerlund - - * common.c (connect_local_xsocket): handle a tcp socket as last - resort - - * rxterm.in: add -K (send arguments to kx) - * rxtelnet.in: add -K (send arguments to kx) - -2001-06-21 
Assar Westerlund - - * rxterm.in: add -b for pointing to the rsh program. from - - * rxtelnet.in: add -b for pointing to the telnet program. from - - -2001-01-17 Johan Danielsson - - * common.c: don't write to string constants - -2000-12-31 Assar Westerlund - - * krb5.c (krb5_make_context): handle krb5_init_context failure - consistently - -2000-10-08 Assar Westerlund - - * kxd.c (doit_passive): check that fds are not too large to select - on - * kx.c (doit_active): check that fds are not too large to select - on - * krb5.c (krb5_copy_encrypted): check that fds are not too large - to select on - * krb4.c (krb4_copy_encrypted): check that fds are not too large - to select on - -2000-07-17 Johan Danielsson - - * Makefile.am: use conditional for X - -2000-06-10 Assar Westerlund - - * Makefile.in: use INSTALL_SCRIPT for installing rxterm, rxtelnet, - tenletxr - -2000-04-19 Assar Westerlund - - * common.c: try hostname uncanonified if getaddrinfo() fails - -2000-02-06 Assar Westerlund - - * kx.h: remove old prorotypes - -2000-01-08 Assar Westerlund - - * common.c (match_local_auth): handle ai_canonname being set in - any of the addresses returnedby getaddrinfo. glibc apparently - returns the reverse lookup of every address in ai_canonname. - -1999-12-28 Assar Westerlund - - * kxd.c (main): call krb5_getportbyname with the default in - host-byte-order - -1999-12-17 Assar Westerlund - - * common.c (match_local_auth): remove extra brace. spotted by - Jakob Schlyter - -1999-12-16 Assar Westerlund - - * common.c (match_local_auth): handle ai_canonname not being set - -1999-12-06 Assar Westerlund - - * krb4.c (krb4_authenticate): the NAT address might not be the one - for the relevant realm, try anyway. - * kxd.c (recv_conn): type correctness - * kx.c (connect_host): typo - -1999-12-05 Assar Westerlund - - * common.c (INADDR_LOOPBACK): remove. now in roken. 
- - * kxd.c (recv_conn): use getnameinfo_verified - * kxd.c (recv_conn): replace inaddr2str with getnameinfo - -1999-12-04 Assar Westerlund - - * kx.c (connect_host): use getaddrinfo - * common.c (find_auth_cookie, match_local_auth): re-write to use - getaddrinfo - -1999-11-27 Assar Westerlund - - * kxd.c (recv_conn): better errors when getting unrecognized data - -1999-11-25 Assar Westerlund - - * krb4.c (krb4_authenticate): obtain the `local' address when - doing NAT. also turn on passive mode. From - -1999-11-18 Assar Westerlund - - * krb5.c (krb5_destroy): free the correct part of the context - -1999-11-02 Assar Westerlund - - * kx.c (main): redo the v4/v5 selection for consistency. -4 -> - try only v4 -5 -> try only v5 none, -45 -> try v5, v4 - -1999-10-10 Assar Westerlund - - * Makefile.am (CLEANFILES): add generated files so that they get - cleaned away - -1999-09-29 Assar Westerlund - - * common.c (match_local_auth): only look for FamilyLocal (and - FamilyWild) cookies. This will not work when we start talking tcp - to the local X-server but `connect_local_xsocket' and the rest of - the code doesn't handle it anyway and the old code could (and did) - pick up the wrong cookie sometimes. If we have to match - FamilyInternet cookies, the search order has to be changed anyway - -1999-09-02 Assar Westerlund - - * kxd.c (childhandler): watch for child `wait_on_pid' to die. - (recv_conn): set `wait_on_pid' instead of looping on waitpid here - also. 
This should solve the problem of kxd looping which was - caused by the signal handler getting invoked before this waitpid - and reaping the child leaving this poor loop without any child - -1999-08-19 Assar Westerlund - - * kxd.c (recv_conn): give better error message - (doit_active): don't die if fork gives EAGAIN - -1999-08-19 Johan Danielsson - - * kxd.c (recv_conn): call setjob on crays; - (doit_passive): if fork fails with EAGAIN, don't shutdown, just close - the connection re-implement `-t' flag - -1999-07-12 Assar Westerlund - - * Makefile.am: handle not building X programs - -1999-06-23 Assar Westerlund - - * kx.c: conditionalize krb_enable_debug - -1999-06-20 Assar Westerlund - - * kxd.c (main): hopefully do inetd confusion right - -1999-06-15 Assar Westerlund - - * krb4.c (krb4_authenticate): get rid of a warning - - * kx.h: const-pollution - - * kx.c: use get_default_username and resulting const pollution - - * context.c (context_set): const pollution - -1999-05-22 Assar Westerlund - - * kxd.c (recv_conn): fix syslog messages - (main): fix inetd_flag thinko - -1999-05-21 Assar Westerlund - - * kx.c (main): don't byte-swap the argument to krb5_getportbyname - - * kx.c (main): try to use $USERNAME - -1999-05-10 Assar Westerlund - - * Makefile.in (SOURCES*): update sources list - - * kx.c (main): forgot to conditionalize some KRB5 code - - * kxd.c (main): use getarg - (*): handle v4 and/or v5 - - * kx.h: update - - * kx.c (main): use getarg. 
- (*): handle v4 and/or v5 - - * common.c (do_enccopy, copy_encrypted): remove use - net_{read,write} instead of krb_net_{read,write} - (krb_get_int, krb_put_int): include fallback of these for when we - compile without krb4 - - * Makefile.am (*_SOURCES): remove encdata, add krb[45].c, - context.c - (LDADD): add krb5 - - * krb4.c, krb5.c, context.c: new files - -1999-05-08 Assar Westerlund - - * kxd.c (doit_passive): handle error code from - create_and_write_cookie - - * kx.c (doit_active): handle error code from - create_and_write_cookie - - * common.c (create_and_write_cookie): try to return better (and - correct) errors. Based on a patch from Love - - * common.c (try_pie): more braces - (match_local_auth): new function - (find_auth_cookie): new function - (replace_cookie): don't just take the first auth cookie. based on - patch from Ake Sandgren - -Wed Apr 7 23:39:23 1999 Assar Westerlund - - * common.c (get_xsockets): init local variable to get rid of a gcc - warning - -Thu Apr 1 21:11:36 1999 Johan Danielsson - - * Makefile.in: fix for writeauth.o - -Fri Mar 19 15:12:31 1999 Johan Danielsson - - * kx.c: add gcc-braces - -Thu Mar 18 11:18:20 1999 Johan Danielsson - - * Makefile.am: include Makefile.am.common - -Thu Mar 11 14:58:32 1999 Johan Danielsson - - * writeauth.c: protoize - - * common.c: fix some warnings - -Wed Mar 10 19:33:39 1999 Johan Danielsson - - * kxd.c: openlog -> roken_openlog - -Wed Feb 3 22:01:55 1999 Assar Westerlund - - * rxtelnet.in: print out what telnet program we are running. 
From - - - * tenletxr.in: add --version, [-h | --help], -v - - * rxterm.in: add --version, [-h | --help], -v - - * rxtelnet.in: add --version, [-h | --help], -v - - * Makefile.in (rxterm, rxtelnet, telnetxr): substitute VERSION and - PACKAGE - - * rxtelnet.in: update usage string - -Fri Jan 22 23:51:05 1999 Assar Westerlund - - * common.c (verify_and_remove_cookies): give back a meaningful - error message if we're using the wrong cookie - -Fri Dec 18 17:42:02 1998 Assar Westerlund - - * common.c (replace_cookie): try to handle the case of not finding - any cookies - -Sun Nov 22 10:31:53 1998 Assar Westerlund - - * Makefile.in (WFLAGS): set - -Wed Nov 18 20:25:37 1998 Assar Westerlund - - * rxtelnet.in: new argument -n for not starting any terminal - emulator - - * kx.c (doit_passive): parse $DISPLAY correctly - -Fri Oct 2 06:34:51 1998 Assar Westerlund - - * kx.c (doit_active): check DISPLAY to figure out what local - socket to connect to. From Åke Sandgren - -Thu Oct 1 23:02:29 1998 Johan Danielsson - - * kx.h: case MAY_HAVE_X11_PIPES with Solaris - -Tue Sep 29 02:22:44 1998 Assar Westerlund - - * kx.c: fix from Ake Sandgren - -Mon Sep 28 18:04:03 1998 Johan Danielsson - - * common.c (try_pipe): return -1 if I_PUSH fails with ENOSYS - -Sat Sep 26 17:34:21 1998 Assar Westerlund - - * kxd.c: create sockets before setuid to handle Solaris' strange - permissions on /tmp/.X11-{unix,pipe} - - * common.c (chown_xsockets): new function - - * kx.h (chown_xsockets): new prototype - -Sun Aug 16 18:34:30 1998 Assar Westerlund - - * kxd.c (doit_passive): conditionalize stream pipe code - - * implement support for Solaris's named-pipe X transport - -Thu May 28 17:20:39 1998 Johan Danielsson - - * common.c: fix for (compiler?) 
bug in solaris 2.4 bind - - * kx.c: get_xsockets returns int, not unsigned - -Wed May 27 04:20:20 1998 Assar Westerlund - - * kxd.c (doit): better error reporting - -Tue May 26 17:41:23 1998 Johan Danielsson - - * kx.c: use krb_enable_debug - -Mon May 25 05:22:18 1998 Assar Westerlund - - * Makefile.in (clean): remove encdata.c - -Fri May 1 07:16:36 1998 Assar Westerlund - - * kx.c: unifdef -DHAVE_H_ERRNO - diff --git a/crypto/heimdal-0.6.3/appl/kx/Makefile.am b/crypto/heimdal-0.6.3/appl/kx/Makefile.am deleted file mode 100644 index ec3f2498e0..0000000000 --- a/crypto/heimdal-0.6.3/appl/kx/Makefile.am +++ /dev/null @@ -1,73 +0,0 @@ -# $Id: Makefile.am,v 1.12 2000/11/15 22:51:08 assar Exp $ - -include $(top_srcdir)/Makefile.am.common - -INCLUDES += $(INCLUDE_krb4) $(X_CFLAGS) - -WFLAGS += $(WFLAGS_NOIMPLICITINT) - -if HAVE_X - -bin_PROGRAMS = kx -bin_SCRIPTS = rxterm rxtelnet tenletxr -libexec_PROGRAMS = kxd - -else - -bin_PROGRAMS = -bin_SCRIPTS = -libexec_PROGRAMS = - -endif - -CLEANFILES = rxterm rxtelnet tenletxr - -if NEED_WRITEAUTH -XauWriteAuth_c = writeauth.c -endif - -kx_SOURCES = \ - kx.c \ - kx.h \ - common.c \ - context.c \ - krb4.c \ - krb5.c \ - $(XauWriteAuth_c) - -EXTRA_kx_SOURCES = writeauth.c - -kxd_SOURCES = \ - kxd.c \ - kx.h \ - common.c \ - context.c \ - krb4.c \ - krb5.c \ - $(XauWriteAuth_c) - -EXTRA_kxd_SOURCES = writeauth.c - -EXTRA_DIST = rxterm.in rxtelnet.in tenletxr.in - -man_MANS = kx.1 rxtelnet.1 rxterm.1 tenletxr.1 kxd.8 - -rxterm: rxterm.in - sed -e "s!%bindir%!$(bindir)!" $(srcdir)/rxterm.in > $@ - chmod +x $@ - -rxtelnet: rxtelnet.in - sed -e "s!%bindir%!$(bindir)!" $(srcdir)/rxtelnet.in > $@ - chmod +x $@ - -tenletxr: tenletxr.in - sed -e "s!%bindir%!$(bindir)!" $(srcdir)/tenletxr.in > $@ - chmod +x $@ - -LDADD = \ - $(LIB_kafs) \ - $(LIB_krb5) \ - $(LIB_krb4) \ - $(LIB_des) \ - $(LIB_roken) \ - $(X_LIBS) $(LIB_XauReadAuth) $(X_PRE_LIBS) $(X_EXTRA_LIBS) 
diff --git a/crypto/heimdal-0.6.3/appl/kx/Makefile.in b/crypto/heimdal-0.6.3/appl/kx/Makefile.in deleted file mode 100644 index 08ff9819d1..0000000000 --- a/crypto/heimdal-0.6.3/appl/kx/Makefile.in +++ /dev/null 
@@ -1,982 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.12 2000/11/15 22:51:08 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - - -SOURCES = $(kx_SOURCES) $(EXTRA_kx_SOURCES) $(kxd_SOURCES) $(EXTRA_kxd_SOURCES) - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../.. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ - $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common ChangeLog -@HAVE_X_TRUE@bin_PROGRAMS = kx$(EXEEXT) -@HAVE_X_TRUE@libexec_PROGRAMS = kxd$(EXEEXT) -subdir = appl/kx -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - 
$(top_srcdir)/cf/krb-readline.m4 \ - $(top_srcdir)/cf/krb-struct-spwd.m4 \ - $(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man8dir)" -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -PROGRAMS = $(bin_PROGRAMS) $(libexec_PROGRAMS) -am__kx_SOURCES_DIST = kx.c kx.h common.c context.c krb4.c krb5.c \ - writeauth.c -@NEED_WRITEAUTH_TRUE@am__objects_1 = writeauth.$(OBJEXT) -am_kx_OBJECTS = kx.$(OBJEXT) common.$(OBJEXT) context.$(OBJEXT) \ - krb4.$(OBJEXT) krb5.$(OBJEXT) $(am__objects_1) -kx_OBJECTS = $(am_kx_OBJECTS) -kx_LDADD = $(LDADD) -am__DEPENDENCIES_1 = -am__DEPENDENCIES_2 = $(top_builddir)/lib/kafs/libkafs.la \ - $(am__DEPENDENCIES_1) -@KRB5_TRUE@am__DEPENDENCIES_3 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la -kx_DEPENDENCIES = $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_3) \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) -am__kxd_SOURCES_DIST = kxd.c kx.h common.c context.c krb4.c krb5.c \ - writeauth.c -am_kxd_OBJECTS = kxd.$(OBJEXT) common.$(OBJEXT) context.$(OBJEXT) \ - krb4.$(OBJEXT) krb5.$(OBJEXT) $(am__objects_1) 
-kxd_OBJECTS = $(am_kxd_OBJECTS) -kxd_LDADD = $(LDADD) -kxd_DEPENDENCIES = $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_3) \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) -binSCRIPT_INSTALL = $(INSTALL_SCRIPT) -SCRIPTS = $(bin_SCRIPTS) -DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -SOURCES = $(kx_SOURCES) $(EXTRA_kx_SOURCES) $(kxd_SOURCES) \ - $(EXTRA_kxd_SOURCES) -DIST_SOURCES = $(am__kx_SOURCES_DIST) $(EXTRA_kx_SOURCES) \ - $(am__kxd_SOURCES_DIST) $(EXTRA_kxd_SOURCES) -man1dir = $(mandir)/man1 -man8dir = $(mandir)/man8 -MANS = $(man_MANS) -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = 
@DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = 
@LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ $(WFLAGS_NOIMPLICITINT) -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ 
-X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) $(X_CFLAGS) -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ 
-LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -@HAVE_X_FALSE@bin_SCRIPTS = -@HAVE_X_TRUE@bin_SCRIPTS = rxterm rxtelnet tenletxr -CLEANFILES = rxterm rxtelnet tenletxr -@NEED_WRITEAUTH_TRUE@XauWriteAuth_c = writeauth.c -kx_SOURCES = \ - kx.c \ - kx.h \ - common.c \ - context.c \ - krb4.c \ - krb5.c \ - $(XauWriteAuth_c) - -EXTRA_kx_SOURCES = writeauth.c -kxd_SOURCES = \ - kxd.c \ - kx.h \ - common.c \ - context.c \ - krb4.c \ - krb5.c \ - $(XauWriteAuth_c) - -EXTRA_kxd_SOURCES = writeauth.c -EXTRA_DIST = rxterm.in rxtelnet.in tenletxr.in -man_MANS = kx.1 rxtelnet.1 rxterm.1 tenletxr.1 kxd.8 -LDADD = \ - $(LIB_kafs) \ - $(LIB_krb5) \ - $(LIB_krb4) \ - $(LIB_des) \ - $(LIB_roken) \ - $(X_LIBS) $(LIB_XauReadAuth) $(X_PRE_LIBS) $(X_EXTRA_LIBS) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps appl/kx/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps appl/kx/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' 
in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -install-binPROGRAMS: $(bin_PROGRAMS) - @$(NORMAL_INSTALL) - test -z "$(bindir)" || $(mkdir_p) "$(DESTDIR)$(bindir)" - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(bindir)/$$f'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(bindir)/$$f" || exit 1; \ - else :; fi; \ - done - -uninstall-binPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f '$(DESTDIR)$(bindir)/$$f'"; \ - rm -f "$(DESTDIR)$(bindir)/$$f"; \ - done - -clean-binPROGRAMS: - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -install-libexecPROGRAMS: $(libexec_PROGRAMS) - @$(NORMAL_INSTALL) - test -z "$(libexecdir)" || $(mkdir_p) "$(DESTDIR)$(libexecdir)" - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo 
"$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(libexecdir)/$$f'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(libexecdir)/$$f" || exit 1; \ - else :; fi; \ - done - -uninstall-libexecPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f '$(DESTDIR)$(libexecdir)/$$f'"; \ - rm -f "$(DESTDIR)$(libexecdir)/$$f"; \ - done - -clean-libexecPROGRAMS: - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -kx$(EXEEXT): $(kx_OBJECTS) $(kx_DEPENDENCIES) - @rm -f kx$(EXEEXT) - $(LINK) $(kx_LDFLAGS) $(kx_OBJECTS) $(kx_LDADD) $(LIBS) -kxd$(EXEEXT): $(kxd_OBJECTS) $(kxd_DEPENDENCIES) - @rm -f kxd$(EXEEXT) - $(LINK) $(kxd_LDFLAGS) $(kxd_OBJECTS) $(kxd_LDADD) $(LIBS) -install-binSCRIPTS: $(bin_SCRIPTS) - @$(NORMAL_INSTALL) - test -z "$(bindir)" || $(mkdir_p) "$(DESTDIR)$(bindir)" - @list='$(bin_SCRIPTS)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - if test -f $$d$$p; then \ - f=`echo "$$p" | sed 's|^.*/||;$(transform)'`; \ - echo " $(binSCRIPT_INSTALL) '$$d$$p' '$(DESTDIR)$(bindir)/$$f'"; \ - $(binSCRIPT_INSTALL) "$$d$$p" "$(DESTDIR)$(bindir)/$$f"; \ - else :; fi; \ - done - -uninstall-binSCRIPTS: - @$(NORMAL_UNINSTALL) - @list='$(bin_SCRIPTS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's|^.*/||;$(transform)'`; \ - echo " rm -f '$(DESTDIR)$(bindir)/$$f'"; \ - rm -f "$(DESTDIR)$(bindir)/$$f"; \ - done - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c $< - -.c.obj: - $(COMPILE) -c `$(CYGPATH_W) '$<'` - -.c.lo: - $(LTCOMPILE) -c -o $@ $< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf 
.libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -install-man1: $(man1_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - test -z "$(man1dir)" || $(mkdir_p) "$(DESTDIR)$(man1dir)" - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 1*) ;; \ - *) ext='1' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man1dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man1dir)/$$inst"; \ - done -uninstall-man1: - @$(NORMAL_UNINSTALL) - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 1*) ;; \ - *) ext='1' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f '$(DESTDIR)$(man1dir)/$$inst'"; \ - rm -f "$(DESTDIR)$(man1dir)/$$inst"; \ - done -install-man8: $(man8_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - test -z "$(man8dir)" || $(mkdir_p) "$(DESTDIR)$(man8dir)" - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case 
"$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ - done -uninstall-man8: - @$(NORMAL_UNINSTALL) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ - rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ - done - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo 
$(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/../.. $(distdir)/../../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) $(SCRIPTS) $(MANS) all-local -installdirs: - for dir in "$(DESTDIR)$(bindir)" "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man8dir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) 
install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-binPROGRAMS clean-generic clean-libexecPROGRAMS \ - clean-libtool mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: install-man - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: install-binPROGRAMS install-binSCRIPTS \ - install-libexecPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man1 install-man8 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-binPROGRAMS uninstall-binSCRIPTS \ - uninstall-info-am uninstall-libexecPROGRAMS uninstall-man - -uninstall-man: uninstall-man1 uninstall-man8 - -.PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \ - clean clean-binPROGRAMS clean-generic clean-libexecPROGRAMS \ - clean-libtool ctags distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - 
dvi-am html html-am info info-am install install-am \ - install-binPROGRAMS install-binSCRIPTS install-data \ - install-data-am install-exec install-exec-am install-info \ - install-info-am install-libexecPROGRAMS install-man \ - install-man1 install-man8 install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags uninstall uninstall-am uninstall-binPROGRAMS \ - uninstall-binSCRIPTS uninstall-info-am \ - uninstall-libexecPROGRAMS uninstall-man uninstall-man1 \ - uninstall-man8 - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; 
\ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -rxterm: rxterm.in - sed -e "s!%bindir%!$(bindir)!" 
$(srcdir)/rxterm.in > $@ - chmod +x $@ - -rxtelnet: rxtelnet.in - sed -e "s!%bindir%!$(bindir)!" $(srcdir)/rxtelnet.in > $@ - chmod +x $@ - -tenletxr: tenletxr.in - sed -e "s!%bindir%!$(bindir)!" $(srcdir)/tenletxr.in > $@ - chmod +x $@ -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT:
diff --git a/crypto/heimdal-0.6.3/appl/kx/common.c b/crypto/heimdal-0.6.3/appl/kx/common.c
deleted file mode 100644
index 557f99d10a..0000000000
--- a/crypto/heimdal-0.6.3/appl/kx/common.c
+++ /dev/null
@@ -1,817 +0,0 @@
-/*
- * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kx.h"
-
-RCSID("$Id: common.c,v 1.68 2003/04/16 16:45:39 joda Exp $");
-
-char x_socket[MaxPathLen];
-
-u_int32_t display_num;
-char display[MaxPathLen];
-int display_size = sizeof(display);
-char xauthfile[MaxPathLen];
-int xauthfile_size = sizeof(xauthfile);
-u_char cookie[16];
-size_t cookie_len = sizeof(cookie);
-
-#ifndef X_UNIX_PATH
-#define X_UNIX_PATH "/tmp/.X11-unix/X"
-#endif
-
-#ifndef X_PIPE_PATH
-#define X_PIPE_PATH "/tmp/.X11-pipe/X"
-#endif
-
-/*
- * Allocate a unix domain socket in `s' for display `dpy' and with
- * filename `pattern'
- *
- * 0 if all is OK
- * -1 if bind failed badly
- * 1 if dpy is already used */
-
-static int
-try_socket (struct x_socket *s, int dpy, const char *pattern)
-{
- struct sockaddr_un addr;
- int fd;
-
- fd = socket (AF_UNIX, SOCK_STREAM, 0);
- if (fd < 0)
- err (1, "socket AF_UNIX");
- memset (&addr, 0, sizeof(addr));
- addr.sun_family = AF_UNIX;
- snprintf (addr.sun_path, sizeof(addr.sun_path), pattern, dpy);
- if(bind(fd,
- (struct sockaddr *)&addr,
- sizeof(addr)) < 0) {
- close (fd);
- if (errno == EADDRINUSE ||
- errno == EACCES /* Cray return EACCESS */
-#ifdef ENOTUNIQ
- || errno == ENOTUNIQ /* bug in Solaris 2.4 */
-#endif
- )
- return 1;
- else
- return -1;
- }
- s->fd = fd;
- s->pathname = strdup (addr.sun_path);
- if (s->pathname == NULL)
- errx (1, "strdup: out of memory");
- s->flags = UNIX_SOCKET;
- return 0;
-}
-
-#ifdef MAY_HAVE_X11_PIPES
-/*
- * Allocate a stream (masqueraded as a named pipe)
- *
- * 0 if all is OK
- * -1 if bind failed badly
- * 1 if dpy is already used
- */
-
-static int
-try_pipe (struct x_socket *s, int dpy, const char *pattern)
-{
- char path[MAXPATHLEN];
- int ret;
- int fd;
- int pipefd[2];
-
- snprintf (path, sizeof(path), pattern, dpy);
- fd = open (path, O_WRONLY | O_CREAT | O_EXCL, 0600);
- if (fd < 0) {
- if (errno == EEXIST)
- return 1;
- else
- return -1;
- }
-
- close (fd);
-
- ret = pipe (pipefd);
- if (ret < 0)
- err (1, "pipe");
-
- ret = ioctl (pipefd[1], I_PUSH, "connld");
- if (ret < 0) {
- if(errno == ENOSYS)
- return -1;
- err (1, "ioctl I_PUSH");
- }
-
- ret = fattach (pipefd[1], path);
- if (ret < 0)
- err (1, "fattach %s", path);
-
- s->fd = pipefd[0];
- close (pipefd[1]);
- s->pathname = strdup (path);
- if (s->pathname == NULL)
- errx (1, "strdup: out of memory");
- s->flags = STREAM_PIPE;
- return 0;
-}
-#endif /* MAY_HAVE_X11_PIPES */
-
-/*
- * Try to create a TCP socket in `s' corresponding to display `dpy'.
- *
- * 0 if all is OK
- * -1 if bind failed badly
- * 1 if dpy is already used
- */
-
-static int
-try_tcp (struct x_socket *s, int dpy)
-{
- struct sockaddr_in tcpaddr;
- struct in_addr local;
- int one = 1;
- int fd;
-
- memset(&local, 0, sizeof(local));
- local.s_addr = htonl(INADDR_LOOPBACK);
-
- fd = socket (AF_INET, SOCK_STREAM, 0);
- if (fd < 0)
- err (1, "socket AF_INET");
-#if defined(TCP_NODELAY) && defined(HAVE_SETSOCKOPT)
- setsockopt (fd, IPPROTO_TCP, TCP_NODELAY, (void *)&one,
- sizeof(one));
-#endif
- memset (&tcpaddr, 0, sizeof(tcpaddr));
- tcpaddr.sin_family = AF_INET;
- tcpaddr.sin_addr = local;
- tcpaddr.sin_port = htons(6000 + dpy);
- if (bind (fd, (struct sockaddr *)&tcpaddr,
- sizeof(tcpaddr)) < 0) {
- close (fd);
- if (errno == EADDRINUSE)
- return 1;
- else
- return -1;
- }
- s->fd = fd;
- s->pathname = NULL;
- s->flags = TCP;
- return 0;
-}
-
-/*
- * The potential places to create unix sockets.
- */
-
-static char *x_sockets[] = {
-X_UNIX_PATH "%u",
-"/var/X/.X11-unix/X" "%u",
-"/usr/spool/sockets/X11/" "%u",
-NULL
-};
-
-/*
- * Dito for stream pipes.
- */
-
-#ifdef MAY_HAVE_X11_PIPES
-static char *x_pipes[] = {
-X_PIPE_PATH "%u",
-"/var/X/.X11-pipe/X" "%u",
-NULL
-};
-#endif
-
-/*
- * Create the directory corresponding to dirname of `path' or fail.
- */
-
-static void
-try_mkdir (const char *path)
-{
- char *dir;
- char *p;
- int oldmask;
-
- if((dir = strdup (path)) == NULL)
- errx (1, "strdup: out of memory");
- p = strrchr (dir, '/');
- if (p)
- *p = '\0';
-
- oldmask = umask(0);
- mkdir (dir, 01777);
- umask (oldmask);
- free (dir);
-}
-
-/*
- * Allocate a display, returning the number of sockets in `number' and
- * all the corresponding sockets in `sockets'. If `tcp_socket' is
- * true, also allcoaet a TCP socket.
- *
- * The return value is the display allocated or -1 if an error occurred.
- */
-
-int
-get_xsockets (int *number, struct x_socket **sockets, int tcp_socket)
-{
- int dpy;
- struct x_socket *s;
- int n;
- int i;
-
- s = malloc (sizeof(*s) * 5);
- if (s == NULL)
- errx (1, "malloc: out of memory");
-
- try_mkdir (X_UNIX_PATH);
- try_mkdir (X_PIPE_PATH);
-
- for(dpy = 4; dpy < 256; ++dpy) {
- char **path;
- int tmp = 0;
-
- n = 0;
- for (path = x_sockets; *path; ++path) {
- tmp = try_socket (&s[n], dpy, *path);
- if (tmp == -1) {
- if (errno != ENOTDIR && errno != ENOENT)
- return -1;
- } else if (tmp == 1) {
- while(--n >= 0) {
- close (s[n].fd);
- free (s[n].pathname);
- }
- break;
- } else if (tmp == 0)
- ++n;
- }
- if (tmp == 1)
- continue;
-
-#ifdef MAY_HAVE_X11_PIPES
- for (path = x_pipes; *path; ++path) {
- tmp = try_pipe (&s[n], dpy, *path);
- if (tmp == -1) {
- if (errno != ENOTDIR && errno != ENOENT && errno != ENOSYS)
- return -1;
- } else if (tmp == 1) {
- while (--n >= 0) {
- close (s[n].fd);
- free (s[n].pathname);
- }
- break;
- } else if (tmp == 0)
- ++n;
- }
-
- if (tmp == 1)
- continue;
-#endif
-
- if (tcp_socket) {
- tmp = try_tcp (&s[n], dpy);
- if (tmp == -1)
- return -1;
- else if (tmp == 1) {
- while (--n >= 0) {
- close (s[n].fd);
- free (s[n].pathname);
- }
- break;
- } else if (tmp == 0)
- ++n;
- }
- break;
- }
- if (dpy == 256)
- errx (1, "no free x-servers");
- for (i = 0; i < n; ++i)
- if (s[i].flags & LISTENP
- && listen (s[i].fd, SOMAXCONN) < 0)
- err (1, "listen %s", s[i].pathname ? s[i].pathname : "tcp");
- *number = n;
- *sockets = s;
- return dpy;
-}
-
-/*
- * Change owner on the `n' sockets in `sockets' to `uid', `gid'.
- * Return 0 is succesful or -1 if an error occurred.
- */
-
-int
-chown_xsockets (int n, struct x_socket *sockets, uid_t uid, gid_t gid)
-{
- int i;
-
- for (i = 0; i < n; ++i)
- if (sockets[i].pathname != NULL)
- if (chown (sockets[i].pathname, uid, gid) < 0)
- return -1;
- return 0;
-}
-
-/*
- * Connect to local display `dnr' with local transport or TCP.
- * Return a file descriptor.
- */
-
-int
-connect_local_xsocket (unsigned dnr)
-{
- int fd;
- char **path;
-
- for (path = x_sockets; *path; ++path) {
- struct sockaddr_un addr;
-
- fd = socket (AF_UNIX, SOCK_STREAM, 0);
- if (fd < 0)
- break;
- memset (&addr, 0, sizeof(addr));
- addr.sun_family = AF_UNIX;
- snprintf (addr.sun_path, sizeof(addr.sun_path), *path, dnr);
- if (connect (fd, (struct sockaddr *)&addr, sizeof(addr)) == 0)
- return fd;
- close(fd);
- }
- {
- struct sockaddr_in addr;
-
- fd = socket(AF_INET, SOCK_STREAM, 0);
- if (fd < 0)
- err (1, "socket AF_INET");
- memset (&addr, 0, sizeof(addr));
- addr.sin_family = AF_INET;
- addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
- addr.sin_port = htons(6000 + dnr);
- if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) == 0)
- return fd;
- close(fd);
- }
- err (1, "connecting to local display %u", dnr);
-}
-
-/*
- * Create a cookie file with a random cookie for the localhost. The
- * file name will be stored in `xauthfile' (but not larger than
- * `xauthfile_size'), and the cookie returned in `cookie', `cookie_sz'.
- * Return 0 if succesful, or errno.
- */
-
-int
-create_and_write_cookie (char *xauthfile,
- size_t xauthfile_size,
- u_char *cookie,
- size_t cookie_sz)
-{
- Xauth auth;
- char tmp[64];
- int fd;
- FILE *f;
- char hostname[MaxHostNameLen];
- int saved_errno;
-
- gethostname (hostname, sizeof(hostname));
-
- auth.family = FamilyLocal;
- auth.address = hostname;
- auth.address_length = strlen(auth.address);
- snprintf (tmp, sizeof(tmp), "%d", display_num);
- auth.number_length = strlen(tmp);
- auth.number = tmp;
- auth.name = COOKIE_TYPE;
- auth.name_length = strlen(auth.name);
- auth.data_length = cookie_sz;
- auth.data = (char*)cookie;
-#ifdef KRB5
- krb5_generate_random_block (cookie, cookie_sz);
-#else
- krb_generate_random_block (cookie, cookie_sz);
-#endif
-
- strlcpy(xauthfile, "/tmp/AXXXXXX", xauthfile_size);
- fd = mkstemp(xauthfile);
- if(fd < 0) {
- saved_errno = errno;
- syslog(LOG_ERR, "create_and_write_cookie: mkstemp: %m");
- return saved_errno;
- }
- f = fdopen(fd, "r+");
- if(f == NULL){
- saved_errno = errno;
- close(fd);
- return errno;
- }
- if(XauWriteAuth(f, &auth) == 0) {
- saved_errno = errno;
- fclose(f);
- return saved_errno;
- }
-
- /*
- * I would like to write a cookie for localhost:n here, but some
- * stupid code in libX11 will not look for cookies of that type,
- * so we are forced to use FamilyWild instead.
- */
-
- auth.family = FamilyWild;
- auth.address_length = 0;
-
- if (XauWriteAuth(f, &auth) == 0) {
- saved_errno = errno;
- fclose (f);
- return saved_errno;
- }
-
- if(fclose(f))
- return errno;
- return 0;
-}
-
-/*
- * Verify and remove cookies. Read and parse a X-connection from
- * `fd'. Check the cookie used is the same as in `cookie'. Remove the
- * cookie and copy the rest of it to `sock'.
- * Expect cookies iff cookiesp.
- * Return 0 iff ok.
- *
- * The protocol is as follows:
- *
- * C->S: [Bl] 1
- * unused 1
- * protocol major version 2
- * protocol minor version 2
- * length of auth protocol name(n) 2
- * length of auth protocol data 2
- * unused 2
- * authorization protocol name n
- * pad pad(n)
- * authorization protocol data d
- * pad pad(d)
- *
- * S->C: Failed
- * 0 1
- * length of reason 1
- * protocol major version 2
- * protocol minor version 2
- * length in 4 bytes unit of
- * additional data (n+p)/4 2
- * reason n
- * unused p = pad(n)
- */
-
-int
-verify_and_remove_cookies (int fd, int sock, int cookiesp)
-{
- u_char beg[12];
- int bigendianp;
- unsigned n, d, npad, dpad;
- char *protocol_name, *protocol_data;
- u_char zeros[6] = {0, 0, 0, 0, 0, 0};
- u_char refused[20] = {0, 10,
- 0, 0, /* protocol major version */
- 0, 0, /* protocol minor version */
- 0, 0, /* length of additional data / 4 */
- 'b', 'a', 'd', ' ', 'c', 'o', 'o', 'k', 'i', 'e',
- 0, 0};
-
- if (net_read (fd, beg, sizeof(beg)) != sizeof(beg))
- return 1;
- if (net_write (sock, beg, 6) != 6)
- return 1;
- bigendianp = beg[0] == 'B';
- if (bigendianp) {
- n = (beg[6] << 8) | beg[7];
- d = (beg[8] << 8) | beg[9];
- } else {
- n = (beg[7] << 8) | beg[6];
- d = (beg[9] << 8) | beg[8];
- }
- npad = (4 - (n % 4)) % 4;
- dpad = (4 - (d % 4)) % 4;
- protocol_name = malloc(n + npad);
- if (n + npad != 0 && protocol_name == NULL)
- return 1;
- protocol_data = malloc(d + dpad);
- if (d + dpad != 0 && protocol_data == NULL) {
- free (protocol_name);
- return 1;
- }
- if (net_read (fd, protocol_name, n + npad) != n + npad)
- goto fail;
- if (net_read (fd, protocol_data, d + dpad) != d + dpad)
- goto fail;
- if (cookiesp) {
- if (strncmp (protocol_name, COOKIE_TYPE, strlen(COOKIE_TYPE)) != 0)
- goto refused;
- if (d != cookie_len ||
- memcmp (protocol_data, cookie, cookie_len) != 0)
- goto refused;
- }
- free (protocol_name);
- free (protocol_data);
- if (net_write (sock, zeros, 6) != 6)
- return 1;
- return 0;
-refused:
- refused[2] = 
beg[2]; - refused[3] = beg[3]; - refused[4] = beg[4]; - refused[5] = beg[5]; - if (bigendianp) - refused[7] = 3; - else - refused[6] = 3; - - net_write (fd, refused, sizeof(refused)); -fail: - free (protocol_name); - free (protocol_data); - return 1; -} - -/* - * Return 0 iff `cookie' is compatible with the cookie for the - * localhost with name given in `ai' (or `hostname') and display - * number in `disp_nr'. - */ - -static int -match_local_auth (Xauth* auth, - struct addrinfo *ai, const char *hostname, int disp_nr) -{ - int auth_disp; - char *tmp_disp; - struct addrinfo *a; - - tmp_disp = malloc(auth->number_length + 1); - if (tmp_disp == NULL) - return -1; - memcpy(tmp_disp, auth->number, auth->number_length); - tmp_disp[auth->number_length] = '\0'; - auth_disp = atoi(tmp_disp); - free (tmp_disp); - if (auth_disp != disp_nr) - return 1; - for (a = ai; a != NULL; a = a->ai_next) { - if ((auth->family == FamilyLocal - || auth->family == FamilyWild) - && a->ai_canonname != NULL - && strncmp (auth->address, - a->ai_canonname, - auth->address_length) == 0) - return 0; - } - if (hostname != NULL - && (auth->family == FamilyLocal - || auth->family == FamilyWild) - && strncmp (auth->address, hostname, auth->address_length) == 0) - return 0; - return 1; -} - -/* - * Find `our' cookie from the cookie file `f' and return it or NULL. 
- */ - -static Xauth* -find_auth_cookie (FILE *f) -{ - Xauth *ret = NULL; - char local_hostname[MaxHostNameLen]; - char *display = getenv("DISPLAY"); - char d[MaxHostNameLen + 4]; - char *colon; - struct addrinfo *ai; - struct addrinfo hints; - int disp; - int error; - - if(display == NULL) - display = ":0"; - strlcpy(d, display, sizeof(d)); - display = d; - colon = strchr (display, ':'); - if (colon == NULL) - disp = 0; - else { - *colon = '\0'; - disp = atoi (colon + 1); - } - if (strcmp (display, "") == 0 - || strncmp (display, "unix", 4) == 0 - || strncmp (display, "localhost", 9) == 0) { - gethostname (local_hostname, sizeof(local_hostname)); - display = local_hostname; - } - memset (&hints, 0, sizeof(hints)); - hints.ai_flags = AI_CANONNAME; - hints.ai_socktype = SOCK_STREAM; - hints.ai_protocol = IPPROTO_TCP; - - error = getaddrinfo (display, NULL, &hints, &ai); - if (error) - ai = NULL; - - for (; (ret = XauReadAuth (f)) != NULL; XauDisposeAuth(ret)) { - if (match_local_auth (ret, ai, display, disp) == 0) { - if (ai != NULL) - freeaddrinfo (ai); - return ret; - } - } - if (ai != NULL) - freeaddrinfo (ai); - return NULL; -} - -/* - * Get rid of the cookie that we were sent and get the correct one - * from our own cookie file instead. 
- */ - -int -replace_cookie(int xserver, int fd, char *filename, int cookiesp) /* XXX */ -{ - u_char beg[12]; - int bigendianp; - unsigned n, d, npad, dpad; - FILE *f; - u_char zeros[6] = {0, 0, 0, 0, 0, 0}; - - if (net_read (fd, beg, sizeof(beg)) != sizeof(beg)) - return 1; - if (net_write (xserver, beg, 6) != 6) - return 1; - bigendianp = beg[0] == 'B'; - if (bigendianp) { - n = (beg[6] << 8) | beg[7]; - d = (beg[8] << 8) | beg[9]; - } else { - n = (beg[7] << 8) | beg[6]; - d = (beg[9] << 8) | beg[8]; - } - if (n != 0 || d != 0) - return 1; - f = fopen(filename, "r"); - if (f != NULL) { - Xauth *auth = find_auth_cookie (f); - u_char len[6] = {0, 0, 0, 0, 0, 0}; - - fclose (f); - - if (auth != NULL) { - n = auth->name_length; - d = auth->data_length; - } else { - n = 0; - d = 0; - } - if (bigendianp) { - len[0] = n >> 8; - len[1] = n & 0xFF; - len[2] = d >> 8; - len[3] = d & 0xFF; - } else { - len[0] = n & 0xFF; - len[1] = n >> 8; - len[2] = d & 0xFF; - len[3] = d >> 8; - } - if (net_write (xserver, len, 6) != 6) { - XauDisposeAuth(auth); - return 1; - } - if(n != 0 && net_write (xserver, auth->name, n) != n) { - XauDisposeAuth(auth); - return 1; - } - npad = (4 - (n % 4)) % 4; - if (npad && net_write (xserver, zeros, npad) != npad) { - XauDisposeAuth(auth); - return 1; - } - if (d != 0 && net_write (xserver, auth->data, d) != d) { - XauDisposeAuth(auth); - return 1; - } - XauDisposeAuth(auth); - dpad = (4 - (d % 4)) % 4; - if (dpad && net_write (xserver, zeros, dpad) != dpad) - return 1; - } else { - if(net_write(xserver, zeros, 6) != 6) - return 1; - } - return 0; -} - -/* - * Some simple controls on the address and corresponding socket - */ - -int -suspicious_address (int sock, struct sockaddr *addr) -{ - char data[40]; - socklen_t len = sizeof(data); - - switch (addr->sa_family) { - case AF_INET: - return ((struct sockaddr_in *)addr)->sin_addr.s_addr != - htonl(INADDR_LOOPBACK) -#if defined(IP_OPTIONS) && defined(HAVE_GETSOCKOPT) - || getsockopt (sock, 
IPPROTO_IP, IP_OPTIONS, data, &len) < 0 - || len != 0 -#endif - ; - break; -#ifdef HAVE_IPV6 - case AF_INET6: - /* XXX check route headers */ - return !IN6_IS_ADDR_LOOPBACK(&((struct sockaddr_in6*)addr)->sin6_addr); -#endif - default: - return 1; - } -} - -/* - * This really sucks, but these functions are used and if we're not - * linking against libkrb they don't exist. Using the heimdal storage - * functions will not work either cause we do not always link with - * libkrb5 either. - */ - -#ifndef KRB4 - -int -krb_get_int(void *f, u_int32_t *to, int size, int lsb) -{ - int i; - unsigned char *from = (unsigned char *)f; - - *to = 0; - if(lsb){ - for(i = size-1; i >= 0; i--) - *to = (*to << 8) | from[i]; - }else{ - for(i = 0; i < size; i++) - *to = (*to << 8) | from[i]; - } - return size; -} - -int -krb_put_int(u_int32_t from, void *to, size_t rem, int size) -{ - int i; - unsigned char *p = (unsigned char *)to; - - if (rem < size) - return -1; - - for(i = size - 1; i >= 0; i--){ - p[i] = from & 0xff; - from >>= 8; - } - return size; -} - -#endif /* !KRB4 */ diff --git a/crypto/heimdal-0.6.3/appl/kx/context.c b/crypto/heimdal-0.6.3/appl/kx/context.c deleted file mode 100644 index 28e7254f7e..0000000000 --- a/crypto/heimdal-0.6.3/appl/kx/context.c +++ /dev/null 
@@ -1,94 +0,0 @@
-/*
- * Copyright (c) 1995 - 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kx.h"
-
-RCSID("$Id: context.c,v 1.5 2003/04/16 16:45:41 joda Exp $");
-
-/*
- * Set the common part of the context `kc'
- */
-
-void
-context_set (kx_context *kc, const char *host, const char *user, int port,
- int debug_flag, int keepalive_flag, int tcp_flag)
-{
- kc->thisaddr = (struct sockaddr*)&kc->__ss_this;
- kc->thataddr = (struct sockaddr*)&kc->__ss_that;
- kc->host = host;
- kc->user = user;
- kc->port = port;
- kc->debug_flag = debug_flag;
- kc->keepalive_flag = keepalive_flag;
- kc->tcp_flag = tcp_flag;
-}
-
-/*
- * dispatch functions
- */
-
-void
-context_destroy (kx_context *kc)
-{
- (*kc->destroy)(kc);
-}
-
-int
-context_authenticate (kx_context *kc, int s)
-{
- return (*kc->authenticate)(kc, s);
-}
-
-int
-context_userok (kx_context *kc, char *user)
-{
- return (*kc->userok)(kc, user);
-}
-
-ssize_t
-kx_read (kx_context *kc, int fd, void *buf, size_t len)
-{
- return (*kc->read)(kc, fd, buf, len);
-}
-
-ssize_t
-kx_write (kx_context *kc, int fd, const void *buf, size_t len)
-{
- return (*kc->write)(kc, fd, buf, len);
-}
-
-int
-copy_encrypted (kx_context *kc, int fd1, int fd2)
-{
- return (*kc->copy_encrypted)(kc, fd1, fd2);
-}
diff --git a/crypto/heimdal-0.6.3/appl/kx/krb4.c b/crypto/heimdal-0.6.3/appl/kx/krb4.c
deleted file mode 100644
index dd70a447d7..0000000000
--- a/crypto/heimdal-0.6.3/appl/kx/krb4.c
+++ /dev/null
@@ -1,372 +0,0 @@
-/*
- * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kx.h"
-
-RCSID("$Id: krb4.c,v 1.11.2.1 2004/02/18 19:22:30 lha Exp $");
-
-#ifdef KRB4
-
-struct krb4_kx_context {
- des_cblock key;
- des_key_schedule schedule;
- AUTH_DAT auth;
-};
-
-typedef struct krb4_kx_context krb4_kx_context;
-
-/*
- * Destroy the krb4 context in `c'.
- */ - -static void -krb4_destroy (kx_context *c) -{ - memset (c->data, 0, sizeof(krb4_kx_context)); - free (c->data); -} - -/* - * Read the authentication information from `s' and return 0 if - * succesful, else -1. - */ - -static int -krb4_authenticate (kx_context *kc, int s) -{ - CREDENTIALS cred; - KTEXT_ST text; - MSG_DAT msg; - int status; - krb4_kx_context *c = (krb4_kx_context *)kc->data; - const char *host = kc->host; - - if (kc->thisaddr->sa_family != AF_INET) { - warnx ("%s: used Kerberos v4 authentiocation on non-IP4 address", host); - return -1; - } - -#ifdef HAVE_KRB_GET_OUR_IP_FOR_REALM - if (krb_get_config_bool("nat_in_use")) { - struct in_addr natAddr; - - if (krb_get_our_ip_for_realm(krb_realmofhost(kc->host), - &natAddr) == KSUCCESS - || krb_get_our_ip_for_realm (NULL, &natAddr) == KSUCCESS) - ((struct sockaddr_in *)kc->thisaddr)->sin_addr = natAddr; - } -#endif - - status = krb_sendauth (KOPT_DO_MUTUAL, s, &text, "rcmd", - (char *)host, krb_realmofhost (host), - getpid(), &msg, &cred, c->schedule, - (struct sockaddr_in *)kc->thisaddr, - (struct sockaddr_in *)kc->thataddr, KX_VERSION); - if (status != KSUCCESS) { - warnx ("%s: %s", host, krb_get_err_text(status)); - return -1; - } - memcpy (c->key, cred.session, sizeof(des_cblock)); - return 0; -} - -/* - * Read a krb4 priv packet from `fd' into `buf' (of size `len'). - * Return the number of bytes read or 0 on EOF or -1 on error. 
- */ - -static ssize_t -krb4_read (kx_context *kc, - int fd, void *buf, size_t len) -{ - unsigned char tmp[4]; - ssize_t ret; - size_t l; - int status; - krb4_kx_context *c = (krb4_kx_context *)kc->data; - MSG_DAT msg; - - ret = krb_net_read (fd, tmp, 4); - if (ret == 0) - return ret; - if (ret != 4) - return -1; - l = (tmp[0] << 24) | (tmp[1] << 16) | (tmp[2] << 8) | tmp[3]; - if (l > len) - return -1; - if (krb_net_read (fd, buf, l) != l) - return -1; - status = krb_rd_priv (buf, l, c->schedule, &c->key, - (struct sockaddr_in *)kc->thataddr, - (struct sockaddr_in *)kc->thisaddr, &msg); - if (status != RD_AP_OK) { - warnx ("krb4_read: %s", krb_get_err_text(status)); - return -1; - } - memmove (buf, msg.app_data, msg.app_length); - return msg.app_length; -} - -/* - * Write a krb4 priv packet on `fd' with the data in `buf, len'. - * Return len or -1 on error - */ - -static ssize_t -krb4_write(kx_context *kc, - int fd, const void *buf, size_t len) -{ - void *outbuf; - krb4_kx_context *c = (krb4_kx_context *)kc->data; - int outlen; - unsigned char tmp[4]; - - outbuf = malloc (len + 30); - if (outbuf == NULL) - return -1; - outlen = krb_mk_priv ((void *)buf, outbuf, len, c->schedule, &c->key, - (struct sockaddr_in *)kc->thisaddr, - (struct sockaddr_in *)kc->thataddr); - if (outlen < 0) { - free (outbuf); - return -1; - } - tmp[0] = (outlen >> 24) & 0xFF; - tmp[1] = (outlen >> 16) & 0xFF; - tmp[2] = (outlen >> 8) & 0xFF; - tmp[3] = (outlen >> 0) & 0xFF; - - if (krb_net_write (fd, tmp, 4) != 4 || - krb_net_write (fd, outbuf, outlen) != outlen) { - free (outbuf); - return -1; - } - free (outbuf); - return len; -} - -/* - * Copy data from `fd1' to `fd2', {en,de}crypting with cfb64 - * with `mode' and state stored in `iv', `schedule', and `num'. 
- * Return -1 if error, 0 if eof, else 1 - */ - -static int -do_enccopy (int fd1, int fd2, int mode, des_cblock *iv, - des_key_schedule schedule, int *num) -{ - int ret; - u_char buf[BUFSIZ]; - - ret = read (fd1, buf, sizeof(buf)); - if (ret == 0) - return 0; - if (ret < 0) { - warn ("read"); - return ret; - } -#ifndef NOENCRYPTION - des_cfb64_encrypt (buf, buf, ret, schedule, iv, - num, mode); -#endif - ret = krb_net_write (fd2, buf, ret); - if (ret < 0) { - warn ("write"); - return ret; - } - return 1; -} - -/* - * Copy data between fd1 and fd2, encrypting one way and decrypting - * the other. - */ - -static int -krb4_copy_encrypted (kx_context *kc, - int fd1, int fd2) -{ - krb4_kx_context *c = (krb4_kx_context *)kc->data; - des_cblock iv1, iv2; - int num1 = 0, num2 = 0; - - memcpy (iv1, c->key, sizeof(iv1)); - memcpy (iv2, c->key, sizeof(iv2)); - for (;;) { - fd_set fdset; - int ret; - - if (fd1 >= FD_SETSIZE || fd2 >= FD_SETSIZE) { - warnx ("fd too large"); - return 1; - } - - FD_ZERO(&fdset); - FD_SET(fd1, &fdset); - FD_SET(fd2, &fdset); - - ret = select (max(fd1, fd2)+1, &fdset, NULL, NULL, NULL); - if (ret < 0 && errno != EINTR) { - warn ("select"); - return 1; - } - if (FD_ISSET(fd1, &fdset)) { - ret = do_enccopy (fd1, fd2, DES_ENCRYPT, &iv1, c->schedule, &num1); - if (ret <= 0) - return ret; - } - if (FD_ISSET(fd2, &fdset)) { - ret = do_enccopy (fd2, fd1, DES_DECRYPT, &iv2, c->schedule, &num2); - if (ret <= 0) - return ret; - } - } -} - -/* - * Return 0 if the user authenticated on `kc' is allowed to login as - * `user'. - */ - -static int -krb4_userok (kx_context *kc, char *user) -{ - krb4_kx_context *c = (krb4_kx_context *)kc->data; - char *tmp; - - tmp = krb_unparse_name_long (c->auth.pname, - c->auth.pinst, - c->auth.prealm); - kc->user = strdup (tmp); - if (kc->user == NULL) - err (1, "malloc"); - - - return kuserok (&c->auth, user); -} - -/* - * Create an instance of an krb4 context. 
- */ - -void -krb4_make_context (kx_context *kc) -{ - kc->authenticate = krb4_authenticate; - kc->userok = krb4_userok; - kc->read = krb4_read; - kc->write = krb4_write; - kc->copy_encrypted = krb4_copy_encrypted; - kc->destroy = krb4_destroy; - kc->user = NULL; - kc->data = malloc(sizeof(krb4_kx_context)); - - if (kc->data == NULL) - err (1, "malloc"); -} - -/* - * Receive authentication information on `sock' (first four bytes - * in `buf'). - */ - -int -recv_v4_auth (kx_context *kc, int sock, u_char *buf) -{ - int status; - KTEXT_ST ticket; - char instance[INST_SZ + 1]; - char version[KRB_SENDAUTH_VLEN + 1]; - krb4_kx_context *c; - AUTH_DAT auth; - des_key_schedule schedule; - - if (kc->thisaddr->sa_family != AF_INET) - return -1; - - if (memcmp (buf, KRB_SENDAUTH_VERS, 4) != 0) - return -1; - if (net_read (sock, buf + 4, KRB_SENDAUTH_VLEN - 4) != - KRB_SENDAUTH_VLEN - 4) { - syslog (LOG_ERR, "read: %m"); - exit (1); - } - if (memcmp (buf, KRB_SENDAUTH_VERS, KRB_SENDAUTH_VLEN) != 0) { - syslog (LOG_ERR, "unrecognized auth protocol: %.8s", buf); - exit (1); - } - - k_getsockinst (sock, instance, sizeof(instance)); - status = krb_recvauth (KOPT_IGNORE_PROTOCOL | KOPT_DO_MUTUAL, - sock, - &ticket, - "rcmd", - instance, - (struct sockaddr_in *)kc->thataddr, - (struct sockaddr_in *)kc->thisaddr, - &auth, - "", - schedule, - version); - if (status != KSUCCESS) { - syslog (LOG_ERR, "krb_recvauth: %s", krb_get_err_text(status)); - exit (1); - } - if (strncmp (version, KX_VERSION, KRB_SENDAUTH_VLEN) != 0) { - /* Try to be nice to old kx's */ - if (strncmp (version, KX_OLD_VERSION, KRB_SENDAUTH_VLEN) == 0) { - char *old_errmsg = "\001Old version of kx. 
Please upgrade."; - char user[64]; - - syslog (LOG_ERR, "Old version client (%s)", version); - - krb_net_read (sock, user, sizeof(user)); - krb_net_write (sock, old_errmsg, strlen(old_errmsg) + 1); - exit (1); - } else { - syslog (LOG_ERR, "bad version: %s", version); - exit (1); - } - } - - krb4_make_context (kc); - c = (krb4_kx_context *)kc->data; - - c->auth = auth; - memcpy (c->key, &auth.session, sizeof(des_cblock)); - memcpy (c->schedule, schedule, sizeof(schedule)); - - return 0; -} - -#endif /* KRB4 */ diff --git a/crypto/heimdal-0.6.3/appl/kx/krb5.c b/crypto/heimdal-0.6.3/appl/kx/krb5.c deleted file mode 100644 index 2d3309dbf6..0000000000 --- a/crypto/heimdal-0.6.3/appl/kx/krb5.c +++ /dev/null 
@@ -1,421 +0,0 @@
-/*
- * Copyright (c) 1995 - 2004 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "kx.h" - -RCSID("$Id: krb5.c,v 1.10.6.2 2004/03/16 11:33:48 lha Exp $"); - -#ifdef KRB5 - -struct krb5_kx_context { - krb5_context context; - krb5_keyblock *keyblock; - krb5_crypto crypto; - krb5_principal client; - krb5_log_facility *log; - -}; - -typedef struct krb5_kx_context krb5_kx_context; - -#define K5DATA(kc) ((krb5_kx_context*)kc->data) -#define CONTEXT(kc) (K5DATA(kc)->context) - -/* - * Destroy the krb5 context in `c'. - */ - -static void -krb5_destroy (kx_context *kc) -{ - if (K5DATA(kc)->keyblock) - krb5_free_keyblock (CONTEXT(kc), K5DATA(kc)->keyblock); - if (K5DATA(kc)->crypto) - krb5_crypto_destroy (CONTEXT(kc), K5DATA(kc)->crypto); - if (K5DATA(kc)->client) - krb5_free_principal (CONTEXT(kc), K5DATA(kc)->client); - if (CONTEXT(kc)) - krb5_free_context (CONTEXT(kc)); - memset (kc->data, 0, sizeof(krb5_kx_context)); - free (kc->data); -} - -/* - * Read the authentication information from `s' and return 0 if - * succesful, else -1. - */ - -static int -krb5_authenticate (kx_context *kc, int s) -{ - krb5_auth_context auth_context = NULL; - krb5_error_code ret; - krb5_principal server; - const char *host = kc->host; - - ret = krb5_sname_to_principal (CONTEXT(kc), - host, "host", KRB5_NT_SRV_HST, &server); - if (ret) { - krb5_warn (CONTEXT(kc), ret, "krb5_sname_to_principal: %s", host); - return 1; - } - - ret = krb5_sendauth (CONTEXT(kc), - &auth_context, - &s, - KX_VERSION, - NULL, - server, - AP_OPTS_MUTUAL_REQUIRED | AP_OPTS_USE_SUBKEY, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL); - if (ret) { - if(ret != KRB5_SENDAUTH_BADRESPONSE) - krb5_warn (CONTEXT(kc), ret, "krb5_sendauth: %s", host); - return 1; - } - - ret = krb5_auth_con_getkey (CONTEXT(kc), auth_context, - &K5DATA(kc)->keyblock); - if (ret) { - krb5_warn (CONTEXT(kc), ret, "krb5_auth_con_getkey: %s", host); - krb5_auth_con_free (CONTEXT(kc), auth_context); - return 1; - } - - ret = krb5_crypto_init (CONTEXT(kc), K5DATA(kc)->keyblock, - 0, &K5DATA(kc)->crypto); - if (ret) 
{ - krb5_warn (CONTEXT(kc), ret, "krb5_crypto_init"); - krb5_auth_con_free (CONTEXT(kc), auth_context); - return 1; - } - return 0; -} - -/* - * Read an encapsulated krb5 packet from `fd' into `buf' (of size - * `len'). Return the number of bytes read or 0 on EOF or -1 on - * error. - */ - -static ssize_t -krb5_read (kx_context *kc, - int fd, void *buf, size_t len) -{ - size_t data_len, outer_len; - krb5_error_code ret; - unsigned char tmp[4]; - krb5_data data; - int l; - - l = krb5_net_read (CONTEXT(kc), &fd, tmp, 4); - if (l == 0) - return l; - if (l != 4) - return -1; - data_len = (tmp[0] << 24) | (tmp[1] << 16) | (tmp[2] << 8) | tmp[3]; - outer_len = krb5_get_wrapped_length (CONTEXT(kc), - K5DATA(kc)->crypto, data_len); - if (outer_len > len) - return -1; - if (krb5_net_read (CONTEXT(kc), &fd, buf, outer_len) != outer_len) - return -1; - - ret = krb5_decrypt (CONTEXT(kc), K5DATA(kc)->crypto, - KRB5_KU_OTHER_ENCRYPTED, - buf, outer_len, &data); - if (ret) { - krb5_warn (CONTEXT(kc), ret, "krb5_decrypt"); - return -1; - } - if (data_len > data.length) { - krb5_data_free (&data); - return -1; - } - memmove (buf, data.data, data_len); - krb5_data_free (&data); - return data_len; -} - -/* - * Write an encapsulated krb5 packet on `fd' with the data in `buf, - * len'. Return len or -1 on error. 
- */ - -static ssize_t -krb5_write(kx_context *kc, - int fd, const void *buf, size_t len) -{ - krb5_data data; - krb5_error_code ret; - unsigned char tmp[4]; - size_t outlen; - - ret = krb5_encrypt (CONTEXT(kc), K5DATA(kc)->crypto, - KRB5_KU_OTHER_ENCRYPTED, - (void *)buf, len, &data); - if (ret){ - krb5_warn (CONTEXT(kc), ret, "krb5_write"); - return -1; - } - - outlen = data.length; - tmp[0] = (len >> 24) & 0xFF; - tmp[1] = (len >> 16) & 0xFF; - tmp[2] = (len >> 8) & 0xFF; - tmp[3] = (len >> 0) & 0xFF; - - if (krb5_net_write (CONTEXT(kc), &fd, tmp, 4) != 4 || - krb5_net_write (CONTEXT(kc), &fd, data.data, outlen) != outlen) { - krb5_data_free (&data); - return -1; - } - krb5_data_free (&data); - return len; -} - -/* - * Copy from the unix socket `from_fd' encrypting to `to_fd'. - * Return 0, -1 or len. - */ - -static int -copy_out (kx_context *kc, int from_fd, int to_fd) -{ - char buf[32768]; - ssize_t len; - - len = read (from_fd, buf, sizeof(buf)); - if (len == 0) - return 0; - if (len < 0) { - krb5_warn (CONTEXT(kc), errno, "read"); - return len; - } - return krb5_write (kc, to_fd, buf, len); -} - -/* - * Copy from the socket `from_fd' decrypting to `to_fd'. - * Return 0, -1 or len. - */ - -static int -copy_in (kx_context *kc, int from_fd, int to_fd) -{ - char buf[33000]; /* XXX */ - - ssize_t len; - - len = krb5_read (kc, from_fd, buf, sizeof(buf)); - if (len == 0) - return 0; - if (len < 0) { - krb5_warn (CONTEXT(kc), errno, "krb5_read"); - return len; - } - - return krb5_net_write (CONTEXT(kc), &to_fd, buf, len); -} - -/* - * Copy data between `fd1' and `fd2', encrypting in one direction and - * decrypting in the other. 
- */ - -static int -krb5_copy_encrypted (kx_context *kc, int fd1, int fd2) -{ - for (;;) { - fd_set fdset; - int ret; - - if (fd1 >= FD_SETSIZE || fd2 >= FD_SETSIZE) { - krb5_warnx (CONTEXT(kc), "fd too large"); - return 1; - } - - FD_ZERO(&fdset); - FD_SET(fd1, &fdset); - FD_SET(fd2, &fdset); - - ret = select (max(fd1, fd2)+1, &fdset, NULL, NULL, NULL); - if (ret < 0 && errno != EINTR) { - krb5_warn (CONTEXT(kc), errno, "select"); - return 1; - } - if (FD_ISSET(fd1, &fdset)) { - ret = copy_out (kc, fd1, fd2); - if (ret <= 0) - return ret; - } - if (FD_ISSET(fd2, &fdset)) { - ret = copy_in (kc, fd2, fd1); - if (ret <= 0) - return ret; - } - } -} - -/* - * Return 0 if the user authenticated on `kc' is allowed to login as - * `user'. - */ - -static int -krb5_userok (kx_context *kc, char *user) -{ - krb5_error_code ret; - char *tmp; - - ret = krb5_unparse_name (CONTEXT(kc), K5DATA(kc)->client, &tmp); - if (ret) - krb5_err (CONTEXT(kc), 1, ret, "krb5_unparse_name"); - kc->user = tmp; - - return !krb5_kuserok (CONTEXT(kc), K5DATA(kc)->client, user); -} - -/* - * Create an instance of an krb5 context. - */ - -void -krb5_make_context (kx_context *kc) -{ - krb5_kx_context *c; - krb5_error_code ret; - - kc->authenticate = krb5_authenticate; - kc->userok = krb5_userok; - kc->read = krb5_read; - kc->write = krb5_write; - kc->copy_encrypted = krb5_copy_encrypted; - kc->destroy = krb5_destroy; - kc->user = NULL; - kc->data = malloc(sizeof(krb5_kx_context)); - - if (kc->data == NULL) { - syslog (LOG_ERR, "failed to malloc %u bytes", sizeof(krb5_kx_context)); - exit(1); - } - memset (kc->data, 0, sizeof(krb5_kx_context)); - c = (krb5_kx_context *)kc->data; - ret = krb5_init_context (&c->context); - if (ret) { - syslog (LOG_ERR, "failed initialise krb5 context"); - exit(1); - } -} - -/* - * Receive authentication information on `sock' (first four bytes - * in `buf'). 
- */ - -int -recv_v5_auth (kx_context *kc, int sock, u_char *buf) -{ - u_int32_t len; - krb5_error_code ret; - krb5_principal server; - krb5_auth_context auth_context = NULL; - krb5_ticket *ticket; - - if (memcmp (buf, "\x00\x00\x00\x13", 4) != 0) - return 1; - len = (buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | (buf[3]); - if (net_read(sock, buf, len) != len) { - syslog (LOG_ERR, "read: %m"); - exit (1); - } - if (len != sizeof(KRB5_SENDAUTH_VERSION) - || memcmp (buf, KRB5_SENDAUTH_VERSION, len) != 0) { - syslog (LOG_ERR, "bad sendauth version: %.8s", buf); - exit (1); - } - - krb5_make_context (kc); - krb5_openlog(CONTEXT(kc), "kxd", &K5DATA(kc)->log); - krb5_set_warn_dest(CONTEXT(kc), K5DATA(kc)->log); - - ret = krb5_sock_to_principal (CONTEXT(kc), sock, "host", - KRB5_NT_SRV_HST, &server); - if (ret) { - syslog (LOG_ERR, "krb5_sock_to_principal: %s", - krb5_get_err_text (CONTEXT(kc), ret)); - exit (1); - } - - ret = krb5_recvauth (CONTEXT(kc), - &auth_context, - &sock, - KX_VERSION, - server, - KRB5_RECVAUTH_IGNORE_VERSION, - NULL, - &ticket); - krb5_free_principal (CONTEXT(kc), server); - if (ret) { - syslog (LOG_ERR, "krb5_sock_to_principal: %s", - krb5_get_err_text (CONTEXT(kc), ret)); - exit (1); - } - - ret = krb5_auth_con_getkey (CONTEXT(kc), auth_context, &K5DATA(kc)->keyblock); - if (ret) { - syslog (LOG_ERR, "krb5_auth_con_getkey: %s", - krb5_get_err_text (CONTEXT(kc), ret)); - exit (1); - } - - ret = krb5_crypto_init (CONTEXT(kc), K5DATA(kc)->keyblock, 0, &K5DATA(kc)->crypto); - if (ret) { - syslog (LOG_ERR, "krb5_crypto_init: %s", - krb5_get_err_text (CONTEXT(kc), ret)); - exit (1); - } - - K5DATA(kc)->client = ticket->client; - ticket->client = NULL; - krb5_free_ticket (CONTEXT(kc), ticket); - - return 0; -} - -#endif /* KRB5 */ diff --git a/crypto/heimdal-0.6.3/appl/kx/kx.1 b/crypto/heimdal-0.6.3/appl/kx/kx.1 deleted file mode 100644 index 9e488fae81..0000000000 --- a/crypto/heimdal-0.6.3/appl/kx/kx.1 +++ /dev/null 
@@ -1,93 +0,0 @@
-.\" Copyright (c) 1996 - 1997 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: kx.1,v 1.9 2003/04/11 12:44:57 lha Exp $
-.\"
-.Dd September 27, 1996
-.Dt KX 1
-.Os KTH-KRB
-.Sh NAME
-.Nm kx
-.Nd
-securely forward X conections
-.Sh SYNOPSIS
-.Ar kx
-.Op Fl l Ar username
-.Op Fl k
-.Op Fl d
-.Op Fl t
-.Op Fl p Ar port
-.Op Fl P
-.Ar host
-.Sh DESCRIPTION
-The
-.Nm
-program forwards an X connection from a remote client to a local screen
-through an authenticated and encrypted stream. Options supported by
-.Nm kx :
-.Bl -tag -width Ds
-.It Fl l
-Log in on the remote the host as user
-.Ar username .
-.It Fl k
-Do not enable keep-alives on the TCP connections.
-.It Fl d
-Do not fork. This is mainly useful for debugging.
-.It Fl t
-Listen not only on a UNIX-domain socket but on a TCP socket as well.
-.It Fl p
-Use the port
-.Ar port .
-.It Fl P
-Force passive mode.
-.El
-.Pp
-This program is used by
-.Nm rxtelnet
-and
-.Nm rxterm
-and you should not need to run it directly.
-.Pp
-It connects to a
-.Nm kxd
-on the host
-.Ar host
-and then will relay the traffic from the remote X clients to the local
-server. When started, it prints the display and Xauthority-file to be
-used on host
-.Ar host
-and then goes to the background, waiting for connections from the
-remote
-.Nm kxd .
-.Sh SEE ALSO
-.Xr rxtelnet 1 ,
-.Xr rxterm 1 ,
-.Xr kxd 8
diff --git a/crypto/heimdal-0.6.3/appl/kx/kx.c b/crypto/heimdal-0.6.3/appl/kx/kx.c
deleted file mode 100644
index 27a69b5533..0000000000
--- a/crypto/heimdal-0.6.3/appl/kx/kx.c
+++ /dev/null
@@ -1,765 +0,0 @@ -/* - * Copyright (c) 1995-2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "kx.h" - -RCSID("$Id: kx.c,v 1.72 2003/04/16 17:33:02 joda Exp $"); - -static int nchild; -static int donep; - -/* - * Signal handler that justs waits for the children when they die. 
- */ - -static RETSIGTYPE -childhandler (int sig) -{ - pid_t pid; - int status; - - do { - pid = waitpid (-1, &status, WNOHANG|WUNTRACED); - if (pid > 0 && (WIFEXITED(status) || WIFSIGNALED(status))) - if (--nchild == 0 && donep) - exit (0); - } while(pid > 0); - signal (SIGCHLD, childhandler); - SIGRETURN(0); -} - -/* - * Handler for SIGUSR1. - * This signal means that we should wait until there are no children - * left and then exit. - */ - -static RETSIGTYPE -usr1handler (int sig) -{ - donep = 1; - - SIGRETURN(0); -} - -/* - * Almost the same as for SIGUSR1, except we should exit immediately - * if there are no active children. - */ - -static RETSIGTYPE -usr2handler (int sig) -{ - donep = 1; - if (nchild == 0) - exit (0); - - SIGRETURN(0); -} - -/* - * Establish authenticated connection. Return socket or -1. - */ - -static int -connect_host (kx_context *kc) -{ - struct addrinfo *ai, *a; - struct addrinfo hints; - int error; - char portstr[NI_MAXSERV]; - socklen_t addrlen; - int s; - struct sockaddr_storage thisaddr_ss; - struct sockaddr *thisaddr = (struct sockaddr *)&thisaddr_ss; - - memset (&hints, 0, sizeof(hints)); - hints.ai_socktype = SOCK_STREAM; - hints.ai_protocol = IPPROTO_TCP; - - snprintf (portstr, sizeof(portstr), "%u", ntohs(kc->port)); - - error = getaddrinfo (kc->host, portstr, &hints, &ai); - if (error) { - warnx ("%s: %s", kc->host, gai_strerror(error)); - return -1; - } - - for (a = ai; a != NULL; a = a->ai_next) { - s = socket (a->ai_family, a->ai_socktype, a->ai_protocol); - if (s < 0) - continue; - if (connect (s, a->ai_addr, a->ai_addrlen) < 0) { - warn ("connect(%s)", kc->host); - close (s); - continue; - } - break; - } - - if (a == NULL) { - freeaddrinfo (ai); - return -1; - } - - addrlen = sizeof(thisaddr_ss); - if (getsockname (s, thisaddr, &addrlen) < 0 || - addrlen != a->ai_addrlen) - err(1, "getsockname(%s)", kc->host); - memcpy (&kc->__ss_this, thisaddr, sizeof(kc->__ss_this)); - kc->thisaddr_len = addrlen; - memcpy 
(&kc->__ss_that, a->ai_addr, sizeof(kc->__ss_that)); - kc->thataddr_len = a->ai_addrlen; - freeaddrinfo (ai); - if ((*kc->authenticate)(kc, s)) - return -1; - return s; -} - -/* - * Get rid of the cookie that we were sent and get the correct one - * from our own cookie file instead and then just copy data in both - * directions. - */ - -static int -passive_session (int xserver, int fd, kx_context *kc) -{ - if (replace_cookie (xserver, fd, XauFileName(), 1)) - return 1; - else - return copy_encrypted (kc, xserver, fd); -} - -static int -active_session (int xserver, int fd, kx_context *kc) -{ - if (verify_and_remove_cookies (xserver, fd, 1)) - return 1; - else - return copy_encrypted (kc, xserver, fd); -} - -/* - * fork (unless debugp) and print the output that will be used by the - * script to capture the display, xauth cookie and pid. - */ - -static void -status_output (int debugp) -{ - if(debugp) - printf ("%u\t%s\t%s\n", (unsigned)getpid(), display, xauthfile); - else { - pid_t pid; - - pid = fork(); - if (pid < 0) { - err(1, "fork"); - } else if (pid > 0) { - printf ("%u\t%s\t%s\n", (unsigned)pid, display, xauthfile); - exit (0); - } else { - fclose(stdout); - } - } -} - -/* - * Obtain an authenticated connection on `kc'. Send a kx message - * saying we are `kc->user' and want to use passive mode. Wait for - * answer on that connection and fork of a child for every new - * connection we have to make. 
- */ - -static int -doit_passive (kx_context *kc) -{ - int otherside; - u_char msg[1024], *p; - int len; - u_int32_t tmp; - const char *host = kc->host; - - otherside = connect_host (kc); - - if (otherside < 0) - return 1; -#if defined(SO_KEEPALIVE) && defined(HAVE_SETSOCKOPT) - if (kc->keepalive_flag) { - int one = 1; - - setsockopt (otherside, SOL_SOCKET, SO_KEEPALIVE, (void *)&one, - sizeof(one)); - } -#endif - - p = msg; - *p++ = INIT; - len = strlen(kc->user); - p += KRB_PUT_INT (len, p, sizeof(msg) - 1, 4); - memcpy(p, kc->user, len); - p += len; - *p++ = PASSIVE | (kc->keepalive_flag ? KEEP_ALIVE : 0); - if (kx_write (kc, otherside, msg, p - msg) != p - msg) - err (1, "write to %s", host); - len = kx_read (kc, otherside, msg, sizeof(msg)); - if (len <= 0) - errx (1, - "error reading initial message from %s: " - "this probably means it's using an old version.", - host); - p = (u_char *)msg; - if (*p == ERROR) { - p++; - p += krb_get_int (p, &tmp, 4, 0); - errx (1, "%s: %.*s", host, (int)tmp, p); - } else if (*p != ACK) { - errx (1, "%s: strange msg %d", host, *p); - } else - p++; - p += krb_get_int (p, &tmp, 4, 0); - memcpy(display, p, tmp); - display[tmp] = '\0'; - p += tmp; - - p += krb_get_int (p, &tmp, 4, 0); - memcpy(xauthfile, p, tmp); - xauthfile[tmp] = '\0'; - p += tmp; - - status_output (kc->debug_flag); - for (;;) { - pid_t child; - - len = kx_read (kc, otherside, msg, sizeof(msg)); - if (len < 0) - err (1, "read from %s", host); - else if (len == 0) - return 0; - - p = (u_char *)msg; - if (*p == ERROR) { - p++; - p += krb_get_int (p, &tmp, 4, 0); - errx (1, "%s: %.*s", host, (int)tmp, p); - } else if(*p != NEW_CONN) { - errx (1, "%s: strange msg %d", host, *p); - } else { - p++; - p += krb_get_int (p, &tmp, 4, 0); - } - - ++nchild; - child = fork (); - if (child < 0) { - warn("fork"); - continue; - } else if (child == 0) { - int fd; - int xserver; - - close (otherside); - - socket_set_port(kc->thataddr, htons(tmp)); - - fd = socket 
(kc->thataddr->sa_family, SOCK_STREAM, 0); - if (fd < 0) - err(1, "socket"); -#if defined(TCP_NODELAY) && defined(HAVE_SETSOCKOPT) - { - int one = 1; - - setsockopt (fd, IPPROTO_TCP, TCP_NODELAY, (void *)&one, - sizeof(one)); - } -#endif -#if defined(SO_KEEPALIVE) && defined(HAVE_SETSOCKOPT) - if (kc->keepalive_flag) { - int one = 1; - - setsockopt (fd, SOL_SOCKET, SO_KEEPALIVE, (void *)&one, - sizeof(one)); - } -#endif - - if (connect (fd, kc->thataddr, kc->thataddr_len) < 0) - err(1, "connect(%s)", host); - { - int d = 0; - char *s; - - s = getenv ("DISPLAY"); - if (s != NULL) { - s = strchr (s, ':'); - if (s != NULL) - d = atoi (s + 1); - } - - xserver = connect_local_xsocket (d); - if (xserver < 0) - return 1; - } - return passive_session (xserver, fd, kc); - } else { - } - } -} - -/* - * Allocate a local pseudo-xserver and wait for connections - */ - -static int -doit_active (kx_context *kc) -{ - int otherside; - int nsockets; - struct x_socket *sockets; - u_char msg[1024], *p; - int len = strlen(kc->user); - int tmp, tmp2; - char *s; - int i; - size_t rem; - u_int32_t other_port; - int error; - const char *host = kc->host; - - otherside = connect_host (kc); - if (otherside < 0) - return 1; -#if defined(SO_KEEPALIVE) && defined(HAVE_SETSOCKOPT) - if (kc->keepalive_flag) { - int one = 1; - - setsockopt (otherside, SOL_SOCKET, SO_KEEPALIVE, (void *)&one, - sizeof(one)); - } -#endif - p = msg; - rem = sizeof(msg); - *p++ = INIT; - --rem; - len = strlen(kc->user); - tmp = KRB_PUT_INT (len, p, rem, 4); - if (tmp < 0) - return 1; - p += tmp; - rem -= tmp; - memcpy(p, kc->user, len); - p += len; - rem -= len; - *p++ = (kc->keepalive_flag ? 
KEEP_ALIVE : 0); - --rem; - - s = getenv("DISPLAY"); - if (s == NULL || (s = strchr(s, ':')) == NULL) - s = ":0"; - len = strlen (s); - tmp = KRB_PUT_INT (len, p, rem, 4); - if (tmp < 0) - return 1; - rem -= tmp; - p += tmp; - memcpy (p, s, len); - p += len; - rem -= len; - - s = getenv("XAUTHORITY"); - if (s == NULL) - s = ""; - len = strlen (s); - tmp = KRB_PUT_INT (len, p, rem, 4); - if (tmp < 0) - return 1; - p += len; - rem -= len; - memcpy (p, s, len); - p += len; - rem -= len; - - if (kx_write (kc, otherside, msg, p - msg) != p - msg) - err (1, "write to %s", host); - - len = kx_read (kc, otherside, msg, sizeof(msg)); - if (len < 0) - err (1, "read from %s", host); - p = (u_char *)msg; - if (*p == ERROR) { - u_int32_t u32; - - p++; - p += krb_get_int (p, &u32, 4, 0); - errx (1, "%s: %.*s", host, (int)u32, p); - } else if (*p != ACK) { - errx (1, "%s: strange msg %d", host, *p); - } else - p++; - - tmp2 = get_xsockets (&nsockets, &sockets, kc->tcp_flag); - if (tmp2 < 0) - return 1; - display_num = tmp2; - if (kc->tcp_flag) - snprintf (display, display_size, "localhost:%u", display_num); - else - snprintf (display, display_size, ":%u", display_num); - error = create_and_write_cookie (xauthfile, xauthfile_size, - cookie, cookie_len); - if (error) { - warnx ("failed creating cookie file: %s", strerror(error)); - return 1; - } - status_output (kc->debug_flag); - for (;;) { - fd_set fdset; - pid_t child; - int fd, thisfd = -1; - socklen_t zero = 0; - - FD_ZERO(&fdset); - for (i = 0; i < nsockets; ++i) { - if (sockets[i].fd >= FD_SETSIZE) - errx (1, "fd too large"); - FD_SET(sockets[i].fd, &fdset); - } - if (select(FD_SETSIZE, &fdset, NULL, NULL, NULL) <= 0) - continue; - for (i = 0; i < nsockets; ++i) - if (FD_ISSET(sockets[i].fd, &fdset)) { - thisfd = sockets[i].fd; - break; - } - fd = accept (thisfd, NULL, &zero); - if (fd < 0) { - if (errno == EINTR) - continue; - else - err(1, "accept"); - } - - p = msg; - *p++ = NEW_CONN; - if (kx_write (kc, otherside, msg, p 
- msg) != p - msg) - err (1, "write to %s", host); - len = kx_read (kc, otherside, msg, sizeof(msg)); - if (len < 0) - err (1, "read from %s", host); - p = (u_char *)msg; - if (*p == ERROR) { - u_int32_t val; - - p++; - p += krb_get_int (p, &val, 4, 0); - errx (1, "%s: %.*s", host, (int)val, p); - } else if (*p != NEW_CONN) { - errx (1, "%s: strange msg %d", host, *p); - } else { - p++; - p += krb_get_int (p, &other_port, 4, 0); - } - - ++nchild; - child = fork (); - if (child < 0) { - warn("fork"); - continue; - } else if (child == 0) { - int s; - - for (i = 0; i < nsockets; ++i) - close (sockets[i].fd); - - close (otherside); - - socket_set_port(kc->thataddr, htons(tmp)); - - s = socket (kc->thataddr->sa_family, SOCK_STREAM, 0); - if (s < 0) - err(1, "socket"); -#if defined(TCP_NODELAY) && defined(HAVE_SETSOCKOPT) - { - int one = 1; - - setsockopt (s, IPPROTO_TCP, TCP_NODELAY, (void *)&one, - sizeof(one)); - } -#endif -#if defined(SO_KEEPALIVE) && defined(HAVE_SETSOCKOPT) - if (kc->keepalive_flag) { - int one = 1; - - setsockopt (s, SOL_SOCKET, SO_KEEPALIVE, (void *)&one, - sizeof(one)); - } -#endif - - if (connect (s, kc->thataddr, kc->thataddr_len) < 0) - err(1, "connect"); - - return active_session (fd, s, kc); - } else { - close (fd); - } - } -} - -/* - * Should we interpret `disp' as this being a passive call? - */ - -static int -check_for_passive (const char *disp) -{ - char local_hostname[MaxHostNameLen]; - - gethostname (local_hostname, sizeof(local_hostname)); - - return disp != NULL && - (*disp == ':' - || strncmp(disp, "unix", 4) == 0 - || strncmp(disp, "localhost", 9) == 0 - || strncmp(disp, local_hostname, strlen(local_hostname)) == 0); -} - -/* - * Set up signal handlers and then call the functions. 
- */ - -static int -doit (kx_context *kc, int passive_flag) -{ - signal (SIGCHLD, childhandler); - signal (SIGUSR1, usr1handler); - signal (SIGUSR2, usr2handler); - if (passive_flag) - return doit_passive (kc); - else - return doit_active (kc); -} - -#ifdef KRB4 - -/* - * Start a v4-authenticatated kx connection. - */ - -static int -doit_v4 (const char *host, int port, const char *user, - int passive_flag, int debug_flag, int keepalive_flag, int tcp_flag) -{ - int ret; - kx_context context; - - krb4_make_context (&context); - context_set (&context, - host, user, port, debug_flag, keepalive_flag, tcp_flag); - - ret = doit (&context, passive_flag); - context_destroy (&context); - return ret; -} -#endif /* KRB4 */ - -#ifdef KRB5 - -/* - * Start a v5-authenticatated kx connection. - */ - -static int -doit_v5 (const char *host, int port, const char *user, - int passive_flag, int debug_flag, int keepalive_flag, int tcp_flag) -{ - int ret; - kx_context context; - - krb5_make_context (&context); - context_set (&context, - host, user, port, debug_flag, keepalive_flag, tcp_flag); - - ret = doit (&context, passive_flag); - context_destroy (&context); - return ret; -} -#endif /* KRB5 */ - -/* - * Variables set from the arguments - */ - -#ifdef KRB4 -static int use_v4 = -1; -#ifdef HAVE_KRB_ENABLE_DEBUG -static int krb_debug_flag = 0; -#endif /* HAVE_KRB_ENABLE_DEBUG */ -#endif /* KRB4 */ -#ifdef KRB5 -static int use_v5 = -1; -#endif -static char *port_str = NULL; -static const char *user = NULL; -static int tcp_flag = 0; -static int passive_flag = 0; -static int keepalive_flag = 1; -static int debug_flag = 0; -static int version_flag = 0; -static int help_flag = 0; - -struct getargs args[] = { -#ifdef KRB4 - { "krb4", '4', arg_flag, &use_v4, "Use Kerberos V4", - NULL }, -#ifdef HAVE_KRB_ENABLE_DEBUG - { "krb4-debug", 'D', arg_flag, &krb_debug_flag, - "enable krb4 debugging" }, -#endif /* HAVE_KRB_ENABLE_DEBUG */ -#endif /* KRB4 */ -#ifdef KRB5 - { "krb5", '5', arg_flag, 
&use_v5, "Use Kerberos V5", - NULL }, -#endif - { "port", 'p', arg_string, &port_str, "Use this port", - "number-of-service" }, - { "user", 'l', arg_string, &user, "Run as this user", - NULL }, - { "tcp", 't', arg_flag, &tcp_flag, - "Use a TCP connection for X11" }, - { "passive", 'P', arg_flag, &passive_flag, - "Force a passive connection" }, - { "keepalive", 'k', arg_negative_flag, &keepalive_flag, - "disable keep-alives" }, - { "debug", 'd', arg_flag, &debug_flag, - "Enable debug information" }, - { "version", 0, arg_flag, &version_flag, "Print version", - NULL }, - { "help", 0, arg_flag, &help_flag, NULL, - NULL } -}; - -static void -usage(int ret) -{ - arg_printusage (args, - sizeof(args) / sizeof(args[0]), - NULL, - "host"); - exit (ret); -} - -/* - * kx - forward an x-connection over a kerberos-encrypted channel. - */ - -int -main(int argc, char **argv) -{ - int port = 0; - int optind = 0; - int ret = 1; - char *host = NULL; - - setprogname (argv[0]); - - if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv, - &optind)) - usage (1); - - if (help_flag) - usage (0); - - if (version_flag) { - print_version (NULL); - return 0; - } - - if (optind != argc - 1) - usage (1); - - host = argv[optind]; - - if (port_str) { - struct servent *s = roken_getservbyname (port_str, "tcp"); - - if (s) - port = s->s_port; - else { - char *ptr; - - port = strtol (port_str, &ptr, 10); - if (port == 0 && ptr == port_str) - errx (1, "Bad port `%s'", port_str); - port = htons(port); - } - } - - if (user == NULL) { - user = get_default_username (); - if (user == NULL) - errx (1, "who are you?"); - } - - if (!passive_flag) - passive_flag = check_for_passive (getenv("DISPLAY")); - -#if defined(HAVE_KERNEL_ENABLE_DEBUG) - if (krb_debug_flag) - krb_enable_debug (); -#endif - -#if defined(KRB4) && defined(KRB5) - if(use_v4 == -1 && use_v5 == 1) - use_v4 = 0; - if(use_v5 == -1 && use_v4 == 1) - use_v5 = 0; -#endif - -#ifdef KRB5 - if (ret && use_v5) { - if (port == 0) - port = 
krb5_getportbyname(NULL, "kx", "tcp", KX_PORT); - ret = doit_v5 (host, port, user, - passive_flag, debug_flag, keepalive_flag, tcp_flag); - } -#endif -#ifdef KRB4 - if (ret && use_v4) { - if (port == 0) - port = k_getportbyname("kx", "tcp", htons(KX_PORT)); - ret = doit_v4 (host, port, user, - passive_flag, debug_flag, keepalive_flag, tcp_flag); - } -#endif - return ret; -} diff --git a/crypto/heimdal-0.6.3/appl/kx/kx.cat1 b/crypto/heimdal-0.6.3/appl/kx/kx.cat1 deleted file mode 100644 index e7d2c343ef..0000000000 --- a/crypto/heimdal-0.6.3/appl/kx/kx.cat1 +++ /dev/null @@ -1,39 +0,0 @@ - -KX(1) UNIX Reference Manual KX(1) - -NNAAMMEE - kkxx - securely forward X conections - -SSYYNNOOPPSSIISS - _k_x [--ll _u_s_e_r_n_a_m_e] [--kk] [--dd] [--tt] [--pp _p_o_r_t] [--PP] _h_o_s_t - -DDEESSCCRRIIPPTTIIOONN - The kkxx program forwards an X connection from a remote client to a local - screen through an authenticated and encrypted stream. Options supported - by kkxx: - - --ll Log in on the remote the host as user _u_s_e_r_n_a_m_e. - - --kk Do not enable keep-alives on the TCP connections. - - --dd Do not fork. This is mainly useful for debugging. - - --tt Listen not only on a UNIX-domain socket but on a TCP socket as - well. - - --pp Use the port _p_o_r_t. - - --PP Force passive mode. - - This program is used by rrxxtteellnneett and rrxxtteerrmm and you should not need to - run it directly. - - It connects to a kkxxdd on the host _h_o_s_t and then will relay the traffic - from the remote X clients to the local server. When started, it prints - the display and Xauthority-file to be used on host _h_o_s_t and then goes to - the background, waiting for connections from the remote kkxxdd. - -SSEEEE AALLSSOO - rxtelnet(1), rxterm(1), kxd(8) - - KTH-KRB September 27, 1996 1 diff --git a/crypto/heimdal-0.6.3/appl/kx/kx.h b/crypto/heimdal-0.6.3/appl/kx/kx.h deleted file mode 100644 index dc66272335..0000000000 --- a/crypto/heimdal-0.6.3/appl/kx/kx.h +++ /dev/null 
@@ -1,267 +0,0 @@ -/* - * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -/* $Id: kx.h,v 1.41 2003/04/16 16:45:43 joda Exp $ */ - -#ifdef HAVE_CONFIG_H -#include "config.h" -#endif /* HAVE_CONFIG_H */ - -#include -#include -#include -#include -#include -#include -#ifdef HAVE_UNISTD_H -#include -#endif -#ifdef HAVE_PWD_H -#include -#endif -#ifdef HAVE_GRP_H -#include -#endif -#ifdef HAVE_SYSLOG_H -#include -#endif -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef TIME_WITH_SYS_TIME -#include -#include -#elif defined(HAVE_SYS_TIME_H) -#include -#else -#include -#endif -#ifdef HAVE_SYS_RESOURCE_H -#include -#endif -#ifdef HAVE_SYS_SELECT_H -#include -#endif -#ifdef HAVE_SYS_WAIT_H -#include -#endif -#ifdef HAVE_SYS_STAT_H -#include -#endif -#ifdef HAVE_SYS_SOCKET_H -#include -#endif -#ifdef HAVE_NETINET_IN_H -#include -#endif -#ifdef HAVE_NETINET_TCP_H -#include -#endif -#ifdef HAVE_ARPA_INET_H -#include -#endif -#ifdef HAVE_NETDB_H -#include -#endif -#ifdef HAVE_SYS_UN_H -#include -#endif -#include -#include -#include - -#ifdef HAVE_SYS_STREAM_H -#include -#endif -#ifdef HAVE_SYS_STROPTS_H -#include -#endif - -/* defined by aix's sys/stream.h and again by arpa/nameser.h */ - -#undef NOERROR - -/* as far as we know, this is only used with later versions of Slowlaris */ -#if SunOS >= 50 && defined(HAVE_SYS_STROPTS_H) && defined(HAVE_FATTACH) && defined(I_PUSH) -#define MAY_HAVE_X11_PIPES -#endif - -#ifdef SOCKS -#include -/* This doesn't belong here. 
*/ -struct tm *localtime(const time_t *); -struct hostent *gethostbyname(const char *); -#endif - -#ifdef KRB4 -#include -#include -#endif -#ifdef KRB5 -#include -#endif - -#include -#include -#include - -struct x_socket { - char *pathname; - int fd; - enum { - LISTENP = 0x80, - TCP = LISTENP | 1, - UNIX_SOCKET = LISTENP | 2, - STREAM_PIPE = 3 - } flags; -}; - -extern char x_socket[]; -extern u_int32_t display_num; -extern char display[]; -extern int display_size; -extern char xauthfile[]; -extern int xauthfile_size; -extern u_char cookie[]; -extern size_t cookie_len; - -int get_xsockets (int *number, struct x_socket **sockets, int tcpp); -int chown_xsockets (int n, struct x_socket *sockets, uid_t uid, gid_t gid); - -int connect_local_xsocket (unsigned dnr); -int create_and_write_cookie (char *xauthfile, - size_t size, - u_char *cookie, - size_t sz); -int verify_and_remove_cookies (int fd, int sock, int cookiesp); -int replace_cookie(int xserver, int fd, char *filename, int cookiesp); - -int suspicious_address (int sock, struct sockaddr *addr); - -#define KX_PORT 2111 - -#define KX_OLD_VERSION "KXSERV.1" -#define KX_VERSION "KXSERV.2" - -#define COOKIE_TYPE "MIT-MAGIC-COOKIE-1" - -enum { INIT = 0, ACK = 1, NEW_CONN = 2, ERROR = 3 }; - -enum kx_flags { PASSIVE = 1, KEEP_ALIVE = 2 }; - -typedef enum kx_flags kx_flags; - -struct kx_context { - int (*authenticate)(struct kx_context *kc, int s); - int (*userok)(struct kx_context *kc, char *user); - ssize_t (*read)(struct kx_context *kc, - int fd, void *buf, size_t len); - ssize_t (*write)(struct kx_context *kc, - int fd, const void *buf, size_t len); - int (*copy_encrypted)(struct kx_context *kc, - int fd1, int fd2); - void (*destroy)(struct kx_context *kc); - const char *host; - const char *user; - int port; - int debug_flag; - int keepalive_flag; - int tcp_flag; - struct sockaddr_storage __ss_this; - struct sockaddr_storage __ss_that; - struct sockaddr *thisaddr; - struct sockaddr *thataddr; - socklen_t thisaddr_len, 
thataddr_len; - void *data; -}; - -typedef struct kx_context kx_context; - -void -context_set (kx_context *kc, const char *host, const char *user, int port, - int debug_flag, int keepalive_flag, int tcp_flag); - -void -context_destroy (kx_context *kc); - -int -context_authenticate (kx_context *kc, int s); - -int -context_userok (kx_context *kc, char *user); - -ssize_t -kx_read (kx_context *kc, int fd, void *buf, size_t len); - -ssize_t -kx_write (kx_context *kc, int fd, const void *buf, size_t len); - -int -copy_encrypted (kx_context *kc, int fd1, int fd2); - -#ifdef KRB4 - -void -krb4_make_context (kx_context *c); - -int -recv_v4_auth (kx_context *kc, int sock, u_char *buf); - -#endif - -#ifdef KRB5 - -void -krb5_make_context (kx_context *c); - -int -recv_v5_auth (kx_context *kc, int sock, u_char *buf); - -#endif - -void -fatal (kx_context *kc, int fd, char *format, ...) -#ifdef __GNUC__ -__attribute__ ((format (printf, 3, 4))) -#endif -; - -#ifndef KRB4 - -int -krb_get_int(void *f, u_int32_t *to, int size, int lsb); - -int -krb_put_int(u_int32_t from, void *to, size_t rem, int size); - -#endif diff --git a/crypto/heimdal-0.6.3/appl/kx/kxd.8 b/crypto/heimdal-0.6.3/appl/kx/kxd.8 deleted file mode 100644 index 4ba136e754..0000000000 --- a/crypto/heimdal-0.6.3/appl/kx/kxd.8 +++ /dev/null 
@@ -1,84 +0,0 @@
-.\" Copyright (c) 1996 - 1997, 2001 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: kxd.8,v 1.7 2003/04/11 12:46:57 lha Exp $
-.\"
-.Dd September 27, 1996
-.Dt KXD 8
-.Os KTH-KRB
-.Sh NAME
-.Nm kxd
-.Nd
-securely forward X conections
-.Sh SYNOPSIS
-.Ar kxd
-.Op Fl t
-.Op Fl i
-.Op Fl p Ar port
-.Sh DESCRIPTION
-This is the daemon for
-.Nm kx .
-.Pp
-Options supported by
-.Nm kxd :
-.Bl -tag -width Ds
-.It Fl t
-TCP. Normally
-.Nm kxd
-will only listen for X connections on a UNIX socket, but some machines
-(for example, Cray) have X libraries that are not able to use UNIX
-sockets and thus you need to use TCP to talk to the pseudo-xserver
-created by
-.Nm kxd .
-This option decreases the security significantly and should only be
-used when it is necessary and you have considered the consequences of
-doing so.
-.It Fl i
-Interactive. Do not expect to be started by
-.Nm inetd ,
-but allocate and listen to the socket yourself. Handy for testing
-and debugging.
-.It Fl p
-Port. Listen on the port
-.Ar port .
-Only usable with
-.Fl i .
-.El
-.Sh EXAMPLES
-Put the following in
-.Pa /etc/inetd.conf :
-.Bd -literal
-kx stream tcp nowait root /usr/athena/libexec/kxd kxd
-.Ed
-.Sh SEE ALSO
-.Xr kx 1 ,
-.Xr rxtelnet 1 ,
-.Xr rxterm 1
diff --git a/crypto/heimdal-0.6.3/appl/kx/kxd.c b/crypto/heimdal-0.6.3/appl/kx/kxd.c
deleted file mode 100644
index 6b05cd6030..0000000000
--- a/crypto/heimdal-0.6.3/appl/kx/kxd.c
+++ /dev/null
@@ -1,766 +0,0 @@ -/* - * Copyright (c) 1995 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "kx.h" - -RCSID("$Id: kxd.c,v 1.71.2.2 2003/05/15 15:11:35 lha Exp $"); - -static pid_t wait_on_pid = -1; -static int done = 0; - -/* - * Signal handler that justs waits for the children when they die. 
- */ - -static RETSIGTYPE -childhandler (int sig) -{ - pid_t pid; - int status; - - do { - pid = waitpid (-1, &status, WNOHANG|WUNTRACED); - if (pid > 0 && pid == wait_on_pid) - done = 1; - } while(pid > 0); - signal (SIGCHLD, childhandler); - SIGRETURN(0); -} - -/* - * Print the error message `format' and `...' on fd and die. - */ - -void -fatal (kx_context *kc, int fd, char *format, ...) -{ - u_char msg[1024]; - u_char *p; - va_list args; - int len; - - va_start(args, format); - p = msg; - *p++ = ERROR; - vsnprintf ((char *)p + 4, sizeof(msg) - 5, format, args); - syslog (LOG_ERR, "%s", (char *)p + 4); - len = strlen ((char *)p + 4); - p += KRB_PUT_INT (len, p, 4, 4); - p += len; - kx_write (kc, fd, msg, p - msg); - va_end(args); - exit (1); -} - -/* - * Remove all sockets and cookie files. - */ - -static void -cleanup(int nsockets, struct x_socket *sockets) -{ - int i; - - if(xauthfile[0]) - unlink(xauthfile); - for (i = 0; i < nsockets; ++i) { - if (sockets[i].pathname != NULL) { - unlink (sockets[i].pathname); - free (sockets[i].pathname); - } - } -} - -/* - * Prepare to receive a connection on `sock'. 
- */ - -static int -recv_conn (int sock, kx_context *kc, - int *dispnr, int *nsockets, struct x_socket **sockets, - int tcp_flag) -{ - u_char msg[1024], *p; - char user[256]; - socklen_t addrlen; - struct passwd *passwd; - char remotehost[MaxHostNameLen]; - char remoteaddr[INET6_ADDRSTRLEN]; - int ret = 1; - int flags; - int len; - u_int32_t tmp32; - - addrlen = sizeof(kc->__ss_this); - kc->thisaddr = (struct sockaddr*)&kc->__ss_this; - if (getsockname (sock, kc->thisaddr, &addrlen) < 0) { - syslog (LOG_ERR, "getsockname: %m"); - exit (1); - } - kc->thisaddr_len = addrlen; - addrlen = sizeof(kc->__ss_that); - kc->thataddr = (struct sockaddr*)&kc->__ss_that; - if (getpeername (sock, kc->thataddr, &addrlen) < 0) { - syslog (LOG_ERR, "getpeername: %m"); - exit (1); - } - kc->thataddr_len = addrlen; - - getnameinfo_verified (kc->thataddr, - kc->thataddr_len, - remotehost, sizeof(remotehost), - NULL, 0, 0); - - if (net_read (sock, msg, 4) != 4) { - syslog (LOG_ERR, "read: %m"); - exit (1); - } - -#ifdef KRB5 - if (ret && recv_v5_auth (kc, sock, msg) == 0) - ret = 0; -#endif -#ifdef KRB4 - if (ret && recv_v4_auth (kc, sock, msg) == 0) - ret = 0; -#endif - if (ret) { - syslog (LOG_ERR, "unrecognized auth protocol: %x %x %x %x", - msg[0], msg[1], msg[2], msg[3]); - exit (1); - } - - len = kx_read (kc, sock, msg, sizeof(msg)); - if (len < 0) { - syslog (LOG_ERR, "kx_read failed"); - exit (1); - } - p = (u_char *)msg; - if (*p != INIT) - fatal(kc, sock, "Bad message"); - p++; - p += krb_get_int (p, &tmp32, 4, 0); - len = min(sizeof(user), tmp32); - memcpy (user, p, len); - p += tmp32; - user[len] = '\0'; - - passwd = k_getpwnam (user); - if (passwd == NULL) - fatal (kc, sock, "cannot find uid for %s", user); - - if (context_userok (kc, user) != 0) - fatal (kc, sock, "%s not allowed to login as %s", - kc->user, user); - - flags = *p++; - - if (flags & PASSIVE) { - pid_t pid; - int tmp; - - tmp = get_xsockets (nsockets, sockets, tcp_flag); - if (tmp < 0) { - fatal (kc, sock, 
"Cannot create X socket(s): %s", - strerror(errno)); - } - *dispnr = tmp; - - if (chown_xsockets (*nsockets, *sockets, - passwd->pw_uid, passwd->pw_gid)) { - cleanup (*nsockets, *sockets); - fatal (kc, sock, "Cannot chown sockets: %s", - strerror(errno)); - } - - pid = fork(); - if (pid == -1) { - cleanup (*nsockets, *sockets); - fatal (kc, sock, "fork: %s", strerror(errno)); - } else if (pid != 0) { - wait_on_pid = pid; - while (!done) - pause (); - cleanup (*nsockets, *sockets); - exit (0); - } - } - - if (setgid (passwd->pw_gid) || - initgroups(passwd->pw_name, passwd->pw_gid) || -#ifdef HAVE_GETUDBNAM /* XXX this happens on crays */ - setjob(passwd->pw_uid, 0) == -1 || -#endif - setuid(passwd->pw_uid)) { - syslog(LOG_ERR, "setting uid/groups: %m"); - fatal (kc, sock, "cannot set uid"); - } - - ret = getnameinfo(kc->thataddr, kc->thataddr_len, - remoteaddr, sizeof(remoteaddr), - NULL, 0, NI_NUMERICHOST); - if (ret != 0) - fatal (kc, sock, "getnameinfo failed: %s", gai_strerror(ret)); - - syslog (LOG_INFO, "from %s(%s): %s -> %s", - remotehost, remoteaddr, - kc->user, user); - umask(077); - if (!(flags & PASSIVE)) { - p += krb_get_int (p, &tmp32, 4, 0); - len = min(tmp32, display_size); - memcpy (display, p, len); - display[len] = '\0'; - p += tmp32; - p += krb_get_int (p, &tmp32, 4, 0); - len = min(tmp32, xauthfile_size); - memcpy (xauthfile, p, len); - xauthfile[len] = '\0'; - p += tmp32; - } -#if defined(SO_KEEPALIVE) && defined(HAVE_SETSOCKOPT) - if (flags & KEEP_ALIVE) { - int one = 1; - - setsockopt (sock, SOL_SOCKET, SO_KEEPALIVE, (void *)&one, - sizeof(one)); - } -#endif - return flags; -} - -/* - * - */ - -static int -passive_session (kx_context *kc, int fd, int sock, int cookiesp) -{ - if (verify_and_remove_cookies (fd, sock, cookiesp)) - return 1; - else - return copy_encrypted (kc, fd, sock); -} - -/* - * - */ - -static int -active_session (kx_context *kc, int fd, int sock, int cookiesp) -{ - fd = connect_local_xsocket(0); - - if (replace_cookie (fd, 
sock, xauthfile, cookiesp)) - return 1; - else - return copy_encrypted (kc, fd, sock); -} - -/* - * Handle a new connection. - */ - -static int -doit_conn (kx_context *kc, - int fd, int meta_sock, int flags, int cookiesp) -{ - int sock, sock2, port; - struct sockaddr_storage __ss_addr; - struct sockaddr *addr = (struct sockaddr*)&__ss_addr; - struct sockaddr_storage __ss_thisaddr; - struct sockaddr *thisaddr = (struct sockaddr*)&__ss_thisaddr; - socklen_t addrlen; - u_char msg[1024], *p; - - sock = socket (kc->thisaddr->sa_family, SOCK_STREAM, 0); - if (sock < 0) { - syslog (LOG_ERR, "socket: %m"); - return 1; - } -#if defined(TCP_NODELAY) && defined(HAVE_SETSOCKOPT) - { - int one = 1; - setsockopt (sock, IPPROTO_TCP, TCP_NODELAY, (void *)&one, sizeof(one)); - } -#endif -#if defined(SO_KEEPALIVE) && defined(HAVE_SETSOCKOPT) - if (flags & KEEP_ALIVE) { - int one = 1; - - setsockopt (sock, SOL_SOCKET, SO_KEEPALIVE, (void *)&one, - sizeof(one)); - } -#endif - memset (&__ss_addr, 0, sizeof(__ss_addr)); - addr->sa_family = kc->thisaddr->sa_family; - if (kc->thisaddr_len > sizeof(__ss_addr)) { - syslog(LOG_ERR, "error in af"); - return 1; - } - if (bind (sock, addr, kc->thisaddr_len) < 0) { - syslog (LOG_ERR, "bind: %m"); - return 1; - } - addrlen = sizeof(__ss_addr); - if (getsockname (sock, addr, &addrlen) < 0) { - syslog (LOG_ERR, "getsockname: %m"); - return 1; - } - if (listen (sock, SOMAXCONN) < 0) { - syslog (LOG_ERR, "listen: %m"); - return 1; - } - port = socket_get_port(addr); - - p = msg; - *p++ = NEW_CONN; - p += KRB_PUT_INT (ntohs(port), p, 4, 4); - - if (kx_write (kc, meta_sock, msg, p - msg) < 0) { - syslog (LOG_ERR, "write: %m"); - return 1; - } - - addrlen = sizeof(__ss_thisaddr); - sock2 = accept (sock, thisaddr, &addrlen); - if (sock2 < 0) { - syslog (LOG_ERR, "accept: %m"); - return 1; - } - close (sock); - close (meta_sock); - - if (flags & PASSIVE) - return passive_session (kc, fd, sock2, cookiesp); - else - return active_session (kc, fd, sock2, 
cookiesp); -} - -/* - * Is the current user the owner of the console? - */ - -static void -check_user_console (kx_context *kc, int fd) -{ - struct stat sb; - - if (stat ("/dev/console", &sb) < 0) - fatal (kc, fd, "Cannot stat /dev/console: %s", strerror(errno)); - if (getuid() != sb.st_uid) - fatal (kc, fd, "Permission denied"); -} - -/* close down the new connection with a reasonable error message */ -static void -close_connection(int fd, const char *message) -{ - char buf[264]; /* max message */ - char *p; - int lsb = 0; - size_t mlen; - - mlen = strlen(message); - if(mlen > 255) - mlen = 255; - - /* read first part of connection packet, to get byte order */ - if(read(fd, buf, 6) != 6) { - close(fd); - return; - } - if(buf[0] == 0x6c) - lsb++; - p = buf; - *p++ = 0; /* failed */ - *p++ = mlen; /* length of message */ - p += 4; /* skip protocol version */ - p += 2; /* skip additional length */ - memcpy(p, message, mlen); /* copy message */ - p += mlen; - while((p - buf) % 4) /* pad to multiple of 4 bytes */ - *p++ = 0; - - /* now fill in length of additional data */ - if(lsb) { - buf[6] = (p - buf - 8) / 4; - buf[7] = 0; - }else{ - buf[6] = 0; - buf[7] = (p - buf - 8) / 4; - } - write(fd, buf, p - buf); - close(fd); -} - - -/* - * Handle a passive session on `sock' - */ - -static int -doit_passive (kx_context *kc, - int sock, - int flags, - int dispnr, - int nsockets, - struct x_socket *sockets, - int tcp_flag) -{ - int tmp; - int len; - size_t rem; - u_char msg[1024], *p; - int error; - - display_num = dispnr; - if (tcp_flag) - snprintf (display, display_size, "localhost:%u", display_num); - else - snprintf (display, display_size, ":%u", display_num); - error = create_and_write_cookie (xauthfile, xauthfile_size, - cookie, cookie_len); - if (error) { - cleanup(nsockets, sockets); - fatal (kc, sock, "Cookie-creation failed: %s", strerror(error)); - return 1; - } - - p = msg; - rem = sizeof(msg); - *p++ = ACK; - --rem; - - len = strlen (display); - tmp = KRB_PUT_INT 
(len, p, rem, 4); - if (tmp < 0 || rem < len + 4) { - syslog (LOG_ERR, "doit: buffer too small"); - cleanup(nsockets, sockets); - return 1; - } - p += tmp; - rem -= tmp; - - memcpy (p, display, len); - p += len; - rem -= len; - - len = strlen (xauthfile); - tmp = KRB_PUT_INT (len, p, rem, 4); - if (tmp < 0 || rem < len + 4) { - syslog (LOG_ERR, "doit: buffer too small"); - cleanup(nsockets, sockets); - return 1; - } - p += tmp; - rem -= tmp; - - memcpy (p, xauthfile, len); - p += len; - rem -= len; - - if(kx_write (kc, sock, msg, p - msg) < 0) { - syslog (LOG_ERR, "write: %m"); - cleanup(nsockets, sockets); - return 1; - } - for (;;) { - pid_t child; - int fd = -1; - fd_set fds; - int i; - int ret; - int cookiesp = TRUE; - - FD_ZERO(&fds); - if (sock >= FD_SETSIZE) { - syslog (LOG_ERR, "fd too large"); - cleanup(nsockets, sockets); - return 1; - } - - FD_SET(sock, &fds); - for (i = 0; i < nsockets; ++i) { - if (sockets[i].fd >= FD_SETSIZE) { - syslog (LOG_ERR, "fd too large"); - cleanup(nsockets, sockets); - return 1; - } - FD_SET(sockets[i].fd, &fds); - } - ret = select(FD_SETSIZE, &fds, NULL, NULL, NULL); - if(ret <= 0) - continue; - if(FD_ISSET(sock, &fds)){ - /* there are no processes left on the remote side - */ - cleanup(nsockets, sockets); - exit(0); - } else if(ret) { - for (i = 0; i < nsockets; ++i) { - if (FD_ISSET(sockets[i].fd, &fds)) { - if (sockets[i].flags == TCP) { - struct sockaddr_storage __ss_peer; - struct sockaddr *peer = (struct sockaddr*)&__ss_peer; - socklen_t len = sizeof(__ss_peer); - - fd = accept (sockets[i].fd, - peer, - &len); - if (fd < 0 && errno != EINTR) - syslog (LOG_ERR, "accept: %m"); - - /* XXX */ - if (fd >= 0 && suspicious_address (fd, peer)) { - close (fd); - fd = -1; - errno = EINTR; - } - } else if(sockets[i].flags == UNIX_SOCKET) { - socklen_t zero = 0; - - fd = accept (sockets[i].fd, NULL, &zero); - - if (fd < 0 && errno != EINTR) - syslog (LOG_ERR, "accept: %m"); -#ifdef MAY_HAVE_X11_PIPES - } else if(sockets[i].flags 
== STREAM_PIPE) { - /* - * this code tries to handle the - * send fd-over-pipe stuff for - * solaris - */ - - struct strrecvfd strrecvfd; - - ret = ioctl (sockets[i].fd, - I_RECVFD, &strrecvfd); - if (ret < 0 && errno != EINTR) { - syslog (LOG_ERR, "ioctl I_RECVFD: %m"); - } - - /* XXX */ - if (ret == 0) { - if (strrecvfd.uid != getuid()) { - close (strrecvfd.fd); - fd = -1; - errno = EINTR; - } else { - fd = strrecvfd.fd; - cookiesp = FALSE; - } - } -#endif /* MAY_HAVE_X11_PIPES */ - } else - abort (); - break; - } - } - } - if (fd < 0) { - if (errno == EINTR) - continue; - else - return 1; - } - - child = fork (); - if (child < 0) { - syslog (LOG_ERR, "fork: %m"); - if(errno != EAGAIN) - return 1; - close_connection(fd, strerror(errno)); - } else if (child == 0) { - for (i = 0; i < nsockets; ++i) - close (sockets[i].fd); - return doit_conn (kc, fd, sock, flags, cookiesp); - } else { - close (fd); - } - } -} - -/* - * Handle an active session on `sock' - */ - -static int -doit_active (kx_context *kc, - int sock, - int flags, - int tcp_flag) -{ - u_char msg[1024], *p; - - check_user_console (kc, sock); - - p = msg; - *p++ = ACK; - - if(kx_write (kc, sock, msg, p - msg) < 0) { - syslog (LOG_ERR, "write: %m"); - return 1; - } - for (;;) { - pid_t child; - int len; - - len = kx_read (kc, sock, msg, sizeof(msg)); - if (len < 0) { - syslog (LOG_ERR, "read: %m"); - return 1; - } - p = (u_char *)msg; - if (*p != NEW_CONN) { - syslog (LOG_ERR, "bad_message: %d", *p); - return 1; - } - - child = fork (); - if (child < 0) { - syslog (LOG_ERR, "fork: %m"); - if (errno != EAGAIN) - return 1; - } else if (child == 0) { - return doit_conn (kc, sock, sock, flags, 1); - } else { - } - } -} - -/* - * Receive a connection on `sock' and process it. 
- */ - -static int -doit(int sock, int tcp_flag) -{ - int ret; - kx_context context; - int dispnr; - int nsockets; - struct x_socket *sockets; - int flags; - - flags = recv_conn (sock, &context, &dispnr, &nsockets, &sockets, tcp_flag); - - if (flags & PASSIVE) - ret = doit_passive (&context, sock, flags, dispnr, - nsockets, sockets, tcp_flag); - else - ret = doit_active (&context, sock, flags, tcp_flag); - context_destroy (&context); - return ret; -} - -static char *port_str = NULL; -static int inetd_flag = 1; -static int tcp_flag = 0; -static int version_flag = 0; -static int help_flag = 0; - -struct getargs args[] = { - { "inetd", 'i', arg_negative_flag, &inetd_flag, - "Not started from inetd" }, - { "tcp", 't', arg_flag, &tcp_flag, "Use TCP" }, - { "port", 'p', arg_string, &port_str, "Use this port", - "port" }, - { "version", 0, arg_flag, &version_flag }, - { "help", 0, arg_flag, &help_flag } -}; - -static void -usage(int ret) -{ - arg_printusage (args, - sizeof(args) / sizeof(args[0]), - NULL, - "host"); - exit (ret); -} - -/* - * kxd - receive a forwarded X conncection - */ - -int -main (int argc, char **argv) -{ - int port; - int optind = 0; - - setprogname (argv[0]); - roken_openlog ("kxd", LOG_ODELAY | LOG_PID, LOG_DAEMON); - - if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv, - &optind)) - usage (1); - - if (help_flag) - usage (0); - - if (version_flag) { - print_version (NULL); - return 0; - } - - if(port_str) { - struct servent *s = roken_getservbyname (port_str, "tcp"); - - if (s) - port = s->s_port; - else { - char *ptr; - - port = strtol (port_str, &ptr, 10); - if (port == 0 && ptr == port_str) - errx (1, "bad port `%s'", port_str); - port = htons(port); - } - } else { -#if defined(KRB5) - port = krb5_getportbyname(NULL, "kx", "tcp", KX_PORT); -#elif defined(KRB4) - port = k_getportbyname ("kx", "tcp", htons(KX_PORT)); -#else -#error define KRB4 or KRB5 -#endif - } - - if (!inetd_flag) - mini_inetd (port); - - signal (SIGCHLD, 
childhandler); - return doit(STDIN_FILENO, tcp_flag); -} diff --git a/crypto/heimdal-0.6.3/appl/kx/kxd.cat8 b/crypto/heimdal-0.6.3/appl/kx/kxd.cat8 deleted file mode 100644 index e452b72c9e..0000000000 --- a/crypto/heimdal-0.6.3/appl/kx/kxd.cat8 +++ /dev/null @@ -1,37 +0,0 @@ - -KXD(8) UNIX System Manager's Manual KXD(8) - -NNAAMMEE - kkxxdd - securely forward X conections - -SSYYNNOOPPSSIISS - _k_x_d [--tt] [--ii] [--pp _p_o_r_t] - -DDEESSCCRRIIPPTTIIOONN - This is the daemon for kkxx. - - Options supported by kkxxdd: - - --tt TCP. Normally kkxxdd will only listen for X connections on a UNIX - socket, but some machines (for example, Cray) have X libraries - that are not able to use UNIX sockets and thus you need to use - TCP to talk to the pseudo-xserver created by kkxxdd. This option de- - creases the security significantly and should only be used when - it is necessary and you have considered the consequences of doing - so. - - --ii Interactive. Do not expect to be started by iinneettdd, but allocate - and listen to the socket yourself. Handy for testing and debug- - ging. - - --pp Port. Listen on the port _p_o_r_t. Only usable with --ii. - -EEXXAAMMPPLLEESS - Put the following in _/_e_t_c_/_i_n_e_t_d_._c_o_n_f: - - kx stream tcp nowait root /usr/athena/libexec/kxd kxd - -SSEEEE AALLSSOO - kx(1), rxtelnet(1), rxterm(1) - - KTH-KRB September 27, 1996 1 diff --git a/crypto/heimdal-0.6.3/appl/kx/rxtelnet.1 b/crypto/heimdal-0.6.3/appl/kx/rxtelnet.1 deleted file mode 100644 index 55f2561f9e..0000000000 --- a/crypto/heimdal-0.6.3/appl/kx/rxtelnet.1 +++ /dev/null 
@@ -1,125 +0,0 @@ -.\" Copyright (c) 1996 - 1998, 2001 - 2002 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.\" -.\" $Id: rxtelnet.1,v 1.12 2003/04/11 12:48:46 lha Exp $ -.\" -.Dd September 27, 1996 -.Dt RXTELNET 1 -.Os KTH_KRB -.Sh NAME -.Nm rxtelnet -.Nd -start a telnet and forward X-connections. 
-.Sh SYNOPSIS -.Nm rxtelnet -.Op Fl l Ar username -.Op Fl k -.Op Fl t Ar telnet_args -.Op Fl x Ar xterm_args -.Op Fl K Ar kx_args -.Op Fl w Ar term_emulator -.Op Fl b Ar telnet_program -.Op Fl n -.Op Fl v -.Ar host -.Op Ar port -.Sh DESCRIPTION -The -.Nm -program starts an -.Nm xterm -window with a telnet to host -.Ar host . -From this window you will also be able to run X clients that will be -able to connect securely to your X server. If -.Ar port -is given, that port will be used instead of the default. -.Pp -The supported options are: -.Bl -tag -width Ds -.It Fl l -Log in on the remote host as user -.Ar username . -.It Fl k -Disables keep-alives. -.It Fl t -Send -.Ar telnet_args -as arguments to -.Nm telnet . -.It Fl x -Send -.Ar xterm_args -as arguments to -.Nm xterm . -.It Fl X -Send -.Ar kx_args -as arguments to -.Nm kx . -.It Fl w -Use -.Ar term_emulator -instead of xterm. -.It Fl b -Use -.Ar telnet_program -instead of telnet. -.It Fl n -Do not start any terminal emulator. -.It Fl v -Be verbose. -.El -.Sh EXAMPLE -To login from host -.Va foo -(where your display is) -to host -.Va bar , -you might do the following. -.Bl -enum -.It -On foo: -.Nm -.Va bar -.It -You will get a new window with a -.Nm telnet -to -.Va bar . -In this window you will be able to start X clients. -.El -.Sh SEE ALSO -.Xr kx 1 , -.Xr rxterm 1 , -.Xr telnet 1 , -.Xr tenletxr 1 , -.Xr kxd 8 diff --git a/crypto/heimdal-0.6.3/appl/kx/rxtelnet.cat1 b/crypto/heimdal-0.6.3/appl/kx/rxtelnet.cat1 deleted file mode 100644 index f95ab3fd9f..0000000000 --- a/crypto/heimdal-0.6.3/appl/kx/rxtelnet.cat1 +++ /dev/null 
@@ -1,49 +0,0 @@ - -RXTELNET(1) UNIX Reference Manual RXTELNET(1) - -NNAAMMEE - rrxxtteellnneett - start a telnet and forward X-connections. - -SSYYNNOOPPSSIISS - rrxxtteellnneett [--ll _u_s_e_r_n_a_m_e] [--kk] [--tt _t_e_l_n_e_t___a_r_g_s] [--xx _x_t_e_r_m___a_r_g_s] [--KK _k_x___a_r_g_s] - [--ww _t_e_r_m___e_m_u_l_a_t_o_r] [--bb _t_e_l_n_e_t___p_r_o_g_r_a_m] [--nn] [--vv] _h_o_s_t [_p_o_r_t] - -DDEESSCCRRIIPPTTIIOONN - The rrxxtteellnneett program starts an xxtteerrmm window with a telnet to host _h_o_s_t. - From this window you will also be able to run X clients that will be able - to connect securely to your X server. If _p_o_r_t is given, that port will be - used instead of the default. - - The supported options are: - - --ll Log in on the remote host as user _u_s_e_r_n_a_m_e. - - --kk Disables keep-alives. - - --tt Send _t_e_l_n_e_t___a_r_g_s as arguments to tteellnneett. - - --xx Send _x_t_e_r_m___a_r_g_s as arguments to xxtteerrmm. - - --XX Send _k_x___a_r_g_s as arguments to kkxx. - - --ww Use _t_e_r_m___e_m_u_l_a_t_o_r instead of xterm. - - --bb Use _t_e_l_n_e_t___p_r_o_g_r_a_m instead of telnet. - - --nn Do not start any terminal emulator. - - --vv Be verbose. - -EEXXAAMMPPLLEE - To login from host _f_o_o (where your display is) to host _b_a_r, you might do - the following. - - 1. On foo: rrxxtteellnneett _b_a_r - - 2. You will get a new window with a tteellnneett to _b_a_r. In this window you - will be able to start X clients. - -SSEEEE AALLSSOO - kx(1), rxterm(1), telnet(1), tenletxr(1), kxd(8) - - KTH_KRB September 27, 1996 1 diff --git a/crypto/heimdal-0.6.3/appl/kx/rxtelnet.in b/crypto/heimdal-0.6.3/appl/kx/rxtelnet.in deleted file mode 100644 index b4497c74b3..0000000000 --- a/crypto/heimdal-0.6.3/appl/kx/rxtelnet.in +++ /dev/null 
@@ -1,67 +0,0 @@ -#!/bin/sh -# $Id: rxtelnet.in,v 1.29 2002/03/18 17:37:34 joda Exp $ -# -usage="Usage: $0 [-l username] [-k] [-f] [-t args_to_telnet] [-x args_to_xterm] [-K args_to_kx] [-w term_emulator] [-b telnet_binary] [-n] [-v] [-h | --help] [--version] host [port]" -binary=telnet -term= -kx_args=-P -while true -do - case $1 in - -l) telnet_args="${telnet_args} -l $2 "; kx_args="${kx_args} -l $2"; title="${2}@"; shift 2;; - -t) telnet_args="${telnet_args} $2 "; shift 2;; - -x) xterm_args="${xterm_args} $2 "; shift 2;; - -f) telnet_args="${telnet_args} -f"; shift;; - -k) kx_args="${kx_args} -k"; shift;; - -K) kx_args="${kx_args} $2 "; shift 2;; - -n) term=none; shift;; - -w) term=$2; shift 2;; - -b) binary=$2; shift 2;; - --version) echo "$0: %PACKAGE% %VERSION%"; exit 0;; - -h) echo $usage; exit 0;; - --help) echo $usage; exit 0;; - -v) set -x; verb=1; shift;; - -*) echo "$0: Bad option $1"; echo $usage; exit 1;; - *) break;; - esac -done -if test $# -lt 1; then - echo $usage - exit 1 -fi -host=$1 -port=$2 -title="${title}${host}" -bindir=%bindir% -pdc_trams=`dirname $0` -PATH=$pdc_trams:$bindir:$PATH -export PATH -set -- `kx $kx_args $host` -if test $# -ne 3; then - exit 1 -fi -screen=`echo $DISPLAY | sed -ne 's/[^:]*:[0-9]*\(\.[0-9]*\)/\1/p'` -pid=$1 -disp=${2}${screen} -auth=$3 -oldifs=$IFS -IFS=: -set -- $PATH -IFS=$oldifs -if test -z "$term"; then - for j in xterm dtterm aixterm dxterm hpterm; do - for i in $*; do - test -n "$i" || i="." - if test -x $i/$j; then - term=$j; break 2 - fi - done - done -fi -test "$verb" && echo "Telnet command used is `type $binary`." -if test -n "$term" -a "$term" != "none"; then - ($term -title $title -n $title $xterm_args -e env DISPLAY=$disp XAUTHORITY=$auth $binary -D $telnet_args $host $port; kill -USR2 $pid) & -else - env DISPLAY=$disp XAUTHORITY=$auth $binary -D $telnet_args $host $port - kill -USR2 $pid -fi 
diff --git a/crypto/heimdal-0.6.3/appl/kx/rxterm.1 b/crypto/heimdal-0.6.3/appl/kx/rxterm.1
deleted file mode 100644
index 68b6f3625b..0000000000
--- a/crypto/heimdal-0.6.3/appl/kx/rxterm.1
+++ /dev/null
@@ -1,121 +0,0 @@ -.\" Copyright (c) 1996 - 1997, 2001 - 2003 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. 
-.\" -.\" $Id: rxterm.1,v 1.10 2003/04/11 12:50:03 lha Exp $ -.\" -.Dd April 11, 2003 -.Dt RXTERM 1 -.Os KTH_KRB -.Sh NAME -.Nm rxterm -.Nd -start a secure remote xterm -.Sh SYNOPSIS -.Nm rxterm -.Op Fl l Ar username -.Op Fl k -.Op Fl r Ar rsh_args -.Op Fl x Ar xterm_args -.Op Fl K Ar kx_args -.Op Fl w Ar term_emulator -.Op Fl b Ar rsh_program -.Ar host -.Op Ar port -.Sh DESCRIPTION -The -.Nm -program starts an -.Nm xterm -window on host -.Ar host . -From this window you will also be able to run X clients that will be -able to connect securely to your X server. If -.Ar port -is given, that port will be used instead of the default. -.Pp -The supported options are: -.Bl -tag -width Ds -.It Fl l -Log in on the remote host as user -.Ar username . -.It Fl k -Disable keep-alives. -.It Fl r -Send -.Ar rsh_args -as arguments to -.Nm rsh . -.It Fl x -Send -.Ar xterm_args -as arguments to -.Nm xterm . -.It Fl X -Send -.Ar kx_args -as arguments to -.Nm kx . -.It Fl w -Use -.Ar term_emulator -instead of xterm. -.It Fl b -Use -.Ar rsh_program -instead of rsh. -.It Fl v -Be verbose. -.El -.Sh EXAMPLE -To login from host -.Va foo -(where your display is) -to host -.Va bar , -you might do the following. -.Bl -enum -.It -On foo: -.Nm -.Va bar -.It -You will get a new window running an -.Nm xterm -on host -.Va bar . -In this window you will be able to start X clients. -.El -.Sh SEE ALSO -.Xr kx 1 , -.Xr rsh 1 , -.Xr rxtelnet 1 , -.Xr tenletxr 1 , -.Xr kxd 8 diff --git a/crypto/heimdal-0.6.3/appl/kx/rxterm.cat1 b/crypto/heimdal-0.6.3/appl/kx/rxterm.cat1 deleted file mode 100644 index 41750c38c8..0000000000 --- a/crypto/heimdal-0.6.3/appl/kx/rxterm.cat1 +++ /dev/null 
@@ -1,47 +0,0 @@ - -RXTERM(1) UNIX Reference Manual RXTERM(1) - -NNAAMMEE - rrxxtteerrmm - start a secure remote xterm - -SSYYNNOOPPSSIISS - rrxxtteerrmm [--ll _u_s_e_r_n_a_m_e] [--kk] [--rr _r_s_h___a_r_g_s] [--xx _x_t_e_r_m___a_r_g_s] [--KK _k_x___a_r_g_s] [--ww - _t_e_r_m___e_m_u_l_a_t_o_r] [--bb _r_s_h___p_r_o_g_r_a_m] _h_o_s_t [_p_o_r_t] - -DDEESSCCRRIIPPTTIIOONN - The rrxxtteerrmm program starts an xxtteerrmm window on host _h_o_s_t. From this window - you will also be able to run X clients that will be able to connect se- - curely to your X server. If _p_o_r_t is given, that port will be used instead - of the default. - - The supported options are: - - --ll Log in on the remote host as user _u_s_e_r_n_a_m_e. - - --kk Disable keep-alives. - - --rr Send _r_s_h___a_r_g_s as arguments to rrsshh. - - --xx Send _x_t_e_r_m___a_r_g_s as arguments to xxtteerrmm. - - --XX Send _k_x___a_r_g_s as arguments to kkxx. - - --ww Use _t_e_r_m___e_m_u_l_a_t_o_r instead of xterm. - - --bb Use _r_s_h___p_r_o_g_r_a_m instead of rsh. - - --vv Be verbose. - -EEXXAAMMPPLLEE - To login from host _f_o_o (where your display is) to host _b_a_r, you might do - the following. - - 1. On foo: rrxxtteerrmm _b_a_r - - 2. You will get a new window running an xxtteerrmm on host _b_a_r. In this win- - dow you will be able to start X clients. - -SSEEEE AALLSSOO - kx(1), rsh(1), rxtelnet(1), tenletxr(1), kxd(8) - - KTH_KRB April 11, 2003 1 diff --git a/crypto/heimdal-0.6.3/appl/kx/rxterm.in b/crypto/heimdal-0.6.3/appl/kx/rxterm.in deleted file mode 100644 index 9291d21dfa..0000000000 --- a/crypto/heimdal-0.6.3/appl/kx/rxterm.in +++ /dev/null 
@@ -1,45 +0,0 @@ -#!/bin/sh -# $Id: rxterm.in,v 1.23 2002/03/18 17:37:34 joda Exp $ -# -usage="Usage: $0 [-l username] [-k] [-f] [-r rsh_args] [-x xterm_args] [-K kx_args] [-w term_emulator] [-b rsh_binary][-v] [-h | --help] [--version] host" -binary=rsh -term=xterm -while true -do - case $1 in - -l) rsh_args="${rsh_args} -l $2 "; kx_args="${kx_args} -l $2"; title="${2}@"; shift 2;; - -r) rsh_args="${rsh_args} $2 "; shift 2;; - -x) xterm_args="${xterm_args} $2 "; shift 2;; - -f) rsh_args="${rsh_args} -f"; shift;; - -k) kx_args="${kx_args} -k"; shift;; - -K) kx_args="${kx_args} $2 "; shift 2;; - -w) term=$2; shift 2;; - -b) binary=$2; shift 2;; - --version) echo "$0: %PACKAGE% %VERSION%"; exit 0;; - -h) echo $usage; exit 0;; - --help) echo $usage; exit 0;; - -v) set -x; shift;; - -*) echo "$0: Bad option $1"; echo $usage; exit 1;; - *) break;; - esac -done -if test $# -lt 1; then - echo "Usage: $0 host [arguments to $term]" - exit 1 -fi -host=$1 -title="${title}${host}" -bindir=%bindir% -pdc_trams=`dirname $0` -PATH=$pdc_trams:$bindir:$PATH -export PATH -set -- `kx $kx_args $host` -if test $# -ne 3; then - exit 1 -fi -screen=`echo $DISPLAY | sed -ne 's/[^:]*:[0-9]*\(\.[0-9]*\)/\1/p'` -pid=$1 -disp=${2}${screen} -auth=$3 -kill -USR1 $pid -$binary -n $rsh_args $host "/bin/sh -c 'DISPLAY=$disp XAUTHORITY=$auth $term -T $title -n $title $xterm_args /dev/null 2>/dev/null &'" diff --git a/crypto/heimdal-0.6.3/appl/kx/tenletxr.1 b/crypto/heimdal-0.6.3/appl/kx/tenletxr.1 deleted file mode 100644 index a48510c8d8..0000000000 --- a/crypto/heimdal-0.6.3/appl/kx/tenletxr.1 +++ /dev/null 
@@ -1,92 +0,0 @@
-.\" Copyright (c) 1997, 2001 - 2002 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: tenletxr.1,v 1.5 2003/02/16 21:10:16 lha Exp $
-.\"
-.Dd March 31, 1997
-.Dt TENLETXR 1
-.Os KTH_KRB
-.Sh NAME
-.Nm tenletxr
-.Nd
-forward X-connections backwards.
-.Sh SYNOPSIS
-.Nm tenletxr
-.Op Fl l Ar username
-.Op Fl k
-.Ar host
-.Op Ar port
-.Sh DESCRIPTION
-The
-.Nm
-program
-enables forwarding of X-connections from this machine to host
-.Ar host .
-If
-.Ar port
-is given, that port will be used instead of the default.
-.Pp
-The supported options are:
-.Bl -tag -width Ds
-.It Fl l
-Log in on the remote host as user
-.Ar username
-.It Fl k
-Disables keep-alives.
-.El
-.Sh EXAMPLE
-To login from host
-.Va foo
-to host
-.Va bar
-(where your display is),
-you might do the following.
-.Bl -enum
-.It
-On foo:
-.Nm
-.Va bar
-.It
-You will get a new shell where you will be able to start X clients
-that will show their windows on
-.Va bar .
-.El
-.Sh BUGS
-It currently checks if you have permission to run it by checking if
-you own
-.Pa /dev/console
-on the remote host.
-.Sh SEE ALSO
-.Xr kx 1 ,
-.Xr rxtelnet 1 ,
-.Xr rxterm 1 ,
-.Xr telnet 1 ,
-.Xr kxd 8
diff --git a/crypto/heimdal-0.6.3/appl/kx/tenletxr.cat1 b/crypto/heimdal-0.6.3/appl/kx/tenletxr.cat1
deleted file mode 100644
index 99bcf7e240..0000000000
--- a/crypto/heimdal-0.6.3/appl/kx/tenletxr.cat1
+++ /dev/null
@@ -1,37 +0,0 @@ - -TENLETXR(1) UNIX Reference Manual TENLETXR(1) - -NNAAMMEE - tteennlleettxxrr - forward X-connections backwards. - -SSYYNNOOPPSSIISS - tteennlleettxxrr [--ll _u_s_e_r_n_a_m_e] [--kk] _h_o_s_t [_p_o_r_t] - -DDEESSCCRRIIPPTTIIOONN - The tteennlleettxxrr program enables forwarding of X-connections from this ma- - chine to host _h_o_s_t. If _p_o_r_t is given, that port will be used instead of - the default. - - The supported options are: - - --ll Log in on the remote host as user _u_s_e_r_n_a_m_e - - --kk Disables keep-alives. - -EEXXAAMMPPLLEE - To login from host _f_o_o to host _b_a_r (where your display is), you might do - the following. - - 1. On foo: tteennlleettxxrr _b_a_r - - 2. You will get a new shell where you will be able to start X clients - that will show their windows on _b_a_r. - -BBUUGGSS - It currently checks if you have permission to run it by checking if you - own _/_d_e_v_/_c_o_n_s_o_l_e on the remote host. - -SSEEEE AALLSSOO - kx(1), rxtelnet(1), rxterm(1), telnet(1), kxd(8) - - KTH_KRB March 31, 1997 1 diff --git a/crypto/heimdal-0.6.3/appl/kx/tenletxr.in b/crypto/heimdal-0.6.3/appl/kx/tenletxr.in deleted file mode 100644 index 5c05dc9d4c..0000000000 --- a/crypto/heimdal-0.6.3/appl/kx/tenletxr.in +++ /dev/null 
@@ -1,37 +0,0 @@
-#!/bin/sh
-# $Id: tenletxr.in,v 1.3 1999/02/04 09:29:59 assar Exp $
-#
-usage="Usage: $0 [-l username] [-k] [-v] [-h | --help] [--version] host [port]"
-while true
-do
- case $1 in
- -l) kx_args="${kx_args} -l $2"; shift 2;;
- -k) kx_args="${kx_args} -k"; shift;;
- --version) echo "$0: %PACKAGE% %VERSION%"; exit 0;;
- -h) echo $usage; exit 0;;
- --help) echo $usage; exit 0;;
- -v) set -x; shift;;
- -*) echo "$0: Bad option $1"; echo $usage; exit 1;;
- *) break;;
- esac
-done
-if test $# -lt 1; then
- echo $usage
- exit 1
-fi
-host=$1
-port=$2
-bindir=%bindir%
-pdc_trams=`dirname $0`
-PATH=$pdc_trams:$bindir:$PATH
-export PATH
-set -- `kx $kx_args $host`
-if test $# -ne 3; then
- exit 1
-fi
-screen=`echo $DISPLAY | sed -ne 's/[^:]*:[0-9]*\(\.[0-9]*\)/\1/p'`
-pid=$1
-disp=${2}${screen}
-auth=$3
-env DISPLAY=$disp XAUTHORITY=$auth $SHELL
-kill -USR2 $pid
diff --git a/crypto/heimdal-0.6.3/appl/kx/writeauth.c b/crypto/heimdal-0.6.3/appl/kx/writeauth.c
deleted file mode 100644
index 11dc72dfec..0000000000
--- a/crypto/heimdal-0.6.3/appl/kx/writeauth.c
+++ /dev/null
@@ -1,73 +0,0 @@ -/* $XConsortium: AuWrite.c,v 1.6 94/04/17 20:15:45 gildea Exp $ */ - -/* - -Copyright (c) 1988 X Consortium - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in -all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN -AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. - -Except as contained in this notice, the name of the X Consortium shall not be -used in advertising or otherwise to promote the sale, use or other dealings -in this Software without prior written authorization from the X Consortium. 
- -*/ - -#ifdef HAVE_CONFIG_H -#include -RCSID("$Id: writeauth.c,v 1.4 1999/05/12 17:59:44 assar Exp $"); -#endif - -#include - -static int -write_short (unsigned short s, FILE *file) -{ - unsigned char file_short[2]; - - file_short[0] = (s & (unsigned)0xff00) >> 8; - file_short[1] = s & 0xff; - if (fwrite (file_short, sizeof (file_short), 1, file) != 1) - return 0; - return 1; -} - -static int -write_counted_string (unsigned short count, char *string, FILE *file) -{ - if (write_short (count, file) == 0) - return 0; - if (fwrite (string, (int) sizeof (char), (int) count, file) != count) - return 0; - return 1; -} - -int -XauWriteAuth (FILE *auth_file, Xauth *auth) -{ - if (write_short (auth->family, auth_file) == 0) - return 0; - if (write_counted_string (auth->address_length, auth->address, auth_file) == 0) - return 0; - if (write_counted_string (auth->number_length, auth->number, auth_file) == 0) - return 0; - if (write_counted_string (auth->name_length, auth->name, auth_file) == 0) - return 0; - if (write_counted_string (auth->data_length, auth->data, auth_file) == 0) - return 0; - return 1; -} diff --git a/crypto/heimdal-0.6.3/appl/login/ChangeLog b/crypto/heimdal-0.6.3/appl/login/ChangeLog deleted file mode 100644 index 3da323743a..0000000000 --- a/crypto/heimdal-0.6.3/appl/login/ChangeLog +++ /dev/null 
@@ -1,284 +0,0 @@ -2004-09-08 Johan Danielsson - - * login.c: pull up 1.62->1.63: use krb5_appdefault_boolean instead - of krb5_config_get_bool - -2003-03-24 Johan Danielsson - - * Makefile.am: install man pages - - * login.1: manpage for login - - * login.c: allow "welcome" as well as "motd" in login.conf - - * login.access.5: login.access manual page - -2003-03-18 Love Hörnquist Åstrand - - * login.c: also need pag_set - * login.c: if there is kerberos 5, call krb5_afslog\* - -2002-08-23 Johan Danielsson - - * login.c: if motd is set in login.conf, output its contents - before starting the shell - -2002-02-27 Johan Danielsson - - * login.c: reset signals to default, needed on solaris 8 - -2002-02-19 Johan Danielsson - - * login_locl.h: include netgroup.h and rpcsvc/ypclnt.h - - * login.c: make this build without krb5 - -2001-09-22 Assar Westerlund - - * login_locl.h: kludge: use absolute path to find prot.h so we do - not get confused by athena's prot.h - -2001-09-17 Assar Westerlund - - * login.c (do_login): add setpcred - -2001-07-06 Assar Westerlund - - * login.c: move osf2c magic earlier. from Mark Davies - - -2001-06-19 Assar Westerlund - - * login.c (krb5_to4): dereference result from krb5_princ_realm. - noted by Thomas Nystrom - -2001-06-04 Assar Westerlund - - * update copyright messages on Wietse Venema's code. - -2001-05-31 Assar Westerlund - - * login.c (krb5_to4): look for [realms]krb4_get_tickets to - decide whether to get kerberos 4 tickets - -2001-02-08 Assar Westerlund - - * utmp_login.c, utmpx_login.c: try to write a useful string as - host in utmp, using the same algoritm as telnetd - -2001-01-29 Assar Westerlund - - * login.c: remove some krb5_free_context that might happen at - unappropriate times - -2000-12-31 Assar Westerlund - - * login.c (main): handle krb5_init_context failure consistently - -2000-12-11 Assar Westerlund - - * login.c (do_login): set the group on the tty. 
- (r_flag): comment out - * login.c (krb5_to4): always return a value - -2000-10-15 Assar Westerlund - - * login.c (krb5_to4): check another return code - -2000-08-22 Johan Danielsson - - * login.c (do_login): set PATH to something sane; - (start_logout_process): avoid getting signals sent to the parent - - * login_locl.h: _PATH_DEFPATH - -2000-07-01 Assar Westerlund - - * login.c (login_timeout): add back - -2000-06-28 Johan Danielsson - - * env.c: new file for environment related functions - - * login.c: move environment stuff to separate file, allow - specifying list of environment files via login.conf - -2000-06-21 Assar Westerlund - - * Makefile.am (LDADD): add otp - * login.c: add reading of /etc/environment. From Ake Sandgren - - add otp support. From Daniel Kouril - -2000-06-09 Assar Westerlund - - * login.c (do_login): work-around for setuid and capabilities bug - fixed in Linux 2.2.16 - -2000-04-09 Assar Westerlund - - * login.c: allow conversion of v5 -> v4 tickets when logging in - with forwarded tickets - -1999-11-09 Johan Danielsson - - * conf.c: remove case for not having cgetent, since it's in roken - -1999-11-05 Assar Westerlund - - * login.c (do_login): conditionalize shadow stuff on getspnam - -1999-10-30 Assar Westerlund - - * Makefile.am (login_DEPENDENCIES): remove, it's not entirely - correct and was causing problems with non-GNU make - -1999-10-28 Assar Westerlund - - * login.c (start_logout_proceess): don't examine `prog' before - setting it. - -1999-10-27 Assar Westerlund - - * login.c (do_login): chown and chmod the tty. some clean-up. 
- -1999-10-03 Assar Westerlund - - * login.c (krb5_start_session): correct the ccache to - krb524_convert_creds_kdc - -1999-09-28 Assar Westerlund - - * login.c (krb5_verify): use krb5_verify_user_lrealm - -1999-09-01 Johan Danielsson - - * login.c: SGI capability mumbo-jumbo - -1999-08-09 Johan Danielsson - - * login.c (start_logout_process): call setproctitle - - * login_locl.h: declare struct spwd - - * login.c: add support for starting extra processes at login and - logout; always preserve TERM and TZ - - * conf.c: add configuration file support - -1999-08-07 Assar Westerlund - - * shadow.c (check_shadow): check for a NULL sp - -1999-08-05 Assar Westerlund - - * login.c (main): move down login incorrect to disallow account - guessing - -1999-08-04 Assar Westerlund - - * utmpx_login.c (utmpx_login): fix for Solaris. From Miroslav - Ruda - - * login_locl.h: add and some prototypes - - * login.c: fixes with v4 and shadow support. From Miroslav Ruda - - - * shadow.c: new file with functions for handling shadow passwords - - * Makefile.am: add shadow - -1999-07-22 Assar Westerlund - - * login.c (main): generate a better tty name - -1999-05-25 Johan Danielsson - - * login.c (do_login): set $SHELL - -1999-05-18 Assar Westerlund - - * add login-access - -1999-05-11 Assar Westerlund - - * login.c: copy the v5 ccache to a file after having done setuid - -1999-05-09 Assar Westerlund - - * login.c (krb5_verify): check seteuid for errors - -Mon Apr 19 22:30:55 1999 Assar Westerlund - - * login.c: conditionalize the kafs calls on KRB4 - - * Makefile.am (LDADD): add kafs - - * login.c: add support for getting afs tokens with v4 and v5 - -Sun Apr 18 14:12:28 1999 Johan Danielsson - - * login.c: check _PATH_NOLOGIN - - * login_locl.h: _PATH_NOLOGIN - -1999-04-11 Assar Westerlund - - * login.c (main): use print_version - -Thu Apr 8 15:03:55 1999 Johan Danielsson - - * login.c: remove definition of KRB_VERIFY_USER et.al. 
(moved to - config.h) - - * login_locl.h: include udb.h, sys/resource.h, and sys/category.h - -Sat Mar 27 17:58:37 1999 Johan Danielsson - - * Makefile.am: osfc2.c - - * login.c: magic for OSF C2, and Crays - - * login_locl.h: do_osfc2_magic proto - - * osfc2.c: bsd_locl -> login_locl - - * osfc2.c: OSF C2 magic - -Tue Mar 23 14:17:40 1999 Johan Danielsson - - * login_locl.h: _PATH_UTMP - -Sun Mar 21 15:02:31 1999 Johan Danielsson - - * login.c: `-h' is host, not help - -Sat Mar 20 00:11:13 1999 Assar Westerlund - - * login_locl.h: krb.h: add - - * login.c: static-size - (krb4_verify): add - -Thu Mar 18 11:36:10 1999 Johan Danielsson - - * Makefile.am: include Makefile.am.common - -Thu Mar 11 17:53:36 1999 Johan Danielsson - - * utmpx_login.c: add some consts - - * utmp_login.c: add some consts - - * login.c: staticize - - * login_locl.h: add prototypes, and defaults for - _PATH_* - -Mon Mar 1 10:49:14 1999 Johan Danielsson - - * utmpx_login.c: HAVE_UT_* -> HAVE_STRUCT_UTMP*_UT_* - - * utmp_login.c: HAVE_UT_* -> HAVE_STRUCT_UTMP*_UT_* - diff --git a/crypto/heimdal-0.6.3/appl/login/Makefile.am b/crypto/heimdal-0.6.3/appl/login/Makefile.am deleted file mode 100644 index 860ce70e52..0000000000 --- a/crypto/heimdal-0.6.3/appl/login/Makefile.am +++ /dev/null 
@@ -1,39 +0,0 @@
-# $Id: Makefile.am,v 1.21 2003/03/24 16:15:48 joda Exp $
-
-include $(top_srcdir)/Makefile.am.common
-
-INCLUDES += $(INCLUDE_krb4)
-
-man_MANS = login.1 login.access.5
-
-bin_PROGRAMS = login
-
-login_SOURCES = \
- conf.c \
- env.c \
- login.c \
- login_access.c \
- login_locl.h \
- login_protos.h \
- osfc2.c \
- read_string.c \
- shadow.c \
- stty_default.c \
- tty.c \
- utmp_login.c \
- utmpx_login.c
-
-LDADD = $(LIB_otp) \
- $(LIB_kafs) \
- $(top_builddir)/lib/krb5/libkrb5.la \
- $(LIB_krb4) \
- $(LIB_des) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(LIB_roken) \
- $(LIB_security) \
- $(DBLIB)
-
-$(srcdir)/login_protos.h:
- cd $(srcdir); perl ../../cf/make-proto.pl -o login_protos.h -q -P comment $(login_SOURCES) || rm -f login_protos.h
-
-$(login_OBJECTS): $(srcdir)/login_protos.h
diff --git a/crypto/heimdal-0.6.3/appl/login/Makefile.in b/crypto/heimdal-0.6.3/appl/login/Makefile.in
deleted file mode 100644
index 72648ab609..0000000000
--- a/crypto/heimdal-0.6.3/appl/login/Makefile.in
+++ /dev/null
@@ -1,889 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.21 2003/03/24 16:15:48 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - -SOURCES = $(login_SOURCES) - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../.. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ - $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common ChangeLog -bin_PROGRAMS = login$(EXEEXT) -subdir = appl/login -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - 
$(top_srcdir)/cf/krb-struct-spwd.m4 \ - $(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man5dir)" -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -PROGRAMS = $(bin_PROGRAMS) -am_login_OBJECTS = conf.$(OBJEXT) env.$(OBJEXT) login.$(OBJEXT) \ - login_access.$(OBJEXT) osfc2.$(OBJEXT) read_string.$(OBJEXT) \ - shadow.$(OBJEXT) stty_default.$(OBJEXT) tty.$(OBJEXT) \ - utmp_login.$(OBJEXT) utmpx_login.$(OBJEXT) -login_OBJECTS = $(am_login_OBJECTS) -login_LDADD = $(LDADD) -am__DEPENDENCIES_1 = -am__DEPENDENCIES_2 = $(top_builddir)/lib/kafs/libkafs.la \ - $(am__DEPENDENCIES_1) -login_DEPENDENCIES = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_2) \ - $(top_builddir)/lib/krb5/libkrb5.la $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) $(top_builddir)/lib/asn1/libasn1.la \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -SOURCES = $(login_SOURCES) -DIST_SOURCES = $(login_SOURCES) -man1dir = $(mandir)/man1 -man5dir = $(mandir)/man5 -MANS = $(man_MANS) -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = 
@HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ 
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = 
@dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -man_MANS = login.1 login.access.5 -login_SOURCES = \ - conf.c \ - env.c \ - 
login.c \ - login_access.c \ - login_locl.h \ - login_protos.h \ - osfc2.c \ - read_string.c \ - shadow.c \ - stty_default.c \ - tty.c \ - utmp_login.c \ - utmpx_login.c - -LDADD = $(LIB_otp) \ - $(LIB_kafs) \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(LIB_krb4) \ - $(LIB_des) \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_roken) \ - $(LIB_security) \ - $(DBLIB) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps appl/login/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps appl/login/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' 
in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -install-binPROGRAMS: $(bin_PROGRAMS) - @$(NORMAL_INSTALL) - test -z "$(bindir)" || $(mkdir_p) "$(DESTDIR)$(bindir)" - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(bindir)/$$f'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(bindir)/$$f" || exit 1; \ - else :; fi; \ - done - -uninstall-binPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f '$(DESTDIR)$(bindir)/$$f'"; \ - rm -f "$(DESTDIR)$(bindir)/$$f"; \ - done - -clean-binPROGRAMS: - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -login$(EXEEXT): $(login_OBJECTS) $(login_DEPENDENCIES) - @rm -f login$(EXEEXT) - $(LINK) $(login_LDFLAGS) $(login_OBJECTS) $(login_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c $< - -.c.obj: - $(COMPILE) -c 
`$(CYGPATH_W) '$<'` - -.c.lo: - $(LTCOMPILE) -c -o $@ $< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -install-man1: $(man1_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - test -z "$(man1dir)" || $(mkdir_p) "$(DESTDIR)$(man1dir)" - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 1*) ;; \ - *) ext='1' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man1dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man1dir)/$$inst"; \ - done -uninstall-man1: - @$(NORMAL_UNINSTALL) - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 1*) ;; \ - *) ext='1' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f '$(DESTDIR)$(man1dir)/$$inst'"; \ - rm -f "$(DESTDIR)$(man1dir)/$$inst"; \ - done -install-man5: $(man5_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - test -z "$(man5dir)" || $(mkdir_p) "$(DESTDIR)$(man5dir)" - @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.5*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if 
test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 5*) ;; \ - *) ext='5' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst"; \ - done -uninstall-man5: - @$(NORMAL_UNINSTALL) - @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.5*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 5*) ;; \ - *) ext='5' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f '$(DESTDIR)$(man5dir)/$$inst'"; \ - rm -f "$(DESTDIR)$(man5dir)/$$inst"; \ - done - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - 
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/../.. $(distdir)/../../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) $(MANS) all-local -installdirs: - for dir in "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man5dir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am 
-uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: install-man - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: install-binPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man1 install-man5 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-binPROGRAMS uninstall-info-am uninstall-man - -uninstall-man: uninstall-man1 uninstall-man5 - -.PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \ - clean clean-binPROGRAMS clean-generic clean-libtool ctags \ - distclean distclean-compile distclean-generic \ - distclean-libtool distclean-tags distdir dvi dvi-am html \ - html-am info info-am install install-am install-binPROGRAMS \ - install-data install-data-am install-exec 
install-exec-am \ - install-info install-info-am install-man install-man1 \ - install-man5 install-strip installcheck installcheck-am \ - installdirs maintainer-clean maintainer-clean-generic \ - mostlyclean mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool pdf pdf-am ps ps-am tags uninstall \ - uninstall-am uninstall-binPROGRAMS uninstall-info-am \ - uninstall-man uninstall-man1 uninstall-man5 - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - 
$(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -$(srcdir)/login_protos.h: - cd $(srcdir); perl ../../cf/make-proto.pl -o login_protos.h -q -P comment $(login_SOURCES) || rm -f login_protos.h - -$(login_OBJECTS): $(srcdir)/login_protos.h -# Tell versions [3.59,3.63) of GNU make to not export all variables. 
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/crypto/heimdal-0.6.3/appl/login/conf.c b/crypto/heimdal-0.6.3/appl/login/conf.c
deleted file mode 100644
index 85cfc0099d..0000000000
--- a/crypto/heimdal-0.6.3/appl/login/conf.c
+++ /dev/null
@@ -1,55 +0,0 @@ -/* - * Copyright (c) 1999 - 2000 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of KTH nor the names of its contributors may be - * used to endorse or promote products derived from this software without - * specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY - * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR - * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, - * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR - * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF - * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/
-
-#include "login_locl.h"
-
-RCSID("$Id: conf.c,v 1.3 2000/05/29 16:52:24 assar Exp $");
-
-static char *confbuf;
-
-static int
-login_conf_init(void)
-{
- char *files[] = { _PATH_LOGIN_CONF, NULL };
- return cgetent(&confbuf, files, "default");
-}
-
-char *
-login_conf_get_string(const char *str)
-{
- char *value;
- if(login_conf_init() != 0)
- return NULL;
- if(cgetstr(confbuf, (char *)str, &value) < 0)
- return NULL;
- return value;
-}
diff --git a/crypto/heimdal-0.6.3/appl/login/env.c b/crypto/heimdal-0.6.3/appl/login/env.c
deleted file mode 100644
index 57f68b1c9a..0000000000
--- a/crypto/heimdal-0.6.3/appl/login/env.c
+++ /dev/null
@@ -1,98 +0,0 @@ -/* - * Copyright (c) 2000 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "login_locl.h" -RCSID("$Id: env.c,v 1.1 2000/06/28 12:27:38 joda Exp $"); - -/* - * the environment we will send to execle and the shell. 
- */
-
-char **env;
-int num_env;
-
-void
-extend_env(char *str)
-{
- env = realloc(env, (num_env + 1) * sizeof(*env));
- if(env == NULL)
- errx(1, "Out of memory!");
- env[num_env++] = str;
-}
-
-void
-add_env(const char *var, const char *value)
-{
- int i;
- char *str;
- asprintf(&str, "%s=%s", var, value);
- if(str == NULL)
- errx(1, "Out of memory!");
- for(i = 0; i < num_env; i++)
- if(strncmp(env[i], var, strlen(var)) == 0 &&
- env[i][strlen(var)] == '='){
- free(env[i]);
- env[i] = str;
- return;
- }
-
- extend_env(str);
-}
-
-void
-copy_env(void)
-{
- char **p;
- for(p = environ; *p; p++)
- extend_env(*p);
-}
-
-int
-login_read_env(const char *file)
-{
- char **newenv;
- char *p;
- int i, j;
-
- newenv = NULL;
- i = read_environment(file, &newenv);
- for (j = 0; j < i; j++) {
- p = strchr(newenv[j], '=');
- *p++ = 0;
- add_env(newenv[j], p);
- *--p = '=';
- free(newenv[j]);
- }
- free(newenv);
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/appl/login/login.1 b/crypto/heimdal-0.6.3/appl/login/login.1
deleted file mode 100644
index b0c9a6ce74..0000000000
--- a/crypto/heimdal-0.6.3/appl/login/login.1
+++ /dev/null
@@ -1,226 +0,0 @@ -.\" $Id: login.1,v 1.1 2003/03/24 16:15:12 joda Exp $ -.\" -.Dd March 24, 2003 -.Dt LOGIN 1 -.Os HEIMDAL -.Sh NAME -.Nm login -.Nd -authenticate a user and start new session -.Sh SYNOPSIS -.Nm -.Op Fl fp -.Op Fl a Ar level -.Op Fl h Ar hostname -.Ar [username] -.Sh DESCRIPTION -This manual page documents the -.Nm login -program distributed with the Heimdal Kerberos 5 implementation, it may -differ in important ways from your system version. -.Pp -The -.Nm login -programs logs users into the system. It is intended to be run by -system daemons like -.Xr getty 8 -or -.Xr telnetd 8 . -If you are already logged in, but want to change to another user, you -should use -.Xr su 1 . -.Pp -A username can be given on the command line, else one will be prompted -for. -.Pp -A password is required to login, unless the -.Fl f -option is given (indicating that the calling program has already done -proper authentication). With -.Fl f -the user will be logged in without further questions. -.Pp -For password authentication Kerberos 5, Kerberos 4 (if compiled in), -OTP (if compiled in) and local -.No ( Pa /etc/passwd ) -passwords are supported. OTP will be used if the the user is -registered to use it, and -.Nm login -is given the option -.Fl a Li otp . -When using OTP, a challenge is shown to the user. -.Pp -Further options are: -.Bl -tag -width Ds -.It Fl a Ar string -Which authentication mode to use, the only supported value is -currently -.Dq otp . -.It Fl f -Indicates that the user is already authenticated. This happens, for -instance, when login is started by telnetd, and the user has proved -authentic via Kerberos. -.It Fl h Ar hostname -Indicates which host the user is logging in from. This is passed from -telnetd, and is entered into the login database. -.It Fl p -This tells -.Nm login -to preserve all environment variables. If not given, only the -.Dv TERM -and -.Dv TZ -variables are preserved. 
It could be a security risk to pass random -variables to -.Nm login -or the user shell, so the calling daemon should make sure it only -passes -.Dq safe -variables. -.El -.Pp -The process of logging user in proceeds as follows. -.Pp -First a check is made that logins are allowed at all. This usually -means checking -.Pa /etc/nologin . -If it exists, and the user trying to login is not root, the contents -is printed, and then login exits. -.Pp -Then various system parameters are set up, like changing the owner of -the tty to the user, setting up signals, setting the group list, and -user and group id. Also various machine specific tasks are performed. -.Pp -Next -.Nm login -changes to the users home directory, or if that fails, to -.Pa / . -The environment is setup, by adding some required variables (such as -.Dv PATH ) , -and also authentication related ones (such as -.Dv KRB5CCNAME ) . -If an environment file exists -.No ( Pa /etc/environment ) , -variables are set according to -it. -.Pp -If one or more login message files are configured, their contents is -printed to the terminal. -.Pp -If a login time command is configured, it is executed. A logout time -command can also be configured, which makes -.Nm login -fork, and wait for the user shell to exit, and then run the command. -This can be used to clean up user credentials. -.Pp -Finally, the user's shell is executed. If the user logging in is root, -and root's login shell does not exist, a default shell (usually -.Pa /bin/sh ) -is also tried before giving up. 
-.Sh ENVIRONMENT -These environment variables are set by login (not including ones set by -.Pa /etc/environment ) : -.Pp -.Bl -tag -compact -width USERXXLOGNAME -.It Dv PATH -the default system path -.It Dv HOME -the user's home directory (or possibly -.Pa / ) -.It Dv USER , Dv LOGNAME -both set to the username -.It Dv SHELL -the user's shell -.It Dv TERM , Dv TZ -set to whatever is passed to -.Nm login -.It Dv KRB5CCNAME -if the password is verified via Kerberos 5, this will point to the -credentials cache file -.It Dv KRBTKFILE -if the password is verified via Kerberos 4, this will point to the -ticket file -.El -.Sh FILES -.Bl -tag -compact -width Ds -.It Pa /etc/environment -Contains a set of environment variables that should be set in addition -to the ones above. It should contain sh-style assignments like -.Dq VARIABLE=value . -Note that they are not parsed the way a shell would. No variable -expansion is performed, and all strings are literal, and quotation -marks should not be used. Everything after a hash mark is considered a -comment. The following are all different (the last will set the -variable -.Dv BAR , -not -.Dv FOO ) . -.Bd -literal -offset indent -FOO=this is a string -FOO="this is a string" -BAR= FOO='this is a string' -.Ed -.It Pa /etc/login.access -See -.Xr login.access 5 . -.It Pa /etc/login.conf -This is a termcap style configuration file, that contains various -settings used by -.Nm login . -Currently only the -.Dq default -capability record is used. The possible capability strings include: -.Pp -.Bl -tag -compact -width Ds -.It Li environment -This is a comma separated list of environment files that are read in -the order specified. If this is missing the default -.Pa /etc/environment -is used. -.It Li login_program -This program will be executed just before the user's shell is started. -It will be called without arguments. -.It Li logout_program -This program will be executed just after the user's shell has -terminated. 
It will be called without arguments. This program will be -the parent process of the spawned shell. -.It Li motd -A comma separated list of text files that will be printed to the -user's terminal before starting the shell. The string -.Li welcome -works similarly, but points to a single file. -.El -.It Pa /etc/nologin -If it exists, login is denied to all but root. The contents of this -file is printed before login exits. -.El -.Pp -Other -.Nm login -programs typically print all sorts of information by default, such as -last time you logged in, if you have mail, and system message files. -This version of -.Nm login -does not, so there is no reason for -.Pa .hushlogin -files or similar. We feel that these tasks are best left to the user's -shell, but the -.Li login_program -facility allows for a shell independent solution, if that is desired. -.Sh EXAMPLES -A -.Pa login.conf -file could look like: -.Bd -literal -offset indent -default:\\ - :motd=/etc/motd,/etc/motd.local: -.Ed -.Sh SEE ALSO -.Xr su 1 , -.Xr login.access 5 , -.Xr getty 8 , -.Xr telnetd 8 -.Sh AUTHORS -This login program was written for the Heimdal Kerberos 5 -implementation. The login.access code was written by Wietse Venema. -.\".Sh BUGS diff --git a/crypto/heimdal-0.6.3/appl/login/login.access.5 b/crypto/heimdal-0.6.3/appl/login/login.access.5 deleted file mode 100644 index be8828c94f..0000000000 --- a/crypto/heimdal-0.6.3/appl/login/login.access.5 +++ /dev/null 
@@ -1,56 +0,0 @@ -.\" $Id: login.access.5,v 1.1 2003/03/24 15:49:30 joda Exp $ -.\" -.Dd March 21, 2003 -.Dt LOGIN.ACCESS 5 -.Os HEIMDAL -.Sh NAME -.Nm login.access -.Nd -login access control table -.Sh DESCRIPTION -The -.Nm login.access -file specifies on which ttys or from which hosts certain users are -allowed to login. -.Pp -At login, the -.Pa /etc/login.access -file is checked for the first entry that matches a specific user/host -or user/tty combination. That entry can either allow or deny login -access to that user. -.Pp -Each entry have three fields separated by colon: -.Bl -bullet -.It -The first field indicates the permission given if the entry matches. -It can be either -.Dq + -(allow access) -or -.Dq - -(deny access) . -.It -The second field is a comma separated list of users or groups for -which the current entry applies. NIS netgroups can used (if -configured) if preceeded by @. The magic string ALL matches all users. -A group will match if the user is a member of that group, or it is the -user's primary group. -.It -The third field is a list of ttys, or network names. A network name -can be either a hostname, a domain (indicated by a starting period), -or a netgroup. As with the user list, ALL matches anything. LOCAL -matches a string not containing a period. -.El -.Pp -If the string EXCEPT is found in either the user or from list, the -rest of the list are exceptions to the list before EXCEPT. -.Sh BUGS -If there's a user and a group with the same name, there is no way to -make the group match if the user also matches. -.Sh SEE ALSO -.Xr login 1 -.Sh AUTHORS -The -.Fn login_access -function was written by -Wietse Venema. This manual page was written for Heimdal. diff --git a/crypto/heimdal-0.6.3/appl/login/login.access.cat5 b/crypto/heimdal-0.6.3/appl/login/login.access.cat5 deleted file mode 100644 index 8d53505c5b..0000000000 --- a/crypto/heimdal-0.6.3/appl/login/login.access.cat5 +++ /dev/null 
@@ -1,45 +0,0 @@ - -LOGIN.ACCESS(5) UNIX Programmer's Manual LOGIN.ACCESS(5) - -NNAAMMEE - llooggiinn..aacccceessss - login access control table - -DDEESSCCRRIIPPTTIIOONN - The llooggiinn..aacccceessss file specifies on which ttys or from which hosts certain - users are allowed to login. - - At login, the _/_e_t_c_/_l_o_g_i_n_._a_c_c_e_s_s file is checked for the first entry that - matches a specific user/host or user/tty combination. That entry can ei- - ther allow or deny login access to that user. - - Each entry have three fields separated by colon: - - ++oo The first field indicates the permission given if the entry matches. - It can be either ``+'' (allow access) or ``-'' (deny access) . - - ++oo The second field is a comma separated list of users or groups for - which the current entry applies. NIS netgroups can used (if config- - ured) if preceeded by @. The magic string ALL matches all users. A - group will match if the user is a member of that group, or it is the - user's primary group. - - ++oo The third field is a list of ttys, or network names. A network name - can be either a hostname, a domain (indicated by a starting period), - or a netgroup. As with the user list, ALL matches anything. LOCAL - matches a string not containing a period. - - If the string EXCEPT is found in either the user or from list, the rest - of the list are exceptions to the list before EXCEPT. - -BBUUGGSS - If there's a user and a group with the same name, there is no way to make - the group match if the user also matches. - -SSEEEE AALLSSOO - login(1) - -AAUUTTHHOORRSS - The llooggiinn__aacccceessss() function was written by Wietse Venema. This manual - page was written for Heimdal. - - HEIMDAL March 21, 2003 1 diff --git a/crypto/heimdal-0.6.3/appl/login/login.c b/crypto/heimdal-0.6.3/appl/login/login.c deleted file mode 100644 index 1531eecbfa..0000000000 --- a/crypto/heimdal-0.6.3/appl/login/login.c +++ /dev/null 
@@ -1,858 +0,0 @@ -/* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "login_locl.h" -#ifdef HAVE_CAPABILITY_H -#include -#endif -#ifdef HAVE_SYS_CAPABILITY_H -#include -#endif - -RCSID("$Id: login.c,v 1.59.2.1 2004/09/08 09:15:39 joda Exp $"); - -static int login_timeout = 60; - -static int -start_login_process(void) -{ - char *prog, *argv0; - prog = login_conf_get_string("login_program"); - if(prog == NULL) - return 0; - argv0 = strrchr(prog, '/'); - - if(argv0) - argv0++; - else - argv0 = prog; - - return simple_execle(prog, argv0, NULL, env); -} - -static int -start_logout_process(void) -{ - char *prog, *argv0; - pid_t pid; - - prog = login_conf_get_string("logout_program"); - if(prog == NULL) - return 0; - argv0 = strrchr(prog, '/'); - - if(argv0) - argv0++; - else - argv0 = prog; - - pid = fork(); - if(pid == 0) { - /* avoid getting signals sent to the shell */ - setpgid(0, getpid()); - return 0; - } - if(pid == -1) - err(1, "fork"); - /* wait for the real login process to exit */ -#ifdef HAVE_SETPROCTITLE - setproctitle("waitpid %d", pid); -#endif - while(1) { - int status; - int ret; - ret = waitpid(pid, &status, 0); - if(ret > 0) { - if(WIFEXITED(status) || WIFSIGNALED(status)) { - execle(prog, argv0, NULL, env); - err(1, "exec %s", prog); - } - } else if(ret < 0) - err(1, "waitpid"); - } -} - -static void -exec_shell(const char *shell, int fallback) -{ - char *sh; - const char *p; - - extend_env(NULL); - if(start_login_process() < 0) - warn("login process"); - start_logout_process(); - - p = strrchr(shell, '/'); - if(p) - p++; - else - p = shell; - asprintf(&sh, "-%s", p); - execle(shell, sh, NULL, env); - if(fallback){ - warnx("Can't exec %s, trying %s", - shell, _PATH_BSHELL); - execle(_PATH_BSHELL, "-sh", NULL, env); - err(1, "%s", _PATH_BSHELL); - } - err(1, "%s", shell); -} - -static enum { NONE = 0, AUTH_KRB4 = 1, AUTH_KRB5 = 2, AUTH_OTP = 3 } auth; - -#ifdef OTP -static OtpContext otp_ctx; - -static int -otp_verify(struct passwd *pwd, const char *password) -{ - return (otp_verify_user (&otp_ctx, 
password)); -} -#endif /* OTP */ - - -static int pag_set = 0; - -#ifdef KRB5 -static krb5_context context; -static krb5_ccache id, id2; - -static int -krb5_verify(struct passwd *pwd, const char *password) -{ - krb5_error_code ret; - krb5_principal princ; - - ret = krb5_parse_name(context, pwd->pw_name, &princ); - if(ret) - return 1; - ret = krb5_cc_gen_new(context, &krb5_mcc_ops, &id); - if(ret) { - krb5_free_principal(context, princ); - return 1; - } - ret = krb5_verify_user_lrealm(context, - princ, - id, - password, - 1, - NULL); - krb5_free_principal(context, princ); - return ret; -} - -#ifdef KRB4 -static krb5_error_code -krb5_to4 (krb5_ccache id) -{ - krb5_error_code ret; - krb5_principal princ; - - int get_v4_tgt; - - ret = krb5_cc_get_principal(context, id, &princ); - if(ret == 0) { - krb5_appdefault_boolean(context, "login", - krb5_principal_get_realm(context, princ), - "krb4_get_tickets", FALSE, &get_v4_tgt); - krb5_free_principal(context, princ); - } else { - krb5_realm realm = NULL; - krb5_get_default_realm(context, &realm); - krb5_appdefault_boolean(context, "login", - realm, - "krb4_get_tickets", FALSE, &get_v4_tgt); - free(realm); - } - - if (get_v4_tgt) { - CREDENTIALS c; - krb5_creds mcred, cred; - char krb4tkfile[MAXPATHLEN]; - krb5_error_code ret; - krb5_principal princ; - - ret = krb5_cc_get_principal (context, id, &princ); - if (ret) - return ret; - - ret = krb5_make_principal(context, &mcred.server, - princ->realm, - "krbtgt", - princ->realm, - NULL); - krb5_free_principal (context, princ); - if (ret) - return ret; - - ret = krb5_cc_retrieve_cred(context, id, 0, &mcred, &cred); - if(ret == 0) { - ret = krb524_convert_creds_kdc_ccache(context, id, &cred, &c); - if(ret == 0) { - snprintf(krb4tkfile,sizeof(krb4tkfile),"%s%d",TKT_ROOT, - getuid()); - krb_set_tkt_string(krb4tkfile); - tf_setup(&c, c.pname, c.pinst); - } - memset(&c, 0, sizeof(c)); - krb5_free_creds_contents(context, &cred); - } - krb5_free_principal(context, mcred.server); - } - 
return 0; -} -#endif /* KRB4 */ - -static int -krb5_start_session (const struct passwd *pwd) -{ - krb5_error_code ret; - char residual[64]; - - /* copy credentials to file cache */ - snprintf(residual, sizeof(residual), "FILE:/tmp/krb5cc_%u", - (unsigned)pwd->pw_uid); - krb5_cc_resolve(context, residual, &id2); - ret = krb5_cc_copy_cache(context, id, id2); - if (ret == 0) - add_env("KRB5CCNAME", residual); - else { - krb5_cc_destroy (context, id2); - return ret; - } -#ifdef KRB4 - krb5_to4 (id2); -#endif - krb5_cc_close(context, id2); - krb5_cc_destroy(context, id); - return 0; -} - -static void -krb5_finish (void) -{ - krb5_free_context(context); -} - -static void -krb5_get_afs_tokens (const struct passwd *pwd) -{ - char cell[64]; - char *pw_dir; - krb5_error_code ret; - - if (!k_hasafs ()) - return; - - ret = krb5_cc_default(context, &id2); - - if (ret == 0) { - pw_dir = pwd->pw_dir; - - if (!pag_set) { - k_setpag(); - pag_set = 1; - } - - if(k_afs_cell_of_file(pw_dir, cell, sizeof(cell)) == 0) - krb5_afslog_uid_home (context, id2, - cell, NULL, pwd->pw_uid, pwd->pw_dir); - krb5_afslog_uid_home (context, id2, NULL, NULL, - pwd->pw_uid, pwd->pw_dir); - krb5_cc_close (context, id2); - } -} - -#endif /* KRB5 */ - -#ifdef KRB4 - -static int -krb4_verify(struct passwd *pwd, const char *password) -{ - char lrealm[REALM_SZ]; - int ret; - char ticket_file[MaxPathLen]; - - ret = krb_get_lrealm (lrealm, 1); - if (ret) - return 1; - - snprintf (ticket_file, sizeof(ticket_file), - "%s%u_%u", - TKT_ROOT, (unsigned)pwd->pw_uid, (unsigned)getpid()); - - krb_set_tkt_string (ticket_file); - - ret = krb_verify_user (pwd->pw_name, "", lrealm, (char *)password, - KRB_VERIFY_SECURE_FAIL, NULL); - if (ret) - return 1; - - if (chown (ticket_file, pwd->pw_uid, pwd->pw_gid) < 0) { - dest_tkt(); - return 1; - } - - add_env ("KRBTKFILE", ticket_file); - return 0; -} - -static void -krb4_get_afs_tokens (const struct passwd *pwd) -{ - char cell[64]; - char *pw_dir; - - if (!k_hasafs ()) - 
return; - - pw_dir = pwd->pw_dir; - - if (!pag_set) { - k_setpag(); - pag_set = 1; - } - - if(k_afs_cell_of_file(pw_dir, cell, sizeof(cell)) == 0) - krb_afslog_uid_home (cell, NULL, pwd->pw_uid, pwd->pw_dir); - - krb_afslog_uid_home (NULL, NULL, pwd->pw_uid, pwd->pw_dir); -} - -#endif /* KRB4 */ - -static int f_flag; -static int p_flag; -#if 0 -static int r_flag; -#endif -static int version_flag; -static int help_flag; -static char *remote_host; -static char *auth_level = NULL; - -struct getargs args[] = { - { NULL, 'a', arg_string, &auth_level, "authentication mode" }, -#if 0 - { NULL, 'd' }, -#endif - { NULL, 'f', arg_flag, &f_flag, "pre-authenticated" }, - { NULL, 'h', arg_string, &remote_host, "remote host", "hostname" }, - { NULL, 'p', arg_flag, &p_flag, "don't purge environment" }, -#if 0 - { NULL, 'r', arg_flag, &r_flag, "rlogin protocol" }, -#endif - { "version", 0, arg_flag, &version_flag }, - { "help", 0, arg_flag,&help_flag, } -}; - -int nargs = sizeof(args) / sizeof(args[0]); - -static void -update_utmp(const char *username, const char *hostname, - char *tty, char *ttyn) -{ - /* - * Update the utmp files, both BSD and SYSV style. - */ - if (utmpx_login(tty, username, hostname) != 0 && !f_flag) { - printf("No utmpx entry. You must exec \"login\" from the " - "lowest level shell.\n"); - exit(1); - } - utmp_login(ttyn, username, hostname); -} - -static void -checknologin(void) -{ - FILE *f; - char buf[1024]; - - f = fopen(_PATH_NOLOGIN, "r"); - if(f == NULL) - return; - while(fgets(buf, sizeof(buf), f)) - fputs(buf, stdout); - fclose(f); - exit(0); -} - -/* print contents of a file */ -static void -show_file(const char *file) -{ - FILE *f; - char buf[BUFSIZ]; - if((f = fopen(file, "r")) == NULL) - return; - while (fgets(buf, sizeof(buf), f)) - fputs(buf, stdout); - fclose(f); -} - -/* - * Actually log in the user. `pwd' contains all the relevant - * information about the user. `ttyn' is the complete name of the tty - * and `tty' the short name. 
- */ - -static void -do_login(const struct passwd *pwd, char *tty, char *ttyn) -{ -#ifdef HAVE_GETSPNAM - struct spwd *sp; -#endif - int rootlogin = (pwd->pw_uid == 0); - gid_t tty_gid; - struct group *gr; - const char *home_dir; - int i; - - if(!rootlogin) - checknologin(); - -#ifdef HAVE_GETSPNAM - sp = getspnam(pwd->pw_name); -#endif - - update_utmp(pwd->pw_name, remote_host ? remote_host : "", - tty, ttyn); - - gr = getgrnam ("tty"); - if (gr != NULL) - tty_gid = gr->gr_gid; - else - tty_gid = pwd->pw_gid; - - if (chown (ttyn, pwd->pw_uid, tty_gid) < 0) { - warn("chown %s", ttyn); - if (rootlogin == 0) - exit (1); - } - - if (chmod (ttyn, S_IRUSR | S_IWUSR | S_IWGRP) < 0) { - warn("chmod %s", ttyn); - if (rootlogin == 0) - exit (1); - } - -#ifdef HAVE_SETLOGIN - if(setlogin(pwd->pw_name)){ - warn("setlogin(%s)", pwd->pw_name); - if(rootlogin == 0) - exit(1); - } -#endif -#ifdef HAVE_SETPCRED - if (setpcred (pwd->pw_name, NULL) == -1) - warn("setpcred(%s)", pwd->pw_name); -#endif /* HAVE_SETPCRED */ -#ifdef HAVE_INITGROUPS - if(initgroups(pwd->pw_name, pwd->pw_gid)){ - warn("initgroups(%s, %u)", pwd->pw_name, (unsigned)pwd->pw_gid); - if(rootlogin == 0) - exit(1); - } -#endif - if(do_osfc2_magic(pwd->pw_uid)) - exit(1); - if(setgid(pwd->pw_gid)){ - warn("setgid(%u)", (unsigned)pwd->pw_gid); - if(rootlogin == 0) - exit(1); - } - if(setuid(pwd->pw_uid) || (pwd->pw_uid != 0 && setuid(0) == 0)) { - warn("setuid(%u)", (unsigned)pwd->pw_uid); - if(rootlogin == 0) - exit(1); - } - - /* make sure signals are set to default actions, apparently some - OS:es like to ignore SIGINT, which is not very convenient */ - - for (i = 1; i < NSIG; ++i) - signal(i, SIG_DFL); - - /* all kinds of different magic */ - -#ifdef HAVE_GETSPNAM - check_shadow(pwd, sp); -#endif - -#if defined(HAVE_GETUDBNAM) && defined(HAVE_SETLIM) - { - struct udb *udb; - long t; - const long maxcpu = 46116860184; /* some random constant */ - udb = getudbnam(pwd->pw_name); - if(udb == UDB_NULL) - errx(1, 
"Failed to get UDB entry."); - t = udb->ue_pcpulim[UDBRC_INTER]; - if(t == 0 || t > maxcpu) - t = CPUUNLIM; - else - t *= 100 * CLOCKS_PER_SEC; - - if(limit(C_PROC, 0, L_CPU, t) < 0) - warn("limit C_PROC"); - - t = udb->ue_jcpulim[UDBRC_INTER]; - if(t == 0 || t > maxcpu) - t = CPUUNLIM; - else - t *= 100 * CLOCKS_PER_SEC; - - if(limit(C_JOBPROCS, 0, L_CPU, t) < 0) - warn("limit C_JOBPROCS"); - - nice(udb->ue_nice[UDBRC_INTER]); - } -#endif -#if defined(HAVE_SGI_GETCAPABILITYBYNAME) && defined(HAVE_CAP_SET_PROC) - /* XXX SGI capability hack IRIX 6.x (x >= 0?) has something - called capabilities, that allow you to give away - permissions (such as chown) to specific processes. From 6.5 - this is default on, and the default capability set seems to - not always be the empty set. The problem is that the - runtime linker refuses to do just about anything if the - process has *any* capabilities set, so we have to remove - them here (unless otherwise instructed by /etc/capability). - In IRIX < 6.5, these functions was called sgi_cap_setproc, - etc, but we ignore this fact (it works anyway). 
*/ - { - struct user_cap *ucap = sgi_getcapabilitybyname(pwd->pw_name); - cap_t cap; - if(ucap == NULL) - cap = cap_from_text("all="); - else - cap = cap_from_text(ucap->ca_default); - if(cap == NULL) - err(1, "cap_from_text"); - if(cap_set_proc(cap) < 0) - err(1, "cap_set_proc"); - cap_free(cap); - free(ucap); - } -#endif - home_dir = pwd->pw_dir; - if (chdir(home_dir) < 0) { - fprintf(stderr, "No home directory \"%s\"!\n", pwd->pw_dir); - if (chdir("/")) - exit(0); - home_dir = "/"; - fprintf(stderr, "Logging in with home = \"/\".\n"); - } -#ifdef KRB5 - if (auth == AUTH_KRB5) { - krb5_start_session (pwd); - } -#ifdef KRB4 - else if (auth == 0) { - krb5_error_code ret; - krb5_ccache id; - - ret = krb5_cc_default (context, &id); - if (ret == 0) { - krb5_to4 (id); - krb5_cc_close (context, id); - } - } -#endif /* KRB4 */ - - krb5_get_afs_tokens (pwd); - - krb5_finish (); -#endif /* KRB5 */ - -#ifdef KRB4 - krb4_get_afs_tokens (pwd); -#endif /* KRB4 */ - - add_env("PATH", _PATH_DEFPATH); - - { - const char *str = login_conf_get_string("environment"); - char buf[MAXPATHLEN]; - - if(str == NULL) { - login_read_env(_PATH_ETC_ENVIRONMENT); - } else { - while(strsep_copy(&str, ",", buf, sizeof(buf)) != -1) { - if(buf[0] == '\0') - continue; - login_read_env(buf); - } - } - } - { - const char *str = login_conf_get_string("motd"); - char buf[MAXPATHLEN]; - - if(str != NULL) { - while(strsep_copy(&str, ",", buf, sizeof(buf)) != -1) { - if(buf[0] == '\0') - continue; - show_file(buf); - } - } else { - str = login_conf_get_string("welcome"); - if(str != NULL) - show_file(str); - } - } - add_env("HOME", home_dir); - add_env("USER", pwd->pw_name); - add_env("LOGNAME", pwd->pw_name); - add_env("SHELL", pwd->pw_shell); - exec_shell(pwd->pw_shell, rootlogin); -} - -static int -check_password(struct passwd *pwd, const char *password) -{ - if(pwd->pw_passwd == NULL) - return 1; - if(pwd->pw_passwd[0] == '\0'){ -#ifdef ALLOW_NULL_PASSWORD - return password[0] != '\0'; -#else - return 
1; -#endif - } - if(strcmp(pwd->pw_passwd, crypt(password, pwd->pw_passwd)) == 0) - return 0; -#ifdef KRB5 - if(krb5_verify(pwd, password) == 0) { - auth = AUTH_KRB5; - return 0; - } -#endif -#ifdef KRB4 - if (krb4_verify (pwd, password) == 0) { - auth = AUTH_KRB4; - return 0; - } -#endif -#ifdef OTP - if (otp_verify (pwd, password) == 0) { - auth = AUTH_OTP; - return 0; - } -#endif - return 1; -} - -static void -usage(int status) -{ - arg_printusage(args, nargs, NULL, "[username]"); - exit(status); -} - -static RETSIGTYPE -sig_handler(int sig) -{ - if (sig == SIGALRM) - fprintf(stderr, "Login timed out after %d seconds\n", - login_timeout); - else - fprintf(stderr, "Login received signal, exiting\n"); - exit(0); -} - -int -main(int argc, char **argv) -{ - int max_tries = 5; - int try; - - char username[32]; - int optind = 0; - - int ask = 1; - struct sigaction sa; - - setprogname(argv[0]); - -#ifdef KRB5 - { - krb5_error_code ret; - - ret = krb5_init_context(&context); - if (ret) - errx (1, "krb5_init_context failed: %d", ret); - } -#endif - - openlog("login", LOG_ODELAY, LOG_AUTH); - - if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv, - &optind)) - usage (1); - argc -= optind; - argv += optind; - - if(help_flag) - usage(0); - if (version_flag) { - print_version (NULL); - return 0; - } - - if (geteuid() != 0) - errx(1, "only root may use login, use su"); - - /* Default tty settings. */ - stty_default(); - - if(p_flag) - copy_env(); - else { - /* this set of variables is always preserved by BSD login */ - if(getenv("TERM")) - add_env("TERM", getenv("TERM")); - if(getenv("TZ")) - add_env("TZ", getenv("TZ")); - } - - if(*argv){ - if(strchr(*argv, '=') == NULL && strcmp(*argv, "-") != 0){ - strlcpy (username, *argv, sizeof(username)); - ask = 0; - } - } - -#if defined(DCE) && defined(AIX) - esetenv("AUTHSTATE", "DCE", 1); -#endif - - /* XXX should we care about environment on the command line? 
*/ - - memset(&sa, 0, sizeof(sa)); - sa.sa_handler = sig_handler; - sigemptyset(&sa.sa_mask); - sa.sa_flags = 0; - sigaction(SIGALRM, &sa, NULL); - alarm(login_timeout); - - for(try = 0; try < max_tries; try++){ - struct passwd *pwd; - char password[128]; - int ret; - char ttname[32]; - char *tty, *ttyn; - char prompt[128]; -#ifdef OTP - char otp_str[256]; -#endif - - if(ask){ - f_flag = 0; -#if 0 - r_flag = 0; -#endif - ret = read_string("login: ", username, sizeof(username), 1); - if(ret == -3) - exit(0); - if(ret == -2) - sig_handler(0); /* exit */ - } - pwd = k_getpwnam(username); -#ifdef ALLOW_NULL_PASSWORD - if (pwd != NULL && (pwd->pw_passwd[0] == '\0')) { - strcpy(password,""); - } - else -#endif - - { -#ifdef OTP - if(auth_level && strcmp(auth_level, "otp") == 0 && - otp_challenge(&otp_ctx, username, - otp_str, sizeof(otp_str)) == 0) - snprintf (prompt, sizeof(prompt), "%s's %s Password: ", - username, otp_str); - else -#endif - strncpy(prompt, "Password: ", sizeof(prompt)); - - if (f_flag == 0) { - ret = read_string(prompt, password, sizeof(password), 0); - if (ret == -3) { - ask = 1; - continue; - } - if (ret == -2) - sig_handler(0); - } - } - - if(pwd == NULL){ - fprintf(stderr, "Login incorrect.\n"); - ask = 1; - continue; - } - - if(f_flag == 0 && check_password(pwd, password)){ - fprintf(stderr, "Login incorrect.\n"); - ask = 1; - continue; - } - ttyn = ttyname(STDIN_FILENO); - if(ttyn == NULL){ - snprintf(ttname, sizeof(ttname), "%s??", _PATH_TTY); - ttyn = ttname; - } - if (strncmp (ttyn, _PATH_DEV, strlen(_PATH_DEV)) == 0) - tty = ttyn + strlen(_PATH_DEV); - else - tty = ttyn; - - if (login_access (pwd, remote_host ? remote_host : tty) == 0) { - fprintf(stderr, "Permission denied\n"); - if (remote_host) - syslog(LOG_NOTICE, "%s LOGIN REFUSED FROM %s", - pwd->pw_name, remote_host); - else - syslog(LOG_NOTICE, "%s LOGIN REFUSED ON %s", - pwd->pw_name, tty); - exit (1); - } - alarm(0); - do_login(pwd, tty, ttyn); - } - exit(1); -} 
diff --git a/crypto/heimdal-0.6.3/appl/login/login.cat1 b/crypto/heimdal-0.6.3/appl/login/login.cat1
deleted file mode 100644
index 21ca2a53d0..0000000000
--- a/crypto/heimdal-0.6.3/appl/login/login.cat1
+++ /dev/null
@@ -1,153 +0,0 @@ - -LOGIN(1) UNIX Reference Manual LOGIN(1) - -NNAAMMEE - llooggiinn - authenticate a user and start new session - -SSYYNNOOPPSSIISS - llooggiinn [--ffpp] [--aa _l_e_v_e_l] [--hh _h_o_s_t_n_a_m_e] _[_u_s_e_r_n_a_m_e_] - -DDEESSCCRRIIPPTTIIOONN - This manual page documents the llooggiinn program distributed with the Heim- - dal Kerberos 5 implementation, it may differ in important ways from your - system version. - - The llooggiinn programs logs users into the system. It is intended to be run - by system daemons like getty(8) or telnetd(8). If you are already logged - in, but want to change to another user, you should use su(1). - - A username can be given on the command line, else one will be prompted - for. - - A password is required to login, unless the --ff option is given (indicat- - ing that the calling program has already done proper authentication). - With --ff the user will be logged in without further questions. - - For password authentication Kerberos 5, Kerberos 4 (if compiled in), OTP - (if compiled in) and local (_/_e_t_c_/_p_a_s_s_w_d) passwords are supported. OTP - will be used if the the user is registered to use it, and llooggiinn is given - the option --aa otp. When using OTP, a challenge is shown to the user. - - Further options are: - - --aa _s_t_r_i_n_g - Which authentication mode to use, the only supported value is - currently ``otp''. - - --ff Indicates that the user is already authenticated. This happens, - for instance, when login is started by telnetd, and the user has - proved authentic via Kerberos. - - --hh _h_o_s_t_n_a_m_e - Indicates which host the user is logging in from. This is passed - from telnetd, and is entered into the login database. - - --pp This tells llooggiinn to preserve all environment variables. If not - given, only the TERM and TZ variables are preserved. 
It could be - a security risk to pass random variables to llooggiinn or the user - shell, so the calling daemon should make sure it only passes - ``safe'' variables. - - The process of logging user in proceeds as follows. - - First a check is made that logins are allowed at all. This usually means - checking _/_e_t_c_/_n_o_l_o_g_i_n. If it exists, and the user trying to login is not - root, the contents is printed, and then login exits. - - Then various system parameters are set up, like changing the owner of the - tty to the user, setting up signals, setting the group list, and user and - group id. Also various machine specific tasks are performed. - - Next llooggiinn changes to the users home directory, or if that fails, to _/. - The environment is setup, by adding some required variables (such as - PATH), and also authentication related ones (such as KRB5CCNAME). If an - environment file exists (_/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t), variables are set according - to it. - - If one or more login message files are configured, their contents is - printed to the terminal. - - If a login time command is configured, it is executed. A logout time com- - mand can also be configured, which makes llooggiinn fork, and wait for the us- - er shell to exit, and then run the command. This can be used to clean up - user credentials. - - Finally, the user's shell is executed. If the user logging in is root, - and root's login shell does not exist, a default shell (usually _/_b_i_n_/_s_h) - is also tried before giving up. 
- -EENNVVIIRROONNMMEENNTT - These environment variables are set by login (not including ones set by - _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t): - - PATH the default system path - HOME the user's home directory (or possibly _/) - USER, LOGNAME both set to the username - SHELL the user's shell - TERM, TZ set to whatever is passed to llooggiinn - KRB5CCNAME if the password is verified via Kerberos 5, this will - point to the credentials cache file - KRBTKFILE if the password is verified via Kerberos 4, this will - point to the ticket file - -FFIILLEESS - /etc/environment - Contains a set of environment variables that should be set in ad- - dition to the ones above. It should contain sh-style assignments - like ``VARIABLE=value''. Note that they are not parsed the way a - shell would. No variable expansion is performed, and all strings - are literal, and quotation marks should not be used. Everything - after a hash mark is considered a comment. The following are all - different (the last will set the variable BAR, not FOO). - - FOO=this is a string - FOO="this is a string" - BAR= FOO='this is a string' - /etc/login.access - See login.access(5). - /etc/login.conf - This is a termcap style configuration file, that contains various - settings used by llooggiinn. Currently only the ``default'' capability - record is used. The possible capability strings include: - - environment - This is a comma separated list of environment files that - are read in the order specified. If this is missing the - default _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t is used. - login_program - This program will be executed just before the user's - shell is started. It will be called without arguments. - logout_program - This program will be executed just after the user's shell - has terminated. It will be called without arguments. This - program will be the parent process of the spawned shell. - motd A comma separated list of text files that will be printed - to the user's terminal before starting the shell. 
The - string welcome works similarly, but points to a single - file. - /etc/nologin - If it exists, login is denied to all but root. The contents of - this file is printed before login exits. - - - Other llooggiinn programs typically print all sorts of information by default, - such as last time you logged in, if you have mail, and system message - files. This version of llooggiinn does not, so there is no reason for - _._h_u_s_h_l_o_g_i_n files or similar. We feel that these tasks are best left to - the user's shell, but the login_program facility allows for a shell inde- - pendent solution, if that is desired. - -EEXXAAMMPPLLEESS - A _l_o_g_i_n_._c_o_n_f file could look like: - - default:\ - :motd=/etc/motd,/etc/motd.local: - -SSEEEE AALLSSOO - su(1), login.access(5), getty(8), telnetd(8) - -AAUUTTHHOORRSS - This login program was written for the Heimdal Kerberos 5 implementation. - The login.access code was written by Wietse Venema. - - HEIMDAL March 24, 2003 3 diff --git a/crypto/heimdal-0.6.3/appl/login/login_access.c b/crypto/heimdal-0.6.3/appl/login/login_access.c deleted file mode 100644 index d6275fdfb4..0000000000 --- a/crypto/heimdal-0.6.3/appl/login/login_access.c +++ /dev/null 
@@ -1,277 +0,0 @@ -/************************************************************************ -* Copyright 1995 by Wietse Venema. All rights reserved. Some individual -* files may be covered by other copyrights. -* -* This material was originally written and compiled by Wietse Venema at -* Eindhoven University of Technology, The Netherlands, in 1990, 1991, -* 1992, 1993, 1994 and 1995. -* -* Redistribution and use in source and binary forms, with or without -* modification, are permitted provided that this entire copyright notice -* is duplicated in all such copies. -* -* This software is provided "as is" and without any expressed or implied -* warranties, including, without limitation, the implied warranties of -* merchantibility and fitness for any particular purpose. -************************************************************************/ - /* - * This module implements a simple but effective form of login access - * control based on login names and on host (or domain) names, internet - * addresses (or network numbers), or on terminal line names in case of - * non-networked logins. Diagnostics are reported through syslog(3). - * - * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. - */ - -#include "login_locl.h" - -RCSID("$Id: login_access.c,v 1.2 2001/06/04 14:09:45 assar Exp $"); - - /* Delimiters for fields and for lists of users, ttys or hosts. */ - -static char fs[] = ":"; /* field separator */ -static char sep[] = ", \t"; /* list-element separator */ - - /* Constants to be used in assignments only, not in comparisons... */ - -#define YES 1 -#define NO 0 - - /* - * A structure to bundle up all login-related information to keep the - * functional interfaces as generic as possible. 
- */ -struct login_info { - struct passwd *user; - char *from; -}; - -static int list_match(char *list, struct login_info *item, - int (*match_fn)(char *, struct login_info *)); -static int user_match(char *tok, struct login_info *item); -static int from_match(char *tok, struct login_info *item); -static int string_match(char *tok, char *string); - -/* login_access - match username/group and host/tty with access control file */ - -int login_access(struct passwd *user, char *from) -{ - struct login_info item; - FILE *fp; - char line[BUFSIZ]; - char *perm; /* becomes permission field */ - char *users; /* becomes list of login names */ - char *froms; /* becomes list of terminals or hosts */ - int match = NO; - int end; - int lineno = 0; /* for diagnostics */ - char *foo; - - /* - * Bundle up the arguments to avoid unnecessary clumsiness lateron. - */ - item.user = user; - item.from = from; - - /* - * Process the table one line at a time and stop at the first match. - * Blank lines and lines that begin with a '#' character are ignored. - * Non-comment lines are broken at the ':' character. All fields are - * mandatory. The first field should be a "+" or "-" character. A - * non-existing table means no access control. 
- */ - - if ((fp = fopen(_PATH_LOGACCESS, "r")) != 0) { - while (!match && fgets(line, sizeof(line), fp)) { - lineno++; - if (line[end = strlen(line) - 1] != '\n') { - syslog(LOG_ERR, "%s: line %d: missing newline or line too long", - _PATH_LOGACCESS, lineno); - continue; - } - if (line[0] == '#') - continue; /* comment line */ - while (end > 0 && isspace((unsigned char)line[end - 1])) - end--; - line[end] = 0; /* strip trailing whitespace */ - if (line[0] == 0) /* skip blank lines */ - continue; - foo = NULL; - if (!(perm = strtok_r(line, fs, &foo)) - || !(users = strtok_r(NULL, fs, &foo)) - || !(froms = strtok_r(NULL, fs, &foo)) - || strtok_r(NULL, fs, &foo)) { - syslog(LOG_ERR, "%s: line %d: bad field count", - _PATH_LOGACCESS, - lineno); - continue; - } - if (perm[0] != '+' && perm[0] != '-') { - syslog(LOG_ERR, "%s: line %d: bad first field", - _PATH_LOGACCESS, - lineno); - continue; - } - match = (list_match(froms, &item, from_match) - && list_match(users, &item, user_match)); - } - fclose(fp); - } else if (errno != ENOENT) { - syslog(LOG_ERR, "cannot open %s: %m", _PATH_LOGACCESS); - } - return (match == 0 || (line[0] == '+')); -} - -/* list_match - match an item against a list of tokens with exceptions */ - -static int -list_match(char *list, - struct login_info *item, - int (*match_fn)(char *, struct login_info *)) -{ - char *tok; - int match = NO; - char *foo = NULL; - - /* - * Process tokens one at a time. We have exhausted all possible matches - * when we reach an "EXCEPT" token or the end of the list. If we do find - * a match, look for an "EXCEPT" list and recurse to determine whether - * the match is affected by any exceptions. - */ - - for (tok = strtok_r(list, sep, &foo); - tok != NULL; - tok = strtok_r(NULL, sep, &foo)) { - if (strcasecmp(tok, "EXCEPT") == 0) /* EXCEPT: give up */ - break; - if ((match = (*match_fn) (tok, item)) != 0) /* YES */ - break; - } - /* Process exceptions to matches. 
*/ - - if (match != NO) { - while ((tok = strtok_r(NULL, sep, &foo)) && strcasecmp(tok, "EXCEPT")) - /* VOID */ ; - if (tok == 0 || list_match(NULL, item, match_fn) == NO) - return (match); - } - return (NO); -} - -/* myhostname - figure out local machine name */ - -static char *myhostname(void) -{ - static char name[MAXHOSTNAMELEN + 1] = ""; - - if (name[0] == 0) { - gethostname(name, sizeof(name)); - name[MAXHOSTNAMELEN] = 0; - } - return (name); -} - -/* netgroup_match - match group against machine or user */ - -static int netgroup_match(char *group, char *machine, char *user) -{ -#ifdef HAVE_YP_GET_DEFAULT_DOMAIN - static char *mydomain = 0; - - if (mydomain == 0) - yp_get_default_domain(&mydomain); - return (innetgr(group, machine, user, mydomain)); -#else - syslog(LOG_ERR, "NIS netgroup support not configured"); - return 0; -#endif -} - -/* user_match - match a username against one token */ - -static int user_match(char *tok, struct login_info *item) -{ - char *string = item->user->pw_name; - struct login_info fake_item; - struct group *group; - int i; - char *at; - - /* - * If a token has the magic value "ALL" the match always succeeds. - * Otherwise, return YES if the token fully matches the username, if the - * token is a group that contains the username, or if the token is the - * name of the user's primary group. 
- */ - - if ((at = strchr(tok + 1, '@')) != 0) { /* split user@host pattern */ - *at = 0; - fake_item.from = myhostname(); - return (user_match(tok, item) && from_match(at + 1, &fake_item)); - } else if (tok[0] == '@') { /* netgroup */ - return (netgroup_match(tok + 1, (char *) 0, string)); - } else if (string_match(tok, string)) { /* ALL or exact match */ - return (YES); - } else if ((group = getgrnam(tok)) != 0) { /* try group membership */ - if (item->user->pw_gid == group->gr_gid) - return (YES); - for (i = 0; group->gr_mem[i]; i++) - if (strcasecmp(string, group->gr_mem[i]) == 0) - return (YES); - } - return (NO); -} - -/* from_match - match a host or tty against a list of tokens */ - -static int from_match(char *tok, struct login_info *item) -{ - char *string = item->from; - int tok_len; - int str_len; - - /* - * If a token has the magic value "ALL" the match always succeeds. Return - * YES if the token fully matches the string. If the token is a domain - * name, return YES if it matches the last fields of the string. If the - * token has the magic value "LOCAL", return YES if the string does not - * contain a "." character. If the token is a network number, return YES - * if it matches the head of the string. - */ - - if (tok[0] == '@') { /* netgroup */ - return (netgroup_match(tok + 1, string, (char *) 0)); - } else if (string_match(tok, string)) { /* ALL or exact match */ - return (YES); - } else if (tok[0] == '.') { /* domain: match last fields */ - if ((str_len = strlen(string)) > (tok_len = strlen(tok)) - && strcasecmp(tok, string + str_len - tok_len) == 0) - return (YES); - } else if (strcasecmp(tok, "LOCAL") == 0) { /* local: no dots */ - if (strchr(string, '.') == 0) - return (YES); - } else if (tok[(tok_len = strlen(tok)) - 1] == '.' 
/* network */ - && strncmp(tok, string, tok_len) == 0) { - return (YES); - } - return (NO); -} - -/* string_match - match a string against one token */ - -static int string_match(char *tok, char *string) -{ - - /* - * If the token has the magic value "ALL" the match always succeeds. - * Otherwise, return YES if the token fully matches the string. - */ - - if (strcasecmp(tok, "ALL") == 0) { /* all: always matches */ - return (YES); - } else if (strcasecmp(tok, string) == 0) { /* try exact match */ - return (YES); - } - return (NO); -} diff --git a/crypto/heimdal-0.6.3/appl/login/login_locl.h b/crypto/heimdal-0.6.3/appl/login/login_locl.h deleted file mode 100644 index cc1d92021e..0000000000 --- a/crypto/heimdal-0.6.3/appl/login/login_locl.h +++ /dev/null 
@@ -1,155 +0,0 @@
-/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: login_locl.h,v 1.24 2002/08/12 15:09:15 joda Exp $ */
-
-#ifndef __LOGIN_LOCL_H__
-#define __LOGIN_LOCL_H__
-
-#ifdef HAVE_CONFIG_H
-#include
-#endif
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#ifdef HAVE_NETDB_H
-#include
-#endif
-#ifdef HAVE_PATHS_H
-#include
-#endif
-#ifdef HAVE_UTMP_H
-#include
-#endif
-#ifdef HAVE_UTMPX_H
-#include
-#endif
-#ifdef HAVE_UDB_H
-#include
-#endif
-#ifdef HAVE_SYS_RESOURCE_H
-#include
-#endif
-#ifdef HAVE_SYS_CATEGORY_H
-#include
-#endif
-#ifdef HAVE_SYS_WAIT_H
-#include
-#endif
-#ifdef HAVE_SHADOW_H
-#include
-#endif
-#ifdef HAVE_NETGROUP_H
-#include
-#endif
-#ifdef HAVE_RPCSVC_YPCLNT_H
-#include
-#endif
-#ifdef KRB4
-#include
-#endif
-#ifdef KRB5
-#include
-#endif
-#include
-
-#ifdef OTP
-#include
-#endif
-
-#ifdef HAVE_OSFC2
-#define getargs OSFgetargs
-#include "/usr/include/prot.h"
-#undef getargs
-#endif
-
-#ifndef _PATH_BSHELL
-#define _PATH_BSHELL "/bin/sh"
-#endif
-#ifndef _PATH_TTY
-#define _PATH_TTY "/dev/tty"
-#endif
-#ifndef _PATH_DEV
-#define _PATH_DEV "/dev/"
-#endif
-#ifndef _PATH_NOLOGIN
-#define _PATH_NOLOGIN "/etc/nologin"
-#endif
-#ifndef _PATH_WTMP
-#ifdef WTMP_FILE
-#define _PATH_WTMP WTMP_FILE
-#else
-#define _PATH_WTMP "/var/adm/wtmp"
-#endif
-#endif
-#ifndef _PATH_UTMP
-#ifdef UTMP_FILE
-#define _PATH_UTMP UTMP_FILE
-#else
-#define _PATH_UTMP "/var/adm/utmp"
-#endif
-#endif
-
-#ifndef _PATH_LOGACCESS
-#define _PATH_LOGACCESS SYSCONFDIR "/login.access"
-#endif /* _PATH_LOGACCESS */
-
-#ifndef _PATH_LOGIN_CONF
-#define _PATH_LOGIN_CONF SYSCONFDIR "/login.conf"
-#endif /* _PATH_LOGIN_CONF */
-
-#ifndef _PATH_ETC_ENVIRONMENT
-#define _PATH_ETC_ENVIRONMENT SYSCONFDIR "/environment"
-#endif
-
-#ifndef _PATH_DEFPATH
-#define _PATH_DEFPATH "/usr/bin:/bin"
-#endif
-
-struct spwd;
-
-extern char **env;
-extern int num_env;
-
-#include "login_protos.h"
-
-#endif /* __LOGIN_LOCL_H__ */
diff --git a/crypto/heimdal-0.6.3/appl/login/login_protos.h b/crypto/heimdal-0.6.3/appl/login/login_protos.h
deleted file mode 100644
index 48b8101c23..0000000000
--- a/crypto/heimdal-0.6.3/appl/login/login_protos.h
+++ /dev/null
@@ -1,78 +0,0 @@
-/* This is a generated file */
-#ifndef __login_protos_h__
-#define __login_protos_h__
-
-#include
-
-void
-add_env (
- const char */*var*/,
- const char */*value*/);
-
-void
-check_shadow (
- const struct passwd */*pw*/,
- const struct spwd */*sp*/);
-
-char *
-clean_ttyname (char */*tty*/);
-
-void
-copy_env (void);
-
-int
-do_osfc2_magic (uid_t /*uid*/);
-
-void
-extend_env (char */*str*/);
-
-int
-login_access (
- struct passwd */*user*/,
- char */*from*/);
-
-char *
-login_conf_get_string (const char */*str*/);
-
-int
-login_read_env (const char */*file*/);
-
-char *
-make_id (char */*tty*/);
-
-void
-prepare_utmp (
- struct utmp */*utmp*/,
- char */*tty*/,
- const char */*username*/,
- const char */*hostname*/);
-
-int
-read_string (
- const char */*prompt*/,
- char */*buf*/,
- size_t /*len*/,
- int /*echo*/);
-
-void
-shrink_hostname (
- const char */*hostname*/,
- char */*dst*/,
- size_t /*dst_sz*/);
-
-void
-stty_default (void);
-
-void
-utmp_login (
- char */*tty*/,
- const char */*username*/,
- const char */*hostname*/);
-
-int
-utmpx_login (
- char */*line*/,
- const char */*user*/,
- const char */*host*/);
-
-#endif /* __login_protos_h__ */
diff --git a/crypto/heimdal-0.6.3/appl/login/osfc2.c b/crypto/heimdal-0.6.3/appl/login/osfc2.c
deleted file mode 100644
index 056484c413..0000000000
--- a/crypto/heimdal-0.6.3/appl/login/osfc2.c
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * Copyright (c) 1998 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "login_locl.h"
-RCSID("$Id: osfc2.c,v 1.4 2001/02/20 01:44:46 assar Exp $");
-
-int
-do_osfc2_magic(uid_t uid)
-{
-#ifdef HAVE_OSFC2
- struct es_passwd *epw;
- char *argv[2];
-
- /* fake */
- argv[0] = (char*)getprogname();
- argv[1] = NULL;
- set_auth_parameters(1, argv);
-
- epw = getespwuid(uid);
- if(epw == NULL) {
- syslog(LOG_AUTHPRIV|LOG_NOTICE,
- "getespwuid failed for %d", uid);
- printf("Sorry.\n");
- return 1;
- }
- /* We don't check for auto-retired, foo-retired,
- bar-retired, or any other kind of retired accounts
- here; neither do we check for time-locked accounts, or
- any other kind of serious C2 mumbo-jumbo. We do,
- however, call setluid, since failing to do so is not
- very good (take my word for it). */
-
- if(!epw->uflg->fg_uid) {
- syslog(LOG_AUTHPRIV|LOG_NOTICE,
- "attempted login by %s (has no uid)", epw->ufld->fd_name);
- printf("Sorry.\n");
- return 1;
- }
- setluid(epw->ufld->fd_uid);
- if(getluid() != epw->ufld->fd_uid) {
- syslog(LOG_AUTHPRIV|LOG_NOTICE,
- "failed to set LUID for %s (%d)",
- epw->ufld->fd_name, epw->ufld->fd_uid);
- printf("Sorry.\n");
- return 1;
- }
-#endif /* HAVE_OSFC2 */
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/appl/login/read_string.c b/crypto/heimdal-0.6.3/appl/login/read_string.c
deleted file mode 100644
index f3cee14368..0000000000
--- a/crypto/heimdal-0.6.3/appl/login/read_string.c
+++ /dev/null
@@ -1,127 +0,0 @@ -/* - * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "login_locl.h" - -RCSID("$Id: read_string.c,v 1.4 2000/06/21 02:09:36 assar Exp $"); - -static sig_atomic_t intr_flag; - -static void -intr(int sig) -{ - intr_flag++; -} - -int -read_string(const char *prompt, char *buf, size_t len, int echo) -{ - struct sigaction sigs[47]; - struct sigaction sa; - FILE *tty; - int ret = 0; - int of = 0; - int i; - int c; - char *p; - - struct termios t_new, t_old; - - memset(&sa, 0, sizeof(sa)); - sa.sa_handler = intr; - sigemptyset(&sa.sa_mask); - sa.sa_flags = 0; - for(i = 0; i < sizeof(sigs) / sizeof(sigs[0]); i++) - if (i != SIGALRM) sigaction(i, &sa, &sigs[i]); - - if((tty = fopen("/dev/tty", "r")) == NULL) - tty = stdin; - - fprintf(stderr, "%s", prompt); - fflush(stderr); - - if(echo == 0){ - tcgetattr(fileno(tty), &t_old); - memcpy(&t_new, &t_old, sizeof(t_new)); - t_new.c_lflag &= ~ECHO; - tcsetattr(fileno(tty), TCSANOW, &t_new); - } - intr_flag = 0; - p = buf; - while(intr_flag == 0){ - c = getc(tty); - if(c == EOF){ - if(!ferror(tty)) - ret = 1; - break; - } - if(c == '\n') - break; - if(of == 0) - *p++ = c; - of = (p == buf + len); - } - if(of) - p--; - *p = 0; - - if(echo == 0){ - printf("\n"); - tcsetattr(fileno(tty), TCSANOW, &t_old); - } - - if(tty != stdin) - fclose(tty); - - for(i = 0; i < sizeof(sigs) / sizeof(sigs[0]); i++) - if (i != SIGALRM) sigaction(i, &sigs[i], NULL); - - if(ret) - return -3; - if(intr_flag) - return -2; - if(of) - return -1; - return 0; -} - - -#if 0 -int main() -{ - char s[128]; - int ret; - ret = read_string("foo: ", s, sizeof(s), 0); - printf("%d ->%s<-\n", ret, s); -} -#endif diff --git a/crypto/heimdal-0.6.3/appl/login/shadow.c b/crypto/heimdal-0.6.3/appl/login/shadow.c deleted file mode 100644 index 0923831c34..0000000000 --- a/crypto/heimdal-0.6.3/appl/login/shadow.c +++ /dev/null 
@@ -1,95 +0,0 @@ -/* - * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "login_locl.h" - -RCSID("$Id: shadow.c,v 1.5 1999/12/02 17:04:56 joda Exp $"); - -#ifdef HAVE_SHADOW_H - -#ifndef _PATH_CHPASS -#define _PATH_CHPASS "/usr/bin/passwd" -#endif - -static int -change_passwd(const struct passwd *who) -{ - int status; - pid_t pid; - - switch (pid = fork()) { - case -1: - printf("fork /bin/passwd"); - exit(1); - case 0: - execlp(_PATH_CHPASS, "passwd", who->pw_name, (char *) 0); - exit(1); - default: - waitpid(pid, &status, 0); - return (status); - } -} - -void -check_shadow(const struct passwd *pw, const struct spwd *sp) -{ - long today; - - today = time(0)/(24L * 60 * 60); - - if (sp == NULL) - return; - - if (sp->sp_expire > 0) { - if (today >= sp->sp_expire) { - printf("Your account has expired.\n"); - sleep(1); - exit(0); - } else if (sp->sp_expire - today < 14) { - printf("Your account will expire in %d days.\n", - (int)(sp->sp_expire - today)); - } - } - - if (sp->sp_max > 0) { - if (today >= (sp->sp_lstchg + sp->sp_max)) { - printf("Your password has expired. Choose a new one.\n"); - change_passwd(pw); - } else if (sp->sp_warn > 0 - && (today > (sp->sp_lstchg + sp->sp_max - sp->sp_warn))) { - printf("Your password will expire in %d days.\n", - (int)(sp->sp_lstchg + sp->sp_max - today)); - } - } -} -#endif /* HAVE_SHADOW_H */ diff --git a/crypto/heimdal-0.6.3/appl/login/stty_default.c b/crypto/heimdal-0.6.3/appl/login/stty_default.c deleted file mode 100644 index 5e38566295..0000000000 --- a/crypto/heimdal-0.6.3/appl/login/stty_default.c +++ /dev/null 
@@ -1,100 +0,0 @@ -/* - * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "login_locl.h" - -RCSID("$Id: stty_default.c,v 1.8 1999/12/02 17:04:56 joda Exp $"); - -#include - -/* HP-UX 9.0 termios doesn't define these */ -#ifndef FLUSHO -#define FLUSHO 0 -#endif - -#ifndef XTABS -#define XTABS 0 -#endif - -#ifndef OXTABS -#define OXTABS XTABS -#endif - -/* Ultrix... 
*/ -#ifndef ECHOPRT -#define ECHOPRT 0 -#endif - -#ifndef ECHOCTL -#define ECHOCTL 0 -#endif - -#ifndef ECHOKE -#define ECHOKE 0 -#endif - -#ifndef IMAXBEL -#define IMAXBEL 0 -#endif - -#define Ctl(x) ((x) ^ 0100) - -void -stty_default(void) -{ - struct termios termios; - - /* - * Finalize the terminal settings. Some systems default to 8 bits, - * others to 7, so we should leave that alone. - */ - tcgetattr(0, &termios); - - termios.c_iflag |= (BRKINT|IGNPAR|ICRNL|IXON|IMAXBEL); - termios.c_iflag &= ~IXANY; - - termios.c_lflag |= (ISIG|IEXTEN|ICANON|ECHO|ECHOE|ECHOK|ECHOCTL|ECHOKE); - termios.c_lflag &= ~(ECHOPRT|TOSTOP|FLUSHO); - - termios.c_oflag |= (OPOST|ONLCR); - termios.c_oflag &= ~OXTABS; - - termios.c_cc[VINTR] = Ctl('C'); - termios.c_cc[VERASE] = Ctl('H'); - termios.c_cc[VKILL] = Ctl('U'); - termios.c_cc[VEOF] = Ctl('D'); - - termios.c_cc[VSUSP] = Ctl('Z'); - - tcsetattr(0, TCSANOW, &termios); -} diff --git a/crypto/heimdal-0.6.3/appl/login/tty.c b/crypto/heimdal-0.6.3/appl/login/tty.c deleted file mode 100644 index 0ffea7249f..0000000000 --- a/crypto/heimdal-0.6.3/appl/login/tty.c +++ /dev/null 
@@ -1,70 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "login_locl.h"
-
-RCSID("$Id: tty.c,v 1.4 1999/12/02 17:04:56 joda Exp $");
-
-/*
- * Clean the tty name. Return a pointer to the cleaned version.
- */
-
-char *
-clean_ttyname (char *tty)
-{
- char *res = tty;
-
- if (strncmp (res, _PATH_DEV, strlen(_PATH_DEV)) == 0)
- res += strlen(_PATH_DEV);
- if (strncmp (res, "pty/", 4) == 0)
- res += 4;
- if (strncmp (res, "ptym/", 5) == 0)
- res += 5;
- return res;
-}
-
-/*
- * Generate a name usable as an `ut_id', typically without `tty'.
- */
-
-char *
-make_id (char *tty)
-{
- char *res = tty;
-
- if (strncmp (res, "pts/", 4) == 0)
- res += 4;
- if (strncmp (res, "tty", 3) == 0)
- res += 3;
- return res;
-}
diff --git a/crypto/heimdal-0.6.3/appl/login/utmp_login.c b/crypto/heimdal-0.6.3/appl/login/utmp_login.c
deleted file mode 100644
index 0be6cdb19f..0000000000
--- a/crypto/heimdal-0.6.3/appl/login/utmp_login.c
+++ /dev/null
@@ -1,162 +0,0 @@ -/* - * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "login_locl.h" - -RCSID("$Id: utmp_login.c,v 1.18 2001/02/08 16:08:26 assar Exp $"); - -/* try to put something useful from hostname into dst, dst_sz: - * full name, first component or address */ - -void -shrink_hostname (const char *hostname, - char *dst, size_t dst_sz) -{ - char local_hostname[MaxHostNameLen]; - char *ld, *hd; - int ret; - struct addrinfo *ai; - - if (strlen(hostname) < dst_sz) { - strlcpy (dst, hostname, dst_sz); - return; - } - gethostname (local_hostname, sizeof(local_hostname)); - hd = strchr (hostname, '.'); - ld = strchr (local_hostname, '.'); - if (hd != NULL && ld != NULL && strcmp(hd, ld) == 0 - && hd - hostname < dst_sz) { - strlcpy (dst, hostname, dst_sz); - dst[hd - hostname] = '\0'; - return; - } - - ret = getaddrinfo (hostname, NULL, NULL, &ai); - if (ret) { - strncpy (dst, hostname, dst_sz); - return; - } - ret = getnameinfo (ai->ai_addr, ai->ai_addrlen, - dst, dst_sz, - NULL, 0, - NI_NUMERICHOST); - freeaddrinfo (ai); - if (ret) { - strncpy (dst, hostname, dst_sz); - return; - } -} - -void -prepare_utmp (struct utmp *utmp, char *tty, - const char *username, const char *hostname) -{ - char *ttyx = clean_ttyname (tty); - - memset(utmp, 0, sizeof(*utmp)); - utmp->ut_time = time(NULL); - strncpy(utmp->ut_line, ttyx, sizeof(utmp->ut_line)); - strncpy(utmp->ut_name, username, sizeof(utmp->ut_name)); - -# ifdef HAVE_STRUCT_UTMP_UT_USER - strncpy(utmp->ut_user, username, sizeof(utmp->ut_user)); -# endif - -# ifdef HAVE_STRUCT_UTMP_UT_ADDR - if (hostname[0]) { - struct hostent *he; - if ((he = gethostbyname(hostname))) - memcpy(&utmp->ut_addr, he->h_addr_list[0], - sizeof(utmp->ut_addr)); - } -# endif - -# ifdef HAVE_STRUCT_UTMP_UT_HOST - shrink_hostname (hostname, utmp->ut_host, sizeof(utmp->ut_host)); -# endif - -# ifdef HAVE_STRUCT_UTMP_UT_TYPE - utmp->ut_type = USER_PROCESS; -# endif - -# ifdef HAVE_STRUCT_UTMP_UT_PID - utmp->ut_pid = getpid(); -# endif - -# ifdef HAVE_STRUCT_UTMP_UT_ID - strncpy(utmp->ut_id, 
make_id(ttyx), sizeof(utmp->ut_id)); -# endif -} - -#ifdef HAVE_UTMPX_H -void utmp_login(char *tty, const char *username, const char *hostname) -{ - return; -} -#else - -/* update utmp and wtmp - the BSD way */ - -void utmp_login(char *tty, const char *username, const char *hostname) -{ - struct utmp utmp; - int fd; - - prepare_utmp (&utmp, tty, username, hostname); - -#ifdef HAVE_SETUTENT - utmpname(_PATH_UTMP); - setutent(); - pututline(&utmp); - endutent(); -#else - -#ifdef HAVE_TTYSLOT - { - int ttyno; - ttyno = ttyslot(); - if (ttyno > 0 && (fd = open(_PATH_UTMP, O_WRONLY, 0)) >= 0) { - lseek(fd, (long)(ttyno * sizeof(struct utmp)), SEEK_SET); - write(fd, &utmp, sizeof(struct utmp)); - close(fd); - } - } -#endif /* HAVE_TTYSLOT */ -#endif /* HAVE_SETUTENT */ - - if ((fd = open(_PATH_WTMP, O_WRONLY|O_APPEND, 0)) >= 0) { - write(fd, &utmp, sizeof(struct utmp)); - close(fd); - } -} -#endif /* !HAVE_UTMPX_H */ diff --git a/crypto/heimdal-0.6.3/appl/login/utmpx_login.c b/crypto/heimdal-0.6.3/appl/login/utmpx_login.c deleted file mode 100644 index b6e5fcf1c0..0000000000 --- a/crypto/heimdal-0.6.3/appl/login/utmpx_login.c +++ /dev/null 
@@ -1,105 +0,0 @@ -/************************************************************************ -* Copyright 1995 by Wietse Venema. All rights reserved. Some individual -* files may be covered by other copyrights. -* -* This material was originally written and compiled by Wietse Venema at -* Eindhoven University of Technology, The Netherlands, in 1990, 1991, -* 1992, 1993, 1994 and 1995. -* -* Redistribution and use in source and binary forms, with or without -* modification, are permitted provided that this entire copyright notice -* is duplicated in all such copies. -* -* This software is provided "as is" and without any expressed or implied -* warranties, including, without limitation, the implied warranties of -* merchantibility and fitness for any particular purpose. -************************************************************************/ -/* Author: Wietse Venema */ - -#include "login_locl.h" - -RCSID("$Id: utmpx_login.c,v 1.26 2001/06/04 14:10:19 assar Exp $"); - -/* utmpx_login - update utmp and wtmp after login */ - -#ifndef HAVE_UTMPX_H -int utmpx_login(char *line, const char *user, const char *host) { return 0; } -#else - -static void -utmpx_update(struct utmpx *ut, char *line, const char *user, const char *host) -{ - struct timeval tmp; - char *clean_tty = clean_ttyname(line); - - strncpy(ut->ut_line, clean_tty, sizeof(ut->ut_line)); -#ifdef HAVE_STRUCT_UTMPX_UT_ID - strncpy(ut->ut_id, make_id(clean_tty), sizeof(ut->ut_id)); -#endif - strncpy(ut->ut_user, user, sizeof(ut->ut_user)); - shrink_hostname (host, ut->ut_host, sizeof(ut->ut_host)); -#ifdef HAVE_STRUCT_UTMPX_UT_SYSLEN - ut->ut_syslen = strlen(host) + 1; - if (ut->ut_syslen > sizeof(ut->ut_host)) - ut->ut_syslen = sizeof(ut->ut_host); -#endif - ut->ut_type = USER_PROCESS; - gettimeofday (&tmp, 0); - ut->ut_tv.tv_sec = tmp.tv_sec; - ut->ut_tv.tv_usec = tmp.tv_usec; - pututxline(ut); -#ifdef WTMPX_FILE - updwtmpx(WTMPX_FILE, ut); -#elif defined(WTMP_FILE) - { - struct utmp utmp; - int fd; - - 
prepare_utmp (&utmp, line, user, host); - if ((fd = open(_PATH_WTMP, O_WRONLY|O_APPEND, 0)) >= 0) { - write(fd, &utmp, sizeof(struct utmp)); - close(fd); - } - } -#endif -} - -int -utmpx_login(char *line, const char *user, const char *host) -{ - struct utmpx *ut, save_ut; - pid_t mypid = getpid(); - int ret = (-1); - - /* - * SYSV4 ttymon and login use tty port names with the "/dev/" prefix - * stripped off. Rlogind and telnetd, on the other hand, make utmpx - * entries with device names like /dev/pts/nnn. We therefore cannot use - * getutxline(). Return nonzero if no utmp entry was found with our own - * process ID for a login or user process. - */ - - while ((ut = getutxent())) { - /* Try to find a reusable entry */ - if (ut->ut_pid == mypid - && ( ut->ut_type == INIT_PROCESS - || ut->ut_type == LOGIN_PROCESS - || ut->ut_type == USER_PROCESS)) { - save_ut = *ut; - utmpx_update(&save_ut, line, user, host); - ret = 0; - break; - } - } - if (ret == -1) { - /* Grow utmpx file by one record. */ - struct utmpx newut; - memset(&newut, 0, sizeof(newut)); - newut.ut_pid = mypid; - utmpx_update(&newut, line, user, host); - ret = 0; - } - endutxent(); - return (ret); -} -#endif /* HAVE_UTMPX_H */ diff --git a/crypto/heimdal-0.6.3/appl/otp/ChangeLog b/crypto/heimdal-0.6.3/appl/otp/ChangeLog deleted file mode 100644 index 760c9c4cc6..0000000000 --- a/crypto/heimdal-0.6.3/appl/otp/ChangeLog +++ /dev/null 
@@ -1,44 +0,0 @@ -2003-02-25 Love Hörquist Åstrand - - * otp.c: remove \n from errx, from NetBSD - -2000-11-29 Johan Danielsson - - * otpprint.1: sort parameters and close a list - - * otp.1: sort parameters and close a list - -1999-09-14 Assar Westerlund - - * otp.c (verify_user_otp): check return value from - des_read_pw_string - -Thu Apr 1 16:51:07 1999 Johan Danielsson - - * otpprint.c: use getarg - - * otp.c: use getarg - -Thu Mar 18 12:08:58 1999 Johan Danielsson - - * Makefile.am: include Makefile.am.common - -Thu Mar 4 19:45:40 1999 Johan Danielsson - - * Makefile.am: DESTDIR - -Sat Feb 27 19:44:25 1999 Johan Danielsson - - * Makefile.am: add - -Sun Nov 22 10:32:50 1998 Assar Westerlund - - * otpprint.c: more braces - - * Makefile.in (WFLAGS): set - -Sun Dec 21 09:31:30 1997 Assar Westerlund - - * otp.c (renew): don't set the OTP if the reading of the string - fails. - diff --git a/crypto/heimdal-0.6.3/appl/otp/Makefile.am b/crypto/heimdal-0.6.3/appl/otp/Makefile.am deleted file mode 100644 index 16e1c0c4e8..0000000000 --- a/crypto/heimdal-0.6.3/appl/otp/Makefile.am +++ /dev/null @@ -1,15 +0,0 @@ -# $Id: Makefile.am,v 1.11 2001/08/28 08:31:21 assar Exp $ - -include $(top_srcdir)/Makefile.am.common - -INCLUDES += $(INCLUDE_des) - -bin_PROGRAMS = otp otpprint -bin_SUIDS = otp -otp_SOURCES = otp.c otp_locl.h -otpprint_SOURCES = otpprint.c otp_locl.h - -man_MANS = otp.1 otpprint.1 - -LDADD = \ - $(top_builddir)/lib/otp/libotp.la diff --git a/crypto/heimdal-0.6.3/appl/otp/Makefile.in b/crypto/heimdal-0.6.3/appl/otp/Makefile.in deleted file mode 100644 index ff739bbebc..0000000000 --- a/crypto/heimdal-0.6.3/appl/otp/Makefile.in +++ /dev/null 
@@ -1,816 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.11 2001/08/28 08:31:21 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - -SOURCES = $(otp_SOURCES) $(otpprint_SOURCES) - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../.. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ - $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common ChangeLog -bin_PROGRAMS = otp$(EXEEXT) otpprint$(EXEEXT) -subdir = appl/otp -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - 
$(top_srcdir)/cf/krb-struct-spwd.m4 \ - $(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)" -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -PROGRAMS = $(bin_PROGRAMS) -am_otp_OBJECTS = otp.$(OBJEXT) -otp_OBJECTS = $(am_otp_OBJECTS) -otp_LDADD = $(LDADD) -otp_DEPENDENCIES = $(top_builddir)/lib/otp/libotp.la -am_otpprint_OBJECTS = otpprint.$(OBJEXT) -otpprint_OBJECTS = $(am_otpprint_OBJECTS) -otpprint_LDADD = $(LDADD) -otpprint_DEPENDENCIES = $(top_builddir)/lib/otp/libotp.la -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -SOURCES = $(otp_SOURCES) $(otpprint_SOURCES) -DIST_SOURCES = $(otp_SOURCES) $(otpprint_SOURCES) -man1dir = $(mandir)/man1 -MANS = $(man_MANS) -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ 
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = 
@LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = 
@do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_des) -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -bin_SUIDS = otp -otp_SOURCES = otp.c 
otp_locl.h -otpprint_SOURCES = otpprint.c otp_locl.h -man_MANS = otp.1 otpprint.1 -LDADD = \ - $(top_builddir)/lib/otp/libotp.la - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps appl/otp/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps appl/otp/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -install-binPROGRAMS: $(bin_PROGRAMS) - @$(NORMAL_INSTALL) - test -z "$(bindir)" || $(mkdir_p) "$(DESTDIR)$(bindir)" - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(bindir)/$$f'"; \ - $(INSTALL_PROGRAM_ENV) 
$(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(bindir)/$$f" || exit 1; \ - else :; fi; \ - done - -uninstall-binPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f '$(DESTDIR)$(bindir)/$$f'"; \ - rm -f "$(DESTDIR)$(bindir)/$$f"; \ - done - -clean-binPROGRAMS: - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -otp$(EXEEXT): $(otp_OBJECTS) $(otp_DEPENDENCIES) - @rm -f otp$(EXEEXT) - $(LINK) $(otp_LDFLAGS) $(otp_OBJECTS) $(otp_LDADD) $(LIBS) -otpprint$(EXEEXT): $(otpprint_OBJECTS) $(otpprint_DEPENDENCIES) - @rm -f otpprint$(EXEEXT) - $(LINK) $(otpprint_LDFLAGS) $(otpprint_OBJECTS) $(otpprint_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c $< - -.c.obj: - $(COMPILE) -c `$(CYGPATH_W) '$<'` - -.c.lo: - $(LTCOMPILE) -c -o $@ $< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -install-man1: $(man1_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - test -z "$(man1dir)" || $(mkdir_p) "$(DESTDIR)$(man1dir)" - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 1*) ;; \ - *) ext='1' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man1dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man1dir)/$$inst"; \ - 
done -uninstall-man1: - @$(NORMAL_UNINSTALL) - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 1*) ;; \ - *) ext='1' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f '$(DESTDIR)$(man1dir)/$$inst'"; \ - rm -f "$(DESTDIR)$(man1dir)/$$inst"; \ - done - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) 
$$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/../.. $(distdir)/../../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) $(MANS) all-local -installdirs: - for dir in "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - 
-maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: install-man - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: install-binPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man1 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-binPROGRAMS uninstall-info-am uninstall-man - -uninstall-man: uninstall-man1 - -.PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \ - clean clean-binPROGRAMS clean-generic clean-libtool ctags \ - distclean distclean-compile distclean-generic \ - distclean-libtool distclean-tags distdir dvi dvi-am html \ - html-am info info-am install install-am install-binPROGRAMS \ - install-data install-data-am install-exec install-exec-am \ - install-info install-info-am install-man install-man1 \ - install-strip installcheck installcheck-am installdirs \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ - pdf pdf-am ps ps-am tags uninstall uninstall-am \ - uninstall-binPROGRAMS uninstall-info-am uninstall-man \ - uninstall-man1 - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x 
&& chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 
's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal-0.6.3/appl/otp/otp.1 b/crypto/heimdal-0.6.3/appl/otp/otp.1 deleted file mode 100644 index 7abdaf1ae6..0000000000 --- a/crypto/heimdal-0.6.3/appl/otp/otp.1 +++ /dev/null 
@@ -1,91 +0,0 @@
-.\" Copyright (c) 1996, 2000 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: otp.1,v 1.3 2003/02/16 21:10:08 lha Exp $
-.\"
-.Dd November 17, 1996
-.Dt OTP 1
-.Os KTH-KRB
-.Sh NAME
-.Nm otp
-.Nd
-manages one-time passwords
-.Sh SYNOPSIS
-.Nm otp
-.Op Fl dhlor
-.Op Fl f Ar algorithm
-.Op Fl u Ar user
-.Ar sequence-number
-.Ar seed
-.Sh DESCRIPTION
-The
-.Nm
-program initializes and updates your current series of one-time
-passwords (OTPs).
-.Pp
-Use this to set a new series of one-time passwords. Only perform this
-on the console or over an encrypted link as you will have to supply
-your pass-phrase. The other two parameters are
-.Ar sequence-number
-and
-.Ar seed .
-.Pp
-Options are:
-.Bl -tag -width Ds
-.It Fl d
-To delete a one-time password.
-.It Fl f
-Choose a different
-.Ar algorithm
-from the default md5. Pick any of: md4, md5, and sha.
-.It Fl h
-For getting a help message.
-.It Fl l
-List the current table of one-time passwords.
-.It Fl o
-To open (unlock) the otp-entry for a user.
-.It Fl r
-To renew a one-time password series. This operation can be performed
-over an potentially eavesdropped link because you do not supply the
-pass-phrase. First you need to supply the current one-time password
-and then the new one corresponding to the supplied
-.Ar sequence-number
-and
-.Ar seed .
-.It Fl u
-To choose a different
-.Ar user
-to set one-time passwords for. This only works when running
-.Nm
-as root.
-.El
-.Sh SEE ALSO
-.Xr otpprint 1
diff --git a/crypto/heimdal-0.6.3/appl/otp/otp.c b/crypto/heimdal-0.6.3/appl/otp/otp.c
deleted file mode 100644
index ed5772c636..0000000000
--- a/crypto/heimdal-0.6.3/appl/otp/otp.c
+++ /dev/null
@@ -1,366 +0,0 @@
-/*
- * Copyright (c) 1995-1997, 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "otp_locl.h"
-#include
-
-RCSID("$Id: otp.c,v 1.34 2003/02/25 10:55:17 lha Exp $");
-
-static int listp;
-static int deletep;
-static int openp;
-static int renewp;
-static char* alg_string;
-static char *user;
-static int version_flag;
-static int help_flag;
-
-struct getargs args[] = {
- { "list", 'l', arg_flag, &listp, "list OTP status" },
- { "delete", 'd', arg_flag, &deletep, "delete OTP" },
- { "open", 'o', arg_flag, &openp, "open a locked OTP" },
- { "renew", 'r', arg_flag, &renewp, "securely renew OTP" },
- { "hash", 'f', arg_string, &alg_string,
- "hash algorithm (md4, md5, or sha)", "algorithm"},
- { "user", 'u', arg_string, &user,
- "user other than current user (root only)", "user" },
- { "version", 0, arg_flag, &version_flag },
- { "help", 'h', arg_flag, &help_flag }
-};
-
-int num_args = sizeof(args) / sizeof(args[0]);
-
-static void
-usage(int code)
-{
- arg_printusage(args, num_args, NULL, "[num seed]");
- exit(code);
-}
-
-/*
- * Renew the OTP for a user.
- * The pass-phrase is not required (RFC 1938/8.0)
- */
-
-static int
-renew (int argc, char **argv, OtpAlgorithm *alg, char *user)
-{
- OtpContext newctx, *ctx;
- char prompt[128];
- char pw[64];
- void *dbm;
- int ret;
-
- newctx.alg = alg;
- newctx.user = user;
- newctx.n = atoi (argv[0]);
- strlcpy (newctx.seed, argv[1], sizeof(newctx.seed));
- strlwr(newctx.seed);
- snprintf (prompt, sizeof(prompt),
- "[ otp-%s %u %s ]",
- newctx.alg->name,
- newctx.n,
- newctx.seed);
- if (des_read_pw_string (pw, sizeof(pw), prompt, 0) == 0 &&
- otp_parse (newctx.key, pw, alg) == 0) {
- ctx = &newctx;
- ret = 0;
- } else
- return 1;
-
- dbm = otp_db_open ();
- if (dbm == NULL) {
- warnx ("otp_db_open failed");
- return 1;
- }
- otp_put (dbm, ctx);
- otp_db_close (dbm);
- return ret;
-}
-
-/*
- * Return 0 if the user could enter the next OTP.
- * I would rather have returned !=0 but it's shell-like here around.
- */
-
-static int
-verify_user_otp(char *username)
-{
- OtpContext ctx;
- char passwd[OTP_MAX_PASSPHRASE + 1];
- char prompt[128], ss[256];
-
- if (otp_challenge (&ctx, username, ss, sizeof(ss)) != 0) {
- warnx("no otp challenge found for %s", username);
- return 1;
- }
-
- snprintf (prompt, sizeof(prompt), "%s's %s Password: ", username, ss);
- if(des_read_pw_string(passwd, sizeof(passwd)-1, prompt, 0))
- return 1;
- return otp_verify_user (&ctx, passwd);
-}
-
-/*
- * Set the OTP for a user
- */
-
-static int
-set (int argc, char **argv, OtpAlgorithm *alg, char *user)
-{
- void *db;
- OtpContext ctx;
- char pw[OTP_MAX_PASSPHRASE + 1];
- int ret;
- int i;
-
- ctx.alg = alg;
- ctx.user = strdup (user);
- if (ctx.user == NULL)
- err (1, "out of memory");
-
- ctx.n = atoi (argv[0]);
- strlcpy (ctx.seed, argv[1], sizeof(ctx.seed));
- strlwr(ctx.seed);
- do {
- if (des_read_pw_string (pw, sizeof(pw), "Pass-phrase: ", 1))
- return 1;
- if (strlen (pw) < OTP_MIN_PASSPHRASE)
- printf ("Too short pass-phrase. Use at least %d characters\n",
- OTP_MIN_PASSPHRASE);
- } while(strlen(pw) < OTP_MIN_PASSPHRASE);
- ctx.alg->init (ctx.key, pw, ctx.seed);
- for (i = 0; i < ctx.n; ++i)
- ctx.alg->next (ctx.key);
- db = otp_db_open ();
- if(db == NULL) {
- free (ctx.user);
- err (1, "otp_db_open failed");
- }
- ret = otp_put (db, &ctx);
- otp_db_close (db);
- free (ctx.user);
- return ret;
-}
-
-/*
- * Delete otp of user from the database
- */
-
-static int
-delete_otp (int argc, char **argv, char *user)
-{
- void *db;
- OtpContext ctx;
- int ret;
-
- db = otp_db_open ();
- if(db == NULL)
- errx (1, "otp_db_open failed");
-
- ctx.user = user;
- ret = otp_delete(db, &ctx);
- otp_db_close (db);
- return ret;
-}
-
-/*
- * Tell whether the user has an otp
- */
-
-static int
-has_an_otp(char *user)
-{
- void *db;
- OtpContext ctx;
- int ret;
-
- db = otp_db_open ();
- if(db == NULL) {
- warnx ("otp_db_open failed");
- return 0; /* if no db no otp! */
- }
-
- ctx.user = user;
- ret = otp_simple_get(db, &ctx);
-
- otp_db_close (db);
- return !ret;
-}
-
-/*
- * Get and print out the otp entry for some user
- */
-
-static void
-print_otp_entry_for_name (void *db, char *user)
-{
- OtpContext ctx;
-
- ctx.user = user;
- if (!otp_simple_get(db, &ctx)) {
- fprintf(stdout,
- "%s\totp-%s %d %s",
- ctx.user, ctx.alg->name, ctx.n, ctx.seed);
- if (ctx.lock_time)
- fprintf(stdout,
- "\tlocked since %s",
- ctime(&ctx.lock_time));
- else
- fprintf(stdout, "\n");
- }
-}
-
-static int
-open_otp (int argc, char **argv, char *user)
-{
- void *db;
- OtpContext ctx;
- int ret;
-
- db = otp_db_open ();
- if (db == NULL)
- errx (1, "otp_db_open failed");
-
- ctx.user = user;
- ret = otp_simple_get (db, &ctx);
- if (ret == 0)
- ret = otp_put (db, &ctx);
- otp_db_close (db);
- return ret;
-}
-
-/*
- * Print otp entries for one or all users
- */
-
-static int
-list_otps (int argc, char **argv, char *user)
-{
- void *db;
- struct passwd *pw;
-
- db = otp_db_open ();
- if(db == NULL)
- errx (1, "otp_db_open failed");
-
- if (user)
- print_otp_entry_for_name(db, user);
- else
- /* scans all users... so as to get a deterministic order */
- while ((pw = getpwent()))
- print_otp_entry_for_name(db, pw->pw_name);
-
- otp_db_close (db);
- return 0;
-}
-
-int
-main (int argc, char **argv)
-{
- int defaultp = 0;
- int uid = getuid();
- OtpAlgorithm *alg = otp_find_alg (OTP_ALG_DEFAULT);
- int optind = 0;
-
- setprogname (argv[0]);
- if(getarg(args, num_args, argc, argv, &optind))
- usage(1);
- if(help_flag)
- usage(0);
- if(version_flag) {
- print_version(NULL);
- exit(0);
- }
-
- if(deletep && uid != 0)
- errx (1, "Only root can delete OTPs");
- if(alg_string) {
- alg = otp_find_alg (alg_string);
- if (alg == NULL)
- errx (1, "Unknown algorithm: %s", alg_string);
- }
- if (user && uid != 0)
- errx (1, "Only root can use `-u'");
- argc -= optind;
- argv += optind;
-
- if (!(listp || deletep || renewp || openp))
- defaultp = 1;
-
- if ( listp + deletep + renewp + defaultp + openp != 1)
- usage(1); /* one of -d or -l or -r or none */
-
- if(deletep || openp || listp) {
- if(argc != 0)
- errx(1, "delete, open, and list requires no arguments");
- } else {
- if(argc != 2)
- errx(1, "setup, and renew requires `num', and `seed'");
- }
- if (listp)
- return list_otps (argc, argv, user);
-
- if (user == NULL) {
- struct passwd *pwd;
-
- pwd = k_getpwuid(uid);
- if (pwd == NULL)
- err (1, "You don't exist");
- user = pwd->pw_name;
- }
-
- /*
- * users other that root must provide the next OTP to update the sequence.
- * it avoids someone to use a pending session to change an OTP sequence.
- * see RFC 1938/8.0.
- */
- if (uid != 0 && (defaultp || renewp)) {
- if (!has_an_otp(user)) {
- errx (1, "Only root can set an initial OTP");
- } else { /* Check the next OTP (RFC 1938/8.0: SHOULD) */
- if (verify_user_otp(user) != 0) {
- errx (1, "User authentification failed");
- }
- }
- }
-
- if (deletep)
- return delete_otp (argc, argv, user);
- else if (renewp)
- return renew (argc, argv, alg, user);
- else if (openp)
- return open_otp (argc, argv, user);
- else
- return set (argc, argv, alg, user);
-}
diff --git a/crypto/heimdal-0.6.3/appl/otp/otp.cat1 b/crypto/heimdal-0.6.3/appl/otp/otp.cat1
deleted file mode 100644
index 588bcc2f6c..0000000000
--- a/crypto/heimdal-0.6.3/appl/otp/otp.cat1
+++ /dev/null
@@ -1,43 +0,0 @@ - -OTP(1) UNIX Reference Manual OTP(1) - -NNAAMMEE - oottpp - manages one-time passwords - -SSYYNNOOPPSSIISS - oottpp [--ddhhlloorr] [--ff _a_l_g_o_r_i_t_h_m] [--uu _u_s_e_r] _s_e_q_u_e_n_c_e_-_n_u_m_b_e_r _s_e_e_d - -DDEESSCCRRIIPPTTIIOONN - The oottpp program initializes and updates your current series of one-time - passwords (OTPs). - - Use this to set a new series of one-time passwords. Only perform this on - the console or over an encrypted link as you will have to supply your - pass-phrase. The other two parameters are _s_e_q_u_e_n_c_e_-_n_u_m_b_e_r and _s_e_e_d. - - Options are: - - --dd To delete a one-time password. - - --ff Choose a different _a_l_g_o_r_i_t_h_m from the default md5. Pick any of: - md4, md5, and sha. - - --hh For getting a help message. - - --ll List the current table of one-time passwords. - - --oo To open (unlock) the otp-entry for a user. - - --rr To renew a one-time password series. This operation can be per- - formed over an potentially eavesdropped link because you do not - supply the pass-phrase. First you need to supply the current - one-time password and then the new one corresponding to the sup- - plied _s_e_q_u_e_n_c_e_-_n_u_m_b_e_r and _s_e_e_d. - - --uu To choose a different _u_s_e_r to set one-time passwords for. This - only works when running oottpp as root. - -SSEEEE AALLSSOO - otpprint(1) - - KTH-KRB November 17, 1996 1 diff --git a/crypto/heimdal-0.6.3/appl/otp/otp_locl.h b/crypto/heimdal-0.6.3/appl/otp/otp_locl.h deleted file mode 100644 index 65f9370bad..0000000000 --- a/crypto/heimdal-0.6.3/appl/otp/otp_locl.h +++ /dev/null 
@@ -1,56 +0,0 @@
-/*
- * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: otp_locl.h,v 1.10 2002/09/10 20:03:46 joda Exp $ */
-
-#ifdef HAVE_CONFIG_H
-#include
-#endif
-
-#include
-#include
-#include
-#include
-#ifdef HAVE_SYS_TYPES_H
-#include
-#endif
-#ifdef HAVE_UNISTD_H
-#include
-#endif
-#ifdef HAVE_PWD_H
-#include
-#endif
-#include
-#include
-#include "crypto-headers.h" /* for des_read_pw_string */
-#include
diff --git a/crypto/heimdal-0.6.3/appl/otp/otpprint.1 b/crypto/heimdal-0.6.3/appl/otp/otpprint.1
deleted file mode 100644
index 0e66bb356f..0000000000
--- a/crypto/heimdal-0.6.3/appl/otp/otpprint.1
+++ /dev/null
@@ -1,83 +0,0 @@
-.\" Copyright (c) 1996, 2000 - 2001 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: otpprint.1,v 1.5 2003/02/16 21:10:09 lha Exp $
-.\"
-.Dd November 17, 1996
-.Dt OTP 1
-.Os KTH-KRB
-.Sh NAME
-.Nm otpprint
-.Nd
-print lists of one-time passwords
-.Sh SYNOPSIS
-.Nm otp
-.Op Fl n Ar count
-.Op Fl e
-.Op Fl h
-.Op Fl f Ar algorithm
-.Ar sequence-number
-.Ar seed
-.Sh DESCRIPTION
-The
-.Nm
-program prints lists of OTPs.
-.Pp
-Use this to print out a series of one-time passwords. You will have
-to supply the
-.Ar sequence number
-and the
-.Ar seed
-as arguments and then the program will prompt you for your pass-phrase.
-.Pp
-There are several different print formats. The default is to print
-each password with six short english words.
-.Pp
-Options are:
-.Bl -tag -width Ds
-.It Fl e
-Print the passwords in ``extended'' format. In this format a prefix
-that says ``hex:'' or ``word:'' is included.
-.It Fl f
-To choose a different
-.Ar algorithm
-from the default md5. Pick any of: md4, md5, and sha.
-.It Fl h
-Print the passwords in hex.
-.It Fl n
-Print
-.Ar count
-one-time passwords, starting at
-.Ar sequence-number
-and going backwards. The default is 10.
-.El
-.Sh SEE ALSO
-.Xr otp 1
diff --git a/crypto/heimdal-0.6.3/appl/otp/otpprint.c b/crypto/heimdal-0.6.3/appl/otp/otpprint.c
deleted file mode 100644
index b1d0a84a05..0000000000
--- a/crypto/heimdal-0.6.3/appl/otp/otpprint.c
+++ /dev/null
@@ -1,135 +0,0 @@
-/*
- * Copyright (c) 1995-1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "otp_locl.h"
-#include
-
-RCSID("$Id: otpprint.c,v 1.14 2001/02/20 01:44:46 assar Exp $");
-
-static int extendedp;
-static int count = 10;
-static int hexp;
-static char* alg_string;
-static int version_flag;
-static int help_flag;
-
-struct getargs args[] = {
- { "extended", 'e', arg_flag, &extendedp, "print keys in extended format" },
- { "count", 'n', arg_integer, &count, "number of keys to print" },
- { "hexadecimal", 'h', arg_flag, &hexp, "output in hexadecimal" },
- { "hash", 'f', arg_string, &alg_string,
- "hash algorithm (md4, md5, or sha)", "algorithm"},
- { "version", 0, arg_flag, &version_flag },
- { "help", 0, arg_flag, &help_flag }
-};
-
-int num_args = sizeof(args) / sizeof(args[0]);
-
-static void
-usage(int code)
-{
- arg_printusage(args, num_args, NULL, "num seed");
- exit(code);
-}
-
-static int
-print (int argc,
- char **argv,
- int count,
- OtpAlgorithm *alg,
- void (*print_fn)(OtpKey, char *, size_t))
-{
- char pw[64];
- OtpKey key;
- int n;
- int i;
- char *seed;
-
- if (argc != 2)
- usage (1);
- n = atoi(argv[0]);
- seed = argv[1];
- if (des_read_pw_string (pw, sizeof(pw), "Pass-phrase: ", 0))
- return 1;
- alg->init (key, pw, seed);
- for (i = 0; i < n; ++i) {
- char s[64];
-
- alg->next (key);
- if (i >= n - count) {
- (*print_fn)(key, s, sizeof(s));
- printf ("%d: %s\n", i + 1, s);
- }
- }
- return 0;
-}
-
-int
-main (int argc, char **argv)
-{
- int optind = 0;
- void (*fn)(OtpKey, char *, size_t);
- OtpAlgorithm *alg = otp_find_alg (OTP_ALG_DEFAULT);
-
- setprogname (argv[0]);
- if(getarg(args, num_args, argc, argv, &optind))
- usage(1);
- if(help_flag)
- usage(0);
- if(version_flag) {
- print_version(NULL);
- exit(0);
- }
-
- if(alg_string) {
- alg = otp_find_alg (alg_string);
- if (alg == NULL)
- errx(1, "Unknown algorithm: %s", alg_string);
- }
- argc -= optind;
- argv += optind;
-
- if (hexp) {
- if (extendedp)
- fn = otp_print_hex_extended;
- else
- fn = otp_print_hex;
- } else {
- if (extendedp)
- fn = 
otp_print_stddict_extended; - else - fn = otp_print_stddict; - } - - return print (argc, argv, count, alg, fn); -} diff --git a/crypto/heimdal-0.6.3/appl/otp/otpprint.cat1 b/crypto/heimdal-0.6.3/appl/otp/otpprint.cat1 deleted file mode 100644 index 1c4d2444fa..0000000000 --- a/crypto/heimdal-0.6.3/appl/otp/otpprint.cat1 +++ /dev/null @@ -1,36 +0,0 @@ - -OTP(1) UNIX Reference Manual OTP(1) - -NNAAMMEE - oottpppprriinntt - print lists of one-time passwords - -SSYYNNOOPPSSIISS - oottpp [--nn _c_o_u_n_t] [--ee] [--hh] [--ff _a_l_g_o_r_i_t_h_m] _s_e_q_u_e_n_c_e_-_n_u_m_b_e_r _s_e_e_d - -DDEESSCCRRIIPPTTIIOONN - The oottpppprriinntt program prints lists of OTPs. - - Use this to print out a series of one-time passwords. You will have to - supply the _s_e_q_u_e_n_c_e _n_u_m_b_e_r and the _s_e_e_d as arguments and then the program - will prompt you for your pass-phrase. - - There are several different print formats. The default is to print each - password with six short english words. - - Options are: - - --ee Print the passwords in ``extended'' format. In this format a - prefix that says ``hex:'' or ``word:'' is included. - - --ff To choose a different _a_l_g_o_r_i_t_h_m from the default md5. Pick any - of: md4, md5, and sha. - - --hh Print the passwords in hex. - - --nn Print _c_o_u_n_t one-time passwords, starting at _s_e_q_u_e_n_c_e_-_n_u_m_b_e_r and - going backwards. The default is 10. - -SSEEEE AALLSSOO - otp(1) - - KTH-KRB November 17, 1996 1 diff --git a/crypto/heimdal-0.6.3/appl/popper/ChangeLog b/crypto/heimdal-0.6.3/appl/popper/ChangeLog deleted file mode 100644 index 33d7b2cade..0000000000 --- a/crypto/heimdal-0.6.3/appl/popper/ChangeLog +++ /dev/null 
@@ -1,207 +0,0 @@ -2003-10-13 Love - - * pop_init.c: 1.58->1.59: (pop_init): change call to - authentication function, from a ?: construct (which toubles some - versions of gcc) to if; from Björn Grönvall - -2003-04-16 Love Hörnquist Åstrand - - * popper.8: spelling, from jmc - -2002-07-04 Johan Danielsson - - * pop_dropcopy.c: use RESP-CODES - - * pop_get_command.c: implement CAPA - - * popper.c: don't print our version in the greeting string - - * popper.h: add a flags parameter to the pop context - -2002-05-02 Johan Danielsson - - * pop_debug.c: revert some accidentally commited code in previous - -2002-02-07 Johan Danielsson - - * pop_debug.c: only claim krb5 support if really present - -2001-09-10 Johan Danielsson - - * maildir.c: replace MAXDROPLEN with MAXPATHLEN - - * popper.h: replace MAXDROPLEN with MAXPATHLEN - -2001-08-13 Johan Danielsson - - * popper.8: rewritten man page - -2000-12-31 Assar Westerlund - - * pop_init.c (pop_init): handle krb5_init_context failure - consistently - * pop_debug.c (doit_v5): handle krb5_init_context failure - consistently - -2000-06-10 Assar Westerlund - - * pop_init.c (krb4_authenticate): do not exit on failure, just - return - (krb5_authenticate): log errors from krb5_recvauth - -2000-04-12 Assar Westerlund - - * *.c: replace all erroneous calls to pop_log with POP_FAILURE - with POP_PRIORITY. reported by Janne Johansson ' - -2000-01-27 Assar Westerlund - - * pop_debug.c (main): figure out port number - -1999-12-20 Assar Westerlund - - * pop_init.c (pop_init): use getnameinfo_verified - - * pop_debug.c (get_socket): use getaddrinfo - -1999-12-03 Johan Danielsson - - * pop_init.c: optionally trace connected addresses to a file - -1999-11-02 Assar Westerlund - - * pop_debug.c (main): redo the v4/v5 selection for consistency. 
- -4 -> try only v4 -5 -> try only v5 none, -45 -> try v5, v4 - -1999-10-16 Johan Danielsson - - * pop_init.c (krb5_authenticate): don't use the principal - associated with the socket for authentication, instead let - krb5_rd_req pick the correct one from the ticket; just check that - it actually was a pop-ticket - -1999-08-12 Johan Danielsson - - * pop_init.c (pop_init): don't freehostent if ch == NULL - - * pop_dele.c: implement XDELE to delete a range of messages - -1999-08-05 Assar Westerlund - - * pop_init.c: v6-ify - - * pop_debug.c: v6-ify - -1999-05-10 Assar Westerlund - - * pop_debug.c (doit_v5): call krb5_sendauth with ccache == NULL - -1999-04-11 Assar Westerlund - - * pop_debug.c (main): use print_version - -Thu Apr 8 15:07:11 1999 Johan Danielsson - - * pop_pass.c: remove definition of KRB_VERIFY_USER (moved to - config.h) - -Thu Mar 18 12:55:42 1999 Johan Danielsson - - * pop_pass.c: define KRB_VERIFY_SECURE if not defined - - * Makefile.am: include Makefile.am.common - -Wed Mar 17 23:36:21 1999 Assar Westerlund - - * pop_pass.c (krb4_verify_password): use KRB_VERIFY_SECURE instead - of 1 - -Tue Mar 16 22:28:52 1999 Assar Westerlund - - * pop_pass.c: krb_verify_user_multiple -> krb_verify_user - -Sat Mar 13 22:17:29 1999 Assar Westerlund - - * pop_parse.c (pop_parse): cast when calling is* to get rid of a - warning - -Mon Mar 8 11:50:06 1999 Johan Danielsson - - * pop_init.c: use print_version - -Fri Mar 5 15:14:29 1999 Johan Danielsson - - * pop_send.c: fix handling of messages w/o body - -Sun Nov 22 10:33:29 1998 Assar Westerlund - - * pop_pass.c (pop_pass): try to always log - - * Makefile.in (WFLAGS): set - -Fri Jul 10 01:14:25 1998 Assar Westerlund - - * pop_init.c: s/net_read/pop_net_read/ - -Tue Jun 2 17:33:54 1998 Johan Danielsson - - * pop_send.c: add missing newlines - -Sun May 24 20:59:45 1998 Johan Danielsson - - * maildir.c (make_path): fix reversed args - -Sat May 16 00:02:18 1998 Assar Westerlund - - * Makefile.am: link with DBLIB - 
-Sun Apr 26 11:47:58 1998 Assar Westerlund - - * pop_pass.c (pop_pass): check return value from changeuser - - * pop_dropcopy.c (changeuser): check that `setuid' and `setgid' - succeeded. - - * popper.h: changeuser now returns int - -Thu Apr 23 00:54:38 1998 Johan Danielsson - - * Add support for maildir spoolfiles. - - * popper.h (MsgInfoList): replace `del_flag' and `retr_flag' with - single `flags' - - * pop_dropcopy.c: Fix mismatched parenthesis. - -Sat Apr 4 15:13:56 1998 Assar Westerlund - - * pop_dropcopy.c (pop_dropcopy): first do mkstemp and then fdopen. - Originally from - - * popper.h: include - -Sat Feb 7 10:07:39 1998 Assar Westerlund - - * pop_pass.c(krb4_verify_password: Don't use REALM_SZ + 1, just - REALM_SZ - -Mon Dec 29 16:37:26 1997 Assar Westerlund - - * pop_updt.c (pop_updt): lseek before ftruncating the file. From - - -Sat Nov 22 13:46:39 1997 Johan Danielsson - - * pop_pass.c: Destroy tickets after verification. - -Sun Nov 9 09:11:14 1997 Assar Westerlund - - * pop_dropinfo.c: be careful with mails without msg-id, subject, - or from - -Wed Oct 29 02:09:24 1997 Assar Westerlund - - * pop_pass.c: conditionalize OTP-support - - * pop_init.c: conditionalize OTP-support - diff --git a/crypto/heimdal-0.6.3/appl/popper/Makefile.am b/crypto/heimdal-0.6.3/appl/popper/Makefile.am deleted file mode 100644 index e3311dadf7..0000000000 --- a/crypto/heimdal-0.6.3/appl/popper/Makefile.am +++ /dev/null 
@@ -1,31 +0,0 @@
-# $Id: Makefile.am,v 1.14 2001/08/04 03:08:02 assar Exp $
-
-include $(top_srcdir)/Makefile.am.common
-
-INCLUDES += $(INCLUDE_krb4)
-
-noinst_PROGRAMS = pop_debug
-
-libexec_PROGRAMS = popper
-
-popper_SOURCES = \
- pop_dele.c pop_dropcopy.c pop_dropinfo.c \
- pop_get_command.c pop_init.c \
- pop_last.c pop_list.c pop_log.c \
- pop_msg.c pop_parse.c pop_pass.c pop_quit.c \
- pop_rset.c pop_send.c pop_stat.c pop_updt.c \
- pop_user.c pop_uidl.c pop_xover.c popper.c \
- maildir.c popper.h version.h
-
-EXTRA_DIST = pop3.rfc1081 pop3e.rfc1082 \
- popper.README.release README-FIRST README-KRB4
-
-LDADD = \
- $(LIB_otp) \
- $(LIB_krb5) \
- $(LIB_krb4) \
- $(LIB_des) \
- $(LIB_roken) \
- $(DBLIB)
-
-man_MANS = popper.8
diff --git a/crypto/heimdal-0.6.3/appl/popper/Makefile.in b/crypto/heimdal-0.6.3/appl/popper/Makefile.in
deleted file mode 100644
index 299eb066f8..0000000000
--- a/crypto/heimdal-0.6.3/appl/popper/Makefile.in
+++ /dev/null
@@ -1,854 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.14 2001/08/04 03:08:02 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - -SOURCES = pop_debug.c $(popper_SOURCES) - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../.. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ - $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common ChangeLog -noinst_PROGRAMS = pop_debug$(EXEEXT) -libexec_PROGRAMS = popper$(EXEEXT) -subdir = appl/popper -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - 
$(top_srcdir)/cf/krb-readline.m4 \ - $(top_srcdir)/cf/krb-struct-spwd.m4 \ - $(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -am__installdirs = "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(man8dir)" -libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -PROGRAMS = $(libexec_PROGRAMS) $(noinst_PROGRAMS) -pop_debug_SOURCES = pop_debug.c -pop_debug_OBJECTS = pop_debug.$(OBJEXT) -pop_debug_LDADD = $(LDADD) -am__DEPENDENCIES_1 = -@KRB5_TRUE@am__DEPENDENCIES_2 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la -pop_debug_DEPENDENCIES = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_2) \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) -am_popper_OBJECTS = pop_dele.$(OBJEXT) pop_dropcopy.$(OBJEXT) \ - pop_dropinfo.$(OBJEXT) pop_get_command.$(OBJEXT) \ - pop_init.$(OBJEXT) pop_last.$(OBJEXT) pop_list.$(OBJEXT) \ - pop_log.$(OBJEXT) pop_msg.$(OBJEXT) pop_parse.$(OBJEXT) \ - pop_pass.$(OBJEXT) pop_quit.$(OBJEXT) pop_rset.$(OBJEXT) \ - pop_send.$(OBJEXT) pop_stat.$(OBJEXT) pop_updt.$(OBJEXT) \ - pop_user.$(OBJEXT) pop_uidl.$(OBJEXT) pop_xover.$(OBJEXT) \ - popper.$(OBJEXT) maildir.$(OBJEXT) -popper_OBJECTS = $(am_popper_OBJECTS) -popper_LDADD = $(LDADD) -popper_DEPENDENCIES = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_2) \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) 
$(am__DEPENDENCIES_1) -DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -SOURCES = pop_debug.c $(popper_SOURCES) -DIST_SOURCES = pop_debug.c $(popper_SOURCES) -man8dir = $(mandir)/man8 -MANS = $(man_MANS) -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ 
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ 
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ 
-do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -popper_SOURCES = 
\ - pop_dele.c pop_dropcopy.c pop_dropinfo.c \ - pop_get_command.c pop_init.c \ - pop_last.c pop_list.c pop_log.c \ - pop_msg.c pop_parse.c pop_pass.c pop_quit.c \ - pop_rset.c pop_send.c pop_stat.c pop_updt.c \ - pop_user.c pop_uidl.c pop_xover.c popper.c \ - maildir.c popper.h version.h - -EXTRA_DIST = pop3.rfc1081 pop3e.rfc1082 \ - popper.README.release README-FIRST README-KRB4 - -LDADD = \ - $(LIB_otp) \ - $(LIB_krb5) \ - $(LIB_krb4) \ - $(LIB_des) \ - $(LIB_roken) \ - $(DBLIB) - -man_MANS = popper.8 -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps appl/popper/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps appl/popper/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' 
in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -install-libexecPROGRAMS: $(libexec_PROGRAMS) - @$(NORMAL_INSTALL) - test -z "$(libexecdir)" || $(mkdir_p) "$(DESTDIR)$(libexecdir)" - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(libexecdir)/$$f'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(libexecdir)/$$f" || exit 1; \ - else :; fi; \ - done - -uninstall-libexecPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f '$(DESTDIR)$(libexecdir)/$$f'"; \ - rm -f "$(DESTDIR)$(libexecdir)/$$f"; \ - done - -clean-libexecPROGRAMS: - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done - -clean-noinstPROGRAMS: - @list='$(noinst_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -pop_debug$(EXEEXT): $(pop_debug_OBJECTS) 
$(pop_debug_DEPENDENCIES) - @rm -f pop_debug$(EXEEXT) - $(LINK) $(pop_debug_LDFLAGS) $(pop_debug_OBJECTS) $(pop_debug_LDADD) $(LIBS) -popper$(EXEEXT): $(popper_OBJECTS) $(popper_DEPENDENCIES) - @rm -f popper$(EXEEXT) - $(LINK) $(popper_LDFLAGS) $(popper_OBJECTS) $(popper_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c $< - -.c.obj: - $(COMPILE) -c `$(CYGPATH_W) '$<'` - -.c.lo: - $(LTCOMPILE) -c -o $@ $< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -install-man8: $(man8_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - test -z "$(man8dir)" || $(mkdir_p) "$(DESTDIR)$(man8dir)" - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ - done -uninstall-man8: - @$(NORMAL_UNINSTALL) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f 
'$(DESTDIR)$(man8dir)/$$inst'"; \ - rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ - done - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/../.. 
$(distdir)/../../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) $(MANS) all-local -installdirs: - for dir in "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(man8dir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special 
tools to rebuild." -clean: clean-am - -clean-am: clean-generic clean-libexecPROGRAMS clean-libtool \ - clean-noinstPROGRAMS mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: install-man - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: install-libexecPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man8 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-info-am uninstall-libexecPROGRAMS \ - uninstall-man - -uninstall-man: uninstall-man8 - -.PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \ - clean clean-generic clean-libexecPROGRAMS clean-libtool \ - clean-noinstPROGRAMS ctags distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-exec install-exec-am \ - install-info install-info-am install-libexecPROGRAMS \ - install-man install-man8 install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags uninstall uninstall-am uninstall-info-am \ - uninstall-libexecPROGRAMS uninstall-man uninstall-man8 - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* 
Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i 
> $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal-0.6.3/appl/popper/README b/crypto/heimdal-0.6.3/appl/popper/README deleted file mode 100644 index 0735fdd56c..0000000000 --- a/crypto/heimdal-0.6.3/appl/popper/README +++ /dev/null 
@@ -1,381 +0,0 @@ -@(#)@(#)README 2.6 2.6 4/2/91 - - -The Post Office Protocol Server: Installation Guide - - - -Introduction - -The Post Office Protocol server runs on a variety of Unix[1] computers -to manage electronic mail for Macintosh and MS-DOS computers. The -server was developed at the University of California at Berkeley and -conforms fully to the specifications in RFC 1081[2] and RFC 1082[3]. -The Berkeley server also has extensions to send electronic mail on -behalf of a client. - -This guide explains how to install the POP server on your Unix -computer. It assumes that you are not only familiar with Unix but also -capable of performing Unix system administration. - - -How to Obtain the Server - -The POP server is available via anonymous ftp from ftp.CC.Berkeley.EDU -(128.32.136.9, 128.32.206.12). It is in two files in the pub directory: -a compressed tar file popper-version.tar.Z and a Macintosh StuffIt archive -in BinHex format called MacPOP.sit.hqx. - - -Contents of the Distribution - -The distribution contains the following: - -+ All of the C source necessary to create the server program. - -+ A visual representation of how the POP system works. - -+ Reprints of RFC 1081 and RFC 1082. - -+ A HyperCard stack POP client implementation using MacTCP. - -+ A man page for the popper daemon. - -+ This guide. - - -Compatibility - -The Berkeley POP server has been successfully tested on the following -Unix operating systems: - -+ Berkeley Systems Distribution 4.3 - -+ Sun Microsystems Operating System versions 3.5 and 4.0 - -+ Ultrix version 2.3 - -The following POP clients operate correctly with the Berkeley POP server: - -+ The Berkeley HyperMail HyperCard stack for the Apple Macintosh - (distributed with the server). - -+ The Stanford University Macintosh Internet Protocol MacMH program. - -+ The Stanford University Personal Computer Internet Protocol MH - program. - -+ The mh version 6.0 programs for Unix. 
- - -Support - -The Berkeley POP server is not officially supported and is without any -warranty, explicit or implied. However, we are interested in your -experiences using the server. Bugs, comments and suggestions should be -sent electronically to netinfo@garnet.Berkeley.EDU. - - -Operational Characteristics - -The POP Transaction Cycle - -The Berkeley POP server is a single program (called popper) that is -launched by inetd when it gets a service request on the POP TCP port. -(The official port number specified in RFC 1081 for POP version 3 is -port 110. However, some POP3 clients attempt to contact the server at -port 109, the POP version 2 port. Unless you are running both POP2 and -POP3 servers, you can simply define both ports for use by the POP3 -server. This is explained in the installation instructions later on.) -The popper program initializes and verifies that the peer IP address is -registered in the local domain, logging a warning message when a -connection is made to a client whose IP address does not have a -canonical name. For systems using BSD 4.3 bind, it also checks to see -if a cannonical name lookup for the client returns the same peer IP -address, logging a warning message if it does not. The the server -enters the authorization state, during which the client must correctly -identify itself by providing a valid Unix userid and password on the -server's host machine. No other exchanges are allowed during this -state (other than a request to quit.) If authentication fails, a -warning message is logged and the session ends. Once the user is -identified, popper changes its user and group ids to match that of the -user and enters the transaction state. The server makes a temporary -copy of the user's maildrop (ordinarily in /usr/spool/mail) which is -used for all subsequent transactions. These include the bulk of POP -commands to retrieve mail, delete mail, undelete mail, and so forth. 
A -Berkeley extension also allows the user to submit a mail parcel to the -server who mails it using the sendmail program (this extension is -supported in the HyperMail client distributed with the server). When -the client quits, the server enters the final update state during which -the network connection is terminated and the user's maildrop is updated -with the (possibly) modified temporary maildrop. - - -Logging - -The POP server uses syslog to keep a record of its activities. On -systems with BSD 4.3 syslogging, the server logs (by default) to the -"local0" facility at priority "notice" for all messages except -debugging which is logged at priority "debug". The default log file is -/usr/spool/mqueue/POPlog. These can be changed, if desired. On -systems with 4.2 syslogging all messages are logged to the local log -file, usually /usr/spool/mqueue/syslog. - -Problems - -If the filesystem which holds the /usr/spool/mail fills up users will -experience difficulties. The filesystem must have enough space to hold -(approximately) two copies of the largest mail box. Popper (v1.81 and -above) is designed to be robust in the face of this problem, but you may -end up with a situation where some of the user's mail is in - - /usr/spool/mail/.userid.pop - -and some of the mail is in - - /usr/spool/mail/userid - -If this happens the System Administrator should clear enough disk space -so that the filesystem has at least as much free disk as both mailboxes -hold and probably a little more. Then the user should initiate a POP -session, and do nothing but quit. If the POP session ends without an -error the user can then use POP or another mail program to clean up his/her -mailbox. - -Alternatively, the System Administrator can combine the two files (but -popper will do this for you if there is enough disk space). - - -Debugging - -The popper program will log debugging information when the -d parameter -is specified after its invocation in the inetd.conf file. 
Care should -be exercised in using this option since it generates considerable -output in the syslog file. Alternatively, the "-t " option -will place debugging information into file "" using fprintf -instead of syslog. (To enable debugging, you must edit the Makefile -to add -DDEBUG to the compiler options.) - -For SunOS version 3.5, the popper program is launched by inetd from -/etc/servers. This file does not allow you to specify command line -arguments. Therefore, if you want to enable debugging, you can specify -a shell script in /etc/servers to be launched instead of popper and in -this script call popper with the desired arguments. - - -Installation - -1. Examine this file for the latest information, warnings, etc. - -2. Check the Makefile for conformity with your system. - -3. Issue the make command in the directory containing the popper - source. - -4. Issue the make install command in the directory containing the - popper source to copy the program to /usr/etc. - -5. Enable syslogging: - - + For systems with 4.3 syslogging: - - Add the following line to the /etc/syslog.conf file: - - local0.notice;local0.debug /usr/spool/mqueue/POPlog - - Create the empty file /usr/spool/mqueue/POPlog. - - Kill and restart the syslogd daemon. - - + For systems with 4.2 syslogging: - - Be sure that you are logging messages of priority 7 and higher. - For example: - - 7/usr/spool/mqueue/syslog - 9/dev/null - -6. Update /etc/services: - - Add the following line to the /etc/services file: - - pop 110/tcp - - Note: This is the official port number for version 3 of the - Post Office Protocol as defined in RFC 1081. However, some - POP3 clients use port 109, the port number for the previous - version (2) of POP. Therefore you may also want to add the - following line to the /etc/services file: - - pop2 109/tcp - - For Sun systems running yp, also do the following: - - + Change to the /var/yp directory. - - + Issue the make services command. - -7. 
Update the inetd daemon configuration. Include the second line ONLY if you - are running the server at both ports. - - + On BSD 4.3 and SunOS 4.0 systems, add the following line to the - /etc/inetd.conf file: - - pop stream tcp nowait root /usr/etc/popper popper - pop2 stream tcp nowait root /usr/etc/popper popper - - + On Ultrix systems, add the following line to the - /etc/inetd.conf file: - - pop stream tcp nowait /usr/etc/popper popper - pop2 stream tcp nowait /usr/etc/popper popper - - + On SunOS 3.5 systems, add the following line to the - /etc/servers file: - - pop tcp /usr/etc/popper - pop2 tcp /usr/etc/popper - - Kill and restart the inetd daemon. - -You can confirm that the POP server is running on Unix by telneting to -port 110 (or 109 if you set it up that way). For example: - -%telnet myhost 110 -Trying... -Connected to myhost.berkeley.edu. -Escape character is '^]'. -+OK UCB Pop server (version 1.6) at myhost starting. -quit -Connection closed by foreign host. - - -Release Notes - -1.83 Make sure that everything we do as root is non-destructive. - -1.82 Make the /usr/spool/mail/.userid.pop file owned by the user rather - than owned by root. - -1.81 There were two versions of 1.7 floating around, 1.7b4 and 1.7b5. - The difference is that 1.7b5 attempted to save disk space on - /usr/spool/mail by deleting the users permanent maildrop after - making the temporary copy. Unfortunately, if compiled with - -DDEBUG, this version could easily wipe out a users' mail file. - This is now fixed. - - This version also fixes a security hole for systems that have - /usr/spool/mail writeable by all users. - - With this version we go to all new SCCS IDs for all files. This - is unfortunate, and we hope it is not too much of a problem. - - Thanks to Steve Dorner of UIUC for pointing out the major problem. 
- -1.7 Extensive re-write of the maildrop processing code contributed by - Viktor Dukhovni that greatly reduces the - possibility that the maildrop can be corrupted as the result of - simultaneous access by two or more processes. - - Added "pop_dropcopy" module to create a temporary maildrop from - the existing, standard maildrop as root before the setuid and - setgid for the user is done. This allows the temporary maildrop - to be created in a mail spool area that is not world read-writable. - - This version does *not* send the sendmail "From " delimiter line - in response to a TOP or RETR command. - - Encased all debugging code in #ifdef DEBUG constructs. This code can - be included by specifying the DEGUG compiler flag. Note: You still - need to use the -d or -t option to obtain debugging output. - -1.6 Corrects a bug that causes the server to crash on SunOS - 4.0 systems. - - Uses varargs and vsprintf (if available) in pop_log and - pop_msg. This is enabled by the "HAVE_VSPRINTF" - compiler flag. - - For systems with BSD 4.3 bind, performs a cannonical - name lookup and searches the returned address(es) for - the client's address, logging a warning message if it - is not located. This is enabled by the "BIND43" - comiler flag. - - Removed all the includes from popper.h and distributed - them throughout the porgrams files, as needed. - - Reformatted the source to convert tabs to spaces and - shorten lines for display on 80-column terminals. - -1.5 Creates the temporary maildrop with mode "600" and - immediately unlinks it. - - Uses client's IP address in lieu of a canonical name if - the latter cannot be obtained. - - Added "-t " option. The presence of this - option causes debugging output to be placed in the file - "file-name" using fprintf instead of the system log - file using syslog. - - Corrected maildrop parsing problem. - -1.4 Copies user's mail into a temporary maildrop on which - all subsequent activity is performed. 
- - Added "pop_log" function and replaced "syslog" calls - throughout the code with it. - -1.3 Corrected updating of Status: header line. - - Added strncasecmp for systems that do not have one. - Used strncasecmp in all appropriate places. This is - enabled by the STRNCASECMP compiler flag. - -1.2 Support for version 4.2 syslogging added. This is - enabled by the SYSLOG42 compiler flag. - -1.1 Several bugs fixed. - -1.0 Original version. - - -Limitations - -+ The POP server copies the user's entire maildrop to /tmp and - then operates on that copy. If the maildrop is particularly - large, or inadequate space is available in /tmp, then the - server will refuse to continue and terminate the connection. - -+ Simultaneous modification of a single maildrop can result in - confusing results. For example, manipulating messages in a - maildrop using the Unix /usr/ucb/mail command while a copy of - it is being processed by the POP server can cause the changes - made by one program to be lost when the other terminates. This - problem is being worked on and will be fixed in a later - release. - - -Credits - -The POP server was written by Edward Moy and Austin Shelton with -contributions from Robert Campbell (U.C. Berkeley) and Viktor Dukhovni -(Princeton University). Edward Moy wrote the HyperMail stack and drew -the POP operation diagram. This installation guide was written by -Austin Shelton. - - -Footnotes - -[1] Copyright (c) 1990 Regents of the University of California. - All rights reserved. The Berkeley software License Agreement - specifies the terms and conditions for redistribution. Unix is - a registered trademark of AT&T corporation. HyperCard and - Macintosh are registered trademarks of Apple Corporation. - -[2] M. Rose, Post Office Protocol - Version 3. RFC 1081, NIC, - November 1988. - -[3] M. Rose, Post Office Protocol - Version 3 Extended Service - Offerings. RFC 1082, NIC, November 1988. 
diff --git a/crypto/heimdal-0.6.3/appl/popper/README-FIRST b/crypto/heimdal-0.6.3/appl/popper/README-FIRST
deleted file mode 100644
index 3d78fb644b..0000000000
--- a/crypto/heimdal-0.6.3/appl/popper/README-FIRST
+++ /dev/null
@@ -1,11 +0,0 @@
-This kerberized popper was based on popper-1.831beta
-which was later announced as "offical" and not beta.
-
-This program is able to talk both the pop3 and the kpop3 protocol.
-
-Please note that the server principal is pop.hostname and not
-rcmd.hostname. I.e an additional entry is needed in your mailhub's
-/etc/srvtab. Use ksrvutil to add the extra prinicpal.
-
-The server is usually started from inetd and there is already an entry
-for that in inetd.conf.changes.
diff --git a/crypto/heimdal-0.6.3/appl/popper/README-KRB4 b/crypto/heimdal-0.6.3/appl/popper/README-KRB4
deleted file mode 100644
index f029cf97c2..0000000000
--- a/crypto/heimdal-0.6.3/appl/popper/README-KRB4
+++ /dev/null
@@ -1,3 +0,0 @@
-Define KERBEROS if you want support for Kerberos V4 style
-authentification, then you will be able to start a kerberise pop with
-the `-k' flag.
diff --git a/crypto/heimdal-0.6.3/appl/popper/maildir.c b/crypto/heimdal-0.6.3/appl/popper/maildir.c
deleted file mode 100644
index 4953d4bd4e..0000000000
--- a/crypto/heimdal-0.6.3/appl/popper/maildir.c
+++ /dev/null
@@ -1,216 +0,0 @@ -/* - * Copyright (c) 1998 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include -#include -RCSID("$Id: maildir.c,v 1.6 2001/09/10 11:56:53 joda Exp $"); - -static void -make_path(POP *p, MsgInfoList *mp, int new, char *buf, size_t len) -{ - snprintf(buf, len, "%s/%s%s%s", p->drop_name, - new ? "new" : "cur", mp ? "/" : "", mp ? 
mp->name : ""); -} - -static int -scan_file(POP *p, MsgInfoList *mp) -{ - char path[MAXPATHLEN]; - FILE *f; - char buf[1024]; - int eoh = 0; - - make_path(p, mp, mp->flags & NEW_FLAG, path, sizeof(path)); - f = fopen(path, "r"); - - if(f == NULL) { -#ifdef DEBUG - if(p->debug) - pop_log(p, POP_DEBUG, - "Failed to open message file `%s': %s", - path, strerror(errno)); -#endif - return pop_msg (p, POP_FAILURE, - "Failed to open message file `%s'", path); - } - while(fgets(buf, sizeof(buf), f)) { - if(buf[strlen(buf) - 1] == '\n') - mp->lines++; - mp->length += strlen(buf); - if(eoh) - continue; - if(strcmp(buf, "\n") == 0) - eoh = 1; - parse_header(mp, buf); - } - fclose(f); - return add_missing_headers(p, mp); -} - -static int -scan_dir(POP *p, int new) -{ - char tmp[MAXPATHLEN]; - DIR *dir; - struct dirent *dent; - MsgInfoList *mp = p->mlp; - int n_mp = p->msg_count; - int e; - - make_path(p, NULL, new, tmp, sizeof(tmp)); - mkdir(tmp, 0700); - dir = opendir(tmp); - while((dent = readdir(dir)) != NULL) { - if(strcmp(dent->d_name, ".") == 0 || strcmp(dent->d_name, "..") == 0) - continue; - mp = realloc(mp, (n_mp + 1) * sizeof(*mp)); - if(mp == NULL) { - p->msg_count = 0; - return pop_msg (p, POP_FAILURE, - "Can't build message list for '%s': Out of memory", - p->user); - } - memset(mp + n_mp, 0, sizeof(*mp)); - mp[n_mp].name = strdup(dent->d_name); - if(mp[n_mp].name == NULL) { - p->msg_count = 0; - return pop_msg (p, POP_FAILURE, - "Can't build message list for '%s': Out of memory", - p->user); - } - mp[n_mp].number = n_mp + 1; - mp[n_mp].flags = 0; - if(new) - mp[n_mp].flags |= NEW_FLAG; - e = scan_file(p, &mp[n_mp]); - if(e != POP_SUCCESS) - return e; - p->drop_size += mp[n_mp].length; - n_mp++; - } - closedir(dir); - p->mlp = mp; - p->msg_count = n_mp; - return POP_SUCCESS; -} - -int -pop_maildir_info(POP *p) -{ - int e; - - p->temp_drop[0] = '\0'; - p->mlp = NULL; - p->msg_count = 0; - - e = scan_dir(p, 0); - if(e != POP_SUCCESS) return e; - - e = scan_dir(p, 
1); - if(e != POP_SUCCESS) return e; - return POP_SUCCESS; -} - -int -pop_maildir_update(POP *p) -{ - int i; - char tmp1[MAXPATHLEN], tmp2[MAXPATHLEN]; - for(i = 0; i < p->msg_count; i++) { - make_path(p, &p->mlp[i], p->mlp[i].flags & NEW_FLAG, - tmp1, sizeof(tmp1)); - if(p->mlp[i].flags & DEL_FLAG) { -#ifdef DEBUG - if(p->debug) - pop_log(p, POP_DEBUG, "Removing `%s'", tmp1); -#endif - if(unlink(tmp1) < 0) { -#ifdef DEBUG - if(p->debug) - pop_log(p, POP_DEBUG, "Failed to remove `%s': %s", - tmp1, strerror(errno)); -#endif - /* return failure? */ - } - } else if((p->mlp[i].flags & NEW_FLAG) && - (p->mlp[i].flags & RETR_FLAG)) { - make_path(p, &p->mlp[i], 0, tmp2, sizeof(tmp2)); -#ifdef DEBUG - if(p->debug) - pop_log(p, POP_DEBUG, "Linking `%s' to `%s'", tmp1, tmp2); -#endif - if(link(tmp1, tmp2) == 0) { -#ifdef DEBUG - if(p->debug) - pop_log(p, POP_DEBUG, "Removing `%s'", tmp1); -#endif - if(unlink(tmp1) < 0) { -#ifdef DEBUG - if(p->debug) - pop_log(p, POP_DEBUG, "Failed to remove `%s'", tmp1); -#endif - /* return failure? */ - } - } else { - if(errno == EXDEV) { -#ifdef DEBUG - if(p->debug) - pop_log(p, POP_DEBUG, "Trying to rename `%s' to `%s'", - tmp1, tmp2); -#endif - if(rename(tmp1, tmp2) < 0) { -#ifdef DEBUG - if(p->debug) - pop_log(p, POP_DEBUG, "Failed to rename `%s' to `%s'", - tmp1, tmp2); -#endif - } - } - } - } - } - return(pop_quit(p)); -} - -int -pop_maildir_open(POP *p, MsgInfoList *mp) -{ - char tmp[MAXPATHLEN]; - make_path(p, mp, mp->flags & NEW_FLAG, tmp, sizeof(tmp)); - if(p->drop) - fclose(p->drop); - p->drop = fopen(tmp, "r"); - if(p->drop == NULL) - return pop_msg(p, POP_FAILURE, "Failed to open message file"); - return POP_SUCCESS; -} diff --git a/crypto/heimdal-0.6.3/appl/popper/pop3.rfc1081 b/crypto/heimdal-0.6.3/appl/popper/pop3.rfc1081 deleted file mode 100644 index 08ea6dd143..0000000000 --- a/crypto/heimdal-0.6.3/appl/popper/pop3.rfc1081 +++ /dev/null 
@@ -1,898 +0,0 @@ - - - - - - -Network Working Group M. Rose -Request for Comments: 1081 TWG - November 1988 - - Post Office Protocol - Version 3 - - -Status of this Memo - - This memo suggests a simple method for workstations to dynamically - access mail from a mailbox server. This RFC specifies a proposed - protocol for the Internet community, and requests discussion and - suggestions for improvements. Distribution of this memo is - unlimited. - - This memo is based on RFC 918 (since revised as RFC 937). Although - similar in form to the original Post Office Protocol (POP) proposed - for the Internet community, the protocol discussed in this memo is - similar in spirit to the ideas investigated by the MZnet project at - the University of California, Irvine. - - Further, substantial work was done on examining POP in a PC-based - environment. This work, which resulted in additional functionality - in this protocol, was performed by the ACIS Networking Systems Group - at Stanford University. The author gratefully acknowledges their - interest. - -Introduction - - On certain types of smaller nodes in the Internet it is often - impractical to maintain a message transport system (MTS). For - example, a workstation may not have sufficient resources (cycles, - disk space) in order to permit a SMTP server and associated local - mail delivery system to be kept resident and continuously running. - Similarly, it may be expensive (or impossible) to keep a personal - computer interconnected to an IP-style network for long amounts of - time (the node is lacking the resource known as "connectivity"). - - Despite this, it is often very useful to be able to manage mail on - these smaller nodes, and they often support a user agent (UA) to aid - the tasks of mail handling. To solve this problem, a node which can - support an MTS entity offers a maildrop service to these less endowed - nodes. 
The Post Office Protocol - Version 3 (POP3) is intended to - permit a workstation to dynamically access a maildrop on a server - host in a useful fashion. Usually, this means that the POP3 is used - to allow a workstation to retrieve mail that the server is holding - for it. - - - - -Rose [Page 1] - -RFC 1081 POP3 November 1988 - - - For the remainder of this memo, the term "client host" refers to a - host making use of the POP3 service, while the term "server host" - refers to a host which offers the POP3 service. - -A Short Digression - - This memo does not specify how a client host enters mail into the - transport system, although a method consistent with the philosophy of - this memo is presented here: - - When the user agent on a client host wishes to enter a message - into the transport system, it establishes an SMTP connection to - its relay host (this relay host could be, but need not be, the - POP3 server host for the client host). - - If this method is followed, then the client host appears to the MTS - as a user agent, and should NOT be regarded as a "trusted" MTS entity - in any sense whatsoever. This concept, along with the role of the - POP3 as a part of a split-UA model is discussed later in this memo. - - Initially, the server host starts the POP3 service by listening on - TCP port 110. When a client host wishes to make use of the service, - it establishes a TCP connection with the server host. When the - connection is established, the POP3 server sends a greeting. The - client and POP3 server then exchange commands and responses - (respectively) until the connection is closed or aborted. - - Commands in the POP3 consist of a keyword possibly followed by an - argument. All commands are terminated by a CRLF pair. - - Responses in the POP3 consist of a success indicator and a keyword - possibly followed by additional information. All responses are - terminated by a CRLF pair. 
There are currently two success - indicators: positive ("+OK") and negative ("-ERR"). - - Responses to certain commands are multi-line. In these cases, which - are clearly indicated below, after sending the first line of the - response and a CRLF, any additional lines are sent, each terminated - by a CRLF pair. When all lines of the response have been sent, a - final line is sent, consisting of a termination octet (decimal code - 046, ".") and a CRLF pair. If any line of the multi-line response - begins with the termination octet, the line is "byte-stuffed" by - pre-pending the termination octet to that line of the response. - Hence a multi-line response is terminated with the five octets - "CRLF.CRLF". When examining a multi-line response, the client checks - to see if the line begins with the termination octet. If so and if - octets other than CRLF follow, the the first octet of the line (the - termination octet) is stripped away. If so and if CRLF immediately - - - -Rose [Page 2] - -RFC 1081 POP3 November 1988 - - - follows the termination character, then the response from the POP - server is ended and the line containing ".CRLF" is not considered - part of the multi-line response. - - A POP3 session progresses through a number of states during its - lifetime. Once the TCP connection has been opened and the POP3 - server has sent the greeting, the session enters the AUTHORIZATION - state. In this state, the client must identify itself to the POP3 - server. Once the client has successfully done this, the server - acquires resources associated with the client's maildrop, and the - session enters the TRANSACTION state. In this state, the client - requests actions on the part of the POP3 server. When the client has - finished its transactions, the session enters the UPDATE state. In - this state, the POP3 server releases any resources acquired during - the TRANSACTION state and says goodbye. The TCP connection is then - closed. 
- -The AUTHORIZATION State - - Once the TCP connection has been opened by a POP3 client, the POP3 - server issues a one line greeting. This can be any string terminated - by CRLF. An example might be: - - S. +OK dewey POP3 server ready (Comments to: PostMaster@UDEL.EDU) - - Note that this greeting is a POP3 reply. The POP3 server should - always give a positive response as the greeting. - - The POP3 session is now in the AUTHORIZATION state. The client must - now issue the USER command. If the POP3 server responds with a - positive success indicator ("+OK"), then the client may issue either - the PASS command to complete the authorization, or the QUIT command - to terminate the POP3 session. If the POP3 server responds with a - negative success indicator ("-ERR") to the USER command, then the - client may either issue a new USER command or may issue the QUIT - command. - - When the client issues the PASS command, the POP3 server uses the - argument pair from the USER and PASS commands to determine if the - client should be given access to the appropriate maildrop. If so, - the POP3 server then acquires an exclusive-access lock on the - maildrop. If the lock is successfully acquired, the POP3 server - parses the maildrop into individual messages (read note below), - determines the last message (if any) present in the maildrop that was - referenced by the RETR command, and responds with a positive success - indicator. The POP3 session now enters the TRANSACTION state. If - the lock can not be acquired or the client should is denied access to - the appropriate maildrop or the maildrop can't be parsed for some - - - -Rose [Page 3] - -RFC 1081 POP3 November 1988 - - - reason, the POP3 server responds with a negative success indicator. - (If a lock was acquired but the POP3 server intends to respond with a - negative success indicator, the POP3 server must release the lock - prior to rejecting the command.) 
At this point, the client may - either issue a new USER command and start again, or the client may - issue the QUIT command. - - NOTE: Minimal implementations of the POP3 need only be - able to break a maildrop into its component messages; - they need NOT be able to parse individual messages. - More advanced implementations may wish to have this - capability, for reasons discussed later. - - After the POP3 server has parsed the maildrop into individual - messages, it assigns a message-id to each message, and notes the size - of the message in octets. The first message in the maildrop is - assigned a message-id of "1", the second is assigned "2", and so on, - so that the n'th message in a maildrop is assigned a message-id of - "n". In POP3 commands and responses, all message-id's and message - sizes are expressed in base-10 (i.e., decimal). - - It sets the "highest number accessed" to be that of the last message - referenced by the RETR command. - - Here are summaries for the three POP3 commands discussed thus far: - - USER name - Arguments: a server specific user-id (required) - Restrictions: may only be given in the AUTHORIZATION - state after the POP3 greeting or after an - unsuccessful USER or PASS command - Possible Responses: - +OK name is welcome here - -ERR never heard of name - Examples: - C: USER mrose - S: +OK mrose is a real hoopy frood - ... - C: USER frated - S: -ERR sorry, frated doesn't get his mail here - - PASS string - Arguments: a server/user-id specific password (required) - Restrictions: may only be given in the AUTHORIZATION - state after a successful USER command - Possible Responses: - +OK maildrop locked and ready - -ERR invalid password - - - -Rose [Page 4] - -RFC 1081 POP3 November 1988 - - - -ERR unable to lock maildrop - Examples: - C: USER mrose - S: +OK mrose is a real hoopy frood - C: PASS secret - S: +OK mrose's maildrop has 2 messages - (320 octets) - ... 
- C: USER mrose - S: +OK mrose is a real hoopy frood - C: PASS secret - S: -ERR unable to lock mrose's maildrop, file - already locked - - QUIT - Arguments: none - Restrictions: none - Possible Responses: - +OK - Examples: - C: QUIT - S: +OK dewey POP3 server signing off - - -The TRANSACTION State - - Once the client has successfully identified itself to the POP3 server - and the POP3 server has locked and burst the appropriate maildrop, - the POP3 session is now in the TRANSACTION state. The client may now - issue any of the following POP3 commands repeatedly. After each - command, the POP3 server issues a response. Eventually, the client - issues the QUIT command and the POP3 session enters the UPDATE state. - - Here are the POP3 commands valid in the TRANSACTION state: - - STAT - Arguments: none - Restrictions: may only be given in the TRANSACTION state. - Discussion: - - The POP3 server issues a positive response with a line - containing information for the maildrop. This line is - called a "drop listing" for that maildrop. - - In order to simplify parsing, all POP3 servers are - required to use a certain format for drop listings. - The first octets present must indicate the number of - messages in the maildrop. Following this is the size - - - -Rose [Page 5] - -RFC 1081 POP3 November 1988 - - - of the maildrop in octets. This memo makes no - requirement on what follows the maildrop size. - Minimal implementations should just end that line of - the response with a CRLF pair. More advanced - implementations may include other information. - - NOTE: This memo STRONGLY discourages - implementations from supplying additional - information in the drop listing. Other, - optional, facilities are discussed later on - which permit the client to parse the messages - in the maildrop. - - Note that messages marked as deleted are not counted in - either total. 
- - Possible Responses: - +OK nn mm - Examples: - C: STAT - S: +OK 2 320 - - LIST [msg] - Arguments: a message-id (optionally) If a message-id is - given, it may NOT refer to a message marked as - deleted. - Restrictions: may only be given in the TRANSACTION state. - Discussion: - - If an argument was given and the POP3 server issues a - positive response with a line containing information - for that message. This line is called a "scan listing" - for that message. - - If no argument was given and the POP3 server issues a - positive response, then the response given is - multi-line. After the initial +OK, for each message - in the maildrop, the POP3 server responds with a line - containing information for that message. This line - is called a "scan listing" for that message. - - In order to simplify parsing, all POP3 servers are - required to use a certain format for scan listings. - The first octets present must be the message-id of - the message. Following the message-id is the size of - the message in octets. This memo makes no requirement - on what follows the message size in the scan listing. - Minimal implementations should just end that line of - - - -Rose [Page 6] - -RFC 1081 POP3 November 1988 - - - the response with a CRLF pair. More advanced - implementations may include other information, as - parsed from the message. - - NOTE: This memo STRONGLY discourages - implementations from supplying additional - information in the scan listing. Other, optional, - facilities are discussed later on which permit - the client to parse the messages in the maildrop. - - Note that messages marked as deleted are not listed. - - Possible Responses: - +OK scan listing follows - -ERR no such message - Examples: - C: LIST - S: +OK 2 messages (320 octets) - S: 1 120 - S: 2 200 - S: . - ... - C: LIST 2 - S: +OK 2 200 - ... 
- C: LIST 3 - S: -ERR no such message, only 2 messages in - maildrop - - RETR msg - Arguments: a message-id (required) This message-id may - NOT refer to a message marked as deleted. - Restrictions: may only be given in the TRANSACTION state. - Discussion: - - If the POP3 server issues a positive response, then the - response given is multi-line. After the initial +OK, - the POP3 server sends the message corresponding to the - given message-id, being careful to byte-stuff the - termination character (as with all multi-line - responses). - - If the number associated with this message is higher - than the "highest number accessed" in the maildrop, the - POP3 server updates the "highest number accessed" to - the number associated with this message. - - - - - -Rose [Page 7] - -RFC 1081 POP3 November 1988 - - - Possible Responses: - +OK message follows - -ERR no such message - Examples: - C: RETR 1 - S: +OK 120 octets - S: - S: . - - DELE msg - Arguments: a message-id (required) This message-id - may NOT refer to a message marked as deleted. - Restrictions: may only be given in the TRANSACTION state. - Discussion: - - The POP3 server marks the message as deleted. Any - future reference to the message-id associated with the - message in a POP3 command generates an error. The POP3 - server does not actually delete the message until the - POP3 session enters the UPDATE state. - - If the number associated with this message is higher - than the "highest number accessed" in the maildrop, - the POP3 server updates the "highest number accessed" - to the number associated with this message. - - Possible Responses: - +OK message deleted - -ERR no such message - Examples: - C: DELE 1 - S: +OK message 1 deleted - ... - C: DELE 2 - S: -ERR message 2 already deleted - - NOOP - Arguments: none - Restrictions: may only be given in the TRANSACTION state. - Discussion: - - The POP3 server does nothing, it merely replies with a - positive response. 
- - Possible Responses: - +OK - - - - - -Rose [Page 8] - -RFC 1081 POP3 November 1988 - - - Examples: - C: NOOP - S: +OK - - LAST - Arguments: none - Restrictions: may only be issued in the TRANSACTION state. - Discussion: - - The POP3 server issues a positive response with a line - containing the highest message number which accessed. - Zero is returned in case no message in the maildrop has - been accessed during previous transactions. A client - may thereafter infer that messages, if any, numbered - greater than the response to the LAST command are - messages not yet accessed by the client. - - Possible Response: - +OK nn - - Examples: - C: STAT - S: +OK 4 320 - C: LAST - S: +OK 1 - C: RETR 3 - S: +OK 120 octets - S: - S: . - C: LAST - S: +OK 3 - C: DELE 2 - S: +OK message 2 deleted - C: LAST - S: +OK 3 - C: RSET - S: +OK - C: LAST - S: +OK 1 - - RSET - Arguments: none - Restrictions: may only be given in the TRANSACTION - state. - Discussion: - - If any messages have been marked as deleted by the POP3 - - - -Rose [Page 9] - -RFC 1081 POP3 November 1988 - - - server, they are unmarked. The POP3 server then - replies with a positive response. In addition, the - "highest number accessed" is also reset to the value - determined at the beginning of the POP3 session. - - Possible Responses: - +OK - Examples: - C: RSET - S: +OK maildrop has 2 messages (320 octets) - - - -The UPDATE State - - When the client issues the QUIT command from the TRANSACTION state, - the POP3 session enters the UPDATE state. (Note that if the client - issues the QUIT command from the AUTHORIZATION state, the POP3 - session terminates but does NOT enter the UPDATE state.) - - QUIT - Arguments: none - Restrictions: none - Discussion: - - The POP3 server removes all messages marked as deleted - from the maildrop. It then releases the - exclusive-access lock on the maildrop and replies as - to the success of - these operations. The TCP connection is then closed. 
- - Possible Responses: - +OK - Examples: - C: QUIT - S: +OK dewey POP3 server signing off (maildrop - empty) - ... - C: QUIT - S: +OK dewey POP3 server signing off (2 messages - left) - ... - - -Optional POP3 Commands - - The POP3 commands discussed above must be supported by all minimal - implementations of POP3 servers. - - - -Rose [Page 10] - -RFC 1081 POP3 November 1988 - - - The optional POP3 commands described below permit a POP3 client - greater freedom in message handling, while preserving a simple POP3 - server implementation. - - NOTE: This memo STRONGLY encourages implementations to - support these commands in lieu of developing augmented - drop and scan listings. In short, the philosophy of - this memo is to put intelligence in the part of the - POP3 client and not the POP3 server. - - TOP msg n - Arguments: a message-id (required) and a number. This - message-id may NOT refer to a message marked as - deleted. - Restrictions: may only be given in the TRANSACTION state. - Discussion: - - If the POP3 server issues a positive response, then - the response given is multi-line. After the initial - +OK, the POP3 server sends the headers of the message, - the blank line separating the headers from the body, - and then the number of lines indicated message's body, - being careful to byte-stuff the termination character - (as with all multi-line responses). - - Note that if the number of lines requested by the POP3 - client is greater than than the number of lines in the - body, then the POP3 server sends the entire message. - - Possible Responses: - +OK top of message follows - -ERR no such message - Examples: - C: TOP 10 - S: +OK - S: - S: . - ... 
- C: TOP 100 - S: -ERR no such message - - RPOP user - Arguments: a client specific user-id (required) - Restrictions: may only be given in the AUTHORIZATION - state after a successful USER command; in addition, - may only be given if the client used a reserved - - - -Rose [Page 11] - -RFC 1081 POP3 November 1988 - - - (privileged) TCP port to connect to the server. - Discussion: - - The RPOP command may be used instead of the PASS - command to authenticate access to the maildrop. In - order for this command to be successful, the POP3 - client must use a reserved TCP port (port < 1024) to - connect tothe server. The POP3 server uses the - argument pair from the USER and RPOP commands to - determine if the client should be given access to - the appropriate maildrop. Unlike the PASS command - however, the POP3 server considers if the remote user - specified by the RPOP command who resides on the POP3 - client host is allowed to access the maildrop for the - user specified by the USER command (e.g., on Berkeley - UNIX, the .rhosts mechanism is used). With the - exception of this differing in authentication, this - command is identical to the PASS command. - - Note that the use of this feature has allowed much wider - penetration into numerous hosts on local networks (and - sometimes remote networks) by those who gain illegal - access to computers by guessing passwords or otherwise - breaking into the system. 
- - Possible Responses: - +OK maildrop locked and ready - -ERR permission denied - Examples: - C: USER mrose - S: +OK mrose is a real hoopy frood - C: RPOP mrose - S: +OK mrose's maildrop has 2 messages (320 - octets) - - Minimal POP3 Commands: - USER name valid in the AUTHORIZATION state - PASS string - QUIT - - STAT valid in the TRANSACTION state - LIST [msg] - RETR msg - DELE msg - NOOP - LAST - RSET - - - - -Rose [Page 12] - -RFC 1081 POP3 November 1988 - - - QUIT valid in the UPDATE state - - Optional POP3 Commands: - RPOP user valid in the AUTHORIZATION state - - TOP msg n valid in the TRANSACTION state - - POP3 Replies: - +OK - -ERR - - Note that with the exception of the STAT command, the reply given - by the POP3 server to any command is significant only to "+OK" - and "-ERR". Any text occurring after this reply may be ignored - by the client. - -Example POP3 Session - - S: - ... - C: - S: +OK dewey POP3 server ready (Comments to: PostMaster@UDEL.EDU) - C: USER mrose - S: +OK mrose is a real hoopy frood - C: PASS secret - S: +OK mrose's maildrop has 2 messages (320 octets) - C: STAT - S: +OK 2 320 - C: LIST - S: +OK 2 messages (320 octets) - S: 1 120 - S: 2 200 - S: . - C: RETR 1 - S: +OK 120 octets - S: - S: . - C: DELE 1 - S: +OK message 1 deleted - C: RETR 2 - S: +OK 200 octets - S: - S: . - C: DELE 2 - S: +OK message 2 deleted - C: QUIT - - - - - -Rose [Page 13] - -RFC 1081 POP3 November 1988 - - - S: +OK dewey POP3 server signing off (maildrop empty) - C: - S: - -Message Format - - All messages transmitted during a POP3 session are assumed to conform - to the standard for the format of Internet text messages [RFC822]. - - It is important to note that the byte count for a message on the - server host may differ from the octet count assigned to that message - due to local conventions for designating end-of-line. 
Usually, - during the AUTHORIZATION state of the POP3 session, the POP3 client - can calculate the size of each message in octets when it parses the - maildrop into messages. For example, if the POP3 server host - internally represents end-of-line as a single character, then the - POP3 server simply counts each occurrence of this character in a - message as two octets. Note that lines in the message which start - with the termination octet need not be counted twice, since the POP3 - client will remove all byte-stuffed termination characters when it - receives a multi-line response. - -The POP and the Split-UA model - - The underlying paradigm in which the POP3 functions is that of a - split-UA model. The POP3 client host, being a remote PC based - workstation, acts solely as a client to the message transport system. - It does not provide delivery/authentication services to others. - Hence, it is acting as a UA, on behalf of the person using the - workstation. Furthermore, the workstation uses SMTP to enter mail - into the MTS. - - In this sense, we have two UA functions which interface to the - message transport system: Posting (SMTP) and Retrieval (POP3). The - entity which supports this type of environment is called a split-UA - (since the user agent is split between two hosts which must - interoperate to provide these functions). - - ASIDE: Others might term this a remote-UA instead. - There are arguments supporting the use of both terms. - - This memo has explicitly referenced TCP as the underlying transport - agent for the POP3. This need not be the case. In the MZnet split- - UA, for example, personal micro-computer systems are used which do - not have IP-style networking capability. To connect to the POP3 - server host, a PC establishes a terminal connection using some simple - protocol (PhoneNet). A program on the PC drives the connection, - first establishing a login session as a normal user. 
The login shell - - - -Rose [Page 14] - -RFC 1081 POP3 November 1988 - - - for this pseudo-user is a program which drives the other half of the - terminal protocol and communicates with one of two servers. Although - MZnet can support several PCs, a single pseudo-user login is present - on the server host. The user-id and password for this pseudo-user - login is known to all members of MZnet. Hence, the first action of - the login shell, after starting the terminal protocol, is to demand a - USER/PASS authorization pair from the PC. This second level of - authorization is used to ascertain who is interacting with the MTS. - Although the server host is deemed to support a "trusted" MTS entity, - PCs in MZnet are not. Naturally, the USER/PASS authorization pair - for a PC is known only to the owner of the PC (in theory, at least). - - After successfully verifying the identity of the client, a modified - SMTP server is started, and the PC posts mail with the server host. - After the QUIT command is given to the SMTP server and it terminates, - a modified POP3 server is started, and the PC retrieves mail from the - server host. After the QUIT command is given to the POP3 server and - it terminates, the login shell for the pseudo-user terminates the - terminal protocol and logs the job out. The PC then closes the - terminal connection to the server host. - - The SMTP server used by MZnet is modified in the sense that it knows - that it's talking to a user agent and not a "trusted" entity in the - message transport system. Hence, it does performs the validation - activities normally performed by an entity in the MTS when it accepts - a message from a UA. - - The POP3 server used by MZnet is modified in the sense that it does - not require a USER/PASS combination before entering the TRANSACTION - state. The reason for this (of course) is that the PC has already - identified itself during the second-level authorization step - described above. 
- - NOTE: Truth in advertising laws require that the author - of this memo state that MZnet has not actually been - fully implemented. The concepts presented and proven - by the project led to the notion of the MZnet - split-slot model. This notion has inspired the - split-UA concept described in this memo, led to the - author's interest in the POP, and heavily influenced - the the description of the POP3 herein. - - In fact, some UAs present in the Internet already support the notion - of posting directly to an SMTP server and retrieving mail directly - from a POP server, even if the POP server and client resided on the - same host! - - ASIDE: this discussion raises an issue which this memo - - - -Rose [Page 15] - -RFC 1081 POP3 November 1988 - - - purposedly avoids: how does SMTP know that it's talking - to a "trusted" MTS entity? - -References - - [MZnet] Stefferud, E., J. Sweet, and T. Domae, "MZnet: Mail - Service for Personal Micro-Computer Systems", - Proceedings, IFIP 6.5 International Conference on - Computer Message Systems, Nottingham, U.K., May 1984. - - [RFC821] Postel, J., "Simple Mail Transfer Protocol", - USC/Information Sciences Institute, August 1982. - - [RFC822] Crocker, D., "Standard for the Format of ARPA-Internet - Text Messages", University of Delaware, August 1982. - - [RFC937] Butler, M., J. Postel, D. Chase, J. Goldberger, and J. - Reynolds, "Post Office Protocol - Version 2", RFC 937, - USC/Information Sciences Institute, February 1985. - - [RFC1010] Reynolds, J., and J. Postel, "Assigned Numbers", RFC - 1010, USC/Information Sciences Institute, May 1987. - -Author's Address: - - - Marshall Rose - The Wollongong Group - 1129 San Antonio Rd. - Palo Alto, California 94303 - - Phone: (415) 962-7100 - - Email: MRose@TWG.COM - - - - - - - - - - - - - - - - - -Rose [Page 16] diff --git a/crypto/heimdal-0.6.3/appl/popper/pop3e.rfc1082 b/crypto/heimdal-0.6.3/appl/popper/pop3e.rfc1082 deleted file mode 100644 index ac49448b5e..0000000000 
--- a/crypto/heimdal-0.6.3/appl/popper/pop3e.rfc1082
+++ /dev/null
@@ -1,619 +0,0 @@ - - - - - - -Network Working Group M. Rose -Request for Comments: 1082 TWG - November 1988 - - - - Post Office Protocol - Version 3 - Extended Service Offerings - -Status of This Memo - - This memo suggests a simple method for workstations to dynamically - access mail from a discussion group server, as an extension to an - earlier memo which dealt with dynamically accessing mail from a - mailbox server using the Post Office Protocol - Version 3 (POP3). - This RFC specifies a proposed protocol for the Internet community, - and requests discussion and suggestions for improvements. All of the - extensions described in this memo to the POP3 are OPTIONAL. - Distribution of this memo is unlimited. - -Introduction and Motivation - - It is assumed that the reader is familiar with RFC 1081 that - discusses the Post Office Protocol - Version 3 (POP3) [RFC1081]. - This memo describes extensions to the POP3 which enhance the service - it offers to clients. This additional service permits a client host - to access discussion group mail, which is often kept in a separate - spool area, using the general POP3 facilities. - - The next section describes the evolution of discussion groups and the - technologies currently used to implement them. To summarize: - - o An exploder is used to map from a single address to - a list of addresses which subscribe to the list, and redirects - any subsequent error reports associated with the delivery of - each message. This has two primary advantages: - - Subscribers need know only a single address - - Responsible parties get the error reports and not - the subscribers - - - - - - - - - - - - -Rose [Page 1] - -RFC 1082 POP3 Extended Service November 1988 - - - o Typically, each subscription address is not a person's private - maildrop, but a system-wide maildrop, which can be accessed - by more than one user. 
This has several advantages: - - Only a single copy of each message need traverse the - net for a given site (which may contain several local - hosts). This conserves bandwidth and cycles. - - Only a single copy of each message need reside on each - subscribing host. This conserves disk space. - - The private maildrop for each user is not cluttered - with discussion group mail. - - Despite this optimization of resources, further economy can be - achieved at sites with more than one host. Typically, sites with - more than one host either: - - 1. Replicate discussion group mail on each host. This - results in literally gigabytes of disk space committed to - unnecessarily store redundant information. - - 2. Keep discussion group mail on one host and give all users a - login on that host (in addition to any other logins they may - have). This is usually a gross inconvenience for users who - work on other hosts, or a burden to users who are forced to - work on that host. - - As discussed in [RFC1081], the problem of giving workstations dynamic - access to mail from a mailbox server has been explored in great - detail (originally there was [RFC918], this prompted the author to - write [RFC1081], independently of this [RFC918] was upgraded to - [RFC937]). A natural solution to the problem outlined above is to - keep discussion group mail on a mailbox server at each site and - permit different hosts at that site to employ the POP3 to access - discussion group mail. If implemented properly, this avoids the - problems of both strategies outlined above. - - ASIDE: It might be noted that a good distributed filesystem - could also solve this problem. Sadly, "good" - distributed filesystems, which do not suffer - unacceptable response time for interactive use, are - few and far between these days! - - Given this motivation, now let's consider discussion groups, both in - general and from the point of view of a user agent. 
Following this, - extensions to the POP3 defined in [RFC1081] are presented. Finally, - some additional policy details are discussed along with some initial - experiences. - - - - - -Rose [Page 2] - -RFC 1082 POP3 Extended Service November 1988 - - -What's in a Discussion Group - - Since mailers and user agents first crawled out of the primordial - ARPAnet, the value of discussion groups have been appreciated, - (though their implementation has not always been well-understood). - - Described simply, a discussion group is composed of a number of - subscribers with a common interest. These subscribers post mail to a - single address, known as a distribution address. From this - distribution address, a copy of the message is sent to each - subscriber. Each group has a moderator, which is the person that - administrates the group. The moderator can usually be reached at a - special address, known as a request address. Usually, the - responsibilities of the moderator are quite simple, since the mail - system handles the distribution to subscribers automatically. In - some cases, the interest group, instead of being distributed directly - to its subscribers, is put into a digest format by the moderator and - then sent to the subscribers. Although this requires more work on - the part of the moderator, such groups tend to be better organized. - - Unfortunately, there are a few problems with the scheme outlined - above. First, if two users on the same host subscribe to the same - interest group, two copies of the message get delivered. This is - wasteful of both processor and disk resources. - - Second, some of these groups carry a lot of traffic. Although - subscription to an group does indicate interest on the part of a - subscriber, it is usually not interesting to get 50 messages or so - delivered to the user's private maildrop each day, interspersed with - personal mail, that is likely to be of a much more important and - timely nature. 
- - Third, if a subscriber on the distribution list for a group becomes - "bad" somehow, the originator of the message and not the moderator of - the group is notified. It is not uncommon for a large list to have - 10 or so bogus addresses present. This results in the originator - being flooded with "error messages" from mailers across the Internet - stating that a given address on the list was bad. Needless to say, - the originator usually could not care less if the bogus addresses got - a copy of the message or not. The originator is merely interested in - posting a message to the group at large. Furthermore, the moderator - of the group does care if there are bogus addresses on the list, but - ironically does not receive notification. - - There are various approaches which can be used to solve some or all - of these problems. Usually these involve placing an exploder agent - at the distribution source of the discussion group, which expands the - name of the group into the list of subscription addresses for the - - - -Rose [Page 3] - -RFC 1082 POP3 Extended Service November 1988 - - - group. In the process, the exploder will also change the address - that receives error notifications to be the request address or other - responsible party. - - A complementary approach, used in order to cut down on resource - utilization of all kinds, replaces all the subscribers at a single - host (or group of hosts under a single administration) with a single - address at that host. This address maps to a file on the host, - usually in a spool area, which all users can access. (Advanced - implementations can also implement private discussion groups this - way, in which a single copy of each message is kept, but is - accessible to only a select number of users on the host.) - - The two approaches can be combined to avoid all of the problems - described above. 
- - Finally, a third approach can be taken, which can be used to aid user - agents processing mail for the discussion group: In order to speed - querying of the maildrop which contains the local host's copy of the - discussion group, two other items are usually associated with the - discussion group, on a local basis. These are the maxima and the - last-date. Each time a message is received for the group on the - local host, the maxima is increased by at least one. Furthermore, - when a new maxima is generated, the current date is determined. This - is called the last date. As the message is entered into the local - maildrop, it is given the current maxima and last-date. This permits - the user agent to quickly determine if new messages are present in - the maildrop. - - NOTE: The maxima may be characterized as a monotonically - increasing quanity. Although sucessive values of the - maxima need not be consecutive, any maxima assigned - is always greater than any previously assigned value. 
- -Definition of Terms - - To formalize these notions somewhat, consider the following 7 - parameters which describe a given discussion group from the - perspective of the user agent (the syntax given is from [RFC822]): - - - - - - - - - - - - -Rose [Page 4] - -RFC 1082 POP3 Extended Service November 1988 - - - NAME Meaning: the name of the discussion group - Syntax: TOKEN (ALPHA *[ ALPHA / DIGIT / "-" ]) - (case-insensitive recognition) - Example: unix-wizards - - ALIASES Meaning: alternates names for the group, which - are locally meaningful; these are - typically used to shorten user typein - Syntax: TOKEN (case-insensitive recognition) - Example: uwiz - - ADDRESS Meaning: the primary source of the group - Syntax: 822 address - Example: Unix-Wizards@BRL.MIL - - REQUEST Meaning: the primary moderator of the group - Syntax: 822 address - Example: Unix-Wizards-Request@BRL.MIL - - FLAGS Meaning: locally meaningful flags associated - with the discussion group; this memo - leaves interpretation of this - parameter to each POP3 implementation - Syntax: octal number - Example: 01 - - MAXIMA Meaning: the magic cookie associated with the - last message locally received for the - group; it is the property of the magic - cookie that it's value NEVER - decreases, and increases by at least - one each time a message is locally - received - Syntax: decimal number - Example: 1004 - - LASTDATE Meaning: the date that the last message was - locally received - Syntax: 822 date - Example: Thu, 19 Dec 85 10:26:48 -0800 - - Note that the last two values are locally determined for the maildrop - associated with the discussion group and with each message in that - maildrop. Note however that the last message in the maildrop have a - different MAXIMA and LASTDATE than the discussion group. This often - occurs when the maildrop has been archived. 
- - - - - -Rose [Page 5] - -RFC 1082 POP3 Extended Service November 1988 - - - Finally, some local systems provide mechanisms for automatically - archiving discussion group mail. In some cases, a two-level archive - scheme is used: current mail is kept in the standard maildrop, - recent mail is kept in an archive maildrop, and older mail is kept - off-line. With this scheme, in addition to having a "standard" - maildrop for each discussion group, an "archive" maildrop may also be - available. This permits a user agent to examine the most recent - archive using the same mechanisms as those used on the current mail. - -The XTND Command - - The following commands are valid only in the TRANSACTION state of the - POP3. This implies that the POP3 server has already opened the - user's maildrop (which may be empty). This maildrop is called the - "default maildrop". The phrase "closes the current maildrop" has two - meanings, depending on whether the current maildrop is the default - maildrop or is a maildrop associated with a discussion group. - - In the former context, when the current maildrop is closed any - messages marked as deleted are removed from the maildrop currently in - use. The exclusive-access lock on the maildrop is then released - along with any implementation-specific resources (e.g., file- - descriptors). - - In the latter context, a maildrop associated with a discussion group - is considered to be read-only to the POP3 client. In this case, the - phrase "closes the current maildrop" merely means that any - implementation-specific resources are released. (Hence, the POP3 - command DELE is a no-op.) - - All the new facilities are introduced via a single POP3 command, - XTND. All positive reponses to the XTND command are multi-line. - - The most common multi-line response to the commands contains a - "discussion group listing" which presents the name of the discussion - group along with it's maxima. 
In order to simplify parsing all POP3 - servers are required to use a certain format for discussion group - listings: - - NAME SP MAXIMA - - This memo makes no requirement on what follows the maxima in the - listing. Minimal implementations should just end that line of the - response with a CRLF pair. More advanced implementations may include - other information, as parsed from the message. - - NOTE: This memo STRONGLY discourages implementations from - supplying additional information in the listing. - - - -Rose [Page 6] - -RFC 1082 POP3 Extended Service November 1988 - - - XTND BBOARDS [name] - Arguments: the name of a discussion group (optionally) - Restrictions: may only be given in the TRANSACTION state. - Discussion: - - If an argument was given, the POP3 server closes the current - maildrop. The POP3 server then validates the argument as the name of - a discussion group. If this is successful, it opens the maildrop - associated with the group, and returns a multi-line response - containing the discussion group listing. If the discussion group - named is not valid, or the associated archive maildrop is not - readable by the user, then an error response is returned. - - If no argument was given, the POP3 server issues a multi-line - response. After the initial +OK, for each discussion group known, - the POP3 server responds with a line containing the listing for that - discussion group. Note that only world-readable discussion groups - are included in the multi-line response. - - In order to aid user agents, this memo requires an extension to the - scan listing when an "XTND BBOARDS" command has been given. - Normally, a scan listing, as generated by the LIST, takes the form: - - MSGNO SIZE - - where MSGNO is the number of the message being listed and SIZE is the - size of the message in octets. 
When reading a maildrop accessed via - "XTND BBOARDS", the scan listing takes the form - - MSGNO SIZE MAXIMA - - where MAXIMA is the maxima that was assigned to the message when it - was placed in the BBoard. - - Possible Responses: - +OK XTND - -ERR no such bboard - Examples: - C: XTND BBOARDS - S: +OK XTND - S: system 10 - S: mh-users 100 - S: . - C: XTND BBOARDS system - S: + OK XTND - S: system 10 - S: . - - - - -Rose [Page 7] - -RFC 1082 POP3 Extended Service November 1988 - - - XTND ARCHIVE name - Arguments: the name of a discussion group (required) - Restrictions: may only be given in the TRANSACTION state. - Discussion: - - The POP3 server closes the current maildrop. The POP3 server then - validates the argument as the name of a discussion group. If this is - successful, it opens the archive maildrop associated with the group, - and returns a multi-line response containing the discussion group - listing. If the discussion group named is not valid, or the - associated archive maildrop is not readable by the user, then an - error response is returned. - - In addition, the scan listing generated by the LIST command is - augmented (as described above). - - Possible Responses: - +OK XTND - -ERR no such bboard Examples: - C: XTND ARCHIVE system - S: + OK XTND - S: system 3 - S: . - - XTND X-BBOARDS name - Arguments: the name of a discussion group (required) - Restrictions: may only be given in the TRANSACTION state. - Discussion: - - The POP3 server validates the argument as the name of a - discussion group. If this is unsuccessful, then an error - response is returned. Otherwise a multi-line response is - returned. The first 14 lines of this response (after the - initial +OK) are defined in this memo. Minimal implementations - need not include other information (and may omit certain - information, outputing a bare CRLF pair). More advanced - implementations may include other information. 
- - Line Information (refer to "Definition of Terms") - ---- ----------- - 1 NAME - 2 ALIASES, separated by SP - 3 system-specific: maildrop - 4 system-specific: archive maildrop - 5 system-specific: information - 6 system-specific: maildrop map - 7 system-specific: encrypted password - 8 system-specific: local leaders, separated by SP - - - -Rose [Page 8] - -RFC 1082 POP3 Extended Service November 1988 - - - 9 ADDRESS - 10 REQUEST - 11 system-specific: incoming feed - 12 system-specific: outgoing feeds - 13 FLAGS SP MAXIMA - 14 LASTDATE - - Most of this information is entirely too specific to the UCI Version - of the Rand MH Message Handling System [MRose85]. Nevertheless, - lines 1, 2, 9, 10, 13, and 14 are of general interest, regardless of - the implementation. - - Possible Responses: - +OK XTND - -ERR no such bboard - Examples: - C: XTND X-BBOARDS system - S: + OK XTND - S: system - S: local general - S: /usr/bboards/system.mbox - S: /usr/bboards/archive/system.mbox - S: /usr/bboards/.system.cnt - S: /usr/bboards/.system.map - S: * - S: mother - S: system@nrtc.northrop.com - S: system-request@nrtc.northrop.com - S: - S: dist-system@nrtc-gremlin.northrop.com - S: 01 10 - S: Thu, 19 Dec 85 00:08:49 -0800 - S: . - -Policy Notes - - Depending on the particular entity administrating the POP3 service - host, two additional policies might be implemented: - - 1. Private Discussion Groups - - In the general case, discussion groups are world-readable, any user, - once logged in (via a terminal, terminal server, or POP3, etc.), is - able to read the maildrop for each discussion group known to the POP3 - service host. Nevertheless, it is desirable, usually for privacy - reasons, to implement private discussion groups as well. - - Support of this is consistent with the extensions outlined in this - - - -Rose [Page 9] - -RFC 1082 POP3 Extended Service November 1988 - - - memo. 
Once the AUTHORIZATION state has successfully concluded, the - POP3 server grants the user access to exactly those discussion groups - the POP3 service host permits the authenticated user to access. As a - "security" feature, discussion groups associated with unreadable - maildrops should not be listed in a positive response to the XTND - BBOARDS command. - - 2. Anonymous POP3 Users - - In order to minimize the authentication problem, a policy permitting - "anonymous" access to the world-readable maildrops for discussion - groups on the POP3 server may be implemented. - - Support of this is consistent with the extensions outlined in this - memo. The POP3 server can be modified to accept a USER command for a - well-known pseudonym (i.e., "anonymous") which is valid with any PASS - command. As a "security" feature, it is advisable to limit this kind - of access to only hosts at the local site, or to hosts named in an - access list. - -Experiences and Conclusions - - All of the facilities described in this memo and in [RFC1081] have - been implemented in MH #6.1. Initial experiences have been, on the - whole, very positive. - - After the first implementation, some performance tuning was required. - This consisted primarily of caching the datastructures which describe - discussion groups in the POP3 server. A second optimization - pertained to the client: the program most commonly used to read - BBoards in MH was modified to retrieve messages only when needed. - Two schemes are used: - - o If only the headers (and the first few lines of the body) of - the message are required (e.g., for a scan listing), then only - these are retrieved. The resulting output is then cached, on - a per-message basis. - - o If the entire message is required, then it is retrieved intact, - and cached locally. - - With these optimizations, response time is quite adequate when the - POP3 server and client are connected via a high-speed local area - network. 
In fact, the author uses this mechanism to access certain - private discussion groups over the Internet. In this case, response - is still good. When a 9.6Kbps modem is inserted in the path, - response went from good to almost tolerable (fortunately the author - only reads a few discussion groups in this fashion). - - - -Rose [Page 10] - -RFC 1082 POP3 Extended Service November 1988 - - - To conclude: the POP3 is a good thing, not only for personal mail but - for discussion group mail as well. - - -References - - [RFC1081] Rose, M., "Post Office Protocol - Verison 3 (POP3)", RFC - 1081, TWG, November 1988. - - [MRose85] Rose, M., and J. Romine, "The Rand MH Message Handling - System: User's Manual", University of California, Irvine, - November 1985. - - [RFC822] Crocker, D., "Standard for the Format of ARPA-Internet - Text Messages", RFC 822, University of Delaware, August - 1982. - - [RFC918] Reynolds, J., "Post Office Protocol", RFC 918, - USC/Information Sciences Institute, October 1984. - - [RFC937] Butler, M., J. Postel, D. Chase, J. Goldberger, and J. - Reynolds, "Post Office Protocol - Version 2", RFC 937, - USC/Information Sciences Institute, February 1985. - -Author's Address: - - - Marshall Rose - The Wollongong Group - 1129 San Antonio Rd. - Palo Alto, California 94303 - - Phone: (415) 962-7100 - - Email: MRose@TWG.COM - - - - - - - - - - - - - - - - -Rose [Page 11] - diff --git a/crypto/heimdal-0.6.3/appl/popper/pop_auth.c b/crypto/heimdal-0.6.3/appl/popper/pop_auth.c deleted file mode 100644 index 525beaa381..0000000000 --- a/crypto/heimdal-0.6.3/appl/popper/pop_auth.c +++ /dev/null 
@@ -1,220 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the Kungliga Tekniska
- * Högskolan and its contributors.
- *
- * 4. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include -#include -RCSID("$Id: pop_auth.c,v 1.2 2000/04/12 15:37:45 assar Exp $"); - -#ifdef KRB4 - -enum { - NO_PROT = 1, - INT_PROT = 2, - PRIV_PROT = 4 -}; - -static int -auth_krb4(POP *p) -{ - int ret; - des_cblock key; - u_int32_t nonce, nonce_reply; - u_int32_t max_client_packet; - int protocols = NO_PROT | INT_PROT | PRIV_PROT; - char data[8]; - int len; - char *s; - char instance[INST_SZ]; - KTEXT_ST authent; - des_key_schedule schedule; - struct passwd *pw; - - /* S -> C: 32 bit nonce in MSB base64 */ - - des_new_random_key(&key); - nonce = (key[0] | (key[1] << 8) | (key[2] << 16) | (key[3] << 24) - | key[4] | (key[5] << 8) | (key[6] << 16) | (key[7] << 24)); - krb_put_int(nonce, data, 4, 8); - len = base64_encode(data, 4, &s); - - pop_msg(p, POP_CONTINUE, "%s", s); - free(s); - - /* C -> S: ticket and authenticator */ - - ret = sch_readline(p->input, &s); - if (ret <= 0 || strcmp (s, "*") == 0) - return pop_msg(p, POP_FAILURE, - "authentication aborted by client"); - len = strlen(s); - if (len > sizeof(authent.dat)) { - return pop_msg(p, POP_FAILURE, "data packet too long"); - } - - authent.length = base64_decode(s, authent.dat); - - k_getsockinst (0, instance, sizeof(instance)); - ret = krb_rd_req(&authent, "pop", instance, - p->in_addr.sin_addr.s_addr, - &p->kdata, NULL); - if (ret != 0) { - return pop_msg(p, POP_FAILURE, "rd_req: %s", - krb_get_err_text(ret)); - } - if (p->kdata.checksum != nonce) { - return pop_msg(p, POP_FAILURE, "data stream modified"); - } - - /* S -> C: nonce + 1 | bit | max segment */ - - krb_put_int(nonce + 1, data, 4, 7); - data[4] = protocols; - krb_put_int(1024, data + 5, 3, 3); /* XXX */ - des_key_sched(&p->kdata.session, schedule); - des_pcbc_encrypt((des_cblock*)data, - (des_cblock*)data, 8, - schedule, - &p->kdata.session, - DES_ENCRYPT); - len = base64_encode(data, 8, &s); - pop_msg(p, POP_CONTINUE, "%s", s); - - free(s); - - /* C -> S: nonce | bit | max segment | username */ - - ret = sch_readline(p->input, 
&s); - if (ret <= 0 || strcmp (s, "*") == 0) - return pop_msg(p, POP_FAILURE, - "authentication aborted"); - len = strlen(s); - if (len > sizeof(authent.dat)) { - return pop_msg(p, POP_FAILURE, "data packet too long"); - } - - authent.length = base64_decode(s, authent.dat); - - if (authent.length % 8 != 0) { - return pop_msg(p, POP_FAILURE, "reply is not a multiple of 8 bytes"); - } - - des_key_sched(&p->kdata.session, schedule); - des_pcbc_encrypt((des_cblock*)authent.dat, - (des_cblock*)authent.dat, - authent.length, - schedule, - &p->kdata.session, - DES_DECRYPT); - - krb_get_int(authent.dat, &nonce_reply, 4, 0); - if (nonce_reply != nonce) { - return pop_msg(p, POP_FAILURE, "data stream modified"); - } - protocols &= authent.dat[4]; - krb_get_int(authent.dat + 5, &max_client_packet, 3, 0); - if(authent.dat[authent.length - 1] != '\0') { - return pop_msg(p, POP_FAILURE, "bad format of username"); - } - strncpy (p->user, authent.dat + 8, sizeof(p->user)); - pw = k_getpwnam(p->user); - if (pw == NULL) { - return (pop_msg(p,POP_FAILURE, - "Password supplied for \"%s\" is incorrect.", - p->user)); - } - - if (kuserok(&p->kdata, p->user)) { - pop_log(p, POP_PRIORITY, - "%s: (%s.%s@%s) tried to retrieve mail for %s.", - p->client, p->kdata.pname, p->kdata.pinst, - p->kdata.prealm, p->user); - return(pop_msg(p,POP_FAILURE, - "Popping not authorized")); - } - pop_log(p, POP_INFO, "%s: %s.%s@%s -> %s", - p->ipaddr, - p->kdata.pname, p->kdata.pinst, p->kdata.prealm, - p->user); - ret = pop_login(p, pw); - if (protocols & PRIV_PROT) - ; - else if (protocols & INT_PROT) - ; - else - ; - - return ret; -} -#endif /* KRB4 */ - -#ifdef KRB5 -static int -auth_gssapi(POP *p) -{ - -} -#endif /* KRB5 */ - -/* - * auth: RFC1734 - */ - -static struct { - const char *name; - int (*func)(POP *); -} methods[] = { -#ifdef KRB4 - {"KERBEROS_V4", auth_krb4}, -#endif -#ifdef KRB5 - {"GSSAPI", auth_gssapi}, -#endif - {NULL, NULL} -}; - -int -pop_auth (POP *p) -{ - int i; - - for (i = 0; 
methods[i].name != NULL; ++i) - if (strcasecmp(p->pop_parm[1], methods[i].name) == 0) - return (*methods[i].func)(p); - return pop_msg(p, POP_FAILURE, - "Authentication method %s unknown", p->pop_parm[1]); -} diff --git a/crypto/heimdal-0.6.3/appl/popper/pop_debug.c b/crypto/heimdal-0.6.3/appl/popper/pop_debug.c deleted file mode 100644 index 9a29e4d29a..0000000000 --- a/crypto/heimdal-0.6.3/appl/popper/pop_debug.c +++ /dev/null 
@@ -1,284 +0,0 @@
-/*
- * Copyright (c) 1995 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -/* Tiny program to help debug popper */ - -#include "popper.h" -RCSID("$Id: pop_debug.c,v 1.23 2002/05/02 16:27:16 joda Exp $"); - -static void -loop(int s) -{ - char cmd[1024]; - char buf[1024]; - fd_set fds; - while(1){ - FD_ZERO(&fds); - FD_SET(0, &fds); - FD_SET(s, &fds); - if(select(s+1, &fds, 0, 0, 0) < 0) - err(1, "select"); - if(FD_ISSET(0, &fds)){ - fgets(cmd, sizeof(cmd), stdin); - cmd[strlen(cmd) - 1] = '\0'; - strlcat (cmd, "\r\n", sizeof(cmd)); - write(s, cmd, strlen(cmd)); - } - if(FD_ISSET(s, &fds)){ - int n = read(s, buf, sizeof(buf)); - if(n == 0) - exit(0); - fwrite(buf, n, 1, stdout); - } - } -} - -static int -get_socket (const char *hostname, int port) -{ - int ret; - struct addrinfo *ai, *a; - struct addrinfo hints; - char portstr[NI_MAXSERV]; - - memset (&hints, 0, sizeof(hints)); - hints.ai_socktype = SOCK_STREAM; - snprintf (portstr, sizeof(portstr), "%d", ntohs(port)); - ret = getaddrinfo (hostname, portstr, &hints, &ai); - if (ret) - errx (1, "getaddrinfo %s: %s", hostname, gai_strerror (ret)); - - for (a = ai; a != NULL; a = a->ai_next) { - int s; - - s = socket (a->ai_family, a->ai_socktype, a->ai_protocol); - if (s < 0) - continue; - if (connect (s, a->ai_addr, a->ai_addrlen) < 0) { - close (s); - continue; - } - freeaddrinfo (ai); - return s; - } - err (1, "failed to connect to %s", hostname); -} - -#ifdef KRB4 -static int -doit_v4 (char *host, int port) -{ - KTEXT_ST ticket; - MSG_DAT msg_data; - CREDENTIALS cred; - des_key_schedule sched; - int ret; - int s = get_socket (host, port); - - ret = krb_sendauth(0, - s, - &ticket, - "pop", - host, - krb_realmofhost(host), - getpid(), - &msg_data, - &cred, - sched, - NULL, - NULL, - "KPOPV0.1"); - if(ret) { - warnx("krb_sendauth: %s", krb_get_err_text(ret)); - return 1; - } - loop(s); - return 0; -} -#endif - -#ifdef KRB5 -static int -doit_v5 (char *host, int port) -{ - krb5_error_code ret; - krb5_context context; - krb5_auth_context auth_context = NULL; - krb5_principal server; - 
int s = get_socket (host, port); - - ret = krb5_init_context (&context); - if (ret) - errx (1, "krb5_init_context failed: %d", ret); - - ret = krb5_sname_to_principal (context, - host, - "pop", - KRB5_NT_SRV_HST, - &server); - if (ret) { - warnx ("krb5_sname_to_principal: %s", - krb5_get_err_text (context, ret)); - return 1; - } - ret = krb5_sendauth (context, - &auth_context, - &s, - "KPOPV1.0", - NULL, - server, - 0, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL); - if (ret) { - warnx ("krb5_sendauth: %s", - krb5_get_err_text (context, ret)); - return 1; - } - loop (s); - return 0; -} -#endif - - -#ifdef KRB4 -static int use_v4 = -1; -#endif -#ifdef KRB5 -static int use_v5 = -1; -#endif -static char *port_str; -static int do_version; -static int do_help; - -struct getargs args[] = { -#ifdef KRB4 - { "krb4", '4', arg_flag, &use_v4, "Use Kerberos V4", - NULL }, -#endif -#ifdef KRB5 - { "krb5", '5', arg_flag, &use_v5, "Use Kerberos V5", - NULL }, -#endif - { "port", 'p', arg_string, &port_str, "Use this port", - "number-or-service" }, - { "version", 0, arg_flag, &do_version, "Print version", - NULL }, - { "help", 0, arg_flag, &do_help, NULL, - NULL } -}; - -static void -usage (int ret) -{ - arg_printusage (args, - sizeof(args) / sizeof(args[0]), - NULL, - "hostname"); - exit (ret); -} - -int -main(int argc, char **argv) -{ - int port = 0; - int ret = 1; - int optind = 0; - - setprogname(argv[0]); - - if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv, - &optind)) - usage (1); - - argc -= optind; - argv += optind; - - if (do_help) - usage (0); - - if (do_version) { - print_version (NULL); - return 0; - } - - if (argc < 1) - usage (1); - - if (port_str) { - struct servent *s = roken_getservbyname (port_str, "tcp"); - - if (s) - port = s->s_port; - else { - char *ptr; - - port = strtol (port_str, &ptr, 10); - if (port == 0 && ptr == port_str) - errx (1, "Bad port `%s'", port_str); - port = htons(port); - } - } - if (port == 0) { -#ifdef KRB5 - port = 
krb5_getportbyname (NULL, "kpop", "tcp", 1109); -#elif defined(KRB4) - port = k_getportbyname ("kpop", "tcp", 1109); -#else -#error must define KRB4 or KRB5 -#endif - } - -#if defined(KRB4) && defined(KRB5) - if(use_v4 == -1 && use_v5 == 1) - use_v4 = 0; - if(use_v5 == -1 && use_v4 == 1) - use_v5 = 0; -#endif - -#ifdef KRB5 - if (ret && use_v5) { - ret = doit_v5 (argv[0], port); - } -#endif -#ifdef KRB4 - if (ret && use_v4) { - ret = doit_v4 (argv[0], port); - } -#endif - return ret; -} diff --git a/crypto/heimdal-0.6.3/appl/popper/pop_dele.c b/crypto/heimdal-0.6.3/appl/popper/pop_dele.c deleted file mode 100644 index f1c2952a21..0000000000 --- a/crypto/heimdal-0.6.3/appl/popper/pop_dele.c +++ /dev/null 
@@ -1,107 +0,0 @@
-/*
- * Copyright (c) 1989 Regents of the University of California.
- * All rights reserved. The Berkeley software License Agreement
- * specifies the terms and conditions for redistribution.
- */
-
-#include
-RCSID("$Id: pop_dele.c,v 1.10 1999/08/12 11:35:26 joda Exp $");
-
-/*
- * dele: Delete a message from the POP maildrop
- */
-int
-pop_dele (POP *p)
-{
- MsgInfoList * mp; /* Pointer to message info list */
- int msg_num;
-
- /* Convert the message number parameter to an integer */
- msg_num = atoi(p->pop_parm[1]);
-
- /* Is requested message out of range? */
- if ((msg_num < 1) || (msg_num > p->msg_count))
- return (pop_msg (p,POP_FAILURE,"Message %d does not exist.",msg_num));
-
- /* Get a pointer to the message in the message list */
- mp = &(p->mlp[msg_num-1]);
-
- /* Is the message already flagged for deletion? */
- if (mp->flags & DEL_FLAG)
- return (pop_msg (p,POP_FAILURE,"Message %d has already been deleted.",
- msg_num));
-
- /* Flag the message for deletion */
- mp->flags |= DEL_FLAG;
-
-#ifdef DEBUG
- if(p->debug)
- pop_log(p, POP_DEBUG,
- "Deleting message %u at offset %ld of length %ld\n",
- mp->number, mp->offset, mp->length);
-#endif /* DEBUG */
-
- /* Update the messages_deleted and bytes_deleted counters */
- p->msgs_deleted++;
- p->bytes_deleted += mp->length;
-
- /* Update the last-message-accessed number if it is lower than
- the deleted message */
- if (p->last_msg < msg_num) p->last_msg = msg_num;
-
- return (pop_msg (p,POP_SUCCESS,"Message %d has been deleted.",msg_num));
-}
-
-#ifdef XDELE
-/* delete a range of messages */
-int
-pop_xdele(POP *p)
-{
- MsgInfoList * mp; /* Pointer to message info list */
-
- int msg_min, msg_max;
- int i;
-
-
- msg_min = atoi(p->pop_parm[1]);
- if(p->parm_count == 1)
- msg_max = msg_min;
- else
- msg_max = atoi(p->pop_parm[2]);
-
- if (msg_min < 1)
- return (pop_msg (p,POP_FAILURE,"Message %d does not exist.",msg_min));
- if(msg_max > p->msg_count)
- return (pop_msg (p,POP_FAILURE,"Message %d does not exist.",msg_max));
- for(i = msg_min; i <= msg_max; i++) {
-
- /* Get a pointer to the message in the message list */
- mp = &(p->mlp[i - 1]);
-
- /* Is the message already flagged for deletion? */
- if (mp->flags & DEL_FLAG)
- continue; /* no point in returning error */
- /* Flag the message for deletion */
- mp->flags |= DEL_FLAG;
-
-#ifdef DEBUG
- if(p->debug)
- pop_log(p, POP_DEBUG,
- "Deleting message %u at offset %ld of length %ld\n",
- mp->number, mp->offset, mp->length);
-#endif /* DEBUG */
-
- /* Update the messages_deleted and bytes_deleted counters */
- p->msgs_deleted++;
- p->bytes_deleted += mp->length;
- }
-
- /* Update the last-message-accessed number if it is lower than
- the deleted message */
- if (p->last_msg < msg_max) p->last_msg = msg_max;
-
- return (pop_msg (p,POP_SUCCESS,"Messages %d-%d has been deleted.",
- msg_min, msg_max));
-
-}
-#endif /* XDELE */
diff --git a/crypto/heimdal-0.6.3/appl/popper/pop_dropcopy.c b/crypto/heimdal-0.6.3/appl/popper/pop_dropcopy.c
deleted file mode 100644
index 99ea49d085..0000000000
--- a/crypto/heimdal-0.6.3/appl/popper/pop_dropcopy.c
+++ /dev/null
@@ -1,174 +0,0 @@
-/*
- * Copyright (c) 1989 Regents of the University of California.
- * All rights reserved. The Berkeley software License Agreement
- * specifies the terms and conditions for redistribution.
- */
-
-#include
-RCSID("$Id: pop_dropcopy.c,v 1.26 2002/07/04 14:10:11 joda Exp $");
-
-/*
- * Run as the user in `pwd'
- */
-
-int
-changeuser(POP *p, struct passwd *pwd)
-{
- if(setgid(pwd->pw_gid) < 0) {
- pop_log (p, POP_PRIORITY,
- "Unable to change to gid %u: %s",
- (unsigned)pwd->pw_gid,
- strerror(errno));
- return pop_msg (p, POP_FAILURE,
- "Unable to change gid");
- }
- if(setuid(pwd->pw_uid) < 0) {
- pop_log (p, POP_PRIORITY,
- "Unable to change to uid %u: %s",
- (unsigned)pwd->pw_uid,
- strerror(errno));
- return pop_msg (p, POP_FAILURE,
- "Unable to change uid");
- }
-#ifdef DEBUG
- if(p->debug)
- pop_log(p, POP_DEBUG,"uid = %u, gid = %u",
- (unsigned)getuid(),
- (unsigned)getgid());
-#endif /* DEBUG */
- return POP_SUCCESS;
-}
-
-/*
- * dropcopy: Make a temporary copy of the user's mail drop and
- * save a stream pointer for it.
- */
-
-int
-pop_dropcopy(POP *p, struct passwd *pwp)
-{
- int mfd; /* File descriptor for
- the user's maildrop */
- int dfd; /* File descriptor for
- the SERVER maildrop */
- FILE *tf; /* The temp file */
- char template[POP_TMPSIZE]; /* Temp name holder */
- char buffer[BUFSIZ]; /* Read buffer */
- long offset; /* Old/New boundary */
- int nchar; /* Bytes written/read */
- int tf_fd; /* fd for temp file */
- int ret;
-
- /* Create a temporary maildrop into which to copy the updated maildrop */
- snprintf(p->temp_drop, sizeof(p->temp_drop), POP_DROP,p->user);
-
-#ifdef DEBUG
- if(p->debug)
- pop_log(p,POP_DEBUG,"Creating temporary maildrop '%s'",
- p->temp_drop);
-#endif /* DEBUG */
-
- /* Here we work to make sure the user doesn't cause us to remove or
- * write over existing files by limiting how much work we do while
- * running as root.
- */
-
- strlcpy(template, POP_TMPDROP, sizeof(template));
- if ((tf_fd = mkstemp(template)) < 0 ||
- (tf = fdopen(tf_fd, "w+")) == NULL) {
- pop_log(p,POP_PRIORITY,
- "Unable to create temporary temporary maildrop '%s': %s",template,
- strerror(errno));
- return pop_msg(p,POP_FAILURE,
- "System error, can't create temporary file.");
- }
-
- /* Now give this file to the user */
- chown(template, pwp->pw_uid, pwp->pw_gid);
- chmod(template, 0600);
-
- /* Now link this file to the temporary maildrop. If this fails it
- * is probably because the temporary maildrop already exists. If so,
- * this is ok. We can just go on our way, because by the time we try
- * to write into the file we will be running as the user.
- */
- link(template,p->temp_drop);
- fclose(tf);
- unlink(template);
-
- ret = changeuser(p, pwp);
- if (ret != POP_SUCCESS)
- return ret;
-
- /* Open for append, this solves the crash recovery problem */
- if ((dfd = open(p->temp_drop,O_RDWR|O_APPEND|O_CREAT,0600)) == -1){
- pop_log(p,POP_PRIORITY,
- "Unable to open temporary maildrop '%s': %s",p->temp_drop,
- strerror(errno));
- return pop_msg(p,POP_FAILURE,
- "System error, can't open temporary file, do you own it?");
- }
-
- /* Lock the temporary maildrop */
- if ( flock (dfd, (LOCK_EX | LOCK_NB)) == -1 )
- switch(errno) {
- case EWOULDBLOCK:
- return pop_msg(p,POP_FAILURE,
- "%sMaildrop lock busy! Is another session active?",
- (p->flags & POP_FLAG_CAPA) ? "[IN-USE] " : "");
- /* NOTREACHED */
- default:
- return pop_msg(p,POP_FAILURE,"flock: '%s': %s", p->temp_drop,
- strerror(errno));
- /* NOTREACHED */
- }
-
- /* May have grown or shrunk between open and lock!
- */
- offset = lseek(dfd,0, SEEK_END);
-
- /* Open the user's maildrop, If this fails, no harm in assuming empty */
- if ((mfd = open(p->drop_name,O_RDWR)) > 0) {
-
- /* Lock the maildrop */
- if (flock (mfd, LOCK_EX) == -1) {
- close(mfd) ;
- return pop_msg(p,POP_FAILURE, "flock: '%s': %s", p->temp_drop,
- strerror(errno));
- }
-
- /* Copy the actual mail drop into the temporary mail drop */
- while ( (nchar=read(mfd,buffer,BUFSIZ)) > 0 )
- if ( nchar != write(dfd,buffer,nchar) ) {
- nchar = -1 ;
- break ;
- }
-
- if ( nchar != 0 ) {
- /* Error adding new mail. Truncate to original size,
- and leave the maildrop as is. The user will not
- see the new mail until the error goes away.
- Should let them process the current backlog, in case
- the error is a quota problem requiring deletions! */
- ftruncate(dfd,(int)offset) ;
- } else {
- /* Mail transferred! Zero the mail drop NOW, that we
- do not have to do gymnastics to figure out what's new
- and what is old later */
- ftruncate(mfd,0) ;
- }
-
- /* Close the actual mail drop */
- close (mfd);
- }
-
- /* Acquire a stream pointer for the temporary maildrop */
- if ( (p->drop = fdopen(dfd,"a+")) == NULL ) {
- close(dfd) ;
- return pop_msg(p,POP_FAILURE,"Cannot assign stream for %s",
- p->temp_drop);
- }
-
- rewind (p->drop);
-
- return(POP_SUCCESS);
-}
diff --git a/crypto/heimdal-0.6.3/appl/popper/pop_dropinfo.c b/crypto/heimdal-0.6.3/appl/popper/pop_dropinfo.c
deleted file mode 100644
index 71922d2cb1..0000000000
--- a/crypto/heimdal-0.6.3/appl/popper/pop_dropinfo.c
+++ /dev/null
@@ -1,232 +0,0 @@
-/*
- * Copyright (c) 1989 Regents of the University of California.
- * All rights reserved. The Berkeley software License Agreement
- * specifies the terms and conditions for redistribution.
- */
-
-#include
-RCSID("$Id: pop_dropinfo.c,v 1.24 1999/09/16 20:38:49 assar Exp $");
-
-#if defined(UIDL) || defined(XOVER)
-
-/*
- * Copy the string found after after : into a malloced buffer. Stop
- * copying at end of string or end of line. End of line delimiter is
- * not part of the resulting copy.
- */
-static
-char *
-find_value_after_colon(char *p)
-{
- char *t, *tmp;
-
- for (; *p != 0 && *p != ':'; p++) /* Find : */
- ;
-
- if (*p == 0)
- goto error;
-
- p++; /* Skip over : */
-
- for(; *p == ' ' || *p == '\t'; p++) /* Remove white space */
- ;
-
- for (t = p; *t != 0 && *t != '\n' && *t != '\r'; t++) /* Find end of str */
- ;
-
- tmp = t = malloc(t - p + 1);
- if (tmp == 0)
- goto error;
-
- for (; *p != 0 && *p != '\n' && *p != '\r'; p++, t++) /* Copy characters */
- *t = *p;
- *t = 0; /* Terminate string */
- return tmp;
-
-error:
- return "ErrorUIDL";
-}
-#endif
-
-void
-parse_header(MsgInfoList *mp, char *buffer)
-{
-#if defined(UIDL) || defined(XOVER)
- if (strncasecmp("Message-Id:",buffer, 11) == 0) {
- if (mp->msg_id == NULL)
- mp->msg_id = find_value_after_colon(buffer);
- }
-#ifdef UIDL
- else if (strncasecmp(buffer, "X-UIDL:", 7) == 0) {
- /* Courtesy to Qualcomm, there really is no such
- thing as X-UIDL */
- mp->msg_id = find_value_after_colon(buffer);
- }
-#endif
-#endif
-#ifdef XOVER
- else if (strncasecmp("Subject:", buffer, 8) == 0) {
- if(mp->subject == NULL){
- char *p;
- mp->subject = find_value_after_colon(buffer);
- for(p = mp->subject; *p; p++)
- if(*p == '\t') *p = ' ';
- }
- }
- else if (strncasecmp("From:", buffer, 5) == 0) {
- if(mp->from == NULL){
- char *p;
- mp->from = find_value_after_colon(buffer);
- for(p = mp->from; *p; p++)
- if(*p == '\t') *p = ' ';
- }
- }
- else if (strncasecmp("Date:", buffer, 5) == 0) {
- if(mp->date == NULL){
- char *p;
- mp->date = find_value_after_colon(buffer);
- for(p = mp->date; *p; p++)
- if(*p == '\t') *p = ' ';
- }
- }
-#endif
-}
-
-int
-add_missing_headers(POP *p, MsgInfoList *mp)
-{
-#if defined(UIDL) || defined(XOVER)
- if (mp->msg_id == NULL) {
- asprintf(&mp->msg_id, "no-message-id-%d", mp->number);
- if(mp->msg_id == NULL) {
- fclose (p->drop);
- p->msg_count = 0;
- return pop_msg (p,POP_FAILURE,
- "Can't build message list for '%s': Out of memory",
- p->user);
- }
- }
-#endif
-#ifdef XOVER
- if (mp->subject == NULL)
- mp->subject = "";
- if (mp->from == NULL)
- mp->from = "";
- if (mp->date == NULL)
- mp->date = "";
-#endif
- return POP_SUCCESS;
-}
-
-/*
- * dropinfo: Extract information about the POP maildrop and store
- * it for use by the other POP routines.
- */
-
-int
-pop_dropinfo(POP *p)
-{
- char buffer[BUFSIZ]; /* Read buffer */
- MsgInfoList * mp; /* Pointer to message
- info list */
- int msg_num; /* Current message
- counter */
- int nchar; /* Bytes written/read */
- int blank_line = 1; /* previous line was blank */
- int in_header = 0; /* if we are in a header block */
-
- /* Initialize maildrop status variables in the POP parameter block */
- p->msg_count = 0;
- p->msgs_deleted = 0;
- p->last_msg = 0;
- p->bytes_deleted = 0;
- p->drop_size = 0;
-
- /* Allocate memory for message information structures */
- p->msg_count = ALLOC_MSGS;
- p->mlp = (MsgInfoList *)calloc((unsigned)p->msg_count,sizeof(MsgInfoList));
- if (p->mlp == NULL){
- fclose (p->drop);
- p->msg_count = 0;
- return pop_msg (p,POP_FAILURE,
- "Can't build message list for '%s': Out of memory", p->user);
- }
-
- rewind (p->drop);
-
- /* Scan the file, loading the message information list with
- information about each message */
-
- for (msg_num = p->drop_size = 0, mp = p->mlp - 1;
- fgets(buffer,MAXMSGLINELEN,p->drop);) {
-
- nchar = strlen(buffer);
-
- if (blank_line && strncmp(buffer,"From ",5) == 0) {
- in_header = 1;
- if (++msg_num > p->msg_count) {
- p->mlp=(MsgInfoList *) realloc(p->mlp,
- (p->msg_count+=ALLOC_MSGS)*sizeof(MsgInfoList));
- if (p->mlp == NULL){
- fclose (p->drop);
- p->msg_count = 0;
- return pop_msg (p,POP_FAILURE,
- "Can't build message list for '%s': Out of memory",
- p->user);
- }
- mp = p->mlp + msg_num - 2;
- }
- ++mp;
- mp->number = msg_num;
- mp->length = 0;
- mp->lines = 0;
- mp->offset = ftell(p->drop) - nchar;
- mp->flags = 0;
-#if defined(UIDL) || defined(XOVER)
- mp->msg_id = 0;
-#endif
-#ifdef XOVER
- mp->subject = 0;
- mp->from = 0;
- mp->date = 0;
-#endif
-#ifdef DEBUG
- if(p->debug)
- pop_log(p, POP_DEBUG,
- "Msg %d at offset %ld being added to list",
- mp->number, mp->offset);
-#endif /* DEBUG */
- } else if(in_header)
- parse_header(mp, buffer);
- blank_line = (strncmp(buffer, "\n", nchar) == 0);
- if(blank_line) {
- int e;
- in_header = 0;
- e = add_missing_headers(p, mp);
- if(e != POP_SUCCESS)
- return e;
- }
- mp->length += nchar;
- p->drop_size += nchar;
- mp->lines++;
- }
- p->msg_count = msg_num;
-
-#ifdef DEBUG
- if(p->debug && msg_num > 0) {
- int i;
- for (i = 0, mp = p->mlp; i < p->msg_count; i++, mp++)
-#ifdef UIDL
- pop_log(p,POP_DEBUG,
- "Msg %d at offset %ld is %ld octets long and has %u lines and id %s.",
- mp->number,mp->offset,mp->length,mp->lines, mp->msg_id);
-#else
- pop_log(p,POP_DEBUG,
- "Msg %d at offset %d is %d octets long and has %u lines.",
- mp->number,mp->offset,mp->length,mp->lines);
-#endif
- }
-#endif /* DEBUG */
-
- return(POP_SUCCESS);
-}
diff --git a/crypto/heimdal-0.6.3/appl/popper/pop_get_command.c b/crypto/heimdal-0.6.3/appl/popper/pop_get_command.c
deleted file mode 100644
index f10c3fe53c..0000000000
--- a/crypto/heimdal-0.6.3/appl/popper/pop_get_command.c
+++ /dev/null
@@ -1,153 +0,0 @@
-/*
- * Copyright (c) 1989 Regents of the University of California.
- * All rights reserved. The Berkeley software License Agreement
- * specifies the terms and conditions for redistribution.
- */
-
-#include
-RCSID("$Id: pop_get_command.c,v 1.16 2002/07/04 14:09:47 joda Exp $");
-
-/*
- * get_command: Extract the command from an input line form a POP client
- */
-
-int pop_capa (POP *p);
-static state_table states[] = {
- {auth1, "user", 1, 1, pop_user, {auth1, auth2}},
- {auth2, "pass", 1, 99, pop_pass, {auth1, trans}},
-#ifdef RPOP
- {auth2, "rpop", 1, 1, pop_rpop, {auth1, trans}},
-#endif /* RPOP */
- {auth1, "quit", 0, 0, pop_quit, {halt, halt}},
- {auth2, "quit", 0, 0, pop_quit, {halt, halt}},
-#ifdef CAPA
- {auth1, "capa", 0, 0, pop_capa, {auth1, auth1}},
- {auth2, "capa", 0, 0, pop_capa, {auth2, auth2}},
- {trans, "capa", 0, 0, pop_capa, {trans, trans}},
-#endif
- {trans, "stat", 0, 0, pop_stat, {trans, trans}},
- {trans, "list", 0, 1, pop_list, {trans, trans}},
- {trans, "retr", 1, 1, pop_send, {trans, trans}},
- {trans, "dele", 1, 1, pop_dele, {trans, trans}},
- {trans, "noop", 0, 0, NULL, {trans, trans}},
- {trans, "rset", 0, 0, pop_rset, {trans, trans}},
- {trans, "top", 2, 2, pop_send, {trans, trans}},
- {trans, "last", 0, 0, pop_last, {trans, trans}},
- {trans, "quit", 0, 0, pop_updt, {halt, halt}},
- {trans, "help", 0, 0, pop_help, {trans, trans}},
-#ifdef UIDL
- {trans, "uidl", 0, 1, pop_uidl, {trans, trans}},
-#endif
-#ifdef XOVER
- {trans, "xover", 0, 0, pop_xover, {trans, trans}},
-#endif
-#ifdef XDELE
- {trans, "xdele", 1, 2, pop_xdele, {trans, trans}},
-#endif
- {(state) 0, NULL, 0, 0, NULL, {halt, halt}},
-};
-
-int
-pop_capa (POP *p)
-{
- /* Search for the POP command in the command/state table */
- pop_msg (p,POP_SUCCESS, "Capability list follows");
- fprintf(p->output, "USER\r\n");
- fprintf(p->output, "TOP\r\n");
- fprintf(p->output, "PIPELINING\r\n");
- fprintf(p->output, "EXPIRE NEVER\r\n");
- fprintf(p->output, "RESP-CODES\r\n");
-#ifdef UIDL
- fprintf(p->output, "UIDL\r\n");
-#endif
-#ifdef XOVER
- fprintf(p->output, "XOVER\r\n");
-#endif
-#ifdef XDELE
- fprintf(p->output, "XDELE\r\n");
-#endif
- if(p->CurrentState == trans)
- fprintf(p->output, "IMPLEMENTATION %s-%s\r\n", PACKAGE, VERSION);
- fprintf(p->output,".\r\n");
- fflush(p->output);
-
- p->flags |= POP_FLAG_CAPA;
-
- return(POP_SUCCESS);
-}
-
-state_table *
-pop_get_command(POP *p, char *mp)
-{
- state_table * s;
- char buf[MAXMSGLINELEN];
-
- /* Save a copy of the original client line */
-#ifdef DEBUG
- if(p->debug) strlcpy (buf, mp, sizeof(buf));
-#endif /* DEBUG */
-
- /* Parse the message into the parameter array */
- if ((p->parm_count = pop_parse(p,mp)) < 0) return(NULL);
-
- /* Do not log cleartext passwords */
-#ifdef DEBUG
- if(p->debug){
- if(strcmp(p->pop_command,"pass") == 0)
- pop_log(p,POP_DEBUG,"Received: \"%s xxxxxxxxx\"",p->pop_command);
- else {
- /* Remove trailing */
- buf[strlen(buf)-2] = '\0';
- pop_log(p,POP_DEBUG,"Received: \"%s\"",buf);
- }
- }
-#endif /* DEBUG */
-
- /* Search for the POP command in the command/state table */
- for (s = states; s->command; s++) {
-
- /* Is this a valid command for the current operating state? */
- if (strcmp(s->command,p->pop_command) == 0
- && s->ValidCurrentState == p->CurrentState) {
-
- /* Were too few parameters passed to the command? */
- if (p->parm_count < s->min_parms) {
- pop_msg(p,POP_FAILURE,
- "Too few arguments for the %s command.",
- p->pop_command);
- return NULL;
- }
-
- /* Were too many parameters passed to the command?
- */
- if (p->parm_count > s->max_parms) {
- pop_msg(p,POP_FAILURE,
- "Too many arguments for the %s command.",
- p->pop_command);
- return NULL;
- }
-
- /* Return a pointer to the entry for this command in
- the command/state table */
- return (s);
- }
- }
- /* The client command was not located in the command/state table */
- pop_msg(p,POP_FAILURE,
- "Unknown command: \"%s\".",p->pop_command);
- return NULL;
-}
-
-int
-pop_help (POP *p)
-{
- state_table *s;
-
- pop_msg(p, POP_SUCCESS, "help");
-
- for (s = states; s->command; s++) {
- fprintf (p->output, "%s\r\n", s->command);
- }
- fprintf (p->output, ".\r\n");
- fflush (p->output);
- return POP_SUCCESS;
-}
diff --git a/crypto/heimdal-0.6.3/appl/popper/pop_init.c b/crypto/heimdal-0.6.3/appl/popper/pop_init.c
deleted file mode 100644
index 4f780c7aad..0000000000
--- a/crypto/heimdal-0.6.3/appl/popper/pop_init.c
+++ /dev/null
@@ -1,401 +0,0 @@
-/*
- * Copyright (c) 1989 Regents of the University of California.
- * All rights reserved. The Berkeley software License Agreement
- * specifies the terms and conditions for redistribution.
- */
-
-#include
-RCSID("$Id: pop_init.c,v 1.58.12.1 2003/10/13 12:01:35 lha Exp $");
-
-
-#if defined(KRB4) || defined(KRB5)
-
-static int
-pop_net_read(POP *p, int fd, void *buf, size_t len)
-{
-#ifdef KRB5
- return krb5_net_read(p->context, &fd, buf, len);
-#elif defined(KRB4)
- return krb_net_read(fd, buf, len);
-#endif
-}
-#endif
-
-static char *addr_log;
-
-static void
-pop_write_addr(POP *p, struct sockaddr *addr)
-{
- char ts[32];
- char as[128];
- time_t t;
- FILE *f;
- if(addr_log == NULL)
- return;
- t = time(NULL);
- strftime(ts, sizeof(ts), "%Y%m%d%H%M%S", localtime(&t));
- if(inet_ntop (addr->sa_family, socket_get_address(addr),
- as, sizeof(as)) == NULL) {
- pop_log(p, POP_PRIORITY, "failed to print address");
- return;
- }
-
- f = fopen(addr_log, "a");
- if(f == NULL) {
- pop_log(p, POP_PRIORITY, "failed to open address log (%s)", addr_log);
- return;
- }
- fprintf(f, "%s %s\n", as, ts);
- fclose(f);
-}
-
-#ifdef KRB4
-static int
-krb4_authenticate (POP *p, int s, u_char *buf, struct sockaddr *addr)
-{
- Key_schedule schedule;
- KTEXT_ST ticket;
- char instance[INST_SZ];
- char version[9];
- int auth;
-
- if (memcmp (buf, KRB_SENDAUTH_VERS, 4) != 0)
- return -1;
- if (pop_net_read (p, s, buf + 4,
- KRB_SENDAUTH_VLEN - 4) != KRB_SENDAUTH_VLEN - 4)
- return -1;
- if (memcmp (buf, KRB_SENDAUTH_VERS, KRB_SENDAUTH_VLEN) != 0)
- return -1;
-
- k_getsockinst (0, instance, sizeof(instance));
- auth = krb_recvauth(KOPT_IGNORE_PROTOCOL,
- s,
- &ticket,
- "pop",
- instance,
- (struct sockaddr_in *)addr,
- (struct sockaddr_in *) NULL,
- &p->kdata,
- "",
- schedule,
- version);
-
- if (auth != KSUCCESS) {
- pop_msg(p, POP_FAILURE, "Kerberos authentication failure: %s",
- krb_get_err_text(auth));
- pop_log(p, POP_PRIORITY, "%s: (%s.%s@%s) %s", p->client,
- p->kdata.pname, p->kdata.pinst, p->kdata.prealm,
- krb_get_err_text(auth));
- return -1;
- }
-
-#ifdef DEBUG
- pop_log(p, POP_DEBUG, "%s.%s@%s (%s): ok", p->kdata.pname,
- p->kdata.pinst, p->kdata.prealm, p->ipaddr);
-#endif /* DEBUG */
- return 0;
-}
-#endif /* KRB4 */
-
-#ifdef KRB5
-static int
-krb5_authenticate (POP *p, int s, u_char *buf, struct sockaddr *addr)
-{
- krb5_error_code ret;
- krb5_auth_context auth_context = NULL;
- u_int32_t len;
- krb5_ticket *ticket;
- char *server;
-
- if (memcmp (buf, "\x00\x00\x00\x13", 4) != 0)
- return -1;
- len = (buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | (buf[3]);
-
- if (krb5_net_read(p->context, &s, buf, len) != len)
- return -1;
- if (len != sizeof(KRB5_SENDAUTH_VERSION)
- || memcmp (buf, KRB5_SENDAUTH_VERSION, len) != 0)
- return -1;
-
- ret = krb5_recvauth (p->context,
- &auth_context,
- &s,
- "KPOPV1.0",
- NULL, /* let rd_req figure out what server to use */
- KRB5_RECVAUTH_IGNORE_VERSION,
- NULL,
- &ticket);
- if (ret) {
- pop_log(p, POP_PRIORITY, "krb5_recvauth: %s",
- krb5_get_err_text(p->context, ret));
- return -1;
- }
-
-
- ret = krb5_unparse_name(p->context, ticket->server, &server);
- if(ret) {
- pop_log(p, POP_PRIORITY, "krb5_unparse_name: %s",
- krb5_get_err_text(p->context, ret));
- ret = -1;
- goto out;
- }
- /* does this make sense?
- */
- if(strncmp(server, "pop/", 4) != 0) {
- pop_log(p, POP_PRIORITY,
- "Got ticket for service `%s'", server);
- ret = -1;
- goto out;
- } else if(p->debug)
- pop_log(p, POP_DEBUG,
- "Accepted ticket for service `%s'", server);
- free(server);
- out:
- krb5_auth_con_free (p->context, auth_context);
- krb5_copy_principal (p->context, ticket->client, &p->principal);
- krb5_free_ticket (p->context, ticket);
-
- return ret;
-}
-#endif
-
-static int
-krb_authenticate(POP *p, struct sockaddr *addr)
-{
-#if defined(KRB4) || defined(KRB5)
- u_char buf[BUFSIZ];
-
- if (pop_net_read (p, 0, buf, 4) != 4) {
- pop_msg(p, POP_FAILURE, "Reading four bytes: %s",
- strerror(errno));
- exit (1);
- }
-#ifdef KRB4
- if (krb4_authenticate (p, 0, buf, addr) == 0){
- pop_write_addr(p, addr);
- p->version = 4;
- return POP_SUCCESS;
- }
-#endif
-#ifdef KRB5
- if (krb5_authenticate (p, 0, buf, addr) == 0){
- pop_write_addr(p, addr);
- p->version = 5;
- return POP_SUCCESS;
- }
-#endif
- exit (1);
-
-#endif /* defined(KRB4) || defined(KRB5) */
-
- return(POP_SUCCESS);
-}
-
-static int
-plain_authenticate (POP *p, struct sockaddr *addr)
-{
- return(POP_SUCCESS);
-}
-
-static int kerberos_flag;
-static char *auth_str;
-static int debug_flag;
-static int interactive_flag;
-static char *port_str;
-static char *trace_file;
-static int timeout;
-static int help_flag;
-static int version_flag;
-
-static struct getargs args[] = {
-#if defined(KRB4) || defined(KRB5)
- { "kerberos", 'k', arg_flag, &kerberos_flag, "use kerberos" },
-#endif
- { "auth-mode", 'a', arg_string, &auth_str, "required authentication" },
- { "debug", 'd', arg_flag, &debug_flag },
- { "interactive", 'i', arg_flag, &interactive_flag, "create new socket" },
- { "port", 'p', arg_string, &port_str, "port to listen to", "port" },
- { "trace-file", 't', arg_string, &trace_file, "trace all command to file", "file" },
- { "timeout", 'T', arg_integer, &timeout, "timeout", "seconds" },
- { "address-log", 0, arg_string, &addr_log, "enable address log", "file" },
- { "help", 'h', arg_flag, &help_flag },
- { "version", 'v', arg_flag, &version_flag }
-};
-
-static int num_args = sizeof(args) / sizeof(args[0]);
-
-/*
- * init: Start a Post Office Protocol session
- */
-
-static int
-pop_getportbyname(POP *p, const char *service,
- const char *proto, short def)
-{
-#ifdef KRB5
- return krb5_getportbyname(p->context, service, proto, def);
-#elif defined(KRB4)
- return k_getportbyname(service, proto, htons(def));
-#else
- return htons(default);
-#endif
-}
-
-int
-pop_init(POP *p,int argcount,char **argmessage)
-{
- struct sockaddr_storage cs_ss;
- struct sockaddr *cs = (struct sockaddr *)&cs_ss;
- socklen_t len;
- char * trace_file_name = "/tmp/popper-trace";
- int portnum = 0;
- int optind = 0;
- int error;
-
- /* Initialize the POP parameter block */
- memset (p, 0, sizeof(POP));
-
- setprogname(argmessage[0]);
-
- /* Save my name in a global variable */
- p->myname = (char*)getprogname();
-
- /* Get the name of our host */
- gethostname(p->myhost,MaxHostNameLen);
-
-#ifdef KRB5
- {
- krb5_error_code ret;
-
- ret = krb5_init_context (&p->context);
- if (ret)
- errx (1, "krb5_init_context failed: %d", ret);
-
- krb5_openlog(p->context, p->myname, &p->logf);
- krb5_set_warn_dest(p->context, p->logf);
- }
-#else
- /* Open the log file */
- roken_openlog(p->myname,POP_LOGOPTS,POP_FACILITY);
-#endif
-
- p->auth_level = AUTH_NONE;
-
- if(getarg(args, num_args, argcount, argmessage, &optind)){
- arg_printusage(args, num_args, NULL, "");
- exit(1);
- }
- if(help_flag){
- arg_printusage(args, num_args, NULL, "");
- exit(0);
- }
- if(version_flag){
- print_version(NULL);
- exit(0);
- }
-
- argcount -= optind;
- argmessage += optind;
-
- if (argcount != 0) {
- arg_printusage(args, num_args, NULL, "");
- exit(1);
- }
-
- if(auth_str){
- if (strcmp (auth_str, "none") == 0)
- p->auth_level = AUTH_NONE;
- else if(strcmp(auth_str, "otp") == 0)
- p->auth_level = AUTH_OTP;
- else
- warnx ("bad value for -a: %s", optarg);
- }
- /* Debugging requested */
- p->debug = debug_flag;
-
- if(port_str)
- portnum = htons(atoi(port_str));
- if(trace_file){
- p->debug++;
- if ((p->trace = fopen(trace_file, "a+")) == NULL) {
- pop_log(p, POP_PRIORITY,
- "Unable to open trace file \"%s\", err = %d",
- optarg,errno);
- exit (1);
- }
- trace_file_name = trace_file;
- }
-
-#if defined(KRB4) || defined(KRB5)
- p->kerberosp = kerberos_flag;
-#endif
-
- if(timeout)
- pop_timeout = timeout;
-
- /* Fake inetd */
- if (interactive_flag) {
- if (portnum == 0)
- portnum = p->kerberosp ?
- pop_getportbyname(p, "kpop", "tcp", 1109) :
- pop_getportbyname(p, "pop", "tcp", 110);
- mini_inetd (portnum);
- }
-
- /* Get the address and socket of the client to whom I am speaking */
- len = sizeof(cs_ss);
- if (getpeername(STDIN_FILENO, cs, &len) < 0) {
- pop_log(p,POP_PRIORITY,
- "Unable to obtain socket and address of client, err = %d",errno);
- exit (1);
- }
-
- /* Save the dotted decimal form of the client's IP address
- in the POP parameter block */
- inet_ntop (cs->sa_family, socket_get_address (cs),
- p->ipaddr, sizeof(p->ipaddr));
-
- /* Save the client's port */
- p->ipport = ntohs(socket_get_port (cs));
-
- /* Get the canonical name of the host to whom I am speaking */
- error = getnameinfo_verified (cs, len, p->client, sizeof(p->client),
- NULL, 0, 0);
- if (error) {
- pop_log (p, POP_PRIORITY,
- "getnameinfo: %s", gai_strerror (error));
- strlcpy (p->client, p->ipaddr, sizeof(p->client));
- }
-
- /* Create input file stream for TCP/IP communication */
- if ((p->input = fdopen(STDIN_FILENO,"r")) == NULL){
- pop_log(p,POP_PRIORITY,
- "Unable to open communication stream for input, err = %d",errno);
- exit (1);
- }
-
- /* Create output file stream for TCP/IP communication */
- if ((p->output = fdopen(STDOUT_FILENO,"w")) == NULL){
- pop_log(p,POP_PRIORITY,
- "Unable to open communication stream for output, err = %d",errno);
- exit (1);
- }
-
- pop_log(p,POP_PRIORITY,
- "(v%s) Servicing request from \"%s\" at %s\n",
- VERSION,p->client,p->ipaddr);
-
-#ifdef DEBUG
- if (p->trace)
- pop_log(p,POP_PRIORITY,
- "Tracing session and debugging information in file \"%s\"",
- trace_file_name);
- else if (p->debug)
- pop_log(p,POP_PRIORITY,"Debugging turned on");
-#endif /* DEBUG */
-
-
- if(p->kerberosp)
- return krb_authenticate(p, cs);
- else
- return plain_authenticate(p, cs);
-}
diff --git a/crypto/heimdal-0.6.3/appl/popper/pop_last.c b/crypto/heimdal-0.6.3/appl/popper/pop_last.c
deleted file mode 100644
index 36fdd0d25a..0000000000
--- a/crypto/heimdal-0.6.3/appl/popper/pop_last.c
+++ /dev/null
@@ -1,18 +0,0 @@
-/*
- * Copyright (c) 1989 Regents of the University of California.
- * All rights reserved. The Berkeley software License Agreement
- * specifies the terms and conditions for redistribution.
- */
-
-#include
-RCSID("$Id: pop_last.c,v 1.6 1996/10/28 16:25:28 assar Exp $");
-
-/*
- * last: Display the last message touched in a POP session
- */
-
-int
-pop_last (POP *p)
-{
- return (pop_msg(p,POP_SUCCESS,"%u is the last message seen.",p->last_msg));
-}
diff --git a/crypto/heimdal-0.6.3/appl/popper/pop_list.c b/crypto/heimdal-0.6.3/appl/popper/pop_list.c
deleted file mode 100644
index aa7666a631..0000000000
--- a/crypto/heimdal-0.6.3/appl/popper/pop_list.c
+++ /dev/null
@@ -1,59 +0,0 @@
-/*
- * Copyright (c) 1989 Regents of the University of California.
- * All rights reserved. The Berkeley software License Agreement
- * specifies the terms and conditions for redistribution.
- */
-
-#include
-RCSID("$Id: pop_list.c,v 1.10 1998/04/23 17:37:47 joda Exp $");
-
-/*
- * list: List the contents of a POP maildrop
- */
-
-int
-pop_list (POP *p)
-{
- MsgInfoList * mp; /* Pointer to message info list */
- int i;
- int msg_num;
-
- /* Was a message number provided? */
- if (p->parm_count > 0) {
- msg_num = atoi(p->pop_parm[1]);
-
- /* Is requested message out of range? */
- if ((msg_num < 1) || (msg_num > p->msg_count))
- return (pop_msg (p,POP_FAILURE,
- "Message %d does not exist.",msg_num));
-
- /* Get a pointer to the message in the message list */
- mp = &p->mlp[msg_num-1];
-
- /* Is the message already flagged for deletion? */
- if (mp->flags & DEL_FLAG)
- return (pop_msg (p,POP_FAILURE,
- "Message %d has been deleted.",msg_num));
-
- /* Display message information */
- return (pop_msg(p,POP_SUCCESS,"%d %ld",msg_num,mp->length));
- }
-
- /* Display the entire list of messages */
- pop_msg(p,POP_SUCCESS,
- "%d messages (%ld octets)",
- p->msg_count-p->msgs_deleted,
- p->drop_size-p->bytes_deleted);
-
- /* Loop through the message information list. Skip deleted messages */
- for (i = p->msg_count, mp = p->mlp; i > 0; i--, mp++) {
- if (!(mp->flags & DEL_FLAG))
- fprintf(p->output,"%u %lu\r\n",mp->number,mp->length);
- }
-
- /* "." signals the end of a multi-line transmission */
- fprintf(p->output,".\r\n");
- fflush(p->output);
-
- return(POP_SUCCESS);
-}
diff --git a/crypto/heimdal-0.6.3/appl/popper/pop_log.c b/crypto/heimdal-0.6.3/appl/popper/pop_log.c
deleted file mode 100644
index deb9841d87..0000000000
--- a/crypto/heimdal-0.6.3/appl/popper/pop_log.c
+++ /dev/null
@@ -1,36 +0,0 @@
-/*
- * Copyright (c) 1989 Regents of the University of California.
- * All rights reserved. The Berkeley software License Agreement
- * specifies the terms and conditions for redistribution.
- */
-
-#include
-RCSID("$Id: pop_log.c,v 1.13 1997/10/14 21:59:07 joda Exp $");
-
-/*
- * log: Make a log entry
- */
-
-int
-pop_log(POP *p, int stat, char *format, ...)
-{
- char msgbuf[MAXLINELEN];
- va_list ap;
-
- va_start(ap, format);
- vsnprintf(msgbuf, sizeof(msgbuf), format, ap);
-
- if (p->debug && p->trace) {
- fprintf(p->trace,"%s\n",msgbuf);
- fflush(p->trace);
- } else {
-#ifdef KRB5
- krb5_log(p->context, p->logf, stat, "%s", msgbuf);
-#else
- syslog (stat,"%s",msgbuf);
-#endif
- }
- va_end(ap);
-
- return(stat);
-}
diff --git a/crypto/heimdal-0.6.3/appl/popper/pop_msg.c b/crypto/heimdal-0.6.3/appl/popper/pop_msg.c
deleted file mode 100644
index 12887a49fa..0000000000
--- a/crypto/heimdal-0.6.3/appl/popper/pop_msg.c
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Copyright (c) 1989 Regents of the University of California.
- * All rights reserved. The Berkeley software License Agreement
- * specifies the terms and conditions for redistribution.
- */
-
-#include
-RCSID("$Id: pop_msg.c,v 1.16 1999/09/16 20:38:50 assar Exp $");
-
-/*
- * msg: Send a formatted line to the POP client
- */
-
-int
-pop_msg(POP *p, int stat, char *format, ...)
-{
- char *mp;
- char message[MAXLINELEN];
- va_list ap;
-
- va_start(ap, format);
-
- /* Point to the message buffer */
- mp = message;
-
- /* Format the POP status code at the beginning of the message */
- snprintf (mp, sizeof(message), "%s ",
- (stat == POP_SUCCESS) ? POP_OK : POP_ERR);
-
- /* Point past the POP status indicator in the message message */
- mp += strlen(mp);
-
- /* Append the message (formatted, if necessary) */
- if (format)
- vsnprintf (mp, sizeof(message) - strlen(message),
- format, ap);
-
- /* Log the message if debugging is turned on */
-#ifdef DEBUG
- if (p->debug && stat == POP_SUCCESS)
- pop_log(p,POP_DEBUG,"%s",message);
-#endif /* DEBUG */
-
- /* Log the message if a failure occurred */
- if (stat != POP_SUCCESS)
- pop_log(p,POP_PRIORITY,"%s",message);
-
- /* Append the */
- strlcat(message, "\r\n", sizeof(message));
-
- /* Send the message to the client */
- fputs(message, p->output);
- fflush(p->output);
-
- va_end(ap);
- return(stat);
-}
diff --git a/crypto/heimdal-0.6.3/appl/popper/pop_parse.c b/crypto/heimdal-0.6.3/appl/popper/pop_parse.c
deleted file mode 100644
index 37aef369a9..0000000000
--- a/crypto/heimdal-0.6.3/appl/popper/pop_parse.c
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * Copyright (c) 1989 Regents of the University of California.
- * All rights reserved. The Berkeley software License Agreement
- * specifies the terms and conditions for redistribution.
- */
-
-#include
-RCSID("$Id: pop_parse.c,v 1.9 1999/03/13 21:17:27 assar Exp $");
-
-/*
- * parse: Parse a raw input line from a POP client
- * into null-delimited tokens
- */
-
-int
-pop_parse(POP *p, char *buf)
-{
- char * mp;
- int i;
-
- /* Loop through the POP command array */
- for (mp = buf, i = 0; ; i++) {
-
- /* Skip leading spaces and tabs in the message */
- while (isspace((unsigned char)*mp))mp++;
-
- /* Are we at the end of the message? */
- if (*mp == 0) break;
-
- /* Have we already obtained the maximum allowable parameters? */
- if (i >= MAXPARMCOUNT) {
- pop_msg(p,POP_FAILURE,"Too many arguments supplied.");
- return(-1);
- }
-
- /* Point to the start of the token */
- p->pop_parm[i] = mp;
-
- /* Search for the first space character (end of the token) */
- while (!isspace((unsigned char)*mp) && *mp) mp++;
-
- /* Delimit the token with a null */
- if (*mp) *mp++ = 0;
- }
-
- /* Were any parameters passed at all? */
- if (i == 0) return (-1);
-
- /* Convert the first token (POP command) to lower case */
- strlwr(p->pop_command);
-
- /* Return the number of tokens extracted minus the command itself */
- return (i-1);
-
-}
diff --git a/crypto/heimdal-0.6.3/appl/popper/pop_pass.c b/crypto/heimdal-0.6.3/appl/popper/pop_pass.c
deleted file mode 100644
index cebd78083c..0000000000
--- a/crypto/heimdal-0.6.3/appl/popper/pop_pass.c
+++ /dev/null
@@ -1,220 +0,0 @@ -/* - * Copyright (c) 1989 Regents of the University of California. - * All rights reserved. The Berkeley software License Agreement - * specifies the terms and conditions for redistribution. - */ - -#include -RCSID("$Id: pop_pass.c,v 1.41 2000/04/12 15:37:46 assar Exp $"); - -#ifdef KRB4 -static int -krb4_verify_password (POP *p) -{ - int status; - char lrealm[REALM_SZ]; - char tkt[MaxPathLen]; - - status = krb_get_lrealm(lrealm,1); - if (status == KFAILURE) { - pop_log(p, POP_PRIORITY, "%s: (%s.%s@%s) %s", p->client, - p->kdata.pname, p->kdata.pinst, p->kdata.prealm, - krb_get_err_text(status)); - return 1; - } - snprintf(tkt, sizeof(tkt), "%s_popper.%u", TKT_ROOT, (unsigned)getpid()); - krb_set_tkt_string (tkt); - - status = krb_verify_user(p->user, "", lrealm, - p->pop_parm[1], KRB_VERIFY_SECURE, "pop"); - dest_tkt(); /* no point in keeping the tickets */ - return status; -} -#endif /* KRB4 */ - -#ifdef KRB5 -static int -krb5_verify_password (POP *p) -{ - krb5_preauthtype pre_auth_types[] = {KRB5_PADATA_ENC_TIMESTAMP}; - krb5_get_init_creds_opt get_options; - krb5_verify_init_creds_opt verify_options; - krb5_error_code ret; - krb5_principal client, server; - krb5_creds creds; - - krb5_get_init_creds_opt_init (&get_options); - - krb5_get_init_creds_opt_set_preauth_list (&get_options, - pre_auth_types, - 1); - - krb5_verify_init_creds_opt_init (&verify_options); - - ret = krb5_parse_name (p->context, p->user, &client); - if (ret) { - pop_log(p, POP_PRIORITY, "krb5_parse_name: %s", - krb5_get_err_text (p->context, ret)); - return 1; - } - - ret = krb5_get_init_creds_password (p->context, - &creds, - client, - p->pop_parm[1], - NULL, - NULL, - 0, - NULL, - &get_options); - if (ret) { - pop_log(p, POP_PRIORITY, - "krb5_get_init_creds_password: %s", - krb5_get_err_text (p->context, ret)); - return 1; - } - - ret = krb5_sname_to_principal (p->context, - p->myhost, - "pop", - KRB5_NT_SRV_HST, - &server); - if (ret) { - pop_log(p, POP_PRIORITY, - 
"krb5_get_init_creds_password: %s", - krb5_get_err_text (p->context, ret)); - return 1; - } - - ret = krb5_verify_init_creds (p->context, - &creds, - server, - NULL, - NULL, - &verify_options); - krb5_free_principal (p->context, client); - krb5_free_principal (p->context, server); - krb5_free_creds_contents (p->context, &creds); - return ret; -} -#endif -/* - * pass: Obtain the user password from a POP client - */ - -int -pop_pass (POP *p) -{ - struct passwd *pw; - int i; - struct stat st; - - /* Make one string of all these parameters */ - - for (i = 1; i < p->parm_count; ++i) - p->pop_parm[i][strlen(p->pop_parm[i])] = ' '; - - /* Look for the user in the password file */ - if ((pw = k_getpwnam(p->user)) == NULL) - return (pop_msg(p,POP_FAILURE, - "Password supplied for \"%s\" is incorrect.", - p->user)); - - if (p->kerberosp) { -#ifdef KRB4 - if (p->version == 4) { - if(kuserok (&p->kdata, p->user)) { - pop_log(p, POP_PRIORITY, - "%s: (%s.%s@%s) tried to retrieve mail for %s.", - p->client, p->kdata.pname, p->kdata.pinst, - p->kdata.prealm, p->user); - return(pop_msg(p,POP_FAILURE, - "Popping not authorized")); - } - pop_log(p, POP_INFO, "%s: %s.%s@%s -> %s", - p->ipaddr, - p->kdata.pname, p->kdata.pinst, p->kdata.prealm, - p->user); - } else -#endif /* KRB4 */ -#ifdef KRB5 - if (p->version == 5) { - char *name; - - if (!krb5_kuserok (p->context, p->principal, p->user)) { - pop_log (p, POP_PRIORITY, - "krb5 permission denied"); - return pop_msg(p, POP_FAILURE, - "Popping not authorized"); - } - if(krb5_unparse_name (p->context, p->principal, &name) == 0) { - pop_log(p, POP_INFO, "%s: %s -> %s", - p->ipaddr, name, p->user); - free (name); - } - } else { - pop_log (p, POP_PRIORITY, "kerberos authentication failed"); - return pop_msg (p, POP_FAILURE, - "kerberos authentication failed"); - } -#endif - { } - } else { - /* We don't accept connections from users with null passwords */ - if (pw->pw_passwd == NULL) - return (pop_msg(p, - POP_FAILURE, - "Password supplied 
for \"%s\" is incorrect.", - p->user)); - -#ifdef OTP - if (otp_verify_user (&p->otp_ctx, p->pop_parm[1]) == 0) - /* pass OK */; - else -#endif - /* Compare the supplied password with the password file entry */ - if (p->auth_level != AUTH_NONE) - return pop_msg(p, POP_FAILURE, - "Password supplied for \"%s\" is incorrect.", - p->user); - else if (!strcmp(crypt(p->pop_parm[1], pw->pw_passwd), pw->pw_passwd)) - /* pass OK */; - else { - int ret = -1; -#ifdef KRB4 - ret = krb4_verify_password (p); -#endif -#ifdef KRB5 - if(ret) - ret = krb5_verify_password (p); -#endif - if(ret) - return pop_msg(p, POP_FAILURE, - "Password incorrect"); - } - } - pop_log(p, POP_INFO, "login from %s as %s", - p->ipaddr, p->user); - - /* Build the name of the user's maildrop */ - snprintf(p->drop_name, sizeof(p->drop_name), "%s/%s", POP_MAILDIR, p->user); - - if(stat(p->drop_name, &st) < 0 || !S_ISDIR(st.st_mode)){ - /* Make a temporary copy of the user's maildrop */ - /* and set the group and user id */ - if (pop_dropcopy(p, pw) != POP_SUCCESS) return (POP_FAILURE); - - /* Get information about the maildrop */ - if (pop_dropinfo(p) != POP_SUCCESS) return(POP_FAILURE); - } else { - if(changeuser(p, pw) != POP_SUCCESS) return POP_FAILURE; - if(pop_maildir_info(p) != POP_SUCCESS) return POP_FAILURE; - } - /* Initialize the last-message-accessed number */ - p->last_msg = 0; - - /* Authorization completed successfully */ - return (pop_msg (p, POP_SUCCESS, - "%s has %d message(s) (%ld octets).", - p->user, p->msg_count, p->drop_size)); -} diff --git a/crypto/heimdal-0.6.3/appl/popper/pop_quit.c b/crypto/heimdal-0.6.3/appl/popper/pop_quit.c deleted file mode 100644 index 429b1815dd..0000000000 --- a/crypto/heimdal-0.6.3/appl/popper/pop_quit.c +++ /dev/null 
@@ -1,21 +0,0 @@
-/*
- * Copyright (c) 1989 Regents of the University of California.
- * All rights reserved. The Berkeley software License Agreement
- * specifies the terms and conditions for redistribution.
- */
-
-#include
-RCSID("$Id: pop_quit.c,v 1.7 1996/11/19 22:48:30 assar Exp $");
-
-/*
- * quit: Terminate a POP session
- */
-
-int
-pop_quit (POP *p)
-{
- /* Release the message information list */
- if (p->mlp) free (p->mlp);
-
- return(POP_SUCCESS);
-}
diff --git a/crypto/heimdal-0.6.3/appl/popper/pop_rset.c b/crypto/heimdal-0.6.3/appl/popper/pop_rset.c
deleted file mode 100644
index 6888ebfbad..0000000000
--- a/crypto/heimdal-0.6.3/appl/popper/pop_rset.c
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- * Copyright (c) 1989 Regents of the University of California.
- * All rights reserved. The Berkeley software License Agreement
- * specifies the terms and conditions for redistribution.
- */
-
-#include
-RCSID("$Id: pop_rset.c,v 1.9 1998/04/23 17:38:08 joda Exp $");
-
-/*
- * rset: Unflag all messages flagged for deletion in a POP maildrop
- */
-
-int
-pop_rset (POP *p)
-{
- MsgInfoList * mp; /* Pointer to the message info list */
- int i;
-
- /* Unmark all the messages */
- for (i = p->msg_count, mp = p->mlp; i > 0; i--, mp++)
- mp->flags &= ~DEL_FLAG;
-
- /* Reset the messages-deleted and bytes-deleted counters */
- p->msgs_deleted = 0;
- p->bytes_deleted = 0;
-
- /* Reset the last-message-access flag */
- p->last_msg = 0;
-
- return (pop_msg(p,POP_SUCCESS,"Maildrop has %u messages (%ld octets)",
- p->msg_count, p->drop_size));
-}
diff --git a/crypto/heimdal-0.6.3/appl/popper/pop_send.c b/crypto/heimdal-0.6.3/appl/popper/pop_send.c
deleted file mode 100644
index 166b990a14..0000000000
--- a/crypto/heimdal-0.6.3/appl/popper/pop_send.c
+++ /dev/null
@@ -1,176 +0,0 @@ -/* - * Copyright (c) 1989 Regents of the University of California. - * All rights reserved. The Berkeley software License Agreement - * specifies the terms and conditions for redistribution. - */ - -#include -RCSID("$Id: pop_send.c,v 1.25 1999/03/05 14:14:28 joda Exp $"); - -/* - * sendline: Send a line of a multi-line response to a client. - */ -static int -pop_sendline(POP *p, char *buffer) -{ - char * bp; - - /* Byte stuff lines that begin with the termination octet */ - if (*buffer == POP_TERMINATE) - fputc(POP_TERMINATE,p->output); - - /* Look for a in the buffer */ - if ((bp = strchr(buffer, '\n'))) - *bp = 0; - - /* Send the line to the client */ - fputs(buffer,p->output); - -#ifdef DEBUG - if(p->debug) - pop_log(p,POP_DEBUG,"Sending line \"%s\"",buffer); -#endif /* DEBUG */ - - /* Put a if a newline was removed from the buffer */ - if (bp) - fputs ("\r\n",p->output); - return bp != NULL; -} - -/* - * send: Send the header and a specified number of lines - * from a mail message to a POP client. - */ - -int -pop_send(POP *p) -{ - MsgInfoList * mp; /* Pointer to message info list */ - int msg_num; - int msg_lines; - char buffer[MAXMSGLINELEN]; -#ifdef RETURN_PATH_HANDLING - char * return_path_adr; - char * return_path_end; - int return_path_sent; - int return_path_linlen; -#endif - int sent_nl = 0; - - /* Convert the first parameter into an integer */ - msg_num = atoi(p->pop_parm[1]); - - /* Is requested message out of range? */ - if ((msg_num < 1) || (msg_num > p->msg_count)) - return (pop_msg (p,POP_FAILURE,"Message %d does not exist.",msg_num)); - - /* Get a pointer to the message in the message list */ - mp = &p->mlp[msg_num-1]; - - /* Is the message flagged for deletion? 
*/ - if (mp->flags & DEL_FLAG) - return (pop_msg (p,POP_FAILURE, - "Message %d has been deleted.",msg_num)); - - /* If this is a TOP command, get the number of lines to send */ - if (strcmp(p->pop_command, "top") == 0) { - /* Convert the second parameter into an integer */ - msg_lines = atoi(p->pop_parm[2]); - } - else { - /* Assume that a RETR (retrieve) command was issued */ - msg_lines = -1; - /* Flag the message as retreived */ - mp->flags |= RETR_FLAG; - } - - /* Display the number of bytes in the message */ - pop_msg(p, POP_SUCCESS, "%ld octets", mp->length); - - if(IS_MAILDIR(p)) { - int e = pop_maildir_open(p, mp); - if(e != POP_SUCCESS) - return e; - } - - /* Position to the start of the message */ - fseek(p->drop, mp->offset, 0); - - return_path_sent = 0; - - if(!IS_MAILDIR(p)) { - /* Skip the first line (the sendmail "From" line) */ - fgets (buffer,MAXMSGLINELEN,p->drop); - -#ifdef RETURN_PATH_HANDLING - if (strncmp(buffer,"From ",5) == 0) { - return_path_linlen = strlen(buffer); - for (return_path_adr = buffer+5; - (*return_path_adr == ' ' || *return_path_adr == '\t') && - return_path_adr < buffer + return_path_linlen; - return_path_adr++) - ; - if (return_path_adr < buffer + return_path_linlen) { - if ((return_path_end = strchr(return_path_adr, ' ')) != NULL) - *return_path_end = '\0'; - if (strlen(return_path_adr) != 0 && *return_path_adr != '\n') { - static char tmpbuf[MAXMSGLINELEN + 20]; - if (snprintf (tmpbuf, - sizeof(tmpbuf), - "Return-Path: %s\n", - return_path_adr) < MAXMSGLINELEN) { - pop_sendline (p,tmpbuf); - if (hangup) - return pop_msg (p, POP_FAILURE, - "SIGHUP or SIGPIPE flagged"); - return_path_sent++; - } - } - } - } -#endif - } - - /* Send the header of the message followed by a blank line */ - while (fgets(buffer,MAXMSGLINELEN,p->drop)) { -#ifdef RETURN_PATH_HANDLING - /* Don't send existing Return-Path-header if already sent own */ - if (!return_path_sent || strncasecmp(buffer, "Return-Path:", 12) != 0) -#endif - sent_nl = 
pop_sendline (p,buffer); - /* A single newline (blank line) signals the - end of the header. sendline() converts this to a NULL, - so that's what we look for. */ - if (*buffer == 0) break; - if (hangup) - return (pop_msg (p,POP_FAILURE,"SIGHUP or SIGPIPE flagged")); - } - /* Send the message body */ - { - int blank_line = 1; - while (fgets(buffer, MAXMSGLINELEN-1, p->drop)) { - /* Look for the start of the next message */ - if (!IS_MAILDIR(p) && blank_line && strncmp(buffer,"From ",5) == 0) - break; - blank_line = (strncmp(buffer, "\n", 1) == 0); - /* Decrement the lines sent (for a TOP command) */ - if (msg_lines >= 0 && msg_lines-- == 0) break; - sent_nl = pop_sendline(p,buffer); - if (hangup) - return (pop_msg (p,POP_FAILURE,"SIGHUP or SIGPIPE flagged")); - } - /* add missing newline at end */ - if(!sent_nl) - fputs("\r\n", p->output); - /* some pop-clients want a blank line at the end of the - message, we always add one here, but what the heck -- in - outer (white) space, no one can hear you scream */ - if(IS_MAILDIR(p)) - fputs("\r\n", p->output); - } - /* "." signals the end of a multi-line transmission */ - fputs(".\r\n",p->output); - fflush(p->output); - - return(POP_SUCCESS); -} diff --git a/crypto/heimdal-0.6.3/appl/popper/pop_stat.c b/crypto/heimdal-0.6.3/appl/popper/pop_stat.c deleted file mode 100644 index 9ab2800b0f..0000000000 --- a/crypto/heimdal-0.6.3/appl/popper/pop_stat.c +++ /dev/null 
@@ -1,26 +0,0 @@
-/*
- * Copyright (c) 1989 Regents of the University of California.
- * All rights reserved. The Berkeley software License Agreement
- * specifies the terms and conditions for redistribution.
- */
-
-#include
-RCSID("$Id: pop_stat.c,v 1.7 1997/05/11 11:04:35 assar Exp $");
-
-/*
- * stat: Display the status of a POP maildrop to its client
- */
-
-int
-pop_stat (POP *p)
-{
-#ifdef DEBUG
- if (p->debug) pop_log(p,POP_DEBUG,"%d message(s) (%ld octets).",
- p->msg_count-p->msgs_deleted,
- p->drop_size-p->bytes_deleted);
-#endif /* DEBUG */
- return (pop_msg (p,POP_SUCCESS,
- "%d %ld",
- p->msg_count-p->msgs_deleted,
- p->drop_size-p->bytes_deleted));
-}
diff --git a/crypto/heimdal-0.6.3/appl/popper/pop_uidl.c b/crypto/heimdal-0.6.3/appl/popper/pop_uidl.c
deleted file mode 100644
index 42dc12deba..0000000000
--- a/crypto/heimdal-0.6.3/appl/popper/pop_uidl.c
+++ /dev/null
@@ -1,88 +0,0 @@ -/* - * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include -RCSID("$Id: pop_uidl.c,v 1.9 1999/12/02 16:58:33 joda Exp $"); - -#ifdef UIDL -/* - * uidl: Uidl the contents of a POP maildrop - */ - -int -pop_uidl (POP *p) -{ - MsgInfoList * mp; /* Pointer to message info list */ - int i; - int msg_num; - - /* Was a message number provided? 
*/ - if (p->parm_count > 0) { - msg_num = atoi(p->pop_parm[1]); - - /* Is requested message out of range? */ - if ((msg_num < 1) || (msg_num > p->msg_count)) - return (pop_msg (p,POP_FAILURE, - "Message %d does not exist.",msg_num)); - - /* Get a pointer to the message in the message list */ - mp = &p->mlp[msg_num-1]; - - /* Is the message already flagged for deletion? */ - if (mp->flags & DEL_FLAG) - return (pop_msg (p,POP_FAILURE, - "Message %d has been deleted.",msg_num)); - - /* Display message information */ - return (pop_msg(p,POP_SUCCESS,"%u %s",msg_num,mp->msg_id)); - } - - /* Display the entire list of messages */ - pop_msg(p,POP_SUCCESS, - "%d messages (%ld octets)", - p->msg_count-p->msgs_deleted, - p->drop_size-p->bytes_deleted); - - /* Loop through the message information list. Skip deleted messages */ - for (i = p->msg_count, mp = p->mlp; i > 0; i--, mp++) { - if (!(mp->flags & DEL_FLAG)) - fprintf(p->output,"%u %s\r\n",mp->number,mp->msg_id); - } - - /* "." signals the end of a multi-line transmission */ - fprintf(p->output,".\r\n"); - fflush(p->output); - - return(POP_SUCCESS); -} -#endif /* UIDL */ diff --git a/crypto/heimdal-0.6.3/appl/popper/pop_updt.c b/crypto/heimdal-0.6.3/appl/popper/pop_updt.c deleted file mode 100644 index 013013257d..0000000000 --- a/crypto/heimdal-0.6.3/appl/popper/pop_updt.c +++ /dev/null 
@@ -1,199 +0,0 @@ -/* - * Copyright (c) 1989 Regents of the University of California. - * All rights reserved. The Berkeley software License Agreement - * specifies the terms and conditions for redistribution. - */ - -#include -RCSID("$Id: pop_updt.c,v 1.19 1998/04/23 18:36:51 joda Exp $"); - -static char standard_error[] = - "Error error updating primary drop. Mailbox unchanged"; - -/* - * updt: Apply changes to a user's POP maildrop - */ - -int -pop_updt (POP *p) -{ - FILE * md; /* Stream pointer for - the user's maildrop */ - int mfd; /* File descriptor for - above */ - char buffer[BUFSIZ]; /* Read buffer */ - - MsgInfoList * mp; /* Pointer to message - info list */ - int msg_num; /* Current message - counter */ - int status_written; /* Status header field - written */ - int nchar; /* Bytes read/written */ - - long offset; /* New mail offset */ - - int blank_line; - -#ifdef DEBUG - if (p->debug) { - pop_log(p,POP_DEBUG,"Performing maildrop update..."); - pop_log(p,POP_DEBUG,"Checking to see if all messages were deleted"); - } -#endif /* DEBUG */ - - if(IS_MAILDIR(p)) - return pop_maildir_update(p); - - if (p->msgs_deleted == p->msg_count) { - /* Truncate before close, to avoid race condition, DO NOT UNLINK! 
- Another process may have opened, and not yet tried to lock */ - ftruncate ((int)fileno(p->drop),0); - fclose(p->drop) ; - return (POP_SUCCESS); - } - -#ifdef DEBUG - if (p->debug) - pop_log(p,POP_DEBUG,"Opening mail drop \"%s\"",p->drop_name); -#endif /* DEBUG */ - - /* Open the user's real maildrop */ - if ((mfd = open(p->drop_name,O_RDWR|O_CREAT,0600)) == -1 || - (md = fdopen(mfd,"r+")) == NULL) { - return pop_msg(p,POP_FAILURE,standard_error); - } - - /* Lock the user's real mail drop */ - if ( flock(mfd, LOCK_EX) == -1 ) { - fclose(md) ; - return pop_msg(p,POP_FAILURE, "flock: '%s': %s", p->temp_drop, - strerror(errno)); - } - - /* Go to the right places */ - offset = lseek((int)fileno(p->drop),0,SEEK_END) ; - - /* Append any messages that may have arrived during the session - to the temporary maildrop */ - while ((nchar=read(mfd,buffer,BUFSIZ)) > 0) - if ( nchar != write((int)fileno(p->drop),buffer,nchar) ) { - nchar = -1; - break ; - } - if ( nchar != 0 ) { - fclose(md) ; - ftruncate((int)fileno(p->drop),(int)offset) ; - fclose(p->drop) ; - return pop_msg(p,POP_FAILURE,standard_error); - } - - rewind(md); - lseek(mfd,0,SEEK_SET); - ftruncate(mfd,0) ; - - /* Synch stdio and the kernel for the POP drop */ - rewind(p->drop); - lseek((int)fileno(p->drop),0,SEEK_SET); - - /* Transfer messages not flagged for deletion from the temporary - maildrop to the new maildrop */ -#ifdef DEBUG - if (p->debug) - pop_log(p,POP_DEBUG,"Creating new maildrop \"%s\" from \"%s\"", - p->drop_name,p->temp_drop); -#endif /* DEBUG */ - - for (msg_num = 0; msg_num < p->msg_count; ++msg_num) { - - int doing_body; - - /* Get a pointer to the message information list */ - mp = &p->mlp[msg_num]; - - if (mp->flags & DEL_FLAG) { -#ifdef DEBUG - if(p->debug) - pop_log(p,POP_DEBUG, - "Message %d flagged for deletion.",mp->number); -#endif /* DEBUG */ - continue; - } - - fseek(p->drop,mp->offset,0); - -#ifdef DEBUG - if(p->debug) - pop_log(p,POP_DEBUG,"Copying message %d.",mp->number); -#endif 
/* DEBUG */ - blank_line = 1; - for(status_written = doing_body = 0 ; - fgets(buffer,MAXMSGLINELEN,p->drop);) { - - if (doing_body == 0) { /* Header */ - - /* Update the message status */ - if (strncasecmp(buffer,"Status:",7) == 0) { - if (mp->flags & RETR_FLAG) - fputs("Status: RO\n",md); - else - fputs(buffer, md); - status_written++; - continue; - } - /* A blank line signals the end of the header. */ - if (*buffer == '\n') { - doing_body = 1; - if (status_written == 0) { - if (mp->flags & RETR_FLAG) - fputs("Status: RO\n\n",md); - else - fputs("Status: U\n\n",md); - } - else fputs ("\n", md); - continue; - } - /* Save another header line */ - fputs (buffer, md); - } - else { /* Body */ - if (blank_line && strncmp(buffer,"From ",5) == 0) break; - fputs (buffer, md); - blank_line = (*buffer == '\n'); - } - } - } - - /* flush and check for errors now! The new mail will writen - without stdio, since we need not separate messages */ - - fflush(md) ; - if (ferror(md)) { - ftruncate(mfd,0) ; - fclose(md) ; - fclose(p->drop) ; - return pop_msg(p,POP_FAILURE,standard_error); - } - - /* Go to start of new mail if any */ - lseek((int)fileno(p->drop),offset,SEEK_SET); - - while((nchar=read((int)fileno(p->drop),buffer,BUFSIZ)) > 0) - if ( nchar != write(mfd,buffer,nchar) ) { - nchar = -1; - break ; - } - if ( nchar != 0 ) { - ftruncate(mfd,0) ; - fclose(md) ; - fclose(p->drop) ; - return pop_msg(p,POP_FAILURE,standard_error); - } - - /* Close the maildrop and empty temporary maildrop */ - fclose(md); - ftruncate((int)fileno(p->drop),0); - fclose(p->drop); - - return(pop_quit(p)); -} diff --git a/crypto/heimdal-0.6.3/appl/popper/pop_user.c b/crypto/heimdal-0.6.3/appl/popper/pop_user.c deleted file mode 100644 index be771e690c..0000000000 --- a/crypto/heimdal-0.6.3/appl/popper/pop_user.c +++ /dev/null 
@@ -1,36 +0,0 @@
-/*
- * Copyright (c) 1989 Regents of the University of California.
- * All rights reserved. The Berkeley software License Agreement
- * specifies the terms and conditions for redistribution.
- */
-
-#include
-RCSID("$Id: pop_user.c,v 1.15 1999/09/16 20:38:50 assar Exp $");
-
-/*
- * user: Prompt for the user name at the start of a POP session
- */
-
-int
-pop_user (POP *p)
-{
- char ss[256];
-
- strlcpy(p->user, p->pop_parm[1], sizeof(p->user));
-
-#ifdef OTP
- if (otp_challenge (&p->otp_ctx, p->user, ss, sizeof(ss)) == 0) {
- return pop_msg(p, POP_SUCCESS, "Password %s required for %s.",
- ss, p->user);
- } else
-#endif
- if (p->auth_level != AUTH_NONE) {
- char *s = NULL;
-#ifdef OTP
- s = otp_error(&p->otp_ctx);
-#endif
- return pop_msg(p, POP_FAILURE, "Permission denied%s%s",
- s ? ":" : "", s ? s : "");
- } else
- return pop_msg(p, POP_SUCCESS, "Password required for %s.", p->user);
-}
diff --git a/crypto/heimdal-0.6.3/appl/popper/pop_xover.c b/crypto/heimdal-0.6.3/appl/popper/pop_xover.c
deleted file mode 100644
index 94936f9839..0000000000
--- a/crypto/heimdal-0.6.3/appl/popper/pop_xover.c
+++ /dev/null
@@ -1,37 +0,0 @@
-#include
-RCSID("$Id: pop_xover.c,v 1.4 1998/04/23 17:39:31 joda Exp $");
-
-int
-pop_xover (POP *p)
-{
-#ifdef XOVER
- MsgInfoList * mp; /* Pointer to message info list */
- int i;
-
- pop_msg(p,POP_SUCCESS,
- "%d messages (%ld octets)",
- p->msg_count-p->msgs_deleted,
- p->drop_size-p->bytes_deleted);
-
- /* Loop through the message information list. Skip deleted messages */
- for (i = p->msg_count, mp = p->mlp; i > 0; i--, mp++) {
- if (!(mp->flags & DEL_FLAG))
- fprintf(p->output,"%u\t%s\t%s\t%s\t%s\t%lu\t%u\r\n",
- mp->number,
- mp->subject,
- mp->from,
- mp->date,
- mp->msg_id,
- mp->length,
- mp->lines);
- }
-
- /* "." signals the end of a multi-line transmission */
- fprintf(p->output,".\r\n");
- fflush(p->output);
-
- return(POP_SUCCESS);
-#else
- return pop_msg(p, POP_FAILURE, "Command not implemented.");
-#endif
-}
diff --git a/crypto/heimdal-0.6.3/appl/popper/popper.8 b/crypto/heimdal-0.6.3/appl/popper/popper.8
deleted file mode 100644
index 2e04825601..0000000000
--- a/crypto/heimdal-0.6.3/appl/popper/popper.8
+++ /dev/null
@@ -1,121 +0,0 @@ -.\" Copyright (c) 2001 - 2003 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. 
-.\" -.\" $Id: popper.8,v 1.10 2003/04/16 20:49:54 lha Exp $ -.\" -.Dd April 16, 2003 -.Dt POPPER 8 -.Os HEIMDAL -.Sh NAME -.Nm popper -.Nd -POP3 server -.Sh SYNOPSIS -.Nm -.Op Fl k -.Op Fl a Ar none Ns \*(Ba Ns otp -.Op Fl t Ar file -.Op Fl T Ar seconds -.Op Fl d -.Op Fl i -.Op Fl p Ar port -.Op Fl -address-log= Ns Pa file -.Sh DESCRIPTION -.Nm -serves mail via the Post Office Protocol. Supported options include: -.Bl -tag -width Ds -.It Xo -.Fl a Ar none Ns \*(Ba Ns otp , -.Fl -auth-mode= Ns Ar none Ns \*(Ba Ns otp -.Xc -tells -.Nm -what authentication modes are acceptable, passing -.Ar otp -disables clear text passwords. Otp doesn't disable Kerberos -authentication, only cleartext passwords. -.It Xo -.Fl -address-log= Ns Pa file -.Xc -logs the addresses of all clients to the specified file -.It Xo -.Fl d , -.Fl -debug -.Xc -enables more verbose log messages -.It Xo -.Fl i , -.Fl -interactive -.Xc -when not started by inetd, this flag tells -.Nm -that it has to create a socket by itself -.It Xo -.Fl k , -.Fl -kerberos -.Xc -tells -.Nm -to use the Kerberos for authentication. -.It Xo -.Fl p Ar port , -.Fl -port= Ns Ar port -.Xc -port to listen to, in combination with -.Fl i -.It Xo -.Fl t Ar file , -.Fl -trace-file= Ns Ar file -.Xc -trace all commands to file -.It Xo -.Fl T Ar seconds , -.Fl -timeout= Ns Ar seconds -.Xc -set timeout to something other than the default of 120 seconds -.El -.\".Sh ENVIRONMENT -.\".Sh FILES -.\".Sh EXAMPLES -.\".Sh DIAGNOSTICS -.Sh SEE ALSO -.Xr push 8 , -.Xr movemail 8 -.Sh STANDARDS -RFC1939 (Post Office Protocol - Version 3) -.\" RFC2449 (POP3 Extension Mechanism) -.\".Sh HISTORY -.Sh AUTHORS -The server was initially developed at the University of California, -Berkeley. -.Pp -Many changes have been made as part of the KTH Kerberos distributions. -.\".Sh BUGS 
diff --git a/crypto/heimdal-0.6.3/appl/popper/popper.README.release b/crypto/heimdal-0.6.3/appl/popper/popper.README.release deleted file mode 100644 index c0b313ecd9..0000000000 --- a/crypto/heimdal-0.6.3/appl/popper/popper.README.release +++ /dev/null @@ -1,45 +0,0 @@ -Release Notes: - -popper-1.831beta is no longer beta 30 July 91 - Removed popper-1.7.tar.Z - -popper-1.831beta.tar.Z 03 April 91 - Changed mkstemp to mktemp for Ultrix. Sigh. - -popper-1.83beta.tar.Z 02 April 91 - - This version makes certain that while running as root we do nothing - at all destructive. - -popper-1.82beta.tar.Z 27 March 91 - - This version fixes problems on Encore MultiMax and some Sun releases - which wouldn't allow a user to ftruncate() a file from an open - file descripter unless the user owns the file. Now the user - owns the /usr/spool/mail/.userid.pop file. Thanks to Ben Levy - of FTP Software and Henry Holtzman of Apple. - -popper-1.81beta.tar.Z 20 March 91 - - This version of popper is supposed to fix three problems reported - with various versions of popper (all called 1.7 or 1.7something). - - 1) Dropped network connections meant lost mail files. Some 1.7 - versions also risked corrupting mail files. - - 2) Some versions of 1.7 created temporary drop files with world - read and write permissions. - - 3) Some versions of 1.7 were not careful about opening the temporary - drop file. - -popper-1.7.tar.Z 09 September 90 (updated 20 March 91) - - This version will exhibit the first problem listed above if it is - compiled with -DDEBUG and run without the "-d" (debug) flag. - - If it is compiled without -DDEBUG it will exhibit only the second - and third bug listed above. - -Cliff Frost poptest@nettlesome.berkeley.edu -UC Berkeley diff --git a/crypto/heimdal-0.6.3/appl/popper/popper.c b/crypto/heimdal-0.6.3/appl/popper/popper.c deleted file mode 100644 index 6aee29441c..0000000000 --- a/crypto/heimdal-0.6.3/appl/popper/popper.c +++ /dev/null 
@@ -1,116 +0,0 @@
-/*
- * Copyright (c) 1989 Regents of the University of California.
- * All rights reserved. The Berkeley software License Agreement
- * specifies the terms and conditions for redistribution.
- */
-
-#include
-RCSID("$Id: popper.c,v 1.16 2002/07/04 14:09:25 joda Exp $");
-
-int hangup = FALSE ;
-
-static RETSIGTYPE
-catchSIGHUP(int sig)
-{
- hangup = TRUE ;
-
- /* This should not be a problem on BSD systems */
- signal(SIGHUP, catchSIGHUP);
- signal(SIGPIPE, catchSIGHUP);
- SIGRETURN(0);
-}
-
-int pop_timeout = POP_TIMEOUT;
-
-jmp_buf env;
-
-static RETSIGTYPE
-ring(int sig)
-{
- longjmp(env,1);
-}
-
-/*
- * fgets, but with a timeout
- */
-static char *
-tgets(char *str, int size, FILE *fp, int timeout)
-{
- signal(SIGALRM, ring);
- alarm(timeout);
- if (setjmp(env))
- str = NULL;
- else
- str = fgets(str,size,fp);
- alarm(0);
- signal(SIGALRM,SIG_DFL);
- return(str);
-}
-
-/*
- * popper: Handle a Post Office Protocol version 3 session
- */
-int
-main (int argc, char **argv)
-{
- POP p;
- state_table * s;
- char message[MAXLINELEN];
-
- signal(SIGHUP, catchSIGHUP);
- signal(SIGPIPE, catchSIGHUP);
-
- /* Start things rolling */
- pop_init(&p,argc,argv);
-
- /* Tell the user that we are listenting */
- pop_msg(&p,POP_SUCCESS, "POP3 server ready");
-
- /* State loop. The POP server is always in a particular state in
- which a specific suite of commands can be executed. The following
- loop reads a line from the client, gets the command, and processes
- it in the current context (if allowed) or rejects it. This continues
- until the client quits or an error occurs. */
-
- for (p.CurrentState=auth1;p.CurrentState!=halt&&p.CurrentState!=error;) {
- if (hangup) {
- pop_msg(&p, POP_FAILURE, "POP hangup: %s", p.myhost);
- if (p.CurrentState > auth2 && !pop_updt(&p))
- pop_msg(&p, POP_FAILURE,
- "POP mailbox update failed: %s", p.myhost);
- p.CurrentState = error;
- } else if (tgets(message, MAXLINELEN, p.input, pop_timeout) == NULL) {
- pop_msg(&p, POP_FAILURE, "POP timeout: %s", p.myhost);
- if (p.CurrentState > auth2 && !pop_updt(&p))
- pop_msg(&p,POP_FAILURE,
- "POP mailbox update failed: %s", p.myhost);
- p.CurrentState = error;
- }
- else {
- /* Search for the command in the command/state table */
- if ((s = pop_get_command(&p,message)) == NULL) continue;
-
- /* Call the function associated with this command in
- the current state */
- if (s->function) p.CurrentState = s->result[(*s->function)(&p)];
-
- /* Otherwise assume NOOP and send an OK message to the client */
- else {
- p.CurrentState = s->success_state;
- pop_msg(&p,POP_SUCCESS,NULL);
- }
- }
- }
-
- /* Say goodbye to the client */
- pop_msg(&p,POP_SUCCESS,"Pop server at %s signing off.",p.myhost);
-
- /* Log the end of activity */
- pop_log(&p,POP_PRIORITY,
- "(v%s) Ending request from \"%s\" at %s\n",VERSION,p.client,p.ipaddr);
-
- /* Stop logging */
- closelog();
-
- return(0);
-}
diff --git a/crypto/heimdal-0.6.3/appl/popper/popper.cat8 b/crypto/heimdal-0.6.3/appl/popper/popper.cat8
deleted file mode 100644
index f2f3ebfc1d..0000000000
--- a/crypto/heimdal-0.6.3/appl/popper/popper.cat8
+++ /dev/null
@@ -1,54 +0,0 @@ - -POPPER(8) UNIX System Manager's Manual POPPER(8) - -NNAAMMEE - ppooppppeerr - POP3 server - -SSYYNNOOPPSSIISS - ppooppppeerr [--kk] [--aa _n_o_n_e|otp] [--tt _f_i_l_e] [--TT _s_e_c_o_n_d_s] [--dd] [--ii] [--pp _p_o_r_t] - [----aaddddrreessss--lloogg==_f_i_l_e] - -DDEESSCCRRIIPPTTIIOONN - ppooppppeerr serves mail via the Post Office Protocol. Supported options in- - clude: - - --aa _n_o_n_e|otp, ----aauutthh--mmooddee==_n_o_n_e|otp - tells ppooppppeerr what authentication modes are acceptable, passing - _o_t_p disables clear text passwords. Otp doesn't disable Kerberos - authentication, only cleartext passwords. - - ----aaddddrreessss--lloogg==_f_i_l_e - logs the addresses of all clients to the specified file - - --dd, ----ddeebbuugg - enables more verbose log messages - - --ii, ----iinntteerraaccttiivvee - when not started by inetd, this flag tells ppooppppeerr that it has to - create a socket by itself - - --kk, ----kkeerrbbeerrooss - tells ppooppppeerr to use the Kerberos for authentication. - - --pp _p_o_r_t, ----ppoorrtt==_p_o_r_t - port to listen to, in combination with --ii - - --tt _f_i_l_e, ----ttrraaccee--ffiillee==_f_i_l_e - trace all commands to file - - --TT _s_e_c_o_n_d_s, ----ttiimmeeoouutt==_s_e_c_o_n_d_s - set timeout to something other than the default of 120 seconds - -SSEEEE AALLSSOO - push(8), movemail(8) - -SSTTAANNDDAARRDDSS - RFC1939 (Post Office Protocol - Version 3) - -AAUUTTHHOORRSS - The server was initially developed at the University of California, - Berkeley. - - Many changes have been made as part of the KTH Kerberos distributions. - - HEIMDAL April 16, 2003 1 diff --git a/crypto/heimdal-0.6.3/appl/popper/popper.h b/crypto/heimdal-0.6.3/appl/popper/popper.h deleted file mode 100644 index 7eac257c75..0000000000 --- a/crypto/heimdal-0.6.3/appl/popper/popper.h +++ /dev/null 
@@ -1,352 +0,0 @@
-/*
- * Copyright (c) 1989 Regents of the University of California.
- * All rights reserved. The Berkeley software License Agreement
- * specifies the terms and conditions for redistribution.
- *
- * static char copyright[] = "Copyright (c) 1990 Regents of the University of California.\nAll rights reserved.\n";
- * static char SccsId[] = "@(#)@(#)popper.h 2.2 2.2 4/2/91";
- *
- */
-
-/* $Id: popper.h,v 1.51 2002/07/04 13:56:12 joda Exp $ */
-
-/*
- * Header file for the POP programs
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-#define UIDL
-#define XOVER
-#define XDELE
-#define DEBUG
-#define RETURN_PATH_HANDLING
-#endif
-
-/* Common include files */
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#ifdef HAVE_FCNTL_H
-#include
-#endif
-#ifdef HAVE_PWD_H
-#include
-#endif
-#ifdef HAVE_SYS_TYPES_H
-#include
-#endif
-#ifdef HAVE_IO_H
-#include
-#endif
-#ifdef HAVE_UNISTD_H
-#include
-#endif
-#ifdef HAVE_SYS_STAT_H
-#include
-#endif
-#ifdef HAVE_SYS_FILE_H
-#include
-#endif
-#ifdef TIME_WITH_SYS_TIME
-#include
-#include
-#elif defined(HAVE_SYS_TIME_H)
-#include
-#else
-#include
-#endif
-#ifdef HAVE_SYS_RESOURCE_H
-#include
-#endif
-#ifdef HAVE_SYS_WAIT_H
-#include
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include
-#endif
-#ifdef HAVE_NETINET_IN6_H
-#include
-#endif
-#ifdef HAVE_NETINET6_IN6_H
-#include
-#endif
-
-#ifdef HAVE_NETDB_H
-#include
-#endif
-#ifdef HAVE_ARPA_INET_H
-#ifdef _AIX
-struct sockaddr_dl; /* AIX fun */
-struct ether_addr;
-#endif
-#include
-#endif
-#ifdef HAVE_SYSLOG_H
-#include
-#endif
-#ifdef HAVE_SYS_SELECT_H
-#include
-#endif
-#ifdef HAVE_SYS_PARAM_H
-#include
-#endif
-#include "version.h"
-
-#ifdef SOCKS
-#include
-#endif
-
-#include
-#include
-#include
-
-#ifdef KRB4
-#include
-#include
-#endif
-#ifdef KRB5
-#include
-#endif
-
-#define MAXUSERNAMELEN 65
-#define MAXLINELEN 1024
-#define MAXMSGLINELEN 1024
-#define MAXCMDLEN 4
-#define MAXPARMCOUNT 10
-#define MAXPARMLEN 10
-#define ALLOC_MSGS 20
-#define MAIL_COMMAND "/usr/lib/sendmail"
-
-#define POP_FACILITY LOG_LOCAL0
-#define POP_PRIORITY LOG_NOTICE
-#define POP_DEBUG LOG_DEBUG
-#define POP_INFO LOG_INFO
-#define POP_LOGOPTS 0
-
-#ifdef HAVE_PATHS_H
-#include
-#endif
-#ifdef HAVE_MAILLOCK_H
-#include
-#endif
-
-#ifdef OTP
-#include
-#endif
-
-#if defined(KRB4_MAILDIR)
-#define POP_MAILDIR KRB4_MAILDIR
-#elif defined(_PATH_MAILDIR)
-#define POP_MAILDIR _PATH_MAILDIR
-#elif defined(MAILDIR)
-#define POP_MAILDIR MAILDIR
-#else
-#define POP_MAILDIR "/usr/spool/mail"
-#endif
-
-#define POP_DROP POP_MAILDIR "/.%s.pop"
- /* POP_TMPSIZE needs to be big enough to hold the string
- * defined by POP_TMPDROP. POP_DROP and POP_TMPDROP
- * must be in the same filesystem.
- */
-#define POP_TMPDROP POP_MAILDIR "/tmpXXXXXX"
-#define POP_TMPSIZE 256
-#define POP_TMPXMIT "/tmp/xmitXXXXXX"
-#define POP_OK "+OK"
-#define POP_ERR "-ERR"
-#define POP_SUCCESS 1
-#define POP_FAILURE 0
-#define POP_TERMINATE '.'
-#define POP_TIMEOUT 120 /* timeout connection after this many secs */
-
-extern int pop_timeout;
-
-extern int hangup;
-
-#define AUTH_NONE 0
-#define AUTH_OTP 1
-
-#define pop_command pop_parm[0] /* POP command is first token */
-#define pop_subcommand pop_parm[1] /* POP XTND subcommand is the
- second token */
-
-typedef enum { /* POP processing states */
- auth1, /* Authorization: waiting for
- USER command */
- auth2, /* Authorization: waiting for
- PASS command */
- trans, /* Transaction */
- update, /* Update: session ended,
- process maildrop changes */
- halt, /* (Halt): stop processing
- and exit */
- error /* (Error): something really
- bad happened */
-} state;
-
-
-#define DEL_FLAG 1
-#define RETR_FLAG 2
-#define NEW_FLAG 4
-
-typedef struct { /* Message information */
- int number; /* Message number relative to
- the beginning of list */
- long length; /* Length of message in
- bytes */
- int lines; /* Number of (null-terminated) lines in the message */
- long offset; /* Offset from beginning of
- file */
- unsigned flags;
-
-#if defined(UIDL) || defined(XOVER)
- char *msg_id; /* The POP UIDL uniqueifier */
-#endif
-#ifdef XOVER
- char *subject;
- char *from;
- char *date;
-#endif
- char *name;
-} MsgInfoList;
-
-#define IS_MAILDIR(P) ((P)->temp_drop[0] == '\0')
-
-typedef struct { /* POP parameter block */
- int debug; /* Debugging requested */
- char * myname; /* The name of this POP
- daemon program */
- char myhost[MaxHostNameLen]; /* The name of our host
- computer */
- char client[MaxHostNameLen]; /* Canonical name of client
- computer */
- char ipaddr[MaxHostNameLen]; /* Dotted-notation format of
- client IP address */
- unsigned short ipport; /* Client port for privileged
- operations */
- char user[MAXUSERNAMELEN]; /* Name of the POP user */
- state CurrentState; /* The current POP operational state */
- MsgInfoList * mlp; /* Message information list */
- int msg_count; /* Number of messages in
- the maildrop */
- int msgs_deleted; /* Number of messages flagged
- for deletion */
- int last_msg; /* Last message touched by
- the user */
- long bytes_deleted; /* Number of maildrop bytes
- flagged for deletion */
- char drop_name[MAXPATHLEN]; /* The name of the user's
- maildrop */
- char temp_drop[MAXPATHLEN]; /* The name of the user's
- temporary maildrop */
- long drop_size; /* Size of the maildrop in
- bytes */
- FILE * drop; /* (Temporary) mail drop */
- FILE * input; /* Input TCP/IP communication
- stream */
- FILE * output; /* Output TCP/IP communication stream */
- FILE * trace; /* Debugging trace file */
- char * pop_parm[MAXPARMCOUNT]; /* Parse POP parameter list */
- int parm_count; /* Number of parameters in
- parsed list */
- int kerberosp; /* Using KPOP? */
-#ifdef KRB4
- AUTH_DAT kdata;
-#endif
-#ifdef KRB5
- krb5_context context;
- krb5_principal principal; /* principal auth as */
- krb5_log_facility* logf;
-#endif
- int version; /* 4 or 5? */
- int auth_level; /* Dont allow cleartext */
-#ifdef OTP
- OtpContext otp_ctx; /* OTP context */
-#endif
- unsigned int flags;
-#define POP_FLAG_CAPA 1
-} POP;
-
-typedef struct { /* State information for
- each POP command */
- state ValidCurrentState; /* The operating state of
- the command */
- char * command; /* The POP command */
- int min_parms; /* Minimum number of parms
- for the command */
- int max_parms; /* Maximum number of parms
- for the command */
- int (*function) (); /* The function that process
- the command */
- state result[2]; /* The resulting state after
- command processing */
-#define success_state result[0] /* State when a command
- succeeds */
-} state_table;
-
-typedef struct { /* Table of extensions */
- char * subcommand; /* The POP XTND subcommand */
- int min_parms; /* Minimum number of parms for
- the subcommand */
- int max_parms; /* Maximum number of parms for
- the subcommand */
- int (*function) (); /* The function that processes
- the subcommand */
-} xtnd_table;
-
-int pop_dele(POP *p);
-int pop_dropcopy(POP *p, struct passwd *pwp);
-int pop_dropinfo(POP *p);
-int pop_init(POP *p,int argcount,char **argmessage);
-int pop_last(POP *p);
-int pop_list(POP *p);
-int pop_parse(POP *p, char *buf);
-int pop_pass(POP *p);
-int pop_quit(POP *p);
-int pop_rset(POP *p);
-int pop_send(POP *p);
-int pop_stat(POP *p);
-int pop_updt(POP *p);
-int pop_user(POP *p);
-#ifdef UIDL
-int pop_uidl(POP *p);
-#endif
-#ifdef XOVER
-int pop_xover(POP *p);
-#endif
-#ifdef XDELE
-int pop_xdele(POP *p);
-#endif
-int pop_help(POP *p);
-state_table *pop_get_command(POP *p, char *mp);
-void pop_lower(char *buf);
-
-int pop_log(POP *p, int stat, char *format, ...)
-#ifdef __GNUC__
-__attribute__ ((format (printf, 3, 4)))
-#endif
-;
-
-int pop_msg(POP *p, int stat, char *format, ...)
-#ifdef __GNUC__
-__attribute__ ((format (printf, 3, 4)))
-#endif
-;
-
-int pop_maildir_info (POP*);
-int pop_maildir_open (POP*, MsgInfoList*);
-int pop_maildir_update (POP*);
-
-int changeuser(POP*, struct passwd*);
-void parse_header(MsgInfoList*, char*);
-int add_missing_headers(POP*, MsgInfoList*);
diff --git a/crypto/heimdal-0.6.3/appl/popper/version.h b/crypto/heimdal-0.6.3/appl/popper/version.h
deleted file mode 100644
index 1b5d135cf4..0000000000
--- a/crypto/heimdal-0.6.3/appl/popper/version.h
+++ /dev/null
@@ -1,19 +0,0 @@
-/*
- * Copyright (c) 1989 Regents of the University of California.
- * All rights reserved. The Berkeley software License Agreement
- * specifies the terms and conditions for redistribution.
- *
- * static char copyright[] = "Copyright (c) 1990 Regents of the University of California.\nAll rights reserved.\n";
- * static char SccsId[] = "@(#)@(#)version.h 2.6 2.6 4/3/91";
- *
- */
-
-/* $Id: version.h,v 1.5 1997/08/08 22:50:13 assar Exp $ */
-
-/*
- * Current version of this POP implementation
- */
-
-#if 0
-#define VERSION krb4_version
-#endif
diff --git a/crypto/heimdal-0.6.3/appl/push/ChangeLog b/crypto/heimdal-0.6.3/appl/push/ChangeLog
deleted file mode 100644
index e158181043..0000000000
--- a/crypto/heimdal-0.6.3/appl/push/ChangeLog
+++ /dev/null
@@ -1,196 +0,0 @@ -2004-06-21 Love Hörnquist Åstrand - - * push.c: 1.48: alloc memory to handle very long lines - -2003-04-03 Assar Westerlund - - * push.c: fixed one incorrect fprintf to stderr - -2003-03-18 Love Hörnquist Åstrand - - * push.c: add names of pop states, add some more debugging and use - fprintf(stderr) for all dbg stmts. - -2001-09-04 Assar Westerlund - - * push.c (doit): check return values from snprintf being negative - -2000-12-31 Assar Westerlund - - * push.c (main): handle krb5_init_context failure consistently - -2000-12-26 Assar Westerlund - - * push.c: support several headers, from use - estrdup, emalloc, erealloc - -2000-11-29 Johan Danielsson - - * pfrom.1: work around bug in grog that makes it think it needs - mdoc.old - - * push.8: work around bug in grog that makes it think it needs - mdoc.old - -2000-11-27 Johan Danielsson - - * push.c: add space to usage - -2000-10-08 Assar Westerlund - - * push.c (doit): check that fds are not too large to select on - -2000-03-04 Assar Westerlund - - * add man-page for pfrom - -1999-12-28 Assar Westerlund - - * push.c (main): call k_getportbyname with port number in - network-byte-order - -1999-12-14 Assar Westerlund - - * push.c (do_connect): remove bogus local block variable - -1999-12-05 Assar Westerlund - - * push.c (do_connect): use `getaddrinfo' - * push.c: add --count (print number of messages and bytes at - beginning) - -1999-11-13 Assar Westerlund - - * push.c: make `-v' a arg_counter - -1999-11-02 Assar Westerlund - - * push.c (main): redo the v4/v5 selection for consistency. 
-4 -> - try only v4 -5 -> try only v5 none, -45 -> try v5, v4 - -1999-08-19 Assar Westerlund - - * push.c (doit): remember to step over the error message when we - discover that XDELE is not supported - -1999-08-12 Johan Danielsson - - * push.c: use XDELE - -1999-08-05 Assar Westerlund - - * push.c (do_connect): v6-ify - -1999-06-15 Assar Westerlund - - * push.c: get_default_username and the resulting const propagation - -1999-05-21 Assar Westerlund - - * push.c (parse_pobox): try $USERNAME - -1999-05-11 Assar Westerlund - - * push.c (do_v5): remove unused and non-working code - -1999-05-10 Assar Westerlund - - * push.c (do_v5): call krb5_sendauth with ccache == NULL - -Wed Apr 7 23:40:00 1999 Assar Westerlund - - * Makefile.in: fix names of hesiod variables - -Wed Mar 24 04:37:04 1999 Assar Westerlund - - * Makefile.am (pfrom): fix typo - - * push.c (get_pobox): try to handle old and new hesiod APIs - -Mon Mar 22 22:19:40 1999 Assar Westerlund - - * Makefile.am: hesoid -> hesiod - -Sun Mar 21 18:02:10 1999 Johan Danielsson - - * Makefile.am: bindir -> libexecdir - -Sat Mar 20 00:12:26 1999 Assar Westerlund - - * Makefile.am: LDADD: add missing backslash - -Thu Mar 18 15:28:35 1999 Johan Danielsson - - * Makefile.am: clean pfrom - - * Makefile.am: include Makefile.am.common - -Mon Mar 15 18:26:16 1999 Johan Danielsson - - * push.c: strncasecmp headers - -Mon Feb 15 22:22:09 1999 Assar Westerlund - - * Makefile.in (pfrom): use libexecdir - - * Makefile.am: build and install pfrom - - * push.c (do_connect): init `s' - (pop_state): spell-check enums - -Tue Nov 24 23:20:54 1998 Assar Westerlund - - * Makefile.in: build and install pfrom - - * pfrom.in: bindir -> libexecdir - -Sun Nov 22 15:33:52 1998 Johan Danielsson - - * push.c: eliminate some warnings - -Sun Nov 22 10:34:54 1998 Assar Westerlund - - * Makefile.in (WFLAGS): set - -Thu Nov 19 01:17:33 1998 Assar Westerlund - - * push_locl.h: add - - * Makefile.am, Makefile.in: link and include hesiod - - * push.c 
(get_pobox): new function. add hesiod support. - -1998-11-07 Assar Westerlund - - * push.8: updated - - * push.c: --from implementation from - -Fri Jul 10 01:14:45 1998 Assar Westerlund - - * push.c (net_{read,write}): remove - -Wed Jun 24 14:41:41 1998 Johan Danielsson - - * push.c: allow `po:user@host' mailbox syntax - -Tue Jun 2 17:35:06 1998 Johan Danielsson - - * push.c: quote '^From ' properly - -Mon May 25 05:22:47 1998 Assar Westerlund - - * Makefile.in (clean): PROGS -> PROGRAMS - -Sun Apr 26 11:42:13 1998 Assar Westerlund - - * push.c (main): better default for v4 and v5 - - * push.c (main): init context correctly - - * push.c: should work with krb4 - - * push_locl.h: krb4 compat - - * Makefile.in: new file - diff --git a/crypto/heimdal-0.6.3/appl/push/Makefile.am b/crypto/heimdal-0.6.3/appl/push/Makefile.am deleted file mode 100644 index 5999ec1a52..0000000000 --- a/crypto/heimdal-0.6.3/appl/push/Makefile.am +++ /dev/null @@ -1,27 +0,0 @@ -# $Id: Makefile.am,v 1.17 2000/11/15 22:51:09 assar Exp $ - -include $(top_srcdir)/Makefile.am.common - -INCLUDES += $(INCLUDE_krb4) $(INCLUDE_hesiod) - -bin_SCRIPTS = pfrom - -libexec_PROGRAMS = push - -push_SOURCES = push.c push_locl.h - -pfrom: pfrom.in - sed -e "s!%libexecdir%!$(libexecdir)!" $(srcdir)/pfrom.in > $@ - chmod +x $@ - -man_MANS = push.8 pfrom.1 - -CLEANFILES = pfrom - -EXTRA_DIST = pfrom.in $(man_MANS) - -LDADD = $(LIB_krb5) \ - $(LIB_krb4) \ - $(LIB_des) \ - $(LIB_roken) \ - $(LIB_hesiod) diff --git a/crypto/heimdal-0.6.3/appl/push/Makefile.in b/crypto/heimdal-0.6.3/appl/push/Makefile.in deleted file mode 100644 index 4dc3b92a89..0000000000 --- a/crypto/heimdal-0.6.3/appl/push/Makefile.in +++ /dev/null 
@@ -1,894 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.17 2000/11/15 22:51:09 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - - -SOURCES = $(push_SOURCES) - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../.. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ - $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common ChangeLog -libexec_PROGRAMS = push$(EXEEXT) -subdir = appl/push -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - 
$(top_srcdir)/cf/krb-struct-spwd.m4 \ - $(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -am__installdirs = "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man8dir)" -libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -PROGRAMS = $(libexec_PROGRAMS) -am_push_OBJECTS = push.$(OBJEXT) -push_OBJECTS = $(am_push_OBJECTS) -push_LDADD = $(LDADD) -@KRB5_TRUE@am__DEPENDENCIES_1 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la -am__DEPENDENCIES_2 = -push_DEPENDENCIES = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_2) \ - $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_2) \ - $(am__DEPENDENCIES_2) -binSCRIPT_INSTALL = $(INSTALL_SCRIPT) -SCRIPTS = $(bin_SCRIPTS) -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -SOURCES = $(push_SOURCES) -DIST_SOURCES = $(push_SOURCES) -man1dir = $(mandir)/man1 -man8dir = $(mandir)/man8 -MANS = $(man_MANS) -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = 
@HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ 
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = 
@dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) $(INCLUDE_hesiod) -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -bin_SCRIPTS = pfrom -push_SOURCES = push.c push_locl.h 
-man_MANS = push.8 pfrom.1 -CLEANFILES = pfrom -EXTRA_DIST = pfrom.in $(man_MANS) -LDADD = $(LIB_krb5) \ - $(LIB_krb4) \ - $(LIB_des) \ - $(LIB_roken) \ - $(LIB_hesiod) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps appl/push/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps appl/push/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -install-libexecPROGRAMS: $(libexec_PROGRAMS) - @$(NORMAL_INSTALL) - test -z "$(libexecdir)" || $(mkdir_p) "$(DESTDIR)$(libexecdir)" - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) 
'$$p' '$(DESTDIR)$(libexecdir)/$$f'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(libexecdir)/$$f" || exit 1; \ - else :; fi; \ - done - -uninstall-libexecPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f '$(DESTDIR)$(libexecdir)/$$f'"; \ - rm -f "$(DESTDIR)$(libexecdir)/$$f"; \ - done - -clean-libexecPROGRAMS: - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -push$(EXEEXT): $(push_OBJECTS) $(push_DEPENDENCIES) - @rm -f push$(EXEEXT) - $(LINK) $(push_LDFLAGS) $(push_OBJECTS) $(push_LDADD) $(LIBS) -install-binSCRIPTS: $(bin_SCRIPTS) - @$(NORMAL_INSTALL) - test -z "$(bindir)" || $(mkdir_p) "$(DESTDIR)$(bindir)" - @list='$(bin_SCRIPTS)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - if test -f $$d$$p; then \ - f=`echo "$$p" | sed 's|^.*/||;$(transform)'`; \ - echo " $(binSCRIPT_INSTALL) '$$d$$p' '$(DESTDIR)$(bindir)/$$f'"; \ - $(binSCRIPT_INSTALL) "$$d$$p" "$(DESTDIR)$(bindir)/$$f"; \ - else :; fi; \ - done - -uninstall-binSCRIPTS: - @$(NORMAL_UNINSTALL) - @list='$(bin_SCRIPTS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's|^.*/||;$(transform)'`; \ - echo " rm -f '$(DESTDIR)$(bindir)/$$f'"; \ - rm -f "$(DESTDIR)$(bindir)/$$f"; \ - done - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c $< - -.c.obj: - $(COMPILE) -c `$(CYGPATH_W) '$<'` - -.c.lo: - $(LTCOMPILE) -c -o $@ $< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -install-man1: $(man1_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - test -z "$(man1dir)" || $(mkdir_p) "$(DESTDIR)$(man1dir)" - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - 
l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 1*) ;; \ - *) ext='1' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man1dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man1dir)/$$inst"; \ - done -uninstall-man1: - @$(NORMAL_UNINSTALL) - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 1*) ;; \ - *) ext='1' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f '$(DESTDIR)$(man1dir)/$$inst'"; \ - rm -f "$(DESTDIR)$(man1dir)/$$inst"; \ - done -install-man8: $(man8_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - test -z "$(man8dir)" || $(mkdir_p) "$(DESTDIR)$(man8dir)" - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) '$$file' 
'$(DESTDIR)$(man8dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ - done -uninstall-man8: - @$(NORMAL_UNINSTALL) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ - rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ - done - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: 
- here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/../.. $(distdir)/../../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) $(SCRIPTS) $(MANS) all-local -installdirs: - for dir in "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man8dir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo 
"INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-generic clean-libexecPROGRAMS clean-libtool \ - mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: install-man - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: install-binSCRIPTS install-libexecPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man1 install-man8 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-binSCRIPTS uninstall-info-am \ - uninstall-libexecPROGRAMS uninstall-man - -uninstall-man: uninstall-man1 uninstall-man8 - -.PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \ - clean clean-generic clean-libexecPROGRAMS clean-libtool ctags \ - distclean distclean-compile distclean-generic \ - distclean-libtool distclean-tags distdir dvi dvi-am html \ - html-am info info-am install install-am install-binSCRIPTS \ - install-data install-data-am install-exec install-exec-am \ - install-info install-info-am install-libexecPROGRAMS \ - install-man install-man1 install-man8 install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic 
mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags uninstall uninstall-am uninstall-binSCRIPTS \ - uninstall-info-am uninstall-libexecPROGRAMS uninstall-man \ - uninstall-man1 uninstall-man8 - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done 
;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -pfrom: pfrom.in - sed -e "s!%libexecdir%!$(libexecdir)!" $(srcdir)/pfrom.in > $@ - chmod +x $@ -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal-0.6.3/appl/push/pfrom.1 b/crypto/heimdal-0.6.3/appl/push/pfrom.1 deleted file mode 100644 index 2d7983c240..0000000000 
--- a/crypto/heimdal-0.6.3/appl/push/pfrom.1
+++ /dev/null
@@ -1,55 +0,0 @@
-.\" Copyright (c) 2000 - 2002 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: pfrom.1,v 1.5 2003/02/16 21:10:11 lha Exp $
-.\"
-.Dd March 4, 2000
-.Dt PFROM 1
-.Os HEIMDAL
-.Sh NAME
-.Nm pfrom
-.Nd "fetch a list of the current mail via POP"
-.Sh SYNOPSIS
-.Nm
-.Op Fl 4 | Fl -krb4
-.Op Fl 5 | Fl -krb5
-.Op Fl v | Fl -verbose
-.Op Fl c | -count
-.Op Fl -header
-.Oo Fl p Ar port-spec \*(Ba Xo
-.Fl -port= Ns Ar port-spec
-.Xc
-.Oc
-.Sh DESCRIPTION
-.Nm
-is a script that does push --from.
-.Sh SEE ALSO
-.Xr push 8
diff --git a/crypto/heimdal-0.6.3/appl/push/pfrom.cat1 b/crypto/heimdal-0.6.3/appl/push/pfrom.cat1
deleted file mode 100644
index 4035710bc7..0000000000
--- a/crypto/heimdal-0.6.3/appl/push/pfrom.cat1
+++ /dev/null
@@ -1,17 +0,0 @@
- -PFROM(1) UNIX Reference Manual PFROM(1) - -NNAAMMEE - ppffrroomm - fetch a list of the current mail via POP - -SSYYNNOOPPSSIISS - ppffrroomm [--44 | ----kkrrbb44] [--55 | ----kkrrbb55] [--vv | ----vveerrbboossee] [--cc | ----ccoouunntt] - [----hheeaaddeerr] [--pp _p_o_r_t_-_s_p_e_c | ----ppoorrtt==_p_o_r_t_-_s_p_e_c] - -DDEESSCCRRIIPPTTIIOONN - ppffrroomm is a script that does push --from. - -SSEEEE AALLSSOO - push(8) - - HEIMDAL March 4, 2000 1
diff --git a/crypto/heimdal-0.6.3/appl/push/pfrom.in b/crypto/heimdal-0.6.3/appl/push/pfrom.in
deleted file mode 100644
index 6adf4f0f79..0000000000
--- a/crypto/heimdal-0.6.3/appl/push/pfrom.in
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/sh
-# $Id: pfrom.in,v 1.2 1998/11/24 13:25:47 assar Exp $
-libexecdir=%libexecdir%
-PATH=$libexecdir:$PATH
-export PATH
-push --from $*
diff --git a/crypto/heimdal-0.6.3/appl/push/push.8 b/crypto/heimdal-0.6.3/appl/push/push.8
deleted file mode 100644
index 14561a9f9b..0000000000
--- a/crypto/heimdal-0.6.3/appl/push/push.8
+++ /dev/null
@@ -1,138 +0,0 @@
-.\" $Id: push.8,v 1.13 2002/08/20 17:07:07 joda Exp $
-.\"
-.Dd May 31, 1998
-.Dt PUSH 8
-.Os HEIMDAL
-.Sh NAME
-.Nm push
-.Nd fetch mail via POP
-.Sh SYNOPSIS
-.Nm
-.Op Fl 4 | Fl -krb4
-.Op Fl 5 | Fl -krb5
-.Op Fl v | Fl -verbose
-.Op Fl f | Fl -fork
-.Op Fl l | -leave
-.Op Fl -from
-.Op Fl c | -count
-.Op Fl -headers Ns = Ns Ar headers
-.Oo Fl p Ar port-spec \*(Ba Xo
-.Fl -port Ns = Ns Ar port-spec
-.Xc
-.Oc
-.Ar po-box
-.Pa filename
-.Sh DESCRIPTION
-.Nm
-retrieves mail from the post office box
-.Ar po-box ,
-and stores the mail in mbox format in
-.Pa filename .
-The
-.Ar po-box
-can have any of the following formats:
-.Bl -hang -compact -offset indent
-.It Ql hostname:username
-.It Ql po:hostname:username
-.It Ql username@hostname
-.It Ql po:username@hostname
-.It Ql hostname
-.It Ql po:username
-.El
-.Pp
-If no username is specified,
-.Nm
-assumes that it's the same as on the local machine;
-.Ar hostname
-defaults to the value of the
-.Ev MAILHOST
-environment variable.
-.Pp
-Supported options:
-.Bl -tag -width Ds
-.It Xo
-.Fl 4 ,
-.Fl -krb4
-.Xc
-use Kerberos 4 (if compiled with support for Kerberos 4)
-.It Xo
-.Fl 5 ,
-.Fl -krb5
-.Xc
-use Kerberos 5 (if compiled with support for Kerberos 5)
-.It Xo
-.Fl f ,
-.Fl -fork
-.Xc
-fork before starting to delete messages
-.It Xo
-.Fl l ,
-.Fl -leave
-.Xc
-don't delete fetched mail
-.It Xo
-.Fl -from
-.Xc
-behave like from.
-.It Xo
-.Fl c ,
-.Fl -count
-.Xc
-first print how many messages and bytes there are.
-.It Xo
-.Fl -headers Ns = Ns Ar headers
-.Xc
-a list of comma-separated headers that should get printed.
-.It Xo
-.Fl p Ar port-spec ,
-.Fl -port Ns = Ns Ar port-spec
-.Xc
-use this port instead of the default
-.Ql kpop
-or
-.Ql 1109 .
-.El
-.Pp
-The default is to first try Kerberos 5 authentication and then, if
-that fails, Kerberos 4.
-.Sh ENVIRONMENT
-.Bl -tag -width Ds
-.It Ev MAILHOST
-points to the post office, if no other hostname is specified.
-.El
-.\".Sh FILES
-.Sh EXAMPLES
-.Bd -literal -offset indent
-$ push cornfield:roosta ~/.emacs-mail-crash-box
-.Ed
-.Pp
-tries to fetch mail for the user
-.Ar roosta
-from the post office at
-.Dq cornfield ,
-and stores the mail in
-.Pa ~/.emacs-mail-crash-box
-(you are using Gnus, aren't you?)
-.Bd -literal -offset indent
-$ push --from -5 havregryn
-.Ed
-.Pp
-tries to fetch
-.Sy From:
-lines for current user at post office
-.Dq havregryn
-using Kerberos 5.
-.\".Sh DIAGNOSTICS
-.Sh SEE ALSO
-.Xr from 1 ,
-.Xr pfrom 1 ,
-.Xr movemail 8 ,
-.Xr popper 8
-.\".Sh STANDARDS
-.Sh HISTORY
-.Nm
-was written while waiting for
-.Nm movemail
-to finish getting the mail.
-.\".Sh AUTHORS
-.\".Sh BUGS
diff --git a/crypto/heimdal-0.6.3/appl/push/push.c b/crypto/heimdal-0.6.3/appl/push/push.c
deleted file mode 100644
index 2e6f8b89a8..0000000000
--- a/crypto/heimdal-0.6.3/appl/push/push.c
+++ /dev/null
@@ -1,842 +0,0 @@ -/* - * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "push_locl.h" -RCSID("$Id: push.c,v 1.47.2.1 2004/06/21 10:54:46 lha Exp $"); - -#ifdef KRB4 -static int use_v4 = -1; -#endif - -#ifdef KRB5 -static int use_v5 = -1; -static krb5_context context; -#endif - -static char *port_str; -static int verbose_level; -static int do_fork; -static int do_leave; -static int do_version; -static int do_help; -static int do_from; -static int do_count; -static char *header_str; - -struct getargs args[] = { -#ifdef KRB4 - { "krb4", '4', arg_flag, &use_v4, "Use Kerberos V4", - NULL }, -#endif -#ifdef KRB5 - { "krb5", '5', arg_flag, &use_v5, "Use Kerberos V5", - NULL }, -#endif - { "verbose",'v', arg_counter, &verbose_level, "Verbose", - NULL }, - { "fork", 'f', arg_flag, &do_fork, "Fork deleting proc", - NULL }, - { "leave", 'l', arg_flag, &do_leave, "Leave mail on server", - NULL }, - { "port", 'p', arg_string, &port_str, "Use this port", - "number-or-service" }, - { "from", 0, arg_flag, &do_from, "Behave like from", - NULL }, - { "headers", 0, arg_string, &header_str, "Headers to print", NULL }, - { "count", 'c', arg_flag, &do_count, "Print number of messages", NULL}, - { "version", 0, arg_flag, &do_version, "Print version", - NULL }, - { "help", 0, arg_flag, &do_help, NULL, - NULL } - -}; - -static void -usage (int ret) -{ - arg_printusage (args, - sizeof(args) / sizeof(args[0]), - NULL, - "[[{po:username[@hostname] | hostname[:username]}] ...] 
" - "filename"); - exit (ret); -} - -static int -do_connect (const char *hostname, int port, int nodelay) -{ - struct addrinfo *ai, *a; - struct addrinfo hints; - int error; - int s = -1; - char portstr[NI_MAXSERV]; - - memset (&hints, 0, sizeof(hints)); - hints.ai_socktype = SOCK_STREAM; - hints.ai_protocol = IPPROTO_TCP; - - snprintf (portstr, sizeof(portstr), "%u", ntohs(port)); - - error = getaddrinfo (hostname, portstr, &hints, &ai); - if (error) - errx (1, "getaddrinfo(%s): %s", hostname, gai_strerror(error)); - - for (a = ai; a != NULL; a = a->ai_next) { - s = socket (a->ai_family, a->ai_socktype, a->ai_protocol); - if (s < 0) - continue; - if (connect (s, a->ai_addr, a->ai_addrlen) < 0) { - warn ("connect(%s)", hostname); - close (s); - continue; - } - break; - } - freeaddrinfo (ai); - if (a == NULL) { - warnx ("failed to contact %s", hostname); - return -1; - } - - if(setsockopt(s, IPPROTO_TCP, TCP_NODELAY, - (void *)&nodelay, sizeof(nodelay)) < 0) - err (1, "setsockopt TCP_NODELAY"); - return s; -} - -typedef enum { INIT = 0, GREET, USER, PASS, STAT, RETR, TOP, - DELE, XDELE, QUIT} pop_state; - -static char *pop_state_string[] = { - "INIT", "GREET", "USER", "PASS", "STAT", "RETR", "TOP", - "DELE", "XDELE", "QUIT" -}; - -#define PUSH_BUFSIZ 65536 - -#define STEP 16 - -struct write_state { - struct iovec *iovecs; - size_t niovecs, maxiovecs, allociovecs; - int fd; -}; - -static void -write_state_init (struct write_state *w, int fd) -{ -#ifdef UIO_MAXIOV - w->maxiovecs = UIO_MAXIOV; -#else - w->maxiovecs = 16; -#endif - w->allociovecs = min(STEP, w->maxiovecs); - w->niovecs = 0; - w->iovecs = emalloc(w->allociovecs * sizeof(*w->iovecs)); - w->fd = fd; -} - -static void -write_state_add (struct write_state *w, void *v, size_t len) -{ - if(w->niovecs == w->allociovecs) { - if(w->niovecs == w->maxiovecs) { - if(writev (w->fd, w->iovecs, w->niovecs) < 0) - err(1, "writev"); - w->niovecs = 0; - } else { - w->allociovecs = min(w->allociovecs + STEP, w->maxiovecs); 
- w->iovecs = erealloc (w->iovecs, - w->allociovecs * sizeof(*w->iovecs)); - } - } - w->iovecs[w->niovecs].iov_base = v; - w->iovecs[w->niovecs].iov_len = len; - ++w->niovecs; -} - -static void -write_state_flush (struct write_state *w) -{ - if (w->niovecs) { - if (writev (w->fd, w->iovecs, w->niovecs) < 0) - err (1, "writev"); - w->niovecs = 0; - } -} - -static void -write_state_destroy (struct write_state *w) -{ - free (w->iovecs); -} - -static int -doit(int s, - const char *host, - const char *user, - const char *outfilename, - const char *header_str, - int leavep, - int verbose, - int forkp) -{ - int ret; - char out_buf[PUSH_BUFSIZ]; - int out_len = 0; - char *in_buf; - size_t in_buf_size; - size_t in_len = 0; - char *in_ptr; - pop_state state = INIT; - unsigned count, bytes; - unsigned asked_for = 0, retrieved = 0, asked_deleted = 0, deleted = 0; - unsigned sent_xdele = 0; - int out_fd; - char from_line[128]; - size_t from_line_length; - time_t now; - struct write_state write_state; - int numheaders = 1; - char **headers = NULL; - int i; - char *tmp = NULL; - - in_buf = emalloc(PUSH_BUFSIZ + 1); - in_ptr = in_buf; - in_buf_size = PUSH_BUFSIZ; - - if (do_from) { - char *tmp2; - - tmp2 = tmp = estrdup(header_str); - - out_fd = -1; - if (verbose) - fprintf (stderr, "%s@%s\n", user, host); - while (*tmp != '\0') { - tmp = strchr(tmp, ','); - if (tmp == NULL) - break; - tmp++; - numheaders++; - } - - headers = emalloc(sizeof(char *) * (numheaders + 1)); - for (i = 0; i < numheaders; i++) { - headers[i] = strtok_r(tmp2, ",", &tmp2); - } - headers[numheaders] = NULL; - } else { - out_fd = open(outfilename, O_WRONLY | O_APPEND | O_CREAT, 0666); - if (out_fd < 0) - err (1, "open %s", outfilename); - if (verbose) - fprintf (stderr, "%s@%s -> %s\n", user, host, outfilename); - } - - now = time(NULL); - from_line_length = snprintf (from_line, sizeof(from_line), - "From %s %s", "push", ctime(&now)); - - out_len = snprintf (out_buf, sizeof(out_buf), - "USER %s\r\nPASS 
hej\r\nSTAT\r\n", - user); - if (out_len < 0) - errx (1, "snprintf failed"); - if (net_write (s, out_buf, out_len) != out_len) - err (1, "write"); - if (verbose > 1) - fprintf (stderr, "%s", out_buf); - - if (!do_from) - write_state_init (&write_state, out_fd); - - while(state != QUIT) { - fd_set readset, writeset; - - FD_ZERO(&readset); - FD_ZERO(&writeset); - if (s >= FD_SETSIZE) - errx (1, "fd too large"); - FD_SET(s,&readset); - - if (verbose > 1) - fprintf (stderr, "state: %s count: %d asked_for: %d " - "retrieved: %d asked_deleted: %d\n", - pop_state_string[state], - count, asked_for, retrieved, asked_deleted); - - if (((state == STAT || state == RETR || state == TOP) - && asked_for < count) - || (state == XDELE && !sent_xdele) - || (state == DELE && asked_deleted < count)) - FD_SET(s,&writeset); - ret = select (s + 1, &readset, &writeset, NULL, NULL); - if (ret < 0) { - if (errno == EAGAIN) - continue; - else - err (1, "select"); - } - - if (FD_ISSET(s, &readset)) { - char *beg, *p; - size_t rem; - int blank_line = 0; - - if(in_len >= in_buf_size) { - char *tmp = erealloc(in_buf, in_buf_size + PUSH_BUFSIZ + 1); - in_ptr = tmp + (in_ptr - in_buf); - in_buf = tmp; - in_buf_size += PUSH_BUFSIZ; - } - - ret = read (s, in_ptr, in_buf_size - in_len); - if (ret < 0) - err (1, "read"); - else if (ret == 0) - errx (1, "EOF during read"); - - in_len += ret; - in_ptr += ret; - *in_ptr = '\0'; - - beg = in_buf; - rem = in_len; - while(rem > 1 - && (p = strstr(beg, "\r\n")) != NULL) { - if (state == TOP) { - char *copy = beg; - - for (i = 0; i < numheaders; i++) { - size_t len; - - len = min(p - copy + 1, strlen(headers[i])); - if (strncasecmp(copy, headers[i], len) == 0) { - fprintf (stdout, "%.*s\n", (int)(p - copy), copy); - } - } - if (beg[0] == '.' 
&& beg[1] == '\r' && beg[2] == '\n') { - if (numheaders > 1) - fprintf (stdout, "\n"); - state = STAT; - if (++retrieved == count) { - state = QUIT; - net_write (s, "QUIT\r\n", 6); - if (verbose > 1) - fprintf (stderr, "QUIT\r\n"); - } - } - rem -= p - beg + 2; - beg = p + 2; - } else if (state == RETR) { - char *copy = beg; - if (beg[0] == '.') { - if (beg[1] == '\r' && beg[2] == '\n') { - if(!blank_line) - write_state_add(&write_state, "\n", 1); - state = STAT; - rem -= p - beg + 2; - beg = p + 2; - if (++retrieved == count) { - write_state_flush (&write_state); - if (fsync (out_fd) < 0) - err (1, "fsync"); - close(out_fd); - if (leavep) { - state = QUIT; - net_write (s, "QUIT\r\n", 6); - if (verbose > 1) - fprintf (stderr, "QUIT\r\n"); - } else { - if (forkp) { - pid_t pid; - - pid = fork(); - if (pid < 0) - warn ("fork"); - else if(pid != 0) { - if(verbose) - fprintf (stderr, - "(exiting)"); - return 0; - } - } - - state = XDELE; - if (verbose) - fprintf (stderr, "deleting... "); - } - } - continue; - } else - ++copy; - } - *p = '\n'; - if(blank_line && - strncmp(copy, "From ", min(p - copy + 1, 5)) == 0) - write_state_add(&write_state, ">", 1); - write_state_add(&write_state, copy, p - copy + 1); - blank_line = (*copy == '\n'); - rem -= p - beg + 2; - beg = p + 2; - } else if (rem >= 3 && strncmp (beg, "+OK", 3) == 0) { - if (state == STAT) { - if (!do_from) - write_state_add(&write_state, - from_line, from_line_length); - blank_line = 0; - if (do_from) - state = TOP; - else - state = RETR; - } else if (state == XDELE) { - state = QUIT; - net_write (s, "QUIT\r\n", 6); - if (verbose > 1) - fprintf (stderr, "QUIT\r\n"); - break; - } else if (state == DELE) { - if (++deleted == count) { - state = QUIT; - net_write (s, "QUIT\r\n", 6); - if (verbose > 1) - fprintf (stderr, "QUIT\r\n"); - break; - } - } else if (++state == STAT) { - if(sscanf (beg + 4, "%u %u", &count, &bytes) != 2) - errx(1, "Bad STAT-line: %.*s", (int)(p - beg), beg); - if (verbose) { - fprintf 
(stderr, "%u message(s) (%u bytes). " - "fetching... ", - count, bytes); - if (do_from) - fprintf (stderr, "\n"); - } else if (do_count) { - fprintf (stderr, "%u message(s) (%u bytes).\n", - count, bytes); - } - if (count == 0) { - state = QUIT; - net_write (s, "QUIT\r\n", 6); - if (verbose > 1) - fprintf (stderr, "QUIT\r\n"); - break; - } - } - - rem -= p - beg + 2; - beg = p + 2; - } else { - if(state == XDELE) { - state = DELE; - rem -= p - beg + 2; - beg = p + 2; - } else - errx (1, "Bad response: %.*s", (int)(p - beg), beg); - } - } - if (!do_from) - write_state_flush (&write_state); - - memmove (in_buf, beg, rem); - in_len = rem; - in_ptr = in_buf + rem; - } - if (FD_ISSET(s, &writeset)) { - if ((state == STAT && !do_from) || state == RETR) - out_len = snprintf (out_buf, sizeof(out_buf), - "RETR %u\r\n", ++asked_for); - else if ((state == STAT && do_from) || state == TOP) - out_len = snprintf (out_buf, sizeof(out_buf), - "TOP %u 0\r\n", ++asked_for); - else if(state == XDELE) { - out_len = snprintf(out_buf, sizeof(out_buf), - "XDELE %u %u\r\n", 1, count); - sent_xdele++; - } - else if(state == DELE) - out_len = snprintf (out_buf, sizeof(out_buf), - "DELE %u\r\n", ++asked_deleted); - if (out_len < 0) - errx (1, "snprintf failed"); - if (net_write (s, out_buf, out_len) != out_len) - err (1, "write"); - if (verbose > 1) - fprintf (stderr, "%s", out_buf); - } - } - if (verbose) - fprintf (stderr, "Done\n"); - if (do_from) { - free (tmp); - free (headers); - } else { - write_state_destroy (&write_state); - } - return 0; -} - -#ifdef KRB5 -static int -do_v5 (const char *host, - int port, - const char *user, - const char *filename, - const char *header_str, - int leavep, - int verbose, - int forkp) -{ - krb5_error_code ret; - krb5_auth_context auth_context = NULL; - krb5_principal server; - int s; - - s = do_connect (host, port, 1); - if (s < 0) - return 1; - - ret = krb5_sname_to_principal (context, - host, - "pop", - KRB5_NT_SRV_HST, - &server); - if (ret) { - 
warnx ("krb5_sname_to_principal: %s", - krb5_get_err_text (context, ret)); - return 1; - } - - ret = krb5_sendauth (context, - &auth_context, - &s, - "KPOPV1.0", - NULL, - server, - 0, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL); - krb5_free_principal (context, server); - if (ret) { - warnx ("krb5_sendauth: %s", - krb5_get_err_text (context, ret)); - return 1; - } - return doit (s, host, user, filename, header_str, leavep, verbose, forkp); -} -#endif - -#ifdef KRB4 -static int -do_v4 (const char *host, - int port, - const char *user, - const char *filename, - const char *header_str, - int leavep, - int verbose, - int forkp) -{ - KTEXT_ST ticket; - MSG_DAT msg_data; - CREDENTIALS cred; - des_key_schedule sched; - int s; - int ret; - - s = do_connect (host, port, 1); - if (s < 0) - return 1; - ret = krb_sendauth(0, - s, - &ticket, - "pop", - (char *)host, - krb_realmofhost(host), - getpid(), - &msg_data, - &cred, - sched, - NULL, - NULL, - "KPOPV0.1"); - if(ret) { - warnx("krb_sendauth: %s", krb_get_err_text(ret)); - return 1; - } - return doit (s, host, user, filename, header_str, leavep, verbose, forkp); -} -#endif /* KRB4 */ - -#ifdef HESIOD - -#ifdef HESIOD_INTERFACES - -static char * -hesiod_get_pobox (const char **user) -{ - void *context; - struct hesiod_postoffice *hpo; - char *ret = NULL; - - if(hesiod_init (&context) != 0) - err (1, "hesiod_init"); - - hpo = hesiod_getmailhost (context, *user); - if (hpo == NULL) { - warn ("hesiod_getmailhost %s", *user); - } else { - if (strcasecmp(hpo->hesiod_po_type, "pop") != 0) - errx (1, "Unsupported po type %s", hpo->hesiod_po_type); - - ret = estrdup(hpo->hesiod_po_host); - *user = estrdup(hpo->hesiod_po_name); - hesiod_free_postoffice (context, hpo); - } - hesiod_end (context); - return ret; -} - -#else /* !HESIOD_INTERFACES */ - -static char * -hesiod_get_pobox (const char **user) -{ - char *ret = NULL; - struct hes_postoffice *hpo; - - hpo = hes_getmailhost (*user); - if (hpo == NULL) { - warn 
("hes_getmailhost %s", *user); - } else { - if (strcasecmp(hpo->po_type, "pop") != 0) - errx (1, "Unsupported po type %s", hpo->po_type); - - ret = estrdup(hpo->po_host); - *user = estrdup(hpo->po_name); - } - return ret; -} - -#endif /* HESIOD_INTERFACES */ - -#endif /* HESIOD */ - -static char * -get_pobox (const char **user) -{ - char *ret = NULL; - -#ifdef HESIOD - ret = hesiod_get_pobox (user); -#endif - - if (ret == NULL) - ret = getenv("MAILHOST"); - if (ret == NULL) - errx (1, "MAILHOST not set"); - return ret; -} - -static void -parse_pobox (char *a0, const char **host, const char **user) -{ - const char *h, *u; - char *p; - int po = 0; - - if (a0 == NULL) { - - *user = getenv ("USERNAME"); - if (*user == NULL) { - struct passwd *pwd = getpwuid (getuid ()); - - if (pwd == NULL) - errx (1, "Who are you?"); - *user = estrdup (pwd->pw_name); - } - *host = get_pobox (user); - return; - } - - /* if the specification starts with po:, remember this information */ - if(strncmp(a0, "po:", 3) == 0) { - a0 += 3; - po++; - } - /* if there is an `@', the hostname is after it, otherwise at the - beginning of the string */ - p = strchr(a0, '@'); - if(p != NULL) { - *p++ = '\0'; - h = p; - } else { - h = a0; - } - /* if there is a `:', the username comes before it, otherwise at - the beginning of the string */ - p = strchr(a0, ':'); - if(p != NULL) { - *p++ = '\0'; - u = p; - } else { - u = a0; - } - if(h == u) { - /* some inconsistent compatibility with various mailers */ - if(po) { - h = get_pobox (&u); - } else { - u = get_default_username (); - if (u == NULL) - errx (1, "Who are you?"); - } - } - *host = h; - *user = u; -} - -int -main(int argc, char **argv) -{ - int port = 0; - int optind = 0; - int ret = 1; - const char *host, *user, *filename = NULL; - char *pobox = NULL; - - setprogname (argv[0]); - -#ifdef KRB5 - { - krb5_error_code ret; - - ret = krb5_init_context (&context); - if (ret) - errx (1, "krb5_init_context failed: %d", ret); - } -#endif - - if (getarg 
(args, sizeof(args) / sizeof(args[0]), argc, argv, - &optind)) - usage (1); - - argc -= optind; - argv += optind; - -#if defined(KRB4) && defined(KRB5) - if(use_v4 == -1 && use_v5 == 1) - use_v4 = 0; - if(use_v5 == -1 && use_v4 == 1) - use_v5 = 0; -#endif - - if (do_help) - usage (0); - - if (do_version) { - print_version(NULL); - return 0; - } - - if (do_from && header_str == NULL) - header_str = "From:"; - else if (header_str != NULL) - do_from = 1; - - if (do_from) { - if (argc == 0) - pobox = NULL; - else if (argc == 1) - pobox = argv[0]; - else - usage (1); - } else { - if (argc == 1) { - filename = argv[0]; - pobox = NULL; - } else if (argc == 2) { - filename = argv[1]; - pobox = argv[0]; - } else - usage (1); - } - - if (port_str) { - struct servent *s = roken_getservbyname (port_str, "tcp"); - - if (s) - port = s->s_port; - else { - char *ptr; - - port = strtol (port_str, &ptr, 10); - if (port == 0 && ptr == port_str) - errx (1, "Bad port `%s'", port_str); - port = htons(port); - } - } - if (port == 0) { -#ifdef KRB5 - port = krb5_getportbyname (context, "kpop", "tcp", 1109); -#elif defined(KRB4) - port = k_getportbyname ("kpop", "tcp", htons(1109)); -#else -#error must define KRB4 or KRB5 -#endif - } - - parse_pobox (pobox, &host, &user); - -#ifdef KRB5 - if (ret && use_v5) { - ret = do_v5 (host, port, user, filename, header_str, - do_leave, verbose_level, do_fork); - } -#endif - -#ifdef KRB4 - if (ret && use_v4) { - ret = do_v4 (host, port, user, filename, header_str, - do_leave, verbose_level, do_fork); - } -#endif /* KRB4 */ - return ret; -} diff --git a/crypto/heimdal-0.6.3/appl/push/push.cat8 b/crypto/heimdal-0.6.3/appl/push/push.cat8 deleted file mode 100644 index cd92e2ad3b..0000000000 --- a/crypto/heimdal-0.6.3/appl/push/push.cat8 +++ /dev/null 
@@ -1,77 +0,0 @@ - -PUSH(8) UNIX System Manager's Manual PUSH(8) - -NNAAMMEE - ppuusshh - fetch mail via POP - -SSYYNNOOPPSSIISS - ppuusshh [--44 | ----kkrrbb44] [--55 | ----kkrrbb55] [--vv | ----vveerrbboossee] [--ff | ----ffoorrkk] [--ll | - ----lleeaavvee] [----ffrroomm] [--cc | ----ccoouunntt] [----hheeaaddeerrss=_h_e_a_d_e_r_s] [--pp _p_o_r_t_-_s_p_e_c | - ----ppoorrtt=_p_o_r_t_-_s_p_e_c] _p_o_-_b_o_x _f_i_l_e_n_a_m_e - -DDEESSCCRRIIPPTTIIOONN - ppuusshh retrieves mail from the post office box _p_o_-_b_o_x, and stores the mail - in mbox format in _f_i_l_e_n_a_m_e. The _p_o_-_b_o_x can have any of the following for- - mats: - `hostname:username' - `po:hostname:username' - `username@hostname' - `po:username@hostname' - `hostname' - `po:username' - - If no username is specified, ppuusshh assumes that it's the same as on the - local machine; _h_o_s_t_n_a_m_e defaults to the value of the MAILHOST environment - variable. - - Supported options: - - --44, ----kkrrbb44 - use Kerberos 4 (if compiled with support for Kerberos 4) - - --55, ----kkrrbb55 - use Kerberos 5 (if compiled with support for Kerberos 5) - - --ff, ----ffoorrkk - fork before starting to delete messages - - --ll, ----lleeaavvee - don't delete fetched mail - - ----ffrroomm behave like from. - - --cc, ----ccoouunntt - first print how many messages and bytes there are. - - ----hheeaaddeerrss=_h_e_a_d_e_r_s - a list of comma-separated headers that should get printed. - - --pp _p_o_r_t_-_s_p_e_c, ----ppoorrtt=_p_o_r_t_-_s_p_e_c - use this port instead of the default `kpop' or `1109'. - - The default is to first try Kerberos 5 authentication and then, if that - fails, Kerberos 4. - -EENNVVIIRROONNMMEENNTT - MAILHOST - points to the post office, if no other hostname is specified. 
- -EEXXAAMMPPLLEESS - $ push cornfield:roosta ~/.emacs-mail-crash-box - - tries to fetch mail for the user _r_o_o_s_t_a from the post office at - ``cornfield'', and stores the mail in _~_/_._e_m_a_c_s_-_m_a_i_l_-_c_r_a_s_h_-_b_o_x (you are - using Gnus, aren't you?) - - $ push --from -5 havregryn - - tries to fetch FFrroomm:: lines for current user at post office ``havregryn'' - using Kerberos 5. - -SSEEEE AALLSSOO - from(1), pfrom(1), movemail(8), popper(8) - -HHIISSTTOORRYY - ppuusshh was written while waiting for mmoovveemmaaiill to finish getting the mail. - - HEIMDAL May 31, 1998 2 diff --git a/crypto/heimdal-0.6.3/appl/push/push_locl.h b/crypto/heimdal-0.6.3/appl/push/push_locl.h deleted file mode 100644 index 1e5ca784c8..0000000000 --- a/crypto/heimdal-0.6.3/appl/push/push_locl.h +++ /dev/null 
@@ -1,98 +0,0 @@
-/*
- * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: push_locl.h,v 1.6 1999/12/02 16:58:33 joda Exp $ */
-
-#ifdef HAVE_CONFIG_H
-#include
-#endif
-
-#include
-#include
-#include
-#ifdef HAVE_FCNTL_H
-#include
-#endif
-#ifdef HAVE_ERRNO_H
-#include
-#endif
-#include
-#include
-#include
-#ifdef HAVE_SYS_TYPES_H
-#include
-#endif
-#ifdef HAVE_SYS_SELECT_H
-#include
-#endif
-#ifdef HAVE_UNISTD_H
-#include
-#endif
-#ifdef HAVE_SYS_UIO_H
-#include
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include
-#endif
-#ifdef HAVE_NETINET_IN6_H
-#include
-#endif
-#ifdef HAVE_NETINET6_IN6_H
-#include
-#endif
-#ifdef HAVE_NETINET_TCP_H
-#include
-#endif
-#ifdef HAVE_NETDB_H
-#include
-#endif
-#ifdef HAVE_PWD_H
-#include
-#endif
-#ifdef HESIOD
-#include
-#endif
-
-#include
-#include
-#include
-#ifdef KRB5
-#include
-#endif
-
-#ifdef KRB4
-#include
-#endif
diff --git a/crypto/heimdal-0.6.3/appl/rcp/ChangeLog b/crypto/heimdal-0.6.3/appl/rcp/ChangeLog
deleted file mode 100644
index 6c830d63ed..0000000000
--- a/crypto/heimdal-0.6.3/appl/rcp/ChangeLog
+++ /dev/null
@@ -1,72 +0,0 @@
-2003-04-16 Johan Danielsson
-
- * rcp.1: add a HISTORY section
-
- * rcp.1: brief manpage
-
- * rcp.c: add a -4 option
-
-2001-09-24 Johan Danielsson
-
- * rcp.c: more va_* fixing; from Thomas Klausner
-
-2001-09-08 Assar Westerlund
-
- * rcp.c (run_err): always match va_start and va_end
-
-2001-09-04 Assar Westerlund
-
- * util.c (allocbuf): do not leak memory on failure and zero
- re-used memory, from Markus Friedl
-
-2001-07-19 Assar Westerlund
-
- * rcp.c (main): add missing setprogname
-
-2001-06-14 Assar Westerlund
-
- * rcp.c: add some const replace a few malloc/snprintf with
- asprintf
- * rcp.c (sizestr): remove and use snprintf to do this correctly
- instead
-
-2001-04-21 Johan Danielsson
-
- * rcp.c: convert to use getarg
-
- * rcp.c: do a better job of supporting files larger than 2GB
-
-2001-02-07 Assar Westerlund
-
- * rcp.c: add -F for forwarding ticket, from Ake Sandgren
-
-
-2001-01-29 Assar Westerlund
-
- * util.c (roundup): add fallback definition
-
- * rcp.c: remove non-STDC code
- * rcp_locl.h: add sys/types.h and sys/wait.h
-
- * rcp.c: no calls to err with NULL
-
-2001-01-28 Assar Westerlund
-
- * rcp_locl.h: add
-
- * Makefile.am (LDADD): remove unused libraries
-
-2001-01-27 Assar Westerlund
-
- * util.c: replace vfork by fork
-
- * rcp.c: add RCSID S_ISTXT -> S_ISVTX printf sizes of files with
- %lu instead of %q (which is not portable)
-
- * util.c: add RCSID do not use sig_t
- * rcp.c: remove __P, use st_mtime et al from struct stat
- * extern.h: remove __P
-
- * initial import of port of bsd rcp changed to use existing rsh,
- contributed by Richard Nyberg
-
diff --git a/crypto/heimdal-0.6.3/appl/rcp/Makefile.am b/crypto/heimdal-0.6.3/appl/rcp/Makefile.am
deleted file mode 100644
index 4ecf7a63b0..0000000000
--- a/crypto/heimdal-0.6.3/appl/rcp/Makefile.am
+++ /dev/null
@@ -1,11 +0,0 @@
-# $Id: Makefile.am,v 1.2 2001/01/28 22:50:35 assar Exp $
-
-include $(top_srcdir)/Makefile.am.common
-
-INCLUDES += $(INCLUDE_krb4)
-
-bin_PROGRAMS = rcp
-
-rcp_SOURCES = rcp.c util.c
-
-LDADD = $(LIB_roken)
diff --git a/crypto/heimdal-0.6.3/appl/rcp/Makefile.in b/crypto/heimdal-0.6.3/appl/rcp/Makefile.in
deleted file mode 100644
index 7c5a0c439f..0000000000
--- a/crypto/heimdal-0.6.3/appl/rcp/Makefile.in
+++ /dev/null
@@ -1,755 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.2 2001/01/28 22:50:35 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - -SOURCES = $(rcp_SOURCES) - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../.. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ - $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common ChangeLog -bin_PROGRAMS = rcp$(EXEEXT) -subdir = appl/rcp -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - 
$(top_srcdir)/cf/krb-struct-spwd.m4 \ - $(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -am__installdirs = "$(DESTDIR)$(bindir)" -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -PROGRAMS = $(bin_PROGRAMS) -am_rcp_OBJECTS = rcp.$(OBJEXT) util.$(OBJEXT) -rcp_OBJECTS = $(am_rcp_OBJECTS) -rcp_LDADD = $(LDADD) -am__DEPENDENCIES_1 = -rcp_DEPENDENCIES = $(am__DEPENDENCIES_1) -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -SOURCES = $(rcp_SOURCES) -DIST_SOURCES = $(rcp_SOURCES) -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = 
@HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ 
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ 
-dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -rcp_SOURCES = rcp.c util.c -LDADD = $(LIB_roken) -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 
.cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps appl/rcp/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps appl/rcp/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -install-binPROGRAMS: $(bin_PROGRAMS) - @$(NORMAL_INSTALL) - test -z "$(bindir)" || $(mkdir_p) "$(DESTDIR)$(bindir)" - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(bindir)/$$f'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(bindir)/$$f" || exit 1; \ - else :; fi; \ - done - -uninstall-binPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ 
- f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f '$(DESTDIR)$(bindir)/$$f'"; \ - rm -f "$(DESTDIR)$(bindir)/$$f"; \ - done - -clean-binPROGRAMS: - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -rcp$(EXEEXT): $(rcp_OBJECTS) $(rcp_DEPENDENCIES) - @rm -f rcp$(EXEEXT) - $(LINK) $(rcp_LDFLAGS) $(rcp_OBJECTS) $(rcp_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c $< - -.c.obj: - $(COMPILE) -c `$(CYGPATH_W) '$<'` - -.c.lo: - $(LTCOMPILE) -c -o $@ $< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || 
$(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/../.. $(distdir)/../../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) all-local -installdirs: - for dir in "$(DESTDIR)$(bindir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo 
"INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: install-binPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-binPROGRAMS uninstall-info-am - -.PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \ - clean clean-binPROGRAMS clean-generic clean-libtool ctags \ - distclean distclean-compile distclean-generic \ - distclean-libtool distclean-tags distdir dvi dvi-am html \ - html-am info info-am install install-am install-binPROGRAMS \ - install-data install-data-am install-exec install-exec-am \ - install-info install-info-am install-man install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags uninstall uninstall-am uninstall-binPROGRAMS \ - uninstall-info-am - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - 
x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; 
done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal-0.6.3/appl/rcp/extern.h b/crypto/heimdal-0.6.3/appl/rcp/extern.h deleted file mode 100644 index a41ce6eae9..0000000000 --- a/crypto/heimdal-0.6.3/appl/rcp/extern.h +++ /dev/null 
@@ -1,51 +0,0 @@
-/*-
- * Copyright (c) 1992, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * @(#)extern.h 8.1 (Berkeley) 5/31/93
- * $FreeBSD: src/bin/rcp/extern.h,v 1.5 1999/08/27 23:14:57 peter Exp $
- */
-
-typedef struct {
- int cnt;
- char *buf;
-} BUF;
-
-extern int iamremote;
-
-BUF *allocbuf (BUF *, int, int);
-char *colon (char *);
-void lostconn (int);
-void nospace (void);
-int okname (char *);
-void run_err (const char *, ...);
-int susystem (char *, int);
-void verifydir (char *);
diff --git a/crypto/heimdal-0.6.3/appl/rcp/rcp.1 b/crypto/heimdal-0.6.3/appl/rcp/rcp.1
deleted file mode 100644
index 5ce9527a91..0000000000
--- a/crypto/heimdal-0.6.3/appl/rcp/rcp.1
+++ /dev/null
@@ -1,67 +0,0 @@
-.\" $Id: rcp.1,v 1.2 2003/04/16 12:20:43 joda Exp $
-.\"
-.Dd April 16, 2003
-.Dt RCP 1
-.Os HEIMDAL
-.Sh NAME
-.Nm rcp
-.Nd
-copy file to and from remote machines
-.Sh SYNOPSIS
-.Nm rcp
-.Op Fl 45FKpxz
-.Op Fl P Ar port
-.Ar file1 file2
-.Nm rcp
-.Op Fl 45FKprxz
-.Op Fl P Ar port
-.Ar file... directory
-.Sh DESCRIPTION
-.Nm rcp
-copies files between machines. Each file argument is either a remote file name of the form
-.Dq rname@rhost:path
-or a local file (containing no colon or with a slash before the first
-colon).
-.Pp
-Supported options:
-.Bl -tag -width Ds
-.It Xo
-.Fl 4 ,
-.Fl 5 ,
-.Fl K ,
-.Fl F ,
-.Fl x ,
-.Fl z
-.Xc
-These options are passed on to
-.Xr rsh 1 .
-.It Fl P Ar port
-This will pass the option
-.Fl p Ar port
-to
-.Xr rsh 1 .
-.It Fl p
-Preserve file permissions.
-.It Fl r
-Copy source directories recursively.
-.El
-.\".Sh ENVIRONMENT
-.\".Sh FILES
-.\".Sh EXAMPLES
-.Sh DIAGNOSTICS
-.Nm rcp
-is implemented as a protocol on top of
-.Xr rsh 1 ,
-and thus requires a working rsh. If you intend to use Kerberos
-authentication, rsh needs to be Kerberos aware, else you may see more
-or less strange errors, such as "login incorrect", or "lost
-connection".
-.\".Sh SEE ALSO
-.\".Sh STANDARDS
-.Sh HISTORY
-The
-.Nm rcp
-utility first appeared in 4.2BSD. This version is derived from
-4.3BSD-Reno.
-.\".Sh AUTHORS
-.\".Sh BUGS
diff --git a/crypto/heimdal-0.6.3/appl/rcp/rcp.c b/crypto/heimdal-0.6.3/appl/rcp/rcp.c
deleted file mode 100644
index c54409a343..0000000000
--- a/crypto/heimdal-0.6.3/appl/rcp/rcp.c
+++ /dev/null
@@ -1,789 +0,0 @@ -/* - * Copyright (c) 1983, 1990, 1992, 1993 - * The Regents of the University of California. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "rcp_locl.h" -#include - -#define RSH_PROGRAM "rsh" - -struct passwd *pwd; -uid_t userid; -int errs, remin, remout; -int pflag, iamremote, iamrecursive, targetshouldbedirectory; -int doencrypt, noencrypt; -int usebroken, usekrb4, usekrb5, forwardtkt; -char *port; - -#define CMDNEEDS 64 -char cmd[CMDNEEDS]; /* must hold "rcp -r -p -d\0" */ - -int response (void); -void rsource (char *, struct stat *); -void sink (int, char *[]); -void source (int, char *[]); -void tolocal (int, char *[]); -void toremote (char *, int, char *[]); - -int do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout); - -static int fflag, tflag; - -static int version_flag, help_flag; - -struct getargs args[] = { - { NULL, '4', arg_flag, &usekrb4, "use Kerberos 4 authentication" }, - { NULL, '5', arg_flag, &usekrb5, "use Kerberos 5 authentication" }, - { NULL, 'F', arg_flag, &forwardtkt, "forward credentials" }, - { NULL, 'K', arg_flag, &usebroken, "use BSD authentication" }, - { NULL, 'P', arg_string, &port, "non-default port", "port" }, - { NULL, 'p', arg_flag, &pflag, "preserve file permissions" }, - { NULL, 'r', arg_flag, &iamrecursive, "recursive mode" }, - { NULL, 'x', arg_flag, &doencrypt, "use encryption" }, - { NULL, 'z', arg_flag, &noencrypt, "don't encrypt" }, - { NULL, 'd', arg_flag, &targetshouldbedirectory }, - { NULL, 'f', arg_flag, &fflag }, - { NULL, 't', arg_flag, &tflag }, - { "version", 0, arg_flag, &version_flag }, - { "help", 0, arg_flag, &help_flag } -}; - -static void -usage (int ret) -{ - arg_printusage (args, - sizeof(args) / sizeof(args[0]), - NULL, - "file1 file2|file... 
directory"); - exit (ret); -} - -int -main(int argc, char **argv) -{ - char *targ; - int optind = 0; - - setprogname(argv[0]); - if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv, - &optind)) - usage (1); - if(help_flag) - usage(0); - if (version_flag) { - print_version (NULL); - return 0; - } - - iamremote = (fflag || tflag); - - argc -= optind; - argv += optind; - - if ((pwd = getpwuid(userid = getuid())) == NULL) - errx(1, "unknown user %d", (int)userid); - - remin = STDIN_FILENO; /* XXX */ - remout = STDOUT_FILENO; - - if (fflag) { /* Follow "protocol", send data. */ - response(); - setuid(userid); - source(argc, argv); - exit(errs); - } - - if (tflag) { /* Receive data. */ - setuid(userid); - sink(argc, argv); - exit(errs); - } - - if (argc < 2) - usage(1); - if (argc > 2) - targetshouldbedirectory = 1; - - remin = remout = -1; - /* Command to be executed on remote system using "rsh". */ - snprintf(cmd, sizeof(cmd), - "rcp%s%s%s", iamrecursive ? " -r" : "", - pflag ? " -p" : "", targetshouldbedirectory ? " -d" : ""); - - signal(SIGPIPE, lostconn); - - if ((targ = colon(argv[argc - 1]))) /* Dest is remote host. */ - toremote(targ, argc, argv); - else { - tolocal(argc, argv); /* Dest is local host. 
*/ - if (targetshouldbedirectory) - verifydir(argv[argc - 1]); - } - exit(errs); -} - -void -toremote(char *targ, int argc, char **argv) -{ - int i; - char *bp, *host, *src, *suser, *thost, *tuser; - - *targ++ = 0; - if (*targ == 0) - targ = "."; - - if ((thost = strchr(argv[argc - 1], '@'))) { - /* user@host */ - *thost++ = 0; - tuser = argv[argc - 1]; - if (*tuser == '\0') - tuser = NULL; - else if (!okname(tuser)) - exit(1); - } else { - thost = argv[argc - 1]; - tuser = NULL; - } - - for (i = 0; i < argc - 1; i++) { - src = colon(argv[i]); - if (src) { /* remote to remote */ - *src++ = 0; - if (*src == 0) - src = "."; - host = strchr(argv[i], '@'); - if (host) { - *host++ = '\0'; - suser = argv[i]; - if (*suser == '\0') - suser = pwd->pw_name; - else if (!okname(suser)) - continue; - asprintf(&bp, - "%s %s -l %s -n %s %s '%s%s%s:%s'", - _PATH_RSH, host, suser, cmd, src, - tuser ? tuser : "", tuser ? "@" : "", - thost, targ); - } else { - asprintf(&bp, - "exec %s %s -n %s %s '%s%s%s:%s'", - _PATH_RSH, argv[i], cmd, src, - tuser ? tuser : "", tuser ? "@" : "", - thost, targ); - } - if (bp == NULL) - err (1, "malloc"); - susystem(bp, userid); - free(bp); - } else { /* local to remote */ - if (remin == -1) { - asprintf(&bp, "%s -t %s", cmd, targ); - if (bp == NULL) - err (1, "malloc"); - host = thost; - - if (do_cmd(host, tuser, bp, &remin, &remout) < 0) - exit(1); - - if (response() < 0) - exit(1); - free(bp); - setuid(userid); - } - source(1, argv+i); - } - } -} - -void -tolocal(int argc, char **argv) -{ - int i; - char *bp, *host, *src, *suser; - - for (i = 0; i < argc - 1; i++) { - if (!(src = colon(argv[i]))) { /* Local to local. */ - asprintf(&bp, "exec %s%s%s %s %s", _PATH_CP, - iamrecursive ? " -PR" : "", pflag ? 
" -p" : "", - argv[i], argv[argc - 1]); - if (bp == NULL) - err (1, "malloc"); - if (susystem(bp, userid)) - ++errs; - free(bp); - continue; - } - *src++ = 0; - if (*src == 0) - src = "."; - if ((host = strchr(argv[i], '@')) == NULL) { - host = argv[i]; - suser = pwd->pw_name; - } else { - *host++ = 0; - suser = argv[i]; - if (*suser == '\0') - suser = pwd->pw_name; - else if (!okname(suser)) - continue; - } - asprintf(&bp, "%s -f %s", cmd, src); - if (bp == NULL) - err (1, "malloc"); - if (do_cmd(host, suser, bp, &remin, &remout) < 0) { - free(bp); - ++errs; - continue; - } - free(bp); - sink(1, argv + argc - 1); - seteuid(0); - close(remin); - remin = remout = -1; - } -} - -void -source(int argc, char **argv) -{ - struct stat stb; - static BUF buffer; - BUF *bp; - off_t i; - int amt, fd, haderr, indx, result; - char *last, *name, buf[BUFSIZ]; - - for (indx = 0; indx < argc; ++indx) { - name = argv[indx]; - if ((fd = open(name, O_RDONLY, 0)) < 0) - goto syserr; - if (fstat(fd, &stb)) { -syserr: run_err("%s: %s", name, strerror(errno)); - goto next; - } - switch (stb.st_mode & S_IFMT) { - case S_IFREG: - break; - case S_IFDIR: - if (iamrecursive) { - rsource(name, &stb); - goto next; - } - /* FALLTHROUGH */ - default: - run_err("%s: not a regular file", name); - goto next; - } - if ((last = strrchr(name, '/')) == NULL) - last = name; - else - ++last; - if (pflag) { - /* - * Make it compatible with possible future - * versions expecting microseconds. 
- */ - snprintf(buf, sizeof(buf), "T%ld 0 %ld 0\n", - (long)stb.st_mtime, - (long)stb.st_atime); - write(remout, buf, strlen(buf)); - if (response() < 0) - goto next; - } -#define MODEMASK (S_ISUID|S_ISGID|S_ISVTX|S_IRWXU|S_IRWXG|S_IRWXO) - snprintf(buf, sizeof(buf), "C%04o %lu %s\n", - stb.st_mode & MODEMASK, - (unsigned long)stb.st_size, - last); - write(remout, buf, strlen(buf)); - if (response() < 0) - goto next; - if ((bp = allocbuf(&buffer, fd, BUFSIZ)) == NULL) { -next: close(fd); - continue; - } - - /* Keep writing after an error so that we stay sync'd up. */ - for (haderr = i = 0; i < stb.st_size; i += bp->cnt) { - amt = bp->cnt; - if (i + amt > stb.st_size) - amt = stb.st_size - i; - if (!haderr) { - result = read(fd, bp->buf, amt); - if (result != amt) - haderr = result >= 0 ? EIO : errno; - } - if (haderr) - write(remout, bp->buf, amt); - else { - result = write(remout, bp->buf, amt); - if (result != amt) - haderr = result >= 0 ? EIO : errno; - } - } - if (close(fd) && !haderr) - haderr = errno; - if (!haderr) - write(remout, "", 1); - else - run_err("%s: %s", name, strerror(haderr)); - response(); - } -} - -void -rsource(char *name, struct stat *statp) -{ - DIR *dirp; - struct dirent *dp; - char *last, *vect[1], path[MAXPATHLEN]; - - if (!(dirp = opendir(name))) { - run_err("%s: %s", name, strerror(errno)); - return; - } - last = strrchr(name, '/'); - if (last == 0) - last = name; - else - last++; - if (pflag) { - snprintf(path, sizeof(path), "T%ld 0 %ld 0\n", - (long)statp->st_mtime, - (long)statp->st_atime); - write(remout, path, strlen(path)); - if (response() < 0) { - closedir(dirp); - return; - } - } - snprintf(path, sizeof(path), - "D%04o %d %s\n", statp->st_mode & MODEMASK, 0, last); - write(remout, path, strlen(path)); - if (response() < 0) { - closedir(dirp); - return; - } - while ((dp = readdir(dirp))) { - if (dp->d_ino == 0) - continue; - if (!strcmp(dp->d_name, ".") || !strcmp(dp->d_name, "..")) - continue; - if (strlen(name) + 1 + 
strlen(dp->d_name) >= MAXPATHLEN - 1) { - run_err("%s/%s: name too long", name, dp->d_name); - continue; - } - snprintf(path, sizeof(path), "%s/%s", name, dp->d_name); - vect[0] = path; - source(1, vect); - } - closedir(dirp); - write(remout, "E\n", 2); - response(); -} - -void -sink(int argc, char **argv) -{ - static BUF buffer; - struct stat stb; - struct timeval tv[2]; - enum { YES, NO, DISPLAYED } wrerr; - BUF *bp; - off_t i, j, size; - int amt, count, exists, first, mask, mode, ofd, omode; - int setimes, targisdir, wrerrno = 0; - char ch, *cp, *np, *targ, *why, *vect[1], buf[BUFSIZ]; - -#define atime tv[0] -#define mtime tv[1] -#define SCREWUP(str) { why = str; goto screwup; } - - setimes = targisdir = 0; - mask = umask(0); - if (!pflag) - umask(mask); - if (argc != 1) { - run_err("ambiguous target"); - exit(1); - } - targ = *argv; - if (targetshouldbedirectory) - verifydir(targ); - write(remout, "", 1); - if (stat(targ, &stb) == 0 && S_ISDIR(stb.st_mode)) - targisdir = 1; - for (first = 1;; first = 0) { - cp = buf; - if (read(remin, cp, 1) <= 0) - return; - if (*cp++ == '\n') - SCREWUP("unexpected "); - do { - if (read(remin, &ch, sizeof(ch)) != sizeof(ch)) - SCREWUP("lost connection"); - *cp++ = ch; - } while (cp < &buf[BUFSIZ - 1] && ch != '\n'); - *cp = 0; - - if (buf[0] == '\01' || buf[0] == '\02') { - if (iamremote == 0) - write(STDERR_FILENO, - buf + 1, strlen(buf + 1)); - if (buf[0] == '\02') - exit(1); - ++errs; - continue; - } - if (buf[0] == 'E') { - write(remout, "", 1); - return; - } - - if (ch == '\n') - *--cp = 0; - - cp = buf; - if (*cp == 'T') { - setimes++; - cp++; - mtime.tv_sec = strtol(cp, &cp, 10); - if (!cp || *cp++ != ' ') - SCREWUP("mtime.sec not delimited"); - mtime.tv_usec = strtol(cp, &cp, 10); - if (!cp || *cp++ != ' ') - SCREWUP("mtime.usec not delimited"); - atime.tv_sec = strtol(cp, &cp, 10); - if (!cp || *cp++ != ' ') - SCREWUP("atime.sec not delimited"); - atime.tv_usec = strtol(cp, &cp, 10); - if (!cp || *cp++ != '\0') - 
SCREWUP("atime.usec not delimited"); - write(remout, "", 1); - continue; - } - if (*cp != 'C' && *cp != 'D') { - /* - * Check for the case "rcp remote:foo\* local:bar". - * In this case, the line "No match." can be returned - * by the shell before the rcp command on the remote is - * executed so the ^Aerror_message convention isn't - * followed. - */ - if (first) { - run_err("%s", cp); - exit(1); - } - SCREWUP("expected control record"); - } - mode = 0; - for (++cp; cp < buf + 5; cp++) { - if (*cp < '0' || *cp > '7') - SCREWUP("bad mode"); - mode = (mode << 3) | (*cp - '0'); - } - if (*cp++ != ' ') - SCREWUP("mode not delimited"); - - for (size = 0; isdigit((unsigned char)*cp);) - size = size * 10 + (*cp++ - '0'); - if (*cp++ != ' ') - SCREWUP("size not delimited"); - if (targisdir) { - static char *namebuf; - static int cursize; - size_t need; - - need = strlen(targ) + strlen(cp) + 250; - if (need > cursize) { - if (!(namebuf = malloc(need))) - run_err("%s", strerror(errno)); - } - snprintf(namebuf, need, "%s%s%s", targ, - *targ ? 
"/" : "", cp); - np = namebuf; - } else - np = targ; - exists = stat(np, &stb) == 0; - if (buf[0] == 'D') { - int mod_flag = pflag; - if (exists) { - if (!S_ISDIR(stb.st_mode)) { - errno = ENOTDIR; - goto bad; - } - if (pflag) - chmod(np, mode); - } else { - /* Handle copying from a read-only directory */ - mod_flag = 1; - if (mkdir(np, mode | S_IRWXU) < 0) - goto bad; - } - vect[0] = np; - sink(1, vect); - if (setimes) { - setimes = 0; - if (utimes(np, tv) < 0) - run_err("%s: set times: %s", - np, strerror(errno)); - } - if (mod_flag) - chmod(np, mode); - continue; - } - omode = mode; - mode |= S_IWRITE; - if ((ofd = open(np, O_WRONLY|O_CREAT, mode)) < 0) { -bad: run_err("%s: %s", np, strerror(errno)); - continue; - } - write(remout, "", 1); - if ((bp = allocbuf(&buffer, ofd, BUFSIZ)) == NULL) { - close(ofd); - continue; - } - cp = bp->buf; - wrerr = NO; - for (count = i = 0; i < size; i += BUFSIZ) { - amt = BUFSIZ; - if (i + amt > size) - amt = size - i; - count += amt; - if((j = net_read(remin, cp, amt)) != amt) { - run_err("%s", j ? strerror(errno) : - "dropped connection"); - exit(1); - } - amt -= j; - cp += j; - if (count == bp->cnt) { - /* Keep reading so we stay sync'd up. */ - if (wrerr == NO) { - j = write(ofd, bp->buf, count); - if (j != count) { - wrerr = YES; - wrerrno = j >= 0 ? EIO : errno; - } - } - count = 0; - cp = bp->buf; - } - } - if (count != 0 && wrerr == NO && - (j = write(ofd, bp->buf, count)) != count) { - wrerr = YES; - wrerrno = j >= 0 ? 
EIO : errno; - } - if (ftruncate(ofd, size)) { - run_err("%s: truncate: %s", np, strerror(errno)); - wrerr = DISPLAYED; - } - if (pflag) { - if (exists || omode != mode) - if (fchmod(ofd, omode)) - run_err("%s: set mode: %s", - np, strerror(errno)); - } else { - if (!exists && omode != mode) - if (fchmod(ofd, omode & ~mask)) - run_err("%s: set mode: %s", - np, strerror(errno)); - } - close(ofd); - response(); - if (setimes && wrerr == NO) { - setimes = 0; - if (utimes(np, tv) < 0) { - run_err("%s: set times: %s", - np, strerror(errno)); - wrerr = DISPLAYED; - } - } - switch(wrerr) { - case YES: - run_err("%s: %s", np, strerror(wrerrno)); - break; - case NO: - write(remout, "", 1); - break; - case DISPLAYED: - break; - } - } -screwup: - run_err("protocol error: %s", why); - exit(1); -} - -int -response(void) -{ - char ch, *cp, resp, rbuf[BUFSIZ]; - - if (read(remin, &resp, sizeof(resp)) != sizeof(resp)) - lostconn(0); - - cp = rbuf; - switch(resp) { - case 0: /* ok */ - return (0); - default: - *cp++ = resp; - /* FALLTHROUGH */ - case 1: /* error, followed by error msg */ - case 2: /* fatal error, "" */ - do { - if (read(remin, &ch, sizeof(ch)) != sizeof(ch)) - lostconn(0); - *cp++ = ch; - } while (cp < &rbuf[BUFSIZ] && ch != '\n'); - - if (!iamremote) - write(STDERR_FILENO, rbuf, cp - rbuf); - ++errs; - if (resp == 1) - return (-1); - exit(1); - } - /* NOTREACHED */ -} - -#include - -void -run_err(const char *fmt, ...) -{ - static FILE *fp; - va_list ap; - - ++errs; - if (fp == NULL && !(fp = fdopen(remout, "w"))) - return; - va_start(ap, fmt); - fprintf(fp, "%c", 0x01); - fprintf(fp, "rcp: "); - vfprintf(fp, fmt, ap); - fprintf(fp, "\n"); - fflush(fp); - va_end(ap); - - if (!iamremote) { - va_start(ap, fmt); - vwarnx(fmt, ap); - va_end(ap); - } -} - -/* - * This function executes the given command as the specified user on the - * given host. This returns < 0 if execution fails, and >= 0 otherwise. This - * assigns the input and output file descriptors on success. 
- * - * If it cannot create necessary pipes it exits with error message. - */ - -int -do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout) -{ - int pin[2], pout[2], reserved[2]; - - /* - * Reserve two descriptors so that the real pipes won't get - * descriptors 0 and 1 because that will screw up dup2 below. - */ - pipe(reserved); - - /* Create a socket pair for communicating with rsh. */ - if (pipe(pin) < 0) { - perror("pipe"); - exit(255); - } - if (pipe(pout) < 0) { - perror("pipe"); - exit(255); - } - - /* Free the reserved descriptors. */ - close(reserved[0]); - close(reserved[1]); - - /* For a child to execute the command on the remote host using rsh. */ - if (fork() == 0) { - char *args[100]; - unsigned int i; - - /* Child. */ - close(pin[1]); - close(pout[0]); - dup2(pin[0], 0); - dup2(pout[1], 1); - close(pin[0]); - close(pout[1]); - - i = 0; - args[i++] = RSH_PROGRAM; - if (usekrb4) - args[i++] = "-4"; - if (usekrb5) - args[i++] = "-5"; - if (usebroken) - args[i++] = "-K"; - if (doencrypt) - args[i++] = "-x"; - if (forwardtkt) - args[i++] = "-F"; - if (noencrypt) - args[i++] = "-z"; - if (port != NULL) { - args[i++] = "-p"; - args[i++] = port; - } - if (remuser != NULL) { - args[i++] = "-l"; - args[i++] = remuser; - } - args[i++] = host; - args[i++] = cmd; - args[i++] = NULL; - - execvp(RSH_PROGRAM, args); - perror(RSH_PROGRAM); - exit(1); - } - /* Parent. Close the other side, and return the local side. */ - close(pin[0]); - *fdout = pin[1]; - close(pout[1]); - *fdin = pout[0]; - return 0; -} diff --git a/crypto/heimdal-0.6.3/appl/rcp/rcp_locl.h b/crypto/heimdal-0.6.3/appl/rcp/rcp_locl.h deleted file mode 100644 index 4397c9f461..0000000000 --- a/crypto/heimdal-0.6.3/appl/rcp/rcp_locl.h +++ /dev/null 
@@ -1,64 +0,0 @@
-/*
- * Copyright (c) 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: rcp_locl.h,v 1.3 2001/01/29 05:59:24 assar Exp $ */
-
-#ifdef HAVE_CONFIG_H
-#include
-#endif
-
-#include
-#include
-#include
-#include
-#include
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#include
-
-#include "extern.h"
-
-#define _PATH_CP "/bin/cp"
-#define _PATH_RSH "/usr/bin/rsh"
diff --git a/crypto/heimdal-0.6.3/appl/rcp/util.c b/crypto/heimdal-0.6.3/appl/rcp/util.c
deleted file mode 100644
index 9cfda64439..0000000000
--- a/crypto/heimdal-0.6.3/appl/rcp/util.c
+++ /dev/null
@@ -1,171 +0,0 @@
-/*-
- * Copyright (c) 1992, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#if 0
-#ifndef lint
-#if 0
-static char sccsid[] = "@(#)util.c 8.2 (Berkeley) 4/2/94";
-#endif
-static const char rcsid[] =
- "$FreeBSD: src/bin/rcp/util.c,v 1.9 1999/08/27 23:14:58 peter Exp $";
-#endif /* not lint */
-#endif
-
-#include "rcp_locl.h"
-
-RCSID("$Id: util.c,v 1.6 2001/09/04 14:35:58 assar Exp $");
-
-char *
-colon(cp)
- char *cp;
-{
- if (*cp == ':') /* Leading colon is part of file name. */
- return (0);
-
- for (; *cp; ++cp) {
- if (*cp == ':')
- return (cp);
- if (*cp == '/')
- return (0);
- }
- return (0);
-}
-
-void
-verifydir(cp)
- char *cp;
-{
- struct stat stb;
-
- if (!stat(cp, &stb)) {
- if (S_ISDIR(stb.st_mode))
- return;
- errno = ENOTDIR;
- }
- run_err("%s: %s", cp, strerror(errno));
- exit(1);
-}
-
-int
-okname(cp0)
- char *cp0;
-{
- int c;
- char *cp;
-
- cp = cp0;
- do {
- c = *cp;
- if (c & 0200)
- goto bad;
- if (!isalpha(c) && !isdigit(c) && c != '_' && c != '-')
- goto bad;
- } while (*++cp);
- return (1);
-
-bad: warnx("%s: invalid user name", cp0);
- return (0);
-}
-
-int
-susystem(s, userid)
- int userid;
- char *s;
-{
- void (*istat)(int), (*qstat)(int);
- int status;
- pid_t pid;
-
- pid = fork();
- switch (pid) {
- case -1:
- return (127);
-
- case 0:
- (void)setuid(userid);
- execl(_PATH_BSHELL, "sh", "-c", s, NULL);
- _exit(127);
- }
- istat = signal(SIGINT, SIG_IGN);
- qstat = signal(SIGQUIT, SIG_IGN);
- if (waitpid(pid, &status, 0) < 0)
- status = -1;
- (void)signal(SIGINT, istat);
- (void)signal(SIGQUIT, qstat);
- return (status);
-}
-
-#ifndef roundup
-#define roundup(x, y) ((((x)+((y)-1))/(y))*(y))
-#endif
-
-BUF *
-allocbuf(bp, fd, blksize)
- BUF *bp;
- int fd, blksize;
-{
- struct stat stb;
- size_t size;
- char *p;
-
- if (fstat(fd, &stb) < 0) {
- run_err("fstat: %s", strerror(errno));
- return (0);
- }
- size = roundup(stb.st_blksize, blksize);
- if (size == 0)
- size = blksize;
- if (bp->cnt >= size)
- return (bp);
- if ((p = realloc(bp->buf, size)) == NULL) {
- if (bp->buf)
- free(bp->buf);
- bp->buf = NULL;
- bp->cnt = 0;
- run_err("%s", strerror(errno));
- return (0);
- }
- memset(p, 0, size);
- bp->buf = p;
- bp->cnt = size;
- return (bp);
-}
-
-void
-lostconn(signo)
- int signo;
-{
- if (!iamremote)
- warnx("lost connection");
- exit(1);
-}
diff --git a/crypto/heimdal-0.6.3/appl/rsh/ChangeLog b/crypto/heimdal-0.6.3/appl/rsh/ChangeLog
deleted file mode 100644
index 1f33245d7d..0000000000
--- a/crypto/heimdal-0.6.3/appl/rsh/ChangeLog
+++ /dev/null
@@ -1,424 +0,0 @@ -2003-04-16 Johan Danielsson - - * rsh.c: use krb5_appdefault to get defaults for forward and - encrypt - - * rshd.c: use ARG_MAX + 1 - - * rshd.c (read_str): return allocated string - - * rsh_locl.h: set NCARGS to 8k if undefined - -2003-03-23 Assar Westerlund - - * rsh.c (loop): only check errsock if it's valid - -2003-03-18 Love Love Hörnquist Åstrand - - * rshd.c: do krb5_afslog when compling with afs support - - * rsh_locl.h: always include kafs.h - -2002-11-22 Johan Danielsson - - * rshd.8: clarify -x and kerberos 5 - -2002-11-01 Johan Danielsson - - * rsh_locl.h: bump COMMAND_SZ to NCARGS+1 - -2002-09-04 Johan Danielsson - - * rsh.c: free some memory - -2002-09-04 Assar Westerlund - - * common.c: krb5_crypto_block_size -> krb5_crypto_getblocksize - -2002-09-04 Johan Danielsson - - * rsh.1: document -P - -2002-09-03 Johan Danielsson - - * rsh.c: revert to protocol v1 if not asked for specific protocol - - * rshd.c: handle protocol version 2 - - * rsh.c: handle protocol version 2 - - * common.c: handle protocol version 2 - - * rsh_locl.h: handle protocol version 2 - -2002-02-18 Johan Danielsson - - * rshd.c: don't show options that doesn't apply - - * rsh.c: don't show options that doesn't apply - - * rsh_locl.h: if we're not building with any kerberos support, - just call read/write directly - - * common.c: if we're not building with any kerberos support, just - call read/write directly - - * rshd.c: make this build without krb5; also use the addrinfo - interface to mini_inetd, and set the keepalive option if requested - - * rsh.c: make this build without krb5 - - * rsh_locl.h: make this build without krb5 - - * common.c: make this build without krb5 - -2001-11-30 Johan Danielsson - - * rshd.c: make the syslog messages somewhat more informative - -2001-08-15 Johan Danielsson - - * rsh.c: only complain about encryption flag when old - authentication is requested - -2001-08-07 Johan Danielsson - - * rsh.c: don't try broken auth if rresvport 
failed; try to give - some more informative error messages - -2001-07-31 Johan Danielsson - - * rshd.8: add an EXAMPLE - * rshd.8: manual page - * rshd.c: add some compat flags - * rsh.1: manual page - * rsh.c: iff -d, set the SO_DEBUG flags of the stdout and stderr - socket; implement parsing user@host - -2001-07-19 Assar Westerlund - - * rshd.c (fatal): use vsnprintf correctly - -2001-02-07 Assar Westerlund - - * Makefile.am: add login_access - * rshd.c (login_access): add prototype - (syslog_and_die, fatal): add printf attributes - (*): AIX -> _AIX - (doit): use login_access - based on patches from Ake Sandgren - -2001-01-09 Assar Westerlund - - * rshd.c (save_krb5_creds): use krb5_rd_cred2 instead of - krb5_rd_cred - -2000-12-31 Assar Westerlund - - * rshd.c (main): handle krb5_init_context failure consistently - * rsh.c (main): handle krb5_init_context failure consistently - -2000-12-05 Johan Danielsson - - * rshd.c: require encryption if passed -x - -2000-11-15 Assar Westerlund - - * rshd.c (loop): check that the fd's aren't too large to select on - * rsh.c (loop, proto): check that the fd's aren't too large to - select on - -2000-08-10 Assar Westerlund - - * rsh.c: move code to do config/command parsing correctly. - -2000-08-09 Assar Westerlund - - * rsh.c (main): only fetch stuff from krb5.conf when no option has - been given - -2000-08-01 Assar Westerlund - - * rsh.c (doit): loop until we create an error socket of an - supported socket family - -2000-07-02 Assar Westerlund - - * rshd.c: DCE stuff from Ake Sandgren - do not call syslog with a variable as format string - - * rsh_locl.h (_PATH_ETC_ENVIRONMENT): add - -2000-06-09 Assar Westerlund - - * rsh.c (main): work-around for setuid and capabilities bug fixed - in Linux 2.2.16 - -2000-06-06 Johan Danielsson - - * rsh.c: nuke long option from -z - - * rsh.c: don't try to encrypt if auth is broken (Daniel Kouril) - -2000-06-03 Assar Westerlund - - * rshd.c (doit): check return value of getspnam. 
From - - -2000-05-23 Assar Westerlund - - * rsh.c (proto): select on the normal socket when waiting for the - daemon to connect back to the stderr port, so that we discover - when data arrives there before. when that happens, we assume that - the daemon did not manage to connect (because of NAT/whatever) and - continue as if `-e' was given - * rshd.c (doit): if we fail to connect back to the stderr port, - act as if `-e' was given on the client side, i.e. without the - special TCP-connection. This tries to make things better when - running the head against a NAT wall, for example. - -2000-02-07 Assar Westerlund - - * Makefile.am (LDADD): make sure we use the heimdal libdes - -2000-02-06 Assar Westerlund - - * *: conditionalize des stuff on KRB4 - -1999-12-16 Assar Westerlund - - * rsh.c (doit): addrinfo returned from getaddrinfo() is not usable - directly as hints. copy it and set AI_PASSIVE. - -1999-11-20 Assar Westerlund - - * rsh.c (main): remember to close the priviledged sockets before - calling rlogin - -1999-11-02 Assar Westerlund - - * rsh.c (main): redo the v4/v5 selection for consistency. -4 -> - try only v4 -5 -> try only v5 none, -45 -> try v5, v4 - -1999-10-26 Assar Westerlund - - * rshd.c (main): ignore SIGPIPE - - * common.c (do_read): the encoded length can be longer than the - buffer being used, allocate memory for it dynamically. From Brian - A May - -1999-10-14 Assar Westerlund - - * rsh.c (proto): be more careful and don't print errno when read() - returns 0 - -1999-09-20 Assar Westerlund - - * rshd.c (recv_krb4_auth): set `iv' - -1999-08-16 Assar Westerlund - - * common.c (do_read): be careful with the return value from - krb5_net_read - -1999-08-05 Assar Westerlund - - * rsh.c: call freehostent - - * rsh.c: remove some dead code - -1999-08-04 Assar Westerlund - - * rshd.c: re-write the handling of forwarded credentials and - stuff. 
From Miroslav Ruda - - * rsh_locl.h: always include kafs.h - - * rsh.c: add `-z' and `-G' options - - * rsh.c (loop): shutdown one side of the TCP connection on EOF. - From Brian A May - - * common.c (do_read): handle EOF. From Brian A May - - -1999-08-01 Assar Westerlund - - * rsh.c: const fixes - -1999-07-29 Assar Westerlund - - * rshd.c: v6-ify - - * rsh.c: v6-ify - -1999-07-28 Assar Westerlund - - * rsh_locl.h: move around kafs.h - -1999-07-24 Assar Westerlund - - * rsh_locl.h: - - * rsh.c, rshd.c: improve forwarding and implement unique ccache on - server. From Miroslav Ruda - -1999-07-03 Assar Westerlund - - * rsh.c (construct_command): handle argc == 0 for generality - -1999-06-23 Assar Westerlund - - * rsh.c: new option `-e' for not trying to open an stderr socket - -1999-06-17 Assar Westerlund - - * rsh_locl.h (RSH_BUFSIZ): bump to 16 * 1024 to be sure that we - don't leave any data inside des_enc_read. (that constant should - really be exported in some way...) - -1999-06-15 Assar Westerlund - - * rsh.c: use get_default_username and resulting const pollution - -1999-05-21 Assar Westerlund - - * rsh.c (main): try $USERNAME - -1999-05-14 Assar Westerlund - - * rshd.c (doit): afslog correctly - -1999-05-11 Assar Westerlund - - * rsh.c (main): add fallback to rlogin - -1999-05-10 Assar Westerlund - - * rsh.c (send_krb5_auth): call krb5_sendauth with ccache == NULL. - check return value from krb5_crypto_init - - * common.c (do_write, do_read): always return -1 for failure - (net_write, net_read): remove. they already exist in libroken - -1999-05-09 Assar Westerlund - - * rsh.c: make sure it tries with all other authentication methods - after one has failed - * rsh.c (main): detect the case of no command given. - -1999-04-11 Assar Westerlund - - * rsh.c: new option --forwardable. use print_version - -Sat Apr 10 17:10:55 1999 Assar Westerlund - - * rshd.c (setup_copier): use `socketpair' instead of `pipe'. 
Some - shells don't think it's a rsh session if they find a pipe at the - other end. - (setup_environment): add SSH_CLIENT just to make bash happy - - * common.c (do_read): use krb5_get_wrapped_length - -Wed Mar 24 03:59:42 1999 Assar Westerlund - - * rsh.c (loop): more braces to make gcc happy - -Tue Mar 23 17:08:32 1999 Johan Danielsson - - * rsh_locl.h: kafs.h - - * rshd.c: add `-P', `-v', and `-L' flags - -Thu Mar 18 11:37:24 1999 Johan Danielsson - - * Makefile.am: include Makefile.am.common - -Tue Dec 1 14:44:44 1998 Johan Danielsson - - * appl/rsh/rshd.c: update to new crypto framework - - * appl/rsh/rsh_locl.h: update to new crypto framework - - * appl/rsh/rsh.c: update to new crypto framework - - * appl/rsh/common.c: update to new crypto framework - -Mon Nov 2 01:15:06 1998 Assar Westerlund - - * appl/rsh/rsh.c (main): initialize host - - * appl/rsh/rshd.c (recv_krb5_auth): disable `do_encrypt' if not - encrypting. - -Thu Jul 30 23:12:17 1998 Assar Westerlund - - * appl/rsh/rsh.c: kludges for parsing `rsh hostname -l user' - -Thu Jul 23 19:49:03 1998 Johan Danielsson - - * appl/rsh/rshd.c: use krb5_verify_authenticator_checksum - -Sat Apr 18 21:13:06 1998 Johan Danielsson - - * appl/rsh/rsh.c: Don't try v5 if (only) `-4' is specified. - -Sun Dec 21 09:44:05 1997 Assar Westerlund - - * appl/rsh/rshd.c (recv_krb5_auth): swap the order of the - `local_user' and the `remote_user' - - * appl/rsh/rsh.c (send_krb5_auth): swap the order of the - `local_user' and the `remote_user' - -Sat Nov 29 07:10:11 1997 Assar Westerlund - - * appl/rsh/rshd.c: updated to use getarg. - changed `struct fd_set' to `fd_set'. 
- implemented broken/BSD authentication (requires iruserok) - -Wed Nov 12 02:35:57 1997 Assar Westerlund - - * appl/rsh/rsh_locl.h: add AUTH_BROKEN and PATH_RSH - - * appl/rsh/Makefile.am: set BINDIR - - * appl/rsh/rsh.c: implemented BSD-style reserved port - `authentication' - -Sun Aug 24 08:06:54 1997 Assar Westerlund - - * appl/rsh/rshd.c: syslog remote shells - -Tue Aug 12 01:29:46 1997 Assar Westerlund - - * appl/rshd/rshd.c: Use `krb5_sock_to_principal'. Send server - parameter to krb5_rd_req/krb5_recvauth. Set addresses in - auth_context. - -Fri Jul 25 17:32:12 1997 Assar Westerlund - - * appl/rsh/rshd.c: implement forwarding - - * appl/rsh/rsh.c: Use getarg. Implement forwarding. - -Sun Jul 13 00:32:16 1997 Assar Westerlund - - * appl/rsh: Conditionalize the krb4-support. - -Wed Jul 9 06:58:00 1997 Assar Westerlund - - * appl/rsh/rsh.c: use the correct user for the checksum - -Mon Jul 7 11:15:51 1997 Assar Westerlund - - * appl/rsh/rshd.c: Now works. Also implementd encryption and - `-p'. - - * appl/rsh/common.c: new file - -Mon Jun 30 06:08:14 1997 Assar Westerlund - - * appl/rsh: New program. - diff --git a/crypto/heimdal-0.6.3/appl/rsh/Makefile.am b/crypto/heimdal-0.6.3/appl/rsh/Makefile.am deleted file mode 100644 index 2fbc8e0f4f..0000000000 --- a/crypto/heimdal-0.6.3/appl/rsh/Makefile.am +++ /dev/null @@ -1,25 +0,0 @@ -# $Id: Makefile.am,v 1.17 2001/07/31 09:12:03 joda Exp $ - -include $(top_srcdir)/Makefile.am.common - -INCLUDES += $(INCLUDE_krb4) -I$(srcdir)/../login - -bin_PROGRAMS = rsh - -man_MANS = rsh.1 rshd.8 - -libexec_PROGRAMS = rshd - -rsh_SOURCES = rsh.c common.c rsh_locl.h - -rshd_SOURCES = rshd.c common.c login_access.c rsh_locl.h - -login_access.c: - $(LN_S) $(srcdir)/../login/login_access.c . - -LDADD = $(LIB_kafs) \ - $(LIB_krb5) \ - $(LIB_krb4) \ - $(LIB_des) \ - $(LIB_roken) \ - $(LIB_kdfs) 
diff --git a/crypto/heimdal-0.6.3/appl/rsh/Makefile.in b/crypto/heimdal-0.6.3/appl/rsh/Makefile.in
deleted file mode 100644
index 04412b3719..0000000000
--- a/crypto/heimdal-0.6.3/appl/rsh/Makefile.in
+++ /dev/null
@@ -1,913 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.17 2001/07/31 09:12:03 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - -SOURCES = $(rsh_SOURCES) $(rshd_SOURCES) - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../.. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ - $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common ChangeLog -bin_PROGRAMS = rsh$(EXEEXT) -libexec_PROGRAMS = rshd$(EXEEXT) -subdir = appl/rsh -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - 
$(top_srcdir)/cf/krb-readline.m4 \ - $(top_srcdir)/cf/krb-struct-spwd.m4 \ - $(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man8dir)" -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -PROGRAMS = $(bin_PROGRAMS) $(libexec_PROGRAMS) -am_rsh_OBJECTS = rsh.$(OBJEXT) common.$(OBJEXT) -rsh_OBJECTS = $(am_rsh_OBJECTS) -rsh_LDADD = $(LDADD) -am__DEPENDENCIES_1 = -am__DEPENDENCIES_2 = $(top_builddir)/lib/kafs/libkafs.la \ - $(am__DEPENDENCIES_1) -@KRB5_TRUE@am__DEPENDENCIES_3 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la -@DCE_TRUE@am__DEPENDENCIES_4 = $(top_builddir)/lib/kdfs/libkdfs.la -rsh_DEPENDENCIES = $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_3) \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_4) -am_rshd_OBJECTS = rshd.$(OBJEXT) common.$(OBJEXT) \ - login_access.$(OBJEXT) -rshd_OBJECTS = $(am_rshd_OBJECTS) -rshd_LDADD = $(LDADD) -rshd_DEPENDENCIES = $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_3) \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_4) -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -SOURCES = $(rsh_SOURCES) $(rshd_SOURCES) -DIST_SOURCES = $(rsh_SOURCES) $(rshd_SOURCES) -man1dir = $(mandir)/man1 -man8dir = $(mandir)/man8 -MANS = $(man_MANS) -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = 
@HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ 
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ 
-do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) -I$(srcdir)/../login -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = 
$(top_builddir)/lib/kdfs/libkdfs.la -man_MANS = rsh.1 rshd.8 -rsh_SOURCES = rsh.c common.c rsh_locl.h -rshd_SOURCES = rshd.c common.c login_access.c rsh_locl.h -LDADD = $(LIB_kafs) \ - $(LIB_krb5) \ - $(LIB_krb4) \ - $(LIB_des) \ - $(LIB_roken) \ - $(LIB_kdfs) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps appl/rsh/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps appl/rsh/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -install-binPROGRAMS: $(bin_PROGRAMS) - @$(NORMAL_INSTALL) - test -z "$(bindir)" || $(mkdir_p) "$(DESTDIR)$(bindir)" - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " 
$(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(bindir)/$$f'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(bindir)/$$f" || exit 1; \ - else :; fi; \ - done - -uninstall-binPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f '$(DESTDIR)$(bindir)/$$f'"; \ - rm -f "$(DESTDIR)$(bindir)/$$f"; \ - done - -clean-binPROGRAMS: - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -install-libexecPROGRAMS: $(libexec_PROGRAMS) - @$(NORMAL_INSTALL) - test -z "$(libexecdir)" || $(mkdir_p) "$(DESTDIR)$(libexecdir)" - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(libexecdir)/$$f'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(libexecdir)/$$f" || exit 1; \ - else :; fi; \ - done - -uninstall-libexecPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f '$(DESTDIR)$(libexecdir)/$$f'"; \ - rm -f "$(DESTDIR)$(libexecdir)/$$f"; \ - done - -clean-libexecPROGRAMS: - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -rsh$(EXEEXT): $(rsh_OBJECTS) $(rsh_DEPENDENCIES) - @rm -f rsh$(EXEEXT) - $(LINK) $(rsh_LDFLAGS) $(rsh_OBJECTS) $(rsh_LDADD) $(LIBS) -rshd$(EXEEXT): $(rshd_OBJECTS) $(rshd_DEPENDENCIES) - @rm -f rshd$(EXEEXT) - $(LINK) $(rshd_LDFLAGS) 
$(rshd_OBJECTS) $(rshd_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c $< - -.c.obj: - $(COMPILE) -c `$(CYGPATH_W) '$<'` - -.c.lo: - $(LTCOMPILE) -c -o $@ $< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -install-man1: $(man1_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - test -z "$(man1dir)" || $(mkdir_p) "$(DESTDIR)$(man1dir)" - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 1*) ;; \ - *) ext='1' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man1dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man1dir)/$$inst"; \ - done -uninstall-man1: - @$(NORMAL_UNINSTALL) - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 1*) ;; \ - *) ext='1' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f '$(DESTDIR)$(man1dir)/$$inst'"; \ - rm -f "$(DESTDIR)$(man1dir)/$$inst"; \ - done -install-man8: $(man8_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - test -z "$(man8dir)" || $(mkdir_p) "$(DESTDIR)$(man8dir)" - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - 
l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ - done -uninstall-man8: - @$(NORMAL_UNINSTALL) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ - rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ - done - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) 
$(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/../.. $(distdir)/../../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) $(MANS) all-local -installdirs: - for dir in "$(DESTDIR)$(bindir)" 
"$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man8dir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-binPROGRAMS clean-generic clean-libexecPROGRAMS \ - clean-libtool mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: install-man - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: install-binPROGRAMS install-libexecPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man1 install-man8 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-binPROGRAMS uninstall-info-am \ - uninstall-libexecPROGRAMS uninstall-man - -uninstall-man: uninstall-man1 uninstall-man8 - -.PHONY: CTAGS GTAGS all all-am all-local check check-am check-local 
\ - clean clean-binPROGRAMS clean-generic clean-libexecPROGRAMS \ - clean-libtool ctags distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-binPROGRAMS install-data install-data-am install-exec \ - install-exec-am install-info install-info-am \ - install-libexecPROGRAMS install-man install-man1 install-man8 \ - install-strip installcheck installcheck-am installdirs \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ - pdf pdf-am ps ps-am tags uninstall uninstall-am \ - uninstall-binPROGRAMS uninstall-info-am \ - uninstall-libexecPROGRAMS uninstall-man uninstall-man1 \ - uninstall-man8 - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - 
banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) 
$(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -login_access.c: - $(LN_S) $(srcdir)/../login/login_access.c . -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal-0.6.3/appl/rsh/common.c b/crypto/heimdal-0.6.3/appl/rsh/common.c deleted file mode 100644 index 69b0c9b5dd..0000000000 --- a/crypto/heimdal-0.6.3/appl/rsh/common.c +++ /dev/null 
@@ -1,174 +0,0 @@
-/*
- * Copyright (c) 1997 - 1999, 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "rsh_locl.h" -RCSID("$Id: common.c,v 1.16 2002/09/04 15:50:36 assar Exp $"); - -#if defined(KRB4) || defined(KRB5) - -#ifdef KRB5 -int key_usage = 1026; - -void *ivec_in[2]; -void *ivec_out[2]; - -void -init_ivecs(int client) -{ - size_t blocksize; - - krb5_crypto_getblocksize(context, crypto, &blocksize); - - ivec_in[0] = malloc(blocksize); - memset(ivec_in[0], client, blocksize); - - ivec_in[1] = malloc(blocksize); - memset(ivec_in[1], 2 | client, blocksize); - - ivec_out[0] = malloc(blocksize); - memset(ivec_out[0], !client, blocksize); - - ivec_out[1] = malloc(blocksize); - memset(ivec_out[1], 2 | !client, blocksize); -} -#endif - - -ssize_t -do_read (int fd, void *buf, size_t sz, void *ivec) -{ - if (do_encrypt) { -#ifdef KRB4 - if (auth_method == AUTH_KRB4) { - return des_enc_read (fd, buf, sz, schedule, &iv); - } else -#endif /* KRB4 */ -#ifdef KRB5 - if(auth_method == AUTH_KRB5) { - krb5_error_code ret; - u_int32_t len, outer_len; - int status; - krb5_data data; - void *edata; - - ret = krb5_net_read (context, &fd, &len, 4); - if (ret <= 0) - return ret; - len = ntohl(len); - if (len > sz) - abort (); - /* ivec will be non null for protocol version 2 */ - if(ivec != NULL) - outer_len = krb5_get_wrapped_length (context, crypto, len + 4); - else - outer_len = krb5_get_wrapped_length (context, crypto, len); - edata = malloc (outer_len); - if (edata == NULL) - errx (1, "malloc: cannot allocate %u bytes", outer_len); - ret = krb5_net_read (context, &fd, edata, outer_len); - if (ret <= 0) - return ret; - - status = krb5_decrypt_ivec(context, crypto, key_usage, - edata, outer_len, &data, ivec); - free (edata); - - if (status) - krb5_err (context, 1, status, "decrypting data"); - if(ivec != NULL) { - unsigned long l; - if(data.length < len + 4) - errx (1, "data received is too short"); - _krb5_get_int(data.data, &l, 4); - if(l != len) - errx (1, "inconsistency in received data"); - memcpy (buf, (unsigned char *)data.data+4, len); - } else - memcpy 
(buf, data.data, len); - krb5_data_free (&data); - return len; - } else -#endif /* KRB5 */ - abort (); - } else - return read (fd, buf, sz); -} - -ssize_t -do_write (int fd, void *buf, size_t sz, void *ivec) -{ - if (do_encrypt) { -#ifdef KRB4 - if(auth_method == AUTH_KRB4) { - return des_enc_write (fd, buf, sz, schedule, &iv); - } else -#endif /* KRB4 */ -#ifdef KRB5 - if(auth_method == AUTH_KRB5) { - krb5_error_code status; - krb5_data data; - unsigned char len[4]; - int ret; - - _krb5_put_int(len, sz, 4); - if(ivec != NULL) { - unsigned char *tmp = malloc(sz + 4); - if(tmp == NULL) - err(1, "malloc"); - _krb5_put_int(tmp, sz, 4); - memcpy(tmp + 4, buf, sz); - status = krb5_encrypt_ivec(context, crypto, key_usage, - tmp, sz + 4, &data, ivec); - free(tmp); - } else - status = krb5_encrypt_ivec(context, crypto, key_usage, - buf, sz, &data, ivec); - - if (status) - krb5_err(context, 1, status, "encrypting data"); - - ret = krb5_net_write (context, &fd, len, 4); - if (ret != 4) - return ret; - ret = krb5_net_write (context, &fd, data.data, data.length); - if (ret != data.length) - return ret; - free (data.data); - return sz; - } else -#endif /* KRB5 */ - abort(); - } else - return write (fd, buf, sz); -} -#endif /* KRB4 || KRB5 */ diff --git a/crypto/heimdal-0.6.3/appl/rsh/rsh.1 b/crypto/heimdal-0.6.3/appl/rsh/rsh.1 deleted file mode 100644 index 82c1f6c1f0..0000000000 --- a/crypto/heimdal-0.6.3/appl/rsh/rsh.1 +++ /dev/null 
@@ -1,266 +0,0 @@
-.\" Copyright (c) 2002 - 2003 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\" -.\" $Id: rsh.1,v 1.6 2003/04/16 19:57:25 lha Exp $ -.\" -.Dd September 4, 2002 -.Dt RSH 1 -.Os HEIMDAL -.Sh NAME -.Nm rsh -.Nd -remote shell -.Sh SYNOPSIS -.Nm -.Op Fl 45FGKdefnuxz -.Op Fl U Pa string -.Op Fl p Ar port -.Op Fl l Ar username -.Op Fl P Ar N|O -.Ar host [command] -.Sh DESCRIPTION -.Nm -authenticates to the -.Xr rshd 8 -daemon on the remote -.Ar host , -and then executes the specified -.Ar command . -.Pp -.Nm -copies its standard input to the remote command, and the standard -output and error of the remote command to its own. -.Pp -Valid options are: -.Bl -tag -width Ds -.It Xo -.Fl 4 , -.Fl -krb4 -.Xc -The -.Fl 4 -option requests Kerberos 4 authentication. Normally all supported -authentication mechanisms will be tried, but in some cases more -explicit control is desired. -.It Xo -.Fl 5 , -.Fl -krb5 -.Xc -The -.Fl 5 -option requests Kerberos 5 authentication. This is analogous to the -.Fl 4 -option. -.It Xo -.Fl K , -.Fl -broken -.Xc -The -.Fl K -option turns off all Kerberos authentication. The long name implies -that this is more or less totally unsecure. The security in this mode -relies on reserved ports, which is not very secure. -.It Xo -.Fl n , -.Fl -no-input -.Xc -The -.Fl n -option directs the input from the -.Pa /dev/null -device (see the -.Sx BUGS -section of this manual page). -.It Xo -.Fl e , -.Fl -no-stderr -.Xc -Don't use a separate socket for the stderr stream. This can be -necessary if rsh-ing through a NAT bridge. -.It Xo -.Fl x , -.Fl -encrypt -.Xc -The -.Fl x -option enables encryption for all data exchange. This is only valid -for Kerberos authenticated connections (see the -.Sx BUGS -section for limitations). -.It Xo -.Fl z -.Xc -The opposite of -.Fl x . -This is the default, but encryption can be enabled when using -Kerberos 5, by setting the -.Li libdefaults/encrypt -option in -.Xr krb5.conf 5 . -.It Xo -.Fl f , -.Fl -forward -.Xc -Forward Kerberos 5 credentials to the remote host. 
Also controlled by -.Li libdefaults/forward -in -.Xr krb5.conf 5 . -.It Xo -.Fl G -.Xc -The opposite of -.Fl f . -.It Xo -.Fl F , -.Fl -forwardable -.Xc -Make the forwarded credentials re-forwardable. Also controlled by -.Li libdefaults/forwardable -in -.Xr krb5.conf 5 . -.It Xo -.Fl u , -.Fl -unique -.Xc -Make sure the remote credentials cache is unique, that is, don't reuse -any existing cache. Mutually exclusive to -.Fl U . -.It Xo -.Fl U Pa string , -.Fl -tkfile= Ns Pa string -.Xc -Name of the remote credentials cache. Mutually exclusive to -.Fl u . -.It Xo -.Fl p Ar number-or-service , -.Fl -port= Ns Ar number-or-service -.Xc -Connect to this port instead of the default (which is 514 when using -old port based authentication, 544 for Kerberos 5 and non-encrypted -Kerberos 4, and 545 for encrytpted Kerberos 4; subject of course to -the contents of -.Pa /etc/services ) . -.It Xo -.Fl l Ar string , -.Fl -user= Ns Ar string -.Xc -By default the remote username is the same as the local. The -.Fl l -option or the -.Pa username@host -format allow the remote name to be specified. -.It Xo -.Fl P Ar N|O|1|2 , -.Fl -protocol= Ns Ar N|O|1|2 -.Xc -Specifies which protocol version to use with Kerberos 5. -.Ar N -and -.Ar 2 -selects protocol version 2, while -.Ar O -and -.Ar 1 -selects version 1. Version 2 is believed to be more secure, and is the -default. Unless asked for a specific version, -.Nm -will try both. This behaviour may change in the future. -.El -.\".Pp -.\"Without a -.\".Ar command -.\".Nm -.\"will just exec -.\".Xr rlogin 1 -.\"with the same arguments. -.Sh EXAMPLES -Care should be taken when issuing commands containing shell meta -characters. Without quoting, these will be expanded on the local -machine. 
-.Pp -The following command: -.Pp -.Dl rsh otherhost cat remotefile > localfile -.Pp -will write the contents of the remote -.Pa remotefile -to the local -.Pa localfile , -but: -.Pp -.Dl rsh otherhost 'cat remotefile > remotefile2' -.Pp -will write it to the remote -.Pa remotefile2 . -.\".Sh ENVIRONMENT -.Sh FILES -.Bl -tag -width /etc/hosts -compact -.It Pa /etc/hosts -.El -.\".Sh DIAGNOSTICS -.Sh SEE ALSO -.Xr rlogin 1 , -.Xr krb_realmofhost 3 , -.Xr krb_sendauth 3 , -.Xr hosts.equiv 5 , -.Xr krb5.conf 5 , -.Xr rhosts 5 , -.Xr kerberos 8 -.Xr rshd 8 -.\".Sh STANDARDS -.Sh HISTORY -The -.Nm -command appeared in -.Bx 4.2 . -.Sh AUTHORS -This implementation of -.Nm -was written as part of the Heimdal Kerberos 5 implementation. -.Sh BUGS -Some shells (notably -.Xr csh 1 ) -will cause -.Nm -to block if run in the background, unless the standard input is directed away from the terminal. This is what the -.Fl n -option is for. -.Pp -The -.Fl x -options enables encryption for the session, but for both Kerberos 4 -and 5 the actual command is sent unencrypted, so you should not send -any secret information in the command line (which is probably a bad -idea anyway, since the command line can usually be read with tools -like -.Xr ps 1 ) . -Forthermore in Kerberos 4 the command is not even integrity -protected, so anyone with the right tools can modify the command. diff --git a/crypto/heimdal-0.6.3/appl/rsh/rsh.c b/crypto/heimdal-0.6.3/appl/rsh/rsh.c deleted file mode 100644 index 8af5096b7e..0000000000 --- a/crypto/heimdal-0.6.3/appl/rsh/rsh.c +++ /dev/null 
@@ -1,1115 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "rsh_locl.h" -RCSID("$Id: rsh.c,v 1.71 2003/04/16 20:37:20 joda Exp $"); - -enum auth_method auth_method; -#if defined(KRB4) || defined(KRB5) -int do_encrypt = -1; -#endif -#ifdef KRB5 -int do_unique_tkfile = 0; -char *unique_tkfile = NULL; -char tkfile[MAXPATHLEN]; -int do_forward = -1; -int do_forwardable = -1; -krb5_context context; -krb5_keyblock *keyblock; -krb5_crypto crypto; -#endif -#ifdef KRB4 -des_key_schedule schedule; -des_cblock iv; -#endif -int sock_debug = 0; - -#ifdef KRB4 -static int use_v4 = -1; -#endif -#ifdef KRB5 -static int use_v5 = -1; -#endif -static int use_only_broken = 0; -static int use_broken = 1; -static char *port_str; -static const char *user; -static int do_version; -static int do_help; -static int do_errsock = 1; -static char *protocol_version_str; -static int protocol_version = 2; - -/* - * - */ - -static int input = 1; /* Read from stdin */ - -static int -loop (int s, int errsock) -{ - fd_set real_readset; - int count = 1; - -#ifdef KRB5 - if(auth_method == AUTH_KRB5 && protocol_version == 2) - init_ivecs(1); -#endif - - if (s >= FD_SETSIZE || (errsock != -1 && errsock >= FD_SETSIZE)) - errx (1, "fd too large"); - - FD_ZERO(&real_readset); - FD_SET(s, &real_readset); - if (errsock != -1) { - FD_SET(errsock, &real_readset); - ++count; - } - if(input) - FD_SET(STDIN_FILENO, &real_readset); - - for (;;) { - int ret; - fd_set readset; - char buf[RSH_BUFSIZ]; - - readset = real_readset; - ret = select (max(s, errsock) + 1, &readset, NULL, NULL, NULL); - if (ret < 0) { - if (errno == EINTR) - continue; - else - err (1, "select"); - } - if (FD_ISSET(s, &readset)) { - ret = do_read (s, buf, sizeof(buf), ivec_in[0]); - if (ret < 0) - err (1, "read"); - else if (ret == 0) { - close (s); - FD_CLR(s, &real_readset); - if (--count == 0) - return 0; - } else - net_write (STDOUT_FILENO, buf, ret); - } - if (errsock != -1 && FD_ISSET(errsock, &readset)) { - ret = do_read (errsock, buf, sizeof(buf), ivec_in[1]); - if (ret < 0) - 
err (1, "read"); - else if (ret == 0) { - close (errsock); - FD_CLR(errsock, &real_readset); - if (--count == 0) - return 0; - } else - net_write (STDERR_FILENO, buf, ret); - } - if (FD_ISSET(STDIN_FILENO, &readset)) { - ret = read (STDIN_FILENO, buf, sizeof(buf)); - if (ret < 0) - err (1, "read"); - else if (ret == 0) { - close (STDIN_FILENO); - FD_CLR(STDIN_FILENO, &real_readset); - shutdown (s, SHUT_WR); - } else - do_write (s, buf, ret, ivec_out[0]); - } - } -} - -#ifdef KRB4 -static int -send_krb4_auth(int s, - struct sockaddr *thisaddr, - struct sockaddr *thataddr, - const char *hostname, - const char *remote_user, - const char *local_user, - size_t cmd_len, - const char *cmd) -{ - KTEXT_ST text; - CREDENTIALS cred; - MSG_DAT msg; - int status; - size_t len; - - /* the normal default for krb4 should be to disable encryption */ - status = krb_sendauth ((do_encrypt == 1) ? KOPT_DO_MUTUAL : 0, - s, &text, "rcmd", - (char *)hostname, krb_realmofhost (hostname), - getpid(), &msg, &cred, schedule, - (struct sockaddr_in *)thisaddr, - (struct sockaddr_in *)thataddr, - KCMD_OLD_VERSION); - if (status != KSUCCESS) { - warnx("%s: %s", hostname, krb_get_err_text(status)); - return 1; - } - memcpy (iv, cred.session, sizeof(iv)); - - len = strlen(remote_user) + 1; - if (net_write (s, remote_user, len) != len) { - warn("write"); - return 1; - } - if (net_write (s, cmd, cmd_len) != cmd_len) { - warn("write"); - return 1; - } - return 0; -} -#endif /* KRB4 */ - -#ifdef KRB5 -/* - * Send forward information on `s' for host `hostname', them being - * forwardable themselves if `forwardable' - */ - -static int -krb5_forward_cred (krb5_auth_context auth_context, - int s, - const char *hostname, - int forwardable) -{ - krb5_error_code ret; - krb5_ccache ccache; - krb5_creds creds; - krb5_kdc_flags flags; - krb5_data out_data; - krb5_principal principal; - - memset (&creds, 0, sizeof(creds)); - - ret = krb5_cc_default (context, &ccache); - if (ret) { - warnx ("could not forward 
creds: krb5_cc_default: %s", - krb5_get_err_text (context, ret)); - return 1; - } - - ret = krb5_cc_get_principal (context, ccache, &principal); - if (ret) { - warnx ("could not forward creds: krb5_cc_get_principal: %s", - krb5_get_err_text (context, ret)); - return 1; - } - - creds.client = principal; - - ret = krb5_build_principal (context, - &creds.server, - strlen(principal->realm), - principal->realm, - "krbtgt", - principal->realm, - NULL); - - if (ret) { - warnx ("could not forward creds: krb5_build_principal: %s", - krb5_get_err_text (context, ret)); - return 1; - } - - creds.times.endtime = 0; - - flags.i = 0; - flags.b.forwarded = 1; - flags.b.forwardable = forwardable; - - ret = krb5_get_forwarded_creds (context, - auth_context, - ccache, - flags.i, - hostname, - &creds, - &out_data); - if (ret) { - warnx ("could not forward creds: krb5_get_forwarded_creds: %s", - krb5_get_err_text (context, ret)); - return 1; - } - - ret = krb5_write_message (context, - (void *)&s, - &out_data); - krb5_data_free (&out_data); - - if (ret) - warnx ("could not forward creds: krb5_write_message: %s", - krb5_get_err_text (context, ret)); - return 0; -} - -static int sendauth_version_error; - -static int -send_krb5_auth(int s, - struct sockaddr *thisaddr, - struct sockaddr *thataddr, - const char *hostname, - const char *remote_user, - const char *local_user, - size_t cmd_len, - const char *cmd) -{ - krb5_principal server; - krb5_data cksum_data; - int status; - size_t len; - krb5_auth_context auth_context = NULL; - const char *protocol_string = NULL; - krb5_flags ap_opts; - - status = krb5_sname_to_principal(context, - hostname, - "host", - KRB5_NT_SRV_HST, - &server); - if (status) { - warnx ("%s: %s", hostname, krb5_get_err_text(context, status)); - return 1; - } - - if(do_encrypt == -1) { - krb5_appdefault_boolean(context, NULL, - krb5_principal_get_realm(context, server), - "encrypt", - FALSE, - &do_encrypt); - } - - cksum_data.length = asprintf ((char 
**)&cksum_data.data, - "%u:%s%s%s", - ntohs(socket_get_port(thataddr)), - do_encrypt ? "-x " : "", - cmd, - remote_user); - - ap_opts = 0; - - if(do_encrypt) - ap_opts |= AP_OPTS_MUTUAL_REQUIRED; - - switch(protocol_version) { - case 2: - ap_opts |= AP_OPTS_USE_SUBKEY; - protocol_string = KCMD_NEW_VERSION; - break; - case 1: - protocol_string = KCMD_OLD_VERSION; - key_usage = KRB5_KU_OTHER_ENCRYPTED; - break; - default: - abort(); - } - - status = krb5_sendauth (context, - &auth_context, - &s, - protocol_string, - NULL, - server, - ap_opts, - &cksum_data, - NULL, - NULL, - NULL, - NULL, - NULL); - - /* do this while we have a principal */ - if(do_forward == -1 || do_forwardable == -1) { - krb5_const_realm realm = krb5_principal_get_realm(context, server); - if (do_forwardable == -1) - krb5_appdefault_boolean(context, NULL, realm, - "forwardable", FALSE, - &do_forwardable); - if (do_forward == -1) - krb5_appdefault_boolean(context, NULL, realm, - "forward", FALSE, - &do_forward); - } - - krb5_free_principal(context, server); - krb5_data_free(&cksum_data); - - if (status) { - if(status == KRB5_SENDAUTH_REJECTED && - protocol_version == 2 && protocol_version_str == NULL) - sendauth_version_error = 1; - else - krb5_warn(context, status, "%s", hostname); - return 1; - } - - status = krb5_auth_con_getlocalsubkey (context, auth_context, &keyblock); - if(keyblock == NULL) - status = krb5_auth_con_getkey (context, auth_context, &keyblock); - if (status) { - warnx ("krb5_auth_con_getkey: %s", krb5_get_err_text(context, status)); - return 1; - } - - status = krb5_auth_con_setaddrs_from_fd (context, - auth_context, - &s); - if (status) { - warnx("krb5_auth_con_setaddrs_from_fd: %s", - krb5_get_err_text(context, status)); - return(1); - } - - status = krb5_crypto_init(context, keyblock, 0, &crypto); - if(status) { - warnx ("krb5_crypto_init: %s", krb5_get_err_text(context, status)); - return 1; - } - - len = strlen(remote_user) + 1; - if (net_write (s, remote_user, len) != len) 
{ - warn ("write"); - return 1; - } - if (do_encrypt && net_write (s, "-x ", 3) != 3) { - warn ("write"); - return 1; - } - if (net_write (s, cmd, cmd_len) != cmd_len) { - warn ("write"); - return 1; - } - - if (do_unique_tkfile) { - if (net_write (s, tkfile, strlen(tkfile)) != strlen(tkfile)) { - warn ("write"); - return 1; - } - } - len = strlen(local_user) + 1; - if (net_write (s, local_user, len) != len) { - warn ("write"); - return 1; - } - - if (!do_forward - || krb5_forward_cred (auth_context, s, hostname, do_forwardable)) { - /* Empty forwarding info */ - - u_char zero[4] = {0, 0, 0, 0}; - write (s, &zero, 4); - } - krb5_auth_con_free (context, auth_context); - return 0; -} - -#endif /* KRB5 */ - -static int -send_broken_auth(int s, - struct sockaddr *thisaddr, - struct sockaddr *thataddr, - const char *hostname, - const char *remote_user, - const char *local_user, - size_t cmd_len, - const char *cmd) -{ - size_t len; - - len = strlen(local_user) + 1; - if (net_write (s, local_user, len) != len) { - warn ("write"); - return 1; - } - len = strlen(remote_user) + 1; - if (net_write (s, remote_user, len) != len) { - warn ("write"); - return 1; - } - if (net_write (s, cmd, cmd_len) != cmd_len) { - warn ("write"); - return 1; - } - return 0; -} - -static int -proto (int s, int errsock, - const char *hostname, const char *local_user, const char *remote_user, - const char *cmd, size_t cmd_len, - int (*auth_func)(int s, - struct sockaddr *this, struct sockaddr *that, - const char *hostname, const char *remote_user, - const char *local_user, size_t cmd_len, - const char *cmd)) -{ - int errsock2; - char buf[BUFSIZ]; - char *p; - size_t len; - char reply; - struct sockaddr_storage thisaddr_ss; - struct sockaddr *thisaddr = (struct sockaddr *)&thisaddr_ss; - struct sockaddr_storage thataddr_ss; - struct sockaddr *thataddr = (struct sockaddr *)&thataddr_ss; - struct sockaddr_storage erraddr_ss; - struct sockaddr *erraddr = (struct sockaddr *)&erraddr_ss; - socklen_t 
addrlen; - int ret; - - addrlen = sizeof(thisaddr_ss); - if (getsockname (s, thisaddr, &addrlen) < 0) { - warn ("getsockname(%s)", hostname); - return 1; - } - addrlen = sizeof(thataddr_ss); - if (getpeername (s, thataddr, &addrlen) < 0) { - warn ("getpeername(%s)", hostname); - return 1; - } - - if (errsock != -1) { - - addrlen = sizeof(erraddr_ss); - if (getsockname (errsock, erraddr, &addrlen) < 0) { - warn ("getsockname"); - return 1; - } - - if (listen (errsock, 1) < 0) { - warn ("listen"); - return 1; - } - - p = buf; - snprintf (p, sizeof(buf), "%u", - ntohs(socket_get_port(erraddr))); - len = strlen(buf) + 1; - if(net_write (s, buf, len) != len) { - warn ("write"); - close (errsock); - return 1; - } - - - for (;;) { - fd_set fdset; - - if (errsock >= FD_SETSIZE || s >= FD_SETSIZE) - errx (1, "fd too large"); - - FD_ZERO(&fdset); - FD_SET(errsock, &fdset); - FD_SET(s, &fdset); - - ret = select (max(errsock, s) + 1, &fdset, NULL, NULL, NULL); - if (ret < 0) { - if (errno == EINTR) - continue; - warn ("select"); - close (errsock); - return 1; - } - if (FD_ISSET(errsock, &fdset)) { - errsock2 = accept (errsock, NULL, NULL); - close (errsock); - if (errsock2 < 0) { - warn ("accept"); - return 1; - } - break; - } - - /* - * there should not arrive any data on this fd so if it's - * readable it probably indicates that the other side when - * away. 
- */ - - if (FD_ISSET(s, &fdset)) { - warnx ("socket closed"); - close (errsock); - errsock2 = -1; - break; - } - } - } else { - if (net_write (s, "0", 2) != 2) { - warn ("write"); - return 1; - } - errsock2 = -1; - } - - if ((*auth_func)(s, thisaddr, thataddr, hostname, - remote_user, local_user, - cmd_len, cmd)) { - close (errsock2); - return 1; - } - - ret = net_read (s, &reply, 1); - if (ret < 0) { - warn ("read"); - close (errsock2); - return 1; - } else if (ret == 0) { - warnx ("unexpected EOF from %s", hostname); - close (errsock2); - return 1; - } - if (reply != 0) { - - warnx ("Error from rshd at %s:", hostname); - - while ((ret = read (s, buf, sizeof(buf))) > 0) - write (STDOUT_FILENO, buf, ret); - write (STDOUT_FILENO,"\n",1); - close (errsock2); - return 1; - } - - if (sock_debug) { - int one = 1; - if (setsockopt(s, SOL_SOCKET, SO_DEBUG, (void *)&one, sizeof(one)) < 0) - warn("setsockopt remote"); - if (errsock2 != -1 && - setsockopt(errsock2, SOL_SOCKET, SO_DEBUG, - (void *)&one, sizeof(one)) < 0) - warn("setsockopt stderr"); - } - - return loop (s, errsock2); -} - -/* - * Return in `res' a copy of the concatenation of `argc, argv' into - * malloced space. 
*/ - -static size_t -construct_command (char **res, int argc, char **argv) -{ - int i; - size_t len = 0; - char *tmp; - - for (i = 0; i < argc; ++i) - len += strlen(argv[i]) + 1; - len = max (1, len); - tmp = malloc (len); - if (tmp == NULL) - errx (1, "malloc %u failed", len); - - *tmp = '\0'; - for (i = 0; i < argc - 1; ++i) { - strcat (tmp, argv[i]); - strcat (tmp, " "); - } - if (argc > 0) - strcat (tmp, argv[argc-1]); - *res = tmp; - return len; -} - -static char * -print_addr (const struct sockaddr *sa) -{ - char addr_str[256]; - char *res; - const char *as = NULL; - - if(sa->sa_family == AF_INET) - as = inet_ntop (sa->sa_family, &((struct sockaddr_in*)sa)->sin_addr, - addr_str, sizeof(addr_str)); -#ifdef HAVE_INET6 - else if(sa->sa_family == AF_INET6) - as = inet_ntop (sa->sa_family, &((struct sockaddr_in6*)sa)->sin6_addr, - addr_str, sizeof(addr_str)); -#endif - if(as == NULL) - return NULL; - res = strdup(as); - if (res == NULL) - errx (1, "malloc: out of memory"); - return res; -} - -static int -doit_broken (int argc, - char **argv, - int hostindex, - struct addrinfo *ai, - const char *remote_user, - const char *local_user, - int priv_socket1, - int priv_socket2, - const char *cmd, - size_t cmd_len) -{ - struct addrinfo *a; - - if (connect (priv_socket1, ai->ai_addr, ai->ai_addrlen) < 0) { - int save_errno = errno; - - close(priv_socket1); - close(priv_socket2); - - for (a = ai->ai_next; a != NULL; a = a->ai_next) { - pid_t pid; - char *adr = print_addr(a->ai_addr); - if(adr == NULL) - continue; - - pid = fork(); - if (pid < 0) - err (1, "fork"); - else if(pid == 0) { - char **new_argv; - int i = 0; - - new_argv = malloc((argc + 2) * sizeof(*new_argv)); - if (new_argv == NULL) - errx (1, "malloc: out of memory"); - new_argv[i] = argv[i]; - ++i; - if (hostindex == i) - new_argv[i++] = adr; - new_argv[i++] = "-K"; - for(; i <= argc; ++i) - new_argv[i] = argv[i - 1]; - if (hostindex > 1) - new_argv[hostindex + 1] = adr; - new_argv[argc + 1] = NULL; - 
execv(PATH_RSH, new_argv); - err(1, "execv(%s)", PATH_RSH); - } else { - int status; - free(adr); - - while(waitpid(pid, &status, 0) < 0) - ; - if(WIFEXITED(status) && WEXITSTATUS(status) == 0) - return 0; - } - } - errno = save_errno; - warn("%s", argv[hostindex]); - return 1; - } else { - int ret; - - ret = proto (priv_socket1, priv_socket2, - argv[hostindex], - local_user, remote_user, - cmd, cmd_len, - send_broken_auth); - return ret; - } -} - -#if defined(KRB4) || defined(KRB5) -static int -doit (const char *hostname, - struct addrinfo *ai, - const char *remote_user, - const char *local_user, - const char *cmd, - size_t cmd_len, - int do_errsock, - int (*auth_func)(int s, - struct sockaddr *this, struct sockaddr *that, - const char *hostname, const char *remote_user, - const char *local_user, size_t cmd_len, - const char *cmd)) -{ - int error; - struct addrinfo *a; - int socketfailed = 1; - int ret; - - for (a = ai; a != NULL; a = a->ai_next) { - int s; - int errsock; - - s = socket (a->ai_family, a->ai_socktype, a->ai_protocol); - if (s < 0) - continue; - socketfailed = 0; - if (connect (s, a->ai_addr, a->ai_addrlen) < 0) { - char addr[128]; - if(getnameinfo(a->ai_addr, a->ai_addrlen, - addr, sizeof(addr), NULL, 0, NI_NUMERICHOST) == 0) - warn ("connect(%s [%s])", hostname, addr); - else - warn ("connect(%s)", hostname); - close (s); - continue; - } - if (do_errsock) { - struct addrinfo *ea, *eai; - struct addrinfo hints; - - memset (&hints, 0, sizeof(hints)); - hints.ai_socktype = a->ai_socktype; - hints.ai_protocol = a->ai_protocol; - hints.ai_family = a->ai_family; - hints.ai_flags = AI_PASSIVE; - - errsock = -1; - - error = getaddrinfo (NULL, "0", &hints, &eai); - if (error) - errx (1, "getaddrinfo: %s", gai_strerror(error)); - for (ea = eai; ea != NULL; ea = ea->ai_next) { - errsock = socket (ea->ai_family, ea->ai_socktype, - ea->ai_protocol); - if (errsock < 0) - continue; - if (bind (errsock, ea->ai_addr, ea->ai_addrlen) < 0) - err (1, "bind"); - 
break; - } - if (errsock < 0) - err (1, "socket"); - freeaddrinfo (eai); - } else - errsock = -1; - - ret = proto (s, errsock, - hostname, - local_user, remote_user, - cmd, cmd_len, auth_func); - close (s); - return ret; - } - if(socketfailed) - warnx ("failed to contact %s", hostname); - return -1; -} -#endif /* KRB4 || KRB5 */ - -struct getargs args[] = { -#ifdef KRB4 - { "krb4", '4', arg_flag, &use_v4, "Use Kerberos V4" }, -#endif -#ifdef KRB5 - { "krb5", '5', arg_flag, &use_v5, "Use Kerberos V5" }, - { "forward", 'f', arg_flag, &do_forward, "Forward credentials (krb5)"}, - { NULL, 'G', arg_negative_flag,&do_forward, "Don't forward credentials" }, - { "forwardable", 'F', arg_flag, &do_forwardable, - "Forward forwardable credentials" }, -#endif -#if defined(KRB4) || defined(KRB5) - { "broken", 'K', arg_flag, &use_only_broken, "Use only priv port" }, - { "encrypt", 'x', arg_flag, &do_encrypt, "Encrypt connection" }, - { NULL, 'z', arg_negative_flag, &do_encrypt, - "Don't encrypt connection", NULL }, -#endif -#ifdef KRB5 - { "unique", 'u', arg_flag, &do_unique_tkfile, - "Use unique remote tkfile (krb5)" }, - { "tkfile", 'U', arg_string, &unique_tkfile, - "Use that remote tkfile (krb5)" }, -#endif - { NULL, 'd', arg_flag, &sock_debug, "Enable socket debugging" }, - { "input", 'n', arg_negative_flag, &input, "Close stdin" }, - { "port", 'p', arg_string, &port_str, "Use this port", - "port" }, - { "user", 'l', arg_string, &user, "Run as this user", "login" }, - { "stderr", 'e', arg_negative_flag, &do_errsock, "Don't open stderr"}, - { "protocol", 'P', arg_string, &protocol_version_str, - "Protocol version", "protocol" }, - { "version", 0, arg_flag, &do_version, NULL }, - { "help", 0, arg_flag, &do_help, NULL } -}; - -static void -usage (int ret) -{ - arg_printusage (args, - sizeof(args) / sizeof(args[0]), - NULL, - "[login@]host [command]"); - exit (ret); -} - -/* - * - */ - -int -main(int argc, char **argv) -{ - int priv_port1, priv_port2; - int priv_socket1, 
priv_socket2; - int argindex = 0; - int error; - struct addrinfo hints, *ai; - int ret = 1; - char *cmd; - char *tmp; - size_t cmd_len; - const char *local_user; - char *host = NULL; - int host_index = -1; -#ifdef KRB5 - int status; -#endif - uid_t uid; - - priv_port1 = priv_port2 = IPPORT_RESERVED-1; - priv_socket1 = rresvport(&priv_port1); - priv_socket2 = rresvport(&priv_port2); - uid = getuid (); - if (setuid (uid) || (uid != 0 && setuid(0) == 0)) - err (1, "setuid"); - - setprogname (argv[0]); - - if (argc >= 2 && argv[1][0] != '-') { - host = argv[host_index = 1]; - argindex = 1; - } - - if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv, - &argindex)) - usage (1); - - if (do_help) - usage (0); - - if (do_version) { - print_version (NULL); - return 0; - } - - if(protocol_version_str != NULL) { - if(strcasecmp(protocol_version_str, "N") == 0) - protocol_version = 2; - else if(strcasecmp(protocol_version_str, "O") == 0) - protocol_version = 1; - else { - char *end; - int v; - v = strtol(protocol_version_str, &end, 0); - if(*end != '\0' || (v != 1 && v != 2)) { - errx(1, "unknown protocol version \"%s\"", - protocol_version_str); - } - protocol_version = v; - } - } - -#ifdef KRB5 - status = krb5_init_context (&context); - if (status) { - if(use_v5 == 1) - errx(1, "krb5_init_context failed: %d", status); - else - use_v5 = 0; - } - - /* request for forwardable on the command line means we should - also forward */ - if (do_forwardable == 1) - do_forward = 1; - -#endif - -#if defined(KRB4) && defined(KRB5) - if(use_v4 == -1 && use_v5 == 1) - use_v4 = 0; - if(use_v5 == -1 && use_v4 == 1) - use_v5 = 0; -#endif - - if (use_only_broken) { -#ifdef KRB4 - use_v4 = 0; -#endif -#ifdef KRB5 - use_v5 = 0; -#endif - } - - if(priv_socket1 < 0) { - if (use_only_broken) - errx (1, "unable to bind reserved port: is rsh setuid root?"); - use_broken = 0; - } - -#if defined(KRB4) || defined(KRB5) - if (do_encrypt == 1 && use_only_broken) - errx (1, "encryption not supported 
with old style authentication"); -#endif - - - -#ifdef KRB5 - if (do_unique_tkfile && unique_tkfile != NULL) - errx (1, "Only one of -u and -U allowed."); - - if (do_unique_tkfile) - strcpy(tkfile,"-u "); - else if (unique_tkfile != NULL) { - if (strchr(unique_tkfile,' ') != NULL) { - warnx("Space is not allowed in tkfilename"); - usage(1); - } - do_unique_tkfile = 1; - snprintf (tkfile, sizeof(tkfile), "-U %s ", unique_tkfile); - } -#endif - - if (host == NULL) { - if (argc - argindex < 1) - usage (1); - else - host = argv[host_index = argindex++]; - } - - if((tmp = strchr(host, '@')) != NULL) { - *tmp++ = '\0'; - user = host; - host = tmp; - } - - if (argindex == argc) { - close (priv_socket1); - close (priv_socket2); - argv[0] = "rlogin"; - execvp ("rlogin", argv); - err (1, "execvp rlogin"); - } - - local_user = get_default_username (); - if (local_user == NULL) - errx (1, "who are you?"); - - if (user == NULL) - user = local_user; - - cmd_len = construct_command(&cmd, argc - argindex, argv + argindex); - - /* - * Try all different authentication methods - */ - -#ifdef KRB5 - if (ret && use_v5) { - memset (&hints, 0, sizeof(hints)); - hints.ai_socktype = SOCK_STREAM; - hints.ai_protocol = IPPROTO_TCP; - - if(port_str == NULL) { - error = getaddrinfo(host, "kshell", &hints, &ai); - if(error == EAI_NONAME) - error = getaddrinfo(host, "544", &hints, &ai); - } else - error = getaddrinfo(host, port_str, &hints, &ai); - - if(error) - errx (1, "getaddrinfo: %s", gai_strerror(error)); - - auth_method = AUTH_KRB5; - again: - ret = doit (host, ai, user, local_user, cmd, cmd_len, - do_errsock, - send_krb5_auth); - if(ret != 0 && sendauth_version_error && - protocol_version == 2) { - protocol_version = 1; - goto again; - } - freeaddrinfo(ai); - } -#endif -#ifdef KRB4 - if (ret && use_v4) { - memset (&hints, 0, sizeof(hints)); - hints.ai_socktype = SOCK_STREAM; - hints.ai_protocol = IPPROTO_TCP; - - if(port_str == NULL) { - if(do_encrypt) { - error = getaddrinfo(host, 
"ekshell", &hints, &ai); - if(error == EAI_NONAME) - error = getaddrinfo(host, "545", &hints, &ai); - } else { - error = getaddrinfo(host, "kshell", &hints, &ai); - if(error == EAI_NONAME) - error = getaddrinfo(host, "544", &hints, &ai); - } - } else - error = getaddrinfo(host, port_str, &hints, &ai); - - if(error) - errx (1, "getaddrinfo: %s", gai_strerror(error)); - auth_method = AUTH_KRB4; - ret = doit (host, ai, user, local_user, cmd, cmd_len, - do_errsock, - send_krb4_auth); - freeaddrinfo(ai); - } -#endif - if (ret && use_broken) { - memset (&hints, 0, sizeof(hints)); - hints.ai_socktype = SOCK_STREAM; - hints.ai_protocol = IPPROTO_TCP; - - if(port_str == NULL) { - error = getaddrinfo(host, "shell", &hints, &ai); - if(error == EAI_NONAME) - error = getaddrinfo(host, "514", &hints, &ai); - } else - error = getaddrinfo(host, port_str, &hints, &ai); - - if(error) - errx (1, "getaddrinfo: %s", gai_strerror(error)); - - auth_method = AUTH_BROKEN; - ret = doit_broken (argc, argv, host_index, ai, - user, local_user, - priv_socket1, - do_errsock ? priv_socket2 : -1, - cmd, cmd_len); - freeaddrinfo(ai); - } - free(cmd); - return ret; -} diff --git a/crypto/heimdal-0.6.3/appl/rsh/rsh.cat1 b/crypto/heimdal-0.6.3/appl/rsh/rsh.cat1 deleted file mode 100644 index e6d46ff0d4..0000000000 --- a/crypto/heimdal-0.6.3/appl/rsh/rsh.cat1 +++ /dev/null 
@@ -1,130 +0,0 @@ - -RSH(1) UNIX Reference Manual RSH(1) - -NNAAMMEE - rrsshh - remote shell - -SSYYNNOOPPSSIISS - rrsshh [--4455FFGGKKddeeffnnuuxxzz] [--UU _s_t_r_i_n_g] [--pp _p_o_r_t] [--ll _u_s_e_r_n_a_m_e] [--PP _N_|_O] _h_o_s_t - _[_c_o_m_m_a_n_d_] - -DDEESSCCRRIIPPTTIIOONN - rrsshh authenticates to the rshd(8) daemon on the remote _h_o_s_t, and then exe- - cutes the specified _c_o_m_m_a_n_d. - - rrsshh copies its standard input to the remote command, and the standard - output and error of the remote command to its own. - - Valid options are: - - --44, ----kkrrbb44 - The --44 option requests Kerberos 4 authentication. Normally all - supported authentication mechanisms will be tried, but in some - cases more explicit control is desired. - - --55, ----kkrrbb55 - The --55 option requests Kerberos 5 authentication. This is analo- - gous to the --44 option. - - --KK, ----bbrrookkeenn - The --KK option turns off all Kerberos authentication. The long - name implies that this is more or less totally unsecure. The se- - curity in this mode relies on reserved ports, which is not very - secure. - - --nn, ----nnoo--iinnppuutt - The --nn option directs the input from the _/_d_e_v_/_n_u_l_l device (see - the _B_U_G_S section of this manual page). - - --ee, ----nnoo--ssttddeerrrr - Don't use a separate socket for the stderr stream. This can be - necessary if rsh-ing through a NAT bridge. - - --xx, ----eennccrryypptt - The --xx option enables encryption for all data exchange. This is - only valid for Kerberos authenticated connections (see the _B_U_G_S - section for limitations). - - --zz The opposite of --xx. This is the default, but encryption can be - enabled when using Kerberos 5, by setting the libdefaults/encrypt - option in krb5.conf(5). - - --ff, ----ffoorrwwaarrdd - Forward Kerberos 5 credentials to the remote host. Also con- - trolled by libdefaults/forward in krb5.conf(5). - - --GG The opposite of --ff. 
- - --FF, ----ffoorrwwaarrddaabbllee - Make the forwarded credentials re-forwardable. Also controlled by - libdefaults/forwardable in krb5.conf(5). - - --uu, ----uunniiqquuee - Make sure the remote credentials cache is unique, that is, don't - - - reuse any existing cache. Mutually exclusive to --UU. - - --UU _s_t_r_i_n_g, ----ttkkffiillee==_s_t_r_i_n_g - Name of the remote credentials cache. Mutually exclusive to --uu. - - --pp _n_u_m_b_e_r_-_o_r_-_s_e_r_v_i_c_e, ----ppoorrtt==_n_u_m_b_e_r_-_o_r_-_s_e_r_v_i_c_e - Connect to this port instead of the default (which is 514 when - using old port based authentication, 544 for Kerberos 5 and non- - encrypted Kerberos 4, and 545 for encrytpted Kerberos 4; subject - of course to the contents of _/_e_t_c_/_s_e_r_v_i_c_e_s). - - --ll _s_t_r_i_n_g, ----uusseerr==_s_t_r_i_n_g - By default the remote username is the same as the local. The --ll - option or the _u_s_e_r_n_a_m_e_@_h_o_s_t format allow the remote name to be - specified. - - --PP _N_|_O_|_1_|_2, ----pprroottooccooll==_N_|_O_|_1_|_2 - Specifies which protocol version to use with Kerberos 5. _N and _2 - selects protocol version 2, while _O and _1 selects version 1. Ver- - sion 2 is believed to be more secure, and is the default. Unless - asked for a specific version, rrsshh will try both. This behaviour - may change in the future. - -EEXXAAMMPPLLEESS - Care should be taken when issuing commands containing shell meta charac- - ters. Without quoting, these will be expanded on the local machine. - - The following command: - - rsh otherhost cat remotefile > localfile - - will write the contents of the remote _r_e_m_o_t_e_f_i_l_e to the local _l_o_c_a_l_f_i_l_e, - but: - - rsh otherhost 'cat remotefile > remotefile2' - - will write it to the remote _r_e_m_o_t_e_f_i_l_e_2. 
- -FFIILLEESS - /etc/hosts - -SSEEEE AALLSSOO - rlogin(1), krb_realmofhost(3), krb_sendauth(3), hosts.equiv(5), - krb5.conf(5), rhosts(5), kerberos(8) rshd(8) - -HHIISSTTOORRYY - The rrsshh command appeared in 4.2BSD. - -AAUUTTHHOORRSS - This implementation of rrsshh was written as part of the Heimdal Kerberos 5 - implementation. - -BBUUGGSS - Some shells (notably csh(1)) will cause rrsshh to block if run in the back- - ground, unless the standard input is directed away from the terminal. - This is what the --nn option is for. - - The --xx options enables encryption for the session, but for both Kerberos - 4 and 5 the actual command is sent unencrypted, so you should not send - any secret information in the command line (which is probably a bad idea - anyway, since the command line can usually be read with tools like - ps(1)). Forthermore in Kerberos 4 the command is not even integrity pro- - tected, so anyone with the right tools can modify the command. - - HEIMDAL September 4, 2002 2 diff --git a/crypto/heimdal-0.6.3/appl/rsh/rsh_locl.h b/crypto/heimdal-0.6.3/appl/rsh/rsh_locl.h deleted file mode 100644 index 151a8887bd..0000000000 --- a/crypto/heimdal-0.6.3/appl/rsh/rsh_locl.h +++ /dev/null 
@@ -1,165 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: rsh_locl.h,v 1.33 2003/04/16 20:05:39 lha Exp $ */
-
-#ifdef HAVE_CONFIG_H
-#include
-#endif
-
-#include
-#include
-#include
-#include
-#ifdef HAVE_SYS_TYPES_H
-#include
-#endif
-#ifdef HAVE_UNISTD_H
-#include
-#endif
-#ifdef HAVE_SYS_WAIT_H
-#include
-#endif
-#ifdef HAVE_SYS_SELECT_H
-#include
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include
-#endif
-#ifdef HAVE_NETINET_IN6_H
-#include
-#endif
-#ifdef HAVE_NETINET6_IN6_H
-#include
-#endif
-#ifdef HAVE_ARPA_INET_H
-#include
-#endif
-
-#ifdef HAVE_PWD_H
-#include
-#endif
-#ifdef HAVE_SHADOW_H
-#include
-#endif
-#ifdef HAVE_NETDB_H
-#include
-#endif
-#ifdef HAVE_LIMITS_H
-#include
-#endif
-#include
-
-#ifdef HAVE_SYS_PARAM_H
-#include
-#endif
-
-#ifdef HAVE_SYSLOG_H
-#include
-#endif
-#ifdef HAVE_PATHS_H
-#include
-#endif
-#include
-#include
-#include
-#ifdef KRB4
-#include
-#include
-#endif
-#ifdef KRB5
-#include
-#include /* for _krb5_{get,put}_int */
-#endif
-#include
-
-#ifndef _PATH_NOLOGIN
-#define _PATH_NOLOGIN "/etc/nologin"
-#endif
-
-#ifndef _PATH_BSHELL
-#define _PATH_BSHELL "/bin/sh"
-#endif
-
-#ifndef _PATH_DEFPATH
-#define _PATH_DEFPATH "/usr/bin:/bin"
-#endif
-
-#ifndef _PATH_ETC_ENVIRONMENT
-#define _PATH_ETC_ENVIRONMENT SYSCONFDIR "/environment"
-#endif
-
-/*
- *
- */
-
-enum auth_method { AUTH_KRB4, AUTH_KRB5, AUTH_BROKEN };
-
-extern enum auth_method auth_method;
-extern int do_encrypt;
-#ifdef KRB5
-extern krb5_context context;
-extern krb5_keyblock *keyblock;
-extern krb5_crypto crypto;
-extern int key_usage;
-extern void *ivec_in[2];
-extern void *ivec_out[2];
-void init_ivecs(int);
-#endif
-#ifdef KRB4
-extern des_key_schedule schedule;
-extern des_cblock iv;
-#endif
-
-#define KCMD_OLD_VERSION "KCMDV0.1"
-#define KCMD_NEW_VERSION "KCMDV0.2"
-
-#define USERNAME_SZ 16
-#ifndef ARG_MAX
-#define ARG_MAX 8192
-#endif
-
-#define RSH_BUFSIZ (5 * 1024) /* MIT kcmd can't handle larger buffers */
-
-#define PATH_RSH BINDIR "/rsh"
-
-#if defined(KRB4) || defined(KRB5)
-ssize_t do_read (int, void*, size_t, void*);
-ssize_t do_write (int, void*, size_t, void*);
-#else
-#define do_write(F, B, L, I) write((F), (B), (L))
-#define do_read(F, B, L, I) read((F), (B), (L))
-#endif
diff --git a/crypto/heimdal-0.6.3/appl/rsh/rshd.8 b/crypto/heimdal-0.6.3/appl/rsh/rshd.8
deleted file mode 100644
index 7c7a3636c5..0000000000
--- a/crypto/heimdal-0.6.3/appl/rsh/rshd.8
+++ /dev/null
@@ -1,162 +0,0 @@ -.\" Copyright (c) 2001 - 2002 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.\" -.\" $Id: rshd.8,v 1.7 2003/04/16 19:58:42 lha Exp $ -.\" -.Dd November 22, 2002 -.Dt RSHD 8 -.Os HEIMDAL -.Sh NAME -.Nm rshd -.Nd -remote shell server -.Sh SYNOPSIS -.Nm -.Op Fl aiklnvxPL -.Op Fl p Ar port -.Sh DESCRIPTION -.Nm -is the server for -the -.Xr rsh 1 -program. 
It provides an authenticated remote command execution -service. Supported options are: -.Bl -tag -width Ds -.It Xo -.Fl n , -.Fl -no-keepalive -.Xc -Disables keep-alive messages. -Keep-alives are packets sent at certain intervals to make sure that the -client is still there, even when it doesn't send any data. -.It Xo -.Fl k , -.Fl -kerberos -.Xc -Assume that clients connecting to this server will use some form of -Kerberos authentication. See the -.Sx EXAMPLES -section for a sample -.Xr inetd.conf 5 -configuration. -.It Xo -.Fl x , -.Fl -encrypt -.Xc -For Kerberos 4 this means that the connections are encrypted. Kerberos -5 can negotiate encryption even without this option, but if it's -present -.Nm -will deny unencrypted connections. This option implies -.Fl k . -.\".It Xo -.\".Fl l , -.\".Fl -no-rhosts -.\".Xc -.\"When using old port-based authentication, the user's -.\".Pa .rhosts -.\"files are normally checked. This options disables this. -.It Xo -.Fl v , -.Fl -vacuous -.Xc -If the connecting client does not use any Kerberised authentication, -print a message that complains about this fact, and exit. This is -helpful if you want to move away from old port-based authentication. -.It Xo -.Fl P -.Xc -When using the AFS filesystem, users' authentication tokens are put in -something called a PAG (Process Authentication Group). Multiple -processes can share a PAG, but normally each login session has its own -PAG. This option disables the -.Fn setpag -call, so all tokens will be put in the default (uid-based) PAG, making -it possible to share tokens between sessions. This is only useful in -peculiar environments, such as some batch systems. -.It Xo -.Fl i , -.Fl -no-inetd -.Xc -The -.Fl i -option will cause -.Nm -to create a socket, instead of assuming that its stdin came from -.Xr inetd 8 . -This is mostly useful for debugging. -.It Xo -.Fl p Ar port , -.Fl -port= Ns Ar port -.Xc -Port to use with -.Fl i . 
-.It Xo -.Fl a -.Xc -This flag is for backwards compatibility only. -.It Xo -.Fl L -.Xc -This flag enables logging of connections to -.Xr syslogd 8 . -This option is always on in this implementation. -.El -.\".Sh ENVIRONMENT -.Sh FILES -.Bl -tag -width /etc/hosts.equiv -compact -.It Pa /etc/hosts.equiv -.It Pa ~/.rhosts -.El -.Sh EXAMPLES -The following can be used to enable Kerberised rsh in -.Xr inetd.cond 5 , -while disabling non-Kerberised connections: -.Bd -literal -shell stream tcp nowait root /usr/libexec/rshd rshd -v -kshell stream tcp nowait root /usr/libexec/rshd rshd -k -ekshell stream tcp nowait root /usr/libexec/rshd rshd -kx -.Ed -.\".Sh DIAGNOSTICS -.Sh SEE ALSO -.Xr rsh 1 , -.Xr iruserok 3 -.\".Sh STANDARDS -.Sh HISTORY -The -.Nm -command appeared in -.Bx 4.2 . -.Sh AUTHORS -This implementation of -.Nm -was written as part of the Heimdal Kerberos 5 implementation. -.\".Sh BUGS diff --git a/crypto/heimdal-0.6.3/appl/rsh/rshd.c b/crypto/heimdal-0.6.3/appl/rsh/rshd.c deleted file mode 100644 index 1464fe1187..0000000000 --- a/crypto/heimdal-0.6.3/appl/rsh/rshd.c +++ /dev/null 
@@ -1,1042 +0,0 @@ -/* - * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "rsh_locl.h" -RCSID("$Id: rshd.c,v 1.51.2.1 2003/08/19 11:36:17 joda Exp $"); - -int -login_access( struct passwd *user, char *from); - -enum auth_method auth_method; - -#ifdef KRB5 -krb5_context context; -krb5_keyblock *keyblock; -krb5_crypto crypto; -#endif - -#ifdef KRB4 -des_key_schedule schedule; -des_cblock iv; -#endif - -#ifdef KRB5 -krb5_ccache ccache, ccache2; -int kerberos_status = 0; -#endif - -int do_encrypt = 0; - -static int do_unique_tkfile = 0; -static char tkfile[MAXPATHLEN] = ""; - -static int do_inetd = 1; -static char *port_str; -static int do_rhosts = 1; -static int do_kerberos = 0; -#define DO_KRB4 2 -#define DO_KRB5 4 -static int do_vacuous = 0; -static int do_log = 1; -static int do_newpag = 1; -static int do_addr_verify = 0; -static int do_keepalive = 1; -static int do_version; -static int do_help = 0; - -#if defined(KRB5) && defined(DCE) -int dfsk5ok = 0; -int dfspag = 0; -int dfsfwd = 0; -krb5_ticket *user_ticket; -#endif - -static void -syslog_and_die (const char *m, ...) - __attribute__ ((format (printf, 1, 2))); - -static void -syslog_and_die (const char *m, ...) -{ - va_list args; - - va_start(args, m); - vsyslog (LOG_ERR, m, args); - va_end(args); - exit (1); -} - -static void -fatal (int, const char*, const char *, ...) - __attribute__ ((noreturn, format (printf, 3, 4))); - -static void -fatal (int sock, const char *what, const char *m, ...) 
-{ - va_list args; - char buf[BUFSIZ]; - size_t len; - - *buf = 1; - va_start(args, m); - len = vsnprintf (buf + 1, sizeof(buf) - 1, m, args); - len = min(len, sizeof(buf) - 1); - va_end(args); - if(what != NULL) - syslog (LOG_ERR, "%s: %m: %s", what, buf + 1); - else - syslog (LOG_ERR, "%s", buf + 1); - net_write (sock, buf, len + 1); - exit (1); -} - -static char * -read_str (int s, size_t sz, char *expl) -{ - char *str = malloc(sz); - char *p = str; - if(str == NULL) - fatal(s, NULL, "%s too long", expl); - while(p < str + sz) { - if(net_read(s, p, 1) != 1) - syslog_and_die("read: %m"); - if(*p == '\0') - return str; - p++; - } - fatal(s, NULL, "%s too long", expl); -} - -static int -recv_bsd_auth (int s, u_char *buf, - struct sockaddr_in *thisaddr, - struct sockaddr_in *thataddr, - char **client_username, - char **server_username, - char **cmd) -{ - struct passwd *pwd; - - *client_username = read_str (s, USERNAME_SZ, "local username"); - *server_username = read_str (s, USERNAME_SZ, "remote username"); - *cmd = read_str (s, ARG_MAX + 1, "command"); - pwd = getpwnam(*server_username); - if (pwd == NULL) - fatal(s, NULL, "Login incorrect."); - if (iruserok(thataddr->sin_addr.s_addr, pwd->pw_uid == 0, - *client_username, *server_username)) - fatal(s, NULL, "Login incorrect."); - return 0; -} - -#ifdef KRB4 -static int -recv_krb4_auth (int s, u_char *buf, - struct sockaddr *thisaddr, - struct sockaddr *thataddr, - char **client_username, - char **server_username, - char **cmd) -{ - int status; - int32_t options; - KTEXT_ST ticket; - AUTH_DAT auth; - char instance[INST_SZ + 1]; - char version[KRB_SENDAUTH_VLEN + 1]; - - if (memcmp (buf, KRB_SENDAUTH_VERS, 4) != 0) - return -1; - if (net_read (s, buf + 4, KRB_SENDAUTH_VLEN - 4) != - KRB_SENDAUTH_VLEN - 4) - syslog_and_die ("reading auth info: %m"); - if (memcmp (buf, KRB_SENDAUTH_VERS, KRB_SENDAUTH_VLEN) != 0) - syslog_and_die("unrecognized auth protocol: %.8s", buf); - - options = KOPT_IGNORE_PROTOCOL; - if 
(do_encrypt) - options |= KOPT_DO_MUTUAL; - k_getsockinst (s, instance, sizeof(instance)); - status = krb_recvauth (options, - s, - &ticket, - "rcmd", - instance, - (struct sockaddr_in *)thataddr, - (struct sockaddr_in *)thisaddr, - &auth, - "", - schedule, - version); - if (status != KSUCCESS) - syslog_and_die ("recvauth: %s", krb_get_err_text(status)); - if (strncmp (version, KCMD_OLD_VERSION, KRB_SENDAUTH_VLEN) != 0) - syslog_and_die ("bad version: %s", version); - - *server_username = read_str (s, USERNAME_SZ, "remote username"); - if (kuserok (&auth, *server_username) != 0) - fatal (s, NULL, "Permission denied."); - *cmd = read_str (s, ARG_MAX + 1, "command"); - - syslog(LOG_INFO|LOG_AUTH, - "kerberos v4 shell from %s on %s as %s, cmd '%.80s'", - krb_unparse_name_long(auth.pname, auth.pinst, auth.prealm), - - inet_ntoa(((struct sockaddr_in *)thataddr)->sin_addr), - *server_username, - *cmd); - - memcpy (iv, auth.session, sizeof(iv)); - - return 0; -} - -#endif /* KRB4 */ - -#ifdef KRB5 -static int -save_krb5_creds (int s, - krb5_auth_context auth_context, - krb5_principal client) - -{ - int ret; - krb5_data remote_cred; - - krb5_data_zero (&remote_cred); - ret= krb5_read_message (context, (void *)&s, &remote_cred); - if (ret) { - krb5_data_free(&remote_cred); - return 0; - } - if (remote_cred.length == 0) - return 0; - - ret = krb5_cc_gen_new(context, &krb5_mcc_ops, &ccache); - if (ret) { - krb5_data_free(&remote_cred); - return 0; - } - - krb5_cc_initialize(context,ccache,client); - ret = krb5_rd_cred2(context, auth_context, ccache, &remote_cred); - if(ret != 0) - syslog(LOG_INFO|LOG_AUTH, - "reading creds: %s", krb5_get_err_text(context, ret)); - krb5_data_free (&remote_cred); - if (ret) - return 0; - return 1; -} - -static void -krb5_start_session (void) -{ - krb5_error_code ret; - - ret = krb5_cc_resolve (context, tkfile, &ccache2); - if (ret) { - krb5_cc_destroy(context, ccache); - return; - } - - ret = krb5_cc_copy_cache (context, ccache, ccache2); - if 
(ret) { - krb5_cc_destroy(context, ccache); - return ; - } - - krb5_cc_close(context, ccache2); - krb5_cc_destroy(context, ccache); - return; -} - -static int protocol_version; - -static krb5_boolean -match_kcmd_version(const void *data, const char *version) -{ - if(strcmp(version, KCMD_NEW_VERSION) == 0) { - protocol_version = 2; - return TRUE; - } - if(strcmp(version, KCMD_OLD_VERSION) == 0) { - protocol_version = 1; - key_usage = KRB5_KU_OTHER_ENCRYPTED; - return TRUE; - } - return FALSE; -} - - -static int -recv_krb5_auth (int s, u_char *buf, - struct sockaddr *thisaddr, - struct sockaddr *thataddr, - char **client_username, - char **server_username, - char **cmd) -{ - u_int32_t len; - krb5_auth_context auth_context = NULL; - krb5_ticket *ticket; - krb5_error_code status; - krb5_data cksum_data; - krb5_principal server; - - if (memcmp (buf, "\x00\x00\x00\x13", 4) != 0) - return -1; - len = (buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | (buf[3]); - - if (net_read(s, buf, len) != len) - syslog_and_die ("reading auth info: %m"); - if (len != sizeof(KRB5_SENDAUTH_VERSION) - || memcmp (buf, KRB5_SENDAUTH_VERSION, len) != 0) - syslog_and_die ("bad sendauth version: %.8s", buf); - - status = krb5_sock_to_principal (context, - s, - "host", - KRB5_NT_SRV_HST, - &server); - if (status) - syslog_and_die ("krb5_sock_to_principal: %s", - krb5_get_err_text(context, status)); - - status = krb5_recvauth_match_version(context, - &auth_context, - &s, - match_kcmd_version, - NULL, - server, - KRB5_RECVAUTH_IGNORE_VERSION, - NULL, - &ticket); - krb5_free_principal (context, server); - if (status) - syslog_and_die ("krb5_recvauth: %s", - krb5_get_err_text(context, status)); - - *server_username = read_str (s, USERNAME_SZ, "remote username"); - *cmd = read_str (s, ARG_MAX + 1, "command"); - *client_username = read_str (s, ARG_MAX + 1, "local username"); - - if(protocol_version == 2) { - status = krb5_auth_con_getremotesubkey(context, auth_context, - &keyblock); - if(status != 0 
|| keyblock == NULL) - syslog_and_die("failed to get remote subkey"); - } else if(protocol_version == 1) { - status = krb5_auth_con_getkey (context, auth_context, &keyblock); - if(status != 0 || keyblock == NULL) - syslog_and_die("failed to get key"); - } - if (status != 0 || keyblock == NULL) - syslog_and_die ("krb5_auth_con_getkey: %s", - krb5_get_err_text(context, status)); - - status = krb5_crypto_init(context, keyblock, 0, &crypto); - if(status) - syslog_and_die("krb5_crypto_init: %s", - krb5_get_err_text(context, status)); - - - cksum_data.length = asprintf ((char **)&cksum_data.data, - "%u:%s%s", - ntohs(socket_get_port (thisaddr)), - *cmd, - *server_username); - - status = krb5_verify_authenticator_checksum(context, - auth_context, - cksum_data.data, - cksum_data.length); - - if (status) - syslog_and_die ("krb5_verify_authenticator_checksum: %s", - krb5_get_err_text(context, status)); - - free (cksum_data.data); - - if (strncmp (*client_username, "-u ", 3) == 0) { - do_unique_tkfile = 1; - memmove (*client_username, *client_username + 3, - strlen(*client_username) - 2); - } - - if (strncmp (*client_username, "-U ", 3) == 0) { - char *end, *temp_tkfile; - - do_unique_tkfile = 1; - if (strncmp (*client_username + 3, "FILE:", 5) == 0) { - temp_tkfile = tkfile; - } else { - strcpy (tkfile, "FILE:"); - temp_tkfile = tkfile + 5; - } - end = strchr(*client_username + 3,' '); - strncpy(temp_tkfile, *client_username + 3, end - *client_username - 3); - temp_tkfile[end - *client_username - 3] = '\0'; - memmove (*client_username, end + 1, strlen(end+1)+1); - } - - kerberos_status = save_krb5_creds (s, auth_context, ticket->client); - - if(!krb5_kuserok (context, - ticket->client, - *server_username)) - fatal (s, NULL, "Permission denied."); - - if (strncmp (*cmd, "-x ", 3) == 0) { - do_encrypt = 1; - memmove (*cmd, *cmd + 3, strlen(*cmd) - 2); - } else { - if(do_encrypt) - fatal (s, NULL, "Encryption is required."); - do_encrypt = 0; - } - - { - char *name; - - if 
(krb5_unparse_name (context, ticket->client, &name) == 0) { - char addr_str[256]; - - if (inet_ntop (thataddr->sa_family, - socket_get_address (thataddr), - addr_str, sizeof(addr_str)) == NULL) - strlcpy (addr_str, "unknown address", - sizeof(addr_str)); - - syslog(LOG_INFO|LOG_AUTH, - "kerberos v5 shell from %s on %s as %s, cmd '%.80s'", - name, - addr_str, - *server_username, - *cmd); - free (name); - } - } - -#if defined(DCE) - user_ticket = ticket; -#endif - - return 0; -} -#endif /* KRB5 */ - -static void -loop (int from0, int to0, - int to1, int from1, - int to2, int from2) -{ - fd_set real_readset; - int max_fd; - int count = 2; - - if(from0 >= FD_SETSIZE || from1 >= FD_SETSIZE || from2 >= FD_SETSIZE) - errx (1, "fd too large"); - -#ifdef KRB5 - if(auth_method == AUTH_KRB5 && protocol_version == 2) - init_ivecs(0); -#endif - - FD_ZERO(&real_readset); - FD_SET(from0, &real_readset); - FD_SET(from1, &real_readset); - FD_SET(from2, &real_readset); - max_fd = max(from0, max(from1, from2)) + 1; - for (;;) { - int ret; - fd_set readset = real_readset; - char buf[RSH_BUFSIZ]; - - ret = select (max_fd, &readset, NULL, NULL, NULL); - if (ret < 0) { - if (errno == EINTR) - continue; - else - syslog_and_die ("select: %m"); - } - if (FD_ISSET(from0, &readset)) { - ret = do_read (from0, buf, sizeof(buf), ivec_in[0]); - if (ret < 0) - syslog_and_die ("read: %m"); - else if (ret == 0) { - close (from0); - close (to0); - FD_CLR(from0, &real_readset); - } else - net_write (to0, buf, ret); - } - if (FD_ISSET(from1, &readset)) { - ret = read (from1, buf, sizeof(buf)); - if (ret < 0) - syslog_and_die ("read: %m"); - else if (ret == 0) { - close (from1); - close (to1); - FD_CLR(from1, &real_readset); - if (--count == 0) - exit (0); - } else - do_write (to1, buf, ret, ivec_out[0]); - } - if (FD_ISSET(from2, &readset)) { - ret = read (from2, buf, sizeof(buf)); - if (ret < 0) - syslog_and_die ("read: %m"); - else if (ret == 0) { - close (from2); - close (to2); - FD_CLR(from2, 
&real_readset); - if (--count == 0) - exit (0); - } else - do_write (to2, buf, ret, ivec_out[1]); - } - } -} - -/* - * Used by `setup_copier' to create some pipe-like means of - * communcation. Real pipes would probably be the best thing, but - * then the shell doesn't understand it's talking to rshd. If - * socketpair doesn't work everywhere, some autoconf magic would have - * to be added here. - * - * If it fails creating the `pipe', it aborts by calling fatal. - */ - -static void -pipe_a_like (int fd[2]) -{ - if (socketpair (AF_UNIX, SOCK_STREAM, 0, fd) < 0) - fatal (STDOUT_FILENO, "socketpair", "Pipe creation failed."); -} - -/* - * Start a child process and leave the parent copying data to and from it. */ - -static void -setup_copier (void) -{ - int p0[2], p1[2], p2[2]; - pid_t pid; - - pipe_a_like(p0); - pipe_a_like(p1); - pipe_a_like(p2); - pid = fork (); - if (pid < 0) - fatal (STDOUT_FILENO, "fork", "Could not create child process."); - if (pid == 0) { /* child */ - close (p0[1]); - close (p1[0]); - close (p2[0]); - dup2 (p0[0], STDIN_FILENO); - dup2 (p1[1], STDOUT_FILENO); - dup2 (p2[1], STDERR_FILENO); - close (p0[0]); - close (p1[1]); - close (p2[1]); - } else { /* parent */ - close (p0[0]); - close (p1[1]); - close (p2[1]); - - if (net_write (STDOUT_FILENO, "", 1) != 1) - fatal (STDOUT_FILENO, "net_write", "Write failure."); - - loop (STDIN_FILENO, p0[1], - STDOUT_FILENO, p1[0], - STDERR_FILENO, p2[0]); - } -} - -/* - * Is `port' a ``reserverd'' port? - */ - -static int -is_reserved(u_short port) -{ - return ntohs(port) < IPPORT_RESERVED; -} - -/* - * Set the necessary part of the environment in `env'. 
- */ - -static void -setup_environment (char ***env, const struct passwd *pwd) -{ - int i, j, path; - char **e; - - i = 0; - path = 0; - *env = NULL; - - i = read_environment(_PATH_ETC_ENVIRONMENT, env); - e = *env; - for (j = 0; j < i; j++) { - if (!strncmp(e[j], "PATH=", 5)) { - path = 1; - } - } - - e = *env; - e = realloc(e, (i + 7) * sizeof(char *)); - - asprintf (&e[i++], "USER=%s", pwd->pw_name); - asprintf (&e[i++], "HOME=%s", pwd->pw_dir); - asprintf (&e[i++], "SHELL=%s", pwd->pw_shell); - if (! path) { - asprintf (&e[i++], "PATH=%s", _PATH_DEFPATH); - } - asprintf (&e[i++], "SSH_CLIENT=only_to_make_bash_happy"); -#if defined(DCE) - if (getenv("KRB5CCNAME")) - asprintf (&e[i++], "KRB5CCNAME=%s", getenv("KRB5CCNAME")); -#else - if (do_unique_tkfile) - asprintf (&e[i++], "KRB5CCNAME=%s", tkfile); -#endif - e[i++] = NULL; - *env = e; -} - -static void -doit (void) -{ - u_char buf[BUFSIZ]; - u_char *p; - struct sockaddr_storage thisaddr_ss; - struct sockaddr *thisaddr = (struct sockaddr *)&thisaddr_ss; - struct sockaddr_storage thataddr_ss; - struct sockaddr *thataddr = (struct sockaddr *)&thataddr_ss; - struct sockaddr_storage erraddr_ss; - struct sockaddr *erraddr = (struct sockaddr *)&erraddr_ss; - socklen_t thisaddr_len, thataddr_len; - int port; - int errsock = -1; - char *client_user, *server_user, *cmd; - struct passwd *pwd; - int s = STDIN_FILENO; - char **env; - int ret; - char that_host[NI_MAXHOST]; - - thisaddr_len = sizeof(thisaddr_ss); - if (getsockname (s, thisaddr, &thisaddr_len) < 0) - syslog_and_die("getsockname: %m"); - thataddr_len = sizeof(thataddr_ss); - if (getpeername (s, thataddr, &thataddr_len) < 0) - syslog_and_die ("getpeername: %m"); - - /* check for V4MAPPED addresses? 
*/ - - if (do_kerberos == 0 && !is_reserved(socket_get_port(thataddr))) - fatal(s, NULL, "Permission denied."); - - p = buf; - port = 0; - for(;;) { - if (net_read (s, p, 1) != 1) - syslog_and_die ("reading port number: %m"); - if (*p == '\0') - break; - else if (isdigit(*p)) - port = port * 10 + *p - '0'; - else - syslog_and_die ("non-digit in port number: %c", *p); - } - - if (do_kerberos == 0 && !is_reserved(htons(port))) - fatal(s, NULL, "Permission denied."); - - if (port) { - int priv_port = IPPORT_RESERVED - 1; - - /* - * There's no reason to require a ``privileged'' port number - * here, but for some reason the brain dead rsh clients - * do... :-( - */ - - erraddr->sa_family = thataddr->sa_family; - socket_set_address_and_port (erraddr, - socket_get_address (thataddr), - htons(port)); - - /* - * we only do reserved port for IPv4 - */ - - if (erraddr->sa_family == AF_INET) - errsock = rresvport (&priv_port); - else - errsock = socket (erraddr->sa_family, SOCK_STREAM, 0); - if (errsock < 0) - syslog_and_die ("socket: %m"); - if (connect (errsock, - erraddr, - socket_sockaddr_size (erraddr)) < 0) { - syslog (LOG_WARNING, "connect: %m"); - close (errsock); - } - } - - if(do_kerberos) { - if (net_read (s, buf, 4) != 4) - syslog_and_die ("reading auth info: %m"); - -#ifdef KRB4 - if ((do_kerberos & DO_KRB4) && - recv_krb4_auth (s, buf, thisaddr, thataddr, - &client_user, - &server_user, - &cmd) == 0) - auth_method = AUTH_KRB4; - else -#endif /* KRB4 */ -#ifdef KRB5 - if((do_kerberos & DO_KRB5) && - recv_krb5_auth (s, buf, thisaddr, thataddr, - &client_user, - &server_user, - &cmd) == 0) - auth_method = AUTH_KRB5; - else -#endif /* KRB5 */ - syslog_and_die ("unrecognized auth protocol: %x %x %x %x", - buf[0], buf[1], buf[2], buf[3]); - } else { - if(recv_bsd_auth (s, buf, - (struct sockaddr_in *)thisaddr, - (struct sockaddr_in *)thataddr, - &client_user, - &server_user, - &cmd) == 0) { - auth_method = AUTH_BROKEN; - if(do_vacuous) { - printf("Remote host requires 
Kerberos authentication\n"); - exit(0); - } - } else - syslog_and_die("recv_bsd_auth failed"); - } - -#if defined(DCE) && defined(_AIX) - esetenv("AUTHSTATE", "DCE", 1); -#endif - - pwd = getpwnam (server_user); - if (pwd == NULL) - fatal (s, NULL, "Login incorrect."); - - if (*pwd->pw_shell == '\0') - pwd->pw_shell = _PATH_BSHELL; - - if (pwd->pw_uid != 0 && access (_PATH_NOLOGIN, F_OK) == 0) - fatal (s, NULL, "Login disabled."); - - - ret = getnameinfo_verified (thataddr, thataddr_len, - that_host, sizeof(that_host), - NULL, 0, 0); - if (ret) - fatal (s, NULL, "getnameinfo: %s", gai_strerror(ret)); - - if (login_access(pwd, that_host) == 0) { - syslog(LOG_NOTICE, "Kerberos rsh denied to %s from %s", - server_user, that_host); - fatal(s, NULL, "Permission denied."); - } - -#ifdef HAVE_GETSPNAM - { - struct spwd *sp; - long today; - - sp = getspnam(server_user); - if (sp != NULL) { - today = time(0)/(24L * 60 * 60); - if (sp->sp_expire > 0) - if (today > sp->sp_expire) - fatal(s, NULL, "Account has expired."); - } - } -#endif - - -#ifdef KRB5 - { - int fd; - - if (!do_unique_tkfile) - snprintf(tkfile,sizeof(tkfile),"FILE:/tmp/krb5cc_%u",pwd->pw_uid); - else if (*tkfile=='\0') { - snprintf(tkfile,sizeof(tkfile),"FILE:/tmp/krb5cc_XXXXXX"); - fd = mkstemp(tkfile+5); - close(fd); - unlink(tkfile+5); - } - - if (kerberos_status) - krb5_start_session(); - } - chown(tkfile + 5, pwd->pw_uid, -1); - -#if defined(DCE) - if (kerberos_status) { - esetenv("KRB5CCNAME", tkfile, 1); - dfspag = krb5_dfs_pag(context, kerberos_status, user_ticket->client, server_user); - } -#endif - -#endif - -#ifdef HAVE_SETLOGIN - if (setlogin(pwd->pw_name) < 0) - syslog(LOG_ERR, "setlogin() failed: %m"); -#endif - -#ifdef HAVE_SETPCRED - if (setpcred (pwd->pw_name, NULL) == -1) - syslog(LOG_ERR, "setpcred() failure: %m"); -#endif /* HAVE_SETPCRED */ - - if (initgroups (pwd->pw_name, pwd->pw_gid) < 0) - fatal (s, "initgroups", "Login incorrect."); - - if (setgid(pwd->pw_gid) < 0) - fatal (s, 
"setgid", "Login incorrect."); - - if (setuid (pwd->pw_uid) < 0) - fatal (s, "setuid", "Login incorrect."); - - if (chdir (pwd->pw_dir) < 0) - fatal (s, "chdir", "Remote directory."); - - if (errsock >= 0) { - if (dup2 (errsock, STDERR_FILENO) < 0) - fatal (s, "dup2", "Cannot dup stderr."); - close (errsock); - } - - setup_environment (&env, pwd); - - if (do_encrypt) { - setup_copier (); - } else { - if (net_write (s, "", 1) != 1) - fatal (s, "net_write", "write failed"); - } - -#if defined(KRB4) || defined(KRB5) - if(k_hasafs()) { - char cell[64]; - - if(do_newpag) - k_setpag(); -#ifdef KRB4 - if (k_afs_cell_of_file (pwd->pw_dir, cell, sizeof(cell)) == 0) - krb_afslog_uid_home (cell, NULL, pwd->pw_uid, pwd->pw_dir); - krb_afslog_uid_home(NULL, NULL, pwd->pw_uid, pwd->pw_dir); -#endif - -#ifdef KRB5 - /* XXX */ - if (kerberos_status) { - krb5_ccache ccache; - krb5_error_code status; - - status = krb5_cc_resolve (context, tkfile, &ccache); - if (!status) { - if (k_afs_cell_of_file (pwd->pw_dir, cell, sizeof(cell)) == 0) - krb5_afslog_uid_home(context, ccache, cell, NULL, - pwd->pw_uid, pwd->pw_dir); - krb5_afslog_uid_home(context, ccache, NULL, NULL, - pwd->pw_uid, pwd->pw_dir); - krb5_cc_close (context, ccache); - } - } -#endif /* KRB5 */ - } -#endif /* KRB5 || KRB4 */ - execle (pwd->pw_shell, pwd->pw_shell, "-c", cmd, NULL, env); - err(1, "exec %s", pwd->pw_shell); -} - -struct getargs args[] = { - { NULL, 'a', arg_flag, &do_addr_verify }, - { "keepalive", 'n', arg_negative_flag, &do_keepalive }, - { "inetd", 'i', arg_negative_flag, &do_inetd, - "Not started from inetd" }, -#if defined(KRB4) || defined(KRB5) - { "kerberos", 'k', arg_flag, &do_kerberos, - "Implement kerberised services" }, - { "encrypt", 'x', arg_flag, &do_encrypt, - "Implement encrypted service" }, -#endif - { "rhosts", 'l', arg_negative_flag, &do_rhosts, - "Don't check users .rhosts" }, - { "port", 'p', arg_string, &port_str, "Use this port", - "port" }, - { "vacuous", 'v', arg_flag, &do_vacuous, 
- "Don't accept non-kerberised connections" }, -#if defined(KRB4) || defined(KRB5) - { NULL, 'P', arg_negative_flag, &do_newpag, - "Don't put process in new PAG" }, -#endif - /* compatibility flag: */ - { NULL, 'L', arg_flag, &do_log }, - { "version", 0, arg_flag, &do_version }, - { "help", 0, arg_flag, &do_help } -}; - -static void -usage (int ret) -{ - if(isatty(STDIN_FILENO)) - arg_printusage (args, - sizeof(args) / sizeof(args[0]), - NULL, - ""); - else - syslog (LOG_ERR, "Usage: %s [-ikxlvPL] [-p port]", getprogname()); - exit (ret); -} - - -int -main(int argc, char **argv) -{ - int optind = 0; - int on = 1; - - setprogname (argv[0]); - roken_openlog ("rshd", LOG_ODELAY | LOG_PID, LOG_AUTH); - - if (getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, - &optind)) - usage(1); - - if(do_help) - usage (0); - - if (do_version) { - print_version(NULL); - exit(0); - } - -#if defined(KRB4) || defined(KRB5) - if (do_encrypt) - do_kerberos = 1; - - if(do_kerberos) - do_kerberos = DO_KRB4 | DO_KRB5; -#endif - - if (do_keepalive && - setsockopt(0, SOL_SOCKET, SO_KEEPALIVE, (char *)&on, - sizeof(on)) < 0) - syslog(LOG_WARNING, "setsockopt (SO_KEEPALIVE): %m"); - - /* set SO_LINGER? 
*/ - -#ifdef KRB5 - if((do_kerberos & DO_KRB5) && krb5_init_context (&context) != 0) - do_kerberos &= ~DO_KRB5; -#endif - - if (!do_inetd) { - int error; - struct addrinfo *ai = NULL, hints; - char portstr[NI_MAXSERV]; - - memset (&hints, 0, sizeof(hints)); - hints.ai_flags = AI_PASSIVE; - hints.ai_socktype = SOCK_STREAM; - hints.ai_family = PF_UNSPEC; - - if(port_str != NULL) { - error = getaddrinfo (NULL, port_str, &hints, &ai); - if (error) - errx (1, "getaddrinfo: %s", gai_strerror (error)); - } - if (ai == NULL) { -#if defined(KRB4) || defined(KRB5) - if (do_kerberos) { - if (do_encrypt) { - error = getaddrinfo(NULL, "ekshell", &hints, &ai); - if(error == EAI_NONAME) { - snprintf(portstr, sizeof(portstr), "%d", 545); - error = getaddrinfo(NULL, portstr, &hints, &ai); - } - if(error) - errx (1, "getaddrinfo: %s", gai_strerror (error)); - } else { - error = getaddrinfo(NULL, "kshell", &hints, &ai); - if(error == EAI_NONAME) { - snprintf(portstr, sizeof(portstr), "%d", 544); - error = getaddrinfo(NULL, portstr, &hints, &ai); - } - if(error) - errx (1, "getaddrinfo: %s", gai_strerror (error)); - } - } else -#endif - { - error = getaddrinfo(NULL, "shell", &hints, &ai); - if(error == EAI_NONAME) { - snprintf(portstr, sizeof(portstr), "%d", 514); - error = getaddrinfo(NULL, portstr, &hints, &ai); - } - if(error) - errx (1, "getaddrinfo: %s", gai_strerror (error)); - } - } - mini_inetd_addrinfo (ai); - freeaddrinfo(ai); - } - - signal (SIGPIPE, SIG_IGN); - - doit (); - return 0; -} diff --git a/crypto/heimdal-0.6.3/appl/rsh/rshd.cat8 b/crypto/heimdal-0.6.3/appl/rsh/rshd.cat8 deleted file mode 100644 index 2b09091aad..0000000000 --- a/crypto/heimdal-0.6.3/appl/rsh/rshd.cat8 +++ /dev/null 
@@ -1,79 +0,0 @@ - -RSHD(8) UNIX System Manager's Manual RSHD(8) - -NNAAMMEE - rrsshhdd - remote shell server - -SSYYNNOOPPSSIISS - rrsshhdd [--aaiikkllnnvvxxPPLL] [--pp _p_o_r_t] - -DDEESSCCRRIIPPTTIIOONN - rrsshhdd is the server for the rsh(1) program. It provides an authenticated - remote command execution service. Supported options are: - - --nn, ----nnoo--kkeeeeppaalliivvee - Disables keep-alive messages. Keep-alives are packets sent at - certain intervals to make sure that the client is still there, - even when it doesn't send any data. - - --kk, ----kkeerrbbeerrooss - Assume that clients connecting to this server will use some form - of Kerberos authentication. See the _E_X_A_M_P_L_E_S section for a sample - inetd.conf(5) configuration. - - --xx, ----eennccrryypptt - For Kerberos 4 this means that the connections are encrypted. - Kerberos 5 can negotiate encryption even without this option, but - if it's present rrsshhdd will deny unencrypted connections. This op- - tion implies --kk. - - --vv, ----vvaaccuuoouuss - If the connecting client does not use any Kerberised authentica- - tion, print a message that complains about this fact, and exit. - This is helpful if you want to move away from old port-based au- - thentication. - - --PP When using the AFS filesystem, users' authentication tokens are - put in something called a PAG (Process Authentication Group). - Multiple processes can share a PAG, but normally each login ses- - sion has its own PAG. This option disables the sseettppaagg() call, so - all tokens will be put in the default (uid-based) PAG, making it - possible to share tokens between sessions. This is only useful in - peculiar environments, such as some batch systems. - - --ii, ----nnoo--iinneettdd - The --ii option will cause rrsshhdd to create a socket, instead of as- - suming that its stdin came from inetd(8). This is mostly useful - for debugging. - - --pp _p_o_r_t, ----ppoorrtt==_p_o_r_t - Port to use with --ii. 
- - --aa This flag is for backwards compatibility only. - - --LL This flag enables logging of connections to syslogd(8). This op- - tion is always on in this implementation. - -FFIILLEESS - /etc/hosts.equiv - ~/.rhosts - -EEXXAAMMPPLLEESS - The following can be used to enable Kerberised rsh in inetd.cond(5), - while disabling non-Kerberised connections: - - shell stream tcp nowait root /usr/libexec/rshd rshd -v - kshell stream tcp nowait root /usr/libexec/rshd rshd -k - ekshell stream tcp nowait root /usr/libexec/rshd rshd -kx - -SSEEEE AALLSSOO - rsh(1), iruserok(3) - -HHIISSTTOORRYY - The rrsshhdd command appeared in 4.2BSD. - -AAUUTTHHOORRSS - This implementation of rrsshhdd was written as part of the Heimdal Kerberos 5 - implementation. - - HEIMDAL November 22, 2002 2 diff --git a/crypto/heimdal-0.6.3/appl/su/ChangeLog b/crypto/heimdal-0.6.3/appl/su/ChangeLog deleted file mode 100644 index 7420d85ee3..0000000000 --- a/crypto/heimdal-0.6.3/appl/su/ChangeLog +++ /dev/null 
@@ -1,87 +0,0 @@ -2003-05-06 Johan Danielsson - - * su.c: remove accidentally committed code that prints the command - being executed - -2003-03-18 Love Hörnquist Åstrand - - * su.c (krb5_start_session): krb5_afslog doesn't depend on KRB4 - any more - -2002-02-19 Johan Danielsson - - * su.c: make this build without krb5 - -2002-01-09 Jacques Vidrine - - * su.c: Don't use getlogin() to determine whether we are root. - Patch by joda. - -2001-06-12 Assar Westerlund - - * su.c: check memory allocations. add some const - -2000-12-31 Assar Westerlund - - * su.c (krb5_verify): handle krb5_init_context failure - consistently - -2000-08-28 Johan Danielsson - - * su.c: set KRBTKFILE - -2000-07-10 Assar Westerlund - - * Makefile.am: actually install su - * su.c (krb5_verify): try harder freeing. do not get upset on - interrupted password read - -2000-06-09 Assar Westerlund - - * su.c (main): work-around for setuid and capabilities bug fixed - in Linux 2.2.16 - -2000-06-03 Assar Westerlund - - * su.c (main): just ignore shadow information if getspnam returns - NULL - -1999-10-20 Assar Westerlund - - * Makefile.am: use LIB_roken - -1999-09-28 Assar Westerlund - - * su.c (krb5_verify): use krb5_verify_user_lrealm - -1999-08-04 Assar Westerlund - - * su.c: add support for shadow passwords and rewrite some logic. - From Miroslav Ruda - - * Makefile.am: add libkafs - -1999-06-15 Assar Westerlund - - * su.c (main): conditionalize `getlogin' - -1999-05-11 Assar Westerlund - - * su.c (verfiy_krb5): get the name out of the ccache before - closing it - -1999-05-05 Assar Westerlund - - * su.c: some more error checking - -Wed Apr 21 21:04:36 1999 Assar Westerlund - - * su.c (-f): implement - - * su.c: implement -i - (verify_krb5): correct the ownership on the credential cache - -Tue Apr 20 13:26:13 1999 Johan Danielsson - - * su.c: don't depend on paths.h - 
diff --git a/crypto/heimdal-0.6.3/appl/su/Makefile.am b/crypto/heimdal-0.6.3/appl/su/Makefile.am
deleted file mode 100644
index 9cacaba7d1..0000000000
--- a/crypto/heimdal-0.6.3/appl/su/Makefile.am
+++ /dev/null
@@ -1,16 +0,0 @@
-# $Id: Makefile.am,v 1.7 2001/08/28 08:31:22 assar Exp $
-
-include $(top_srcdir)/Makefile.am.common
-
-INCLUDES += $(INCLUDE_krb4) $(INCLUDE_des)
-
-bin_PROGRAMS = su
-bin_SUIDS = su
-su_SOURCES = su.c
-
-LDADD = $(LIB_kafs) \
- $(top_builddir)/lib/krb5/libkrb5.la \
- $(LIB_krb4) \
- $(LIB_des) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(LIB_roken)
diff --git a/crypto/heimdal-0.6.3/appl/su/Makefile.in b/crypto/heimdal-0.6.3/appl/su/Makefile.in
deleted file mode 100644
index f6eb06546e..0000000000
--- a/crypto/heimdal-0.6.3/appl/su/Makefile.in
+++ /dev/null
@@ -1,767 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.7 2001/08/28 08:31:22 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - -SOURCES = $(su_SOURCES) - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../.. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ - $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common ChangeLog -bin_PROGRAMS = su$(EXEEXT) -subdir = appl/su -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - 
$(top_srcdir)/cf/krb-struct-spwd.m4 \ - $(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -am__installdirs = "$(DESTDIR)$(bindir)" -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -PROGRAMS = $(bin_PROGRAMS) -am_su_OBJECTS = su.$(OBJEXT) -su_OBJECTS = $(am_su_OBJECTS) -su_LDADD = $(LDADD) -am__DEPENDENCIES_1 = -am__DEPENDENCIES_2 = $(top_builddir)/lib/kafs/libkafs.la \ - $(am__DEPENDENCIES_1) -su_DEPENDENCIES = $(am__DEPENDENCIES_2) \ - $(top_builddir)/lib/krb5/libkrb5.la $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) $(top_builddir)/lib/asn1/libasn1.la \ - $(am__DEPENDENCIES_1) -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -SOURCES = $(su_SOURCES) -DIST_SOURCES = $(su_SOURCES) -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = 
@HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ 
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ 
-dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) $(INCLUDE_des) -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -bin_SUIDS = su -su_SOURCES = su.c -LDADD = $(LIB_kafs) \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(LIB_krb4) \ - 
$(LIB_des) \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_roken) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps appl/su/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps appl/su/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -install-binPROGRAMS: $(bin_PROGRAMS) - @$(NORMAL_INSTALL) - test -z "$(bindir)" || $(mkdir_p) "$(DESTDIR)$(bindir)" - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(bindir)/$$f'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) "$$p" 
"$(DESTDIR)$(bindir)/$$f" || exit 1; \ - else :; fi; \ - done - -uninstall-binPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f '$(DESTDIR)$(bindir)/$$f'"; \ - rm -f "$(DESTDIR)$(bindir)/$$f"; \ - done - -clean-binPROGRAMS: - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -su$(EXEEXT): $(su_OBJECTS) $(su_DEPENDENCIES) - @rm -f su$(EXEEXT) - $(LINK) $(su_LDFLAGS) $(su_OBJECTS) $(su_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c $< - -.c.obj: - $(COMPILE) -c `$(CYGPATH_W) '$<'` - -.c.lo: - $(LTCOMPILE) -c -o $@ $< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo 
$(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/../.. $(distdir)/../../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) all-local -installdirs: - for dir in "$(DESTDIR)$(bindir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) 
INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: install-binPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-binPROGRAMS uninstall-info-am - -.PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \ - clean clean-binPROGRAMS clean-generic clean-libtool ctags \ - distclean distclean-compile distclean-generic \ - distclean-libtool distclean-tags distdir dvi dvi-am html \ - html-am info info-am install install-am install-binPROGRAMS \ - install-data install-data-am install-exec install-exec-am \ - install-info install-info-am install-man install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags uninstall 
uninstall-am uninstall-binPROGRAMS \ - uninstall-info-am - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - 
-dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal-0.6.3/appl/su/su.c b/crypto/heimdal-0.6.3/appl/su/su.c deleted file mode 100644 index 79324e9ee5..0000000000 --- a/crypto/heimdal-0.6.3/appl/su/su.c +++ /dev/null 
@@ -1,551 +0,0 @@ -/* - * Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of KTH nor the names of its contributors may be - * used to endorse or promote products derived from this software without - * specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY - * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR - * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, - * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR - * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF - * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ - -#include - -RCSID("$Id: su.c,v 1.26.2.1 2003/05/06 12:06:44 joda Exp $"); - -#include -#include -#include - -#include - -#ifdef HAVE_PATHS_H -#include -#endif - -#ifdef HAVE_SHADOW_H -#include -#endif - -#include - -#include "crypto-headers.h" -#ifdef KRB5 -#include -#endif -#ifdef KRB4 -#include -#endif -#include -#include -#include -#include - -#ifndef _PATH_DEFPATH -#define _PATH_DEFPATH "/usr/bin:/bin" -#endif - -#ifndef _PATH_BSHELL -#define _PATH_BSHELL "/bin/sh" -#endif - -int kerberos_flag = 1; -int csh_f_flag; -int full_login; -int env_flag; -char *kerberos_instance = "root"; -int help_flag; -int version_flag; -char *cmd; -char tkfile[256]; - -struct getargs args[] = { - { "kerberos", 'K', arg_negative_flag, &kerberos_flag, - "don't use kerberos" }, - { NULL, 'f', arg_flag, &csh_f_flag, - "don't read .cshrc" }, - { "full", 'l', arg_flag, &full_login, - "simulate full login" }, - { NULL, 'm', arg_flag, &env_flag, - "leave environment unmodified" }, - { "instance", 'i', arg_string, &kerberos_instance, - "root instance to use" }, - { "command", 'c', arg_string, &cmd, - "command to execute" }, - { "help", 'h', arg_flag, &help_flag }, - { "version", 0, arg_flag, &version_flag }, -}; - - -static void -usage (int ret) -{ - arg_printusage (args, - sizeof(args)/sizeof(*args), - NULL, - "[login [shell arguments]]"); - exit (ret); -} - -static void -free_info(struct passwd *p) -{ - free (p->pw_name); - free (p->pw_passwd); - free (p->pw_dir); - free (p->pw_shell); - free (p); -} - -static struct passwd* -dup_info(const struct passwd *pwd) -{ - struct passwd *info; - - info = malloc(sizeof(*info)); - if(info == NULL) - return NULL; - info->pw_name = strdup(pwd->pw_name); - info->pw_passwd = strdup(pwd->pw_passwd); - info->pw_uid = pwd->pw_uid; - info->pw_gid = pwd->pw_gid; - info->pw_dir = strdup(pwd->pw_dir); - info->pw_shell = strdup(pwd->pw_shell); - if(info->pw_name == NULL || info->pw_passwd == NULL || - info->pw_dir == NULL || info->pw_shell == NULL) { - 
free_info (info); - return NULL; - } - return info; -} - -#if defined(KRB4) || defined(KRB5) -static void -set_tkfile() -{ -#ifndef TKT_ROOT -#define TKT_ROOT "/tmp/tkt" -#endif - int fd; - if(*tkfile != '\0') - return; - snprintf(tkfile, sizeof(tkfile), "%s_XXXXXX", TKT_ROOT); - fd = mkstemp(tkfile); - if(fd >= 0) - close(fd); -#ifdef KRB4 - krb_set_tkt_string(tkfile); -#endif -} -#endif - -#ifdef KRB5 -static krb5_context context; -static krb5_ccache ccache; - -static int -krb5_verify(const struct passwd *login_info, - const struct passwd *su_info, - const char *kerberos_instance) -{ - krb5_error_code ret; - krb5_principal p; - char *login_name = NULL; - -#if defined(HAVE_GETLOGIN) && !defined(POSIX_GETLOGIN) - login_name = getlogin(); -#endif - ret = krb5_init_context (&context); - if (ret) { -#if 0 - warnx("krb5_init_context failed: %d", ret); -#endif - return 1; - } - - if (login_name == NULL || strcmp (login_name, "root") == 0) - login_name = login_info->pw_name; - if (strcmp (su_info->pw_name, "root") == 0) - ret = krb5_make_principal(context, &p, NULL, - login_name, - kerberos_instance, - NULL); - else - ret = krb5_make_principal(context, &p, NULL, - su_info->pw_name, - NULL); - if(ret) - return 1; - - if(su_info->pw_uid != 0 || krb5_kuserok(context, p, su_info->pw_name)) { - ret = krb5_cc_gen_new(context, &krb5_mcc_ops, &ccache); - if(ret) { -#if 1 - krb5_warn(context, ret, "krb5_cc_gen_new"); -#endif - krb5_free_principal (context, p); - return 1; - } - ret = krb5_verify_user_lrealm(context, p, ccache, NULL, TRUE, NULL); - krb5_free_principal (context, p); - if(ret) { - krb5_cc_destroy(context, ccache); - switch (ret) { - case KRB5_LIBOS_PWDINTR : - break; - case KRB5KRB_AP_ERR_BAD_INTEGRITY: - case KRB5KRB_AP_ERR_MODIFIED: - krb5_warnx(context, "Password incorrect"); - break; - default : - krb5_warn(context, ret, "krb5_verify_user"); - break; - } - return 1; - } - return 0; - } - krb5_free_principal (context, p); - return 1; -} - -static int 
-krb5_start_session(void) -{ - krb5_ccache ccache2; - char *cc_name; - int ret; - - ret = krb5_cc_gen_new(context, &krb5_fcc_ops, &ccache2); - if (ret) { - krb5_cc_destroy(context, ccache); - return 1; - } - - ret = krb5_cc_copy_cache(context, ccache, ccache2); - - asprintf(&cc_name, "%s:%s", krb5_cc_get_type(context, ccache2), - krb5_cc_get_name(context, ccache2)); - esetenv("KRB5CCNAME", cc_name, 1); - - /* we want to export this even if we don't directly support KRB4 */ - set_tkfile(); - esetenv("KRBTKFILE", tkfile, 1); - - /* convert creds? */ - if(k_hasafs()) { - if (k_setpag() == 0) - krb5_afslog(context, ccache2, NULL, NULL); - } - - krb5_cc_close(context, ccache2); - krb5_cc_destroy(context, ccache); - return 0; -} -#endif - -#ifdef KRB4 - -static int -krb_verify(const struct passwd *login_info, - const struct passwd *su_info, - const char *kerberos_instance) -{ - int ret; - char *login_name = NULL; - char *name, *instance, realm[REALM_SZ]; - -#if defined(HAVE_GETLOGIN) && !defined(POSIX_GETLOGIN) - login_name = getlogin(); -#endif - - ret = krb_get_lrealm(realm, 1); - - if (login_name == NULL || strcmp (login_name, "root") == 0) - login_name = login_info->pw_name; - if (strcmp (su_info->pw_name, "root") == 0) { - name = login_name; - instance = (char*)kerberos_instance; - } else { - name = su_info->pw_name; - instance = ""; - } - - if(su_info->pw_uid != 0 || - krb_kuserok(name, instance, realm, su_info->pw_name) == 0) { - char password[128]; - char *prompt; - asprintf (&prompt, - "%s's Password: ", - krb_unparse_name_long (name, instance, realm)); - if (des_read_pw_string (password, sizeof (password), prompt, 0)) { - memset (password, 0, sizeof (password)); - free(prompt); - return (1); - } - free(prompt); - if (strlen(password) == 0) - return (1); /* Empty passwords are not allowed */ - set_tkfile(); - setuid(geteuid()); /* need to run as root here */ - ret = krb_verify_user(name, instance, realm, password, - KRB_VERIFY_SECURE, NULL); - memset(password, 
0, sizeof(password)); - - if(ret) { - warnx("%s", krb_get_err_text(ret)); - return 1; - } - chown (tkt_string(), su_info->pw_uid, su_info->pw_gid); - return 0; - } - return 1; -} - - -static int -krb_start_session(void) -{ - esetenv("KRBTKFILE", tkfile, 1); - - /* convert creds? */ - if(k_hasafs() && k_setpag() == 0) - krb_afslog(NULL, NULL); - - return 0; -} -#endif - -static int -verify_unix(struct passwd *su) -{ - char prompt[128]; - char pw_buf[1024]; - char *pw; - int r; - if(su->pw_passwd != NULL && *su->pw_passwd != '\0') { - snprintf(prompt, sizeof(prompt), "%s's password: ", su->pw_name); - r = des_read_pw_string(pw_buf, sizeof(pw_buf), prompt, 0); - if(r != 0) - exit(0); - pw = crypt(pw_buf, su->pw_passwd); - memset(pw_buf, 0, sizeof(pw_buf)); - if(strcmp(pw, su->pw_passwd) != 0) - return 1; - } - return 0; -} - -int -main(int argc, char **argv) -{ - int i, optind = 0; - char *su_user; - struct passwd *su_info; - struct passwd *login_info; - - struct passwd *pwd; - - char *shell; - - int ok = 0; - int kerberos_error=1; - - setprogname (argv[0]); - - if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind)) - usage(1); - - for (i=0; i < optind; i++) - if (strcmp(argv[i], "-") == 0) { - full_login = 1; - break; - } - - if(help_flag) - usage(0); - if(version_flag) { - print_version(NULL); - exit(0); - } - if(optind >= argc) - su_user = "root"; - else - su_user = argv[optind++]; - - pwd = k_getpwnam(su_user); - if(pwd == NULL) - errx (1, "unknown login %s", su_user); - if (pwd->pw_uid == 0 && strcmp ("root", su_user) != 0) { - syslog (LOG_ALERT, "NIS attack, user %s has uid 0", su_user); - errx (1, "unknown login %s", su_user); - } - su_info = dup_info(pwd); - if (su_info == NULL) - errx (1, "malloc: out of memory"); - - pwd = getpwuid(getuid()); - if(pwd == NULL) - errx(1, "who are you?"); - login_info = dup_info(pwd); - if (login_info == NULL) - errx (1, "malloc: out of memory"); - if(env_flag) - shell = login_info->pw_shell; - else - shell = 
su_info->pw_shell;
- if(shell == NULL || *shell == '\0')
- shell = _PATH_BSHELL;
-
-
-#ifdef KRB5
- if(kerberos_flag && ok == 0 &&
- (kerberos_error=krb5_verify(login_info, su_info, kerberos_instance)) == 0)
- ok = 5;
-#endif
-#ifdef KRB4
- if(kerberos_flag && ok == 0 &&
- (kerberos_error = krb_verify(login_info, su_info, kerberos_instance)) == 0)
- ok = 4;
-#endif
-
- if(ok == 0 && login_info->pw_uid && verify_unix(su_info) != 0) {
- printf("Sorry!\n");
- exit(1);
- }
-
-#ifdef HAVE_GETSPNAM
- { struct spwd *sp;
- long today;
-
- sp = getspnam(su_info->pw_name);
- if (sp != NULL) {
- today = time(0)/(24L * 60 * 60);
- if (sp->sp_expire > 0) {
- if (today >= sp->sp_expire) {
- if (login_info->pw_uid)
- errx(1,"Your account has expired.");
- else
- printf("Your account has expired.");
- }
- else if (sp->sp_expire - today < 14)
- printf("Your account will expire in %d days.\n",
- (int)(sp->sp_expire - today));
- }
- if (sp->sp_max > 0) {
- if (today >= sp->sp_lstchg + sp->sp_max) {
- if (login_info->pw_uid)
- errx(1,"Your password has expired. Choose a new one.");
- else
- printf("Your password has expired. Choose a new one.");
- }
- else if (today >= sp->sp_lstchg + sp->sp_max - sp->sp_warn)
- printf("Your account will expire in %d days.\n",
- (int)(sp->sp_lstchg + sp->sp_max -today));
- }
- }
- }
-#endif
- {
- char *tty = ttyname (STDERR_FILENO);
- syslog (LOG_NOTICE | LOG_AUTH, tty ?
"%s to %s" : "%s to %s on %s",
- login_info->pw_name, su_info->pw_name, tty);
- }
-
-
- if(!env_flag) {
- if(full_login) {
- char *t = getenv ("TERM");
-
- environ = malloc (10 * sizeof (char *));
- if (environ == NULL)
- err (1, "malloc");
- environ[0] = NULL;
- esetenv ("PATH", _PATH_DEFPATH, 1);
- if (t)
- esetenv ("TERM", t, 1);
- if (chdir (su_info->pw_dir) < 0)
- errx (1, "no directory");
- }
- if (full_login || su_info->pw_uid)
- esetenv ("USER", su_info->pw_name, 1);
- esetenv("HOME", su_info->pw_dir, 1);
- esetenv("SHELL", shell, 1);
- }
-
- {
- int i;
- char **args;
- char *p;
-
- p = strrchr(shell, '/');
- if(p)
- p++;
- else
- p = shell;
-
- if (strcmp(p, "csh") != 0)
- csh_f_flag = 0;
-
- args = malloc(((cmd ? 2 : 0) + 1 + argc - optind + 1 + csh_f_flag) * sizeof(*args));
- if (args == NULL)
- err (1, "malloc");
- i = 0;
- if(full_login)
- asprintf(&args[i++], "-%s", p);
- else
- args[i++] = p;
- if (cmd) {
- args[i++] = "-c";
- args[i++] = cmd;
- }
-
- if (csh_f_flag)
- args[i++] = "-f";
-
- for (argv += optind; *argv; ++argv)
- args[i++] = *argv;
- args[i] = NULL;
-
- if(setgid(su_info->pw_gid) < 0)
- err(1, "setgid");
- if (initgroups (su_info->pw_name, su_info->pw_gid) < 0)
- err (1, "initgroups");
- if(setuid(su_info->pw_uid) < 0
- || (su_info->pw_uid != 0 && setuid(0) == 0))
- err(1, "setuid");
-
-#ifdef KRB5
- if (ok == 5)
- krb5_start_session();
-#endif
-#ifdef KRB4
- if (ok == 4)
- krb_start_session();
-#endif
- execv(shell, args);
- }
-
- exit(1);
-}
diff --git a/crypto/heimdal-0.6.3/appl/telnet/ChangeLog b/crypto/heimdal-0.6.3/appl/telnet/ChangeLog
deleted file mode 100644
index 610655763d..0000000000
--- a/crypto/heimdal-0.6.3/appl/telnet/ChangeLog
+++ /dev/null
@@ -1,559 +0,0 @@
-2004-06-21 Love Hörnquist Åstrand
-
- * telnet/network.c: 1.12: make network rings larger From: MAAAAA
- MOOOR
-
- * telnetd/state.c: 1.14: make subbuffer larger XXX resize
- dynamicly
From: MAAAAA MOOOR - - * libtelnet/kerberos5.c: 1.54: (Data): allocate the data needed to - be send - 
From: MAAAAA MOOOR - -2004-03-22 Love Hörnquist Åstrand - - * telnetd/telnetd.c: call setprogname to make libvers happy - - * telnet/main.c: call setprogname to make libvers happy - -2002-09-02 Johan Danielsson - - * libtelnet/kerberos5.c: set AP_OPTS_USE_SUBKEY - -2002-08-28 Johan Danielsson - - * telnet/commands.c: remove extra "Toggle"'s - - * telnet/commands.c: IRIX == 4 -> IRIX4 - - * telnet/main.c: rename functions to what they're really called - - * telnet/commands.c: kill some might be uninitialized warnings - - * telnet/commands.c: add forward and forwardable toggle options, - and call set_forward_options() after parsing .telnetrc - - * telnet/externs.h: proto for set_forward_options - - * telnet/main.c: only register what forwarding options are asked - for when parsing command line, we have to set the actual flags - later after we have read .telnetrc - - * libtelnet/auth-proto.h: kerberos5_set_forward{,able} protos - - * libtelnet/kerberos5.c: add kerberos5_set_forward{,able} - functions suitable for the command parser - -2002-08-23 Assar Westerlund - - * telnetd/telnetd.c: add --version as a special case - * telnet/main.c: add --version as a special case - -2002-05-03 Johan Danielsson - - * telnet/telnet.c: only try to negotiate encryption if we're - talking to a real telnet - -2002-03-31 Johan Danielsson - - * telnet/commands.c: fix an old cut-n-paste typo (via debian) - -2002-02-07 Johan Danielsson - - * telnet/telnet.c: print a more informative message than "done" - after negotiating encryption - -2001-09-17 Assar Westerlund - - * telnetd/telnetd.c: add a kludge to make it build on aix (that - defines NOERROR in both sys/stream.h and arpa/nameser.h and - considers that a fatal error) - - * telnet/telnet.c: undef PUTSHORT to avoid conflict - -2001-08-26 Assar Westerlund - - * telnetd/Makefile.am: also link with the library for logout - -2001-08-22 Assar Westerlund - - * telnetd/sys_term.c: include libutil.h if it exists - -2001-08-10 Assar Westerlund - 
- * telnetd/sys_term.c (getpty): call openpty if it exists - -2001-07-19 Assar Westerlund - - * telnetd/global.c (output_data): make sure of not forwarding - `nfrontp' too far, thereby allowing writes after the end of - `netobuf' - -2001-06-18 Assar Westerlund - - * libtelnet/kerberos5.c: update to new krb5_auth_con* names - -2001-04-25 Assar Westerlund - - * telnetd/sys_term.c (start_login): give the correct error if exec - fails - * telnetd/utility.c (fatalperror_errno): add a new function with - explicit errno parameter - -2001-03-07 Assar Westerlund - - * telnetd/sys_term.c: some minimal more amount of - const-correctness - -2001-02-24 Assar Westerlund - - * libtelnet/enc_des.c: learn to live with libcrypto (from openssl) - -2001-02-20 Assar Westerlund - - * telnet/commands.c (tn): copy the hostname so it doesn't get - overwritten while reading ~/.telnetrc - (*): removed some unneeded externs - -2001-02-08 Assar Westerlund - - * telnetd/sys_term.c (startslave, start_login): re-write code to - keep track both of remote hostname and utmp string to be used - * telnetd/telnetd.c (doit, my_telnet): re-write code to keep track - both of remote hostname and utmp string to be used - -2001-02-07 Assar Westerlund - - * telnet/Makefile.am, telnetd/Makefile.am: add LIB_kdfs - -2001-01-09 Assar Westerlund - - * libtelnet/kerberos5.c (kerberos5_is): use krb5_rd_cred2 instead - of krb5_rd_cred - -2000-12-31 Assar Westerlund - - * telnet/main.c (krb5_init): check krb5_init_context for success - * libtelnet/kerberos5.c (kerberos5_init): check krb5_init_context - for success - -2000-12-11 Assar Westerlund - - * telnet/commands.c (sourceroute): make it not break if the - rfc2292 api does not exist - -2000-12-09 Assar Westerlund - - * telnetd/sys_term.c (scrub_env): add supporting non-file TERMCAP - variables - -2000-12-07 Assar Westerlund - - * telnetd/telnetd.h: move include files around to avoid getting SE - from sys/*.h on HP to override SE from telnet.h - - * 
telnetd/sys_term.c (scrub_env): remove some const-ness - * telnetd/sys_term.c (scrub_env): add LOGNAME and POSIXLY_CORRECT - to the list of authorized environment variables to be compatible - with linux-telnetd - - * telnetd/sys_term.c (scrub_env): change filtering algoritm from - allowing everything except a few bad cases to not allowing - anything except a few non-dangerous cases - -2000-12-06 Johan Danielsson - - * libtelnet/kerberos5.c: de-pointerise auth_context parameter to - krb5_mk_rep - -2000-11-23 Johan Danielsson - - * libtelnet/kerberos5.c: print the principal we're trying to use - - * libtelnet/kerberos.c: print the principal we're trying to use - -2000-11-16 Assar Westerlund - - * libtelnet/misc-proto.h (telnet_getenv): const-ize some - -2000-11-08 Johan Danielsson - - * telnet/telnet.c: fake entry if no tgetent - -2000-10-08 Assar Westerlund - - * telnetd/utility.c (stilloob): check that fds are not too large - to select on - (ttloop): remove confusing output of errno - * telnetd/telnetd.c (my_telnet): check that fds are not too large - to select on - * telnet/utilities.c (EmptyTerminal): check that fds are not too - large to select on - * telnet/sys_bsd.c (process_rings): check that fds are not too - large to select on - * telnet/network.c (stilloob): check that fds are not too large to - select on - -2000-06-09 Assar Westerlund - - * telnet/commands.c: remove all setuid(getuid()). we do not - support telnet being setuid root - -2000-05-05 Assar Westerlund - - * telnet/externs.h (sourceroute): update prototype - * telnet/commands.c (tn): re-enable source routing - (sourceroute): make it work again based on the code from - itojun@kame.net - -2000-03-28 Assar Westerlund - - * telnet/commands.c (tn): clean-up a tiny little bit. give-up if - we do not manage to connect to any address - -2000-03-26 Assar Westerlund - - * telnetd/sys_term.c (*): make sure to always call time, ctime, - and gmtime with `time_t's. 
there were some types (like in - lastlog) that we believed to always be time_t. this has proven - wrong on Solaris 8 in 64-bit mode, where they are stored as 32-bit - quantities but time_t has gone up to 64 bits - -2000-03-03 Assar Westerlund - - * libtelnet/kerberos5.c (kerberos5_init): check that we do have a - keytab before saying that we will support KERBEROS5 - -2000-02-12 Assar Westerlund - - * telnet/commands.c (tn): only set tos for AF_INET. From - itojun@iijlab.net - -2000-02-07 Assar Westerlund - - * libtelnet/kerberos.c (kerberos4_is): send a reject back to the - client when we're not authorized - -2000-02-06 Assar Westerlund - - * telnet/ring.h (ring_encrypt): better proto - * telnet/ring.c (ring_encrypt): better proto - -2000-02-04 Assar Westerlund - - * telnet/telnet_locl.h: klduge-around KLUDGELINEMODE - -2000-01-18 Assar Westerlund - - * libtelnet/misc.c (auth_encrypt_user): const-ify - * libtelnet/misc.h (RemoteHostName, LocalHostName): const-ify - * libtelnet/misc.c (auth_encrypt_init, RemoteHostName, - LocalHostName): const-ify - * libtelnet/misc-proto.h (auth_encrypt_init, auth_encrypt_user): - const-ify - * libtelnet/encrypt.c (encrypt_init, Name): const-ify - * libtelnet/enc-proto.h (encrypt_init): const-ify - * libtelnet/auth.c (auth_init, Name): const-ify - * libtelnet/auth-proto.h (auth_init): const-ify - -2000-01-08 Assar Westerlund - - * telnet/commands.c (tn): handle ai_canonname being set in any of - the addresses returnedby getaddrinfo. glibc apparently returns - the reverse lookup of every address in ai_canonname. remove some - unused variables. - -2000-01-01 Assar Westerlund - - * telnetd/sys_term.c (addarg): make void (return value isn't check - anyway). 
fatal error when malloc fails - -1999-12-16 Assar Westerlund - - * telnet/commands.c (*): handle ai_canonname not being set - -1999-12-04 Assar Westerlund - - * telnetd/telnetd.c (doit): use getnameinfo_verified - * telnetd/telnetd.c: use getnameinfo - * telnet/commands.c: re-write to using getaddrinfo. disable - source-routing for the moment, it doesn't seem to be used anyways. - -1999-09-16 Assar Westerlund - - * telnet/commands.c: revert 1.54, get_default_username should DTRT - now - -1999-09-05 Assar Westerlund - - * telnetd/utility.c (ttloop): make it return 1 if interrupted by a - signal, which must have been what was meant from the beginning - - * telnetd/ext.h (ttloop): update prototype - - * telnetd/authenc.c (telnet_spin): actually return the value from - ttloop (otherwise it's kind of bogus) - -1999-08-05 Assar Westerlund - - * telnetd/sys_term.c (rmut): free utxp - -1999-08-04 Assar Westerlund - - * telnet/main.c: add -G and config file support. From Miroslav - Ruda - - * telnetd/sys_term.c (rmut): work around utmpx strangness. From - Miroslav Ruda - -1999-08-02 Assar Westerlund - - * telnetd/telnetd.c (doit): only free hp if != NULL. 
From: Jonas - Oberg - -1999-07-29 Assar Westerlund - - * telnetd/telnetd.c (doit): remove unused variable mapped_sin - -1999-07-26 Assar Westerlund - - * telnetd/ext.h: update prototypes - - * telnetd/telnetd.c: make it handle v4 and v6 sockets. (it - doesn't handle being given a v6 socket that's really talking to an - v4 adress (mapped) because the rest of the code in telnetd is not - able to handle it anyway). please run two telnetd from your - inetd, one for v4 and one for v6. - -1999-07-07 Assar Westerlund - - * telnet/commands.c (tn): extra bogus const-cast - -1999-07-06 Assar Westerlund - - * telnetd/sys_term.c (start_login): print a different warning with - `-a otp' - -1999-06-24 Assar Westerlund - - * libtelnet/kerberos5.c (kerberos5_send): set the addresses in the - auth_context - -1999-06-23 Assar Westerlund - - * telnet/Makefile.am (INCLUDES): add $(INCLUDE_krb4) - - * telnet/commands.c (togkrbdebug): conditionalize on - krb_disable_debug - -1999-06-16 Johan Danielsson - - * telnet/commands.c: add kerberos debugging option - -1999-06-15 Assar Westerlund - - * telnet/commands.c (tn): use get_default_username - -1999-05-14 Assar Westerlund - - * telnetd/state.c (telrcv): magic patch to make it work against - DOS Clarkson Telnet. From Miroslav Ruda - -1999-04-25 Assar Westerlund - - * libtelnet/kerberos5.c (kerberos5_send): use - `krb5_auth_setkeytype' instead of `krb5_auth_setenctype' to make - sure we get a DES session key. 
- -Thu Apr 1 16:59:27 1999 Johan Danielsson - - * telnetd/Makefile.am: don't run check-local - - * telnet/Makefile.am: don't run check-local - -Mon Mar 29 16:11:33 1999 Johan Danielsson - - * telnetd/sys_term.c: _CRAY -> HAVE_STRUCT_UTMP_UT_ID - -Sat Mar 20 00:12:54 1999 Assar Westerlund - - * telnet/authenc.c (telnet_gets): remove old extern declarations - -Thu Mar 18 11:20:16 1999 Johan Danielsson - - * telnetd/Makefile.am: include Makefile.am.common - - * telnet/Makefile.am: include Makefile.am.common - - * libtelnet/Makefile.am: include Makefile.am.common - - * Makefile.am: include Makefile.am.common - -Mon Mar 15 17:40:53 1999 Johan Danielsson - - * telnetd/telnetd.c: replace perror/exit with fatalperror - -Sat Mar 13 22:18:57 1999 Assar Westerlund - - * telnetd/telnetd.c (main): 0 -> STDIN_FILENO. remove abs - - * libtelnet/kerberos.c (kerberos4_is): syslog root logins - -Thu Mar 11 14:48:54 1999 Johan Danielsson - - * telnetd/Makefile.in: add WFLAGS - - * telnet/Makefile.in: add WFLAGS - - * libtelnet/Makefile.in: add WFLAGS - - * telnetd/sys_term.c: remove unused variables - - * telnet/telnet.c: fix some warnings - - * telnet/main.c: fix some warnings - - * telnet/commands.c: fix types in format string - - * libtelnet/auth.c: fix types in format string - -Mon Mar 1 10:50:30 1999 Johan Danielsson - - * telnetd/sys_term.c: HAVE_UT_* -> HAVE_STRUCT_UTMP*_UT_* - -Mon Feb 1 04:08:36 1999 Assar Westerlund - - * telnet/commands.c (tn): only call gethostbyname2 with AF_INET6 - if we actually have IPv6. From "Brandon S. 
Allbery KF8NH" - - -Sat Nov 21 16:51:00 1998 Johan Danielsson - - * telnetd/sys_term.c (cleanup): don't call vhangup() on sgi:s - -Fri Aug 14 16:29:18 1998 Johan Danielsson - - * libtelnet/kerberos.c: krb_put_int -> KRB_PUT_INT - -Thu Jul 23 20:29:05 1998 Johan Danielsson - - * libtelnet/kerberos5.c: use krb5_verify_authenticator_checksum - -Mon Jul 13 22:00:09 1998 Assar Westerlund - - * telnet/commands.c (tn): don't advance hostent->h_addr_list, use - a copy instead - -Wed May 27 04:19:17 1998 Assar Westerlund - - * telnet/sys_bsd.c (process_rings): correct call to `stilloob' - -Fri May 15 19:38:19 1998 Johan Danielsson - - * libtelnet/kerberos5.c: Always print errors from mk_req. - -Fri May 1 07:16:59 1998 Assar Westerlund - - * telnet/commands.c: unifdef -DHAVE_H_ERRNO - -Sat Apr 4 15:00:29 1998 Assar Westerlund - - * telnet/commands.c (tn): moved the printing of `trying...' to the - loop - -Thu Mar 12 02:33:48 1998 Assar Westerlund - - * telnet/telnet_locl.h: include . From Gregory S. Stark - - -Sat Feb 21 15:12:38 1998 Assar Westerlund - - * telnetd/ext.h: add prototype for login_tty - - * telnet/utilities.c (printsub): `direction' is now an int. - - * libtelnet/misc-proto.h: add prototype for `printsub' - -Tue Feb 17 02:45:01 1998 Assar Westerlund - - * libtelnet/kerberos.c (kerberos4_is): cred.pname should be - cred.pinst. From - -Sun Feb 15 02:46:39 1998 Assar Westerlund - - * telnet/*/*.c: renamed `telnet' to `my_telnet' to avoid - conflicts with system header files on mklinux. 
- -Tue Feb 10 02:09:03 1998 Assar Westerlund - - * telnetd/telnetd.c: new signature for `getterminaltype' and - `auth_wait' - - * libtelnet: changed the signature of the authentication method - `status' - -Sat Feb 7 07:21:29 1998 Assar Westerlund - - * */*.c: replace HAS_GETTOS by HAVE_PARSETOS and HAVE_GETTOSBYNAME - -Fri Dec 26 16:17:10 1997 Assar Westerlund - - * telnet/commands.c (tn): repair support for numeric addresses - -Sun Dec 21 09:40:31 1997 Assar Westerlund - - * libtelnet/kerberos.c: fix up lots of stuff related to the - forwarding of v4 tickets. - - * libtelnet/kerberos5.c (kerberos5_forward): zero out `creds'. - -Mon Dec 15 20:53:13 1997 Johan Danielsson - - * telnet/sys_bsd.c: Don't turn off OPOST in 8bit-mode. - -Tue Dec 9 19:26:50 1997 Assar Westerlund - - * telnet/main.c (main): add 'b' to getopt - -Sat Nov 29 03:28:54 1997 Johan Danielsson - - * telnet/telnet.c: Change binary mode to do just that, and add a - eight-bit mode for just passing all characters. - -Sun Nov 16 04:37:02 1997 Assar Westerlund - - * libtelnet/kerberos5.c (kerberos5_send): always ask for a session - key of type DES - - * libtelnet/kerberos5.c: remove old garbage and fix call to - krb5_auth_con_setaddrs_from_fd - -Fri Nov 14 20:35:18 1997 Johan Danielsson - - * telnetd/telnetd.c: Output contents of /etc/issue. - -Mon Nov 3 07:09:16 1997 Assar Westerlund - - * telnet/telnet_locl.h: only include iff - !defined(HAVE_TERMIOS_H) - - * libtelnet/kerberos.c (kerberos4_is): send the peer address to - krb_rd_req - - * telnetd/telnetd.c (terminaltypeok): always return OK. It used - to call `tgetent' to figure if it was a defined terminal type. - It's possible to overflow tgetent so that's a bad idea. The worst - that could happen by saying yes to all terminals is that the user - ends up with a terminal that has no definition on the local - system. And besides, most telnet client has no support for - falling back to a different terminal type. 
-
-Mon Oct 20 05:47:19 1997 Assar Westerlund
-
- * libtelnet/kerberos5.c: remove lots of old junk. clean-up.
- better error checking and reporting. tell the user permission
- denied much earlier.
-
- * libtelnet/kerberos.c (kerberos4_is): only print
- UserNameRequested if != NULL
-
diff --git a/crypto/heimdal-0.6.3/appl/telnet/Makefile.am b/crypto/heimdal-0.6.3/appl/telnet/Makefile.am
deleted file mode 100644
index eec013bae9..0000000000
--- a/crypto/heimdal-0.6.3/appl/telnet/Makefile.am
+++ /dev/null
@@ -1,11 +0,0 @@
-# $Id: Makefile.am,v 1.6 1999/03/20 13:58:15 joda Exp $
-
-include $(top_srcdir)/Makefile.am.common
-
-SUBDIRS = libtelnet telnet telnetd
-
-dist-hook:
- $(mkinstalldirs) $(distdir)/arpa
- $(INSTALL_DATA) $(srcdir)/arpa/telnet.h $(distdir)/arpa
-
-EXTRA_DIST = README.ORIG telnet.state
diff --git a/crypto/heimdal-0.6.3/appl/telnet/Makefile.in b/crypto/heimdal-0.6.3/appl/telnet/Makefile.in
deleted file mode 100644
index b7c6296e41..0000000000
--- a/crypto/heimdal-0.6.3/appl/telnet/Makefile.in
+++ /dev/null
@@ -1,781 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.6 1999/03/20 13:58:15 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../.. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ - $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common ChangeLog -subdir = appl/telnet -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - $(top_srcdir)/cf/krb-struct-spwd.m4 \ - 
$(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -depcomp = -am__depfiles_maybe = -SOURCES = -DIST_SOURCES = -RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \ - html-recursive info-recursive install-data-recursive \ - install-exec-recursive install-info-recursive \ - install-recursive installcheck-recursive installdirs-recursive \ - pdf-recursive ps-recursive uninstall-info-recursive \ - uninstall-recursive -ETAGS = etags -CTAGS = ctags -DIST_SUBDIRS = $(SUBDIRS) -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ 
-DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ 
-LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = 
@X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ 
-LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -SUBDIRS = libtelnet telnet telnetd -EXTRA_DIST = README.ORIG telnet.state -all: all-recursive - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps appl/telnet/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps appl/telnet/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' 
in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -# This directory's subdirectories are mostly independent; you can cd -# into them and run `make' without going through this Makefile. -# To change the values of `make' variables: instead of editing Makefiles, -# (1) if the variable is set in `config.status', edit `config.status' -# (which will cause the Makefiles to be regenerated when you run `make'); -# (2) otherwise, pass the desired values on the `make' command line. 
-$(RECURSIVE_TARGETS): - @set fnord $$MAKEFLAGS; amf=$$2; \ - dot_seen=no; \ - target=`echo $@ | sed s/-recursive//`; \ - list='$(SUBDIRS)'; for subdir in $$list; do \ - echo "Making $$target in $$subdir"; \ - if test "$$subdir" = "."; then \ - dot_seen=yes; \ - local_target="$$target-am"; \ - else \ - local_target="$$target"; \ - fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ - || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \ - done; \ - if test "$$dot_seen" = "no"; then \ - $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \ - fi; test -z "$$fail" - -mostlyclean-recursive clean-recursive distclean-recursive \ -maintainer-clean-recursive: - @set fnord $$MAKEFLAGS; amf=$$2; \ - dot_seen=no; \ - case "$@" in \ - distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \ - *) list='$(SUBDIRS)' ;; \ - esac; \ - rev=''; for subdir in $$list; do \ - if test "$$subdir" = "."; then :; else \ - rev="$$subdir $$rev"; \ - fi; \ - done; \ - rev="$$rev ."; \ - target=`echo $@ | sed s/-recursive//`; \ - for subdir in $$rev; do \ - echo "Making $$target in $$subdir"; \ - if test "$$subdir" = "."; then \ - local_target="$$target-am"; \ - else \ - local_target="$$target"; \ - fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ - || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \ - done && test -z "$$fail" -tags-recursive: - list='$(SUBDIRS)'; for subdir in $$list; do \ - test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \ - done -ctags-recursive: - list='$(SUBDIRS)'; for subdir in $$list; do \ - test "$$subdir" = . 
|| (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \ - done - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - if (etags --etags-include --version) >/dev/null 2>&1; then \ - include_option=--etags-include; \ - else \ - include_option=--include; \ - fi; \ - list='$(SUBDIRS)'; for subdir in $$list; do \ - if test "$$subdir" = .; then :; else \ - test -f $$subdir/TAGS && \ - tags="$$tags $$include_option=$$here/$$subdir/TAGS"; \ - fi; \ - done; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: ctags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/../.. 
$(distdir)/../../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - list='$(SUBDIRS)'; for subdir in $$list; do \ - if test "$$subdir" = .; then :; else \ - test -d "$(distdir)/$$subdir" \ - || mkdir "$(distdir)/$$subdir" \ - || exit 1; \ - (cd $$subdir && \ - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="../$(top_distdir)" \ - distdir="../$(distdir)/$$subdir" \ - distdir) \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-recursive -all-am: Makefile all-local -installdirs: installdirs-recursive -installdirs-am: -install: install-recursive -install-exec: install-exec-recursive -install-data: install-data-recursive -uninstall: uninstall-recursive - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-recursive -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo 
"INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-recursive - -clean-am: clean-generic clean-libtool mostlyclean-am - -distclean: distclean-recursive - -rm -f Makefile -distclean-am: clean-am distclean-generic distclean-libtool \ - distclean-tags - -dvi: dvi-recursive - -dvi-am: - -html: html-recursive - -info: info-recursive - -info-am: - -install-data-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-recursive - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-recursive - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-recursive - -mostlyclean-am: mostlyclean-generic mostlyclean-libtool - -pdf: pdf-recursive - -pdf-am: - -ps: ps-recursive - -ps-am: - -uninstall-am: uninstall-info-am - -uninstall-info: uninstall-info-recursive - -.PHONY: $(RECURSIVE_TARGETS) CTAGS GTAGS all all-am all-local check \ - check-am check-local clean clean-generic clean-libtool \ - clean-recursive ctags ctags-recursive distclean \ - distclean-generic distclean-libtool distclean-recursive \ - distclean-tags distdir dvi dvi-am html html-am info info-am \ - install install-am install-data install-data-am install-exec \ - install-exec-am install-info install-info-am install-man \ - install-strip installcheck installcheck-am installdirs \ - installdirs-am maintainer-clean maintainer-clean-generic \ - maintainer-clean-recursive mostlyclean mostlyclean-generic \ - mostlyclean-libtool mostlyclean-recursive pdf pdf-am ps ps-am \ - tags tags-recursive uninstall uninstall-am uninstall-info-am - - -install-suid-programs: - 
@foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - 
case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -dist-hook: - $(mkinstalldirs) $(distdir)/arpa - $(INSTALL_DATA) $(srcdir)/arpa/telnet.h $(distdir)/arpa -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal-0.6.3/appl/telnet/README.ORIG b/crypto/heimdal-0.6.3/appl/telnet/README.ORIG deleted file mode 100644 index 37b588fafd..0000000000 --- a/crypto/heimdal-0.6.3/appl/telnet/README.ORIG +++ /dev/null 
@@ -1,743 +0,0 @@ - -This is a distribution of both client and server telnet. These programs -have been compiled on: - telnet telnetd - 4.4 BSD-Lite x x - 4.3 BSD Reno X X - UNICOS 9.1 X X - UNICOS 9.0 X X - UNICOS 8.0 X X - BSDI 2.0 X X - Solaris 2.4 x x (no linemode in server) - SunOs 4.1.4 X X (no linemode in server) - Ultrix 4.3 X X (no linemode in server) - Ultrix 4.1 X X (no linemode in server) - -In addition, previous versions have been compiled on the following -machines, but were not available for testing this version. - telnet telnetd - Next1.0 X X - UNICOS 8.3 X X - UNICOS 7.C X X - UNICOS 7.0 X X - SunOs 4.0.3c X X (no linemode in server) - 4.3 BSD X X (no linemode in server) - DYNIX V3.0.12 X X (no linemode in server) - Ultrix 3.1 X X (no linemode in server) - Ultrix 4.0 X X (no linemode in server) - SunOs 3.5 X X (no linemode in server) - SunOs 4.1.3 X X (no linemode in server) - Solaris 2.2 x x (no linemode in server) - Solaris 2.3 x x (no linemode in server) - BSDI 1.0 X X - BSDI 1.1 X X - DYNIX V3.0.17.9 X X (no linemode in server) - HP-UX 8.0 x x (no linemode in server) - -This code should work, but there are no guarantees. - -May 30, 1995 - -This release represents what is on the 4.4BSD-Lite2 release, which -should be the final BSD release. I will continue to support of -telnet, The code (without encryption) is available via anonymous ftp -from ftp.cray.com, in src/telnet/telnet.YY.MM.DD.NE.tar.Z, where -YY.MM.DD is replaced with the year, month and day of the release. -If you can't find it at one of these places, at some point in the -near future information about the latest releases should be available -from ftp.borman.com. - -In addition, the version with the encryption code is available via -ftp from net-dist.mit.edu, in the directory /pub/telnet. There -is a README file there that gives further information on how -to get the distribution. 
- -Questions, comments, bug reports and bug fixes can be sent to -one of these addresses: - dab@borman.com - dab@cray.com - dab@bsdi.com - -This release is mainly bug fixes and code cleanup. - - Replace all calls to bcopy()/bzero() with calls to - memmove()/memset() and all calls to index()/rindex() - with calls to strchr()/strrchr(). - - Add some missing diagnostics for option tracing - to telnetd. - - Add support for BSDI 2.0 and Solaris 2.4. - - Add support for UNICOS 8.0 - - Get rid of expanded tabs and trailing white spaces. - - From Paul Vixie: - Fix for telnet going into an endless spin - when the session dies abnormally. - - From Jef Poskanzer: - Changes to allow telnet to compile - under SunOS 3.5. - - From Philip Guenther: - makeutx() doesn't expand utmpx, - use pututxline() instead. - - From Chris Torek: - Add a sleep(1) before execing login - to avoid race condition that can eat - up the login prompt. - Use terminal speed directly if it is - not an encoded value. - - From Steve Parker: - Fix to realloc() call. Fix for execing - login on solaris with no user name. - -January 19, 1994 - -This is a list of some of the changes since the last tar release -of telnet/telnetd. There are probably other changes that aren't -listed here, but this should hit a lot of the main ones. - - General: - Changed #define for AUTHENTICATE to AUTHENTICATION - Changed #define for ENCRYPT to ENCRYPTION - Changed #define for DES_ENCRYPT to DES_ENCRYPTION - - Added support for SPX authentication: -DSPX - - Added support for Kerberos Version 5 authentication: -DKRB5 - - Added support for ANSI C function prototypes - - Added support for the NEW-ENVIRON option (RFC-1572) - including support for USERVAR. - - Made support for the old Environment Option (RFC-1408) - conditional on -DOLD_ENVIRON - - Added #define ENV_HACK - support for RFC 1571 - - The encryption code is removed from the public distributions. - Domestic 4.4 BSD distributions contain the encryption code. 
- - ENV_HACK: Code to deal with systems that only implement - the old ENVIRON option, and have reversed definitions - of ENV_VAR and ENV_VAL. Also fixes ENV processing in - client to handle things besides just the default set... - - NO_BSD_SETJMP: UNICOS configuration for - UNICOS 6.1/6.0/5.1/5.0 systems. - - STREAMSPTY: Use /dev/ptmx to get a clean pty. This - is for SVr4 derivatives (Like Solaris) - - UTMPX: For systems that have /etc/utmpx. This is for - SVr4 derivatives (Like Solaris) - - Definitions for BSDI 1.0 - - Definitions for 4.3 Reno and 4.4 BSD. - - Definitions for UNICOS 8.0 and UNICOS 7.C - - Definitions for Solaris 2.0 - - Definitions for HP-UX 8.0 - - Latest Copyright notices from Berkeley. - - FLOW-CONTROL: support for RFC-XXXx - - - Client Specific: - - Fix the "send" command to not send garbage... - - Fix status message for "skiprc" - - Make sure to send NAWS after telnet has been suspended - or an external command has been run, if the window size - has changed. - - sysV88 support. - - Server Specific: - - Support flowcontrol option in non-linemode servers. - - -k Server supports Kludge Linemode, but will default to - either single character mode or real Linemode support. - The user will have to explicitly ask to switch into - kludge linemode. ("stty extproc", or escape back to - to telnet and say "mode line".) - - -u Specify the length of the hostname field in the utmp - file. Hostname longer than this length will be put - into the utmp file in dotted decimal notation, rather - than putting in a truncated hostname. - - -U Registered hosts only. If a reverse hostname lookup - fails, the connection will be refused. - - -f/-F - Allows forwarding of credentials for KRB5. - -Februrary 22, 1991: - - Features: - - This version of telnet/telnetd has support for both - the AUTHENTICATION and ENCRYPTION options. The - AUTHENTICATION option is fairly well defined, and - an option number has been assigned to it. 
The - ENCRYPTION option is still in a state of flux; an - option number has been assigned to, but it is still - subject to change. The code is provided in this release - for experimental and testing purposes. - - The telnet "send" command can now be used to send - do/dont/will/wont commands, with any telnet option - name. The rules for when do/dont/will/wont are sent - are still followed, so just because the user requests - that one of these be sent doesn't mean that it will - be sent... - - The telnet "getstatus" command no longer requires - that option printing be enabled to see the response - to the "DO STATUS" command. - - A -n flag has been added to telnetd to disable - keepalives. - - A new telnet command, "auth" has been added (if - AUTHENTICATE is defined). It has four sub-commands, - "status", "disable", "enable" and "help". - - A new telnet command, "encrypt" has been added (if - ENCRYPT is defined). It has many sub-commands: - "enable", "type", "start", "stop", "input", - "-input", "output", "-output", "status", and "help". - - The LOGOUT option is now supported by both telnet - and telnetd, a new command, "logout", was added - to support this. - - Several new toggle options were added: - "autoencrypt", "autodecrypt", "autologin", "authdebug", - "encdebug", "skiprc", "verbose_encrypt" - - An "rlogin" interface has been added. If the program - is named "rlogin", or the "-r" flag is given, then - an rlogin type of interface will be used. - ~. Terminates the session - ~ Suspend the session - ~^] Escape to telnet command mode - ~~ Pass through the ~. - BUG: If you type the rlogin escape character - in the middle of a line while in rlogin - mode, you cannot erase it or any characters - before it. Hopefully this can be fixed - in a future release... - - General changes: - - A "libtelnet.a" has now been created. This libraray - contains code that is common to both telnet and - telnetd. 
This is also where library routines that - are needed, but are not in the standard C library, - are placed. - - The makefiles have been re-done. All of the site - specific configuration information has now been put - into a single "Config.generic" file, in the top level - directory. Changing this one file will take care of - all three subdirectories. Also, to add a new/local - definition, a "Config.local" file may be created - at the top level; if that file exists, the subdirectories - will use that file instead of "Config.generic". - - Many 1-2 line functions in commands.c have been - removed, and just inserted in-line, or replaced - with a macro. - - Bug Fixes: - - The non-termio code in both telnet and telnetd was - setting/clearing CTLECH in the sg_flags word. This - was incorrect, and has been changed to set/clear the - LCTLECH bit in the local mode word. - - The SRCRT #define has been removed. If IP_OPTIONS - and IPPROTO_IP are defined on the system, then the - source route code is automatically enabled. - - The NO_GETTYTAB #define has been removed; there - is a compatability routine that can be built into - libtelnet to achive the same results. - - The server, telnetd, has been switched to use getopt() - for parsing the argument list. - - The code for getting the input/output speeds via - cfgetispeed()/cfgetospeed() was still not quite - right in telnet. Posix says if the ispeed is 0, - then it is really equal to the ospeed. - - The suboption processing code in telnet now has - explicit checks to make sure that we received - the entire suboption (telnetd was already doing this). - - The telnet code for processing the terminal type - could cause a core dump if an existing connection - was closed, and a new connection opened without - exiting telnet. 
- - Telnetd was doing a TCSADRAIN when setting the new - terminal settings; This is not good, because it means - that the tcsetattr() will hang waiting for output to - drain, and telnetd is the only one that will drain - the output... The fix is to use TCSANOW which does - not wait. - - Telnetd was improperly setting/clearing the ISTRIP - flag in the c_lflag field, it should be using the - c_iflag field. - - When the child process of telnetd was opening the - slave side of the pty, it was re-setting the EXTPROC - bit too early, and some of the other initialization - code was wiping it out. This would cause telnetd - to go out of linemode and into single character mode. - - One instance of leaving linemode in telnetd forgot - to send a WILL ECHO to the client, the net result - would be that the user would see double character - echo. - - If the MODE was being changed several times very - quickly, telnetd could get out of sync with the - state changes and the returning acks; and wind up - being left in the wrong state. - -September 14, 1990: - - Switch the client to use getopt() for parsing the - argument list. The 4.3Reno getopt.c is included for - systems that don't have getopt(). - - Use the posix _POSIX_VDISABLE value for what value - to use when disabling special characters. If this - is undefined, it defaults to 0x3ff. - - For non-termio systems, TIOCSETP was being used to - change the state of the terminal. This causes the - input queue to be flushed, which we don't want. This - is now changed to TIOCSETN. - - Take out the "#ifdef notdef" around the code in the - server that generates a "sync" when the pty oputput - is flushed. The potential problem is that some older - telnet clients may go into an infinate loop when they - receive a "sync", if so, the server can be compiled - with "NO_URGENT" defined. - - Fix the client where it was setting/clearing the OPOST - bit in the c_lflag field, not the c_oflag field. 
- - Fix the client where it was setting/clearing the ISTRIP - bit in the c_lflag field, not the c_iflag field. (On - 4.3Reno, this is the ECHOPRT bit in the c_lflag field.) - The client also had its interpretation of WILL BINARY - and DO BINARY reversed. - - Fix a bug in client that would cause a core dump when - attempting to remove the last environment variable. - - In the client, there were a few places were switch() - was being passed a character, and if it was a negative - value, it could get sign extended, and not match - the 8 bit case statements. The fix is to and the - switch value with 0xff. - - Add a couple more printoption() calls in the client, I - don't think there are any more places were a telnet - command can be received and not printed out when - "options" is on. - - A new flag has been added to the client, "-a". Currently, - this just causes the USER name to be sent across, in - the future this may be used to signify that automatic - authentication is requested. - - The USER variable is now only sent by the client if - the "-a" or "-l user" options are explicity used, or - if the user explicitly asks for the "USER" environment - variable to be exported. In the server, if it receives - the "USER" environment variable, it won't print out the - banner message, so that only "Password:" will be printed. - This makes the symantics more like rlogin, and should be - more familiar to the user. (People are not used to - getting a banner message, and then getting just a - "Password:" prompt.) - - Re-vamp the code for starting up the child login - process. The code was getting ugly, and it was - hard to tell what was really going on. What we - do now is after the fork(), in the child: - 1) make sure we have no controlling tty - 2) open and initialize the tty - 3) do a setsid()/setpgrp() - 4) makes the tty our controlling tty. - On some systems, #2 makes the tty our controlling - tty, and #4 is a no-op. 
The parent process does - a gets rid of any controlling tty after the child - is fork()ed. - - Use the strdup() library routine in telnet, instead - of the local savestr() routine. If you don't have - strdup(), you need to define NO_STRDUP. - - Add support for ^T (SIGINFO/VSTATUS), found in the - 4.3Reno distribution. This maps to the AYT character. - You need a 4-line bugfix in the kernel to get this - to work properly: - - > *** tty_pty.c.ORG Tue Sep 11 09:41:53 1990 - > --- tty_pty.c Tue Sep 11 17:48:03 1990 - > *************** - > *** 609,613 **** - > if ((tp->t_lflag&NOFLSH) == 0) - > ttyflush(tp, FREAD|FWRITE); - > ! pgsignal(tp->t_pgrp, *(unsigned int *)data); - > return(0); - > } - > --- 609,616 ---- - > if ((tp->t_lflag&NOFLSH) == 0) - > ttyflush(tp, FREAD|FWRITE); - > ! pgsignal(tp->t_pgrp, *(unsigned int *)data, 1); - > ! if ((*(unsigned int *)data == SIGINFO) && - > ! ((tp->t_lflag&NOKERNINFO) == 0)) - > ! ttyinfo(tp); - > return(0); - > } - - The client is now smarter when setting the telnet escape - character; it only sets it to one of VEOL and VEOL2 if - one of them is undefined, and the other one is not already - defined to the telnet escape character. - - Handle TERMIOS systems that have seperate input and output - line speed settings imbedded in the flags. - - Many other minor bug fixes. - -June 20, 1990: - Re-organize makefiles and source tree. The telnet/Source - directory is now gone, and all the source that was in - telnet/Source is now just in the telnet directory. - - Seperate makefile for each system are now gone. There - are two makefiles, Makefile and Makefile.generic. - The "Makefile" has the definitions for the various - system, and "Makefile.generic" does all the work. - There is a variable called "WHAT" that is used to - specify what to make. For example, in the telnet - directory, you might say: - make 4.4bsd WHAT=clean - to clean out the directory. - - Add support for the ENVIRON and XDISPLOC options. 
- In order for the server to work, login has to have - the "-p" option to preserve environment variables. - - Add the SOFT_TAB and LIT_ECHO modes in the LINEMODE support. - - Add the "-l user" option to command line and open command - (This is passed through the ENVIRON option). - - Add the "-e" command line option, for setting the escape - character. - - Add the "-D", diagnostic, option to the server. This allows - the server to print out debug information, which is very - useful when trying to debug a telnet that doesn't have any - debugging ability. - - Turn off the literal next character when not in LINEMODE. - - Don't recognize ^Y locally, just pass it through. - - Make minor modifications for Sun4.0 and Sun4.1 - - Add support for both FORW1 and FORW2 characters. The - telnet escpape character is set to whichever of the - two is not being used. If both are in use, the escape - character is not set, so when in linemode the user will - have to follow the escape character with a or - -libtelnet/Makefile.4.4: -telnet/Makefile.4.4: -telnetd/Makefile.4.4: - These are the makefiles that can be used on a 4.3Reno - system when this software is installed in /usr/src/lib/libtelnet, - /usr/src/libexec/telnetd, and /usr/src/usr.bin/telnet. - - -The following TELNET options are supported: - - LINEMODE: - The LINEMODE option is supported as per RFC1116. The - FORWARDMASK option is not currently supported. - - BINARY: The client has the ability to turn on/off the BINARY - option in each direction. Turning on BINARY from - server to client causes the LITOUT bit to get set in - the terminal driver on both ends, turning on BINARY - from the client to the server causes the PASS8 bit - to get set in the terminal driver on both ends. - - TERMINAL-TYPE: - This is supported as per RFC1091. On the server side, - when a terminal type is received, termcap/terminfo - is consulted to determine if it is a known terminal - type. 
It keeps requesting terminal types until it - gets one that it recongnizes, or hits the end of the - list. The server side looks up the entry in the - termcap/terminfo data base, and generates a list of - names which it then passes one at a time to each - request for a terminal type, duplicating the last - entry in the list before cycling back to the beginning. - - NAWS: The Negotiate about Window Size, as per RFC 1073. - - TERMINAL-SPEED: - Implemented as per RFC 1079 - - TOGGLE-FLOW-CONTROL: - Implemented as per RFC 1080 - - TIMING-MARK: - As per RFC 860 - - SGA: As per RFC 858 - - ECHO: As per RFC 857 - - LOGOUT: As per RFC 727 - - STATUS: - The server will send its current status upon - request. It does not ask for the clients status. - The client will request the servers current status - from the "send getstatus" command. - - ENVIRON: - This option is currently being defined by the IETF - Telnet Working Group, and an RFC has not yet been - issued, but should be in the near future... - - X-DISPLAY-LOCATION: - This functionality can be done through the ENVIRON - option, it is added here for completeness. - - AUTHENTICATION: - This option is currently being defined by the IETF - Telnet Working Group, and an RFC has not yet been - issued. The basic framework is pretty much decided, - but the definitions for the specific authentication - schemes is still in a state of flux. - - ENCRYPTION: - This option is currently being defined by the IETF - Telnet Working Group, and an RFC has not yet been - issued. The draft RFC is still in a state of flux, - so this code may change in the future. diff --git a/crypto/heimdal-0.6.3/appl/telnet/arpa/telnet.h b/crypto/heimdal-0.6.3/appl/telnet/arpa/telnet.h deleted file mode 100644 index 5d9ef60016..0000000000 --- a/crypto/heimdal-0.6.3/appl/telnet/arpa/telnet.h +++ /dev/null 
@@ -1,323 +0,0 @@
-/*
- * Copyright (c) 1983, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * @(#)telnet.h 8.2 (Berkeley) 12/15/93
- */
-
-#ifndef _TELNET_H_
-#define _TELNET_H_
-
-/*
- * Definitions for the TELNET protocol.
- */ -#define IAC 255 /* interpret as command: */ -#define DONT 254 /* you are not to use option */ -#define DO 253 /* please, you use option */ -#define WONT 252 /* I won't use option */ -#define WILL 251 /* I will use option */ -#define SB 250 /* interpret as subnegotiation */ -#define GA 249 /* you may reverse the line */ -#define EL 248 /* erase the current line */ -#define EC 247 /* erase the current character */ -#define AYT 246 /* are you there */ -#define AO 245 /* abort output--but let prog finish */ -#define IP 244 /* interrupt process--permanently */ -#define BREAK 243 /* break */ -#define DM 242 /* data mark--for connect. cleaning */ -#define NOP 241 /* nop */ -#define SE 240 /* end sub negotiation */ -#define EOR 239 /* end of record (transparent mode) */ -#define ABORT 238 /* Abort process */ -#define SUSP 237 /* Suspend process */ -#define xEOF 236 /* End of file: EOF is already used... */ - -#define SYNCH 242 /* for telfunc calls */ - -#ifdef TELCMDS -char *telcmds[] = { - "EOF", "SUSP", "ABORT", "EOR", - "SE", "NOP", "DMARK", "BRK", "IP", "AO", "AYT", "EC", - "EL", "GA", "SB", "WILL", "WONT", "DO", "DONT", "IAC", 0, -}; -#else -extern char *telcmds[]; -#endif - -#define TELCMD_FIRST xEOF -#define TELCMD_LAST IAC -#define TELCMD_OK(x) ((unsigned int)(x) <= TELCMD_LAST && \ - (unsigned int)(x) >= TELCMD_FIRST) -#define TELCMD(x) telcmds[(x)-TELCMD_FIRST] - -/* telnet options */ -#define TELOPT_BINARY 0 /* 8-bit data path */ -#define TELOPT_ECHO 1 /* echo */ -#define TELOPT_RCP 2 /* prepare to reconnect */ -#define TELOPT_SGA 3 /* suppress go ahead */ -#define TELOPT_NAMS 4 /* approximate message size */ -#define TELOPT_STATUS 5 /* give status */ -#define TELOPT_TM 6 /* timing mark */ -#define TELOPT_RCTE 7 /* remote controlled transmission and echo */ -#define TELOPT_NAOL 8 /* negotiate about output line width */ -#define TELOPT_NAOP 9 /* negotiate about output page size */ -#define TELOPT_NAOCRD 10 /* negotiate about CR disposition */ -#define 
TELOPT_NAOHTS 11 /* negotiate about horizontal tabstops */ -#define TELOPT_NAOHTD 12 /* negotiate about horizontal tab disposition */ -#define TELOPT_NAOFFD 13 /* negotiate about formfeed disposition */ -#define TELOPT_NAOVTS 14 /* negotiate about vertical tab stops */ -#define TELOPT_NAOVTD 15 /* negotiate about vertical tab disposition */ -#define TELOPT_NAOLFD 16 /* negotiate about output LF disposition */ -#define TELOPT_XASCII 17 /* extended ascic character set */ -#define TELOPT_LOGOUT 18 /* force logout */ -#define TELOPT_BM 19 /* byte macro */ -#define TELOPT_DET 20 /* data entry terminal */ -#define TELOPT_SUPDUP 21 /* supdup protocol */ -#define TELOPT_SUPDUPOUTPUT 22 /* supdup output */ -#define TELOPT_SNDLOC 23 /* send location */ -#define TELOPT_TTYPE 24 /* terminal type */ -#define TELOPT_EOR 25 /* end or record */ -#define TELOPT_TUID 26 /* TACACS user identification */ -#define TELOPT_OUTMRK 27 /* output marking */ -#define TELOPT_TTYLOC 28 /* terminal location number */ -#define TELOPT_3270REGIME 29 /* 3270 regime */ -#define TELOPT_X3PAD 30 /* X.3 PAD */ -#define TELOPT_NAWS 31 /* window size */ -#define TELOPT_TSPEED 32 /* terminal speed */ -#define TELOPT_LFLOW 33 /* remote flow control */ -#define TELOPT_LINEMODE 34 /* Linemode option */ -#define TELOPT_XDISPLOC 35 /* X Display Location */ -#define TELOPT_OLD_ENVIRON 36 /* Old - Environment variables */ -#define TELOPT_AUTHENTICATION 37/* Authenticate */ -#define TELOPT_ENCRYPT 38 /* Encryption option */ -#define TELOPT_NEW_ENVIRON 39 /* New - Environment variables */ -#define TELOPT_EXOPL 255 /* extended-options-list */ - - -#define NTELOPTS (1+TELOPT_NEW_ENVIRON) -#ifdef TELOPTS -char *telopts[NTELOPTS+1] = { - "BINARY", "ECHO", "RCP", "SUPPRESS GO AHEAD", "NAME", - "STATUS", "TIMING MARK", "RCTE", "NAOL", "NAOP", - "NAOCRD", "NAOHTS", "NAOHTD", "NAOFFD", "NAOVTS", - "NAOVTD", "NAOLFD", "EXTEND ASCII", "LOGOUT", "BYTE MACRO", - "DATA ENTRY TERMINAL", "SUPDUP", "SUPDUP OUTPUT", - "SEND 
LOCATION", "TERMINAL TYPE", "END OF RECORD", - "TACACS UID", "OUTPUT MARKING", "TTYLOC", - "3270 REGIME", "X.3 PAD", "NAWS", "TSPEED", "LFLOW", - "LINEMODE", "XDISPLOC", "OLD-ENVIRON", "AUTHENTICATION", - "ENCRYPT", "NEW-ENVIRON", - 0, -}; -#define TELOPT_FIRST TELOPT_BINARY -#define TELOPT_LAST TELOPT_NEW_ENVIRON -#define TELOPT_OK(x) ((unsigned int)(x) <= TELOPT_LAST) -#define TELOPT(x) telopts[(x)-TELOPT_FIRST] -#endif - -/* sub-option qualifiers */ -#define TELQUAL_IS 0 /* option is... */ -#define TELQUAL_SEND 1 /* send option */ -#define TELQUAL_INFO 2 /* ENVIRON: informational version of IS */ -#define TELQUAL_REPLY 2 /* AUTHENTICATION: client version of IS */ -#define TELQUAL_NAME 3 /* AUTHENTICATION: client version of IS */ - -#define LFLOW_OFF 0 /* Disable remote flow control */ -#define LFLOW_ON 1 /* Enable remote flow control */ -#define LFLOW_RESTART_ANY 2 /* Restart output on any char */ -#define LFLOW_RESTART_XON 3 /* Restart output only on XON */ - -/* - * LINEMODE suboptions - */ - -#define LM_MODE 1 -#define LM_FORWARDMASK 2 -#define LM_SLC 3 - -#define MODE_EDIT 0x01 -#define MODE_TRAPSIG 0x02 -#define MODE_ACK 0x04 -#define MODE_SOFT_TAB 0x08 -#define MODE_LIT_ECHO 0x10 - -#define MODE_MASK 0x1f - -/* Not part of protocol, but needed to simplify things... */ -#define MODE_FLOW 0x0100 -#define MODE_ECHO 0x0200 -#define MODE_INBIN 0x0400 -#define MODE_OUTBIN 0x0800 -#define MODE_FORCE 0x1000 - -#define SLC_SYNCH 1 -#define SLC_BRK 2 -#define SLC_IP 3 -#define SLC_AO 4 -#define SLC_AYT 5 -#define SLC_EOR 6 -#define SLC_ABORT 7 -#define SLC_EOF 8 -#define SLC_SUSP 9 -#define SLC_EC 10 -#define SLC_EL 11 -#define SLC_EW 12 -#define SLC_RP 13 -#define SLC_LNEXT 14 -#define SLC_XON 15 -#define SLC_XOFF 16 -#define SLC_FORW1 17 -#define SLC_FORW2 18 - -#define NSLC 18 - -/* - * For backwards compatability, we define SLC_NAMES to be the - * list of names if SLC_NAMES is not defined. 
- */ -#define SLC_NAMELIST "0", "SYNCH", "BRK", "IP", "AO", "AYT", "EOR", \ - "ABORT", "EOF", "SUSP", "EC", "EL", "EW", "RP", \ - "LNEXT", "XON", "XOFF", "FORW1", "FORW2", 0, -#ifdef SLC_NAMES -char *slc_names[] = { - SLC_NAMELIST -}; -#else -extern char *slc_names[]; -#define SLC_NAMES SLC_NAMELIST -#endif - -#define SLC_NAME_OK(x) ((unsigned int)(x) <= NSLC) -#define SLC_NAME(x) slc_names[x] - -#define SLC_NOSUPPORT 0 -#define SLC_CANTCHANGE 1 -#define SLC_VARIABLE 2 -#define SLC_DEFAULT 3 -#define SLC_LEVELBITS 0x03 - -#define SLC_FUNC 0 -#define SLC_FLAGS 1 -#define SLC_VALUE 2 - -#define SLC_ACK 0x80 -#define SLC_FLUSHIN 0x40 -#define SLC_FLUSHOUT 0x20 - -#define OLD_ENV_VAR 1 -#define OLD_ENV_VALUE 0 -#define NEW_ENV_VAR 0 -#define NEW_ENV_VALUE 1 -#define ENV_ESC 2 -#define ENV_USERVAR 3 - -/* - * AUTHENTICATION suboptions - */ - -/* - * Who is authenticating who ... - */ -#define AUTH_WHO_CLIENT 0 /* Client authenticating server */ -#define AUTH_WHO_SERVER 1 /* Server authenticating client */ -#define AUTH_WHO_MASK 1 - -/* - * amount of authentication done - */ -#define AUTH_HOW_ONE_WAY 0 -#define AUTH_HOW_MUTUAL 2 -#define AUTH_HOW_MASK 2 - -#define AUTHTYPE_NULL 0 -#define AUTHTYPE_KERBEROS_V4 1 -#define AUTHTYPE_KERBEROS_V5 2 -#define AUTHTYPE_SPX 3 -#define AUTHTYPE_MINK 4 -#define AUTHTYPE_SRA 5 -#define AUTHTYPE_CNT 6 -/* #define AUTHTYPE_UNSECURE 6 */ - -#define AUTHTYPE_TEST 99 - -#ifdef AUTH_NAMES -char *authtype_names[] = { - "NULL", "KERBEROS_V4", "KERBEROS_V5", "SPX", "MINK", - "SRA", 0, -}; -#else -extern char *authtype_names[]; -#endif - -#define AUTHTYPE_NAME_OK(x) ((unsigned int)(x) < AUTHTYPE_CNT) -#define AUTHTYPE_NAME(x) authtype_names[x] - -/* - * ENCRYPTion suboptions - */ -#define ENCRYPT_IS 0 /* I pick encryption type ... */ -#define ENCRYPT_SUPPORT 1 /* I support encryption types ... 
*/ -#define ENCRYPT_REPLY 2 /* Initial setup response */ -#define ENCRYPT_START 3 /* Am starting to send encrypted */ -#define ENCRYPT_END 4 /* Am ending encrypted */ -#define ENCRYPT_REQSTART 5 /* Request you start encrypting */ -#define ENCRYPT_REQEND 6 /* Request you send encrypting */ -#define ENCRYPT_ENC_KEYID 7 -#define ENCRYPT_DEC_KEYID 8 -#define ENCRYPT_CNT 9 - -#define ENCTYPE_ANY 0 -#define ENCTYPE_DES_CFB64 1 -#define ENCTYPE_DES_OFB64 2 -#define ENCTYPE_CNT 3 - -#ifdef ENCRYPT_NAMES -char *encrypt_names[] = { - "IS", "SUPPORT", "REPLY", "START", "END", - "REQUEST-START", "REQUEST-END", "ENC-KEYID", "DEC-KEYID", - 0, -}; -char *enctype_names[] = { - "ANY", "DES_CFB64", "DES_OFB64", 0, -}; -#else -extern char *encrypt_names[]; -extern char *enctype_names[]; -#endif - - -#define ENCRYPT_NAME_OK(x) ((unsigned int)(x) < ENCRYPT_CNT) -#define ENCRYPT_NAME(x) encrypt_names[x] - -#define ENCTYPE_NAME_OK(x) ((unsigned int)(x) < ENCTYPE_CNT) -#define ENCTYPE_NAME(x) enctype_names[x] - -#endif /* !_TELNET_H_ */ diff --git a/crypto/heimdal-0.6.3/appl/telnet/libtelnet/Makefile.am b/crypto/heimdal-0.6.3/appl/telnet/libtelnet/Makefile.am deleted file mode 100644 index 2c30c2c002..0000000000 --- a/crypto/heimdal-0.6.3/appl/telnet/libtelnet/Makefile.am +++ /dev/null @@ -1,24 +0,0 @@ -# $Id: Makefile.am,v 1.9 2001/08/28 08:31:23 assar Exp $ - -include $(top_srcdir)/Makefile.am.common - -INCLUDES += -I$(srcdir)/.. $(INCLUDE_krb4) $(INCLUDE_des) - -noinst_LIBRARIES = libtelnet.a - -libtelnet_a_SOURCES = \ - auth-proto.h \ - auth.c \ - auth.h \ - enc-proto.h \ - enc_des.c \ - encrypt.c \ - encrypt.h \ - genget.c \ - kerberos.c \ - kerberos5.c \ - misc-proto.h \ - misc.c \ - misc.h - -EXTRA_DIST = krb4encpwd.c rsaencpwd.c spx.c diff --git a/crypto/heimdal-0.6.3/appl/telnet/libtelnet/Makefile.in b/crypto/heimdal-0.6.3/appl/telnet/libtelnet/Makefile.in deleted file mode 100644 index e133fde7ef..0000000000 
--- a/crypto/heimdal-0.6.3/appl/telnet/libtelnet/Makefile.in
+++ /dev/null
@@ -1,742 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.9 2001/08/28 08:31:23 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - -SOURCES = $(libtelnet_a_SOURCES) - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../../.. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ - $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common -subdir = appl/telnet/libtelnet -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - $(top_srcdir)/cf/krb-struct-spwd.m4 \ - 
$(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -ARFLAGS = cru -LIBRARIES = $(noinst_LIBRARIES) -libtelnet_a_AR = $(AR) $(ARFLAGS) -libtelnet_a_LIBADD = -am_libtelnet_a_OBJECTS = auth.$(OBJEXT) enc_des.$(OBJEXT) \ - encrypt.$(OBJEXT) genget.$(OBJEXT) kerberos.$(OBJEXT) \ - kerberos5.$(OBJEXT) misc.$(OBJEXT) -libtelnet_a_OBJECTS = $(am_libtelnet_a_OBJECTS) -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -SOURCES = $(libtelnet_a_SOURCES) -DIST_SOURCES = $(libtelnet_a_SOURCES) -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ 
-HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ 
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ 
-dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -I$(srcdir)/.. 
$(INCLUDE_krb4) $(INCLUDE_des) -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -noinst_LIBRARIES = libtelnet.a -libtelnet_a_SOURCES = \ - auth-proto.h \ - auth.c \ - auth.h \ - enc-proto.h \ - enc_des.c \ - encrypt.c \ - encrypt.h \ - genget.c \ - kerberos.c \ - kerberos5.c \ - misc-proto.h \ - misc.c \ - misc.h - -EXTRA_DIST = krb4encpwd.c rsaencpwd.c spx.c -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps appl/telnet/libtelnet/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps appl/telnet/libtelnet/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' 
in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -clean-noinstLIBRARIES: - -test -z "$(noinst_LIBRARIES)" || rm -f $(noinst_LIBRARIES) -libtelnet.a: $(libtelnet_a_OBJECTS) $(libtelnet_a_DEPENDENCIES) - -rm -f libtelnet.a - $(libtelnet_a_AR) libtelnet.a $(libtelnet_a_OBJECTS) $(libtelnet_a_LIBADD) - $(RANLIB) libtelnet.a - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c $< - -.c.obj: - $(COMPILE) -c `$(CYGPATH_W) '$<'` - -.c.lo: - $(LTCOMPILE) -c -o $@ $< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z 
"$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/../../.. $(distdir)/../../../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(LIBRARIES) all-local 
-installdirs: -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-generic clean-libtool clean-noinstLIBRARIES \ - mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-info-am - -.PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \ - clean clean-generic clean-libtool clean-noinstLIBRARIES ctags \ - distclean distclean-compile distclean-generic \ - distclean-libtool distclean-tags distdir dvi dvi-am html \ - html-am info info-am install install-am install-data \ - install-data-am install-exec install-exec-am install-info \ - install-info-am install-man 
install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags uninstall uninstall-am uninstall-info-am - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; 
done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal-0.6.3/appl/telnet/libtelnet/auth-proto.h b/crypto/heimdal-0.6.3/appl/telnet/libtelnet/auth-proto.h deleted file mode 100644 index 89f1fbc5e7..0000000000 --- a/crypto/heimdal-0.6.3/appl/telnet/libtelnet/auth-proto.h +++ /dev/null 
@@ -1,124 +0,0 @@ -/*- - * Copyright (c) 1991, 1993 - * The Regents of the University of California. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- * - * @(#)auth-proto.h 8.1 (Berkeley) 6/4/93 - */ - -/* - * Copyright (C) 1990 by the Massachusetts Institute of Technology - * - * Export of this software from the United States of America is assumed - * to require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. 
- */ - -/* $Id: auth-proto.h,v 1.11 2002/08/28 20:56:14 joda Exp $ */ - -#ifdef AUTHENTICATION -Authenticator *findauthenticator (int, int); - -int auth_wait (char *, size_t); -void auth_disable_name (char *); -void auth_finished (Authenticator *, int); -void auth_gen_printsub (unsigned char *, int, unsigned char *, int); -void auth_init (const char *, int); -void auth_is (unsigned char *, int); -void auth_name(unsigned char*, int); -void auth_reply (unsigned char *, int); -void auth_request (void); -void auth_send (unsigned char *, int); -void auth_send_retry (void); -void auth_printsub(unsigned char*, int, unsigned char*, int); -int getauthmask(char *type, int *maskp); -int auth_enable(char *type); -int auth_disable(char *type); -int auth_onoff(char *type, int on); -int auth_togdebug(int on); -int auth_status(void); -int auth_sendname(unsigned char *cp, int len); -void auth_debug(int mode); -void auth_gen_printsub(unsigned char *data, int cnt, - unsigned char *buf, int buflen); - -#ifdef UNSAFE -int unsafe_init (Authenticator *, int); -int unsafe_send (Authenticator *); -void unsafe_is (Authenticator *, unsigned char *, int); -void unsafe_reply (Authenticator *, unsigned char *, int); -int unsafe_status (Authenticator *, char *, int); -void unsafe_printsub (unsigned char *, int, unsigned char *, int); -#endif - -#ifdef SRA -int sra_init (Authenticator *, int); -int sra_send (Authenticator *); -void sra_is (Authenticator *, unsigned char *, int); -void sra_reply (Authenticator *, unsigned char *, int); -int sra_status (Authenticator *, char *, int); -void sra_printsub (unsigned char *, int, unsigned char *, int); -#endif - -#ifdef KRB4 -int kerberos4_init (Authenticator *, int); -int kerberos4_send_mutual (Authenticator *); -int kerberos4_send_oneway (Authenticator *); -void kerberos4_is (Authenticator *, unsigned char *, int); -void kerberos4_reply (Authenticator *, unsigned char *, int); -int kerberos4_status (Authenticator *, char *, size_t, int); -void 
kerberos4_printsub (unsigned char *, int, unsigned char *, int); -int kerberos4_forward(Authenticator *ap, void *); -#endif - -#ifdef KRB5 -int kerberos5_init (Authenticator *, int); -int kerberos5_send_mutual (Authenticator *); -int kerberos5_send_oneway (Authenticator *); -void kerberos5_is (Authenticator *, unsigned char *, int); -void kerberos5_reply (Authenticator *, unsigned char *, int); -int kerberos5_status (Authenticator *, char *, size_t, int); -void kerberos5_printsub (unsigned char *, int, unsigned char *, int); -int kerberos5_set_forward(int); -int kerberos5_set_forwardable(int); -#endif -#endif diff --git a/crypto/heimdal-0.6.3/appl/telnet/libtelnet/auth.c b/crypto/heimdal-0.6.3/appl/telnet/libtelnet/auth.c deleted file mode 100644 index cbb7a78cf4..0000000000 --- a/crypto/heimdal-0.6.3/appl/telnet/libtelnet/auth.c +++ /dev/null 
@@ -1,660 +0,0 @@ -/*- - * Copyright (c) 1991, 1993 - * The Regents of the University of California. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -/* - * Copyright (C) 1990 by the Massachusetts Institute of Technology - * - * Export of this software from the United States of America is assumed - * to require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. 
- */ - -#include - -RCSID("$Id: auth.c,v 1.25 2002/01/18 12:58:48 joda Exp $"); - -#if defined(AUTHENTICATION) -#include -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#include -#define AUTH_NAMES -#ifdef HAVE_ARPA_TELNET_H -#include -#endif -#include -#include - -#include - -#ifdef SOCKS -#include -#endif - -#include "encrypt.h" -#include "auth.h" -#include "misc-proto.h" -#include "auth-proto.h" - -#define typemask(x) (1<<((x)-1)) - -#ifdef KRB4_ENCPWD -extern krb4encpwd_init(); -extern krb4encpwd_send(); -extern krb4encpwd_is(); -extern krb4encpwd_reply(); -extern krb4encpwd_status(); -extern krb4encpwd_printsub(); -#endif - -#ifdef RSA_ENCPWD -extern rsaencpwd_init(); -extern rsaencpwd_send(); -extern rsaencpwd_is(); -extern rsaencpwd_reply(); -extern rsaencpwd_status(); -extern rsaencpwd_printsub(); -#endif - -int auth_debug_mode = 0; -int auth_has_failed = 0; -int auth_enable_encrypt = 0; -static const char *Name = "Noname"; -static int Server = 0; -static Authenticator *authenticated = 0; -static int authenticating = 0; -static int validuser = 0; -static unsigned char _auth_send_data[256]; -static unsigned char *auth_send_data; -static int auth_send_cnt = 0; - -/* - * Authentication types supported. Plese note that these are stored - * in priority order, i.e. try the first one first. 
- */ -Authenticator authenticators[] = { -#ifdef UNSAFE - { AUTHTYPE_UNSAFE, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY, - unsafe_init, - unsafe_send, - unsafe_is, - unsafe_reply, - unsafe_status, - unsafe_printsub }, -#endif -#ifdef SRA - { AUTHTYPE_SRA, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY, - sra_init, - sra_send, - sra_is, - sra_reply, - sra_status, - sra_printsub }, -#endif -#ifdef SPX - { AUTHTYPE_SPX, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL, - spx_init, - spx_send, - spx_is, - spx_reply, - spx_status, - spx_printsub }, - { AUTHTYPE_SPX, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY, - spx_init, - spx_send, - spx_is, - spx_reply, - spx_status, - spx_printsub }, -#endif -#ifdef KRB5 - { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL, - kerberos5_init, - kerberos5_send_mutual, - kerberos5_is, - kerberos5_reply, - kerberos5_status, - kerberos5_printsub }, - { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY, - kerberos5_init, - kerberos5_send_oneway, - kerberos5_is, - kerberos5_reply, - kerberos5_status, - kerberos5_printsub }, -#endif -#ifdef KRB4 - { AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL, - kerberos4_init, - kerberos4_send_mutual, - kerberos4_is, - kerberos4_reply, - kerberos4_status, - kerberos4_printsub }, - { AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY, - kerberos4_init, - kerberos4_send_oneway, - kerberos4_is, - kerberos4_reply, - kerberos4_status, - kerberos4_printsub }, -#endif -#ifdef KRB4_ENCPWD - { AUTHTYPE_KRB4_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL, - krb4encpwd_init, - krb4encpwd_send, - krb4encpwd_is, - krb4encpwd_reply, - krb4encpwd_status, - krb4encpwd_printsub }, -#endif -#ifdef RSA_ENCPWD - { AUTHTYPE_RSA_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY, - rsaencpwd_init, - rsaencpwd_send, - rsaencpwd_is, - rsaencpwd_reply, - rsaencpwd_status, - rsaencpwd_printsub }, -#endif - { 0, }, -}; - -static Authenticator NoAuth = { 0 }; - -static int i_support = 0; -static int i_wont_support = 0; - -Authenticator * -findauthenticator(int type, int way) -{ 
- Authenticator *ap = authenticators; - - while (ap->type && (ap->type != type || ap->way != way)) - ++ap; - return(ap->type ? ap : 0); -} - -void -auth_init(const char *name, int server) -{ - Authenticator *ap = authenticators; - - Server = server; - Name = name; - - i_support = 0; - authenticated = 0; - authenticating = 0; - while (ap->type) { - if (!ap->init || (*ap->init)(ap, server)) { - i_support |= typemask(ap->type); - if (auth_debug_mode) - printf(">>>%s: I support auth type %d %d\r\n", - Name, - ap->type, ap->way); - } - else if (auth_debug_mode) - printf(">>>%s: Init failed: auth type %d %d\r\n", - Name, ap->type, ap->way); - ++ap; - } -} - -void -auth_disable_name(char *name) -{ - int x; - for (x = 0; x < AUTHTYPE_CNT; ++x) { - if (!strcasecmp(name, AUTHTYPE_NAME(x))) { - i_wont_support |= typemask(x); - break; - } - } -} - -int -getauthmask(char *type, int *maskp) -{ - int x; - - if (!strcasecmp(type, AUTHTYPE_NAME(0))) { - *maskp = -1; - return(1); - } - - for (x = 1; x < AUTHTYPE_CNT; ++x) { - if (!strcasecmp(type, AUTHTYPE_NAME(x))) { - *maskp = typemask(x); - return(1); - } - } - return(0); -} - -int -auth_enable(char *type) -{ - return(auth_onoff(type, 1)); -} - -int -auth_disable(char *type) -{ - return(auth_onoff(type, 0)); -} - -int -auth_onoff(char *type, int on) -{ - int i, mask = -1; - Authenticator *ap; - - if (!strcasecmp(type, "?") || !strcasecmp(type, "help")) { - printf("auth %s 'type'\n", on ? 
"enable" : "disable"); - printf("Where 'type' is one of:\n"); - printf("\t%s\n", AUTHTYPE_NAME(0)); - mask = 0; - for (ap = authenticators; ap->type; ap++) { - if ((mask & (i = typemask(ap->type))) != 0) - continue; - mask |= i; - printf("\t%s\n", AUTHTYPE_NAME(ap->type)); - } - return(0); - } - - if (!getauthmask(type, &mask)) { - printf("%s: invalid authentication type\n", type); - return(0); - } - if (on) - i_wont_support &= ~mask; - else - i_wont_support |= mask; - return(1); -} - -int -auth_togdebug(int on) -{ - if (on < 0) - auth_debug_mode ^= 1; - else - auth_debug_mode = on; - printf("auth debugging %s\n", auth_debug_mode ? "enabled" : "disabled"); - return(1); -} - -int -auth_status(void) -{ - Authenticator *ap; - int i, mask; - - if (i_wont_support == -1) - printf("Authentication disabled\n"); - else - printf("Authentication enabled\n"); - - mask = 0; - for (ap = authenticators; ap->type; ap++) { - if ((mask & (i = typemask(ap->type))) != 0) - continue; - mask |= i; - printf("%s: %s\n", AUTHTYPE_NAME(ap->type), - (i_wont_support & typemask(ap->type)) ? - "disabled" : "enabled"); - } - return(1); -} - -/* - * This routine is called by the server to start authentication - * negotiation. - */ -void -auth_request(void) -{ - static unsigned char str_request[64] = { IAC, SB, - TELOPT_AUTHENTICATION, - TELQUAL_SEND, }; - Authenticator *ap = authenticators; - unsigned char *e = str_request + 4; - - if (!authenticating) { - authenticating = 1; - while (ap->type) { - if (i_support & ~i_wont_support & typemask(ap->type)) { - if (auth_debug_mode) { - printf(">>>%s: Sending type %d %d\r\n", - Name, ap->type, ap->way); - } - *e++ = ap->type; - *e++ = ap->way; - } - ++ap; - } - *e++ = IAC; - *e++ = SE; - telnet_net_write(str_request, e - str_request); - printsub('>', &str_request[2], e - str_request - 2); - } -} - -/* - * This is called when an AUTH SEND is received. - * It should never arrive on the server side (as only the server can - * send an AUTH SEND). 
- * You should probably respond to it if you can... - * - * If you want to respond to the types out of order (i.e. even - * if he sends LOGIN KERBEROS and you support both, you respond - * with KERBEROS instead of LOGIN (which is against what the - * protocol says)) you will have to hack this code... - */ -void -auth_send(unsigned char *data, int cnt) -{ - Authenticator *ap; - static unsigned char str_none[] = { IAC, SB, TELOPT_AUTHENTICATION, - TELQUAL_IS, AUTHTYPE_NULL, 0, - IAC, SE }; - if (Server) { - if (auth_debug_mode) { - printf(">>>%s: auth_send called!\r\n", Name); - } - return; - } - - if (auth_debug_mode) { - printf(">>>%s: auth_send got:", Name); - printd(data, cnt); printf("\r\n"); - } - - /* - * Save the data, if it is new, so that we can continue looking - * at it if the authorization we try doesn't work - */ - if (data < _auth_send_data || - data > _auth_send_data + sizeof(_auth_send_data)) { - auth_send_cnt = cnt > sizeof(_auth_send_data) - ? sizeof(_auth_send_data) - : cnt; - memmove(_auth_send_data, data, auth_send_cnt); - auth_send_data = _auth_send_data; - } else { - /* - * This is probably a no-op, but we just make sure - */ - auth_send_data = data; - auth_send_cnt = cnt; - } - while ((auth_send_cnt -= 2) >= 0) { - if (auth_debug_mode) - printf(">>>%s: He supports %d\r\n", - Name, *auth_send_data); - if ((i_support & ~i_wont_support) & typemask(*auth_send_data)) { - ap = findauthenticator(auth_send_data[0], - auth_send_data[1]); - if (ap && ap->send) { - if (auth_debug_mode) - printf(">>>%s: Trying %d %d\r\n", - Name, auth_send_data[0], - auth_send_data[1]); - if ((*ap->send)(ap)) { - /* - * Okay, we found one we like - * and did it. - * we can go home now. - */ - if (auth_debug_mode) - printf(">>>%s: Using type %d\r\n", - Name, *auth_send_data); - auth_send_data += 2; - return; - } - } - /* else - * just continue on and look for the - * next one if we didn't do anything. 
- */ - } - auth_send_data += 2; - } - telnet_net_write(str_none, sizeof(str_none)); - printsub('>', &str_none[2], sizeof(str_none) - 2); - if (auth_debug_mode) - printf(">>>%s: Sent failure message\r\n", Name); - auth_finished(0, AUTH_REJECT); - auth_has_failed = 1; -#ifdef KANNAN - /* - * We requested strong authentication, however no mechanisms worked. - * Therefore, exit on client end. - */ - printf("Unable to securely authenticate user ... exit\n"); - exit(0); -#endif /* KANNAN */ -} - -void -auth_send_retry(void) -{ - /* - * if auth_send_cnt <= 0 then auth_send will end up rejecting - * the authentication and informing the other side of this. - */ - auth_send(auth_send_data, auth_send_cnt); -} - -void -auth_is(unsigned char *data, int cnt) -{ - Authenticator *ap; - - if (cnt < 2) - return; - - if (data[0] == AUTHTYPE_NULL) { - auth_finished(0, AUTH_REJECT); - return; - } - - if ((ap = findauthenticator(data[0], data[1]))) { - if (ap->is) - (*ap->is)(ap, data+2, cnt-2); - } else if (auth_debug_mode) - printf(">>>%s: Invalid authentication in IS: %d\r\n", - Name, *data); -} - -void -auth_reply(unsigned char *data, int cnt) -{ - Authenticator *ap; - - if (cnt < 2) - return; - - if ((ap = findauthenticator(data[0], data[1]))) { - if (ap->reply) - (*ap->reply)(ap, data+2, cnt-2); - } else if (auth_debug_mode) - printf(">>>%s: Invalid authentication in SEND: %d\r\n", - Name, *data); -} - -void -auth_name(unsigned char *data, int cnt) -{ - char savename[256]; - - if (cnt < 1) { - if (auth_debug_mode) - printf(">>>%s: Empty name in NAME\r\n", Name); - return; - } - if (cnt > sizeof(savename) - 1) { - if (auth_debug_mode) - printf(">>>%s: Name in NAME (%d) exceeds %lu length\r\n", - Name, cnt, (unsigned long)(sizeof(savename)-1)); - return; - } - memmove(savename, data, cnt); - savename[cnt] = '\0'; /* Null terminate */ - if (auth_debug_mode) - printf(">>>%s: Got NAME [%s]\r\n", Name, savename); - auth_encrypt_user(savename); -} - -int -auth_sendname(unsigned char *cp, 
int len) -{ - static unsigned char str_request[256+6] - = { IAC, SB, TELOPT_AUTHENTICATION, TELQUAL_NAME, }; - unsigned char *e = str_request + 4; - unsigned char *ee = &str_request[sizeof(str_request)-2]; - - while (--len >= 0) { - if ((*e++ = *cp++) == IAC) - *e++ = IAC; - if (e >= ee) - return(0); - } - *e++ = IAC; - *e++ = SE; - telnet_net_write(str_request, e - str_request); - printsub('>', &str_request[2], e - &str_request[2]); - return(1); -} - -void -auth_finished(Authenticator *ap, int result) -{ - if (!(authenticated = ap)) - authenticated = &NoAuth; - validuser = result; -} - -/* ARGSUSED */ -static void -auth_intr(int sig) -{ - auth_finished(0, AUTH_REJECT); -} - -int -auth_wait(char *name, size_t name_sz) -{ - if (auth_debug_mode) - printf(">>>%s: in auth_wait.\r\n", Name); - - if (Server && !authenticating) - return(0); - - signal(SIGALRM, auth_intr); - alarm(30); - while (!authenticated) - if (telnet_spin()) - break; - alarm(0); - signal(SIGALRM, SIG_DFL); - - /* - * Now check to see if the user is valid or not - */ - if (!authenticated || authenticated == &NoAuth) - return(AUTH_REJECT); - - if (validuser == AUTH_VALID) - validuser = AUTH_USER; - - if (authenticated->status) - validuser = (*authenticated->status)(authenticated, - name, name_sz, - validuser); - return(validuser); -} - -void -auth_debug(int mode) -{ - auth_debug_mode = mode; -} - -void -auth_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen) -{ - Authenticator *ap; - - if ((ap = findauthenticator(data[1], data[2])) && ap->printsub) - (*ap->printsub)(data, cnt, buf, buflen); - else - auth_gen_printsub(data, cnt, buf, buflen); -} - -void -auth_gen_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen) -{ - unsigned char *cp; - unsigned char tbuf[16]; - - cnt -= 3; - data += 3; - buf[buflen-1] = '\0'; - buf[buflen-2] = '*'; - buflen -= 2; - for (; cnt > 0; cnt--, data++) { - snprintf((char*)tbuf, sizeof(tbuf), " %d", *data); - for (cp = tbuf; *cp && 
buflen > 0; --buflen) - *buf++ = *cp++; - if (buflen <= 0) - return; - } - *buf = '\0'; -} -#endif diff --git a/crypto/heimdal-0.6.3/appl/telnet/libtelnet/auth.h b/crypto/heimdal-0.6.3/appl/telnet/libtelnet/auth.h deleted file mode 100644 index 83dd701c0a..0000000000 --- a/crypto/heimdal-0.6.3/appl/telnet/libtelnet/auth.h +++ /dev/null 
@@ -1,81 +0,0 @@
-/*-
- * Copyright (c) 1991, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * @(#)auth.h 8.1 (Berkeley) 6/4/93
- */
-
-/*
- * Copyright (C) 1990 by the Massachusetts Institute of Technology
- *
- * Export of this software from the United States of America is assumed
- * to require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-/* $Id: auth.h,v 1.4 1998/06/09 19:24:41 joda Exp $ */
-
-#ifndef __AUTH__
-#define __AUTH__
-
-#define AUTH_REJECT 0 /* Rejected */
-#define AUTH_UNKNOWN 1 /* We don't know who he is, but he's okay */
-#define AUTH_OTHER 2 /* We know him, but not his name */
-#define AUTH_USER 3 /* We know he name */
-#define AUTH_VALID 4 /* We know him, and he needs no password */
-
-typedef struct XauthP {
- int type;
- int way;
- int (*init) (struct XauthP *, int);
- int (*send) (struct XauthP *);
- void (*is) (struct XauthP *, unsigned char *, int);
- void (*reply) (struct XauthP *, unsigned char *, int);
- int (*status) (struct XauthP *, char *, size_t, int);
- void (*printsub) (unsigned char *, int, unsigned char *, int);
-} Authenticator;
-
-#include "auth-proto.h"
-
-extern int auth_debug_mode;
-#endif
diff --git a/crypto/heimdal-0.6.3/appl/telnet/libtelnet/enc-proto.h b/crypto/heimdal-0.6.3/appl/telnet/libtelnet/enc-proto.h deleted file mode 100644 index 3078848a93..0000000000 --- a/crypto/heimdal-0.6.3/appl/telnet/libtelnet/enc-proto.h +++ /dev/null 
@@ -1,133 +0,0 @@ -/*- - * Copyright (c) 1991, 1993 - * The Regents of the University of California. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- * - * @(#)enc-proto.h 8.1 (Berkeley) 6/4/93 - * - * @(#)enc-proto.h 5.2 (Berkeley) 3/22/91 - */ - -/* - * Copyright (C) 1990 by the Massachusetts Institute of Technology - * - * Export of this software from the United States of America is assumed - * to require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. 
- */ - -/* $Id: enc-proto.h,v 1.11 2002/01/18 12:58:49 joda Exp $ */ - -#if defined(ENCRYPTION) -Encryptions *findencryption (int); -Encryptions *finddecryption(int); -int EncryptAutoDec(int); -int EncryptAutoEnc(int); -int EncryptDebug(int); -int EncryptDisable(char*, char*); -int EncryptEnable(char*, char*); -int EncryptStart(char*); -int EncryptStartInput(void); -int EncryptStartOutput(void); -int EncryptStatus(void); -int EncryptStop(char*); -int EncryptStopInput(void); -int EncryptStopOutput(void); -int EncryptType(char*, char*); -int EncryptVerbose(int); -void decrypt_auto(int); -void encrypt_auto(int); -void encrypt_debug(int); -void encrypt_dec_keyid(unsigned char*, int); -void encrypt_display(void); -void encrypt_enc_keyid(unsigned char*, int); -void encrypt_end(void); -void encrypt_gen_printsub(unsigned char*, int, unsigned char*, int); -void encrypt_init(const char*, int); -void encrypt_is(unsigned char*, int); -void encrypt_list_types(void); -void encrypt_not(void); -void encrypt_printsub(unsigned char*, int, unsigned char*, int); -void encrypt_reply(unsigned char*, int); -void encrypt_request_end(void); -void encrypt_request_start(unsigned char*, int); -void encrypt_send_end(void); -void encrypt_send_keyid(int, unsigned char*, int, int); -void encrypt_send_request_end(void); -int encrypt_is_encrypting(void); -void encrypt_send_request_start(void); -void encrypt_send_support(void); -void encrypt_session_key(Session_Key*, int); -void encrypt_start(unsigned char*, int); -void encrypt_start_output(int); -void encrypt_support(unsigned char*, int); -void encrypt_verbose_quiet(int); -void encrypt_wait(void); -int encrypt_delay(void); - -#ifdef TELENTD -void encrypt_wait (void); -#else -void encrypt_display (void); -#endif - -void cfb64_encrypt (unsigned char *, int); -int cfb64_decrypt (int); -void cfb64_init (int); -int cfb64_start (int, int); -int cfb64_is (unsigned char *, int); -int cfb64_reply (unsigned char *, int); -void cfb64_session (Session_Key *, 
int); -int cfb64_keyid (int, unsigned char *, int *); -void cfb64_printsub (unsigned char *, int, unsigned char *, int); - -void ofb64_encrypt (unsigned char *, int); -int ofb64_decrypt (int); -void ofb64_init (int); -int ofb64_start (int, int); -int ofb64_is (unsigned char *, int); -int ofb64_reply (unsigned char *, int); -void ofb64_session (Session_Key *, int); -int ofb64_keyid (int, unsigned char *, int *); -void ofb64_printsub (unsigned char *, int, unsigned char *, int); - -#endif diff --git a/crypto/heimdal-0.6.3/appl/telnet/libtelnet/enc_des.c b/crypto/heimdal-0.6.3/appl/telnet/libtelnet/enc_des.c deleted file mode 100644 index 537d22fbba..0000000000 --- a/crypto/heimdal-0.6.3/appl/telnet/libtelnet/enc_des.c +++ /dev/null 
@@ -1,673 +0,0 @@
-/*-
- * Copyright (c) 1991, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include
-
-RCSID("$Id: enc_des.c,v 1.21 2002/09/10 20:03:47 joda Exp $");
-
-#if defined(AUTHENTICATION) && defined(ENCRYPTION) && defined(DES_ENCRYPTION)
-#include
-#include
-#ifdef __STDC__
-#include
-#include
-#endif
-#include
-#ifdef SOCKS
-#include
-#endif
-
-#include "encrypt.h"
-#include "misc-proto.h"
-
-#include "crypto-headers.h"
-
-extern int encrypt_debug_mode;
-
-#define CFB 0
-#define OFB 1
-
-#define NO_SEND_IV 1
-#define NO_RECV_IV 2
-#define NO_KEYID 4
-#define IN_PROGRESS (NO_SEND_IV|NO_RECV_IV|NO_KEYID)
-#define SUCCESS 0
-#define FAILED -1
-
-
-struct stinfo {
- des_cblock str_output;
- des_cblock str_feed;
- des_cblock str_iv;
- des_cblock str_ikey;
- des_key_schedule str_sched;
- int str_index;
- int str_flagshift;
-};
-
-struct fb {
- des_cblock krbdes_key;
- des_key_schedule krbdes_sched;
- des_cblock temp_feed;
- unsigned char fb_feed[64];
- int need_start;
- int state[2];
- int keyid[2];
- int once;
- struct stinfo streams[2];
-};
-
-static struct fb fb[2];
-
-struct keyidlist {
- char *keyid;
- int keyidlen;
- char *key;
- int keylen;
- int flags;
-} keyidlist [] = {
- { "\0", 1, 0, 0, 0 }, /* default key of zero */
- { 0, 0, 0, 0, 0 }
-};
-
-#define KEYFLAG_MASK 03
-
-#define KEYFLAG_NOINIT 00
-#define KEYFLAG_INIT 01
-#define KEYFLAG_OK 02
-#define KEYFLAG_BAD 03
-
-#define KEYFLAG_SHIFT 2
-
-#define SHIFT_VAL(a,b) (KEYFLAG_SHIFT*((a)+((b)*2)))
-
-#define FB64_IV 1
-#define FB64_IV_OK 2
-#define FB64_IV_BAD 3
-
-
-void fb64_stream_iv (des_cblock, struct stinfo *);
-void fb64_init (struct fb *);
-static int fb64_start (struct fb *, int, int);
-int fb64_is (unsigned char *, int, struct fb *);
-int fb64_reply (unsigned char *, int, struct fb *);
-static void fb64_session (Session_Key *, int, struct fb *);
-void fb64_stream_key (des_cblock, struct stinfo *);
-int fb64_keyid (int, unsigned char *, int *, struct fb *);
-void fb64_printsub(unsigned char *, int ,
- unsigned char *, int , char *);
-
-void cfb64_init(int server)
-{
- fb64_init(&fb[CFB]);
- fb[CFB].fb_feed[4] = ENCTYPE_DES_CFB64;
- fb[CFB].streams[0].str_flagshift = SHIFT_VAL(0, CFB);
- fb[CFB].streams[1].str_flagshift = SHIFT_VAL(1, CFB);
-}
-
-
-void ofb64_init(int server)
-{
- fb64_init(&fb[OFB]);
- fb[OFB].fb_feed[4] = ENCTYPE_DES_OFB64;
- fb[CFB].streams[0].str_flagshift = SHIFT_VAL(0, OFB);
- fb[CFB].streams[1].str_flagshift = SHIFT_VAL(1, OFB);
-}
-
-void fb64_init(struct fb *fbp)
-{
- memset(fbp,0, sizeof(*fbp));
- fbp->state[0] = fbp->state[1] = FAILED;
- fbp->fb_feed[0] = IAC;
- fbp->fb_feed[1] = SB;
- fbp->fb_feed[2] = TELOPT_ENCRYPT;
- fbp->fb_feed[3] = ENCRYPT_IS;
-}
-
-/*
- * Returns:
- * -1: some error. Negotiation is done, encryption not ready.
- * 0: Successful, initial negotiation all done.
- * 1: successful, negotiation not done yet.
- * 2: Not yet. Other things (like getting the key from
- * Kerberos) have to happen before we can continue.
- */
-int cfb64_start(int dir, int server)
-{
- return(fb64_start(&fb[CFB], dir, server));
-}
-
-int ofb64_start(int dir, int server)
-{
- return(fb64_start(&fb[OFB], dir, server));
-}
-
-static int fb64_start(struct fb *fbp, int dir, int server)
-{
- int x;
- unsigned char *p;
- int state;
-
- switch (dir) {
- case DIR_DECRYPT:
- /*
- * This is simply a request to have the other side
- * start output (our input). He will negotiate an
- * IV so we need not look for it.
- */
- state = fbp->state[dir-1];
- if (state == FAILED)
- state = IN_PROGRESS;
- break;
-
- case DIR_ENCRYPT:
- state = fbp->state[dir-1];
- if (state == FAILED)
- state = IN_PROGRESS;
- else if ((state & NO_SEND_IV) == 0) {
- break;
- }
-
- if (!VALIDKEY(fbp->krbdes_key)) {
- fbp->need_start = 1;
- break;
- }
-
- state &= ~NO_SEND_IV;
- state |= NO_RECV_IV;
- if (encrypt_debug_mode)
- printf("Creating new feed\r\n");
- /*
- * Create a random feed and send it over.
- */
-#ifndef OLD_DES_RANDOM_KEY
- des_new_random_key(&fbp->temp_feed);
-#else
- /*
- * From des_cryp.man "If the des_check_key flag is non-zero,
- * des_set_key will check that the key passed is
- * of odd parity and is not a week or semi-weak key."
- */
- do {
- des_random_key(fbp->temp_feed);
- des_set_odd_parity(fbp->temp_feed);
- } while (des_is_weak_key(fbp->temp_feed));
-#endif
- des_ecb_encrypt(&fbp->temp_feed,
- &fbp->temp_feed,
- fbp->krbdes_sched, 1);
- p = fbp->fb_feed + 3;
- *p++ = ENCRYPT_IS;
- p++;
- *p++ = FB64_IV;
- for (x = 0; x < sizeof(des_cblock); ++x) {
- if ((*p++ = fbp->temp_feed[x]) == IAC)
- *p++ = IAC;
- }
- *p++ = IAC;
- *p++ = SE;
- printsub('>', &fbp->fb_feed[2], p - &fbp->fb_feed[2]);
- telnet_net_write(fbp->fb_feed, p - fbp->fb_feed);
- break;
- default:
- return(FAILED);
- }
- return(fbp->state[dir-1] = state);
-}
-
-/*
- * Returns:
- * -1: some error. Negotiation is done, encryption not ready.
- * 0: Successful, initial negotiation all done.
- * 1: successful, negotiation not done yet.
- */
-
-int cfb64_is(unsigned char *data, int cnt)
-{
- return(fb64_is(data, cnt, &fb[CFB]));
-}
-
-int ofb64_is(unsigned char *data, int cnt)
-{
- return(fb64_is(data, cnt, &fb[OFB]));
-}
-
-
-int fb64_is(unsigned char *data, int cnt, struct fb *fbp)
-{
- unsigned char *p;
- int state = fbp->state[DIR_DECRYPT-1];
-
- if (cnt-- < 1)
- goto failure;
-
- switch (*data++) {
- case FB64_IV:
- if (cnt != sizeof(des_cblock)) {
- if (encrypt_debug_mode)
- printf("CFB64: initial vector failed on size\r\n");
- state = FAILED;
- goto failure;
- }
-
- if (encrypt_debug_mode)
- printf("CFB64: initial vector received\r\n");
-
- if (encrypt_debug_mode)
- printf("Initializing Decrypt stream\r\n");
-
- fb64_stream_iv(data, &fbp->streams[DIR_DECRYPT-1]);
-
- p = fbp->fb_feed + 3;
- *p++ = ENCRYPT_REPLY;
- p++;
- *p++ = FB64_IV_OK;
- *p++ = IAC;
- *p++ = SE;
- printsub('>', &fbp->fb_feed[2], p - &fbp->fb_feed[2]);
- telnet_net_write(fbp->fb_feed, p - fbp->fb_feed);
-
- state = fbp->state[DIR_DECRYPT-1] = IN_PROGRESS;
- break;
-
- default:
- if (encrypt_debug_mode) {
- printf("Unknown option type: %d\r\n", *(data-1));
- printd(data, cnt);
- printf("\r\n");
- }
- /* FALL THROUGH */
- failure:
- /*
- * We failed. Send an FB64_IV_BAD option
- * to the other side so it will know that
- * things failed.
- */
- p = fbp->fb_feed + 3;
- *p++ = ENCRYPT_REPLY;
- p++;
- *p++ = FB64_IV_BAD;
- *p++ = IAC;
- *p++ = SE;
- printsub('>', &fbp->fb_feed[2], p - &fbp->fb_feed[2]);
- telnet_net_write(fbp->fb_feed, p - fbp->fb_feed);
-
- break;
- }
- return(fbp->state[DIR_DECRYPT-1] = state);
-}
-
-/*
- * Returns:
- * -1: some error. Negotiation is done, encryption not ready.
- * 0: Successful, initial negotiation all done.
- * 1: successful, negotiation not done yet.
- */
-
-int cfb64_reply(unsigned char *data, int cnt)
-{
- return(fb64_reply(data, cnt, &fb[CFB]));
-}
-
-int ofb64_reply(unsigned char *data, int cnt)
-{
- return(fb64_reply(data, cnt, &fb[OFB]));
-}
-
-
-int fb64_reply(unsigned char *data, int cnt, struct fb *fbp)
-{
- int state = fbp->state[DIR_ENCRYPT-1];
-
- if (cnt-- < 1)
- goto failure;
-
- switch (*data++) {
- case FB64_IV_OK:
- fb64_stream_iv(fbp->temp_feed, &fbp->streams[DIR_ENCRYPT-1]);
- if (state == FAILED)
- state = IN_PROGRESS;
- state &= ~NO_RECV_IV;
- encrypt_send_keyid(DIR_ENCRYPT, (unsigned char *)"\0", 1, 1);
- break;
-
- case FB64_IV_BAD:
- memset(fbp->temp_feed, 0, sizeof(des_cblock));
- fb64_stream_iv(fbp->temp_feed, &fbp->streams[DIR_ENCRYPT-1]);
- state = FAILED;
- break;
-
- default:
- if (encrypt_debug_mode) {
- printf("Unknown option type: %d\r\n", data[-1]);
- printd(data, cnt);
- printf("\r\n");
- }
- /* FALL THROUGH */
- failure:
- state = FAILED;
- break;
- }
- return(fbp->state[DIR_ENCRYPT-1] = state);
-}
-
-void cfb64_session(Session_Key *key, int server)
-{
- fb64_session(key, server, &fb[CFB]);
-}
-
-void ofb64_session(Session_Key *key, int server)
-{
- fb64_session(key, server, &fb[OFB]);
-}
-
-static void fb64_session(Session_Key *key, int server, struct fb *fbp)
-{
-
- if (!key || key->type != SK_DES) {
- if (encrypt_debug_mode)
- printf("Can't set krbdes's session key (%d != %d)\r\n",
- key ? key->type : -1, SK_DES);
- return;
- }
- memcpy(fbp->krbdes_key, key->data, sizeof(des_cblock));
-
- fb64_stream_key(fbp->krbdes_key, &fbp->streams[DIR_ENCRYPT-1]);
- fb64_stream_key(fbp->krbdes_key, &fbp->streams[DIR_DECRYPT-1]);
-
- if (fbp->once == 0) {
-#if !defined(OLD_DES_RANDOM_KEY) && !defined(HAVE_OPENSSL)
- des_init_random_number_generator(&fbp->krbdes_key);
-#endif
- fbp->once = 1;
- }
- des_key_sched(&fbp->krbdes_key, fbp->krbdes_sched);
- /*
- * Now look to see if krbdes_start() was was waiting for
- * the key to show up. If so, go ahead an call it now
- * that we have the key.
- */
- if (fbp->need_start) {
- fbp->need_start = 0;
- fb64_start(fbp, DIR_ENCRYPT, server);
- }
-}
-
-/*
- * We only accept a keyid of 0. If we get a keyid of
- * 0, then mark the state as SUCCESS.
- */
-
-int cfb64_keyid(int dir, unsigned char *kp, int *lenp)
-{
- return(fb64_keyid(dir, kp, lenp, &fb[CFB]));
-}
-
-int ofb64_keyid(int dir, unsigned char *kp, int *lenp)
-{
- return(fb64_keyid(dir, kp, lenp, &fb[OFB]));
-}
-
-int fb64_keyid(int dir, unsigned char *kp, int *lenp, struct fb *fbp)
-{
- int state = fbp->state[dir-1];
-
- if (*lenp != 1 || (*kp != '\0')) {
- *lenp = 0;
- return(state);
- }
-
- if (state == FAILED)
- state = IN_PROGRESS;
-
- state &= ~NO_KEYID;
-
- return(fbp->state[dir-1] = state);
-}
-
-void fb64_printsub(unsigned char *data, int cnt,
- unsigned char *buf, int buflen, char *type)
-{
- char lbuf[32];
- int i;
- char *cp;
-
- buf[buflen-1] = '\0'; /* make sure it's NULL terminated */
- buflen -= 1;
-
- switch(data[2]) {
- case FB64_IV:
- snprintf(lbuf, sizeof(lbuf), "%s_IV", type);
- cp = lbuf;
- goto common;
-
- case FB64_IV_OK:
- snprintf(lbuf, sizeof(lbuf), "%s_IV_OK", type);
- cp = lbuf;
- goto common;
-
- case FB64_IV_BAD:
- snprintf(lbuf, sizeof(lbuf), "%s_IV_BAD", type);
- cp = lbuf;
- goto common;
-
- default:
- snprintf(lbuf, sizeof(lbuf), " %d (unknown)", data[2]);
- cp = lbuf;
- common:
- for (; (buflen > 0) && (*buf = *cp++); buf++)
- buflen--;
- for (i = 3; i < cnt; i++) {
- snprintf(lbuf, sizeof(lbuf), " %d", data[i]);
- for (cp = lbuf; (buflen > 0) && (*buf = *cp++); buf++)
- buflen--;
- }
- break;
- }
-}
-
-void cfb64_printsub(unsigned char *data, int cnt,
- unsigned char *buf, int buflen)
-{
- fb64_printsub(data, cnt, buf, buflen, "CFB64");
-}
-
-void ofb64_printsub(unsigned char *data, int cnt,
- unsigned char *buf, int buflen)
-{
- fb64_printsub(data, cnt, buf, buflen, "OFB64");
-}
-
-void fb64_stream_iv(des_cblock seed, struct stinfo *stp)
-{
-
- memcpy(stp->str_iv, seed,sizeof(des_cblock));
- memcpy(stp->str_output, seed, sizeof(des_cblock));
-
- des_key_sched(&stp->str_ikey, stp->str_sched);
-
- stp->str_index = sizeof(des_cblock);
-}
-
-void fb64_stream_key(des_cblock key, struct stinfo *stp)
-{
- memcpy(stp->str_ikey, key, sizeof(des_cblock));
- des_key_sched((des_cblock*)key, stp->str_sched);
-
- memcpy(stp->str_output, stp->str_iv, sizeof(des_cblock));
-
- stp->str_index = sizeof(des_cblock);
-}
-
-/*
- * DES 64 bit Cipher Feedback
- *
- * key --->+-----+
- * +->| DES |--+
- * | +-----+ |
- * | v
- * INPUT --(--------->(+)+---> DATA
- * | |
- * +-------------+
- *
- *
- * Given:
- * iV: Initial vector, 64 bits (8 bytes) long.
- * Dn: the nth chunk of 64 bits (8 bytes) of data to encrypt (decrypt).
- * On: the nth chunk of 64 bits (8 bytes) of encrypted (decrypted) output.
- *
- * V0 = DES(iV, key)
- * On = Dn ^ Vn
- * V(n+1) = DES(On, key)
- */
-
-void cfb64_encrypt(unsigned char *s, int c)
-{
- struct stinfo *stp = &fb[CFB].streams[DIR_ENCRYPT-1];
- int index;
-
- index = stp->str_index;
- while (c-- > 0) {
- if (index == sizeof(des_cblock)) {
- des_cblock b;
- des_ecb_encrypt(&stp->str_output, &b,stp->str_sched, 1);
- memcpy(stp->str_feed, b, sizeof(des_cblock));
- index = 0;
- }
-
- /* On encryption, we store (feed ^ data) which is cypher */
- *s = stp->str_output[index] = (stp->str_feed[index] ^ *s);
- s++;
- index++;
- }
- stp->str_index = index;
-}
-
-int cfb64_decrypt(int data)
-{
- struct stinfo *stp = &fb[CFB].streams[DIR_DECRYPT-1];
- int index;
-
- if (data == -1) {
- /*
- * Back up one byte. It is assumed that we will
- * never back up more than one byte. If we do, this
- * may or may not work.
- */
- if (stp->str_index)
- --stp->str_index;
- return(0);
- }
-
- index = stp->str_index++;
- if (index == sizeof(des_cblock)) {
- des_cblock b;
- des_ecb_encrypt(&stp->str_output,&b, stp->str_sched, 1);
- memcpy(stp->str_feed, b, sizeof(des_cblock));
- stp->str_index = 1; /* Next time will be 1 */
- index = 0; /* But now use 0 */
- }
-
- /* On decryption we store (data) which is cypher. */
- stp->str_output[index] = data;
- return(data ^ stp->str_feed[index]);
-}
-
-/*
- * DES 64 bit Output Feedback
- *
- * key --->+-----+
- * +->| DES |--+
- * | +-----+ |
- * +-----------+
- * v
- * INPUT -------->(+) ----> DATA
- *
- * Given:
- * iV: Initial vector, 64 bits (8 bytes) long.
- * Dn: the nth chunk of 64 bits (8 bytes) of data to encrypt (decrypt).
- * On: the nth chunk of 64 bits (8 bytes) of encrypted (decrypted) output.
- *
- * V0 = DES(iV, key)
- * V(n+1) = DES(Vn, key)
- * On = Dn ^ Vn
- */
-
-void ofb64_encrypt(unsigned char *s, int c)
-{
- struct stinfo *stp = &fb[OFB].streams[DIR_ENCRYPT-1];
- int index;
-
- index = stp->str_index;
- while (c-- > 0) {
- if (index == sizeof(des_cblock)) {
- des_cblock b;
- des_ecb_encrypt(&stp->str_feed,&b, stp->str_sched, 1);
- memcpy(stp->str_feed, b, sizeof(des_cblock));
- index = 0;
- }
- *s++ ^= stp->str_feed[index];
- index++;
- }
- stp->str_index = index;
-}
-
-int ofb64_decrypt(int data)
-{
- struct stinfo *stp = &fb[OFB].streams[DIR_DECRYPT-1];
- int index;
-
- if (data == -1) {
- /*
- * Back up one byte. It is assumed that we will
- * never back up more than one byte. If we do, this
- * may or may not work.
- */
- if (stp->str_index)
- --stp->str_index;
- return(0);
- }
-
- index = stp->str_index++;
- if (index == sizeof(des_cblock)) {
- des_cblock b;
- des_ecb_encrypt(&stp->str_feed,&b,stp->str_sched, 1);
- memcpy(stp->str_feed, b, sizeof(des_cblock));
- stp->str_index = 1; /* Next time will be 1 */
- index = 0; /* But now use 0 */
- }
-
- return(data ^ stp->str_feed[index]);
-}
-#endif
-
diff --git a/crypto/heimdal-0.6.3/appl/telnet/libtelnet/encrypt.c b/crypto/heimdal-0.6.3/appl/telnet/libtelnet/encrypt.c
deleted file mode 100644
index fca8a4705f..0000000000
--- a/crypto/heimdal-0.6.3/appl/telnet/libtelnet/encrypt.c
+++ /dev/null
@@ -1,1002 +0,0 @@
-/*-
- * Copyright (c) 1991, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * Copyright (C) 1990 by the Massachusetts Institute of Technology
- *
- * Export of this software from the United States of America is assumed
- * to require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-
-#include
-
-RCSID("$Id: encrypt.c,v 1.23 2002/01/18 12:58:49 joda Exp $");
-
-#if defined(ENCRYPTION)
-
-#define ENCRYPT_NAMES
-#include
-
-#include "encrypt.h"
-#include "misc.h"
-
-#include
-#include
-#include
-#include
-#ifdef SOCKS
-#include
-#endif
-
-
-/*
- * These functions pointers point to the current routines
- * for encrypting and decrypting data.
- */
-void (*encrypt_output) (unsigned char *, int);
-int (*decrypt_input) (int);
-char *nclearto;
-
-int encrypt_debug_mode = 0;
-static int decrypt_mode = 0;
-static int encrypt_mode = 0;
-static int encrypt_verbose = 0;
-static int autoencrypt = 0;
-static int autodecrypt = 0;
-static int havesessionkey = 0;
-static int Server = 0;
-static const char *Name = "Noname";
-
-#define typemask(x) ((x) > 0 ? 1 << ((x)-1) : 0)
-
-static long i_support_encrypt = typemask(ENCTYPE_DES_CFB64)
- | typemask(ENCTYPE_DES_OFB64);
- static long i_support_decrypt = typemask(ENCTYPE_DES_CFB64)
- | typemask(ENCTYPE_DES_OFB64);
- static long i_wont_support_encrypt = 0;
- static long i_wont_support_decrypt = 0;
-#define I_SUPPORT_ENCRYPT (i_support_encrypt & ~i_wont_support_encrypt)
-#define I_SUPPORT_DECRYPT (i_support_decrypt & ~i_wont_support_decrypt)
-
- static long remote_supports_encrypt = 0;
- static long remote_supports_decrypt = 0;
-
- static Encryptions encryptions[] = {
-#if defined(DES_ENCRYPTION)
- { "DES_CFB64", ENCTYPE_DES_CFB64,
- cfb64_encrypt,
- cfb64_decrypt,
- cfb64_init,
- cfb64_start,
- cfb64_is,
- cfb64_reply,
- cfb64_session,
- cfb64_keyid,
- cfb64_printsub },
- { "DES_OFB64", ENCTYPE_DES_OFB64,
- ofb64_encrypt,
- ofb64_decrypt,
- ofb64_init,
- ofb64_start,
- ofb64_is,
- ofb64_reply,
- ofb64_session,
- ofb64_keyid,
- ofb64_printsub },
-#endif
- { 0, },
- };
-
-static unsigned char str_send[64] = { IAC, SB, TELOPT_ENCRYPT,
- ENCRYPT_SUPPORT };
-static unsigned char str_suplen = 0;
-static unsigned char str_start[72] = { IAC, SB, TELOPT_ENCRYPT };
-static unsigned char str_end[] = { IAC, SB, TELOPT_ENCRYPT, 0, IAC, SE };
-
-Encryptions *
-findencryption(int type)
-{
- Encryptions *ep = encryptions;
-
- if (!(I_SUPPORT_ENCRYPT & remote_supports_decrypt & typemask(type)))
- return(0);
- while (ep->type && ep->type != type)
- ++ep;
- return(ep->type ? ep : 0);
-}
-
-Encryptions *
-finddecryption(int type)
-{
- Encryptions *ep = encryptions;
-
- if (!(I_SUPPORT_DECRYPT & remote_supports_encrypt & typemask(type)))
- return(0);
- while (ep->type && ep->type != type)
- ++ep;
- return(ep->type ? ep : 0);
-}
-
-#define MAXKEYLEN 64
-
-static struct key_info {
- unsigned char keyid[MAXKEYLEN];
- int keylen;
- int dir;
- int *modep;
- Encryptions *(*getcrypt)();
-} ki[2] = {
- { { 0 }, 0, DIR_ENCRYPT, &encrypt_mode, findencryption },
- { { 0 }, 0, DIR_DECRYPT, &decrypt_mode, finddecryption },
-};
-
-void
-encrypt_init(const char *name, int server)
-{
- Encryptions *ep = encryptions;
-
- Name = name;
- Server = server;
- i_support_encrypt = i_support_decrypt = 0;
- remote_supports_encrypt = remote_supports_decrypt = 0;
- encrypt_mode = 0;
- decrypt_mode = 0;
- encrypt_output = 0;
- decrypt_input = 0;
-#ifdef notdef
- encrypt_verbose = !server;
-#endif
-
- str_suplen = 4;
-
- while (ep->type) {
- if (encrypt_debug_mode)
- printf(">>>%s: I will support %s\r\n",
- Name, ENCTYPE_NAME(ep->type));
- i_support_encrypt |= typemask(ep->type);
- i_support_decrypt |= typemask(ep->type);
- if ((i_wont_support_decrypt & typemask(ep->type)) == 0)
- if ((str_send[str_suplen++] = ep->type) == IAC)
- str_send[str_suplen++] = IAC;
- if (ep->init)
- (*ep->init)(Server);
- ++ep;
- }
- str_send[str_suplen++] = IAC;
- str_send[str_suplen++] = SE;
-}
-
-void
-encrypt_list_types(void)
-{
- Encryptions *ep = encryptions;
-
- printf("Valid encryption types:\n");
- while (ep->type) {
- printf("\t%s (%d)\r\n", ENCTYPE_NAME(ep->type), ep->type);
- ++ep;
- }
-}
-
-int
-EncryptEnable(char *type, char *mode)
-{
- if (isprefix(type, "help") || isprefix(type, "?")) {
- printf("Usage: encrypt enable [input|output]\n");
- encrypt_list_types();
- return(0);
- }
- if (EncryptType(type, mode))
- return(EncryptStart(mode));
- return(0);
-}
-
-int
-EncryptDisable(char *type, char *mode)
-{
- Encryptions *ep;
- int ret = 0;
-
- if (isprefix(type, "help") || isprefix(type, "?")) {
- printf("Usage: encrypt disable [input|output]\n");
- encrypt_list_types();
- } else if ((ep = (Encryptions *)genget(type, (char**)encryptions,
- sizeof(Encryptions))) == 0) {
- printf("%s: invalid encryption type\n", type);
- } else if (Ambiguous(ep)) {
- printf("Ambiguous type '%s'\n", type);
- } else {
- if ((mode == 0) || (isprefix(mode, "input") ? 1 : 0)) {
- if (decrypt_mode == ep->type)
- EncryptStopInput();
- i_wont_support_decrypt |= typemask(ep->type);
- ret = 1;
- }
- if ((mode == 0) || (isprefix(mode, "output"))) {
- if (encrypt_mode == ep->type)
- EncryptStopOutput();
- i_wont_support_encrypt |= typemask(ep->type);
- ret = 1;
- }
- if (ret == 0)
- printf("%s: invalid encryption mode\n", mode);
- }
- return(ret);
-}
-
-int
-EncryptType(char *type, char *mode)
-{
- Encryptions *ep;
- int ret = 0;
-
- if (isprefix(type, "help") || isprefix(type, "?")) {
- printf("Usage: encrypt type [input|output]\n");
- encrypt_list_types();
- } else if ((ep = (Encryptions *)genget(type, (char**)encryptions,
- sizeof(Encryptions))) == 0) {
- printf("%s: invalid encryption type\n", type);
- } else if (Ambiguous(ep)) {
- printf("Ambiguous type '%s'\n", type);
- } else {
- if ((mode == 0) || isprefix(mode, "input")) {
- decrypt_mode = ep->type;
- i_wont_support_decrypt &= ~typemask(ep->type);
- ret = 1;
- }
- if ((mode == 0) || isprefix(mode, "output")) {
- encrypt_mode = ep->type;
- i_wont_support_encrypt &= ~typemask(ep->type);
- ret = 1;
- }
- if (ret == 0)
- printf("%s: invalid encryption mode\n", mode);
- }
- return(ret);
-}
-
-int
-EncryptStart(char *mode)
-{
- int ret = 0;
- if (mode) {
- if (isprefix(mode, "input"))
- return(EncryptStartInput());
- if (isprefix(mode, "output"))
- return(EncryptStartOutput());
- if (isprefix(mode, "help") || isprefix(mode, "?")) {
- printf("Usage: encrypt start [input|output]\n");
- return(0);
- }
- printf("%s: invalid encryption mode 'encrypt start ?' for help\n", mode);
- return(0);
- }
- ret += EncryptStartInput();
- ret += EncryptStartOutput();
- return(ret);
-}
-
-int
-EncryptStartInput(void)
-{
- if (decrypt_mode) {
- encrypt_send_request_start();
- return(1);
- }
- printf("No previous decryption mode, decryption not enabled\r\n");
- return(0);
-}
-
-int
-EncryptStartOutput(void)
-{
- if (encrypt_mode) {
- encrypt_start_output(encrypt_mode);
- return(1);
- }
- printf("No previous encryption mode, encryption not enabled\r\n");
- return(0);
-}
-
-int
-EncryptStop(char *mode)
-{
- int ret = 0;
- if (mode) {
- if (isprefix(mode, "input"))
- return(EncryptStopInput());
- if (isprefix(mode, "output"))
- return(EncryptStopOutput());
- if (isprefix(mode, "help") || isprefix(mode, "?")) {
- printf("Usage: encrypt stop [input|output]\n");
- return(0);
- }
- printf("%s: invalid encryption mode 'encrypt stop ?' for help\n", mode);
- return(0);
- }
- ret += EncryptStopInput();
- ret += EncryptStopOutput();
- return(ret);
-}
-
-int
-EncryptStopInput(void)
-{
- encrypt_send_request_end();
- return(1);
-}
-
-int
-EncryptStopOutput(void)
-{
- encrypt_send_end();
- return(1);
-}
-
-void
-encrypt_display(void)
-{
- printf("Autoencrypt for output is %s. Autodecrypt for input is %s.\r\n",
- autoencrypt?"on":"off", autodecrypt?"on":"off");
-
- if (encrypt_output)
- printf("Currently encrypting output with %s\r\n",
- ENCTYPE_NAME(encrypt_mode));
- else
- printf("Currently not encrypting output\r\n");
-
- if (decrypt_input)
- printf("Currently decrypting input with %s\r\n",
- ENCTYPE_NAME(decrypt_mode));
- else
- printf("Currently not decrypting input\r\n");
-}
-
-int
-EncryptStatus(void)
-{
- printf("Autoencrypt for output is %s. Autodecrypt for input is %s.\r\n",
- autoencrypt?"on":"off", autodecrypt?"on":"off");
-
- if (encrypt_output)
- printf("Currently encrypting output with %s\r\n",
- ENCTYPE_NAME(encrypt_mode));
- else if (encrypt_mode) {
- printf("Currently output is clear text.\r\n");
- printf("Last encryption mode was %s\r\n",
- ENCTYPE_NAME(encrypt_mode));
- } else
- printf("Currently not encrypting output\r\n");
-
- if (decrypt_input) {
- printf("Currently decrypting input with %s\r\n",
- ENCTYPE_NAME(decrypt_mode));
- } else if (decrypt_mode) {
- printf("Currently input is clear text.\r\n");
- printf("Last decryption mode was %s\r\n",
- ENCTYPE_NAME(decrypt_mode));
- } else
- printf("Currently not decrypting input\r\n");
-
- return 1;
-}
-
-void
-encrypt_send_support(void)
-{
- if (str_suplen) {
- /*
- * If the user has requested that decryption start
- * immediatly, then send a "REQUEST START" before
- * we negotiate the type.
- */
- if (!Server && autodecrypt)
- encrypt_send_request_start();
- telnet_net_write(str_send, str_suplen);
- printsub('>', &str_send[2], str_suplen - 2);
- str_suplen = 0;
- }
-}
-
-int
-EncryptDebug(int on)
-{
- if (on < 0)
- encrypt_debug_mode ^= 1;
- else
- encrypt_debug_mode = on;
- printf("Encryption debugging %s\r\n",
- encrypt_debug_mode ? "enabled" : "disabled");
- return(1);
-}
-
-/* turn on verbose encryption, but dont keep telling the whole world
- */
-void encrypt_verbose_quiet(int on)
-{
- if(on < 0)
- encrypt_verbose ^= 1;
- else
- encrypt_verbose = on ? 1 : 0;
-}
-
-int
-EncryptVerbose(int on)
-{
- encrypt_verbose_quiet(on);
- printf("Encryption %s verbose\r\n",
- encrypt_verbose ? "is" : "is not");
- return(1);
-}
-
-int
-EncryptAutoEnc(int on)
-{
- encrypt_auto(on);
- printf("Automatic encryption of output is %s\r\n",
- autoencrypt ? "enabled" : "disabled");
- return(1);
-}
-
-int
-EncryptAutoDec(int on)
-{
- decrypt_auto(on);
- printf("Automatic decryption of input is %s\r\n",
- autodecrypt ? "enabled" : "disabled");
- return(1);
-}
-
-/* Called when we receive a WONT or a DONT ENCRYPT after we sent a DO
- encrypt */
-void
-encrypt_not(void)
-{
- if (encrypt_verbose)
- printf("[ Connection is NOT encrypted ]\r\n");
- else
- printf("\r\n*** Connection not encrypted! "
- "Communication may be eavesdropped. ***\r\n");
-}
-
-/*
- * Called when ENCRYPT SUPPORT is received.
- */
-void
-encrypt_support(unsigned char *typelist, int cnt)
-{
- int type, use_type = 0;
- Encryptions *ep;
-
- /*
- * Forget anything the other side has previously told us.
- */
- remote_supports_decrypt = 0;
-
- while (cnt-- > 0) {
- type = *typelist++;
- if (encrypt_debug_mode)
- printf(">>>%s: He is supporting %s (%d)\r\n",
- Name,
- ENCTYPE_NAME(type), type);
- if ((type < ENCTYPE_CNT) &&
- (I_SUPPORT_ENCRYPT & typemask(type))) {
- remote_supports_decrypt |= typemask(type);
- if (use_type == 0)
- use_type = type;
- }
- }
- if (use_type) {
- ep = findencryption(use_type);
- if (!ep)
- return;
- type = ep->start ? (*ep->start)(DIR_ENCRYPT, Server) : 0;
- if (encrypt_debug_mode)
- printf(">>>%s: (*ep->start)() returned %d\r\n",
- Name, type);
- if (type < 0)
- return;
- encrypt_mode = use_type;
- if (type == 0)
- encrypt_start_output(use_type);
- }
-}
-
-void
-encrypt_is(unsigned char *data, int cnt)
-{
- Encryptions *ep;
- int type, ret;
-
- if (--cnt < 0)
- return;
- type = *data++;
- if (type < ENCTYPE_CNT)
- remote_supports_encrypt |= typemask(type);
- if (!(ep = finddecryption(type))) {
- if (encrypt_debug_mode)
- printf(">>>%s: Can't find type %s (%d) for initial negotiation\r\n",
- Name,
- ENCTYPE_NAME_OK(type)
- ? ENCTYPE_NAME(type) : "(unknown)",
- type);
- return;
- }
- if (!ep->is) {
- if (encrypt_debug_mode)
- printf(">>>%s: No initial negotiation needed for type %s (%d)\r\n",
- Name,
- ENCTYPE_NAME_OK(type)
- ? ENCTYPE_NAME(type) : "(unknown)",
- type);
- ret = 0;
- } else {
- ret = (*ep->is)(data, cnt);
- if (encrypt_debug_mode)
- printf("(*ep->is)(%p, %d) returned %s(%d)\n", data, cnt,
- (ret < 0) ? "FAIL " :
- (ret == 0) ? "SUCCESS " : "MORE_TO_DO ", ret);
- }
- if (ret < 0) {
- autodecrypt = 0;
- } else {
- decrypt_mode = type;
- if (ret == 0 && autodecrypt)
- encrypt_send_request_start();
- }
-}
-
-void
-encrypt_reply(unsigned char *data, int cnt)
-{
- Encryptions *ep;
- int ret, type;
-
- if (--cnt < 0)
- return;
- type = *data++;
- if (!(ep = findencryption(type))) {
- if (encrypt_debug_mode)
- printf(">>>%s: Can't find type %s (%d) for initial negotiation\r\n",
- Name,
- ENCTYPE_NAME_OK(type)
- ? ENCTYPE_NAME(type) : "(unknown)",
- type);
- return;
- }
- if (!ep->reply) {
- if (encrypt_debug_mode)
- printf(">>>%s: No initial negotiation needed for type %s (%d)\r\n",
- Name,
- ENCTYPE_NAME_OK(type)
- ? ENCTYPE_NAME(type) : "(unknown)",
- type);
- ret = 0;
- } else {
- ret = (*ep->reply)(data, cnt);
- if (encrypt_debug_mode)
- printf("(*ep->reply)(%p, %d) returned %s(%d)\n",
- data, cnt,
- (ret < 0) ? "FAIL " :
- (ret == 0) ? "SUCCESS " : "MORE_TO_DO ", ret);
- }
- if (encrypt_debug_mode)
- printf(">>>%s: encrypt_reply returned %d\n", Name, ret);
- if (ret < 0) {
- autoencrypt = 0;
- } else {
- encrypt_mode = type;
- if (ret == 0 && autoencrypt)
- encrypt_start_output(type);
- }
-}
-
-/*
- * Called when a ENCRYPT START command is received.
- */
-void
-encrypt_start(unsigned char *data, int cnt)
-{
- Encryptions *ep;
-
- if (!decrypt_mode) {
- /*
- * Something is wrong. We should not get a START
- * command without having already picked our
- * decryption scheme. Send a REQUEST-END to
- * attempt to clear the channel...
- */ - printf("%s: Warning, Cannot decrypt input stream!!!\r\n", Name); - encrypt_send_request_end(); - return; - } - - if ((ep = finddecryption(decrypt_mode))) { - decrypt_input = ep->input; - if (encrypt_verbose) - printf("[ Input is now decrypted with type %s ]\r\n", - ENCTYPE_NAME(decrypt_mode)); - if (encrypt_debug_mode) - printf(">>>%s: Start to decrypt input with type %s\r\n", - Name, ENCTYPE_NAME(decrypt_mode)); - } else { - printf("%s: Warning, Cannot decrypt type %s (%d)!!!\r\n", - Name, - ENCTYPE_NAME_OK(decrypt_mode) - ? ENCTYPE_NAME(decrypt_mode) - : "(unknown)", - decrypt_mode); - encrypt_send_request_end(); - } -} - -void -encrypt_session_key(Session_Key *key, int server) -{ - Encryptions *ep = encryptions; - - havesessionkey = 1; - - while (ep->type) { - if (ep->session) - (*ep->session)(key, server); - ++ep; - } -} - -/* - * Called when ENCRYPT END is received. - */ -void -encrypt_end(void) -{ - decrypt_input = 0; - if (encrypt_debug_mode) - printf(">>>%s: Input is back to clear text\r\n", Name); - if (encrypt_verbose) - printf("[ Input is now clear text ]\r\n"); -} - -/* - * Called when ENCRYPT REQUEST-END is received. - */ -void -encrypt_request_end(void) -{ - encrypt_send_end(); -} - -/* - * Called when ENCRYPT REQUEST-START is received. If we receive - * this before a type is picked, then that indicates that the - * other side wants us to start encrypting data as soon as we - * can. - */ -void -encrypt_request_start(unsigned char *data, int cnt) -{ - if (encrypt_mode == 0) { - if (Server) - autoencrypt = 1; - return; - } - encrypt_start_output(encrypt_mode); -} - -static unsigned char str_keyid[(MAXKEYLEN*2)+5] = { IAC, SB, TELOPT_ENCRYPT }; - -static void -encrypt_keyid(struct key_info *kp, unsigned char *keyid, int len) -{ - Encryptions *ep; - int dir = kp->dir; - int ret = 0; - - if (!(ep = (*kp->getcrypt)(*kp->modep))) { - if (len == 0) - return; - kp->keylen = 0; - } else if (len == 0) { - /* - * Empty option, indicates a failure. 
- */ - if (kp->keylen == 0) - return; - kp->keylen = 0; - if (ep->keyid) - (void)(*ep->keyid)(dir, kp->keyid, &kp->keylen); - - } else if ((len != kp->keylen) || (memcmp(keyid,kp->keyid,len) != 0)) { - /* - * Length or contents are different - */ - kp->keylen = len; - memcpy(kp->keyid,keyid, len); - if (ep->keyid) - (void)(*ep->keyid)(dir, kp->keyid, &kp->keylen); - } else { - if (ep->keyid) - ret = (*ep->keyid)(dir, kp->keyid, &kp->keylen); - if ((ret == 0) && (dir == DIR_ENCRYPT) && autoencrypt) - encrypt_start_output(*kp->modep); - return; - } - - encrypt_send_keyid(dir, kp->keyid, kp->keylen, 0); -} - -void encrypt_enc_keyid(unsigned char *keyid, int len) -{ - encrypt_keyid(&ki[1], keyid, len); -} - -void encrypt_dec_keyid(unsigned char *keyid, int len) -{ - encrypt_keyid(&ki[0], keyid, len); -} - - -void encrypt_send_keyid(int dir, unsigned char *keyid, int keylen, int saveit) -{ - unsigned char *strp; - - str_keyid[3] = (dir == DIR_ENCRYPT) - ? ENCRYPT_ENC_KEYID : ENCRYPT_DEC_KEYID; - if (saveit) { - struct key_info *kp = &ki[(dir == DIR_ENCRYPT) ? 0 : 1]; - memcpy(kp->keyid,keyid, keylen); - kp->keylen = keylen; - } - - for (strp = &str_keyid[4]; keylen > 0; --keylen) { - if ((*strp++ = *keyid++) == IAC) - *strp++ = IAC; - } - *strp++ = IAC; - *strp++ = SE; - telnet_net_write(str_keyid, strp - str_keyid); - printsub('>', &str_keyid[2], strp - str_keyid - 2); -} - -void -encrypt_auto(int on) -{ - if (on < 0) - autoencrypt ^= 1; - else - autoencrypt = on ? 1 : 0; -} - -void -decrypt_auto(int on) -{ - if (on < 0) - autodecrypt ^= 1; - else - autodecrypt = on ? 1 : 0; -} - -void -encrypt_start_output(int type) -{ - Encryptions *ep; - unsigned char *p; - int i; - - if (!(ep = findencryption(type))) { - if (encrypt_debug_mode) { - printf(">>>%s: Can't encrypt with type %s (%d)\r\n", - Name, - ENCTYPE_NAME_OK(type) - ? 
ENCTYPE_NAME(type) : "(unknown)", - type); - } - return; - } - if (ep->start) { - i = (*ep->start)(DIR_ENCRYPT, Server); - if (encrypt_debug_mode) { - printf(">>>%s: Encrypt start: %s (%d) %s\r\n", - Name, - (i < 0) ? "failed" : - "initial negotiation in progress", - i, ENCTYPE_NAME(type)); - } - if (i) - return; - } - p = str_start + 3; - *p++ = ENCRYPT_START; - for (i = 0; i < ki[0].keylen; ++i) { - if ((*p++ = ki[0].keyid[i]) == IAC) - *p++ = IAC; - } - *p++ = IAC; - *p++ = SE; - telnet_net_write(str_start, p - str_start); - net_encrypt(); - printsub('>', &str_start[2], p - &str_start[2]); - /* - * If we are already encrypting in some mode, then - * encrypt the ring (which includes our request) in - * the old mode, mark it all as "clear text" and then - * switch to the new mode. - */ - encrypt_output = ep->output; - encrypt_mode = type; - if (encrypt_debug_mode) - printf(">>>%s: Started to encrypt output with type %s\r\n", - Name, ENCTYPE_NAME(type)); - if (encrypt_verbose) - printf("[ Output is now encrypted with type %s ]\r\n", - ENCTYPE_NAME(type)); -} - -void -encrypt_send_end(void) -{ - if (!encrypt_output) - return; - - str_end[3] = ENCRYPT_END; - telnet_net_write(str_end, sizeof(str_end)); - net_encrypt(); - printsub('>', &str_end[2], sizeof(str_end) - 2); - /* - * Encrypt the output buffer now because it will not be done by - * netflush... 
- */ - encrypt_output = 0; - if (encrypt_debug_mode) - printf(">>>%s: Output is back to clear text\r\n", Name); - if (encrypt_verbose) - printf("[ Output is now clear text ]\r\n"); -} - -void -encrypt_send_request_start(void) -{ - unsigned char *p; - int i; - - p = &str_start[3]; - *p++ = ENCRYPT_REQSTART; - for (i = 0; i < ki[1].keylen; ++i) { - if ((*p++ = ki[1].keyid[i]) == IAC) - *p++ = IAC; - } - *p++ = IAC; - *p++ = SE; - telnet_net_write(str_start, p - str_start); - printsub('>', &str_start[2], p - &str_start[2]); - if (encrypt_debug_mode) - printf(">>>%s: Request input to be encrypted\r\n", Name); -} - -void -encrypt_send_request_end(void) -{ - str_end[3] = ENCRYPT_REQEND; - telnet_net_write(str_end, sizeof(str_end)); - printsub('>', &str_end[2], sizeof(str_end) - 2); - - if (encrypt_debug_mode) - printf(">>>%s: Request input to be clear text\r\n", Name); -} - - -void encrypt_wait(void) -{ - if (encrypt_debug_mode) - printf(">>>%s: in encrypt_wait\r\n", Name); - if (!havesessionkey || !(I_SUPPORT_ENCRYPT & remote_supports_decrypt)) - return; - while (autoencrypt && !encrypt_output) - if (telnet_spin()) - return; -} - -int -encrypt_delay(void) -{ - if(!havesessionkey || - (I_SUPPORT_ENCRYPT & remote_supports_decrypt) == 0 || - (I_SUPPORT_DECRYPT & remote_supports_encrypt) == 0) - return 0; - if(!(encrypt_output && decrypt_input)) - return 1; - return 0; -} - -int encrypt_is_encrypting() -{ - if (encrypt_output && decrypt_input) - return 1; - return 0; -} - -void -encrypt_debug(int mode) -{ - encrypt_debug_mode = mode; -} - -void encrypt_gen_printsub(unsigned char *data, int cnt, - unsigned char *buf, int buflen) -{ - char tbuf[16], *cp; - - cnt -= 2; - data += 2; - buf[buflen-1] = '\0'; - buf[buflen-2] = '*'; - buflen -= 2;; - for (; cnt > 0; cnt--, data++) { - snprintf(tbuf, sizeof(tbuf), " %d", *data); - for (cp = tbuf; *cp && buflen > 0; --buflen) - *buf++ = *cp++; - if (buflen <= 0) - return; - } - *buf = '\0'; -} - -void -encrypt_printsub(unsigned char 
*data, int cnt, unsigned char *buf, int buflen) -{ - Encryptions *ep; - int type = data[1]; - - for (ep = encryptions; ep->type && ep->type != type; ep++) - ; - - if (ep->printsub) - (*ep->printsub)(data, cnt, buf, buflen); - else - encrypt_gen_printsub(data, cnt, buf, buflen); -} -#endif diff --git a/crypto/heimdal-0.6.3/appl/telnet/libtelnet/encrypt.h b/crypto/heimdal-0.6.3/appl/telnet/libtelnet/encrypt.h deleted file mode 100644 index 3b04bd5a71..0000000000 --- a/crypto/heimdal-0.6.3/appl/telnet/libtelnet/encrypt.h +++ /dev/null 
@@ -1,103 +0,0 @@
-/*-
- * Copyright (c) 1991, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * @(#)encrypt.h 8.1 (Berkeley) 6/4/93
- *
- * @(#)encrypt.h 5.2 (Berkeley) 3/22/91
- */
-
-/*
- * Copyright (C) 1990 by the Massachusetts Institute of Technology
- *
- * Export of this software from the United States of America is assumed
- * to require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-/* $Id: encrypt.h,v 1.8 2002/09/10 20:03:47 joda Exp $ */
-
-#ifndef __ENCRYPT__
-#define __ENCRYPT__
-
-#define DIR_DECRYPT 1
-#define DIR_ENCRYPT 2
-
-#define VALIDKEY(key) ( key[0] | key[1] | key[2] | key[3] | \
- key[4] | key[5] | key[6] | key[7])
-
-#define SAMEKEY(k1, k2) (!memcmp(k1, k2, sizeof(des_cblock)))
-
-typedef struct {
- short type;
- int length;
- unsigned char *data;
-} Session_Key;
-
-typedef struct {
- char *name;
- int type;
- void (*output) (unsigned char *, int);
- int (*input) (int);
- void (*init) (int);
- int (*start) (int, int);
- int (*is) (unsigned char *, int);
- int (*reply) (unsigned char *, int);
- void (*session) (Session_Key *, int);
- int (*keyid) (int, unsigned char *, int *);
- void (*printsub) (unsigned char *, int, unsigned char *, int);
-} Encryptions;
-
-#define SK_DES 1 /* Matched Kerberos v5 KEYTYPE_DES */
-
-#include "crypto-headers.h"
-#ifdef HAVE_OPENSSL
-#define des_new_random_key des_random_key
-#endif
-
-#include "enc-proto.h"
-
-extern int encrypt_debug_mode;
-extern int (*decrypt_input) (int);
-extern void (*encrypt_output) (unsigned char *, int);
-#endif
diff --git a/crypto/heimdal-0.6.3/appl/telnet/libtelnet/genget.c b/crypto/heimdal-0.6.3/appl/telnet/libtelnet/genget.c
deleted file mode 100644
index 27d1d6708b..0000000000
--- a/crypto/heimdal-0.6.3/appl/telnet/libtelnet/genget.c
+++ /dev/null
@@ -1,103 +0,0 @@
-/*-
- * Copyright (c) 1991, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include
-#include "misc-proto.h"
-
-RCSID("$Id: genget.c,v 1.7 2001/09/03 05:54:14 assar Exp $");
-
-#include
-
-#define LOWER(x) (isupper(x) ? tolower(x) : (x))
-/*
- * The prefix function returns 0 if *s1 is not a prefix
- * of *s2. If *s1 exactly matches *s2, the negative of
- * the length is returned. If *s1 is a prefix of *s2,
- * the length of *s1 is returned.
- */
-
-int
-isprefix(char *s1, char *s2)
-{
- char *os1;
- char c1, c2;
-
- if (*s1 == '\0')
- return(-1);
- os1 = s1;
- c1 = *s1;
- c2 = *s2;
- while (tolower((unsigned char)c1) == tolower((unsigned char)c2)) {
- if (c1 == '\0')
- break;
- c1 = *++s1;
- c2 = *++s2;
- }
- return(*s1 ? 0 : (*s2 ? (s1 - os1) : (os1 - s1)));
-}
-
-static char *ambiguous; /* special return value for command routines */
-
-char **
-genget(char *name, char **table, int stlen)
- /* name to match */
- /* name entry in table */
-
-{
- char **c, **found;
- int n;
-
- if (name == 0)
- return 0;
-
- found = 0;
- for (c = table; *c != 0; c = (char **)((char *)c + stlen)) {
- if ((n = isprefix(name, *c)) == 0)
- continue;
- if (n < 0) /* exact match */
- return(c);
- if (found)
- return(&ambiguous);
- found = c;
- }
- return(found);
-}
-
-/*
- * Function call version of Ambiguous()
- */
-int
-Ambiguous(void *s)
-{
- return((char **)s == &ambiguous);
-}
diff --git a/crypto/heimdal-0.6.3/appl/telnet/libtelnet/kerberos.c b/crypto/heimdal-0.6.3/appl/telnet/libtelnet/kerberos.c
deleted file mode 100644
index 09d3073594..0000000000
--- a/crypto/heimdal-0.6.3/appl/telnet/libtelnet/kerberos.c
+++ /dev/null
@@ -1,722 +0,0 @@ -/*- - * Copyright (c) 1991, 1993 - * The Regents of the University of California. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -/* - * Copyright (C) 1990 by the Massachusetts Institute of Technology - * - * Export of this software from the United States of America is assumed - * to require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -#ifdef HAVE_CONFIG_H -#include -#endif - -RCSID("$Id: kerberos.c,v 1.54 2001/08/22 20:30:22 assar Exp $"); - -#ifdef KRB4 -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_ARPA_TELNET_H -#include -#endif -#include -#include -#include -#include -#include -#include -#ifdef SOCKS -#include -#endif - - -#include "encrypt.h" -#include "auth.h" -#include "misc.h" - -int kerberos4_cksum (unsigned char *, int); -extern int auth_debug_mode; - -static unsigned char str_data[2048] = { IAC, SB, TELOPT_AUTHENTICATION, 0, - AUTHTYPE_KERBEROS_V4, }; - -#define KRB_AUTH 0 /* Authentication data follows */ -#define KRB_REJECT 1 /* Rejected (reason might follow) */ -#define KRB_ACCEPT 2 /* Accepted */ -#define KRB_CHALLENGE 3 /* Challenge for mutual auth. */ -#define KRB_RESPONSE 4 /* Response for mutual auth. 
*/ - -#define KRB_FORWARD 5 /* */ -#define KRB_FORWARD_ACCEPT 6 /* */ -#define KRB_FORWARD_REJECT 7 /* */ - -#define KRB_SERVICE_NAME "rcmd" - -static KTEXT_ST auth; -static char name[ANAME_SZ]; -static AUTH_DAT adat; -static des_cblock session_key; -static des_cblock cred_session; -static des_key_schedule sched; -static des_cblock challenge; -static int auth_done; /* XXX */ - -static int pack_cred(CREDENTIALS *cred, unsigned char *buf); -static int unpack_cred(unsigned char *buf, int len, CREDENTIALS *cred); - - -static int -Data(Authenticator *ap, int type, const void *d, int c) -{ - unsigned char *p = str_data + 4; - const unsigned char *cd = (const unsigned char *)d; - - if (c == -1) - c = strlen((const char *)cd); - - if (auth_debug_mode) { - printf("%s:%d: [%d] (%d)", - str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY", - str_data[3], - type, c); - printd(d, c); - printf("\r\n"); - } - *p++ = ap->type; - *p++ = ap->way; - *p++ = type; - while (c-- > 0) { - if ((*p++ = *cd++) == IAC) - *p++ = IAC; - } - *p++ = IAC; - *p++ = SE; - if (str_data[3] == TELQUAL_IS) - printsub('>', &str_data[2], p - (&str_data[2])); - return(telnet_net_write(str_data, p - str_data)); -} - -int -kerberos4_init(Authenticator *ap, int server) -{ - FILE *fp; - - if (server) { - str_data[3] = TELQUAL_REPLY; - if ((fp = fopen(KEYFILE, "r")) == NULL) - return(0); - fclose(fp); - } else { - str_data[3] = TELQUAL_IS; - } - return(1); -} - -char dst_realm_buf[REALM_SZ], *dest_realm = NULL; -int dst_realm_sz = REALM_SZ; - -static int -kerberos4_send(char *name, Authenticator *ap) -{ - KTEXT_ST auth; - char instance[INST_SZ]; - char *realm; - CREDENTIALS cred; - int r; - - if (!UserNameRequested) { - if (auth_debug_mode) { - printf("Kerberos V4: no user name supplied\r\n"); - } - return(0); - } - - memset(instance, 0, sizeof(instance)); - - strlcpy (instance, - krb_get_phost(RemoteHostName), - INST_SZ); - - realm = dest_realm ? 
dest_realm : krb_realmofhost(RemoteHostName); - - if (!realm) { - printf("Kerberos V4: no realm for %s\r\n", RemoteHostName); - return(0); - } - printf("[ Trying %s (%s.%s@%s) ... ]\r\n", name, - KRB_SERVICE_NAME, instance, realm); - r = krb_mk_req(&auth, KRB_SERVICE_NAME, instance, realm, 0L); - if (r) { - printf("mk_req failed: %s\r\n", krb_get_err_text(r)); - return(0); - } - r = krb_get_cred(KRB_SERVICE_NAME, instance, realm, &cred); - if (r) { - printf("get_cred failed: %s\r\n", krb_get_err_text(r)); - return(0); - } - if (!auth_sendname((unsigned char*)UserNameRequested, - strlen(UserNameRequested))) { - if (auth_debug_mode) - printf("Not enough room for user name\r\n"); - return(0); - } - if (auth_debug_mode) - printf("Sent %d bytes of authentication data\r\n", auth.length); - if (!Data(ap, KRB_AUTH, (void *)auth.dat, auth.length)) { - if (auth_debug_mode) - printf("Not enough room for authentication data\r\n"); - return(0); - } -#ifdef ENCRYPTION - /* create challenge */ - if ((ap->way & AUTH_HOW_MASK)==AUTH_HOW_MUTUAL) { - int i; - - des_key_sched(&cred.session, sched); - memcpy (&cred_session, &cred.session, sizeof(cred_session)); -#ifndef HAVE_OPENSSL - des_init_random_number_generator(&cred.session); -#endif - des_new_random_key(&session_key); - des_ecb_encrypt(&session_key, &session_key, sched, 0); - des_ecb_encrypt(&session_key, &challenge, sched, 0); - - /* - old code - Some CERT Advisory thinks this is a bad thing... - - des_init_random_number_generator(&cred.session); - des_new_random_key(&challenge); - des_ecb_encrypt(&challenge, &session_key, sched, 1); - */ - - /* - * Increment the challenge by 1, and encrypt it for - * later comparison. - */ - for (i = 7; i >= 0; --i) - if(++challenge[i] != 0) /* No carry! 
*/ - break; - des_ecb_encrypt(&challenge, &challenge, sched, 1); - } - -#endif - - if (auth_debug_mode) { - printf("CK: %d:", kerberos4_cksum(auth.dat, auth.length)); - printd(auth.dat, auth.length); - printf("\r\n"); - printf("Sent Kerberos V4 credentials to server\r\n"); - } - return(1); -} -int -kerberos4_send_mutual(Authenticator *ap) -{ - return kerberos4_send("mutual KERBEROS4", ap); -} - -int -kerberos4_send_oneway(Authenticator *ap) -{ - return kerberos4_send("KERBEROS4", ap); -} - -void -kerberos4_is(Authenticator *ap, unsigned char *data, int cnt) -{ - struct sockaddr_in addr; - char realm[REALM_SZ]; - char instance[INST_SZ]; - int r; - socklen_t addr_len; - - if (cnt-- < 1) - return; - switch (*data++) { - case KRB_AUTH: - if (krb_get_lrealm(realm, 1) != KSUCCESS) { - Data(ap, KRB_REJECT, (void *)"No local V4 Realm.", -1); - auth_finished(ap, AUTH_REJECT); - if (auth_debug_mode) - printf("No local realm\r\n"); - return; - } - memmove(auth.dat, data, auth.length = cnt); - if (auth_debug_mode) { - printf("Got %d bytes of authentication data\r\n", cnt); - printf("CK: %d:", kerberos4_cksum(auth.dat, auth.length)); - printd(auth.dat, auth.length); - printf("\r\n"); - } - k_getsockinst(0, instance, sizeof(instance)); - addr_len = sizeof(addr); - if(getpeername(0, (struct sockaddr *)&addr, &addr_len) < 0) { - if(auth_debug_mode) - printf("getpeername failed\r\n"); - Data(ap, KRB_REJECT, "getpeername failed", -1); - auth_finished(ap, AUTH_REJECT); - return; - } - if (addr.sin_family != AF_INET) { - if (auth_debug_mode) - printf("unknown address family: %d\r\n", addr.sin_family); - Data(ap, KRB_REJECT, "bad address family", -1); - auth_finished(ap, AUTH_REJECT); - return; - } - - r = krb_rd_req(&auth, KRB_SERVICE_NAME, - instance, addr.sin_addr.s_addr, &adat, ""); - if (r) { - if (auth_debug_mode) - printf("Kerberos failed him as %s\r\n", name); - Data(ap, KRB_REJECT, (void *)krb_get_err_text(r), -1); - auth_finished(ap, AUTH_REJECT); - return; - } - /* save the 
session key */ - memmove(session_key, adat.session, sizeof(adat.session)); - krb_kntoln(&adat, name); - - if (UserNameRequested && !kuserok(&adat, UserNameRequested)){ - char ts[MaxPathLen]; - struct passwd *pw = getpwnam(UserNameRequested); - - if(pw){ - snprintf(ts, sizeof(ts), - "%s%u", - TKT_ROOT, - (unsigned)pw->pw_uid); - esetenv("KRBTKFILE", ts, 1); - - if (pw->pw_uid == 0) - syslog(LOG_INFO|LOG_AUTH, - "ROOT Kerberos login from %s on %s\n", - krb_unparse_name_long(adat.pname, - adat.pinst, - adat.prealm), - RemoteHostName); - } - Data(ap, KRB_ACCEPT, NULL, 0); - } else { - char *msg; - - asprintf (&msg, "user `%s' is not authorized to " - "login as `%s'", - krb_unparse_name_long(adat.pname, - adat.pinst, - adat.prealm), - UserNameRequested ? UserNameRequested : ""); - if (msg == NULL) - Data(ap, KRB_REJECT, NULL, 0); - else { - Data(ap, KRB_REJECT, (void *)msg, -1); - free(msg); - } - auth_finished(ap, AUTH_REJECT); - break; - } - auth_finished(ap, AUTH_USER); - break; - - case KRB_CHALLENGE: -#ifndef ENCRYPTION - Data(ap, KRB_RESPONSE, NULL, 0); -#else - if(!VALIDKEY(session_key)){ - Data(ap, KRB_RESPONSE, NULL, 0); - break; - } - des_key_sched(&session_key, sched); - { - des_cblock d_block; - int i; - Session_Key skey; - - memmove(d_block, data, sizeof(d_block)); - - /* make a session key for encryption */ - des_ecb_encrypt(&d_block, &session_key, sched, 1); - skey.type=SK_DES; - skey.length=8; - skey.data=session_key; - encrypt_session_key(&skey, 1); - - /* decrypt challenge, add one and encrypt it */ - des_ecb_encrypt(&d_block, &challenge, sched, 0); - for (i = 7; i >= 0; i--) - if(++challenge[i] != 0) - break; - des_ecb_encrypt(&challenge, &challenge, sched, 1); - Data(ap, KRB_RESPONSE, (void *)challenge, sizeof(challenge)); - } -#endif - break; - - case KRB_FORWARD: - { - des_key_schedule ks; - unsigned char netcred[sizeof(CREDENTIALS)]; - CREDENTIALS cred; - int ret; - if(cnt > sizeof(cred)) - abort(); - - memcpy (session_key, adat.session, 
sizeof(session_key)); - des_set_key(&session_key, ks); - des_pcbc_encrypt((void*)data, (void*)netcred, cnt, - ks, &session_key, DES_DECRYPT); - unpack_cred(netcred, cnt, &cred); - { - if(strcmp(cred.service, KRB_TICKET_GRANTING_TICKET) || - strncmp(cred.instance, cred.realm, sizeof(cred.instance)) || - cred.lifetime < 0 || cred.lifetime > 255 || - cred.kvno < 0 || cred.kvno > 255 || - cred.issue_date < 0 || - cred.issue_date > time(0) + CLOCK_SKEW || - strncmp(cred.pname, adat.pname, sizeof(cred.pname)) || - strncmp(cred.pinst, adat.pinst, sizeof(cred.pinst))){ - Data(ap, KRB_FORWARD_REJECT, "Bad credentials", -1); - }else{ - if((ret = tf_setup(&cred, - cred.pname, - cred.pinst)) == KSUCCESS){ - struct passwd *pw = getpwnam(UserNameRequested); - - if (pw) - chown(tkt_string(), pw->pw_uid, pw->pw_gid); - Data(ap, KRB_FORWARD_ACCEPT, 0, 0); - } else{ - Data(ap, KRB_FORWARD_REJECT, - krb_get_err_text(ret), -1); - } - } - } - memset(data, 0, cnt); - memset(ks, 0, sizeof(ks)); - memset(&cred, 0, sizeof(cred)); - } - - break; - - default: - if (auth_debug_mode) - printf("Unknown Kerberos option %d\r\n", data[-1]); - Data(ap, KRB_REJECT, 0, 0); - break; - } -} - -void -kerberos4_reply(Authenticator *ap, unsigned char *data, int cnt) -{ - Session_Key skey; - - if (cnt-- < 1) - return; - switch (*data++) { - case KRB_REJECT: - if(auth_done){ /* XXX Ick! */ - printf("[ Kerberos V4 received unknown opcode ]\r\n"); - }else{ - printf("[ Kerberos V4 refuses authentication "); - if (cnt > 0) - printf("because %.*s ", cnt, data); - printf("]\r\n"); - auth_send_retry(); - } - return; - case KRB_ACCEPT: - printf("[ Kerberos V4 accepts you ]\r\n"); - auth_done = 1; - if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) { - /* - * Send over the encrypted challenge. 
- */ - Data(ap, KRB_CHALLENGE, session_key, - sizeof(session_key)); - des_ecb_encrypt(&session_key, &session_key, sched, 1); - skey.type = SK_DES; - skey.length = 8; - skey.data = session_key; - encrypt_session_key(&skey, 0); -#if 0 - kerberos4_forward(ap, &cred_session); -#endif - return; - } - auth_finished(ap, AUTH_USER); - return; - case KRB_RESPONSE: - /* make sure the response is correct */ - if ((cnt != sizeof(des_cblock)) || - (memcmp(data, challenge, sizeof(challenge)))){ - printf("[ Kerberos V4 challenge failed!!! ]\r\n"); - auth_send_retry(); - return; - } - printf("[ Kerberos V4 challenge successful ]\r\n"); - auth_finished(ap, AUTH_USER); - break; - case KRB_FORWARD_ACCEPT: - printf("[ Kerberos V4 accepted forwarded credentials ]\r\n"); - break; - case KRB_FORWARD_REJECT: - printf("[ Kerberos V4 rejected forwarded credentials: `%.*s']\r\n", - cnt, data); - break; - default: - if (auth_debug_mode) - printf("Unknown Kerberos option %d\r\n", data[-1]); - return; - } -} - -int -kerberos4_status(Authenticator *ap, char *name, size_t name_sz, int level) -{ - if (level < AUTH_USER) - return(level); - - if (UserNameRequested && !kuserok(&adat, UserNameRequested)) { - strlcpy(name, UserNameRequested, name_sz); - return(AUTH_VALID); - } else - return(AUTH_USER); -} - -#define BUMP(buf, len) while (*(buf)) {++(buf), --(len);} -#define ADDC(buf, len, c) if ((len) > 0) {*(buf)++ = (c); --(len);} - -void -kerberos4_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen) -{ - int i; - - buf[buflen-1] = '\0'; /* make sure its NULL terminated */ - buflen -= 1; - - switch(data[3]) { - case KRB_REJECT: /* Rejected (reason might follow) */ - strlcpy((char *)buf, " REJECT ", buflen); - goto common; - - case KRB_ACCEPT: /* Accepted (name might follow) */ - strlcpy((char *)buf, " ACCEPT ", buflen); - common: - BUMP(buf, buflen); - if (cnt <= 4) - break; - ADDC(buf, buflen, '"'); - for (i = 4; i < cnt; i++) - ADDC(buf, buflen, data[i]); - ADDC(buf, buflen, 
'"'); - ADDC(buf, buflen, '\0'); - break; - - case KRB_AUTH: /* Authentication data follows */ - strlcpy((char *)buf, " AUTH", buflen); - goto common2; - - case KRB_CHALLENGE: - strlcpy((char *)buf, " CHALLENGE", buflen); - goto common2; - - case KRB_RESPONSE: - strlcpy((char *)buf, " RESPONSE", buflen); - goto common2; - - default: - snprintf((char*)buf, buflen, " %d (unknown)", data[3]); - common2: - BUMP(buf, buflen); - for (i = 4; i < cnt; i++) { - snprintf((char*)buf, buflen, " %d", data[i]); - BUMP(buf, buflen); - } - break; - } -} - -int -kerberos4_cksum(unsigned char *d, int n) -{ - int ck = 0; - - /* - * A comment is probably needed here for those not - * well versed in the "C" language. Yes, this is - * supposed to be a "switch" with the body of the - * "switch" being a "while" statement. The whole - * purpose of the switch is to allow us to jump into - * the middle of the while() loop, and then not have - * to do any more switch()s. - * - * Some compilers will spit out a warning message - * about the loop not being entered at the top. 
- */ - switch (n&03) - while (n > 0) { - case 0: - ck ^= (int)*d++ << 24; - --n; - case 3: - ck ^= (int)*d++ << 16; - --n; - case 2: - ck ^= (int)*d++ << 8; - --n; - case 1: - ck ^= (int)*d++; - --n; - } - return(ck); -} - -static int -pack_cred(CREDENTIALS *cred, unsigned char *buf) -{ - unsigned char *p = buf; - - memcpy (p, cred->service, ANAME_SZ); - p += ANAME_SZ; - memcpy (p, cred->instance, INST_SZ); - p += INST_SZ; - memcpy (p, cred->realm, REALM_SZ); - p += REALM_SZ; - memcpy(p, cred->session, 8); - p += 8; - p += KRB_PUT_INT(cred->lifetime, p, 4, 4); - p += KRB_PUT_INT(cred->kvno, p, 4, 4); - p += KRB_PUT_INT(cred->ticket_st.length, p, 4, 4); - memcpy(p, cred->ticket_st.dat, cred->ticket_st.length); - p += cred->ticket_st.length; - p += KRB_PUT_INT(0, p, 4, 4); - p += KRB_PUT_INT(cred->issue_date, p, 4, 4); - memcpy (p, cred->pname, ANAME_SZ); - p += ANAME_SZ; - memcpy (p, cred->pinst, INST_SZ); - p += INST_SZ; - return p - buf; -} - -static int -unpack_cred(unsigned char *buf, int len, CREDENTIALS *cred) -{ - char *p = (char*)buf; - u_int32_t tmp; - - strncpy (cred->service, p, ANAME_SZ); - cred->service[ANAME_SZ - 1] = '\0'; - p += ANAME_SZ; - strncpy (cred->instance, p, INST_SZ); - cred->instance[INST_SZ - 1] = '\0'; - p += INST_SZ; - strncpy (cred->realm, p, REALM_SZ); - cred->realm[REALM_SZ - 1] = '\0'; - p += REALM_SZ; - - memcpy(cred->session, p, 8); - p += 8; - p += krb_get_int(p, &tmp, 4, 0); - cred->lifetime = tmp; - p += krb_get_int(p, &tmp, 4, 0); - cred->kvno = tmp; - - p += krb_get_int(p, &cred->ticket_st.length, 4, 0); - memcpy(cred->ticket_st.dat, p, cred->ticket_st.length); - p += cred->ticket_st.length; - p += krb_get_int(p, &tmp, 4, 0); - cred->ticket_st.mbz = 0; - p += krb_get_int(p, (u_int32_t *)&cred->issue_date, 4, 0); - - strncpy (cred->pname, p, ANAME_SZ); - cred->pname[ANAME_SZ - 1] = '\0'; - p += ANAME_SZ; - strncpy (cred->pinst, p, INST_SZ); - cred->pinst[INST_SZ - 1] = '\0'; - p += INST_SZ; - return 0; -} - - -int 
-kerberos4_forward(Authenticator *ap, void *v) -{ - des_cblock *key = (des_cblock *)v; - CREDENTIALS cred; - char *realm; - des_key_schedule ks; - int len; - unsigned char netcred[sizeof(CREDENTIALS)]; - int ret; - - realm = krb_realmofhost(RemoteHostName); - if(realm == NULL) - return -1; - memset(&cred, 0, sizeof(cred)); - ret = krb_get_cred(KRB_TICKET_GRANTING_TICKET, - realm, - realm, - &cred); - if(ret) - return ret; - des_set_key(key, ks); - len = pack_cred(&cred, netcred); - des_pcbc_encrypt((void*)netcred, (void*)netcred, len, - ks, key, DES_ENCRYPT); - memset(ks, 0, sizeof(ks)); - Data(ap, KRB_FORWARD, netcred, len); - memset(netcred, 0, sizeof(netcred)); - return 0; -} - -#endif /* KRB4 */ - diff --git a/crypto/heimdal-0.6.3/appl/telnet/libtelnet/kerberos5.c b/crypto/heimdal-0.6.3/appl/telnet/libtelnet/kerberos5.c deleted file mode 100644 index 9ea37590f4..0000000000 --- a/crypto/heimdal-0.6.3/appl/telnet/libtelnet/kerberos5.c +++ /dev/null 
@@ -1,881 +0,0 @@
-/*-
- * Copyright (c) 1991, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * Copyright (C) 1990 by the Massachusetts Institute of Technology
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include
-
-RCSID("$Id: kerberos5.c,v 1.53.2.1 2004/06/21 08:21:07 lha Exp $");
-
-#ifdef KRB5
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#define Authenticator k5_Authenticator
-#include
-#undef Authenticator
-#include
-#ifdef SOCKS
-#include
-#endif
-
-
-#include "encrypt.h"
-#include "auth.h"
-#include "misc.h"
-
-#if defined(DCE)
-int dfsk5ok = 0;
-int dfspag = 0;
-int dfsfwd = 0;
-#endif
-
-int forward_flags = 0; /* Flags get set in telnet/main.c on -f and -F */
-
-int forward(int);
-int forwardable(int);
-
-/* These values need to be the same as those defined in telnet/main.c. */
-/* Either define them in both places, or put in some common header file.
*/ -#define OPTS_FORWARD_CREDS 0x00000002 -#define OPTS_FORWARDABLE_CREDS 0x00000001 - - -void kerberos5_forward (Authenticator *); - -static unsigned char str_data[4] = { IAC, SB, TELOPT_AUTHENTICATION, 0 }; - -#define KRB_AUTH 0 /* Authentication data follows */ -#define KRB_REJECT 1 /* Rejected (reason might follow) */ -#define KRB_ACCEPT 2 /* Accepted */ -#define KRB_RESPONSE 3 /* Response for mutual auth. */ - -#define KRB_FORWARD 4 /* Forwarded credentials follow */ -#define KRB_FORWARD_ACCEPT 5 /* Forwarded credentials accepted */ -#define KRB_FORWARD_REJECT 6 /* Forwarded credentials rejected */ - -static krb5_data auth; -static krb5_ticket *ticket; - -static krb5_context context; -static krb5_auth_context auth_context; - -static int -Data(Authenticator *ap, int type, void *d, int c) -{ - unsigned char *cd = (unsigned char *)d; - unsigned char *p0, *p; - size_t len = sizeof(str_data) + 3 + 2; - int ret; - - if (c == -1) - c = strlen((char*)cd); - - for (p = cd; p - cd < c; p++, len++) - if (*p == IAC) - len++; - - p0 = malloc(len); - if (p0 == NULL) - return 0; - - memcpy(p0, str_data, sizeof(str_data)); - p = p0 + sizeof(str_data); - - if (auth_debug_mode) { - printf("%s:%d: [%d] (%d)", - str_data[3] == TELQUAL_IS ? 
">>>IS" : ">>>REPLY", - str_data[3], - type, c); - printd(d, c); - printf("\r\n"); - } - *p++ = ap->type; - *p++ = ap->way; - *p++ = type; - while (c-- > 0) { - if ((*p++ = *cd++) == IAC) - *p++ = IAC; - } - *p++ = IAC; - *p++ = SE; - if (str_data[3] == TELQUAL_IS) - printsub('>', &p0[2], len - 2); - ret = telnet_net_write(p0, len); - free(p0); - return ret; -} - -int -kerberos5_init(Authenticator *ap, int server) -{ - krb5_error_code ret; - - ret = krb5_init_context(&context); - if (ret) - return 0; - if (server) { - krb5_keytab kt; - krb5_kt_cursor cursor; - - ret = krb5_kt_default(context, &kt); - if (ret) - return 0; - - ret = krb5_kt_start_seq_get (context, kt, &cursor); - if (ret) { - krb5_kt_close (context, kt); - return 0; - } - krb5_kt_end_seq_get (context, kt, &cursor); - krb5_kt_close (context, kt); - - str_data[3] = TELQUAL_REPLY; - } else - str_data[3] = TELQUAL_IS; - return(1); -} - -extern int net; -static int -kerberos5_send(char *name, Authenticator *ap) -{ - krb5_error_code ret; - krb5_ccache ccache; - int ap_opts; - krb5_data cksum_data; - char foo[2]; - - if (!UserNameRequested) { - if (auth_debug_mode) { - printf("Kerberos V5: no user name supplied\r\n"); - } - return(0); - } - - ret = krb5_cc_default(context, &ccache); - if (ret) { - if (auth_debug_mode) { - printf("Kerberos V5: could not get default ccache: %s\r\n", - krb5_get_err_text (context, ret)); - } - return 0; - } - - if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) - ap_opts = AP_OPTS_MUTUAL_REQUIRED; - else - ap_opts = 0; - - ap_opts |= AP_OPTS_USE_SUBKEY; - - ret = krb5_auth_con_init (context, &auth_context); - if (ret) { - if (auth_debug_mode) { - printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n", - krb5_get_err_text(context, ret)); - } - return(0); - } - - ret = krb5_auth_con_setaddrs_from_fd (context, - auth_context, - &net); - if (ret) { - if (auth_debug_mode) { - printf ("Kerberos V5:" - " krb5_auth_con_setaddrs_from_fd failed (%s)\r\n", - krb5_get_err_text(context, 
ret)); - } - return(0); - } - - krb5_auth_con_setkeytype (context, auth_context, KEYTYPE_DES); - - foo[0] = ap->type; - foo[1] = ap->way; - - cksum_data.length = sizeof(foo); - cksum_data.data = foo; - - - { - krb5_principal service; - char sname[128]; - - - ret = krb5_sname_to_principal (context, - RemoteHostName, - NULL, - KRB5_NT_SRV_HST, - &service); - if(ret) { - if (auth_debug_mode) { - printf ("Kerberos V5:" - " krb5_sname_to_principal(%s) failed (%s)\r\n", - RemoteHostName, krb5_get_err_text(context, ret)); - } - return 0; - } - ret = krb5_unparse_name_fixed(context, service, sname, sizeof(sname)); - if(ret) { - if (auth_debug_mode) { - printf ("Kerberos V5:" - " krb5_unparse_name_fixed failed (%s)\r\n", - krb5_get_err_text(context, ret)); - } - return 0; - } - printf("[ Trying %s (%s)... ]\r\n", name, sname); - ret = krb5_mk_req_exact(context, &auth_context, ap_opts, - service, - &cksum_data, ccache, &auth); - krb5_free_principal (context, service); - - } - if (ret) { - if (1 || auth_debug_mode) { - printf("Kerberos V5: mk_req failed (%s)\r\n", - krb5_get_err_text(context, ret)); - } - return(0); - } - - if (!auth_sendname((unsigned char *)UserNameRequested, - strlen(UserNameRequested))) { - if (auth_debug_mode) - printf("Not enough room for user name\r\n"); - return(0); - } - if (!Data(ap, KRB_AUTH, auth.data, auth.length)) { - if (auth_debug_mode) - printf("Not enough room for authentication data\r\n"); - return(0); - } - if (auth_debug_mode) { - printf("Sent Kerberos V5 credentials to server\r\n"); - } - return(1); -} - -int -kerberos5_send_mutual(Authenticator *ap) -{ - return kerberos5_send("mutual KERBEROS5", ap); -} - -int -kerberos5_send_oneway(Authenticator *ap) -{ - return kerberos5_send("KERBEROS5", ap); -} - -void -kerberos5_is(Authenticator *ap, unsigned char *data, int cnt) -{ - krb5_error_code ret; - krb5_data outbuf; - krb5_keyblock *key_block; - char *name; - krb5_principal server; - int zero = 0; - - if (cnt-- < 1) - return; - switch 
(*data++) { - case KRB_AUTH: - auth.data = (char *)data; - auth.length = cnt; - - auth_context = NULL; - - ret = krb5_auth_con_init (context, &auth_context); - if (ret) { - Data(ap, KRB_REJECT, "krb5_auth_con_init failed", -1); - auth_finished(ap, AUTH_REJECT); - if (auth_debug_mode) - printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n", - krb5_get_err_text(context, ret)); - return; - } - - ret = krb5_auth_con_setaddrs_from_fd (context, - auth_context, - &zero); - if (ret) { - Data(ap, KRB_REJECT, "krb5_auth_con_setaddrs_from_fd failed", -1); - auth_finished(ap, AUTH_REJECT); - if (auth_debug_mode) - printf("Kerberos V5: " - "krb5_auth_con_setaddrs_from_fd failed (%s)\r\n", - krb5_get_err_text(context, ret)); - return; - } - - ret = krb5_sock_to_principal (context, - 0, - "host", - KRB5_NT_SRV_HST, - &server); - if (ret) { - Data(ap, KRB_REJECT, "krb5_sock_to_principal failed", -1); - auth_finished(ap, AUTH_REJECT); - if (auth_debug_mode) - printf("Kerberos V5: " - "krb5_sock_to_principal failed (%s)\r\n", - krb5_get_err_text(context, ret)); - return; - } - - ret = krb5_rd_req(context, - &auth_context, - &auth, - server, - NULL, - NULL, - &ticket); - - krb5_free_principal (context, server); - if (ret) { - char *errbuf; - - asprintf(&errbuf, - "Read req failed: %s", - krb5_get_err_text(context, ret)); - Data(ap, KRB_REJECT, errbuf, -1); - if (auth_debug_mode) - printf("%s\r\n", errbuf); - free (errbuf); - return; - } - - { - char foo[2]; - - foo[0] = ap->type; - foo[1] = ap->way; - - ret = krb5_verify_authenticator_checksum(context, - auth_context, - foo, - sizeof(foo)); - - if (ret) { - char *errbuf; - asprintf(&errbuf, "Bad checksum: %s", - krb5_get_err_text(context, ret)); - Data(ap, KRB_REJECT, errbuf, -1); - if (auth_debug_mode) - printf ("%s\r\n", errbuf); - free(errbuf); - return; - } - } - ret = krb5_auth_con_getremotesubkey (context, - auth_context, - &key_block); - - if (ret) { - Data(ap, KRB_REJECT, "krb5_auth_con_getremotesubkey failed", -1); - 
auth_finished(ap, AUTH_REJECT); - if (auth_debug_mode) - printf("Kerberos V5: " - "krb5_auth_con_getremotesubkey failed (%s)\r\n", - krb5_get_err_text(context, ret)); - return; - } - - if (key_block == NULL) { - ret = krb5_auth_con_getkey(context, - auth_context, - &key_block); - } - if (ret) { - Data(ap, KRB_REJECT, "krb5_auth_con_getkey failed", -1); - auth_finished(ap, AUTH_REJECT); - if (auth_debug_mode) - printf("Kerberos V5: " - "krb5_auth_con_getkey failed (%s)\r\n", - krb5_get_err_text(context, ret)); - return; - } - if (key_block == NULL) { - Data(ap, KRB_REJECT, "no subkey received", -1); - auth_finished(ap, AUTH_REJECT); - if (auth_debug_mode) - printf("Kerberos V5: " - "krb5_auth_con_getremotesubkey returned NULL key\r\n"); - return; - } - - if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) { - ret = krb5_mk_rep(context, auth_context, &outbuf); - if (ret) { - Data(ap, KRB_REJECT, - "krb5_mk_rep failed", -1); - auth_finished(ap, AUTH_REJECT); - if (auth_debug_mode) - printf("Kerberos V5: " - "krb5_mk_rep failed (%s)\r\n", - krb5_get_err_text(context, ret)); - return; - } - Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length); - } - if (krb5_unparse_name(context, ticket->client, &name)) - name = 0; - - if(UserNameRequested && krb5_kuserok(context, - ticket->client, - UserNameRequested)) { - Data(ap, KRB_ACCEPT, name, name ? -1 : 0); - if (auth_debug_mode) { - printf("Kerberos5 identifies him as ``%s''\r\n", - name ? name : ""); - } - - if(key_block->keytype == ETYPE_DES_CBC_MD5 || - key_block->keytype == ETYPE_DES_CBC_MD4 || - key_block->keytype == ETYPE_DES_CBC_CRC) { - Session_Key skey; - - skey.type = SK_DES; - skey.length = 8; - skey.data = key_block->keyvalue.data; - encrypt_session_key(&skey, 0); - } - - } else { - char *msg; - - asprintf (&msg, "user `%s' is not authorized to " - "login as `%s'", - name ? name : "", - UserNameRequested ? 
UserNameRequested : ""); - if (msg == NULL) - Data(ap, KRB_REJECT, NULL, 0); - else { - Data(ap, KRB_REJECT, (void *)msg, -1); - free(msg); - } - auth_finished (ap, AUTH_REJECT); - krb5_free_keyblock_contents(context, key_block); - break; - } - auth_finished(ap, AUTH_USER); - krb5_free_keyblock_contents(context, key_block); - - break; - case KRB_FORWARD: { - struct passwd *pwd; - char ccname[1024]; /* XXX */ - krb5_data inbuf; - krb5_ccache ccache; - inbuf.data = (char *)data; - inbuf.length = cnt; - - pwd = getpwnam (UserNameRequested); - if (pwd == NULL) - break; - - snprintf (ccname, sizeof(ccname), - "FILE:/tmp/krb5cc_%u", pwd->pw_uid); - - ret = krb5_cc_resolve (context, ccname, &ccache); - if (ret) { - if (auth_debug_mode) - printf ("Kerberos V5: could not get ccache: %s\r\n", - krb5_get_err_text(context, ret)); - break; - } - - ret = krb5_cc_initialize (context, - ccache, - ticket->client); - if (ret) { - if (auth_debug_mode) - printf ("Kerberos V5: could not init ccache: %s\r\n", - krb5_get_err_text(context, ret)); - break; - } - -#if defined(DCE) - esetenv("KRB5CCNAME", ccname, 1); -#endif - ret = krb5_rd_cred2 (context, - auth_context, - ccache, - &inbuf); - if(ret) { - char *errbuf; - - asprintf (&errbuf, - "Read forwarded creds failed: %s", - krb5_get_err_text (context, ret)); - if(errbuf == NULL) - Data(ap, KRB_FORWARD_REJECT, NULL, 0); - else - Data(ap, KRB_FORWARD_REJECT, errbuf, -1); - if (auth_debug_mode) - printf("Could not read forwarded credentials: %s\r\n", - errbuf); - free (errbuf); - } else { - Data(ap, KRB_FORWARD_ACCEPT, 0, 0); -#if defined(DCE) - dfsfwd = 1; -#endif - } - chown (ccname + 5, pwd->pw_uid, -1); - if (auth_debug_mode) - printf("Forwarded credentials obtained\r\n"); - break; - } - default: - if (auth_debug_mode) - printf("Unknown Kerberos option %d\r\n", data[-1]); - Data(ap, KRB_REJECT, 0, 0); - break; - } -} - -void -kerberos5_reply(Authenticator *ap, unsigned char *data, int cnt) -{ - static int mutual_complete = 0; - - if 
(cnt-- < 1) - return; - switch (*data++) { - case KRB_REJECT: - if (cnt > 0) { - printf("[ Kerberos V5 refuses authentication because %.*s ]\r\n", - cnt, data); - } else - printf("[ Kerberos V5 refuses authentication ]\r\n"); - auth_send_retry(); - return; - case KRB_ACCEPT: { - krb5_error_code ret; - Session_Key skey; - krb5_keyblock *keyblock; - - if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL && - !mutual_complete) { - printf("[ Kerberos V5 accepted you, but didn't provide mutual authentication! ]\r\n"); - auth_send_retry(); - return; - } - if (cnt) - printf("[ Kerberos V5 accepts you as ``%.*s'' ]\r\n", cnt, data); - else - printf("[ Kerberos V5 accepts you ]\r\n"); - - ret = krb5_auth_con_getlocalsubkey (context, - auth_context, - &keyblock); - if (ret) - ret = krb5_auth_con_getkey (context, - auth_context, - &keyblock); - if(ret) { - printf("[ krb5_auth_con_getkey: %s ]\r\n", - krb5_get_err_text(context, ret)); - auth_send_retry(); - return; - } - - skey.type = SK_DES; - skey.length = 8; - skey.data = keyblock->keyvalue.data; - encrypt_session_key(&skey, 0); - krb5_free_keyblock_contents (context, keyblock); - auth_finished(ap, AUTH_USER); - if (forward_flags & OPTS_FORWARD_CREDS) - kerberos5_forward(ap); - break; - } - case KRB_RESPONSE: - if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) { - /* the rest of the reply should contain a krb_ap_rep */ - krb5_ap_rep_enc_part *reply; - krb5_data inbuf; - krb5_error_code ret; - - inbuf.length = cnt; - inbuf.data = (char *)data; - - ret = krb5_rd_rep(context, auth_context, &inbuf, &reply); - if (ret) { - printf("[ Mutual authentication failed: %s ]\r\n", - krb5_get_err_text (context, ret)); - auth_send_retry(); - return; - } - krb5_free_ap_rep_enc_part(context, reply); - mutual_complete = 1; - } - return; - case KRB_FORWARD_ACCEPT: - printf("[ Kerberos V5 accepted forwarded credentials ]\r\n"); - return; - case KRB_FORWARD_REJECT: - printf("[ Kerberos V5 refuses forwarded credentials because %.*s ]\r\n", - cnt, 
data); - return; - default: - if (auth_debug_mode) - printf("Unknown Kerberos option %d\r\n", data[-1]); - return; - } -} - -int -kerberos5_status(Authenticator *ap, char *name, size_t name_sz, int level) -{ - if (level < AUTH_USER) - return(level); - - if (UserNameRequested && - krb5_kuserok(context, - ticket->client, - UserNameRequested)) - { - strlcpy(name, UserNameRequested, name_sz); -#if defined(DCE) - dfsk5ok = 1; -#endif - return(AUTH_VALID); - } else - return(AUTH_USER); -} - -#define BUMP(buf, len) while (*(buf)) {++(buf), --(len);} -#define ADDC(buf, len, c) if ((len) > 0) {*(buf)++ = (c); --(len);} - -void -kerberos5_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen) -{ - int i; - - buf[buflen-1] = '\0'; /* make sure its NULL terminated */ - buflen -= 1; - - switch(data[3]) { - case KRB_REJECT: /* Rejected (reason might follow) */ - strlcpy((char *)buf, " REJECT ", buflen); - goto common; - - case KRB_ACCEPT: /* Accepted (name might follow) */ - strlcpy((char *)buf, " ACCEPT ", buflen); - common: - BUMP(buf, buflen); - if (cnt <= 4) - break; - ADDC(buf, buflen, '"'); - for (i = 4; i < cnt; i++) - ADDC(buf, buflen, data[i]); - ADDC(buf, buflen, '"'); - ADDC(buf, buflen, '\0'); - break; - - - case KRB_AUTH: /* Authentication data follows */ - strlcpy((char *)buf, " AUTH", buflen); - goto common2; - - case KRB_RESPONSE: - strlcpy((char *)buf, " RESPONSE", buflen); - goto common2; - - case KRB_FORWARD: /* Forwarded credentials follow */ - strlcpy((char *)buf, " FORWARD", buflen); - goto common2; - - case KRB_FORWARD_ACCEPT: /* Forwarded credentials accepted */ - strlcpy((char *)buf, " FORWARD_ACCEPT", buflen); - goto common2; - - case KRB_FORWARD_REJECT: /* Forwarded credentials rejected */ - /* (reason might follow) */ - strlcpy((char *)buf, " FORWARD_REJECT", buflen); - goto common2; - - default: - snprintf((char*)buf, buflen, " %d (unknown)", data[3]); - common2: - BUMP(buf, buflen); - for (i = 4; i < cnt; i++) { - 
snprintf((char*)buf, buflen, " %d", data[i]); - BUMP(buf, buflen); - } - break; - } -} - -void -kerberos5_forward(Authenticator *ap) -{ - krb5_error_code ret; - krb5_ccache ccache; - krb5_creds creds; - krb5_kdc_flags flags; - krb5_data out_data; - krb5_principal principal; - - ret = krb5_cc_default (context, &ccache); - if (ret) { - if (auth_debug_mode) - printf ("KerberosV5: could not get default ccache: %s\r\n", - krb5_get_err_text (context, ret)); - return; - } - - ret = krb5_cc_get_principal (context, ccache, &principal); - if (ret) { - if (auth_debug_mode) - printf ("KerberosV5: could not get principal: %s\r\n", - krb5_get_err_text (context, ret)); - return; - } - - memset (&creds, 0, sizeof(creds)); - - creds.client = principal; - - ret = krb5_build_principal (context, - &creds.server, - strlen(principal->realm), - principal->realm, - "krbtgt", - principal->realm, - NULL); - - if (ret) { - if (auth_debug_mode) - printf ("KerberosV5: could not get principal: %s\r\n", - krb5_get_err_text (context, ret)); - return; - } - - creds.times.endtime = 0; - - flags.i = 0; - flags.b.forwarded = 1; - if (forward_flags & OPTS_FORWARDABLE_CREDS) - flags.b.forwardable = 1; - - ret = krb5_get_forwarded_creds (context, - auth_context, - ccache, - flags.i, - RemoteHostName, - &creds, - &out_data); - if (ret) { - if (auth_debug_mode) - printf ("Kerberos V5: error getting forwarded creds: %s\r\n", - krb5_get_err_text (context, ret)); - return; - } - - if(!Data(ap, KRB_FORWARD, out_data.data, out_data.length)) { - if (auth_debug_mode) - printf("Not enough room for authentication data\r\n"); - } else { - if (auth_debug_mode) - printf("Forwarded local Kerberos V5 credentials to server\r\n"); - } -} - -#if defined(DCE) -/* if this was a K5 authentication try and join a PAG for the user. 
*/ -void -kerberos5_dfspag(void) -{ - if (dfsk5ok) { - dfspag = krb5_dfs_pag(context, dfsfwd, ticket->client, - UserNameRequested); - } -} -#endif - -int -kerberos5_set_forward(int on) -{ - if(on == 0) - forward_flags &= ~OPTS_FORWARD_CREDS; - if(on == 1) - forward_flags |= OPTS_FORWARD_CREDS; - if(on == -1) - forward_flags ^= OPTS_FORWARD_CREDS; - return 0; -} - -int -kerberos5_set_forwardable(int on) -{ - if(on == 0) - forward_flags &= ~OPTS_FORWARDABLE_CREDS; - if(on == 1) - forward_flags |= OPTS_FORWARDABLE_CREDS; - if(on == -1) - forward_flags ^= OPTS_FORWARDABLE_CREDS; - return 0; -} - -#endif /* KRB5 */ diff --git a/crypto/heimdal-0.6.3/appl/telnet/libtelnet/krb4encpwd.c b/crypto/heimdal-0.6.3/appl/telnet/libtelnet/krb4encpwd.c deleted file mode 100644 index 0a4ff86d85..0000000000 --- a/crypto/heimdal-0.6.3/appl/telnet/libtelnet/krb4encpwd.c +++ /dev/null 
@@ -1,436 +0,0 @@
-/*-
- * Copyright (c) 1992, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include
-
-RCSID("$Id: krb4encpwd.c,v 1.19 2001/02/15 04:20:52 assar Exp $");
-
-#ifdef KRB4_ENCPWD
-/*
- * COPYRIGHT (C) 1990 DIGITAL EQUIPMENT CORPORATION
- * ALL RIGHTS RESERVED
- *
- * "Digital Equipment Corporation authorizes the reproduction,
- * distribution and modification of this software subject to the following
- * restrictions:
- *
- * 1. Any partial or whole copy of this software, or any modification
- * thereof, must include this copyright notice in its entirety.
- *
- * 2. This software is supplied "as is" with no warranty of any kind,
- * expressed or implied, for any purpose, including any warranty of fitness
- * or merchantibility. DIGITAL assumes no responsibility for the use or
- * reliability of this software, nor promises to provide any form of
- * support for it on any basis.
- *
- * 3. Distribution of this software is authorized only if no profit or
- * remuneration of any kind is received in exchange for such distribution.
- *
- * 4. This software produces public key authentication certificates
- * bearing an expiration date established by DIGITAL and RSA Data
- * Security, Inc. It may cease to generate certificates after the expiration
- * date. Any modification of this software that changes or defeats
- * the expiration date or its effect is unauthorized.
- *
- * 5.
Software that will renew or extend the expiration date of - * authentication certificates produced by this software may be obtained - * from RSA Data Security, Inc., 10 Twin Dolphin Drive, Redwood City, CA - * 94065, (415)595-8782, or from DIGITAL" - * - */ - -#include -#include -#include -#include - -#include -#include -#include -#ifdef SOCKS -#include -#endif - -#include "encrypt.h" -#include "auth.h" -#include "misc.h" - -int krb_mk_encpwd_req (KTEXT, char *, char *, char *, char *, char *, char *); -int krb_rd_encpwd_req (KTEXT, char *, char *, u_long, AUTH_DAT *, char *, char *, char *, char *); - -extern auth_debug_mode; - -static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0, - AUTHTYPE_KRB4_ENCPWD, }; -static unsigned char str_name[1024] = { IAC, SB, TELOPT_AUTHENTICATION, - TELQUAL_NAME, }; - -#define KRB4_ENCPWD_AUTH 0 /* Authentication data follows */ -#define KRB4_ENCPWD_REJECT 1 /* Rejected (reason might follow) */ -#define KRB4_ENCPWD_ACCEPT 2 /* Accepted */ -#define KRB4_ENCPWD_CHALLENGE 3 /* Challenge for mutual auth. */ -#define KRB4_ENCPWD_ACK 4 /* Acknowledge */ - -#define KRB_SERVICE_NAME "rcmd" - -static KTEXT_ST auth; -static char name[ANAME_SZ]; -static char user_passwd[ANAME_SZ]; -static AUTH_DAT adat = { 0 }; -static des_key_schedule sched; -static char challenge[REALM_SZ]; - - static int -Data(ap, type, d, c) - Authenticator *ap; - int type; - void *d; - int c; -{ - unsigned char *p = str_data + 4; - unsigned char *cd = (unsigned char *)d; - - if (c == -1) - c = strlen(cd); - - if (0) { - printf("%s:%d: [%d] (%d)", - str_data[3] == TELQUAL_IS ? 
">>>IS" : ">>>REPLY", - str_data[3], - type, c); - printd(d, c); - printf("\r\n"); - } - *p++ = ap->type; - *p++ = ap->way; - *p++ = type; - while (c-- > 0) { - if ((*p++ = *cd++) == IAC) - *p++ = IAC; - } - *p++ = IAC; - *p++ = SE; - if (str_data[3] == TELQUAL_IS) - printsub('>', &str_data[2], p - (&str_data[2])); - return(telnet_net_write(str_data, p - str_data)); -} - - int -krb4encpwd_init(ap, server) - Authenticator *ap; - int server; -{ - char hostname[80], *cp, *realm; - des_clock skey; - - if (server) { - str_data[3] = TELQUAL_REPLY; - } else { - str_data[3] = TELQUAL_IS; - gethostname(hostname, sizeof(hostname)); - realm = krb_realmofhost(hostname); - cp = strchr(hostname, '.'); - if (*cp != NULL) *cp = NULL; - if (read_service_key(KRB_SERVICE_NAME, hostname, realm, 0, - KEYFILE, (char *)skey)) { - return(0); - } - } - return(1); -} - - int -krb4encpwd_send(ap) - Authenticator *ap; -{ - - printf("[ Trying KRB4ENCPWD ... ]\r\n"); - if (!UserNameRequested) { - return(0); - } - if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) { - return(0); - } - - if (!Data(ap, KRB4_ENCPWD_ACK, NULL, 0)) { - return(0); - } - - return(1); -} - - void -krb4encpwd_is(ap, data, cnt) - Authenticator *ap; - unsigned char *data; - int cnt; -{ - Session_Key skey; - des_cblock datablock; - char r_passwd[ANAME_SZ], r_user[ANAME_SZ]; - char lhostname[ANAME_SZ], *cp; - int r; - time_t now; - - if (cnt-- < 1) - return; - switch (*data++) { - case KRB4_ENCPWD_AUTH: - memmove(auth.dat, data, auth.length = cnt); - - gethostname(lhostname, sizeof(lhostname)); - if ((cp = strchr(lhostname, '.')) != 0) *cp = '\0'; - - if (r = krb_rd_encpwd_req(&auth, KRB_SERVICE_NAME, lhostname, 0, &adat, NULL, challenge, r_user, r_passwd)) { - Data(ap, KRB4_ENCPWD_REJECT, "Auth failed", -1); - auth_finished(ap, AUTH_REJECT); - return; - } - auth_encrypt_userpwd(r_passwd); - if (passwdok(UserNameRequested, UserPassword) == 0) { - /* - * illegal username and password - */ - Data(ap, 
KRB4_ENCPWD_REJECT, "Illegal password", -1); - auth_finished(ap, AUTH_REJECT); - return; - } - - memmove(session_key, adat.session, sizeof(des_cblock)); - Data(ap, KRB4_ENCPWD_ACCEPT, 0, 0); - auth_finished(ap, AUTH_USER); - break; - - case KRB4_ENCPWD_CHALLENGE: - /* - * Take the received random challenge text and save - * for future authentication. - */ - memmove(challenge, data, sizeof(des_cblock)); - break; - - - case KRB4_ENCPWD_ACK: - /* - * Receive ack, if mutual then send random challenge - */ - - /* - * If we are doing mutual authentication, get set up to send - * the challenge, and verify it when the response comes back. - */ - - if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) { - int i; - - time(&now); - snprintf(challenge, sizeof(challenge), "%x", now); - Data(ap, KRB4_ENCPWD_CHALLENGE, challenge, strlen(challenge)); - } - break; - - default: - Data(ap, KRB4_ENCPWD_REJECT, 0, 0); - break; - } -} - - - void -krb4encpwd_reply(ap, data, cnt) - Authenticator *ap; - unsigned char *data; - int cnt; -{ - Session_Key skey; - KTEXT_ST krb_token; - des_cblock enckey; - CREDENTIALS cred; - int r; - char randchal[REALM_SZ], instance[ANAME_SZ], *cp; - char hostname[80], *realm; - - if (cnt-- < 1) - return; - switch (*data++) { - case KRB4_ENCPWD_REJECT: - if (cnt > 0) { - printf("[ KRB4_ENCPWD refuses authentication because %.*s ]\r\n", - cnt, data); - } else - printf("[ KRB4_ENCPWD refuses authentication ]\r\n"); - auth_send_retry(); - return; - case KRB4_ENCPWD_ACCEPT: - printf("[ KRB4_ENCPWD accepts you ]\r\n"); - auth_finished(ap, AUTH_USER); - return; - case KRB4_ENCPWD_CHALLENGE: - /* - * Verify that the response to the challenge is correct. 
- */ - - gethostname(hostname, sizeof(hostname)); - realm = krb_realmofhost(hostname); - memmove(challenge, data, cnt); - memset(user_passwd, 0, sizeof(user_passwd)); - des_read_pw_string(user_passwd, sizeof(user_passwd)-1, "Password: ", 0); - UserPassword = user_passwd; - Challenge = challenge; - strlcpy(instance, RemoteHostName, sizeof(instance)); - if ((cp = strchr(instance, '.')) != 0) *cp = '\0'; - - if (r = krb_mk_encpwd_req(&krb_token, KRB_SERVICE_NAME, instance, realm, Challenge, UserNameRequested, user_passwd)) { - krb_token.length = 0; - } - - if (!Data(ap, KRB4_ENCPWD_AUTH, krb_token.dat, krb_token.length)) { - return; - } - - break; - - default: - return; - } -} - - int -krb4encpwd_status(ap, name, name_sz, level) - Authenticator *ap; - char *name; - size_t name_sz; - int level; -{ - - if (level < AUTH_USER) - return(level); - - if (UserNameRequested && passwdok(UserNameRequested, UserPassword)) { - strlcpy(name, UserNameRequested, name_sz); - return(AUTH_VALID); - } else { - return(AUTH_USER); - } -} - -#define BUMP(buf, len) while (*(buf)) {++(buf), --(len);} -#define ADDC(buf, len, c) if ((len) > 0) {*(buf)++ = (c); --(len);} - - void -krb4encpwd_printsub(data, cnt, buf, buflen) - unsigned char *data, *buf; - int cnt, buflen; -{ - int i; - - buf[buflen-1] = '\0'; /* make sure its NULL terminated */ - buflen -= 1; - - switch(data[3]) { - case KRB4_ENCPWD_REJECT: /* Rejected (reason might follow) */ - strlcpy((char *)buf, " REJECT ", buflen); - goto common; - - case KRB4_ENCPWD_ACCEPT: /* Accepted (name might follow) */ - strlcpy((char *)buf, " ACCEPT ", buflen); - common: - BUMP(buf, buflen); - if (cnt <= 4) - break; - ADDC(buf, buflen, '"'); - for (i = 4; i < cnt; i++) - ADDC(buf, buflen, data[i]); - ADDC(buf, buflen, '"'); - ADDC(buf, buflen, '\0'); - break; - - case KRB4_ENCPWD_AUTH: /* Authentication data follows */ - strlcpy((char *)buf, " AUTH", buflen); - goto common2; - - case KRB4_ENCPWD_CHALLENGE: - strlcpy((char *)buf, " CHALLENGE", 
buflen); - goto common2; - - case KRB4_ENCPWD_ACK: - strlcpy((char *)buf, " ACK", buflen); - goto common2; - - default: - snprintf(buf, buflen, " %d (unknown)", data[3]); - common2: - BUMP(buf, buflen); - for (i = 4; i < cnt; i++) { - snprintf(buf, buflen, " %d", data[i]); - BUMP(buf, buflen); - } - break; - } -} - -int passwdok(name, passwd) -char *name, *passwd; -{ - char *crypt(); - char *salt, *p; - struct passwd *pwd; - int passwdok_status = 0; - - if (pwd = k_getpwnam(name)) - salt = pwd->pw_passwd; - else salt = "xx"; - - p = crypt(passwd, salt); - - if (pwd && !strcmp(p, pwd->pw_passwd)) { - passwdok_status = 1; - } else passwdok_status = 0; - return(passwdok_status); -} - -#endif - -#ifdef notdef - -prkey(msg, key) - char *msg; - unsigned char *key; -{ - int i; - printf("%s:", msg); - for (i = 0; i < 8; i++) - printf(" %3d", key[i]); - printf("\r\n"); -} -#endif diff --git a/crypto/heimdal-0.6.3/appl/telnet/libtelnet/misc-proto.h b/crypto/heimdal-0.6.3/appl/telnet/libtelnet/misc-proto.h deleted file mode 100644 index 7bbafa5c94..0000000000 --- a/crypto/heimdal-0.6.3/appl/telnet/libtelnet/misc-proto.h +++ /dev/null 
@@ -1,79 +0,0 @@
-/*-
- * Copyright (c) 1991, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * @(#)misc-proto.h 8.1 (Berkeley) 6/4/93
- */
-
-/*
- * Copyright (C) 1990 by the Massachusetts Institute of Technology
- *
- * Export of this software from the United States of America is assumed
- * to require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-/* $Id: misc-proto.h,v 1.9 2000/11/15 23:00:21 assar Exp $ */
-
-#ifndef __MISC_PROTO__
-#define __MISC_PROTO__
-
-void auth_encrypt_init (const char *, const char *, const char *, int);
-void auth_encrypt_user(const char *name);
-void auth_encrypt_connect (int);
-void printd (const unsigned char *, int);
-
-char** genget (char *name, char **table, int stlen);
-int isprefix(char *s1, char *s2);
-int Ambiguous(void *s);
-
-/*
- * These functions are imported from the application
- */
-int telnet_net_write (unsigned char *, int);
-void net_encrypt (void);
-int telnet_spin (void);
-char *telnet_getenv (const char *);
-char *telnet_gets (char *, char *, int, int);
-void printsub(int direction, unsigned char *pointer, int length);
-#endif
diff --git a/crypto/heimdal-0.6.3/appl/telnet/libtelnet/misc.c b/crypto/heimdal-0.6.3/appl/telnet/libtelnet/misc.c
deleted file mode 100644
index b7af23756b..0000000000
--- a/crypto/heimdal-0.6.3/appl/telnet/libtelnet/misc.c
+++ /dev/null
@@ -1,95 +0,0 @@
-/*-
- * Copyright (c) 1991, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include
-
-RCSID("$Id: misc.c,v 1.15 2000/01/25 23:24:58 assar Exp $");
-
-#include
-#include
-#include
-#include
-#ifdef SOCKS
-#include
-#endif
-#include "misc.h"
-#include "auth.h"
-#include "encrypt.h"
-
-
-const char *RemoteHostName;
-const char *LocalHostName;
-char *UserNameRequested = 0;
-int ConnectedCount = 0;
-
-void
-auth_encrypt_init(const char *local, const char *remote, const char *name,
- int server)
-{
- RemoteHostName = remote;
- LocalHostName = local;
-#ifdef AUTHENTICATION
- auth_init(name, server);
-#endif
-#ifdef ENCRYPTION
- encrypt_init(name, server);
-#endif
- if (UserNameRequested) {
- free(UserNameRequested);
- UserNameRequested = 0;
- }
-}
-
-void
-auth_encrypt_user(const char *name)
-{
- if (UserNameRequested)
- free(UserNameRequested);
- UserNameRequested = name ? strdup(name) : 0;
-}
-
-void
-auth_encrypt_connect(int cnt)
-{
-}
-
-void
-printd(const unsigned char *data, int cnt)
-{
- if (cnt > 16)
- cnt = 16;
- while (cnt-- > 0) {
- printf(" %02x", *data);
- ++data;
- }
-}
diff --git a/crypto/heimdal-0.6.3/appl/telnet/libtelnet/misc.h b/crypto/heimdal-0.6.3/appl/telnet/libtelnet/misc.h
deleted file mode 100644
index e31556530a..0000000000
--- a/crypto/heimdal-0.6.3/appl/telnet/libtelnet/misc.h
+++ /dev/null
@@ -1,42 +0,0 @@
-/*-
- * Copyright (c) 1991, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * @(#)misc.h 8.1 (Berkeley) 6/4/93
- */
-
-extern char *UserNameRequested;
-extern const char *LocalHostName;
-extern const char *RemoteHostName;
-extern int ConnectedCount;
-extern int ReservedPort;
-
-#include "misc-proto.h"
diff --git a/crypto/heimdal-0.6.3/appl/telnet/libtelnet/rsaencpwd.c b/crypto/heimdal-0.6.3/appl/telnet/libtelnet/rsaencpwd.c
deleted file mode 100644
index 4c5e8751cb..0000000000
--- a/crypto/heimdal-0.6.3/appl/telnet/libtelnet/rsaencpwd.c
+++ /dev/null
@@ -1,487 +0,0 @@ -/*- - * Copyright (c) 1992, 1993 - * The Regents of the University of California. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include - -RCSID("$Id: rsaencpwd.c,v 1.19 2002/08/12 15:09:17 joda Exp $"); - -#ifdef RSA_ENCPWD -/* - * COPYRIGHT (C) 1990 DIGITAL EQUIPMENT CORPORATION - * ALL RIGHTS RESERVED - * - * "Digital Equipment Corporation authorizes the reproduction, - * distribution and modification of this software subject to the following - * restrictions: - * - * 1. Any partial or whole copy of this software, or any modification - * thereof, must include this copyright notice in its entirety. - * - * 2. This software is supplied "as is" with no warranty of any kind, - * expressed or implied, for any purpose, including any warranty of fitness - * or merchantibility. DIGITAL assumes no responsibility for the use or - * reliability of this software, nor promises to provide any form of - * support for it on any basis. - * - * 3. Distribution of this software is authorized only if no profit or - * remuneration of any kind is received in exchange for such distribution. - * - * 4. This software produces public key authentication certificates - * bearing an expiration date established by DIGITAL and RSA Data - * Security, Inc. It may cease to generate certificates after the expiration - * date. Any modification of this software that changes or defeats - * the expiration date or its effect is unauthorized. - * - * 5. 
Software that will renew or extend the expiration date of - * authentication certificates produced by this software may be obtained - * from RSA Data Security, Inc., 10 Twin Dolphin Drive, Redwood City, CA - * 94065, (415)595-8782, or from DIGITAL" - * - */ - -#include -#ifdef HAVE_ARPA_TELNET_H -#include -#endif -#include -#include - -#include -#include -#ifdef SOCKS -#include -#endif - -#include "encrypt.h" -#include "auth.h" -#include "misc.h" -#include "cdc.h" - -extern auth_debug_mode; - -static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0, - AUTHTYPE_RSA_ENCPWD, }; -static unsigned char str_name[1024] = { IAC, SB, TELOPT_AUTHENTICATION, - TELQUAL_NAME, }; - -#define RSA_ENCPWD_AUTH 0 /* Authentication data follows */ -#define RSA_ENCPWD_REJECT 1 /* Rejected (reason might follow) */ -#define RSA_ENCPWD_ACCEPT 2 /* Accepted */ -#define RSA_ENCPWD_CHALLENGEKEY 3 /* Challenge and public key */ - -#define NAME_SZ 40 -#define CHAL_SZ 20 -#define PWD_SZ 40 - -static KTEXT_ST auth; -static char name[NAME_SZ]; -static char user_passwd[PWD_SZ]; -static char key_file[2*NAME_SZ]; -static char lhostname[NAME_SZ]; -static char challenge[CHAL_SZ]; -static int challenge_len; - - static int -Data(ap, type, d, c) - Authenticator *ap; - int type; - void *d; - int c; -{ - unsigned char *p = str_data + 4; - unsigned char *cd = (unsigned char *)d; - - if (c == -1) - c = strlen((char *)cd); - - if (0) { - printf("%s:%d: [%d] (%d)", - str_data[3] == TELQUAL_IS ? 
">>>IS" : ">>>REPLY", - str_data[3], - type, c); - printd(d, c); - printf("\r\n"); - } - *p++ = ap->type; - *p++ = ap->way; - if (type != NULL) *p++ = type; - while (c-- > 0) { - if ((*p++ = *cd++) == IAC) - *p++ = IAC; - } - *p++ = IAC; - *p++ = SE; - if (str_data[3] == TELQUAL_IS) - printsub('>', &str_data[2], p - (&str_data[2])); - return(telnet_net_write(str_data, p - str_data)); -} - - int -rsaencpwd_init(ap, server) - Authenticator *ap; - int server; -{ - char *cp; - FILE *fp; - - if (server) { - str_data[3] = TELQUAL_REPLY; - memset(key_file, 0, sizeof(key_file)); - gethostname(lhostname, sizeof(lhostname)); - if ((cp = strchr(lhostname, '.')) != 0) *cp = '\0'; - snprintf(key_file, sizeof(key_file), - SYSCONFDIR "/.%s_privkey", lhostname); - if ((fp=fopen(key_file, "r"))==NULL) return(0); - fclose(fp); - } else { - str_data[3] = TELQUAL_IS; - } - return(1); -} - - int -rsaencpwd_send(ap) - Authenticator *ap; -{ - - printf("[ Trying RSAENCPWD ... ]\r\n"); - if (!UserNameRequested) { - return(0); - } - if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) { - return(0); - } - if (!Data(ap, NULL, NULL, 0)) { - return(0); - } - - - return(1); -} - - void -rsaencpwd_is(ap, data, cnt) - Authenticator *ap; - unsigned char *data; - int cnt; -{ - Session_Key skey; - des_cblock datablock; - char r_passwd[PWD_SZ], r_user[NAME_SZ]; - char *cp, key[160]; - char chalkey[160], *ptr; - FILE *fp; - int r, i, j, chalkey_len, len; - time_t now; - - cnt--; - switch (*data++) { - case RSA_ENCPWD_AUTH: - memmove(auth.dat, data, auth.length = cnt); - - if ((fp=fopen(key_file, "r"))==NULL) { - Data(ap, RSA_ENCPWD_REJECT, "Auth failed", -1); - auth_finished(ap, AUTH_REJECT); - return; - } - /* - * get privkey - */ - fscanf(fp, "%x;", &len); - for (i=0;iway & AUTH_HOW_MASK) == AUTH_HOW_ONE_WAY) { - int i; - - - time(&now); - if ((now % 2) == 0) { - snprintf(challenge, sizeof(challenge), "%x", now); - challenge_len = strlen(challenge); - } else { - strlcpy(challenge, 
"randchal", sizeof(challenge)); - challenge_len = 8; - } - - if ((fp=fopen(key_file, "r"))==NULL) { - Data(ap, RSA_ENCPWD_REJECT, "Auth failed", -1); - auth_finished(ap, AUTH_REJECT); - return; - } - /* - * skip privkey - */ - fscanf(fp, "%x;", &len); - for (i=0;i 0) { - printf("[ RSA_ENCPWD refuses authentication because %.*s ]\r\n", - cnt, data); - } else - printf("[ RSA_ENCPWD refuses authentication ]\r\n"); - auth_send_retry(); - return; - case RSA_ENCPWD_ACCEPT: - printf("[ RSA_ENCPWD accepts you ]\r\n"); - auth_finished(ap, AUTH_USER); - return; - case RSA_ENCPWD_CHALLENGEKEY: - /* - * Verify that the response to the challenge is correct. - */ - - memmove(chalkey, data, cnt); - ptr = (char *) &chalkey[0]; - ptr += DecodeHeaderLength(chalkey); - if (*ptr != 0x04) { - return; - } - *ptr++; - challenge_len = DecodeValueLength(ptr); - ptr += NumEncodeLengthOctets(challenge_len); - memmove(challenge, ptr, challenge_len); - ptr += challenge_len; - if (*ptr != 0x04) { - return; - } - *ptr++; - pubkey_len = DecodeValueLength(ptr); - ptr += NumEncodeLengthOctets(pubkey_len); - memmove(pubkey, ptr, pubkey_len); - memset(user_passwd, 0, sizeof(user_passwd)); - des_read_pw_string(user_passwd, sizeof(user_passwd)-1, "Password: ", 0); - UserPassword = user_passwd; - Challenge = challenge; - r = init_rsa_encpwd(&token, user_passwd, challenge, challenge_len, pubkey); - if (r < 0) { - token.length = 1; - } - - if (!Data(ap, RSA_ENCPWD_AUTH, token.dat, token.length)) { - return; - } - - break; - - default: - return; - } -} - - int -rsaencpwd_status(ap, name, name_sz, level) - Authenticator *ap; - char *name; - size_t name_sz; - int level; -{ - - if (level < AUTH_USER) - return(level); - - if (UserNameRequested && rsaencpwd_passwdok(UserNameRequested, UserPassword)) { - strlcpy(name, UserNameRequested, name_sz); - return(AUTH_VALID); - } else { - return(AUTH_USER); - } -} - -#define BUMP(buf, len) while (*(buf)) {++(buf), --(len);} -#define ADDC(buf, len, c) if ((len) > 0) 
{*(buf)++ = (c); --(len);} - - void -rsaencpwd_printsub(data, cnt, buf, buflen) - unsigned char *data, *buf; - int cnt, buflen; -{ - int i; - - buf[buflen-1] = '\0'; /* make sure its NULL terminated */ - buflen -= 1; - - switch(data[3]) { - case RSA_ENCPWD_REJECT: /* Rejected (reason might follow) */ - strlcpy((char *)buf, " REJECT ", buflen); - goto common; - - case RSA_ENCPWD_ACCEPT: /* Accepted (name might follow) */ - strlcpy((char *)buf, " ACCEPT ", buflen); - common: - BUMP(buf, buflen); - if (cnt <= 4) - break; - ADDC(buf, buflen, '"'); - for (i = 4; i < cnt; i++) - ADDC(buf, buflen, data[i]); - ADDC(buf, buflen, '"'); - ADDC(buf, buflen, '\0'); - break; - - case RSA_ENCPWD_AUTH: /* Authentication data follows */ - strlcpy((char *)buf, " AUTH", buflen); - goto common2; - - case RSA_ENCPWD_CHALLENGEKEY: - strlcpy((char *)buf, " CHALLENGEKEY", buflen); - goto common2; - - default: - snprintf(buf, buflen, " %d (unknown)", data[3]); - common2: - BUMP(buf, buflen); - for (i = 4; i < cnt; i++) { - snprintf(buf, buflen, " %d", data[i]); - BUMP(buf, buflen); - } - break; - } -} - -int rsaencpwd_passwdok(name, passwd) -char *name, *passwd; -{ - char *crypt(); - char *salt, *p; - struct passwd *pwd; - int passwdok_status = 0; - - if (pwd = k_getpwnam(name)) - salt = pwd->pw_passwd; - else salt = "xx"; - - p = crypt(passwd, salt); - - if (pwd && !strcmp(p, pwd->pw_passwd)) { - passwdok_status = 1; - } else passwdok_status = 0; - return(passwdok_status); -} - -#endif - -#ifdef notdef - -prkey(msg, key) - char *msg; - unsigned char *key; -{ - int i; - printf("%s:", msg); - for (i = 0; i < 8; i++) - printf(" %3d", key[i]); - printf("\r\n"); -} -#endif diff --git a/crypto/heimdal-0.6.3/appl/telnet/libtelnet/spx.c b/crypto/heimdal-0.6.3/appl/telnet/libtelnet/spx.c deleted file mode 100644 index 9155ef2f3d..0000000000 --- a/crypto/heimdal-0.6.3/appl/telnet/libtelnet/spx.c +++ /dev/null 
@@ -1,586 +0,0 @@ -/*- - * Copyright (c) 1992, 1993 - * The Regents of the University of California. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include - -RCSID("$Id: spx.c,v 1.17 1999/09/16 20:41:34 assar Exp $"); - -#ifdef SPX -/* - * COPYRIGHT (C) 1990 DIGITAL EQUIPMENT CORPORATION - * ALL RIGHTS RESERVED - * - * "Digital Equipment Corporation authorizes the reproduction, - * distribution and modification of this software subject to the following - * restrictions: - * - * 1. Any partial or whole copy of this software, or any modification - * thereof, must include this copyright notice in its entirety. - * - * 2. This software is supplied "as is" with no warranty of any kind, - * expressed or implied, for any purpose, including any warranty of fitness - * or merchantibility. DIGITAL assumes no responsibility for the use or - * reliability of this software, nor promises to provide any form of - * support for it on any basis. - * - * 3. Distribution of this software is authorized only if no profit or - * remuneration of any kind is received in exchange for such distribution. - * - * 4. This software produces public key authentication certificates - * bearing an expiration date established by DIGITAL and RSA Data - * Security, Inc. It may cease to generate certificates after the expiration - * date. Any modification of this software that changes or defeats - * the expiration date or its effect is unauthorized. - * - * 5. 
Software that will renew or extend the expiration date of - * authentication certificates produced by this software may be obtained - * from RSA Data Security, Inc., 10 Twin Dolphin Drive, Redwood City, CA - * 94065, (415)595-8782, or from DIGITAL" - * - */ - -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_ARPA_TELNET_H -#include -#endif -#include -#include "gssapi_defs.h" -#include -#include - -#include -#ifdef SOCKS -#include -#endif - -#include "encrypt.h" -#include "auth.h" -#include "misc.h" - -extern auth_debug_mode; - -static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0, - AUTHTYPE_SPX, }; -static unsigned char str_name[1024] = { IAC, SB, TELOPT_AUTHENTICATION, - TELQUAL_NAME, }; - -#define SPX_AUTH 0 /* Authentication data follows */ -#define SPX_REJECT 1 /* Rejected (reason might follow) */ -#define SPX_ACCEPT 2 /* Accepted */ - -static des_key_schedule sched; -static des_cblock challenge = { 0 }; - - -/*******************************************************************/ - -gss_OID_set actual_mechs; -gss_OID actual_mech_type, output_name_type; -int major_status, status, msg_ctx = 0, new_status; -int req_flags = 0, ret_flags, lifetime_rec; -gss_cred_id_t gss_cred_handle; -gss_ctx_id_t actual_ctxhandle, context_handle; -gss_buffer_desc output_token, input_token, input_name_buffer; -gss_buffer_desc status_string; -gss_name_t desired_targname, src_name; -gss_channel_bindings input_chan_bindings; -char lhostname[GSS_C_MAX_PRINTABLE_NAME]; -char targ_printable[GSS_C_MAX_PRINTABLE_NAME]; -int to_addr=0, from_addr=0; -char *address; -gss_buffer_desc fullname_buffer; -gss_OID fullname_type; -gss_cred_id_t gss_delegated_cred_handle; - -/*******************************************************************/ - - - - static int -Data(ap, type, d, c) - Authenticator *ap; - int type; - void *d; - int c; -{ - unsigned char *p = str_data + 4; - unsigned char *cd = (unsigned char *)d; - - if (c == -1) - c = strlen((char *)cd); - - if (0) { - 
printf("%s:%d: [%d] (%d)", - str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY", - str_data[3], - type, c); - printd(d, c); - printf("\r\n"); - } - *p++ = ap->type; - *p++ = ap->way; - *p++ = type; - while (c-- > 0) { - if ((*p++ = *cd++) == IAC) - *p++ = IAC; - } - *p++ = IAC; - *p++ = SE; - if (str_data[3] == TELQUAL_IS) - printsub('>', &str_data[2], p - (&str_data[2])); - return(telnet_net_write(str_data, p - str_data)); -} - - int -spx_init(ap, server) - Authenticator *ap; - int server; -{ - gss_cred_id_t tmp_cred_handle; - - if (server) { - str_data[3] = TELQUAL_REPLY; - gethostname(lhostname, sizeof(lhostname)); - snprintf (targ_printable, sizeof(targ_printable), - "SERVICE:rcmd@%s", lhostname); - input_name_buffer.length = strlen(targ_printable); - input_name_buffer.value = targ_printable; - major_status = gss_import_name(&status, - &input_name_buffer, - GSS_C_NULL_OID, - &desired_targname); - major_status = gss_acquire_cred(&status, - desired_targname, - 0, - GSS_C_NULL_OID_SET, - GSS_C_ACCEPT, - &tmp_cred_handle, - &actual_mechs, - &lifetime_rec); - if (major_status != GSS_S_COMPLETE) return(0); - } else { - str_data[3] = TELQUAL_IS; - } - return(1); -} - - int -spx_send(ap) - Authenticator *ap; -{ - des_cblock enckey; - int r; - - gss_OID actual_mech_type, output_name_type; - int msg_ctx = 0, new_status, status; - int req_flags = 0, ret_flags, lifetime_rec, major_status; - gss_buffer_desc output_token, input_token, input_name_buffer; - gss_buffer_desc output_name_buffer, status_string; - gss_name_t desired_targname; - gss_channel_bindings input_chan_bindings; - char targ_printable[GSS_C_MAX_PRINTABLE_NAME]; - int from_addr=0, to_addr=0, myhostlen, j; - int deleg_flag=1, mutual_flag=0, replay_flag=0, seq_flag=0; - char *address; - - printf("[ Trying SPX ... 
]\r\n"); - snprintf (targ_printable, sizeof(targ_printable), - "SERVICE:rcmd@%s", RemoteHostName); - - input_name_buffer.length = strlen(targ_printable); - input_name_buffer.value = targ_printable; - - if (!UserNameRequested) { - return(0); - } - - major_status = gss_import_name(&status, - &input_name_buffer, - GSS_C_NULL_OID, - &desired_targname); - - - major_status = gss_display_name(&status, - desired_targname, - &output_name_buffer, - &output_name_type); - - printf("target is '%s'\n", output_name_buffer.value); fflush(stdout); - - major_status = gss_release_buffer(&status, &output_name_buffer); - - input_chan_bindings = (gss_channel_bindings) - malloc(sizeof(gss_channel_bindings_desc)); - - input_chan_bindings->initiator_addrtype = GSS_C_AF_INET; - input_chan_bindings->initiator_address.length = 4; - address = (char *) malloc(4); - input_chan_bindings->initiator_address.value = (char *) address; - address[0] = ((from_addr & 0xff000000) >> 24); - address[1] = ((from_addr & 0xff0000) >> 16); - address[2] = ((from_addr & 0xff00) >> 8); - address[3] = (from_addr & 0xff); - input_chan_bindings->acceptor_addrtype = GSS_C_AF_INET; - input_chan_bindings->acceptor_address.length = 4; - address = (char *) malloc(4); - input_chan_bindings->acceptor_address.value = (char *) address; - address[0] = ((to_addr & 0xff000000) >> 24); - address[1] = ((to_addr & 0xff0000) >> 16); - address[2] = ((to_addr & 0xff00) >> 8); - address[3] = (to_addr & 0xff); - input_chan_bindings->application_data.length = 0; - - req_flags = 0; - if (deleg_flag) req_flags = req_flags | 1; - if (mutual_flag) req_flags = req_flags | 2; - if (replay_flag) req_flags = req_flags | 4; - if (seq_flag) req_flags = req_flags | 8; - - major_status = gss_init_sec_context(&status, /* minor status */ - GSS_C_NO_CREDENTIAL, /* cred handle */ - &actual_ctxhandle, /* ctx handle */ - desired_targname, /* target name */ - GSS_C_NULL_OID, /* mech type */ - req_flags, /* req flags */ - 0, /* time req */ - 
input_chan_bindings, /* chan binding */ - GSS_C_NO_BUFFER, /* input token */ - &actual_mech_type, /* actual mech */ - &output_token, /* output token */ - &ret_flags, /* ret flags */ - &lifetime_rec); /* time rec */ - - if ((major_status != GSS_S_COMPLETE) && - (major_status != GSS_S_CONTINUE_NEEDED)) { - gss_display_status(&new_status, - status, - GSS_C_MECH_CODE, - GSS_C_NULL_OID, - &msg_ctx, - &status_string); - printf("%s\n", status_string.value); - return(0); - } - - if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) { - return(0); - } - - if (!Data(ap, SPX_AUTH, output_token.value, output_token.length)) { - return(0); - } - - return(1); -} - - void -spx_is(ap, data, cnt) - Authenticator *ap; - unsigned char *data; - int cnt; -{ - Session_Key skey; - des_cblock datablock; - int r; - - if (cnt-- < 1) - return; - switch (*data++) { - case SPX_AUTH: - input_token.length = cnt; - input_token.value = (char *) data; - - gethostname(lhostname, sizeof(lhostname)); - - snprintf(targ_printable, sizeof(targ_printable), - "SERVICE:rcmd@%s", lhostname); - - input_name_buffer.length = strlen(targ_printable); - input_name_buffer.value = targ_printable; - - major_status = gss_import_name(&status, - &input_name_buffer, - GSS_C_NULL_OID, - &desired_targname); - - major_status = gss_acquire_cred(&status, - desired_targname, - 0, - GSS_C_NULL_OID_SET, - GSS_C_ACCEPT, - &gss_cred_handle, - &actual_mechs, - &lifetime_rec); - - major_status = gss_release_name(&status, desired_targname); - - input_chan_bindings = (gss_channel_bindings) - malloc(sizeof(gss_channel_bindings_desc)); - - input_chan_bindings->initiator_addrtype = GSS_C_AF_INET; - input_chan_bindings->initiator_address.length = 4; - address = (char *) malloc(4); - input_chan_bindings->initiator_address.value = (char *) address; - address[0] = ((from_addr & 0xff000000) >> 24); - address[1] = ((from_addr & 0xff0000) >> 16); - address[2] = ((from_addr & 0xff00) >> 8); - address[3] = (from_addr & 0xff); - 
input_chan_bindings->acceptor_addrtype = GSS_C_AF_INET; - input_chan_bindings->acceptor_address.length = 4; - address = (char *) malloc(4); - input_chan_bindings->acceptor_address.value = (char *) address; - address[0] = ((to_addr & 0xff000000) >> 24); - address[1] = ((to_addr & 0xff0000) >> 16); - address[2] = ((to_addr & 0xff00) >> 8); - address[3] = (to_addr & 0xff); - input_chan_bindings->application_data.length = 0; - - major_status = gss_accept_sec_context(&status, - &context_handle, - gss_cred_handle, - &input_token, - input_chan_bindings, - &src_name, - &actual_mech_type, - &output_token, - &ret_flags, - &lifetime_rec, - &gss_delegated_cred_handle); - - - if (major_status != GSS_S_COMPLETE) { - - major_status = gss_display_name(&status, - src_name, - &fullname_buffer, - &fullname_type); - Data(ap, SPX_REJECT, "auth failed", -1); - auth_finished(ap, AUTH_REJECT); - return; - } - - major_status = gss_display_name(&status, - src_name, - &fullname_buffer, - &fullname_type); - - - Data(ap, SPX_ACCEPT, output_token.value, output_token.length); - auth_finished(ap, AUTH_USER); - break; - - default: - Data(ap, SPX_REJECT, 0, 0); - break; - } -} - - - void -spx_reply(ap, data, cnt) - Authenticator *ap; - unsigned char *data; - int cnt; -{ - Session_Key skey; - - if (cnt-- < 1) - return; - switch (*data++) { - case SPX_REJECT: - if (cnt > 0) { - printf("[ SPX refuses authentication because %.*s ]\r\n", - cnt, data); - } else - printf("[ SPX refuses authentication ]\r\n"); - auth_send_retry(); - return; - case SPX_ACCEPT: - printf("[ SPX accepts you ]\r\n"); - if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) { - /* - * Send over the encrypted challenge. 
- */ - input_token.value = (char *) data; - input_token.length = cnt; - - major_status = gss_init_sec_context(&status, /* minor stat */ - GSS_C_NO_CREDENTIAL, /* cred handle */ - &actual_ctxhandle, /* ctx handle */ - desired_targname, /* target name */ - GSS_C_NULL_OID, /* mech type */ - req_flags, /* req flags */ - 0, /* time req */ - input_chan_bindings, /* chan binding */ - &input_token, /* input token */ - &actual_mech_type, /* actual mech */ - &output_token, /* output token */ - &ret_flags, /* ret flags */ - &lifetime_rec); /* time rec */ - - if (major_status != GSS_S_COMPLETE) { - gss_display_status(&new_status, - status, - GSS_C_MECH_CODE, - GSS_C_NULL_OID, - &msg_ctx, - &status_string); - printf("[ SPX mutual response fails ... '%s' ]\r\n", - status_string.value); - auth_send_retry(); - return; - } - } - auth_finished(ap, AUTH_USER); - return; - - default: - return; - } -} - - int -spx_status(ap, name, name_sz, level) - Authenticator *ap; - char *name; - size_t name_sz; - int level; -{ - - gss_buffer_desc fullname_buffer, acl_file_buffer; - gss_OID fullname_type; - char acl_file[160], fullname[160]; - int major_status, status = 0; - struct passwd *pwd; - - /* - * hard code fullname to - * "SPX:/C=US/O=Digital/OU=LKG/OU=Sphinx/OU=Users/CN=Kannan Alagappan" - * and acl_file to "~kannan/.sphinx" - */ - - pwd = k_getpwnam(UserNameRequested); - if (pwd == NULL) { - return(AUTH_USER); /* not authenticated */ - } - - snprintf (acl_file, sizeof(acl_file), - "%s/.sphinx", pwd->pw_dir); - - acl_file_buffer.value = acl_file; - acl_file_buffer.length = strlen(acl_file); - - major_status = gss_display_name(&status, - src_name, - &fullname_buffer, - &fullname_type); - - if (level < AUTH_USER) - return(level); - - major_status = gss__check_acl(&status, &fullname_buffer, - &acl_file_buffer); - - if (major_status == GSS_S_COMPLETE) { - strlcpy(name, UserNameRequested, name_sz); - return(AUTH_VALID); - } else { - return(AUTH_USER); - } - -} - -#define BUMP(buf, len) while 
(*(buf)) {++(buf), --(len);} -#define ADDC(buf, len, c) if ((len) > 0) {*(buf)++ = (c); --(len);} - - void -spx_printsub(data, cnt, buf, buflen) - unsigned char *data, *buf; - int cnt, buflen; -{ - int i; - - buf[buflen-1] = '\0'; /* make sure its NULL terminated */ - buflen -= 1; - - switch(data[3]) { - case SPX_REJECT: /* Rejected (reason might follow) */ - strlcpy((char *)buf, " REJECT ", buflen); - goto common; - - case SPX_ACCEPT: /* Accepted (name might follow) */ - strlcpy((char *)buf, " ACCEPT ", buflen); - common: - BUMP(buf, buflen); - if (cnt <= 4) - break; - ADDC(buf, buflen, '"'); - for (i = 4; i < cnt; i++) - ADDC(buf, buflen, data[i]); - ADDC(buf, buflen, '"'); - ADDC(buf, buflen, '\0'); - break; - - case SPX_AUTH: /* Authentication data follows */ - strlcpy((char *)buf, " AUTH", buflen); - goto common2; - - default: - snprintf(buf, buflen, " %d (unknown)", data[3]); - common2: - BUMP(buf, buflen); - for (i = 4; i < cnt; i++) { - snprintf(buf, buflen, " %d", data[i]); - BUMP(buf, buflen); - } - break; - } -} - -#endif - -#ifdef notdef - -prkey(msg, key) - char *msg; - unsigned char *key; -{ - int i; - printf("%s:", msg); - for (i = 0; i < 8; i++) - printf(" %3d", key[i]); - printf("\r\n"); -} -#endif diff --git a/crypto/heimdal-0.6.3/appl/telnet/telnet.state b/crypto/heimdal-0.6.3/appl/telnet/telnet.state deleted file mode 100644 index 1927a2b4bb..0000000000 --- a/crypto/heimdal-0.6.3/appl/telnet/telnet.state +++ /dev/null 
@@ -1,80 +0,0 @@
-
- Three pieces of state need to be kept for each side of each option.
- (You need the localside, sending WILL/WONT & receiving DO/DONT, and
- the remoteside, sending DO/DONT and receiving WILL/WONT)
-
- MY_STATE: What state am I in?
- WANT_STATE: What state do I want?
- WANT_RESP: How many requests have I initiated?
-
- Default values:
- MY_STATE = WANT_STATE = DONT
- WANT_RESP = 0
-
- The local setup will change based on the state of the Telnet
- variables. When we are the originator, we can either make the
- local setup changes at option request time (in which case if
- the option is denied we need to change things back) or when
- the option is acknowledged.
-
- To initiate a switch to NEW_STATE:
-
- if ((WANT_RESP == 0 && NEW_STATE == MY_STATE) ||
- WANT_STATE == NEW_STATE) {
- do nothing;
- } else {
- /*
- * This is where the logic goes to change the local setup
- * if we are doing so at request initiation
- */
- WANT_STATE = NEW_STATE;
- send NEW_STATE;
- WANT_RESP += 1;
- }
-
- When receiving NEW_STATE:
-
- if (WANT_RESP) {
- --WANT_RESP;
- if (WANT_RESP && (NEW_STATE == MY_STATE))
- --WANT_RESP;
- }
- if (WANT_RESP == 0) {
- if (NEW_STATE != WANT_STATE) {
- /*
- * This is where the logic goes to decide if it is ok
- * to switch to NEW_STATE, and if so, do any necessary
- * local setup changes.
- */
- if (ok_to_switch_to NEW_STATE)
- WANT_STATE = NEW_STATE;
- else
- WANT_RESP++;
-* if (MY_STATE != WANT_STATE)
- reply with WANT_STATE;
- } else {
- /*
- * This is where the logic goes to change the local setup
- * if we are doing so at request acknowledgment
- */
- }
- }
- MY_STATE = NEW_STATE;
-
-* This if() line is not needed, it should be ok to always do the
- "reply with WANT_STATE". With the if() line, asking to turn on
- an option that the other side doesn't understand is:
- Send DO option
- Recv WONT option
- Without the if() line, it is:
- Send DO option
- Recv WONT option
- Send DONT option
- If the other side does not expect to receive the latter case,
- but generates the latter case, then there is a potential for
- option negotiation loops. An implementation that does not expect
- to get the second case should not generate it, an implementation
- that does expect to get it may or may not generate it, and things
- will still work. Being conservative in what we send, we have the
- if() statement in, but we expect the other side to generate the
- last response.
diff --git a/crypto/heimdal-0.6.3/appl/telnet/telnet/externs.h b/crypto/heimdal-0.6.3/appl/telnet/telnet/externs.h
deleted file mode 100644
index 09f058c2be..0000000000
--- a/crypto/heimdal-0.6.3/appl/telnet/telnet/externs.h
+++ /dev/null
@@ -1,441 +0,0 @@ -/* - * Copyright (c) 1988, 1990, 1993 - * The Regents of the University of California. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- * - * @(#)externs.h 8.3 (Berkeley) 5/30/95 - */ - -/* $Id: externs.h,v 1.25 2002/08/28 20:58:23 joda Exp $ */ - -#ifndef BSD -# define BSD 43 -#endif - -#ifndef _POSIX_VDISABLE -# ifdef sun -# include /* pick up VDISABLE definition, mayby */ -# endif -# ifdef VDISABLE -# define _POSIX_VDISABLE VDISABLE -# else -# define _POSIX_VDISABLE ((cc_t)'\377') -# endif -#endif - -#define SUBBUFSIZE 256 - -extern int - autologin, /* Autologin enabled */ - skiprc, /* Don't process the ~/.telnetrc file */ - eight, /* use eight bit mode (binary in and/or out */ - binary, - flushout, /* flush output */ - connected, /* Are we connected to the other side? */ - globalmode, /* Mode tty should be in */ - telnetport, /* Are we connected to the telnet port? */ - localflow, /* Flow control handled locally */ - restartany, /* If flow control, restart output on any character */ - localchars, /* we recognize interrupt/quit */ - donelclchars, /* the user has set "localchars" */ - showoptions, - wantencryption, /* User has requested encryption */ - net, /* Network file descriptor */ - tin, /* Terminal input file descriptor */ - tout, /* Terminal output file descriptor */ - crlf, /* Should '\r' be mapped to (or )? */ - autoflush, /* flush output when interrupting? */ - autosynch, /* send interrupt characters with SYNCH? */ - SYNCHing, /* Is the stream in telnet SYNCH mode? */ - donebinarytoggle, /* the user has put us in binary */ - dontlecho, /* do we suppress local echoing right now? */ - crmod, - netdata, /* Print out network data flow */ - prettydump, /* Print "netdata" output in user readable format */ - termdata, /* Print out terminal data flow */ - debug; /* Debug level */ - -extern int intr_happened, intr_waiting; /* for interrupt handling */ - -extern cc_t escape; /* Escape to command mode */ -extern cc_t rlogin; /* Rlogin mode escape character */ -#ifdef KLUDGELINEMODE -extern cc_t echoc; /* Toggle local echoing */ -#endif - -extern char - *prompt; /* Prompt for command. 
*/ - -extern char - doopt[], - dont[], - will[], - wont[], - do_dont_resp[], - will_wont_resp[], - options[], /* All the little options */ - *hostname; /* Who are we connected to? */ -#if defined(ENCRYPTION) -extern void (*encrypt_output) (unsigned char *, int); -extern int (*decrypt_input) (int); -#endif - -/* - * We keep track of each side of the option negotiation. - */ - -#define MY_STATE_WILL 0x01 -#define MY_WANT_STATE_WILL 0x02 -#define MY_STATE_DO 0x04 -#define MY_WANT_STATE_DO 0x08 - -/* - * Macros to check the current state of things - */ - -#define my_state_is_do(opt) (options[opt]&MY_STATE_DO) -#define my_state_is_will(opt) (options[opt]&MY_STATE_WILL) -#define my_want_state_is_do(opt) (options[opt]&MY_WANT_STATE_DO) -#define my_want_state_is_will(opt) (options[opt]&MY_WANT_STATE_WILL) - -#define my_state_is_dont(opt) (!my_state_is_do(opt)) -#define my_state_is_wont(opt) (!my_state_is_will(opt)) -#define my_want_state_is_dont(opt) (!my_want_state_is_do(opt)) -#define my_want_state_is_wont(opt) (!my_want_state_is_will(opt)) - -#define set_my_state_do(opt) {options[opt] |= MY_STATE_DO;} -#define set_my_state_will(opt) {options[opt] |= MY_STATE_WILL;} -#define set_my_want_state_do(opt) {options[opt] |= MY_WANT_STATE_DO;} -#define set_my_want_state_will(opt) {options[opt] |= MY_WANT_STATE_WILL;} - -#define set_my_state_dont(opt) {options[opt] &= ~MY_STATE_DO;} -#define set_my_state_wont(opt) {options[opt] &= ~MY_STATE_WILL;} -#define set_my_want_state_dont(opt) {options[opt] &= ~MY_WANT_STATE_DO;} -#define set_my_want_state_wont(opt) {options[opt] &= ~MY_WANT_STATE_WILL;} - -/* - * Make everything symmetrical - */ - -#define HIS_STATE_WILL MY_STATE_DO -#define HIS_WANT_STATE_WILL MY_WANT_STATE_DO -#define HIS_STATE_DO MY_STATE_WILL -#define HIS_WANT_STATE_DO MY_WANT_STATE_WILL - -#define his_state_is_do my_state_is_will -#define his_state_is_will my_state_is_do -#define his_want_state_is_do my_want_state_is_will -#define his_want_state_is_will 
my_want_state_is_do - -#define his_state_is_dont my_state_is_wont -#define his_state_is_wont my_state_is_dont -#define his_want_state_is_dont my_want_state_is_wont -#define his_want_state_is_wont my_want_state_is_dont - -#define set_his_state_do set_my_state_will -#define set_his_state_will set_my_state_do -#define set_his_want_state_do set_my_want_state_will -#define set_his_want_state_will set_my_want_state_do - -#define set_his_state_dont set_my_state_wont -#define set_his_state_wont set_my_state_dont -#define set_his_want_state_dont set_my_want_state_wont -#define set_his_want_state_wont set_my_want_state_dont - - -extern FILE - *NetTrace; /* Where debugging output goes */ -extern char - NetTraceFile[]; /* Name of file where debugging output goes */ -extern void - SetNetTrace (char *); /* Function to change where debugging goes */ - -extern jmp_buf - peerdied, - toplevel; /* For error conditions. */ - -/* authenc.c */ - -#if defined(AUTHENTICATION) || defined(ENCRYPTION) -int telnet_net_write(unsigned char *str, int len); -void net_encrypt(void); -int telnet_spin(void); -char *telnet_getenv(const char *val); -char *telnet_gets(char *prompt, char *result, int length, int echo); -#endif - -/* commands.c */ - -struct env_lst *env_define (unsigned char *, unsigned char *); -struct env_lst *env_find(unsigned char *var); -void env_init (void); -void env_undefine (unsigned char *); -void env_export (unsigned char *); -void env_unexport (unsigned char *); -void env_send (unsigned char *); -void env_list (void); -unsigned char * env_default(int init, int welldefined); -unsigned char * env_getvalue(unsigned char *var); - -void set_escape_char(char *s); -int sourceroute(struct addrinfo *ai, char *arg, char **cpp, - int *prototp, int *optp); - -#if defined(AUTHENTICATION) -int auth_enable (char *); -int auth_disable (char *); -int auth_status (void); -#endif - -#if defined(ENCRYPTION) -int EncryptEnable (char *, char *); -int EncryptDisable (char *, char *); -int 
EncryptType (char *, char *); -int EncryptStart (char *); -int EncryptStartInput (void); -int EncryptStartOutput (void); -int EncryptStop (char *); -int EncryptStopInput (void); -int EncryptStopOutput (void); -int EncryptStatus (void); -#endif - -#ifdef SIGINFO -RETSIGTYPE ayt_status(int); -#endif -int tn(int argc, char **argv); -void command(int top, char *tbuf, int cnt); - -/* main.c */ - -void tninit(void); -void usage(void); -void set_forward_options(void); - -/* network.c */ - -void init_network(void); -int stilloob(void); -void setneturg(void); -int netflush(void); - -/* sys_bsd.c */ - -void init_sys(void); -int TerminalWrite(char *buf, int n); -int TerminalRead(unsigned char *buf, int n); -int TerminalAutoFlush(void); -int TerminalSpecialChars(int c); -void TerminalFlushOutput(void); -void TerminalSaveState(void); -void TerminalDefaultChars(void); -void TerminalNewMode(int f); -cc_t *tcval(int func); -void TerminalSpeeds(long *input_speed, long *output_speed); -int TerminalWindowSize(long *rows, long *cols); -int NetClose(int fd); -void NetNonblockingIO(int fd, int onoff); -int process_rings(int netin, int netout, int netex, int ttyin, int ttyout, - int poll); - -/* telnet.c */ - -void init_telnet(void); - -void tel_leave_binary(int rw); -void tel_enter_binary(int rw); -int opt_welldefined(char *ep); -int telrcv(void); -int rlogin_susp(void); -void intp(void); -void sendbrk(void); -void sendabort(void); -void sendsusp(void); -void sendeof(void); -void sendayt(void); - -void xmitAO(void); -void xmitEL(void); -void xmitEC(void); - - -void Dump (char, unsigned char *, int); -void printoption (char *, int, int); -void printsub (int, unsigned char *, int); -void sendnaws (void); -void setconnmode (int); -void setcommandmode (void); -void setneturg (void); -void sys_telnet_init (void); -void my_telnet (char *); -void tel_enter_binary (int); -void TerminalFlushOutput (void); -void TerminalNewMode (int); -void TerminalRestoreState (void); -void TerminalSaveState 
(void); -void willoption (int); -void wontoption (int); - - -void send_do (int, int); -void send_dont (int, int); -void send_will (int, int); -void send_wont (int, int); - -void lm_will (unsigned char *, int); -void lm_wont (unsigned char *, int); -void lm_do (unsigned char *, int); -void lm_dont (unsigned char *, int); -void lm_mode (unsigned char *, int, int); - -void slc_init (void); -void slcstate (void); -void slc_mode_export (void); -void slc_mode_import (int); -void slc_import (int); -void slc_export (void); -void slc (unsigned char *, int); -void slc_check (void); -void slc_start_reply (void); -void slc_add_reply (unsigned char, unsigned char, cc_t); -void slc_end_reply (void); -int slc_update (void); - -void env_opt (unsigned char *, int); -void env_opt_start (void); -void env_opt_start_info (void); -void env_opt_add (unsigned char *); -void env_opt_end (int); - -unsigned char *env_default (int, int); -unsigned char *env_getvalue (unsigned char *); - -int get_status (void); -int dosynch (void); - -cc_t *tcval (int); - -int quit (void); - -/* terminal.c */ - -void init_terminal(void); -int ttyflush(int drop); -int getconnmode(void); - -/* utilities.c */ - -int SetSockOpt(int fd, int level, int option, int yesno); -void SetNetTrace(char *file); -void Dump(char direction, unsigned char *buffer, int length); -void printoption(char *direction, int cmd, int option); -void optionstatus(void); -void printsub(int direction, unsigned char *pointer, int length); -void EmptyTerminal(void); -void SetForExit(void); -void Exit(int returnCode); -void ExitString(char *string, int returnCode); - -extern struct termios new_tc; - -# define termEofChar new_tc.c_cc[VEOF] -# define termEraseChar new_tc.c_cc[VERASE] -# define termIntChar new_tc.c_cc[VINTR] -# define termKillChar new_tc.c_cc[VKILL] -# define termQuitChar new_tc.c_cc[VQUIT] - -# ifndef VSUSP -extern cc_t termSuspChar; -# else -# define termSuspChar new_tc.c_cc[VSUSP] -# endif -# if defined(VFLUSHO) && 
!defined(VDISCARD) -# define VDISCARD VFLUSHO -# endif -# ifndef VDISCARD -extern cc_t termFlushChar; -# else -# define termFlushChar new_tc.c_cc[VDISCARD] -# endif -# ifndef VWERASE -extern cc_t termWerasChar; -# else -# define termWerasChar new_tc.c_cc[VWERASE] -# endif -# ifndef VREPRINT -extern cc_t termRprntChar; -# else -# define termRprntChar new_tc.c_cc[VREPRINT] -# endif -# ifndef VLNEXT -extern cc_t termLiteralNextChar; -# else -# define termLiteralNextChar new_tc.c_cc[VLNEXT] -# endif -# ifndef VSTART -extern cc_t termStartChar; -# else -# define termStartChar new_tc.c_cc[VSTART] -# endif -# ifndef VSTOP -extern cc_t termStopChar; -# else -# define termStopChar new_tc.c_cc[VSTOP] -# endif -# ifndef VEOL -extern cc_t termForw1Char; -# else -# define termForw1Char new_tc.c_cc[VEOL] -# endif -# ifndef VEOL2 -extern cc_t termForw2Char; -# else -# define termForw2Char new_tc.c_cc[VEOL] -# endif -# ifndef VSTATUS -extern cc_t termAytChar; -#else -# define termAytChar new_tc.c_cc[VSTATUS] -#endif - -/* Ring buffer structures which are shared */ - -extern Ring - netoring, - netiring, - ttyoring, - ttyiring; - -extern int resettermname; -extern int linemode; -#ifdef KLUDGELINEMODE -extern int kludgelinemode; -#endif -extern int want_status_response; diff --git a/crypto/heimdal-0.6.3/appl/telnet/telnetd/Makefile.am b/crypto/heimdal-0.6.3/appl/telnet/telnetd/Makefile.am deleted file mode 100644 index 19e10bc8b9..0000000000 --- a/crypto/heimdal-0.6.3/appl/telnet/telnetd/Makefile.am +++ /dev/null 
@@ -1,26 +0,0 @@
-# $Id: Makefile.am,v 1.18 2001/08/28 11:21:17 joda Exp $
-
-include $(top_srcdir)/Makefile.am.common
-
-INCLUDES += -I$(srcdir)/.. $(INCLUDE_krb4) $(INCLUDE_des)
-
-libexec_PROGRAMS = telnetd
-
-CHECK_LOCAL =
-
-telnetd_SOURCES = telnetd.c state.c termstat.c slc.c sys_term.c \
- utility.c global.c authenc.c defs.h ext.h telnetd.h
-
-man_MANS = telnetd.8
-
-LDADD = \
- ../libtelnet/libtelnet.a \
- $(LIB_krb5) \
- $(LIB_krb4) \
- $(LIB_des) \
- $(LIB_tgetent) \
- $(LIB_logwtmp) \
- $(LIB_logout) \
- $(LIB_openpty) \
- $(LIB_kdfs) \
- $(LIB_roken)
diff --git a/crypto/heimdal-0.6.3/appl/telnet/telnetd/Makefile.in b/crypto/heimdal-0.6.3/appl/telnet/telnetd/Makefile.in
deleted file mode 100644
index 1a14fc4f3e..0000000000
--- a/crypto/heimdal-0.6.3/appl/telnet/telnetd/Makefile.in
+++ /dev/null
@@ -1,831 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.18 2001/08/28 11:21:17 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - -SOURCES = $(telnetd_SOURCES) - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../../.. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ - $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common -libexec_PROGRAMS = telnetd$(EXEEXT) -subdir = appl/telnet/telnetd -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - 
$(top_srcdir)/cf/krb-struct-spwd.m4 \ - $(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -am__installdirs = "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(man8dir)" -libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -PROGRAMS = $(libexec_PROGRAMS) -am_telnetd_OBJECTS = telnetd.$(OBJEXT) state.$(OBJEXT) \ - termstat.$(OBJEXT) slc.$(OBJEXT) sys_term.$(OBJEXT) \ - utility.$(OBJEXT) global.$(OBJEXT) authenc.$(OBJEXT) -telnetd_OBJECTS = $(am_telnetd_OBJECTS) -telnetd_LDADD = $(LDADD) -@KRB5_TRUE@am__DEPENDENCIES_1 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la -am__DEPENDENCIES_2 = -@DCE_TRUE@am__DEPENDENCIES_3 = $(top_builddir)/lib/kdfs/libkdfs.la -telnetd_DEPENDENCIES = ../libtelnet/libtelnet.a $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_2) \ - $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_2) \ - $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_2) \ - $(am__DEPENDENCIES_3) $(am__DEPENDENCIES_2) -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -SOURCES = $(telnetd_SOURCES) -DIST_SOURCES = $(telnetd_SOURCES) -man8dir = $(mandir)/man8 -MANS = $(man_MANS) -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ 
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ 
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = 
@dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -I$(srcdir)/.. 
$(INCLUDE_krb4) $(INCLUDE_des) -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -CHECK_LOCAL = -telnetd_SOURCES = telnetd.c state.c termstat.c slc.c sys_term.c \ - utility.c global.c authenc.c defs.h ext.h telnetd.h - -man_MANS = telnetd.8 -LDADD = \ - ../libtelnet/libtelnet.a \ - $(LIB_krb5) \ - $(LIB_krb4) \ - $(LIB_des) \ - $(LIB_tgetent) \ - $(LIB_logwtmp) \ - $(LIB_logout) \ - $(LIB_openpty) \ - $(LIB_kdfs) \ - $(LIB_roken) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps appl/telnet/telnetd/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps appl/telnet/telnetd/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' 
in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -install-libexecPROGRAMS: $(libexec_PROGRAMS) - @$(NORMAL_INSTALL) - test -z "$(libexecdir)" || $(mkdir_p) "$(DESTDIR)$(libexecdir)" - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(libexecdir)/$$f'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(libexecdir)/$$f" || exit 1; \ - else :; fi; \ - done - -uninstall-libexecPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f '$(DESTDIR)$(libexecdir)/$$f'"; \ - rm -f "$(DESTDIR)$(libexecdir)/$$f"; \ - done - -clean-libexecPROGRAMS: - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -telnetd$(EXEEXT): $(telnetd_OBJECTS) $(telnetd_DEPENDENCIES) - @rm -f telnetd$(EXEEXT) - $(LINK) $(telnetd_LDFLAGS) $(telnetd_OBJECTS) $(telnetd_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - 
-rm -f *.tab.c - -.c.o: - $(COMPILE) -c $< - -.c.obj: - $(COMPILE) -c `$(CYGPATH_W) '$<'` - -.c.lo: - $(LTCOMPILE) -c -o $@ $< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -install-man8: $(man8_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - test -z "$(man8dir)" || $(mkdir_p) "$(DESTDIR)$(man8dir)" - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ - done -uninstall-man8: - @$(NORMAL_UNINSTALL) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ - rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ - done - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - 
mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/../../.. 
$(distdir)/../../../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) $(MANS) all-local -installdirs: - for dir in "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(man8dir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special 
tools to rebuild." -clean: clean-am - -clean-am: clean-generic clean-libexecPROGRAMS clean-libtool \ - mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: install-man - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: install-libexecPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man8 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-info-am uninstall-libexecPROGRAMS \ - uninstall-man - -uninstall-man: uninstall-man8 - -.PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \ - clean clean-generic clean-libexecPROGRAMS clean-libtool ctags \ - distclean distclean-compile distclean-generic \ - distclean-libtool distclean-tags distdir dvi dvi-am html \ - html-am info info-am install install-am install-data \ - install-data-am install-exec install-exec-am install-info \ - install-info-am install-libexecPROGRAMS install-man \ - install-man8 install-strip installcheck installcheck-am \ - installdirs maintainer-clean maintainer-clean-generic \ - mostlyclean mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool pdf pdf-am ps ps-am tags uninstall \ - uninstall-am uninstall-info-am uninstall-libexecPROGRAMS \ - uninstall-man uninstall-man8 - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo 
"*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) 
$(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal-0.6.3/appl/telnet/telnetd/authenc.c b/crypto/heimdal-0.6.3/appl/telnet/telnetd/authenc.c deleted file mode 100644 index 14594ea22c..0000000000 --- a/crypto/heimdal-0.6.3/appl/telnet/telnetd/authenc.c +++ /dev/null 
@@ -1,80 +0,0 @@
-/*-
- * Copyright (c) 1991, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "telnetd.h"
-
-RCSID("$Id: authenc.c,v 1.10 2000/11/15 23:20:43 assar Exp $");
-
-#ifdef AUTHENTICATION
-
-int
-telnet_net_write(unsigned char *str, int len)
-{
- if (nfrontp + len < netobuf + BUFSIZ) {
- memmove(nfrontp, str, len);
- nfrontp += len;
- return(len);
- }
- return(0);
-}
-
-void
-net_encrypt(void)
-{
-#ifdef ENCRYPTION
- char *s = (nclearto > nbackp) ? nclearto : nbackp;
- if (s < nfrontp && encrypt_output) {
- (*encrypt_output)((unsigned char *)s, nfrontp - s);
- }
- nclearto = nfrontp;
-#endif
-}
-
-int
-telnet_spin(void)
-{
- return ttloop();
-}
-
-char *
-telnet_getenv(const char *val)
-{
- return(getenv(val));
-}
-
-char *
-telnet_gets(char *prompt, char *result, int length, int echo)
-{
- return NULL;
-}
-#endif
diff --git a/crypto/heimdal-0.6.3/appl/telnet/telnetd/defs.h b/crypto/heimdal-0.6.3/appl/telnet/telnetd/defs.h
deleted file mode 100644
index add8fd2151..0000000000
--- a/crypto/heimdal-0.6.3/appl/telnet/telnetd/defs.h
+++ /dev/null
@@ -1,190 +0,0 @@
-/*
- * Copyright (c) 1989, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * @(#)defs.h 8.1 (Berkeley) 6/4/93
- */
-
-/*
- * Telnet server defines
- */
-
-#ifndef __DEFS_H__
-#define __DEFS_H__
-
-#ifndef BSD
-# define BSD 43
-#endif
-
-#if defined(PRINTOPTIONS) && defined(DIAGNOSTICS)
-#define TELOPTS
-#define TELCMDS
-#define SLC_NAMES
-#endif
-
-#if !defined(TIOCSCTTY) && defined(TCSETCTTY)
-# define TIOCSCTTY TCSETCTTY
-#endif
-
-#ifndef TIOCPKT_FLUSHWRITE
-#define TIOCPKT_FLUSHWRITE 0x02
-#endif
-
-#ifndef TIOCPKT_NOSTOP
-#define TIOCPKT_NOSTOP 0x10
-#endif
-
-#ifndef TIOCPKT_DOSTOP
-#define TIOCPKT_DOSTOP 0x20
-#endif
-
-/*
- * I/O data buffers defines
- */
-#define NETSLOP 64
-#ifdef _CRAY
-#undef BUFSIZ
-#define BUFSIZ 2048
-#endif
-
-#define NIACCUM(c) { *netip++ = c; \
- ncc++; \
- }
-
-/* clock manipulations */
-#define settimer(x) (clocks.x = ++clocks.system)
-#define sequenceIs(x,y) (clocks.x < clocks.y)
-
-/*
- * Structures of information for each special character function.
- */
-typedef struct {
- unsigned char flag; /* the flags for this function */
- cc_t val; /* the value of the special character */
-} slcent, *Slcent;
-
-typedef struct {
- slcent defset; /* the default settings */
- slcent current; /* the current settings */
- cc_t *sptr; /* a pointer to the char in */
- /* system data structures */
-} slcfun, *Slcfun;
-
-#ifdef DIAGNOSTICS
-/*
- * Diagnostics capabilities
- */
-#define TD_REPORT 0x01 /* Report operations to client */
-#define TD_EXERCISE 0x02 /* Exercise client's implementation */
-#define TD_NETDATA 0x04 /* Display received data stream */
-#define TD_PTYDATA 0x08 /* Display data passed to pty */
-#define TD_OPTIONS 0x10 /* Report just telnet options */
-#endif /* DIAGNOSTICS */
-
-/*
- * We keep track of each side of the option negotiation.
- */
-
-#define MY_STATE_WILL 0x01
-#define MY_WANT_STATE_WILL 0x02
-#define MY_STATE_DO 0x04
-#define MY_WANT_STATE_DO 0x08
-
-/*
- * Macros to check the current state of things
- */
-
-#define my_state_is_do(opt) (options[opt]&MY_STATE_DO)
-#define my_state_is_will(opt) (options[opt]&MY_STATE_WILL)
-#define my_want_state_is_do(opt) (options[opt]&MY_WANT_STATE_DO)
-#define my_want_state_is_will(opt) (options[opt]&MY_WANT_STATE_WILL)
-
-#define my_state_is_dont(opt) (!my_state_is_do(opt))
-#define my_state_is_wont(opt) (!my_state_is_will(opt))
-#define my_want_state_is_dont(opt) (!my_want_state_is_do(opt))
-#define my_want_state_is_wont(opt) (!my_want_state_is_will(opt))
-
-#define set_my_state_do(opt) (options[opt] |= MY_STATE_DO)
-#define set_my_state_will(opt) (options[opt] |= MY_STATE_WILL)
-#define set_my_want_state_do(opt) (options[opt] |= MY_WANT_STATE_DO)
-#define set_my_want_state_will(opt) (options[opt] |= MY_WANT_STATE_WILL)
-
-#define set_my_state_dont(opt) (options[opt] &= ~MY_STATE_DO)
-#define set_my_state_wont(opt) (options[opt] &= ~MY_STATE_WILL)
-#define set_my_want_state_dont(opt) (options[opt] &= ~MY_WANT_STATE_DO)
-#define set_my_want_state_wont(opt) (options[opt] &= ~MY_WANT_STATE_WILL)
-
-/*
- * Tricky code here. What we want to know is if the MY_STATE_WILL
- * and MY_WANT_STATE_WILL bits have the same value. Since the two
- * bits are adjacent, a little arithmatic will show that by adding
- * in the lower bit, the upper bit will be set if the two bits were
- * different, and clear if they were the same.
- */
-#define my_will_wont_is_changing(opt) \
- ((options[opt]+MY_STATE_WILL) & MY_WANT_STATE_WILL)
-
-#define my_do_dont_is_changing(opt) \
- ((options[opt]+MY_STATE_DO) & MY_WANT_STATE_DO)
-
-/*
- * Make everything symmetrical
- */
-
-#define HIS_STATE_WILL MY_STATE_DO
-#define HIS_WANT_STATE_WILL MY_WANT_STATE_DO
-#define HIS_STATE_DO MY_STATE_WILL
-#define HIS_WANT_STATE_DO MY_WANT_STATE_WILL
-
-#define his_state_is_do my_state_is_will
-#define his_state_is_will my_state_is_do
-#define his_want_state_is_do my_want_state_is_will
-#define his_want_state_is_will my_want_state_is_do
-
-#define his_state_is_dont my_state_is_wont
-#define his_state_is_wont my_state_is_dont
-#define his_want_state_is_dont my_want_state_is_wont
-#define his_want_state_is_wont my_want_state_is_dont
-
-#define set_his_state_do set_my_state_will
-#define set_his_state_will set_my_state_do
-#define set_his_want_state_do set_my_want_state_will
-#define set_his_want_state_will set_my_want_state_do
-
-#define set_his_state_dont set_my_state_wont
-#define set_his_state_wont set_my_state_dont
-#define set_his_want_state_dont set_my_want_state_wont
-#define set_his_want_state_wont set_my_want_state_dont
-
-#define his_will_wont_is_changing my_do_dont_is_changing
-#define his_do_dont_is_changing my_will_wont_is_changing
-
-#endif /* __DEFS_H__ */
diff --git a/crypto/heimdal-0.6.3/appl/telnet/telnetd/ext.h b/crypto/heimdal-0.6.3/appl/telnet/telnetd/ext.h
deleted file mode 100644
index 8f9993415e..0000000000
--- a/crypto/heimdal-0.6.3/appl/telnet/telnetd/ext.h
+++ /dev/null
@@ -1,208 +0,0 @@
-/*
- * Copyright (c) 1989, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * @(#)ext.h 8.2 (Berkeley) 12/15/93
- */
-
-/* $Id: ext.h,v 1.23 2001/08/29 00:45:22 assar Exp $ */
-
-#ifndef __EXT_H__
-#define __EXT_H__
-
-/*
- * Telnet server variable declarations
- */
-extern char options[256];
-extern char do_dont_resp[256];
-extern char will_wont_resp[256];
-extern int flowmode; /* current flow control state */
-extern int restartany; /* restart output on any character state */
-#ifdef DIAGNOSTICS
-extern int diagnostic; /* telnet diagnostic capabilities */
-#endif /* DIAGNOSTICS */
-extern int require_otp;
-#ifdef AUTHENTICATION
-extern int auth_level;
-#endif
-extern const char *new_login;
-
-extern slcfun slctab[NSLC + 1]; /* slc mapping table */
-
-extern char *terminaltype;
-
-/*
- * I/O data buffers, pointers, and counters.
- */
-extern char ptyobuf[BUFSIZ+NETSLOP], *pfrontp, *pbackp;
-
-extern char netibuf[BUFSIZ], *netip;
-
-extern char netobuf[BUFSIZ+NETSLOP], *nfrontp, *nbackp;
-extern char *neturg; /* one past last bye of urgent data */
-
-extern int pcc, ncc;
-
-extern int ourpty, net;
-extern char *line;
-extern int SYNCHing; /* we are in TELNET SYNCH mode */
-
-int telnet_net_write (unsigned char *str, int len);
-void net_encrypt (void);
-int telnet_spin (void);
-char *telnet_getenv (const char *val);
-char *telnet_gets (char *prompt, char *result, int length, int echo);
-void get_slc_defaults (void);
-void telrcv (void);
-void send_do (int option, int init);
-void willoption (int option);
-void send_dont (int option, int init);
-void wontoption (int option);
-void send_will (int option, int init);
-void dooption (int option);
-void send_wont (int option, int init);
-void dontoption (int option);
-void suboption (void);
-void doclientstat (void);
-void send_status (void);
-void init_termbuf (void);
-void set_termbuf (void);
-int spcset (int func, cc_t *valp, cc_t **valpp);
-void set_utid (void);
-int getpty (int *ptynum);
-int tty_isecho (void);
-int tty_flowmode (void);
-int tty_restartany (void);
-void tty_setecho (int on);
-int tty_israw (void);
-void tty_binaryin (int on);
-void tty_binaryout (int on);
-int tty_isbinaryin (void);
-int tty_isbinaryout (void);
-int tty_issofttab (void);
-void tty_setsofttab (int on);
-int tty_islitecho (void);
-void tty_setlitecho (int on);
-int tty_iscrnl (void);
-void tty_tspeed (int val);
-void tty_rspeed (int val);
-void getptyslave (void);
-int cleanopen (char *line);
-void startslave (const char *host, const char *, int autologin, char *autoname);
-void init_env (void);
-void start_login (const char *host, int autologin, char *name);
-void cleanup (int sig);
-int main (int argc, char **argv);
-int getterminaltype (char *name, size_t);
-void _gettermname (void);
-int terminaltypeok (char *s);
-void my_telnet (int f, int p, const char*, const char *, int, char*);
-void interrupt (void);
-void sendbrk (void);
-void sendsusp (void);
-void recv_ayt (void);
-void doeof (void);
-void flowstat (void);
-void clientstat (int code, int parm1, int parm2);
-int ttloop (void);
-int stilloob (int s);
-void ptyflush (void);
-char *nextitem (char *current);
-void netclear (void);
-void netflush (void);
-void writenet (unsigned char *ptr, int len);
-void fatal (int f, char *msg);
-void fatalperror (int f, const char *msg);
-void fatalperror_errno (int f, const char *msg, int error);
-void edithost (char *pat, char *host);
-void putstr (char *s);
-void putchr (int cc);
-void putf (char *cp, char *where);
-void printoption (char *fmt, int option);
-void printsub (int direction, unsigned char *pointer, int length);
-void printdata (char *tag, char *ptr, int cnt);
-int login_tty(int t);
-
-#ifdef ENCRYPTION
-extern void (*encrypt_output) (unsigned char *, int);
-extern int (*decrypt_input) (int);
-extern char *nclearto;
-#endif
-
-
-/*
- * The following are some clocks used to decide how to interpret
- * the relationship between various variables.
- */
-
-struct clocks_t{
- int
- system, /* what the current time is */
- echotoggle, /* last time user entered echo character */
- modenegotiated, /* last time operating mode negotiated */
- didnetreceive, /* last time we read data from network */
- ttypesubopt, /* ttype subopt is received */
- tspeedsubopt, /* tspeed subopt is received */
- environsubopt, /* environ subopt is received */
- oenvironsubopt, /* old environ subopt is received */
- xdisplocsubopt, /* xdisploc subopt is received */
- baseline, /* time started to do timed action */
- gotDM; /* when did we last see a data mark */
-};
-extern struct clocks_t clocks;
-
-extern int log_unauth;
-extern int no_warn;
-
-extern int def_tspeed, def_rspeed;
-#ifdef TIOCSWINSZ
-extern int def_row, def_col;
-#endif
-
-#ifdef STREAMSPTY
-extern int really_stream;
-#endif
-
-#ifndef USE_IM
-# ifdef CRAY
-# define USE_IM "Cray UNICOS (%h) (%t)"
-# endif
-# ifdef _AIX
-# define USE_IM "%s %v.%r (%h) (%t)"
-# endif
-# ifndef USE_IM
-# define USE_IM "%s %r (%h) (%t)"
-# endif
-#endif
-
-#define DEFAULT_IM "\r\n\r\n" USE_IM "\r\n\r\n\r\n"
-
-#endif /* __EXT_H__ */
diff --git a/crypto/heimdal-0.6.3/appl/telnet/telnetd/global.c b/crypto/heimdal-0.6.3/appl/telnet/telnetd/global.c
deleted file mode 100644
index 54d1a777ab..0000000000
--- a/crypto/heimdal-0.6.3/appl/telnet/telnetd/global.c
+++ /dev/null
@@ -1,107 +0,0 @@
-/*
- * Copyright (c) 1989, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* a *lot* of ugly global definitions that really should be removed...
- */
-
-#include "telnetd.h"
-
-RCSID("$Id: global.c,v 1.13 2001/07/19 16:00:42 assar Exp $");
-
-/*
- * Telnet server variable declarations
- */
-char options[256];
-char do_dont_resp[256];
-char will_wont_resp[256];
-int linemode; /* linemode on/off */
-int flowmode; /* current flow control state */
-int restartany; /* restart output on any character state */
-#ifdef DIAGNOSTICS
-int diagnostic; /* telnet diagnostic capabilities */
-#endif /* DIAGNOSTICS */
-int require_otp;
-
-slcfun slctab[NSLC + 1]; /* slc mapping table */
-
-char *terminaltype;
-
-/*
- * I/O data buffers, pointers, and counters.
- */
-char ptyobuf[BUFSIZ+NETSLOP], *pfrontp, *pbackp;
-
-char netibuf[BUFSIZ], *netip;
-
-char netobuf[BUFSIZ+NETSLOP], *nfrontp, *nbackp;
-char *neturg; /* one past last bye of urgent data */
-
-int pcc, ncc;
-
-int ourpty, net;
-int SYNCHing; /* we are in TELNET SYNCH mode */
-
-/*
- * The following are some clocks used to decide how to interpret
- * the relationship between various variables.
- */
-
-struct clocks_t clocks;
-
-
-/* whether to log unauthenticated login attempts */
-int log_unauth;
-
-/* do not print warning if connection is not encrypted */
-int no_warn;
-
-/*
- * This function appends data to nfrontp and advances nfrontp.
- */
-
-int
-output_data (const char *format, ...)
-{
- va_list args;
- int remaining, ret;
-
- va_start(args, format);
- remaining = BUFSIZ - (nfrontp - netobuf);
- ret = vsnprintf (nfrontp,
- remaining,
- format,
- args);
- nfrontp += min(ret, remaining-1);
- va_end(args);
- return ret;
-}
diff --git a/crypto/heimdal-0.6.3/appl/telnet/telnetd/slc.c b/crypto/heimdal-0.6.3/appl/telnet/telnetd/slc.c
deleted file mode 100644
index 799d2d807c..0000000000
--- a/crypto/heimdal-0.6.3/appl/telnet/telnetd/slc.c
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Copyright (c) 1989, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "telnetd.h"
-
-RCSID("$Id: slc.c,v 1.10 1997/05/11 06:30:00 assar Exp $");
-
-/*
- * get_slc_defaults
- *
- * Initialize the slc mapping table.
- */
-void
-get_slc_defaults(void)
-{
- int i;
-
- init_termbuf();
-
- for (i = 1; i <= NSLC; i++) {
- slctab[i].defset.flag =
- spcset(i, &slctab[i].defset.val, &slctab[i].sptr);
- slctab[i].current.flag = SLC_NOSUPPORT;
- slctab[i].current.val = 0;
- }
-
-}
diff --git a/crypto/heimdal-0.6.3/appl/telnet/telnetd/state.c b/crypto/heimdal-0.6.3/appl/telnet/telnetd/state.c
deleted file mode 100644
index 3bc7f63253..0000000000
--- a/crypto/heimdal-0.6.3/appl/telnet/telnetd/state.c
+++ /dev/null
@@ -1,1357 +0,0 @@ -/* - * Copyright (c) 1989, 1993 - * The Regents of the University of California. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "telnetd.h" - -RCSID("$Id: state.c,v 1.14.12.1 2004/06/21 08:21:58 lha Exp $"); - -unsigned char doopt[] = { IAC, DO, '%', 'c', 0 }; -unsigned char dont[] = { IAC, DONT, '%', 'c', 0 }; -unsigned char will[] = { IAC, WILL, '%', 'c', 0 }; -unsigned char wont[] = { IAC, WONT, '%', 'c', 0 }; -int not42 = 1; - -/* - * Buffer for sub-options, and macros - * for suboptions buffer manipulations - */ -unsigned char subbuffer[1024*64], *subpointer= subbuffer, *subend= subbuffer; - -#define SB_CLEAR() subpointer = subbuffer -#define SB_TERM() { subend = subpointer; SB_CLEAR(); } -#define SB_ACCUM(c) if (subpointer < (subbuffer+sizeof subbuffer)) { \ - *subpointer++ = (c); \ - } -#define SB_GET() ((*subpointer++)&0xff) -#define SB_EOF() (subpointer >= subend) -#define SB_LEN() (subend - subpointer) - -#ifdef ENV_HACK -unsigned char *subsave; -#define SB_SAVE() subsave = subpointer; -#define SB_RESTORE() subpointer = subsave; -#endif - - -/* - * State for recv fsm - */ -#define TS_DATA 0 /* base state */ -#define TS_IAC 1 /* look for double IAC's */ -#define TS_CR 2 /* CR-LF ->'s CR */ -#define TS_SB 3 /* throw away begin's... */ -#define TS_SE 4 /* ...end's (suboption negotiation) */ -#define TS_WILL 5 /* will option negotiation */ -#define TS_WONT 6 /* wont -''- */ -#define TS_DO 7 /* do -''- */ -#define TS_DONT 8 /* dont -''- */ - -void -telrcv(void) -{ - int c; - static int state = TS_DATA; - - while (ncc > 0) { - if ((&ptyobuf[BUFSIZ] - pfrontp) < 2) - break; - c = *netip++ & 0377, ncc--; -#ifdef ENCRYPTION - if (decrypt_input) - c = (*decrypt_input)(c); -#endif - switch (state) { - - case TS_CR: - state = TS_DATA; - /* Strip off \n or \0 after a \r */ - if ((c == 0) || (c == '\n')) { - break; - } - /* FALL THROUGH */ - - case TS_DATA: - if (c == IAC) { - state = TS_IAC; - break; - } - /* - * We now map \r\n ==> \r for pragmatic reasons. - * Many client implementations send \r\n when - * the user hits the CarriageReturn key. 
- * - * We USED to map \r\n ==> \n, since \r\n says - * that we want to be in column 1 of the next - * printable line, and \n is the standard - * unix way of saying that (\r is only good - * if CRMOD is set, which it normally is). - */ - if ((c == '\r') && his_state_is_wont(TELOPT_BINARY)) { - int nc = *netip; -#ifdef ENCRYPTION - if (decrypt_input) - nc = (*decrypt_input)(nc & 0xff); -#endif - { -#ifdef ENCRYPTION - if (decrypt_input) - (void)(*decrypt_input)(-1); -#endif - state = TS_CR; - } - } - *pfrontp++ = c; - break; - - case TS_IAC: - gotiac: switch (c) { - - /* - * Send the process on the pty side an - * interrupt. Do this with a NULL or - * interrupt char; depending on the tty mode. - */ - case IP: - DIAG(TD_OPTIONS, - printoption("td: recv IAC", c)); - interrupt(); - break; - - case BREAK: - DIAG(TD_OPTIONS, - printoption("td: recv IAC", c)); - sendbrk(); - break; - - /* - * Are You There? - */ - case AYT: - DIAG(TD_OPTIONS, - printoption("td: recv IAC", c)); - recv_ayt(); - break; - - /* - * Abort Output - */ - case AO: - { - DIAG(TD_OPTIONS, - printoption("td: recv IAC", c)); - ptyflush(); /* half-hearted */ - init_termbuf(); - - if (slctab[SLC_AO].sptr && - *slctab[SLC_AO].sptr != (cc_t)(_POSIX_VDISABLE)) { - *pfrontp++ = - (unsigned char)*slctab[SLC_AO].sptr; - } - - netclear(); /* clear buffer back */ - output_data ("%c%c", IAC, DM); - neturg = nfrontp-1; /* off by one XXX */ - DIAG(TD_OPTIONS, - printoption("td: send IAC", DM)); - break; - } - - /* - * Erase Character and - * Erase Line - */ - case EC: - case EL: - { - cc_t ch; - - DIAG(TD_OPTIONS, - printoption("td: recv IAC", c)); - ptyflush(); /* half-hearted */ - init_termbuf(); - if (c == EC) - ch = *slctab[SLC_EC].sptr; - else - ch = *slctab[SLC_EL].sptr; - if (ch != (cc_t)(_POSIX_VDISABLE)) - *pfrontp++ = (unsigned char)ch; - break; - } - - /* - * Check for urgent data... 
- */ - case DM: - DIAG(TD_OPTIONS, - printoption("td: recv IAC", c)); - SYNCHing = stilloob(net); - settimer(gotDM); - break; - - - /* - * Begin option subnegotiation... - */ - case SB: - state = TS_SB; - SB_CLEAR(); - continue; - - case WILL: - state = TS_WILL; - continue; - - case WONT: - state = TS_WONT; - continue; - - case DO: - state = TS_DO; - continue; - - case DONT: - state = TS_DONT; - continue; - case EOR: - if (his_state_is_will(TELOPT_EOR)) - doeof(); - break; - - /* - * Handle RFC 10xx Telnet linemode option additions - * to command stream (EOF, SUSP, ABORT). - */ - case xEOF: - doeof(); - break; - - case SUSP: - sendsusp(); - break; - - case ABORT: - sendbrk(); - break; - - case IAC: - *pfrontp++ = c; - break; - } - state = TS_DATA; - break; - - case TS_SB: - if (c == IAC) { - state = TS_SE; - } else { - SB_ACCUM(c); - } - break; - - case TS_SE: - if (c != SE) { - if (c != IAC) { - /* - * bad form of suboption negotiation. - * handle it in such a way as to avoid - * damage to local state. Parse - * suboption buffer found so far, - * then treat remaining stream as - * another command sequence. 
- */ - - /* for DIAGNOSTICS */ - SB_ACCUM(IAC); - SB_ACCUM(c); - subpointer -= 2; - - SB_TERM(); - suboption(); - state = TS_IAC; - goto gotiac; - } - SB_ACCUM(c); - state = TS_SB; - } else { - /* for DIAGNOSTICS */ - SB_ACCUM(IAC); - SB_ACCUM(SE); - subpointer -= 2; - - SB_TERM(); - suboption(); /* handle sub-option */ - state = TS_DATA; - } - break; - - case TS_WILL: - willoption(c); - state = TS_DATA; - continue; - - case TS_WONT: - wontoption(c); - if (c==TELOPT_ENCRYPT && his_do_dont_is_changing(TELOPT_ENCRYPT) ) - dontoption(c); - state = TS_DATA; - continue; - - case TS_DO: - dooption(c); - state = TS_DATA; - continue; - - case TS_DONT: - dontoption(c); - state = TS_DATA; - continue; - - default: - syslog(LOG_ERR, "telnetd: panic state=%d\n", state); - printf("telnetd: panic state=%d\n", state); - exit(1); - } - } -} /* end of telrcv */ - -/* - * The will/wont/do/dont state machines are based on Dave Borman's - * Telnet option processing state machine. - * - * These correspond to the following states: - * my_state = the last negotiated state - * want_state = what I want the state to go to - * want_resp = how many requests I have sent - * All state defaults are negative, and resp defaults to 0. - * - * When initiating a request to change state to new_state: - * - * if ((want_resp == 0 && new_state == my_state) || want_state == new_state) { - * do nothing; - * } else { - * want_state = new_state; - * send new_state; - * want_resp++; - * } - * - * When receiving new_state: - * - * if (want_resp) { - * want_resp--; - * if (want_resp && (new_state == my_state)) - * want_resp--; - * } - * if ((want_resp == 0) && (new_state != want_state)) { - * if (ok_to_switch_to new_state) - * want_state = new_state; - * else - * want_resp++; - * send want_state; - * } - * my_state = new_state; - * - * Note that new_state is implied in these functions by the function itself. - * will and do imply positive new_state, wont and dont imply negative. 
- * - * Finally, there is one catch. If we send a negative response to a - * positive request, my_state will be the positive while want_state will - * remain negative. my_state will revert to negative when the negative - * acknowlegment arrives from the peer. Thus, my_state generally tells - * us not only the last negotiated state, but also tells us what the peer - * wants to be doing as well. It is important to understand this difference - * as we may wish to be processing data streams based on our desired state - * (want_state) or based on what the peer thinks the state is (my_state). - * - * This all works fine because if the peer sends a positive request, the data - * that we receive prior to negative acknowlegment will probably be affected - * by the positive state, and we can process it as such (if we can; if we - * can't then it really doesn't matter). If it is that important, then the - * peer probably should be buffering until this option state negotiation - * is complete. - * - */ -void -send_do(int option, int init) -{ - if (init) { - if ((do_dont_resp[option] == 0 && his_state_is_will(option)) || - his_want_state_is_will(option)) - return; - /* - * Special case for TELOPT_TM: We send a DO, but pretend - * that we sent a DONT, so that we can send more DOs if - * we want to. - */ - if (option == TELOPT_TM) - set_his_want_state_wont(option); - else - set_his_want_state_will(option); - do_dont_resp[option]++; - } - output_data((const char *)doopt, option); - - DIAG(TD_OPTIONS, printoption("td: send do", option)); -} - -#ifdef AUTHENTICATION -extern void auth_request(void); -#endif -#ifdef ENCRYPTION -extern void encrypt_send_support(); -#endif - -void -willoption(int option) -{ - int changeok = 0; - void (*func)() = 0; - - /* - * process input from peer. 
- */ - - DIAG(TD_OPTIONS, printoption("td: recv will", option)); - - if (do_dont_resp[option]) { - do_dont_resp[option]--; - if (do_dont_resp[option] && his_state_is_will(option)) - do_dont_resp[option]--; - } - if (do_dont_resp[option] == 0) { - if (his_want_state_is_wont(option)) { - switch (option) { - - case TELOPT_BINARY: - init_termbuf(); - tty_binaryin(1); - set_termbuf(); - changeok++; - break; - - case TELOPT_ECHO: - /* - * See comments below for more info. - */ - not42 = 0; /* looks like a 4.2 system */ - break; - - case TELOPT_TM: - /* - * We never respond to a WILL TM, and - * we leave the state WONT. - */ - return; - - case TELOPT_LFLOW: - /* - * If we are going to support flow control - * option, then don't worry peer that we can't - * change the flow control characters. - */ - slctab[SLC_XON].defset.flag &= ~SLC_LEVELBITS; - slctab[SLC_XON].defset.flag |= SLC_DEFAULT; - slctab[SLC_XOFF].defset.flag &= ~SLC_LEVELBITS; - slctab[SLC_XOFF].defset.flag |= SLC_DEFAULT; - case TELOPT_TTYPE: - case TELOPT_SGA: - case TELOPT_NAWS: - case TELOPT_TSPEED: - case TELOPT_XDISPLOC: - case TELOPT_NEW_ENVIRON: - case TELOPT_OLD_ENVIRON: - changeok++; - break; - - -#ifdef AUTHENTICATION - case TELOPT_AUTHENTICATION: - func = auth_request; - changeok++; - break; -#endif - -#ifdef ENCRYPTION - case TELOPT_ENCRYPT: - func = encrypt_send_support; - changeok++; - break; -#endif - - default: - break; - } - if (changeok) { - set_his_want_state_will(option); - send_do(option, 0); - } else { - do_dont_resp[option]++; - send_dont(option, 0); - } - } else { - /* - * Option processing that should happen when - * we receive conformation of a change in - * state that we had requested. - */ - switch (option) { - case TELOPT_ECHO: - not42 = 0; /* looks like a 4.2 system */ - /* - * Egads, he responded "WILL ECHO". Turn - * it off right now! - */ - send_dont(option, 1); - /* - * "WILL ECHO". Kludge upon kludge! - * A 4.2 client is now echoing user input at - * the tty. 
This is probably undesireable and - * it should be stopped. The client will - * respond WONT TM to the DO TM that we send to - * check for kludge linemode. When the WONT TM - * arrives, linemode will be turned off and a - * change propogated to the pty. This change - * will cause us to process the new pty state - * in localstat(), which will notice that - * linemode is off and send a WILL ECHO - * so that we are properly in character mode and - * all is well. - */ - break; - -#ifdef AUTHENTICATION - case TELOPT_AUTHENTICATION: - func = auth_request; - break; -#endif - -#ifdef ENCRYPTION - case TELOPT_ENCRYPT: - func = encrypt_send_support; - break; -#endif - - case TELOPT_LFLOW: - func = flowstat; - break; - } - } - } - set_his_state_will(option); - if (func) - (*func)(); -} /* end of willoption */ - -void -send_dont(int option, int init) -{ - if (init) { - if ((do_dont_resp[option] == 0 && his_state_is_wont(option)) || - his_want_state_is_wont(option)) - return; - set_his_want_state_wont(option); - do_dont_resp[option]++; - } - output_data((const char *)dont, option); - - DIAG(TD_OPTIONS, printoption("td: send dont", option)); -} - -void -wontoption(int option) -{ - /* - * Process client input. - */ - - DIAG(TD_OPTIONS, printoption("td: recv wont", option)); - - if (do_dont_resp[option]) { - do_dont_resp[option]--; - if (do_dont_resp[option] && his_state_is_wont(option)) - do_dont_resp[option]--; - } - if (do_dont_resp[option] == 0) { - if (his_want_state_is_will(option)) { - /* it is always ok to change to negative state */ - switch (option) { - case TELOPT_ECHO: - not42 = 1; /* doesn't seem to be a 4.2 system */ - break; - - case TELOPT_BINARY: - init_termbuf(); - tty_binaryin(0); - set_termbuf(); - break; - - case TELOPT_TM: - /* - * If we get a WONT TM, and had sent a DO TM, - * don't respond with a DONT TM, just leave it - * as is. Short circut the state machine to - * achive this. 
- */ - set_his_want_state_wont(TELOPT_TM); - return; - - case TELOPT_LFLOW: - /* - * If we are not going to support flow control - * option, then let peer know that we can't - * change the flow control characters. - */ - slctab[SLC_XON].defset.flag &= ~SLC_LEVELBITS; - slctab[SLC_XON].defset.flag |= SLC_CANTCHANGE; - slctab[SLC_XOFF].defset.flag &= ~SLC_LEVELBITS; - slctab[SLC_XOFF].defset.flag |= SLC_CANTCHANGE; - break; - -#ifdef AUTHENTICATION - case TELOPT_AUTHENTICATION: - auth_finished(0, AUTH_REJECT); - break; -#endif - - /* - * For options that we might spin waiting for - * sub-negotiation, if the client turns off the - * option rather than responding to the request, - * we have to treat it here as if we got a response - * to the sub-negotiation, (by updating the timers) - * so that we'll break out of the loop. - */ - case TELOPT_TTYPE: - settimer(ttypesubopt); - break; - - case TELOPT_TSPEED: - settimer(tspeedsubopt); - break; - - case TELOPT_XDISPLOC: - settimer(xdisplocsubopt); - break; - - case TELOPT_OLD_ENVIRON: - settimer(oenvironsubopt); - break; - - case TELOPT_NEW_ENVIRON: - settimer(environsubopt); - break; - - default: - break; - } - set_his_want_state_wont(option); - if (his_state_is_will(option)) - send_dont(option, 0); - } else { - switch (option) { - case TELOPT_TM: - break; - -#ifdef AUTHENTICATION - case TELOPT_AUTHENTICATION: - auth_finished(0, AUTH_REJECT); - break; -#endif - default: - break; - } - } - } - set_his_state_wont(option); - -} /* end of wontoption */ - -void -send_will(int option, int init) -{ - if (init) { - if ((will_wont_resp[option] == 0 && my_state_is_will(option))|| - my_want_state_is_will(option)) - return; - set_my_want_state_will(option); - will_wont_resp[option]++; - } - output_data ((const char *)will, option); - - DIAG(TD_OPTIONS, printoption("td: send will", option)); -} - -/* - * When we get a DONT SGA, we will try once to turn it - * back on. If the other side responds DONT SGA, we - * leave it at that. 
This is so that when we talk to - * clients that understand KLUDGELINEMODE but not LINEMODE, - * we'll keep them in char-at-a-time mode. - */ -int turn_on_sga = 0; - -void -dooption(int option) -{ - int changeok = 0; - - /* - * Process client input. - */ - - DIAG(TD_OPTIONS, printoption("td: recv do", option)); - - if (will_wont_resp[option]) { - will_wont_resp[option]--; - if (will_wont_resp[option] && my_state_is_will(option)) - will_wont_resp[option]--; - } - if ((will_wont_resp[option] == 0) && (my_want_state_is_wont(option))) { - switch (option) { - case TELOPT_ECHO: - { - init_termbuf(); - tty_setecho(1); - set_termbuf(); - } - changeok++; - break; - - case TELOPT_BINARY: - init_termbuf(); - tty_binaryout(1); - set_termbuf(); - changeok++; - break; - - case TELOPT_SGA: - turn_on_sga = 0; - changeok++; - break; - - case TELOPT_STATUS: - changeok++; - break; - - case TELOPT_TM: - /* - * Special case for TM. We send a WILL, but - * pretend we sent a WONT. - */ - send_will(option, 0); - set_my_want_state_wont(option); - set_my_state_wont(option); - return; - - case TELOPT_LOGOUT: - /* - * When we get a LOGOUT option, respond - * with a WILL LOGOUT, make sure that - * it gets written out to the network, - * and then just go away... 
- */ - set_my_want_state_will(TELOPT_LOGOUT); - send_will(TELOPT_LOGOUT, 0); - set_my_state_will(TELOPT_LOGOUT); - netflush(); - cleanup(0); - /* NOT REACHED */ - break; - -#ifdef ENCRYPTION - case TELOPT_ENCRYPT: - changeok++; - break; -#endif - case TELOPT_LINEMODE: - case TELOPT_TTYPE: - case TELOPT_NAWS: - case TELOPT_TSPEED: - case TELOPT_LFLOW: - case TELOPT_XDISPLOC: -#ifdef TELOPT_ENVIRON - case TELOPT_NEW_ENVIRON: -#endif - case TELOPT_OLD_ENVIRON: - default: - break; - } - if (changeok) { - set_my_want_state_will(option); - send_will(option, 0); - } else { - will_wont_resp[option]++; - send_wont(option, 0); - } - } - set_my_state_will(option); - -} /* end of dooption */ - -void -send_wont(int option, int init) -{ - if (init) { - if ((will_wont_resp[option] == 0 && my_state_is_wont(option)) || - my_want_state_is_wont(option)) - return; - set_my_want_state_wont(option); - will_wont_resp[option]++; - } - output_data ((const char *)wont, option); - - DIAG(TD_OPTIONS, printoption("td: send wont", option)); -} - -void -dontoption(int option) -{ - /* - * Process client input. 
- */ - - - DIAG(TD_OPTIONS, printoption("td: recv dont", option)); - - if (will_wont_resp[option]) { - will_wont_resp[option]--; - if (will_wont_resp[option] && my_state_is_wont(option)) - will_wont_resp[option]--; - } - if ((will_wont_resp[option] == 0) && (my_want_state_is_will(option))) { - switch (option) { - case TELOPT_BINARY: - init_termbuf(); - tty_binaryout(0); - set_termbuf(); - break; - - case TELOPT_ECHO: /* we should stop echoing */ - { - init_termbuf(); - tty_setecho(0); - set_termbuf(); - } - break; - - case TELOPT_SGA: - set_my_want_state_wont(option); - if (my_state_is_will(option)) - send_wont(option, 0); - set_my_state_wont(option); - if (turn_on_sga ^= 1) - send_will(option, 1); - return; - - default: - break; - } - - set_my_want_state_wont(option); - if (my_state_is_will(option)) - send_wont(option, 0); - } - set_my_state_wont(option); - -} /* end of dontoption */ - -#ifdef ENV_HACK -int env_ovar = -1; -int env_ovalue = -1; -#else /* ENV_HACK */ -# define env_ovar OLD_ENV_VAR -# define env_ovalue OLD_ENV_VALUE -#endif /* ENV_HACK */ - -/* - * suboption() - * - * Look at the sub-option buffer, and try to be helpful to the other - * side. - * - * Currently we recognize: - * - * Terminal type is - * Linemode - * Window size - * Terminal speed - */ -void -suboption(void) -{ - int subchar; - - DIAG(TD_OPTIONS, {netflush(); printsub('<', subpointer, SB_LEN()+2);}); - - subchar = SB_GET(); - switch (subchar) { - case TELOPT_TSPEED: { - int xspeed, rspeed; - - if (his_state_is_wont(TELOPT_TSPEED)) /* Ignore if option disabled */ - break; - - settimer(tspeedsubopt); - - if (SB_EOF() || SB_GET() != TELQUAL_IS) - return; - - xspeed = atoi((char *)subpointer); - - while (SB_GET() != ',' && !SB_EOF()); - if (SB_EOF()) - return; - - rspeed = atoi((char *)subpointer); - clientstat(TELOPT_TSPEED, xspeed, rspeed); - - break; - - } /* end of case TELOPT_TSPEED */ - - case TELOPT_TTYPE: { /* Yaaaay! 
*/ - static char terminalname[41]; - - if (his_state_is_wont(TELOPT_TTYPE)) /* Ignore if option disabled */ - break; - settimer(ttypesubopt); - - if (SB_EOF() || SB_GET() != TELQUAL_IS) { - return; /* ??? XXX but, this is the most robust */ - } - - terminaltype = terminalname; - - while ((terminaltype < (terminalname + sizeof terminalname-1)) && - !SB_EOF()) { - int c; - - c = SB_GET(); - if (isupper(c)) { - c = tolower(c); - } - *terminaltype++ = c; /* accumulate name */ - } - *terminaltype = 0; - terminaltype = terminalname; - break; - } /* end of case TELOPT_TTYPE */ - - case TELOPT_NAWS: { - int xwinsize, ywinsize; - - if (his_state_is_wont(TELOPT_NAWS)) /* Ignore if option disabled */ - break; - - if (SB_EOF()) - return; - xwinsize = SB_GET() << 8; - if (SB_EOF()) - return; - xwinsize |= SB_GET(); - if (SB_EOF()) - return; - ywinsize = SB_GET() << 8; - if (SB_EOF()) - return; - ywinsize |= SB_GET(); - clientstat(TELOPT_NAWS, xwinsize, ywinsize); - - break; - - } /* end of case TELOPT_NAWS */ - - case TELOPT_STATUS: { - int mode; - - if (SB_EOF()) - break; - mode = SB_GET(); - switch (mode) { - case TELQUAL_SEND: - if (my_state_is_will(TELOPT_STATUS)) - send_status(); - break; - - case TELQUAL_IS: - break; - - default: - break; - } - break; - } /* end of case TELOPT_STATUS */ - - case TELOPT_XDISPLOC: { - if (SB_EOF() || SB_GET() != TELQUAL_IS) - return; - settimer(xdisplocsubopt); - subpointer[SB_LEN()] = '\0'; - esetenv("DISPLAY", (char *)subpointer, 1); - break; - } /* end of case TELOPT_XDISPLOC */ - -#ifdef TELOPT_NEW_ENVIRON - case TELOPT_NEW_ENVIRON: -#endif - case TELOPT_OLD_ENVIRON: { - int c; - char *cp, *varp, *valp; - - if (SB_EOF()) - return; - c = SB_GET(); - if (c == TELQUAL_IS) { - if (subchar == TELOPT_OLD_ENVIRON) - settimer(oenvironsubopt); - else - settimer(environsubopt); - } else if (c != TELQUAL_INFO) { - return; - } - -#ifdef TELOPT_NEW_ENVIRON - if (subchar == TELOPT_NEW_ENVIRON) { - while (!SB_EOF()) { - c = SB_GET(); - if ((c == 
NEW_ENV_VAR) || (c == ENV_USERVAR)) - break; - } - } else -#endif - { -#ifdef ENV_HACK - /* - * We only want to do this if we haven't already decided - * whether or not the other side has its VALUE and VAR - * reversed. - */ - if (env_ovar < 0) { - int last = -1; /* invalid value */ - int empty = 0; - int got_var = 0, got_value = 0, got_uservar = 0; - - /* - * The other side might have its VALUE and VAR values - * reversed. To be interoperable, we need to determine - * which way it is. If the first recognized character - * is a VAR or VALUE, then that will tell us what - * type of client it is. If the fist recognized - * character is a USERVAR, then we continue scanning - * the suboption looking for two consecutive - * VAR or VALUE fields. We should not get two - * consecutive VALUE fields, so finding two - * consecutive VALUE or VAR fields will tell us - * what the client is. - */ - SB_SAVE(); - while (!SB_EOF()) { - c = SB_GET(); - switch(c) { - case OLD_ENV_VAR: - if (last < 0 || last == OLD_ENV_VAR - || (empty && (last == OLD_ENV_VALUE))) - goto env_ovar_ok; - got_var++; - last = OLD_ENV_VAR; - break; - case OLD_ENV_VALUE: - if (last < 0 || last == OLD_ENV_VALUE - || (empty && (last == OLD_ENV_VAR))) - goto env_ovar_wrong; - got_value++; - last = OLD_ENV_VALUE; - break; - case ENV_USERVAR: - /* count strings of USERVAR as one */ - if (last != ENV_USERVAR) - got_uservar++; - if (empty) { - if (last == OLD_ENV_VALUE) - goto env_ovar_ok; - if (last == OLD_ENV_VAR) - goto env_ovar_wrong; - } - last = ENV_USERVAR; - break; - case ENV_ESC: - if (!SB_EOF()) - c = SB_GET(); - /* FALL THROUGH */ - default: - empty = 0; - continue; - } - empty = 1; - } - if (empty) { - if (last == OLD_ENV_VALUE) - goto env_ovar_ok; - if (last == OLD_ENV_VAR) - goto env_ovar_wrong; - } - /* - * Ok, the first thing was a USERVAR, and there - * are not two consecutive VAR or VALUE commands, - * and none of the VAR or VALUE commands are empty. 
- * If the client has sent us a well-formed option, - * then the number of VALUEs received should always - * be less than or equal to the number of VARs and - * USERVARs received. - * - * If we got exactly as many VALUEs as VARs and - * USERVARs, the client has the same definitions. - * - * If we got exactly as many VARs as VALUEs and - * USERVARS, the client has reversed definitions. - */ - if (got_uservar + got_var == got_value) { - env_ovar_ok: - env_ovar = OLD_ENV_VAR; - env_ovalue = OLD_ENV_VALUE; - } else if (got_uservar + got_value == got_var) { - env_ovar_wrong: - env_ovar = OLD_ENV_VALUE; - env_ovalue = OLD_ENV_VAR; - DIAG(TD_OPTIONS, { - output_data("ENVIRON VALUE and VAR are reversed!\r\n"); - }); - - } - } - SB_RESTORE(); -#endif - - while (!SB_EOF()) { - c = SB_GET(); - if ((c == env_ovar) || (c == ENV_USERVAR)) - break; - } - } - - if (SB_EOF()) - return; - - cp = varp = (char *)subpointer; - valp = 0; - - while (!SB_EOF()) { - c = SB_GET(); - if (subchar == TELOPT_OLD_ENVIRON) { - if (c == env_ovar) - c = NEW_ENV_VAR; - else if (c == env_ovalue) - c = NEW_ENV_VALUE; - } - switch (c) { - - case NEW_ENV_VALUE: - *cp = '\0'; - cp = valp = (char *)subpointer; - break; - - case NEW_ENV_VAR: - case ENV_USERVAR: - *cp = '\0'; - if (valp) - esetenv(varp, valp, 1); - else - unsetenv(varp); - cp = varp = (char *)subpointer; - valp = 0; - break; - - case ENV_ESC: - if (SB_EOF()) - break; - c = SB_GET(); - /* FALL THROUGH */ - default: - *cp++ = c; - break; - } - } - *cp = '\0'; - if (valp) - esetenv(varp, valp, 1); - else - unsetenv(varp); - break; - } /* end of case TELOPT_NEW_ENVIRON */ -#ifdef AUTHENTICATION - case TELOPT_AUTHENTICATION: - if (SB_EOF()) - break; - switch(SB_GET()) { - case TELQUAL_SEND: - case TELQUAL_REPLY: - /* - * These are sent by us and cannot be sent by - * the client. 
- */ - break; - case TELQUAL_IS: - auth_is(subpointer, SB_LEN()); - break; - case TELQUAL_NAME: - auth_name(subpointer, SB_LEN()); - break; - } - break; -#endif -#ifdef ENCRYPTION - case TELOPT_ENCRYPT: - if (SB_EOF()) - break; - switch(SB_GET()) { - case ENCRYPT_SUPPORT: - encrypt_support(subpointer, SB_LEN()); - break; - case ENCRYPT_IS: - encrypt_is(subpointer, SB_LEN()); - break; - case ENCRYPT_REPLY: - encrypt_reply(subpointer, SB_LEN()); - break; - case ENCRYPT_START: - encrypt_start(subpointer, SB_LEN()); - break; - case ENCRYPT_END: - encrypt_end(); - break; - case ENCRYPT_REQSTART: - encrypt_request_start(subpointer, SB_LEN()); - break; - case ENCRYPT_REQEND: - /* - * We can always send an REQEND so that we cannot - * get stuck encrypting. We should only get this - * if we have been able to get in the correct mode - * anyhow. - */ - encrypt_request_end(); - break; - case ENCRYPT_ENC_KEYID: - encrypt_enc_keyid(subpointer, SB_LEN()); - break; - case ENCRYPT_DEC_KEYID: - encrypt_dec_keyid(subpointer, SB_LEN()); - break; - default: - break; - } - break; -#endif - - default: - break; - } /* end of switch */ - -} /* end of suboption */ - -void -doclientstat(void) -{ - clientstat(TELOPT_LINEMODE, WILL, 0); -} - -#undef ADD -#define ADD(c) *ncp++ = c -#define ADD_DATA(c) { *ncp++ = c; if (c == SE || c == IAC) *ncp++ = c; } - -void -send_status(void) -{ - unsigned char statusbuf[256]; - unsigned char *ncp; - unsigned char i; - - ncp = statusbuf; - - netflush(); /* get rid of anything waiting to go out */ - - ADD(IAC); - ADD(SB); - ADD(TELOPT_STATUS); - ADD(TELQUAL_IS); - - /* - * We check the want_state rather than the current state, - * because if we received a DO/WILL for an option that we - * don't support, and the other side didn't send a DONT/WONT - * in response to our WONT/DONT, then the "state" will be - * WILL/DO, and the "want_state" will be WONT/DONT. We - * need to go by the latter. 
- */ - for (i = 0; i < (unsigned char)NTELOPTS; i++) { - if (my_want_state_is_will(i)) { - ADD(WILL); - ADD_DATA(i); - } - if (his_want_state_is_will(i)) { - ADD(DO); - ADD_DATA(i); - } - } - - if (his_want_state_is_will(TELOPT_LFLOW)) { - ADD(SB); - ADD(TELOPT_LFLOW); - if (flowmode) { - ADD(LFLOW_ON); - } else { - ADD(LFLOW_OFF); - } - ADD(SE); - - if (restartany >= 0) { - ADD(SB); - ADD(TELOPT_LFLOW); - if (restartany) { - ADD(LFLOW_RESTART_ANY); - } else { - ADD(LFLOW_RESTART_XON); - } - ADD(SE); - } - } - - - ADD(IAC); - ADD(SE); - - writenet(statusbuf, ncp - statusbuf); - netflush(); /* Send it on its way */ - - DIAG(TD_OPTIONS, - {printsub('>', statusbuf, ncp - statusbuf); netflush();}); -} diff --git a/crypto/heimdal-0.6.3/appl/telnet/telnetd/sys_term.c b/crypto/heimdal-0.6.3/appl/telnet/telnetd/sys_term.c deleted file mode 100644 index 3875847d8d..0000000000 --- a/crypto/heimdal-0.6.3/appl/telnet/telnetd/sys_term.c +++ /dev/null 
@@ -1,1914 +0,0 @@
-/*
- * Copyright (c) 1989, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "telnetd.h" - -RCSID("$Id: sys_term.c,v 1.104 2001/09/17 02:09:04 assar Exp $"); - -#if defined(_CRAY) || (defined(__hpux) && !defined(HAVE_UTMPX_H)) -# define PARENT_DOES_UTMP -#endif - -#ifdef HAVE_UTMP_H -#include -#endif - -#ifdef HAVE_UTMPX_H -#include -#endif - -#ifdef HAVE_UTMPX_H -struct utmpx wtmp; -#elif defined(HAVE_UTMP_H) -struct utmp wtmp; -#endif /* HAVE_UTMPX_H */ - -#ifdef HAVE_STRUCT_UTMP_UT_HOST -int utmp_len = sizeof(wtmp.ut_host); -#else -int utmp_len = MaxHostNameLen; -#endif - -#ifndef UTMP_FILE -#ifdef _PATH_UTMP -#define UTMP_FILE _PATH_UTMP -#else -#define UTMP_FILE "/etc/utmp" -#endif -#endif - -#if !defined(WTMP_FILE) && defined(_PATH_WTMP) -#define WTMP_FILE _PATH_WTMP -#endif - -#ifndef PARENT_DOES_UTMP -#ifdef WTMP_FILE -char wtmpf[] = WTMP_FILE; -#else -char wtmpf[] = "/usr/adm/wtmp"; -#endif -char utmpf[] = UTMP_FILE; -#else /* PARENT_DOES_UTMP */ -#ifdef WTMP_FILE -char wtmpf[] = WTMP_FILE; -#else -char wtmpf[] = "/etc/wtmp"; -#endif -#endif /* PARENT_DOES_UTMP */ - -#ifdef HAVE_TMPDIR_H -#include -#endif /* CRAY */ - -#ifdef STREAMSPTY - -#ifdef HAVE_SAC_H -#include -#endif - -#ifdef HAVE_SYS_STROPTS_H -#include -#endif - -#endif /* STREAMSPTY */ - -#undef NOERROR - -#ifdef HAVE_SYS_STREAM_H -#ifdef HAVE_SYS_UIO_H -#include -#endif -#ifdef __hpux -#undef SE -#endif -#include -#endif -#if !(defined(__sgi) || defined(__linux) || defined(_AIX)) && defined(HAVE_SYS_TTY) -#include -#endif -#ifdef t_erase -#undef t_erase -#undef t_kill -#undef t_intrc -#undef t_quitc -#undef t_startc -#undef t_stopc -#undef t_eofc -#undef t_brkc -#undef t_suspc -#undef t_dsuspc -#undef t_rprntc -#undef t_flushc -#undef t_werasc -#undef t_lnextc -#endif - -#ifdef HAVE_TERMIOS_H -#include -#else -#ifdef HAVE_TERMIO_H -#include -#endif -#endif - -#ifdef HAVE_UTIL_H -#include -#endif -#ifdef HAVE_LIBUTIL_H -#include -#endif - -# ifndef TCSANOW -# ifdef TCSETS -# define TCSANOW TCSETS -# define TCSADRAIN TCSETSW -# define tcgetattr(f, t) 
ioctl(f, TCGETS, (char *)t) -# else -# ifdef TCSETA -# define TCSANOW TCSETA -# define TCSADRAIN TCSETAW -# define tcgetattr(f, t) ioctl(f, TCGETA, (char *)t) -# else -# define TCSANOW TIOCSETA -# define TCSADRAIN TIOCSETAW -# define tcgetattr(f, t) ioctl(f, TIOCGETA, (char *)t) -# endif -# endif -# define tcsetattr(f, a, t) ioctl(f, a, t) -# define cfsetospeed(tp, val) (tp)->c_cflag &= ~CBAUD; \ -(tp)->c_cflag |= (val) -# define cfgetospeed(tp) ((tp)->c_cflag & CBAUD) -# ifdef CIBAUD -# define cfsetispeed(tp, val) (tp)->c_cflag &= ~CIBAUD; \ - (tp)->c_cflag |= ((val)<c_cflag & CIBAUD)>>IBSHIFT) -# else -# define cfsetispeed(tp, val) (tp)->c_cflag &= ~CBAUD; \ - (tp)->c_cflag |= (val) -# define cfgetispeed(tp) ((tp)->c_cflag & CBAUD) -# endif -# endif /* TCSANOW */ - struct termios termbuf, termbuf2; /* pty control structure */ -# ifdef STREAMSPTY - static int ttyfd = -1; - int really_stream = 0; -# endif - - const char *new_login = _PATH_LOGIN; - -/* - * init_termbuf() - * copy_termbuf(cp) - * set_termbuf() - * - * These three routines are used to get and set the "termbuf" structure - * to and from the kernel. init_termbuf() gets the current settings. - * copy_termbuf() hands in a new "termbuf" to write to the kernel, and - * set_termbuf() writes the structure into the kernel. - */ - - void - init_termbuf(void) -{ -# ifdef STREAMSPTY - if (really_stream) - tcgetattr(ttyfd, &termbuf); - else -# endif - tcgetattr(ourpty, &termbuf); - termbuf2 = termbuf; -} - -void -set_termbuf(void) -{ - /* - * Only make the necessary changes. - */ - if (memcmp(&termbuf, &termbuf2, sizeof(termbuf))) -# ifdef STREAMSPTY - if (really_stream) - tcsetattr(ttyfd, TCSANOW, &termbuf); - else -# endif - tcsetattr(ourpty, TCSANOW, &termbuf); -} - - -/* - * spcset(func, valp, valpp) - * - * This function takes various special characters (func), and - * sets *valp to the current value of that character, and - * *valpp to point to where in the "termbuf" structure that - * value is kept. 
- * - * It returns the SLC_ level of support for this function. - */ - - -int -spcset(int func, cc_t *valp, cc_t **valpp) -{ - -#define setval(a, b) *valp = termbuf.c_cc[a]; \ - *valpp = &termbuf.c_cc[a]; \ - return(b); -#define defval(a) *valp = ((cc_t)a); *valpp = (cc_t *)0; return(SLC_DEFAULT); - - switch(func) { - case SLC_EOF: - setval(VEOF, SLC_VARIABLE); - case SLC_EC: - setval(VERASE, SLC_VARIABLE); - case SLC_EL: - setval(VKILL, SLC_VARIABLE); - case SLC_IP: - setval(VINTR, SLC_VARIABLE|SLC_FLUSHIN|SLC_FLUSHOUT); - case SLC_ABORT: - setval(VQUIT, SLC_VARIABLE|SLC_FLUSHIN|SLC_FLUSHOUT); - case SLC_XON: -#ifdef VSTART - setval(VSTART, SLC_VARIABLE); -#else - defval(0x13); -#endif - case SLC_XOFF: -#ifdef VSTOP - setval(VSTOP, SLC_VARIABLE); -#else - defval(0x11); -#endif - case SLC_EW: -#ifdef VWERASE - setval(VWERASE, SLC_VARIABLE); -#else - defval(0); -#endif - case SLC_RP: -#ifdef VREPRINT - setval(VREPRINT, SLC_VARIABLE); -#else - defval(0); -#endif - case SLC_LNEXT: -#ifdef VLNEXT - setval(VLNEXT, SLC_VARIABLE); -#else - defval(0); -#endif - case SLC_AO: -#if !defined(VDISCARD) && defined(VFLUSHO) -# define VDISCARD VFLUSHO -#endif -#ifdef VDISCARD - setval(VDISCARD, SLC_VARIABLE|SLC_FLUSHOUT); -#else - defval(0); -#endif - case SLC_SUSP: -#ifdef VSUSP - setval(VSUSP, SLC_VARIABLE|SLC_FLUSHIN); -#else - defval(0); -#endif -#ifdef VEOL - case SLC_FORW1: - setval(VEOL, SLC_VARIABLE); -#endif -#ifdef VEOL2 - case SLC_FORW2: - setval(VEOL2, SLC_VARIABLE); -#endif - case SLC_AYT: -#ifdef VSTATUS - setval(VSTATUS, SLC_VARIABLE); -#else - defval(0); -#endif - - case SLC_BRK: - case SLC_SYNCH: - case SLC_EOR: - defval(0); - - default: - *valp = 0; - *valpp = 0; - return(SLC_NOSUPPORT); - } -} - -#ifdef _CRAY -/* - * getnpty() - * - * Return the number of pty's configured into the system. 
- */ -int -getnpty() -{ -#ifdef _SC_CRAY_NPTY - int numptys; - - if ((numptys = sysconf(_SC_CRAY_NPTY)) != -1) - return numptys; - else -#endif /* _SC_CRAY_NPTY */ - return 128; -} -#endif /* CRAY */ - -/* - * getpty() - * - * Allocate a pty. As a side effect, the external character - * array "line" contains the name of the slave side. - * - * Returns the file descriptor of the opened pty. - */ - -static char Xline[] = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"; -char *line = Xline; - -#ifdef _CRAY -char myline[] = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"; -#endif /* CRAY */ - -#if !defined(HAVE_PTSNAME) && defined(STREAMSPTY) -static char *ptsname(int fd) -{ -#ifdef HAVE_TTYNAME - return ttyname(fd); -#else - return NULL; -#endif -} -#endif - -int getpty(int *ptynum) -{ -#ifdef __osf__ /* XXX */ - int master; - int slave; - if(openpty(&master, &slave, line, 0, 0) == 0){ - close(slave); - return master; - } - return -1; -#else -#ifdef HAVE__GETPTY - int master, slave; - char *p; - p = _getpty(&master, O_RDWR, 0600, 1); - if(p == NULL) - return -1; - strlcpy(line, p, sizeof(Xline)); - return master; -#else - - int p; - char *cp, *p1, *p2; - int i; -#if SunOS == 40 - int dummy; -#endif -#if __linux - int master; - int slave; - if(openpty(&master, &slave, line, 0, 0) == 0){ - close(slave); - return master; - } -#else -#ifdef STREAMSPTY - char *clone[] = { "/dev/ptc", "/dev/ptmx", "/dev/ptm", - "/dev/ptym/clone", 0 }; - - char **q; - for(q=clone; *q; q++){ - p=open(*q, O_RDWR); - if(p >= 0){ -#ifdef HAVE_GRANTPT - grantpt(p); -#endif -#ifdef HAVE_UNLOCKPT - unlockpt(p); -#endif - strlcpy(line, ptsname(p), sizeof(Xline)); - really_stream = 1; - return p; - } - } -#endif /* STREAMSPTY */ -#ifndef _CRAY - -#ifndef __hpux - snprintf(line, sizeof(Xline), "/dev/ptyXX"); - p1 = &line[8]; - p2 = &line[9]; -#else - snprintf(line, sizeof(Xline), "/dev/ptym/ptyXX"); - p1 = &line[13]; - p2 = &line[14]; -#endif - - - for (cp = "pqrstuvwxyzPQRST"; *cp; cp++) { - struct stat stb; - - *p1 = *cp; - 
*p2 = '0'; - /* - * This stat() check is just to keep us from - * looping through all 256 combinations if there - * aren't that many ptys available. - */ - if (stat(line, &stb) < 0) - break; - for (i = 0; i < 16; i++) { - *p2 = "0123456789abcdef"[i]; - p = open(line, O_RDWR); - if (p > 0) { -#ifndef __hpux - line[5] = 't'; -#else - for (p1 = &line[8]; *p1; p1++) - *p1 = *(p1+1); - line[9] = 't'; -#endif - chown(line, 0, 0); - chmod(line, 0600); -#if SunOS == 40 - if (ioctl(p, TIOCGPGRP, &dummy) == 0 - || errno != EIO) { - chmod(line, 0666); - close(p); - line[5] = 'p'; - } else -#endif /* SunOS == 40 */ - return(p); - } - } - } -#else /* CRAY */ - extern lowpty, highpty; - struct stat sb; - - for (*ptynum = lowpty; *ptynum <= highpty; (*ptynum)++) { - snprintf(myline, sizeof(myline), "/dev/pty/%03d", *ptynum); - p = open(myline, 2); - if (p < 0) - continue; - snprintf(line, sizeof(Xline), "/dev/ttyp%03d", *ptynum); - /* - * Here are some shenanigans to make sure that there - * are no listeners lurking on the line. - */ - if(stat(line, &sb) < 0) { - close(p); - continue; - } - if(sb.st_uid || sb.st_gid || sb.st_mode != 0600) { - chown(line, 0, 0); - chmod(line, 0600); - close(p); - p = open(myline, 2); - if (p < 0) - continue; - } - /* - * Now it should be safe...check for accessability. - */ - if (access(line, 6) == 0) - return(p); - else { - /* no tty side to pty so skip it */ - close(p); - } - } -#endif /* CRAY */ -#endif /* STREAMSPTY */ -#endif /* OPENPTY */ - return(-1); -#endif -} - - -int -tty_isecho(void) -{ - return (termbuf.c_lflag & ECHO); -} - -int -tty_flowmode(void) -{ - return((termbuf.c_iflag & IXON) ? 1 : 0); -} - -int -tty_restartany(void) -{ - return((termbuf.c_iflag & IXANY) ? 
1 : 0); -} - -void -tty_setecho(int on) -{ - if (on) - termbuf.c_lflag |= ECHO; - else - termbuf.c_lflag &= ~ECHO; -} - -int -tty_israw(void) -{ - return(!(termbuf.c_lflag & ICANON)); -} - -void -tty_binaryin(int on) -{ - if (on) { - termbuf.c_iflag &= ~ISTRIP; - } else { - termbuf.c_iflag |= ISTRIP; - } -} - -void -tty_binaryout(int on) -{ - if (on) { - termbuf.c_cflag &= ~(CSIZE|PARENB); - termbuf.c_cflag |= CS8; - termbuf.c_oflag &= ~OPOST; - } else { - termbuf.c_cflag &= ~CSIZE; - termbuf.c_cflag |= CS7|PARENB; - termbuf.c_oflag |= OPOST; - } -} - -int -tty_isbinaryin(void) -{ - return(!(termbuf.c_iflag & ISTRIP)); -} - -int -tty_isbinaryout(void) -{ - return(!(termbuf.c_oflag&OPOST)); -} - - -int -tty_issofttab(void) -{ -# ifdef OXTABS - return (termbuf.c_oflag & OXTABS); -# endif -# ifdef TABDLY - return ((termbuf.c_oflag & TABDLY) == TAB3); -# endif -} - -void -tty_setsofttab(int on) -{ - if (on) { -# ifdef OXTABS - termbuf.c_oflag |= OXTABS; -# endif -# ifdef TABDLY - termbuf.c_oflag &= ~TABDLY; - termbuf.c_oflag |= TAB3; -# endif - } else { -# ifdef OXTABS - termbuf.c_oflag &= ~OXTABS; -# endif -# ifdef TABDLY - termbuf.c_oflag &= ~TABDLY; - termbuf.c_oflag |= TAB0; -# endif - } -} - -int -tty_islitecho(void) -{ -# ifdef ECHOCTL - return (!(termbuf.c_lflag & ECHOCTL)); -# endif -# ifdef TCTLECH - return (!(termbuf.c_lflag & TCTLECH)); -# endif -# if !defined(ECHOCTL) && !defined(TCTLECH) - return (0); /* assumes ctl chars are echoed '^x' */ -# endif -} - -void -tty_setlitecho(int on) -{ -# ifdef ECHOCTL - if (on) - termbuf.c_lflag &= ~ECHOCTL; - else - termbuf.c_lflag |= ECHOCTL; -# endif -# ifdef TCTLECH - if (on) - termbuf.c_lflag &= ~TCTLECH; - else - termbuf.c_lflag |= TCTLECH; -# endif -} - -int -tty_iscrnl(void) -{ - return (termbuf.c_iflag & ICRNL); -} - -/* - * Try to guess whether speeds are "encoded" (4.2BSD) or just numeric (4.4BSD). 
- */ -#if B4800 != 4800 -#define DECODE_BAUD -#endif - -#ifdef DECODE_BAUD - -/* - * A table of available terminal speeds - */ -struct termspeeds { - int speed; - int value; -} termspeeds[] = { - { 0, B0 }, { 50, B50 }, { 75, B75 }, - { 110, B110 }, { 134, B134 }, { 150, B150 }, - { 200, B200 }, { 300, B300 }, { 600, B600 }, - { 1200, B1200 }, { 1800, B1800 }, { 2400, B2400 }, - { 4800, B4800 }, -#ifdef B7200 - { 7200, B7200 }, -#endif - { 9600, B9600 }, -#ifdef B14400 - { 14400, B14400 }, -#endif -#ifdef B19200 - { 19200, B19200 }, -#endif -#ifdef B28800 - { 28800, B28800 }, -#endif -#ifdef B38400 - { 38400, B38400 }, -#endif -#ifdef B57600 - { 57600, B57600 }, -#endif -#ifdef B115200 - { 115200, B115200 }, -#endif -#ifdef B230400 - { 230400, B230400 }, -#endif - { -1, 0 } -}; -#endif /* DECODE_BUAD */ - -void -tty_tspeed(int val) -{ -#ifdef DECODE_BAUD - struct termspeeds *tp; - - for (tp = termspeeds; (tp->speed != -1) && (val > tp->speed); tp++) - ; - if (tp->speed == -1) /* back up to last valid value */ - --tp; - cfsetospeed(&termbuf, tp->value); -#else /* DECODE_BUAD */ - cfsetospeed(&termbuf, val); -#endif /* DECODE_BUAD */ -} - -void -tty_rspeed(int val) -{ -#ifdef DECODE_BAUD - struct termspeeds *tp; - - for (tp = termspeeds; (tp->speed != -1) && (val > tp->speed); tp++) - ; - if (tp->speed == -1) /* back up to last valid value */ - --tp; - cfsetispeed(&termbuf, tp->value); -#else /* DECODE_BAUD */ - cfsetispeed(&termbuf, val); -#endif /* DECODE_BAUD */ -} - -#ifdef PARENT_DOES_UTMP -extern struct utmp wtmp; -extern char wtmpf[]; - -extern void utmp_sig_init (void); -extern void utmp_sig_reset (void); -extern void utmp_sig_wait (void); -extern void utmp_sig_notify (int); -# endif /* PARENT_DOES_UTMP */ - -#ifdef STREAMSPTY - -/* I_FIND seems to live a life of its own */ -static int my_find(int fd, char *module) -{ -#if defined(I_FIND) && defined(I_LIST) - static int flag; - static struct str_list sl; - int n; - int i; - - if(!flag){ - n = ioctl(fd, 
I_LIST, 0); - if(n < 0){ - perror("ioctl(fd, I_LIST, 0)"); - return -1; - } - sl.sl_modlist=(struct str_mlist*)malloc(n * sizeof(struct str_mlist)); - sl.sl_nmods = n; - n = ioctl(fd, I_LIST, &sl); - if(n < 0){ - perror("ioctl(fd, I_LIST, n)"); - return -1; - } - flag = 1; - } - - for(i=0; i= modules; p--){ - err = ioctl(fd, I_PUSH, *p); - if(err < 0 && errno != EINVAL) - fatalperror(net, "I_PUSH"); - } -} -#endif - -/* - * getptyslave() - * - * Open the slave side of the pty, and do any initialization - * that is necessary. The return value is a file descriptor - * for the slave side. - */ -void getptyslave(void) -{ - int t = -1; - - struct winsize ws; - /* - * Opening the slave side may cause initilization of the - * kernel tty structure. We need remember the state of - * if linemode was turned on - * terminal window size - * terminal speed - * so that we can re-set them if we need to. - */ - - - /* - * Make sure that we don't have a controlling tty, and - * that we are the session (process group) leader. - */ - -#ifdef HAVE_SETSID - if(setsid()<0) - fatalperror(net, "setsid()"); -#else -# ifdef TIOCNOTTY - t = open(_PATH_TTY, O_RDWR); - if (t >= 0) { - ioctl(t, TIOCNOTTY, (char *)0); - close(t); - } -# endif -#endif - -# ifdef PARENT_DOES_UTMP - /* - * Wait for our parent to get the utmp stuff to get done. - */ - utmp_sig_wait(); -# endif - - t = cleanopen(line); - if (t < 0) - fatalperror(net, line); - -#ifdef STREAMSPTY - ttyfd = t; - - - /* - * Not all systems have (or need) modules ttcompat and pckt so - * don't flag it as a fatal error if they don't exist. - */ - - if (really_stream) - { - /* these are the streams modules that we want pushed. note - that they are in reverse order, ptem will be pushed - first. maybe_push_modules() will try to push all modules - before the first one that isn't already pushed. i.e if - ldterm is pushed, only ttcompat will be attempted. 
- - all this is because we don't know which modules are - available, and we don't know which modules are already - pushed (via autopush, for instance). - - */ - - char *ttymodules[] = { "ttcompat", "ldterm", "ptem", NULL }; - char *ptymodules[] = { "pckt", NULL }; - - maybe_push_modules(t, ttymodules); - maybe_push_modules(ourpty, ptymodules); - } -#endif - /* - * set up the tty modes as we like them to be. - */ - init_termbuf(); -# ifdef TIOCSWINSZ - if (def_row || def_col) { - memset(&ws, 0, sizeof(ws)); - ws.ws_col = def_col; - ws.ws_row = def_row; - ioctl(t, TIOCSWINSZ, (char *)&ws); - } -# endif - - /* - * Settings for sgtty based systems - */ - - /* - * Settings for UNICOS (and HPUX) - */ -# if defined(_CRAY) || defined(__hpux) - termbuf.c_oflag = OPOST|ONLCR|TAB3; - termbuf.c_iflag = IGNPAR|ISTRIP|ICRNL|IXON; - termbuf.c_lflag = ISIG|ICANON|ECHO|ECHOE|ECHOK; - termbuf.c_cflag = EXTB|HUPCL|CS8; -# endif - - /* - * Settings for all other termios/termio based - * systems, other than 4.4BSD. In 4.4BSD the - * kernel does the initial terminal setup. - */ -# if !(defined(_CRAY) || defined(__hpux)) && (BSD <= 43) -# ifndef OXTABS -# define OXTABS 0 -# endif - termbuf.c_lflag |= ECHO; - termbuf.c_oflag |= ONLCR|OXTABS; - termbuf.c_iflag |= ICRNL; - termbuf.c_iflag &= ~IXOFF; -# endif - tty_rspeed((def_rspeed > 0) ? def_rspeed : 9600); - tty_tspeed((def_tspeed > 0) ? def_tspeed : 9600); - - /* - * Set the tty modes, and make this our controlling tty. - */ - set_termbuf(); - if (login_tty(t) == -1) - fatalperror(net, "login_tty"); - if (net > 2) - close(net); - if (ourpty > 2) { - close(ourpty); - ourpty = -1; - } -} - -#ifndef O_NOCTTY -#define O_NOCTTY 0 -#endif -/* - * Open the specified slave side of the pty, - * making sure that we have a clean tty. - */ - -int cleanopen(char *line) -{ - int t; - -#ifdef STREAMSPTY - if (!really_stream) -#endif - { - /* - * Make sure that other people can't open the - * slave side of the connection. 
- */ - chown(line, 0, 0); - chmod(line, 0600); - } - -#ifdef HAVE_REVOKE - revoke(line); -#endif - - t = open(line, O_RDWR|O_NOCTTY); - - if (t < 0) - return(-1); - - /* - * Hangup anybody else using this ttyp, then reopen it for - * ourselves. - */ -# if !(defined(_CRAY) || defined(__hpux)) && (BSD <= 43) && !defined(STREAMSPTY) - signal(SIGHUP, SIG_IGN); -#ifdef HAVE_VHANGUP - vhangup(); -#else -#endif - signal(SIGHUP, SIG_DFL); - t = open(line, O_RDWR|O_NOCTTY); - if (t < 0) - return(-1); -# endif -# if defined(_CRAY) && defined(TCVHUP) - { - int i; - signal(SIGHUP, SIG_IGN); - ioctl(t, TCVHUP, (char *)0); - signal(SIGHUP, SIG_DFL); - - i = open(line, O_RDWR); - - if (i < 0) - return(-1); - close(t); - t = i; - } -# endif /* defined(CRAY) && defined(TCVHUP) */ - return(t); -} - -#if !defined(BSD4_4) - -int login_tty(int t) -{ -# if defined(TIOCSCTTY) && !defined(__hpux) - if (ioctl(t, TIOCSCTTY, (char *)0) < 0) - fatalperror(net, "ioctl(sctty)"); -# ifdef _CRAY - /* - * Close the hard fd to /dev/ttypXXX, and re-open through - * the indirect /dev/tty interface. - */ - close(t); - if ((t = open("/dev/tty", O_RDWR)) < 0) - fatalperror(net, "open(/dev/tty)"); -# endif -# else - /* - * We get our controlling tty assigned as a side-effect - * of opening up a tty device. But on BSD based systems, - * this only happens if our process group is zero. The - * setsid() call above may have set our pgrp, so clear - * it out before opening the tty... - */ -#ifdef HAVE_SETPGID - setpgid(0, 0); -#else - setpgrp(0, 0); /* if setpgid isn't available, setpgrp - probably takes arguments */ -#endif - close(open(line, O_RDWR)); -# endif - if (t != 0) - dup2(t, 0); - if (t != 1) - dup2(t, 1); - if (t != 2) - dup2(t, 2); - if (t > 2) - close(t); - return(0); -} -#endif /* BSD <= 43 */ - -/* - * This comes from ../../bsd/tty.c and should not really be here. - */ - -/* - * Clean the tty name. Return a pointer to the cleaned version. 
- */ - -static char * -clean_ttyname (char *tty) -{ - char *res = tty; - - if (strncmp (res, _PATH_DEV, strlen(_PATH_DEV)) == 0) - res += strlen(_PATH_DEV); - if (strncmp (res, "pty/", 4) == 0) - res += 4; - if (strncmp (res, "ptym/", 5) == 0) - res += 5; - return res; -} - -/* - * Generate a name usable as an `ut_id', typically without `tty'. - */ - -#ifdef HAVE_STRUCT_UTMP_UT_ID -static char * -make_id (char *tty) -{ - char *res = tty; - - if (strncmp (res, "pts/", 4) == 0) - res += 4; - if (strncmp (res, "tty", 3) == 0) - res += 3; - return res; -} -#endif - -/* - * startslave(host) - * - * Given a hostname, do whatever - * is necessary to startup the login process on the slave side of the pty. - */ - -/* ARGSUSED */ -void -startslave(const char *host, const char *utmp_host, - int autologin, char *autoname) -{ - int i; - -#ifdef AUTHENTICATION - if (!autoname || !autoname[0]) - autologin = 0; - - if (autologin < auth_level) { - fatal(net, "Authorization failed"); - exit(1); - } -#endif - - { - char *tbuf = - "\r\n*** Connection not encrypted! " - "Communication may be eavesdropped. ***\r\n"; -#ifdef ENCRYPTION - if (!no_warn && (encrypt_output == 0 || decrypt_input == 0)) -#endif - writenet((unsigned char*)tbuf, strlen(tbuf)); - } -# ifdef PARENT_DOES_UTMP - utmp_sig_init(); -# endif /* PARENT_DOES_UTMP */ - - if ((i = fork()) < 0) - fatalperror(net, "fork"); - if (i) { -# ifdef PARENT_DOES_UTMP - /* - * Cray parent will create utmp entry for child and send - * signal to child to tell when done. Child waits for signal - * before doing anything important. 
- */ - int pid = i; - void sigjob (int); - - setpgrp(); - utmp_sig_reset(); /* reset handler to default */ - /* - * Create utmp entry for child - */ - wtmp.ut_time = time(NULL); - wtmp.ut_type = LOGIN_PROCESS; - wtmp.ut_pid = pid; - strncpy(wtmp.ut_user, "LOGIN", sizeof(wtmp.ut_user)); - strncpy(wtmp.ut_host, utmp_host, sizeof(wtmp.ut_host)); - strncpy(wtmp.ut_line, clean_ttyname(line), sizeof(wtmp.ut_line)); -#ifdef HAVE_STRUCT_UTMP_UT_ID - strncpy(wtmp.ut_id, wtmp.ut_line + 3, sizeof(wtmp.ut_id)); -#endif - - pututline(&wtmp); - endutent(); - if ((i = open(wtmpf, O_WRONLY|O_APPEND)) >= 0) { - write(i, &wtmp, sizeof(struct utmp)); - close(i); - } -#ifdef _CRAY - signal(WJSIGNAL, sigjob); -#endif - utmp_sig_notify(pid); -# endif /* PARENT_DOES_UTMP */ - } else { - getptyslave(); -#if defined(DCE) - /* if we authenticated via K5, try and join the PAG */ - kerberos5_dfspag(); -#endif - start_login(host, autologin, autoname); - /*NOTREACHED*/ - } -} - -char *envinit[3]; -extern char **environ; - -void -init_env(void) -{ - char **envp; - - envp = envinit; - if ((*envp = getenv("TZ"))) - *envp++ -= 3; -#if defined(_CRAY) || defined(__hpux) - else - *envp++ = "TZ=GMT0"; -#endif - *envp = 0; - environ = envinit; -} - -/* - * scrub_env() - * - * We only accept the environment variables listed below. - */ - -static void -scrub_env(void) -{ - static const char *reject[] = { - "TERMCAP=/", - NULL - }; - - static const char *accept[] = { - "XAUTH=", "XAUTHORITY=", "DISPLAY=", - "TERM=", - "EDITOR=", - "PAGER=", - "PRINTER=", - "LOGNAME=", - "POSIXLY_CORRECT=", - "TERMCAP=", - NULL - }; - - char **cpp, **cpp2; - const char **p; - char ** new_environ; - size_t count; - - /* Allocate space for scrubbed environment. 
*/ - for (count = 1, cpp = environ; *cpp; count++, cpp++) - ; - if ((new_environ = malloc(count * sizeof(char *))) == NULL) { - environ = NULL; - return; - } - - for (cpp2 = new_environ, cpp = environ; *cpp; cpp++) { - int reject_it = 0; - - for(p = reject; *p; p++) - if(strncmp(*cpp, *p, strlen(*p)) == 0) { - reject_it = 1; - break; - } - if (reject_it) - continue; - - for(p = accept; *p; p++) - if(strncmp(*cpp, *p, strlen(*p)) == 0) - break; - if(*p != NULL) { - if ((*cpp2++ = strdup(*cpp)) == NULL) { - environ = new_environ; - return; - } - } - } - *cpp2 = NULL; - environ = new_environ; -} - - -struct arg_val { - int size; - int argc; - const char **argv; -}; - -static void addarg(struct arg_val*, const char*); - -/* - * start_login(host) - * - * Assuming that we are now running as a child processes, this - * function will turn us into the login process. - */ - -void -start_login(const char *host, int autologin, char *name) -{ - struct arg_val argv; - char *user; - int save_errno; - -#ifdef HAVE_UTMPX_H - int pid = getpid(); - struct utmpx utmpx; - char *clean_tty; - - /* - * Create utmp entry for child - */ - - clean_tty = clean_ttyname(line); - memset(&utmpx, 0, sizeof(utmpx)); - strncpy(utmpx.ut_user, ".telnet", sizeof(utmpx.ut_user)); - strncpy(utmpx.ut_line, clean_tty, sizeof(utmpx.ut_line)); -#ifdef HAVE_STRUCT_UTMP_UT_ID - strncpy(utmpx.ut_id, make_id(clean_tty), sizeof(utmpx.ut_id)); -#endif - utmpx.ut_pid = pid; - - utmpx.ut_type = LOGIN_PROCESS; - - gettimeofday (&utmpx.ut_tv, NULL); - if (pututxline(&utmpx) == NULL) - fatal(net, "pututxline failed"); -#endif - - scrub_env(); - - /* - * -h : pass on name of host. - * WARNING: -h is accepted by login if and only if - * getuid() == 0. - * -p : don't clobber the environment (so terminal type stays set). 
- * - * -f : force this login, he has already been authenticated - */ - - /* init argv structure */ - argv.size=0; - argv.argc=0; - argv.argv=malloc(0); /*so we can call realloc later */ - addarg(&argv, "login"); - addarg(&argv, "-h"); - addarg(&argv, host); - addarg(&argv, "-p"); - if(name[0]) - user = name; - else - user = getenv("USER"); -#ifdef AUTHENTICATION - if (auth_level < 0 || autologin != AUTH_VALID) { - if(!no_warn) { - printf("User not authenticated. "); - if (require_otp) - printf("Using one-time password\r\n"); - else - printf("Using plaintext username and password\r\n"); - } - if (require_otp) { - addarg(&argv, "-a"); - addarg(&argv, "otp"); - } - if(log_unauth) - syslog(LOG_INFO, "unauthenticated access from %s (%s)", - host, user ? user : "unknown user"); - } - if (auth_level >= 0 && autologin == AUTH_VALID) - addarg(&argv, "-f"); -#endif - if(user){ - addarg(&argv, "--"); - addarg(&argv, strdup(user)); - } - if (getenv("USER")) { - /* - * Assume that login will set the USER variable - * correctly. For SysV systems, this means that - * USER will no longer be set, just LOGNAME by - * login. (The problem is that if the auto-login - * fails, and the user then specifies a different - * account name, he can get logged in with both - * LOGNAME and USER in his environment, but the - * USER value will be wrong. - */ - unsetenv("USER"); - } - closelog(); - /* - * This sleep(1) is in here so that telnetd can - * finish up with the tty. There's a race condition - * the login banner message gets lost... 
- */ - sleep(1); - - execv(new_login, argv.argv); - save_errno = errno; - syslog(LOG_ERR, "%s: %m\n", new_login); - fatalperror_errno(net, new_login, save_errno); - /*NOTREACHED*/ -} - -static void -addarg(struct arg_val *argv, const char *val) -{ - if(argv->size <= argv->argc+1) { - argv->argv = realloc(argv->argv, sizeof(char*) * (argv->size + 10)); - if (argv->argv == NULL) - fatal (net, "realloc: out of memory"); - argv->size+=10; - } - argv->argv[argv->argc++] = val; - argv->argv[argv->argc] = NULL; -} - - -/* - * rmut() - * - * This is the function called by cleanup() to - * remove the utmp entry for this person. - */ - -#ifdef HAVE_UTMPX_H -static void -rmut(void) -{ - struct utmpx utmpx, *non_save_utxp; - char *clean_tty = clean_ttyname(line); - - /* - * This updates the utmpx and utmp entries and make a wtmp/x entry - */ - - setutxent(); - memset(&utmpx, 0, sizeof(utmpx)); - strncpy(utmpx.ut_line, clean_tty, sizeof(utmpx.ut_line)); - utmpx.ut_type = LOGIN_PROCESS; - non_save_utxp = getutxline(&utmpx); - if (non_save_utxp) { - struct utmpx *utxp; - char user0; - - utxp = malloc(sizeof(struct utmpx)); - *utxp = *non_save_utxp; - user0 = utxp->ut_user[0]; - utxp->ut_user[0] = '\0'; - utxp->ut_type = DEAD_PROCESS; -#ifdef HAVE_STRUCT_UTMPX_UT_EXIT -#ifdef _STRUCT___EXIT_STATUS - utxp->ut_exit.__e_termination = 0; - utxp->ut_exit.__e_exit = 0; -#elif defined(__osf__) /* XXX */ - utxp->ut_exit.ut_termination = 0; - utxp->ut_exit.ut_exit = 0; -#else - utxp->ut_exit.e_termination = 0; - utxp->ut_exit.e_exit = 0; -#endif -#endif - gettimeofday(&utxp->ut_tv, NULL); - pututxline(utxp); -#ifdef WTMPX_FILE - utxp->ut_user[0] = user0; - updwtmpx(WTMPX_FILE, utxp); -#elif defined(WTMP_FILE) - /* This is a strange system with a utmpx and a wtmp! 
*/ - { - int f = open(wtmpf, O_WRONLY|O_APPEND); - struct utmp wtmp; - if (f >= 0) { - strncpy(wtmp.ut_line, clean_tty, sizeof(wtmp.ut_line)); - strncpy(wtmp.ut_name, "", sizeof(wtmp.ut_name)); -#ifdef HAVE_STRUCT_UTMP_UT_HOST - strncpy(wtmp.ut_host, "", sizeof(wtmp.ut_host)); -#endif - wtmp.ut_time = time(NULL); - write(f, &wtmp, sizeof(wtmp)); - close(f); - } - } -#endif - free (utxp); - } - endutxent(); -} /* end of rmut */ -#endif - -#if !defined(HAVE_UTMPX_H) && !(defined(_CRAY) || defined(__hpux)) && BSD <= 43 -static void -rmut(void) -{ - int f; - int found = 0; - struct utmp *u, *utmp; - int nutmp; - struct stat statbf; - char *clean_tty = clean_ttyname(line); - - f = open(utmpf, O_RDWR); - if (f >= 0) { - fstat(f, &statbf); - utmp = (struct utmp *)malloc((unsigned)statbf.st_size); - if (!utmp) - syslog(LOG_ERR, "utmp malloc failed"); - if (statbf.st_size && utmp) { - nutmp = read(f, utmp, (int)statbf.st_size); - nutmp /= sizeof(struct utmp); - - for (u = utmp ; u < &utmp[nutmp] ; u++) { - if (strncmp(u->ut_line, - clean_tty, - sizeof(u->ut_line)) || - u->ut_name[0]==0) - continue; - lseek(f, ((long)u)-((long)utmp), L_SET); - strncpy(u->ut_name, "", sizeof(u->ut_name)); -#ifdef HAVE_STRUCT_UTMP_UT_HOST - strncpy(u->ut_host, "", sizeof(u->ut_host)); -#endif - u->ut_time = time(NULL); - write(f, u, sizeof(wtmp)); - found++; - } - } - close(f); - } - if (found) { - f = open(wtmpf, O_WRONLY|O_APPEND); - if (f >= 0) { - strncpy(wtmp.ut_line, clean_tty, sizeof(wtmp.ut_line)); - strncpy(wtmp.ut_name, "", sizeof(wtmp.ut_name)); -#ifdef HAVE_STRUCT_UTMP_UT_HOST - strncpy(wtmp.ut_host, "", sizeof(wtmp.ut_host)); -#endif - wtmp.ut_time = time(NULL); - write(f, &wtmp, sizeof(wtmp)); - close(f); - } - } - chmod(line, 0666); - chown(line, 0, 0); - line[strlen("/dev/")] = 'p'; - chmod(line, 0666); - chown(line, 0, 0); -} /* end of rmut */ -#endif /* CRAY */ - -#if defined(__hpux) && !defined(HAVE_UTMPX_H) -static void -rmut (char *line) -{ - struct utmp utmp; - struct 
utmp *utptr; - int fd; /* for /etc/wtmp */ - - utmp.ut_type = USER_PROCESS; - strncpy(utmp.ut_line, clean_ttyname(line), sizeof(utmp.ut_line)); - setutent(); - utptr = getutline(&utmp); - /* write it out only if it exists */ - if (utptr) { - utptr->ut_type = DEAD_PROCESS; - utptr->ut_time = time(NULL); - pututline(utptr); - /* set wtmp entry if wtmp file exists */ - if ((fd = open(wtmpf, O_WRONLY | O_APPEND)) >= 0) { - write(fd, utptr, sizeof(utmp)); - close(fd); - } - } - endutent(); - - chmod(line, 0666); - chown(line, 0, 0); - line[14] = line[13]; - line[13] = line[12]; - line[8] = 'm'; - line[9] = '/'; - line[10] = 'p'; - line[11] = 't'; - line[12] = 'y'; - chmod(line, 0666); - chown(line, 0, 0); -} -#endif - -/* - * cleanup() - * - * This is the routine to call when we are all through, to - * clean up anything that needs to be cleaned up. - */ - -#ifdef PARENT_DOES_UTMP - -void -cleanup(int sig) -{ -#ifdef _CRAY - static int incleanup = 0; - int t; - int child_status; /* status of child process as returned by waitpid */ - int flags = WNOHANG|WUNTRACED; - - /* - * 1: Pick up the zombie, if we are being called - * as the signal handler. - * 2: If we are a nested cleanup(), return. - * 3: Try to clean up TMPDIR. - * 4: Fill in utmp with shutdown of process. - * 5: Close down the network and pty connections. - * 6: Finish up the TMPDIR cleanup, if needed. - */ - if (sig == SIGCHLD) { - while (waitpid(-1, &child_status, flags) > 0) - ; /* VOID */ - /* Check if the child process was stopped - * rather than exited. We want cleanup only if - * the child has died. 
- */
- if (WIFSTOPPED(child_status)) {
- return;
- }
- }
- t = sigblock(sigmask(SIGCHLD));
- if (incleanup) {
- sigsetmask(t);
- return;
- }
- incleanup = 1;
- sigsetmask(t);
-
- t = cleantmp(&wtmp);
- setutent(); /* just to make sure */
-#endif /* CRAY */
- rmut(line);
- close(ourpty);
- shutdown(net, 2);
-#ifdef _CRAY
- if (t == 0)
- cleantmp(&wtmp);
-#endif /* CRAY */
- exit(1);
-}
-
-#else /* PARENT_DOES_UTMP */
-
-void
-cleanup(int sig)
-{
-#if defined(HAVE_UTMPX_H) || !defined(HAVE_LOGWTMP)
- rmut();
-#ifdef HAVE_VHANGUP
-#ifndef __sgi
- vhangup(); /* XXX */
-#endif
-#endif
-#else
- char *p;
-
- p = line + sizeof("/dev/") - 1;
- if (logout(p))
- logwtmp(p, "", "");
- chmod(line, 0666);
- chown(line, 0, 0);
- *p = 'p';
- chmod(line, 0666);
- chown(line, 0, 0);
-#endif
- shutdown(net, 2);
- exit(1);
-}
-
-#endif /* PARENT_DOES_UTMP */
-
-#ifdef PARENT_DOES_UTMP
-/*
- * _utmp_sig_rcv
- * utmp_sig_init
- * utmp_sig_wait
- * These three functions are used to coordinate the handling of
- * the utmp file between the server and the soon-to-be-login shell.
- * The server actually creates the utmp structure, the child calls
- * utmp_sig_wait(), until the server calls utmp_sig_notify() and
- * signals the future-login shell to proceed.
- */
-static int caught=0; /* NZ when signal intercepted */
-static void (*func)(); /* address of previous handler */
-
-void
-_utmp_sig_rcv(sig)
- int sig;
-{
- caught = 1;
- signal(SIGUSR1, func);
-}
-
-void
-utmp_sig_init()
-{
- /*
- * register signal handler for UTMP creation
- */
- if ((int)(func = signal(SIGUSR1, _utmp_sig_rcv)) == -1)
- fatalperror(net, "telnetd/signal");
-}
-
-void
-utmp_sig_reset()
-{
- signal(SIGUSR1, func); /* reset handler to default */
-}
-
-# ifdef __hpux
-# define sigoff() /* do nothing */
-# define sigon() /* do nothing */
-# endif
-
-void
-utmp_sig_wait()
-{
- /*
- * Wait for parent to write our utmp entry.
- */
- sigoff();
- while (caught == 0) {
- pause(); /* wait until we get a signal (sigon) */
- sigoff(); /* turn off signals while we check caught */
- }
- sigon(); /* turn on signals again */
-}
-
-void
-utmp_sig_notify(pid)
-{
- kill(pid, SIGUSR1);
-}
-
-#ifdef _CRAY
-static int gotsigjob = 0;
-
- /*ARGSUSED*/
-void
-sigjob(sig)
- int sig;
-{
- int jid;
- struct jobtemp *jp;
-
- while ((jid = waitjob(NULL)) != -1) {
- if (jid == 0) {
- return;
- }
- gotsigjob++;
- jobend(jid, NULL, NULL);
- }
-}
-
-/*
- * jid_getutid:
- * called by jobend() before calling cleantmp()
- * to find the correct $TMPDIR to cleanup.
- */
-
-struct utmp *
-jid_getutid(jid)
- int jid;
-{
- struct utmp *cur = NULL;
-
- setutent(); /* just to make sure */
- while (cur = getutent()) {
- if ( (cur->ut_type != NULL) && (jid == cur->ut_jid) ) {
- return(cur);
- }
- }
-
- return(0);
-}
-
-/*
- * Clean up the TMPDIR that login created.
- * The first time this is called we pick up the info
- * from the utmp. If the job has already gone away,
- * then we'll clean up and be done. If not, then
- * when this is called the second time it will wait
- * for the signal that the job is done.
- */
-int
-cleantmp(wtp)
- struct utmp *wtp;
-{
- struct utmp *utp;
- static int first = 1;
- int mask, omask, ret;
- extern struct utmp *getutid (const struct utmp *_Id);
-
-
- mask = sigmask(WJSIGNAL);
-
- if (first == 0) {
- omask = sigblock(mask);
- while (gotsigjob == 0)
- sigpause(omask);
- return(1);
- }
- first = 0;
- setutent(); /* just to make sure */
-
- utp = getutid(wtp);
- if (utp == 0) {
- syslog(LOG_ERR, "Can't get /etc/utmp entry to clean TMPDIR");
- return(-1);
- }
- /*
- * Nothing to clean up if the user shell was never started.
- */
- if (utp->ut_type != USER_PROCESS || utp->ut_jid == 0)
- return(1);
-
- /*
- * Block the WJSIGNAL while we are in jobend().
- */
- omask = sigblock(mask);
- ret = jobend(utp->ut_jid, utp->ut_tpath, utp->ut_user);
- sigsetmask(omask);
- return(ret);
-}
-
-int
-jobend(jid, path, user)
- int jid;
- char *path;
- char *user;
-{
- static int saved_jid = 0;
- static int pty_saved_jid = 0;
- static char saved_path[sizeof(wtmp.ut_tpath)+1];
- static char saved_user[sizeof(wtmp.ut_user)+1];
-
- /*
- * this little piece of code comes into play
- * only when ptyreconnect is used to reconnect
- * to an previous session.
- *
- * this is the only time when the
- * "saved_jid != jid" code is executed.
- */
-
- if ( saved_jid && saved_jid != jid ) {
- if (!path) { /* called from signal handler */
- pty_saved_jid = jid;
- } else {
- pty_saved_jid = saved_jid;
- }
- }
-
- if (path) {
- strncpy(saved_path, path, sizeof(wtmp.ut_tpath));
- strncpy(saved_user, user, sizeof(wtmp.ut_user));
- saved_path[sizeof(saved_path)] = '\0';
- saved_user[sizeof(saved_user)] = '\0';
- }
- if (saved_jid == 0) {
- saved_jid = jid;
- return(0);
- }
-
- /* if the jid has changed, get the correct entry from the utmp file */
-
- if ( saved_jid != jid ) {
- struct utmp *utp = NULL;
- struct utmp *jid_getutid();
-
- utp = jid_getutid(pty_saved_jid);
-
- if (utp == 0) {
- syslog(LOG_ERR, "Can't get /etc/utmp entry to clean TMPDIR");
- return(-1);
- }
-
- cleantmpdir(jid, utp->ut_tpath, utp->ut_user);
- return(1);
- }
-
- cleantmpdir(jid, saved_path, saved_user);
- return(1);
-}
-
-/*
- * Fork a child process to clean up the TMPDIR
- */
-cleantmpdir(jid, tpath, user)
- int jid;
- char *tpath;
- char *user;
-{
- switch(fork()) {
- case -1:
- syslog(LOG_ERR, "TMPDIR cleanup(%s): fork() failed: %m\n",
- tpath);
- break;
- case 0:
- execl(CLEANTMPCMD, CLEANTMPCMD, user, tpath, 0);
- syslog(LOG_ERR, "TMPDIR cleanup(%s): execl(%s) failed: %m\n",
- tpath, CLEANTMPCMD);
- exit(1);
- default:
- /*
- * Forget about child. We will exit, and
- * /etc/init will pick it up.
- */
- break;
- }
-}
-#endif /* CRAY */
-#endif /* defined(PARENT_DOES_UTMP) */
diff --git a/crypto/heimdal-0.6.3/appl/telnet/telnetd/telnetd.8 b/crypto/heimdal-0.6.3/appl/telnet/telnetd/telnetd.8
deleted file mode 100644
index fd7d0bde43..0000000000
--- a/crypto/heimdal-0.6.3/appl/telnet/telnetd/telnetd.8
+++ /dev/null
@@ -1,532 +0,0 @@
-.\" Copyright (c) 1983, 1993
-.\" The Regents of the University of California. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\" 3. All advertising materials mentioning features or use of this software
-.\" must display the following acknowledgement:
-.\" This product includes software developed by the University of
-.\" California, Berkeley and its contributors.
-.\" 4. Neither the name of the University nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\" -.\" @(#)telnetd.8 8.4 (Berkeley) 6/1/94 -.\" -.Dd June 1, 1994 -.Dt TELNETD 8 -.Os BSD 4.2 -.Sh NAME -.Nm telnetd -.Nd DARPA -.Tn TELNET -protocol server -.Sh SYNOPSIS -.Nm telnetd -.Op Fl BUhkln -.Op Fl D Ar debugmode -.Op Fl S Ar tos -.Op Fl X Ar authtype -.Op Fl a Ar authmode -.Op Fl r Ns Ar lowpty-highpty -.Op Fl u Ar len -.Op Fl debug -.Op Fl L Ar /bin/login -.Op Fl y -.Op Ar port -.Sh DESCRIPTION -The -.Nm telnetd -command is a server which supports the -.Tn DARPA -standard -.Tn TELNET -virtual terminal protocol. -.Nm Telnetd -is normally invoked by the internet server (see -.Xr inetd 8 ) -for requests to connect to the -.Tn TELNET -port as indicated by the -.Pa /etc/services -file (see -.Xr services 5 ) . -The -.Fl debug -option may be used to start up -.Nm telnetd -manually, instead of through -.Xr inetd 8 . -If started up this way, -.Ar port -may be specified to run -.Nm telnetd -on an alternate -.Tn TCP -port number. -.Pp -The -.Nm telnetd -command accepts the following options: -.Bl -tag -width "-a authmode" -.It Fl a Ar authmode -This option may be used for specifying what mode should -be used for authentication. -Note that this option is only useful if -.Nm telnetd -has been compiled with support for the -.Dv AUTHENTICATION -option. -There are several valid values for -.Ar authmode : -.Bl -tag -width debug -.It debug -Turns on authentication debugging code. -.It user -Only allow connections when the remote user -can provide valid authentication information -to identify the remote user, -and is allowed access to the specified account -without providing a password. -.It valid -Only allow connections when the remote user -can provide valid authentication information -to identify the remote user. -The -.Xr login 1 -command will provide any additional user verification -needed if the remote user is not allowed automatic -access to the specified account. -.It other -Only allow connections that supply some authentication information. 
-This option is currently not supported -by any of the existing authentication mechanisms, -and is thus the same as specifying -.Fl a -.Cm valid . -.It otp -Only allow authenticated connections (as with -.Fl a -.Cm user ) -and also logins with one-time passwords (OTPs). This option will call -login with an option so that only OTPs are accepted. The user can of -course still type secret information at the prompt. -.It none -This is the default state. -Authentication information is not required. -If no or insufficient authentication information -is provided, then the -.Xr login 1 -program will provide the necessary user -verification. -.It off -This disables the authentication code. -All user verification will happen through the -.Xr login 1 -program. -.El -.It Fl B -Ignored. -.It Fl D Ar debugmode -This option may be used for debugging purposes. -This allows -.Nm telnetd -to print out debugging information -to the connection, allowing the user to see what -.Nm telnetd -is doing. -There are several possible values for -.Ar debugmode : -.Bl -tag -width exercise -.It Cm options -Prints information about the negotiation of -.Tn TELNET -options. -.It Cm report -Prints the -.Cm options -information, plus some additional information -about what processing is going on. -.It Cm netdata -Displays the data stream received by -.Nm telnetd . -.It Cm ptydata -Displays data written to the pty. -.It Cm exercise -Has not been implemented yet. -.El -.It Fl h -Disables the printing of host-specific information before -login has been completed. -.It Fl k -.It Fl l -Ignored. -.It Fl n -Disable -.Dv TCP -keep-alives. Normally -.Nm telnetd -enables the -.Tn TCP -keep-alive mechanism to probe connections that -have been idle for some period of time to determine -if the client is still there, so that idle connections -from machines that have crashed or can no longer -be reached may be cleaned up. 
-.It Fl r Ar lowpty-highpty -This option is only enabled when -.Nm telnetd -is compiled for -.Dv UNICOS . -It specifies an inclusive range of pseudo-terminal devices to -use. If the system has sysconf variable -.Dv _SC_CRAY_NPTY -configured, the default pty search range is 0 to -.Dv _SC_CRAY_NPTY ; -otherwise, the default range is 0 to 128. Either -.Ar lowpty -or -.Ar highpty -may be omitted to allow changing -either end of the search range. If -.Ar lowpty -is omitted, the - character is still required so that -.Nm telnetd -can differentiate -.Ar highpty -from -.Ar lowpty . -.It Fl S Ar tos -.It Fl u Ar len -This option is used to specify the size of the field -in the -.Dv utmp -structure that holds the remote host name. -If the resolved host name is longer than -.Ar len , -the dotted decimal value will be used instead. -This allows hosts with very long host names that -overflow this field to still be uniquely identified. -Specifying -.Fl u0 -indicates that only dotted decimal addresses -should be put into the -.Pa utmp -file. -.It Fl U -This option causes -.Nm telnetd -to refuse connections from addresses that -cannot be mapped back into a symbolic name -via the -.Xr gethostbyaddr 3 -routine. -.It Fl X Ar authtype -This option is only valid if -.Nm telnetd -has been built with support for the authentication option. -It disables the use of -.Ar authtype -authentication, and -can be used to temporarily disable -a specific authentication type without having to recompile -.Nm telnetd . -.It Fl L Ar pathname -Specify pathname to an alternative login program. -.It Fl y -Makes -.Nm -not warn when a user is trying to login with a cleartext password. -.El -.Pp -.Nm Telnetd -operates by allocating a pseudo-terminal device (see -.Xr pty 4 ) -for a client, then creating a login process which has -the slave side of the pseudo-terminal as -.Dv stdin , -.Dv stdout -and -.Dv stderr . 
-.Nm Telnetd -manipulates the master side of the pseudo-terminal, -implementing the -.Tn TELNET -protocol and passing characters -between the remote client and the login process. -.Pp -When a -.Tn TELNET -session is started up, -.Nm telnetd -sends -.Tn TELNET -options to the client side indicating -a willingness to do the -following -.Tn TELNET -options, which are described in more detail below: -.Bd -literal -offset indent -DO AUTHENTICATION -WILL ENCRYPT -DO TERMINAL TYPE -DO TSPEED -DO XDISPLOC -DO NEW-ENVIRON -DO ENVIRON -WILL SUPPRESS GO AHEAD -DO ECHO -DO LINEMODE -DO NAWS -WILL STATUS -DO LFLOW -DO TIMING-MARK -.Ed -.Pp -The pseudo-terminal allocated to the client is configured -to operate in -.Dq cooked -mode, and with -.Dv XTABS and -.Dv CRMOD -enabled (see -.Xr tty 4 ) . -.Pp -.Nm Telnetd -has support for enabling locally the following -.Tn TELNET -options: -.Bl -tag -width "DO AUTHENTICATION" -.It "WILL ECHO" -When the -.Dv LINEMODE -option is enabled, a -.Dv WILL ECHO -or -.Dv WONT ECHO -will be sent to the client to indicate the -current state of terminal echoing. -When terminal echo is not desired, a -.Dv WILL ECHO -is sent to indicate that -.Tn telnetd -will take care of echoing any data that needs to be -echoed to the terminal, and then nothing is echoed. -When terminal echo is desired, a -.Dv WONT ECHO -is sent to indicate that -.Tn telnetd -will not be doing any terminal echoing, so the -client should do any terminal echoing that is needed. -.It "WILL BINARY" -Indicates that the client is willing to send a -8 bits of data, rather than the normal 7 bits -of the Network Virtual Terminal. -.It "WILL SGA" -Indicates that it will not be sending -.Dv IAC GA , -go ahead, commands. -.It "WILL STATUS" -Indicates a willingness to send the client, upon -request, of the current status of all -.Tn TELNET -options. 
-.It "WILL TIMING-MARK" -Whenever a -.Dv DO TIMING-MARK -command is received, it is always responded -to with a -.Dv WILL TIMING-MARK -.It "WILL LOGOUT" -When a -.Dv DO LOGOUT -is received, a -.Dv WILL LOGOUT -is sent in response, and the -.Tn TELNET -session is shut down. -.It "WILL ENCRYPT" -Only sent if -.Nm telnetd -is compiled with support for data encryption, and -indicates a willingness to decrypt -the data stream. -.El -.Pp -.Nm Telnetd -has support for enabling remotely the following -.Tn TELNET -options: -.Bl -tag -width "DO AUTHENTICATION" -.It "DO BINARY" -Sent to indicate that -.Tn telnetd -is willing to receive an 8 bit data stream. -.It "DO LFLOW" -Requests that the client handle flow control -characters remotely. -.It "DO ECHO" -This is not really supported, but is sent to identify a 4.2BSD -.Xr telnet 1 -client, which will improperly respond with -.Dv WILL ECHO . -If a -.Dv WILL ECHO -is received, a -.Dv DONT ECHO -will be sent in response. -.It "DO TERMINAL-TYPE" -Indicates a desire to be able to request the -name of the type of terminal that is attached -to the client side of the connection. -.It "DO SGA" -Indicates that it does not need to receive -.Dv IAC GA , -the go ahead command. -.It "DO NAWS" -Requests that the client inform the server when -the window (display) size changes. -.It "DO TERMINAL-SPEED" -Indicates a desire to be able to request information -about the speed of the serial line to which -the client is attached. -.It "DO XDISPLOC" -Indicates a desire to be able to request the name -of the X windows display that is associated with -the telnet client. -.It "DO NEW-ENVIRON" -Indicates a desire to be able to request environment -variable information, as described in RFC 1572. -.It "DO ENVIRON" -Indicates a desire to be able to request environment -variable information, as described in RFC 1408. 
-.It "DO LINEMODE" -Only sent if -.Nm telnetd -is compiled with support for linemode, and -requests that the client do line by line processing. -.It "DO TIMING-MARK" -Only sent if -.Nm telnetd -is compiled with support for both linemode and -kludge linemode, and the client responded with -.Dv WONT LINEMODE . -If the client responds with -.Dv WILL TM , -the it is assumed that the client supports -kludge linemode. -Note that the -.Op Fl k -option can be used to disable this. -.It "DO AUTHENTICATION" -Only sent if -.Nm telnetd -is compiled with support for authentication, and -indicates a willingness to receive authentication -information for automatic login. -.It "DO ENCRYPT" -Only sent if -.Nm telnetd -is compiled with support for data encryption, and -indicates a willingness to decrypt -the data stream. -.El -.Sh FILES -.Bl -tag -width /etc/services -compact -.It Pa /etc/services -.It Pa /etc/inittab -(UNICOS systems only) -.It Pa /etc/iptos -(if supported) -.El -.Sh "SEE ALSO" -.Xr telnet 1 , -.Xr login 1 -.Sh STANDARDS -.Bl -tag -compact -width RFC-1572 -.It Cm RFC-854 -.Tn TELNET -PROTOCOL SPECIFICATION -.It Cm RFC-855 -TELNET OPTION SPECIFICATIONS -.It Cm RFC-856 -TELNET BINARY TRANSMISSION -.It Cm RFC-857 -TELNET ECHO OPTION -.It Cm RFC-858 -TELNET SUPPRESS GO AHEAD OPTION -.It Cm RFC-859 -TELNET STATUS OPTION -.It Cm RFC-860 -TELNET TIMING MARK OPTION -.It Cm RFC-861 -TELNET EXTENDED OPTIONS - LIST OPTION -.It Cm RFC-885 -TELNET END OF RECORD OPTION -.It Cm RFC-1073 -Telnet Window Size Option -.It Cm RFC-1079 -Telnet Terminal Speed Option -.It Cm RFC-1091 -Telnet Terminal-Type Option -.It Cm RFC-1096 -Telnet X Display Location Option -.It Cm RFC-1123 -Requirements for Internet Hosts -- Application and Support -.It Cm RFC-1184 -Telnet Linemode Option -.It Cm RFC-1372 -Telnet Remote Flow Control Option -.It Cm RFC-1416 -Telnet Authentication Option -.It Cm RFC-1411 -Telnet Authentication: Kerberos Version 4 -.It Cm RFC-1412 -Telnet Authentication: SPX -.It Cm 
RFC-1571 -Telnet Environment Option Interoperability Issues -.It Cm RFC-1572 -Telnet Environment Option -.El -.Sh BUGS -Some -.Tn TELNET -commands are only partially implemented. -.Pp -Because of bugs in the original 4.2 BSD -.Xr telnet 1 , -.Nm telnetd -performs some dubious protocol exchanges to try to discover if the remote -client is, in fact, a 4.2 BSD -.Xr telnet 1 . -.Pp -Binary mode -has no common interpretation except between similar operating systems -(Unix in this case). -.Pp -The terminal type name received from the remote client is converted to -lower case. -.Pp -.Nm Telnetd -never sends -.Tn TELNET -.Dv IAC GA -(go ahead) commands. diff --git a/crypto/heimdal-0.6.3/appl/telnet/telnetd/telnetd.c b/crypto/heimdal-0.6.3/appl/telnet/telnetd/telnetd.c deleted file mode 100644 index e57eed7169..0000000000 --- a/crypto/heimdal-0.6.3/appl/telnet/telnetd/telnetd.c +++ /dev/null 
@@ -1,1377 +0,0 @@
-/*
- * Copyright (c) 1989, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "telnetd.h"
-
-RCSID("$Id: telnetd.c,v 1.69.6.1 2004/03/22 18:17:25 lha Exp $");
-
-#ifdef _SC_CRAY_SECURE_SYS
-#include
-#include
-#include
-#include
-int secflag;
-char tty_dev[16];
-struct secdev dv;
-struct sysv sysv;
-struct socksec ss;
-#endif /* _SC_CRAY_SECURE_SYS */
-
-#ifdef AUTHENTICATION
-int auth_level = 0;
-#endif
-
-extern int utmp_len;
-int registerd_host_only = 0;
-
-#undef NOERROR
-
-#ifdef STREAMSPTY
-# include
-# include
-#ifdef HAVE_SYS_UIO_H
-#include
-#endif /* HAVE_SYS_UIO_H */
-#ifdef HAVE_SYS_STREAM_H
-#include
-#endif
-
-#ifdef _AIX
-#include
-#endif
-# ifdef HAVE_SYS_STRTTY_H
-# include
-# endif
-# ifdef HAVE_SYS_STR_TTY_H
-# include
-# endif
-/* make sure we don't get the bsd version */
-/* what is this here for? solaris? /joda */
-# ifdef HAVE_SYS_TTY_H
-# include "/usr/include/sys/tty.h"
-# endif
-# ifdef HAVE_SYS_PTYVAR_H
-# include
-# endif
-
-/*
- * Because of the way ptyibuf is used with streams messages, we need
- * ptyibuf+1 to be on a full-word boundary. The following wierdness
- * is simply to make that happen.
- */
-long ptyibufbuf[BUFSIZ/sizeof(long)+1];
-char *ptyibuf = ((char *)&ptyibufbuf[1])-1;
-char *ptyip = ((char *)&ptyibufbuf[1])-1;
-char ptyibuf2[BUFSIZ];
-unsigned char ctlbuf[BUFSIZ];
-struct strbuf strbufc, strbufd;
-
-int readstream(int, char*, int);
-
-#else /* ! STREAMPTY */
-
-/*
- * I/O data buffers,
- * pointers, and counters.
- */
-char ptyibuf[BUFSIZ], *ptyip = ptyibuf;
-char ptyibuf2[BUFSIZ];
-
-#endif /* ! STREAMPTY */
-
-int hostinfo = 1; /* do we print login banner? */
-
-#ifdef _CRAY
-extern int newmap; /* nonzero if \n maps to ^M^J */
-int lowpty = 0, highpty; /* low, high pty numbers */
-#endif /* CRAY */
-
-int debug = 0;
-int keepalive = 1;
-char *progname;
-
-static void usage (void);
-
-/*
- * The string to pass to getopt(). We do it this way so
- * that only the actual options that we support will be
- * passed off to getopt().
- */ -char valid_opts[] = "Bd:hklnS:u:UL:y" -#ifdef AUTHENTICATION - "a:X:z" -#endif -#ifdef DIAGNOSTICS - "D:" -#endif -#ifdef _CRAY - "r:" -#endif - ; - -static void doit(struct sockaddr*, int); - -#ifdef ENCRYPTION -extern int des_check_key; -#endif - -int -main(int argc, char **argv) -{ - struct sockaddr_storage __ss; - struct sockaddr *sa = (struct sockaddr *)&__ss; - int on = 1; - socklen_t sa_size; - int ch; -#if defined(IPPROTO_IP) && defined(IP_TOS) - int tos = -1; -#endif -#ifdef ENCRYPTION - des_check_key = 1; /* Kludge for Mac NCSA telnet 2.6 /bg */ -#endif - pfrontp = pbackp = ptyobuf; - netip = netibuf; - nfrontp = nbackp = netobuf; - - setprogname(argv[0]); - - progname = *argv; -#ifdef ENCRYPTION - nclearto = 0; -#endif - -#ifdef _CRAY - /* - * Get number of pty's before trying to process options, - * which may include changing pty range. - */ - highpty = getnpty(); -#endif /* CRAY */ - - if (argc == 2 && strcmp(argv[1], "--version") == 0) { - print_version(NULL); - exit(0); - } - - while ((ch = getopt(argc, argv, valid_opts)) != -1) { - switch(ch) { - -#ifdef AUTHENTICATION - case 'a': - /* - * Check for required authentication level - */ - if (strcmp(optarg, "debug") == 0) { - auth_debug_mode = 1; - } else if (strcasecmp(optarg, "none") == 0) { - auth_level = 0; - } else if (strcasecmp(optarg, "otp") == 0) { - auth_level = 0; - require_otp = 1; - } else if (strcasecmp(optarg, "other") == 0) { - auth_level = AUTH_OTHER; - } else if (strcasecmp(optarg, "user") == 0) { - auth_level = AUTH_USER; - } else if (strcasecmp(optarg, "valid") == 0) { - auth_level = AUTH_VALID; - } else if (strcasecmp(optarg, "off") == 0) { - /* - * This hack turns off authentication - */ - auth_level = -1; - } else { - fprintf(stderr, - "telnetd: unknown authorization level for -a\n"); - } - break; -#endif /* AUTHENTICATION */ - - case 'B': /* BFTP mode is not supported any more */ - break; - case 'd': - if (strcmp(optarg, "ebug") == 0) { - debug++; - break; - } - usage(); - 
/* NOTREACHED */ - break; - -#ifdef DIAGNOSTICS - case 'D': - /* - * Check for desired diagnostics capabilities. - */ - if (!strcmp(optarg, "report")) { - diagnostic |= TD_REPORT|TD_OPTIONS; - } else if (!strcmp(optarg, "exercise")) { - diagnostic |= TD_EXERCISE; - } else if (!strcmp(optarg, "netdata")) { - diagnostic |= TD_NETDATA; - } else if (!strcmp(optarg, "ptydata")) { - diagnostic |= TD_PTYDATA; - } else if (!strcmp(optarg, "options")) { - diagnostic |= TD_OPTIONS; - } else { - usage(); - /* NOT REACHED */ - } - break; -#endif /* DIAGNOSTICS */ - - - case 'h': - hostinfo = 0; - break; - - case 'k': /* Linemode is not supported any more */ - case 'l': - break; - - case 'n': - keepalive = 0; - break; - -#ifdef _CRAY - case 'r': - { - char *strchr(); - char *c; - - /* - * Allow the specification of alterations - * to the pty search range. It is legal to - * specify only one, and not change the - * other from its default. - */ - c = strchr(optarg, '-'); - if (c) { - *c++ = '\0'; - highpty = atoi(c); - } - if (*optarg != '\0') - lowpty = atoi(optarg); - if ((lowpty > highpty) || (lowpty < 0) || - (highpty > 32767)) { - usage(); - /* NOT REACHED */ - } - break; - } -#endif /* CRAY */ - - case 'S': -#ifdef HAVE_PARSETOS - if ((tos = parsetos(optarg, "tcp")) < 0) - fprintf(stderr, "%s%s%s\n", - "telnetd: Bad TOS argument '", optarg, - "'; will try to use default TOS"); -#else - fprintf(stderr, "%s%s\n", "TOS option unavailable; ", - "-S flag not supported\n"); -#endif - break; - - case 'u': { - char *eptr; - - utmp_len = strtol(optarg, &eptr, 0); - if (optarg == eptr) - fprintf(stderr, "telnetd: unknown utmp len (%s)\n", optarg); - break; - } - - case 'U': - registerd_host_only = 1; - break; - -#ifdef AUTHENTICATION - case 'X': - /* - * Check for invalid authentication types - */ - auth_disable_name(optarg); - break; -#endif - case 'y': - no_warn = 1; - break; -#ifdef AUTHENTICATION - case 'z': - log_unauth = 1; - break; - -#endif /* AUTHENTICATION */ - - case 'L': 
- new_login = optarg; - break; - - default: - fprintf(stderr, "telnetd: %c: unknown option\n", ch); - /* FALLTHROUGH */ - case '?': - usage(); - /* NOTREACHED */ - } - } - - argc -= optind; - argv += optind; - - if (debug) { - int port = 0; - struct servent *sp; - - if (argc > 1) { - usage (); - } else if (argc == 1) { - sp = roken_getservbyname (*argv, "tcp"); - if (sp) - port = sp->s_port; - else - port = htons(atoi(*argv)); - } else { -#ifdef KRB5 - port = krb5_getportbyname (NULL, "telnet", "tcp", 23); -#else - port = k_getportbyname("telnet", "tcp", htons(23)); -#endif - } - mini_inetd (port); - } else if (argc > 0) { - usage(); - /* NOT REACHED */ - } - -#ifdef _SC_CRAY_SECURE_SYS - secflag = sysconf(_SC_CRAY_SECURE_SYS); - - /* - * Get socket's security label - */ - if (secflag) { - socklen_t szss = sizeof(ss); - int sock_multi; - socklen_t szi = sizeof(int); - - memset(&dv, 0, sizeof(dv)); - - if (getsysv(&sysv, sizeof(struct sysv)) != 0) - fatalperror(net, "getsysv"); - - /* - * Get socket security label and set device values - * {security label to be set on ttyp device} - */ -#ifdef SO_SEC_MULTI /* 8.0 code */ - if ((getsockopt(0, SOL_SOCKET, SO_SECURITY, - (void *)&ss, &szss) < 0) || - (getsockopt(0, SOL_SOCKET, SO_SEC_MULTI, - (void *)&sock_multi, &szi) < 0)) - fatalperror(net, "getsockopt"); - else { - dv.dv_actlvl = ss.ss_actlabel.lt_level; - dv.dv_actcmp = ss.ss_actlabel.lt_compart; - if (!sock_multi) { - dv.dv_minlvl = dv.dv_maxlvl = dv.dv_actlvl; - dv.dv_valcmp = dv.dv_actcmp; - } else { - dv.dv_minlvl = ss.ss_minlabel.lt_level; - dv.dv_maxlvl = ss.ss_maxlabel.lt_level; - dv.dv_valcmp = ss.ss_maxlabel.lt_compart; - } - dv.dv_devflg = 0; - } -#else /* SO_SEC_MULTI */ /* 7.0 code */ - if (getsockopt(0, SOL_SOCKET, SO_SECURITY, - (void *)&ss, &szss) >= 0) { - dv.dv_actlvl = ss.ss_slevel; - dv.dv_actcmp = ss.ss_compart; - dv.dv_minlvl = ss.ss_minlvl; - dv.dv_maxlvl = ss.ss_maxlvl; - dv.dv_valcmp = ss.ss_maxcmp; - } -#endif /* SO_SEC_MULTI */ - } 
-#endif /* _SC_CRAY_SECURE_SYS */ - - roken_openlog("telnetd", LOG_PID | LOG_ODELAY, LOG_DAEMON); - sa_size = sizeof (__ss); - if (getpeername(STDIN_FILENO, sa, &sa_size) < 0) { - fprintf(stderr, "%s: ", progname); - perror("getpeername"); - _exit(1); - } - if (keepalive && - setsockopt(STDIN_FILENO, SOL_SOCKET, SO_KEEPALIVE, - (void *)&on, sizeof (on)) < 0) { - syslog(LOG_WARNING, "setsockopt (SO_KEEPALIVE): %m"); - } - -#if defined(IPPROTO_IP) && defined(IP_TOS) && defined(HAVE_SETSOCKOPT) - { -# ifdef HAVE_GETTOSBYNAME - struct tosent *tp; - if (tos < 0 && (tp = gettosbyname("telnet", "tcp"))) - tos = tp->t_tos; -# endif - if (tos < 0) - tos = 020; /* Low Delay bit */ - if (tos - && sa->sa_family == AF_INET - && (setsockopt(STDIN_FILENO, IPPROTO_IP, IP_TOS, - (void *)&tos, sizeof(tos)) < 0) - && (errno != ENOPROTOOPT) ) - syslog(LOG_WARNING, "setsockopt (IP_TOS): %m"); - } -#endif /* defined(IPPROTO_IP) && defined(IP_TOS) */ - net = STDIN_FILENO; - doit(sa, sa_size); - /* NOTREACHED */ - return 0; -} /* end of main */ - -static void -usage(void) -{ - fprintf(stderr, "Usage: telnetd"); -#ifdef AUTHENTICATION - fprintf(stderr, " [-a (debug|other|otp|user|valid|off|none)]\n\t"); -#endif - fprintf(stderr, " [-debug]"); -#ifdef DIAGNOSTICS - fprintf(stderr, " [-D (options|report|exercise|netdata|ptydata)]\n\t"); -#endif -#ifdef AUTHENTICATION - fprintf(stderr, " [-edebug]"); -#endif - fprintf(stderr, " [-h]"); - fprintf(stderr, " [-L login]"); - fprintf(stderr, " [-n]"); -#ifdef _CRAY - fprintf(stderr, " [-r[lowpty]-[highpty]]"); -#endif - fprintf(stderr, "\n\t"); -#ifdef HAVE_GETTOSBYNAME - fprintf(stderr, " [-S tos]"); -#endif -#ifdef AUTHENTICATION - fprintf(stderr, " [-X auth-type] [-y] [-z]"); -#endif - fprintf(stderr, " [-u utmp_hostname_length] [-U]"); - fprintf(stderr, " [port]\n"); - exit(1); -} - -/* - * getterminaltype - * - * Ask the other end to send along its terminal type and speed. - * Output is the variable terminaltype filled in. 
- */ -static unsigned char ttytype_sbbuf[] = { - IAC, SB, TELOPT_TTYPE, TELQUAL_SEND, IAC, SE -}; - -int -getterminaltype(char *name, size_t name_sz) -{ - int retval = -1; - - settimer(baseline); -#ifdef AUTHENTICATION - /* - * Handle the Authentication option before we do anything else. - */ - send_do(TELOPT_AUTHENTICATION, 1); - while (his_will_wont_is_changing(TELOPT_AUTHENTICATION)) - ttloop(); - if (his_state_is_will(TELOPT_AUTHENTICATION)) { - retval = auth_wait(name, name_sz); - } -#endif - -#ifdef ENCRYPTION - send_will(TELOPT_ENCRYPT, 1); - send_do(TELOPT_ENCRYPT, 1); /* esc@magic.fi */ -#endif - send_do(TELOPT_TTYPE, 1); - send_do(TELOPT_TSPEED, 1); - send_do(TELOPT_XDISPLOC, 1); - send_do(TELOPT_NEW_ENVIRON, 1); - send_do(TELOPT_OLD_ENVIRON, 1); - while ( -#ifdef ENCRYPTION - his_do_dont_is_changing(TELOPT_ENCRYPT) || -#endif - his_will_wont_is_changing(TELOPT_TTYPE) || - his_will_wont_is_changing(TELOPT_TSPEED) || - his_will_wont_is_changing(TELOPT_XDISPLOC) || - his_will_wont_is_changing(TELOPT_NEW_ENVIRON) || - his_will_wont_is_changing(TELOPT_OLD_ENVIRON)) { - ttloop(); - } -#ifdef ENCRYPTION - /* - * Wait for the negotiation of what type of encryption we can - * send with. If autoencrypt is not set, this will just return. 
- */ - if (his_state_is_will(TELOPT_ENCRYPT)) { - encrypt_wait(); - } -#endif - if (his_state_is_will(TELOPT_TSPEED)) { - static unsigned char sb[] = - { IAC, SB, TELOPT_TSPEED, TELQUAL_SEND, IAC, SE }; - - telnet_net_write (sb, sizeof sb); - DIAG(TD_OPTIONS, printsub('>', sb + 2, sizeof sb - 2);); - } - if (his_state_is_will(TELOPT_XDISPLOC)) { - static unsigned char sb[] = - { IAC, SB, TELOPT_XDISPLOC, TELQUAL_SEND, IAC, SE }; - - telnet_net_write (sb, sizeof sb); - DIAG(TD_OPTIONS, printsub('>', sb + 2, sizeof sb - 2);); - } - if (his_state_is_will(TELOPT_NEW_ENVIRON)) { - static unsigned char sb[] = - { IAC, SB, TELOPT_NEW_ENVIRON, TELQUAL_SEND, IAC, SE }; - - telnet_net_write (sb, sizeof sb); - DIAG(TD_OPTIONS, printsub('>', sb + 2, sizeof sb - 2);); - } - else if (his_state_is_will(TELOPT_OLD_ENVIRON)) { - static unsigned char sb[] = - { IAC, SB, TELOPT_OLD_ENVIRON, TELQUAL_SEND, IAC, SE }; - - telnet_net_write (sb, sizeof sb); - DIAG(TD_OPTIONS, printsub('>', sb + 2, sizeof sb - 2);); - } - if (his_state_is_will(TELOPT_TTYPE)) { - - telnet_net_write (ttytype_sbbuf, sizeof ttytype_sbbuf); - DIAG(TD_OPTIONS, printsub('>', ttytype_sbbuf + 2, - sizeof ttytype_sbbuf - 2);); - } - if (his_state_is_will(TELOPT_TSPEED)) { - while (sequenceIs(tspeedsubopt, baseline)) - ttloop(); - } - if (his_state_is_will(TELOPT_XDISPLOC)) { - while (sequenceIs(xdisplocsubopt, baseline)) - ttloop(); - } - if (his_state_is_will(TELOPT_NEW_ENVIRON)) { - while (sequenceIs(environsubopt, baseline)) - ttloop(); - } - if (his_state_is_will(TELOPT_OLD_ENVIRON)) { - while (sequenceIs(oenvironsubopt, baseline)) - ttloop(); - } - if (his_state_is_will(TELOPT_TTYPE)) { - char first[256], last[256]; - - while (sequenceIs(ttypesubopt, baseline)) - ttloop(); - - /* - * If the other side has already disabled the option, then - * we have to just go with what we (might) have already gotten. 
- */ - if (his_state_is_will(TELOPT_TTYPE) && !terminaltypeok(terminaltype)) { - strlcpy(first, terminaltype, sizeof(first)); - for(;;) { - /* - * Save the unknown name, and request the next name. - */ - strlcpy(last, terminaltype, sizeof(last)); - _gettermname(); - if (terminaltypeok(terminaltype)) - break; - if ((strncmp(last, terminaltype, sizeof(last)) == 0) || - his_state_is_wont(TELOPT_TTYPE)) { - /* - * We've hit the end. If this is the same as - * the first name, just go with it. - */ - if (strncmp(first, terminaltype, sizeof(first)) == 0) - break; - /* - * Get the terminal name one more time, so that - * RFC1091 compliant telnets will cycle back to - * the start of the list. - */ - _gettermname(); - if (strncmp(first, terminaltype, sizeof(first)) != 0) - strcpy(terminaltype, first); - break; - } - } - } - } - return(retval); -} /* end of getterminaltype */ - -void -_gettermname(void) -{ - /* - * If the client turned off the option, - * we can't send another request, so we - * just return. - */ - if (his_state_is_wont(TELOPT_TTYPE)) - return; - settimer(baseline); - telnet_net_write (ttytype_sbbuf, sizeof ttytype_sbbuf); - DIAG(TD_OPTIONS, printsub('>', ttytype_sbbuf + 2, - sizeof ttytype_sbbuf - 2);); - while (sequenceIs(ttypesubopt, baseline)) - ttloop(); -} - -int -terminaltypeok(char *s) -{ - return 1; -} - - -char host_name[MaxHostNameLen]; -char remote_host_name[MaxHostNameLen]; -char remote_utmp_name[MaxHostNameLen]; - -/* - * Get a pty, scan input lines. - */ -static void -doit(struct sockaddr *who, int who_len) -{ - int level; - int ptynum; - char user_name[256]; - int error; - - /* - * Find an available pty to use. 
- */ - ourpty = getpty(&ptynum); - if (ourpty < 0) - fatal(net, "All network ports in use"); - -#ifdef _SC_CRAY_SECURE_SYS - /* - * set ttyp line security label - */ - if (secflag) { - char slave_dev[16]; - - snprintf(tty_dev, sizeof(tty_dev), "/dev/pty/%03d", ptynum); - if (setdevs(tty_dev, &dv) < 0) - fatal(net, "cannot set pty security"); - snprintf(slave_dev, sizeof(slave_dev), "/dev/ttyp%03d", ptynum); - if (setdevs(slave_dev, &dv) < 0) - fatal(net, "cannot set tty security"); - } -#endif /* _SC_CRAY_SECURE_SYS */ - - error = getnameinfo_verified (who, who_len, - remote_host_name, - sizeof(remote_host_name), - NULL, 0, - registerd_host_only ? NI_NAMEREQD : 0); - if (error) - fatal(net, "Couldn't resolve your address into a host name.\r\n\ -Please contact your net administrator"); - - gethostname(host_name, sizeof (host_name)); - - strlcpy (remote_utmp_name, remote_host_name, sizeof(remote_utmp_name)); - - /* Only trim if too long (and possible) */ - if (strlen(remote_utmp_name) > utmp_len) { - char *domain = strchr(host_name, '.'); - char *p = strchr(remote_utmp_name, '.'); - if (domain != NULL && p != NULL && (strcmp(p, domain) == 0)) - *p = '\0'; /* remove domain part */ - } - - /* - * If hostname still doesn't fit utmp, use ipaddr. - */ - if (strlen(remote_utmp_name) > utmp_len) { - error = getnameinfo (who, who_len, - remote_utmp_name, - sizeof(remote_utmp_name), - NULL, 0, - NI_NUMERICHOST); - if (error) - fatal(net, "Couldn't get numeric address\r\n"); - } - -#ifdef AUTHENTICATION - auth_encrypt_init(host_name, remote_host_name, "TELNETD", 1); -#endif - - init_env(); - /* - * get terminal type. - */ - *user_name = 0; - level = getterminaltype(user_name, sizeof(user_name)); - esetenv("TERM", terminaltype ? 
terminaltype : "network", 1); - -#ifdef _SC_CRAY_SECURE_SYS - if (secflag) { - if (setulvl(dv.dv_actlvl) < 0) - fatal(net,"cannot setulvl()"); - if (setucmp(dv.dv_actcmp) < 0) - fatal(net, "cannot setucmp()"); - } -#endif /* _SC_CRAY_SECURE_SYS */ - - /* begin server processing */ - my_telnet(net, ourpty, remote_host_name, remote_utmp_name, - level, user_name); - /*NOTREACHED*/ -} /* end of doit */ - -/* output contents of /etc/issue.net, or /etc/issue */ -static void -show_issue(void) -{ - FILE *f; - char buf[128]; - f = fopen(SYSCONFDIR "/issue.net", "r"); - if(f == NULL) - f = fopen(SYSCONFDIR "/issue", "r"); - if(f){ - while(fgets(buf, sizeof(buf)-2, f)){ - strcpy(buf + strcspn(buf, "\r\n"), "\r\n"); - writenet((unsigned char*)buf, strlen(buf)); - } - fclose(f); - } -} - -/* - * Main loop. Select from pty and network, and - * hand data to telnet receiver finite state machine. - */ -void -my_telnet(int f, int p, const char *host, const char *utmp_host, - int level, char *autoname) -{ - int on = 1; - char *he; - char *IM; - int nfd; - int startslave_called = 0; - time_t timeout; - - /* - * Initialize the slc mapping table. - */ - get_slc_defaults(); - - /* - * Do some tests where it is desireable to wait for a response. - * Rather than doing them slowly, one at a time, do them all - * at once. - */ - if (my_state_is_wont(TELOPT_SGA)) - send_will(TELOPT_SGA, 1); - /* - * Is the client side a 4.2 (NOT 4.3) system? We need to know this - * because 4.2 clients are unable to deal with TCP urgent data. - * - * To find out, we send out a "DO ECHO". If the remote system - * answers "WILL ECHO" it is probably a 4.2 client, and we note - * that fact ("WILL ECHO" ==> that the client will echo what - * WE, the server, sends it; it does NOT mean that the client will - * echo the terminal input). - */ - send_do(TELOPT_ECHO, 1); - - /* - * Send along a couple of other options that we wish to negotiate. 
- */ - send_do(TELOPT_NAWS, 1); - send_will(TELOPT_STATUS, 1); - flowmode = 1; /* default flow control state */ - restartany = -1; /* uninitialized... */ - send_do(TELOPT_LFLOW, 1); - - /* - * Spin, waiting for a response from the DO ECHO. However, - * some REALLY DUMB telnets out there might not respond - * to the DO ECHO. So, we spin looking for NAWS, (most dumb - * telnets so far seem to respond with WONT for a DO that - * they don't understand...) because by the time we get the - * response, it will already have processed the DO ECHO. - * Kludge upon kludge. - */ - while (his_will_wont_is_changing(TELOPT_NAWS)) - ttloop(); - - /* - * But... - * The client might have sent a WILL NAWS as part of its - * startup code; if so, we'll be here before we get the - * response to the DO ECHO. We'll make the assumption - * that any implementation that understands about NAWS - * is a modern enough implementation that it will respond - * to our DO ECHO request; hence we'll do another spin - * waiting for the ECHO option to settle down, which is - * what we wanted to do in the first place... - */ - if (his_want_state_is_will(TELOPT_ECHO) && - his_state_is_will(TELOPT_NAWS)) { - while (his_will_wont_is_changing(TELOPT_ECHO)) - ttloop(); - } - /* - * On the off chance that the telnet client is broken and does not - * respond to the DO ECHO we sent, (after all, we did send the - * DO NAWS negotiation after the DO ECHO, and we won't get here - * until a response to the DO NAWS comes back) simulate the - * receipt of a will echo. This will also send a WONT ECHO - * to the client, since we assume that the client failed to - * respond because it believes that it is already in DO ECHO - * mode, which we do not want. - */ - if (his_want_state_is_will(TELOPT_ECHO)) { - DIAG(TD_OPTIONS, - {output_data("td: simulating recv\r\n"); - }); - willoption(TELOPT_ECHO); - } - - /* - * Finally, to clean things up, we turn on our echo. 
This - * will break stupid 4.2 telnets out of local terminal echo. - */ - - if (my_state_is_wont(TELOPT_ECHO)) - send_will(TELOPT_ECHO, 1); - -#ifdef TIOCPKT -#ifdef STREAMSPTY - if (!really_stream) -#endif - /* - * Turn on packet mode - */ - ioctl(p, TIOCPKT, (char *)&on); -#endif - - - /* - * Call telrcv() once to pick up anything received during - * terminal type negotiation, 4.2/4.3 determination, and - * linemode negotiation. - */ - telrcv(); - - ioctl(f, FIONBIO, (char *)&on); - ioctl(p, FIONBIO, (char *)&on); - -#if defined(SO_OOBINLINE) && defined(HAVE_SETSOCKOPT) - setsockopt(net, SOL_SOCKET, SO_OOBINLINE, - (void *)&on, sizeof on); -#endif /* defined(SO_OOBINLINE) */ - -#ifdef SIGTSTP - signal(SIGTSTP, SIG_IGN); -#endif -#ifdef SIGTTOU - /* - * Ignoring SIGTTOU keeps the kernel from blocking us - * in ttioct() in /sys/tty.c. - */ - signal(SIGTTOU, SIG_IGN); -#endif - - signal(SIGCHLD, cleanup); - -#ifdef TIOCNOTTY - { - int t; - t = open(_PATH_TTY, O_RDWR); - if (t >= 0) { - ioctl(t, TIOCNOTTY, (char *)0); - close(t); - } - } -#endif - - show_issue(); - /* - * Show banner that getty never gave. - * - * We put the banner in the pty input buffer. This way, it - * gets carriage return null processing, etc., just like all - * other pty --> client data. - */ - - if (getenv("USER")) - hostinfo = 0; - - IM = DEFAULT_IM; - he = 0; - edithost(he, host_name); - if (hostinfo && *IM) - putf(IM, ptyibuf2); - - if (pcc) - strncat(ptyibuf2, ptyip, pcc+1); - ptyip = ptyibuf2; - pcc = strlen(ptyip); - - DIAG(TD_REPORT, { - output_data("td: Entering processing loop\r\n"); - }); - - - nfd = ((f > p) ? 
f : p) + 1; - timeout = time(NULL) + 5; - for (;;) { - fd_set ibits, obits, xbits; - int c; - - /* wait for encryption to be turned on, but don't wait - indefinitely */ - if(!startslave_called && (!encrypt_delay() || timeout > time(NULL))){ - startslave_called = 1; - startslave(host, utmp_host, level, autoname); - } - - if (ncc < 0 && pcc < 0) - break; - - FD_ZERO(&ibits); - FD_ZERO(&obits); - FD_ZERO(&xbits); - - if (f >= FD_SETSIZE - || p >= FD_SETSIZE) - fatal(net, "fd too large"); - - /* - * Never look for input if there's still - * stuff in the corresponding output buffer - */ - if (nfrontp - nbackp || pcc > 0) { - FD_SET(f, &obits); - } else { - FD_SET(p, &ibits); - } - if (pfrontp - pbackp || ncc > 0) { - FD_SET(p, &obits); - } else { - FD_SET(f, &ibits); - } - if (!SYNCHing) { - FD_SET(f, &xbits); - } - if ((c = select(nfd, &ibits, &obits, &xbits, - (struct timeval *)0)) < 1) { - if (c == -1) { - if (errno == EINTR) { - continue; - } - } - sleep(5); - continue; - } - - /* - * Any urgent data? - */ - if (FD_ISSET(net, &xbits)) { - SYNCHing = 1; - } - - /* - * Something to read from the network... - */ - if (FD_ISSET(net, &ibits)) { -#ifndef SO_OOBINLINE - /* - * In 4.2 (and 4.3 beta) systems, the - * OOB indication and data handling in the kernel - * is such that if two separate TCP Urgent requests - * come in, one byte of TCP data will be overlaid. - * This is fatal for Telnet, but we try to live - * with it. - * - * In addition, in 4.2 (and...), a special protocol - * is needed to pick up the TCP Urgent data in - * the correct sequence. - * - * What we do is: if we think we are in urgent - * mode, we look to see if we are "at the mark". - * If we are, we do an OOB receive. If we run - * this twice, we will do the OOB receive twice, - * but the second will fail, since the second - * time we were "at the mark", but there wasn't - * any data there (the kernel doesn't reset - * "at the mark" until we do a normal read). 
- * Once we've read the OOB data, we go ahead - * and do normal reads. - * - * There is also another problem, which is that - * since the OOB byte we read doesn't put us - * out of OOB state, and since that byte is most - * likely the TELNET DM (data mark), we would - * stay in the TELNET SYNCH (SYNCHing) state. - * So, clocks to the rescue. If we've "just" - * received a DM, then we test for the - * presence of OOB data when the receive OOB - * fails (and AFTER we did the normal mode read - * to clear "at the mark"). - */ - if (SYNCHing) { - int atmark; - - ioctl(net, SIOCATMARK, (char *)&atmark); - if (atmark) { - ncc = recv(net, netibuf, sizeof (netibuf), MSG_OOB); - if ((ncc == -1) && (errno == EINVAL)) { - ncc = read(net, netibuf, sizeof (netibuf)); - if (sequenceIs(didnetreceive, gotDM)) { - SYNCHing = stilloob(net); - } - } - } else { - ncc = read(net, netibuf, sizeof (netibuf)); - } - } else { - ncc = read(net, netibuf, sizeof (netibuf)); - } - settimer(didnetreceive); -#else /* !defined(SO_OOBINLINE)) */ - ncc = read(net, netibuf, sizeof (netibuf)); -#endif /* !defined(SO_OOBINLINE)) */ - if (ncc < 0 && errno == EWOULDBLOCK) - ncc = 0; - else { - if (ncc <= 0) { - break; - } - netip = netibuf; - } - DIAG((TD_REPORT | TD_NETDATA), { - output_data("td: netread %d chars\r\n", ncc); - }); - DIAG(TD_NETDATA, printdata("nd", netip, ncc)); - } - - /* - * Something to read from the pty... - */ - if (FD_ISSET(p, &ibits)) { -#ifdef STREAMSPTY - if (really_stream) - pcc = readstream(p, ptyibuf, BUFSIZ); - else -#endif - pcc = read(p, ptyibuf, BUFSIZ); - - /* - * On some systems, if we try to read something - * off the master side before the slave side is - * opened, we get EIO. 
- */ - if (pcc < 0 && (errno == EWOULDBLOCK || -#ifdef EAGAIN - errno == EAGAIN || -#endif - errno == EIO)) { - pcc = 0; - } else { - if (pcc <= 0) - break; - if (ptyibuf[0] & TIOCPKT_FLUSHWRITE) { - netclear(); /* clear buffer back */ -#ifndef NO_URGENT - /* - * There are client telnets on some - * operating systems get screwed up - * royally if we send them urgent - * mode data. - */ - output_data ("%c%c", IAC, DM); - - neturg = nfrontp-1; /* off by one XXX */ - DIAG(TD_OPTIONS, - printoption("td: send IAC", DM)); - -#endif - } - if (his_state_is_will(TELOPT_LFLOW) && - (ptyibuf[0] & - (TIOCPKT_NOSTOP|TIOCPKT_DOSTOP))) { - int newflow = - ptyibuf[0] & TIOCPKT_DOSTOP ? 1 : 0; - if (newflow != flowmode) { - flowmode = newflow; - output_data("%c%c%c%c%c%c", - IAC, SB, TELOPT_LFLOW, - flowmode ? LFLOW_ON - : LFLOW_OFF, - IAC, SE); - DIAG(TD_OPTIONS, printsub('>', - (unsigned char *)nfrontp-4, - 4);); - } - } - pcc--; - ptyip = ptyibuf+1; - } - } - - while (pcc > 0) { - if ((&netobuf[BUFSIZ] - nfrontp) < 3) - break; - c = *ptyip++ & 0377, pcc--; - if (c == IAC) - *nfrontp++ = c; - *nfrontp++ = c; - if ((c == '\r') && (my_state_is_wont(TELOPT_BINARY))) { - if (pcc > 0 && ((*ptyip & 0377) == '\n')) { - *nfrontp++ = *ptyip++ & 0377; - pcc--; - } else - *nfrontp++ = '\0'; - } - } - - if (FD_ISSET(f, &obits) && (nfrontp - nbackp) > 0) - netflush(); - if (ncc > 0) - telrcv(); - if (FD_ISSET(p, &obits) && (pfrontp - pbackp) > 0) - ptyflush(); - } - cleanup(0); -} - -#ifndef TCSIG -# ifdef TIOCSIG -# define TCSIG TIOCSIG -# endif -#endif - -#ifdef STREAMSPTY - - int flowison = -1; /* current state of flow: -1 is unknown */ - -int -readstream(int p, char *ibuf, int bufsize) -{ - int flags = 0; - int ret = 0; - struct termios *tsp; -#if 0 - struct termio *tp; -#endif - struct iocblk *ip; - char vstop, vstart; - int ixon; - int newflow; - - strbufc.maxlen = BUFSIZ; - strbufc.buf = (char *)ctlbuf; - strbufd.maxlen = bufsize-1; - strbufd.len = 0; - strbufd.buf = ibuf+1; - ibuf[0] 
= 0; - - ret = getmsg(p, &strbufc, &strbufd, &flags); - if (ret < 0) /* error of some sort -- probably EAGAIN */ - return(-1); - - if (strbufc.len <= 0 || ctlbuf[0] == M_DATA) { - /* data message */ - if (strbufd.len > 0) { /* real data */ - return(strbufd.len + 1); /* count header char */ - } else { - /* nothing there */ - errno = EAGAIN; - return(-1); - } - } - - /* - * It's a control message. Return 1, to look at the flag we set - */ - - switch (ctlbuf[0]) { - case M_FLUSH: - if (ibuf[1] & FLUSHW) - ibuf[0] = TIOCPKT_FLUSHWRITE; - return(1); - - case M_IOCTL: - ip = (struct iocblk *) (ibuf+1); - - switch (ip->ioc_cmd) { -#ifdef TCSETS - case TCSETS: - case TCSETSW: - case TCSETSF: - tsp = (struct termios *) - (ibuf+1 + sizeof(struct iocblk)); - vstop = tsp->c_cc[VSTOP]; - vstart = tsp->c_cc[VSTART]; - ixon = tsp->c_iflag & IXON; - break; -#endif -#if 0 - case TCSETA: - case TCSETAW: - case TCSETAF: - tp = (struct termio *) (ibuf+1 + sizeof(struct iocblk)); - vstop = tp->c_cc[VSTOP]; - vstart = tp->c_cc[VSTART]; - ixon = tp->c_iflag & IXON; - break; -#endif - default: - errno = EAGAIN; - return(-1); - } - - newflow = (ixon && (vstart == 021) && (vstop == 023)) ? 1 : 0; - if (newflow != flowison) { /* it's a change */ - flowison = newflow; - ibuf[0] = newflow ? TIOCPKT_DOSTOP : TIOCPKT_NOSTOP; - return(1); - } - } - - /* nothing worth doing anything about */ - errno = EAGAIN; - return(-1); -} -#endif /* STREAMSPTY */ - -/* - * Send interrupt to process on other side of pty. - * If it is in raw mode, just write NULL; - * otherwise, write intr char. - */ -void -interrupt() -{ - ptyflush(); /* half-hearted */ - -#if defined(STREAMSPTY) && defined(TIOCSIGNAL) - /* Streams PTY style ioctl to post a signal */ - if (really_stream) - { - int sig = SIGINT; - ioctl(ourpty, TIOCSIGNAL, &sig); - ioctl(ourpty, I_FLUSH, FLUSHR); - } -#else -#ifdef TCSIG - ioctl(ourpty, TCSIG, (char *)SIGINT); -#else /* TCSIG */ - init_termbuf(); - *pfrontp++ = slctab[SLC_IP].sptr ? 
- (unsigned char)*slctab[SLC_IP].sptr : '\177'; -#endif /* TCSIG */ -#endif -} - -/* - * Send quit to process on other side of pty. - * If it is in raw mode, just write NULL; - * otherwise, write quit char. - */ -void -sendbrk() -{ - ptyflush(); /* half-hearted */ -#ifdef TCSIG - ioctl(ourpty, TCSIG, (char *)SIGQUIT); -#else /* TCSIG */ - init_termbuf(); - *pfrontp++ = slctab[SLC_ABORT].sptr ? - (unsigned char)*slctab[SLC_ABORT].sptr : '\034'; -#endif /* TCSIG */ -} - -void -sendsusp() -{ -#ifdef SIGTSTP - ptyflush(); /* half-hearted */ -# ifdef TCSIG - ioctl(ourpty, TCSIG, (char *)SIGTSTP); -# else /* TCSIG */ - *pfrontp++ = slctab[SLC_SUSP].sptr ? - (unsigned char)*slctab[SLC_SUSP].sptr : '\032'; -# endif /* TCSIG */ -#endif /* SIGTSTP */ -} - -/* - * When we get an AYT, if ^T is enabled, use that. Otherwise, - * just send back "[Yes]". - */ -void -recv_ayt() -{ -#if defined(SIGINFO) && defined(TCSIG) - if (slctab[SLC_AYT].sptr && *slctab[SLC_AYT].sptr != _POSIX_VDISABLE) { - ioctl(ourpty, TCSIG, (char *)SIGINFO); - return; - } -#endif - output_data("\r\n[Yes]\r\n"); -} - -void -doeof() -{ - init_termbuf(); - - *pfrontp++ = slctab[SLC_EOF].sptr ? - (unsigned char)*slctab[SLC_EOF].sptr : '\004'; -} diff --git a/crypto/heimdal-0.6.3/appl/telnet/telnetd/telnetd.cat8 b/crypto/heimdal-0.6.3/appl/telnet/telnetd/telnetd.cat8 deleted file mode 100644 index ea599dc8c1..0000000000 --- a/crypto/heimdal-0.6.3/appl/telnet/telnetd/telnetd.cat8 +++ /dev/null 
@@ -1,299 +0,0 @@ - -TELNETD(8) UNIX System Manager's Manual TELNETD(8) - -NNAAMMEE - tteellnneettdd - DARPA TELNET protocol server - -SSYYNNOOPPSSIISS - tteellnneettdd [--BBUUhhkkllnn] [--DD _d_e_b_u_g_m_o_d_e] [--SS _t_o_s] [--XX _a_u_t_h_t_y_p_e] [--aa _a_u_t_h_m_o_d_e] - [--rr_l_o_w_p_t_y_-_h_i_g_h_p_t_y] [--uu _l_e_n] [--ddeebbuugg] [--LL _/_b_i_n_/_l_o_g_i_n] [--yy] [_p_o_r_t] - -DDEESSCCRRIIPPTTIIOONN - The tteellnneettdd command is a server which supports the DARPA standard TELNET - virtual terminal protocol. TTeellnneettdd is normally invoked by the internet - server (see inetd(8)) for requests to connect to the TELNET port as in- - dicated by the _/_e_t_c_/_s_e_r_v_i_c_e_s file (see services(5)). The --ddeebbuugg option - may be used to start up tteellnneettdd manually, instead of through inetd(8). - If started up this way, _p_o_r_t may be specified to run tteellnneettdd on an alter- - nate TCP port number. - - The tteellnneettdd command accepts the following options: - - --aa _a_u_t_h_m_o_d_e This option may be used for specifying what mode should be - used for authentication. Note that this option is only use- - ful if tteellnneettdd has been compiled with support for the - AUTHENTICATION option. There are several valid values for - _a_u_t_h_m_o_d_e: - - debug Turns on authentication debugging code. - - user Only allow connections when the remote user can pro- - vide valid authentication information to identify the - remote user, and is allowed access to the specified - account without providing a password. - - valid Only allow connections when the remote user can pro- - vide valid authentication information to identify the - remote user. The login(1) command will provide any - additional user verification needed if the remote us- - er is not allowed automatic access to the specified - account. - - other Only allow connections that supply some authentica- - tion information. 
This option is currently not sup- - ported by any of the existing authentication mecha- - nisms, and is thus the same as specifying --aa vvaalliidd. - - otp Only allow authenticated connections (as with --aa - uusseerr) and also logins with one-time passwords (OTPs). - This option will call login with an option so that - only OTPs are accepted. The user can of course still - type secret information at the prompt. - - none This is the default state. Authentication informa- - tion is not required. If no or insufficient authen- - tication information is provided, then the login(1) - program will provide the necessary user verification. - - off This disables the authentication code. All user ver- - ification will happen through the login(1) program. - - --BB Ignored. - - --DD _d_e_b_u_g_m_o_d_e - This option may be used for debugging purposes. This allows - tteellnneettdd to print out debugging information to the connec- - tion, allowing the user to see what tteellnneettdd is doing. There - are several possible values for _d_e_b_u_g_m_o_d_e: - - ooppttiioonnss Prints information about the negotiation of TELNET - options. - - rreeppoorrtt Prints the ooppttiioonnss information, plus some addi- - tional information about what processing is going - on. - - nneettddaattaa Displays the data stream received by tteellnneettdd. - - ppttyyddaattaa Displays data written to the pty. - - eexxeerrcciissee Has not been implemented yet. - - --hh Disables the printing of host-specific information before - login has been completed. - - --kk - - --ll Ignored. - - --nn Disable TCP keep-alives. Normally tteellnneettdd enables the TCP - keep-alive mechanism to probe connections that have been - idle for some period of time to determine if the client is - still there, so that idle connections from machines that - have crashed or can no longer be reached may be cleaned up. - - --rr _l_o_w_p_t_y_-_h_i_g_h_p_t_y - This option is only enabled when tteellnneettdd is compiled for - UNICOS. 
It specifies an inclusive range of pseudo-terminal - devices to use. If the system has sysconf variable - _SC_CRAY_NPTY configured, the default pty search range is 0 - to _SC_CRAY_NPTY; otherwise, the default range is 0 to 128. - Either _l_o_w_p_t_y or _h_i_g_h_p_t_y may be omitted to allow changing - either end of the search range. If _l_o_w_p_t_y is omitted, the - - character is still required so that tteellnneettdd can differenti- - ate _h_i_g_h_p_t_y from _l_o_w_p_t_y. - - --SS _t_o_s - - --uu _l_e_n This option is used to specify the size of the field in the - utmp structure that holds the remote host name. If the re- - solved host name is longer than _l_e_n, the dotted decimal val- - ue will be used instead. This allows hosts with very long - host names that overflow this field to still be uniquely - identified. Specifying --uu00 indicates that only dotted deci- - mal addresses should be put into the _u_t_m_p file. - - --UU This option causes tteellnneettdd to refuse connections from ad- - dresses that cannot be mapped back into a symbolic name via - the gethostbyaddr(3) routine. - - --XX _a_u_t_h_t_y_p_e This option is only valid if tteellnneettdd has been built with - support for the authentication option. It disables the use - of _a_u_t_h_t_y_p_e authentication, and can be used to temporarily - disable a specific authentication type without having to re- - compile tteellnneettdd. - - --LL _p_a_t_h_n_a_m_e Specify pathname to an alternative login program. - - --yy Makes tteellnneettdd not warn when a user is trying to login with a - cleartext password. - - - TTeellnneettdd operates by allocating a pseudo-terminal device (see pty(4)) for - a client, then creating a login process which has the slave side of the - pseudo-terminal as stdin, stdout and stderr. TTeellnneettdd manipulates the mas- - ter side of the pseudo-terminal, implementing the TELNET protocol and - passing characters between the remote client and the login process. 
- - When a TELNET session is started up, tteellnneettdd sends TELNET options to the - client side indicating a willingness to do the following TELNET options, - which are described in more detail below: - - DO AUTHENTICATION - WILL ENCRYPT - DO TERMINAL TYPE - DO TSPEED - DO XDISPLOC - DO NEW-ENVIRON - DO ENVIRON - WILL SUPPRESS GO AHEAD - DO ECHO - DO LINEMODE - DO NAWS - WILL STATUS - DO LFLOW - DO TIMING-MARK - - The pseudo-terminal allocated to the client is configured to operate in - ``cooked'' mode, and with XTABS and CRMOD enabled (see tty(4)). - - TTeellnneettdd has support for enabling locally the following TELNET options: - - WILL ECHO When the LINEMODE option is enabled, a WILL ECHO or - WONT ECHO will be sent to the client to indicate the - current state of terminal echoing. When terminal echo - is not desired, a WILL ECHO is sent to indicate that - telnetd will take care of echoing any data that needs - to be echoed to the terminal, and then nothing is - echoed. When terminal echo is desired, a WONT ECHO is - sent to indicate that telnetd will not be doing any - terminal echoing, so the client should do any terminal - echoing that is needed. - - WILL BINARY Indicates that the client is willing to send a 8 bits - of data, rather than the normal 7 bits of the Network - Virtual Terminal. - - WILL SGA Indicates that it will not be sending IAC GA, go - ahead, commands. - - WILL STATUS Indicates a willingness to send the client, upon re- - quest, of the current status of all TELNET options. - - WILL TIMING-MARK Whenever a DO TIMING-MARK command is received, it is - always responded to with a WILL TIMING-MARK - - WILL LOGOUT When a DO LOGOUT is received, a WILL LOGOUT is sent in - response, and the TELNET session is shut down. - - WILL ENCRYPT Only sent if tteellnneettdd is compiled with support for data - encryption, and indicates a willingness to decrypt the - data stream. 
- - TTeellnneettdd has support for enabling remotely the following TELNET options: - - DO BINARY Sent to indicate that telnetd is willing to receive an - - - 8 bit data stream. - - DO LFLOW Requests that the client handle flow control charac- - ters remotely. - - DO ECHO This is not really supported, but is sent to identify - a 4.2BSD telnet(1) client, which will improperly re- - spond with WILL ECHO. If a WILL ECHO is received, a - DONT ECHO will be sent in response. - - DO TERMINAL-TYPE Indicates a desire to be able to request the name of - the type of terminal that is attached to the client - side of the connection. - - DO SGA Indicates that it does not need to receive IAC GA, the - go ahead command. - - DO NAWS Requests that the client inform the server when the - window (display) size changes. - - DO TERMINAL-SPEED Indicates a desire to be able to request information - about the speed of the serial line to which the client - is attached. - - DO XDISPLOC Indicates a desire to be able to request the name of - the X windows display that is associated with the tel- - net client. - - DO NEW-ENVIRON Indicates a desire to be able to request environment - variable information, as described in RFC 1572. - - DO ENVIRON Indicates a desire to be able to request environment - variable information, as described in RFC 1408. - - DO LINEMODE Only sent if tteellnneettdd is compiled with support for - linemode, and requests that the client do line by line - processing. - - DO TIMING-MARK Only sent if tteellnneettdd is compiled with support for both - linemode and kludge linemode, and the client responded - with WONT LINEMODE. If the client responds with WILL - TM, the it is assumed that the client supports kludge - linemode. Note that the [--kk] option can be used to - disable this. - - DO AUTHENTICATION Only sent if tteellnneettdd is compiled with support for au- - thentication, and indicates a willingness to receive - authentication information for automatic login. 
- - DO ENCRYPT Only sent if tteellnneettdd is compiled with support for data - encryption, and indicates a willingness to decrypt the - data stream. - -FFIILLEESS - /etc/services - /etc/inittab (UNICOS systems only) - /etc/iptos (if supported) - -SSEEEE AALLSSOO - telnet(1), login(1) - -SSTTAANNDDAARRDDSS - RRFFCC--885544 TELNET PROTOCOL SPECIFICATION - RRFFCC--885555 TELNET OPTION SPECIFICATIONS - - - RRFFCC--885566 TELNET BINARY TRANSMISSION - RRFFCC--885577 TELNET ECHO OPTION - RRFFCC--885588 TELNET SUPPRESS GO AHEAD OPTION - RRFFCC--885599 TELNET STATUS OPTION - RRFFCC--886600 TELNET TIMING MARK OPTION - RRFFCC--886611 TELNET EXTENDED OPTIONS - LIST OPTION - RRFFCC--888855 TELNET END OF RECORD OPTION - RRFFCC--11007733 Telnet Window Size Option - RRFFCC--11007799 Telnet Terminal Speed Option - RRFFCC--11009911 Telnet Terminal-Type Option - RRFFCC--11009966 Telnet X Display Location Option - RRFFCC--11112233 Requirements for Internet Hosts -- Application and Support - RRFFCC--11118844 Telnet Linemode Option - RRFFCC--11337722 Telnet Remote Flow Control Option - RRFFCC--11441166 Telnet Authentication Option - RRFFCC--11441111 Telnet Authentication: Kerberos Version 4 - RRFFCC--11441122 Telnet Authentication: SPX - RRFFCC--11557711 Telnet Environment Option Interoperability Issues - RRFFCC--11557722 Telnet Environment Option - -BBUUGGSS - Some TELNET commands are only partially implemented. - - Because of bugs in the original 4.2 BSD telnet(1), tteellnneettdd performs some - dubious protocol exchanges to try to discover if the remote client is, in - fact, a 4.2 BSD telnet(1). - - Binary mode has no common interpretation except between similar operating - systems (Unix in this case). - - The terminal type name received from the remote client is converted to - lower case. - - TTeellnneettdd never sends TELNET IAC GA (go ahead) commands. - -4.2 Berkeley Distribution June 1, 1994 5 
diff --git a/crypto/heimdal-0.6.3/appl/telnet/telnetd/telnetd.h b/crypto/heimdal-0.6.3/appl/telnet/telnetd/telnetd.h
deleted file mode 100644
index 65046073e9..0000000000
--- a/crypto/heimdal-0.6.3/appl/telnet/telnetd/telnetd.h
+++ /dev/null
@@ -1,223 +0,0 @@ -/* - * Copyright (c) 1989, 1993 - * The Regents of the University of California. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- * - * @(#)telnetd.h 8.1 (Berkeley) 6/4/93 - */ - - -#include - -#include -#include -#include -#include - -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_SYS_PARAM_H -#include -#endif - -#ifdef HAVE_SYS_SOCKET_H -#include -#endif -#ifdef TIME_WITH_SYS_TIME -#include -#include -#elif defined(HAVE_SYS_TIME_H) -#include -#else -#include -#endif - -#ifdef HAVE_SYS_RESOURCE_H -#include -#endif /* HAVE_SYS_RESOURCE_H */ - -#ifdef HAVE_SYS_WAIT_H -#include -#endif - -#ifdef HAVE_FCNTL_H -#include -#endif -#ifdef HAVE_SYS_FILE_H -#include -#endif -#ifdef HAVE_SYS_STAT_H -#include -#endif - -/* including both and in SunOS 4 generates a - lot of warnings */ - -#if defined(HAVE_SYS_IOCTL_H) && SunOS != 40 -#include -#endif -#ifdef HAVE_SYS_FILIO_H -#include -#endif - -#ifdef HAVE_NETINET_IN_H -#include -#endif -#ifdef HAVE_NETINET_IN6_H -#include -#endif -#ifdef HAVE_NETINET6_IN6_H -#include -#endif - -#ifdef HAVE_ARPA_INET_H -#include -#endif - -#include -#include -#ifdef HAVE_NETDB_H -#include -#endif -#ifdef HAVE_SYSLOG_H -#include -#endif -#include - -#ifdef HAVE_UNISTD_H -#include -#endif - -#include - -#ifdef HAVE_PTY_H -#include -#endif - -#include "defs.h" - -#ifndef _POSIX_VDISABLE -# ifdef VDISABLE -# define _POSIX_VDISABLE VDISABLE -# else -# define _POSIX_VDISABLE ((unsigned char)'\377') -# endif -#endif - - -#ifdef HAVE_SYS_PTY_H -#include -#endif -#ifdef HAVE_SYS_SELECT_H -#include -#endif - -#ifdef HAVE_SYS_PTYIO_H -#include -#endif - -#ifdef HAVE_SYS_UTSNAME_H -#include -#endif - -#ifdef HAVE_PATHS_H -#include -#endif - -#ifdef HAVE_ARPA_TELNET_H -#include -#endif - -#include "ext.h" - -#ifdef SOCKS -#include -/* This doesn't belong here. 
*/ -struct tm *localtime(const time_t *); -struct hostent *gethostbyname(const char *); -#endif - -#ifdef KRB4 -#include -#endif - -#ifdef AUTHENTICATION -#include -#include -#ifdef ENCRYPTION -#include -#endif -#endif - -#ifdef HAVE_LIBUTIL_H -#include -#endif - -#include - -/* Don't use the system login, use our version instead */ - -/* BINDIR should be defined somewhere else... */ - -#ifndef BINDIR -#define BINDIR "/usr/athena/bin" -#endif - -#undef _PATH_LOGIN -#define _PATH_LOGIN BINDIR "/login" - -/* fallbacks */ - -#ifndef _PATH_DEV -#define _PATH_DEV "/dev/" -#endif - -#ifndef _PATH_TTY -#define _PATH_TTY "/dev/tty" -#endif /* _PATH_TTY */ - -#ifdef DIAGNOSTICS -#define DIAG(a,b) if (diagnostic & (a)) b -#else -#define DIAG(a,b) -#endif - -/* other external variables */ -extern char **environ; - -/* prototypes */ - -/* appends data to nfrontp and advances */ -int output_data (const char *format, ...) -#ifdef __GNUC__ -__attribute__ ((format (printf, 1, 2))) -#endif -; diff --git a/crypto/heimdal-0.6.3/appl/telnet/telnetd/termstat.c b/crypto/heimdal-0.6.3/appl/telnet/telnetd/termstat.c deleted file mode 100644 index a223269f03..0000000000 --- a/crypto/heimdal-0.6.3/appl/telnet/telnetd/termstat.c +++ /dev/null 
@@ -1,138 +0,0 @@ -/* - * Copyright (c) 1989, 1993 - * The Regents of the University of California. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "telnetd.h" - -RCSID("$Id: termstat.c,v 1.12 2001/08/29 00:45:23 assar Exp $"); - -/* - * local variables - */ -int def_tspeed = -1, def_rspeed = -1; -#ifdef TIOCSWINSZ -int def_row = 0, def_col = 0; -#endif - -/* - * flowstat - * - * Check for changes to flow control - */ -void -flowstat(void) -{ - if (his_state_is_will(TELOPT_LFLOW)) { - if (tty_flowmode() != flowmode) { - flowmode = tty_flowmode(); - output_data("%c%c%c%c%c%c", - IAC, SB, TELOPT_LFLOW, - flowmode ? LFLOW_ON : LFLOW_OFF, - IAC, SE); - } - if (tty_restartany() != restartany) { - restartany = tty_restartany(); - output_data("%c%c%c%c%c%c", - IAC, SB, TELOPT_LFLOW, - restartany ? LFLOW_RESTART_ANY - : LFLOW_RESTART_XON, - IAC, SE); - } - } -} - -/* - * clientstat - * - * Process linemode related requests from the client. - * Client can request a change to only one of linemode, editmode or slc's - * at a time, and if using kludge linemode, then only linemode may be - * affected. - */ -void -clientstat(int code, int parm1, int parm2) -{ - /* - * Get a copy of terminal characteristics. - */ - init_termbuf(); - - /* - * Process request from client. code tells what it is. - */ - switch (code) { - case TELOPT_NAWS: -#ifdef TIOCSWINSZ - { - struct winsize ws; - - def_col = parm1; - def_row = parm2; - - /* - * Change window size as requested by client. - */ - - ws.ws_col = parm1; - ws.ws_row = parm2; - ioctl(ourpty, TIOCSWINSZ, (char *)&ws); - } -#endif /* TIOCSWINSZ */ - - break; - - case TELOPT_TSPEED: - { - def_tspeed = parm1; - def_rspeed = parm2; - /* - * Change terminal speed as requested by client. - * We set the receive speed first, so that if we can't - * store seperate receive and transmit speeds, the transmit - * speed will take precedence. - */ - tty_rspeed(parm2); - tty_tspeed(parm1); - set_termbuf(); - - break; - - } /* end of case TELOPT_TSPEED */ - - default: - /* What? */ - break; - } /* end of switch */ - - netflush(); - -} 
diff --git a/crypto/heimdal-0.6.3/appl/telnet/telnetd/utility.c b/crypto/heimdal-0.6.3/appl/telnet/telnetd/utility.c
deleted file mode 100644
index a98b3fc790..0000000000
--- a/crypto/heimdal-0.6.3/appl/telnet/telnetd/utility.c
+++ /dev/null
@@ -1,1170 +0,0 @@ -/* - * Copyright (c) 1989, 1993 - * The Regents of the University of California. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#define PRINTOPTIONS -#include "telnetd.h" - -RCSID("$Id: utility.c,v 1.27 2001/09/03 05:54:17 assar Exp $"); - -/* - * utility functions performing io related tasks - */ - -/* - * ttloop - * - * A small subroutine to flush the network output buffer, get some - * data from the network, and pass it through the telnet state - * machine. We also flush the pty input buffer (by dropping its data) - * if it becomes too full. - * - * return 0 if OK or 1 if interrupted by a signal. - */ - -int -ttloop(void) -{ - DIAG(TD_REPORT, { - output_data("td: ttloop\r\n"); - }); - if (nfrontp-nbackp) - netflush(); - ncc = read(net, netibuf, sizeof netibuf); - if (ncc < 0) { - if (errno == EINTR) - return 1; - syslog(LOG_INFO, "ttloop: read: %m\n"); - exit(1); - } else if (ncc == 0) { - syslog(LOG_INFO, "ttloop: peer died\n"); - exit(1); - } - DIAG(TD_REPORT, { - output_data("td: ttloop read %d chars\r\n", ncc); - }); - netip = netibuf; - telrcv(); /* state machine */ - if (ncc > 0) { - pfrontp = pbackp = ptyobuf; - telrcv(); - } - return 0; -} /* end of ttloop */ - -/* - * Check a descriptor to see if out of band data exists on it. 
- */ -int -stilloob(int s) -{ - static struct timeval timeout = { 0 }; - fd_set excepts; - int value; - - if (s >= FD_SETSIZE) - fatal(ourpty, "fd too large"); - - do { - FD_ZERO(&excepts); - FD_SET(s, &excepts); - value = select(s+1, 0, 0, &excepts, &timeout); - } while ((value == -1) && (errno == EINTR)); - - if (value < 0) { - fatalperror(ourpty, "select"); - } - if (FD_ISSET(s, &excepts)) { - return 1; - } else { - return 0; - } -} - -void -ptyflush(void) -{ - int n; - - if ((n = pfrontp - pbackp) > 0) { - DIAG((TD_REPORT | TD_PTYDATA), { - output_data("td: ptyflush %d chars\r\n", n); - }); - DIAG(TD_PTYDATA, printdata("pd", pbackp, n)); - n = write(ourpty, pbackp, n); - } - if (n < 0) { - if (errno == EWOULDBLOCK || errno == EINTR) - return; - cleanup(0); - } - pbackp += n; - if (pbackp == pfrontp) - pbackp = pfrontp = ptyobuf; -} - -/* - * nextitem() - * - * Return the address of the next "item" in the TELNET data - * stream. This will be the address of the next character if - * the current address is a user data character, or it will - * be the address of the character following the TELNET command - * if the current address is a TELNET IAC ("I Am a Command") - * character. - */ -char * -nextitem(char *current) -{ - if ((*current&0xff) != IAC) { - return current+1; - } - switch (*(current+1)&0xff) { - case DO: - case DONT: - case WILL: - case WONT: - return current+3; - case SB:{ - /* loop forever looking for the SE */ - char *look = current+2; - - for (;;) { - if ((*look++&0xff) == IAC) { - if ((*look++&0xff) == SE) { - return look; - } - } - } - } - default: - return current+2; - } -} - - -/* - * netclear() - * - * We are about to do a TELNET SYNCH operation. Clear - * the path to the network. - * - * Things are a bit tricky since we may have sent the first - * byte or so of a previous TELNET command into the network. - * So, we have to scan the network buffer from the beginning - * until we are up to where we want to be. 
- * - * A side effect of what we do, just to keep things - * simple, is to clear the urgent data pointer. The principal - * caller should be setting the urgent data pointer AFTER calling - * us in any case. - */ -void -netclear(void) -{ - char *thisitem, *next; - char *good; -#define wewant(p) ((nfrontp > p) && ((*p&0xff) == IAC) && \ - ((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL)) - -#ifdef ENCRYPTION - thisitem = nclearto > netobuf ? nclearto : netobuf; -#else - thisitem = netobuf; -#endif - - while ((next = nextitem(thisitem)) <= nbackp) { - thisitem = next; - } - - /* Now, thisitem is first before/at boundary. */ - -#ifdef ENCRYPTION - good = nclearto > netobuf ? nclearto : netobuf; -#else - good = netobuf; /* where the good bytes go */ -#endif - - while (nfrontp > thisitem) { - if (wewant(thisitem)) { - int length; - - next = thisitem; - do { - next = nextitem(next); - } while (wewant(next) && (nfrontp > next)); - length = next-thisitem; - memmove(good, thisitem, length); - good += length; - thisitem = next; - } else { - thisitem = nextitem(thisitem); - } - } - - nbackp = netobuf; - nfrontp = good; /* next byte to be sent */ - neturg = 0; -} /* end of netclear */ - -extern int not42; - -/* - * netflush - * Send as much data as possible to the network, - * handling requests for urgent data. - */ -void -netflush(void) -{ - int n; - - if ((n = nfrontp - nbackp) > 0) { - DIAG(TD_REPORT, - { n += output_data("td: netflush %d chars\r\n", n); - }); -#ifdef ENCRYPTION - if (encrypt_output) { - char *s = nclearto ? nclearto : nbackp; - if (nfrontp - s > 0) { - (*encrypt_output)((unsigned char *)s, nfrontp-s); - nclearto = nfrontp; - } - } -#endif - /* - * if no urgent data, or if the other side appears to be an - * old 4.2 client (and thus unable to survive TCP urgent data), - * write the entire buffer in non-OOB mode. 
- */ -#if 1 /* remove this to make it work between solaris 2.6 and linux */ - if ((neturg == 0) || (not42 == 0)) { -#endif - n = write(net, nbackp, n); /* normal write */ -#if 1 /* remove this to make it work between solaris 2.6 and linux */ - } else { - n = neturg - nbackp; - /* - * In 4.2 (and 4.3) systems, there is some question about - * what byte in a sendOOB operation is the "OOB" data. - * To make ourselves compatible, we only send ONE byte - * out of band, the one WE THINK should be OOB (though - * we really have more the TCP philosophy of urgent data - * rather than the Unix philosophy of OOB data). - */ - if (n > 1) { - n = send(net, nbackp, n-1, 0); /* send URGENT all by itself */ - } else { - n = send(net, nbackp, n, MSG_OOB); /* URGENT data */ - } - } -#endif - } - if (n < 0) { - if (errno == EWOULDBLOCK || errno == EINTR) - return; - cleanup(0); - } - nbackp += n; -#ifdef ENCRYPTION - if (nbackp > nclearto) - nclearto = 0; -#endif - if (nbackp >= neturg) { - neturg = 0; - } - if (nbackp == nfrontp) { - nbackp = nfrontp = netobuf; -#ifdef ENCRYPTION - nclearto = 0; -#endif - } - return; -} - - -/* - * writenet - * - * Just a handy little function to write a bit of raw data to the net. - * It will force a transmit of the buffer if necessary - * - * arguments - * ptr - A pointer to a character string to write - * len - How many bytes to write - */ -void -writenet(unsigned char *ptr, int len) -{ - /* flush buffer if no room for new data) */ - while ((&netobuf[BUFSIZ] - nfrontp) < len) { - /* if this fails, don't worry, buffer is a little big */ - netflush(); - } - - memmove(nfrontp, ptr, len); - nfrontp += len; -} - - -/* - * miscellaneous functions doing a variety of little jobs follow ... - */ - - -void fatal(int f, char *msg) -{ - char buf[BUFSIZ]; - - snprintf(buf, sizeof(buf), "telnetd: %s.\r\n", msg); -#ifdef ENCRYPTION - if (encrypt_output) { - /* - * Better turn off encryption first.... - * Hope it flushes... 
- */ - encrypt_send_end(); - netflush(); - } -#endif - write(f, buf, (int)strlen(buf)); - sleep(1); /*XXX*/ - exit(1); -} - -void -fatalperror_errno(int f, const char *msg, int error) -{ - char buf[BUFSIZ]; - - snprintf(buf, sizeof(buf), "%s: %s", msg, strerror(error)); - fatal(f, buf); -} - -void -fatalperror(int f, const char *msg) -{ - fatalperror_errno(f, msg, errno); -} - -char editedhost[32]; - -void edithost(char *pat, char *host) -{ - char *res = editedhost; - - if (!pat) - pat = ""; - while (*pat) { - switch (*pat) { - - case '#': - if (*host) - host++; - break; - - case '@': - if (*host) - *res++ = *host++; - break; - - default: - *res++ = *pat; - break; - } - if (res == &editedhost[sizeof editedhost - 1]) { - *res = '\0'; - return; - } - pat++; - } - if (*host) - strlcpy (res, host, - sizeof editedhost - (res - editedhost)); - else - *res = '\0'; - editedhost[sizeof editedhost - 1] = '\0'; -} - -static char *putlocation; - -void -putstr(char *s) -{ - - while (*s) - putchr(*s++); -} - -void -putchr(int cc) -{ - *putlocation++ = cc; -} - -/* - * This is split on two lines so that SCCS will not see the M - * between two % signs and expand it... 
- */ -static char fmtstr[] = { "%l:%M" "%P on %A, %d %B %Y" }; - -void putf(char *cp, char *where) -{ -#ifdef HAVE_UNAME - struct utsname name; -#endif - char *slash; - time_t t; - char db[100]; - - /* if we don't have uname, set these to sensible values */ - char *sysname = "Unix", - *machine = "", - *release = "", - *version = ""; - -#ifdef HAVE_UNAME - uname(&name); - sysname=name.sysname; - machine=name.machine; - release=name.release; - version=name.version; -#endif - - putlocation = where; - - while (*cp) { - if (*cp != '%') { - putchr(*cp++); - continue; - } - switch (*++cp) { - - case 't': -#ifdef STREAMSPTY - /* names are like /dev/pts/2 -- we want pts/2 */ - slash = strchr(line+1, '/'); -#else - slash = strrchr(line, '/'); -#endif - if (slash == (char *) 0) - putstr(line); - else - putstr(&slash[1]); - break; - - case 'h': - putstr(editedhost); - break; - - case 's': - putstr(sysname); - break; - - case 'm': - putstr(machine); - break; - - case 'r': - putstr(release); - break; - - case 'v': - putstr(version); - break; - - case 'd': - time(&t); - strftime(db, sizeof(db), fmtstr, localtime(&t)); - putstr(db); - break; - - case '%': - putchr('%'); - break; - } - cp++; - } -} - -#ifdef DIAGNOSTICS -/* - * Print telnet options and commands in plain text, if possible. - */ -void -printoption(char *fmt, int option) -{ - if (TELOPT_OK(option)) - output_data("%s %s\r\n", - fmt, - TELOPT(option)); - else if (TELCMD_OK(option)) - output_data("%s %s\r\n", - fmt, - TELCMD(option)); - else - output_data("%s %d\r\n", - fmt, - option); - return; -} - -void -printsub(int direction, unsigned char *pointer, int length) - /* '<' or '>' */ - /* where suboption data sits */ - /* length of suboption data */ -{ - int i = 0; - unsigned char buf[512]; - - if (!(diagnostic & TD_OPTIONS)) - return; - - if (direction) { - output_data("td: %s suboption ", - direction == '<' ? 
"recv" : "send"); - if (length >= 3) { - int j; - - i = pointer[length-2]; - j = pointer[length-1]; - - if (i != IAC || j != SE) { - output_data("(terminated by "); - if (TELOPT_OK(i)) - output_data("%s ", - TELOPT(i)); - else if (TELCMD_OK(i)) - output_data("%s ", - TELCMD(i)); - else - output_data("%d ", - i); - if (TELOPT_OK(j)) - output_data("%s", - TELOPT(j)); - else if (TELCMD_OK(j)) - output_data("%s", - TELCMD(j)); - else - output_data("%d", - j); - output_data(", not IAC SE!) "); - } - } - length -= 2; - } - if (length < 1) { - output_data("(Empty suboption??\?)"); - return; - } - switch (pointer[0]) { - case TELOPT_TTYPE: - output_data("TERMINAL-TYPE "); - switch (pointer[1]) { - case TELQUAL_IS: - output_data("IS \"%.*s\"", - length-2, - (char *)pointer+2); - break; - case TELQUAL_SEND: - output_data("SEND"); - break; - default: - output_data("- unknown qualifier %d (0x%x).", - pointer[1], pointer[1]); - } - break; - case TELOPT_TSPEED: - output_data("TERMINAL-SPEED"); - if (length < 2) { - output_data(" (empty suboption??\?)"); - break; - } - switch (pointer[1]) { - case TELQUAL_IS: - output_data(" IS %.*s", length-2, (char *)pointer+2); - break; - default: - if (pointer[1] == 1) - output_data(" SEND"); - else - output_data(" %d (unknown)", pointer[1]); - for (i = 2; i < length; i++) { - output_data(" ?%d?", pointer[i]); - } - break; - } - break; - - case TELOPT_LFLOW: - output_data("TOGGLE-FLOW-CONTROL"); - if (length < 2) { - output_data(" (empty suboption??\?)"); - break; - } - switch (pointer[1]) { - case LFLOW_OFF: - output_data(" OFF"); - break; - case LFLOW_ON: - output_data(" ON"); - break; - case LFLOW_RESTART_ANY: - output_data(" RESTART-ANY"); - break; - case LFLOW_RESTART_XON: - output_data(" RESTART-XON"); - break; - default: - output_data(" %d (unknown)", - pointer[1]); - } - for (i = 2; i < length; i++) { - output_data(" ?%d?", - pointer[i]); - } - break; - - case TELOPT_NAWS: - output_data("NAWS"); - if (length < 2) { - output_data(" 
(empty suboption??\?)"); - break; - } - if (length == 2) { - output_data(" ?%d?", - pointer[1]); - break; - } - output_data(" %u %u(%u)", - pointer[1], - pointer[2], - (((unsigned int)pointer[1])<<8) + pointer[2]); - if (length == 4) { - output_data(" ?%d?", - pointer[3]); - break; - } - output_data(" %u %u(%u)", - pointer[3], - pointer[4], - (((unsigned int)pointer[3])<<8) + pointer[4]); - for (i = 5; i < length; i++) { - output_data(" ?%d?", - pointer[i]); - } - break; - - case TELOPT_LINEMODE: - output_data("LINEMODE "); - if (length < 2) { - output_data(" (empty suboption??\?)"); - break; - } - switch (pointer[1]) { - case WILL: - output_data("WILL "); - goto common; - case WONT: - output_data("WONT "); - goto common; - case DO: - output_data("DO "); - goto common; - case DONT: - output_data("DONT "); - common: - if (length < 3) { - output_data("(no option??\?)"); - break; - } - switch (pointer[2]) { - case LM_FORWARDMASK: - output_data("Forward Mask"); - for (i = 3; i < length; i++) { - output_data(" %x", pointer[i]); - } - break; - default: - output_data("%d (unknown)", - pointer[2]); - for (i = 3; i < length; i++) { - output_data(" %d", - pointer[i]); - } - break; - } - break; - - case LM_SLC: - output_data("SLC"); - for (i = 2; i < length - 2; i += 3) { - if (SLC_NAME_OK(pointer[i+SLC_FUNC])) - output_data(" %s", - SLC_NAME(pointer[i+SLC_FUNC])); - else - output_data(" %d", - pointer[i+SLC_FUNC]); - switch (pointer[i+SLC_FLAGS]&SLC_LEVELBITS) { - case SLC_NOSUPPORT: - output_data(" NOSUPPORT"); - break; - case SLC_CANTCHANGE: - output_data(" CANTCHANGE"); - break; - case SLC_VARIABLE: - output_data(" VARIABLE"); - break; - case SLC_DEFAULT: - output_data(" DEFAULT"); - break; - } - output_data("%s%s%s", - pointer[i+SLC_FLAGS]&SLC_ACK ? "|ACK" : "", - pointer[i+SLC_FLAGS]&SLC_FLUSHIN ? "|FLUSHIN" : "", - pointer[i+SLC_FLAGS]&SLC_FLUSHOUT ? 
"|FLUSHOUT" : ""); - if (pointer[i+SLC_FLAGS]& ~(SLC_ACK|SLC_FLUSHIN| - SLC_FLUSHOUT| SLC_LEVELBITS)) { - output_data("(0x%x)", - pointer[i+SLC_FLAGS]); - } - output_data(" %d;", - pointer[i+SLC_VALUE]); - if ((pointer[i+SLC_VALUE] == IAC) && - (pointer[i+SLC_VALUE+1] == IAC)) - i++; - } - for (; i < length; i++) { - output_data(" ?%d?", - pointer[i]); - } - break; - - case LM_MODE: - output_data("MODE "); - if (length < 3) { - output_data("(no mode??\?)"); - break; - } - { - char tbuf[32]; - snprintf(tbuf, - sizeof(tbuf), - "%s%s%s%s%s", - pointer[2]&MODE_EDIT ? "|EDIT" : "", - pointer[2]&MODE_TRAPSIG ? "|TRAPSIG" : "", - pointer[2]&MODE_SOFT_TAB ? "|SOFT_TAB" : "", - pointer[2]&MODE_LIT_ECHO ? "|LIT_ECHO" : "", - pointer[2]&MODE_ACK ? "|ACK" : ""); - output_data("%s", - tbuf[1] ? &tbuf[1] : "0"); - } - if (pointer[2]&~(MODE_EDIT|MODE_TRAPSIG|MODE_ACK)) { - output_data(" (0x%x)", - pointer[2]); - } - for (i = 3; i < length; i++) { - output_data(" ?0x%x?", - pointer[i]); - } - break; - default: - output_data("%d (unknown)", - pointer[1]); - for (i = 2; i < length; i++) { - output_data(" %d", pointer[i]); - } - } - break; - - case TELOPT_STATUS: { - char *cp; - int j, k; - - output_data("STATUS"); - - switch (pointer[1]) { - default: - if (pointer[1] == TELQUAL_SEND) - output_data(" SEND"); - else - output_data(" %d (unknown)", - pointer[1]); - for (i = 2; i < length; i++) { - output_data(" ?%d?", - pointer[i]); - } - break; - case TELQUAL_IS: - output_data(" IS\r\n"); - - for (i = 2; i < length; i++) { - switch(pointer[i]) { - case DO: cp = "DO"; goto common2; - case DONT: cp = "DONT"; goto common2; - case WILL: cp = "WILL"; goto common2; - case WONT: cp = "WONT"; goto common2; - common2: - i++; - if (TELOPT_OK(pointer[i])) - output_data(" %s %s", - cp, - TELOPT(pointer[i])); - else - output_data(" %s %d", - cp, - pointer[i]); - - output_data("\r\n"); - break; - - case SB: - output_data(" SB "); - i++; - j = k = i; - while (j < length) { - if (pointer[j] == SE) { - 
if (j+1 == length) - break; - if (pointer[j+1] == SE) - j++; - else - break; - } - pointer[k++] = pointer[j++]; - } - printsub(0, &pointer[i], k - i); - if (i < length) { - output_data(" SE"); - i = j; - } else - i = j - 1; - - output_data("\r\n"); - - break; - - default: - output_data(" %d", - pointer[i]); - break; - } - } - break; - } - break; - } - - case TELOPT_XDISPLOC: - output_data("X-DISPLAY-LOCATION "); - switch (pointer[1]) { - case TELQUAL_IS: - output_data("IS \"%.*s\"", - length-2, - (char *)pointer+2); - break; - case TELQUAL_SEND: - output_data("SEND"); - break; - default: - output_data("- unknown qualifier %d (0x%x).", - pointer[1], pointer[1]); - } - break; - - case TELOPT_NEW_ENVIRON: - output_data("NEW-ENVIRON "); - goto env_common1; - case TELOPT_OLD_ENVIRON: - output_data("OLD-ENVIRON"); - env_common1: - switch (pointer[1]) { - case TELQUAL_IS: - output_data("IS "); - goto env_common; - case TELQUAL_SEND: - output_data("SEND "); - goto env_common; - case TELQUAL_INFO: - output_data("INFO "); - env_common: - { - int noquote = 2; - for (i = 2; i < length; i++ ) { - switch (pointer[i]) { - case NEW_ENV_VAR: - output_data("\" VAR " + noquote); - noquote = 2; - break; - - case NEW_ENV_VALUE: - output_data("\" VALUE " + noquote); - noquote = 2; - break; - - case ENV_ESC: - output_data("\" ESC " + noquote); - noquote = 2; - break; - - case ENV_USERVAR: - output_data("\" USERVAR " + noquote); - noquote = 2; - break; - - default: - if (isprint(pointer[i]) && pointer[i] != '"') { - if (noquote) { - output_data ("\""); - noquote = 0; - } - output_data ("%c", pointer[i]); - } else { - output_data("\" %03o " + noquote, - pointer[i]); - noquote = 2; - } - break; - } - } - if (!noquote) - output_data ("\""); - break; - } - } - break; - -#ifdef AUTHENTICATION - case TELOPT_AUTHENTICATION: - output_data("AUTHENTICATION"); - - if (length < 2) { - output_data(" (empty suboption??\?)"); - break; - } - switch (pointer[1]) { - case TELQUAL_REPLY: - case TELQUAL_IS: 
- output_data(" %s ", - (pointer[1] == TELQUAL_IS) ? - "IS" : "REPLY"); - if (AUTHTYPE_NAME_OK(pointer[2])) - output_data("%s ", - AUTHTYPE_NAME(pointer[2])); - else - output_data("%d ", - pointer[2]); - if (length < 3) { - output_data("(partial suboption??\?)"); - break; - } - output_data("%s|%s", - ((pointer[3] & AUTH_WHO_MASK) == AUTH_WHO_CLIENT) ? - "CLIENT" : "SERVER", - ((pointer[3] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ? - "MUTUAL" : "ONE-WAY"); - - auth_printsub(&pointer[1], length - 1, buf, sizeof(buf)); - output_data("%s", - buf); - break; - - case TELQUAL_SEND: - i = 2; - output_data(" SEND "); - while (i < length) { - if (AUTHTYPE_NAME_OK(pointer[i])) - output_data("%s ", - AUTHTYPE_NAME(pointer[i])); - else - output_data("%d ", - pointer[i]); - if (++i >= length) { - output_data("(partial suboption??\?)"); - break; - } - output_data("%s|%s ", - ((pointer[i] & AUTH_WHO_MASK) == AUTH_WHO_CLIENT) ? - "CLIENT" : "SERVER", - ((pointer[i] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ? - "MUTUAL" : "ONE-WAY"); - ++i; - } - break; - - case TELQUAL_NAME: - i = 2; - output_data(" NAME \"%.*s\"", - length - 2, - pointer); - break; - - default: - for (i = 2; i < length; i++) { - output_data(" ?%d?", - pointer[i]); - } - break; - } - break; -#endif - -#ifdef ENCRYPTION - case TELOPT_ENCRYPT: - output_data("ENCRYPT"); - if (length < 2) { - output_data(" (empty suboption?)"); - break; - } - switch (pointer[1]) { - case ENCRYPT_START: - output_data(" START"); - break; - - case ENCRYPT_END: - output_data(" END"); - break; - - case ENCRYPT_REQSTART: - output_data(" REQUEST-START"); - break; - - case ENCRYPT_REQEND: - output_data(" REQUEST-END"); - break; - - case ENCRYPT_IS: - case ENCRYPT_REPLY: - output_data(" %s ", - (pointer[1] == ENCRYPT_IS) ? 
- "IS" : "REPLY"); - if (length < 3) { - output_data(" (partial suboption?)"); - break; - } - if (ENCTYPE_NAME_OK(pointer[2])) - output_data("%s ", - ENCTYPE_NAME(pointer[2])); - else - output_data(" %d (unknown)", - pointer[2]); - - encrypt_printsub(&pointer[1], length - 1, buf, sizeof(buf)); - output_data("%s", - buf); - break; - - case ENCRYPT_SUPPORT: - i = 2; - output_data(" SUPPORT "); - while (i < length) { - if (ENCTYPE_NAME_OK(pointer[i])) - output_data("%s ", - ENCTYPE_NAME(pointer[i])); - else - output_data("%d ", - pointer[i]); - i++; - } - break; - - case ENCRYPT_ENC_KEYID: - output_data(" ENC_KEYID %d", pointer[1]); - goto encommon; - - case ENCRYPT_DEC_KEYID: - output_data(" DEC_KEYID %d", pointer[1]); - goto encommon; - - default: - output_data(" %d (unknown)", pointer[1]); - encommon: - for (i = 2; i < length; i++) { - output_data(" %d", pointer[i]); - } - break; - } - break; -#endif - - default: - if (TELOPT_OK(pointer[0])) - output_data("%s (unknown)", - TELOPT(pointer[0])); - else - output_data("%d (unknown)", - pointer[i]); - for (i = 1; i < length; i++) { - output_data(" %d", pointer[i]); - } - break; - } - output_data("\r\n"); -} - -/* - * Dump a data buffer in hex and ascii to the output data stream. - */ -void -printdata(char *tag, char *ptr, int cnt) -{ - int i; - char xbuf[30]; - - while (cnt) { - /* flush net output buffer if no room for new data) */ - if ((&netobuf[BUFSIZ] - nfrontp) < 80) { - netflush(); - } - - /* add a line of output */ - output_data("%s: ", tag); - for (i = 0; i < 20 && cnt; i++) { - output_data("%02x", *ptr); - if (isprint((unsigned char)*ptr)) { - xbuf[i] = *ptr; - } else { - xbuf[i] = '.'; - } - if (i % 2) { - output_data(" "); - } - cnt--; - ptr++; - } - xbuf[i] = '\0'; - output_data(" %s\r\n", xbuf); - } -} -#endif /* DIAGNOSTICS */ diff --git a/crypto/heimdal-0.6.3/appl/test/Makefile.am b/crypto/heimdal-0.6.3/appl/test/Makefile.am deleted file mode 100644 index 154b407644..0000000000 
--- a/crypto/heimdal-0.6.3/appl/test/Makefile.am +++ /dev/null @@ -1,37 +0,0 @@ -# $Id: Makefile.am,v 1.14 2000/11/15 22:51:11 assar Exp $ - -include $(top_srcdir)/Makefile.am.common - -noinst_PROGRAMS = tcp_client tcp_server gssapi_server gssapi_client \ - uu_server uu_client nt_gss_server nt_gss_client - -tcp_client_SOURCES = tcp_client.c common.c test_locl.h - -tcp_server_SOURCES = tcp_server.c common.c test_locl.h - -gssapi_server_SOURCES = gssapi_server.c gss_common.c common.c \ - gss_common.h test_locl.h - -gssapi_client_SOURCES = gssapi_client.c gss_common.c common.c \ - gss_common.h test_locl.h - -uu_server_SOURCES = uu_server.c common.c test_locl.h - -uu_client_SOURCES = uu_client.c common.c test_locl.h - -gssapi_server_LDADD = $(top_builddir)/lib/gssapi/libgssapi.la $(LDADD) - -gssapi_client_LDADD = $(gssapi_server_LDADD) - -nt_gss_client_SOURCES = nt_gss_client.c nt_gss_common.c common.c - -nt_gss_server_SOURCES = nt_gss_server.c nt_gss_common.c - -nt_gss_client_LDADD = $(gssapi_server_LDADD) - -nt_gss_server_LDADD = $(nt_gss_client_LDADD) - -LDADD = $(top_builddir)/lib/krb5/libkrb5.la \ - $(LIB_des) \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_roken) diff --git a/crypto/heimdal-0.6.3/appl/test/Makefile.in b/crypto/heimdal-0.6.3/appl/test/Makefile.in deleted file mode 100644 index 63ff46d46f..0000000000 --- a/crypto/heimdal-0.6.3/appl/test/Makefile.in +++ /dev/null 
@@ -1,821 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.14 2000/11/15 22:51:11 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - -SOURCES = $(gssapi_client_SOURCES) $(gssapi_server_SOURCES) $(nt_gss_client_SOURCES) $(nt_gss_server_SOURCES) $(tcp_client_SOURCES) $(tcp_server_SOURCES) $(uu_client_SOURCES) $(uu_server_SOURCES) - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../.. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ - $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common -noinst_PROGRAMS = tcp_client$(EXEEXT) tcp_server$(EXEEXT) \ - gssapi_server$(EXEEXT) gssapi_client$(EXEEXT) \ - uu_server$(EXEEXT) uu_client$(EXEEXT) nt_gss_server$(EXEEXT) \ - nt_gss_client$(EXEEXT) -subdir = appl/test -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - 
$(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - $(top_srcdir)/cf/krb-struct-spwd.m4 \ - $(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -PROGRAMS = $(noinst_PROGRAMS) -am_gssapi_client_OBJECTS = gssapi_client.$(OBJEXT) \ - gss_common.$(OBJEXT) common.$(OBJEXT) -gssapi_client_OBJECTS = $(am_gssapi_client_OBJECTS) -am__DEPENDENCIES_1 = -am__DEPENDENCIES_2 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(am__DEPENDENCIES_1) $(top_builddir)/lib/asn1/libasn1.la \ - $(am__DEPENDENCIES_1) -am__DEPENDENCIES_3 = $(top_builddir)/lib/gssapi/libgssapi.la \ - $(am__DEPENDENCIES_2) -gssapi_client_DEPENDENCIES = $(am__DEPENDENCIES_3) -am_gssapi_server_OBJECTS = gssapi_server.$(OBJEXT) \ - gss_common.$(OBJEXT) common.$(OBJEXT) -gssapi_server_OBJECTS = $(am_gssapi_server_OBJECTS) -gssapi_server_DEPENDENCIES = $(top_builddir)/lib/gssapi/libgssapi.la \ - $(am__DEPENDENCIES_2) -am_nt_gss_client_OBJECTS = nt_gss_client.$(OBJEXT) \ - nt_gss_common.$(OBJEXT) common.$(OBJEXT) -nt_gss_client_OBJECTS = $(am_nt_gss_client_OBJECTS) -nt_gss_client_DEPENDENCIES = $(am__DEPENDENCIES_3) -am_nt_gss_server_OBJECTS = nt_gss_server.$(OBJEXT) \ - nt_gss_common.$(OBJEXT) -nt_gss_server_OBJECTS = $(am_nt_gss_server_OBJECTS) -am__DEPENDENCIES_4 = $(am__DEPENDENCIES_3) 
-nt_gss_server_DEPENDENCIES = $(am__DEPENDENCIES_4) -am_tcp_client_OBJECTS = tcp_client.$(OBJEXT) common.$(OBJEXT) -tcp_client_OBJECTS = $(am_tcp_client_OBJECTS) -tcp_client_LDADD = $(LDADD) -tcp_client_DEPENDENCIES = $(top_builddir)/lib/krb5/libkrb5.la \ - $(am__DEPENDENCIES_1) $(top_builddir)/lib/asn1/libasn1.la \ - $(am__DEPENDENCIES_1) -am_tcp_server_OBJECTS = tcp_server.$(OBJEXT) common.$(OBJEXT) -tcp_server_OBJECTS = $(am_tcp_server_OBJECTS) -tcp_server_LDADD = $(LDADD) -tcp_server_DEPENDENCIES = $(top_builddir)/lib/krb5/libkrb5.la \ - $(am__DEPENDENCIES_1) $(top_builddir)/lib/asn1/libasn1.la \ - $(am__DEPENDENCIES_1) -am_uu_client_OBJECTS = uu_client.$(OBJEXT) common.$(OBJEXT) -uu_client_OBJECTS = $(am_uu_client_OBJECTS) -uu_client_LDADD = $(LDADD) -uu_client_DEPENDENCIES = $(top_builddir)/lib/krb5/libkrb5.la \ - $(am__DEPENDENCIES_1) $(top_builddir)/lib/asn1/libasn1.la \ - $(am__DEPENDENCIES_1) -am_uu_server_OBJECTS = uu_server.$(OBJEXT) common.$(OBJEXT) -uu_server_OBJECTS = $(am_uu_server_OBJECTS) -uu_server_LDADD = $(LDADD) -uu_server_DEPENDENCIES = $(top_builddir)/lib/krb5/libkrb5.la \ - $(am__DEPENDENCIES_1) $(top_builddir)/lib/asn1/libasn1.la \ - $(am__DEPENDENCIES_1) -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -SOURCES = $(gssapi_client_SOURCES) $(gssapi_server_SOURCES) \ - $(nt_gss_client_SOURCES) $(nt_gss_server_SOURCES) \ - $(tcp_client_SOURCES) $(tcp_server_SOURCES) \ - $(uu_client_SOURCES) $(uu_server_SOURCES) -DIST_SOURCES = $(gssapi_client_SOURCES) $(gssapi_server_SOURCES) \ - $(nt_gss_client_SOURCES) $(nt_gss_server_SOURCES) \ - $(tcp_client_SOURCES) $(tcp_server_SOURCES) \ - $(uu_client_SOURCES) $(uu_server_SOURCES) -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = 
@HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ 
-LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = 
@am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = 
$(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -tcp_client_SOURCES = tcp_client.c common.c test_locl.h -tcp_server_SOURCES = tcp_server.c common.c test_locl.h -gssapi_server_SOURCES = gssapi_server.c gss_common.c common.c \ - gss_common.h test_locl.h - -gssapi_client_SOURCES = gssapi_client.c gss_common.c common.c \ - gss_common.h test_locl.h - -uu_server_SOURCES = uu_server.c common.c test_locl.h -uu_client_SOURCES = uu_client.c common.c test_locl.h -gssapi_server_LDADD = $(top_builddir)/lib/gssapi/libgssapi.la $(LDADD) -gssapi_client_LDADD = $(gssapi_server_LDADD) -nt_gss_client_SOURCES = nt_gss_client.c nt_gss_common.c common.c -nt_gss_server_SOURCES = nt_gss_server.c nt_gss_common.c -nt_gss_client_LDADD = $(gssapi_server_LDADD) -nt_gss_server_LDADD = $(nt_gss_client_LDADD) -LDADD = $(top_builddir)/lib/krb5/libkrb5.la \ - $(LIB_des) \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_roken) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps appl/test/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps appl/test/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' 
in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -clean-noinstPROGRAMS: - @list='$(noinst_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -gssapi_client$(EXEEXT): $(gssapi_client_OBJECTS) $(gssapi_client_DEPENDENCIES) - @rm -f gssapi_client$(EXEEXT) - $(LINK) $(gssapi_client_LDFLAGS) $(gssapi_client_OBJECTS) $(gssapi_client_LDADD) $(LIBS) -gssapi_server$(EXEEXT): $(gssapi_server_OBJECTS) $(gssapi_server_DEPENDENCIES) - @rm -f gssapi_server$(EXEEXT) - $(LINK) $(gssapi_server_LDFLAGS) $(gssapi_server_OBJECTS) $(gssapi_server_LDADD) $(LIBS) -nt_gss_client$(EXEEXT): $(nt_gss_client_OBJECTS) $(nt_gss_client_DEPENDENCIES) - @rm -f nt_gss_client$(EXEEXT) - $(LINK) $(nt_gss_client_LDFLAGS) $(nt_gss_client_OBJECTS) $(nt_gss_client_LDADD) $(LIBS) -nt_gss_server$(EXEEXT): $(nt_gss_server_OBJECTS) $(nt_gss_server_DEPENDENCIES) - @rm -f nt_gss_server$(EXEEXT) - $(LINK) $(nt_gss_server_LDFLAGS) $(nt_gss_server_OBJECTS) $(nt_gss_server_LDADD) $(LIBS) -tcp_client$(EXEEXT): $(tcp_client_OBJECTS) $(tcp_client_DEPENDENCIES) - @rm -f tcp_client$(EXEEXT) - $(LINK) $(tcp_client_LDFLAGS) $(tcp_client_OBJECTS) $(tcp_client_LDADD) $(LIBS) -tcp_server$(EXEEXT): $(tcp_server_OBJECTS) $(tcp_server_DEPENDENCIES) - @rm -f tcp_server$(EXEEXT) - $(LINK) $(tcp_server_LDFLAGS) 
$(tcp_server_OBJECTS) $(tcp_server_LDADD) $(LIBS) -uu_client$(EXEEXT): $(uu_client_OBJECTS) $(uu_client_DEPENDENCIES) - @rm -f uu_client$(EXEEXT) - $(LINK) $(uu_client_LDFLAGS) $(uu_client_OBJECTS) $(uu_client_LDADD) $(LIBS) -uu_server$(EXEEXT): $(uu_server_OBJECTS) $(uu_server_DEPENDENCIES) - @rm -f uu_server$(EXEEXT) - $(LINK) $(uu_server_LDFLAGS) $(uu_server_OBJECTS) $(uu_server_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c $< - -.c.obj: - $(COMPILE) -c `$(CYGPATH_W) '$<'` - -.c.lo: - $(LTCOMPILE) -c -o $@ $< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique 
- -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/../.. $(distdir)/../../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) all-local -installdirs: -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - 
@echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-generic clean-libtool clean-noinstPROGRAMS \ - mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-info-am - -.PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \ - clean clean-generic clean-libtool clean-noinstPROGRAMS ctags \ - distclean distclean-compile distclean-generic \ - distclean-libtool distclean-tags distdir dvi dvi-am html \ - html-am info info-am install install-am install-data \ - install-data-am install-exec install-exec-am install-info \ - install-info-am install-man install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags uninstall uninstall-am uninstall-info-am - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) 
$(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i 
in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal-0.6.3/appl/test/common.c b/crypto/heimdal-0.6.3/appl/test/common.c deleted file mode 100644 index 58b9fdf699..0000000000 --- a/crypto/heimdal-0.6.3/appl/test/common.c +++ /dev/null 
@@ -1,172 +0,0 @@
-/*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "test_locl.h"
-
-RCSID("$Id: common.c,v 1.11 2000/08/27 04:29:34 assar Exp $");
-
-static int help_flag;
-static int version_flag;
-static char *port_str;
-static char *keytab_str;
-krb5_keytab keytab;
-char *service = SERVICE;
-int fork_flag;
-
-static struct getargs args[] = {
- { "port", 'p', arg_string, &port_str, "port to listen to", "port" },
- { "service", 's', arg_string, &service, "service to use", "service" },
- { "keytab", 'k', arg_string, &keytab_str, "keytab to use", "keytab" },
- { "fork", 'f', arg_flag, &fork_flag, "do fork" },
- { "help", 'h', arg_flag, &help_flag },
- { "version", 0, arg_flag, &version_flag }
-};
-
-static int num_args = sizeof(args) / sizeof(args[0]);
-
-static void
-server_usage(int code, struct getargs *args, int num_args)
-{
- arg_printusage(args, num_args, NULL, "");
- exit(code);
-}
-
-static void
-client_usage(int code, struct getargs *args, int num_args)
-{
- arg_printusage(args, num_args, NULL, "host");
- exit(code);
-}
-
-
-static int
-common_setup(krb5_context *context, int *argc, char **argv,
- void (*usage)(int, struct getargs*, int))
-{
- int port = 0;
- *argc = krb5_program_setup(context, *argc, argv, args, num_args, usage);
-
- if(help_flag)
- (*usage)(0, args, num_args);
- if(version_flag) {
- print_version(NULL);
- exit(0);
- }
-
- if(port_str){
- struct servent *s = roken_getservbyname(port_str, "tcp");
- if(s)
- port = s->s_port;
- else {
- char *ptr;
-
- port = strtol (port_str, &ptr, 10);
- if (port == 0 && ptr == port_str)
- errx (1, "Bad port `%s'", port_str);
- port = htons(port);
- }
- }
-
- if (port == 0)
- port = krb5_getportbyname (*context, PORT, "tcp", 4711);
-
- return port;
-}
-
-int
-server_setup(krb5_context *context, int argc, char **argv)
-{
- int port = common_setup(context, &argc, argv, server_usage);
- krb5_error_code ret;
-
- if(argv[argc] != NULL)
- server_usage(1, args, num_args);
- if (keytab_str != NULL)
- ret = krb5_kt_resolve (*context, keytab_str, &keytab);
- else
- ret = krb5_kt_default (*context, &keytab);
- if (ret)
- krb5_err (*context, 1, ret, "krb5_kt_resolve/default");
- return port;
-}
-
-int
-client_setup(krb5_context *context, int *argc, char **argv)
-{
- int optind = *argc;
- int port = common_setup(context, &optind, argv, client_usage);
- if(*argc - optind != 1)
- client_usage(1, args, num_args);
- *argc = optind;
- return port;
-}
-
-int
-client_doit (const char *hostname, int port, const char *service,
- int (*func)(int, const char *hostname, const char *service))
-{
- struct addrinfo *ai, *a;
- struct addrinfo hints;
- int error;
- char portstr[NI_MAXSERV];
-
- memset (&hints, 0, sizeof(hints));
- hints.ai_socktype = SOCK_STREAM;
- hints.ai_protocol = IPPROTO_TCP;
-
- snprintf (portstr, sizeof(portstr), "%u", ntohs(port));
-
- error = getaddrinfo (hostname, portstr, &hints, &ai);
- if (error) {
- errx (1, "%s: %s", hostname, gai_strerror(error));
- return -1;
- }
-
- for (a = ai; a != NULL; a = a->ai_next) {
- int s;
-
- s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
- if (s < 0)
- continue;
- if (connect (s, a->ai_addr, a->ai_addrlen) < 0) {
- warn ("connect(%s)", hostname);
- close (s);
- continue;
- }
- freeaddrinfo (ai);
- return (*func) (s, hostname, service);
- }
- warnx ("failed to contact %s", hostname);
- freeaddrinfo (ai);
- return 1;
-}
diff --git a/crypto/heimdal-0.6.3/appl/test/gss_common.c b/crypto/heimdal-0.6.3/appl/test/gss_common.c
deleted file mode 100644
index 4b5319a1f0..0000000000
--- a/crypto/heimdal-0.6.3/appl/test/gss_common.c
+++ /dev/null
@@ -1,118 +0,0 @@
-/*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "test_locl.h"
-#include
-#include "gss_common.h"
-RCSID("$Id: gss_common.c,v 1.9 2000/11/15 23:05:27 assar Exp $");
-
-void
-write_token (int sock, gss_buffer_t buf)
-{
- u_int32_t len, net_len;
- OM_uint32 min_stat;
-
- len = buf->length;
-
- net_len = htonl(len);
-
- if (net_write (sock, &net_len, 4) != 4)
- err (1, "write");
- if (net_write (sock, buf->value, len) != len)
- err (1, "write");
-
- gss_release_buffer (&min_stat, buf);
-}
-
-static void
-enet_read(int fd, void *buf, size_t len)
-{
- ssize_t ret;
-
- ret = net_read (fd, buf, len);
- if (ret == 0)
- errx (1, "EOF in read");
- else if (ret < 0)
- errx (1, "read");
-}
-
-void
-read_token (int sock, gss_buffer_t buf)
-{
- u_int32_t len, net_len;
-
- enet_read (sock, &net_len, 4);
- len = ntohl(net_len);
- buf->length = len;
- buf->value = emalloc(len);
- enet_read (sock, buf->value, len);
-}
-
-void
-gss_print_errors (int min_stat)
-{
- OM_uint32 new_stat;
- OM_uint32 msg_ctx = 0;
- gss_buffer_desc status_string;
- OM_uint32 ret;
-
- do {
- ret = gss_display_status (&new_stat,
- min_stat,
- GSS_C_MECH_CODE,
- GSS_C_NO_OID,
- &msg_ctx,
- &status_string);
- fprintf (stderr, "%s\n", (char *)status_string.value);
- gss_release_buffer (&new_stat, &status_string);
- } while (!GSS_ERROR(ret) && msg_ctx != 0);
-}
-
-void
-gss_verr(int exitval, int status, const char *fmt, va_list ap)
-{
- vwarnx (fmt, ap);
- gss_print_errors (status);
- exit (exitval);
-}
-
-void
-gss_err(int exitval, int status, const char *fmt, ...)
-{
- va_list args;
-
- va_start(args, fmt);
- gss_verr (exitval, status, fmt, args);
- va_end(args);
-}
-
diff --git a/crypto/heimdal-0.6.3/appl/test/gss_common.h b/crypto/heimdal-0.6.3/appl/test/gss_common.h
deleted file mode 100644
index 775126b91b..0000000000
--- a/crypto/heimdal-0.6.3/appl/test/gss_common.h
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: gss_common.h,v 1.5 1999/12/02 17:04:56 joda Exp $ */
-
-void write_token (int sock, gss_buffer_t buf);
-void read_token (int sock, gss_buffer_t buf);
-
-void gss_print_errors (int min_stat);
-
-void gss_verr(int exitval, int status, const char *fmt, va_list ap)
- __attribute__ ((format (printf, 3, 0)));
-
-void gss_err(int exitval, int status, const char *fmt, ...)
- __attribute__ ((format (printf, 3, 4)));
diff --git a/crypto/heimdal-0.6.3/appl/test/gssapi_client.c b/crypto/heimdal-0.6.3/appl/test/gssapi_client.c
deleted file mode 100644
index 126ce910b0..0000000000
--- a/crypto/heimdal-0.6.3/appl/test/gssapi_client.c
+++ /dev/null
@@ -1,230 +0,0 @@
-/*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "test_locl.h"
-#include
-#include "gss_common.h"
-RCSID("$Id: gssapi_client.c,v 1.16 2000/08/09 20:53:06 assar Exp $");
-
-static int
-do_trans (int sock, gss_ctx_id_t context_hdl)
-{
- OM_uint32 maj_stat, min_stat;
- gss_buffer_desc real_input_token, real_output_token;
- gss_buffer_t input_token = &real_input_token,
- output_token = &real_output_token;
-
- /* get_mic */
-
- input_token->length = 3;
- input_token->value = strdup("hej");
-
- maj_stat = gss_get_mic(&min_stat,
- context_hdl,
- GSS_C_QOP_DEFAULT,
- input_token,
- output_token);
- if (GSS_ERROR(maj_stat))
- gss_err (1, min_stat, "gss_get_mic");
-
- write_token (sock, input_token);
- write_token (sock, output_token);
-
- /* wrap */
-
- input_token->length = 7;
- input_token->value = "hemligt";
-
-
- maj_stat = gss_wrap (&min_stat,
- context_hdl,
- 1,
- GSS_C_QOP_DEFAULT,
- input_token,
- NULL,
- output_token);
- if (GSS_ERROR(maj_stat))
- gss_err (1, min_stat, "gss_wrap");
-
- write_token (sock, output_token);
-
- return 0;
-}
-
-static int
-proto (int sock, const char *hostname, const char *service)
-{
- struct sockaddr_in remote, local;
- socklen_t addrlen;
-
- int context_established = 0;
- gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT;
- gss_buffer_desc real_input_token, real_output_token;
- gss_buffer_t input_token = &real_input_token,
- output_token = &real_output_token;
- OM_uint32 maj_stat, min_stat;
- gss_name_t server;
- gss_buffer_desc name_token;
- struct gss_channel_bindings_struct input_chan_bindings;
- u_char init_buf[4];
- u_char acct_buf[4];
-
- name_token.length = asprintf ((char **)&name_token.value,
- "%s@%s", service, hostname);
-
- maj_stat = gss_import_name (&min_stat,
- &name_token,
- GSS_C_NT_HOSTBASED_SERVICE,
- &server);
- if (GSS_ERROR(maj_stat))
- gss_err (1, min_stat,
- "Error importing name `%s@%s':\n", service, hostname);
-
- addrlen = sizeof(local);
- if (getsockname (sock, (struct sockaddr *)&local, &addrlen) < 0
- || addrlen != sizeof(local))
- err (1, "getsockname(%s)", hostname);
-
- addrlen = sizeof(remote);
- if (getpeername (sock, (struct sockaddr *)&remote, &addrlen) < 0
- || addrlen != sizeof(remote))
- err (1, "getpeername(%s)", hostname);
-
- input_token->length = 0;
- output_token->length = 0;
-
- input_chan_bindings.initiator_addrtype = GSS_C_AF_INET;
- input_chan_bindings.initiator_address.length = 4;
- init_buf[0] = (local.sin_addr.s_addr >> 24) & 0xFF;
- init_buf[1] = (local.sin_addr.s_addr >> 16) & 0xFF;
- init_buf[2] = (local.sin_addr.s_addr >> 8) & 0xFF;
- init_buf[3] = (local.sin_addr.s_addr >> 0) & 0xFF;
- input_chan_bindings.initiator_address.value = init_buf;
-
- input_chan_bindings.acceptor_addrtype = GSS_C_AF_INET;
- input_chan_bindings.acceptor_address.length = 4;
- acct_buf[0] = (remote.sin_addr.s_addr >> 24) & 0xFF;
- acct_buf[1] = (remote.sin_addr.s_addr >> 16) & 0xFF;
- acct_buf[2] = (remote.sin_addr.s_addr >> 8) & 0xFF;
- acct_buf[3] = (remote.sin_addr.s_addr >> 0) & 0xFF;
- input_chan_bindings.acceptor_address.value = acct_buf;
-
-#if 0
- input_chan_bindings.application_data.value = emalloc(4);
- * (unsigned short*)input_chan_bindings.application_data.value = local.sin_port;
- * ((unsigned short *)input_chan_bindings.application_data.value + 1) = remote.sin_port;
- input_chan_bindings.application_data.length = 4;
-#else
- input_chan_bindings.application_data.length = 0;
- input_chan_bindings.application_data.value = NULL;
-#endif
-
- while(!context_established) {
- maj_stat =
- gss_init_sec_context(&min_stat,
- GSS_C_NO_CREDENTIAL,
- &context_hdl,
- server,
- GSS_C_NO_OID,
- GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG
- | GSS_C_DELEG_FLAG,
- 0,
- &input_chan_bindings,
- input_token,
- NULL,
- output_token,
- NULL,
- NULL);
- if (GSS_ERROR(maj_stat))
- gss_err (1, min_stat, "gss_init_sec_context");
- if (output_token->length != 0)
- write_token (sock, output_token);
- if (GSS_ERROR(maj_stat)) {
- if (context_hdl != GSS_C_NO_CONTEXT)
- gss_delete_sec_context (&min_stat,
- &context_hdl,
- GSS_C_NO_BUFFER);
- break;
- }
- if (maj_stat & GSS_S_CONTINUE_NEEDED) {
- read_token (sock, input_token);
- } else {
- context_established = 1;
- }
-
- }
- if (fork_flag) {
- pid_t pid;
- int pipefd[2];
-
- if (pipe (pipefd) < 0)
- err (1, "pipe");
-
- pid = fork ();
- if (pid < 0)
- err (1, "fork");
- if (pid != 0) {
- gss_buffer_desc buf;
-
- maj_stat = gss_export_sec_context (&min_stat,
- &context_hdl,
- &buf);
- if (GSS_ERROR(maj_stat))
- gss_err (1, min_stat, "gss_export_sec_context");
- write_token (pipefd[1], &buf);
- exit (0);
- } else {
- gss_ctx_id_t context_hdl;
- gss_buffer_desc buf;
-
- close (pipefd[1]);
- read_token (pipefd[0], &buf);
- close (pipefd[0]);
- maj_stat = gss_import_sec_context (&min_stat, &buf, &context_hdl);
- if (GSS_ERROR(maj_stat))
- gss_err (1, min_stat, "gss_import_sec_context");
- gss_release_buffer (&min_stat, &buf);
- return do_trans (sock, context_hdl);
- }
- } else {
- return do_trans (sock, context_hdl);
- }
-}
-
-int
-main(int argc, char **argv)
-{
- krb5_context context; /* XXX */
- int port = client_setup(&context, &argc, argv);
- return client_doit (argv[argc], port, service, proto);
-}
diff --git a/crypto/heimdal-0.6.3/appl/test/gssapi_server.c b/crypto/heimdal-0.6.3/appl/test/gssapi_server.c
deleted file mode 100644
index 3d4affd238..0000000000
--- a/crypto/heimdal-0.6.3/appl/test/gssapi_server.c
+++ /dev/null
@@ -1,277 +0,0 @@
-/*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "test_locl.h"
-#include
-#include "gss_common.h"
-RCSID("$Id: gssapi_server.c,v 1.15 2000/08/09 20:53:07 assar Exp $");
-
-static int
-process_it(int sock,
- gss_ctx_id_t context_hdl,
- gss_name_t client_name
- )
-{
- OM_uint32 maj_stat, min_stat;
- gss_buffer_desc name_token;
- gss_buffer_desc real_input_token, real_output_token;
- gss_buffer_t input_token = &real_input_token,
- output_token = &real_output_token;
-
- maj_stat = gss_display_name (&min_stat,
- client_name,
- &name_token,
- NULL);
- if (GSS_ERROR(maj_stat))
- gss_err (1, min_stat, "gss_display_name");
-
- fprintf (stderr, "User is `%.*s'\n", (int)name_token.length,
- (char *)name_token.value);
-
- gss_release_buffer (&min_stat, &name_token);
-
- /* gss_verify_mic */
-
- read_token (sock, input_token);
- read_token (sock, output_token);
-
- maj_stat = gss_verify_mic (&min_stat,
- context_hdl,
- input_token,
- output_token,
- NULL);
- if (GSS_ERROR(maj_stat))
- gss_err (1, min_stat, "gss_verify_mic");
-
- fprintf (stderr, "gss_verify_mic: %.*s\n", (int)input_token->length,
- (char *)input_token->value);
-
- gss_release_buffer (&min_stat, input_token);
- gss_release_buffer (&min_stat, output_token);
-
- /* gss_unwrap */
-
- read_token (sock, input_token);
-
- maj_stat = gss_unwrap (&min_stat,
- context_hdl,
- input_token,
- output_token,
- NULL,
- NULL);
- if(GSS_ERROR(maj_stat))
- gss_err (1, min_stat, "gss_unwrap");
-
- fprintf (stderr, "gss_unwrap: %.*s\n", (int)output_token->length,
- (char *)output_token->value);
-
- gss_release_buffer (&min_stat, input_token);
- gss_release_buffer (&min_stat, output_token);
-
- return 0;
-}
-
-static int
-proto (int sock, const char *service)
-{
- struct sockaddr_in remote, local;
- socklen_t addrlen;
- gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT;
- gss_buffer_desc real_input_token, real_output_token;
- gss_buffer_t input_token = &real_input_token,
- output_token = &real_output_token;
- OM_uint32 maj_stat, min_stat;
- gss_name_t client_name;
- struct gss_channel_bindings_struct input_chan_bindings;
- gss_cred_id_t delegated_cred_handle = NULL;
- krb5_ccache ccache;
- u_char init_buf[4];
- u_char acct_buf[4];
-
- addrlen = sizeof(local);
- if (getsockname (sock, (struct sockaddr *)&local, &addrlen) < 0
- || addrlen != sizeof(local))
- err (1, "getsockname)");
-
- addrlen = sizeof(remote);
- if (getpeername (sock, (struct sockaddr *)&remote, &addrlen) < 0
- || addrlen != sizeof(remote))
- err (1, "getpeername");
-
- input_chan_bindings.initiator_addrtype = GSS_C_AF_INET;
- input_chan_bindings.initiator_address.length = 4;
- init_buf[0] = (remote.sin_addr.s_addr >> 24) & 0xFF;
- init_buf[1] = (remote.sin_addr.s_addr >> 16) & 0xFF;
- init_buf[2] = (remote.sin_addr.s_addr >> 8) & 0xFF;
- init_buf[3] = (remote.sin_addr.s_addr >> 0) & 0xFF;
-
- input_chan_bindings.initiator_address.value = init_buf;
- input_chan_bindings.acceptor_addrtype = GSS_C_AF_INET;
-
- input_chan_bindings.acceptor_address.length = 4;
- acct_buf[0] = (local.sin_addr.s_addr >> 24) & 0xFF;
- acct_buf[1] = (local.sin_addr.s_addr >> 16) & 0xFF;
- acct_buf[2] = (local.sin_addr.s_addr >> 8) & 0xFF;
- acct_buf[3] = (local.sin_addr.s_addr >> 0) & 0xFF;
- input_chan_bindings.acceptor_address.value = acct_buf;
- input_chan_bindings.application_data.value = emalloc(4);
-#if 0
- * (unsigned short *)input_chan_bindings.application_data.value =
- remote.sin_port;
- * ((unsigned short *)input_chan_bindings.application_data.value + 1) =
- local.sin_port;
- input_chan_bindings.application_data.length = 4;
-#else
- input_chan_bindings.application_data.length = 0;
- input_chan_bindings.application_data.value = NULL;
-#endif
-
- delegated_cred_handle = emalloc(sizeof(*delegated_cred_handle));
- memset((char*)delegated_cred_handle, 0, sizeof(*delegated_cred_handle));
-
- do {
- read_token (sock, input_token);
- maj_stat =
- gss_accept_sec_context (&min_stat,
- &context_hdl,
- GSS_C_NO_CREDENTIAL,
- input_token,
- &input_chan_bindings,
- &client_name,
- NULL,
- output_token,
- NULL,
- NULL,
- /*&delegated_cred_handle*/ NULL);
- if(GSS_ERROR(maj_stat))
- gss_err (1, min_stat, "gss_accept_sec_context");
- if (output_token->length != 0)
- write_token (sock, output_token);
- if (GSS_ERROR(maj_stat)) {
- if (context_hdl != GSS_C_NO_CONTEXT)
- gss_delete_sec_context (&min_stat,
- &context_hdl,
- GSS_C_NO_BUFFER);
- break;
- }
- } while(maj_stat & GSS_S_CONTINUE_NEEDED);
-
- if (delegated_cred_handle->ccache) {
- krb5_context context;
-
- maj_stat = krb5_init_context(&context);
- maj_stat = krb5_cc_resolve(context, "FILE:/tmp/krb5cc_test", &ccache);
- maj_stat = krb5_cc_copy_cache(context,
- delegated_cred_handle->ccache, ccache);
- krb5_cc_close(context, ccache);
- krb5_cc_destroy(context, delegated_cred_handle->ccache);
- }
-
- if (fork_flag) {
- pid_t pid;
- int pipefd[2];
-
- if (pipe (pipefd) < 0)
- err (1, "pipe");
-
- pid = fork ();
- if (pid < 0)
- err (1, "fork");
- if (pid != 0) {
- gss_buffer_desc buf;
-
- maj_stat = gss_export_sec_context (&min_stat,
- &context_hdl,
- &buf);
- if (GSS_ERROR(maj_stat))
- gss_err (1, min_stat, "gss_export_sec_context");
- write_token (pipefd[1], &buf);
- exit (0);
- } else {
- gss_ctx_id_t context_hdl;
- gss_buffer_desc buf;
-
- close (pipefd[1]);
- read_token (pipefd[0], &buf);
- close (pipefd[0]);
- maj_stat = gss_import_sec_context (&min_stat, &buf, &context_hdl);
- if (GSS_ERROR(maj_stat))
- gss_err (1, min_stat, "gss_import_sec_context");
- gss_release_buffer (&min_stat, &buf);
- return process_it (sock, context_hdl, client_name);
- }
- } else {
- return process_it (sock, context_hdl, client_name);
- }
-}
-
-static int
-doit (int port, const char *service)
-{
- int sock, sock2;
- struct sockaddr_in my_addr;
- int one = 1;
-
- sock = socket (AF_INET, SOCK_STREAM, 0);
- if (sock < 0)
- err (1, "socket");
-
- memset (&my_addr, 0, sizeof(my_addr));
- my_addr.sin_family = AF_INET;
- my_addr.sin_port = port;
- my_addr.sin_addr.s_addr = INADDR_ANY;
-
- if (setsockopt (sock, SOL_SOCKET, SO_REUSEADDR,
- (void *)&one, sizeof(one)) < 0)
- warn ("setsockopt SO_REUSEADDR");
-
- if (bind (sock, (struct sockaddr *)&my_addr, sizeof(my_addr)) < 0)
- err (1, "bind");
-
- if (listen (sock, 1) < 0)
- err (1, "listen");
-
- sock2 = accept (sock, NULL, NULL);
- if (sock2 < 0)
- err (1, "accept");
-
- return proto (sock2, service);
-}
-
-int
-main(int argc, char **argv)
-{
- krb5_context context = NULL; /* XXX */
- int port = server_setup(&context, argc, argv);
- return doit (port, service);
-}
diff --git a/crypto/heimdal-0.6.3/appl/test/nt_gss_client.c b/crypto/heimdal-0.6.3/appl/test/nt_gss_client.c
deleted file mode 100644
index 4fabd662b1..0000000000
--- a/crypto/heimdal-0.6.3/appl/test/nt_gss_client.c
+++ /dev/null
@@ -1,163 +0,0 @@
-/*
- * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "test_locl.h"
-#include
-#include "nt_gss_common.h"
-
-RCSID("$Id: nt_gss_client.c,v 1.4 2000/08/09 20:53:07 assar Exp $");
-
-/*
- * This program tries to act as a client for the sample in `Sample
- * SSPI Code' in Windows 2000 RC1 SDK.
- */
-
-static int
-proto (int sock, const char *hostname, const char *service)
-{
- struct sockaddr_in remote, local;
- socklen_t addrlen;
-
- int context_established = 0;
- gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT;
- gss_buffer_t input_token, output_token;
- gss_buffer_desc real_input_token, real_output_token;
- OM_uint32 maj_stat, min_stat;
- gss_name_t server;
- gss_buffer_desc name_token;
-
- name_token.length = asprintf ((char **)&name_token.value,
- "%s@%s", service, hostname);
-
- maj_stat = gss_import_name (&min_stat,
- &name_token,
- GSS_C_NT_HOSTBASED_SERVICE,
- &server);
- if (GSS_ERROR(maj_stat))
- gss_err (1, min_stat,
- "Error importing name `%s@%s':\n", service, hostname);
-
- addrlen = sizeof(local);
- if (getsockname (sock, (struct sockaddr *)&local, &addrlen) < 0
- || addrlen != sizeof(local))
- err (1, "getsockname(%s)", hostname);
-
- addrlen = sizeof(remote);
- if (getpeername (sock, (struct sockaddr *)&remote, &addrlen) < 0
- || addrlen != sizeof(remote))
- err (1, "getpeername(%s)", hostname);
-
- input_token = &real_input_token;
- output_token = &real_output_token;
-
- input_token->length = 0;
- output_token->length = 0;
-
- while(!context_established) {
- maj_stat =
- gss_init_sec_context(&min_stat,
- GSS_C_NO_CREDENTIAL,
- &context_hdl,
- server,
- GSS_C_NO_OID,
- GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG,
- 0,
- GSS_C_NO_CHANNEL_BINDINGS,
- input_token,
- NULL,
- output_token,
- NULL,
- NULL);
- if (GSS_ERROR(maj_stat))
- gss_err (1, min_stat, "gss_init_sec_context");
- if (output_token->length != 0)
- nt_write_token (sock, output_token);
- if (GSS_ERROR(maj_stat)) {
- if (context_hdl != GSS_C_NO_CONTEXT)
- gss_delete_sec_context (&min_stat,
- &context_hdl,
- GSS_C_NO_BUFFER);
- break;
- }
- if (maj_stat & GSS_S_CONTINUE_NEEDED) {
- nt_read_token (sock, input_token);
- } else {
- context_established = 1;
- }
-
- }
-
- /* get_mic */
-
- input_token->length = 3;
- input_token->value = strdup("hej");
-
- maj_stat = gss_get_mic(&min_stat,
- context_hdl,
- GSS_C_QOP_DEFAULT,
- input_token,
- output_token);
- if (GSS_ERROR(maj_stat))
- gss_err (1, min_stat, "gss_get_mic");
-
- nt_write_token (sock, input_token);
- nt_write_token (sock, output_token);
-
- /* wrap */
-
- input_token->length = 7;
- input_token->value = "hemligt";
-
-
- maj_stat = gss_wrap (&min_stat,
- context_hdl,
- 1,
- GSS_C_QOP_DEFAULT,
- input_token,
- NULL,
- output_token);
- if (GSS_ERROR(maj_stat))
- gss_err (1, min_stat, "gss_wrap");
-
- nt_write_token (sock, output_token);
-
- return 0;
-}
-
-int
-main(int argc, char **argv)
-{
- krb5_context context; /* XXX */
- int port = client_setup(&context, &argc, argv);
- return client_doit (argv[argc], port, service, proto);
-}
diff --git a/crypto/heimdal-0.6.3/appl/test/nt_gss_common.c b/crypto/heimdal-0.6.3/appl/test/nt_gss_common.c
deleted file mode 100644
index ab10355a05..0000000000
--- a/crypto/heimdal-0.6.3/appl/test/nt_gss_common.c
+++ /dev/null
@@ -1,131 +0,0 @@
-/*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "test_locl.h"
-#include
-#include "nt_gss_common.h"
-
-RCSID("$Id: nt_gss_common.c,v 1.3 1999/12/02 17:04:57 joda Exp $");
-
-/*
- * These are functions that are needed to interoperate with the
- * `Sample SSPI Code' in Windows 2000 RC1 SDK.
- */
-
-/*
- * Write the `gss_buffer_t' in `buf' onto the fd `sock', but remember that
- * the length is written in little-endian-order.
- */
-
-void
-nt_write_token (int sock, gss_buffer_t buf)
-{
- unsigned char net_len[4];
- u_int32_t len;
- OM_uint32 min_stat;
-
- len = buf->length;
-
- net_len[0] = (len >> 0) & 0xFF;
- net_len[1] = (len >> 8) & 0xFF;
- net_len[2] = (len >> 16) & 0xFF;
- net_len[3] = (len >> 24) & 0xFF;
-
- if (write (sock, net_len, 4) != 4)
- err (1, "write");
- if (write (sock, buf->value, len) != len)
- err (1, "write");
-
- gss_release_buffer (&min_stat, buf);
-}
-
-/*
- *
- */
-
-void
-nt_read_token (int sock, gss_buffer_t buf)
-{
- unsigned char net_len[4];
- u_int32_t len;
-
- if (read(sock, net_len, 4) != 4)
- err (1, "read");
- len = (net_len[0] << 0)
- | (net_len[1] << 8)
- | (net_len[2] << 16)
- | (net_len[3] << 24);
-
- buf->length = len;
- buf->value = malloc(len);
- if (read (sock, buf->value, len) != len)
- err (1, "read");
-}
-
-void
-gss_print_errors (int min_stat)
-{
- OM_uint32 new_stat;
- OM_uint32 msg_ctx = 0;
- gss_buffer_desc status_string;
- OM_uint32 ret;
-
- do {
- ret = gss_display_status (&new_stat,
- min_stat,
- GSS_C_MECH_CODE,
- GSS_C_NO_OID,
- &msg_ctx,
- &status_string);
- fprintf (stderr, "%s\n", (char *)status_string.value);
- gss_release_buffer (&new_stat, &status_string);
- } while (!GSS_ERROR(ret) && msg_ctx != 0);
-}
-
-void
-gss_verr(int exitval, int status, const char *fmt, va_list ap)
-{
- vwarnx (fmt, ap);
- gss_print_errors (status);
- exit (exitval);
-}
-
-void
-gss_err(int exitval, int status, const char *fmt, ...)
-{
- va_list args;
-
- va_start(args, fmt);
- gss_verr (exitval, status, fmt, args);
- va_end(args);
-}
diff --git a/crypto/heimdal-0.6.3/appl/test/nt_gss_common.h b/crypto/heimdal-0.6.3/appl/test/nt_gss_common.h
deleted file mode 100644
index 07428ddcd9..0000000000
--- a/crypto/heimdal-0.6.3/appl/test/nt_gss_common.h
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: nt_gss_common.h,v 1.2 1999/12/02 17:04:57 joda Exp $ */
-
-void nt_write_token (int sock, gss_buffer_t buf);
-void nt_read_token (int sock, gss_buffer_t buf);
-
-void gss_print_errors (int min_stat);
-
-void gss_verr(int exitval, int status, const char *fmt, va_list ap)
- __attribute__ ((format (printf, 3, 0)));
-
-void gss_err(int exitval, int status, const char *fmt, ...)
- __attribute__ ((format (printf, 3, 4)));
diff --git a/crypto/heimdal-0.6.3/appl/test/nt_gss_server.c b/crypto/heimdal-0.6.3/appl/test/nt_gss_server.c
deleted file mode 100644
index 05b6bcb992..0000000000
--- a/crypto/heimdal-0.6.3/appl/test/nt_gss_server.c
+++ /dev/null
@@ -1,242 +0,0 @@
-/*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "test_locl.h"
-#include
-#include
-#include "nt_gss_common.h"
-
-RCSID("$Id: nt_gss_server.c,v 1.5 2000/08/09 20:53:07 assar Exp $");
-
-/*
- * This program tries to act as a server for the sample in `Sample
- * SSPI Code' in Windows 2000 RC1 SDK.
- *
- * use --dump-auth to get a binary dump of the authorization data in the ticket
- */
-
-static int help_flag;
-static int version_flag;
-static char *port_str;
-char *service = SERVICE;
-static char *auth_file;
-
-static struct getargs args[] = {
- { "port", 'p', arg_string, &port_str, "port to listen to", "port" },
- { "service", 's', arg_string, &service, "service to use", "service" },
- { "dump-auth", 0, arg_string, &auth_file, "dump authorization data",
- "file" },
- { "help", 'h', arg_flag, &help_flag },
- { "version", 0, arg_flag, &version_flag }
-};
-
-static int num_args = sizeof(args) / sizeof(args[0]);
-
-static int
-proto (int sock, const char *service)
-{
- struct sockaddr_in remote, local;
- socklen_t addrlen;
- gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT;
- gss_buffer_t input_token, output_token;
- gss_buffer_desc real_input_token, real_output_token;
- OM_uint32 maj_stat, min_stat;
- gss_name_t client_name;
- gss_buffer_desc name_token;
-
- addrlen = sizeof(local);
- if (getsockname (sock, (struct sockaddr *)&local, &addrlen) < 0
- || addrlen != sizeof(local))
- err (1, "getsockname)");
-
- addrlen = sizeof(remote);
- if (getpeername (sock, (struct sockaddr *)&remote, &addrlen) < 0
- || addrlen != sizeof(remote))
- err (1, "getpeername");
-
- input_token = &real_input_token;
- output_token = &real_output_token;
-
- do {
- nt_read_token (sock, input_token);
- maj_stat =
- gss_accept_sec_context (&min_stat,
- &context_hdl,
- GSS_C_NO_CREDENTIAL,
- input_token,
- GSS_C_NO_CHANNEL_BINDINGS,
- &client_name,
- NULL,
- output_token,
- NULL,
- NULL,
- NULL);
- if(GSS_ERROR(maj_stat))
- gss_err (1, min_stat, "gss_accept_sec_context");
- if (output_token->length != 0)
- nt_write_token (sock, output_token);
- if (GSS_ERROR(maj_stat)) {
- if (context_hdl != GSS_C_NO_CONTEXT)
- gss_delete_sec_context (&min_stat,
- &context_hdl,
- GSS_C_NO_BUFFER);
- break;
- }
- } while(maj_stat & GSS_S_CONTINUE_NEEDED);
-
- if (auth_file != NULL) {
- int fd = open (auth_file, O_WRONLY | O_CREAT, 0666);
- krb5_ticket *ticket = context_hdl->ticket;
- krb5_data *data = &ticket->ticket.authorization_data->val[0].ad_data;
-
- if(fd < 0)
- err (1, "open %s", auth_file);
- if (write (fd, data->data, data->length) != data->length)
- errx (1, "write to %s failed", auth_file);
- if (close (fd))
- err (1, "close %s", auth_file);
- }
-
- maj_stat = gss_display_name (&min_stat,
- client_name,
- &name_token,
- NULL);
- if (GSS_ERROR(maj_stat))
- gss_err (1, min_stat, "gss_display_name");
-
- fprintf (stderr, "User is `%.*s'\n", (int)name_token.length,
- (char *)name_token.value);
-
- /* write something back */
-
- output_token->value = strdup ("hejsan");
- output_token->length = strlen (output_token->value) + 1;
- nt_write_token (sock, output_token);
-
- output_token->value = strdup ("hoppsan");
- output_token->length = strlen (output_token->value) + 1;
- nt_write_token (sock, output_token);
-
- return 0;
-}
-
-static int
-doit (int port, const char *service)
-{
- int sock, sock2;
- struct sockaddr_in my_addr;
- int one = 1;
-
- sock = socket (AF_INET, SOCK_STREAM, 0);
- if (sock < 0)
- err (1, "socket");
-
- memset (&my_addr, 0, sizeof(my_addr));
- my_addr.sin_family = AF_INET;
- my_addr.sin_port = port;
- my_addr.sin_addr.s_addr = INADDR_ANY;
-
- if (setsockopt (sock, SOL_SOCKET, SO_REUSEADDR,
- (void *)&one, sizeof(one)) < 0)
- warn ("setsockopt SO_REUSEADDR");
-
- if (bind (sock, (struct sockaddr *)&my_addr, sizeof(my_addr)) < 0)
- err (1, "bind");
-
- if (listen (sock, 1) < 0)
- err (1, "listen");
-
- sock2 = accept (sock, NULL, NULL);
- if (sock2 < 0)
- err (1, "accept");
-
- return proto (sock2, service);
-}
-
-static void
-usage(int code, struct getargs *args, int num_args)
-{
- arg_printusage(args, num_args, NULL, "");
- exit(code);
-}
-
-static int
-common_setup(krb5_context *context, int *argc, char **argv,
- void (*usage)(int, struct getargs*, int))
-{
- int port = 0;
- *argc = krb5_program_setup(context, *argc, argv, args, num_args, usage);
-
- if(help_flag)
- (*usage)(0, args, num_args);
- if(version_flag) {
- print_version(NULL);
- exit(0);
- }
-
- if(port_str){
- struct servent *s = roken_getservbyname(port_str, "tcp");
- if(s)
- port = s->s_port;
- else {
- char *ptr;
-
- port = strtol (port_str, &ptr, 10);
- if (port == 0 && ptr == port_str)
- errx (1, "Bad port `%s'", port_str);
- port = htons(port);
- }
- }
-
- if (port == 0)
- port = krb5_getportbyname (*context, PORT, "tcp", 4711);
-
- return port;
-}
-
-static int
-setup(krb5_context *context, int argc, char **argv)
-{
- int port = common_setup(context, &argc, argv, usage);
- if(argv[argc] != NULL)
- usage(1, args, num_args);
- return port;
-}
-
-int
-main(int argc, char **argv)
-{
- krb5_context context = NULL; /* XXX */
- int port = setup(&context, argc, argv);
- return doit (port, service);
-}
diff --git a/crypto/heimdal-0.6.3/appl/test/tcp_client.c b/crypto/heimdal-0.6.3/appl/test/tcp_client.c
deleted file mode 100644
index 7affc432a1..0000000000
--- a/crypto/heimdal-0.6.3/appl/test/tcp_client.c
+++ /dev/null
@@ -1,132 +0,0 @@
-/*
- * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "test_locl.h"
-RCSID("$Id: tcp_client.c,v 1.15 1999/12/16 10:30:17 assar Exp $");
-
-krb5_context context;
-
-static int
-proto (int sock, const char *hostname, const char *service)
-{
- krb5_auth_context auth_context;
- krb5_error_code status;
- krb5_principal server;
- krb5_data data;
- krb5_data packet;
- u_int32_t len, net_len;
-
- status = krb5_auth_con_init (context, &auth_context);
- if (status)
- krb5_err (context, 1, status, "krb5_auth_con_init");
-
- status = krb5_auth_con_setaddrs_from_fd (context,
- auth_context,
- &sock);
- if (status)
- krb5_err (context, 1, status, "krb5_auth_con_setaddrs_from_fd");
-
- status = krb5_sname_to_principal (context,
- hostname,
- service,
- KRB5_NT_SRV_HST,
- &server);
- if (status)
- krb5_err (context, 1, status, "krb5_sname_to_principal");
-
- status = krb5_sendauth (context,
- &auth_context,
- &sock,
- VERSION,
- NULL,
- server,
- AP_OPTS_MUTUAL_REQUIRED,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL);
- if (status)
- krb5_err (context, 1, status, "krb5_sendauth");
-
- data.data = "hej";
- data.length = 3;
-
- krb5_data_zero (&packet);
-
- status = krb5_mk_safe (context,
- auth_context,
- &data,
- &packet,
- NULL);
- if (status)
- krb5_err (context, 1, status, "krb5_mk_safe");
-
- len = packet.length;
- net_len = htonl(len);
-
- if (krb5_net_write (context, &sock, &net_len, 4) != 4)
- err (1, "krb5_net_write");
- if (krb5_net_write (context, &sock, packet.data, len) != len)
- err (1, "krb5_net_write");
-
- data.data = "hemligt";
- data.length = 7;
-
- krb5_data_free (&packet);
-
- status = krb5_mk_priv (context,
- auth_context,
- &data,
- &packet,
- NULL);
- if (status)
- krb5_err (context, 1, status, "krb5_mk_priv");
-
- len = packet.length;
- net_len = htonl(len);
-
- if (krb5_net_write (context, &sock, &net_len, 4) != 4)
- err (1, "krb5_net_write");
- if (krb5_net_write (context, &sock, packet.data, len) != len)
- err (1, "krb5_net_write");
- return 0;
-}
-
-int
-main(int argc, char **argv)
-{
- int port = client_setup(&context, &argc, argv);
- return client_doit (argv[argc], port, service, proto);
-}
diff --git a/crypto/heimdal-0.6.3/appl/test/tcp_server.c b/crypto/heimdal-0.6.3/appl/test/tcp_server.c
deleted file mode 100644
index 4469c5850e..0000000000
--- a/crypto/heimdal-0.6.3/appl/test/tcp_server.c
+++ /dev/null
@@ -1,168 +0,0 @@
-/*
- * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "test_locl.h"
-RCSID("$Id: tcp_server.c,v 1.16 1999/12/16 10:31:08 assar Exp $");
-
-krb5_context context;
-
-static int
-proto (int sock, const char *service)
-{
- krb5_auth_context auth_context;
- krb5_error_code status;
- krb5_principal server;
- krb5_ticket *ticket;
- char *name;
- char hostname[MAXHOSTNAMELEN];
- krb5_data packet;
- krb5_data data;
- u_int32_t len, net_len;
- ssize_t n;
-
- status = krb5_auth_con_init (context, &auth_context);
- if (status)
- krb5_err (context, 1, status, "krb5_auth_con_init");
-
- status = krb5_auth_con_setaddrs_from_fd (context,
- auth_context,
- &sock);
-
- if (status)
- krb5_err (context, 1, status, "krb5_auth_con_setaddrs_from_fd");
-
- if(gethostname (hostname, sizeof(hostname)) < 0)
- krb5_err (context, 1, errno, "gethostname");
-
- status = krb5_sname_to_principal (context,
- hostname,
- service,
- KRB5_NT_SRV_HST,
- &server);
- if (status)
- krb5_err (context, 1, status, "krb5_sname_to_principal");
-
- status = krb5_recvauth (context,
- &auth_context,
- &sock,
- VERSION,
- server,
- 0,
- NULL,
- &ticket);
- if (status)
- krb5_err (context, 1, status, "krb5_recvauth");
-
- status = krb5_unparse_name (context,
- ticket->client,
- &name);
- if (status)
- krb5_err (context, 1, status, "krb5_unparse_name");
-
- fprintf (stderr, "User is `%s'\n", name);
- free (name);
-
- krb5_data_zero (&data);
- krb5_data_zero (&packet);
-
- n = krb5_net_read (context, &sock, &net_len, 4);
- if (n == 0)
- krb5_errx (context, 1, "EOF in krb5_net_read");
- if (n < 0)
- krb5_err (context, 1, errno, "krb5_net_read");
-
- len = ntohl(net_len);
-
- krb5_data_alloc (&packet, len);
-
- n = krb5_net_read (context, &sock, packet.data, len);
- if (n == 0)
- krb5_errx (context, 1, "EOF in krb5_net_read");
- if (n < 0)
- krb5_err (context, 1, errno, "krb5_net_read");
-
- status = krb5_rd_safe (context,
- auth_context,
- &packet,
- &data,
- NULL);
- if (status)
- krb5_err (context, 1, status, "krb5_rd_safe");
-
- fprintf (stderr, "safe packet: %.*s\n", (int)data.length,
- (char *)data.data);
-
- n = krb5_net_read (context, &sock, &net_len, 4);
- if (n == 0)
- krb5_errx (context, 1, "EOF in krb5_net_read");
- if (n < 0)
- krb5_err (context, 1, errno, "krb5_net_read");
-
- len = ntohl(net_len);
-
- krb5_data_alloc (&packet, len);
-
- n = krb5_net_read (context, &sock, packet.data, len);
- if (n == 0)
- krb5_errx (context, 1, "EOF in krb5_net_read");
- if (n < 0)
- krb5_err (context, 1, errno, "krb5_net_read");
-
- status = krb5_rd_priv (context,
- auth_context,
- &packet,
- &data,
- NULL);
- if (status)
- krb5_err (context, 1, status, "krb5_rd_priv");
-
- fprintf (stderr, "priv packet: %.*s\n", (int)data.length,
- (char *)data.data);
-
- return 0;
-}
-
-static int
-doit (int port, const char *service)
-{
- mini_inetd (port);
-
- return proto (STDIN_FILENO, service);
-}
-
-int
-main(int argc, char **argv)
-{
- int port = server_setup(&context, argc, argv);
- return doit (port, service);
-}
diff --git a/crypto/heimdal-0.6.3/appl/test/test_locl.h b/crypto/heimdal-0.6.3/appl/test/test_locl.h
deleted file mode 100644
index 56f874574f..0000000000
--- a/crypto/heimdal-0.6.3/appl/test/test_locl.h
+++ /dev/null
@@ -1,87 +0,0 @@
-/*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: test_locl.h,v 1.9 2000/08/27 04:29:54 assar Exp $ */
-
-#ifdef HAVE_CONFIG_H
-#include
-#endif
-
-#include
-#include
-#include
-#ifdef HAVE_SYS_TYPES_H
-#include
-#endif
-#ifdef HAVE_UNISTD_H
-#include
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include
-#endif
-#ifdef HAVE_NETINET_IN6_H
-#include
-#endif
-#ifdef HAVE_NETINET6_IN6_H
-#include
-#endif
-
-#ifdef HAVE_PWD_H
-#include
-#endif
-#ifdef HAVE_NETDB_H
-#include
-#endif
-#ifdef HAVE_SYS_PARAM_H
-#include
-#endif
-#include
-#include
-#include
-#include
-#include
-
-#define SERVICE "test"
-
-#define PORT "test"
-
-extern char *service;
-extern krb5_keytab keytab;
-extern int fork_flag;
-int server_setup(krb5_context*, int, char**);
-int client_setup(krb5_context*, int*, char**);
-int client_doit (const char *hostname, int port, const char *service,
- int (*func)(int, const char *hostname, const char *service));
diff --git a/crypto/heimdal-0.6.3/appl/test/uu_client.c b/crypto/heimdal-0.6.3/appl/test/uu_client.c
deleted file mode 100644
index fae5bcbdb1..0000000000
--- a/crypto/heimdal-0.6.3/appl/test/uu_client.c
+++ /dev/null
@@ -1,175 +0,0 @@
-/*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "test_locl.h"
-RCSID("$Id: uu_client.c,v 1.7 2000/12/31 07:41:39 assar Exp $");
-
-krb5_context context;
-
-static int
-proto (int sock, const char *hostname, const char *service)
-{
- struct sockaddr_in remote, local;
- socklen_t addrlen;
- krb5_address remote_addr, local_addr;
- krb5_context context;
- krb5_ccache ccache;
- krb5_auth_context auth_context;
- krb5_error_code status;
- krb5_principal client;
- krb5_data data;
- krb5_data packet;
- krb5_creds mcred, cred;
-
- addrlen = sizeof(local);
- if (getsockname (sock, (struct sockaddr *)&local, &addrlen) < 0
- || addrlen != sizeof(local))
- err (1, "getsockname(%s)", hostname);
-
- addrlen = sizeof(remote);
- if (getpeername (sock, (struct sockaddr *)&remote, &addrlen) < 0
- || addrlen != sizeof(remote))
- err (1, "getpeername(%s)", hostname);
-
- status = krb5_init_context(&context);
- if (status)
- errx(1, "krb5_init_context failed: %d", status);
-
- status = krb5_cc_default (context, &ccache);
- if (status)
- krb5_err(context, 1, status, "krb5_cc_default");
-
- status = krb5_auth_con_init (context, &auth_context);
- if (status)
- krb5_err(context, 1, status, "krb5_auth_con_init");
-
- local_addr.addr_type = AF_INET;
- local_addr.address.length = sizeof(local.sin_addr);
- local_addr.address.data = &local.sin_addr;
-
- remote_addr.addr_type = AF_INET;
- remote_addr.address.length = sizeof(remote.sin_addr);
- remote_addr.address.data = &remote.sin_addr;
-
- status = krb5_auth_con_setaddrs (context,
- auth_context,
- &local_addr,
- &remote_addr);
- if (status)
- krb5_err(context, 1, status, "krb5_auth_con_setaddr");
-
- status = krb5_cc_get_principal(context, ccache, &client);
- if(status)
- krb5_err(context, 1, status, "krb5_cc_get_principal");
- status = krb5_make_principal(context, &mcred.server,
- *krb5_princ_realm(context, client),
- "krbtgt",
- *krb5_princ_realm(context, client),
- NULL);
- if(status)
- krb5_err(context, 1, status, "krb5_make_principal");
-
- status = krb5_cc_retrieve_cred(context, ccache, 0, &mcred, &cred);
- if(status)
- krb5_err(context, 1, status, "krb5_cc_retrieve_cred");
-
- {
- char *client_name;
- krb5_data data;
- status = krb5_unparse_name(context, cred.client, &client_name);
- if(status)
- krb5_err(context, 1, status, "krb5_unparse_name");
- data.data = client_name;
- data.length = strlen(client_name) + 1;
- status = krb5_write_message(context, &sock, &data);
- if(status)
- krb5_err(context, 1, status, "krb5_write_message");
- free(client_name);
- }
-
- status = krb5_write_message(context, &sock, &cred.ticket);
- if(status)
- krb5_err(context, 1, status, "krb5_write_message");
-
- status = krb5_auth_con_setuserkey(context, auth_context, &cred.session);
- if(status)
- krb5_err(context, 1, status, "krb5_auth_con_setuserkey");
-
- status = krb5_recvauth(context, &auth_context, &sock,
- VERSION, client, 0, NULL, NULL);
-
- if (status)
- krb5_err(context, 1, status, "krb5_recvauth");
-
- data.data = "hej";
- data.length = 3;
-
- krb5_data_zero (&packet);
-
- status = krb5_mk_safe (context,
- auth_context,
- &data,
- &packet,
- NULL);
- if (status)
- krb5_err(context, 1, status, "krb5_mk_safe");
-
- status = krb5_write_message(context, &sock, &packet);
- if(status)
- krb5_err(context, 1, status, "krb5_write_message");
-
- data.data = "hemligt";
- data.length = 7;
-
- krb5_data_free (&packet);
-
- status = krb5_mk_priv (context,
- auth_context,
- &data,
- &packet,
- NULL);
- if (status)
- krb5_err(context, 1, status, "krb5_mk_priv");
-
- status = krb5_write_message(context, &sock, &packet);
- if(status)
- krb5_err(context, 1, status, "krb5_write_message");
- return 0;
-}
-
-int
-main(int argc, char **argv)
-{
- int port = client_setup(&context, &argc, argv);
- return client_doit (argv[argc], port, service, proto);
-}
diff --git a/crypto/heimdal-0.6.3/appl/test/uu_server.c b/crypto/heimdal-0.6.3/appl/test/uu_server.c
deleted file mode 100644
index 34a0927795..0000000000
--- a/crypto/heimdal-0.6.3/appl/test/uu_server.c
+++ /dev/null
@@ -1,203 +0,0 @@
-/*
- * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "test_locl.h"
-RCSID("$Id: uu_server.c,v 1.7 2000/08/09 20:53:08 assar Exp $");
-
-krb5_context context;
-
-static int
-proto (int sock, const char *service)
-{
- struct sockaddr_in remote, local;
- socklen_t addrlen;
- krb5_address remote_addr, local_addr;
- krb5_ccache ccache;
- krb5_auth_context auth_context;
- krb5_error_code status;
- krb5_data packet;
- krb5_data data;
- krb5_data client_name;
- krb5_creds in_creds, *out_creds;
-
- addrlen = sizeof(local);
- if (getsockname (sock, (struct sockaddr *)&local, &addrlen) < 0
- || addrlen != sizeof(local))
- err (1, "getsockname)");
-
- addrlen = sizeof(remote);
- if (getpeername (sock, (struct sockaddr *)&remote, &addrlen) < 0
- || addrlen != sizeof(remote))
- err (1, "getpeername");
-
- status = krb5_auth_con_init (context, &auth_context);
- if (status)
- errx (1, "krb5_auth_con_init: %s",
- krb5_get_err_text(context, status));
-
- local_addr.addr_type = AF_INET;
- local_addr.address.length = sizeof(local.sin_addr);
- local_addr.address.data = &local.sin_addr;
-
- remote_addr.addr_type = AF_INET;
- remote_addr.address.length = sizeof(remote.sin_addr);
- remote_addr.address.data = &remote.sin_addr;
-
- status = krb5_auth_con_setaddrs (context,
- auth_context,
- &local_addr,
- &remote_addr);
- if (status)
- errx (1, "krb5_auth_con_setaddr: %s",
- krb5_get_err_text(context, status));
-
- status = krb5_read_message(context, &sock, &client_name);
- if(status)
- krb5_err(context, 1, status, "krb5_read_message");
-
- memset(&in_creds, 0, sizeof(in_creds));
- status = krb5_cc_default(context, &ccache);
- status = krb5_cc_get_principal(context, ccache, &in_creds.client);
-
- status = krb5_read_message(context, &sock, &in_creds.second_ticket);
- if(status)
- krb5_err(context, 1, status, "krb5_read_message");
-
- status = krb5_parse_name(context, client_name.data, &in_creds.server);
- if(status)
- krb5_err(context, 1, status, "krb5_parse_name");
-
- status = krb5_get_credentials(context, KRB5_GC_USER_USER, ccache,
- &in_creds, &out_creds);
- if(status)
- krb5_err(context, 1, status, "krb5_get_credentials");
-
- status = krb5_cc_default(context, &ccache);
-
- status = krb5_sendauth(context,
- &auth_context,
- &sock,
- VERSION,
- in_creds.client,
- in_creds.server,
- AP_OPTS_USE_SESSION_KEY,
- NULL,
- out_creds,
- ccache,
- NULL,
- NULL,
- NULL);
-
- if (status)
- krb5_err(context, 1, status, "krb5_sendauth");
-
- fprintf (stderr, "User is `%.*s'\n", (int)client_name.length,
- (char *)client_name.data);
-
- krb5_data_zero (&data);
- krb5_data_zero (&packet);
-
- status = krb5_read_message(context, &sock, &packet);
- if(status)
- krb5_err(context, 1, status, "krb5_read_message");
-
- status = krb5_rd_safe (context,
- auth_context,
- &packet,
- &data,
- NULL);
- if (status)
- errx (1, "krb5_rd_safe: %s",
- krb5_get_err_text(context, status));
-
- fprintf (stderr, "safe packet: %.*s\n", (int)data.length,
- (char *)data.data);
-
- status = krb5_read_message(context, &sock, &packet);
- if(status)
- krb5_err(context, 1, status, "krb5_read_message");
-
- status = krb5_rd_priv (context,
- auth_context,
- &packet,
- &data,
- NULL);
- if (status)
- errx (1, "krb5_rd_priv: %s",
- krb5_get_err_text(context, status));
-
- fprintf (stderr, "priv packet: %.*s\n", (int)data.length,
- (char *)data.data);
-
- return 0;
-}
-
-static int
-doit (int port, const char *service)
-{
- int sock, sock2;
- struct sockaddr_in my_addr;
- int one = 1;
-
- sock = socket (AF_INET, SOCK_STREAM, 0);
- if (sock < 0)
- err (1, "socket");
-
- memset (&my_addr, 0, sizeof(my_addr));
- my_addr.sin_family = AF_INET;
- my_addr.sin_port = port;
- my_addr.sin_addr.s_addr = INADDR_ANY;
-
- if (setsockopt (sock, SOL_SOCKET, SO_REUSEADDR,
- (void *)&one, sizeof(one)) < 0)
- warn ("setsockopt SO_REUSEADDR");
-
- if (bind (sock, (struct sockaddr *)&my_addr, sizeof(my_addr)) < 0)
- err (1, "bind");
-
- if (listen (sock, 1) < 0)
- err (1, "listen");
-
- sock2 = accept (sock, NULL, NULL);
- if (sock2 < 0)
- err (1, "accept");
-
- return proto (sock2, service);
-}
-
-int
-main(int argc, char **argv)
-{
- int port = server_setup(&context, argc, argv);
- return doit (port, service);
-}
diff --git a/crypto/heimdal-0.6.3/appl/xnlock/ChangeLog b/crypto/heimdal-0.6.3/appl/xnlock/ChangeLog
deleted file mode 100644
index ca1da37506..0000000000
--- a/crypto/heimdal-0.6.3/appl/xnlock/ChangeLog
+++ /dev/null
@@ -1,111 +0,0 @@
-2004-09-08 Johan Danielsson
-
- * xnlock.c: pull up 1.99->1.100: use krb5_appdefault_boolean
- instead of krb5_config_get_bool
-
-2004-03-22 Johan Danielsson
-
- * xnlock.c: protect the world from des_encrypt in crypt.h
-
-2004-03-01 Love Hörnquist Åstrand
-
- * xnlock.c: include , From: Fredrik Ljungberg
-
-
-2003-05-06 Johan Danielsson
-
- * no checks here
-
-2003-04-29 Love Hörnquist Åstrand
-
- * xnlock.c: include kafs.h in the krb5 case
-
-2003-04-14 Love Hörnquist Åstrand
-
- * xnlock.c (GetPasswd): cast argument to isprint to unsigned char,
- From Christian Biere via NetBSD
-
-2003-03-18 Love Hörnquist Åstrand
-
- * xnlock.c: do krb5_afslog when compling with afs support
-
-2003-02-10 Assar Westerlund
-
- * xnlock.c (verify): move ret to where it's used
-
-2002-08-23 Assar Westerlund
-
- * xnlock.c: add --version as a special case
-
-2001-06-24 Assar Westerlund
-
- * xnlock.c (verify_krb5): remove unused variable
-
-2001-03-15 Johan Danielsson
-
- * xnlock.c: don't explicitly set the krb4 ticket file
-
-2000-12-31 Assar Westerlund
-
- * xnlock.c (main): handle krb5_init_context failure consistently
-
-2000-07-17 Johan Danielsson
-
- * Makefile.am: use conditional for X
-
-2000-04-09 Assar Westerlund
-
- * xnlock.c (verfiy_krb5): get the v4-realm from the v5-ticket and
- not from the default one.
- * xnlock.c (verify_krb5): add obtainting of v4 tickets.
-
-1999-11-17 Assar Westerlund
-
- * Makefile.am: only build when we have X11. From: Simon Josefsson
-
-
-Thu Mar 18 11:21:44 1999 Johan Danielsson
-
- * Makefile.am: include Makefile.am.common
-
-Wed Mar 17 23:35:51 1999 Assar Westerlund
-
- * xnlock.c (verify): use KRB_VERIFY_SECURE instead of 1
-
-Tue Mar 16 22:29:14 1999 Assar Westerlund
-
- * xnlock.c: krb_verify_user_multiple -> krb_verify_user
-
-Thu Mar 11 14:59:20 1999 Johan Danielsson
-
- * xnlock.c: add some if-braces to keep gcc happy
-
-Sun Nov 22 10:36:45 1998 Assar Westerlund
-
- * Makefile.in (WFLAGS): set
-
-Wed Jul 8 01:37:37 1998 Assar Westerlund
-
- * xnlock.c (main): create place-holder ticket file with
- open(O_EXCL | O_CREAT) instead of creat
-
-Sat Mar 28 12:53:46 1998 Assar Westerlund
-
- * Makefile.in (install, uninstall): transform the man page
-
-Tue Mar 24 05:20:34 1998 Assar Westerlund
-
- * xnlock.c: remove redundant preprocessor stuff
-
-Sat Mar 21 14:36:21 1998 Assar Westerlund
-
- * xnlock.c (init_words): recognize both `-p' and `-prog'
-
-Sat Feb 7 10:08:07 1998 Assar Westerlund
-
- * xnlock.c: Don't use REALM_SZ + 1, just REALM_SZ
-
-Sat Nov 29 04:58:19 1997 Johan Danielsson
-
- * xnlock.c: Make it build w/o krb4.
-
diff --git a/crypto/heimdal-0.6.3/appl/xnlock/Makefile.am b/crypto/heimdal-0.6.3/appl/xnlock/Makefile.am
deleted file mode 100644
index 9a5921e91a..0000000000
--- a/crypto/heimdal-0.6.3/appl/xnlock/Makefile.am
+++ /dev/null
@@ -1,32 +0,0 @@
-# $Id: Makefile.am,v 1.15.12.1 2003/05/06 16:50:33 joda Exp $
-
-include $(top_srcdir)/Makefile.am.common
-
-INCLUDES += $(INCLUDE_krb4) $(X_CFLAGS)
-
-WFLAGS += $(WFLAGS_NOIMPLICITINT)
-
-if HAVE_X
-
-bin_PROGRAMS = xnlock
-
-else
-
-bin_PROGRAMS =
-
-endif
-
-CHECK_LOCAL =
-
-man_MANS = xnlock.1
-
-EXTRA_DIST = $(man_MANS) nose.0.left nose.0.right nose.1.left nose.1.right \
- nose.down nose.front nose.left.front nose.right.front
-
-LDADD = \
- $(LIB_kafs) \
- $(LIB_krb5) \
- $(LIB_krb4) \
- $(LIB_des) \
- $(LIB_roken) \
- $(X_LIBS) -lXt $(X_PRE_LIBS) -lX11 $(X_EXTRA_LIBS)
diff --git a/crypto/heimdal-0.6.3/appl/xnlock/Makefile.in b/crypto/heimdal-0.6.3/appl/xnlock/Makefile.in
deleted file mode 100644
index 9726a0b114..0000000000
--- a/crypto/heimdal-0.6.3/appl/xnlock/Makefile.in
+++ /dev/null
@@ -1,823 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.15.12.1 2003/05/06 16:50:33 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - -SOURCES = xnlock.c - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../.. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ - $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common ChangeLog -@HAVE_X_TRUE@bin_PROGRAMS = xnlock$(EXEEXT) -subdir = appl/xnlock -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - 
$(top_srcdir)/cf/krb-struct-spwd.m4 \ - $(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)" -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -PROGRAMS = $(bin_PROGRAMS) -xnlock_SOURCES = xnlock.c -xnlock_OBJECTS = xnlock.$(OBJEXT) -xnlock_LDADD = $(LDADD) -am__DEPENDENCIES_1 = -am__DEPENDENCIES_2 = $(top_builddir)/lib/kafs/libkafs.la \ - $(am__DEPENDENCIES_1) -@KRB5_TRUE@am__DEPENDENCIES_3 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la -xnlock_DEPENDENCIES = $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_3) \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -SOURCES = xnlock.c -DIST_SOURCES = xnlock.c -man1dir = $(mandir)/man1 -MANS = $(man_MANS) -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = 
@HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = 
@LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ $(WFLAGS_NOIMPLICITINT) -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = 
@dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) $(X_CFLAGS) -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -CHECK_LOCAL = -man_MANS = xnlock.1 -EXTRA_DIST = $(man_MANS) 
nose.0.left nose.0.right nose.1.left nose.1.right \ - nose.down nose.front nose.left.front nose.right.front - -LDADD = \ - $(LIB_kafs) \ - $(LIB_krb5) \ - $(LIB_krb4) \ - $(LIB_des) \ - $(LIB_roken) \ - $(X_LIBS) -lXt $(X_PRE_LIBS) -lX11 $(X_EXTRA_LIBS) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps appl/xnlock/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps appl/xnlock/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -install-binPROGRAMS: $(bin_PROGRAMS) - @$(NORMAL_INSTALL) - test -z "$(bindir)" || $(mkdir_p) "$(DESTDIR)$(bindir)" - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " 
$(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(bindir)/$$f'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(bindir)/$$f" || exit 1; \ - else :; fi; \ - done - -uninstall-binPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f '$(DESTDIR)$(bindir)/$$f'"; \ - rm -f "$(DESTDIR)$(bindir)/$$f"; \ - done - -clean-binPROGRAMS: - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -xnlock$(EXEEXT): $(xnlock_OBJECTS) $(xnlock_DEPENDENCIES) - @rm -f xnlock$(EXEEXT) - $(LINK) $(xnlock_LDFLAGS) $(xnlock_OBJECTS) $(xnlock_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c $< - -.c.obj: - $(COMPILE) -c `$(CYGPATH_W) '$<'` - -.c.lo: - $(LTCOMPILE) -c -o $@ $< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -install-man1: $(man1_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - test -z "$(man1dir)" || $(mkdir_p) "$(DESTDIR)$(man1dir)" - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 1*) ;; \ - *) ext='1' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man1dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man1dir)/$$inst"; \ - done 
-uninstall-man1: - @$(NORMAL_UNINSTALL) - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 1*) ;; \ - *) ext='1' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f '$(DESTDIR)$(man1dir)/$$inst'"; \ - rm -f "$(DESTDIR)$(man1dir)/$$inst"; \ - done - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) 
$$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/../.. $(distdir)/../../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) $(MANS) all-local -installdirs: - for dir in "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - 
-maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: install-man - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: install-binPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man1 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-binPROGRAMS uninstall-info-am uninstall-man - -uninstall-man: uninstall-man1 - -.PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \ - clean clean-binPROGRAMS clean-generic clean-libtool ctags \ - distclean distclean-compile distclean-generic \ - distclean-libtool distclean-tags distdir dvi dvi-am html \ - html-am info info-am install install-am install-binPROGRAMS \ - install-data install-data-am install-exec install-exec-am \ - install-info install-info-am install-man install-man1 \ - install-strip installcheck installcheck-am installdirs \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ - pdf pdf-am ps ps-am tags uninstall uninstall-am \ - uninstall-binPROGRAMS uninstall-info-am uninstall-man \ - uninstall-man1 - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x 
&& chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 
's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal-0.6.3/appl/xnlock/README b/crypto/heimdal-0.6.3/appl/xnlock/README deleted file mode 100644 index 5b16c522fd..0000000000 --- a/crypto/heimdal-0.6.3/appl/xnlock/README +++ /dev/null 
@@ -1,21 +0,0 @@
-xnlock -- Dan Heller, 1990
-"nlock" is a "new lockscreen" type program... something that prevents
-screen burnout by making most of it "black" while providing something
-of interest to be displayed in case anyone is watching. The program
-also provides added security.
-
-"xnlock" is the X11 version of the program.
-
-Original sunview version written by Dan Heller 1985 (not included).
-
-For a real description of how this program works, read the
-man page or just try running it.
-
-The one major outstanding bug with this program is that every
-once in a while, two horizontal lines appear below the little
-figure that runs around the screen. If someone can find and
-fix this bug, *please* let me know -- I don't have time to
-look and if I waited till I had time, you'd never see this
-program... It has something to do with the "looking down"
-position and then directly moving up and right or left...
-
diff --git a/crypto/heimdal-0.6.3/appl/xnlock/nose.0.left b/crypto/heimdal-0.6.3/appl/xnlock/nose.0.left
deleted file mode 100644
index cb3d152863..0000000000
--- a/crypto/heimdal-0.6.3/appl/xnlock/nose.0.left
+++ /dev/null
@@ -1,38 +0,0 @@ -#define nose_0_left_width 64 -#define nose_0_left_height 64 -static unsigned char nose_0_left_bits[] = { - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0xc0,0xff,0xff,0x07,0x00,0x00,0x00,0x00,0x40,0x00, - 0x00,0x04,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x40, - 0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x04,0x00,0x00,0x00,0x00, - 0x40,0x00,0x00,0x04,0x00,0x00,0x00,0xf8,0xff,0xff,0xff,0xff,0x3f,0x00,0x00, - 0x08,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x08,0x00,0x00,0x00,0x00,0x20,0x00, - 0x00,0xf8,0xff,0xff,0xff,0xff,0x3f,0x00,0x00,0xf0,0x03,0x00,0x00,0x80,0x00, - 0x00,0x00,0x0e,0x0c,0x00,0x00,0x80,0x01,0x00,0x00,0x03,0x30,0x00,0x00,0x00, - 0x01,0x00,0x80,0x00,0x40,0x00,0x00,0x00,0x02,0x00,0x40,0x00,0xc0,0x00,0x00, - 0x00,0x02,0x00,0x20,0x00,0x80,0x00,0x00,0x00,0x04,0x00,0x10,0x00,0x00,0x00, - 0x00,0x00,0x04,0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x0c,0x00,0x08,0x00,0x00, - 0x00,0x00,0x00,0x08,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x08,0x00,0x08,0x00, - 0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08, - 0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00, - 0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10, - 0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x10,0x00,0x00,0x01,0x00,0x00, - 0x18,0x00,0x20,0x00,0x00,0x01,0x00,0x00,0x08,0x00,0x40,0x00,0x80,0x00,0x00, - 0x00,0x08,0x00,0x80,0x00,0x40,0x00,0x00,0x00,0x0c,0x00,0x00,0x01,0x20,0x00, - 0x00,0x00,0x04,0x00,0x00,0x06,0x18,0x00,0x00,0x00,0x06,0x00,0x00,0xf8,0x07, - 0x00,0x00,0x00,0x02,0x00,0x00,0x00,0xf8,0xff,0xff,0xff,0x01,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xf8,0x0f,0x00,0x00,0x00, - 0x00,0xff,0x00,0x04,0x10,0x00,0x00,0x00,0xc0,0x00,0x03,0x03,0x10,0x00,0x00, - 
0x00,0x30,0x00,0x0c,0x01,0x20,0x00,0x00,0x00,0x08,0x00,0x98,0x00,0x20,0x00, - 0x00,0x00,0x0c,0x03,0x60,0x00,0x20,0x00,0x00,0x00,0xc2,0x00,0xc0,0x00,0x20, - 0x00,0x00,0x00,0x42,0x00,0x80,0x00,0x20,0x00,0x00,0x00,0x21,0x00,0x00,0x01, - 0x20,0x00,0x00,0x00,0x21,0x00,0x00,0x01,0x20,0x00,0x00,0x00,0x21,0x00,0x00, - 0x00,0x20,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x01,0x00, - 0x00,0x00,0x40,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x02, - 0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x20,0x00,0x00,0x00, - 0x18,0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x70,0x00,0x00,0x00,0x10,0x00,0x00, - 0x00,0xc0,0xff,0xff,0xff,0x0f,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00}; diff --git a/crypto/heimdal-0.6.3/appl/xnlock/nose.0.right b/crypto/heimdal-0.6.3/appl/xnlock/nose.0.right deleted file mode 100644 index f387baa730..0000000000 --- a/crypto/heimdal-0.6.3/appl/xnlock/nose.0.right +++ /dev/null 
@@ -1,38 +0,0 @@ -#define nose_0_right_width 64 -#define nose_0_right_height 64 -static unsigned char nose_0_right_bits[] = { - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0xe0,0xff,0xff,0x03,0x00,0x00,0x00,0x00,0x20,0x00, - 0x00,0x02,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x20, - 0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x02,0x00,0x00,0x00,0x00, - 0x20,0x00,0x00,0x02,0x00,0x00,0x00,0xfc,0xff,0xff,0xff,0xff,0x1f,0x00,0x00, - 0x04,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x10,0x00, - 0x00,0xfc,0xff,0xff,0xff,0xff,0x1f,0x00,0x00,0x00,0x01,0x00,0x00,0xc0,0x0f, - 0x00,0x00,0x80,0x01,0x00,0x00,0x30,0x70,0x00,0x00,0x80,0x00,0x00,0x00,0x0c, - 0xc0,0x00,0x00,0x40,0x00,0x00,0x00,0x02,0x00,0x01,0x00,0x40,0x00,0x00,0x00, - 0x03,0x00,0x02,0x00,0x20,0x00,0x00,0x00,0x01,0x00,0x04,0x00,0x20,0x00,0x00, - 0x00,0x00,0x00,0x08,0x00,0x30,0x00,0x00,0x00,0x00,0x00,0x08,0x00,0x10,0x00, - 0x00,0x00,0x00,0x00,0x10,0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08, - 0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00, - 0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10, - 0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00, - 0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x08,0x00,0x18,0x00,0x00,0x80,0x00, - 0x00,0x08,0x00,0x10,0x00,0x00,0x80,0x00,0x00,0x04,0x00,0x10,0x00,0x00,0x00, - 0x01,0x00,0x02,0x00,0x30,0x00,0x00,0x00,0x02,0x00,0x01,0x00,0x20,0x00,0x00, - 0x00,0x04,0x80,0x00,0x00,0x60,0x00,0x00,0x00,0x18,0x60,0x00,0x00,0x40,0x00, - 0x00,0x00,0xe0,0x1f,0x00,0x00,0x80,0xff,0xff,0xff,0x1f,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xf0,0x1f,0x00,0x00,0x00,0x00,0x00, - 0x00,0x08,0x20,0x00,0xff,0x00,0x00,0x00,0x00,0x08,0xc0,0xc0,0x00,0x03,0x00, - 
0x00,0x00,0x04,0x80,0x30,0x00,0x0c,0x00,0x00,0x00,0x04,0x00,0x19,0x00,0x10, - 0x00,0x00,0x00,0x04,0x00,0x06,0xc0,0x30,0x00,0x00,0x00,0x04,0x00,0x03,0x00, - 0x43,0x00,0x00,0x00,0x04,0x00,0x01,0x00,0x42,0x00,0x00,0x00,0x04,0x80,0x00, - 0x00,0x84,0x00,0x00,0x00,0x04,0x80,0x00,0x00,0x84,0x00,0x00,0x00,0x04,0x00, - 0x00,0x00,0x84,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x80,0x00,0x00,0x00,0x02, - 0x00,0x00,0x00,0x80,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x40,0x00,0x00,0x00, - 0x02,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x20,0x00,0x00, - 0x00,0x04,0x00,0x00,0x00,0x18,0x00,0x00,0x00,0x08,0x00,0x00,0x00,0x0e,0x00, - 0x00,0x00,0xf0,0xff,0xff,0xff,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00}; diff --git a/crypto/heimdal-0.6.3/appl/xnlock/nose.1.left b/crypto/heimdal-0.6.3/appl/xnlock/nose.1.left deleted file mode 100644 index 8a6b829526..0000000000 --- a/crypto/heimdal-0.6.3/appl/xnlock/nose.1.left +++ /dev/null 
@@ -1,38 +0,0 @@ -#define nose_1_left_width 64 -#define nose_1_left_height 64 -static unsigned char nose_1_left_bits[] = { - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0xc0,0xff,0xff,0x07,0x00,0x00,0x00,0x00,0x40,0x00, - 0x00,0x04,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x40, - 0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x04,0x00,0x00,0x00,0x00, - 0x40,0x00,0x00,0x04,0x00,0x00,0x00,0xf8,0xff,0xff,0xff,0xff,0x3f,0x00,0x00, - 0x08,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x08,0x00,0x00,0x00,0x00,0x20,0x00, - 0x00,0xf8,0xff,0xff,0xff,0xff,0x3f,0x00,0x00,0xf0,0x03,0x00,0x00,0x80,0x00, - 0x00,0x00,0x0e,0x0c,0x00,0x00,0x80,0x01,0x00,0x00,0x03,0x30,0x00,0x00,0x00, - 0x01,0x00,0x80,0x00,0x40,0x00,0x00,0x00,0x02,0x00,0x40,0x00,0xc0,0x00,0x00, - 0x00,0x02,0x00,0x20,0x00,0x80,0x00,0x00,0x00,0x04,0x00,0x10,0x00,0x00,0x00, - 0x00,0x00,0x04,0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x0c,0x00,0x08,0x00,0x00, - 0x00,0x00,0x00,0x08,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x08,0x00,0x08,0x00, - 0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08, - 0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00, - 0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10, - 0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x10,0x00,0x00,0x01,0x00,0x00, - 0x18,0x00,0x10,0x00,0x00,0x01,0x00,0x00,0x08,0x00,0x20,0x00,0x80,0x00,0x00, - 0x00,0x08,0x00,0x40,0x00,0x40,0x00,0x00,0x00,0x0c,0x00,0x80,0x00,0x20,0x00, - 0x00,0x00,0xe4,0x00,0x00,0x03,0x18,0x00,0x00,0x00,0x26,0x03,0x00,0xfc,0x07, - 0x00,0x00,0x00,0x12,0x0c,0x00,0x00,0xf8,0xff,0xff,0xff,0x11,0x10,0x80,0x1f, - 0x00,0x00,0x00,0x00,0x08,0x20,0x60,0x60,0xc0,0x07,0x00,0x00,0x04,0x40,0x10, - 0xc0,0x20,0x08,0x00,0x1f,0x02,0x40,0x08,0x00,0x21,0x10,0xc0,0x60,0x02,0x40, - 
0x04,0x00,0x12,0x20,0x20,0x80,0x02,0x20,0xc2,0x00,0x14,0x40,0x18,0x00,0x03, - 0x20,0x22,0x00,0x0c,0x80,0x04,0x03,0x02,0x10,0x12,0x00,0x08,0x80,0x86,0x00, - 0x04,0x10,0x12,0x00,0x10,0x80,0x42,0x00,0x18,0x08,0x12,0x00,0x10,0x40,0x42, - 0x00,0x00,0x04,0x02,0x00,0x20,0x40,0x42,0x00,0x00,0x04,0x02,0x00,0x00,0x20, - 0x42,0x00,0x00,0x02,0x04,0x00,0x00,0x20,0x02,0x00,0x00,0x01,0x04,0x00,0x00, - 0x20,0x02,0x00,0x00,0x01,0x08,0x00,0x00,0x20,0x04,0x00,0x80,0x00,0x10,0x00, - 0x00,0x20,0x0c,0x00,0x80,0x00,0x60,0x00,0x00,0x10,0x08,0x00,0x40,0x00,0x80, - 0xff,0xff,0x0f,0x30,0x00,0x30,0x00,0x00,0x00,0x00,0x00,0xc0,0xff,0x0f,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00}; diff --git a/crypto/heimdal-0.6.3/appl/xnlock/nose.1.right b/crypto/heimdal-0.6.3/appl/xnlock/nose.1.right deleted file mode 100644 index f7c8962c02..0000000000 --- a/crypto/heimdal-0.6.3/appl/xnlock/nose.1.right +++ /dev/null 
@@ -1,38 +0,0 @@ -#define nose_1_right_width 64 -#define nose_1_right_height 64 -static unsigned char nose_1_right_bits[] = { - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0xe0,0xff,0xff,0x03,0x00,0x00,0x00,0x00,0x20,0x00, - 0x00,0x02,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x20, - 0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x02,0x00,0x00,0x00,0x00, - 0x20,0x00,0x00,0x02,0x00,0x00,0x00,0xfc,0xff,0xff,0xff,0xff,0x1f,0x00,0x00, - 0x04,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x10,0x00, - 0x00,0xfc,0xff,0xff,0xff,0xff,0x1f,0x00,0x00,0x00,0x01,0x00,0x00,0xc0,0x0f, - 0x00,0x00,0x80,0x01,0x00,0x00,0x30,0x70,0x00,0x00,0x80,0x00,0x00,0x00,0x0c, - 0xc0,0x00,0x00,0x40,0x00,0x00,0x00,0x02,0x00,0x01,0x00,0x40,0x00,0x00,0x00, - 0x03,0x00,0x02,0x00,0x20,0x00,0x00,0x00,0x01,0x00,0x04,0x00,0x20,0x00,0x00, - 0x00,0x00,0x00,0x08,0x00,0x30,0x00,0x00,0x00,0x00,0x00,0x08,0x00,0x10,0x00, - 0x00,0x00,0x00,0x00,0x10,0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08, - 0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00, - 0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10, - 0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00, - 0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x18,0x00,0x00,0x80,0x00, - 0x00,0x08,0x00,0x10,0x00,0x00,0x80,0x00,0x00,0x08,0x00,0x10,0x00,0x00,0x00, - 0x01,0x00,0x04,0x00,0x30,0x00,0x00,0x00,0x02,0x00,0x02,0x00,0x27,0x00,0x00, - 0x00,0x04,0x00,0x01,0xc0,0x64,0x00,0x00,0x00,0x18,0xc0,0x00,0x30,0x48,0x00, - 0x00,0x00,0xe0,0x3f,0x00,0x08,0x88,0xff,0xff,0xff,0x1f,0x00,0x00,0x04,0x10, - 0x00,0x00,0x00,0x00,0xf8,0x01,0x02,0x20,0x00,0x00,0xe0,0x03,0x06,0x06,0x02, - 0x40,0xf8,0x00,0x10,0x04,0x03,0x08,0x02,0x40,0x06,0x03,0x08,0x84,0x00,0x10, - 
0x04,0x40,0x01,0x04,0x04,0x48,0x00,0x20,0x04,0xc0,0x00,0x18,0x02,0x28,0x00, - 0x43,0x08,0x40,0xc0,0x20,0x01,0x30,0x00,0x44,0x08,0x20,0x00,0x61,0x01,0x10, - 0x00,0x48,0x10,0x18,0x00,0x42,0x01,0x08,0x00,0x48,0x20,0x00,0x00,0x42,0x02, - 0x08,0x00,0x48,0x20,0x00,0x00,0x42,0x02,0x04,0x00,0x40,0x40,0x00,0x00,0x42, - 0x04,0x00,0x00,0x40,0x80,0x00,0x00,0x40,0x04,0x00,0x00,0x20,0x80,0x00,0x00, - 0x40,0x04,0x00,0x00,0x20,0x00,0x01,0x00,0x20,0x04,0x00,0x00,0x10,0x00,0x01, - 0x00,0x30,0x04,0x00,0x00,0x08,0x00,0x02,0x00,0x10,0x08,0x00,0x00,0x06,0x00, - 0x0c,0x00,0x0c,0xf0,0xff,0xff,0x01,0x00,0xf0,0xff,0x03,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00}; diff --git a/crypto/heimdal-0.6.3/appl/xnlock/nose.down b/crypto/heimdal-0.6.3/appl/xnlock/nose.down deleted file mode 100644 index e8bdba4f45..0000000000 --- a/crypto/heimdal-0.6.3/appl/xnlock/nose.down +++ /dev/null 
@@ -1,38 +0,0 @@ -#define nose_down_width 64 -#define nose_down_height 64 -static unsigned char nose_down_bits[] = { - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0xfc,0xff,0x01,0x00,0x00,0x00,0x00,0xc0,0x03,0x00,0x1e,0x00, - 0x00,0x00,0x00,0x38,0x00,0x00,0xe0,0x00,0x00,0x00,0x00,0x06,0x00,0x00,0x00, - 0x03,0x00,0x00,0x80,0x01,0x00,0x00,0x00,0x04,0x00,0x00,0x40,0x00,0x00,0x00, - 0x00,0x08,0x00,0x00,0x20,0x00,0x00,0x00,0x00,0x30,0x00,0x00,0x10,0x00,0x80, - 0x1f,0x00,0x40,0x00,0x00,0x08,0x00,0x60,0x60,0x00,0x80,0x00,0x00,0x08,0x00, - 0x10,0x80,0x00,0x80,0x00,0x00,0x04,0x00,0x08,0x00,0x01,0x00,0x01,0x00,0x04, - 0x00,0x08,0x00,0x01,0x00,0x01,0x00,0x02,0x00,0x18,0x80,0x01,0x00,0x02,0x00, - 0x02,0x00,0x68,0x60,0x01,0x00,0x02,0x00,0x02,0x00,0x88,0x1f,0x01,0x00,0x02, - 0x00,0x02,0x00,0x08,0x00,0x01,0x00,0x02,0x00,0x02,0x00,0x10,0x80,0x00,0x00, - 0x03,0x00,0x06,0x00,0x60,0x60,0x00,0x80,0x02,0x00,0x0c,0x00,0x80,0x1f,0x00, - 0x40,0x01,0x00,0x14,0x00,0x00,0x00,0x00,0x20,0x01,0x00,0x28,0x00,0x00,0x00, - 0x00,0x90,0x00,0x00,0x50,0x00,0x00,0x00,0x00,0x48,0x00,0x00,0xa0,0x01,0x00, - 0x00,0x00,0x26,0x00,0x00,0x40,0x1e,0x00,0x00,0xc0,0x11,0x00,0x00,0x80,0xe1, - 0x03,0x00,0x3c,0x0c,0x00,0x00,0x00,0x0e,0xfc,0xff,0x83,0x03,0x00,0x00,0x00, - 0xf0,0x01,0x00,0x78,0x00,0x00,0x00,0x00,0x00,0xfe,0xff,0x0f,0x00,0x00,0x00, - 0x00,0x80,0x03,0x00,0x0c,0x00,0x00,0x00,0x00,0x80,0x02,0x00,0x14,0x00,0x00, - 
0x00,0x00,0x60,0x04,0x00,0x12,0x00,0x00,0xc0,0x7f,0x10,0x04,0x00,0x22,0xe0, - 0x01,0x70,0xc0,0x18,0x08,0x00,0x61,0x1c,0x06,0x10,0x00,0x0f,0x30,0xc0,0x80, - 0x07,0x08,0x08,0x00,0x06,0xc0,0x3f,0x80,0x01,0x08,0x08,0x00,0x18,0x00,0x02, - 0xc0,0x00,0x10,0x04,0x00,0x30,0x00,0x05,0x30,0x00,0x10,0x04,0x00,0x00,0x80, - 0x08,0x18,0x00,0x20,0x04,0x00,0x00,0x80,0x08,0x00,0x00,0x20,0x04,0x00,0x00, - 0x40,0x10,0x00,0x00,0x20,0x24,0x00,0x00,0x40,0x10,0x00,0x00,0x22,0x24,0x00, - 0x00,0x40,0x10,0x00,0x00,0x22,0x44,0x00,0x00,0x40,0x10,0x00,0x00,0x11,0x84, - 0x01,0x00,0xc0,0x18,0x00,0xc0,0x10,0x08,0x00,0x00,0x80,0x08,0x00,0x00,0x08, - 0x30,0x00,0x00,0x80,0x08,0x00,0x00,0x04,0xe0,0xff,0xff,0xff,0xf8,0xff,0xff, - 0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00}; diff --git a/crypto/heimdal-0.6.3/appl/xnlock/nose.front b/crypto/heimdal-0.6.3/appl/xnlock/nose.front deleted file mode 100644 index 64b82015c6..0000000000 --- a/crypto/heimdal-0.6.3/appl/xnlock/nose.front +++ /dev/null 
@@ -1,38 +0,0 @@ -#define nose_front_width 64 -#define nose_front_height 64 -static unsigned char nose_front_bits[] = { - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0xc0,0xff,0xff,0x07,0x00,0x00,0x00,0x00,0x40,0x00, - 0x00,0x04,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x40, - 0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x04,0x00,0x00,0x00,0x00, - 0x40,0x00,0x00,0x04,0x00,0x00,0x00,0xf8,0xff,0xff,0xff,0xff,0x3f,0x00,0x00, - 0x08,0x00,0xc0,0x1f,0x00,0x20,0x00,0x00,0x08,0x00,0x30,0x60,0x00,0x20,0x00, - 0x00,0xf8,0xff,0x0f,0x80,0xff,0x3f,0x00,0x00,0x00,0x02,0x02,0x00,0x82,0x00, - 0x00,0x00,0x00,0x03,0x01,0x00,0x84,0x01,0x00,0x00,0x00,0x81,0x00,0x00,0x08, - 0x01,0x00,0x00,0x80,0x80,0x00,0x00,0x08,0x02,0x00,0x00,0x80,0x40,0x00,0x00, - 0x10,0x02,0x00,0x00,0x40,0x40,0x00,0x00,0x10,0x04,0x00,0x00,0x40,0x20,0x00, - 0x00,0x20,0x04,0x00,0x00,0x60,0x20,0x00,0x00,0x20,0x0c,0x00,0x00,0x20,0x20, - 0x00,0x00,0x20,0x08,0x00,0x00,0x20,0x20,0x00,0x00,0x20,0x08,0x00,0x00,0x10, - 0x20,0x00,0x00,0x20,0x10,0x00,0x00,0x10,0x20,0x00,0x00,0x20,0x10,0x00,0x00, - 0x10,0x20,0x00,0x00,0x20,0x10,0x00,0x00,0x10,0x40,0x00,0x00,0x10,0x10,0x00, - 0x00,0x10,0x40,0x00,0x00,0x10,0x10,0x00,0x00,0x10,0x80,0x00,0x00,0x08,0x10, - 0x00,0x00,0x10,0x80,0x00,0x00,0x08,0x10,0x00,0x00,0x30,0x00,0x01,0x00,0x04, - 0x18,0x00,0x00,0x20,0x00,0x02,0x00,0x02,0x08,0x00,0x00,0x20,0x00,0x0c,0x80, - 0x01,0x08,0x00,0x00,0x60,0x00,0x30,0x60,0x00,0x0c,0x00,0x00,0x40,0x00,0xc0, - 0x1f,0x00,0x04,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x06,0x00,0x00,0x00,0x01, - 0x00,0x00,0x00,0x02,0x00,0x00,0x00,0xfe,0xff,0xff,0xff,0x01,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x80,0x0f,0xc0,0x0f,0x00,0x00,0x00, - 0x00,0x40,0x10,0x20,0x10,0x00,0x00,0x00,0x00,0x20,0x60,0x30,0x20,0x00,0x00, - 
0x00,0x00,0x20,0xc0,0x18,0x20,0x00,0x00,0xc0,0x7f,0x10,0x80,0x0d,0x40,0xe0, - 0x01,0x70,0xc0,0x18,0x00,0x05,0x40,0x1c,0x06,0x10,0x00,0x0f,0x00,0x05,0x80, - 0x07,0x08,0x08,0x00,0x06,0x00,0x05,0x80,0x01,0x08,0x08,0x00,0x18,0x00,0x05, - 0xc0,0x00,0x10,0x04,0x00,0x30,0x00,0x05,0x30,0x00,0x10,0x04,0x00,0x00,0x80, - 0x08,0x18,0x00,0x20,0x04,0x00,0x00,0x80,0x08,0x00,0x00,0x20,0x04,0x00,0x00, - 0x40,0x10,0x00,0x00,0x20,0x24,0x00,0x00,0x40,0x10,0x00,0x00,0x22,0x24,0x00, - 0x00,0x40,0x10,0x00,0x00,0x22,0x44,0x00,0x00,0x40,0x10,0x00,0x00,0x11,0x84, - 0x01,0x00,0xc0,0x18,0x00,0xc0,0x10,0x08,0x00,0x00,0x80,0x08,0x00,0x00,0x08, - 0x30,0x00,0x00,0x80,0x08,0x00,0x00,0x04,0xe0,0xff,0xff,0xff,0xf8,0xff,0xff, - 0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00}; diff --git a/crypto/heimdal-0.6.3/appl/xnlock/nose.left.front b/crypto/heimdal-0.6.3/appl/xnlock/nose.left.front deleted file mode 100644 index 3a871eaaa1..0000000000 --- a/crypto/heimdal-0.6.3/appl/xnlock/nose.left.front +++ /dev/null 
@@ -1,38 +0,0 @@ -#define nose_left_front_width 64 -#define nose_left_front_height 64 -static unsigned char nose_left_front_bits[] = { - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0xc0,0xff,0xff,0x07,0x00,0x00,0x00,0x00,0x40,0x00, - 0x00,0x04,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x40, - 0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x04,0x00,0x00,0x00,0x00, - 0x40,0x00,0x00,0x04,0x00,0x00,0x00,0xf8,0xff,0xff,0xff,0xff,0x3f,0x00,0x00, - 0x08,0x00,0xe0,0x0f,0x00,0x20,0x00,0x00,0x08,0x00,0x18,0x30,0x00,0x20,0x00, - 0x00,0xf8,0xff,0x07,0xc0,0xff,0x3f,0x00,0x00,0x00,0x02,0x01,0x00,0x81,0x00, - 0x00,0x00,0x00,0x83,0x00,0x00,0x82,0x01,0x00,0x00,0x00,0x41,0x00,0x00,0x04, - 0x01,0x00,0x00,0x80,0x40,0x00,0x00,0x04,0x02,0x00,0x00,0x80,0x20,0x00,0x00, - 0x08,0x02,0x00,0x00,0x40,0x20,0x00,0x00,0x08,0x04,0x00,0x00,0x40,0x10,0x00, - 0x00,0x10,0x04,0x00,0x00,0x60,0x10,0x00,0x00,0x10,0x0c,0x00,0x00,0x20,0x10, - 0x00,0x00,0x10,0x08,0x00,0x00,0x30,0x10,0x00,0x00,0x10,0x08,0x00,0x00,0x10, - 0x10,0x00,0x00,0x10,0x10,0x00,0x00,0x10,0x10,0x00,0x00,0x10,0x10,0x00,0x00, - 0x10,0x10,0x00,0x00,0x10,0x10,0x00,0x00,0x10,0x20,0x00,0x00,0x08,0x10,0x00, - 0x00,0x10,0x20,0x00,0x00,0x08,0x10,0x00,0x00,0x10,0x40,0x00,0x00,0x04,0x10, - 0x00,0x00,0x30,0x40,0x00,0x00,0x04,0x10,0x00,0x00,0x20,0x80,0x00,0x00,0x02, - 0x18,0x00,0x00,0x20,0x00,0x01,0x00,0x01,0x08,0x00,0x00,0x60,0x00,0x06,0xc0, - 0x00,0x08,0x00,0x00,0x80,0x00,0x18,0x30,0x00,0x0c,0x00,0x00,0x80,0x00,0xe0, - 0x0f,0x00,0x04,0x00,0x00,0x80,0x01,0x00,0x00,0x00,0x06,0x00,0x00,0x00,0x01, - 0x00,0x00,0x00,0x02,0x00,0x00,0x00,0xfe,0xff,0xff,0xff,0x01,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xf8,0x0f,0x00,0x00,0x00, - 
0x00,0xff,0x00,0x04,0x10,0x00,0x00,0x00,0xe0,0x00,0x07,0x02,0x10,0x00,0x00, - 0x00,0x30,0x00,0x8c,0x01,0x20,0x00,0x00,0x00,0x0c,0x00,0x90,0x00,0x20,0x00, - 0x00,0x00,0x04,0x03,0x60,0x00,0x20,0x00,0x00,0x00,0xc2,0x00,0xc0,0x00,0x20, - 0x00,0x00,0x00,0x42,0x00,0x00,0x01,0x20,0x00,0x00,0x00,0x21,0x00,0x00,0x02, - 0x20,0x00,0x00,0x00,0x21,0x00,0x00,0x06,0x20,0x00,0x00,0x00,0x21,0x00,0x00, - 0x00,0x20,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x03,0x00, - 0x00,0x00,0x40,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x02, - 0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x20,0x00,0x00,0x00, - 0x18,0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x70,0x00,0x00,0x00,0x10,0x00,0x00, - 0x00,0xc0,0xff,0xff,0xff,0x0f,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00}; diff --git a/crypto/heimdal-0.6.3/appl/xnlock/nose.right.front b/crypto/heimdal-0.6.3/appl/xnlock/nose.right.front deleted file mode 100644 index f8214174e8..0000000000 --- a/crypto/heimdal-0.6.3/appl/xnlock/nose.right.front +++ /dev/null 
@@ -1,38 +0,0 @@ -#define nose_right_front_width 64 -#define nose_right_front_height 64 -static unsigned char nose_right_front_bits[] = { - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0xe0,0xff,0xff,0x03,0x00,0x00,0x00,0x00,0x20,0x00, - 0x00,0x02,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x20, - 0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x02,0x00,0x00,0x00,0x00, - 0x20,0x00,0x00,0x02,0x00,0x00,0x00,0xfc,0xff,0xff,0xff,0xff,0x1f,0x00,0x00, - 0x04,0x00,0xf0,0x07,0x00,0x10,0x00,0x00,0x04,0x00,0x0c,0x18,0x00,0x10,0x00, - 0x00,0xfc,0xff,0x03,0xe0,0xff,0x1f,0x00,0x00,0x00,0x81,0x00,0x80,0x40,0x00, - 0x00,0x00,0x80,0x41,0x00,0x00,0xc1,0x00,0x00,0x00,0x80,0x20,0x00,0x00,0x82, - 0x00,0x00,0x00,0x40,0x20,0x00,0x00,0x02,0x01,0x00,0x00,0x40,0x10,0x00,0x00, - 0x04,0x01,0x00,0x00,0x20,0x10,0x00,0x00,0x04,0x02,0x00,0x00,0x20,0x08,0x00, - 0x00,0x08,0x02,0x00,0x00,0x30,0x08,0x00,0x00,0x08,0x06,0x00,0x00,0x10,0x08, - 0x00,0x00,0x08,0x04,0x00,0x00,0x10,0x08,0x00,0x00,0x08,0x0c,0x00,0x00,0x08, - 0x08,0x00,0x00,0x08,0x08,0x00,0x00,0x08,0x08,0x00,0x00,0x08,0x08,0x00,0x00, - 0x08,0x08,0x00,0x00,0x08,0x08,0x00,0x00,0x08,0x10,0x00,0x00,0x04,0x08,0x00, - 0x00,0x08,0x10,0x00,0x00,0x04,0x08,0x00,0x00,0x08,0x20,0x00,0x00,0x02,0x08, - 0x00,0x00,0x08,0x20,0x00,0x00,0x02,0x0c,0x00,0x00,0x18,0x40,0x00,0x00,0x01, - 0x04,0x00,0x00,0x10,0x80,0x00,0x80,0x00,0x04,0x00,0x00,0x10,0x00,0x03,0x60, - 0x00,0x06,0x00,0x00,0x30,0x00,0x0c,0x18,0x00,0x01,0x00,0x00,0x20,0x00,0xf0, - 0x07,0x00,0x01,0x00,0x00,0x60,0x00,0x00,0x00,0x80,0x01,0x00,0x00,0x40,0x00, - 0x00,0x00,0x80,0x00,0x00,0x00,0x80,0xff,0xff,0xff,0x7f,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xf0,0x1f,0x00,0x00,0x00,0x00,0x00, - 
0x00,0x08,0x20,0x00,0xff,0x00,0x00,0x00,0x00,0x08,0x40,0xe0,0x00,0x07,0x00, - 0x00,0x00,0x04,0x80,0x31,0x00,0x0c,0x00,0x00,0x00,0x04,0x00,0x09,0x00,0x30, - 0x00,0x00,0x00,0x04,0x00,0x06,0xc0,0x20,0x00,0x00,0x00,0x04,0x00,0x03,0x00, - 0x43,0x00,0x00,0x00,0x04,0x80,0x00,0x00,0x42,0x00,0x00,0x00,0x04,0x40,0x00, - 0x00,0x84,0x00,0x00,0x00,0x04,0x60,0x00,0x00,0x84,0x00,0x00,0x00,0x04,0x00, - 0x00,0x00,0x84,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x80,0x00,0x00,0x00,0x02, - 0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x40,0x00,0x00,0x00, - 0x02,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x20,0x00,0x00, - 0x00,0x04,0x00,0x00,0x00,0x18,0x00,0x00,0x00,0x08,0x00,0x00,0x00,0x0e,0x00, - 0x00,0x00,0xf0,0xff,0xff,0xff,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00}; diff --git a/crypto/heimdal-0.6.3/appl/xnlock/xnlock.1 b/crypto/heimdal-0.6.3/appl/xnlock/xnlock.1 deleted file mode 100644 index c62417d062..0000000000 --- a/crypto/heimdal-0.6.3/appl/xnlock/xnlock.1 +++ /dev/null 
@@ -1,123 +0,0 @@
-.\" xnlock -- Dan Heller 1985
-.TH XNLOCK 1L "19 April 1990"
-.SH NAME
-xnlock \- amusing lock screen program with message for passers-by
-.SH SYNOPSIS
-.B xnlock
-[
-\fIoptions\fP
-]
-[
-\fImessage\fP
-]
-.SH DESCRIPTION
-.I xnlock
-is a program that acts as a screen saver for workstations running X11.
-It also "locks" the screen such that the workstation can be left
-unattended without worry that someone else will walk up to it and
-mess everything up. When \fIxnlock\fP is running, a little man with
-a big nose and a hat runs around spewing out messages to the screen.
-By default, the messages are "humorous", but that depends on your
-sense of humor.
-.LP
-If a key or mouse button is pressed, a prompt is printed requesting the
-user's password. If a RETURN is not typed within 30 seconds,
-the little man resumes running around.
-.LP
-Text on the command line is used as the message. For example:
-.br
- % xnlock I\'m out to lunch for a couple of hours.
-.br
-Note the need to quote shell metacharacters.
-.LP
-In the absence of flags or text, \fIxnlock\fP displays random fortunes.
-.SH OPTIONS
-Command line options override all resource specifications.
-All arguments that are not associated with a command line option
-is taken to be message text that the little man will "say" every
-once in a while. The resource \fBxnlock.text\fP may be set to
-a string.
-.TP
-.BI \-fn " fontname"
-The default font is the first 18 point font in the \fInew century schoolbook\fP
-family. While larger fonts are recokmmended over smaller ones, any font
-in the server's font list will work. The resource to use for this option
-is \fBxnlock.font\fP.
-.TP
-.BI \-filename " filename"
-Take the message to be displayed from the file \fIfilename\fP.
-If \fIfilename\fP is not specified, \fI$HOME/.msgfile\fP is used.
-If the contents of the file are changed during runtime, the most recent text
-of the file is used (allowing the displayed message to be altered remotely).
-Carriage returns within the text are allowed, but tabs or other control
-characters are not translated and should not be used.
-The resource available for this option is \fBxnlock.file\fP.
-.TP
-.BI \-ar
-Accept root's password to unlock screen. This option is true by
-default. The reason for this is so that someone's screen may be
-unlocked by autorized users in case of emergency and the person
-running the program is still out to lunch. The resource available
-for specifying this option is \fBxnlock.acceptRootPasswd\fP.
-.TP
-.BI \-noar
-Don't accept root's password. This option is for paranoids who
-fear their peers might breakin using root's password and remove
-their files anyway. Specifying this option on the command line
-overrides the \fBxnlock.acceptRootPasswd\fP if set to True.
-.TP
-.BI \-ip
-Ignore password prompt.
-The resource available for this option is \fBxnlock.ignorePasswd\fP.
-.TP
-.BI \-noip
-Don't ignore password prompt. This is available in order to
-override the resource \fBignorePasswd\fP if set to True.
-.TP
-.BI -fg " color"
-Specifies the foreground color. The resource available for this
-is \fBxnlock.foreground\fP.
-.TP
-.BI -bg " color"
-Specifies the background color. The resource available for this
-is \fBxnlock.background\fP.
-.TP
-.BI \-rv
-Reverse the foreground and background colors.
-The resource for this is \fBxvnlock.reverseVideo\fP.
-.TP
-.BI \-norv
-Don't use reverse video. This is available to override the reverseVideo
-resource if set to True.
-.TP
-.BI \-prog " program"
-Receive message text from the running program \fIprogram\fP. If there
-are arguments to \fIprogram\fP, encase them with the name of the program in
-quotes (e.g. xnlock -t "fortune -o").
-The resource for this is \fBxnlock.program\fP.
-.SH RESOURCES
-.br
-xnlock.font: fontname
-.br
-xnlock.foreground: color
-.br
-xnlock.background: color
-.br
-xnlock.reverseVideo: True/False
-.br
-xnlock.text: Some random text string
-.br
-xnlock.program: program [args]
-.br
-xnlock.ignorePasswd: True/False
-.br
-xnlock.acceptRootPasswd: True/False
-.SH FILES
-\fIxnlock\fP executable file
-.br
-~/.msgfile default message file
-.SH AUTHOR
-Dan Heller Copyright (c) 1985, 1990.
-.br
-The original version of this program was written using pixrects on
-a Sun 2 running SunOS 1.1.
diff --git a/crypto/heimdal-0.6.3/appl/xnlock/xnlock.c b/crypto/heimdal-0.6.3/appl/xnlock/xnlock.c
deleted file mode 100644
index 84bba72f35..0000000000
--- a/crypto/heimdal-0.6.3/appl/xnlock/xnlock.c
+++ /dev/null
@@ -1,1145 +0,0 @@ -/* - * xnlock -- Dan Heller, 1990 - * "nlock" is a "new lockscreen" type program... something that prevents - * screen burnout by making most of it "black" while providing something - * of interest to be displayed in case anyone is watching. - * "xnlock" is the X11 version of the program. - * Original sunview version written by Dan Heller 1985 (not included here). - */ -#ifdef HAVE_CONFIG_H -#include -RCSID("$Id: xnlock.c,v 1.93.2.4 2004/09/08 09:16:00 joda Exp $"); -#endif - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#ifdef strerror -#undef strerror -#endif -#include -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_PWD_H -#include -#endif -#ifdef HAVE_CRYPT_H -#undef des_encrypt -#define des_encrypt wingless_pigs_mostly_fail_to_fly -#include -#undef des_encrypt -#endif - -#ifdef KRB5 -#include -#endif -#ifdef KRB4 -#include -#endif -#if defined(KRB4) || defined(KRB5) -#include -#endif - -#include -#include - -static char login[16]; -static char userprompt[128]; -#ifdef KRB4 -static char name[ANAME_SZ]; -static char inst[INST_SZ]; -static char realm[REALM_SZ]; -#endif -#ifdef KRB5 -static krb5_context context; -static krb5_principal client; -#endif - -#define font_height(font) (font->ascent + font->descent) - -static char *SPACE_STRING = " "; -static char STRING[] = "****************"; - -#define STRING_LENGTH (sizeof(STRING)) -#define MAX_PASSWD_LENGTH 256 -/* (sizeof(STRING)) */ - -#define PROMPT "Password: " -#define FAIL_MSG "Sorry, try again" -#define LEFT 001 -#define RIGHT 002 -#define DOWN 004 -#define UP 010 -#define FRONT 020 -#define X_INCR 3 -#define Y_INCR 2 -#define XNLOCK_CTRL 1 -#define XNLOCK_NOCTRL 0 - -static XtAppContext app; -static Display *dpy; -static unsigned short Width, Height; -static Widget widget; -static GC gc; -static XtIntervalId timeout_id; -static char *words; -static int x, y; -static Pixel Black, White; -static XFontStruct *font; -static char 
root_cpass[128]; -static char user_cpass[128]; -static int time_left, prompt_x, prompt_y, time_x, time_y; -static unsigned long interval; -static Pixmap left0, left1, right0, right1, left_front, - right_front, front, down; - -#define MAXLINES 40 - -#define IS_MOVING 1 -#define GET_PASSWD 2 -static int state; /* indicates states: walking or getting passwd */ - -static int ALLOW_LOGOUT = (60*10); /* Allow logout after nn seconds */ -#define LOGOUT_PASSWD "enuHDmTo5Lq4g" /* when given password "LOGOUT" */ -static time_t locked_at; - -struct appres_t { - Pixel bg; - Pixel fg; - XFontStruct *font; - Boolean ignore_passwd; - Boolean do_reverse; - Boolean accept_root; - char *text, *text_prog, *file, *logoutPasswd; - Boolean no_screensaver; - Boolean destroytickets; -} appres; - -static XtResource resources[] = { - { XtNbackground, XtCBackground, XtRPixel, sizeof(Pixel), - XtOffsetOf(struct appres_t, bg), XtRString, "black" }, - - { XtNforeground, XtCForeground, XtRPixel, sizeof(Pixel), - XtOffsetOf(struct appres_t, fg), XtRString, "white" }, - - { XtNfont, XtCFont, XtRFontStruct, sizeof (XFontStruct *), - XtOffsetOf(struct appres_t, font), - XtRString, "-*-new century schoolbook-*-*-*-18-*" }, - - { "ignorePasswd", "IgnorePasswd", XtRBoolean, sizeof(Boolean), - XtOffsetOf(struct appres_t,ignore_passwd),XtRImmediate,(XtPointer)False }, - - { "acceptRootPasswd", "AcceptRootPasswd", XtRBoolean, sizeof(Boolean), - XtOffsetOf(struct appres_t, accept_root), XtRImmediate, (XtPointer)True }, - - { "text", "Text", XtRString, sizeof(String), - XtOffsetOf(struct appres_t, text), XtRString, "I'm out running around." 
}, - - { "program", "Program", XtRString, sizeof(String), - XtOffsetOf(struct appres_t, text_prog), XtRImmediate, NULL }, - - { "file", "File", XtRString, sizeof(String), - XtOffsetOf(struct appres_t,file), XtRImmediate, NULL }, - - { "logoutPasswd", "logoutPasswd", XtRString, sizeof(String), - XtOffsetOf(struct appres_t, logoutPasswd), XtRString, LOGOUT_PASSWD }, - - { "noScreenSaver", "NoScreenSaver", XtRBoolean, sizeof(Boolean), - XtOffsetOf(struct appres_t,no_screensaver), XtRImmediate, (XtPointer)True }, - - { "destroyTickets", "DestroyTickets", XtRBoolean, sizeof(Boolean), - XtOffsetOf(struct appres_t,destroytickets), XtRImmediate, (XtPointer)True }, -}; - -static XrmOptionDescRec options[] = { - { "-fg", ".foreground", XrmoptionSepArg, NULL }, - { "-foreground", ".foreground", XrmoptionSepArg, NULL }, - { "-fn", ".font", XrmoptionSepArg, NULL }, - { "-font", ".font", XrmoptionSepArg, NULL }, - { "-ip", ".ignorePasswd", XrmoptionNoArg, "True" }, - { "-noip", ".ignorePasswd", XrmoptionNoArg, "False" }, - { "-ar", ".acceptRootPasswd", XrmoptionNoArg, "True" }, - { "-noar", ".acceptRootPasswd", XrmoptionNoArg, "False" }, - { "-nonoscreensaver", ".noScreenSaver", XrmoptionNoArg, "False" }, - { "-nodestroytickets", ".destroyTickets", XrmoptionNoArg, "False" }, -}; - -static char* -get_words(void) -{ - FILE *pp = NULL; - static char buf[512]; - long n; - - if (appres.text_prog) { - pp = popen(appres.text_prog, "r"); - if (!pp) { - warn("popen %s", appres.text_prog); - return appres.text; - } - n = fread(buf, 1, sizeof(buf) - 1, pp); - buf[n] = 0; - pclose(pp); - return buf; - } - if (appres.file) { - pp = fopen(appres.file, "r"); - if (!pp) { - warn("fopen %s", appres.file); - return appres.text; - } - n = fread(buf, 1, sizeof(buf) - 1, pp); - buf[n] = 0; - fclose(pp); - return buf; - } - - return appres.text; -} - -static void -usage(void) -{ - fprintf(stderr, "usage: %s [options] [message]\n", getprogname()); - fprintf(stderr, "-fg color foreground color\n"); - 
fprintf(stderr, "-bg color background color\n"); - fprintf(stderr, "-rv reverse foreground/background colors\n"); - fprintf(stderr, "-nrv no reverse video\n"); - fprintf(stderr, "-ip ignore passwd\n"); - fprintf(stderr, "-nip don't ignore passwd\n"); - fprintf(stderr, "-ar accept root's passwd to unlock\n"); - fprintf(stderr, "-nar don't accept root's passwd\n"); - fprintf(stderr, "-f [file] message is read from file or ~/.msgfile\n"); - fprintf(stderr, "-prog program text is gotten from executing `program'\n"); - fprintf(stderr, "-nodestroytickets keep kerberos tickets\n"); - exit(1); -} - -static void -init_words (int argc, char **argv) -{ - int i = 0; - - while(argv[i]) { - if(strcmp(argv[i], "-p") == 0 - || strcmp(argv[i], "-prog") == 0) { - i++; - if(argv[i]) { - appres.text_prog = argv[i]; - i++; - } else { - warnx ("-p requires an argument"); - usage(); - } - } else if(strcmp(argv[i], "-f") == 0) { - i++; - if(argv[i]) { - appres.file = argv[i]; - i++; - } else { - asprintf (&appres.file, - "%s/.msgfile", getenv("HOME")); - if (appres.file == NULL) - errx (1, "cannot allocate memory for message"); - } - } else if(strcmp(argv[i], "--version") == 0) { - print_version(NULL); - exit(0); - } else { - int j; - int len = 1; - for(j = i; argv[j]; j++) - len += strlen(argv[j]) + 1; - appres.text = malloc(len); - if (appres.text == NULL) - errx (1, "cannot allocate memory for message"); - appres.text[0] = 0; - for(; i < j; i++){ - strlcat(appres.text, argv[i], len); - strlcat(appres.text, " ", len); - } - } - } -} - -static void -ScreenSaver(int save) -{ - static int timeout, interval, prefer_blank, allow_exp; - if(!appres.no_screensaver){ - if (save) { - XGetScreenSaver(dpy, &timeout, &interval, - &prefer_blank, &allow_exp); - XSetScreenSaver(dpy, 0, interval, prefer_blank, allow_exp); - } else - /* restore state */ - XSetScreenSaver(dpy, timeout, interval, prefer_blank, allow_exp); - } -} - -/* Forward decls necessary */ -static void talk(int force_erase); -static 
unsigned long look(void); - -static int -zrefresh(void) -{ - switch (fork()) { - case -1: - warn ("zrefresh: fork"); - return -1; - case 0: - /* Child */ - execlp("zrefresh", "zrefresh", 0); - execl(BINDIR "/zrefresh", "zrefresh", 0); - return -1; - default: - /* Parent */ - break; - } - return 0; -} - -static void -leave(void) -{ - XUngrabPointer(dpy, CurrentTime); - XUngrabKeyboard(dpy, CurrentTime); - ScreenSaver(0); - XCloseDisplay(dpy); - zrefresh(); - exit(0); -} - -static void -walk(int dir) -{ - int incr = 0; - static int lastdir; - static int up = 1; - static Pixmap frame; - - XSetForeground(dpy, gc, White); - XSetBackground(dpy, gc, Black); - if (dir & (LEFT|RIGHT)) { /* left/right movement (mabye up/down too) */ - up = -up; /* bouncing effect (even if hit a wall) */ - if (dir & LEFT) { - incr = X_INCR; - frame = (up < 0) ? left0 : left1; - } else { - incr = -X_INCR; - frame = (up < 0) ? right0 : right1; - } - if ((lastdir == FRONT || lastdir == DOWN) && dir & UP) { - /* workaround silly bug that leaves screen dust when - * guy is facing forward or down and moves up-left/right. - */ - XCopyPlane(dpy, frame, XtWindow(widget), gc, 0, 0, 64,64, x, y, 1L); - XFlush(dpy); - } - /* note that maybe neither UP nor DOWN is set! 
*/ - if (dir & UP && y > Y_INCR) - y -= Y_INCR; - else if (dir & DOWN && y < (int)Height - 64) - y += Y_INCR; - } - /* Explicit up/down movement only (no left/right) */ - else if (dir == UP) - XCopyPlane(dpy, front, XtWindow(widget), gc, - 0,0, 64,64, x, y -= Y_INCR, 1L); - else if (dir == DOWN) - XCopyPlane(dpy, down, XtWindow(widget), gc, - 0,0, 64,64, x, y += Y_INCR, 1L); - else if (dir == FRONT && frame != front) { - if (up > 0) - up = -up; - if (lastdir & LEFT) - frame = left_front; - else if (lastdir & RIGHT) - frame = right_front; - else - frame = front; - XCopyPlane(dpy, frame, XtWindow(widget), gc, 0, 0, 64,64, x, y, 1L); - } - if (dir & LEFT) - while(--incr >= 0) { - XCopyPlane(dpy, frame, XtWindow(widget), gc, - 0,0, 64,64, --x, y+up, 1L); - XFlush(dpy); - } - else if (dir & RIGHT) - while(++incr <= 0) { - XCopyPlane(dpy, frame, XtWindow(widget), gc, - 0,0, 64,64, ++x, y+up, 1L); - XFlush(dpy); - } - lastdir = dir; -} - -static long -my_random (void) -{ -#ifdef HAVE_RANDOM - return random(); -#else - return rand(); -#endif -} - -static int -think(void) -{ - if (my_random() & 1) - walk(FRONT); - if (my_random() & 1) { - words = get_words(); - return 1; - } - return 0; -} - -static void -move(XtPointer _p, XtIntervalId *_id) -{ - static int length, dir; - - if (!length) { - int tries = 0; - dir = 0; - if ((my_random() & 1) && think()) { - talk(0); /* sets timeout to itself */ - return; - } - if (!(my_random() % 3) && (interval = look())) { - timeout_id = XtAppAddTimeOut(app, interval, move, NULL); - return; - } - interval = 20 + my_random() % 100; - do { - if (!tries) - length = Width/100 + my_random() % 90, tries = 8; - else - tries--; - switch (my_random() % 8) { - case 0: - if (x - X_INCR*length >= 5) - dir = LEFT; - case 1: - if (x + X_INCR*length <= (int)Width - 70) - dir = RIGHT; - case 2: - if (y - (Y_INCR*length) >= 5) - dir = UP, interval = 40; - case 3: - if (y + Y_INCR*length <= (int)Height - 70) - dir = DOWN, interval = 20; - case 4: - if (x - 
X_INCR*length >= 5 && y - (Y_INCR*length) >= 5) - dir = (LEFT|UP); - case 5: - if (x + X_INCR * length <= (int)Width - 70 && - y-Y_INCR * length >= 5) - dir = (RIGHT|UP); - case 6: - if (x - X_INCR * length >= 5 && - y + Y_INCR * length <= (int)Height - 70) - dir = (LEFT|DOWN); - case 7: - if (x + X_INCR*length <= (int)Width - 70 && - y + Y_INCR*length <= (int)Height - 70) - dir = (RIGHT|DOWN); - } - } while (!dir); - } - walk(dir); - --length; - timeout_id = XtAppAddTimeOut(app, interval, move, NULL); -} - -static void -post_prompt_box(Window window) -{ - int width = (Width / 3); - int height = font_height(font) * 6; - int box_x, box_y; - - /* make sure the entire nose icon fits in the box */ - if (height < 100) - height = 100; - - if(width < 105 + font->max_bounds.width*STRING_LENGTH) - width = 105 + font->max_bounds.width*STRING_LENGTH; - box_x = (Width - width) / 2; - time_x = prompt_x = box_x + 105; - - time_y = prompt_y = Height / 2; - box_y = prompt_y - 3 * font_height(font); - - /* erase current guy -- text message may still exist */ - XSetForeground(dpy, gc, Black); - XFillRectangle(dpy, window, gc, x, y, 64, 64); - talk(1); /* forcefully erase message if one is being displayed */ - /* Clear area in middle of screen for prompt box */ - XSetForeground(dpy, gc, White); - XFillRectangle(dpy, window, gc, box_x, box_y, width, height); - - /* make a box that's 5 pixels thick. 
Then add a thin box inside it */ - XSetForeground(dpy, gc, Black); - XSetLineAttributes(dpy, gc, 5, 0, 0, 0); - XDrawRectangle(dpy, window, gc, box_x+5, box_y+5, width-10, height-10); - XSetLineAttributes(dpy, gc, 0, 0, 0, 0); - XDrawRectangle(dpy, window, gc, box_x+12, box_y+12, width-23, height-23); - - XDrawString(dpy, window, gc, - prompt_x, prompt_y-font_height(font), - userprompt, strlen(userprompt)); - XDrawString(dpy, window, gc, prompt_x, prompt_y, PROMPT, strlen(PROMPT)); - /* set background for copyplane and DrawImageString; need reverse video */ - XSetBackground(dpy, gc, White); - XCopyPlane(dpy, right0, window, gc, 0,0, 64,64, - box_x + 20, box_y + (height - 64)/2, 1L); - prompt_x += XTextWidth(font, PROMPT, strlen(PROMPT)); - time_y += 2*font_height(font); -} - -static void -RaiseWindow(Widget w, XEvent *ev, String *s, Cardinal *n) -{ - Widget x; - if(!XtIsRealized(w)) - return; - x = XtParent(w); - XRaiseWindow(dpy, XtWindow(x)); -} - - -static void -ClearWindow(Widget w, XEvent *_event, String *_s, Cardinal *_n) -{ - XExposeEvent *event = (XExposeEvent *)_event; - if (!XtIsRealized(w)) - return; - XClearArea(dpy, XtWindow(w), event->x, event->y, - event->width, event->height, False); - if (state == GET_PASSWD) - post_prompt_box(XtWindow(w)); - if (timeout_id == 0 && event->count == 0) { - timeout_id = XtAppAddTimeOut(app, 1000L, move, NULL); - /* first grab the input focus */ - XSetInputFocus(dpy, XtWindow(w), RevertToPointerRoot, CurrentTime); - /* now grab the pointer and keyboard and contrain to this window */ - XGrabPointer(dpy, XtWindow(w), TRUE, 0, GrabModeAsync, - GrabModeAsync, XtWindow(w), None, CurrentTime); - } -} - -static void -countdown(XtPointer _t, XtIntervalId *_d) -{ - int *timeout = (int *)_t; - char buf[128]; - time_t seconds; - - if (--(*timeout) < 0) { - XExposeEvent event; - XtRemoveTimeOut(timeout_id); - state = IS_MOVING; - event.x = event.y = 0; - event.width = Width, event.height = Height; - ClearWindow(widget, (XEvent 
*)&event, 0, 0); - timeout_id = XtAppAddTimeOut(app, 200L, move, NULL); - return; - } - seconds = time(0) - locked_at; - if (seconds >= 3600) - snprintf(buf, sizeof(buf), - "Locked for %d:%02d:%02d ", - (int)seconds/3600, (int)seconds/60%60, (int)seconds%60); - else - snprintf(buf, sizeof(buf), - "Locked for %2d:%02d ", - (int)seconds/60, (int)seconds%60); - - XDrawImageString(dpy, XtWindow(widget), gc, - time_x, time_y, buf, strlen(buf)); - XtAppAddTimeOut(app, 1000L, countdown, timeout); - return; -} - -#ifdef KRB5 -static int -verify_krb5(const char *password) -{ - krb5_error_code ret; - krb5_ccache id; - krb5_boolean get_v4_tgt; - - krb5_cc_default(context, &id); - ret = krb5_verify_user(context, - client, - id, - password, - 0, - NULL); - if (ret == 0){ -#ifdef KRB4 - krb5_appdefault_boolean(context, "xnlock", - krb5_principal_get_realm(context, client), - "krb4_get_tickets", FALSE, &get_v4_tgt); - if(get_v4_tgt) { - CREDENTIALS c; - krb5_creds mcred, cred; - - krb5_make_principal(context, &mcred.server, - client->realm, - "krbtgt", - client->realm, - NULL); - ret = krb5_cc_retrieve_cred(context, id, 0, &mcred, &cred); - if(ret == 0) { - ret = krb524_convert_creds_kdc_ccache(context, id, &cred, &c); - if(ret == 0) - tf_setup(&c, c.pname, c.pinst); - memset(&c, 0, sizeof(c)); - krb5_free_creds_contents(context, &cred); - } - krb5_free_principal(context, mcred.server); - } -#endif - if (k_hasafs()) - krb5_afslog(context, id, NULL, NULL); - return 0; - } - if (ret != KRB5KRB_AP_ERR_MODIFIED) - krb5_warn(context, ret, "verify_krb5"); - - return -1; -} -#endif - -static int -verify(char *password) -{ - /* - * First try with root password, if allowed. 
- */ - if ( appres.accept_root - && strcmp(crypt(password, root_cpass), root_cpass) == 0) - return 0; - - /* - * Password that log out user - */ - if (getuid() != 0 && - geteuid() != 0 && - (time(0) - locked_at) > ALLOW_LOGOUT && - strcmp(crypt(password, appres.logoutPasswd), appres.logoutPasswd) == 0) - { - signal(SIGHUP, SIG_IGN); - kill(-1, SIGHUP); - sleep(5); - /* If the X-server shut down then so will we, else - * continue */ - signal(SIGHUP, SIG_DFL); - } - - /* - * Try copy of users password. - */ - if (strcmp(crypt(password, user_cpass), user_cpass) == 0) - return 0; - - /* - * Try to verify as user in case password change. - */ - if (unix_verify_user(login, password) == 0) - return 0; - -#ifdef KRB5 - /* - * Try to verify as user with kerberos 5. - */ - if(verify_krb5(password) == 0) - return 0; -#endif - -#ifdef KRB4 - { - int ret; - /* - * Try to verify as user with kerberos 4. - */ - ret = krb_verify_user(name, inst, realm, password, - KRB_VERIFY_NOT_SECURE, NULL); - if (ret == KSUCCESS){ - if (k_hasafs()) - krb_afslog(NULL, NULL); - return 0; - } - if (ret != INTK_BADPW) - warnx ("warning: %s", - (ret < 0) ? strerror(ret) : krb_get_err_text(ret)); - } -#endif - - return -1; -} - - -static void -GetPasswd(Widget w, XEvent *_event, String *_s, Cardinal *_n) -{ - XKeyEvent *event = (XKeyEvent *)_event; - static char passwd[MAX_PASSWD_LENGTH]; - static int cnt; - static int is_ctrl = XNLOCK_NOCTRL; - char c; - KeySym keysym; - int echolen; - int old_state = state; - - if (event->type == ButtonPress) { - x = event->x, y = event->y; - return; - } - if (state == IS_MOVING) { - /* guy is running around--change to post prompt box. 
*/ - XtRemoveTimeOut(timeout_id); - state = GET_PASSWD; - if (appres.ignore_passwd || !strlen(user_cpass)) - leave(); - post_prompt_box(XtWindow(w)); - cnt = 0; - time_left = 30; - countdown((XtPointer)&time_left, 0); - } - if (event->type == KeyRelease) { - keysym = XLookupKeysym(event, 0); - if (keysym == XK_Control_L || keysym == XK_Control_R) { - is_ctrl = XNLOCK_NOCTRL; - } - } - if (event->type != KeyPress) - return; - - time_left = 30; - - keysym = XLookupKeysym(event, 0); - if (keysym == XK_Control_L || keysym == XK_Control_R) { - is_ctrl = XNLOCK_CTRL; - return; - } - if (!XLookupString(event, &c, 1, &keysym, 0)) - return; - if (keysym == XK_Return || keysym == XK_Linefeed) { - passwd[cnt] = 0; - if(old_state == IS_MOVING) - return; - XtRemoveTimeOut(timeout_id); - - if(verify(passwd) == 0) - leave(); - - cnt = 0; - - XDrawImageString(dpy, XtWindow(widget), gc, - time_x, time_y, FAIL_MSG, strlen(FAIL_MSG)); - time_left = 0; - timeout_id = XtAppAddTimeOut(app, 2000L, countdown, &time_left); - return; - } - if (keysym == XK_BackSpace || keysym == XK_Delete || keysym == XK_Left) { - if (cnt) - passwd[cnt--] = ' '; - } else if (keysym == XK_u && is_ctrl == XNLOCK_CTRL) { - while (cnt) { - passwd[cnt--] = ' '; - echolen = min(cnt, STRING_LENGTH); - XDrawImageString(dpy, XtWindow(w), gc, - prompt_x, prompt_y, STRING, echolen); - XDrawImageString(dpy, XtWindow(w), gc, - prompt_x + XTextWidth(font, STRING, echolen), - prompt_y, SPACE_STRING, STRING_LENGTH - echolen + 1); - } - } else if (isprint((unsigned char)c)) { - if ((cnt + 1) >= MAX_PASSWD_LENGTH) - XBell(dpy, 50); - else - passwd[cnt++] = c; - } else - return; - echolen = min(cnt, STRING_LENGTH); - XDrawImageString(dpy, XtWindow(w), gc, - prompt_x, prompt_y, STRING, echolen); - XDrawImageString(dpy, XtWindow(w), gc, - prompt_x + XTextWidth(font, STRING, echolen), - prompt_y, SPACE_STRING, STRING_LENGTH - echolen +1); -} - -#include "nose.0.left" -#include "nose.1.left" -#include "nose.0.right" -#include 
"nose.1.right" -#include "nose.left.front" -#include "nose.right.front" -#include "nose.front" -#include "nose.down" - -static void -init_images(void) -{ - static Pixmap *images[] = { - &left0, &left1, &right0, &right1, - &left_front, &right_front, &front, &down - }; - static unsigned char *bits[] = { - nose_0_left_bits, nose_1_left_bits, nose_0_right_bits, - nose_1_right_bits, nose_left_front_bits, nose_right_front_bits, - nose_front_bits, nose_down_bits - }; - int i; - - for (i = 0; i < XtNumber(images); i++) - if (!(*images[i] = - XCreatePixmapFromBitmapData(dpy, DefaultRootWindow(dpy), - (char*)(bits[i]), 64, 64, 1, 0, 1))) - XtError("Can't load nose images"); -} - -static void -talk(int force_erase) -{ - int width = 0, height, Z, total = 0; - static int X, Y, talking; - static struct { int x, y, width, height; } s_rect; - char *p, *p2; - char buf[BUFSIZ], args[MAXLINES][256]; - - /* clear what we've written */ - if (talking || force_erase) { - if (!talking) - return; - if (talking == 2) { - XSetForeground(dpy, gc, Black); - XDrawString(dpy, XtWindow(widget), gc, X, Y, words, strlen(words)); - } else if (talking == 1) { - XSetForeground(dpy, gc, Black); - XFillRectangle(dpy, XtWindow(widget), gc, s_rect.x-5, s_rect.y-5, - s_rect.width+10, s_rect.height+10); - } - talking = 0; - if (!force_erase) - timeout_id = XtAppAddTimeOut(app, 40L, - (XtTimerCallbackProc)move, - NULL); - return; - } - XSetForeground(dpy, gc, White); - talking = 1; - walk(FRONT); - strlcpy (buf, words, sizeof(buf)); - p = buf; - - /* possibly avoid a lot of work here - * if no CR or only one, then just print the line - */ - if (!(p2 = strchr(p, '\n')) || !p2[1]) { - int w; - - if (p2) - *p2 = 0; - w = XTextWidth(font, words, strlen(words)); - X = x + 32 - w/2; - Y = y - 5 - font_height(font); - /* give us a nice 5 pixel margin */ - if (X < 5) - X = 5; - else if (X + w + 15 > (int)Width + 5) - X = Width - w - 5; - if (Y < 5) - Y = y + 64 + 5 + font_height(font); - XDrawString(dpy, 
XtWindow(widget), gc, X, Y, words, strlen(words)); - timeout_id = XtAppAddTimeOut(app, 5000L, (XtTimerCallbackProc)talk, - NULL); - talking++; - return; - } - - /* p2 now points to the first '\n' */ - for (height = 0; p; height++) { - int w; - *p2 = 0; - if ((w = XTextWidth(font, p, p2 - p)) > width) - width = w; - total += p2 - p; /* total chars; count to determine reading time */ - strlcpy(args[height], p, sizeof(args[height])); - if (height == MAXLINES - 1) { - puts("Message too long!"); - break; - } - p = p2+1; - if (!(p2 = strchr(p, '\n'))) - break; - } - height++; - - /* Figure out the height and width in pixels (height, width) extend - * the new box by 15 pixels on the sides (30 total) top and bottom. - */ - s_rect.width = width + 30; - s_rect.height = height * font_height(font) + 30; - if (x - s_rect.width - 10 < 5) - s_rect.x = 5; - else - if ((s_rect.x = x+32-(s_rect.width+15)/2) - + s_rect.width+15 > (int)Width-5) - s_rect.x = Width - 15 - s_rect.width; - if (y - s_rect.height - 10 < 5) - s_rect.y = y + 64 + 5; - else - s_rect.y = y - 5 - s_rect.height; - - XSetForeground(dpy, gc, White); - XFillRectangle(dpy, XtWindow(widget), gc, - s_rect.x-5, s_rect.y-5, s_rect.width+10, s_rect.height+10); - - /* make a box that's 5 pixels thick. 
Then add a thin box inside it */ - XSetForeground(dpy, gc, Black); - XSetLineAttributes(dpy, gc, 5, 0, 0, 0); - XDrawRectangle(dpy, XtWindow(widget), gc, - s_rect.x, s_rect.y, s_rect.width-1, s_rect.height-1); - XSetLineAttributes(dpy, gc, 0, 0, 0, 0); - XDrawRectangle(dpy, XtWindow(widget), gc, - s_rect.x + 7, s_rect.y + 7, s_rect.width - 15, - s_rect.height - 15); - - X = 15; - Y = 15 + font_height(font); - - /* now print each string in reverse order (start at bottom of box) */ - for (Z = 0; Z < height; Z++) { - XDrawString(dpy, XtWindow(widget), gc, s_rect.x+X, s_rect.y+Y, - args[Z], strlen(args[Z])); - Y += font_height(font); - } - timeout_id = XtAppAddTimeOut(app, (total/15) * 1000, - (XtTimerCallbackProc)talk, NULL); -} - -static unsigned long -look(void) -{ - XSetForeground(dpy, gc, White); - XSetBackground(dpy, gc, Black); - if (my_random() % 3) { - XCopyPlane(dpy, (my_random() & 1)? down : front, XtWindow(widget), gc, - 0, 0, 64,64, x, y, 1L); - return 1000L; - } - if (!(my_random() % 5)) - return 0; - if (my_random() % 3) { - XCopyPlane(dpy, (my_random() & 1)? left_front : right_front, - XtWindow(widget), gc, 0, 0, 64,64, x, y, 1L); - return 1000L; - } - if (!(my_random() % 5)) - return 0; - XCopyPlane(dpy, (my_random() & 1)? left0 : right0, XtWindow(widget), gc, - 0, 0, 64,64, x, y, 1L); - return 1000L; -} - -int -main (int argc, char **argv) -{ - int i; - Widget override; - XGCValues gcvalues; - - setprogname (argv[0]); - - /* - * Must be setuid root to read /etc/shadow, copy encrypted - * passwords here and then switch to sane uid. 
- */ - { - struct passwd *pw; - uid_t uid = getuid(); - if (!(pw = k_getpwuid(0))) - errx (1, "can't get root's passwd!"); - strlcpy(root_cpass, pw->pw_passwd, sizeof(root_cpass)); - - if (!(pw = k_getpwuid(uid))) - errx (1, "Can't get your password entry!"); - strlcpy(user_cpass, pw->pw_passwd, sizeof(user_cpass)); - setuid(uid); - if (uid != 0 && setuid(0) != -1) { - fprintf(stderr, "Failed to drop privileges!\n"); - exit(1); - } - /* Now we're no longer running setuid root. */ - strlcpy(login, pw->pw_name, sizeof(login)); - } - -#if defined(HAVE_SRANDOMDEV) - srandomdev(); -#elif defined(HAVE_RANDOM) - srandom(time(NULL)); -#else - srand (time(NULL)); -#endif - for (i = 0; i < STRING_LENGTH; i++) - STRING[i] = ((unsigned long)my_random() % ('~' - ' ')) + ' '; - - locked_at = time(0); - - snprintf(userprompt, sizeof(userprompt), "User: %s", login); -#ifdef KRB4 - krb_get_default_principal(name, inst, realm); - snprintf(userprompt, sizeof(userprompt), "User: %s", - krb_unparse_name_long(name, inst, realm)); -#endif -#ifdef KRB5 - { - krb5_error_code ret; - char *str; - - ret = krb5_init_context(&context); - if (ret) - errx (1, "krb5_init_context failed: %d", ret); - krb5_get_default_principal(context, &client); - krb5_unparse_name(context, client, &str); - snprintf(userprompt, sizeof(userprompt), "User: %s", str); - free(str); - } -#endif - - override = XtVaAppInitialize(&app, "XNlock", options, XtNumber(options), - (Cardinal*)&argc, argv, NULL, - XtNoverrideRedirect, True, - NULL); - - XtVaGetApplicationResources(override,(XtPointer)&appres, - resources,XtNumber(resources), - NULL); - /* the background is black and the little guy is white */ - Black = appres.bg; - White = appres.fg; - - if (appres.destroytickets) { -#ifdef KRB4 - int fd; - - dest_tkt(); /* Nuke old ticket file */ - /* but keep a place holder */ - fd = open (TKT_FILE, O_WRONLY | O_CREAT | O_EXCL, 0600); - if (fd >= 0) - close (fd); -#endif - } - - dpy = XtDisplay(override); - - if (dpy == 0) - 
errx (1, "Error: Can't open display"); - - Width = DisplayWidth(dpy, DefaultScreen(dpy)) + 2; - Height = DisplayHeight(dpy, DefaultScreen(dpy)) + 2; - - for(i = 0; i < ScreenCount(dpy); i++){ - Widget shell, core; - - struct xxx{ - Pixel bg; - }res; - - XtResource Res[] = { - { XtNbackground, XtCBackground, XtRPixel, sizeof(Pixel), - XtOffsetOf(struct xxx, bg), XtRString, "black" } - }; - - if(i == DefaultScreen(dpy)) - continue; - - shell = XtVaAppCreateShell(NULL,NULL, applicationShellWidgetClass, dpy, - XtNscreen, ScreenOfDisplay(dpy, i), - XtNoverrideRedirect, True, - XtNx, -1, - XtNy, -1, - NULL); - - XtVaGetApplicationResources(shell, (XtPointer)&res, - Res, XtNumber(Res), - NULL); - - core = XtVaCreateManagedWidget("_foo", widgetClass, shell, - XtNwidth, DisplayWidth(dpy, i), - XtNheight, DisplayHeight(dpy, i), - XtNbackground, res.bg, - NULL); - XtRealizeWidget(shell); - } - - widget = XtVaCreateManagedWidget("_foo", widgetClass, override, - XtNwidth, Width, - XtNheight, Height, - XtNbackground, Black, - NULL); - - init_words(--argc, ++argv); - init_images(); - - gcvalues.foreground = Black; - gcvalues.background = White; - - - font = appres.font; - gcvalues.font = font->fid; - gcvalues.graphics_exposures = False; - gc = XCreateGC(dpy, DefaultRootWindow(dpy), - GCForeground | GCBackground | GCGraphicsExposures | GCFont, - &gcvalues); - - x = Width / 2; - y = Height / 2; - srand (time(0)); - state = IS_MOVING; - - { - static XtActionsRec actions[] = { - { "ClearWindow", ClearWindow }, - { "GetPasswd", GetPasswd }, - { "RaiseWindow", RaiseWindow }, - }; - XtAppAddActions(app, actions, XtNumber(actions)); - XtOverrideTranslations(widget, - XtParseTranslationTable( - ": ClearWindow() \n" - ": GetPasswd() \n" - ": RaiseWindow() \n" - ": GetPasswd() \n" - ": GetPasswd()")); - } - - XtRealizeWidget(override); - if((i = XGrabPointer(dpy, XtWindow(widget), True, 0, GrabModeAsync, - GrabModeAsync, XtWindow(widget), - None, CurrentTime)) != 0) - errx(1, "Failed to 
grab pointer (%d)", i);
-
- if((i = XGrabKeyboard(dpy, XtWindow(widget), True, GrabModeAsync,
- GrabModeAsync, CurrentTime)) != 0)
- errx(1, "Failed to grab keyboard (%d)", i);
- ScreenSaver(1);
- XtAppMainLoop(app);
- exit(0);
-}
-
diff --git a/crypto/heimdal-0.6.3/appl/xnlock/xnlock.cat1 b/crypto/heimdal-0.6.3/appl/xnlock/xnlock.cat1
deleted file mode 100644
index dde8eef6cf..0000000000
--- a/crypto/heimdal-0.6.3/appl/xnlock/xnlock.cat1
+++ /dev/null
@@ -1,132 +0,0 @@ - - - -XNLOCK(1L) XNLOCK(1L) - - - -NAME - xnlock - amusing lock screen program with message for passers-by - -SYNOPSIS - xxnnlloocckk [ _o_p_t_i_o_n_s ] [ _m_e_s_s_a_g_e ] - -DESCRIPTION - _x_n_l_o_c_k is a program that acts as a screen saver for workstations running - X11. It also "locks" the screen such that the workstation can be left - unattended without worry that someone else will walk up to it and mess - everything up. When _x_n_l_o_c_k is running, a little man with a big nose and a - hat runs around spewing out messages to the screen. By default, the mes- - sages are "humorous", but that depends on your sense of humor. - - If a key or mouse button is pressed, a prompt is printed requesting the - user's password. If a RETURN is not typed within 30 seconds, the little - man resumes running around. - - Text on the command line is used as the message. For example: - % xnlock I'm out to lunch for a couple of hours. - Note the need to quote shell metacharacters. - - In the absence of flags or text, _x_n_l_o_c_k displays random fortunes. - -OPTIONS - Command line options override all resource specifications. All arguments - that are not associated with a command line option is taken to be message - text that the little man will "say" every once in a while. The resource - xxnnlloocckk..tteexxtt may be set to a string. - - --ffnn _f_o_n_t_n_a_m_e - The default font is the first 18 point font in the _n_e_w _c_e_n_t_u_r_y _s_c_h_o_o_l_- - _b_o_o_k family. While larger fonts are recokmmended over smaller ones, - any font in the server's font list will work. The resource to use for - this option is xxnnlloocckk..ffoonntt. - - --ffiilleennaammee _f_i_l_e_n_a_m_e - Take the message to be displayed from the file _f_i_l_e_n_a_m_e. If _f_i_l_e_n_a_m_e - is not specified, _$_H_O_M_E_/_._m_s_g_f_i_l_e is used. 
If the contents of the file - are changed during runtime, the most recent text of the file is used - (allowing the displayed message to be altered remotely). Carriage - returns within the text are allowed, but tabs or other control charac- - ters are not translated and should not be used. The resource avail- - able for this option is xxnnlloocckk..ffiillee. - - --aarr Accept root's password to unlock screen. This option is true by - default. The reason for this is so that someone's screen may be - unlocked by autorized users in case of emergency and the person run- - ning the program is still out to lunch. The resource available for - specifying this option is xxnnlloocckk..aacccceeppttRRoooottPPaasssswwdd. - - --nnooaarr - Don't accept root's password. This option is for paranoids who fear - their peers might breakin using root's password and remove their files - anyway. Specifying this option on the command line overrides the - xxnnlloocckk..aacccceeppttRRoooottPPaasssswwdd if set to True. - - --iipp Ignore password prompt. The resource available for this option is - xxnnlloocckk..iiggnnoorreePPaasssswwdd. - - --nnooiipp - Don't ignore password prompt. This is available in order to override - the resource iiggnnoorreePPaasssswwdd if set to True. - - --ffgg _c_o_l_o_r - Specifies the foreground color. The resource available for this is - xxnnlloocckk..ffoorreeggrroouunndd. - - --bbgg _c_o_l_o_r - Specifies the background color. The resource available for this is - xxnnlloocckk..bbaacckkggrroouunndd. - - --rrvv Reverse the foreground and background colors. The resource for this - is xxvvnnlloocckk..rreevveerrsseeVViiddeeoo. - - --nnoorrvv - Don't use reverse video. This is available to override the reverseV- - ideo resource if set to True. - - --pprroogg _p_r_o_g_r_a_m - Receive message text from the running program _p_r_o_g_r_a_m. If there are - arguments to _p_r_o_g_r_a_m, encase them with the name of the program in - quotes (e.g. xnlock -t "fortune -o"). 
The resource for this is - xxnnlloocckk..pprrooggrraamm. - -RESOURCES - xnlock.font: fontname - xnlock.foreground: color - xnlock.background: color - xnlock.reverseVideo: True/False - xnlock.text: Some random text string - xnlock.program: program [args] - xnlock.ignorePasswd: True/False - xnlock.acceptRootPasswd: True/False - -FILES - _x_n_l_o_c_k executable file - ~/.msgfile default message file - -AUTHOR - Dan Heller Copyright (c) 1985, 1990. - The original version of this program was written using pixrects on a Sun 2 - running SunOS 1.1. - - - - - - - - - - - - - - - - - - - - - - diff --git a/crypto/heimdal-0.6.3/cf/ChangeLog b/crypto/heimdal-0.6.3/cf/ChangeLog deleted file mode 100644 index 1018925c9b..0000000000 --- a/crypto/heimdal-0.6.3/cf/ChangeLog +++ /dev/null 
@@ -1,815 +0,0 @@ -2003-08-15 Love - - * check-compile-et.m4: 1.7->1.8: check if compile_et support - ``error_table N M'' also, don't be overly aggressivly reset CFLAGS - -2003-05-08 Johan Danielsson - - * Makefile.am.common: change install-data-local to - install-data-hook - -2003-05-05 Assar Westerlund - - * crypto.m4: define OPENSSL_DES_LIBDES_COMPATIBILITY - -2003-04-03 Love Hörnquist Åstrand - - * crypto.m4: check if libcrypto needs -lnsl or -lsocket - -2003-04-02 Love Hörnquist Åstrand - - * crypto.m4: in the case where se don't link with kerberos 4, use - ${with_openssl_include} if its are set (not - ${with_openssl}/include) same for with_openssl_lib - -2003-03-18 Love Hörnquist Åstrand - - * Makefile.am.common: always define LIB_kafs - -2003-03-12 Love Hörnquist Åstrand - - * check-compile-et.m4: check if the output of compile_et needs - initialize_error_table_r - -2003-02-17 Love Hörnquist Åstrand - - * check-var.m4: add a check if the variable is avaible when we - include the headerfiles - -2002-12-18 Johan Danielsson - - * roken-frag.m4: res_nsearch takes 6 parameters; spotted by Howard - Chu - -2002-10-25 Johan Danielsson - - * crypto.m4: do a better job at matching headers to libraries - -2002-10-16 Johan Danielsson - - * sunos.m4: more quoting - -2002-09-19 Johan Danielsson - - * make-proto.pl: check the processed string for closing ), not the - source - -2002-09-10 Johan Danielsson - - * crypto.m4: use m4 macros for test cases, also test for older - hash names - - * test-package.m4: include dep libraries in LIB_* - - * crypto.m4: move krb4 test before test for openssl, and bail out - if krb4 is requested, but the crypto library is not the same as - krb4 - - * db.m4: filter contents of LDFLAGS - -2002-09-09 Johan Danielsson - - * auth-modules.m4: rename to rk_AUTH_MODULES - - * auth-modules.m4: only include modules explicitly asked for - -2002-09-04 Johan Danielsson - - * roken-frag.m4: test for res_nsearch - -2002-09-03 Assar Westerlund - - * 
roken-frag.m4: check for sys/mman.h and mmap (used by - parse_reply-test) - -2002-08-28 Assar Westerlund - - * krb-readline.m4: also add LIB_tgetent in the case of editline - - * crypto.m4: define HAVE_OPENSSL even if we got to hear about it - by krb4 - -2002-08-28 Johan Danielsson - - * krb-readline.m4: add LIB_tgetent to LIB_readline if we have to - - * sunos.m4: various sunos tests - - * crypto.m4: try to extract the crypto compiler flags from - {INCLUDE,LIB}_krb4 - (XXX this is really horrible) - - * krb-readline.m4: don't add -rpath to LIB_readline (libtool - should to this for us), also don't append LIB_tgetent to - LIB_readline (TEST_PACKAGE should do this) - - * test-package.m4: add the possibility to use a *-config program - to get flags; rename to rk_TEST_PACKAGE while here - - * krb-bigendian.m4: move ENDIANESS_IN_SYS_PARAM_H tests here - - * aix.m4: rename to rk_AIX - - * telnet.m4: move telnet tests here - - * aix.m4: restructure this somewhat - - * dlopen.m4: test for dlopen suitable for AC_REQUIRE - - * irix.m4: move some stuff here and rename to irix.m4 - - * krb-sys-nextstep.m4: move SGTTY stuff to read_pwd.c - -2002-08-28 Jacques Vidrine - - * auth-modules.m4: do not build pam_krb4 on freebsd - -2002-08-26 Assar Westerlund - - * roken-frag.m4: test for the vis, strvis functions requiring - prototypes - -2002-08-23 Johan Danielsson - - * need-proto.m4: missing comma - -2002-08-22 Johan Danielsson - - * roken-frag.m4: some rototilling - - * need-proto.m4: use AS_TR_CPP - -2002-08-20 Johan Danielsson - - * roken-frag.m4: HAVE_TYPE instead of CHECK_TYPE ssize_t - - * krb-version.m4: use PACKAGE_TARNAME and PACKAGE_STRING - - * broken-getaddrinfo.m4: can't test for EAI_SERVICE here since AIX - is even more fsck:ed - - * roken-frag.m4: test for altzone - -2002-08-19 Johan Danielsson - - * Makefile.am.common: only define ROKEN_RENAME if do_roken_rename - -2002-08-13 Johan Danielsson - - * Makefile.am.common: add ROKEN_RENAME variable - -2002-08-12 Johan 
Danielsson - - * make-proto.pl: include to get va_list - - * destdirs.m4: also define localstatedir and sysconfdir - -2002-08-01 Johan Danielsson - - * crypto.m4: newer openssl seems to take the address of the - schedule parameter to des_cbc_encrypt, so we need to feed it a - variable, not just NULL (from Magnus Holmberg) - -2002-05-24 Johan Danielsson - - * misc.m4: change \100 back to @; some m4's (probably some regex) - doesn't like this as a replacement regexp; the reason it was once - changed to \100 was probably because of some autoconf bug at the - time - -2002-05-20 Johan Danielsson - - * broken2.m4 []-less is apparently the way to go - -2002-05-19 Johan Danielsson - - * otp.m4: check db_type instead of precence of dbm_firstkey - - * roken-frag.m4: don't AC_LIBOBJ more than one function at a time - - * find-if-not-broken.m4: s/AC_LIBOBJ/rk_LIBOBJ/ - - * broken2.m4: s/AC_LIBOBJ/rk_LIBOBJ/ - - * broken.m4: s/AC_LIBOBJ/rk_LIBOBJ/ - - * misc.m4: automake can't handle macros passed to AC_LIBOBJ, so - add an alias to it called rk_LIBOBJ; this requires that the - relevant source are manually included in roken/Makefile.am - - * aix.m4: ac_enable --diable-dynamic-afs - - * roken-frag.m4: use AC_LIBOBJ - - * krb-func-getcwd-broken.m4: use AC_LIBOBJ - - * find-if-not-broken.m4: use AC_LIBOBJ - - * broken2.m4: use AC_LIBOBJ - - * broken.m4: use AC_LIBOBJ - - * aix.m4: recognise aix5 - -2002-05-17 Johan Danielsson - - * crypto.m4: am-conditionalise HAVE_OPENSSL - - * db.m4: make it possible to run this twice - - * Makefile.am.common: also install nodist_include_HEADERS - -2002-05-16 Johan Danielsson - - * make-proto.pl: make it possible to redefine the "private" regexp - -2002-05-02 Johan Danielsson - - * db.m4: am_cond HAVE_* - -2002-04-30 Johan Danielsson - - * krb-ipv6.m4: use AC_HELP_STRING; fix logic bug in AC_MSG_RESULT - call - - * test-package.m4: use AC_HELP_STRING - - * roken.m4: use AC_HELP_STRING - - * osfc2.m4: use AC_HELP_STRING - - * mips-abi.m4: use 
AC_HELP_STRING - - * krb-bigendian.m4: use AC_HELP_STRING - - * db.m4: rework this somewhat; check for db3/4 in subdirs, change - --with to --enable; it should really be possible to point it to - some directory --with-berkeley-db=/foo - - * otp.m4: OTP test - -2002-04-25 Johan Danielsson - - * destdirs.m4: define BINDIR et al - -2002-04-18 Johan Danielsson - - * misc.m4: remove some stuff that is defined elsewhere - - * make-proto.pl: optionally remove __P and parameter names - -2001-11-30 Assar Westerlund - - * roken-frag.m4: move ipv6 tests after -lsocket (to handle Solaris - 8) - -2001-09-29 Assar Westerlund - - * install-catman.sh: handle man pages without SYNOPSIS but looking - for both SYNOPSIS and DESCRIPTION - -2001-09-18 Johan Danielsson - - * roken-frag.m4: include freeaddrinfo if using getaddrinfo - -2001-09-13 Assar Westerlund - - * db.m4: test for the ndbm database really being a .db one - and use it when moving/removing database files - -2001-09-03 Assar Westerlund - - * db.m4: prefer ndbm.h to dbm.h - * roken-frag.m4: check for atexit and on_exit - -2001-09-02 Assar Westerlund - - * check-compile-et.m4: only add /usr/include/et to CPPFLAGS if - it's actually used - -2001-09-01 Assar Westerlund - - * Makefile.am.common (AUTOMAKE_OPTIONS): set 1.4b here so that - users are warned if using earlier automake versions - - * find-func-no-libs2.m4: ignore "no" as a library - another - special case to make it easy to send the result from this macro - into another invocation - -2001-08-30 Assar Westerlund - - * db.m4: check for ndbm functions in db3 library too - -2001-08-29 Jacques Vidrine - - * check-compile-et.m4: Check for already-installed com_err. - * Makefile.am.common: Use the compile_et discovered at - configuration time. 
- -2001-08-29 Assar Westerlund - - * crypto.m4: use AC_WITH_ALL to allow separate specification of - include and lib - * with-all.m4: new macro for doing --with-foo, --with-foo-include, - and --with-foo-lib in a sensible way - - * find-func-no-libs2.m4: handle both -llib and lib in the second - argument also yes -> "" as a library, to ease callers that send in - results from this macro (this might be a little bit unclean) - -2001-08-28 Assar Westerlund - - * roken-frag.m4: test for issetugid - -2001-08-24 Assar Westerlund - - * Makefile.am.common: change one += to = to AM_CFLAGS to avoid an - error with recent automake - -2001-08-22 Assar Westerlund - - * crypto.m4: SHA1_CTX should be SHA_CTX - -2001-08-21 Assar Westerlund - - * roken-frag.m4: remove all winsock.h - for now, it does more harm than good under cygwin and if it should be - used, the correct conditional needs to be found - from - -2001-08-21 Johan Danielsson - - * check-var.m4: AC_TR_CPP -> AS_TR_CPP to make autoconf 2.52 happy - -2001-08-17 Johan Danielsson - - * krb-ipv6.m4: add test for non-existant in6addr_loopback in AIX - -2001-08-15 Johan Danielsson - - * roken-frag.m4: test for getaddrinfo's that doesn't like numeric - services - - * broken-getaddrinfo.m4: test for getaddrinfo's that doesn't like - numeric services - -2001-08-08 Assar Westerlund - - * db.m4: do a separate test for gdbm/ndbm.h and -lgdbm - -2001-08-05 Assar Westerlund - - * db.m4: ac_cv_funclib_\func can be yes - * db.m4: use AC_FIND_FUNC_NO_LIBS to test in libc - anset cache variables after first attempt at finding dbm_firstkey (how - should this be done?) 
- * db.m4: do not test for ndbm library when ndbm-db was found in libc - * db.m4: test for ndbm-compatability with db - * db.m4: add forgotten AC_SUBST - * db.m4: first steps towards a new db test - - * roken-frag.m4: remove header files checked by rk_db - -2001-08-05 Assar Westerlund - - * roken-frag.m4: remove header files checked by rk_db - -2001-06-24 Assar Westerlund - - * roken-frag.m4: make sure of building getaddrinfo et al if - missing - -2001-06-20 Johan Danielsson - - * install-catman.sh: try to install links to manpages - -2001-06-19 Assar Westerlund - - * broken-glob.m4: try to handle FreeBSD's GLOB_MAXPATH - -2001-06-18 Johan Danielsson - - * roken-frag.m4: test for getaddrinfo needs netdb.h on Tru64 - -2001-06-17 Assar Westerlund - - * roken-frag.m4 (AC_CHECK_HEADERS): test for random - * roken-frag.m4 (AC_CHECK_HEADERS): test for initstate and - setstate - - * roken-frag.m4 (AC_BROKEN): test for - emalloc,ecalloc,erealloc,estrdup - -2001-05-11 Johan Danielsson - - * roken-frag.m4: bswap{16,32} - -2001-03-26 Assar Westerlund - - * broken-glob.m4: also test for GLOB_LIMIT - * krb-ipv6.m4: restore CFLAGS if v6 is not detected - -2001-02-20 Assar Westerlund - - * roken-frag.m4: check for getprogname, setprogname - -2001-02-07 Assar Westerlund - - * Makefile.am.common (LIB_kdfs): set. use it. from Ake Sandgren - - -2000-12-26 Assar Westerlund - - * krb-ipv6.m4: remove some dnl that weren't the correct with - modern autoconf - -2000-12-15 Assar Westerlund - - * roken-frag.m4 (inet_ntoa, inet_ntop, inet_pton): add necessary - includes when testing - * broken2.m4: new variant of broken, with includes and arguments - - * test-package.m4: s/ifval/m4_ifval/ to keep in sync with - autoconf. from Ake Sandgren - * check-var.m4: s/ifval/m4_ifval/ to keep in sync with autoconf. - from Ake Sandgren - -2000-12-13 Assar Westerlund - - * krb-irix.m4: need to set irix to no first. 
From Ake Sandgren - - -2000-12-12 Johan Danielsson - - * roken-frag.m4: move sa_len test to before test for broken - getnameinfo - -2000-12-12 Assar Westerlund - - * roken-frag.m4: only test for broken getnameinfo if it exists - -2000-12-10 Johan Danielsson - - * roken-frag.m4: ifaddrs.h - -2000-12-06 Johan Danielsson - - * roken-frag.m4: test for unvis, and vis.h - - * roken-frag.m4: test for strvis* - -2000-12-05 Johan Danielsson - - * Makefile.am.common: just warn if we fail to setuid a program - - * broken-getnameinfo.m4: add more quotes - - * roken-frag.m4: test for getifaddrs - - * roken-frag.m4: test for broken AIX getnameinfo - - * broken-getnameinfo.m4: test for broken getnameinfo - -2000-12-01 Assar Westerlund - - * Makefile.am.common: add kludge for LIBS - -2000-11-30 Johan Danielsson - - * check-man.m4: update this after recent changes - - * Makefile.am.common: use install-catman.sh - - * install-catman.sh: script to install preformatted manual pages - - * Makefile.am.common: change cat handling - -2000-11-29 Johan Danielsson - - * roken-frag.m4: don't use AC_CONFIG_FILES here, since it doesn't - work with automake - -2000-11-15 Assar Westerlund - - * krb-readline.m4: link against the libtool-versions of - libeditline and libel_compat - - * Makefile.am.common (INCLUDES): add $(INCLUDES_roken) - * roken-frag.m4 (CPPFLAGS_roken): rename to INCLUDES_roken - -2000-11-05 Johan Danielsson - - * aix.m4: set aix - -2000-08-19 Assar Westerlund - - * krb-bigendian.m4: merge from arla: make it work better - -2000-08-07 Johan Danielsson - - * roken-frag.m4: check getsockname for proto compat - -2000-08-04 Johan Danielsson - - * Makefile.am.common: add library for pidfile - - * roken-frag.m4: tests for util.h and pidfile - -2000-07-19 Johan Danielsson - - * check-var.m4: rename to rk_CHECK_VAR, transposing the arguments, - and making the second optional, AU_DEFINE AC_CHECK_VAR to - rk_CHECK_VAR - - * roken-frag.m4: other roken tests - - * db.m4: db tests - 
-2000-07-18 Johan Danielsson - - * mips-abi.m4: AC_ERROR -> AC_MSG_ERROR - - * check-netinet-ip-and-tcp.m4: use cache_check, and make this work - with new autoconf - - * aix.m4: don't subst AFS_EXTRA_LD - -2000-07-15 Johan Danielsson - - * check-var.m4: workaround feature of newer autoconf - - * find-func-no-libs2.m4: use cleaner autoheader trick - - * have-type.m4: use cleaner autoheader trick - - * have-types.m4: use cleaner autoheader trick - - * test-package.m4: add 6th parameter for now - - * broken.m4: use cleaner autoheader trick - - * retsigtype.m4: test for signal handler return type - - * broken-realloc.m4: test for broken realloc - -2000-07-08 Assar Westerlund - - * roken.m4: set CPPFLAGS_roken and call AC_CONFIG_SUBDIRS - -2000-07-02 Assar Westerlund - - * Makefile.am.common (CP): set and use - -2000-04-05 Assar Westerlund - - * Makefile.am.common (INCLUDE_openldap, LIB_openldap): add - -2000-03-28 Assar Westerlund - - * krb-prog-yacc.m4: AC_MSG_WARNING should be AC_MSG_WARN - - * shared-libs.m4: try to update to freebsd5 (and elf) - -2000-03-16 Assar Westerlund - - * krb-prog-yacc.m4: warn we do not find any yacc - -2000-01-08 Assar Westerlund - - * krb-bigendian.m4: new file, replacement for ac_c_bigendian - -2000-01-01 Assar Westerlund - - * krb-ipv6.m4: re-organize: test for type of stack first so that - we can find the libraries that we might have to link the test - program against. not linking the test program means we don't know - if the right stuff is in the libraries. also cosmetic changes to - make sure we print the checking for... nicely - -1999-12-21 Assar Westerlund - - * krb-ipv6.m4: try linking, not only compiling - * krb-ipv6.m4: add --without-ipv6 make sure we have `in6addr_any' - which we use in the code. 
This test avoids false positives on - OpenBSD - -1999-11-29 Johan Danielsson - - * grok-type.m4: inttypes.h - -1999-11-05 Assar Westerlund - - * check-x.m4: include X_PRE_LIBS and X_EXTRA_LIBS when testing - -1999-11-01 Assar Westerlund - - * Makefile.am.common (install-build-headers): use `cp' instead of - INSTALL_DATA for copying header files inside the build tree. The - user might have redefined INSTALL_DATA to specify owners and other - information. - -1999-10-30 Assar Westerlund - - * find-func-no-libs2.m4: add yet another argument to allow specify - linker flags that will be added _before_ the library when trying - to link - - * find-func-no-libs.m4: add yet another argument to allow specify - linker flags that will be added _before_ the library when trying - to link - -1999-10-12 Assar Westerlund - - * find-func-no-libs2.m4 (AC_FIND_FUNC_NO_LIBS2): new argument - `extra libs' - - * find-func-no-libs.m4 (AC_FIND_FUNC_NO_LIBS): new argument `extra - libs' - -1999-09-01 Johan Danielsson - - * capabilities.m4: sgi capabilities - -1999-07-29 Assar Westerlund - - * have-struct-field.m4: quote macros when undefining - -1999-07-28 Assar Westerlund - - * Makefile.am.common (install-build-headers): add dependencies - -1999-07-24 Assar Westerlund - - * have-type.m4: try to get autoheader to co-operate - - * have-type.m4: stolen from Arla - - * krb-struct-sockaddr-sa-len.m4: not used any longer. removed. - -1999-06-13 Assar Westerlund - - * krb-struct-spwd.m4: consequent name of cache variables - - * krb-func-getlogin.m4: new file for testing for posix (broken) - getlogin - - * shared-libs.m4 (freebsd[34]): don't use ld -Bshareable - -1999-06-02 Johan Danielsson - - * check-x.m4: extended test for X - -1999-05-14 Assar Westerlund - - * check-netinet-ip-and-tcp.m4: proper autoheader tricks - - * check-netinet-ip-and-tcp.m4: new file for checking for - netinet/{ip,tcp}.h. These are special as they on Irix 6.5.3 - require to be included in advance. 
- - * check-xau.m4: we also need to check for XauFilename since it's - used by appl/kx. And on Irix 6.5 that function requires linking - with -lX11. - -1999-05-08 Assar Westerlund - - * krb-find-db.m4: try with more header files than ndbm.h - -1999-04-19 Assar Westerlund - - * test-package.m4: try to handle the case of --without-package - correctly - -1999-04-17 Assar Westerlund - - * make-aclocal: removed. Not used anymore, being replaced by - aclocal from automake. - -Thu Apr 15 14:17:26 1999 Johan Danielsson - - * make-proto.pl: handle __attribute__ - -Fri Apr 9 20:37:18 1999 Assar Westerlund - - * shared-libs.m4: quote $@ - (freebsd3): add install_symlink_command2 - -Wed Apr 7 20:40:22 1999 Assar Westerlund - - * shared-libs.m4 (hpux): no library dependencies - -Mon Apr 5 16:13:08 1999 Johan Danielsson - - * test-package.m4: compile and link, rather than looking for - files; also export more information, so it's possible to add rpath - information - -Tue Mar 30 13:49:54 1999 Johan Danielsson - - * Makefile.am.common: CFLAGS -> AM_CFLAGS - -Mon Mar 29 16:51:12 1999 Johan Danielsson - - * check-xau.m4: check for XauWriteAuth before checking for - XauReadAuth to catch -lX11:s not containing XauWriteAuth, and IRIX - 6.5 that doesn't work with -lXau - -Sat Mar 27 18:03:58 1999 Johan Danielsson - - * osfc2.m4: --enable-osfc2 - -Fri Mar 19 15:34:52 1999 Johan Danielsson - - * shared-libs.m4: move shared lib stuff here - -Wed Mar 24 23:24:51 1999 Assar Westerlund - - * Makefile.am.common (install-build-headers): simplify loop - -Tue Mar 23 17:31:23 1999 Johan Danielsson - - * check-getpwnam_r-posix.m4: check for getpwnam_r, and if it's - posix or not - -Tue Mar 23 00:00:13 1999 Assar Westerlund - - * Makefile.am.common (install_build_headers): try to make it work - better when list of headers is empty. handle make rewriting the - filenames. 
- - * Makefile.am.common: hesoid -> hesiod - -Sun Mar 21 14:48:03 1999 Johan Danielsson - - * grok-type.m4: - - * Makefile.am.common: fix for automake bug/feature; add more LIB_* - - * test-package.m4: fix typo - - * check-man.m4: fix some typos - - * auth-modules.m4: tests for authentication modules - -Thu Mar 18 11:02:55 1999 Johan Danielsson - - * Makefile.am.common: make install-build-headers a multi - dependency target - - * Makefile.am.common: remove include_dir hack - - * Makefile.am.common: define LIB_kafs and LIB_gssapi - - * krb-find-db.m4: subst DBLIB also - - * check-xau.m4: test for Xau{Read,Write}Auth - -Wed Mar 10 19:29:20 1999 Johan Danielsson - - * wflags.m4: AC_WFLAGS - -Mon Mar 1 11:23:41 1999 Johan Danielsson - - * have-struct-field.m4: remove extra AC_MSG_RESULT - - * proto-compat.m4: typo - - * krb-func-getcwd-broken.m4: update to autoconf 2.13 - - * krb-find-db.m4: update to autoconf 2.13 - - * check-declaration.m4: typo - - * have-pragma-weak.m4: update to autoconf 2.13 - - * have-struct-field.m4: better handling of types with spaces - -Mon Feb 22 20:05:06 1999 Johan Danielsson - - * broken-glob.m4: check for broken glob - -Sun Jan 31 06:50:33 1999 Assar Westerlund - - * krb-ipv6.m4: more magic for different v6 implementations. From - Jun-ichiro itojun Hagino - -Sun Nov 22 12:16:06 1998 Assar Westerlund - - * krb-struct-spwd.m4: new file - -Thu Jun 4 04:07:41 1998 Assar Westerlund - - * find-func-no-libs2.m4: new file - -Fri May 1 23:31:28 1998 Assar Westerlund - - * c-attribute.m4, c-function.m4: new files (from arla) - -Wed Mar 18 23:11:29 1998 Assar Westerlund - - * krb-ipv6.m4: rename HAVE_STRUCT_SOCKADDR_IN6 to HAVE_IPV6 - -Thu Feb 26 02:37:49 1998 Assar Westerlund - - * make-proto.pl: should work with perl4 - diff --git a/crypto/heimdal-0.6.3/cf/Makefile.am.common b/crypto/heimdal-0.6.3/cf/Makefile.am.common deleted file mode 100644 index ddb86a49ca..0000000000 --- a/crypto/heimdal-0.6.3/cf/Makefile.am.common +++ /dev/null 
@@ -1,209 +0,0 @@ -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - -SUFFIXES = .et .h - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) - -if do_roken_rename -ROKEN_RENAME = -DROKEN_RENAME -endif - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -## set build_HEADERZ to headers that should just be installed in build tree - -buildinclude = $(top_builddir)/include - -## these aren't detected by automake -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_crypt = @LIB_crypt@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = @LIB_openpty@ -LIB_pidfile = @LIB_pidfile@ -LIB_res_search = @LIB_res_search@ -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -LIB_hesiod = @LIB_hesiod@ - -INCLUDE_krb4 = @INCLUDE_krb4@ -LIB_krb4 = @LIB_krb4@ - -INCLUDE_openldap = @INCLUDE_openldap@ -LIB_openldap = @LIB_openldap@ - -INCLUDE_readline = @INCLUDE_readline@ -LIB_readline = @LIB_readline@ - -LEXLIB = @LEXLIB@ - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f 
"$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -SUFFIXES += .x - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ - -SUFFIXES += .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -NROFF_MAN = groff -mandoc -Tascii -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -## MAINTAINERCLEANFILES += - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do 
\ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -if KRB5 -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -endif - -if DCE -LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -endif diff --git a/crypto/heimdal-0.6.3/cf/aix.m4 b/crypto/heimdal-0.6.3/cf/aix.m4 deleted file mode 100644 index 155cef278e..0000000000 --- a/crypto/heimdal-0.6.3/cf/aix.m4 +++ /dev/null 
@@ -1,57 +0,0 @@
-dnl
-dnl $Id: aix.m4,v 1.9.6.1 2004/04/01 07:27:32 joda Exp $
-dnl
-
-AC_DEFUN([rk_AIX],[
-
-aix=no
-case "$host" in
-*-*-aix3*)
- aix=3
- ;;
-*-*-aix4*|*-*-aix5*)
- aix=4
- ;;
-esac
-
-AM_CONDITIONAL(AIX, test "$aix" != no)dnl
-AM_CONDITIONAL(AIX4, test "$aix" = 4)
-
-
-AC_ARG_ENABLE(dynamic-afs,
- AC_HELP_STRING([--disable-dynamic-afs],
- [do not use loaded AFS library with AIX]))
-
-if test "$aix" != no; then
- if test "$enable_dynamic_afs" != no; then
- AC_REQUIRE([rk_DLOPEN])
- if test "$ac_cv_func_dlopen" = no; then
- AC_FIND_FUNC_NO_LIBS(loadquery, ld)
- fi
- if test "$ac_cv_func_dlopen" != no; then
- AIX_EXTRA_KAFS='$(LIB_dlopen)'
- elif test "$ac_cv_func_loadquery" != no; then
- AIX_EXTRA_KAFS='$(LIB_loadquery)'
- else
- AC_MSG_NOTICE([not using dynloaded AFS library])
- AIX_EXTRA_KAFS=
- enable_dynamic_afs=no
- fi
- else
- AIX_EXTRA_KAFS=
- fi
-fi
-
-AM_CONDITIONAL(AIX_DYNAMIC_AFS, test "$enable_dynamic_afs" != no)dnl
-AC_SUBST(AIX_EXTRA_KAFS)dnl
-
-AH_BOTTOM([#if _AIX
-#define _ALL_SOURCE
-/* XXX this is gross, but kills about a gazillion warnings */
-struct ether_addr;
-struct sockaddr;
-struct sockaddr_dl;
-struct sockaddr_in;
-#endif])
-
-])
diff --git a/crypto/heimdal-0.6.3/cf/auth-modules.m4 b/crypto/heimdal-0.6.3/cf/auth-modules.m4
deleted file mode 100644
index 5fb88f3647..0000000000
--- a/crypto/heimdal-0.6.3/cf/auth-modules.m4
+++ /dev/null
@@ -1,45 +0,0 @@
-dnl $Id: auth-modules.m4,v 1.5.6.1 2004/04/01 07:27:32 joda Exp $
-dnl
-dnl Figure what authentication modules should be built
-dnl
-dnl rk_AUTH_MODULES(module-list)
-
-AC_DEFUN([rk_AUTH_MODULES],[
-AC_MSG_CHECKING([which authentication modules should be built])
-
-z='m4_ifval([$1], $1, [sia pam afskauthlib])'
-LIB_AUTH_SUBDIRS=
-for i in $z; do
-case $i in
-sia)
-if test "$ac_cv_header_siad_h" = yes; then
- LIB_AUTH_SUBDIRS="$LIB_AUTH_SUBDIRS sia"
-fi
-;;
-pam)
-case "${host}" in
-*-*-freebsd*) ac_cv_want_pam_krb4=no ;;
-*) ac_cv_want_pam_krb4=yes ;;
-esac
-
-if test "$ac_cv_want_pam_krb4" = yes -a \
- "$ac_cv_header_security_pam_modules_h" = yes -a \
- "$enable_shared" = yes; then
- LIB_AUTH_SUBDIRS="$LIB_AUTH_SUBDIRS pam"
-fi
-;;
-afskauthlib)
-case "${host}" in
-*-*-irix[[56]]*) LIB_AUTH_SUBDIRS="$LIB_AUTH_SUBDIRS afskauthlib" ;;
-esac
-;;
-esac
-done
-if test "$LIB_AUTH_SUBDIRS"; then
- AC_MSG_RESULT($LIB_AUTH_SUBDIRS)
-else
- AC_MSG_RESULT(none)
-fi
-
-AC_SUBST(LIB_AUTH_SUBDIRS)dnl
-])
diff --git a/crypto/heimdal-0.6.3/cf/broken-getaddrinfo.m4 b/crypto/heimdal-0.6.3/cf/broken-getaddrinfo.m4
deleted file mode 100644
index a97e438932..0000000000
--- a/crypto/heimdal-0.6.3/cf/broken-getaddrinfo.m4
+++ /dev/null
@@ -1,24 +0,0 @@
-dnl $Id: broken-getaddrinfo.m4,v 1.3.6.1 2004/04/01 07:27:32 joda Exp $
-dnl
-dnl test if getaddrinfo can handle numeric services
-
-AC_DEFUN([rk_BROKEN_GETADDRINFO],[
-AC_CACHE_CHECK([if getaddrinfo handles numeric services], ac_cv_func_getaddrinfo_numserv,
-AC_TRY_RUN([[#include
-#include
-#include
-#include
-
-int
-main(int argc, char **argv)
-{
- struct addrinfo hints, *ai;
- memset(&hints, 0, sizeof(hints));
- hints.ai_flags = AI_PASSIVE;
- hints.ai_socktype = SOCK_STREAM;
- hints.ai_family = PF_UNSPEC;
- if(getaddrinfo(NULL, "17", &hints, &ai) != 0)
- return 1;
- return 0;
-}
-]], ac_cv_func_getaddrinfo_numserv=yes, ac_cv_func_getaddrinfo_numserv=no))])
diff --git a/crypto/heimdal-0.6.3/cf/broken-getnameinfo.m4 b/crypto/heimdal-0.6.3/cf/broken-getnameinfo.m4
deleted file mode 100644
index bf2897b2cd..0000000000
--- a/crypto/heimdal-0.6.3/cf/broken-getnameinfo.m4
+++ /dev/null
@@ -1,28 +0,0 @@
-dnl $Id: broken-getnameinfo.m4,v 1.2.12.1 2004/04/01 07:27:32 joda Exp $
-dnl
-dnl test for broken AIX getnameinfo
-
-AC_DEFUN([rk_BROKEN_GETNAMEINFO],[
-AC_CACHE_CHECK([if getnameinfo is broken], ac_cv_func_getnameinfo_broken,
-AC_TRY_RUN([[#include
-#include
-#include
-#include
-#include
-
-int
-main(int argc, char **argv)
-{
- struct sockaddr_in sin;
- char host[256];
- memset(&sin, 0, sizeof(sin));
-#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
- sin.sin_len = sizeof(sin);
-#endif
- sin.sin_family = AF_INET;
- sin.sin_addr.s_addr = 0xffffffff;
- sin.sin_port = 0;
- return getnameinfo((struct sockaddr*)&sin, sizeof(sin), host, sizeof(host),
- NULL, 0, 0);
-}
-]], ac_cv_func_getnameinfo_broken=no, ac_cv_func_getnameinfo_broken=yes))])
diff --git a/crypto/heimdal-0.6.3/cf/broken-glob.m4 b/crypto/heimdal-0.6.3/cf/broken-glob.m4
deleted file mode 100644
index 4f4211a210..0000000000
--- a/crypto/heimdal-0.6.3/cf/broken-glob.m4
+++ /dev/null
@@ -1,29 +0,0 @@
-dnl $Id: broken-glob.m4,v 1.4.12.1 2004/04/01 07:27:32 joda Exp $
-dnl
-dnl check for glob(3)
-dnl
-AC_DEFUN([AC_BROKEN_GLOB],[
-AC_CACHE_CHECK(for working glob, ac_cv_func_glob_working,
-ac_cv_func_glob_working=yes
-AC_TRY_LINK([
-#include
-#include ],[
-glob(NULL, GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE|
-#ifdef GLOB_MAXPATH
-GLOB_MAXPATH
-#else
-GLOB_LIMIT
-#endif
-,
-NULL, NULL);
-],:,ac_cv_func_glob_working=no,:))
-
-if test "$ac_cv_func_glob_working" = yes; then
- AC_DEFINE(HAVE_GLOB, 1, [define if you have a glob() that groks
- GLOB_BRACE, GLOB_NOCHECK, GLOB_QUOTE, GLOB_TILDE, and GLOB_LIMIT])
-fi
-if test "$ac_cv_func_glob_working" = yes; then
-AC_NEED_PROTO([#include
-#include ],glob)
-fi
-])
diff --git a/crypto/heimdal-0.6.3/cf/broken-realloc.m4 b/crypto/heimdal-0.6.3/cf/broken-realloc.m4
deleted file mode 100644
index e34d23d038..0000000000
--- a/crypto/heimdal-0.6.3/cf/broken-realloc.m4
+++ /dev/null
@@ -1,26 +0,0 @@
-dnl
-dnl $Id: broken-realloc.m4,v 1.1.12.1 2004/04/01 07:27:32 joda Exp $
-dnl
-dnl Test for realloc that doesn't handle NULL as first parameter
-dnl
-AC_DEFUN([rk_BROKEN_REALLOC], [
-AC_CACHE_CHECK(if realloc if broken, ac_cv_func_realloc_broken, [
-ac_cv_func_realloc_broken=no
-AC_TRY_RUN([
-#include
-#include
-
-int main()
-{
- return realloc(NULL, 17) == NULL;
-}
-],:, ac_cv_func_realloc_broken=yes, :)
-])
-if test "$ac_cv_func_realloc_broken" = yes ; then
- AC_DEFINE(BROKEN_REALLOC, 1, [Define if realloc(NULL) doesn't work.])
-fi
-AH_BOTTOM([#ifdef BROKEN_REALLOC
-#define realloc(X, Y) isoc_realloc((X), (Y))
-#define isoc_realloc(X, Y) ((X) ? realloc((X), (Y)) : malloc(Y))
-#endif])
-])
diff --git a/crypto/heimdal-0.6.3/cf/broken-snprintf.m4 b/crypto/heimdal-0.6.3/cf/broken-snprintf.m4
deleted file mode 100644
index 8436733734..0000000000
--- a/crypto/heimdal-0.6.3/cf/broken-snprintf.m4
+++ /dev/null
@@ -1,54 +0,0 @@
-dnl $Id: broken-snprintf.m4,v 1.4.10.1 2004/04/01 07:27:32 joda Exp $
-dnl
-AC_DEFUN([AC_BROKEN_SNPRINTF], [
-AC_CACHE_CHECK(for working snprintf,ac_cv_func_snprintf_working,
-ac_cv_func_snprintf_working=yes
-AC_TRY_RUN([
-#include
-#include
-int main()
-{
- char foo[[3]];
- snprintf(foo, 2, "12");
- return strcmp(foo, "1");
-}],:,ac_cv_func_snprintf_working=no,:))
-
-if test "$ac_cv_func_snprintf_working" = yes; then
- AC_DEFINE_UNQUOTED(HAVE_SNPRINTF, 1, [define if you have a working snprintf])
-fi
-if test "$ac_cv_func_snprintf_working" = yes; then
-AC_NEED_PROTO([#include ],snprintf)
-fi
-])
-
-AC_DEFUN([AC_BROKEN_VSNPRINTF],[
-AC_CACHE_CHECK(for working vsnprintf,ac_cv_func_vsnprintf_working,
-ac_cv_func_vsnprintf_working=yes
-AC_TRY_RUN([
-#include
-#include
-#include
-
-int foo(int num, ...)
-{
- char bar[[3]];
- va_list arg;
- va_start(arg, num);
- vsnprintf(bar, 2, "%s", arg);
- va_end(arg);
- return strcmp(bar, "1");
-}
-
-
-int main()
-{
- return foo(0, "12");
-}],:,ac_cv_func_vsnprintf_working=no,:))
-
-if test "$ac_cv_func_vsnprintf_working" = yes; then
- AC_DEFINE_UNQUOTED(HAVE_VSNPRINTF, 1, [define if you have a working vsnprintf])
-fi
-if test "$ac_cv_func_vsnprintf_working" = yes; then
-AC_NEED_PROTO([#include ],vsnprintf)
-fi
-])
diff --git a/crypto/heimdal-0.6.3/cf/broken.m4 b/crypto/heimdal-0.6.3/cf/broken.m4
deleted file mode 100644
index 92b84dd348..0000000000
--- a/crypto/heimdal-0.6.3/cf/broken.m4
+++ /dev/null
@@ -1,12 +0,0 @@
-dnl $Id: broken.m4,v 1.6 2002/05/19 19:36:52 joda Exp $
-dnl
-dnl
-dnl Same as AC _REPLACE_FUNCS, just define HAVE_func if found in normal
-dnl libraries
-
-AC_DEFUN([AC_BROKEN],
-[AC_FOREACH([rk_func], [$1],
- [AC_CHECK_FUNC(rk_func,
- [AC_DEFINE_UNQUOTED(AS_TR_CPP(HAVE_[]rk_func), 1,
- [Define if you have the function `]rk_func['.])],
- [rk_LIBOBJ(rk_func)])])])
diff --git a/crypto/heimdal-0.6.3/cf/broken2.m4 b/crypto/heimdal-0.6.3/cf/broken2.m4
deleted file mode 100644
index 56ed7a1109..0000000000
--- a/crypto/heimdal-0.6.3/cf/broken2.m4
+++ /dev/null
@@ -1,26 +0,0 @@
-dnl $Id: broken2.m4,v 1.4 2002/05/19 22:16:46 joda Exp $
-dnl
-dnl AC_BROKEN but with more arguments
-
-dnl AC_BROKEN2(func, includes, arguments)
-AC_DEFUN([AC_BROKEN2],
-[AC_MSG_CHECKING([for $1])
-AC_CACHE_VAL(ac_cv_func_[]$1,
-[AC_TRY_LINK([$2],
-[
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_$1) || defined (__stub___$1)
-choke me
-#else
-$1($3)
-#endif
-], [eval "ac_cv_func_[]$1=yes"], [eval "ac_cv_func_[]$1=no"])])
-if eval "test \"\${ac_cv_func_[]$1}\" = yes"; then
- AC_DEFINE_UNQUOTED(AS_TR_CPP(HAVE_[]$1), 1, define)
- AC_MSG_RESULT(yes)
-else
- AC_MSG_RESULT(no)
- rk_LIBOBJ($1)
-fi])
diff --git a/crypto/heimdal-0.6.3/cf/c-attribute.m4 b/crypto/heimdal-0.6.3/cf/c-attribute.m4
deleted file mode 100644
index 6641b7483e..0000000000
--- a/crypto/heimdal-0.6.3/cf/c-attribute.m4
+++ /dev/null
@@ -1,31 +0,0 @@
-dnl
-dnl $Id: c-attribute.m4,v 1.2.34.1 2004/04/01 07:27:32 joda Exp $
-dnl
-
-dnl
-dnl Test for __attribute__
-dnl
-
-AC_DEFUN([AC_C___ATTRIBUTE__], [
-AC_MSG_CHECKING(for __attribute__)
-AC_CACHE_VAL(ac_cv___attribute__, [
-AC_TRY_COMPILE([
-#include
-],
-[
-static void foo(void) __attribute__ ((noreturn));
-
-static void
-foo(void)
-{
- exit(1);
-}
-],
-ac_cv___attribute__=yes,
-ac_cv___attribute__=no)])
-if test "$ac_cv___attribute__" = "yes"; then
- AC_DEFINE(HAVE___ATTRIBUTE__, 1, [define if your compiler has __attribute__])
-fi
-AC_MSG_RESULT($ac_cv___attribute__)
-])
-
diff --git a/crypto/heimdal-0.6.3/cf/c-function.m4 b/crypto/heimdal-0.6.3/cf/c-function.m4
deleted file mode 100644
index 056b890a6c..0000000000
--- a/crypto/heimdal-0.6.3/cf/c-function.m4
+++ /dev/null
@@ -1,33 +0,0 @@
-dnl
-dnl $Id: c-function.m4,v 1.2.34.1 2004/04/01 07:27:32 joda Exp $
-dnl
-
-dnl
-dnl Test for __FUNCTION__
-dnl
-
-AC_DEFUN([AC_C___FUNCTION__], [
-AC_MSG_CHECKING(for __FUNCTION__)
-AC_CACHE_VAL(ac_cv___function__, [
-AC_TRY_RUN([
-#include
-
-static char *foo()
-{
- return __FUNCTION__;
-}
-
-int main()
-{
- return strcmp(foo(), "foo") != 0;
-}
-],
-ac_cv___function__=yes,
-ac_cv___function__=no,
-ac_cv___function__=no)])
-if test "$ac_cv___function__" = "yes"; then
- AC_DEFINE(HAVE___FUNCTION__, 1, [define if your compiler has __FUNCTION__])
-fi
-AC_MSG_RESULT($ac_cv___function__)
-])
-
diff --git a/crypto/heimdal-0.6.3/cf/capabilities.m4 b/crypto/heimdal-0.6.3/cf/capabilities.m4
deleted file mode 100644
index 9b258d597b..0000000000
--- a/crypto/heimdal-0.6.3/cf/capabilities.m4
+++ /dev/null
@@ -1,14 +0,0 @@
-dnl
-dnl $Id: capabilities.m4,v 1.2.20.1 2004/04/01 07:27:32 joda Exp $
-dnl
-
-dnl
-dnl Test SGI capabilities
-dnl
-
-AC_DEFUN([KRB_CAPABILITIES],[
-
-AC_CHECK_HEADERS(capability.h sys/capability.h)
-
-AC_CHECK_FUNCS(sgi_getcapabilitybyname cap_set_proc)
-])
diff --git a/crypto/heimdal-0.6.3/cf/check-compile-et.m4 b/crypto/heimdal-0.6.3/cf/check-compile-et.m4
deleted file mode 100644
index b71833c4d8..0000000000
--- a/crypto/heimdal-0.6.3/cf/check-compile-et.m4
+++ /dev/null
@@ -1,93 +0,0 @@ -dnl $Id: check-compile-et.m4,v 1.7.2.1 2003/08/15 14:40:42 lha Exp $ -dnl -dnl CHECK_COMPILE_ET -AC_DEFUN([CHECK_COMPILE_ET], [ - -AC_CHECK_PROG(COMPILE_ET, compile_et, [compile_et]) - -krb_cv_compile_et="no" -krb_cv_com_err_need_r="" -if test "${COMPILE_ET}" = "compile_et"; then - -dnl We have compile_et. Now let's see if it supports `prefix' and `index'. -AC_MSG_CHECKING(whether compile_et has the features we need) -cat > conftest_et.et <<'EOF' -error_table test conf -prefix CONFTEST -index 1 -error_code CODE1, "CODE1" -index 128 -error_code CODE2, "CODE2" -end -EOF -if ${COMPILE_ET} conftest_et.et >/dev/null 2>&1; then - dnl XXX Some systems have . - save_CPPFLAGS="${CPPFLAGS}" - if test -d "/usr/include/et"; then - CPPFLAGS="-I/usr/include/et ${CPPFLAGS}" - fi - dnl Check that the `prefix' and `index' directives were honored. - AC_TRY_RUN([ -#include -#include -#include "conftest_et.h" -int main(){ -#ifndef ERROR_TABLE_BASE_conf -#error compile_et does not handle error_table N M -#endif -return (CONFTEST_CODE2 - CONFTEST_CODE1) != 127;} - ], [krb_cv_compile_et="yes"],[CPPFLAGS="${save_CPPFLAGS}"]) -fi -AC_MSG_RESULT(${krb_cv_compile_et}) -if test "${krb_cv_compile_et}" = "yes"; then - AC_MSG_CHECKING(for if com_err needs to have a initialize_error_table_r) - AC_EGREP_CPP(initialize_error_table_r,[#include "conftest_et.c"], - [krb_cv_com_err_need_r="initialize_error_table_r(0,0,0,0);"]) - if test X"$krb_cv_com_err_need_r" = X ; then - AC_MSG_RESULT(no) - else - AC_MSG_RESULT(yes) - fi -fi -rm -fr conftest* -fi - -if test "${krb_cv_compile_et}" = "yes"; then - dnl Since compile_et seems to work, let's check libcom_err - krb_cv_save_LIBS="${LIBS}" - LIBS="${LIBS} -lcom_err" - AC_MSG_CHECKING(for com_err) - AC_TRY_LINK([#include ],[ - const char *p; - p = error_message(0); - $krb_cv_com_err_need_r - ],[krb_cv_com_err="yes"],[krb_cv_com_err="no"; CPPFLAGS="${save_CPPFLAGS}"]) - AC_MSG_RESULT(${krb_cv_com_err}) - LIBS="${krb_cv_save_LIBS}" -else - 
dnl Since compile_et doesn't work, forget about libcom_err - krb_cv_com_err="no" -fi - -dnl Only use the system's com_err if we found compile_et, libcom_err, and -dnl com_err.h. -if test "${krb_cv_com_err}" = "yes"; then - DIR_com_err="" - LIB_com_err="-lcom_err" - LIB_com_err_a="" - LIB_com_err_so="" - AC_MSG_NOTICE(Using the already-installed com_err) -else - COMPILE_ET="\$(top_builddir)/lib/com_err/compile_et" - DIR_com_err="com_err" - LIB_com_err="\$(top_builddir)/lib/com_err/libcom_err.la" - LIB_com_err_a="\$(top_builddir)/lib/com_err/.libs/libcom_err.a" - LIB_com_err_so="\$(top_builddir)/lib/com_err/.libs/libcom_err.so" - AC_MSG_NOTICE(Using our own com_err) -fi -AC_SUBST(DIR_com_err) -AC_SUBST(LIB_com_err) -AC_SUBST(LIB_com_err_a) -AC_SUBST(LIB_com_err_so) - -]) diff --git a/crypto/heimdal-0.6.3/cf/check-declaration.m4 b/crypto/heimdal-0.6.3/cf/check-declaration.m4 deleted file mode 100644 index 18bdf8a7a0..0000000000 --- a/crypto/heimdal-0.6.3/cf/check-declaration.m4 +++ /dev/null @@ -1,25 +0,0 @@ -dnl $Id: check-declaration.m4,v 1.3.34.1 2004/04/01 07:27:32 joda Exp $ -dnl -dnl -dnl Check if we need the declaration of a variable -dnl - -dnl AC_HAVE_DECLARATION(includes, variable) -AC_DEFUN([AC_CHECK_DECLARATION], [ -AC_MSG_CHECKING([if $2 is properly declared]) -AC_CACHE_VAL(ac_cv_var_$2_declaration, [ -AC_TRY_COMPILE([$1 -extern struct { int foo; } $2;], -[$2.foo = 1;], -eval "ac_cv_var_$2_declaration=no", -eval "ac_cv_var_$2_declaration=yes") -]) - -define(foo, [HAVE_]translit($2, [a-z], [A-Z])[_DECLARATION]) - -AC_MSG_RESULT($ac_cv_var_$2_declaration) -if eval "test \"\$ac_cv_var_$2_declaration\" = yes"; then - AC_DEFINE(foo, 1, [define if your system declares $2]) -fi -undefine([foo]) -]) diff --git a/crypto/heimdal-0.6.3/cf/check-getpwnam_r-posix.m4 b/crypto/heimdal-0.6.3/cf/check-getpwnam_r-posix.m4 deleted file mode 100644 index d3b1e0f0e0..0000000000 --- a/crypto/heimdal-0.6.3/cf/check-getpwnam_r-posix.m4 +++ /dev/null 
@@ -1,24 +0,0 @@
-dnl $Id: check-getpwnam_r-posix.m4,v 1.2.34.1 2004/04/01 07:27:32 joda Exp $
-dnl
-dnl check for getpwnam_r, and if it's posix or not
-
-AC_DEFUN([AC_CHECK_GETPWNAM_R_POSIX],[
-AC_FIND_FUNC_NO_LIBS(getpwnam_r,c_r)
-if test "$ac_cv_func_getpwnam_r" = yes; then
- AC_CACHE_CHECK(if getpwnam_r is posix,ac_cv_func_getpwnam_r_posix,
- ac_libs="$LIBS"
- LIBS="$LIBS $LIB_getpwnam_r"
- AC_TRY_RUN([
-#include
-int main()
-{
- struct passwd pw, *pwd;
- return getpwnam_r("", &pw, NULL, 0, &pwd) < 0;
-}
-],ac_cv_func_getpwnam_r_posix=yes,ac_cv_func_getpwnam_r_posix=no,:)
-LIBS="$ac_libs")
-if test "$ac_cv_func_getpwnam_r_posix" = yes; then
- AC_DEFINE(POSIX_GETPWNAM_R, 1, [Define if getpwnam_r has POSIX flavour.])
-fi
-fi
-])
\ No newline at end of file
diff --git a/crypto/heimdal-0.6.3/cf/check-man.m4 b/crypto/heimdal-0.6.3/cf/check-man.m4
deleted file mode 100644
index dd04666e54..0000000000
--- a/crypto/heimdal-0.6.3/cf/check-man.m4
+++ /dev/null
@@ -1,58 +0,0 @@ -dnl $Id: check-man.m4,v 1.3.12.1 2004/04/01 07:27:32 joda Exp $ -dnl check how to format manual pages -dnl - -AC_DEFUN([rk_CHECK_MAN], -[AC_PATH_PROG(NROFF, nroff) -AC_PATH_PROG(GROFF, groff) -AC_CACHE_CHECK(how to format man pages,ac_cv_sys_man_format, -[cat > conftest.1 << END -.Dd January 1, 1970 -.Dt CONFTEST 1 -.Sh NAME -.Nm conftest -.Nd -foobar -END - -if test "$NROFF" ; then - for i in "-mdoc" "-mandoc"; do - if "$NROFF" $i conftest.1 2> /dev/null | \ - grep Jan > /dev/null 2>&1 ; then - ac_cv_sys_man_format="$NROFF $i" - break - fi - done -fi -if test "$ac_cv_sys_man_format" = "" -a "$GROFF" ; then - for i in "-mdoc" "-mandoc"; do - if "$GROFF" -Tascii $i conftest.1 2> /dev/null | \ - grep Jan > /dev/null 2>&1 ; then - ac_cv_sys_man_format="$GROFF -Tascii $i" - break - fi - done -fi -if test "$ac_cv_sys_man_format"; then - ac_cv_sys_man_format="$ac_cv_sys_man_format \[$]< > \[$]@" -fi -]) -if test "$ac_cv_sys_man_format"; then - CATMAN="$ac_cv_sys_man_format" - AC_SUBST(CATMAN) -fi -AM_CONDITIONAL(CATMAN, test "$CATMAN") -AC_CACHE_CHECK(extension of pre-formatted manual pages,ac_cv_sys_catman_ext, -[if grep _suffix /etc/man.conf > /dev/null 2>&1; then - ac_cv_sys_catman_ext=0 -else - ac_cv_sys_catman_ext=number -fi -]) -if test "$ac_cv_sys_catman_ext" = number; then - CATMANEXT='$$section' -else - CATMANEXT=0 -fi -AC_SUBST(CATMANEXT) -]) \ No newline at end of file diff --git a/crypto/heimdal-0.6.3/cf/check-netinet-ip-and-tcp.m4 b/crypto/heimdal-0.6.3/cf/check-netinet-ip-and-tcp.m4 deleted file mode 100644 index f169a4f6bd..0000000000 --- a/crypto/heimdal-0.6.3/cf/check-netinet-ip-and-tcp.m4 +++ /dev/null 
@@ -1,33 +0,0 @@
-dnl
-dnl $Id: check-netinet-ip-and-tcp.m4,v 1.3.12.1 2004/04/01 07:27:33 joda Exp $
-dnl
-
-dnl extra magic check for netinet/{ip.h,tcp.h} because on irix 6.5.3
-dnl you have to include standards.h before including these files
-
-AC_DEFUN([CHECK_NETINET_IP_AND_TCP],
-[
-AC_CHECK_HEADERS(standards.h)
-for i in netinet/ip.h netinet/tcp.h; do
-
-cv=`echo "$i" | sed 'y%./+-%__p_%'`
-
-AC_CACHE_CHECK([for $i],ac_cv_header_$cv,
-[AC_TRY_CPP([\
-#ifdef HAVE_STANDARDS_H
-#include
-#endif
-#include <$i>
-],
-eval "ac_cv_header_$cv=yes",
-eval "ac_cv_header_$cv=no")])
-ac_res=`eval echo \\$ac_cv_header_$cv`
-if test "$ac_res" = yes; then
- ac_tr_hdr=HAVE_`echo $i | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
- AC_DEFINE_UNQUOTED($ac_tr_hdr, 1)
-fi
-done
-if false;then
- AC_CHECK_HEADERS(netinet/ip.h netinet/tcp.h)
-fi
-])
diff --git a/crypto/heimdal-0.6.3/cf/check-type-extra.m4 b/crypto/heimdal-0.6.3/cf/check-type-extra.m4
deleted file mode 100644
index 08471a7b82..0000000000
--- a/crypto/heimdal-0.6.3/cf/check-type-extra.m4
+++ /dev/null
@@ -1,23 +0,0 @@
-dnl $Id: check-type-extra.m4,v 1.2.34.1 2004/04/01 07:27:33 joda Exp $
-dnl
-dnl ac_check_type + extra headers
-
-dnl AC_CHECK_TYPE_EXTRA(TYPE, DEFAULT, HEADERS)
-AC_DEFUN([AC_CHECK_TYPE_EXTRA],
-[AC_REQUIRE([AC_HEADER_STDC])dnl
-AC_MSG_CHECKING(for $1)
-AC_CACHE_VAL(ac_cv_type_$1,
-[AC_EGREP_CPP(dnl
-changequote(<<,>>)dnl
-<<$1[^a-zA-Z_0-9]>>dnl
-changequote([,]), [#include
-#if STDC_HEADERS
-#include
-#include
-#endif
-$3], ac_cv_type_$1=yes, ac_cv_type_$1=no)])dnl
-AC_MSG_RESULT($ac_cv_type_$1)
-if test $ac_cv_type_$1 = no; then
- AC_DEFINE($1, $2, [Define this to what the type $1 should be.])
-fi
-])
diff --git a/crypto/heimdal-0.6.3/cf/check-var.m4 b/crypto/heimdal-0.6.3/cf/check-var.m4
deleted file mode 100644
index 1960f724d0..0000000000
--- a/crypto/heimdal-0.6.3/cf/check-var.m4
+++ /dev/null
@@ -1,29 +0,0 @@
-dnl $Id: check-var.m4,v 1.7 2003/02/17 00:44:57 lha Exp $
-dnl
-dnl rk_CHECK_VAR(variable, includes)
-AC_DEFUN([rk_CHECK_VAR], [
-AC_MSG_CHECKING(for $1)
-AC_CACHE_VAL(ac_cv_var_$1, [
-m4_ifval([$2],[
- AC_TRY_LINK([$2
- void * foo() { return &$1; }],
- [foo()],
- ac_cv_var_$1=yes, ac_cv_var_$1=no)])
-if test "$ac_cv_var_$1" != yes ; then
-AC_TRY_LINK([extern int $1;
-int foo() { return $1; }],
- [foo()],
- ac_cv_var_$1=yes, ac_cv_var_$1=no)
-fi
-])
-ac_foo=`eval echo \\$ac_cv_var_$1`
-AC_MSG_RESULT($ac_foo)
-if test "$ac_foo" = yes; then
- AC_DEFINE_UNQUOTED(AS_TR_CPP(HAVE_[]$1), 1,
- [Define if you have the `]$1[' variable.])
- m4_ifval([$2], AC_CHECK_DECLARATION([$2],[$1]))
-fi
-])
-
-AC_WARNING_ENABLE([obsolete])
-AU_DEFUN([AC_CHECK_VAR], [rk_CHECK_VAR([$2], [$1])], [foo])
diff --git a/crypto/heimdal-0.6.3/cf/check-x.m4 b/crypto/heimdal-0.6.3/cf/check-x.m4
deleted file mode 100644
index 53a3d8c982..0000000000
--- a/crypto/heimdal-0.6.3/cf/check-x.m4
+++ /dev/null
@@ -1,52 +0,0 @@ -dnl -dnl See if there is any X11 present -dnl -dnl $Id: check-x.m4,v 1.2.20.1 2004/04/01 07:27:33 joda Exp $ - -AC_DEFUN([KRB_CHECK_X],[ -AC_PATH_XTRA - -# try to figure out if we need any additional ld flags, like -R -# and yes, the autoconf X test is utterly broken -if test "$no_x" != yes; then - AC_CACHE_CHECK(for special X linker flags,krb_cv_sys_x_libs_rpath,[ - ac_save_libs="$LIBS" - ac_save_cflags="$CFLAGS" - CFLAGS="$CFLAGS $X_CFLAGS" - krb_cv_sys_x_libs_rpath="" - krb_cv_sys_x_libs="" - for rflag in "" "-R" "-R " "-rpath "; do - if test "$rflag" = ""; then - foo="$X_LIBS" - else - foo="" - for flag in $X_LIBS; do - case $flag in - -L*) - foo="$foo $flag `echo $flag | sed \"s/-L/$rflag/\"`" - ;; - *) - foo="$foo $flag" - ;; - esac - done - fi - LIBS="$ac_save_libs $foo $X_PRE_LIBS -lX11 $X_EXTRA_LIBS" - AC_TRY_RUN([ - #include - foo() - { - XOpenDisplay(NULL); - } - main() - { - return 0; - } - ], krb_cv_sys_x_libs_rpath="$rflag"; krb_cv_sys_x_libs="$foo"; break,:) - done - LIBS="$ac_save_libs" - CFLAGS="$ac_save_cflags" - ]) - X_LIBS="$krb_cv_sys_x_libs" -fi -]) diff --git a/crypto/heimdal-0.6.3/cf/check-xau.m4 b/crypto/heimdal-0.6.3/cf/check-xau.m4 deleted file mode 100644 index 94f9586b15..0000000000 --- a/crypto/heimdal-0.6.3/cf/check-xau.m4 +++ /dev/null 
@@ -1,64 +0,0 @@ -dnl $Id: check-xau.m4,v 1.3.34.1 2004/04/01 07:27:33 joda Exp $ -dnl -dnl check for Xau{Read,Write}Auth and XauFileName -dnl -AC_DEFUN([AC_CHECK_XAU],[ -save_CFLAGS="$CFLAGS" -CFLAGS="$X_CFLAGS $CFLAGS" -save_LIBS="$LIBS" -dnl LIBS="$X_LIBS $X_PRE_LIBS $X_EXTRA_LIBS $LIBS" -LIBS="$X_PRE_LIBS $X_EXTRA_LIBS $LIBS" -save_LDFLAGS="$LDFLAGS" -LDFLAGS="$LDFLAGS $X_LIBS" - -## check for XauWriteAuth first, so we detect the case where -## XauReadAuth is in -lX11, but XauWriteAuth is only in -lXau this -## could be done by checking for XauReadAuth in -lXau first, but this -## breaks in IRIX 6.5 - -AC_FIND_FUNC_NO_LIBS(XauWriteAuth, X11 Xau) -ac_xxx="$LIBS" -LIBS="$LIB_XauWriteAuth $LIBS" -AC_FIND_FUNC_NO_LIBS(XauReadAuth, X11 Xau) -LIBS="$LIB_XauReadAauth $LIBS" -AC_FIND_FUNC_NO_LIBS(XauFileName, X11 Xau) -LIBS="$ac_xxx" - -## set LIB_XauReadAuth to union of these tests, since this is what the -## Makefiles are using -case "$ac_cv_funclib_XauWriteAuth" in -yes) ;; -no) ;; -*) if test "$ac_cv_funclib_XauReadAuth" = yes; then - if test "$ac_cv_funclib_XauFileName" = yes; then - LIB_XauReadAuth="$LIB_XauWriteAuth" - else - LIB_XauReadAuth="$LIB_XauWriteAuth $LIB_XauFileName" - fi - else - if test "$ac_cv_funclib_XauFileName" = yes; then - LIB_XauReadAuth="$LIB_XauReadAuth $LIB_XauWriteAuth" - else - LIB_XauReadAuth="$LIB_XauReadAuth $LIB_XauWriteAuth $LIB_XauFileName" - fi - fi - ;; -esac - -if test "$AUTOMAKE" != ""; then - AM_CONDITIONAL(NEED_WRITEAUTH, test "$ac_cv_func_XauWriteAuth" != "yes") -else - AC_SUBST(NEED_WRITEAUTH_TRUE) - AC_SUBST(NEED_WRITEAUTH_FALSE) - if test "$ac_cv_func_XauWriteAuth" != "yes"; then - NEED_WRITEAUTH_TRUE= - NEED_WRITEAUTH_FALSE='#' - else - NEED_WRITEAUTH_TRUE='#' - NEED_WRITEAUTH_FALSE= - fi -fi -CFLAGS=$save_CFLAGS -LIBS=$save_LIBS -LDFLAGS=$save_LDFLAGS -]) diff --git a/crypto/heimdal-0.6.3/cf/crypto.m4 b/crypto/heimdal-0.6.3/cf/crypto.m4 deleted file mode 100644 index c79ba4cfc7..0000000000 
--- a/crypto/heimdal-0.6.3/cf/crypto.m4
+++ /dev/null
@@ -1,185 +0,0 @@ -dnl $Id: crypto.m4,v 1.16.2.1 2003/05/05 20:08:32 joda Exp $ -dnl -dnl test for crypto libraries: -dnl - libcrypto (from openssl) -dnl - libdes (from krb4) -dnl - own-built libdes - -m4_define([test_headers], [ - #undef KRB5 /* makes md4.h et al unhappy */ - #ifdef HAVE_OPENSSL - #include - #include - #include - #define OPENSSL_DES_LIBDES_COMPATIBILITY - #include - #include - #include - #else - #include - #include - #include - #include - #include - #endif - #ifdef OLD_HASH_NAMES - typedef struct md4 MD4_CTX; - #define MD4_Init(C) md4_init((C)) - #define MD4_Update(C, D, L) md4_update((C), (D), (L)) - #define MD4_Final(D, C) md4_finito((C), (D)) - typedef struct md5 MD5_CTX; - #define MD5_Init(C) md5_init((C)) - #define MD5_Update(C, D, L) md5_update((C), (D), (L)) - #define MD5_Final(D, C) md5_finito((C), (D)) - typedef struct sha SHA_CTX; - #define SHA1_Init(C) sha_init((C)) - #define SHA1_Update(C, D, L) sha_update((C), (D), (L)) - #define SHA1_Final(D, C) sha_finito((C), (D)) - #endif - ]) -m4_define([test_body], [ - void *schedule = 0; - MD4_CTX md4; - MD5_CTX md5; - SHA_CTX sha1; - - MD4_Init(&md4); - MD5_Init(&md5); - SHA1_Init(&sha1); - #ifdef HAVE_OPENSSL - RAND_status(); - #endif - - des_cbc_encrypt(0, 0, 0, schedule, 0, 0); - RC4(0, 0, 0, 0);]) - - -AC_DEFUN([KRB_CRYPTO],[ -crypto_lib=unknown -AC_WITH_ALL([openssl]) - -DIR_des= - -AC_MSG_CHECKING([for crypto library]) - -openssl=no -old_hash=no - -if test "$crypto_lib" = "unknown" -a "$with_krb4" != "no"; then - save_CPPFLAGS="$CPPFLAGS" - save_LIBS="$LIBS" - - cdirs= clibs= - for i in $LIB_krb4; do - case "$i" in - -L*) cdirs="$cdirs $i";; - -l*) clibs="$clibs $i";; - esac - done - - ires= - for i in $INCLUDE_krb4; do - CFLAGS="-DHAVE_OPENSSL $i $save_CFLAGS" - for j in $cdirs; do - for k in $clibs; do - LIBS="$j $k $save_LIBS" - AC_TRY_LINK(test_headers, test_body, - openssl=yes ires="$i" lres="$j $k"; break 3) - done - done - CFLAGS="$i $save_CFLAGS" - for j in $cdirs; do - for k in 
$clibs; do - LIBS="$j $k $save_LIBS" - AC_TRY_LINK(test_headers, test_body, - openssl=no ires="$i" lres="$j $k"; break 3) - done - done - CFLAGS="-DHAVE_OLD_HASH_NAMES $i $save_CFLAGS" - for j in $cdirs; do - for k in $clibs; do - LIBS="$j $k $save_LIBS" - AC_TRY_LINK(test_headers, test_body, - openssl=no ires="$i" lres="$j $k"; break 3) - done - done - done - - CFLAGS="$save_CFLAGS" - LIBS="$save_LIBS" - if test "$ires" -a "$lres"; then - INCLUDE_des="$ires" - LIB_des="$lres" - crypto_lib=krb4 - AC_MSG_RESULT([same as krb4]) - LIB_des_a='$(LIB_des)' - LIB_des_so='$(LIB_des)' - LIB_des_appl='$(LIB_des)' - fi -fi - -if test "$crypto_lib" = "unknown" -a "$with_openssl" != "no"; then - save_CFLAGS="$CFLAGS" - save_LIBS="$LIBS" - INCLUDE_des= - LIB_des= - if test "$with_openssl_include" != ""; then - INCLUDE_des="-I${with_openssl_include}" - fi - if test "$with_openssl_lib" != ""; then - LIB_des="-L${with_openssl_lib}" - fi - CFLAGS="-DHAVE_OPENSSL ${INCLUDE_des} ${CFLAGS}" - saved_LIB_des="$LIB_des" - for lres in "" "-lnsl -lsocket"; do - LIB_des="${saved_LIB_des} -lcrypto $lres" - LIB_des_a="$LIB_des" - LIB_des_so="$LIB_des" - LIB_des_appl="$LIB_des" - LIBS="${LIBS} ${LIB_des}" - AC_TRY_LINK(test_headers, test_body, [ - crypto_lib=libcrypto openssl=yes - AC_MSG_RESULT([libcrypto]) - ]) - if test "$crypto_lib" = libcrypto ; then - break; - fi - done - CFLAGS="$save_CFLAGS" - LIBS="$save_LIBS" -fi - -if test "$crypto_lib" = "unknown"; then - - DIR_des='des' - LIB_des='$(top_builddir)/lib/des/libdes.la' - LIB_des_a='$(top_builddir)/lib/des/.libs/libdes.a' - LIB_des_so='$(top_builddir)/lib/des/.libs/libdes.so' - LIB_des_appl="-ldes" - - AC_MSG_RESULT([included libdes]) - -fi - -if test "$with_krb4" != no -a "$crypto_lib" != krb4; then - AC_MSG_ERROR([the crypto library used by krb4 lacks features -required by Kerberos 5; to continue, you need to install a newer -Kerberos 4 or configure --without-krb4]) -fi - -if test "$openssl" = "yes"; then - AC_DEFINE([HAVE_OPENSSL], 
1, [define to use openssl's libcrypto]) -fi -if test "$old_hash" = yes; then - AC_DEFINE([HAVE_OLD_HASH_NAMES], 1, - [define if you have hash functions like md4_finito()]) -fi -AM_CONDITIONAL(HAVE_OPENSSL, test "$openssl" = yes)dnl - -AC_SUBST(DIR_des) -AC_SUBST(INCLUDE_des) -AC_SUBST(LIB_des) -AC_SUBST(LIB_des_a) -AC_SUBST(LIB_des_so) -AC_SUBST(LIB_des_appl) -]) diff --git a/crypto/heimdal-0.6.3/cf/db.m4 b/crypto/heimdal-0.6.3/cf/db.m4 deleted file mode 100644 index 7646bf640d..0000000000 --- a/crypto/heimdal-0.6.3/cf/db.m4 +++ /dev/null 
@@ -1,204 +0,0 @@ -dnl $Id: db.m4,v 1.9 2002/09/10 14:29:47 joda Exp $ -dnl -dnl tests for various db libraries -dnl -AC_DEFUN([rk_DB],[ -AC_ARG_ENABLE(berkeley-db, - AC_HELP_STRING([--disable-berkeley-db], - [if you don't want berkeley db]),[ -]) - -have_ndbm=no -db_type=unknown - -if test "$enable_berkeley_db" != no; then - - AC_CHECK_HEADERS([ \ - db4/db.h \ - db3/db.h \ - db.h \ - db_185.h \ - ]) - -dnl db_create is used by db3 and db4 - - AC_FIND_FUNC_NO_LIBS(db_create, db4 db3 db, [ - #include - #ifdef HAVE_DB4_DB_H - #include - #elif defined(HAVE_DB3_DB_H) - #include - #else - #include - #endif - ],[NULL, NULL, 0]) - - if test "$ac_cv_func_db_create" = "yes"; then - db_type=db3 - if test "$ac_cv_funclib_db_create" != "yes"; then - DBLIB="$ac_cv_funclib_db_create" - else - DBLIB="" - fi - AC_DEFINE(HAVE_DB3, 1, [define if you have a berkeley db3/4 library]) - else - -dnl dbopen is used by db1/db2 - - AC_FIND_FUNC_NO_LIBS(dbopen, db2 db, [ - #include - #if defined(HAVE_DB2_DB_H) - #include - #elif defined(HAVE_DB_185_H) - #include - #elif defined(HAVE_DB_H) - #include - #else - #error no db.h - #endif - ],[NULL, 0, 0, 0, NULL]) - - if test "$ac_cv_func_dbopen" = "yes"; then - db_type=db1 - if test "$ac_cv_funclib_dbopen" != "yes"; then - DBLIB="$ac_cv_funclib_dbopen" - else - DBLIB="" - fi - AC_DEFINE(HAVE_DB1, 1, [define if you have a berkeley db1/2 library]) - fi - fi - -dnl test for ndbm compatability - - if test "$ac_cv_func_dbm_firstkey" != yes; then - AC_FIND_FUNC_NO_LIBS2(dbm_firstkey, $ac_cv_funclib_dbopen $ac_cv_funclib_db_create, [ - #include - #define DB_DBM_HSEARCH 1 - #include - DBM *dbm; - ],[NULL]) - - if test "$ac_cv_func_dbm_firstkey" = "yes"; then - if test "$ac_cv_funclib_dbm_firstkey" != "yes"; then - LIB_NDBM="$ac_cv_funclib_dbm_firstkey" - else - LIB_NDBM="" - fi - AC_DEFINE(HAVE_DB_NDBM, 1, [define if you have ndbm compat in db]) - AC_DEFINE(HAVE_NEW_DB, 1, [Define if NDBM really is DB (creates files *.db)]) - else - $as_unset 
ac_cv_func_dbm_firstkey - $as_unset ac_cv_funclib_dbm_firstkey - fi - fi - -fi # berkeley db - -if test "$db_type" = "unknown" -o "$ac_cv_func_dbm_firstkey" = ""; then - - AC_CHECK_HEADERS([ \ - dbm.h \ - ndbm.h \ - ]) - - AC_FIND_FUNC_NO_LIBS(dbm_firstkey, ndbm, [ - #include - #if defined(HAVE_NDBM_H) - #include - #elif defined(HAVE_DBM_H) - #include - #endif - DBM *dbm; - ],[NULL]) - - if test "$ac_cv_func_dbm_firstkey" = "yes"; then - if test "$ac_cv_funclib_dbm_firstkey" != "yes"; then - LIB_NDBM="$ac_cv_funclib_dbm_firstkey" - else - LIB_NDBM="" - fi - AC_DEFINE(HAVE_NDBM, 1, [define if you have a ndbm library])dnl - have_ndbm=yes - if test "$db_type" = "unknown"; then - db_type=ndbm - DBLIB="$LIB_NDBM" - fi - else - - $as_unset ac_cv_func_dbm_firstkey - $as_unset ac_cv_funclib_dbm_firstkey - - AC_CHECK_HEADERS([ \ - gdbm/ndbm.h \ - ]) - - AC_FIND_FUNC_NO_LIBS(dbm_firstkey, gdbm, [ - #include - #include - DBM *dbm; - ],[NULL]) - - if test "$ac_cv_func_dbm_firstkey" = "yes"; then - if test "$ac_cv_funclib_dbm_firstkey" != "yes"; then - LIB_NDBM="$ac_cv_funclib_dbm_firstkey" - else - LIB_NDBM="" - fi - AC_DEFINE(HAVE_NDBM, 1, [define if you have a ndbm library])dnl - have_ndbm=yes - if test "$db_type" = "unknown"; then - db_type=ndbm - DBLIB="$LIB_NDBM" - fi - fi - fi - -fi # unknown - -if test "$have_ndbm" = "yes"; then - AC_MSG_CHECKING([if ndbm is implemented with db]) - AC_TRY_RUN([ -#include -#include -#if defined(HAVE_GDBM_NDBM_H) -#include -#elif defined(HAVE_NDBM_H) -#include -#elif defined(HAVE_DBM_H) -#include -#endif -int main() -{ - DBM *d; - - d = dbm_open("conftest", O_RDWR | O_CREAT, 0666); - if (d == NULL) - return 1; - dbm_close(d); - return 0; -}],[ - if test -f conftest.db; then - AC_MSG_RESULT([yes]) - AC_DEFINE(HAVE_NEW_DB, 1, [Define if NDBM really is DB (creates files *.db)]) - else - AC_MSG_RESULT([no]) - fi],[AC_MSG_RESULT([no])]) -fi - -AM_CONDITIONAL(HAVE_DB1, test "$db_type" = db1)dnl -AM_CONDITIONAL(HAVE_DB3, test "$db_type" = 
db3)dnl -AM_CONDITIONAL(HAVE_NDBM, test "$db_type" = ndbm)dnl - -## it's probably not correct to include LDFLAGS here, but we might -## need it, for now just add any possible -L -z="" -for i in $LDFLAGS; do - case "$i" in - -L*) z="$z $i";; - esac -done -DBLIB="$z $DBLIB" -AC_SUBST(DBLIB)dnl -AC_SUBST(LIB_NDBM)dnl -]) diff --git a/crypto/heimdal-0.6.3/cf/destdirs.m4 b/crypto/heimdal-0.6.3/cf/destdirs.m4 deleted file mode 100644 index 0d56e9cc41..0000000000 --- a/crypto/heimdal-0.6.3/cf/destdirs.m4 +++ /dev/null @@ -1,18 +0,0 @@ -dnl -dnl $Id: destdirs.m4,v 1.2 2002/08/12 15:12:50 joda Exp $ -dnl - -AC_DEFUN([rk_DESTDIRS], [ -# This is done by AC_OUTPUT but we need the result here. -test "x$prefix" = xNONE && prefix=$ac_default_prefix -test "x$exec_prefix" = xNONE && exec_prefix='${prefix}' - -AC_FOREACH([rk_dir], [bin lib libexec localstate sbin sysconf], [ - x="${rk_dir[]dir}" - eval y="$x" - while test "x$y" != "x$x"; do - x="$y" - eval y="$x" - done - AC_DEFINE_UNQUOTED(AS_TR_CPP(rk_dir[]dir), "$x", [path to ]rk_dir[])]) -]) diff --git a/crypto/heimdal-0.6.3/cf/dlopen.m4 b/crypto/heimdal-0.6.3/cf/dlopen.m4 deleted file mode 100644 index 322f8b9e93..0000000000 --- a/crypto/heimdal-0.6.3/cf/dlopen.m4 +++ /dev/null @@ -1,8 +0,0 @@ -dnl -dnl $Id: dlopen.m4,v 1.1 2002/08/28 16:32:16 joda Exp $ -dnl - -AC_DEFUN([rk_DLOPEN], [ - AC_FIND_FUNC_NO_LIBS(dlopen, dl) - AM_CONDITIONAL(HAVE_DLOPEN, test "$ac_cv_funclib_dlopen" != no) -]) diff --git a/crypto/heimdal-0.6.3/cf/find-func-no-libs.m4 b/crypto/heimdal-0.6.3/cf/find-func-no-libs.m4 deleted file mode 100644 index 4410330d31..0000000000 --- a/crypto/heimdal-0.6.3/cf/find-func-no-libs.m4 +++ /dev/null 
@@ -1,9 +0,0 @@
-dnl $Id: find-func-no-libs.m4,v 1.5.20.1 2004/04/01 07:27:33 joda Exp $
-dnl
-dnl
-dnl Look for function in any of the specified libraries
-dnl
-
-dnl AC_FIND_FUNC_NO_LIBS(func, libraries, includes, arguments, extra libs, extra args)
-AC_DEFUN([AC_FIND_FUNC_NO_LIBS], [
-AC_FIND_FUNC_NO_LIBS2([$1], ["" $2], [$3], [$4], [$5], [$6])])
diff --git a/crypto/heimdal-0.6.3/cf/find-func-no-libs2.m4 b/crypto/heimdal-0.6.3/cf/find-func-no-libs2.m4
deleted file mode 100644
index 566504af2f..0000000000
--- a/crypto/heimdal-0.6.3/cf/find-func-no-libs2.m4
+++ /dev/null
@@ -1,63 +0,0 @@ -dnl $Id: find-func-no-libs2.m4,v 1.6.10.1 2004/04/01 07:27:33 joda Exp $ -dnl -dnl -dnl Look for function in any of the specified libraries -dnl - -dnl AC_FIND_FUNC_NO_LIBS2(func, libraries, includes, arguments, extra libs, extra args) -AC_DEFUN([AC_FIND_FUNC_NO_LIBS2], [ - -AC_MSG_CHECKING([for $1]) -AC_CACHE_VAL(ac_cv_funclib_$1, -[ -if eval "test \"\$ac_cv_func_$1\" != yes" ; then - ac_save_LIBS="$LIBS" - for ac_lib in $2; do - case "$ac_lib" in - "") ;; - yes) ac_lib="" ;; - no) continue ;; - -l*) ;; - *) ac_lib="-l$ac_lib" ;; - esac - LIBS="$6 $ac_lib $5 $ac_save_LIBS" - AC_TRY_LINK([$3],[$1($4)],eval "if test -n \"$ac_lib\";then ac_cv_funclib_$1=$ac_lib; else ac_cv_funclib_$1=yes; fi";break) - done - eval "ac_cv_funclib_$1=\${ac_cv_funclib_$1-no}" - LIBS="$ac_save_LIBS" -fi -]) - -eval "ac_res=\$ac_cv_funclib_$1" - -if false; then - AC_CHECK_FUNCS($1) -dnl AC_CHECK_LIBS($2, foo) -fi -# $1 -eval "ac_tr_func=HAVE_[]upcase($1)" -eval "ac_tr_lib=HAVE_LIB[]upcase($ac_res | sed -e 's/-l//')" -eval "LIB_$1=$ac_res" - -case "$ac_res" in - yes) - eval "ac_cv_func_$1=yes" - eval "LIB_$1=" - AC_DEFINE_UNQUOTED($ac_tr_func) - AC_MSG_RESULT([yes]) - ;; - no) - eval "ac_cv_func_$1=no" - eval "LIB_$1=" - AC_MSG_RESULT([no]) - ;; - *) - eval "ac_cv_func_$1=yes" - eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes" - AC_DEFINE_UNQUOTED($ac_tr_func) - AC_DEFINE_UNQUOTED($ac_tr_lib) - AC_MSG_RESULT([yes, in $ac_res]) - ;; -esac -AC_SUBST(LIB_$1) -]) diff --git a/crypto/heimdal-0.6.3/cf/find-func.m4 b/crypto/heimdal-0.6.3/cf/find-func.m4 deleted file mode 100644 index a5916cd2f1..0000000000 --- a/crypto/heimdal-0.6.3/cf/find-func.m4 +++ /dev/null @@ -1,9 +0,0 @@ -dnl $Id: find-func.m4,v 1.1.42.1 2004/04/01 07:27:33 joda Exp $ -dnl -dnl AC_FIND_FUNC(func, libraries, includes, arguments) -AC_DEFUN([AC_FIND_FUNC], [ -AC_FIND_FUNC_NO_LIBS([$1], [$2], [$3], [$4]) -if test -n "$LIB_$1"; then - LIBS="$LIB_$1 $LIBS" -fi -]) 
diff --git a/crypto/heimdal-0.6.3/cf/find-if-not-broken.m4 b/crypto/heimdal-0.6.3/cf/find-if-not-broken.m4
deleted file mode 100644
index 87ea36169d..0000000000
--- a/crypto/heimdal-0.6.3/cf/find-if-not-broken.m4
+++ /dev/null
@@ -1,12 +0,0 @@
-dnl $Id: find-if-not-broken.m4,v 1.4.8.1 2004/04/01 07:27:33 joda Exp $
-dnl
-dnl
-dnl Mix between AC_FIND_FUNC and AC_BROKEN
-dnl
-
-AC_DEFUN([AC_FIND_IF_NOT_BROKEN],
-[AC_FIND_FUNC([$1], [$2], [$3], [$4])
-if eval "test \"$ac_cv_func_$1\" != yes"; then
- rk_LIBOBJ([$1])
-fi
-])
diff --git a/crypto/heimdal-0.6.3/cf/have-pragma-weak.m4 b/crypto/heimdal-0.6.3/cf/have-pragma-weak.m4
deleted file mode 100644
index a13016ad87..0000000000
--- a/crypto/heimdal-0.6.3/cf/have-pragma-weak.m4
+++ /dev/null
@@ -1,37 +0,0 @@
-dnl $Id: have-pragma-weak.m4,v 1.3.34.1 2004/04/01 07:27:33 joda Exp $
-dnl
-AC_DEFUN([AC_HAVE_PRAGMA_WEAK], [
-if test "${enable_shared}" = "yes"; then
-AC_MSG_CHECKING(for pragma weak)
-AC_CACHE_VAL(ac_have_pragma_weak, [
-ac_have_pragma_weak=no
-cat > conftest_foo.$ac_ext <<'EOF'
-[#]line __oline__ "configure"
-#include "confdefs.h"
-#pragma weak foo = _foo
-int _foo = 17;
-EOF
-cat > conftest_bar.$ac_ext <<'EOF'
-[#]line __oline__ "configure"
-#include "confdefs.h"
-extern int foo;
-
-int t() {
- return foo;
-}
-
-int main() {
- return t();
-}
-EOF
-if AC_TRY_EVAL('CC -o conftest $CFLAGS $CPPFLAGS $LDFLAGS conftest_foo.$ac_ext conftest_bar.$ac_ext 1>&AC_FD_CC'); then
-ac_have_pragma_weak=yes
-fi
-rm -rf conftest*
-])
-if test "$ac_have_pragma_weak" = "yes"; then
- AC_DEFINE(HAVE_PRAGMA_WEAK, 1, [Define this if your compiler supports \`#pragma weak.'])dnl
-fi
-AC_MSG_RESULT($ac_have_pragma_weak)
-fi
-])
diff --git a/crypto/heimdal-0.6.3/cf/have-struct-field.m4 b/crypto/heimdal-0.6.3/cf/have-struct-field.m4
deleted file mode 100644
index 341970ae98..0000000000
--- a/crypto/heimdal-0.6.3/cf/have-struct-field.m4
+++ /dev/null
@@ -1,19 +0,0 @@
-dnl $Id: have-struct-field.m4,v 1.6.22.1 2004/04/01 07:27:33 joda Exp $
-dnl
-dnl check for fields in a structure
-dnl
-dnl AC_HAVE_STRUCT_FIELD(struct, field, headers)
-
-AC_DEFUN([AC_HAVE_STRUCT_FIELD], [
-define(cache_val, translit(ac_cv_type_$1_$2, [A-Z ], [a-z_]))
-AC_CACHE_CHECK([for $2 in $1], cache_val,[
-AC_TRY_COMPILE([$3],[$1 x; x.$2;],
-cache_val=yes,
-cache_val=no)])
-if test "$cache_val" = yes; then
- define(foo, translit(HAVE_$1_$2, [a-z ], [A-Z_]))
- AC_DEFINE(foo, 1, [Define if $1 has field $2.])
- undefine([foo])
-fi
-undefine([cache_val])
-])
diff --git a/crypto/heimdal-0.6.3/cf/have-type.m4 b/crypto/heimdal-0.6.3/cf/have-type.m4
deleted file mode 100644
index c764ed6646..0000000000
--- a/crypto/heimdal-0.6.3/cf/have-type.m4
+++ /dev/null
@@ -1,30 +0,0 @@
-dnl $Id: have-type.m4,v 1.6.12.1 2004/04/01 07:27:33 joda Exp $
-dnl
-dnl check for existance of a type
-
-dnl AC_HAVE_TYPE(TYPE,INCLUDES)
-AC_DEFUN([AC_HAVE_TYPE], [
-AC_REQUIRE([AC_HEADER_STDC])
-cv=`echo "$1" | sed 'y%./+- %__p__%'`
-AC_MSG_CHECKING(for $1)
-AC_CACHE_VAL([ac_cv_type_$cv],
-AC_TRY_COMPILE(
-[#include
-#if STDC_HEADERS
-#include
-#include
-#endif
-$2],
-[$1 foo;],
-eval "ac_cv_type_$cv=yes",
-eval "ac_cv_type_$cv=no"))dnl
-ac_foo=`eval echo \\$ac_cv_type_$cv`
-AC_MSG_RESULT($ac_foo)
-if test "$ac_foo" = yes; then
- ac_tr_hdr=HAVE_`echo $1 | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
-if false; then
- AC_CHECK_TYPES($1)
-fi
- AC_DEFINE_UNQUOTED($ac_tr_hdr, 1, [Define if you have type `$1'])
-fi
-])
diff --git a/crypto/heimdal-0.6.3/cf/have-types.m4 b/crypto/heimdal-0.6.3/cf/have-types.m4
deleted file mode 100644
index e36991036d..0000000000
--- a/crypto/heimdal-0.6.3/cf/have-types.m4
+++ /dev/null
@@ -1,12 +0,0 @@
-dnl
-dnl $Id: have-types.m4,v 1.2.12.1 2004/04/01 07:27:33 joda Exp $
-dnl
-
-AC_DEFUN([AC_HAVE_TYPES], [
-for i in $1; do
- AC_HAVE_TYPE($i)
-done
-if false;then
- AC_CHECK_FUNCS($1)
-fi
-])
diff --git a/crypto/heimdal-0.6.3/cf/install-catman.sh b/crypto/heimdal-0.6.3/cf/install-catman.sh deleted file mode 100644 index 4a5aa8ef77..0000000000 --- a/crypto/heimdal-0.6.3/cf/install-catman.sh +++ /dev/null @@ -1,53 +0,0 @@ -#!/bin/sh -# -# $Id: install-catman.sh,v 1.3 2001/09/29 16:05:38 assar Exp $ -# -# install preformatted manual pages - -INSTALL_DATA="$1"; shift -mkinstalldirs="$1"; shift -srcdir="$1"; shift -manbase="$1"; shift -suffix="$1"; shift - -for f in "$@"; do - base=`echo "$f" | sed 's/\(.*\)\.\([^.]*\)$/\1/'` - section=`echo "$f" | sed 's/\(.*\)\.\([^.]*\)$/\2/'` - mandir="$manbase/man$section" - catdir="$manbase/cat$section" - c="$base.cat$section" - - if test -f "$srcdir/$c"; then - if test \! -d "$catdir"; then - eval "$mkinstalldirs $catdir" - fi - eval "echo $INSTALL_DATA $srcdir/$c $catdir/$base.$suffix" - eval "$INSTALL_DATA $srcdir/$c $catdir/$base.$suffix" - fi - for link in `sed -n -e '/SYNOPSIS/q;/DESCRIPTION/q;s/^\.Nm \([^ ]*\).*/\1/p' $srcdir/$f`; do - if [ "$link" != "$base" ]; then - target="$mandir/$link.$section" - for cmd in "ln -f $mandir/$base.$section $target" \ - "ln -s $base.$section $target" \ - "cp -f $mandir/$base.$section $target" - do - if eval "$cmd"; then - eval echo "$cmd" - break - fi - done - if test -f "$srcdir/$c"; then - target="$catdir/$link.$suffix" - for cmd in "ln -f $catdir/$base.$suffix $target" \ - "ln -fs $base.$suffix $target" \ - "cp -f $catdir/$base.$suffix $target" - do - if eval "$cmd"; then - eval echo "$cmd" - break - fi - done - fi - fi - done -done diff --git a/crypto/heimdal-0.6.3/cf/irix.m4 b/crypto/heimdal-0.6.3/cf/irix.m4 deleted file mode 100644 index b62e2c3192..0000000000 --- a/crypto/heimdal-0.6.3/cf/irix.m4 +++ /dev/null 
@@ -1,26 +0,0 @@
-dnl
-dnl $Id: irix.m4,v 1.1 2002/08/28 19:11:44 joda Exp $
-dnl
-
-AC_DEFUN([rk_IRIX],
-[
-irix=no
-case "$host" in
-*-*-irix4*)
- AC_DEFINE([IRIX4], 1,
- [Define if you are running IRIX 4.])
- irix=yes
- ;;
-*-*-irix*)
- irix=yes
- ;;
-esac
-AM_CONDITIONAL(IRIX, test "$irix" != no)dnl
-
-AH_BOTTOM([
-/* IRIX 4 braindamage */
-#if IRIX == 4 && !defined(__STDC__)
-#define __STDC__ 0
-#endif
-])
-])
diff --git a/crypto/heimdal-0.6.3/cf/krb-bigendian.m4 b/crypto/heimdal-0.6.3/cf/krb-bigendian.m4
deleted file mode 100644
index 672cc25d31..0000000000
--- a/crypto/heimdal-0.6.3/cf/krb-bigendian.m4
+++ /dev/null
@@ -1,62 +0,0 @@
-dnl
-dnl $Id: krb-bigendian.m4,v 1.8.6.1 2004/04/01 07:27:33 joda Exp $
-dnl
-
-dnl check if this computer is little or big-endian
-dnl if we can figure it out at compile-time then don't define the cpp symbol
-dnl otherwise test for it and define it. also allow options for overriding
-dnl it when cross-compiling
-
-AC_DEFUN([KRB_C_BIGENDIAN], [
-AC_ARG_ENABLE(bigendian,
- AC_HELP_STRING([--enable-bigendian],[the target is big endian]),
-krb_cv_c_bigendian=yes)
-AC_ARG_ENABLE(littleendian,
- AC_HELP_STRING([--enable-littleendian],[the target is little endian]),
-krb_cv_c_bigendian=no)
-AC_CACHE_CHECK(whether byte order is known at compile time,
-krb_cv_c_bigendian_compile,
-[AC_TRY_COMPILE([
-#include
-#include ],[
-#if !BYTE_ORDER || !BIG_ENDIAN || !LITTLE_ENDIAN
- bogus endian macros
-#endif], krb_cv_c_bigendian_compile=yes, krb_cv_c_bigendian_compile=no)])
-AC_CACHE_CHECK(whether byte ordering is bigendian, krb_cv_c_bigendian,[
- if test "$krb_cv_c_bigendian_compile" = "yes"; then
- AC_TRY_COMPILE([
-#include
-#include ],[
-#if BYTE_ORDER != BIG_ENDIAN
- not big endian
-#endif], krb_cv_c_bigendian=yes, krb_cv_c_bigendian=no)
- else
- AC_TRY_RUN([main () {
- /* Are we little or big endian? From Harbison&Steele. */
- union
- {
- long l;
- char c[sizeof (long)];
- } u;
- u.l = 1;
- exit (u.c[sizeof (long) - 1] == 1);
- }], krb_cv_c_bigendian=no, krb_cv_c_bigendian=yes,
- AC_MSG_ERROR([specify either --enable-bigendian or --enable-littleendian]))
- fi
-])
-if test "$krb_cv_c_bigendian" = "yes"; then
- AC_DEFINE(WORDS_BIGENDIAN, 1, [define if target is big endian])dnl
-fi
-if test "$krb_cv_c_bigendian_compile" = "yes"; then
- AC_DEFINE(ENDIANESS_IN_SYS_PARAM_H, 1, [define if sys/param.h defines the endiness])dnl
-fi
-AH_BOTTOM([
-#if ENDIANESS_IN_SYS_PARAM_H
-# include
-# include
-# if BYTE_ORDER == BIG_ENDIAN
-# define WORDS_BIGENDIAN 1
-# endif
-#endif
-])
-])
diff --git a/crypto/heimdal-0.6.3/cf/krb-func-getcwd-broken.m4 b/crypto/heimdal-0.6.3/cf/krb-func-getcwd-broken.m4
deleted file mode 100644
index e3f9372a6f..0000000000
--- a/crypto/heimdal-0.6.3/cf/krb-func-getcwd-broken.m4
+++ /dev/null
@@ -1,41 +0,0 @@
-dnl $Id: krb-func-getcwd-broken.m4,v 1.3.8.1 2004/04/01 07:27:34 joda Exp $
-dnl
-dnl
-dnl test for broken getcwd in (SunOS braindamage)
-dnl
-
-AC_DEFUN([AC_KRB_FUNC_GETCWD_BROKEN], [
-if test "$ac_cv_func_getcwd" = yes; then
-AC_MSG_CHECKING(if getcwd is broken)
-AC_CACHE_VAL(ac_cv_func_getcwd_broken, [
-ac_cv_func_getcwd_broken=no
-
-AC_TRY_RUN([
-#include
-char *getcwd(char*, int);
-
-void *popen(char *cmd, char *mode)
-{
- errno = ENOTTY;
- return 0;
-}
-
-int main()
-{
- char *ret;
- ret = getcwd(0, 1024);
- if(ret == 0 && errno == ENOTTY)
- return 0;
- return 1;
-}
-], ac_cv_func_getcwd_broken=yes,:,:)
-])
-if test "$ac_cv_func_getcwd_broken" = yes; then
- AC_DEFINE(BROKEN_GETCWD, 1, [Define if getcwd is broken (like in SunOS 4).])dnl
- AC_LIBOBJ(getcwd)
- AC_MSG_RESULT($ac_cv_func_getcwd_broken)
-else
- AC_MSG_RESULT([seems ok])
-fi
-fi
-])
diff --git a/crypto/heimdal-0.6.3/cf/krb-func-getlogin.m4 b/crypto/heimdal-0.6.3/cf/krb-func-getlogin.m4
deleted file mode 100644
index ec091d7897..0000000000
--- a/crypto/heimdal-0.6.3/cf/krb-func-getlogin.m4
+++ /dev/null
@@ -1,22 +0,0 @@
-dnl
-dnl $Id: krb-func-getlogin.m4,v 1.1.32.1 2004/04/01 07:27:34 joda Exp $
-dnl
-dnl test for POSIX (broken) getlogin
-dnl
-
-
-AC_DEFUN([AC_FUNC_GETLOGIN], [
-AC_CHECK_FUNCS(getlogin setlogin)
-if test "$ac_cv_func_getlogin" = yes; then
-AC_CACHE_CHECK(if getlogin is posix, ac_cv_func_getlogin_posix, [
-if test "$ac_cv_func_getlogin" = yes -a "$ac_cv_func_setlogin" = yes; then
- ac_cv_func_getlogin_posix=no
-else
- ac_cv_func_getlogin_posix=yes
-fi
-])
-if test "$ac_cv_func_getlogin_posix" = yes; then
- AC_DEFINE(POSIX_GETLOGIN, 1, [Define if getlogin has POSIX flavour (and not BSD).])
-fi
-fi
-])
diff --git a/crypto/heimdal-0.6.3/cf/krb-ipv6.m4 b/crypto/heimdal-0.6.3/cf/krb-ipv6.m4
deleted file mode 100644
index 1afcbb2883..0000000000
--- a/crypto/heimdal-0.6.3/cf/krb-ipv6.m4
+++ /dev/null
@@ -1,149 +0,0 @@ -dnl $Id: krb-ipv6.m4,v 1.13.8.1 2004/04/01 07:27:34 joda Exp $ -dnl -dnl test for IPv6 -dnl -AC_DEFUN([AC_KRB_IPV6], [ -AC_ARG_WITH(ipv6, - AC_HELP_STRING([--without-ipv6],[do not enable IPv6 support]),[ -if test "$withval" = "no"; then - ac_cv_lib_ipv6=no -fi]) -save_CFLAGS="${CFLAGS}" -AC_CACHE_CHECK([for IPv6 stack type], v6type, -[dnl check for different v6 implementations (by itojun) -v6type=unknown -v6lib=none - -for i in v6d toshiba kame inria zeta linux; do - case $i in - v6d) - AC_EGREP_CPP(yes, [ -#include -#ifdef __V6D__ -yes -#endif], - [v6type=$i; v6lib=v6; - v6libdir=/usr/local/v6/lib; - CFLAGS="-I/usr/local/v6/include $CFLAGS"]) - ;; - toshiba) - AC_EGREP_CPP(yes, [ -#include -#ifdef _TOSHIBA_INET6 -yes -#endif], - [v6type=$i; v6lib=inet6; - v6libdir=/usr/local/v6/lib; - CFLAGS="-DINET6 $CFLAGS"]) - ;; - kame) - AC_EGREP_CPP(yes, [ -#include -#ifdef __KAME__ -yes -#endif], - [v6type=$i; v6lib=inet6; - v6libdir=/usr/local/v6/lib; - CFLAGS="-DINET6 $CFLAGS"]) - ;; - inria) - AC_EGREP_CPP(yes, [ -#include -#ifdef IPV6_INRIA_VERSION -yes -#endif], - [v6type=$i; CFLAGS="-DINET6 $CFLAGS"]) - ;; - zeta) - AC_EGREP_CPP(yes, [ -#include -#ifdef _ZETA_MINAMI_INET6 -yes -#endif], - [v6type=$i; v6lib=inet6; - v6libdir=/usr/local/v6/lib; - CFLAGS="-DINET6 $CFLAGS"]) - ;; - linux) - if test -d /usr/inet6; then - v6type=$i - v6lib=inet6 - v6libdir=/usr/inet6 - CFLAGS="-DINET6 $CFLAGS" - fi - ;; - esac - if test "$v6type" != "unknown"; then - break - fi -done - -if test "$v6lib" != "none"; then - for dir in $v6libdir /usr/local/v6/lib /usr/local/lib; do - if test -d $dir -a -f $dir/lib$v6lib.a; then - LIBS="-L$dir -l$v6lib $LIBS" - break - fi - done -fi -]) - -AC_CACHE_CHECK([for IPv6], ac_cv_lib_ipv6, [ -AC_TRY_LINK([ -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_SYS_SOCKET_H -#include -#endif -#ifdef HAVE_NETINET_IN_H -#include -#endif -#ifdef HAVE_NETINET_IN6_H -#include -#endif -], -[ - struct sockaddr_in6 sin6; - int s; - - s = 
socket(AF_INET6, SOCK_DGRAM, 0); - - sin6.sin6_family = AF_INET6; - sin6.sin6_port = htons(17); - sin6.sin6_addr = in6addr_any; - bind(s, (struct sockaddr *)&sin6, sizeof(sin6)); -], -ac_cv_lib_ipv6=yes, -ac_cv_lib_ipv6=no)]) -if test "$ac_cv_lib_ipv6" = yes; then - AC_DEFINE(HAVE_IPV6, 1, [Define if you have IPv6.]) -else - CFLAGS="${save_CFLAGS}" -fi - -## test for AIX missing in6addr_loopback -if test "$ac_cv_lib_ipv6" = yes; then - AC_CACHE_CHECK([for in6addr_loopback],[ac_cv_var_in6addr_loopback],[ - AC_TRY_LINK([ -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_SYS_SOCKET_H -#include -#endif -#ifdef HAVE_NETINET_IN_H -#include -#endif -#ifdef HAVE_NETINET_IN6_H -#include -#endif],[ -struct sockaddr_in6 sin6; -sin6.sin6_addr = in6addr_loopback; -],ac_cv_var_in6addr_loopback=yes,ac_cv_var_in6addr_loopback=no)]) - if test "$ac_cv_var_in6addr_loopback" = yes; then - AC_DEFINE(HAVE_IN6ADDR_LOOPBACK, 1, - [Define if you have the in6addr_loopback variable]) - fi -fi -]) \ No newline at end of file diff --git a/crypto/heimdal-0.6.3/cf/krb-prog-ln-s.m4 b/crypto/heimdal-0.6.3/cf/krb-prog-ln-s.m4 deleted file mode 100644 index 16a4dff2de..0000000000 --- a/crypto/heimdal-0.6.3/cf/krb-prog-ln-s.m4 +++ /dev/null @@ -1,28 +0,0 @@ -dnl $Id: krb-prog-ln-s.m4,v 1.1.42.1 2004/04/01 07:27:34 joda Exp $ -dnl -dnl -dnl Better test for ln -s, ln or cp -dnl - -AC_DEFUN([AC_KRB_PROG_LN_S], -[AC_MSG_CHECKING(for ln -s or something else) -AC_CACHE_VAL(ac_cv_prog_LN_S, -[rm -f conftestdata -if ln -s X conftestdata 2>/dev/null -then - rm -f conftestdata - ac_cv_prog_LN_S="ln -s" -else - touch conftestdata1 - if ln conftestdata1 conftestdata2; then - rm -f conftestdata* - ac_cv_prog_LN_S=ln - else - ac_cv_prog_LN_S=cp - fi -fi])dnl -LN_S="$ac_cv_prog_LN_S" -AC_MSG_RESULT($ac_cv_prog_LN_S) -AC_SUBST(LN_S)dnl -]) - diff --git a/crypto/heimdal-0.6.3/cf/krb-prog-ranlib.m4 b/crypto/heimdal-0.6.3/cf/krb-prog-ranlib.m4 deleted file mode 100644 index cf061936d7..0000000000 
--- a/crypto/heimdal-0.6.3/cf/krb-prog-ranlib.m4
+++ /dev/null
@@ -1,8 +0,0 @@
-dnl $Id: krb-prog-ranlib.m4,v 1.1.42.1 2004/04/01 07:27:34 joda Exp $
-dnl
-dnl
-dnl Also look for EMXOMF for OS/2
-dnl
-
-AC_DEFUN([AC_KRB_PROG_RANLIB],
-[AC_CHECK_PROGS(RANLIB, ranlib EMXOMF, :)])
diff --git a/crypto/heimdal-0.6.3/cf/krb-prog-yacc.m4 b/crypto/heimdal-0.6.3/cf/krb-prog-yacc.m4
deleted file mode 100644
index 54dd8b4e53..0000000000
--- a/crypto/heimdal-0.6.3/cf/krb-prog-yacc.m4
+++ /dev/null
@@ -1,12 +0,0 @@
-dnl $Id: krb-prog-yacc.m4,v 1.3.16.1 2004/04/01 07:27:34 joda Exp $
-dnl
-dnl
-dnl We prefer byacc or yacc because they do not use `alloca'
-dnl
-
-AC_DEFUN([AC_KRB_PROG_YACC],
-[AC_CHECK_PROGS(YACC, byacc yacc 'bison -y')
-if test "$YACC" = ""; then
- AC_MSG_WARN([yacc not found - some stuff will not build])
-fi
-])
diff --git a/crypto/heimdal-0.6.3/cf/krb-readline.m4 b/crypto/heimdal-0.6.3/cf/krb-readline.m4
deleted file mode 100644
index ed5aa0a33e..0000000000
--- a/crypto/heimdal-0.6.3/cf/krb-readline.m4
+++ /dev/null
@@ -1,39 +0,0 @@
-dnl $Id: krb-readline.m4,v 1.5.6.1 2004/04/01 07:27:34 joda Exp $
-dnl
-dnl Tests for readline functions
-dnl
-
-dnl el_init
-
-AC_DEFUN([KRB_READLINE],[
-AC_FIND_FUNC_NO_LIBS(el_init, edit, [], [], [$LIB_tgetent])
-if test "$ac_cv_func_el_init" = yes ; then
- AC_CACHE_CHECK(for four argument el_init, ac_cv_func_el_init_four,[
- AC_TRY_COMPILE([#include
- #include ],
- [el_init("", NULL, NULL, NULL);],
- ac_cv_func_el_init_four=yes,
- ac_cv_func_el_init_four=no)])
- if test "$ac_cv_func_el_init_four" = yes; then
- AC_DEFINE(HAVE_FOUR_VALUED_EL_INIT, 1, [Define if el_init takes four arguments.])
- fi
-fi
-
-dnl readline
-
-ac_foo=no
-if test "$with_readline" = yes; then
- :
-elif test "$ac_cv_func_readline" = yes; then
- :
-elif test "$ac_cv_func_el_init" = yes; then
- ac_foo=yes
- LIB_readline="\$(top_builddir)/lib/editline/libel_compat.la \$(LIB_el_init) \$(LIB_tgetent)"
-else
- LIB_readline="\$(top_builddir)/lib/editline/libeditline.la \$(LIB_tgetent)"
-fi
-AM_CONDITIONAL(el_compat, test "$ac_foo" = yes)
-AC_DEFINE(HAVE_READLINE, 1,
- [Define if you have a readline compatible library.])dnl
-
-])
diff --git a/crypto/heimdal-0.6.3/cf/krb-struct-spwd.m4 b/crypto/heimdal-0.6.3/cf/krb-struct-spwd.m4
deleted file mode 100644
index 49d8efdbbe..0000000000
--- a/crypto/heimdal-0.6.3/cf/krb-struct-spwd.m4
+++ /dev/null
@@ -1,22 +0,0 @@
-dnl $Id: krb-struct-spwd.m4,v 1.3.32.1 2004/04/01 07:27:34 joda Exp $
-dnl
-dnl Test for `struct spwd'
-
-AC_DEFUN([AC_KRB_STRUCT_SPWD], [
-AC_MSG_CHECKING(for struct spwd)
-AC_CACHE_VAL(ac_cv_struct_spwd, [
-AC_TRY_COMPILE(
-[#include
-#ifdef HAVE_SHADOW_H
-#include
-#endif],
-[struct spwd foo;],
-ac_cv_struct_spwd=yes,
-ac_cv_struct_spwd=no)
-])
-AC_MSG_RESULT($ac_cv_struct_spwd)
-
-if test "$ac_cv_struct_spwd" = "yes"; then
- AC_DEFINE(HAVE_STRUCT_SPWD, 1, [define if you have struct spwd])
-fi
-])
diff --git a/crypto/heimdal-0.6.3/cf/krb-struct-winsize.m4 b/crypto/heimdal-0.6.3/cf/krb-struct-winsize.m4
deleted file mode 100644
index 3fcc527d5b..0000000000
--- a/crypto/heimdal-0.6.3/cf/krb-struct-winsize.m4
+++ /dev/null
@@ -1,25 +0,0 @@
-dnl $Id: krb-struct-winsize.m4,v 1.3.10.1 2004/04/01 07:27:34 joda Exp $
-dnl
-dnl
-dnl Search for struct winsize
-dnl
-
-AC_DEFUN([AC_KRB_STRUCT_WINSIZE], [
-AC_MSG_CHECKING(for struct winsize)
-AC_CACHE_VAL(ac_cv_struct_winsize, [
-ac_cv_struct_winsize=no
-for i in sys/termios.h sys/ioctl.h; do
-AC_EGREP_HEADER(
-struct[[ ]]*winsize,dnl
-$i, ac_cv_struct_winsize=yes; break)dnl
-done
-])
-if test "$ac_cv_struct_winsize" = "yes"; then
- AC_DEFINE(HAVE_STRUCT_WINSIZE, 1, [define if struct winsize is declared in sys/termios.h])
-fi
-AC_MSG_RESULT($ac_cv_struct_winsize)
-AC_EGREP_HEADER(ws_xpixel, termios.h,
- AC_DEFINE(HAVE_WS_XPIXEL, 1, [define if struct winsize has ws_xpixel]))
-AC_EGREP_HEADER(ws_ypixel, termios.h,
- AC_DEFINE(HAVE_WS_YPIXEL, 1, [define if struct winsize has ws_ypixel]))
-])
diff --git a/crypto/heimdal-0.6.3/cf/krb-sys-aix.m4 b/crypto/heimdal-0.6.3/cf/krb-sys-aix.m4
deleted file mode 100644
index 02ba58545d..0000000000
--- a/crypto/heimdal-0.6.3/cf/krb-sys-aix.m4
+++ /dev/null
@@ -1,15 +0,0 @@
-dnl $Id: krb-sys-aix.m4,v 1.1.42.1 2004/04/01 07:27:34 joda Exp $
-dnl
-dnl
-dnl AIX have a very different syscall convention
-dnl
-AC_DEFUN([AC_KRB_SYS_AIX], [
-AC_MSG_CHECKING(for AIX)
-AC_CACHE_VAL(krb_cv_sys_aix,
-AC_EGREP_CPP(yes,
-[#ifdef _AIX
- yes
-#endif
-], krb_cv_sys_aix=yes, krb_cv_sys_aix=no) )
-AC_MSG_RESULT($krb_cv_sys_aix)
-])
diff --git a/crypto/heimdal-0.6.3/cf/krb-sys-nextstep.m4 b/crypto/heimdal-0.6.3/cf/krb-sys-nextstep.m4
deleted file mode 100644
index 1d098bcf6d..0000000000
--- a/crypto/heimdal-0.6.3/cf/krb-sys-nextstep.m4
+++ /dev/null
@@ -1,18 +0,0 @@ -dnl $Id: krb-sys-nextstep.m4,v 1.4.6.1 2004/04/01 07:27:34 joda Exp $ -dnl -dnl NEXTSTEP is not posix compliant by default, -dnl you need a switch -posix to the compiler -dnl - -AC_DEFUN([rk_SYS_NEXTSTEP], [ -AC_CACHE_CHECK(for NeXTSTEP, rk_cv_sys_nextstep, [ -AC_EGREP_CPP(yes, -[#if defined(NeXT) && !defined(__APPLE__) - yes -#endif -], rk_cv_sys_nextstep=yes, rk_cv_sys_nextstep=no)]) -if test "$rk_cv_sys_nextstep" = "yes"; then - CFLAGS="$CFLAGS -posix" - LIBS="$LIBS -posix" -fi -]) diff --git a/crypto/heimdal-0.6.3/cf/krb-version.m4 b/crypto/heimdal-0.6.3/cf/krb-version.m4 deleted file mode 100644 index e452ad081e..0000000000 --- a/crypto/heimdal-0.6.3/cf/krb-version.m4 +++ /dev/null @@ -1,24 +0,0 @@ -dnl $Id: krb-version.m4,v 1.3.6.1 2004/04/01 07:27:34 joda Exp $ -dnl -dnl -dnl output a C header-file with some version strings -dnl - -AC_DEFUN([AC_KRB_VERSION],[ -cat > include/newversion.h.in </dev/null | sed 1q` - Date=`date` - mv -f include/newversion.h.in include/version.h.in - sed -e "s/@USER@/$User/" -e "s/@HOST@/$Host/" -e "s/@DATE@/$Date/" include/version.h.in > include/version.h -fi -]) diff --git a/crypto/heimdal-0.6.3/cf/make-proto.pl b/crypto/heimdal-0.6.3/cf/make-proto.pl deleted file mode 100644 index 769d96cc02..0000000000 --- a/crypto/heimdal-0.6.3/cf/make-proto.pl +++ /dev/null 
@@ -1,239 +0,0 @@ -# Make prototypes from .c files -# $Id: make-proto.pl,v 1.16 2002/09/19 19:29:42 joda Exp $ - -##use Getopt::Std; -require 'getopts.pl'; - -$brace = 0; -$line = ""; -$debug = 0; -$oproto = 1; -$private_func_re = "^_"; - -do Getopts('o:p:dqR:P:') || die "foo"; - -if($opt_d) { - $debug = 1; -} - -if($opt_q) { - $oproto = 0; -} - -if($opt_R) { - $private_func_re = $opt_R; -} - -while(<>) { - print $brace, " ", $_ if($debug); - if(/^\#if 0/) { - $if_0 = 1; - } - if($if_0 && /^\#endif/) { - $if_0 = 0; - } - if($if_0) { next } - if(/^\s*\#/) { - next; - } - if(/^\s*$/) { - $line = ""; - next; - } - if(/\{/){ - if (!/\}/) { - $brace++; - } - $_ = $line; - while(s/\*\//\ca/){ - s/\/\*(.|\n)*\ca//; - } - s/^\s*//; - s/\s*$//; - s/\s+/ /g; - if($_ =~ /\)$/){ - if(!/^static/ && !/^PRIVATE/){ - if(/(.*)(__attribute__\s?\(.*\))/) { - $attr = $2; - $_ = $1; - } else { - $attr = ""; - } - # remove outer () - s/\s*\(//; - # remove , within () - while(s/\(([^()]*),(.*)\)/($1\$$2)/g){} - s/\<\s*void\s*\>/<>/; - # remove parameter names - if($opt_P eq "remove") { - s/(\s*)([a-zA-Z0-9_]+)([,>])/$3/g; - s/\(\*(\s*)([a-zA-Z0-9_]+)\)/(*)/g; - } elsif($opt_P eq "comment") { - s/([a-zA-Z0-9_]+)([,>])/\/\*$1\*\/$2/g; - s/\(\*([a-zA-Z0-9_]+)\)/(*\/\*$1\*\/)/g; - } - s/\<\>//; - # add newlines before parameters - s/,\s*/,\n\t/g; - # fix removed , - s/\$/,/g; - # match function name - /([a-zA-Z0-9_]+)\s*\/$RP/; - # insert newline before function name - s/(.*)\s([a-zA-Z0-9_]+ \Q$LP\E)/$1\n$2/; - if($attr ne "") { - $_ .= "\n $attr"; - } - $_ = $_ . ";"; - $funcs{$f} = $_; - } - } - $line = ""; - } - if(/\}/){ - $brace--; - } - if(/^\}/){ - $brace = 0; - } - if($brace == 0) { - $line = $line . " " . $_; - } -} - -sub foo { - local ($arg) = @_; - $_ = $arg; - s/.*\/([^\/]*)/$1/; - s/[^a-zA-Z0-9]/_/g; - "__" . $_ . 
"__"; -} - -if($opt_o) { - open(OUT, ">$opt_o"); - $block = &foo($opt_o); -} else { - $block = "__public_h__"; -} - -if($opt_p) { - open(PRIV, ">$opt_p"); - $private = &foo($opt_p); -} else { - $private = "__private_h__"; -} - -$public_h = ""; -$private_h = ""; - -$public_h_header = "/* This is a generated file */ -#ifndef $block -#define $block - -"; -if ($oproto) { -$public_h_header .= "#ifdef __STDC__ -#include -#ifndef __P -#define __P(x) x -#endif -#else -#ifndef __P -#define __P(x) () -#endif -#endif - -"; -} else { - $public_h_header .= "#include - -"; -} - -$private_h_header = "/* This is a generated file */ -#ifndef $private -#define $private - -"; -if($oproto) { -$private_h_header .= "#ifdef __STDC__ -#include -#ifndef __P -#define __P(x) x -#endif -#else -#ifndef __P -#define __P(x) () -#endif -#endif - -"; -} else { - $private_h_header .= "#include - -"; -} -foreach(sort keys %funcs){ - if(/^(main)$/) { next } - if(/$private_func_re/) { - $private_h .= $funcs{$_} . "\n\n"; - if($funcs{$_} =~ /__attribute__/) { - $private_attribute_seen = 1; - } - } else { - $public_h .= $funcs{$_} . "\n\n"; - if($funcs{$_} =~ /__attribute__/) { - $public_attribute_seen = 1; - } - } -} - -if ($public_attribute_seen) { - $public_h_header .= "#if !defined(__GNUC__) && !defined(__attribute__) -#define __attribute__(x) -#endif - -"; -} - -if ($private_attribute_seen) { - $private_h_header .= "#if !defined(__GNUC__) && !defined(__attribute__) -#define __attribute__(x) -#endif - -"; -} - - -if ($public_h ne "") { - $public_h = $public_h_header . $public_h . "#endif /* $block */\n"; -} -if ($private_h ne "") { - $private_h = $private_h_header . $private_h . "#endif /* $private */\n"; -} - -if($opt_o) { - print OUT $public_h; -} -if($opt_p) { - print PRIV $private_h; -} - -close OUT; -close PRIV; diff --git a/crypto/heimdal-0.6.3/cf/mips-abi.m4 b/crypto/heimdal-0.6.3/cf/mips-abi.m4 deleted file mode 100644 index 401ee9114a..0000000000 
--- a/crypto/heimdal-0.6.3/cf/mips-abi.m4
+++ /dev/null
@@ -1,87 +0,0 @@ -dnl $Id: mips-abi.m4,v 1.6.8.1 2004/04/01 07:27:34 joda Exp $ -dnl -dnl -dnl Check for MIPS/IRIX ABI flags. Sets $abi and $abilibdirext to some -dnl value. - -AC_DEFUN([AC_MIPS_ABI], [ -AC_ARG_WITH(mips_abi, - AC_HELP_STRING([--with-mips-abi=abi],[ABI to use for IRIX (32, n32, or 64)])) - -case "$host_os" in -irix*) -with_mips_abi="${with_mips_abi:-yes}" -if test -n "$GCC"; then - -# GCC < 2.8 only supports the O32 ABI. GCC >= 2.8 has a flag to select -# which ABI to use, but only supports (as of 2.8.1) the N32 and 64 ABIs. -# -# Default to N32, but if GCC doesn't grok -mabi=n32, we assume an old -# GCC and revert back to O32. The same goes if O32 is asked for - old -# GCCs doesn't like the -mabi option, and new GCCs can't output O32. -# -# Don't you just love *all* the different SGI ABIs? - -case "${with_mips_abi}" in - 32|o32) abi='-mabi=32'; abilibdirext='' ;; - n32|yes) abi='-mabi=n32'; abilibdirext='32' ;; - 64) abi='-mabi=64'; abilibdirext='64' ;; - no) abi=''; abilibdirext='';; - *) AC_MSG_ERROR("Invalid ABI specified") ;; -esac -if test -n "$abi" ; then -ac_foo=krb_cv_gcc_`echo $abi | tr =- __` -dnl -dnl can't use AC_CACHE_CHECK here, since it doesn't quote CACHE-ID to -dnl AC_MSG_RESULT -dnl -AC_MSG_CHECKING([if $CC supports the $abi option]) -AC_CACHE_VAL($ac_foo, [ -save_CFLAGS="$CFLAGS" -CFLAGS="$CFLAGS $abi" -AC_TRY_COMPILE(,int x;, eval $ac_foo=yes, eval $ac_foo=no) -CFLAGS="$save_CFLAGS" -]) -ac_res=`eval echo \\\$$ac_foo` -AC_MSG_RESULT($ac_res) -if test $ac_res = no; then -# Try to figure out why that failed... 
-case $abi in - -mabi=32) - save_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS -mabi=n32" - AC_TRY_COMPILE(,int x;, ac_res=yes, ac_res=no) - CLAGS="$save_CFLAGS" - if test $ac_res = yes; then - # New GCC - AC_MSG_ERROR([$CC does not support the $with_mips_abi ABI]) - fi - # Old GCC - abi='' - abilibdirext='' - ;; - -mabi=n32|-mabi=64) - if test $with_mips_abi = yes; then - # Old GCC, default to O32 - abi='' - abilibdirext='' - else - # Some broken GCC - AC_MSG_ERROR([$CC does not support the $with_mips_abi ABI]) - fi - ;; -esac -fi #if test $ac_res = no; then -fi #if test -n "$abi" ; then -else -case "${with_mips_abi}" in - 32|o32) abi='-32'; abilibdirext='' ;; - n32|yes) abi='-n32'; abilibdirext='32' ;; - 64) abi='-64'; abilibdirext='64' ;; - no) abi=''; abilibdirext='';; - *) AC_MSG_ERROR("Invalid ABI specified") ;; -esac -fi #if test -n "$GCC"; then -;; -esac -]) diff --git a/crypto/heimdal-0.6.3/cf/misc.m4 b/crypto/heimdal-0.6.3/cf/misc.m4 deleted file mode 100644 index a825834f81..0000000000 --- a/crypto/heimdal-0.6.3/cf/misc.m4 +++ /dev/null @@ -1,15 +0,0 @@ - -dnl $Id: misc.m4,v 1.5 2002/05/24 15:35:32 joda Exp $ -dnl -AC_DEFUN([upcase],[`echo $1 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`])dnl -AC_DEFUN([rk_LIBOBJ],[AC_LIBOBJ([$1])])dnl -AC_DEFUN([rk_CONFIG_HEADER],[AH_TOP([#ifndef RCSID -#define RCSID(msg) \ -static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } -#endif - -/* Maximum values on all known systems */ -#define MaxHostNameLen (64+4) -#define MaxPathLen (1024+4) - -])]) \ No newline at end of file diff --git a/crypto/heimdal-0.6.3/cf/need-proto.m4 b/crypto/heimdal-0.6.3/cf/need-proto.m4 deleted file mode 100644 index b3190766e1..0000000000 --- a/crypto/heimdal-0.6.3/cf/need-proto.m4 +++ /dev/null 
@@ -1,24 +0,0 @@
-dnl $Id: need-proto.m4,v 1.4.6.1 2004/04/01 07:27:35 joda Exp $
-dnl
-dnl
-dnl Check if we need the prototype for a function
-dnl
-
-dnl AC_NEED_PROTO(includes, function)
-
-AC_DEFUN([AC_NEED_PROTO], [
-if test "$ac_cv_func_$2+set" != set -o "$ac_cv_func_$2" = yes; then
-AC_CACHE_CHECK([if $2 needs a prototype], ac_cv_func_$2_noproto,
-AC_TRY_COMPILE([$1],
-[struct foo { int foo; } xx;
-extern int $2 (struct foo*);
-$2(&xx);
-],
-eval "ac_cv_func_$2_noproto=yes",
-eval "ac_cv_func_$2_noproto=no"))
-if test "$ac_cv_func_$2_noproto" = yes; then
- AC_DEFINE(AS_TR_CPP(NEED_[]$2[]_PROTO), 1,
- [define if the system is missing a prototype for $2()])
-fi
-fi
-])
diff --git a/crypto/heimdal-0.6.3/cf/osfc2.m4 b/crypto/heimdal-0.6.3/cf/osfc2.m4
deleted file mode 100644
index 3ae889b24f..0000000000
--- a/crypto/heimdal-0.6.3/cf/osfc2.m4
+++ /dev/null
@@ -1,14 +0,0 @@
-dnl $Id: osfc2.m4,v 1.3.8.1 2004/04/01 07:27:35 joda Exp $
-dnl
-dnl enable OSF C2 stuff
-
-AC_DEFUN([AC_CHECK_OSFC2],[
-AC_ARG_ENABLE(osfc2,
- AC_HELP_STRING([--enable-osfc2],[enable some OSF C2 support]))
-LIB_security=
-if test "$enable_osfc2" = yes; then
- AC_DEFINE(HAVE_OSFC2, 1, [Define to enable basic OSF C2 support.])
- LIB_security=-lsecurity
-fi
-AC_SUBST(LIB_security)
-])
diff --git a/crypto/heimdal-0.6.3/cf/otp.m4 b/crypto/heimdal-0.6.3/cf/otp.m4
deleted file mode 100644
index 37265ef291..0000000000
--- a/crypto/heimdal-0.6.3/cf/otp.m4
+++ /dev/null
@@ -1,27 +0,0 @@
-dnl $Id: otp.m4,v 1.2 2002/05/19 20:51:08 joda Exp $
-dnl
-dnl check requirements for OTP library
-dnl
-AC_DEFUN([rk_OTP],[
-AC_REQUIRE([rk_DB])dnl
-AC_ARG_ENABLE(otp,
- AC_HELP_STRING([--disable-otp],[if you don't want OTP support]))
-if test "$enable_otp" = yes -a "$db_type" = unknown; then
- AC_MSG_ERROR([OTP requires a NDBM/DB compatible library])
-fi
-if test "$enable_otp" != no; then
- if test "$db_type" != unknown; then
- enable_otp=yes
- else
- enable_otp=no
- fi
-fi
-if test "$enable_otp" = yes; then
- AC_DEFINE(OTP, 1, [Define if you want OTP support in applications.])
- LIB_otp='$(top_builddir)/lib/otp/libotp.la'
- AC_SUBST(LIB_otp)
-fi
-AC_MSG_CHECKING([whether to enable OTP library])
-AC_MSG_RESULT($enable_otp)
-AM_CONDITIONAL(OTP, test "$enable_otp" = yes)dnl
-])
diff --git a/crypto/heimdal-0.6.3/cf/proto-compat.m4 b/crypto/heimdal-0.6.3/cf/proto-compat.m4
deleted file mode 100644
index a666a558d4..0000000000
--- a/crypto/heimdal-0.6.3/cf/proto-compat.m4
+++ /dev/null
@@ -1,22 +0,0 @@
-dnl $Id: proto-compat.m4,v 1.3.34.1 2004/04/01 07:27:35 joda Exp $
-dnl
-dnl
-dnl Check if the prototype of a function is compatible with another one
-dnl
-
-dnl AC_PROTO_COMPAT(includes, function, prototype)
-
-AC_DEFUN([AC_PROTO_COMPAT], [
-AC_CACHE_CHECK([if $2 is compatible with system prototype],
-ac_cv_func_$2_proto_compat,
-AC_TRY_COMPILE([$1],
-[$3;],
-eval "ac_cv_func_$2_proto_compat=yes",
-eval "ac_cv_func_$2_proto_compat=no"))
-define([foo], translit($2, [a-z], [A-Z])[_PROTO_COMPATIBLE])
-if test "$ac_cv_func_$2_proto_compat" = yes; then
- AC_DEFINE(foo, 1, [define if prototype of $2 is compatible with
- $3])
-fi
-undefine([foo])
-])
\ No newline at end of file
diff --git a/crypto/heimdal-0.6.3/cf/retsigtype.m4 b/crypto/heimdal-0.6.3/cf/retsigtype.m4
deleted file mode 100644
index 465c654540..0000000000
--- a/crypto/heimdal-0.6.3/cf/retsigtype.m4
+++ /dev/null
@@ -1,18 +0,0 @@
-dnl
-dnl $Id: retsigtype.m4,v 1.1.12.1 2004/04/01 07:27:35 joda Exp $
-dnl
-dnl Figure out return type of signal handlers, and define SIGRETURN macro
-dnl that can be used to return from one
-dnl
-AC_DEFUN([rk_RETSIGTYPE],[
-AC_TYPE_SIGNAL
-if test "$ac_cv_type_signal" = "void" ; then
- AC_DEFINE(VOID_RETSIGTYPE, 1, [Define if signal handlers return void.])
-fi
-AC_SUBST(VOID_RETSIGTYPE)
-AH_BOTTOM([#ifdef VOID_RETSIGTYPE
-#define SIGRETURN(x) return
-#else
-#define SIGRETURN(x) return (RETSIGTYPE)(x)
-#endif])
-])
\ No newline at end of file
diff --git a/crypto/heimdal-0.6.3/cf/roken-frag.m4 b/crypto/heimdal-0.6.3/cf/roken-frag.m4
deleted file mode 100644
index 569777a0f2..0000000000
--- a/crypto/heimdal-0.6.3/cf/roken-frag.m4
+++ /dev/null
@@ -1,651 +0,0 @@ -dnl $Id: roken-frag.m4,v 1.45.2.1 2004/04/01 07:27:35 joda Exp $ -dnl -dnl some code to get roken working -dnl -dnl rk_ROKEN(subdir) -dnl -AC_DEFUN([rk_ROKEN], [ - -AC_REQUIRE([rk_CONFIG_HEADER]) - -DIR_roken=roken -LIB_roken='$(top_builddir)/$1/libroken.la' -INCLUDES_roken='-I$(top_builddir)/$1 -I$(top_srcdir)/$1' - -dnl Checks for programs -AC_REQUIRE([AC_PROG_CC]) -AC_REQUIRE([AC_PROG_AWK]) -AC_REQUIRE([AC_OBJEXT]) -AC_REQUIRE([AC_EXEEXT]) -AC_REQUIRE([AC_PROG_LIBTOOL]) - -AC_REQUIRE([AC_MIPS_ABI]) - -dnl C characteristics - -AC_REQUIRE([AC_C___ATTRIBUTE__]) -AC_REQUIRE([AC_C_INLINE]) -AC_REQUIRE([AC_C_CONST]) -AC_WFLAGS(-Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs) - -AC_REQUIRE([rk_DB]) - -dnl C types - -AC_REQUIRE([AC_TYPE_SIZE_T]) -AC_HAVE_TYPE([ssize_t],[#include ]) -AC_REQUIRE([AC_TYPE_PID_T]) -AC_REQUIRE([AC_TYPE_UID_T]) -AC_HAVE_TYPE([long long]) - -AC_REQUIRE([rk_RETSIGTYPE]) - -dnl Checks for header files. 
-AC_REQUIRE([AC_HEADER_STDC]) -AC_REQUIRE([AC_HEADER_TIME]) - -AC_CHECK_HEADERS([\ - arpa/inet.h \ - arpa/nameser.h \ - config.h \ - crypt.h \ - dirent.h \ - errno.h \ - err.h \ - fcntl.h \ - grp.h \ - ifaddrs.h \ - net/if.h \ - netdb.h \ - netinet/in.h \ - netinet/in6.h \ - netinet/in_systm.h \ - netinet6/in6.h \ - netinet6/in6_var.h \ - paths.h \ - pwd.h \ - resolv.h \ - rpcsvc/ypclnt.h \ - shadow.h \ - sys/bswap.h \ - sys/ioctl.h \ - sys/mman.h \ - sys/param.h \ - sys/proc.h \ - sys/resource.h \ - sys/socket.h \ - sys/sockio.h \ - sys/stat.h \ - sys/sysctl.h \ - sys/time.h \ - sys/tty.h \ - sys/types.h \ - sys/uio.h \ - sys/utsname.h \ - sys/wait.h \ - syslog.h \ - termios.h \ - unistd.h \ - userconf.h \ - usersec.h \ - util.h \ - vis.h \ -]) - -AC_REQUIRE([CHECK_NETINET_IP_AND_TCP]) - -AM_CONDITIONAL(have_err_h, test "$ac_cv_header_err_h" = yes) -AM_CONDITIONAL(have_fnmatch_h, test "$ac_cv_header_fnmatch_h" = yes) -AM_CONDITIONAL(have_ifaddrs_h, test "$ac_cv_header_ifaddrs_h" = yes) -AM_CONDITIONAL(have_vis_h, test "$ac_cv_header_vis_h" = yes) - -dnl Check for functions and libraries - -AC_FIND_FUNC(socket, socket) -AC_FIND_FUNC(gethostbyname, nsl) -AC_FIND_FUNC(syslog, syslog) - -AC_KRB_IPV6 - -AC_FIND_FUNC(gethostbyname2, inet6 ip6) - -AC_FIND_FUNC(res_search, resolv, -[ -#include -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_NETINET_IN_H -#include -#endif -#ifdef HAVE_ARPA_NAMESER_H -#include -#endif -#ifdef HAVE_RESOLV_H -#include -#endif -], -[0,0,0,0,0]) - -AC_FIND_FUNC(res_nsearch, resolv, -[ -#include -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_NETINET_IN_H -#include -#endif -#ifdef HAVE_ARPA_NAMESER_H -#include -#endif -#ifdef HAVE_RESOLV_H -#include -#endif -], -[0,0,0,0,0,0]) - -AC_FIND_FUNC(dn_expand, resolv, -[ -#include -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_NETINET_IN_H -#include -#endif -#ifdef HAVE_ARPA_NAMESER_H -#include -#endif -#ifdef HAVE_RESOLV_H -#include -#endif -], -[0,0,0,0,0]) - 
-rk_CHECK_VAR(_res, -[#include -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_NETINET_IN_H -#include -#endif -#ifdef HAVE_ARPA_NAMESER_H -#include -#endif -#ifdef HAVE_RESOLV_H -#include -#endif]) - - -AC_BROKEN_SNPRINTF -AC_BROKEN_VSNPRINTF - -AC_BROKEN_GLOB -if test "$ac_cv_func_glob_working" != yes; then - AC_LIBOBJ(glob) -fi -AM_CONDITIONAL(have_glob_h, test "$ac_cv_func_glob_working" = yes) - - -AC_CHECK_FUNCS([ \ - asnprintf \ - asprintf \ - atexit \ - cgetent \ - getconfattr \ - getprogname \ - getrlimit \ - getspnam \ - initstate \ - issetugid \ - on_exit \ - random \ - setprogname \ - setstate \ - strsvis \ - strunvis \ - strvis \ - strvisx \ - svis \ - sysconf \ - sysctl \ - uname \ - unvis \ - vasnprintf \ - vasprintf \ - vis \ -]) - -if test "$ac_cv_func_cgetent" = no; then - AC_LIBOBJ(getcap) -fi - -AC_REQUIRE([AC_FUNC_GETLOGIN]) - -AC_REQUIRE([AC_FUNC_MMAP]) - -AC_FIND_FUNC_NO_LIBS(getsockopt,, -[#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_SYS_SOCKET_H -#include -#endif], -[0,0,0,0,0]) -AC_FIND_FUNC_NO_LIBS(setsockopt,, -[#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_SYS_SOCKET_H -#include -#endif], -[0,0,0,0,0]) - -AC_FIND_IF_NOT_BROKEN(hstrerror, resolv, -[#ifdef HAVE_NETDB_H -#include -#endif], -17) -AC_NEED_PROTO([ -#ifdef HAVE_NETDB_H -#include -#endif], -hstrerror) - -AC_FOREACH([rk_func], [asprintf vasprintf asnprintf vasnprintf], - [AC_NEED_PROTO([ - #include - #include ], - rk_func)]) - -AC_FIND_FUNC_NO_LIBS(bswap16,, -[#ifdef HAVE_SYS_BSWAP_H -#include -#endif],0) - -AC_FIND_FUNC_NO_LIBS(bswap32,, -[#ifdef HAVE_SYS_BSWAP_H -#include -#endif],0) - -AC_FIND_FUNC_NO_LIBS(pidfile,util, -[#ifdef HAVE_UTIL_H -#include -#endif],0) - -AC_FIND_IF_NOT_BROKEN(getaddrinfo,, -[#ifdef HAVE_NETDB_H -#include -#endif],[0,0,0,0]) - -AC_FIND_IF_NOT_BROKEN(getnameinfo,, -[#ifdef HAVE_NETDB_H -#include -#endif],[0,0,0,0,0,0,0]) - -AC_FIND_IF_NOT_BROKEN(freeaddrinfo,, -[#ifdef HAVE_NETDB_H -#include -#endif],[0]) - 
-AC_FIND_IF_NOT_BROKEN(gai_strerror,,
-[#ifdef HAVE_NETDB_H
-#include
-#endif],[0])
-
-AC_BROKEN([ \
- chown \
- copyhostent \
- daemon \
- ecalloc \
- emalloc \
- erealloc \
- estrdup \
- err \
- errx \
- fchown \
- flock \
- fnmatch \
- freehostent \
- getcwd \
- getdtablesize \
- getegid \
- geteuid \
- getgid \
- gethostname \
- getifaddrs \
- getipnodebyaddr \
- getipnodebyname \
- getopt \
- gettimeofday \
- getuid \
- getusershell \
- initgroups \
- innetgr \
- iruserok \
- localtime_r \
- lstat \
- memmove \
- mkstemp \
- putenv \
- rcmd \
- readv \
- recvmsg \
- sendmsg \
- setegid \
- setenv \
- seteuid \
- strcasecmp \
- strdup \
- strerror \
- strftime \
- strlcat \
- strlcpy \
- strlwr \
- strncasecmp \
- strndup \
- strnlen \
- strptime \
- strsep \
- strsep_copy \
- strtok_r \
- strupr \
- swab \
- unsetenv \
- verr \
- verrx \
- vsyslog \
- vwarn \
- vwarnx \
- warn \
- warnx \
- writev \
-])
-
-AC_FOREACH([rk_func], [strndup strsep strtok_r],
- [AC_NEED_PROTO([#include ], rk_func)])
-
-AC_FOREACH([rk_func], [strsvis strunvis strvis strvisx svis unvis vis],
-[AC_NEED_PROTO([#ifdef HAVE_VIS_H
-#include
-#endif], rk_func)])
-
-AC_BROKEN2(inet_aton,
-[#ifdef HAVE_SYS_TYPES_H
-#include
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include
-#endif
-#ifdef HAVE_ARPA_INET_H
-#include
-#endif],
-[0,0])
-
-AC_BROKEN2(inet_ntop,
-[#ifdef HAVE_SYS_TYPES_H
-#include
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include
-#endif
-#ifdef HAVE_ARPA_INET_H
-#include
-#endif],
-[0, 0, 0, 0])
-
-AC_BROKEN2(inet_pton,
-[#ifdef HAVE_SYS_TYPES_H
-#include
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include
-#endif
-#ifdef HAVE_ARPA_INET_H
-#include
-#endif],
-[0,0,0])
-
-dnl
-dnl Check for sa_len in struct sockaddr,
-dnl needs to come before the getnameinfo test
-dnl
-AC_HAVE_STRUCT_FIELD(struct sockaddr, sa_len, [#include
-#include ])
-
-if test "$ac_cv_func_getnameinfo" = "yes"; then
- rk_BROKEN_GETNAMEINFO
- if test "$ac_cv_func_getnameinfo_broken" = yes; then
- AC_LIBOBJ(getnameinfo)
- fi
-fi
-
-if test "$ac_cv_func_getaddrinfo" = "yes"; then
- rk_BROKEN_GETADDRINFO
- if test "$ac_cv_func_getaddrinfo_numserv" = no; then
- AC_LIBOBJ(getaddrinfo)
- AC_LIBOBJ(freeaddrinfo)
- fi
-fi
-
-AC_NEED_PROTO([#include ], setenv)
-AC_NEED_PROTO([#include ], unsetenv)
-AC_NEED_PROTO([#include ], gethostname)
-AC_NEED_PROTO([#include ], mkstemp)
-AC_NEED_PROTO([#include ], getusershell)
-
-AC_NEED_PROTO([
-#ifdef HAVE_SYS_TYPES_H
-#include
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include
-#endif
-#ifdef HAVE_ARPA_INET_H
-#include
-#endif],
-inet_aton)
-
-AC_FIND_FUNC_NO_LIBS(crypt, crypt)dnl
-
-AC_REQUIRE([rk_BROKEN_REALLOC])dnl
-
-dnl AC_KRB_FUNC_GETCWD_BROKEN
-
-dnl
-dnl Checks for prototypes and declarations
-dnl
-
-AC_PROTO_COMPAT([
-#ifdef HAVE_SYS_TYPES_H
-#include
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include
-#endif
-#ifdef HAVE_ARPA_INET_H
-#include
-#endif
-#ifdef HAVE_NETDB_H
-#include
-#endif
-],
-gethostbyname, struct hostent *gethostbyname(const char *))
-
-AC_PROTO_COMPAT([
-#ifdef HAVE_SYS_TYPES_H
-#include
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include
-#endif
-#ifdef HAVE_ARPA_INET_H
-#include
-#endif
-#ifdef HAVE_NETDB_H
-#include
-#endif
-],
-gethostbyaddr, struct hostent *gethostbyaddr(const void *, size_t, int))
-
-AC_PROTO_COMPAT([
-#ifdef HAVE_SYS_TYPES_H
-#include
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include
-#endif
-#ifdef HAVE_ARPA_INET_H
-#include
-#endif
-#ifdef HAVE_NETDB_H
-#include
-#endif
-],
-getservbyname, struct servent *getservbyname(const char *, const char *))
-
-AC_PROTO_COMPAT([
-#ifdef HAVE_SYS_TYPES_H
-#include
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include
-#endif
-],
-getsockname, int getsockname(int, struct sockaddr*, socklen_t*))
-
-AC_PROTO_COMPAT([
-#ifdef HAVE_SYSLOG_H
-#include
-#endif
-],
-openlog, void openlog(const char *, int, int))
-
-AC_NEED_PROTO([
-#ifdef HAVE_CRYPT_H
-#include
-#endif
-#ifdef HAVE_UNISTD_H
-#include
-#endif
-],
-crypt)
-
-dnl variables
-
-rk_CHECK_VAR(h_errno,
-[#ifdef HAVE_SYS_TYPES_H
-#include
-#endif
-#ifdef HAVE_NETDB_H
-#include
-#endif])
-
-rk_CHECK_VAR(h_errlist,
-[#ifdef HAVE_NETDB_H
-#include
-#endif])
-
-rk_CHECK_VAR(h_nerr,
-[#ifdef HAVE_NETDB_H
-#include
-#endif])
-
-rk_CHECK_VAR([__progname],
-[#ifdef HAVE_ERR_H
-#include
-#endif])
-
-AC_CHECK_DECLARATION([#include
-#ifdef HAVE_UNISTD_H
-#include
-#endif], optarg)
-AC_CHECK_DECLARATION([#include
-#ifdef HAVE_UNISTD_H
-#include
-#endif], optind)
-AC_CHECK_DECLARATION([#include
-#ifdef HAVE_UNISTD_H
-#include
-#endif], opterr)
-AC_CHECK_DECLARATION([#include
-#ifdef HAVE_UNISTD_H
-#include
-#endif], optopt)
-
-AC_CHECK_DECLARATION([#include ], environ)
-
-dnl
-dnl Check for fields in struct tm
-dnl
-
-AC_HAVE_STRUCT_FIELD(struct tm, tm_gmtoff, [#include ])
-AC_HAVE_STRUCT_FIELD(struct tm, tm_zone, [#include ])
-
-dnl
-dnl or do we have a variable `timezone' ?
-dnl
-
-rk_CHECK_VAR(timezone,[#include ])
-rk_CHECK_VAR(altzone,[#include ])
-
-AC_HAVE_TYPE([sa_family_t],[#include ])
-AC_HAVE_TYPE([socklen_t],[#include ])
-AC_HAVE_TYPE([struct sockaddr], [#include ])
-AC_HAVE_TYPE([struct sockaddr_storage], [#include ])
-AC_HAVE_TYPE([struct addrinfo], [#include ])
-AC_HAVE_TYPE([struct ifaddrs], [#include ])
-AC_HAVE_TYPE([struct iovec],[
-#include
-#include
-])
-AC_HAVE_TYPE([struct msghdr],[
-#include
-#include
-])
-
-dnl
-dnl Check for struct winsize
-dnl
-
-AC_KRB_STRUCT_WINSIZE
-
-dnl
-dnl Check for struct spwd
-dnl
-
-AC_KRB_STRUCT_SPWD
-
-dnl won't work with automake
-dnl moved to AC_OUTPUT in configure.in
-dnl AC_CONFIG_FILES($1/Makefile)
-
-LIB_roken="${LIB_roken} \$(LIB_crypt) \$(LIB_dbopen)"
-
-AC_SUBST(DIR_roken)dnl
-AC_SUBST(LIB_roken)dnl
-AC_SUBST(INCLUDES_roken)dnl
-])
diff --git a/crypto/heimdal-0.6.3/cf/roken.m4 b/crypto/heimdal-0.6.3/cf/roken.m4
deleted file mode 100644
index 04a8076c83..0000000000
--- a/crypto/heimdal-0.6.3/cf/roken.m4
+++ /dev/null
@@ -1,64 +0,0 @@
-dnl $Id: roken.m4,v 1.3.8.1 2004/04/01 07:27:35 joda Exp $
-dnl
-dnl try to look for an installed roken library with sufficient stuff
-dnl
-dnl set LIB_roken to the what we should link with
-dnl set DIR_roken to if the directory should be built
-dnl set CPPFLAGS_roken to stuff to add to CPPFLAGS
-
-dnl AC_ROKEN(version,directory-to-try,roken-dir,fallback-library,fallback-cppflags)
-AC_DEFUN([AC_ROKEN], [
-
-AC_ARG_WITH(roken,
- AC_HELP_STRING([--with-roken=dir],[use the roken library in dir]),
-[if test "$withval" = "no"; then
- AC_MSG_ERROR(roken is required)
-fi])
-
-save_CPPFLAGS="${CPPFLAGS}"
-
-case $with_roken in
-yes|"")
- dirs="$2" ;;
-*)
- dirs="$with_roken" ;;
-esac
-
-roken_installed=no
-
-for i in $dirs; do
-
-AC_MSG_CHECKING(for roken in $i)
-
-CPPFLAGS="-I$i/include ${CPPFLAGS}"
-
-AC_TRY_CPP(
-[#include
-#if ROKEN_VERSION < $1
-#error old roken version, should be $1
-fail
-#endif
-],[roken_installed=yes; break])
-
-AC_MSG_RESULT($roken_installed)
-
-done
-
-CPPFLAGS="$save_CPPFLAGS"
-
-if test "$roken_installed" != "yes"; then
- DIR_roken="roken"
- LIB_roken='$4'
- CPPFLAGS_roken='$5'
- AC_CONFIG_SUBDIRS(lib/roken)
-else
- LIB_roken="$i/lib/libroken.la"
- CPPFLAGS_roken="-I$i/include"
-fi
-
-LIB_roken="${LIB_roken} \$(LIB_crypt) \$(LIB_dbopen)"
-
-AC_SUBST(LIB_roken)dnl
-AC_SUBST(DIR_roken)dnl
-AC_SUBST(CPPFLAGS_roken)dnl
-])
diff --git a/crypto/heimdal-0.6.3/cf/sunos.m4 b/crypto/heimdal-0.6.3/cf/sunos.m4
deleted file mode 100644
index 6572d0b80f..0000000000
--- a/crypto/heimdal-0.6.3/cf/sunos.m4
+++ /dev/null
@@ -1,25 +0,0 @@
-dnl
-dnl $Id: sunos.m4,v 1.2 2002/10/16 14:42:13 joda Exp $
-dnl
-
-AC_DEFUN([rk_SUNOS],[
-sunos=no
-case "$host" in
-*-*-sunos4*)
- sunos=40
- ;;
-*-*-solaris2.7)
- sunos=57
- ;;
-*-*-solaris2.[[89]])
- sunos=58
- ;;
-*-*-solaris2*)
- sunos=50
- ;;
-esac
-if test "$sunos" != no; then
- AC_DEFINE_UNQUOTED(SunOS, $sunos,
- [Define to what version of SunOS you are running.])
-fi
-])
\ No newline at end of file
diff --git a/crypto/heimdal-0.6.3/cf/telnet.m4 b/crypto/heimdal-0.6.3/cf/telnet.m4
deleted file mode 100644
index add065c3d8..0000000000
--- a/crypto/heimdal-0.6.3/cf/telnet.m4
+++ /dev/null
@@ -1,78 +0,0 @@
-dnl
-dnl $Id: telnet.m4,v 1.1 2002/08/28 19:19:01 joda Exp $
-dnl
-dnl stuff used by telnet
-
-AC_DEFUN([rk_TELNET],[
-AC_DEFINE(AUTHENTICATION, 1,
- [Define if you want authentication support in telnet.])dnl
-AC_DEFINE(ENCRYPTION, 1,
- [Define if you want encryption support in telnet.])dnl
-AC_DEFINE(DES_ENCRYPTION, 1,
- [Define if you want to use DES encryption in telnet.])dnl
-AC_DEFINE(DIAGNOSTICS, 1,
- [Define this to enable diagnostics in telnet.])dnl
-AC_DEFINE(OLD_ENVIRON, 1,
- [Define this to enable old environment option in telnet.])dnl
-if false; then
- AC_DEFINE(ENV_HACK, 1,
- [Define this if you want support for broken ENV_{VAR,VAL} telnets.])
-fi
-
-# Simple test for streamspty, based on the existance of getmsg(), alas
-# this breaks on SunOS4 which have streams but BSD-like ptys
-#
-# And also something wierd has happend with dec-osf1, fallback to bsd-ptys
-
-case "$host" in
-*-*-aix3*|*-*-sunos4*|*-*-osf*|*-*-hpux1[[01]]*)
- ;;
-*)
- AC_CHECK_FUNC(getmsg)
- if test "$ac_cv_func_getmsg" = "yes"; then
- AC_CACHE_CHECK([if getmsg works], ac_cv_func_getmsg_works,
- AC_TRY_RUN([
- #include
- #include
-
- int main()
- {
- int ret;
- ret = getmsg(open("/dev/null", 0), NULL, NULL, NULL);
- if(ret < 0 && errno == ENOSYS)
- return 1;
- return 0;
- }
- ], ac_cv_func_getmsg_works=yes,
- ac_cv_func_getmsg_works=no,
- ac_cv_func_getmsg_works=no))
- if test "$ac_cv_func_getmsg_works" = "yes"; then
- AC_DEFINE(HAVE_GETMSG, 1,
- [Define if you have a working getmsg.])
- AC_DEFINE(STREAMSPTY, 1,
- [Define if you have streams ptys.])
- fi
- fi
- ;;
-esac
-
-AH_BOTTOM([
-#if defined(ENCRYPTION) && !defined(AUTHENTICATION)
-#define AUTHENTICATION 1
-#endif
-
-/* Set this to the default system lead string for telnetd
- * can contain %-escapes: %s=sysname, %m=machine, %r=os-release
- * %v=os-version, %t=tty, %h=hostname, %d=date and time
- */
-#undef USE_IM
-
-/* Used with login -p */
-#undef LOGIN_ARGS
-
-/* set this to a sensible login */
-#ifndef LOGIN_PATH
-#define LOGIN_PATH BINDIR "/login"
-#endif
-])
-])
diff --git a/crypto/heimdal-0.6.3/cf/test-package.m4 b/crypto/heimdal-0.6.3/cf/test-package.m4
deleted file mode 100644
index dd38e1e623..0000000000
--- a/crypto/heimdal-0.6.3/cf/test-package.m4
+++ /dev/null
@@ -1,125 +0,0 @@
-dnl $Id: test-package.m4,v 1.12.4.1 2004/04/01 07:27:35 joda Exp $
-dnl
-dnl rk_TEST_PACKAGE(package,headers,libraries,extra libs,
-dnl default locations, conditional, config-program)
-
-AC_DEFUN([rk_TEST_PACKAGE],[
-AC_ARG_WITH($1,
- AC_HELP_STRING([--with-$1=dir],[use $1 in dir]))
-AC_ARG_WITH($1-lib,
- AC_HELP_STRING([--with-$1-lib=dir],[use $1 libraries in dir]),
-[if test "$withval" = "yes" -o "$withval" = "no"; then
- AC_MSG_ERROR([No argument for --with-$1-lib])
-elif test "X$with_$1" = "X"; then
- with_$1=yes
-fi])
-AC_ARG_WITH($1-include,
- AC_HELP_STRING([--with-$1-include=dir],[use $1 headers in dir]),
-[if test "$withval" = "yes" -o "$withval" = "no"; then
- AC_MSG_ERROR([No argument for --with-$1-include])
-elif test "X$with_$1" = "X"; then
- with_$1=yes
-fi])
-AC_ARG_WITH($1-config,
- AC_HELP_STRING([--with-$1-config=path],[config program for $1]))
-
-m4_ifval([$6],
- m4_define([rk_pkgname], $6),
- m4_define([rk_pkgname], AS_TR_CPP($1)))
-
-AC_MSG_CHECKING(for $1)
-
-case "$with_$1" in
-yes|"") d='$5' ;;
-no) d= ;;
-*) d="$with_$1" ;;
-esac
-
-header_dirs=
-lib_dirs=
-for i in $d; do
- if test "$with_$1_include" = ""; then
- if test -d "$i/include/$1"; then
- header_dirs="$header_dirs $i/include/$1"
- fi
- if test -d "$i/include"; then
- header_dirs="$header_dirs $i/include"
- fi
- fi
- if test "$with_$1_lib" = ""; then
- if test -d "$i/lib$abilibdirext"; then
- lib_dirs="$lib_dirs $i/lib$abilibdirext"
- fi
- fi
-done
-
-if test "$with_$1_include"; then
- header_dirs="$with_$1_include $header_dirs"
-fi
-if test "$with_$1_lib"; then
- lib_dirs="$with_$1_lib $lib_dirs"
-fi
-
-if test "$with_$1_config" = ""; then
- with_$1_config='$7'
-fi
-
-$1_cflags=
-$1_libs=
-
-case "$with_$1_config" in
-yes|no|"")
- ;;
-*)
- $1_cflags="`$with_$1_config --cflags 2>&1`"
- $1_libs="`$with_$1_config --libs 2>&1`"
- ;;
-esac
-
-found=no
-if test "$with_$1" != no; then
- save_CFLAGS="$CFLAGS"
- save_LIBS="$LIBS"
- if test "$[]$1_cflags" -a "$[]$1_libs"; then
- CFLAGS="$[]$1_cflags $save_CFLAGS"
- LIBS="$[]$1_libs $save_LIBS"
- AC_TRY_LINK([$2],,[
- INCLUDE_$1="$[]$1_cflags"
- LIB_$1="$[]$1_libs"
- AC_MSG_RESULT([from $with_$1_config])
- found=yes])
- fi
- if test "$found" = no; then
- ires= lres=
- for i in $header_dirs; do
- CFLAGS="-I$i $save_CFLAGS"
- AC_TRY_COMPILE([$2],,ires=$i;break)
- done
- for i in $lib_dirs; do
- LIBS="-L$i $3 $4 $save_LIBS"
- AC_TRY_LINK([$2],,lres=$i;break)
- done
- if test "$ires" -a "$lres" -a "$with_$1" != "no"; then
- INCLUDE_$1="-I$ires"
- LIB_$1="-L$lres $3 $4"
- found=yes
- AC_MSG_RESULT([headers $ires, libraries $lres])
- fi
- fi
- CFLAGS="$save_CFLAGS"
- LIBS="$save_LIBS"
-fi
-
-if test "$found" = yes; then
- AC_DEFINE_UNQUOTED(rk_pkgname, 1, [Define if you have the $1 package.])
- with_$1=yes
-else
- with_$1=no
- INCLUDE_$1=
- LIB_$1=
- AC_MSG_RESULT(no)
-fi
-
-AC_SUBST(INCLUDE_$1)
-AC_SUBST(LIB_$1)
-])
diff --git a/crypto/heimdal-0.6.3/cf/wflags.m4 b/crypto/heimdal-0.6.3/cf/wflags.m4
deleted file mode 100644
index 4051f29887..0000000000
--- a/crypto/heimdal-0.6.3/cf/wflags.m4
+++ /dev/null
@@ -1,21 +0,0 @@
-dnl $Id: wflags.m4,v 1.3.34.1 2004/04/01 07:27:35 joda Exp $
-dnl
-dnl set WFLAGS
-
-AC_DEFUN([AC_WFLAGS],[
-WFLAGS_NOUNUSED=""
-WFLAGS_NOIMPLICITINT=""
-if test -z "$WFLAGS" -a "$GCC" = "yes"; then
- # -Wno-implicit-int for broken X11 headers
- # leave these out for now:
- # -Wcast-align doesn't work well on alpha osf/1
- # -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast
- # -Wmissing-declarations -Wnested-externs
- WFLAGS="ifelse($#, 0,-Wall, $1)"
- WFLAGS_NOUNUSED="-Wno-unused"
- WFLAGS_NOIMPLICITINT="-Wno-implicit-int"
-fi
-AC_SUBST(WFLAGS)dnl
-AC_SUBST(WFLAGS_NOUNUSED)dnl
-AC_SUBST(WFLAGS_NOIMPLICITINT)dnl
-])
diff --git a/crypto/heimdal-0.6.3/cf/with-all.m4 b/crypto/heimdal-0.6.3/cf/with-all.m4
deleted file mode 100644
index 1b9d39ff14..0000000000
--- a/crypto/heimdal-0.6.3/cf/with-all.m4
+++ /dev/null
@@ -1,42 +0,0 @@
-dnl
-dnl $Id: with-all.m4,v 1.1 2001/08/29 17:01:23 assar Exp $
-dnl
-
-dnl AC_WITH_ALL(name)
-
-AC_DEFUN([AC_WITH_ALL], [
-AC_ARG_WITH($1,
- AC_HELP_STRING([--with-$1=dir],
- [use $1 in dir]))
-
-AC_ARG_WITH($1-lib,
- AC_HELP_STRING([--with-$1-lib=dir],
- [use $1 libraries in dir]),
-[if test "$withval" = "yes" -o "$withval" = "no"; then
- AC_MSG_ERROR([No argument for --with-$1-lib])
-elif test "X$with_$1" = "X"; then
- with_$1=yes
-fi])
-
-AC_ARG_WITH($1-include,
- AC_HELP_STRING([--with-$1-include=dir],
- [use $1 headers in dir]),
-[if test "$withval" = "yes" -o "$withval" = "no"; then
- AC_MSG_ERROR([No argument for --with-$1-include])
-elif test "X$with_$1" = "X"; then
- with_$1=yes
-fi])
-
-case "$with_$1" in
-yes) ;;
-no) ;;
-"") ;;
-*) if test "$with_$1_include" = ""; then
- with_$1_include="$with_$1/include"
- fi
- if test "$with_$1_lib" = ""; then
- with_$1_lib="$with_$1/lib$abilibdirext"
- fi
- ;;
-esac
-])
\ No newline at end of file
diff --git a/crypto/heimdal-0.6.3/compile b/crypto/heimdal-0.6.3/compile
deleted file mode 100644
index a81e000ae1..0000000000
--- a/crypto/heimdal-0.6.3/compile
+++ /dev/null
@@ -1,136 +0,0 @@ -#! /bin/sh -# Wrapper for compilers which do not understand `-c -o'. - -scriptversion=2003-11-09.00 - -# Copyright (C) 1999, 2000, 2003 Free Software Foundation, Inc. -# Written by Tom Tromey . -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2, or (at your option) -# any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. - -# As a special exception to the GNU General Public License, if you -# distribute this file as part of a program that contains a -# configuration script generated by Autoconf, you may include it under -# the same distribution terms that you use for the rest of that program. - -# This file is maintained in Automake, please report -# bugs to or send patches to -# . - -case $1 in - '') - echo "$0: No command. Try \`$0 --help' for more information." 1>&2 - exit 1; - ;; - -h | --h*) - cat <<\EOF -Usage: compile [--help] [--version] PROGRAM [ARGS] - -Wrapper for compilers which do not understand `-c -o'. -Remove `-o dest.o' from ARGS, run PROGRAM with the remaining -arguments, and rename the output as expected. - -If you are trying to build a whole package this is not the -right script to run: please start by reading the file `INSTALL'. - -Report bugs to . 
-EOF - exit 0 - ;; - -v | --v*) - echo "compile $scriptversion" - exit 0 - ;; -esac - - -prog=$1 -shift - -ofile= -cfile= -args= -while test $# -gt 0; do - case "$1" in - -o) - # configure might choose to run compile as `compile cc -o foo foo.c'. - # So we do something ugly here. - ofile=$2 - shift - case "$ofile" in - *.o | *.obj) - ;; - *) - args="$args -o $ofile" - ofile= - ;; - esac - ;; - *.c) - cfile=$1 - args="$args $1" - ;; - *) - args="$args $1" - ;; - esac - shift -done - -if test -z "$ofile" || test -z "$cfile"; then - # If no `-o' option was seen then we might have been invoked from a - # pattern rule where we don't need one. That is ok -- this is a - # normal compilation that the losing compiler can handle. If no - # `.c' file was seen then we are probably linking. That is also - # ok. - exec "$prog" $args -fi - -# Name of file we expect compiler to create. -cofile=`echo $cfile | sed -e 's|^.*/||' -e 's/\.c$/.o/'` - -# Create the lock directory. -# Note: use `[/.-]' here to ensure that we don't use the same name -# that we are using for the .o file. Also, base the name on the expected -# object file name, since that is what matters with a parallel build. -lockdir=`echo $cofile | sed -e 's|[/.-]|_|g'`.d -while true; do - if mkdir $lockdir > /dev/null 2>&1; then - break - fi - sleep 1 -done -# FIXME: race condition here if user kills between mkdir and trap. -trap "rmdir $lockdir; exit 1" 1 2 15 - -# Run the compile. -"$prog" $args -status=$? - -if test -f "$cofile"; then - mv "$cofile" "$ofile" -fi - -rmdir $lockdir -exit $status - -# Local Variables: -# mode: shell-script -# sh-indentation: 2 -# eval: (add-hook 'write-file-hooks 'time-stamp) -# time-stamp-start: "scriptversion=" -# time-stamp-format: "%:y-%02m-%02d.%02H" -# time-stamp-end: "$" -# End: diff --git a/crypto/heimdal-0.6.3/config.guess b/crypto/heimdal-0.6.3/config.guess deleted file mode 100644 index 0773d0f631..0000000000 --- a/crypto/heimdal-0.6.3/config.guess +++ /dev/null 
@@ -1,1456 +0,0 @@ -#! /bin/sh -# Attempt to guess a canonical system name. -# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, -# 2000, 2001, 2002, 2003 Free Software Foundation, Inc. - -timestamp='2004-03-03' - -# This file is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -# -# As a special exception to the GNU General Public License, if you -# distribute this file as part of a program that contains a -# configuration script generated by Autoconf, you may include it under -# the same distribution terms that you use for the rest of that program. - -# Originally written by Per Bothner . -# Please send patches to . Submit a context -# diff and a properly formatted ChangeLog entry. -# -# This script attempts to guess a canonical system name similar to -# config.sub. If it succeeds, it prints the system name on stdout, and -# exits with 0. Otherwise, it exits with 1. -# -# The plan is that this can be called by configure scripts if you -# don't specify an explicit build system type. - -me=`echo "$0" | sed -e 's,.*/,,'` - -usage="\ -Usage: $0 [OPTION] - -Output the configuration name of the system \`$me' is run on. - -Operation modes: - -h, --help print this help, then exit - -t, --time-stamp print date of last modification, then exit - -v, --version print version number, then exit - -Report bugs and patches to ." 
- -version="\ -GNU config.guess ($timestamp) - -Originally written by Per Bothner. -Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001 -Free Software Foundation, Inc. - -This is free software; see the source for copying conditions. There is NO -warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." - -help=" -Try \`$me --help' for more information." - -# Parse command line -while test $# -gt 0 ; do - case $1 in - --time-stamp | --time* | -t ) - echo "$timestamp" ; exit 0 ;; - --version | -v ) - echo "$version" ; exit 0 ;; - --help | --h* | -h ) - echo "$usage"; exit 0 ;; - -- ) # Stop option processing - shift; break ;; - - ) # Use stdin as input. - break ;; - -* ) - echo "$me: invalid option $1$help" >&2 - exit 1 ;; - * ) - break ;; - esac -done - -if test $# != 0; then - echo "$me: too many arguments$help" >&2 - exit 1 -fi - -trap 'exit 1' 1 2 15 - -# CC_FOR_BUILD -- compiler used by this script. Note that the use of a -# compiler to aid in system detection is discouraged as it requires -# temporary files to be created and, as you can see below, it is a -# headache to deal with in a portable fashion. - -# Historically, `CC_FOR_BUILD' used to be named `HOST_CC'. We still -# use `HOST_CC' if defined, but it is deprecated. - -# Portable tmp directory creation inspired by the Autoconf team. 
- -set_cc_for_build=' -trap "exitcode=\$?; (rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null) && exit \$exitcode" 0 ; -trap "rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null; exit 1" 1 2 13 15 ; -: ${TMPDIR=/tmp} ; - { tmp=`(umask 077 && mktemp -d -q "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } || - { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir $tmp) ; } || - { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir $tmp) && echo "Warning: creating insecure temp directory" >&2 ; } || - { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } ; -dummy=$tmp/dummy ; -tmpfiles="$dummy.c $dummy.o $dummy.rel $dummy" ; -case $CC_FOR_BUILD,$HOST_CC,$CC in - ,,) echo "int x;" > $dummy.c ; - for c in cc gcc c89 c99 ; do - if ($c -c -o $dummy.o $dummy.c) >/dev/null 2>&1 ; then - CC_FOR_BUILD="$c"; break ; - fi ; - done ; - if test x"$CC_FOR_BUILD" = x ; then - CC_FOR_BUILD=no_compiler_found ; - fi - ;; - ,,*) CC_FOR_BUILD=$CC ;; - ,*,*) CC_FOR_BUILD=$HOST_CC ;; -esac ;' - -# This is needed to find uname on a Pyramid OSx when run in the BSD universe. -# (ghazi@noc.rutgers.edu 1994-08-24) -if (test -f /.attbin/uname) >/dev/null 2>&1 ; then - PATH=$PATH:/.attbin ; export PATH -fi - -UNAME_MACHINE=`(uname -m) 2>/dev/null` || UNAME_MACHINE=unknown -UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown -UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown -UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown - -# Note: order is significant - the case branches are not exclusive. - -case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in - *:NetBSD:*:*) - # NetBSD (nbsd) targets should (where applicable) match one or - # more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*, - # *-*-netbsdecoff* and *-*-netbsd*. For targets that recently - # switched to ELF, *-*-netbsd* would select the old - # object file format. 
This provides both forward - # compatibility and a consistent mechanism for selecting the - # object file format. - # - # Note: NetBSD doesn't particularly care about the vendor - # portion of the name. We always set it to "unknown". - sysctl="sysctl -n hw.machine_arch" - UNAME_MACHINE_ARCH=`(/sbin/$sysctl 2>/dev/null || \ - /usr/sbin/$sysctl 2>/dev/null || echo unknown)` - case "${UNAME_MACHINE_ARCH}" in - armeb) machine=armeb-unknown ;; - arm*) machine=arm-unknown ;; - sh3el) machine=shl-unknown ;; - sh3eb) machine=sh-unknown ;; - *) machine=${UNAME_MACHINE_ARCH}-unknown ;; - esac - # The Operating System including object format, if it has switched - # to ELF recently, or will in the future. - case "${UNAME_MACHINE_ARCH}" in - arm*|i386|m68k|ns32k|sh3*|sparc|vax) - eval $set_cc_for_build - if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \ - | grep __ELF__ >/dev/null - then - # Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout). - # Return netbsd for either. FIX? - os=netbsd - else - os=netbsdelf - fi - ;; - *) - os=netbsd - ;; - esac - # The OS release - # Debian GNU/NetBSD machines have a different userland, and - # thus, need a distinct triplet. However, they do not need - # kernel version information, so it can be replaced with a - # suitable tag, in the style of linux-gnu. - case "${UNAME_VERSION}" in - Debian*) - release='-gnu' - ;; - *) - release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'` - ;; - esac - # Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM: - # contains redundant information, the shorter form: - # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used. 
- echo "${machine}-${os}${release}" - exit 0 ;; - amd64:OpenBSD:*:*) - echo x86_64-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - amiga:OpenBSD:*:*) - echo m68k-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - arc:OpenBSD:*:*) - echo mipsel-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - cats:OpenBSD:*:*) - echo arm-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - hp300:OpenBSD:*:*) - echo m68k-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - mac68k:OpenBSD:*:*) - echo m68k-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - macppc:OpenBSD:*:*) - echo powerpc-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - mvme68k:OpenBSD:*:*) - echo m68k-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - mvme88k:OpenBSD:*:*) - echo m88k-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - mvmeppc:OpenBSD:*:*) - echo powerpc-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - pegasos:OpenBSD:*:*) - echo powerpc-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - pmax:OpenBSD:*:*) - echo mipsel-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - sgi:OpenBSD:*:*) - echo mipseb-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - sun3:OpenBSD:*:*) - echo m68k-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - wgrisc:OpenBSD:*:*) - echo mipsel-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - *:OpenBSD:*:*) - echo ${UNAME_MACHINE}-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - *:ekkoBSD:*:*) - echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE} - exit 0 ;; - macppc:MirBSD:*:*) - echo powerppc-unknown-mirbsd${UNAME_RELEASE} - exit 0 ;; - *:MirBSD:*:*) - echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE} - exit 0 ;; - alpha:OSF1:*:*) - case $UNAME_RELEASE in - *4.0) - UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'` - ;; - *5.*) - UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'` - ;; - esac - # According to Compaq, /usr/sbin/psrinfo has been available on - # OSF/1 and Tru64 systems produced since 1995. I hope that - # covers most systems running today. 
This code pipes the CPU - # types through head -n 1, so we only detect the type of CPU 0. - ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^ The alpha \(.*\) processor.*$/\1/p' | head -n 1` - case "$ALPHA_CPU_TYPE" in - "EV4 (21064)") - UNAME_MACHINE="alpha" ;; - "EV4.5 (21064)") - UNAME_MACHINE="alpha" ;; - "LCA4 (21066/21068)") - UNAME_MACHINE="alpha" ;; - "EV5 (21164)") - UNAME_MACHINE="alphaev5" ;; - "EV5.6 (21164A)") - UNAME_MACHINE="alphaev56" ;; - "EV5.6 (21164PC)") - UNAME_MACHINE="alphapca56" ;; - "EV5.7 (21164PC)") - UNAME_MACHINE="alphapca57" ;; - "EV6 (21264)") - UNAME_MACHINE="alphaev6" ;; - "EV6.7 (21264A)") - UNAME_MACHINE="alphaev67" ;; - "EV6.8CB (21264C)") - UNAME_MACHINE="alphaev68" ;; - "EV6.8AL (21264B)") - UNAME_MACHINE="alphaev68" ;; - "EV6.8CX (21264D)") - UNAME_MACHINE="alphaev68" ;; - "EV6.9A (21264/EV69A)") - UNAME_MACHINE="alphaev69" ;; - "EV7 (21364)") - UNAME_MACHINE="alphaev7" ;; - "EV7.9 (21364A)") - UNAME_MACHINE="alphaev79" ;; - esac - # A Pn.n version is a patched version. - # A Vn.n version is a released version. - # A Tn.n version is a released field test version. - # A Xn.n version is an unreleased experimental baselevel. - # 1.2 uses "1.2" for uname -r. - echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` - exit 0 ;; - Alpha*:OpenVMS:*:*) - echo alpha-hp-vms - exit 0 ;; - Alpha\ *:Windows_NT*:*) - # How do we know it's Interix rather than the generic POSIX subsystem? - # Should we change UNAME_MACHINE based on the output of uname instead - # of the specific Alpha model? 
- echo alpha-pc-interix - exit 0 ;; - 21064:Windows_NT:50:3) - echo alpha-dec-winnt3.5 - exit 0 ;; - Amiga*:UNIX_System_V:4.0:*) - echo m68k-unknown-sysv4 - exit 0;; - *:[Aa]miga[Oo][Ss]:*:*) - echo ${UNAME_MACHINE}-unknown-amigaos - exit 0 ;; - *:[Mm]orph[Oo][Ss]:*:*) - echo ${UNAME_MACHINE}-unknown-morphos - exit 0 ;; - *:OS/390:*:*) - echo i370-ibm-openedition - exit 0 ;; - *:OS400:*:*) - echo powerpc-ibm-os400 - exit 0 ;; - arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*) - echo arm-acorn-riscix${UNAME_RELEASE} - exit 0;; - SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*) - echo hppa1.1-hitachi-hiuxmpp - exit 0;; - Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*) - # akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE. - if test "`(/bin/universe) 2>/dev/null`" = att ; then - echo pyramid-pyramid-sysv3 - else - echo pyramid-pyramid-bsd - fi - exit 0 ;; - NILE*:*:*:dcosx) - echo pyramid-pyramid-svr4 - exit 0 ;; - DRS?6000:unix:4.0:6*) - echo sparc-icl-nx6 - exit 0 ;; - DRS?6000:UNIX_SV:4.2*:7*) - case `/usr/bin/uname -p` in - sparc) echo sparc-icl-nx7 && exit 0 ;; - esac ;; - sun4H:SunOS:5.*:*) - echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` - exit 0 ;; - sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*) - echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` - exit 0 ;; - i86pc:SunOS:5.*:*) - echo i386-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` - exit 0 ;; - sun4*:SunOS:6*:*) - # According to config.sub, this is the proper way to canonicalize - # SunOS6. Hard to guess exactly what SunOS6 will be like, but - # it's likely to be more like Solaris than SunOS4. - echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` - exit 0 ;; - sun4*:SunOS:*:*) - case "`/usr/bin/arch -k`" in - Series*|S4*) - UNAME_RELEASE=`uname -v` - ;; - esac - # Japanese Language versions have a version number like `4.1.3-JL'. 
- echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'` - exit 0 ;; - sun3*:SunOS:*:*) - echo m68k-sun-sunos${UNAME_RELEASE} - exit 0 ;; - sun*:*:4.2BSD:*) - UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null` - test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3 - case "`/bin/arch`" in - sun3) - echo m68k-sun-sunos${UNAME_RELEASE} - ;; - sun4) - echo sparc-sun-sunos${UNAME_RELEASE} - ;; - esac - exit 0 ;; - aushp:SunOS:*:*) - echo sparc-auspex-sunos${UNAME_RELEASE} - exit 0 ;; - # The situation for MiNT is a little confusing. The machine name - # can be virtually everything (everything which is not - # "atarist" or "atariste" at least should have a processor - # > m68000). The system name ranges from "MiNT" over "FreeMiNT" - # to the lowercase version "mint" (or "freemint"). Finally - # the system name "TOS" denotes a system which is actually not - # MiNT. But MiNT is downward compatible to TOS, so this should - # be no problem. - atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*) - echo m68k-atari-mint${UNAME_RELEASE} - exit 0 ;; - atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*) - echo m68k-atari-mint${UNAME_RELEASE} - exit 0 ;; - *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*) - echo m68k-atari-mint${UNAME_RELEASE} - exit 0 ;; - milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*) - echo m68k-milan-mint${UNAME_RELEASE} - exit 0 ;; - hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*) - echo m68k-hades-mint${UNAME_RELEASE} - exit 0 ;; - *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*) - echo m68k-unknown-mint${UNAME_RELEASE} - exit 0 ;; - m68k:machten:*:*) - echo m68k-apple-machten${UNAME_RELEASE} - exit 0 ;; - powerpc:machten:*:*) - echo powerpc-apple-machten${UNAME_RELEASE} - exit 0 ;; - RISC*:Mach:*:*) - echo mips-dec-mach_bsd4.3 - exit 0 ;; - RISC*:ULTRIX:*:*) - echo mips-dec-ultrix${UNAME_RELEASE} - exit 0 ;; - VAX*:ULTRIX*:*:*) - echo vax-dec-ultrix${UNAME_RELEASE} - exit 0 ;; - 
2020:CLIX:*:* | 2430:CLIX:*:*) - echo clipper-intergraph-clix${UNAME_RELEASE} - exit 0 ;; - mips:*:*:UMIPS | mips:*:*:RISCos) - eval $set_cc_for_build - sed 's/^ //' << EOF >$dummy.c -#ifdef __cplusplus -#include /* for printf() prototype */ - int main (int argc, char *argv[]) { -#else - int main (argc, argv) int argc; char *argv[]; { -#endif - #if defined (host_mips) && defined (MIPSEB) - #if defined (SYSTYPE_SYSV) - printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0); - #endif - #if defined (SYSTYPE_SVR4) - printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0); - #endif - #if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD) - printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0); - #endif - #endif - exit (-1); - } -EOF - $CC_FOR_BUILD -o $dummy $dummy.c \ - && $dummy `echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` \ - && exit 0 - echo mips-mips-riscos${UNAME_RELEASE} - exit 0 ;; - Motorola:PowerMAX_OS:*:*) - echo powerpc-motorola-powermax - exit 0 ;; - Motorola:*:4.3:PL8-*) - echo powerpc-harris-powermax - exit 0 ;; - Night_Hawk:*:*:PowerMAX_OS | Synergy:PowerMAX_OS:*:*) - echo powerpc-harris-powermax - exit 0 ;; - Night_Hawk:Power_UNIX:*:*) - echo powerpc-harris-powerunix - exit 0 ;; - m88k:CX/UX:7*:*) - echo m88k-harris-cxux7 - exit 0 ;; - m88k:*:4*:R4*) - echo m88k-motorola-sysv4 - exit 0 ;; - m88k:*:3*:R3*) - echo m88k-motorola-sysv3 - exit 0 ;; - AViiON:dgux:*:*) - # DG/UX returns AViiON for all architectures - UNAME_PROCESSOR=`/usr/bin/uname -p` - if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ] - then - if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \ - [ ${TARGET_BINARY_INTERFACE}x = x ] - then - echo m88k-dg-dgux${UNAME_RELEASE} - else - echo m88k-dg-dguxbcs${UNAME_RELEASE} - fi - else - echo i586-dg-dgux${UNAME_RELEASE} - fi - exit 0 ;; - M88*:DolphinOS:*:*) # DolphinOS (SVR3) - echo m88k-dolphin-sysv3 - exit 0 ;; - M88*:*:R3*:*) - # Delta 88k system running SVR3 - echo m88k-motorola-sysv3 - exit 0 ;; - XD88*:*:*:*) 
# Tektronix XD88 system running UTekV (SVR3) - echo m88k-tektronix-sysv3 - exit 0 ;; - Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD) - echo m68k-tektronix-bsd - exit 0 ;; - *:IRIX*:*:*) - echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'` - exit 0 ;; - ????????:AIX?:[12].1:2) # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX. - echo romp-ibm-aix # uname -m gives an 8 hex-code CPU id - exit 0 ;; # Note that: echo "'`uname -s`'" gives 'AIX ' - i*86:AIX:*:*) - echo i386-ibm-aix - exit 0 ;; - ia64:AIX:*:*) - if [ -x /usr/bin/oslevel ] ; then - IBM_REV=`/usr/bin/oslevel` - else - IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE} - fi - echo ${UNAME_MACHINE}-ibm-aix${IBM_REV} - exit 0 ;; - *:AIX:2:3) - if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then - eval $set_cc_for_build - sed 's/^ //' << EOF >$dummy.c - #include - - main() - { - if (!__power_pc()) - exit(1); - puts("powerpc-ibm-aix3.2.5"); - exit(0); - } -EOF - $CC_FOR_BUILD -o $dummy $dummy.c && $dummy && exit 0 - echo rs6000-ibm-aix3.2.5 - elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then - echo rs6000-ibm-aix3.2.4 - else - echo rs6000-ibm-aix3.2 - fi - exit 0 ;; - *:AIX:*:[45]) - IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'` - if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then - IBM_ARCH=rs6000 - else - IBM_ARCH=powerpc - fi - if [ -x /usr/bin/oslevel ] ; then - IBM_REV=`/usr/bin/oslevel` - else - IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE} - fi - echo ${IBM_ARCH}-ibm-aix${IBM_REV} - exit 0 ;; - *:AIX:*:*) - echo rs6000-ibm-aix - exit 0 ;; - ibmrt:4.4BSD:*|romp-ibm:BSD:*) - echo romp-ibm-bsd4.4 - exit 0 ;; - ibmrt:*BSD:*|romp-ibm:BSD:*) # covers RT/PC BSD and - echo romp-ibm-bsd${UNAME_RELEASE} # 4.3 with uname added to - exit 0 ;; # report: romp-ibm BSD 4.3 - *:BOSX:*:*) - echo rs6000-bull-bosx - exit 0 ;; - DPX/2?00:B.O.S.:*:*) - echo m68k-bull-sysv3 - exit 0 ;; - 9000/[34]??:4.3bsd:1.*:*) - echo m68k-hp-bsd - exit 0 
;; - hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*) - echo m68k-hp-bsd4.4 - exit 0 ;; - 9000/[34678]??:HP-UX:*:*) - HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'` - case "${UNAME_MACHINE}" in - 9000/31? ) HP_ARCH=m68000 ;; - 9000/[34]?? ) HP_ARCH=m68k ;; - 9000/[678][0-9][0-9]) - if [ -x /usr/bin/getconf ]; then - sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null` - sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` - case "${sc_cpu_version}" in - 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0 - 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1 - 532) # CPU_PA_RISC2_0 - case "${sc_kernel_bits}" in - 32) HP_ARCH="hppa2.0n" ;; - 64) HP_ARCH="hppa2.0w" ;; - '') HP_ARCH="hppa2.0" ;; # HP-UX 10.20 - esac ;; - esac - fi - if [ "${HP_ARCH}" = "" ]; then - eval $set_cc_for_build - sed 's/^ //' << EOF >$dummy.c - - #define _HPUX_SOURCE - #include - #include - - int main () - { - #if defined(_SC_KERNEL_BITS) - long bits = sysconf(_SC_KERNEL_BITS); - #endif - long cpu = sysconf (_SC_CPU_VERSION); - - switch (cpu) - { - case CPU_PA_RISC1_0: puts ("hppa1.0"); break; - case CPU_PA_RISC1_1: puts ("hppa1.1"); break; - case CPU_PA_RISC2_0: - #if defined(_SC_KERNEL_BITS) - switch (bits) - { - case 64: puts ("hppa2.0w"); break; - case 32: puts ("hppa2.0n"); break; - default: puts ("hppa2.0"); break; - } break; - #else /* !defined(_SC_KERNEL_BITS) */ - puts ("hppa2.0"); break; - #endif - default: puts ("hppa1.0"); break; - } - exit (0); - } -EOF - (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy` - test -z "$HP_ARCH" && HP_ARCH=hppa - fi ;; - esac - if [ ${HP_ARCH} = "hppa2.0w" ] - then - # avoid double evaluation of $set_cc_for_build - test -n "$CC_FOR_BUILD" || eval $set_cc_for_build - if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E -) | grep __LP64__ >/dev/null - then - HP_ARCH="hppa2.0w" - else - HP_ARCH="hppa64" - fi - fi - echo ${HP_ARCH}-hp-hpux${HPUX_REV} - exit 0 ;; - ia64:HP-UX:*:*) - HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 
's/[^.]*.[0B]*//'` - echo ia64-hp-hpux${HPUX_REV} - exit 0 ;; - 3050*:HI-UX:*:*) - eval $set_cc_for_build - sed 's/^ //' << EOF >$dummy.c - #include - int - main () - { - long cpu = sysconf (_SC_CPU_VERSION); - /* The order matters, because CPU_IS_HP_MC68K erroneously returns - true for CPU_PA_RISC1_0. CPU_IS_PA_RISC returns correct - results, however. */ - if (CPU_IS_PA_RISC (cpu)) - { - switch (cpu) - { - case CPU_PA_RISC1_0: puts ("hppa1.0-hitachi-hiuxwe2"); break; - case CPU_PA_RISC1_1: puts ("hppa1.1-hitachi-hiuxwe2"); break; - case CPU_PA_RISC2_0: puts ("hppa2.0-hitachi-hiuxwe2"); break; - default: puts ("hppa-hitachi-hiuxwe2"); break; - } - } - else if (CPU_IS_HP_MC68K (cpu)) - puts ("m68k-hitachi-hiuxwe2"); - else puts ("unknown-hitachi-hiuxwe2"); - exit (0); - } -EOF - $CC_FOR_BUILD -o $dummy $dummy.c && $dummy && exit 0 - echo unknown-hitachi-hiuxwe2 - exit 0 ;; - 9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* ) - echo hppa1.1-hp-bsd - exit 0 ;; - 9000/8??:4.3bsd:*:*) - echo hppa1.0-hp-bsd - exit 0 ;; - *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*) - echo hppa1.0-hp-mpeix - exit 0 ;; - hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* ) - echo hppa1.1-hp-osf - exit 0 ;; - hp8??:OSF1:*:*) - echo hppa1.0-hp-osf - exit 0 ;; - i*86:OSF1:*:*) - if [ -x /usr/sbin/sysversion ] ; then - echo ${UNAME_MACHINE}-unknown-osf1mk - else - echo ${UNAME_MACHINE}-unknown-osf1 - fi - exit 0 ;; - parisc*:Lites*:*:*) - echo hppa1.1-hp-lites - exit 0 ;; - C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*) - echo c1-convex-bsd - exit 0 ;; - C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*) - if getsysinfo -f scalar_acc - then echo c32-convex-bsd - else echo c2-convex-bsd - fi - exit 0 ;; - C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*) - echo c34-convex-bsd - exit 0 ;; - C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*) - echo c38-convex-bsd - exit 0 ;; - C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*) - echo c4-convex-bsd - exit 0 ;; - CRAY*Y-MP:*:*:*) - echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' - exit 0 ;; - 
CRAY*[A-Z]90:*:*:*) - echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \ - | sed -e 's/CRAY.*\([A-Z]90\)/\1/' \ - -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ \ - -e 's/\.[^.]*$/.X/' - exit 0 ;; - CRAY*TS:*:*:*) - echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' - exit 0 ;; - CRAY*T3E:*:*:*) - echo alphaev5-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' - exit 0 ;; - CRAY*SV1:*:*:*) - echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' - exit 0 ;; - *:UNICOS/mp:*:*) - echo nv1-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' - exit 0 ;; - F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) - FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` - FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` - FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` - echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" - exit 0 ;; - 5000:UNIX_System_V:4.*:*) - FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` - FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'` - echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" - exit 0 ;; - i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*) - echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE} - exit 0 ;; - sparc*:BSD/OS:*:*) - echo sparc-unknown-bsdi${UNAME_RELEASE} - exit 0 ;; - *:BSD/OS:*:*) - echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE} - exit 0 ;; - *:FreeBSD:*:*) - # Determine whether the default compiler uses glibc. - eval $set_cc_for_build - sed 's/^ //' << EOF >$dummy.c - #include - #if __GLIBC__ >= 2 - LIBC=gnu - #else - LIBC= - #endif -EOF - eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^LIBC=` - # GNU/KFreeBSD systems have a "k" prefix to indicate we are using - # FreeBSD's kernel, but not the complete OS. 
- case ${LIBC} in gnu) kernel_only='k' ;; esac - echo ${UNAME_MACHINE}-unknown-${kernel_only}freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`${LIBC:+-$LIBC} - exit 0 ;; - i*:CYGWIN*:*) - echo ${UNAME_MACHINE}-pc-cygwin - exit 0 ;; - i*:MINGW*:*) - echo ${UNAME_MACHINE}-pc-mingw32 - exit 0 ;; - i*:PW*:*) - echo ${UNAME_MACHINE}-pc-pw32 - exit 0 ;; - x86:Interix*:[34]*) - echo i586-pc-interix${UNAME_RELEASE}|sed -e 's/\..*//' - exit 0 ;; - [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*) - echo i${UNAME_MACHINE}-pc-mks - exit 0 ;; - i*:Windows_NT*:* | Pentium*:Windows_NT*:*) - # How do we know it's Interix rather than the generic POSIX subsystem? - # It also conflicts with pre-2.0 versions of AT&T UWIN. Should we - # UNAME_MACHINE based on the output of uname instead of i386? - echo i586-pc-interix - exit 0 ;; - i*:UWIN*:*) - echo ${UNAME_MACHINE}-pc-uwin - exit 0 ;; - p*:CYGWIN*:*) - echo powerpcle-unknown-cygwin - exit 0 ;; - prep*:SunOS:5.*:*) - echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` - exit 0 ;; - *:GNU:*:*) - # the GNU system - echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'` - exit 0 ;; - *:GNU/*:*:*) - # other systems with GNU libc and userland - echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-gnu - exit 0 ;; - i*86:Minix:*:*) - echo ${UNAME_MACHINE}-pc-minix - exit 0 ;; - arm*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-gnu - exit 0 ;; - cris:Linux:*:*) - echo cris-axis-linux-gnu - exit 0 ;; - ia64:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-gnu - exit 0 ;; - m68*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-gnu - exit 0 ;; - mips:Linux:*:*) - eval $set_cc_for_build - sed 's/^ //' << EOF >$dummy.c - #undef CPU - #undef mips - #undef mipsel - #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL) - CPU=mipsel - #else - #if 
defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB) - CPU=mips - #else - CPU= - #endif - #endif -EOF - eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=` - test x"${CPU}" != x && echo "${CPU}-unknown-linux-gnu" && exit 0 - ;; - mips64:Linux:*:*) - eval $set_cc_for_build - sed 's/^ //' << EOF >$dummy.c - #undef CPU - #undef mips64 - #undef mips64el - #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL) - CPU=mips64el - #else - #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB) - CPU=mips64 - #else - CPU= - #endif - #endif -EOF - eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=` - test x"${CPU}" != x && echo "${CPU}-unknown-linux-gnu" && exit 0 - ;; - ppc:Linux:*:*) - echo powerpc-unknown-linux-gnu - exit 0 ;; - ppc64:Linux:*:*) - echo powerpc64-unknown-linux-gnu - exit 0 ;; - alpha:Linux:*:*) - case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in - EV5) UNAME_MACHINE=alphaev5 ;; - EV56) UNAME_MACHINE=alphaev56 ;; - PCA56) UNAME_MACHINE=alphapca56 ;; - PCA57) UNAME_MACHINE=alphapca56 ;; - EV6) UNAME_MACHINE=alphaev6 ;; - EV67) UNAME_MACHINE=alphaev67 ;; - EV68*) UNAME_MACHINE=alphaev68 ;; - esac - objdump --private-headers /bin/sh | grep ld.so.1 >/dev/null - if test "$?" 
= 0 ; then LIBC="libc1" ; else LIBC="" ; fi - echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC} - exit 0 ;; - parisc:Linux:*:* | hppa:Linux:*:*) - # Look for CPU level - case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in - PA7*) echo hppa1.1-unknown-linux-gnu ;; - PA8*) echo hppa2.0-unknown-linux-gnu ;; - *) echo hppa-unknown-linux-gnu ;; - esac - exit 0 ;; - parisc64:Linux:*:* | hppa64:Linux:*:*) - echo hppa64-unknown-linux-gnu - exit 0 ;; - s390:Linux:*:* | s390x:Linux:*:*) - echo ${UNAME_MACHINE}-ibm-linux - exit 0 ;; - sh64*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-gnu - exit 0 ;; - sh*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-gnu - exit 0 ;; - sparc:Linux:*:* | sparc64:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-gnu - exit 0 ;; - x86_64:Linux:*:*) - echo x86_64-unknown-linux-gnu - exit 0 ;; - i*86:Linux:*:*) - # The BFD linker knows what the default object file format is, so - # first see if it will tell us. cd to the root directory to prevent - # problems with other programs or directories called `ld' in the path. - # Set LC_ALL=C to ensure ld outputs messages in English. - ld_supported_targets=`cd /; LC_ALL=C ld --help 2>&1 \ - | sed -ne '/supported targets:/!d - s/[ ][ ]*/ /g - s/.*supported targets: *// - s/ .*// - p'` - case "$ld_supported_targets" in - elf32-i386) - TENTATIVE="${UNAME_MACHINE}-pc-linux-gnu" - ;; - a.out-i386-linux) - echo "${UNAME_MACHINE}-pc-linux-gnuaout" - exit 0 ;; - coff-i386) - echo "${UNAME_MACHINE}-pc-linux-gnucoff" - exit 0 ;; - "") - # Either a pre-BFD a.out linker (linux-gnuoldld) or - # one that does not give us useful --help. 
- echo "${UNAME_MACHINE}-pc-linux-gnuoldld" - exit 0 ;; - esac - # Determine whether the default compiler is a.out or elf - eval $set_cc_for_build - sed 's/^ //' << EOF >$dummy.c - #include - #ifdef __ELF__ - # ifdef __GLIBC__ - # if __GLIBC__ >= 2 - LIBC=gnu - # else - LIBC=gnulibc1 - # endif - # else - LIBC=gnulibc1 - # endif - #else - #ifdef __INTEL_COMPILER - LIBC=gnu - #else - LIBC=gnuaout - #endif - #endif - #ifdef __dietlibc__ - LIBC=dietlibc - #endif -EOF - eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^LIBC=` - test x"${LIBC}" != x && echo "${UNAME_MACHINE}-pc-linux-${LIBC}" && exit 0 - test x"${TENTATIVE}" != x && echo "${TENTATIVE}" && exit 0 - ;; - i*86:DYNIX/ptx:4*:*) - # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there. - # earlier versions are messed up and put the nodename in both - # sysname and nodename. - echo i386-sequent-sysv4 - exit 0 ;; - i*86:UNIX_SV:4.2MP:2.*) - # Unixware is an offshoot of SVR4, but it has its own version - # number series starting with 2... - # I am not positive that other SVR4 systems won't match this, - # I just have to hope. -- rms. - # Use sysv4.2uw... so that sysv4* matches it. - echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION} - exit 0 ;; - i*86:OS/2:*:*) - # If we were able to find `uname', then EMX Unix compatibility - # is probably installed. 
- echo ${UNAME_MACHINE}-pc-os2-emx - exit 0 ;; - i*86:XTS-300:*:STOP) - echo ${UNAME_MACHINE}-unknown-stop - exit 0 ;; - i*86:atheos:*:*) - echo ${UNAME_MACHINE}-unknown-atheos - exit 0 ;; - i*86:syllable:*:*) - echo ${UNAME_MACHINE}-pc-syllable - exit 0 ;; - i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.0*:*) - echo i386-unknown-lynxos${UNAME_RELEASE} - exit 0 ;; - i*86:*DOS:*:*) - echo ${UNAME_MACHINE}-pc-msdosdjgpp - exit 0 ;; - i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*) - UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'` - if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then - echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL} - else - echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL} - fi - exit 0 ;; - i*86:*:5:[78]*) - case `/bin/uname -X | grep "^Machine"` in - *486*) UNAME_MACHINE=i486 ;; - *Pentium) UNAME_MACHINE=i586 ;; - *Pent*|*Celeron) UNAME_MACHINE=i686 ;; - esac - echo ${UNAME_MACHINE}-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION} - exit 0 ;; - i*86:*:3.2:*) - if test -f /usr/options/cb.name; then - UNAME_REL=`sed -n 's/.*Version //p' /dev/null >/dev/null ; then - UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')` - (/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486 - (/bin/uname -X|grep '^Machine.*Pentium' >/dev/null) \ - && UNAME_MACHINE=i586 - (/bin/uname -X|grep '^Machine.*Pent *II' >/dev/null) \ - && UNAME_MACHINE=i686 - (/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \ - && UNAME_MACHINE=i686 - echo ${UNAME_MACHINE}-pc-sco$UNAME_REL - else - echo ${UNAME_MACHINE}-pc-sysv32 - fi - exit 0 ;; - pc:*:*:*) - # Left here for compatibility: - # uname -m prints for DJGPP always 'pc', but it prints nothing about - # the processor, so we play safe by assuming i386. 
- echo i386-pc-msdosdjgpp - exit 0 ;; - Intel:Mach:3*:*) - echo i386-pc-mach3 - exit 0 ;; - paragon:*:*:*) - echo i860-intel-osf1 - exit 0 ;; - i860:*:4.*:*) # i860-SVR4 - if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then - echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4 - else # Add other i860-SVR4 vendors below as they are discovered. - echo i860-unknown-sysv${UNAME_RELEASE} # Unknown i860-SVR4 - fi - exit 0 ;; - mini*:CTIX:SYS*5:*) - # "miniframe" - echo m68010-convergent-sysv - exit 0 ;; - mc68k:UNIX:SYSTEM5:3.51m) - echo m68k-convergent-sysv - exit 0 ;; - M680?0:D-NIX:5.3:*) - echo m68k-diab-dnix - exit 0 ;; - M68*:*:R3V[567]*:*) - test -r /sysV68 && echo 'm68k-motorola-sysv' && exit 0 ;; - 3[345]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0) - OS_REL='' - test -r /etc/.relid \ - && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` - /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ - && echo i486-ncr-sysv4.3${OS_REL} && exit 0 - /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ - && echo i586-ncr-sysv4.3${OS_REL} && exit 0 ;; - 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*) - /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ - && echo i486-ncr-sysv4 && exit 0 ;; - m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*) - echo m68k-unknown-lynxos${UNAME_RELEASE} - exit 0 ;; - mc68030:UNIX_System_V:4.*:*) - echo m68k-atari-sysv4 - exit 0 ;; - TSUNAMI:LynxOS:2.*:*) - echo sparc-unknown-lynxos${UNAME_RELEASE} - exit 0 ;; - rs6000:LynxOS:2.*:*) - echo rs6000-unknown-lynxos${UNAME_RELEASE} - exit 0 ;; - PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.0*:*) - echo powerpc-unknown-lynxos${UNAME_RELEASE} - exit 0 ;; - SM[BE]S:UNIX_SV:*:*) - echo mips-dde-sysv${UNAME_RELEASE} - exit 0 ;; - RM*:ReliantUNIX-*:*:*) - echo mips-sni-sysv4 - exit 0 ;; - RM*:SINIX-*:*:*) - echo mips-sni-sysv4 - exit 0 ;; - 
*:SINIX-*:*:*) - if uname -p 2>/dev/null >/dev/null ; then - UNAME_MACHINE=`(uname -p) 2>/dev/null` - echo ${UNAME_MACHINE}-sni-sysv4 - else - echo ns32k-sni-sysv - fi - exit 0 ;; - PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort - # says - echo i586-unisys-sysv4 - exit 0 ;; - *:UNIX_System_V:4*:FTX*) - # From Gerald Hewes . - # How about differentiating between stratus architectures? -djm - echo hppa1.1-stratus-sysv4 - exit 0 ;; - *:*:*:FTX*) - # From seanf@swdc.stratus.com. - echo i860-stratus-sysv4 - exit 0 ;; - *:VOS:*:*) - # From Paul.Green@stratus.com. - echo hppa1.1-stratus-vos - exit 0 ;; - mc68*:A/UX:*:*) - echo m68k-apple-aux${UNAME_RELEASE} - exit 0 ;; - news*:NEWS-OS:6*:*) - echo mips-sony-newsos6 - exit 0 ;; - R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*) - if [ -d /usr/nec ]; then - echo mips-nec-sysv${UNAME_RELEASE} - else - echo mips-unknown-sysv${UNAME_RELEASE} - fi - exit 0 ;; - BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only. - echo powerpc-be-beos - exit 0 ;; - BeMac:BeOS:*:*) # BeOS running on Mac or Mac clone, PPC only. - echo powerpc-apple-beos - exit 0 ;; - BePC:BeOS:*:*) # BeOS running on Intel PC compatible. 
- echo i586-pc-beos - exit 0 ;; - SX-4:SUPER-UX:*:*) - echo sx4-nec-superux${UNAME_RELEASE} - exit 0 ;; - SX-5:SUPER-UX:*:*) - echo sx5-nec-superux${UNAME_RELEASE} - exit 0 ;; - SX-6:SUPER-UX:*:*) - echo sx6-nec-superux${UNAME_RELEASE} - exit 0 ;; - Power*:Rhapsody:*:*) - echo powerpc-apple-rhapsody${UNAME_RELEASE} - exit 0 ;; - *:Rhapsody:*:*) - echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE} - exit 0 ;; - *:Darwin:*:*) - case `uname -p` in - *86) UNAME_PROCESSOR=i686 ;; - powerpc) UNAME_PROCESSOR=powerpc ;; - esac - echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE} - exit 0 ;; - *:procnto*:*:* | *:QNX:[0123456789]*:*) - UNAME_PROCESSOR=`uname -p` - if test "$UNAME_PROCESSOR" = "x86"; then - UNAME_PROCESSOR=i386 - UNAME_MACHINE=pc - fi - echo ${UNAME_PROCESSOR}-${UNAME_MACHINE}-nto-qnx${UNAME_RELEASE} - exit 0 ;; - *:QNX:*:4*) - echo i386-pc-qnx - exit 0 ;; - NSR-?:NONSTOP_KERNEL:*:*) - echo nsr-tandem-nsk${UNAME_RELEASE} - exit 0 ;; - *:NonStop-UX:*:*) - echo mips-compaq-nonstopux - exit 0 ;; - BS2000:POSIX*:*:*) - echo bs2000-siemens-sysv - exit 0 ;; - DS/*:UNIX_System_V:*:*) - echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE} - exit 0 ;; - *:Plan9:*:*) - # "uname -m" is not consistent, so use $cputype instead. 386 - # is converted to i386 for consistency with other x86 - # operating systems. 
- if test "$cputype" = "386"; then - UNAME_MACHINE=i386 - else - UNAME_MACHINE="$cputype" - fi - echo ${UNAME_MACHINE}-unknown-plan9 - exit 0 ;; - *:TOPS-10:*:*) - echo pdp10-unknown-tops10 - exit 0 ;; - *:TENEX:*:*) - echo pdp10-unknown-tenex - exit 0 ;; - KS10:TOPS-20:*:* | KL10:TOPS-20:*:* | TYPE4:TOPS-20:*:*) - echo pdp10-dec-tops20 - exit 0 ;; - XKL-1:TOPS-20:*:* | TYPE5:TOPS-20:*:*) - echo pdp10-xkl-tops20 - exit 0 ;; - *:TOPS-20:*:*) - echo pdp10-unknown-tops20 - exit 0 ;; - *:ITS:*:*) - echo pdp10-unknown-its - exit 0 ;; - SEI:*:*:SEIUX) - echo mips-sei-seiux${UNAME_RELEASE} - exit 0 ;; - *:DragonFly:*:*) - echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` - exit 0 ;; -esac - -#echo '(No uname command or uname output not recognized.)' 1>&2 -#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2 - -eval $set_cc_for_build -cat >$dummy.c < -# include -#endif -main () -{ -#if defined (sony) -#if defined (MIPSEB) - /* BFD wants "bsd" instead of "newsos". Perhaps BFD should be changed, - I don't know.... 
*/ - printf ("mips-sony-bsd\n"); exit (0); -#else -#include - printf ("m68k-sony-newsos%s\n", -#ifdef NEWSOS4 - "4" -#else - "" -#endif - ); exit (0); -#endif -#endif - -#if defined (__arm) && defined (__acorn) && defined (__unix) - printf ("arm-acorn-riscix"); exit (0); -#endif - -#if defined (hp300) && !defined (hpux) - printf ("m68k-hp-bsd\n"); exit (0); -#endif - -#if defined (NeXT) -#if !defined (__ARCHITECTURE__) -#define __ARCHITECTURE__ "m68k" -#endif - int version; - version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`; - if (version < 4) - printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version); - else - printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version); - exit (0); -#endif - -#if defined (MULTIMAX) || defined (n16) -#if defined (UMAXV) - printf ("ns32k-encore-sysv\n"); exit (0); -#else -#if defined (CMU) - printf ("ns32k-encore-mach\n"); exit (0); -#else - printf ("ns32k-encore-bsd\n"); exit (0); -#endif -#endif -#endif - -#if defined (__386BSD__) - printf ("i386-pc-bsd\n"); exit (0); -#endif - -#if defined (sequent) -#if defined (i386) - printf ("i386-sequent-dynix\n"); exit (0); -#endif -#if defined (ns32000) - printf ("ns32k-sequent-dynix\n"); exit (0); -#endif -#endif - -#if defined (_SEQUENT_) - struct utsname un; - - uname(&un); - - if (strncmp(un.version, "V2", 2) == 0) { - printf ("i386-sequent-ptx2\n"); exit (0); - } - if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? 
*/ - printf ("i386-sequent-ptx1\n"); exit (0); - } - printf ("i386-sequent-ptx\n"); exit (0); - -#endif - -#if defined (vax) -# if !defined (ultrix) -# include -# if defined (BSD) -# if BSD == 43 - printf ("vax-dec-bsd4.3\n"); exit (0); -# else -# if BSD == 199006 - printf ("vax-dec-bsd4.3reno\n"); exit (0); -# else - printf ("vax-dec-bsd\n"); exit (0); -# endif -# endif -# else - printf ("vax-dec-bsd\n"); exit (0); -# endif -# else - printf ("vax-dec-ultrix\n"); exit (0); -# endif -#endif - -#if defined (alliant) && defined (i860) - printf ("i860-alliant-bsd\n"); exit (0); -#endif - - exit (1); -} -EOF - -$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && $dummy && exit 0 - -# Apollos put the system type in the environment. - -test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit 0; } - -# Convex versions that predate uname can use getsysinfo(1) - -if [ -x /usr/convex/getsysinfo ] -then - case `getsysinfo -f cpu_type` in - c1*) - echo c1-convex-bsd - exit 0 ;; - c2*) - if getsysinfo -f scalar_acc - then echo c32-convex-bsd - else echo c2-convex-bsd - fi - exit 0 ;; - c34*) - echo c34-convex-bsd - exit 0 ;; - c38*) - echo c38-convex-bsd - exit 0 ;; - c4*) - echo c4-convex-bsd - exit 0 ;; - esac -fi - -cat >&2 < in order to provide the needed -information to handle your system. 
-
-config.guess timestamp = $timestamp
-
-uname -m = `(uname -m) 2>/dev/null || echo unknown`
-uname -r = `(uname -r) 2>/dev/null || echo unknown`
-uname -s = `(uname -s) 2>/dev/null || echo unknown`
-uname -v = `(uname -v) 2>/dev/null || echo unknown`
-
-/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null`
-/bin/uname -X = `(/bin/uname -X) 2>/dev/null`
-
-hostinfo = `(hostinfo) 2>/dev/null`
-/bin/universe = `(/bin/universe) 2>/dev/null`
-/usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null`
-/bin/arch = `(/bin/arch) 2>/dev/null`
-/usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null`
-/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null`
-
-UNAME_MACHINE = ${UNAME_MACHINE}
-UNAME_RELEASE = ${UNAME_RELEASE}
-UNAME_SYSTEM = ${UNAME_SYSTEM}
-UNAME_VERSION = ${UNAME_VERSION}
-EOF
-
-exit 1
-
-# Local variables:
-# eval: (add-hook 'write-file-hooks 'time-stamp)
-# time-stamp-start: "timestamp='"
-# time-stamp-format: "%:y-%02m-%02d"
-# time-stamp-end: "'"
-# End:
diff --git a/crypto/heimdal-0.6.3/config.sub b/crypto/heimdal-0.6.3/config.sub
deleted file mode 100644
index 264f820aa5..0000000000
--- a/crypto/heimdal-0.6.3/config.sub
+++ /dev/null
@@ -1,1549 +0,0 @@
-#! /bin/sh
-# Configuration validation subroutine script.
-# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-# 2000, 2001, 2002, 2003 Free Software Foundation, Inc.
-
-timestamp='2004-02-23'
-
-# This file is (in principle) common to ALL GNU software.
-# The presence of a machine in this file suggests that SOME GNU software
-# can handle that machine. It does not imply ALL GNU software can.
-#
-# This file is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330,
-# Boston, MA 02111-1307, USA.
-
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-# Please send patches to . Submit a context
-# diff and a properly formatted ChangeLog entry.
-#
-# Configuration subroutine to validate and canonicalize a configuration type.
-# Supply the specified configuration type as an argument.
-# If it is invalid, we print an error message on stderr and exit with code 1.
-# Otherwise, we print the canonical config type on stdout and succeed.
-
-# This file is supposed to be the same for all GNU packages
-# and recognize all the CPU types, system types and aliases
-# that are meaningful with *any* GNU software.
-# Each package is responsible for reporting which valid configurations -# it does not support. The user should be able to distinguish -# a failure to support a valid configuration from a meaningless -# configuration. - -# The goal of this file is to map all the various variations of a given -# machine specification into a single specification in the form: -# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM -# or in some cases, the newer four-part form: -# CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM -# It is wrong to echo any other type of specification. - -me=`echo "$0" | sed -e 's,.*/,,'` - -usage="\ -Usage: $0 [OPTION] CPU-MFR-OPSYS - $0 [OPTION] ALIAS - -Canonicalize a configuration name. - -Operation modes: - -h, --help print this help, then exit - -t, --time-stamp print date of last modification, then exit - -v, --version print version number, then exit - -Report bugs and patches to ." - -version="\ -GNU config.sub ($timestamp) - -Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001 -Free Software Foundation, Inc. - -This is free software; see the source for copying conditions. There is NO -warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." - -help=" -Try \`$me --help' for more information." - -# Parse command line -while test $# -gt 0 ; do - case $1 in - --time-stamp | --time* | -t ) - echo "$timestamp" ; exit 0 ;; - --version | -v ) - echo "$version" ; exit 0 ;; - --help | --h* | -h ) - echo "$usage"; exit 0 ;; - -- ) # Stop option processing - shift; break ;; - - ) # Use stdin as input. - break ;; - -* ) - echo "$me: invalid option $1$help" - exit 1 ;; - - *local*) - # First pass through any local machine types. - echo $1 - exit 0;; - - * ) - break ;; - esac -done - -case $# in - 0) echo "$me: missing argument$help" >&2 - exit 1;; - 1) ;; - *) echo "$me: too many arguments$help" >&2 - exit 1;; -esac - -# Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any). 
-# Here we must recognize all the valid KERNEL-OS combinations. -maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'` -case $maybe_os in - nto-qnx* | linux-gnu* | linux-dietlibc | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | \ - kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* | storm-chaos* | os2-emx* | rtmk-nova*) - os=-$maybe_os - basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` - ;; - *) - basic_machine=`echo $1 | sed 's/-[^-]*$//'` - if [ $basic_machine != $1 ] - then os=`echo $1 | sed 's/.*-/-/'` - else os=; fi - ;; -esac - -### Let's recognize common machines as not being operating systems so -### that things like config.sub decstation-3100 work. We also -### recognize some manufacturers as not being operating systems, so we -### can provide default operating systems below. -case $os in - -sun*os*) - # Prevent following clause from handling this invalid input. - ;; - -dec* | -mips* | -sequent* | -encore* | -pc532* | -sgi* | -sony* | \ - -att* | -7300* | -3300* | -delta* | -motorola* | -sun[234]* | \ - -unicom* | -ibm* | -next | -hp | -isi* | -apollo | -altos* | \ - -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\ - -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \ - -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \ - -apple | -axis) - os= - basic_machine=$1 - ;; - -sim | -cisco | -oki | -wec | -winbond) - os= - basic_machine=$1 - ;; - -scout) - ;; - -wrs) - os=-vxworks - basic_machine=$1 - ;; - -chorusos*) - os=-chorusos - basic_machine=$1 - ;; - -chorusrdb) - os=-chorusrdb - basic_machine=$1 - ;; - -hiux*) - os=-hiuxwe2 - ;; - -sco5) - os=-sco3.2v5 - basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` - ;; - -sco4) - os=-sco3.2v4 - basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` - ;; - -sco3.2.[4-9]*) - os=`echo $os | sed -e 's/sco3.2./sco3.2v/'` - basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` - ;; - -sco3.2v[4-9]*) - # Don't forget version if it is 3.2v4 or newer. 
- basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` - ;; - -sco*) - os=-sco3.2v2 - basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` - ;; - -udk*) - basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` - ;; - -isc) - os=-isc2.2 - basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` - ;; - -clix*) - basic_machine=clipper-intergraph - ;; - -isc*) - basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` - ;; - -lynx*) - os=-lynxos - ;; - -ptx*) - basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'` - ;; - -windowsnt*) - os=`echo $os | sed -e 's/windowsnt/winnt/'` - ;; - -psos*) - os=-psos - ;; - -mint | -mint[0-9]*) - basic_machine=m68k-atari - os=-mint - ;; -esac - -# Decode aliases for certain CPU-COMPANY combinations. -case $basic_machine in - # Recognize the basic CPU types without company name. - # Some are omitted here because they have special meanings below. - 1750a | 580 \ - | a29k \ - | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \ - | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \ - | am33_2.0 \ - | arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr \ - | c4x | clipper \ - | d10v | d30v | dlx | dsp16xx \ - | fr30 | frv \ - | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \ - | i370 | i860 | i960 | ia64 \ - | ip2k | iq2000 \ - | m32r | m68000 | m68k | m88k | mcore \ - | mips | mipsbe | mipseb | mipsel | mipsle \ - | mips16 \ - | mips64 | mips64el \ - | mips64vr | mips64vrel \ - | mips64orion | mips64orionel \ - | mips64vr4100 | mips64vr4100el \ - | mips64vr4300 | mips64vr4300el \ - | mips64vr5000 | mips64vr5000el \ - | mipsisa32 | mipsisa32el \ - | mipsisa32r2 | mipsisa32r2el \ - | mipsisa64 | mipsisa64el \ - | mipsisa64r2 | mipsisa64r2el \ - | mipsisa64sb1 | mipsisa64sb1el \ - | mipsisa64sr71k | mipsisa64sr71kel \ - | mipstx39 | mipstx39el \ - | mn10200 | mn10300 \ - | msp430 \ - | ns16k | ns32k \ - | openrisc | or32 \ - | pdp10 | pdp11 | pj | pjl \ - | powerpc | powerpc64 | 
powerpc64le | powerpcle | ppcbe \ - | pyramid \ - | sh | sh[1234] | sh[23]e | sh[34]eb | shbe | shle | sh[1234]le | sh3ele \ - | sh64 | sh64le \ - | sparc | sparc64 | sparc86x | sparclet | sparclite | sparcv9 | sparcv9b \ - | strongarm \ - | tahoe | thumb | tic4x | tic80 | tron \ - | v850 | v850e \ - | we32k \ - | x86 | xscale | xstormy16 | xtensa \ - | z8k) - basic_machine=$basic_machine-unknown - ;; - m6811 | m68hc11 | m6812 | m68hc12) - # Motorola 68HC11/12. - basic_machine=$basic_machine-unknown - os=-none - ;; - m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65 | z8k) - ;; - - # We use `pc' rather than `unknown' - # because (1) that's what they normally are, and - # (2) the word "unknown" tends to confuse beginning users. - i*86 | x86_64) - basic_machine=$basic_machine-pc - ;; - # Object if more than one company name word. - *-*-*) - echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2 - exit 1 - ;; - # Recognize the basic CPU types with company name. 
- 580-* \ - | a29k-* \ - | alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \ - | alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \ - | alphapca5[67]-* | alpha64pca5[67]-* | arc-* \ - | arm-* | armbe-* | armle-* | armeb-* | armv*-* \ - | avr-* \ - | bs2000-* \ - | c[123]* | c30-* | [cjt]90-* | c4x-* | c54x-* | c55x-* | c6x-* \ - | clipper-* | cydra-* \ - | d10v-* | d30v-* | dlx-* \ - | elxsi-* \ - | f30[01]-* | f700-* | fr30-* | frv-* | fx80-* \ - | h8300-* | h8500-* \ - | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \ - | i*86-* | i860-* | i960-* | ia64-* \ - | ip2k-* | iq2000-* \ - | m32r-* \ - | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \ - | m88110-* | m88k-* | mcore-* \ - | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \ - | mips16-* \ - | mips64-* | mips64el-* \ - | mips64vr-* | mips64vrel-* \ - | mips64orion-* | mips64orionel-* \ - | mips64vr4100-* | mips64vr4100el-* \ - | mips64vr4300-* | mips64vr4300el-* \ - | mips64vr5000-* | mips64vr5000el-* \ - | mipsisa32-* | mipsisa32el-* \ - | mipsisa32r2-* | mipsisa32r2el-* \ - | mipsisa64-* | mipsisa64el-* \ - | mipsisa64r2-* | mipsisa64r2el-* \ - | mipsisa64sb1-* | mipsisa64sb1el-* \ - | mipsisa64sr71k-* | mipsisa64sr71kel-* \ - | mipstx39-* | mipstx39el-* \ - | msp430-* \ - | none-* | np1-* | nv1-* | ns16k-* | ns32k-* \ - | orion-* \ - | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ - | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \ - | pyramid-* \ - | romp-* | rs6000-* \ - | sh-* | sh[1234]-* | sh[23]e-* | sh[34]eb-* | shbe-* \ - | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \ - | sparc-* | sparc64-* | sparc86x-* | sparclet-* | sparclite-* \ - | sparcv9-* | sparcv9b-* | strongarm-* | sv1-* | sx?-* \ - | tahoe-* | thumb-* \ - | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \ - | tron-* \ - | v850-* | v850e-* | vax-* \ - | we32k-* \ - | x86-* | x86_64-* | xps100-* | xscale-* | xstormy16-* \ - | xtensa-* \ - 
| ymp-* \ - | z8k-*) - ;; - # Recognize the various machine names and aliases which stand - # for a CPU type and a company and sometimes even an OS. - 386bsd) - basic_machine=i386-unknown - os=-bsd - ;; - 3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc) - basic_machine=m68000-att - ;; - 3b*) - basic_machine=we32k-att - ;; - a29khif) - basic_machine=a29k-amd - os=-udi - ;; - abacus) - basic_machine=abacus-unknown - ;; - adobe68k) - basic_machine=m68010-adobe - os=-scout - ;; - alliant | fx80) - basic_machine=fx80-alliant - ;; - altos | altos3068) - basic_machine=m68k-altos - ;; - am29k) - basic_machine=a29k-none - os=-bsd - ;; - amd64) - basic_machine=x86_64-pc - ;; - amd64-*) - basic_machine=x86_64-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - amdahl) - basic_machine=580-amdahl - os=-sysv - ;; - amiga | amiga-*) - basic_machine=m68k-unknown - ;; - amigaos | amigados) - basic_machine=m68k-unknown - os=-amigaos - ;; - amigaunix | amix) - basic_machine=m68k-unknown - os=-sysv4 - ;; - apollo68) - basic_machine=m68k-apollo - os=-sysv - ;; - apollo68bsd) - basic_machine=m68k-apollo - os=-bsd - ;; - aux) - basic_machine=m68k-apple - os=-aux - ;; - balance) - basic_machine=ns32k-sequent - os=-dynix - ;; - c90) - basic_machine=c90-cray - os=-unicos - ;; - convex-c1) - basic_machine=c1-convex - os=-bsd - ;; - convex-c2) - basic_machine=c2-convex - os=-bsd - ;; - convex-c32) - basic_machine=c32-convex - os=-bsd - ;; - convex-c34) - basic_machine=c34-convex - os=-bsd - ;; - convex-c38) - basic_machine=c38-convex - os=-bsd - ;; - cray | j90) - basic_machine=j90-cray - os=-unicos - ;; - cr16c) - basic_machine=cr16c-unknown - os=-elf - ;; - crds | unos) - basic_machine=m68k-crds - ;; - cris | cris-* | etrax*) - basic_machine=cris-axis - ;; - crx) - basic_machine=crx-unknown - os=-elf - ;; - da30 | da30-*) - basic_machine=m68k-da30 - ;; - decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn) - basic_machine=mips-dec - ;; - decsystem10* | dec10*) 
- basic_machine=pdp10-dec - os=-tops10 - ;; - decsystem20* | dec20*) - basic_machine=pdp10-dec - os=-tops20 - ;; - delta | 3300 | motorola-3300 | motorola-delta \ - | 3300-motorola | delta-motorola) - basic_machine=m68k-motorola - ;; - delta88) - basic_machine=m88k-motorola - os=-sysv3 - ;; - dpx20 | dpx20-*) - basic_machine=rs6000-bull - os=-bosx - ;; - dpx2* | dpx2*-bull) - basic_machine=m68k-bull - os=-sysv3 - ;; - ebmon29k) - basic_machine=a29k-amd - os=-ebmon - ;; - elxsi) - basic_machine=elxsi-elxsi - os=-bsd - ;; - encore | umax | mmax) - basic_machine=ns32k-encore - ;; - es1800 | OSE68k | ose68k | ose | OSE) - basic_machine=m68k-ericsson - os=-ose - ;; - fx2800) - basic_machine=i860-alliant - ;; - genix) - basic_machine=ns32k-ns - ;; - gmicro) - basic_machine=tron-gmicro - os=-sysv - ;; - go32) - basic_machine=i386-pc - os=-go32 - ;; - h3050r* | hiux*) - basic_machine=hppa1.1-hitachi - os=-hiuxwe2 - ;; - h8300hms) - basic_machine=h8300-hitachi - os=-hms - ;; - h8300xray) - basic_machine=h8300-hitachi - os=-xray - ;; - h8500hms) - basic_machine=h8500-hitachi - os=-hms - ;; - harris) - basic_machine=m88k-harris - os=-sysv3 - ;; - hp300-*) - basic_machine=m68k-hp - ;; - hp300bsd) - basic_machine=m68k-hp - os=-bsd - ;; - hp300hpux) - basic_machine=m68k-hp - os=-hpux - ;; - hp3k9[0-9][0-9] | hp9[0-9][0-9]) - basic_machine=hppa1.0-hp - ;; - hp9k2[0-9][0-9] | hp9k31[0-9]) - basic_machine=m68000-hp - ;; - hp9k3[2-9][0-9]) - basic_machine=m68k-hp - ;; - hp9k6[0-9][0-9] | hp6[0-9][0-9]) - basic_machine=hppa1.0-hp - ;; - hp9k7[0-79][0-9] | hp7[0-79][0-9]) - basic_machine=hppa1.1-hp - ;; - hp9k78[0-9] | hp78[0-9]) - # FIXME: really hppa2.0-hp - basic_machine=hppa1.1-hp - ;; - hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893) - # FIXME: really hppa2.0-hp - basic_machine=hppa1.1-hp - ;; - hp9k8[0-9][13679] | hp8[0-9][13679]) - basic_machine=hppa1.1-hp - ;; - hp9k8[0-9][0-9] | hp8[0-9][0-9]) - basic_machine=hppa1.0-hp - ;; - 
hppa-next) - os=-nextstep3 - ;; - hppaosf) - basic_machine=hppa1.1-hp - os=-osf - ;; - hppro) - basic_machine=hppa1.1-hp - os=-proelf - ;; - i370-ibm* | ibm*) - basic_machine=i370-ibm - ;; -# I'm not sure what "Sysv32" means. Should this be sysv3.2? - i*86v32) - basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` - os=-sysv32 - ;; - i*86v4*) - basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` - os=-sysv4 - ;; - i*86v) - basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` - os=-sysv - ;; - i*86sol2) - basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` - os=-solaris2 - ;; - i386mach) - basic_machine=i386-mach - os=-mach - ;; - i386-vsta | vsta) - basic_machine=i386-unknown - os=-vsta - ;; - iris | iris4d) - basic_machine=mips-sgi - case $os in - -irix*) - ;; - *) - os=-irix4 - ;; - esac - ;; - isi68 | isi) - basic_machine=m68k-isi - os=-sysv - ;; - m88k-omron*) - basic_machine=m88k-omron - ;; - magnum | m3230) - basic_machine=mips-mips - os=-sysv - ;; - merlin) - basic_machine=ns32k-utek - os=-sysv - ;; - mingw32) - basic_machine=i386-pc - os=-mingw32 - ;; - miniframe) - basic_machine=m68000-convergent - ;; - *mint | -mint[0-9]* | *MiNT | *MiNT[0-9]*) - basic_machine=m68k-atari - os=-mint - ;; - mips3*-*) - basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'` - ;; - mips3*) - basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown - ;; - mmix*) - basic_machine=mmix-knuth - os=-mmixware - ;; - monitor) - basic_machine=m68k-rom68k - os=-coff - ;; - morphos) - basic_machine=powerpc-unknown - os=-morphos - ;; - msdos) - basic_machine=i386-pc - os=-msdos - ;; - mvs) - basic_machine=i370-ibm - os=-mvs - ;; - ncr3000) - basic_machine=i486-ncr - os=-sysv4 - ;; - netbsd386) - basic_machine=i386-unknown - os=-netbsd - ;; - netwinder) - basic_machine=armv4l-rebel - os=-linux - ;; - news | news700 | news800 | news900) - basic_machine=m68k-sony - os=-newsos - ;; - news1000) - basic_machine=m68030-sony - os=-newsos - ;; - news-3600 | risc-news) - 
basic_machine=mips-sony - os=-newsos - ;; - necv70) - basic_machine=v70-nec - os=-sysv - ;; - next | m*-next ) - basic_machine=m68k-next - case $os in - -nextstep* ) - ;; - -ns2*) - os=-nextstep2 - ;; - *) - os=-nextstep3 - ;; - esac - ;; - nh3000) - basic_machine=m68k-harris - os=-cxux - ;; - nh[45]000) - basic_machine=m88k-harris - os=-cxux - ;; - nindy960) - basic_machine=i960-intel - os=-nindy - ;; - mon960) - basic_machine=i960-intel - os=-mon960 - ;; - nonstopux) - basic_machine=mips-compaq - os=-nonstopux - ;; - np1) - basic_machine=np1-gould - ;; - nv1) - basic_machine=nv1-cray - os=-unicosmp - ;; - nsr-tandem) - basic_machine=nsr-tandem - ;; - op50n-* | op60c-*) - basic_machine=hppa1.1-oki - os=-proelf - ;; - or32 | or32-*) - basic_machine=or32-unknown - os=-coff - ;; - os400) - basic_machine=powerpc-ibm - os=-os400 - ;; - OSE68000 | ose68000) - basic_machine=m68000-ericsson - os=-ose - ;; - os68k) - basic_machine=m68k-none - os=-os68k - ;; - pa-hitachi) - basic_machine=hppa1.1-hitachi - os=-hiuxwe2 - ;; - paragon) - basic_machine=i860-intel - os=-osf - ;; - pbd) - basic_machine=sparc-tti - ;; - pbb) - basic_machine=m68k-tti - ;; - pc532 | pc532-*) - basic_machine=ns32k-pc532 - ;; - pentium | p5 | k5 | k6 | nexgen | viac3) - basic_machine=i586-pc - ;; - pentiumpro | p6 | 6x86 | athlon | athlon_*) - basic_machine=i686-pc - ;; - pentiumii | pentium2 | pentiumiii | pentium3) - basic_machine=i686-pc - ;; - pentium4) - basic_machine=i786-pc - ;; - pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*) - basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - pentiumpro-* | p6-* | 6x86-* | athlon-*) - basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - pentiumii-* | pentium2-* | pentiumiii-* | pentium3-*) - basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - pentium4-*) - basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - pn) - basic_machine=pn-gould - ;; - power) basic_machine=power-ibm - ;; - ppc) 
basic_machine=powerpc-unknown - ;; - ppc-*) basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - ppcle | powerpclittle | ppc-le | powerpc-little) - basic_machine=powerpcle-unknown - ;; - ppcle-* | powerpclittle-*) - basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - ppc64) basic_machine=powerpc64-unknown - ;; - ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - ppc64le | powerpc64little | ppc64-le | powerpc64-little) - basic_machine=powerpc64le-unknown - ;; - ppc64le-* | powerpc64little-*) - basic_machine=powerpc64le-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - ps2) - basic_machine=i386-ibm - ;; - pw32) - basic_machine=i586-unknown - os=-pw32 - ;; - rom68k) - basic_machine=m68k-rom68k - os=-coff - ;; - rm[46]00) - basic_machine=mips-siemens - ;; - rtpc | rtpc-*) - basic_machine=romp-ibm - ;; - s390 | s390-*) - basic_machine=s390-ibm - ;; - s390x | s390x-*) - basic_machine=s390x-ibm - ;; - sa29200) - basic_machine=a29k-amd - os=-udi - ;; - sb1) - basic_machine=mipsisa64sb1-unknown - ;; - sb1el) - basic_machine=mipsisa64sb1el-unknown - ;; - sei) - basic_machine=mips-sei - os=-seiux - ;; - sequent) - basic_machine=i386-sequent - ;; - sh) - basic_machine=sh-hitachi - os=-hms - ;; - sh64) - basic_machine=sh64-unknown - ;; - sparclite-wrs | simso-wrs) - basic_machine=sparclite-wrs - os=-vxworks - ;; - sps7) - basic_machine=m68k-bull - os=-sysv2 - ;; - spur) - basic_machine=spur-unknown - ;; - st2000) - basic_machine=m68k-tandem - ;; - stratus) - basic_machine=i860-stratus - os=-sysv4 - ;; - sun2) - basic_machine=m68000-sun - ;; - sun2os3) - basic_machine=m68000-sun - os=-sunos3 - ;; - sun2os4) - basic_machine=m68000-sun - os=-sunos4 - ;; - sun3os3) - basic_machine=m68k-sun - os=-sunos3 - ;; - sun3os4) - basic_machine=m68k-sun - os=-sunos4 - ;; - sun4os3) - basic_machine=sparc-sun - os=-sunos3 - ;; - sun4os4) - basic_machine=sparc-sun - os=-sunos4 - ;; - sun4sol2) - basic_machine=sparc-sun - 
os=-solaris2 - ;; - sun3 | sun3-*) - basic_machine=m68k-sun - ;; - sun4) - basic_machine=sparc-sun - ;; - sun386 | sun386i | roadrunner) - basic_machine=i386-sun - ;; - sv1) - basic_machine=sv1-cray - os=-unicos - ;; - symmetry) - basic_machine=i386-sequent - os=-dynix - ;; - t3e) - basic_machine=alphaev5-cray - os=-unicos - ;; - t90) - basic_machine=t90-cray - os=-unicos - ;; - tic54x | c54x*) - basic_machine=tic54x-unknown - os=-coff - ;; - tic55x | c55x*) - basic_machine=tic55x-unknown - os=-coff - ;; - tic6x | c6x*) - basic_machine=tic6x-unknown - os=-coff - ;; - tx39) - basic_machine=mipstx39-unknown - ;; - tx39el) - basic_machine=mipstx39el-unknown - ;; - toad1) - basic_machine=pdp10-xkl - os=-tops20 - ;; - tower | tower-32) - basic_machine=m68k-ncr - ;; - tpf) - basic_machine=s390x-ibm - os=-tpf - ;; - udi29k) - basic_machine=a29k-amd - os=-udi - ;; - ultra3) - basic_machine=a29k-nyu - os=-sym1 - ;; - v810 | necv810) - basic_machine=v810-nec - os=-none - ;; - vaxv) - basic_machine=vax-dec - os=-sysv - ;; - vms) - basic_machine=vax-dec - os=-vms - ;; - vpp*|vx|vx-*) - basic_machine=f301-fujitsu - ;; - vxworks960) - basic_machine=i960-wrs - os=-vxworks - ;; - vxworks68) - basic_machine=m68k-wrs - os=-vxworks - ;; - vxworks29k) - basic_machine=a29k-wrs - os=-vxworks - ;; - w65*) - basic_machine=w65-wdc - os=-none - ;; - w89k-*) - basic_machine=hppa1.1-winbond - os=-proelf - ;; - xps | xps100) - basic_machine=xps100-honeywell - ;; - ymp) - basic_machine=ymp-cray - os=-unicos - ;; - z8k-*-coff) - basic_machine=z8k-unknown - os=-sim - ;; - none) - basic_machine=none-none - os=-none - ;; - -# Here we handle the default manufacturer of certain CPU types. It is in -# some cases the only manufacturer, in others, it is the most popular. 
- w89k) - basic_machine=hppa1.1-winbond - ;; - op50n) - basic_machine=hppa1.1-oki - ;; - op60c) - basic_machine=hppa1.1-oki - ;; - romp) - basic_machine=romp-ibm - ;; - rs6000) - basic_machine=rs6000-ibm - ;; - vax) - basic_machine=vax-dec - ;; - pdp10) - # there are many clones, so DEC is not a safe bet - basic_machine=pdp10-unknown - ;; - pdp11) - basic_machine=pdp11-dec - ;; - we32k) - basic_machine=we32k-att - ;; - sh3 | sh4 | sh[34]eb | sh[1234]le | sh[23]ele) - basic_machine=sh-unknown - ;; - sh64) - basic_machine=sh64-unknown - ;; - sparc | sparcv9 | sparcv9b) - basic_machine=sparc-sun - ;; - cydra) - basic_machine=cydra-cydrome - ;; - orion) - basic_machine=orion-highlevel - ;; - orion105) - basic_machine=clipper-highlevel - ;; - mac | mpw | mac-mpw) - basic_machine=m68k-apple - ;; - pmac | pmac-mpw) - basic_machine=powerpc-apple - ;; - *-unknown) - # Make sure to match an already-canonicalized machine name. - ;; - *) - echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2 - exit 1 - ;; -esac - -# Here we canonicalize certain aliases for manufacturers. -case $basic_machine in - *-digital*) - basic_machine=`echo $basic_machine | sed 's/digital.*/dec/'` - ;; - *-commodore*) - basic_machine=`echo $basic_machine | sed 's/commodore.*/cbm/'` - ;; - *) - ;; -esac - -# Decode manufacturer-specific aliases for certain operating systems. - -if [ x"$os" != x"" ] -then -case $os in - # First match some system type aliases - # that might get confused with valid system types. - # -solaris* is a basic system type, with this one exception. - -solaris1 | -solaris1.*) - os=`echo $os | sed -e 's|solaris1|sunos4|'` - ;; - -solaris) - os=-solaris2 - ;; - -svr4*) - os=-sysv4 - ;; - -unixware*) - os=-sysv4.2uw - ;; - -gnu/linux*) - os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'` - ;; - # First accept the basic system types. - # The portable systems comes first. - # Each alternative MUST END IN A *, to match a version number. 
- # -sysv* is not here because it comes later, after sysvr4. - -gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \ - | -*vms* | -sco* | -esix* | -isc* | -aix* | -sunos | -sunos[34]*\ - | -hpux* | -unos* | -osf* | -luna* | -dgux* | -solaris* | -sym* \ - | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \ - | -aos* \ - | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \ - | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \ - | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* | -openbsd* \ - | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \ - | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \ - | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \ - | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \ - | -chorusos* | -chorusrdb* \ - | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ - | -mingw32* | -linux-gnu* | -linux-uclibc* | -uxpv* | -beos* | -mpeix* | -udk* \ - | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \ - | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \ - | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \ - | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \ - | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \ - | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly*) - # Remember, each alternative MUST END IN *, to match a version number. 
- ;; - -qnx*) - case $basic_machine in - x86-* | i*86-*) - ;; - *) - os=-nto$os - ;; - esac - ;; - -nto-qnx*) - ;; - -nto*) - os=`echo $os | sed -e 's|nto|nto-qnx|'` - ;; - -sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \ - | -windows* | -osx | -abug | -netware* | -os9* | -beos* \ - | -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*) - ;; - -mac*) - os=`echo $os | sed -e 's|mac|macos|'` - ;; - -linux-dietlibc) - os=-linux-dietlibc - ;; - -linux*) - os=`echo $os | sed -e 's|linux|linux-gnu|'` - ;; - -sunos5*) - os=`echo $os | sed -e 's|sunos5|solaris2|'` - ;; - -sunos6*) - os=`echo $os | sed -e 's|sunos6|solaris3|'` - ;; - -opened*) - os=-openedition - ;; - -os400*) - os=-os400 - ;; - -wince*) - os=-wince - ;; - -osfrose*) - os=-osfrose - ;; - -osf*) - os=-osf - ;; - -utek*) - os=-bsd - ;; - -dynix*) - os=-bsd - ;; - -acis*) - os=-aos - ;; - -atheos*) - os=-atheos - ;; - -syllable*) - os=-syllable - ;; - -386bsd) - os=-bsd - ;; - -ctix* | -uts*) - os=-sysv - ;; - -nova*) - os=-rtmk-nova - ;; - -ns2 ) - os=-nextstep2 - ;; - -nsk*) - os=-nsk - ;; - # Preserve the version number of sinix5. - -sinix5.*) - os=`echo $os | sed -e 's|sinix|sysv|'` - ;; - -sinix*) - os=-sysv4 - ;; - -tpf*) - os=-tpf - ;; - -triton*) - os=-sysv3 - ;; - -oss*) - os=-sysv3 - ;; - -svr4) - os=-sysv4 - ;; - -svr3) - os=-sysv3 - ;; - -sysvr4) - os=-sysv4 - ;; - # This must come after -sysvr4. - -sysv*) - ;; - -ose*) - os=-ose - ;; - -es1800*) - os=-ose - ;; - -xenix) - os=-xenix - ;; - -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*) - os=-mint - ;; - -aros*) - os=-aros - ;; - -kaos*) - os=-kaos - ;; - -none) - ;; - *) - # Get rid of the `-' at the beginning of $os. - os=`echo $os | sed 's/[^-]*-//'` - echo Invalid configuration \`$1\': system \`$os\' not recognized 1>&2 - exit 1 - ;; -esac -else - -# Here we handle the default operating systems that come with various machines. 
-# The value should be what the vendor currently ships out the door with their -# machine or put another way, the most popular os provided with the machine. - -# Note that if you're going to try to match "-MANUFACTURER" here (say, -# "-sun"), then you have to tell the case statement up towards the top -# that MANUFACTURER isn't an operating system. Otherwise, code above -# will signal an error saying that MANUFACTURER isn't an operating -# system, and we'll never get to this point. - -case $basic_machine in - *-acorn) - os=-riscix1.2 - ;; - arm*-rebel) - os=-linux - ;; - arm*-semi) - os=-aout - ;; - c4x-* | tic4x-*) - os=-coff - ;; - # This must come before the *-dec entry. - pdp10-*) - os=-tops20 - ;; - pdp11-*) - os=-none - ;; - *-dec | vax-*) - os=-ultrix4.2 - ;; - m68*-apollo) - os=-domain - ;; - i386-sun) - os=-sunos4.0.2 - ;; - m68000-sun) - os=-sunos3 - # This also exists in the configure program, but was not the - # default. - # os=-sunos4 - ;; - m68*-cisco) - os=-aout - ;; - mips*-cisco) - os=-elf - ;; - mips*-*) - os=-elf - ;; - or32-*) - os=-coff - ;; - *-tti) # must be before sparc entry or we get the wrong os. 
- os=-sysv3 - ;; - sparc-* | *-sun) - os=-sunos4.1.1 - ;; - *-be) - os=-beos - ;; - *-ibm) - os=-aix - ;; - *-wec) - os=-proelf - ;; - *-winbond) - os=-proelf - ;; - *-oki) - os=-proelf - ;; - *-hp) - os=-hpux - ;; - *-hitachi) - os=-hiux - ;; - i860-* | *-att | *-ncr | *-altos | *-motorola | *-convergent) - os=-sysv - ;; - *-cbm) - os=-amigaos - ;; - *-dg) - os=-dgux - ;; - *-dolphin) - os=-sysv3 - ;; - m68k-ccur) - os=-rtu - ;; - m88k-omron*) - os=-luna - ;; - *-next ) - os=-nextstep - ;; - *-sequent) - os=-ptx - ;; - *-crds) - os=-unos - ;; - *-ns) - os=-genix - ;; - i370-*) - os=-mvs - ;; - *-next) - os=-nextstep3 - ;; - *-gould) - os=-sysv - ;; - *-highlevel) - os=-bsd - ;; - *-encore) - os=-bsd - ;; - *-sgi) - os=-irix - ;; - *-siemens) - os=-sysv4 - ;; - *-masscomp) - os=-rtu - ;; - f30[01]-fujitsu | f700-fujitsu) - os=-uxpv - ;; - *-rom68k) - os=-coff - ;; - *-*bug) - os=-coff - ;; - *-apple) - os=-macos - ;; - *-atari*) - os=-mint - ;; - *) - os=-none - ;; -esac -fi - -# Here we handle the case where we know the os, and the CPU type, but not the -# manufacturer. We pick the logical manufacturer. 
-vendor=unknown -case $basic_machine in - *-unknown) - case $os in - -riscix*) - vendor=acorn - ;; - -sunos*) - vendor=sun - ;; - -aix*) - vendor=ibm - ;; - -beos*) - vendor=be - ;; - -hpux*) - vendor=hp - ;; - -mpeix*) - vendor=hp - ;; - -hiux*) - vendor=hitachi - ;; - -unos*) - vendor=crds - ;; - -dgux*) - vendor=dg - ;; - -luna*) - vendor=omron - ;; - -genix*) - vendor=ns - ;; - -mvs* | -opened*) - vendor=ibm - ;; - -os400*) - vendor=ibm - ;; - -ptx*) - vendor=sequent - ;; - -tpf*) - vendor=ibm - ;; - -vxsim* | -vxworks* | -windiss*) - vendor=wrs - ;; - -aux*) - vendor=apple - ;; - -hms*) - vendor=hitachi - ;; - -mpw* | -macos*) - vendor=apple - ;; - -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*) - vendor=atari - ;; - -vos*) - vendor=stratus - ;; - esac - basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"` - ;; -esac - -echo $basic_machine$os -exit 0 - -# Local variables: -# eval: (add-hook 'write-file-hooks 'time-stamp) -# time-stamp-start: "timestamp='" -# time-stamp-format: "%:y-%02m-%02d" -# time-stamp-end: "'" -# End: diff --git a/crypto/heimdal-0.6.3/doc/Makefile.am b/crypto/heimdal-0.6.3/doc/Makefile.am deleted file mode 100644 index 6507fff9f7..0000000000 --- a/crypto/heimdal-0.6.3/doc/Makefile.am +++ /dev/null @@ -1,8 +0,0 @@ -# $Id: Makefile.am,v 1.6.26.1 2003/10/13 13:15:39 joda Exp $ - -include $(top_srcdir)/Makefile.am.common - -AUTOMAKE_OPTIONS = no-texinfo.tex - -info_TEXINFOS = heimdal.texi -heimdal_TEXINFOS = intro.texi install.texi setup.texi kerberos4.texi diff --git a/crypto/heimdal-0.6.3/doc/Makefile.in b/crypto/heimdal-0.6.3/doc/Makefile.in deleted file mode 100644 index ebf43954f1..0000000000 --- a/crypto/heimdal-0.6.3/doc/Makefile.in +++ /dev/null 
@@ -1,786 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.6.26.1 2003/10/13 13:15:39 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = .. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(heimdal_TEXINFOS) $(srcdir)/Makefile.am \ - $(srcdir)/Makefile.in $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common mdate-sh -subdir = doc -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - $(top_srcdir)/cf/krb-struct-spwd.m4 \ - 
$(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -depcomp = -am__depfiles_maybe = -SOURCES = -DIST_SOURCES = -INFO_DEPS = $(srcdir)/heimdal.info -am__TEXINFO_TEX_DIR = $(srcdir) -DVIS = heimdal.dvi -PDFS = heimdal.pdf -PSS = heimdal.ps -HTMLS = heimdal.html -TEXINFOS = heimdal.texi -TEXI2DVI = texi2dvi -TEXI2PDF = $(TEXI2DVI) --pdf --batch -MAKEINFOHTML = $(MAKEINFO) --html -AM_MAKEINFOHTMLFLAGS = $(AM_MAKEINFOFLAGS) -DVIPS = dvips -am__installdirs = "$(DESTDIR)$(infodir)" -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken 
= @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror 
= @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ 
-X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ 
-LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -AUTOMAKE_OPTIONS = no-texinfo.tex -info_TEXINFOS = heimdal.texi -heimdal_TEXINFOS = intro.texi install.texi setup.texi kerberos4.texi -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .dvi .html .info .pdf .ps .texi -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps doc/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps doc/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' 
in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool - -.texi.info: - restore=: && \ - backupdir="$(am__leading_dot)am$$$$" && \ - am__cwd=`pwd` && cd $(srcdir) && \ - rm -rf $$backupdir && mkdir $$backupdir && \ - for f in $@ $@-[0-9] $@-[0-9][0-9] $(@:.info=).i[0-9] $(@:.info=).i[0-9][0-9]; do \ - if test -f $$f; then \ - mv $$f $$backupdir; \ - restore=mv; \ - fi; \ - done; \ - cd "$$am__cwd"; \ - if $(MAKEINFO) $(AM_MAKEINFOFLAGS) $(MAKEINFOFLAGS) -I $(srcdir) \ - -o $@ $<; \ - then \ - rc=0; \ - cd $(srcdir); \ - else \ - rc=$$?; \ - cd $(srcdir) && \ - $$restore $$backupdir/* `echo "./$@" | sed 's|[^/]*$$||'`; \ - fi; \ - rm -rf $$backupdir; \ - exit $$rc - -.texi.dvi: - TEXINPUTS="$(am__TEXINFO_TEX_DIR)$(PATH_SEPARATOR)$$TEXINPUTS" \ - MAKEINFO='$(MAKEINFO) $(AM_MAKEINFOFLAGS) $(MAKEINFOFLAGS) -I $(srcdir)' \ - $(TEXI2DVI) $< - -.texi.pdf: - TEXINPUTS="$(am__TEXINFO_TEX_DIR)$(PATH_SEPARATOR)$$TEXINPUTS" \ - MAKEINFO='$(MAKEINFO) $(AM_MAKEINFOFLAGS) $(MAKEINFOFLAGS) -I $(srcdir)' \ - $(TEXI2PDF) $< - -.texi.html: - $(MAKEINFOHTML) $(AM_MAKEINFOHTMLFLAGS) $(MAKEINFOFLAGS) -I $(srcdir) \ - -o $@ $< - if test ! 
-d $@ && test -d $(@:.html=); then \ - mv $(@:.html=) $@; else :; fi -$(srcdir)/heimdal.info: heimdal.texi $(heimdal_TEXINFOS) -heimdal.dvi: heimdal.texi $(heimdal_TEXINFOS) -heimdal.pdf: heimdal.texi $(heimdal_TEXINFOS) -heimdal.html: heimdal.texi $(heimdal_TEXINFOS) -.dvi.ps: - $(DVIPS) -o $@ $< - -uninstall-info-am: - $(PRE_UNINSTALL) - @if (install-info --version && \ - install-info --version 2>&1 | sed 1q | grep -i -v debian) >/dev/null 2>&1; then \ - list='$(INFO_DEPS)'; \ - for file in $$list; do \ - relfile=`echo "$$file" | sed 's|^.*/||'`; \ - echo " install-info --info-dir='$(DESTDIR)$(infodir)' --remove '$(DESTDIR)$(infodir)/$$relfile'"; \ - install-info --info-dir="$(DESTDIR)$(infodir)" --remove "$(DESTDIR)$(infodir)/$$relfile"; \ - done; \ - else :; fi - @$(NORMAL_UNINSTALL) - @list='$(INFO_DEPS)'; \ - for file in $$list; do \ - relfile=`echo "$$file" | sed 's|^.*/||'`; \ - relfile_i=`echo "$$relfile" | sed 's|\.info$$||;s|$$|.i|'`; \ - (if cd "$(DESTDIR)$(infodir)"; then \ - echo " rm -f $$relfile $$relfile-[0-9] $$relfile-[0-9][0-9] $$relfile_i[0-9] $$relfile_i[0-9][0-9])"; \ - rm -f $$relfile $$relfile-[0-9] $$relfile-[0-9][0-9] $$relfile_i[0-9] $$relfile_i[0-9][0-9]; \ - else :; fi); \ - done - -dist-info: $(INFO_DEPS) - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - list='$(INFO_DEPS)'; \ - for base in $$list; do \ - case $$base in \ - $(srcdir)/*) base=`echo "$$base" | sed "s|^$$srcdirstrip/||"`;; \ - esac; \ - if test -f $$base; then d=.; else d=$(srcdir); fi; \ - for file in $$d/$$base*; do \ - relfile=`expr "$$file" : "$$d/\(.*\)"`; \ - test -f $(distdir)/$$relfile || \ - cp -p $$file $(distdir)/$$relfile; \ - done; \ - done - -mostlyclean-aminfo: - -rm -rf heimdal.aux heimdal.cp heimdal.cps heimdal.fn heimdal.fns heimdal.ky \ - heimdal.kys heimdal.log heimdal.pg heimdal.tmp heimdal.toc \ - heimdal.tp heimdal.tps heimdal.vr heimdal.vrs heimdal.dvi \ - heimdal.pdf heimdal.ps heimdal.html - -maintainer-clean-aminfo: - @list='$(INFO_DEPS)'; 
for i in $$list; do \ - i_i=`echo "$$i" | sed 's|\.info$$||;s|$$|.i|'`; \ - echo " rm -f $$i $$i-[0-9] $$i-[0-9][0-9] $$i_i[0-9] $$i_i[0-9][0-9]"; \ - rm -f $$i $$i-[0-9] $$i-[0-9][0-9] $$i_i[0-9] $$i_i[0-9][0-9]; \ - done -tags: TAGS -TAGS: - -ctags: CTAGS -CTAGS: - - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/.. $(distdir)/../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-info dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(INFO_DEPS) all-local -installdirs: - for dir in "$(DESTDIR)$(infodir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ 
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-generic clean-libtool mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-generic distclean-libtool - -dvi: dvi-am - -dvi-am: $(DVIS) - -html: html-am - -html-am: $(HTMLS) - -info: info-am - -info-am: $(INFO_DEPS) - -install-data-am: install-info-am - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-info-am: $(INFO_DEPS) - @$(NORMAL_INSTALL) - test -z "$(infodir)" || $(mkdir_p) "$(DESTDIR)$(infodir)" - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - list='$(INFO_DEPS)'; \ - for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - esac; \ - if test -f $$file; then d=.; else d=$(srcdir); fi; \ - file_i=`echo "$$file" | sed 's|\.info$$||;s|$$|.i|'`; \ - for ifile in $$d/$$file $$d/$$file-[0-9] $$d/$$file-[0-9][0-9] \ - $$d/$$file_i[0-9] $$d/$$file_i[0-9][0-9] ; do \ - if test -f $$ifile; then \ - relfile=`echo "$$ifile" | sed 's|^.*/||'`; \ - echo " $(INSTALL_DATA) '$$ifile' '$(DESTDIR)$(infodir)/$$relfile'"; \ - $(INSTALL_DATA) "$$ifile" "$(DESTDIR)$(infodir)/$$relfile"; \ - else : ; fi; \ - done; \ - done - @$(POST_INSTALL) - @if (install-info --version && \ - install-info --version 2>&1 | sed 1q | grep -i -v debian) >/dev/null 2>&1; then \ - list='$(INFO_DEPS)'; \ - for file in $$list; do \ - relfile=`echo "$$file" | sed 's|^.*/||'`; \ - echo " install-info --info-dir='$(DESTDIR)$(infodir)' '$(DESTDIR)$(infodir)/$$relfile'";\ - install-info --info-dir="$(DESTDIR)$(infodir)" 
"$(DESTDIR)$(infodir)/$$relfile" || :;\ - done; \ - else : ; fi -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-aminfo \ - maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-aminfo mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: $(PDFS) - -ps: ps-am - -ps-am: $(PSS) - -uninstall-am: uninstall-info-am - -.PHONY: all all-am all-local check check-am check-local clean \ - clean-generic clean-libtool dist-info distclean \ - distclean-generic distclean-libtool distdir dvi dvi-am html \ - html-am info info-am install install-am install-data \ - install-data-am install-exec install-exec-am install-info \ - install-info-am install-man install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-aminfo maintainer-clean-generic mostlyclean \ - mostlyclean-aminfo mostlyclean-generic mostlyclean-libtool pdf \ - pdf-am ps ps-am uninstall uninstall-am uninstall-info-am - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in 
$$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: 
dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal-0.6.3/doc/ack.texi b/crypto/heimdal-0.6.3/doc/ack.texi deleted file mode 100644 index d6586ba882..0000000000 --- a/crypto/heimdal-0.6.3/doc/ack.texi +++ /dev/null 
@@ -1,68 +0,0 @@
-@c $Id: ack.texi,v 1.16.2.1 2003/09/18 20:46:05 lha Exp $
-
-@node Acknowledgments, , Migration, Top
-@comment node-name, next, previous, up
-@appendix Acknowledgments
-
-Eric Young wrote ``libdes''.
-
-The University of California at Berkeley initially wrote @code{telnet},
-and @code{telnetd}. The authentication and encryption code of
-@code{telnet} and @code{telnetd} was added by David Borman (then of Cray
-Research, Inc). The encryption code was removed when this was exported
-and then added back by Juha Eskelinen, @email{esc@@magic.fi}.
-
-The @code{popper} was also a Berkeley program initially.
-
-Some of the functions in @file{libroken} also come from Berkeley by way
-of NetBSD/FreeBSD.
-
-@code{editline} was written by Simmule Turner and Rich Salz.
-
-The @code{getifaddrs} implementation for Linux was written by Hideaki
-YOSHIFUJI for the Usagi project.
-
-Bugfixes, documentation, encouragement, and code has been contributed by:
-@table @asis
-@item Derrick J Brashear
-@email{shadow@@dementia.org}
-@item Ken Hornstein
-@email{kenh@@cmf.nrl.navy.mil}
-@item Johan Ihrén
-@email{johani@@pdc.kth.se}
-@item Love Hörnquist-Åstrand
-@email{lha@@stacken.kth.se}
-@item Magnus Ahltorp
-@email{map@@stacken.kth.se}
-@item Mark Eichin
-@email{eichin@@cygnus.com}
-@item Marc Horowitz
-@email{marc@@cygnus.com}
-@item Luke Howard
-@email{lukeh@@PADL.COM}
-@item Brandon S. Allbery KF8NH
-@email{allbery@@kf8nh.apk.net}
-@item Jun-ichiro itojun Hagino
-@email{itojun@@kame.net}
-@item Daniel Kouril
-@email{kouril@@informatics.muni.cz}
-@item Åke Sandgren
-@email{ake@@cs.umu.se}
-@item Michal Vocu
-@email{michal@@karlin.mff.cuni.cz}
-@item Miroslav Ruda
-@email{ruda@@ics.muni.cz}
-@item Brian A May
-@email{bmay@@snoopy.apana.org.au}
-@item Chaskiel M Grundman
-@email{cg2v@@andrew.cmu.edu}
-@item Richard Nyberg
-@email{rnyberg@@it.su.se}
-@item Frank van der Linden
-@email{fvdl@@netbsd.org}
-@item Cizzi Storm
-@email{cizzi@@it.su.se}
-@item and we hope that those not mentioned here will forgive us.
-@end table
-
-All bugs were introduced by ourselves.
diff --git a/crypto/heimdal-0.6.3/doc/heimdal.info b/crypto/heimdal-0.6.3/doc/heimdal.info
deleted file mode 100644
index 54337fca33..0000000000
--- a/crypto/heimdal-0.6.3/doc/heimdal.info
+++ /dev/null
@@ -1,54 +0,0 @@ -This is Info file heimdal.info, produced by Makeinfo version 1.68 from -the input file heimdal.texi. - -INFO-DIR-SECTION Heimdal -START-INFO-DIR-ENTRY -* Heimdal: (heimdal). The Kerberos 5 distribution from KTH -END-INFO-DIR-ENTRY - - -Indirect: -heimdal.info-1: 236 -heimdal.info-2: 48957 - -Tag Table: -(Indirect) -Node: Top236 -Node: Introduction591 -Node: What is Kerberos?3469 -Node: Building and Installing8542 -Node: Setting up a realm12154 -Node: Configuration file12905 -Node: Creating the database15662 -Node: keytabs18261 -Node: Serving Kerberos 4/524/kaserver19105 -Node: Remote administration20553 -Node: Password changing22489 -Node: Testing clients and servers24298 -Node: Slave Servers24618 -Node: Incremental propagation26366 -Node: Salting28894 -Node: Cross realm30628 -Node: Transit policy33178 -Node: Setting up DNS34421 -Node: Things in search for a better place36071 -Node: Kerberos 4 issues41083 -Node: Principal conversion issues41585 -Node: Converting a version 4 database43929 -Node: kaserver48957 -Node: Windows 2000 compatability50696 -Node: Configuring Windows 2000 to use a Heimdal KDC51882 -Node: Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC53634 -Node: Create account mappings56082 -Node: Encryption types56672 -Node: Authorization data57413 -Node: Quirks of Windows 2000 KDC58557 -Node: Useful links when reading about the Windows 200059799 -Node: Programming with Kerberos61871 -Node: Kerberos 5 API Overview62285 -Node: Walkthru a sample Kerberos 5 client63839 -Node: Validating a password in a server application71655 -Node: Migration71936 -Node: Acknowledgments73189 - -End Tag Table diff --git a/crypto/heimdal-0.6.3/doc/heimdal.info-1 b/crypto/heimdal-0.6.3/doc/heimdal.info-1 deleted file mode 100644 index 9650a80a90..0000000000 --- a/crypto/heimdal-0.6.3/doc/heimdal.info-1 +++ /dev/null 
@@ -1,1290 +0,0 @@ -This is Info file heimdal.info, produced by Makeinfo version 1.68 from -the input file heimdal.texi. - -INFO-DIR-SECTION Heimdal -START-INFO-DIR-ENTRY -* Heimdal: (heimdal). The Kerberos 5 distribution from KTH -END-INFO-DIR-ENTRY - - -File: heimdal.info, Node: Top, Next: Introduction, Prev: (dir), Up: (dir) - -Heimdal -******* - -* Menu: - -* Introduction:: -* What is Kerberos?:: -* Building and Installing:: -* Setting up a realm:: -* Things in search for a better place:: -* Kerberos 4 issues:: -* Windows 2000 compatability:: -* Programming with Kerberos:: -* Migration:: -* Acknowledgments:: - - -File: heimdal.info, Node: Introduction, Next: What is Kerberos?, Prev: Top, Up: Top - -Introduction -************ - -What is Heimdal? -================ - -Heimdal is a free implementation of Kerberos 5. The goals are to: - - * have an implementation that can be freely used by anyone - - * be protocol compatible with existing implementations and, if not in - conflict, with RFC 1510 (and any future updated RFC) - - * be reasonably compatible with the M.I.T Kerberos V5 API - - * have support for Kerberos V5 over GSS-API (RFC1964) - - * include the most important and useful application programs (rsh, - telnet, popper, etc.) 
- - * include enough backwards compatibility with Kerberos V4 - -Status -====== - -Heimdal has the following features (this does not mean any of this -works): - - * a stub generator and a library to encode/decode/whatever ASN.1/DER - stuff - - * a `libkrb5' library that should be possible to get to work with - simple applications - - * a GSS-API library that should have all the important functions for - building applications - - * Eric Young's `libdes' - - * `kinit', `klist', `kdestroy' - - * `telnet', `telnetd' - - * `rsh', `rshd' - - * `popper', `push' (a movemail equivalent) - - * `ftp', and `ftpd' - - * a library `libkafs' for authenticating to AFS and a program - `afslog' that uses it - - * some simple test programs - - * a KDC that supports most things; optionally, it may also support - Kerberos V4 and kaserver, - - * simple programs for distributing databases between a KDC master and - slaves - - * a password changing daemon `kpasswdd', library functions for - changing passwords and a simple client - - * some kind of administration system - - * Kerberos V4 support in many of the applications. - -Bug reports -=========== - -If you find bugs in this software, make sure it is a genuine bug and not -just a part of the code that isn't implemented. - -Bug reports should be sent to . Please include -information on what machine and operating system (including version) -you are running, what you are trying to do, what happens, what you -think should have happened, an example for us to repeat, the output you -get when trying the example, and a patch for the problem if you have -one. Please make any patches with `diff -u' or `diff -c'. - -Suggestions, comments and other non bug reports are also welcome. - -Mailing list -============ - -There are two mailing lists with talk about Heimdal. - is a low-volume announcement list, while - is for general discussion. Send a message to - to subscribe. 
- -Heimdal source code, binaries and the manual -============================================ - -The source code for heimdal, links to binaries and the manual (this -document) can be found on our web-page at -`http://www.pdc.kth.se/heimdal/'. - - -File: heimdal.info, Node: What is Kerberos?, Next: Building and Installing, Prev: Introduction, Up: Top - -What is Kerberos? -***************** - - Now this Cerberus had three heads of dogs, - the tail of a dragon, and on his back the - heads of all sorts of snakes. - -- Pseudo-Apollodorus Library 2.5.12 - -Kerberos is a system for authenticating users and services on a network. -It is built upon the assumption that the network is "unsafe". For -example, data sent over the network can be eavesdropped and altered, and -addresses can also be faked. Therefore they cannot be used for -authentication purposes. - -Kerberos is a trusted third-party service. That means that there is a -third party (the kerberos server) that is trusted by all the entities on -the network (users and services, usually called "principals"). All -principals share a secret password (or key) with the kerberos server and -this enables principals to verify that the messages from the kerberos -server are authentic. Thus trusting the kerberos server, users and -services can authenticate each other. - -Basic mechanism -=============== - - *Note:* This discussion is about Kerberos version 4, but version 5 - works similarly. - -In Kerberos, principals use "tickets" to prove that they are who they -claim to be. In the following example, A is the initiator of the -authentication exchange, usually a user, and B is the service that A -wishes to use. - -To obtain a ticket for a specific service, A sends a ticket request to -the kerberos server. The request contains A's and B's names (along with -some other fields). The kerberos server checks that both A and B are -valid principals. 
- -Having verified the validity of the principals, it creates a packet -containing A's and B's names, A's network address (A), the -current time (T), the lifetime of the ticket (LIFE), and a -secret "session key" (K). This packet is encrypted with B's secret -key (K). The actual ticket (T) looks like this: ({A, B, -A, T, LIFE, K}K). - -The reply to A consists of the ticket (T), B's name, the current -time, the lifetime of the ticket, and the session key, all encrypted in -A's secret key ({B, T, LIFE, K, T}K). A decrypts the -reply and retains it for later use. - -Before sending a message to B, A creates an authenticator consisting of -A's name, A's address, the current time, and a "checksum" chosen by A, -all encrypted with the secret session key ({A, A, T, -CHECKSUM}K). This is sent together with the ticket received from -the kerberos server to B. Upon reception, B decrypts the ticket using -B's secret key. Since the ticket contains the session key that the -authenticator was encrypted with, B can now also decrypt the -authenticator. To verify that A really is A, B now has to compare the -contents of the ticket with that of the authenticator. If everything -matches, B now considers A as properly authenticated. - -Different attacks -================= - -Impersonating A ---------------- - -An impostor, C could steal the authenticator and the ticket as it is -transmitted across the network, and use them to impersonate A. The -address in the ticket and the authenticator was added to make it more -difficult to perform this attack. To succeed C will have to either use -the same machine as A or fake the source addresses of the packets. By -including the time stamp in the authenticator, C does not have much -time in which to mount the attack. - -Impersonating B ---------------- - -C can hijack B's network address, and when A sends her credentials, C -just pretend to verify them. C can't be sure that she is talking to A. 
- -Defense strategies -================== - -It would be possible to add a "replay cache" to the server side. The -idea is to save the authenticators sent during the last few minutes, so -that B can detect when someone is trying to retransmit an already used -message. This is somewhat impractical (mostly regarding efficiency), -and is not part of Kerberos 4; MIT Kerberos 5 contains it. - -To authenticate B, A might request that B sends something back that -proves that B has access to the session key. An example of this is the -checksum that A sent as part of the authenticator. One typical -procedure is to add one to the checksum, encrypt it with the session -key and send it back to A. This is called "mutual authentication". - -The session key can also be used to add cryptographic checksums to the -messages sent between A and B (known as "message integrity"). -Encryption can also be added ("message confidentiality"). This is -probably the best approach in all cases. - -Further reading -=============== - -The original paper on Kerberos from 1988 is `Kerberos: An -Authentication Service for Open Network Systems', by Jennifer Steiner, -Clifford Neuman and Jeffrey I. Schiller. - -A less technical description can be found in `Designing an -Authentication System: a Dialogue in Four Scenes' by Bill Bryant, also -from 1988. - -These documents can be found on our web-page at -`http://www.pdc.kth.se/kth-krb/'. - - -File: heimdal.info, Node: Building and Installing, Next: Setting up a realm, Prev: What is Kerberos?, Up: Top - -Building and Installing -*********************** - -Heimdal uses GNU Autoconf to configure for specific hosts, and GNU -Automake to manage makefiles. If this is new to you, the short -instruction is to run the `configure' script in the top level -directory, and when that finishes `make'. - -If you want to build the distribution in a different directory from the -source directory, you will need a make that implements VPATH correctly, -such as GNU make. 
- -You will need to build the distribution: - - * A compiler that supports a "loose" ANSI C mode, such as `gcc'. - - * lex or flex - - * awk - - * yacc or bison - - * a socket library - - * NDBM or Berkeley DB for building the server side. - -When everything is built, you can install by doing `make install'. The -default location for installation is `/usr/heimdal', but this can be -changed by running `configure' with `--prefix=/some/other/place'. - -If you need to change the default behavior, configure understands the -following options: - -`--without-berkeley-db' - DB is preferred before NDBM, but if you for some reason want to - use NDBM instead, you can use this option. - -`--with-krb4=`dir'' - Gives the location of Kerberos 4 libraries and headers. This - enables Kerberos 4 support in the applications (telnet, rsh, - popper, etc) and the KDC. It is automatically check for in - `/usr/athena'. If you keep libraries and headers in different - places, you can instead give the path to each with the - `--with-krb4-lib=`dir'', and `--with-krb4-include=`dir'' options. - - You will need a fairly recent version of our Kerberos 4 - distribution for `rshd' and `popper' to support version 4 clients. - -`--enable-dce' - Enables support for getting DCE credentials and tokens. See the - README files in `appl/dceutils' for more information. - -`--disable-otp' - By default some of the application programs will build with - support for one-time passwords (OTP). Use this option to disable - that support. - -`--enable-osfc2' - Enable some C2 support for OSF/Digital Unix/Tru64. Use this - option if you are running your OSF operating system in C2 mode. - -`--with-readline=`dir'' - Gives the path for the GNU Readline library, which will be used in - some programs. If no readline library is found, the (simpler) - editline library will be used instead. - -`--with-hesiod=`dir'' - Enables hesiod support in push. 
- -`--enable-netinfo' - Add support for using netinfo to lookup configuration information. - Probably only useful (and working) on NextStep/Mac OS X. - -`--without-ipv6' - Disable the IPv6 support. - -`--with-openldap' - Compile Heimdal with support for storing the database in LDAP. - Requires OpenLDAP `http://www.openldap.org'. See - `http://www.padl.com/~lukeh/heimdal/' for more information. - -`--enable-bigendian' - -`--enable-littleendian' - Normally, the build process will figure out by itself if the - machine is big or little endian. It might fail in some cases when - cross-compiling. If it does fail to figure it out, use the - relevant of these two options. - -`--with-mips-abi=ABI' - On Irix there are three different ABIs that can be used (`32', - `n32', or `64'). This option allows you to override the automatic - selection. - -`--disable-mmap' - Do not use the mmap system call. Normally, configure detects if - there is a working mmap and it is only used if there is one. Only - try this option if it fails to work anyhow. - - -File: heimdal.info, Node: Setting up a realm, Next: Things in search for a better place, Prev: Building and Installing, Up: Top - -Setting up a realm -****************** - -* Menu: - -* Configuration file:: -* Creating the database:: -* keytabs:: -* Serving Kerberos 4/524/kaserver:: -* Remote administration:: -* Password changing:: -* Testing clients and servers:: -* Slave Servers:: -* Incremental propagation:: -* Salting:: -* Cross realm:: -* Transit policy:: -* Setting up DNS:: - -A realm is an administrative domain. The name of a Kerberos realm is -usually the Internet domain name in uppercase. Call your realm the same -as your Internet domain name if you do not have strong reasons for not -doing so. It will make life easier for you and everyone else. 
- - -File: heimdal.info, Node: Configuration file, Next: Creating the database, Prev: Setting up a realm, Up: Setting up a realm - -Configuration file -================== - -To setup a realm you will first have to create a configuration file: -`/etc/krb5.conf'. The `krb5.conf' file can contain many configuration -options, some of which are described here. - -There is a sample `krb5.conf' supplied with the distribution. - -The configuration file is a hierarchical structure consisting of -sections, each containing a list of bindings (either variable -assignments or subsections). A section starts with `[section-name]'. A -binding consists of a left hand side, an equal (`=') and a right hand -side (the left hand side tag must be separated from the equal with some -whitespace.) Subsections has a `{' as the first non-whitespace -character after the equal. All other bindings are treated as variable -assignments. The value of a variable extends to the end of the line. - - [section1] - a-subsection = { - var = value1 - other-var = value with {} - sub-sub-section = { - var = 123 - } - } - var = some other value - [section2] - var = yet another value - -In this manual, names of sections and bindings will be given as strings -separated by slashes (`/'). The `other-var' variable will thus be -`section1/a-subsection/other-var'. - -For in-depth information about the contents of the configuration file, -refer to the `krb5.conf' manual page. Some of the more important -sections are briefly described here. - -The `libdefaults' section contains a list of library configuration -parameters, such as the default realm and the timeout for KDC -responses. The `realms' section contains information about specific -realms, such as where they hide their KDC. This section serves the same -purpose as the Kerberos 4 `krb.conf' file, but can contain more -information. 
Finally the `domain_realm' section contains a list of -mappings from domains to realms, equivalent to the Kerberos 4 -`krb.realms' file. - -To continue with the realm setup, you will have to create a -configuration file, with contents similar to the following. - - [libdefaults] - default_realm = MY.REALM - [realms] - MY.REALM = { - kdc = my.kdc my.slave.kdc - kdc = my.third.kdc - } - [domain_realm] - .my.domain = MY.REALM - -If you use a realm name equal to your domain name, you can omit the -`libdefaults', and `domain_realm', sections. If you have a SRV-record -for your realm, or your Kerberos server has CNAME called -`kerberos.my.realm', you can omit the `realms' section too. - - -File: heimdal.info, Node: Creating the database, Next: keytabs, Prev: Configuration file, Up: Setting up a realm - -Creating the database -===================== - -The database library will look for the database in the directory -`/var/heimdal', so you should probably create that directory. Make -sure the directory have restrictive permissions. - - # mkdir /var/heimdal - -The keys of all the principals are stored in the database. If you -choose to, these can be encrypted with a master key. You do not have to -remember this key (or password), but just to enter it once and it will -be stored in a file (`/var/heimdal/m-key'). If you want to have a -master key, run `kstash' to create this master key: - - # kstash - Master key: - Verifying password - Master key: - -To initialise the database use the `kadmin' program, with the `-l' -option (to enable local database mode). First issue a `init MY.REALM' -command. This will create the database and insert default principals -for that realm. You can have more than one realm in one database, so -`init' does not destroy any old database. - -Before creating the database, `init' will ask you some questions about -max ticket lifetimes. - -After creating the database you should probably add yourself to it. You -do this with the `add' command. 
It takes as argument the name of a -principal. The principal should contain a realm, so if you haven't setup -a default realm, you will need to explicitly include the realm. - - # kadmin -l - kadmin> init MY.REALM - Realm max ticket life [unlimited]: - Realm max renewable ticket life [unlimited]: - kadmin> add me - Max ticket life [unlimited]: - Max renewable life [unlimited]: - Attributes []: - Password: - Verifying password - Password: - -Now start the KDC and try getting a ticket. - - # kdc & - # kinit me - me@MY.REALMS's Password: - # klist - Credentials cache: /tmp/krb5cc_0 - Principal: me@MY.REALM - - Issued Expires Principal - Aug 25 07:25:55 Aug 25 17:25:55 krbtgt/MY.REALM@MY.REALM - -If you are curious you can use the `dump' command to list all the -entries in the database. It should look something similar to the -following example (note that the entries here are truncated for -typographical reasons): - - kadmin> dump - me@MY.REALM 1:0:1:0b01d3cb7c293b57:-:0:7:8aec316b9d1629e3baf8 ... - kadmin/admin@MY.REALM 1:0:1:e5c8a2675b37a443:-:0:7:cb913ebf85 ... - krbtgt/MY.REALM@MY.REALM 1:0:1:52b53b61c875ce16:-:0:7:c8943be ... - kadmin/changepw@MY.REALM 1:0:1:f48c8af2b340e9fb:-:0:7:e3e6088 ... - - -File: heimdal.info, Node: keytabs, Next: Serving Kerberos 4/524/kaserver, Prev: Creating the database, Up: Setting up a realm - -keytabs -======= - -To extract a service ticket from the database and put it in a keytab you -need to first create the principal in the database with `ank' (using -the `--random-key' flag to get a random key) and then extract it with -`ext_keytab'. 
- - kadmin> add --random-key host/my.host.name - Max ticket life [unlimited]: - Max renewable life [unlimited]: - Attributes []: - kadmin> ext host/my.host.name - # ktutil list - Version Type Principal - 1 des-cbc-md5 host/my.host.name@MY.REALM - 1 des-cbc-md4 host/my.host.name@MY.REALM - 1 des-cbc-crc host/my.host.name@MY.REALM - 1 des3-cbc-sha1 host/my.host.name@MY.REALM - - -File: heimdal.info, Node: Serving Kerberos 4/524/kaserver, Next: Remote administration, Prev: keytabs, Up: Setting up a realm - -Serving Kerberos 4/524/kaserver -=============================== - -Heimdal can be configured to support 524, Kerberos 4 or kaserver. All -theses services are default turned off. Kerberos 4 support also depends -on if Kerberos 4 support is compiled in with Heimdal. - -524 ---- - -524 is a service that allows the KDC to convert Kerberos 5 tickets to -Kerberos 4 tickets for backward compatibility. See also Using 2b tokens -with AFS in *Note Things in search for a better place::. - -524 can be turned on by adding this to the configuration file - - [kdc] - enable-524 = yes - -Kerberos 4 ----------- - -Kerberos 4 is the predecessor to to Kerberos 5. It only support single -DES. You should only enable Kerberos 4 support if you have a need for -for compatibility with an installed base of Kerberos 4 clients/servers. - -Kerberos 4 can be turned on by adding this to the configuration file - - [kdc] - enable-kerberos4 = yes - -kaserver --------- - -Kaserver is a Kerberos 4 that is used in AFS, the protocol have some -features over plain Kerberos 4, but like Kerberos 4 only use single DES -too. - -You should only enable Kerberos 4 support if you have a need for for -compatibility with an installed base of AFS machines. 
- -Kaserver can be turned on by adding this to the configuration file - - [kdc] - enable-kaserver = yes - - -File: heimdal.info, Node: Remote administration, Next: Password changing, Prev: Serving Kerberos 4/524/kaserver, Up: Setting up a realm - -Remote administration -===================== - -The administration server, `kadmind', can be started by `inetd' (which -isn't recommended) or run as a normal daemon. If you want to start it -from `inetd' you should add a line similar to the one below to your -`/etc/inetd.conf'. - - kerberos-adm stream tcp nowait root /usr/heimdal/libexec/kadmind kadmind - -You might need to add `kerberos-adm' to your `/etc/services' as 749/tcp. - -Access to the administration server is controlled by an acl-file, -(default `/var/heimdal/kadmind.acl'.) The lines in the access file, has -the following syntax: - principal [priv1,priv2,...] [glob-pattern] - -The matching is from top to bottom for matching principal (and if given, -glob-pattern). When there is a match, the rights of that lines are -used. - -The privileges you can assign to a principal are: `add', -`change-password' (or `cpw' for short), `delete', `get', `list', and -`modify', or the special privilege `all'. All of these roughly -corresponds to the different commands in `kadmin'. - -If a GLOB-PATTERN is given on a line, it restricts the right for the -principal to only apply for the subjects that match the pattern. The -patters are of the same type as those used in shell globbing, see -`none,,fnmatch(3)'. - -In the example below `lha/admin' can change every principal in the -database. `jimmy/admin' can only modify principals that belong to the -realm `E.KTH.SE'. `mille/admin' is working at the help desk, so he -should only be able to change the passwords for single component -principals (ordinary users). He will not be able to change any `/admin' -principal. 
- - lha/admin@E.KTH.SE all - jimmy/admin@E.KTH.SE all *@E.KTH.SE - jimmy/admin@E.KTH.SE all */*@E.KTH.SE - mille/admin@E.KTH.SE change-password *@E.KTH.SE - - -File: heimdal.info, Node: Password changing, Next: Testing clients and servers, Prev: Remote administration, Up: Setting up a realm - -Password changing -================= - -To allow users to change their passwords, you should run `kpasswdd'. -It is not run from `inetd'. - -You might need to add `kpasswd' to your `/etc/services' as 464/udp. - -Password quality assurance --------------------------- - -It is important that users have good passwords, both to make it harder -to guess them and to avoid off-line attacks (pre-authentication provides -some defense against off-line attacks). To ensure that the users choose -good passwords, you can enable password quality controls in `kpasswdd'. -The controls themselves are done in a shared library that is used by -`kpasswdd'. To configure in these controls, add lines similar to the -following to your `/etc/krb5.conf': - - [password_quality] - check_library = LIBRARY - check_function = FUNCTION - -The function FUNCTION in the shared library LIBRARY will be called for -proposed new passwords. The function should be declared as: - - const char * - function(krb5_context context, krb5_principal principal, krb5_data *pwd); - -The function should verify that PWD is a good password for PRINCIPAL -and if so return `NULL'. If it is deemed to be of low quality, it -should return a string explaining why that password should not be used. - -Code for a password quality checking function that uses the cracklib -library can be found in `lib/kadm5/sample_password_check.c' in the -source code distribution. It requires the cracklib library built with -the patch available at -`ftp://ftp.pdc.kth.se/pub/krb/src/cracklib.patch'. - -If no password quality checking function is configured, it is only -verified that it is at least six characters of length. 
- - -File: heimdal.info, Node: Testing clients and servers, Next: Slave Servers, Prev: Password changing, Up: Setting up a realm - -Testing clients and servers -=========================== - -Now you should be able to run all the clients and servers. Refer to the -appropriate man pages for information on how to use them. - - -File: heimdal.info, Node: Slave Servers, Next: Incremental propagation, Prev: Testing clients and servers, Up: Setting up a realm - -Slave servers, Incremental propagation, Testing clients and servers, Setting up a realm -======================================================================================= - -It is desirable to have at least one backup (slave) server in case the -master server fails. It is possible to have any number of such slave -servers but more than three usually doesn't buy much more redundancy. - -All Kerberos servers for a realm shall have the same database so that -they present the same service to all the users. The `hprop' program, -running on the master, will propagate the database to the slaves, -running `hpropd' processes. - -Every slave needs a database directory, the master key (if it was used -for the database) and a keytab with the principal `hprop/HOSTNAME'. -Add the principal with the `ktutil' command and start `propd', as -follows: - - slave# ktutil get -p foo/admin hprop/`hostname` - slave# mkdir /var/heimdal - slave# hpropd - -The master will use the principal `kadmin/hprop' to authenticate to the -slaves. This principal should be added when running `kadmin -l init' -but if you do not have it in your database for whatever reason, please -add it with `kadmin -l add'. - -Then run `hprop' on the master: - - master# hprop slave - -This was just an on-hands example to make sure that everything was -working properly. 
Doing it manually is of course the wrong way and to -automate this you will want to start `hpropd' from `inetd' on the -slave(s) and regularly run `hprop' on the master to regularly propagate -the database. Starting the propagation once an hour from `cron' is -probably a good idea. - - -File: heimdal.info, Node: Incremental propagation, Next: Salting, Prev: Slave Servers, Up: Setting up a realm - -Incremental propagation -======================= - -There is also a newer and still somewhat experimental mechanism for -doing incremental propagation in Heimdal. Instead of sending the whole -database regularly, it sends the changes as they happen on the master to -the slaves. The master keeps track of all the changes by assigned a -version number to every change to the database. The slaves know which -was the latest version they saw and in this way it can be determined if -they are in sync or not. A log of all the changes is kept on the master -and when a slave is at an older versioner than the oldest one in the -log, the whole database has to be sent. - -Protocol-wise, all the slaves connects to the master and as a greeting -tell it the latest version that they have (`IHAVE' message). The -master then responds by sending all the changes between that version and -the current version at the master (a series of `FORYOU' messages) or -the whole database in a `TELLYOUEVERYTHING' message. - -Configuring incremental propagation ------------------------------------ - -The program that runs on the master is `ipropd-master' and all clients -run `ipropd-slave'. - -Create the file `/var/heimdal/slaves' on the master containing all the -slaves that the database should be propagated to. Each line contains -the full name of the principal (for example -`iprop/hemligare.foo.se@FOO.SE'). - -You should already have `iprop/tcp' defined as 2121, in your -`/etc/services'. Otherwise, or if you need to use a different port for -some peculiar reason, you can use the `--port' option. 
This is useful -when you have multiple realms to distribute from one server. - -Then you need to create these principals that you added in the -configuration file. Create one `iprop/hostname' for the master and for -every slave. - - master# /usr/heimdal/sbin/ktutil get iprop/`hostname` - -The next step is to start the `ipropd-master' process on the master -server. The `ipropd-master' listens on the UNIX-socket -`/var/heimdal/signal' to know when changes have been made to the -database so they can be propagated to the slaves. There is also a -safety feature of testing the version number regularly (every 30 -seconds) to see if it has been modified by some means that do not raise -this signal. Then, start `ipropd-slave' on all the slaves: - - master# /usr/heimdal/libexec/ipropd-master & - slave# /usr/heimdal/libexec/ipropd-slave master & - - -File: heimdal.info, Node: Salting, Next: Cross realm, Prev: Incremental propagation, Up: Setting up a realm - -Salting -======= - -Salting is used to make it harder to precalculate all possible keys. -Using a salt increases the search space to make it almost impossible to -precalculate all keys. Salting is the process of mixing a public string -(the salt) with the password, then sending it through an -encryption-type specific string-to-key function that will output the -fixed size encryption key. - -In Kerberos 5 the salt is determined by the encryption-type, except in -some special cases. - -In `des' there is the Kerberos 4 salt (none at all) or the afs-salt -(using the cell (realm in afs-lingo)). - -In `arcfour' (the encryption type that Microsoft Windows 2000 uses) -there is no salt. This is to be compatible with NTLM keys in Windows NT -4. - -`[kadmin]default_keys' in `krb5.conf' controls what salting to use, - -The syntax of `[kadmin]default_keys' is -`[etype:]salt-type[:salt-string]'. 
`etype' is the encryption type (des, -des3, arcfour), `salt-type' is the type of salt (pw-salt or afs3-salt), -and the salt-string is the string that will be used as salt (remember -that if the salt is appended/prepended, the empty salt "" is the same -thing as no salt at all). - -Common types of salting includes - - * `v4' (or `des:pw-salt:') - - The Kerberos 4 salting is using no salt att all. Reason there is - colon that the end or the salt string is that it makes the salt - the empty string (same as no salt). - - * `v5' (or `pw-salt') - - `pw-salt' means all regular encryption-types that is regular - - * `afs3-salt' - - `afs3-salt' is the salting that is used with Transarc kaserver. Its - the cell appended to the password. - - -File: heimdal.info, Node: Cross realm, Next: Transit policy, Prev: Salting, Up: Setting up a realm - -Cross realm -=========== - -Suppose you are residing in the realm `MY.REALM', how do you -authenticate to a server in `OTHER.REALM'? Having valid tickets in -`MY.REALM' allows you to communicate with kerberised services in that -realm. However, the computer in the other realm does not have a secret -key shared with the Kerberos server in your realm. - -It is possible to add a share keys between two realms that trust each -other. When a client program, such as `telnet' or `ssh', finds that the -other computer is in a different realm, it will try to get a ticket -granting ticket for that other realm, but from the local Kerberos -server. With that ticket granting ticket, it will then obtain service -tickets from the Kerberos server in the other realm. - -For a two way trust between `MY.REALM' and `OTHER.REALM' add the -following principals to each realm. The principals should be -`krbtgt/OTHER.REALM@MY.REALM' and `krbtgt/MY.REALM@OTHER.REALM' in -`MY.REALM', and `krbtgt/MY.REALM@OTHER.REALM' and -`krbtgt/OTHER.REALM@MY.REALM'in `OTHER.REALM'. - -In Kerberos 5 the trust can be one configured to be one way. 
So that -users from `MY.REALM' can authenticate to services in `OTHER.REALM', -but not the opposite. In the example above, the -`krbtgt/MY.REALM@OTHER.REALM' then should be removed. - -The two principals must have the same key, key version number, and the -same set of encryption types. Remember to transfer the two keys in a -safe manner. - - vr$ klist - Credentials cache: FILE:/tmp/krb5cc_913.console - Principal: lha@E.KTH.SE - - Issued Expires Principal - May 3 13:55:52 May 3 23:55:54 krbtgt/E.KTH.SE@E.KTH.SE - - vr$ telnet -l lha hummel.it.su.se - Trying 2001:6b0:5:1095:250:fcff:fe24:dbf... - Connected to hummel.it.su.se. - Escape character is '^]'. - Waiting for encryption to be negotiated... - [ Trying mutual KERBEROS5 (host/hummel.it.su.se@SU.SE)... ] - [ Kerberos V5 accepts you as ``lha@E.KTH.SE'' ] - Encryption negotiated. - Last login: Sat May 3 14:11:47 from vr.l.nxs.se - hummel$ exit - - vr$ klist - Credentials cache: FILE:/tmp/krb5cc_913.console - Principal: lha@E.KTH.SE - - Issued Expires Principal - May 3 13:55:52 May 3 23:55:54 krbtgt/E.KTH.SE@E.KTH.SE - May 3 13:55:56 May 3 23:55:54 krbtgt/SU.SE@E.KTH.SE - May 3 14:10:54 May 3 23:55:54 host/hummel.it.su.se@SU.SE - - -File: heimdal.info, Node: Transit policy, Next: Setting up DNS, Prev: Cross realm, Up: Setting up a realm - -Transit policy -============== - -If you want to use cross realm authentication through an intermediate -realm it must be explicitly allowed by either the KDCs or the server -receiving the request. This is done in `krb5.conf' in the `[capaths]' -section. - -When the ticket transits through a realm to another realm, the -destination realm adds its peer to the "transited-realms" field in the -ticket. The field is unordered, this is since there is no way to know if -know if one of the transited-realms changed the order of the list. - -The syntax for `[capaths]' section: - - [capaths] - CLIENT-REALM = { - SERVER-REALM = PERMITTED-CROSS-REALMS ... 
- } - -The realm `STACKEN.KTH.SE' allows clients from `SU.SE' and `DSV.SU.SE' -to cross in. Since `STACKEN.KTH.SE' only have direct cross realm with -`KTH.SE', and `DSV.SU.SE' only have direct cross realm with `SU.SE' -they need to use both `SU.SE' and `KTH.SE' as transit realms. - - [capaths] - SU.SE = { - STACKEN.KTH.SE = KTH.SE - } - DSV.SU.SE = { - STACKEN.KTH.SE = SU.SE KTH.SE - } - - -File: heimdal.info, Node: Setting up DNS, Prev: Transit policy, Up: Setting up a realm - -Setting up DNS -============== - -If there is information about where to find the KDC or kadmind for a -realm in the `krb5.conf' for a realm, that information will be -preferred and DNS will not be queried. - -Heimdal will try to use DNS to find the KDCs for a realm. First it will -try to find `SRV' resource record (RR) for the realm. If no SRV RRs are -found, it will fall back to looking for a `A' RR for a machine named -kerberos.REALM, and then kerberos-1.REALM, etc - -Adding this information to DNS makes the client have less configuration -(in the common case, no configuration) and allows the system -administrator to change the number of KDCs and on what machines they -are running without caring about clients. - -The backside of using DNS that the client might be fooled to use the -wrong server if someone fakes DNS replies/data, but storing the IP -addresses of the KDC on all the clients makes it very hard to change -the infrastructure. - -Example of the configuration for the realm `EXAMPLE.COM', - - - $ORIGIN example.com. - _kerberos._tcp SRV 10 1 88 kerberos.example.com. - _kerberos._udp SRV 10 1 88 kerberos.example.com. - _kerberos._tcp SRV 10 1 88 kerberos-1.example.com. - _kerberos._udp SRV 10 1 88 kerberos-1.example.com. - _kpasswd._udp SRV 10 1 464 kerberos.example.com. - _kerberos-adm._tcp SRV 10 1 749 kerberos.example.com. - -More information about DNS SRV resource records can be found in -RFC-2782 (A DNS RR for specifying the location of services (DNS SRV)). 
- - -File: heimdal.info, Node: Things in search for a better place, Next: Kerberos 4 issues, Prev: Setting up a realm, Up: Top - -Things in search for a better place -*********************************** - -Making things work on Ciscos -============================ - -Modern versions of Cisco IOS has some support for authenticating via -Kerberos 5. This can be used both by having the router get a ticket when -you login (boring), and by using Kerberos authenticated telnet to access -your router (less boring). The following has been tested on IOS -11.2(12), things might be different with other versions. Old versions -are known to have bugs. - -To make this work, you will first have to configure your router to use -Kerberos (this is explained in the documentation). A sample -configuration looks like the following: - - aaa new-model - aaa authentication login default krb5-telnet krb5 enable - aaa authorization exec krb5-instance - kerberos local-realm FOO.SE - kerberos srvtab entry host/router.foo.se 0 891725446 4 1 8 012345678901234567 - kerberos server FOO.SE 10.0.0.1 - kerberos instance map admin 15 - -This tells you (among other things) that when logging in, the router -should try to authenticate with kerberised telnet, and if that fails try -to verify a plain text password via a Kerberos ticket exchange (as -opposed to a local database, RADIUS or something similar), and if that -fails try the local enable password. If you're not careful when you -specify the `login default' authentication mechanism, you might not be -able to login at all. The `instance map' and `authorization exec' lines -says that people with `admin' instances should be given `enabled' shells -when logging in. - -The numbers after the principal on the `srvtab' line are principal type, -time stamp (in seconds since 1970), key version number (4), keytype (1 -== des), key length (always 8 with des), and then the key. 
- -To make the Heimdal KDC produce tickets that the Cisco can decode you -might have to turn on the `encode_as_rep_as_tgs_rep' flag in the KDC. -You will also have to specify that the router can't handle anything but -`des-cbc-crc'. This can be done with the `del_enctype' command of -`kadmin'. - -This all fine and so, but unless you have an IOS version with encryption -(available only in the U.S) it doesn't really solve any problems. Sure -you don't have to send your password over the wire, but since the telnet -connection isn't protected it's still possible for someone to steal your -session. This won't be fixed until someone adds integrity to the telnet -protocol. - -A working solution would be to hook up a machine with a real operating -system to the console of the Cisco and then use it as a backwards -terminal server. - -Making things work on Transarc/OpenAFS AFS -========================================== - -How to get a KeyFile --------------------- - -`ktutil -k AFSKEYFILE:KeyFile get afs@MY.REALM' - -or you can extract it with kadmin - - kadmin> ext -k AFSKEYFILE:/usr/afs/etc/KeyFile afs@My.CELL.NAME - -You have to make sure you have a `des-cbc-md5' encryption type since -that is the key that will be converted. - -How to convert a srvtab to a KeyFile ------------------------------------- - -You need a `/usr/vice/etc/ThisCell' containing the cellname of you -AFS-cell. - -`ktutil copy krb4:/root/afs-srvtab AFSKEYFILE:/usr/afs/etc/KeyFile'. - -If keyfile already exists, this will add the new key in afs-srvtab to -KeyFile. - -Using 2b tokens with AFS -======================== - -What is 2b ? ------------- - -2b is the name of the proposal that was implemented to give basic -Kerberos 5 support to AFS in rxkad. Its not real Kerberos 5 support -since it still uses fcrypt for data encryption and not Kerberos -encryption types. 
- -Its only possible (in all cases) to do this for DES encryption types -because only then the token (the AFS equivalent of a ticket) will be be -smaller than the maximum size that can fit in the token cache in -OpenAFS/Transarc client. Its so tight fit that some extra wrapping on -the ASN1/DER encoding is removed from the Kerberos ticket. - -2b uses a Kerberos 5 EncTicketPart instead of a Kerberos 4 ditto for -the part of the ticket that is encrypted with the service's key. The -client doesn't know what's inside the encrypted data so to the client -it doesn't matter. - -To differentiate between Kerberos 4 tickets and Kerberos 5 tickets 2b -uses a special kvno, 213 for 2b tokens and 255 for Kerberos 5 tokens. - -Its a requirement that all AFS servers that support 2b also support -native Kerberos 5 in rxkad. - -Configuring Heimdal to use 2b tokens ------------------------------------- - -Support for 2b tokens are turned on for specific principals by adding -them to the string list option `[kdc]use_2b' in the kdc's `krb5.conf' -file. - - [kdc] - use_2b = { - afs@SU.SE = yes - afs/it.su.se@SU.SE = yes - } - -Configuring AFS clients ------------------------ - -There is no need to configure AFS clients. The only software that needs -to be installed/upgrade is a Kerberos 5 enabled `afslog'. - - -File: heimdal.info, Node: Kerberos 4 issues, Next: Windows 2000 compatability, Prev: Things in search for a better place, Up: Top - -Kerberos 4 issues -***************** - -If compiled with version 4 support, the KDC can serve requests from a -Kerberos 4 client. There are a few things you must do for this to work. - -The KDC will also have kaserver emulation and be able to handle -AFS-clients that use `klog'. 
- -* Menu: - -* Principal conversion issues:: -* Converting a version 4 database:: -* kaserver:: - - -File: heimdal.info, Node: Principal conversion issues, Next: Converting a version 4 database, Prev: Kerberos 4 issues, Up: Kerberos 4 issues - -Principal conversion issues -=========================== - -First, Kerberos 4 and Kerberos 5 principals are different. A version 4 -principal consists of a name, an instance, and a realm. A version 5 -principal has one or more components, and a realm (the terms "name" and -"instance" are still used, for the first and second component, -respectively). Also, in some cases the name of a version 4 principal -differs from the first component of the corresponding version 5 -principal. One notable example is the "host" type principals, where the -version 4 name is `rcmd' (for "remote command"), and the version 5 name -is `host'. For the class of principals that has a hostname as instance, -there is an other major difference, Kerberos 4 uses only the first -component of the hostname, whereas Kerberos 5 uses the fully qualified -hostname. - -Because of this it can be hard or impossible to correctly convert a -version 4 principal to a version 5 principal (1). The biggest problem is -to know if the conversion resulted in a valid principal. To give an -example, suppose you want to convert the principal `rcmd.foo'. - -The `rcmd' name suggests that the instance is a hostname (even if there -are exceptions to this rule). To correctly convert the instance `foo' -to a hostname, you have to know which host it is referring to. You can -to this by either guessing (from the realm) which domain name to -append, or you have to have a list of possible hostnames. In the -simplest cases you can cover most principals with the first rule. If you -have several domains sharing a single realm this will not usually work. -If the exceptions are few you can probably come by with a lookup table -for the exceptions. 
- -In a complex scenario you will need some kind of host lookup mechanism. -Using DNS for this is tempting, but DNS is error prone, slow and unsafe -(2). - -Fortunately, the KDC has a trump on hand: it can easily tell if a -principal exists in the database. The KDC will use -`krb5_425_conv_principal_ext' to convert principals when handling to -version 4 requests. - ----------- Footnotes ---------- - -(1) the other way is not always trivial either, but usually easier - -(2) at least until secure DNS is commonly available - - -File: heimdal.info, Node: Converting a version 4 database, Next: kaserver, Prev: Principal conversion issues, Up: Kerberos 4 issues - -Converting a version 4 database -=============================== - -If you want to convert an existing version 4 database, the principal -conversion issue arises too. - -If you decide to convert your database once and for all, you will only -have to do this conversion once. It is also possible to run a version 5 -KDC as a slave to a version 4 KDC. In this case this conversion will -happen every time the database is propagated. When doing this -conversion, there are a few things to look out for. If you have stale -entries in the database, these entries will not be converted. This might -be because these principals are not used anymore, or it might be just -because the principal couldn't be converted. - -You might also see problems with a many-to-one mapping of principals. -For instance, if you are using DNS lookups and you have two principals -`rcmd.foo' and `rcmd.bar', where `foo' is a CNAME for `bar', the -resulting principals will be the same. Since the conversion function -can't tell which is correct, these conflicts will have to be resolved -manually. 
- -Conversion example ------------------- - -Given the following set of hosts and services: - - foo.se rcmd - mail.foo.se rcmd, pop - ftp.bar.se rcmd, ftp - -you have a database that consists of the following principals: - -`rcmd.foo', `rcmd.mail', `pop.mail', `rcmd.ftp', and `ftp.ftp'. - -lets say you also got these extra principals: `rcmd.gone', -`rcmd.old-mail', where `gone.foo.se' was a machine that has now passed -away, and `old-mail.foo.se' was an old mail machine that is now a CNAME -for `mail.foo.se'. - -When you convert this database you want the following conversions to be -done: - rcmd.foo host/foo.se - rcmd.mail host/mail.foo.se - pop.mail pop/mail.foo.se - rcmd.ftp host/ftp.bar.se - ftp.ftp ftp/ftp.bar.se - rcmd.gone removed - rcmd.old-mail removed - -A `krb5.conf' that does this looks like: - - [realms] - FOO.SE = { - v4_name_convert = { - host = { - ftp = ftp - pop = pop - rcmd = host - } - } - v4_instance_convert = { - foo = foo.se - ftp = ftp.bar.se - } - default_domain = foo.se - } - -The `v4_name_convert' section says which names should be considered -having an instance consisting of a hostname, and it also says how the -names should be converted (for instance `rcmd' should be converted to -`host'). The `v4_instance_convert' section says how a hostname should -be qualified (this is just a hosts-file in disguise). Host-instances -that aren't covered by `v4_instance_convert' are qualified by appending -the contents of the `default_domain'. - -Actually, this example doesn't work. Or rather, it works to well. Since -it has no way of knowing which hostnames are valid and which are not, it -will happily convert `rcmd.gone' to `host/gone.foo.se'. This isn't a -big problem, but if you have run your kerberos realm for a few years, -chances are big that you have quite a few `junk' principals. 
- -If you don't want this you can remove the `default_domain' statement, -but then you will have to add entries for *all* your hosts in the -`v4_instance_convert' section. - -Instead of doing this you can use DNS to convert instances. This is not -a solution without problems, but it is probably easier than adding lots -of static host entries. - -To enable DNS lookup you should turn on `v4_instance_resolve' in the -`[libdefaults]' section. - -Converting a database ---------------------- - -The database conversion is done with `hprop'. You can run this command -to propagate the database to the machine called `slave-server' (which -should be running a `hpropd'). - - hprop --source=krb4-db --master-key=/.m slave-server - -This command can also be to use for converting the v4 database on the -server: - - hprop -n --source=krb4-db -d /var/kerberos/principal --master-key=/.m | hpropd -n - -Version 4 Kadmin -================ - -`kadmind' can act as a version 4 kadmind, and you can do most -operations, but with some restrictions (since the version 4 kadmin -protocol is, lets say, very ad hoc.) One example is that it only passes -des keys when creating principals and changing passwords (modern kpasswd -clients do send the password, so it's possible to to password quality -checks). Because of this you can only create principals with des keys, -and you can't set any flags or do any other fancy stuff. - -To get this to work, you have to add another entry to inetd (since -version 4 uses port 751, not 749). - -*And then there are a many more things you can do; more on this in a -later version of this manual. Until then, UTSL.* - diff --git a/crypto/heimdal-0.6.3/doc/heimdal.info-2 b/crypto/heimdal-0.6.3/doc/heimdal.info-2 deleted file mode 100644 index 42d7466fd8..0000000000 --- a/crypto/heimdal-0.6.3/doc/heimdal.info-2 +++ /dev/null 
@@ -1,756 +0,0 @@ -This is Info file heimdal.info, produced by Makeinfo version 1.68 from -the input file heimdal.texi. - -INFO-DIR-SECTION Heimdal -START-INFO-DIR-ENTRY -* Heimdal: (heimdal). The Kerberos 5 distribution from KTH -END-INFO-DIR-ENTRY - - -File: heimdal.info, Node: kaserver, Prev: Converting a version 4 database, Up: Kerberos 4 issues - -kaserver -======== - -kaserver emulation ------------------- - -The Heimdal kdc can emulate a kaserver. The kaserver is a Kerberos 4 -server with pre-authentication using Rx as the on-wire protocol. The kdc -contains a minimalistic Rx implementation. - -There are three parts of the kaserver; KAA (Authentication), KAT (Ticket -Granting), and KAM (Maintenance). The KAA interface and KAT interface -both passes over DES encrypted data-blobs (just like the -Kerberos-protocol) and thus do not need any other protection. The KAM -interface uses `rxkad' (Kerberos authentication layer for Rx) for -security and data protection, and is used for example for changing -passwords. This part is not implemented in the kdc. - -Another difference between the ka-protocol and the Kerberos 4 protocol -is that the pass-phrase is salted with the cellname in the `string to -key' function in the ka-protocol, while in the Kerberos 4 protocol there -is no salting of the password at all. To make sure AFS-compatible keys -are added to each principals when they are created or their password are -changed, `afs3-salt' should be added to `[kadmin]default_keys'. - -Transarc AFS Windows client ---------------------------- - -The Transarc Windows client uses Kerberos 4 to obtain tokens, and thus -does not need a kaserver. The Windows client assumes that the Kerberos -server is on the same machine as the AFS-database server. If you do not -like to do that you can add a small program that runs on the database -servers that forward all kerberos requests to the real kerberos server. 
-A program that does this is `krb-forward' -(`ftp://ftp.stacken.kth.se/pub/projekts/krb-forward'). - - -File: heimdal.info, Node: Windows 2000 compatability, Next: Programming with Kerberos, Prev: Kerberos 4 issues, Up: Top - -Windows 2000 compatability -************************** - -Windows 2000 (formerly known as Windows NT 5) from Microsoft implements -Kerberos 5. Their implementation, however, has some quirks, -peculiarities, and bugs. This chapter is a short summary of the things -that we have found out while trying to test Heimdal against Windows -2000. Another big problem with the Kerberos implementation in Windows -2000 is that the available documentation is more focused on getting -things to work rather than how they work and not that useful in figuring -out how things really work. - -This information should apply to Heimdal 0.3a and Windows 2000 -Professional. It's of course subject all the time and mostly consists -of our not so inspired guesses. Hopefully it's still somewhat useful. - -* Menu: - -* Configuring Windows 2000 to use a Heimdal KDC:: -* Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC:: -* Create account mappings:: -* Encryption types:: -* Authorization data:: -* Quirks of Windows 2000 KDC:: -* Useful links when reading about the Windows 2000:: - - -File: heimdal.info, Node: Configuring Windows 2000 to use a Heimdal KDC, Next: Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Prev: Windows 2000 compatability, Up: Windows 2000 compatability - -Configuring Windows 2000 to use a Heimdal KDC -============================================= - -You need the command line program called `ksetup.exe' which is available -in the file `SUPPORT/TOOLS/SUPPORT.CAB' on the Windows 2000 Professional -CD-ROM. This program is used to configure the Kerberos settings on a -Workstation. - -`Ksetup' store the domain information under the registry key: -`HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\Kerberos\Domains'. 
- -Use the kadmin program in Heimdal to create a host principal in the -Kerberos realm. - - unix% kadmin - kadmin> ank -pw password host/datan.my.domain - -You must configure the Workstation as a member of a workgroup, as -opposed to a member in an NT domain, and specify the KDC server of the -realm as follows: - C:> ksetup /setdomain MY.REALM - C:> ksetup /addkdc MY.REALM kdc.my.domain - -Set the machine password, i.e. create the local keytab: - C:> ksetup /setmachpassword password - -The workstation must now be rebooted. - -A mapping between local NT users and Kerberos principals must be -specified, you have two choices: - - C:> ksetup /mapuser user@MY.REALM nt_user - -This will map a user to a specific principal, this allows you to have -other usernames in the realm than in your NT user database. (Don't ask -me why on earth you would want that...) - -You can also say: - C:> ksetup /mapuser * * -The Windows machine will now map any user to the corresponding -principal, for example `nisse' to the principal `nisse@MY.REALM'. -(This is most likely what you want.) - - -File: heimdal.info, Node: Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Next: Create account mappings, Prev: Configuring Windows 2000 to use a Heimdal KDC, Up: Windows 2000 compatability - -Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC -=============================================================== - -See also the Step-by-Step guide from Microsoft, referenced below. - -Install Windows 2000, and create a new controller (Active Directory -Server) for the domain. - -By default the trust will be non-transitive. This means that only users -directly from the trusted domain may authenticate. This can be changed -to transitive by using the `netdom.exe' tool. - -You need to tell Windows 2000 on what hosts to find the KDCs for the -non-Windows realm with `ksetup', see *Note Configuring Windows 2000 to -use a Heimdal KDC::. 
- -This need to be done on all computers that want enable cross-realm -login with `Mapped Names'. - -Then you need to add the inter-realm keys on the Windows kdc. Start the -Domain Tree Management tool. (Found in Programs, Administrative tools, -Active Directory Domains and Trusts). - -Right click on Properties of your domain, select the Trust tab. Press -Add on the appropriate trust windows and enter domain name and -password. When prompted if this is a non-Windows Kerberos realm, press -OK. - -Do not forget to add trusts in both directions. - -You also need to add the inter-realm keys to the Heimdal KDC. There are -some tweaks that you need to do to `krb5.conf' beforehand. - - [libdefaults] - default_etypes = des-cbc-crc - default_etypes_des = des-cbc-crc - -since otherwise checksum types that are not understood by Windows 2000 -will be generated (*Note Quirks of Windows 2000 KDC::.). - -Another issue is salting. Since Windows 2000 does not seem to -understand Kerberos 4 salted hashes you might need to turn off anything -similar to the following if you have it, at least while adding the -principals that are going to share keys with Windows 2000. - - [kadmin]default_keys = v5 v4 - -You must also set: - -Once that is also done, you can add the required inter-realm keys: - - kadmin add krbtgt/NT.REALM.EXAMPLE.COM@EXAMPLE.COM - kadmin add krbtgt/REALM.EXAMPLE.COM@NT.EXAMPLE.COM - -Use the same passwords for both keys. - -Do not forget to reboot before trying the new realm-trust (after running -`ksetup'). It looks like it might work, but packets are never sent to -the non-Windows KDC. - - -File: heimdal.info, Node: Create account mappings, Next: Encryption types, Prev: Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Up: Windows 2000 compatability - -Create account mappings -======================= - -Start the `Active Directory Users and Computers' tool. 
Select the View -menu, that is in the left corner just below the real menu (or press -Alt-V), and select Advanced Features. Right click on the user that you -are going to do a name mapping for and choose Name mapping. - -Click on the Kerberos Names tab and add a new principal from the -non-Windows domain. - - -File: heimdal.info, Node: Encryption types, Next: Authorization data, Prev: Create account mappings, Up: Windows 2000 compatability - -Encryption types -================ - -Windows 2000 supports both the standard DES encryptions (des-cbc-crc and -des-cbc-md5) and its own proprietary encryption that is based on MD4 and -rc4 that is documented in and is supposed to be described in -`draft-brezak-win2k-krb-rc4-hmac-03.txt'. New users will get both MD4 -and DES keys. Users that are converted from a NT4 database, will only -have MD4 passwords and will need a password change to get a DES key. - -Heimdal implements both of these encryption types, but since DES is the -standard and the hmac-code is somewhat newer, it is likely to work -better. - - -File: heimdal.info, Node: Authorization data, Next: Quirks of Windows 2000 KDC, Prev: Encryption types, Up: Windows 2000 compatability - -Authorization data -================== - -The Windows 2000 KDC also adds extra authorization data in tickets. It -is at this point unclear what triggers it to do this. The format of -this data is only available under a "secret" license from Microsoft, -which prohibits you implementing it. - -A simple way of getting hold of the data to be able to understand it -better is described here. - - 1. Find the client example on using the SSPI in the SDK documentation. - - 2. Change "AuthSamp" in the source code to lowercase. - - 3. Build the program. - - 4. Add the "authsamp" principal with a known password to the - database. Make sure it has a DES key. - - 5. Run `ktutil add' to add the key for that principal to a keytab. - - 6. 
Run `appl/test/nt_gss_server -p 2000 -s authsamp --dump-auth=file' - where file is an appropriate file. - - 7. It should authenticate and dump for you the authorization data in - the file. - - 8. The tool `lib/asn1/asn1_print' is somewhat useful for analyzing - the data. - - -File: heimdal.info, Node: Quirks of Windows 2000 KDC, Next: Useful links when reading about the Windows 2000, Prev: Authorization data, Up: Windows 2000 compatability - -Quirks of Windows 2000 KDC -========================== - -There are some issues with salts and Windows 2000. Using an empty salt, -which is the only one that Kerberos 4 supported and is therefore known -as a Kerberos 4 compatible salt does not work, as far as we can tell -from out experiments and users reports. Therefore, you have to make -sure you keep around keys with all the different types of salts that are -required. - -Microsoft seems also to have forgotten to implement the checksum -algorithms `rsa-md4-des' and `rsa-md5-des'. This can make Name mapping -(*note Create account mappings::.) fail if a `des-cbc-md5' key is used. -To make the KDC return only `des-cbc-crc' you must delete the -`des-cbc-md5' key from the kdc using the `kadmin del_enctype' command. - - kadmin del_enctype lha des-cbc-md5 - -You should also add the following entries to the `krb5.conf' file: - - [libdefaults] - default_etypes = des-cbc-crc - default_etypes_des = des-cbc-crc - -These configuration options will make sure that no checksums of the -unsupported types are generated. - - -File: heimdal.info, Node: Useful links when reading about the Windows 2000, Prev: Quirks of Windows 2000 KDC, Up: Windows 2000 compatability - -Useful links when reading about the Windows 2000 -================================================ - -See also our paper presented at the 2001 usenix Annual Technical -Conference, available in the proceedings or at -`http://www.usenix.org/publications/library/proceedings/usenix01/freenix01/westerlund.html'. 
- -There are lots of text about Kerberos on Microsoft's web site, here is a -short list of the interesting documents that we have managed to find. - - * Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability - - - - - - - - - - - - - `http://www.microsoft.com/windows2000/library/planning/security/kerbsteps.asp' - Kerberos GSS-API (in Windows-ize SSPI), Windows as a client in a - non-Windows KDC realm, adding unix clients to a Windows 2000 KDC, - and adding cross-realm trust (*Note Inter-Realm keys (trust) - between Windows 2000 and a Heimdal KDC::.). - - * Windows 2000 Kerberos Authentication - - - - - - - - `http://www.microsoft.com/TechNet/win2000/win2ksrv/technote/kerberos.asp' - White paper that describes how Kerberos is used in Windows 2000. - - * Overview of kerberos - - `http://support.microsoft.com/support/kb/articles/Q248/7/58.ASP' - Links to useful other links. - - * Klist for windows - - - - - `http://msdn.microsoft.com/library/periodic/period00/security0500.htm' - Describes where to get a klist for Windows 2000. - - * Event logging for kerberos - - `http://support.microsoft.com/support/kb/articles/Q262/1/77.ASP'. - Basicly it say that you can add a registry key - - - - - - - - - - - - - - - - - - - - `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\LogLevel' - with value DWORD equal to 1, and then you'll get logging in the - Event Logger. - - * Access to the active directory through LDAP - `http://msdn.microsoft.com/library/techart/kerberossamp.htm' - -Other useful programs include these: - - * pwdump2 `http://www.webspan.net/~tas/pwdump2/' - - -File: heimdal.info, Node: Programming with Kerberos, Next: Migration, Prev: Windows 2000 compatability, Up: Top - -Programming with Kerberos -************************* - -First you need to know how the Kerberos model works, go read the -introduction text (*note What is Kerberos?::.). 
- -* Menu: - -* Kerberos 5 API Overview:: -* Walkthru a sample Kerberos 5 client:: -* Validating a password in a server application:: - - -File: heimdal.info, Node: Kerberos 5 API Overview, Next: Walkthru a sample Kerberos 5 client, Prev: Programming with Kerberos, Up: Programming with Kerberos - -Kerberos 5 API Overview -======================= - -Most functions are documenteded in manual pages. This overview only -tries to point to where to look for a specific function. - -Kerberos context ----------------- - -A kerberos context (`krb5_context') holds all per thread state. All -global variables that are context specific are stored in this struture, -including default encryption types, credential-cache (ticket file), and -default realms. - -See the manual pages for `krb5_context(3)' and `krb5_init_context(3)'. - -Kerberos authenication context ------------------------------- - -Kerberos authentication context (`krb5_auth_context') holds all context -related to an authenticated connection, in a similar way to the -kerberos context that holds the context for the thread or process. - -The `krb5_auth_context' is used by various functions that are directly -related to authentication between the server/client. Example of data -that this structure contains are various flags, addresses of client and -server, port numbers, keyblocks (and subkeys), sequence numbers, replay -cache, and checksum types. - -See the manual page for `krb5_auth_context(3)'. - -Keytab management ------------------ - -A keytab is a storage for locally stored keys. Heimdal includes keytab -support for Kerberos 5 keytabs, Kerberos 4 srvtab, AFS-KeyFile's, and -for storing keys in memory. 
- -See also manual page for `krb5_keytab(3)' - - -File: heimdal.info, Node: Walkthru a sample Kerberos 5 client, Next: Validating a password in a server application, Prev: Kerberos 5 API Overview, Up: Programming with Kerberos - -Walkthru a sample Kerberos 5 client -=================================== - -This example contains parts of a sample TCP Kerberos 5 clients, if you -want a real working client, please look in `appl/test' directory in the -Heimdal distribution. - -All Kerberos error-codes that are returned from kerberos functions in -this program are passed to `krb5_err', that will print a descriptive -text of the error code and exit. Graphical programs can convert -error-code to a humal readable error-string with the -`krb5_get_err_text(3)' function. - -Note that you should not use any Kerberos function before -`krb5_init_context()' have completed successfully. That is the reson -`err()' is used when `krb5_init_context()' fails. - -First the client needs to call `krb5_init_context' to initialize the -Kerberos 5 library. This is only needed once per thread in the program. -If the function returns a non-zero value it indicates that either the -Kerberos implemtation is failing or its disabled on this host. - - #include - - int - main(int argc, char **argv) - { - krb5_context context; - - if (krb5_context(&context)) - errx (1, "krb5_context"); - -Now the client wants to connect to the host at the other end. The -preferred way of doing this is using `getaddrinfo(3)' (for operating -system that have this function implemented), since getaddrinfo is -neutral to the address type and can use any protocol that is available. 
- - struct addrinfo *ai, *a; - struct addrinfo hints; - int error; - - memset (&hints, 0, sizeof(hints)); - hints.ai_socktype = SOCK_STREAM; - hints.ai_protocol = IPPROTO_TCP; - - error = getaddrinfo (hostname, "pop3", &hints, &ai); - if (error) - errx (1, "%s: %s", hostname, gai_strerror(error)); - - for (a = ai; a != NULL; a = a->ai_next) { - int s; - - s = socket (a->ai_family, a->ai_socktype, a->ai_protocol); - if (s < 0) - continue; - if (connect (s, a->ai_addr, a->ai_addrlen) < 0) { - warn ("connect(%s)", hostname); - close (s); - continue; - } - freeaddrinfo (ai); - ai = NULL; - } - if (ai) { - freeaddrinfo (ai); - errx ("failed to contact %s", hostname); - } - -Before authenticating, an authentication context needs to be created. -This context keeps all information for one (to be) authenticated -connection (see `krb5_auth_context(3)'). - - status = krb5_auth_con_init (context, &auth_context); - if (status) - krb5_err (context, 1, status, "krb5_auth_con_init"); - -For setting the address in the authentication there is a help function -`krb5_auth_con_setaddrs_from_fd' that does everthing that is needed -when given a connected file descriptor to the socket. - - status = krb5_auth_con_setaddrs_from_fd (context, - auth_context, - &sock); - if (status) - krb5_err (context, 1, status, - "krb5_auth_con_setaddrs_from_fd"); - -The next step is to build a server principal for the service we want to -connect to. (See also `krb5_sname_to_principal(3)'.) - - status = krb5_sname_to_principal (context, - hostname, - service, - KRB5_NT_SRV_HST, - &server); - if (status) - krb5_err (context, 1, status, "krb5_sname_to_principal"); - -The client principal is not passed to `krb5_sendauth(3)' function, this -causes the `krb5_sendauth' function to try to figure it out itself. - -The server program is using the function `krb5_recvauth(3)' to receive -the Kerberos 5 authenticator. - -In this case, mutual authenication will be tried. 
That means that the -server will authenticate to the client. Using mutual authenication is -good since it enables the user to verify that they are talking to the -right server (a server that knows the key). - -If you are using a non-blocking socket you will need to do all work of -`krb5_sendauth' yourself. Basically you need to send over the -authenticator from `krb5_mk_req(3)' and, in case of mutual -authentication, verifying the result from the server with -`krb5_rd_rep(3)'. - - status = krb5_sendauth (context, - &auth_context, - &sock, - VERSION, - NULL, - server, - AP_OPTS_MUTUAL_REQUIRED, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL); - if (status) - krb5_err (context, 1, status, "krb5_sendauth"); - -Once authentication has been performed, it is time to send some data. -First we create a krb5_data structure, then we sign it with -`krb5_mk_safe(3)' using the `auth_context' that contains the -session-key that was exchanged in the -`krb5_sendauth(3)'/`krb5_recvauth(3)' authentication sequence. - - data.data = "hej"; - data.length = 3; - - krb5_data_zero (&packet); - - status = krb5_mk_safe (context, - auth_context, - &data, - &packet, - NULL); - if (status) - krb5_err (context, 1, status, "krb5_mk_safe"); - -And send it over the network. - - len = packet.length; - net_len = htonl(len); - - if (krb5_net_write (context, &sock, &net_len, 4) != 4) - err (1, "krb5_net_write"); - if (krb5_net_write (context, &sock, packet.data, len) != len) - err (1, "krb5_net_write"); - -To send encrypted (and signed) data `krb5_mk_priv(3)' should be used -instead. `krb5_mk_priv(3)' works the same way as `krb5_mk_safe(3)', -with the exception that it encrypts the data in addition to signing it. - - data.data = "hemligt"; - data.length = 7; - - krb5_data_free (&packet); - - status = krb5_mk_priv (context, - auth_context, - &data, - &packet, - NULL); - if (status) - krb5_err (context, 1, status, "krb5_mk_priv"); - -And send it over the network. 
- - len = packet.length; - net_len = htonl(len); - - if (krb5_net_write (context, &sock, &net_len, 4) != 4) - err (1, "krb5_net_write"); - if (krb5_net_write (context, &sock, packet.data, len) != len) - err (1, "krb5_net_write"); - -The server is using `krb5_rd_safe(3)' and `krb5_rd_priv(3)' to verify -the signature and decrypt the packet. - - -File: heimdal.info, Node: Validating a password in a server application, Prev: Walkthru a sample Kerberos 5 client, Up: Programming with Kerberos - -Validating a password in an application -======================================= - -See the manual page for `krb5_verify_user(3)'. - - -File: heimdal.info, Node: Migration, Next: Acknowledgments, Prev: Programming with Kerberos, Up: Top - -Migration -********* - -General issues -============== - -When migrating from a Kerberos 4 KDC. - -Order in what to do things: -=========================== - - * Convert the database, check all principals that hprop complains - about. - - `hprop -n --source=| hpropd -n' - - Replace with whatever source you have, like krb4-db or - krb4-dump. - - * Run a Kerberos 5 slave for a while. - - * Figure out if it does everything you want it to. - - Make sure that all things that you use works for you. - - * Let a small number of controlled users use Kerberos 5 tools. - - Find a sample population of your users and check what programs - they use, you can also check the kdc-log to check what ticket are - checked out. - - * Burn the bridge and change the master. - - * Let all users use the Kerberos 5 tools by default. - - * Turn off services that do not need Kerberos 4 authentication. - - Things that might be hard to get away is old programs with support - for Kerberos 4. Example applications are old Eudora installations - using KPOP, and Zephyr. Eudora can use the Kerberos 4 kerberos in - the Heimdal kdc. - - -File: heimdal.info, Node: Acknowledgments, Prev: Migration, Up: Top - -Acknowledgments -*************** - -Eric Young wrote "libdes". 
- -The University of California at Berkeley initially wrote `telnet', and -`telnetd'. The authentication and encryption code of `telnet' and -`telnetd' was added by David Borman (then of Cray Research, Inc). The -encryption code was removed when this was exported and then added back -by Juha Eskelinen, . - -The `popper' was also a Berkeley program initially. - -Some of the functions in `libroken' also come from Berkeley by way of -NetBSD/FreeBSD. - -`editline' was written by Simmule Turner and Rich Salz. - -The `getifaddrs' implementation for Linux was written by Hideaki -YOSHIFUJI for the Usagi project. - -Bugfixes, documentation, encouragement, and code has been contributed -by: -Derrick J Brashear - - -Ken Hornstein - - -Johan Ihrén - - -Love Hörnquist-Åstrand - - -Magnus Ahltorp - - -Mark Eichin - - -Marc Horowitz - - -Luke Howard - - -Brandon S. Allbery KF8NH - - -Jun-ichiro itojun Hagino - - -Daniel Kouril - - -Åke Sandgren - - -Michal Vocu - - -Miroslav Ruda - - -Brian A May - - -Chaskiel M Grundman - - -Richard Nyberg - - -Frank van der Linden - - -Cizzi Storm - - -and we hope that those not mentioned here will forgive us. -All bugs were introduced by ourselves. - - diff --git a/crypto/heimdal-0.6.3/doc/heimdal.texi b/crypto/heimdal-0.6.3/doc/heimdal.texi deleted file mode 100644 index 6bc92a92eb..0000000000 --- a/crypto/heimdal-0.6.3/doc/heimdal.texi +++ /dev/null 
@@ -1,250 +0,0 @@ -\input texinfo @c -*- texinfo -*- -@c %**start of header -@c $Id: heimdal.texi,v 1.17 2001/02/24 05:09:24 assar Exp $ -@setfilename heimdal.info -@settitle HEIMDAL -@iftex -@afourpaper -@end iftex -@c some sensible characters, please? -@tex -\input latin1.tex -@end tex -@setchapternewpage on -@syncodeindex pg cp -@c %**end of header - -@c not yet @include version.texi -@set UPDATED $Date: 2001/02/24 05:09:24 $ -@set EDITION 0.1 -@set VERSION 0.3a - -@ifinfo -@dircategory Heimdal -@direntry -* Heimdal: (heimdal). The Kerberos 5 distribution from KTH -@end direntry -@end ifinfo - -@c title page -@titlepage -@title Heimdal -@subtitle Kerberos 5 from KTH -@subtitle Edition @value{EDITION}, for version @value{VERSION} -@subtitle 1999 -@author Johan Danielsson -@author Assar Westerlund -@author last updated @value{UPDATED} - -@def@copynext{@vskip 20pt plus 1fil@penalty-1000} -@def@copyrightstart{} -@def@copyrightend{} -@page -@copyrightstart -Copyright (c) 1997-2000 Kungliga Tekniska Högskolan -(Royal Institute of Technology, Stockholm, Sweden). -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions -are met: - -1. Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. - -2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - -3. Neither the name of the Institute nor the names of its contributors - may be used to endorse or promote products derived from this software - without specific prior written permission. 
- -THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -SUCH DAMAGE. - -@copynext - -Copyright (C) 1995-1997 Eric Young (eay@@mincom.oz.au) -All rights reserved. - -This package is an DES implementation written by Eric Young (eay@@mincom.oz.au). -The implementation was written so as to conform with MIT's libdes. - -This library is free for commercial and non-commercial use as long as -the following conditions are aheared to. The following conditions -apply to all code found in this distribution. - -Copyright remains Eric Young's, and as such any Copyright notices in -the code are not to be removed. -If this package is used in a product, Eric Young should be given attribution -as the author of that the SSL library. This can be in the form of a textual -message at program startup or in documentation (online or textual) provided -with the package. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions -are met: - -1. Redistributions of source code must retain the copyright - notice, this list of conditions and the following disclaimer. - -2. 
Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - -3. All advertising materials mentioning features or use of this software - must display the following acknowledgement: - This product includes software developed by Eric Young (eay@@mincom.oz.au) - -THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -SUCH DAMAGE. - -@copynext - -Copyright (C) 1990 by the Massachusetts Institute of Technology - -Export of this software from the United States of America may -require a specific license from the United States Government. -It is the responsibility of any person or organization contemplating -export to obtain such a license before exporting. - -WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -distribute this software and its documentation for any purpose and -without fee is hereby granted, provided that the above copyright -notice appear in all copies and that both that copyright notice and -this permission notice appear in supporting documentation, and that -the name of M.I.T. not be used in advertising or publicity pertaining -to distribution of the software without specific, written prior -permission. M.I.T. 
makes no representations about the suitability of -this software for any purpose. It is provided "as is" without express -or implied warranty. - -@copynext - -Copyright (c) 1988, 1990, 1993 - The Regents of the University of California. All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions -are met: - -1. Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. - -2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - -3. All advertising materials mentioning features or use of this software - must display the following acknowledgement: - This product includes software developed by the University of - California, Berkeley and its contributors. - -4. Neither the name of the University nor the names of its contributors - may be used to endorse or promote products derived from this software - without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -SUCH DAMAGE. - -@copynext - -Copyright 1992 Simmule Turner and Rich Salz. 
All rights reserved. - -This software is not subject to any license of the American Telephone -and Telegraph Company or of the Regents of the University of California. - -Permission is granted to anyone to use this software for any purpose on -any computer system, and to alter it and redistribute it freely, subject -to the following restrictions: - -1. The authors are not responsible for the consequences of use of this - software, no matter how awful, even if they arise from flaws in it. - -2. The origin of this software must not be misrepresented, either by - explicit claim or by omission. Since few users ever read sources, - credits must appear in the documentation. - -3. Altered versions must be plainly marked as such, and must not be - misrepresented as being the original software. Since few users - ever read sources, credits must appear in the documentation. - -4. This notice may not be removed or altered. - -@copyrightend -@end titlepage - -@c Less filling! Tastes great! -@iftex -@parindent=0pt -@global@parskip 6pt plus 1pt -@global@chapheadingskip = 15pt plus 4pt minus 2pt -@global@secheadingskip = 12pt plus 3pt minus 2pt -@global@subsecheadingskip = 9pt plus 2pt minus 2pt -@end iftex -@ifinfo -@paragraphindent 0 -@end ifinfo - -@ifinfo -@node Top, Introduction, (dir), (dir) -@top Heimdal -@end ifinfo - -@menu -* Introduction:: -* What is Kerberos?:: -* Building and Installing:: -* Setting up a realm:: -* Things in search for a better place:: -* Kerberos 4 issues:: -* Windows 2000 compatability:: -* Programming with Kerberos:: -* Migration:: -* Acknowledgments:: - -@end menu - -@include intro.texi -@include whatis.texi -@include install.texi -@include setup.texi -@include misc.texi -@include kerberos4.texi -@include win2k.texi -@include programming.texi -@include migration.texi -@include ack.texi - -@c @shortcontents -@contents - -@bye 
diff --git a/crypto/heimdal-0.6.3/doc/init-creds b/crypto/heimdal-0.6.3/doc/init-creds
deleted file mode 100644
index 13667e0434..0000000000
--- a/crypto/heimdal-0.6.3/doc/init-creds
+++ /dev/null
@@ -1,374 +0,0 @@ -Currently, getting an initial ticket for a user involves many function -calls, especially when a full set of features including password -expiration and challenge preauthentication is desired. In order to -solve this problem, a new api is proposed. - -typedef struct _krb5_prompt { - char *prompt; - int hidden; - krb5_data *reply; -} krb5_prompt; - -typedef int (*krb5_prompter_fct)(krb5_context context, - void *data, - const char *banner, - int num_prompts, - krb5_prompt prompts[]); - -typedef struct _krb5_get_init_creds_opt { - krb5_flags flags; - krb5_deltat tkt_life; - krb5_deltat renew_life; - int forwardable; - int proxiable; - krb5_enctype *etype_list; - int etype_list_length; - krb5_address **address_list; - /* XXX the next three should not be used, as they may be - removed later */ - krb5_preauthtype *preauth_list; - int preauth_list_length; - krb5_data *salt; -} krb5_get_init_creds_opt; - -#define KRB5_GET_INIT_CREDS_OPT_TKT_LIFE 0x0001 -#define KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE 0x0002 -#define KRB5_GET_INIT_CREDS_OPT_FORWARDABLE 0x0004 -#define KRB5_GET_INIT_CREDS_OPT_PROXIABLE 0x0008 -#define KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST 0x0010 -#define KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST 0x0020 -#define KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST 0x0040 -#define KRB5_GET_INIT_CREDS_OPT_SALT 0x0080 - -void krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt); - -void krb5_get_init_creds_opt_set_tkt_life(krb5_get_init_creds_opt *opt, - krb5_deltat tkt_life); -void krb5_get_init_creds_opt_set_renew_life(krb5_get_init_creds_opt *opt, - krb5_deltat renew_life); -void krb5_get_init_creds_opt_set_forwardable(krb5_get_init_creds_opt *opt, - int forwardable); -void krb5_get_init_creds_opt_set_proxiable(krb5_get_init_creds_opt *opt, - int proxiable); -void krb5_get_init_creds_opt_set_etype_list(krb5_get_init_creds_opt *opt, - krb5_enctype *etype_list, - int etype_list_length); -void krb5_get_init_creds_opt_set_address_list(krb5_get_init_creds_opt *opt, - 
krb5_address **addresses); -void krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt *opt, - krb5_preauthtype *preauth_list, - int preauth_list_length); -void krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt, - krb5_data *salt); - -krb5_error_code -krb5_get_init_creds_password(krb5_context context, - krb5_creds *creds, - krb5_principal client, - char *password, - krb5_prompter_fct prompter, - void *data, - krb5_deltat start_time, - char *in_tkt_service, - krb5_get_init_creds_opt *options); - -This function will attempt to acquire an initial ticket. The function -will perform whatever tasks are necessary to do so. This may include -changing an expired password, preauthentication. - -The arguments divide into two types. Some arguments are basically -invariant and arbitrary across all initial tickets, and if not -specified are determined by configuration or library defaults. Some -arguments are different for each execution or application, and if not -specified can be determined correctly from system configuration or -environment. The former arguments are contained in a structure whose -pointer is passed to the function. A bitmask specifies which elements -of the structure should be used. In most cases, a NULL pointer can be -used. The latter arguments are specified as individual arguments to -the function. - -If a pointer to a credential is specified, the initial credential is -filled in. If the caller only wishes to do a simple password check -and will not be doing any other kerberos functions, then a NULL -pointer may be specified, and the credential will be destroyed. - -If the client name is non-NULL, the initial ticket requested will be -for that principal. Otherwise, the principal will be the the username -specified by the USER environment variable, or if the USER environment -variable is not set, the username corresponding to the real user id of -the caller. - -If the password is non-NULL, then this string is used as the password. 
-Otherwise, the prompter function will be used to prompt the user for -the password. - -If a prompter function is non-NULL, it will be used if additional user -input is required, such as if the user's password has expired and -needs to be changed, or if input preauthentication is necessary. If -no function is specified and input is required, then the login will -fail. - - The context argument is the same as that passed to krb5_login. - The data argument is passed unmodified to the prompter - function and is intended to be used to pass application data - (such as a display handle) to the prompter function. - - The banner argument, if non-NULL, will indicate what sort of - input is expected from the user (for example, "Password has - expired and must be changed" or "Enter Activcard response for - challenge 012345678"), and should be displayed accordingly. - - The num_prompts argument indicates the number of values which - should be prompted for. If num_prompts == 0, then the banner - contains an informational message which should be displayed to - the user. - - The prompts argument contains an array describing the values - for which the user should be prompted. The prompt member - indicates the prompt for each value ("Enter new - password"/"Enter it again", or "Challenge response"). The - hidden member is nonzero if the response should not be - displayed back to the user. The reply member is a pointer to - krb5_data structure which has already been allocated. The - prompter should fill in the structure with the NUL-terminated - response from the user. - - If the response data does not fit, or if any other error - occurs, then the prompter function should return a non-zero - value which will be returned by the krb5_get_init_creds - function. Otherwise, zero should be returned. - - The library function krb5_prompter_posix() implements - a prompter using a posix terminal for user in. This function - does not use the data argument. 
- -If the start_time is zero, then the requested ticket will be valid -beginning immediately. Otherwise, the start_time indicates how far in -the future the ticket should be postdated. - -If the in_tkt_service name is non-NULL, that principal name will be -used as the server name for the initial ticket request. The realm of -the name specified will be ignored and will be set to the realm of the -client name. If no in_tkt_service name is specified, -krbtgt/CLIENT-REALM@CLIENT-REALM will be used. - -For the rest of arguments, a configuration or library default will be -used if no value is specified in the options structure. - -If a tkt_life is specified, that will be the lifetime of the ticket. -The library default is 10 hours; there is no configuration variable -(there should be, but it's not there now). - -If a renew_life is specified and non-zero, then the RENEWABLE option -on the ticket will be set, and the value of the argument will be the -the renewable lifetime. The configuration variable [libdefaults] -"renew_lifetime" is the renewable lifetime if none is passed in. The -library default is not to set the RENEWABLE option. - -If forwardable is specified, the FORWARDABLE option on the ticket will -be set if and only if forwardable is non-zero. The configuration -variable [libdefaults] "forwardable" is used if no value is passed in. -The option will be set if and only if the variable is "y", "yes", -"true", "t", "1", or "on", case insensitive. The library default is -not to set the FORWARDABLE option. - -If proxiable is specified, the PROXIABLE option on the ticket will be -set if and only if proxiable is non-zero. The configuration variable -[libdefaults] "proxiable" is used if no value is passed in. The -option will be set if and only if the variable is "y", "yes", "true", -"t", "1", or "on", case insensitive. The library default is not to -set the PROXIABLE option. 
- -If etype_list is specified, it will be used as the list of desired -encryption algorithms in the request. The configuration variable -[libdefaults] "default_tkt_enctypes" is used if no value is passed in. -The library default is "des-cbc-md5 des-cbc-crc". - -If address_list is specified, it will be used as the list of addresses -for which the ticket will be valid. The library default is to use all -local non-loopback addresses. There is no configuration variable. - -If preauth_list is specified, it names preauth data types which will -be included in the request. The library default is to interact with -the kdc to determine the required preauth types. There is no -configuration variable. - -If salt is specified, it specifies the salt which will be used when -converting the password to a key. The library default is to interact -with the kdc to determine the correct salt. There is no configuration -variable. - -================================================================ - -typedef struct _krb5_verify_init_creds_opt { - krb5_flags flags; - int ap_req_nofail; -} krb5_verify_init_creds_opt; - -#define KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL 0x0001 - -void krb5_verify_init_creds_opt_init(krb5_init_creds_opt *options); -void krb5_verify_init_creds_opt_set_ap_req_nofail(krb5_init_creds_opt *options, - int ap_req_nofail); - -krb5_error_code -krb5_verify_init_creds(krb5_context context, - krb5_creds *creds, - krb5_principal ap_req_server, - krb5_keytab ap_req_keytab, - krb5_ccache *ccache, - krb5_verify_init_creds_opt *options); - -This function will use the initial ticket in creds to make an AP_REQ -and verify it to insure that the AS_REP has not been spoofed. - -If the ap_req_server name is non-NULL, then this service name will be -used for the AP_REQ; otherwise, the default host key -(host/hostname.domain@LOCAL-REALM) will be used. 
- -If ap_req_keytab is non-NULL, the service key for the verification -will be read from that keytab; otherwise, the service key will be read -from the default keytab. - -If the service of the ticket in creds is the same as the service name -for the AP_REQ, then this ticket will be used directly. If the ticket -is a tgt, then it will be used to obtain credentials for the service. -Otherwise, the verification will fail, and return an error. - -Other failures of the AP_REQ verification may or may not be considered -errors, as described below. - -If a pointer to a credential cache handle is specified, and the handle -is NULL, a credential cache handle referring to all credentials -obtained in the course of verifying the user will be returned. In -order to avoid potential setuid race conditions and other problems -related to file system access, this handle will refer to a memory -credential cache. If the handle is non-NULL, then the credentials -will be added to the existing ccache. If the caller only wishes to -verify the password and will not be doing any other kerberos -functions, then a NULL pointer may be specified, and the credentials -will be deleted before the function returns. - -If ap_req_nofail is specified, then failures of the AP_REQ -verification are considered errors if and only if ap_req_nofail is -non-zero. - -Whether or not AP_REQ validation is performed and what failures mean -depends on these inputs: - - A) The appropriate keytab exists and contains the named key. - - B) An AP_REQ request to the kdc succeeds, and the resulting AP_REQ -can be decrypted and verified. - - C) The administrator has specified in a configuration file that -AP_REQ validation must succeed. This is basically a paranoid bit, and -can be overridden by the application based on a command line flag or -other application-specific info. This flag is especially useful if -the admin is concerned that DNS might be spoofed while determining the -host/FQDN name. 
The configuration variable [libdefaults] -"verify_ap_req_nofail" is used if no value is passed in. The library -default is not to set this option. - -Initial ticket verification will succeed if and only if: - - - A && B or - - !A && !C - -================================================================ - -For illustrative purposes, here's the invocations I expect some -programs will use. Of course, error checking needs to be added. - -kinit: - - /* Fill in client from the command line || existing ccache, and, - start_time, and options.{tkt_life,renew_life,forwardable,proxiable} - from the command line. Some or all may remain unset. */ - - krb5_get_init_creds(context, &creds, client, - krb5_initial_prompter_posix, NULL, - start_time, NULL, &options); - krb5_cc_store_cred(context, ccache, &creds); - krb5_free_cred_contents(context, &creds); - -login: - - krb5_get_init_creds(context, &creds, client, - krb5_initial_prompter_posix, NULL, - 0, NULL, NULL); - krb5_verify_init_creds(context, &creds, NULL, NULL, &vcc, NULL); - /* setuid */ - krb5_cc_store_cred(context, ccache, &creds); - krb5_cc_copy(context, vcc, ccache); - krb5_free_cred_contents(context, &creds); - krb5_cc_destroy(context, vcc); - -xdm: - - krb5_get_initial_creds(context, &creds, client, - krb5_initial_prompter_xt, (void *) &xtstuff, - 0, NULL, NULL); - krb5_verify_init_creds(context, &creds, NULL, NULL, &vcc, NULL); - /* setuid */ - krb5_cc_store_cred(context, ccache, &creds); - krb5_free_cred_contents(context, &creds); - krb5_cc_copy(context, vcc, ccache); - krb5_cc_destroy(context, vcc); - -passwd: - - krb5_init_creds_opt_init(&options); - krb5_init_creds_opt_set_tkt_life = 300; - krb5_get_initial_creds(context, &creds, client, - krb5_initial_prompter_posix, NULL, - 0, "kadmin/changepw", &options); - /* change password */ - krb5_free_cred_contents(context, &creds); - -pop3d (simple password validator when no user interation possible): - - krb5_get_initial_creds(context, &creds, client, - NULL, NULL, 
0, NULL, NULL); - krb5_verify_init_creds(context, &creds, NULL, NULL, &vcc, NULL); - krb5_cc_destroy(context, vcc); - -================================================================ - -password expiration has a subtlety. When a password expires and is -changed, there is a delay between when the master gets the new key -(immediately), and the slaves (propogation interval). So, when -getting an in_tkt, if the password is expired, the request should be -reissued to the master (this kind of sucks if you have SAM, oh well). -If this says expired, too, then the password should be changed, and -then the initial ticket request should be issued to the master again. -If the master times out, then a message that the password has expired -and cannot be changed due to the master being unreachable should be -displayed. - -================================================================ - -get_init_creds reads config stuff from: - -[libdefaults] - varname1 = defvalue - REALM = { - varname1 = value - varname2 = value - } - -typedef struct _krb5_get_init_creds_opt { - krb5_flags flags; - krb5_deltat tkt_life; /* varname = "ticket_lifetime" */ - krb5_deltat renew_life; /* varname = "renew_lifetime" */ - int forwardable; /* varname = "forwardable" */ - int proxiable; /* varname = "proxiable" */ - krb5_enctype *etype_list; /* varname = "default_tkt_enctypes" */ - int etype_list_length; - krb5_address **address_list; /* no varname */ - krb5_preauthtype *preauth_list; /* no varname */ - int preauth_list_length; - krb5_data *salt; -} krb5_get_init_creds_opt; - - diff --git a/crypto/heimdal-0.6.3/doc/install.texi b/crypto/heimdal-0.6.3/doc/install.texi deleted file mode 100644 index d12ace9bf3..0000000000 --- a/crypto/heimdal-0.6.3/doc/install.texi +++ /dev/null 
@@ -1,106 +0,0 @@
-@c $Id: install.texi,v 1.18 2002/09/04 03:18:48 assar Exp $
-
-@node Building and Installing, Setting up a realm, What is Kerberos?, Top
-@comment node-name, next, previous, up
-@chapter Building and Installing
-
-Heimdal uses GNU Autoconf to configure for specific hosts, and GNU
-Automake to manage makefiles. If this is new to you, the short
-instruction is to run the @code{configure} script in the top level
-directory, and when that finishes @code{make}.
-
-If you want to build the distribution in a different directory from the
-source directory, you will need a make that implements VPATH correctly,
-such as GNU make.
-
-You will need to build the distribution:
-
-@itemize @bullet
-@item
-A compiler that supports a ``loose'' ANSI C mode, such as @code{gcc}.
-@item
-lex or flex
-@item
-awk
-@item
-yacc or bison
-@item
-a socket library
-@item
-NDBM or Berkeley DB for building the server side.
-@end itemize
-
-When everything is built, you can install by doing @kbd{make
-install}. The default location for installation is @file{/usr/heimdal},
-but this can be changed by running @code{configure} with
-@samp{--prefix=/some/other/place}.
-
-If you need to change the default behavior, configure understands the
-following options:
-
-@table @asis
-@item @kbd{--without-berkeley-db}
-DB is preferred before NDBM, but if you for some reason want to use NDBM
-instead, you can use this option.
-
-@item @kbd{--with-krb4=@file{dir}}
-Gives the location of Kerberos 4 libraries and headers. This enables
-Kerberos 4 support in the applications (telnet, rsh, popper, etc) and
-the KDC. It is automatically check for in @file{/usr/athena}. If you
-keep libraries and headers in different places, you can instead give the
-path to each with the @kbd{--with-krb4-lib=@file{dir}}, and
-@kbd{--with-krb4-include=@file{dir}} options.
-
-You will need a fairly recent version of our Kerberos 4 distribution for
-@code{rshd} and @code{popper} to support version 4 clients.
-
-@item @kbd{--enable-dce}
-Enables support for getting DCE credentials and tokens. See the README
-files in @file{appl/dceutils} for more information.
-
-@item @kbd{--disable-otp}
-By default some of the application programs will build with support for
-one-time passwords (OTP). Use this option to disable that support.
-
-@item @kbd{--enable-osfc2}
-Enable some C2 support for OSF/Digital Unix/Tru64. Use this option if
-you are running your OSF operating system in C2 mode.
-
-@item @kbd{--with-readline=@file{dir}}
-Gives the path for the GNU Readline library, which will be used in some
-programs. If no readline library is found, the (simpler) editline
-library will be used instead.
-
-@item @kbd{--with-hesiod=@file{dir}}
-Enables hesiod support in push.
-
-@item @kbd{--enable-netinfo}
-Add support for using netinfo to lookup configuration information.
-Probably only useful (and working) on NextStep/Mac OS X.
-
-@item @kbd{--without-ipv6}
-Disable the IPv6 support.
-
-@item @kbd{--with-openldap}
-Compile Heimdal with support for storing the database in LDAP. Requires
-OpenLDAP @url{http://www.openldap.org}. See
-@url{http://www.padl.com/~lukeh/heimdal/} for more information.
-
-@item @kbd{--enable-bigendian}
-@item @kbd{--enable-littleendian}
-Normally, the build process will figure out by itself if the machine is
-big or little endian. It might fail in some cases when
-cross-compiling. If it does fail to figure it out, use the relevant of
-these two options.
-
-@item @kbd{--with-mips-abi=@var{abi}}
-On Irix there are three different ABIs that can be used (@samp{32},
-@samp{n32}, or @samp{64}). This option allows you to override the
-automatic selection.
-
-@item @kbd{--disable-mmap}
-Do not use the mmap system call. Normally, configure detects if there
-is a working mmap and it is only used if there is one. Only try this
-option if it fails to work anyhow.
-
-@end table
diff --git a/crypto/heimdal-0.6.3/doc/intro.texi b/crypto/heimdal-0.6.3/doc/intro.texi
deleted file mode 100644
index c190fe2182..0000000000
--- a/crypto/heimdal-0.6.3/doc/intro.texi
+++ /dev/null
@@ -1,101 +0,0 @@
-@c $Id: intro.texi,v 1.13 2003/03/15 13:42:16 lha Exp $
-
-@node Introduction, What is Kerberos?, Top, Top
-@c @node Introduction, What is Kerberos?, Top, Top
-@comment node-name, next, previous, up
-@chapter Introduction
-
-@heading What is Heimdal?
-
-Heimdal is a free implementation of Kerberos 5. The goals are to:
-
-@itemize @bullet
-@item
-have an implementation that can be freely used by anyone
-@item
-be protocol compatible with existing implementations and, if not in
-conflict, with RFC 1510 (and any future updated RFC)
-@item
-be reasonably compatible with the M.I.T Kerberos V5 API
-@item
-have support for Kerberos V5 over GSS-API (RFC1964)
-@item
-include the most important and useful application programs (rsh, telnet,
-popper, etc.)
-@item
-include enough backwards compatibility with Kerberos V4
-@end itemize
-
-@heading Status
-
-Heimdal has the following features (this does not mean any of this
-works):
-
-@itemize @bullet
-@item
-a stub generator and a library to encode/decode/whatever ASN.1/DER
-stuff
-@item
-a @code{libkrb5} library that should be possible to get to work with
-simple applications
-@item
-a GSS-API library that should have all the important functions for
-building applications
-@item
-Eric Young's @file{libdes}
-@item
-@file{kinit}, @file{klist}, @file{kdestroy}
-@item
-@file{telnet}, @file{telnetd}
-@item
-@file{rsh}, @file{rshd}
-@item
-@file{popper}, @file{push} (a movemail equivalent)
-@item
-@file{ftp}, and @file{ftpd}
-@item
-a library @file{libkafs} for authenticating to AFS and a program
-@file{afslog} that uses it
-@item
-some simple test programs
-@item
-a KDC that supports most things; optionally, it may also support
-Kerberos V4 and kaserver,
-@item
-simple programs for distributing databases between a KDC master and
-slaves
-@item
-a password changing daemon @file{kpasswdd}, library functions for
-changing passwords and a simple client
-@item
-some kind of administration system
-@item
-Kerberos V4 support in many of the applications.
-@end itemize
-
-@heading Bug reports
-
-If you find bugs in this software, make sure it is a genuine bug and not
-just a part of the code that isn't implemented.
-
-Bug reports should be sent to @email{heimdal-bugs@@pdc.kth.se}. Please
-include information on what machine and operating system (including
-version) you are running, what you are trying to do, what happens, what
-you think should have happened, an example for us to repeat, the output
-you get when trying the example, and a patch for the problem if you have
-one. Please make any patches with @code{diff -u} or @code{diff -c}.
-
-Suggestions, comments and other non bug reports are also welcome.
-
-@heading Mailing list
-
-There are two mailing lists with talk about
-Heimdal. @email{heimdal-announce@@sics.se} is a low-volume announcement
-list, while @email{heimdal-discuss@@sics.se} is for general discussion.
-Send a message to @email{majordomo@@sics.se} to subscribe.
-
-@heading Heimdal source code, binaries and the manual
-
-The source code for heimdal, links to binaries and the manual (this
-document) can be found on our web-page at
-@url{http://www.pdc.kth.se/heimdal/}.
diff --git a/crypto/heimdal-0.6.3/doc/kerberos4.texi b/crypto/heimdal-0.6.3/doc/kerberos4.texi
deleted file mode 100644
index 42a5f898f1..0000000000
--- a/crypto/heimdal-0.6.3/doc/kerberos4.texi
+++ /dev/null
@@ -1,226 +0,0 @@ -@c $Id: kerberos4.texi,v 1.16 2001/07/19 17:17:46 assar Exp $ - -@node Kerberos 4 issues, Windows 2000 compatability, Things in search for a better place, Top -@comment node-name, next, previous, up -@chapter Kerberos 4 issues - -If compiled with version 4 support, the KDC can serve requests from a -Kerberos 4 client. There are a few things you must do for this to work. - -The KDC will also have kaserver emulation and be able to handle -AFS-clients that use @code{klog}. - -@menu -* Principal conversion issues:: -* Converting a version 4 database:: -* kaserver:: -@end menu - -@node Principal conversion issues, Converting a version 4 database, Kerberos 4 issues, Kerberos 4 issues -@section Principal conversion issues - -First, Kerberos 4 and Kerberos 5 principals are different. A version 4 -principal consists of a name, an instance, and a realm. A version 5 -principal has one or more components, and a realm (the terms ``name'' -and ``instance'' are still used, for the first and second component, -respectively). Also, in some cases the name of a version 4 principal -differs from the first component of the corresponding version 5 -principal. One notable example is the ``host'' type principals, where -the version 4 name is @samp{rcmd} (for ``remote command''), and the -version 5 name is @samp{host}. For the class of principals that has a -hostname as instance, there is an other major difference, Kerberos 4 -uses only the first component of the hostname, whereas Kerberos 5 uses -the fully qualified hostname. - -Because of this it can be hard or impossible to correctly convert a -version 4 principal to a version 5 principal @footnote{the other way is -not always trivial either, but usually easier}. The biggest problem is -to know if the conversion resulted in a valid principal. To give an -example, suppose you want to convert the principal @samp{rcmd.foo}. 
- -The @samp{rcmd} name suggests that the instance is a hostname (even if -there are exceptions to this rule). To correctly convert the instance -@samp{foo} to a hostname, you have to know which host it is referring -to. You can to this by either guessing (from the realm) which domain -name to append, or you have to have a list of possible hostnames. In the -simplest cases you can cover most principals with the first rule. If you -have several domains sharing a single realm this will not usually -work. If the exceptions are few you can probably come by with a lookup -table for the exceptions. - -In a complex scenario you will need some kind of host lookup mechanism. -Using DNS for this is tempting, but DNS is error prone, slow and unsafe -@footnote{at least until secure DNS is commonly available}. - -Fortunately, the KDC has a trump on hand: it can easily tell if a -principal exists in the database. The KDC will use -@code{krb5_425_conv_principal_ext} to convert principals when handling -to version 4 requests. - -@node Converting a version 4 database, kaserver , Principal conversion issues, Kerberos 4 issues -@section Converting a version 4 database - -If you want to convert an existing version 4 database, the principal -conversion issue arises too. - -If you decide to convert your database once and for all, you will only -have to do this conversion once. It is also possible to run a version 5 -KDC as a slave to a version 4 KDC. In this case this conversion will -happen every time the database is propagated. When doing this -conversion, there are a few things to look out for. If you have stale -entries in the database, these entries will not be converted. This might -be because these principals are not used anymore, or it might be just -because the principal couldn't be converted. - -You might also see problems with a many-to-one mapping of -principals. 
For instance, if you are using DNS lookups and you have two -principals @samp{rcmd.foo} and @samp{rcmd.bar}, where `foo' is a CNAME -for `bar', the resulting principals will be the same. Since the -conversion function can't tell which is correct, these conflicts will -have to be resolved manually. - -@subsection Conversion example - -Given the following set of hosts and services: - -@example -foo.se rcmd -mail.foo.se rcmd, pop -ftp.bar.se rcmd, ftp -@end example - -you have a database that consists of the following principals: - -@samp{rcmd.foo}, @samp{rcmd.mail}, @samp{pop.mail}, @samp{rcmd.ftp}, and -@samp{ftp.ftp}. - -lets say you also got these extra principals: @samp{rcmd.gone}, -@samp{rcmd.old-mail}, where @samp{gone.foo.se} was a machine that has -now passed away, and @samp{old-mail.foo.se} was an old mail machine that -is now a CNAME for @samp{mail.foo.se}. - -When you convert this database you want the following conversions to be -done: -@example -rcmd.foo host/foo.se -rcmd.mail host/mail.foo.se -pop.mail pop/mail.foo.se -rcmd.ftp host/ftp.bar.se -ftp.ftp ftp/ftp.bar.se -rcmd.gone @i{removed} -rcmd.old-mail @i{removed} -@end example - -A @file{krb5.conf} that does this looks like: - -@example -[realms] - FOO.SE = @{ - v4_name_convert = @{ - host = @{ - ftp = ftp - pop = pop - rcmd = host - @} - @} - v4_instance_convert = @{ - foo = foo.se - ftp = ftp.bar.se - @} - default_domain = foo.se - @} -@end example - -The @samp{v4_name_convert} section says which names should be considered -having an instance consisting of a hostname, and it also says how the -names should be converted (for instance @samp{rcmd} should be converted -to @samp{host}). The @samp{v4_instance_convert} section says how a -hostname should be qualified (this is just a hosts-file in -disguise). Host-instances that aren't covered by -@samp{v4_instance_convert} are qualified by appending the contents of -the @samp{default_domain}. - -Actually, this example doesn't work. 
Or rather, it works to well. Since -it has no way of knowing which hostnames are valid and which are not, it -will happily convert @samp{rcmd.gone} to @samp{host/gone.foo.se}. This -isn't a big problem, but if you have run your kerberos realm for a few -years, chances are big that you have quite a few `junk' principals. - -If you don't want this you can remove the @samp{default_domain} -statement, but then you will have to add entries for @emph{all} your hosts -in the @samp{v4_instance_convert} section. - -Instead of doing this you can use DNS to convert instances. This is not -a solution without problems, but it is probably easier than adding lots -of static host entries. - -To enable DNS lookup you should turn on @samp{v4_instance_resolve} in -the @samp{[libdefaults]} section. - -@subsection Converting a database - -The database conversion is done with @samp{hprop}. You can run this -command to propagate the database to the machine called -@samp{slave-server} (which should be running a @samp{hpropd}). - -@example -hprop --source=krb4-db --master-key=/.m slave-server -@end example - -This command can also be to use for converting the v4 database on the -server: - -@example -hprop -n --source=krb4-db -d /var/kerberos/principal --master-key=/.m | hpropd -n -@end example - -@section Version 4 Kadmin - -@samp{kadmind} can act as a version 4 kadmind, and you can do most -operations, but with some restrictions (since the version 4 kadmin -protocol is, lets say, very ad hoc.) One example is that it only passes -des keys when creating principals and changing passwords (modern kpasswd -clients do send the password, so it's possible to to password quality -checks). Because of this you can only create principals with des keys, -and you can't set any flags or do any other fancy stuff. - -To get this to work, you have to add another entry to inetd (since -version 4 uses port 751, not 749). 
- -@emph{And then there are a many more things you can do; more on this in -a later version of this manual. Until then, UTSL.} - -@node kaserver, , Converting a version 4 database, Kerberos 4 issues -@section kaserver - -@subsection kaserver emulation - -The Heimdal kdc can emulate a kaserver. The kaserver is a Kerberos 4 -server with pre-authentication using Rx as the on-wire protocol. The kdc -contains a minimalistic Rx implementation. - -There are three parts of the kaserver; KAA (Authentication), KAT (Ticket -Granting), and KAM (Maintenance). The KAA interface and KAT interface -both passes over DES encrypted data-blobs (just like the -Kerberos-protocol) and thus do not need any other protection. The KAM -interface uses @code{rxkad} (Kerberos authentication layer for Rx) for -security and data protection, and is used for example for changing -passwords. This part is not implemented in the kdc. - -Another difference between the ka-protocol and the Kerberos 4 protocol -is that the pass-phrase is salted with the cellname in the @code{string to -key} function in the ka-protocol, while in the Kerberos 4 protocol there -is no salting of the password at all. To make sure AFS-compatible keys -are added to each principals when they are created or their password are -changed, @samp{afs3-salt} should be added to -@samp{[kadmin]default_keys}. - -@subsection Transarc AFS Windows client - -The Transarc Windows client uses Kerberos 4 to obtain tokens, and thus -does not need a kaserver. The Windows client assumes that the Kerberos -server is on the same machine as the AFS-database server. If you do not -like to do that you can add a small program that runs on the database -servers that forward all kerberos requests to the real kerberos -server. A program that does this is @code{krb-forward} -(@url{ftp://ftp.stacken.kth.se/pub/projekts/krb-forward}). 
diff --git a/crypto/heimdal-0.6.3/doc/latin1.tex b/crypto/heimdal-0.6.3/doc/latin1.tex
deleted file mode 100644
index e683dd271d..0000000000
--- a/crypto/heimdal-0.6.3/doc/latin1.tex
+++ /dev/null
@@ -1,95 +0,0 @@ -% ISO Latin 1 (ISO 8859/1) encoding for Computer Modern fonts. -% Jan Michael Rynning 1990-10-12 -\def\inmathmode#1{\relax\ifmmode#1\else$#1$\fi} -\global\catcode`\^^a0=\active \global\let^^a0=~ % no-break space -\global\catcode`\^^a1=\active \global\def^^a1{!`} % inverted exclamation mark -\global\catcode`\^^a2=\active \global\def^^a2{{\rm\rlap/c}} % cent sign -\global\catcode`\^^a3=\active \global\def^^a3{{\it\$}} % pound sign -% currency sign, yen sign, broken bar -\global\catcode`\^^a7=\active \global\let^^a7=\S % section sign -\global\catcode`\^^a8=\active \global\def^^a8{\"{}} % diaeresis -\global\catcode`\^^a9=\active \global\let^^a9=\copyright % copyright sign -% feminine ordinal indicator, left angle quotation mark -\global\catcode`\^^ac=\active \global\def^^ac{\inmathmode\neg}% not sign -\global\catcode`\^^ad=\active \global\let^^ad=\- % soft hyphen -% registered trade mark sign -\global\catcode`\^^af=\active \global\def^^af{\={}} % macron -% ... -\global\catcode`\^^b1=\active \global\def^^b1{\inmathmode\pm} % plus minus -\global\catcode`\^^b2=\active \global\def^^b2{\inmathmode{{^2}}} -\global\catcode`\^^b3=\active \global\def^^b3{\inmathmode{{^3}}} -\global\catcode`\^^b4=\active \global\def^^b4{\'{}} % acute accent -\global\catcode`\^^b5=\active \global\def^^b5{\inmathmode\mu} % mu -\global\catcode`\^^b6=\active \global\let^^b6=\P % pilcroy -\global\catcode`\^^b7=\active \global\def^^b7{\inmathmode{{\cdot}}} -\global\catcode`\^^b8=\active \global\def^^b8{\c{}} % cedilla -\global\catcode`\^^b9=\active \global\def^^b9{\inmathmode{{^1}}} -% ... 
-\global\catcode`\^^bc=\active \global\def^^bc{\inmathmode{{1\over4}}} -\global\catcode`\^^bd=\active \global\def^^bd{\inmathmode{{1\over2}}} -\global\catcode`\^^be=\active \global\def^^be{\inmathmode{{3\over4}}} -\global\catcode`\^^bf=\active \global\def^^bf{?`} % inverted question mark -\global\catcode`\^^c0=\active \global\def^^c0{\`A} -\global\catcode`\^^c1=\active \global\def^^c1{\'A} -\global\catcode`\^^c2=\active \global\def^^c2{\^A} -\global\catcode`\^^c3=\active \global\def^^c3{\~A} -\global\catcode`\^^c4=\active \global\def^^c4{\"A} % capital a with diaeresis -\global\catcode`\^^c5=\active \global\let^^c5=\AA % capital a with ring above -\global\catcode`\^^c6=\active \global\let^^c6=\AE -\global\catcode`\^^c7=\active \global\def^^c7{\c C} -\global\catcode`\^^c8=\active \global\def^^c8{\`E} -\global\catcode`\^^c9=\active \global\def^^c9{\'E} -\global\catcode`\^^ca=\active \global\def^^ca{\^E} -\global\catcode`\^^cb=\active \global\def^^cb{\"E} -\global\catcode`\^^cc=\active \global\def^^cc{\`I} -\global\catcode`\^^cd=\active \global\def^^cd{\'I} -\global\catcode`\^^ce=\active \global\def^^ce{\^I} -\global\catcode`\^^cf=\active \global\def^^cf{\"I} -% capital eth -\global\catcode`\^^d1=\active \global\def^^d1{\~N} -\global\catcode`\^^d2=\active \global\def^^d2{\`O} -\global\catcode`\^^d3=\active \global\def^^d3{\'O} -\global\catcode`\^^d4=\active \global\def^^d4{\^O} -\global\catcode`\^^d5=\active \global\def^^d5{\~O} -\global\catcode`\^^d6=\active \global\def^^d6{\"O} % capital o with diaeresis -\global\catcode`\^^d7=\active \global\def^^d7{\inmathmode\times}% multiplication sign -\global\catcode`\^^d8=\active \global\let^^d8=\O -\global\catcode`\^^d9=\active \global\def^^d9{\`U} -\global\catcode`\^^da=\active \global\def^^da{\'U} -\global\catcode`\^^db=\active \global\def^^db{\^U} -\global\catcode`\^^dc=\active \global\def^^dc{\"U} -\global\catcode`\^^dd=\active \global\def^^dd{\'Y} -% capital thorn -\global\catcode`\^^df=\active \global\def^^df{\ss} 
-\global\catcode`\^^e0=\active \global\def^^e0{\`a} -\global\catcode`\^^e1=\active \global\def^^e1{\'a} -\global\catcode`\^^e2=\active \global\def^^e2{\^a} -\global\catcode`\^^e3=\active \global\def^^e3{\~a} -\global\catcode`\^^e4=\active \global\def^^e4{\"a} % small a with diaeresis -\global\catcode`\^^e5=\active \global\let^^e5=\aa % small a with ring above -\global\catcode`\^^e6=\active \global\let^^e6=\ae -\global\catcode`\^^e7=\active \global\def^^e7{\c c} -\global\catcode`\^^e8=\active \global\def^^e8{\`e} -\global\catcode`\^^e9=\active \global\def^^e9{\'e} -\global\catcode`\^^ea=\active \global\def^^ea{\^e} -\global\catcode`\^^eb=\active \global\def^^eb{\"e} -\global\catcode`\^^ec=\active \global\def^^ec{\`\i} -\global\catcode`\^^ed=\active \global\def^^ed{\'\i} -\global\catcode`\^^ee=\active \global\def^^ee{\^\i} -\global\catcode`\^^ef=\active \global\def^^ef{\"\i} -% small eth -\global\catcode`\^^f1=\active \global\def^^f1{\~n} -\global\catcode`\^^f2=\active \global\def^^f2{\`o} -\global\catcode`\^^f3=\active \global\def^^f3{\'o} -\global\catcode`\^^f4=\active \global\def^^f4{\^o} -\global\catcode`\^^f5=\active \global\def^^f5{\~o} -\global\catcode`\^^f6=\active \global\def^^f6{\"o} % small o with diaeresis -\global\catcode`\^^f7=\active \global\def^^f7{\inmathmode\div}% division sign -\global\catcode`\^^f8=\active \global\let^^f8=\o -\global\catcode`\^^f9=\active \global\def^^f9{\`u} -\global\catcode`\^^fa=\active \global\def^^fa{\'u} -\global\catcode`\^^fb=\active \global\def^^fb{\^u} -\global\catcode`\^^fc=\active \global\def^^fc{\"u} -\global\catcode`\^^fd=\active \global\def^^fd{\'y} -% capital thorn -\global\catcode`\^^ff=\active \global\def^^ff{\"y} diff --git a/crypto/heimdal-0.6.3/doc/layman.asc b/crypto/heimdal-0.6.3/doc/layman.asc deleted file mode 100644 index d4fbe64be9..0000000000 --- a/crypto/heimdal-0.6.3/doc/layman.asc +++ /dev/null 
@@ -1,1855 +0,0 @@ -A Layman's Guide to a Subset of ASN.1, BER, and DER - -An RSA Laboratories Technical Note -Burton S. Kaliski Jr. -Revised November 1, 1993 - - -Supersedes June 3, 1991 version, which was also published as -NIST/OSI Implementors' Workshop document SEC-SIG-91-17. -PKCS documents are available by electronic mail to -. - -Copyright (C) 1991-1993 RSA Laboratories, a division of RSA -Data Security, Inc. License to copy this document is granted -provided that it is identified as "RSA Data Security, Inc. -Public-Key Cryptography Standards (PKCS)" in all material -mentioning or referencing this document. -003-903015-110-000-000 - - -Abstract. This note gives a layman's introduction to a -subset of OSI's Abstract Syntax Notation One (ASN.1), Basic -Encoding Rules (BER), and Distinguished Encoding Rules -(DER). The particular purpose of this note is to provide -background material sufficient for understanding and -implementing the PKCS family of standards. - - -1. Introduction - -It is a generally accepted design principle that abstraction -is a key to managing software development. With abstraction, -a designer can specify a part of a system without concern -for how the part is actually implemented or represented. -Such a practice leaves the implementation open; it -simplifies the specification; and it makes it possible to -state "axioms" about the part that can be proved when the -part is implemented, and assumed when the part is employed -in another, higher-level part. Abstraction is the hallmark -of most modern software specifications. - -One of the most complex systems today, and one that also -involves a great deal of abstraction, is Open Systems -Interconnection (OSI, described in X.200). OSI is an -internationally standardized architecture that governs the -interconnection of computers from the physical layer up to -the user application layer. 
Objects at higher layers are -defined abstractly and intended to be implemented with -objects at lower layers. For instance, a service at one -layer may require transfer of certain abstract objects -between computers; a lower layer may provide transfer -services for strings of ones and zeroes, using encoding -rules to transform the abstract objects into such strings. -OSI is called an open system because it supports many -different implementations of the services at each layer. - -OSI's method of specifying abstract objects is called ASN.1 -(Abstract Syntax Notation One, defined in X.208), and one -set of rules for representing such objects as strings of -ones and zeros is called the BER (Basic Encoding Rules, -defined in X.209). ASN.1 is a flexible notation that allows -one to define a variety data types, from simple types such -as integers and bit strings to structured types such as sets -and sequences, as well as complex types defined in terms of -others. BER describes how to represent or encode values of -each ASN.1 type as a string of eight-bit octets. There is -generally more than one way to BER-encode a given value. -Another set of rules, called the Distinguished Encoding -Rules (DER), which is a subset of BER, gives a unique -encoding to each ASN.1 value. - -The purpose of this note is to describe a subset of ASN.1, -BER and DER sufficient to understand and implement one OSI- -based application, RSA Data Security, Inc.'s Public-Key -Cryptography Standards. The features described include an -overview of ASN.1, BER, and DER and an abridged list of -ASN.1 types and their BER and DER encodings. Sections 2-4 -give an overview of ASN.1, BER, and DER, in that order. -Section 5 lists some ASN.1 types, giving their notation, -specific encoding rules, examples, and comments about their -application to PKCS. Section 6 concludes with an example, -X.500 distinguished names. 
- -Advanced features of ASN.1, such as macros, are not -described in this note, as they are not needed to implement -PKCS. For information on the other features, and for more -detail generally, the reader is referred to CCITT -Recommendations X.208 and X.209, which define ASN.1 and BER. - -Terminology and notation. In this note, an octet is an eight- -bit unsigned integer. Bit 8 of the octet is the most -significant and bit 1 is the least significant. - -The following meta-syntax is used for in describing ASN.1 -notation: - - BIT monospace denotes literal characters in the type - and value notation; in examples, it generally - denotes an octet value in hexadecimal - - n1 bold italics denotes a variable - - [] bold square brackets indicate that a term is - optional - - {} bold braces group related terms - - | bold vertical bar delimits alternatives with a - group - - ... bold ellipsis indicates repeated occurrences - - = bold equals sign expresses terms as subterms - - -2. Abstract Syntax Notation One - -Abstract Syntax Notation One, abbreviated ASN.1, is a -notation for describing abstract types and values. - -In ASN.1, a type is a set of values. For some types, there -are a finite number of values, and for other types there are -an infinite number. A value of a given ASN.1 type is an -element of the type's set. ASN.1 has four kinds of type: -simple types, which are "atomic" and have no components; -structured types, which have components; tagged types, which -are derived from other types; and other types, which include -the CHOICE type and the ANY type. Types and values can be -given names with the ASN.1 assignment operator (::=) , and -those names can be used in defining other types and values. - -Every ASN.1 type other than CHOICE and ANY has a tag, which -consists of a class and a nonnegative tag number. ASN.1 -types are abstractly the same if and only if their tag -numbers are the same. 
In other words, the name of an ASN.1 -type does not affect its abstract meaning, only the tag -does. There are four classes of tag: - - Universal, for types whose meaning is the same in all - applications; these types are only defined in - X.208. - - Application, for types whose meaning is specific to an - application, such as X.500 directory services; - types in two different applications may have the - same application-specific tag and different - meanings. - - Private, for types whose meaning is specific to a given - enterprise. - - Context-specific, for types whose meaning is specific - to a given structured type; context-specific tags - are used to distinguish between component types - with the same underlying tag within the context of - a given structured type, and component types in - two different structured types may have the same - tag and different meanings. - -The types with universal tags are defined in X.208, which -also gives the types' universal tag numbers. Types with -other tags are defined in many places, and are always -obtained by implicit or explicit tagging (see Section 2.3). -Table 1 lists some ASN.1 types and their universal-class -tags. - - Type Tag number Tag number - (decimal) (hexadecimal) - INTEGER 2 02 - BIT STRING 3 03 - OCTET STRING 4 04 - NULL 5 05 - OBJECT IDENTIFIER 6 06 - SEQUENCE and SEQUENCE OF 16 10 - SET and SET OF 17 11 - PrintableString 19 13 - T61String 20 14 - IA5String 22 16 - UTCTime 23 17 - - Table 1. Some types and their universal-class tags. - -ASN.1 types and values are expressed in a flexible, -programming-language-like notation, with the following -special rules: - - o Layout is not significant; multiple spaces and - line breaks can be considered as a single space. - - o Comments are delimited by pairs of hyphens (--), - or a pair of hyphens and a line break. 
- - o Identifiers (names of values and fields) and type - references (names of types) consist of upper- and - lower-case letters, digits, hyphens, and spaces; - identifiers begin with lower-case letters; type - references begin with upper-case letters. - -The following four subsections give an overview of simple -types, structured types, implicitly and explicitly tagged -types, and other types. Section 5 describes specific types -in more detail. - - -2.1 Simple types - -Simple types are those not consisting of components; they -are the "atomic" types. ASN.1 defines several; the types -that are relevant to the PKCS standards are the following: - - BIT STRING, an arbitrary string of bits (ones and - zeroes). - - IA5String, an arbitrary string of IA5 (ASCII) - characters. - - INTEGER, an arbitrary integer. - - NULL, a null value. - - OBJECT IDENTIFIER, an object identifier, which is a - sequence of integer components that identify an - object such as an algorithm or attribute type. - - OCTET STRING, an arbitrary string of octets (eight-bit - values). - - PrintableString, an arbitrary string of printable - characters. - - T61String, an arbitrary string of T.61 (eight-bit) - characters. - - UTCTime, a "coordinated universal time" or Greenwich - Mean Time (GMT) value. - -Simple types fall into two categories: string types and non- -string types. BIT STRING, IA5String, OCTET STRING, -PrintableString, T61String, and UTCTime are string types. - -String types can be viewed, for the purposes of encoding, as -consisting of components, where the components are -substrings. This view allows one to encode a value whose -length is not known in advance (e.g., an octet string value -input from a file stream) with a constructed, indefinite- -length encoding (see Section 3). - -The string types can be given size constraints limiting the -length of values. - - -2.2 Structured types - -Structured types are those consisting of components. 
ASN.1 -defines four, all of which are relevant to the PKCS -standards: - - SEQUENCE, an ordered collection of one or more types. - - SEQUENCE OF, an ordered collection of zero or more - occurrences of a given type. - - SET, an unordered collection of one or more types. - - SET OF, an unordered collection of zero or more - occurrences of a given type. - -The structured types can have optional components, possibly -with default values. - - -2.3 Implicitly and explicitly tagged types - -Tagging is useful to distinguish types within an -application; it is also commonly used to distinguish -component types within a structured type. For instance, -optional components of a SET or SEQUENCE type are typically -given distinct context-specific tags to avoid ambiguity. - -There are two ways to tag a type: implicitly and explicitly. - -Implicitly tagged types are derived from other types by -changing the tag of the underlying type. Implicit tagging is -denoted by the ASN.1 keywords [class number] IMPLICIT (see -Section 5.1). - -Explicitly tagged types are derived from other types by -adding an outer tag to the underlying type. In effect, -explicitly tagged types are structured types consisting of -one component, the underlying type. Explicit tagging is -denoted by the ASN.1 keywords [class number] EXPLICIT (see -Section 5.2). - -The keyword [class number] alone is the same as explicit -tagging, except when the "module" in which the ASN.1 type is -defined has implicit tagging by default. ("Modules" are -among the advanced features not described in this note.) - -For purposes of encoding, an implicitly tagged type is -considered the same as the underlying type, except that the -tag is different. An explicitly tagged type is considered -like a structured type with one component, the underlying -type. 
Implicit tags result in shorter encodings, but -explicit tags may be necessary to avoid ambiguity if the tag -of the underlying type is indeterminate (e.g., the -underlying type is CHOICE or ANY). - - -2.4 Other types - -Other types in ASN.1 include the CHOICE and ANY types. The -CHOICE type denotes a union of one or more alternatives; the -ANY type denotes an arbitrary value of an arbitrary type, -where the arbitrary type is possibly defined in the -registration of an object identifier or integer value. - - -3. Basic Encoding Rules - -The Basic Encoding Rules for ASN.1, abbreviated BER, give -one or more ways to represent any ASN.1 value as an octet -string. (There are certainly other ways to represent ASN.1 -values, but BER is the standard for interchanging such -values in OSI.) - -There are three methods to encode an ASN.1 value under BER, -the choice of which depends on the type of value and whether -the length of the value is known. The three methods are -primitive, definite-length encoding; constructed, definite- -length encoding; and constructed, indefinite-length -encoding. Simple non-string types employ the primitive, -definite-length method; structured types employ either of -the constructed methods; and simple string types employ any -of the methods, depending on whether the length of the value -is known. Types derived by implicit tagging employ the -method of the underlying type and types derived by explicit -tagging employ the constructed methods. - -In each method, the BER encoding has three or four parts: - - Identifier octets. These identify the class and tag - number of the ASN.1 value, and indicate whether - the method is primitive or constructed. - - Length octets. For the definite-length methods, these - give the number of contents octets. For the - constructed, indefinite-length method, these - indicate that the length is indefinite. - - Contents octets. 
For the primitive, definite-length - method, these give a concrete representation of - the value. For the constructed methods, these - give the concatenation of the BER encodings of the - components of the value. - - End-of-contents octets. For the constructed, indefinite- - length method, these denote the end of the - contents. For the other methods, these are absent. - -The three methods of encoding are described in the following -sections. - - -3.1 Primitive, definite-length method - -This method applies to simple types and types derived from -simple types by implicit tagging. It requires that the -length of the value be known in advance. The parts of the -BER encoding are as follows: - -Identifier octets. There are two forms: low tag number (for -tag numbers between 0 and 30) and high tag number (for tag -numbers 31 and greater). - - Low-tag-number form. One octet. Bits 8 and 7 specify - the class (see Table 2), bit 6 has value "0," - indicating that the encoding is primitive, and - bits 5-1 give the tag number. - - Class Bit Bit - 8 7 - universal 0 0 - application 0 1 - context-specific 1 0 - private 1 1 - - Table 2. Class encoding in identifier octets. - - High-tag-number form. Two or more octets. First octet - is as in low-tag-number form, except that bits 5-1 - all have value "1." Second and following octets - give the tag number, base 128, most significant - digit first, with as few digits as possible, and - with the bit 8 of each octet except the last set - to "1." - -Length octets. There are two forms: short (for lengths -between 0 and 127), and long definite (for lengths between 0 -and 21008-1). - - Short form. One octet. Bit 8 has value "0" and bits 7-1 - give the length. - - Long form. Two to 127 octets. Bit 8 of first octet has - value "1" and bits 7-1 give the number of - additional length octets. Second and following - octets give the length, base 256, most significant - digit first. - -Contents octets. 
These give a concrete representation of the -value (or the value of the underlying type, if the type is -derived by implicit tagging). Details for particular types -are given in Section 5. - - -3.2 Constructed, definite-length method - -This method applies to simple string types, structured -types, types derived simple string types and structured -types by implicit tagging, and types derived from anything -by explicit tagging. It requires that the length of the -value be known in advance. The parts of the BER encoding are -as follows: - -Identifier octets. As described in Section 3.1, except that -bit 6 has value "1," indicating that the encoding is -constructed. - -Length octets. As described in Section 3.1. - -Contents octets. The concatenation of the BER encodings of -the components of the value: - - o For simple string types and types derived from - them by implicit tagging, the concatenation of the - BER encodings of consecutive substrings of the - value (underlying value for implicit tagging). - - o For structured types and types derived from them - by implicit tagging, the concatenation of the BER - encodings of components of the value (underlying - value for implicit tagging). - - o For types derived from anything by explicit - tagging, the BER encoding of the underlying value. - -Details for particular types are given in Section 5. - - -3.3 Constructed, indefinite-length method - -This method applies to simple string types, structured -types, types derived simple string types and structured -types by implicit tagging, and types derived from anything -by explicit tagging. It does not require that the length of -the value be known in advance. The parts of the BER encoding -are as follows: - -Identifier octets. As described in Section 3.2. - -Length octets. One octet, 80. - -Contents octets. As described in Section 3.2. - -End-of-contents octets. Two octets, 00 00. 
- -Since the end-of-contents octets appear where an ordinary -BER encoding might be expected (e.g., in the contents octets -of a sequence value), the 00 and 00 appear as identifier and -length octets, respectively. Thus the end-of-contents octets -is really the primitive, definite-length encoding of a value -with universal class, tag number 0, and length 0. - - -4. Distinguished Encoding Rules - -The Distinguished Encoding Rules for ASN.1, abbreviated DER, -are a subset of BER, and give exactly one way to represent -any ASN.1 value as an octet string. DER is intended for -applications in which a unique octet string encoding is -needed, as is the case when a digital signature is computed -on an ASN.1 value. DER is defined in Section 8.7 of X.509. - -DER adds the following restrictions to the rules given in -Section 3: - - 1. When the length is between 0 and 127, the short - form of length must be used - - 2. When the length is 128 or greater, the long form - of length must be used, and the length must be - encoded in the minimum number of octets. - - 3. For simple string types and implicitly tagged - types derived from simple string types, the - primitive, definite-length method must be - employed. - - 4. For structured types, implicitly tagged types - derived from structured types, and explicitly - tagged types derived from anything, the - constructed, definite-length method must be - employed. - -Other restrictions are defined for particular types (such as -BIT STRING, SEQUENCE, SET, and SET OF), and can be found in -Section 5. - - -5. Notation and encodings for some types - -This section gives the notation for some ASN.1 types and -describes how to encode values of those types under both BER -and DER. - -The types described are those presented in Section 2. They -are listed alphabetically here. - -Each description includes ASN.1 notation, BER encoding, and -DER encoding. 
The focus of the encodings is primarily on the -contents octets; the tag and length octets follow Sections 3 -and 4. The descriptions also explain where each type is used -in PKCS and related standards. ASN.1 notation is generally -only for types, although for the type OBJECT IDENTIFIER, -value notation is given as well. - - -5.1 Implicitly tagged types - -An implicitly tagged type is a type derived from another -type by changing the tag of the underlying type. - -Implicit tagging is used for optional SEQUENCE components -with underlying type other than ANY throughout PKCS, and for -the extendedCertificate alternative of PKCS #7's -ExtendedCertificateOrCertificate type. - -ASN.1 notation: - -[[class] number] IMPLICIT Type - -class = UNIVERSAL | APPLICATION | PRIVATE - -where Type is a type, class is an optional class name, and -number is the tag number within the class, a nonnegative -integer. - -In ASN.1 "modules" whose default tagging method is implicit -tagging, the notation [[class] number] Type is also -acceptable, and the keyword IMPLICIT is implied. (See -Section 2.3.) For definitions stated outside a module, the -explicit inclusion of the keyword IMPLICIT is preferable to -prevent ambiguity. - -If the class name is absent, then the tag is context- -specific. Context-specific tags can only appear in a -component of a structured or CHOICE type. - -Example: PKCS #8's PrivateKeyInfo type has an optional -attributes component with an implicit, context-specific tag: - -PrivateKeyInfo ::= SEQUENCE { - version Version, - privateKeyAlgorithm PrivateKeyAlgorithmIdentifier, - privateKey PrivateKey, - attributes [0] IMPLICIT Attributes OPTIONAL } - -Here the underlying type is Attributes, the class is absent -(i.e., context-specific), and the tag number within the -class is 0. - -BER encoding. Primitive or constructed, depending on the -underlying type. Contents octets are as for the BER encoding -of the underlying value. 
- -Example: The BER encoding of the attributes component of a -PrivateKeyInfo value is as follows: - - o the identifier octets are 80 if the underlying - Attributes value has a primitive BER encoding and - a0 if the underlying Attributes value has a - constructed BER encoding - - o the length and contents octets are the same as the - length and contents octets of the BER encoding of - the underlying Attributes value - -DER encoding. Primitive or constructed, depending on the -underlying type. Contents octets are as for the DER encoding -of the underlying value. - - -5.2 Explicitly tagged types - -Explicit tagging denotes a type derived from another type by -adding an outer tag to the underlying type. - -Explicit tagging is used for optional SEQUENCE components -with underlying type ANY throughout PKCS, and for the -version component of X.509's Certificate type. - -ASN.1 notation: - -[[class] number] EXPLICIT Type - -class = UNIVERSAL | APPLICATION | PRIVATE - -where Type is a type, class is an optional class name, and -number is the tag number within the class, a nonnegative -integer. - -If the class name is absent, then the tag is context- -specific. Context-specific tags can only appear in a -component of a SEQUENCE, SET or CHOICE type. - -In ASN.1 "modules" whose default tagging method is explicit -tagging, the notation [[class] number] Type is also -acceptable, and the keyword EXPLICIT is implied. (See -Section 2.3.) For definitions stated outside a module, the -explicit inclusion of the keyword EXPLICIT is preferable to -prevent ambiguity. - -Example 1: PKCS #7's ContentInfo type has an optional -content component with an explicit, context-specific tag: - -ContentInfo ::= SEQUENCE { - contentType ContentType, - content - [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL } - -Here the underlying type is ANY DEFINED BY contentType, the -class is absent (i.e., context-specific), and the tag number -within the class is 0. 
- -Example 2: X.509's Certificate type has a version component -with an explicit, context-specific tag, where the EXPLICIT -keyword is omitted: - -Certificate ::= ... - version [0] Version DEFAULT v1988, -... - -The tag is explicit because the default tagging method for -the ASN.1 "module" in X.509 that defines the Certificate -type is explicit tagging. - -BER encoding. Constructed. Contents octets are the BER -encoding of the underlying value. - -Example: the BER encoding of the content component of a -ContentInfo value is as follows: - - o identifier octets are a0 - - o length octets represent the length of the BER - encoding of the underlying ANY DEFINED BY - contentType value - - o contents octets are the BER encoding of the - underlying ANY DEFINED BY contentType value - -DER encoding. Constructed. Contents octets are the DER -encoding of the underlying value. - - -5.3 ANY - -The ANY type denotes an arbitrary value of an arbitrary -type, where the arbitrary type is possibly defined in the -registration of an object identifier or associated with an -integer index. - -The ANY type is used for content of a particular content -type in PKCS #7's ContentInfo type, for parameters of a -particular algorithm in X.509's AlgorithmIdentifier type, -and for attribute values in X.501's Attribute and -AttributeValueAssertion types. The Attribute type is used by -PKCS #6, #7, #8, #9 and #10, and the AttributeValueAssertion -type is used in X.501 distinguished names. - -ASN.1 notation: - -ANY [DEFINED BY identifier] - -where identifier is an optional identifier. - -In the ANY form, the actual type is indeterminate. - -The ANY DEFINED BY identifier form can only appear in a -component of a SEQUENCE or SET type for which identifier -identifies some other component, and that other component -has type INTEGER or OBJECT IDENTIFIER (or a type derived -from either of those by tagging). 
In that form, the actual -type is determined by the value of the other component, -either in the registration of the object identifier value, -or in a table of integer values. - -Example: X.509's AlgorithmIdentifier type has a component of -type ANY: - -AlgorithmIdentifier ::= SEQUENCE { - algorithm OBJECT IDENTIFIER, - parameters ANY DEFINED BY algorithm OPTIONAL } - -Here the actual type of the parameter component depends on -the value of the algorithm component. The actual type would -be defined in the registration of object identifier values -for the algorithm component. - -BER encoding. Same as the BER encoding of the actual value. - -Example: The BER encoding of the value of the parameter -component is the BER encoding of the value of the actual -type as defined in the registration of object identifier -values for the algorithm component. - -DER encoding. Same as the DER encoding of the actual value. - - -5.4 BIT STRING - -The BIT STRING type denotes an arbitrary string of bits -(ones and zeroes). A BIT STRING value can have any length, -including zero. This type is a string type. - -The BIT STRING type is used for digital signatures on -extended certificates in PKCS #6's ExtendedCertificate type, -for digital signatures on certificates in X.509's -Certificate type, and for public keys in certificates in -X.509's SubjectPublicKeyInfo type. - -ASN.1 notation: - -BIT STRING - -Example: X.509's SubjectPublicKeyInfo type has a component -of type BIT STRING: - -SubjectPublicKeyInfo ::= SEQUENCE { - algorithm AlgorithmIdentifier, - publicKey BIT STRING } - -BER encoding. Primitive or constructed. In a primitive -encoding, the first contents octet gives the number of bits -by which the length of the bit string is less than the next -multiple of eight (this is called the "number of unused -bits"). The second and following contents octets give the -value of the bit string, converted to an octet string. The -conversion process is as follows: - - 1. 
The bit string is padded after the last bit with - zero to seven bits of any value to make the length - of the bit string a multiple of eight. If the - length of the bit string is a multiple of eight - already, no padding is done. - - 2. The padded bit string is divided into octets. The - first eight bits of the padded bit string become - the first octet, bit 8 to bit 1, and so on through - the last eight bits of the padded bit string. - -In a constructed encoding, the contents octets give the -concatenation of the BER encodings of consecutive substrings -of the bit string, where each substring except the last has -a length that is a multiple of eight bits. - -Example: The BER encoding of the BIT STRING value -"011011100101110111" can be any of the following, among -others, depending on the choice of padding bits, the form of -length octets, and whether the encoding is primitive or -constructed: - -03 04 06 6e 5d c0 DER encoding - -03 04 06 6e 5d e0 padded with "100000" - -03 81 04 06 6e 5d c0 long form of length octets - -23 09 constructed encoding: "0110111001011101" + "11" - 03 03 00 6e 5d - 03 02 06 c0 - -DER encoding. Primitive. The contents octects are as for a -primitive BER encoding, except that the bit string is padded -with zero-valued bits. - -Example: The DER encoding of the BIT STRING value -"011011100101110111" is - -03 04 06 6e 5d c0 - - -5.5 CHOICE - -The CHOICE type denotes a union of one or more alternatives. - -The CHOICE type is used to represent the union of an -extended certificate and an X.509 certificate in PKCS #7's -ExtendedCertificateOrCertificate type. - -ASN.1 notation: - -CHOICE { - [identifier1] Type1, - ..., - [identifiern] Typen } - -where identifier1 , ..., identifiern are optional, distinct -identifiers for the alternatives, and Type1, ..., Typen are -the types of the alternatives. The identifiers are primarily -for documentation; they do not affect values of the type or -their encodings in any way. 
- -The types must have distinct tags. This requirement is -typically satisfied with explicit or implicit tagging on -some of the alternatives. - -Example: PKCS #7's ExtendedCertificateOrCertificate type is -a CHOICE type: - -ExtendedCertificateOrCertificate ::= CHOICE { - certificate Certificate, -- X.509 - extendedCertificate [0] IMPLICIT ExtendedCertificate -} - -Here the identifiers for the alternatives are certificate -and extendedCertificate, and the types of the alternatives -are Certificate and [0] IMPLICIT ExtendedCertificate. - -BER encoding. Same as the BER encoding of the chosen -alternative. The fact that the alternatives have distinct -tags makes it possible to distinguish between their BER -encodings. - -Example: The identifier octets for the BER encoding are 30 -if the chosen alternative is certificate, and a0 if the -chosen alternative is extendedCertificate. - -DER encoding. Same as the DER encoding of the chosen -alternative. - - -5.6 IA5String - -The IA5String type denotes an arbtrary string of IA5 -characters. IA5 stands for International Alphabet 5, which -is the same as ASCII. The character set includes non- -printing control characters. An IA5String value can have any -length, including zero. This type is a string type. - -The IA5String type is used in PKCS #9's electronic-mail -address, unstructured-name, and unstructured-address -attributes. - -ASN.1 notation: - -IA5String - -BER encoding. Primitive or constructed. In a primitive -encoding, the contents octets give the characters in the IA5 -string, encoded in ASCII. In a constructed encoding, the -contents octets give the concatenation of the BER encodings -of consecutive substrings of the IA5 string. 
- -Example: The BER encoding of the IA5String value -"test1@rsa.com" can be any of the following, among others, -depending on the form of length octets and whether the -encoding is primitive or constructed: - -16 0d 74 65 73 74 31 40 72 73 61 2e 63 6f 6d DER encoding - -16 81 0d long form of length octets - 74 65 73 74 31 40 72 73 61 2e 63 6f 6d - -36 13 constructed encoding: "test1" + "@" + "rsa.com" - 16 05 74 65 73 74 31 - 16 01 40 - 16 07 72 73 61 2e 63 6f 6d - -DER encoding. Primitive. Contents octets are as for a -primitive BER encoding. - -Example: The DER encoding of the IA5String value -"test1@rsa.com" is - -16 0d 74 65 73 74 31 40 72 73 61 2e 63 6f 6d - - -5.7 INTEGER - -The INTEGER type denotes an arbitrary integer. INTEGER -values can be positive, negative, or zero, and can have any -magnitude. - -The INTEGER type is used for version numbers throughout -PKCS, cryptographic values such as modulus, exponent, and -primes in PKCS #1's RSAPublicKey and RSAPrivateKey types and -PKCS #3's DHParameter type, a message-digest iteration count -in PKCS #5's PBEParameter type, and version numbers and -serial numbers in X.509's Certificate type. - -ASN.1 notation: - -INTEGER [{ identifier1(value1) ... identifiern(valuen) }] - -where identifier1, ..., identifiern are optional distinct -identifiers and value1, ..., valuen are optional integer -values. The identifiers, when present, are associated with -values of the type. - -Example: X.509's Version type is an INTEGER type with -identified values: - -Version ::= INTEGER { v1988(0) } - -The identifier v1988 is associated with the value 0. X.509's -Certificate type uses the identifier v1988 to give a default -value of 0 for the version component: - -Certificate ::= ... - version Version DEFAULT v1988, -... - -BER encoding. Primitive. Contents octets give the value of -the integer, base 256, in two's complement form, most -significant digit first, with the minimum number of octets. 
-The value 0 is encoded as a single 00 octet. - -Some example BER encodings (which also happen to be DER -encodings) are given in Table 3. - - Integer BER encoding - value - 0 02 01 00 - 127 02 01 7F - 128 02 02 00 80 - 256 02 02 01 00 - -128 02 01 80 - -129 02 02 FF 7F - - Table 3. Example BER encodings of INTEGER values. - -DER encoding. Primitive. Contents octets are as for a -primitive BER encoding. - - -5.8 NULL - -The NULL type denotes a null value. - -The NULL type is used for algorithm parameters in several -places in PKCS. - -ASN.1 notation: - -NULL - -BER encoding. Primitive. Contents octets are empty. - -Example: The BER encoding of a NULL value can be either of -the following, as well as others, depending on the form of -the length octets: - -05 00 - -05 81 00 - -DER encoding. Primitive. Contents octets are empty; the DER -encoding of a NULL value is always 05 00. - - -5.9 OBJECT IDENTIFIER - -The OBJECT IDENTIFIER type denotes an object identifier, a -sequence of integer components that identifies an object -such as an algorithm, an attribute type, or perhaps a -registration authority that defines other object -identifiers. An OBJECT IDENTIFIER value can have any number -of components, and components can generally have any -nonnegative value. This type is a non-string type. - -OBJECT IDENTIFIER values are given meanings by registration -authorities. Each registration authority is responsible for -all sequences of components beginning with a given sequence. -A registration authority typically delegates responsibility -for subsets of the sequences in its domain to other -registration authorities, or for particular types of object. -There are always at least two components. - -The OBJECT IDENTIFIER type is used to identify content in -PKCS #7's ContentInfo type, to identify algorithms in -X.509's AlgorithmIdentifier type, and to identify attributes -in X.501's Attribute and AttributeValueAssertion types. 
The -Attribute type is used by PKCS #6, #7, #8, #9, and #10, and -the AttributeValueAssertion type is used in X.501 -distinguished names. OBJECT IDENTIFIER values are defined -throughout PKCS. - -ASN.1 notation: - -OBJECT IDENTIFIER - -The ASN.1 notation for values of the OBJECT IDENTIFIER type -is - -{ [identifier] component1 ... componentn } - -componenti = identifieri | identifieri (valuei) | valuei - -where identifier, identifier1, ..., identifiern are -identifiers, and value1, ..., valuen are optional integer -values. - -The form without identifier is the "complete" value with all -its components; the form with identifier abbreviates the -beginning components with another object identifier value. -The identifiers identifier1, ..., identifiern are intended -primarily for documentation, but they must correspond to the -integer value when both are present. These identifiers can -appear without integer values only if they are among a small -set of identifiers defined in X.208. - -Example: The following values both refer to the object -identifier assigned to RSA Data Security, Inc.: - -{ iso(1) member-body(2) 840 113549 } -{ 1 2 840 113549 } - -(In this example, which gives ASN.1 value notation, the -object identifier values are decimal, not hexadecimal.) -Table 4 gives some other object identifier values and their -meanings. - - Object identifier value Meaning - { 1 2 } ISO member bodies - { 1 2 840 } US (ANSI) - { 1 2 840 113549 } RSA Data Security, Inc. - { 1 2 840 113549 1 } RSA Data Security, Inc. PKCS - { 2 5 } directory services (X.500) - { 2 5 8 } directory services-algorithms - - Table 4. Some object identifier values and their meanings. - -BER encoding. Primitive. Contents octets are as follows, -where value1, ..., valuen denote the integer values of the -components in the complete object identifier: - - 1. The first octet has value 40 * value1 + value2. 
- (This is unambiguous, since value1 is limited to - values 0, 1, and 2; value2 is limited to the range - 0 to 39 when value1 is 0 or 1; and, according to - X.208, n is always at least 2.) - - 2. The following octets, if any, encode value3, ..., - valuen. Each value is encoded base 128, most - significant digit first, with as few digits as - possible, and the most significant bit of each - octet except the last in the value's encoding set - to "1." - -Example: The first octet of the BER encoding of RSA Data -Security, Inc.'s object identifier is 40 * 1 + 2 = 42 = -2a16. The encoding of 840 = 6 * 128 + 4816 is 86 48 and the -encoding of 113549 = 6 * 1282 + 7716 * 128 + d16 is 86 f7 -0d. This leads to the following BER encoding: - -06 06 2a 86 48 86 f7 0d - -DER encoding. Primitive. Contents octets are as for a -primitive BER encoding. - - -5.10 OCTET STRING - -The OCTET STRING type denotes an arbitrary string of octets -(eight-bit values). An OCTET STRING value can have any -length, including zero. This type is a string type. - -The OCTET STRING type is used for salt values in PKCS #5's -PBEParameter type, for message digests, encrypted message -digests, and encrypted content in PKCS #7, and for private -keys and encrypted private keys in PKCS #8. - -ASN.1 notation: - -OCTET STRING [SIZE ({size | size1..size2})] - -where size, size1, and size2 are optional size constraints. -In the OCTET STRING SIZE (size) form, the octet string must -have size octets. In the OCTET STRING SIZE (size1..size2) -form, the octet string must have between size1 and size2 -octets. In the OCTET STRING form, the octet string can have -any size. - -Example: PKCS #5's PBEParameter type has a component of type -OCTET STRING: - -PBEParameter ::= SEQUENCE { - salt OCTET STRING SIZE(8), - iterationCount INTEGER } - -Here the size of the salt component is always eight octets. - -BER encoding. Primitive or constructed. 
In a primitive -encoding, the contents octets give the value of the octet -string, first octet to last octet. In a constructed -encoding, the contents octets give the concatenation of the -BER encodings of substrings of the OCTET STRING value. - -Example: The BER encoding of the OCTET STRING value 01 23 45 -67 89 ab cd ef can be any of the following, among others, -depending on the form of length octets and whether the -encoding is primitive or constructed: - -04 08 01 23 45 67 89 ab cd ef DER encoding - -04 81 08 01 23 45 67 89 ab cd ef long form of length octets - -24 0c constructed encoding: 01 ... 67 + 89 ... ef - 04 04 01 23 45 67 - 04 04 89 ab cd ef - -DER encoding. Primitive. Contents octets are as for a -primitive BER encoding. - -Example: The BER encoding of the OCTET STRING value 01 23 45 -67 89 ab cd ef is - -04 08 01 23 45 67 89 ab cd ef - - -5.11 PrintableString - -The PrintableString type denotes an arbitrary string of -printable characters from the following character set: - - A, B, ..., Z - a, b, ..., z - 0, 1, ..., 9 - (space) ' ( ) + , - . / : = ? - -This type is a string type. - -The PrintableString type is used in PKCS #9's challenge- -password and unstructuerd-address attributes, and in several -X.521 distinguished names attributes. - -ASN.1 notation: - -PrintableString - -BER encoding. Primitive or constructed. In a primitive -encoding, the contents octets give the characters in the -printable string, encoded in ASCII. In a constructed -encoding, the contents octets give the concatenation of the -BER encodings of consecutive substrings of the string. 
- -Example: The BER encoding of the PrintableString value "Test -User 1" can be any of the following, among others, depending -on the form of length octets and whether the encoding is -primitive or constructed: - -13 0b 54 65 73 74 20 55 73 65 72 20 31 DER encoding - -13 81 0b long form of length octets - 54 65 73 74 20 55 73 65 72 20 31 - -33 0f constructed encoding: "Test " + "User 1" - 13 05 54 65 73 74 20 - 13 06 55 73 65 72 20 31 - -DER encoding. Primitive. Contents octets are as for a -primitive BER encoding. - -Example: The DER encoding of the PrintableString value "Test -User 1" is - -13 0b 54 65 73 74 20 55 73 65 72 20 31 - - -5.12 SEQUENCE - -The SEQUENCE type denotes an ordered collection of one or -more types. - -The SEQUENCE type is used throughout PKCS and related -standards. - -ASN.1 notation: - -SEQUENCE { - [identifier1] Type1 [{OPTIONAL | DEFAULT value1}], - ..., - [identifiern] Typen [{OPTIONAL | DEFAULT valuen}]} - -where identifier1 , ..., identifiern are optional, distinct -identifiers for the components, Type1, ..., Typen are the -types of the components, and value1, ..., valuen are optional -default values for the components. The identifiers are -primarily for documentation; they do not affect values of -the type or their encodings in any way. - -The OPTIONAL qualifier indicates that the value of a -component is optional and need not be present in the -sequence. The DEFAULT qualifier also indicates that the -value of a component is optional, and assigns a default -value to the component when the component is absent. - -The types of any consecutive series of components with the -OPTIONAL or DEFAULT qualifier, as well as of any component -immediately following that series, must have distinct tags. -This requirement is typically satisfied with explicit or -implicit tagging on some of the components. 
- -Example: X.509's Validity type is a SEQUENCE type with two -components: - -Validity ::= SEQUENCE { - start UTCTime, - end UTCTime } - -Here the identifiers for the components are start and end, -and the types of the components are both UTCTime. - -BER encoding. Constructed. Contents octets are the -concatenation of the BER encodings of the values of the -components of the sequence, in order of definition, with the -following rules for components with the OPTIONAL and DEFAULT -qualifiers: - - o if the value of a component with the OPTIONAL or - DEFAULT qualifier is absent from the sequence, - then the encoding of that component is not - included in the contents octets - - o if the value of a component with the DEFAULT - qualifier is the default value, then the encoding - of that component may or may not be included in - the contents octets - -DER encoding. Constructed. Contents octets are the same as -the BER encoding, except that if the value of a component -with the DEFAULT qualifier is the default value, the -encoding of that component is not included in the contents -octets. - - -5.13 SEQUENCE OF - -The SEQUENCE OF type denotes an ordered collection of zero -or more occurrences of a given type. - -The SEQUENCE OF type is used in X.501 distinguished names. - -ASN.1 notation: - -SEQUENCE OF Type - -where Type is a type. - -Example: X.501's RDNSequence type consists of zero or more -occurences of the RelativeDistinguishedName type, most -significant occurrence first: - -RDNSequence ::= SEQUENCE OF RelativeDistinguishedName - -BER encoding. Constructed. Contents octets are the -concatenation of the BER encodings of the values of the -occurrences in the collection, in order of occurence. - -DER encoding. Constructed. Contents octets are the -concatenation of the DER encodings of the values of the -occurrences in the collection, in order of occurence. - - -5.14 SET - -The SET type denotes an unordered collection of one or more -types. 
- -The SET type is not used in PKCS. - -ASN.1 notation: - -SET { - [identifier1] Type1 [{OPTIONAL | DEFAULT value1}], - ..., - [identifiern] Typen [{OPTIONAL | DEFAULT valuen}]} - -where identifier1, ..., identifiern are optional, distinct -identifiers for the components, Type1, ..., Typen are the -types of the components, and value1, ..., valuen are -optional default values for the components. The identifiers -are primarily for documentation; they do not affect values -of the type or their encodings in any way. - -The OPTIONAL qualifier indicates that the value of a -component is optional and need not be present in the set. -The DEFAULT qualifier also indicates that the value of a -component is optional, and assigns a default value to the -component when the component is absent. - -The types must have distinct tags. This requirement is -typically satisfied with explicit or implicit tagging on -some of the components. - -BER encoding. Constructed. Contents octets are the -concatenation of the BER encodings of the values of the -components of the set, in any order, with the following -rules for components with the OPTIONAL and DEFAULT -qualifiers: - - o if the value of a component with the OPTIONAL or - DEFAULT qualifier is absent from the set, then the - encoding of that component is not included in the - contents octets - - o if the value of a component with the DEFAULT - qualifier is the default value, then the encoding - of that component may or may not be included in - the contents octets - -DER encoding. Constructed. Contents octets are the same as -for the BER encoding, except that: - - 1. If the value of a component with the DEFAULT - qualifier is the default value, the encoding of - that component is not included. - - 2. There is an order to the components, namely - ascending order by tag. - - -5.15 SET OF - -The SET OF type denotes an unordered collection of zero or -more occurrences of a given type. 
- -The SET OF type is used for sets of attributes in PKCS #6, -#7, #8, #9 and #10, for sets of message-digest algorithm -identifiers, signer information, and recipient information -in PKCS #7, and in X.501 distinguished names. - -ASN.1 notation: - -SET OF Type - -where Type is a type. - -Example: X.501's RelativeDistinguishedName type consists of -zero or more occurrences of the AttributeValueAssertion -type, where the order is unimportant: - -RelativeDistinguishedName ::= - SET OF AttributeValueAssertion - -BER encoding. Constructed. Contents octets are the -concatenation of the BER encodings of the values of the -occurrences in the collection, in any order. - -DER encoding. Constructed. Contents octets are the same as -for the BER encoding, except that there is an order, namely -ascending lexicographic order of BER encoding. Lexicographic -comparison of two different BER encodings is done as -follows: Logically pad the shorter BER encoding after the -last octet with dummy octets that are smaller in value than -any normal octet. Scan the BER encodings from left to right -until a difference is found. The smaller-valued BER encoding -is the one with the smaller-valued octet at the point of -difference. - - -5.16 T61String - -The T61String type denotes an arbtrary string of T.61 -characters. T.61 is an eight-bit extension to the ASCII -character set. Special "escape" sequences specify the -interpretation of subsequent character values as, for -example, Japanese; the initial interpretation is Latin. The -character set includes non-printing control characters. The -T61String type allows only the Latin and Japanese character -interepretations, and implementors' agreements for directory -names exclude control characters [NIST92]. A T61String value -can have any length, including zero. This type is a string -type. - -The T61String type is used in PKCS #9's unstructured-address -and challenge-password attributes, and in several X.521 -attributes. 
- -ASN.1 notation: - -T61String - -BER encoding. Primitive or constructed. In a primitive -encoding, the contents octets give the characters in the -T.61 string, encoded in ASCII. In a constructed encoding, -the contents octets give the concatenation of the BER -encodings of consecutive substrings of the T.61 string. - -Example: The BER encoding of the T61String value "cl'es -publiques" (French for "public keys") can be any of the -following, among others, depending on the form of length -octets and whether the encoding is primitive or constructed: - -14 0f DER encoding - 63 6c c2 65 73 20 70 75 62 6c 69 71 75 65 73 - -14 81 0f long form of length octets - 63 6c c2 65 73 20 70 75 62 6c 69 71 75 65 73 - -34 15 constructed encoding: "cl'es" + " " + "publiques" - 14 05 63 6c c2 65 73 - 14 01 20 - 14 09 70 75 62 6c 69 71 75 65 73 - -The eight-bit character c2 is a T.61 prefix that adds an -acute accent (') to the next character. - -DER encoding. Primitive. Contents octets are as for a -primitive BER encoding. - -Example: The DER encoding of the T61String value "cl'es -publiques" is - -14 0f 63 6c c2 65 73 20 70 75 62 6c 69 71 75 65 73 - - -5.17 UTCTime - -The UTCTime type denotes a "coordinated universal time" or -Greenwich Mean Time (GMT) value. A UTCTime value includes -the local time precise to either minutes or seconds, and an -offset from GMT in hours and minutes. 
It takes any of the -following forms: - -YYMMDDhhmmZ -YYMMDDhhmm+hh'mm' -YYMMDDhhmm-hh'mm' -YYMMDDhhmmssZ -YYMMDDhhmmss+hh'mm' -YYMMDDhhmmss-hh'mm' - -where: - - YY is the least significant two digits of the year - - MM is the month (01 to 12) - - DD is the day (01 to 31) - - hh is the hour (00 to 23) - - mm are the minutes (00 to 59) - - ss are the seconds (00 to 59) - - Z indicates that local time is GMT, + indicates that - local time is later than GMT, and - indicates that - local time is earlier than GMT - - hh' is the absolute value of the offset from GMT in - hours - - mm' is the absolute value of the offset from GMT in - minutes - -This type is a string type. - -The UTCTime type is used for signing times in PKCS #9's -signing-time attribute and for certificate validity periods -in X.509's Validity type. - -ASN.1 notation: - -UTCTime - -BER encoding. Primitive or constructed. In a primitive -encoding, the contents octets give the characters in the -string, encoded in ASCII. In a constructed encoding, the -contents octets give the concatenation of the BER encodings -of consecutive substrings of the string. (The constructed -encoding is not particularly interesting, since UTCTime -values are so short, but the constructed encoding is -permitted.) - -Example: The time this sentence was originally written was -4:45:40 p.m. Pacific Daylight Time on May 6, 1991, which can -be represented with either of the following UTCTime values, -among others: - -"910506164540-0700" - -"910506234540Z" - -These values have the following BER encodings, among others: - -17 0d 39 31 30 35 30 36 32 33 34 35 34 30 5a - -17 11 39 31 30 35 30 36 31 36 34 35 34 30 2D 30 37 30 - 30 - -DER encoding. Primitive. Contents octets are as for a -primitive BER encoding. - - -6. An example - -This section gives an example of ASN.1 notation and DER -encoding: the X.501 type Name. - - -6.1 Abstract notation - -This section gives the ASN.1 notation for the X.501 type -Name. 
- -Name ::= CHOICE { - RDNSequence } - -RDNSequence ::= SEQUENCE OF RelativeDistinguishedName - -RelativeDistinguishedName ::= - SET OF AttributeValueAssertion - -AttributeValueAssertion ::= SEQUENCE { - AttributeType, - AttributeValue } - -AttributeType ::= OBJECT IDENTIFIER - -AttributeValue ::= ANY - -The Name type identifies an object in an X.500 directory. -Name is a CHOICE type consisting of one alternative: -RDNSequence. (Future revisions of X.500 may have other -alternatives.) - -The RDNSequence type gives a path through an X.500 directory -tree starting at the root. RDNSequence is a SEQUENCE OF type -consisting of zero or more occurences of -RelativeDistinguishedName. - -The RelativeDistinguishedName type gives a unique name to an -object relative to the object superior to it in the -directory tree. RelativeDistinguishedName is a SET OF type -consisting of zero or more occurrences of -AttributeValueAssertion. - -The AttributeValueAssertion type assigns a value to some -attribute of a relative distinguished name, such as country -name or common name. AttributeValueAssertion is a SEQUENCE -type consisting of two components, an AttributeType type and -an AttributeValue type. - -The AttributeType type identifies an attribute by object -identifier. The AttributeValue type gives an arbitrary -attribute value. The actual type of the attribute value is -determined by the attribute type. - - -6.2 DER encoding - -This section gives an example of a DER encoding of a value -of type Name, working from the bottom up. - -The name is that of the Test User 1 from the PKCS examples -[Kal93]. The name is represented by the following path: - - (root) - | - countryName = "US" - | - organizationName = "Example Organization" - | - commonName = "Test User 1" - -Each level corresponds to one RelativeDistinguishedName -value, each of which happens for this name to consist of one -AttributeValueAssertion value. 
The AttributeType value is -before the equals sign, and the AttributeValue value (a -printable string for the given attribute types) is after the -equals sign. - -The countryName, organizationName, and commonUnitName are -attribute types defined in X.520 as: - -attributeType OBJECT IDENTIFIER ::= - { joint-iso-ccitt(2) ds(5) 4 } - -countryName OBJECT IDENTIFIER ::= { attributeType 6 } -organizationName OBJECT IDENTIFIER ::= - { attributeType 10 } -commonUnitName OBJECT IDENTIFIER ::= - { attributeType 3 } - - -6.2.1 AttributeType - -The three AttributeType values are OCTET STRING values, so -their DER encoding follows the primitive, definite-length -method: - -06 03 55 04 06 countryName - -06 03 55 04 0a organizationName - -06 03 55 04 03 commonName - -The identifier octets follow the low-tag form, since the tag -is 6 for OBJECT IDENTIFIER. Bits 8 and 7 have value "0," -indicating universal class, and bit 6 has value "0," -indicating that the encoding is primitive. The length octets -follow the short form. The contents octets are the -concatenation of three octet strings derived from -subidentifiers (in decimal): 40 * 2 + 5 = 85 = 5516; 4; and -6, 10, or 3. - - -6.2.2 AttributeValue - -The three AttributeValue values are PrintableString values, -so their encodings follow the primitive, definite-length -method: - -13 02 55 53 "US" - -13 14 "Example Organization" - 45 78 61 6d 70 6c 65 20 4f 72 67 61 6e 69 7a 61 - 74 69 6f 6e - -13 0b "Test User 1" - 54 65 73 74 20 55 73 65 72 20 31 - -The identifier octets follow the low-tag-number form, since -the tag for PrintableString, 19 (decimal), is between 0 and -30. Bits 8 and 7 have value "0" since PrintableString is in -the universal class. Bit 6 has value "0" since the encoding -is primitive. The length octets follow the short form, and -the contents octets are the ASCII representation of the -attribute value. 
- - -6.2.3 AttributeValueAssertion - -The three AttributeValueAssertion values are SEQUENCE -values, so their DER encodings follow the constructed, -definite-length method: - -30 09 countryName = "US" - 06 03 55 04 06 - 13 02 55 53 - -30 1b organizationName = "Example Organizaiton" - 06 03 55 04 0a - 13 14 ... 6f 6e - -30 12 commonName = "Test User 1" - 06 03 55 04 0b - 13 0b ... 20 31 - -The identifier octets follow the low-tag-number form, since -the tag for SEQUENCE, 16 (decimal), is between 0 and 30. -Bits 8 and 7 have value "0" since SEQUENCE is in the -universal class. Bit 6 has value "1" since the encoding is -constructed. The length octets follow the short form, and -the contents octets are the concatenation of the DER -encodings of the attributeType and attributeValue -components. - - -6.2.4 RelativeDistinguishedName - -The three RelativeDistinguishedName values are SET OF -values, so their DER encodings follow the constructed, -definite-length method: - -31 0b - 30 09 ... 55 53 - -31 1d - 30 1b ... 6f 6e - -31 14 - 30 12 ... 20 31 - -The identifier octets follow the low-tag-number form, since -the tag for SET OF, 17 (decimal), is between 0 and 30. Bits -8 and 7 have value "0" since SET OF is in the universal -class Bit 6 has value "1" since the encoding is constructed. -The lengths octets follow the short form, and the contents -octets are the DER encodings of the respective -AttributeValueAssertion values, since there is only one -value in each set. - - -6.2.5 RDNSequence - -The RDNSequence value is a SEQUENCE OF value, so its DER -encoding follows the constructed, definite-length method: - -30 42 - 31 0b ... 55 53 - 31 1d ... 6f 6e - 31 14 ... 20 31 - -The identifier octets follow the low-tag-number form, since -the tag for SEQUENCE OF, 16 (decimal), is between 0 and 30. -Bits 8 and 7 have value "0" since SEQUENCE OF is in the -universal class. Bit 6 has value "1" since the encoding is -constructed. 
The lengths octets follow the short form, and -the contents octets are the concatenation of the DER -encodings of the three RelativeDistinguishedName values, in -order of occurrence. - - -6.2.6 Name - -The Name value is a CHOICE value, so its DER encoding is the -same as that of the RDNSequence value: - -30 42 - 31 0b - 30 09 - 06 03 55 04 06 attributeType = countryName - 13 02 55 53 attributeValue = "US" - 31 1d - 30 1b - 06 03 55 04 0a attributeType = organizationName - 13 14 attributeValue = "Example Organization" - 45 78 61 6d 70 6c 65 20 4f 72 67 61 6e 69 7a 61 - 74 69 6f 6e - - 31 14 - 30 12 - 06 03 55 04 03 attributeType = commonName - 13 0b attributeValue = "Test User 1" - 54 65 73 74 20 55 73 65 72 20 31 - - -References - -PKCS #1 RSA Laboratories. PKCS #1: RSA Encryption - Standard. Version 1.5, November 1993. - -PKCS #3 RSA Laboratories. PKCS #3: Diffie-Hellman Key- - Agreement Standard. Version 1.4, November 1993. - -PKCS #5 RSA Laboratories. PKCS #5: Password-Based - Encryption Standard. Version 1.5, November 1993. - -PKCS #6 RSA Laboratories. PKCS #6: Extended-Certificate - Syntax Standard. Version 1.5, November 1993. - -PKCS #7 RSA Laboratories. PKCS #7: Cryptographic Message - Syntax Standard. Version 1.5, November 1993. - -PKCS #8 RSA Laboratories. PKCS #8: Private-Key Information - Syntax Standard. Version 1.2, November 1993. - -PKCS #9 RSA Laboratories. PKCS #9: Selected Attribute - Types. Version 1.1, November 1993. - -PKCS #10 RSA Laboratories. PKCS #10: Certification Request - Syntax Standard. Version 1.0, November 1993. - -X.200 CCITT. Recommendation X.200: Reference Model of - Open Systems Interconnection for CCITT - Applications. 1984. - -X.208 CCITT. Recommendation X.208: Specification of - Abstract Syntax Notation One (ASN.1). 1988. - -X.209 CCITT. Recommendation X.209: Specification of - Basic Encoding Rules for Abstract Syntax Notation - One (ASN.1). 1988. - -X.500 CCITT. 
Recommendation X.500: The - Directory--Overview of Concepts, Models and - Services. 1988. - -X.501 CCITT. Recommendation X.501: The Directory-- - Models. 1988. - -X.509 CCITT. Recommendation X.509: The Directory-- - Authentication Framework. 1988. - -X.520 CCITT. Recommendation X.520: The Directory-- - Selected Attribute Types. 1988. - -[Kal93] Burton S. Kaliski Jr. Some Examples of the PKCS - Standards. RSA Laboratories, November 1993. - -[NIST92] NIST. Special Publication 500-202: Stable - Implementation Agreements for Open Systems - Interconnection Protocols. Part 11 (Directory - Services Protocols). December 1992. - - -Revision history - - -June 3, 1991 version - -The June 3, 1991 version is part of the initial public -release of PKCS. It was published as NIST/OSI Implementors' -Workshop document SEC-SIG-91-17. - - -November 1, 1993 version - -The November 1, 1993 version incorporates several editorial -changes, including the addition of a revision history. It is -updated to be consistent with the following versions of the -PKCS documents: - - PKCS #1: RSA Encryption Standard. Version 1.5, November - 1993. - - PKCS #3: Diffie-Hellman Key-Agreement Standard. Version - 1.4, November 1993. - - PKCS #5: Password-Based Encryption Standard. Version - 1.5, November 1993. - - PKCS #6: Extended-Certificate Syntax Standard. Version - 1.5, November 1993. - - PKCS #7: Cryptographic Message Syntax Standard. Version - 1.5, November 1993. - - PKCS #8: Private-Key Information Syntax Standard. - Version 1.2, November 1993. - - PKCS #9: Selected Attribute Types. Version 1.1, - November 1993. - - PKCS #10: Certification Request Syntax Standard. - Version 1.0, November 1993. - -The following substantive changes were made: - - Section 5: Description of T61String type is added. - - Section 6: Names are changed, consistent with other - PKCS examples. - - -Author's address - -Burton S. Kaliski Jr., Ph.D. 
-Chief Scientist
-RSA Laboratories (415) 595-7703
-100 Marine Parkway (415) 595-4126 (fax)
-Redwood City, CA 94065 USA burt@rsa.com
diff --git a/crypto/heimdal-0.6.3/doc/mdate-sh b/crypto/heimdal-0.6.3/doc/mdate-sh
deleted file mode 100644
index 37171f21fb..0000000000
--- a/crypto/heimdal-0.6.3/doc/mdate-sh
+++ /dev/null
@@ -1,92 +0,0 @@
-#!/bin/sh
-# Get modification time of a file or directory and pretty-print it.
-# Copyright (C) 1995, 1996, 1997 Free Software Foundation, Inc.
-# written by Ulrich Drepper , June 1995
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2, or (at your option)
-# any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software Foundation,
-# Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-
-# Prevent date giving response in another language.
-LANG=C
-export LANG
-LC_ALL=C
-export LC_ALL
-LC_TIME=C
-export LC_TIME
-
-# Get the extended ls output of the file or directory.
-# On HPUX /bin/sh, "set" interprets "-rw-r--r--" as options, so the "x" below.
-if ls -L /dev/null 1>/dev/null 2>&1; then
- set - x`ls -L -l -d $1`
-else
- set - x`ls -l -d $1`
-fi
-# The month is at least the fourth argument
-# (3 shifts here, the next inside the loop).
-shift
-shift
-shift
-
-# Find the month. Next argument is day, followed by the year or time.
-month=
-until test $month
-do
- shift
- case $1 in
- Jan) month=January; nummonth=1;;
- Feb) month=February; nummonth=2;;
- Mar) month=March; nummonth=3;;
- Apr) month=April; nummonth=4;;
- May) month=May; nummonth=5;;
- Jun) month=June; nummonth=6;;
- Jul) month=July; nummonth=7;;
- Aug) month=August; nummonth=8;;
- Sep) month=September; nummonth=9;;
- Oct) month=October; nummonth=10;;
- Nov) month=November; nummonth=11;;
- Dec) month=December; nummonth=12;;
- esac
-done
-
-day=$2
-
-# Here we have to deal with the problem that the ls output gives either
-# the time of day or the year.
-case $3 in
- *:*) set `date`; eval year=\$$#
- case $2 in
- Jan) nummonthtod=1;;
- Feb) nummonthtod=2;;
- Mar) nummonthtod=3;;
- Apr) nummonthtod=4;;
- May) nummonthtod=5;;
- Jun) nummonthtod=6;;
- Jul) nummonthtod=7;;
- Aug) nummonthtod=8;;
- Sep) nummonthtod=9;;
- Oct) nummonthtod=10;;
- Nov) nummonthtod=11;;
- Dec) nummonthtod=12;;
- esac
- # For the first six month of the year the time notation can also
- # be used for files modified in the last year.
- if (expr $nummonth \> $nummonthtod) > /dev/null;
- then
- year=`expr $year - 1`
- fi;;
- *) year=$3;;
-esac
-
-# The result.
-echo $day $month $year
diff --git a/crypto/heimdal-0.6.3/doc/migration.texi b/crypto/heimdal-0.6.3/doc/migration.texi
deleted file mode 100644
index 67b843ae75..0000000000
--- a/crypto/heimdal-0.6.3/doc/migration.texi
+++ /dev/null
@@ -1,43 +0,0 @@
-@c $Id: migration.texi,v 1.3 2001/02/24 05:09:24 assar Exp $
-
-@node Migration, Acknowledgments, Programming with Kerberos, Top
-@chapter Migration
-
-@section General issues
-
-When migrating from a Kerberos 4 KDC.
-
-@section Order in what to do things:
-
-@itemize @bullet
-
-@item Convert the database, check all principals that hprop complains
-about.
-
-@samp{hprop -n --source=| hpropd -n}
-
-Replace with whatever source you have, like krb4-db or krb4-dump.
-
-@item Run a Kerberos 5 slave for a while.
-
-@c XXX Add you slave first to your kdc list in you kdc.
-
-@item Figure out if it does everything you want it to.
-
-Make sure that all things that you use works for you.
-
-@item Let a small number of controlled users use Kerberos 5 tools.
-
-Find a sample population of your users and check what programs they use,
-you can also check the kdc-log to check what ticket are checked out.
-
-@item Burn the bridge and change the master.
-@item Let all users use the Kerberos 5 tools by default.
-@item Turn off services that do not need Kerberos 4 authentication.
-
-Things that might be hard to get away is old programs with support for
-Kerberos 4. Example applications are old Eudora installations using
-KPOP, and Zephyr. Eudora can use the Kerberos 4 kerberos in the Heimdal
-kdc.
-
-@end itemize
diff --git a/crypto/heimdal-0.6.3/doc/misc.texi b/crypto/heimdal-0.6.3/doc/misc.texi
deleted file mode 100644
index 83c2a4ad8b..0000000000
--- a/crypto/heimdal-0.6.3/doc/misc.texi
+++ /dev/null
@@ -1,126 +0,0 @@
-@c $Id: misc.texi,v 1.13 2003/03/30 21:30:59 lha Exp $
-
-@node Things in search for a better place, Kerberos 4 issues, Setting up a realm, Top
-@chapter Things in search for a better place
-
-@section Making things work on Ciscos
-
-Modern versions of Cisco IOS has some support for authenticating via
-Kerberos 5. This can be used both by having the router get a ticket when
-you login (boring), and by using Kerberos authenticated telnet to access
-your router (less boring). The following has been tested on IOS
-11.2(12), things might be different with other versions. Old versions
-are known to have bugs.
-
-To make this work, you will first have to configure your router to use
-Kerberos (this is explained in the documentation). A sample
-configuration looks like the following:
-
-@example
-aaa new-model
-aaa authentication login default krb5-telnet krb5 enable
-aaa authorization exec krb5-instance
-kerberos local-realm FOO.SE
-kerberos srvtab entry host/router.foo.se 0 891725446 4 1 8 012345678901234567
-kerberos server FOO.SE 10.0.0.1
-kerberos instance map admin 15
-@end example
-
-This tells you (among other things) that when logging in, the router
-should try to authenticate with kerberised telnet, and if that fails try
-to verify a plain text password via a Kerberos ticket exchange (as
-opposed to a local database, RADIUS or something similar), and if that
-fails try the local enable password. If you're not careful when you
-specify the `login default' authentication mechanism, you might not be
-able to login at all. The `instance map' and `authorization exec' lines
-says that people with `admin' instances should be given `enabled' shells
-when logging in.
-
-The numbers after the principal on the `srvtab' line are principal type,
-time stamp (in seconds since 1970), key version number (4), keytype (1 ==
-des), key length (always 8 with des), and then the key.
-
-To make the Heimdal KDC produce tickets that the Cisco can decode you
-might have to turn on the @samp{encode_as_rep_as_tgs_rep} flag in the
-KDC. You will also have to specify that the router can't handle anything
-but @samp{des-cbc-crc}. This can be done with the @samp{del_enctype}
-command of @samp{kadmin}.
-
-This all fine and so, but unless you have an IOS version with encryption
-(available only in the U.S) it doesn't really solve any problems. Sure
-you don't have to send your password over the wire, but since the telnet
-connection isn't protected it's still possible for someone to steal your
-session. This won't be fixed until someone adds integrity to the telnet
-protocol.
-
-A working solution would be to hook up a machine with a real operating
-system to the console of the Cisco and then use it as a backwards
-terminal server.
-
-@section Making things work on Transarc/OpenAFS AFS
-
-@subsection How to get a KeyFile
-
-@file{ktutil -k AFSKEYFILE:KeyFile get afs@@MY.REALM}
-
-or you can extract it with kadmin
-
-@example
-kadmin> ext -k AFSKEYFILE:/usr/afs/etc/KeyFile afs@@My.CELL.NAME
-@end example
-
-You have to make sure you have a @code{des-cbc-md5} encryption type since that
-is the key that will be converted.
-
-@subsection How to convert a srvtab to a KeyFile
-
-You need a @file{/usr/vice/etc/ThisCell} containing the cellname of you
-AFS-cell.
-
-@file{ktutil copy krb4:/root/afs-srvtab AFSKEYFILE:/usr/afs/etc/KeyFile}.
-
-If keyfile already exists, this will add the new key in afs-srvtab to
-KeyFile.
-
-@section Using 2b tokens with AFS
-
-@subsection What is 2b ?
-
-2b is the name of the proposal that was implemented to give basic
-Kerberos 5 support to AFS in rxkad. Its not real Kerberos 5 support
-since it still uses fcrypt for data encryption and not Kerberos
-encryption types.
-
-Its only possible (in all cases) to do this for DES encryption types because
-only then the token (the AFS equivalent of a ticket) will be be smaller
-than the maximum size that can fit in the token cache in
-OpenAFS/Transarc client. Its so tight fit that some extra wrapping on the ASN1/DER encoding is removed from the Kerberos ticket.
-
-2b uses a Kerberos 5 EncTicketPart instead of a Kerberos 4 ditto for
-the part of the ticket that is encrypted with the service's key. The
-client doesn't know what's inside the encrypted data so to the client it doesn't matter.
-
-To differentiate between Kerberos 4 tickets and Kerberos 5 tickets 2b
-uses a special kvno, 213 for 2b tokens and 255 for Kerberos 5 tokens.
-
-Its a requirement that all AFS servers that support 2b also support
-native Kerberos 5 in rxkad.
-
-@subsection Configuring Heimdal to use 2b tokens
-
-Support for 2b tokens are turned on for specific principals by adding
-them to the string list option @code{[kdc]use_2b} in the kdc's
-@file{krb5.conf} file.
-
-@example
-[kdc]
- use_2b = @{
- afs@@SU.SE = yes
- afs/it.su.se@@SU.SE = yes
- @}
-@end example
-
-@subsection Configuring AFS clients
-
-There is no need to configure AFS clients. The only software that
-needs to be installed/upgrade is a Kerberos 5 enabled @file{afslog}.
diff --git a/crypto/heimdal-0.6.3/doc/programming.texi b/crypto/heimdal-0.6.3/doc/programming.texi
deleted file mode 100644
index 63f07150fd..0000000000
--- a/crypto/heimdal-0.6.3/doc/programming.texi
+++ /dev/null
@@ -1,287 +0,0 @@
-@c $Id: programming.texi,v 1.2.8.1 2003/04/24 11:55:45 lha Exp $
-
-@node Programming with Kerberos
-@chapter Programming with Kerberos
-
-First you need to know how the Kerberos model works, go read the
-introduction text (@pxref{What is Kerberos?}).
-
-@macro manpage{man, section}
-@cite{\man\(\section\)}
-@end macro
-
-@menu
-* Kerberos 5 API Overview::
-* Walkthru a sample Kerberos 5 client::
-* Validating a password in a server application::
-@end menu
-
-@node Kerberos 5 API Overview, Walkthru a sample Kerberos 5 client, Programming with Kerberos, Programming with Kerberos
-@section Kerberos 5 API Overview
-
-Most functions are documenteded in manual pages. This overview only
-tries to point to where to look for a specific function.
-
-@subsection Kerberos context
-
-A kerberos context (@code{krb5_context}) holds all per thread state. All global variables that
-are context specific are stored in this struture, including default
-encryption types, credential-cache (ticket file), and default realms.
-
-See the manual pages for @manpage{krb5_context,3} and
-@manpage{krb5_init_context,3}.
-
-@subsection Kerberos authenication context
-
-Kerberos authentication context (@code{krb5_auth_context}) holds all
-context related to an authenticated connection, in a similar way to the
-kerberos context that holds the context for the thread or process.
-
-The @code{krb5_auth_context} is used by various functions that are
-directly related to authentication between the server/client. Example of
-data that this structure contains are various flags, addresses of client
-and server, port numbers, keyblocks (and subkeys), sequence numbers,
-replay cache, and checksum types.
-
-See the manual page for @manpage{krb5_auth_context,3}.
-
-@subsection Keytab management
-
-A keytab is a storage for locally stored keys. Heimdal includes keytab
-support for Kerberos 5 keytabs, Kerberos 4 srvtab, AFS-KeyFile's,
-and for storing keys in memory.
-
-See also manual page for @manpage{krb5_keytab,3}
-
-@node Walkthru a sample Kerberos 5 client, Validating a password in a server application, Kerberos 5 API Overview, Programming with Kerberos
-@section Walkthru a sample Kerberos 5 client
-
-This example contains parts of a sample TCP Kerberos 5 clients, if you
-want a real working client, please look in @file{appl/test} directory in
-the Heimdal distribution.
-
-All Kerberos error-codes that are returned from kerberos functions in
-this program are passed to @code{krb5_err}, that will print a
-descriptive text of the error code and exit. Graphical programs can
-convert error-code to a humal readable error-string with the
-@manpage{krb5_get_err_text,3} function.
-
-Note that you should not use any Kerberos function before
-@code{krb5_init_context()} have completed successfully. That is the
-reson @code{err()} is used when @code{krb5_init_context()} fails.
-
-First the client needs to call @code{krb5_init_context} to initialize
-the Kerberos 5 library. This is only needed once per thread
-in the program. If the function returns a non-zero value it indicates
-that either the Kerberos implemtation is failing or its disabled on
-this host.
-
-@example
-#include
-
-int
-main(int argc, char **argv)
-@{
- krb5_context context;
-
- if (krb5_context(&context))
- errx (1, "krb5_context");
-@end example
-
-Now the client wants to connect to the host at the other end. The
-preferred way of doing this is using @manpage{getaddrinfo,3} (for
-operating system that have this function implemented), since getaddrinfo
-is neutral to the address type and can use any protocol that is available.
-
-@example
- struct addrinfo *ai, *a;
- struct addrinfo hints;
- int error;
-
- memset (&hints, 0, sizeof(hints));
- hints.ai_socktype = SOCK_STREAM;
- hints.ai_protocol = IPPROTO_TCP;
-
- error = getaddrinfo (hostname, "pop3", &hints, &ai);
- if (error)
- errx (1, "%s: %s", hostname, gai_strerror(error));
-
- for (a = ai; a != NULL; a = a->ai_next) @{
- int s;
-
- s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
- if (s < 0)
- continue;
- if (connect (s, a->ai_addr, a->ai_addrlen) < 0) @{
- warn ("connect(%s)", hostname);
- close (s);
- continue;
- @}
- freeaddrinfo (ai);
- ai = NULL;
- @}
- if (ai) @{
- freeaddrinfo (ai);
- errx ("failed to contact %s", hostname);
- @}
-@end example
-
-Before authenticating, an authentication context needs to be
-created. This context keeps all information for one (to be) authenticated
-connection (see @manpage{krb5_auth_context,3}).
-
-@example
- status = krb5_auth_con_init (context, &auth_context);
- if (status)
- krb5_err (context, 1, status, "krb5_auth_con_init");
-@end example
-
-For setting the address in the authentication there is a help function
-@code{krb5_auth_con_setaddrs_from_fd} that does everthing that is needed
-when given a connected file descriptor to the socket.
-
-@example
- status = krb5_auth_con_setaddrs_from_fd (context,
- auth_context,
- &sock);
- if (status)
- krb5_err (context, 1, status,
- "krb5_auth_con_setaddrs_from_fd");
-@end example
-
-The next step is to build a server principal for the service we want
-to connect to. (See also @manpage{krb5_sname_to_principal,3}.)
-
-@example
- status = krb5_sname_to_principal (context,
- hostname,
- service,
- KRB5_NT_SRV_HST,
- &server);
- if (status)
- krb5_err (context, 1, status, "krb5_sname_to_principal");
-@end example
-
-The client principal is not passed to @manpage{krb5_sendauth,3}
-function, this causes the @code{krb5_sendauth} function to try to figure it
-out itself.
-
-The server program is using the function @manpage{krb5_recvauth,3} to
-receive the Kerberos 5 authenticator.
-
-In this case, mutual authenication will be tried. That means that the server
-will authenticate to the client. Using mutual authenication
-is good since it enables the user to verify that they are talking to the
-right server (a server that knows the key).
-
-If you are using a non-blocking socket you will need to do all work of
-@code{krb5_sendauth} yourself. Basically you need to send over the
-authenticator from @manpage{krb5_mk_req,3} and, in case of mutual
-authentication, verifying the result from the server with
-@manpage{krb5_rd_rep,3}.
-
-@example
- status = krb5_sendauth (context,
- &auth_context,
- &sock,
- VERSION,
- NULL,
- server,
- AP_OPTS_MUTUAL_REQUIRED,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL);
- if (status)
- krb5_err (context, 1, status, "krb5_sendauth");
-@end example
-
-Once authentication has been performed, it is time to send some
-data. First we create a krb5_data structure, then we sign it with
-@manpage{krb5_mk_safe,3} using the @code{auth_context} that contains the
-session-key that was exchanged in the
-@manpage{krb5_sendauth,3}/@manpage{krb5_recvauth,3} authentication
-sequence.
-
-@example
- data.data = "hej";
- data.length = 3;
-
- krb5_data_zero (&packet);
-
- status = krb5_mk_safe (context,
- auth_context,
- &data,
- &packet,
- NULL);
- if (status)
- krb5_err (context, 1, status, "krb5_mk_safe");
-@end example
-
-And send it over the network.
-
-@example
- len = packet.length;
- net_len = htonl(len);
-
- if (krb5_net_write (context, &sock, &net_len, 4) != 4)
- err (1, "krb5_net_write");
- if (krb5_net_write (context, &sock, packet.data, len) != len)
- err (1, "krb5_net_write");
-@end example
-
-To send encrypted (and signed) data @manpage{krb5_mk_priv,3} should be
-used instead. @manpage{krb5_mk_priv,3} works the same way as
-@manpage{krb5_mk_safe,3}, with the exception that it encrypts the data
-in addition to signing it.
-
-@example
- data.data = "hemligt";
- data.length = 7;
-
- krb5_data_free (&packet);
-
- status = krb5_mk_priv (context,
- auth_context,
- &data,
- &packet,
- NULL);
- if (status)
- krb5_err (context, 1, status, "krb5_mk_priv");
-@end example
-
-And send it over the network.
-
-@example
- len = packet.length;
- net_len = htonl(len);
-
- if (krb5_net_write (context, &sock, &net_len, 4) != 4)
- err (1, "krb5_net_write");
- if (krb5_net_write (context, &sock, packet.data, len) != len)
- err (1, "krb5_net_write");
-
-@end example
-
-The server is using @manpage{krb5_rd_safe,3} and
-@manpage{krb5_rd_priv,3} to verify the signature and decrypt the packet.
-
-@node Validating a password in a server application, , Walkthru a sample Kerberos 5 client, Programming with Kerberos
-@section Validating a password in an application
-
-See the manual page for @manpage{krb5_verify_user,3}.
-
-@c @node Why you should use GSS-API for new applications, Walkthru a sample GSS-API client, Validating a password in a server application, Programming with Kerberos
-@c @section Why you should use GSS-API for new applications
-@c
-@c SSPI, bah, bah, microsoft, bah, bah, almost GSS-API.
-@c
-@c It would also be possible for other mechanisms then Kerberos, but that
-@c doesn't exist any other GSS-API implementations today.
-@c
-@c @node Walkthru a sample GSS-API client, , Why you should use GSS-API for new applications, Programming with Kerberos
-@c @section Walkthru a sample GSS-API client
-@c
-@c Write about how gssapi_clent.c works.
diff --git a/crypto/heimdal-0.6.3/doc/setup.texi b/crypto/heimdal-0.6.3/doc/setup.texi
deleted file mode 100644
index 55f321cba2..0000000000
--- a/crypto/heimdal-0.6.3/doc/setup.texi
+++ /dev/null
@@ -1,664 +0,0 @@ -@c $Id: setup.texi,v 1.27.2.2 2003/10/21 21:37:56 lha Exp $ - -@node Setting up a realm, Things in search for a better place, Building and Installing, Top - -@chapter Setting up a realm - -@menu -* Configuration file:: -* Creating the database:: -* keytabs:: -* Serving Kerberos 4/524/kaserver:: -* Remote administration:: -* Password changing:: -* Testing clients and servers:: -* Slave Servers:: -* Incremental propagation:: -* Salting:: -* Cross realm:: -* Transit policy:: -* Setting up DNS:: -@end menu - -A -@cindex realm -realm is an administrative domain. The name of a Kerberos realm is -usually the Internet domain name in uppercase. Call your realm the same -as your Internet domain name if you do not have strong reasons for not -doing so. It will make life easier for you and everyone else. - -@node Configuration file, Creating the database, Setting up a realm, Setting up a realm -@section Configuration file - -To setup a realm you will first have to create a configuration file: -@file{/etc/krb5.conf}. The @file{krb5.conf} file can contain many -configuration options, some of which are described here. - -There is a sample @file{krb5.conf} supplied with the distribution. - -The configuration file is a hierarchical structure consisting of -sections, each containing a list of bindings (either variable -assignments or subsections). A section starts with -@samp{[section-name]}. A binding consists of a left hand side, an equal -(@samp{=}) and a right hand side (the left hand side tag must be -separated from the equal with some whitespace.) Subsections has a -@samp{@{} as the first non-whitespace character after the equal. All -other bindings are treated as variable assignments. The value of a -variable extends to the end of the line. 
- -@example -[section1] - a-subsection = @{ - var = value1 - other-var = value with @{@} - sub-sub-section = @{ - var = 123 - @} - @} - var = some other value -[section2] - var = yet another value -@end example - -In this manual, names of sections and bindings will be given as strings -separated by slashes (@samp{/}). The @samp{other-var} variable will thus -be @samp{section1/a-subsection/other-var}. - -For in-depth information about the contents of the configuration file, refer to -the @file{krb5.conf} manual page. Some of the more important sections -are briefly described here. - -The @samp{libdefaults} section contains a list of library configuration -parameters, such as the default realm and the timeout for KDC -responses. The @samp{realms} section contains information about specific -realms, such as where they hide their KDC. This section serves the same -purpose as the Kerberos 4 @file{krb.conf} file, but can contain more -information. Finally the @samp{domain_realm} section contains a list of -mappings from domains to realms, equivalent to the Kerberos 4 -@file{krb.realms} file. - -To continue with the realm setup, you will have to create a configuration file, -with contents similar to the following. - -@example -[libdefaults] - default_realm = MY.REALM -[realms] - MY.REALM = @{ - kdc = my.kdc my.slave.kdc - kdc = my.third.kdc - @} -[domain_realm] - .my.domain = MY.REALM - -@end example - -If you use a realm name equal to your domain name, you can omit the -@samp{libdefaults}, and @samp{domain_realm}, sections. If you have a -SRV-record for your realm, or your Kerberos server has CNAME called -@samp{kerberos.my.realm}, you can omit the @samp{realms} section too. - -@node Creating the database, keytabs, Configuration file, Setting up a realm -@section Creating the database - -The database library will look for the database in the directory -@file{/var/heimdal}, so you should probably create that directory. 
-Make sure the directory have restrictive permissions. - -@example -# mkdir /var/heimdal -@end example - -The keys of all the principals are stored in the database. If you -choose to, these can be encrypted with a master key. You do not have to -remember this key (or password), but just to enter it once and it will -be stored in a file (@file{/var/heimdal/m-key}). If you want to have a -master key, run @samp{kstash} to create this master key: - -@example -# kstash -Master key: -Verifying password - Master key: -@end example - -To initialise the database use the @code{kadmin} program, with the -@samp{-l} option (to enable local database mode). First issue a -@kbd{init MY.REALM} command. This will create the database and insert -default principals for that realm. You can have more than one realm in -one database, so @samp{init} does not destroy any old database. - -Before creating the database, @samp{init} will ask you some questions -about max ticket lifetimes. - -After creating the database you should probably add yourself to it. You -do this with the @samp{add} command. It takes as argument the name of a -principal. The principal should contain a realm, so if you haven't setup -a default realm, you will need to explicitly include the realm. - -@example -# kadmin -l -kadmin> init MY.REALM -Realm max ticket life [unlimited]: -Realm max renewable ticket life [unlimited]: -kadmin> add me -Max ticket life [unlimited]: -Max renewable life [unlimited]: -Attributes []: -Password: -Verifying password - Password: -@end example - -Now start the KDC and try getting a ticket. - -@example -# kdc & -# kinit me -me@@MY.REALMS's Password: -# klist -Credentials cache: /tmp/krb5cc_0 - Principal: me@@MY.REALM - - Issued Expires Principal -Aug 25 07:25:55 Aug 25 17:25:55 krbtgt/MY.REALM@@MY.REALM -@end example - -If you are curious you can use the @samp{dump} command to list all the -entries in the database. 
It should look something similar to the -following example (note that the entries here are truncated for -typographical reasons): - -@smallexample -kadmin> dump -me@@MY.REALM 1:0:1:0b01d3cb7c293b57:-:0:7:8aec316b9d1629e3baf8 ... -kadmin/admin@@MY.REALM 1:0:1:e5c8a2675b37a443:-:0:7:cb913ebf85 ... -krbtgt/MY.REALM@@MY.REALM 1:0:1:52b53b61c875ce16:-:0:7:c8943be ... -kadmin/changepw@@MY.REALM 1:0:1:f48c8af2b340e9fb:-:0:7:e3e6088 ... -@end smallexample - -@node keytabs, Serving Kerberos 4/524/kaserver, Creating the database, Setting up a realm -@section keytabs - -To extract a service ticket from the database and put it in a keytab you -need to first create the principal in the database with @samp{ank} -(using the @kbd{--random-key} flag to get a random key) and then -extract it with @samp{ext_keytab}. - -@example -kadmin> add --random-key host/my.host.name -Max ticket life [unlimited]: -Max renewable life [unlimited]: -Attributes []: -kadmin> ext host/my.host.name -# ktutil list -Version Type Principal - 1 des-cbc-md5 host/my.host.name@@MY.REALM - 1 des-cbc-md4 host/my.host.name@@MY.REALM - 1 des-cbc-crc host/my.host.name@@MY.REALM - 1 des3-cbc-sha1 host/my.host.name@@MY.REALM -@end example - -@node Serving Kerberos 4/524/kaserver, Remote administration, keytabs, Setting up a realm -@section Serving Kerberos 4/524/kaserver - -Heimdal can be configured to support 524, Kerberos 4 or kaserver. All -theses services are default turned off. Kerberos 4 support also -depends on if Kerberos 4 support is compiled in with Heimdal. - -@subsection 524 - -524 is a service that allows the KDC to convert Kerberos 5 tickets to -Kerberos 4 tickets for backward compatibility. See also Using 2b -tokens with AFS in @xref{Things in search for a better place}. - -524 can be turned on by adding this to the configuration file - -@example -[kdc] - enable-524 = yes -@end example - -@subsection Kerberos 4 - -Kerberos 4 is the predecessor to to Kerberos 5. It only support single -DES. 
You should only enable Kerberos 4 support if you have a need for -for compatibility with an installed base of Kerberos 4 clients/servers. - -Kerberos 4 can be turned on by adding this to the configuration file - -@example -[kdc] - enable-kerberos4 = yes -@end example - -@subsection kaserver - -Kaserver is a Kerberos 4 that is used in AFS, the protocol have some -features over plain Kerberos 4, but like Kerberos 4 only use single -DES too. - -You should only enable Kerberos 4 support if you have a need for for -compatibility with an installed base of AFS machines. - -Kaserver can be turned on by adding this to the configuration file - -@example -[kdc] - enable-kaserver = yes -@end example - -@node Remote administration, Password changing, Serving Kerberos 4/524/kaserver, Setting up a realm -@section Remote administration - -The administration server, @samp{kadmind}, can be started by -@samp{inetd} (which isn't recommended) or run as a normal daemon. If you -want to start it from @samp{inetd} you should add a line similar to the -one below to your @file{/etc/inetd.conf}. - -@example -kerberos-adm stream tcp nowait root /usr/heimdal/libexec/kadmind kadmind -@end example - -You might need to add @samp{kerberos-adm} to your @file{/etc/services} -as 749/tcp. - -Access to the administration server is controlled by an acl-file, (default -@file{/var/heimdal/kadmind.acl}.) The lines in the access file, has the -following syntax: -@smallexample -principal [priv1,priv2,...] [glob-pattern] -@end smallexample - -The matching is from top to bottom for matching principal (and if given, -glob-pattern). When there is a match, the rights of that lines are -used. - -The privileges you can assign to a principal are: @samp{add}, -@samp{change-password} (or @samp{cpw} for short), @samp{delete}, -@samp{get}, @samp{list}, and @samp{modify}, or the special privilege -@samp{all}. All of these roughly corresponds to the different commands -in @samp{kadmin}. 
- -If a @var{glob-pattern} is given on a line, it restricts the right for -the principal to only apply for the subjects that match the pattern. -The patters are of the same type as those used in shell globbing, see -@url{none,,fnmatch(3)}. - -In the example below @samp{lha/admin} can change every principal in the -database. @samp{jimmy/admin} can only modify principals that belong to -the realm @samp{E.KTH.SE}. @samp{mille/admin} is working at the -help desk, so he should only be able to change the passwords for single -component principals (ordinary users). He will not be able to change any -@samp{/admin} principal. - -@example -lha/admin@@E.KTH.SE all -jimmy/admin@@E.KTH.SE all *@@E.KTH.SE -jimmy/admin@@E.KTH.SE all */*@@E.KTH.SE -mille/admin@@E.KTH.SE change-password *@@E.KTH.SE -@end example - -@node Password changing, Testing clients and servers, Remote administration, Setting up a realm -@section Password changing - -To allow users to change their passwords, you should run @samp{kpasswdd}. -It is not run from @samp{inetd}. - -You might need to add @samp{kpasswd} to your @file{/etc/services} as -464/udp. - -@subsection Password quality assurance - -It is important that users have good passwords, both to make it harder -to guess them and to avoid off-line attacks (pre-authentication provides -some defense against off-line attacks). To ensure that the users choose -good passwords, you can enable password quality controls in -@samp{kpasswdd}. The controls themselves are done in a shared library -that is used by @samp{kpasswdd}. To configure in these controls, add -lines similar to the following to your @file{/etc/krb5.conf}: - -@example -[password_quality] - check_library = @var{library} - check_function = @var{function} -@end example - -The function @var{function} in the shared library @var{library} will be -called for proposed new passwords. 
The function should be declared as: - -@example -const char * -function(krb5_context context, krb5_principal principal, krb5_data *pwd); -@end example - -The function should verify that @var{pwd} is a good password for -@var{principal} and if so return @code{NULL}. If it is deemed to be of -low quality, it should return a string explaining why that password -should not be used. - -Code for a password quality checking function that uses the cracklib -library can be found in @file{lib/kadm5/sample_password_check.c} in the -source code distribution. It requires the cracklib library built with -the patch available at -@url{ftp://ftp.pdc.kth.se/pub/krb/src/cracklib.patch}. - -If no password quality checking function is configured, it is only -verified that it is at least six characters of length. - -@node Testing clients and servers, Slave Servers, Password changing, Setting up a realm -@section Testing clients and servers - -Now you should be able to run all the clients and servers. Refer to the -appropriate man pages for information on how to use them. - -@node Slave Servers, Incremental propagation, Testing clients and servers, Setting up a realm -@section Slave servers, Incremental propagation, Testing clients and servers, Setting up a realm - -It is desirable to have at least one backup (slave) server in case the -master server fails. It is possible to have any number of such slave -servers but more than three usually doesn't buy much more redundancy. - -All Kerberos servers for a realm shall have the same database so that -they present the same service to all the users. The -@pindex hprop -@code{hprop} program, running on the master, will propagate the database -to the slaves, running -@pindex hpropd -@code{hpropd} processes. - -Every slave needs a database directory, the master key (if it was used -for the database) and a keytab with the principal -@samp{hprop/@var{hostname}}. 
Add the principal with the -@pindex ktutil -@code{ktutil} command and start -@pindex hpropd -@code{propd}, as follows: - -@example -slave# ktutil get -p foo/admin hprop/`hostname` -slave# mkdir /var/heimdal -slave# hpropd -@end example - -The master will use the principal @samp{kadmin/hprop} to authenticate to -the slaves. This principal should be added when running @kbd{kadmin -l -init} but if you do not have it in your database for whatever reason, -please add it with @kbd{kadmin -l add}. - -Then run -@pindex hprop -@code{hprop} on the master: - -@example -master# hprop slave -@end example - -This was just an on-hands example to make sure that everything was -working properly. Doing it manually is of course the wrong way and to -automate this you will want to start -@pindex hpropd -@code{hpropd} from @code{inetd} on the slave(s) and regularly run -@pindex hprop -@code{hprop} on the master to regularly propagate the database. -Starting the propagation once an hour from @code{cron} is probably a -good idea. - -@node Incremental propagation, Salting , Slave Servers, Setting up a realm -@section Incremental propagation - -There is also a newer and still somewhat experimental mechanism for -doing incremental propagation in Heimdal. Instead of sending the whole -database regularly, it sends the changes as they happen on the master to -the slaves. The master keeps track of all the changes by assigned a -version number to every change to the database. The slaves know which -was the latest version they saw and in this way it can be determined if -they are in sync or not. A log of all the changes is kept on the master -and when a slave is at an older versioner than the oldest one in the -log, the whole database has to be sent. - -Protocol-wise, all the slaves connects to the master and as a greeting -tell it the latest version that they have (@samp{IHAVE} message). 
The
-master then responds by sending all the changes between that version and
-the current version at the master (a series of @samp{FORYOU} messages)
-or the whole database in a @samp{TELLYOUEVERYTHING} message.
-
-@subsection Configuring incremental propagation
-
-The program that runs on the master is @code{ipropd-master} and all
-clients run @code{ipropd-slave}.
-
-Create the file @file{/var/heimdal/slaves} on the master containing all
-the slaves that the database should be propagated to. Each line contains
-the full name of the principal (for example
-@samp{iprop/hemligare.foo.se@@FOO.SE}).
-
-You should already have @samp{iprop/tcp} defined as 2121, in your
-@file{/etc/services}. Otherwise, or if you need to use a different port
-for some peculiar reason, you can use the @kbd{--port} option. This is
-useful when you have multiple realms to distribute from one server.
-
-Then you need to create these principals that you added in the
-configuration file. Create one @samp{iprop/hostname} for the master and
-for every slave.
-
-
-@example
-master# /usr/heimdal/sbin/ktutil get iprop/`hostname`
-@end example
-
-The next step is to start the @code{ipropd-master} process on the master
-server. The @code{ipropd-master} listens on the UNIX-socket
-@file{/var/heimdal/signal} to know when changes have been made to the
-database so they can be propagated to the slaves. There is also a
-safety feature of testing the version number regularly (every 30
-seconds) to see if it has been modified by some means that do not raise
-this signal. Then, start @code{ipropd-slave} on all the slaves:
-
-@example
-master# /usr/heimdal/libexec/ipropd-master &
-slave# /usr/heimdal/libexec/ipropd-slave master &
-@end example
-
-@node Salting, Cross realm, Incremental propagation, Setting up a realm
-@section Salting
-@cindex Salting
-
-Salting is used to make it harder to precalculate all possible
-keys.
Using a salt increases the search space to make it almost
-impossible to precalculate all keys. Salting is the process of mixing a
-public string (the salt) with the password, then sending it through an
-encryption-type specific string-to-key function that will output the
-fixed size encryption key.
-
-In Kerberos 5 the salt is determined by the encryption-type, except
-in some special cases.
-
-In @code{des} there is the Kerberos 4 salt
-(none at all) or the afs-salt (using the cell (realm in
-afs-lingo)).
-
-In @code{arcfour} (the encryption type that Microsoft Windows 2000 uses)
-there is no salt. This is to be compatible with NTLM keys in Windows
-NT 4.
-
-@code{[kadmin]default_keys} in @file{krb5.conf} controls
-what salting to use,
-
-The syntax of @code{[kadmin]default_keys} is
-@samp{[etype:]salt-type[:salt-string]}. @samp{etype} is the encryption
-type (des, des3, arcfour), @code{salt-type} is the type of salt (pw-salt
-or afs3-salt), and the salt-string is the string that will be used as
-salt (remember that if the salt is appended/prepended, the empty salt ""
-is the same thing as no salt at all).
-
-Common types of salting includes
-
-@itemize @bullet
-@item @code{v4} (or @code{des:pw-salt:})
-
-The Kerberos 4 salting is using no salt att all. Reason there is colon
-that the end or the salt string is that it makes the salt the empty
-string (same as no salt).
-
-@item @code{v5} (or @code{pw-salt})
-
-@code{pw-salt} means all regular encryption-types that is regular
-
-@item @code{afs3-salt}
-
-@code{afs3-salt} is the salting that is used with Transarc kaserver. Its
-the cell appended to the password.
-
-@end itemize
-
-@node Cross realm, Transit policy , Salting, Setting up a realm
-@section Cross realm
-@cindex Cross realm
-
-Suppose you are residing in the realm @samp{MY.REALM}, how do you
-authenticate to a server in @samp{OTHER.REALM}? Having valid tickets in
-@samp{MY.REALM} allows you to communicate with kerberised services in that
-realm.
However, the computer in the other realm does not have a secret -key shared with the Kerberos server in your realm. - -It is possible to add a share keys between two realms that trust each -other. When a client program, such as @code{telnet} or @code{ssh}, -finds that the other computer is in a different realm, it will try to -get a ticket granting ticket for that other realm, but from the local -Kerberos server. With that ticket granting ticket, it will then obtain -service tickets from the Kerberos server in the other realm. - -For a two way trust between @samp{MY.REALM} and @samp{OTHER.REALM} -add the following principals to each realm. The principals should be -@samp{krbtgt/OTHER.REALM@@MY.REALM} and -@samp{krbtgt/MY.REALM@@OTHER.REALM} in @samp{MY.REALM}, and -@samp{krbtgt/MY.REALM@@OTHER.REALM} and -@samp{krbtgt/OTHER.REALM@@MY.REALM}in @samp{OTHER.REALM}. - -In Kerberos 5 the trust can be one configured to be one way. So that -users from @samp{MY.REALM} can authenticate to services in -@samp{OTHER.REALM}, but not the opposite. In the example above, the -@samp{krbtgt/MY.REALM@@OTHER.REALM} then should be removed. - -The two principals must have the same key, key version number, and the -same set of encryption types. Remember to transfer the two keys in a -safe manner. - -@example -@cartouche -vr$ klist -Credentials cache: FILE:/tmp/krb5cc_913.console - Principal: lha@@E.KTH.SE - - Issued Expires Principal -May 3 13:55:52 May 3 23:55:54 krbtgt/E.KTH.SE@@E.KTH.SE - -vr$ telnet -l lha hummel.it.su.se -Trying 2001:6b0:5:1095:250:fcff:fe24:dbf... -Connected to hummel.it.su.se. -Escape character is '^]'. -Waiting for encryption to be negotiated... -[ Trying mutual KERBEROS5 (host/hummel.it.su.se@@SU.SE)... ] -[ Kerberos V5 accepts you as ``lha@@E.KTH.SE'' ] -Encryption negotiated. 
-Last login: Sat May 3 14:11:47 from vr.l.nxs.se
-hummel$ exit
-
-vr$ klist
-Credentials cache: FILE:/tmp/krb5cc_913.console
- Principal: lha@@E.KTH.SE
-
- Issued Expires Principal
-May 3 13:55:52 May 3 23:55:54 krbtgt/E.KTH.SE@@E.KTH.SE
-May 3 13:55:56 May 3 23:55:54 krbtgt/SU.SE@@E.KTH.SE
-May 3 14:10:54 May 3 23:55:54 host/hummel.it.su.se@@SU.SE
-
-@end cartouche
-@end example
-
-@node Transit policy, Setting up DNS , Cross realm, Setting up a realm
-@section Transit policy
-@cindex Transit policy
-
-If you want to use cross realm authentication through an intermediate
-realm it must be explicitly allowed by either the KDCs or the server
-receiving the request. This is done in @file{krb5.conf} in the
-@code{[capaths]} section.
-
-When the ticket transits through a realm to another realm, the
-destination realm adds its peer to the "transited-realms" field in the
-ticket. The field is unordered, this is since there is no way to know if
-know if one of the transited-realms changed the order of the list.
-
-The syntax for @code{[capaths]} section:
-
-@example
-@cartouche
-[capaths]
- CLIENT-REALM = @{
- SERVER-REALM = PERMITTED-CROSS-REALMS ...
- @}
-@end cartouche
-@end example
-
-The realm @code{STACKEN.KTH.SE} allows clients from @code{SU.SE} and
-@code{DSV.SU.SE} to cross in. Since @code{STACKEN.KTH.SE} only have
-direct cross realm with @code{KTH.SE}, and @code{DSV.SU.SE} only have direct cross
-realm with @code{SU.SE} they need to use both @code{SU.SE} and
-@code{KTH.SE} as transit realms.
-
-@example
-@cartouche
-[capaths]
- SU.SE = @{
- STACKEN.KTH.SE = KTH.SE
- @}
- DSV.SU.SE = @{
- STACKEN.KTH.SE = SU.SE KTH.SE
- @}
-
-@end cartouche
-@end example
-
-@c To test the cross realm configuration, use:
-@c kmumble transit-check client server transit-realms ...
-
-@node Setting up DNS, , Transit policy, Setting up a realm
-@section Setting up DNS
-@cindex Setting up DNS
-
-If there is information about where to find the KDC or kadmind for a
-realm in the @file{krb5.conf} for a realm, that information will be
-preferred and DNS will not be queried.
-
-Heimdal will try to use DNS to find the KDCs for a realm. First it
-will try to find @code{SRV} resource record (RR) for the realm. If no
-SRV RRs are found, it will fall back to looking for a @code{A} RR for
-a machine named kerberos.REALM, and then kerberos-1.REALM, etc
-
-Adding this information to DNS makes the client have less
-configuration (in the common case, no configuration) and allows the
-system administrator to change the number of KDCs and on what machines
-they are running without caring about clients.
-
-The backside of using DNS that the client might be fooled to use the
-wrong server if someone fakes DNS replies/data, but storing the IP
-addresses of the KDC on all the clients makes it very hard to change
-the infrastructure.
-
-Example of the configuration for the realm @code{EXAMPLE.COM},
-
-@example
-
-$ORIGIN example.com.
-_kerberos._tcp SRV 10 1 88 kerberos.example.com.
-_kerberos._udp SRV 10 1 88 kerberos.example.com.
-_kerberos._tcp SRV 10 1 88 kerberos-1.example.com.
-_kerberos._udp SRV 10 1 88 kerberos-1.example.com.
-_kpasswd._udp SRV 10 1 464 kerberos.example.com.
-_kerberos-adm._tcp SRV 10 1 749 kerberos.example.com.
-
-@end example
-
-More information about DNS SRV resource records can be found in
-RFC-2782 (A DNS RR for specifying the location of services (DNS SRV)).
-
diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-brezak-win2k-krb-rc4-hmac-01.txt b/crypto/heimdal-0.6.3/doc/standardisation/draft-brezak-win2k-krb-rc4-hmac-01.txt
deleted file mode 100644
index a97ef9d191..0000000000
--- a/crypto/heimdal-0.6.3/doc/standardisation/draft-brezak-win2k-krb-rc4-hmac-01.txt
+++ /dev/null
@@ -1,412 +0,0 @@ -CAT working group M. Swift -Internet Draft J. Brezak -Document: draft-brezak-win2k-krb-rc4-hmac-01.txt Microsoft -Category: Informational October 1999 - - - The Windows 2000 RC4-HMAC Kerberos encryption type - - -Status of this Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC2026 [1]. Internet-Drafts are - working documents of the Internet Engineering Task Force (IETF), its - areas, and its working groups. Note that other groups may also - distribute working documents as Internet-Drafts. Internet-Drafts are - draft documents valid for a maximum of six months and may be - updated, replaced, or obsoleted by other documents at any time. It - is inappropriate to use Internet- Drafts as reference material or to - cite them other than as "work in progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - -1. Abstract - - The Windows 2000 implementation of Kerberos introduces a new - encryption type based on the RC4 encryption algorithm and using an - MD5 HMAC for checksum. This is offered as an alternative to using - the existing DES based encryption types. - - The RC4-HMAC encryption types are used to ease upgrade of existing - Windows NT environments, provide strong crypto (128-bit key - lengths), and provide exportable (meet United States government - export restriction requirements) encryption. - - The Windows 2000 implementation of Kerberos contains new encryption - and checksum types for two reasons: for export reasons early in the - development process, 56 bit DES encryption could not be exported, - and because upon upgrade from Windows NT 4.0 to Windows 2000, - accounts will not have the appropriate DES keying material to do the - standard DES encryption. 
Furthermore, 3DES is not available for - export, and there was a desire to use a single flavor of encryption - in the product for both US and international products. - - As a result, there are two new encryption types and one new checksum - type introduced in Windows 2000. - - -2. Conventions used in this document - - - -Swift Category - Informational 1 - - Windows 2000 RC4-HMAC Kerberos E-Type October 1999 - - - The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", - "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in - this document are to be interpreted as described in RFC-2119 [2]. - -3. Key Generation - - On upgrade from existing Windows NT domains, the user accounts would - not have a DES based key available to enable the use of DES base - encryption types specified in RFC 1510. The key used for RC4-HMAC is - the same as the existing Windows NT key (NT Password Hash) for - compatibility reasons. Once the account password is changed, the DES - based keys are created and maintained. Once the DES keys are - available DES based encryption types can be used with Kerberos. - - The RC4-HMAC String to key function is defined as follow: - - String2Key(password) - - K = MD4(UNICODE(password)) - - The RC4-HMAC keys are generated by using the Windows UNICODE version - of the password. Each Windows UNICODE character is encoded in - little-endian format of 2 octets each. Then performing an MD4 [6] - hash operation on just the UNICODE characters of the password (not - including the terminating zero octets). - -4. Basic Operations - - The MD5 HMAC function is defined in [3]. It is used in this - encryption type for checksum operations. Refer to [3] for details on - its operation. In this document this function is referred to as - HMAC(Key, Data) returning the checksum using the specified key on - the data. - - The basic MD5 hash operation is used in this encryption type and - defined in [7]. 
In this document this function is referred to as - MD5(Data) returning the checksum of the data. - - The basic RC4 encryption operation is used in this encryption type - and defined in [8]. In this document the function is referred to as - RC4(Key, Data) returning the encrypted data using the specified key - on the data. - - These encryption types use key derivation as defined in [9] (RFC- - 1510BIS) in Section titled "Key Derivation". With each message, the - message type (T) is used as a component of the keying material. - - All strings in this document are ASCII unless otherwise specified. - The lengths of ASCII encoded character strings include the trailing - terminator character (0). - - The concat(a,b,c,...) function will return the logical concatenation - (left to right) of the values of the arguments. - -Swift Category - Informational 2 - - Windows 2000 RC4-HMAC Kerberos E-Type October 1999 - - - - The nonce(n) function returns a pseudo-random number of "n" octets. - -5. Checksum Types - - There is one checksum type used in this encryption type. The - Kerberos constant for this type is: - #define KERB_CHECKSUM_HMAC_MD5 (-138) - - The function is defined as follows: - - K - is the Key - T - the message type, encoded as a little-endian four byte integer - - CHKSUM(K, T, data) - - Ksign = HMAC(K, "signature key") //includes zero octet at end - tmp = MD5(concat(T, data)) - CHKSUM = HMAC(Ksign, tmp) - - -6. Encryption Types - - There are two encryption types used in these encryption types. The - Kerberos constants for these types are: - #define KERB_ETYPE_RC4_HMAC 23 - #define KERB_ETYPE_RC4_HMAC_EXP 24 - - The basic encryption function is defined as follow: - - T = the message type, encoded as a little-endian four byte integer. 
- - ENCRYPT(K, T, data) - if (K.enctype == KERB_ETYPE_RC4_HMAC_EXP) - L = concat("fortybits", T) //includes zero octet at - //end of string constant - Else - L = T - Ksign = HMAC(K,L) - Confounder = nonce(8) // get an 8 octet nonce for a confounder - Checksum = HMAC(Ksign, concat(Confounder, data)) - Ke = Ksign - if (K.enctype == KERB_ETYPE_RC4_HMAC_EXP) - memset(&Ke[7], 0x0ab, 9) - Ke2 = HMAC(Ke, Checksum) - data = RC4(Ke2, data) - - The header field on the encrypted data in KDC messages is: - - typedef struct _RC4_MDx_HEADER { - UCHAR Checksum[16]; - UCHAR Confounder[8]; - } RC4_MDx_HEADER, *PRC4_MDx_HEADER; - -Swift Category - Informational 3 - - Windows 2000 RC4-HMAC Kerberos E-Type October 1999 - - - - The character constant "fortybits" evolved from the time when a 40- - bit key length was all that was exportable from the United States. - It is now used to recognize that the key length is of "exportable" - length. In this description, the key size is actually 56-bits. - -7. Key Strength Negotiation - - A Kerberos client and server can negotiate over key length if they - are using mutual authentication. If the client is unable to perform - full strength encryption, it may propose a key in the "subkey" field - of the authenticator, using a weaker encryption type. The server - must then either return the same key or suggest its own key in the - subkey field of the AP reply message. The key used to encrypt data - is derived from the key returned by the server. If the client is - able to perform strong encryption but the server is not, it may - propose a subkey in the AP reply without first being sent a subkey - in the authenticator. - -8. GSSAPI Kerberos V5 Mechanism Type - -8.1 Mechanism Specific Changes - - The GSSAPI per-message tokens also require new checksum and - encryption types. The GSS-API per-message tokens must be changed to - support these new encryption types (See [5] Section 1.2.2). 
The - sealing algorithm identifier (SEAL_ALG) for an RC4 based encryption - is: - Byte 4..5 SEAL_ALG 0x10 0x00 - RC4 - - The signing algorithm identifier (SGN_ALG) for MD5 HMAC is: - Byte 2..3 SGN ALG 0x11 0x00 - HMAC - - The only support quality of protection is: - #define GSS_KRB5_INTEG_C_QOP_DEFAULT 0x0 - - In addition, when using an RC4 based encryption type, the sequence - number is sent in big-endian rather than little-endian order. - -8.2 GSSAPI Checksum Type - - The GSSAPI checksum type and algorithm is defined in Section 5. Only - the first 8 octets of the checksum are used. The resulting checksum - is stored in the SGN_CKSUM field (See [5] Section 1.2) for - GSS_GetMIC() and GSS_Wrap(conf_flag=FALSE). - -8.3 GSSAPI Encryption Types - - There are two encryption types for GSSAPI message tokens, one that - is 128 bits in strength, and one that is 56 bits in strength as - defined in Section 6. - - - -Swift Category - Informational 4 - - Windows 2000 RC4-HMAC Kerberos E-Type October 1999 - - - All padding is rounded up to 1 byte. One byte is needed to say that - there is 1 byte of padding. The DES based mechanism type uses 8 byte - padding. See [5] Section 1.2.2.3. - - The encryption mechanism used for GSS based messages is as follow: - - T = the message type, encoded as a little-endian four byte integer. - - GSS-ENCRYPT(K, T, data) - IV = SND_SEQ - K = XOR(K, 0xf0f0f0f0f0f0f0f0f0f0f0f0f0f0f0) - if (K.enctype == KERB_ETYPE_RC4_HMAC_EXP) - L = concat("fortybits", T) //includes zero octet at end - else - L = T - Ksign = HMAC(K, L) - Ke = Ksign - if (K.enctype == KERB_ETYPE_RC4_HMAC_EXP) - memset(&Ke[7], 0x0ab, 9) - Ke2 = HMAC(Ke, IV) - Data = RC4(Ke2, data) - SND_SEQ = RC4(Ke, seq#) - - The sequence number (SND_SEQ) and IV are used as defined in [5] - Section 1.2.2. - - The character constant "fortybits" evolved from the time when a 40- - bit key length was all that was exportable from the United States. 
- It is now used to recognize that the key length is of "exportable" - length. In this description, the key size is actually 56-bits. - -8. Security Considerations - - Care must be taken in implementing this encryption type because it - uses a stream cipher. If a different IV isnÆt used in each direction - when using a session key, the encryption is weak. By using the - sequence number as an IV, this is avoided. - -9. References - - 1 Bradner, S., "The Internet Standards Process -- Revision 3", BCP - 9, RFC 2026, October 1996. - - 2 Bradner, S., "Key words for use in RFCs to Indicate Requirement - Levels", BCP 14, RFC 2119, March 1997 - - 3 Krawczyk, H., Bellare, M., Canetti, R.,"HMAC: Keyed-Hashing for - Message Authentication", RFC 2104, February 1997 - - 4 Kohl, J., Neuman, C., "The Kerberos Network Authentication - Service (V5)", RFC 1510, September 1993 - - - -Swift Category - Informational 5 - - Windows 2000 RC4-HMAC Kerberos E-Type October 1999 - - - - 5 Linn, J., "The Kerberos Version 5 GSS-API Mechanism", RFC-1964, - June 1996 - - 6 R. Rivest, "The MD4 Message-Digest Algorithm", RFC-1320, April - 1992 - - 7 R. Rivest, "The MD5 Message-Digest Algorithm", RFC-1321, April - 1992 - - 8 RC4 is a proprietary encryption algorithm available under license - from RSA Data Security Inc. For licensing information, - contact: - RSA Data Security, Inc. - 100 Marine Parkway - Redwood City, CA 94065-1031 - - 9 Neuman, C., Kohl, J., Ts'o, T., "The Kerberos Network - Authentication Service (V5)", draft-ietf-cat-kerberos-revisions- - 04.txt, June 25, 1999 - - -10. Author's Addresses - - Mike Swift - Microsoft - One Microsoft Way - Redmond, Washington - Email: mikesw@microsoft.com - - John Brezak - Microsoft - One Microsoft Way - Redmond, Washington - Email: jbrezak@microsoft.com - - - - - - - - - - - - - - - - - - - -Swift Category - Informational 6 - - Windows 2000 RC4-HMAC Kerberos E-Type October 1999 - - - -11. 
Full Copyright Statement - - Copyright (C) The Internet Society (1999). All Rights Reserved. - - This document and translations of it may be copied and furnished to - others, and derivative works that comment on or otherwise explain it - or assist in its implementation may be prepared, copied, published - and distributed, in whole or in part, without restriction of any - kind, provided that the above copyright notice and this paragraph - are included on all such copies and derivative works. However, this - document itself may not be modified in any way, such as by removing - the copyright notice or references to the Internet Society or other - Internet organizations, except as needed for the purpose of - developing Internet standards in which case the procedures for - copyrights defined in the Internet Standards process must be - followed, or as required to translate it into languages other than - English. - - The limited permissions granted above are perpetual and will not be - revoked by the Internet Society or its successors or assigns. - - This document and the information contained herein is provided on an - "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING - TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING - BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION - HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF - MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE." - - - - - - - - - - - - - - - - - - - - - - - - - - -Swift Category - Informational 7 - \ No newline at end of file diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-brezak-win2k-krb-rc4-hmac-02.txt b/crypto/heimdal-0.6.3/doc/standardisation/draft-brezak-win2k-krb-rc4-hmac-02.txt deleted file mode 100644 index 1fc9927dea..0000000000 --- a/crypto/heimdal-0.6.3/doc/standardisation/draft-brezak-win2k-krb-rc4-hmac-02.txt +++ /dev/null 
@@ -1,589 +0,0 @@ - - -CAT working group M. Swift -Internet Draft J. Brezak -Document: draft-brezak-win2k-krb-rc4-hmac-02.txt Microsoft -Category: Informational November 2000 - - - The Windows 2000 RC4-HMAC Kerberos encryption type - - -tatus of this Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC2026 [1]. Internet-Drafts are - working documents of the Internet Engineering Task Force (IETF), its - areas, and its working groups. Note that other groups may also - distribute working documents as Internet-Drafts. Internet-Drafts are - draft documents valid for a maximum of six months and may be - updated, replaced, or obsoleted by other documents at any time. It - is inappropriate to use Internet- Drafts as reference material or to - cite them other than as "work in progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - -. Abstract - - The Windows 2000 implementation of Kerberos introduces a new - encryption type based on the RC4 encryption algorithm and using an - MD5 HMAC for checksum. This is offered as an alternative to using - the existing DES based encryption types. - - The RC4-HMAC encryption types are used to ease upgrade of existing - Windows NT environments, provide strong crypto (128-bit key - lengths), and provide exportable (meet United States government - export restriction requirements) encryption. - - The Windows 2000 implementation of Kerberos contains new encryption - and checksum types for two reasons: for export reasons early in the - development process, 56 bit DES encryption could not be exported, - and because upon upgrade from Windows NT 4.0 to Windows 2000, - accounts will not have the appropriate DES keying material to do the - standard DES encryption. 
Furthermore, 3DES is not available for - export, and there was a desire to use a single flavor of encryption - in the product for both US and international products. - - As a result, there are two new encryption types and one new checksum - type introduced in Windows 2000. - - -. Conventions used in this document - - - -wift Category - Informational 1 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", - "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in - this document are to be interpreted as described in RFC-2119 [2]. - -. Key Generation - - On upgrade from existing Windows NT domains, the user accounts would - not have a DES based key available to enable the use of DES base - encryption types specified in RFC 1510. The key used for RC4-HMAC is - the same as the existing Windows NT key (NT Password Hash) for - compatibility reasons. Once the account password is changed, the DES - based keys are created and maintained. Once the DES keys are - available DES based encryption types can be used with Kerberos. - - The RC4-HMAC String to key function is defined as follow: - - String2Key(password) - - K = MD4(UNICODE(password)) - - The RC4-HMAC keys are generated by using the Windows UNICODE version - of the password. Each Windows UNICODE character is encoded in - little-endian format of 2 octets each. Then performing an MD4 [6] - hash operation on just the UNICODE characters of the password (not - including the terminating zero octets). - - For an account with a password of "foo", this String2Key("foo") will - return: - - 0xac, 0x8e, 0x65, 0x7f, 0x83, 0xdf, 0x82, 0xbe, - 0xea, 0x5d, 0x43, 0xbd, 0xaf, 0x78, 0x00, 0xcc - -. Basic Operations - - The MD5 HMAC function is defined in [3]. It is used in this - encryption type for checksum operations. Refer to [3] for details on - its operation. 
In this document this function is referred to as - HMAC(Key, Data) returning the checksum using the specified key on - the data. - - The basic MD5 hash operation is used in this encryption type and - defined in [7]. In this document this function is referred to as - MD5(Data) returning the checksum of the data. - - RC4 is a stream cipher licensed by RSA Data Security [RSADSI]. A - compatible cipher is described in [8]. In this document the function - is referred to as RC4(Key, Data) returning the encrypted data using - the specified key on the data. - - These encryption types use key derivation as defined in [9] (RFC- - 1510BIS) in Section titled "Key Derivation". With each message, the - message type (T) is used as a component of the keying material. This - summarizes the different key derivation values used in the various - -wift Category - Informational 2 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - operations. Note that these differ from the key derivations used in - other Kerberos encryption types. - - T = 1 for TS-ENC-TS in the AS-Request - T = 8 for the AS-Reply - T = 7 for the Authenticator in the TGS-Request - T = 8 for the TGS-Reply - T = 2 for the Server Ticket in the AP-Request - T = 11 for the Authenticator in the AP-Request - T = 12 for the Server returned AP-Reply - T = 15 in the generation of checksum for the MIC token - T = 0 in the generation of sequence number for the MIC token - T = 13 in the generation of checksum for the WRAP token - T = 0 in the generation of sequence number for the WRAP token - T = 0 in the generation of encrypted data for the WRAPPED token - - All strings in this document are ASCII unless otherwise specified. - The lengths of ASCII encoded character strings include the trailing - terminator character (0). - - The concat(a,b,c,...) function will return the logical concatenation - (left to right) of the values of the arguments. - - The nonce(n) function returns a pseudo-random number of "n" octets. - -. 
Checksum Types - - There is one checksum type used in this encryption type. The - Kerberos constant for this type is: - #define KERB_CHECKSUM_HMAC_MD5 (-138) - - The function is defined as follows: - - K - is the Key - T - the message type, encoded as a little-endian four byte integer - - CHKSUM(K, T, data) - - Ksign = HMAC(K, "signaturekey") //includes zero octet at end - tmp = MD5(concat(T, data)) - CHKSUM = HMAC(Ksign, tmp) - - -. Encryption Types - - There are two encryption types used in these encryption types. The - Kerberos constants for these types are: - #define KERB_ETYPE_RC4_HMAC 23 - #define KERB_ETYPE_RC4_HMAC_EXP 24 - - The basic encryption function is defined as follow: - - T = the message type, encoded as a little-endian four byte integer. - -wift Category - Informational 3 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - - BYTE L40[14] = "fortybits"; - BYTE SK = "signaturekey"; - - ENCRYPT (K, fRC4_EXP, T, data, data_len, edata, edata_len) - { - if (fRC4_EXP){ - *((DWORD *)(L40+10)) = T; - HMAC (K, L40, 10 + 4, K1); - }else{ - HMAC (K, &T, 4, K1); - } - memcpy (K2, K1, 16); - if (fRC4_EXP) memset (K1+7, 0xAB, 9); - add_8_random_bytes(data, data_len, conf_plus_data); - HMAC (K2, conf_plus_data, 8 + data_len, checksum); - HMAC (K1, checksum, 16, K3); - RC4(K3, conf_plus_data, 8 + data_len, edata + 16); - memcpy (edata, checksum, 16); - edata_len = 16 + 8 + data_len; - } - - DECRYPT (K, fRC4_EXP, T, edata, edata_len, data, data_len) - { - if (fRC4_EXP){ - *((DWORD *)(L40+10)) = T; - HMAC (K, L40, 14, K1); - }else{ - HMAC (K, &T, 4, K1); - } - memcpy (K2, K1, 16); - if (fRC4_EXP) memset (K1+7, 0xAB, 9); - HMAC (K1, edata, 16, K3); // checksum is at edata - RC4(K3, edata + 16, edata_len - 16, edata + 16); - data_len = edata_len - 16 - 8; - memcpy (data, edata + 16 + 8, data_len); - - // verify generated and received checksums - HMAC (K2, edata + 16, edata_len - 16, checksum); - if (memcmp(edata, checksum, 16) != 0) - printf("CHECKSUM ERROR 
!!!!!!\n"); - } - - The header field on the encrypted data in KDC messages is: - - typedef struct _RC4_MDx_HEADER { - UCHAR Checksum[16]; - UCHAR Confounder[8]; - } RC4_MDx_HEADER, *PRC4_MDx_HEADER; - - The KDC message is encrypted using the ENCRYPT function not - including the Checksum in the RC4_MDx_HEADER. - - -wift Category - Informational 4 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - The character constant "fortybits" evolved from the time when a 40- - bit key length was all that was exportable from the United States. - It is now used to recognize that the key length is of "exportable" - length. In this description, the key size is actually 56-bits. - -. Key Strength Negotiation - - A Kerberos client and server can negotiate over key length if they - are using mutual authentication. If the client is unable to perform - full strength encryption, it may propose a key in the "subkey" field - of the authenticator, using a weaker encryption type. The server - must then either return the same key or suggest its own key in the - subkey field of the AP reply message. The key used to encrypt data - is derived from the key returned by the server. If the client is - able to perform strong encryption but the server is not, it may - propose a subkey in the AP reply without first being sent a subkey - in the authenticator. - -. GSSAPI Kerberos V5 Mechanism Type - -.1 Mechanism Specific Changes - - The GSSAPI per-message tokens also require new checksum and - encryption types. The GSS-API per-message tokens must be changed to - support these new encryption types (See [5] Section 1.2.2). 
The - sealing algorithm identifier (SEAL_ALG) for an RC4 based encryption - is: - Byte 4..5 SEAL_ALG 0x10 0x00 - RC4 - - The signing algorithm identifier (SGN_ALG) for MD5 HMAC is: - Byte 2..3 SGN ALG 0x11 0x00 - HMAC - - The only support quality of protection is: - #define GSS_KRB5_INTEG_C_QOP_DEFAULT 0x0 - - In addition, when using an RC4 based encryption type, the sequence - number is sent in big-endian rather than little-endian order. - - The Windows 2000 implementation also defines new GSSAPI flags in the - initial token passed when initializing a security context. These - flags are passed in the checksum field of the authenticator (See [5] - Section 1.1.1). - - GSS_C_DCE_STYLE - This flag was added for use with MicrosoftÆs - implementation of DCE RPC, which initially expected three legs of - authentication. Setting this flag causes an extra AP reply to be - sent from the client back to the server after receiving the serverÆs - AP reply. In addition, the context negotiation tokens do not have - GSSAPI framing - they are raw AP message and do not include object - identifiers. - #define GSS_C_DCE_STYLE 0x1000 - - - -wift Category - Informational 5 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - GSS_C_IDENTIFY_FLAG - This flag allows the client to indicate to the - server that it should only allow the server application to identify - the client by name and ID, but not to impersonate the client. - #define GSS_C_IDENTIFY_FLAG 0x2000 - - GSS_C_EXTENDED_ERROR_FLAG - Setting this flag indicates that the - client wants to be informed of extended error information. In - particular, Windows 2000 status codes may be returned in the data - field of a Kerberos error message. This allows the client to - understand a server failure more precisely. In addition, the server - may return errors to the client that are normally handled at the - application layer in the server, in order to let the client try to - recover. 
After receiving an error message, the client may attempt to - resubmit an AP request. - #define GSS_C_EXTENDED_ERROR_FLAG 0x4000 - - These flags are only used if a client is aware of these conventions - when using the SSPI on the Windows platform, they are not generally - used by default. - - When NetBIOS addresses are used in the GSSAPI, they are identified - by the GSS_C_AF_NETBIOS value. This value is defined as: - #define GSS_C_AF_NETBIOS 0x14 - NetBios addresses are 16-octet addresses typically composed of 1 to th 15 characters, trailing blank (ascii char 20) filled, with a 16 - octet of 0x0. - -.2 GSSAPI Checksum Type - - The GSSAPI checksum type and algorithm is defined in Section 5. Only - the first 8 octets of the checksum are used. The resulting checksum - is stored in the SGN_CKSUM field (See [5] Section 1.2) for - GSS_GetMIC() and GSS_Wrap(conf_flag=FALSE). - - MIC (K, fRC4_EXP, seq_num, MIC_hdr, msg, msg_len, - MIC_seq, MIC_checksum) - { - HMAC (K, SK, 13, K4); - T = 15; - memcpy (T_plus_hdr_plus_msg + 00, &T, 4); - memcpy (T_plus_hdr_plus_msg + 04, MIC_hdr, 8); - // 0101 1100 FFFFFFFF - memcpy (T_plus_hdr_plus_msg + 12, msg, msg_len); - MD5 (T_hdr_msg, 4 + 8 + msg_len, MD5_of_T_hdr_msg); - HMAC (K4, MD5_of_T_hdr_msg, CHKSUM); - memcpy (MIC_checksum, CHKSUM, 8); // use only first 8 bytes - - T = 0; - if (fRC4_EXP){ - *((DWORD *)(L40+10)) = T; - HMAC (K, L40, 14, K5); - }else{ - HMAC (K, &T, 4, K5); - -wift Category - Informational 6 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - } - if (fRC4_EXP) memset(K5+7, 0xAB, 9); - HMAC(K5, MIT_checksum, 8, K6); - copy_seq_num_in_big_endian(seq_num, seq_plus_direction); - //0x12345678 - copy_direction_flag (direction_flag, seq_plus_direction + - 4); //0x12345678FFFFFFFF - RC4(K6, seq_plus_direction, 8, MIC_seq); - } - -.3 GSSAPI Encryption Types - - There are two encryption types for GSSAPI message tokens, one that - is 128 bits in strength, and one that is 56 bits in strength as - defined in Section 
6. - - All padding is rounded up to 1 byte. One byte is needed to say that - there is 1 byte of padding. The DES based mechanism type uses 8 byte - padding. See [5] Section 1.2.2.3. - - The encryption mechanism used for GSS wrap based messages is as - follow: - - - WRAP (K, fRC4_EXP, seq_num, WRAP_hdr, msg, msg_len, - WRAP_seq, WRAP_checksum, edata, edata_len) - { - HMAC (K, SK, 13, K7); - T = 13; - PAD = 1; - memcpy (T_hdr_conf_msg_pad + 00, &T, 4); - memcpy (T_hdr_conf_msg_pad + 04, WRAP_hdr, 8); // 0101 1100 - FFFFFFFF - memcpy (T_hdr_conf_msg_pad + 12, msg, msg_len); - memcpy (T_hdr_conf_msg_pad + 12 + msg_len, &PAD, 1); - MD5 (T_hdr_conf_msg_pad, - 4 + 8 + 8 + msg_len + 1, - MD5_of_T_hdr_conf_msg_pad); - HMAC (K7, MD5_of_T_hdr_conf_msg_pad, CHKSUM); - memcpy (WRAP_checksum, CHKSUM, 8); // use only first 8 - bytes - - T = 0; - if (fRC4_EXP){ - *((DWORD *)(L40+10)) = T; - HMAC (K, L40, 14, K8); - }else{ - HMAC (K, &T, 4, K8); - } - if (fRC4_EXP) memset(K8+7, 0xAB, 9); - HMAC(K8, WRAP_checksum, 8, K9); - copy_seq_num_in_big_endian(seq_num, seq_plus_direction); - //0x12345678 - -wift Category - Informational 7 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - copy_direction_flag (direction_flag, seq_plus_direction + - 4); //0x12345678FFFFFFFF - RC4(K9, seq_plus_direction, 8, WRAP_seq); - - for (i = 0; i < 16; i++) K10 [i] ^= 0xF0; // XOR each byte - of key with 0xF0 - T = 0; - if (fRC4_EXP){ - *(DWORD *)(L40+10) = T; - HMAC(K10, L40, 14, K11); - memset(K11+7, 0xAB, 9); - }else{ - HMAC(K10, &T, 4, K11); - } - HMAC(K11, seq_num, 4, K12); - RC4(K12, T_hdr_conf_msg_pad + 4 + 8, 8 + msg_len + 1, - edata); /* skip T & hdr */ - edata_len = 8 + msg_len + 1; // conf + msg_len + pad - } - - - The character constant "fortybits" evolved from the time when a 40- - bit key length was all that was exportable from the United States. - It is now used to recognize that the key length is of "exportable" - length. In this description, the key size is actually 56-bits. - -. 
Security Considerations - - Care must be taken in implementing this encryption type because it - uses a stream cipher. If a different IV isnÆt used in each direction - when using a session key, the encryption is weak. By using the - sequence number as an IV, this is avoided. - -0. Acknowledgements - - We would like to thank Salil Dangi for the valuable input in - refining the descriptions of the functions and review input. - -1. References - - 1 Bradner, S., "The Internet Standards Process -- Revision 3", BCP - 9, RFC 2026, October 1996. - - 2 Bradner, S., "Key words for use in RFCs to Indicate Requirement - Levels", BCP 14, RFC 2119, March 1997 - - 3 Krawczyk, H., Bellare, M., Canetti, R.,"HMAC: Keyed-Hashing for - Message Authentication", RFC 2104, February 1997 - - 4 Kohl, J., Neuman, C., "The Kerberos Network Authentication - Service (V5)", RFC 1510, September 1993 - - - -wift Category - Informational 8 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - - 5 Linn, J., "The Kerberos Version 5 GSS-API Mechanism", RFC-1964, - June 1996 - - 6 R. Rivest, "The MD4 Message-Digest Algorithm", RFC-1320, April - 1992 - - 7 R. Rivest, "The MD5 Message-Digest Algorithm", RFC-1321, April - 1992 - - 8 Thayer, R. and K. Kaukonen, "A Stream Cipher Encryption - Algorithm", Work in Progress. - - 9 RC4 is a proprietary encryption algorithm available under license - from RSA Data Security Inc. For licensing information, contact: - - RSA Data Security, Inc. - 100 Marine Parkway - Redwood City, CA 94065-1031 - - 10 Neuman, C., Kohl, J., Ts'o, T., "The Kerberos Network - Authentication Service (V5)", draft-ietf-cat-kerberos-revisions- - 04.txt, June 25, 1999 - - -2. Author's Addresses - - Mike Swift - Dept. 
of Computer Science - Sieg Hall - University of Washington - Seattle, WA 98105 - Email: mikesw@cs.washington.edu - - John Brezak - Microsoft - One Microsoft Way - Redmond, Washington - Email: jbrezak@microsoft.com - - - - - - - - - - - - - - - -wift Category - Informational 9 - - Windows 2000 RC4-HMAC Kerberos E-Type October 1999 - - - -3. Full Copyright Statement - - "Copyright (C) The Internet Society (2000). All Rights Reserved. - - This document and translations of it may be copied and - furnished to others, and derivative works that comment on or - otherwise explain it or assist in its implementation may be - prepared, copied, published and distributed, in whole or in - part, without restriction of any kind, provided that the above - copyright notice and this paragraph are included on all such - copies and derivative works. However, this document itself may - not be modified in any way, such as by removing the copyright - notice or references to the Internet Society or other Internet - organizations, except as needed for the purpose of developing - Internet standards in which case the procedures for copyrights - defined in the Internet Standards process must be followed, or - as required to translate it into languages other than English. - - The limited permissions granted above are perpetual and will - not be revoked by the Internet Society or its successors or - assigns. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -wift Category - Informational 10 - diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-brezak-win2k-krb-rc4-hmac-03.txt b/crypto/heimdal-0.6.3/doc/standardisation/draft-brezak-win2k-krb-rc4-hmac-03.txt deleted file mode 100644 index 202d44e863..0000000000 --- a/crypto/heimdal-0.6.3/doc/standardisation/draft-brezak-win2k-krb-rc4-hmac-03.txt +++ /dev/null 
@@ -1,587 +0,0 @@ -CAT working group M. Swift -Internet Draft J. Brezak -Document: draft-brezak-win2k-krb-rc4-hmac-03.txt Microsoft -Category: Informational June 2000 - - - The Windows 2000 RC4-HMAC Kerberos encryption type - - -Status of this Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC2026 [1]. Internet-Drafts are - working documents of the Internet Engineering Task Force (IETF), its - areas, and its working groups. Note that other groups may also - distribute working documents as Internet-Drafts. Internet-Drafts are - draft documents valid for a maximum of six months and may be - updated, replaced, or obsoleted by other documents at any time. It - is inappropriate to use Internet- Drafts as reference material or to - cite them other than as "work in progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - -1. Abstract - - The Windows 2000 implementation of Kerberos introduces a new - encryption type based on the RC4 encryption algorithm and using an - MD5 HMAC for checksum. This is offered as an alternative to using - the existing DES based encryption types. - - The RC4-HMAC encryption types are used to ease upgrade of existing - Windows NT environments, provide strong crypto (128-bit key - lengths), and provide exportable (meet United States government - export restriction requirements) encryption. - - The Windows 2000 implementation of Kerberos contains new encryption - and checksum types for two reasons: for export reasons early in the - development process, 56 bit DES encryption could not be exported, - and because upon upgrade from Windows NT 4.0 to Windows 2000, - accounts will not have the appropriate DES keying material to do the - standard DES encryption. 
Furthermore, 3DES is not available for - export, and there was a desire to use a single flavor of encryption - in the product for both US and international products. - - As a result, there are two new encryption types and one new checksum - type introduced in Windows 2000. - - -2. Conventions used in this document - - - -Swift Category - Informational 1 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", - "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in - this document are to be interpreted as described in RFC-2119 [2]. - -3. Key Generation - - On upgrade from existing Windows NT domains, the user accounts would - not have a DES based key available to enable the use of DES base - encryption types specified in RFC 1510. The key used for RC4-HMAC is - the same as the existing Windows NT key (NT Password Hash) for - compatibility reasons. Once the account password is changed, the DES - based keys are created and maintained. Once the DES keys are - available DES based encryption types can be used with Kerberos. - - The RC4-HMAC String to key function is defined as follow: - - String2Key(password) - - K = MD4(UNICODE(password)) - - The RC4-HMAC keys are generated by using the Windows UNICODE version - of the password. Each Windows UNICODE character is encoded in - little-endian format of 2 octets each. Then performing an MD4 [6] - hash operation on just the UNICODE characters of the password (not - including the terminating zero octets). - - For an account with a password of "foo", this String2Key("foo") will - return: - - 0xac, 0x8e, 0x65, 0x7f, 0x83, 0xdf, 0x82, 0xbe, - 0xea, 0x5d, 0x43, 0xbd, 0xaf, 0x78, 0x00, 0xcc - -4. Basic Operations - - The MD5 HMAC function is defined in [3]. It is used in this - encryption type for checksum operations. Refer to [3] for details on - its operation. 
In this document this function is referred to as - HMAC(Key, Data) returning the checksum using the specified key on - the data. - - The basic MD5 hash operation is used in this encryption type and - defined in [7]. In this document this function is referred to as - MD5(Data) returning the checksum of the data. - - RC4 is a stream cipher licensed by RSA Data Security [RSADSI]. A - compatible cipher is described in [8]. In this document the function - is referred to as RC4(Key, Data) returning the encrypted data using - the specified key on the data. - - These encryption types use key derivation as defined in [9] (RFC- - 1510BIS) in Section titled "Key Derivation". With each message, the - message type (T) is used as a component of the keying material. This - summarizes the different key derivation values used in the various - -Swift Category - Informational 2 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - operations. Note that these differ from the key derivations used in - other Kerberos encryption types. - - T = 1 for TS-ENC-TS in the AS-Request - T = 8 for the AS-Reply - T = 7 for the Authenticator in the TGS-Request - T = 8 for the TGS-Reply - T = 2 for the Server Ticket in the AP-Request - T = 11 for the Authenticator in the AP-Request - T = 12 for the Server returned AP-Reply - T = 15 in the generation of checksum for the MIC token - T = 0 in the generation of sequence number for the MIC token - T = 13 in the generation of checksum for the WRAP token - T = 0 in the generation of sequence number for the WRAP token - T = 0 in the generation of encrypted data for the WRAPPED token - - All strings in this document are ASCII unless otherwise specified. - The lengths of ASCII encoded character strings include the trailing - terminator character (0). - - The concat(a,b,c,...) function will return the logical concatenation - (left to right) of the values of the arguments. - - The nonce(n) function returns a pseudo-random number of "n" octets. - -5. 
Checksum Types - - There is one checksum type used in this encryption type. The - Kerberos constant for this type is: - #define KERB_CHECKSUM_HMAC_MD5 (-138) - - The function is defined as follows: - - K - is the Key - T - the message type, encoded as a little-endian four byte integer - - CHKSUM(K, T, data) - - Ksign = HMAC(K, "signaturekey") //includes zero octet at end - tmp = MD5(concat(T, data)) - CHKSUM = HMAC(Ksign, tmp) - - -6. Encryption Types - - There are two encryption types used in these encryption types. The - Kerberos constants for these types are: - #define KERB_ETYPE_RC4_HMAC 23 - #define KERB_ETYPE_RC4_HMAC_EXP 24 - - The basic encryption function is defined as follow: - - T = the message type, encoded as a little-endian four byte integer. - -Swift Category - Informational 3 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - - BYTE L40[14] = "fortybits"; - BYTE SK = "signaturekey"; - - ENCRYPT (K, fRC4_EXP, T, data, data_len, edata, edata_len) - { - if (fRC4_EXP){ - *((DWORD *)(L40+10)) = T; - HMAC (K, L40, 10 + 4, K1); - }else{ - HMAC (K, &T, 4, K1); - } - memcpy (K2, K1, 16); - if (fRC4_EXP) memset (K1+7, 0xAB, 9); - add_8_random_bytes(data, data_len, conf_plus_data); - HMAC (K2, conf_plus_data, 8 + data_len, checksum); - HMAC (K1, checksum, 16, K3); - RC4(K3, conf_plus_data, 8 + data_len, edata + 16); - memcpy (edata, checksum, 16); - edata_len = 16 + 8 + data_len; - } - - DECRYPT (K, fRC4_EXP, T, edata, edata_len, data, data_len) - { - if (fRC4_EXP){ - *((DWORD *)(L40+10)) = T; - HMAC (K, L40, 14, K1); - }else{ - HMAC (K, &T, 4, K1); - } - memcpy (K2, K1, 16); - if (fRC4_EXP) memset (K1+7, 0xAB, 9); - HMAC (K1, edata, 16, K3); // checksum is at edata - RC4(K3, edata + 16, edata_len - 16, edata + 16); - data_len = edata_len - 16 - 8; - memcpy (data, edata + 16 + 8, data_len); - - // verify generated and received checksums - HMAC (K2, edata + 16, edata_len - 16, checksum); - if (memcmp(edata, checksum, 16) != 0) - printf("CHECKSUM ERROR 
!!!!!!\n"); - } - - The header field on the encrypted data in KDC messages is: - - typedef struct _RC4_MDx_HEADER { - UCHAR Checksum[16]; - UCHAR Confounder[8]; - } RC4_MDx_HEADER, *PRC4_MDx_HEADER; - - The KDC message is encrypted using the ENCRYPT function not - including the Checksum in the RC4_MDx_HEADER. - - -Swift Category - Informational 4 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - The character constant "fortybits" evolved from the time when a 40- - bit key length was all that was exportable from the United States. - It is now used to recognize that the key length is of "exportable" - length. In this description, the key size is actually 56-bits. - -7. Key Strength Negotiation - - A Kerberos client and server can negotiate over key length if they - are using mutual authentication. If the client is unable to perform - full strength encryption, it may propose a key in the "subkey" field - of the authenticator, using a weaker encryption type. The server - must then either return the same key or suggest its own key in the - subkey field of the AP reply message. The key used to encrypt data - is derived from the key returned by the server. If the client is - able to perform strong encryption but the server is not, it may - propose a subkey in the AP reply without first being sent a subkey - in the authenticator. - -8. GSSAPI Kerberos V5 Mechanism Type - -8.1 Mechanism Specific Changes - - The GSSAPI per-message tokens also require new checksum and - encryption types. The GSS-API per-message tokens must be changed to - support these new encryption types (See [5] Section 1.2.2). 
The - sealing algorithm identifier (SEAL_ALG) for an RC4 based encryption - is: - Byte 4..5 SEAL_ALG 0x10 0x00 - RC4 - - The signing algorithm identifier (SGN_ALG) for MD5 HMAC is: - Byte 2..3 SGN ALG 0x11 0x00 - HMAC - - The only support quality of protection is: - #define GSS_KRB5_INTEG_C_QOP_DEFAULT 0x0 - - In addition, when using an RC4 based encryption type, the sequence - number is sent in big-endian rather than little-endian order. - - The Windows 2000 implementation also defines new GSSAPI flags in the - initial token passed when initializing a security context. These - flags are passed in the checksum field of the authenticator (See [5] - Section 1.1.1). - - GSS_C_DCE_STYLE - This flag was added for use with Microsoft’s - implementation of DCE RPC, which initially expected three legs of - authentication. Setting this flag causes an extra AP reply to be - sent from the client back to the server after receiving the server’s - AP reply. In addition, the context negotiation tokens do not have - GSSAPI framing - they are raw AP message and do not include object - identifiers. - #define GSS_C_DCE_STYLE 0x1000 - - - -Swift Category - Informational 5 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - GSS_C_IDENTIFY_FLAG - This flag allows the client to indicate to the - server that it should only allow the server application to identify - the client by name and ID, but not to impersonate the client. - #define GSS_C_IDENTIFY_FLAG 0x2000 - - GSS_C_EXTENDED_ERROR_FLAG - Setting this flag indicates that the - client wants to be informed of extended error information. In - particular, Windows 2000 status codes may be returned in the data - field of a Kerberos error message. This allows the client to - understand a server failure more precisely. In addition, the server - may return errors to the client that are normally handled at the - application layer in the server, in order to let the client try to - recover. 
After receiving an error message, the client may attempt to - resubmit an AP request. - #define GSS_C_EXTENDED_ERROR_FLAG 0x4000 - - These flags are only used if a client is aware of these conventions - when using the SSPI on the Windows platform, they are not generally - used by default. - - When NetBIOS addresses are used in the GSSAPI, they are identified - by the GSS_C_AF_NETBIOS value. This value is defined as: - #define GSS_C_AF_NETBIOS 0x14 - NetBios addresses are 16-octet addresses typically composed of 1 to th 15 characters, trailing blank (ascii char 20) filled, with a 16 - octet of 0x0. - -8.2 GSSAPI Checksum Type - - The GSSAPI checksum type and algorithm is defined in Section 5. Only - the first 8 octets of the checksum are used. The resulting checksum - is stored in the SGN_CKSUM field (See [5] Section 1.2) for - GSS_GetMIC() and GSS_Wrap(conf_flag=FALSE). - - MIC (K, fRC4_EXP, seq_num, MIC_hdr, msg, msg_len, - MIC_seq, MIC_checksum) - { - HMAC (K, SK, 13, K4); - T = 15; - memcpy (T_plus_hdr_plus_msg + 00, &T, 4); - memcpy (T_plus_hdr_plus_msg + 04, MIC_hdr, 8); - // 0101 1100 FFFFFFFF - memcpy (T_plus_hdr_plus_msg + 12, msg, msg_len); - MD5 (T_hdr_msg, 4 + 8 + msg_len, MD5_of_T_hdr_msg); - HMAC (K4, MD5_of_T_hdr_msg, CHKSUM); - memcpy (MIC_checksum, CHKSUM, 8); // use only first 8 bytes - - T = 0; - if (fRC4_EXP){ - *((DWORD *)(L40+10)) = T; - HMAC (K, L40, 14, K5); - }else{ - HMAC (K, &T, 4, K5); - -Swift Category - Informational 6 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - } - if (fRC4_EXP) memset(K5+7, 0xAB, 9); - HMAC(K5, MIT_checksum, 8, K6); - copy_seq_num_in_big_endian(seq_num, seq_plus_direction); - //0x12345678 - copy_direction_flag (direction_flag, seq_plus_direction + - 4); //0x12345678FFFFFFFF - RC4(K6, seq_plus_direction, 8, MIC_seq); - } - -8.3 GSSAPI Encryption Types - - There are two encryption types for GSSAPI message tokens, one that - is 128 bits in strength, and one that is 56 bits in strength as - defined in 
Section 6. - - All padding is rounded up to 1 byte. One byte is needed to say that - there is 1 byte of padding. The DES based mechanism type uses 8 byte - padding. See [5] Section 1.2.2.3. - - The encryption mechanism used for GSS wrap based messages is as - follow: - - - WRAP (K, fRC4_EXP, seq_num, WRAP_hdr, msg, msg_len, - WRAP_seq, WRAP_checksum, edata, edata_len) - { - HMAC (K, SK, 13, K7); - T = 13; - PAD = 1; - memcpy (T_hdr_conf_msg_pad + 00, &T, 4); - memcpy (T_hdr_conf_msg_pad + 04, WRAP_hdr, 8); // 0101 1100 - FFFFFFFF - memcpy (T_hdr_conf_msg_pad + 12, msg, msg_len); - memcpy (T_hdr_conf_msg_pad + 12 + msg_len, &PAD, 1); - MD5 (T_hdr_conf_msg_pad, - 4 + 8 + 8 + msg_len + 1, - MD5_of_T_hdr_conf_msg_pad); - HMAC (K7, MD5_of_T_hdr_conf_msg_pad, CHKSUM); - memcpy (WRAP_checksum, CHKSUM, 8); // use only first 8 - bytes - - T = 0; - if (fRC4_EXP){ - *((DWORD *)(L40+10)) = T; - HMAC (K, L40, 14, K8); - }else{ - HMAC (K, &T, 4, K8); - } - if (fRC4_EXP) memset(K8+7, 0xAB, 9); - HMAC(K8, WRAP_checksum, 8, K9); - copy_seq_num_in_big_endian(seq_num, seq_plus_direction); - //0x12345678 - -Swift Category - Informational 7 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - copy_direction_flag (direction_flag, seq_plus_direction + - 4); //0x12345678FFFFFFFF - RC4(K9, seq_plus_direction, 8, WRAP_seq); - - for (i = 0; i < 16; i++) K10 [i] ^= 0xF0; // XOR each byte - of key with 0xF0 - T = 0; - if (fRC4_EXP){ - *(DWORD *)(L40+10) = T; - HMAC(K10, L40, 14, K11); - memset(K11+7, 0xAB, 9); - }else{ - HMAC(K10, &T, 4, K11); - } - HMAC(K11, seq_num, 4, K12); - RC4(K12, T_hdr_conf_msg_pad + 4 + 8, 8 + msg_len + 1, - edata); /* skip T & hdr */ - edata_len = 8 + msg_len + 1; // conf + msg_len + pad - } - - - The character constant "fortybits" evolved from the time when a 40- - bit key length was all that was exportable from the United States. - It is now used to recognize that the key length is of "exportable" - length. 
In this description, the key size is actually 56-bits. - -9. Security Considerations - - Care must be taken in implementing this encryption type because it - uses a stream cipher. If a different IV isn’t used in each direction - when using a session key, the encryption is weak. By using the - sequence number as an IV, this is avoided. - -10. Acknowledgements - - We would like to thank Salil Dangi for the valuable input in - refining the descriptions of the functions and review input. - -11. References - - 1 Bradner, S., "The Internet Standards Process -- Revision 3", BCP - 9, RFC 2026, October 1996. - - 2 Bradner, S., "Key words for use in RFCs to Indicate Requirement - Levels", BCP 14, RFC 2119, March 1997 - - 3 Krawczyk, H., Bellare, M., Canetti, R.,"HMAC: Keyed-Hashing for - Message Authentication", RFC 2104, February 1997 - - 4 Kohl, J., Neuman, C., "The Kerberos Network Authentication - Service (V5)", RFC 1510, September 1993 - - - -Swift Category - Informational 8 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - - 5 Linn, J., "The Kerberos Version 5 GSS-API Mechanism", RFC-1964, - June 1996 - - 6 R. Rivest, "The MD4 Message-Digest Algorithm", RFC-1320, April - 1992 - - 7 R. Rivest, "The MD5 Message-Digest Algorithm", RFC-1321, April - 1992 - - 8 Thayer, R. and K. Kaukonen, "A Stream Cipher Encryption - Algorithm", Work in Progress. - - 9 RC4 is a proprietary encryption algorithm available under license - from RSA Data Security Inc. For licensing information, contact: - - RSA Data Security, Inc. - 100 Marine Parkway - Redwood City, CA 94065-1031 - - 10 Neuman, C., Kohl, J., Ts'o, T., "The Kerberos Network - Authentication Service (V5)", draft-ietf-cat-kerberos-revisions- - 04.txt, June 25, 1999 - - -12. Author's Addresses - - Mike Swift - Dept. 
of Computer Science - Sieg Hall - University of Washington - Seattle, WA 98105 - Email: mikesw@cs.washington.edu - - John Brezak - Microsoft - One Microsoft Way - Redmond, Washington - Email: jbrezak@microsoft.com - - - - - - - - - - - - - - - -Swift Category - Informational 9 - - Windows 2000 RC4-HMAC Kerberos E-Type October 1999 - - - -13. Full Copyright Statement - - "Copyright (C) The Internet Society (2000). All Rights Reserved. - - This document and translations of it may be copied and - furnished to others, and derivative works that comment on or - otherwise explain it or assist in its implementation may be - prepared, copied, published and distributed, in whole or in - part, without restriction of any kind, provided that the above - copyright notice and this paragraph are included on all such - copies and derivative works. However, this document itself may - not be modified in any way, such as by removing the copyright - notice or references to the Internet Society or other Internet - organizations, except as needed for the purpose of developing - Internet standards in which case the procedures for copyrights - defined in the Internet Standards process must be followed, or - as required to translate it into languages other than English. - - The limited permissions granted above are perpetual and will - not be revoked by the Internet Society or its successors or - assigns. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Swift Category - Informational 10 - diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-foo b/crypto/heimdal-0.6.3/doc/standardisation/draft-foo deleted file mode 100644 index 8174d4678f..0000000000 --- a/crypto/heimdal-0.6.3/doc/standardisation/draft-foo +++ /dev/null 
@@ -1,171 +0,0 @@ - - - - - - -Network Working Group Assar Westerlund - SICS -Internet-Draft October, 1997 -Expire in six months - - Kerberos over IPv6 - -Status of this Memo - - This document is an Internet-Draft. Internet-Drafts are working - documents of the Internet Engineering Task Force (IETF), its areas, - and its working groups. Note that other groups may also distribute - working documents as Internet-Drafts. - - Internet-Drafts are draft documents valid for a maximum of six months - and may be updated, replaced, or obsoleted by other documents at any - time. It is inappropriate to use Internet- Drafts as reference - material or to cite them other than as "work in progress." - - To view the entire list of current Internet-Drafts, please check the - "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow - Directories on ftp.is.co.za (Africa), ftp.nordu.net (Europe), - munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or - ftp.isi.edu (US West Coast). - - Distribution of this memo is unlimited. Please send comments to the - mailing list. - -Abstract - - This document specifies the address types and transport types - necessary for using Kerberos [RFC1510] over IPv6 [RFC1883]. - -Specification - - IPv6 addresses are 128-bit (16-octet) quantities, encoded in MSB - order. The type of IPv6 addresses is twenty-four (24). - - The following addresses (see [RFC1884]) MUST not appear in any - Kerberos packet: - - the Unspecified Address - the Loopback Address - Link-Local addresses - - IPv4-mapped IPv6 addresses MUST be represented as addresses of type - 2. - - - - -Westerlund [Page 1] - -Internet Draft Kerberos over IPv6 October, 1997 - - - Communication with the KDC over IPv6 MUST be done as in section 8.2.1 - of [RFC1510]. - -Discussion - - [RFC1510] suggests using the address family constants in - from BSD. This cannot be done for IPv6 as these - numbers have diverged and are different on different BSD-derived - systems. 
[RFC2133] does not either specify a value for AF_INET6. - Thus a value has to be decided and the implementations have to - convert between the value used in Kerberos HostAddress and the local - AF_INET6. - - There are a few different address types in IPv6, see [RFC1884]. Some - of these are used for quite special purposes and it makes no sense to - include them in Kerberos packets. - - It is necessary to represent IPv4-mapped addresses as Internet - addresses (type 2) to be compatible with Kerberos implementations - that only support IPv4. - -Security considerations - - This memo does not introduce any known security considerations in - addition to those mentioned in [RFC1510]. - -References - - [RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network - Authentication Service (V5)", RFC 1510, September 1993. - - [RFC1883] Deering, S., Hinden, R., "Internet Protocol, Version 6 - (IPv6) Specification", RFC 1883, December 1995. - - [RFC1884] Hinden, R., Deering, S., "IP Version 6 Addressing - Architecture", RFC 1884, December 1995. - - [RFC2133] Gilligan, R., Thomson, S., Bound, J., Stevens, W., "Basic - Socket Interface Extensions for IPv6", RFC2133, April 1997. - -Author's Address - - Assar Westerlund - Swedish Institute of Computer Science - Box 1263 - S-164 29 KISTA - Sweden - - - - -Westerlund [Page 2] - -Internet Draft Kerberos over IPv6 October, 1997 - - - Phone: +46-8-7521526 - Fax: +46-8-7517230 - EMail: assar@sics.se - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Westerlund [Page 3] - diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-foo.ms b/crypto/heimdal-0.6.3/doc/standardisation/draft-foo.ms deleted file mode 100644 index 62b109afa5..0000000000 --- a/crypto/heimdal-0.6.3/doc/standardisation/draft-foo.ms +++ /dev/null 
@@ -1,136 +0,0 @@ -.pl 10.0i -.po 0 -.ll 7.2i -.lt 7.2i -.nr LL 7.2i -.nr LT 7.2i -.ds LF Westerlund -.ds RF [Page %] -.ds CF -.ds LH Internet Draft -.ds RH October, 1997 -.ds CH Kerberos over IPv6 -.hy 0 -.ad l -.in 0 -.ta \n(.luR -Network Working Group Assar Westerlund - SICS -Internet-Draft October, 1997 -Expire in six months - -.ce -Kerberos over IPv6 - -.ti 0 -Status of this Memo - -.in 3 -This document is an Internet-Draft. Internet-Drafts are working -documents of the Internet Engineering Task Force (IETF), its -areas, and its working groups. Note that other groups may also -distribute working documents as Internet-Drafts. - -Internet-Drafts are draft documents valid for a maximum of six -months and may be updated, replaced, or obsoleted by other -documents at any time. It is inappropriate to use Internet- -Drafts as reference material or to cite them other than as -"work in progress." - -To view the entire list of current Internet-Drafts, please check -the "1id-abstracts.txt" listing contained in the Internet-Drafts -Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net -(Europe), munnari.oz.au (Pacific Rim), ds.internic.net (US East -Coast), or ftp.isi.edu (US West Coast). - -Distribution of this memo is unlimited. Please send comments to the - mailing list. - -.ti 0 -Abstract - -.in 3 -This document specifies the address types and transport types -necessary for using Kerberos [RFC1510] over IPv6 [RFC1883]. - -.ti 0 -Specification - -.in 3 -IPv6 addresses are 128-bit (16-octet) quantities, encoded in MSB -order. The type of IPv6 addresses is twenty-four (24). - -The following addresses (see [RFC1884]) MUST not appear in any -Kerberos packet: - -the Unspecified Address -.br -the Loopback Address -.br -Link-Local addresses - -IPv4-mapped IPv6 addresses MUST be represented as addresses of type 2. - -Communication with the KDC over IPv6 MUST be done as in section -8.2.1 of [RFC1510]. 
- -.ti 0 -Discussion - -.in 3 -[RFC1510] suggests using the address family constants in - from BSD. This cannot be done for IPv6 as these -numbers have diverged and are different on different BSD-derived -systems. [RFC2133] does not either specify a value for AF_INET6. -Thus a value has to be decided and the implementations have to convert -between the value used in Kerberos HostAddress and the local AF_INET6. - -There are a few different address types in IPv6, see [RFC1884]. Some -of these are used for quite special purposes and it makes no sense to -include them in Kerberos packets. - -It is necessary to represent IPv4-mapped addresses as Internet -addresses (type 2) to be compatible with Kerberos implementations that -only support IPv4. - -.ti 0 -Security considerations - -.in 3 -This memo does not introduce any known security considerations in -addition to those mentioned in [RFC1510]. - -.ti 0 -References - -.in 3 -[RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network -Authentication Service (V5)", RFC 1510, September 1993. - -[RFC1883] Deering, S., Hinden, R., "Internet Protocol, Version 6 -(IPv6) Specification", RFC 1883, December 1995. - -[RFC1884] Hinden, R., Deering, S., "IP Version 6 Addressing -Architecture", RFC 1884, December 1995. - -[RFC2133] Gilligan, R., Thomson, S., Bound, J., Stevens, W., "Basic -Socket Interface Extensions for IPv6", RFC2133, April 1997. - -.ti 0 -Author's Address - -Assar Westerlund -.br -Swedish Institute of Computer Science -.br -Box 1263 -.br -S-164 29 KISTA -.br -Sweden - -Phone: +46-8-7521526 -.br -Fax: +46-8-7517230 -.br -EMail: assar@sics.se diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-foo2 b/crypto/heimdal-0.6.3/doc/standardisation/draft-foo2 deleted file mode 100644 index 0fa695f640..0000000000 --- a/crypto/heimdal-0.6.3/doc/standardisation/draft-foo2 +++ /dev/null 
@@ -1,171 +0,0 @@ - - - - - - -Network Working Group Assar Westerlund - SICS -Internet-Draft Johan Danielsson -November, 1997 PDC, KTH -Expire in six months - - Kerberos over TCP - -Status of this Memo - - This document is an Internet-Draft. Internet-Drafts are working - documents of the Internet Engineering Task Force (IETF), its areas, - and its working groups. Note that other groups may also distribute - working documents as Internet-Drafts. - - Internet-Drafts are draft documents valid for a maximum of six months - and may be updated, replaced, or obsoleted by other documents at any - time. It is inappropriate to use Internet- Drafts as reference - material or to cite them other than as "work in progress." - - To view the entire list of current Internet-Drafts, please check the - "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow - Directories on ftp.is.co.za (Africa), ftp.nordu.net (Europe), - munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or - ftp.isi.edu (US West Coast). - - Distribution of this memo is unlimited. Please send comments to the - mailing list. - -Abstract - - This document specifies how the communication should be done between - a client and a KDC using Kerberos [RFC1510] with TCP as the transport - protocol. - -Specification - - This draft specifies an extension to section 8.2.1 of RFC1510. - - A Kerberos server MAY accept requests on TCP port 88 (decimal). - - The data sent from the client to the KDC should consist of 4 bytes - containing the length, in network byte order, of the Kerberos - request, followed by the request (AS-REQ or TGS-REQ) itself. The - reply from the KDC should consist of the length of the reply packet - (4 bytes, network byte order) followed by the packet itself (AS-REP, - TGS-REP, or KRB-ERROR). 
- - - - -Westerlund, Danielsson [Page 1] - -Internet Draft Kerberos over TCP November, 1997 - - - C->S: Open connection to TCP port 88 at the server - C->S: length of request - C->S: AS-REQ or TGS-REQ - S->C: length of reply - S->C: AS-REP, TGS-REP, or KRB-ERROR - -Discussion - - Even though the preferred way of sending kerberos packets is over UDP - there are several occasions when it's more practical to use TCP. - - Mainly, it's usually much less cumbersome to get TCP through - firewalls than UDP. - - In theory, there's no reason for having explicit length fields, that - information is already encoded in the ASN1 encoding of the Kerberos - packets. But having explicit lengths makes it unnecessary to have to - decode the ASN.1 encoding just to know how much data has to be read. - - Another way of signaling the end of the request of the reply would be - to do a half-close after the request and a full-close after the - reply. This does not work well with all kinds of firewalls. - -Security considerations - - This memo does not introduce any known security considerations in - addition to those mentioned in [RFC1510]. - -References - - [RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network - Authentication Service (V5)", RFC 1510, September 1993. - -Authors' Addresses - - Assar Westerlund - Swedish Institute of Computer Science - Box 1263 - S-164 29 KISTA - Sweden - - Phone: +46-8-7521526 - Fax: +46-8-7517230 - EMail: assar@sics.se - - Johan Danielsson - PDC, KTH - S-100 44 STOCKHOLM - - - -Westerlund, Danielsson [Page 2] - -Internet Draft Kerberos over TCP November, 1997 - - - Sweden - - Phone: +46-8-7907885 - Fax: +46-8-247784 - EMail: joda@pdc.kth.se - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Westerlund, Danielsson [Page 3] - diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-foo2.ms b/crypto/heimdal-0.6.3/doc/standardisation/draft-foo2.ms deleted file mode 100644 index 7e0fa0a628..0000000000 
--- a/crypto/heimdal-0.6.3/doc/standardisation/draft-foo2.ms
+++ /dev/null
@@ -1,145 +0,0 @@ -.pl 10.0i -.po 0 -.ll 7.2i -.lt 7.2i -.nr LL 7.2i -.nr LT 7.2i -.ds LF Westerlund, Danielsson -.ds RF [Page %] -.ds CF -.ds LH Internet Draft -.ds RH November, 1997 -.ds CH Kerberos over TCP -.hy 0 -.ad l -.in 0 -.ta \n(.luR -.nf -Network Working Group Assar Westerlund - SICS -Internet-Draft Johan Danielsson -November, 1997 PDC, KTH -Expire in six months -.fi - -.ce -Kerberos over TCP - -.ti 0 -Status of this Memo - -.in 3 -This document is an Internet-Draft. Internet-Drafts are working -documents of the Internet Engineering Task Force (IETF), its -areas, and its working groups. Note that other groups may also -distribute working documents as Internet-Drafts. - -Internet-Drafts are draft documents valid for a maximum of six -months and may be updated, replaced, or obsoleted by other -documents at any time. It is inappropriate to use Internet- -Drafts as reference material or to cite them other than as -"work in progress." - -To view the entire list of current Internet-Drafts, please check -the "1id-abstracts.txt" listing contained in the Internet-Drafts -Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net -(Europe), munnari.oz.au (Pacific Rim), ds.internic.net (US East -Coast), or ftp.isi.edu (US West Coast). - -Distribution of this memo is unlimited. Please send comments to the - mailing list. - -.ti 0 -Abstract - -.in 3 -This document specifies how the communication should be done between a -client and a KDC using Kerberos [RFC1510] with TCP as the transport -protocol. - -.ti 0 -Specification - -This draft specifies an extension to section 8.2.1 of RFC1510. - -A Kerberos server MAY accept requests on TCP port 88 (decimal). - -The data sent from the client to the KDC should consist of 4 bytes -containing the length, in network byte order, of the Kerberos request, -followed by the request (AS-REQ or TGS-REQ) itself. 
The reply from -the KDC should consist of the length of the reply packet (4 bytes, -network byte order) followed by the packet itself (AS-REP, TGS-REP, or -KRB-ERROR). - -.nf -C->S: Open connection to TCP port 88 at the server -C->S: length of request -C->S: AS-REQ or TGS-REQ -S->C: length of reply -S->C: AS-REP, TGS-REP, or KRB-ERROR -.fi - -.ti 0 -Discussion - -Even though the preferred way of sending kerberos packets is over UDP -there are several occasions when it's more practical to use TCP. - -Mainly, it's usually much less cumbersome to get TCP through firewalls -than UDP. - -In theory, there's no reason for having explicit length fields, that -information is already encoded in the ASN1 encoding of the Kerberos -packets. But having explicit lengths makes it unnecessary to have to -decode the ASN.1 encoding just to know how much data has to be read. - -Another way of signaling the end of the request of the reply would be -to do a half-close after the request and a full-close after the reply. -This does not work well with all kinds of firewalls. - -.ti 0 -Security considerations - -.in 3 -This memo does not introduce any known security considerations in -addition to those mentioned in [RFC1510]. - -.ti 0 -References - -.in 3 -[RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network -Authentication Service (V5)", RFC 1510, September 1993. - -.ti 0 -Authors' Addresses - -Assar Westerlund -.br -Swedish Institute of Computer Science -.br -Box 1263 -.br -S-164 29 KISTA -.br -Sweden - -Phone: +46-8-7521526 -.br -Fax: +46-8-7517230 -.br -EMail: assar@sics.se - -Johan Danielsson -.br -PDC, KTH -.br -S-100 44 STOCKHOLM -.br -Sweden - -Phone: +46-8-7907885 -.br -Fax: +46-8-247784 -.br -EMail: joda@pdc.kth.se diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-foo3 b/crypto/heimdal-0.6.3/doc/standardisation/draft-foo3 deleted file mode 100644 index 2b8b7bb577..0000000000 --- a/crypto/heimdal-0.6.3/doc/standardisation/draft-foo3 +++ /dev/null 
@@ -1,227 +0,0 @@ - - - - - - -Network Working Group Assar Westerlund - SICS -Internet-Draft Johan Danielsson -November, 1997 PDC, KTH -Expire in six months - - Kerberos vs firewalls - -Status of this Memo - - This document is an Internet-Draft. Internet-Drafts are working - documents of the Internet Engineering Task Force (IETF), its areas, - and its working groups. Note that other groups may also distribute - working documents as Internet-Drafts. - - Internet-Drafts are draft documents valid for a maximum of six months - and may be updated, replaced, or obsoleted by other documents at any - time. It is inappropriate to use Internet- Drafts as reference - material or to cite them other than as "work in progress." - - To view the entire list of current Internet-Drafts, please check the - "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow - Directories on ftp.is.co.za (Africa), ftp.nordu.net (Europe), - munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or - ftp.isi.edu (US West Coast). - - Distribution of this memo is unlimited. Please send comments to the - mailing list. - -Abstract - -Introduction - - Kerberos[RFC1510] is a protocol for authenticating parties - communicating over insecure networks. - - Firewalling is a technique for achieving an illusion of security by - putting restrictions on what kinds of packets and how these are sent - between the internal (so called "secure") network and the global (or - "insecure") Internet. - -Definitions - - client: the user, process, and host acquiring tickets from the KDC - and authenticating itself to the kerberised server. - - KDC: the Kerberos Key Distribution Center - - - - -Westerlund, Danielsson [Page 1] - -Internet Draft Kerberos vs firewalls November, 1997 - - - Kerberised server: the server using Kerberos to authenticate the - client, for example telnetd. 
- -Firewalls - - A firewall is usually placed between the "inside" and the "outside" - networks, and is supposed to protect the inside from the evils on the - outside. There are different kinds of firewalls. The main - differences are in the way they forward packets. - - o+ The most straight forward type is the one that just imposes - restrictions on incoming packets. Such a firewall could be - described as a router that filters packets that match some - criteria. - - o+ They may also "hide" some or all addresses on the inside of the - firewall, replacing the addresses in the outgoing packets with the - address of the firewall (aka network address translation, or NAT). - NAT can also be used without any packet filtering, for instance - when you have more than one host sharing a single address (for - example, with a dialed-in PPP connection). - - There are also firewalls that does NAT both on the inside and the - outside (a server on the inside will see this as a connection from - the firewall). - - o+ A third type is the proxy type firewall, that parses the contents - of the packets, basically acting as a server to the client, and as - a client to the server (man-in-the-middle). If Kerberos is to be - used with this kind of firewall, a protocol module that handles - KDC requests has to be written. - - This type of firewall might also cause extra trouble when used with - kerberised versions of protocols that the proxy understands, in - addition to the ones mentioned below. This is the case with the FTP - Security Extensions [RFC2228], that adds a new set of commands to the - FTP protocol [RFC959], for integrity, confidentiality, and privacy - protecting commands. When transferring data, the FTP protocol uses a - separate data channel, and an FTP proxy will have to look out for - commands that start a data transfer. If all commands are encrypted, - this is impossible. 
A protocol that doesn't suffer from this is the - Telnet Authentication Option [RFC1416] that does all authentication - and encryption in-bound. - -Scenarios - - Here the different scenarios we have considered are described, the - problems they introduce and the proposed ways of solving them. - - - -Westerlund, Danielsson [Page 2] - -Internet Draft Kerberos vs firewalls November, 1997 - - - Combinations of these can also occur. - - Client behind firewall - - This is the most typical and common scenario. First of all the - client needs some way of communicating with the KDC. This can be - done with whatever means and is usually much simpler when the KDC is - able to communicate over TCP. - - Apart from that, the client needs to be sure that the ticket it will - acquire from the KDC can be used to authenticate to a server outside - its firewall. For this, it needs to add the address(es) of potential - firewalls between itself and the KDC/server, to the list of its own - addresses when requesting the ticket. We are not aware of any - protocol for determining this set of addresses, thus this will have - to be manually configured in the client. - - The client could also request a ticket with no addresses, but some - KDCs and servers might not accept such a ticket. - - With the ticket in possession, communication with the kerberised - server will not need to be any different from communicating between a - non-kerberised client and server. - - Kerberised server behind firewall - - The kerberised server does not talk to the KDC at all so nothing - beyond normal firewall-traversal techniques for reaching the server - itself needs to be applied. - - The kerberised server needs to be able to retrieve the original - address (before its firewall) that the request was sent for. If this - is done via some out-of-band mechanism or it's directly able to see - it doesn't matter. - - KDC behind firewall - - The same restrictions applies for a KDC as for any other server. 
- -Specification - -Security considerations - - This memo does not introduce any known security considerations in - addition to those mentioned in [RFC1510]. - -References - - - - -Westerlund, Danielsson [Page 3] - -Internet Draft Kerberos vs firewalls November, 1997 - - - [RFC959] Postel, J. and Reynolds, J., "File Transfer Protocol (FTP)", - RFC 969, October 1985 - - [RFC1416] Borman, D., "Telnet Authentication Option", RFC 1416, - February 1993. - - [RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network - Authentication Service (V5)", RFC 1510, September 1993. - - [RFC2228] Horowitz, M. and Lunt, S., "FTP Security Extensions", - RFC2228, October 1997. - -Authors' Addresses - - Assar Westerlund - Swedish Institute of Computer Science - Box 1263 - S-164 29 KISTA - Sweden - - Phone: +46-8-7521526 - Fax: +46-8-7517230 - EMail: assar@sics.se - - Johan Danielsson - PDC, KTH - S-100 44 STOCKHOLM - Sweden - - Phone: +46-8-7907885 - Fax: +46-8-247784 - EMail: joda@pdc.kth.se - - - - - - - - - - - - - - - - - - - -Westerlund, Danielsson [Page 4] - diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-foo3.ms b/crypto/heimdal-0.6.3/doc/standardisation/draft-foo3.ms deleted file mode 100644 index c024ca355c..0000000000 --- a/crypto/heimdal-0.6.3/doc/standardisation/draft-foo3.ms +++ /dev/null 
@@ -1,260 +0,0 @@ -.\" even if this file is called .ms, it's using the me macros. -.\" to format try something like `nroff -me' -.\" level 2 heading -.de HH -.$p "\\$2" "" "\\$1" -.$0 "\\$2" -.. -.\" make sure footnotes produce the right thing with nroff -.ie t \ -\{\ -.ds { \v'-0.4m'\x'\\n(0x=0*-0.2m'\s-3 -.ds } \s0\v'0.4m' -.\} -.el \ -\{\ -.ds { [ -.ds } ] -.\} -.ds * \\*{\\n($f\\*}\k* -.\" page footer -.fo 'Westerlund, Danielsson''[Page %]' -.\" date -.ds RH \*(mo, 19\n(yr -.\" left margin -.nr lm 6 -.\" heading indent per level -.nr si 3n -.\" footnote indent -.nr fi 0 -.\" paragraph indent -.nr po 0 -.\" don't hyphenate -.hy 0 -.\" left adjustment -.ad l -.\" indent 0 -.in 0 -.\" line length 16cm and page length 25cm (~10 inches) -.ll 16c -.pl 25c -.ta \n(.luR -.nf -Network Working Group Assar Westerlund - SICS -Internet-Draft Johan Danielsson -\*(RH PDC, KTH -Expire in six months -.fi - -.\" page header, has to be set here so it won't appear on page 1 -.he 'Internet Draft'Kerberos vs firewalls'\*(RH' -.ce -.b "Kerberos vs firewalls" - -.HH 1 "Status of this Memo" -.lp -This document is an Internet-Draft. Internet-Drafts are working -documents of the Internet Engineering Task Force (IETF), its areas, -and its working groups. Note that other groups may also distribute -working documents as Internet-Drafts. -.lp -Internet-Drafts are draft documents valid for a maximum of six months -and may be updated, replaced, or obsoleted by other documents at any -time. It is inappropriate to use Internet- Drafts as reference -material or to cite them other than as \*(lqwork in progress.\*(rq -.lp -To view the entire list of current Internet-Drafts, please check the -\*(lq1id-abstracts.txt\*(rq listing contained in the Internet-Drafts -Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net (Europe), -munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or -ftp.isi.edu (US West Coast). -.lp -Distribution of this memo is unlimited. 
Please send comments to the - mailing list. -.HH 1 "Abstract" -.lp -Kerberos and firewalls both deal with security, but doesn't get along -very well. This memo discusses ways to use Kerberos in a firewalled -environment. -.HH 1 "Introduction" -.lp -Kerberos[RFC1510] -.(d -[RFC1510] -Kohl, J. and Neuman, C., \*(lqThe Kerberos Network Authentication -Service (V5)\*(rq, RFC 1510, September 1993. -.)d -is a protocol for authenticating parties communicating over insecure -networks. Firewalling is a technique for achieving an illusion of -security by putting restrictions on what kinds of packets and how -these are sent between the internal (so called \*(lqsecure\*(rq) -network and the global (or \*(lqinsecure\*(rq) Internet. The problems -with firewalls are many, but to name a few: -.np -Firewalls usually doesn't allow people to use UDP. The reason for this -is that UDP is (by firewall advocates) considered insecure. This -belief is probably based on the fact that many \*(lqinsecure\*(rq -protocols (like NFS) use UDP. UDP packets are also considered easy to -fake. -.np -Firewalls usually doesn't allow people to connect to arbitrary ports, -such as the ports used when talking to the KDC. -.np -In many non-computer organisations, the computer staff isn't what -you'd call \*(lqwizards\*(rq; a typical case is an academic -institution, where someone is taking care of the computers part time, -and is doing research the rest of the time. Adding a complex device -like a firewall to an environment like this, often leads to poorly run -systems that is more a hindrance for the legitimate users than to -possible crackers. -.lp -The easiest way to deal with firewalls is to ignore them, however in -some cases this just isn't possible. You might have users that are -stuck behind a firewall, but also has to access your system, or you -might find yourself behind a firewall, for instance when out -travelling. 
-.lp -To make it possible for people to use Kerberos from behind a firewall, -there are several things to consider. -.(q -.i -Add things to do when stuck behind a firewall, like talking about the -problem with local staff, making them open some port in the firewall, -using some other port, or proxy. -.r -.)q -.HH 1 "Firewalls" -.lp -A firewall is usually placed between the \*(lqinside\*(rq and the -\*(lqoutside\*(rq networks, and is supposed to protect the inside from the -evils on the outside. There are different kinds of firewalls. The -main differences are in the way they forward (or doesn't) packets. -.ip \(bu -The most straight forward type is the one that just imposes -restrictions on incoming packets. Such a firewall could be described -as a router that filters packets that match some criteria. -.ip \(bu -They may also \*(lqhide\*(rq some or all addresses on the inside of the -firewall, replacing the addresses in the outgoing packets with the -address of the firewall (aka network address translation, or NAT). NAT -can also be used without any packet filtering, for instance when you -have more than one host sharing a single address (e.g with a dialed-in -PPP connection). -.ip -There are also firewalls that does NAT both on the inside and the -outside (a server on the inside will see this as a connection from the -firewall). -.ip \(bu -A third type is the proxy type firewall, that parses the contents of -the packets, basically acting as a server to the client, and as a -client to the server (man-in-the-middle). If Kerberos is to be used -with this kind of firewall, a protocol module that handles KDC -requests has to be written\**. -.(f -\**Instead of writing a new module for Kerberos, it can be possible to -hitch a ride on some other protocol, that's already beeing handled by -the proxy. 
-.)f -.lp -The last type of firewall might also cause extra trouble when used -with kerberised versions of protocols that the proxy understands, in -addition to the ones mentioned below. This is the case with the FTP -Security Extensions [RFC2228], -.(d -[RFC2228] -Horowitz, M. and Lunt, S., \*(lqFTP Security Extensions\*(rq, RFC2228, -October 1997. -.)d -that adds a new set of commands to the FTP protocol [RFC959], -.(d -[RFC959] Postel, J. and Reynolds, J., \*(lqFile Transfer Protocol -(FTP)\*(rq, RFC 969, October 1985 -.)d -for integrity, confidentiality, and privacy protecting commands, and -data. When transferring data, the FTP protocol uses a separate data -channel, and an FTP proxy will have to look out for commands that -start a data transfer. If all commands are encrypted, this is -impossible. A protocol that doesn't suffer from this is the Telnet -Authentication Option [RFC1416] -.(d -[RFC1416] -Borman, D., \*(lqTelnet Authentication Option\*(rq, RFC 1416, February -1993. -.)d -that does all -authentication and encryption in-bound. -.HH 1 "Scenarios" -.lp -Here the different scenarios we have considered are described, the -problems they introduce and the proposed ways of solving them. -Combinations of these can also occur. -.HH 2 "Client behind firewall" -.lp -This is the most typical and common scenario. First of all the client -needs some way of communicating with the KDC. This can be done with -whatever means and is usually much simpler when the KDC is able to -communicate over TCP. -.lp -Apart from that, the client needs to be sure that the ticket it will -acquire from the KDC can be used to authenticate to a server outside -its firewall. For this, it needs to add the address(es) of potential -firewalls between itself and the KDC/server, to the list of its own -addresses when requesting the ticket. We are not aware of any -protocol for determining this set of addresses, thus this will have to -be manually configured in the client. 
-.lp -The client could also request a ticket with no addresses. This is not -a recommended way to solve this problem. The address was put into the -ticket to make it harder to use a stolen ticket. A ticket without -addresses will therefore be less \*(lqsecure.\*(rq RFC1510 also says that -the KDC may refuse to issue, and the server may refuse to accept an -address-less ticket. -.lp -With the ticket in possession, communication with the kerberised -server will not need to be any different from communicating between a -non-kerberised client and server. -.HH 2 "Kerberised server behind firewall" -.lp -The kerberised server does not talk to the KDC at all, so nothing -beyond normal firewall-traversal techniques for reaching the server -itself needs to be applied. -.lp -If the firewall rewrites the clients address, the server will have to -use some other (possibly firewall specific) protocol to retrieve the -original address. If this is not possible, the address field will have -to be ignored. This has the same effect as if there were no addresses -in the ticket (see the discussion above). -.HH 2 "KDC behind firewall" -.lp -The KDC is in this respect basically just like any other server. -.\" .uh "Specification" -.HH 1 "Security considerations" -.lp -Since the whole network behind a NAT-type firewall looks like one -computer from the outside, any security added by the addresses in the -ticket will be lost. -.HH 1 "References" -.lp -.pd -.HH 1 "Authors' Addresses" -.lp -.nf -Assar Westerlund -Swedish Institute of Computer Science -Box 1263 -S-164 29 KISTA -.sp -Phone: +46-8-7521526 -Fax: +46-8-7517230 -EMail: assar@sics.se -.sp 2 -Johan Danielsson -Center for Parallel Computers -KTH -S-100 44 STOCKHOLM -.sp -Phone: +46-8-7906356 -Fax: +46-8-247784 -EMail: joda@pdc.kth.se -.fi \ No newline at end of file 
diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-hornstein-dhc-kerbauth-02.txt b/crypto/heimdal-0.6.3/doc/standardisation/draft-hornstein-dhc-kerbauth-02.txt
deleted file mode 100644
index 89e64524c4..0000000000
--- a/crypto/heimdal-0.6.3/doc/standardisation/draft-hornstein-dhc-kerbauth-02.txt
+++ /dev/null
@@ -1,1594 +0,0 @@ - -DHC Working Group Ken Hornstein -INTERNET-DRAFT NRL -Category: Standards Track Ted Lemon - Internet Engines, Inc. -20 February 2000 Bernard Aboba -Expires: September 1, 2000 Microsoft - Jonathan Trostle - Cisco Systems - - DHCP Authentication Via Kerberos V - -This document is an Internet-Draft and is in full conformance with all -provisions of Section 10 of RFC2026. - -Internet-Drafts are working documents of the Internet Engineering Task -Force (IETF), its areas, and its working groups. Note that other groups -may also distribute working documents as Internet- Drafts. - -Internet-Drafts are draft documents valid for a maximum of six months -and may be updated, replaced, or obsoleted by other documents at any -time. It is inappropriate to use Internet-Drafts as reference material -or to cite them other than as "work in progress." - -The list of current Internet-Drafts can be accessed at -http://www.ietf.org/ietf/1id-abstracts.txt - -The list of Internet-Draft Shadow Directories can be accessed at -http://www.ietf.org/shadow.html. - -The distribution of this memo is unlimited. - -1. Copyright Notice - -Copyright (C) The Internet Society (2000). All Rights Reserved. - -2. Abstract - -The Dynamic Host Configuration Protocol (DHCP) provides a mechanism for -host configuration. In some circumstances, it is useful for the DHCP -client and server to be able to mutually authenticate as well as to -guarantee the integrity of DHCP packets in transit. This document -describes how Kerberos V may be used in order to allow a DHCP client and -server to mutually authenticate as well as to protect the integrity of -the DHCP exchange. The protocol described in this document is capable of -handling both intra-realm and inter-realm authentication. - - - - - - -Hornstein, et al. Standards Track [Page 1] - - -INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000 - - -3. 
Introduction - -The Dynamic Host Configuration Protocol (DHCP) provides a mechanism for -host configuration. In some circumstances, it is useful for the DHCP -client and server to be able to mutually authenticate as well as to -guarantee the integrity of DHCP packets in transit. This document -describes how Kerberos V may be used in order to allow a DHCP client and -server to mutually authenticate as well as to protect the integrity of -the DHCP exchange. The protocol described in this document is capable -of handling both intra-realm and inter-realm authentication. - -3.1. Terminology - -This document uses the following terms: - -DHCP client - A DHCP client or "client" is an Internet host using DHCP to - obtain configuration parameters such as a network address. - -DHCP server - A DHCP server or "server" is an Internet host that returns - configuration parameters to DHCP clients. - -Home KDC The KDC corresponding to the DHCP client's realm. - -Local KDC The KDC corresponding to the DHCP server's realm. - -3.2. Requirements language - -In this document, the key words "MAY", "MUST, "MUST NOT", "optional", -"recommended", "SHOULD", and "SHOULD NOT", are to be interpreted as -described in [1]. - -4. Protocol overview - -In DHCP authentication via Kerberos V, DHCP clients and servers utilize -a Kerberos session key in order to compute a message integrity check -value included within the DHCP authentication option. The message -integrity check serves to authenticate as well as integrity protect the -messages, while remaining compatible with the operation of a DHCP relay. -Replay protection is also provided by a replay counter within the -authentication option, as described in [3]. - -Each server maintains a list of session keys and identifiers for -clients, so that the server can retrieve the session key and identifier -used by a client to which the server has provided previous configuration -information. 
Each server MUST save the replay counter from the previous -authenticated message. To avoid replay attacks, the server MUST discard - - - -Hornstein, et al. Standards Track [Page 2] - - -INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000 - - -any incoming message whose replay counter is not strictly greater than -the replay counter from the previous message. - -DHCP authentication, described in [3], must work within the existing -DHCP state machine described in [4]. For a client in INIT state, this -means that the client must obtain a valid TGT, as well as a session key, -within the two round-trips provided by the -DHCPDISCOVER/OFFER/REQUEST/ACK sequence. - -In INIT state, the DHCP client submits an incomplete AS_REQ to the DHCP -server within the DHCPDISCOVER message. The DHCP server then completes -the AS_REQ using the IP address to be assigned to the client, and -submits this to the client's home KDC in order to obtain a TGT on the -client's behalf. Once the home KDC responds with an AS_REP, the DHCP -server extracts the client TGT and submits this along with its own TGT -to the home KDC, in order to obtain a user-to-user ticket to the DHCP -client. The AS_REP as well as the AP_REQ are included by the DHCP server -in the DHCPOFFER. The DHCP client can then decrypt the AS_REP to obtain -a home realm TGT and TGT session key, using the latter to decrypt the -user-to-user ticket to obtain the user-to-user session key. It is the -user-to-user session key that is used to authenticate and integrity -protect the client's DHCPREQUEST, and DHCPDECLINE messages. Similarly, -this same session key is used to compute the integrity attribute in the -server's DHCPOFFER, DHCPACK and DHCPNAK messages, as described in [3]. - -In the INIT-REBOOT, REBINDING, or RENEWING states, the server can submit -the home realm TGT in the DHCPREQUEST, along with authenticating and -integrity protecting the message using an integrity attribute within the -authentication option. 
The integrity attribute is computed using the -existing session key. The DHCP server can then return a renewed user- -to-user ticket within the DHCPACK message. The authenticated DHCPREQUEST -message from a client in INIT-REBOOT state can only be validated by -servers that used the same session key to compute the integrity -attribute in their DHCPOFFER messages. - -Other servers will discard the DHCPREQUEST messages. Thus, only servers -that used the user-to-user session key selected by the client will be -able to determine that their offered configuration information was not -selected, returning the offered network address to the server's pool of -available addresses. The servers that cannot validate the DHCPREQUEST -message will eventually return their offered network addresses to their -pool of available addresses as described in section 3.1 of the DHCP -specification [4]. - -When sending a DHCPINFORM, there are two possible procedures. If the -client knows the DHCP server it will be interacting with, then it can -obtain a ticket to the DHCP server from the local realm KDC. This will -require obtaining a TGT to its home realm, as well as possibly a cross- - - - -Hornstein, et al. Standards Track [Page 3] - - -INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000 - - -realm TGT to the local realm if the local and home realms differ. Once -the DHCP client has a local realm TGT, it can then request a DHCP server -ticket in a TGS_REQ. The DHCP client can then include AP_REQ and -integrity attributes within the DHCPINFORM. The integrity attribute is -computed as described in [3], using the session key obtained from the -TGS_REP. The DHCP server replies with a DHCPACK/DHCPNAK, authenticated -using the same session key. - -If the DHCP client does not know the DHCP server it is interacting with -then it will not be able to obtain a ticket to it and a different -procedure is needed. 
In this case, the client will include in the -DHCPINFORM an authentication option with a ticket attribute containing -its home realm TGT. The DHCP server will then use this TGT in order to -request a user-to-user ticket from the home KDC in a TGS_REQ. The DHCP -server will return the user-to-user ticket and will authenticate and -integrity protect the DHCPACK/DHCPNAK message. This is accomplished by -including AP_REQ and integrity attributes within the authentication -option included with the DHCPACK/DHCPNAK messages. - -In order to support the DHCP client's ability to authenticate the DHCP -server in the case where the server name is unknown, the Kerberos -principal name for the DHCP server must be of type KRB_NT_SRV_HST with -the service name component equal to 'dhcp'. For example, the DHCP server -principal name for the host srv.foo.org would be of the form -dhcp/srv.foo.org. The client MUST validate that the DHCP server -principal name has the above format. This convention requires that the -administrator ensure that non-DHCP server principals do not have names -that match the above format. - -4.1. Authentication Option Format - -A summary of the authentication option format for DHCP authentication -via Kerberos V is shown below. The fields are transmitted from left to -right. - -0 1 2 3 -0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -| Code | Length | Protocol | Algorithm | -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -| Global Replay Counter | -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -| Global Replay Counter | -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -| Attributes... -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - -Code - - - -Hornstein, et al. 
Standards Track [Page 4] - - -INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000 - - - TBD - DHCP Authentication - -Length - - The length field is a single octet and indicates the length of the - Protocol, Algorith, and Authentication Information fields. Octets - outside the range of the length field should be ignored on reception. - -Protocol - - TBD - DHCP Kerberos V authentication - -Algorithm - - The algorithm field is a single octet and defines the specific - algorithm to be used for computation of the authentication option. - Values for the field are as follows: - - 0 - reserved - 1 - HMAC-MD5 - 2 - HMAC-SHA - 3 - 255 reserved - -Global Replay Counter - - As described in [3], the global replay counter field is 8 octets in - length. It MUST be set to the value of a monotonically increasing - counter. Using a counter value such as the current time of day (e.g., - an NTP-format timestamp [10]) can reduce the danger of replay - attacks. - -Attributes - - The attributes field consists of type-length-value attributes of the - following format: - - 0 1 2 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Type | Reserved | Payload Length | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Attribute value... - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - -Type - The type field is a single octet and is defined as follows: - - 0 - Integrity check - - - -Hornstein, et al. 
Standards Track [Page 5] - - -INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000 - - - 1 - TICKET - 2 - Authenticator - 3 - EncTicketPart - 10 - AS_REQ - 11 - AS_REP - 12 - TGS_REQ - 13 - TGS_REP - 14 - AP_REQ - 15 - AP_REP - 20 - KRB_SAFE - 21 - KRB_PRIV - 22 - KRB_CRED - 25 - EncASRepPart - 26 - EncTGSRepPart - 27 - EncAPRepPart - 28 - EncKrbPrvPart - 29 - EncKrbCredPart - 30 - KRB_ERROR - - Note that the values of the Type field are the same as in the - Kerberos MSG-TYPE field. As a result, no new number spaces are - created for IANA administration. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Hornstein, et al. Standards Track [Page 6] - - -INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000 - - - The following attribute types are allowed within the following - messages: - - DISCOVER OFFER REQUEST DECLINE # Attribute - -------------------------------------------------------- - 0 1 1 1 0 Integrity check - 0 0 0-1 0 1 Ticket - 1 0 0 0 10 AS_REQ - 0 1 0 0 11 AS_REP - 0 1 0 0 14 AP_REQ - 0 0-1 0 0 30 KRB_ERROR - - RELEASE ACK NAK INFORM INFORM # Attribute - w/known w/unknown - server server - --------------------------------------------------------------- - 1 1 1 1 0 0 Integrity check - 0 0 0 0 1 1 Ticket - 0 0 0 0 0 10 AS_REQ - 0 0 0 0 0 11 AS_REP - 0 0-1 0 1 0 14 AP_REQ - 0 0 0-1 0 0 30 KRB_ERROR - -4.2. Client behavior - -The following section, which incorporates material from [3], describes -client behavior in detail. - -4.2.1. INIT state - -When in INIT state, the client behaves as follows: - - -[1] As described in [3], the client MUST include the authentication - request option in its DHCPDISCOVER message along with option 61 - [11] to identify itself uniquely to the server. An AS_REQ attribute - MUST be included within the authentication request option. 
This - (incomplete) AS_REQ will set the FORWARDABLE and RENEWABLE flags - and MAY include pre-authentication data (PADATA) if the client - knows what PADATA its home KDC will require. The ADDRESSES field in - the AS_REQ will be ommitted since the client does not yet know its - IP address. The ETYPE field will be set to an encryption type that - the client can accept. - -[2] The client MUST validate DHCPOFFER messages that include an - authentication option. Messages including an authentication option - with a KRB_ERROR attribute and no integrity attribute are treated - as though they are unauthenticated. More typically, authentication - - - -Hornstein, et al. Standards Track [Page 7] - - -INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000 - - - options within the DHCPOFFER message will include AS_REP, AP_REQ, - and integrity attributes. To validate the authentication option, - the client decrypts the enc-part of the AS_REP in order to obtain - the TGT session key. This is used to decrypt the enc-part of the - AP_REQ in order to obtain the user-to-user session key. The user- - to-user session key is then used to compute the message integrity - check as described in [3], and the computed value is compared to - the value within the integrity attribute. The client MUST discard - any messages which fail to pass validation and MAY log the - validation failure. - - As described in [3], the client selects one DHCPOFFER message as - its selected configuration. If none of the DHCPOFFER messages - received by the client include an authentication option, the client - MAY choose an unauthenticated message as its selected - configuration. DHCPOFFER messages including an authentication - option with a KRB_ERROR attribute and no integrity attribute are - treated as though they are unauthenticated. The client SHOULD be - configurable to accept or reject unauthenticated DHCPOFFER - messages. 
- -[3] The client replies with a DHCPREQUEST message that MUST include an - authentication option. The authentication option MUST include an - integrity attribute, computed as described in [3], using the user - to user session key recovered in step 2. - -[4] As noted in [3], the client MUST validate a DHCPACK message from - the server that includes an authentication option. DHCPACK or - DHCPNAK messages including an authentication option with a - KRB_ERROR attribute and no integrity attribute are treated as - though they are unauthenticated. The client MUST silently discard - the DHCPACK if the message fails to pass validation and MAY log the - validation failure. If the DHCPACK fails to pass validation, the - client MUST revert to the INIT state and return to step 1. The - client MAY choose to remember which server replied with an invalid - DHCPACK message and discard subsequent messages from that server. - -4.2.2. INIT-REBOOT state - -When in INIT-REBOOT state, if the user-to-user ticket is still valid, -the client MUST re-use the session key from the DHCP server user-to-user -ticket in its DHCPREQUEST message. This is used to generate the -integrity attribute contained within the authentication option, as -described in [3]. In the DHCPREQUEST, the DHCP client also includes its -home realm TGT in a ticket attribute in the authentication option in -order to assist the DHCP server in renewing the user-to-user ticket. To -ensure that the user-to-user ticket remains valid throughout the DHCP -lease period so that the renewal process can proceed, the Kerberos - - - -Hornstein, et al. Standards Track [Page 8] - - -INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000 - - -ticket lifetime SHOULD be set to exceed the DHCP lease time. If the -user-to-user ticket is expired, then the client MUST return to the INIT -state. - -The client MAY choose to accept unauthenticated DHCPACK/DHCPNAK messages -if no authenticated messages were received. 
DHCPACK/DHCPNAK messages -with an authentication option containing a KRB_ERROR attribute and no -integrity attribute are treated as though they are unauthenticated. The -client MUST treat the receipt (or lack thereof) of any DHCPACK/DHCPNAK -messages as specified in section 3.2 of the DHCP specification [4]. - -4.2.3. RENEWING state - -When in RENEWING state, the DHCP client can be assumed to have a valid -IP address, as well as a TGT to the home realm, a user-to-user ticket -provided by the DHCP server, and a session key with the DHCP server, all -obtained during the original DHCP conversation. If the user-to-user -ticket is still valid, the client MUST re-use the session key from the -user-to-user ticket in its DHCPREQUEST message to generate the integrity -attribute contained within the authentication option. - -Since the DHCP client can renew the TGT to the home realm, it is -possible for it to continue to hold a valid home realm TGT. However, -since the DHCP client did not obtain the user-to-user ticket on its own, -it will need to rely on the DHCP server to renew this ticket. In the -DHCPREQUEST, the DHCP client includes its home realm TGT in a ticket -attribute in the authentication option in order to assist the DHCP -server in renewing the user-to-user ticket. - -If the DHCP server user-to-user ticket is expired, then the client MUST -return to INIT state. To ensure that the user-to-user ticket remains -valid throughout the DHCP lease period so that the renewal process can -proceed, the Kerberos ticket lifetime SHOULD be set to exceed the DHCP -lease time. If client receives no DHCPACK messages or none of the -DHCPACK messages pass validation, the client behaves as if it had not -received a DHCPACK message in section 4.4.5 of the DHCP specification -[4]. - -4.2.4. 
REBINDING state - -When in REBINDING state, the DHCP client can be assumed to have a valid -IP address, as well as a TGT to the home realm, a user-to-user ticket -and a session key with the DHCP server, all obtained during the original -DHCP conversation. If the user-to-user ticket is still valid, the -client MUST re-use the session key from the user-to-user ticket in its -DHCPREQUEST message to generate the integrity attribute contained within -the authentication option, as described in [3]. - - - - -Hornstein, et al. Standards Track [Page 9] - - -INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000 - - -Since the DHCP client can renew the TGT to the home realm, it is -possible for it to continue to hold a valid home realm TGT. However, -since the DHCP client did not obtain the user-to-user ticket on its own, -it will need to rely on the DHCP server to renew this ticket. In the -DHCPREQUEST, the DHCP client includes its home realm TGT in a ticket -attribute in the authentication option in order to assist the DHCP -server in renewing the user-to-user ticket. - -If the user-to-user ticket is expired, then the client MUST return to -INIT state. To ensure that the user-to-user ticket remains valid -throughout the DHCP lease period so that the renewal process can -proceed, the Kerberos ticket lifetime SHOULD be set to exceed the DHCP -lease time. If client receives no DHCPACK messages or none of the -DHCPACK messages pass validation, the client behaves as if it had not -received a DHCPACK message in section 4.4.5 of the DHCP specification -[4]. - -4.2.5. DHCPRELEASE message - -Clients sending a DHCPRELEASE MUST include an authentication option. The -authentication option MUST include an integrity attribute, computed as -described in [3], using the user to user session key. - -4.2.6. DHCPDECLINE message - -Clients sending a DHCPDECLINE MUST include an authentication option. 
The -authentication option MUST include an integrity attribute, computed as -described in [3], using the user to user session key. - -4.2.7. DHCPINFORM message - -Since the client already has some configuration information, it can be -assumed that it has the ability to obtain a home or local realm TGT -prior to sending the DHCPINFORM. - -If the DHCP client knows which DHCP server it will be interacting with, -then it SHOULD include an authentication option containing AP_REQ and -integrity attributes within the DHCPINFORM. The DHCP client first -requests a TGT to the local realm via an AS_REQ and then using the TGT -returned in the AS_REP to request a ticket to the DHCP server from the -local KDC in a TGS_REQ. The session key obtained from the TGS_REP will -be used to generate the integrity attribute as described in [3]. - -If the DHCP client does not know what DHCP server it will be talking to, -then it cannot obtain a ticket to the DHCP server. In this case, the -DHCP client MAY send an unauthenticated DHCPINFORM or it MAY include an -authentication option including a ticket attribute only. The ticket -attribute includes a TGT for the home realm. The client MUST validate - - - -Hornstein, et al. Standards Track [Page 10] - - -INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000 - - -that the DHCP server name in the received Kerberos AP_REQ message is of -the form dhcp/.... as described in section 4. - -The client MAY choose to accept unauthenticated DHCPACK/DHCPNAK messages -if no authenticated messages were received. DHCPACK/DHCPNAK messages -with an authentication option containing a KRB_ERROR attribute and no -integrity attribute are treated as though they are unauthenticated. The -client MUST treat the receipt (or lack thereof) of any DHCPACK/DHCPNAK -messages as specified in section 3.2 of the DHCP specification [4]. - -4.3. 
Server behavior - -This section, which relies on material from [3], describes the behavior -of a server in response to client messages. - -4.3.1. After receiving a DHCPDISCOVER message - -For installations where IP addresses are required within tickets, the -DHCP server MAY complete the AS_REQ by filling in the ADDRESSES field -based on the IP address that it will include in the DHCPOFFER. The DHCP -server sends the AS_REQ to the home KDC with the FORWARDABLE flag set. -The home KDC then replies to the DHCP server with an AS_REP. The DHCP -server extracts the client TGT from the AS_REP and forms a TGS_REQ, -which it sends to the home KDC. - -If the DHCP server and client are in different realms, then the DHCP -server will need to obtain a TGT to the home realm from the KDC of its -own (local) realm prior to sending the TGS_REQ. The TGS_REQ includes the -DHCP server's TGT within the home realm, has the ENC-TKT-IN-SKEY flag -set and includes the client home realm TGT in the ADDITIONAL-TICKETS -field, thus requesting a user-to ticket to the DHCP client. The home -KDC then returns a user-to-user ticket in a TGS_REP. The user-to-user -ticket is encrypted in the client's home realm TGT session key. - -In order to recover the user-to-user session key, the DHCP server -decrypts the enc-part of the TGS_REP. To accomplish this, the DHCP -server uses the session key that it shares with the home realm, obtained -in the AS_REQ/AS_REP conversation that it used to obtain its own TGT to -the home realm. - -The DHCP server then sends a DHCPOFFER to the client, including AS_REP, -AP_REQ and integrity attributes within the authentication option. The -AS_REP attribute encapsulates the AS_REP sent to the DHCP server by the -home KDC. The AP_REQ attribute includes an AP_REQ constructed by the -DHCP server based on the TGS_REP sent to it by the home KDC. The server -also includes an integrity attribute generated as specified in [3] from -the user-to-user session key. 
The server MUST record the user-to-user -session key selected for the client and use that session key for - - - -Hornstein, et al. Standards Track [Page 11] - - -INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000 - - -validating subsequent messages with the client. - -4.3.2. After receiving a DHCPREQUEST message - -The DHCP server uses the user-to-user session key in order to validate -the integrity attribute contained within the authentication option, -using the method specified in [3]. If the message fails to pass -validation, it MUST discard the message and MAY choose to log the -validation failure. - -If the message passes the validation procedure, the server responds as -described in [4], including an integrity attribute computed as specified -in [3] within the DHCPACK or DHCPNAK message. - -If the authentication option included within the DHCPREQUEST message -contains a ticket attribute then the DHCP server will use the home realm -TGT included in the ticket attribute in order to renew the user-to-user -ticket, which it returns in an AP_REQ attribute within the DHCPACK. -DHCPACK or DHCPNAK messages then include an integrity attribute -generated as specified in [3], using the new user-to-user session key -included within the AP_REQ. - -4.3.3. After receiving a DHCPINFORM message - -The server MAY choose to accept unauthenticated DHCPINFORM messages, or -only accept authenticated DHCPINFORM messages based on a site policy. - -When a client includes an authentication option in a DHCPINFORM message, -the server MUST respond with an authenticated DHCPACK or DHCPNAK -message. If the DHCPINFORM message includes an authentication option -including AP_REQ and integrity attributes, the DHCP server decrypts the -AP_REQ attribute and then recovers the session key. The DHCP server than -validates the integrity attribute included in the authentication option -using the session key. 
If the integrity attribute is invalid then the -DHCP server MUST silently discard the DHCPINFORM message. - -If the authentication option only includes a ticket attribute and no -integrity or AP_REQ attributes, then the DHCP server should assume that -the client needs the server to obtain a user-to-user ticket from the -home realm KDC. In this case, the DHCP server includes the client home -realm TGT and its own home realm TGT in a TGS_REQ to the home realm KDC. -It then receives a user-to-user ticket from the home realm KDC in a -TGS_REP. The DHCP server will then include AP_REQ and integrity -attributes within the DHCPACK/DHCPNAK. - -If the client does not include an authentication option in the -DHCPINFORM, the server can either respond with an unauthenticated -DHCPACK message, or a DHCPNAK if the server does not accept - - - -Hornstein, et al. Standards Track [Page 12] - - -INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000 - - -unauthenticated clients. - -4.3.4. After receiving a DHCPRELEASE message - -The DHCP server uses the session key in order to validate the integrity -attribute contained within the authentication option, using the method -specified in [3]. If the message fails to pass validation, it MUST -discard the message and MAY choose to log the validation failure. - -If the message passes the validation procedure, the server responds as -described in [4], marking the client's network address as not allocated. - -4.3.5. After receiving a DHCPDECLINE message - -The DHCP server uses the session key in order to validate the integrity -attribute contained within the authentication option, using the method -specified in [3]. If the message fails to pass validation, it MUST -discard the message and MAY choose to log the validation failure. - -If the message passes the validation procedure, the server proceeds as -described in [4]. - -4.4. 
Error handling - -When an error condition occurs during a Kerberos exchange, Kerberos -error messages can be returned by either side. These Kerberos error -messages MAY be logged by the receiving and sending parties. - -In some cases, it may be possible for these error messages to be -included within the authentication option via the KRB_ERROR attribute. -However, in most cases, errors will result in messages being silently -discarded and so no response will be returned. - -For example, if the home KDC returns a KRB_ERROR in response to the -AS_REQ submitted by the DHCP server on the client's behalf, then the -DHCP server will conclude that the DHCPDISCOVER was not authentic, and -will silently discard it. - -However, if the AS_REQ included PADATA and the home KDC responds with an -AS_REP, then the DHCP server can conclude that the client is authentic. -If the subsequent TGS_REQ is unsuccessful, with a KRB_ERROR returned by -the home KDC in the TGS_REP, then the fault may lie with the DHCP server -rather than with the client. In this case, the DHCP server MAY choose to -return a KRB_ERROR within the authentication option included in the -DHCPOFFER. The client will then treat this as an unauthenticated -DHCPOFFER. - - - - - -Hornstein, et al. Standards Track [Page 13] - - -INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000 - - -Similarly, if the integrity attribute contained in the DHCPOFFER proves -invalid, the client will silently discard the DHCPOFFER and instead -accept an offer from another server if one is available. If the -integrity attribute included in the DHCPACK/DHCPNAK proves invalid, then -the client behaves as if it did not receive a DHCPACK/DHCPNAK. - -When in INIT-REBOOT, REBINDING or RENEWING state, the client will -include a ticket attribute and integrity attribute within the -authentication option of the DHCPREQUEST, in order to assist the DHCP -server in renewing the user-to-user ticket. 
If the integrity attribute -is invalid, then the DHCP server MUST silently discard the DHCPREQUEST. - -However, if the integrity attribute is successfully validated by the -DHCP server, but the home realm TGT included in the ticket attribute is -invalid (e.g. expired), then the DHCP server will receive a KRB_ERROR in -response to its TGS_REQ to the home KDC. In this case, the DHCP server -MAY respond with a DHCPNAK including a KRB_ERROR attribute and no -integrity attribute within the authentication option. This will force -the client back to the INIT state, where it can receive a valid home -realm TGT. - -Where the client included PADATA in the AS_REQ attribute of the -authentication option within the DHCPDISCOVER and the AS_REQ was -successfully validated by the KDC, the DHCP server will conclude that -the DHCP client is authentic. In this case if the client successfully -validates the integrity attribute in the DHCPOFFER, but the server does -not validate the integrity attribute in the client's DHCPREQUEST, the -server MAY choose to respond with an authenticated DHCPNAK containing a -KRB_ERROR attribute. - -4.5. PKINIT issues - -When public key authentication is supported with Kerberos as described -in [8], the client certificate and a signature accompany the initial -request in the preauthentication fields. As a result, it is conceivable -that the incomplete AS_REQ included in the DHCPDISCOVER packet may -exceed the size of a single DHCP option, or even the MTU size. As noted -in [4], a single option may be as large as 255 octets. If the value to -be passed is larger than this the client concatenates together the -values of multiple instances of the same option. - -4.6. Examples - -4.6.1. INIT state - -In the intra-realm case where the DHCP Kerberos mutual authentication is -successful, the conversation will appear as follows: - - - - -Hornstein, et al. 
Standards Track [Page 14] - - -INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000 - - - DHCP DHCP - Client Server KDC --------------- ------------- --------- -DHCPDISCOVER - (Incomplete - AS_REQ) -> - AS_REQ -> - <- AS_REP - TGS_REQ - U-2-U -> - <- TGS_REP - <- DHCPOFFER, - (AS_REP, - AP_REQ, - Integrity) -DHCPREQUEST - (Integrity) -> - <- DHCPACK - (Integrity) - -In the case where the KDC returns a KRB_ERROR in response to the AS_REQ, -the server will silently discard the DHCPDISCOVER and the conversation -will appear as follows: - - DHCP DHCP - Client Server KDC --------------- ------------- --------- -DHCPDISCOVER - (Incomplete - AS_REQ) -> - AS_REQ -> - <- KRB_ERROR - -In the inter-realm case where the DHCP Kerberos mutual authentication is -successful, the conversation will appear as follows: - - DHCP DHCP Home Local - Client Server KDC KDC --------------- ------------- --------- --------- -DHCPDISCOVER -(Incomplete - AS_REQ) -> - AS_REQ -> - <- AS_REP - TGS_REQ -> - (cross realm, - for home - KDC) - - - -Hornstein, et al. Standards Track [Page 15] - - -INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000 - - - <- TGS_REP - - TGS_REQ - U-2-U -> - <- TGS_REP - <- DHCPOFFER, - (AS_REP, - AP_REQ, - Integrity) -DHCPREQUEST - (Integrity) -> - <- DHCPACK - (Integrity) - -In the case where the client includes PADATA in the AS_REQ attribute -within the authentication option of the DHCPDISCOVER and the KDC returns -an error-free AS_REP indicating successful validation of the PADATA, the -DHCP server will conclude that the DHCP client is authentic. If the KDC -then returns a KRB_ERROR in response to the TGS_REQ, indicating a fault -that lies with the DHCP server, the server MAY choose not to silently -discard the DHCPDISCOVER. Instead it MAY respond with a DHCPOFFER -including a KRB_ERROR attribute within the authentication option. The -client will then treat this as an unauthenticated DHCPOFFER. 
The -conversation will appear as follows: - - DHCP DHCP - Client Server KDC --------------- ------------- --------- -DHCPDISCOVER - (Incomplete - AS_REQ - w/PADATA) -> - AS_REQ -> - <- AS_REP - TGS_REQ - U-2-U -> - <- KRB_ERROR - <- DHCPOFFER, - (KRB_ERROR) -DHCPREQUEST -> - <- DHCPACK - -In the intra-realm case where the client included PADATA in the AS_REQ -attribute of the authentication option and the AS_REQ was successfully -validated by the KDC, the DHCP server will conclude that the DHCP client -is authentic. In this case if the client successfully validates the -integrity attribute in the DHCPOFFER, but the server does not validate -the integrity attribute in the client's DHCPREQUEST, the server MAY - - - -Hornstein, et al. Standards Track [Page 16] - - -INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000 - - -choose to respond with an authenticated DHCPNAK containing a KRB_ERROR -attribute. The conversation will appear as follows: - - DHCP DHCP - Client Server KDC --------------- ------------- --------- -DHCPDISCOVER - (Incomplete - AS_REQ - w/PADATA) -> - AS_REQ -> - <- AS_REP - TGS_REQ - U-2-U -> - <- TGS_REP - <- DHCPOFFER, - (AS_REP, - AP_REQ, - Integrity) -DHCPREQUEST - (Integrity) -> - <- DHCNAK - (KRB_ERROR, - Integrity) -DHCPDISCOVER - (Incomplete - AS_REQ) -> - -In the intra-realm case where the DHCP client cannot validate the -integrity attribute in the DHCPOFFER, the client silently discards the -DHCPOFFER. The conversation will appear as follows: - - DHCP DHCP - Client Server KDC --------------- ------------- --------- -DHCPDISCOVER - (Incomplete - AS_REQ) -> - AS_REQ -> - <- AS_REP - TGS_REQ - U-2-U -> - <- TGS_REP - <- DHCPOFFER, - (AS_REP, - AP_REQ, - Integrity) -DHCPREQUEST - - - -Hornstein, et al. 
Standards Track [Page 17] - - -INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000 - - - [To another server] - (Integrity) -> - -In the intra-realm case where the DHCP client cannot validate the -integrity attribute in the DHCPACK, the client reverts to INIT state. -The conversation will appear as follows: - - DHCP DHCP - Client Server KDC --------------- ------------- --------- -DHCPDISCOVER -(Incomplete - AS_REQ) -> - AS_REQ -> - <- AS_REP - TGS_REQ - U-2-U -> - <- TGS_REP - <- DHCPOFFER, - (AS_REP, - AP_REQ, - Integrity) -DHCPREQUEST - (Integrity) -> - <- DHCPACK - (Integrity) -DHCPDISCOVER - (Incomplete - AS_REQ) -> - -4.6.2. INIT-REBOOT, RENEWING or REBINDING - -In the intra-realm or inter-realm case where the original user-to-user -ticket is still valid, and the DHCP server still has a valid TGT to the -home realm, the conversation will appear as follows: - - DHCP DHCP Home - Client Server KDC --------------- ------------- --------- - -DHCPREQUEST - (TGT, - Integrity) -> - TGS_REQ - U-2-U -> - <- TGS_REP - <- DHCPACK - (AP_REQ, - - - -Hornstein, et al. Standards Track [Page 18] - - -INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000 - - - Integrity) - -In the intra-realm or inter-realm case where the DHCP server validates -the integrity attribute in the DHCPREQUEST, but receives a KRB_ERROR in -response to the TGS_REQ to the KDC, the DHCP sever MAY choose not to -silently discard the DHCPREQUEST and MAY return an authenticated DHCPNAK -to the client instead, using the user-to-user session key previously -established with the client. 
The conversation appears as follows: - - DHCP DHCP Home - Client Server KDC --------------- ------------- --------- - -DHCPREQUEST - (TGT, - Integrity) -> - TGS_REQ - U-2-U -> - <- KRB_ERROR - <- DHCPNAK - (KRB_ERROR, - Integrity) -DHCPDISCOVER - (Incomplete - AS_REQ) -> - -In the intra-realm or inter-realm case where the DHCP server cannot -validate the integrity attribute in the DHCPREQUEST, the DHCP server -MUST silently discard the DHCPREQUEST and the conversation will appear -as follows: - - DHCP DHCP - Client Server KDC --------------- ------------- --------- - -DHCPREQUEST - (TGT, - Integrity) -> - Silent discard -[Sequence repeats - until timeout] - -DHCPDISCOVER - (Incomplete - AS_REQ) -> - -In the intra-realm or inter-realm case where the original user-to-user -ticket is still valid, the server validates the integrity attribute in - - - -Hornstein, et al. Standards Track [Page 19] - - -INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000 - - -the DHCPREQUEST, but the client fails to validate the integrity -attribute in the DHCPACK, the client will silently discard the DHCPACK. -The conversation will appear as follows: - - DHCP DHCP - Client Server KDC --------------- ------------- --------- - -DHCPREQUEST - (TGT, - Integrity) -> - - <- DHCPACK - (AP_REQ, - Integrity) -DHCPDISCOVER - (Incomplete - AS_REQ) -> - -4.6.3. DHCPINFORM (with known DHCP server) - -In the case where the DHCP client knows the DHCP server it will be -interacting with, the DHCP client will obtain a ticket to the DHCP -server and will include AP_REQ and integrity attributes within the -DHCPINFORM. 
- -Where the DHCP Kerberos mutual authentication is successful, the -conversation will appear as follows: - - DHCP DHCP - Client Server KDC --------------- ------------- --------- -AS_REQ -> - <- AS_REP -TGS_REQ -> - <- TGS_REP -DHCPINFORM - (AP_REQ, - Integrity) -> - <- DHCPACK - (Integrity) - -In the inter-realm case where the DHCP Kerberos mutual authentication is -successful, the conversation will appear as follows: - - DHCP DHCP Home Local - Client Server KDC KDC --------------- ------------- --------- --------- - - - -Hornstein, et al. Standards Track [Page 20] - - -INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000 - - -AS_REQ -> - <- AS_REP -TGS_REQ -> - <- TGS_REP -TGS_REQ -> - <- TGS_REP -DHCPINFORM - (AP_REQ, - Integrity) -> - <- DHCPACK - (Integrity) - -In the inter-realm case where the DHCP server fails to validate the -integrity attribute in the DHCPINFORM, the server MUST silently discard -the DHCPINFORM. The conversation will appear as follows: - - DHCP DHCP Home Local - Client Server KDC KDC --------------- ------------- --------- --------- -AS_REQ -> - <- AS_REP -TGS_REQ -> - <- TGS_REP -TGS_REQ -> - <- TGS_REP -DHCPINFORM - (AP_REQ, - Integrity) -> - <- DHCPACK - (Integrity) -DHCPINFORM - (AP_REQ, - Integrity) -> - -In the inter-realm case where the DHCP client fails to validate the -integrity attribute in the DHCPACK, the client MUST silently discard the -DHCPACK. The conversation will appear as follows: - - DHCP DHCP Home Local - Client Server KDC KDC --------------- ------------- --------- --------- -AS_REQ -> - <- AS_REP -TGS_REQ -> - <- TGS_REP -TGS_REQ -> - <- TGS_REP -DHCPINFORM - - - -Hornstein, et al. Standards Track [Page 21] - - -INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000 - - - (AP_REQ, - Integrity) -> - -4.6.4. 
DHCPINFORM (with unknown DHCP server) - -In the case where the DHCP client does not know the DHCP server it will -be interacting with, the DHCP client will only include a ticket -attribute within the DHCPINFORM. Thus the DHCP server will not be able -to validate the authentication option. - -Where the DHCP client is able to validate the DHCPACK and no error -occur, the onversation will appear as follows: - - DHCP DHCP - Client Server KDC --------------- ------------- --------- -AS_REQ -> - <- AS_REP -DHCPINFORM - (Ticket) -> - TGS_REQ - U-2-U -> - <- TGS_REP - <- DHCPACK - (AP_REQ, - Integrity) - -In the inter-realm case where the DHCP server needs to obtain a TGT to -the home realm, and where the client successfully validates the DHCPACK, -the conversation will appear as follows: - - DHCP DHCP Home Local - Client Server KDC KDC --------------- ------------- --------- --------- -AS_REQ -> - <- AS_REP -DHCPINFORM - (Ticket) -> - AS_REQ -> - <- AS_REP - TGS_REQ -> - (cross realm, - for home - KDC) - <- TGS_REP - - TGS_REQ - U-2-U -> - - - -Hornstein, et al. Standards Track [Page 22] - - -INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000 - - - <- TGS_REP - <- DHCPACK - (AP_REQ, - Integrity) - -In the inter-realm case where the local KDC returns a KRB_ERROR in -response to the TGS_REQ from the DHCP server, the DHCP server MAY return -a KRB_ERROR within the DHCP authentication option included in a DHCPNAK. -The conversation will appear as follows: - - DHCP DHCP Home Local - Client Server KDC KDC --------------- ------------- --------- --------- -AS_REQ -> - <- AS_REP -DHCPINFORM - (Ticket) -> - AS_REQ -> - <- AS_REP - TGS_REQ -> - (cross realm, - for home - KDC) - <- KRB_ERROR - <- DHCPNAK - (KRB_ERROR) - - -In the inter-realm case where the DHCP client fails to validate the -integrity attribute in the DHCPACK, the client MUST silently discard the -DHCPACK. 
The conversation will appear as follows: - - DHCP DHCP Home Local - Client Server KDC KDC --------------- ------------- --------- --------- -AS_REQ -> - <- AS_REP -DHCPINFORM - (Ticket) -> - AS_REQ -> - <- AS_REP - TGS_REQ -> - (cross realm, - for home - KDC) - <- TGS_REP - - TGS_REQ - - - -Hornstein, et al. Standards Track [Page 23] - - -INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000 - - - U-2-U -> - <- TGS_REP - <- DHCPACK - (AP_REQ, - Integrity) -DHCPINFORM - (Ticket) -> - -5. References - - -[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement - Levels", BCP 14, RFC 2119, March 1997. - -[2] Kohl, J., Neuman, C., "The Kerberos Network Authentication Service - (V5)", RFC 1510, September 1993. - -[3] Droms, R., Arbaugh, W., "Authentication for DHCP Messages", - Internet draft (work in progress), draft-ietf-dhc- - authentication-11.txt, June 1999. - -[4] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, March - 1997. - -[5] Alexander, S., Droms, R., "DHCP Options and BOOTP Vendor - Extensions", RFC 2132, March 1997. - -[6] Perkins, C., "IP Mobility Support", RFC 2002, October 1996. - -[7] Jain, V., Congdon, P., Roese, J., "Network Port Authentication", - IEEE 802.1 PAR submission, June 1999. - -[8] Tung, B., Neuman, C., Hur, M., Medvinsky, A., Medvinsky, S., Wray, - J., Trostle, J., "Public Key Cryptography for Initial - Authentication in Kerberos", Internet draft (work in progress), - draft-ietf-cat-kerberos-pk-init-09.txt, June 1999. - -[9] Tung, B., Ryutov, T., Neuman, C., Tsudik, G., Sommerfeld, B., - Medvinsky, A., Hur, M., "Public Key Cryptography for Cross-Realm - Authentication in Kerberos", Internet draft (work in progress), - draft-ietf-cat-kerberos-pk-cross-04.txt, June 1999. - -[10] Mills, D., "Network Time Protocol (Version 3)", RFC-1305, March - 1992. - -[11] Henry, M., "DHCP Option 61 UUID Type Definition", Internet draft - (work in progress), draft-henry-DHCP-opt61-UUID-type-00.txt, - November 1998. 
-
-
-
-Hornstein, et al. Standards Track [Page 24]
-
-
-INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000
-
-
-6. Security Considerations
-
-DHCP authentication, described in [3], addresses the following threats:
-
- Modification of messages
- Rogue servers
- Unauthorized clients
-
-This section describes how DHCP authentication via Kerberos V addresses
-each of these threats.
-
-6.1. Client security
-
-As noted in [3], it may be desirable to ensure that IP addresses are
-only allocated to authorized clients. This can serve to protect against
-denial of service attacks. To address this issue it is necessary for
-DHCP client messages to be authenticated. In order to guard against
-message modification, it is also necessary for DHCP client messages to
-be integrity protected.
-
-Note that this protocol does not make use of KRB_SAFE, so as to allow
-modification of mutable fields by the DHCP relay. Replay protection is
-therefore provided within the DHCP authentication option itself.
-
-In DHCP authentication via Kerberos V the DHCP client will authenticate,
-integrity and replay-protect the DHCPREQUEST, DHCPDECLINE and
-DHCPRELEASE messages using a user-to-user session key obtained by the
-DHCP server from the home KDC. If the DHCP client knows the DHCP server
-it will be interacting with, then the DHCP client MAY also authenticate,
-integrity and replay-protect the DHCPINFORM message using a session key
-obtained from the local realm KDC for the DHCP server it expects to
-converse with.
-
-Since the client has not yet obtained a session key, DHCPDISCOVER
-packets cannot be authenticated using the session key. However, the
-client MAY include pre-authentication data in the PADATA field included
-in the DHCPDISCOVER packet. Since the PADATA will then be used by the
-DHCP server to request a ticket on the client's behalf, the DHCP server
-will learn from the AS_REP whether the PADATA was acceptable or not.
-Therefore in this case, the DHCPDISCOVER will be authenticated but not
-integrity protected.
-
-Where the DHCP client does not know the DHCP server it will be
-interacting with ahead of time, the DHCPINFORM message will not be
-authenticated, integrity or replay protected.
-
-Note that snooping of PADATA and TGTs on the wire may provide an
-attacker with a means of mounting a dictionary attack, since these items
-
-
-
-Hornstein, et al. Standards Track [Page 25]
-
-
-INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000
-
-
-are typically encrypted with a key derived from the user's password.
-Thus use of strong passwords and/or pre-authentication methods utilizing
-strong cryptography (see [8]) are recommended.
-
-6.2. Network access control
-
-DHCP authentication has been proposed as a method of limiting access to
-network media that are not physically secured such as wireless LANs and
-ports in college residence halls. However, it is not particularly well
-suited to this purpose since even if address allocation is denied an
-inauthentic client may use a statically assigned IP address instead, or
-may attempt to access the network using non-IP protocols. As a result,
-other methods, described in [6]-[7], have been proposed for controlling
-access to wireless media and switched LANs.
-
-6.3. Server security
-
-As noted in [3], it may be desirable to protect against rogue DHCP
-servers put on the network either intentionally or by accident. To
-address this issue it is necessary for DHCP server messages to be
-authenticated. In order to guard against message modification, it is
-also necessary for DHCP server messages to be integrity protected.
-Replay protection is also provided within the DHCP authentication
-option.
-
-All messages sent by the DHCP server are authenticated and integrity and
-replaly protected using a session key. This includes the DHCPOFFER,
-DHCPACK, and DHCPNAK messages.
The session key is used to compute the
-DHCP authentication option, which is verified by the client.
-
-In order to provide protection against rogue servers it is necessary to
-prevent rogue servers from obtaining the credentials necessary to act as
-a DHCP server. As noted in Section 4, the Kerberos principal name for
-the DHCP server must be of type KRB_NT_SRV_HST with the service name
-component equal to 'dhcp'. The client MUST validate that the DHCP server
-principal name has the above format. This convention requires that the
-administrator ensure that non-DHCP server principals do not have names
-that match the above format.
-
-7. IANA Considerations
-
-This draft does not create any new number spaces for IANA
-administration.
-
-8. Acknowledgements
-
-The authors would like to acknowledge Ralph Droms and William Arbaugh,
-authors of the DHCP authentication draft [3]. This draft incorporates
-
-
-
-Hornstein, et al. Standards Track [Page 26]
-
-
-INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000
-
-
-material from their work; however, any mistakes in this document are
-solely the responsibility of the authors.
-
-9. Authors' Addresses
-
-Ken Hornstein
-US Naval Research Laboratory
-Bldg A-49, Room 2
-4555 Overlook Avenue
-Washington DC 20375 USA
-
-Phone: +1 (202) 404-4765
-EMail: kenh@cmf.nrl.navy.mil
-
-Ted Lemon
-Internet Engines, Inc.
-950 Charter Street
-Redwood City, CA 94063
-
-Phone: +1 (650) 779 6031
-Email: mellon@iengines.net
-
-Bernard Aboba
-Microsoft Corporation
-One Microsoft Way
-Redmond, WA 98052
-
-Phone: +1 (425) 936-6605
-EMail: bernarda@microsoft.com
-
-Jonathan Trostle
-170 W. Tasman Dr.
-San Jose, CA 95134, U.S.A.
-
-Email: jtrostle@cisco.com
-Phone: +1 (408) 527-6201
-
-
-10.
Intellectual Property Statement
-
-The IETF takes no position regarding the validity or scope of any
-intellectual property or other rights that might be claimed to pertain
-to the implementation or use of the technology described in this
-document or the extent to which any license under such rights might or
-might not be available; neither does it represent that it has made any
-effort to identify any such rights. Information on the IETF's
-procedures with respect to rights in standards-track and standards-
-related documentation can be found in BCP-11. Copies of claims of
-
-
-
-Hornstein, et al. Standards Track [Page 27]
-
-
-INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000
-
-
-rights made available for publication and any assurances of licenses to
-be made available, or the result of an attempt made to obtain a general
-license or permission for the use of such proprietary rights by
-implementors or users of this specification can be obtained from the
-IETF Secretariat.
-
-The IETF invites any interested party to bring to its attention any
-copyrights, patents or patent applications, or other proprietary rights
-which may cover technology that may be required to practice this
-standard. Please address the information to the IETF Executive
-Director.
-
-11. Full Copyright Statement
-
-Copyright (C) The Internet Society (2000). All Rights Reserved.
-This document and translations of it may be copied and furnished to
-others, and derivative works that comment on or otherwise explain it or
-assist in its implmentation may be prepared, copied, published and
-distributed, in whole or in part, without restriction of any kind,
-provided that the above copyright notice and this paragraph are included
-on all such copies and derivative works.
However, this document itself
-may not be modified in any way, such as by removing the copyright notice
-or references to the Internet Society or other Internet organizations,
-except as needed for the purpose of developing Internet standards in
-which case the procedures for copyrights defined in the Internet
-Standards process must be followed, or as required to translate it into
-languages other than English. The limited permissions granted above are
-perpetual and will not be revoked by the Internet Society or its
-successors or assigns. This document and the information contained
-herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE
-INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."
-
-12. Expiration Date
-
-This memo is filed as , and
-expires October 1, 2000.
-
-
-
-
-
-
-
-
-
-
-
-
-Hornstein, et al. Standards Track [Page 28]
-
-
diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-horowitz-key-derivation-01.txt b/crypto/heimdal-0.6.3/doc/standardisation/draft-horowitz-key-derivation-01.txt
deleted file mode 100644
index 4dcff486b9..0000000000
--- a/crypto/heimdal-0.6.3/doc/standardisation/draft-horowitz-key-derivation-01.txt
+++ /dev/null
@@ -1,244 +0,0 @@ -Network Working Group M. Horowitz - Cygnus Solutions -Internet-Draft March, 1997 - - - Key Derivation for Authentication, Integrity, and Privacy - -Status of this Memo - - This document is an Internet-Draft. Internet-Drafts are working - documents of the Internet Engineering Task Force (IETF), its areas, - and its working groups. Note that other groups may also distribute - working documents as Internet-Drafts. - - Internet-Drafts are draft documents valid for a maximum of six months - and may be updated, replaced, or obsoleted by other documents at any - time. It is inappropriate to use Internet-Drafts as reference - material or to cite them other than as ``work in progress.'' - - To learn the current status of any Internet-Draft, please check the - ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow - Directories on ds.internic.net (US East Coast), nic.nordu.net - (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific - Rim). - - Distribution of this memo is unlimited. Please send comments to the - author. - -Abstract - - Recent advances in cryptography have made it desirable to use longer - cryptographic keys, and to make more careful use of these keys. In - particular, it is considered unwise by some cryptographers to use the - same key for multiple purposes. Since most cryptographic-based - systems perform a range of functions, such as authentication, key - exchange, integrity, and encryption, it is desirable to use different - cryptographic keys for these purposes. - - This RFC does not define a particular protocol, but defines a set of - cryptographic transformations for use with arbitrary network - protocols and block cryptographic algorithm. - - -Deriving Keys - - In order to use multiple keys for different functions, there are two - possibilities: - - - Each protocol ``key'' contains multiple cryptographic keys. 
The - implementation would know how to break up the protocol ``key'' for - use by the underlying cryptographic routines. - - - The protocol ``key'' is used to derive the cryptographic keys. - The implementation would perform this derivation before calling - - - -Horowitz [Page 1] - -Internet Draft Key Derivation March, 1997 - - - the underlying cryptographic routines. - - In the first solution, the system has the opportunity to provide - separate keys for different functions. This has the advantage that - if one of these keys is broken, the others remain secret. However, - this comes at the cost of larger ``keys'' at the protocol layer. In - addition, since these ``keys'' may be encrypted, compromising the - cryptographic key which is used to encrypt them compromises all the - component keys. Also, the not all ``keys'' are used for all possible - functions. Some ``keys'', especially those derived from passwords, - are generated from limited amounts of entropy. Wasting some of this - entropy on cryptographic keys which are never used is unwise. - - The second solution uses keys derived from a base key to perform - cryptographic operations. By carefully specifying how this key is - used, all of the advantages of the first solution can be kept, while - eliminating some disadvantages. In particular, the base key must be - used only for generating the derived keys, and this derivation must - be non-invertible and entropy-preserving. Given these restrictions, - compromise of one derived keys does not compromise the other subkeys. - Attack of the base key is limited, since it is only used for - derivation, and is not exposed to any user data. - - Since the derived key has as much entropy as the base keys (if the - cryptosystem is good), password-derived keys have the full benefit of - all the entropy in the password. 
- - To generate a derived key from a base key: - - Derived Key = DK(Base Key, Well-Known Constant) - - where - - DK(Key, Constant) = n-truncate(E(Key, Constant)) - - In this construction, E(Key, Plaintext) is a block cipher, Constant - is a well-known constant defined by the protocol, and n-truncate - truncates its argument by taking the first n bits; here, n is the key - size of E. - - If the output of E is is shorter than n bits, then some entropy in - the key will be lost. If the Constant is smaller than the block size - of E, then it must be padded so it may be encrypted. If the Constant - is larger than the block size, then it must be folded down to the - block size to avoid chaining, which affects the distribution of - entropy. - - In any of these situations, a variation of the above construction is - used, where the folded Constant is encrypted, and the resulting - output is fed back into the encryption as necessary (the | indicates - concatentation): - - K1 = E(Key, n-fold(Constant)) - K2 = E(Key, K1) - - - -Horowitz [Page 2] - -Internet Draft Key Derivation March, 1997 - - - K3 = E(Key, K2) - K4 = ... - - DK(Key, Constant) = n-truncate(K1 | K2 | K3 | K4 ...) - - n-fold is an algorithm which takes m input bits and ``stretches'' - them to form n output bits with no loss of entropy, as described in - [Blumenthal96]. In this document, n-fold is always used to produce n - bits of output, where n is the key size of E. - - If the size of the Constant is not equal to the block size of E, then - the Constant must be n-folded to the block size of E. This number is - used as input to E. If the block size of E is less than the key - size, then the output from E is taken as input to a second invocation - of E. This process is repeated until the number of bits accumulated - is greater than or equal to the key size of E. When enough bits have - been computed, the first n are taken as the derived key. 
- - Since the derived key is the result of one or more encryptions in the - base key, deriving the base key from the derived key is equivalent to - determining the key from a very small number of plaintext/ciphertext - pairs. Thus, this construction is as strong as the cryptosystem - itself. - - -Deriving Keys from Passwords - - When protecting information with a password or other user data, it is - necessary to convert an arbitrary bit string into an encryption key. - In addition, it is sometimes desirable that the transformation from - password to key be difficult to reverse. A simple variation on the - construction in the prior section can be used: - - Key = DK(n-fold(Password), Well-Known Constant) - - The n-fold algorithm is reversible, so recovery of the n-fold output - is equivalent to recovery of Password. However, recovering the n- - fold output is difficult for the same reason recovering the base key - from a derived key is difficult. - - - - Traditionally, the transformation from plaintext to ciphertext, or - vice versa, is determined by the cryptographic algorithm and the key. - A simple way to think of derived keys is that the transformation is - determined by the cryptographic algorithm, the constant, and the key. - - For interoperability, the constants used to derive keys for different - purposes must be specified in the protocol specification. The - constants must not be specified on the wire, or else an attacker who - determined one derived key could provide the associated constant and - spoof data using that derived key, rather than the one the protocol - designer intended. - - - - -Horowitz [Page 3] - -Internet Draft Key Derivation March, 1997 - - - Determining which parts of a protocol require their own constants is - an issue for the designer of protocol using derived keys. - - -Security Considerations - - This entire document deals with security considerations relating to - the use of cryptography in network protocols. 
- - -Acknowledgements - - I would like to thank Uri Blumenthal, Hugo Krawczyk, and Bill - Sommerfeld for their contributions to this document. - - -References - - [Blumenthal96] Blumenthal, U., "A Better Key Schedule for DES-Like - Ciphers", Proceedings of PRAGOCRYPT '96, 1996. - - -Author's Address - - Marc Horowitz - Cygnus Solutions - 955 Massachusetts Avenue - Cambridge, MA 02139 - - Phone: +1 617 354 7688 - Email: marc@cygnus.com - - - - - - - - - - - - - - - - - - - - - - - - - - -Horowitz [Page 4] diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-iakerb-04.txt b/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-iakerb-04.txt deleted file mode 100644 index 208d057f24..0000000000 --- a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-iakerb-04.txt +++ /dev/null 
@@ -1,301 +0,0 @@ -INTERNET-DRAFT Mike Swift -draft-ietf-cat-iakerb-04.txt Microsoft -Updates: RFC 1510 Jonathan Trostle -July 2000 Cisco Systems - - - Initial Authentication and Pass Through Authentication - Using Kerberos V5 and the GSS-API (IAKERB) - - -0. Status Of This Memo - - This document is an Internet-Draft and is in full conformance - with all provisions of Section 10 of RFC2026. - - Internet-Drafts are working documents of the Internet Engineering - Task Force (IETF), its areas, and its working groups. Note that - other groups may also distribute working documents as - Internet-Drafts. - - Internet-Drafts are draft documents valid for a maximum of six - months and may be updated, replaced, or obsoleted by other - documents at any time. It is inappropriate to use Internet- - Drafts as reference material or to cite them other than as - "work in progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - - This draft expires on January 31st, 2001. - - -1. Abstract - - This document defines an extension to the Kerberos protocol - specification (RFC 1510 [1]) and GSSAPI Kerberos mechanism (RFC - 1964 [2]) that enables a client to obtain Kerberos tickets for - services where: - - (1) The client knows its principal name and password, but not - its realm name (applicable in the situation where a user is already - on the network but needs to authenticate to an ISP, and the user - does not know his ISP realm name). - (2) The client is able to obtain the IP address of the service in - a realm which it wants to send a request to, but is otherwise unable - to locate or communicate with a KDC in the service realm or one of - the intermediate realms. (One example would be a dial up user who - does not have direct IP connectivity). - (3) The client does not know the realm name of the service. - - -2. 
Motivation - - When authenticating using Kerberos V5, clients obtain tickets from - a KDC and present them to services. This method of operation works - - well in many situations, but is not always applicable since it - requires the client to know its own realm, the realm of the target - service, the names of the KDC's, and to be able to connect to the - KDC's. - - This document defines an extension to the Kerberos protocol - specification (RFC 1510) [1] that enables a client to obtain - Kerberos tickets for services where: - - (1) The client knows its principal name and password, but not - its realm name (applicable in the situation where a user is already - on the network but needs to authenticate to an ISP, and the user - does not know his ISP realm name). - (2) The client is able to obtain the IP address of the service in - a realm which it wants to send a request to, but is otherwise unable - to locate or communicate with a KDC in the service realm or one of - the intermediate realms. (One example would be a dial up user who - does not have direct IP connectivity). - (3) The client does not know the realm name of the service. - - In this proposal, the client sends KDC request messages directly - to application servers if one of the above failure cases develops. - The application server acts as a proxy, forwarding messages back - and forth between the client and various KDC's (see Figure 1). - - - Client <---------> App Server <----------> KDC - proxies - - - Figure 1: IAKERB proxying - - - In the case where the client has sent a TGS_REQ message to the - application server without a realm name in the request, the - application server will forward an error message to the client - with its realm name in the e-data field of the error message. - The client will attempt to proceed using conventional Kerberos. - -3. When Clients Should Use IAKERB - - We list several, but possibly not all, cases where the client - should use IAKERB. 
In general, the existing Kerberos paradigm - where clients contact the KDC to obtain service tickets should - be preserved where possible. - - (a) AS_REQ cases: - - (i) The client is unable to locate the user's KDC or the KDC's - in the user's realm are not responding, or - (ii) The user has not entered a name which can be converted - into a realm name (and the realm name cannot be derived from - a certificate). - - (b) TGS_REQ cases: - - (i) the client determines that the KDC(s) in either an - intermediate realm or the service realm are not responding or - - the client is unable to locate a KDC, - - (ii) the client is not able to generate the application server - realm name. - - -4. GSSAPI Encapsulation - - The mechanism ID for IAKERB GSS-API Kerberos, in accordance with the - mechanism proposed by SPNEGO for negotiating protocol variations, is: - {iso(1) member-body(2) United States(840) mit(113554) infosys(1) - gssapi(2) krb5(2) initialauth(4)} - - The AS request, AS reply, TGS request, and TGS reply messages are all - encapsulated using the format defined by RFC1964 [2]. This consists - of the GSS-API token framing defined in appendix B of RFC1508 [3]: - - InitialContextToken ::= - [APPLICATION 0] IMPLICIT SEQUENCE { - thisMech MechType - -- MechType is OBJECT IDENTIFIER - -- representing "Kerberos V5" - innerContextToken ANY DEFINED BY thisMech - -- contents mechanism-specific; - -- ASN.1 usage within innerContextToken - -- is not required - } - - The innerContextToken consists of a 2-byte TOK_ID field (defined - below), followed by the Kerberos V5 KRB-AS-REQ, KRB-AS-REP, - KRB-TGS-REQ, or KRB-TGS-REP messages, as appropriate. The TOK_ID field - shall be one of the following values, to denote that the message is - either a request to the KDC or a response from the KDC. - - Message TOK_ID - KRB-KDC-REQ 00 03 - KRB-KDC-REP 01 03 - - -5. The Protocol - - a. 
The user supplies a password (AS_REQ): Here the Kerberos client - will send an AS_REQ message to the application server if it cannot - locate a KDC for the user's realm, or such KDC's do not respond, - or the user does not enter a name from which the client can derive - the user's realm name. The client sets the realm field of the - request equal to its own realm if the realm name is known, - otherwise the realm length is set to 0. Upon receipt of the AS_REQ - message, the application server checks if the client has included - a realm. - - If the realm was not included in the original request, the - application server must determine the realm and add it to the - AS_REQ message before forwarding it. If the application server - cannot determine the client realm, it returns the - KRB_AP_ERR_REALM_REQUIRED error-code in an error message to - the client: - - KRB_AP_ERR_REALM_REQUIRED 77 - - The error message can be sent in response to either an AS_REQ - message, or in response to a TGS_REQ message, in which case the - realm and principal name of the application server are placed - into the realm and sname fields respectively, of the KRB-ERROR - message. In the AS_REQ case, once the realm is filled in, the - application server forwards the request to a KDC in the user's - realm. It will retry the request if necessary, and forward the - KDC response back to the client. - - At the time the user enters a username and password, the client - should create a new credential with an INTERNAL NAME [3] that can - be used as an input into the GSS_Acquire_cred function call. - - This functionality is useful when there is no trust relationship - between the user's logon realm and the target realm (Figure 2). 
- - - User Realm KDC - / - / - / - / 2,3 - 1,4 / - Client<-------------->App Server - - - 1 Client sends AS_REQ to App Server - 2 App server forwards AS_REQ to User Realm KDC - 3 App server receives AS_REP from User Realm KDC - 4 App server sends AS_REP back to Client - - - Figure 2: IAKERB AS_REQ - - - - b. The user does not supply a password (TGS_REQ): The user includes a - TGT targetted at the user's realm, or an intermediate realm, in a - TGS_REQ message. The TGS_REQ message is sent to the application - server. - - If the client has included the realm name in the TGS request, then - the application server will forward the request to a KDC in the - request TGT srealm. It will forward the response back to the client. - - If the client has not included the realm name in the TGS request, - then the application server will return its realm name and principal - name to the client using the KRB_AP_ERR_REALM_REQUIRED error - described above. Sending a TGS_REQ message to the application server - without a realm name in the request, followed by a TGS request using - the returned realm name and then sending an AP request with a mutual - authentication flag should be subject to a local policy decision - (see security considerations below). Using the returned server - principal name in a TGS request followed by sending an AP request - message using the received ticket MUST NOT set any mutual - authentication flags. - - -6. Addresses in Tickets - - In IAKERB, the machine sending requests to the KDC is the server and - not the client. As a result, the client should not include its - addresses in any KDC requests for two reasons. First, the KDC may - reject the forwarded request as being from the wrong client. Second, - in the case of initial authentication for a dial-up client, the client - machine may not yet possess a network address. 
Hence, as allowed by - RFC1510 [1], the addresses field of the AS and TGS requests should be - blank and the caddr field of the ticket should similarly be left blank. - - -7. Combining IAKERB with Other Kerberos Extensions - - This protocol is usable with other proposed Kerberos extensions such as - PKINIT (Public Key Cryptography for Initial Authentication in Kerberos - [4]). In such cases, the messages which would normally be sent to the - KDC by the GSS runtime are instead sent by the client application to the - server, which then forwards them to a KDC. - - -8. Security Considerations - - A principal is identified by its principal name and realm. A client - that sends a TGS request to an application server without the request - realm name will only be able to mutually authenticate the server - up to its principal name. Thus when requesting mutual authentication, - it is preferable if clients can either determine the server realm name - beforehand, or apply some policy checks to the realm name obtained from - the returned error message. - - -9. Bibliography - - [1] J. Kohl, C. Neuman. The Kerberos Network Authentication - Service (V5). Request for Comments 1510. - - [2] J. Linn. The Kerberos Version 5 GSS-API Mechanism. Request - for Comments 1964 - - [3] J. Linn. Generic Security Service Application Program Interface. - Request for Comments 1508 - - [4] B. Tung, C. Neuman, M. Hur, A. Medvinsky, S. Medvinsky, J. Wray, - J. Trostle, Public Key Cryptography for Initial Authentication in - Kerberos, http://www.ietf.org/internet-drafts/draft-ietf-cat-kerberos- - pkinit-10.txt. - - -10. This draft expires on January 31st, 2001. - - -11. Authors' Addresses - - Michael Swift - Microsoft - One Microsoft Way - Redmond, Washington, 98052, U.S.A. - Email: mikesw@microsoft.com - - Jonathan Trostle - 170 W. Tasman Dr. - San Jose, CA 95134, U.S.A. - Email: jtrostle@cisco.com - Phone: (408) 527-6201 
diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerb-chg-password-02.txt b/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerb-chg-password-02.txt
deleted file mode 100644
index e235bec58c..0000000000
--- a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerb-chg-password-02.txt
+++ /dev/null
@@ -1,311 +0,0 @@ - - - - -Network Working Group M. Horowitz - Stonecast, Inc. -Internet-Draft August, 1998 - - Kerberos Change Password Protocol - -Status of this Memo - - This document is an Internet-Draft. Internet-Drafts are working - documents of the Internet Engineering Task Force (IETF), its areas, - and its working groups. Note that other groups may also distribute - working documents as Internet-Drafts. - - Internet-Drafts are draft documents valid for a maximum of six months - and may be updated, replaced, or obsoleted by other documents at any - time. It is inappropriate to use Internet-Drafts as reference - material or to cite them other than as ``work in progress.'' - - To learn the current status of any Internet-Draft, please check the - ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow - Directories on ftp.ietf.org (US East Coast), nic.nordu.net - (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific - Rim). - - Distribution of this memo is unlimited. Please send comments to the - mailing list. - -Abstract - - The Kerberos V5 protocol [RFC1510] does not describe any mechanism - for users to change their own passwords. In order to promote - interoperability between workstations, personal computers, terminal - servers, routers, and KDC's from multiple vendors, a common password - changing protocol is required. - - - -Overview - - When a user wishes to change his own password, or is required to by - local policy, a simple request of a password changing service is - necessary. This service must be implemented on at least one host for - each Kerberos realm, probably on one of the kdc's for that realm. - The service must accept requests on UDP port 464 (kpasswd), and may - accept requests on TCP port 464 as well. - - The protocol itself consists of a single request message followed by - a single reply message. For UDP transport, each message must be - fully contained in a single UDP packet. 
- - - - - - - - -Horowitz [Page 1] - -Internet Draft Kerberos Change Password Protocol August, 1998 - - -Request Message - - 0 1 2 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | message length | protocol version number | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | AP_REQ length | AP-REQ data / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - / KRB-PRIV message / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - message length (16 bits) - Contains the length of the message, including this field, in bytes - (big-endian integer) - protocol version number (16 bits) - Contains the hex constant 0x0001 (big-endian integer) - AP-REQ length (16 bits) - length (big-endian integer) of AP-REQ data, in bytes. - AP-REQ data, as described in RFC1510 (variable length) - This AP-REQ must be for the service principal - kadmin/changepw@REALM, where REALM is the REALM of the user who - wishes to change his password. The Ticket in the AP-REQ must be - derived from an AS request (thus having the INITIAL flag set), and - must include a subkey in the Authenticator. - KRB-PRIV message, as described in RFC1510 (variable length) - This KRB-PRIV message must be generated using the subkey in the - Authenticator in the AP-REQ data. The user-data component of the - message must consist of the user's new password. - - The server must verify the AP-REQ message, decrypt the new password, - perform any local policy checks (such as password quality, history, - authorization, etc.) required, then set the password to the new value - specified. - - The principal whose password is to be changed is the principal which - authenticated to the password changing service. This protocol does - not address administrators who want to change passwords of principal - besides their own. 
- - -Reply Message - - 0 1 2 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | message length | protocol version number | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | AP_REP length | AP-REP data / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - / KRB-PRIV or KRB-ERROR message / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - message length (16 bits) - - - -Horowitz [Page 2] - -Internet Draft Kerberos Change Password Protocol August, 1998 - - - Contains the length of the message, including this field, in bytes - (big-endian integer), - protocol version number (16 bits) - Contains the hex constant 0x0001 (big-endian integer) - AP-REP length (16 bits) - length of AP-REP data, in bytes. If the the length is zero, then - the last field will contain a KRB-ERROR message instead of a KRB- - PRIV message. - AP-REP data, as described in RFC1510 (variable length) - The AP-REP corresponding to the AP-REQ in the request packet. - KRB-PRIV or KRB-ERROR message, as described in RFC1510 (variable - length) - If the AP-REP length is zero, then this field contains a KRB-ERROR - message. Otherwise, it contains a KRB-PRIV message. This KRB- - PRIV message must be generated using the subkey in the - Authenticator in the AP-REQ data. - - The user-data component of the KRB-PRIV message, or e-data - component of the KRB-ERROR message, must consist of the following - data: - - 0 1 2 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | result code | result string / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - result code (16 bits) - The result code must have one of the following values (big- - endian integer): - 0x0000 if the request succeeds. (This value is not permitted - in a KRB-ERROR message.) 
- 0x0001 if the request fails due to being malformed - 0x0002 if the request fails due to a "hard" error processing - the request (for example, there is a resource or other - problem causing the request to fail) - 0x0003 if the request fails due to an error in authentication - processing - 0x0004 if the request fails due to a "soft" error processing - the request (for example, some policy or other similar - consideration is causing the request to be rejected). - 0xFFFF if the request fails for some other reason. - Although only a few non-zero result codes are specified here, - the client should accept any non-zero result code as indicating - failure. - result string (variable length) - This field should contain information which the server thinks - might be useful to the user, such as feedback about policy - failures. The string must be encoded in UTF-8. It may be - omitted if the server does not wish to include it. If it is - present, the client should display the string to the user. - This field is analogous to the string which follows the numeric - code in SMTP, FTP, and similar protocols. - - - - -Horowitz [Page 3] - -Internet Draft Kerberos Change Password Protocol August, 1998 - - -Dropped and Modified Messages - - An attacker (or simply a lossy network) could cause either the - request or reply to be dropped, or modified by substituting a KRB- - ERROR message in the reply. - - If a request is dropped, no modification of the password/key database - will take place. If a reply is dropped, the server will (assuming a - valid request) make the password change. However, the client cannot - distinguish between these two cases. - - In this situation, the client should construct a new authenticator, - re-encrypt the request, and retransmit. If the original request was - lost, the server will treat this as a valid request, and the password - will be changed normally. 
If the reply was lost, then the server - should take care to notice that the request was a duplicate of the - prior request, because the "new" password is the current password, - and the password change time is within some implementation-defined - replay time window. The server should then return a success reply - (an AP-REP message with result code == 0x0000) without actually - changing the password or any other information (such as modification - timestamps). - - If a success reply was replaced with an error reply, then the - application performing the request would return an error to the user. - In this state, the user's password has been changed, but the user - believes that it has not. If the user attempts to change the - password again, this will probably fail, because the user cannot - successfully provide the old password to get an INITIAL ticket to - make the request. This situation requires administrative - intervention as if a password was lost. This situation is, - unfortunately, impossible to prevent. - - -Security Considerations - - This document deals with changing passwords for Kerberos. Because - Kerberos is used for authentication and key distribution, it is - important that this protocol use the highest level of security - services available to a particular installation. Mutual - authentication is performed, so that the server knows the request is - valid, and the client knows that the request has been received and - processed by the server. - - There are also security issues relating to dropped or modified - messages which are addressed explicitly. - - -References - - [RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network - Authentication Service (V5)", RFC 1510, September 1993. - - - - - -Horowitz [Page 4] - -Internet Draft Kerberos Change Password Protocol August, 1998 - - -Author's Address - - Marc Horowitz - Stonecast, Inc. 
- 108 Stow Road - Harvard, MA 01451 - - Phone: +1 978 456 9103 - Email: marc@stonecast.net - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Horowitz [Page 5] - diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerb-des3-hmac-sha1-00.txt b/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerb-des3-hmac-sha1-00.txt deleted file mode 100644 index 2583a84da0..0000000000 --- a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerb-des3-hmac-sha1-00.txt +++ /dev/null 
@@ -1,127 +0,0 @@ - - - - - - -Network Working Group M. Horowitz - Cygnus Solutions -Internet-Draft November, 1996 - - - Triple DES with HMAC-SHA1 Kerberos Encryption Type - -Status of this Memo - - This document is an Internet-Draft. Internet-Drafts are working - documents of the Internet Engineering Task Force (IETF), its areas, - and its working groups. Note that other groups may also distribute - working documents as Internet-Drafts. - - Internet-Drafts are draft documents valid for a maximum of six months - and may be updated, replaced, or obsoleted by other documents at any - time. It is inappropriate to use Internet-Drafts as reference - material or to cite them other than as ``work in progress.'' - - To learn the current status of any Internet-Draft, please check the - ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow - Directories on ds.internic.net (US East Coast), nic.nordu.net - (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific - Rim). - - Distribution of this memo is unlimited. Please send comments to the - mailing list. - -Abstract - - This document defines a new encryption type and a new checksum type - for use with Kerberos V5 [RFC1510]. This encryption type is based on - the Triple DES cryptosystem and the HMAC-SHA1 [Krawczyk96] message - authentication algorithm. - - The des3-cbc-hmac-sha1 encryption type has been assigned the value 7. - The hmac-sha1-des3 checksum type has been assigned the value 12. - - -Encryption Type des3-cbc-hmac-sha1 - - EncryptedData using this type must be generated as described in - [Horowitz96]. The encryption algorithm is Triple DES in Outer-CBC - mode. The keyed hash algorithm is HMAC-SHA1. Unless otherwise - specified, a zero IV must be used. If the length of the input data - is not a multiple of the block size, zero octets must be used to pad - the plaintext to the next eight-octet boundary. The counfounder must - be eight random octets (one block). 
- - -Checksum Type hmac-sha1-des3 - - Checksums using this type must be generated as described in - [Horowitz96]. The keyed hash algorithm is HMAC-SHA1. - - - -Horowitz [Page 1] - -Internet Draft Kerberos Triple DES with HMAC-SHA1 November, 1996 - - -Common Requirements - - Where the Triple DES key is represented as an EncryptionKey, it shall - be represented as three DES keys, with parity bits, concatenated - together. The key shall be represented with the most significant bit - first. - - When keys are generated by the derivation function, a key length of - 168 bits shall be used. The output bit string will be converted to a - valid Triple DES key by inserting DES parity bits after every seventh - bit. - - Any implementation which implements either of the encryption or - checksum types in this document must support both. - - -Security Considerations - - This entire document defines encryption and checksum types for use - with Kerberos V5. - - -References - - [Horowitz96] Horowitz, M., "Key Derivation for Kerberos V5", draft- - horowitz-kerb-key-derivation-00.txt, November 1996. - [Krawczyk96] Krawczyk, H., Bellare, and M., Canetti, R., "HMAC: - Keyed-Hashing for Message Authentication", draft-ietf-ipsec-hmac- - md5-01.txt, August, 1996. - [RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network - Authentication Service (V5)", RFC 1510, September 1993. - - -Author's Address - - Marc Horowitz - Cygnus Solutions - 955 Massachusetts Avenue - Cambridge, MA 02139 - - Phone: +1 617 354 7688 - Email: marc@cygnus.com - - - - - - - - - - - - - - - -Horowitz [Page 2] - diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerb-key-derivation-00.txt b/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerb-key-derivation-00.txt deleted file mode 100644 index 46a4158527..0000000000 --- a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerb-key-derivation-00.txt +++ /dev/null 
@@ -1,250 +0,0 @@ - - - - - -Network Working Group M. Horowitz - Cygnus Solutions -Internet-Draft November, 1996 - - - Key Derivation for Kerberos V5 - -Status of this Memo - - This document is an Internet-Draft. Internet-Drafts are working - documents of the Internet Engineering Task Force (IETF), its areas, - and its working groups. Note that other groups may also distribute - working documents as Internet-Drafts. - - Internet-Drafts are draft documents valid for a maximum of six months - and may be updated, replaced, or obsoleted by other documents at any - time. It is inappropriate to use Internet-Drafts as reference - material or to cite them other than as ``work in progress.'' - - To learn the current status of any Internet-Draft, please check the - ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow - Directories on ds.internic.net (US East Coast), nic.nordu.net - (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific - Rim). - - Distribution of this memo is unlimited. Please send comments to the - mailing list. - -Abstract - - In the Kerberos protocol [RFC1510], cryptographic keys are used in a - number of places. In order to minimize the effect of compromising a - key, it is desirable to use a different key for each of these places. - Key derivation [Horowitz96] can be used to construct different keys - for each operation from the keys transported on the network. For - this to be possible, a small change to the specification is - necessary. - - -Overview - - Under RFC1510 as stated, key derivation could be specified as a set - of encryption types which share the same key type. The constant for - each derivation would be a function of the encryption type. However, - it is generally accepted that, for interoperability, key types and - encryption types must map one-to-one onto each other. (RFC 1510 is - being revised to address this issue.) 
Therefore, to use key - derivcation with Kerberos V5 requires a small change to the - specification. - - For each place where a key is used in Kerberos, a ``key usage'' must - be specified for that purpose. The key, key usage, and - encryption/checksum type together describe the transformation from - plaintext to ciphertext, or plaintext to checksum. For backward - - - -Horowitz [Page 1] - -Internet Draft Key Derivation for Kerberos V5 November, 1996 - - - compatibility, old encryption types would be defined independently of - the key usage. - - -Key Usage Values - - This is a complete list of places keys are used in the kerberos - protocol, with key usage values and RFC 1510 section numbers: - - 1. AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with the - client key (section 5.4.1) - 2. AS-REP Ticket and TGS-REP Ticket (includes tgs session key or - application session key), encrypted with the service key - (section 5.4.2) - 3. AS-REP encrypted part (includes tgs session key or application - session key), encrypted with the client key (section 5.4.2) - - 4. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs - session key (section 5.4.1) - 5. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs - authenticator subkey (section 5.4.1) - 6. TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator cksum, keyed - with the tgs session key (sections 5.3.2, 5.4.1) - 7. TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator (includes tgs - authenticator subkey), encrypted with the tgs session key - (section 5.3.2) - 8. TGS-REP encrypted part (includes application session key), - encrypted with the tgs session key (section 5.4.2) - 9. TGS-REP encrypted part (includes application session key), - encrypted with the tgs authenticator subkey (section 5.4.2) - - 10. AP-REQ Authenticator cksum, keyed with the application session - key (section 5.3.2) - 11. 
AP-REQ Authenticator (includes application authenticator - subkey), encrypted with the application session key (section - 5.3.2) - 12. AP-REP encrypted part (includes application session subkey), - encrypted with the application session key (section 5.5.2) - - 13. KRB-PRIV encrypted part, encrypted with a key chosen by the - application (section 5.7.1) - 14. KRB-CRED encrypted part, encrypted with a key chosen by the - application (section 5.6.1) - 15. KRB-SAVE cksum, keyed with a key chosen by the application - (section 5.8.1) - - 16. Data which is defined in some specification outside of - Kerberos to be encrypted using an RFC1510 encryption type. - 17. Data which is defined in some specification outside of - Kerberos to be checksummed using an RFC1510 checksum type. - - A few of these key usages need a little clarification. A service - which receives an AP-REQ has no way to know if the enclosed Ticket - was part of an AS-REP or TGS-REP. Therefore, key usage 2 must always - - - -Horowitz [Page 2] - -Internet Draft Key Derivation for Kerberos V5 November, 1996 - - - be used for generating a Ticket, whether it is in response to an AS- - REQ or TGS-REQ. - - There might exist other documents which define protocols in terms of - the RFC1510 encryption types or checksum types. Such documents would - not know about key usages. In order that these documents continue to - be meaningful until they are updated, key usages 16 and 17 must be - used to derive keys for encryption and checksums, respectively. New - protocols defined in terms of the Kerberos encryption and checksum - types should use their own key usages. Key usages may be registered - with IANA to avoid conflicts. Key usages shall be unsigned 32 bit - integers. Zero is not permitted. - - -Defining Cryptosystems Using Key Derivation - - Kerberos requires that the ciphertext component of EncryptedData be - tamper-resistant as well as confidential. 
This implies encryption - and integrity functions, which must each use their own separate keys. - So, for each key usage, two keys must be generated, one for - encryption (Ke), and one for integrity (Ki): - - Ke = DK(protocol key, key usage | 0xAA) - Ki = DK(protocol key, key usage | 0x55) - - where the key usage is represented as a 32 bit integer in network - byte order. The ciphertest must be generated from the plaintext as - follows: - - ciphertext = E(Ke, confounder | length | plaintext | padding) | - H(Ki, confounder | length | plaintext | padding) - - The confounder and padding are specific to the encryption algorithm - E. - - When generating a checksum only, there is no need for a confounder or - padding. Again, a new key (Kc) must be used. Checksums must be - generated from the plaintext as follows: - - Kc = DK(protocol key, key usage | 0x99) - - MAC = H(Kc, length | plaintext) - - Note that each enctype is described by an encryption algorithm E and - a keyed hash algorithm H, and each checksum type is described by a - keyed hash algorithm H. HMAC, with an appropriate hash, is - recommended for use as H. - - -Security Considerations - - This entire document addresses shortcomings in the use of - cryptographic keys in Kerberos V5. - - - - -Horowitz [Page 3] - -Internet Draft Key Derivation for Kerberos V5 November, 1996 - - -Acknowledgements - - I would like to thank Uri Blumenthal, Sam Hartman, and Bill - Sommerfeld for their contributions to this document. - - -References - - [Horowitz96] Horowitz, M., "Key Derivation for Authentication, - Integrity, and Privacy", draft-horowitz-key-derivation-00.txt, - November 1996. [RFC1510] Kohl, J. and Neuman, C., "The Kerberos - Network Authentication Service (V5)", RFC 1510, September 1993. 
- - -Author's Address - - Marc Horowitz - Cygnus Solutions - 955 Massachusetts Avenue - Cambridge, MA 02139 - - Phone: +1 617 354 7688 - Email: marc@cygnus.com - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Horowitz [Page 4] - diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-err-msg-00.txt b/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-err-msg-00.txt deleted file mode 100644 index c5e4d05e7e..0000000000 --- a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-err-msg-00.txt +++ /dev/null 
@@ -1,252 +0,0 @@ - -INTERNET-DRAFT Ari Medvinsky -draft-ietf-cat-kerberos-err-msg-00.txt Matt Hur -Updates: RFC 1510 Dominique Brezinski -expires September 30, 1997 CyberSafe Corporation - Gene Tsudik - Brian Tung - ISI - -Integrity Protection for the Kerberos Error Message - -0. Status Of this Memo - - This document is an Internet-Draft. Internet-Drafts are working - documents of the Internet Engineering Task Force (IETF), its - areas, and its working groups. Note that other groups may also - distribute working documents as Internet-Drafts. - - Internet-Drafts are draft documents valid for a maximum of six - months and may be updated, replaced, or obsoleted by other - documents at any time. It is inappropriate to use Internet-Drafts - as reference material or to cite them other than as "work in - progress." - - To learn the current status of any Internet-Draft, please check - the "1id-abstracts.txt" listing contained in the Internet-Drafts - Shadow Directories on ds.internic.net (US East Coast), - nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or - munnari.oz.au (Pacific Rim). - - The distribution of this memo is unlimited. It is filed as - draft-ietf-cat-kerberos-pk-init-03.txt, and expires June xx, 1997. - Please send comments to the authors. - -1. Abstract - - The Kerberos error message, as defined in RFC 1510, is transmitted - to the client without any integrity assurance. Therefore, the - client has no means to distinguish between a valid error message - sent from the KDC and one sent by an attacker. This draft describes - a method for assuring the integrity of Kerberos error messages, and - proposes a consistent format for the e-data field in the KRB_ERROR - message. This e-data format enables the storage of cryptographic - checksums by providing an extensible mechanism for specifying e-data - types. - - -2. 
Motivation - - In the Kerberos protocol [1], if an error occurs for AS_REQ, - TGS_REQ, or AP_REQ, a clear text error message is returned to the - client. An attacker may exploit this vulnerability by sending a - false error message as a reply to any of the above requests. For - example, an attacker may send the KDC_ERR_KEY_EXPIRED error message - in order to force a user to change their password in hope that the - new key will not be as strong as the current key, and thus, easier - to break. - - Since false error messages may be utilized by an attacker, a - Kerberos client should have a means for determining how much trust - to place in a given error message. The rest of this draft - describes a method for assuring the integrity of Kerberos error - messages. - - -3. Approach - - We propose taking a cryptographic checksum over the entire KRB-ERROR - message. This checksum would be returned as part of the error - message and would enable the client to verify the integrity of the - error message. For interoperability reasons, no new fields are - added to the KRB-ERROR message. Instead, the e-data field (see - figure 1) is utilized to carry the cryptographic checksum. - - -3.1 Cryptographic checksums in error messages for AS_REQ, - TGS_REQ & AP_REQ - - If an error occurs for the AS request, the only key that is - available to the KDC is the shared secret (the key derived from the - clients password) registered in the KDCs database. The KDC will - use this key to sign the error message, if and only if, the client - already proved knowledge of the shared secret in the AS request - (e.g. via PA-ENC-TIMESTAMP in preauth data). This policy is needed - to prevent an attacker from getting the KDC to send a signed error - message and then launching an off-line attack in order to obtain a - key of a given principal. 
- - If an error occurs for a TGS or an AP request, the server will use - the session key sealed in the clients ticket granting ticket to - compute the checksum over the error message. If the checksum could - not be computed (e.g. error while decrypting the ticket) the error - message is returned to the client without the checksum. The client - then has the option to treat unprotected error messages differently. - - - KRB-ERROR ::= [APPLICATION 30] SEQUENCE { - pvno [0] integer, - msg-type [1] integer, - ctime [2] KerberosTime OPTIONAL, - cusec [3] INTEGER OPTIONAL, - stime [4] KerberosTime, - susec [5] INTEGER, - error-code [6] INTEGER, - crealm [7] Realm OPTIONAL, - cname [8] PrincipalName OPTIONAL, - realm [9] Realm, --Correct realm - sname [10] PrincipalName, --Correct name - e-text [11] GeneralString OPTIONAL, - e-data [12] OCTET STRING OPTIONAL - } - Figure 1 - - -3.2 Format of the e-data field - - We propose to place the cryptographic checksum in the e-data field. - First, we review the format of the e-data field, as specified in - RFC 1510. The format of e-data is specified only in two cases [2]. - "If the error code is KDC_ERR_PREAUTH_REQUIRED, then the e-data - field will contain an encoding of a sequence of padata fields": - - METHOD-DATA ::= SEQUENCE of PA-DATA - PA-DATA ::= SEQUENCE { - padata-type [1] INTEGER, - padata-value [2] OCTET STRING - } - - The second case deals with the KRB_AP_ERR_METHOD error code. The - e-data field will contain an encoding of the following sequence: - - METHOD-DATA ::= SEQUENCE { - method-type [0] INTEGER, - method-data [1] OCTET STRING OPTIONAL - } - - method-type indicates the required alternate authentication method. - - It should be noted that, in the case of KRB_AP_ERR_METHOD, a signed - checksum is not returned as part of the error message, since the - error code indicates that the Kerberos credentials provided in the - AP_REQ message are unacceptable. 
- - We propose that the e-data field have the following format for all - error-codes (except KRB_AP_ERR_METHOD): - - E-DATA ::= SEQUENCE { - data-type [1] INTEGER, - data-value [2] OCTET STRING, - } - - The data-type field specifies the type of information that is - carried in the data-value field. Thus, to send a cryptographic - checksum back to the client, the data-type is set to CHECKSUM, the - data-value is set to the ASN.1 encoding of the following sequence: - - Checksum ::= SEQUENCE { - cksumtype [0] INTEGER, - checksum [1] OCTET STRING - } - - -3.3 Computing the checksum - - After the error message is filled out, the error structure is - converted into ASN.1 representation. A cryptographic checksum is - then taken over the encoded error message; the result is placed in - the error message structure, as the last item in the e-data field. - To send the error message, ASN.1 encoding is again performed over - the error message, which now includes the cryptographic checksum. - - -3.4 Verifying the integrity of the error message - - In addition to verifying the cryptographic checksum for the error - message, the client must verify that the error message is bound to - its request. This is done by comparing the ctime field in the - error message to its counterpart in the request message. - - -4. E-DATA types - - Since the e-data types must not conflict with preauthentication data - types, we propose that the preauthentication data types in the range - of 2048 and above be reserved for use as e-data types. - - We define the following e-data type in support of integrity checking - for the Kerberos error message: - - CHECKSUM = 2048 -- the keyed checksum described above - - -5. Discussion - - -5.1 e-data types - - The extension for Kerberos error messages, as outlined above, is - extensible to allow for definition of other error data types. 
- We propose that the following e-data types be reserved: - - KDCTIME = 2049 - The error data would consist of the KDCs time in KerberosTime. - This data would be used by the client to adjust for clock skew. - - REDIRECT = 2050 - The error data would consist of a hostname. The hostname would - indicate the authoritative KDC from which to obtain a TGT. - - -5.2 e-data types vs. error code specific data formats - - Since RFC 1510 does not define an error data type, the data format - must be explicitly specified for each error code. This draft has - proposed an extension to RFC 1510 that would introduce the concept - of error data types. This would allow for a manageable set of data - types to be used for any error message. The authors assume that - the introduction of this e-data structure will not break any - existing Kerberos implementations. - - -6. Bibliography - - [1] J. Kohl, C. Neuman. The Kerberos Network Authentication - Service (V5). Request for Comments: 1510 - [2] J. Kohl, C. Neuman. The Kerberos Network Authentication - Service (V5). Request for Comments: 1510 p.67 - - -7. Authors - - Ari Medvinsky - Matthew Hur - Dominique Brezinski - - CyberSafe Corporation - 1605 NW Sammamish Road - Suite 310 - Issaquah, WA 98027-5378 - Phone: (206) 391-6000 - Fax: (206) 391-0508 - http:/www.cybersafe.com - - - Brian Tung - Gene Tsudik - - USC Information Sciences Institute - 4676 Admiralty Way Suite 1001 - Marina del Rey CA 90292-6695 - Phone: (310) 822-1511 - diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-extra-tgt-02.txt b/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-extra-tgt-02.txt deleted file mode 100644 index b3ec336b65..0000000000 --- a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-extra-tgt-02.txt +++ /dev/null 
@@ -1,174 +0,0 @@ -INTERNET-DRAFT Jonathan Trostle -draft-ietf-cat-kerberos-extra-tgt-02.txt Cisco Systems -Updates: RFC 1510 Michael M. Swift -expires January 30, 2000 University of WA - - - Extension to Kerberos V5 For Additional Initial Encryption - -0. Status Of This Memo - - This document is an Internet-Draft and is in full conformance - with all provisions of Section 10 of RFC2026. - - Internet-Drafts are working documents of the Internet Engineering - Task Force (IETF), its areas, and its working groups. Note that - other groups may also distribute working documents as - Internet-Drafts. - - Internet-Drafts are draft documents valid for a maximum of six - months and may be updated, replaced, or obsoleted by other - documents at any time. It is inappropriate to use Internet- - Drafts as reference material or to cite them other than as - "work in progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - -1. Abstract - - This document defines an extension to the Kerberos protocol - specification (RFC 1510) [1] to enable a preauthentication field in - the AS_REQ message to carry a ticket granting ticket. The session - key from this ticket granting ticket will be used to - cryptographically strengthen the initial exchange in either the - conventional Kerberos V5 case or in the case the user stores their - encrypted private key on the KDC [2]. - - -2. Motivation - - In Kerberos V5, the initial exchange with the KDC consists of the - AS_REQ and AS_REP messages. For users, the encrypted part of the - AS_REP message is encrypted in a key derived from a password. - Although a password policy may be in place to prevent dictionary - attacks, brute force attacks may still be a concern due to - insufficient key length. 
- - This draft specifies an extension to the Kerberos V5 protocol to - allow a ticket granting ticket to be included in an AS_REQ message - preauthentication field. The session key from this ticket granting - ticket will be used to cryptographically strengthen the initial - - exchange in either the conventional Kerberos V5 case or in the case - the user stores their encrypted private key on the KDC [2]. The - session key from the ticket granting ticket is combined with the - user password key (key K2 in the encrypted private key on KDC - option) using HMAC to obtain a new triple des key that is used in - place of the user key in the initial exchange. The ticket granting - ticket could be obtained by the workstation using its host key. - -3. The Extension - - The following new preauthentication type is proposed: - - PA-EXTRA-TGT 22 - - The preauthentication-data field contains a ticket granting ticket - encoded as an ASN.1 octet string. The server realm of the ticket - granting ticket must be equal to the realm in the KDC-REQ-BODY of - the AS_REQ message. In the absence of a trust relationship, the - local Kerberos client should send the AS_REQ message without this - extension. - - In the conventional (non-pkinit) case, we require the RFC 1510 - PA-ENC-TIMESTAMP preauthentication field in the AS_REQ message. - If neither it or the PA-PK-KEY-REQ preauthentication field is - included in the AS_REQ message, the KDC will reply with a - KDC_ERR_PREAUTH_FAILED error message. - - We propose the following new etypes: - - des3-cbc-md5-xor 16 - des3-cbc-sha1-xor 17 - - The encryption key is obtained by: - - (1) Obtaining an output M from the HMAC-SHA1 function [3] using - the user password key (the key K2 in the encrypted private - key on KDC option of pkinit) as the text and the triple des - session key as the K input in HMAC: - - M = H(K XOR opad, H(K XOR ipad, text)) where H = SHA1. 
- - The session key from the accompanying ticket granting ticket - must be a triple des key when one of the triple des xor - encryption types is used. - (2) Concatenate the output M (20 bytes) with the first 8 non-parity - bits of the triple-des ticket granting ticket session key to - get 168 bits that will be used for the new triple-des encryption - key. - (3) Set the parity bits of the resulting key. - - The resulting triple des key is used to encrypt the timestamp - for the PA-ENC-TIMESTAMP preauthentication value (or in the - encrypted private key on KDC option of pkinit, it is used in - place of the key K2 to both sign in the PA-PK-KEY-REQ and for - encryption in the PA-PK-KEY-REP preauthentication types). - - If the KDC decrypts the encrypted timestamp and it is not within - the appropriate clock skew period, the KDC will reply with the - KDC_ERR_PREAUTH_FAILED error. The same error will also be sent if - the above ticket granting ticket fails to decrypt properly, or if - it is not a valid ticket. - - The KDC will create the shared triple des key from the ticket - granting ticket session key and the user password key (the key K2 - in the encrypted private key on KDC case) using HMAC as specified - above and use it to validate the AS_REQ message and then to - encrypt the encrypted part of the AS_REP message (use it in place - of the key K2 for encryption in the PA-PK-KEY-REP preauthentication - field). - - Local workstation policy will determine the exact behaviour of - the Kerberos client with respect to the extension protocol. For - example, the client should consult policy to decide when to use - use the extension. This policy could be dependent on the user - identity, or whether the workstation is in the same realm as the - user. One possibility is for the workstation logon to fail if - the extension is not used. Another possibility is for the KDC - to set a flag in tickets issued when this extension is used. 
- - A similar idea was proposed in OSF DCE RFC 26.0 [4]; there a - preauthentication field containing a ticket granting ticket, - a randomly generated subkey encrypted in the session key from - the ticket, and a timestamp structure encrypted in the user - password and then the randomly generated subkey was proposed. - Some advantages of the current proposal are that the KDC has two - fewer decryptions to perform per request and the client does not - have to generate a random key. - -4. Bibliography - - [1] J. Kohl, C. Neuman. The Kerberos Network Authentication - Service (V5). Request for Comments 1510. - - [2] B. Tung, C. Neuman, J. Wray, A. Medvinsky, M. Hur, J. Trostle. - Public Key Cryptography for Initial Authentication in Kerberos. - ftp://ds.internic.net/internet-drafts/ - draft-ietf-cat-kerberos-pkinit-08.txt - - [3] H. Krawczyk, M. Bellare, R. Canetti. HMAC: Keyed-Hashing for - Message Authentication. Request for Comments 2104. - - [4] J. Pato. Using Pre-authentication to Avoid Password Guessing - Attacks. OSF DCE SIG Request for Comments 26.0. - -5. Acknowledgement: We thank Ken Hornstein for some helpful comments. - -6. Expires January 30, 2000. - -7. Authors' Addresses - - Jonathan Trostle - 170 W. Tasman Dr. - San Jose, CA 95134, U.S.A. - - Email: jtrostle@cisco.com - Phone: (408) 527-6201 - - Michael Swift - Email: mikesw@cs.washington.edu diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-extra-tgt-03.txt b/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-extra-tgt-03.txt deleted file mode 100644 index d09a2ded5b..0000000000 --- a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-extra-tgt-03.txt +++ /dev/null @@ -1,5 +0,0 @@ -This Internet-Draft has expired and is no longer available. - -Unrevised documents placed in the Internet-Drafts directories have a -maximum life of six months. After that time, they must be updated, or -they will be deleted. This document was deleted on March 20, 2000. 
diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-pk-cross-01.txt b/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-pk-cross-01.txt
deleted file mode 100644
index 4b193c5739..0000000000
--- a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-pk-cross-01.txt
+++ /dev/null
@@ -1,282 +0,0 @@ -INTERNET-DRAFT Brian Tung -draft-ietf-cat-kerberos-pk-cross-01.txt Tatyana Ryutov -Updates: RFC 1510 Clifford Neuman -expires September 30, 1997 Gene Tsudik - ISI - Bill Sommerfeld - Hewlett-Packard - Ari Medvinsky - Matthew Hur - CyberSafe Corporation - - - Public Key Cryptography for Cross-Realm Authentication in Kerberos - - -0. Status Of this Memo - - This document is an Internet-Draft. Internet-Drafts are working - documents of the Internet Engineering Task Force (IETF), its - areas, and its working groups. Note that other groups may also - distribute working documents as Internet-Drafts. - - Internet-Drafts are draft documents valid for a maximum of six - months and may be updated, replaced, or obsoleted by other - documents at any time. It is inappropriate to use Internet-Drafts - as reference material or to cite them other than as ``work in - progress.'' - - To learn the current status of any Internet-Draft, please check - the ``1id-abstracts.txt'' listing contained in the Internet-Drafts - Shadow Directories on ds.internic.net (US East Coast), - nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or - munnari.oz.au (Pacific Rim). - - The distribution of this memo is unlimited. It is filed as - draft-ietf-cat-kerberos-pk-cross-01.txt, and expires September 30, - 1997. Please send comments to the authors. - - -1. Abstract - - This document defines extensions to the Kerberos protocol - specification (RFC 1510, "The Kerberos Network Authentication - Service (V5)", September 1993) to provide a method for using - public key cryptography during cross-realm authentication. The - methods defined here specify the way in which message exchanges - are to be used to transport cross-realm secret keys protected by - encryption under public keys certified as belonging to KDCs. - - -2. 
Motivation - - The advantages provided by public key cryptography--ease of - recoverability in the event of a compromise, the possibility of - an autonomous authentication infrastructure, to name a few--have - produced a demand for use by Kerberos authentication protocol. A - draft describing the use of public key cryptography in the initial - authentication exchange in Kerberos has already been submitted. - This draft describes its use in cross-realm authentication. - - The principal advantage provided by public key cryptography in - cross-realm authentication lies in the ability to leverage the - existing public key infrastructure. It frees the Kerberos realm - administrator from having to maintain separate keys for each other - realm with which it wishes to exchange authentication information, - or to utilize a hierarchical arrangement, which may pose problems - of trust. - - Even with the multi-hop cross-realm authentication, there must be - some way to locate the path by which separate realms are to be - transited. The current method, which makes use of the DNS-like - realm names typical to Kerberos, requires trust of the intermediate - KDCs. - - The methods described in this draft allow a realm to specify, at - the time of authentication, which certification paths it will - trust. A shared key for cross-realm authentication can be - established, for a period of time. Furthermore, these methods are - transparent to the client, so that only the KDC's need to be - modified to use them. - - It is not necessary to implement the changes described in the - "Public Key Cryptography for Initial Authentication" draft to make - use of the changes in this draft. We solicit comments about the - interaction between the two protocol changes, but as of this - writing, the authors do not perceive any obstacles to using both. - - -3. Protocol Amendments - - We assume that the user has already obtained a TGT. 
To perform - cross-realm authentication, the user sends a request to the local - KDC as per RFC 1510. If the two realms share a secret key, then - cross-realm authentication proceeds as usual. Otherwise, the - local KDC may attempt to establish a shared key with the remote - KDC using public key cryptography, and exchange this key through - the cross-realm ticket granting ticket. - - We will consider the specific channel on which the message - exchanges take place in Section 5 below. - - -3.1. Changes to the Cross-Realm Ticket Granting Ticket - - In order to avoid the need for changes to the "installed base" of - Kerberos application clients and servers, the only protocol change - is to the way in which cross-realm ticket granting tickets (TGTs) - are encrypted; as these tickets are opaque to clients and servers, - the only change visible to them will be the increased size of the - tickets. - - Cross-realm TGTs are granted by a local KDC to authenticate a user - to a remote KDC's ticket granting service. In standard Kerberos, - they are encrypted using a shared secret key manually configured - into each KDC. - - In order to incorporate public key cryptography, we define a new - encryption type, "ENCTYPE_PK_CROSS". 
Operationally, this encryption - type transforms an OCTET STRING of plaintext (normally an EncTktPart) - into the following SEQUENCE: - - PKCrossOutput ::= SEQUENCE { - certificate [0] OCTET STRING OPTIONAL, - -- public key certificate - -- of local KDC - encSharedKey [1] EncryptedData, - -- of type EncryptionKey - -- containing random symmetric key - -- encrypted using public key - -- of remote KDC - sigSharedKey [2] Signature, - -- of encSharedKey - -- using signature key - -- of local KDC - pkEncData [3] EncryptedData, - -- (normally) of type EncTktPart - -- encrypted using encryption key - -- found in encSharedKey - } - - PKCROSS operates as follows: when a client submits a request for - cross-realm authentication, the local KDC checks to see if it has - a long-term shared key established for that realm. If so, it uses - this key as per RFC 1510. - - If not, it sends a request for information to the remote KDC. The - content of this message is immaterial, as it does not need to be - processed by the remote KDC; for the sake of consistency, we define - it as follows: - - RemoteRequest ::= [APPLICATION 41] SEQUENCE { - nonce [0] INTEGER - } - - The remote KDC replies with a list of all trusted certifiers and - all its (the remote KDC's) certificates. 
We note that this response - is universal and does not depend on which KDC makes the request: - - RemoteReply ::= [APPLICATION 42] SEQUENCE { - trustedCertifiers [0] SEQUENCE OF PrincipalName, - certificates[1] SEQUENCE OF Certificate, - encTypeToUse [1] SEQUENCE OF INTEGER - -- encryption types usable - -- for encrypting pkEncData - } - - Certificate ::= SEQUENCE { - CertType [0] INTEGER, - -- type of certificate - -- 1 = X.509v3 (DER encoding) - -- 2 = PGP (per PGP draft) - CertData [1] OCTET STRING - -- actual certificate - -- type determined by CertType - } -- from pk-init draft - - Upon receiving this reply, the local KDC determines whether it has - a certificate the remote KDC trusts, and whether the remote KDC has - a certificate the local KDC trusts. If so, it issues a ticket - encrypted using the ENCTYPE_PK_CROSS encryption type defined above. - - -3.2. Profile Caches - - We observe that using PKCROSS as specified above requires two - private key operations: a signature generation by the local KDC and - a decryption by the remote KDC. This cost can be reduced in the - long term by judicious caching of the encSharedKey and the - sigSharedKey. - - Let us define a "profile" as the encSharedKey and sigSharedKey, in - conjunction with the associated remote realm name and decrypted - shared key (the key encrypted in the encSharedKey). - - To optimize these interactions, each KDC maintains two caches, one - for outbound profiles and one for inbound profiles. When generating - an outbound TGT for another realm, the local KDC first checks to see - if the corresponding entry exists in the outbound profile cache; if - so, it uses its contents to form the first three fields of the - PKCrossOutput; the shared key is used to encrypt the data for the - fourth field. If not, the components are generated fresh and stored - in the outbound profile cache. - - Upon receipt of the TGT, the remote realm checks its inbound profile - cache for the corresponding entry. 
If it exists, then it uses the - contents of the entry to decrypt the data encrypted in the pkEncData. - If not, then it goes through the full process of verifying and - extracting the shared key; if this is successful, then a new entry - is created in the inbound profile cache. - - The inbound profile cache should support multiple entries per realm, - in the event that the initiating realm is replicated. - - -4. Finding Realms Supporting PKCROSS - - If either the local realm or the destination realm does not support - PKCROSS, or both do not, the mechanism specified in Section 3 can - still be used in obtaining the desired remote TGT. - - In the reference Kerberos implementations, the default behavior is - to traverse a path up and down the realm name hierarchy, if the - two realms do not share a key. There is, however, the possibility - of using cross links--i.e., keys shared between two realms that - are non-contiguous in the realm name hierarchy--to shorten the - path, both to minimize delay and the number of intermediate realms - that need to be trusted. - - PKCROSS can be used as a way to provide cross-links even in the - absence of shared keys. If the client is aware that one or two - intermediate realms support PKCROSS, then a combination of - PKCROSS and conventional cross-realm authentication can be used - to reach the final destination realm. - - We solicit discussion on the best methods for clients and KDCs to - determine or advertise support for PKCROSS. - - -5. Message Ports - - We have not specified the port on which KDCs supporting PKCROSS - should listen to receive the request for information messages noted - above. We solicit discussion on which port should be used. We - propose to use the standard Kerberos ports (well-known 88 or 750), - but another possibility is to use a completely different port. 
- - We also solicit discussion on what other approaches can be taken to - obtain the information in the RemoteReply (e.g., secure DNS or some - other repository). - - -6. Expiration Date - - This Internet-Draft will expire on September 30, 1997. - - -7. Authors' Addresses - - Brian Tung - Tatyana Ryutov - Clifford Neuman - Gene Tsudik - USC/Information Sciences Institute - 4676 Admiralty Way Suite 1001 - Marina del Rey, CA 90292-6695 - Phone: +1 310 822 1511 - E-Mail: {brian, tryutov, bcn, gts}@isi.edu - - Bill Sommerfeld - Hewlett Packard - 300 Apollo Drive - Chelmsford MA 01824 - Phone: +1 508 436 4352 - E-Mail: sommerfeld@apollo.hp.com - - Ari Medvinsky - Matthew Hur - CyberSafe Corporation - 1605 NW Sammamish Road Suite 310 - Issaquah WA 98027-5378 - Phone: +1 206 391 6000 - E-mail: {ari.medvinsky, matt.hur}@cybersafe.com diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-pk-cross-06.txt b/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-pk-cross-06.txt deleted file mode 100644 index 1ab2b03e07..0000000000 --- a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-pk-cross-06.txt +++ /dev/null 
@@ -1,523 +0,0 @@
-
-INTERNET-DRAFT Matthew Hur
-draft-ietf-cat-kerberos-pk-cross-06.txt CyberSafe Corporation
-Updates: RFC 1510 Brian Tung
-expires October 10, 2000 Tatyana Ryutov
- Clifford Neuman
- Gene Tsudik
- ISI
- Ari Medvinsky
- Keen.com
- Bill Sommerfeld
- Hewlett-Packard
-
-
- Public Key Cryptography for Cross-Realm Authentication in Kerberos
-
-
-0. Status Of this Memo
-
- This document is an Internet-Draft and is in full conformance with
- all provisions of Section 10 of RFC 2026. Internet-Drafts are
- working documents of the Internet Engineering Task Force (IETF),
- its areas, and its working groups. Note that other groups may
- also distribute working documents as Internet-Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six
- months and may be updated, replaced, or obsoleted by other
- documents at any time. It is inappropriate to use Internet-Drafts
- as reference material or to cite them other than as ``work in
- progress.''
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
-
-
- To learn the current status of any Internet-Draft, please check
- the ``1id-abstracts.txt'' listing contained in the Internet-Drafts
- Shadow Directories on ftp.ietf.org (US East Coast),
- nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or
- munnari.oz.au (Pacific Rim).
-
- The distribution of this memo is unlimited. It is filed as
- draft-ietf-cat-kerberos-pk-cross-06.txt, and expires May 15, 1999.
- Please send comments to the authors.
-
-
-1. Abstract
-
- This document defines extensions to the Kerberos protocol
- specification [1] to provide a method for using public key
- cryptography to enable cross-realm authentication.
The methods
- defined here specify the way in which message exchanges are to be
- used to transport cross-realm secret keys protected by encryption
- under public keys certified as belonging to KDCs.
-
-
-2. Introduction
-
- The Kerberos authentication protocol [2] can leverage the
- advantages provided by public key cryptography. PKINIT [3]
- describes the use of public key cryptography in the initial
- authentication exchange in Kerberos. PKTAPP [4] describes how an
- application service can essentially issue a kerberos ticket to
- itself after utilizing public key cryptography for authentication.
- Another informational document species the use of public key
- crypography for anonymous authentication in Kerberos [5]. This
- specification describes the use of public key crpytography in cross-
- realm authentication.
-
- Without the use of public key cryptography, administrators must
- maintain separate keys for every realm which wishes to exchange
- authentication information with another realm (which implies n(n-1)
- keys), or they must utilize a hierachichal arrangement of realms,
- which may complicate the trust model by requiring evaluation of
- transited realms.
-
- Even with the multi-hop cross-realm authentication, there must be
- some way to locate the path by which separate realms are to be
- transited. The current method, which makes use of the DNS-like
- realm names typical to Kerberos, requires trust of the intermediate
- KDCs.
-
- PKCROSS utilizes a public key infrastructure (PKI) [6] to simplify
- the administrative burden of maintaining cross-realm keys. Such
- usage leverages a PKI for a non-centrally-administratable environment
- (namely, inter-realm). Thus, a shared key for cross-realm
- authentication can be established for a set period of time, and a
- remote realm is able to issue policy information that is returned to
- itself when a client requests cross-realm authentication. Such policy
- information may be in the form of restrictions [7].
Furthermore,
- these methods are transparent to the client; therefore, only the KDCs
- need to be modified to use them. In this way, we take advantage of
- the the distributed trust management capabilities of public key
- crypography while maintaining the advantages of localized trust
- management provided by Kerberos.
-
-
- Although this specification utilizes the protocol specfied in the
- PKINIT specification, it is not necessary to implement client
- changes in order to make use of the changes in this document.
-
-
-3. Objectives
-
- The objectives of this specification are as follows:
-
- 1. Simplify the administration required to establish Kerberos
- cross-realm keys.
-
- 2. Avoid modification of clients and application servers.
-
- 3. Allow remote KDC to control its policy on cross-realm
- keys shared between KDCs, and on cross-realm tickets
- presented by clients.
-
- 4. Remove any need for KDCs to maintain state about keys
- shared with other KDCs.
-
- 5. Leverage the work done for PKINIT to provide the public key
- protocol for establishing symmetric cross realm keys.
-
-
-4. Definitions
-
- The following notation is used throughout this specification:
- KDC_l ........... local KDC
- KDC_r ........... remote KDC
- XTKT_(l,r) ...... PKCROSS ticket that the remote KDC issues to the
- local KDC
- TGT_(c,r) .......
cross-realm TGT that the local KDC issues to the
- client for presentation to the remote KDC
-
- This specification defines the following new types to be added to the
- Kerberos specification:
- PKCROSS kdc-options field in the AS_REQ is bit 9
- TE-TYPE-PKCROSS-KDC 2
- TE-TYPE-PKCROSS-CLIENT 3
-
- This specification defines the following ASN.1 type for conveying
- policy information:
- CrossRealmTktData ::= SEQUENCE OF TypedData
-
- This specification defines the following types for policy information
- conveyed in CrossRealmTktData:
- PLC_LIFETIME 1
- PLC_SET_TKT_FLAGS 2
- PLC_NOSET_TKT_FLAGS 3
-
- TicketExtensions are defined per the Kerberos specification [8]:
- TicketExtensions ::= SEQUENCE OF TypedData
- Where
- TypedData ::= SEQUENCE {
- data-type[0] INTEGER,
- data-value[1] OCTET STRING OPTIONAL
- }
-
-
-5. Protocol Specification
-
- We assume that the client has already obtained a TGT. To perform
- cross-realm authentication, the client does exactly what it does
- with ordinary (i.e. non-public-key-enabled) Kerberos; the only
- changes are in the KDC; although the ticket which the client
- forwards to the remote realm may be changed. This is acceptable
- since the client treats the ticket as opaque.
-
-
-5.1. Overview of Protocol
-
- The basic operation of the PKCROSS protocol is as follows:
-
- 1. The client submits a request to the local KDC for
- credentials for the remote realm. This is just a typical
- cross realm request that may occur with or without PKCROSS.
-
- 2. The local KDC submits a PKINIT request to the remote KDC to
- obtain a "special" PKCROSS ticket. This is a standard
- PKINIT request, except that PKCROSS flag (bit 9) is set in
- the kdc-options field in the AS_REQ.
-
- 3. The remote KDC responds as per PKINIT, except that
- the ticket contains a TicketExtension, which contains
- policy information such as lifetime of cross realm tickets
- issued by KDC_l to a client.
The local KDC must reflect - this policy information in the credentials it forwards to - the client. Call this ticket XTKT_(l,r) to indicate that - this ticket is used to authenticate the local KDC to the - remote KDC. - - 4. The local KDC passes a ticket, TGT_(c,r) (the cross realm - TGT between the client and remote KDC), to the client. - This ticket contains in its TicketExtension field the - ticket, XTKT_(l,r), which contains the cross-realm key. - The TGT_(c,r) ticket is encrypted using the key sealed in - XTKT_(l,r). (The TicketExtension field is not encrypted.) - The local KDC may optionally include another TicketExtension - type that indicates the hostname and/or IP address for the - remote KDC. - - 5. The client submits the request directly to the remote - KDC, as before. - - 6. The remote KDC extracts XTKT_(l,r) from the TicketExtension - in order to decrypt the encrypted part of TGT_(c,r). - - -------------------------------------------------------------------- - - Client Local KDC (KDC_l) Remote KDC (KDC_r) - ------ ----------------- ------------------ - Normal Kerberos - request for - cross-realm - ticket for KDC_r - ----------------------> - - PKINIT request for - XTKT(l,r) - PKCROSS flag - set in the AS-REQ - * -------------------------> - - PKINIT reply with - XTKT_(l,r) and - policy info in - ticket extension - <-------------------------- * - - Normal Kerberos reply - with TGT_(c,r) and - XTKT(l,r) in ticket - extension - <--------------------------------- - - Normal Kerberos - cross-realm TGS-REQ - for remote - application - service with - TGT_(c,r) and - XTKT(l,r) in ticket - extension - -------------------------------------------------> - - Normal Kerberos - cross-realm - TGS-REP - <--------------------------------------------------------------- - - * Note that the KDC to KDC messages occur only periodically, since - the local KDC caches the XTKT_(l,r). 
- -------------------------------------------------------------------- - - - Sections 5.2 through 5.4 describe in detail steps 2 through 4 - above. Section 5.6 describes the conditions under which steps - 2 and 3 may be skipped. - - Note that the mechanism presented above requires infrequent KDC to - KDC communication (as dictated by policy - this is discussed - later). Without such an exchange, there are the following issues: - 1) KDC_l would have to issue a ticket with the expectation that - KDC_r will accept it. - 2) In the message that the client sends to KDC_r, KDC_l would have - to authenticate KDC_r with credentials that KDC_r trusts. - 3) There is no way for KDC_r to convey policy information to KDC_l. - 4) If, based on local policy, KDC_r does not accept a ticket from - KDC_l, then the client gets stuck in the middle. To address such - an issue would require modifications to standard client - processing behavior. - Therefore, the infreqeunt use of KDC to KDC communication assures - that inter-realm KDC keys may be established in accordance with local - policies and that clients may continue to operate without - modification. - - -5.2. Local KDC's Request to Remote KDC - - When the local KDC receives a request for cross-realm authentication, - it first checks its ticket cache to see if it has a valid PKCROSS - ticket, XTKT_(l,r). If it has a valid XTKT_(l,r), then it does not - need to send a request to the remote KDC (see section 5.5). - - If the local KDC does not have a valid XTKT_(l,r), it sends a - request to the remote KDC in order to establish a cross realm key and - obtain the XTKT_(l,r). This request is in fact a PKINIT request as - described in the PKINIT specification; i.e., it consists of an AS-REQ - with a PA-PK-AS-REQ included as a preauthentication field. Note, - that the AS-REQ MUST have the PKCROSS flag (bit 9) set in the - kdc_options field of the AS-REQ. 
Otherwise, this exchange exactly
- follows the description given in the PKINIT specification. In
- addition, the naming
-
-
-5.3. Remote KDC's Response to Local KDC
-
- When the remote KDC receives the PKINIT/PKCROSS request from the
- local KDC, it sends back a PKINIT response as described in
- the PKINIT specification with the following exception: the encrypted
- part of the Kerberos ticket is not encrypted with the krbtgt key;
- instead, it is encrypted with the ticket granting server's PKCROSS
- key. This key, rather than the krbtgt key, is used because it
- encrypts a ticket used for verifying a cross realm request rather
- than for issuing an application service ticket. Note that, as a
- matter of policy, the session key for the XTKT_(l,r) MAY be of
- greater strength than that of a session key for a normal PKINIT
- reply, since the XTKT_(l,r) SHOULD be much longer lived than a
- normal application service ticket.
-
- In addition, the remote KDC SHOULD include policy information in the
- XTKT_(l,r). This policy information would then be reflected in the
- cross-realm TGT, TGT_(c,r). Otherwise, the policy for TGT_(c,r)
- would be dictated by KDC_l rather than by KDC_r. The local KDC MAY
- enforce a more restrictive local policy when creating a cross-realm
- ticket, TGT_(c,r). For example, KDC_r may dictate a lifetime
- policy of eight hours, but KDC_l may create TKT_(c,r) with a
- lifetime of four hours, as dictated by local policy. Also, the
- remote KDC MAY include other information about itself along with the
- PKCROSS ticket. These items are further discussed in section 6
- below.
-
-
-5.4. Local KDC's Response to Client
-
- Upon receipt of the PKINIT/CROSS response from the remote KDC,
- the local KDC formulates a response to the client.
This reply
- is constructed exactly as in the Kerberos specification, except
- for the following:
-
- A) The local KDC places XTKT_(l,r) in the TicketExtension field of
- the client's cross-realm, ticket, TGT_(c,r), for the remote realm.
- Where
- data-type equals 3 for TE-TYPE-PKCROSS-CLIENT
- data-value is ASN.1 encoding of XTKT_(l,r)
-
- B) The local KDC adds the name of its CA to the transited field of
- TGT_(c,r).
-
-
-5.5 Remote KDC's Processing of Client Request
-
- When the remote KDC, KDC_r, receives a cross-realm ticket,
- TGT_(c,r), and it detects that the ticket contains a ticket
- extension of type TE-TYPE-PKCROSS-CLIENT, KDC_r must first decrypt
- the ticket, XTKT_(l,r), that is encoded in the ticket extension.
- KDC_r uses its PKCROSS key in order to decrypt XTKT_(l,r). KDC_r
- then uses the key obtained from XTKT_(l,r) in order to decrypt the
- cross-realm ticket, TGT_(c,r).
-
- KDC_r MUST verify that the cross-realm ticket, TGT_(c,r) is in
- compliance with any policy information contained in XTKT_(l,r) (see
- section 6). If the TGT_(c,r) is not in compliance with policy, then
- the KDC_r responds to the client with a KRB-ERROR message of type
- KDC_ERR_POLICY.
-
-
-5.6. Short-Circuiting the KDC-to-KDC Exchange
-
- As we described earlier, the KDC to KDC exchange is required only
- for establishing a symmetric, inter-realm key. Once this key is
- established (via the PKINIT exchange), no KDC to KDC communication
- is required until that key needs to be renewed. This section
- describes the circumstances under which the KDC to KDC exchange
- described in Sections 5.2 and 5.3 may be skipped.
-
- The local KDC has a known lifetime for TGT_(c,r). This lifetime may
- be determined by policy information included in XTKT_(l,r), and/or
- it may be determined by local KDC policy.
If the local KDC already - has a ticket XTKT(l,r), and the start time plus the lifetime for - TGT_(c,r) does not exceed the expiration time for XTGT_(l,r), then - the local KDC may skip the exchange with the remote KDC, and issue a - cross-realm ticket to the client as described in Section 5.4. - - Since the remote KDC may change its PKCROSS key (referred to in - Section 5.2) while there are PKCROSS tickets still active, it SHOULD - cache the old PKCROSS keys until the last issued PKCROSS ticket - expires. Otherwise, the remote KDC will respond to a client with a - KRB-ERROR message of type KDC_ERR_TGT_REVOKED. - - -6. Extensions for the PKCROSS Ticket - - As stated in section 5.3, the remote KDC SHOULD include policy - information in XTKT_(l,r). This policy information is contained in - a TicketExtension, as defined by the Kerberos specification, and the - authorization data of the ticket will contain an authorization - record of type AD-IN-Ticket-Extensions. The TicketExtension defined - for use by PKCROSS is TE-TYPE-PKCROSS-KDC. - Where - data-type equals 2 for TE-TYPE-PKCROSS-KDC - data-value is ASN.1 encoding of CrossRealmTktData - - CrossRealmTktData ::= SEQUENCE OF TypedData - - - ------------------------------------------------------------------ - CrossRealmTktData types and the corresponding data are interpreted - as follows: - - ASN.1 data - type value interpretation encoding - ---------------- ----- -------------- ---------- - PLC_LIFETIME 1 lifetime (in seconds) INTEGER - for TGT_(c,r) - - cross-realm tickets - issued for clients by - TGT_l - - PLC_SET_TKT_FLAGS 2 TicketFlags that must BITSTRING - be set - - format defined by - Kerberos specification - - PLC_NOSET_TKT_FLAGS 3 TicketFlags that must BITSTRING - not be set - - format defined by - Kerberos specification - - Further types may be added to this table. - ------------------------------------------------------------------ - - -7. 
Usage of Certificates - - In the cases of PKINIT and PKCROSS, the trust in a certification - authority is equivalent to Kerberos cross realm trust. For this - reason, an implementation MAY choose to use the same KDC certificate - when the KDC is acting in any of the following three roles: - 1) KDC is authenticating clients via PKINIT - 2) KDC is authenticating another KDC for PKCROSS - 3) KDC is the client in a PKCROSS exchange with another KDC - - Note that per PKINIT, the KDC X.509 certificate (the server in a - PKINIT exchange) MUST contain the principal name of the KDC in the - subjectAltName field. - - -8. Transport Issues - - Because the messages between the KDCs involve PKINIT exchanges, and - PKINIT recommends TCP as a transport mechanism (due to the length of - the messages and the likelihood that they will fragment), the same - recommendation for TCP applies to PKCROSS as well. - - -9. Security Considerations - - Since PKCROSS utilizes PKINIT, it is subject to the same security - considerations as PKINIT. Administrators should assure adherence - to security policy - for example, this affects the PKCROSS policies - for cross realm key lifetime and for policy propogation from the - PKCROSS ticket, issued from a remote KDC to a local KDC, to - cross realm tickets that are issued by a local KDC to a client. - - -10. Bibliography - - [1] J. Kohl, C. Neuman. The Kerberos Network Authentication Service - (V5). Request for Comments 1510. - - [2] B.C. Neuman, Theodore Ts'o. Kerberos: An Authentication Service - for Computer Networks, IEEE Communications, 32(9):33-38. September - 1994. - - [3] B. Tung, C. Neuman, M. Hur, A. Medvinsky, S.Medvinsky, J. Wray - J. Trostle. Public Key Cryptography for Initial Authentication - in Kerberos. - draft-ietf-cat-kerberos-pk-init-11.txt - - [4] A. Medvinsky, M. Hur, S. Medvinsky, B. Clifford Neuman. Public - Key Utilizing Tickets for Application Servers (PKTAPP). draft-ietf- - cat-pktapp-02.txt - - [5] A. Medvinsky, J. 
Cargille, M. Hur. Anonymous Credentials in - Kerberos. draft-ietf-cat-kerberos-anoncred-01.txt - - [6] ITU-T (formerly CCITT) Information technology - Open Systems - Interconnection - The Directory: Authentication Framework - Recommendation X.509 ISO/IEC 9594-8 - - [7] B.C. Neuman, Proxy-Based Authorization and Accounting for - Distributed Systems. In Proceedings of the 13th International - Conference on Distributed Computing Systems, May 1993. - - [8] C.Neuman, J. Kohl, T. Ts'o. The Kerberos Network Authentication - Service (V5). draft-ietf-cat-kerberos-revisions-05.txt - - -11. Authors' Addresses - - Matthew Hur - CyberSafe Corporation - 1605 NW Sammamish Road - Issaquah WA 98027-5378 - Phone: +1 425 391 6000 - E-mail: matt.hur@cybersafe.com - - Brian Tung - Tatyana Ryutov - Clifford Neuman - Gene Tsudik - USC/Information Sciences Institute - 4676 Admiralty Way Suite 1001 - Marina del Rey, CA 90292-6695 - Phone: +1 310 822 1511 - E-Mail: {brian, tryutov, bcn, gts}@isi.edu - - Ari Medvinsky - Keen.com - 2480 Sand Hill Road, Suite 200 - Menlo Park, CA 94025 - Phone +1 650 289 3134 - E-mail: ari@keen.com - - Bill Sommerfeld - Hewlett Packard - 300 Apollo Drive - Chelmsford MA 01824 - Phone: +1 508 436 4352 - E-Mail: sommerfeld@apollo.hp.com - diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-pk-init-11.txt b/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-pk-init-11.txt deleted file mode 100644 index 9b0e76adad..0000000000 --- a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-pk-init-11.txt +++ /dev/null 
@@ -1,1059 +0,0 @@ -INTERNET-DRAFT Brian Tung -draft-ietf-cat-kerberos-pk-init-11.txt Clifford Neuman -Updates: RFC 1510 USC/ISI -expires September 15, 2000 Matthew Hur - CyberSafe Corporation - Ari Medvinsky - Keen.com, Inc. - Sasha Medvinsky - Motorola - John Wray - Iris Associates, Inc. - Jonathan Trostle - Cisco - - Public Key Cryptography for Initial Authentication in Kerberos - -0. Status Of This Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC 2026. Internet-Drafts are - working documents of the Internet Engineering Task Force (IETF), - its areas, and its working groups. Note that other groups may also - distribute working documents as Internet-Drafts. - - Internet-Drafts are draft documents valid for a maximum of six - months and may be updated, replaced, or obsoleted by other - documents at any time. It is inappropriate to use Internet-Drafts - as reference material or to cite them other than as "work in - progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - - To learn the current status of any Internet-Draft, please check - the "1id-abstracts.txt" listing contained in the Internet-Drafts - Shadow Directories on ftp.ietf.org (US East Coast), - nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or - munnari.oz.au (Pacific Rim). - - The distribution of this memo is unlimited. It is filed as - draft-ietf-cat-kerberos-pk-init-11.txt, and expires September 15, - 2000. Please send comments to the authors. - -1. Abstract - - This document defines extensions (PKINIT) to the Kerberos protocol - specification (RFC 1510 [1]) to provide a method for using public - key cryptography during initial authentication. 
The methods - defined specify the ways in which preauthentication data fields and - error data fields in Kerberos messages are to be used to transport - public key data. - -2. Introduction - - The popularity of public key cryptography has produced a desire for - its support in Kerberos [2]. The advantages provided by public key - cryptography include simplified key management (from the Kerberos - perspective) and the ability to leverage existing and developing - public key certification infrastructures. - - Public key cryptography can be integrated into Kerberos in a number - of ways. One is to associate a key pair with each realm, which can - then be used to facilitate cross-realm authentication; this is the - topic of another draft proposal. Another way is to allow users with - public key certificates to use them in initial authentication. This - is the concern of the current document. - - PKINIT utilizes ephemeral-ephemeral Diffie-Hellman keys in - combination with digital signature keys as the primary, required - mechanism. It also allows for the use of RSA keys and/or (static) - Diffie-Hellman certificates. Note in particular that PKINIT supports - the use of separate signature and encryption keys. - - PKINIT enables access to Kerberos-secured services based on initial - authentication utilizing public key cryptography. PKINIT utilizes - standard public key signature and encryption data formats within the - standard Kerberos messages. The basic mechanism is as follows: The - user sends an AS-REQ message to the KDC as before, except that if that - user is to use public key cryptography in the initial authentication - step, his certificate and a signature accompany the initial request - in the preauthentication fields. 
Upon receipt of this request, the - KDC verifies the certificate and issues a ticket granting ticket - (TGT) as before, except that the encPart from the AS-REP message - carrying the TGT is now encrypted utilizing either a Diffie-Hellman - derived key or the user's public key. This message is authenticated - utilizing the public key signature of the KDC. - - Note that PKINIT does not require the use of certificates. A KDC - may store the public key of a principal as part of that principal's - record. In this scenario, the KDC is the trusted party that vouches - for the principal (as in a standard, non-cross realm, Kerberos - environment). Thus, for any principal, the KDC may maintain a - secret key, a public key, or both. - - The PKINIT specification may also be used as a building block for - other specifications. PKCROSS [3] utilizes PKINIT for establishing - the inter-realm key and associated inter-realm policy to be applied - in issuing cross realm service tickets. As specified in [4], - anonymous Kerberos tickets can be issued by applying a NULL - signature in combination with Diffie-Hellman in the PKINIT exchange. - Additionally, the PKINIT specification may be used for direct peer - to peer authentication without contacting a central KDC. This - application of PKINIT is described in PKTAPP [5] and is based on - concepts introduced in [6, 7]. For direct client-to-server - authentication, the client uses PKINIT to authenticate to the end - server (instead of a central KDC), which then issues a ticket for - itself. This approach has an advantage over TLS [8] in that the - server does not need to save state (cache session keys). - Furthermore, an additional benefit is that Kerberos tickets can - facilitate delegation (see [9]). - -3. Proposed Extensions - - This section describes extensions to RFC 1510 for supporting the - use of public key cryptography in the initial request for a ticket - granting ticket (TGT). 
- - In summary, the following change to RFC 1510 is proposed: - - * Users may authenticate using either a public key pair or a - conventional (symmetric) key. If public key cryptography is - used, public key data is transported in preauthentication - data fields to help establish identity. The user presents - a public key certificate and obtains an ordinary TGT that may - be used for subsequent authentication, with such - authentication using only conventional cryptography. - - Section 3.1 provides definitions to help specify message formats. - Section 3.2 describes the extensions for the initial authentication - method. - -3.1. Definitions - - The extensions involve new preauthentication fields; we introduce - the following preauthentication types: - - PA-PK-AS-REQ 14 - PA-PK-AS-REP 15 - - The extensions also involve new error types; we introduce the - following types: - - KDC_ERR_CLIENT_NOT_TRUSTED 62 - KDC_ERR_KDC_NOT_TRUSTED 63 - KDC_ERR_INVALID_SIG 64 - KDC_ERR_KEY_TOO_WEAK 65 - KDC_ERR_CERTIFICATE_MISMATCH 66 - KDC_ERR_CANT_VERIFY_CERTIFICATE 70 - KDC_ERR_INVALID_CERTIFICATE 71 - KDC_ERR_REVOKED_CERTIFICATE 72 - KDC_ERR_REVOCATION_STATUS_UNKNOWN 73 - KDC_ERR_REVOCATION_STATUS_UNAVAILABLE 74 - KDC_ERR_CLIENT_NAME_MISMATCH 75 - KDC_ERR_KDC_NAME_MISMATCH 76 - - We utilize the following typed data for errors: - - TD-PKINIT-CMS-CERTIFICATES 101 - TD-KRB-PRINCIPAL 102 - TD-KRB-REALM 103 - TD-TRUSTED-CERTIFIERS 104 - TD-CERTIFICATE-INDEX 105 - - We utilize the following encryption types (which map directly to - OIDs): - - dsaWithSHA1-CmsOID 9 - md5WithRSAEncryption-CmsOID 10 - sha1WithRSAEncryption-CmsOID 11 - rc2CBC-EnvOID 12 - rsaEncryption-EnvOID (PKCS#1 v1.5) 13 - rsaES-OAEP-ENV-OID (PKCS#1 v2.0) 14 - des-ede3-cbc-Env-OID 15 - - These mappings are provided so that a client may send the - appropriate enctypes in the AS-REQ message in order to indicate - support for the corresponding OIDs (for performing PKINIT). 
- - In many cases, PKINIT requires the encoding of the X.500 name of a - certificate authority as a Realm. When such a name appears as - a realm it will be represented using the "other" form of the realm - name as specified in the naming constraints section of RFC1510. - For a realm derived from an X.500 name, NAMETYPE will have the value - X500-RFC2253. The full realm name will appear as follows: - - + ":" + - - where nametype is "X500-RFC2253" and string is the result of doing - an RFC2253 encoding of the distinguished name, i.e. - - "X500-RFC2253:" + RFC2253Encode(DistinguishedName) - - where DistinguishedName is an X.500 name, and RFC2253Encode is a - function returing a readable UTF encoding of an X.500 name, as - defined by RFC 2253 [14] (part of LDAPv3 [18]). - - To ensure that this encoding is unique, we add the following rule - to those specified by RFC 2253: - - The order in which the attributes appear in the RFC 2253 - encoding must be the reverse of the order in the ASN.1 - encoding of the X.500 name that appears in the public key - certificate. The order of the relative distinguished names - (RDNs), as well as the order of the AttributeTypeAndValues - within each RDN, will be reversed. (This is despite the fact - that an RDN is defined as a SET of AttributeTypeAndValues, where - an order is normally not important.) - - Similarly, in cases where the KDC does not provide a specific - policy based mapping from the X.500 name or X.509 Version 3 - SubjectAltName extension in the user's certificate to a Kerberos - principal name, PKINIT requires the direct encoding of the X.500 - name as a PrincipalName. In this case, the name-type of the - principal name shall be set to KRB_NT-X500-PRINCIPAL. This new - name type is defined in RFC 1510 as: - - KRB_NT_X500_PRINCIPAL 6 - - The name-string shall be set as follows: - - RFC2253Encode(DistinguishedName) - - as described above. 
When this name type is used, the principal's - realm shall be set to the certificate authority's distinguished - name using the X500-RFC2253 realm name format described earlier in - this section - - RFC 1510 specifies the ASN.1 structure for PrincipalName as follows: - - PrincipalName ::= SEQUENCE { - name-type[0] INTEGER, - name-string[1] SEQUENCE OF GeneralString - } - - For the purposes of encoding an X.500 name as a Kerberos name for - use in Kerberos structures, the name-string shall be encoded as a - single GeneralString. The name-type should be KRB_NT_X500_PRINCIPAL, - as noted above. All Kerberos names must conform to validity - requirements as given in RFC 1510. Note that name mapping may be - required or optional, based on policy. - - We also define the following similar ASN.1 structure: - - CertPrincipalName ::= SEQUENCE { - name-type[0] INTEGER, - name-string[1] SEQUENCE OF UTF8String - } - - When a Kerberos PrincipalName is to be placed within an X.509 data - structure, the CertPrincipalName structure is to be used, with the - name-string encoded as a single UTF8String. The name-type should be - as identified in the original PrincipalName structure. The mapping - between the GeneralString and UTF8String formats can be found in - [19]. - - The following rules relate to the the matching of PrincipalNames (or - corresponding CertPrincipalNames) with regard to the PKI name - constraints for CAs as laid out in RFC 2459 [15]. In order to be - regarded as a match (for permitted and excluded name trees), the - following must be satisfied. - - 1. If the constraint is given as a user plus realm name, or - as a user plus instance plus realm name (as specified in - RFC 1510), the realm name must be valid (see 2.a-d below) - and the match must be exact, byte for byte. - - 2. If the constraint is given only as a realm name, matching - depends on the type of the realm: - - a. 
If the realm contains a colon (':') before any equal - sign ('='), it is treated as a realm of type Other, - and must match exactly, byte for byte. - - b. Otherwise, if the realm contains an equal sign, it - is treated as an X.500 name. In order to match, every - component in the constraint MUST be in the principal - name, and have the same value. For example, 'C=US' - matches 'C=US/O=ISI' but not 'C=UK'. - - c. Otherwise, if the realm name conforms to rules regarding - the format of DNS names, it is considered a realm name of - type Domain. The constraint may be given as a realm - name 'FOO.BAR', which matches any PrincipalName within - the realm 'FOO.BAR' but not those in subrealms such as - 'CAR.FOO.BAR'. A constraint of the form '.FOO.BAR' - matches PrincipalNames in subrealms of the form - 'CAR.FOO.BAR' but not the realm 'FOO.BAR' itself. - - d. Otherwise, the realm name is invalid and does not match - under any conditions. - -3.1.1. Encryption and Key Formats - - In the exposition below, we use the terms public key and private - key generically. It should be understood that the term "public - key" may be used to refer to either a public encryption key or a - signature verification key, and that the term "private key" may be - used to refer to either a private decryption key or a signature - generation key. The fact that these are logically distinct does - not preclude the assignment of bitwise identical keys for RSA - keys. - - In the case of Diffie-Hellman, the key shall be produced from the - agreed bit string as follows: - - * Truncate the bit string to the appropriate length. - * Rectify parity in each byte (if necessary) to obtain the key. - - For instance, in the case of a DES key, we take the first eight - bytes of the bit stream, and then adjust the least significant bit - of each byte to ensure that each byte has odd parity. - -3.1.2. Algorithm Identifiers - - PKINIT does not define, but does permit, the algorithm identifiers - listed below. 
- -3.1.2.1. Signature Algorithm Identifiers - - The following signature algorithm identifiers specified in [11] and - in [15] shall be used with PKINIT: - - id-dsa-with-sha1 (DSA with SHA1) - md5WithRSAEncryption (RSA with MD5) - sha-1WithRSAEncryption (RSA with SHA1) - -3.1.2.2 Diffie-Hellman Key Agreement Algorithm Identifier - - The following algorithm identifier shall be used within the - SubjectPublicKeyInfo data structure: dhpublicnumber - - This identifier and the associated algorithm parameters are - specified in RFC 2459 [15]. - -3.1.2.3. Algorithm Identifiers for RSA Encryption - - These algorithm identifiers are used inside the EnvelopedData data - structure, for encrypting the temporary key with a public key: - - rsaEncryption (RSA encryption, PKCS#1 v1.5) - id-RSAES-OAEP (RSA encryption, PKCS#1 v2.0) - - Both of the above RSA encryption schemes are specified in [16]. - Currently, only PKCS#1 v1.5 is specified by CMS [11], although the - CMS specification says that it will likely include PKCS#1 v2.0 in - the future. (PKCS#1 v2.0 addresses adaptive chosen ciphertext - vulnerability discovered in PKCS#1 v1.5.) - -3.1.2.4. Algorithm Identifiers for Encryption with Secret Keys - - These algorithm identifiers are used inside the EnvelopedData data - structure in the PKINIT Reply, for encrypting the reply key with the - temporary key: - des-ede3-cbc (3-key 3-DES, CBC mode) - rc2-cbc (RC2, CBC mode) - - The full definition of the above algorithm identifiers and their - corresponding parameters (an IV for block chaining) is provided in - the CMS specification [11]. - -3.2. Public Key Authentication - - Implementation of the changes in this section is REQUIRED for - compliance with PKINIT. - -3.2.1. Client Request - - Public keys may be signed by some certification authority (CA), or - they may be maintained by the KDC in which case the KDC is the - trusted authority. Note that the latter mode does not require the - use of certificates. 
- - The initial authentication request is sent as per RFC 1510, except - that a preauthentication field containing data signed by the user's - private key accompanies the request: - - PA-PK-AS-REQ ::= SEQUENCE { - -- PA TYPE 14 - signedAuthPack [0] SignedData - -- Defined in CMS [11]; - -- AuthPack (below) defines the - -- data that is signed. - trustedCertifiers [1] SEQUENCE OF TrustedCas OPTIONAL, - -- This is a list of CAs that the - -- client trusts and that certify - -- KDCs. - kdcCert [2] IssuerAndSerialNumber OPTIONAL - -- As defined in CMS [11]; - -- specifies a particular KDC - -- certificate if the client - -- already has it. - encryptionCert [3] IssuerAndSerialNumber OPTIONAL - -- For example, this may be the - -- client's Diffie-Hellman - -- certificate, or it may be the - -- client's RSA encryption - -- certificate. - } - - TrustedCas ::= CHOICE { - principalName [0] KerberosName, - -- as defined below - caName [1] Name - -- fully qualified X.500 name - -- as defined by X.509 - issuerAndSerial [2] IssuerAndSerialNumber - -- Since a CA may have a number of - -- certificates, only one of which - -- a client trusts - } - - Usage of SignedData: - - The SignedData data type is specified in the Cryptographic - Message Syntax, a product of the S/MIME working group of the - IETF. The following describes how to fill in the fields of - this data: - - 1. The encapContentInfo field must contain the PKAuthenticator - and, optionally, the client's Diffie Hellman public value. - - a. The eContentType field shall contain the OID value for - pkdata: iso (1) org (3) dod (6) internet (1) security (5) - kerberosv5 (2) pkinit (3) pkdata (1) - - b. The eContent field is data of the type AuthPack (below). - - 2. The signerInfos field contains the signature of AuthPack. - - 3. The Certificates field, when non-empty, contains the client's - certificate chain. If present, the KDC uses the public key - from the client's certificate to verify the signature in the - request. 
Note that the client may pass different certificate - chains that are used for signing or for encrypting. Thus, - the KDC may utilize a different client certificate for - signature verification than the one it uses to encrypt the - reply to the client. For example, the client may place a - Diffie-Hellman certificate in this field in order to convey - its static Diffie Hellman certificate to the KDC to enable - static-ephemeral Diffie-Hellman mode for the reply; in this - case, the client does NOT place its public value in the - AuthPack (defined below). As another example, the client may - place an RSA encryption certificate in this field. However, - there must always be (at least) a signature certificate. - - AuthPack ::= SEQUENCE { - pkAuthenticator [0] PKAuthenticator, - clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL - -- if client is using Diffie-Hellman - -- (ephemeral-ephemeral only) - } - - PKAuthenticator ::= SEQUENCE { - kdcName [0] PrincipalName, - kdcRealm [1] Realm, - cusec [2] INTEGER, - -- for replay prevention as in RFC1510 - ctime [3] KerberosTime, - -- for replay prevention as in RFC1510 - nonce [4] INTEGER - } - - SubjectPublicKeyInfo ::= SEQUENCE { - algorithm AlgorithmIdentifier, - -- dhKeyAgreement - subjectPublicKey BIT STRING - -- for DH, equals - -- public exponent (INTEGER encoded - -- as payload of BIT STRING) - } -- as specified by the X.509 recommendation [10] - - AlgorithmIdentifier ::= SEQUENCE { - algorithm ALGORITHM.&id, - parameters ALGORITHM.&type - } -- as specified by the X.509 recommendation [10] - - If the client passes an issuer and serial number in the request, - the KDC is requested to use the referred-to certificate. If none - exists, then the KDC returns an error of type - KDC_ERR_CERTIFICATE_MISMATCH. It also returns this error if, on the - other hand, the client does not pass any trustedCertifiers, - believing that it has the KDC's certificate, but the KDC has more - than one certificate. 
The KDC should include information in the - KRB-ERROR message that indicates the KDC certificate(s) that a - client may utilize. This data is specified in the e-data, which - is defined in RFC 1510 revisions as a SEQUENCE of TypedData: - - TypedData ::= SEQUENCE { - data-type [0] INTEGER, - data-value [1] OCTET STRING, - } -- per Kerberos RFC 1510 revisions - - where: - data-type = TD-PKINIT-CMS-CERTIFICATES = 101 - data-value = CertificateSet // as specified by CMS [11] - - The PKAuthenticator carries information to foil replay attacks, and - to bind the request and response. The PKAuthenticator is signed - with the client's signature key. - -3.2.2. KDC Response - - Upon receipt of the AS_REQ with PA-PK-AS-REQ pre-authentication - type, the KDC attempts to verify the user's certificate chain - (userCert), if one is provided in the request. This is done by - verifying the certification path against the KDC's policy of - legitimate certifiers. This may be based on a certification - hierarchy, or it may be simply a list of recognized certifiers in a - system like PGP. - - If the client's certificate chain contains no certificate signed by - a CA trusted by the KDC, then the KDC sends back an error message - of type KDC_ERR_CANT_VERIFY_CERTIFICATE. The accompanying e-data - is a SEQUENCE of one TypedData (with type TD-TRUSTED-CERTIFIERS=104) - whose data-value is an OCTET STRING which is the DER encoding of - - TrustedCertifiers ::= SEQUENCE OF PrincipalName - -- X.500 name encoded as a principal name - -- see Section 3.1 - - If while verifying a certificate chain the KDC determines that the - signature on one of the certificates in the CertificateSet from - the signedAuthPack fails verification, then the KDC returns an - error of type KDC_ERR_INVALID_CERTIFICATE. 
The accompanying - e-data is a SEQUENCE of one TypedData (with type - TD-CERTIFICATE-INDEX=105) whose data-value is an OCTET STRING - which is the DER encoding of the index into the CertificateSet - ordered as sent by the client. - - CertificateIndex ::= INTEGER - -- 0 = 1st certificate, - -- (in order of encoding) - -- 1 = 2nd certificate, etc - - The KDC may also check whether any of the certificates in the - client's chain has been revoked. If one of the certificates has - been revoked, then the KDC returns an error of type - KDC_ERR_REVOKED_CERTIFICATE; if such a query reveals that - the certificate's revocation status is unknown or not - available, then if required by policy, the KDC returns the - appropriate error of type KDC_ERR_REVOCATION_STATUS_UNKNOWN or - KDC_ERR_REVOCATION_STATUS_UNAVAILABLE. In any of these three - cases, the affected certificate is identified by the accompanying - e-data, which contains a CertificateIndex as described for - KDC_ERR_INVALID_CERTIFICATE. - - If the certificate chain can be verified, but the name of the - client in the certificate does not match the client's name in the - request, then the KDC returns an error of type - KDC_ERR_CLIENT_NAME_MISMATCH. There is no accompanying e-data - field in this case. - - Finally, if the certificate chain is verified, but the KDC's name - or realm as given in the PKAuthenticator does not match the KDC's - actual principal name, then the KDC returns an error of type - KDC_ERR_KDC_NAME_MISMATCH. The accompanying e-data field is again - a SEQUENCE of one TypedData (with type TD-KRB-PRINCIPAL=102 or - TD-KRB-REALM=103 as appropriate) whose data-value is an OCTET - STRING whose data-value is the DER encoding of a PrincipalName or - Realm as defined in RFC 1510 revisions. - - Even if all succeeds, the KDC may--for policy reasons--decide not - to trust the client. In this case, the KDC returns an error message - of type KDC_ERR_CLIENT_NOT_TRUSTED. 
One specific case of this is - the presence or absence of an Enhanced Key Usage (EKU) OID within - the certificate extensions. The rules regarding acceptability of - an EKU sequence (or the absence of any sequence) are a matter of - local policy. For the benefit of implementers, we define a PKINIT - EKU OID as the following: iso (1) org (3) dod (6) internet (1) - security (5) kerberosv5 (2) pkinit (3) pkekuoid (2). - - If a trust relationship exists, the KDC then verifies the client's - signature on AuthPack. If that fails, the KDC returns an error - message of type KDC_ERR_INVALID_SIG. Otherwise, the KDC uses the - timestamp (ctime and cusec) in the PKAuthenticator to assure that - the request is not a replay. The KDC also verifies that its name - is specified in the PKAuthenticator. - - If the clientPublicValue field is filled in, indicating that the - client wishes to use Diffie-Hellman key agreement, then the KDC - checks to see that the parameters satisfy its policy. If they do - not (e.g., the prime size is insufficient for the expected - encryption type), then the KDC sends back an error message of type - KDC_ERR_KEY_TOO_WEAK. Otherwise, it generates its own public and - private values for the response. - - The KDC also checks that the timestamp in the PKAuthenticator is - within the allowable window and that the principal name and realm - are correct. If the local (server) time and the client time in the - authenticator differ by more than the allowable clock skew, then the - KDC returns an error message of type KRB_AP_ERR_SKEW as defined in 1510. - - Assuming no errors, the KDC replies as per RFC 1510, except as - follows. The user's name in the ticket is determined by the - following decision algorithm: - - 1. If the KDC has a mapping from the name in the certificate - to a Kerberos name, then use that name. - Else - 2. 
If the certificate contains the SubjectAltName extention - and the local KDC policy defines a mapping from the - SubjectAltName to a Kerberos name, then use that name. - Else - 3. Use the name as represented in the certificate, mapping - mapping as necessary (e.g., as per RFC 2253 for X.500 - names). In this case the realm in the ticket shall be the - name of the certifier that issued the user's certificate. - - Note that a principal name may be carried in the subject alt name - field of a certificate. This name may be mapped to a principal - record in a security database based on local policy, for example - the subject alt name may be kerberos/principal@realm format. In - this case the realm name is not that of the CA but that of the - local realm doing the mapping (or some realm name chosen by that - realm). - - If a non-KDC X.509 certificate contains the principal name within - the subjectAltName version 3 extension , that name may utilize - KerberosName as defined below, or, in the case of an S/MIME - certificate [17], may utilize the email address. If the KDC - is presented with an S/MIME certificate, then the email address - within subjectAltName will be interpreted as a principal and realm - separated by the "@" sign, or as a name that needs to be - canonicalized. If the resulting name does not correspond to a - registered principal name, then the principal name is formed as - defined in section 3.1. - - The trustedCertifiers field contains a list of certification - authorities trusted by the client, in the case that the client does - not possess the KDC's public key certificate. If the KDC has no - certificate signed by any of the trustedCertifiers, then it returns - an error of type KDC_ERR_KDC_NOT_TRUSTED. - - KDCs should try to (in order of preference): - 1. Use the KDC certificate identified by the serialNumber included - in the client's request. - 2. 
Use a certificate issued to the KDC by the client's CA (if in the - middle of a CA key roll-over, use the KDC cert issued under same - CA key as user cert used to verify request). - 3. Use a certificate issued to the KDC by one of the client's - trustedCertifier(s); - If the KDC is unable to comply with any of these options, then the - KDC returns an error message of type KDC_ERR_KDC_NOT_TRUSTED to the - client. - - The KDC encrypts the reply not with the user's long-term key, but - with the Diffie Hellman derived key or a random key generated - for this particular response which is carried in the padata field of - the TGS-REP message. - - PA-PK-AS-REP ::= CHOICE { - -- PA TYPE 15 - dhSignedData [0] SignedData, - -- Defined in CMS and used only with - -- Diffie-Hellman key exchange (if the - -- client public value was present in the - -- request). - -- This choice MUST be supported - -- by compliant implementations. - encKeyPack [1] EnvelopedData, - -- Defined in CMS - -- The temporary key is encrypted - -- using the client public key - -- key - -- SignedReplyKeyPack, encrypted - -- with the temporary key, is also - -- included. - } - - Usage of SignedData: - - When the Diffie-Hellman option is used, dhSignedData in - PA-PK-AS-REP provides authenticated Diffie-Hellman parameters - of the KDC. The reply key used to encrypt part of the KDC reply - message is derived from the Diffie-Hellman exchange: - - 1. Both the KDC and the client calculate a secret value - (g^ab mod p), where a is the client's private exponent and - b is the KDC's private exponent. - - 2. Both the KDC and the client take the first N bits of this - secret value and convert it into a reply key. N depends on - the reply key type. - - 3. If the reply key is DES, N=64 bits, where some of the bits - are replaced with parity bits, according to FIPS PUB 74. - - 4. If the reply key is (3-key) 3-DES, N=192 bits, where some - of the bits are replaced with parity bits, according to - FIPS PUB 74. - - 5. 
The encapContentInfo field must contain the KdcDHKeyInfo as - defined below. - - a. The eContentType field shall contain the OID value for - pkdata: iso (1) org (3) dod (6) internet (1) security (5) - kerberosv5 (2) pkinit (3) pkdata (1) - - b. The eContent field is data of the type KdcDHKeyInfo - (below). - - 6. The certificates field must contain the certificates - necessary for the client to establish trust in the KDC's - certificate based on the list of trusted certifiers sent by - the client in the PA-PK-AS-REQ. This field may be empty if - the client did not send to the KDC a list of trusted - certifiers (the trustedCertifiers field was empty, meaning - that the client already possesses the KDC's certificate). - - 7. The signerInfos field is a SET that must contain at least - one member, since it contains the actual signature. - - KdcDHKeyInfo ::= SEQUENCE { - -- used only when utilizing Diffie-Hellman - nonce [0] INTEGER, - -- binds responce to the request - subjectPublicKey [2] BIT STRING - -- Equals public exponent (g^a mod p) - -- INTEGER encoded as payload of - -- BIT STRING - } - - Usage of EnvelopedData: - - The EnvelopedData data type is specified in the Cryptographic - Message Syntax, a product of the S/MIME working group of the - IETF. It contains a temporary key encrypted with the PKINIT - client's public key. It also contains a signed and encrypted - reply key. - - 1. The originatorInfo field is not required, since that - information may be presented in the signedData structure - that is encrypted within the encryptedContentInfo field. - - 2. The optional unprotectedAttrs field is not required for - PKINIT. - - 3. The recipientInfos field is a SET which must contain exactly - one member of the KeyTransRecipientInfo type for encryption - with an RSA public key. - - a. The encryptedKey field (in KeyTransRecipientInfo) - contains the temporary key which is encrypted with the - PKINIT client's public key. - - 4. 
The encryptedContentInfo field contains the signed and - encrypted reply key. - - a. The contentType field shall contain the OID value for - id-signedData: iso (1) member-body (2) us (840) - rsadsi (113549) pkcs (1) pkcs7 (7) signedData (2) - - b. The encryptedContent field is encrypted data of the CMS - type signedData as specified below. - - i. The encapContentInfo field must contains the - ReplyKeyPack. - - * The eContentType field shall contain the OID value - for pkdata: iso (1) org (3) dod (6) internet (1) - security (5) kerberosv5 (2) pkinit (3) pkdata (1) - - * The eContent field is data of the type ReplyKeyPack - (below). - - ii. The certificates field must contain the certificates - necessary for the client to establish trust in the - KDC's certificate based on the list of trusted - certifiers sent by the client in the PA-PK-AS-REQ. - This field may be empty if the client did not send - to the KDC a list of trusted certifiers (the - trustedCertifiers field was empty, meaning that the - client already possesses the KDC's certificate). - - iii. The signerInfos field is a SET that must contain at - least one member, since it contains the actual - signature. - - ReplyKeyPack ::= SEQUENCE { - -- not used for Diffie-Hellman - replyKey [0] EncryptionKey, - -- used to encrypt main reply - -- ENCTYPE is at least as strong as - -- ENCTYPE of session key - nonce [1] INTEGER, - -- binds response to the request - -- must be same as the nonce - -- passed in the PKAuthenticator - } - - Since each certifier in the certification path of a user's - certificate is equivalent to a separate Kerberos realm, the name - of each certifier in the certificate chain must be added to the - transited field of the ticket. The format of these realm names is - defined in Section 3.1 of this document. If applicable, the - transit-policy-checked flag should be set in the issued ticket. 
- - The KDC's certificate(s) must bind the public key(s) of the KDC to - a name derivable from the name of the realm for that KDC. X.509 - certificates shall contain the principal name of the KDC - (defined in section 8.2 of RFC 1510) as the SubjectAltName version - 3 extension. Below is the definition of this version 3 extension, - as specified by the X.509 standard: - - subjectAltName EXTENSION ::= { - SYNTAX GeneralNames - IDENTIFIED BY id-ce-subjectAltName - } - - GeneralNames ::= SEQUENCE SIZE(1..MAX) OF GeneralName - - GeneralName ::= CHOICE { - otherName [0] OtherName, - ... - } - - OtherName ::= SEQUENCE { - type-id OBJECT IDENTIFIER, - value [0] EXPLICIT ANY DEFINED BY type-id - } - - For the purpose of specifying a Kerberos principal name, the value - in OtherName shall be a KerberosName as defined in RFC 1510, but with - the PrincipalName replaced by CertPrincipalName as mentioned in - Section 3.1: - - KerberosName ::= SEQUENCE { - realm [0] Realm, - principalName [1] CertPrincipalName -- defined above - } - - This specific syntax is identified within subjectAltName by setting - the type-id in OtherName to krb5PrincipalName, where (from the - Kerberos specification) we have - - krb5 OBJECT IDENTIFIER ::= { iso (1) - org (3) - dod (6) - internet (1) - security (5) - kerberosv5 (2) } - - krb5PrincipalName OBJECT IDENTIFIER ::= { krb5 2 } - - (This specification may also be used to specify a Kerberos name - within the user's certificate.) The KDC's certificate may be signed - directly by a CA, or there may be intermediaries if the server resides - within a large organization, or it may be unsigned if the client - indicates possession (and trust) of the KDC's certificate. - - The client then extracts the random key used to encrypt the main - reply. This random key (in encPaReply) is encrypted with either the - client's public key or with a key derived from the DH values - exchanged between the client and the KDC. 
The client uses this - random key to decrypt the main reply, and subsequently proceeds as - described in RFC 1510. - -3.2.3. Required Algorithms - - Not all of the algorithms in the PKINIT protocol specification have - to be implemented in order to comply with the proposed standard. - Below is a list of the required algorithms: - - * Diffie-Hellman public/private key pairs - * utilizing Diffie-Hellman ephemeral-ephemeral mode - * SHA1 digest and DSA for signatures - * 3-key triple DES keys derived from the Diffie-Hellman Exchange - * 3-key triple DES Temporary and Reply keys - -4. Logistics and Policy - - This section describes a way to define the policy on the use of - PKINIT for each principal and request. - - The KDC is not required to contain a database record for users - who use public key authentication. However, if these users are - registered with the KDC, it is recommended that the database record - for these users be modified to an additional flag in the attributes - field to indicate that the user should authenticate using PKINIT. - If this flag is set and a request message does not contain the - PKINIT preauthentication field, then the KDC sends back as error of - type KDC_ERR_PREAUTH_REQUIRED indicating that a preauthentication - field of type PA-PK-AS-REQ must be included in the request. - -5. Security Considerations - - PKINIT raises a few security considerations, which we will address - in this section. - - First of all, PKINIT introduces a new trust model, where KDCs do not - (necessarily) certify the identity of those for whom they issue - tickets. PKINIT does allow KDCs to act as their own CAs, in the - limited capacity of self-signing their certificates, but one of the - additional benefits is to align Kerberos authentication with a global - public key infrastructure. Anyone using PKINIT in this way must be - aware of how the certification infrastructure they are linking to - works. 
- - Secondly, PKINIT also introduces the possibility of interactions - between different cryptosystems, which may be of widely varying - strengths. Many systems, for instance, allow the use of 512-bit - public keys. Using such keys to wrap data encrypted under strong - conventional cryptosystems, such as triple-DES, is inappropriate; - it adds a weak link to a strong one at extra cost. Implementors - and administrators should take care to avoid such wasteful and - deceptive interactions. - - Lastly, PKINIT calls for randomly generated keys for conventional - cryptosystems. Many such systems contain systematically "weak" - keys. PKINIT implementations MUST avoid use of these keys, either - by discarding those keys when they are generated, or by fixing them - in some way (e.g., by XORing them with a given mask). These - precautions vary from system to system; it is not our intention to - give an explicit recipe for them here. - -6. Transport Issues - - Certificate chains can potentially grow quite large and span several - UDP packets; this in turn increases the probability that a Kerberos - message involving PKINIT extensions will be broken in transit. In - light of the possibility that the Kerberos specification will - require KDCs to accept requests using TCP as a transport mechanism, - we make the same recommendation with respect to the PKINIT - extensions as well. - -7. Bibliography - - [1] J. Kohl, C. Neuman. The Kerberos Network Authentication Service - (V5). Request for Comments 1510. - - [2] B.C. Neuman, Theodore Ts'o. Kerberos: An Authentication Service - for Computer Networks, IEEE Communications, 32(9):33-38. September - 1994. - - [3] B. Tung, T. Ryutov, C. Neuman, G. Tsudik, B. Sommerfeld, - A. Medvinsky, M. Hur. Public Key Cryptography for Cross-Realm - Authentication in Kerberos. draft-ietf-cat-kerberos-pk-cross-04.txt - - [4] A. Medvinsky, J. Cargille, M. Hur. Anonymous Credentials in - Kerberos. 
draft-ietf-cat-kerberos-anoncred-00.txt - - [5] Ari Medvinsky, M. Hur, Alexander Medvinsky, B. Clifford Neuman. - Public Key Utilizing Tickets for Application Servers (PKTAPP). - draft-ietf-cat-pktapp-02.txt - - [6] M. Sirbu, J. Chuang. Distributed Authentication in Kerberos - Using Public Key Cryptography. Symposium On Network and Distributed - System Security, 1997. - - [7] B. Cox, J.D. Tygar, M. Sirbu. NetBill Security and Transaction - Protocol. In Proceedings of the USENIX Workshop on Electronic - Commerce, July 1995. - - [8] T. Dierks, C. Allen. The TLS Protocol, Version 1.0 - Request for Comments 2246, January 1999. - - [9] B.C. Neuman, Proxy-Based Authorization and Accounting for - Distributed Systems. In Proceedings of the 13th International - Conference on Distributed Computing Systems, May 1993. - - [10] ITU-T (formerly CCITT) Information technology - Open Systems - Interconnection - The Directory: Authentication Framework - Recommendation X.509 ISO/IEC 9594-8 - - [11] R. Housley. Cryptographic Message Syntax. - draft-ietf-smime-cms-13.txt, April 1999, approved for publication - as RFC. - - [12] PKCS #7: Cryptographic Message Syntax Standard, - An RSA Laboratories Technical Note Version 1.5 - Revised November 1, 1993 - - [13] R. Rivest, MIT Laboratory for Computer Science and RSA Data - Security, Inc. A Description of the RC2(r) Encryption Algorithm - March 1998. - Request for Comments 2268. - - [14] M. Wahl, S. Kille, T. Howes. Lightweight Directory Access - Protocol (v3): UTF-8 String Representation of Distinguished Names. - Request for Comments 2253. - - [15] R. Housley, W. Ford, W. Polk, D. Solo. Internet X.509 Public - Key Infrastructure, Certificate and CRL Profile, January 1999. - Request for Comments 2459. - - [16] B. Kaliski, J. Staddon. PKCS #1: RSA Cryptography - Specifications, October 1998. Request for Comments 2437. - - [17] S. Dusse, P. Hoffman, B. Ramsdell, J. Weinstein. S/MIME - Version 2 Certificate Handling, March 1998. 
Request for - Comments 2312. - - [18] M. Wahl, T. Howes, S. Kille. Lightweight Directory Access - Protocol (v3), December 1997. Request for Comments 2251. - - [19] ITU-T (formerly CCITT) Information Processing Systems - Open - Systems Interconnection - Specification of Abstract Syntax Notation - One (ASN.1) Rec. X.680 ISO/IEC 8824-1 - -8. Acknowledgements - - Some of the ideas on which this proposal is based arose during - discussions over several years between members of the SAAG, the IETF - CAT working group, and the PSRG, regarding integration of Kerberos - and SPX. Some ideas have also been drawn from the DASS system. - These changes are by no means endorsed by these groups. This is an - attempt to revive some of the goals of those groups, and this - proposal approaches those goals primarily from the Kerberos - perspective. Lastly, comments from groups working on similar ideas - in DCE have been invaluable. - -9. Expiration Date - - This draft expires September 15, 2000. - -10. Authors - - Brian Tung - Clifford Neuman - USC Information Sciences Institute - 4676 Admiralty Way Suite 1001 - Marina del Rey CA 90292-6695 - Phone: +1 310 822 1511 - E-mail: {brian, bcn}@isi.edu - - Matthew Hur - CyberSafe Corporation - 1605 NW Sammamish Road - Issaquah WA 98027-5378 - Phone: +1 425 391 6000 - E-mail: matt.hur@cybersafe.com - - Ari Medvinsky - Keen.com, Inc. - 150 Independence Drive - Menlo Park CA 94025 - Phone: +1 650 289 3134 - E-mail: ari@keen.com - - Sasha Medvinsky - Motorola - 6450 Sequence Drive - San Diego, CA 92121 - Phone +1 619 404 2825 - E-mail: smedvinsky@gi.com - - John Wray - Iris Associates, Inc. - 5 Technology Park Dr. - Westford, MA 01886 - E-mail: John_Wray@iris.com - - Jonathan Trostle - 170 W. Tasman Dr. - San Jose, CA 95134 - E-mail: jtrostle@cisco.com 
diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-pk-init-12.txt b/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-pk-init-12.txt
deleted file mode 100644
index b1e596836e..0000000000
--- a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-pk-init-12.txt
+++ /dev/null
@@ -1,1080 +0,0 @@ -INTERNET-DRAFT Brian Tung -draft-ietf-cat-kerberos-pk-init-12.txt Clifford Neuman -Updates: RFC 1510 USC/ISI -expires January 15, 2001 Matthew Hur - CyberSafe Corporation - Ari Medvinsky - Keen.com, Inc. - Sasha Medvinsky - Motorola - John Wray - Iris Associates, Inc. - Jonathan Trostle - Cisco - - Public Key Cryptography for Initial Authentication in Kerberos - -0. Status Of This Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC 2026. Internet-Drafts are - working documents of the Internet Engineering Task Force (IETF), - its areas, and its working groups. Note that other groups may also - distribute working documents as Internet-Drafts. - - Internet-Drafts are draft documents valid for a maximum of six - months and may be updated, replaced, or obsoleted by other - documents at any time. It is inappropriate to use Internet-Drafts - as reference material or to cite them other than as "work in - progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - - To learn the current status of any Internet-Draft, please check - the "1id-abstracts.txt" listing contained in the Internet-Drafts - Shadow Directories on ftp.ietf.org (US East Coast), - nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or - munnari.oz.au (Pacific Rim). - - The distribution of this memo is unlimited. It is filed as - draft-ietf-cat-kerberos-pk-init-11.txt, and expires January 15, - 2001. Please send comments to the authors. - -1. Abstract - - This document defines extensions (PKINIT) to the Kerberos protocol - specification (RFC 1510 [1]) to provide a method for using public - key cryptography during initial authentication. 
The methods - defined specify the ways in which preauthentication data fields and - error data fields in Kerberos messages are to be used to transport - public key data. - -2. Introduction - - The popularity of public key cryptography has produced a desire for - its support in Kerberos [2]. The advantages provided by public key - cryptography include simplified key management (from the Kerberos - perspective) and the ability to leverage existing and developing - public key certification infrastructures. - - Public key cryptography can be integrated into Kerberos in a number - of ways. One is to associate a key pair with each realm, which can - then be used to facilitate cross-realm authentication; this is the - topic of another draft proposal. Another way is to allow users with - public key certificates to use them in initial authentication. This - is the concern of the current document. - - PKINIT utilizes ephemeral-ephemeral Diffie-Hellman keys in - combination with digital signature keys as the primary, required - mechanism. It also allows for the use of RSA keys and/or (static) - Diffie-Hellman certificates. Note in particular that PKINIT supports - the use of separate signature and encryption keys. - - PKINIT enables access to Kerberos-secured services based on initial - authentication utilizing public key cryptography. PKINIT utilizes - standard public key signature and encryption data formats within the - standard Kerberos messages. The basic mechanism is as follows: The - user sends an AS-REQ message to the KDC as before, except that if that - user is to use public key cryptography in the initial authentication - step, his certificate and a signature accompany the initial request - in the preauthentication fields. 
Upon receipt of this request, the - KDC verifies the certificate and issues a ticket granting ticket - (TGT) as before, except that the encPart from the AS-REP message - carrying the TGT is now encrypted utilizing either a Diffie-Hellman - derived key or the user's public key. This message is authenticated - utilizing the public key signature of the KDC. - - Note that PKINIT does not require the use of certificates. A KDC - may store the public key of a principal as part of that principal's - record. In this scenario, the KDC is the trusted party that vouches - for the principal (as in a standard, non-cross realm, Kerberos - environment). Thus, for any principal, the KDC may maintain a - secret key, a public key, or both. - - The PKINIT specification may also be used as a building block for - other specifications. PKCROSS [3] utilizes PKINIT for establishing - the inter-realm key and associated inter-realm policy to be applied - in issuing cross realm service tickets. As specified in [4], - anonymous Kerberos tickets can be issued by applying a NULL - signature in combination with Diffie-Hellman in the PKINIT exchange. - Additionally, the PKINIT specification may be used for direct peer - to peer authentication without contacting a central KDC. This - application of PKINIT is described in PKTAPP [5] and is based on - concepts introduced in [6, 7]. For direct client-to-server - authentication, the client uses PKINIT to authenticate to the end - server (instead of a central KDC), which then issues a ticket for - itself. This approach has an advantage over TLS [8] in that the - server does not need to save state (cache session keys). - Furthermore, an additional benefit is that Kerberos tickets can - facilitate delegation (see [9]). - -3. Proposed Extensions - - This section describes extensions to RFC 1510 for supporting the - use of public key cryptography in the initial request for a ticket - granting ticket (TGT). 
- - In summary, the following change to RFC 1510 is proposed: - - * Users may authenticate using either a public key pair or a - conventional (symmetric) key. If public key cryptography is - used, public key data is transported in preauthentication - data fields to help establish identity. The user presents - a public key certificate and obtains an ordinary TGT that may - be used for subsequent authentication, with such - authentication using only conventional cryptography. - - Section 3.1 provides definitions to help specify message formats. - Section 3.2 describes the extensions for the initial authentication - method. - -3.1. Definitions - - The extensions involve new preauthentication fields; we introduce - the following preauthentication types: - - PA-PK-AS-REQ 14 - PA-PK-AS-REP 15 - - The extensions also involve new error types; we introduce the - following types: - - KDC_ERR_CLIENT_NOT_TRUSTED 62 - KDC_ERR_KDC_NOT_TRUSTED 63 - KDC_ERR_INVALID_SIG 64 - KDC_ERR_KEY_TOO_WEAK 65 - KDC_ERR_CERTIFICATE_MISMATCH 66 - KDC_ERR_CANT_VERIFY_CERTIFICATE 70 - KDC_ERR_INVALID_CERTIFICATE 71 - KDC_ERR_REVOKED_CERTIFICATE 72 - KDC_ERR_REVOCATION_STATUS_UNKNOWN 73 - KDC_ERR_REVOCATION_STATUS_UNAVAILABLE 74 - KDC_ERR_CLIENT_NAME_MISMATCH 75 - KDC_ERR_KDC_NAME_MISMATCH 76 - - We utilize the following typed data for errors: - - TD-PKINIT-CMS-CERTIFICATES 101 - TD-KRB-PRINCIPAL 102 - TD-KRB-REALM 103 - TD-TRUSTED-CERTIFIERS 104 - TD-CERTIFICATE-INDEX 105 - - We utilize the following encryption types (which map directly to - OIDs): - - dsaWithSHA1-CmsOID 9 - md5WithRSAEncryption-CmsOID 10 - sha1WithRSAEncryption-CmsOID 11 - rc2CBC-EnvOID 12 - rsaEncryption-EnvOID (PKCS#1 v1.5) 13 - rsaES-OAEP-ENV-OID (PKCS#1 v2.0) 14 - des-ede3-cbc-Env-OID 15 - - These mappings are provided so that a client may send the - appropriate enctypes in the AS-REQ message in order to indicate - support for the corresponding OIDs (for performing PKINIT). 
- - In many cases, PKINIT requires the encoding of the X.500 name of a - certificate authority as a Realm. When such a name appears as - a realm it will be represented using the "other" form of the realm - name as specified in the naming constraints section of RFC1510. - For a realm derived from an X.500 name, NAMETYPE will have the value - X500-RFC2253. The full realm name will appear as follows: - - + ":" + - - where nametype is "X500-RFC2253" and string is the result of doing - an RFC2253 encoding of the distinguished name, i.e. - - "X500-RFC2253:" + RFC2253Encode(DistinguishedName) - - where DistinguishedName is an X.500 name, and RFC2253Encode is a - function returing a readable UTF encoding of an X.500 name, as - defined by RFC 2253 [14] (part of LDAPv3 [18]). - - To ensure that this encoding is unique, we add the following rule - to those specified by RFC 2253: - - The order in which the attributes appear in the RFC 2253 - encoding must be the reverse of the order in the ASN.1 - encoding of the X.500 name that appears in the public key - certificate. The order of the relative distinguished names - (RDNs), as well as the order of the AttributeTypeAndValues - within each RDN, will be reversed. (This is despite the fact - that an RDN is defined as a SET of AttributeTypeAndValues, where - an order is normally not important.) - - Similarly, in cases where the KDC does not provide a specific - policy based mapping from the X.500 name or X.509 Version 3 - SubjectAltName extension in the user's certificate to a Kerberos - principal name, PKINIT requires the direct encoding of the X.500 - name as a PrincipalName. In this case, the name-type of the - principal name shall be set to KRB_NT-X500-PRINCIPAL. This new - name type is defined in RFC 1510 as: - - KRB_NT_X500_PRINCIPAL 6 - - The name-string shall be set as follows: - - RFC2253Encode(DistinguishedName) - - as described above. 
When this name type is used, the principal's - realm shall be set to the certificate authority's distinguished - name using the X500-RFC2253 realm name format described earlier in - this section - - RFC 1510 specifies the ASN.1 structure for PrincipalName as follows: - - PrincipalName ::= SEQUENCE { - name-type[0] INTEGER, - name-string[1] SEQUENCE OF GeneralString - } - - For the purposes of encoding an X.500 name as a Kerberos name for - use in Kerberos structures, the name-string shall be encoded as a - single GeneralString. The name-type should be KRB_NT_X500_PRINCIPAL, - as noted above. All Kerberos names must conform to validity - requirements as given in RFC 1510. Note that name mapping may be - required or optional, based on policy. - - We also define the following similar ASN.1 structure: - - CertPrincipalName ::= SEQUENCE { - name-type[0] INTEGER, - name-string[1] SEQUENCE OF UTF8String - } - - When a Kerberos PrincipalName is to be placed within an X.509 data - structure, the CertPrincipalName structure is to be used, with the - name-string encoded as a single UTF8String. The name-type should be - as identified in the original PrincipalName structure. The mapping - between the GeneralString and UTF8String formats can be found in - [19]. - - The following rules relate to the the matching of PrincipalNames (or - corresponding CertPrincipalNames) with regard to the PKI name - constraints for CAs as laid out in RFC 2459 [15]. In order to be - regarded as a match (for permitted and excluded name trees), the - following must be satisfied. - - 1. If the constraint is given as a user plus realm name, or - as a user plus instance plus realm name (as specified in - RFC 1510), the realm name must be valid (see 2.a-d below) - and the match must be exact, byte for byte. - - 2. If the constraint is given only as a realm name, matching - depends on the type of the realm: - - a. 
If the realm contains a colon (':') before any equal - sign ('='), it is treated as a realm of type Other, - and must match exactly, byte for byte. - - b. Otherwise, if the realm contains an equal sign, it - is treated as an X.500 name. In order to match, every - component in the constraint MUST be in the principal - name, and have the same value. For example, 'C=US' - matches 'C=US/O=ISI' but not 'C=UK'. - - c. Otherwise, if the realm name conforms to rules regarding - the format of DNS names, it is considered a realm name of - type Domain. The constraint may be given as a realm - name 'FOO.BAR', which matches any PrincipalName within - the realm 'FOO.BAR' but not those in subrealms such as - 'CAR.FOO.BAR'. A constraint of the form '.FOO.BAR' - matches PrincipalNames in subrealms of the form - 'CAR.FOO.BAR' but not the realm 'FOO.BAR' itself. - - d. Otherwise, the realm name is invalid and does not match - under any conditions. - -3.1.1. Encryption and Key Formats - - In the exposition below, we use the terms public key and private - key generically. It should be understood that the term "public - key" may be used to refer to either a public encryption key or a - signature verification key, and that the term "private key" may be - used to refer to either a private decryption key or a signature - generation key. The fact that these are logically distinct does - not preclude the assignment of bitwise identical keys for RSA - keys. - - In the case of Diffie-Hellman, the key shall be produced from the - agreed bit string as follows: - - * Truncate the bit string to the appropriate length. - * Rectify parity in each byte (if necessary) to obtain the key. - - For instance, in the case of a DES key, we take the first eight - bytes of the bit stream, and then adjust the least significant bit - of each byte to ensure that each byte has odd parity. - -3.1.2. Algorithm Identifiers - - PKINIT does not define, but does permit, the algorithm identifiers - listed below. 
- -3.1.2.1. Signature Algorithm Identifiers - - The following signature algorithm identifiers specified in [11] and - in [15] shall be used with PKINIT: - - id-dsa-with-sha1 (DSA with SHA1) - md5WithRSAEncryption (RSA with MD5) - sha-1WithRSAEncryption (RSA with SHA1) - -3.1.2.2 Diffie-Hellman Key Agreement Algorithm Identifier - - The following algorithm identifier shall be used within the - SubjectPublicKeyInfo data structure: dhpublicnumber - - This identifier and the associated algorithm parameters are - specified in RFC 2459 [15]. - -3.1.2.3. Algorithm Identifiers for RSA Encryption - - These algorithm identifiers are used inside the EnvelopedData data - structure, for encrypting the temporary key with a public key: - - rsaEncryption (RSA encryption, PKCS#1 v1.5) - id-RSAES-OAEP (RSA encryption, PKCS#1 v2.0) - - Both of the above RSA encryption schemes are specified in [16]. - Currently, only PKCS#1 v1.5 is specified by CMS [11], although the - CMS specification says that it will likely include PKCS#1 v2.0 in - the future. (PKCS#1 v2.0 addresses adaptive chosen ciphertext - vulnerability discovered in PKCS#1 v1.5.) - -3.1.2.4. Algorithm Identifiers for Encryption with Secret Keys - - These algorithm identifiers are used inside the EnvelopedData data - structure in the PKINIT Reply, for encrypting the reply key with the - temporary key: - des-ede3-cbc (3-key 3-DES, CBC mode) - rc2-cbc (RC2, CBC mode) - - The full definition of the above algorithm identifiers and their - corresponding parameters (an IV for block chaining) is provided in - the CMS specification [11]. - -3.2. Public Key Authentication - - Implementation of the changes in this section is REQUIRED for - compliance with PKINIT. - -3.2.1. Client Request - - Public keys may be signed by some certification authority (CA), or - they may be maintained by the KDC in which case the KDC is the - trusted authority. Note that the latter mode does not require the - use of certificates. 
- - The initial authentication request is sent as per RFC 1510, except - that a preauthentication field containing data signed by the user's - private key accompanies the request: - - PA-PK-AS-REQ ::= SEQUENCE { - -- PA TYPE 14 - signedAuthPack [0] SignedData - -- Defined in CMS [11]; - -- AuthPack (below) defines the - -- data that is signed. - trustedCertifiers [1] SEQUENCE OF TrustedCas OPTIONAL, - -- This is a list of CAs that the - -- client trusts and that certify - -- KDCs. - kdcCert [2] IssuerAndSerialNumber OPTIONAL - -- As defined in CMS [11]; - -- specifies a particular KDC - -- certificate if the client - -- already has it. - encryptionCert [3] IssuerAndSerialNumber OPTIONAL - -- For example, this may be the - -- client's Diffie-Hellman - -- certificate, or it may be the - -- client's RSA encryption - -- certificate. - } - - TrustedCas ::= CHOICE { - principalName [0] KerberosName, - -- as defined below - caName [1] Name - -- fully qualified X.500 name - -- as defined by X.509 - issuerAndSerial [2] IssuerAndSerialNumber - -- Since a CA may have a number of - -- certificates, only one of which - -- a client trusts - } - - Usage of SignedData: - - The SignedData data type is specified in the Cryptographic - Message Syntax, a product of the S/MIME working group of the - IETF. The following describes how to fill in the fields of - this data: - - 1. The encapContentInfo field must contain the PKAuthenticator - and, optionally, the client's Diffie Hellman public value. - - a. The eContentType field shall contain the OID value for - pkauthdata: iso (1) org (3) dod (6) internet (1) - security (5) kerberosv5 (2) pkinit (3) pkauthdata (1) - - b. The eContent field is data of the type AuthPack (below). - - 2. The signerInfos field contains the signature of AuthPack. - - 3. The Certificates field, when non-empty, contains the client's - certificate chain. 
If present, the KDC uses the public key - from the client's certificate to verify the signature in the - request. Note that the client may pass different certificate - chains that are used for signing or for encrypting. Thus, - the KDC may utilize a different client certificate for - signature verification than the one it uses to encrypt the - reply to the client. For example, the client may place a - Diffie-Hellman certificate in this field in order to convey - its static Diffie Hellman certificate to the KDC to enable - static-ephemeral Diffie-Hellman mode for the reply; in this - case, the client does NOT place its public value in the - AuthPack (defined below). As another example, the client may - place an RSA encryption certificate in this field. However, - there must always be (at least) a signature certificate. - - AuthPack ::= SEQUENCE { - pkAuthenticator [0] PKAuthenticator, - clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL - -- if client is using Diffie-Hellman - -- (ephemeral-ephemeral only) - } - - PKAuthenticator ::= SEQUENCE { - cusec [0] INTEGER, - -- for replay prevention as in RFC1510 - ctime [1] KerberosTime, - -- for replay prevention as in RFC1510 - nonce [2] INTEGER, - pachecksum [3] Checksum - -- Checksum over KDC-REQ-BODY - -- Defined by Kerberos spec - } - - SubjectPublicKeyInfo ::= SEQUENCE { - algorithm AlgorithmIdentifier, - -- dhKeyAgreement - subjectPublicKey BIT STRING - -- for DH, equals - -- public exponent (INTEGER encoded - -- as payload of BIT STRING) - } -- as specified by the X.509 recommendation [10] - - AlgorithmIdentifier ::= SEQUENCE { - algorithm OBJECT IDENTIFIER, - -- for dhKeyAgreement, this is - -- { iso (1) member-body (2) US (840) - -- rsadsi (113459) pkcs (1) 3 1 } - -- from PKCS #3 [20] - parameters ANY DEFINED by algorithm OPTIONAL - -- for dhKeyAgreement, this is - -- DHParameter - } -- as specified by the X.509 recommendation [10] - - DHParameter ::= SEQUENCE { - prime INTEGER, - -- p - base INTEGER, - -- g - 
privateValueLength INTEGER OPTIONAL - -- l - } -- as defined in PKCS #3 [20] - - If the client passes an issuer and serial number in the request, - the KDC is requested to use the referred-to certificate. If none - exists, then the KDC returns an error of type - KDC_ERR_CERTIFICATE_MISMATCH. It also returns this error if, on the - other hand, the client does not pass any trustedCertifiers, - believing that it has the KDC's certificate, but the KDC has more - than one certificate. The KDC should include information in the - KRB-ERROR message that indicates the KDC certificate(s) that a - client may utilize. This data is specified in the e-data, which - is defined in RFC 1510 revisions as a SEQUENCE of TypedData: - - TypedData ::= SEQUENCE { - data-type [0] INTEGER, - data-value [1] OCTET STRING, - } -- per Kerberos RFC 1510 revisions - - where: - data-type = TD-PKINIT-CMS-CERTIFICATES = 101 - data-value = CertificateSet // as specified by CMS [11] - - The PKAuthenticator carries information to foil replay attacks, to - bind the pre-authentication data to the KDC-REQ-BODY, and to bind the - request and response. The PKAuthenticator is signed with the client's - signature key. - -3.2.2. KDC Response - - Upon receipt of the AS_REQ with PA-PK-AS-REQ pre-authentication - type, the KDC attempts to verify the user's certificate chain - (userCert), if one is provided in the request. This is done by - verifying the certification path against the KDC's policy of - legitimate certifiers. This may be based on a certification - hierarchy, or it may be simply a list of recognized certifiers in a - system like PGP. - - If the client's certificate chain contains no certificate signed by - a CA trusted by the KDC, then the KDC sends back an error message - of type KDC_ERR_CANT_VERIFY_CERTIFICATE. 
The accompanying e-data - is a SEQUENCE of one TypedData (with type TD-TRUSTED-CERTIFIERS=104) - whose data-value is an OCTET STRING which is the DER encoding of - - TrustedCertifiers ::= SEQUENCE OF PrincipalName - -- X.500 name encoded as a principal name - -- see Section 3.1 - - If while verifying a certificate chain the KDC determines that the - signature on one of the certificates in the CertificateSet from - the signedAuthPack fails verification, then the KDC returns an - error of type KDC_ERR_INVALID_CERTIFICATE. The accompanying - e-data is a SEQUENCE of one TypedData (with type - TD-CERTIFICATE-INDEX=105) whose data-value is an OCTET STRING - which is the DER encoding of the index into the CertificateSet - ordered as sent by the client. - - CertificateIndex ::= INTEGER - -- 0 = 1st certificate, - -- (in order of encoding) - -- 1 = 2nd certificate, etc - - The KDC may also check whether any of the certificates in the - client's chain has been revoked. If one of the certificates has - been revoked, then the KDC returns an error of type - KDC_ERR_REVOKED_CERTIFICATE; if such a query reveals that - the certificate's revocation status is unknown or not - available, then if required by policy, the KDC returns the - appropriate error of type KDC_ERR_REVOCATION_STATUS_UNKNOWN or - KDC_ERR_REVOCATION_STATUS_UNAVAILABLE. In any of these three - cases, the affected certificate is identified by the accompanying - e-data, which contains a CertificateIndex as described for - KDC_ERR_INVALID_CERTIFICATE. - - If the certificate chain can be verified, but the name of the - client in the certificate does not match the client's name in the - request, then the KDC returns an error of type - KDC_ERR_CLIENT_NAME_MISMATCH. There is no accompanying e-data - field in this case. 
- - Finally, if the certificate chain is verified, but the KDC's name - or realm as given in the PKAuthenticator does not match the KDC's - actual principal name, then the KDC returns an error of type - KDC_ERR_KDC_NAME_MISMATCH. The accompanying e-data field is again - a SEQUENCE of one TypedData (with type TD-KRB-PRINCIPAL=102 or - TD-KRB-REALM=103 as appropriate) whose data-value is an OCTET - STRING whose data-value is the DER encoding of a PrincipalName or - Realm as defined in RFC 1510 revisions. - - Even if all succeeds, the KDC may--for policy reasons--decide not - to trust the client. In this case, the KDC returns an error message - of type KDC_ERR_CLIENT_NOT_TRUSTED. One specific case of this is - the presence or absence of an Enhanced Key Usage (EKU) OID within - the certificate extensions. The rules regarding acceptability of - an EKU sequence (or the absence of any sequence) are a matter of - local policy. For the benefit of implementers, we define a PKINIT - EKU OID as the following: iso (1) org (3) dod (6) internet (1) - security (5) kerberosv5 (2) pkinit (3) pkekuoid (2). - - If a trust relationship exists, the KDC then verifies the client's - signature on AuthPack. If that fails, the KDC returns an error - message of type KDC_ERR_INVALID_SIG. Otherwise, the KDC uses the - timestamp (ctime and cusec) in the PKAuthenticator to assure that - the request is not a replay. The KDC also verifies that its name - is specified in the PKAuthenticator. - - If the clientPublicValue field is filled in, indicating that the - client wishes to use Diffie-Hellman key agreement, then the KDC - checks to see that the parameters satisfy its policy. If they do - not (e.g., the prime size is insufficient for the expected - encryption type), then the KDC sends back an error message of type - KDC_ERR_KEY_TOO_WEAK. Otherwise, it generates its own public and - private values for the response. 
- - The KDC also checks that the timestamp in the PKAuthenticator is - within the allowable window and that the principal name and realm - are correct. If the local (server) time and the client time in the - authenticator differ by more than the allowable clock skew, then the - KDC returns an error message of type KRB_AP_ERR_SKEW as defined in 1510. - - Assuming no errors, the KDC replies as per RFC 1510, except as - follows. The user's name in the ticket is determined by the - following decision algorithm: - - 1. If the KDC has a mapping from the name in the certificate - to a Kerberos name, then use that name. - Else - 2. If the certificate contains the SubjectAltName extention - and the local KDC policy defines a mapping from the - SubjectAltName to a Kerberos name, then use that name. - Else - 3. Use the name as represented in the certificate, mapping - mapping as necessary (e.g., as per RFC 2253 for X.500 - names). In this case the realm in the ticket shall be the - name of the certifier that issued the user's certificate. - - Note that a principal name may be carried in the subject alt name - field of a certificate. This name may be mapped to a principal - record in a security database based on local policy, for example - the subject alt name may be kerberos/principal@realm format. In - this case the realm name is not that of the CA but that of the - local realm doing the mapping (or some realm name chosen by that - realm). - - If a non-KDC X.509 certificate contains the principal name within - the subjectAltName version 3 extension , that name may utilize - KerberosName as defined below, or, in the case of an S/MIME - certificate [17], may utilize the email address. If the KDC - is presented with an S/MIME certificate, then the email address - within subjectAltName will be interpreted as a principal and realm - separated by the "@" sign, or as a name that needs to be - canonicalized. 
If the resulting name does not correspond to a - registered principal name, then the principal name is formed as - defined in section 3.1. - - The trustedCertifiers field contains a list of certification - authorities trusted by the client, in the case that the client does - not possess the KDC's public key certificate. If the KDC has no - certificate signed by any of the trustedCertifiers, then it returns - an error of type KDC_ERR_KDC_NOT_TRUSTED. - - KDCs should try to (in order of preference): - 1. Use the KDC certificate identified by the serialNumber included - in the client's request. - 2. Use a certificate issued to the KDC by the client's CA (if in the - middle of a CA key roll-over, use the KDC cert issued under same - CA key as user cert used to verify request). - 3. Use a certificate issued to the KDC by one of the client's - trustedCertifier(s); - If the KDC is unable to comply with any of these options, then the - KDC returns an error message of type KDC_ERR_KDC_NOT_TRUSTED to the - client. - - The KDC encrypts the reply not with the user's long-term key, but - with the Diffie Hellman derived key or a random key generated - for this particular response which is carried in the padata field of - the TGS-REP message. - - PA-PK-AS-REP ::= CHOICE { - -- PA TYPE 15 - dhSignedData [0] SignedData, - -- Defined in CMS and used only with - -- Diffie-Hellman key exchange (if the - -- client public value was present in the - -- request). - -- This choice MUST be supported - -- by compliant implementations. - encKeyPack [1] EnvelopedData, - -- Defined in CMS - -- The temporary key is encrypted - -- using the client public key - -- key - -- SignedReplyKeyPack, encrypted - -- with the temporary key, is also - -- included. - } - - Usage of SignedData: - - When the Diffie-Hellman option is used, dhSignedData in - PA-PK-AS-REP provides authenticated Diffie-Hellman parameters - of the KDC. 
The reply key used to encrypt part of the KDC reply - message is derived from the Diffie-Hellman exchange: - - 1. Both the KDC and the client calculate a secret value - (g^ab mod p), where a is the client's private exponent and - b is the KDC's private exponent. - - 2. Both the KDC and the client take the first N bits of this - secret value and convert it into a reply key. N depends on - the reply key type. - - 3. If the reply key is DES, N=64 bits, where some of the bits - are replaced with parity bits, according to FIPS PUB 74. - - 4. If the reply key is (3-key) 3-DES, N=192 bits, where some - of the bits are replaced with parity bits, according to - FIPS PUB 74. - - 5. The encapContentInfo field must contain the KdcDHKeyInfo as - defined below. - - a. The eContentType field shall contain the OID value for - pkdhkeydata: iso (1) org (3) dod (6) internet (1) - security (5) kerberosv5 (2) pkinit (3) pkdhkeydata (2) - - b. The eContent field is data of the type KdcDHKeyInfo - (below). - - 6. The certificates field must contain the certificates - necessary for the client to establish trust in the KDC's - certificate based on the list of trusted certifiers sent by - the client in the PA-PK-AS-REQ. This field may be empty if - the client did not send to the KDC a list of trusted - certifiers (the trustedCertifiers field was empty, meaning - that the client already possesses the KDC's certificate). - - 7. The signerInfos field is a SET that must contain at least - one member, since it contains the actual signature. - - KdcDHKeyInfo ::= SEQUENCE { - -- used only when utilizing Diffie-Hellman - nonce [0] INTEGER, - -- binds responce to the request - subjectPublicKey [2] BIT STRING - -- Equals public exponent (g^a mod p) - -- INTEGER encoded as payload of - -- BIT STRING - } - - Usage of EnvelopedData: - - The EnvelopedData data type is specified in the Cryptographic - Message Syntax, a product of the S/MIME working group of the - IETF. 
It contains a temporary key encrypted with the PKINIT - client's public key. It also contains a signed and encrypted - reply key. - - 1. The originatorInfo field is not required, since that - information may be presented in the signedData structure - that is encrypted within the encryptedContentInfo field. - - 2. The optional unprotectedAttrs field is not required for - PKINIT. - - 3. The recipientInfos field is a SET which must contain exactly - one member of the KeyTransRecipientInfo type for encryption - with an RSA public key. - - a. The encryptedKey field (in KeyTransRecipientInfo) - contains the temporary key which is encrypted with the - PKINIT client's public key. - - 4. The encryptedContentInfo field contains the signed and - encrypted reply key. - - a. The contentType field shall contain the OID value for - id-signedData: iso (1) member-body (2) us (840) - rsadsi (113549) pkcs (1) pkcs7 (7) signedData (2) - - b. The encryptedContent field is encrypted data of the CMS - type signedData as specified below. - - i. The encapContentInfo field must contains the - ReplyKeyPack. - - * The eContentType field shall contain the OID value - for pkrkeydata: iso (1) org (3) dod (6) internet (1) - security (5) kerberosv5 (2) pkinit (3) pkrkeydata (3) - - * The eContent field is data of the type ReplyKeyPack - (below). - - ii. The certificates field must contain the certificates - necessary for the client to establish trust in the - KDC's certificate based on the list of trusted - certifiers sent by the client in the PA-PK-AS-REQ. - This field may be empty if the client did not send - to the KDC a list of trusted certifiers (the - trustedCertifiers field was empty, meaning that the - client already possesses the KDC's certificate). - - iii. The signerInfos field is a SET that must contain at - least one member, since it contains the actual - signature. 
- - ReplyKeyPack ::= SEQUENCE { - -- not used for Diffie-Hellman - replyKey [0] EncryptionKey, - -- used to encrypt main reply - -- ENCTYPE is at least as strong as - -- ENCTYPE of session key - nonce [1] INTEGER, - -- binds response to the request - -- must be same as the nonce - -- passed in the PKAuthenticator - } - - Since each certifier in the certification path of a user's - certificate is equivalent to a separate Kerberos realm, the name - of each certifier in the certificate chain must be added to the - transited field of the ticket. The format of these realm names is - defined in Section 3.1 of this document. If applicable, the - transit-policy-checked flag should be set in the issued ticket. - - The KDC's certificate(s) must bind the public key(s) of the KDC to - a name derivable from the name of the realm for that KDC. X.509 - certificates shall contain the principal name of the KDC - (defined in section 8.2 of RFC 1510) as the SubjectAltName version - 3 extension. Below is the definition of this version 3 extension, - as specified by the X.509 standard: - - subjectAltName EXTENSION ::= { - SYNTAX GeneralNames - IDENTIFIED BY id-ce-subjectAltName - } - - GeneralNames ::= SEQUENCE SIZE(1..MAX) OF GeneralName - - GeneralName ::= CHOICE { - otherName [0] OtherName, - ... 
- } - - OtherName ::= SEQUENCE { - type-id OBJECT IDENTIFIER, - value [0] EXPLICIT ANY DEFINED BY type-id - } - - For the purpose of specifying a Kerberos principal name, the value - in OtherName shall be a KerberosName as defined in RFC 1510, but with - the PrincipalName replaced by CertPrincipalName as mentioned in - Section 3.1: - - KerberosName ::= SEQUENCE { - realm [0] Realm, - principalName [1] CertPrincipalName -- defined above - } - - This specific syntax is identified within subjectAltName by setting - the type-id in OtherName to krb5PrincipalName, where (from the - Kerberos specification) we have - - krb5 OBJECT IDENTIFIER ::= { iso (1) - org (3) - dod (6) - internet (1) - security (5) - kerberosv5 (2) } - - krb5PrincipalName OBJECT IDENTIFIER ::= { krb5 2 } - - (This specification may also be used to specify a Kerberos name - within the user's certificate.) The KDC's certificate may be signed - directly by a CA, or there may be intermediaries if the server resides - within a large organization, or it may be unsigned if the client - indicates possession (and trust) of the KDC's certificate. - - The client then extracts the random key used to encrypt the main - reply. This random key (in encPaReply) is encrypted with either the - client's public key or with a key derived from the DH values - exchanged between the client and the KDC. The client uses this - random key to decrypt the main reply, and subsequently proceeds as - described in RFC 1510. - -3.2.3. Required Algorithms - - Not all of the algorithms in the PKINIT protocol specification have - to be implemented in order to comply with the proposed standard. 
- Below is a list of the required algorithms: - - * Diffie-Hellman public/private key pairs - * utilizing Diffie-Hellman ephemeral-ephemeral mode - * SHA1 digest and DSA for signatures - * SHA1 digest also for the Checksum in the PKAuthenticator - * 3-key triple DES keys derived from the Diffie-Hellman Exchange - * 3-key triple DES Temporary and Reply keys - -4. Logistics and Policy - - This section describes a way to define the policy on the use of - PKINIT for each principal and request. - - The KDC is not required to contain a database record for users - who use public key authentication. However, if these users are - registered with the KDC, it is recommended that the database record - for these users be modified to an additional flag in the attributes - field to indicate that the user should authenticate using PKINIT. - If this flag is set and a request message does not contain the - PKINIT preauthentication field, then the KDC sends back as error of - type KDC_ERR_PREAUTH_REQUIRED indicating that a preauthentication - field of type PA-PK-AS-REQ must be included in the request. - -5. Security Considerations - - PKINIT raises a few security considerations, which we will address - in this section. - - First of all, PKINIT introduces a new trust model, where KDCs do not - (necessarily) certify the identity of those for whom they issue - tickets. PKINIT does allow KDCs to act as their own CAs, in the - limited capacity of self-signing their certificates, but one of the - additional benefits is to align Kerberos authentication with a global - public key infrastructure. Anyone using PKINIT in this way must be - aware of how the certification infrastructure they are linking to - works. - - Secondly, PKINIT also introduces the possibility of interactions - between different cryptosystems, which may be of widely varying - strengths. Many systems, for instance, allow the use of 512-bit - public keys. 
Using such keys to wrap data encrypted under strong - conventional cryptosystems, such as triple-DES, is inappropriate; - it adds a weak link to a strong one at extra cost. Implementors - and administrators should take care to avoid such wasteful and - deceptive interactions. - - Lastly, PKINIT calls for randomly generated keys for conventional - cryptosystems. Many such systems contain systematically "weak" - keys. PKINIT implementations MUST avoid use of these keys, either - by discarding those keys when they are generated, or by fixing them - in some way (e.g., by XORing them with a given mask). These - precautions vary from system to system; it is not our intention to - give an explicit recipe for them here. - -6. Transport Issues - - Certificate chains can potentially grow quite large and span several - UDP packets; this in turn increases the probability that a Kerberos - message involving PKINIT extensions will be broken in transit. In - light of the possibility that the Kerberos specification will - require KDCs to accept requests using TCP as a transport mechanism, - we make the same recommendation with respect to the PKINIT - extensions as well. - -7. Bibliography - - [1] J. Kohl, C. Neuman. The Kerberos Network Authentication Service - (V5). Request for Comments 1510. - - [2] B.C. Neuman, Theodore Ts'o. Kerberos: An Authentication Service - for Computer Networks, IEEE Communications, 32(9):33-38. September - 1994. - - [3] B. Tung, T. Ryutov, C. Neuman, G. Tsudik, B. Sommerfeld, - A. Medvinsky, M. Hur. Public Key Cryptography for Cross-Realm - Authentication in Kerberos. draft-ietf-cat-kerberos-pk-cross-04.txt - - [4] A. Medvinsky, J. Cargille, M. Hur. Anonymous Credentials in - Kerberos. draft-ietf-cat-kerberos-anoncred-00.txt - - [5] Ari Medvinsky, M. Hur, Alexander Medvinsky, B. Clifford Neuman. - Public Key Utilizing Tickets for Application Servers (PKTAPP). - draft-ietf-cat-pktapp-02.txt - - [6] M. Sirbu, J. Chuang. 
Distributed Authentication in Kerberos - Using Public Key Cryptography. Symposium On Network and Distributed - System Security, 1997. - - [7] B. Cox, J.D. Tygar, M. Sirbu. NetBill Security and Transaction - Protocol. In Proceedings of the USENIX Workshop on Electronic - Commerce, July 1995. - - [8] T. Dierks, C. Allen. The TLS Protocol, Version 1.0 - Request for Comments 2246, January 1999. - - [9] B.C. Neuman, Proxy-Based Authorization and Accounting for - Distributed Systems. In Proceedings of the 13th International - Conference on Distributed Computing Systems, May 1993. - - [10] ITU-T (formerly CCITT) Information technology - Open Systems - Interconnection - The Directory: Authentication Framework - Recommendation X.509 ISO/IEC 9594-8 - - [11] R. Housley. Cryptographic Message Syntax. - draft-ietf-smime-cms-13.txt, April 1999, approved for publication - as RFC. - - [12] PKCS #7: Cryptographic Message Syntax Standard, - An RSA Laboratories Technical Note Version 1.5 - Revised November 1, 1993 - - [13] R. Rivest, MIT Laboratory for Computer Science and RSA Data - Security, Inc. A Description of the RC2(r) Encryption Algorithm - March 1998. - Request for Comments 2268. - - [14] M. Wahl, S. Kille, T. Howes. Lightweight Directory Access - Protocol (v3): UTF-8 String Representation of Distinguished Names. - Request for Comments 2253. - - [15] R. Housley, W. Ford, W. Polk, D. Solo. Internet X.509 Public - Key Infrastructure, Certificate and CRL Profile, January 1999. - Request for Comments 2459. - - [16] B. Kaliski, J. Staddon. PKCS #1: RSA Cryptography - Specifications, October 1998. Request for Comments 2437. - - [17] S. Dusse, P. Hoffman, B. Ramsdell, J. Weinstein. S/MIME - Version 2 Certificate Handling, March 1998. Request for - Comments 2312. - - [18] M. Wahl, T. Howes, S. Kille. Lightweight Directory Access - Protocol (v3), December 1997. Request for Comments 2251. 
- - [19] ITU-T (formerly CCITT) Information Processing Systems - Open - Systems Interconnection - Specification of Abstract Syntax Notation - One (ASN.1) Rec. X.680 ISO/IEC 8824-1 - - [20] PKCS #3: Diffie-Hellman Key-Agreement Standard, An RSA - Laboratories Technical Note, Version 1.4, Revised November 1, 1993. - -8. Acknowledgements - - Some of the ideas on which this proposal is based arose during - discussions over several years between members of the SAAG, the IETF - CAT working group, and the PSRG, regarding integration of Kerberos - and SPX. Some ideas have also been drawn from the DASS system. - These changes are by no means endorsed by these groups. This is an - attempt to revive some of the goals of those groups, and this - proposal approaches those goals primarily from the Kerberos - perspective. Lastly, comments from groups working on similar ideas - in DCE have been invaluable. - -9. Expiration Date - - This draft expires January 15, 2001. - -10. Authors - - Brian Tung - Clifford Neuman - USC Information Sciences Institute - 4676 Admiralty Way Suite 1001 - Marina del Rey CA 90292-6695 - Phone: +1 310 822 1511 - E-mail: {brian, bcn}@isi.edu - - Matthew Hur - CyberSafe Corporation - 1605 NW Sammamish Road - Issaquah WA 98027-5378 - Phone: +1 425 391 6000 - E-mail: matt.hur@cybersafe.com - - Ari Medvinsky - Keen.com, Inc. - 150 Independence Drive - Menlo Park CA 94025 - Phone: +1 650 289 3134 - E-mail: ari@keen.com - - Sasha Medvinsky - Motorola - 6450 Sequence Drive - San Diego, CA 92121 - +1 858 404 2367 - E-mail: smedvinsky@gi.com - - John Wray - Iris Associates, Inc. - 5 Technology Park Dr. - Westford, MA 01886 - E-mail: John_Wray@iris.com - - Jonathan Trostle - 170 W. Tasman Dr. - San Jose, CA 95134 - E-mail: jtrostle@cisco.com 
diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-pk-tapp-03.txt b/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-pk-tapp-03.txt
deleted file mode 100644
index 6581dd5810..0000000000
--- a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-pk-tapp-03.txt
+++ /dev/null
@@ -1,378 +0,0 @@ -INTERNET-DRAFT Ari Medvinsky -draft-ietf-cat-kerberos-pk-tapp-03.txt Keen.com, Inc. -Expires January 14, 2001 Matthew Hur -Informational CyberSafe Corporation - Sasha Medvinsky - Motorola - Clifford Neuman - USC/ISI - -Public Key Utilizing Tickets for Application Servers (PKTAPP) - - -0. Status Of this Memo - -This document is an Internet-Draft and is in full conformance with -all provisions of Section 10 of RFC 2026. Internet-Drafts are -working documents of the Internet Engineering Task Force (IETF), -its areas, and its working groups. Note that other groups may also -distribute working documents as Internet-Drafts. - -Internet-Drafts are draft documents valid for a maximum of six -months and may be updated, replaced, or obsoleted by other -documents at any time. It is inappropriate to use Internet-Drafts -as reference material or to cite them other than as "work in -progress." - -The list of current Internet-Drafts can be accessed at -http://www.ietf.org/ietf/1id-abstracts.txt - -The list of Internet-Draft Shadow Directories can be accessed at -http://www.ietf.org/shadow.html. - -To learn the current status of any Internet-Draft, please check -the "1id-abstracts.txt" listing contained in the Internet-Drafts -Shadow Directories on ftp.ietf.org (US East Coast), -nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or -munnari.oz.au (Pacific Rim). - -The distribution of this memo is unlimited. It is filed as -draft-ietf-cat-kerberos-pk-init-10.txt, and expires April 30, -2000. Please send comments to the authors. - -1. Abstract - -Public key based Kerberos for Distributed Authentication[1], (PKDA) -proposed by Sirbu & Chuang, describes PK based authentication that -eliminates the use of a centralized key distribution center while -retaining the advantages of Kerberos tickets. This draft describes how, -without any modification, the PKINIT specification[2] may be used to -implement the ideas introduced in PKDA. 
The benefit is that only a -single PK Kerberos extension is needed to address the goals of PKINIT & -PKDA. - - - -2. Introduction - -With the proliferation of public key cryptography, a number of public -key extensions to Kerberos have been proposed to provide -interoperability with the PK infrastructure and to improve the Kerberos -authentication system [4]. Among these are PKINIT[2] (under development -in the CAT working group) and more recently PKDA [1] proposed by Sirbu & -Chuang of CMU. One of the principal goals of PKINIT is to provide for -interoperability between a PK infrastructure and Kerberos. Using -PKINIT, a user can authenticate to the KDC via a public key certificate. -A ticket granting ticket (TGT), returned by the KDC, enables a PK user -to obtain tickets and authenticate to kerberized services. The PKDA -proposal goes a step further. It supports direct client to server -authentication, eliminating the need for an online key distribution -center. In this draft, we describe how, without any modification, the -PKINIT protocol may be applied to achieve the goals of PKDA. For direct -client to server authentication, the client will use PKINIT to -authenticate to the end server (instead of a central KDC), which then, -will issue a ticket for itself. The benefit of this proposal, is that a -single PK extension to Kerberos can addresses the goals of PKINIT and -PKDA. - - -3. PKDA background - -The PKDA proposal provides direct client to server authentication, thus -eliminating the need for an online key distribution center. A client -and server take part in an initial PK based authentication exchange, -with an added caveat that the server acts as a Kerberos ticket granting -service and issues a traditional Kerberos ticket for itself. In -subsequent communication, the client makes use of the Kerberos ticket, -thus eliminating the need for public key operations on the server. 
This -approach has an advantage over SSL in that the server does not need to -save state (cache session keys). Furthermore, an additional benefit, is -that Kerberos tickets can facilitate delegation (see Neuman[3]). - -Below is a brief overview of the PKDA protocol. For a more detailed -description see [1]. - -SCERT_REQ: Client to Server -The client requests a certificate from the server. If the serverÆs -certificate is cached locally, SCERT_REQ and SCERT_REP are omitted. - -SCERT_REP: Server to Client -The server returns its certificate to the client. - -PKTGS_REQ: Client to Server -The client sends a request for a service ticket to the server. To -authenticate the request, the client signs, among other fields, a time -stamp and a newly generated symmetric key . The time stamp is used to -foil replay attacks; the symmetric key is used by the server to secure -the PKTGS_REP message. -The client provides a certificate in the request (the certificate -enables the server to verify the validity of the clientÆs signature) and -seals it along with the signed information using the serverÆs public -key. - - -PKTGS_REP: Server to Client -The server returns a service ticket (which it issued for itself) along -with the session key for the ticket. The session key is protected by -the client-generated key from the PKTGS_REQ message. - -AP_REQ: Client to Server -After the above exchange, the client can proceed in a normal fashion, -using the conventional Kerberos ticket in an AP_REQ message. - - -4. PKINIT background - -One of the principal goals of PKINIT is to provide for interoperability -between a public key infrastructure and Kerberos. Using a public key -certificate, a client can authenticate to the KDC and receive a TGT -which enables the client to obtain service tickets to kerberized -services.. In PKINIT, the AS-REQ and AS-REP messages remain the same; -new preauthentication data types are used to conduct the PK exchange. 
-Client and server certificates are exchanged via the preauthentication -data. Thus, the exchange of certificates , PK authentication, and -delivery of a TGT can occur in two messages. - -Below is a brief overview of the PKINIT protocol. For a more detailed -description see [2]. - -PreAuthentication data of AS-REQ: Client to Server -The client sends a list of trusted certifiers, a signed PK -authenticator, and its certificate. The PK authenticator, based on the -Kerberos authenticator, contains the name of the KDC, a timestamp, and a -nonce. - -PreAuthentication data of AS-REP: Server to Client -The server responds with its certificate and the key used for decrypting -the encrypted part of the AS-REQ. This key is encrypted with the -clientÆs public key. - -AP_REQ: Client to Server -After the above exchange, the client can proceed in a normal fashion, -using the conventional Kerberos ticket in an AP_REQ message. - - -5. Application of PKINIT to achieve equivalence to PKDA - -While PKINIT is normally used to retrieve a ticket granting ticket -(TGT), it may also be used to request an end service ticket. When used -in this fashion, PKINIT is functionally equivalent to PKDA. We -introduce the concept of a local ticket granting server (LTGS) to -illustrate how PKINIT may be used for issuing end service tickets based -on public key authentication. It is important to note that the LTGS may -be built into an application server, or it may be a stand-alone server -used for issuing tickets within a well-defined realm, such as a single -machine. We will discuss both of these options. - - -5.1. The LTGS - -The LTGS processes the Kerberos AS-REQ and AS-REP messages with PKINIT -preauthentication data. When a client submits an AS-REQ to the LTGS, it -specifies an application server, in order to receive an end service -ticket instead of a TGT. - - -5.1.1. 
The LTGS as a standalone server - -The LTGS may run as a separate process that serves applications which -reside on the same machine. This serves to consolidate administrative -functions and provide an easier migration path for a heterogeneous -environment consisting of both public key and Kerberos. The LTGS would -use one well-known port (port #88 - same as the KDC) for all message -traffic and would share a symmetric with each service. After the client -receives a service ticket, it then contacts the application server -directly. This approach is similar to the one suggested by Sirbu , et -al [1]. - -5.1.1.1. Ticket Policy for PKTAPP Clients - -It is desirable for the LTGS to have access to a PKTAPP client ticket -policy. This policy will contain information for each client, such as -the maximum lifetime of a ticket, whether or not a ticket can be -forwardable, etc. PKTAPP clients, however, use the PKINIT protocol for -authentication and are not required to be registered as Kerberos -principals. - -As one possible solution, each public key Certification Authority could -be registered in a secure database, along with the ticket policy -information for all PKTAPP clients that are certified by this -Certification Authority. - -5.1.1.2. LTGS as a Kerberos Principal - -Since the LTGS serves only PKTAPP clients and returns only end service -tickets for other services, it does not require a Kerberos service key -or a Kerberos principal identity. It is therefore not necessary for the -LTGS to even be registered as a Kerberos principal. - -The LTGS still requires public key credentials for the PKINIT exchange, -and it may be desired to have some global restrictions on the Kerberos -tickets that it can issue. It is recommended (but not required) that -this information be associated with a Kerberos principal entry for the -LTGS. - - -5.1.1.3. 
Kerberos Principal Database - -Since the LTGS issues tickets for Kerberos services, it will require -access to a Kerberos principal database containing entries for at least -the end services. Each entry must contain a service key and may also -contain restrictions on the service tickets that are issued to clients. -It is recommended that (for ease of administration) this principal -database be centrally administered and distributed (replicated) to all -hosts where an LTGS may be running. - -In the case that there are other clients that do not support PKINIT -protocol, but still need access to the same Kerberos services, this -principal database will also require entries for Kerberos clients and -for the TGS entries. - -5.1.2. The LTGS as part of an application server - -The LTGS may be combined with an application server. This accomplishes -direct client to application server authentication; however, it requires -that applications be modified to process AS-REQ and AS-REP messages. -The LTGS would communicate over the port assigned to the application -server or over the well known Kerberos port for that particular -application. - -5.1.2.2. Ticket Policy for PKTAPP Clients - -Application servers normally do not have access to a distributed -principal database. Therefore, they will have to find another means of -keeping track of the ticket policy information for PKTAPP clients. It is -recommended that this ticket policy be kept in a directory service (such -as LDAP). - -It is critical, however, that both read and write access to this ticket -policy is restricted with strong authentication and encryption to only -the correct application server. An unauthorized party should not have -the authority to modify the ticket policy. Disclosing the ticket policy -to a 3rd party may aid an adversary in determining the best way to -compromise the network. - -It is just as critical for the application server to authenticate the -directory service. 
Otherwise an adversary could use a man-in-the-middle -attack to substitute a false ticket policy with a false directory -service. - -5.1.2.3. LTGS Credentials - -Each LTGS (combined with an application service) will require public key -credentials in order to use the PKINIT protocol. These credentials can -be stored in a single file that is both encrypted with a password- -derived symmetric key and also secured by an operating system. This -symmetric key may be stashed somewhere on the machine for convenience, -although such practice potentially weakens the overall system security -and is strongly discouraged. - -For added security, it is recommended that the LTGS private keys are -stored inside a temper-resistant hardware module that requires a pin -code for access. - - -5.1.2.4. Compatibility With Standard Kerberos - -Even though an application server is combined with the LTGS, for -backward compatibility it should still accept service tickets that have -been issued by the KDC. This will allow Kerberos clients that do not -support PKTAPP to authenticate to the same application server (with the -help of a KDC). - -5.1.3. Cross-Realm Authentication - -According to the PKINIT draft, the client's realm is the X.500 name of -the Certification Authority that issued the client certificate. A -Kerberos application service will be in a standard Kerberos realm, which -implies that the LTGS will need to issue cross-realm end service -tickets. This is the only case, where cross-realm end service tickets -are issued. In a standard Kerberos model, a client first acquires a -cross-realm TGT, and then gets an end service ticket from the KDC that -is in the same realm as the application service. - -6. Protocol differences between PKINIT and PKDA - -Both PKINIT and PKDA will accomplish the same goal of issuing end -service tickets, based on initial public key authentication. A PKINIT- -based implementation and a PKDA implementation would be functionally -equivalent. 
The primary differences are that 1)PKDA requires the client -to create the symmetric key while PKINIT requires the server to create -the key and 2)PKINIT accomplishes in two messages what PKDA accomplishes -in four messages. - -7. Summary - -The PKINIT protocol can be used, without modification to facilitate -client to server authentication without the use of a central KDC. The -approach described in this draft (and originally proposed in PKDA[1]) -is essentially a public key authentication protocol that retains the -advantages of Kerberos tickets. - -Given that PKINIT has progressed through the CAT working group of the -IETF, with plans for non-commercial distribution (via MITÆs v5 Kerberos) -as well as commercial support, it is worthwhile to provide PKDA -functionality, under the PKINIT umbrella. - -8. Security Considerations - -PKTAPP is based on the PKINIT protocol and all security considerations -already listed in [2] apply here. - -When the LTGS is implemented as part of each application server, the -secure storage of its public key credentials and of its ticket policy -are both a concern. The respective security considerations are already -covered in sections 5.1.2.3 and 5.1.2.2 of this document. - - -9. Bibliography - -[1] M. Sirbu, J. Chuang. Distributed Authentication in Kerberos Using -Public Key Cryptography. Symposium On Network and Distributed System -Security, 1997. - -[2] B. Tung, C. Neuman, M. Hur, A. Medvinsky, S. Medvinsky, J. Wray, -J. Trostle. Public Key Cryptography for Initial Authentication in -Kerberos. Internet Draft, October 1999. -(ftp://ietf.org/internet-drafts/draft-ietf-cat-kerberos-pk-init-10.txt) - -[3] C. Neuman, Proxy-Based Authorization and Accounting for -Distributed Systems. In Proceedings of the 13th International -Conference on Distributed Computing Systems, May 1993. - -[4] J. Kohl, C. Neuman. The Kerberos Network Authentication Service -(V5). Request for Comments 1510. - -10. 
Expiration Date
-
-This draft expires April 24, 2000.
-
-11. Authors
-
-Ari Medvinsky
-Keen.com, Inc.
-150 Independence Dr.
-Menlo Park, CA 94025
-Phone +1 650 289 3134
-E-mail: ari@keen.com
-
-Matthew Hur
-CyberSafe Corporation
-1605 NW Sammamish Road
-Issaquah, WA 98027-5378
-Phone: +1 425 391 6000
-E-mail: matt.hur@cybersafe.com
-
-Alexander Medvinsky
-Motorola
-6450 Sequence Dr.
-San Diego, CA 92121
-Phone: +1 858 404 2367
-E-mail: smedvinsky@gi.com
-
-Clifford Neuman
-USC Information Sciences Institute
-4676 Admiralty Way Suite 1001
-Marina del Rey CA 90292-6695
-Phone: +1 310 822 1511
-E-mail: bcn@isi.edu
diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-revisions-00.txt b/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-revisions-00.txt
deleted file mode 100644
index 2284c3c6b5..0000000000
--- a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-revisions-00.txt
+++ /dev/null
@@ -1,8277 +0,0 @@ - -INTERNET-DRAFT Clifford Neuman - John Kohl - Theodore Ts'o - 11 July 1997 - - - - The Kerberos Network Authentication Service (V5) - - -STATUS OF THIS MEMO - - This document is an Internet-Draft. Internet-Drafts -are working documents of the Internet Engineering Task Force -(IETF), its areas, and its working groups. Note that other -groups may also distribute working documents as Internet- -Drafts. - - Internet-Drafts are draft documents valid for a maximum -of six months and may be updated, replaced, or obsoleted by -other documents at any time. It is inappropriate to use -Internet-Drafts as reference material or to cite them other -than as "work in progress." - - To learn the current status of any Internet-Draft, -please check the "1id-abstracts.txt" listing contained in -the Internet-Drafts Shadow Directories on ds.internic.net -(US East Coast), nic.nordu.net (Europe), ftp.isi.edu (US -West Coast), or munnari.oz.au (Pacific Rim). - - The distribution of this memo is unlimited. It is -filed as draft-ietf-cat-kerberos-revisions-00.txt, and expires -11 January 1998. Please send comments to: - - krb-protocol@MIT.EDU - -ABSTRACT - - - This document provides an overview and specification of -Version 5 of the Kerberos protocol, and updates RFC1510 to -clarify aspects of the protocol and its intended use that -require more detailed or clearer explanation than was pro- -vided in RFC1510. This document is intended to provide a -detailed description of the protocol, suitable for implemen- -tation, together with descriptions of the appropriate use of -protocol messages and fields within those messages. - - This document is not intended to describe Kerberos to -__________________________ -Project Athena, Athena, and Kerberos are trademarks of -the Massachusetts Institute of Technology (MIT). No -commercial use of these trademarks may be made without -prior written permission of MIT. 
- - - -Overview - 1 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -the end user, system administrator, or application -developer. Higher level papers describing Version 5 of the -Kerberos system [1] and documenting version 4 [23], are -available elsewhere. - -OVERVIEW - - This INTERNET-DRAFT describes the concepts and model -upon which the Kerberos network authentication system is -based. It also specifies Version 5 of the Kerberos proto- -col. - - The motivations, goals, assumptions, and rationale -behind most design decisions are treated cursorily; they are -more fully described in a paper available in IEEE communica- -tions [1] and earlier in the Kerberos portion of the Athena -Technical Plan [2]. The protocols have been a proposed -standard and are being considered for advancement for draft -standard through the IETF standard process. Comments are -encouraged on the presentation, but only minor refinements -to the protocol as implemented or extensions that fit within -current protocol framework will be considered at this time. - - Requests for addition to an electronic mailing list for -discussion of Kerberos, kerberos@MIT.EDU, may be addressed -to kerberos-request@MIT.EDU. This mailing list is gatewayed -onto the Usenet as the group comp.protocols.kerberos. -Requests for further information, including documents and -code availability, may be sent to info-kerberos@MIT.EDU. - -BACKGROUND - - The Kerberos model is based in part on Needham and -Schroeder's trusted third-party authentication protocol [4] -and on modifications suggested by Denning and Sacco [5]. 
-The original design and implementation of Kerberos Versions -1 through 4 was the work of two former Project Athena staff -members, Steve Miller of Digital Equipment Corporation and -Clifford Neuman (now at the Information Sciences Institute -of the University of Southern California), along with Jerome -Saltzer, Technical Director of Project Athena, and Jeffrey -Schiller, MIT Campus Network Manager. Many other members of -Project Athena have also contributed to the work on Ker- -beros. - - Version 5 of the Kerberos protocol (described in this -document) has evolved from Version 4 based on new require- -ments and desires for features not available in Version 4. -The design of Version 5 of the Kerberos protocol was led by -Clifford Neuman and John Kohl with much input from the com- -munity. The development of the MIT reference implementation -was led at MIT by John Kohl and Theodore T'so, with help and -contributed code from many others. Reference implementa- -tions of both version 4 and version 5 of Kerberos are pub- -licly available and commercial implementations have been - -Overview - 2 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -developed and are widely used. - - Details on the differences between Kerberos Versions 4 -and 5 can be found in [6]. - -1. Introduction - - Kerberos provides a means of verifying the identities -of principals, (e.g. a workstation user or a network server) -on an open (unprotected) network. This is accomplished -without relying on assertions by the host operating system, -without basing trust on host addresses, without requiring -physical security of all the hosts on the network, and under -the assumption that packets traveling along the network can -be read, modified, and inserted at will[1]. Kerberos per- -forms authentication under these conditions as a trusted -third-party authentication service by using conventional -(shared secret key[2]) cryptography. 
Kerberos extensions -have been proposed and implemented that provide for the use -of public key cryptography during certain phases of the -authentication protocol. These extensions provide for -authentication of users registered with public key certifi- -cation authorities, and allow the system to provide certain -benefits of public key cryptography in situations where they -are needed. - - The basic Kerberos authentication process proceeds as -follows: A client sends a request to the authentication -server (AS) requesting "credentials" for a given server. -The AS responds with these credentials, encrypted in the -client's key. The credentials consist of 1) a "ticket" for -the server and 2) a temporary encryption key (often called a -"session key"). The client transmits the ticket (which con- -tains the client's identity and a copy of the session key, -all encrypted in the server's key) to the server. The ses- -sion key (now shared by the client and server) is used to -authenticate the client, and may optionally be used to -__________________________ -[1] Note, however, that many applications use Kerberos' -functions only upon the initiation of a stream-based -network connection. Unless an application subsequently -provides integrity protection for the data stream, the -identity verification applies only to the initiation of -the connection, and does not guarantee that subsequent -messages on the connection originate from the same -principal. -[2] Secret and private are often used interchangeably -in the literature. In our usage, it takes two (or -more) to share a secret, thus a shared DES key is a -secret key. Something is only private when no one but -its owner knows it. Thus, in public key cryptosystems, -one has a public and a private key. - - - -Section 1. - 3 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -authenticate the server. 
It may also be used to encrypt -further communication between the two parties or to exchange -a separate sub-session key to be used to encrypt further -communication. - - Implementation of the basic protocol consists of one or -more authentication servers running on physically secure -hosts. The authentication servers maintain a database of -principals (i.e., users and servers) and their secret keys. -Code libraries provide encryption and implement the Kerberos -protocol. In order to add authentication to its transac- -tions, a typical network application adds one or two calls -to the Kerberos library directly or through the Generic -Security Services Application Programming Interface, GSSAPI, -described in separate document. These calls result in the -transmission of the necessary messages to achieve authenti- -cation. - - The Kerberos protocol consists of several sub-protocols -(or exchanges). There are two basic methods by which a -client can ask a Kerberos server for credentials. In the -first approach, the client sends a cleartext request for a -ticket for the desired server to the AS. The reply is sent -encrypted in the client's secret key. Usually this request -is for a ticket-granting ticket (TGT) which can later be -used with the ticket-granting server (TGS). In the second -method, the client sends a request to the TGS. The client -uses the TGT to authenticate itself to the TGS in the same -manner as if it were contacting any other application server -that requires Kerberos authentication. The reply is -encrypted in the session key from the TGT. Though the pro- -tocol specification describes the AS and the TGS as separate -servers, they are implemented in practice as different pro- -tocol entry points within a single Kerberos server. - - Once obtained, credentials may be used to verify the -identity of the principals in a transaction, to ensure the -integrity of messages exchanged between them, or to preserve -privacy of the messages. 
The application is free to choose -whatever protection may be necessary. - - To verify the identities of the principals in a tran- -saction, the client transmits the ticket to the application -server. Since the ticket is sent "in the clear" (parts of -it are encrypted, but this encryption doesn't thwart replay) -and might be intercepted and reused by an attacker, addi- -tional information is sent to prove that the message ori- -ginated with the principal to whom the ticket was issued. -This information (called the authenticator) is encrypted in -the session key, and includes a timestamp. The timestamp -proves that the message was recently generated and is not a -replay. Encrypting the authenticator in the session key -proves that it was generated by a party possessing the ses- -sion key. Since no one except the requesting principal and - - -Section 1. - 4 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -the server know the session key (it is never sent over the -network in the clear) this guarantees the identity of the -client. - - The integrity of the messages exchanged between princi- -pals can also be guaranteed using the session key (passed in -the ticket and contained in the credentials). This approach -provides detection of both replay attacks and message stream -modification attacks. It is accomplished by generating and -transmitting a collision-proof checksum (elsewhere called a -hash or digest function) of the client's message, keyed with -the session key. Privacy and integrity of the messages -exchanged between principals can be secured by encrypting -the data to be passed using the session key contained in the -ticket or the subsession key found in the authenticator. - - The authentication exchanges mentioned above require -read-only access to the Kerberos database. Sometimes, how- -ever, the entries in the database must be modified, such as -when adding new principals or changing a principal's key. 
-This is done using a protocol between a client and a third -Kerberos server, the Kerberos Administration Server (KADM). -There is also a protocol for maintaining multiple copies of -the Kerberos database. Neither of these protocols are -described in this document. - -1.1. Cross-Realm Operation - - The Kerberos protocol is designed to operate across -organizational boundaries. A client in one organization can -be authenticated to a server in another. Each organization -wishing to run a Kerberos server establishes its own -"realm". The name of the realm in which a client is -registered is part of the client's name, and can be used by -the end-service to decide whether to honor a request. - - By establishing "inter-realm" keys, the administrators -of two realms can allow a client authenticated in the local -realm to prove its identity to servers in other realms[3]. -The exchange of inter-realm keys (a separate key may be used -for each direction) registers the ticket-granting service of -each realm as a principal in the other realm. A client is -then able to obtain a ticket-granting ticket for the remote -realm's ticket-granting service from its local realm. When -that ticket-granting ticket is used, the remote ticket- -granting service uses the inter-realm key (which usually -__________________________ -[3] Of course, with appropriate permission the client -could arrange registration of a separately-named prin- -cipal in a remote realm, and engage in normal exchanges -with that realm's services. However, for even small -numbers of clients this becomes cumbersome, and more -automatic methods as described here are necessary. - - -Section 1.1. - 5 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -differs from its own normal TGS key) to decrypt the ticket- -granting ticket, and is thus certain that it was issued by -the client's own TGS. 
Tickets issued by the remote ticket- -granting service will indicate to the end-service that the -client was authenticated from another realm. - - A realm is said to communicate with another realm if -the two realms share an inter-realm key, or if the local -realm shares an inter-realm key with an intermediate realm -that communicates with the remote realm. An authentication -path is the sequence of intermediate realms that are tran- -sited in communicating from one realm to another. - - Realms are typically organized hierarchically. Each -realm shares a key with its parent and a different key with -each child. If an inter-realm key is not directly shared by -two realms, the hierarchical organization allows an authen- -tication path to be easily constructed. If a hierarchical -organization is not used, it may be necessary to consult a -database in order to construct an authentication path -between realms. - - Although realms are typically hierarchical, intermedi- -ate realms may be bypassed to achieve cross-realm authenti- -cation through alternate authentication paths (these might -be established to make communication between two realms more -efficient). It is important for the end-service to know -which realms were transited when deciding how much faith to -place in the authentication process. To facilitate this -decision, a field in each ticket contains the names of the -realms that were involved in authenticating the client. - -1.2. Authorization - -As an authentication service, Kerberos provides a means of -verifying the identity of principals on a network. Authen- -tication is usually useful primarily as a first step in the -process of authorization, determining whether a client may -use a service, which objects the client is allowed to -access, and the type of access allowed for each. Kerberos -does not, by itself, provide authorization. 
Possession of a -client ticket for a service provides only for authentication -of the client to that service, and in the absence of a -separate authorization procedure, it should not be con- -sidered by an application as authorizing the use of that -service. - - Such separate authorization methods may be implemented -as application specific access control functions and may be -based on files such as the application server, or on -separately issued authorization credentials such as those -based on proxies [7] , or on other authorization services. - - Applications should not be modified to accept the -issuance of a service ticket by the Kerberos server (even by - -Section 1.2. - 6 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -an modified Kerberos server) as granting authority to use -the service, since such applications may become vulnerable -to the bypass of this authorization check in an environment -where they interoperate with other KDCs or where other -options for application authentication (e.g. the PKTAPP pro- -posal) are provided. - -1.3. Environmental assumptions - -Kerberos imposes a few assumptions on the environment in -which it can properly function: - -+ "Denial of service" attacks are not solved with Ker- - beros. There are places in these protocols where an - intruder can prevent an application from participating - in the proper authentication steps. Detection and - solution of such attacks (some of which can appear to - be not-uncommon "normal" failure modes for the system) - is usually best left to the human administrators and - users. - -+ Principals must keep their secret keys secret. If an - intruder somehow steals a principal's key, it will be - able to masquerade as that principal or impersonate any - server to the legitimate principal. - -+ "Password guessing" attacks are not solved by Kerberos. 
- If a user chooses a poor password, it is possible for - an attacker to successfully mount an offline dictionary - attack by repeatedly attempting to decrypt, with suc- - cessive entries from a dictionary, messages obtained - which are encrypted under a key derived from the user's - password. - -+ Each host on the network must have a clock which is - "loosely synchronized" to the time of the other hosts; - this synchronization is used to reduce the bookkeeping - needs of application servers when they do replay detec- - tion. The degree of "looseness" can be configured on a - per-server basis, but is typically on the order of 5 - minutes. If the clocks are synchronized over the net- - work, the clock synchronization protocol must itself be - secured from network attackers. - -+ Principal identifiers are not recycled on a short-term - basis. A typical mode of access control will use - access control lists (ACLs) to grant permissions to - particular principals. If a stale ACL entry remains - for a deleted principal and the principal identifier is - reused, the new principal will inherit rights specified - in the stale ACL entry. By not re-using principal - identifiers, the danger of inadvertent access is - removed. - - - -Section 1.3. - 7 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -1.4. Glossary of terms - -Below is a list of terms used throughout this document. - - -Authentication Verifying the claimed identity of a - principal. - - -Authentication headerA record containing a Ticket and an - Authenticator to be presented to a - server as part of the authentication - process. - - -Authentication path A sequence of intermediate realms tran- - sited in the authentication process when - communicating from one realm to another. - - -Authenticator A record containing information that can - be shown to have been recently generated - using the session key known only by the - client and server. 
- - -Authorization The process of determining whether a - client may use a service, which objects - the client is allowed to access, and the - type of access allowed for each. - - -Capability A token that grants the bearer permis- - sion to access an object or service. In - Kerberos, this might be a ticket whose - use is restricted by the contents of the - authorization data field, but which - lists no network addresses, together - with the session key necessary to use - the ticket. - - -Ciphertext The output of an encryption function. - Encryption transforms plaintext into - ciphertext. - - -Client A process that makes use of a network - service on behalf of a user. Note that - in some cases a Server may itself be a - client of some other server (e.g. a - print server may be a client of a file - server). - - - -Section 1.4. - 8 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -Credentials A ticket plus the secret session key - necessary to successfully use that - ticket in an authentication exchange. - - -KDC Key Distribution Center, a network ser- - vice that supplies tickets and temporary - session keys; or an instance of that - service or the host on which it runs. - The KDC services both initial ticket and - ticket-granting ticket requests. The - initial ticket portion is sometimes - referred to as the Authentication Server - (or service). The ticket-granting - ticket portion is sometimes referred to - as the ticket-granting server (or ser- - vice). - - -Kerberos Aside from the 3-headed dog guarding - Hades, the name given to Project - Athena's authentication service, the - protocol used by that service, or the - code used to implement the authentica- - tion service. - - -Plaintext The input to an encryption function or - the output of a decryption function. - Decryption transforms ciphertext into - plaintext. - - -Principal A uniquely named client or server - instance that participates in a network - communication. 
- - -Principal identifierThe name used to uniquely identify each - different principal. - - -Seal To encipher a record containing several - fields in such a way that the fields - cannot be individually replaced without - either knowledge of the encryption key - or leaving evidence of tampering. - - -Secret key An encryption key shared by a principal - and the KDC, distributed outside the - bounds of the system, with a long life- - time. In the case of a human user's - principal, the secret key is derived - - -Section 1.4. - 9 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - from a password. - - -Server A particular Principal which provides a - resource to network clients. The server - is sometimes refered to as the Applica- - tion Server. - - -Service A resource provided to network clients; - often provided by more than one server - (for example, remote file service). - - -Session key A temporary encryption key used between - two principals, with a lifetime limited - to the duration of a single login "ses- - sion". - - -Sub-session key A temporary encryption key used between - two principals, selected and exchanged - by the principals using the session key, - and with a lifetime limited to the dura- - tion of a single association. - - -Ticket A record that helps a client authenti- - cate itself to a server; it contains the - client's identity, a session key, a - timestamp, and other information, all - sealed using the server's secret key. - It only serves to authenticate a client - when presented along with a fresh - Authenticator. - -2. Ticket flag uses and requests - -Each Kerberos ticket contains a set of flags which are used -to indicate various attributes of that ticket. Most flags -may be requested by a client when the ticket is obtained; -some are automatically turned on and off by a Kerberos -server as required. The following sections explain what the -various flags mean, and gives examples of reasons to use -such a flag. 
- -2.1. Initial and pre-authenticated tickets - - The INITIAL flag indicates that a ticket was issued -using the AS protocol and not issued based on a ticket- -granting ticket. Application servers that want to require -the demonstrated knowledge of a client's secret key (e.g. a -password-changing program) can insist that this flag be set -in any tickets they accept, and thus be assured that the - - -Section 2.1. - 10 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -client's key was recently presented to the application -client. - - The PRE-AUTHENT and HW-AUTHENT flags provide addition -information about the initial authentication, regardless of -whether the current ticket was issued directly (in which -case INITIAL will also be set) or issued on the basis of a -ticket-granting ticket (in which case the INITIAL flag is -clear, but the PRE-AUTHENT and HW-AUTHENT flags are carried -forward from the ticket-granting ticket). - -2.2. Invalid tickets - - The INVALID flag indicates that a ticket is invalid. -Application servers must reject tickets which have this flag -set. A postdated ticket will usually be issued in this -form. Invalid tickets must be validated by the KDC before -use, by presenting them to the KDC in a TGS request with the -VALIDATE option specified. The KDC will only validate tick- -ets after their starttime has passed. The validation is -required so that postdated tickets which have been stolen -before their starttime can be rendered permanently invalid -(through a hot-list mechanism) (see section 3.3.3.1). - -2.3. Renewable tickets - - Applications may desire to hold tickets which can be -valid for long periods of time. However, this can expose -their credentials to potential theft for equally long -periods, and those stolen credentials would be valid until -the expiration time of the ticket(s). 
Simply using short- -lived tickets and obtaining new ones periodically would -require the client to have long-term access to its secret -key, an even greater risk. Renewable tickets can be used to -mitigate the consequences of theft. Renewable tickets have -two "expiration times": the first is when the current -instance of the ticket expires, and the second is the latest -permissible value for an individual expiration time. An -application client must periodically (i.e. before it -expires) present a renewable ticket to the KDC, with the -RENEW option set in the KDC request. The KDC will issue a -new ticket with a new session key and a later expiration -time. All other fields of the ticket are left unmodified by -the renewal process. When the latest permissible expiration -time arrives, the ticket expires permanently. At each -renewal, the KDC may consult a hot-list to determine if the -ticket had been reported stolen since its last renewal; it -will refuse to renew such stolen tickets, and thus the -usable lifetime of stolen tickets is reduced. - - The RENEWABLE flag in a ticket is normally only inter- -preted by the ticket-granting service (discussed below in -section 3.3). It can usually be ignored by application -servers. However, some particularly careful application - - -Section 2.3. - 11 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -servers may wish to disallow renewable tickets. - - If a renewable ticket is not renewed by its expiration -time, the KDC will not renew the ticket. The RENEWABLE flag -is reset by default, but a client may request it be set by -setting the RENEWABLE option in the KRB_AS_REQ message. If -it is set, then the renew-till field in the ticket contains -the time after which the ticket may not be renewed. - -2.4. Postdated tickets - - Applications may occasionally need to obtain tickets -for use much later, e.g. 
a batch submission system would -need tickets to be valid at the time the batch job is ser- -viced. However, it is dangerous to hold valid tickets in a -batch queue, since they will be on-line longer and more -prone to theft. Postdated tickets provide a way to obtain -these tickets from the KDC at job submission time, but to -leave them "dormant" until they are activated and validated -by a further request of the KDC. If a ticket theft were -reported in the interim, the KDC would refuse to validate -the ticket, and the thief would be foiled. - - The MAY-POSTDATE flag in a ticket is normally only -interpreted by the ticket-granting service. It can be -ignored by application servers. This flag must be set in a -ticket-granting ticket in order to issue a postdated ticket -based on the presented ticket. It is reset by default; it -may be requested by a client by setting the ALLOW-POSTDATE -option in the KRB_AS_REQ message. This flag does not allow -a client to obtain a postdated ticket-granting ticket; post- -dated ticket-granting tickets can only by obtained by -requesting the postdating in the KRB_AS_REQ message. The -life (endtime-starttime) of a postdated ticket will be the -remaining life of the ticket-granting ticket at the time of -the request, unless the RENEWABLE option is also set, in -which case it can be the full life (endtime-starttime) of -the ticket-granting ticket. The KDC may limit how far in -the future a ticket may be postdated. - - The POSTDATED flag indicates that a ticket has been -postdated. The application server can check the authtime -field in the ticket to see when the original authentication -occurred. Some services may choose to reject postdated -tickets, or they may only accept them within a certain -period after the original authentication. When the KDC -issues a POSTDATED ticket, it will also be marked as -INVALID, so that the application client must present the -ticket to the KDC to be validated before use. - -2.5. 
Proxiable and proxy tickets - - At times it may be necessary for a principal to allow a -service to perform an operation on its behalf. The service - - -Section 2.5. - 12 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -must be able to take on the identity of the client, but only -for a particular purpose. A principal can allow a service -to take on the principal's identity for a particular purpose -by granting it a proxy. - - The process of granting a proxy using the proxy and -proxiable flags is used to provide credentials for use with -specific services. Though conceptually also a proxy, user's -wishing to delegate their identity for ANY purpose must use -the ticket forwarding mechanism described in the next sec- -tion to forward a ticket granting ticket. - - The PROXIABLE flag in a ticket is normally only inter- -preted by the ticket-granting service. It can be ignored by -application servers. When set, this flag tells the ticket- -granting server that it is OK to issue a new ticket (but not -a ticket-granting ticket) with a different network address -based on this ticket. This flag is set if requested by the -client on initial authentication. By default, the client -will request that it be set when requesting a ticket grant- -ing ticket, and reset when requesting any other ticket. - - This flag allows a client to pass a proxy to a server -to perform a remote request on its behalf, e.g. a print ser- -vice client can give the print server a proxy to access the -client's files on a particular file server in order to -satisfy a print request. - - In order to complicate the use of stolen credentials, -Kerberos tickets are usually valid from only those network -addresses specifically included in the ticket[4]. When -granting a proxy, the client must specify the new network -address from which the proxy is to be used, or indicate that -the proxy is to be issued for use from any address. 
- - The PROXY flag is set in a ticket by the TGS when it -issues a proxy ticket. Application servers may check this -flag and at their option they may require additional authen- -tication from the agent presenting the proxy in order to -provide an audit trail. - -2.6. Forwardable tickets - - Authentication forwarding is an instance of a proxy -where the service is granted complete use of the client's -identity. An example where it might be used is when a user -logs in to a remote system and wants authentication to work -from that system as if the login were local. - - The FORWARDABLE flag in a ticket is normally only -__________________________ -[4] Though it is permissible to request or issue tick- -ets with no network addresses specified. - - -Section 2.6. - 13 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -interpreted by the ticket-granting service. It can be -ignored by application servers. The FORWARDABLE flag has an -interpretation similar to that of the PROXIABLE flag, except -ticket-granting tickets may also be issued with different -network addresses. This flag is reset by default, but users -may request that it be set by setting the FORWARDABLE option -in the AS request when they request their initial ticket- -granting ticket. - - This flag allows for authentication forwarding without -requiring the user to enter a password again. If the flag -is not set, then authentication forwarding is not permitted, -but the same result can still be achieved if the user -engages in the AS exchange specifying the requested network -addresses and supplies a password. - - The FORWARDED flag is set by the TGS when a client -presents a ticket with the FORWARDABLE flag set and requests -a forwarded ticket by specifying the FORWARDED KDC option -and supplying a set of addresses for the new ticket. It is -also set in all tickets issued based on tickets with the -FORWARDED flag set. 
Application servers may choose to pro- -cess FORWARDED tickets differently than non-FORWARDED tick- -ets. - -2.7. Other KDC options - - There are two additional options which may be set in a -client's request of the KDC. The RENEWABLE-OK option indi- -cates that the client will accept a renewable ticket if a -ticket with the requested life cannot otherwise be provided. -If a ticket with the requested life cannot be provided, then -the KDC may issue a renewable ticket with a renew-till equal -to the the requested endtime. The value of the renew-till -field may still be adjusted by site-determined limits or -limits imposed by the individual principal or server. - - The ENC-TKT-IN-SKEY option is honored only by the -ticket-granting service. It indicates that the ticket to be -issued for the end server is to be encrypted in the session -key from the a additional second ticket-granting ticket pro- -vided with the request. See section 3.3.3 for specific -details. - -__________________________ -[5] The password-changing request must not be honored -unless the requester can provide the old password (the -user's current secret key). Otherwise, it would be -possible for someone to walk up to an unattended ses- -sion and change another user's password. -[6] To authenticate a user logging on to a local sys- -tem, the credentials obtained in the AS exchange may -first be used in a TGS exchange to obtain credentials - - -Section 3.1. - 14 - Expires 11 January 1998 - - - - - - - Version 5 - Specification Revision 6 - - - -3. Message Exchanges - -The following sections describe the interactions between -network clients and servers and the messages involved in -those exchanges. - -3.1. The Authentication Service Exchange - - Summary - Message direction Message type Section - 1. Client to Kerberos KRB_AS_REQ 5.4.1 - 2. 
Kerberos to client KRB_AS_REP or 5.4.2 - KRB_ERROR 5.9.1 - - - The Authentication Service (AS) Exchange between the -client and the Kerberos Authentication Server is initiated -by a client when it wishes to obtain authentication creden- -tials for a given server but currently holds no credentials. -In its basic form, the client's secret key is used for en- -cryption and decryption. This exchange is typically used at -the initiation of a login session to obtain credentials for -a Ticket-Granting Server which will subsequently be used to -obtain credentials for other servers (see section 3.3) -without requiring further use of the client's secret key. -This exchange is also used to request credentials for ser- -vices which must not be mediated through the Ticket-Granting -Service, but rather require a principal's secret key, such -as the password-changing service[5]. This exchange does not -by itself provide any assurance of the the identity of the -user[6]. - - The exchange consists of two messages: KRB_AS_REQ from -the client to Kerberos, and KRB_AS_REP or KRB_ERROR in -reply. The formats for these messages are described in sec- -tions 5.4.1, 5.4.2, and 5.9.1. - - In the request, the client sends (in cleartext) its own -identity and the identity of the server for which it is -requesting credentials. The response, KRB_AS_REP, contains -a ticket for the client to present to the server, and a ses- -sion key that will be shared by the client and the server. -The session key and additional information are encrypted in -the client's secret key. The KRB_AS_REP message contains -information which can be used to detect replays, and to -associate it with the message to which it replies. Various -errors can occur; these are indicated by an error response -(KRB_ERROR) instead of the KRB_AS_REP response. The error -__________________________ -for a local server. 
Those credentials must then be -verified by a local server through successful comple- -tion of the Client/Server exchange. - - - -Section 3.1. - 15 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -message is not encrypted. The KRB_ERROR message contains -information which can be used to associate it with the mes- -sage to which it replies. The lack of encryption in the -KRB_ERROR message precludes the ability to detect replays, -fabrications, or modifications of such messages. - - Without preautentication, the authentication server -does not know whether the client is actually the principal -named in the request. It simply sends a reply without know- -ing or caring whether they are the same. This is acceptable -because nobody but the principal whose identity was given in -the request will be able to use the reply. Its critical -information is encrypted in that principal's key. The ini- -tial request supports an optional field that can be used to -pass additional information that might be needed for the -initial exchange. This field may be used for pre- -authentication as described in section <>. - -3.1.1. Generation of KRB_AS_REQ message - - The client may specify a number of options in the ini- -tial request. Among these options are whether pre- -authentication is to be performed; whether the requested -ticket is to be renewable, proxiable, or forwardable; -whether it should be postdated or allow postdating of -derivative tickets; and whether a renewable ticket will be -accepted in lieu of a non-renewable ticket if the requested -ticket expiration date cannot be satisfied by a non- -renewable ticket (due to configuration constraints; see sec- -tion 4). See section A.1 for pseudocode. - - The client prepares the KRB_AS_REQ message and sends it -to the KDC. - -3.1.2. 
Receipt of KRB_AS_REQ message - - If all goes well, processing the KRB_AS_REQ message -will result in the creation of a ticket for the client to -present to the server. The format for the ticket is -described in section 5.3.1. The contents of the ticket are -determined as follows. - -3.1.3. Generation of KRB_AS_REP message - - The authentication server looks up the client and -server principals named in the KRB_AS_REQ in its database, -extracting their respective keys. If required, the server -pre-authenticates the request, and if the pre-authentication -check fails, an error message with the code -KDC_ERR_PREAUTH_FAILED is returned. If the server cannot -accommodate the requested encryption type, an error message -with code KDC_ERR_ETYPE_NOSUPP is returned. Otherwise it -generates a "random" session key[7]. -__________________________ - - -Section 3.1.3. - 16 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - If there are multiple encryption keys registered for a -client in the Kerberos database (or if the key registered -supports multiple encryption types; e.g. DES-CBC-CRC and -DES-CBC-MD5), then the etype field from the AS request is -used by the KDC to select the encryption method to be used -for encrypting the response to the client. If there is more -than one supported, strong encryption type in the etype -list, the first valid etype for which an encryption key is -available is used. The encryption method used to respond to -a TGS request is taken from the keytype of the session key -found in the ticket granting ticket. - - When the etype field is present in a KDC request, -whether an AS or TGS request, the KDC will attempt to assign -the type of the random session key from the list of methods -in the etype field. The KDC will select the appropriate -type using the list of methods provided together with infor- -mation from the Kerberos database indicating acceptable -encryption methods for the application server. 
The KDC will -not issue tickets with a weak session key encryption type. - - If the requested start time is absent, indicates a time -in the past, or is within the window of acceptable clock -skew for the KDC and the POSTDATE option has not been speci- -fied, then the start time of the ticket is set to the -authentication server's current time. If it indicates a -time in the future beyond the acceptable clock skew, but the -POSTDATED option has not been specified then the error -KDC_ERR_CANNOT_POSTDATE is returned. Otherwise the -requested start time is checked against the policy of the -local realm (the administrator might decide to prohibit cer- -tain types or ranges of postdated tickets), and if accept- -able, the ticket's start time is set as requested and the -INVALID flag is set in the new ticket. The postdated ticket -must be validated before use by presenting it to the KDC -after the start time has been reached. - - - - - - - - - -__________________________ -[7] "Random" means that, among other things, it should -be impossible to guess the next session key based on -knowledge of past session keys. This can only be -achieved in a pseudo-random number generator if it is -based on cryptographic principles. It is more desir- -able to use a truly random number generator, such as -one based on measurements of random physical phenomena. - - - -Section 3.1.3. - 17 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -The expiration time of the ticket will be set to the minimum -of the following: - -+The expiration time (endtime) requested in the KRB_AS_REQ - message. - -+The ticket's start time plus the maximum allowable lifetime - associated with the client principal (the authentication - server's database includes a maximum ticket lifetime field - in each principal's record; see section 4). - -+The ticket's start time plus the maximum allowable lifetime - associated with the server principal. 
- -+The ticket's start time plus the maximum lifetime set by - the policy of the local realm. - - If the requested expiration time minus the start time -(as determined above) is less than a site-determined minimum -lifetime, an error message with code KDC_ERR_NEVER_VALID is -returned. If the requested expiration time for the ticket -exceeds what was determined as above, and if the -"RENEWABLE-OK" option was requested, then the "RENEWABLE" -flag is set in the new ticket, and the renew-till value is -set as if the "RENEWABLE" option were requested (the field -and option names are described fully in section 5.4.1). - -If the RENEWABLE option has been requested or if the -RENEWABLE-OK option has been set and a renewable ticket is -to be issued, then the renew-till field is set to the -minimum of: - -+Its requested value. - -+The start time of the ticket plus the minimum of the two - maximum renewable lifetimes associated with the principals' - database entries. - -+The start time of the ticket plus the maximum renewable - lifetime set by the policy of the local realm. - - The flags field of the new ticket will have the follow- -ing options set if they have been requested and if the pol- -icy of the local realm allows: FORWARDABLE, MAY-POSTDATE, -POSTDATED, PROXIABLE, RENEWABLE. If the new ticket is post- -dated (the start time is in the future), its INVALID flag -will also be set. - - If all of the above succeed, the server formats a -KRB_AS_REP message (see section 5.4.2), copying the -addresses in the request into the caddr of the response, -placing any required pre-authentication data into the padata -of the response, and encrypts the ciphertext part in the -client's key using the requested encryption method, and - - -Section 3.1.3. - 18 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -sends it to the client. See section A.2 for pseudocode. - -3.1.4. 
Generation of KRB_ERROR message - - Several errors can occur, and the Authentication Server -responds by returning an error message, KRB_ERROR, to the -client, with the error-code and e-text fields set to -appropriate values. The error message contents and details -are described in Section 5.9.1. - -3.1.5. Receipt of KRB_AS_REP message - - If the reply message type is KRB_AS_REP, then the -client verifies that the cname and crealm fields in the -cleartext portion of the reply match what it requested. If -any padata fields are present, they may be used to derive -the proper secret key to decrypt the message. The client -decrypts the encrypted part of the response using its secret -key, verifies that the nonce in the encrypted part matches -the nonce it supplied in its request (to detect replays). -It also verifies that the sname and srealm in the response -match those in the request (or are otherwise expected -values), and that the host address field is also correct. -It then stores the ticket, session key, start and expiration -times, and other information for later use. The key- -expiration field from the encrypted part of the response may -be checked to notify the user of impending key expiration -(the client program could then suggest remedial action, such -as a password change). See section A.3 for pseudocode. - - Proper decryption of the KRB_AS_REP message is not suf- -ficient to verify the identity of the user; the user and an -attacker could cooperate to generate a KRB_AS_REP format -message which decrypts properly but is not from the proper -KDC. If the host wishes to verify the identity of the user, -it must require the user to present application credentials -which can be verified using a securely-stored secret key for -the host. If those credentials can be verified, then the -identity of the user can be assured. - -3.1.6. 
Receipt of KRB_ERROR message - - If the reply message type is KRB_ERROR, then the client -interprets it as an error and performs whatever -application-specific tasks are necessary to recover. - -3.2. The Client/Server Authentication Exchange - - Summary -Message direction Message type Section -Client to Application server KRB_AP_REQ 5.5.1 -[optional] Application server to client KRB_AP_REP or 5.5.2 - KRB_ERROR 5.9.1 - - - -Section 3.2. - 19 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - The client/server authentication (CS) exchange is used -by network applications to authenticate the client to the -server and vice versa. The client must have already -acquired credentials for the server using the AS or TGS -exchange. - -3.2.1. The KRB_AP_REQ message - - The KRB_AP_REQ contains authentication information -which should be part of the first message in an authenti- -cated transaction. It contains a ticket, an authenticator, -and some additional bookkeeping information (see section -5.5.1 for the exact format). The ticket by itself is insuf- -ficient to authenticate a client, since tickets are passed -across the network in cleartext[8], so the authenticator is -used to prevent invalid replay of tickets by proving to the -server that the client knows the session key of the ticket -and thus is entitled to use the ticket. The KRB_AP_REQ mes- -sage is referred to elsewhere as the "authentication -header." - -3.2.2. Generation of a KRB_AP_REQ message - - When a client wishes to initiate authentication to a -server, it obtains (either through a credentials cache, the -AS exchange, or the TGS exchange) a ticket and session key -for the desired service. The client may re-use any tickets -it holds until they expire. 
To use a ticket the client con- -structs a new Authenticator from the the system time, its -name, and optionally an application specific checksum, an -initial sequence number to be used in KRB_SAFE or KRB_PRIV -messages, and/or a session subkey to be used in negotiations -for a session key unique to this particular session. -Authenticators may not be re-used and will be rejected if -replayed to a server[9]. If a sequence number is to be -included, it should be randomly chosen so that even after -many messages have been exchanged it is not likely to col- -lide with other sequence numbers in use. - - The client may indicate a requirement of mutual -__________________________ -[8] Tickets contain both an encrypted and unencrypted -portion, so cleartext here refers to the entire unit, -which can be copied from one message and replayed in -another without any cryptographic skill. -[9] Note that this can make applications based on un- -reliable transports difficult to code correctly. If the -transport might deliver duplicated messages, either a -new authenticator must be generated for each retry, or -the application server must match requests and replies -and replay the first reply in response to a detected -duplicate. - - - -Section 3.2.2. - 20 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -authentication or the use of a session-key based ticket by -setting the appropriate flag(s) in the ap-options field of -the message. - - The Authenticator is encrypted in the session key and -combined with the ticket to form the KRB_AP_REQ message -which is then sent to the end server along with any addi- -tional application-specific information. See section A.9 -for pseudocode. - -3.2.3. Receipt of KRB_AP_REQ message - - Authentication is based on the server's current time of -day (clocks must be loosely synchronized), the authentica- -tor, and the ticket. Several errors are possible. 
If an -error occurs, the server is expected to reply to the client -with a KRB_ERROR message. This message may be encapsulated -in the application protocol if its "raw" form is not accept- -able to the protocol. The format of error messages is -described in section 5.9.1. - - The algorithm for verifying authentication information -is as follows. If the message type is not KRB_AP_REQ, the -server returns the KRB_AP_ERR_MSG_TYPE error. If the key -version indicated by the Ticket in the KRB_AP_REQ is not one -the server can use (e.g., it indicates an old key, and the -server no longer possesses a copy of the old key), the -KRB_AP_ERR_BADKEYVER error is returned. If the USE- -SESSION-KEY flag is set in the ap-options field, it indi- -cates to the server that the ticket is encrypted in the ses- -sion key from the server's ticket-granting ticket rather -than its secret key[10]. Since it is possible for the -server to be registered in multiple realms, with different -keys in each, the srealm field in the unencrypted portion of -the ticket in the KRB_AP_REQ is used to specify which secret -key the server should use to decrypt that ticket. The -KRB_AP_ERR_NOKEY error code is returned if the server -doesn't have the proper key to decipher the ticket. - - The ticket is decrypted using the version of the -server's key specified by the ticket. If the decryption -routines detect a modification of the ticket (each encryp- -tion system must provide safeguards to detect modified -ciphertext; see section 6), the KRB_AP_ERR_BAD_INTEGRITY -error is returned (chances are good that different keys were -used to encrypt and decrypt). - - The authenticator is decrypted using the session key -extracted from the decrypted ticket. If decryption shows it -to have been modified, the KRB_AP_ERR_BAD_INTEGRITY error is -__________________________ -[10] This is used for user-to-user authentication as -described in [8]. - - -Section 3.2.3. 
- 21 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -returned. The name and realm of the client from the ticket -are compared against the same fields in the authenticator. -If they don't match, the KRB_AP_ERR_BADMATCH error is -returned (they might not match, for example, if the wrong -session key was used to encrypt the authenticator). The -addresses in the ticket (if any) are then searched for an -address matching the operating-system reported address of -the client. If no match is found or the server insists on -ticket addresses but none are present in the ticket, the -KRB_AP_ERR_BADADDR error is returned. - - If the local (server) time and the client time in the -authenticator differ by more than the allowable clock skew -(e.g., 5 minutes), the KRB_AP_ERR_SKEW error is returned. -If the server name, along with the client name, time and -microsecond fields from the Authenticator match any -recently-seen such tuples, the KRB_AP_ERR_REPEAT error is -returned[11]. The server must remember any authenticator -presented within the allowable clock skew, so that a replay -attempt is guaranteed to fail. If a server loses track of -any authenticator presented within the allowable clock skew, -it must reject all requests until the clock skew interval -has passed. This assures that any lost or re-played authen- -ticators will fall outside the allowable clock skew and can -no longer be successfully replayed (If this is not done, an -attacker could conceivably record the ticket and authentica- -tor sent over the network to a server, then disable the -client's host, pose as the disabled host, and replay the -ticket and authenticator to subvert the authentication.). -If a sequence number is provided in the authenticator, the -server saves it for later use in processing KRB_SAFE and/or -KRB_PRIV messages. 
If a subkey is present, the server -either saves it for later use or uses it to help generate -its own choice for a subkey to be returned in a KRB_AP_REP -message. - - The server computes the age of the ticket: local -(server) time minus the start time inside the Ticket. If -the start time is later than the current time by more than -the allowable clock skew or if the INVALID flag is set in -the ticket, the KRB_AP_ERR_TKT_NYV error is returned. Oth- -erwise, if the current time is later than end time by more -than the allowable clock skew, the KRB_AP_ERR_TKT_EXPIRED -error is returned. - - If all these checks succeed without an error, the -__________________________ -[11] Note that the rejection here is restricted to au- -thenticators from the same principal to the same -server. Other client principals communicating with the -same server principal should not be have their authen- -ticators rejected if the time and microsecond fields -happen to match some other client's authenticator. - - -Section 3.2.3. - 22 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -server is assured that the client possesses the credentials -of the principal named in the ticket and thus, the client -has been authenticated to the server. See section A.10 for -pseudocode. - - Passing these checks provides only authentication of -the named principal; it does not imply authorization to use -the named service. Applications must make a separate -authorization decisions based upon the authenticated name of -the user, the requested operation, local acces control -information such as that contained in a .k5login or .k5users -file, and possibly a separate distributed authorization ser- -vice. - -3.2.4. Generation of a KRB_AP_REP message - - Typically, a client's request will include both the -authentication information and its initial request in the -same message, and the server need not explicitly reply to -the KRB_AP_REQ. 
However, if mutual authentication (not only -authenticating the client to the server, but also the server -to the client) is being performed, the KRB_AP_REQ message -will have MUTUAL-REQUIRED set in its ap-options field, and a -KRB_AP_REP message is required in response. As with the -error message, this message may be encapsulated in the -application protocol if its "raw" form is not acceptable to -the application's protocol. The timestamp and microsecond -field used in the reply must be the client's timestamp and -microsecond field (as provided in the authenticator)[12]. -If a sequence number is to be included, it should be ran- -domly chosen as described above for the authenticator. A -subkey may be included if the server desires to negotiate a -different subkey. The KRB_AP_REP message is encrypted in -the session key extracted from the ticket. See section A.11 -for pseudocode. - -3.2.5. Receipt of KRB_AP_REP message - - - If a KRB_AP_REP message is returned, the client uses -the session key from the credentials obtained for the -server[13] to decrypt the message, and verifies that the -__________________________ -[12] In the Kerberos version 4 protocol, the timestamp -in the reply was the client's timestamp plus one. This -is not necessary in version 5 because version 5 mes- -sages are formatted in such a way that it is not possi- -ble to create the reply by judicious message surgery -(even in encrypted form) without knowledge of the ap- -propriate encryption keys. -[13] Note that for encrypting the KRB_AP_REP message, -the sub-session key is not used, even if present in the -Authenticator. - - -Section 3.2.5. - 23 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -timestamp and microsecond fields match those in the Authen- -ticator it sent to the server. If they match, then the -client is assured that the server is genuine. The sequence -number and subkey (if present) are retained for later use. -See section A.12 for pseudocode. 
- - -3.2.6. Using the encryption key - - After the KRB_AP_REQ/KRB_AP_REP exchange has occurred, -the client and server share an encryption key which can be -used by the application. The "true session key" to be used -for KRB_PRIV, KRB_SAFE, or other application-specific uses -may be chosen by the application based on the subkeys in the -KRB_AP_REP message and the authenticator[14]. In some -cases, the use of this session key will be implicit in the -protocol; in others the method of use must be chosen from -several alternatives. We leave the protocol negotiations of -how to use the key (e.g. selecting an encryption or check- -sum type) to the application programmer; the Kerberos proto- -col does not constrain the implementation options, but an -example of how this might be done follows. - - One way that an application may choose to negotiate a -key to be used for subequent integrity and privacy protec- -tion is for the client to propose a key in the subkey field -of the authenticator. The server can then choose a key -using the proposed key from the client as input, returning -the new subkey in the subkey field of the application reply. -This key could then be used for subsequent communication. -To make this example more concrete, if the encryption method -in use required a 56 bit key, and for whatever reason, one -of the parties was prevented from using a key with more than -40 unknown bits, this method would allow the the party which -is prevented from using more than 40 bits to either propose -(if the client) an initial key with a known quantity for 16 -of those bits, or to mask 16 of the bits (if the server) -with the known quantity. The application implementor is -warned, however, that this is only an example, and that an -analysis of the particular crytosystem to be used, and the -reasons for limiting the key length, must be made before -deciding whether it is acceptable to mask bits of the key. 
- - With both the one-way and mutual authentication -exchanges, the peers should take care not to send sensitive -information to each other without proper assurances. In -particular, applications that require privacy or integrity -should use the KRB_AP_REP response from the server to client -__________________________ -[14] Implementations of the protocol may wish to pro- -vide routines to choose subkeys based on session keys -and random numbers and to generate a negotiated key to -be returned in the KRB_AP_REP message. - - -Section 3.2.6. - 24 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -to assure both client and server of their peer's identity. -If an application protocol requires privacy of its messages, -it can use the KRB_PRIV message (section 3.5). The KRB_SAFE -message (section 3.4) can be used to assure integrity. - - -3.3. The Ticket-Granting Service (TGS) Exchange - - Summary - Message direction Message type Section - 1. Client to Kerberos KRB_TGS_REQ 5.4.1 - 2. Kerberos to client KRB_TGS_REP or 5.4.2 - KRB_ERROR 5.9.1 - - - The TGS exchange between a client and the Kerberos -Ticket-Granting Server is initiated by a client when it -wishes to obtain authentication credentials for a given -server (which might be registered in a remote realm), when -it wishes to renew or validate an existing ticket, or when -it wishes to obtain a proxy ticket. In the first case, the -client must already have acquired a ticket for the Ticket- -Granting Service using the AS exchange (the ticket-granting -ticket is usually obtained when a client initially authenti- -cates to the system, such as when a user logs in). The mes- -sage format for the TGS exchange is almost identical to that -for the AS exchange. The primary difference is that encryp- -tion and decryption in the TGS exchange does not take place -under the client's key. 
Instead, the session key from the -ticket-granting ticket or renewable ticket, or sub-session -key from an Authenticator is used. As is the case for all -application servers, expired tickets are not accepted by the -TGS, so once a renewable or ticket-granting ticket expires, -the client must use a separate exchange to obtain valid -tickets. - - The TGS exchange consists of two messages: A request -(KRB_TGS_REQ) from the client to the Kerberos Ticket- -Granting Server, and a reply (KRB_TGS_REP or KRB_ERROR). -The KRB_TGS_REQ message includes information authenticating -the client plus a request for credentials. The authentica- -tion information consists of the authentication header -(KRB_AP_REQ) which includes the client's previously obtained -ticket-granting, renewable, or invalid ticket. In the -ticket-granting ticket and proxy cases, the request may -include one or more of: a list of network addresses, a col- -lection of typed authorization data to be sealed in the -ticket for authorization use by the application server, or -additional tickets (the use of which are described later). -The TGS reply (KRB_TGS_REP) contains the requested creden- -tials, encrypted in the session key from the ticket-granting -ticket or renewable ticket, or if present, in the sub- -session key from the Authenticator (part of the authentica- -tion header). The KRB_ERROR message contains an error code - - -Section 3.3. - 25 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -and text explaining what went wrong. The KRB_ERROR message -is not encrypted. The KRB_TGS_REP message contains informa- -tion which can be used to detect replays, and to associate -it with the message to which it replies. The KRB_ERROR mes- -sage also contains information which can be used to associ- -ate it with the message to which it replies, but the lack of -encryption in the KRB_ERROR message precludes the ability to -detect replays or fabrications of such messages. - -3.3.1. 
Generation of KRB_TGS_REQ message - - Before sending a request to the ticket-granting ser- -vice, the client must determine in which realm the applica- -tion server is registered[15]. If the client does not -already possess a ticket-granting ticket for the appropriate -realm, then one must be obtained. This is first attempted -by requesting a ticket-granting ticket for the destination -realm from a Kerberos server for which the client does -posess a ticket-granting ticket (using the KRB_TGS_REQ mes- -sage recursively). The Kerberos server may return a TGT for -the desired realm in which case one can proceed. Alterna- -tively, the Kerberos server may return a TGT for a realm -which is "closer" to the desired realm (further along the -standard hierarchical path), in which case this step must be -repeated with a Kerberos server in the realm specified in -the returned TGT. If neither are returned, then the request -must be retried with a Kerberos server for a realm higher in -the hierarchy. This request will itself require a ticket- -granting ticket for the higher realm which must be obtained -by recursively applying these directions. - - - Once the client obtains a ticket-granting ticket for -the appropriate realm, it determines which Kerberos servers -serve that realm, and contacts one. The list might be -obtained through a configuration file or network service or -it may be generated from the name of the realm; as long as -the secret keys exchanged by realms are kept secret, only -denial of service results from using a false Kerberos -server. -__________________________ -[15] This can be accomplished in several ways. It -might be known beforehand (since the realm is part of -the principal identifier), it might be stored in a -nameserver, or it might be obtained from a configura- -tion file. If the realm to be used is obtained from a -nameserver, there is a danger of being spoofed if the -nameservice providing the realm name is not authenti- -cated. 
This might result in the use of a realm which -has been compromised, and would result in an attacker's -ability to compromise the authentication of the appli- -cation server to the client. - - - -Section 3.3.1. - 26 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - As in the AS exchange, the client may specify a number -of options in the KRB_TGS_REQ message. The client prepares -the KRB_TGS_REQ message, providing an authentication header -as an element of the padata field, and including the same -fields as used in the KRB_AS_REQ message along with several -optional fields: the enc-authorization-data field for appli- -cation server use and additional tickets required by some -options. - - In preparing the authentication header, the client can -select a sub-session key under which the response from the -Kerberos server will be encrypted[16]. If the sub-session -key is not specified, the session key from the ticket- -granting ticket will be used. If the enc-authorization-data -is present, it must be encrypted in the sub-session key, if -present, from the authenticator portion of the authentica- -tion header, or if not present, using the session key from -the ticket-granting ticket. - - Once prepared, the message is sent to a Kerberos server -for the destination realm. See section A.5 for pseudocode. - -3.3.2. Receipt of KRB_TGS_REQ message - - The KRB_TGS_REQ message is processed in a manner simi- -lar to the KRB_AS_REQ message, but there are many additional -checks to be performed. First, the Kerberos server must -determine which server the accompanying ticket is for and it -must select the appropriate key to decrypt it. For a normal -KRB_TGS_REQ message, it will be for the ticket granting ser- -vice, and the TGS's key will be used. If the TGT was issued -by another realm, then the appropriate inter-realm key must -be used. 
If the accompanying ticket is not a ticket grant- -ing ticket for the current realm, but is for an application -server in the current realm, the RENEW, VALIDATE, or PROXY -options are specified in the request, and the server for -which a ticket is requested is the server named in the -accompanying ticket, then the KDC will decrypt the ticket in -the authentication header using the key of the server for -which it was issued. If no ticket can be found in the -padata field, the KDC_ERR_PADATA_TYPE_NOSUPP error is -returned. - - Once the accompanying ticket has been decrypted, the -user-supplied checksum in the Authenticator must be verified -against the contents of the request, and the message -rejected if the checksums do not match (with an error code -__________________________ -[16] If the client selects a sub-session key, care must -be taken to ensure the randomness of the selected sub- -session key. One approach would be to generate a ran- -dom number and XOR it with the session key from the -ticket-granting ticket. - - -Section 3.3.2. - 27 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -of KRB_AP_ERR_MODIFIED) or if the checksum is not keyed or -not collision-proof (with an error code of -KRB_AP_ERR_INAPP_CKSUM). If the checksum type is not sup- -ported, the KDC_ERR_SUMTYPE_NOSUPP error is returned. If -the authorization-data are present, they are decrypted using -the sub-session key from the Authenticator. - - If any of the decryptions indicate failed integrity -checks, the KRB_AP_ERR_BAD_INTEGRITY error is returned. - -3.3.3. Generation of KRB_TGS_REP message - - The KRB_TGS_REP message shares its format with the -KRB_AS_REP (KRB_KDC_REP), but with its type field set to -KRB_TGS_REP. The detailed specification is in section -5.4.2. - - The response will include a ticket for the requested -server. 
The Kerberos database is queried to retrieve the -record for the requested server (including the key with -which the ticket will be encrypted). If the request is for -a ticket granting ticket for a remote realm, and if no key -is shared with the requested realm, then the Kerberos server -will select the realm "closest" to the requested realm with -which it does share a key, and use that realm instead. This -is the only case where the response from the KDC will be for -a different server than that requested by the client. - - By default, the address field, the client's name and -realm, the list of transited realms, the time of initial -authentication, the expiration time, and the authorization -data of the newly-issued ticket will be copied from the -ticket-granting ticket (TGT) or renewable ticket. If the -transited field needs to be updated, but the transited type -is not supported, the KDC_ERR_TRTYPE_NOSUPP error is -returned. - - If the request specifies an endtime, then the endtime -of the new ticket is set to the minimum of (a) that request, -(b) the endtime from the TGT, and (c) the starttime of the -TGT plus the minimum of the maximum life for the application -server and the maximum life for the local realm (the maximum -life for the requesting principal was already applied when -the TGT was issued). If the new ticket is to be a renewal, -then the endtime above is replaced by the minimum of (a) the -value of the renew_till field of the ticket and (b) the -starttime for the new ticket plus the life (endtime- -starttime) of the old ticket. - - If the FORWARDED option has been requested, then the -resulting ticket will contain the addresses specified by the -client. This option will only be honored if the FORWARDABLE -flag is set in the TGT. The PROXY option is similar; the -resulting ticket will contain the addresses specified by the - - -Section 3.3.3. - 28 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -client. 
It will be honored only if the PROXIABLE flag in -the TGT is set. The PROXY option will not be honored on -requests for additional ticket-granting tickets. - - If the requested start time is absent, indicates a time -in the past, or is within the window of acceptable clock -skew for the KDC and the POSTDATE option has not been speci- -fied, then the start time of the ticket is set to the -authentication server's current time. If it indicates a -time in the future beyond the acceptable clock skew, but the -POSTDATED option has not been specified or the MAY-POSTDATE -flag is not set in the TGT, then the error -KDC_ERR_CANNOT_POSTDATE is returned. Otherwise, if the -ticket-granting ticket has the MAY-POSTDATE flag set, then -the resulting ticket will be postdated and the requested -starttime is checked against the policy of the local realm. -If acceptable, the ticket's start time is set as requested, -and the INVALID flag is set. The postdated ticket must be -validated before use by presenting it to the KDC after the -starttime has been reached. However, in no case may the -starttime, endtime, or renew-till time of a newly-issued -postdated ticket extend beyond the renew-till time of the -ticket-granting ticket. - - If the ENC-TKT-IN-SKEY option has been specified and an -additional ticket has been included in the request, the KDC -will decrypt the additional ticket using the key for the -server to which the additional ticket was issued and verify -that it is a ticket-granting ticket. If the name of the -requested server is missing from the request, the name of -the client in the additional ticket will be used. Otherwise -the name of the requested server will be compared to the -name of the client in the additional ticket and if dif- -ferent, the request will be rejected. 
If the request -succeeds, the session key from the additional ticket will be -used to encrypt the new ticket that is issued instead of -using the key of the server for which the new ticket will be -used[17]. - - If the name of the server in the ticket that is -presented to the KDC as part of the authentication header is -not that of the ticket-granting server itself, the server is -registered in the realm of the KDC, and the RENEW option is -requested, then the KDC will verify that the RENEWABLE flag -is set in the ticket, that the INVALID flag is not set in -the ticket, and that the renew_till time is still in the -future. If the VALIDATE option is rqeuested, the KDC will -__________________________ -[17] This allows easy implementation of user-to-user -authentication [8], which uses ticket-granting ticket -session keys in lieu of secret server keys in situa- -tions where such secret keys could be easily comprom- -ised. - - -Section 3.3.3. - 29 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -check that the starttime has passed and the INVALID flag is -set. If the PROXY option is requested, then the KDC will -check that the PROXIABLE flag is set in the ticket. If the -tests succeed, and the ticket passes the hotlist check -described in the next paragraph, the KDC will issue the -appropriate new ticket. - - -3.3.3.1. Checking for revoked tickets - - Whenever a request is made to the ticket-granting -server, the presented ticket(s) is(are) checked against a -hot-list of tickets which have been canceled. This hot-list -might be implemented by storing a range of issue timestamps -for "suspect tickets"; if a presented ticket had an authtime -in that range, it would be rejected. In this way, a stolen -ticket-granting ticket or renewable ticket cannot be used to -gain additional tickets (renewals or otherwise) once the -theft has been reported. 
Any normal ticket obtained before -it was reported stolen will still be valid (because they -require no interaction with the KDC), but only until their -normal expiration time. - - The ciphertext part of the response in the KRB_TGS_REP -message is encrypted in the sub-session key from the Authen- -ticator, if present, or the session key key from the -ticket-granting ticket. It is not encrypted using the -client's secret key. Furthermore, the client's key's -expiration date and the key version number fields are left -out since these values are stored along with the client's -database record, and that record is not needed to satisfy a -request based on a ticket-granting ticket. See section A.6 -for pseudocode. - -3.3.3.2. Encoding the transited field - - If the identity of the server in the TGT that is -presented to the KDC as part of the authentication header is -that of the ticket-granting service, but the TGT was issued -from another realm, the KDC will look up the inter-realm key -shared with that realm and use that key to decrypt the -ticket. If the ticket is valid, then the KDC will honor the -request, subject to the constraints outlined above in the -section describing the AS exchange. The realm part of the -client's identity will be taken from the ticket-granting -ticket. The name of the realm that issued the ticket- -granting ticket will be added to the transited field of the -ticket to be issued. This is accomplished by reading the -transited field from the ticket-granting ticket (which is -treated as an unordered set of realm names), adding the new -realm to the set, then constructing and writing out its -encoded (shorthand) form (this may involve a rearrangement -of the existing encoding). - - - -Section 3.3.3.2. - 30 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - Note that the ticket-granting service does not add the -name of its own realm. Instead, its responsibility is to -add the name of the previous realm. 
This prevents a mali- -cious Kerberos server from intentionally leaving out its own -name (it could, however, omit other realms' names). - - The names of neither the local realm nor the -principal's realm are to be included in the transited field. -They appear elsewhere in the ticket and both are known to -have taken part in authenticating the principal. Since the -endpoints are not included, both local and single-hop -inter-realm authentication result in a transited field that -is empty. - - Because the name of each realm transited is added to -this field, it might potentially be very long. To decrease -the length of this field, its contents are encoded. The -initially supported encoding is optimized for the normal -case of inter-realm communication: a hierarchical arrange- -ment of realms using either domain or X.500 style realm -names. This encoding (called DOMAIN-X500-COMPRESS) is now -described. - - Realm names in the transited field are separated by a -",". The ",", "\", trailing "."s, and leading spaces (" ") -are special characters, and if they are part of a realm -name, they must be quoted in the transited field by preced- -ing them with a "\". - - A realm name ending with a "." is interpreted as being -prepended to the previous realm. For example, we can encode -traversal of EDU, MIT.EDU, ATHENA.MIT.EDU, WASHINGTON.EDU, -and CS.WASHINGTON.EDU as: - - "EDU,MIT.,ATHENA.,WASHINGTON.EDU,CS.". - -Note that if ATHENA.MIT.EDU, or CS.WASHINGTON.EDU were end- -points, that they would not be included in this field, and -we would have: - - "EDU,MIT.,WASHINGTON.EDU" - -A realm name beginning with a "/" is interpreted as being -appended to the previous realm[18]. If it is to stand by -itself, then it should be preceded by a space (" "). For -example, we can encode traversal of /COM/HP/APOLLO, /COM/HP, -/COM, and /COM/DEC as: - - "/COM,/HP,/APOLLO, /COM/DEC". 
-__________________________ -[18] For the purpose of appending, the realm preceding -the first listed realm is considered to be the null -realm (""). - - -Section 3.3.3.2. - 31 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -Like the example above, if /COM/HP/APOLLO and /COM/DEC are -endpoints, they they would not be included in this field, -and we would have: - - "/COM,/HP" - - - A null subfield preceding or following a "," indicates -that all realms between the previous realm and the next -realm have been traversed[19]. Thus, "," means that all -realms along the path between the client and the server have -been traversed. ",EDU, /COM," means that that all realms -from the client's realm up to EDU (in a domain style hierar- -chy) have been traversed, and that everything from /COM down -to the server's realm in an X.500 style has also been -traversed. This could occur if the EDU realm in one hierar- -chy shares an inter-realm key directly with the /COM realm -in another hierarchy. - -3.3.4. Receipt of KRB_TGS_REP message - -When the KRB_TGS_REP is received by the client, it is pro- -cessed in the same manner as the KRB_AS_REP processing -described above. The primary difference is that the cipher- -text part of the response must be decrypted using the ses- -sion key from the ticket-granting ticket rather than the -client's secret key. See section A.7 for pseudocode. - - -3.4. The KRB_SAFE Exchange - - The KRB_SAFE message may be used by clients requiring -the ability to detect modifications of messages they -exchange. It achieves this by including a keyed collision- -proof checksum of the user data and some control informa- -tion. The checksum is keyed with an encryption key (usually -the last key negotiated via subkeys, or the session key if -no negotiation has occured). - -3.4.1. 
Generation of a KRB_SAFE message - -When an application wishes to send a KRB_SAFE message, it -collects its data and the appropriate control information -and computes a checksum over them. The checksum algorithm -should be a keyed one-way hash function (such as the RSA- -MD5-DES checksum algorithm specified in section 6.4.5, or -the DES MAC), generated using the sub-session key if -present, or the session key. Different algorithms may be -__________________________ -[19] For the purpose of interpreting null subfields, -the client's realm is considered to precede those in -the transited field, and the server's realm is con- -sidered to follow them. - - -Section 3.4.1. - 32 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -selected by changing the checksum type in the message. -Unkeyed or non-collision-proof checksums are not suitable -for this use. - - The control information for the KRB_SAFE message -includes both a timestamp and a sequence number. The -designer of an application using the KRB_SAFE message must -choose at least one of the two mechanisms. This choice -should be based on the needs of the application protocol. - - Sequence numbers are useful when all messages sent will -be received by one's peer. Connection state is presently -required to maintain the session key, so maintaining the -next sequence number should not present an additional prob- -lem. - - If the application protocol is expected to tolerate -lost messages without them being resent, the use of the -timestamp is the appropriate replay detection mechanism. -Using timestamps is also the appropriate mechanism for -multi-cast protocols where all of one's peers share a common -sub-session key, but some messages will be sent to a subset -of one's peers. - - After computing the checksum, the client then transmits -the information and checksum to the recipient in the message -format specified in section 5.6.1. - -3.4.2. 
Receipt of KRB_SAFE message - -When an application receives a KRB_SAFE message, it verifies -it as follows. If any error occurs, an error code is -reported for use by the application. - - The message is first checked by verifying that the pro- -tocol version and type fields match the current version and -KRB_SAFE, respectively. A mismatch generates a -KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The -application verifies that the checksum used is a collision- -proof keyed checksum, and if it is not, a -KRB_AP_ERR_INAPP_CKSUM error is generated. The recipient -verifies that the operating system's report of the sender's -address matches the sender's address in the message, and (if -a recipient address is specified or the recipient requires -an address) that one of the recipient's addresses appears as -the recipient's address in the message. A failed match for -either case generates a KRB_AP_ERR_BADADDR error. Then the -timestamp and usec and/or the sequence number fields are -checked. If timestamp and usec are expected and not -present, or they are present but not current, the -KRB_AP_ERR_SKEW error is generated. If the server name, -along with the client name, time and microsecond fields from -the Authenticator match any recently-seen (sent or -received[20] ) such tuples, the KRB_AP_ERR_REPEAT error is -__________________________ -[20] This means that a client and server running on the - - - - - - - Version 5 - Specification Revision 6 - - -generated. If an incorrect sequence number is included, or -a sequence number is expected but not present, the -KRB_AP_ERR_BADORDER error is generated. If neither a time- -stamp and usec or a sequence number is present, a -KRB_AP_ERR_MODIFIED error is generated. Finally, the check- -sum is computed over the data and control information, and -if it doesn't match the received checksum, a -KRB_AP_ERR_MODIFIED error is generated. 
- - If all the checks succeed, the application is assured -that the message was generated by its peer and was not modi- -fied in transit. - -3.5. The KRB_PRIV Exchange - - The KRB_PRIV message may be used by clients requiring -confidentiality and the ability to detect modifications of -exchanged messages. It achieves this by encrypting the mes- -sages and adding control information. - -3.5.1. Generation of a KRB_PRIV message - -When an application wishes to send a KRB_PRIV message, it -collects its data and the appropriate control information -(specified in section 5.7.1) and encrypts them under an -encryption key (usually the last key negotiated via subkeys, -or the session key if no negotiation has occured). As part -of the control information, the client must choose to use -either a timestamp or a sequence number (or both); see the -discussion in section 3.4.1 for guidelines on which to use. -After the user data and control information are encrypted, -the client transmits the ciphertext and some "envelope" -information to the recipient. - -3.5.2. Receipt of KRB_PRIV message - -When an application receives a KRB_PRIV message, it verifies -it as follows. If any error occurs, an error code is -reported for use by the application. - - The message is first checked by verifying that the pro- -tocol version and type fields match the current version and -KRB_PRIV, respectively. A mismatch generates a -KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The -application then decrypts the ciphertext and processes the -resultant plaintext. If decryption shows the data to have -been modified, a KRB_AP_ERR_BAD_INTEGRITY error is gen- -erated. The recipient verifies that the operating system's -report of the sender's address matches the sender's address -__________________________ -same host and communicating with one another using the -KRB_SAFE messages should not share a common replay -cache to detect KRB_SAFE replays. - - - -Section 3.5.2. 
- 34 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -in the message, and (if a recipient address is specified or -the recipient requires an address) that one of the -recipient's addresses appears as the recipient's address in -the message. A failed match for either case generates a -KRB_AP_ERR_BADADDR error. Then the timestamp and usec -and/or the sequence number fields are checked. If timestamp -and usec are expected and not present, or they are present -but not current, the KRB_AP_ERR_SKEW error is generated. If -the server name, along with the client name, time and -microsecond fields from the Authenticator match any -recently-seen such tuples, the KRB_AP_ERR_REPEAT error is -generated. If an incorrect sequence number is included, or -a sequence number is expected but not present, the -KRB_AP_ERR_BADORDER error is generated. If neither a time- -stamp and usec or a sequence number is present, a -KRB_AP_ERR_MODIFIED error is generated. - - If all the checks succeed, the application can assume -the message was generated by its peer, and was securely -transmitted (without intruders able to see the unencrypted -contents). - -3.6. The KRB_CRED Exchange - - The KRB_CRED message may be used by clients requiring -the ability to send Kerberos credentials from one host to -another. It achieves this by sending the tickets together -with encrypted data containing the session keys and other -information associated with the tickets. - -3.6.1. Generation of a KRB_CRED message - -When an application wishes to send a KRB_CRED message it -first (using the KRB_TGS exchange) obtains credentials to be -sent to the remote host. It then constructs a KRB_CRED mes- -sage using the ticket or tickets so obtained, placing the -session key needed to use each ticket in the key field of -the corresponding KrbCredInfo sequence of the encrypted part -of the the KRB_CRED message. 
- - Other information associated with each ticket and -obtained during the KRB_TGS exchange is also placed in the -corresponding KrbCredInfo sequence in the encrypted part of -the KRB_CRED message. The current time and, if specifically -required by the application the nonce, s-address, and r- -address fields, are placed in the encrypted part of the -KRB_CRED message which is then encrypted under an encryption -key previosuly exchanged in the KRB_AP exchange (usually the -last key negotiated via subkeys, or the session key if no -negotiation has occured). - -3.6.2. Receipt of KRB_CRED message - -When an application receives a KRB_CRED message, it verifies - - -Section 3.6.2. - 35 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -it. If any error occurs, an error code is reported for use -by the application. The message is verified by checking -that the protocol version and type fields match the current -version and KRB_CRED, respectively. A mismatch generates a -KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The -application then decrypts the ciphertext and processes the -resultant plaintext. If decryption shows the data to have -been modified, a KRB_AP_ERR_BAD_INTEGRITY error is gen- -erated. - - If present or required, the recipient verifies that the -operating system's report of the sender's address matches -the sender's address in the message, and that one of the -recipient's addresses appears as the recipient's address in -the message. A failed match for either case generates a -KRB_AP_ERR_BADADDR error. The timestamp and usec fields -(and the nonce field if required) are checked next. If the -timestamp and usec are not present, or they are present but -not current, the KRB_AP_ERR_SKEW error is generated. 
- - If all the checks succeed, the application stores each -of the new tickets in its ticket cache together with the -session key and other information in the corresponding -KrbCredInfo sequence from the encrypted part of the KRB_CRED -message. - -4. The Kerberos Database - -The Kerberos server must have access to a database contain- -ing the principal identifiers and secret keys of principals -to be authenticated[21]. - -4.1. Database contents - -A database entry should contain at least the following -fields: - -Field Value - -name Principal's identif- -ier -key Principal's secret key -p_kvno Principal's key version -max_life Maximum lifetime for Tickets -__________________________ -[21] The implementation of the Kerberos server need not -combine the database and the server on the same -machine; it is feasible to store the principal database -in, say, a network name service, as long as the entries -stored therein are protected from disclosure to and -modification by unauthorized parties. However, we -recommend against such strategies, as they can make -system management and threat analysis quite complex. - - -Section 4.1. - 36 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -max_renewable_life Maximum total lifetime for renewable Tickets - -The name field is an encoding of the principal's identifier. -The key field contains an encryption key. This key is the -principal's secret key. (The key can be encrypted before -storage under a Kerberos "master key" to protect it in case -the database is compromised but the master key is not. In -that case, an extra field must be added to indicate the mas- -ter key version used, see below.) The p_kvno field is the -key version number of the principal's secret key. The -max_life field contains the maximum allowable lifetime (end- -time - starttime) for any Ticket issued for this principal. 
-The max_renewable_life field contains the maximum allowable -total lifetime for any renewable Ticket issued for this -principal. (See section 3.1 for a description of how these -lifetimes are used in determining the lifetime of a given -Ticket.) - - A server may provide KDC service to several realms, as -long as the database representation provides a mechanism to -distinguish between principal records with identifiers which -differ only in the realm name. - - When an application server's key changes, if the change -is routine (i.e. not the result of disclosure of the old -key), the old key should be retained by the server until all -tickets that had been issued using that key have expired. -Because of this, it is possible for several keys to be -active for a single principal. Ciphertext encrypted in a -principal's key is always tagged with the version of the key -that was used for encryption, to help the recipient find the -proper key for decryption. - - When more than one key is active for a particular prin- -cipal, the principal will have more than one record in the -Kerberos database. The keys and key version numbers will -differ between the records (the rest of the fields may or -may not be the same). Whenever Kerberos issues a ticket, or -responds to a request for initial authentication, the most -recent key (known by the Kerberos server) will be used for -encryption. This is the key with the highest key version -number. - -4.2. Additional fields - -Project Athena's KDC implementation uses additional fields -in its database: - -Field Value - -K_kvno Kerberos' key version -expiration Expiration date for entry -attributes Bit field of attributes -mod_date Timestamp of last modification - - -Section 4.2. - 37 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -mod_name Modifying principal's identifier - - -The K_kvno field indicates the key version of the Kerberos -master key under which the principal's secret key is -encrypted. 
- - After an entry's expiration date has passed, the KDC -will return an error to any client attempting to gain tick- -ets as or for the principal. (A database may want to main- -tain two expiration dates: one for the principal, and one -for the principal's current key. This allows password aging -to work independently of the principal's expiration date. -However, due to the limited space in the responses, the KDC -must combine the key expiration and principal expiration -date into a single value called "key_exp", which is used as -a hint to the user to take administrative action.) - - The attributes field is a bitfield used to govern the -operations involving the principal. This field might be -useful in conjunction with user registration procedures, for -site-specific policy implementations (Project Athena -currently uses it for their user registration process con- -trolled by the system-wide database service, Moira [9]), to -identify whether a principal can play the role of a client -or server or both, to note whether a server is appropriate -trusted to recieve credentials delegated by a client, or to -identify the "string to key" conversion algorithm used for a -principal's key[22]. Other bits are used to indicate that -certain ticket options should not be allowed in tickets -encrypted under a principal's key (one bit each): Disallow -issuing postdated tickets, disallow issuing forwardable -tickets, disallow issuing tickets based on TGT authentica- -tion, disallow issuing renewable tickets, disallow issuing -proxiable tickets, and disallow issuing tickets for which -the principal is the server. - - The mod_date field contains the time of last modifica- -tion of the entry, and the mod_name field contains the name -of the principal which last modified the entry. - -4.3. Frequently Changing Fields - - Some KDC implementations may wish to maintain the last -time that a request was made by a particular principal. 
-Information that might be maintained includes the time of -the last request, the time of the last request for a -ticket-granting ticket, the time of the last use of a -ticket-granting ticket, or other times. This information -can then be returned to the user in the last-req field (see -__________________________ -[22] See the discussion of the padata field in section -5.4.2 for details on why this can be useful. - - -Section 4.3. - 38 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -section 5.2). - - Other frequently changing information that can be main- -tained is the latest expiration time for any tickets that -have been issued using each key. This field would be used -to indicate how long old keys must remain valid to allow the -continued use of outstanding tickets. - -4.4. Site Constants - - The KDC implementation should have the following confi- -gurable constants or options, to allow an administrator to -make and enforce policy decisions: - -+ The minimum supported lifetime (used to determine whether - the KDC_ERR_NEVER_VALID error should be returned). This - constant should reflect reasonable expectations of - round-trip time to the KDC, encryption/decryption time, - and processing time by the client and target server, and - it should allow for a minimum "useful" lifetime. - -+ The maximum allowable total (renewable) lifetime of a - ticket (renew_till - starttime). - -+ The maximum allowable lifetime of a ticket (endtime - - starttime). - -+ Whether to allow the issue of tickets with empty address - fields (including the ability to specify that such tick- - ets may only be issued if the request specifies some - authorization_data). - -+ Whether proxiable, forwardable, renewable or post-datable - tickets are to be issued. - - -5. Message Specifications - - The following sections describe the exact contents and -encoding of protocol messages and objects. The ASN.1 base -definitions are presented in the first subsection. 
The -remaining subsections specify the protocol objects (tickets -and authenticators) and messages. Specification of encryp- -tion and checksum techniques, and the fields related to -them, appear in section 6. - -5.1. ASN.1 Distinguished Encoding Representation - - All uses of ASN.1 in Kerberos shall use the Dis- -tinguished Encoding Representation of the data elements as -described in the X.509 specification, section 8.7 [10]. - - - - - -Section 5.1. - 39 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -5.2. ASN.1 Base Definitions - - The following ASN.1 base definitions are used in the -rest of this section. Note that since the underscore char- -acter (_) is not permitted in ASN.1 names, the hyphen (-) is -used in its place for the purposes of ASN.1 names. - -Realm ::= GeneralString -PrincipalName ::= SEQUENCE { - name-type[0] INTEGER, - name-string[1] SEQUENCE OF GeneralString -} - - -Kerberos realms are encoded as GeneralStrings. Realms shall -not contain a character with the code 0 (the ASCII NUL). -Most realms will usually consist of several components -separated by periods (.), in the style of Internet Domain -Names, or separated by slashes (/) in the style of X.500 -names. Acceptable forms for realm names are specified in -section 7. A PrincipalName is a typed sequence of com- -ponents consisting of the following sub-fields: - -name-type This field specifies the type of name that fol- - lows. Pre-defined values for this field are - specified in section 7.2. The name-type should be - treated as a hint. Ignoring the name type, no two - names can be the same (i.e. at least one of the - components, or the realm, must be different). - This constraint may be eliminated in the future. - -name-stringThis field encodes a sequence of components that - form a name, each component encoded as a General- - String. Taken together, a PrincipalName and a - Realm form a principal identifier. 
Most Princi- - palNames will have only a few components (typi- - cally one or two). - - - - KerberosTime ::= GeneralizedTime - -- Specifying UTC time zone (Z) - - - The timestamps used in Kerberos are encoded as General- -izedTimes. An encoding shall specify the UTC time zone (Z) -and shall not include any fractional portions of the -seconds. It further shall not include any separators. -Example: The only valid format for UTC time 6 minutes, 27 -seconds after 9 pm on 6 November 1985 is 19851106210627Z. - - HostAddress ::= SEQUENCE { - addr-type[0] INTEGER, - address[1] OCTET STRING - - -Section 5.2. - 40 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - } - - HostAddresses ::= SEQUENCE OF SEQUENCE { - addr-type[0] INTEGER, - address[1] OCTET STRING - } - - - The host adddress encodings consists of two fields: - -addr-type This field specifies the type of address that - follows. Pre-defined values for this field are - specified in section 8.1. - - -address This field encodes a single address of type addr- - type. - -The two forms differ slightly. HostAddress contains exactly -one address; HostAddresses contains a sequence of possibly -many addresses. - -AuthorizationData ::= SEQUENCE OF SEQUENCE { - ad-type[0] INTEGER, - ad-data[1] OCTET STRING -} - - -ad-data This field contains authorization data to be - interpreted according to the value of the - corresponding ad-type field. - -ad-type This field specifies the format for the ad-data - subfield. All negative values are reserved for - local use. Non-negative values are reserved for - registered use. - - APOptions ::= BIT STRING { - reserved(0), - use-session-key(1), - mutual-required(2) - } - - - TicketFlags ::= BIT STRING { - reserved(0), - forwardable(1), - forwarded(2), - proxiable(3), - proxy(4), - may-postdate(5), - postdated(6), - invalid(7), - renewable(8), - initial(9), - - -Section 5.2. 
- 41 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - pre-authent(10), - hw-authent(11), - transited-policy-checked(12), - ok-as-delegate(13) - } - - - KDCOptions ::= BIT STRING { - reserved(0), - forwardable(1), - forwarded(2), - proxiable(3), - proxy(4), - allow-postdate(5), - postdated(6), - unused7(7), - renewable(8), - unused9(9), - unused10(10), - unused11(11), - unused12(12), - unused13(13), - disable-transited-check(26), - renewable-ok(27), - enc-tkt-in-skey(28), - renew(30), - validate(31) - } - - ASN.1 Bit strings have a length and a value. When - used in Kerberos for the APOptions, TicketFlags, - and KDCOptions, the length of the bit string on - generated values should be the smallest multiple - of 32 bits needed to include the highest order bit - that is set (1), but in no case less than 32 bits. - Implementations should accept values of bit - strings of any length and treat the value of flags - cooresponding to bits beyond the end of the bit - string as if the bit were reset (0). Comparisonof - bit strings of different length should treat the - smaller string as if it were padded with zeros - beyond the high order bits to the length of the - longer string[23]. - -__________________________ -[23] Warning for implementations that unpack and repack -data structures during the generation and verification -of embedded checksums: Because any checksums applied to -data structures must be checked against the original -data the length of bit strings must be preserved within -a data structure between the time that a checksum is -generated through transmission to the time that the -checksum is verified. - - - -Section 5.2. - 42 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - LastReq ::= SEQUENCE OF SEQUENCE { - lr-type[0] INTEGER, - lr-value[1] KerberosTime - } - - -lr-type This field indicates how the following lr-value - field is to be interpreted. 
Negative values indi- - cate that the information pertains only to the - responding server. Non-negative values pertain to - all servers for the realm. - - If the lr-type field is zero (0), then no informa- - tion is conveyed by the lr-value subfield. If the - absolute value of the lr-type field is one (1), - then the lr-value subfield is the time of last - initial request for a TGT. If it is two (2), then - the lr-value subfield is the time of last initial - request. If it is three (3), then the lr-value - subfield is the time of issue for the newest - ticket-granting ticket used. If it is four (4), - then the lr-value subfield is the time of the last - renewal. If it is five (5), then the lr-value - subfield is the time of last request (of any - type). - - -lr-value This field contains the time of the last request. - The time must be interpreted according to the con- - tents of the accompanying lr-type subfield. - - See section 6 for the definitions of Checksum, Check- -sumType, EncryptedData, EncryptionKey, EncryptionType, and -KeyType. - - -5.3. Tickets and Authenticators - - This section describes the format and encryption param- -eters for tickets and authenticators. When a ticket or -authenticator is included in a protocol message it is -treated as an opaque object. - -5.3.1. Tickets - - A ticket is a record that helps a client authenticate -to a service. A Ticket contains the following information: - -Ticket ::= [APPLICATION 1] SEQUENCE { - tkt-vno[0] INTEGER, - realm[1] Realm, - sname[2] PrincipalName, - enc-part[3] EncryptedData -} - - -Section 5.3.1. 
- 43 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - --- Encrypted part of ticket -EncTicketPart ::= [APPLICATION 3] SEQUENCE { - flags[0] TicketFlags, - key[1] EncryptionKey, - crealm[2] Realm, - cname[3] PrincipalName, - transited[4] TransitedEncoding, - authtime[5] KerberosTime, - starttime[6] KerberosTime OPTIONAL, - endtime[7] KerberosTime, - renew-till[8] KerberosTime OPTIONAL, - caddr[9] HostAddresses OPTIONAL, - authorization-data[10] AuthorizationData OPTIONAL -} --- encoded Transited field -TransitedEncoding ::= SEQUENCE { - tr-type[0] INTEGER, -- must be registered - contents[1] OCTET STRING -} - -The encoding of EncTicketPart is encrypted in the key shared -by Kerberos and the end server (the server's secret key). -See section 6 for the format of the ciphertext. - -tkt-vno This field specifies the version number for the - ticket format. This document describes version - number 5. - - -realm This field specifies the realm that issued a - ticket. It also serves to identify the realm part - of the server's principal identifier. Since a - Kerberos server can only issue tickets for servers - within its realm, the two will always be identi- - cal. - - -sname This field specifies the name part of the server's - identity. - - -enc-part This field holds the encrypted encoding of the - EncTicketPart sequence. - - -flags This field indicates which of various options were - used or requested when the ticket was issued. It - is a bit-field, where the selected options are - indicated by the bit being set (1), and the - unselected options and reserved fields being reset - (0). Bit 0 is the most significant bit. The - encoding of the bits is specified in section 5.2. - The flags are described in more detail above in - section 2. The meanings of the flags are: - - -Section 5.3.1. 
- 44 - Expires 11 January 1998 - - - - - - Version 5 - Specification Revision 6 - - - Bit(s) Name Description - - 0 RESERVED - Reserved for future expansion of this - field. - - 1 FORWARDABLE - The FORWARDABLE flag is normally only - interpreted by the TGS, and can be - ignored by end servers. When set, this - flag tells the ticket-granting server - that it is OK to issue a new ticket- - granting ticket with a different network - address based on the presented ticket. - - 2 FORWARDED - When set, this flag indicates that the - ticket has either been forwarded or was - issued based on authentication involving - a forwarded ticket-granting ticket. - - 3 PROXIABLE - The PROXIABLE flag is normally only - interpreted by the TGS, and can be - ignored by end servers. The PROXIABLE - flag has an interpretation identical to - that of the FORWARDABLE flag, except - that the PROXIABLE flag tells the - ticket-granting server that only non- - ticket-granting tickets may be issued - with different network addresses. - - 4 PROXY - When set, this flag indicates that a - ticket is a proxy. - - 5 MAY-POSTDATE - The MAY-POSTDATE flag is normally only - interpreted by the TGS, and can be - ignored by end servers. This flag tells - the ticket-granting server that a post- - dated ticket may be issued based on this - ticket-granting ticket. - - 6 POSTDATED - This flag indicates that this ticket has - been postdated. The end-service can - check the authtime field to see when the - original authentication occurred. - - 7 INVALID - This flag indicates that a ticket is - invalid, and it must be validated by the - KDC before use. Application servers - must reject tickets which have this flag - set. - - - - - - - - -Section 5.3.1. 
- 45 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - 8 RENEWABLE - The RENEWABLE flag is normally only - interpreted by the TGS, and can usually - be ignored by end servers (some particu- - larly careful servers may wish to disal- - low renewable tickets). A renewable - ticket can be used to obtain a replace- - ment ticket that expires at a later - date. - - 9 INITIAL - This flag indicates that this ticket was - issued using the AS protocol, and not - issued based on a ticket-granting - ticket. - - 10 PRE-AUTHENT - This flag indicates that during initial - authentication, the client was authenti- - cated by the KDC before a ticket was - issued. The strength of the pre- - authentication method is not indicated, - but is acceptable to the KDC. - - 11 HW-AUTHENT - This flag indicates that the protocol - employed for initial authentication - required the use of hardware expected to - be possessed solely by the named client. - The hardware authentication method is - selected by the KDC and the strength of - the method is not indicated. - - - - -Section 5.3.1. - 46 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - 12 TRANSITED This flag indicates that the KDC for the - POLICY-CHECKED realm has checked the transited field - against a realm defined policy for - trusted certifiers. If this flag is - reset (0), then the application server - must check the transited field itself, - and if unable to do so it must reject - the authentication. If the flag is set - (1) then the application server may skip - its own validation of the transited - field, relying on the validation - performed by the KDC. At its option the - application server may still apply its - own validation based on a separate - policy for acceptance. - -Section 5.3.1. 
- 47 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - 13 OK-AS-DELEGATE This flag indicates that the server (not - the client) specified in the ticket has - been determined by policy of the realm - to be a suitable recipient of - delegation. A client can use the - presence of this flag to help it make a - decision whether to delegate credentials - (either grant a proxy or a forwarded - ticket granting ticket) to this server. - The client is free to ignore the value - of this flag. When setting this flag, - an administrator should consider the - security and placement of the server on - which the service will run, as well as - whether the service requires the use of - delegated credentials. - - - - -Section 5.3.1. - 48 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - 14 ANONYMOUS - This flag indicates that the principal - named in the ticket is a generic princi- - pal for the realm and does not identify - the individual using the ticket. The - purpose of the ticket is only to - securely distribute a session key, and - not to identify the user. Subsequent - requests using the same ticket and ses- - sion may be considered as originating - from the same user, but requests with - the same username but a different ticket - are likely to originate from different - users. - - 15-31 RESERVED - Reserved for future use. - - - -key This field exists in the ticket and the KDC - response and is used to pass the session key from - Kerberos to the application server and the client. - The field's encoding is described in section 6.2. - -crealm This field contains the name of the realm in which - the client is registered and in which initial - authentication took place. - - -cname This field contains the name part of the client's - principal identifier. - - -transited This field lists the names of the Kerberos realms - that took part in authenticating the user to whom - this ticket was issued. 
It does not specify the - order in which the realms were transited. See - section 3.3.3.2 for details on how this field - encodes the traversed realms. - - -authtime This field indicates the time of initial authenti- - cation for the named principal. It is the time of - issue for the original ticket on which this ticket - is based. It is included in the ticket to provide - additional information to the end service, and to - provide the necessary information for implementa- - tion of a `hot list' service at the KDC. An end - service that is particularly paranoid could refuse - to accept tickets for which the initial authenti- - cation occurred "too far" in the past. - - This field is also returned as part of the - response from the KDC. When returned as part of - the response to initial authentication - - -Section 5.3.1. - 49 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - (KRB_AS_REP), this is the current time on the Ker- - beros server[24]. - - -starttime This field in the ticket specifies the time after - which the ticket is valid. Together with endtime, - this field specifies the life of the ticket. If - it is absent from the ticket, its value should be - treated as that of the authtime field. - - -endtime This field contains the time after which the - ticket will not be honored (its expiration time). - Note that individual services may place their own - limits on the life of a ticket and may reject - tickets which have not yet expired. As such, this - is really an upper bound on the expiration time - for the ticket. - - -renew-tillThis field is only present in tickets that have - the RENEWABLE flag set in the flags field. It - indicates the maximum endtime that may be included - in a renewal. It can be thought of as the abso- - lute expiration time for the ticket, including all - renewals. - - -caddr This field in a ticket contains zero (if omitted) - or more (if present) host addresses. 
These are - the addresses from which the ticket can be used. - If there are no addresses, the ticket can be used - from any location. The decision by the KDC to - issue or by the end server to accept zero-address - tickets is a policy decision and is left to the - Kerberos and end-service administrators; they may - refuse to issue or accept such tickets. The sug- - gested and default policy, however, is that such - tickets will only be issued or accepted when addi- - tional information that can be used to restrict - the use of the ticket is included in the - authorization_data field. Such a ticket is a - capability. - - Network addresses are included in the ticket to - make it harder for an attacker to use stolen - credentials. Because the session key is not sent - over the network in cleartext, credentials can't -__________________________ -[24] It is NOT recommended that this time value be used -to adjust the workstation's clock since the workstation -cannot reliably determine that such a KRB_AS_REP actu- -ally came from the proper KDC in a timely manner. - - -Section 5.3.1. - 50 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - be stolen simply by listening to the network; an - attacker has to gain access to the session key - (perhaps through operating system security - breaches or a careless user's unattended session) - to make use of stolen tickets. - - It is important to note that the network address - from which a connection is received cannot be - reliably determined. Even if it could be, an - attacker who has compromised the client's worksta- - tion could use the credentials from there. - Including the network addresses only makes it more - difficult, not impossible, for an attacker to walk - off with stolen credentials and then use them from - a "safe" location. 
- - -authorization-data - The authorization-data field is used to pass - authorization data from the principal on whose - behalf a ticket was issued to the application ser- - vice. If no authorization data is included, this - field will be left out. Experience has shown that - the name of this field is confusing, and that a - better name for this field would be restrictions. - Unfortunately, it is not possible to change the - name of this field at this time. - - This field contains restrictions on any authority - obtained on the bases of authentication using the - ticket. It is possible for any principal in - posession of credentials to add entries to the - authorization data field since these entries - further restrict what can be done with the ticket. - Such additions can be made by specifying the addi- - tional entries when a new ticket is obtained dur- - ing the TGS exchange, or they may be added during - chained delegation using the authorization data - field of the authenticator. - - Because entries may be added to this field by the - holder of credentials, it is not allowable for the - presence of an entry in the authorization data - field of a ticket to amplify the priveleges one - would obtain from using a ticket. - - The data in this field may be specific to the end - service; the field will contain the names of ser- - vice specific objects, and the rights to those - objects. The format for this field is described - in section 5.2. Although Kerberos is not con- - cerned with the format of the contents of the sub- - fields, it does carry type information (ad-type). - - - -Section 5.3.1. - 51 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - By using the authorization_data field, a principal - is able to issue a proxy that is valid for a - specific purpose. For example, a client wishing - to print a file can obtain a file server proxy to - be passed to the print server. 
By specifying the - name of the file in the authorization_data field, - the file server knows that the print server can - only use the client's rights when accessing the - particular file to be printed. - - A separate service providing providing authoriza- - tion or certifying group membership may be built - using the authorization-data field. In this case, - the entity granting authorization (not the author- - ized entity), obtains a ticket in its own name - (e.g. the ticket is issued in the name of a - privelege server), and this entity adds restric- - tions on its own authority and delegates the res- - tricted authority through a proxy to the client. - The client would then present this authorization - credential to the application server separately - from the authentication exchange. - - Similarly, if one specifies the authorization-data - field of a proxy and leaves the host addresses - blank, the resulting ticket and session key can be - treated as a capability. See [7] for some sug- - gested uses of this field. - - The authorization-data field is optional and does - not have to be included in a ticket. - - -5.3.2. Authenticators - - An authenticator is a record sent with a ticket to a -server to certify the client's knowledge of the encryption -key in the ticket, to help the server detect replays, and to -help choose a "true session key" to use with the particular -session. The encoding is encrypted in the ticket's session -key shared by the client and the server: - --- Unencrypted authenticator -Authenticator ::= [APPLICATION 2] SEQUENCE { - authenticator-vno[0] INTEGER, - crealm[1] Realm, - cname[2] PrincipalName, - cksum[3] Checksum OPTIONAL, - cusec[4] INTEGER, - ctime[5] KerberosTime, - subkey[6] EncryptionKey OPTIONAL, - seq-number[7] INTEGER OPTIONAL, - authorization-data[8] AuthorizationData OPTIONAL -} - - - -Section 5.3.2. 
- 52 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -authenticator-vno - This field specifies the version number for the - format of the authenticator. This document speci- - fies version 5. - - -crealm and cname - These fields are the same as those described for - the ticket in section 5.3.1. - - -cksum This field contains a checksum of the the applica- - tion data that accompanies the KRB_AP_REQ. - - -cusec This field contains the microsecond part of the - client's timestamp. Its value (before encryption) - ranges from 0 to 999999. It often appears along - with ctime. The two fields are used together to - specify a reasonably accurate timestamp. - - -ctime This field contains the current time on the - client's host. - - -subkey This field contains the client's choice for an - encryption key which is to be used to protect this - specific application session. Unless an applica- - tion specifies otherwise, if this field is left - out the session key from the ticket will be used. - -seq-numberThis optional field includes the initial sequence - number to be used by the KRB_PRIV or KRB_SAFE mes- - sages when sequence numbers are used to detect - replays (It may also be used by application - specific messages). When included in the authen- - ticator this field specifies the initial sequence - number for messages from the client to the server. - When included in the AP-REP message, the initial - sequence number is that for messages from the - server to the client. When used in KRB_PRIV or - KRB_SAFE messages, it is incremented by one after - each message is sent. - - For sequence numbers to adequately support the - detection of replays they should be non-repeating, - even across connection boundaries. 
The initial - sequence number should be random and uniformly - distributed across the full space of possible - sequence numbers, so that it cannot be guessed by - an attacker and so that it and the successive - sequence numbers do not repeat other sequences. - - - -Section 5.3.2. - 53 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -authorization-data - This field is the same as described for the ticket - in section 5.3.1. It is optional and will only - appear when additional restrictions are to be - placed on the use of a ticket, beyond those car- - ried in the ticket itself. - -5.4. Specifications for the AS and TGS exchanges - - This section specifies the format of the messages used -in the exchange between the client and the Kerberos server. -The format of possible error messages appears in section -5.9.1. - -5.4.1. KRB_KDC_REQ definition - - The KRB_KDC_REQ message has no type of its own. -Instead, its type is one of KRB_AS_REQ or KRB_TGS_REQ -depending on whether the request is for an initial ticket or -an additional ticket. In either case, the message is sent -from the client to the Authentication Server to request -credentials for a service. 
- - The message fields are: - -AS-REQ ::= [APPLICATION 10] KDC-REQ -TGS-REQ ::= [APPLICATION 12] KDC-REQ - -KDC-REQ ::= SEQUENCE { - pvno[1] INTEGER, - msg-type[2] INTEGER, - padata[3] SEQUENCE OF PA-DATA OPTIONAL, - req-body[4] KDC-REQ-BODY -} - -PA-DATA ::= SEQUENCE { - padata-type[1] INTEGER, - padata-value[2] OCTET STRING, - -- might be encoded AP-REQ -} - -KDC-REQ-BODY ::= SEQUENCE { - kdc-options[0] KDCOptions, - cname[1] PrincipalName OPTIONAL, - -- Used only in AS-REQ - realm[2] Realm, -- Server's realm - -- Also client's in AS-REQ - sname[3] PrincipalName OPTIONAL, - from[4] KerberosTime OPTIONAL, - till[5] KerberosTime OPTIONAL, - rtime[6] KerberosTime OPTIONAL, - nonce[7] INTEGER, - etype[8] SEQUENCE OF INTEGER, - -- EncryptionType, - -- in preference order - - -Section 5.4.1. - 54 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - addresses[9] HostAddresses OPTIONAL, - enc-authorization-data[10] EncryptedData OPTIONAL, - -- Encrypted AuthorizationData - -- encoding - additional-tickets[11] SEQUENCE OF Ticket OPTIONAL -} - -The fields in this message are: - - -pvno This field is included in each message, and speci- - fies the protocol version number. This document - specifies protocol version 5. - - -msg-type This field indicates the type of a protocol mes- - sage. It will almost always be the same as the - application identifier associated with a message. - It is included to make the identifier more readily - accessible to the application. For the KDC-REQ - message, this type will be KRB_AS_REQ or - KRB_TGS_REQ. - - -padata The padata (pre-authentication data) field con- - tains a sequence of authentication information - which may be needed before credentials can be - issued or decrypted. In the case of requests for - additional tickets (KRB_TGS_REQ), this field will - include an element with padata-type of PA-TGS-REQ - and data of an authentication header (ticket- - granting ticket and authenticator). 
The checksum - in the authenticator (which must be collision- - proof) is to be computed over the KDC-REQ-BODY - encoding. In most requests for initial authenti- - cation (KRB_AS_REQ) and most replies (KDC-REP), - the padata field will be left out. - - This field may also contain information needed by - certain extensions to the Kerberos protocol. For - example, it might be used to initially verify the - identity of a client before any response is - returned. This is accomplished with a padata - field with padata-type equal to PA-ENC-TIMESTAMP - and padata-value defined as follows: - -padata-type ::= PA-ENC-TIMESTAMP -padata-value ::= EncryptedData -- PA-ENC-TS-ENC - -PA-ENC-TS-ENC ::= SEQUENCE { - patimestamp[0] KerberosTime, -- client's time - pausec[1] INTEGER OPTIONAL -} - - with patimestamp containing the client's time and - - -Section 5.4.1. - 55 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - pausec containing the microseconds which may be - omitted if a client will not generate more than - one request per second. The ciphertext (padata- - value) consists of the PA-ENC-TS-ENC sequence, - encrypted using the client's secret key. - - The padata field can also contain information - needed to help the KDC or the client select the - key needed for generating or decrypting the - response. This form of the padata is useful for - supporting the use of certain token cards with - Kerberos. The details of such extensions are - specified in separate documents. See [11] for - additional uses of this field. - -padata-type - The padata-type element of the padata field indi- - cates the way that the padata-value element is to - be interpreted. Negative values of padata-type - are reserved for unregistered use; non-negative - values are used for a registered interpretation of - the element type. - - -req-body This field is a placeholder delimiting the extent - of the remaining fields. 
If a checksum is to be - calculated over the request, it is calculated over - an encoding of the KDC-REQ-BODY sequence which is - enclosed within the req-body field. - - -kdc-options - This field appears in the KRB_AS_REQ and - KRB_TGS_REQ requests to the KDC and indicates the - flags that the client wants set on the tickets as - well as other information that is to modify the - behavior of the KDC. Where appropriate, the name - of an option may be the same as the flag that is - set by that option. Although in most case, the - bit in the options field will be the same as that - in the flags field, this is not guaranteed, so it - is not acceptable to simply copy the options field - to the flags field. There are various checks that - must be made before honoring an option anyway. - - The kdc_options field is a bit-field, where the - selected options are indicated by the bit being - set (1), and the unselected options and reserved - fields being reset (0). The encoding of the bits - is specified in section 5.2. The options are - described in more detail above in section 2. The - meanings of the options are: - - - - -Section 5.4.1. - 56 - Expires 11 January 1998 - - - - - Version 5 - Specification Revision 6 - - - Bit(s) Name Description - 0 RESERVED - Reserved for future expansion of this - field. - - 1 FORWARDABLE - The FORWARDABLE option indicates that - the ticket to be issued is to have its - forwardable flag set. It may only be - set on the initial request, or in a sub- - sequent request if the ticket-granting - ticket on which it is based is also for- - wardable. - - 2 FORWARDED - The FORWARDED option is only specified - in a request to the ticket-granting - server and will only be honored if the - ticket-granting ticket in the request - has its FORWARDABLE bit set. This - option indicates that this is a request - for forwarding. The address(es) of the - host from which the resulting ticket is - to be valid are included in the - addresses field of the request. 
- - 3 PROXIABLE - The PROXIABLE option indicates that the - ticket to be issued is to have its prox- - iable flag set. It may only be set on - the initial request, or in a subsequent - request if the ticket-granting ticket on - which it is based is also proxiable. - - 4 PROXY - The PROXY option indicates that this is - a request for a proxy. This option will - only be honored if the ticket-granting - ticket in the request has its PROXIABLE - bit set. The address(es) of the host - from which the resulting ticket is to be - valid are included in the addresses - field of the request. - - 5 ALLOW-POSTDATE - The ALLOW-POSTDATE option indicates that - the ticket to be issued is to have its - MAY-POSTDATE flag set. It may only be - set on the initial request, or in a sub- - sequent request if the ticket-granting - ticket on which it is based also has its - MAY-POSTDATE flag set. - - - - - - - -Section 5.4.1. - 57 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - 6 POSTDATED - The POSTDATED option indicates that this - is a request for a postdated ticket. - This option will only be honored if the - ticket-granting ticket on which it is - based has its MAY-POSTDATE flag set. - The resulting ticket will also have its - INVALID flag set, and that flag may be - reset by a subsequent request to the KDC - after the starttime in the ticket has - been reached. - - 7 UNUSED - This option is presently unused. - - 8 RENEWABLE - The RENEWABLE option indicates that the - ticket to be issued is to have its - RENEWABLE flag set. It may only be set - on the initial request, or when the - ticket-granting ticket on which the - request is based is also renewable. If - this option is requested, then the rtime - field in the request contains the - desired absolute expiration time for the - ticket. - - 9-13 UNUSED - These options are presently unused. 
- - 14 REQUEST-ANONYMOUS - The REQUEST-ANONYMOUS option indicates - that the ticket to be issued is not to - identify the user to which it was - issued. Instead, the principal identif- - ier is to be generic, as specified by - the policy of the realm (e.g. usually - anonymous@realm). The purpose of the - ticket is only to securely distribute a - session key, and not to identify the - user. The ANONYMOUS flag on the ticket - to be returned should be set. If the - local realms policy does not permit - anonymous credentials, the request is to - be rejected. - - 15-25 RESERVED - Reserved for future use. - - 26 DISABLE-TRANSITED-CHECK - By default the KDC will check the - transited field of a ticket-granting- - ticket against the policy of the local - realm before it will issue derivative - tickets based on the ticket granting - ticket. If this flag is set in the - request, checking of the transited field - is disabled. Tickets issued without the - performance of this check will be noted - by the reset (0) value of the - TRANSITED-POLICY-CHECKED flag, - indicating to the application server - that the tranisted field must be checked - locally. KDC's are encouraged but not - required to honor the - DISABLE-TRANSITED-CHECK option. - - - -Section 5.4.1. - 58 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - 27 RENEWABLE-OK - The RENEWABLE-OK option indicates that a - renewable ticket will be acceptable if a - ticket with the requested life cannot - otherwise be provided. If a ticket with - the requested life cannot be provided, - then a renewable ticket may be issued - with a renew-till equal to the the - requested endtime. The value of the - renew-till field may still be limited by - local limits, or limits selected by the - individual principal or server. - - 28 ENC-TKT-IN-SKEY - This option is used only by the ticket- - granting service. 
The ENC-TKT-IN-SKEY - option indicates that the ticket for the - end server is to be encrypted in the - session key from the additional ticket- - granting ticket provided. - - 29 RESERVED - Reserved for future use. - - 30 RENEW - This option is used only by the ticket- - granting service. The RENEW option - indicates that the present request is - for a renewal. The ticket provided is - encrypted in the secret key for the - server on which it is valid. This - option will only be honored if the - ticket to be renewed has its RENEWABLE - flag set and if the time in its renew- - till field has not passed. The ticket - to be renewed is passed in the padata - field as part of the authentication - header. - - 31 VALIDATE - This option is used only by the ticket- - granting service. The VALIDATE option - indicates that the request is to vali- - date a postdated ticket. It will only - be honored if the ticket presented is - postdated, presently has its INVALID - flag set, and would be otherwise usable - at this time. A ticket cannot be vali- - dated before its starttime. The ticket - presented for validation is encrypted in - the key of the server for which it is - valid and is passed in the padata field - as part of the authentication header. - -cname and sname - These fields are the same as those described for - the ticket in section 5.3.1. sname may only be - - -Section 5.4.1. - 59 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - absent when the ENC-TKT-IN-SKEY option is speci- - fied. If absent, the name of the server is taken - from the name of the client in the ticket passed - as additional-tickets. 
- - -enc-authorization-data - The enc-authorization-data, if present (and it can - only be present in the TGS_REQ form), is an encod- - ing of the desired authorization-data encrypted - under the sub-session key if present in the - Authenticator, or alternatively from the session - key in the ticket-granting ticket, both from the - padata field in the KRB_AP_REQ. - - -realm This field specifies the realm part of the - server's principal identifier. In the AS - exchange, this is also the realm part of the - client's principal identifier. - - -from This field is included in the KRB_AS_REQ and - KRB_TGS_REQ ticket requests when the requested - ticket is to be postdated. It specifies the - desired start time for the requested ticket. - - - -till This field contains the expiration date requested - by the client in a ticket request. It is option - and if omitted the requested ticket is to have the - maximum endtime permitted according to KDC policy - for the parties to the authentication exchange as - limited by expiration date of the ticket granting - ticket or other preauthentication credentials. - - -rtime This field is the requested renew-till time sent - from a client to the KDC in a ticket request. It - is optional. - - -nonce This field is part of the KDC request and - response. It it intended to hold a random number - generated by the client. If the same number is - included in the encrypted response from the KDC, - it provides evidence that the response is fresh - and has not been replayed by an attacker. Nonces - must never be re-used. Ideally, it should be gen- - erated randomly, but if the correct time is known, - it may suffice[25]. -__________________________ -[25] Note, however, that if the time is used as the - -Section 5.4.1. - 60 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -etype This field specifies the desired encryption algo- - rithm to be used in the response. 
- - -addresses This field is included in the initial request for - tickets, and optionally included in requests for - additional tickets from the ticket-granting - server. It specifies the addresses from which the - requested ticket is to be valid. Normally it - includes the addresses for the client's host. If - a proxy is requested, this field will contain - other addresses. The contents of this field are - usually copied by the KDC into the caddr field of - the resulting ticket. - - -additional-tickets - Additional tickets may be optionally included in a - request to the ticket-granting server. If the - ENC-TKT-IN-SKEY option has been specified, then - the session key from the additional ticket will be - used in place of the server's key to encrypt the - new ticket. If more than one option which - requires additional tickets has been specified, - then the additional tickets are used in the order - specified by the ordering of the options bits (see - kdc-options, above). - - - The application code will be either ten (10) or twelve -(12) depending on whether the request is for an initial -ticket (AS-REQ) or for an additional ticket (TGS-REQ). - - The optional fields (addresses, authorization-data and -additional-tickets) are only included if necessary to per- -form the operation specified in the kdc-options field. - - It should be noted that in KRB_TGS_REQ, the protocol -version number appears twice and two different message types -appear: the KRB_TGS_REQ message contains these fields as -does the authentication header (KRB_AP_REQ) that is passed -in the padata field. - -5.4.2. KRB_KDC_REP definition - - The KRB_KDC_REP message format is used for the reply -from the KDC for either an initial (AS) request or a subse- -quent (TGS) request. There is no message type for -__________________________ -nonce, one must make sure that the workstation time is -monotonically increasing. 
If the time is ever reset -backwards, there is a small, but finite, probability -that a nonce will be reused. - - - -Section 5.4.2. - 61 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -KRB_KDC_REP. Instead, the type will be either KRB_AS_REP or -KRB_TGS_REP. The key used to encrypt the ciphertext part of -the reply depends on the message type. For KRB_AS_REP, the -ciphertext is encrypted in the client's secret key, and the -client's key version number is included in the key version -number for the encrypted data. For KRB_TGS_REP, the cipher- -text is encrypted in the sub-session key from the Authenti- -cator, or if absent, the session key from the ticket- -granting ticket used in the request. In that case, no ver- -sion number will be present in the EncryptedData sequence. - - The KRB_KDC_REP message contains the following fields: - -AS-REP ::= [APPLICATION 11] KDC-REP -TGS-REP ::= [APPLICATION 13] KDC-REP - -KDC-REP ::= SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - padata[2] SEQUENCE OF PA-DATA OPTIONAL, - crealm[3] Realm, - cname[4] PrincipalName, - ticket[5] Ticket, - enc-part[6] EncryptedData -} - - -EncASRepPart ::= [APPLICATION 25[27]] EncKDCRepPart -EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart - - - -EncKDCRepPart ::= SEQUENCE { - key[0] EncryptionKey, - last-req[1] LastReq, - nonce[2] INTEGER, - key-expiration[3] KerberosTime OPTIONAL, - flags[4] TicketFlags, - authtime[5] KerberosTime, - starttime[6] KerberosTime OPTIONAL, - endtime[7] KerberosTime, - renew-till[8] KerberosTime OPTIONAL, - srealm[9] Realm, - sname[10] PrincipalName, - caddr[11] HostAddresses OPTIONAL -} - - -pvno and msg-type - These fields are described above in section 5.4.1. - msg-type is either KRB_AS_REP or KRB_TGS_REP. -__________________________ -[27] An application code in the encrypted part of a -message provides an additional check that the message -was decrypted properly. - - -Section 5.4.2. 
- 62 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -padata This field is described in detail in section - 5.4.1. One possible use for this field is to - encode an alternate "mix-in" string to be used - with a string-to-key algorithm (such as is - described in section 6.3.2). This ability is use- - ful to ease transitions if a realm name needs to - change (e.g. when a company is acquired); in such - a case all existing password-derived entries in - the KDC database would be flagged as needing a - special mix-in string until the next password - change. - - -crealm, cname, srealm and sname - These fields are the same as those described for - the ticket in section 5.3.1. - - -ticket The newly-issued ticket, from section 5.3.1. - - -enc-part This field is a place holder for the ciphertext - and related information that forms the encrypted - part of a message. The description of the - encrypted part of the message follows each appear- - ance of this field. The encrypted part is encoded - as described in section 6.1. - - -key This field is the same as described for the ticket - in section 5.3.1. - - -last-req This field is returned by the KDC and specifies - the time(s) of the last request by a principal. - Depending on what information is available, this - might be the last time that a request for a - ticket-granting ticket was made, or the last time - that a request based on a ticket-granting ticket - was successful. It also might cover all servers - for a realm, or just the particular server. Some - implementations may display this information to - the user to aid in discovering unauthorized use of - one's identity. It is similar in spirit to the - last login time displayed when logging into - timesharing systems. - - -nonce This field is described above in section 5.4.1. - - -key-expiration - The key-expiration field is part of the response - from the KDC and specifies the time that the - - -Section 5.4.2. 
- 63 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - client's secret key is due to expire. The expira- - tion might be the result of password aging or an - account expiration. This field will usually be - left out of the TGS reply since the response to - the TGS request is encrypted in a session key and - no client information need be retrieved from the - KDC database. It is up to the application client - (usually the login program) to take appropriate - action (such as notifying the user) if the expira- - tion time is imminent. - - -flags, authtime, starttime, endtime, renew-till and caddr - These fields are duplicates of those found in the - encrypted portion of the attached ticket (see sec- - tion 5.3.1), provided so the client may verify - they match the intended request and to assist in - proper ticket caching. If the message is of type - KRB_TGS_REP, the caddr field will only be filled - in if the request was for a proxy or forwarded - ticket, or if the user is substituting a subset of - the addresses from the ticket granting ticket. If - the client-requested addresses are not present or - not used, then the addresses contained in the - ticket will be the same as those included in the - ticket-granting ticket. - - -5.5. Client/Server (CS) message specifications - - This section specifies the format of the messages used -for the authentication of the client to the application -server. - -5.5.1. KRB_AP_REQ definition - - The KRB_AP_REQ message contains the Kerberos protocol -version number, the message type KRB_AP_REQ, an options -field to indicate any options in use, and the ticket and -authenticator themselves. The KRB_AP_REQ message is often -referred to as the "authentication header". 
- -AP-REQ ::= [APPLICATION 14] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - ap-options[2] APOptions, - ticket[3] Ticket, - authenticator[4] EncryptedData -} - -APOptions ::= BIT STRING { - reserved(0), - use-session-key(1), - mutual-required(2) - - -Section 5.5.1. - 64 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -} - - -pvno and msg-type - These fields are described above in section 5.4.1. - msg-type is KRB_AP_REQ. - - -ap-optionsThis field appears in the application request - (KRB_AP_REQ) and affects the way the request is - processed. It is a bit-field, where the selected - options are indicated by the bit being set (1), - and the unselected options and reserved fields - being reset (0). The encoding of the bits is - specified in section 5.2. The meanings of the - options are: - - Bit(s) Name Description - - 0 RESERVED - Reserved for future expansion of this - field. - - 1 USE-SESSION-KEY - The USE-SESSION-KEY option indicates - that the ticket the client is presenting - to a server is encrypted in the session - key from the server's ticket-granting - ticket. When this option is not speci- - fied, the ticket is encrypted in the - server's secret key. - - 2 MUTUAL-REQUIRED - The MUTUAL-REQUIRED option tells the - server that the client requires mutual - authentication, and that it must respond - with a KRB_AP_REP message. - - 3-31 RESERVED - Reserved for future use. - - - -ticket This field is a ticket authenticating the client - to the server. - - -authenticator - This contains the authenticator, which includes - the client's choice of a subkey. Its encoding is - described in section 5.3.2. - -5.5.2. KRB_AP_REP definition - - The KRB_AP_REP message contains the Kerberos protocol -version number, the message type, and an encrypted time- -stamp. The message is sent in in response to an application -request (KRB_AP_REQ) where the mutual authentication option - - -Section 5.5.2. 
- 65 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -has been selected in the ap-options field. - -AP-REP ::= [APPLICATION 15] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - enc-part[2] EncryptedData -} - -EncAPRepPart ::= [APPLICATION 27[29]] SEQUENCE { - ctime[0] KerberosTime, - cusec[1] INTEGER, - subkey[2] EncryptionKey OPTIONAL, - seq-number[3] INTEGER OPTIONAL -} - -The encoded EncAPRepPart is encrypted in the shared session -key of the ticket. The optional subkey field can be used in -an application-arranged negotiation to choose a per associa- -tion session key. - - -pvno and msg-type - These fields are described above in section 5.4.1. - msg-type is KRB_AP_REP. - - -enc-part This field is described above in section 5.4.2. - - -ctime This field contains the current time on the - client's host. - - -cusec This field contains the microsecond part of the - client's timestamp. - - -subkey This field contains an encryption key which is to - be used to protect this specific application ses- - sion. See section 3.2.6 for specifics on how this - field is used to negotiate a key. Unless an - application specifies otherwise, if this field is - left out, the sub-session key from the authentica- - tor, or if also left out, the session key from the - ticket will be used. - - - -__________________________ -[29] An application code in the encrypted part of a -message provides an additional check that the message -was decrypted properly. - - - -Section 5.5.2. - 66 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -5.5.3. Error message reply - - If an error occurs while processing the application -request, the KRB_ERROR message will be sent in response. -See section 5.9.1 for the format of the error message. The -cname and crealm fields may be left out if the server cannot -determine their appropriate values from the corresponding -KRB_AP_REQ message. 
If the authenticator was decipherable, -the ctime and cusec fields will contain the values from it. - -5.6. KRB_SAFE message specification - - This section specifies the format of a message that can -be used by either side (client or server) of an application -to send a tamper-proof message to its peer. It presumes -that a session key has previously been exchanged (for exam- -ple, by using the KRB_AP_REQ/KRB_AP_REP messages). - -5.6.1. KRB_SAFE definition - - The KRB_SAFE message contains user data along with a -collision-proof checksum keyed with the last encryption key -negotiated via subkeys, or the session key if no negotiation -has occured. The message fields are: - -KRB-SAFE ::= [APPLICATION 20] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - safe-body[2] KRB-SAFE-BODY, - cksum[3] Checksum -} - -KRB-SAFE-BODY ::= SEQUENCE { - user-data[0] OCTET STRING, - timestamp[1] KerberosTime OPTIONAL, - usec[2] INTEGER OPTIONAL, - seq-number[3] INTEGER OPTIONAL, - s-address[4] HostAddress OPTIONAL, - r-address[5] HostAddress OPTIONAL -} - - - - -pvno and msg-type - These fields are described above in section 5.4.1. - msg-type is KRB_SAFE. - - -safe-body This field is a placeholder for the body of the - KRB-SAFE message. It is to be encoded separately - and then have the checksum computed over it, for - use in the cksum field. - - - -Section 5.6.1. - 67 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -cksum This field contains the checksum of the applica- - tion data. Checksum details are described in sec- - tion 6.4. The checksum is computed over the - encoding of the KRB-SAFE-BODY sequence. - - -user-data This field is part of the KRB_SAFE and KRB_PRIV - messages and contain the application specific data - that is being passed from the sender to the reci- - pient. - - -timestamp This field is part of the KRB_SAFE and KRB_PRIV - messages. Its contents are the current time as - known by the sender of the message. 
By checking - the timestamp, the recipient of the message is - able to make sure that it was recently generated, - and is not a replay. - - -usec This field is part of the KRB_SAFE and KRB_PRIV - headers. It contains the microsecond part of the - timestamp. - - -seq-number - This field is described above in section 5.3.2. - - -s-address This field specifies the address in use by the - sender of the message. - - -r-address This field specifies the address in use by the - recipient of the message. It may be omitted for - some uses (such as broadcast protocols), but the - recipient may arbitrarily reject such messages. - This field along with s-address can be used to - help detect messages which have been incorrectly - or maliciously delivered to the wrong recipient. - -5.7. KRB_PRIV message specification - - This section specifies the format of a message that can -be used by either side (client or server) of an application -to securely and privately send a message to its peer. It -presumes that a session key has previously been exchanged -(for example, by using the KRB_AP_REQ/KRB_AP_REP messages). - -5.7.1. KRB_PRIV definition - - The KRB_PRIV message contains user data encrypted in -the Session Key. The message fields are: - -__________________________ -[31] An application code in the encrypted part of a - - - - - - - Version 5 - Specification Revision 6 - - - -KRB-PRIV ::= [APPLICATION 21] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - enc-part[3] EncryptedData -} - -EncKrbPrivPart ::= [APPLICATION 28[31]] SEQUENCE { - user-data[0] OCTET STRING, - timestamp[1] KerberosTime OPTIONAL, - usec[2] INTEGER OPTIONAL, - seq-number[3] INTEGER OPTIONAL, - s-address[4] HostAddress OPTIONAL, -- sender's addr - r-address[5] HostAddress OPTIONAL -- recip's addr -} - - - -pvno and msg-type - These fields are described above in section 5.4.1. - msg-type is KRB_PRIV. 
- - -enc-part This field holds an encoding of the EncKrbPrivPart - sequence encrypted under the session key[32]. - This encrypted encoding is used for the enc-part - field of the KRB-PRIV message. See section 6 for - the format of the ciphertext. - - -user-data, timestamp, usec, s-address and r-address - These fields are described above in section 5.6.1. - - -seq-number - This field is described above in section 5.3.2. - -5.8. KRB_CRED message specification - - This section specifies the format of a message that can -be used to send Kerberos credentials from one principal to -__________________________ -message provides an additional check that the message -was decrypted properly. -[32] If supported by the encryption method in use, an -initialization vector may be passed to the encryption -procedure, in order to achieve proper cipher chaining. -The initialization vector might come from the last -block of the ciphertext from the previous KRB_PRIV mes- -sage, but it is the application's choice whether or not -to use such an initialization vector. If left out, the -default initialization vector for the encryption algo- -rithm will be used. - - -Section 5.8. - 69 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -another. It is presented here to encourage a common mechan- -ism to be used by applications when forwarding tickets or -providing proxies to subordinate servers. It presumes that -a session key has already been exchanged perhaps by using -the KRB_AP_REQ/KRB_AP_REP messages. - -5.8.1. KRB_CRED definition - - The KRB_CRED message contains a sequence of tickets to -be sent and information needed to use the tickets, including -the session key from each. The information needed to use -the tickets is encrypted under an encryption key previously -exchanged or transferred alongside the KRB_CRED message. 
-The message fields are: - -KRB-CRED ::= [APPLICATION 22] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, -- KRB_CRED - tickets[2] SEQUENCE OF Ticket, - enc-part[3] EncryptedData -} - -EncKrbCredPart ::= [APPLICATION 29] SEQUENCE { - ticket-info[0] SEQUENCE OF KrbCredInfo, - nonce[1] INTEGER OPTIONAL, - timestamp[2] KerberosTime OPTIONAL, - usec[3] INTEGER OPTIONAL, - s-address[4] HostAddress OPTIONAL, - r-address[5] HostAddress OPTIONAL -} - -KrbCredInfo ::= SEQUENCE { - key[0] EncryptionKey, - prealm[1] Realm OPTIONAL, - pname[2] PrincipalName OPTIONAL, - flags[3] TicketFlags OPTIONAL, - authtime[4] KerberosTime OPTIONAL, - starttime[5] KerberosTime OPTIONAL, - endtime[6] KerberosTime OPTIONAL - renew-till[7] KerberosTime OPTIONAL, - srealm[8] Realm OPTIONAL, - sname[9] PrincipalName OPTIONAL, - caddr[10] HostAddresses OPTIONAL -} - - - - - -pvno and msg-type - These fields are described above in section 5.4.1. - msg-type is KRB_CRED. - - - - -Section 5.8.1. - 70 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -tickets - These are the tickets obtained from the KDC - specifically for use by the intended recipient. - Successive tickets are paired with the correspond- - ing KrbCredInfo sequence from the enc-part of the - KRB-CRED message. - - -enc-part This field holds an encoding of the EncKrbCredPart - sequence encrypted under the session key shared - between the sender and the intended recipient. - This encrypted encoding is used for the enc-part - field of the KRB-CRED message. See section 6 for - the format of the ciphertext. - - -nonce If practical, an application may require the - inclusion of a nonce generated by the recipient of - the message. If the same value is included as the - nonce in the message, it provides evidence that - the message is fresh and has not been replayed by - an attacker. 
A nonce must never be re-used; it - should be generated randomly by the recipient of - the message and provided to the sender of the mes- - sage in an application specific manner. - - -timestamp and usec - - These fields specify the time that the KRB-CRED - message was generated. The time is used to pro- - vide assurance that the message is fresh. - - -s-address and r-address - These fields are described above in section 5.6.1. - They are used optionally to provide additional - assurance of the integrity of the KRB-CRED mes- - sage. - - -key This field exists in the corresponding ticket - passed by the KRB-CRED message and is used to pass - the session key from the sender to the intended - recipient. The field's encoding is described in - section 6.2. - - The following fields are optional. If present, they -can be associated with the credentials in the remote ticket -file. If left out, then it is assumed that the recipient of -the credentials already knows their value. - - -prealm and pname - - -Section 5.8.1. - 71 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - The name and realm of the delegated principal - identity. - - -flags, authtime, starttime, endtime, renew-till, srealm, - sname, and caddr - These fields contain the values of the correspond- - ing fields from the ticket found in the ticket - field. Descriptions of the fields are identical - to the descriptions in the KDC-REP message. - -5.9. Error message specification - - This section specifies the format for the KRB_ERROR -message. The fields included in the message are intended to -return as much information as possible about an error. It -is not expected that all the information required by the -fields will be available for all types of errors. If the -appropriate information is not available when the message is -composed, the corresponding field will be left out of the -message. 
- - Note that since the KRB_ERROR message is not protected -by any encryption, it is quite possible for an intruder to -synthesize or modify such a message. In particular, this -means that the client should not use any fields in this mes- -sage for security-critical purposes, such as setting a sys- -tem clock or generating a fresh authenticator. The message -can be useful, however, for advising a user on the reason -for some failure. - -5.9.1. KRB_ERROR definition - - The KRB_ERROR message consists of the following fields: - -KRB-ERROR ::= [APPLICATION 30] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - ctime[2] KerberosTime OPTIONAL, - cusec[3] INTEGER OPTIONAL, - stime[4] KerberosTime, - susec[5] INTEGER, - error-code[6] INTEGER, - crealm[7] Realm OPTIONAL, - cname[8] PrincipalName OPTIONAL, - realm[9] Realm, -- Correct realm - sname[10] PrincipalName, -- Correct name - e-text[11] GeneralString OPTIONAL, - e-data[12] OCTET STRING OPTIONAL, - e-cksum[13] Checksum OPTIONAL -} - - - - - -Section 5.9.1. - 72 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -pvno and msg-type - These fields are described above in section 5.4.1. - msg-type is KRB_ERROR. - - -ctime This field is described above in section 5.4.1. - - - -cusec This field is described above in section 5.5.2. - - -stime This field contains the current time on the - server. It is of type KerberosTime. - - -susec This field contains the microsecond part of the - server's timestamp. Its value ranges from 0 to - 999999. It appears along with stime. The two - fields are used in conjunction to specify a rea- - sonably accurate timestamp. - - -error-codeThis field contains the error code returned by - Kerberos or the server when a request fails. To - interpret the value of this field see the list of - error codes in section 8. Implementations are - encouraged to provide for national language sup- - port in the display of error messages. 
- - -crealm, cname, srealm and sname - These fields are described above in section 5.3.1. - - -e-text This field contains additional text to help - explain the error code associated with the failed - request (for example, it might include a principal - name which was unknown). - - -e-data This field contains additional data about the - error for use by the application to help it - recover from or handle the error. If the error- - code is KDC_ERR_PREAUTH_REQUIRED, then the e-data - field will contain an encoding of a sequence of - padata fields, each corresponding to an acceptable - pre-authentication method and optionally contain- - ing data for the method: - - -e-cksum This field contains an optional checksum for the - KRB-ERROR message. The checksum is calculated - over the Kerberos ASN.1 encoding of the KRB-ERROR - - -Section 5.9.1. - 73 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - message with the checksum absent. The checksum is - then added to the KRB-ERROR structure and the mes- - sage is re-encoded. The Checksum should be calcu- - lated using the session key from the ticket grant- - ing ticket or service ticket, where available. If - the error is in response to a TGS or AP request, - the checksum should be calculated uing the the - session key from the client's ticket. If the - error is in response to an AS request, then the - checksum should be calulated using the client's - secret key ONLY if there has been suitable preau- - thentication to prove knowledge of the secret key - by the client[33]. If a checksum can not be com- - puted because the key to be used is not available, - no checksum will be included. 
- - METHOD-DATA ::= SEQUENCE of PA-DATA - - - If the error-code is KRB_AP_ERR_METHOD, then the - e-data field will contain an encoding of the fol- - lowing sequence: - - METHOD-DATA ::= SEQUENCE { - method-type[0] INTEGER, - method-data[1] OCTET STRING OPTIONAL - } - - method-type will indicate the required alternate - method; method-data will contain any required - additional information. - - - -6. Encryption and Checksum Specifications - -The Kerberos protocols described in this document are -designed to use stream encryption ciphers, which can be -simulated using commonly available block encryption ciphers, -such as the Data Encryption Standard, [12] in conjunction -with block chaining and checksum methods [13]. Encryption -is used to prove the identities of the network entities par- -ticipating in message exchanges. The Key Distribution -Center for each realm is trusted by all principals -registered in that realm to store a secret key in confi- -dence. Proof of knowledge of this secret key is used to -verify the authenticity of a principal. - - The KDC uses the principal's secret key (in the AS -__________________________ -[33] This prevents an attacker who generates an in- -correct AS request from obtaining verifiable plaintext -for use in an off-line password guessing attack. - - -Section 6. - 74 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -exchange) or a shared session key (in the TGS exchange) to -encrypt responses to ticket requests; the ability to obtain -the secret key or session key implies the knowledge of the -appropriate keys and the identity of the KDC. 
The ability -of a principal to decrypt the KDC response and present a -Ticket and a properly formed Authenticator (generated with -the session key from the KDC response) to a service verifies -the identity of the principal; likewise the ability of the -service to extract the session key from the Ticket and prove -its knowledge thereof in a response verifies the identity of -the service. - - The Kerberos protocols generally assume that the -encryption used is secure from cryptanalysis; however, in -some cases, the order of fields in the encrypted portions of -messages are arranged to minimize the effects of poorly -chosen keys. It is still important to choose good keys. If -keys are derived from user-typed passwords, those passwords -need to be well chosen to make brute force attacks more dif- -ficult. Poorly chosen keys still make easy targets for -intruders. - - The following sections specify the encryption and -checksum mechanisms currently defined for Kerberos. The -encodings, chaining, and padding requirements for each are -described. For encryption methods, it is often desirable to -place random information (often referred to as a confounder) -at the start of the message. The requirements for a con- -founder are specified with each encryption mechanism. - - Some encryption systems use a block-chaining method to -improve the the security characteristics of the ciphertext. -However, these chaining methods often don't provide an -integrity check upon decryption. Such systems (such as DES -in CBC mode) must be augmented with a checksum of the plain- -text which can be verified at decryption and used to detect -any tampering or damage. Such checksums should be good at -detecting burst errors in the input. If any damage is -detected, the decryption routine is expected to return an -error indicating the failure of an integrity check. Each -encryption type is expected to provide and verify an -appropriate checksum. 
The specification of each encryption -method sets out its checksum requirements. - - Finally, where a key is to be derived from a user's -password, an algorithm for converting the password to a key -of the appropriate type is included. It is desirable for -the string to key function to be one-way, and for the map- -ping to be different in different realms. This is important -because users who are registered in more than one realm will -often use the same password in each, and it is desirable -that an attacker compromising the Kerberos server in one -realm not obtain or derive the user's key in another. - - - -Section 6. - 75 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - For an discussion of the integrity characteristics of -the candidate encryption and checksum methods considered for -Kerberos, the the reader is referred to [14]. - -6.1. Encryption Specifications - - The following ASN.1 definition describes all encrypted -messages. The enc-part field which appears in the unen- -crypted part of messages in section 5 is a sequence consist- -ing of an encryption type, an optional key version number, -and the ciphertext. - - -EncryptedData ::= SEQUENCE { - etype[0] INTEGER, -- EncryptionType - kvno[1] INTEGER OPTIONAL, - cipher[2] OCTET STRING -- ciphertext -} - - -etype This field identifies which encryption algorithm - was used to encipher the cipher. Detailed specif- - ications for selected encryption types appear - later in this section. - - -kvno This field contains the version number of the key - under which data is encrypted. It is only present - in messages encrypted under long lasting keys, - such as principals' secret keys. - - -cipher This field contains the enciphered text, encoded - as an OCTET STRING. - - - The cipher field is generated by applying the specified -encryption algorithm to data composed of the message and -algorithm-specific inputs. 
Encryption mechanisms defined -for use with Kerberos must take sufficient measures to -guarantee the integrity of the plaintext, and we recommend -they also take measures to protect against precomputed dic- -tionary attacks. If the encryption algorithm is not itself -capable of doing so, the protections can often be enhanced -by adding a checksum and a confounder. - - The suggested format for the data to be encrypted -includes a confounder, a checksum, the encoded plaintext, -and any necessary padding. The msg-seq field contains the -part of the protocol message described in section 5 which is -to be encrypted. The confounder, checksum, and padding are -all untagged and untyped, and their length is exactly suffi- -cient to hold the appropriate item. The type and length is -implicit and specified by the particular encryption type - - -Section 6.1. - 76 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -being used (etype). The format for the data to be encrypted -is described in the following diagram: - - +-----------+----------+-------------+-----+ - |confounder | check | msg-seq | pad | - +-----------+----------+-------------+-----+ - -The format cannot be described in ASN.1, but for those who -prefer an ASN.1-like notation: - -CipherText ::= ENCRYPTED SEQUENCE { - confounder[0] UNTAGGED[35] OCTET STRING(conf_length) OPTIONAL, - check[1] UNTAGGED OCTET STRING(checksum_length) OPTIONAL, - msg-seq[2] MsgSequence, - pad UNTAGGED OCTET STRING(pad_length) OPTIONAL -} - - - One generates a random confounder of the appropriate -length, placing it in confounder; zeroes out check; calcu- -lates the appropriate checksum over confounder, check, and -msg-seq, placing the result in check; adds the necessary -padding; then encrypts using the specified encryption type -and the appropriate key. 
- - Unless otherwise specified, a definition of an encryp- -tion algorithm that specifies a checksum, a length for the -confounder field, or an octet boundary for padding uses this -ciphertext format[36]. Those fields which are not specified -will be omitted. - - In the interest of allowing all implementations using a -__________________________ -[35] In the above specification, UNTAGGED OCTET -STRING(length) is the notation for an octet string with -its tag and length removed. It is not a valid ASN.1 -type. The tag bits and length must be removed from the -confounder since the purpose of the confounder is so -that the message starts with random data, but the tag -and its length are fixed. For other fields, the length -and tag would be redundant if they were included be- -cause they are specified by the encryption type. -[36] The ordering of the fields in the CipherText is -important. Additionally, messages encoded in this for- -mat must include a length as part of the msg-seq field. -This allows the recipient to verify that the message -has not been truncated. Without a length, an attacker -could use a chosen plaintext attack to generate a mes- -sage which could be truncated, while leaving the check- -sum intact. Note that if the msg-seq is an encoding of -an ASN.1 SEQUENCE or OCTET STRING, then the length is -part of that encoding. - - - -Section 6.1. - 77 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -particular encryption type to communicate with all others -using that type, the specification of an encryption type -defines any checksum that is needed as part of the encryp- -tion process. If an alternative checksum is to be used, a -new encryption type must be defined. - - Some cryptosystems require additional information -beyond the key and the data to be encrypted. For example, -DES, when used in cipher-block-chaining mode, requires an -initialization vector. 
If required, the description for -each encryption type must specify the source of such addi- -tional information. - -6.2. Encryption Keys - - The sequence below shows the encoding of an encryption -key: - - EncryptionKey ::= SEQUENCE { - keytype[0] INTEGER, - keyvalue[1] OCTET STRING - } - - -keytype This field specifies the type of encryption key - that follows in the keyvalue field. It will - almost always correspond to the encryption algo- - rithm used to generate the EncryptedData, though - more than one algorithm may use the same type of - key (the mapping is many to one). This might hap- - pen, for example, if the encryption algorithm uses - an alternate checksum algorithm for an integrity - check, or a different chaining mechanism. - - -keyvalue This field contains the key itself, encoded as an - octet string. - - All negative values for the encryption key type are -reserved for local use. All non-negative values are -reserved for officially assigned type fields and interpreta- -tions. - -6.3. Encryption Systems - -6.3.1. The NULL Encryption System (null) - - If no encryption is in use, the encryption system is -said to be the NULL encryption system. In the NULL encryp- -tion system there is no checksum, confounder or padding. -The ciphertext is simply the plaintext. The NULL Key is -used by the null encryption system and is zero octets in -length, with keytype zero (0). - - - -Section 6.3.1. - 78 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -6.3.2. DES in CBC mode with a CRC-32 checksum (des-cbc-crc) - - The des-cbc-crc encryption mode encrypts information -under the Data Encryption Standard [12] using the cipher -block chaining mode [13]. A CRC-32 checksum (described in -ISO 3309 [15]) is applied to the confounder and message -sequence (msg-seq) and placed in the cksum field. DES -blocks are 8 bytes. 
As a result, the data to be encrypted
-(the concatenation of confounder, checksum, and message)
-must be padded to an 8 byte boundary before encryption. The
-details of the encryption of this data are identical to
-those for the des-cbc-md5 encryption mode.
-
- Note that, since the CRC-32 checksum is not collision-
-proof, an attacker could use a probabilistic chosen-
-plaintext attack to generate a valid message even if a con-
-founder is used [14]. The use of collision-proof checksums
-is recommended for environments where such attacks represent
-a significant threat. The use of the CRC-32 as the checksum
-for ticket or authenticator is no longer mandated as an
-interoperability requirement for Kerberos Version 5 Specifi-
-cation 1 (See section 9.1 for specific details).
-
-
-6.3.3. DES in CBC mode with an MD4 checksum (des-cbc-md4)
-
- The des-cbc-md4 encryption mode encrypts information
-under the Data Encryption Standard [12] using the cipher
-block chaining mode [13]. An MD4 checksum (described in
-[16]) is applied to the confounder and message sequence
-(msg-seq) and placed in the cksum field. DES blocks are 8
-bytes. As a result, the data to be encrypted (the concate-
-nation of confounder, checksum, and message) must be padded
-to an 8 byte boundary before encryption. The details of the
-encryption of this data are identical to those for the des-
-cbc-md5 encryption mode.
-
-
-6.3.4. DES in CBC mode with an MD5 checksum (des-cbc-md5)
-
- The des-cbc-md5 encryption mode encrypts information
-under the Data Encryption Standard [12] using the cipher
-block chaining mode [13]. An MD5 checksum (described in
-[17].) is applied to the confounder and message sequence
-(msg-seq) and placed in the cksum field. DES blocks are 8
-bytes. As a result, the data to be encrypted (the concate-
-nation of confounder, checksum, and message) must be padded
-to an 8 byte boundary before encryption.
- - Plaintext and DES ciphtertext are encoded as 8-octet -blocks which are concatenated to make the 64-bit inputs for -the DES algorithms. The first octet supplies the 8 most -significant bits (with the octet's MSbit used as the DES -input block's MSbit, etc.), the second octet the next 8 - - -Section 6.3.4. - 79 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -bits, ..., and the eighth octet supplies the 8 least signi- -ficant bits. - - Encryption under DES using cipher block chaining -requires an additional input in the form of an initializa- -tion vector. Unless otherwise specified, zero should be -used as the initialization vector. Kerberos' use of DES -requires an 8-octet confounder. - - The DES specifications identify some "weak" and "semi- -weak" keys; those keys shall not be used for encrypting mes- -sages for use in Kerberos. Additionally, because of the way -that keys are derived for the encryption of checksums, keys -shall not be used that yield "weak" or "semi-weak" keys when -eXclusive-ORed with the constant F0F0F0F0F0F0F0F0. - - A DES key is 8 octets of data, with keytype one (1). -This consists of 56 bits of key, and 8 parity bits (one per -octet). The key is encoded as a series of 8 octets written -in MSB-first order. The bits within the key are also -encoded in MSB order. For example, if the encryption key is -(B1,B2,...,B7,P1,B8,...,B14,P2,B15,...,B49,P7,B50,...,B56,P8) -where B1,B2,...,B56 are the key bits in MSB order, and -P1,P2,...,P8 are the parity bits, the first octet of the key -would be B1,B2,...,B7,P1 (with B1 as the MSbit). [See the -FIPS 81 introduction for reference.] - - To generate a DES key from a text string (password), -the text string normally must have the realm and each com- -ponent of the principal's name appended[37], then padded -with ASCII nulls to an 8 byte boundary. This string is then -fan-folded and eXclusive-ORed with itself to form an 8 byte -DES key. 
The parity is corrected on the key, and it is used -to generate a DES CBC checksum on the initial string (with -the realm and name appended). Next, parity is corrected on -the CBC checksum. If the result matches a "weak" or "semi- -weak" key as described in the DES specification, it is -eXclusive-ORed with the constant 00000000000000F0. Finally, -the result is returned as the key. Pseudocode follows: - - string_to_key(string,realm,name) { - odd = 1; - s = string + realm; - for(each component in name) { - s = s + component; - } - tempkey = NULL; - pad(s); /* with nulls to 8 byte boundary */ - for(8byteblock in s) { -__________________________ -[37] In some cases, it may be necessary to use a dif- -ferent "mix-in" string for compatibility reasons; see -the discussion of padata in section 5.4.2. - - -Section 6.3.4. - 80 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - if(odd == 0) { - odd = 1; - reverse(8byteblock) - } - else odd = 0; - tempkey = tempkey XOR 8byteblock; - } - fixparity(tempkey); - key = DES-CBC-check(s,tempkey); - fixparity(key); - if(is_weak_key_key(key)) - key = key XOR 0xF0; - return(key); - } - -6.3.5. Triple DES EDE in outer CBC mode with an SHA1 check- -sum (des3-cbc-sha1) - - The des3-cbc-sha1 encryption encodes information using -three Data Encryption Standard transformations with three -DES keys. The first key is used to perform a DES ECB -encryption on an eight-octet data block using the first DES -key, followed by a DES ECB decryption of the result using -the second DES key, and a DES ECB encryption of the result -using the third DES key. Because DES blocks are 8 bytes, -the data to be encrypted (the concatenation of confounder, -checksum, and message) must first be padded to an 8 byte -boundary before encryption. To support the outer CBC mode, -the input is padded an eight-octet boundary. 
The first 8 -octets of the data to be encrypted (the confounder) is -exclusive-ored with an initialization vector of zero and -then ECB encrypted using triple DES as described above. -Subsequent blocks of 8 octets are exclusive-ored with the -ciphertext produced by the encryption on the previous block -before ECB encryption. - - An HMAC-SHA1 checksum (described in [18].) is applied -to the confounder and message sequence (msg-seq) and placed -in the cksum field. - - Plaintext are encoded as 8-octet blocks which are con- -catenated to make the 64-bit inputs for the DES algorithms. -The first octet supplies the 8 most significant bits (with -the octet's MSbit used as the DES input block's MSbit, -etc.), the second octet the next 8 bits, ..., and the eighth -octet supplies the 8 least significant bits. - - Encryption under Triple DES using cipher block chaining -requires an additional input in the form of an initializa- -tion vector. Unless otherwise specified, zero should be -used as the initialization vector. Kerberos' use of DES -requires an 8-octet confounder. - - The DES specifications identify some "weak" and "semi- - - -Section 6.3.5. - 81 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -weak" keys; those keys shall not be used for encrypting mes- -sages for use in Kerberos. Additionally, because of the way -that keys are derived for the encryption of checksums, keys -shall not be used that yield "weak" or "semi-weak" keys when -eXclusive-ORed with the constant F0F0F0F0F0F0F0F0. - - A Triple DES key is 24 octets of data, with keytype -seven (7). This consists of 168 bits of key, and 24 parity -bits (one per octet). The key is encoded as a series of 24 -octets written in MSB-first order, with the first 8 octets -treated as the first DES key, the second 8 octets as the -second key, and the third 8 octets the third DES key. The -bits within each key are also encoded in MSB order. 
For
-example, if the encryption key is
-(B1,B2,...,B7,P1,B8,...,B14,P2,B15,...,B49,P7,B50,...,B56,P8)
-where B1,B2,...,B56 are the key bits in MSB order, and
-P1,P2,...,P8 are the parity bits, the first octet of the key
-would be B1,B2,...,B7,P1 (with B1 as the MSbit). [See the
-FIPS 81 introduction for reference.]
-
- To generate a DES key from a text string (password),
-the text string normally must have the realm and each com-
-ponent of the principal's name appended[38],
-
- The input string (with any salt data appended to it) is
-n-folded into a 24 octet (192 bit) string. To n-fold a
-number X, replicate the input value to a length that is the
-least common multiple of n and the length of X. Before each
-repetition, the input X is rotated to the right by 13 bit
-positions. The successive n-bit chunks are added together
-using 1's-complement addition (addition with end-around
-carry) to yield a n-bit result. (This transformation was
-proposed by Richard Basch)
-
- Each successive set of 8 octets is taken as a DES key,
-and its parity is adjusted in the same manner as previously
-described. If any of the three sets of 8 octets match a
-"weak" or "semi-weak" key as described in the DES specifica-
-tion, that chunk is eXclusive-ORed with the constant
-00000000000000F0. The resulting DES keys are then used in
-sequence to perform a Triple-DES CBC encryption of the n-
-folded input string (appended with any salt data), using a
-zero initial vector. Parity, weak, and semi-weak keys are
-once again corrected and the result is returned as the 24
-octet key.
-
- Pseudocode follows:
-
- string_to_key(string,realm,name) {
-__________________________
-[38] In some cases, it may be necessary to use a dif-
-ferent "mix-in" string for compatibility reasons; see
-the discussion of padata in section 5.4.2.
-
-
-Section 6.3.5.
- 82 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - s = string + realm; - for(each component in name) { - s = s + component; - } - tkey[24] = fold(s); - fixparity(tkey); - if(isweak(tkey[0-7])) tkey[0-7] = tkey[0-7] XOR 0xF0; - if(isweak(tkey[8-15])) tkey[8-15] = tkey[8-15] XOR 0xF0; - if(is_weak(tkey[16-23])) tkey[16-23] = tkey[16-23] XOR 0xF0; - key[24] = 3DES-CBC(data=fold(s),key=tkey,iv=0); - fixparity(key); - if(is_weak(key[0-7])) key[0-7] = key[0-7] XOR 0xF0; - if(is_weak(key[8-15])) key[8-15] = key[8-15] XOR 0xF0; - if(is_weak(key[16-23])) key[16-23] = key[16-23] XOR 0xF0; - return(key); - } - -6.4. Checksums - - The following is the ASN.1 definition used for a check- -sum: - - Checksum ::= SEQUENCE { - cksumtype[0] INTEGER, - checksum[1] OCTET STRING - } - - -cksumtype This field indicates the algorithm used to gen- - erate the accompanying checksum. - -checksum This field contains the checksum itself, encoded - as an octet string. - - Detailed specification of selected checksum types -appear later in this section. Negative values for the -checksum type are reserved for local use. All non-negative -values are reserved for officially assigned type fields and -interpretations. - - Checksums used by Kerberos can be classified by two -properties: whether they are collision-proof, and whether -they are keyed. It is infeasible to find two plaintexts -which generate the same checksum value for a collision-proof -checksum. A key is required to perturb or initialize the -algorithm in a keyed checksum. To prevent message-stream -modification by an active attacker, unkeyed checksums should -only be used when the checksum and message will be subse- -quently encrypted (e.g. the checksums defined as part of the -encryption algorithms covered earlier in this section). - - Collision-proof checksums can be made tamper-proof if -the checksum value is encrypted before inclusion in a mes- -sage. 
In such cases, the composition of the checksum and - - -Section 6.4. - 83 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -the encryption algorithm must be considered a separate -checksum algorithm (e.g. RSA-MD5 encrypted using DES is a -new checksum algorithm of type RSA-MD5-DES). For most keyed -checksums, as well as for the encrypted forms of unkeyed -collision-proof checksums, Kerberos prepends a confounder -before the checksum is calculated. - -6.4.1. The CRC-32 Checksum (crc32) - - The CRC-32 checksum calculates a checksum based on a -cyclic redundancy check as described in ISO 3309 [15]. The -resulting checksum is four (4) octets in length. The CRC-32 -is neither keyed nor collision-proof. The use of this -checksum is not recommended. An attacker using a proba- -bilistic chosen-plaintext attack as described in [14] might -be able to generate an alternative message that satisfies -the checksum. The use of collision-proof checksums is -recommended for environments where such attacks represent a -significant threat. - -6.4.2. The RSA MD4 Checksum (rsa-md4) - - The RSA-MD4 checksum calculates a checksum using the -RSA MD4 algorithm [16]. The algorithm takes as input an -input message of arbitrary length and produces as output a -128-bit (16 octet) checksum. RSA-MD4 is believed to be -collision-proof. - -6.4.3. RSA MD4 Cryptographic Checksum Using DES (rsa-md4- -des) - - The RSA-MD4-DES checksum calculates a keyed collision- -proof checksum by prepending an 8 octet confounder before -the text, applying the RSA MD4 checksum algorithm, and -encrypting the confounder and the checksum using DES in -cipher-block-chaining (CBC) mode using a variant of the key, -where the variant is computed by eXclusive-ORing the key -with the constant F0F0F0F0F0F0F0F0[39]. The initialization -vector should be zero. The resulting checksum is 24 octets -long (8 octets of which are redundant). 
This checksum is -tamper-proof and believed to be collision-proof. - - The DES specifications identify some "weak keys" and -__________________________ -[39] A variant of the key is used to limit the use of a -key to a particular function, separating the functions -of generating a checksum from other encryption per- -formed using the session key. The constant -F0F0F0F0F0F0F0F0 was chosen because it maintains key -parity. The properties of DES precluded the use of the -complement. The same constant is used for similar pur- -pose in the Message Integrity Check in the Privacy -Enhanced Mail standard. - - -Section 6.4.3. - 84 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -"semi-weak keys"; those keys shall not be used for generat- -ing RSA-MD4 checksums for use in Kerberos. - - The format for the checksum is described in the follow- -ing diagram: - -+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -| des-cbc(confounder + rsa-md4(confounder+msg),key=var(key),iv=0) | -+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ - -The format cannot be described in ASN.1, but for those who -prefer an ASN.1-like notation: - -rsa-md4-des-checksum ::= ENCRYPTED UNTAGGED SEQUENCE { - confounder[0] UNTAGGED OCTET STRING(8), - check[1] UNTAGGED OCTET STRING(16) -} - - - -6.4.4. The RSA MD5 Checksum (rsa-md5) - - The RSA-MD5 checksum calculates a checksum using the -RSA MD5 algorithm. [17]. The algorithm takes as input an -input message of arbitrary length and produces as output a -128-bit (16 octet) checksum. RSA-MD5 is believed to be -collision-proof. - -6.4.5. 
RSA MD5 Cryptographic Checksum Using DES (rsa-md5- -des) - - The RSA-MD5-DES checksum calculates a keyed collision- -proof checksum by prepending an 8 octet confounder before -the text, applying the RSA MD5 checksum algorithm, and -encrypting the confounder and the checksum using DES in -cipher-block-chaining (CBC) mode using a variant of the key, -where the variant is computed by eXclusive-ORing the key -with the constant F0F0F0F0F0F0F0F0. The initialization vec- -tor should be zero. The resulting checksum is 24 octets -long (8 octets of which are redundant). This checksum is -tamper-proof and believed to be collision-proof. - - The DES specifications identify some "weak keys" and -"semi-weak keys"; those keys shall not be used for encrypt- -ing RSA-MD5 checksums for use in Kerberos. - - The format for the checksum is described in the follow- -ing diagram: - -+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -| des-cbc(confounder + rsa-md5(confounder+msg),key=var(key),iv=0) | -+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ - -The format cannot be described in ASN.1, but for those who - - -Section 6.4.5. - 85 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -prefer an ASN.1-like notation: - -rsa-md5-des-checksum ::= ENCRYPTED UNTAGGED SEQUENCE { - confounder[0] UNTAGGED OCTET STRING(8), - check[1] UNTAGGED OCTET STRING(16) -} - - -6.4.6. DES cipher-block chained checksum (des-mac) - - The DES-MAC checksum is computed by prepending an 8 -octet confounder to the plaintext, performing a DES CBC-mode -encryption on the result using the key and an initialization -vector of zero, taking the last block of the ciphertext, -prepending the same confounder and encrypting the pair using -DES in cipher-block-chaining (CBC) mode using a a variant of -the key, where the variant is computed by eXclusive-ORing -the key with the constant F0F0F0F0F0F0F0F0. The initializa- -tion vector should be zero. 
The resulting checksum is 128 -bits (16 octets) long, 64 bits of which are redundant. This -checksum is tamper-proof and collision-proof. - - The format for the checksum is described in the follow- -ing diagram: - -+--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+ -| des-cbc(confounder + des-mac(conf+msg,iv=0,key),key=var(key),iv=0) | -+--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+ - -The format cannot be described in ASN.1, but for those who -prefer an ASN.1-like notation: - -des-mac-checksum ::= ENCRYPTED UNTAGGED SEQUENCE { - confounder[0] UNTAGGED OCTET STRING(8), - check[1] UNTAGGED OCTET STRING(8) -} - - - The DES specifications identify some "weak" and "semi- -weak" keys; those keys shall not be used for generating -DES-MAC checksums for use in Kerberos, nor shall a key be -used whose variant is "weak" or "semi-weak". - -6.4.7. RSA MD4 Cryptographic Checksum Using DES alternative -(rsa-md4-des-k) - - The RSA-MD4-DES-K checksum calculates a keyed -collision-proof checksum by applying the RSA MD4 checksum -algorithm and encrypting the results using DES in cipher- -block-chaining (CBC) mode using a DES key as both key and -initialization vector. The resulting checksum is 16 octets -long. This checksum is tamper-proof and believed to be -collision-proof. Note that this checksum type is the old -method for encoding the RSA-MD4-DES checksum and it is no - - -Section 6.4.7. - 86 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -longer recommended. - -6.4.8. DES cipher-block chained checksum alternative (des- -mac-k) - - The DES-MAC-K checksum is computed by performing a DES -CBC-mode encryption of the plaintext, and using the last -block of the ciphertext as the checksum value. It is keyed -with an encryption key and an initialization vector; any -uses which do not specify an additional initialization vec- -tor will use the key as both key and initialization vector. 
-The resulting checksum is 64 bits (8 octets) long. This -checksum is tamper-proof and collision-proof. Note that -this checksum type is the old method for encoding the DES- -MAC checksum and it is no longer recommended. - - The DES specifications identify some "weak keys" and -"semi-weak keys"; those keys shall not be used for generat- -ing DES-MAC checksums for use in Kerberos. - -7. Naming Constraints - - -7.1. Realm Names - - Although realm names are encoded as GeneralStrings and -although a realm can technically select any name it chooses, -interoperability across realm boundaries requires agreement -on how realm names are to be assigned, and what information -they imply. - - To enforce these conventions, each realm must conform -to the conventions itself, and it must require that any -realms with which inter-realm keys are shared also conform -to the conventions and require the same from its neighbors. - - Kerberos realm names are case sensitive. Realm names -that differ only in the case of the characters are not -equivalent. There are presently four styles of realm names: -domain, X500, other, and reserved. Examples of each style -follow: - - domain: ATHENA.MIT.EDU (example) - X500: C=US/O=OSF (example) - other: NAMETYPE:rest/of.name=without-restrictions (example) - reserved: reserved, but will not conflict with above - - -Domain names must look like domain names: they consist of -components separated by periods (.) and they contain neither -colons (:) nor slashes (/). Domain names must be converted -to upper case when used as realm names. - - X.500 names contain an equal (=) and cannot contain a - - -Section 7.1. - 87 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -colon (:) before the equal. The realm names for X.500 names -will be string representations of the names with components -separated by slashes. Leading and trailing slashes will not -be included. 
-
- Names that fall into the other category must begin with
-a prefix that contains no equal (=) or period (.) and the
-prefix must be followed by a colon (:) and the rest of the
-name. All prefixes must be assigned before they may be
-used. Presently none are assigned.
-
- The reserved category includes strings which do not
-fall into the first three categories. All names in this
-category are reserved. It is unlikely that names will be
-assigned to this category unless there is a very strong
-argument for not using the "other" category.
-
- These rules guarantee that there will be no conflicts
-between the various name styles. The following additional
-constraints apply to the assignment of realm names in the
-domain and X.500 categories: the name of a realm for the
-domain or X.500 formats must either be used by the organiza-
-tion owning (to whom it was assigned) an Internet domain
-name or X.500 name, or in the case that no such names are
-registered, authority to use a realm name may be derived
-from the authority of the parent realm. For example, if
-there is no domain name for E40.MIT.EDU, then the adminis-
-trator of the MIT.EDU realm can authorize the creation of a
-realm with that name.
-
- This is acceptable because the organization to which
-the parent is assigned is presumably the organization
-authorized to assign names to its children in the X.500 and
-domain name systems as well. If the parent assigns a realm
-name without also registering it in the domain name or X.500
-hierarchy, it is the parent's responsibility to make sure
-that there will not in the future exists a name identical to
-the realm name of the child unless it is assigned to the
-same entity as the realm name.
-
-
-7.2. Principal Names
-
- As was the case for realm names, conventions are needed
-to ensure that all agree on what information is implied by a
-principal name. The name-type field that is part of the
-principal name indicates the kind of information implied by
-the name.
The name-type should be treated as a hint. -Ignoring the name type, no two names can be the same (i.e. -at least one of the components, or the realm, must be dif- -ferent). This constraint may be eliminated in the future. -The following name types are defined: - - name-type value meaning - - -Section 7.2. - 88 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - NT-UNKNOWN 0 Name type not known - NT-PRINCIPAL 1 General principal name (e.g. username, or DCE principal) - NT-SRV-INST 2 Service and other unique instance (krbtgt) - NT-SRV-HST 3 Service with host name as instance (telnet, rcommands) - NT-SRV-XHST 4 Service with slash-separated host name components - NT-UID 5 Unique ID - - -When a name implies no information other than its uniqueness -at a particular time the name type PRINCIPAL should be used. -The principal name type should be used for users, and it -might also be used for a unique server. If the name is a -unique machine generated ID that is guaranteed never to be -reassigned then the name type of UID should be used (note -that it is generally a bad idea to reassign names of any -type since stale entries might remain in access control -lists). - - If the first component of a name identifies a service -and the remaining components identify an instance of the -service in a server specified manner, then the name type of -SRV-INST should be used. An example of this name type is -the Kerberos ticket-granting service whose name has a first -component of krbtgt and a second component identifying the -realm for which the ticket is valid. - - If instance is a single component following the service -name and the instance identifies the host on which the -server is running, then the name type SRV-HST should be -used. This type is typically used for Internet services -such as telnet and the Berkeley R commands. 
If the separate -components of the host name appear as successive components -following the name of the service, then the name type SRV- -XHST should be used. This type might be used to identify -servers on hosts with X.500 names where the slash (/) might -otherwise be ambiguous. - - A name type of UNKNOWN should be used when the form of -the name is not known. When comparing names, a name of type -UNKNOWN will match principals authenticated with names of -any type. A principal authenticated with a name of type -UNKNOWN, however, will only match other names of type UNK- -NOWN. - - Names of any type with an initial component of "krbtgt" -are reserved for the Kerberos ticket granting service. See -section 8.2.3 for the form of such names. - -7.2.1. Name of server principals - - The principal identifier for a server on a host will -generally be composed of two parts: (1) the realm of the KDC -with which the server is registered, and (2) a two-component - - -Section 7.2.1. - 89 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -name of type NT-SRV-HST if the host name is an Internet -domain name or a multi-component name of type NT-SRV-XHST if -the name of the host is of a form such as X.500 that allows -slash (/) separators. The first component of the two- or -multi-component name will identify the service and the -latter components will identify the host. Where the name of -the host is not case sensitive (for example, with Internet -domain names) the name of the host must be lower case. If -specified by the application protocol for services such as -telnet and the Berkeley R commands which run with system -privileges, the first component may be the string "host" -instead of a service specific identifier. When a host has -an official name and one or more aliases, the official name -of the host must be used when constructing the name of the -server principal. - -8. Constants and other defined values - - -8.1. 
Host address types - - All negative values for the host address type are -reserved for local use. All non-negative values are -reserved for officially assigned type fields and interpreta- -tions. - - The values of the types for the following addresses are -chosen to match the defined address family constants in the -Berkeley Standard Distributions of Unix. They can be found -in with symbolic names AF_xxx (where xxx is -an abbreviation of the address family name). - - -Internet addresses - - Internet addresses are 32-bit (4-octet) quantities, -encoded in MSB order. The type of internet addresses is two -(2). - -CHAOSnet addresses - - CHAOSnet addresses are 16-bit (2-octet) quantities, -encoded in MSB order. The type of CHAOSnet addresses is -five (5). - -ISO addresses - - ISO addresses are variable-length. The type of ISO -addresses is seven (7). - -Xerox Network Services (XNS) addresses - - XNS addresses are 48-bit (6-octet) quantities, encoded -in MSB order. The type of XNS addresses is six (6). - - -Section 8.1. - 90 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -AppleTalk Datagram Delivery Protocol (DDP) addresses - - AppleTalk DDP addresses consist of an 8-bit node number -and a 16-bit network number. The first octet of the address -is the node number; the remaining two octets encode the net- -work number in MSB order. The type of AppleTalk DDP -addresses is sixteen (16). - -DECnet Phase IV addresses - - DECnet Phase IV addresses are 16-bit addresses, encoded -in LSB order. The type of DECnet Phase IV addresses is -twelve (12). - -8.2. KDC messages - -8.2.1. 
IP transport - - When contacting a Kerberos server (KDC) for a -KRB_KDC_REQ request using UDP IP transport, the client shall -send a UDP datagram containing only an encoding of the -request to port 88 (decimal) at the KDC's IP address; the -KDC will respond with a reply datagram containing only an -encoding of the reply message (either a KRB_ERROR or a -KRB_KDC_REP) to the sending port at the sender's IP address. - - Kerberos servers supporting IP transport must accept -UDP requests on port 88 (decimal). Servers may also accept -TCP requests on port 88 (decimal). When the KRB_KDC_REQ -message is sent to the KDC by TCP, a new connection will be -established for each authentication exchange and the -KRB_KDC_REP or KRB_ERROR message will be returned to the -client on the TCP stream that was established for the -request. The connection will be broken after the reply has -been received (or upon time-out). Care must be taken in -managing TCP/IP connections with the KDC to prevent denial -of service attacks based on the number of TCP/IP connections -with the KDC that remain open. - -8.2.2. OSI transport - - During authentication of an OSI client to an OSI -server, the mutual authentication of an OSI server to an OSI -client, the transfer of credentials from an OSI client to an -OSI server, or during exchange of private or integrity -checked messages, Kerberos protocol messages may be treated -as opaque objects and the type of the authentication mechan- -ism will be: - -OBJECT IDENTIFIER ::= {iso (1), org(3), dod(6),internet(1), security(5), - kerberosv5(2)} - -Depending on the situation, the opaque object will be an -authentication header (KRB_AP_REQ), an authentication reply -(KRB_AP_REP), a safe message (KRB_SAFE), a private message - - -Section 8.2.2. - 91 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -(KRB_PRIV), or a credentials message (KRB_CRED). 
The opaque -data contains an application code as specified in the ASN.1 -description for each message. The application code may be -used by Kerberos to determine the message type. - -8.2.3. Name of the TGS - - The principal identifier of the ticket-granting service -shall be composed of three parts: (1) the realm of the KDC -issuing the TGS ticket (2) a two-part name of type NT-SRV- -INST, with the first part "krbtgt" and the second part the -name of the realm which will accept the ticket-granting -ticket. For example, a ticket-granting ticket issued by the -ATHENA.MIT.EDU realm to be used to get tickets from the -ATHENA.MIT.EDU KDC has a principal identifier of -"ATHENA.MIT.EDU" (realm), ("krbtgt", "ATHENA.MIT.EDU") -(name). A ticket-granting ticket issued by the -ATHENA.MIT.EDU realm to be used to get tickets from the -MIT.EDU realm has a principal identifier of "ATHENA.MIT.EDU" -(realm), ("krbtgt", "MIT.EDU") (name). - - -8.3. Protocol constants and associated values - -The following tables list constants used in the protocol and defines their -meanings. - -Encryption type etype value block size minimum pad size confounder size -NULL 0 1 0 0 -des-cbc-crc 1 8 4 8 -des-cbc-md4 2 8 0 8 -des-cbc-md5 3 8 0 8 - 4 -des3-cbc-md5 5 8 0 8 - 6 -des3-cbc-sha1 7 8 0 8 -sign-dsa-generate 8 (pkinit) -encrypt-rsa-priv 9 (pkinit) -encrypt-rsa-pub 10 (pkinit) -ENCTYPE_PK_CROSS 48 (reserved for pkcross) - 0x8003 - -Checksum type sumtype value checksum size -CRC32 1 4 -rsa-md4 2 16 -rsa-md4-des 3 24 -des-mac 4 16 -des-mac-k 5 8 -rsa-md4-des-k 6 16 -rsa-md5 7 16 -rsa-md5-des 8 24 -rsa-md5-des3 9 24 -hmac-sha1-des3 10 20 (I had this as 10, is it 12) - - -Section 8.3. 
- 92 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -padata type padata-type value - -PA-TGS-REQ 1 -PA-ENC-TIMESTAMP 2 -PA-PW-SALT 3 - 4 -PA-ENC-UNIX-TIME 5 -PA-SANDIA-SECUREID 6 -PA-SESAME 7 -PA-OSF-DCE 8 -PA-CYBERSAFE-SECUREID 9 -PA-AFS3-SALT 10 -PA-ETYPE-INFO 11 -SAM-CHALLENGE 12 (sam/otp) -SAM-RESPONSE 13 (sam/otp) -PA-PK-AS-REQ 14 (pkinit) -PA-PK-AS-REP 15 (pkinit) -PA-PK-AS-SIGN 16 (pkinit) -PA-PK-KEY-REQ 17 (pkinit) -PA-PK-KEY-REP 18 (pkinit) - -authorization data type ad-type value -reserved values 0-63 -OSF-DCE 64 -SESAME 65 - -alternate authentication type method-type value -reserved values 0-63 -ATT-CHALLENGE-RESPONSE 64 - -transited encoding type tr-type value -DOMAIN-X500-COMPRESS 1 -reserved values all others - - - -Label Value Meaning or MIT code - -pvno 5 current Kerberos protocol version number - -message types - -KRB_AS_REQ 10 Request for initial authentication -KRB_AS_REP 11 Response to KRB_AS_REQ request -KRB_TGS_REQ 12 Request for authentication based on TGT -KRB_TGS_REP 13 Response to KRB_TGS_REQ request -KRB_AP_REQ 14 application request to server -KRB_AP_REP 15 Response to KRB_AP_REQ_MUTUAL -KRB_SAFE 20 Safe (checksummed) application message -KRB_PRIV 21 Private (encrypted) application message -KRB_CRED 22 Private (encrypted) message to forward credentials -KRB_ERROR 30 Error response - - -Section 8.3. 
- 93 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -name types - -KRB_NT_UNKNOWN 0 Name type not known -KRB_NT_PRINCIPAL 1 Just the name of the principal as in DCE, or for users -KRB_NT_SRV_INST 2 Service and other unique instance (krbtgt) -KRB_NT_SRV_HST 3 Service with host name as instance (telnet, rcommands) -KRB_NT_SRV_XHST 4 Service with host as remaining components -KRB_NT_UID 5 Unique ID - -error codes - -KDC_ERR_NONE 0 No error -KDC_ERR_NAME_EXP 1 Client's entry in database has expired -KDC_ERR_SERVICE_EXP 2 Server's entry in database has expired -KDC_ERR_BAD_PVNO 3 Requested protocol version number not supported -KDC_ERR_C_OLD_MAST_KVNO 4 Client's key encrypted in old master key -KDC_ERR_S_OLD_MAST_KVNO 5 Server's key encrypted in old master key -KDC_ERR_C_PRINCIPAL_UNKNOWN 6 Client not found in Kerberos database -KDC_ERR_S_PRINCIPAL_UNKNOWN 7 Server not found in Kerberos database -KDC_ERR_PRINCIPAL_NOT_UNIQUE 8 Multiple principal entries in database -KDC_ERR_NULL_KEY 9 The client or server has a null key -KDC_ERR_CANNOT_POSTDATE 10 Ticket not eligible for postdating -KDC_ERR_NEVER_VALID 11 Requested start time is later than end time -KDC_ERR_POLICY 12 KDC policy rejects request -KDC_ERR_BADOPTION 13 KDC cannot accommodate requested option -KDC_ERR_ETYPE_NOSUPP 14 KDC has no support for encryption type -KDC_ERR_SUMTYPE_NOSUPP 15 KDC has no support for checksum type -KDC_ERR_PADATA_TYPE_NOSUPP 16 KDC has no support for padata type -KDC_ERR_TRTYPE_NOSUPP 17 KDC has no support for transited type -KDC_ERR_CLIENT_REVOKED 18 Clients credentials have been revoked -KDC_ERR_SERVICE_REVOKED 19 Credentials for server have been revoked -KDC_ERR_TGT_REVOKED 20 TGT has been revoked -KDC_ERR_CLIENT_NOTYET 21 Client not yet valid - try again later -KDC_ERR_SERVICE_NOTYET 22 Server not yet valid - try again later -KDC_ERR_KEY_EXPIRED 23 Password has expired - change password to reset -KDC_ERR_PREAUTH_FAILED 24 Pre-authentication 
information was invalid -KDC_ERR_PREAUTH_REQUIRED 25 Additional pre-authenticationrequired- -KDC_ERR_SERVER_NOMATCH 26 Requested server and ticket don't match -KDC_ERR_MUST_USE_USER2USER 27 Server principal valid for user2user only -KDC_ERR_PATH_NOT_ACCPETED 28 KDC Policy rejects transited path -KRB_AP_ERR_BAD_INTEGRITY 31 Integrity check on decrypted field failed -KRB_AP_ERR_TKT_EXPIRED 32 Ticket expired -KRB_AP_ERR_TKT_NYV 33 Ticket not yet valid -KRB_AP_ERR_REPEAT 34 Request is a replay -KRB_AP_ERR_NOT_US 35 The ticket isn't for us -KRB_AP_ERR_BADMATCH 36 Ticket and authenticator don't match -KRB_AP_ERR_SKEW 37 Clock skew too great -KRB_AP_ERR_BADADDR 38 Incorrect net address -KRB_AP_ERR_BADVERSION 39 Protocol version mismatch -KRB_AP_ERR_MSG_TYPE 40 Invalid msg type -KRB_AP_ERR_MODIFIED 41 Message stream modified -KRB_AP_ERR_BADORDER 42 Message out of order -KRB_AP_ERR_BADKEYVER 44 Specified version of key is not available -KRB_AP_ERR_NOKEY 45 Service key not available -KRB_AP_ERR_MUT_FAIL 46 Mutual authentication failed -KRB_AP_ERR_BADDIRECTION 47 Incorrect message direction -KRB_AP_ERR_METHOD 48 Alternative authentication method required -KRB_AP_ERR_BADSEQ 49 Incorrect sequence number in message - - - -Section 8.3. - 94 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -KRB_AP_ERR_INAPP_CKSUM 50 Inappropriate type of checksum in message -KRB_ERR_GENERIC 60 Generic error (description in e-text) -KRB_ERR_FIELD_TOOLONG 61 Field is too long for this implementation -KDC_ERROR_CLIENT_NOT_TRUSTED 62 (pkinit) -KDC_ERROR_KDC_NOT_TRUSTED 63 (pkinit) -KDC_ERROR_INVALID_SIG 64 (pkinit) -KDC_ERR_KEY_TOO_WEAK 65 (pkinit) - - -9. Interoperability requirements - - Version 5 of the Kerberos protocol supports a myriad of -options. 
Among these are multiple encryption and checksum -types, alternative encoding schemes for the transited field, -optional mechanisms for pre-authentication, the handling of -tickets with no addresses, options for mutual authentica- -tion, user to user authentication, support for proxies, for- -warding, postdating, and renewing tickets, the format of -realm names, and the handling of authorization data. - - In order to ensure the interoperability of realms, it -is necessary to define a minimal configuration which must be -supported by all implementations. This minimal configura- -tion is subject to change as technology does. For example, -if at some later date it is discovered that one of the -required encryption or checksum algorithms is not secure, it -will be replaced. - -9.1. Specification 1 - - This section defines the first specification of these -options. Implementations which are configured in this way -can be said to support Kerberos Version 5 Specification 1 -(5.1). - -Encryption and checksum methods - -The following encryption and checksum mechanisms must be -supported. Implementations may support other mechanisms as -well, but the additional mechanisms may only be used when -communicating with principals known to also support them: -This list is to be determined. -Encryption: DES-CBC-MD5 -Checksums: CRC-32, DES-MAC, DES-MAC-K, and DES-MD5 - - -__________________________ -- This error carries additional information in the e- -data field. The contents of the e-data field for this -message is described in section 5.9.1. - - - -Section 9.1. - 95 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -Realm Names - -All implementations must understand hierarchical realms in -both the Internet Domain and the X.500 style. When a ticket -granting ticket for an unknown realm is requested, the KDC -must be able to determine the names of the intermediate -realms between the KDCs realm and the requested realm. 
- -Transited field encoding - -DOMAIN-X500-COMPRESS (described in section 3.3.3.2) must be -supported. Alternative encodings may be supported, but they -may be used only when that encoding is supported by ALL -intermediate realms. - -Pre-authentication methods - -The TGS-REQ method must be supported. The TGS-REQ method is -not used on the initial request. The PA-ENC-TIMESTAMP -method must be supported by clients but whether it is -enabled by default may be determined on a realm by realm -basis. If not used in the initial request and the error -KDC_ERR_PREAUTH_REQUIRED is returned specifying PA-ENC- -TIMESTAMP as an acceptable method, the client should retry -the initial request using the PA-ENC-TIMESTAMP pre- -authentication method. Servers need not support the PA- -ENC-TIMESTAMP method, but if not supported the server should -ignore the presence of PA-ENC-TIMESTAMP pre-authentication -in a request. - -Mutual authentication - -Mutual authentication (via the KRB_AP_REP message) must be -supported. - - -Ticket addresses and flags - -All KDC's must pass on tickets that carry no addresses (i.e. -if a TGT contains no addresses, the KDC will return deriva- -tive tickets), but each realm may set its own policy for -issuing such tickets, and each application server will set -its own policy with respect to accepting them. - - Proxies and forwarded tickets must be supported. Indi- -vidual realms and application servers can set their own pol- -icy on when such tickets will be accepted. - - All implementations must recognize renewable and post- -dated tickets, but need not actually implement them. If -these options are not supported, the starttime and endtime -in the ticket shall specify a ticket's entire useful life. -When a postdated ticket is decoded by a server, all imple- -mentations shall make the presence of the postdated flag - - -Section 9.1. - 96 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -visible to the calling server. 
- -User-to-user authentication - -Support for user to user authentication (via the ENC-TKT- -IN-SKEY KDC option) must be provided by implementations, but -individual realms may decide as a matter of policy to reject -such requests on a per-principal or realm-wide basis. - -Authorization data - -Implementations must pass all authorization data subfields -from ticket-granting tickets to any derivative tickets -unless directed to suppress a subfield as part of the defin- -ition of that registered subfield type (it is never -incorrect to pass on a subfield, and no registered subfield -types presently specify suppression at the KDC). - - Implementations must make the contents of any authori- -zation data subfields available to the server when a ticket -is used. Implementations are not required to allow clients -to specify the contents of the authorization data fields. - -9.2. Recommended KDC values - -Following is a list of recommended values for a KDC imple- -mentation, based on the list of suggested configuration con- -stants (see section 4.4). - -minimum lifetime 5 minutes - -maximum renewable lifetime1 week - -maximum ticket lifetime1 day - -empty addresses only when suitable restrictions appear - in authorization data - -proxiable, etc. Allowed. - - - - - - - - - - - - - - - - - -Section 9.2. - 97 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -10. REFERENCES - - - -1. B. Clifford Neuman and Theodore Y. Ts'o, "An Authenti- - cation Service for Computer Networks," IEEE Communica- - tions Magazine, Vol. 32(9), pp. 33-38 (September 1994). - -2. S. P. Miller, B. C. Neuman, J. I. Schiller, and J. H. - Saltzer, Section E.2.1: Kerberos Authentication and - Authorization System, M.I.T. Project Athena, Cambridge, - Massachusetts (December 21, 1987). - -3. J. G. Steiner, B. C. Neuman, and J. I. Schiller, "Ker- - beros: An Authentication Service for Open Network Sys- - tems," pp. 
191-202 in Usenix Conference Proceedings, - Dallas, Texas (February, 1988). - -4. Roger M. Needham and Michael D. Schroeder, "Using - Encryption for Authentication in Large Networks of Com- - puters," Communications of the ACM, Vol. 21(12), - pp. 993-999 (December, 1978). - -5. Dorothy E. Denning and Giovanni Maria Sacco, "Time- - stamps in Key Distribution Protocols," Communications - of the ACM, Vol. 24(8), pp. 533-536 (August 1981). - -6. John T. Kohl, B. Clifford Neuman, and Theodore Y. Ts'o, - "The Evolution of the Kerberos Authentication Service," - in an IEEE Computer Society Text soon to be published - (June 1992). - -7. B. Clifford Neuman, "Proxy-Based Authorization and - Accounting for Distributed Systems," in Proceedings of - the 13th International Conference on Distributed Com- - puting Systems, Pittsburgh, PA (May, 1993). - -8. Don Davis and Ralph Swick, "Workstation Services and - Kerberos Authentication at Project Athena," Technical - Memorandum TM-424, MIT Laboratory for Computer Science - (February 1990). - -9. P. J. Levine, M. R. Gretzinger, J. M. Diaz, W. E. Som- - merfeld, and K. Raeburn, Section E.1: Service Manage- - ment System, M.I.T. Project Athena, Cambridge, Mas- - sachusetts (1987). - -10. CCITT, Recommendation X.509: The Directory Authentica- - tion Framework, December 1988. - -11. J. Pato, Using Pre-Authentication to Avoid Password - Guessing Attacks, Open Software Foundation DCE Request - for Comments 26 (December 1992). - - - -Section 10. - 98 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -12. National Bureau of Standards, U.S. Department of Com- - merce, "Data Encryption Standard," Federal Information - Processing Standards Publication 46, Washington, DC - (1977). - -13. National Bureau of Standards, U.S. Department of Com- - merce, "DES Modes of Operation," Federal Information - Processing Standards Publication 81, Springfield, VA - (December 1980). - -14. Stuart G. Stubblebine and Virgil D. 
Gligor, "On Message - Integrity in Cryptographic Protocols," in Proceedings - of the IEEE Symposium on Research in Security and - Privacy, Oakland, California (May 1992). - -15. International Organization for Standardization, "ISO - Information Processing Systems - Data Communication - - High-Level Data Link Control Procedure - Frame Struc- - ture," IS 3309 (October 1984). 3rd Edition. - -16. R. Rivest, "The MD4 Message Digest Algorithm," RFC - 1320, MIT Laboratory for Computer Science (April - 1992). - -17. R. Rivest, "The MD5 Message Digest Algorithm," RFC - 1321, MIT Laboratory for Computer Science (April - 1992). - -18. H. Krawczyk, M. Bellare, and R. Canetti, "HMAC: Keyed- - Hashing for Message Authentication," Working Draft - draft-ietf-ipsec-hmac-md5-01.txt, (August 1996). - - - - - - - - - - - - - - - - - - - - - - - - - -Section 10. - 99 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -A. Pseudo-code for protocol processing - - This appendix provides pseudo-code describing how the -messages are to be constructed and interpreted by clients -and servers. - -A.1. 
KRB_AS_REQ generation - request.pvno := protocol version; /* pvno = 5 */ - request.msg-type := message type; /* type = KRB_AS_REQ */ - - if(pa_enc_timestamp_required) then - request.padata.padata-type = PA-ENC-TIMESTAMP; - get system_time; - padata-body.patimestamp,pausec = system_time; - encrypt padata-body into request.padata.padata-value - using client.key; /* derived from password */ - endif - - body.kdc-options := users's preferences; - body.cname := user's name; - body.realm := user's realm; - body.sname := service's name; /* usually "krbtgt", "localrealm" */ - if (body.kdc-options.POSTDATED is set) then - body.from := requested starting time; - else - omit body.from; - endif - body.till := requested end time; - if (body.kdc-options.RENEWABLE is set) then - body.rtime := requested final renewal time; - endif - body.nonce := random_nonce(); - body.etype := requested etypes; - if (user supplied addresses) then - body.addresses := user's addresses; - else - omit body.addresses; - endif - omit body.enc-authorization-data; - request.req-body := body; - - kerberos := lookup(name of local kerberos server (or servers)); - send(packet,kerberos); - - wait(for response); - if (timed_out) then - retry or use alternate server; - endif - -A.2. KRB_AS_REQ verification and KRB_AS_REP generation - decode message into req; - - client := lookup(req.cname,req.realm); - server := lookup(req.sname,req.realm); - - -Section A.2. 
- 100 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - - get system_time; - kdc_time := system_time.seconds; - - if (!client) then - /* no client in Database */ - error_out(KDC_ERR_C_PRINCIPAL_UNKNOWN); - endif - if (!server) then - /* no server in Database */ - error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN); - endif - - if(client.pa_enc_timestamp_required and - pa_enc_timestamp not present) then - error_out(KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP)); - endif - - if(pa_enc_timestamp present) then - decrypt req.padata-value into decrypted_enc_timestamp - using client.key; - using auth_hdr.authenticator.subkey; - if (decrypt_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - if(decrypted_enc_timestamp is not within allowable skew) then - error_out(KDC_ERR_PREAUTH_FAILED); - endif - if(decrypted_enc_timestamp and usec is replay) - error_out(KDC_ERR_PREAUTH_FAILED); - endif - add decrypted_enc_timestamp and usec to replay cache; - endif - - use_etype := first supported etype in req.etypes; - - if (no support for req.etypes) then - error_out(KDC_ERR_ETYPE_NOSUPP); - endif - - new_tkt.vno := ticket version; /* = 5 */ - new_tkt.sname := req.sname; - new_tkt.srealm := req.srealm; - reset all flags in new_tkt.flags; - - /* It should be noted that local policy may affect the */ - /* processing of any of these flags. For example, some */ - /* realms may refuse to issue renewable tickets */ - - if (req.kdc-options.FORWARDABLE is set) then - set new_tkt.flags.FORWARDABLE; - endif - if (req.kdc-options.PROXIABLE is set) then - set new_tkt.flags.PROXIABLE; - endif - - -Section A.2. 
- 101 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - if (req.kdc-options.ALLOW-POSTDATE is set) then - set new_tkt.flags.MAY-POSTDATE; - endif - if ((req.kdc-options.RENEW is set) or - (req.kdc-options.VALIDATE is set) or - (req.kdc-options.PROXY is set) or - (req.kdc-options.FORWARDED is set) or - (req.kdc-options.ENC-TKT-IN-SKEY is set)) then - error_out(KDC_ERR_BADOPTION); - endif - - new_tkt.session := random_session_key(); - new_tkt.cname := req.cname; - new_tkt.crealm := req.crealm; - new_tkt.transited := empty_transited_field(); - - new_tkt.authtime := kdc_time; - - if (req.kdc-options.POSTDATED is set) then - if (against_postdate_policy(req.from)) then - error_out(KDC_ERR_POLICY); - endif - set new_tkt.flags.POSTDATED; - set new_tkt.flags.INVALID; - new_tkt.starttime := req.from; - else - omit new_tkt.starttime; /* treated as authtime when omitted */ - endif - if (req.till = 0) then - till := infinity; - else - till := req.till; - endif - - new_tkt.endtime := min(till, - new_tkt.starttime+client.max_life, - new_tkt.starttime+server.max_life, - new_tkt.starttime+max_life_for_realm); - - if ((req.kdc-options.RENEWABLE-OK is set) and - (new_tkt.endtime < req.till)) then - /* we set the RENEWABLE option for later processing */ - set req.kdc-options.RENEWABLE; - req.rtime := req.till; - endif - - if (req.rtime = 0) then - rtime := infinity; - else - rtime := req.rtime; - endif - - if (req.kdc-options.RENEWABLE is set) then - set new_tkt.flags.RENEWABLE; - - -Section A.2. 
- 102 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - new_tkt.renew-till := min(rtime, - new_tkt.starttime+client.max_rlife, - new_tkt.starttime+server.max_rlife, - new_tkt.starttime+max_rlife_for_realm); - else - omit new_tkt.renew-till; /* only present if RENEWABLE */ - endif - - if (req.addresses) then - new_tkt.caddr := req.addresses; - else - omit new_tkt.caddr; - endif - - new_tkt.authorization_data := empty_authorization_data(); - - encode to-be-encrypted part of ticket into OCTET STRING; - new_tkt.enc-part := encrypt OCTET STRING - using etype_for_key(server.key), server.key, server.p_kvno; - - - /* Start processing the response */ - - resp.pvno := 5; - resp.msg-type := KRB_AS_REP; - resp.cname := req.cname; - resp.crealm := req.realm; - resp.ticket := new_tkt; - - resp.key := new_tkt.session; - resp.last-req := fetch_last_request_info(client); - resp.nonce := req.nonce; - resp.key-expiration := client.expiration; - resp.flags := new_tkt.flags; - - resp.authtime := new_tkt.authtime; - resp.starttime := new_tkt.starttime; - resp.endtime := new_tkt.endtime; - - if (new_tkt.flags.RENEWABLE) then - resp.renew-till := new_tkt.renew-till; - endif - - resp.realm := new_tkt.realm; - resp.sname := new_tkt.sname; - - resp.caddr := new_tkt.caddr; - - encode body of reply into OCTET STRING; - - resp.enc-part := encrypt OCTET STRING - using use_etype, client.key, client.p_kvno; - send(resp); - - - -Section A.2. - 103 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -A.3. 
KRB_AS_REP verification - decode response into resp; - - if (resp.msg-type = KRB_ERROR) then - if(error = KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP)) then - set pa_enc_timestamp_required; - goto KRB_AS_REQ; - endif - process_error(resp); - return; - endif - - /* On error, discard the response, and zero the session key */ - /* from the response immediately */ - - key = get_decryption_key(resp.enc-part.kvno, resp.enc-part.etype, - resp.padata); - unencrypted part of resp := decode of decrypt of resp.enc-part - using resp.enc-part.etype and key; - zero(key); - - if (common_as_rep_tgs_rep_checks fail) then - destroy resp.key; - return error; - endif - - if near(resp.princ_exp) then - print(warning message); - endif - save_for_later(ticket,session,client,server,times,flags); - -A.4. KRB_AS_REP and KRB_TGS_REP common checks - if (decryption_error() or - (req.cname != resp.cname) or - (req.realm != resp.crealm) or - (req.sname != resp.sname) or - (req.realm != resp.realm) or - (req.nonce != resp.nonce) or - (req.addresses != resp.caddr)) then - destroy resp.key; - return KRB_AP_ERR_MODIFIED; - endif - - /* make sure no flags are set that shouldn't be, and that all that */ - /* should be are set */ - if (!check_flags_for_compatability(req.kdc-options,resp.flags)) then - destroy resp.key; - return KRB_AP_ERR_MODIFIED; - endif - - if ((req.from = 0) and - (resp.starttime is not within allowable skew)) then - destroy resp.key; - return KRB_AP_ERR_SKEW; - - -Section A.4. 
- 104 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - endif - if ((req.from != 0) and (req.from != resp.starttime)) then - destroy resp.key; - return KRB_AP_ERR_MODIFIED; - endif - if ((req.till != 0) and (resp.endtime > req.till)) then - destroy resp.key; - return KRB_AP_ERR_MODIFIED; - endif - - if ((req.kdc-options.RENEWABLE is set) and - (req.rtime != 0) and (resp.renew-till > req.rtime)) then - destroy resp.key; - return KRB_AP_ERR_MODIFIED; - endif - if ((req.kdc-options.RENEWABLE-OK is set) and - (resp.flags.RENEWABLE) and - (req.till != 0) and - (resp.renew-till > req.till)) then - destroy resp.key; - return KRB_AP_ERR_MODIFIED; - endif - -A.5. KRB_TGS_REQ generation - /* Note that make_application_request might have to recursivly */ - /* call this routine to get the appropriate ticket-granting ticket */ - - request.pvno := protocol version; /* pvno = 5 */ - request.msg-type := message type; /* type = KRB_TGS_REQ */ - - body.kdc-options := users's preferences; - /* If the TGT is not for the realm of the end-server */ - /* then the sname will be for a TGT for the end-realm */ - /* and the realm of the requested ticket (body.realm) */ - /* will be that of the TGS to which the TGT we are */ - /* sending applies */ - body.sname := service's name; - body.realm := service's realm; - - if (body.kdc-options.POSTDATED is set) then - body.from := requested starting time; - else - omit body.from; - endif - body.till := requested end time; - if (body.kdc-options.RENEWABLE is set) then - body.rtime := requested final renewal time; - endif - body.nonce := random_nonce(); - body.etype := requested etypes; - if (user supplied addresses) then - body.addresses := user's addresses; - else - omit body.addresses; - - -Section A.5. 
- 105 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - endif - - body.enc-authorization-data := user-supplied data; - if (body.kdc-options.ENC-TKT-IN-SKEY) then - body.additional-tickets_ticket := second TGT; - endif - - request.req-body := body; - check := generate_checksum (req.body,checksumtype); - - request.padata[0].padata-type := PA-TGS-REQ; - request.padata[0].padata-value := create a KRB_AP_REQ using - the TGT and checksum - - /* add in any other padata as required/supplied */ - - kerberos := lookup(name of local kerberose server (or servers)); - send(packet,kerberos); - - wait(for response); - if (timed_out) then - retry or use alternate server; - endif - -A.6. KRB_TGS_REQ verification and KRB_TGS_REP generation - /* note that reading the application request requires first - determining the server for which a ticket was issued, and choosing the - correct key for decryption. The name of the server appears in the - plaintext part of the ticket. */ - - if (no KRB_AP_REQ in req.padata) then - error_out(KDC_ERR_PADATA_TYPE_NOSUPP); - endif - verify KRB_AP_REQ in req.padata; - - /* Note that the realm in which the Kerberos server is operating is - determined by the instance from the ticket-granting ticket. The realm - in the ticket-granting ticket is the realm under which the ticket - granting ticket was issued. It is possible for a single Kerberos - server to support more than one realm. */ - - auth_hdr := KRB_AP_REQ; - tgt := auth_hdr.ticket; - - if (tgt.sname is not a TGT for local realm and is not req.sname) then - error_out(KRB_AP_ERR_NOT_US); - - realm := realm_tgt_is_for(tgt); - - decode remainder of request; - - if (auth_hdr.authenticator.cksum is missing) then - error_out(KRB_AP_ERR_INAPP_CKSUM); - endif - - -Section A.6. 
- 106 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - if (auth_hdr.authenticator.cksum type is not supported) then - error_out(KDC_ERR_SUMTYPE_NOSUPP); - endif - if (auth_hdr.authenticator.cksum is not both collision-proof and keyed) then - error_out(KRB_AP_ERR_INAPP_CKSUM); - endif - - set computed_checksum := checksum(req); - if (computed_checksum != auth_hdr.authenticatory.cksum) then - error_out(KRB_AP_ERR_MODIFIED); - endif - - server := lookup(req.sname,realm); - - if (!server) then - if (is_foreign_tgt_name(server)) then - server := best_intermediate_tgs(server); - else - /* no server in Database */ - error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN); - endif - endif - - session := generate_random_session_key(); - - - use_etype := first supported etype in req.etypes; - - if (no support for req.etypes) then - error_out(KDC_ERR_ETYPE_NOSUPP); - endif - - new_tkt.vno := ticket version; /* = 5 */ - new_tkt.sname := req.sname; - new_tkt.srealm := realm; - reset all flags in new_tkt.flags; - - /* It should be noted that local policy may affect the */ - /* processing of any of these flags. For example, some */ - /* realms may refuse to issue renewable tickets */ - - new_tkt.caddr := tgt.caddr; - resp.caddr := NULL; /* We only include this if they change */ - if (req.kdc-options.FORWARDABLE is set) then - if (tgt.flags.FORWARDABLE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.FORWARDABLE; - endif - if (req.kdc-options.FORWARDED is set) then - if (tgt.flags.FORWARDABLE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.FORWARDED; - - -Section A.6. 
- 107 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - new_tkt.caddr := req.addresses; - resp.caddr := req.addresses; - endif - if (tgt.flags.FORWARDED is set) then - set new_tkt.flags.FORWARDED; - endif - - if (req.kdc-options.PROXIABLE is set) then - if (tgt.flags.PROXIABLE is reset) - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.PROXIABLE; - endif - if (req.kdc-options.PROXY is set) then - if (tgt.flags.PROXIABLE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.PROXY; - new_tkt.caddr := req.addresses; - resp.caddr := req.addresses; - endif - - if (req.kdc-options.ALLOW-POSTDATE is set) then - if (tgt.flags.MAY-POSTDATE is reset) - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.MAY-POSTDATE; - endif - if (req.kdc-options.POSTDATED is set) then - if (tgt.flags.MAY-POSTDATE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.POSTDATED; - set new_tkt.flags.INVALID; - if (against_postdate_policy(req.from)) then - error_out(KDC_ERR_POLICY); - endif - new_tkt.starttime := req.from; - endif - - - if (req.kdc-options.VALIDATE is set) then - if (tgt.flags.INVALID is reset) then - error_out(KDC_ERR_POLICY); - endif - if (tgt.starttime > kdc_time) then - error_out(KRB_AP_ERR_NYV); - endif - if (check_hot_list(tgt)) then - error_out(KRB_AP_ERR_REPEAT); - endif - tkt := tgt; - reset new_tkt.flags.INVALID; - endif - - -Section A.6. 
- 108 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - if (req.kdc-options.(any flag except ENC-TKT-IN-SKEY, RENEW, - and those already processed) is set) then - error_out(KDC_ERR_BADOPTION); - endif - - new_tkt.authtime := tgt.authtime; - - if (req.kdc-options.RENEW is set) then - /* Note that if the endtime has already passed, the ticket would */ - /* have been rejected in the initial authentication stage, so */ - /* there is no need to check again here */ - if (tgt.flags.RENEWABLE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - if (tgt.renew-till >= kdc_time) then - error_out(KRB_AP_ERR_TKT_EXPIRED); - endif - tkt := tgt; - new_tkt.starttime := kdc_time; - old_life := tgt.endttime - tgt.starttime; - new_tkt.endtime := min(tgt.renew-till, - new_tkt.starttime + old_life); - else - new_tkt.starttime := kdc_time; - if (req.till = 0) then - till := infinity; - else - till := req.till; - endif - new_tkt.endtime := min(till, - new_tkt.starttime+client.max_life, - new_tkt.starttime+server.max_life, - new_tkt.starttime+max_life_for_realm, - tgt.endtime); - - if ((req.kdc-options.RENEWABLE-OK is set) and - (new_tkt.endtime < req.till) and - (tgt.flags.RENEWABLE is set) then - /* we set the RENEWABLE option for later processing */ - set req.kdc-options.RENEWABLE; - req.rtime := min(req.till, tgt.renew-till); - endif - endif - - if (req.rtime = 0) then - rtime := infinity; - else - rtime := req.rtime; - endif - - if ((req.kdc-options.RENEWABLE is set) and - (tgt.flags.RENEWABLE is set)) then - set new_tkt.flags.RENEWABLE; - new_tkt.renew-till := min(rtime, - - -Section A.6. 
- 109 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - new_tkt.starttime+client.max_rlife, - new_tkt.starttime+server.max_rlife, - new_tkt.starttime+max_rlife_for_realm, - tgt.renew-till); - else - new_tkt.renew-till := OMIT; /* leave the renew-till field out */ - endif - if (req.enc-authorization-data is present) then - decrypt req.enc-authorization-data into decrypted_authorization_data - using auth_hdr.authenticator.subkey; - if (decrypt_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - endif - new_tkt.authorization_data := req.auth_hdr.ticket.authorization_data + - decrypted_authorization_data; - - new_tkt.key := session; - new_tkt.crealm := tgt.crealm; - new_tkt.cname := req.auth_hdr.ticket.cname; - - if (realm_tgt_is_for(tgt) := tgt.realm) then - /* tgt issued by local realm */ - new_tkt.transited := tgt.transited; - else - /* was issued for this realm by some other realm */ - if (tgt.transited.tr-type not supported) then - error_out(KDC_ERR_TRTYPE_NOSUPP); - endif - new_tkt.transited := compress_transited(tgt.transited + tgt.realm) - endif - - encode encrypted part of new_tkt into OCTET STRING; - if (req.kdc-options.ENC-TKT-IN-SKEY is set) then - if (server not specified) then - server = req.second_ticket.client; - endif - if ((req.second_ticket is not a TGT) or - (req.second_ticket.client != server)) then - error_out(KDC_ERR_POLICY); - endif - - new_tkt.enc-part := encrypt OCTET STRING using - using etype_for_key(second-ticket.key), second-ticket.key; - else - new_tkt.enc-part := encrypt OCTET STRING - using etype_for_key(server.key), server.key, server.p_kvno; - endif - - resp.pvno := 5; - resp.msg-type := KRB_TGS_REP; - resp.crealm := tgt.crealm; - resp.cname := tgt.cname; - - - -Section A.6. 
- 110 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - resp.ticket := new_tkt; - - resp.key := session; - resp.nonce := req.nonce; - resp.last-req := fetch_last_request_info(client); - resp.flags := new_tkt.flags; - - resp.authtime := new_tkt.authtime; - resp.starttime := new_tkt.starttime; - resp.endtime := new_tkt.endtime; - - omit resp.key-expiration; - - resp.sname := new_tkt.sname; - resp.realm := new_tkt.realm; - - if (new_tkt.flags.RENEWABLE) then - resp.renew-till := new_tkt.renew-till; - endif - - - encode body of reply into OCTET STRING; - - if (req.padata.authenticator.subkey) - resp.enc-part := encrypt OCTET STRING using use_etype, - req.padata.authenticator.subkey; - else resp.enc-part := encrypt OCTET STRING using use_etype, tgt.key; - - send(resp); - -A.7. KRB_TGS_REP verification - decode response into resp; - - if (resp.msg-type = KRB_ERROR) then - process_error(resp); - return; - endif - - /* On error, discard the response, and zero the session key from - the response immediately */ - - if (req.padata.authenticator.subkey) - unencrypted part of resp := decode of decrypt of resp.enc-part - using resp.enc-part.etype and subkey; - else unencrypted part of resp := decode of decrypt of resp.enc-part - using resp.enc-part.etype and tgt's session key; - if (common_as_rep_tgs_rep_checks fail) then - destroy resp.key; - return error; - endif - - check authorization_data as necessary; - save_for_later(ticket,session,client,server,times,flags); - - - -Section A.7. - 111 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -A.8. 
Authenticator generation - body.authenticator-vno := authenticator vno; /* = 5 */ - body.cname, body.crealm := client name; - if (supplying checksum) then - body.cksum := checksum; - endif - get system_time; - body.ctime, body.cusec := system_time; - if (selecting sub-session key) then - select sub-session key; - body.subkey := sub-session key; - endif - if (using sequence numbers) then - select initial sequence number; - body.seq-number := initial sequence; - endif - -A.9. KRB_AP_REQ generation - obtain ticket and session_key from cache; - - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_AP_REQ */ - - if (desired(MUTUAL_AUTHENTICATION)) then - set packet.ap-options.MUTUAL-REQUIRED; - else - reset packet.ap-options.MUTUAL-REQUIRED; - endif - if (using session key for ticket) then - set packet.ap-options.USE-SESSION-KEY; - else - reset packet.ap-options.USE-SESSION-KEY; - endif - packet.ticket := ticket; /* ticket */ - generate authenticator; - encode authenticator into OCTET STRING; - encrypt OCTET STRING into packet.authenticator using session_key; - -A.10. KRB_AP_REQ verification - receive packet; - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_AP_REQ) then - error_out(KRB_AP_ERR_MSG_TYPE); - endif - if (packet.ticket.tkt_vno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.ap_options.USE-SESSION-KEY is set) then - retrieve session key from ticket-granting ticket for - packet.ticket.{sname,srealm,enc-part.etype}; - - -Section A.10. 
- 112 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - else - retrieve service key for - packet.ticket.{sname,srealm,enc-part.etype,enc-part.skvno}; - endif - if (no_key_available) then - if (cannot_find_specified_skvno) then - error_out(KRB_AP_ERR_BADKEYVER); - else - error_out(KRB_AP_ERR_NOKEY); - endif - endif - decrypt packet.ticket.enc-part into decr_ticket using retrieved key; - if (decryption_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - decrypt packet.authenticator into decr_authenticator - using decr_ticket.key; - if (decryption_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - if (decr_authenticator.{cname,crealm} != - decr_ticket.{cname,crealm}) then - error_out(KRB_AP_ERR_BADMATCH); - endif - if (decr_ticket.caddr is present) then - if (sender_address(packet) is not in decr_ticket.caddr) then - error_out(KRB_AP_ERR_BADADDR); - endif - elseif (application requires addresses) then - error_out(KRB_AP_ERR_BADADDR); - endif - if (not in_clock_skew(decr_authenticator.ctime, - decr_authenticator.cusec)) then - error_out(KRB_AP_ERR_SKEW); - endif - if (repeated(decr_authenticator.{ctime,cusec,cname,crealm})) then - error_out(KRB_AP_ERR_REPEAT); - endif - save_identifier(decr_authenticator.{ctime,cusec,cname,crealm}); - get system_time; - if ((decr_ticket.starttime-system_time > CLOCK_SKEW) or - (decr_ticket.flags.INVALID is set)) then - /* it hasn't yet become valid */ - error_out(KRB_AP_ERR_TKT_NYV); - endif - if (system_time-decr_ticket.endtime > CLOCK_SKEW) then - error_out(KRB_AP_ERR_TKT_EXPIRED); - endif - /* caller must check decr_ticket.flags for any pertinent details */ - return(OK, decr_ticket, packet.ap_options.MUTUAL-REQUIRED); - -A.11. KRB_AP_REP generation - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_AP_REP */ - - -Section A.11. 
- 113 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - body.ctime := packet.ctime; - body.cusec := packet.cusec; - if (selecting sub-session key) then - select sub-session key; - body.subkey := sub-session key; - endif - if (using sequence numbers) then - select initial sequence number; - body.seq-number := initial sequence; - endif - - encode body into OCTET STRING; - - select encryption type; - encrypt OCTET STRING into packet.enc-part; - -A.12. KRB_AP_REP verification - receive packet; - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_AP_REP) then - error_out(KRB_AP_ERR_MSG_TYPE); - endif - cleartext := decrypt(packet.enc-part) using ticket's session key; - if (decryption_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - if (cleartext.ctime != authenticator.ctime) then - error_out(KRB_AP_ERR_MUT_FAIL); - endif - if (cleartext.cusec != authenticator.cusec) then - error_out(KRB_AP_ERR_MUT_FAIL); - endif - if (cleartext.subkey is present) then - save cleartext.subkey for future use; - endif - if (cleartext.seq-number is present) then - save cleartext.seq-number for future verifications; - endif - return(AUTHENTICATION_SUCCEEDED); - -A.13. KRB_SAFE generation - collect user data in buffer; - - /* assemble packet: */ - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_SAFE */ - - body.user-data := buffer; /* DATA */ - if (using timestamp) then - get system_time; - body.timestamp, body.usec := system_time; - - -Section A.13. 
- 114 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - endif - if (using sequence numbers) then - body.seq-number := sequence number; - endif - body.s-address := sender host addresses; - if (only one recipient) then - body.r-address := recipient host address; - endif - checksum.cksumtype := checksum type; - compute checksum over body; - checksum.checksum := checksum value; /* checksum.checksum */ - packet.cksum := checksum; - packet.safe-body := body; - -A.14. KRB_SAFE verification - receive packet; - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_SAFE) then - error_out(KRB_AP_ERR_MSG_TYPE); - endif - if (packet.checksum.cksumtype is not both collision-proof and keyed) then - error_out(KRB_AP_ERR_INAPP_CKSUM); - endif - if (safe_priv_common_checks_ok(packet)) then - set computed_checksum := checksum(packet.body); - if (computed_checksum != packet.checksum) then - error_out(KRB_AP_ERR_MODIFIED); - endif - return (packet, PACKET_IS_GENUINE); - else - return common_checks_error; - endif - -A.15. KRB_SAFE and KRB_PRIV common checks - if (packet.s-address != O/S_sender(packet)) then - /* O/S report of sender not who claims to have sent it */ - error_out(KRB_AP_ERR_BADADDR); - endif - if ((packet.r-address is present) and - (packet.r-address != local_host_address)) then - /* was not sent to proper place */ - error_out(KRB_AP_ERR_BADADDR); - endif - if (((packet.timestamp is present) and - (not in_clock_skew(packet.timestamp,packet.usec))) or - (packet.timestamp is not present and timestamp expected)) then - error_out(KRB_AP_ERR_SKEW); - endif - if (repeated(packet.timestamp,packet.usec,packet.s-address)) then - error_out(KRB_AP_ERR_REPEAT); - endif - - -Section A.15. 
- 115 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - if (((packet.seq-number is present) and - ((not in_sequence(packet.seq-number)))) or - (packet.seq-number is not present and sequence expected)) then - error_out(KRB_AP_ERR_BADORDER); - endif - if (packet.timestamp not present and packet.seq-number not present) then - error_out(KRB_AP_ERR_MODIFIED); - endif - - save_identifier(packet.{timestamp,usec,s-address}, - sender_principal(packet)); - - return PACKET_IS_OK; - -A.16. KRB_PRIV generation - collect user data in buffer; - - /* assemble packet: */ - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_PRIV */ - - packet.enc-part.etype := encryption type; - - body.user-data := buffer; - if (using timestamp) then - get system_time; - body.timestamp, body.usec := system_time; - endif - if (using sequence numbers) then - body.seq-number := sequence number; - endif - body.s-address := sender host addresses; - if (only one recipient) then - body.r-address := recipient host address; - endif - - encode body into OCTET STRING; - - select encryption type; - encrypt OCTET STRING into packet.enc-part.cipher; - - -A.17. KRB_PRIV verification - receive packet; - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_PRIV) then - error_out(KRB_AP_ERR_MSG_TYPE); - endif - - cleartext := decrypt(packet.enc-part) using negotiated key; - if (decryption_error()) then - - -Section A.17. - 116 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - - if (safe_priv_common_checks_ok(cleartext)) then - return(cleartext.DATA, PACKET_IS_GENUINE_AND_UNMODIFIED); - else - return common_checks_error; - endif - -A.18. 
KRB_CRED generation - invoke KRB_TGS; /* obtain tickets to be provided to peer */ - - /* assemble packet: */ - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_CRED */ - - for (tickets[n] in tickets to be forwarded) do - packet.tickets[n] = tickets[n].ticket; - done - - packet.enc-part.etype := encryption type; - - for (ticket[n] in tickets to be forwarded) do - body.ticket-info[n].key = tickets[n].session; - body.ticket-info[n].prealm = tickets[n].crealm; - body.ticket-info[n].pname = tickets[n].cname; - body.ticket-info[n].flags = tickets[n].flags; - body.ticket-info[n].authtime = tickets[n].authtime; - body.ticket-info[n].starttime = tickets[n].starttime; - body.ticket-info[n].endtime = tickets[n].endtime; - body.ticket-info[n].renew-till = tickets[n].renew-till; - body.ticket-info[n].srealm = tickets[n].srealm; - body.ticket-info[n].sname = tickets[n].sname; - body.ticket-info[n].caddr = tickets[n].caddr; - done - - get system_time; - body.timestamp, body.usec := system_time; - - if (using nonce) then - body.nonce := nonce; - endif - - if (using s-address) then - body.s-address := sender host addresses; - endif - if (limited recipients) then - body.r-address := recipient host address; - endif - - encode body into OCTET STRING; - - select encryption type; - encrypt OCTET STRING into packet.enc-part.cipher - - -Section A.18. - 117 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - using negotiated encryption key; - - -A.19. 
KRB_CRED verification - receive packet; - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_CRED) then - error_out(KRB_AP_ERR_MSG_TYPE); - endif - - cleartext := decrypt(packet.enc-part) using negotiated key; - if (decryption_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - if ((packet.r-address is present or required) and - (packet.s-address != O/S_sender(packet)) then - /* O/S report of sender not who claims to have sent it */ - error_out(KRB_AP_ERR_BADADDR); - endif - if ((packet.r-address is present) and - (packet.r-address != local_host_address)) then - /* was not sent to proper place */ - error_out(KRB_AP_ERR_BADADDR); - endif - if (not in_clock_skew(packet.timestamp,packet.usec)) then - error_out(KRB_AP_ERR_SKEW); - endif - if (repeated(packet.timestamp,packet.usec,packet.s-address)) then - error_out(KRB_AP_ERR_REPEAT); - endif - if (packet.nonce is required or present) and - (packet.nonce != expected-nonce) then - error_out(KRB_AP_ERR_MODIFIED); - endif - - for (ticket[n] in tickets that were forwarded) do - save_for_later(ticket[n],key[n],principal[n], - server[n],times[n],flags[n]); - return - -A.20. KRB_ERROR generation - - /* assemble packet: */ - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_ERROR */ - - get system_time; - packet.stime, packet.susec := system_time; - packet.realm, packet.sname := server name; - - if (client time available) then - - -Section A.20. 
- 118 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - packet.ctime, packet.cusec := client_time; - endif - packet.error-code := error code; - if (client name available) then - packet.cname, packet.crealm := client name; - endif - if (error text available) then - packet.e-text := error text; - endif - if (error data available) then - packet.e-data := error data; - endif - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 119 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - cxx - Expires 11 January 1998 - - - - - - - - - - - Table of Contents - - - - -Overview .............................................. 2 - -Background ............................................ 2 - -1. Introduction ....................................... 3 - -1.1. Cross-Realm Operation ............................ 5 - -1.2. Authorization .................................... 6 - -1.3. Environmental assumptions ........................ 7 - -1.4. Glossary of terms ................................ 8 - -2. Ticket flag uses and requests ...................... 10 - -2.1. Initial and pre-authenticated tickets ............ 10 - -2.2. Invalid tickets .................................. 11 - -2.3. Renewable tickets ................................ 11 - -2.4. Postdated tickets ................................ 12 - -2.5. Proxiable and proxy tickets ...................... 12 - -2.6. Forwardable tickets .............................. 13 - -2.7. Other KDC options ................................ 14 - -3. Message Exchanges .................................. 14 - -3.1. The Authentication Service Exchange .............. 14 - -3.1.1. Generation of KRB_AS_REQ message ............... 16 - -3.1.2. Receipt of KRB_AS_REQ message .................. 16 - -3.1.3. 
Generation of KRB_AS_REP message ............... 16 - -3.1.4. Generation of KRB_ERROR message ................ 19 - -3.1.5. Receipt of KRB_AS_REP message .................. 19 - -3.1.6. Receipt of KRB_ERROR message ................... 19 - -3.2. The Client/Server Authentication Exchange ........ 19 - -3.2.1. The KRB_AP_REQ message ......................... 20 - - - - i - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -3.2.2. Generation of a KRB_AP_REQ message ............. 20 - -3.2.3. Receipt of KRB_AP_REQ message .................. 21 - -3.2.4. Generation of a KRB_AP_REP message ............. 23 - -3.2.5. Receipt of KRB_AP_REP message .................. 23 - -3.2.6. Using the encryption key ....................... 24 - -3.3. The Ticket-Granting Service (TGS) Exchange ....... 25 - -3.3.1. Generation of KRB_TGS_REQ message .............. 26 - -3.3.2. Receipt of KRB_TGS_REQ message ................. 27 - -3.3.3. Generation of KRB_TGS_REP message .............. 28 - -3.3.3.1. Checking for revoked tickets ................. 30 - -3.3.3.2. Encoding the transited field ................. 30 - -3.3.4. Receipt of KRB_TGS_REP message ................. 32 - -3.4. The KRB_SAFE Exchange ............................ 32 - -3.4.1. Generation of a KRB_SAFE message ............... 32 - -3.4.2. Receipt of KRB_SAFE message .................... 33 - -3.5. The KRB_PRIV Exchange ............................ 34 - -3.5.1. Generation of a KRB_PRIV message ............... 34 - -3.5.2. Receipt of KRB_PRIV message .................... 34 - -3.6. The KRB_CRED Exchange ............................ 35 - -3.6.1. Generation of a KRB_CRED message ............... 35 - -3.6.2. Receipt of KRB_CRED message .................... 35 - -4. The Kerberos Database .............................. 36 - -4.1. Database contents ................................ 36 - -4.2. Additional fields ................................ 37 - -4.3. Frequently Changing Fields ....................... 
38 - -4.4. Site Constants ................................... 39 - -5. Message Specifications ............................. 39 - - - - - ii - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -5.1. ASN.1 Distinguished Encoding Representation ...... 39 - -5.2. ASN.1 Base Definitions ........................... 40 - -5.3. Tickets and Authenticators ....................... 43 - -5.3.1. Tickets ........................................ 43 - -5.3.2. Authenticators ................................. 52 - -5.4. Specifications for the AS and TGS exchanges ...... 54 - -5.4.1. KRB_KDC_REQ definition ......................... 54 - -5.4.2. KRB_KDC_REP definition ......................... 61 - -5.5. Client/Server (CS) message specifications ........ 64 - -5.5.1. KRB_AP_REQ definition .......................... 64 - -5.5.2. KRB_AP_REP definition .......................... 65 - -5.5.3. Error message reply ............................ 67 - -5.6. KRB_SAFE message specification ................... 67 - -5.6.1. KRB_SAFE definition ............................ 67 - -5.7. KRB_PRIV message specification ................... 68 - -5.7.1. KRB_PRIV definition ............................ 68 - -5.8. KRB_CRED message specification ................... 69 - -5.8.1. KRB_CRED definition ............................ 70 - -5.9. Error message specification ...................... 72 - -5.9.1. KRB_ERROR definition ........................... 72 - -6. Encryption and Checksum Specifications ............. 74 - -6.1. Encryption Specifications ........................ 76 - -6.2. Encryption Keys .................................. 78 - -6.3. Encryption Systems ............................... 78 - -6.3.1. The NULL Encryption System (null) .............. 78 - -6.3.2. DES in CBC mode with a CRC-32 checksum (des- -cbc-crc) .............................................. 79 - -6.3.3. 
DES in CBC mode with an MD4 checksum (des- - - - - iii - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -cbc-md4) .............................................. 79 - -6.3.4. DES in CBC mode with an MD5 checksum (des- -cbc-md5) .............................................. 79 - -6.3.5. Triple DES EDE in outer CBC mode with an SHA1 -checksum (des3-cbc-sha1) .............................. 81 - -6.4. Checksums ........................................ 83 - -6.4.1. The CRC-32 Checksum (crc32) .................... 84 - -6.4.2. The RSA MD4 Checksum (rsa-md4) ................. 84 - -6.4.3. RSA MD4 Cryptographic Checksum Using DES -(rsa-md4-des) ......................................... 84 - -6.4.4. The RSA MD5 Checksum (rsa-md5) ................. 85 - -6.4.5. RSA MD5 Cryptographic Checksum Using DES -(rsa-md5-des) ......................................... 85 - -6.4.6. DES cipher-block chained checksum (des-mac) - -6.4.7. RSA MD4 Cryptographic Checksum Using DES -alternative (rsa-md4-des-k) ........................... 86 - -6.4.8. DES cipher-block chained checksum alternative -(des-mac-k) ........................................... 87 - -7. Naming Constraints ................................. 87 - -7.1. Realm Names ...................................... 87 - -7.2. Principal Names .................................. 88 - -7.2.1. Name of server principals ...................... 89 - -8. Constants and other defined values ................. 90 - -8.1. Host address types ............................... 90 - -8.2. KDC messages ..................................... 91 - -8.2.1. IP transport ................................... 91 - -8.2.2. OSI transport .................................. 91 - -8.2.3. Name of the TGS ................................ 92 - -8.3. Protocol constants and associated values ......... 92 - -9. Interoperability requirements ...................... 
95 - - - - - iv - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -9.1. Specification 1 .................................. 95 - -9.2. Recommended KDC values ........................... 97 - -10. REFERENCES ........................................ 98 - -A. Pseudo-code for protocol processing ................ 100 - -A.1. KRB_AS_REQ generation ............................ 100 - -A.2. KRB_AS_REQ verification and KRB_AS_REP genera- -tion .................................................. 100 - -A.3. KRB_AS_REP verification .......................... 104 - -A.4. KRB_AS_REP and KRB_TGS_REP common checks ......... 104 - -A.5. KRB_TGS_REQ generation ........................... 105 - -A.6. KRB_TGS_REQ verification and KRB_TGS_REP gen- -eration ............................................... 106 - -A.7. KRB_TGS_REP verification ......................... 111 - -A.8. Authenticator generation ......................... 112 - -A.9. KRB_AP_REQ generation ............................ 112 - -A.10. KRB_AP_REQ verification ......................... 112 - -A.11. KRB_AP_REP generation ........................... 113 - -A.12. KRB_AP_REP verification ......................... 114 - -A.13. KRB_SAFE generation ............................. 114 - -A.14. KRB_SAFE verification ........................... 115 - -A.15. KRB_SAFE and KRB_PRIV common checks ............. 115 - -A.16. KRB_PRIV generation ............................. 116 - -A.17. KRB_PRIV verification ........................... 116 - -A.18. KRB_CRED generation ............................. 117 - -A.19. KRB_CRED verification ........................... 118 - -A.20. KRB_ERROR generation ............................ 118 - - - - - - - - - v - Expires 11 January 1998 - - - - diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-revisions-01.txt b/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-revisions-01.txt deleted file mode 100644 index 78db9d78f3..0000000000 
--- a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-revisions-01.txt
+++ /dev/null
@@ -1,6214 +0,0 @@ - -INTERNET-DRAFT Clifford Neuman - John Kohl - Theodore Ts'o - 21 November 1997 - -The Kerberos Network Authentication Service (V5) - -STATUS OF THIS MEMO - -This document is an Internet-Draft. Internet-Drafts are working documents of -the Internet Engineering Task Force (IETF), its areas, and its working -groups. Note that other groups may also distribute working documents as -Internet-Drafts. - -Internet-Drafts are draft documents valid for a maximum of six months and -may be updated, replaced, or obsoleted by other documents at any time. It is -inappropriate to use Internet-Drafts as reference material or to cite them -other than as 'work in progress.' - -To learn the current status of any Internet-Draft, please check the -'1id-abstracts.txt' listing contained in the Internet-Drafts Shadow -Directories on ds.internic.net (US East Coast), nic.nordu.net (Europe), -ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim). - -The distribution of this memo is unlimited. It is filed as -draft-ietf-cat-kerberos-r-01.txt, and expires 21 May 1998. Please send -comments to: krb-protocol@MIT.EDU - -ABSTRACT - -This document provides an overview and specification of Version 5 of the -Kerberos protocol, and updates RFC1510 to clarify aspects of the protocol -and its intended use that require more detailed or clearer explanation than -was provided in RFC1510. This document is intended to provide a detailed -description of the protocol, suitable for implementation, together with -descriptions of the appropriate use of protocol messages and fields within -those messages. - -This document is not intended to describe Kerberos to the end user, system -administrator, or application developer. Higher level papers describing -Version 5 of the Kerberos system [NT94] and documenting version 4 [SNS88], -are available elsewhere. - -OVERVIEW - -This INTERNET-DRAFT describes the concepts and model upon which the Kerberos -network authentication system is based. 
It also specifies Version 5 of the -Kerberos protocol. - -The motivations, goals, assumptions, and rationale behind most design -decisions are treated cursorily; they are more fully described in a paper -available in IEEE communications [NT94] and earlier in the Kerberos portion -of the Athena Technical Plan [MNSS87]. The protocols have been a proposed - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -standard and are being considered for advancement for draft standard through -the IETF standard process. Comments are encouraged on the presentation, but -only minor refinements to the protocol as implemented or extensions that fit -within current protocol framework will be considered at this time. - -Requests for addition to an electronic mailing list for discussion of -Kerberos, kerberos@MIT.EDU, may be addressed to kerberos-request@MIT.EDU. -This mailing list is gatewayed onto the Usenet as the group -comp.protocols.kerberos. Requests for further information, including -documents and code availability, may be sent to info-kerberos@MIT.EDU. - -BACKGROUND - -The Kerberos model is based in part on Needham and Schroeder's trusted -third-party authentication protocol [NS78] and on modifications suggested by -Denning and Sacco [DS81]. The original design and implementation of Kerberos -Versions 1 through 4 was the work of two former Project Athena staff -members, Steve Miller of Digital Equipment Corporation and Clifford Neuman -(now at the Information Sciences Institute of the University of Southern -California), along with Jerome Saltzer, Technical Director of Project -Athena, and Jeffrey Schiller, MIT Campus Network Manager. Many other members -of Project Athena have also contributed to the work on Kerberos. - -Version 5 of the Kerberos protocol (described in this document) has evolved -from Version 4 based on new requirements and desires for features not -available in Version 4. 
The design of Version 5 of the Kerberos protocol was -led by Clifford Neuman and John Kohl with much input from the community. The -development of the MIT reference implementation was led at MIT by John Kohl -and Theodore T'so, with help and contributed code from many others. -Reference implementations of both version 4 and version 5 of Kerberos are -publicly available and commercial implementations have been developed and -are widely used. - -Details on the differences between Kerberos Versions 4 and 5 can be found in -[KNT92]. - -1. Introduction - -Kerberos provides a means of verifying the identities of principals, (e.g. a -workstation user or a network server) on an open (unprotected) network. This -is accomplished without relying on assertions by the host operating system, -without basing trust on host addresses, without requiring physical security -of all the hosts on the network, and under the assumption that packets -traveling along the network can be read, modified, and inserted at will[1]. -Kerberos performs authentication under these conditions as a trusted -third-party authentication service by using conventional (shared secret key -[2] cryptography. Kerberos extensions have been proposed and implemented -that provide for the use of public key cryptography during certain phases of -the authentication protocol. These extensions provide for authentication of -users registered with public key certification authorities, and allow the -system to provide certain benefits of public key cryptography in situations -where they are needed. - -The basic Kerberos authentication process proceeds as follows: A client - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -sends a request to the authentication server (AS) requesting 'credentials' -for a given server. The AS responds with these credentials, encrypted in the -client's key. The credentials consist of 1) a 'ticket' for the server and 2) -a temporary encryption key (often called a "session key"). 
The client -transmits the ticket (which contains the client's identity and a copy of the -session key, all encrypted in the server's key) to the server. The session -key (now shared by the client and server) is used to authenticate the -client, and may optionally be used to authenticate the server. It may also -be used to encrypt further communication between the two parties or to -exchange a separate sub-session key to be used to encrypt further -communication. - -Implementation of the basic protocol consists of one or more authentication -servers running on physically secure hosts. The authentication servers -maintain a database of principals (i.e., users and servers) and their secret -keys. Code libraries provide encryption and implement the Kerberos protocol. -In order to add authentication to its transactions, a typical network -application adds one or two calls to the Kerberos library directly or -through the Generic Security Services Application Programming Interface, -GSSAPI, described in separate document. These calls result in the -transmission of the necessary messages to achieve authentication. - -The Kerberos protocol consists of several sub-protocols (or exchanges). -There are two basic methods by which a client can ask a Kerberos server for -credentials. In the first approach, the client sends a cleartext request for -a ticket for the desired server to the AS. The reply is sent encrypted in -the client's secret key. Usually this request is for a ticket-granting -ticket (TGT) which can later be used with the ticket-granting server (TGS). -In the second method, the client sends a request to the TGS. The client uses -the TGT to authenticate itself to the TGS in the same manner as if it were -contacting any other application server that requires Kerberos -authentication. The reply is encrypted in the session key from the TGT. 
-Though the protocol specification describes the AS and the TGS as separate -servers, they are implemented in practice as different protocol entry points -within a single Kerberos server. - -Once obtained, credentials may be used to verify the identity of the -principals in a transaction, to ensure the integrity of messages exchanged -between them, or to preserve privacy of the messages. The application is -free to choose whatever protection may be necessary. - -To verify the identities of the principals in a transaction, the client -transmits the ticket to the application server. Since the ticket is sent "in -the clear" (parts of it are encrypted, but this encryption doesn't thwart -replay) and might be intercepted and reused by an attacker, additional -information is sent to prove that the message originated with the principal -to whom the ticket was issued. This information (called the authenticator) -is encrypted in the session key, and includes a timestamp. The timestamp -proves that the message was recently generated and is not a replay. -Encrypting the authenticator in the session key proves that it was generated -by a party possessing the session key. Since no one except the requesting -principal and the server know the session key (it is never sent over the -network in the clear) this guarantees the identity of the client. - - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -The integrity of the messages exchanged between principals can also be -guaranteed using the session key (passed in the ticket and contained in the -credentials). This approach provides detection of both replay attacks and -message stream modification attacks. It is accomplished by generating and -transmitting a collision-proof checksum (elsewhere called a hash or digest -function) of the client's message, keyed with the session key. 
Privacy and -integrity of the messages exchanged between principals can be secured by -encrypting the data to be passed using the session key contained in the -ticket or the subsession key found in the authenticator. - -The authentication exchanges mentioned above require read-only access to the -Kerberos database. Sometimes, however, the entries in the database must be -modified, such as when adding new principals or changing a principal's key. -This is done using a protocol between a client and a third Kerberos server, -the Kerberos Administration Server (KADM). There is also a protocol for -maintaining multiple copies of the Kerberos database. Neither of these -protocols are described in this document. - -1.1. Cross-Realm Operation - -The Kerberos protocol is designed to operate across organizational -boundaries. A client in one organization can be authenticated to a server in -another. Each organization wishing to run a Kerberos server establishes its -own 'realm'. The name of the realm in which a client is registered is part -of the client's name, and can be used by the end-service to decide whether -to honor a request. - -By establishing 'inter-realm' keys, the administrators of two realms can -allow a client authenticated in the local realm to prove its identity to -servers in other realms[3]. The exchange of inter-realm keys (a separate key -may be used for each direction) registers the ticket-granting service of -each realm as a principal in the other realm. A client is then able to -obtain a ticket-granting ticket for the remote realm's ticket-granting -service from its local realm. When that ticket-granting ticket is used, the -remote ticket-granting service uses the inter-realm key (which usually -differs from its own normal TGS key) to decrypt the ticket-granting ticket, -and is thus certain that it was issued by the client's own TGS. 
Tickets -issued by the remote ticket-granting service will indicate to the -end-service that the client was authenticated from another realm. - -A realm is said to communicate with another realm if the two realms share an -inter-realm key, or if the local realm shares an inter-realm key with an -intermediate realm that communicates with the remote realm. An -authentication path is the sequence of intermediate realms that are -transited in communicating from one realm to another. - -Realms are typically organized hierarchically. Each realm shares a key with -its parent and a different key with each child. If an inter-realm key is not -directly shared by two realms, the hierarchical organization allows an -authentication path to be easily constructed. If a hierarchical organization -is not used, it may be necessary to consult a database in order to construct -an authentication path between realms. - -Although realms are typically hierarchical, intermediate realms may be - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -bypassed to achieve cross-realm authentication through alternate -authentication paths (these might be established to make communication -between two realms more efficient). It is important for the end-service to -know which realms were transited when deciding how much faith to place in -the authentication process. To facilitate this decision, a field in each -ticket contains the names of the realms that were involved in authenticating -the client. - -The application server is ultimately responsible for accepting or rejecting -authentication and should check the transited field. The application server -may choose to rely on the KDC for the application server's realm to check -the transited field. The application server's KDC will set the -TRANSITED-POLICY-CHECKED flag in this case. The KDC's for intermediate -realms may also check the transited field as they issue -ticket-granting-tickets for other realms, but they are encouraged not to do -so. 
A client may request that the KDC's not check the transited field by -setting the DISABLE-TRANSITED-CHECK flag. KDC's are encouraged but not -required to honor this flag. - -1.2. Authorization - -As an authentication service, Kerberos provides a means of verifying the -identity of principals on a network. Authentication is usually useful -primarily as a first step in the process of authorization, determining -whether a client may use a service, which objects the client is allowed to -access, and the type of access allowed for each. Kerberos does not, by -itself, provide authorization. Possession of a client ticket for a service -provides only for authentication of the client to that service, and in the -absence of a separate authorization procedure, it should not be considered -by an application as authorizing the use of that service. - -Such separate authorization methods may be implemented as application -specific access control functions and may be based on files such as the -application server, or on separately issued authorization credentials such -as those based on proxies [Neu93] , or on other authorization services. - -Applications should not be modified to accept the issuance of a service -ticket by the Kerberos server (even by an modified Kerberos server) as -granting authority to use the service, since such applications may become -vulnerable to the bypass of this authorization check in an environment if -they interoperate with other KDCs or where other options for application -authentication (e.g. the PKTAPP proposal) are provided. - -1.3. Environmental assumptions - -Kerberos imposes a few assumptions on the environment in which it can -properly function: - - * 'Denial of service' attacks are not solved with Kerberos. There are - places in these protocols where an intruder can prevent an application - from participating in the proper authentication steps. 
Detection and - solution of such attacks (some of which can appear to be nnot-uncommon - 'normal' failure modes for the system) is usually best left to the - human administrators and users. - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - * Principals must keep their secret keys secret. If an intruder somehow - steals a principal's key, it will be able to masquerade as that - principal or impersonate any server to the legitimate principal. - * 'Password guessing' attacks are not solved by Kerberos. If a user - chooses a poor password, it is possible for an attacker to successfully - mount an offline dictionary attack by repeatedly attempting to decrypt, - with successive entries from a dictionary, messages obtained which are - encrypted under a key derived from the user's password. - * Each host on the network must have a clock which is 'loosely - synchronized' to the time of the other hosts; this synchronization is - used to reduce the bookkeeping needs of application servers when they - do replay detection. The degree of "looseness" can be configured on a - per-server basis, but is typically on the order of 5 minutes. If the - clocks are synchronized over the network, the clock synchronization - protocol must itself be secured from network attackers. - * Principal identifiers are not recycled on a short-term basis. A typical - mode of access control will use access control lists (ACLs) to grant - permissions to particular principals. If a stale ACL entry remains for - a deleted principal and the principal identifier is reused, the new - principal will inherit rights specified in the stale ACL entry. By not - re-using principal identifiers, the danger of inadvertent access is - removed. - -1.4. Glossary of terms - -Below is a list of terms used throughout this document. - -Authentication - Verifying the claimed identity of a principal. 
-Authentication header - A record containing a Ticket and an Authenticator to be presented to a - server as part of the authentication process. -Authentication path - A sequence of intermediate realms transited in the authentication - process when communicating from one realm to another. -Authenticator - A record containing information that can be shown to have been recently - generated using the session key known only by the client and server. -Authorization - The process of determining whether a client may use a service, which - objects the client is allowed to access, and the type of access allowed - for each. -Capability - A token that grants the bearer permission to access an object or - service. In Kerberos, this might be a ticket whose use is restricted by - the contents of the authorization data field, but which lists no - network addresses, together with the session key necessary to use the - ticket. -Ciphertext - The output of an encryption function. Encryption transforms plaintext - into ciphertext. -Client - A process that makes use of a network service on behalf of a user. Note - that in some cases a Server may itself be a client of some other server - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - (e.g. a print server may be a client of a file server). -Credentials - A ticket plus the secret session key necessary to successfully use that - ticket in an authentication exchange. -KDC - Key Distribution Center, a network service that supplies tickets and - temporary session keys; or an instance of that service or the host on - which it runs. The KDC services both initial ticket and ticket-granting - ticket requests. The initial ticket portion is sometimes referred to as - the Authentication Server (or service). The ticket-granting ticket - portion is sometimes referred to as the ticket-granting server (or - service). 
-Kerberos - Aside from the 3-headed dog guarding Hades, the name given to Project - Athena's authentication service, the protocol used by that service, or - the code used to implement the authentication service. -Plaintext - The input to an encryption function or the output of a decryption - function. Decryption transforms ciphertext into plaintext. -Principal - A uniquely named client or server instance that participates in a - network communication. -Principal identifier - The name used to uniquely identify each different principal. -Seal - To encipher a record containing several fields in such a way that the - fields cannot be individually replaced without either knowledge of the - encryption key or leaving evidence of tampering. -Secret key - An encryption key shared by a principal and the KDC, distributed - outside the bounds of the system, with a long lifetime. In the case of - a human user's principal, the secret key is derived from a password. -Server - A particular Principal which provides a resource to network clients. - The server is sometimes refered to as the Application Server. -Service - A resource provided to network clients; often provided by more than one - server (for example, remote file service). -Session key - A temporary encryption key used between two principals, with a lifetime - limited to the duration of a single login "session". -Sub-session key - A temporary encryption key used between two principals, selected and - exchanged by the principals using the session key, and with a lifetime - limited to the duration of a single association. -Ticket - A record that helps a client authenticate itself to a server; it - contains the client's identity, a session key, a timestamp, and other - information, all sealed using the server's secret key. It only serves - to authenticate a client when presented along with a fresh - Authenticator. - -2. 
Ticket flag uses and requests - - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -Each Kerberos ticket contains a set of flags which are used to indicate -various attributes of that ticket. Most flags may be requested by a client -when the ticket is obtained; some are automatically turned on and off by a -Kerberos server as required. The following sections explain what the various -flags mean, and gives examples of reasons to use such a flag. - -2.1. Initial and pre-authenticated tickets - -The INITIAL flag indicates that a ticket was issued using the AS protocol -and not issued based on a ticket-granting ticket. Application servers that -want to require the demonstrated knowledge of a client's secret key (e.g. a -password-changing program) can insist that this flag be set in any tickets -they accept, and thus be assured that the client's key was recently -presented to the application client. - -The PRE-AUTHENT and HW-AUTHENT flags provide addition information about the -initial authentication, regardless of whether the current ticket was issued -directly (in which case INITIAL will also be set) or issued on the basis of -a ticket-granting ticket (in which case the INITIAL flag is clear, but the -PRE-AUTHENT and HW-AUTHENT flags are carried forward from the -ticket-granting ticket). - -2.2. Invalid tickets - -The INVALID flag indicates that a ticket is invalid. Application servers -must reject tickets which have this flag set. A postdated ticket will -usually be issued in this form. Invalid tickets must be validated by the KDC -before use, by presenting them to the KDC in a TGS request with the VALIDATE -option specified. The KDC will only validate tickets after their starttime -has passed. The validation is required so that postdated tickets which have -been stolen before their starttime can be rendered permanently invalid -(through a hot-list mechanism) (see section 3.3.3.1). - -2.3. 
Renewable tickets - -Applications may desire to hold tickets which can be valid for long periods -of time. However, this can expose their credentials to potential theft for -equally long periods, and those stolen credentials would be valid until the -expiration time of the ticket(s). Simply using short-lived tickets and -obtaining new ones periodically would require the client to have long-term -access to its secret key, an even greater risk. Renewable tickets can be -used to mitigate the consequences of theft. Renewable tickets have two -"expiration times": the first is when the current instance of the ticket -expires, and the second is the latest permissible value for an individual -expiration time. An application client must periodically (i.e. before it -expires) present a renewable ticket to the KDC, with the RENEW option set in -the KDC request. The KDC will issue a new ticket with a new session key and -a later expiration time. All other fields of the ticket are left unmodified -by the renewal process. When the latest permissible expiration time arrives, -the ticket expires permanently. At each renewal, the KDC may consult a -hot-list to determine if the ticket had been reported stolen since its last -renewal; it will refuse to renew such stolen tickets, and thus the usable -lifetime of stolen tickets is reduced. - - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -The RENEWABLE flag in a ticket is normally only interpreted by the -ticket-granting service (discussed below in section 3.3). It can usually be -ignored by application servers. However, some particularly careful -application servers may wish to disallow renewable tickets. - -If a renewable ticket is not renewed by its expiration time, the KDC will -not renew the ticket. The RENEWABLE flag is reset by default, but a client -may request it be set by setting the RENEWABLE option in the KRB_AS_REQ -message. 
If it is set, then the renew-till field in the ticket contains the -time after which the ticket may not be renewed. - -2.4. Postdated tickets - -Applications may occasionally need to obtain tickets for use much later, -e.g. a batch submission system would need tickets to be valid at the time -the batch job is serviced. However, it is dangerous to hold valid tickets in -a batch queue, since they will be on-line longer and more prone to theft. -Postdated tickets provide a way to obtain these tickets from the KDC at job -submission time, but to leave them "dormant" until they are activated and -validated by a further request of the KDC. If a ticket theft were reported -in the interim, the KDC would refuse to validate the ticket, and the thief -would be foiled. - -The MAY-POSTDATE flag in a ticket is normally only interpreted by the -ticket-granting service. It can be ignored by application servers. This flag -must be set in a ticket-granting ticket in order to issue a postdated ticket -based on the presented ticket. It is reset by default; it may be requested -by a client by setting the ALLOW-POSTDATE option in the KRB_AS_REQ message. -This flag does not allow a client to obtain a postdated ticket-granting -ticket; postdated ticket-granting tickets can only by obtained by requesting -the postdating in the KRB_AS_REQ message. The life (endtime-starttime) of a -postdated ticket will be the remaining life of the ticket-granting ticket at -the time of the request, unless the RENEWABLE option is also set, in which -case it can be the full life (endtime-starttime) of the ticket-granting -ticket. The KDC may limit how far in the future a ticket may be postdated. - -The POSTDATED flag indicates that a ticket has been postdated. The -application server can check the authtime field in the ticket to see when -the original authentication occurred. 
Some services may choose to reject -postdated tickets, or they may only accept them within a certain period -after the original authentication. When the KDC issues a POSTDATED ticket, -it will also be marked as INVALID, so that the application client must -present the ticket to the KDC to be validated before use. - -2.5. Proxiable and proxy tickets - -At times it may be necessary for a principal to allow a service to perform -an operation on its behalf. The service must be able to take on the identity -of the client, but only for a particular purpose. A principal can allow a -service to take on the principal's identity for a particular purpose by -granting it a proxy. - -The process of granting a proxy using the proxy and proxiable flags is used -to provide credentials for use with specific services. Though conceptually - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -also a proxy, user's wishing to delegate their identity for ANY purpose must -use the ticket forwarding mechanism described in the next section to forward -a ticket granting ticket. - -The PROXIABLE flag in a ticket is normally only interpreted by the -ticket-granting service. It can be ignored by application servers. When set, -this flag tells the ticket-granting server that it is OK to issue a new -ticket (but not a ticket-granting ticket) with a different network address -based on this ticket. This flag is set if requested by the client on initial -authentication. By default, the client will request that it be set when -requesting a ticket granting ticket, and reset when requesting any other -ticket. - -This flag allows a client to pass a proxy to a server to perform a remote -request on its behalf, e.g. a print service client can give the print server -a proxy to access the client's files on a particular file server in order to -satisfy a print request. 
- -In order to complicate the use of stolen credentials, Kerberos tickets are -usually valid from only those network addresses specifically included in the -ticket[4]. When granting a proxy, the client must specify the new network -address from which the proxy is to be used, or indicate that the proxy is to -be issued for use from any address. - -The PROXY flag is set in a ticket by the TGS when it issues a proxy ticket. -Application servers may check this flag and at their option they may require -additional authentication from the agent presenting the proxy in order to -provide an audit trail. - -2.6. Forwardable tickets - -Authentication forwarding is an instance of a proxy where the service is -granted complete use of the client's identity. An example where it might be -used is when a user logs in to a remote system and wants authentication to -work from that system as if the login were local. - -The FORWARDABLE flag in a ticket is normally only interpreted by the -ticket-granting service. It can be ignored by application servers. The -FORWARDABLE flag has an interpretation similar to that of the PROXIABLE -flag, except ticket-granting tickets may also be issued with different -network addresses. This flag is reset by default, but users may request that -it be set by setting the FORWARDABLE option in the AS request when they -request their initial ticket- granting ticket. - -This flag allows for authentication forwarding without requiring the user to -enter a password again. If the flag is not set, then authentication -forwarding is not permitted, but the same result can still be achieved if -the user engages in the AS exchange specifying the requested network -addresses and supplies a password. - -The FORWARDED flag is set by the TGS when a client presents a ticket with -the FORWARDABLE flag set and requests a forwarded ticket by specifying the -FORWARDED KDC option and supplying a set of addresses for the new ticket. 
It -is also set in all tickets issued based on tickets with the FORWARDED flag - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -set. Application servers may choose to process FORWARDED tickets differently -than non-FORWARDED tickets. - -2.7. Other KDC options - -There are two additional options which may be set in a client's request of -the KDC. The RENEWABLE-OK option indicates that the client will accept a -renewable ticket if a ticket with the requested life cannot otherwise be -provided. If a ticket with the requested life cannot be provided, then the -KDC may issue a renewable ticket with a renew-till equal to the the -requested endtime. The value of the renew-till field may still be adjusted -by site-determined limits or limits imposed by the individual principal or -server. - -The ENC-TKT-IN-SKEY option is honored only by the ticket-granting service. -It indicates that the ticket to be issued for the end server is to be -encrypted in the session key from the a additional second ticket-granting -ticket provided with the request. See section 3.3.3 for specific details. - -3. Message Exchanges - -The following sections describe the interactions between network clients and -servers and the messages involved in those exchanges. - -3.1. The Authentication Service Exchange - - Summary - Message direction Message type Section - 1. Client to Kerberos KRB_AS_REQ 5.4.1 - 2. Kerberos to client KRB_AS_REP or 5.4.2 - KRB_ERROR 5.9.1 - -The Authentication Service (AS) Exchange between the client and the Kerberos -Authentication Server is initiated by a client when it wishes to obtain -authentication credentials for a given server but currently holds no -credentials. In its basic form, the client's secret key is used for -encryption and decryption. 
This exchange is typically used at the initiation -of a login session to obtain credentials for a Ticket-Granting Server which -will subsequently be used to obtain credentials for other servers (see -section 3.3) without requiring further use of the client's secret key. This -exchange is also used to request credentials for services which must not be -mediated through the Ticket-Granting Service, but rather require a -principal's secret key, such as the password-changing service[5]. This -exchange does not by itself provide any assurance of the the identity of the -user[6]. - -The exchange consists of two messages: KRB_AS_REQ from the client to -Kerberos, and KRB_AS_REP or KRB_ERROR in reply. The formats for these -messages are described in sections 5.4.1, 5.4.2, and 5.9.1. - -In the request, the client sends (in cleartext) its own identity and the -identity of the server for which it is requesting credentials. The response, -KRB_AS_REP, contains a ticket for the client to present to the server, and a -session key that will be shared by the client and the server. The session - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -key and additional information are encrypted in the client's secret key. The -KRB_AS_REP message contains information which can be used to detect replays, -and to associate it with the message to which it replies. Various errors can -occur; these are indicated by an error response (KRB_ERROR) instead of the -KRB_AS_REP response. The error message is not encrypted. The KRB_ERROR -message contains information which can be used to associate it with the -message to which it replies. The lack of encryption in the KRB_ERROR message -precludes the ability to detect replays, fabrications, or modifications of -such messages. - -Without preautentication, the authentication server does not know whether -the client is actually the principal named in the request. It simply sends a -reply without knowing or caring whether they are the same. 
This is -acceptable because nobody but the principal whose identity was given in the -request will be able to use the reply. Its critical information is encrypted -in that principal's key. The initial request supports an optional field that -can be used to pass additional information that might be needed for the -initial exchange. This field may be used for preauthentication as described -in section [hl<>]. - -3.1.1. Generation of KRB_AS_REQ message - -The client may specify a number of options in the initial request. Among -these options are whether pre-authentication is to be performed; whether the -requested ticket is to be renewable, proxiable, or forwardable; whether it -should be postdated or allow postdating of derivative tickets; and whether a -renewable ticket will be accepted in lieu of a non-renewable ticket if the -requested ticket expiration date cannot be satisfied by a non-renewable -ticket (due to configuration constraints; see section 4). See section A.1 -for pseudocode. - -The client prepares the KRB_AS_REQ message and sends it to the KDC. - -3.1.2. Receipt of KRB_AS_REQ message - -If all goes well, processing the KRB_AS_REQ message will result in the -creation of a ticket for the client to present to the server. The format for -the ticket is described in section 5.3.1. The contents of the ticket are -determined as follows. - -3.1.3. Generation of KRB_AS_REP message - -The authentication server looks up the client and server principals named in -the KRB_AS_REQ in its database, extracting their respective keys. If -required, the server pre-authenticates the request, and if the -pre-authentication check fails, an error message with the code -KDC_ERR_PREAUTH_FAILED is returned. If the server cannot accommodate the -requested encryption type, an error message with code KDC_ERR_ETYPE_NOSUPP -is returned. Otherwise it generates a 'random' session key[7]. 
- -If there are multiple encryption keys registered for a client in the -Kerberos database (or if the key registered supports multiple encryption -types; e.g. DES-CBC-CRC and DES-CBC-MD5), then the etype field from the AS -request is used by the KDC to select the encryption method to be used for - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -encrypting the response to the client. If there is more than one supported, -strong encryption type in the etype list, the first valid etype for which an -encryption key is available is used. The encryption method used to respond -to a TGS request is taken from the keytype of the session key found in the -ticket granting ticket. - -When the etype field is present in a KDC request, whether an AS or TGS -request, the KDC will attempt to assign the type of the random session key -from the list of methods in the etype field. The KDC will select the -appropriate type using the list of methods provided together with -information from the Kerberos database indicating acceptable encryption -methods for the application server. The KDC will not issue tickets with a -weak session key encryption type. - -If the requested start time is absent, indicates a time in the past, or is -within the window of acceptable clock skew for the KDC and the POSTDATE -option has not been specified, then the start time of the ticket is set to -the authentication server's current time. If it indicates a time in the -future beyond the acceptable clock skew, but the POSTDATED option has not -been specified then the error KDC_ERR_CANNOT_POSTDATE is returned. Otherwise -the requested start time is checked against the policy of the local realm -(the administrator might decide to prohibit certain types or ranges of -postdated tickets), and if acceptable, the ticket's start time is set as -requested and the INVALID flag is set in the new ticket. 
The postdated -ticket must be validated before use by presenting it to the KDC after the -start time has been reached. - -The expiration time of the ticket will be set to the minimum of the -following: - - * The expiration time (endtime) requested in the KRB_AS_REQ message. - * The ticket's start time plus the maximum allowable lifetime associated - with the client principal (the authentication server's database - includes a maximum ticket lifetime field in each principal's record; - see section 4). - * The ticket's start time plus the maximum allowable lifetime associated - with the server principal. - * The ticket's start time plus the maximum lifetime set by the policy of - the local realm. - -If the requested expiration time minus the start time (as determined above) -is less than a site-determined minimum lifetime, an error message with code -KDC_ERR_NEVER_VALID is returned. If the requested expiration time for the -ticket exceeds what was determined as above, and if the 'RENEWABLE-OK' -option was requested, then the 'RENEWABLE' flag is set in the new ticket, -and the renew-till value is set as if the 'RENEWABLE' option were requested -(the field and option names are described fully in section 5.4.1). - -If the RENEWABLE option has been requested or if the RENEWABLE-OK option has -been set and a renewable ticket is to be issued, then the renew-till field -is set to the minimum of: - - * Its requested value. - * The start time of the ticket plus the minimum of the two maximum - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - renewable lifetimes associated with the principals' database entries. - * The start time of the ticket plus the maximum renewable lifetime set by - the policy of the local realm. - -The flags field of the new ticket will have the following options set if -they have been requested and if the policy of the local realm allows: -FORWARDABLE, MAY-POSTDATE, POSTDATED, PROXIABLE, RENEWABLE. 
If the new -ticket is post-dated (the start time is in the future), its INVALID flag -will also be set. - -If all of the above succeed, the server formats a KRB_AS_REP message (see -section 5.4.2), copying the addresses in the request into the caddr of the -response, placing any required pre-authentication data into the padata of -the response, and encrypts the ciphertext part in the client's key using the -requested encryption method, and sends it to the client. See section A.2 for -pseudocode. - -3.1.4. Generation of KRB_ERROR message - -Several errors can occur, and the Authentication Server responds by -returning an error message, KRB_ERROR, to the client, with the error-code -and e-text fields set to appropriate values. The error message contents and -details are described in Section 5.9.1. - -3.1.5. Receipt of KRB_AS_REP message - -If the reply message type is KRB_AS_REP, then the client verifies that the -cname and crealm fields in the cleartext portion of the reply match what it -requested. If any padata fields are present, they may be used to derive the -proper secret key to decrypt the message. The client decrypts the encrypted -part of the response using its secret key, verifies that the nonce in the -encrypted part matches the nonce it supplied in its request (to detect -replays). It also verifies that the sname and srealm in the response match -those in the request (or are otherwise expected values), and that the host -address field is also correct. It then stores the ticket, session key, start -and expiration times, and other information for later use. The -key-expiration field from the encrypted part of the response may be checked -to notify the user of impending key expiration (the client program could -then suggest remedial action, such as a password change). See section A.3 -for pseudocode. 
- -Proper decryption of the KRB_AS_REP message is not sufficient to verify the -identity of the user; the user and an attacker could cooperate to generate a -KRB_AS_REP format message which decrypts properly but is not from the proper -KDC. If the host wishes to verify the identity of the user, it must require -the user to present application credentials which can be verified using a -securely-stored secret key for the host. If those credentials can be -verified, then the identity of the user can be assured. - -3.1.6. Receipt of KRB_ERROR message - -If the reply message type is KRB_ERROR, then the client interprets it as an -error and performs whatever application-specific tasks are necessary to -recover. - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - -3.2. The Client/Server Authentication Exchange - - Summary -Message direction Message type Section -Client to Application server KRB_AP_REQ 5.5.1 -[optional] Application server to client KRB_AP_REP or 5.5.2 - KRB_ERROR 5.9.1 - -The client/server authentication (CS) exchange is used by network -applications to authenticate the client to the server and vice versa. The -client must have already acquired credentials for the server using the AS or -TGS exchange. - -3.2.1. The KRB_AP_REQ message - -The KRB_AP_REQ contains authentication information which should be part of -the first message in an authenticated transaction. It contains a ticket, an -authenticator, and some additional bookkeeping information (see section -5.5.1 for the exact format). The ticket by itself is insufficient to -authenticate a client, since tickets are passed across the network in -cleartext[DS90], so the authenticator is used to prevent invalid replay of -tickets by proving to the server that the client knows the session key of -the ticket and thus is entitled to use the ticket. The KRB_AP_REQ message is -referred to elsewhere as the 'authentication header.' - -3.2.2. 
Generation of a KRB_AP_REQ message - -When a client wishes to initiate authentication to a server, it obtains -(either through a credentials cache, the AS exchange, or the TGS exchange) a -ticket and session key for the desired service. The client may re-use any -tickets it holds until they expire. To use a ticket the client constructs a -new Authenticator from the the system time, its name, and optionally an -application specific checksum, an initial sequence number to be used in -KRB_SAFE or KRB_PRIV messages, and/or a session subkey to be used in -negotiations for a session key unique to this particular session. -Authenticators may not be re-used and will be rejected if replayed to a -server[LGDSR87]. If a sequence number is to be included, it should be -randomly chosen so that even after many messages have been exchanged it is -not likely to collide with other sequence numbers in use. - -The client may indicate a requirement of mutual authentication or the use of -a session-key based ticket by setting the appropriate flag(s) in the -ap-options field of the message. - -The Authenticator is encrypted in the session key and combined with the -ticket to form the KRB_AP_REQ message which is then sent to the end server -along with any additional application-specific information. See section A.9 -for pseudocode. - -3.2.3. Receipt of KRB_AP_REQ message - -Authentication is based on the server's current time of day (clocks must be -loosely synchronized), the authenticator, and the ticket. Several errors are - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -possible. If an error occurs, the server is expected to reply to the client -with a KRB_ERROR message. This message may be encapsulated in the -application protocol if its 'raw' form is not acceptable to the protocol. -The format of error messages is described in section 5.9.1. - -The algorithm for verifying authentication information is as follows. 
If the -message type is not KRB_AP_REQ, the server returns the KRB_AP_ERR_MSG_TYPE -error. If the key version indicated by the Ticket in the KRB_AP_REQ is not -one the server can use (e.g., it indicates an old key, and the server no -longer possesses a copy of the old key), the KRB_AP_ERR_BADKEYVER error is -returned. If the USE-SESSION-KEY flag is set in the ap-options field, it -indicates to the server that the ticket is encrypted in the session key from -the server's ticket-granting ticket rather than its secret key[10]. Since it -is possible for the server to be registered in multiple realms, with -different keys in each, the srealm field in the unencrypted portion of the -ticket in the KRB_AP_REQ is used to specify which secret key the server -should use to decrypt that ticket. The KRB_AP_ERR_NOKEY error code is -returned if the server doesn't have the proper key to decipher the ticket. - -The ticket is decrypted using the version of the server's key specified by -the ticket. If the decryption routines detect a modification of the ticket -(each encryption system must provide safeguards to detect modified -ciphertext; see section 6), the KRB_AP_ERR_BAD_INTEGRITY error is returned -(chances are good that different keys were used to encrypt and decrypt). - -The authenticator is decrypted using the session key extracted from the -decrypted ticket. If decryption shows it to have been modified, the -KRB_AP_ERR_BAD_INTEGRITY error is returned. The name and realm of the client -from the ticket are compared against the same fields in the authenticator. -If they don't match, the KRB_AP_ERR_BADMATCH error is returned (they might -not match, for example, if the wrong session key was used to encrypt the -authenticator). The addresses in the ticket (if any) are then searched for -an address matching the operating-system reported address of the client. 
If -no match is found or the server insists on ticket addresses but none are -present in the ticket, the KRB_AP_ERR_BADADDR error is returned. - -If the local (server) time and the client time in the authenticator differ -by more than the allowable clock skew (e.g., 5 minutes), the KRB_AP_ERR_SKEW -error is returned. If the server name, along with the client name, time and -microsecond fields from the Authenticator match any recently-seen such -tuples, the KRB_AP_ERR_REPEAT error is returned[11]. The server must -remember any authenticator presented within the allowable clock skew, so -that a replay attempt is guaranteed to fail. If a server loses track of any -authenticator presented within the allowable clock skew, it must reject all -requests until the clock skew interval has passed. This assures that any -lost or re-played authenticators will fall outside the allowable clock skew -and can no longer be successfully replayed (If this is not done, an attacker -could conceivably record the ticket and authenticator sent over the network -to a server, then disable the client's host, pose as the disabled host, and -replay the ticket and authenticator to subvert the authentication.). If a -sequence number is provided in the authenticator, the server saves it for -later use in processing KRB_SAFE and/or KRB_PRIV messages. If a subkey is -present, the server either saves it for later use or uses it to help -generate its own choice for a subkey to be returned in a KRB_AP_REP message. - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - -The server computes the age of the ticket: local (server) time minus the -start time inside the Ticket. If the start time is later than the current -time by more than the allowable clock skew or if the INVALID flag is set in -the ticket, the KRB_AP_ERR_TKT_NYV error is returned. Otherwise, if the -current time is later than end time by more than the allowable clock skew, -the KRB_AP_ERR_TKT_EXPIRED error is returned. 
- -If all these checks succeed without an error, the server is assured that the -client possesses the credentials of the principal named in the ticket and -thus, the client has been authenticated to the server. See section A.10 for -pseudocode. - -Passing these checks provides only authentication of the named principal; it -does not imply authorization to use the named service. Applications must -make a separate authorization decisions based upon the authenticated name of -the user, the requested operation, local acces control information such as -that contained in a .k5login or .k5users file, and possibly a separate -distributed authorization service. - -3.2.4. Generation of a KRB_AP_REP message - -Typically, a client's request will include both the authentication -information and its initial request in the same message, and the server need -not explicitly reply to the KRB_AP_REQ. However, if mutual authentication -(not only authenticating the client to the server, but also the server to -the client) is being performed, the KRB_AP_REQ message will have -MUTUAL-REQUIRED set in its ap-options field, and a KRB_AP_REP message is -required in response. As with the error message, this message may be -encapsulated in the application protocol if its "raw" form is not acceptable -to the application's protocol. The timestamp and microsecond field used in -the reply must be the client's timestamp and microsecond field (as provided -in the authenticator)[12]. If a sequence number is to be included, it should -be randomly chosen as described above for the authenticator. A subkey may be -included if the server desires to negotiate a different subkey. The -KRB_AP_REP message is encrypted in the session key extracted from the -ticket. See section A.11 for pseudocode. - -3.2.5. 
Receipt of KRB_AP_REP message - -If a KRB_AP_REP message is returned, the client uses the session key from -the credentials obtained for the server[13] to decrypt the message, and -verifies that the timestamp and microsecond fields match those in the -Authenticator it sent to the server. If they match, then the client is -assured that the server is genuine. The sequence number and subkey (if -present) are retained for later use. See section A.12 for pseudocode. - -3.2.6. Using the encryption key - -After the KRB_AP_REQ/KRB_AP_REP exchange has occurred, the client and server -share an encryption key which can be used by the application. The 'true -session key' to be used for KRB_PRIV, KRB_SAFE, or other -application-specific uses may be chosen by the application based on the -subkeys in the KRB_AP_REP message and the authenticator[14]. In some cases, - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -the use of this session key will be implicit in the protocol; in others the -method of use must be chosen from several alternatives. We leave the -protocol negotiations of how to use the key (e.g. selecting an encryption or -checksum type) to the application programmer; the Kerberos protocol does not -constrain the implementation options, but an example of how this might be -done follows. - -One way that an application may choose to negotiate a key to be used for -subequent integrity and privacy protection is for the client to propose a -key in the subkey field of the authenticator. The server can then choose a -key using the proposed key from the client as input, returning the new -subkey in the subkey field of the application reply. This key could then be -used for subsequent communication. 
To make this example more concrete, if -the encryption method in use required a 56 bit key, and for whatever reason, -one of the parties was prevented from using a key with more than 40 unknown -bits, this method would allow the the party which is prevented from using -more than 40 bits to either propose (if the client) an initial key with a -known quantity for 16 of those bits, or to mask 16 of the bits (if the -server) with the known quantity. The application implementor is warned, -however, that this is only an example, and that an analysis of the -particular crytosystem to be used, and the reasons for limiting the key -length, must be made before deciding whether it is acceptable to mask bits -of the key. - -With both the one-way and mutual authentication exchanges, the peers should -take care not to send sensitive information to each other without proper -assurances. In particular, applications that require privacy or integrity -should use the KRB_AP_REP response from the server to client to assure both -client and server of their peer's identity. If an application protocol -requires privacy of its messages, it can use the KRB_PRIV message (section -3.5). The KRB_SAFE message (section 3.4) can be used to assure integrity. - -3.3. The Ticket-Granting Service (TGS) Exchange - - Summary - Message direction Message type Section - 1. Client to Kerberos KRB_TGS_REQ 5.4.1 - 2. Kerberos to client KRB_TGS_REP or 5.4.2 - KRB_ERROR 5.9.1 - -The TGS exchange between a client and the Kerberos Ticket-Granting Server is -initiated by a client when it wishes to obtain authentication credentials -for a given server (which might be registered in a remote realm), when it -wishes to renew or validate an existing ticket, or when it wishes to obtain -a proxy ticket. 
In the first case, the client must already have acquired a -ticket for the Ticket-Granting Service using the AS exchange (the -ticket-granting ticket is usually obtained when a client initially -authenticates to the system, such as when a user logs in). The message -format for the TGS exchange is almost identical to that for the AS exchange. -The primary difference is that encryption and decryption in the TGS exchange -does not take place under the client's key. Instead, the session key from -the ticket-granting ticket or renewable ticket, or sub-session key from an -Authenticator is used. As is the case for all application servers, expired -tickets are not accepted by the TGS, so once a renewable or ticket-granting - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -ticket expires, the client must use a separate exchange to obtain valid -tickets. - -The TGS exchange consists of two messages: A request (KRB_TGS_REQ) from the -client to the Kerberos Ticket-Granting Server, and a reply (KRB_TGS_REP or -KRB_ERROR). The KRB_TGS_REQ message includes information authenticating the -client plus a request for credentials. The authentication information -consists of the authentication header (KRB_AP_REQ) which includes the -client's previously obtained ticket-granting, renewable, or invalid ticket. -In the ticket-granting ticket and proxy cases, the request may include one -or more of: a list of network addresses, a collection of typed authorization -data to be sealed in the ticket for authorization use by the application -server, or additional tickets (the use of which are described later). The -TGS reply (KRB_TGS_REP) contains the requested credentials, encrypted in the -session key from the ticket-granting ticket or renewable ticket, or if -present, in the sub-session key from the Authenticator (part of the -authentication header). The KRB_ERROR message contains an error code and -text explaining what went wrong. The KRB_ERROR message is not encrypted. 
The -KRB_TGS_REP message contains information which can be used to detect -replays, and to associate it with the message to which it replies. The -KRB_ERROR message also contains information which can be used to associate -it with the message to which it replies, but the lack of encryption in the -KRB_ERROR message precludes the ability to detect replays or fabrications of -such messages. - -3.3.1. Generation of KRB_TGS_REQ message - -Before sending a request to the ticket-granting service, the client must -determine in which realm the application server is registered[15]. If the -client does not already possess a ticket-granting ticket for the appropriate -realm, then one must be obtained. This is first attempted by requesting a -ticket-granting ticket for the destination realm from a Kerberos server for -which the client does posess a ticket-granting ticket (using the KRB_TGS_REQ -message recursively). The Kerberos server may return a TGT for the desired -realm in which case one can proceed. Alternatively, the Kerberos server may -return a TGT for a realm which is 'closer' to the desired realm (further -along the standard hierarchical path), in which case this step must be -repeated with a Kerberos server in the realm specified in the returned TGT. -If neither are returned, then the request must be retried with a Kerberos -server for a realm higher in the hierarchy. This request will itself require -a ticket-granting ticket for the higher realm which must be obtained by -recursively applying these directions. - -Once the client obtains a ticket-granting ticket for the appropriate realm, -it determines which Kerberos servers serve that realm, and contacts one. The -list might be obtained through a configuration file or network service or it -may be generated from the name of the realm; as long as the secret keys -exchanged by realms are kept secret, only denial of service results from -using a false Kerberos server. 
- -As in the AS exchange, the client may specify a number of options in the -KRB_TGS_REQ message. The client prepares the KRB_TGS_REQ message, providing -an authentication header as an element of the padata field, and including -the same fields as used in the KRB_AS_REQ message along with several - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -optional fields: the enc-authorization-data field for application server use -and additional tickets required by some options. - -In preparing the authentication header, the client can select a sub-session -key under which the response from the Kerberos server will be encrypted[16]. -If the sub-session key is not specified, the session key from the -ticket-granting ticket will be used. If the enc-authorization-data is -present, it must be encrypted in the sub-session key, if present, from the -authenticator portion of the authentication header, or if not present, using -the session key from the ticket-granting ticket. - -Once prepared, the message is sent to a Kerberos server for the destination -realm. See section A.5 for pseudocode. - -3.3.2. Receipt of KRB_TGS_REQ message - -The KRB_TGS_REQ message is processed in a manner similar to the KRB_AS_REQ -message, but there are many additional checks to be performed. First, the -Kerberos server must determine which server the accompanying ticket is for -and it must select the appropriate key to decrypt it. For a normal -KRB_TGS_REQ message, it will be for the ticket granting service, and the -TGS's key will be used. If the TGT was issued by another realm, then the -appropriate inter-realm key must be used. 
If the accompanying ticket is not -a ticket granting ticket for the current realm, but is for an application -server in the current realm, the RENEW, VALIDATE, or PROXY options are -specified in the request, and the server for which a ticket is requested is -the server named in the accompanying ticket, then the KDC will decrypt the -ticket in the authentication header using the key of the server for which it -was issued. If no ticket can be found in the padata field, the -KDC_ERR_PADATA_TYPE_NOSUPP error is returned. - -Once the accompanying ticket has been decrypted, the user-supplied checksum -in the Authenticator must be verified against the contents of the request, -and the message rejected if the checksums do not match (with an error code -of KRB_AP_ERR_MODIFIED) or if the checksum is not keyed or not -collision-proof (with an error code of KRB_AP_ERR_INAPP_CKSUM). If the -checksum type is not supported, the KDC_ERR_SUMTYPE_NOSUPP error is -returned. If the authorization-data are present, they are decrypted using -the sub-session key from the Authenticator. - -If any of the decryptions indicate failed integrity checks, the -KRB_AP_ERR_BAD_INTEGRITY error is returned. - -3.3.3. Generation of KRB_TGS_REP message - -The KRB_TGS_REP message shares its format with the KRB_AS_REP (KRB_KDC_REP), -but with its type field set to KRB_TGS_REP. The detailed specification is in -section 5.4.2. - -The response will include a ticket for the requested server. The Kerberos -database is queried to retrieve the record for the requested server -(including the key with which the ticket will be encrypted). If the request -is for a ticket granting ticket for a remote realm, and if no key is shared -with the requested realm, then the Kerberos server will select the realm - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -"closest" to the requested realm with which it does share a key, and use -that realm instead. 
This is the only case where the response from the KDC -will be for a different server than that requested by the client. - -By default, the address field, the client's name and realm, the list of -transited realms, the time of initial authentication, the expiration time, -and the authorization data of the newly-issued ticket will be copied from -the ticket-granting ticket (TGT) or renewable ticket. If the transited field -needs to be updated, but the transited type is not supported, the -KDC_ERR_TRTYPE_NOSUPP error is returned. - -If the request specifies an endtime, then the endtime of the new ticket is -set to the minimum of (a) that request, (b) the endtime from the TGT, and -(c) the starttime of the TGT plus the minimum of the maximum life for the -application server and the maximum life for the local realm (the maximum -life for the requesting principal was already applied when the TGT was -issued). If the new ticket is to be a renewal, then the endtime above is -replaced by the minimum of (a) the value of the renew_till field of the -ticket and (b) the starttime for the new ticket plus the life -(endtime-starttime) of the old ticket. - -If the FORWARDED option has been requested, then the resulting ticket will -contain the addresses specified by the client. This option will only be -honored if the FORWARDABLE flag is set in the TGT. The PROXY option is -similar; the resulting ticket will contain the addresses specified by the -client. It will be honored only if the PROXIABLE flag in the TGT is set. The -PROXY option will not be honored on requests for additional ticket-granting -tickets. - -If the requested start time is absent, indicates a time in the past, or is -within the window of acceptable clock skew for the KDC and the POSTDATE -option has not been specified, then the start time of the ticket is set to -the authentication server's current time. 
If it indicates a time in the -future beyond the acceptable clock skew, but the POSTDATED option has not -been specified or the MAY-POSTDATE flag is not set in the TGT, then the -error KDC_ERR_CANNOT_POSTDATE is returned. Otherwise, if the ticket-granting -ticket has the MAY-POSTDATE flag set, then the resulting ticket will be -postdated and the requested starttime is checked against the policy of the -local realm. If acceptable, the ticket's start time is set as requested, and -the INVALID flag is set. The postdated ticket must be validated before use -by presenting it to the KDC after the starttime has been reached. However, -in no case may the starttime, endtime, or renew-till time of a newly-issued -postdated ticket extend beyond the renew-till time of the ticket-granting -ticket. - -If the ENC-TKT-IN-SKEY option has been specified and an additional ticket -has been included in the request, the KDC will decrypt the additional ticket -using the key for the server to which the additional ticket was issued and -verify that it is a ticket-granting ticket. If the name of the requested -server is missing from the request, the name of the client in the additional -ticket will be used. Otherwise the name of the requested server will be -compared to the name of the client in the additional ticket and if -different, the request will be rejected. If the request succeeds, the -session key from the additional ticket will be used to encrypt the new - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -ticket that is issued instead of using the key of the server for which the -new ticket will be used[17]. 
- -If the name of the server in the ticket that is presented to the KDC as part -of the authentication header is not that of the ticket-granting server -itself, the server is registered in the realm of the KDC, and the RENEW -option is requested, then the KDC will verify that the RENEWABLE flag is set -in the ticket, that the INVALID flag is not set in the ticket, and that the -renew_till time is still in the future. If the VALIDATE option is rqeuested, -the KDC will check that the starttime has passed and the INVALID flag is -set. If the PROXY option is requested, then the KDC will check that the -PROXIABLE flag is set in the ticket. If the tests succeed, and the ticket -passes the hotlist check described in the next paragraph, the KDC will issue -the appropriate new ticket. - -3.3.3.1. Checking for revoked tickets - -Whenever a request is made to the ticket-granting server, the presented -ticket(s) is(are) checked against a hot-list of tickets which have been -canceled. This hot-list might be implemented by storing a range of issue -timestamps for 'suspect tickets'; if a presented ticket had an authtime in -that range, it would be rejected. In this way, a stolen ticket-granting -ticket or renewable ticket cannot be used to gain additional tickets -(renewals or otherwise) once the theft has been reported. Any normal ticket -obtained before it was reported stolen will still be valid (because they -require no interaction with the KDC), but only until their normal expiration -time. - -The ciphertext part of the response in the KRB_TGS_REP message is encrypted -in the sub-session key from the Authenticator, if present, or the session -key key from the ticket-granting ticket. It is not encrypted using the -client's secret key. 
Furthermore, the client's key's expiration date and the -key version number fields are left out since these values are stored along -with the client's database record, and that record is not needed to satisfy -a request based on a ticket-granting ticket. See section A.6 for pseudocode. - -3.3.3.2. Encoding the transited field - -If the identity of the server in the TGT that is presented to the KDC as -part of the authentication header is that of the ticket-granting service, -but the TGT was issued from another realm, the KDC will look up the -inter-realm key shared with that realm and use that key to decrypt the -ticket. If the ticket is valid, then the KDC will honor the request, subject -to the constraints outlined above in the section describing the AS exchange. -The realm part of the client's identity will be taken from the -ticket-granting ticket. The name of the realm that issued the -ticket-granting ticket will be added to the transited field of the ticket to -be issued. This is accomplished by reading the transited field from the -ticket-granting ticket (which is treated as an unordered set of realm -names), adding the new realm to the set, then constructing and writing out -its encoded (shorthand) form (this may involve a rearrangement of the -existing encoding). - -Note that the ticket-granting service does not add the name of its own - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -realm. Instead, its responsibility is to add the name of the previous realm. -This prevents a malicious Kerberos server from intentionally leaving out its -own name (it could, however, omit other realms' names). - -The names of neither the local realm nor the principal's realm are to be -included in the transited field. They appear elsewhere in the ticket and -both are known to have taken part in authenticating the principal. Since the -endpoints are not included, both local and single-hop inter-realm -authentication result in a transited field that is empty. 
- -Because the name of each realm transited is added to this field, it might -potentially be very long. To decrease the length of this field, its contents -are encoded. The initially supported encoding is optimized for the normal -case of inter-realm communication: a hierarchical arrangement of realms -using either domain or X.500 style realm names. This encoding (called -DOMAIN-X500-COMPRESS) is now described. - -Realm names in the transited field are separated by a ",". The ",", "\", -trailing "."s, and leading spaces (" ") are special characters, and if they -are part of a realm name, they must be quoted in the transited field by -preced- ing them with a "\". - -A realm name ending with a "." is interpreted as being prepended to the -previous realm. For example, we can encode traversal of EDU, MIT.EDU, -ATHENA.MIT.EDU, WASHINGTON.EDU, and CS.WASHINGTON.EDU as: - - "EDU,MIT.,ATHENA.,WASHINGTON.EDU,CS.". - -Note that if ATHENA.MIT.EDU, or CS.WASHINGTON.EDU were end-points, that they -would not be included in this field, and we would have: - - "EDU,MIT.,WASHINGTON.EDU" - -A realm name beginning with a "/" is interpreted as being appended to the -previous realm[18]. If it is to stand by itself, then it should be preceded -by a space (" "). For example, we can encode traversal of /COM/HP/APOLLO, -/COM/HP, /COM, and /COM/DEC as: - - "/COM,/HP,/APOLLO, /COM/DEC". - -Like the example above, if /COM/HP/APOLLO and /COM/DEC are endpoints, they -they would not be included in this field, and we would have: - - "/COM,/HP" - -A null subfield preceding or following a "," indicates that all realms -between the previous realm and the next realm have been traversed[19]. Thus, -"," means that all realms along the path between the client and the server -have been traversed. 
",EDU, /COM," means that that all realms from the -client's realm up to EDU (in a domain style hierarchy) have been traversed, -and that everything from /COM down to the server's realm in an X.500 style -has also been traversed. This could occur if the EDU realm in one hierarchy -shares an inter-realm key directly with the /COM realm in another hierarchy. - - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -3.3.4. Receipt of KRB_TGS_REP message - -When the KRB_TGS_REP is received by the client, it is processed in the same -manner as the KRB_AS_REP processing described above. The primary difference -is that the ciphertext part of the response must be decrypted using the -session key from the ticket-granting ticket rather than the client's secret -key. See section A.7 for pseudocode. - -3.4. The KRB_SAFE Exchange - -The KRB_SAFE message may be used by clients requiring the ability to detect -modifications of messages they exchange. It achieves this by including a -keyed collision-proof checksum of the user data and some control -information. The checksum is keyed with an encryption key (usually the last -key negotiated via subkeys, or the session key if no negotiation has -occured). - -3.4.1. Generation of a KRB_SAFE message - -When an application wishes to send a KRB_SAFE message, it collects its data -and the appropriate control information and computes a checksum over them. -The checksum algorithm should be a keyed one-way hash function (such as the -RSA- MD5-DES checksum algorithm specified in section 6.4.5, or the DES MAC), -generated using the sub-session key if present, or the session key. -Different algorithms may be selected by changing the checksum type in the -message. Unkeyed or non-collision-proof checksums are not suitable for this -use. - -The control information for the KRB_SAFE message includes both a timestamp -and a sequence number. The designer of an application using the KRB_SAFE -message must choose at least one of the two mechanisms. 
This choice should -be based on the needs of the application protocol. - -Sequence numbers are useful when all messages sent will be received by one's -peer. Connection state is presently required to maintain the session key, so -maintaining the next sequence number should not present an additional -problem. - -If the application protocol is expected to tolerate lost messages without -them being resent, the use of the timestamp is the appropriate replay -detection mechanism. Using timestamps is also the appropriate mechanism for -multi-cast protocols where all of one's peers share a common sub-session -key, but some messages will be sent to a subset of one's peers. - -After computing the checksum, the client then transmits the information and -checksum to the recipient in the message format specified in section 5.6.1. - -3.4.2. Receipt of KRB_SAFE message - -When an application receives a KRB_SAFE message, it verifies it as follows. -If any error occurs, an error code is reported for use by the application. - -The message is first checked by verifying that the protocol version and type -fields match the current version and KRB_SAFE, respectively. A mismatch - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The -application verifies that the checksum used is a collision-proof keyed -checksum, and if it is not, a KRB_AP_ERR_INAPP_CKSUM error is generated. The -recipient verifies that the operating system's report of the sender's -address matches the sender's address in the message, and (if a recipient -address is specified or the recipient requires an address) that one of the -recipient's addresses appears as the recipient's address in the message. A -failed match for either case generates a KRB_AP_ERR_BADADDR error. Then the -timestamp and usec and/or the sequence number fields are checked. 
If -timestamp and usec are expected and not present, or they are present but not -current, the KRB_AP_ERR_SKEW error is generated. If the server name, along -with the client name, time and microsecond fields from the Authenticator -match any recently-seen (sent or received[20] ) such tuples, the -KRB_AP_ERR_REPEAT error is generated. If an incorrect sequence number is -included, or a sequence number is expected but not present, the -KRB_AP_ERR_BADORDER error is generated. If neither a time-stamp and usec or -a sequence number is present, a KRB_AP_ERR_MODIFIED error is generated. -Finally, the checksum is computed over the data and control information, and -if it doesn't match the received checksum, a KRB_AP_ERR_MODIFIED error is -generated. - -If all the checks succeed, the application is assured that the message was -generated by its peer and was not modi- fied in transit. - -3.5. The KRB_PRIV Exchange - -The KRB_PRIV message may be used by clients requiring confidentiality and -the ability to detect modifications of exchanged messages. It achieves this -by encrypting the messages and adding control information. - -3.5.1. Generation of a KRB_PRIV message - -When an application wishes to send a KRB_PRIV message, it collects its data -and the appropriate control information (specified in section 5.7.1) and -encrypts them under an encryption key (usually the last key negotiated via -subkeys, or the session key if no negotiation has occured). As part of the -control information, the client must choose to use either a timestamp or a -sequence number (or both); see the discussion in section 3.4.1 for -guidelines on which to use. After the user data and control information are -encrypted, the client transmits the ciphertext and some 'envelope' -information to the recipient. - -3.5.2. Receipt of KRB_PRIV message - -When an application receives a KRB_PRIV message, it verifies it as follows. -If any error occurs, an error code is reported for use by the application. 
- -The message is first checked by verifying that the protocol version and type -fields match the current version and KRB_PRIV, respectively. A mismatch -generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The -application then decrypts the ciphertext and processes the resultant -plaintext. If decryption shows the data to have been modified, a -KRB_AP_ERR_BAD_INTEGRITY error is generated. The recipient verifies that the -operating system's report of the sender's address matches the sender's - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -address in the message, and (if a recipient address is specified or the -recipient requires an address) that one of the recipient's addresses appears -as the recipient's address in the message. A failed match for either case -generates a KRB_AP_ERR_BADADDR error. Then the timestamp and usec and/or the -sequence number fields are checked. If timestamp and usec are expected and -not present, or they are present but not current, the KRB_AP_ERR_SKEW error -is generated. If the server name, along with the client name, time and -microsecond fields from the Authenticator match any recently-seen such -tuples, the KRB_AP_ERR_REPEAT error is generated. If an incorrect sequence -number is included, or a sequence number is expected but not present, the -KRB_AP_ERR_BADORDER error is generated. If neither a time-stamp and usec or -a sequence number is present, a KRB_AP_ERR_MODIFIED error is generated. - -If all the checks succeed, the application can assume the message was -generated by its peer, and was securely transmitted (without intruders able -to see the unencrypted contents). - -3.6. The KRB_CRED Exchange - -The KRB_CRED message may be used by clients requiring the ability to send -Kerberos credentials from one host to another. It achieves this by sending -the tickets together with encrypted data containing the session keys and -other information associated with the tickets. - -3.6.1. 
Generation of a KRB_CRED message - -When an application wishes to send a KRB_CRED message it first (using the -KRB_TGS exchange) obtains credentials to be sent to the remote host. It then -constructs a KRB_CRED message using the ticket or tickets so obtained, -placing the session key needed to use each ticket in the key field of the -corresponding KrbCredInfo sequence of the encrypted part of the the KRB_CRED -message. - -Other information associated with each ticket and obtained during the -KRB_TGS exchange is also placed in the corresponding KrbCredInfo sequence in -the encrypted part of the KRB_CRED message. The current time and, if -specifically required by the application the nonce, s-address, and r-address -fields, are placed in the encrypted part of the KRB_CRED message which is -then encrypted under an encryption key previosuly exchanged in the KRB_AP -exchange (usually the last key negotiated via subkeys, or the session key if -no negotiation has occured). - -3.6.2. Receipt of KRB_CRED message - -When an application receives a KRB_CRED message, it verifies it. If any -error occurs, an error code is reported for use by the application. The -message is verified by checking that the protocol version and type fields -match the current version and KRB_CRED, respectively. A mismatch generates a -KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The application then -decrypts the ciphertext and processes the resultant plaintext. If decryption -shows the data to have been modified, a KRB_AP_ERR_BAD_INTEGRITY error is -generated. - -If present or required, the recipient verifies that the operating system's - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -report of the sender's address matches the sender's address in the message, -and that one of the recipient's addresses appears as the recipient's address -in the message. A failed match for either case generates a -KRB_AP_ERR_BADADDR error. 
The timestamp and usec fields (and the nonce field -if required) are checked next. If the timestamp and usec are not present, or -they are present but not current, the KRB_AP_ERR_SKEW error is generated. - -If all the checks succeed, the application stores each of the new tickets in -its ticket cache together with the session key and other information in the -corresponding KrbCredInfo sequence from the encrypted part of the KRB_CRED -message. - -4. The Kerberos Database - -The Kerberos server must have access to a database contain- ing the -principal identifiers and secret keys of principals to be authenticated[21]. - -4.1. Database contents - -A database entry should contain at least the following fields: - -Field Value - -name Principal's identifier -key Principal's secret key -p_kvno Principal's key version -max_life Maximum lifetime for Tickets -max_renewable_life Maximum total lifetime for renewable Tickets - -The name field is an encoding of the principal's identifier. The key field -contains an encryption key. This key is the principal's secret key. (The key -can be encrypted before storage under a Kerberos "master key" to protect it -in case the database is compromised but the master key is not. In that case, -an extra field must be added to indicate the master key version used, see -below.) The p_kvno field is the key version number of the principal's secret -key. The max_life field contains the maximum allowable lifetime (endtime - -starttime) for any Ticket issued for this principal. The max_renewable_life -field contains the maximum allowable total lifetime for any renewable Ticket -issued for this principal. (See section 3.1 for a description of how these -lifetimes are used in determining the lifetime of a given Ticket.) - -A server may provide KDC service to several realms, as long as the database -representation provides a mechanism to distinguish between principal records -with identifiers which differ only in the realm name. 
- -When an application server's key changes, if the change is routine (i.e. not -the result of disclosure of the old key), the old key should be retained by -the server until all tickets that had been issued using that key have -expired. Because of this, it is possible for several keys to be active for a -single principal. Ciphertext encrypted in a principal's key is always tagged -with the version of the key that was used for encryption, to help the -recipient find the proper key for decryption. - -When more than one key is active for a particular principal, the principal - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -will have more than one record in the Kerberos database. The keys and key -version numbers will differ between the records (the rest of the fields may -or may not be the same). Whenever Kerberos issues a ticket, or responds to a -request for initial authentication, the most recent key (known by the -Kerberos server) will be used for encryption. This is the key with the -highest key version number. - -4.2. Additional fields - -Project Athena's KDC implementation uses additional fields in its database: - -Field Value - -K_kvno Kerberos' key version -expiration Expiration date for entry -attributes Bit field of attributes -mod_date Timestamp of last modification -mod_name Modifying principal's identifier - -The K_kvno field indicates the key version of the Kerberos master key under -which the principal's secret key is encrypted. - -After an entry's expiration date has passed, the KDC will return an error to -any client attempting to gain tickets as or for the principal. (A database -may want to maintain two expiration dates: one for the principal, and one -for the principal's current key. This allows password aging to work -independently of the principal's expiration date. 
However, due to the -limited space in the responses, the KDC must combine the key expiration and -principal expiration date into a single value called 'key_exp', which is -used as a hint to the user to take administrative action.) - -The attributes field is a bitfield used to govern the operations involving -the principal. This field might be useful in conjunction with user -registration procedures, for site-specific policy implementations (Project -Athena currently uses it for their user registration process controlled by -the system-wide database service, Moira [LGDSR87]), to identify whether a -principal can play the role of a client or server or both, to note whether a -server is appropriate trusted to recieve credentials delegated by a client, -or to identify the 'string to key' conversion algorithm used for a -principal's key[22]. Other bits are used to indicate that certain ticket -options should not be allowed in tickets encrypted under a principal's key -(one bit each): Disallow issuing postdated tickets, disallow issuing -forwardable tickets, disallow issuing tickets based on TGT authentication, -disallow issuing renewable tickets, disallow issuing proxiable tickets, and -disallow issuing tickets for which the principal is the server. - -The mod_date field contains the time of last modification of the entry, and -the mod_name field contains the name of the principal which last modified -the entry. - -4.3. Frequently Changing Fields - -Some KDC implementations may wish to maintain the last time that a request -was made by a particular principal. Information that might be maintained - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -includes the time of the last request, the time of the last request for a -ticket-granting ticket, the time of the last use of a ticket-granting -ticket, or other times. This information can then be returned to the user in -the last-req field (see section 5.2). 
- -Other frequently changing information that can be maintained is the latest -expiration time for any tickets that have been issued using each key. This -field would be used to indicate how long old keys must remain valid to allow -the continued use of outstanding tickets. - -4.4. Site Constants - -The KDC implementation should have the following configurable constants or -options, to allow an administrator to make and enforce policy decisions: - - * The minimum supported lifetime (used to determine whether the - KDC_ERR_NEVER_VALID error should be returned). This constant should - reflect reasonable expectations of round-trip time to the KDC, - encryption/decryption time, and processing time by the client and - target server, and it should allow for a minimum 'useful' lifetime. - * The maximum allowable total (renewable) lifetime of a ticket - (renew_till - starttime). - * The maximum allowable lifetime of a ticket (endtime - starttime). - * Whether to allow the issue of tickets with empty address fields - (including the ability to specify that such tickets may only be issued - if the request specifies some authorization_data). - * Whether proxiable, forwardable, renewable or post-datable tickets are - to be issued. - -5. Message Specifications - -The following sections describe the exact contents and encoding of protocol -messages and objects. The ASN.1 base definitions are presented in the first -subsection. The remaining subsections specify the protocol objects (tickets -and authenticators) and messages. Specification of encryption and checksum -techniques, and the fields related to them, appear in section 6. - -5.1. ASN.1 Distinguished Encoding Representation - -All uses of ASN.1 in Kerberos shall use the Distinguished Encoding -Representation of the data elements as described in the X.509 specification, -section 8.7 [X509-88]. - -5.2. ASN.1 Base Definitions - -The following ASN.1 base definitions are used in the rest of this section. 
-Note that since the underscore character (_) is not permitted in ASN.1 -names, the hyphen (-) is used in its place for the purposes of ASN.1 names. - -Realm ::= GeneralString -PrincipalName ::= SEQUENCE { - name-type[0] INTEGER, - name-string[1] SEQUENCE OF GeneralString -} - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - -Kerberos realms are encoded as GeneralStrings. Realms shall not contain a -character with the code 0 (the ASCII NUL). Most realms will usually consist -of several components separated by periods (.), in the style of Internet -Domain Names, or separated by slashes (/) in the style of X.500 names. -Acceptable forms for realm names are specified in section 7. A PrincipalName -is a typed sequence of components consisting of the following sub-fields: - -name-type - This field specifies the type of name that follows. Pre-defined values - for this field are specified in section 7.2. The name-type should be - treated as a hint. Ignoring the name type, no two names can be the same - (i.e. at least one of the components, or the realm, must be different). - This constraint may be eliminated in the future. -name-string - This field encodes a sequence of components that form a name, each - component encoded as a GeneralString. Taken together, a PrincipalName - and a Realm form a principal identifier. Most PrincipalNames will have - only a few components (typically one or two). - -KerberosTime ::= GeneralizedTime - -- Specifying UTC time zone (Z) - -The timestamps used in Kerberos are encoded as GeneralizedTimes. An encoding -shall specify the UTC time zone (Z) and shall not include any fractional -portions of the seconds. It further shall not include any separators. -Example: The only valid format for UTC time 6 minutes, 27 seconds after 9 pm -on 6 November 1985 is 19851106210627Z. 
- -HostAddress ::= SEQUENCE { - addr-type[0] INTEGER, - address[1] OCTET STRING -} - -HostAddresses ::= SEQUENCE OF HostAddress - -The host adddress encodings consists of two fields: - -addr-type - This field specifies the type of address that follows. Pre-defined - values for this field are specified in section 8.1. -address - This field encodes a single address of type addr-type. - -The two forms differ slightly. HostAddress contains exactly one address; -HostAddresses contains a sequence of possibly many addresses. - -AuthorizationData ::= SEQUENCE OF SEQUENCE { - ad-type[0] INTEGER, - ad-data[1] OCTET STRING -} - -ad-data - This field contains authorization data to be interpreted according to - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - the value of the corresponding ad-type field. -ad-type - This field specifies the format for the ad-data subfield. All negative - values are reserved for local use. Non-negative values are reserved for - registered use. - -Each sequence of type and data is refered to as an authorization element. -Elements may be application specific, however, there is a common set of -recursive elements that should be understood by all implementations. These -elements contain other elements embedded within them, and the interpretation -of the encapsulating element determines which of the embedded elements must -be interpreted, and which may be ignored. Definitions for these common -elements may be found in Appendix B. - -TicketExtensions ::= SEQUENCE OF SEQUENCE { - te-type[0] INTEGER, - te-data[1] OCTET STRING -} - - - -te-data - This field contains opaque data that must be caried with the ticket to - support extensions to the Kerberos protocol including but not limited - to some forms of inter-realm key exchange and plaintext authorization - data. See appendix C for some common uses of this field. -te-type - This field specifies the format for the te-data subfield. All negative - values are reserved for local use. 
Non-negative values are reserved for - registered use. - -APOptions ::= BIT STRING { - reserved(0), - use-session-key(1), - mutual-required(2) -} - -TicketFlags ::= BIT STRING { - reserved(0), - forwardable(1), - forwarded(2), - proxiable(3), - proxy(4), - may-postdate(5), - postdated(6), - invalid(7), - renewable(8), - initial(9), - pre-authent(10), - hw-authent(11), - transited-policy-checked(12), - ok-as-delegate(13) -} - - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -KDCOptions ::= BIT STRING { - reserved(0), - forwardable(1), - forwarded(2), - proxiable(3), - proxy(4), - allow-postdate(5), - postdated(6), - unused7(7), - renewable(8), - unused9(9), - unused10(10), - unused11(11), - unused12(12), - unused13(13), - disable-transited-check(26), - renewable-ok(27), - enc-tkt-in-skey(28), - renew(30), - validate(31) -} - -ASN.1 Bit strings have a length and a value. When used in Kerberos for the -APOptions, TicketFlags, and KDCOptions, the length of the bit string on -generated values should be the smallest multiple of 32 bits needed to -include the highest order bit that is set (1), but in no case less than 32 -bits. Implementations should accept values of bit strings of any length and -treat the value of flags cooresponding to bits beyond the end of the bit -string as if the bit were reset (0). Comparisonof bit strings of different -length should treat the smaller string as if it were padded with zeros -beyond the high order bits to the length of the longer string[23]. - -LastReq ::= SEQUENCE OF SEQUENCE { - lr-type[0] INTEGER, - lr-value[1] KerberosTime -} - -lr-type - This field indicates how the following lr-value field is to be - interpreted. Negative values indicate that the information pertains - only to the responding server. Non-negative values pertain to all - servers for the realm. If the lr-type field is zero (0), then no - information is conveyed by the lr-value subfield. 
If the absolute value - of the lr-type field is one (1), then the lr-value subfield is the time - of last initial request for a TGT. If it is two (2), then the lr-value - subfield is the time of last initial request. If it is three (3), then - the lr-value subfield is the time of issue for the newest - ticket-granting ticket used. If it is four (4), then the lr-value - subfield is the time of the last renewal. If it is five (5), then the - lr-value subfield is the time of last request (of any type). -lr-value - This field contains the time of the last request. the time must be - interpreted according to the contents of the accompanying lr-type - subfield. - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - -See section 6 for the definitions of Checksum, ChecksumType, EncryptedData, -EncryptionKey, EncryptionType, and KeyType. - -5.3. Tickets and Authenticators - -This section describes the format and encryption parameters for tickets and -authenticators. When a ticket or authenticator is included in a protocol -message it is treated as an opaque object. - -5.3.1. Tickets - -A ticket is a record that helps a client authenticate to a service. 
A Ticket -contains the following information: - -Ticket ::= [APPLICATION 1] SEQUENCE { - tkt-vno[0] INTEGER, - realm[1] Realm, - sname[2] PrincipalName, - enc-part[3] EncryptedData, - extensions[4] TicketExtensions OPTIONAL -} - --- Encrypted part of ticket -EncTicketPart ::= [APPLICATION 3] SEQUENCE { - flags[0] TicketFlags, - key[1] EncryptionKey, - crealm[2] Realm, - cname[3] PrincipalName, - transited[4] TransitedEncoding, - authtime[5] KerberosTime, - starttime[6] KerberosTime OPTIONAL, - endtime[7] KerberosTime, - renew-till[8] KerberosTime OPTIONAL, - caddr[9] HostAddresses OPTIONAL, - authorization-data[10] AuthorizationData OPTIONAL -} --- encoded Transited field -TransitedEncoding ::= SEQUENCE { - tr-type[0] INTEGER, -- must be registered - contents[1] OCTET STRING -} - -The encoding of EncTicketPart is encrypted in the key shared by Kerberos and -the end server (the server's secret key). See section 6 for the format of -the ciphertext. - -tkt-vno - This field specifies the version number for the ticket format. This - document describes version number 5. -realm - This field specifies the realm that issued a ticket. It also serves to - identify the realm part of the server's principal identifier. Since a - Kerberos server can only issue tickets for servers within its realm, - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - the two will always be identical. -sname - This field specifies the name part of the server's identity. -enc-part - This field holds the encrypted encoding of the EncTicketPart sequence. -extensions - This optional field contains a sequence of extentions that may be used - to carry information that must be carried with the ticket to support - several extensions, including but not limited to plaintext - authorization data, tokens for exchanging inter-realm keys, and other - information that must be associated with a ticket for use by the - application server. See Appendix C for definitions of some common - extensions. 
- - Note that some older versions of Kerberos did not support this field. - Because this is an optional field it will not break older clients, but - older clients might strip this field from the ticket before sending it - to the application server. This limits the usefulness of this ticket - field to environments where the ticket will not be parsed and - reconstructed by these older Kerberos clients. - - If it is known that the client will strip this field from the ticket, - as an interim measure the KDC may append this field to the end of the - enc-part of the ticket and append a traler indicating the lenght of the - appended extensions field. (this paragraph is open for discussion, - including the form of the traler). -flags - This field indicates which of various options were used or requested - when the ticket was issued. It is a bit-field, where the selected - options are indicated by the bit being set (1), and the unselected - options and reserved fields being reset (0). Bit 0 is the most - significant bit. The encoding of the bits is specified in section 5.2. - The flags are described in more detail above in section 2. The meanings - of the flags are: - - Bit(s) Name Description - - 0 RESERVED - Reserved for future expansion of this - field. - - 1 FORWARDABLE - The FORWARDABLE flag is normally only - interpreted by the TGS, and can be - ignored by end servers. When set, this - flag tells the ticket-granting server - that it is OK to issue a new ticket- - granting ticket with a different network - address based on the presented ticket. - - 2 FORWARDED - When set, this flag indicates that the - ticket has either been forwarded or was - issued based on authentication involving - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - a forwarded ticket-granting ticket. - - 3 PROXIABLE - The PROXIABLE flag is normally only - interpreted by the TGS, and can be - ignored by end servers. 
The PROXIABLE
- flag has an interpretation identical to
- that of the FORWARDABLE flag, except
- that the PROXIABLE flag tells the
- ticket-granting server that only non-
- ticket-granting tickets may be issued
- with different network addresses.
-
- 4 PROXY
- When set, this flag indicates that a
- ticket is a proxy.
-
- 5 MAY-POSTDATE
- The MAY-POSTDATE flag is normally only
- interpreted by the TGS, and can be
- ignored by end servers. This flag tells
- the ticket-granting server that a post-
- dated ticket may be issued based on this
- ticket-granting ticket.
-
- 6 POSTDATED
- This flag indicates that this ticket has
- been postdated. The end-service can
- check the authtime field to see when the
- original authentication occurred.
-
- 7 INVALID
- This flag indicates that a ticket is
- invalid, and it must be validated by the
- KDC before use. Application servers
- must reject tickets which have this flag
- set.
-
- 8 RENEWABLE
- The RENEWABLE flag is normally only
- interpreted by the TGS, and can usually
- be ignored by end servers (some particu-
- larly careful servers may wish to disal-
- low renewable tickets). A renewable
- ticket can be used to obtain a replace-
- ment ticket that expires at a later
- date.
-
- 9 INITIAL
- This flag indicates that this ticket was
- issued using the AS protocol, and not
- issued based on a ticket-granting
- ticket.
-
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
- 10 PRE-AUTHENT
- This flag indicates that during initial
- authentication, the client was authenti-
- cated by the KDC before a ticket was
- issued. The strength of the pre-
- authentication method is not indicated,
- but is acceptable to the KDC.
-
- 11 HW-AUTHENT
- This flag indicates that the protocol
- employed for initial authentication
- required the use of hardware expected to
- be possessed solely by the named client.
- The hardware authentication method is
- selected by the KDC and the strength of
- the method is not indicated.
-
- 12 TRANSITED This flag indicates that the KDC for the
- POLICY-CHECKED realm has checked the transited field
- against a realm defined policy for
- trusted certifiers. If this flag is
- reset (0), then the application server
- must check the transited field itself,
- and if unable to do so it must reject
- the authentication. If the flag is set
- (1) then the application server may skip
- its own validation of the transited
- field, relying on the validation
- performed by the KDC. At its option the
- application server may still apply its
- own validation based on a separate
- policy for acceptance.
-
- 13 OK-AS-DELEGATE This flag indicates that the server (not
- the client) specified in the ticket has
- been determined by policy of the realm
- to be a suitable recipient of
- delegation. A client can use the
- presence of this flag to help it make a
- decision whether to delegate credentials
- (either grant a proxy or a forwarded
- ticket granting ticket) to this server.
- The client is free to ignore the value
- of this flag. When setting this flag,
- an administrator should consider the
- Security and placement of the server on
- which the service will run, as well as
- whether the service requires the use of
- delegated credentials.
-
- 14 ANONYMOUS
- This flag indicates that the principal
- named in the ticket is a generic princi-
- pal for the realm and does not identify
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
- the individual using the ticket. The
- purpose of the ticket is only to
- securely distribute a session key, and
- not to identify the user. Subsequent
- requests using the same ticket and ses-
- sion may be considered as originating
- from the same user, but requests with
- the same username but a different ticket
- are likely to originate from different
- users.
-
- 15-31 RESERVED
- Reserved for future use.
-
-key
- This field exists in the ticket and the KDC response and is used to
- pass the session key from Kerberos to the application server and the
- client. The field's encoding is described in section 6.2.
-crealm
- This field contains the name of the realm in which the client is
- registered and in which initial authentication took place.
-cname
- This field contains the name part of the client's principal identifier.
-transited
- This field lists the names of the Kerberos realms that took part in
- authenticating the user to whom this ticket was issued. It does not
- specify the order in which the realms were transited. See section
- 3.3.3.2 for details on how this field encodes the traversed realms.
-authtime
- This field indicates the time of initial authentication for the named
- principal. It is the time of issue for the original ticket on which
- this ticket is based. It is included in the ticket to provide
- additional information to the end service, and to provide the necessary
- information for implementation of a `hot list' service at the KDC. An
- end service that is particularly paranoid could refuse to accept
- tickets for which the initial authentication occurred "too far" in the
- past. This field is also returned as part of the response from the KDC.
- When returned as part of the response to initial authentication
- (KRB_AS_REP), this is the current time on the Ker- beros server[24].
-starttime
- This field in the ticket specifies the time after which the ticket is
- valid. Together with endtime, this field specifies the life of the
- ticket. If it is absent from the ticket, its value should be treated as
- that of the authtime field.
-endtime
- This field contains the time after which the ticket will not be honored
- (its expiration time). Note that individual services may place their
- own limits on the life of a ticket and may reject tickets which have
- not yet expired.
As such, this is really an upper bound on the
- expiration time for the ticket.
-renew-till
- This field is only present in tickets that have the RENEWABLE flag set
- in the flags field. It indicates the maximum endtime that may be
- included in a renewal. It can be thought of as the absolute expiration
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
- time for the ticket, including all renewals.
-caddr
- This field in a ticket contains zero (if omitted) or more (if present)
- host addresses. These are the addresses from which the ticket can be
- used. If there are no addresses, the ticket can be used from any
- location. The decision by the KDC to issue or by the end server to
- accept zero-address tickets is a policy decision and is left to the
- Kerberos and end-service administrators; they may refuse to issue or
- accept such tickets. The suggested and default policy, however, is that
- such tickets will only be issued or accepted when additional
- information that can be used to restrict the use of the ticket is
- included in the authorization_data field. Such a ticket is a
- capability.
-
- Network addresses are included in the ticket to make it harder for an
- attacker to use stolen credentials. Because the session key is not sent
- over the network in cleartext, credentials can't be stolen simply by
- listening to the network; an attacker has to gain access to the session
- key (perhaps through operating system security breaches or a careless
- user's unattended session) to make use of stolen tickets.
-
- It is important to note that the network address from which a
- connection is received cannot be reliably determined. Even if it could
- be, an attacker who has compromised the client's worksta- tion could
- use the credentials from there. Including the network addresses only
- makes it more difficult, not impossible, for an attacker to walk off
- with stolen credentials and then use them from a "safe" location.
-authorization-data
- The authorization-data field is used to pass authorization data from
- the principal on whose behalf a ticket was issued to the application
- service. If no authorization data is included, this field will be left
- out. Experience has shown that the name of this field is confusing, and
- that a better name for this field would be restrictions. Unfortunately,
- it is not possible to change the name of this field at this time.
-
- This field contains restrictions on any authority obtained on the basis
- of authentication using the ticket. It is possible for any principal in
- posession of credentials to add entries to the authorization data field
- since these entries further restrict what can be done with the ticket.
- Such additions can be made by specifying the additional entries when a
- new ticket is obtained during the TGS exchange, or they may be added
- during chained delegation using the authorization data field of the
- authenticator.
-
- Because entries may be added to this field by the holder of
- credentials, it is not allowable for the presence of an entry in the
- authorization data field of a ticket to amplify the priveleges one
- would obtain from using a ticket.
-
- The data in this field may be specific to the end service; the field
- will contain the names of service specific objects, and the rights to
- those objects. The format for this field is described in section 5.2.
- Although Kerberos is not concerned with the format of the contents of
- the sub-fields, it does carry type information (ad-type).
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-
- By using the authorization_data field, a principal is able to issue a
- proxy that is valid for a specific purpose. For example, a client
- wishing to print a file can obtain a file server proxy to be passed to
- the print server.
By specifying the name of the file in the
- authorization_data field, the file server knows that the print server
- can only use the client's rights when accessing the particular file to
- be printed.
-
- A separate service providing authorization or certifying group
- membership may be built using the authorization-data field. In this
- case, the entity granting authorization (not the authorized entity),
- obtains a ticket in its own name (e.g. the ticket is issued in the name
- of a privelege server), and this entity adds restrictions on its own
- authority and delegates the restricted authority through a proxy to the
- client. The client would then present this authorization credential to
- the application server separately from the authentication exchange.
-
- Similarly, if one specifies the authorization-data field of a proxy and
- leaves the host addresses blank, the resulting ticket and session key
- can be treated as a capability. See [Neu93] for some suggested uses of
- this field.
-
- The authorization-data field is optional and does not have to be
- included in a ticket.
-
-5.3.2. Authenticators
-
-An authenticator is a record sent with a ticket to a server to certify the
-client's knowledge of the encryption key in the ticket, to help the server
-detect replays, and to help choose a "true session key" to use with the
-particular session. The encoding is encrypted in the ticket's session key
-shared by the client and the server:
-
--- Unencrypted authenticator
-Authenticator ::= [APPLICATION 2] SEQUENCE {
- authenticator-vno[0] INTEGER,
- crealm[1] Realm,
- cname[2] PrincipalName,
- cksum[3] Checksum OPTIONAL,
- cusec[4] INTEGER,
- ctime[5] KerberosTime,
- subkey[6] EncryptionKey OPTIONAL,
- seq-number[7] INTEGER OPTIONAL,
- authorization-data[8] AuthorizationData OPTIONAL
-}
-
-
-authenticator-vno
- This field specifies the version number for the format of the
- authenticator. This document specifies version 5.
-crealm and cname
- These fields are the same as those described for the ticket in section
- 5.3.1.
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-cksum
- This field contains a checksum of the the applica- tion data that
- accompanies the KRB_AP_REQ.
-cusec
- This field contains the microsecond part of the client's timestamp. Its
- value (before encryption) ranges from 0 to 999999. It often appears
- along with ctime. The two fields are used together to specify a
- reasonably accurate timestamp.
-ctime
- This field contains the current time on the client's host.
-subkey
- This field contains the client's choice for an encryption key which is
- to be used to protect this specific application session. Unless an
- application specifies otherwise, if this field is left out the session
- key from the ticket will be used.
-seq-number
- This optional field includes the initial sequence number to be used by
- the KRB_PRIV or KRB_SAFE messages when sequence numbers are used to
- detect replays (It may also be used by application specific messages).
- When included in the authenticator this field specifies the initial
- sequence number for messages from the client to the server. When
- included in the AP-REP message, the initial sequence number is that for
- messages from the server to the client. When used in KRB_PRIV or
- KRB_SAFE messages, it is incremented by one after each message is sent.
-
- For sequence numbers to adequately support the detection of replays
- they should be non-repeating, even across connection boundaries. The
- initial sequence number should be random and uniformly distributed
- across the full space of possible sequence numbers, so that it cannot
- be guessed by an attacker and so that it and the successive sequence
- numbers do not repeat other sequences.
-authorization-data
- This field is the same as described for the ticket in section 5.3.1.
It
- is optional and will only appear when additional restrictions are to be
- placed on the use of a ticket, beyond those carried in the ticket
- itself.
-
-5.4. Specifications for the AS and TGS exchanges
-
-This section specifies the format of the messages used in the exchange
-between the client and the Kerberos server. The format of possible error
-messages appears in section 5.9.1.
-
-5.4.1. KRB_KDC_REQ definition
-
-The KRB_KDC_REQ message has no type of its own. Instead, its type is one of
-KRB_AS_REQ or KRB_TGS_REQ depending on whether the request is for an initial
-ticket or an additional ticket. In either case, the message is sent from the
-client to the Authentication Server to request credentials for a service.
-
-The message fields are:
-
-AS-REQ ::= [APPLICATION 10] KDC-REQ
-TGS-REQ ::= [APPLICATION 12] KDC-REQ
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-
-KDC-REQ ::= SEQUENCE {
- pvno[1] INTEGER,
- msg-type[2] INTEGER,
- padata[3] SEQUENCE OF PA-DATA OPTIONAL,
- req-body[4] KDC-REQ-BODY
-}
-
-PA-DATA ::= SEQUENCE {
- padata-type[1] INTEGER,
- padata-value[2] OCTET STRING,
- -- might be encoded AP-REQ
-}
-
-KDC-REQ-BODY ::= SEQUENCE {
- kdc-options[0] KDCOptions,
- cname[1] PrincipalName OPTIONAL,
- -- Used only in AS-REQ
- realm[2] Realm, -- Server's realm
- -- Also client's in AS-REQ
- sname[3] PrincipalName OPTIONAL,
- from[4] KerberosTime OPTIONAL,
- till[5] KerberosTime OPTIONAL,
- rtime[6] KerberosTime OPTIONAL,
- nonce[7] INTEGER,
- etype[8] SEQUENCE OF INTEGER,
- -- EncryptionType,
- -- in preference order
- addresses[9] HostAddresses OPTIONAL,
- enc-authorization-data[10] EncryptedData OPTIONAL,
- -- Encrypted AuthorizationData
- -- encoding
- additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
-}
-
-The fields in this message are:
-
-pvno
- This field is included in each message, and specifies the protocol
- version number. This document specifies protocol version 5.
-msg-type
- This field indicates the type of a protocol message. It will almost
- always be the same as the application identifier associated with a
- message. It is included to make the identifier more readily accessible
- to the application. For the KDC-REQ message, this type will be
- KRB_AS_REQ or KRB_TGS_REQ.
-padata
- The padata (pre-authentication data) field contains a sequence of
- authentication information which may be needed before credentials can
- be issued or decrypted. In the case of requests for additional tickets
- (KRB_TGS_REQ), this field will include an element with padata-type of
- PA-TGS-REQ and data of an authentication header (ticket-granting ticket
- and authenticator). The checksum in the authenticator (which must be
- collision-proof) is to be computed over the KDC-REQ-BODY encoding. In
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
- most requests for initial authentication (KRB_AS_REQ) and most replies
- (KDC-REP), the padata field will be left out.
-
- This field may also contain information needed by certain extensions to
- the Kerberos protocol. For example, it might be used to initially
- verify the identity of a client before any response is returned. This
- is accomplished with a padata field with padata-type equal to
- PA-ENC-TIMESTAMP and padata-value defined as follows:
-
- padata-type ::= PA-ENC-TIMESTAMP
- padata-value ::= EncryptedData -- PA-ENC-TS-ENC
-
- PA-ENC-TS-ENC ::= SEQUENCE {
- patimestamp[0] KerberosTime, -- client's time
- pausec[1] INTEGER OPTIONAL
- }
-
- with patimestamp containing the client's time and pausec containing the
- microseconds which may be omitted if a client will not generate more
- than one request per second. The ciphertext (padata-value) consists of
- the PA-ENC-TS-ENC sequence, encrypted using the client's secret key.
-
- [use-specified-kvno item is here for discussion and may be removed] It
- may also be used by the client to specify the version of a key that is
- being used for accompanying preauthentication, and/or which should be
- used to encrypt the reply from the KDC.
-
- PA-USE-SPECIFIED-KVNO ::= Integer
-
- The KDC should only accept and abide by the value of the
- use-specified-kvno preauthentication data field when the specified key
- is still valid and until use of a new key is confirmed. This situation
- is likely to occur primarily during the period during which an updated
- key is propagating to other KDC's in a realm.
-
- The padata field can also contain information needed to help the KDC or
- the client select the key needed for generating or decrypting the
- response. This form of the padata is useful for supporting the use of
- certain token cards with Kerberos. The details of such extensions are
- specified in separate documents. See [Pat92] for additional uses of
- this field.
-padata-type
- The padata-type element of the padata field indicates the way that the
- padata-value element is to be interpreted. Negative values of
- padata-type are reserved for unregistered use; non-negative values are
- used for a registered interpretation of the element type.
-req-body
- This field is a placeholder delimiting the extent of the remaining
- fields. If a checksum is to be calculated over the request, it is
- calculated over an encoding of the KDC-REQ-BODY sequence which is
- enclosed within the req-body field.
-kdc-options
- This field appears in the KRB_AS_REQ and KRB_TGS_REQ requests to the
- KDC and indicates the flags that the client wants set on the tickets as
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
- well as other information that is to modify the behavior of the KDC.
- Where appropriate, the name of an option may be the same as the flag
- that is set by that option.
Although in most case, the bit in the
- options field will be the same as that in the flags field, this is not
- guaranteed, so it is not acceptable to simply copy the options field to
- the flags field. There are various checks that must be made before
- honoring an option anyway.
-
- The kdc_options field is a bit-field, where the selected options are
- indicated by the bit being set (1), and the unselected options and
- reserved fields being reset (0). The encoding of the bits is specified
- in section 5.2. The options are described in more detail above in
- section 2. The meanings of the options are:
-
- Bit(s) Name Description
- 0 RESERVED
- Reserved for future expansion of this
- field.
-
- 1 FORWARDABLE
- The FORWARDABLE option indicates that
- the ticket to be issued is to have its
- forwardable flag set. It may only be
- set on the initial request, or in a sub-
- sequent request if the ticket-granting
- ticket on which it is based is also for-
- wardable.
-
- 2 FORWARDED
- The FORWARDED option is only specified
- in a request to the ticket-granting
- server and will only be honored if the
- ticket-granting ticket in the request
- has its FORWARDABLE bit set. This
- option indicates that this is a request
- for forwarding. The address(es) of the
- host from which the resulting ticket is
- to be valid are included in the
- addresses field of the request.
-
- 3 PROXIABLE
- The PROXIABLE option indicates that the
- ticket to be issued is to have its prox-
- iable flag set. It may only be set on
- the initial request, or in a subsequent
- request if the ticket-granting ticket on
- which it is based is also proxiable.
-
- 4 PROXY
- The PROXY option indicates that this is
- a request for a proxy. This option will
- only be honored if the ticket-granting
- ticket in the request has its PROXIABLE
- bit set.
The address(es) of the host
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
- from which the resulting ticket is to be
- valid are included in the addresses
- field of the request.
-
- 5 ALLOW-POSTDATE
- The ALLOW-POSTDATE option indicates that
- the ticket to be issued is to have its
- MAY-POSTDATE flag set. It may only be
- set on the initial request, or in a sub-
- sequent request if the ticket-granting
- ticket on which it is based also has its
- MAY-POSTDATE flag set.
-
- 6 POSTDATED
- The POSTDATED option indicates that this
- is a request for a postdated ticket.
- This option will only be honored if the
- ticket-granting ticket on which it is
- based has its MAY-POSTDATE flag set.
- The resulting ticket will also have its
- INVALID flag set, and that flag may be
- reset by a subsequent request to the KDC
- after the starttime in the ticket has
- been reached.
-
- 7 UNUSED
- This option is presently unused.
-
- 8 RENEWABLE
- The RENEWABLE option indicates that the
- ticket to be issued is to have its
- RENEWABLE flag set. It may only be set
- on the initial request, or when the
- ticket-granting ticket on which the
- request is based is also renewable. If
- this option is requested, then the rtime
- field in the request contains the
- desired absolute expiration time for the
- ticket.
-
- 9-13 UNUSED
- These options are presently unused.
-
- 14 REQUEST-ANONYMOUS
- The REQUEST-ANONYMOUS option indicates
- that the ticket to be issued is not to
- identify the user to which it was
- issued. Instead, the principal identif-
- ier is to be generic, as specified by
- the policy of the realm (e.g. usually
- anonymous@realm). The purpose of the
- ticket is only to securely distribute a
- session key, and not to identify the
- user. The ANONYMOUS flag on the ticket
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
- to be returned should be set. If the
- local realms policy does not permit
- anonymous credentials, the request is to
- be rejected.
-
- 15-25 RESERVED
- Reserved for future use.
-
- 26 DISABLE-TRANSITED-CHECK
- By default the KDC will check the
- transited field of a ticket-granting-
- ticket against the policy of the local
- realm before it will issue derivative
- tickets based on the ticket granting
- ticket. If this flag is set in the
- request, checking of the transited field
- is disabled. Tickets issued without the
- performance of this check will be noted
- by the reset (0) value of the
- TRANSITED-POLICY-CHECKED flag,
- indicating to the application server
- that the tranisted field must be checked
- locally. KDC's are encouraged but not
- required to honor the
- DISABLE-TRANSITED-CHECK option.
-
- 27 RENEWABLE-OK
- The RENEWABLE-OK option indicates that a
- renewable ticket will be acceptable if a
- ticket with the requested life cannot
- otherwise be provided. If a ticket with
- the requested life cannot be provided,
- then a renewable ticket may be issued
- with a renew-till equal to the the
- requested endtime. The value of the
- renew-till field may still be limited by
- local limits, or limits selected by the
- individual principal or server.
-
- 28 ENC-TKT-IN-SKEY
- This option is used only by the ticket-
- granting service. The ENC-TKT-IN-SKEY
- option indicates that the ticket for the
- end server is to be encrypted in the
- session key from the additional ticket-
- granting ticket provided.
-
- 29 RESERVED
- Reserved for future use.
-
- 30 RENEW
- This option is used only by the ticket-
- granting service. The RENEW option
- indicates that the present request is
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
- for a renewal. The ticket provided is
- encrypted in the secret key for the
- server on which it is valid. This
- option will only be honored if the
- ticket to be renewed has its RENEWABLE
- flag set and if the time in its renew-
- till field has not passed. The ticket
- to be renewed is passed in the padata
- field as part of the authentication
- header.
-
- 31 VALIDATE
- This option is used only by the ticket-
- granting service. The VALIDATE option
- indicates that the request is to vali-
- date a postdated ticket. It will only
- be honored if the ticket presented is
- postdated, presently has its INVALID
- flag set, and would be otherwise usable
- at this time. A ticket cannot be vali-
- dated before its starttime. The ticket
- presented for validation is encrypted in
- the key of the server for which it is
- valid and is passed in the padata field
- as part of the authentication header.
-
-cname and sname
- These fields are the same as those described for the ticket in section
- 5.3.1. sname may only be absent when the ENC-TKT-IN-SKEY option is
- specified. If absent, the name of the server is taken from the name of
- the client in the ticket passed as additional-tickets.
-enc-authorization-data
- The enc-authorization-data, if present (and it can only be present in
- the TGS_REQ form), is an encoding of the desired authorization-data
- encrypted under the sub-session key if present in the Authenticator, or
- alternatively from the session key in the ticket-granting ticket, both
- from the padata field in the KRB_AP_REQ.
-realm
- This field specifies the realm part of the server's principal
- identifier. In the AS exchange, this is also the realm part of the
- client's principal identifier.
-from
- This field is included in the KRB_AS_REQ and KRB_TGS_REQ ticket
- requests when the requested ticket is to be postdated. It specifies the
- desired start time for the requested ticket. If this field is omitted
- then the KDC should use the current time instead.
-till
- This field contains the expiration date requested by the client in a
- ticket request.
It is optional and if omitted the requested ticket is
- to have the maximum endtime permitted according to KDC policy for the
- parties to the authentication exchange as limited by expiration date of
- the ticket granting ticket or other preauthentication credentials.
-rtime
- This field is the requested renew-till time sent from a client to the
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
- KDC in a ticket request. It is optional.
-nonce
- This field is part of the KDC request and response. It it intended to
- hold a random number generated by the client. If the same number is
- included in the encrypted response from the KDC, it provides evidence
- that the response is fresh and has not been replayed by an attacker.
- Nonces must never be re-used. Ideally, it should be generated randomly,
- but if the correct time is known, it may suffice[25].
-etype
- This field specifies the desired encryption algorithm to be used in the
- response.
-addresses
- This field is included in the initial request for tickets, and
- optionally included in requests for additional tickets from the
- ticket-granting server. It specifies the addresses from which the
- requested ticket is to be valid. Normally it includes the addresses for
- the client's host. If a proxy is requested, this field will contain
- other addresses. The contents of this field are usually copied by the
- KDC into the caddr field of the resulting ticket.
-additional-tickets
- Additional tickets may be optionally included in a request to the
- ticket-granting server. If the ENC-TKT-IN-SKEY option has been
- specified, then the session key from the additional ticket will be used
- in place of the server's key to encrypt the new ticket. If more than
- one option which requires additional tickets has been specified, then
- the additional tickets are used in the order specified by the ordering
- of the options bits (see kdc-options, above).
-
-The application code will be either ten (10) or twelve (12) depending on
-whether the request is for an initial ticket (AS-REQ) or for an additional
-ticket (TGS-REQ).
-
-The optional fields (addresses, authorization-data and additional-tickets)
-are only included if necessary to perform the operation specified in the
-kdc-options field.
-
-It should be noted that in KRB_TGS_REQ, the protocol version number appears
-twice and two different message types appear: the KRB_TGS_REQ message
-contains these fields as does the authentication header (KRB_AP_REQ) that is
-passed in the padata field.
-
-5.4.2. KRB_KDC_REP definition
-
-The KRB_KDC_REP message format is used for the reply from the KDC for either
-an initial (AS) request or a subsequent (TGS) request. There is no message
-type for KRB_KDC_REP. Instead, the type will be either KRB_AS_REP or
-KRB_TGS_REP. The key used to encrypt the ciphertext part of the reply
-depends on the message type. For KRB_AS_REP, the ciphertext is encrypted in
-the client's secret key, and the client's key version number is included in
-the key version number for the encrypted data. For KRB_TGS_REP, the
-ciphertext is encrypted in the sub-session key from the Authenticator, or if
-absent, the session key from the ticket-granting ticket used in the request.
-In that case, no version number will be present in the EncryptedData
-sequence.
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-
-The KRB_KDC_REP message contains the following fields:
-
-AS-REP ::= [APPLICATION 11] KDC-REP
-TGS-REP ::= [APPLICATION 13] KDC-REP
-
-KDC-REP ::= SEQUENCE {
- pvno[0] INTEGER,
- msg-type[1] INTEGER,
- padata[2] SEQUENCE OF PA-DATA OPTIONAL,
- crealm[3] Realm,
- cname[4] PrincipalName,
- ticket[5] Ticket,
- enc-part[6] EncryptedData
-}
-
-EncASRepPart ::= [APPLICATION 25[27]] EncKDCRepPart
-EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
-
-EncKDCRepPart ::= SEQUENCE {
- key[0] EncryptionKey,
- last-req[1] LastReq,
- nonce[2] INTEGER,
- key-expiration[3] KerberosTime OPTIONAL,
- flags[4] TicketFlags,
- authtime[5] KerberosTime,
- starttime[6] KerberosTime OPTIONAL,
- endtime[7] KerberosTime,
- renew-till[8] KerberosTime OPTIONAL,
- srealm[9] Realm,
- sname[10] PrincipalName,
- caddr[11] HostAddresses OPTIONAL
-}
-
-pvno and msg-type
- These fields are described above in section 5.4.1. msg-type is either
- KRB_AS_REP or KRB_TGS_REP.
-padata
- This field is described in detail in section 5.4.1. One possible use
- for this field is to encode an alternate "mix-in" string to be used
- with a string-to-key algorithm (such as is described in section 6.3.2).
- This ability is useful to ease transitions if a realm name needs to
- change (e.g. when a company is acquired); in such a case all existing
- password-derived entries in the KDC database would be flagged as
- needing a special mix-in string until the next password change.
-crealm, cname, srealm and sname
- These fields are the same as those described for the ticket in section
- 5.3.1.
-ticket
- The newly-issued ticket, from section 5.3.1.
-enc-part
- This field is a place holder for the ciphertext and related information
- that forms the encrypted part of a message. The description of the
- encrypted part of the message follows each appearance of this field.
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
- The encrypted part is encoded as described in section 6.1.
-key
- This field is the same as described for the ticket in section 5.3.1.
-last-req
- This field is returned by the KDC and specifies the time(s) of the last
- request by a principal. Depending on what information is available,
- this might be the last time that a request for a ticket-granting ticket
- was made, or the last time that a request based on a ticket-granting
- ticket was successful. It also might cover all servers for a realm, or
- just the particular server. Some implementations may display this
- information to the user to aid in discovering unauthorized use of one's
- identity. It is similar in spirit to the last login time displayed when
- logging into timesharing systems.
-nonce
- This field is described above in section 5.4.1.
-key-expiration
- The key-expiration field is part of the response from the KDC and
- specifies the time that the client's secret key is due to expire. The
- expiration might be the result of password aging or an account
- expiration. This field will usually be left out of the TGS reply since
- the response to the TGS request is encrypted in a session key and no
- client information need be retrieved from the KDC database. It is up to
- the application client (usually the login program) to take appropriate
- action (such as notifying the user) if the expiration time is imminent.
-flags, authtime, starttime, endtime, renew-till and caddr
- These fields are duplicates of those found in the encrypted portion of
- the attached ticket (see section 5.3.1), provided so the client may
- verify they match the intended request and to assist in proper ticket
- caching. If the message is of type KRB_TGS_REP, the caddr field will
- only be filled in if the request was for a proxy or forwarded ticket,
- or if the user is substituting a subset of the addresses from the
- ticket granting ticket.
If the client-requested addresses are not - present or not used, then the addresses contained in the ticket will be - the same as those included in the ticket-granting ticket. - -5.5. Client/Server (CS) message specifications - -This section specifies the format of the messages used for the -authentication of the client to the application server. - -5.5.1. KRB_AP_REQ definition - -The KRB_AP_REQ message contains the Kerberos protocol version number, the -message type KRB_AP_REQ, an options field to indicate any options in use, -and the ticket and authenticator themselves. The KRB_AP_REQ message is often -referred to as the 'authentication header'. - -AP-REQ ::= [APPLICATION 14] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - ap-options[2] APOptions, - ticket[3] Ticket, - authenticator[4] EncryptedData -} - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - -APOptions ::= BIT STRING { - reserved(0), - use-session-key(1), - mutual-required(2) -} - - - -pvno and msg-type - These fields are described above in section 5.4.1. msg-type is - KRB_AP_REQ. -ap-options - This field appears in the application request (KRB_AP_REQ) and affects - the way the request is processed. It is a bit-field, where the selected - options are indicated by the bit being set (1), and the unselected - options and reserved fields being reset (0). The encoding of the bits - is specified in section 5.2. The meanings of the options are: - - Bit(s) Name Description - 0 RESERVED - Reserved for future expansion of this - field. - - 1 USE-SESSION-KEY - The USE-SESSION-KEY option indicates - that the ticket the client is presenting - to a server is encrypted in the session - key from the server's ticket-granting - ticket. When this option is not speci- - fied, the ticket is encrypted in the - server's secret key. - - 2 MUTUAL-REQUIRED - The MUTUAL-REQUIRED option tells the - server that the client requires mutual - authentication, and that it must respond - with a KRB_AP_REP message. 
- - 3-31 RESERVED - Reserved for future use. -ticket - This field is a ticket authenticating the client to the server. -authenticator - This contains the authenticator, which includes the client's choice of - a subkey. Its encoding is described in section 5.3.2. - -5.5.2. KRB_AP_REP definition - -The KRB_AP_REP message contains the Kerberos protocol version number, the -message type, and an encrypted time- stamp. The message is sent in in -response to an application request (KRB_AP_REQ) where the mutual -authentication option has been selected in the ap-options field. - - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -AP-REP ::= [APPLICATION 15] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - enc-part[2] EncryptedData -} - -EncAPRepPart ::= [APPLICATION 27[29]] SEQUENCE { - ctime[0] KerberosTime, - cusec[1] INTEGER, - subkey[2] EncryptionKey OPTIONAL, - seq-number[3] INTEGER OPTIONAL -} - -The encoded EncAPRepPart is encrypted in the shared session key of the -ticket. The optional subkey field can be used in an application-arranged -negotiation to choose a per association session key. - -pvno and msg-type - These fields are described above in section 5.4.1. msg-type is - KRB_AP_REP. -enc-part - This field is described above in section 5.4.2. -ctime - This field contains the current time on the client's host. -cusec - This field contains the microsecond part of the client's timestamp. -subkey - This field contains an encryption key which is to be used to protect - this specific application session. See section 3.2.6 for specifics on - how this field is used to negotiate a key. Unless an application - specifies otherwise, if this field is left out, the sub-session key - from the authenticator, or if also left out, the session key from the - ticket will be used. - -5.5.3. Error message reply - -If an error occurs while processing the application request, the KRB_ERROR -message will be sent in response. 
See section 5.9.1 for the format of the
-error message. The cname and crealm fields may be left out if the server
-cannot determine their appropriate values from the corresponding KRB_AP_REQ
-message. If the authenticator was decipherable, the ctime and cusec fields
-will contain the values from it.
-
-5.6. KRB_SAFE message specification
-
-This section specifies the format of a message that can be used by either
-side (client or server) of an application to send a tamper-proof message to
-its peer. It presumes that a session key has previously been exchanged (for
-example, by using the KRB_AP_REQ/KRB_AP_REP messages).
-
-5.6.1. KRB_SAFE definition
-
-The KRB_SAFE message contains user data along with a collision-proof
-checksum keyed with the last encryption key negotiated via subkeys, or the
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-session key if no negotiation has occured. The message fields are:
-
-KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
- pvno[0] INTEGER,
- msg-type[1] INTEGER,
- safe-body[2] KRB-SAFE-BODY,
- cksum[3] Checksum
-}
-
-KRB-SAFE-BODY ::= SEQUENCE {
- user-data[0] OCTET STRING,
- timestamp[1] KerberosTime OPTIONAL,
- usec[2] INTEGER OPTIONAL,
- seq-number[3] INTEGER OPTIONAL,
- s-address[4] HostAddress OPTIONAL,
- r-address[5] HostAddress OPTIONAL
-}
-
-pvno and msg-type
- These fields are described above in section 5.4.1. msg-type is
- KRB_SAFE.
-safe-body
- This field is a placeholder for the body of the KRB-SAFE message. It is
- to be encoded separately and then have the checksum computed over it,
- for use in the cksum field.
-cksum
- This field contains the checksum of the application data. Checksum
- details are described in section 6.4. The checksum is computed over the
- encoding of the KRB-SAFE-BODY sequence.
-user-data
- This field is part of the KRB_SAFE and KRB_PRIV messages and contain
- the application specific data that is being passed from the sender to
- the recipient.
-timestamp - This field is part of the KRB_SAFE and KRB_PRIV messages. Its contents - are the current time as known by the sender of the message. By checking - the timestamp, the recipient of the message is able to make sure that - it was recently generated, and is not a replay. -usec - This field is part of the KRB_SAFE and KRB_PRIV headers. It contains - the microsecond part of the timestamp. -seq-number - This field is described above in section 5.3.2. -s-address - This field specifies the address in use by the sender of the message. -r-address - This field specifies the address in use by the recipient of the - message. It may be omitted for some uses (such as broadcast protocols), - but the recipient may arbitrarily reject such messages. This field - along with s-address can be used to help detect messages which have - been incorrectly or maliciously delivered to the wrong recipient. - -5.7. KRB_PRIV message specification - - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -This section specifies the format of a message that can be used by either -side (client or server) of an application to securely and privately send a -message to its peer. It presumes that a session key has previously been -exchanged (for example, by using the KRB_AP_REQ/KRB_AP_REP messages). - -5.7.1. KRB_PRIV definition - -The KRB_PRIV message contains user data encrypted in the Session Key. The -message fields are: - -KRB-PRIV ::= [APPLICATION 21] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - enc-part[3] EncryptedData -} - -EncKrbPrivPart ::= [APPLICATION 28[31]] SEQUENCE { - user-data[0] OCTET STRING, - timestamp[1] KerberosTime OPTIONAL, - usec[2] INTEGER OPTIONAL, - seq-number[3] INTEGER OPTIONAL, - s-address[4] HostAddress OPTIONAL, -- sender's addr - r-address[5] HostAddress OPTIONAL -- recip's addr -} - -pvno and msg-type - These fields are described above in section 5.4.1. msg-type is - KRB_PRIV. 
-enc-part
- This field holds an encoding of the EncKrbPrivPart sequence encrypted
- under the session key[32]. This encrypted encoding is used for the
- enc-part field of the KRB-PRIV message. See section 6 for the format of
- the ciphertext.
-user-data, timestamp, usec, s-address and r-address
- These fields are described above in section 5.6.1.
-seq-number
- This field is described above in section 5.3.2.
-
-5.8. KRB_CRED message specification
-
-This section specifies the format of a message that can be used to send
-Kerberos credentials from one principal to another. It is presented here to
-encourage a common mechanism to be used by applications when forwarding
-tickets or providing proxies to subordinate servers. It presumes that a
-session key has already been exchanged perhaps by using the
-KRB_AP_REQ/KRB_AP_REP messages.
-
-5.8.1. KRB_CRED definition
-
-The KRB_CRED message contains a sequence of tickets to be sent and
-information needed to use the tickets, including the session key from each.
-The information needed to use the tickets is encrypted under an encryption
-key previously exchanged or transferred alongside the KRB_CRED message.
The -message fields are: - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - -KRB-CRED ::= [APPLICATION 22] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, -- KRB_CRED - tickets[2] SEQUENCE OF Ticket, - enc-part[3] EncryptedData -} - -EncKrbCredPart ::= [APPLICATION 29] SEQUENCE { - ticket-info[0] SEQUENCE OF KrbCredInfo, - nonce[1] INTEGER OPTIONAL, - timestamp[2] KerberosTime OPTIONAL, - usec[3] INTEGER OPTIONAL, - s-address[4] HostAddress OPTIONAL, - r-address[5] HostAddress OPTIONAL -} - -KrbCredInfo ::= SEQUENCE { - key[0] EncryptionKey, - prealm[1] Realm OPTIONAL, - pname[2] PrincipalName OPTIONAL, - flags[3] TicketFlags OPTIONAL, - authtime[4] KerberosTime OPTIONAL, - starttime[5] KerberosTime OPTIONAL, - endtime[6] KerberosTime OPTIONAL - renew-till[7] KerberosTime OPTIONAL, - srealm[8] Realm OPTIONAL, - sname[9] PrincipalName OPTIONAL, - caddr[10] HostAddresses OPTIONAL -} - -pvno and msg-type - These fields are described above in section 5.4.1. msg-type is - KRB_CRED. -tickets - These are the tickets obtained from the KDC specifically for use by the - intended recipient. Successive tickets are paired with the - corresponding KrbCredInfo sequence from the enc-part of the KRB-CRED - message. -enc-part - This field holds an encoding of the EncKrbCredPart sequence encrypted - under the session key shared between the sender and the intended - recipient. This encrypted encoding is used for the enc-part field of - the KRB-CRED message. See section 6 for the format of the ciphertext. -nonce - If practical, an application may require the inclusion of a nonce - generated by the recipient of the message. If the same value is - included as the nonce in the message, it provides evidence that the - message is fresh and has not been replayed by an attacker. A nonce must - never be re-used; it should be generated randomly by the recipient of - the message and provided to the sender of the message in an application - specific manner. 
-timestamp and usec
- These fields specify the time that the KRB-CRED message was generated.
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
- The time is used to provide assurance that the message is fresh.
-s-address and r-address
- These fields are described above in section 5.6.1. They are used
- optionally to provide additional assurance of the integrity of the
- KRB-CRED message.
-key
- This field exists in the corresponding ticket passed by the KRB-CRED
- message and is used to pass the session key from the sender to the
- intended recipient. The field's encoding is described in section 6.2.
-
-The following fields are optional. If present, they can be associated with
-the credentials in the remote ticket file. If left out, then it is assumed
-that the recipient of the credentials already knows their value.
-
-prealm and pname
- The name and realm of the delegated principal identity.
-flags, authtime, starttime, endtime, renew-till, srealm, sname, and caddr
- These fields contain the values of the correspond- ing fields from the
- ticket found in the ticket field. Descriptions of the fields are
- identical to the descriptions in the KDC-REP message.
-
-5.9. Error message specification
-
-This section specifies the format for the KRB_ERROR message. The fields
-included in the message are intended to return as much information as
-possible about an error. It is not expected that all the information
-required by the fields will be available for all types of errors. If the
-appropriate information is not available when the message is composed, the
-corresponding field will be left out of the message.
-
-Note that since the KRB_ERROR message is not protected by any encryption, it
-is quite possible for an intruder to synthesize or modify such a message. In
-particular, this means that the client should not use any fields in this
-message for security-critical purposes, such as setting a system clock or
-generating a fresh authenticator.
The message can be useful, however, for -advising a user on the reason for some failure. - -5.9.1. KRB_ERROR definition - -The KRB_ERROR message consists of the following fields: - -KRB-ERROR ::= [APPLICATION 30] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - ctime[2] KerberosTime OPTIONAL, - cusec[3] INTEGER OPTIONAL, - stime[4] KerberosTime, - susec[5] INTEGER, - error-code[6] INTEGER, - crealm[7] Realm OPTIONAL, - cname[8] PrincipalName OPTIONAL, - realm[9] Realm, -- Correct realm - sname[10] PrincipalName, -- Correct name - e-text[11] GeneralString OPTIONAL, - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - e-data[12] OCTET STRING OPTIONAL, - e-cksum[13] Checksum OPTIONAL, - e-typed-data[14] SEQUENCE of ETypedData OPTIONAL -} - -ETypedData ::= SEQUENCE { - e-data-type [1] INTEGER, - e-data-value [2] OCTET STRING, -} - - - -pvno and msg-type - These fields are described above in section 5.4.1. msg-type is - KRB_ERROR. -ctime - This field is described above in section 5.4.1. -cusec - This field is described above in section 5.5.2. -stime - This field contains the current time on the server. It is of type - KerberosTime. -susec - This field contains the microsecond part of the server's timestamp. Its - value ranges from 0 to 999999. It appears along with stime. The two - fields are used in conjunction to specify a reasonably accurate - timestamp. -error-code - This field contains the error code returned by Kerberos or the server - when a request fails. To interpret the value of this field see the list - of error codes in section 8. Implementations are encouraged to provide - for national language support in the display of error messages. -crealm, cname, srealm and sname - These fields are described above in section 5.3.1. -e-text - This field contains additional text to help explain the error code - associated with the failed request (for example, it might include a - principal name which was unknown). 
-e-data
- This field contains additional data about the error for use by the
- application to help it recover from or handle the error. If the
- errorcode is KDC_ERR_PREAUTH_REQUIRED, then the e-data field will
- contain an encoding of a sequence of padata fields, each corresponding
- to an acceptable pre-authentication method and optionally containing
- data for the method:
-
- METHOD-DATA ::= SEQUENCE of PA-DATA
-
- If the error-code is KRB_AP_ERR_METHOD, then the e-data field will
- contain an encoding of the following sequence:
-
- METHOD-DATA ::= SEQUENCE {
- method-type[0] INTEGER,
- method-data[1] OCTET STRING OPTIONAL
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
- }
-
- method-type will indicate the required alternate method; method-data
- will contain any required additional information.
-e-cksum
- This field contains an optional checksum for the KRB-ERROR message. The
- checksum is calculated over the Kerberos ASN.1 encoding of the
- KRB-ERROR message with the checksum absent. The checksum is then added
- to the KRB-ERROR structure and the message is re-encoded. The Checksum
- should be calculated using the session key from the ticket granting
- ticket or service ticket, where available. If the error is in response
- to a TGS or AP request, the checksum should be calculated uing the the
- session key from the client's ticket. If the error is in response to an
- AS request, then the checksum should be calulated using the client's
- secret key ONLY if there has been suitable preauthentication to prove
- knowledge of the secret key by the client[33]. If a checksum can not be
- computed because the key to be used is not available, no checksum will
- be included.
-e-typed-data
- [This field for discussion, may be deleted from final spec] This field
- contains optional data that may be used to help the client recover from
- the indicated error. [This could contain the METHOD-DATA specified
- since I don't think anyone actually uses it yet.
It could also contain - the PA-DATA sequence for the preauth required error if we had a clear - way to transition to the use of this field from the use of the untype - e-data field.] For example, this field may specify the key version of - the key used to verify preauthentication: - - e-data-type := 20 -- Key version number - e-data-value := Integer -- Key version number used to verify - preauthentication - -6. Encryption and Checksum Specifications - -The Kerberos protocols described in this document are designed to use stream -encryption ciphers, which can be simulated using commonly available block -encryption ciphers, such as the Data Encryption Standard, [DES77] in -conjunction with block chaining and checksum methods [DESM80]. Encryption is -used to prove the identities of the network entities participating in -message exchanges. The Key Distribution Center for each realm is trusted by -all principals registered in that realm to store a secret key in confidence. -Proof of knowledge of this secret key is used to verify the authenticity of -a principal. - -The KDC uses the principal's secret key (in the AS exchange) or a shared -session key (in the TGS exchange) to encrypt responses to ticket requests; -the ability to obtain the secret key or session key implies the knowledge of -the appropriate keys and the identity of the KDC. The ability of a principal -to decrypt the KDC response and present a Ticket and a properly formed -Authenticator (generated with the session key from the KDC response) to a -service verifies the identity of the principal; likewise the ability of the -service to extract the session key from the Ticket and prove its knowledge -thereof in a response verifies the identity of the service. 
-
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-The Kerberos protocols generally assume that the encryption used is secure
-from cryptanalysis; however, in some cases, the order of fields in the
-encrypted portions of messages are arranged to minimize the effects of
-poorly chosen keys. It is still important to choose good keys. If keys are
-derived from user-typed passwords, those passwords need to be well chosen to
-make brute force attacks more difficult. Poorly chosen keys still make easy
-targets for intruders.
-
-The following sections specify the encryption and checksum mechanisms
-currently defined for Kerberos. The encodings, chaining, and padding
-requirements for each are described. For encryption methods, it is often
-desirable to place random information (often referred to as a confounder) at
-the start of the message. The requirements for a confounder are specified
-with each encryption mechanism.
-
-Some encryption systems use a block-chaining method to improve the the
-security characteristics of the ciphertext. However, these chaining methods
-often don't provide an integrity check upon decryption. Such systems (such
-as DES in CBC mode) must be augmented with a checksum of the plain-text
-which can be verified at decryption and used to detect any tampering or
-damage. Such checksums should be good at detecting burst errors in the
-input. If any damage is detected, the decryption routine is expected to
-return an error indicating the failure of an integrity check. Each
-encryption type is expected to provide and verify an appropriate checksum.
-The specification of each encryption method sets out its checksum
-requirements.
-
-Finally, where a key is to be derived from a user's password, an algorithm
-for converting the password to a key of the appropriate type is included. It
-is desirable for the string to key function to be one-way, and for the
-mapping to be different in different realms.
This is important because users -who are registered in more than one realm will often use the same password -in each, and it is desirable that an attacker compromising the Kerberos -server in one realm not obtain or derive the user's key in another. - -For an discussion of the integrity characteristics of the candidate -encryption and checksum methods considered for Kerberos, the the reader is -referred to [SG92]. - -6.1. Encryption Specifications - -The following ASN.1 definition describes all encrypted messages. The -enc-part field which appears in the unencrypted part of messages in section -5 is a sequence consisting of an encryption type, an optional key version -number, and the ciphertext. - -EncryptedData ::= SEQUENCE { - etype[0] INTEGER, -- EncryptionType - kvno[1] INTEGER OPTIONAL, - cipher[2] OCTET STRING -- ciphertext -} - - - - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -etype - This field identifies which encryption algorithm was used to encipher - the cipher. Detailed specifications for selected encryption types - appear later in this section. -kvno - This field contains the version number of the key under which data is - encrypted. It is only present in messages encrypted under long lasting - keys, such as principals' secret keys. -cipher - This field contains the enciphered text, encoded as an OCTET STRING. - -The cipher field is generated by applying the specified encryption algorithm -to data composed of the message and algorithm-specific inputs. Encryption -mechanisms defined for use with Kerberos must take sufficient measures to -guarantee the integrity of the plaintext, and we recommend they also take -measures to protect against precomputed dictionary attacks. If the -encryption algorithm is not itself capable of doing so, the protections can -often be enhanced by adding a checksum and a confounder. 
- -The suggested format for the data to be encrypted includes a confounder, a -checksum, the encoded plaintext, and any necessary padding. The msg-seq -field contains the part of the protocol message described in section 5 which -is to be encrypted. The confounder, checksum, and padding are all untagged -and untyped, and their length is exactly sufficient to hold the appropriate -item. The type and length is implicit and specified by the particular -encryption type being used (etype). The format for the data to be encrypted -is described in the following diagram: - - +-----------+----------+-------------+-----+ - |confounder | check | msg-seq | pad | - +-----------+----------+-------------+-----+ - -The format cannot be described in ASN.1, but for those who prefer an -ASN.1-like notation: - -CipherText ::= ENCRYPTED SEQUENCE { - confounder[0] UNTAGGED[35] OCTET STRING(conf_length) OPTIONAL, - check[1] UNTAGGED OCTET STRING(checksum_length) OPTIONAL, - msg-seq[2] MsgSequence, - pad UNTAGGED OCTET STRING(pad_length) OPTIONAL -} - -One generates a random confounder of the appropriate length, placing it in -confounder; zeroes out check; calculates the appropriate checksum over -confounder, check, and msg-seq, placing the result in check; adds the -necessary padding; then encrypts using the specified encryption type and the -appropriate key. - -Unless otherwise specified, a definition of an encryption algorithm that -specifies a checksum, a length for the confounder field, or an octet -boundary for padding uses this ciphertext format[36]. Those fields which are -not specified will be omitted. - -In the interest of allowing all implementations using a particular - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -encryption type to communicate with all others using that type, the -specification of an encryption type defines any checksum that is needed as -part of the encryption process. 
If an alternative checksum is to be used, a
-new encryption type must be defined.
-
-Some cryptosystems require additional information beyond the key and the
-data to be encrypted. For example, DES, when used in cipher-block-chaining
-mode, requires an initialization vector. If required, the description for
-each encryption type must specify the source of such additional information.
-6.2. Encryption Keys
-
-The sequence below shows the encoding of an encryption key:
-
- EncryptionKey ::= SEQUENCE {
- keytype[0] INTEGER,
- keyvalue[1] OCTET STRING
- }
-
-keytype
- This field specifies the type of encryption key that follows in the
- keyvalue field. It will almost always correspond to the encryption
- algorithm used to generate the EncryptedData, though more than one
- algorithm may use the same type of key (the mapping is many to one).
- This might happen, for example, if the encryption algorithm uses an
- alternate checksum algorithm for an integrity check, or a different
- chaining mechanism.
-keyvalue
- This field contains the key itself, encoded as an octet string.
-
-All negative values for the encryption key type are reserved for local use.
-All non-negative values are reserved for officially assigned type fields and
-interpreta- tions.
-
-6.3. Encryption Systems
-
-6.3.1. The NULL Encryption System (null)
-
-If no encryption is in use, the encryption system is said to be the NULL
-encryption system. In the NULL encryption system there is no checksum,
-confounder or padding. The ciphertext is simply the plaintext. The NULL Key
-is used by the null encryption system and is zero octets in length, with
-keytype zero (0).
-
-6.3.2. DES in CBC mode with a CRC-32 checksum (des-cbc-crc)
-
-The des-cbc-crc encryption mode encrypts information under the Data
-Encryption Standard [DES77] using the cipher block chaining mode [DESM80].
A
-CRC-32 checksum (described in ISO 3309 [ISO3309]) is applied to the
-confounder and message sequence (msg-seq) and placed in the cksum field. DES
-blocks are 8 bytes. As a result, the data to be encrypted (the concatenation
-of confounder, checksum, and message) must be padded to an 8 byte boundary
-before encryption. The details of the encryption of this data are identical
-to those for the des-cbc-md5 encryption mode.
-
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-Note that, since the CRC-32 checksum is not collision-proof, an attacker
-could use a probabilistic chosen-plaintext attack to generate a valid
-message even if a confounder is used [SG92]. The use of collision-proof
-checksums is recommended for environments where such attacks represent a
-significant threat. The use of the CRC-32 as the checksum for ticket or
-authenticator is no longer mandated as an interoperability requirement for
-Kerberos Version 5 Specification 1 (See section 9.1 for specific details).
-
-6.3.3. DES in CBC mode with an MD4 checksum (des-cbc-md4)
-
-The des-cbc-md4 encryption mode encrypts information under the Data
-Encryption Standard [DES77] using the cipher block chaining mode [DESM80].
-An MD4 checksum (described in [MD492]) is applied to the confounder and
-message sequence (msg-seq) and placed in the cksum field. DES blocks are 8
-bytes. As a result, the data to be encrypted (the concatenation of
-confounder, checksum, and message) must be padded to an 8 byte boundary
-before encryption. The details of the encryption of this data are identical
-to those for the des-cbc-md5 encryption mode.
-
-6.3.4. DES in CBC mode with an MD5 checksum (des-cbc-md5)
-
-The des-cbc-md5 encryption mode encrypts information under the Data
-Encryption Standard [DES77] using the cipher block chaining mode [DESM80].
-An MD5 checksum (described in [MD5-92].) is applied to the confounder and
-message sequence (msg-seq) and placed in the cksum field. DES blocks are 8
-bytes.
As a result, the data to be encrypted (the concatenation of
-confounder, checksum, and message) must be padded to an 8 byte boundary
-before encryption.
-
-Plaintext and DES ciphtertext are encoded as blocks of 8 octets which are
-concatenated to make the 64-bit inputs for the DES algorithms. The first
-octet supplies the 8 most significant bits (with the octet's MSbit used as
-the DES input block's MSbit, etc.), the second octet the next 8 bits, ...,
-and the eighth octet supplies the 8 least significant bits.
-
-Encryption under DES using cipher block chaining requires an additional
-input in the form of an initialization vector. Unless otherwise specified,
-zero should be used as the initialization vector. Kerberos' use of DES
-requires an 8 octet confounder.
-
-The DES specifications identify some 'weak' and 'semi-weak' keys; those keys
-shall not be used for encrypting messages for use in Kerberos. Additionally,
-because of the way that keys are derived for the encryption of checksums,
-keys shall not be used that yield 'weak' or 'semi-weak' keys when
-eXclusive-ORed with the hexadecimal constant F0F0F0F0F0F0F0F0.
-
-A DES key is 8 octets of data, with keytype one (1). This consists of 56
-bits of key, and 8 parity bits (one per octet). The key is encoded as a
-series of 8 octets written in MSB-first order. The bits within the key are
-also encoded in MSB order. For example, if the encryption key is
-(B1,B2,...,B7,P1,B8,...,B14,P2,B15,...,B49,P7,B50,...,B56,P8) where
-B1,B2,...,B56 are the key bits in MSB order, and P1,P2,...,P8 are the parity
-bits, the first octet of the key would be B1,B2,...,B7,P1 (with B1 as the
-MSbit). [See the FIPS 81 introduction for reference.]
- - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - -String to key transformation - -To generate a DES key from a text string (password), the text string -normally must have the realm and each component of the principal's name -appended[37], then padded with ASCII nulls to an 8 byte boundary. This -string is then fan-folded and eXclusive-ORed with itself to form an 8 byte -DES key. The parity is corrected on the key, and it is used to generate a -DES CBC checksum on the initial string (with the realm and name appended). -Next, parity is corrected on the CBC checksum. If the result matches a -'weak' or 'semi-weak' key as described in the DES specification, it is -eXclusive-ORed with the constant 00000000000000F0. Finally, the result is -returned as the key. Pseudocode follows: - - string_to_key(string,realm,name) { - odd = 1; - s = string + realm; - for(each component in name) { - s = s + component; - } - tempkey = NULL; - pad(s); /* with nulls to 8 byte boundary */ - for(8byteblock in s) { - if(odd == 0) { - odd = 1; - reverse(8byteblock) - } - else odd = 0; - tempkey = tempkey XOR 8byteblock; - } - fixparity(tempkey); - key = DES-CBC-check(s,tempkey); - fixparity(key); - if(is_weak_key_key(key)) - key = key XOR 0xF0; - return(key); - } - -6.3.5. Triple DES EDE in outer CBC mode with an SHA1 check-sum -(des3-cbc-sha1) - -The des3-cbc-sha1 encryption encodes information using three Data Encryption -Standard transformations with three DES keys. The first key is used to -perform a DES ECB encryption on an eight-octet data block using the first -DES key, followed by a DES ECB decryption of the result using the second DES -key, and a DES ECB encryption of the result using the third DES key. Because -DES blocks are 8 bytes, the data to be encrypted (the concatenation of -confounder, checksum, and message) must first be padded to an 8 byte -boundary before encryption. To support the outer CBC mode, the input is -padded to an eight-octet boundary. 
The first 8 octets of the data to be
-encrypted (the confounder) is exclusive-ored with an initialization vector
-of zero and then ECB encrypted using triple DES as described above.
-Subsequent blocks of 8 octets are exclusive-ored with the ciphertext
-produced by the encryption on the previous block before ECB encryption.
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-
-An HMAC-SHA1 checksum (described in [KBC96].) is applied to the confounder
-and message sequence (msg-seq) and placed in the cksum field.
-
-Plaintext are encoded as blocks of 8 octets which are concatenated to make
-the 64-bit inputs for the DES algorithms. The first octet supplies the 8
-most significant bits (with the octet's MSbit used as the DES input block's
-MSbit, etc.), the second octet the next 8 bits, ..., and the eighth octet
-supplies the 8 least significant bits.
-
-Encryption under Triple DES using cipher block chaining requires an
-additional input in the form of an initialization vector. Unless otherwise
-specified, zero should be used as the initialization vector. Kerberos' use
-of DES requires an 8 octet confounder.
-
-The DES specifications identify some 'weak' and 'semi-weak' keys; those keys
-shall not be used for encrypting messages for use in Kerberos. Additionally,
-because of the way that keys are derived for the encryption of checksums,
-keys shall not be used that yield 'weak' or 'semi-weak' keys when
-eXclusive-ORed with the hexadecimal constant F0F0F0F0F0F0F0F0.
-
-A Triple DES key is 24 octets of data, with keytype seven (7). This consists
-of 168 bits of key, and 24 parity bits (one per octet). The key is encoded
-as a series of 24 octets written in MSB-first order, with the first 8 octets
-treated as the first DES key, the second 8 octets as the second key, and the
-third 8 octets the third DES key. The bits within each key are also encoded
-in MSB order.
For example, if the encryption key is -(B1,B2,...,B7,P1,B8,...,B14,P2,B15,...,B49,P7,B50,...,B56,P8) where -B1,B2,...,B56 are the key bits in MSB order, and P1,P2,...,P8 are the parity -bits, the first octet of the key would be B1,B2,...,B7,P1 (with B1 as the -MSbit). [See the FIPS 81 introduction for reference.] - -Key derivation for specified operations (Horowitz) - -[Discussion is needed for this section, especially since it does not simply -derive key generation, but also specifies encryption using triple DES in a -manner that is different than the basic template that was specified for -single DES and similar systems] - -In the Kerberos protocol cryptographic keys are used in a number of places. -In order to minimize the effect of compromising a key, it is desirable to -use a different key in each of these places. Key derivation [Horowitz96] can -be used to construct different keys for each operation from the keys -transported on the network or derived from the password specified by the -user. - -For each place where a key is used in Kerberos, a ``key usage'' is specified -for that purpose. The key, key usage, and encryption/checksum type together -describe the transformation from plaintext to ciphertext. For backwards -compatibility, this key derivation is only specified here for encryption -methods based on triple DES. Encryption methods specified for use by -Kerberos in the future should specify the key derivation function to be -used. - - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -Kerberos requires that the ciphertext component of EncryptedData be -tamper-resistant as well as confidential. This implies encryption and -integrity functions, which must each use their own separate keys. 
So, for -each key usage, two keys must be generated, one for encryption (Ke), and one -for integrity (Ki): - - Ke = DK(protocol key, key usage | 0xAA) - Ki = DK(protocol key, key usage | 0x55) - -where the key usage is represented as a 32 bit integer in network byte -order. The ciphertest must be generated from the plaintext as follows: - - ciphertext = E(Ke, confounder | length | plaintext | padding) | - H(Ki, confounder | length | plaintext | padding) - -The confounder and padding are specific to the encryption algorithm E. - -When generating a checksum only, there is no need for a confounder or -padding. Again, a new key (Kc) must be used. Checksums must be generated -from the plaintext as follows: - - Kc = DK(protocol key, key usage | 0x99) - MAC = H(Kc, length | plaintext) - - -Note that each enctype is described by an encryption algorithm E and a keyed -hash algorithm H, and each checksum type is described by a keyed hash -algorithm H. HMAC, with an appropriate hash, is recommended for use as H. - -The key usage value will be taken from the following list of places where -keys are used in the Kerberos protocol, with key usage values and Kerberos -specification section numbers: - - 1. AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with the - client key (section 5.4.1) - 2. AS-REP Ticket and TGS-REP Ticket (includes tgs session key or - application session key), encrypted with the service key - (section 5.4.2) - 3. AS-REP encrypted part (includes tgs session key or application - session key), encrypted with the client key (section 5.4.2) - - 4. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs - session key (section 5.4.1) - 5. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs - authenticator subkey (section 5.4.1) - 6. TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator cksum, keyed - with the tgs session key (sections 5.3.2, 5.4.1) - 7. 
TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator (includes tgs - authenticator subkey), encrypted with the tgs session key - (section 5.3.2) - 8. TGS-REP encrypted part (includes application session key), - encrypted with the tgs session key (section 5.4.2) - 9. TGS-REP encrypted part (includes application session key), - encrypted with the tgs authenticator subkey (section 5.4.2) - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - - 10. AP-REQ Authenticator cksum, keyed with the application session - key (section 5.3.2) - 11. AP-REQ Authenticator (includes application authenticator - subkey), encrypted with the application session key (section - 5.3.2) - 12. AP-REP encrypted part (includes application session subkey), - encrypted with the application session key (section 5.5.2) - - 13. KRB-PRIV encrypted part, encrypted with a key chosen by the - application (section 5.7.1) - 14. KRB-CRED encrypted part, encrypted with a key chosen by the - application (section 5.6.1) - 15. KRB-SAFE cksum, keyed with a key chosen by the application - (section 5.8.1) - - 16. Data which is defined in some specification outside of - Kerberos to be encrypted using Kerberos encryption type. - 17. Data which is defined in some specification outside of - Kerberos to be checksummed using Kerberos checksum type. - - 18. KRB-ERROR checksum (e-cksum in section 5.9.1) - 19. AD-KDCIssued checksum (ad-checksum in appendix B.1) - 20. Checksum for Mandatory Ticket Extensions (appendix B.6) - 21. Checksum in Authorization Data in Ticket Extensions (appendix B.7) - -String to key transformation - -To generate a DES key from a text string (password), the text string -normally must have the realm and each component of the principal's name -appended[38]. - -The input string (with any salt data appended to it) is n-folded into a 24 -octet (192 bit) string. To n-fold a number X, replicate the input value to a -length that is the least common multiple of n and the length of X. 
Before -each repetition, the input X is rotated to the right by 13 bit positions. -The successive n-bit chunks are added together using 1's-complement addition -(addition with end-around carry) to yield a n-bit result. (This -transformation was proposed by Richard Basch) - -Each successive set of 8 octets is taken as a DES key, and its parity is -adjusted in the same manner as previously described. If any of the three -sets of 8 octets match a 'weak' or 'semi-weak key as described in the DES -specification, that chunk is eXclusive-ORed with the hexadecimal constant -00000000000000F0. The resulting DES keys are then used in sequence to -perform a Triple-DES CBC encryption of the n-folded input string (appended -with any salt data), using a zero initial vector. Parity, weak, and -semi-weak keys are once again corrected and the result is returned as the 24 -octet key. - -Pseudocode follows: - - string_to_key(string,realm,name) { - s = string + realm; - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - for(each component in name) { - s = s + component; - } - tkey[24] = fold(s); - fixparity(tkey); - if(isweak(tkey[0-7])) tkey[0-7] = tkey[0-7] XOR 0xF0; - if(isweak(tkey[8-15])) tkey[8-15] = tkey[8-15] XOR 0xF0; - if(is_weak(tkey[16-23])) tkey[16-23] = tkey[16-23] XOR 0xF0; - key[24] = 3DES-CBC(data=fold(s),key=tkey,iv=0); - fixparity(key); - if(is_weak(key[0-7])) key[0-7] = key[0-7] XOR 0xF0; - if(is_weak(key[8-15])) key[8-15] = key[8-15] XOR 0xF0; - if(is_weak(key[16-23])) key[16-23] = key[16-23] XOR 0xF0; - return(key); - } - -6.4. Checksums - -The following is the ASN.1 definition used for a checksum: - - Checksum ::= SEQUENCE { - cksumtype[0] INTEGER, - checksum[1] OCTET STRING - } - -cksumtype - This field indicates the algorithm used to generate the accompanying - checksum. -checksum - This field contains the checksum itself, encoded as an octet string. - -Detailed specification of selected checksum types appear later in this -section. 
Negative values for the checksum type are reserved for local use. -All non-negative values are reserved for officially assigned type fields and -interpretations. - -Checksums used by Kerberos can be classified by two properties: whether they -are collision-proof, and whether they are keyed. It is infeasible to find -two plaintexts which generate the same checksum value for a collision-proof -checksum. A key is required to perturb or initialize the algorithm in a -keyed checksum. To prevent message-stream modification by an active -attacker, unkeyed checksums should only be used when the checksum and -message will be subsequently encrypted (e.g. the checksums defined as part -of the encryption algorithms covered earlier in this section). - -Collision-proof checksums can be made tamper-proof if the checksum value is -encrypted before inclusion in a message. In such cases, the composition of -the checksum and the encryption algorithm must be considered a separate -checksum algorithm (e.g. RSA-MD5 encrypted using DES is a new checksum -algorithm of type RSA-MD5-DES). For most keyed checksums, as well as for the -encrypted forms of unkeyed collision-proof checksums, Kerberos prepends a -confounder before the checksum is calculated. - -6.4.1. The CRC-32 Checksum (crc32) - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - -The CRC-32 checksum calculates a checksum based on a cyclic redundancy check -as described in ISO 3309 [ISO3309]. The resulting checksum is four (4) -octets in length. The CRC-32 is neither keyed nor collision-proof. The use -of this checksum is not recommended. An attacker using a probabilistic -chosen-plaintext attack as described in [SG92] might be able to generate an -alternative message that satisfies the checksum. The use of collision-proof -checksums is recommended for environments where such attacks represent a -significant threat. - -6.4.2. 
The RSA MD4 Checksum (rsa-md4) - -The RSA-MD4 checksum calculates a checksum using the RSA MD4 algorithm -[MD4-92]. The algorithm takes as input an input message of arbitrary length -and produces as output a 128-bit (16 octet) checksum. RSA-MD4 is believed to -be collision-proof. - -6.4.3. RSA MD4 Cryptographic Checksum Using DES (rsa-md4-des) - -The RSA-MD4-DES checksum calculates a keyed collision-proof checksum by -prepending an 8 octet confounder before the text, applying the RSA MD4 -checksum algorithm, and encrypting the confounder and the checksum using DES -in cipher-block-chaining (CBC) mode using a variant of the key, where the -variant is computed by eXclusive-ORing the key with the constant -F0F0F0F0F0F0F0F0[39]. The initialization vector should be zero. The -resulting checksum is 24 octets long (8 octets of which are redundant). This -checksum is tamper-proof and believed to be collision-proof. - -The DES specifications identify some weak keys' and 'semi-weak keys'; those -keys shall not be used for generating RSA-MD4 checksums for use in Kerberos. - -The format for the checksum is described in the follow- ing diagram: - -+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -| des-cbc(confounder + rsa-md4(confounder+msg),key=var(key),iv=0) | -+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ - -The format cannot be described in ASN.1, but for those who prefer an -ASN.1-like notation: - -rsa-md4-des-checksum ::= ENCRYPTED UNTAGGED SEQUENCE { - confounder[0] UNTAGGED OCTET STRING(8), - check[1] UNTAGGED OCTET STRING(16) -} - -6.4.4. The RSA MD5 Checksum (rsa-md5) - -The RSA-MD5 checksum calculates a checksum using the RSA MD5 algorithm. -[MD5-92]. The algorithm takes as input an input message of arbitrary length -and produces as output a 128-bit (16 octet) checksum. RSA-MD5 is believed to -be collision-proof. - -6.4.5. 
RSA MD5 Cryptographic Checksum Using DES (rsa-md5-des) - - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -The RSA-MD5-DES checksum calculates a keyed collision-proof checksum by -prepending an 8 octet confounder before the text, applying the RSA MD5 -checksum algorithm, and encrypting the confounder and the checksum using DES -in cipher-block-chaining (CBC) mode using a variant of the key, where the -variant is computed by eXclusive-ORing the key with the hexadecimal constant -F0F0F0F0F0F0F0F0. The initialization vector should be zero. The resulting -checksum is 24 octets long (8 octets of which are redundant). This checksum -is tamper-proof and believed to be collision-proof. - -The DES specifications identify some 'weak keys' and 'semi-weak keys'; those -keys shall not be used for encrypting RSA-MD5 checksums for use in Kerberos. - -The format for the checksum is described in the following diagram: - -+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -| des-cbc(confounder + rsa-md5(confounder+msg),key=var(key),iv=0) | -+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ - -The format cannot be described in ASN.1, but for those who prefer an -ASN.1-like notation: - -rsa-md5-des-checksum ::= ENCRYPTED UNTAGGED SEQUENCE { - confounder[0] UNTAGGED OCTET STRING(8), - check[1] UNTAGGED OCTET STRING(16) -} - -6.4.6. DES cipher-block chained checksum (des-mac) - -The DES-MAC checksum is computed by prepending an 8 octet confounder to the -plaintext, performing a DES CBC-mode encryption on the result using the key -and an initialization vector of zero, taking the last block of the -ciphertext, prepending the same confounder and encrypting the pair using DES -in cipher-block-chaining (CBC) mode using a a variant of the key, where the -variant is computed by eXclusive-ORing the key with the hexadecimal constant -F0F0F0F0F0F0F0F0. The initialization vector should be zero. 
The resulting -checksum is 128 bits (16 octets) long, 64 bits of which are redundant. This -checksum is tamper-proof and collision-proof. - -The format for the checksum is described in the following diagram: - -+--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+ -| des-cbc(confounder + des-mac(conf+msg,iv=0,key),key=var(key),iv=0) | -+--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+ - -The format cannot be described in ASN.1, but for those who prefer an -ASN.1-like notation: - -des-mac-checksum ::= ENCRYPTED UNTAGGED SEQUENCE { - confounder[0] UNTAGGED OCTET STRING(8), - check[1] UNTAGGED OCTET STRING(8) -} - -The DES specifications identify some 'weak' and 'semi-weak' keys; those keys -shall not be used for generating DES-MAC checksums for use in Kerberos, nor - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -shall a key be used whose variant is 'weak' or 'semi-weak'. - -6.4.7. RSA MD4 Cryptographic Checksum Using DES alternative (rsa-md4-des-k) - -The RSA-MD4-DES-K checksum calculates a keyed collision-proof checksum by -applying the RSA MD4 checksum algorithm and encrypting the results using DES -in cipher-block-chaining (CBC) mode using a DES key as both key and -initialization vector. The resulting checksum is 16 octets long. This -checksum is tamper-proof and believed to be collision-proof. Note that this -checksum type is the old method for encoding the RSA-MD4-DES checksum and it -is no longer recommended. - -6.4.8. DES cipher-block chained checksum alternative (des-mac-k) - -The DES-MAC-K checksum is computed by performing a DES CBC-mode encryption -of the plaintext, and using the last block of the ciphertext as the checksum -value. It is keyed with an encryption key and an initialization vector; any -uses which do not specify an additional initialization vector will use the -key as both key and initialization vector. The resulting checksum is 64 bits -(8 octets) long. 
This checksum is tamper-proof and collision-proof. Note -that this checksum type is the old method for encoding the DES-MAC checksum -and it is no longer recommended. The DES specifications identify some 'weak -keys' and 'semi-weak keys'; those keys shall not be used for generating -DES-MAC checksums for use in Kerberos. - -7. Naming Constraints - -7.1. Realm Names - -Although realm names are encoded as GeneralStrings and although a realm can -technically select any name it chooses, interoperability across realm -boundaries requires agreement on how realm names are to be assigned, and -what information they imply. - -To enforce these conventions, each realm must conform to the conventions -itself, and it must require that any realms with which inter-realm keys are -shared also conform to the conventions and require the same from its -neighbors. - -Kerberos realm names are case sensitive. Realm names that differ only in the -case of the characters are not equivalent. There are presently four styles -of realm names: domain, X500, other, and reserved. Examples of each style -follow: - - domain: ATHENA.MIT.EDU (example) - X500: C=US/O=OSF (example) - other: NAMETYPE:rest/of.name=without-restrictions (example) - reserved: reserved, but will not conflict with above - -Domain names must look like domain names: they consist of components -separated by periods (.) and they contain neither colons (:) nor slashes -(/). Domain names must be converted to upper case when used as realm names. - -X.500 names contain an equal (=) and cannot contain a colon (:) before the - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -equal. The realm names for X.500 names will be string representations of the -names with components separated by slashes. Leading and trailing slashes -will not be included. - -Names that fall into the other category must begin with a prefix that -contains no equal (=) or period (.) and the prefix must be followed by a -colon (:) and the rest of the name. 
All prefixes must be assigned before -they may be used. Presently none are assigned. - -The reserved category includes strings which do not fall into the first -three categories. All names in this category are reserved. It is unlikely -that names will be assigned to this category unless there is a very strong -argument for not using the 'other' category. - -These rules guarantee that there will be no conflicts between the various -name styles. The following additional constraints apply to the assignment of -realm names in the domain and X.500 categories: the name of a realm for the -domain or X.500 formats must either be used by the organization owning (to -whom it was assigned) an Internet domain name or X.500 name, or in the case -that no such names are registered, authority to use a realm name may be -derived from the authority of the parent realm. For example, if there is no -domain name for E40.MIT.EDU, then the administrator of the MIT.EDU realm can -authorize the creation of a realm with that name. - -This is acceptable because the organization to which the parent is assigned -is presumably the organization authorized to assign names to its children in -the X.500 and domain name systems as well. If the parent assigns a realm -name without also registering it in the domain name or X.500 hierarchy, it -is the parent's responsibility to make sure that there will not in the -future exists a name identical to the realm name of the child unless it is -assigned to the same entity as the realm name. - -7.2. Principal Names - -As was the case for realm names, conventions are needed to ensure that all -agree on what information is implied by a principal name. The name-type -field that is part of the principal name indicates the kind of information -implied by the name. The name-type should be treated as a hint. Ignoring the -name type, no two names can be the same (i.e. at least one of the -components, or the realm, must be different). 
The following name types are -defined: - - name-type value meaning - - NT-UNKNOWN 0 Name type not known - NT-PRINCIPAL 1 General principal name (e.g. username, or DCE principal) - NT-SRV-INST 2 Service and other unique instance (krbtgt) - NT-SRV-HST 3 Service with host name as instance (telnet, rcommands) - NT-SRV-XHST 4 Service with slash-separated host name components - NT-UID 5 Unique ID - NT-X500-PRINCIPAL 6 Encoded X.509 Distingished name [RFC 1779] - -When a name implies no information other than its uniqueness at a particular -time the name type PRINCIPAL should be used. The principal name type should - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -be used for users, and it might also be used for a unique server. If the -name is a unique machine generated ID that is guaranteed never to be -reassigned then the name type of UID should be used (note that it is -generally a bad idea to reassign names of any type since stale entries might -remain in access control lists). - -If the first component of a name identifies a service and the remaining -components identify an instance of the service in a server specified manner, -then the name type of SRV-INST should be used. An example of this name type -is the Kerberos ticket-granting service whose name has a first component of -krbtgt and a second component identifying the realm for which the ticket is -valid. - -If instance is a single component following the service name and the -instance identifies the host on which the server is running, then the name -type SRV-HST should be used. This type is typically used for Internet -services such as telnet and the Berkeley R commands. If the separate -components of the host name appear as successive components following the -name of the service, then the name type SRV-XHST should be used. This type -might be used to identify servers on hosts with X.500 names where the slash -(/) might otherwise be ambiguous. 
-
-A name type of NT-X500-PRINCIPAL should be used when a name from an X.509
-certificiate is translated into a Kerberos name. The encoding of the X.509
-name as a Kerberos principal shall conform to the encoding rules specified
-in RFC 1779.
-
-A name type of UNKNOWN should be used when the form of the name is not
-known. When comparing names, a name of type UNKNOWN will match principals
-authenticated with names of any type. A principal authenticated with a name
-of type UNKNOWN, however, will only match other names of type UNKNOWN.
-
-Names of any type with an initial component of 'krbtgt' are reserved for the
-Kerberos ticket granting service. See section 8.2.3 for the form of such
-names.
-
-7.2.1. Name of server principals
-
-The principal identifier for a server on a host will generally be composed
-of two parts: (1) the realm of the KDC with which the server is registered,
-and (2) a two-component name of type NT-SRV-HST if the host name is an
-Internet domain name or a multi-component name of type NT-SRV-XHST if the
-name of the host is of a form such as X.500 that allows slash (/)
-separators. The first component of the two- or multi-component name will
-identify the service and the latter components will identify the host. Where
-the name of the host is not case sensitive (for example, with Internet
-domain names) the name of the host must be lower case. If specified by the
-application protocol for services such as telnet and the Berkeley R commands
-which run with system privileges, the first component may be the string
-'host' instead of a service specific identifier. When a host has an official
-name and one or more aliases, the official name of the host must be used
-when constructing the name of the server principal.
-
-8. Constants and other defined values
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-
-8.1. Host address types
-
-All negative values for the host address type are reserved for local use.
-All non-negative values are reserved for officially assigned type fields and
-interpretations.
-
-The values of the types for the following addresses are chosen to match the
-defined address family constants in the Berkeley Standard Distributions of
-Unix. They can be found in with symbolic names AF_xxx (where xxx is an
-abbreviation of the address family name).
-
-Internet (IPv4) Addresses
-
-Internet (IPv4) addresses are 32-bit (4-octet) quantities, encoded in MSB
-order. The type of IPv4 addresses is two (2).
-
-Internet (IPv6) Addresses
-
-IPv6 addresses are 128-bit (16-octet) quantities, encoded in MSB order. The
-type of IPv6 addresses is twenty-four (24). [RFC1883] [RFC1884]. The
-following addresses (see [RFC1884]) MUST not appear in any Kerberos packet:
-
- * the Unspecified Address
- * the Loopback Address
- * Link-Local addresses
-
-IPv4-mapped IPv6 addresses MUST be represented as addresses of type 2.
-
-CHAOSnet addresses
-
-CHAOSnet addresses are 16-bit (2-octet) quantities, encoded in MSB order.
-The type of CHAOSnet addresses is five (5).
-
-ISO addresses
-
-ISO addresses are variable-length. The type of ISO addresses is seven (7).
-
-Xerox Network Services (XNS) addresses
-
-XNS addresses are 48-bit (6-octet) quantities, encoded in MSB order. The
-type of XNS addresses is six (6).
-
-AppleTalk Datagram Delivery Protocol (DDP) addresses
-
-AppleTalk DDP addresses consist of an 8-bit node number and a 16-bit network
-number. The first octet of the address is the node number; the remaining two
-octets encode the network number in MSB order. The type of AppleTalk DDP
-addresses is sixteen (16).
-
-DECnet Phase IV addresses
-
-DECnet Phase IV addresses are 16-bit addresses, encoded in LSB order. The
-type of DECnet Phase IV addresses is twelve (12).
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-
-8.2. KDC messages
-
-8.2.1. UDP/IP transport
-
-When contacting a Kerberos server (KDC) for a KRB_KDC_REQ request using UDP
-IP transport, the client shall send a UDP datagram containing only an
-encoding of the request to port 88 (decimal) at the KDC's IP address; the
-KDC will respond with a reply datagram containing only an encoding of the
-reply message (either a KRB_ERROR or a KRB_KDC_REP) to the sending port at
-the sender's IP address. Kerberos servers supporting IP transport must
-accept UDP requests on port 88 (decimal). The response to a request made
-through UDP/IP transport must also use UDP/IP transport.
-
-8.2.2. TCP/IP transport
-
-Kerberos servers (KDC's) must accept TCP requests on port 88 (decimal). When
-the KRB_KDC_REQ message is sent to the KDC over a TCP stream, a new
-connection will be established for each authentication exchange (request and
-response). The KRB_KDC_REP or KRB_ERROR message will be returned to the
-client on the same TCP stream that was established for the request. The
-connection will be broken after the reply has been received (or upon
-time-out). Care must be taken in managing TCP/IP connections with the KDC to
-prevent denial of service attacks based on the number of TCP/IP connections
-with the KDC that remain open. If multiple exchanges with the KDC are needed
-for certain forms of preauthentication, multiple TCP connections will be
-required. The response to a request made through TCP/IP transport must also
-use TCP/IP transport.
-
-The first four octets of the TCP stream used to transmit the request request
-will encode in network byte order the length of the request (KRB_KDC_REQ),
-and the length will be followed by the request itself. The response will
-similarly be preceeded by a 4 octet encoding in network byte order of the
-length of the KRB_KDC_REP or the KRB_ERROR message and will be followed by
-the KRB_KDC_REP or the KRB_ERROR response.
-
-8.2.3. OSI transport
-
-During authentication of an OSI client to an OSI server, the mutual
-authentication of an OSI server to an OSI client, the transfer of
-credentials from an OSI client to an OSI server, or during exchange of
-private or integrity checked messages, Kerberos protocol messages may be
-treated as opaque objects and the type of the authentication mechanism will
-be:
-
-OBJECT IDENTIFIER ::= {iso (1), org(3), dod(6),internet(1), security(5),kerberosv5(2)}
-
-Depending on the situation, the opaque object will be an authentication
-header (KRB_AP_REQ), an authentication reply (KRB_AP_REP), a safe message
-(KRB_SAFE), a private message (KRB_PRIV), or a credentials message
-(KRB_CRED). The opaque data contains an application code as specified in the
-ASN.1 description for each message. The application code may be used by
-Kerberos to determine the message type.
-
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-8.2.3. Name of the TGS
-
-The principal identifier of the ticket-granting service shall be composed of
-three parts: (1) the realm of the KDC issuing the TGS ticket (2) a two-part
-name of type NT-SRV-INST, with the first part "krbtgt" and the second part
-the name of the realm which will accept the ticket-granting ticket. For
-example, a ticket-granting ticket issued by the ATHENA.MIT.EDU realm to be
-used to get tickets from the ATHENA.MIT.EDU KDC has a principal identifier
-of "ATHENA.MIT.EDU" (realm), ("krbtgt", "ATHENA.MIT.EDU") (name). A
-ticket-granting ticket issued by the ATHENA.MIT.EDU realm to be used to get
-tickets from the MIT.EDU realm has a principal identifier of
-"ATHENA.MIT.EDU" (realm), ("krbtgt", "MIT.EDU") (name).
-
-8.3. Protocol constants and associated values
-
-The following tables list constants used in the protocol and defines their
-meanings.
- -Encryption type etype value block size minimum pad size confounder size -NULL 0 1 0 0 -des-cbc-crc 1 8 4 8 -des-cbc-md4 2 8 0 8 -des-cbc-md5 3 8 0 8 - 4 -des3-cbc-md5 5 8 0 8 - 6 -des3-cbc-sha1 7 8 0 8 -sign-dsa-generate 8 (pkinit) -encrypt-rsa-priv 9 (pkinit) -encrypt-rsa-pub 10 (pkinit) -rsa-pub-md5 11 (pkinit) -rsa-pub-sha1 12 (pkinit) -ENCTYPE_PK_CROSS 48 (reserved for pkcross) - 0x8003 - -Checksum type sumtype value checksum size -CRC32 1 4 -rsa-md4 2 16 -rsa-md4-des 3 24 -des-mac 4 16 -des-mac-k 5 8 -rsa-md4-des-k 6 16 -rsa-md5 7 16 -rsa-md5-des 8 24 -rsa-md5-des3 9 24 -hmac-sha1-des3 10 20 (I had this as 10, is it 12) - -padata type padata-type value - -PA-TGS-REQ 1 -PA-ENC-TIMESTAMP 2 -PA-PW-SALT 3 - 4 -PA-ENC-UNIX-TIME 5 - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -PA-SANDIA-SECUREID 6 -PA-SESAME 7 -PA-OSF-DCE 8 -PA-CYBERSAFE-SECUREID 9 -PA-AFS3-SALT 10 -PA-ETYPE-INFO 11 -SAM-CHALLENGE 12 (sam/otp) -SAM-RESPONSE 13 (sam/otp) -PA-PK-AS-REQ 14 (pkinit) -PA-PK-AS-REP 15 (pkinit) -PA-PK-AS-SIGN 16 (pkinit) -PA-PK-KEY-REQ 17 (pkinit) -PA-PK-KEY-REP 18 (pkinit) -PA-USE-SPECIFIED-KVNO 20 - -authorization data type ad-type value -AD-KDC-ISSUED 1 -AD-INTENDED-FOR-SERVER 2 -AD-INTENDED-FOR-APPLICATION-CLASS 3 -AD-IF-RELEVANT 4 -AD-OR 5 -AD-MANDATORY-TICKET-EXTENSIONS 6 -AD-IN-TICKET-EXTENSIONS 7 -reserved values 8-63 -OSF-DCE 64 -SESAME 65 - -Ticket Extension Types - -TE-TYPE-NULL 0 Null ticket extension -TE-TYPE-EXTERNAL-ADATA 1 Integrity protected authorization data - 2 TE-TYPE-PKCROSS-KDC (I have reservations) -TE-TYPE-PKCROSS-CLIENT 3 PKCROSS cross realm key ticket -TE-TYPE-CYBERSAFE-EXT 4 Assigned to CyberSafe Corp - 5 TE-TYPE-DEST-HOST (I have reservations) - -alternate authentication type method-type value -reserved values 0-63 -ATT-CHALLENGE-RESPONSE 64 - -transited encoding type tr-type value -DOMAIN-X500-COMPRESS 1 -reserved values all others - -Label Value Meaning or MIT code - -pvno 5 current Kerberos protocol version number - -message 
types - -KRB_AS_REQ 10 Request for initial authentication -KRB_AS_REP 11 Response to KRB_AS_REQ request -KRB_TGS_REQ 12 Request for authentication based on TGT -KRB_TGS_REP 13 Response to KRB_TGS_REQ request - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -KRB_AP_REQ 14 application request to server -KRB_AP_REP 15 Response to KRB_AP_REQ_MUTUAL -KRB_SAFE 20 Safe (checksummed) application message -KRB_PRIV 21 Private (encrypted) application message -KRB_CRED 22 Private (encrypted) message to forward credentials -KRB_ERROR 30 Error response - -name types - -KRB_NT_UNKNOWN 0 Name type not known -KRB_NT_PRINCIPAL 1 Just the name of the principal as in DCE, or for users -KRB_NT_SRV_INST 2 Service and other unique instance (krbtgt) -KRB_NT_SRV_HST 3 Service with host name as instance (telnet, rcommands) -KRB_NT_SRV_XHST 4 Service with host as remaining components -KRB_NT_UID 5 Unique ID -KRB_NT_X500_PRINCIPAL 6 Encoded X.509 Distingished name [RFC 1779] - -error codes - -KDC_ERR_NONE 0 No error -KDC_ERR_NAME_EXP 1 Client's entry in database has expired -KDC_ERR_SERVICE_EXP 2 Server's entry in database has expired -KDC_ERR_BAD_PVNO 3 Requested protocol version number not - supported -KDC_ERR_C_OLD_MAST_KVNO 4 Client's key encrypted in old master key -KDC_ERR_S_OLD_MAST_KVNO 5 Server's key encrypted in old master key -KDC_ERR_C_PRINCIPAL_UNKNOWN 6 Client not found in Kerberos database -KDC_ERR_S_PRINCIPAL_UNKNOWN 7 Server not found in Kerberos database -KDC_ERR_PRINCIPAL_NOT_UNIQUE 8 Multiple principal entries in database -KDC_ERR_NULL_KEY 9 The client or server has a null key -KDC_ERR_CANNOT_POSTDATE 10 Ticket not eligible for postdating -KDC_ERR_NEVER_VALID 11 Requested start time is later than end time -KDC_ERR_POLICY 12 KDC policy rejects request -KDC_ERR_BADOPTION 13 KDC cannot accommodate requested option -KDC_ERR_ETYPE_NOSUPP 14 KDC has no support for encryption type -KDC_ERR_SUMTYPE_NOSUPP 15 KDC has no support for checksum type -KDC_ERR_PADATA_TYPE_NOSUPP 
16 KDC has no support for padata type -KDC_ERR_TRTYPE_NOSUPP 17 KDC has no support for transited type -KDC_ERR_CLIENT_REVOKED 18 Clients credentials have been revoked -KDC_ERR_SERVICE_REVOKED 19 Credentials for server have been revoked -KDC_ERR_TGT_REVOKED 20 TGT has been revoked -KDC_ERR_CLIENT_NOTYET 21 Client not yet valid - try again later -KDC_ERR_SERVICE_NOTYET 22 Server not yet valid - try again later -KDC_ERR_KEY_EXPIRED 23 Password has expired - change password - to reset -KDC_ERR_PREAUTH_FAILED 24 Pre-authentication information was invalid -KDC_ERR_PREAUTH_REQUIRED 25 Additional pre-authenticationrequired [40] -KDC_ERR_SERVER_NOMATCH 26 Requested server and ticket don't match -KDC_ERR_MUST_USE_USER2USER 27 Server principal valid for user2user only -KDC_ERR_PATH_NOT_ACCPETED 28 KDC Policy rejects transited path -KRB_AP_ERR_BAD_INTEGRITY 31 Integrity check on decrypted field failed -KRB_AP_ERR_TKT_EXPIRED 32 Ticket expired -KRB_AP_ERR_TKT_NYV 33 Ticket not yet valid -KRB_AP_ERR_REPEAT 34 Request is a replay -KRB_AP_ERR_NOT_US 35 The ticket isn't for us -KRB_AP_ERR_BADMATCH 36 Ticket and authenticator don't match - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -KRB_AP_ERR_SKEW 37 Clock skew too great -KRB_AP_ERR_BADADDR 38 Incorrect net address -KRB_AP_ERR_BADVERSION 39 Protocol version mismatch -KRB_AP_ERR_MSG_TYPE 40 Invalid msg type -KRB_AP_ERR_MODIFIED 41 Message stream modified -KRB_AP_ERR_BADORDER 42 Message out of order -KRB_AP_ERR_BADKEYVER 44 Specified version of key is not available -KRB_AP_ERR_NOKEY 45 Service key not available -KRB_AP_ERR_MUT_FAIL 46 Mutual authentication failed -KRB_AP_ERR_BADDIRECTION 47 Incorrect message direction -KRB_AP_ERR_METHOD 48 Alternative authentication method required -KRB_AP_ERR_BADSEQ 49 Incorrect sequence number in message -KRB_AP_ERR_INAPP_CKSUM 50 Inappropriate type of checksum in message -KRB_AP_PATH_NOT_ACCEPTED 51 Policy rejects transited path -KRB_ERR_GENERIC 60 Generic error (description in e-text) 
-KRB_ERR_FIELD_TOOLONG 61 Field is too long for this implementation
-KDC_ERROR_CLIENT_NOT_TRUSTED 62 (pkinit)
-KDC_ERROR_KDC_NOT_TRUSTED 63 (pkinit)
-KDC_ERROR_INVALID_SIG 64 (pkinit)
-KDC_ERR_KEY_TOO_WEAK 65 (pkinit)
-KDC_ERR_CERTIFICATE_MISMATCH 66 (pkinit)
-
-9. Interoperability requirements
-
-Version 5 of the Kerberos protocol supports a myriad of options. Among these
-are multiple encryption and checksum types, alternative encoding schemes for
-the transited field, optional mechanisms for pre-authentication, the
-handling of tickets with no addresses, options for mutual authentication,
-user to user authentication, support for proxies, forwarding, postdating,
-and renewing tickets, the format of realm names, and the handling of
-authorization data.
-
-In order to ensure the interoperability of realms, it is necessary to define
-a minimal configuration which must be supported by all implementations. This
-minimal configuration is subject to change as technology does. For example,
-if at some later date it is discovered that one of the required encryption
-or checksum algorithms is not secure, it will be replaced.
-
-9.1. Specification 2
-
-This section defines the second specification of these options.
-Implementations which are configured in this way can be said to support
-Kerberos Version 5 Specification 2 (5.1). Specification 1 (depricated) may
-be found in RFC1510.
-
-Transport
-
-TCP/IP and UDP/IP transport must be supported by KDCs claiming conformance
-to specification 2. Kerberos clients claiming conformance to specification 2
-must support UDP/IP transport for messages with the KDC and may support
-TCP/IP transport.
-
-Encryption and checksum methods
-
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-The following encryption and checksum mechanisms must be supported.
-Implementations may support other mechanisms as well, but the additional
-mechanisms may only be used when communicating with principals known to also
-support them: This list is to be determined.
-
-Encryption: DES-CBC-MD5
-Checksums: CRC-32, DES-MAC, DES-MAC-K, and DES-MD5
-
-Realm Names
-
-All implementations must understand hierarchical realms in both the Internet
-Domain and the X.500 style. When a ticket granting ticket for an unknown
-realm is requested, the KDC must be able to determine the names of the
-intermediate realms between the KDCs realm and the requested realm.
-
-Transited field encoding
-
-DOMAIN-X500-COMPRESS (described in section 3.3.3.2) must be supported.
-Alternative encodings may be supported, but they may be used only when that
-encoding is supported by ALL intermediate realms.
-
-Pre-authentication methods
-
-The TGS-REQ method must be supported. The TGS-REQ method is not used on the
-initial request. The PA-ENC-TIMESTAMP method must be supported by clients
-but whether it is enabled by default may be determined on a realm by realm
-basis. If not used in the initial request and the error
-KDC_ERR_PREAUTH_REQUIRED is returned specifying PA-ENC-TIMESTAMP as an
-acceptable method, the client should retry the initial request using the
-PA-ENC-TIMESTAMP preauthentication method. Servers need not support the
-PA-ENC-TIMESTAMP method, but if not supported the server should ignore the
-presence of PA-ENC-TIMESTAMP pre-authentication in a request.
-
-Mutual authentication
-
-Mutual authentication (via the KRB_AP_REP message) must be supported.
-
-Ticket addresses and flags
-
-All KDC's must pass on tickets that carry no addresses (i.e. if a TGT
-contains no addresses, the KDC will return derivative tickets), but each
-realm may set its own policy for issuing such tickets, and each application
-server will set its own policy with respect to accepting them.
-
-Proxies and forwarded tickets must be supported. Individual realms and
-application servers can set their own policy on when such tickets will be
-accepted.
-
-All implementations must recognize renewable and postdated tickets, but need
-not actually implement them. If these options are not supported, the
-starttime and endtime in the ticket shall specify a ticket's entire useful
-life. When a postdated ticket is decoded by a server, all implementations
-shall make the presence of the postdated flag visible to the calling server.
-
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-User-to-user authentication
-
-Support for user to user authentication (via the ENC-TKT-IN-SKEY KDC option)
-must be provided by implementations, but individual realms may decide as a
-matter of policy to reject such requests on a per-principal or realm-wide
-basis.
-
-Authorization data
-
-Implementations must pass all authorization data subfields from
-ticket-granting tickets to any derivative tickets unless directed to
-suppress a subfield as part of the definition of that registered subfield
-type (it is never incorrect to pass on a subfield, and no registered
-subfield types presently specify suppression at the KDC).
-
-Implementations must make the contents of any authorization data subfields
-available to the server when a ticket is used. Implementations are not
-required to allow clients to specify the contents of the authorization data
-fields.
-
-9.2. Recommended KDC values
-
-Following is a list of recommended values for a KDC implementation, based on
-the list of suggested configuration constants (see section 4.4).
-
-minimum lifetime 5 minutes
-maximum renewable lifetime 1 week
-maximum ticket lifetime 1 day
-empty addresses only when suitable restrictions appear
- in authorization data
-proxiable, etc. Allowed.
-
-10. REFERENCES
-
-[NT94] B. Clifford Neuman and Theodore Y. Ts'o, "An Authenti-
- cation Service for Computer Networks," IEEE Communica-
- tions Magazine, Vol. 32(9), pp. 33-38 (September 1994).
-
-[MNSS87] S. P. Miller, B. C. Neuman, J. I. Schiller, and J. H.
- Saltzer, Section E.2.1: Kerberos Authentication and
- Authorization System, M.I.T. Project Athena, Cambridge,
- Massachusetts (December 21, 1987).
-
-[SNS88] J. G. Steiner, B. C. Neuman, and J. I. Schiller, "Ker-
- beros: An Authentication Service for Open Network Sys-
- tems," pp. 191-202 in Usenix Conference Proceedings,
- Dallas, Texas (February, 1988).
-
-[NS78] Roger M. Needham and Michael D. Schroeder, "Using
- Encryption for Authentication in Large Networks of Com-
- puters," Communications of the ACM, Vol. 21(12),
- pp. 993-999 (December, 1978).
-
-[DS81] Dorothy E. Denning and Giovanni Maria Sacco, "Time-
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
- stamps in Key Distribution Protocols," Communications
- of the ACM, Vol. 24(8), pp. 533-536 (August 1981).
-
-[KNT92] John T. Kohl, B. Clifford Neuman, and Theodore Y. Ts'o,
- "The Evolution of the Kerberos Authentication Service,"
- in an IEEE Computer Society Text soon to be published
- (June 1992).
-
-[Neu93] B. Clifford Neuman, "Proxy-Based Authorization and
- Accounting for Distributed Systems," in Proceedings of
- the 13th International Conference on Distributed Com-
- puting Systems, Pittsburgh, PA (May, 1993).
-
-[DS90] Don Davis and Ralph Swick, "Workstation Services and
- Kerberos Authentication at Project Athena," Technical
- Memorandum TM-424, MIT Laboratory for Computer Science
- (February 1990).
-
-[LGDSR87] P. J. Levine, M. R. Gretzinger, J. M. Diaz, W. E. Som-
- merfeld, and K. Raeburn, Section E.1: Service Manage-
- ment System, M.I.T. Project Athena, Cambridge, Mas-
- sachusetts (1987).
-
-[X509-88] CCITT, Recommendation X.509: The Directory Authentica-
- tion Framework, December 1988.
-
-[Pat92]. J. Pato, Using Pre-Authentication to Avoid Password
- Guessing Attacks, Open Software Foundation DCE Request
- for Comments 26 (December 1992).
-
-[DES77] National Bureau of Standards, U.S.
Department of Com- - merce, "Data Encryption Standard," Federal Information - Processing Standards Publication 46, Washington, DC - (1977). - -[DESM80] National Bureau of Standards, U.S. Department of Com- - merce, "DES Modes of Operation," Federal Information - Processing Standards Publication 81, Springfield, VA - (December 1980). - -[SG92] Stuart G. Stubblebine and Virgil D. Gligor, "On Message - Integrity in Cryptographic Protocols," in Proceedings - of the IEEE Symposium on Research in Security and - Privacy, Oakland, California (May 1992). - -[IS3309] International Organization for Standardization, "ISO - Information Processing Systems - Data Communication - - High-Level Data Link Control Procedure - Frame Struc- - ture," IS 3309 (October 1984). 3rd Edition. - -[MD4-92] R. Rivest, "The MD4 Message Digest Algorithm," RFC - 1320, MIT Laboratory for Computer Science (April - 1992). - - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -[MD5-92] R. Rivest, "The MD5 Message Digest Algorithm," RFC - 1321, MIT Laboratory for Computer Science (April - 1992). - -[KBC96] H. Krawczyk, M. Bellare, and R. Canetti, "HMAC: Keyed- - Hashing for Message Authentication," Working Draft - draft-ietf-ipsec-hmac-md5-01.txt, (August 1996). - -A. Pseudo-code for protocol processing - -This appendix provides pseudo-code describing how the messages are to be -constructed and interpreted by clients and servers. - -A.1. 
KRB_AS_REQ generation
-
- request.pvno := protocol version; /* pvno = 5 */
- request.msg-type := message type; /* type = KRB_AS_REQ */
-
- if(pa_enc_timestamp_required) then
- request.padata.padata-type = PA-ENC-TIMESTAMP;
- get system_time;
- padata-body.patimestamp,pausec = system_time;
- encrypt padata-body into request.padata.padata-value
- using client.key; /* derived from password */
- endif
-
- body.kdc-options := users's preferences;
- body.cname := user's name;
- body.realm := user's realm;
- body.sname := service's name; /* usually "krbtgt", "localrealm" */
- if (body.kdc-options.POSTDATED is set) then
- body.from := requested starting time;
- else
- omit body.from;
- endif
- body.till := requested end time;
- if (body.kdc-options.RENEWABLE is set) then
- body.rtime := requested final renewal time;
- endif
- body.nonce := random_nonce();
- body.etype := requested etypes;
- if (user supplied addresses) then
- body.addresses := user's addresses;
- else
- omit body.addresses;
- endif
- omit body.enc-authorization-data;
- request.req-body := body;
-
- kerberos := lookup(name of local kerberos server (or servers));
- send(packet,kerberos);
-
- wait(for response);
- if (timed_out) then
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
- retry or use alternate server;
- endif
-
-A.2.
KRB_AS_REQ verification and KRB_AS_REP generation - - decode message into req; - - client := lookup(req.cname,req.realm); - server := lookup(req.sname,req.realm); - - get system_time; - kdc_time := system_time.seconds; - - if (!client) then - /* no client in Database */ - error_out(KDC_ERR_C_PRINCIPAL_UNKNOWN); - endif - if (!server) then - /* no server in Database */ - error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN); - endif - - if(client.pa_enc_timestamp_required and - pa_enc_timestamp not present) then - error_out(KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP)); - endif - - if(pa_enc_timestamp present) then - decrypt req.padata-value into decrypted_enc_timestamp - using client.key; - using auth_hdr.authenticator.subkey; - if (decrypt_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - if(decrypted_enc_timestamp is not within allowable skew) then - error_out(KDC_ERR_PREAUTH_FAILED); - endif - if(decrypted_enc_timestamp and usec is replay) - error_out(KDC_ERR_PREAUTH_FAILED); - endif - add decrypted_enc_timestamp and usec to replay cache; - endif - - use_etype := first supported etype in req.etypes; - - if (no support for req.etypes) then - error_out(KDC_ERR_ETYPE_NOSUPP); - endif - - new_tkt.vno := ticket version; /* = 5 */ - new_tkt.sname := req.sname; - new_tkt.srealm := req.srealm; - reset all flags in new_tkt.flags; - - /* It should be noted that local policy may affect the */ - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - /* processing of any of these flags. 
For example, some */ - /* realms may refuse to issue renewable tickets */ - - if (req.kdc-options.FORWARDABLE is set) then - set new_tkt.flags.FORWARDABLE; - endif - if (req.kdc-options.PROXIABLE is set) then - set new_tkt.flags.PROXIABLE; - endif - - if (req.kdc-options.ALLOW-POSTDATE is set) then - set new_tkt.flags.MAY-POSTDATE; - endif - if ((req.kdc-options.RENEW is set) or - (req.kdc-options.VALIDATE is set) or - (req.kdc-options.PROXY is set) or - (req.kdc-options.FORWARDED is set) or - (req.kdc-options.ENC-TKT-IN-SKEY is set)) then - error_out(KDC_ERR_BADOPTION); - endif - - new_tkt.session := random_session_key(); - new_tkt.cname := req.cname; - new_tkt.crealm := req.crealm; - new_tkt.transited := empty_transited_field(); - - new_tkt.authtime := kdc_time; - - if (req.kdc-options.POSTDATED is set) then - if (against_postdate_policy(req.from)) then - error_out(KDC_ERR_POLICY); - endif - set new_tkt.flags.POSTDATED; - set new_tkt.flags.INVALID; - new_tkt.starttime := req.from; - else - omit new_tkt.starttime; /* treated as authtime when omitted */ - endif - if (req.till = 0) then - till := infinity; - else - till := req.till; - endif - - new_tkt.endtime := min(till, - new_tkt.starttime+client.max_life, - new_tkt.starttime+server.max_life, - new_tkt.starttime+max_life_for_realm); - - if ((req.kdc-options.RENEWABLE-OK is set) and - (new_tkt.endtime < req.till)) then - /* we set the RENEWABLE option for later processing */ - set req.kdc-options.RENEWABLE; - req.rtime := req.till; - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - endif - - if (req.rtime = 0) then - rtime := infinity; - else - rtime := req.rtime; - endif - - if (req.kdc-options.RENEWABLE is set) then - set new_tkt.flags.RENEWABLE; - new_tkt.renew-till := min(rtime, - new_tkt.starttime+client.max_rlife, - new_tkt.starttime+server.max_rlife, - new_tkt.starttime+max_rlife_for_realm); - else - omit new_tkt.renew-till; /* only present if RENEWABLE */ - endif - - if (req.addresses) then - 
new_tkt.caddr := req.addresses; - else - omit new_tkt.caddr; - endif - - new_tkt.authorization_data := empty_authorization_data(); - - encode to-be-encrypted part of ticket into OCTET STRING; - new_tkt.enc-part := encrypt OCTET STRING - using etype_for_key(server.key), server.key, server.p_kvno; - - /* Start processing the response */ - - resp.pvno := 5; - resp.msg-type := KRB_AS_REP; - resp.cname := req.cname; - resp.crealm := req.realm; - resp.ticket := new_tkt; - - resp.key := new_tkt.session; - resp.last-req := fetch_last_request_info(client); - resp.nonce := req.nonce; - resp.key-expiration := client.expiration; - resp.flags := new_tkt.flags; - - resp.authtime := new_tkt.authtime; - resp.starttime := new_tkt.starttime; - resp.endtime := new_tkt.endtime; - - if (new_tkt.flags.RENEWABLE) then - resp.renew-till := new_tkt.renew-till; - endif - - resp.realm := new_tkt.realm; - resp.sname := new_tkt.sname; - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - - resp.caddr := new_tkt.caddr; - - encode body of reply into OCTET STRING; - - resp.enc-part := encrypt OCTET STRING - using use_etype, client.key, client.p_kvno; - send(resp); - -A.3. KRB_AS_REP verification - - decode response into resp; - - if (resp.msg-type = KRB_ERROR) then - if(error = KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP)) then - set pa_enc_timestamp_required; - goto KRB_AS_REQ; - endif - process_error(resp); - return; - endif - - /* On error, discard the response, and zero the session key */ - /* from the response immediately */ - - key = get_decryption_key(resp.enc-part.kvno, resp.enc-part.etype, - resp.padata); - unencrypted part of resp := decode of decrypt of resp.enc-part - using resp.enc-part.etype and key; - zero(key); - - if (common_as_rep_tgs_rep_checks fail) then - destroy resp.key; - return error; - endif - - if near(resp.princ_exp) then - print(warning message); - endif - save_for_later(ticket,session,client,server,times,flags); - -A.4. 
KRB_AS_REP and KRB_TGS_REP common checks - - if (decryption_error() or - (req.cname != resp.cname) or - (req.realm != resp.crealm) or - (req.sname != resp.sname) or - (req.realm != resp.realm) or - (req.nonce != resp.nonce) or - (req.addresses != resp.caddr)) then - destroy resp.key; - return KRB_AP_ERR_MODIFIED; - endif - - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - /* make sure no flags are set that shouldn't be, and that all that */ - /* should be are set */ - if (!check_flags_for_compatability(req.kdc-options,resp.flags)) then - destroy resp.key; - return KRB_AP_ERR_MODIFIED; - endif - - if ((req.from = 0) and - (resp.starttime is not within allowable skew)) then - destroy resp.key; - return KRB_AP_ERR_SKEW; - endif - if ((req.from != 0) and (req.from != resp.starttime)) then - destroy resp.key; - return KRB_AP_ERR_MODIFIED; - endif - if ((req.till != 0) and (resp.endtime > req.till)) then - destroy resp.key; - return KRB_AP_ERR_MODIFIED; - endif - - if ((req.kdc-options.RENEWABLE is set) and - (req.rtime != 0) and (resp.renew-till > req.rtime)) then - destroy resp.key; - return KRB_AP_ERR_MODIFIED; - endif - if ((req.kdc-options.RENEWABLE-OK is set) and - (resp.flags.RENEWABLE) and - (req.till != 0) and - (resp.renew-till > req.till)) then - destroy resp.key; - return KRB_AP_ERR_MODIFIED; - endif - -A.5. 
KRB_TGS_REQ generation - - /* Note that make_application_request might have to recursivly */ - /* call this routine to get the appropriate ticket-granting ticket */ - - request.pvno := protocol version; /* pvno = 5 */ - request.msg-type := message type; /* type = KRB_TGS_REQ */ - - body.kdc-options := users's preferences; - /* If the TGT is not for the realm of the end-server */ - /* then the sname will be for a TGT for the end-realm */ - /* and the realm of the requested ticket (body.realm) */ - /* will be that of the TGS to which the TGT we are */ - /* sending applies */ - body.sname := service's name; - body.realm := service's realm; - - if (body.kdc-options.POSTDATED is set) then - body.from := requested starting time; - else - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - omit body.from; - endif - body.till := requested end time; - if (body.kdc-options.RENEWABLE is set) then - body.rtime := requested final renewal time; - endif - body.nonce := random_nonce(); - body.etype := requested etypes; - if (user supplied addresses) then - body.addresses := user's addresses; - else - omit body.addresses; - endif - - body.enc-authorization-data := user-supplied data; - if (body.kdc-options.ENC-TKT-IN-SKEY) then - body.additional-tickets_ticket := second TGT; - endif - - request.req-body := body; - check := generate_checksum (req.body,checksumtype); - - request.padata[0].padata-type := PA-TGS-REQ; - request.padata[0].padata-value := create a KRB_AP_REQ using - the TGT and checksum - - /* add in any other padata as required/supplied */ - - kerberos := lookup(name of local kerberose server (or servers)); - send(packet,kerberos); - - wait(for response); - if (timed_out) then - retry or use alternate server; - endif - -A.6. KRB_TGS_REQ verification and KRB_TGS_REP generation - - /* note that reading the application request requires first - determining the server for which a ticket was issued, and choosing the - correct key for decryption. 
The name of the server appears in the - plaintext part of the ticket. */ - - if (no KRB_AP_REQ in req.padata) then - error_out(KDC_ERR_PADATA_TYPE_NOSUPP); - endif - verify KRB_AP_REQ in req.padata; - - /* Note that the realm in which the Kerberos server is operating is - determined by the instance from the ticket-granting ticket. The realm - in the ticket-granting ticket is the realm under which the ticket - granting ticket was issued. It is possible for a single Kerberos - server to support more than one realm. */ - - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - auth_hdr := KRB_AP_REQ; - tgt := auth_hdr.ticket; - - if (tgt.sname is not a TGT for local realm and is not req.sname) then - error_out(KRB_AP_ERR_NOT_US); - - realm := realm_tgt_is_for(tgt); - - decode remainder of request; - - if (auth_hdr.authenticator.cksum is missing) then - error_out(KRB_AP_ERR_INAPP_CKSUM); - endif - - if (auth_hdr.authenticator.cksum type is not supported) then - error_out(KDC_ERR_SUMTYPE_NOSUPP); - endif - if (auth_hdr.authenticator.cksum is not both collision-proof and keyed) then - error_out(KRB_AP_ERR_INAPP_CKSUM); - endif - - set computed_checksum := checksum(req); - if (computed_checksum != auth_hdr.authenticatory.cksum) then - error_out(KRB_AP_ERR_MODIFIED); - endif - - server := lookup(req.sname,realm); - - if (!server) then - if (is_foreign_tgt_name(req.sname)) then - server := best_intermediate_tgs(req.sname); - else - /* no server in Database */ - error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN); - endif - endif - - session := generate_random_session_key(); - - use_etype := first supported etype in req.etypes; - - if (no support for req.etypes) then - error_out(KDC_ERR_ETYPE_NOSUPP); - endif - - new_tkt.vno := ticket version; /* = 5 */ - new_tkt.sname := req.sname; - new_tkt.srealm := realm; - reset all flags in new_tkt.flags; - - /* It should be noted that local policy may affect the */ - /* processing of any of these flags. 
For example, some */ - /* realms may refuse to issue renewable tickets */ - - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - new_tkt.caddr := tgt.caddr; - resp.caddr := NULL; /* We only include this if they change */ - if (req.kdc-options.FORWARDABLE is set) then - if (tgt.flags.FORWARDABLE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.FORWARDABLE; - endif - if (req.kdc-options.FORWARDED is set) then - if (tgt.flags.FORWARDABLE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.FORWARDED; - new_tkt.caddr := req.addresses; - resp.caddr := req.addresses; - endif - if (tgt.flags.FORWARDED is set) then - set new_tkt.flags.FORWARDED; - endif - - if (req.kdc-options.PROXIABLE is set) then - if (tgt.flags.PROXIABLE is reset) - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.PROXIABLE; - endif - if (req.kdc-options.PROXY is set) then - if (tgt.flags.PROXIABLE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.PROXY; - new_tkt.caddr := req.addresses; - resp.caddr := req.addresses; - endif - - if (req.kdc-options.ALLOW-POSTDATE is set) then - if (tgt.flags.MAY-POSTDATE is reset) - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.MAY-POSTDATE; - endif - if (req.kdc-options.POSTDATED is set) then - if (tgt.flags.MAY-POSTDATE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.POSTDATED; - set new_tkt.flags.INVALID; - if (against_postdate_policy(req.from)) then - error_out(KDC_ERR_POLICY); - endif - new_tkt.starttime := req.from; - endif - - if (req.kdc-options.VALIDATE is set) then - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - if (tgt.flags.INVALID is reset) then - error_out(KDC_ERR_POLICY); - endif - if (tgt.starttime > kdc_time) then - error_out(KRB_AP_ERR_NYV); - endif - if (check_hot_list(tgt)) then - error_out(KRB_AP_ERR_REPEAT); - endif - tkt := tgt; - reset new_tkt.flags.INVALID; - endif - - if (req.kdc-options.(any flag except 
ENC-TKT-IN-SKEY, RENEW, - and those already processed) is set) then - error_out(KDC_ERR_BADOPTION); - endif - - new_tkt.authtime := tgt.authtime; - - if (req.kdc-options.RENEW is set) then - /* Note that if the endtime has already passed, the ticket would */ - /* have been rejected in the initial authentication stage, so */ - /* there is no need to check again here */ - if (tgt.flags.RENEWABLE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - if (tgt.renew-till < kdc_time) then - error_out(KRB_AP_ERR_TKT_EXPIRED); - endif - tkt := tgt; - new_tkt.starttime := kdc_time; - old_life := tgt.endttime - tgt.starttime; - new_tkt.endtime := min(tgt.renew-till, - new_tkt.starttime + old_life); - else - new_tkt.starttime := kdc_time; - if (req.till = 0) then - till := infinity; - else - till := req.till; - endif - new_tkt.endtime := min(till, - new_tkt.starttime+client.max_life, - new_tkt.starttime+server.max_life, - new_tkt.starttime+max_life_for_realm, - tgt.endtime); - - if ((req.kdc-options.RENEWABLE-OK is set) and - (new_tkt.endtime < req.till) and - (tgt.flags.RENEWABLE is set) then - /* we set the RENEWABLE option for later processing */ - set req.kdc-options.RENEWABLE; - req.rtime := min(req.till, tgt.renew-till); - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - endif - endif - - if (req.rtime = 0) then - rtime := infinity; - else - rtime := req.rtime; - endif - - if ((req.kdc-options.RENEWABLE is set) and - (tgt.flags.RENEWABLE is set)) then - set new_tkt.flags.RENEWABLE; - new_tkt.renew-till := min(rtime, - new_tkt.starttime+client.max_rlife, - new_tkt.starttime+server.max_rlife, - new_tkt.starttime+max_rlife_for_realm, - tgt.renew-till); - else - new_tkt.renew-till := OMIT; /* leave the renew-till field out */ - endif - if (req.enc-authorization-data is present) then - decrypt req.enc-authorization-data into decrypted_authorization_data - using auth_hdr.authenticator.subkey; - if (decrypt_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif 
- endif - new_tkt.authorization_data := req.auth_hdr.ticket.authorization_data + - decrypted_authorization_data; - - new_tkt.key := session; - new_tkt.crealm := tgt.crealm; - new_tkt.cname := req.auth_hdr.ticket.cname; - - if (realm_tgt_is_for(tgt) := tgt.realm) then - /* tgt issued by local realm */ - new_tkt.transited := tgt.transited; - else - /* was issued for this realm by some other realm */ - if (tgt.transited.tr-type not supported) then - error_out(KDC_ERR_TRTYPE_NOSUPP); - endif - new_tkt.transited := compress_transited(tgt.transited + tgt.realm) - /* Don't check tranited field if TGT for foreign realm, - * or requested not to check */ - if (is_not_foreign_tgt_name(new_tkt.server) - && req.kdc-options.DISABLE-TRANSITED-CHECK not set) then - /* Check it, so end-server does not have to - * but don't fail, end-server may still accept it */ - if (check_transited_field(new_tkt.transited) == OK) - set new_tkt.flags.TRANSITED-POLICY-CHECKED; - endif - endif - endif - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - - encode encrypted part of new_tkt into OCTET STRING; - if (req.kdc-options.ENC-TKT-IN-SKEY is set) then - if (server not specified) then - server = req.second_ticket.client; - endif - if ((req.second_ticket is not a TGT) or - (req.second_ticket.client != server)) then - error_out(KDC_ERR_POLICY); - endif - - new_tkt.enc-part := encrypt OCTET STRING using - using etype_for_key(second-ticket.key), second-ticket.key; - else - new_tkt.enc-part := encrypt OCTET STRING - using etype_for_key(server.key), server.key, server.p_kvno; - endif - - resp.pvno := 5; - resp.msg-type := KRB_TGS_REP; - resp.crealm := tgt.crealm; - resp.cname := tgt.cname; - resp.ticket := new_tkt; - - resp.key := session; - resp.nonce := req.nonce; - resp.last-req := fetch_last_request_info(client); - resp.flags := new_tkt.flags; - - resp.authtime := new_tkt.authtime; - resp.starttime := new_tkt.starttime; - resp.endtime := new_tkt.endtime; - - omit resp.key-expiration; - - 
resp.sname := new_tkt.sname; - resp.realm := new_tkt.realm; - - if (new_tkt.flags.RENEWABLE) then - resp.renew-till := new_tkt.renew-till; - endif - - encode body of reply into OCTET STRING; - - if (req.padata.authenticator.subkey) - resp.enc-part := encrypt OCTET STRING using use_etype, - req.padata.authenticator.subkey; - else resp.enc-part := encrypt OCTET STRING using use_etype, tgt.key; - - send(resp); - -A.7. KRB_TGS_REP verification - - decode response into resp; - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - - if (resp.msg-type = KRB_ERROR) then - process_error(resp); - return; - endif - - /* On error, discard the response, and zero the session key from - the response immediately */ - - if (req.padata.authenticator.subkey) - unencrypted part of resp := decode of decrypt of resp.enc-part - using resp.enc-part.etype and subkey; - else unencrypted part of resp := decode of decrypt of resp.enc-part - using resp.enc-part.etype and tgt's session key; - if (common_as_rep_tgs_rep_checks fail) then - destroy resp.key; - return error; - endif - - check authorization_data as necessary; - save_for_later(ticket,session,client,server,times,flags); - -A.8. Authenticator generation - - body.authenticator-vno := authenticator vno; /* = 5 */ - body.cname, body.crealm := client name; - if (supplying checksum) then - body.cksum := checksum; - endif - get system_time; - body.ctime, body.cusec := system_time; - if (selecting sub-session key) then - select sub-session key; - body.subkey := sub-session key; - endif - if (using sequence numbers) then - select initial sequence number; - body.seq-number := initial sequence; - endif - -A.9. 
KRB_AP_REQ generation - - obtain ticket and session_key from cache; - - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_AP_REQ */ - - if (desired(MUTUAL_AUTHENTICATION)) then - set packet.ap-options.MUTUAL-REQUIRED; - else - reset packet.ap-options.MUTUAL-REQUIRED; - endif - if (using session key for ticket) then - set packet.ap-options.USE-SESSION-KEY; - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - else - reset packet.ap-options.USE-SESSION-KEY; - endif - packet.ticket := ticket; /* ticket */ - generate authenticator; - encode authenticator into OCTET STRING; - encrypt OCTET STRING into packet.authenticator using session_key; - -A.10. KRB_AP_REQ verification - - receive packet; - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_AP_REQ) then - error_out(KRB_AP_ERR_MSG_TYPE); - endif - if (packet.ticket.tkt_vno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.ap_options.USE-SESSION-KEY is set) then - retrieve session key from ticket-granting ticket for - packet.ticket.{sname,srealm,enc-part.etype}; - else - retrieve service key for - packet.ticket.{sname,srealm,enc-part.etype,enc-part.skvno}; - endif - if (no_key_available) then - if (cannot_find_specified_skvno) then - error_out(KRB_AP_ERR_BADKEYVER); - else - error_out(KRB_AP_ERR_NOKEY); - endif - endif - decrypt packet.ticket.enc-part into decr_ticket using retrieved key; - if (decryption_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - decrypt packet.authenticator into decr_authenticator - using decr_ticket.key; - if (decryption_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - if (decr_authenticator.{cname,crealm} != - decr_ticket.{cname,crealm}) then - error_out(KRB_AP_ERR_BADMATCH); - endif - if (decr_ticket.caddr is present) then - if (sender_address(packet) is not in 
decr_ticket.caddr) then - error_out(KRB_AP_ERR_BADADDR); - endif - elseif (application requires addresses) then - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - error_out(KRB_AP_ERR_BADADDR); - endif - if (not in_clock_skew(decr_authenticator.ctime, - decr_authenticator.cusec)) then - error_out(KRB_AP_ERR_SKEW); - endif - if (repeated(decr_authenticator.{ctime,cusec,cname,crealm})) then - error_out(KRB_AP_ERR_REPEAT); - endif - save_identifier(decr_authenticator.{ctime,cusec,cname,crealm}); - get system_time; - if ((decr_ticket.starttime-system_time > CLOCK_SKEW) or - (decr_ticket.flags.INVALID is set)) then - /* it hasn't yet become valid */ - error_out(KRB_AP_ERR_TKT_NYV); - endif - if (system_time-decr_ticket.endtime > CLOCK_SKEW) then - error_out(KRB_AP_ERR_TKT_EXPIRED); - endif - if (decr_ticket.transited) then - /* caller may ignore the TRANSITED-POLICY-CHECKED and do - * check anyway */ - if (decr_ticket.flags.TRANSITED-POLICY-CHECKED not set) then - if (check_transited_field(decr_ticket.transited) then - error_out(KDC_AP_PATH_NOT_ACCPETED); - endif - endif - endif - /* caller must check decr_ticket.flags for any pertinent details */ - return(OK, decr_ticket, packet.ap_options.MUTUAL-REQUIRED); - -A.11. KRB_AP_REP generation - - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_AP_REP */ - - body.ctime := packet.ctime; - body.cusec := packet.cusec; - if (selecting sub-session key) then - select sub-session key; - body.subkey := sub-session key; - endif - if (using sequence numbers) then - select initial sequence number; - body.seq-number := initial sequence; - endif - - encode body into OCTET STRING; - - select encryption type; - encrypt OCTET STRING into packet.enc-part; - -A.12. 
KRB_AP_REP verification - - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - receive packet; - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_AP_REP) then - error_out(KRB_AP_ERR_MSG_TYPE); - endif - cleartext := decrypt(packet.enc-part) using ticket's session key; - if (decryption_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - if (cleartext.ctime != authenticator.ctime) then - error_out(KRB_AP_ERR_MUT_FAIL); - endif - if (cleartext.cusec != authenticator.cusec) then - error_out(KRB_AP_ERR_MUT_FAIL); - endif - if (cleartext.subkey is present) then - save cleartext.subkey for future use; - endif - if (cleartext.seq-number is present) then - save cleartext.seq-number for future verifications; - endif - return(AUTHENTICATION_SUCCEEDED); - -A.13. KRB_SAFE generation - - collect user data in buffer; - - /* assemble packet: */ - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_SAFE */ - - body.user-data := buffer; /* DATA */ - if (using timestamp) then - get system_time; - body.timestamp, body.usec := system_time; - endif - if (using sequence numbers) then - body.seq-number := sequence number; - endif - body.s-address := sender host addresses; - if (only one recipient) then - body.r-address := recipient host address; - endif - checksum.cksumtype := checksum type; - compute checksum over body; - checksum.checksum := checksum value; /* checksum.checksum */ - packet.cksum := checksum; - packet.safe-body := body; - -A.14. 
KRB_SAFE verification - - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - receive packet; - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_SAFE) then - error_out(KRB_AP_ERR_MSG_TYPE); - endif - if (packet.checksum.cksumtype is not both collision-proof and keyed) then - error_out(KRB_AP_ERR_INAPP_CKSUM); - endif - if (safe_priv_common_checks_ok(packet)) then - set computed_checksum := checksum(packet.body); - if (computed_checksum != packet.checksum) then - error_out(KRB_AP_ERR_MODIFIED); - endif - return (packet, PACKET_IS_GENUINE); - else - return common_checks_error; - endif - -A.15. KRB_SAFE and KRB_PRIV common checks - - if (packet.s-address != O/S_sender(packet)) then - /* O/S report of sender not who claims to have sent it */ - error_out(KRB_AP_ERR_BADADDR); - endif - if ((packet.r-address is present) and - (packet.r-address != local_host_address)) then - /* was not sent to proper place */ - error_out(KRB_AP_ERR_BADADDR); - endif - if (((packet.timestamp is present) and - (not in_clock_skew(packet.timestamp,packet.usec))) or - (packet.timestamp is not present and timestamp expected)) then - error_out(KRB_AP_ERR_SKEW); - endif - if (repeated(packet.timestamp,packet.usec,packet.s-address)) then - error_out(KRB_AP_ERR_REPEAT); - endif - - if (((packet.seq-number is present) and - ((not in_sequence(packet.seq-number)))) or - (packet.seq-number is not present and sequence expected)) then - error_out(KRB_AP_ERR_BADORDER); - endif - if (packet.timestamp not present and packet.seq-number not present) - then - error_out(KRB_AP_ERR_MODIFIED); - endif - - save_identifier(packet.{timestamp,usec,s-address}, - sender_principal(packet)); - - return PACKET_IS_OK; - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - -A.16. 
KRB_PRIV generation - - collect user data in buffer; - - /* assemble packet: */ - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_PRIV */ - - packet.enc-part.etype := encryption type; - - body.user-data := buffer; - if (using timestamp) then - get system_time; - body.timestamp, body.usec := system_time; - endif - if (using sequence numbers) then - body.seq-number := sequence number; - endif - body.s-address := sender host addresses; - if (only one recipient) then - body.r-address := recipient host address; - endif - - encode body into OCTET STRING; - - select encryption type; - encrypt OCTET STRING into packet.enc-part.cipher; - -A.17. KRB_PRIV verification - - receive packet; - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_PRIV) then - error_out(KRB_AP_ERR_MSG_TYPE); - endif - - cleartext := decrypt(packet.enc-part) using negotiated key; - if (decryption_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - - if (safe_priv_common_checks_ok(cleartext)) then - return(cleartext.DATA, PACKET_IS_GENUINE_AND_UNMODIFIED); - else - return common_checks_error; - endif - -A.18. 
KRB_CRED generation - - invoke KRB_TGS; /* obtain tickets to be provided to peer */ - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - - /* assemble packet: */ - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_CRED */ - - for (tickets[n] in tickets to be forwarded) do - packet.tickets[n] = tickets[n].ticket; - done - - packet.enc-part.etype := encryption type; - - for (ticket[n] in tickets to be forwarded) do - body.ticket-info[n].key = tickets[n].session; - body.ticket-info[n].prealm = tickets[n].crealm; - body.ticket-info[n].pname = tickets[n].cname; - body.ticket-info[n].flags = tickets[n].flags; - body.ticket-info[n].authtime = tickets[n].authtime; - body.ticket-info[n].starttime = tickets[n].starttime; - body.ticket-info[n].endtime = tickets[n].endtime; - body.ticket-info[n].renew-till = tickets[n].renew-till; - body.ticket-info[n].srealm = tickets[n].srealm; - body.ticket-info[n].sname = tickets[n].sname; - body.ticket-info[n].caddr = tickets[n].caddr; - done - - get system_time; - body.timestamp, body.usec := system_time; - - if (using nonce) then - body.nonce := nonce; - endif - - if (using s-address) then - body.s-address := sender host addresses; - endif - if (limited recipients) then - body.r-address := recipient host address; - endif - - encode body into OCTET STRING; - - select encryption type; - encrypt OCTET STRING into packet.enc-part.cipher - using negotiated encryption key; - -A.19. 
KRB_CRED verification - - receive packet; - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_CRED) then - error_out(KRB_AP_ERR_MSG_TYPE); - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - endif - - cleartext := decrypt(packet.enc-part) using negotiated key; - if (decryption_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - if ((packet.r-address is present or required) and - (packet.s-address != O/S_sender(packet)) then - /* O/S report of sender not who claims to have sent it */ - error_out(KRB_AP_ERR_BADADDR); - endif - if ((packet.r-address is present) and - (packet.r-address != local_host_address)) then - /* was not sent to proper place */ - error_out(KRB_AP_ERR_BADADDR); - endif - if (not in_clock_skew(packet.timestamp,packet.usec)) then - error_out(KRB_AP_ERR_SKEW); - endif - if (repeated(packet.timestamp,packet.usec,packet.s-address)) then - error_out(KRB_AP_ERR_REPEAT); - endif - if (packet.nonce is required or present) and - (packet.nonce != expected-nonce) then - error_out(KRB_AP_ERR_MODIFIED); - endif - - for (ticket[n] in tickets that were forwarded) do - save_for_later(ticket[n],key[n],principal[n], - server[n],times[n],flags[n]); - return - -A.20. KRB_ERROR generation - - /* assemble packet: */ - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_ERROR */ - - get system_time; - packet.stime, packet.susec := system_time; - packet.realm, packet.sname := server name; - - if (client time available) then - packet.ctime, packet.cusec := client_time; - endif - packet.error-code := error code; - if (client name available) then - packet.cname, packet.crealm := client name; - endif - if (error text available) then - packet.e-text := error text; - endif - if (error data available) then - packet.e-data := error data; - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - endif - -B. 
Definition of common authorization data elements - -This appendix contains the definitions of common authorization data -elements. These common authorization data elements are recursivly defined, -meaning the ad-data for these types will itself contain a sequence of -authorization data whose interpretation is affected by the encapsulating -element. Depending on the meaning of the encapsulating element, the -encapsulated elements may be ignored, might be interpreted as issued -directly by the KDC, or they might be stored in a separate plaintext part of -the ticket. The types of the encapsulating elements are specified as part of -the Kerberos specification ebcause the behavior based on these values should -be understood across implementations whereas other elements need only be -understood by the applications which they affect. - -In the definitions that follow, the value of the ad-type for the element -will be specified in the subsection number, and the value of the ad-data -will be as shown in the ASN.1 structure that follows the subsection heading. - -B.1. KDC Issued - -AD-KDCIssued SEQUENCE { - ad-checksum[0] Checksum, - i-realm[1] Realm OPTIONAL, - i-sname[2] PrincipalName OPTIONAL, - elements[3] AuthorizationData. -} - -ad-checksum - A checksum over the elements field using a cryptographic checksum - method that is identical to the checksum used to protect the ticket - itself (i.e. using the same hash function and the same encryption - algorithm used to encrypt the ticket) and using a key derived from the - same key used to protect the ticket. -i-realm, i-sname - The name of the issuing principal if different from the KDC itself. - This field would be used when the KDC can verify the authenticity of - elements signed by the issuing principal and it allows this KDC to - notify the application server of the validity of those elements. -elements - A sequence of authorization data elements issued by the KDC. 
- -The KDC-issued ad-data field is intended to provide a means for Kerberos -principal credentials to embed within themselves privilege attributes and -other mechanisms for positive authorization, amplifying the priveleges of -the principal beyond what can be done using a credentials without such an -a-data element. - -This can not be provided without this element because the definition of the -authorization-data field allows elements to be added at will by the bearer -of a TGT at the time that they request service tickets and elements may also -be added to a delegated ticket by inclusion in the authenticator. - - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -For KDC-issued elements this is prevented because the elements are signed by -the KDC by including a checksum encrypted using the server's key (the same -key used to encrypt the ticket - or a key derived from that key). Elements -encapsulated with in the KDC-issued element will be ignored by the -application server if this "signature" is not present. Further, elements -encapsulated within this element from a ticket granting ticket may be -interpreted by the KDC, and used as a basis according to policy for -including new signed elements within derivative tickets, but they will not -be copied to a derivative ticket directly. If they are copied directly to a -derivative ticket by a KDC that is not aware of this element, the signature -will not be correct for the application ticket elements, and the field will -be ignored by the application server. - -This element and the elements it encapulates may be safely ignored by -applications, application servers, and KDCs that do not implement this -element. - -B.2. 
Intended for server - -AD-INTENDED-FOR-SERVER SEQUENCE { - intended-server[0] SEQUENCE OF PrincipalName - elements[1] AuthorizationData -} - -AD elements encapsulated within the intended-for-server element may be -ignored if the application server is not in the list of principal names of -intended servers. Further, a KDC issuing a ticket for an application server -can remove this element if the application server is not in the list of -intended servers. - -Application servers should check for their principal name in the -intended-server field of this element. If their principal name is not found, -this element should be ignored. If found, then the encapsulated elements -should be evaluated in the same manner as if they were present in the top -level authorization data field. Applications and application servers that do -not implement this element should reject tickets that contain authorization -data elements of this type. - -B.3. Intended for application class - -AD-INTENDED-FOR-APPLICATION-CLASS SEQUENCE { intended-application-class[0] -SEQUENCE OF GeneralString elements[1] AuthorizationData } AD elements -encapsulated within the intended-for-application-class element may be -ignored if the application server is not in one of the named classes of -application servers. Examples of application server classes include -"FILESYSTEM", and other kinds of servers. - -This element and the elements it encapulates may be safely ignored by -applications, application servers, and KDCs that do not implement this -element. - -B.4. If relevant - -AD-IF-RELEVANT AuthorizationData - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - -AD elements encapsulated within the if-relevant element are intended for -interpretation only by application servers that understand the particular -ad-type of the embedded element. Application servers that do not understand -the type of an element embedded within the if-relevant element may ignore -the uninterpretable element. 
This element promotes interoperability across -implementations which may have local extensions for authorization. - -B.5. And-Or - -AD-AND-OR SEQUENCE { - condition-count[0] INTEGER, - elements[1] AuthorizationData -} - -When restrictive AD elements encapsulated within the and-or element are -encountered, only the number specified in condition-count of the -encapsulated conditions must be met in order to satisfy this element. This -element may be used to implement an "or" operation by setting the -condition-count field to 1, and it may specify an "and" operation by setting -the condition count to the number of embedded elements. Application servers -that do not implement this element must reject tickets that contain -authorization data elements of this type. - -B.6. Mandatory ticket extensions - -AD-Mandatory-Ticket-Extensions Checksum - -An authorization data element of type mandatory-ticket-extensions specifies -a collision-proof checksum using the same has angorithm used to protect the -integrity of the ticket itself. This checksum will be calculated over the -entire extensions field. If there are more than one extension, all will be -covered by the checksum. This restriction indicates that the ticket should -not be accepted if the checksum does not match that calculated over the -ticket extensions. Application servers that do not implement this element -must reject tickets that contain authorization data elements of this type. - -B.7. Authorization Data in ticket extensions - -AD-IN-Ticket-Extensions Checksum - -An authorization data element of type in-ticket-extensions specifies a -collision-proof checksum using the same has angorithm used to protect the -integrity of the ticket itself. This checksum is calculated over a separate -external AuthorizationData field carried in the ticket extensions. -Application servers that do not implement this element must reject tickets -that contain authorization data elements of this type. 
Application servers -that do implement this element will search the ticket extensions for -authorization data fields, calculate the specified checksum over each -authorization data field and look for one matching the checksum in this -in-ticket-extensions element. If not found, then the ticket must be -rejected. If found, the corresponding authorization data elements will be -interpreted in the same manner as if they were contained in the top level -authorization data field. - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - -Note that if multiple external authorization data fields are present in a -ticket, each will have a corresponding element of type in-ticket-extensions -in the top level authorization data field, and the external entries will be -linked to the corresponding element by their checksums. - -C. Definition of common ticket extensions - -This appendix contains the definitions of common ticket extensions. Support -for these extensions is optional. However, certain extensions have -associated authorization data elements that may require rejection of a -ticket containing an extension by application servers that do not implement -the particular extension. Other extensions have been defined beyond those -described in this specification. Such extensions are described elswhere and -for some of those extensions the reserved number may be found in the list of -constants. - -It is known that older versions of Kerberos did not support this field, and -that some clients will strip this field from a ticket when they parse and -then reassemble a ticket as it is passed to the application servers. The -presence of the extension will not break such clients, but any functionaly -dependent on the extensions will not work when such tickets are handled by -old clients. In such situations, some implementation may use alternate -methods to transmit the information in the extensions field. - -C.1. 
Null ticket extension - -TE-NullExtension OctetString -- The empty Octet String - -The te-data field in the null ticket extension is an octet string of lenght -zero. This extension may be included in a ticket granting ticket so that the -KDC can determine on presentation of the ticket granting ticket whether the -client software will strip the extensions field. - -C.2. External Authorization Data - -TE-ExternalAuthorizationData AuthorizationData - -The te-data field in the external authorization data ticket extension is -field of type AuthorizationData containing one or more authorization data -elements. If present, a corresponding authorization data element will be -present in the primary authorization data for the ticket and that element -will contain a checksum of the external authorization data ticket extension. ----------------------------------------------------------------------------- -[TM] Project Athena, Athena, and Kerberos are trademarks of the -Massachusetts Institute of Technology (MIT). No commercial use of these -trademarks may be made without prior written permission of MIT. - -[1] Note, however, that many applications use Kerberos' functions only upon -the initiation of a stream-based network connection. Unless an application -subsequently provides integrity protection for the data stream, the identity -verification applies only to the initiation of the connection, and does not -guarantee that subsequent messages on the connection originate from the same -principal. - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - -[2] Secret and private are often used interchangeably in the literature. In -our usage, it takes two (or more) to share a secret, thus a shared DES key -is a secret key. Something is only private when no one but its owner knows -it. Thus, in public key cryptosystems, one has a public and a private key. 
- -[3] Of course, with appropriate permission the client could arrange -registration of a separately-named prin- cipal in a remote realm, and engage -in normal exchanges with that realm's services. However, for even small -numbers of clients this becomes cumbersome, and more automatic methods as -described here are necessary. - -[4] Though it is permissible to request or issue tick- ets with no network -addresses specified. - -[5] The password-changing request must not be honored unless the requester -can provide the old password (the user's current secret key). Otherwise, it -would be possible for someone to walk up to an unattended ses- sion and -change another user's password. - -[6] To authenticate a user logging on to a local system, the credentials -obtained in the AS exchange may first be used in a TGS exchange to obtain -credentials for a local server. Those credentials must then be verified by a -local server through successful completion of the Client/Server exchange. - -[7] "Random" means that, among other things, it should be impossible to -guess the next session key based on knowledge of past session keys. This can -only be achieved in a pseudo-random number generator if it is based on -cryptographic principles. It is more desirable to use a truly random number -generator, such as one based on measurements of random physical phenomena. - -[8] Tickets contain both an encrypted and unencrypted portion, so cleartext -here refers to the entire unit, which can be copied from one message and -replayed in another without any cryptographic skill. - -[9] Note that this can make applications based on unreliable transports -difficult to code correctly. If the transport might deliver duplicated -messages, either a new authenticator must be generated for each retry, or -the application server must match requests and replies and replay the first -reply in response to a detected duplicate. - -[10] This is used for user-to-user authentication as described in [8]. 
- -[11] Note that the rejection here is restricted to authenticators from the -same principal to the same server. Other client principals communicating -with the same server principal should not be have their authenticators -rejected if the time and microsecond fields happen to match some other -client's authenticator. - -[12] In the Kerberos version 4 protocol, the timestamp in the reply was the -client's timestamp plus one. This is not necessary in version 5 because -version 5 messages are formatted in such a way that it is not possible to -create the reply by judicious message surgery (even in encrypted form) -without knowledge of the appropriate encryption keys. - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - -[13] Note that for encrypting the KRB_AP_REP message, the sub-session key is -not used, even if present in the Authenticator. - -[14] Implementations of the protocol may wish to provide routines to choose -subkeys based on session keys and random numbers and to generate a -negotiated key to be returned in the KRB_AP_REP message. - -[15]This can be accomplished in several ways. It might be known beforehand -(since the realm is part of the principal identifier), it might be stored in -a nameserver, or it might be obtained from a configura- tion file. If the -realm to be used is obtained from a nameserver, there is a danger of being -spoofed if the nameservice providing the realm name is not authenti- cated. -This might result in the use of a realm which has been compromised, and -would result in an attacker's ability to compromise the authentication of -the application server to the client. - -[16] If the client selects a sub-session key, care must be taken to ensure -the randomness of the selected sub- session key. One approach would be to -generate a random number and XOR it with the session key from the -ticket-granting ticket. 
- -[17] This allows easy implementation of user-to-user authentication [8], -which uses ticket-granting ticket session keys in lieu of secret server keys -in situa- tions where such secret keys could be easily comprom- ised. - -[18] For the purpose of appending, the realm preceding the first listed -realm is considered to be the null realm (""). - -[19] For the purpose of interpreting null subfields, the client's realm is -considered to precede those in the transited field, and the server's realm -is considered to follow them. - -[20] This means that a client and server running on the same host and -communicating with one another using the KRB_SAFE messages should not share -a common replay cache to detect KRB_SAFE replays. - -[21] The implementation of the Kerberos server need not combine the database -and the server on the same machine; it is feasible to store the principal -database in, say, a network name service, as long as the entries stored -therein are protected from disclosure to and modification by unauthorized -parties. However, we recommend against such strategies, as they can make -system management and threat analysis quite complex. - -[22] See the discussion of the padata field in section 5.4.2 for details on -why this can be useful. - -[23] Warning for implementations that unpack and repack data structures -during the generation and verification of embedded checksums: Because any -checksums applied to data structures must be checked against the original -data the length of bit strings must be preserved within a data structure -between the time that a checksum is generated through transmission to the -time that the checksum is verified. - - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -[24] It is NOT recommended that this time value be used to adjust the -workstation's clock since the workstation cannot reliably determine that -such a KRB_AS_REP actually came from the proper KDC in a timely manner. 
- -[25] Note, however, that if the time is used as the nonce, one must make -sure that the workstation time is monotonically increasing. If the time is -ever reset backwards, there is a small, but finite, probability that a nonce -will be reused. - -[27] An application code in the encrypted part of a message provides an -additional check that the message was decrypted properly. - -[29] An application code in the encrypted part of a message provides an -additional check that the message was decrypted properly. - -[31] An application code in the encrypted part of a message provides an -additional check that the message was decrypted properly. - -[32] If supported by the encryption method in use, an initialization vector -may be passed to the encryption procedure, in order to achieve proper cipher -chaining. The initialization vector might come from the last block of the -ciphertext from the previous KRB_PRIV message, but it is the application's -choice whether or not to use such an initialization vector. If left out, the -default initialization vector for the encryption algorithm will be used. - -[33] This prevents an attacker who generates an incorrect AS request from -obtaining verifiable plaintext for use in an off-line password guessing -attack. - -[35] In the above specification, UNTAGGED OCTET STRING(length) is the -notation for an octet string with its tag and length removed. It is not a -valid ASN.1 type. The tag bits and length must be removed from the -confounder since the purpose of the confounder is so that the message starts -with random data, but the tag and its length are fixed. For other fields, -the length and tag would be redundant if they were included because they are -specified by the encryption type. [36] The ordering of the fields in the -CipherText is important. Additionally, messages encoded in this format must -include a length as part of the msg-seq field. This allows the recipient to -verify that the message has not been truncated. 
Without a length, an
-attacker could use a chosen plaintext attack to generate a message which
-could be truncated, while leaving the checksum intact. Note that if the
-msg-seq is an encoding of an ASN.1 SEQUENCE or OCTET STRING, then the length
-is part of that encoding.
-
-[37] In some cases, it may be necessary to use a different "mix-in" string
-for compatibility reasons; see the discussion of padata in section 5.4.2.
-
-[38] In some cases, it may be necessary to use a different "mix-in" string
-for compatibility reasons; see the discussion of padata in section 5.4.2.
-
-[39] A variant of the key is used to limit the use of a key to a particular
-function, separating the functions of generating a checksum from other
-encryption performed using the session key. The constant F0F0F0F0F0F0F0F0
-was chosen because it maintains key parity. The properties of DES precluded
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-the use of the complement. The same constant is used for similar purpose in
-the Message Integrity Check in the Privacy Enhanced Mail standard.
-
-[40] This error carries additional information in the e- data field. The
-contents of the e-data field for this message is described in section 5.9.1.
diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-revisions-03.txt b/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-revisions-03.txt
deleted file mode 100644
index 06d997d48c..0000000000
--- a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-revisions-03.txt
+++ /dev/null
@@ -1,6766 +0,0 @@ - - - -INTERNET-DRAFT Clifford Neuman - John Kohl - Theodore Ts'o - November 18th, 1998 - -The Kerberos Network Authentication Service (V5) - -STATUS OF THIS MEMO - -This document is an Internet-Draft. Internet-Drafts are working documents -of the Internet Engineering Task Force (IETF), its areas, and its working -groups. Note that other groups may also distribute working documents as -Internet-Drafts. - -Internet-Drafts are draft documents valid for a maximum of six months and -may be updated, replaced, or obsoleted by other documents at any time. It -is inappropriate to use Internet-Drafts as reference material or to cite -them other than as 'work in progress.' - -To learn the current status of any Internet-Draft, please check the -'1id-abstracts.txt' listing contained in the Internet-Drafts Shadow -Directories on ftp.ietf.org (US East Coast), nic.nordu.net (Europe), -ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim). - -The distribution of this memo is unlimited. It is filed as -draft-ietf-cat-kerberos-revisions-03.txt, and expires May 18th, 1999. -Please send comments to: krb-protocol@MIT.EDU - -ABSTRACT - -This document provides an overview and specification of Version 5 of the -Kerberos protocol, and updates RFC1510 to clarify aspects of the protocol -and its intended use that require more detailed or clearer explanation than -was provided in RFC1510. This document is intended to provide a detailed -description of the protocol, suitable for implementation, together with -descriptions of the appropriate use of protocol messages and fields within -those messages. - -This document is not intended to describe Kerberos to the end user, system -administrator, or application developer. Higher level papers describing -Version 5 of the Kerberos system [NT94] and documenting version 4 [SNS88], -are available elsewhere. 
- -OVERVIEW - -This INTERNET-DRAFT describes the concepts and model upon which the -Kerberos network authentication system is based. It also specifies Version -5 of the Kerberos protocol. - -The motivations, goals, assumptions, and rationale behind most design -decisions are treated cursorily; they are more fully described in a paper -available in IEEE communications [NT94] and earlier in the Kerberos portion -of the Athena Technical Plan [MNSS87]. The protocols have been a proposed -standard and are being considered for advancement for draft standard -through the IETF standard process. Comments are encouraged on the -presentation, but only minor refinements to the protocol as implemented or -extensions that fit within current protocol framework will be considered at - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -this time. - -Requests for addition to an electronic mailing list for discussion of -Kerberos, kerberos@MIT.EDU, may be addressed to kerberos-request@MIT.EDU. -This mailing list is gatewayed onto the Usenet as the group -comp.protocols.kerberos. Requests for further information, including -documents and code availability, may be sent to info-kerberos@MIT.EDU. - -BACKGROUND - -The Kerberos model is based in part on Needham and Schroeder's trusted -third-party authentication protocol [NS78] and on modifications suggested -by Denning and Sacco [DS81]. The original design and implementation of -Kerberos Versions 1 through 4 was the work of two former Project Athena -staff members, Steve Miller of Digital Equipment Corporation and Clifford -Neuman (now at the Information Sciences Institute of the University of -Southern California), along with Jerome Saltzer, Technical Director of -Project Athena, and Jeffrey Schiller, MIT Campus Network Manager. Many -other members of Project Athena have also contributed to the work on -Kerberos. 
- -Version 5 of the Kerberos protocol (described in this document) has evolved -from Version 4 based on new requirements and desires for features not -available in Version 4. The design of Version 5 of the Kerberos protocol -was led by Clifford Neuman and John Kohl with much input from the -community. The development of the MIT reference implementation was led at -MIT by John Kohl and Theodore T'so, with help and contributed code from -many others. Since RFC1510 was issued, extensions and revisions to the -protocol have been proposed by many individuals. Some of these proposals -are reflected in this document. Where such changes involved significant -effort, the document cites the contribution of the proposer. - -Reference implementations of both version 4 and version 5 of Kerberos are -publicly available and commercial implementations have been developed and -are widely used. Details on the differences between Kerberos Versions 4 and -5 can be found in [KNT92]. - -1. Introduction - -Kerberos provides a means of verifying the identities of principals, (e.g. -a workstation user or a network server) on an open (unprotected) network. -This is accomplished without relying on assertions by the host operating -system, without basing trust on host addresses, without requiring physical -security of all the hosts on the network, and under the assumption that -packets traveling along the network can be read, modified, and inserted at -will[1]. Kerberos performs authentication under these conditions as a -trusted third-party authentication service by using conventional (shared -secret key [2] cryptography. Kerberos extensions have been proposed and -implemented that provide for the use of public key cryptography during -certain phases of the authentication protocol. 
These extensions provide for -authentication of users registered with public key certification -authorities, and allow the system to provide certain benefits of public key -cryptography in situations where they are needed. - -The basic Kerberos authentication process proceeds as follows: A client -sends a request to the authentication server (AS) requesting 'credentials' -for a given server. The AS responds with these credentials, encrypted in -the client's key. The credentials consist of 1) a 'ticket' for the server -and 2) a temporary encryption key (often called a "session key"). The - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -client transmits the ticket (which contains the client's identity and a -copy of the session key, all encrypted in the server's key) to the server. -The session key (now shared by the client and server) is used to -authenticate the client, and may optionally be used to authenticate the -server. It may also be used to encrypt further communication between the -two parties or to exchange a separate sub-session key to be used to encrypt -further communication. - -Implementation of the basic protocol consists of one or more authentication -servers running on physically secure hosts. The authentication servers -maintain a database of principals (i.e., users and servers) and their -secret keys. Code libraries provide encryption and implement the Kerberos -protocol. In order to add authentication to its transactions, a typical -network application adds one or two calls to the Kerberos library directly -or through the Generic Security Services Application Programming Interface, -GSSAPI, described in separate document. These calls result in the -transmission of the necessary messages to achieve authentication. - -The Kerberos protocol consists of several sub-protocols (or exchanges). -There are two basic methods by which a client can ask a Kerberos server for -credentials. 
In the first approach, the client sends a cleartext request -for a ticket for the desired server to the AS. The reply is sent encrypted -in the client's secret key. Usually this request is for a ticket-granting -ticket (TGT) which can later be used with the ticket-granting server (TGS). -In the second method, the client sends a request to the TGS. The client -uses the TGT to authenticate itself to the TGS in the same manner as if it -were contacting any other application server that requires Kerberos -authentication. The reply is encrypted in the session key from the TGT. -Though the protocol specification describes the AS and the TGS as separate -servers, they are implemented in practice as different protocol entry -points within a single Kerberos server. - -Once obtained, credentials may be used to verify the identity of the -principals in a transaction, to ensure the integrity of messages exchanged -between them, or to preserve privacy of the messages. The application is -free to choose whatever protection may be necessary. - -To verify the identities of the principals in a transaction, the client -transmits the ticket to the application server. Since the ticket is sent -"in the clear" (parts of it are encrypted, but this encryption doesn't -thwart replay) and might be intercepted and reused by an attacker, -additional information is sent to prove that the message originated with -the principal to whom the ticket was issued. This information (called the -authenticator) is encrypted in the session key, and includes a timestamp. -The timestamp proves that the message was recently generated and is not a -replay. Encrypting the authenticator in the session key proves that it was -generated by a party possessing the session key. Since no one except the -requesting principal and the server know the session key (it is never sent -over the network in the clear) this guarantees the identity of the client. 
- -The integrity of the messages exchanged between principals can also be -guaranteed using the session key (passed in the ticket and contained in the -credentials). This approach provides detection of both replay attacks and -message stream modification attacks. It is accomplished by generating and -transmitting a collision-proof checksum (elsewhere called a hash or digest -function) of the client's message, keyed with the session key. Privacy and -integrity of the messages exchanged between principals can be secured by -encrypting the data to be passed using the session key contained in the -ticket or the subsession key found in the authenticator. - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - -The authentication exchanges mentioned above require read-only access to -the Kerberos database. Sometimes, however, the entries in the database must -be modified, such as when adding new principals or changing a principal's -key. This is done using a protocol between a client and a third Kerberos -server, the Kerberos Administration Server (KADM). There is also a protocol -for maintaining multiple copies of the Kerberos database. Neither of these -protocols are described in this document. - -1.1. Cross-Realm Operation - -The Kerberos protocol is designed to operate across organizational -boundaries. A client in one organization can be authenticated to a server -in another. Each organization wishing to run a Kerberos server establishes -its own 'realm'. The name of the realm in which a client is registered is -part of the client's name, and can be used by the end-service to decide -whether to honor a request. - -By establishing 'inter-realm' keys, the administrators of two realms can -allow a client authenticated in the local realm to prove its identity to -servers in other realms[3]. 
The exchange of inter-realm keys (a separate -key may be used for each direction) registers the ticket-granting service -of each realm as a principal in the other realm. A client is then able to -obtain a ticket-granting ticket for the remote realm's ticket-granting -service from its local realm. When that ticket-granting ticket is used, the -remote ticket-granting service uses the inter-realm key (which usually -differs from its own normal TGS key) to decrypt the ticket-granting ticket, -and is thus certain that it was issued by the client's own TGS. Tickets -issued by the remote ticket-granting service will indicate to the -end-service that the client was authenticated from another realm. - -A realm is said to communicate with another realm if the two realms share -an inter-realm key, or if the local realm shares an inter-realm key with an -intermediate realm that communicates with the remote realm. An -authentication path is the sequence of intermediate realms that are -transited in communicating from one realm to another. - -Realms are typically organized hierarchically. Each realm shares a key with -its parent and a different key with each child. If an inter-realm key is -not directly shared by two realms, the hierarchical organization allows an -authentication path to be easily constructed. If a hierarchical -organization is not used, it may be necessary to consult a database in -order to construct an authentication path between realms. - -Although realms are typically hierarchical, intermediate realms may be -bypassed to achieve cross-realm authentication through alternate -authentication paths (these might be established to make communication -between two realms more efficient). It is important for the end-service to -know which realms were transited when deciding how much faith to place in -the authentication process. To facilitate this decision, a field in each -ticket contains the names of the realms that were involved in -authenticating the client. 
- -The application server is ultimately responsible for accepting or rejecting -authentication and should check the transited field. The application server -may choose to rely on the KDC for the application server's realm to check -the transited field. The application server's KDC will set the -TRANSITED-POLICY-CHECKED flag in this case. The KDC's for intermediate -realms may also check the transited field as they issue - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -ticket-granting-tickets for other realms, but they are encouraged not to do -so. A client may request that the KDC's not check the transited field by -setting the DISABLE-TRANSITED-CHECK flag. KDC's are encouraged but not -required to honor this flag. - -1.2. Authorization - -As an authentication service, Kerberos provides a means of verifying the -identity of principals on a network. Authentication is usually useful -primarily as a first step in the process of authorization, determining -whether a client may use a service, which objects the client is allowed to -access, and the type of access allowed for each. Kerberos does not, by -itself, provide authorization. Possession of a client ticket for a service -provides only for authentication of the client to that service, and in the -absence of a separate authorization procedure, it should not be considered -by an application as authorizing the use of that service. - -Such separate authorization methods may be implemented as application -specific access control functions and may be based on files such as the -application server, or on separately issued authorization credentials such -as those based on proxies [Neu93] , or on other authorization services. 
- -Applications should not be modified to accept the issuance of a service -ticket by the Kerberos server (even by an modified Kerberos server) as -granting authority to use the service, since such applications may become -vulnerable to the bypass of this authorization check in an environment if -they interoperate with other KDCs or where other options for application -authentication (e.g. the PKTAPP proposal) are provided. - -1.3. Environmental assumptions - -Kerberos imposes a few assumptions on the environment in which it can -properly function: - - * 'Denial of service' attacks are not solved with Kerberos. There are - places in these protocols where an intruder can prevent an application - from participating in the proper authentication steps. Detection and - solution of such attacks (some of which can appear to be nnot-uncommon - 'normal' failure modes for the system) is usually best left to the - human administrators and users. - * Principals must keep their secret keys secret. If an intruder somehow - steals a principal's key, it will be able to masquerade as that - principal or impersonate any server to the legitimate principal. - * 'Password guessing' attacks are not solved by Kerberos. If a user - chooses a poor password, it is possible for an attacker to - successfully mount an offline dictionary attack by repeatedly - attempting to decrypt, with successive entries from a dictionary, - messages obtained which are encrypted under a key derived from the - user's password. - * Each host on the network must have a clock which is 'loosely - synchronized' to the time of the other hosts; this synchronization is - used to reduce the bookkeeping needs of application servers when they - do replay detection. The degree of "looseness" can be configured on a - per-server basis, but is typically on the order of 5 minutes. If the - clocks are synchronized over the network, the clock synchronization - protocol must itself be secured from network attackers. 
- * Principal identifiers are not recycled on a short-term basis. A - typical mode of access control will use access control lists (ACLs) to - grant permissions to particular principals. If a stale ACL entry - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - remains for a deleted principal and the principal identifier is - reused, the new principal will inherit rights specified in the stale - ACL entry. By not re-using principal identifiers, the danger of - inadvertent access is removed. - -1.4. Glossary of terms - -Below is a list of terms used throughout this document. - -Authentication - Verifying the claimed identity of a principal. -Authentication header - A record containing a Ticket and an Authenticator to be presented to a - server as part of the authentication process. -Authentication path - A sequence of intermediate realms transited in the authentication - process when communicating from one realm to another. -Authenticator - A record containing information that can be shown to have been - recently generated using the session key known only by the client and - server. -Authorization - The process of determining whether a client may use a service, which - objects the client is allowed to access, and the type of access - allowed for each. -Capability - A token that grants the bearer permission to access an object or - service. In Kerberos, this might be a ticket whose use is restricted - by the contents of the authorization data field, but which lists no - network addresses, together with the session key necessary to use the - ticket. -Ciphertext - The output of an encryption function. Encryption transforms plaintext - into ciphertext. -Client - A process that makes use of a network service on behalf of a user. - Note that in some cases a Server may itself be a client of some other - server (e.g. a print server may be a client of a file server). 
-Credentials - A ticket plus the secret session key necessary to successfully use - that ticket in an authentication exchange. -KDC - Key Distribution Center, a network service that supplies tickets and - temporary session keys; or an instance of that service or the host on - which it runs. The KDC services both initial ticket and - ticket-granting ticket requests. The initial ticket portion is - sometimes referred to as the Authentication Server (or service). The - ticket-granting ticket portion is sometimes referred to as the - ticket-granting server (or service). -Kerberos - Aside from the 3-headed dog guarding Hades, the name given to Project - Athena's authentication service, the protocol used by that service, or - the code used to implement the authentication service. -Plaintext - The input to an encryption function or the output of a decryption - function. Decryption transforms ciphertext into plaintext. -Principal - A uniquely named client or server instance that participates in a - network communication. - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -Principal identifier - The name used to uniquely identify each different principal. -Seal - To encipher a record containing several fields in such a way that the - fields cannot be individually replaced without either knowledge of the - encryption key or leaving evidence of tampering. -Secret key - An encryption key shared by a principal and the KDC, distributed - outside the bounds of the system, with a long lifetime. In the case of - a human user's principal, the secret key is derived from a password. -Server - A particular Principal which provides a resource to network clients. - The server is sometimes refered to as the Application Server. -Service - A resource provided to network clients; often provided by more than - one server (for example, remote file service). 
-Session key - A temporary encryption key used between two principals, with a - lifetime limited to the duration of a single login "session". -Sub-session key - A temporary encryption key used between two principals, selected and - exchanged by the principals using the session key, and with a lifetime - limited to the duration of a single association. -Ticket - A record that helps a client authenticate itself to a server; it - contains the client's identity, a session key, a timestamp, and other - information, all sealed using the server's secret key. It only serves - to authenticate a client when presented along with a fresh - Authenticator. - -2. Ticket flag uses and requests - -Each Kerberos ticket contains a set of flags which are used to indicate -various attributes of that ticket. Most flags may be requested by a client -when the ticket is obtained; some are automatically turned on and off by a -Kerberos server as required. The following sections explain what the -various flags mean, and gives examples of reasons to use such a flag. - -2.1. Initial and pre-authenticated tickets - -The INITIAL flag indicates that a ticket was issued using the AS protocol -and not issued based on a ticket-granting ticket. Application servers that -want to require the demonstrated knowledge of a client's secret key (e.g. a -password-changing program) can insist that this flag be set in any tickets -they accept, and thus be assured that the client's key was recently -presented to the application client. - -The PRE-AUTHENT and HW-AUTHENT flags provide addition information about the -initial authentication, regardless of whether the current ticket was issued -directly (in which case INITIAL will also be set) or issued on the basis of -a ticket-granting ticket (in which case the INITIAL flag is clear, but the -PRE-AUTHENT and HW-AUTHENT flags are carried forward from the -ticket-granting ticket). - -2.2. Invalid tickets - -The INVALID flag indicates that a ticket is invalid. 
Application servers -must reject tickets which have this flag set. A postdated ticket will -usually be issued in this form. Invalid tickets must be validated by the - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -KDC before use, by presenting them to the KDC in a TGS request with the -VALIDATE option specified. The KDC will only validate tickets after their -starttime has passed. The validation is required so that postdated tickets -which have been stolen before their starttime can be rendered permanently -invalid (through a hot-list mechanism) (see section 3.3.3.1). - -2.3. Renewable tickets - -Applications may desire to hold tickets which can be valid for long periods -of time. However, this can expose their credentials to potential theft for -equally long periods, and those stolen credentials would be valid until the -expiration time of the ticket(s). Simply using short-lived tickets and -obtaining new ones periodically would require the client to have long-term -access to its secret key, an even greater risk. Renewable tickets can be -used to mitigate the consequences of theft. Renewable tickets have two -"expiration times": the first is when the current instance of the ticket -expires, and the second is the latest permissible value for an individual -expiration time. An application client must periodically (i.e. before it -expires) present a renewable ticket to the KDC, with the RENEW option set -in the KDC request. The KDC will issue a new ticket with a new session key -and a later expiration time. All other fields of the ticket are left -unmodified by the renewal process. When the latest permissible expiration -time arrives, the ticket expires permanently. At each renewal, the KDC may -consult a hot-list to determine if the ticket had been reported stolen -since its last renewal; it will refuse to renew such stolen tickets, and -thus the usable lifetime of stolen tickets is reduced. 
- -The RENEWABLE flag in a ticket is normally only interpreted by the -ticket-granting service (discussed below in section 3.3). It can usually be -ignored by application servers. However, some particularly careful -application servers may wish to disallow renewable tickets. - -If a renewable ticket is not renewed by its expiration time, the KDC will -not renew the ticket. The RENEWABLE flag is reset by default, but a client -may request it be set by setting the RENEWABLE option in the KRB_AS_REQ -message. If it is set, then the renew-till field in the ticket contains the -time after which the ticket may not be renewed. - -2.4. Postdated tickets - -Applications may occasionally need to obtain tickets for use much later, -e.g. a batch submission system would need tickets to be valid at the time -the batch job is serviced. However, it is dangerous to hold valid tickets -in a batch queue, since they will be on-line longer and more prone to -theft. Postdated tickets provide a way to obtain these tickets from the KDC -at job submission time, but to leave them "dormant" until they are -activated and validated by a further request of the KDC. If a ticket theft -were reported in the interim, the KDC would refuse to validate the ticket, -and the thief would be foiled. - -The MAY-POSTDATE flag in a ticket is normally only interpreted by the -ticket-granting service. It can be ignored by application servers. This -flag must be set in a ticket-granting ticket in order to issue a postdated -ticket based on the presented ticket. It is reset by default; it may be -requested by a client by setting the ALLOW-POSTDATE option in the -KRB_AS_REQ message. This flag does not allow a client to obtain a postdated -ticket-granting ticket; postdated ticket-granting tickets can only by -obtained by requesting the postdating in the KRB_AS_REQ message. 
The life -(endtime-starttime) of a postdated ticket will be the remaining life of the - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -ticket-granting ticket at the time of the request, unless the RENEWABLE -option is also set, in which case it can be the full life -(endtime-starttime) of the ticket-granting ticket. The KDC may limit how -far in the future a ticket may be postdated. - -The POSTDATED flag indicates that a ticket has been postdated. The -application server can check the authtime field in the ticket to see when -the original authentication occurred. Some services may choose to reject -postdated tickets, or they may only accept them within a certain period -after the original authentication. When the KDC issues a POSTDATED ticket, -it will also be marked as INVALID, so that the application client must -present the ticket to the KDC to be validated before use. - -2.5. Proxiable and proxy tickets - -At times it may be necessary for a principal to allow a service to perform -an operation on its behalf. The service must be able to take on the -identity of the client, but only for a particular purpose. A principal can -allow a service to take on the principal's identity for a particular -purpose by granting it a proxy. - -The process of granting a proxy using the proxy and proxiable flags is used -to provide credentials for use with specific services. Though conceptually -also a proxy, user's wishing to delegate their identity for ANY purpose -must use the ticket forwarding mechanism described in the next section to -forward a ticket granting ticket. - -The PROXIABLE flag in a ticket is normally only interpreted by the -ticket-granting service. It can be ignored by application servers. When -set, this flag tells the ticket-granting server that it is OK to issue a -new ticket (but not a ticket-granting ticket) with a different network -address based on this ticket. 
This flag is set if requested by the client -on initial authentication. By default, the client will request that it be -set when requesting a ticket granting ticket, and reset when requesting any -other ticket. - -This flag allows a client to pass a proxy to a server to perform a remote -request on its behalf, e.g. a print service client can give the print -server a proxy to access the client's files on a particular file server in -order to satisfy a print request. - -In order to complicate the use of stolen credentials, Kerberos tickets are -usually valid from only those network addresses specifically included in -the ticket[4]. When granting a proxy, the client must specify the new -network address from which the proxy is to be used, or indicate that the -proxy is to be issued for use from any address. - -The PROXY flag is set in a ticket by the TGS when it issues a proxy ticket. -Application servers may check this flag and at their option they may -require additional authentication from the agent presenting the proxy in -order to provide an audit trail. - -2.6. Forwardable tickets - -Authentication forwarding is an instance of a proxy where the service is -granted complete use of the client's identity. An example where it might be -used is when a user logs in to a remote system and wants authentication to -work from that system as if the login were local. - - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -The FORWARDABLE flag in a ticket is normally only interpreted by the -ticket-granting service. It can be ignored by application servers. The -FORWARDABLE flag has an interpretation similar to that of the PROXIABLE -flag, except ticket-granting tickets may also be issued with different -network addresses. This flag is reset by default, but users may request -that it be set by setting the FORWARDABLE option in the AS request when -they request their initial ticket- granting ticket. 
-
-This flag allows for authentication forwarding without requiring the user
-to enter a password again. If the flag is not set, then authentication
-forwarding is not permitted, but the same result can still be achieved if
-the user engages in the AS exchange specifying the requested network
-addresses and supplies a password.
-
-The FORWARDED flag is set by the TGS when a client presents a ticket with
-the FORWARDABLE flag set and requests a forwarded ticket by specifying the
-FORWARDED KDC option and supplying a set of addresses for the new ticket.
-It is also set in all tickets issued based on tickets with the FORWARDED
-flag set. Application servers may choose to process FORWARDED tickets
-differently than non-FORWARDED tickets.
-
-2.7. Other KDC options
-
-There are two additional options which may be set in a client's request of
-the KDC. The RENEWABLE-OK option indicates that the client will accept a
-renewable ticket if a ticket with the requested life cannot otherwise be
-provided. If a ticket with the requested life cannot be provided, then the
-KDC may issue a renewable ticket with a renew-till equal to the the
-requested endtime. The value of the renew-till field may still be adjusted
-by site-determined limits or limits imposed by the individual principal or
-server.
-
-The ENC-TKT-IN-SKEY option is honored only by the ticket-granting service.
-It indicates that the ticket to be issued for the end server is to be
-encrypted in the session key from the a additional second ticket-granting
-ticket provided with the request. See section 3.3.3 for specific details.
-
-3. Message Exchanges
-
-The following sections describe the interactions between network clients
-and servers and the messages involved in those exchanges.
-
-3.1. The Authentication Service Exchange
-
- Summary
- Message direction Message type Section
- 1. Client to Kerberos KRB_AS_REQ 5.4.1
- 2. Kerberos to client KRB_AS_REP or 5.4.2
- KRB_ERROR 5.9.1
-
-The Authentication Service (AS) Exchange between the client and the
-Kerberos Authentication Server is initiated by a client when it wishes to
-obtain authentication credentials for a given server but currently holds no
-credentials. In its basic form, the client's secret key is used for
-encryption and decryption. This exchange is typically used at the
-initiation of a login session to obtain credentials for a Ticket-Granting
-Server which will subsequently be used to obtain credentials for other
-servers (see section 3.3) without requiring further use of the client's
-secret key. This exchange is also used to request credentials for services
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-which must not be mediated through the Ticket-Granting Service, but rather
-require a principal's secret key, such as the password-changing service[5].
-This exchange does not by itself provide any assurance of the the identity
-of the user[6].
-
-The exchange consists of two messages: KRB_AS_REQ from the client to
-Kerberos, and KRB_AS_REP or KRB_ERROR in reply. The formats for these
-messages are described in sections 5.4.1, 5.4.2, and 5.9.1.
-
-In the request, the client sends (in cleartext) its own identity and the
-identity of the server for which it is requesting credentials. The
-response, KRB_AS_REP, contains a ticket for the client to present to the
-server, and a session key that will be shared by the client and the server.
-The session key and additional information are encrypted in the client's
-secret key. The KRB_AS_REP message contains information which can be used
-to detect replays, and to associate it with the message to which it
-replies. Various errors can occur; these are indicated by an error response
-(KRB_ERROR) instead of the KRB_AS_REP response. The error message is not
-encrypted. The KRB_ERROR message contains information which can be used to
-associate it with the message to which it replies. The lack of encryption
-in the KRB_ERROR message precludes the ability to detect replays,
-fabrications, or modifications of such messages.
-
-Without preautentication, the authentication server does not know whether
-the client is actually the principal named in the request. It simply sends
-a reply without knowing or caring whether they are the same. This is
-acceptable because nobody but the principal whose identity was given in the
-request will be able to use the reply. Its critical information is
-encrypted in that principal's key. The initial request supports an optional
-field that can be used to pass additional information that might be needed
-for the initial exchange. This field may be used for preauthentication as
-described in section [hl<>].
-
-3.1.1. Generation of KRB_AS_REQ message
-
-The client may specify a number of options in the initial request. Among
-these options are whether pre-authentication is to be performed; whether
-the requested ticket is to be renewable, proxiable, or forwardable; whether
-it should be postdated or allow postdating of derivative tickets; and
-whether a renewable ticket will be accepted in lieu of a non-renewable
-ticket if the requested ticket expiration date cannot be satisfied by a
-non-renewable ticket (due to configuration constraints; see section 4). See
-section A.1 for pseudocode.
-
-The client prepares the KRB_AS_REQ message and sends it to the KDC.
-
-3.1.2. Receipt of KRB_AS_REQ message
-
-If all goes well, processing the KRB_AS_REQ message will result in the
-creation of a ticket for the client to present to the server. The format
-for the ticket is described in section 5.3.1. The contents of the ticket
-are determined as follows.
-
-3.1.3. Generation of KRB_AS_REP message
-
-The authentication server looks up the client and server principals named
-in the KRB_AS_REQ in its database, extracting their respective keys. If
-required, the server pre-authenticates the request, and if the
-pre-authentication check fails, an error message with the code
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-KDC_ERR_PREAUTH_FAILED is returned. If the server cannot accommodate the
-requested encryption type, an error message with code KDC_ERR_ETYPE_NOSUPP
-is returned. Otherwise it generates a 'random' session key[7].
-
-If there are multiple encryption keys registered for a client in the
-Kerberos database (or if the key registered supports multiple encryption
-types; e.g. DES-CBC-CRC and DES-CBC-MD5), then the etype field from the AS
-request is used by the KDC to select the encryption method to be used for
-encrypting the response to the client. If there is more than one supported,
-strong encryption type in the etype list, the first valid etype for which
-an encryption key is available is used. The encryption method used to
-respond to a TGS request is taken from the keytype of the session key found
-in the ticket granting ticket.
-
-When the etype field is present in a KDC request, whether an AS or TGS
-request, the KDC will attempt to assign the type of the random session key
-from the list of methods in the etype field. The KDC will select the
-appropriate type using the list of methods provided together with
-information from the Kerberos database indicating acceptable encryption
-methods for the application server. The KDC will not issue tickets with a
-weak session key encryption type.
-
-If the requested start time is absent, indicates a time in the past, or is
-within the window of acceptable clock skew for the KDC and the POSTDATE
-option has not been specified, then the start time of the ticket is set to
-the authentication server's current time. If it indicates a time in the
-future beyond the acceptable clock skew, but the POSTDATED option has not
-been specified then the error KDC_ERR_CANNOT_POSTDATE is returned.
-Otherwise the requested start time is checked against the policy of the
-local realm (the administrator might decide to prohibit certain types or
-ranges of postdated tickets), and if acceptable, the ticket's start time is
-set as requested and the INVALID flag is set in the new ticket. The
-postdated ticket must be validated before use by presenting it to the KDC
-after the start time has been reached.
-
-The expiration time of the ticket will be set to the minimum of the
-following:
-
- * The expiration time (endtime) requested in the KRB_AS_REQ message.
- * The ticket's start time plus the maximum allowable lifetime associated
- with the client principal (the authentication server's database
- includes a maximum ticket lifetime field in each principal's record;
- see section 4).
- * The ticket's start time plus the maximum allowable lifetime associated
- with the server principal.
- * The ticket's start time plus the maximum lifetime set by the policy of
- the local realm.
-
-If the requested expiration time minus the start time (as determined above)
-is less than a site-determined minimum lifetime, an error message with code
-KDC_ERR_NEVER_VALID is returned. If the requested expiration time for the
-ticket exceeds what was determined as above, and if the 'RENEWABLE-OK'
-option was requested, then the 'RENEWABLE' flag is set in the new ticket,
-and the renew-till value is set as if the 'RENEWABLE' option were requested
-(the field and option names are described fully in section 5.4.1).
-
-If the RENEWABLE option has been requested or if the RENEWABLE-OK option
-has been set and a renewable ticket is to be issued, then the renew-till
-field is set to the minimum of:
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-
- * Its requested value.
- * The start time of the ticket plus the minimum of the two maximum
- renewable lifetimes associated with the principals' database entries.
- * The start time of the ticket plus the maximum renewable lifetime set
- by the policy of the local realm.
-
-The flags field of the new ticket will have the following options set if
-they have been requested and if the policy of the local realm allows:
-FORWARDABLE, MAY-POSTDATE, POSTDATED, PROXIABLE, RENEWABLE. If the new
-ticket is post-dated (the start time is in the future), its INVALID flag
-will also be set.
-
-If all of the above succeed, the server formats a KRB_AS_REP message (see
-section 5.4.2), copying the addresses in the request into the caddr of the
-response, placing any required pre-authentication data into the padata of
-the response, and encrypts the ciphertext part in the client's key using
-the requested encryption method, and sends it to the client. See section
-A.2 for pseudocode.
-
-3.1.4. Generation of KRB_ERROR message
-
-Several errors can occur, and the Authentication Server responds by
-returning an error message, KRB_ERROR, to the client, with the error-code
-and e-text fields set to appropriate values. The error message contents and
-details are described in Section 5.9.1.
-
-3.1.5. Receipt of KRB_AS_REP message
-
-If the reply message type is KRB_AS_REP, then the client verifies that the
-cname and crealm fields in the cleartext portion of the reply match what it
-requested. If any padata fields are present, they may be used to derive the
-proper secret key to decrypt the message. The client decrypts the encrypted
-part of the response using its secret key, verifies that the nonce in the
-encrypted part matches the nonce it supplied in its request (to detect
-replays). It also verifies that the sname and srealm in the response match
-those in the request (or are otherwise expected values), and that the host
-address field is also correct. It then stores the ticket, session key,
-start and expiration times, and other information for later use. The
-key-expiration field from the encrypted part of the response may be checked
-to notify the user of impending key expiration (the client program could
-then suggest remedial action, such as a password change). See section A.3
-for pseudocode.
-
-Proper decryption of the KRB_AS_REP message is not sufficient to verify the
-identity of the user; the user and an attacker could cooperate to generate
-a KRB_AS_REP format message which decrypts properly but is not from the
-proper KDC. If the host wishes to verify the identity of the user, it must
-require the user to present application credentials which can be verified
-using a securely-stored secret key for the host. If those credentials can
-be verified, then the identity of the user can be assured.
-
-3.1.6. Receipt of KRB_ERROR message
-
-If the reply message type is KRB_ERROR, then the client interprets it as an
-error and performs whatever application-specific tasks are necessary to
-recover.
-
-3.2. The Client/Server Authentication Exchange
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-
- Summary
-Message direction Message type Section
-Client to Application server KRB_AP_REQ 5.5.1
-[optional] Application server to client KRB_AP_REP or 5.5.2
- KRB_ERROR 5.9.1
-
-The client/server authentication (CS) exchange is used by network
-applications to authenticate the client to the server and vice versa. The
-client must have already acquired credentials for the server using the AS
-or TGS exchange.
-
-3.2.1. The KRB_AP_REQ message
-
-The KRB_AP_REQ contains authentication information which should be part of
-the first message in an authenticated transaction. It contains a ticket, an
-authenticator, and some additional bookkeeping information (see section
-5.5.1 for the exact format). The ticket by itself is insufficient to
-authenticate a client, since tickets are passed across the network in
-cleartext[DS90], so the authenticator is used to prevent invalid replay of
-tickets by proving to the server that the client knows the session key of
-the ticket and thus is entitled to use the ticket. The KRB_AP_REQ message
-is referred to elsewhere as the 'authentication header.'
-
-3.2.2. Generation of a KRB_AP_REQ message
-
-When a client wishes to initiate authentication to a server, it obtains
-(either through a credentials cache, the AS exchange, or the TGS exchange)
-a ticket and session key for the desired service. The client may re-use any
-tickets it holds until they expire. To use a ticket the client constructs a
-new Authenticator from the the system time, its name, and optionally an
-application specific checksum, an initial sequence number to be used in
-KRB_SAFE or KRB_PRIV messages, and/or a session subkey to be used in
-negotiations for a session key unique to this particular session.
-Authenticators may not be re-used and will be rejected if replayed to a
-server[LGDSR87]. If a sequence number is to be included, it should be
-randomly chosen so that even after many messages have been exchanged it is
-not likely to collide with other sequence numbers in use.
-
-The client may indicate a requirement of mutual authentication or the use
-of a session-key based ticket by setting the appropriate flag(s) in the
-ap-options field of the message.
-
-The Authenticator is encrypted in the session key and combined with the
-ticket to form the KRB_AP_REQ message which is then sent to the end server
-along with any additional application-specific information. See section A.9
-for pseudocode.
-
-3.2.3. Receipt of KRB_AP_REQ message
-
-Authentication is based on the server's current time of day (clocks must be
-loosely synchronized), the authenticator, and the ticket. Several errors
-are possible. If an error occurs, the server is expected to reply to the
-client with a KRB_ERROR message. This message may be encapsulated in the
-application protocol if its 'raw' form is not acceptable to the protocol.
-The format of error messages is described in section 5.9.1.
-
-The algorithm for verifying authentication information is as follows. If
-the message type is not KRB_AP_REQ, the server returns the
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-KRB_AP_ERR_MSG_TYPE error. If the key version indicated by the Ticket in
-the KRB_AP_REQ is not one the server can use (e.g., it indicates an old
-key, and the server no longer possesses a copy of the old key), the
-KRB_AP_ERR_BADKEYVER error is returned. If the USE-SESSION-KEY flag is set
-in the ap-options field, it indicates to the server that the ticket is
-encrypted in the session key from the server's ticket-granting ticket
-rather than its secret key[10]. Since it is possible for the server to be
-registered in multiple realms, with different keys in each, the srealm
-field in the unencrypted portion of the ticket in the KRB_AP_REQ is used to
-specify which secret key the server should use to decrypt that ticket. The
-KRB_AP_ERR_NOKEY error code is returned if the server doesn't have the
-proper key to decipher the ticket.
-
-The ticket is decrypted using the version of the server's key specified by
-the ticket. If the decryption routines detect a modification of the ticket
-(each encryption system must provide safeguards to detect modified
-ciphertext; see section 6), the KRB_AP_ERR_BAD_INTEGRITY error is returned
-(chances are good that different keys were used to encrypt and decrypt).
-
-The authenticator is decrypted using the session key extracted from the
-decrypted ticket. If decryption shows it to have been modified, the
-KRB_AP_ERR_BAD_INTEGRITY error is returned. The name and realm of the
-client from the ticket are compared against the same fields in the
-authenticator. If they don't match, the KRB_AP_ERR_BADMATCH error is
-returned (they might not match, for example, if the wrong session key was
-used to encrypt the authenticator). The addresses in the ticket (if any)
-are then searched for an address matching the operating-system reported
-address of the client. If no match is found or the server insists on ticket
-addresses but none are present in the ticket, the KRB_AP_ERR_BADADDR error
-is returned.
-
-If the local (server) time and the client time in the authenticator differ
-by more than the allowable clock skew (e.g., 5 minutes), the
-KRB_AP_ERR_SKEW error is returned. If the server name, along with the
-client name, time and microsecond fields from the Authenticator match any
-recently-seen such tuples, the KRB_AP_ERR_REPEAT error is returned[11]. The
-server must remember any authenticator presented within the allowable clock
-skew, so that a replay attempt is guaranteed to fail. If a server loses
-track of any authenticator presented within the allowable clock skew, it
-must reject all requests until the clock skew interval has passed. This
-assures that any lost or re-played authenticators will fall outside the
-allowable clock skew and can no longer be successfully replayed (If this is
-not done, an attacker could conceivably record the ticket and authenticator
-sent over the network to a server, then disable the client's host, pose as
-the disabled host, and replay the ticket and authenticator to subvert the
-authentication.). If a sequence number is provided in the authenticator,
-the server saves it for later use in processing KRB_SAFE and/or KRB_PRIV
-messages. If a subkey is present, the server either saves it for later use
-or uses it to help generate its own choice for a subkey to be returned in a
-KRB_AP_REP message.
-
-The server computes the age of the ticket: local (server) time minus the
-start time inside the Ticket. If the start time is later than the current
-time by more than the allowable clock skew or if the INVALID flag is set in
-the ticket, the KRB_AP_ERR_TKT_NYV error is returned. Otherwise, if the
-current time is later than end time by more than the allowable clock skew,
-the KRB_AP_ERR_TKT_EXPIRED error is returned.
-
-If all these checks succeed without an error, the server is assured that
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-the client possesses the credentials of the principal named in the ticket
-and thus, the client has been authenticated to the server. See section A.10
-for pseudocode.
-
-Passing these checks provides only authentication of the named principal;
-it does not imply authorization to use the named service. Applications must
-make a separate authorization decisions based upon the authenticated name
-of the user, the requested operation, local acces control information such
-as that contained in a .k5login or .k5users file, and possibly a separate
-distributed authorization service.
-
-3.2.4. Generation of a KRB_AP_REP message
-
-Typically, a client's request will include both the authentication
-information and its initial request in the same message, and the server
-need not explicitly reply to the KRB_AP_REQ. However, if mutual
-authentication (not only authenticating the client to the server, but also
-the server to the client) is being performed, the KRB_AP_REQ message will
-have MUTUAL-REQUIRED set in its ap-options field, and a KRB_AP_REP message
-is required in response. As with the error message, this message may be
-encapsulated in the application protocol if its "raw" form is not
-acceptable to the application's protocol. The timestamp and microsecond
-field used in the reply must be the client's timestamp and microsecond
-field (as provided in the authenticator)[12]. If a sequence number is to be
-included, it should be randomly chosen as described above for the
-authenticator. A subkey may be included if the server desires to negotiate
-a different subkey. The KRB_AP_REP message is encrypted in the session key
-extracted from the ticket. See section A.11 for pseudocode.
-
-3.2.5. Receipt of KRB_AP_REP message
-
-If a KRB_AP_REP message is returned, the client uses the session key from
-the credentials obtained for the server[13] to decrypt the message, and
-verifies that the timestamp and microsecond fields match those in the
-Authenticator it sent to the server. If they match, then the client is
-assured that the server is genuine. The sequence number and subkey (if
-present) are retained for later use. See section A.12 for pseudocode.
-
-3.2.6. Using the encryption key
-
-After the KRB_AP_REQ/KRB_AP_REP exchange has occurred, the client and
-server share an encryption key which can be used by the application. The
-'true session key' to be used for KRB_PRIV, KRB_SAFE, or other
-application-specific uses may be chosen by the application based on the
-subkeys in the KRB_AP_REP message and the authenticator[14]. In some cases,
-the use of this session key will be implicit in the protocol; in others the
-method of use must be chosen from several alternatives. We leave the
-protocol negotiations of how to use the key (e.g. selecting an encryption
-or checksum type) to the application programmer; the Kerberos protocol does
-not constrain the implementation options, but an example of how this might
-be done follows.
-
-One way that an application may choose to negotiate a key to be used for
-subequent integrity and privacy protection is for the client to propose a
-key in the subkey field of the authenticator. The server can then choose a
-key using the proposed key from the client as input, returning the new
-subkey in the subkey field of the application reply. This key could then be
-used for subsequent communication. To make this example more concrete, if
-the encryption method in use required a 56 bit key, and for whatever
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-reason, one of the parties was prevented from using a key with more than 40
-unknown bits, this method would allow the the party which is prevented from
-using more than 40 bits to either propose (if the client) an initial key
-with a known quantity for 16 of those bits, or to mask 16 of the bits (if
-the server) with the known quantity. The application implementor is warned,
-however, that this is only an example, and that an analysis of the
-particular crytosystem to be used, and the reasons for limiting the key
-length, must be made before deciding whether it is acceptable to mask bits
-of the key.
-
-With both the one-way and mutual authentication exchanges, the peers should
-take care not to send sensitive information to each other without proper
-assurances. In particular, applications that require privacy or integrity
-should use the KRB_AP_REP response from the server to client to assure both
-client and server of their peer's identity. If an application protocol
-requires privacy of its messages, it can use the KRB_PRIV message (section
-3.5). The KRB_SAFE message (section 3.4) can be used to assure integrity.
-
-3.3. The Ticket-Granting Service (TGS) Exchange
-
- Summary
- Message direction Message type Section
- 1. Client to Kerberos KRB_TGS_REQ 5.4.1
- 2. Kerberos to client KRB_TGS_REP or 5.4.2
- KRB_ERROR 5.9.1
-
-The TGS exchange between a client and the Kerberos Ticket-Granting Server
-is initiated by a client when it wishes to obtain authentication
-credentials for a given server (which might be registered in a remote
-realm), when it wishes to renew or validate an existing ticket, or when it
-wishes to obtain a proxy ticket. In the first case, the client must already
-have acquired a ticket for the Ticket-Granting Service using the AS
-exchange (the ticket-granting ticket is usually obtained when a client
-initially authenticates to the system, such as when a user logs in). The
-message format for the TGS exchange is almost identical to that for the AS
-exchange. The primary difference is that encryption and decryption in the
-TGS exchange does not take place under the client's key. Instead, the
-session key from the ticket-granting ticket or renewable ticket, or
-sub-session key from an Authenticator is used. As is the case for all
-application servers, expired tickets are not accepted by the TGS, so once a
-renewable or ticket-granting ticket expires, the client must use a separate
-exchange to obtain valid tickets.
-
-The TGS exchange consists of two messages: A request (KRB_TGS_REQ) from the
-client to the Kerberos Ticket-Granting Server, and a reply (KRB_TGS_REP or
-KRB_ERROR). The KRB_TGS_REQ message includes information authenticating the
-client plus a request for credentials. The authentication information
-consists of the authentication header (KRB_AP_REQ) which includes the
-client's previously obtained ticket-granting, renewable, or invalid ticket.
-In the ticket-granting ticket and proxy cases, the request may include one
-or more of: a list of network addresses, a collection of typed
-authorization data to be sealed in the ticket for authorization use by the
-application server, or additional tickets (the use of which are described
-later). The TGS reply (KRB_TGS_REP) contains the requested credentials,
-encrypted in the session key from the ticket-granting ticket or renewable
-ticket, or if present, in the sub-session key from the Authenticator (part
-of the authentication header). The KRB_ERROR message contains an error code
-and text explaining what went wrong. The KRB_ERROR message is not
-encrypted. The KRB_TGS_REP message contains information which can be used
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-to detect replays, and to associate it with the message to which it
-replies. The KRB_ERROR message also contains information which can be used
-to associate it with the message to which it replies, but the lack of
-encryption in the KRB_ERROR message precludes the ability to detect replays
-or fabrications of such messages.
-
-3.3.1. Generation of KRB_TGS_REQ message
-
-Before sending a request to the ticket-granting service, the client must
-determine in which realm the application server is registered[15]. If the
-client does not already possess a ticket-granting ticket for the
-appropriate realm, then one must be obtained. This is first attempted by
-requesting a ticket-granting ticket for the destination realm from a
-Kerberos server for which the client does posess a ticket-granting ticket
-(using the KRB_TGS_REQ message recursively). The Kerberos server may return
-a TGT for the desired realm in which case one can proceed. Alternatively,
-the Kerberos server may return a TGT for a realm which is 'closer' to the
-desired realm (further along the standard hierarchical path), in which case
-this step must be repeated with a Kerberos server in the realm specified in
-the returned TGT. If neither are returned, then the request must be retried
-with a Kerberos server for a realm higher in the hierarchy. This request
-will itself require a ticket-granting ticket for the higher realm which
-must be obtained by recursively applying these directions.
-
-Once the client obtains a ticket-granting ticket for the appropriate realm,
-it determines which Kerberos servers serve that realm, and contacts one.
-The list might be obtained through a configuration file or network service
-or it may be generated from the name of the realm; as long as the secret
-keys exchanged by realms are kept secret, only denial of service results
-from using a false Kerberos server.
-
-As in the AS exchange, the client may specify a number of options in the
-KRB_TGS_REQ message. The client prepares the KRB_TGS_REQ message, providing
-an authentication header as an element of the padata field, and including
-the same fields as used in the KRB_AS_REQ message along with several
-optional fields: the enc-authorization-data field for application server
-use and additional tickets required by some options.
-
-In preparing the authentication header, the client can select a sub-session
-key under which the response from the Kerberos server will be
-encrypted[16]. If the sub-session key is not specified, the session key
-from the ticket-granting ticket will be used. If the enc-authorization-data
-is present, it must be encrypted in the sub-session key, if present, from
-the authenticator portion of the authentication header, or if not present,
-using the session key from the ticket-granting ticket.
-
-Once prepared, the message is sent to a Kerberos server for the destination
-realm. See section A.5 for pseudocode.
-
-3.3.2. Receipt of KRB_TGS_REQ message
-
-The KRB_TGS_REQ message is processed in a manner similar to the KRB_AS_REQ
-message, but there are many additional checks to be performed. First, the
-Kerberos server must determine which server the accompanying ticket is for
-and it must select the appropriate key to decrypt it. For a normal
-KRB_TGS_REQ message, it will be for the ticket granting service, and the
-TGS's key will be used. If the TGT was issued by another realm, then the
-appropriate inter-realm key must be used. If the accompanying ticket is not
-a ticket granting ticket for the current realm, but is for an application
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-server in the current realm, the RENEW, VALIDATE, or PROXY options are
-specified in the request, and the server for which a ticket is requested is
-the server named in the accompanying ticket, then the KDC will decrypt the
-ticket in the authentication header using the key of the server for which
-it was issued. If no ticket can be found in the padata field, the
-KDC_ERR_PADATA_TYPE_NOSUPP error is returned.
-
-Once the accompanying ticket has been decrypted, the user-supplied checksum
-in the Authenticator must be verified against the contents of the request,
-and the message rejected if the checksums do not match (with an error code
-of KRB_AP_ERR_MODIFIED) or if the checksum is not keyed or not
-collision-proof (with an error code of KRB_AP_ERR_INAPP_CKSUM). If the
-checksum type is not supported, the KDC_ERR_SUMTYPE_NOSUPP error is
-returned. If the authorization-data are present, they are decrypted using
-the sub-session key from the Authenticator.
-
-If any of the decryptions indicate failed integrity checks, the
-KRB_AP_ERR_BAD_INTEGRITY error is returned.
-
-3.3.3. Generation of KRB_TGS_REP message
-
-The KRB_TGS_REP message shares its format with the KRB_AS_REP
-(KRB_KDC_REP), but with its type field set to KRB_TGS_REP. The detailed
-specification is in section 5.4.2.
-
-The response will include a ticket for the requested server. The Kerberos
-database is queried to retrieve the record for the requested server
-(including the key with which the ticket will be encrypted). If the request
-is for a ticket granting ticket for a remote realm, and if no key is shared
-with the requested realm, then the Kerberos server will select the realm
-"closest" to the requested realm with which it does share a key, and use
-that realm instead. This is the only case where the response from the KDC
-will be for a different server than that requested by the client.
-
-By default, the address field, the client's name and realm, the list of
-transited realms, the time of initial authentication, the expiration time,
-and the authorization data of the newly-issued ticket will be copied from
-the ticket-granting ticket (TGT) or renewable ticket. If the transited
-field needs to be updated, but the transited type is not supported, the
-KDC_ERR_TRTYPE_NOSUPP error is returned.
-
-If the request specifies an endtime, then the endtime of the new ticket is
-set to the minimum of (a) that request, (b) the endtime from the TGT, and
-(c) the starttime of the TGT plus the minimum of the maximum life for the
-application server and the maximum life for the local realm (the maximum
-life for the requesting principal was already applied when the TGT was
-issued). If the new ticket is to be a renewal, then the endtime above is
-replaced by the minimum of (a) the value of the renew_till field of the
-ticket and (b) the starttime for the new ticket plus the life
-(endtime-starttime) of the old ticket.
-
-If the FORWARDED option has been requested, then the resulting ticket will
-contain the addresses specified by the client. This option will only be
-honored if the FORWARDABLE flag is set in the TGT. The PROXY option is
-similar; the resulting ticket will contain the addresses specified by the
-client. It will be honored only if the PROXIABLE flag in the TGT is set.
-The PROXY option will not be honored on requests for additional
-ticket-granting tickets.
-
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-If the requested start time is absent, indicates a time in the past, or is
-within the window of acceptable clock skew for the KDC and the POSTDATE
-option has not been specified, then the start time of the ticket is set to
-the authentication server's current time. If it indicates a time in the
-future beyond the acceptable clock skew, but the POSTDATED option has not
-been specified or the MAY-POSTDATE flag is not set in the TGT, then the
-error KDC_ERR_CANNOT_POSTDATE is returned. Otherwise, if the
-ticket-granting ticket has the MAY-POSTDATE flag set, then the resulting
-ticket will be postdated and the requested starttime is checked against the
-policy of the local realm. If acceptable, the ticket's start time is set as
-requested, and the INVALID flag is set. The postdated ticket must be
-validated before use by presenting it to the KDC after the starttime has
-been reached. However, in no case may the starttime, endtime, or renew-till
-time of a newly-issued postdated ticket extend beyond the renew-till time
-of the ticket-granting ticket.
-
-If the ENC-TKT-IN-SKEY option has been specified and an additional ticket
-has been included in the request, the KDC will decrypt the additional
-ticket using the key for the server to which the additional ticket was
-issued and verify that it is a ticket-granting ticket. If the name of the
-requested server is missing from the request, the name of the client in the
-additional ticket will be used. Otherwise the name of the requested server
-will be compared to the name of the client in the additional ticket and if
-different, the request will be rejected. If the request succeeds, the
-session key from the additional ticket will be used to encrypt the new
-ticket that is issued instead of using the key of the server for which the
-new ticket will be used[17].
-
-If the name of the server in the ticket that is presented to the KDC as
-part of the authentication header is not that of the ticket-granting server
-itself, the server is registered in the realm of the KDC, and the RENEW
-option is requested, then the KDC will verify that the RENEWABLE flag is
-set in the ticket, that the INVALID flag is not set in the ticket, and that
-the renew_till time is still in the future. If the VALIDATE option is
-rqeuested, the KDC will check that the starttime has passed and the INVALID
-flag is set. If the PROXY option is requested, then the KDC will check that
-the PROXIABLE flag is set in the ticket. If the tests succeed, and the
-ticket passes the hotlist check described in the next paragraph, the KDC
-will issue the appropriate new ticket.
-
-3.3.3.1. Checking for revoked tickets
-
-Whenever a request is made to the ticket-granting server, the presented
-ticket(s) is(are) checked against a hot-list of tickets which have been
-canceled. This hot-list might be implemented by storing a range of issue
-timestamps for 'suspect tickets'; if a presented ticket had an authtime in
-that range, it would be rejected. In this way, a stolen ticket-granting
-ticket or renewable ticket cannot be used to gain additional tickets
-(renewals or otherwise) once the theft has been reported. Any normal ticket
-obtained before it was reported stolen will still be valid (because they
-require no interaction with the KDC), but only until their normal
-expiration time.
-
-The ciphertext part of the response in the KRB_TGS_REP message is encrypted
-in the sub-session key from the Authenticator, if present, or the session
-key key from the ticket-granting ticket. It is not encrypted using the
-client's secret key.
Furthermore, the client's key's expiration date and -the key version number fields are left out since these values are stored -along with the client's database record, and that record is not needed to - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -satisfy a request based on a ticket-granting ticket. See section A.6 for -pseudocode. - -3.3.3.2. Encoding the transited field - -If the identity of the server in the TGT that is presented to the KDC as -part of the authentication header is that of the ticket-granting service, -but the TGT was issued from another realm, the KDC will look up the -inter-realm key shared with that realm and use that key to decrypt the -ticket. If the ticket is valid, then the KDC will honor the request, -subject to the constraints outlined above in the section describing the AS -exchange. The realm part of the client's identity will be taken from the -ticket-granting ticket. The name of the realm that issued the -ticket-granting ticket will be added to the transited field of the ticket -to be issued. This is accomplished by reading the transited field from the -ticket-granting ticket (which is treated as an unordered set of realm -names), adding the new realm to the set, then constructing and writing out -its encoded (shorthand) form (this may involve a rearrangement of the -existing encoding). - -Note that the ticket-granting service does not add the name of its own -realm. Instead, its responsibility is to add the name of the previous -realm. This prevents a malicious Kerberos server from intentionally leaving -out its own name (it could, however, omit other realms' names). - -The names of neither the local realm nor the principal's realm are to be -included in the transited field. They appear elsewhere in the ticket and -both are known to have taken part in authenticating the principal. 
Since -the endpoints are not included, both local and single-hop inter-realm -authentication result in a transited field that is empty. - -Because the name of each realm transited is added to this field, it might -potentially be very long. To decrease the length of this field, its -contents are encoded. The initially supported encoding is optimized for the -normal case of inter-realm communication: a hierarchical arrangement of -realms using either domain or X.500 style realm names. This encoding -(called DOMAIN-X500-COMPRESS) is now described. - -Realm names in the transited field are separated by a ",". The ",", "\", -trailing "."s, and leading spaces (" ") are special characters, and if they -are part of a realm name, they must be quoted in the transited field by -preced- ing them with a "\". - -A realm name ending with a "." is interpreted as being prepended to the -previous realm. For example, we can encode traversal of EDU, MIT.EDU, -ATHENA.MIT.EDU, WASHINGTON.EDU, and CS.WASHINGTON.EDU as: - - "EDU,MIT.,ATHENA.,WASHINGTON.EDU,CS.". - -Note that if ATHENA.MIT.EDU, or CS.WASHINGTON.EDU were end-points, that -they would not be included in this field, and we would have: - - "EDU,MIT.,WASHINGTON.EDU" - -A realm name beginning with a "/" is interpreted as being appended to the -previous realm[18]. If it is to stand by itself, then it should be preceded -by a space (" "). For example, we can encode traversal of /COM/HP/APOLLO, -/COM/HP, /COM, and /COM/DEC as: - - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - "/COM,/HP,/APOLLO, /COM/DEC". - -Like the example above, if /COM/HP/APOLLO and /COM/DEC are endpoints, they -they would not be included in this field, and we would have: - - "/COM,/HP" - -A null subfield preceding or following a "," indicates that all realms -between the previous realm and the next realm have been traversed[19]. 
-Thus, "," means that all realms along the path between the client and the -server have been traversed. ",EDU, /COM," means that that all realms from -the client's realm up to EDU (in a domain style hierarchy) have been -traversed, and that everything from /COM down to the server's realm in an -X.500 style has also been traversed. This could occur if the EDU realm in -one hierarchy shares an inter-realm key directly with the /COM realm in -another hierarchy. - -3.3.4. Receipt of KRB_TGS_REP message - -When the KRB_TGS_REP is received by the client, it is processed in the same -manner as the KRB_AS_REP processing described above. The primary difference -is that the ciphertext part of the response must be decrypted using the -session key from the ticket-granting ticket rather than the client's secret -key. See section A.7 for pseudocode. - -3.4. The KRB_SAFE Exchange - -The KRB_SAFE message may be used by clients requiring the ability to detect -modifications of messages they exchange. It achieves this by including a -keyed collision-proof checksum of the user data and some control -information. The checksum is keyed with an encryption key (usually the last -key negotiated via subkeys, or the session key if no negotiation has -occured). - -3.4.1. Generation of a KRB_SAFE message - -When an application wishes to send a KRB_SAFE message, it collects its data -and the appropriate control information and computes a checksum over them. -The checksum algorithm should be a keyed one-way hash function (such as the -RSA- MD5-DES checksum algorithm specified in section 6.4.5, or the DES -MAC), generated using the sub-session key if present, or the session key. -Different algorithms may be selected by changing the checksum type in the -message. Unkeyed or non-collision-proof checksums are not suitable for this -use. - -The control information for the KRB_SAFE message includes both a timestamp -and a sequence number. 
The designer of an application using the KRB_SAFE -message must choose at least one of the two mechanisms. This choice should -be based on the needs of the application protocol. - -Sequence numbers are useful when all messages sent will be received by -one's peer. Connection state is presently required to maintain the session -key, so maintaining the next sequence number should not present an -additional problem. - -If the application protocol is expected to tolerate lost messages without -them being resent, the use of the timestamp is the appropriate replay -detection mechanism. Using timestamps is also the appropriate mechanism for -multi-cast protocols where all of one's peers share a common sub-session - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -key, but some messages will be sent to a subset of one's peers. - -After computing the checksum, the client then transmits the information and -checksum to the recipient in the message format specified in section 5.6.1. - -3.4.2. Receipt of KRB_SAFE message - -When an application receives a KRB_SAFE message, it verifies it as follows. -If any error occurs, an error code is reported for use by the application. - -The message is first checked by verifying that the protocol version and -type fields match the current version and KRB_SAFE, respectively. A -mismatch generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. -The application verifies that the checksum used is a collision-proof keyed -checksum, and if it is not, a KRB_AP_ERR_INAPP_CKSUM error is generated. -The recipient verifies that the operating system's report of the sender's -address matches the sender's address in the message, and (if a recipient -address is specified or the recipient requires an address) that one of the -recipient's addresses appears as the recipient's address in the message. A -failed match for either case generates a KRB_AP_ERR_BADADDR error. 
Then the -timestamp and usec and/or the sequence number fields are checked. If -timestamp and usec are expected and not present, or they are present but -not current, the KRB_AP_ERR_SKEW error is generated. If the server name, -along with the client name, time and microsecond fields from the -Authenticator match any recently-seen (sent or received[20] ) such tuples, -the KRB_AP_ERR_REPEAT error is generated. If an incorrect sequence number -is included, or a sequence number is expected but not present, the -KRB_AP_ERR_BADORDER error is generated. If neither a time-stamp and usec or -a sequence number is present, a KRB_AP_ERR_MODIFIED error is generated. -Finally, the checksum is computed over the data and control information, -and if it doesn't match the received checksum, a KRB_AP_ERR_MODIFIED error -is generated. - -If all the checks succeed, the application is assured that the message was -generated by its peer and was not modi- fied in transit. - -3.5. The KRB_PRIV Exchange - -The KRB_PRIV message may be used by clients requiring confidentiality and -the ability to detect modifications of exchanged messages. It achieves this -by encrypting the messages and adding control information. - -3.5.1. Generation of a KRB_PRIV message - -When an application wishes to send a KRB_PRIV message, it collects its data -and the appropriate control information (specified in section 5.7.1) and -encrypts them under an encryption key (usually the last key negotiated via -subkeys, or the session key if no negotiation has occured). As part of the -control information, the client must choose to use either a timestamp or a -sequence number (or both); see the discussion in section 3.4.1 for -guidelines on which to use. After the user data and control information are -encrypted, the client transmits the ciphertext and some 'envelope' -information to the recipient. - -3.5.2. Receipt of KRB_PRIV message - -When an application receives a KRB_PRIV message, it verifies it as follows. 
-If any error occurs, an error code is reported for use by the application. - - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -The message is first checked by verifying that the protocol version and -type fields match the current version and KRB_PRIV, respectively. A -mismatch generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. -The application then decrypts the ciphertext and processes the resultant -plaintext. If decryption shows the data to have been modified, a -KRB_AP_ERR_BAD_INTEGRITY error is generated. The recipient verifies that -the operating system's report of the sender's address matches the sender's -address in the message, and (if a recipient address is specified or the -recipient requires an address) that one of the recipient's addresses -appears as the recipient's address in the message. A failed match for -either case generates a KRB_AP_ERR_BADADDR error. Then the timestamp and -usec and/or the sequence number fields are checked. If timestamp and usec -are expected and not present, or they are present but not current, the -KRB_AP_ERR_SKEW error is generated. If the server name, along with the -client name, time and microsecond fields from the Authenticator match any -recently-seen such tuples, the KRB_AP_ERR_REPEAT error is generated. If an -incorrect sequence number is included, or a sequence number is expected but -not present, the KRB_AP_ERR_BADORDER error is generated. If neither a -time-stamp and usec or a sequence number is present, a KRB_AP_ERR_MODIFIED -error is generated. - -If all the checks succeed, the application can assume the message was -generated by its peer, and was securely transmitted (without intruders able -to see the unencrypted contents). - -3.6. The KRB_CRED Exchange - -The KRB_CRED message may be used by clients requiring the ability to send -Kerberos credentials from one host to another. 
It achieves this by sending -the tickets together with encrypted data containing the session keys and -other information associated with the tickets. - -3.6.1. Generation of a KRB_CRED message - -When an application wishes to send a KRB_CRED message it first (using the -KRB_TGS exchange) obtains credentials to be sent to the remote host. It -then constructs a KRB_CRED message using the ticket or tickets so obtained, -placing the session key needed to use each ticket in the key field of the -corresponding KrbCredInfo sequence of the encrypted part of the the -KRB_CRED message. - -Other information associated with each ticket and obtained during the -KRB_TGS exchange is also placed in the corresponding KrbCredInfo sequence -in the encrypted part of the KRB_CRED message. The current time and, if -specifically required by the application the nonce, s-address, and -r-address fields, are placed in the encrypted part of the KRB_CRED message -which is then encrypted under an encryption key previosuly exchanged in the -KRB_AP exchange (usually the last key negotiated via subkeys, or the -session key if no negotiation has occured). - -3.6.2. Receipt of KRB_CRED message - -When an application receives a KRB_CRED message, it verifies it. If any -error occurs, an error code is reported for use by the application. The -message is verified by checking that the protocol version and type fields -match the current version and KRB_CRED, respectively. A mismatch generates -a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The application then -decrypts the ciphertext and processes the resultant plaintext. If -decryption shows the data to have been modified, a KRB_AP_ERR_BAD_INTEGRITY - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -error is generated. 
- -If present or required, the recipient verifies that the operating system's -report of the sender's address matches the sender's address in the message, -and that one of the recipient's addresses appears as the recipient's -address in the message. A failed match for either case generates a -KRB_AP_ERR_BADADDR error. The timestamp and usec fields (and the nonce -field if required) are checked next. If the timestamp and usec are not -present, or they are present but not current, the KRB_AP_ERR_SKEW error is -generated. - -If all the checks succeed, the application stores each of the new tickets -in its ticket cache together with the session key and other information in -the corresponding KrbCredInfo sequence from the encrypted part of the -KRB_CRED message. - -4. The Kerberos Database - -The Kerberos server must have access to a database contain- ing the -principal identifiers and secret keys of principals to be -authenticated[21]. - -4.1. Database contents - -A database entry should contain at least the following fields: - -Field Value - -name Principal's identifier -key Principal's secret key -p_kvno Principal's key version -max_life Maximum lifetime for Tickets -max_renewable_life Maximum total lifetime for renewable Tickets - -The name field is an encoding of the principal's identifier. The key field -contains an encryption key. This key is the principal's secret key. (The -key can be encrypted before storage under a Kerberos "master key" to -protect it in case the database is compromised but the master key is not. -In that case, an extra field must be added to indicate the master key -version used, see below.) The p_kvno field is the key version number of the -principal's secret key. The max_life field contains the maximum allowable -lifetime (endtime - starttime) for any Ticket issued for this principal. -The max_renewable_life field contains the maximum allowable total lifetime -for any renewable Ticket issued for this principal. 
(See section 3.1 for a -description of how these lifetimes are used in determining the lifetime of -a given Ticket.) - -A server may provide KDC service to several realms, as long as the database -representation provides a mechanism to distinguish between principal -records with identifiers which differ only in the realm name. - -When an application server's key changes, if the change is routine (i.e. -not the result of disclosure of the old key), the old key should be -retained by the server until all tickets that had been issued using that -key have expired. Because of this, it is possible for several keys to be -active for a single principal. Ciphertext encrypted in a principal's key is -always tagged with the version of the key that was used for encryption, to -help the recipient find the proper key for decryption. - - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -When more than one key is active for a particular principal, the principal -will have more than one record in the Kerberos database. The keys and key -version numbers will differ between the records (the rest of the fields may -or may not be the same). Whenever Kerberos issues a ticket, or responds to -a request for initial authentication, the most recent key (known by the -Kerberos server) will be used for encryption. This is the key with the -highest key version number. - -4.2. Additional fields - -Project Athena's KDC implementation uses additional fields in its database: - -Field Value - -K_kvno Kerberos' key version -expiration Expiration date for entry -attributes Bit field of attributes -mod_date Timestamp of last modification -mod_name Modifying principal's identifier - -The K_kvno field indicates the key version of the Kerberos master key under -which the principal's secret key is encrypted. 
- -After an entry's expiration date has passed, the KDC will return an error -to any client attempting to gain tickets as or for the principal. (A -database may want to maintain two expiration dates: one for the principal, -and one for the principal's current key. This allows password aging to work -independently of the principal's expiration date. However, due to the -limited space in the responses, the KDC must combine the key expiration and -principal expiration date into a single value called 'key_exp', which is -used as a hint to the user to take administrative action.) - -The attributes field is a bitfield used to govern the operations involving -the principal. This field might be useful in conjunction with user -registration procedures, for site-specific policy implementations (Project -Athena currently uses it for their user registration process controlled by -the system-wide database service, Moira [LGDSR87]), to identify whether a -principal can play the role of a client or server or both, to note whether -a server is appropriate trusted to recieve credentials delegated by a -client, or to identify the 'string to key' conversion algorithm used for a -principal's key[22]. Other bits are used to indicate that certain ticket -options should not be allowed in tickets encrypted under a principal's key -(one bit each): Disallow issuing postdated tickets, disallow issuing -forwardable tickets, disallow issuing tickets based on TGT authentication, -disallow issuing renewable tickets, disallow issuing proxiable tickets, and -disallow issuing tickets for which the principal is the server. - -The mod_date field contains the time of last modification of the entry, and -the mod_name field contains the name of the principal which last modified -the entry. - -4.3. Frequently Changing Fields - -Some KDC implementations may wish to maintain the last time that a request -was made by a particular principal. 
Information that might be maintained -includes the time of the last request, the time of the last request for a -ticket-granting ticket, the time of the last use of a ticket-granting -ticket, or other times. This information can then be returned to the user -in the last-req field (see section 5.2). - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - -Other frequently changing information that can be maintained is the latest -expiration time for any tickets that have been issued using each key. This -field would be used to indicate how long old keys must remain valid to -allow the continued use of outstanding tickets. - -4.4. Site Constants - -The KDC implementation should have the following configurable constants or -options, to allow an administrator to make and enforce policy decisions: - - * The minimum supported lifetime (used to determine whether the - KDC_ERR_NEVER_VALID error should be returned). This constant should - reflect reasonable expectations of round-trip time to the KDC, - encryption/decryption time, and processing time by the client and - target server, and it should allow for a minimum 'useful' lifetime. - * The maximum allowable total (renewable) lifetime of a ticket - (renew_till - starttime). - * The maximum allowable lifetime of a ticket (endtime - starttime). - * Whether to allow the issue of tickets with empty address fields - (including the ability to specify that such tickets may only be issued - if the request specifies some authorization_data). - * Whether proxiable, forwardable, renewable or post-datable tickets are - to be issued. - -5. Message Specifications - -The following sections describe the exact contents and encoding of protocol -messages and objects. The ASN.1 base definitions are presented in the first -subsection. The remaining subsections specify the protocol objects (tickets -and authenticators) and messages. 
Specification of encryption and checksum -techniques, and the fields related to them, appear in section 6. - -Optional field in ASN.1 sequences - -For optional integer value and date fields in ASN.1 sequences where a -default value has been specified, certain default values will not be -allowed in the encoding because these values will always be represented -through defaulting by the absence of the optional field. For example, one -will not send a microsecond zero value because one must make sure that -there is only one way to encode this value. - -Additional fields in ASN.1 sequences - -Implementations receiving Kerberos messages with additional fields present -in ASN.1 sequences should carry the those fields through unmodified when -the message is forwarded. Implementation should drop such fields if the -sequence is reencoded. - -5.1. ASN.1 Distinguished Encoding Representation - -All uses of ASN.1 in Kerberos shall use the Distinguished Encoding -Representation of the data elements as described in the X.509 -specification, section 8.7 [X509-88]. - -5.3. ASN.1 Base Definitions - -The following ASN.1 base definitions are used in the rest of this section. -Note that since the underscore character (_) is not permitted in ASN.1 - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -names, the hyphen (-) is used in its place for the purposes of ASN.1 names. - -Realm ::= GeneralString -PrincipalName ::= SEQUENCE { - name-type[0] INTEGER, - name-string[1] SEQUENCE OF GeneralString -} - -Kerberos realms are encoded as GeneralStrings. Realms shall not contain a -character with the code 0 (the ASCII NUL). Most realms will usually consist -of several components separated by periods (.), in the style of Internet -Domain Names, or separated by slashes (/) in the style of X.500 names. -Acceptable forms for realm names are specified in section 7. 
A -PrincipalName is a typed sequence of components consisting of the following -sub-fields: - -name-type - This field specifies the type of name that follows. Pre-defined values - for this field are specified in section 7.2. The name-type should be - treated as a hint. Ignoring the name type, no two names can be the - same (i.e. at least one of the components, or the realm, must be - different). This constraint may be eliminated in the future. -name-string - This field encodes a sequence of components that form a name, each - component encoded as a GeneralString. Taken together, a PrincipalName - and a Realm form a principal identifier. Most PrincipalNames will have - only a few components (typically one or two). - -KerberosTime ::= GeneralizedTime - -- Specifying UTC time zone (Z) - -The timestamps used in Kerberos are encoded as GeneralizedTimes. An -encoding shall specify the UTC time zone (Z) and shall not include any -fractional portions of the seconds. It further shall not include any -separators. Example: The only valid format for UTC time 6 minutes, 27 -seconds after 9 pm on 6 November 1985 is 19851106210627Z. - -HostAddress ::= SEQUENCE { - addr-type[0] INTEGER, - address[1] OCTET STRING -} - -HostAddresses ::= SEQUENCE OF HostAddress - -The host adddress encodings consists of two fields: - -addr-type - This field specifies the type of address that follows. Pre-defined - values for this field are specified in section 8.1. -address - This field encodes a single address of type addr-type. - -The two forms differ slightly. HostAddress contains exactly one address; -HostAddresses contains a sequence of possibly many addresses. 
- -AuthorizationData ::= SEQUENCE OF SEQUENCE { - ad-type[0] INTEGER, - ad-data[1] OCTET STRING -} - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - -ad-data - This field contains authorization data to be interpreted according to - the value of the corresponding ad-type field. -ad-type - This field specifies the format for the ad-data subfield. All negative - values are reserved for local use. Non-negative values are reserved - for registered use. - -Each sequence of type and data is refered to as an authorization element. -Elements may be application specific, however, there is a common set of -recursive elements that should be understood by all implementations. These -elements contain other elements embedded within them, and the -interpretation of the encapsulating element determines which of the -embedded elements must be interpreted, and which may be ignored. -Definitions for these common elements may be found in Appendix B. - -TicketExtensions ::= SEQUENCE OF SEQUENCE { - te-type[0] INTEGER, - te-data[1] OCTET STRING -} - - - -te-data - This field contains opaque data that must be caried with the ticket to - support extensions to the Kerberos protocol including but not limited - to some forms of inter-realm key exchange and plaintext authorization - data. See appendix C for some common uses of this field. -te-type - This field specifies the format for the te-data subfield. All negative - values are reserved for local use. Non-negative values are reserved - for registered use. 
- -APOptions ::= BIT STRING - -- reserved(0), - -- use-session-key(1), - -- mutual-required(2) - -TicketFlags ::= BIT STRING - -- reserved(0), - -- forwardable(1), - -- forwarded(2), - -- proxiable(3), - -- proxy(4), - -- may-postdate(5), - -- postdated(6), - -- invalid(7), - -- renewable(8), - -- initial(9), - -- pre-authent(10), - -- hw-authent(11), - -- transited-policy-checked(12), - -- ok-as-delegate(13) - -KDCOptions ::= BIT STRING - -- reserved(0), - -- forwardable(1), - -- forwarded(2), - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - -- proxiable(3), - -- proxy(4), - -- allow-postdate(5), - -- postdated(6), - -- unused7(7), - -- renewable(8), - -- unused9(9), - -- unused10(10), - -- unused11(11), - -- unused12(12), - -- unused13(13), - -- disable-transited-check(26), - -- renewable-ok(27), - -- enc-tkt-in-skey(28), - -- renew(30), - -- validate(31) - -ASN.1 Bit strings have a length and a value. When used in Kerberos for the -APOptions, TicketFlags, and KDCOptions, the length of the bit string on -generated values should be the smallest number of bits needed to include -the highest order bit that is set (1), but in no case less than 32 bits. -The ASN.1 representation of the bit strings uses unnamed bits, with the -meaning of the individual bits defined by the comments in the specification -above. Implementations should accept values of bit strings of any length -and treat the value of flags corresponding to bits beyond the end of the -bit string as if the bit were reset (0). Comparison of bit strings of -different length should treat the smaller string as if it were padded with -zeros beyond the high order bits to the length of the longer string[23]. - -LastReq ::= SEQUENCE OF SEQUENCE { - lr-type[0] INTEGER, - lr-value[1] KerberosTime -} - -lr-type - This field indicates how the following lr-value field is to be - interpreted. 
Negative values indicate that the information pertains - only to the responding server. Non-negative values pertain to all - servers for the realm. If the lr-type field is zero (0), then no - information is conveyed by the lr-value subfield. If the absolute - value of the lr-type field is one (1), then the lr-value subfield is - the time of last initial request for a TGT. If it is two (2), then the - lr-value subfield is the time of last initial request. If it is three - (3), then the lr-value subfield is the time of issue for the newest - ticket-granting ticket used. If it is four (4), then the lr-value - subfield is the time of the last renewal. If it is five (5), then the - lr-value subfield is the time of last request (of any type). If it is - (6), then the lr-value subfield is the time when the password will - expire. -lr-value - This field contains the time of the last request. the time must be - interpreted according to the contents of the accompanying lr-type - subfield. - -See section 6 for the definitions of Checksum, ChecksumType, EncryptedData, -EncryptionKey, EncryptionType, and KeyType. - -5.3. Tickets and Authenticators - - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -This section describes the format and encryption parameters for tickets and -authenticators. When a ticket or authenticator is included in a protocol -message it is treated as an opaque object. - -5.3.1. Tickets - -A ticket is a record that helps a client authenticate to a service. 
A -Ticket contains the following information: - -Ticket ::= [APPLICATION 1] SEQUENCE { - tkt-vno[0] INTEGER, - realm[1] Realm, - sname[2] PrincipalName, - enc-part[3] EncryptedData, - extensions[4] TicketExtensions OPTIONAL -} - --- Encrypted part of ticket -EncTicketPart ::= [APPLICATION 3] SEQUENCE { - flags[0] TicketFlags, - key[1] EncryptionKey, - crealm[2] Realm, - cname[3] PrincipalName, - transited[4] TransitedEncoding, - authtime[5] KerberosTime, - starttime[6] KerberosTime OPTIONAL, - endtime[7] KerberosTime, - renew-till[8] KerberosTime OPTIONAL, - caddr[9] HostAddresses OPTIONAL, - authorization-data[10] AuthorizationData OPTIONAL -} --- encoded Transited field -TransitedEncoding ::= SEQUENCE { - tr-type[0] INTEGER, -- must be -registered - contents[1] OCTET STRING -} - -The encoding of EncTicketPart is encrypted in the key shared by Kerberos -and the end server (the server's secret key). See section 6 for the format -of the ciphertext. - -tkt-vno - This field specifies the version number for the ticket format. This - document describes version number 5. -realm - This field specifies the realm that issued a ticket. It also serves to - identify the realm part of the server's principal identifier. Since a - Kerberos server can only issue tickets for servers within its realm, - the two will always be identical. -sname - This field specifies the name part of the server's identity. -enc-part - This field holds the encrypted encoding of the EncTicketPart sequence. -extensions - This optional field contains a sequence of extentions that may be used - to carry information that must be carried with the ticket to support - several extensions, including but not limited to plaintext - authorization data, tokens for exchanging inter-realm keys, and other - information that must be associated with a ticket for use by the - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - application server. 
See Appendix C for definitions of some common - extensions. - - Note that some older versions of Kerberos did not support this field. - Because this is an optional field it will not break older clients, but - older clients might strip this field from the ticket before sending it - to the application server. This limits the usefulness of this ticket - field to environments where the ticket will not be parsed and - reconstructed by these older Kerberos clients. - - If it is known that the client will strip this field from the ticket, - as an interim measure the KDC may append this field to the end of the - enc-part of the ticket and append a traler indicating the lenght of - the appended extensions field. (this paragraph is open for discussion, - including the form of the traler). -flags - This field indicates which of various options were used or requested - when the ticket was issued. It is a bit-field, where the selected - options are indicated by the bit being set (1), and the unselected - options and reserved fields being reset (0). Bit 0 is the most - significant bit. The encoding of the bits is specified in section 5.2. - The flags are described in more detail above in section 2. The - meanings of the flags are: - - Bit(s) Name Description - - 0 RESERVED - Reserved for future expansion of this - field. - - 1 FORWARDABLE - The FORWARDABLE flag is normally only - interpreted by the TGS, and can be - ignored by end servers. When set, this - flag tells the ticket-granting server - that it is OK to issue a new ticket- - granting ticket with a different network - address based on the presented ticket. - - 2 FORWARDED - When set, this flag indicates that the - ticket has either been forwarded or was - issued based on authentication involving - a forwarded ticket-granting ticket. - - 3 PROXIABLE - The PROXIABLE flag is normally only - interpreted by the TGS, and can be - ignored by end servers. 
The PROXIABLE - flag has an interpretation identical to - that of the FORWARDABLE flag, except - that the PROXIABLE flag tells the - ticket-granting server that only non- - ticket-granting tickets may be issued - with different network addresses. - - 4 PROXY - When set, this flag indicates that a - ticket is a proxy. - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - - 5 MAY-POSTDATE - The MAY-POSTDATE flag is normally only - interpreted by the TGS, and can be - ignored by end servers. This flag tells - the ticket-granting server that a post- - dated ticket may be issued based on this - ticket-granting ticket. - - 6 POSTDATED - This flag indicates that this ticket has - been postdated. The end-service can - check the authtime field to see when the - original authentication occurred. - - 7 INVALID - This flag indicates that a ticket is - invalid, and it must be validated by the - KDC before use. Application servers - must reject tickets which have this flag - set. - - 8 RENEWABLE - The RENEWABLE flag is normally only - interpreted by the TGS, and can usually - be ignored by end servers (some particu- - larly careful servers may wish to disal- - low renewable tickets). A renewable - ticket can be used to obtain a replace- - ment ticket that expires at a later - date. - - 9 INITIAL - This flag indicates that this ticket was - issued using the AS protocol, and not - issued based on a ticket-granting - ticket. - - 10 PRE-AUTHENT - This flag indicates that during initial - authentication, the client was authenti- - cated by the KDC before a ticket was - issued. The strength of the pre- - authentication method is not indicated, - but is acceptable to the KDC. - - 11 HW-AUTHENT - This flag indicates that the protocol - employed for initial authentication - required the use of hardware expected to - be possessed solely by the named client. 
- The hardware authentication method is - selected by the KDC and the strength of - the method is not indicated. - - 12 TRANSITED This flag indicates that the KDC for the - POLICY-CHECKED realm has checked the transited field - against a realm defined policy for - trusted certifiers. If this flag is - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - reset (0), then the application server - must check the transited field itself, - and if unable to do so it must reject - the authentication. If the flag is set - (1) then the application server may skip - its own validation of the transited - field, relying on the validation - performed by the KDC. At its option the - application server may still apply its - own validation based on a separate - policy for acceptance. - - 13 OK-AS-DELEGATE This flag indicates that the server (not - the client) specified in the ticket has - been determined by policy of the realm - to be a suitable recipient of - delegation. A client can use the - presence of this flag to help it make a - decision whether to delegate credentials - (either grant a proxy or a forwarded - ticket granting ticket) to this server. - The client is free to ignore the value - of this flag. When setting this flag, - an administrator should consider the - Security and placement of the server on - which the service will run, as well as - whether the service requires the use of - delegated credentials. - - 14 ANONYMOUS - This flag indicates that the principal - named in the ticket is a generic princi- - pal for the realm and does not identify - the individual using the ticket. The - purpose of the ticket is only to - securely distribute a session key, and - not to identify the user. Subsequent - requests using the same ticket and ses- - sion may be considered as originating - from the same user, but requests with - the same username but a different ticket - are likely to originate from different - users. 
- - 15-31 RESERVED - Reserved for future use. - -key - This field exists in the ticket and the KDC response and is used to - pass the session key from Kerberos to the application server and the - client. The field's encoding is described in section 6.2. -crealm - This field contains the name of the realm in which the client is - registered and in which initial authentication took place. -cname - This field contains the name part of the client's principal - identifier. -transited - This field lists the names of the Kerberos realms that took part in - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - authenticating the user to whom this ticket was issued. It does not - specify the order in which the realms were transited. See section - 3.3.3.2 for details on how this field encodes the traversed realms. - When the names of CA's are to be embedded inthe transited field (as - specified for some extentions to the protocol), the X.500 names of the - CA's should be mapped into items in the transited field using the - mapping defined by RFC2253. -authtime - This field indicates the time of initial authentication for the named - principal. It is the time of issue for the original ticket on which - this ticket is based. It is included in the ticket to provide - additional information to the end service, and to provide the - necessary information for implementation of a `hot list' service at - the KDC. An end service that is particularly paranoid could refuse to - accept tickets for which the initial authentication occurred "too far" - in the past. This field is also returned as part of the response from - the KDC. When returned as part of the response to initial - authentication (KRB_AS_REP), this is the current time on the Ker- - beros server[24]. -starttime - This field in the ticket specifies the time after which the ticket is - valid. Together with endtime, this field specifies the life of the - ticket. 
If it is absent from the ticket, its value should be treated - as that of the authtime field. -endtime - This field contains the time after which the ticket will not be - honored (its expiration time). Note that individual services may place - their own limits on the life of a ticket and may reject tickets which - have not yet expired. As such, this is really an upper bound on the - expiration time for the ticket. -renew-till - This field is only present in tickets that have the RENEWABLE flag set - in the flags field. It indicates the maximum endtime that may be - included in a renewal. It can be thought of as the absolute expiration - time for the ticket, including all renewals. -caddr - This field in a ticket contains zero (if omitted) or more (if present) - host addresses. These are the addresses from which the ticket can be - used. If there are no addresses, the ticket can be used from any - location. The decision by the KDC to issue or by the end server to - accept zero-address tickets is a policy decision and is left to the - Kerberos and end-service administrators; they may refuse to issue or - accept such tickets. The suggested and default policy, however, is - that such tickets will only be issued or accepted when additional - information that can be used to restrict the use of the ticket is - included in the authorization_data field. Such a ticket is a - capability. - - Network addresses are included in the ticket to make it harder for an - attacker to use stolen credentials. Because the session key is not - sent over the network in cleartext, credentials can't be stolen simply - by listening to the network; an attacker has to gain access to the - session key (perhaps through operating system security breaches or a - careless user's unattended session) to make use of stolen tickets. - - It is important to note that the network address from which a - connection is received cannot be reliably determined. 
Even if it could - be, an attacker who has compromised the client's worksta- tion could - use the credentials from there. Including the network addresses only - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - makes it more difficult, not impossible, for an attacker to walk off - with stolen credentials and then use them from a "safe" location. -authorization-data - The authorization-data field is used to pass authorization data from - the principal on whose behalf a ticket was issued to the application - service. If no authorization data is included, this field will be left - out. Experience has shown that the name of this field is confusing, - and that a better name for this field would be restrictions. - Unfortunately, it is not possible to change the name of this field at - this time. - - This field contains restrictions on any authority obtained on the - basis of authentication using the ticket. It is possible for any - principal in posession of credentials to add entries to the - authorization data field since these entries further restrict what can - be done with the ticket. Such additions can be made by specifying the - additional entries when a new ticket is obtained during the TGS - exchange, or they may be added during chained delegation using the - authorization data field of the authenticator. - - Because entries may be added to this field by the holder of - credentials, it is not allowable for the presence of an entry in the - authorization data field of a ticket to amplify the priveleges one - would obtain from using a ticket. - - The data in this field may be specific to the end service; the field - will contain the names of service specific objects, and the rights to - those objects. The format for this field is described in section 5.2. - Although Kerberos is not concerned with the format of the contents of - the sub-fields, it does carry type information (ad-type). 
-
- By using the authorization_data field, a principal is able to issue a
- proxy that is valid for a specific purpose. For example, a client
- wishing to print a file can obtain a file server proxy to be passed to
- the print server. By specifying the name of the file in the
- authorization_data field, the file server knows that the print server
- can only use the client's rights when accessing the particular file to
- be printed.
-
- A separate service providing authorization or certifying group
- membership may be built using the authorization-data field. In this
- case, the entity granting authorization (not the authorized entity),
- obtains a ticket in its own name (e.g. the ticket is issued in the
- name of a privelege server), and this entity adds restrictions on its
- own authority and delegates the restricted authority through a proxy
- to the client. The client would then present this authorization
- credential to the application server separately from the
- authentication exchange.
-
- Similarly, if one specifies the authorization-data field of a proxy
- and leaves the host addresses blank, the resulting ticket and session
- key can be treated as a capability. See [Neu93] for some suggested
- uses of this field.
-
- The authorization-data field is optional and does not have to be
- included in a ticket.
-
-5.3.2. Authenticators
-
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-An authenticator is a record sent with a ticket to a server to certify the
-client's knowledge of the encryption key in the ticket, to help the server
-detect replays, and to help choose a "true session key" to use with the
-particular session. 
The encoding is encrypted in the ticket's session key -shared by the client and the server: - --- Unencrypted authenticator -Authenticator ::= [APPLICATION 2] SEQUENCE { - authenticator-vno[0] INTEGER, - crealm[1] Realm, - cname[2] PrincipalName, - cksum[3] Checksum OPTIONAL, - cusec[4] INTEGER, - ctime[5] KerberosTime, - subkey[6] EncryptionKey OPTIONAL, - seq-number[7] INTEGER OPTIONAL, - authorization-data[8] AuthorizationData OPTIONAL -} - - -authenticator-vno - This field specifies the version number for the format of the - authenticator. This document specifies version 5. -crealm and cname - These fields are the same as those described for the ticket in section - 5.3.1. -cksum - This field contains a checksum of the the applica- tion data that - accompanies the KRB_AP_REQ. -cusec - This field contains the microsecond part of the client's timestamp. - Its value (before encryption) ranges from 0 to 999999. It often - appears along with ctime. The two fields are used together to specify - a reasonably accurate timestamp. -ctime - This field contains the current time on the client's host. -subkey - This field contains the client's choice for an encryption key which is - to be used to protect this specific application session. Unless an - application specifies otherwise, if this field is left out the session - key from the ticket will be used. -seq-number - This optional field includes the initial sequence number to be used by - the KRB_PRIV or KRB_SAFE messages when sequence numbers are used to - detect replays (It may also be used by application specific messages). - When included in the authenticator this field specifies the initial - sequence number for messages from the client to the server. When - included in the AP-REP message, the initial sequence number is that - for messages from the server to the client. When used in KRB_PRIV or - KRB_SAFE messages, it is incremented by one after each message is - sent. 
Sequence numbers fall in the range of 0 through 2^32 - 1 and - wrap to zero following the value 2^32 - 1. - - For sequence numbers to adequately support the detection of replays - they should be non-repeating, even across connection boundaries. The - initial sequence number should be random and uniformly distributed - across the full space of possible sequence numbers, so that it cannot - be guessed by an attacker and so that it and the successive sequence - numbers do not repeat other sequences. - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -authorization-data - This field is the same as described for the ticket in section 5.3.1. - It is optional and will only appear when additional restrictions are - to be placed on the use of a ticket, beyond those carried in the - ticket itself. - -5.4. Specifications for the AS and TGS exchanges - -This section specifies the format of the messages used in the exchange -between the client and the Kerberos server. The format of possible error -messages appears in section 5.9.1. - -5.4.1. KRB_KDC_REQ definition - -The KRB_KDC_REQ message has no type of its own. Instead, its type is one of -KRB_AS_REQ or KRB_TGS_REQ depending on whether the request is for an -initial ticket or an additional ticket. In either case, the message is sent -from the client to the Authentication Server to request credentials for a -service. 
- -The message fields are: - -AS-REQ ::= [APPLICATION 10] KDC-REQ -TGS-REQ ::= [APPLICATION 12] KDC-REQ - -KDC-REQ ::= SEQUENCE { - pvno[1] INTEGER, - msg-type[2] INTEGER, - padata[3] SEQUENCE OF PA-DATA OPTIONAL, - req-body[4] KDC-REQ-BODY -} - -PA-DATA ::= SEQUENCE { - padata-type[1] INTEGER, - padata-value[2] OCTET STRING, - -- might be encoded AP-REQ -} - -KDC-REQ-BODY ::= SEQUENCE { - kdc-options[0] KDCOptions, - cname[1] PrincipalName OPTIONAL, - -- Used only in AS-REQ - realm[2] Realm, -- Server's realm - -- Also client's in AS-REQ - sname[3] PrincipalName OPTIONAL, - from[4] KerberosTime OPTIONAL, - till[5] KerberosTime OPTIONAL, - rtime[6] KerberosTime OPTIONAL, - nonce[7] INTEGER, - etype[8] SEQUENCE OF INTEGER, - -- EncryptionType, - -- in preference order - addresses[9] HostAddresses OPTIONAL, - enc-authorization-data[10] EncryptedData OPTIONAL, - -- Encrypted AuthorizationData - -- encoding - additional-tickets[11] SEQUENCE OF Ticket OPTIONAL -} - - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -The fields in this message are: - -pvno - This field is included in each message, and specifies the protocol - version number. This document specifies protocol version 5. -msg-type - This field indicates the type of a protocol message. It will almost - always be the same as the application identifier associated with a - message. It is included to make the identifier more readily accessible - to the application. For the KDC-REQ message, this type will be - KRB_AS_REQ or KRB_TGS_REQ. -padata - The padata (pre-authentication data) field contains a sequence of - authentication information which may be needed before credentials can - be issued or decrypted. In the case of requests for additional tickets - (KRB_TGS_REQ), this field will include an element with padata-type of - PA-TGS-REQ and data of an authentication header (ticket-granting - ticket and authenticator). 
The checksum in the authenticator (which - must be collision-proof) is to be computed over the KDC-REQ-BODY - encoding. In most requests for initial authentication (KRB_AS_REQ) and - most replies (KDC-REP), the padata field will be left out. - - This field may also contain information needed by certain extensions - to the Kerberos protocol. For example, it might be used to initially - verify the identity of a client before any response is returned. This - is accomplished with a padata field with padata-type equal to - PA-ENC-TIMESTAMP and padata-value defined as follows: - - padata-type ::= PA-ENC-TIMESTAMP - padata-value ::= EncryptedData -- PA-ENC-TS-ENC - - PA-ENC-TS-ENC ::= SEQUENCE { - patimestamp[0] KerberosTime, -- client's time - pausec[1] INTEGER OPTIONAL - } - - with patimestamp containing the client's time and pausec containing - the microseconds which may be omitted if a client will not generate - more than one request per second. The ciphertext (padata-value) - consists of the PA-ENC-TS-ENC sequence, encrypted using the client's - secret key. - - [use-specified-kvno item is here for discussion and may be removed] It - may also be used by the client to specify the version of a key that is - being used for accompanying preauthentication, and/or which should be - used to encrypt the reply from the KDC. - - PA-USE-SPECIFIED-KVNO ::= Integer - - The KDC should only accept and abide by the value of the - use-specified-kvno preauthentication data field when the specified key - is still valid and until use of a new key is confirmed. This situation - is likely to occur primarily during the period during which an updated - key is propagating to other KDC's in a realm. - - The padata field can also contain information needed to help the KDC - or the client select the key needed for generating or decrypting the - response. This form of the padata is useful for supporting the use of - certain token cards with Kerberos. 
The details of such extensions are - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - specified in separate documents. See [Pat92] for additional uses of - this field. -padata-type - The padata-type element of the padata field indicates the way that the - padata-value element is to be interpreted. Negative values of - padata-type are reserved for unregistered use; non-negative values are - used for a registered interpretation of the element type. -req-body - This field is a placeholder delimiting the extent of the remaining - fields. If a checksum is to be calculated over the request, it is - calculated over an encoding of the KDC-REQ-BODY sequence which is - enclosed within the req-body field. -kdc-options - This field appears in the KRB_AS_REQ and KRB_TGS_REQ requests to the - KDC and indicates the flags that the client wants set on the tickets - as well as other information that is to modify the behavior of the - KDC. Where appropriate, the name of an option may be the same as the - flag that is set by that option. Although in most case, the bit in the - options field will be the same as that in the flags field, this is not - guaranteed, so it is not acceptable to simply copy the options field - to the flags field. There are various checks that must be made before - honoring an option anyway. - - The kdc_options field is a bit-field, where the selected options are - indicated by the bit being set (1), and the unselected options and - reserved fields being reset (0). The encoding of the bits is specified - in section 5.2. The options are described in more detail above in - section 2. The meanings of the options are: - - Bit(s) Name Description - 0 RESERVED - Reserved for future expansion of -this - field. - - 1 FORWARDABLE - The FORWARDABLE option indicates -that - the ticket to be issued is to have -its - forwardable flag set. 
It may only -be - set on the initial request, or in a -sub- - sequent request if the -ticket-granting - ticket on which it is based is also -for- - wardable. - - 2 FORWARDED - The FORWARDED option is only -specified - in a request to the -ticket-granting - server and will only be honored if -the - ticket-granting ticket in the -request - has its FORWARDABLE bit set. -This - option indicates that this is a -request - for forwarding. The address(es) of -the - host from which the resulting ticket -is - to be valid are included in -the - addresses field of the request. - - 3 PROXIABLE - The PROXIABLE option indicates that -the - ticket to be issued is to have its -prox- - iable flag set. It may only be set -on - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - the initial request, or in a -subsequent - request if the ticket-granting ticket -on - which it is based is also proxiable. - - 4 PROXY - The PROXY option indicates that this -is - a request for a proxy. This option -will - only be honored if the -ticket-granting - ticket in the request has its -PROXIABLE - bit set. The address(es) of the -host - from which the resulting ticket is to -be - valid are included in the -addresses - field of the request. - - 5 ALLOW-POSTDATE - The ALLOW-POSTDATE option indicates -that - the ticket to be issued is to have -its - MAY-POSTDATE flag set. It may only -be - set on the initial request, or in a -sub- - sequent request if the -ticket-granting - ticket on which it is based also has -its - MAY-POSTDATE flag set. - - 6 POSTDATED - The POSTDATED option indicates that -this - is a request for a postdated -ticket. - This option will only be honored if -the - ticket-granting ticket on which - it is based has its MAY-POSTDATE - flag set. - The resulting ticket will also have -its - INVALID flag set, and that flag may -be - reset by a subsequent request to the -KDC - after the starttime in the ticket -has - been reached. 
- - 7 UNUSED - This option is presently unused. - - 8 RENEWABLE - The RENEWABLE option indicates that -the - ticket to be issued is to have -its - RENEWABLE flag set. It may only be -set - on the initial request, or when -the - ticket-granting ticket on which -the - request is based is also renewable. -If - this option is requested, then the -rtime - field in the request contains -the - desired absolute expiration time for -the - ticket. - - 9-13 UNUSED - These options are presently unused. - - 14 REQUEST-ANONYMOUS - The REQUEST-ANONYMOUS option -indicates - that the ticket to be issued is not -to - identify the user to which it -was - issued. Instead, the principal -identif- - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - ier is to be generic, as specified -by - the policy of the realm (e.g. -usually - anonymous@realm). The purpose of -the - ticket is only to securely distribute -a - session key, and not to identify -the - user. The ANONYMOUS flag on the -ticket - to be returned should be set. If -the - local realms policy does not -permit - anonymous credentials, the request is -to - be rejected. - - 15-25 RESERVED - Reserved for future use. - - 26 DISABLE-TRANSITED-CHECK - By default the KDC will check the - transited field of a ticket-granting- - ticket against the policy of the local - realm before it will issue derivative - tickets based on the ticket granting - ticket. If this flag is set in the - request, checking of the transited -field - is disabled. Tickets issued without -the - performance of this check will be -noted - by the reset (0) value of the - TRANSITED-POLICY-CHECKED flag, - indicating to the application server - that the tranisted field must be -checked - locally. KDC's are encouraged but not - required to honor the - DISABLE-TRANSITED-CHECK option. 
- - 27 RENEWABLE-OK - The RENEWABLE-OK option indicates that -a - renewable ticket will be acceptable if -a - ticket with the requested life -cannot - otherwise be provided. If a ticket -with - the requested life cannot be -provided, - then a renewable ticket may be -issued - with a renew-till equal to the -the - requested endtime. The value of -the - renew-till field may still be limited -by - local limits, or limits selected by -the - individual principal or server. - - 28 ENC-TKT-IN-SKEY - This option is used only by the -ticket- - granting service. The -ENC-TKT-IN-SKEY - option indicates that the ticket for -the - end server is to be encrypted in -the - session key from the additional -ticket- - granting ticket provided. - - 29 RESERVED - Reserved for future use. - - 30 RENEW - This option is used only by the -ticket- - granting service. The RENEW -option - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - indicates that the present request -is - for a renewal. The ticket provided -is - encrypted in the secret key for -the - server on which it is valid. -This - option will only be honored if -the - ticket to be renewed has its -RENEWABLE - flag set and if the time in its -renew- - till field has not passed. The -ticket - to be renewed is passed in the -padata - field as part of the -authentication - header. - - 31 VALIDATE - This option is used only by the -ticket- - granting service. The VALIDATE -option - indicates that the request is to -vali- - date a postdated ticket. It will -only - be honored if the ticket presented -is - postdated, presently has its -INVALID - flag set, and would be otherwise -usable - at this time. A ticket cannot be -vali- - dated before its starttime. The -ticket - presented for validation is encrypted -in - the key of the server for which it -is - valid and is passed in the padata -field - as part of the authentication header. 
- -cname and sname - These fields are the same as those described for the ticket in section - 5.3.1. sname may only be absent when the ENC-TKT-IN-SKEY option is - specified. If absent, the name of the server is taken from the name of - the client in the ticket passed as additional-tickets. -enc-authorization-data - The enc-authorization-data, if present (and it can only be present in - the TGS_REQ form), is an encoding of the desired authorization-data - encrypted under the sub-session key if present in the Authenticator, - or alternatively from the session key in the ticket-granting ticket, - both from the padata field in the KRB_AP_REQ. -realm - This field specifies the realm part of the server's principal - identifier. In the AS exchange, this is also the realm part of the - client's principal identifier. -from - This field is included in the KRB_AS_REQ and KRB_TGS_REQ ticket - requests when the requested ticket is to be postdated. It specifies - the desired start time for the requested ticket. If this field is - omitted then the KDC should use the current time instead. -till - This field contains the expiration date requested by the client in a - ticket request. It is optional and if omitted the requested ticket is - to have the maximum endtime permitted according to KDC policy for the - parties to the authentication exchange as limited by expiration date - of the ticket granting ticket or other preauthentication credentials. -rtime - This field is the requested renew-till time sent from a client to the - KDC in a ticket request. It is optional. -nonce - This field is part of the KDC request and response. It it intended to - hold a random number generated by the client. If the same number is - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - included in the encrypted response from the KDC, it provides evidence - that the response is fresh and has not been replayed by an attacker. 
- Nonces must never be re-used. Ideally, it should be generated - randomly, but if the correct time is known, it may suffice[25]. -etype - This field specifies the desired encryption algorithm to be used in - the response. -addresses - This field is included in the initial request for tickets, and - optionally included in requests for additional tickets from the - ticket-granting server. It specifies the addresses from which the - requested ticket is to be valid. Normally it includes the addresses - for the client's host. If a proxy is requested, this field will - contain other addresses. The contents of this field are usually copied - by the KDC into the caddr field of the resulting ticket. -additional-tickets - Additional tickets may be optionally included in a request to the - ticket-granting server. If the ENC-TKT-IN-SKEY option has been - specified, then the session key from the additional ticket will be - used in place of the server's key to encrypt the new ticket. If more - than one option which requires additional tickets has been specified, - then the additional tickets are used in the order specified by the - ordering of the options bits (see kdc-options, above). - -The application code will be either ten (10) or twelve (12) depending on -whether the request is for an initial ticket (AS-REQ) or for an additional -ticket (TGS-REQ). - -The optional fields (addresses, authorization-data and additional-tickets) -are only included if necessary to perform the operation specified in the -kdc-options field. - -It should be noted that in KRB_TGS_REQ, the protocol version number appears -twice and two different message types appear: the KRB_TGS_REQ message -contains these fields as does the authentication header (KRB_AP_REQ) that -is passed in the padata field. - -5.4.2. KRB_KDC_REP definition - -The KRB_KDC_REP message format is used for the reply from the KDC for -either an initial (AS) request or a subsequent (TGS) request. 
There is no -message type for KRB_KDC_REP. Instead, the type will be either KRB_AS_REP -or KRB_TGS_REP. The key used to encrypt the ciphertext part of the reply -depends on the message type. For KRB_AS_REP, the ciphertext is encrypted in -the client's secret key, and the client's key version number is included in -the key version number for the encrypted data. For KRB_TGS_REP, the -ciphertext is encrypted in the sub-session key from the Authenticator, or -if absent, the session key from the ticket-granting ticket used in the -request. In that case, no version number will be present in the -EncryptedData sequence. - -The KRB_KDC_REP message contains the following fields: - -AS-REP ::= [APPLICATION 11] KDC-REP -TGS-REP ::= [APPLICATION 13] KDC-REP - -KDC-REP ::= SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - padata[2] SEQUENCE OF PA-DATA OPTIONAL, - crealm[3] Realm, - cname[4] PrincipalName, - ticket[5] Ticket, - enc-part[6] EncryptedData -} - -EncASRepPart ::= [APPLICATION 25[27]] EncKDCRepPart -EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart - -EncKDCRepPart ::= SEQUENCE { - key[0] EncryptionKey, - last-req[1] LastReq, - nonce[2] INTEGER, - key-expiration[3] KerberosTime OPTIONAL, - flags[4] TicketFlags, - authtime[5] KerberosTime, - starttime[6] KerberosTime OPTIONAL, - endtime[7] KerberosTime, - renew-till[8] KerberosTime OPTIONAL, - srealm[9] Realm, - sname[10] PrincipalName, - caddr[11] HostAddresses OPTIONAL -} - -pvno and msg-type - These fields are described above in section 5.4.1. msg-type is either - KRB_AS_REP or KRB_TGS_REP. -padata - This field is described in detail in section 5.4.1. One possible use - for this field is to encode an alternate "mix-in" string to be used - with a string-to-key algorithm (such as is described in section - 6.3.2). This ability is useful to ease transitions if a realm name - needs to change (e.g. 
when a company is acquired); in such a case all - existing password-derived entries in the KDC database would be flagged - as needing a special mix-in string until the next password change. -crealm, cname, srealm and sname - These fields are the same as those described for the ticket in section - 5.3.1. -ticket - The newly-issued ticket, from section 5.3.1. -enc-part - This field is a place holder for the ciphertext and related - information that forms the encrypted part of a message. The - description of the encrypted part of the message follows each - appearance of this field. The encrypted part is encoded as described - in section 6.1. -key - This field is the same as described for the ticket in section 5.3.1. -last-req - This field is returned by the KDC and specifies the time(s) of the - last request by a principal. Depending on what information is - available, this might be the last time that a request for a - ticket-granting ticket was made, or the last time that a request based - on a ticket-granting ticket was successful. It also might cover all - servers for a realm, or just the particular server. Some - implementations may display this information to the user to aid in - discovering unauthorized use of one's identity. It is similar in - spirit to the last login time displayed when logging into timesharing - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - systems. -nonce - This field is described above in section 5.4.1. -key-expiration - The key-expiration field is part of the response from the KDC and - specifies the time that the client's secret key is due to expire. The - expiration might be the result of password aging or an account - expiration. This field will usually be left out of the TGS reply since - the response to the TGS request is encrypted in a session key and no - client information need be retrieved from the KDC database. 
It is up - to the application client (usually the login program) to take - appropriate action (such as notifying the user) if the expiration time - is imminent. -flags, authtime, starttime, endtime, renew-till and caddr - These fields are duplicates of those found in the encrypted portion of - the attached ticket (see section 5.3.1), provided so the client may - verify they match the intended request and to assist in proper ticket - caching. If the message is of type KRB_TGS_REP, the caddr field will - only be filled in if the request was for a proxy or forwarded ticket, - or if the user is substituting a subset of the addresses from the - ticket granting ticket. If the client-requested addresses are not - present or not used, then the addresses contained in the ticket will - be the same as those included in the ticket-granting ticket. - -5.5. Client/Server (CS) message specifications - -This section specifies the format of the messages used for the -authentication of the client to the application server. - -5.5.1. KRB_AP_REQ definition - -The KRB_AP_REQ message contains the Kerberos protocol version number, the -message type KRB_AP_REQ, an options field to indicate any options in use, -and the ticket and authenticator themselves. The KRB_AP_REQ message is -often referred to as the 'authentication header'. - -AP-REQ ::= [APPLICATION 14] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - ap-options[2] APOptions, - ticket[3] Ticket, - authenticator[4] EncryptedData -} - -APOptions ::= BIT STRING { - reserved(0), - use-session-key(1), - mutual-required(2) -} - - - -pvno and msg-type - These fields are described above in section 5.4.1. msg-type is - KRB_AP_REQ. -ap-options - This field appears in the application request (KRB_AP_REQ) and affects - the way the request is processed. 
It is a bit-field, where the - selected options are indicated by the bit being set (1), and the - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - unselected options and reserved fields being reset (0). The encoding - of the bits is specified in section 5.2. The meanings of the options - are: - - Bit(s) Name Description - - 0 RESERVED - Reserved for future expansion of -this - field. - - 1 USE-SESSION-KEY - The USE-SESSION-KEY option -indicates - that the ticket the client is -presenting - to a server is encrypted in the -session - key from the server's -ticket-granting - ticket. When this option is not -speci- - fied, the ticket is encrypted in -the - server's secret key. - - 2 MUTUAL-REQUIRED - The MUTUAL-REQUIRED option tells -the - server that the client requires -mutual - authentication, and that it must -respond - with a KRB_AP_REP message. - - 3-31 RESERVED - Reserved for future use. - -ticket - This field is a ticket authenticating the client to the server. -authenticator - This contains the authenticator, which includes the client's choice of - a subkey. Its encoding is described in section 5.3.2. - -5.5.2. KRB_AP_REP definition - -The KRB_AP_REP message contains the Kerberos protocol version number, the -message type, and an encrypted time- stamp. The message is sent in in -response to an application request (KRB_AP_REQ) where the mutual -authentication option has been selected in the ap-options field. - -AP-REP ::= [APPLICATION 15] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - enc-part[2] EncryptedData -} - -EncAPRepPart ::= [APPLICATION 27[29]] SEQUENCE { - ctime[0] KerberosTime, - cusec[1] INTEGER, - subkey[2] EncryptionKey OPTIONAL, - seq-number[3] INTEGER OPTIONAL -} - -The encoded EncAPRepPart is encrypted in the shared session key of the -ticket. The optional subkey field can be used in an application-arranged -negotiation to choose a per association session key. 
- -pvno and msg-type - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - These fields are described above in section 5.4.1. msg-type is - KRB_AP_REP. -enc-part - This field is described above in section 5.4.2. -ctime - This field contains the current time on the client's host. -cusec - This field contains the microsecond part of the client's timestamp. -subkey - This field contains an encryption key which is to be used to protect - this specific application session. See section 3.2.6 for specifics on - how this field is used to negotiate a key. Unless an application - specifies otherwise, if this field is left out, the sub-session key - from the authenticator, or if also left out, the session key from the - ticket will be used. - -5.5.3. Error message reply - -If an error occurs while processing the application request, the KRB_ERROR -message will be sent in response. See section 5.9.1 for the format of the -error message. The cname and crealm fields may be left out if the server -cannot determine their appropriate values from the corresponding KRB_AP_REQ -message. If the authenticator was decipherable, the ctime and cusec fields -will contain the values from it. - -5.6. KRB_SAFE message specification - -This section specifies the format of a message that can be used by either -side (client or server) of an application to send a tamper-proof message to -its peer. It presumes that a session key has previously been exchanged (for -example, by using the KRB_AP_REQ/KRB_AP_REP messages). - -5.6.1. KRB_SAFE definition - -The KRB_SAFE message contains user data along with a collision-proof -checksum keyed with the last encryption key negotiated via subkeys, or the -session key if no negotiation has occured. 
The message fields are: - -KRB-SAFE ::= [APPLICATION 20] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - safe-body[2] KRB-SAFE-BODY, - cksum[3] Checksum -} - -KRB-SAFE-BODY ::= SEQUENCE { - user-data[0] OCTET STRING, - timestamp[1] KerberosTime OPTIONAL, - usec[2] INTEGER OPTIONAL, - seq-number[3] INTEGER OPTIONAL, - s-address[4] HostAddress OPTIONAL, - r-address[5] HostAddress OPTIONAL -} - -pvno and msg-type - These fields are described above in section 5.4.1. msg-type is - KRB_SAFE. -safe-body - This field is a placeholder for the body of the KRB-SAFE message. - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -cksum - This field contains the checksum of the application data. Checksum - details are described in section 6.4. The checksum is computed over - the encoding of the KRB-SAFE sequence. First, the cksum is zeroed and - the checksum is computed over the encoding of the KRB-SAFE sequence, - then the checksum is set to the result of that computation, and - finally the KRB-SAFE sequence is encoded again. -user-data - This field is part of the KRB_SAFE and KRB_PRIV messages and contain - the application specific data that is being passed from the sender to - the recipient. -timestamp - This field is part of the KRB_SAFE and KRB_PRIV messages. Its contents - are the current time as known by the sender of the message. By - checking the timestamp, the recipient of the message is able to make - sure that it was recently generated, and is not a replay. -usec - This field is part of the KRB_SAFE and KRB_PRIV headers. It contains - the microsecond part of the timestamp. -seq-number - This field is described above in section 5.3.2. -s-address - This field specifies the address in use by the sender of the message. -r-address - This field specifies the address in use by the recipient of the - message. 
It may be omitted for some uses (such as broadcast - protocols), but the recipient may arbitrarily reject such messages. - This field along with s-address can be used to help detect messages - which have been incorrectly or maliciously delivered to the wrong - recipient. - -5.7. KRB_PRIV message specification - -This section specifies the format of a message that can be used by either -side (client or server) of an application to securely and privately send a -message to its peer. It presumes that a session key has previously been -exchanged (for example, by using the KRB_AP_REQ/KRB_AP_REP messages). - -5.7.1. KRB_PRIV definition - -The KRB_PRIV message contains user data encrypted in the Session Key. The -message fields are: - -KRB-PRIV ::= [APPLICATION 21] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - enc-part[3] EncryptedData -} - -EncKrbPrivPart ::= [APPLICATION 28[31]] SEQUENCE { - user-data[0] OCTET STRING, - timestamp[1] KerberosTime OPTIONAL, - usec[2] INTEGER OPTIONAL, - seq-number[3] INTEGER OPTIONAL, - s-address[4] HostAddress OPTIONAL, -- sender's -addr - r-address[5] HostAddress OPTIONAL -- recip's -addr -} - -pvno and msg-type - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - These fields are described above in section 5.4.1. msg-type is - KRB_PRIV. -enc-part - This field holds an encoding of the EncKrbPrivPart sequence encrypted - under the session key[32]. This encrypted encoding is used for the - enc-part field of the KRB-PRIV message. See section 6 for the format - of the ciphertext. -user-data, timestamp, usec, s-address and r-address - These fields are described above in section 5.6.1. -seq-number - This field is described above in section 5.3.2. - -5.8. KRB_CRED message specification - -This section specifies the format of a message that can be used to send -Kerberos credentials from one principal to another. 
It is presented here to -encourage a common mechanism to be used by applications when forwarding -tickets or providing proxies to subordinate servers. It presumes that a -session key has already been exchanged perhaps by using the -KRB_AP_REQ/KRB_AP_REP messages. - -5.8.1. KRB_CRED definition - -The KRB_CRED message contains a sequence of tickets to be sent and -information needed to use the tickets, including the session key from each. -The information needed to use the tickets is encrypted under an encryption -key previously exchanged or transferred alongside the KRB_CRED message. The -message fields are: - -KRB-CRED ::= [APPLICATION 22] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, -- KRB_CRED - tickets[2] SEQUENCE OF Ticket, - enc-part[3] EncryptedData -} - -EncKrbCredPart ::= [APPLICATION 29] SEQUENCE { - ticket-info[0] SEQUENCE OF KrbCredInfo, - nonce[1] INTEGER OPTIONAL, - timestamp[2] KerberosTime OPTIONAL, - usec[3] INTEGER OPTIONAL, - s-address[4] HostAddress OPTIONAL, - r-address[5] HostAddress OPTIONAL -} - -KrbCredInfo ::= SEQUENCE { - key[0] EncryptionKey, - prealm[1] Realm OPTIONAL, - pname[2] PrincipalName OPTIONAL, - flags[3] TicketFlags OPTIONAL, - authtime[4] KerberosTime OPTIONAL, - starttime[5] KerberosTime OPTIONAL, - endtime[6] KerberosTime OPTIONAL - renew-till[7] KerberosTime OPTIONAL, - srealm[8] Realm OPTIONAL, - sname[9] PrincipalName OPTIONAL, - caddr[10] HostAddresses OPTIONAL -} - - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -pvno and msg-type - These fields are described above in section 5.4.1. msg-type is - KRB_CRED. -tickets - These are the tickets obtained from the KDC specifically for use by - the intended recipient. Successive tickets are paired with the - corresponding KrbCredInfo sequence from the enc-part of the KRB-CRED - message. 
-enc-part - This field holds an encoding of the EncKrbCredPart sequence encrypted - under the session key shared between the sender and the intended - recipient. This encrypted encoding is used for the enc-part field of - the KRB-CRED message. See section 6 for the format of the ciphertext. -nonce - If practical, an application may require the inclusion of a nonce - generated by the recipient of the message. If the same value is - included as the nonce in the message, it provides evidence that the - message is fresh and has not been replayed by an attacker. A nonce - must never be re-used; it should be generated randomly by the - recipient of the message and provided to the sender of the message in - an application specific manner. -timestamp and usec - These fields specify the time that the KRB-CRED message was generated. - The time is used to provide assurance that the message is fresh. -s-address and r-address - These fields are described above in section 5.6.1. They are used - optionally to provide additional assurance of the integrity of the - KRB-CRED message. -key - This field exists in the corresponding ticket passed by the KRB-CRED - message and is used to pass the session key from the sender to the - intended recipient. The field's encoding is described in section 6.2. - -The following fields are optional. If present, they can be associated with -the credentials in the remote ticket file. If left out, then it is assumed -that the recipient of the credentials already knows their value. - -prealm and pname - The name and realm of the delegated principal identity. -flags, authtime, starttime, endtime, renew-till, srealm, sname, and caddr - These fields contain the values of the correspond- ing fields from the - ticket found in the ticket field. Descriptions of the fields are - identical to the descriptions in the KDC-REP message. - -5.9. Error message specification - -This section specifies the format for the KRB_ERROR message. 
The fields -included in the message are intended to return as much information as -possible about an error. It is not expected that all the information -required by the fields will be available for all types of errors. If the -appropriate information is not available when the message is composed, the -corresponding field will be left out of the message. - -Note that since the KRB_ERROR message is not protected by any encryption, -it is quite possible for an intruder to synthesize or modify such a -message. In particular, this means that the client should not use any -fields in this message for security-critical purposes, such as setting a -system clock or generating a fresh authenticator. The message can be -useful, however, for advising a user on the reason for some failure. - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - -5.9.1. KRB_ERROR definition - -The KRB_ERROR message consists of the following fields: - -KRB-ERROR ::= [APPLICATION 30] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - ctime[2] KerberosTime OPTIONAL, - cusec[3] INTEGER OPTIONAL, - stime[4] KerberosTime, - susec[5] INTEGER, - error-code[6] INTEGER, - crealm[7] Realm OPTIONAL, - cname[8] PrincipalName OPTIONAL, - realm[9] Realm, -- Correct realm - sname[10] PrincipalName, -- Correct name - e-text[11] GeneralString OPTIONAL, - e-data[12] OCTET STRING OPTIONAL, - e-cksum[13] Checksum OPTIONAL, - e-typed-data[14] SEQUENCE of ETypedData -OPTIONAL -} - -ETypedData ::= SEQUENCE { - e-data-type [1] INTEGER, - e-data-value [2] OCTET STRING, -} - - - -pvno and msg-type - These fields are described above in section 5.4.1. msg-type is - KRB_ERROR. -ctime - This field is described above in section 5.4.1. -cusec - This field is described above in section 5.5.2. -stime - This field contains the current time on the server. It is of type - KerberosTime. -susec - This field contains the microsecond part of the server's timestamp. 
- Its value ranges from 0 to 999999. It appears along with stime. The - two fields are used in conjunction to specify a reasonably accurate - timestamp. -error-code - This field contains the error code returned by Kerberos or the server - when a request fails. To interpret the value of this field see the - list of error codes in section 8. Implementations are encouraged to - provide for national language support in the display of error - messages. -crealm, cname, srealm and sname - These fields are described above in section 5.3.1. -e-text - This field contains additional text to help explain the error code - associated with the failed request (for example, it might include a - principal name which was unknown). -e-data - This field contains additional data about the error for use by the - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - application to help it recover from or handle the error. If the - errorcode is KDC_ERR_PREAUTH_REQUIRED, then the e-data field will - contain an encoding of a sequence of padata fields, each corresponding - to an acceptable pre-authentication method and optionally containing - data for the method: - - METHOD-DATA ::= SEQUENCE of PA-DATA - - If the error-code is KRB_AP_ERR_METHOD, then the e-data field will - contain an encoding of the following sequence: - - METHOD-DATA ::= SEQUENCE { - method-type[0] INTEGER, - method-data[1] OCTET STRING OPTIONAL - } - - method-type will indicate the required alternate method; method-data - will contain any required additional information. -e-cksum - This field contains an optional checksum for the KRB-ERROR message. - The checksum is calculated over the Kerberos ASN.1 encoding of the - KRB-ERROR message with the checksum absent. The checksum is then added - to the KRB-ERROR structure and the message is re-encoded. 
The Checksum - should be calculated using the session key from the ticket granting - ticket or service ticket, where available. If the error is in response - to a TGS or AP request, the checksum should be calculated uing the the - session key from the client's ticket. If the error is in response to - an AS request, then the checksum should be calulated using the - client's secret key ONLY if there has been suitable preauthentication - to prove knowledge of the secret key by the client[33]. If a checksum - can not be computed because the key to be used is not available, no - checksum will be included. -e-typed-data - [This field for discussion, may be deleted from final spec] This field - contains optional data that may be used to help the client recover - from the indicated error. [This could contain the METHOD-DATA - specified since I don't think anyone actually uses it yet. It could - also contain the PA-DATA sequence for the preauth required error if we - had a clear way to transition to the use of this field from the use of - the untype e-data field.] For example, this field may specify the key - version of the key used to verify preauthentication: - - e-data-type := 20 -- Key version number - e-data-value := Integer -- Key version number used to verify -preauthentication - -6. Encryption and Checksum Specifications - -The Kerberos protocols described in this document are designed to use -stream encryption ciphers, which can be simulated using commonly available -block encryption ciphers, such as the Data Encryption Standard, [DES77] in -conjunction with block chaining and checksum methods [DESM80]. Encryption -is used to prove the identities of the network entities participating in -message exchanges. The Key Distribution Center for each realm is trusted by -all principals registered in that realm to store a secret key in -confidence. Proof of knowledge of this secret key is used to verify the -authenticity of a principal. 
- -The KDC uses the principal's secret key (in the AS exchange) or a shared -session key (in the TGS exchange) to encrypt responses to ticket requests; - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -the ability to obtain the secret key or session key implies the knowledge -of the appropriate keys and the identity of the KDC. The ability of a -principal to decrypt the KDC response and present a Ticket and a properly -formed Authenticator (generated with the session key from the KDC response) -to a service verifies the identity of the principal; likewise the ability -of the service to extract the session key from the Ticket and prove its -knowledge thereof in a response verifies the identity of the service. - -The Kerberos protocols generally assume that the encryption used is secure -from cryptanalysis; however, in some cases, the order of fields in the -encrypted portions of messages are arranged to minimize the effects of -poorly chosen keys. It is still important to choose good keys. If keys are -derived from user-typed passwords, those passwords need to be well chosen -to make brute force attacks more difficult. Poorly chosen keys still make -easy targets for intruders. - -The following sections specify the encryption and checksum mechanisms -currently defined for Kerberos. The encodings, chaining, and padding -requirements for each are described. For encryption methods, it is often -desirable to place random information (often referred to as a confounder) -at the start of the message. The requirements for a confounder are -specified with each encryption mechanism. - -Some encryption systems use a block-chaining method to improve the the -security characteristics of the ciphertext. However, these chaining methods -often don't provide an integrity check upon decryption. 
Such systems (such -as DES in CBC mode) must be augmented with a checksum of the plain-text -which can be verified at decryption and used to detect any tampering or -damage. Such checksums should be good at detecting burst errors in the -input. If any damage is detected, the decryption routine is expected to -return an error indicating the failure of an integrity check. Each -encryption type is expected to provide and verify an appropriate checksum. -The specification of each encryption method sets out its checksum -requirements. - -Finally, where a key is to be derived from a user's password, an algorithm -for converting the password to a key of the appropriate type is included. -It is desirable for the string to key function to be one-way, and for the -mapping to be different in different realms. This is important because -users who are registered in more than one realm will often use the same -password in each, and it is desirable that an attacker compromising the -Kerberos server in one realm not obtain or derive the user's key in -another. - -For an discussion of the integrity characteristics of the candidate -encryption and checksum methods considered for Kerberos, the the reader is -referred to [SG92]. - -6.1. Encryption Specifications - -The following ASN.1 definition describes all encrypted messages. The -enc-part field which appears in the unencrypted part of messages in section -5 is a sequence consisting of an encryption type, an optional key version -number, and the ciphertext. - -EncryptedData ::= SEQUENCE { - etype[0] INTEGER, -- EncryptionType - kvno[1] INTEGER OPTIONAL, - cipher[2] OCTET STRING -- ciphertext - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -} - - - -etype - This field identifies which encryption algorithm was used to encipher - the cipher. Detailed specifications for selected encryption types - appear later in this section. 
-kvno - This field contains the version number of the key under which data is - encrypted. It is only present in messages encrypted under long lasting - keys, such as principals' secret keys. -cipher - This field contains the enciphered text, encoded as an OCTET STRING. - -The cipher field is generated by applying the specified encryption -algorithm to data composed of the message and algorithm-specific inputs. -Encryption mechanisms defined for use with Kerberos must take sufficient -measures to guarantee the integrity of the plaintext, and we recommend they -also take measures to protect against precomputed dictionary attacks. If -the encryption algorithm is not itself capable of doing so, the protections -can often be enhanced by adding a checksum and a confounder. - -The suggested format for the data to be encrypted includes a confounder, a -checksum, the encoded plaintext, and any necessary padding. The msg-seq -field contains the part of the protocol message described in section 5 -which is to be encrypted. The confounder, checksum, and padding are all -untagged and untyped, and their length is exactly sufficient to hold the -appropriate item. The type and length is implicit and specified by the -particular encryption type being used (etype). 
The format for the data to -be encrypted is described in the following diagram: - - +-----------+----------+-------------+-----+ - |confounder | check | msg-seq | pad | - +-----------+----------+-------------+-----+ - -The format cannot be described in ASN.1, but for those who prefer an -ASN.1-like notation: - -CipherText ::= ENCRYPTED SEQUENCE { - confounder[0] UNTAGGED[35] OCTET STRING(conf_length) OPTIONAL, - check[1] UNTAGGED OCTET STRING(checksum_length) OPTIONAL, - msg-seq[2] MsgSequence, - pad UNTAGGED OCTET STRING(pad_length) OPTIONAL -} - -One generates a random confounder of the appropriate length, placing it in -confounder; zeroes out check; calculates the appropriate checksum over -confounder, check, and msg-seq, placing the result in check; adds the -necessary padding; then encrypts using the specified encryption type and -the appropriate key. - -Unless otherwise specified, a definition of an encryption algorithm that -specifies a checksum, a length for the confounder field, or an octet -boundary for padding uses this ciphertext format[36]. Those fields which -are not specified will be omitted. - -In the interest of allowing all implementations using a particular -encryption type to communicate with all others using that type, the - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -specification of an encryption type defines any checksum that is needed as -part of the encryption process. If an alternative checksum is to be used, a -new encryption type must be defined. - -Some cryptosystems require additional information beyond the key and the -data to be encrypted. For example, DES, when used in cipher-block-chaining -mode, requires an initialization vector. If required, the description for -each encryption type must specify the source of such additional -information. 6.2. 
Encryption Keys - -The sequence below shows the encoding of an encryption key: - - EncryptionKey ::= SEQUENCE { - keytype[0] INTEGER, - keyvalue[1] OCTET STRING - } - -keytype - This field specifies the type of encryption key that follows in the - keyvalue field. It will almost always correspond to the encryption - algorithm used to generate the EncryptedData, though more than one - algorithm may use the same type of key (the mapping is many to one). - This might happen, for example, if the encryption algorithm uses an - alternate checksum algorithm for an integrity check, or a different - chaining mechanism. -keyvalue - This field contains the key itself, encoded as an octet string. - -All negative values for the encryption key type are reserved for local use. -All non-negative values are reserved for officially assigned type fields -and interpreta- tions. - -6.3. Encryption Systems - -6.3.1. The NULL Encryption System (null) - -If no encryption is in use, the encryption system is said to be the NULL -encryption system. In the NULL encryption system there is no checksum, -confounder or padding. The ciphertext is simply the plaintext. The NULL Key -is used by the null encryption system and is zero octets in length, with -keytype zero (0). - -6.3.2. DES in CBC mode with a CRC-32 checksum (des-cbc-crc) - -The des-cbc-crc encryption mode encrypts information under the Data -Encryption Standard [DES77] using the cipher block chaining mode [DESM80]. -A CRC-32 checksum (described in ISO 3309 [ISO3309]) is applied to the -confounder and message sequence (msg-seq) and placed in the cksum field. -DES blocks are 8 bytes. As a result, the data to be encrypted (the -concatenation of confounder, checksum, and message) must be padded to an 8 -byte boundary before encryption. The details of the encryption of this data -are identical to those for the des-cbc-md5 encryption mode. 
- -Note that, since the CRC-32 checksum is not collision-proof, an attacker -could use a probabilistic chosen-plaintext attack to generate a valid -message even if a confounder is used [SG92]. The use of collision-proof -checksums is recommended for environments where such attacks represent a -significant threat. The use of the CRC-32 as the checksum for ticket or -authenticator is no longer mandated as an interoperability requirement for - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -Kerberos Version 5 Specification 1 (See section 9.1 for specific details). - -6.3.3. DES in CBC mode with an MD4 checksum (des-cbc-md4) - -The des-cbc-md4 encryption mode encrypts information under the Data -Encryption Standard [DES77] using the cipher block chaining mode [DESM80]. -An MD4 checksum (described in [MD492]) is applied to the confounder and -message sequence (msg-seq) and placed in the cksum field. DES blocks are 8 -bytes. As a result, the data to be encrypted (the concatenation of -confounder, checksum, and message) must be padded to an 8 byte boundary -before encryption. The details of the encryption of this data are identical -to those for the des-cbc-md5 encryption mode. - -6.3.4. DES in CBC mode with an MD5 checksum (des-cbc-md5) - -The des-cbc-md5 encryption mode encrypts information under the Data -Encryption Standard [DES77] using the cipher block chaining mode [DESM80]. -An MD5 checksum (described in [MD5-92].) is applied to the confounder and -message sequence (msg-seq) and placed in the cksum field. DES blocks are 8 -bytes. As a result, the data to be encrypted (the concatenation of -confounder, checksum, and message) must be padded to an 8 byte boundary -before encryption. - -Plaintext and DES ciphtertext are encoded as blocks of 8 octets which are -concatenated to make the 64-bit inputs for the DES algorithms. 
The first -octet supplies the 8 most significant bits (with the octet's MSbit used as -the DES input block's MSbit, etc.), the second octet the next 8 bits, ..., -and the eighth octet supplies the 8 least significant bits. - -Encryption under DES using cipher block chaining requires an additional -input in the form of an initialization vector. Unless otherwise specified, -zero should be used as the initialization vector. Kerberos' use of DES -requires an 8 octet confounder. - -The DES specifications identify some 'weak' and 'semi-weak' keys; those -keys shall not be used for encrypting messages for use in Kerberos. -Additionally, because of the way that keys are derived for the encryption -of checksums, keys shall not be used that yield 'weak' or 'semi-weak' keys -when eXclusive-ORed with the hexadecimal constant F0F0F0F0F0F0F0F0. - -A DES key is 8 octets of data, with keytype one (1). This consists of 56 -bits of key, and 8 parity bits (one per octet). The key is encoded as a -series of 8 octets written in MSB-first order. The bits within the key are -also encoded in MSB order. For example, if the encryption key is -(B1,B2,...,B7,P1,B8,...,B14,P2,B15,...,B49,P7,B50,...,B56,P8) where -B1,B2,...,B56 are the key bits in MSB order, and P1,P2,...,P8 are the -parity bits, the first octet of the key would be B1,B2,...,B7,P1 (with B1 -as the MSbit). [See the FIPS 81 introduction for reference.] - -String to key transformation - -To generate a DES key from a text string (password), a "salt" is -concatenated to the text string, and then padded with ASCII nulls to an 8 -byte boundary. This "salt" is normally the realm and each component of the -principal's name appended. However, sometimes different salts are used --- -for example, when a realm is renamed, or if a user changes her username, or -for compatibility with Kerberos V4 (whose string-to-key algorithm uses a -null string for the salt). 
This string is then fan-folded and -eXclusive-ORed with itself to form an 8 byte DES key. Before - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -eXclusive-ORing a block, every byte is shifted one bit to the left to leave -the lowest bit zero. The key is the "corrected" by correcting the parity on -the key, and if the key matches a 'weak' or 'semi-weak' key as described in -the DES specification, it is eXclusive-ORed with the constant -00000000000000F0. This key is then used to generate a DES CBC checksum on -the initial string (with the salt appended). The result of the CBC checksum -is the "corrected" as described above to form the result which is return as -the key. Pseudocode follows: - - name_to_default_salt(realm, name) { - s = realm - for(each component in name) { - s = s + component; - } - return s; - } - - key_correction(key) { - fixparity(key); - if (is_weak_key_key(key)) - key = key XOR 0xF0; - return(key); - } - - string_to_key(string,salt) { - - odd = 1; - s = string + salt; - tempkey = NULL; - pad(s); /* with nulls to 8 byte boundary */ - for(8byteblock in s) { - if(odd == 0) { - odd = 1; - reverse(8byteblock) - } - else odd = 0; - left shift every byte in 8byteblock one bit; - tempkey = tempkey XOR 8byteblock; - } - tempkey = key_correction(tempkey); - key = key_correction(DES-CBC-check(s,tempkey)); - return(key); - } - -6.3.5. Triple DES with HMAC-SHA1 Kerberos Encryption Type with Key -Derivation [Horowitz] - -NOTE: This description currently refers to documents, the contents of which -might be bettered included by value in this spec. The description below was -provided by Marc Horowitz, and the form in which it will finally appear is -yet to be determined. This description is included in this version of the -draft because it does describe the implemenation ready for use with the MIT -implementation. 
Note also that the encryption identifier has been left -unspecified here because the value from Marc Horowitz's spec conflicted -with some other impmenentations implemented based on perevious versions of -the specification. - -This encryption type is based on the Triple DES cryptosystem, the HMAC-SHA1 -[Krawczyk96] message authentication algorithm, and key derivation for - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -Kerberos V5 [HorowitzB96]. - -The des3-cbc-hmac-sha1 encryption type has been assigned the value ??. The -hmac-sha1-des3 checksum type has been assigned the value 12. - -Encryption Type des3-cbc-hmac-sha1 - -EncryptedData using this type must be generated as described in -[Horowitz96]. The encryption algorithm is Triple DES in Outer-CBC mode. The -keyed hash algorithm is HMAC-SHA1. Unless otherwise specified, a zero IV -must be used. If the length of the input data is not a multiple of the -block size, zero octets must be used to pad the plaintext to the next -eight-octet boundary. The counfounder must be eight random octets (one -block). - -Checksum Type hmac-sha1-des3 - -Checksums using this type must be generated as described in [Horowitz96]. -The keyed hash algorithm is HMAC-SHA1. - -Common Requirements - -The EncryptionKey value is 24 octets long. The 7 most significant bits of -each octet contain key bits, and the least significant bit is the inverse -of the xor of the key bits. - -For the purposes of key derivation, the block size is 64 bits, and the key -size is 168 bits. The 168 bits output by key derivation are converted to an -EncryptionKey value as follows. 
First, the 168 bits are divided into three -groups of 56 bits, which are expanded individually into 64 bits as follows: - - 1 2 3 4 5 6 7 p - 9 10 11 12 13 14 15 p -17 18 19 20 21 22 23 p -25 26 27 28 29 30 31 p -33 34 35 36 37 38 39 p -41 42 43 44 45 46 47 p -49 50 51 52 53 54 55 p -56 48 40 32 24 16 8 p - -The "p" bits are parity bits computed over the data bits. The output of the -three expansions are concatenated to form the EncryptionKey value. - -When the HMAC-SHA1 of a string is computed, the key is used in the -EncryptedKey form. - -Key Derivation - -In the Kerberos protocol, cryptographic keys are used in a number of -places. In order to minimize the effect of compromising a key, it is -desirable to use a different key for each of these places. Key derivation -[Horowitz96] can be used to construct different keys for each operation -from the keys transported on the network. For this to be possible, a small -change to the specification is necessary. - -This section specifies a profile for the use of key derivation [Horowitz96] -with Kerberos. For each place where a key is used, a ``key usage'' must is -specified for that purpose. The key, key usage, and encryption/checksum -type together describe the transformation from plaintext to ciphertext, or - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -plaintext to checksum. - -Key Usage Values - -This is a complete list of places keys are used in the kerberos protocol, -with key usage values and RFC 1510 section numbers: - - 1. AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with the - client key (section 5.4.1) - 2. AS-REP Ticket and TGS-REP Ticket (includes tgs session key or - application session key), encrypted with the service key - (section 5.4.2) - 3. AS-REP encrypted part (includes tgs session key or application - session key), encrypted with the client key (section 5.4.2) - 4. 
TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs - session key (section 5.4.1) - 5. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs - authenticator subkey (section 5.4.1) - 6. TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator cksum, keyed - with the tgs session key (sections 5.3.2, 5.4.1) - 7. TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator (includes tgs - authenticator subkey), encrypted with the tgs session key - (section 5.3.2) - 8. TGS-REP encrypted part (includes application session key), - encrypted with the tgs session key (section 5.4.2) - 9. TGS-REP encrypted part (includes application session key), - encrypted with the tgs authenticator subkey (section 5.4.2) -10. AP-REQ Authenticator cksum, keyed with the application session - key (section 5.3.2) -11. AP-REQ Authenticator (includes application authenticator - subkey), encrypted with the application session key (section - 5.3.2) -12. AP-REP encrypted part (includes application session subkey), - encrypted with the application session key (section 5.5.2) -13. KRB-PRIV encrypted part, encrypted with a key chosen by the - application (section 5.7.1) -14. KRB-CRED encrypted part, encrypted with a key chosen by the - application (section 5.6.1) -15. KRB-SAVE cksum, keyed with a key chosen by the application - (section 5.8.1) -18. KRB-ERROR checksum (e-cksum in section 5.9.1) -19. AD-KDCIssued checksum (ad-checksum in appendix B.1) -20. Checksum for Mandatory Ticket Extensions (appendix B.6) -21. Checksum in Authorization Data in Ticket Extensions (appendix B.7) - -Key usage values between 1024 and 2047 (inclusive) are reserved for -application use. Applications should use even values for encryption and odd -values for checksums within this range. - -A few of these key usages need a little clarification. A service which -receives an AP-REQ has no way to know if the enclosed Ticket was part of an -AS-REP or TGS-REP. 
Therefore, key usage 2 must always be used for -generating a Ticket, whether it is in response to an AS- REQ or TGS-REQ. - -There might exist other documents which define protocols in terms of the -RFC1510 encryption types or checksum types. Such documents would not know -about key usages. In order that these documents continue to be meaningful -until they are updated, key usages 1024 and 1025 must be used to derive -keys for encryption and checksums, respectively. New protocols defined in - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -terms of the Kerberos encryption and checksum types should use their own -key usages. Key usages may be registered with IANA to avoid conflicts. Key -usages must be unsigned 32 bit integers. Zero is not permitted. - -Defining Cryptosystems Using Key Derivation - -Kerberos requires that the ciphertext component of EncryptedData be -tamper-resistant as well as confidential. This implies encryption and -integrity functions, which must each use their own separate keys. So, for -each key usage, two keys must be generated, one for encryption (Ke), and -one for integrity (Ki): - - Ke = DK(protocol key, key usage | 0xAA) - Ki = DK(protocol key, key usage | 0x55) - -where the protocol key is from the EncryptionKey from the wire protocol, -and the key usage is represented as a 32 bit integer in network byte order. -The ciphertest must be generated from the plaintext as follows: - - ciphertext = E(Ke, confounder | plaintext | padding) | - H(Ki, confounder | plaintext | padding) - -The confounder and padding are specific to the encryption algorithm E. - -When generating a checksum only, there is no need for a confounder or -padding. Again, a new key (Kc) must be used. 
Checksums must be generated -from the plaintext as follows: - - Kc = DK(protocol key, key usage | 0x99) - - MAC = H(Kc, plaintext) - -Note that each enctype is described by an encryption algorithm E and a -keyed hash algorithm H, and each checksum type is described by a keyed hash -algorithm H. HMAC, with an appropriate hash, is recommended for use as H. - -Key Derivation from Passwords - -The well-known constant for password key derivation must be the byte string -{0x6b 0x65 0x72 0x62 0x65 0x72 0x6f 0x73}. These values correspond to the -ASCII encoding for the string "kerberos". - -6.4. Checksums - -The following is the ASN.1 definition used for a checksum: - - Checksum ::= SEQUENCE { - cksumtype[0] INTEGER, - checksum[1] OCTET STRING - } - -cksumtype - This field indicates the algorithm used to generate the accompanying - checksum. -checksum - This field contains the checksum itself, encoded as an octet string. - -Detailed specification of selected checksum types appear later in this -section. Negative values for the checksum type are reserved for local use. - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -All non-negative values are reserved for officially assigned type fields -and interpretations. - -Checksums used by Kerberos can be classified by two properties: whether -they are collision-proof, and whether they are keyed. It is infeasible to -find two plaintexts which generate the same checksum value for a -collision-proof checksum. A key is required to perturb or initialize the -algorithm in a keyed checksum. To prevent message-stream modification by an -active attacker, unkeyed checksums should only be used when the checksum -and message will be subsequently encrypted (e.g. the checksums defined as -part of the encryption algorithms covered earlier in this section). - -Collision-proof checksums can be made tamper-proof if the checksum value is -encrypted before inclusion in a message. 
In such cases, the composition of -the checksum and the encryption algorithm must be considered a separate -checksum algorithm (e.g. RSA-MD5 encrypted using DES is a new checksum -algorithm of type RSA-MD5-DES). For most keyed checksums, as well as for -the encrypted forms of unkeyed collision-proof checksums, Kerberos prepends -a confounder before the checksum is calculated. - -6.4.1. The CRC-32 Checksum (crc32) - -The CRC-32 checksum calculates a checksum based on a cyclic redundancy -check as described in ISO 3309 [ISO3309]. The resulting checksum is four -(4) octets in length. The CRC-32 is neither keyed nor collision-proof. The -use of this checksum is not recommended. An attacker using a probabilistic -chosen-plaintext attack as described in [SG92] might be able to generate an -alternative message that satisfies the checksum. The use of collision-proof -checksums is recommended for environments where such attacks represent a -significant threat. - -6.4.2. The RSA MD4 Checksum (rsa-md4) - -The RSA-MD4 checksum calculates a checksum using the RSA MD4 algorithm -[MD4-92]. The algorithm takes as input an input message of arbitrary length -and produces as output a 128-bit (16 octet) checksum. RSA-MD4 is believed -to be collision-proof. - -6.4.3. RSA MD4 Cryptographic Checksum Using DES (rsa-md4-des) - -The RSA-MD4-DES checksum calculates a keyed collision-proof checksum by -prepending an 8 octet confounder before the text, applying the RSA MD4 -checksum algorithm, and encrypting the confounder and the checksum using -DES in cipher-block-chaining (CBC) mode using a variant of the key, where -the variant is computed by eXclusive-ORing the key with the constant -F0F0F0F0F0F0F0F0[39]. The initialization vector should be zero. The -resulting checksum is 24 octets long (8 octets of which are redundant). -This checksum is tamper-proof and believed to be collision-proof. 
- -The DES specifications identify some weak keys' and 'semi-weak keys'; those -keys shall not be used for generating RSA-MD4 checksums for use in -Kerberos. - -The format for the checksum is described in the follow- ing diagram: - -+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -| des-cbc(confounder + rsa-md4(confounder+msg),key=var(key),iv=0) | -+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ - - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -The format cannot be described in ASN.1, but for those who prefer an -ASN.1-like notation: - -rsa-md4-des-checksum ::= ENCRYPTED UNTAGGED SEQUENCE { - confounder[0] UNTAGGED OCTET STRING(8), - check[1] UNTAGGED OCTET STRING(16) -} - -6.4.4. The RSA MD5 Checksum (rsa-md5) - -The RSA-MD5 checksum calculates a checksum using the RSA MD5 algorithm. -[MD5-92]. The algorithm takes as input an input message of arbitrary length -and produces as output a 128-bit (16 octet) checksum. RSA-MD5 is believed -to be collision-proof. - -6.4.5. RSA MD5 Cryptographic Checksum Using DES (rsa-md5-des) - -The RSA-MD5-DES checksum calculates a keyed collision-proof checksum by -prepending an 8 octet confounder before the text, applying the RSA MD5 -checksum algorithm, and encrypting the confounder and the checksum using -DES in cipher-block-chaining (CBC) mode using a variant of the key, where -the variant is computed by eXclusive-ORing the key with the hexadecimal -constant F0F0F0F0F0F0F0F0. The initialization vector should be zero. The -resulting checksum is 24 octets long (8 octets of which are redundant). -This checksum is tamper-proof and believed to be collision-proof. - -The DES specifications identify some 'weak keys' and 'semi-weak keys'; -those keys shall not be used for encrypting RSA-MD5 checksums for use in -Kerberos. 
- -The format for the checksum is described in the following diagram: - -+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -| des-cbc(confounder + rsa-md5(confounder+msg),key=var(key),iv=0) | -+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ - -The format cannot be described in ASN.1, but for those who prefer an -ASN.1-like notation: - -rsa-md5-des-checksum ::= ENCRYPTED UNTAGGED SEQUENCE { - confounder[0] UNTAGGED OCTET STRING(8), - check[1] UNTAGGED OCTET STRING(16) -} - -6.4.6. DES cipher-block chained checksum (des-mac) - -The DES-MAC checksum is computed by prepending an 8 octet confounder to the -plaintext, performing a DES CBC-mode encryption on the result using the key -and an initialization vector of zero, taking the last block of the -ciphertext, prepending the same confounder and encrypting the pair using -DES in cipher-block-chaining (CBC) mode using a a variant of the key, where -the variant is computed by eXclusive-ORing the key with the hexadecimal -constant F0F0F0F0F0F0F0F0. The initialization vector should be zero. The -resulting checksum is 128 bits (16 octets) long, 64 bits of which are -redundant. This checksum is tamper-proof and collision-proof. 
- -The format for the checksum is described in the following diagram: - -+--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+ - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -| des-cbc(confounder + des-mac(conf+msg,iv=0,key),key=var(key),iv=0) | -+--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+ - -The format cannot be described in ASN.1, but for those who prefer an -ASN.1-like notation: - -des-mac-checksum ::= ENCRYPTED UNTAGGED SEQUENCE { - confounder[0] UNTAGGED OCTET STRING(8), - check[1] UNTAGGED OCTET STRING(8) -} - -The DES specifications identify some 'weak' and 'semi-weak' keys; those -keys shall not be used for generating DES-MAC checksums for use in -Kerberos, nor shall a key be used whose variant is 'weak' or 'semi-weak'. - -6.4.7. RSA MD4 Cryptographic Checksum Using DES alternative (rsa-md4-des-k) - -The RSA-MD4-DES-K checksum calculates a keyed collision-proof checksum by -applying the RSA MD4 checksum algorithm and encrypting the results using -DES in cipher-block-chaining (CBC) mode using a DES key as both key and -initialization vector. The resulting checksum is 16 octets long. This -checksum is tamper-proof and believed to be collision-proof. Note that this -checksum type is the old method for encoding the RSA-MD4-DES checksum and -it is no longer recommended. - -6.4.8. DES cipher-block chained checksum alternative (des-mac-k) - -The DES-MAC-K checksum is computed by performing a DES CBC-mode encryption -of the plaintext, and using the last block of the ciphertext as the -checksum value. It is keyed with an encryption key and an initialization -vector; any uses which do not specify an additional initialization vector -will use the key as both key and initialization vector. The resulting -checksum is 64 bits (8 octets) long. This checksum is tamper-proof and -collision-proof. 
Note that this checksum type is the old method for -encoding the DES-MAC checksum and it is no longer recommended. The DES -specifications identify some 'weak keys' and 'semi-weak keys'; those keys -shall not be used for generating DES-MAC checksums for use in Kerberos. - -7. Naming Constraints - -7.1. Realm Names - -Although realm names are encoded as GeneralStrings and although a realm can -technically select any name it chooses, interoperability across realm -boundaries requires agreement on how realm names are to be assigned, and -what information they imply. - -To enforce these conventions, each realm must conform to the conventions -itself, and it must require that any realms with which inter-realm keys are -shared also conform to the conventions and require the same from its -neighbors. - -Kerberos realm names are case sensitive. Realm names that differ only in -the case of the characters are not equivalent. There are presently four -styles of realm names: domain, X500, other, and reserved. Examples of each -style follow: - - domain: ATHENA.MIT.EDU (example) - X500: C=US/O=OSF (example) - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - other: NAMETYPE:rest/of.name=without-restrictions (example) - reserved: reserved, but will not conflict with above - -Domain names must look like domain names: they consist of components -separated by periods (.) and they contain neither colons (:) nor slashes -(/). Domain names must be converted to upper case when used as realm names. - -X.500 names contain an equal (=) and cannot contain a colon (:) before the -equal. The realm names for X.500 names will be string representations of -the names with components separated by slashes. Leading and trailing -slashes will not be included. - -Names that fall into the other category must begin with a prefix that -contains no equal (=) or period (.) 
and the prefix must be followed by a -colon (:) and the rest of the name. All prefixes must be assigned before -they may be used. Presently none are assigned. - -The reserved category includes strings which do not fall into the first -three categories. All names in this category are reserved. It is unlikely -that names will be assigned to this category unless there is a very strong -argument for not using the 'other' category. - -These rules guarantee that there will be no conflicts between the various -name styles. The following additional constraints apply to the assignment -of realm names in the domain and X.500 categories: the name of a realm for -the domain or X.500 formats must either be used by the organization owning -(to whom it was assigned) an Internet domain name or X.500 name, or in the -case that no such names are registered, authority to use a realm name may -be derived from the authority of the parent realm. For example, if there is -no domain name for E40.MIT.EDU, then the administrator of the MIT.EDU realm -can authorize the creation of a realm with that name. - -This is acceptable because the organization to which the parent is assigned -is presumably the organization authorized to assign names to its children -in the X.500 and domain name systems as well. If the parent assigns a realm -name without also registering it in the domain name or X.500 hierarchy, it -is the parent's responsibility to make sure that there will not in the -future exists a name identical to the realm name of the child unless it is -assigned to the same entity as the realm name. - -7.2. Principal Names - -As was the case for realm names, conventions are needed to ensure that all -agree on what information is implied by a principal name. The name-type -field that is part of the principal name indicates the kind of information -implied by the name. The name-type should be treated as a hint. Ignoring -the name type, no two names can be the same (i.e. 
at least one of the -components, or the realm, must be different). The following name types are -defined: - - name-type value meaning - - NT-UNKNOWN 0 Name type not known - NT-PRINCIPAL 1 General principal name (e.g. username, or DCE -principal) - NT-SRV-INST 2 Service and other unique instance (krbtgt) - NT-SRV-HST 3 Service with host name as instance (telnet, -rcommands) - NT-SRV-XHST 4 Service with slash-separated host name components - NT-UID 5 Unique ID - NT-X500-PRINCIPAL 6 Encoded X.509 Distingished name [RFC 1779] - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - -When a name implies no information other than its uniqueness at a -particular time the name type PRINCIPAL should be used. The principal name -type should be used for users, and it might also be used for a unique -server. If the name is a unique machine generated ID that is guaranteed -never to be reassigned then the name type of UID should be used (note that -it is generally a bad idea to reassign names of any type since stale -entries might remain in access control lists). - -If the first component of a name identifies a service and the remaining -components identify an instance of the service in a server specified -manner, then the name type of SRV-INST should be used. An example of this -name type is the Kerberos ticket-granting service whose name has a first -component of krbtgt and a second component identifying the realm for which -the ticket is valid. - -If instance is a single component following the service name and the -instance identifies the host on which the server is running, then the name -type SRV-HST should be used. This type is typically used for Internet -services such as telnet and the Berkeley R commands. If the separate -components of the host name appear as successive components following the -name of the service, then the name type SRV-XHST should be used. 
This type -might be used to identify servers on hosts with X.500 names where the slash -(/) might otherwise be ambiguous. - -A name type of NT-X500-PRINCIPAL should be used when a name from an X.509 -certificiate is translated into a Kerberos name. The encoding of the X.509 -name as a Kerberos principal shall conform to the encoding rules specified -in RFC 2253. - -A name type of UNKNOWN should be used when the form of the name is not -known. When comparing names, a name of type UNKNOWN will match principals -authenticated with names of any type. A principal authenticated with a name -of type UNKNOWN, however, will only match other names of type UNKNOWN. - -Names of any type with an initial component of 'krbtgt' are reserved for -the Kerberos ticket granting service. See section 8.2.3 for the form of -such names. - -7.2.1. Name of server principals - -The principal identifier for a server on a host will generally be composed -of two parts: (1) the realm of the KDC with which the server is registered, -and (2) a two-component name of type NT-SRV-HST if the host name is an -Internet domain name or a multi-component name of type NT-SRV-XHST if the -name of the host is of a form such as X.500 that allows slash (/) -separators. The first component of the two- or multi-component name will -identify the service and the latter components will identify the host. -Where the name of the host is not case sensitive (for example, with -Internet domain names) the name of the host must be lower case. If -specified by the application protocol for services such as telnet and the -Berkeley R commands which run with system privileges, the first component -may be the string 'host' instead of a service specific identifier. When a -host has an official name and one or more aliases, the official name of the -host must be used when constructing the name of the server principal. - -8. Constants and other defined values - -8.1. 
Host address types - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - -All negative values for the host address type are reserved for local use. -All non-negative values are reserved for officially assigned type fields -and interpretations. - -The values of the types for the following addresses are chosen to match the -defined address family constants in the Berkeley Standard Distributions of -Unix. They can be found in with symbolic names AF_xxx (where xxx is an -abbreviation of the address family name). - -Internet (IPv4) Addresses - -Internet (IPv4) addresses are 32-bit (4-octet) quantities, encoded in MSB -order. The type of IPv4 addresses is two (2). - -Internet (IPv6) Addresses [Westerlund] - -IPv6 addresses are 128-bit (16-octet) quantities, encoded in MSB order. The -type of IPv6 addresses is twenty-four (24). [RFC1883] [RFC1884]. The -following addresses (see [RFC1884]) MUST not appear in any Kerberos packet: - - * the Unspecified Address - * the Loopback Address - * Link-Local addresses - -IPv4-mapped IPv6 addresses MUST be represented as addresses of type 2. - -CHAOSnet addresses - -CHAOSnet addresses are 16-bit (2-octet) quantities, encoded in MSB order. -The type of CHAOSnet addresses is five (5). - -ISO addresses - -ISO addresses are variable-length. The type of ISO addresses is seven (7). - -Xerox Network Services (XNS) addresses - -XNS addresses are 48-bit (6-octet) quantities, encoded in MSB order. The -type of XNS addresses is six (6). - -AppleTalk Datagram Delivery Protocol (DDP) addresses - -AppleTalk DDP addresses consist of an 8-bit node number and a 16-bit -network number. The first octet of the address is the node number; the -remaining two octets encode the network number in MSB order. The type of -AppleTalk DDP addresses is sixteen (16). - -DECnet Phase IV addresses - -DECnet Phase IV addresses are 16-bit addresses, encoded in LSB order. 
The -type of DECnet Phase IV addresses is twelve (12). - -Netbios addresses - -Netbios addresses are 16-octet addresses typically composed of 1 to 15 -characters, trailing blank (ascii char 20) filled, with a 16th octet of -0x0. The type of Netbios addresses is 20 (0x14). - - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -8.2. KDC messages - -8.2.1. UDP/IP transport - -When contacting a Kerberos server (KDC) for a KRB_KDC_REQ request using UDP -IP transport, the client shall send a UDP datagram containing only an -encoding of the request to port 88 (decimal) at the KDC's IP address; the -KDC will respond with a reply datagram containing only an encoding of the -reply message (either a KRB_ERROR or a KRB_KDC_REP) to the sending port at -the sender's IP address. Kerberos servers supporting IP transport must -accept UDP requests on port 88 (decimal). The response to a request made -through UDP/IP transport must also use UDP/IP transport. - -8.2.2. TCP/IP transport [Westerlund,Danielsson] - -Kerberos servers (KDC's) should accept TCP requests on port 88 (decimal) -and clients should support the sending of TCP requests on port 88 -(decimal). When the KRB_KDC_REQ message is sent to the KDC over a TCP -stream, a new connection will be established for each authentication -exchange (request and response). The KRB_KDC_REP or KRB_ERROR message will -be returned to the client on the same TCP stream that was established for -the request. The response to a request made through TCP/IP transport must -also use TCP/IP transport. Implementors should note that some extentions to -the Kerberos protocol will not work if any implementation not supporting -the TCP transport is involved (client or KDC). Implementors are strongly -urged to support the TCP transport on both the client and server and are -advised that the current notation of "should" support will likely change in -the future to must support. 
The KDC may close the TCP stream after sending -a response, but may leave the stream open if it expects a followup - in -which case it may close the stream at any time if resource constratints or -other factors make it desirable to do so. Care must be taken in managing -TCP/IP connections with the KDC to prevent denial of service attacks based -on the number of TCP/IP connections with the KDC that remain open. If -multiple exchanges with the KDC are needed for certain forms of -preauthentication, multiple TCP connections may be required. A client may -close the stream after receiving response, and should close the stream if -it does not expect to send followup messages. The client must be prepared -to have the stream closed by the KDC at anytime, in which case it must -simply connect again when it is ready to send subsequent messages. - -The first four octets of the TCP stream used to transmit the request -request will encode in network byte order the length of the request -(KRB_KDC_REQ), and the length will be followed by the request itself. The -response will similarly be preceeded by a 4 octet encoding in network byte -order of the length of the KRB_KDC_REP or the KRB_ERROR message and will be -followed by the KRB_KDC_REP or the KRB_ERROR response. If the sign bit is -set on integer represented by the first 4 octets, then the next 4 octets -will be read, extending the length of the field by another 4 octets (less 1 -bit). - -8.2.3. 
OSI transport - -During authentication of an OSI client to an OSI server, the mutual -authentication of an OSI server to an OSI client, the transfer of -credentials from an OSI client to an OSI server, or during exchange of -private or integrity checked messages, Kerberos protocol messages may be -treated as opaque objects and the type of the authentication mechanism will -be: - - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -OBJECT IDENTIFIER ::= {iso (1), org(3), dod(6),internet(1), -security(5),kerberosv5(2)} - -Depending on the situation, the opaque object will be an authentication -header (KRB_AP_REQ), an authentication reply (KRB_AP_REP), a safe message -(KRB_SAFE), a private message (KRB_PRIV), or a credentials message -(KRB_CRED). The opaque data contains an application code as specified in -the ASN.1 description for each message. The application code may be used by -Kerberos to determine the message type. - -8.2.3. Name of the TGS - -The principal identifier of the ticket-granting service shall be composed -of three parts: (1) the realm of the KDC issuing the TGS ticket (2) a -two-part name of type NT-SRV-INST, with the first part "krbtgt" and the -second part the name of the realm which will accept the ticket-granting -ticket. For example, a ticket-granting ticket issued by the ATHENA.MIT.EDU -realm to be used to get tickets from the ATHENA.MIT.EDU KDC has a principal -identifier of "ATHENA.MIT.EDU" (realm), ("krbtgt", "ATHENA.MIT.EDU") -(name). A ticket-granting ticket issued by the ATHENA.MIT.EDU realm to be -used to get tickets from the MIT.EDU realm has a principal identifier of -"ATHENA.MIT.EDU" (realm), ("krbtgt", "MIT.EDU") (name). - -8.3. Protocol constants and associated values - -The following tables list constants used in the protocol and defines their -meanings. 
Ranges are specified in the "specification" section that limit -the values of constants for which values are defined here. This allows -implementations to make assumptions about the maximum values that will be -received for these constants. Implementation receiving values outside the -range specified in the "specification" section may reject the request, but -they must recover cleanly. - -Encryption type etype value block size minimum pad size confounder -size -NULL 0 1 0 0 -des-cbc-crc 1 8 4 8 -des-cbc-md4 2 8 0 8 -des-cbc-md5 3 8 0 8 - 4 -des3-cbc-md5 5 8 0 8 - 6 -des3-cbc-sha1 7 8 0 8 -sign-dsa-generate 8 (pkinit) -encrypt-rsa-priv 9 (pkinit) -encrypt-rsa-pub 10 (pkinit) -rsa-pub-md5 11 (pkinit) -rsa-pub-sha1 12 (pkinit) -des3kd-cbc-sha1 ?? 8 0 8 -ENCTYPE_PK_CROSS 48 (reserved for pkcross) - 0x8003 - -Checksum type sumtype value checksum size -CRC32 1 4 -rsa-md4 2 16 -rsa-md4-des 3 24 -des-mac 4 16 -des-mac-k 5 8 -rsa-md4-des-k 6 16 -rsa-md5 7 16 -rsa-md5-des 8 24 - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -rsa-md5-des3 9 24 -hmac-sha1-des3 12 20 (I had this as 10, is it -12) - -padata type padata-type value - -PA-TGS-REQ 1 -PA-ENC-TIMESTAMP 2 -PA-PW-SALT 3 - 4 -PA-ENC-UNIX-TIME 5 -PA-SANDIA-SECUREID 6 -PA-SESAME 7 -PA-OSF-DCE 8 -PA-CYBERSAFE-SECUREID 9 -PA-AFS3-SALT 10 -PA-ETYPE-INFO 11 -SAM-CHALLENGE 12 (sam/otp) -SAM-RESPONSE 13 (sam/otp) -PA-PK-AS-REQ 14 (pkinit) -PA-PK-AS-REP 15 (pkinit) -PA-PK-AS-SIGN 16 (pkinit) -PA-PK-KEY-REQ 17 (pkinit) -PA-PK-KEY-REP 18 (pkinit) -PA-USE-SPECIFIED-KVNO 20 - -authorization data type ad-type value -AD-KDC-ISSUED 1 -AD-INTENDED-FOR-SERVER 2 -AD-INTENDED-FOR-APPLICATION-CLASS 3 -AD-IF-RELEVANT 4 -AD-OR 5 -AD-MANDATORY-TICKET-EXTENSIONS 6 -AD-IN-TICKET-EXTENSIONS 7 -reserved values 8-63 -OSF-DCE 64 -SESAME 65 - -Ticket Extension Types - -TE-TYPE-NULL 0 Null ticket extension -TE-TYPE-EXTERNAL-ADATA 1 Integrity protected authorization data - 2 
TE-TYPE-PKCROSS-KDC (I have reservations) -TE-TYPE-PKCROSS-CLIENT 3 PKCROSS cross realm key ticket -TE-TYPE-CYBERSAFE-EXT 4 Assigned to CyberSafe Corp - 5 TE-TYPE-DEST-HOST (I have reservations) - -alternate authentication type method-type value -reserved values 0-63 -ATT-CHALLENGE-RESPONSE 64 - -transited encoding type tr-type value -DOMAIN-X500-COMPRESS 1 -reserved values all others - -Label Value Meaning or MIT code - -pvno 5 current Kerberos protocol version number - -message types - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - -KRB_AS_REQ 10 Request for initial authentication -KRB_AS_REP 11 Response to KRB_AS_REQ request -KRB_TGS_REQ 12 Request for authentication based on TGT -KRB_TGS_REP 13 Response to KRB_TGS_REQ request -KRB_AP_REQ 14 application request to server -KRB_AP_REP 15 Response to KRB_AP_REQ_MUTUAL -KRB_SAFE 20 Safe (checksummed) application message -KRB_PRIV 21 Private (encrypted) application message -KRB_CRED 22 Private (encrypted) message to forward -credentials -KRB_ERROR 30 Error response - -name types - -KRB_NT_UNKNOWN 0 Name type not known -KRB_NT_PRINCIPAL 1 Just the name of the principal as in DCE, or for -users -KRB_NT_SRV_INST 2 Service and other unique instance (krbtgt) -KRB_NT_SRV_HST 3 Service with host name as instance (telnet, -rcommands) -KRB_NT_SRV_XHST 4 Service with host as remaining components -KRB_NT_UID 5 Unique ID -KRB_NT_X500_PRINCIPAL 6 Encoded X.509 Distingished name [RFC 2253] - -error codes - -KDC_ERR_NONE 0 No error -KDC_ERR_NAME_EXP 1 Client's entry in database has expired -KDC_ERR_SERVICE_EXP 2 Server's entry in database has expired -KDC_ERR_BAD_PVNO 3 Requested protocol version number not -supported -KDC_ERR_C_OLD_MAST_KVNO 4 Client's key encrypted in old master key -KDC_ERR_S_OLD_MAST_KVNO 5 Server's key encrypted in old master key -KDC_ERR_C_PRINCIPAL_UNKNOWN 6 Client not found in Kerberos database -KDC_ERR_S_PRINCIPAL_UNKNOWN 7 Server not found 
in Kerberos database -KDC_ERR_PRINCIPAL_NOT_UNIQUE 8 Multiple principal entries in database -KDC_ERR_NULL_KEY 9 The client or server has a null key -KDC_ERR_CANNOT_POSTDATE 10 Ticket not eligible for postdating -KDC_ERR_NEVER_VALID 11 Requested start time is later than end -time -KDC_ERR_POLICY 12 KDC policy rejects request -KDC_ERR_BADOPTION 13 KDC cannot accommodate requested option -KDC_ERR_ETYPE_NOSUPP 14 KDC has no support for encryption type -KDC_ERR_SUMTYPE_NOSUPP 15 KDC has no support for checksum type -KDC_ERR_PADATA_TYPE_NOSUPP 16 KDC has no support for padata type -KDC_ERR_TRTYPE_NOSUPP 17 KDC has no support for transited type -KDC_ERR_CLIENT_REVOKED 18 Clients credentials have been revoked -KDC_ERR_SERVICE_REVOKED 19 Credentials for server have been revoked -KDC_ERR_TGT_REVOKED 20 TGT has been revoked -KDC_ERR_CLIENT_NOTYET 21 Client not yet valid - try again later -KDC_ERR_SERVICE_NOTYET 22 Server not yet valid - try again later -KDC_ERR_KEY_EXPIRED 23 Password has expired - change password -to reset -KDC_ERR_PREAUTH_FAILED 24 Pre-authentication information was -invalid -KDC_ERR_PREAUTH_REQUIRED 25 Additional pre-authenticationrequired -[40] -KDC_ERR_SERVER_NOMATCH 26 Requested server and ticket don't match -KDC_ERR_MUST_USE_USER2USER 27 Server principal valid for user2user -only -KDC_ERR_PATH_NOT_ACCPETED 28 KDC Policy rejects transited path -KRB_AP_ERR_BAD_INTEGRITY 31 Integrity check on decrypted field -failed -KRB_AP_ERR_TKT_EXPIRED 32 Ticket expired -KRB_AP_ERR_TKT_NYV 33 Ticket not yet valid -KRB_AP_ERR_REPEAT 34 Request is a replay -KRB_AP_ERR_NOT_US 35 The ticket isn't for us -KRB_AP_ERR_BADMATCH 36 Ticket and authenticator don't match - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -KRB_AP_ERR_SKEW 37 Clock skew too great -KRB_AP_ERR_BADADDR 38 Incorrect net address -KRB_AP_ERR_BADVERSION 39 Protocol version mismatch -KRB_AP_ERR_MSG_TYPE 40 Invalid msg type -KRB_AP_ERR_MODIFIED 
41 Message stream modified -KRB_AP_ERR_BADORDER 42 Message out of order -KRB_AP_ERR_BADKEYVER 44 Specified version of key is not -available -KRB_AP_ERR_NOKEY 45 Service key not available -KRB_AP_ERR_MUT_FAIL 46 Mutual authentication failed -KRB_AP_ERR_BADDIRECTION 47 Incorrect message direction -KRB_AP_ERR_METHOD 48 Alternative authentication method -required -KRB_AP_ERR_BADSEQ 49 Incorrect sequence number in message -KRB_AP_ERR_INAPP_CKSUM 50 Inappropriate type of checksum in -message -KRB_AP_PATH_NOT_ACCEPTED 51 Policy rejects transited path -KRB_ERR_RESPONSE_TOO_BIG 52 Response too big for UDP, retry with TCP -KRB_ERR_GENERIC 60 Generic error (description in e-text) -KRB_ERR_FIELD_TOOLONG 61 Field is too long for this -implementation -KDC_ERROR_CLIENT_NOT_TRUSTED 62 (pkinit) -KDC_ERROR_KDC_NOT_TRUSTED 63 (pkinit) -KDC_ERROR_INVALID_SIG 64 (pkinit) -KDC_ERR_KEY_TOO_WEAK 65 (pkinit) -KDC_ERR_CERTIFICATE_MISMATCH 66 (pkinit) - -9. Interoperability requirements - -Version 5 of the Kerberos protocol supports a myriad of options. Among -these are multiple encryption and checksum types, alternative encoding -schemes for the transited field, optional mechanisms for -pre-authentication, the handling of tickets with no addresses, options for -mutual authentication, user to user authentication, support for proxies, -forwarding, postdating, and renewing tickets, the format of realm names, -and the handling of authorization data. - -In order to ensure the interoperability of realms, it is necessary to -define a minimal configuration which must be supported by all -implementations. This minimal configuration is subject to change as -technology does. For example, if at some later date it is discovered that -one of the required encryption or checksum algorithms is not secure, it -will be replaced. - -9.1. Specification 2 - -This section defines the second specification of these options. 
-Implementations which are configured in this way can be said to support -Kerberos Version 5 Specification 2 (5.1). Specification 1 (depricated) may -be found in RFC1510. - -Transport - -TCP/IP and UDP/IP transport must be supported by KDCs claiming conformance -to specification 2. Kerberos clients claiming conformance to specification -2 must support UDP/IP transport for messages with the KDC and should -support TCP/IP transport. - -Encryption and checksum methods - -The following encryption and checksum mechanisms must be supported. -Implementations may support other mechanisms as well, but the additional -mechanisms may only be used when communicating with principals known to - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -also support them: This list is to be determined. - -Encryption: DES-CBC-MD5 -Checksums: CRC-32, DES-MAC, DES-MAC-K, and DES-MD5 - -Realm Names - -All implementations must understand hierarchical realms in both the -Internet Domain and the X.500 style. When a ticket granting ticket for an -unknown realm is requested, the KDC must be able to determine the names of -the intermediate realms between the KDCs realm and the requested realm. - -Transited field encoding - -DOMAIN-X500-COMPRESS (described in section 3.3.3.2) must be supported. -Alternative encodings may be supported, but they may be used only when that -encoding is supported by ALL intermediate realms. - -Pre-authentication methods - -The TGS-REQ method must be supported. The TGS-REQ method is not used on the -initial request. The PA-ENC-TIMESTAMP method must be supported by clients -but whether it is enabled by default may be determined on a realm by realm -basis. If not used in the initial request and the error -KDC_ERR_PREAUTH_REQUIRED is returned specifying PA-ENC-TIMESTAMP as an -acceptable method, the client should retry the initial request using the -PA-ENC-TIMESTAMP preauthentication method. 
Servers need not support the -PA-ENC-TIMESTAMP method, but if not supported the server should ignore the -presence of PA-ENC-TIMESTAMP pre-authentication in a request. - -Mutual authentication - -Mutual authentication (via the KRB_AP_REP message) must be supported. - -Ticket addresses and flags - -All KDC's must pass on tickets that carry no addresses (i.e. if a TGT -contains no addresses, the KDC will return derivative tickets), but each -realm may set its own policy for issuing such tickets, and each application -server will set its own policy with respect to accepting them. - -Proxies and forwarded tickets must be supported. Individual realms and -application servers can set their own policy on when such tickets will be -accepted. - -All implementations must recognize renewable and postdated tickets, but -need not actually implement them. If these options are not supported, the -starttime and endtime in the ticket shall specify a ticket's entire useful -life. When a postdated ticket is decoded by a server, all implementations -shall make the presence of the postdated flag visible to the calling -server. - -User-to-user authentication - -Support for user to user authentication (via the ENC-TKT-IN-SKEY KDC -option) must be provided by implementations, but individual realms may -decide as a matter of policy to reject such requests on a per-principal or -realm-wide basis. - - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -Authorization data - -Implementations must pass all authorization data subfields from -ticket-granting tickets to any derivative tickets unless directed to -suppress a subfield as part of the definition of that registered subfield -type (it is never incorrect to pass on a subfield, and no registered -subfield types presently specify suppression at the KDC). - -Implementations must make the contents of any authorization data subfields -available to the server when a ticket is used. 
Implementations are not -required to allow clients to specify the contents of the authorization data -fields. - -Constant ranges - -All protocol constants are constrained to 32 bit (signed) values unless -further constrained by the protocol definition. This limit is provided to -allow implementations to make assumptions about the maximum values that -will be received for these constants. Implementation receiving values -outside this range may reject the request, but they must recover cleanly. - -9.2. Recommended KDC values - -Following is a list of recommended values for a KDC implementation, based -on the list of suggested configuration constants (see section 4.4). - -minimum lifetime 5 minutes -maximum renewable lifetime 1 week -maximum ticket lifetime 1 day -empty addresses only when suitable restrictions appear - in authorization data -proxiable, etc. Allowed. - -10. REFERENCES - -[NT94] B. Clifford Neuman and Theodore Y. Ts'o, "An Authenti- - cation Service for Computer Networks," IEEE Communica- - tions Magazine, Vol. 32(9), pp. 33-38 (September 1994). - -[MNSS87] S. P. Miller, B. C. Neuman, J. I. Schiller, and J. H. - Saltzer, Section E.2.1: Kerberos Authentication and - Authorization System, M.I.T. Project Athena, Cambridge, - Massachusetts (December 21, 1987). - -[SNS88] J. G. Steiner, B. C. Neuman, and J. I. Schiller, "Ker- - beros: An Authentication Service for Open Network Sys- - tems," pp. 191-202 in Usenix Conference Proceedings, - Dallas, Texas (February, 1988). - -[NS78] Roger M. Needham and Michael D. Schroeder, "Using - Encryption for Authentication in Large Networks of Com- - puters," Communications of the ACM, Vol. 21(12), - pp. 993-999 (December, 1978). - -[DS81] Dorothy E. Denning and Giovanni Maria Sacco, "Time- - stamps in Key Distribution Protocols," Communications - of the ACM, Vol. 24(8), pp. 533-536 (August 1981). - -[KNT92] John T. Kohl, B. Clifford Neuman, and Theodore Y. 
Ts'o, - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - "The Evolution of the Kerberos Authentication Service," - in an IEEE Computer Society Text soon to be published - (June 1992). - -[Neu93] B. Clifford Neuman, "Proxy-Based Authorization and - Accounting for Distributed Systems," in Proceedings of - the 13th International Conference on Distributed Com- - puting Systems, Pittsburgh, PA (May, 1993). - -[DS90] Don Davis and Ralph Swick, "Workstation Services and - Kerberos Authentication at Project Athena," Technical - Memorandum TM-424, MIT Laboratory for Computer Science - (February 1990). - -[LGDSR87] P. J. Levine, M. R. Gretzinger, J. M. Diaz, W. E. Som- - merfeld, and K. Raeburn, Section E.1: Service Manage- - ment System, M.I.T. Project Athena, Cambridge, Mas- - sachusetts (1987). - -[X509-88] CCITT, Recommendation X.509: The Directory Authentica- - tion Framework, December 1988. - -[Pat92]. J. Pato, Using Pre-Authentication to Avoid Password - Guessing Attacks, Open Software Foundation DCE Request - for Comments 26 (December 1992). - -[DES77] National Bureau of Standards, U.S. Department of Com- - merce, "Data Encryption Standard," Federal Information - Processing Standards Publication 46, Washington, DC - (1977). - -[DESM80] National Bureau of Standards, U.S. Department of Com- - merce, "DES Modes of Operation," Federal Information - Processing Standards Publication 81, Springfield, VA - (December 1980). - -[SG92] Stuart G. Stubblebine and Virgil D. Gligor, "On Message - Integrity in Cryptographic Protocols," in Proceedings - of the IEEE Symposium on Research in Security and - Privacy, Oakland, California (May 1992). - -[IS3309] International Organization for Standardization, "ISO - Information Processing Systems - Data Communication - - High-Level Data Link Control Procedure - Frame Struc- - ture," IS 3309 (October 1984). 3rd Edition. - -[MD4-92] R. 
Rivest, "The MD4 Message Digest Algorithm," RFC - 1320, MIT Laboratory for Computer Science (April - 1992). - -[MD5-92] R. Rivest, "The MD5 Message Digest Algorithm," RFC - 1321, MIT Laboratory for Computer Science (April - 1992). - -[KBC96] H. Krawczyk, M. Bellare, and R. Canetti, "HMAC: Keyed- - Hashing for Message Authentication," Working Draft - draft-ietf-ipsec-hmac-md5-01.txt, (August 1996). - -[Horowitz96] Horowitz, M., "Key Derivation for Authentication, - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - Integrity, and Privacy", draft-horowitz-key-derivation-02.txt, - August 1998. - -[HorowitzB96] Horowitz, M., "Key Derivation for Kerberos V5", draft- - horowitz-kerb-key-derivation-01.txt, September 1998. - -[Krawczyk96] Krawczyk, H., Bellare, and M., Canetti, R., "HMAC: - Keyed-Hashing for Message Authentication", draft-ietf-ipsec-hmac- - md5-01.txt, August, 1996. - -A. Pseudo-code for protocol processing - -This appendix provides pseudo-code describing how the messages are to be -constructed and interpreted by clients and servers. - -A.1. 
KRB_AS_REQ generation
-
- request.pvno := protocol version; /* pvno = 5 */
- request.msg-type := message type; /* type = KRB_AS_REQ */
-
- if(pa_enc_timestamp_required) then
- request.padata.padata-type = PA-ENC-TIMESTAMP;
- get system_time;
- padata-body.patimestamp,pausec = system_time;
- encrypt padata-body into request.padata.padata-value
- using client.key; /* derived from password */
- endif
-
- body.kdc-options := users's preferences;
- body.cname := user's name;
- body.realm := user's realm;
- body.sname := service's name; /* usually "krbtgt", "localrealm" */
- if (body.kdc-options.POSTDATED is set) then
- body.from := requested starting time;
- else
- omit body.from;
- endif
- body.till := requested end time;
- if (body.kdc-options.RENEWABLE is set) then
- body.rtime := requested final renewal time;
- endif
- body.nonce := random_nonce();
- body.etype := requested etypes;
- if (user supplied addresses) then
- body.addresses := user's addresses;
- else
- omit body.addresses;
- endif
- omit body.enc-authorization-data;
- request.req-body := body;
-
- kerberos := lookup(name of local kerberos server (or servers));
- send(packet,kerberos);
-
- wait(for response);
- if (timed_out) then
- retry or use alternate server;
- endif
-
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-A.2.
KRB_AS_REQ verification and KRB_AS_REP generation
-
- decode message into req;
-
- client := lookup(req.cname,req.realm);
- server := lookup(req.sname,req.realm);
-
- get system_time;
- kdc_time := system_time.seconds;
-
- if (!client) then
- /* no client in Database */
- error_out(KDC_ERR_C_PRINCIPAL_UNKNOWN);
- endif
- if (!server) then
- /* no server in Database */
- error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN);
- endif
-
- if(client.pa_enc_timestamp_required and
- pa_enc_timestamp not present) then
- error_out(KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP));
- endif
-
- if(pa_enc_timestamp present) then
- decrypt req.padata-value into decrypted_enc_timestamp
- using client.key;
- using auth_hdr.authenticator.subkey;
- if (decrypt_error()) then
- error_out(KRB_AP_ERR_BAD_INTEGRITY);
- if(decrypted_enc_timestamp is not within allowable skew)
-then
- error_out(KDC_ERR_PREAUTH_FAILED);
- endif
- if(decrypted_enc_timestamp and usec is replay)
- error_out(KDC_ERR_PREAUTH_FAILED);
- endif
- add decrypted_enc_timestamp and usec to replay cache;
- endif
-
- use_etype := first supported etype in req.etypes;
-
- if (no support for req.etypes) then
- error_out(KDC_ERR_ETYPE_NOSUPP);
- endif
-
- new_tkt.vno := ticket version; /* = 5 */
- new_tkt.sname := req.sname;
- new_tkt.srealm := req.srealm;
- reset all flags in new_tkt.flags;
-
- /* It should be noted that local policy may affect the */
- /* processing of any of these flags.
For example, some */
- /* realms may refuse to issue renewable tickets */
-
- if (req.kdc-options.FORWARDABLE is set) then
- set new_tkt.flags.FORWARDABLE;
- endif
- if (req.kdc-options.PROXIABLE is set) then
- set new_tkt.flags.PROXIABLE;
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
- endif
-
- if (req.kdc-options.ALLOW-POSTDATE is set) then
- set new_tkt.flags.MAY-POSTDATE;
- endif
- if ((req.kdc-options.RENEW is set) or
- (req.kdc-options.VALIDATE is set) or
- (req.kdc-options.PROXY is set) or
- (req.kdc-options.FORWARDED is set) or
- (req.kdc-options.ENC-TKT-IN-SKEY is set)) then
- error_out(KDC_ERR_BADOPTION);
- endif
-
- new_tkt.session := random_session_key();
- new_tkt.cname := req.cname;
- new_tkt.crealm := req.crealm;
- new_tkt.transited := empty_transited_field();
-
- new_tkt.authtime := kdc_time;
-
- if (req.kdc-options.POSTDATED is set) then
- if (against_postdate_policy(req.from)) then
- error_out(KDC_ERR_POLICY);
- endif
- set new_tkt.flags.POSTDATED;
- set new_tkt.flags.INVALID;
- new_tkt.starttime := req.from;
- else
- omit new_tkt.starttime; /* treated as authtime when omitted */
- endif
- if (req.till = 0) then
- till := infinity;
- else
- till := req.till;
- endif
-
- new_tkt.endtime := min(till,
- new_tkt.starttime+client.max_life,
- new_tkt.starttime+server.max_life,
- new_tkt.starttime+max_life_for_realm);
-
- if ((req.kdc-options.RENEWABLE-OK is set) and
- (new_tkt.endtime < req.till)) then
- /* we set the RENEWABLE option for later processing */
- set req.kdc-options.RENEWABLE;
- req.rtime := req.till;
- endif
-
- if (req.rtime = 0) then
- rtime := infinity;
- else
- rtime := req.rtime;
- endif
-
- if (req.kdc-options.RENEWABLE is set) then
- set new_tkt.flags.RENEWABLE;
- new_tkt.renew-till := min(rtime,
-
-new_tkt.starttime+client.max_rlife,
-
-new_tkt.starttime+server.max_rlife,
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03
November 18 1998
-
-
-
-new_tkt.starttime+max_rlife_for_realm);
- else
- omit new_tkt.renew-till; /* only present if RENEWABLE */
- endif
-
- if (req.addresses) then
- new_tkt.caddr := req.addresses;
- else
- omit new_tkt.caddr;
- endif
-
- new_tkt.authorization_data := empty_authorization_data();
-
- encode to-be-encrypted part of ticket into OCTET STRING;
- new_tkt.enc-part := encrypt OCTET STRING
- using etype_for_key(server.key), server.key, server.p_kvno;
-
- /* Start processing the response */
-
- resp.pvno := 5;
- resp.msg-type := KRB_AS_REP;
- resp.cname := req.cname;
- resp.crealm := req.realm;
- resp.ticket := new_tkt;
-
- resp.key := new_tkt.session;
- resp.last-req := fetch_last_request_info(client);
- resp.nonce := req.nonce;
- resp.key-expiration := client.expiration;
- resp.flags := new_tkt.flags;
-
- resp.authtime := new_tkt.authtime;
- resp.starttime := new_tkt.starttime;
- resp.endtime := new_tkt.endtime;
-
- if (new_tkt.flags.RENEWABLE) then
- resp.renew-till := new_tkt.renew-till;
- endif
-
- resp.realm := new_tkt.realm;
- resp.sname := new_tkt.sname;
-
- resp.caddr := new_tkt.caddr;
-
- encode body of reply into OCTET STRING;
-
- resp.enc-part := encrypt OCTET STRING
- using use_etype, client.key, client.p_kvno;
- send(resp);
-
-A.3.
KRB_AS_REP verification
-
- decode response into resp;
-
- if (resp.msg-type = KRB_ERROR) then
- if(error = KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP)) then
- set pa_enc_timestamp_required;
- goto KRB_AS_REQ;
- endif
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
- process_error(resp);
- return;
- endif
-
- /* On error, discard the response, and zero the session key */
- /* from the response immediately */
-
- key = get_decryption_key(resp.enc-part.kvno, resp.enc-part.etype,
- resp.padata);
- unencrypted part of resp := decode of decrypt of resp.enc-part
- using resp.enc-part.etype and key;
- zero(key);
-
- if (common_as_rep_tgs_rep_checks fail) then
- destroy resp.key;
- return error;
- endif
-
- if near(resp.princ_exp) then
- print(warning message);
- endif
- save_for_later(ticket,session,client,server,times,flags);
-
-A.4. KRB_AS_REP and KRB_TGS_REP common checks
-
- if (decryption_error() or
- (req.cname != resp.cname) or
- (req.realm != resp.crealm) or
- (req.sname != resp.sname) or
- (req.realm != resp.realm) or
- (req.nonce != resp.nonce) or
- (req.addresses != resp.caddr)) then
- destroy resp.key;
- return KRB_AP_ERR_MODIFIED;
- endif
-
- /* make sure no flags are set that shouldn't be, and that all that
-*/
- /* should be are set
-*/
- if (!check_flags_for_compatability(req.kdc-options,resp.flags)) then
- destroy resp.key;
- return KRB_AP_ERR_MODIFIED;
- endif
-
- if ((req.from = 0) and
- (resp.starttime is not within allowable skew)) then
- destroy resp.key;
- return KRB_AP_ERR_SKEW;
- endif
- if ((req.from != 0) and (req.from != resp.starttime)) then
- destroy resp.key;
- return KRB_AP_ERR_MODIFIED;
- endif
- if ((req.till != 0) and (resp.endtime > req.till)) then
- destroy resp.key;
- return KRB_AP_ERR_MODIFIED;
- endif
-
- if ((req.kdc-options.RENEWABLE is set) and
- (req.rtime != 0) and (resp.renew-till > req.rtime)) then
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT
draft-ietf-cat-kerberos-r-03 November 18 1998 - - - destroy resp.key; - return KRB_AP_ERR_MODIFIED; - endif - if ((req.kdc-options.RENEWABLE-OK is set) and - (resp.flags.RENEWABLE) and - (req.till != 0) and - (resp.renew-till > req.till)) then - destroy resp.key; - return KRB_AP_ERR_MODIFIED; - endif - -A.5. KRB_TGS_REQ generation - - /* Note that make_application_request might have to recursivly -*/ - /* call this routine to get the appropriate ticket-granting ticket -*/ - - request.pvno := protocol version; /* pvno = 5 */ - request.msg-type := message type; /* type = KRB_TGS_REQ */ - - body.kdc-options := users's preferences; - /* If the TGT is not for the realm of the end-server */ - /* then the sname will be for a TGT for the end-realm */ - /* and the realm of the requested ticket (body.realm) */ - /* will be that of the TGS to which the TGT we are */ - /* sending applies */ - body.sname := service's name; - body.realm := service's realm; - - if (body.kdc-options.POSTDATED is set) then - body.from := requested starting time; - else - omit body.from; - endif - body.till := requested end time; - if (body.kdc-options.RENEWABLE is set) then - body.rtime := requested final renewal time; - endif - body.nonce := random_nonce(); - body.etype := requested etypes; - if (user supplied addresses) then - body.addresses := user's addresses; - else - omit body.addresses; - endif - - body.enc-authorization-data := user-supplied data; - if (body.kdc-options.ENC-TKT-IN-SKEY) then - body.additional-tickets_ticket := second TGT; - endif - - request.req-body := body; - check := generate_checksum (req.body,checksumtype); - - request.padata[0].padata-type := PA-TGS-REQ; - request.padata[0].padata-value := create a KRB_AP_REQ using - the TGT and checksum - - /* add in any other padata as required/supplied */ - kerberos := lookup(name of local kerberose server (or servers)); - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - 
- send(packet,kerberos); - - wait(for response); - if (timed_out) then - retry or use alternate server; - endif - -A.6. KRB_TGS_REQ verification and KRB_TGS_REP generation - - /* note that reading the application request requires first - determining the server for which a ticket was issued, and choosing -the - correct key for decryption. The name of the server appears in the - plaintext part of the ticket. */ - - if (no KRB_AP_REQ in req.padata) then - error_out(KDC_ERR_PADATA_TYPE_NOSUPP); - endif - verify KRB_AP_REQ in req.padata; - - /* Note that the realm in which the Kerberos server is operating is - determined by the instance from the ticket-granting ticket. The -realm - in the ticket-granting ticket is the realm under which the ticket - granting ticket was issued. It is possible for a single Kerberos - server to support more than one realm. */ - - auth_hdr := KRB_AP_REQ; - tgt := auth_hdr.ticket; - - if (tgt.sname is not a TGT for local realm and is not req.sname) -then - error_out(KRB_AP_ERR_NOT_US); - - realm := realm_tgt_is_for(tgt); - - decode remainder of request; - - if (auth_hdr.authenticator.cksum is missing) then - error_out(KRB_AP_ERR_INAPP_CKSUM); - endif - - if (auth_hdr.authenticator.cksum type is not supported) then - error_out(KDC_ERR_SUMTYPE_NOSUPP); - endif - if (auth_hdr.authenticator.cksum is not both collision-proof and -keyed) then - error_out(KRB_AP_ERR_INAPP_CKSUM); - endif - - set computed_checksum := checksum(req); - if (computed_checksum != auth_hdr.authenticatory.cksum) then - error_out(KRB_AP_ERR_MODIFIED); - endif - - server := lookup(req.sname,realm); - - if (!server) then - if (is_foreign_tgt_name(req.sname)) then - server := best_intermediate_tgs(req.sname); - else - /* no server in Database */ - error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN); - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - endif - endif - - session := generate_random_session_key(); - - use_etype := 
first supported etype in req.etypes; - - if (no support for req.etypes) then - error_out(KDC_ERR_ETYPE_NOSUPP); - endif - - new_tkt.vno := ticket version; /* = 5 */ - new_tkt.sname := req.sname; - new_tkt.srealm := realm; - reset all flags in new_tkt.flags; - - /* It should be noted that local policy may affect the */ - /* processing of any of these flags. For example, some */ - /* realms may refuse to issue renewable tickets */ - - new_tkt.caddr := tgt.caddr; - resp.caddr := NULL; /* We only include this if they change */ - if (req.kdc-options.FORWARDABLE is set) then - if (tgt.flags.FORWARDABLE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.FORWARDABLE; - endif - if (req.kdc-options.FORWARDED is set) then - if (tgt.flags.FORWARDABLE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.FORWARDED; - new_tkt.caddr := req.addresses; - resp.caddr := req.addresses; - endif - if (tgt.flags.FORWARDED is set) then - set new_tkt.flags.FORWARDED; - endif - - if (req.kdc-options.PROXIABLE is set) then - if (tgt.flags.PROXIABLE is reset) - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.PROXIABLE; - endif - if (req.kdc-options.PROXY is set) then - if (tgt.flags.PROXIABLE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.PROXY; - new_tkt.caddr := req.addresses; - resp.caddr := req.addresses; - endif - - if (req.kdc-options.ALLOW-POSTDATE is set) then - if (tgt.flags.MAY-POSTDATE is reset) - error_out(KDC_ERR_BADOPTION); - endif - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - set new_tkt.flags.MAY-POSTDATE; - endif - if (req.kdc-options.POSTDATED is set) then - if (tgt.flags.MAY-POSTDATE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.POSTDATED; - set new_tkt.flags.INVALID; - if (against_postdate_policy(req.from)) then - error_out(KDC_ERR_POLICY); - endif - new_tkt.starttime := req.from; - endif - - if 
(req.kdc-options.VALIDATE is set) then - if (tgt.flags.INVALID is reset) then - error_out(KDC_ERR_POLICY); - endif - if (tgt.starttime > kdc_time) then - error_out(KRB_AP_ERR_NYV); - endif - if (check_hot_list(tgt)) then - error_out(KRB_AP_ERR_REPEAT); - endif - tkt := tgt; - reset new_tkt.flags.INVALID; - endif - - if (req.kdc-options.(any flag except ENC-TKT-IN-SKEY, RENEW, - and those already processed) is set) then - error_out(KDC_ERR_BADOPTION); - endif - - new_tkt.authtime := tgt.authtime; - - if (req.kdc-options.RENEW is set) then - /* Note that if the endtime has already passed, the ticket would -*/ - /* have been rejected in the initial authentication stage, so -*/ - /* there is no need to check again here -*/ - if (tgt.flags.RENEWABLE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - if (tgt.renew-till < kdc_time) then - error_out(KRB_AP_ERR_TKT_EXPIRED); - endif - tkt := tgt; - new_tkt.starttime := kdc_time; - old_life := tgt.endttime - tgt.starttime; - new_tkt.endtime := min(tgt.renew-till, - new_tkt.starttime + old_life); - else - new_tkt.starttime := kdc_time; - if (req.till = 0) then - till := infinity; - else - till := req.till; - endif - - new_tkt.endtime := min(till, - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - new_tkt.starttime+client.max_life, - new_tkt.starttime+server.max_life, - new_tkt.starttime+max_life_for_realm, - tgt.endtime); - - if ((req.kdc-options.RENEWABLE-OK is set) and - (new_tkt.endtime < req.till) and - (tgt.flags.RENEWABLE is set) then - /* we set the RENEWABLE option for later processing -*/ - set req.kdc-options.RENEWABLE; - req.rtime := min(req.till, tgt.renew-till); - endif - endif - - if (req.rtime = 0) then - rtime := infinity; - else - rtime := req.rtime; - endif - - if ((req.kdc-options.RENEWABLE is set) and - (tgt.flags.RENEWABLE is set)) then - set new_tkt.flags.RENEWABLE; - new_tkt.renew-till := min(rtime, - 
-new_tkt.starttime+client.max_rlife, - -new_tkt.starttime+server.max_rlife, - -new_tkt.starttime+max_rlife_for_realm, - tgt.renew-till); - else - new_tkt.renew-till := OMIT; /* leave the renew-till field -out */ - endif - if (req.enc-authorization-data is present) then - decrypt req.enc-authorization-data into -decrypted_authorization_data - using auth_hdr.authenticator.subkey; - if (decrypt_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - endif - new_tkt.authorization_data := req.auth_hdr.ticket.authorization_data -+ - decrypted_authorization_data; - - new_tkt.key := session; - new_tkt.crealm := tgt.crealm; - new_tkt.cname := req.auth_hdr.ticket.cname; - - if (realm_tgt_is_for(tgt) := tgt.realm) then - /* tgt issued by local realm */ - new_tkt.transited := tgt.transited; - else - /* was issued for this realm by some other realm */ - if (tgt.transited.tr-type not supported) then - error_out(KDC_ERR_TRTYPE_NOSUPP); - endif - new_tkt.transited := compress_transited(tgt.transited + -tgt.realm) - /* Don't check tranited field if TGT for foreign realm, - * or requested not to check */ - if (is_not_foreign_tgt_name(new_tkt.server) - && req.kdc-options.DISABLE-TRANSITED-CHECK not set) then - - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - /* Check it, so end-server does not have to - * but don't fail, end-server may still accept it */ - if (check_transited_field(new_tkt.transited) == OK) - set new_tkt.flags.TRANSITED-POLICY-CHECKED; - endif - endif - endif - - encode encrypted part of new_tkt into OCTET STRING; - if (req.kdc-options.ENC-TKT-IN-SKEY is set) then - if (server not specified) then - server = req.second_ticket.client; - endif - if ((req.second_ticket is not a TGT) or - (req.second_ticket.client != server)) then - error_out(KDC_ERR_POLICY); - endif - - new_tkt.enc-part := encrypt OCTET STRING using - using etype_for_key(second-ticket.key), -second-ticket.key; - else - 
new_tkt.enc-part := encrypt OCTET STRING - using etype_for_key(server.key), server.key, -server.p_kvno; - endif - - resp.pvno := 5; - resp.msg-type := KRB_TGS_REP; - resp.crealm := tgt.crealm; - resp.cname := tgt.cname; - resp.ticket := new_tkt; - - resp.key := session; - resp.nonce := req.nonce; - resp.last-req := fetch_last_request_info(client); - resp.flags := new_tkt.flags; - - resp.authtime := new_tkt.authtime; - resp.starttime := new_tkt.starttime; - resp.endtime := new_tkt.endtime; - - omit resp.key-expiration; - - resp.sname := new_tkt.sname; - resp.realm := new_tkt.realm; - - if (new_tkt.flags.RENEWABLE) then - resp.renew-till := new_tkt.renew-till; - endif - - encode body of reply into OCTET STRING; - - if (req.padata.authenticator.subkey) - resp.enc-part := encrypt OCTET STRING using use_etype, - req.padata.authenticator.subkey; - else resp.enc-part := encrypt OCTET STRING using use_etype, tgt.key; - - send(resp); - -A.7. KRB_TGS_REP verification - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - - decode response into resp; - - if (resp.msg-type = KRB_ERROR) then - process_error(resp); - return; - endif - - /* On error, discard the response, and zero the session key from - the response immediately */ - - if (req.padata.authenticator.subkey) - unencrypted part of resp := decode of decrypt of -resp.enc-part - using resp.enc-part.etype and subkey; - else unencrypted part of resp := decode of decrypt of resp.enc-part - using resp.enc-part.etype and tgt's session -key; - if (common_as_rep_tgs_rep_checks fail) then - destroy resp.key; - return error; - endif - - check authorization_data as necessary; - save_for_later(ticket,session,client,server,times,flags); - -A.8. 
Authenticator generation - - body.authenticator-vno := authenticator vno; /* = 5 */ - body.cname, body.crealm := client name; - if (supplying checksum) then - body.cksum := checksum; - endif - get system_time; - body.ctime, body.cusec := system_time; - if (selecting sub-session key) then - select sub-session key; - body.subkey := sub-session key; - endif - if (using sequence numbers) then - select initial sequence number; - body.seq-number := initial sequence; - endif - -A.9. KRB_AP_REQ generation - - obtain ticket and session_key from cache; - - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_AP_REQ */ - - if (desired(MUTUAL_AUTHENTICATION)) then - set packet.ap-options.MUTUAL-REQUIRED; - else - reset packet.ap-options.MUTUAL-REQUIRED; - endif - if (using session key for ticket) then - set packet.ap-options.USE-SESSION-KEY; - else - reset packet.ap-options.USE-SESSION-KEY; - endif - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - - packet.ticket := ticket; /* ticket */ - generate authenticator; - encode authenticator into OCTET STRING; - encrypt OCTET STRING into packet.authenticator using session_key; - -A.10. 
KRB_AP_REQ verification - - receive packet; - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_AP_REQ) then - error_out(KRB_AP_ERR_MSG_TYPE); - endif - if (packet.ticket.tkt_vno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.ap_options.USE-SESSION-KEY is set) then - retrieve session key from ticket-granting ticket for - packet.ticket.{sname,srealm,enc-part.etype}; - else - retrieve service key for - packet.ticket.{sname,srealm,enc-part.etype,enc-part.skvno}; - endif - if (no_key_available) then - if (cannot_find_specified_skvno) then - error_out(KRB_AP_ERR_BADKEYVER); - else - error_out(KRB_AP_ERR_NOKEY); - endif - endif - decrypt packet.ticket.enc-part into decr_ticket using retrieved key; - if (decryption_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - decrypt packet.authenticator into decr_authenticator - using decr_ticket.key; - if (decryption_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - if (decr_authenticator.{cname,crealm} != - decr_ticket.{cname,crealm}) then - error_out(KRB_AP_ERR_BADMATCH); - endif - if (decr_ticket.caddr is present) then - if (sender_address(packet) is not in decr_ticket.caddr) then - error_out(KRB_AP_ERR_BADADDR); - endif - elseif (application requires addresses) then - error_out(KRB_AP_ERR_BADADDR); - endif - if (not in_clock_skew(decr_authenticator.ctime, - decr_authenticator.cusec)) then - error_out(KRB_AP_ERR_SKEW); - endif - if (repeated(decr_authenticator.{ctime,cusec,cname,crealm})) then - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - error_out(KRB_AP_ERR_REPEAT); - endif - save_identifier(decr_authenticator.{ctime,cusec,cname,crealm}); - get system_time; - if ((decr_ticket.starttime-system_time > CLOCK_SKEW) or - (decr_ticket.flags.INVALID is set)) then - /* it hasn't 
yet become valid */ - error_out(KRB_AP_ERR_TKT_NYV); - endif - if (system_time-decr_ticket.endtime > CLOCK_SKEW) then - error_out(KRB_AP_ERR_TKT_EXPIRED); - endif - if (decr_ticket.transited) then - /* caller may ignore the TRANSITED-POLICY-CHECKED and do - * check anyway */ - if (decr_ticket.flags.TRANSITED-POLICY-CHECKED not set) then - if (check_transited_field(decr_ticket.transited) then - error_out(KDC_AP_PATH_NOT_ACCPETED); - endif - endif - endif - /* caller must check decr_ticket.flags for any pertinent details */ - return(OK, decr_ticket, packet.ap_options.MUTUAL-REQUIRED); - -A.11. KRB_AP_REP generation - - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_AP_REP */ - - body.ctime := packet.ctime; - body.cusec := packet.cusec; - if (selecting sub-session key) then - select sub-session key; - body.subkey := sub-session key; - endif - if (using sequence numbers) then - select initial sequence number; - body.seq-number := initial sequence; - endif - - encode body into OCTET STRING; - - select encryption type; - encrypt OCTET STRING into packet.enc-part; - -A.12. 
KRB_AP_REP verification - - receive packet; - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_AP_REP) then - error_out(KRB_AP_ERR_MSG_TYPE); - endif - cleartext := decrypt(packet.enc-part) using ticket's session key; - if (decryption_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - if (cleartext.ctime != authenticator.ctime) then - error_out(KRB_AP_ERR_MUT_FAIL); - endif - if (cleartext.cusec != authenticator.cusec) then - error_out(KRB_AP_ERR_MUT_FAIL); - endif - if (cleartext.subkey is present) then - save cleartext.subkey for future use; - endif - if (cleartext.seq-number is present) then - save cleartext.seq-number for future verifications; - endif - return(AUTHENTICATION_SUCCEEDED); - -A.13. KRB_SAFE generation - - collect user data in buffer; - - /* assemble packet: */ - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_SAFE */ - - body.user-data := buffer; /* DATA */ - if (using timestamp) then - get system_time; - body.timestamp, body.usec := system_time; - endif - if (using sequence numbers) then - body.seq-number := sequence number; - endif - body.s-address := sender host addresses; - if (only one recipient) then - body.r-address := recipient host address; - endif - checksum.cksumtype := checksum type; - compute checksum over body; - checksum.checksum := checksum value; /* checksum.checksum */ - packet.cksum := checksum; - packet.safe-body := body; - -A.14. 
KRB_SAFE verification - - receive packet; - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_SAFE) then - error_out(KRB_AP_ERR_MSG_TYPE); - endif - if (packet.checksum.cksumtype is not both collision-proof and keyed) -then - error_out(KRB_AP_ERR_INAPP_CKSUM); - endif - if (safe_priv_common_checks_ok(packet)) then - set computed_checksum := checksum(packet.body); - if (computed_checksum != packet.checksum) then - error_out(KRB_AP_ERR_MODIFIED); - endif - return (packet, PACKET_IS_GENUINE); - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - else - return common_checks_error; - endif - -A.15. KRB_SAFE and KRB_PRIV common checks - - if (packet.s-address != O/S_sender(packet)) then - /* O/S report of sender not who claims to have sent it */ - error_out(KRB_AP_ERR_BADADDR); - endif - if ((packet.r-address is present) and - (packet.r-address != local_host_address)) then - /* was not sent to proper place */ - error_out(KRB_AP_ERR_BADADDR); - endif - if (((packet.timestamp is present) and - (not in_clock_skew(packet.timestamp,packet.usec))) or - (packet.timestamp is not present and timestamp expected)) then - error_out(KRB_AP_ERR_SKEW); - endif - if (repeated(packet.timestamp,packet.usec,packet.s-address)) then - error_out(KRB_AP_ERR_REPEAT); - endif - - if (((packet.seq-number is present) and - ((not in_sequence(packet.seq-number)))) or - (packet.seq-number is not present and sequence expected)) then - error_out(KRB_AP_ERR_BADORDER); - endif - if (packet.timestamp not present and packet.seq-number not present) -then - error_out(KRB_AP_ERR_MODIFIED); - endif - - save_identifier(packet.{timestamp,usec,s-address}, - sender_principal(packet)); - - return PACKET_IS_OK; - -A.16. 
KRB_PRIV generation - - collect user data in buffer; - - /* assemble packet: */ - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_PRIV */ - - packet.enc-part.etype := encryption type; - - body.user-data := buffer; - if (using timestamp) then - get system_time; - body.timestamp, body.usec := system_time; - endif - if (using sequence numbers) then - body.seq-number := sequence number; - endif - body.s-address := sender host addresses; - if (only one recipient) then - body.r-address := recipient host address; - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - endif - - encode body into OCTET STRING; - - select encryption type; - encrypt OCTET STRING into packet.enc-part.cipher; - -A.17. KRB_PRIV verification - - receive packet; - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_PRIV) then - error_out(KRB_AP_ERR_MSG_TYPE); - endif - - cleartext := decrypt(packet.enc-part) using negotiated key; - if (decryption_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - - if (safe_priv_common_checks_ok(cleartext)) then - return(cleartext.DATA, PACKET_IS_GENUINE_AND_UNMODIFIED); - else - return common_checks_error; - endif - -A.18. 
KRB_CRED generation - - invoke KRB_TGS; /* obtain tickets to be provided to peer */ - - /* assemble packet: */ - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_CRED */ - - for (tickets[n] in tickets to be forwarded) do - packet.tickets[n] = tickets[n].ticket; - done - - packet.enc-part.etype := encryption type; - - for (ticket[n] in tickets to be forwarded) do - body.ticket-info[n].key = tickets[n].session; - body.ticket-info[n].prealm = tickets[n].crealm; - body.ticket-info[n].pname = tickets[n].cname; - body.ticket-info[n].flags = tickets[n].flags; - body.ticket-info[n].authtime = tickets[n].authtime; - body.ticket-info[n].starttime = tickets[n].starttime; - body.ticket-info[n].endtime = tickets[n].endtime; - body.ticket-info[n].renew-till = tickets[n].renew-till; - body.ticket-info[n].srealm = tickets[n].srealm; - body.ticket-info[n].sname = tickets[n].sname; - body.ticket-info[n].caddr = tickets[n].caddr; - done - - get system_time; - body.timestamp, body.usec := system_time; - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - - if (using nonce) then - body.nonce := nonce; - endif - - if (using s-address) then - body.s-address := sender host addresses; - endif - if (limited recipients) then - body.r-address := recipient host address; - endif - - encode body into OCTET STRING; - - select encryption type; - encrypt OCTET STRING into packet.enc-part.cipher - using negotiated encryption key; - -A.19. 
KRB_CRED verification - - receive packet; - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_CRED) then - error_out(KRB_AP_ERR_MSG_TYPE); - endif - - cleartext := decrypt(packet.enc-part) using negotiated key; - if (decryption_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - if ((packet.r-address is present or required) and - (packet.s-address != O/S_sender(packet)) then - /* O/S report of sender not who claims to have sent it */ - error_out(KRB_AP_ERR_BADADDR); - endif - if ((packet.r-address is present) and - (packet.r-address != local_host_address)) then - /* was not sent to proper place */ - error_out(KRB_AP_ERR_BADADDR); - endif - if (not in_clock_skew(packet.timestamp,packet.usec)) then - error_out(KRB_AP_ERR_SKEW); - endif - if (repeated(packet.timestamp,packet.usec,packet.s-address)) then - error_out(KRB_AP_ERR_REPEAT); - endif - if (packet.nonce is required or present) and - (packet.nonce != expected-nonce) then - error_out(KRB_AP_ERR_MODIFIED); - endif - - for (ticket[n] in tickets that were forwarded) do - save_for_later(ticket[n],key[n],principal[n], - server[n],times[n],flags[n]); - return - - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -A.20. KRB_ERROR generation - - /* assemble packet: */ - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_ERROR */ - - get system_time; - packet.stime, packet.susec := system_time; - packet.realm, packet.sname := server name; - - if (client time available) then - packet.ctime, packet.cusec := client_time; - endif - packet.error-code := error code; - if (client name available) then - packet.cname, packet.crealm := client name; - endif - if (error text available) then - packet.e-text := error text; - endif - if (error data available) then - packet.e-data := error data; - endif - -B. 
Definition of common authorization data elements - -This appendix contains the definitions of common authorization data -elements. These common authorization data elements are recursivly defined, -meaning the ad-data for these types will itself contain a sequence of -authorization data whose interpretation is affected by the encapsulating -element. Depending on the meaning of the encapsulating element, the -encapsulated elements may be ignored, might be interpreted as issued -directly by the KDC, or they might be stored in a separate plaintext part -of the ticket. The types of the encapsulating elements are specified as -part of the Kerberos specification because the behavior based on these -values should be understood across implementations whereas other elements -need only be understood by the applications which they affect. - -In the definitions that follow, the value of the ad-type for the element -will be specified in the subsection number, and the value of the ad-data -will be as shown in the ASN.1 structure that follows the subsection -heading. - -B.1. KDC Issued - -AD-KDCIssued SEQUENCE { - ad-checksum[0] Checksum, - i-realm[1] Realm OPTIONAL, - i-sname[2] PrincipalName OPTIONAL, - elements[3] AuthorizationData. -} - -ad-checksum - A checksum over the elements field using a cryptographic checksum - method that is identical to the checksum used to protect the ticket - itself (i.e. using the same hash function and the same encryption - algorithm used to encrypt the ticket) and using a key derived from the - same key used to protect the ticket. -i-realm, i-sname - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - The name of the issuing principal if different from the KDC itself. - This field would be used when the KDC can verify the authenticity of - elements signed by the issuing principal and it allows this KDC to - notify the application server of the validity of those elements. 
-elements - A sequence of authorization data elements issued by the KDC. - -The KDC-issued ad-data field is intended to provide a means for Kerberos -principal credentials to embed within themselves privilege attributes and -other mechanisms for positive authorization, amplifying the priveleges of -the principal beyond what can be done using a credentials without such an -a-data element. - -This can not be provided without this element because the definition of the -authorization-data field allows elements to be added at will by the bearer -of a TGT at the time that they request service tickets and elements may -also be added to a delegated ticket by inclusion in the authenticator. - -For KDC-issued elements this is prevented because the elements are signed -by the KDC by including a checksum encrypted using the server's key (the -same key used to encrypt the ticket - or a key derived from that key). -Elements encapsulated with in the KDC-issued element will be ignored by the -application server if this "signature" is not present. Further, elements -encapsulated within this element from a ticket granting ticket may be -interpreted by the KDC, and used as a basis according to policy for -including new signed elements within derivative tickets, but they will not -be copied to a derivative ticket directly. If they are copied directly to a -derivative ticket by a KDC that is not aware of this element, the signature -will not be correct for the application ticket elements, and the field will -be ignored by the application server. - -This element and the elements it encapulates may be safely ignored by -applications, application servers, and KDCs that do not implement this -element. - -B.2. 
Intended for server - -AD-INTENDED-FOR-SERVER SEQUENCE { - intended-server[0] SEQUENCE OF PrincipalName - elements[1] AuthorizationData -} - -AD elements encapsulated within the intended-for-server element may be -ignored if the application server is not in the list of principal names of -intended servers. Further, a KDC issuing a ticket for an application server -can remove this element if the application server is not in the list of -intended servers. - -Application servers should check for their principal name in the -intended-server field of this element. If their principal name is not -found, this element should be ignored. If found, then the encapsulated -elements should be evaluated in the same manner as if they were present in -the top level authorization data field. Applications and application -servers that do not implement this element should reject tickets that -contain authorization data elements of this type. - -B.3. Intended for application class - -AD-INTENDED-FOR-APPLICATION-CLASS SEQUENCE { intended-application-class[0] - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -SEQUENCE OF GeneralString elements[1] AuthorizationData } AD elements -encapsulated within the intended-for-application-class element may be -ignored if the application server is not in one of the named classes of -application servers. Examples of application server classes include -"FILESYSTEM", and other kinds of servers. - -This element and the elements it encapulates may be safely ignored by -applications, application servers, and KDCs that do not implement this -element. - -B.4. If relevant - -AD-IF-RELEVANT AuthorizationData - -AD elements encapsulated within the if-relevant element are intended for -interpretation only by application servers that understand the particular -ad-type of the embedded element. 
Application servers that do not understand -the type of an element embedded within the if-relevant element may ignore -the uninterpretable element. This element promotes interoperability across -implementations which may have local extensions for authorization. - -B.5. And-Or - -AD-AND-OR SEQUENCE { - condition-count[0] INTEGER, - elements[1] AuthorizationData -} - -When restrictive AD elements encapsulated within the and-or element are -encountered, only the number specified in condition-count of the -encapsulated conditions must be met in order to satisfy this element. This -element may be used to implement an "or" operation by setting the -condition-count field to 1, and it may specify an "and" operation by -setting the condition count to the number of embedded elements. Application -servers that do not implement this element must reject tickets that contain -authorization data elements of this type. - -B.6. Mandatory ticket extensions - -AD-Mandatory-Ticket-Extensions Checksum - -An authorization data element of type mandatory-ticket-extensions specifies -a collision-proof checksum using the same hash algorithm used to protect -the integrity of the ticket itself. This checksum will be calculated over -an individual extension field. If there are more than one extension, -multiple Mandatory-Ticket-Extensions authorization data elements may be -present, each with a checksum for a different extension field. This -restriction indicates that the ticket should not be accepted if a ticket -extension is not present in the ticket for which the checksum does not -match that checksum specified in the authorization data element. -Application servers that do not implement this element must reject tickets -that contain authorization data elements of this type. - -B.7. 
Authorization Data in ticket extensions - -AD-IN-Ticket-Extensions Checksum - -An authorization data element of type in-ticket-extensions specifies a -collision-proof checksum using the same hash algorithm used to protect the - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -integrity of the ticket itself. This checksum is calculated over a separate -external AuthorizationData field carried in the ticket extensions. -Application servers that do not implement this element must reject tickets -that contain authorization data elements of this type. Application servers -that do implement this element will search the ticket extensions for -authorization data fields, calculate the specified checksum over each -authorization data field and look for one matching the checksum in this -in-ticket-extensions element. If not found, then the ticket must be -rejected. If found, the corresponding authorization data elements will be -interpreted in the same manner as if they were contained in the top level -authorization data field. - -Note that if multiple external authorization data fields are present in a -ticket, each will have a corresponding element of type in-ticket-extensions -in the top level authorization data field, and the external entries will be -linked to the corresponding element by their checksums. - -C. Definition of common ticket extensions - -This appendix contains the definitions of common ticket extensions. Support -for these extensions is optional. However, certain extensions have -associated authorization data elements that may require rejection of a -ticket containing an extension by application servers that do not implement -the particular extension. Other extensions have been defined beyond those -described in this specification. Such extensions are described elswhere and -for some of those extensions the reserved number may be found in the list -of constants. 
- -It is known that older versions of Kerberos did not support this field, and -that some clients will strip this field from a ticket when they parse and -then reassemble a ticket as it is passed to the application servers. The -presence of the extension will not break such clients, but any functionaly -dependent on the extensions will not work when such tickets are handled by -old clients. In such situations, some implementation may use alternate -methods to transmit the information in the extensions field. - -C.1. Null ticket extension - -TE-NullExtension OctetString -- The empty Octet String - -The te-data field in the null ticket extension is an octet string of lenght -zero. This extension may be included in a ticket granting ticket so that -the KDC can determine on presentation of the ticket granting ticket whether -the client software will strip the extensions field. - -C.2. External Authorization Data - -TE-ExternalAuthorizationData AuthorizationData - -The te-data field in the external authorization data ticket extension is -field of type AuthorizationData containing one or more authorization data -elements. If present, a corresponding authorization data element will be -present in the primary authorization data for the ticket and that element -will contain a checksum of the external authorization data ticket -extension. - ------------------------------------------------------------------------ -[TM] Project Athena, Athena, and Kerberos are trademarks of the -Massachusetts Institute of Technology (MIT). No commercial use of these -trademarks may be made without prior written permission of MIT. - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - -[1] Note, however, that many applications use Kerberos' functions only upon -the initiation of a stream-based network connection. 
Unless an application -subsequently provides integrity protection for the data stream, the -identity verification applies only to the initiation of the connection, and -does not guarantee that subsequent messages on the connection originate -from the same principal. - -[2] Secret and private are often used interchangeably in the literature. In -our usage, it takes two (or more) to share a secret, thus a shared DES key -is a secret key. Something is only private when no one but its owner knows -it. Thus, in public key cryptosystems, one has a public and a private key. - -[3] Of course, with appropriate permission the client could arrange -registration of a separately-named prin- cipal in a remote realm, and -engage in normal exchanges with that realm's services. However, for even -small numbers of clients this becomes cumbersome, and more automatic -methods as described here are necessary. - -[4] Though it is permissible to request or issue tick- ets with no network -addresses specified. - -[5] The password-changing request must not be honored unless the requester -can provide the old password (the user's current secret key). Otherwise, it -would be possible for someone to walk up to an unattended ses- sion and -change another user's password. - -[6] To authenticate a user logging on to a local system, the credentials -obtained in the AS exchange may first be used in a TGS exchange to obtain -credentials for a local server. Those credentials must then be verified by -a local server through successful completion of the Client/Server exchange. - -[7] "Random" means that, among other things, it should be impossible to -guess the next session key based on knowledge of past session keys. This -can only be achieved in a pseudo-random number generator if it is based on -cryptographic principles. It is more desirable to use a truly random number -generator, such as one based on measurements of random physical phenomena. 
- -[8] Tickets contain both an encrypted and unencrypted portion, so cleartext -here refers to the entire unit, which can be copied from one message and -replayed in another without any cryptographic skill. - -[9] Note that this can make applications based on unreliable transports -difficult to code correctly. If the transport might deliver duplicated -messages, either a new authenticator must be generated for each retry, or -the application server must match requests and replies and replay the first -reply in response to a detected duplicate. - -[10] This is used for user-to-user authentication as described in [8]. - -[11] Note that the rejection here is restricted to authenticators from the -same principal to the same server. Other client principals communicating -with the same server principal should not be have their authenticators -rejected if the time and microsecond fields happen to match some other -client's authenticator. - -[12] In the Kerberos version 4 protocol, the timestamp in the reply was the -client's timestamp plus one. This is not necessary in version 5 because -version 5 messages are formatted in such a way that it is not possible to - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -create the reply by judicious message surgery (even in encrypted form) -without knowledge of the appropriate encryption keys. - -[13] Note that for encrypting the KRB_AP_REP message, the sub-session key -is not used, even if present in the Authenticator. - -[14] Implementations of the protocol may wish to provide routines to choose -subkeys based on session keys and random numbers and to generate a -negotiated key to be returned in the KRB_AP_REP message. - -[15]This can be accomplished in several ways. It might be known beforehand -(since the realm is part of the principal identifier), it might be stored -in a nameserver, or it might be obtained from a configura- tion file. 
If -the realm to be used is obtained from a nameserver, there is a danger of -being spoofed if the nameservice providing the realm name is not authenti- -cated. This might result in the use of a realm which has been compromised, -and would result in an attacker's ability to compromise the authentication -of the application server to the client. - -[16] If the client selects a sub-session key, care must be taken to ensure -the randomness of the selected sub- session key. One approach would be to -generate a random number and XOR it with the session key from the -ticket-granting ticket. - -[17] This allows easy implementation of user-to-user authentication [8], -which uses ticket-granting ticket session keys in lieu of secret server -keys in situa- tions where such secret keys could be easily comprom- ised. - -[18] For the purpose of appending, the realm preceding the first listed -realm is considered to be the null realm (""). - -[19] For the purpose of interpreting null subfields, the client's realm is -considered to precede those in the transited field, and the server's realm -is considered to follow them. - -[20] This means that a client and server running on the same host and -communicating with one another using the KRB_SAFE messages should not share -a common replay cache to detect KRB_SAFE replays. - -[21] The implementation of the Kerberos server need not combine the -database and the server on the same machine; it is feasible to store the -principal database in, say, a network name service, as long as the entries -stored therein are protected from disclosure to and modification by -unauthorized parties. However, we recommend against such strategies, as -they can make system management and threat analysis quite complex. - -[22] See the discussion of the padata field in section 5.4.2 for details on -why this can be useful. 
- -[23] Warning for implementations that unpack and repack data structures -during the generation and verification of embedded checksums: Because any -checksums applied to data structures must be checked against the original -data the length of bit strings must be preserved within a data structure -between the time that a checksum is generated through transmission to the -time that the checksum is verified. - -[24] It is NOT recommended that this time value be used to adjust the -workstation's clock since the workstation cannot reliably determine that -such a KRB_AS_REP actually came from the proper KDC in a timely manner. - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - -[25] Note, however, that if the time is used as the nonce, one must make -sure that the workstation time is monotonically increasing. If the time is -ever reset backwards, there is a small, but finite, probability that a -nonce will be reused. - -[27] An application code in the encrypted part of a message provides an -additional check that the message was decrypted properly. - -[29] An application code in the encrypted part of a message provides an -additional check that the message was decrypted properly. - -[31] An application code in the encrypted part of a message provides an -additional check that the message was decrypted properly. - -[32] If supported by the encryption method in use, an initialization vector -may be passed to the encryption procedure, in order to achieve proper -cipher chaining. The initialization vector might come from the last block -of the ciphertext from the previous KRB_PRIV message, but it is the -application's choice whether or not to use such an initialization vector. -If left out, the default initialization vector for the encryption algorithm -will be used. 
- -[33] This prevents an attacker who generates an incorrect AS request from -obtaining verifiable plaintext for use in an off-line password guessing -attack. - -[35] In the above specification, UNTAGGED OCTET STRING(length) is the -notation for an octet string with its tag and length removed. It is not a -valid ASN.1 type. The tag bits and length must be removed from the -confounder since the purpose of the confounder is so that the message -starts with random data, but the tag and its length are fixed. For other -fields, the length and tag would be redundant if they were included because -they are specified by the encryption type. [36] The ordering of the fields -in the CipherText is important. Additionally, messages encoded in this -format must include a length as part of the msg-seq field. This allows the -recipient to verify that the message has not been truncated. Without a -length, an attacker could use a chosen plaintext attack to generate a -message which could be truncated, while leaving the checksum intact. Note -that if the msg-seq is an encoding of an ASN.1 SEQUENCE or OCTET STRING, -then the length is part of that encoding. - -[37] In some cases, it may be necessary to use a different "mix-in" string -for compatibility reasons; see the discussion of padata in section 5.4.2. - -[38] In some cases, it may be necessary to use a different "mix-in" string -for compatibility reasons; see the discussion of padata in section 5.4.2. - -[39] A variant of the key is used to limit the use of a key to a particular -function, separating the functions of generating a checksum from other -encryption performed using the session key. The constant F0F0F0F0F0F0F0F0 -was chosen because it maintains key parity. The properties of DES precluded -the use of the complement. The same constant is used for similar purpose in -the Message Integrity Check in the Privacy Enhanced Mail standard. - -[40] This error carries additional information in the e- data field. 
The
-contents of the e-data field for this message is described in section
-5.9.1.
-
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-revisions-05.txt b/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-revisions-05.txt
deleted file mode 100644
index 15921248c1..0000000000
--- a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-revisions-05.txt
+++ /dev/null
@@ -1,6866 +0,0 @@
-INTERNET-DRAFT Clifford Neuman
- John Kohl
- Theodore Ts'o
- March 10, 2000
- Expires September 10, 2000
-
-The Kerberos Network Authentication Service (V5)
-draft-ietf-cat-kerberos-revisions-05.txt
-
-STATUS OF THIS MEMO
-
-This document is an Internet-Draft and is in full conformance with all
-provisions of Section 10 of RFC 2026. Internet-Drafts are working documents
-of the Internet Engineering Task Force (IETF), its areas, and its working
-groups. Note that other groups may also distribute working documents as
-Internet-Drafts.
-
-Internet-Drafts are draft documents valid for a maximum of six months and
-may be updated, replaced, or obsoleted by other documents at any time. It is
-inappropriate to use Internet-Drafts as reference material or to cite them
-other than as "work in progress."
-
-The list of current Internet-Drafts can be accessed at
-http://www.ietf.org/ietf/1id-abstracts.txt
-
-The list of Internet-Draft Shadow Directories can be accessed at
-http://www.ietf.org/shadow.html.
-
-To learn the current status of any Internet-Draft, please check the
-"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
-Directories on ftp.ietf.org (US East Coast), nic.nordu.net (Europe),
-ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).
-
-The distribution of this memo is unlimited. It is filed as
-draft-ietf-cat-kerberos-revisions-05.txt, and expires September 10, 2000.
-Please send comments to: krb-protocol@MIT.EDU
-
-ABSTRACT
-
-This document provides an overview and specification of Version 5 of the
-Kerberos protocol, and updates RFC1510 to clarify aspects of the protocol
-and its intended use that require more detailed or clearer explanation than
-was provided in RFC1510. This document is intended to provide a detailed
-description of the protocol, suitable for implementation, together with
-descriptions of the appropriate use of protocol messages and fields within
-those messages.
- -This document is not intended to describe Kerberos to the end user, system -administrator, or application developer. Higher level papers describing -Version 5 of the Kerberos system [NT94] and documenting version 4 [SNS88], -are available elsewhere. - -OVERVIEW - -This INTERNET-DRAFT describes the concepts and model upon which the Kerberos -network authentication system is based. It also specifies Version 5 of the -Kerberos protocol. - -The motivations, goals, assumptions, and rationale behind most design -decisions are treated cursorily; they are more fully described in a paper - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - -available in IEEE communications [NT94] and earlier in the Kerberos portion -of the Athena Technical Plan [MNSS87]. The protocols have been a proposed -standard and are being considered for advancement for draft standard through -the IETF standard process. Comments are encouraged on the presentation, but -only minor refinements to the protocol as implemented or extensions that fit -within current protocol framework will be considered at this time. - -Requests for addition to an electronic mailing list for discussion of -Kerberos, kerberos@MIT.EDU, may be addressed to kerberos-request@MIT.EDU. -This mailing list is gatewayed onto the Usenet as the group -comp.protocols.kerberos. Requests for further information, including -documents and code availability, may be sent to info-kerberos@MIT.EDU. - -BACKGROUND - -The Kerberos model is based in part on Needham and Schroeder's trusted -third-party authentication protocol [NS78] and on modifications suggested by -Denning and Sacco [DS81]. 
The original design and implementation of Kerberos -Versions 1 through 4 was the work of two former Project Athena staff -members, Steve Miller of Digital Equipment Corporation and Clifford Neuman -(now at the Information Sciences Institute of the University of Southern -California), along with Jerome Saltzer, Technical Director of Project -Athena, and Jeffrey Schiller, MIT Campus Network Manager. Many other members -of Project Athena have also contributed to the work on Kerberos. - -Version 5 of the Kerberos protocol (described in this document) has evolved -from Version 4 based on new requirements and desires for features not -available in Version 4. The design of Version 5 of the Kerberos protocol was -led by Clifford Neuman and John Kohl with much input from the community. The -development of the MIT reference implementation was led at MIT by John Kohl -and Theodore T'so, with help and contributed code from many others. Since -RFC1510 was issued, extensions and revisions to the protocol have been -proposed by many individuals. Some of these proposals are reflected in this -document. Where such changes involved significant effort, the document cites -the contribution of the proposer. - -Reference implementations of both version 4 and version 5 of Kerberos are -publicly available and commercial implementations have been developed and -are widely used. Details on the differences between Kerberos Versions 4 and -5 can be found in [KNT92]. - -1. Introduction - -Kerberos provides a means of verifying the identities of principals, (e.g. a -workstation user or a network server) on an open (unprotected) network. This -is accomplished without relying on assertions by the host operating system, -without basing trust on host addresses, without requiring physical security -of all the hosts on the network, and under the assumption that packets -traveling along the network can be read, modified, and inserted at will[1]. 
-Kerberos performs authentication under these conditions as a trusted -third-party authentication service by using conventional (shared secret key -[2] cryptography. Kerberos extensions have been proposed and implemented -that provide for the use of public key cryptography during certain phases of -the authentication protocol. These extensions provide for authentication of -users registered with public key certification authorities, and allow the -system to provide certain benefits of public key cryptography in situations -where they are needed. - -The basic Kerberos authentication process proceeds as follows: A client - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - -sends a request to the authentication server (AS) requesting 'credentials' -for a given server. The AS responds with these credentials, encrypted in the -client's key. The credentials consist of 1) a 'ticket' for the server and 2) -a temporary encryption key (often called a "session key"). The client -transmits the ticket (which contains the client's identity and a copy of the -session key, all encrypted in the server's key) to the server. The session -key (now shared by the client and server) is used to authenticate the -client, and may optionally be used to authenticate the server. It may also -be used to encrypt further communication between the two parties or to -exchange a separate sub-session key to be used to encrypt further -communication. - -Implementation of the basic protocol consists of one or more authentication -servers running on physically secure hosts. The authentication servers -maintain a database of principals (i.e., users and servers) and their secret -keys. Code libraries provide encryption and implement the Kerberos protocol. 
-In order to add authentication to its transactions, a typical network -application adds one or two calls to the Kerberos library directly or -through the Generic Security Services Application Programming Interface, -GSSAPI, described in separate document. These calls result in the -transmission of the necessary messages to achieve authentication. - -The Kerberos protocol consists of several sub-protocols (or exchanges). -There are two basic methods by which a client can ask a Kerberos server for -credentials. In the first approach, the client sends a cleartext request for -a ticket for the desired server to the AS. The reply is sent encrypted in -the client's secret key. Usually this request is for a ticket-granting -ticket (TGT) which can later be used with the ticket-granting server (TGS). -In the second method, the client sends a request to the TGS. The client uses -the TGT to authenticate itself to the TGS in the same manner as if it were -contacting any other application server that requires Kerberos -authentication. The reply is encrypted in the session key from the TGT. -Though the protocol specification describes the AS and the TGS as separate -servers, they are implemented in practice as different protocol entry points -within a single Kerberos server. - -Once obtained, credentials may be used to verify the identity of the -principals in a transaction, to ensure the integrity of messages exchanged -between them, or to preserve privacy of the messages. The application is -free to choose whatever protection may be necessary. - -To verify the identities of the principals in a transaction, the client -transmits the ticket to the application server. Since the ticket is sent "in -the clear" (parts of it are encrypted, but this encryption doesn't thwart -replay) and might be intercepted and reused by an attacker, additional -information is sent to prove that the message originated with the principal -to whom the ticket was issued. 
This information (called the authenticator) -is encrypted in the session key, and includes a timestamp. The timestamp -proves that the message was recently generated and is not a replay. -Encrypting the authenticator in the session key proves that it was generated -by a party possessing the session key. Since no one except the requesting -principal and the server know the session key (it is never sent over the -network in the clear) this guarantees the identity of the client. - -The integrity of the messages exchanged between principals can also be -guaranteed using the session key (passed in the ticket and contained in the -credentials). This approach provides detection of both replay attacks and -message stream modification attacks. It is accomplished by generating and -transmitting a collision-proof checksum (elsewhere called a hash or digest - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - -function) of the client's message, keyed with the session key. Privacy and -integrity of the messages exchanged between principals can be secured by -encrypting the data to be passed using the session key contained in the -ticket or the subsession key found in the authenticator. - -The authentication exchanges mentioned above require read-only access to the -Kerberos database. Sometimes, however, the entries in the database must be -modified, such as when adding new principals or changing a principal's key. -This is done using a protocol between a client and a third Kerberos server, -the Kerberos Administration Server (KADM). There is also a protocol for -maintaining multiple copies of the Kerberos database. Neither of these -protocols are described in this document. - -1.1. Cross-Realm Operation - -The Kerberos protocol is designed to operate across organizational -boundaries. A client in one organization can be authenticated to a server in -another. 
Each organization wishing to run a Kerberos server establishes its -own 'realm'. The name of the realm in which a client is registered is part -of the client's name, and can be used by the end-service to decide whether -to honor a request. - -By establishing 'inter-realm' keys, the administrators of two realms can -allow a client authenticated in the local realm to prove its identity to -servers in other realms[3]. The exchange of inter-realm keys (a separate key -may be used for each direction) registers the ticket-granting service of -each realm as a principal in the other realm. A client is then able to -obtain a ticket-granting ticket for the remote realm's ticket-granting -service from its local realm. When that ticket-granting ticket is used, the -remote ticket-granting service uses the inter-realm key (which usually -differs from its own normal TGS key) to decrypt the ticket-granting ticket, -and is thus certain that it was issued by the client's own TGS. Tickets -issued by the remote ticket-granting service will indicate to the -end-service that the client was authenticated from another realm. - -A realm is said to communicate with another realm if the two realms share an -inter-realm key, or if the local realm shares an inter-realm key with an -intermediate realm that communicates with the remote realm. An -authentication path is the sequence of intermediate realms that are -transited in communicating from one realm to another. - -Realms are typically organized hierarchically. Each realm shares a key with -its parent and a different key with each child. If an inter-realm key is not -directly shared by two realms, the hierarchical organization allows an -authentication path to be easily constructed. If a hierarchical organization -is not used, it may be necessary to consult a database in order to construct -an authentication path between realms. 
- -Although realms are typically hierarchical, intermediate realms may be -bypassed to achieve cross-realm authentication through alternate -authentication paths (these might be established to make communication -between two realms more efficient). It is important for the end-service to -know which realms were transited when deciding how much faith to place in -the authentication process. To facilitate this decision, a field in each -ticket contains the names of the realms that were involved in authenticating -the client. - -The application server is ultimately responsible for accepting or rejecting -authentication and should check the transited field. The application server - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - -may choose to rely on the KDC for the application server's realm to check -the transited field. The application server's KDC will set the -TRANSITED-POLICY-CHECKED flag in this case. The KDC's for intermediate -realms may also check the transited field as they issue -ticket-granting-tickets for other realms, but they are encouraged not to do -so. A client may request that the KDC's not check the transited field by -setting the DISABLE-TRANSITED-CHECK flag. KDC's are encouraged but not -required to honor this flag. - -1.2. Authorization - -As an authentication service, Kerberos provides a means of verifying the -identity of principals on a network. Authentication is usually useful -primarily as a first step in the process of authorization, determining -whether a client may use a service, which objects the client is allowed to -access, and the type of access allowed for each. Kerberos does not, by -itself, provide authorization. 
Possession of a client ticket for a service -provides only for authentication of the client to that service, and in the -absence of a separate authorization procedure, it should not be considered -by an application as authorizing the use of that service. - -Such separate authorization methods may be implemented as application -specific access control functions and may be based on files such as the -application server, or on separately issued authorization credentials such -as those based on proxies [Neu93], or on other authorization services. -Separately authenticated authorization credentials may be embedded in a -tickets authorization data when encapsulated by the kdc-issued authorization -data element. - -Applications should not be modified to accept the mere issuance of a service -ticket by the Kerberos server (even by a modified Kerberos server) as -granting authority to use the service, since such applications may become -vulnerable to the bypass of this authorization check in an environment if -they interoperate with other KDCs or where other options for application -authentication (e.g. the PKTAPP proposal) are provided. - -1.3. Environmental assumptions - -Kerberos imposes a few assumptions on the environment in which it can -properly function: - - * 'Denial of service' attacks are not solved with Kerberos. There are - places in these protocols where an intruder can prevent an application - from participating in the proper authentication steps. Detection and - solution of such attacks (some of which can appear to be nnot-uncommon - 'normal' failure modes for the system) is usually best left to the - human administrators and users. - * Principals must keep their secret keys secret. If an intruder somehow - steals a principal's key, it will be able to masquerade as that - principal or impersonate any server to the legitimate principal. - * 'Password guessing' attacks are not solved by Kerberos. 
If a user - chooses a poor password, it is possible for an attacker to successfully - mount an offline dictionary attack by repeatedly attempting to decrypt, - with successive entries from a dictionary, messages obtained which are - encrypted under a key derived from the user's password. - * Each host on the network must have a clock which is 'loosely - synchronized' to the time of the other hosts; this synchronization is - used to reduce the bookkeeping needs of application servers when they - do replay detection. The degree of "looseness" can be configured on a - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - per-server basis, but is typically on the order of 5 minutes. If the - clocks are synchronized over the network, the clock synchronization - protocol must itself be secured from network attackers. - * Principal identifiers are not recycled on a short-term basis. A typical - mode of access control will use access control lists (ACLs) to grant - permissions to particular principals. If a stale ACL entry remains for - a deleted principal and the principal identifier is reused, the new - principal will inherit rights specified in the stale ACL entry. By not - re-using principal identifiers, the danger of inadvertent access is - removed. - -1.4. Glossary of terms - -Below is a list of terms used throughout this document. - -Authentication - Verifying the claimed identity of a principal. -Authentication header - A record containing a Ticket and an Authenticator to be presented to a - server as part of the authentication process. -Authentication path - A sequence of intermediate realms transited in the authentication - process when communicating from one realm to another. -Authenticator - A record containing information that can be shown to have been recently - generated using the session key known only by the client and server. 
-Authorization - The process of determining whether a client may use a service, which - objects the client is allowed to access, and the type of access allowed - for each. -Capability - A token that grants the bearer permission to access an object or - service. In Kerberos, this might be a ticket whose use is restricted by - the contents of the authorization data field, but which lists no - network addresses, together with the session key necessary to use the - ticket. -Ciphertext - The output of an encryption function. Encryption transforms plaintext - into ciphertext. -Client - A process that makes use of a network service on behalf of a user. Note - that in some cases a Server may itself be a client of some other server - (e.g. a print server may be a client of a file server). -Credentials - A ticket plus the secret session key necessary to successfully use that - ticket in an authentication exchange. -KDC - Key Distribution Center, a network service that supplies tickets and - temporary session keys; or an instance of that service or the host on - which it runs. The KDC services both initial ticket and ticket-granting - ticket requests. The initial ticket portion is sometimes referred to as - the Authentication Server (or service). The ticket-granting ticket - portion is sometimes referred to as the ticket-granting server (or - service). -Kerberos - Aside from the 3-headed dog guarding Hades, the name given to Project - Athena's authentication service, the protocol used by that service, or - the code used to implement the authentication service. -Plaintext - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - The input to an encryption function or the output of a decryption - function. Decryption transforms ciphertext into plaintext. -Principal - A uniquely named client or server instance that participates in a - network communication. 
-Principal identifier
- The name used to uniquely identify each different principal.
-Seal
- To encipher a record containing several fields in such a way that the
- fields cannot be individually replaced without either knowledge of the
- encryption key or leaving evidence of tampering.
-Secret key
- An encryption key shared by a principal and the KDC, distributed
- outside the bounds of the system, with a long lifetime. In the case of
- a human user's principal, the secret key is derived from a password.
-Server
- A particular Principal which provides a resource to network clients.
- The server is sometimes refered to as the Application Server.
-Service
- A resource provided to network clients; often provided by more than one
- server (for example, remote file service).
-Session key
- A temporary encryption key used between two principals, with a lifetime
- limited to the duration of a single login "session".
-Sub-session key
- A temporary encryption key used between two principals, selected and
- exchanged by the principals using the session key, and with a lifetime
- limited to the duration of a single association.
-Ticket
- A record that helps a client authenticate itself to a server; it
- contains the client's identity, a session key, a timestamp, and other
- information, all sealed using the server's secret key. It only serves
- to authenticate a client when presented along with a fresh
- Authenticator.
-
-2. Ticket flag uses and requests
-
-Each Kerberos ticket contains a set of flags which are used to indicate
-various attributes of that ticket. Most flags may be requested by a client
-when the ticket is obtained; some are automatically turned on and off by a
-Kerberos server as required. The following sections explain what the various
-flags mean, and gives examples of reasons to use such a flag.
-
-2.1.
Initial and pre-authenticated tickets
-
-The INITIAL flag indicates that a ticket was issued using the AS protocol
-and not issued based on a ticket-granting ticket. Application servers that
-want to require the demonstrated knowledge of a client's secret key (e.g. a
-password-changing program) can insist that this flag be set in any tickets
-they accept, and thus be assured that the client's key was recently
-presented to the application client.
-
-The PRE-AUTHENT and HW-AUTHENT flags provide addition information about the
-initial authentication, regardless of whether the current ticket was issued
-directly (in which case INITIAL will also be set) or issued on the basis of
-a ticket-granting ticket (in which case the INITIAL flag is clear, but the
-PRE-AUTHENT and HW-AUTHENT flags are carried forward from the
-ticket-granting ticket).
-
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-2.2. Invalid tickets
-
-The INVALID flag indicates that a ticket is invalid. Application servers
-must reject tickets which have this flag set. A postdated ticket will
-usually be issued in this form. Invalid tickets must be validated by the KDC
-before use, by presenting them to the KDC in a TGS request with the VALIDATE
-option specified. The KDC will only validate tickets after their starttime
-has passed. The validation is required so that postdated tickets which have
-been stolen before their starttime can be rendered permanently invalid
-(through a hot-list mechanism) (see section 3.3.3.1).
-
-2.3. Renewable tickets
-
-Applications may desire to hold tickets which can be valid for long periods
-of time. However, this can expose their credentials to potential theft for
-equally long periods, and those stolen credentials would be valid until the
-expiration time of the ticket(s).
Simply using short-lived tickets and
-obtaining new ones periodically would require the client to have long-term
-access to its secret key, an even greater risk. Renewable tickets can be
-used to mitigate the consequences of theft. Renewable tickets have two
-"expiration times": the first is when the current instance of the ticket
-expires, and the second is the latest permissible value for an individual
-expiration time. An application client must periodically (i.e. before it
-expires) present a renewable ticket to the KDC, with the RENEW option set in
-the KDC request. The KDC will issue a new ticket with a new session key and
-a later expiration time. All other fields of the ticket are left unmodified
-by the renewal process. When the latest permissible expiration time arrives,
-the ticket expires permanently. At each renewal, the KDC may consult a
-hot-list to determine if the ticket had been reported stolen since its last
-renewal; it will refuse to renew such stolen tickets, and thus the usable
-lifetime of stolen tickets is reduced.
-
-The RENEWABLE flag in a ticket is normally only interpreted by the
-ticket-granting service (discussed below in section 3.3). It can usually be
-ignored by application servers. However, some particularly careful
-application servers may wish to disallow renewable tickets.
-
-If a renewable ticket is not renewed by its expiration time, the KDC will
-not renew the ticket. The RENEWABLE flag is reset by default, but a client
-may request it be set by setting the RENEWABLE option in the KRB_AS_REQ
-message. If it is set, then the renew-till field in the ticket contains the
-time after which the ticket may not be renewed.
-
-2.4. Postdated tickets
-
-Applications may occasionally need to obtain tickets for use much later,
-e.g. a batch submission system would need tickets to be valid at the time
-the batch job is serviced.
However, it is dangerous to hold valid tickets in
-a batch queue, since they will be on-line longer and more prone to theft.
-Postdated tickets provide a way to obtain these tickets from the KDC at job
-submission time, but to leave them "dormant" until they are activated and
-validated by a further request of the KDC. If a ticket theft were reported
-in the interim, the KDC would refuse to validate the ticket, and the thief
-would be foiled.
-
-The MAY-POSTDATE flag in a ticket is normally only interpreted by the
-ticket-granting service. It can be ignored by application servers. This flag
-must be set in a ticket-granting ticket in order to issue a postdated ticket
-based on the presented ticket. It is reset by default; it may be requested
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-by a client by setting the ALLOW-POSTDATE option in the KRB_AS_REQ message.
-This flag does not allow a client to obtain a postdated ticket-granting
-ticket; postdated ticket-granting tickets can only by obtained by requesting
-the postdating in the KRB_AS_REQ message. The life (endtime-starttime) of a
-postdated ticket will be the remaining life of the ticket-granting ticket at
-the time of the request, unless the RENEWABLE option is also set, in which
-case it can be the full life (endtime-starttime) of the ticket-granting
-ticket. The KDC may limit how far in the future a ticket may be postdated.
-
-The POSTDATED flag indicates that a ticket has been postdated. The
-application server can check the authtime field in the ticket to see when
-the original authentication occurred. Some services may choose to reject
-postdated tickets, or they may only accept them within a certain period
-after the original authentication. When the KDC issues a POSTDATED ticket,
-it will also be marked as INVALID, so that the application client must
-present the ticket to the KDC to be validated before use.
-
-2.5.
Proxiable and proxy tickets
-
-At times it may be necessary for a principal to allow a service to perform
-an operation on its behalf. The service must be able to take on the identity
-of the client, but only for a particular purpose. A principal can allow a
-service to take on the principal's identity for a particular purpose by
-granting it a proxy.
-
-The process of granting a proxy using the proxy and proxiable flags is used
-to provide credentials for use with specific services. Though conceptually
-also a proxy, user's wishing to delegate their identity for ANY purpose must
-use the ticket forwarding mechanism described in the next section to forward
-a ticket granting ticket.
-
-The PROXIABLE flag in a ticket is normally only interpreted by the
-ticket-granting service. It can be ignored by application servers. When set,
-this flag tells the ticket-granting server that it is OK to issue a new
-ticket (but not a ticket-granting ticket) with a different network address
-based on this ticket. This flag is set if requested by the client on initial
-authentication. By default, the client will request that it be set when
-requesting a ticket granting ticket, and reset when requesting any other
-ticket.
-
-This flag allows a client to pass a proxy to a server to perform a remote
-request on its behalf, e.g. a print service client can give the print server
-a proxy to access the client's files on a particular file server in order to
-satisfy a print request.
-
-In order to complicate the use of stolen credentials, Kerberos tickets are
-usually valid from only those network addresses specifically included in the
-ticket[4]. When granting a proxy, the client must specify the new network
-address from which the proxy is to be used, or indicate that the proxy is to
-be issued for use from any address.
-
-The PROXY flag is set in a ticket by the TGS when it issues a proxy ticket.
-Application servers may check this flag and at their option they may require
-additional authentication from the agent presenting the proxy in order to
-provide an audit trail.
-
-2.6. Forwardable tickets
-
-Authentication forwarding is an instance of a proxy where the service is
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-granted complete use of the client's identity. An example where it might be
-used is when a user logs in to a remote system and wants authentication to
-work from that system as if the login were local.
-
-The FORWARDABLE flag in a ticket is normally only interpreted by the
-ticket-granting service. It can be ignored by application servers. The
-FORWARDABLE flag has an interpretation similar to that of the PROXIABLE
-flag, except ticket-granting tickets may also be issued with different
-network addresses. This flag is reset by default, but users may request that
-it be set by setting the FORWARDABLE option in the AS request when they
-request their initial ticket- granting ticket.
-
-This flag allows for authentication forwarding without requiring the user to
-enter a password again. If the flag is not set, then authentication
-forwarding is not permitted, but the same result can still be achieved if
-the user engages in the AS exchange specifying the requested network
-addresses and supplies a password.
-
-The FORWARDED flag is set by the TGS when a client presents a ticket with
-the FORWARDABLE flag set and requests a forwarded ticket by specifying the
-FORWARDED KDC option and supplying a set of addresses for the new ticket. It
-is also set in all tickets issued based on tickets with the FORWARDED flag
-set. Application servers may choose to process FORWARDED tickets differently
-than non-FORWARDED tickets.
-
-2.7. Other KDC options
-
-There are two additional options which may be set in a client's request of
-the KDC.
The RENEWABLE-OK option indicates that the client will accept a
-renewable ticket if a ticket with the requested life cannot otherwise be
-provided. If a ticket with the requested life cannot be provided, then the
-KDC may issue a renewable ticket with a renew-till equal to the the
-requested endtime. The value of the renew-till field may still be adjusted
-by site-determined limits or limits imposed by the individual principal or
-server.
-
-The ENC-TKT-IN-SKEY option is honored only by the ticket-granting service.
-It indicates that the ticket to be issued for the end server is to be
-encrypted in the session key from the a additional second ticket-granting
-ticket provided with the request. See section 3.3.3 for specific details.
-
-3. Message Exchanges
-
-The following sections describe the interactions between network clients and
-servers and the messages involved in those exchanges.
-
-3.1. The Authentication Service Exchange
-
- Summary
- Message direction Message type Section
- 1. Client to Kerberos KRB_AS_REQ 5.4.1
- 2. Kerberos to client KRB_AS_REP or 5.4.2
- KRB_ERROR 5.9.1
-
-The Authentication Service (AS) Exchange between the client and the Kerberos
-Authentication Server is initiated by a client when it wishes to obtain
-authentication credentials for a given server but currently holds no
-credentials. In its basic form, the client's secret key is used for
-encryption and decryption. This exchange is typically used at the initiation
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-of a login session to obtain credentials for a Ticket-Granting Server which
-will subsequently be used to obtain credentials for other servers (see
-section 3.3) without requiring further use of the client's secret key.
This
-exchange is also used to request credentials for services which must not be
-mediated through the Ticket-Granting Service, but rather require a
-principal's secret key, such as the password-changing service[5]. This
-exchange does not by itself provide any assurance of the the identity of the
-user[6].
-
-The exchange consists of two messages: KRB_AS_REQ from the client to
-Kerberos, and KRB_AS_REP or KRB_ERROR in reply. The formats for these
-messages are described in sections 5.4.1, 5.4.2, and 5.9.1.
-
-In the request, the client sends (in cleartext) its own identity and the
-identity of the server for which it is requesting credentials. The response,
-KRB_AS_REP, contains a ticket for the client to present to the server, and a
-session key that will be shared by the client and the server. The session
-key and additional information are encrypted in the client's secret key. The
-KRB_AS_REP message contains information which can be used to detect replays,
-and to associate it with the message to which it replies. Various errors can
-occur; these are indicated by an error response (KRB_ERROR) instead of the
-KRB_AS_REP response. The error message is not encrypted. The KRB_ERROR
-message contains information which can be used to associate it with the
-message to which it replies. The lack of encryption in the KRB_ERROR message
-precludes the ability to detect replays, fabrications, or modifications of
-such messages.
-
-Without preautentication, the authentication server does not know whether
-the client is actually the principal named in the request. It simply sends a
-reply without knowing or caring whether they are the same. This is
-acceptable because nobody but the principal whose identity was given in the
-request will be able to use the reply. Its critical information is encrypted
-in that principal's key. The initial request supports an optional field that
-can be used to pass additional information that might be needed for the
-initial exchange.
This field may be used for preauthentication as described
-in section [hl<>].
-
-3.1.1. Generation of KRB_AS_REQ message
-
-The client may specify a number of options in the initial request. Among
-these options are whether pre-authentication is to be performed; whether the
-requested ticket is to be renewable, proxiable, or forwardable; whether it
-should be postdated or allow postdating of derivative tickets; and whether a
-renewable ticket will be accepted in lieu of a non-renewable ticket if the
-requested ticket expiration date cannot be satisfied by a non-renewable
-ticket (due to configuration constraints; see section 4). See section A.1
-for pseudocode.
-
-The client prepares the KRB_AS_REQ message and sends it to the KDC.
-
-3.1.2. Receipt of KRB_AS_REQ message
-
-If all goes well, processing the KRB_AS_REQ message will result in the
-creation of a ticket for the client to present to the server. The format for
-the ticket is described in section 5.3.1. The contents of the ticket are
-determined as follows.
-
-3.1.3. Generation of KRB_AS_REP message
-
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-The authentication server looks up the client and server principals named in
-the KRB_AS_REQ in its database, extracting their respective keys. If
-required, the server pre-authenticates the request, and if the
-pre-authentication check fails, an error message with the code
-KDC_ERR_PREAUTH_FAILED is returned. If the server cannot accommodate the
-requested encryption type, an error message with code KDC_ERR_ETYPE_NOSUPP
-is returned. Otherwise it generates a 'random' session key[7].
-
-If there are multiple encryption keys registered for a client in the
-Kerberos database (or if the key registered supports multiple encryption
-types; e.g.
DES-CBC-CRC and DES-CBC-MD5), then the etype field from the AS
-request is used by the KDC to select the encryption method to be used for
-encrypting the response to the client. If there is more than one supported,
-strong encryption type in the etype list, the first valid etype for which an
-encryption key is available is used. The encryption method used to respond
-to a TGS request is taken from the keytype of the session key found in the
-ticket granting ticket. [***I will change the example keytypes to be 3DES
-based examples 7/14***]
-
-When the etype field is present in a KDC request, whether an AS or TGS
-request, the KDC will attempt to assign the type of the random session key
-from the list of methods in the etype field. The KDC will select the
-appropriate type using the list of methods provided together with
-information from the Kerberos database indicating acceptable encryption
-methods for the application server. The KDC will not issue tickets with a
-weak session key encryption type.
-
-If the requested start time is absent, indicates a time in the past, or is
-within the window of acceptable clock skew for the KDC and the POSTDATE
-option has not been specified, then the start time of the ticket is set to
-the authentication server's current time. If it indicates a time in the
-future beyond the acceptable clock skew, but the POSTDATED option has not
-been specified then the error KDC_ERR_CANNOT_POSTDATE is returned. Otherwise
-the requested start time is checked against the policy of the local realm
-(the administrator might decide to prohibit certain types or ranges of
-postdated tickets), and if acceptable, the ticket's start time is set as
-requested and the INVALID flag is set in the new ticket. The postdated
-ticket must be validated before use by presenting it to the KDC after the
-start time has been reached.
-
-The expiration time of the ticket will be set to the minimum of the
-following:
-
- * The expiration time (endtime) requested in the KRB_AS_REQ message.
- * The ticket's start time plus the maximum allowable lifetime associated
- with the client principal (the authentication server's database
- includes a maximum ticket lifetime field in each principal's record;
- see section 4).
- * The ticket's start time plus the maximum allowable lifetime associated
- with the server principal.
- * The ticket's start time plus the maximum lifetime set by the policy of
- the local realm.
-
-If the requested expiration time minus the start time (as determined above)
-is less than a site-determined minimum lifetime, an error message with code
-KDC_ERR_NEVER_VALID is returned. If the requested expiration time for the
-ticket exceeds what was determined as above, and if the 'RENEWABLE-OK'
-option was requested, then the 'RENEWABLE' flag is set in the new ticket,
-and the renew-till value is set as if the 'RENEWABLE' option were requested
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-(the field and option names are described fully in section 5.4.1).
-
-If the RENEWABLE option has been requested or if the RENEWABLE-OK option has
-been set and a renewable ticket is to be issued, then the renew-till field
-is set to the minimum of:
-
- * Its requested value.
- * The start time of the ticket plus the minimum of the two maximum
- renewable lifetimes associated with the principals' database entries.
- * The start time of the ticket plus the maximum renewable lifetime set by
- the policy of the local realm.
-
-The flags field of the new ticket will have the following options set if
-they have been requested and if the policy of the local realm allows:
-FORWARDABLE, MAY-POSTDATE, POSTDATED, PROXIABLE, RENEWABLE.
If the new
-ticket is post-dated (the start time is in the future), its INVALID flag
-will also be set.
-
-If all of the above succeed, the server formats a KRB_AS_REP message (see
-section 5.4.2), copying the addresses in the request into the caddr of the
-response, placing any required pre-authentication data into the padata of
-the response, and encrypts the ciphertext part in the client's key using the
-requested encryption method, and sends it to the client. See section A.2 for
-pseudocode.
-
-3.1.4. Generation of KRB_ERROR message
-
-Several errors can occur, and the Authentication Server responds by
-returning an error message, KRB_ERROR, to the client, with the error-code
-and e-text fields set to appropriate values. The error message contents and
-details are described in Section 5.9.1.
-
-3.1.5. Receipt of KRB_AS_REP message
-
-If the reply message type is KRB_AS_REP, then the client verifies that the
-cname and crealm fields in the cleartext portion of the reply match what it
-requested. If any padata fields are present, they may be used to derive the
-proper secret key to decrypt the message. The client decrypts the encrypted
-part of the response using its secret key, verifies that the nonce in the
-encrypted part matches the nonce it supplied in its request (to detect
-replays). It also verifies that the sname and srealm in the response match
-those in the request (or are otherwise expected values), and that the host
-address field is also correct. It then stores the ticket, session key, start
-and expiration times, and other information for later use. The
-key-expiration field from the encrypted part of the response may be checked
-to notify the user of impending key expiration (the client program could
-then suggest remedial action, such as a password change). See section A.3
-for pseudocode.
-
-Proper decryption of the KRB_AS_REP message is not sufficient to verify the
-identity of the user; the user and an attacker could cooperate to generate a
-KRB_AS_REP format message which decrypts properly but is not from the proper
-KDC. If the host wishes to verify the identity of the user, it must require
-the user to present application credentials which can be verified using a
-securely-stored secret key for the host. If those credentials can be
-verified, then the identity of the user can be assured.
-
-3.1.6. Receipt of KRB_ERROR message
-
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-If the reply message type is KRB_ERROR, then the client interprets it as an
-error and performs whatever application-specific tasks are necessary to
-recover.
-
-3.2. The Client/Server Authentication Exchange
-
- Summary
-Message direction Message type Section
-Client to Application server KRB_AP_REQ 5.5.1
-[optional] Application server to client KRB_AP_REP or 5.5.2
- KRB_ERROR 5.9.1
-
-The client/server authentication (CS) exchange is used by network
-applications to authenticate the client to the server and vice versa. The
-client must have already acquired credentials for the server using the AS or
-TGS exchange.
-
-3.2.1. The KRB_AP_REQ message
-
-The KRB_AP_REQ contains authentication information which should be part of
-the first message in an authenticated transaction. It contains a ticket, an
-authenticator, and some additional bookkeeping information (see section
-5.5.1 for the exact format). The ticket by itself is insufficient to
-authenticate a client, since tickets are passed across the network in
-cleartext[DS90], so the authenticator is used to prevent invalid replay of
-tickets by proving to the server that the client knows the session key of
-the ticket and thus is entitled to use the ticket. The KRB_AP_REQ message is
-referred to elsewhere as the 'authentication header.'
-
-3.2.2. Generation of a KRB_AP_REQ message
-
-When a client wishes to initiate authentication to a server, it obtains
-(either through a credentials cache, the AS exchange, or the TGS exchange) a
-ticket and session key for the desired service. The client may re-use any
-tickets it holds until they expire. To use a ticket the client constructs a
-new Authenticator from the the system time, its name, and optionally an
-application specific checksum, an initial sequence number to be used in
-KRB_SAFE or KRB_PRIV messages, and/or a session subkey to be used in
-negotiations for a session key unique to this particular session.
-Authenticators may not be re-used and will be rejected if replayed to a
-server[LGDSR87]. If a sequence number is to be included, it should be
-randomly chosen so that even after many messages have been exchanged it is
-not likely to collide with other sequence numbers in use.
-
-The client may indicate a requirement of mutual authentication or the use of
-a session-key based ticket by setting the appropriate flag(s) in the
-ap-options field of the message.
-
-The Authenticator is encrypted in the session key and combined with the
-ticket to form the KRB_AP_REQ message which is then sent to the end server
-along with any additional application-specific information. See section A.9
-for pseudocode.
-
-3.2.3. Receipt of KRB_AP_REQ message
-
-Authentication is based on the server's current time of day (clocks must be
-loosely synchronized), the authenticator, and the ticket. Several errors are
-possible. If an error occurs, the server is expected to reply to the client
-with a KRB_ERROR message. This message may be encapsulated in the
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-application protocol if its 'raw' form is not acceptable to the protocol.
-The format of error messages is described in section 5.9.1.
-
-The algorithm for verifying authentication information is as follows. If the
-message type is not KRB_AP_REQ, the server returns the KRB_AP_ERR_MSG_TYPE
-error. If the key version indicated by the Ticket in the KRB_AP_REQ is not
-one the server can use (e.g., it indicates an old key, and the server no
-longer possesses a copy of the old key), the KRB_AP_ERR_BADKEYVER error is
-returned. If the USE-SESSION-KEY flag is set in the ap-options field, it
-indicates to the server that the ticket is encrypted in the session key from
-the server's ticket-granting ticket rather than its secret key[10]. Since it
-is possible for the server to be registered in multiple realms, with
-different keys in each, the srealm field in the unencrypted portion of the
-ticket in the KRB_AP_REQ is used to specify which secret key the server
-should use to decrypt that ticket. The KRB_AP_ERR_NOKEY error code is
-returned if the server doesn't have the proper key to decipher the ticket.
-
-The ticket is decrypted using the version of the server's key specified by
-the ticket. If the decryption routines detect a modification of the ticket
-(each encryption system must provide safeguards to detect modified
-ciphertext; see section 6), the KRB_AP_ERR_BAD_INTEGRITY error is returned
-(chances are good that different keys were used to encrypt and decrypt).
-
-The authenticator is decrypted using the session key extracted from the
-decrypted ticket. If decryption shows it to have been modified, the
-KRB_AP_ERR_BAD_INTEGRITY error is returned. The name and realm of the client
-from the ticket are compared against the same fields in the authenticator.
-If they don't match, the KRB_AP_ERR_BADMATCH error is returned (they might
-not match, for example, if the wrong session key was used to encrypt the
-authenticator). The addresses in the ticket (if any) are then searched for
-an address matching the operating-system reported address of the client.
If
-no match is found or the server insists on ticket addresses but none are
-present in the ticket, the KRB_AP_ERR_BADADDR error is returned.
-
-If the local (server) time and the client time in the authenticator differ
-by more than the allowable clock skew (e.g., 5 minutes), the KRB_AP_ERR_SKEW
-error is returned. If the server name, along with the client name, time and
-microsecond fields from the Authenticator match any recently-seen such
-tuples, the KRB_AP_ERR_REPEAT error is returned[11]. The server must
-remember any authenticator presented within the allowable clock skew, so
-that a replay attempt is guaranteed to fail. If a server loses track of any
-authenticator presented within the allowable clock skew, it must reject all
-requests until the clock skew interval has passed. This assures that any
-lost or re-played authenticators will fall outside the allowable clock skew
-and can no longer be successfully replayed (If this is not done, an attacker
-could conceivably record the ticket and authenticator sent over the network
-to a server, then disable the client's host, pose as the disabled host, and
-replay the ticket and authenticator to subvert the authentication.). If a
-sequence number is provided in the authenticator, the server saves it for
-later use in processing KRB_SAFE and/or KRB_PRIV messages. If a subkey is
-present, the server either saves it for later use or uses it to help
-generate its own choice for a subkey to be returned in a KRB_AP_REP message.
-
-The server computes the age of the ticket: local (server) time minus the
-start time inside the Ticket. If the start time is later than the current
-time by more than the allowable clock skew or if the INVALID flag is set in
-the ticket, the KRB_AP_ERR_TKT_NYV error is returned. Otherwise, if the
-current time is later than end time by more than the allowable clock skew,
-the KRB_AP_ERR_TKT_EXPIRED error is returned.
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-
-If all these checks succeed without an error, the server is assured that the
-client possesses the credentials of the principal named in the ticket and
-thus, the client has been authenticated to the server. See section A.10 for
-pseudocode.
-
-Passing these checks provides only authentication of the named principal; it
-does not imply authorization to use the named service. Applications must
-make a separate authorization decisions based upon the authenticated name of
-the user, the requested operation, local acces control information such as
-that contained in a .k5login or .k5users file, and possibly a separate
-distributed authorization service.
-
-3.2.4. Generation of a KRB_AP_REP message
-
-Typically, a client's request will include both the authentication
-information and its initial request in the same message, and the server need
-not explicitly reply to the KRB_AP_REQ. However, if mutual authentication
-(not only authenticating the client to the server, but also the server to
-the client) is being performed, the KRB_AP_REQ message will have
-MUTUAL-REQUIRED set in its ap-options field, and a KRB_AP_REP message is
-required in response. As with the error message, this message may be
-encapsulated in the application protocol if its "raw" form is not acceptable
-to the application's protocol. The timestamp and microsecond field used in
-the reply must be the client's timestamp and microsecond field (as provided
-in the authenticator)[12]. If a sequence number is to be included, it should
-be randomly chosen as described above for the authenticator. A subkey may be
-included if the server desires to negotiate a different subkey. The
-KRB_AP_REP message is encrypted in the session key extracted from the
-ticket. See section A.11 for pseudocode.
-
-3.2.5.
Receipt of KRB_AP_REP message - -If a KRB_AP_REP message is returned, the client uses the session key from -the credentials obtained for the server[13] to decrypt the message, and -verifies that the timestamp and microsecond fields match those in the -Authenticator it sent to the server. If they match, then the client is -assured that the server is genuine. The sequence number and subkey (if -present) are retained for later use. See section A.12 for pseudocode. - -3.2.6. Using the encryption key - -After the KRB_AP_REQ/KRB_AP_REP exchange has occurred, the client and server -share an encryption key which can be used by the application. The 'true -session key' to be used for KRB_PRIV, KRB_SAFE, or other -application-specific uses may be chosen by the application based on the -subkeys in the KRB_AP_REP message and the authenticator[14]. In some cases, -the use of this session key will be implicit in the protocol; in others the -method of use must be chosen from several alternatives. We leave the -protocol negotiations of how to use the key (e.g. selecting an encryption or -checksum type) to the application programmer; the Kerberos protocol does not -constrain the implementation options, but an example of how this might be -done follows. - -One way that an application may choose to negotiate a key to be used for -subequent integrity and privacy protection is for the client to propose a -key in the subkey field of the authenticator. The server can then choose a -key using the proposed key from the client as input, returning the new -subkey in the subkey field of the application reply. This key could then be - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - -used for subsequent communication. 
To make this example more concrete, if -the encryption method in use required a 56 bit key, and for whatever reason, -one of the parties was prevented from using a key with more than 40 unknown -bits, this method would allow the the party which is prevented from using -more than 40 bits to either propose (if the client) an initial key with a -known quantity for 16 of those bits, or to mask 16 of the bits (if the -server) with the known quantity. The application implementor is warned, -however, that this is only an example, and that an analysis of the -particular crytosystem to be used, and the reasons for limiting the key -length, must be made before deciding whether it is acceptable to mask bits -of the key. - -With both the one-way and mutual authentication exchanges, the peers should -take care not to send sensitive information to each other without proper -assurances. In particular, applications that require privacy or integrity -should use the KRB_AP_REP response from the server to client to assure both -client and server of their peer's identity. If an application protocol -requires privacy of its messages, it can use the KRB_PRIV message (section -3.5). The KRB_SAFE message (section 3.4) can be used to assure integrity. - -3.3. The Ticket-Granting Service (TGS) Exchange - - Summary - Message direction Message type Section - 1. Client to Kerberos KRB_TGS_REQ 5.4.1 - 2. Kerberos to client KRB_TGS_REP or 5.4.2 - KRB_ERROR 5.9.1 - -The TGS exchange between a client and the Kerberos Ticket-Granting Server is -initiated by a client when it wishes to obtain authentication credentials -for a given server (which might be registered in a remote realm), when it -wishes to renew or validate an existing ticket, or when it wishes to obtain -a proxy ticket. 
In the first case, the client must already have acquired a -ticket for the Ticket-Granting Service using the AS exchange (the -ticket-granting ticket is usually obtained when a client initially -authenticates to the system, such as when a user logs in). The message -format for the TGS exchange is almost identical to that for the AS exchange. -The primary difference is that encryption and decryption in the TGS exchange -does not take place under the client's key. Instead, the session key from -the ticket-granting ticket or renewable ticket, or sub-session key from an -Authenticator is used. As is the case for all application servers, expired -tickets are not accepted by the TGS, so once a renewable or ticket-granting -ticket expires, the client must use a separate exchange to obtain valid -tickets. - -The TGS exchange consists of two messages: A request (KRB_TGS_REQ) from the -client to the Kerberos Ticket-Granting Server, and a reply (KRB_TGS_REP or -KRB_ERROR). The KRB_TGS_REQ message includes information authenticating the -client plus a request for credentials. The authentication information -consists of the authentication header (KRB_AP_REQ) which includes the -client's previously obtained ticket-granting, renewable, or invalid ticket. -In the ticket-granting ticket and proxy cases, the request may include one -or more of: a list of network addresses, a collection of typed authorization -data to be sealed in the ticket for authorization use by the application -server, or additional tickets (the use of which are described later). The -TGS reply (KRB_TGS_REP) contains the requested credentials, encrypted in the -session key from the ticket-granting ticket or renewable ticket, or if -present, in the sub-session key from the Authenticator (part of the -authentication header). 
The KRB_ERROR message contains an error code and - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - -text explaining what went wrong. The KRB_ERROR message is not encrypted. The -KRB_TGS_REP message contains information which can be used to detect -replays, and to associate it with the message to which it replies. The -KRB_ERROR message also contains information which can be used to associate -it with the message to which it replies, but the lack of encryption in the -KRB_ERROR message precludes the ability to detect replays or fabrications of -such messages. - -3.3.1. Generation of KRB_TGS_REQ message - -Before sending a request to the ticket-granting service, the client must -determine in which realm the application server is registered[15]. If the -client does not already possess a ticket-granting ticket for the appropriate -realm, then one must be obtained. This is first attempted by requesting a -ticket-granting ticket for the destination realm from a Kerberos server for -which the client does posess a ticket-granting ticket (using the KRB_TGS_REQ -message recursively). The Kerberos server may return a TGT for the desired -realm in which case one can proceed. Alternatively, the Kerberos server may -return a TGT for a realm which is 'closer' to the desired realm (further -along the standard hierarchical path), in which case this step must be -repeated with a Kerberos server in the realm specified in the returned TGT. -If neither are returned, then the request must be retried with a Kerberos -server for a realm higher in the hierarchy. This request will itself require -a ticket-granting ticket for the higher realm which must be obtained by -recursively applying these directions. - -Once the client obtains a ticket-granting ticket for the appropriate realm, -it determines which Kerberos servers serve that realm, and contacts one. 
The -list might be obtained through a configuration file or network service or it -may be generated from the name of the realm; as long as the secret keys -exchanged by realms are kept secret, only denial of service results from -using a false Kerberos server. - -As in the AS exchange, the client may specify a number of options in the -KRB_TGS_REQ message. The client prepares the KRB_TGS_REQ message, providing -an authentication header as an element of the padata field, and including -the same fields as used in the KRB_AS_REQ message along with several -optional fields: the enc-authorization-data field for application server use -and additional tickets required by some options. - -In preparing the authentication header, the client can select a sub-session -key under which the response from the Kerberos server will be encrypted[16]. -If the sub-session key is not specified, the session key from the -ticket-granting ticket will be used. If the enc-authorization-data is -present, it must be encrypted in the sub-session key, if present, from the -authenticator portion of the authentication header, or if not present, using -the session key from the ticket-granting ticket. - -Once prepared, the message is sent to a Kerberos server for the destination -realm. See section A.5 for pseudocode. - -3.3.2. Receipt of KRB_TGS_REQ message - -The KRB_TGS_REQ message is processed in a manner similar to the KRB_AS_REQ -message, but there are many additional checks to be performed. First, the -Kerberos server must determine which server the accompanying ticket is for -and it must select the appropriate key to decrypt it. For a normal -KRB_TGS_REQ message, it will be for the ticket granting service, and the -TGS's key will be used. If the TGT was issued by another realm, then the - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - -appropriate inter-realm key must be used. 
If the accompanying ticket is not -a ticket granting ticket for the current realm, but is for an application -server in the current realm, the RENEW, VALIDATE, or PROXY options are -specified in the request, and the server for which a ticket is requested is -the server named in the accompanying ticket, then the KDC will decrypt the -ticket in the authentication header using the key of the server for which it -was issued. If no ticket can be found in the padata field, the -KDC_ERR_PADATA_TYPE_NOSUPP error is returned. - -Once the accompanying ticket has been decrypted, the user-supplied checksum -in the Authenticator must be verified against the contents of the request, -and the message rejected if the checksums do not match (with an error code -of KRB_AP_ERR_MODIFIED) or if the checksum is not keyed or not -collision-proof (with an error code of KRB_AP_ERR_INAPP_CKSUM). If the -checksum type is not supported, the KDC_ERR_SUMTYPE_NOSUPP error is -returned. If the authorization-data are present, they are decrypted using -the sub-session key from the Authenticator. - -If any of the decryptions indicate failed integrity checks, the -KRB_AP_ERR_BAD_INTEGRITY error is returned. - -3.3.3. Generation of KRB_TGS_REP message - -The KRB_TGS_REP message shares its format with the KRB_AS_REP (KRB_KDC_REP), -but with its type field set to KRB_TGS_REP. The detailed specification is in -section 5.4.2. - -The response will include a ticket for the requested server. The Kerberos -database is queried to retrieve the record for the requested server -(including the key with which the ticket will be encrypted). If the request -is for a ticket granting ticket for a remote realm, and if no key is shared -with the requested realm, then the Kerberos server will select the realm -"closest" to the requested realm with which it does share a key, and use -that realm instead. This is the only case where the response from the KDC -will be for a different server than that requested by the client. 
- -By default, the address field, the client's name and realm, the list of -transited realms, the time of initial authentication, the expiration time, -and the authorization data of the newly-issued ticket will be copied from -the ticket-granting ticket (TGT) or renewable ticket. If the transited field -needs to be updated, but the transited type is not supported, the -KDC_ERR_TRTYPE_NOSUPP error is returned. - -If the request specifies an endtime, then the endtime of the new ticket is -set to the minimum of (a) that request, (b) the endtime from the TGT, and -(c) the starttime of the TGT plus the minimum of the maximum life for the -application server and the maximum life for the local realm (the maximum -life for the requesting principal was already applied when the TGT was -issued). If the new ticket is to be a renewal, then the endtime above is -replaced by the minimum of (a) the value of the renew_till field of the -ticket and (b) the starttime for the new ticket plus the life -(endtime-starttime) of the old ticket. - -If the FORWARDED option has been requested, then the resulting ticket will -contain the addresses specified by the client. This option will only be -honored if the FORWARDABLE flag is set in the TGT. The PROXY option is -similar; the resulting ticket will contain the addresses specified by the -client. It will be honored only if the PROXIABLE flag in the TGT is set. The -PROXY option will not be honored on requests for additional ticket-granting - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - -tickets. - -If the requested start time is absent, indicates a time in the past, or is -within the window of acceptable clock skew for the KDC and the POSTDATE -option has not been specified, then the start time of the ticket is set to -the authentication server's current time. 
If it indicates a time in the -future beyond the acceptable clock skew, but the POSTDATED option has not -been specified or the MAY-POSTDATE flag is not set in the TGT, then the -error KDC_ERR_CANNOT_POSTDATE is returned. Otherwise, if the ticket-granting -ticket has the MAY-POSTDATE flag set, then the resulting ticket will be -postdated and the requested starttime is checked against the policy of the -local realm. If acceptable, the ticket's start time is set as requested, and -the INVALID flag is set. The postdated ticket must be validated before use -by presenting it to the KDC after the starttime has been reached. However, -in no case may the starttime, endtime, or renew-till time of a newly-issued -postdated ticket extend beyond the renew-till time of the ticket-granting -ticket. - -If the ENC-TKT-IN-SKEY option has been specified and an additional ticket -has been included in the request, the KDC will decrypt the additional ticket -using the key for the server to which the additional ticket was issued and -verify that it is a ticket-granting ticket. If the name of the requested -server is missing from the request, the name of the client in the additional -ticket will be used. Otherwise the name of the requested server will be -compared to the name of the client in the additional ticket and if -different, the request will be rejected. If the request succeeds, the -session key from the additional ticket will be used to encrypt the new -ticket that is issued instead of using the key of the server for which the -new ticket will be used[17]. - -If the name of the server in the ticket that is presented to the KDC as part -of the authentication header is not that of the ticket-granting server -itself, the server is registered in the realm of the KDC, and the RENEW -option is requested, then the KDC will verify that the RENEWABLE flag is set -in the ticket, that the INVALID flag is not set in the ticket, and that the -renew_till time is still in the future. 
If the VALIDATE option is rqeuested, -the KDC will check that the starttime has passed and the INVALID flag is -set. If the PROXY option is requested, then the KDC will check that the -PROXIABLE flag is set in the ticket. If the tests succeed, and the ticket -passes the hotlist check described in the next paragraph, the KDC will issue -the appropriate new ticket. - -3.3.3.1. Checking for revoked tickets - -Whenever a request is made to the ticket-granting server, the presented -ticket(s) is(are) checked against a hot-list of tickets which have been -canceled. This hot-list might be implemented by storing a range of issue -timestamps for 'suspect tickets'; if a presented ticket had an authtime in -that range, it would be rejected. In this way, a stolen ticket-granting -ticket or renewable ticket cannot be used to gain additional tickets -(renewals or otherwise) once the theft has been reported. Any normal ticket -obtained before it was reported stolen will still be valid (because they -require no interaction with the KDC), but only until their normal expiration -time. - -The ciphertext part of the response in the KRB_TGS_REP message is encrypted -in the sub-session key from the Authenticator, if present, or the session -key key from the ticket-granting ticket. It is not encrypted using the -client's secret key. Furthermore, the client's key's expiration date and the - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - -key version number fields are left out since these values are stored along -with the client's database record, and that record is not needed to satisfy -a request based on a ticket-granting ticket. See section A.6 for pseudocode. - -3.3.3.2. 
Encoding the transited field - -If the identity of the server in the TGT that is presented to the KDC as -part of the authentication header is that of the ticket-granting service, -but the TGT was issued from another realm, the KDC will look up the -inter-realm key shared with that realm and use that key to decrypt the -ticket. If the ticket is valid, then the KDC will honor the request, subject -to the constraints outlined above in the section describing the AS exchange. -The realm part of the client's identity will be taken from the -ticket-granting ticket. The name of the realm that issued the -ticket-granting ticket will be added to the transited field of the ticket to -be issued. This is accomplished by reading the transited field from the -ticket-granting ticket (which is treated as an unordered set of realm -names), adding the new realm to the set, then constructing and writing out -its encoded (shorthand) form (this may involve a rearrangement of the -existing encoding). - -Note that the ticket-granting service does not add the name of its own -realm. Instead, its responsibility is to add the name of the previous realm. -This prevents a malicious Kerberos server from intentionally leaving out its -own name (it could, however, omit other realms' names). - -The names of neither the local realm nor the principal's realm are to be -included in the transited field. They appear elsewhere in the ticket and -both are known to have taken part in authenticating the principal. Since the -endpoints are not included, both local and single-hop inter-realm -authentication result in a transited field that is empty. - -Because the name of each realm transited is added to this field, it might -potentially be very long. To decrease the length of this field, its contents -are encoded. The initially supported encoding is optimized for the normal -case of inter-realm communication: a hierarchical arrangement of realms -using either domain or X.500 style realm names. 
This encoding (called -DOMAIN-X500-COMPRESS) is now described. - -Realm names in the transited field are separated by a ",". The ",", "\", -trailing "."s, and leading spaces (" ") are special characters, and if they -are part of a realm name, they must be quoted in the transited field by -preced- ing them with a "\". - -A realm name ending with a "." is interpreted as being prepended to the -previous realm. For example, we can encode traversal of EDU, MIT.EDU, -ATHENA.MIT.EDU, WASHINGTON.EDU, and CS.WASHINGTON.EDU as: - - "EDU,MIT.,ATHENA.,WASHINGTON.EDU,CS.". - -Note that if ATHENA.MIT.EDU, or CS.WASHINGTON.EDU were end-points, that they -would not be included in this field, and we would have: - - "EDU,MIT.,WASHINGTON.EDU" - -A realm name beginning with a "/" is interpreted as being appended to the -previous realm[18]. If it is to stand by itself, then it should be preceded -by a space (" "). For example, we can encode traversal of /COM/HP/APOLLO, -/COM/HP, /COM, and /COM/DEC as: - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - - "/COM,/HP,/APOLLO, /COM/DEC". - -Like the example above, if /COM/HP/APOLLO and /COM/DEC are endpoints, they -they would not be included in this field, and we would have: - - "/COM,/HP" - -A null subfield preceding or following a "," indicates that all realms -between the previous realm and the next realm have been traversed[19]. Thus, -"," means that all realms along the path between the client and the server -have been traversed. ",EDU, /COM," means that that all realms from the -client's realm up to EDU (in a domain style hierarchy) have been traversed, -and that everything from /COM down to the server's realm in an X.500 style -has also been traversed. This could occur if the EDU realm in one hierarchy -shares an inter-realm key directly with the /COM realm in another hierarchy. - -3.3.4. 
Receipt of KRB_TGS_REP message - -When the KRB_TGS_REP is received by the client, it is processed in the same -manner as the KRB_AS_REP processing described above. The primary difference -is that the ciphertext part of the response must be decrypted using the -session key from the ticket-granting ticket rather than the client's secret -key. See section A.7 for pseudocode. - -3.4. The KRB_SAFE Exchange - -The KRB_SAFE message may be used by clients requiring the ability to detect -modifications of messages they exchange. It achieves this by including a -keyed collision-proof checksum of the user data and some control -information. The checksum is keyed with an encryption key (usually the last -key negotiated via subkeys, or the session key if no negotiation has -occured). - -3.4.1. Generation of a KRB_SAFE message - -When an application wishes to send a KRB_SAFE message, it collects its data -and the appropriate control information and computes a checksum over them. -The checksum algorithm should be a keyed one-way hash function (such as the -RSA- MD5-DES checksum algorithm specified in section 6.4.5, or the DES MAC), -generated using the sub-session key if present, or the session key. -Different algorithms may be selected by changing the checksum type in the -message. Unkeyed or non-collision-proof checksums are not suitable for this -use. - -The control information for the KRB_SAFE message includes both a timestamp -and a sequence number. The designer of an application using the KRB_SAFE -message must choose at least one of the two mechanisms. This choice should -be based on the needs of the application protocol. - -Sequence numbers are useful when all messages sent will be received by one's -peer. Connection state is presently required to maintain the session key, so -maintaining the next sequence number should not present an additional -problem. 
- -If the application protocol is expected to tolerate lost messages without -them being resent, the use of the timestamp is the appropriate replay -detection mechanism. Using timestamps is also the appropriate mechanism for -multi-cast protocols where all of one's peers share a common sub-session - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - -key, but some messages will be sent to a subset of one's peers. - -After computing the checksum, the client then transmits the information and -checksum to the recipient in the message format specified in section 5.6.1. - -3.4.2. Receipt of KRB_SAFE message - -When an application receives a KRB_SAFE message, it verifies it as follows. -If any error occurs, an error code is reported for use by the application. - -The message is first checked by verifying that the protocol version and type -fields match the current version and KRB_SAFE, respectively. A mismatch -generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The -application verifies that the checksum used is a collision-proof keyed -checksum, and if it is not, a KRB_AP_ERR_INAPP_CKSUM error is generated. If -the sender's address was included in the control information, the recipient -verifies that the operating system's report of the sender's address matches -the sender's address in the message, and (if a recipient address is -specified or the recipient requires an address) that one of the recipient's -addresses appears as the recipient's address in the message. A failed match -for either case generates a KRB_AP_ERR_BADADDR error. Then the timestamp and -usec and/or the sequence number fields are checked. If timestamp and usec -are expected and not present, or they are present but not current, the -KRB_AP_ERR_SKEW error is generated. 
If the server name, along with the -client name, time and microsecond fields from the Authenticator match any -recently-seen (sent or received[20] ) such tuples, the KRB_AP_ERR_REPEAT -error is generated. If an incorrect sequence number is included, or a -sequence number is expected but not present, the KRB_AP_ERR_BADORDER error -is generated. If neither a time-stamp and usec or a sequence number is -present, a KRB_AP_ERR_MODIFIED error is generated. Finally, the checksum is -computed over the data and control information, and if it doesn't match the -received checksum, a KRB_AP_ERR_MODIFIED error is generated. - -If all the checks succeed, the application is assured that the message was -generated by its peer and was not modi- fied in transit. - -3.5. The KRB_PRIV Exchange - -The KRB_PRIV message may be used by clients requiring confidentiality and -the ability to detect modifications of exchanged messages. It achieves this -by encrypting the messages and adding control information. - -3.5.1. Generation of a KRB_PRIV message - -When an application wishes to send a KRB_PRIV message, it collects its data -and the appropriate control information (specified in section 5.7.1) and -encrypts them under an encryption key (usually the last key negotiated via -subkeys, or the session key if no negotiation has occured). As part of the -control information, the client must choose to use either a timestamp or a -sequence number (or both); see the discussion in section 3.4.1 for -guidelines on which to use. After the user data and control information are -encrypted, the client transmits the ciphertext and some 'envelope' -information to the recipient. - -3.5.2. Receipt of KRB_PRIV message - -When an application receives a KRB_PRIV message, it verifies it as follows. -If any error occurs, an error code is reported for use by the application. 
- - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - -The message is first checked by verifying that the protocol version and type -fields match the current version and KRB_PRIV, respectively. A mismatch -generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The -application then decrypts the ciphertext and processes the resultant -plaintext. If decryption shows the data to have been modified, a -KRB_AP_ERR_BAD_INTEGRITY error is generated. If the sender's address was -included in the control information, the recipient verifies that the -operating system's report of the sender's address matches the sender's -address in the message, and (if a recipient address is specified or the -recipient requires an address) that one of the recipient's addresses appears -as the recipient's address in the message. A failed match for either case -generates a KRB_AP_ERR_BADADDR error. Then the timestamp and usec and/or the -sequence number fields are checked. If timestamp and usec are expected and -not present, or they are present but not current, the KRB_AP_ERR_SKEW error -is generated. If the server name, along with the client name, time and -microsecond fields from the Authenticator match any recently-seen such -tuples, the KRB_AP_ERR_REPEAT error is generated. If an incorrect sequence -number is included, or a sequence number is expected but not present, the -KRB_AP_ERR_BADORDER error is generated. If neither a time-stamp and usec or -a sequence number is present, a KRB_AP_ERR_MODIFIED error is generated. - -If all the checks succeed, the application can assume the message was -generated by its peer, and was securely transmitted (without intruders able -to see the unencrypted contents). - -3.6. The KRB_CRED Exchange - -The KRB_CRED message may be used by clients requiring the ability to send -Kerberos credentials from one host to another. 
It achieves this by sending -the tickets together with encrypted data containing the session keys and -other information associated with the tickets. - -3.6.1. Generation of a KRB_CRED message - -When an application wishes to send a KRB_CRED message it first (using the -KRB_TGS exchange) obtains credentials to be sent to the remote host. It then -constructs a KRB_CRED message using the ticket or tickets so obtained, -placing the session key needed to use each ticket in the key field of the -corresponding KrbCredInfo sequence of the encrypted part of the the KRB_CRED -message. - -Other information associated with each ticket and obtained during the -KRB_TGS exchange is also placed in the corresponding KrbCredInfo sequence in -the encrypted part of the KRB_CRED message. The current time and, if -specifically required by the application the nonce, s-address, and r-address -fields, are placed in the encrypted part of the KRB_CRED message which is -then encrypted under an encryption key previosuly exchanged in the KRB_AP -exchange (usually the last key negotiated via subkeys, or the session key if -no negotiation has occured). - -3.6.2. Receipt of KRB_CRED message - -When an application receives a KRB_CRED message, it verifies it. If any -error occurs, an error code is reported for use by the application. The -message is verified by checking that the protocol version and type fields -match the current version and KRB_CRED, respectively. A mismatch generates a -KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The application then -decrypts the ciphertext and processes the resultant plaintext. If decryption -shows the data to have been modified, a KRB_AP_ERR_BAD_INTEGRITY error is - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - -generated. 
- -If present or required, the recipient verifies that the operating system's -report of the sender's address matches the sender's address in the message, -and that one of the recipient's addresses appears as the recipient's address -in the message. A failed match for either case generates a -KRB_AP_ERR_BADADDR error. The timestamp and usec fields (and the nonce field -if required) are checked next. If the timestamp and usec are not present, or -they are present but not current, the KRB_AP_ERR_SKEW error is generated. - -If all the checks succeed, the application stores each of the new tickets in -its ticket cache together with the session key and other information in the -corresponding KrbCredInfo sequence from the encrypted part of the KRB_CRED -message. - -4. The Kerberos Database - -The Kerberos server must have access to a database containing the principal -identifiers and secret keys of principals to be authenticated[21]. - -4.1. Database contents - -A database entry should contain at least the following fields: - -Field Value - -name Principal's identifier -key Principal's secret key -p_kvno Principal's key version -max_life Maximum lifetime for Tickets -max_renewable_life Maximum total lifetime for renewable Tickets - -The name field is an encoding of the principal's identifier. The key field -contains an encryption key. This key is the principal's secret key. (The key -can be encrypted before storage under a Kerberos "master key" to protect it -in case the database is compromised but the master key is not. In that case, -an extra field must be added to indicate the master key version used, see -below.) The p_kvno field is the key version number of the principal's secret -key. The max_life field contains the maximum allowable lifetime (endtime - -starttime) for any Ticket issued for this principal. The max_renewable_life -field contains the maximum allowable total lifetime for any renewable Ticket -issued for this principal. 
(See section 3.1 for a description of how these -lifetimes are used in determining the lifetime of a given Ticket.) - -A server may provide KDC service to several realms, as long as the database -representation provides a mechanism to distinguish between principal records -with identifiers which differ only in the realm name. - -When an application server's key changes, if the change is routine (i.e. not -the result of disclosure of the old key), the old key should be retained by -the server until all tickets that had been issued using that key have -expired. Because of this, it is possible for several keys to be active for a -single principal. Ciphertext encrypted in a principal's key is always tagged -with the version of the key that was used for encryption, to help the -recipient find the proper key for decryption. - -When more than one key is active for a particular principal, the principal -will have more than one record in the Kerberos database. The keys and key -version numbers will differ between the records (the rest of the fields may - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - -or may not be the same). Whenever Kerberos issues a ticket, or responds to a -request for initial authentication, the most recent key (known by the -Kerberos server) will be used for encryption. This is the key with the -highest key version number. - -4.2. Additional fields - -Project Athena's KDC implementation uses additional fields in its database: - -Field Value - -K_kvno Kerberos' key version -expiration Expiration date for entry -attributes Bit field of attributes -mod_date Timestamp of last modification -mod_name Modifying principal's identifier - -The K_kvno field indicates the key version of the Kerberos master key under -which the principal's secret key is encrypted. 
- -After an entry's expiration date has passed, the KDC will return an error to -any client attempting to gain tickets as or for the principal. (A database -may want to maintain two expiration dates: one for the principal, and one -for the principal's current key. This allows password aging to work -independently of the principal's expiration date. However, due to the -limited space in the responses, the KDC must combine the key expiration and -principal expiration date into a single value called 'key_exp', which is -used as a hint to the user to take administrative action.) - -The attributes field is a bitfield used to govern the operations involving -the principal. This field might be useful in conjunction with user -registration procedures, for site-specific policy implementations (Project -Athena currently uses it for their user registration process controlled by -the system-wide database service, Moira [LGDSR87]), to identify whether a -principal can play the role of a client or server or both, to note whether a -server is appropriate trusted to recieve credentials delegated by a client, -or to identify the 'string to key' conversion algorithm used for a -principal's key[22]. Other bits are used to indicate that certain ticket -options should not be allowed in tickets encrypted under a principal's key -(one bit each): Disallow issuing postdated tickets, disallow issuing -forwardable tickets, disallow issuing tickets based on TGT authentication, -disallow issuing renewable tickets, disallow issuing proxiable tickets, and -disallow issuing tickets for which the principal is the server. - -The mod_date field contains the time of last modification of the entry, and -the mod_name field contains the name of the principal which last modified -the entry. - -4.3. Frequently Changing Fields - -Some KDC implementations may wish to maintain the last time that a request -was made by a particular principal. 
Information that might be maintained -includes the time of the last request, the time of the last request for a -ticket-granting ticket, the time of the last use of a ticket-granting -ticket, or other times. This information can then be returned to the user in -the last-req field (see section 5.2). - -Other frequently changing information that can be maintained is the latest -expiration time for any tickets that have been issued using each key. This - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - -field would be used to indicate how long old keys must remain valid to allow -the continued use of outstanding tickets. - -4.4. Site Constants - -The KDC implementation should have the following configurable constants or -options, to allow an administrator to make and enforce policy decisions: - - * The minimum supported lifetime (used to determine whether the - KDC_ERR_NEVER_VALID error should be returned). This constant should - reflect reasonable expectations of round-trip time to the KDC, - encryption/decryption time, and processing time by the client and - target server, and it should allow for a minimum 'useful' lifetime. - * The maximum allowable total (renewable) lifetime of a ticket - (renew_till - starttime). - * The maximum allowable lifetime of a ticket (endtime - starttime). - * Whether to allow the issue of tickets with empty address fields - (including the ability to specify that such tickets may only be issued - if the request specifies some authorization_data). - * Whether proxiable, forwardable, renewable or post-datable tickets are - to be issued. - -5. Message Specifications - -The following sections describe the exact contents and encoding of protocol -messages and objects. The ASN.1 base definitions are presented in the first -subsection. The remaining subsections specify the protocol objects (tickets -and authenticators) and messages. 
Specification of encryption and checksum -techniques, and the fields related to them, appear in section 6. - -Optional field in ASN.1 sequences - -For optional integer value and date fields in ASN.1 sequences where a -default value has been specified, certain default values will not be allowed -in the encoding because these values will always be represented through -defaulting by the absence of the optional field. For example, one will not -send a microsecond zero value because one must make sure that there is only -one way to encode this value. - -Additional fields in ASN.1 sequences - -Implementations receiving Kerberos messages with additional fields present -in ASN.1 sequences should carry the those fields through, unmodified, when -the message is forwarded. Implementations should not drop such fields if the -sequence is reencoded. - -5.1. ASN.1 Distinguished Encoding Representation - -All uses of ASN.1 in Kerberos shall use the Distinguished Encoding -Representation of the data elements as described in the X.509 specification, -section 8.7 [X509-88]. - -5.3. ASN.1 Base Definitions - -The following ASN.1 base definitions are used in the rest of this section. -Note that since the underscore character (_) is not permitted in ASN.1 -names, the hyphen (-) is used in its place for the purposes of ASN.1 names. - -Realm ::= GeneralString - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - -PrincipalName ::= SEQUENCE { - name-type[0] INTEGER, - name-string[1] SEQUENCE OF GeneralString -} - -Kerberos realms are encoded as GeneralStrings. Realms shall not contain a -character with the code 0 (the ASCII NUL). Most realms will usually consist -of several components separated by periods (.), in the style of Internet -Domain Names, or separated by slashes (/) in the style of X.500 names. -Acceptable forms for realm names are specified in section 7. 
A PrincipalName -is a typed sequence of components consisting of the following sub-fields: - -name-type - This field specifies the type of name that follows. Pre-defined values - for this field are specified in section 7.2. The name-type should be - treated as a hint. Ignoring the name type, no two names can be the same - (i.e. at least one of the components, or the realm, must be different). - This constraint may be eliminated in the future. -name-string - This field encodes a sequence of components that form a name, each - component encoded as a GeneralString. Taken together, a PrincipalName - and a Realm form a principal identifier. Most PrincipalNames will have - only a few components (typically one or two). - -KerberosTime ::= GeneralizedTime - -- Specifying UTC time zone (Z) - -The timestamps used in Kerberos are encoded as GeneralizedTimes. An encoding -shall specify the UTC time zone (Z) and shall not include any fractional -portions of the seconds. It further shall not include any separators. -Example: The only valid format for UTC time 6 minutes, 27 seconds after 9 pm -on 6 November 1985 is 19851106210627Z. - -HostAddress ::= SEQUENCE { - addr-type[0] INTEGER, - address[1] OCTET STRING -} - -HostAddresses ::= SEQUENCE OF HostAddress - -The host adddress encodings consists of two fields: - -addr-type - This field specifies the type of address that follows. Pre-defined - values for this field are specified in section 8.1. -address - This field encodes a single address of type addr-type. - -The two forms differ slightly. HostAddress contains exactly one address; -HostAddresses contains a sequence of possibly many addresses. - -AuthorizationData ::= SEQUENCE OF SEQUENCE { - ad-type[0] INTEGER, - ad-data[1] OCTET STRING -} - -ad-data - This field contains authorization data to be interpreted according to - the value of the corresponding ad-type field. 
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-ad-type
- This field specifies the format for the ad-data subfield. All negative
- values are reserved for local use. Non-negative values are reserved for
- registered use.
-
-Each sequence of type and data is refered to as an authorization element.
-Elements may be application specific, however, there is a common set of
-recursive elements that should be understood by all implementations. These
-elements contain other elements embedded within them, and the interpretation
-of the encapsulating element determines which of the embedded elements must
-be interpreted, and which may be ignored. Definitions for these common
-elements may be found in Appendix B.
-
-TicketExtensions ::= SEQUENCE OF SEQUENCE {
- te-type[0] INTEGER,
- te-data[1] OCTET STRING
-}
-
-
-
-te-data
- This field contains opaque data that must be caried with the ticket to
- support extensions to the Kerberos protocol including but not limited
- to some forms of inter-realm key exchange and plaintext authorization
- data. See appendix C for some common uses of this field.
-te-type
- This field specifies the format for the te-data subfield. All negative
- values are reserved for local use. Non-negative values are reserved for
- registered use.
- -APOptions ::= BIT STRING - -- reserved(0), - -- use-session-key(1), - -- mutual-required(2) - -TicketFlags ::= BIT STRING - -- reserved(0), - -- forwardable(1), - -- forwarded(2), - -- proxiable(3), - -- proxy(4), - -- may-postdate(5), - -- postdated(6), - -- invalid(7), - -- renewable(8), - -- initial(9), - -- pre-authent(10), - -- hw-authent(11), - -- transited-policy-checked(12), - -- ok-as-delegate(13) - -KDCOptions ::= BIT STRING - -- reserved(0), - -- forwardable(1), - -- forwarded(2), - -- proxiable(3), - -- proxy(4), - -- allow-postdate(5), - -- postdated(6), - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - -- unused7(7), - -- renewable(8), - -- unused9(9), - -- unused10(10), - -- unused11(11), - -- unused12(12), - -- unused13(13), - -- disable-transited-check(26), - -- renewable-ok(27), - -- enc-tkt-in-skey(28), - -- renew(30), - -- validate(31) - -ASN.1 Bit strings have a length and a value. When used in Kerberos for the -APOptions, TicketFlags, and KDCOptions, the length of the bit string on -generated values should be the smallest number of bits needed to include the -highest order bit that is set (1), but in no case less than 32 bits. The -ASN.1 representation of the bit strings uses unnamed bits, with the meaning -of the individual bits defined by the comments in the specification above. -Implementations should accept values of bit strings of any length and treat -the value of flags corresponding to bits beyond the end of the bit string as -if the bit were reset (0). Comparison of bit strings of different length -should treat the smaller string as if it were padded with zeros beyond the -high order bits to the length of the longer string[23]. - -LastReq ::= SEQUENCE OF SEQUENCE { - lr-type[0] INTEGER, - lr-value[1] KerberosTime -} - -lr-type - This field indicates how the following lr-value field is to be - interpreted. 
Negative values indicate that the information pertains - only to the responding server. Non-negative values pertain to all - servers for the realm. If the lr-type field is zero (0), then no - information is conveyed by the lr-value subfield. If the absolute value - of the lr-type field is one (1), then the lr-value subfield is the time - of last initial request for a TGT. If it is two (2), then the lr-value - subfield is the time of last initial request. If it is three (3), then - the lr-value subfield is the time of issue for the newest - ticket-granting ticket used. If it is four (4), then the lr-value - subfield is the time of the last renewal. If it is five (5), then the - lr-value subfield is the time of last request (of any type). If it is - (6), then the lr-value subfield is the time when the password will - expire. -lr-value - This field contains the time of the last request. the time must be - interpreted according to the contents of the accompanying lr-type - subfield. - -See section 6 for the definitions of Checksum, ChecksumType, EncryptedData, -EncryptionKey, EncryptionType, and KeyType. - -5.3. Tickets and Authenticators - -This section describes the format and encryption parameters for tickets and -authenticators. When a ticket or authenticator is included in a protocol -message it is treated as an opaque object. - - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - -5.3.1. Tickets - -A ticket is a record that helps a client authenticate to a service. 
A Ticket -contains the following information: - -Ticket ::= [APPLICATION 1] SEQUENCE { - tkt-vno[0] INTEGER, - realm[1] Realm, - sname[2] PrincipalName, - enc-part[3] EncryptedData, - extensions[4] TicketExtensions OPTIONAL -} - --- Encrypted part of ticket -EncTicketPart ::= [APPLICATION 3] SEQUENCE { - flags[0] TicketFlags, - key[1] EncryptionKey, - crealm[2] Realm, - cname[3] PrincipalName, - transited[4] TransitedEncoding, - authtime[5] KerberosTime, - starttime[6] KerberosTime OPTIONAL, - endtime[7] KerberosTime, - renew-till[8] KerberosTime OPTIONAL, - caddr[9] HostAddresses OPTIONAL, - authorization-data[10] AuthorizationData OPTIONAL -} --- encoded Transited field -TransitedEncoding ::= SEQUENCE { - tr-type[0] INTEGER, -- must be registered - contents[1] OCTET STRING -} - -The encoding of EncTicketPart is encrypted in the key shared by Kerberos and -the end server (the server's secret key). See section 6 for the format of -the ciphertext. - -tkt-vno - This field specifies the version number for the ticket format. This - document describes version number 5. -realm - This field specifies the realm that issued a ticket. It also serves to - identify the realm part of the server's principal identifier. Since a - Kerberos server can only issue tickets for servers within its realm, - the two will always be identical. -sname - This field specifies all components of the name part of the server's - identity, including those parts that identify a specific instance of a - service. -enc-part - This field holds the encrypted encoding of the EncTicketPart sequence. -extensions - This optional field contains a sequence of extentions that may be used - to carry information that must be carried with the ticket to support - several extensions, including but not limited to plaintext - authorization data, tokens for exchanging inter-realm keys, and other - information that must be associated with a ticket for use by the - application server. 
See Appendix C for definitions of some common - extensions. - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - - Note that some older versions of Kerberos did not support this field. - Because this is an optional field it will not break older clients, but - older clients might strip this field from the ticket before sending it - to the application server. This limits the usefulness of this ticket - field to environments where the ticket will not be parsed and - reconstructed by these older Kerberos clients. - - If it is known that the client will strip this field from the ticket, - as an interim measure the KDC may append this field to the end of the - enc-part of the ticket and append a traler indicating the lenght of the - appended extensions field. (this paragraph is open for discussion, - including the form of the traler). -flags - This field indicates which of various options were used or requested - when the ticket was issued. It is a bit-field, where the selected - options are indicated by the bit being set (1), and the unselected - options and reserved fields being reset (0). Bit 0 is the most - significant bit. The encoding of the bits is specified in section 5.2. - The flags are described in more detail above in section 2. The meanings - of the flags are: - - Bit(s) Name Description - - 0 RESERVED - Reserved for future expansion of this - field. - - 1 FORWARDABLE - The FORWARDABLE flag is normally only - interpreted by the TGS, and can be - ignored by end servers. When set, this - flag tells the ticket-granting server - that it is OK to issue a new ticket- - granting ticket with a different network - address based on the presented ticket. - - 2 FORWARDED - When set, this flag indicates that the - ticket has either been forwarded or was - issued based on authentication involving - a forwarded ticket-granting ticket. 
- - 3 PROXIABLE - The PROXIABLE flag is normally only - interpreted by the TGS, and can be - ignored by end servers. The PROXIABLE - flag has an interpretation identical to - that of the FORWARDABLE flag, except - that the PROXIABLE flag tells the - ticket-granting server that only non- - ticket-granting tickets may be issued - with different network addresses. - - 4 PROXY - When set, this flag indicates that a - ticket is a proxy. - - 5 MAY-POSTDATE - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - The MAY-POSTDATE flag is normally only - interpreted by the TGS, and can be - ignored by end servers. This flag tells - the ticket-granting server that a post- - dated ticket may be issued based on this - ticket-granting ticket. - - 6 POSTDATED - This flag indicates that this ticket has - been postdated. The end-service can - check the authtime field to see when the - original authentication occurred. - - 7 INVALID - This flag indicates that a ticket is - invalid, and it must be validated by the - KDC before use. Application servers - must reject tickets which have this flag - set. - - 8 RENEWABLE - The RENEWABLE flag is normally only - interpreted by the TGS, and can usually - be ignored by end servers (some particu- - larly careful servers may wish to disal- - low renewable tickets). A renewable - ticket can be used to obtain a replace- - ment ticket that expires at a later - date. - - 9 INITIAL - This flag indicates that this ticket was - issued using the AS protocol, and not - issued based on a ticket-granting - ticket. - - 10 PRE-AUTHENT - This flag indicates that during initial - authentication, the client was authenti- - cated by the KDC before a ticket was - issued. The strength of the pre- - authentication method is not indicated, - but is acceptable to the KDC. 
- - 11 HW-AUTHENT - This flag indicates that the protocol - employed for initial authentication - required the use of hardware expected to - be possessed solely by the named client. - The hardware authentication method is - selected by the KDC and the strength of - the method is not indicated. - - 12 TRANSITED This flag indicates that the KDC for the - POLICY-CHECKED realm has checked the transited field - against a realm defined policy for - trusted certifiers. If this flag is - reset (0), then the application server - must check the transited field itself, - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - and if unable to do so it must reject - the authentication. If the flag is set - (1) then the application server may skip - its own validation of the transited - field, relying on the validation - performed by the KDC. At its option the - application server may still apply its - own validation based on a separate - policy for acceptance. - - 13 OK-AS-DELEGATE This flag indicates that the server (not - the client) specified in the ticket has - been determined by policy of the realm - to be a suitable recipient of - delegation. A client can use the - presence of this flag to help it make a - decision whether to delegate credentials - (either grant a proxy or a forwarded - ticket granting ticket) to this server. - The client is free to ignore the value - of this flag. When setting this flag, - an administrator should consider the - Security and placement of the server on - which the service will run, as well as - whether the service requires the use of - delegated credentials. - - 14 ANONYMOUS - This flag indicates that the principal - named in the ticket is a generic princi- - pal for the realm and does not identify - the individual using the ticket. The - purpose of the ticket is only to - securely distribute a session key, and - not to identify the user. 
Subsequent - requests using the same ticket and ses- - sion may be considered as originating - from the same user, but requests with - the same username but a different ticket - are likely to originate from different - users. - - 15-31 RESERVED - Reserved for future use. - -key - This field exists in the ticket and the KDC response and is used to - pass the session key from Kerberos to the application server and the - client. The field's encoding is described in section 6.2. -crealm - This field contains the name of the realm in which the client is - registered and in which initial authentication took place. -cname - This field contains the name part of the client's principal identifier. -transited - This field lists the names of the Kerberos realms that took part in - authenticating the user to whom this ticket was issued. It does not - specify the order in which the realms were transited. See section - 3.3.3.2 for details on how this field encodes the traversed realms. - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - When the names of CA's are to be embedded inthe transited field (as - specified for some extentions to the protocol), the X.500 names of the - CA's should be mapped into items in the transited field using the - mapping defined by RFC2253. -authtime - This field indicates the time of initial authentication for the named - principal. It is the time of issue for the original ticket on which - this ticket is based. It is included in the ticket to provide - additional information to the end service, and to provide the necessary - information for implementation of a `hot list' service at the KDC. An - end service that is particularly paranoid could refuse to accept - tickets for which the initial authentication occurred "too far" in the - past. This field is also returned as part of the response from the KDC. 
- When returned as part of the response to initial authentication - (KRB_AS_REP), this is the current time on the Kerberos server[24]. -starttime - This field in the ticket specifies the time after which the ticket is - valid. Together with endtime, this field specifies the life of the - ticket. If it is absent from the ticket, its value should be treated as - that of the authtime field. -endtime - This field contains the time after which the ticket will not be honored - (its expiration time). Note that individual services may place their - own limits on the life of a ticket and may reject tickets which have - not yet expired. As such, this is really an upper bound on the - expiration time for the ticket. -renew-till - This field is only present in tickets that have the RENEWABLE flag set - in the flags field. It indicates the maximum endtime that may be - included in a renewal. It can be thought of as the absolute expiration - time for the ticket, including all renewals. -caddr - This field in a ticket contains zero (if omitted) or more (if present) - host addresses. These are the addresses from which the ticket can be - used. If there are no addresses, the ticket can be used from any - location. The decision by the KDC to issue or by the end server to - accept zero-address tickets is a policy decision and is left to the - Kerberos and end-service administrators; they may refuse to issue or - accept such tickets. The suggested and default policy, however, is that - such tickets will only be issued or accepted when additional - information that can be used to restrict the use of the ticket is - included in the authorization_data field. Such a ticket is a - capability. - - Network addresses are included in the ticket to make it harder for an - attacker to use stolen credentials. 
Because the session key is not sent - over the network in cleartext, credentials can't be stolen simply by - listening to the network; an attacker has to gain access to the session - key (perhaps through operating system security breaches or a careless - user's unattended session) to make use of stolen tickets. - - It is important to note that the network address from which a - connection is received cannot be reliably determined. Even if it could - be, an attacker who has compromised the client's workstation could use - the credentials from there. Including the network addresses only makes - it more difficult, not impossible, for an attacker to walk off with - stolen credentials and then use them from a "safe" location. -authorization-data - The authorization-data field is used to pass authorization data from - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - the principal on whose behalf a ticket was issued to the application - service. If no authorization data is included, this field will be left - out. Experience has shown that the name of this field is confusing, and - that a better name for this field would be restrictions. Unfortunately, - it is not possible to change the name of this field at this time. - - This field contains restrictions on any authority obtained on the basis - of authentication using the ticket. It is possible for any principal in - posession of credentials to add entries to the authorization data field - since these entries further restrict what can be done with the ticket. - Such additions can be made by specifying the additional entries when a - new ticket is obtained during the TGS exchange, or they may be added - during chained delegation using the authorization data field of the - authenticator. 
- - Because entries may be added to this field by the holder of - credentials, except when an entry is separately authenticated by - encapulation in the kdc-issued element, it is not allowable for the - presence of an entry in the authorization data field of a ticket to - amplify the priveleges one would obtain from using a ticket. - - The data in this field may be specific to the end service; the field - will contain the names of service specific objects, and the rights to - those objects. The format for this field is described in section 5.2. - Although Kerberos is not concerned with the format of the contents of - the sub-fields, it does carry type information (ad-type). - - By using the authorization_data field, a principal is able to issue a - proxy that is valid for a specific purpose. For example, a client - wishing to print a file can obtain a file server proxy to be passed to - the print server. By specifying the name of the file in the - authorization_data field, the file server knows that the print server - can only use the client's rights when accessing the particular file to - be printed. - - A separate service providing authorization or certifying group - membership may be built using the authorization-data field. In this - case, the entity granting authorization (not the authorized entity), - may obtain a ticket in its own name (e.g. the ticket is issued in the - name of a privelege server), and this entity adds restrictions on its - own authority and delegates the restricted authority through a proxy to - the client. The client would then present this authorization credential - to the application server separately from the authentication exchange. - Alternatively, such authorization credentials may be embedded in the - ticket authenticating the authorized entity, when the authorization is - separately authenticated using the kdc-issued authorization data - element (see B.4). 
- - Similarly, if one specifies the authorization-data field of a proxy and - leaves the host addresses blank, the resulting ticket and session key - can be treated as a capability. See [Neu93] for some suggested uses of - this field. - - The authorization-data field is optional and does not have to be - included in a ticket. - -5.3.2. Authenticators - -An authenticator is a record sent with a ticket to a server to certify the - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - -client's knowledge of the encryption key in the ticket, to help the server -detect replays, and to help choose a "true session key" to use with the -particular session. The encoding is encrypted in the ticket's session key -shared by the client and the server: - --- Unencrypted authenticator -Authenticator ::= [APPLICATION 2] SEQUENCE { - authenticator-vno[0] INTEGER, - crealm[1] Realm, - cname[2] PrincipalName, - cksum[3] Checksum OPTIONAL, - cusec[4] INTEGER, - ctime[5] KerberosTime, - subkey[6] EncryptionKey OPTIONAL, - seq-number[7] INTEGER OPTIONAL, - authorization-data[8] AuthorizationData OPTIONAL -} - - -authenticator-vno - This field specifies the version number for the format of the - authenticator. This document specifies version 5. -crealm and cname - These fields are the same as those described for the ticket in section - 5.3.1. -cksum - This field contains a checksum of the the applica- tion data that - accompanies the KRB_AP_REQ. -cusec - This field contains the microsecond part of the client's timestamp. Its - value (before encryption) ranges from 0 to 999999. It often appears - along with ctime. The two fields are used together to specify a - reasonably accurate timestamp. -ctime - This field contains the current time on the client's host. -subkey - This field contains the client's choice for an encryption key which is - to be used to protect this specific application session. 
Unless an - application specifies otherwise, if this field is left out the session - key from the ticket will be used. -seq-number - This optional field includes the initial sequence number to be used by - the KRB_PRIV or KRB_SAFE messages when sequence numbers are used to - detect replays (It may also be used by application specific messages). - When included in the authenticator this field specifies the initial - sequence number for messages from the client to the server. When - included in the AP-REP message, the initial sequence number is that for - messages from the server to the client. When used in KRB_PRIV or - KRB_SAFE messages, it is incremented by one after each message is sent. - Sequence numbers fall in the range of 0 through 2^32 - 1 and wrap to - zero following the value 2^32 - 1. - - For sequence numbers to adequately support the detection of replays - they should be non-repeating, even across connection boundaries. The - initial sequence number should be random and uniformly distributed - across the full space of possible sequence numbers, so that it cannot - be guessed by an attacker and so that it and the successive sequence - numbers do not repeat other sequences. -authorization-data - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - This field is the same as described for the ticket in section 5.3.1. It - is optional and will only appear when additional restrictions are to be - placed on the use of a ticket, beyond those carried in the ticket - itself. - -5.4. Specifications for the AS and TGS exchanges - -This section specifies the format of the messages used in the exchange -between the client and the Kerberos server. The format of possible error -messages appears in section 5.9.1. - -5.4.1. KRB_KDC_REQ definition - -The KRB_KDC_REQ message has no type of its own. 
Instead, its type is one of -KRB_AS_REQ or KRB_TGS_REQ depending on whether the request is for an initial -ticket or an additional ticket. In either case, the message is sent from the -client to the Authentication Server to request credentials for a service. - -The message fields are: - -AS-REQ ::= [APPLICATION 10] KDC-REQ -TGS-REQ ::= [APPLICATION 12] KDC-REQ - -KDC-REQ ::= SEQUENCE { - pvno[1] INTEGER, - msg-type[2] INTEGER, - padata[3] SEQUENCE OF PA-DATA OPTIONAL, - req-body[4] KDC-REQ-BODY -} - -PA-DATA ::= SEQUENCE { - padata-type[1] INTEGER, - padata-value[2] OCTET STRING, - -- might be encoded AP-REQ -} - -KDC-REQ-BODY ::= SEQUENCE { - kdc-options[0] KDCOptions, - cname[1] PrincipalName OPTIONAL, - -- Used only in AS-REQ - realm[2] Realm, -- Server's realm - -- Also client's in AS-REQ - sname[3] PrincipalName OPTIONAL, - from[4] KerberosTime OPTIONAL, - till[5] KerberosTime OPTIONAL, - rtime[6] KerberosTime OPTIONAL, - nonce[7] INTEGER, - etype[8] SEQUENCE OF INTEGER, - -- EncryptionType, - -- in preference order - addresses[9] HostAddresses OPTIONAL, - enc-authorization-data[10] EncryptedData OPTIONAL, - -- Encrypted AuthorizationData - -- encoding - additional-tickets[11] SEQUENCE OF Ticket OPTIONAL -} - -The fields in this message are: - - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - -pvno - This field is included in each message, and specifies the protocol - version number. This document specifies protocol version 5. -msg-type - This field indicates the type of a protocol message. It will almost - always be the same as the application identifier associated with a - message. It is included to make the identifier more readily accessible - to the application. For the KDC-REQ message, this type will be - KRB_AS_REQ or KRB_TGS_REQ. 
-padata - The padata (pre-authentication data) field contains a sequence of - authentication information which may be needed before credentials can - be issued or decrypted. In the case of requests for additional tickets - (KRB_TGS_REQ), this field will include an element with padata-type of - PA-TGS-REQ and data of an authentication header (ticket-granting ticket - and authenticator). The checksum in the authenticator (which must be - collision-proof) is to be computed over the KDC-REQ-BODY encoding. In - most requests for initial authentication (KRB_AS_REQ) and most replies - (KDC-REP), the padata field will be left out. - - This field may also contain information needed by certain extensions to - the Kerberos protocol. For example, it might be used to initially - verify the identity of a client before any response is returned. This - is accomplished with a padata field with padata-type equal to - PA-ENC-TIMESTAMP and padata-value defined as follows: - - padata-type ::= PA-ENC-TIMESTAMP - padata-value ::= EncryptedData -- PA-ENC-TS-ENC - - PA-ENC-TS-ENC ::= SEQUENCE { - patimestamp[0] KerberosTime, -- client's time - pausec[1] INTEGER OPTIONAL - } - - with patimestamp containing the client's time and pausec containing the - microseconds which may be omitted if a client will not generate more - than one request per second. The ciphertext (padata-value) consists of - the PA-ENC-TS-ENC sequence, encrypted using the client's secret key. - - [use-specified-kvno item is here for discussion and may be removed] It - may also be used by the client to specify the version of a key that is - being used for accompanying preauthentication, and/or which should be - used to encrypt the reply from the KDC. - - PA-USE-SPECIFIED-KVNO ::= Integer - - The KDC should only accept and abide by the value of the - use-specified-kvno preauthentication data field when the specified key - is still valid and until use of a new key is confirmed. 
This situation
- is likely to occur primarily during the period during which an updated
- key is propagating to other KDC's in a realm.
-
- The padata field can also contain information needed to help the KDC or
- the client select the key needed for generating or decrypting the
- response. This form of the padata is useful for supporting the use of
- certain token cards with Kerberos. The details of such extensions are
- specified in separate documents. See [Pat92] for additional uses of
- this field.
-padata-type
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- The padata-type element of the padata field indicates the way that the
- padata-value element is to be interpreted. Negative values of
- padata-type are reserved for unregistered use; non-negative values are
- used for a registered interpretation of the element type.
-req-body
- This field is a placeholder delimiting the extent of the remaining
- fields. If a checksum is to be calculated over the request, it is
- calculated over an encoding of the KDC-REQ-BODY sequence which is
- enclosed within the req-body field.
-kdc-options
- This field appears in the KRB_AS_REQ and KRB_TGS_REQ requests to the
- KDC and indicates the flags that the client wants set on the tickets as
- well as other information that is to modify the behavior of the KDC.
- Where appropriate, the name of an option may be the same as the flag
- that is set by that option. Although in most case, the bit in the
- options field will be the same as that in the flags field, this is not
- guaranteed, so it is not acceptable to simply copy the options field to
- the flags field. There are various checks that must be made before
- honoring an option anyway.
-
- The kdc_options field is a bit-field, where the selected options are
- indicated by the bit being set (1), and the unselected options and
- reserved fields being reset (0).
The encoding of the bits is specified - in section 5.2. The options are described in more detail above in - section 2. The meanings of the options are: - - Bit(s) Name Description - 0 RESERVED - Reserved for future expansion of this - field. - - 1 FORWARDABLE - The FORWARDABLE option indicates that - the ticket to be issued is to have its - forwardable flag set. It may only be - set on the initial request, or in a sub- - sequent request if the ticket-granting - ticket on which it is based is also for- - wardable. - - 2 FORWARDED - The FORWARDED option is only specified - in a request to the ticket-granting - server and will only be honored if the - ticket-granting ticket in the request - has its FORWARDABLE bit set. This - option indicates that this is a request - for forwarding. The address(es) of the - host from which the resulting ticket is - to be valid are included in the - addresses field of the request. - - 3 PROXIABLE - The PROXIABLE option indicates that the - ticket to be issued is to have its prox- - iable flag set. It may only be set on - the initial request, or in a subsequent - request if the ticket-granting ticket on - which it is based is also proxiable. - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - - 4 PROXY - The PROXY option indicates that this is - a request for a proxy. This option will - only be honored if the ticket-granting - ticket in the request has its PROXIABLE - bit set. The address(es) of the host - from which the resulting ticket is to be - valid are included in the addresses - field of the request. - - 5 ALLOW-POSTDATE - The ALLOW-POSTDATE option indicates that - the ticket to be issued is to have its - MAY-POSTDATE flag set. It may only be - set on the initial request, or in a sub- - sequent request if the ticket-granting - ticket on which it is based also has its - MAY-POSTDATE flag set. 
- - 6 POSTDATED - The POSTDATED option indicates that this - is a request for a postdated ticket. - This option will only be honored if the - ticket-granting ticket on which it is - based has its MAY-POSTDATE flag set. - The resulting ticket will also have its - INVALID flag set, and that flag may be - reset by a subsequent request to the KDC - after the starttime in the ticket has - been reached. - - 7 UNUSED - This option is presently unused. - - 8 RENEWABLE - The RENEWABLE option indicates that the - ticket to be issued is to have its - RENEWABLE flag set. It may only be set - on the initial request, or when the - ticket-granting ticket on which the - request is based is also renewable. If - this option is requested, then the rtime - field in the request contains the - desired absolute expiration time for the - ticket. - - 9-13 UNUSED - These options are presently unused. - - 14 REQUEST-ANONYMOUS - The REQUEST-ANONYMOUS option indicates - that the ticket to be issued is not to - identify the user to which it was - issued. Instead, the principal identif- - ier is to be generic, as specified by - the policy of the realm (e.g. usually - anonymous@realm). The purpose of the - ticket is only to securely distribute a - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - session key, and not to identify the - user. The ANONYMOUS flag on the ticket - to be returned should be set. If the - local realms policy does not permit - anonymous credentials, the request is to - be rejected. - - 15-25 RESERVED - Reserved for future use. - - 26 DISABLE-TRANSITED-CHECK - By default the KDC will check the - transited field of a ticket-granting- - ticket against the policy of the local - realm before it will issue derivative - tickets based on the ticket granting - ticket. If this flag is set in the - request, checking of the transited field - is disabled. 
Tickets issued without the - performance of this check will be noted - by the reset (0) value of the - TRANSITED-POLICY-CHECKED flag, - indicating to the application server - that the tranisted field must be checked - locally. KDC's are encouraged but not - required to honor the - DISABLE-TRANSITED-CHECK option. - - 27 RENEWABLE-OK - The RENEWABLE-OK option indicates that a - renewable ticket will be acceptable if a - ticket with the requested life cannot - otherwise be provided. If a ticket with - the requested life cannot be provided, - then a renewable ticket may be issued - with a renew-till equal to the the - requested endtime. The value of the - renew-till field may still be limited by - local limits, or limits selected by the - individual principal or server. - - 28 ENC-TKT-IN-SKEY - This option is used only by the ticket- - granting service. The ENC-TKT-IN-SKEY - option indicates that the ticket for the - end server is to be encrypted in the - session key from the additional ticket- - granting ticket provided. - - 29 RESERVED - Reserved for future use. - - 30 RENEW - This option is used only by the ticket- - granting service. The RENEW option - indicates that the present request is - for a renewal. The ticket provided is - encrypted in the secret key for the - server on which it is valid. This - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - option will only be honored if the - ticket to be renewed has its RENEWABLE - flag set and if the time in its renew- - till field has not passed. The ticket - to be renewed is passed in the padata - field as part of the authentication - header. - - 31 VALIDATE - This option is used only by the ticket- - granting service. The VALIDATE option - indicates that the request is to vali- - date a postdated ticket. 
It will only - be honored if the ticket presented is - postdated, presently has its INVALID - flag set, and would be otherwise usable - at this time. A ticket cannot be vali- - dated before its starttime. The ticket - presented for validation is encrypted in - the key of the server for which it is - valid and is passed in the padata field - as part of the authentication header. - -cname and sname - These fields are the same as those described for the ticket in section - 5.3.1. sname may only be absent when the ENC-TKT-IN-SKEY option is - specified. If absent, the name of the server is taken from the name of - the client in the ticket passed as additional-tickets. -enc-authorization-data - The enc-authorization-data, if present (and it can only be present in - the TGS_REQ form), is an encoding of the desired authorization-data - encrypted under the sub-session key if present in the Authenticator, or - alternatively from the session key in the ticket-granting ticket, both - from the padata field in the KRB_AP_REQ. -realm - This field specifies the realm part of the server's principal - identifier. In the AS exchange, this is also the realm part of the - client's principal identifier. -from - This field is included in the KRB_AS_REQ and KRB_TGS_REQ ticket - requests when the requested ticket is to be postdated. It specifies the - desired start time for the requested ticket. If this field is omitted - then the KDC should use the current time instead. -till - This field contains the expiration date requested by the client in a - ticket request. It is optional and if omitted the requested ticket is - to have the maximum endtime permitted according to KDC policy for the - parties to the authentication exchange as limited by expiration date of - the ticket granting ticket or other preauthentication credentials. -rtime - This field is the requested renew-till time sent from a client to the - KDC in a ticket request. It is optional. 
-nonce
- This field is part of the KDC request and response. It it intended to
- hold a random number generated by the client. If the same number is
- included in the encrypted response from the KDC, it provides evidence
- that the response is fresh and has not been replayed by an attacker.
- Nonces must never be re-used. Ideally, it should be generated randomly,
- but if the correct time is known, it may suffice[25].
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-etype
- This field specifies the desired encryption algorithm to be used in the
- response.
-addresses
- This field is included in the initial request for tickets, and
- optionally included in requests for additional tickets from the
- ticket-granting server. It specifies the addresses from which the
- requested ticket is to be valid. Normally it includes the addresses for
- the client's host. If a proxy is requested, this field will contain
- other addresses. The contents of this field are usually copied by the
- KDC into the caddr field of the resulting ticket.
-additional-tickets
- Additional tickets may be optionally included in a request to the
- ticket-granting server. If the ENC-TKT-IN-SKEY option has been
- specified, then the session key from the additional ticket will be used
- in place of the server's key to encrypt the new ticket. If more than
- one option which requires additional tickets has been specified, then
- the additional tickets are used in the order specified by the ordering
- of the options bits (see kdc-options, above).
-
-The application code will be either ten (10) or twelve (12) depending on
-whether the request is for an initial ticket (AS-REQ) or for an additional
-ticket (TGS-REQ).
-
-The optional fields (addresses, authorization-data and additional-tickets)
-are only included if necessary to perform the operation specified in the
-kdc-options field.
-
-It should be noted that in KRB_TGS_REQ, the protocol version number appears
-twice and two different message types appear: the KRB_TGS_REQ message
-contains these fields as does the authentication header (KRB_AP_REQ) that is
-passed in the padata field.
-
-5.4.2. KRB_KDC_REP definition
-
-The KRB_KDC_REP message format is used for the reply from the KDC for either
-an initial (AS) request or a subsequent (TGS) request. There is no message
-type for KRB_KDC_REP. Instead, the type will be either KRB_AS_REP or
-KRB_TGS_REP. The key used to encrypt the ciphertext part of the reply
-depends on the message type. For KRB_AS_REP, the ciphertext is encrypted in
-the client's secret key, and the client's key version number is included in
-the key version number for the encrypted data. For KRB_TGS_REP, the
-ciphertext is encrypted in the sub-session key from the Authenticator, or if
-absent, the session key from the ticket-granting ticket used in the request.
-In that case, no version number will be present in the EncryptedData
-sequence.
-
-The KRB_KDC_REP message contains the following fields:
-
-AS-REP ::= [APPLICATION 11] KDC-REP
-TGS-REP ::= [APPLICATION 13] KDC-REP
-
-KDC-REP ::= SEQUENCE {
- pvno[0] INTEGER,
- msg-type[1] INTEGER,
- padata[2] SEQUENCE OF PA-DATA OPTIONAL,
- crealm[3] Realm,
- cname[4] PrincipalName,
- ticket[5] Ticket,
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- enc-part[6] EncryptedData
-}
-
-EncASRepPart ::= [APPLICATION 25[27]] EncKDCRepPart
-EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
-
-EncKDCRepPart ::= SEQUENCE {
- key[0] EncryptionKey,
- last-req[1] LastReq,
- nonce[2] INTEGER,
- key-expiration[3] KerberosTime OPTIONAL,
- flags[4] TicketFlags,
- authtime[5] KerberosTime,
- starttime[6] KerberosTime OPTIONAL,
- endtime[7] KerberosTime,
- renew-till[8] KerberosTime OPTIONAL,
- srealm[9] Realm,
- sname[10] PrincipalName,
- caddr[11] HostAddresses OPTIONAL
-}
-
-pvno and msg-type
- These fields are described above in section 5.4.1. msg-type is either
- KRB_AS_REP or KRB_TGS_REP.
-padata
- This field is described in detail in section 5.4.1. One possible use
- for this field is to encode an alternate "mix-in" string to be used
- with a string-to-key algorithm (such as is described in section 6.3.2).
- This ability is useful to ease transitions if a realm name needs to
- change (e.g. when a company is acquired); in such a case all existing
- password-derived entries in the KDC database would be flagged as
- needing a special mix-in string until the next password change.
-crealm, cname, srealm and sname
- These fields are the same as those described for the ticket in section
- 5.3.1.
-ticket
- The newly-issued ticket, from section 5.3.1.
-enc-part
- This field is a place holder for the ciphertext and related information
- that forms the encrypted part of a message. The description of the
- encrypted part of the message follows each appearance of this field.
- The encrypted part is encoded as described in section 6.1.
-key
- This field is the same as described for the ticket in section 5.3.1.
-last-req
- This field is returned by the KDC and specifies the time(s) of the last
- request by a principal. Depending on what information is available,
- this might be the last time that a request for a ticket-granting ticket
- was made, or the last time that a request based on a ticket-granting
- ticket was successful. It also might cover all servers for a realm, or
- just the particular server. Some implementations may display this
- information to the user to aid in discovering unauthorized use of one's
- identity. It is similar in spirit to the last login time displayed when
- logging into timesharing systems.
-nonce
- This field is described above in section 5.4.1.
-key-expiration
- The key-expiration field is part of the response from the KDC and
- specifies the time that the client's secret key is due to expire. The
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- expiration might be the result of password aging or an account
- expiration. This field will usually be left out of the TGS reply since
- the response to the TGS request is encrypted in a session key and no
- client information need be retrieved from the KDC database. It is up to
- the application client (usually the login program) to take appropriate
- action (such as notifying the user) if the expiration time is imminent.
-flags, authtime, starttime, endtime, renew-till and caddr
- These fields are duplicates of those found in the encrypted portion of
- the attached ticket (see section 5.3.1), provided so the client may
- verify they match the intended request and to assist in proper ticket
- caching.
If the message is of type KRB_TGS_REP, the caddr field will - only be filled in if the request was for a proxy or forwarded ticket, - or if the user is substituting a subset of the addresses from the - ticket granting ticket. If the client-requested addresses are not - present or not used, then the addresses contained in the ticket will be - the same as those included in the ticket-granting ticket. - -5.5. Client/Server (CS) message specifications - -This section specifies the format of the messages used for the -authentication of the client to the application server. - -5.5.1. KRB_AP_REQ definition - -The KRB_AP_REQ message contains the Kerberos protocol version number, the -message type KRB_AP_REQ, an options field to indicate any options in use, -and the ticket and authenticator themselves. The KRB_AP_REQ message is often -referred to as the 'authentication header'. - -AP-REQ ::= [APPLICATION 14] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - ap-options[2] APOptions, - ticket[3] Ticket, - authenticator[4] EncryptedData -} - -APOptions ::= BIT STRING { - reserved(0), - use-session-key(1), - mutual-required(2) -} - - - -pvno and msg-type - These fields are described above in section 5.4.1. msg-type is - KRB_AP_REQ. -ap-options - This field appears in the application request (KRB_AP_REQ) and affects - the way the request is processed. It is a bit-field, where the selected - options are indicated by the bit being set (1), and the unselected - options and reserved fields being reset (0). The encoding of the bits - is specified in section 5.2. The meanings of the options are: - - Bit(s) Name Description - - 0 RESERVED - Reserved for future expansion of this - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - field. 
- - 1 USE-SESSION-KEY - The USE-SESSION-KEY option indicates - that the ticket the client is presenting - to a server is encrypted in the session - key from the server's ticket-granting - ticket. When this option is not speci- - fied, the ticket is encrypted in the - server's secret key. - - 2 MUTUAL-REQUIRED - The MUTUAL-REQUIRED option tells the - server that the client requires mutual - authentication, and that it must respond - with a KRB_AP_REP message. - - 3-31 RESERVED - Reserved for future use. - -ticket - This field is a ticket authenticating the client to the server. -authenticator - This contains the authenticator, which includes the client's choice of - a subkey. Its encoding is described in section 5.3.2. - -5.5.2. KRB_AP_REP definition - -The KRB_AP_REP message contains the Kerberos protocol version number, the -message type, and an encrypted time- stamp. The message is sent in in -response to an application request (KRB_AP_REQ) where the mutual -authentication option has been selected in the ap-options field. - -AP-REP ::= [APPLICATION 15] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - enc-part[2] EncryptedData -} - -EncAPRepPart ::= [APPLICATION 27[29]] SEQUENCE { - ctime[0] KerberosTime, - cusec[1] INTEGER, - subkey[2] EncryptionKey OPTIONAL, - seq-number[3] INTEGER OPTIONAL -} - -The encoded EncAPRepPart is encrypted in the shared session key of the -ticket. The optional subkey field can be used in an application-arranged -negotiation to choose a per association session key. - -pvno and msg-type - These fields are described above in section 5.4.1. msg-type is - KRB_AP_REP. -enc-part - This field is described above in section 5.4.2. -ctime - This field contains the current time on the client's host. -cusec - This field contains the microsecond part of the client's timestamp. 
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-subkey
- This field contains an encryption key which is to be used to protect
- this specific application session. See section 3.2.6 for specifics on
- how this field is used to negotiate a key. Unless an application
- specifies otherwise, if this field is left out, the sub-session key
- from the authenticator, or if also left out, the session key from the
- ticket will be used.
-
-5.5.3. Error message reply
-
-If an error occurs while processing the application request, the KRB_ERROR
-message will be sent in response. See section 5.9.1 for the format of the
-error message. The cname and crealm fields may be left out if the server
-cannot determine their appropriate values from the corresponding KRB_AP_REQ
-message. If the authenticator was decipherable, the ctime and cusec fields
-will contain the values from it.
-
-5.6. KRB_SAFE message specification
-
-This section specifies the format of a message that can be used by either
-side (client or server) of an application to send a tamper-proof message to
-its peer. It presumes that a session key has previously been exchanged (for
-example, by using the KRB_AP_REQ/KRB_AP_REP messages).
-
-5.6.1. KRB_SAFE definition
-
-The KRB_SAFE message contains user data along with a collision-proof
-checksum keyed with the last encryption key negotiated via subkeys, or the
-session key if no negotiation has occured. The message fields are:
-
-KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
- pvno[0] INTEGER,
- msg-type[1] INTEGER,
- safe-body[2] KRB-SAFE-BODY,
- cksum[3] Checksum
-}
-
-KRB-SAFE-BODY ::= SEQUENCE {
- user-data[0] OCTET STRING,
- timestamp[1] KerberosTime OPTIONAL,
- usec[2] INTEGER OPTIONAL,
- seq-number[3] INTEGER OPTIONAL,
- s-address[4] HostAddress OPTIONAL,
- r-address[5] HostAddress OPTIONAL
-}
-
-pvno and msg-type
- These fields are described above in section 5.4.1. msg-type is
- KRB_SAFE.
-safe-body
- This field is a placeholder for the body of the KRB-SAFE message.
-cksum
- This field contains the checksum of the application data. Checksum
- details are described in section 6.4. The checksum is computed over the
- encoding of the KRB-SAFE sequence. First, the cksum is zeroed and the
- checksum is computed over the encoding of the KRB-SAFE sequence, then
- the checksum is set to the result of that computation, and finally the
- KRB-SAFE sequence is encoded again.
-user-data
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- This field is part of the KRB_SAFE and KRB_PRIV messages and contain
- the application specific data that is being passed from the sender to
- the recipient.
-timestamp
- This field is part of the KRB_SAFE and KRB_PRIV messages. Its contents
- are the current time as known by the sender of the message. By checking
- the timestamp, the recipient of the message is able to make sure that
- it was recently generated, and is not a replay.
-usec
- This field is part of the KRB_SAFE and KRB_PRIV headers. It contains
- the microsecond part of the timestamp.
-seq-number
- This field is described above in section 5.3.2.
-s-address
- This field specifies the address in use by the sender of the message.
- It may be omitted if not required by the application protocol. The
- application designer considering omission of this field is warned, that
- the inclusion of this address prevents some kinds of replay attacks
- (e.g., reflection attacks) and that it is only acceptable to omit this
- address if there is sufficient information in the integrity protected
- part of the application message for the recipient to unambiguously
- determine if it was the intended recipient.
-r-address
- This field specifies the address in use by the recipient of the
- message.
It may be omitted for some uses (such as broadcast protocols), - but the recipient may arbitrarily reject such messages. This field - along with s-address can be used to help detect messages which have - been incorrectly or maliciously delivered to the wrong recipient. - -5.7. KRB_PRIV message specification - -This section specifies the format of a message that can be used by either -side (client or server) of an application to securely and privately send a -message to its peer. It presumes that a session key has previously been -exchanged (for example, by using the KRB_AP_REQ/KRB_AP_REP messages). - -5.7.1. KRB_PRIV definition - -The KRB_PRIV message contains user data encrypted in the Session Key. The -message fields are: - -KRB-PRIV ::= [APPLICATION 21] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - enc-part[3] EncryptedData -} - -EncKrbPrivPart ::= [APPLICATION 28[31]] SEQUENCE { - user-data[0] OCTET STRING, - timestamp[1] KerberosTime OPTIONAL, - usec[2] INTEGER OPTIONAL, - seq-number[3] INTEGER OPTIONAL, - s-address[4] HostAddress OPTIONAL, -- sender's addr - r-address[5] HostAddress OPTIONAL -- recip's addr -} - -pvno and msg-type - These fields are described above in section 5.4.1. msg-type is - KRB_PRIV. - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - -enc-part - This field holds an encoding of the EncKrbPrivPart sequence encrypted - under the session key[32]. This encrypted encoding is used for the - enc-part field of the KRB-PRIV message. See section 6 for the format of - the ciphertext. -user-data, timestamp, usec, s-address and r-address - These fields are described above in section 5.6.1. -seq-number - This field is described above in section 5.3.2. - -5.8. KRB_CRED message specification - -This section specifies the format of a message that can be used to send -Kerberos credentials from one principal to another. 
It is presented here to -encourage a common mechanism to be used by applications when forwarding -tickets or providing proxies to subordinate servers. It presumes that a -session key has already been exchanged perhaps by using the -KRB_AP_REQ/KRB_AP_REP messages. - -5.8.1. KRB_CRED definition - -The KRB_CRED message contains a sequence of tickets to be sent and -information needed to use the tickets, including the session key from each. -The information needed to use the tickets is encrypted under an encryption -key previously exchanged or transferred alongside the KRB_CRED message. The -message fields are: - -KRB-CRED ::= [APPLICATION 22] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, -- KRB_CRED - tickets[2] SEQUENCE OF Ticket, - enc-part[3] EncryptedData -} - -EncKrbCredPart ::= [APPLICATION 29] SEQUENCE { - ticket-info[0] SEQUENCE OF KrbCredInfo, - nonce[1] INTEGER OPTIONAL, - timestamp[2] KerberosTime OPTIONAL, - usec[3] INTEGER OPTIONAL, - s-address[4] HostAddress OPTIONAL, - r-address[5] HostAddress OPTIONAL -} - -KrbCredInfo ::= SEQUENCE { - key[0] EncryptionKey, - prealm[1] Realm OPTIONAL, - pname[2] PrincipalName OPTIONAL, - flags[3] TicketFlags OPTIONAL, - authtime[4] KerberosTime OPTIONAL, - starttime[5] KerberosTime OPTIONAL, - endtime[6] KerberosTime OPTIONAL - renew-till[7] KerberosTime OPTIONAL, - srealm[8] Realm OPTIONAL, - sname[9] PrincipalName OPTIONAL, - caddr[10] HostAddresses OPTIONAL -} - -pvno and msg-type - These fields are described above in section 5.4.1. msg-type is - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - KRB_CRED. -tickets - These are the tickets obtained from the KDC specifically for use by the - intended recipient. Successive tickets are paired with the - corresponding KrbCredInfo sequence from the enc-part of the KRB-CRED - message. 
-enc-part
- This field holds an encoding of the EncKrbCredPart sequence encrypted
- under the session key shared between the sender and the intended
- recipient. This encrypted encoding is used for the enc-part field of
- the KRB-CRED message. See section 6 for the format of the ciphertext.
-nonce
- If practical, an application may require the inclusion of a nonce
- generated by the recipient of the message. If the same value is
- included as the nonce in the message, it provides evidence that the
- message is fresh and has not been replayed by an attacker. A nonce must
- never be re-used; it should be generated randomly by the recipient of
- the message and provided to the sender of the message in an application
- specific manner.
-timestamp and usec
- These fields specify the time that the KRB-CRED message was generated.
- The time is used to provide assurance that the message is fresh.
-s-address and r-address
- These fields are described above in section 5.6.1. They are used
- optionally to provide additional assurance of the integrity of the
- KRB-CRED message.
-key
- This field exists in the corresponding ticket passed by the KRB-CRED
- message and is used to pass the session key from the sender to the
- intended recipient. The field's encoding is described in section 6.2.
-
-The following fields are optional. If present, they can be associated with
-the credentials in the remote ticket file. If left out, then it is assumed
-that the recipient of the credentials already knows their value.
-
-prealm and pname
- The name and realm of the delegated principal identity.
-flags, authtime, starttime, endtime, renew-till, srealm, sname, and caddr
- These fields contain the values of the correspond- ing fields from the
- ticket found in the ticket field. Descriptions of the fields are
- identical to the descriptions in the KDC-REP message.
-
-5.9. Error message specification
-
-This section specifies the format for the KRB_ERROR message.
The fields -included in the message are intended to return as much information as -possible about an error. It is not expected that all the information -required by the fields will be available for all types of errors. If the -appropriate information is not available when the message is composed, the -corresponding field will be left out of the message. - -Note that since the KRB_ERROR message is only optionally integrity -protected, it is quite possible for an intruder to synthesize or modify such -a message. In particular, this means that unless appropriate integrity -protection mechanisms have been applied to the KRB_ERROR message, the client -should not use any fields in this message for security-critical purposes, -such as setting a system clock or generating a fresh authenticator. The -message can be useful, however, for advising a user on the reason for some -failure. - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - -5.9.1. KRB_ERROR definition - -The KRB_ERROR message consists of the following fields: - -KRB-ERROR ::= [APPLICATION 30] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - ctime[2] KerberosTime OPTIONAL, - cusec[3] INTEGER OPTIONAL, - stime[4] KerberosTime, - susec[5] INTEGER, - error-code[6] INTEGER, - crealm[7] Realm OPTIONAL, - cname[8] PrincipalName OPTIONAL, - realm[9] Realm, -- Correct realm - sname[10] PrincipalName, -- Correct name - e-text[11] GeneralString OPTIONAL, - e-data[12] OCTET STRING OPTIONAL, - e-cksum[13] Checksum OPTIONAL, -} - - - -pvno and msg-type - These fields are described above in section 5.4.1. msg-type is - KRB_ERROR. -ctime - This field is described above in section 5.4.1. -cusec - This field is described above in section 5.5.2. -stime - This field contains the current time on the server. It is of type - KerberosTime. -susec - This field contains the microsecond part of the server's timestamp. Its - value ranges from 0 to 999999. 
It appears along with stime. The two - fields are used in conjunction to specify a reasonably accurate - timestamp. -error-code - This field contains the error code returned by Kerberos or the server - when a request fails. To interpret the value of this field see the list - of error codes in section 8. Implementations are encouraged to provide - for national language support in the display of error messages. -crealm, cname, srealm and sname - These fields are described above in section 5.3.1. -e-text - This field contains additional text to help explain the error code - associated with the failed request (for example, it might include a - principal name which was unknown). -e-data - This field contains additional data about the error for use by the - application to help it recover from or handle the error. If present, - this field will contain the encoding of a sequence of TypedData - (TYPED-DATA below), unless the errorcode is KDC_ERR_PREAUTH_REQUIRED, - in which case it will contain the encoding of a sequence of of padata - fields (METHOD-DATA below), each corresponding to an acceptable - pre-authentication method and optionally containing data for the - method: - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - - TYPED-DATA ::= SEQUENCE of TypeData - METHOD-DATA ::= SEQUENCE of PA-DATA - - TypedData ::= SEQUENCE { - data-type[0] INTEGER, - data-value[1] OCTET STRING OPTIONAL - } - - Note that e-data-types have been reserved for all PA data types defined - prior to July 1999. For the KDC_ERR_PREAUTH_REQUIRED message, when - using new PA data types defined in July 1999 or later, the METHOD-DATA - sequence must itself be encapsulated in an TypedData element of type - TD-PADATA. 
All new implementations interpreting the METHOD-DATA field - for the KDC_ERR_PREAUTH_REQUIRED message must accept a type of - TD-PADATA, extract the typed data field and interpret the use any - elements encapsulated in the TD-PADATA elements as if they were present - in the METHOD-DATA sequence. -e-cksum - This field contains an optional checksum for the KRB-ERROR message. The - checksum is calculated over the Kerberos ASN.1 encoding of the - KRB-ERROR message with the checksum absent. The checksum is then added - to the KRB-ERROR structure and the message is re-encoded. The Checksum - should be calculated using the session key from the ticket granting - ticket or service ticket, where available. If the error is in response - to a TGS or AP request, the checksum should be calculated uing the the - session key from the client's ticket. If the error is in response to an - AS request, then the checksum should be calulated using the client's - secret key ONLY if there has been suitable preauthentication to prove - knowledge of the secret key by the client[33]. If a checksum can not be - computed because the key to be used is not available, no checksum will - be included. - - 6. Encryption and Checksum Specifications - - The Kerberos protocols described in this document are designed to use - stream encryption ciphers, which can be simulated using commonly - available block encryption ciphers, such as the Data Encryption - Standard [DES77], and triple DES variants, in conjunction with block - chaining and checksum methods [DESM80]. Encryption is used to prove the - identities of the network entities participating in message exchanges. - The Key Distribution Center for each realm is trusted by all principals - registered in that realm to store a secret key in confidence. Proof of - knowledge of this secret key is used to verify the authenticity of a - principal. 
- - The KDC uses the principal's secret key (in the AS exchange) or a - shared session key (in the TGS exchange) to encrypt responses to ticket - requests; the ability to obtain the secret key or session key implies - the knowledge of the appropriate keys and the identity of the KDC. The - ability of a principal to decrypt the KDC response and present a Ticket - and a properly formed Authenticator (generated with the session key - from the KDC response) to a service verifies the identity of the - principal; likewise the ability of the service to extract the session - key from the Ticket and prove its knowledge thereof in a response - verifies the identity of the service. - - The Kerberos protocols generally assume that the encryption used is - secure from cryptanalysis; however, in some cases, the order of fields - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - in the encrypted portions of messages are arranged to minimize the - effects of poorly chosen keys. It is still important to choose good - keys. If keys are derived from user-typed passwords, those passwords - need to be well chosen to make brute force attacks more difficult. - Poorly chosen keys still make easy targets for intruders. - - The following sections specify the encryption and checksum mechanisms - currently defined for Kerberos. The encodings, chaining, and padding - requirements for each are described. For encryption methods, it is - often desirable to place random information (often referred to as a - confounder) at the start of the message. The requirements for a - confounder are specified with each encryption mechanism. - - Some encryption systems use a block-chaining method to improve the the - security characteristics of the ciphertext. However, these chaining - methods often don't provide an integrity check upon decryption. 
Such - systems (such as DES in CBC mode) must be augmented with a checksum of - the plain-text which can be verified at decryption and used to detect - any tampering or damage. Such checksums should be good at detecting - burst errors in the input. If any damage is detected, the decryption - routine is expected to return an error indicating the failure of an - integrity check. Each encryption type is expected to provide and verify - an appropriate checksum. The specification of each encryption method - sets out its checksum requirements. - - Finally, where a key is to be derived from a user's password, an - algorithm for converting the password to a key of the appropriate type - is included. It is desirable for the string to key function to be - one-way, and for the mapping to be different in different realms. This - is important because users who are registered in more than one realm - will often use the same password in each, and it is desirable that an - attacker compromising the Kerberos server in one realm not obtain or - derive the user's key in another. - - For an discussion of the integrity characteristics of the candidate - encryption and checksum methods considered for Kerberos, the reader is - referred to [SG92]. - - 6.1. Encryption Specifications - - The following ASN.1 definition describes all encrypted messages. The - enc-part field which appears in the unencrypted part of messages in - section 5 is a sequence consisting of an encryption type, an optional - key version number, and the ciphertext. - - EncryptedData ::= SEQUENCE { - etype[0] INTEGER, -- EncryptionType - kvno[1] INTEGER OPTIONAL, - cipher[2] OCTET STRING -- ciphertext - } - - - - etype - This field identifies which encryption algorithm was used to - encipher the cipher. Detailed specifications for selected - encryption types appear later in this section. 
- kvno - This field contains the version number of the key under which data - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - is encrypted. It is only present in messages encrypted under long - lasting keys, such as principals' secret keys. - cipher - This field contains the enciphered text, encoded as an OCTET - STRING. - The cipher field is generated by applying the specified encryption - algorithm to data composed of the message and algorithm-specific - inputs. Encryption mechanisms defined for use with Kerberos must take - sufficient measures to guarantee the integrity of the plaintext, and we - recommend they also take measures to protect against precomputed - dictionary attacks. If the encryption algorithm is not itself capable - of doing so, the protections can often be enhanced by adding a checksum - and a confounder. - - The suggested format for the data to be encrypted includes a - confounder, a checksum, the encoded plaintext, and any necessary - padding. The msg-seq field contains the part of the protocol message - described in section 5 which is to be encrypted. The confounder, - checksum, and padding are all untagged and untyped, and their length is - exactly sufficient to hold the appropriate item. The type and length is - implicit and specified by the particular encryption type being used - (etype). The format for the data to be encrypted for some methods is - described in the following diagram, but other methods may deviate from - this layour - so long as the definition of the method defines the - layout actually in use. 
- - +-----------+----------+-------------+-----+ - |confounder | check | msg-seq | pad | - +-----------+----------+-------------+-----+ - - The format cannot be described in ASN.1, but for those who prefer an - ASN.1-like notation: - - CipherText ::= ENCRYPTED SEQUENCE { - confounder[0] UNTAGGED[35] OCTET STRING(conf_length) OPTIONAL, - check[1] UNTAGGED OCTET STRING(checksum_length) OPTIONAL, - msg-seq[2] MsgSequence, - pad UNTAGGED OCTET STRING(pad_length) OPTIONAL - } - - One generates a random confounder of the appropriate length, placing it - in confounder; zeroes out check; calculates the appropriate checksum - over confounder, check, and msg-seq, placing the result in check; adds - the necessary padding; then encrypts using the specified encryption - type and the appropriate key. - - Unless otherwise specified, a definition of an encryption algorithm - that specifies a checksum, a length for the confounder field, or an - octet boundary for padding uses this ciphertext format[36]. Those - fields which are not specified will be omitted. - - In the interest of allowing all implementations using a particular - encryption type to communicate with all others using that type, the - specification of an encryption type defines any checksum that is needed - as part of the encryption process. If an alternative checksum is to be - used, a new encryption type must be defined. - - Some cryptosystems require additional information beyond the key and - the data to be encrypted. For example, DES, when used in - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - cipher-block-chaining mode, requires an initialization vector. If - required, the description for each encryption type must specify the - source of such additional information. 6.2. 
Encryption Keys - - The sequence below shows the encoding of an encryption key: - - EncryptionKey ::= SEQUENCE { - keytype[0] INTEGER, - keyvalue[1] OCTET STRING - } - - keytype - This field specifies the type of encryption that is to be - performed using the key that follows in the keyvalue field. It - will always correspond to the etype to be used to generate or - decode the EncryptedData. In cases when multiple algorithms use a - common kind of key (e.g., if the encryption algorithm uses an - alternate checksum algorithm for an integrity check, or a - different chaining mechanism), the keytype provides information - needed to determine which algorithm is to be used. - keyvalue - This field contains the key itself, encoded as an octet string. - All negative values for the encryption key type are reserved for local - use. All non-negative values are reserved for officially assigned type - fields and interpreta- tions. - - 6.3. Encryption Systems - - 6.3.1. The NULL Encryption System (null) - - If no encryption is in use, the encryption system is said to be the - NULL encryption system. In the NULL encryption system there is no - checksum, confounder or padding. The ciphertext is simply the - plaintext. The NULL Key is used by the null encryption system and is - zero octets in length, with keytype zero (0). - - 6.3.2. DES in CBC mode with a CRC-32 checksum (des-cbc-crc) - - The des-cbc-crc encryption mode encrypts information under the Data - Encryption Standard [DES77] using the cipher block chaining mode - [DESM80]. A CRC-32 checksum (described in ISO 3309 [ISO3309]) is - applied to the confounder and message sequence (msg-seq) and placed in - the cksum field. DES blocks are 8 bytes. As a result, the data to be - encrypted (the concatenation of confounder, checksum, and message) must - be padded to an 8 byte boundary before encryption. The details of the - encryption of this data are identical to those for the des-cbc-md5 - encryption mode. 
- - Note that, since the CRC-32 checksum is not collision-proof, an - attacker could use a probabilistic chosen-plaintext attack to generate - a valid message even if a confounder is used [SG92]. The use of - collision-proof checksums is recommended for environments where such - attacks represent a significant threat. The use of the CRC-32 as the - checksum for ticket or authenticator is no longer mandated as an - interoperability requirement for Kerberos Version 5 Specification 1 - (See section 9.1 for specific details). - - 6.3.3. DES in CBC mode with an MD4 checksum (des-cbc-md4) - - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - The des-cbc-md4 encryption mode encrypts information under the Data - Encryption Standard [DES77] using the cipher block chaining mode - [DESM80]. An MD4 checksum (described in [MD492]) is applied to the - confounder and message sequence (msg-seq) and placed in the cksum - field. DES blocks are 8 bytes. As a result, the data to be encrypted - (the concatenation of confounder, checksum, and message) must be padded - to an 8 byte boundary before encryption. The details of the encryption - of this data are identical to those for the des-cbc-md5 encryption - mode. - - 6.3.4. DES in CBC mode with an MD5 checksum (des-cbc-md5) - - The des-cbc-md5 encryption mode encrypts information under the Data - Encryption Standard [DES77] using the cipher block chaining mode - [DESM80]. An MD5 checksum (described in [MD5-92].) is applied to the - confounder and message sequence (msg-seq) and placed in the cksum - field. DES blocks are 8 bytes. As a result, the data to be encrypted - (the concatenation of confounder, checksum, and message) must be padded - to an 8 byte boundary before encryption. - - Plaintext and DES ciphtertext are encoded as blocks of 8 octets which - are concatenated to make the 64-bit inputs for the DES algorithms. 
The - first octet supplies the 8 most significant bits (with the octet's - MSbit used as the DES input block's MSbit, etc.), the second octet the - next 8 bits, ..., and the eighth octet supplies the 8 least significant - bits. - - Encryption under DES using cipher block chaining requires an additional - input in the form of an initialization vector. Unless otherwise - specified, zero should be used as the initialization vector. Kerberos' - use of DES requires an 8 octet confounder. - - The DES specifications identify some 'weak' and 'semi-weak' keys; those - keys shall not be used for encrypting messages for use in Kerberos. - Additionally, because of the way that keys are derived for the - encryption of checksums, keys shall not be used that yield 'weak' or - 'semi-weak' keys when eXclusive-ORed with the hexadecimal constant - F0F0F0F0F0F0F0F0. - - A DES key is 8 octets of data, with keytype one (1). This consists of - 56 bits of key, and 8 parity bits (one per octet). The key is encoded - as a series of 8 octets written in MSB-first order. The bits within the - key are also encoded in MSB order. For example, if the encryption key - is (B1,B2,...,B7,P1,B8,...,B14,P2,B15,...,B49,P7,B50,...,B56,P8) where - B1,B2,...,B56 are the key bits in MSB order, and P1,P2,...,P8 are the - parity bits, the first octet of the key would be B1,B2,...,B7,P1 (with - B1 as the MSbit). [See the FIPS 81 introduction for reference.] - - String to key transformation - - To generate a DES key from a text string (password), a "salt" is - concatenated to the text string, and then padded with ASCII nulls to an - 8 byte boundary. This "salt" is normally the realm and each component - of the principal's name appended. However, sometimes different salts - are used --- for example, when a realm is renamed, or if a user changes - her username, or for compatibility with Kerberos V4 (whose - string-to-key algorithm uses a null string for the salt). 
This string - is then fan-folded and eXclusive-ORed with itself to form an 8 byte DES - key. Before eXclusive-ORing a block, every byte is shifted one bit to - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - the left to leave the lowest bit zero. The key is the "corrected" by - correcting the parity on the key, and if the key matches a 'weak' or - 'semi-weak' key as described in the DES specification, it is - eXclusive-ORed with the constant 00000000000000F0. This key is then - used to generate a DES CBC checksum on the initial string (with the - salt appended). The result of the CBC checksum is the "corrected" as - described above to form the result which is return as the key. - Pseudocode follows: - - name_to_default_salt(realm, name) { - s = realm - for(each component in name) { - s = s + component; - } - return s; - } - - key_correction(key) { - fixparity(key); - if (is_weak_key_key(key)) - key = key XOR 0xF0; - return(key); - } - - string_to_key(string,salt) { - - odd = 1; - s = string + salt; - tempkey = NULL; - pad(s); /* with nulls to 8 byte boundary */ - for(8byteblock in s) { - if(odd == 0) { - odd = 1; - reverse(8byteblock) - } - else odd = 0; - left shift every byte in 8byteblock one bit; - tempkey = tempkey XOR 8byteblock; - } - tempkey = key_correction(tempkey); - key = key_correction(DES-CBC-check(s,tempkey)); - return(key); - } - - 6.3.5. Triple DES with HMAC-SHA1 Kerberos Encryption Type with and - without Key Derivation [Original draft by Marc Horowitz, revisions by - David Miller] - - This encryption type is based on the Triple DES cryptosystem, the - HMAC-SHA1 [Krawczyk96] message authentication algorithm, and key - derivation for Kerberos V5 [HorowitzB96]. Key derivation may or may not - be used in conjunction with the use of Triple DES keys. - - Algorithm Identifiers - - The des3-cbc-hmac-sha1 encryption type has been assigned the value 7. 
- The des3-cbc-hmac-sha1-kd encryption type, specifying the key - derivation variant of the encryption type, has been assigned the value - 16. The hmac-sha1-des3 checksum type has been assigned the value 13. - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - The hmac-sha1-des3-kd checksum type, specifying the key derivation - variant of the checksum, has been assigned the value 12. - - Triple DES Key Production - - The EncryptionKey value is 24 octets long. The 7 most significant bits - of each octet contain key bits, and the least significant bit is the - inverse of the xor of the key bits. - - For the purposes of key derivation, the block size is 64 bits, and the - key size is 168 bits. The 168 bits output by key derivation are - converted to an EncryptionKey value as follows. First, the 168 bits are - divided into three groups of 56 bits, which are expanded individually - into 64 bits as follows: - - 1 2 3 4 5 6 7 p - 9 10 11 12 13 14 15 p - 17 18 19 20 21 22 23 p - 25 26 27 28 29 30 31 p - 33 34 35 36 37 38 39 p - 41 42 43 44 45 46 47 p - 49 50 51 52 53 54 55 p - 56 48 40 32 24 16 8 p - - The "p" bits are parity bits computed over the data bits. The output of - the three expansions are concatenated to form the EncryptionKey value. - - When the HMAC-SHA1 of a string is computed, the key is used in the - EncryptedKey form. - - The string-to-key function is used to tranform UNICODE passwords into - DES3 keys. The DES3 string-to-key function relies on the "N-fold" - algorithm, which is detailed in [9]. The description of the N-fold - algorithm in that document is as follows: - o To n-fold a number X, replicate the input value to a length that - is the least common multiple of n and the length of X. Before each - repetition, the input is rotated to the right by 13 bit positions. 
- The successive n-bit chunks are added together using - 1's-complement addition (that is, addition with end-around carry) - to yield an n-bit result" - o The n-fold algorithm, as with DES string-to-key, is applied to the - password string concatenated with a salt value. The salt value is - derived in the same was as for the DES string-to-key algorithm. - For 3-key triple DES then, the operation will involve a 168-fold - of the input password string. The remainder of the string-to-key - function for DES3 is shown here in pseudocode: - - DES3string-to-key(passwordString, key) - - salt = name_to_default_salt(realm, name) - s = passwordString + salt - tmpKey1 = 168-fold(s) - parityFix(tmpKey1); - if not weakKey(tmpKey1) - /* - * Encrypt temp key in itself with a - * zero initialization vector - * - * Function signature is DES3encrypt(plain, key, iv) - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - * with cipher as the return value - */ - tmpKey2 = DES3encrypt(tmpKey1, tmpKey1, zeroIvec) - /* - * Encrypt resultant temp key in itself with third component - * of first temp key as initialization vector - */ - key = DES3encrypt(tmpKey2, tmpKey1, tmpKey1[2]) - parityFix(key) - if not weakKey(key) - return SUCCESS - else - return FAILURE - else - return FAILURE - - The weakKey function above is the same weakKey function used with DES - keys, but applied to each of the three single DES keys that comprise - the triple DES key. - - The lengths of UNICODE encoded character strings include the trailing - terminator character (0). - - Encryption Types des3-cbc-hmac-sha1 and des3-cbc-hmac-sha1-kd - - EncryptedData using this type must be generated as described in - [Horowitz96]. The encryption algorithm is Triple DES in Outer-CBC mode. - The checksum algorithm is HMAC-SHA1. 
If the key derivation variant of - the encryption type is used, encryption key values are modified - according to the method under the Key Derivation section below. - - Unless otherwise specified, a zero IV must be used. - - If the length of the input data is not a multiple of the block size, - zero octets must be used to pad the plaintext to the next eight-octet - boundary. The counfounder must be eight random octets (one block). - - Checksum Types hmac-sha1-des3 and hmac-sha1-des3-kd - - Checksums using this type must be generated as described in - [Horowitz96]. The keyed hash algorithm is HMAC-SHA1. If the key - derivation variant of the checksum type is used, checksum key values - are modified according to the method under the Key Derivation section - below. - - Key Derivation - - In the Kerberos protocol, cryptographic keys are used in a number of - places. In order to minimize the effect of compromising a key, it is - desirable to use a different key for each of these places. Key - derivation [Horowitz96] can be used to construct different keys for - each operation from the keys transported on the network. For this to be - possible, a small change to the specification is necessary. - - This section specifies a profile for the use of key derivation - [Horowitz96] with Kerberos. For each place where a key is used, a ``key - usage'' must is specified for that purpose. The key, key usage, and - encryption/checksum type together describe the transformation from - plaintext to ciphertext, or plaintext to checksum. - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - - Key Usage Values - - This is a complete list of places keys are used in the kerberos - protocol, with key usage values and RFC 1510 section numbers: - - 1. AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with the - client key (section 5.4.1) - 2. 
AS-REP Ticket and TGS-REP Ticket (includes tgs session key or - application session key), encrypted with the service key - (section 5.4.2) - 3. AS-REP encrypted part (includes tgs session key or application - session key), encrypted with the client key (section 5.4.2) - 4. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs - session key (section 5.4.1) - 5. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs - authenticator subkey (section 5.4.1) - 6. TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator cksum, keyed - with the tgs session key (sections 5.3.2, 5.4.1) - 7. TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator (includes tgs - authenticator subkey), encrypted with the tgs session key - (section 5.3.2) - 8. TGS-REP encrypted part (includes application session key), - encrypted with the tgs session key (section 5.4.2) - 9. TGS-REP encrypted part (includes application session key), - encrypted with the tgs authenticator subkey (section 5.4.2) - 10. AP-REQ Authenticator cksum, keyed with the application session - key (section 5.3.2) - 11. AP-REQ Authenticator (includes application authenticator - subkey), encrypted with the application session key (section - 5.3.2) - 12. AP-REP encrypted part (includes application session subkey), - encrypted with the application session key (section 5.5.2) - 13. KRB-PRIV encrypted part, encrypted with a key chosen by the - application (section 5.7.1) - 14. KRB-CRED encrypted part, encrypted with a key chosen by the - application (section 5.6.1) - 15. KRB-SAVE cksum, keyed with a key chosen by the application - (section 5.8.1) - 18. KRB-ERROR checksum (e-cksum in section 5.9.1) - 19. AD-KDCIssued checksum (ad-checksum in appendix B.1) - 20. Checksum for Mandatory Ticket Extensions (appendix B.6) - 21. Checksum in Authorization Data in Ticket Extensions (appendix B.7) - - Key usage values between 1024 and 2047 (inclusive) are reserved for - application use. 
Applications should use even values for encryption and - odd values for checksums within this range. - - A few of these key usages need a little clarification. A service which - receives an AP-REQ has no way to know if the enclosed Ticket was part - of an AS-REP or TGS-REP. Therefore, key usage 2 must always be used for - generating a Ticket, whether it is in response to an AS- REQ or - TGS-REQ. - - There might exist other documents which define protocols in terms of - the RFC1510 encryption types or checksum types. Such documents would - not know about key usages. In order that these documents continue to be - meaningful until they are updated, key usages 1024 and 1025 must be - used to derive keys for encryption and checksums, respectively. New - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - protocols defined in terms of the Kerberos encryption and checksum - types should use their own key usages. Key usages may be registered - with IANA to avoid conflicts. Key usages must be unsigned 32 bit - integers. Zero is not permitted. - - Defining Cryptosystems Using Key Derivation - - Kerberos requires that the ciphertext component of EncryptedData be - tamper-resistant as well as confidential. This implies encryption and - integrity functions, which must each use their own separate keys. So, - for each key usage, two keys must be generated, one for encryption - (Ke), and one for integrity (Ki): - - Ke = DK(protocol key, key usage | 0xAA) - Ki = DK(protocol key, key usage | 0x55) - - where the protocol key is from the EncryptionKey from the wire - protocol, and the key usage is represented as a 32 bit integer in - network byte order. The ciphertest must be generated from the plaintext - as follows: - - ciphertext = E(Ke, confounder | plaintext | padding) | - H(Ki, confounder | plaintext | padding) - - The confounder and padding are specific to the encryption algorithm E. 
- - When generating a checksum only, there is no need for a confounder or - padding. Again, a new key (Kc) must be used. Checksums must be - generated from the plaintext as follows: - - Kc = DK(protocol key, key usage | 0x99) - MAC = H(Kc, plaintext) - - Note that each enctype is described by an encryption algorithm E and a - keyed hash algorithm H, and each checksum type is described by a keyed - hash algorithm H. HMAC, with an appropriate hash, is required for use - as H. - - Key Derivation from Passwords - - The well-known constant for password key derivation must be the byte - string {0x6b 0x65 0x72 0x62 0x65 0x72 0x6f 0x73}. These values - correspond to the ASCII encoding for the string "kerberos". - - 6.4. Checksums - - The following is the ASN.1 definition used for a checksum: - - Checksum ::= SEQUENCE { - cksumtype[0] INTEGER, - checksum[1] OCTET STRING - } - - cksumtype - This field indicates the algorithm used to generate the - accompanying checksum. - checksum - This field contains the checksum itself, encoded as an octet - string. - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - Detailed specification of selected checksum types appear later in this - section. Negative values for the checksum type are reserved for local - use. All non-negative values are reserved for officially assigned type - fields and interpretations. - - Checksums used by Kerberos can be classified by two properties: whether - they are collision-proof, and whether they are keyed. It is infeasible - to find two plaintexts which generate the same checksum value for a - collision-proof checksum. A key is required to perturb or initialize - the algorithm in a keyed checksum. To prevent message-stream - modification by an active attacker, unkeyed checksums should only be - used when the checksum and message will be subsequently encrypted (e.g. 
- the checksums defined as part of the encryption algorithms covered
- earlier in this section).
-
- Collision-proof checksums can be made tamper-proof if the checksum
- value is encrypted before inclusion in a message. In such cases, the
- composition of the checksum and the encryption algorithm must be
- considered a separate checksum algorithm (e.g. RSA-MD5 encrypted using
- DES is a new checksum algorithm of type RSA-MD5-DES). For most keyed
- checksums, as well as for the encrypted forms of unkeyed
- collision-proof checksums, Kerberos prepends a confounder before the
- checksum is calculated.
-
- 6.4.1. The CRC-32 Checksum (crc32)
-
- The CRC-32 checksum calculates a checksum based on a cyclic redundancy
- check as described in ISO 3309 [ISO3309]. The resulting checksum is
- four (4) octets in length. The CRC-32 is neither keyed nor
- collision-proof. The use of this checksum is not recommended. An
- attacker using a probabilistic chosen-plaintext attack as described in
- [SG92] might be able to generate an alternative message that satisfies
- the checksum. The use of collision-proof checksums is recommended for
- environments where such attacks represent a significant threat.
-
- 6.4.2. The RSA MD4 Checksum (rsa-md4)
-
- The RSA-MD4 checksum calculates a checksum using the RSA MD4 algorithm
- [MD4-92]. The algorithm takes as input an input message of arbitrary
- length and produces as output a 128-bit (16 octet) checksum. RSA-MD4 is
- believed to be collision-proof.
-
- 6.4.3. RSA MD4 Cryptographic Checksum Using DES (rsa-md4-des)
-
- The RSA-MD4-DES checksum calculates a keyed collision-proof checksum by
- prepending an 8 octet confounder before the text, applying the RSA MD4
- checksum algorithm, and encrypting the confounder and the checksum
- using DES in cipher-block-chaining (CBC) mode using a variant of the
- key, where the variant is computed by eXclusive-ORing the key with the
- constant F0F0F0F0F0F0F0F0[39].
The initialization vector should be - zero. The resulting checksum is 24 octets long (8 octets of which are - redundant). This checksum is tamper-proof and believed to be - collision-proof. - - The DES specifications identify some weak keys' and 'semi-weak keys'; - those keys shall not be used for generating RSA-MD4 checksums for use - in Kerberos. - - The format for the checksum is described in the follow- ing diagram: - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - - +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ - | des-cbc(confounder + rsa-md4(confounder+msg),key=var(key),iv=0) | - +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ - - The format cannot be described in ASN.1, but for those who prefer an - ASN.1-like notation: - - rsa-md4-des-checksum ::= ENCRYPTED UNTAGGED SEQUENCE { - confounder[0] UNTAGGED OCTET STRING(8), - check[1] UNTAGGED OCTET STRING(16) - } - - 6.4.4. The RSA MD5 Checksum (rsa-md5) - - The RSA-MD5 checksum calculates a checksum using the RSA MD5 algorithm. - [MD5-92]. The algorithm takes as input an input message of arbitrary - length and produces as output a 128-bit (16 octet) checksum. RSA-MD5 is - believed to be collision-proof. - - 6.4.5. RSA MD5 Cryptographic Checksum Using DES (rsa-md5-des) - - The RSA-MD5-DES checksum calculates a keyed collision-proof checksum by - prepending an 8 octet confounder before the text, applying the RSA MD5 - checksum algorithm, and encrypting the confounder and the checksum - using DES in cipher-block-chaining (CBC) mode using a variant of the - key, where the variant is computed by eXclusive-ORing the key with the - hexadecimal constant F0F0F0F0F0F0F0F0. The initialization vector should - be zero. The resulting checksum is 24 octets long (8 octets of which - are redundant). This checksum is tamper-proof and believed to be - collision-proof. 
-
- The DES specifications identify some 'weak keys' and 'semi-weak keys';
- those keys shall not be used for encrypting RSA-MD5 checksums for use
- in Kerberos.
-
- The format for the checksum is described in the following diagram:
-
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | des-cbc(confounder + rsa-md5(confounder+msg),key=var(key),iv=0) |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
- The format cannot be described in ASN.1, but for those who prefer an
- ASN.1-like notation:
-
- rsa-md5-des-checksum ::= ENCRYPTED UNTAGGED SEQUENCE {
- confounder[0] UNTAGGED OCTET STRING(8),
- check[1] UNTAGGED OCTET STRING(16)
- }
-
- 6.4.6. DES cipher-block chained checksum (des-mac)
-
- The DES-MAC checksum is computed by prepending an 8 octet confounder to
- the plaintext, performing a DES CBC-mode encryption on the result using
- the key and an initialization vector of zero, taking the last block of
- the ciphertext, prepending the same confounder and encrypting the pair
- using DES in cipher-block-chaining (CBC) mode using a a variant of the
- key, where the variant is computed by eXclusive-ORing the key with the
- hexadecimal constant F0F0F0F0F0F0F0F0. The initialization vector should
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- be zero. The resulting checksum is 128 bits (16 octets) long, 64 bits
- of which are redundant. This checksum is tamper-proof and
- collision-proof.
-
- The format for the checksum is described in the following diagram:
-
- +--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+
- | des-cbc(confounder + des-mac(conf+msg,iv=0,key),key=var(key),iv=0) |
- +--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+
-
- The format cannot be described in ASN.1, but for those who prefer an
- ASN.1-like notation:
-
- des-mac-checksum ::= ENCRYPTED UNTAGGED SEQUENCE {
- confounder[0] UNTAGGED OCTET STRING(8),
- check[1] UNTAGGED OCTET STRING(8)
- }
-
- The DES specifications identify some 'weak' and 'semi-weak' keys; those
- keys shall not be used for generating DES-MAC checksums for use in
- Kerberos, nor shall a key be used whose variant is 'weak' or
- 'semi-weak'.
-
- 6.4.7. RSA MD4 Cryptographic Checksum Using DES alternative
- (rsa-md4-des-k)
-
- The RSA-MD4-DES-K checksum calculates a keyed collision-proof checksum
- by applying the RSA MD4 checksum algorithm and encrypting the results
- using DES in cipher-block-chaining (CBC) mode using a DES key as both
- key and initialization vector. The resulting checksum is 16 octets
- long. This checksum is tamper-proof and believed to be collision-proof.
- Note that this checksum type is the old method for encoding the
- RSA-MD4-DES checksum and it is no longer recommended.
-
- 6.4.8. DES cipher-block chained checksum alternative (des-mac-k)
-
- The DES-MAC-K checksum is computed by performing a DES CBC-mode
- encryption of the plaintext, and using the last block of the ciphertext
- as the checksum value. It is keyed with an encryption key and an
- initialization vector; any uses which do not specify an additional
- initialization vector will use the key as both key and initialization
- vector. The resulting checksum is 64 bits (8 octets) long. This
- checksum is tamper-proof and collision-proof. Note that this checksum
- type is the old method for encoding the DES-MAC checksum and it is no
- longer recommended.
The DES specifications identify some 'weak keys' - and 'semi-weak keys'; those keys shall not be used for generating - DES-MAC checksums for use in Kerberos. - - 7. Naming Constraints - - 7.1. Realm Names - - Although realm names are encoded as GeneralStrings and although a realm - can technically select any name it chooses, interoperability across - realm boundaries requires agreement on how realm names are to be - assigned, and what information they imply. - - To enforce these conventions, each realm must conform to the - conventions itself, and it must require that any realms with which - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - inter-realm keys are shared also conform to the conventions and require - the same from its neighbors. - - Kerberos realm names are case sensitive. Realm names that differ only - in the case of the characters are not equivalent. There are presently - four styles of realm names: domain, X500, other, and reserved. Examples - of each style follow: - - domain: ATHENA.MIT.EDU (example) - X500: C=US/O=OSF (example) - other: NAMETYPE:rest/of.name=without-restrictions (example) - reserved: reserved, but will not conflict with above - - Domain names must look like domain names: they consist of components - separated by periods (.) and they contain neither colons (:) nor - slashes (/). Domain names must be converted to upper case when used as - realm names. - - X.500 names contain an equal (=) and cannot contain a colon (:) before - the equal. The realm names for X.500 names will be string - representations of the names with components separated by slashes. - Leading and trailing slashes will not be included. - - Names that fall into the other category must begin with a prefix that - contains no equal (=) or period (.) and the prefix must be followed by - a colon (:) and the rest of the name. All prefixes must be assigned - before they may be used. 
Presently none are assigned. - - The reserved category includes strings which do not fall into the first - three categories. All names in this category are reserved. It is - unlikely that names will be assigned to this category unless there is a - very strong argument for not using the 'other' category. - - These rules guarantee that there will be no conflicts between the - various name styles. The following additional constraints apply to the - assignment of realm names in the domain and X.500 categories: the name - of a realm for the domain or X.500 formats must either be used by the - organization owning (to whom it was assigned) an Internet domain name - or X.500 name, or in the case that no such names are registered, - authority to use a realm name may be derived from the authority of the - parent realm. For example, if there is no domain name for E40.MIT.EDU, - then the administrator of the MIT.EDU realm can authorize the creation - of a realm with that name. - - This is acceptable because the organization to which the parent is - assigned is presumably the organization authorized to assign names to - its children in the X.500 and domain name systems as well. If the - parent assigns a realm name without also registering it in the domain - name or X.500 hierarchy, it is the parent's responsibility to make sure - that there will not in the future exists a name identical to the realm - name of the child unless it is assigned to the same entity as the realm - name. - - 7.2. Principal Names - - As was the case for realm names, conventions are needed to ensure that - all agree on what information is implied by a principal name. The - name-type field that is part of the principal name indicates the kind - of information implied by the name. The name-type should be treated as - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - a hint. 
Ignoring the name type, no two names can be the same (i.e. at - least one of the components, or the realm, must be different). The - following name types are defined: - - name-type value meaning - - NT-UNKNOWN 0 Name type not known - NT-PRINCIPAL 1 General principal name (e.g. username, or DCE principal) - NT-SRV-INST 2 Service and other unique instance (krbtgt) - NT-SRV-HST 3 Service with host name as instance (telnet, rcommands) - NT-SRV-XHST 4 Service with slash-separated host name components - NT-UID 5 Unique ID - NT-X500-PRINCIPAL 6 Encoded X.509 Distingished name [RFC 1779] - - When a name implies no information other than its uniqueness at a - particular time the name type PRINCIPAL should be used. The principal - name type should be used for users, and it might also be used for a - unique server. If the name is a unique machine generated ID that is - guaranteed never to be reassigned then the name type of UID should be - used (note that it is generally a bad idea to reassign names of any - type since stale entries might remain in access control lists). - - If the first component of a name identifies a service and the remaining - components identify an instance of the service in a server specified - manner, then the name type of SRV-INST should be used. An example of - this name type is the Kerberos ticket-granting service whose name has a - first component of krbtgt and a second component identifying the realm - for which the ticket is valid. - - If instance is a single component following the service name and the - instance identifies the host on which the server is running, then the - name type SRV-HST should be used. This type is typically used for - Internet services such as telnet and the Berkeley R commands. If the - separate components of the host name appear as successive components - following the name of the service, then the name type SRV-XHST should - be used. 
This type might be used to identify servers on hosts with - X.500 names where the slash (/) might otherwise be ambiguous. - - A name type of NT-X500-PRINCIPAL should be used when a name from an - X.509 certificiate is translated into a Kerberos name. The encoding of - the X.509 name as a Kerberos principal shall conform to the encoding - rules specified in RFC 2253. - - A name type of UNKNOWN should be used when the form of the name is not - known. When comparing names, a name of type UNKNOWN will match - principals authenticated with names of any type. A principal - authenticated with a name of type UNKNOWN, however, will only match - other names of type UNKNOWN. - - Names of any type with an initial component of 'krbtgt' are reserved - for the Kerberos ticket granting service. See section 8.2.3 for the - form of such names. - - 7.2.1. Name of server principals - - The principal identifier for a server on a host will generally be - composed of two parts: (1) the realm of the KDC with which the server - is registered, and (2) a two-component name of type NT-SRV-HST if the - host name is an Internet domain name or a multi-component name of type - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - NT-SRV-XHST if the name of the host is of a form such as X.500 that - allows slash (/) separators. The first component of the two- or - multi-component name will identify the service and the latter - components will identify the host. Where the name of the host is not - case sensitive (for example, with Internet domain names) the name of - the host must be lower case. If specified by the application protocol - for services such as telnet and the Berkeley R commands which run with - system privileges, the first component may be the string 'host' instead - of a service specific identifier. 
When a host has an official name and - one or more aliases, the official name of the host must be used when - constructing the name of the server principal. - - 8. Constants and other defined values - - 8.1. Host address types - - All negative values for the host address type are reserved for local - use. All non-negative values are reserved for officially assigned type - fields and interpretations. - - The values of the types for the following addresses are chosen to match - the defined address family constants in the Berkeley Standard - Distributions of Unix. They can be found in with symbolic names AF_xxx - (where xxx is an abbreviation of the address family name). - - Internet (IPv4) Addresses - - Internet (IPv4) addresses are 32-bit (4-octet) quantities, encoded in - MSB order. The type of IPv4 addresses is two (2). - - Internet (IPv6) Addresses [Westerlund] - - IPv6 addresses are 128-bit (16-octet) quantities, encoded in MSB order. - The type of IPv6 addresses is twenty-four (24). [RFC1883] [RFC1884]. - The following addresses (see [RFC1884]) MUST not appear in any Kerberos - packet: - o the Unspecified Address - o the Loopback Address - o Link-Local addresses - IPv4-mapped IPv6 addresses MUST be represented as addresses of type 2. - - CHAOSnet addresses - - CHAOSnet addresses are 16-bit (2-octet) quantities, encoded in MSB - order. The type of CHAOSnet addresses is five (5). - - ISO addresses - - ISO addresses are variable-length. The type of ISO addresses is seven - (7). - - Xerox Network Services (XNS) addresses - - XNS addresses are 48-bit (6-octet) quantities, encoded in MSB order. - The type of XNS addresses is six (6). - - AppleTalk Datagram Delivery Protocol (DDP) addresses - - AppleTalk DDP addresses consist of an 8-bit node number and a 16-bit - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - network number. 
The first octet of the address is the node number; the - remaining two octets encode the network number in MSB order. The type - of AppleTalk DDP addresses is sixteen (16). - - DECnet Phase IV addresses - - DECnet Phase IV addresses are 16-bit addresses, encoded in LSB order. - The type of DECnet Phase IV addresses is twelve (12). - - Netbios addresses - - Netbios addresses are 16-octet addresses typically composed of 1 to 15 - characters, trailing blank (ascii char 20) filled, with a 16th octet of - 0x0. The type of Netbios addresses is 20 (0x14). - - 8.2. KDC messages - - 8.2.1. UDP/IP transport - - When contacting a Kerberos server (KDC) for a KRB_KDC_REQ request using - UDP IP transport, the client shall send a UDP datagram containing only - an encoding of the request to port 88 (decimal) at the KDC's IP - address; the KDC will respond with a reply datagram containing only an - encoding of the reply message (either a KRB_ERROR or a KRB_KDC_REP) to - the sending port at the sender's IP address. Kerberos servers - supporting IP transport must accept UDP requests on port 88 (decimal). - The response to a request made through UDP/IP transport must also use - UDP/IP transport. - - 8.2.2. TCP/IP transport [Westerlund,Danielsson] - - Kerberos servers (KDC's) should accept TCP requests on port 88 - (decimal) and clients should support the sending of TCP requests on - port 88 (decimal). When the KRB_KDC_REQ message is sent to the KDC over - a TCP stream, a new connection will be established for each - authentication exchange (request and response). The KRB_KDC_REP or - KRB_ERROR message will be returned to the client on the same TCP stream - that was established for the request. The response to a request made - through TCP/IP transport must also use TCP/IP transport. Implementors - should note that some extentions to the Kerberos protocol will not work - if any implementation not supporting the TCP transport is involved - (client or KDC). 
Implementors are strongly urged to support the TCP - transport on both the client and server and are advised that the - current notation of "should" support will likely change in the future - to must support. The KDC may close the TCP stream after sending a - response, but may leave the stream open if it expects a followup - in - which case it may close the stream at any time if resource constratints - or other factors make it desirable to do so. Care must be taken in - managing TCP/IP connections with the KDC to prevent denial of service - attacks based on the number of TCP/IP connections with the KDC that - remain open. If multiple exchanges with the KDC are needed for certain - forms of preauthentication, multiple TCP connections may be required. A - client may close the stream after receiving response, and should close - the stream if it does not expect to send followup messages. The client - must be prepared to have the stream closed by the KDC at anytime, in - which case it must simply connect again when it is ready to send - subsequent messages. - - The first four octets of the TCP stream used to transmit the request - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - request will encode in network byte order the length of the request - (KRB_KDC_REQ), and the length will be followed by the request itself. - The response will similarly be preceeded by a 4 octet encoding in - network byte order of the length of the KRB_KDC_REP or the KRB_ERROR - message and will be followed by the KRB_KDC_REP or the KRB_ERROR - response. If the sign bit is set on the integer represented by the - first 4 octets, then the next 4 octets will be read, extending the - length of the field by another 4 octets (less the sign bit which is - reserved for future expansion). - - 8.2.3. 
OSI transport - - During authentication of an OSI client to an OSI server, the mutual - authentication of an OSI server to an OSI client, the transfer of - credentials from an OSI client to an OSI server, or during exchange of - private or integrity checked messages, Kerberos protocol messages may - be treated as opaque objects and the type of the authentication - mechanism will be: - - OBJECT IDENTIFIER ::= {iso (1), org(3), dod(6),internet(1), security(5),kerberosv5(2)} - - Depending on the situation, the opaque object will be an authentication - header (KRB_AP_REQ), an authentication reply (KRB_AP_REP), a safe - message (KRB_SAFE), a private message (KRB_PRIV), or a credentials - message (KRB_CRED). The opaque data contains an application code as - specified in the ASN.1 description for each message. The application - code may be used by Kerberos to determine the message type. - - 8.2.3. Name of the TGS - - The principal identifier of the ticket-granting service shall be - composed of three parts: (1) the realm of the KDC issuing the TGS - ticket (2) a two-part name of type NT-SRV-INST, with the first part - "krbtgt" and the second part the name of the realm which will accept - the ticket-granting ticket. For example, a ticket-granting ticket - issued by the ATHENA.MIT.EDU realm to be used to get tickets from the - ATHENA.MIT.EDU KDC has a principal identifier of "ATHENA.MIT.EDU" - (realm), ("krbtgt", "ATHENA.MIT.EDU") (name). A ticket-granting ticket - issued by the ATHENA.MIT.EDU realm to be used to get tickets from the - MIT.EDU realm has a principal identifier of "ATHENA.MIT.EDU" (realm), - ("krbtgt", "MIT.EDU") (name). - - 8.3. Protocol constants and associated values - - The following tables list constants used in the protocol and defines - their meanings. Ranges are specified in the "specification" section - that limit the values of constants for which values are defined here. 
- This allows implementations to make assumptions about the maximum - values that will be received for these constants. Implementation - receiving values outside the range specified in the "specification" - section may reject the request, but they must recover cleanly. - - Encryption type etype value block size minimum pad size confounder size - NULL 0 1 0 0 - des-cbc-crc 1 8 4 8 - des-cbc-md4 2 8 0 8 - des-cbc-md5 3 8 0 8 - 4 - des3-cbc-md5 5 8 0 8 - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - 6 - des3-cbc-sha1 7 8 0 8 - dsaWithSHA1-CmsOID 9 (pkinit) - md5WithRSAEncryption-CmsOID 10 (pkinit) - sha1WithRSAEncryption-CmsOID 11 (pkinit) - rc2CBC-EnvOID 12 (pkinit) - rsaEncryption-EnvOID 13 (pkinit from PKCS#1 v1.5) - rsaES-OAEP-ENV-OID 14 (pkinit from PKCS#1 v2.0) - des-ede3-cbc-Env-OID 15 (pkinit) - des3-cbc-sha1-kd 16 (Tom Yu) - rc4-hmac 23 (swift) - rc4-hmac-exp 24 (swift) - - ENCTYPE_PK_CROSS 48 (reserved for pkcross) - 0x8003 - - Checksum type sumtype value checksum size - CRC32 1 4 - rsa-md4 2 16 - rsa-md4-des 3 24 - des-mac 4 16 - des-mac-k 5 8 - rsa-md4-des-k 6 16 (drop rsa ?) - rsa-md5 7 16 (drop rsa ?) - rsa-md5-des 8 24 (drop rsa ?) - rsa-md5-des3 9 24 (drop rsa ?) 
- hmac-sha1-des3-kd 12 20 - hmac-sha1-des3 13 20 - - padata type padata-type value - - PA-TGS-REQ 1 - PA-ENC-TIMESTAMP 2 - PA-PW-SALT 3 - 4 - PA-ENC-UNIX-TIME 5 (depricated) - PA-SANDIA-SECUREID 6 - PA-SESAME 7 - PA-OSF-DCE 8 - PA-CYBERSAFE-SECUREID 9 - PA-AFS3-SALT 10 - PA-ETYPE-INFO 11 - PA-SAM-CHALLENGE 12 (sam/otp) - PA-SAM-RESPONSE 13 (sam/otp) - PA-PK-AS-REQ 14 (pkinit) - PA-PK-AS-REP 15 (pkinit) - PA-USE-SPECIFIED-KVNO 20 - PA-SAM-REDIRECT 21 (sam/otp) - PA-GET-FROM-TYPED-DATA 22 - PA-SAM-ETYPE-INFO 23 (sam/otp) - -data-type value form of typed-data - - 1-21 -TD-PADATA 22 -TD-PKINIT-CMS-CERTIFICATES 101 CertificateSet from CMS -TD-KRB-PRINCIPAL 102 -TD-KRB-REALM 103 -TD-TRUSTED-CERTIFIERS 104 - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - -TD-CERTIFICATE-INDEX 105 - -authorization data type ad-type value -AD-IF-RELEVANT 1 -AD-INTENDED-FOR-SERVER 2 -AD-INTENDED-FOR-APPLICATION-CLASS 3 -AD-KDC-ISSUED 4 -AD-OR 5 -AD-MANDATORY-TICKET-EXTENSIONS 6 -AD-IN-TICKET-EXTENSIONS 7 -reserved values 8-63 -OSF-DCE 64 -SESAME 65 -AD-OSF-DCE-PKI-CERTID 66 (hemsath@us.ibm.com) - -Ticket Extension Types - -TE-TYPE-NULL 0 Null ticket extension -TE-TYPE-EXTERNAL-ADATA 1 Integrity protected authorization data - 2 TE-TYPE-PKCROSS-KDC (I have reservations) -TE-TYPE-PKCROSS-CLIENT 3 PKCROSS cross realm key ticket -TE-TYPE-CYBERSAFE-EXT 4 Assigned to CyberSafe Corp - 5 TE-TYPE-DEST-HOST (I have reservations) - -alternate authentication type method-type value -reserved values 0-63 -ATT-CHALLENGE-RESPONSE 64 - -transited encoding type tr-type value -DOMAIN-X500-COMPRESS 1 -reserved values all others - -Label Value Meaning or MIT code - -pvno 5 current Kerberos protocol version number - -message types - -KRB_AS_REQ 10 Request for initial authentication -KRB_AS_REP 11 Response to KRB_AS_REQ request -KRB_TGS_REQ 12 Request for authentication based on TGT -KRB_TGS_REP 13 Response to KRB_TGS_REQ request 
-KRB_AP_REQ 14 application request to server
-KRB_AP_REP 15 Response to KRB_AP_REQ_MUTUAL
-KRB_SAFE 20 Safe (checksummed) application message
-KRB_PRIV 21 Private (encrypted) application message
-KRB_CRED 22 Private (encrypted) message to forward credentials
-KRB_ERROR 30 Error response
-
-name types
-
-KRB_NT_UNKNOWN 0 Name type not known
-KRB_NT_PRINCIPAL 1 Just the name of the principal as in DCE, or for users
-KRB_NT_SRV_INST 2 Service and other unique instance (krbtgt)
-KRB_NT_SRV_HST 3 Service with host name as instance (telnet, rcommands)
-KRB_NT_SRV_XHST 4 Service with host as remaining components
-KRB_NT_UID 5 Unique ID
-KRB_NT_X500_PRINCIPAL 6 Encoded X.509 Distingished name [RFC 2253]
-
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-error codes
-
-KDC_ERR_NONE 0 No error
-KDC_ERR_NAME_EXP 1 Client's entry in database has expired
-KDC_ERR_SERVICE_EXP 2 Server's entry in database has expired
-KDC_ERR_BAD_PVNO 3 Requested prot vers number not supported
-KDC_ERR_C_OLD_MAST_KVNO 4 Client's key encrypted in old master key
-KDC_ERR_S_OLD_MAST_KVNO 5 Server's key encrypted in old master key
-KDC_ERR_C_PRINCIPAL_UNKNOWN 6 Client not found in Kerberos database
-KDC_ERR_S_PRINCIPAL_UNKNOWN 7 Server not found in Kerberos database
-KDC_ERR_PRINCIPAL_NOT_UNIQUE 8 Multiple principal entries in database
-KDC_ERR_NULL_KEY 9 The client or server has a null key
-KDC_ERR_CANNOT_POSTDATE 10 Ticket not eligible for postdating
-KDC_ERR_NEVER_VALID 11 Requested start time is later than end time
-KDC_ERR_POLICY 12 KDC policy rejects request
-KDC_ERR_BADOPTION 13 KDC cannot accommodate requested option
-KDC_ERR_ETYPE_NOSUPP 14 KDC has no support for encryption type
-KDC_ERR_SUMTYPE_NOSUPP 15 KDC has no support for checksum type
-KDC_ERR_PADATA_TYPE_NOSUPP 16 KDC has no support for padata type
-KDC_ERR_TRTYPE_NOSUPP 17 KDC has no support for transited type
-KDC_ERR_CLIENT_REVOKED 18 Clients
credentials have been revoked -KDC_ERR_SERVICE_REVOKED 19 Credentials for server have been revoked -KDC_ERR_TGT_REVOKED 20 TGT has been revoked -KDC_ERR_CLIENT_NOTYET 21 Client not yet valid - try again later -KDC_ERR_SERVICE_NOTYET 22 Server not yet valid - try again later -KDC_ERR_KEY_EXPIRED 23 Password has expired - change password -KDC_ERR_PREAUTH_FAILED 24 Pre-authentication information was invalid -KDC_ERR_PREAUTH_REQUIRED 25 Additional pre-authenticationrequired [40] -KDC_ERR_SERVER_NOMATCH 26 Requested server and ticket don't match -KDC_ERR_MUST_USE_USER2USER 27 Server principal valid for user2user only -KDC_ERR_PATH_NOT_ACCPETED 28 KDC Policy rejects transited path -KDC_ERR_SVC_UNAVAILABLE 29 A service is not available -KRB_AP_ERR_BAD_INTEGRITY 31 Integrity check on decrypted field failed -KRB_AP_ERR_TKT_EXPIRED 32 Ticket expired -KRB_AP_ERR_TKT_NYV 33 Ticket not yet valid -KRB_AP_ERR_REPEAT 34 Request is a replay -KRB_AP_ERR_NOT_US 35 The ticket isn't for us -KRB_AP_ERR_BADMATCH 36 Ticket and authenticator don't match -KRB_AP_ERR_SKEW 37 Clock skew too great -KRB_AP_ERR_BADADDR 38 Incorrect net address -KRB_AP_ERR_BADVERSION 39 Protocol version mismatch -KRB_AP_ERR_MSG_TYPE 40 Invalid msg type -KRB_AP_ERR_MODIFIED 41 Message stream modified -KRB_AP_ERR_BADORDER 42 Message out of order -KRB_AP_ERR_BADKEYVER 44 Specified version of key is not available -KRB_AP_ERR_NOKEY 45 Service key not available -KRB_AP_ERR_MUT_FAIL 46 Mutual authentication failed -KRB_AP_ERR_BADDIRECTION 47 Incorrect message direction -KRB_AP_ERR_METHOD 48 Alternative authentication method required -KRB_AP_ERR_BADSEQ 49 Incorrect sequence number in message -KRB_AP_ERR_INAPP_CKSUM 50 Inappropriate type of checksum in message -KRB_AP_PATH_NOT_ACCEPTED 51 Policy rejects transited path -KRB_ERR_RESPONSE_TOO_BIG 52 Response too big for UDP, retry with TCP -KRB_ERR_GENERIC 60 Generic error (description in e-text) -KRB_ERR_FIELD_TOOLONG 61 Field is too long for this implementation 
-KDC_ERROR_CLIENT_NOT_TRUSTED 62 (pkinit)
-KDC_ERROR_KDC_NOT_TRUSTED 63 (pkinit)
-KDC_ERROR_INVALID_SIG 64 (pkinit)
-KDC_ERR_KEY_TOO_WEAK 65 (pkinit)
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-KDC_ERR_CERTIFICATE_MISMATCH 66 (pkinit)
-KRB_AP_ERR_NO_TGT 67 (user-to-user)
-KDC_ERR_WRONG_REALM 68 (user-to-user)
-KRB_AP_ERR_USER_TO_USER_REQUIRED 69 (user-to-user)
-KDC_ERR_CANT_VERIFY_CERTIFICATE 70 (pkinit)
-KDC_ERR_INVALID_CERTIFICATE 71 (pkinit)
-KDC_ERR_REVOKED_CERTIFICATE 72 (pkinit)
-KDC_ERR_REVOCATION_STATUS_UNKNOWN 73 (pkinit)
-KDC_ERR_REVOCATION_STATUS_UNAVAILABLE 74 (pkinit)
-KDC_ERR_CLIENT_NAME_MISMATCH 75 (pkinit)
-KDC_ERR_KDC_NAME_MISMATCH 76 (pkinit)
-
- 9. Interoperability requirements
-
- Version 5 of the Kerberos protocol supports a myriad of options. Among
- these are multiple encryption and checksum types, alternative encoding
- schemes for the transited field, optional mechanisms for
- pre-authentication, the handling of tickets with no addresses, options
- for mutual authentication, user to user authentication, support for
- proxies, forwarding, postdating, and renewing tickets, the format of
- realm names, and the handling of authorization data.
-
- In order to ensure the interoperability of realms, it is necessary to
- define a minimal configuration which must be supported by all
- implementations. This minimal configuration is subject to change as
- technology does. For example, if at some later date it is discovered
- that one of the required encryption or checksum algorithms is not
- secure, it will be replaced.
-
- 9.1. Specification 2
-
- This section defines the second specification of these options.
- Implementations which are configured in this way can be said to support
- Kerberos Version 5 Specification 2 (5.1). Specification 1 (depricated)
- may be found in RFC1510.
- - Transport - - TCP/IP and UDP/IP transport must be supported by KDCs claiming - conformance to specification 2. Kerberos clients claiming conformance - to specification 2 must support UDP/IP transport for messages with the - KDC and should support TCP/IP transport. - - Encryption and checksum methods - - The following encryption and checksum mechanisms must be supported. - Implementations may support other mechanisms as well, but the - additional mechanisms may only be used when communicating with - principals known to also support them: This list is to be determined. - - Encryption: DES-CBC-MD5, one triple des variant (tbd) - Checksums: CRC-32, DES-MAC, DES-MAC-K, and DES-MD5 (tbd) - - Realm Names - - All implementations must understand hierarchical realms in both the - Internet Domain and the X.500 style. When a ticket granting ticket for - an unknown realm is requested, the KDC must be able to determine the - names of the intermediate realms between the KDCs realm and the - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - requested realm. - - Transited field encoding - - DOMAIN-X500-COMPRESS (described in section 3.3.3.2) must be supported. - Alternative encodings may be supported, but they may be used only when - that encoding is supported by ALL intermediate realms. - - Pre-authentication methods - - The TGS-REQ method must be supported. The TGS-REQ method is not used on - the initial request. The PA-ENC-TIMESTAMP method must be supported by - clients but whether it is enabled by default may be determined on a - realm by realm basis. If not used in the initial request and the error - KDC_ERR_PREAUTH_REQUIRED is returned specifying PA-ENC-TIMESTAMP as an - acceptable method, the client should retry the initial request using - the PA-ENC-TIMESTAMP preauthentication method. 
Servers need not support - the PA-ENC-TIMESTAMP method, but if not supported the server should - ignore the presence of PA-ENC-TIMESTAMP pre-authentication in a - request. - - Mutual authentication - - Mutual authentication (via the KRB_AP_REP message) must be supported. - - Ticket addresses and flags - - All KDC's must pass on tickets that carry no addresses (i.e. if a TGT - contains no addresses, the KDC will return derivative tickets), but - each realm may set its own policy for issuing such tickets, and each - application server will set its own policy with respect to accepting - them. - - Proxies and forwarded tickets must be supported. Individual realms and - application servers can set their own policy on when such tickets will - be accepted. - - All implementations must recognize renewable and postdated tickets, but - need not actually implement them. If these options are not supported, - the starttime and endtime in the ticket shall specify a ticket's entire - useful life. When a postdated ticket is decoded by a server, all - implementations shall make the presence of the postdated flag visible - to the calling server. - - User-to-user authentication - - Support for user to user authentication (via the ENC-TKT-IN-SKEY KDC - option) must be provided by implementations, but individual realms may - decide as a matter of policy to reject such requests on a per-principal - or realm-wide basis. - - Authorization data - - Implementations must pass all authorization data subfields from - ticket-granting tickets to any derivative tickets unless directed to - suppress a subfield as part of the definition of that registered - subfield type (it is never incorrect to pass on a subfield, and no - registered subfield types presently specify suppression at the KDC). 
-
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- Implementations must make the contents of any authorization data
- subfields available to the server when a ticket is used.
- Implementations are not required to allow clients to specify the
- contents of the authorization data fields.
-
- Constant ranges
-
- All protocol constants are constrained to 32 bit (signed) values unless
- further constrained by the protocol definition. This limit is provided
- to allow implementations to make assumptions about the maximum values
- that will be received for these constants. Implementation receiving
- values outside this range may reject the request, but they must recover
- cleanly.
-
- 9.2. Recommended KDC values
-
- Following is a list of recommended values for a KDC implementation,
- based on the list of suggested configuration constants (see section
- 4.4).
-
- minimum lifetime 5 minutes
- maximum renewable lifetime 1 week
- maximum ticket lifetime 1 day
- empty addresses only when suitable restrictions appear
- in authorization data
- proxiable, etc. Allowed.
-
- 10. REFERENCES
-
- [NT94] B. Clifford Neuman and Theodore Y. Ts'o, "An Authenti-
- cation Service for Computer Networks," IEEE Communica-
- tions Magazine, Vol. 32(9), pp. 33-38 (September 1994).
-
- [MNSS87] S. P. Miller, B. C. Neuman, J. I. Schiller, and J. H.
- Saltzer, Section E.2.1: Kerberos Authentication and
- Authorization System, M.I.T. Project Athena, Cambridge,
- Massachusetts (December 21, 1987).
-
- [SNS88] J. G. Steiner, B. C. Neuman, and J. I. Schiller, "Ker-
- beros: An Authentication Service for Open Network Sys-
- tems," pp. 191-202 in Usenix Conference Proceedings,
- Dallas, Texas (February, 1988).
-
- [NS78] Roger M. Needham and Michael D. Schroeder, "Using
- Encryption for Authentication in Large Networks of Com-
- puters," Communications of the ACM, Vol. 21(12),
- pp. 993-999 (December, 1978).
-
- [DS81] Dorothy E. Denning and Giovanni Maria Sacco, "Time-
- stamps in Key Distribution Protocols," Communications
- of the ACM, Vol. 24(8), pp. 533-536 (August 1981).
-
- [KNT92] John T. Kohl, B. Clifford Neuman, and Theodore Y. Ts'o,
- "The Evolution of the Kerberos Authentication Service,"
- in an IEEE Computer Society Text soon to be published
- (June 1992).
-
- [Neu93] B. Clifford Neuman, "Proxy-Based Authorization and
- Accounting for Distributed Systems," in Proceedings of
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- the 13th International Conference on Distributed Com-
- puting Systems, Pittsburgh, PA (May, 1993).
-
- [DS90] Don Davis and Ralph Swick, "Workstation Services and
- Kerberos Authentication at Project Athena," Technical
- Memorandum TM-424, MIT Laboratory for Computer Science
- (February 1990).
-
- [LGDSR87] P. J. Levine, M. R. Gretzinger, J. M. Diaz, W. E. Som-
- merfeld, and K. Raeburn, Section E.1: Service Manage-
- ment System, M.I.T. Project Athena, Cambridge, Mas-
- sachusetts (1987).
-
- [X509-88] CCITT, Recommendation X.509: The Directory Authentica-
- tion Framework, December 1988.
-
- [Pat92]. J. Pato, Using Pre-Authentication to Avoid Password
- Guessing Attacks, Open Software Foundation DCE Request
- for Comments 26 (December 1992).
-
- [DES77] National Bureau of Standards, U.S. Department of Com-
- merce, "Data Encryption Standard," Federal Information
- Processing Standards Publication 46, Washington, DC
- (1977).
-
- [DESM80] National Bureau of Standards, U.S. Department of Com-
- merce, "DES Modes of Operation," Federal Information
- Processing Standards Publication 81, Springfield, VA
- (December 1980).
-
- [SG92] Stuart G. Stubblebine and Virgil D. Gligor, "On Message
- Integrity in Cryptographic Protocols," in Proceedings
- of the IEEE Symposium on Research in Security and
- Privacy, Oakland, California (May 1992).
- - [IS3309] International Organization for Standardization, "ISO - Information Processing Systems - Data Communication - - High-Level Data Link Control Procedure - Frame Struc- - ture," IS 3309 (October 1984). 3rd Edition. - - [MD4-92] R. Rivest, "The MD4 Message Digest Algorithm," RFC - 1320, MIT Laboratory for Computer Science (April - 1992). - - [MD5-92] R. Rivest, "The MD5 Message Digest Algorithm," RFC - 1321, MIT Laboratory for Computer Science (April - 1992). - - [KBC96] H. Krawczyk, M. Bellare, and R. Canetti, "HMAC: Keyed- - Hashing for Message Authentication," Working Draft - draft-ietf-ipsec-hmac-md5-01.txt, (August 1996). - - [Horowitz96] Horowitz, M., "Key Derivation for Authentication, - Integrity, and Privacy", draft-horowitz-key-derivation-02.txt, - August 1998. - - [HorowitzB96] Horowitz, M., "Key Derivation for Kerberos V5", draft- - horowitz-kerb-key-derivation-01.txt, September 1998. - - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - [Krawczyk96] Krawczyk, H., Bellare, and M., Canetti, R., "HMAC: - Keyed-Hashing for Message Authentication", draft-ietf-ipsec-hmac- - md5-01.txt, August, 1996. - - A. Pseudo-code for protocol processing - - This appendix provides pseudo-code describing how the messages are to - be constructed and interpreted by clients and servers. - - A.1. 
KRB_AS_REQ generation - - request.pvno := protocol version; /* pvno = 5 */ - request.msg-type := message type; /* type = KRB_AS_REQ */ - - if(pa_enc_timestamp_required) then - request.padata.padata-type = PA-ENC-TIMESTAMP; - get system_time; - padata-body.patimestamp,pausec = system_time; - encrypt padata-body into request.padata.padata-value - using client.key; /* derived from password */ - endif - - body.kdc-options := users's preferences; - body.cname := user's name; - body.realm := user's realm; - body.sname := service's name; /* usually "krbtgt", - "localrealm" */ - - if (body.kdc-options.POSTDATED is set) then - body.from := requested starting time; - else - omit body.from; - endif - body.till := requested end time; - if (body.kdc-options.RENEWABLE is set) then - body.rtime := requested final renewal time; - endif - body.nonce := random_nonce(); - body.etype := requested etypes; - if (user supplied addresses) then - body.addresses := user's addresses; - else - omit body.addresses; - endif - omit body.enc-authorization-data; - request.req-body := body; - - kerberos := lookup(name of local kerberos server (or servers)); - send(packet,kerberos); - - wait(for response); - if (timed_out) then - retry or use alternate server; - endif - - A.2. 
KRB_AS_REQ verification and KRB_AS_REP generation - - decode message into req; - - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - client := lookup(req.cname,req.realm); - server := lookup(req.sname,req.realm); - - get system_time; - kdc_time := system_time.seconds; - - if (!client) then - /* no client in Database */ - error_out(KDC_ERR_C_PRINCIPAL_UNKNOWN); - endif - if (!server) then - /* no server in Database */ - error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN); - endif - - if(client.pa_enc_timestamp_required and - pa_enc_timestamp not present) then - error_out(KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP)); - endif - - if(pa_enc_timestamp present) then - decrypt req.padata-value into decrypted_enc_timestamp - using client.key; - using auth_hdr.authenticator.subkey; - if (decrypt_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - if(decrypted_enc_timestamp is not within allowable skew) - then - error_out(KDC_ERR_PREAUTH_FAILED); - endif - if(decrypted_enc_timestamp and usec is replay) - error_out(KDC_ERR_PREAUTH_FAILED); - endif - add decrypted_enc_timestamp and usec to replay cache; - endif - - use_etype := first supported etype in req.etypes; - - if (no support for req.etypes) then - error_out(KDC_ERR_ETYPE_NOSUPP); - endif - - new_tkt.vno := ticket version; /* = 5 */ - new_tkt.sname := req.sname; - new_tkt.srealm := req.srealm; - reset all flags in new_tkt.flags; - - /* It should be noted that local policy may affect the */ - /* processing of any of these flags. 
For example, some */ - /* realms may refuse to issue renewable tickets */ - - if (req.kdc-options.FORWARDABLE is set) then - set new_tkt.flags.FORWARDABLE; - endif - if (req.kdc-options.PROXIABLE is set) then - set new_tkt.flags.PROXIABLE; - endif - - if (req.kdc-options.ALLOW-POSTDATE is set) then - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - set new_tkt.flags.MAY-POSTDATE; - endif - if ((req.kdc-options.RENEW is set) or - (req.kdc-options.VALIDATE is set) or - (req.kdc-options.PROXY is set) or - (req.kdc-options.FORWARDED is set) or - (req.kdc-options.ENC-TKT-IN-SKEY is set)) then - error_out(KDC_ERR_BADOPTION); - endif - - new_tkt.session := random_session_key(); - new_tkt.cname := req.cname; - new_tkt.crealm := req.crealm; - new_tkt.transited := empty_transited_field(); - - new_tkt.authtime := kdc_time; - - if (req.kdc-options.POSTDATED is set) then - if (against_postdate_policy(req.from)) then - error_out(KDC_ERR_POLICY); - endif - set new_tkt.flags.POSTDATED; - set new_tkt.flags.INVALID; - new_tkt.starttime := req.from; - else - omit new_tkt.starttime; /* treated as authtime when omitted */ - endif - if (req.till = 0) then - till := infinity; - else - till := req.till; - endif - - new_tkt.endtime := min(till, - new_tkt.starttime+client.max_life, - new_tkt.starttime+server.max_life, - new_tkt.starttime+max_life_for_realm); - - if ((req.kdc-options.RENEWABLE-OK is set) and - (new_tkt.endtime < req.till)) then - /* we set the RENEWABLE option for later processing */ - set req.kdc-options.RENEWABLE; - req.rtime := req.till; - endif - - if (req.rtime = 0) then - rtime := infinity; - else - rtime := req.rtime; - endif - - if (req.kdc-options.RENEWABLE is set) then - set new_tkt.flags.RENEWABLE; - new_tkt.renew-till := min(rtime, - new_tkt.starttime+client.max_rlife, - new_tkt.starttime+server.max_rlife, - new_tkt.starttime+max_rlife_for_realm); - else - omit new_tkt.renew-till; /* 
only present if RENEWABLE */ - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - endif - - if (req.addresses) then - new_tkt.caddr := req.addresses; - else - omit new_tkt.caddr; - endif - - new_tkt.authorization_data := empty_authorization_data(); - - encode to-be-encrypted part of ticket into OCTET STRING; - new_tkt.enc-part := encrypt OCTET STRING - using etype_for_key(server.key), server.key, server.p_kvno; - - /* Start processing the response */ - - resp.pvno := 5; - resp.msg-type := KRB_AS_REP; - resp.cname := req.cname; - resp.crealm := req.realm; - resp.ticket := new_tkt; - - resp.key := new_tkt.session; - resp.last-req := fetch_last_request_info(client); - resp.nonce := req.nonce; - resp.key-expiration := client.expiration; - resp.flags := new_tkt.flags; - - resp.authtime := new_tkt.authtime; - resp.starttime := new_tkt.starttime; - resp.endtime := new_tkt.endtime; - - if (new_tkt.flags.RENEWABLE) then - resp.renew-till := new_tkt.renew-till; - endif - - resp.realm := new_tkt.realm; - resp.sname := new_tkt.sname; - - resp.caddr := new_tkt.caddr; - - encode body of reply into OCTET STRING; - - resp.enc-part := encrypt OCTET STRING - using use_etype, client.key, client.p_kvno; - send(resp); - - A.3. 
KRB_AS_REP verification - - decode response into resp; - - if (resp.msg-type = KRB_ERROR) then - if(error = KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP)) then - set pa_enc_timestamp_required; - goto KRB_AS_REQ; - endif - process_error(resp); - return; - endif - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - - /* On error, discard the response, and zero the session key */ - /* from the response immediately */ - - key = get_decryption_key(resp.enc-part.kvno, resp.enc-part.etype, - resp.padata); - unencrypted part of resp := decode of decrypt of resp.enc-part - using resp.enc-part.etype and key; - zero(key); - - if (common_as_rep_tgs_rep_checks fail) then - destroy resp.key; - return error; - endif - - if near(resp.princ_exp) then - print(warning message); - endif - save_for_later(ticket,session,client,server,times,flags); - - A.4. KRB_AS_REP and KRB_TGS_REP common checks - - if (decryption_error() or - (req.cname != resp.cname) or - (req.realm != resp.crealm) or - (req.sname != resp.sname) or - (req.realm != resp.realm) or - (req.nonce != resp.nonce) or - (req.addresses != resp.caddr)) then - destroy resp.key; - return KRB_AP_ERR_MODIFIED; - endif - - /* make sure no flags are set that shouldn't be, and that all that */ - /* should be are set */ - if (!check_flags_for_compatability(req.kdc-options,resp.flags)) then - destroy resp.key; - return KRB_AP_ERR_MODIFIED; - endif - - if ((req.from = 0) and - (resp.starttime is not within allowable skew)) then - destroy resp.key; - return KRB_AP_ERR_SKEW; - endif - if ((req.from != 0) and (req.from != resp.starttime)) then - destroy resp.key; - return KRB_AP_ERR_MODIFIED; - endif - if ((req.till != 0) and (resp.endtime > req.till)) then - destroy resp.key; - return KRB_AP_ERR_MODIFIED; - endif - - if ((req.kdc-options.RENEWABLE is set) and - (req.rtime != 0) and (resp.renew-till > req.rtime)) then - destroy resp.key; - return KRB_AP_ERR_MODIFIED; - 
endif - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - if ((req.kdc-options.RENEWABLE-OK is set) and - (resp.flags.RENEWABLE) and - (req.till != 0) and - (resp.renew-till > req.till)) then - destroy resp.key; - return KRB_AP_ERR_MODIFIED; - endif - - A.5. KRB_TGS_REQ generation - - /* Note that make_application_request might have to recursivly */ - /* call this routine to get the appropriate ticket-granting ticket */ - - request.pvno := protocol version; /* pvno = 5 */ - request.msg-type := message type; /* type = KRB_TGS_REQ */ - - body.kdc-options := users's preferences; - /* If the TGT is not for the realm of the end-server */ - /* then the sname will be for a TGT for the end-realm */ - /* and the realm of the requested ticket (body.realm) */ - /* will be that of the TGS to which the TGT we are */ - /* sending applies */ - body.sname := service's name; - body.realm := service's realm; - - if (body.kdc-options.POSTDATED is set) then - body.from := requested starting time; - else - omit body.from; - endif - body.till := requested end time; - if (body.kdc-options.RENEWABLE is set) then - body.rtime := requested final renewal time; - endif - body.nonce := random_nonce(); - body.etype := requested etypes; - if (user supplied addresses) then - body.addresses := user's addresses; - else - omit body.addresses; - endif - - body.enc-authorization-data := user-supplied data; - if (body.kdc-options.ENC-TKT-IN-SKEY) then - body.additional-tickets_ticket := second TGT; - endif - - request.req-body := body; - check := generate_checksum (req.body,checksumtype); - - request.padata[0].padata-type := PA-TGS-REQ; - request.padata[0].padata-value := create a KRB_AP_REQ using - the TGT and checksum - - /* add in any other padata as required/supplied */ - - kerberos := lookup(name of local kerberose server (or servers)); - send(packet,kerberos); - - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - 
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - wait(for response); - if (timed_out) then - retry or use alternate server; - endif - - A.6. KRB_TGS_REQ verification and KRB_TGS_REP generation - - /* note that reading the application request requires first - determining the server for which a ticket was issued, and - choosing the correct key for decryption. The name of the - server appears in the plaintext part of the ticket. */ - - if (no KRB_AP_REQ in req.padata) then - error_out(KDC_ERR_PADATA_TYPE_NOSUPP); - endif - verify KRB_AP_REQ in req.padata; - - /* Note that the realm in which the Kerberos server is - operating is determined by the instance from the - ticket-granting ticket. The realm in the ticket-granting - ticket is the realm under which the ticket granting - ticket was issued. It is possible for a single Kerberos - server to support more than one realm. */ - - auth_hdr := KRB_AP_REQ; - tgt := auth_hdr.ticket; - - if (tgt.sname is not a TGT for local realm and is not req.sname) - then - error_out(KRB_AP_ERR_NOT_US); - - realm := realm_tgt_is_for(tgt); - - decode remainder of request; - - if (auth_hdr.authenticator.cksum is missing) then - error_out(KRB_AP_ERR_INAPP_CKSUM); - endif - - if (auth_hdr.authenticator.cksum type is not supported) then - error_out(KDC_ERR_SUMTYPE_NOSUPP); - endif - if (auth_hdr.authenticator.cksum is not both collision-proof - and keyed) then - error_out(KRB_AP_ERR_INAPP_CKSUM); - endif - - set computed_checksum := checksum(req); - if (computed_checksum != auth_hdr.authenticatory.cksum) then - error_out(KRB_AP_ERR_MODIFIED); - endif - - server := lookup(req.sname,realm); - - if (!server) then - if (is_foreign_tgt_name(req.sname)) then - server := best_intermediate_tgs(req.sname); - else - /* no server in Database */ - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN); - endif - endif - - 
session := generate_random_session_key(); - - use_etype := first supported etype in req.etypes; - - if (no support for req.etypes) then - error_out(KDC_ERR_ETYPE_NOSUPP); - endif - - new_tkt.vno := ticket version; /* = 5 */ - new_tkt.sname := req.sname; - new_tkt.srealm := realm; - reset all flags in new_tkt.flags; - - /* It should be noted that local policy may affect the */ - /* processing of any of these flags. For example, some */ - /* realms may refuse to issue renewable tickets */ - - new_tkt.caddr := tgt.caddr; - resp.caddr := NULL; /* We only include this if they change */ - if (req.kdc-options.FORWARDABLE is set) then - if (tgt.flags.FORWARDABLE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.FORWARDABLE; - endif - if (req.kdc-options.FORWARDED is set) then - if (tgt.flags.FORWARDABLE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.FORWARDED; - new_tkt.caddr := req.addresses; - resp.caddr := req.addresses; - endif - if (tgt.flags.FORWARDED is set) then - set new_tkt.flags.FORWARDED; - endif - - if (req.kdc-options.PROXIABLE is set) then - if (tgt.flags.PROXIABLE is reset) - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.PROXIABLE; - endif - if (req.kdc-options.PROXY is set) then - if (tgt.flags.PROXIABLE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.PROXY; - new_tkt.caddr := req.addresses; - resp.caddr := req.addresses; - endif - - if (req.kdc-options.ALLOW-POSTDATE is set) then - if (tgt.flags.MAY-POSTDATE is reset) - error_out(KDC_ERR_BADOPTION); - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - endif - set new_tkt.flags.MAY-POSTDATE; - endif - if (req.kdc-options.POSTDATED is set) then - if (tgt.flags.MAY-POSTDATE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.POSTDATED; - set new_tkt.flags.INVALID; - if (against_postdate_policy(req.from)) then - 
error_out(KDC_ERR_POLICY); - endif - new_tkt.starttime := req.from; - endif - - if (req.kdc-options.VALIDATE is set) then - if (tgt.flags.INVALID is reset) then - error_out(KDC_ERR_POLICY); - endif - if (tgt.starttime > kdc_time) then - error_out(KRB_AP_ERR_NYV); - endif - if (check_hot_list(tgt)) then - error_out(KRB_AP_ERR_REPEAT); - endif - tkt := tgt; - reset new_tkt.flags.INVALID; - endif - - if (req.kdc-options.(any flag except ENC-TKT-IN-SKEY, RENEW, - and those already processed) is set) then - error_out(KDC_ERR_BADOPTION); - endif - - new_tkt.authtime := tgt.authtime; - - if (req.kdc-options.RENEW is set) then - /* Note that if the endtime has already passed, the ticket would */ - /* have been rejected in the initial authentication stage, so */ - /* there is no need to check again here */ - if (tgt.flags.RENEWABLE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - if (tgt.renew-till < kdc_time) then - error_out(KRB_AP_ERR_TKT_EXPIRED); - endif - tkt := tgt; - new_tkt.starttime := kdc_time; - old_life := tgt.endttime - tgt.starttime; - new_tkt.endtime := min(tgt.renew-till, - new_tkt.starttime + old_life); - else - new_tkt.starttime := kdc_time; - if (req.till = 0) then - till := infinity; - else - till := req.till; - endif - new_tkt.endtime := min(till, - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - new_tkt.starttime+client.max_life, - new_tkt.starttime+server.max_life, - new_tkt.starttime+max_life_for_realm, - tgt.endtime); - - if ((req.kdc-options.RENEWABLE-OK is set) and - (new_tkt.endtime < req.till) and - (tgt.flags.RENEWABLE is set) then - /* we set the RENEWABLE option for later processing */ - set req.kdc-options.RENEWABLE; - req.rtime := min(req.till, tgt.renew-till); - endif - endif - - if (req.rtime = 0) then - rtime := infinity; - else - rtime := req.rtime; - endif - - if ((req.kdc-options.RENEWABLE is set) and - (tgt.flags.RENEWABLE is set)) then - set 
new_tkt.flags.RENEWABLE; - new_tkt.renew-till := min(rtime, - new_tkt.starttime+client.max_rlife, - new_tkt.starttime+server.max_rlife, - new_tkt.starttime+max_rlife_for_realm, - tgt.renew-till); - else - new_tkt.renew-till := OMIT; /* leave the - renew-till field out */ - endif - if (req.enc-authorization-data is present) then - decrypt req.enc-authorization-data into - decrypted_authorization_data - using auth_hdr.authenticator.subkey; - if (decrypt_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - endif - new_tkt.authorization_data := - req.auth_hdr.ticket.authorization_data + - decrypted_authorization_data; - - new_tkt.key := session; - new_tkt.crealm := tgt.crealm; - new_tkt.cname := req.auth_hdr.ticket.cname; - - if (realm_tgt_is_for(tgt) := tgt.realm) then - /* tgt issued by local realm */ - new_tkt.transited := tgt.transited; - else - /* was issued for this realm by some other realm */ - if (tgt.transited.tr-type not supported) then - error_out(KDC_ERR_TRTYPE_NOSUPP); - endif - new_tkt.transited := - compress_transited(tgt.transited + tgt.realm) - /* Don't check tranited field if TGT for foreign realm, - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - * or requested not to check */ - if (is_not_foreign_tgt_name(new_tkt.server) - && req.kdc-options.DISABLE-TRANSITED-CHECK not - set) then - /* Check it, so end-server does not have to - * but don't fail, end-server may still accept it */ - if (check_transited_field(new_tkt.transited) == OK) - set new_tkt.flags.TRANSITED-POLICY-CHECKED; - endif - endif - endif - - encode encrypted part of new_tkt into OCTET STRING; - if (req.kdc-options.ENC-TKT-IN-SKEY is set) then - if (server not specified) then - server = req.second_ticket.client; - endif - if ((req.second_ticket is not a TGT) or - (req.second_ticket.client != server)) then - error_out(KDC_ERR_POLICY); - endif - - new_tkt.enc-part := encrypt OCTET STRING using - using 
etype_for_key(second-ticket.key), - second-ticket.key; - else - new_tkt.enc-part := encrypt OCTET STRING - using etype_for_key(server.key), - server.key, server.p_kvno; - endif - - resp.pvno := 5; - resp.msg-type := KRB_TGS_REP; - resp.crealm := tgt.crealm; - resp.cname := tgt.cname; - resp.ticket := new_tkt; - - resp.key := session; - resp.nonce := req.nonce; - resp.last-req := fetch_last_request_info(client); - resp.flags := new_tkt.flags; - - resp.authtime := new_tkt.authtime; - resp.starttime := new_tkt.starttime; - resp.endtime := new_tkt.endtime; - - omit resp.key-expiration; - - resp.sname := new_tkt.sname; - resp.realm := new_tkt.realm; - - if (new_tkt.flags.RENEWABLE) then - resp.renew-till := new_tkt.renew-till; - endif - - encode body of reply into OCTET STRING; - - if (req.padata.authenticator.subkey) - resp.enc-part := encrypt OCTET STRING using use_etype, - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - req.padata.authenticator.subkey; - else resp.enc-part := encrypt OCTET STRING using - use_etype, tgt.key; - - send(resp); - - A.7. KRB_TGS_REP verification - - decode response into resp; - - if (resp.msg-type = KRB_ERROR) then - process_error(resp); - return; - endif - - /* On error, discard the response, and zero the session key from - the response immediately */ - - if (req.padata.authenticator.subkey) - unencrypted part of resp := decode of decrypt of - resp.enc-part - using resp.enc-part.etype and subkey; - else unencrypted part of resp := decode of decrypt of - resp.enc-part - using resp.enc-part.etype and - tgt's session key; - if (common_as_rep_tgs_rep_checks fail) then - destroy resp.key; - return error; - endif - - check authorization_data as necessary; - save_for_later(ticket,session,client,server,times,flags); - - A.8. 
Authenticator generation - - body.authenticator-vno := authenticator vno; /* = 5 */ - body.cname, body.crealm := client name; - if (supplying checksum) then - body.cksum := checksum; - endif - get system_time; - body.ctime, body.cusec := system_time; - if (selecting sub-session key) then - select sub-session key; - body.subkey := sub-session key; - endif - if (using sequence numbers) then - select initial sequence number; - body.seq-number := initial sequence; - endif - - A.9. KRB_AP_REQ generation - - obtain ticket and session_key from cache; - - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_AP_REQ */ - - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - if (desired(MUTUAL_AUTHENTICATION)) then - set packet.ap-options.MUTUAL-REQUIRED; - else - reset packet.ap-options.MUTUAL-REQUIRED; - endif - if (using session key for ticket) then - set packet.ap-options.USE-SESSION-KEY; - else - reset packet.ap-options.USE-SESSION-KEY; - endif - packet.ticket := ticket; /* ticket */ - generate authenticator; - encode authenticator into OCTET STRING; - encrypt OCTET STRING into packet.authenticator using session_key; - - A.10. 
KRB_AP_REQ verification - - receive packet; - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_AP_REQ) then - error_out(KRB_AP_ERR_MSG_TYPE); - endif - if (packet.ticket.tkt_vno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.ap_options.USE-SESSION-KEY is set) then - retrieve session key from ticket-granting ticket for - packet.ticket.{sname,srealm,enc-part.etype}; - else - retrieve service key for - packet.ticket.{sname,srealm,enc-part.etype,enc-part.skvno}; - endif - if (no_key_available) then - if (cannot_find_specified_skvno) then - error_out(KRB_AP_ERR_BADKEYVER); - else - error_out(KRB_AP_ERR_NOKEY); - endif - endif - decrypt packet.ticket.enc-part into decr_ticket using - retrieved key; - if (decryption_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - decrypt packet.authenticator into decr_authenticator - using decr_ticket.key; - if (decryption_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - if (decr_authenticator.{cname,crealm} != - decr_ticket.{cname,crealm}) then - error_out(KRB_AP_ERR_BADMATCH); - endif - if (decr_ticket.caddr is present) then - if (sender_address(packet) is not in - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - decr_ticket.caddr) then - error_out(KRB_AP_ERR_BADADDR); - endif - elseif (application requires addresses) then - error_out(KRB_AP_ERR_BADADDR); - endif - if (not in_clock_skew(decr_authenticator.ctime, - decr_authenticator.cusec)) then - error_out(KRB_AP_ERR_SKEW); - endif - if (repeated(decr_authenticator.{ctime,cusec,cname,crealm})) then - error_out(KRB_AP_ERR_REPEAT); - endif - save_identifier(decr_authenticator.{ctime,cusec,cname,crealm}); - get system_time; - if ((decr_ticket.starttime-system_time > CLOCK_SKEW) or - (decr_ticket.flags.INVALID is set)) then 
- /* it hasn't yet become valid */ - error_out(KRB_AP_ERR_TKT_NYV); - endif - if (system_time-decr_ticket.endtime > CLOCK_SKEW) then - error_out(KRB_AP_ERR_TKT_EXPIRED); - endif - if (decr_ticket.transited) then - /* caller may ignore the TRANSITED-POLICY-CHECKED and do - * check anyway */ - if (decr_ticket.flags.TRANSITED-POLICY-CHECKED not set) then - if (check_transited_field(decr_ticket.transited) then - error_out(KDC_AP_PATH_NOT_ACCPETED); - endif - endif - endif - /* caller must check decr_ticket.flags for any pertinent details */ - return(OK, decr_ticket, packet.ap_options.MUTUAL-REQUIRED); - - A.11. KRB_AP_REP generation - - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_AP_REP */ - - body.ctime := packet.ctime; - body.cusec := packet.cusec; - if (selecting sub-session key) then - select sub-session key; - body.subkey := sub-session key; - endif - if (using sequence numbers) then - select initial sequence number; - body.seq-number := initial sequence; - endif - - encode body into OCTET STRING; - - select encryption type; - encrypt OCTET STRING into packet.enc-part; - - A.12. 
KRB_AP_REP verification - - receive packet; - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_AP_REP) then - error_out(KRB_AP_ERR_MSG_TYPE); - endif - cleartext := decrypt(packet.enc-part) using ticket's session key; - if (decryption_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - if (cleartext.ctime != authenticator.ctime) then - error_out(KRB_AP_ERR_MUT_FAIL); - endif - if (cleartext.cusec != authenticator.cusec) then - error_out(KRB_AP_ERR_MUT_FAIL); - endif - if (cleartext.subkey is present) then - save cleartext.subkey for future use; - endif - if (cleartext.seq-number is present) then - save cleartext.seq-number for future verifications; - endif - return(AUTHENTICATION_SUCCEEDED); - - A.13. KRB_SAFE generation - - collect user data in buffer; - - /* assemble packet: */ - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_SAFE */ - - body.user-data := buffer; /* DATA */ - if (using timestamp) then - get system_time; - body.timestamp, body.usec := system_time; - endif - if (using sequence numbers) then - body.seq-number := sequence number; - endif - body.s-address := sender host addresses; - if (only one recipient) then - body.r-address := recipient host address; - endif - checksum.cksumtype := checksum type; - compute checksum over body; - checksum.checksum := checksum value; /* checksum.checksum */ - packet.cksum := checksum; - packet.safe-body := body; - - A.14. 
KRB_SAFE verification - - receive packet; - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_SAFE) then - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - error_out(KRB_AP_ERR_MSG_TYPE); - endif - if (packet.checksum.cksumtype is not both collision-proof - and keyed) then - error_out(KRB_AP_ERR_INAPP_CKSUM); - endif - if (safe_priv_common_checks_ok(packet)) then - set computed_checksum := checksum(packet.body); - if (computed_checksum != packet.checksum) then - error_out(KRB_AP_ERR_MODIFIED); - endif - return (packet, PACKET_IS_GENUINE); - else - return common_checks_error; - endif - - A.15. KRB_SAFE and KRB_PRIV common checks - - if (packet.s-address != O/S_sender(packet)) then - /* O/S report of sender not who claims to have sent it */ - error_out(KRB_AP_ERR_BADADDR); - endif - if ((packet.r-address is present) and - (packet.r-address != local_host_address)) then - /* was not sent to proper place */ - error_out(KRB_AP_ERR_BADADDR); - endif - if (((packet.timestamp is present) and - (not in_clock_skew(packet.timestamp,packet.usec))) or - (packet.timestamp is not present and timestamp expected)) then - error_out(KRB_AP_ERR_SKEW); - endif - if (repeated(packet.timestamp,packet.usec,packet.s-address)) then - error_out(KRB_AP_ERR_REPEAT); - endif - - if (((packet.seq-number is present) and - ((not in_sequence(packet.seq-number)))) or - (packet.seq-number is not present and sequence expected)) then - error_out(KRB_AP_ERR_BADORDER); - endif - if (packet.timestamp not present and packet.seq-number - not present) then - error_out(KRB_AP_ERR_MODIFIED); - endif - - save_identifier(packet.{timestamp,usec,s-address}, - sender_principal(packet)); - - return PACKET_IS_OK; - - A.16. 
KRB_PRIV generation - - collect user data in buffer; - - /* assemble packet: */ - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_PRIV */ - - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - packet.enc-part.etype := encryption type; - - body.user-data := buffer; - if (using timestamp) then - get system_time; - body.timestamp, body.usec := system_time; - endif - if (using sequence numbers) then - body.seq-number := sequence number; - endif - body.s-address := sender host addresses; - if (only one recipient) then - body.r-address := recipient host address; - endif - - encode body into OCTET STRING; - - select encryption type; - encrypt OCTET STRING into packet.enc-part.cipher; - - A.17. KRB_PRIV verification - - receive packet; - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_PRIV) then - error_out(KRB_AP_ERR_MSG_TYPE); - endif - - cleartext := decrypt(packet.enc-part) using negotiated key; - if (decryption_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - - if (safe_priv_common_checks_ok(cleartext)) then - return(cleartext.DATA, PACKET_IS_GENUINE_AND_UNMODIFIED); - else - return common_checks_error; - endif - - A.18. 
KRB_CRED generation - - invoke KRB_TGS; /* obtain tickets to be provided to peer */ - - /* assemble packet: */ - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_CRED */ - - for (tickets[n] in tickets to be forwarded) do - packet.tickets[n] = tickets[n].ticket; - done - - packet.enc-part.etype := encryption type; - - for (ticket[n] in tickets to be forwarded) do - body.ticket-info[n].key = tickets[n].session; - body.ticket-info[n].prealm = tickets[n].crealm; - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - body.ticket-info[n].pname = tickets[n].cname; - body.ticket-info[n].flags = tickets[n].flags; - body.ticket-info[n].authtime = tickets[n].authtime; - body.ticket-info[n].starttime = tickets[n].starttime; - body.ticket-info[n].endtime = tickets[n].endtime; - body.ticket-info[n].renew-till = tickets[n].renew-till; - body.ticket-info[n].srealm = tickets[n].srealm; - body.ticket-info[n].sname = tickets[n].sname; - body.ticket-info[n].caddr = tickets[n].caddr; - done - - get system_time; - body.timestamp, body.usec := system_time; - - if (using nonce) then - body.nonce := nonce; - endif - - if (using s-address) then - body.s-address := sender host addresses; - endif - if (limited recipients) then - body.r-address := recipient host address; - endif - - encode body into OCTET STRING; - - select encryption type; - encrypt OCTET STRING into packet.enc-part.cipher - using negotiated encryption key; - - A.19. 
KRB_CRED verification - - receive packet; - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_CRED) then - error_out(KRB_AP_ERR_MSG_TYPE); - endif - - cleartext := decrypt(packet.enc-part) using negotiated key; - if (decryption_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - if ((packet.r-address is present or required) and - (packet.s-address != O/S_sender(packet)) then - /* O/S report of sender not who claims to have sent it */ - error_out(KRB_AP_ERR_BADADDR); - endif - if ((packet.r-address is present) and - (packet.r-address != local_host_address)) then - /* was not sent to proper place */ - error_out(KRB_AP_ERR_BADADDR); - endif - if (not in_clock_skew(packet.timestamp,packet.usec)) then - error_out(KRB_AP_ERR_SKEW); - endif - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - if (repeated(packet.timestamp,packet.usec,packet.s-address)) then - error_out(KRB_AP_ERR_REPEAT); - endif - if (packet.nonce is required or present) and - (packet.nonce != expected-nonce) then - error_out(KRB_AP_ERR_MODIFIED); - endif - - for (ticket[n] in tickets that were forwarded) do - save_for_later(ticket[n],key[n],principal[n], - server[n],times[n],flags[n]); - return - - A.20. KRB_ERROR generation - - /* assemble packet: */ - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_ERROR */ - - get system_time; - packet.stime, packet.susec := system_time; - packet.realm, packet.sname := server name; - - if (client time available) then - packet.ctime, packet.cusec := client_time; - endif - packet.error-code := error code; - if (client name available) then - packet.cname, packet.crealm := client name; - endif - if (error text available) then - packet.e-text := error text; - endif - if (error data available) then - packet.e-data := error data; - endif - - B. 
Definition of common authorization data elements - - This appendix contains the definitions of common authorization data - elements. These common authorization data elements are recursivly - defined, meaning the ad-data for these types will itself contain a - sequence of authorization data whose interpretation is affected by the - encapsulating element. Depending on the meaning of the encapsulating - element, the encapsulated elements may be ignored, might be interpreted - as issued directly by the KDC, or they might be stored in a separate - plaintext part of the ticket. The types of the encapsulating elements - are specified as part of the Kerberos specification because the - behavior based on these values should be understood across - implementations whereas other elements need only be understood by the - applications which they affect. - - In the definitions that follow, the value of the ad-type for the - element will be specified in the subsection number, and the value of - the ad-data will be as shown in the ASN.1 structure that follows the - subsection heading. - - B.1. If relevant - - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - AD-IF-RELEVANT AuthorizationData - - AD elements encapsulated within the if-relevant element are intended - for interpretation only by application servers that understand the - particular ad-type of the embedded element. Application servers that do - not understand the type of an element embedded within the if-relevant - element may ignore the uninterpretable element. This element promotes - interoperability across implementations which may have local extensions - for authorization. - - B.2. 
Intended for server - - AD-INTENDED-FOR-SERVER SEQUENCE { - intended-server[0] SEQUENCE OF PrincipalName - elements[1] AuthorizationData - } - - AD elements encapsulated within the intended-for-server element may be - ignored if the application server is not in the list of principal names - of intended servers. Further, a KDC issuing a ticket for an application - server can remove this element if the application server is not in the - list of intended servers. - - Application servers should check for their principal name in the - intended-server field of this element. If their principal name is not - found, this element should be ignored. If found, then the encapsulated - elements should be evaluated in the same manner as if they were present - in the top level authorization data field. Applications and application - servers that do not implement this element should reject tickets that - contain authorization data elements of this type. - - B.3. Intended for application class - - AD-INTENDED-FOR-APPLICATION-CLASS SEQUENCE { - intended-application-class[0] SEQUENCE OF GeneralString elements[1] - AuthorizationData } AD elements encapsulated within the - intended-for-application-class element may be ignored if the - application server is not in one of the named classes of application - servers. Examples of application server classes include "FILESYSTEM", - and other kinds of servers. - - This element and the elements it encapulates may be safely ignored by - applications, application servers, and KDCs that do not implement this - element. - - B.4. KDC Issued - - AD-KDCIssued SEQUENCE { - ad-checksum[0] Checksum, - i-realm[1] Realm OPTIONAL, - i-sname[2] PrincipalName OPTIONAL, - elements[3] AuthorizationData. - } - - ad-checksum - A checksum over the elements field using a cryptographic checksum - method that is identical to the checksum used to protect the - ticket itself (i.e. 
using the same hash function and the same - encryption algorithm used to encrypt the ticket) and using a key - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - derived from the same key used to protect the ticket. - i-realm, i-sname - The name of the issuing principal if different from the KDC - itself. This field would be used when the KDC can verify the - authenticity of elements signed by the issuing principal and it - allows this KDC to notify the application server of the validity - of those elements. - elements - A sequence of authorization data elements issued by the KDC. - The KDC-issued ad-data field is intended to provide a means for - Kerberos principal credentials to embed within themselves privilege - attributes and other mechanisms for positive authorization, amplifying - the priveleges of the principal beyond what can be done using a - credentials without such an a-data element. - - This can not be provided without this element because the definition of - the authorization-data field allows elements to be added at will by the - bearer of a TGT at the time that they request service tickets and - elements may also be added to a delegated ticket by inclusion in the - authenticator. - - For KDC-issued elements this is prevented because the elements are - signed by the KDC by including a checksum encrypted using the server's - key (the same key used to encrypt the ticket - or a key derived from - that key). Elements encapsulated with in the KDC-issued element will be - ignored by the application server if this "signature" is not present. - Further, elements encapsulated within this element from a ticket - granting ticket may be interpreted by the KDC, and used as a basis - according to policy for including new signed elements within derivative - tickets, but they will not be copied to a derivative ticket directly. 
- If they are copied directly to a derivative ticket by a KDC that is not - aware of this element, the signature will not be correct for the - application ticket elements, and the field will be ignored by the - application server. - - This element and the elements it encapulates may be safely ignored by - applications, application servers, and KDCs that do not implement this - element. - - B.5. And-Or - - AD-AND-OR SEQUENCE { - condition-count[0] INTEGER, - elements[1] AuthorizationData - } - - When restrictive AD elements encapsulated within the and-or element are - encountered, only the number specified in condition-count of the - encapsulated conditions must be met in order to satisfy this element. - This element may be used to implement an "or" operation by setting the - condition-count field to 1, and it may specify an "and" operation by - setting the condition count to the number of embedded elements. - Application servers that do not implement this element must reject - tickets that contain authorization data elements of this type. - - B.6. Mandatory ticket extensions - - AD-Mandatory-Ticket-Extensions Checksum - - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - An authorization data element of type mandatory-ticket-extensions - specifies a collision-proof checksum using the same hash algorithm used - to protect the integrity of the ticket itself. This checksum will be - calculated over an individual extension field. If there are more than - one extension, multiple Mandatory-Ticket-Extensions authorization data - elements may be present, each with a checksum for a different extension - field. This restriction indicates that the ticket should not be - accepted if a ticket extension is not present in the ticket for which - the checksum does not match that checksum specified in the - authorization data element. 
Application servers that do not implement - this element must reject tickets that contain authorization data - elements of this type. - - B.7. Authorization Data in ticket extensions - - AD-IN-Ticket-Extensions Checksum - - An authorization data element of type in-ticket-extensions specifies a - collision-proof checksum using the same hash algorithm used to protect - the integrity of the ticket itself. This checksum is calculated over a - separate external AuthorizationData field carried in the ticket - extensions. Application servers that do not implement this element must - reject tickets that contain authorization data elements of this type. - Application servers that do implement this element will search the - ticket extensions for authorization data fields, calculate the - specified checksum over each authorization data field and look for one - matching the checksum in this in-ticket-extensions element. If not - found, then the ticket must be rejected. If found, the corresponding - authorization data elements will be interpreted in the same manner as - if they were contained in the top level authorization data field. - - Note that if multiple external authorization data fields are present in - a ticket, each will have a corresponding element of type - in-ticket-extensions in the top level authorization data field, and the - external entries will be linked to the corresponding element by their - checksums. - - C. Definition of common ticket extensions - - This appendix contains the definitions of common ticket extensions. - Support for these extensions is optional. However, certain extensions - have associated authorization data elements that may require rejection - of a ticket containing an extension by application servers that do not - implement the particular extension. Other extensions have been defined - beyond those described in this specification. 
Such extensions are - described elswhere and for some of those extensions the reserved number - may be found in the list of constants. - - It is known that older versions of Kerberos did not support this field, - and that some clients will strip this field from a ticket when they - parse and then reassemble a ticket as it is passed to the application - servers. The presence of the extension will not break such clients, but - any functionaly dependent on the extensions will not work when such - tickets are handled by old clients. In such situations, some - implementation may use alternate methods to transmit the information in - the extensions field. - - C.1. Null ticket extension - - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - TE-NullExtension OctetString -- The empty Octet String - - The te-data field in the null ticket extension is an octet string of - lenght zero. This extension may be included in a ticket granting ticket - so that the KDC can determine on presentation of the ticket granting - ticket whether the client software will strip the extensions field. - - C.2. External Authorization Data - - TE-ExternalAuthorizationData AuthorizationData - - The te-data field in the external authorization data ticket extension - is field of type AuthorizationData containing one or more authorization - data elements. If present, a corresponding authorization data element - will be present in the primary authorization data for the ticket and - that element will contain a checksum of the external authorization data - ticket extension. - ----------------------------------------------------------------------- - [TM] Project Athena, Athena, and Kerberos are trademarks of the - Massachusetts Institute of Technology (MIT). No commercial use of these - trademarks may be made without prior written permission of MIT. 
- - [1] Note, however, that many applications use Kerberos' functions only - upon the initiation of a stream-based network connection. Unless an - application subsequently provides integrity protection for the data - stream, the identity verification applies only to the initiation of the - connection, and does not guarantee that subsequent messages on the - connection originate from the same principal. - - [2] Secret and private are often used interchangeably in the - literature. In our usage, it takes two (or more) to share a secret, - thus a shared DES key is a secret key. Something is only private when - no one but its owner knows it. Thus, in public key cryptosystems, one - has a public and a private key. - - [3] Of course, with appropriate permission the client could arrange - registration of a separately-named prin- cipal in a remote realm, and - engage in normal exchanges with that realm's services. However, for - even small numbers of clients this becomes cumbersome, and more - automatic methods as described here are necessary. - - [4] Though it is permissible to request or issue tick- ets with no - network addresses specified. - - [5] The password-changing request must not be honored unless the - requester can provide the old password (the user's current secret key). - Otherwise, it would be possible for someone to walk up to an unattended - ses- sion and change another user's password. - - [6] To authenticate a user logging on to a local system, the - credentials obtained in the AS exchange may first be used in a TGS - exchange to obtain credentials for a local server. Those credentials - must then be verified by a local server through successful completion - of the Client/Server exchange. - - [7] "Random" means that, among other things, it should be impossible to - guess the next session key based on knowledge of past session keys. - This can only be achieved in a pseudo-random number generator if it is - based on cryptographic principles. 
It is more desirable to use a truly - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - random number generator, such as one based on measurements of random - physical phenomena. - - [8] Tickets contain both an encrypted and unencrypted portion, so - cleartext here refers to the entire unit, which can be copied from one - message and replayed in another without any cryptographic skill. - - [9] Note that this can make applications based on unreliable transports - difficult to code correctly. If the transport might deliver duplicated - messages, either a new authenticator must be generated for each retry, - or the application server must match requests and replies and replay - the first reply in response to a detected duplicate. - - [10] This is used for user-to-user authentication as described in [8]. - - [11] Note that the rejection here is restricted to authenticators from - the same principal to the same server. Other client principals - communicating with the same server principal should not be have their - authenticators rejected if the time and microsecond fields happen to - match some other client's authenticator. - - [12] In the Kerberos version 4 protocol, the timestamp in the reply was - the client's timestamp plus one. This is not necessary in version 5 - because version 5 messages are formatted in such a way that it is not - possible to create the reply by judicious message surgery (even in - encrypted form) without knowledge of the appropriate encryption keys. - - [13] Note that for encrypting the KRB_AP_REP message, the sub-session - key is not used, even if present in the Authenticator. - - [14] Implementations of the protocol may wish to provide routines to - choose subkeys based on session keys and random numbers and to generate - a negotiated key to be returned in the KRB_AP_REP message. - - [15]This can be accomplished in several ways. 
It might be known - beforehand (since the realm is part of the principal identifier), it - might be stored in a nameserver, or it might be obtained from a - configura- tion file. If the realm to be used is obtained from a - nameserver, there is a danger of being spoofed if the nameservice - providing the realm name is not authenti- cated. This might result in - the use of a realm which has been compromised, and would result in an - attacker's ability to compromise the authentication of the application - server to the client. - - [16] If the client selects a sub-session key, care must be taken to - ensure the randomness of the selected sub- session key. One approach - would be to generate a random number and XOR it with the session key - from the ticket-granting ticket. - - [17] This allows easy implementation of user-to-user authentication - [8], which uses ticket-granting ticket session keys in lieu of secret - server keys in situa- tions where such secret keys could be easily - comprom- ised. - - [18] For the purpose of appending, the realm preceding the first listed - realm is considered to be the null realm (""). - - [19] For the purpose of interpreting null subfields, the client's realm - is considered to precede those in the transited field, and the server's - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - realm is considered to follow them. - - [20] This means that a client and server running on the same host and - communicating with one another using the KRB_SAFE messages should not - share a common replay cache to detect KRB_SAFE replays. - - [21] The implementation of the Kerberos server need not combine the - database and the server on the same machine; it is feasible to store - the principal database in, say, a network name service, as long as the - entries stored therein are protected from disclosure to and - modification by unauthorized parties. 
However, we recommend against - such strategies, as they can make system management and threat analysis - quite complex. - - [22] See the discussion of the padata field in section 5.4.2 for - details on why this can be useful. - - [23] Warning for implementations that unpack and repack data structures - during the generation and verification of embedded checksums: Because - any checksums applied to data structures must be checked against the - original data the length of bit strings must be preserved within a data - structure between the time that a checksum is generated through - transmission to the time that the checksum is verified. - - [24] It is NOT recommended that this time value be used to adjust the - workstation's clock since the workstation cannot reliably determine - that such a KRB_AS_REP actually came from the proper KDC in a timely - manner. - - [25] Note, however, that if the time is used as the nonce, one must - make sure that the workstation time is monotonically increasing. If the - time is ever reset backwards, there is a small, but finite, probability - that a nonce will be reused. - - [27] An application code in the encrypted part of a message provides an - additional check that the message was decrypted properly. - - [29] An application code in the encrypted part of a message provides an - additional check that the message was decrypted properly. - - [31] An application code in the encrypted part of a message provides an - additional check that the message was decrypted properly. - - [32] If supported by the encryption method in use, an initialization - vector may be passed to the encryption procedure, in order to achieve - proper cipher chaining. The initialization vector might come from the - last block of the ciphertext from the previous KRB_PRIV message, but it - is the application's choice whether or not to use such an - initialization vector. If left out, the default initialization vector - for the encryption algorithm will be used. 
- - [33] This prevents an attacker who generates an incorrect AS request - from obtaining verifiable plaintext for use in an off-line password - guessing attack. - - [35] In the above specification, UNTAGGED OCTET STRING(length) is the - notation for an octet string with its tag and length removed. It is not - a valid ASN.1 type. The tag bits and length must be removed from the - confounder since the purpose of the confounder is so that the message - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - starts with random data, but the tag and its length are fixed. For - other fields, the length and tag would be redundant if they were - included because they are specified by the encryption type. [36] The - ordering of the fields in the CipherText is important. Additionally, - messages encoded in this format must include a length as part of the - msg-seq field. This allows the recipient to verify that the message has - not been truncated. Without a length, an attacker could use a chosen - plaintext attack to generate a message which could be truncated, while - leaving the checksum intact. Note that if the msg-seq is an encoding of - an ASN.1 SEQUENCE or OCTET STRING, then the length is part of that - encoding. - - [37] In some cases, it may be necessary to use a different "mix-in" - string for compatibility reasons; see the discussion of padata in - section 5.4.2. - - [38] In some cases, it may be necessary to use a different "mix-in" - string for compatibility reasons; see the discussion of padata in - section 5.4.2. - - [39] A variant of the key is used to limit the use of a key to a - particular function, separating the functions of generating a checksum - from other encryption performed using the session key. The constant - F0F0F0F0F0F0F0F0 was chosen because it maintains key parity. The - properties of DES precluded the use of the complement. 
The same - constant is used for similar purpose in the Message Integrity Check in - the Privacy Enhanced Mail standard. - - [40] This error carries additional information in the e- data field. - The contents of the e-data field for this message is described in - section 5.9.1.
diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-revisions-06.txt b/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-revisions-06.txt
deleted file mode 100644
index ae79e8a7c4..0000000000
--- a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-revisions-06.txt
+++ /dev/null
@@ -1,7301 +0,0 @@
-INTERNET-DRAFT Clifford Neuman
- John Kohl
- Theodore Ts'o
- July 14, 2000
- Expires January 14, 2001
-
-The Kerberos Network Authentication Service (V5)
-
-
-draft-ietf-cat-kerberos-revisions-06.txt
-
-STATUS OF THIS MEMO
-
-This document is an Internet-Draft and is in full conformance with all
-provisions of Section 10 of RFC 2026. Internet-Drafts are working documents
-of the Internet Engineering Task Force (IETF), its areas, and its working
-groups. Note that other groups may also distribute working documents as
-Internet-Drafts.
-
-Internet-Drafts are draft documents valid for a maximum of six months and
-may be updated, replaced, or obsoleted by other documents at any time. It
-is inappropriate to use Internet-Drafts as reference material or to cite
-them other than as "work in progress."
-
-The list of current Internet-Drafts can be accessed at
-http://www.ietf.org/ietf/1id-abstracts.txt
-
-The list of Internet-Draft Shadow Directories can be accessed at
-http://www.ietf.org/shadow.html.
-
-To learn the current status of any Internet-Draft, please check the
-"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
-Directories on ftp.ietf.org (US East Coast), nic.nordu.net (Europe),
-ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).
-
-The distribution of this memo is unlimited. It is filed as
-draft-ietf-cat-kerberos-revisions-06.txt, and expires January 14, 2001.
-Please send comments to: krb-protocol@MIT.EDU
-
- This document is getting closer to a last call, but there are several
- issues to be discussed. Some, but not all of these issues, are
- highlighted in comments in the draft. We hope to resolve these issues
- on the mailing list for the Kerberos working group, leading up to and
- during the Pittsburgh IETF on a section by section basis, since this
- is a long document, and it has been difficult to consider it as a
- whole.
Once sections are agreed to, it is out intent to issue the more - formal WG and IETF last calls. - -ABSTRACT - -This document provides an overview and specification of Version 5 of the -Kerberos protocol, and updates RFC1510 to clarify aspects of the protocol -and its intended use that require more detailed or clearer explanation than -was provided in RFC1510. This document is intended to provide a detailed -description of the protocol, suitable for implementation, together with -descriptions of the appropriate use of protocol messages and fields within -those messages. - -This document is not intended to describe Kerberos to the end user, system -administrator, or application developer. Higher level papers describing -Version 5 of the Kerberos system [NT94] and documenting version 4 [SNS88], -are available elsewhere. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -OVERVIEW - -This INTERNET-DRAFT describes the concepts and model upon which the -Kerberos network authentication system is based. It also specifies Version -5 of the Kerberos protocol. - -The motivations, goals, assumptions, and rationale behind most design -decisions are treated cursorily; they are more fully described in a paper -available in IEEE communications [NT94] and earlier in the Kerberos portion -of the Athena Technical Plan [MNSS87]. The protocols have been a proposed -standard and are being considered for advancement for draft standard -through the IETF standard process. Comments are encouraged on the -presentation, but only minor refinements to the protocol as implemented or -extensions that fit within current protocol framework will be considered at -this time. - -Requests for addition to an electronic mailing list for discussion of -Kerberos, kerberos@MIT.EDU, may be addressed to kerberos-request@MIT.EDU. -This mailing list is gatewayed onto the Usenet as the group -comp.protocols.kerberos. 
Requests for further information, including -documents and code availability, may be sent to info-kerberos@MIT.EDU. - -BACKGROUND - -The Kerberos model is based in part on Needham and Schroeder's trusted -third-party authentication protocol [NS78] and on modifications suggested -by Denning and Sacco [DS81]. The original design and implementation of -Kerberos Versions 1 through 4 was the work of two former Project Athena -staff members, Steve Miller of Digital Equipment Corporation and Clifford -Neuman (now at the Information Sciences Institute of the University of -Southern California), along with Jerome Saltzer, Technical Director of -Project Athena, and Jeffrey Schiller, MIT Campus Network Manager. Many -other members of Project Athena have also contributed to the work on -Kerberos. - -Version 5 of the Kerberos protocol (described in this document) has evolved -from Version 4 based on new requirements and desires for features not -available in Version 4. The design of Version 5 of the Kerberos protocol -was led by Clifford Neuman and John Kohl with much input from the -community. The development of the MIT reference implementation was led at -MIT by John Kohl and Theodore T'so, with help and contributed code from -many others. Since RFC1510 was issued, extensions and revisions to the -protocol have been proposed by many individuals. Some of these proposals -are reflected in this document. Where such changes involved significant -effort, the document cites the contribution of the proposer. - -Reference implementations of both version 4 and version 5 of Kerberos are -publicly available and commercial implementations have been developed and -are widely used. Details on the differences between Kerberos Versions 4 and -5 can be found in [KNT92]. - -1. Introduction - -Kerberos provides a means of verifying the identities of principals, (e.g. -a workstation user or a network server) on an open (unprotected) network. 
-This is accomplished without relying on assertions by the host operating -system, without basing trust on host addresses, without requiring physical -security of all the hosts on the network, and under the assumption that -packets traveling along the network can be read, modified, and inserted at -will[1]. Kerberos performs authentication under these conditions as a -trusted third-party authentication service by using conventional (shared -secret key [2] cryptography. Kerberos extensions have been proposed and -implemented that provide for the use of public key cryptography during -certain phases of the authentication protocol. These extensions provide for - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -authentication of users registered with public key certification -authorities, and allow the system to provide certain benefits of public key -cryptography in situations where they are needed. - -The basic Kerberos authentication process proceeds as follows: A client -sends a request to the authentication server (AS) requesting 'credentials' -for a given server. The AS responds with these credentials, encrypted in -the client's key. The credentials consist of 1) a 'ticket' for the server -and 2) a temporary encryption key (often called a "session key"). The -client transmits the ticket (which contains the client's identity and a -copy of the session key, all encrypted in the server's key) to the server. -The session key (now shared by the client and server) is used to -authenticate the client, and may optionally be used to authenticate the -server. It may also be used to encrypt further communication between the -two parties or to exchange a separate sub-session key to be used to encrypt -further communication. - -Implementation of the basic protocol consists of one or more authentication -servers running on physically secure hosts. 
The authentication servers -maintain a database of principals (i.e., users and servers) and their -secret keys. Code libraries provide encryption and implement the Kerberos -protocol. In order to add authentication to its transactions, a typical -network application adds one or two calls to the Kerberos library directly -or through the Generic Security Services Application Programming Interface, -GSSAPI, described in separate document. These calls result in the -transmission of the necessary messages to achieve authentication. - -The Kerberos protocol consists of several sub-protocols (or exchanges). -There are two basic methods by which a client can ask a Kerberos server for -credentials. In the first approach, the client sends a cleartext request -for a ticket for the desired server to the AS. The reply is sent encrypted -in the client's secret key. Usually this request is for a ticket-granting -ticket (TGT) which can later be used with the ticket-granting server (TGS). -In the second method, the client sends a request to the TGS. The client -uses the TGT to authenticate itself to the TGS in the same manner as if it -were contacting any other application server that requires Kerberos -authentication. The reply is encrypted in the session key from the TGT. -Though the protocol specification describes the AS and the TGS as separate -servers, they are implemented in practice as different protocol entry -points within a single Kerberos server. - -Once obtained, credentials may be used to verify the identity of the -principals in a transaction, to ensure the integrity of messages exchanged -between them, or to preserve privacy of the messages. The application is -free to choose whatever protection may be necessary. - -To verify the identities of the principals in a transaction, the client -transmits the ticket to the application server. 
Since the ticket is sent -"in the clear" (parts of it are encrypted, but this encryption doesn't -thwart replay) and might be intercepted and reused by an attacker, -additional information is sent to prove that the message originated with -the principal to whom the ticket was issued. This information (called the -authenticator) is encrypted in the session key, and includes a timestamp. -The timestamp proves that the message was recently generated and is not a -replay. Encrypting the authenticator in the session key proves that it was -generated by a party possessing the session key. Since no one except the -requesting principal and the server know the session key (it is never sent -over the network in the clear) this guarantees the identity of the client. - -The integrity of the messages exchanged between principals can also be -guaranteed using the session key (passed in the ticket and contained in the -credentials). This approach provides detection of both replay attacks and -message stream modification attacks. It is accomplished by generating and -transmitting a collision-proof checksum (elsewhere called a hash or digest -function) of the client's message, keyed with the session key. Privacy and - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -integrity of the messages exchanged between principals can be secured by -encrypting the data to be passed using the session key contained in the -ticket or the subsession key found in the authenticator. - -The authentication exchanges mentioned above require read-only access to -the Kerberos database. Sometimes, however, the entries in the database must -be modified, such as when adding new principals or changing a principal's -key. This is done using a protocol between a client and a third Kerberos -server, the Kerberos Administration Server (KADM). There is also a protocol -for maintaining multiple copies of the Kerberos database. 
Neither of these -protocols are described in this document. - -1.1. Cross-Realm Operation - -The Kerberos protocol is designed to operate across organizational -boundaries. A client in one organization can be authenticated to a server -in another. Each organization wishing to run a Kerberos server establishes -its own 'realm'. The name of the realm in which a client is registered is -part of the client's name, and can be used by the end-service to decide -whether to honor a request. - -By establishing 'inter-realm' keys, the administrators of two realms can -allow a client authenticated in the local realm to prove its identity to -servers in other realms[3]. The exchange of inter-realm keys (a separate -key may be used for each direction) registers the ticket-granting service -of each realm as a principal in the other realm. A client is then able to -obtain a ticket-granting ticket for the remote realm's ticket-granting -service from its local realm. When that ticket-granting ticket is used, the -remote ticket-granting service uses the inter-realm key (which usually -differs from its own normal TGS key) to decrypt the ticket-granting ticket, -and is thus certain that it was issued by the client's own TGS. Tickets -issued by the remote ticket-granting service will indicate to the -end-service that the client was authenticated from another realm. - -A realm is said to communicate with another realm if the two realms share -an inter-realm key, or if the local realm shares an inter-realm key with an -intermediate realm that communicates with the remote realm. An -authentication path is the sequence of intermediate realms that are -transited in communicating from one realm to another. - -Realms are typically organized hierarchically. Each realm shares a key with -its parent and a different key with each child. If an inter-realm key is -not directly shared by two realms, the hierarchical organization allows an -authentication path to be easily constructed. 
If a hierarchical -organization is not used, it may be necessary to consult a database in -order to construct an authentication path between realms. - -Although realms are typically hierarchical, intermediate realms may be -bypassed to achieve cross-realm authentication through alternate -authentication paths (these might be established to make communication -between two realms more efficient). It is important for the end-service to -know which realms were transited when deciding how much faith to place in -the authentication process. To facilitate this decision, a field in each -ticket contains the names of the realms that were involved in -authenticating the client. - -The application server is ultimately responsible for accepting or rejecting -authentication and should check the transited field. The application server -may choose to rely on the KDC for the application server's realm to check -the transited field. The application server's KDC will set the -TRANSITED-POLICY-CHECKED flag in this case. The KDC's for intermediate -realms may also check the transited field as they issue -ticket-granting-tickets for other realms, but they are encouraged not to do -so. A client may request that the KDC's not check the transited field by -setting the DISABLE-TRANSITED-CHECK flag. KDC's are encouraged but not -required to honor this flag. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - [JBrezak] Should there be a section here on how clients determine what - realm a service is in? Something like: - - The client may not immediately know what realm a particular service - principal is in. There are 2 basic mechanisms that can be used to - determine the realm of a service. The first requires that the client - fully specify the service principal including the realm in the - Kerberos protocol request. 
If the Kerberos server for the specified - realm does not have a principal that exactly matches the service in - the request, the Kerberos server will return an error indicating that - the service principal was not found. Alternatively the client can make - a request providing just the service principal name and requesting - name canonicalization from the Kerberos server. The Kerberos server - will attempt to locate a service principal in its database that best - matches the request principal or provide a referral to another - Kerberos realm that may be contain the requested service principal. - -1.2. Authorization - -As an authentication service, Kerberos provides a means of verifying the -identity of principals on a network. Authentication is usually useful -primarily as a first step in the process of authorization, determining -whether a client may use a service, which objects the client is allowed to -access, and the type of access allowed for each. Kerberos does not, by -itself, provide authorization. Possession of a client ticket for a service -provides only for authentication of the client to that service, and in the -absence of a separate authorization procedure, it should not be considered -by an application as authorizing the use of that service. - -Such separate authorization methods may be implemented as application -specific access control functions and may be based on files such as the -application server, or on separately issued authorization credentials such -as those based on proxies [Neu93], or on other authorization services. -Separately authenticated authorization credentials may be embedded in a -tickets authorization data when encapsulated by the kdc-issued -authorization data element. 
- -Applications should not be modified to accept the mere issuance of a -service ticket by the Kerberos server (even by a modified Kerberos server) -as granting authority to use the service, since such applications may -become vulnerable to the bypass of this authorization check in an -environment if they interoperate with other KDCs or where other options for -application authentication (e.g. the PKTAPP proposal) are provided. - -1.3. Environmental assumptions - -Kerberos imposes a few assumptions on the environment in which it can -properly function: - - * 'Denial of service' attacks are not solved with Kerberos. There are - places in these protocols where an intruder can prevent an application - from participating in the proper authentication steps. Detection and - solution of such attacks (some of which can appear to be nnot-uncommon - 'normal' failure modes for the system) is usually best left to the - human administrators and users. - * Principals must keep their secret keys secret. If an intruder somehow - steals a principal's key, it will be able to masquerade as that - principal or impersonate any server to the legitimate principal. - * 'Password guessing' attacks are not solved by Kerberos. If a user - chooses a poor password, it is possible for an attacker to - successfully mount an offline dictionary attack by repeatedly - attempting to decrypt, with successive entries from a dictionary, - messages obtained which are encrypted under a key derived from the - user's password. - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - * Each host on the network must have a clock which is 'loosely - synchronized' to the time of the other hosts; this synchronization is - used to reduce the bookkeeping needs of application servers when they - do replay detection. The degree of "looseness" can be configured on a - per-server basis, but is typically on the order of 5 minutes. 
If the - clocks are synchronized over the network, the clock synchronization - protocol must itself be secured from network attackers. - * Principal identifiers are not recycled on a short-term basis. A - typical mode of access control will use access control lists (ACLs) to - grant permissions to particular principals. If a stale ACL entry - remains for a deleted principal and the principal identifier is - reused, the new principal will inherit rights specified in the stale - ACL entry. By not re-using principal identifiers, the danger of - inadvertent access is removed. - -1.4. Glossary of terms - -Below is a list of terms used throughout this document. - -Authentication - Verifying the claimed identity of a principal. -Authentication header - A record containing a Ticket and an Authenticator to be presented to a - server as part of the authentication process. -Authentication path - A sequence of intermediate realms transited in the authentication - process when communicating from one realm to another. -Authenticator - A record containing information that can be shown to have been - recently generated using the session key known only by the client and - server. -Authorization - The process of determining whether a client may use a service, which - objects the client is allowed to access, and the type of access - allowed for each. -Capability - A token that grants the bearer permission to access an object or - service. In Kerberos, this might be a ticket whose use is restricted - by the contents of the authorization data field, but which lists no - network addresses, together with the session key necessary to use the - ticket. -Ciphertext - The output of an encryption function. Encryption transforms plaintext - into ciphertext. -Client - A process that makes use of a network service on behalf of a user. - Note that in some cases a Server may itself be a client of some other - server (e.g. a print server may be a client of a file server). 
-Credentials - A ticket plus the secret session key necessary to successfully use - that ticket in an authentication exchange. -KDC - Key Distribution Center, a network service that supplies tickets and - temporary session keys; or an instance of that service or the host on - which it runs. The KDC services both initial ticket and - ticket-granting ticket requests. The initial ticket portion is - sometimes referred to as the Authentication Server (or service). The - ticket-granting ticket portion is sometimes referred to as the - ticket-granting server (or service). -Kerberos - Aside from the 3-headed dog guarding Hades, the name given to Project - Athena's authentication service, the protocol used by that service, or - the code used to implement the authentication service. -Plaintext - The input to an encryption function or the output of a decryption - function. Decryption transforms ciphertext into plaintext. - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -Principal - A uniquely named client or server instance that participates in a - network communication. -Principal identifier - The name used to uniquely identify each different principal. -Seal - To encipher a record containing several fields in such a way that the - fields cannot be individually replaced without either knowledge of the - encryption key or leaving evidence of tampering. -Secret key - An encryption key shared by a principal and the KDC, distributed - outside the bounds of the system, with a long lifetime. In the case of - a human user's principal, the secret key is derived from a password. -Server - A particular Principal which provides a resource to network clients. - The server is sometimes refered to as the Application Server. -Service - A resource provided to network clients; often provided by more than - one server (for example, remote file service). 
-Session key - A temporary encryption key used between two principals, with a - lifetime limited to the duration of a single login "session". -Sub-session key - A temporary encryption key used between two principals, selected and - exchanged by the principals using the session key, and with a lifetime - limited to the duration of a single association. -Ticket - A record that helps a client authenticate itself to a server; it - contains the client's identity, a session key, a timestamp, and other - information, all sealed using the server's secret key. It only serves - to authenticate a client when presented along with a fresh - Authenticator. - -2. Ticket flag uses and requests - -Each Kerberos ticket contains a set of flags which are used to indicate -various attributes of that ticket. Most flags may be requested by a client -when the ticket is obtained; some are automatically turned on and off by a -Kerberos server as required. The following sections explain what the -various flags mean, and gives examples of reasons to use such a flag. - -2.1. Initial and pre-authenticated tickets - -The INITIAL flag indicates that a ticket was issued using the AS protocol -and not issued based on a ticket-granting ticket. Application servers that -want to require the demonstrated knowledge of a client's secret key (e.g. a -password-changing program) can insist that this flag be set in any tickets -they accept, and thus be assured that the client's key was recently -presented to the application client. - -The PRE-AUTHENT and HW-AUTHENT flags provide addition information about the -initial authentication, regardless of whether the current ticket was issued -directly (in which case INITIAL will also be set) or issued on the basis of -a ticket-granting ticket (in which case the INITIAL flag is clear, but the -PRE-AUTHENT and HW-AUTHENT flags are carried forward from the -ticket-granting ticket). - -2.2. Invalid tickets - -The INVALID flag indicates that a ticket is invalid. 
Application servers -must reject tickets which have this flag set. A postdated ticket will -usually be issued in this form. Invalid tickets must be validated by the -KDC before use, by presenting them to the KDC in a TGS request with the -VALIDATE option specified. The KDC will only validate tickets after their -starttime has passed. The validation is required so that postdated tickets -which have been stolen before their starttime can be rendered permanently -invalid (through a hot-list mechanism) (see section 3.3.3.1). - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -2.3. Renewable tickets - -Applications may desire to hold tickets which can be valid for long periods -of time. However, this can expose their credentials to potential theft for -equally long periods, and those stolen credentials would be valid until the -expiration time of the ticket(s). Simply using short-lived tickets and -obtaining new ones periodically would require the client to have long-term -access to its secret key, an even greater risk. Renewable tickets can be -used to mitigate the consequences of theft. Renewable tickets have two -"expiration times": the first is when the current instance of the ticket -expires, and the second is the latest permissible value for an individual -expiration time. An application client must periodically (i.e. before it -expires) present a renewable ticket to the KDC, with the RENEW option set -in the KDC request. The KDC will issue a new ticket with a new session key -and a later expiration time. All other fields of the ticket are left -unmodified by the renewal process. When the latest permissible expiration -time arrives, the ticket expires permanently. 
At each renewal, the KDC may -consult a hot-list to determine if the ticket had been reported stolen -since its last renewal; it will refuse to renew such stolen tickets, and -thus the usable lifetime of stolen tickets is reduced. - -The RENEWABLE flag in a ticket is normally only interpreted by the -ticket-granting service (discussed below in section 3.3). It can usually be -ignored by application servers. However, some particularly careful -application servers may wish to disallow renewable tickets. - -If a renewable ticket is not renewed by its expiration time, the KDC will -not renew the ticket. The RENEWABLE flag is reset by default, but a client -may request it be set by setting the RENEWABLE option in the KRB_AS_REQ -message. If it is set, then the renew-till field in the ticket contains the -time after which the ticket may not be renewed. - -2.4. Postdated tickets - -Applications may occasionally need to obtain tickets for use much later, -e.g. a batch submission system would need tickets to be valid at the time -the batch job is serviced. However, it is dangerous to hold valid tickets -in a batch queue, since they will be on-line longer and more prone to -theft. Postdated tickets provide a way to obtain these tickets from the KDC -at job submission time, but to leave them "dormant" until they are -activated and validated by a further request of the KDC. If a ticket theft -were reported in the interim, the KDC would refuse to validate the ticket, -and the thief would be foiled. - -The MAY-POSTDATE flag in a ticket is normally only interpreted by the -ticket-granting service. It can be ignored by application servers. This -flag must be set in a ticket-granting ticket in order to issue a postdated -ticket based on the presented ticket. It is reset by default; it may be -requested by a client by setting the ALLOW-POSTDATE option in the -KRB_AS_REQ message. 
This flag does not allow a client to obtain a postdated -ticket-granting ticket; postdated ticket-granting tickets can only by -obtained by requesting the postdating in the KRB_AS_REQ message. The life -(endtime-starttime) of a postdated ticket will be the remaining life of the -ticket-granting ticket at the time of the request, unless the RENEWABLE -option is also set, in which case it can be the full life -(endtime-starttime) of the ticket-granting ticket. The KDC may limit how -far in the future a ticket may be postdated. - -The POSTDATED flag indicates that a ticket has been postdated. The -application server can check the authtime field in the ticket to see when -the original authentication occurred. Some services may choose to reject -postdated tickets, or they may only accept them within a certain period -after the original authentication. When the KDC issues a POSTDATED ticket, -it will also be marked as INVALID, so that the application client must -present the ticket to the KDC to be validated before use. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -2.5. Proxiable and proxy tickets - -At times it may be necessary for a principal to allow a service to perform -an operation on its behalf. The service must be able to take on the -identity of the client, but only for a particular purpose. A principal can -allow a service to take on the principal's identity for a particular -purpose by granting it a proxy. - -The process of granting a proxy using the proxy and proxiable flags is used -to provide credentials for use with specific services. Though conceptually -also a proxy, user's wishing to delegate their identity for ANY purpose -must use the ticket forwarding mechanism described in the next section to -forward a ticket granting ticket. - -The PROXIABLE flag in a ticket is normally only interpreted by the -ticket-granting service. It can be ignored by application servers. 
When -set, this flag tells the ticket-granting server that it is OK to issue a -new ticket (but not a ticket-granting ticket) with a different network -address based on this ticket. This flag is set if requested by the client -on initial authentication. By default, the client will request that it be -set when requesting a ticket granting ticket, and reset when requesting any -other ticket. - -This flag allows a client to pass a proxy to a server to perform a remote -request on its behalf, e.g. a print service client can give the print -server a proxy to access the client's files on a particular file server in -order to satisfy a print request. - -In order to complicate the use of stolen credentials, Kerberos tickets are -usually valid from only those network addresses specifically included in -the ticket[4]. When granting a proxy, the client must specify the new -network address from which the proxy is to be used, or indicate that the -proxy is to be issued for use from any address. - -The PROXY flag is set in a ticket by the TGS when it issues a proxy ticket. -Application servers may check this flag and at their option they may -require additional authentication from the agent presenting the proxy in -order to provide an audit trail. - -2.6. Forwardable tickets - -Authentication forwarding is an instance of a proxy where the service is -granted complete use of the client's identity. An example where it might be -used is when a user logs in to a remote system and wants authentication to -work from that system as if the login were local. - -The FORWARDABLE flag in a ticket is normally only interpreted by the -ticket-granting service. It can be ignored by application servers. The -FORWARDABLE flag has an interpretation similar to that of the PROXIABLE -flag, except ticket-granting tickets may also be issued with different -network addresses. 
This flag is reset by default, but users may request
-that it be set by setting the FORWARDABLE option in the AS request when
-they request their initial ticket- granting ticket.
-
-This flag allows for authentication forwarding without requiring the user
-to enter a password again. If the flag is not set, then authentication
-forwarding is not permitted, but the same result can still be achieved if
-the user engages in the AS exchange specifying the requested network
-addresses and supplies a password.
-
-The FORWARDED flag is set by the TGS when a client presents a ticket with
-the FORWARDABLE flag set and requests a forwarded ticket by specifying the
-FORWARDED KDC option and supplying a set of addresses for the new ticket.
-It is also set in all tickets issued based on tickets with the FORWARDED
-flag set. Application servers may choose to process FORWARDED tickets
-differently than non-FORWARDED tickets.
-
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
-2.7 Name canonicalization [JBrezak]
-
-If a client does not have the full name information for a principal, it can
-request that the Kerberos server attempt to lookup the name in its database
-and return a canonical form of the requested principal or a referral to a
-realm that has the requested principal in its namespace. Name
-canonicalization allows a principal to have alternate names. Name
-canonicalization must not be used to locate principal names supplied from
-wildcards and is not a mechanism to be used to search a Kerberos database.
-
-The CANONICALIZE flag in a ticket request is used to indicate to the
-Kerberos server that the client will accept an alternative name to the
-principal in the request or a referral to another realm. Both the AS and
-TGS must be able to interpret requests with this flag.
-
-By using this flag, the client can avoid extensive configuration needed to
-map specific host names to a particular realm.
- -2.8. Other KDC options - -There are two additional options which may be set in a client's request of -the KDC. The RENEWABLE-OK option indicates that the client will accept a -renewable ticket if a ticket with the requested life cannot otherwise be -provided. If a ticket with the requested life cannot be provided, then the -KDC may issue a renewable ticket with a renew-till equal to the the -requested endtime. The value of the renew-till field may still be adjusted -by site-determined limits or limits imposed by the individual principal or -server. - -The ENC-TKT-IN-SKEY option is honored only by the ticket-granting service. -It indicates that the ticket to be issued for the end server is to be -encrypted in the session key from the a additional second ticket-granting -ticket provided with the request. See section 3.3.3 for specific details. - -3. Message Exchanges - -The following sections describe the interactions between network clients -and servers and the messages involved in those exchanges. - -3.1. The Authentication Service Exchange - - Summary - Message direction Message type Section - 1. Client to Kerberos KRB_AS_REQ 5.4.1 - 2. Kerberos to client KRB_AS_REP or 5.4.2 - KRB_ERROR 5.9.1 - -The Authentication Service (AS) Exchange between the client and the -Kerberos Authentication Server is initiated by a client when it wishes to -obtain authentication credentials for a given server but currently holds no -credentials. In its basic form, the client's secret key is used for -encryption and decryption. This exchange is typically used at the -initiation of a login session to obtain credentials for a Ticket-Granting -Server which will subsequently be used to obtain credentials for other -servers (see section 3.3) without requiring further use of the client's -secret key. 
This exchange is also used to request credentials for services
-which must not be mediated through the Ticket-Granting Service, but rather
-require a principal's secret key, such as the password-changing service[5].
-This exchange does not by itself provide any assurance of the the identity
-of the user[6].
-
-The exchange consists of two messages: KRB_AS_REQ from the client to
-Kerberos, and KRB_AS_REP or KRB_ERROR in reply. The formats for these
-messages are described in sections 5.4.1, 5.4.2, and 5.9.1.
-
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
-In the request, the client sends (in cleartext) its own identity and the
-identity of the server for which it is requesting credentials. The
-response, KRB_AS_REP, contains a ticket for the client to present to the
-server, and a session key that will be shared by the client and the server.
-The session key and additional information are encrypted in the client's
-secret key. The KRB_AS_REP message contains information which can be used
-to detect replays, and to associate it with the message to which it
-replies. Various errors can occur; these are indicated by an error response
-(KRB_ERROR) instead of the KRB_AS_REP response. The error message is not
-encrypted. The KRB_ERROR message contains information which can be used to
-associate it with the message to which it replies. The lack of encryption
-in the KRB_ERROR message precludes the ability to detect replays,
-fabrications, or modifications of such messages.
-
-Without preautentication, the authentication server does not know whether
-the client is actually the principal named in the request. It simply sends
-a reply without knowing or caring whether they are the same. This is
-acceptable because nobody but the principal whose identity was given in the
-request will be able to use the reply. Its critical information is
-encrypted in that principal's key.
The initial request supports an optional
-field that can be used to pass additional information that might be needed
-for the initial exchange. This field may be used for preauthentication as
-described in section [hl<>].
-
-3.1.1. Generation of KRB_AS_REQ message
-
-The client may specify a number of options in the initial request. Among
-these options are whether pre-authentication is to be performed; whether
-the requested ticket is to be renewable, proxiable, or forwardable; whether
-it should be postdated or allow postdating of derivative tickets; whether
-the client requests name-canonicalization; and whether a renewable ticket
-will be accepted in lieu of a non-renewable ticket if the requested ticket
-expiration date cannot be satisfied by a non-renewable ticket (due to
-configuration constraints; see section 4). See section A.1 for pseudocode.
-
-The client prepares the KRB_AS_REQ message and sends it to the KDC.
-
-3.1.2. Receipt of KRB_AS_REQ message
-
-If all goes well, processing the KRB_AS_REQ message will result in the
-creation of a ticket for the client to present to the server. The format
-for the ticket is described in section 5.3.1. The contents of the ticket
-are determined as follows.
-
-3.1.3. Generation of KRB_AS_REP message
-
-The authentication server looks up the client and server principals named
-in the KRB_AS_REQ in its database, extracting their respective keys. If
-the requested client principal named in the request is not found in its
-database, then an error message with a KDC_ERR_C_PRINCIPAL_UNKNOWN is
-returned. If the request had the CANONICALIZE option set, then the AS can
-attempt to lookup the client principal name in an alternate database, if it
-is found an error message with a KDC_ERR_WRONG_REALM error code and the
-cname and crealm in the error message must contain the true client
-principal name and realm.
- -If required, the server pre-authenticates the request, and if the -pre-authentication check fails, an error message with the code -KDC_ERR_PREAUTH_FAILED is returned. If the server cannot accommodate the -requested encryption type, an error message with code KDC_ERR_ETYPE_NOSUPP -is returned. Otherwise it generates a 'random' session key[7]. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -If there are multiple encryption keys registered for a client in the -Kerberos database (or if the key registered supports multiple encryption -types; e.g. DES3-CBC-SHA1 and DES3-CBC-SHA1-KD), then the etype field from -the AS request is used by the KDC to select the encryption method to be -used for encrypting the response to the client. If there is more than one -supported, strong encryption type in the etype list, the first valid etype -for which an encryption key is available is used. The encryption method -used to respond to a TGS request is taken from the keytype of the session -key found in the ticket granting ticket. - - JBrezak - the behavior of PW-SALT, and ETYPE-INFO should be explained - here; also about using keys that have different string-to-key - functions like AFSsalt - -When the etype field is present in a KDC request, whether an AS or TGS -request, the KDC will attempt to assign the type of the random session key -from the list of methods in the etype field. The KDC will select the -appropriate type using the list of methods provided together with -information from the Kerberos database indicating acceptable encryption -methods for the application server. The KDC will not issue tickets with a -weak session key encryption type. 
- -If the requested start time is absent, indicates a time in the past, or is -within the window of acceptable clock skew for the KDC and the POSTDATE -option has not been specified, then the start time of the ticket is set to -the authentication server's current time. If it indicates a time in the -future beyond the acceptable clock skew, but the POSTDATED option has not -been specified then the error KDC_ERR_CANNOT_POSTDATE is returned. -Otherwise the requested start time is checked against the policy of the -local realm (the administrator might decide to prohibit certain types or -ranges of postdated tickets), and if acceptable, the ticket's start time is -set as requested and the INVALID flag is set in the new ticket. The -postdated ticket must be validated before use by presenting it to the KDC -after the start time has been reached. - -The expiration time of the ticket will be set to the minimum of the -following: - - * The expiration time (endtime) requested in the KRB_AS_REQ message. - * The ticket's start time plus the maximum allowable lifetime associated - with the client principal (the authentication server's database - includes a maximum ticket lifetime field in each principal's record; - see section 4). - * The ticket's start time plus the maximum allowable lifetime associated - with the server principal. - * The ticket's start time plus the maximum lifetime set by the policy of - the local realm. - -If the requested expiration time minus the start time (as determined above) -is less than a site-determined minimum lifetime, an error message with code -KDC_ERR_NEVER_VALID is returned. If the requested expiration time for the -ticket exceeds what was determined as above, and if the 'RENEWABLE-OK' -option was requested, then the 'RENEWABLE' flag is set in the new ticket, -and the renew-till value is set as if the 'RENEWABLE' option were requested -(the field and option names are described fully in section 5.4.1). 
- -If the RENEWABLE option has been requested or if the RENEWABLE-OK option -has been set and a renewable ticket is to be issued, then the renew-till -field is set to the minimum of: - - * Its requested value. - * The start time of the ticket plus the minimum of the two maximum - renewable lifetimes associated with the principals' database entries. - * The start time of the ticket plus the maximum renewable lifetime set - by the policy of the local realm. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -The flags field of the new ticket will have the following options set if -they have been requested and if the policy of the local realm allows: -FORWARDABLE, MAY-POSTDATE, POSTDATED, PROXIABLE, RENEWABLE. If the new -ticket is post-dated (the start time is in the future), its INVALID flag -will also be set. - -If all of the above succeed, the server formats a KRB_AS_REP message (see -section 5.4.2), copying the addresses in the request into the caddr of the -response, placing any required pre-authentication data into the padata of -the response, and encrypts the ciphertext part in the client's key using -the requested encryption method, and sends it to the client. See section -A.2 for pseudocode. - -3.1.4. Generation of KRB_ERROR message - -Several errors can occur, and the Authentication Server responds by -returning an error message, KRB_ERROR, to the client, with the error-code -and e-text fields set to appropriate values. The error message contents and -details are described in Section 5.9.1. - -3.1.5. Receipt of KRB_AS_REP message - -If the reply message type is KRB_AS_REP, then the client verifies that the -cname and crealm fields in the cleartext portion of the reply match what it -requested. If any padata fields are present, they may be used to derive the -proper secret key to decrypt the message. 
The client decrypts the encrypted
-part of the response using its secret key, verifies that the nonce in the
-encrypted part matches the nonce it supplied in its request (to detect
-replays). It also verifies that the sname and srealm in the response match
-those in the request (or are otherwise expected values), and that the host
-address field is also correct. It then stores the ticket, session key,
-start and expiration times, and other information for later use. The
-key-expiration field from the encrypted part of the response may be checked
-to notify the user of impending key expiration (the client program could
-then suggest remedial action, such as a password change). See section A.3
-for pseudocode.
-
-Proper decryption of the KRB_AS_REP message is not sufficient to verify the
-identity of the user; the user and an attacker could cooperate to generate
-a KRB_AS_REP format message which decrypts properly but is not from the
-proper KDC. If the host wishes to verify the identity of the user, it must
-require the user to present application credentials which can be verified
-using a securely-stored secret key for the host. If those credentials can
-be verified, then the identity of the user can be assured.
-
-3.1.6. Receipt of KRB_ERROR message
-
-If the reply message type is KRB_ERROR, then the client interprets it as an
-error and performs whatever application-specific tasks are necessary to
-recover. If the client set the CANONICALIZE option and a
-KDC_ERR_WRONG_REALM error was returned, the AS request should be retried to
-the realm and client principal name specified in the error message crealm
-and cname field respectively.
-
-3.2.
The Client/Server Authentication Exchange - - Summary -Message direction Message type Section -Client to Application server KRB_AP_REQ 5.5.1 -[optional] Application server to client KRB_AP_REP or 5.5.2 - KRB_ERROR 5.9.1 - -The client/server authentication (CS) exchange is used by network -applications to authenticate the client to the server and vice versa. The -client must have already acquired credentials for the server using the AS -or TGS exchange. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -3.2.1. The KRB_AP_REQ message - -The KRB_AP_REQ contains authentication information which should be part of -the first message in an authenticated transaction. It contains a ticket, an -authenticator, and some additional bookkeeping information (see section -5.5.1 for the exact format). The ticket by itself is insufficient to -authenticate a client, since tickets are passed across the network in -cleartext[DS90], so the authenticator is used to prevent invalid replay of -tickets by proving to the server that the client knows the session key of -the ticket and thus is entitled to use the ticket. The KRB_AP_REQ message -is referred to elsewhere as the 'authentication header.' - -3.2.2. Generation of a KRB_AP_REQ message - -When a client wishes to initiate authentication to a server, it obtains -(either through a credentials cache, the AS exchange, or the TGS exchange) -a ticket and session key for the desired service. The client may re-use any -tickets it holds until they expire. To use a ticket the client constructs a -new Authenticator from the the system time, its name, and optionally an -application specific checksum, an initial sequence number to be used in -KRB_SAFE or KRB_PRIV messages, and/or a session subkey to be used in -negotiations for a session key unique to this particular session. -Authenticators may not be re-used and will be rejected if replayed to a -server[LGDSR87]. 
If a sequence number is to be included, it should be
-randomly chosen so that even after many messages have been exchanged it is
-not likely to collide with other sequence numbers in use.
-
-The client may indicate a requirement of mutual authentication or the use
-of a session-key based ticket by setting the appropriate flag(s) in the
-ap-options field of the message.
-
-The Authenticator is encrypted in the session key and combined with the
-ticket to form the KRB_AP_REQ message which is then sent to the end server
-along with any additional application-specific information. See section A.9
-for pseudocode.
-
-3.2.3. Receipt of KRB_AP_REQ message
-
-Authentication is based on the server's current time of day (clocks must be
-loosely synchronized), the authenticator, and the ticket. Several errors
-are possible. If an error occurs, the server is expected to reply to the
-client with a KRB_ERROR message. This message may be encapsulated in the
-application protocol if its 'raw' form is not acceptable to the protocol.
-The format of error messages is described in section 5.9.1.
-
-The algorithm for verifying authentication information is as follows. If
-the message type is not KRB_AP_REQ, the server returns the
-KRB_AP_ERR_MSG_TYPE error. If the key version indicated by the Ticket in
-the KRB_AP_REQ is not one the server can use (e.g., it indicates an old
-key, and the server no longer possesses a copy of the old key), the
-KRB_AP_ERR_BADKEYVER error is returned. If the USE-SESSION-KEY flag is set
-in the ap-options field, it indicates to the server that the ticket is
-encrypted in the session key from the server's ticket-granting ticket
-rather than its secret key[10]. Since it is possible for the server to be
-registered in multiple realms, with different keys in each, the srealm
-field in the unencrypted portion of the ticket in the KRB_AP_REQ is used to
-specify which secret key the server should use to decrypt that ticket.
The
-KRB_AP_ERR_NOKEY error code is returned if the server doesn't have the
-proper key to decipher the ticket.
-
-The ticket is decrypted using the version of the server's key specified by
-the ticket. If the decryption routines detect a modification of the ticket
-(each encryption system must provide safeguards to detect modified
-ciphertext; see section 6), the KRB_AP_ERR_BAD_INTEGRITY error is returned
-(chances are good that different keys were used to encrypt and decrypt).
-
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
-The authenticator is decrypted using the session key extracted from the
-decrypted ticket. If decryption shows it to have been modified, the
-KRB_AP_ERR_BAD_INTEGRITY error is returned. The name and realm of the
-client from the ticket are compared against the same fields in the
-authenticator. If they don't match, the KRB_AP_ERR_BADMATCH error is
-returned (they might not match, for example, if the wrong session key was
-used to encrypt the authenticator). The addresses in the ticket (if any)
-are then searched for an address matching the operating-system reported
-address of the client. If no match is found or the server insists on ticket
-addresses but none are present in the ticket, the KRB_AP_ERR_BADADDR error
-is returned.
-
-If the local (server) time and the client time in the authenticator differ
-by more than the allowable clock skew (e.g., 5 minutes), the
-KRB_AP_ERR_SKEW error is returned. If the server name, along with the
-client name, time and microsecond fields from the Authenticator match any
-recently-seen such tuples, the KRB_AP_ERR_REPEAT error is returned[11]. The
-server must remember any authenticator presented within the allowable clock
-skew, so that a replay attempt is guaranteed to fail.
If a server loses
-track of any authenticator presented within the allowable clock skew, it
-must reject all requests until the clock skew interval has passed. This
-assures that any lost or re-played authenticators will fall outside the
-allowable clock skew and can no longer be successfully replayed (If this is
-not done, an attacker could conceivably record the ticket and authenticator
-sent over the network to a server, then disable the client's host, pose as
-the disabled host, and replay the ticket and authenticator to subvert the
-authentication.). If a sequence number is provided in the authenticator,
-the server saves it for later use in processing KRB_SAFE and/or KRB_PRIV
-messages. If a subkey is present, the server either saves it for later use
-or uses it to help generate its own choice for a subkey to be returned in a
-KRB_AP_REP message.
-
-The server computes the age of the ticket: local (server) time minus the
-start time inside the Ticket. If the start time is later than the current
-time by more than the allowable clock skew or if the INVALID flag is set in
-the ticket, the KRB_AP_ERR_TKT_NYV error is returned. Otherwise, if the
-current time is later than end time by more than the allowable clock skew,
-the KRB_AP_ERR_TKT_EXPIRED error is returned.
-
-If all these checks succeed without an error, the server is assured that
-the client possesses the credentials of the principal named in the ticket
-and thus, the client has been authenticated to the server. See section A.10
-for pseudocode.
-
-Passing these checks provides only authentication of the named principal;
-it does not imply authorization to use the named service. Applications must
-make a separate authorization decisions based upon the authenticated name
-of the user, the requested operation, local acces control information such
-as that contained in a .k5login or .k5users file, and possibly a separate
-distributed authorization service.
-
-3.2.4.
Generation of a KRB_AP_REP message
-
-Typically, a client's request will include both the authentication
-information and its initial request in the same message, and the server
-need not explicitly reply to the KRB_AP_REQ. However, if mutual
-authentication (not only authenticating the client to the server, but also
-the server to the client) is being performed, the KRB_AP_REQ message will
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
-have MUTUAL-REQUIRED set in its ap-options field, and a KRB_AP_REP message
-is required in response. As with the error message, this message may be
-encapsulated in the application protocol if its "raw" form is not
-acceptable to the application's protocol. The timestamp and microsecond
-field used in the reply must be the client's timestamp and microsecond
-field (as provided in the authenticator)[12]. If a sequence number is to be
-included, it should be randomly chosen as described above for the
-authenticator. A subkey may be included if the server desires to negotiate
-a different subkey. The KRB_AP_REP message is encrypted in the session key
-extracted from the ticket. See section A.11 for pseudocode.
-
-3.2.5. Receipt of KRB_AP_REP message
-
-If a KRB_AP_REP message is returned, the client uses the session key from
-the credentials obtained for the server[13] to decrypt the message, and
-verifies that the timestamp and microsecond fields match those in the
-Authenticator it sent to the server. If they match, then the client is
-assured that the server is genuine. The sequence number and subkey (if
-present) are retained for later use. See section A.12 for pseudocode.
-
-3.2.6. Using the encryption key
-
-After the KRB_AP_REQ/KRB_AP_REP exchange has occurred, the client and
-server share an encryption key which can be used by the application.
The
-'true session key' to be used for KRB_PRIV, KRB_SAFE, or other
-application-specific uses may be chosen by the application based on the
-subkeys in the KRB_AP_REP message and the authenticator[14]. In some cases,
-the use of this session key will be implicit in the protocol; in others the
-method of use must be chosen from several alternatives. We leave the
-protocol negotiations of how to use the key (e.g. selecting an encryption
-or checksum type) to the application programmer; the Kerberos protocol does
-not constrain the implementation options, but an example of how this might
-be done follows.
-
-One way that an application may choose to negotiate a key to be used for
-subequent integrity and privacy protection is for the client to propose a
-key in the subkey field of the authenticator. The server can then choose a
-key using the proposed key from the client as input, returning the new
-subkey in the subkey field of the application reply. This key could then be
-used for subsequent communication. To make this example more concrete, if
-the encryption method in use required a 56 bit key, and for whatever
-reason, one of the parties was prevented from using a key with more than 40
-unknown bits, this method would allow the the party which is prevented from
-using more than 40 bits to either propose (if the client) an initial key
-with a known quantity for 16 of those bits, or to mask 16 of the bits (if
-the server) with the known quantity. The application implementor is warned,
-however, that this is only an example, and that an analysis of the
-particular crytosystem to be used, and the reasons for limiting the key
-length, must be made before deciding whether it is acceptable to mask bits
-of the key.
-
-With both the one-way and mutual authentication exchanges, the peers should
-take care not to send sensitive information to each other without proper
-assurances.
In particular, applications that require privacy or integrity -should use the KRB_AP_REP response from the server to client to assure both -client and server of their peer's identity. If an application protocol -requires privacy of its messages, it can use the KRB_PRIV message (section -3.5). The KRB_SAFE message (section 3.4) can be used to assure integrity. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -3.3. The Ticket-Granting Service (TGS) Exchange - - Summary - Message direction Message type Section - 1. Client to Kerberos KRB_TGS_REQ 5.4.1 - 2. Kerberos to client KRB_TGS_REP or 5.4.2 - KRB_ERROR 5.9.1 - -The TGS exchange between a client and the Kerberos Ticket-Granting Server -is initiated by a client when it wishes to obtain authentication -credentials for a given server (which might be registered in a remote -realm), when it wishes to renew or validate an existing ticket, or when it -wishes to obtain a proxy ticket. In the first case, the client must already -have acquired a ticket for the Ticket-Granting Service using the AS -exchange (the ticket-granting ticket is usually obtained when a client -initially authenticates to the system, such as when a user logs in). The -message format for the TGS exchange is almost identical to that for the AS -exchange. The primary difference is that encryption and decryption in the -TGS exchange does not take place under the client's key. Instead, the -session key from the ticket-granting ticket or renewable ticket, or -sub-session key from an Authenticator is used. As is the case for all -application servers, expired tickets are not accepted by the TGS, so once a -renewable or ticket-granting ticket expires, the client must use a separate -exchange to obtain valid tickets. - -The TGS exchange consists of two messages: A request (KRB_TGS_REQ) from the -client to the Kerberos Ticket-Granting Server, and a reply (KRB_TGS_REP or -KRB_ERROR). 
The KRB_TGS_REQ message includes information authenticating the
-client plus a request for credentials. The authentication information
-consists of the authentication header (KRB_AP_REQ) which includes the
-client's previously obtained ticket-granting, renewable, or invalid ticket.
-In the ticket-granting ticket and proxy cases, the request may include one
-or more of: a list of network addresses, a collection of typed
-authorization data to be sealed in the ticket for authorization use by the
-application server, or additional tickets (the use of which are described
-later). The TGS reply (KRB_TGS_REP) contains the requested credentials,
-encrypted in the session key from the ticket-granting ticket or renewable
-ticket, or if present, in the sub-session key from the Authenticator (part
-of the authentication header). The KRB_ERROR message contains an error code
-and text explaining what went wrong. The KRB_ERROR message is not
-encrypted. The KRB_TGS_REP message contains information which can be used
-to detect replays, and to associate it with the message to which it
-replies. The KRB_ERROR message also contains information which can be used
-to associate it with the message to which it replies, but the lack of
-encryption in the KRB_ERROR message precludes the ability to detect replays
-or fabrications of such messages.
-
-3.3.1. Generation of KRB_TGS_REQ message
-
-Before sending a request to the ticket-granting service, the client must
-determine in which realm the application server is registered[15], if it is
-known. If the client does know the service principal name and realm and it
-does not already possess a ticket-granting ticket for the appropriate
-realm, then one must be obtained. This is first attempted by requesting a
-ticket-granting ticket for the destination realm from a Kerberos server for
-which the client does posess a ticket-granting ticket (using the
-KRB_TGS_REQ message recursively).
The Kerberos server may return a TGT for
-the desired realm in which case one can proceed.
-
-If the client does not know the realm of the service or the true service
-principal name, then the CANONICALIZE option must be used in the request.
-This will cause the TGS to locate the service principal based on the target
-service name in the ticket and return the service principal name in the
-response. Alternatively, the Kerberos server may return a TGT for a realm
-which is 'closer' to the desired realm (further along the standard
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
-hierarchical path) or the realm that may contain the requested service
-principal name in a request with the CANONCALIZE option set [JBrezak], in
-which case this step must be repeated with a Kerberos server in the realm
-specified in the returned TGT. If neither are returned, then the request
-must be retried with a Kerberos server for a realm higher in the hierarchy.
-This request will itself require a ticket-granting ticket for the higher
-realm which must be obtained by recursively applying these directions.
-
-Once the client obtains a ticket-granting ticket for the appropriate realm,
-it determines which Kerberos servers serve that realm, and contacts one.
-The list might be obtained through a configuration file or network service
-or it may be generated from the name of the realm; as long as the secret
-keys exchanged by realms are kept secret, only denial of service results
-from using a false Kerberos server.
-
-As in the AS exchange, the client may specify a number of options in the
-KRB_TGS_REQ message.
The client prepares the KRB_TGS_REQ message, providing
-an authentication header as an element of the padata field, and including
-the same fields as used in the KRB_AS_REQ message along with several
-optional fields: the enc-authorization-data field for application server
-use and additional tickets required by some options.
-
-In preparing the authentication header, the client can select a sub-session
-key under which the response from the Kerberos server will be
-encrypted[16]. If the sub-session key is not specified, the session key
-from the ticket-granting ticket will be used. If the enc-authorization-data
-is present, it must be encrypted in the sub-session key, if present, from
-the authenticator portion of the authentication header, or if not present,
-using the session key from the ticket-granting ticket.
-
-Once prepared, the message is sent to a Kerberos server for the destination
-realm. See section A.5 for pseudocode.
-
-3.3.2. Receipt of KRB_TGS_REQ message
-
-The KRB_TGS_REQ message is processed in a manner similar to the KRB_AS_REQ
-message, but there are many additional checks to be performed. First, the
-Kerberos server must determine which server the accompanying ticket is for
-and it must select the appropriate key to decrypt it. For a normal
-KRB_TGS_REQ message, it will be for the ticket granting service, and the
-TGS's key will be used. If the TGT was issued by another realm, then the
-appropriate inter-realm key must be used. If the accompanying ticket is not
-a ticket granting ticket for the current realm, but is for an application
-server in the current realm, the RENEW, VALIDATE, or PROXY options are
-specified in the request, and the server for which a ticket is requested is
-the server named in the accompanying ticket, then the KDC will decrypt the
-ticket in the authentication header using the key of the server for which
-it was issued. If no ticket can be found in the padata field, the
-KDC_ERR_PADATA_TYPE_NOSUPP error is returned.
-
-Once the accompanying ticket has been decrypted, the user-supplied checksum
-in the Authenticator must be verified against the contents of the request,
-and the message rejected if the checksums do not match (with an error code
-of KRB_AP_ERR_MODIFIED) or if the checksum is not keyed or not
-collision-proof (with an error code of KRB_AP_ERR_INAPP_CKSUM). If the
-checksum type is not supported, the KDC_ERR_SUMTYPE_NOSUPP error is
-returned. If the authorization-data are present, they are decrypted using
-the sub-session key from the Authenticator.
-
-If any of the decryptions indicate failed integrity checks, the
-KRB_AP_ERR_BAD_INTEGRITY error is returned. If the CANONICALIZE option is
-set in the KRB_TGS_REQ, then the requested service name may not be the true
-principal name or the service may not be in the TGS realm.
-
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
-3.3.3. Generation of KRB_TGS_REP message
-
-The KRB_TGS_REP message shares its format with the KRB_AS_REP
-(KRB_KDC_REP), but with its type field set to KRB_TGS_REP. The detailed
-specification is in section 5.4.2.
-
-The response will include a ticket for the requested server. The Kerberos
-database is queried to retrieve the record for the requested server
-(including the key with which the ticket will be encrypted). If the request
-is for a ticket granting ticket for a remote realm, and if no key is shared
-with the requested realm, then the Kerberos server will select the realm
-"closest" to the requested realm with which it does share a key, and use
-that realm instead. If the CANONICALIZE option is set, the TGS may return a
-ticket containing the server name of the true service principal. If the
-requested server cannot be found in the TGS database, then a TGT for
-another trusted realm may be returned instead of a ticket for the service.
-This TGT is a referral mechanism to cause the client to retry the request
-to the realm of the TGT. These are the only cases where the response for
-the KDC will be for a different server than that requested by the client.
-
-By default, the address field, the client's name and realm, the list of
-transited realms, the time of initial authentication, the expiration time,
-and the authorization data of the newly-issued ticket will be copied from
-the ticket-granting ticket (TGT) or renewable ticket. If the transited
-field needs to be updated, but the transited type is not supported, the
-KDC_ERR_TRTYPE_NOSUPP error is returned.
-
-If the request specifies an endtime, then the endtime of the new ticket is
-set to the minimum of (a) that request, (b) the endtime from the TGT, and
-(c) the starttime of the TGT plus the minimum of the maximum life for the
-application server and the maximum life for the local realm (the maximum
-life for the requesting principal was already applied when the TGT was
-issued). If the new ticket is to be a renewal, then the endtime above is
-replaced by the minimum of (a) the value of the renew_till field of the
-ticket and (b) the starttime for the new ticket plus the life
-(endtime-starttime) of the old ticket.
-
-If the FORWARDED option has been requested, then the resulting ticket will
-contain the addresses specified by the client. This option will only be
-honored if the FORWARDABLE flag is set in the TGT. The PROXY option is
-similar; the resulting ticket will contain the addresses specified by the
-client. It will be honored only if the PROXIABLE flag in the TGT is set.
-The PROXY option will not be honored on requests for additional
-ticket-granting tickets.
-
-If the requested start time is absent, indicates a time in the past, or is
-within the window of acceptable clock skew for the KDC and the POSTDATE
-option has not been specified, then the start time of the ticket is set to
-the authentication server's current time.
If it indicates a time in the
-future beyond the acceptable clock skew, but the POSTDATED option has not
-been specified or the MAY-POSTDATE flag is not set in the TGT, then the
-error KDC_ERR_CANNOT_POSTDATE is returned. Otherwise, if the
-ticket-granting ticket has the MAY-POSTDATE flag set, then the resulting
-ticket will be postdated and the requested starttime is checked against the
-policy of the local realm. If acceptable, the ticket's start time is set as
-requested, and the INVALID flag is set. The postdated ticket must be
-validated before use by presenting it to the KDC after the starttime has
-been reached. However, in no case may the starttime, endtime, or renew-till
-time of a newly-issued postdated ticket extend beyond the renew-till time
-of the ticket-granting ticket.
-
-If the ENC-TKT-IN-SKEY option has been specified and an additional ticket
-has been included in the request, the KDC will decrypt the additional
-ticket using the key for the server to which the additional ticket was
-issued and verify that it is a ticket-granting ticket. If the name of the
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
-requested server is missing from the request, the name of the client in the
-additional ticket will be used. Otherwise the name of the requested server
-will be compared to the name of the client in the additional ticket and if
-different, the request will be rejected. If the request succeeds, the
-session key from the additional ticket will be used to encrypt the new
-ticket that is issued instead of using the key of the server for which the
-new ticket will be used[17].
-
-If the name of the server in the ticket that is presented to the KDC as
-part of the authentication header is not that of the ticket-granting server
-itself, the server is registered in the realm of the KDC, and the RENEW
-option is requested, then the KDC will verify that the RENEWABLE flag is
-set in the ticket, that the INVALID flag is not set in the ticket, and that
-the renew_till time is still in the future. If the VALIDATE option is
-rqeuested, the KDC will check that the starttime has passed and the INVALID
-flag is set. If the PROXY option is requested, then the KDC will check that
-the PROXIABLE flag is set in the ticket. If the tests succeed, and the
-ticket passes the hotlist check described in the next paragraph, the KDC
-will issue the appropriate new ticket.
-
-3.3.3.1. Checking for revoked tickets
-
-Whenever a request is made to the ticket-granting server, the presented
-ticket(s) is(are) checked against a hot-list of tickets which have been
-canceled. This hot-list might be implemented by storing a range of issue
-timestamps for 'suspect tickets'; if a presented ticket had an authtime in
-that range, it would be rejected. In this way, a stolen ticket-granting
-ticket or renewable ticket cannot be used to gain additional tickets
-(renewals or otherwise) once the theft has been reported. Any normal ticket
-obtained before it was reported stolen will still be valid (because they
-require no interaction with the KDC), but only until their normal
-expiration time.
-
-The ciphertext part of the response in the KRB_TGS_REP message is encrypted
-in the sub-session key from the Authenticator, if present, or the session
-key key from the ticket-granting ticket. It is not encrypted using the
-client's secret key.
Furthermore, the client's key's expiration date and
-the key version number fields are left out since these values are stored
-along with the client's database record, and that record is not needed to
-satisfy a request based on a ticket-granting ticket. See section A.6 for
-pseudocode.
-
-3.3.3.2. Encoding the transited field
-
-If the identity of the server in the TGT that is presented to the KDC as
-part of the authentication header is that of the ticket-granting service,
-but the TGT was issued from another realm, the KDC will look up the
-inter-realm key shared with that realm and use that key to decrypt the
-ticket. If the ticket is valid, then the KDC will honor the request,
-subject to the constraints outlined above in the section describing the AS
-exchange. The realm part of the client's identity will be taken from the
-ticket-granting ticket. The name of the realm that issued the
-ticket-granting ticket will be added to the transited field of the ticket
-to be issued. This is accomplished by reading the transited field from the
-ticket-granting ticket (which is treated as an unordered set of realm
-names), adding the new realm to the set, then constructing and writing out
-its encoded (shorthand) form (this may involve a rearrangement of the
-existing encoding).
-
-Note that the ticket-granting service does not add the name of its own
-realm. Instead, its responsibility is to add the name of the previous
-realm. This prevents a malicious Kerberos server from intentionally leaving
-out its own name (it could, however, omit other realms' names).
-
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
-The names of neither the local realm nor the principal's realm are to be
-included in the transited field. They appear elsewhere in the ticket and
-both are known to have taken part in authenticating the principal.
Since -the endpoints are not included, both local and single-hop inter-realm -authentication result in a transited field that is empty. - -Because the name of each realm transited is added to this field, it might -potentially be very long. To decrease the length of this field, its -contents are encoded. The initially supported encoding is optimized for the -normal case of inter-realm communication: a hierarchical arrangement of -realms using either domain or X.500 style realm names. This encoding -(called DOMAIN-X500-COMPRESS) is now described. - -Realm names in the transited field are separated by a ",". The ",", "\", -trailing "."s, and leading spaces (" ") are special characters, and if they -are part of a realm name, they must be quoted in the transited field by -preced- ing them with a "\". - -A realm name ending with a "." is interpreted as being prepended to the -previous realm. For example, we can encode traversal of EDU, MIT.EDU, -ATHENA.MIT.EDU, WASHINGTON.EDU, and CS.WASHINGTON.EDU as: - - "EDU,MIT.,ATHENA.,WASHINGTON.EDU,CS.". - -Note that if ATHENA.MIT.EDU, or CS.WASHINGTON.EDU were end-points, that -they would not be included in this field, and we would have: - - "EDU,MIT.,WASHINGTON.EDU" - -A realm name beginning with a "/" is interpreted as being appended to the -previous realm[18]. If it is to stand by itself, then it should be preceded -by a space (" "). For example, we can encode traversal of /COM/HP/APOLLO, -/COM/HP, /COM, and /COM/DEC as: - - "/COM,/HP,/APOLLO, /COM/DEC". - -Like the example above, if /COM/HP/APOLLO and /COM/DEC are endpoints, they -they would not be included in this field, and we would have: - - "/COM,/HP" - -A null subfield preceding or following a "," indicates that all realms -between the previous realm and the next realm have been traversed[19]. -Thus, "," means that all realms along the path between the client and the -server have been traversed. 
",EDU, /COM," means that that all realms from -the client's realm up to EDU (in a domain style hierarchy) have been -traversed, and that everything from /COM down to the server's realm in an -X.500 style has also been traversed. This could occur if the EDU realm in -one hierarchy shares an inter-realm key directly with the /COM realm in -another hierarchy. - -3.3.4. Receipt of KRB_TGS_REP message - -When the KRB_TGS_REP is received by the client, it is processed in the same -manner as the KRB_AS_REP processing described above. The primary difference -is that the ciphertext part of the response must be decrypted using the -session key from the ticket-granting ticket rather than the client's secret -key. The server name returned in the reply is the true principal name of -the service. See section A.7 for pseudocode. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -3.4. The KRB_SAFE Exchange - -The KRB_SAFE message may be used by clients requiring the ability to detect -modifications of messages they exchange. It achieves this by including a -keyed collision-proof checksum of the user data and some control -information. The checksum is keyed with an encryption key (usually the last -key negotiated via subkeys, or the session key if no negotiation has -occured). - -3.4.1. Generation of a KRB_SAFE message - -When an application wishes to send a KRB_SAFE message, it collects its data -and the appropriate control information and computes a checksum over them. -The checksum algorithm should be a keyed one-way hash function (such as the -RSA- MD5-DES checksum algorithm specified in section 6.4.5, or the DES -MAC), generated using the sub-session key if present, or the session key. -Different algorithms may be selected by changing the checksum type in the -message. Unkeyed or non-collision-proof checksums are not suitable for this -use. 
-
-The control information for the KRB_SAFE message includes both a timestamp
-and a sequence number. The designer of an application using the KRB_SAFE
-message must choose at least one of the two mechanisms. This choice should
-be based on the needs of the application protocol.
-
-Sequence numbers are useful when all messages sent will be received by
-one's peer. Connection state is presently required to maintain the session
-key, so maintaining the next sequence number should not present an
-additional problem.
-
-If the application protocol is expected to tolerate lost messages without
-them being resent, the use of the timestamp is the appropriate replay
-detection mechanism. Using timestamps is also the appropriate mechanism for
-multi-cast protocols where all of one's peers share a common sub-session
-key, but some messages will be sent to a subset of one's peers.
-
-After computing the checksum, the client then transmits the information and
-checksum to the recipient in the message format specified in section 5.6.1.
-
-3.4.2. Receipt of KRB_SAFE message
-
-When an application receives a KRB_SAFE message, it verifies it as follows.
-If any error occurs, an error code is reported for use by the application.
-
-The message is first checked by verifying that the protocol version and
-type fields match the current version and KRB_SAFE, respectively. A
-mismatch generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error.
-The application verifies that the checksum used is a collision-proof keyed
-checksum, and if it is not, a KRB_AP_ERR_INAPP_CKSUM error is generated. If
-the sender's address was included in the control information, the recipient
-verifies that the operating system's report of the sender's address matches
-the sender's address in the message, and (if a recipient address is
-specified or the recipient requires an address) that one of the recipient's
-addresses appears as the recipient's address in the message.
A failed match
-for either case generates a KRB_AP_ERR_BADADDR error. Then the timestamp
-and usec and/or the sequence number fields are checked. If timestamp and
-usec are expected and not present, or they are present but not current, the
-KRB_AP_ERR_SKEW error is generated. If the server name, along with the
-client name, time and microsecond fields from the Authenticator match any
-recently-seen (sent or received[20] ) such tuples, the KRB_AP_ERR_REPEAT
-error is generated. If an incorrect sequence number is included, or a
-sequence number is expected but not present, the KRB_AP_ERR_BADORDER error
-is generated. If neither a time-stamp and usec or a sequence number is
-present, a KRB_AP_ERR_MODIFIED error is generated. Finally, the checksum is
-computed over the data and control information, and if it doesn't match the
-received checksum, a KRB_AP_ERR_MODIFIED error is generated.
-
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
-If all the checks succeed, the application is assured that the message was
-generated by its peer and was not modi- fied in transit.
-
-3.5. The KRB_PRIV Exchange
-
-The KRB_PRIV message may be used by clients requiring confidentiality and
-the ability to detect modifications of exchanged messages. It achieves this
-by encrypting the messages and adding control information.
-
-3.5.1. Generation of a KRB_PRIV message
-
-When an application wishes to send a KRB_PRIV message, it collects its data
-and the appropriate control information (specified in section 5.7.1) and
-encrypts them under an encryption key (usually the last key negotiated via
-subkeys, or the session key if no negotiation has occured). As part of the
-control information, the client must choose to use either a timestamp or a
-sequence number (or both); see the discussion in section 3.4.1 for
-guidelines on which to use.
After the user data and control information are
-encrypted, the client transmits the ciphertext and some 'envelope'
-information to the recipient.
-
-3.5.2. Receipt of KRB_PRIV message
-
-When an application receives a KRB_PRIV message, it verifies it as follows.
-If any error occurs, an error code is reported for use by the application.
-
-The message is first checked by verifying that the protocol version and
-type fields match the current version and KRB_PRIV, respectively. A
-mismatch generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error.
-The application then decrypts the ciphertext and processes the resultant
-plaintext. If decryption shows the data to have been modified, a
-KRB_AP_ERR_BAD_INTEGRITY error is generated. If the sender's address was
-included in the control information, the recipient verifies that the
-operating system's report of the sender's address matches the sender's
-address in the message, and (if a recipient address is specified or the
-recipient requires an address) that one of the recipient's addresses
-appears as the recipient's address in the message. A failed match for
-either case generates a KRB_AP_ERR_BADADDR error. Then the timestamp and
-usec and/or the sequence number fields are checked. If timestamp and usec
-are expected and not present, or they are present but not current, the
-KRB_AP_ERR_SKEW error is generated. If the server name, along with the
-client name, time and microsecond fields from the Authenticator match any
-recently-seen such tuples, the KRB_AP_ERR_REPEAT error is generated. If an
-incorrect sequence number is included, or a sequence number is expected but
-not present, the KRB_AP_ERR_BADORDER error is generated. If neither a
-time-stamp and usec or a sequence number is present, a KRB_AP_ERR_MODIFIED
-error is generated.
-
-If all the checks succeed, the application can assume the message was
-generated by its peer, and was securely transmitted (without intruders able
-to see the unencrypted contents).
-
-3.6. The KRB_CRED Exchange
-
-The KRB_CRED message may be used by clients requiring the ability to send
-Kerberos credentials from one host to another. It achieves this by sending
-the tickets together with encrypted data containing the session keys and
-other information associated with the tickets.
-
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
-3.6.1. Generation of a KRB_CRED message
-
-When an application wishes to send a KRB_CRED message it first (using the
-KRB_TGS exchange) obtains credentials to be sent to the remote host. It
-then constructs a KRB_CRED message using the ticket or tickets so obtained,
-placing the session key needed to use each ticket in the key field of the
-corresponding KrbCredInfo sequence of the encrypted part of the the
-KRB_CRED message.
-
-Other information associated with each ticket and obtained during the
-KRB_TGS exchange is also placed in the corresponding KrbCredInfo sequence
-in the encrypted part of the KRB_CRED message. The current time and, if
-specifically required by the application the nonce, s-address, and
-r-address fields, are placed in the encrypted part of the KRB_CRED message
-which is then encrypted under an encryption key previosuly exchanged in the
-KRB_AP exchange (usually the last key negotiated via subkeys, or the
-session key if no negotiation has occured).
-
-3.6.2. Receipt of KRB_CRED message
-
-When an application receives a KRB_CRED message, it verifies it. If any
-error occurs, an error code is reported for use by the application. The
-message is verified by checking that the protocol version and type fields
-match the current version and KRB_CRED, respectively. A mismatch generates
-a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error.
The application then -decrypts the ciphertext and processes the resultant plaintext. If -decryption shows the data to have been modified, a KRB_AP_ERR_BAD_INTEGRITY -error is generated. - -If present or required, the recipient verifies that the operating system's -report of the sender's address matches the sender's address in the message, -and that one of the recipient's addresses appears as the recipient's -address in the message. A failed match for either case generates a -KRB_AP_ERR_BADADDR error. The timestamp and usec fields (and the nonce -field if required) are checked next. If the timestamp and usec are not -present, or they are present but not current, the KRB_AP_ERR_SKEW error is -generated. - -If all the checks succeed, the application stores each of the new tickets -in its ticket cache together with the session key and other information in -the corresponding KrbCredInfo sequence from the encrypted part of the -KRB_CRED message. - -4. The Kerberos Database - -The Kerberos server must have access to a database containing the principal -identifiers and secret keys of principals to be authenticated[21]. - -4.1. Database contents - -A database entry should contain at least the following fields: - -Field Value - -name Principal's identifier -key Principal's secret key -p_kvno Principal's key version -max_life Maximum lifetime for Tickets -max_renewable_life Maximum total lifetime for renewable Tickets - -The name field is an encoding of the principal's identifier. The key field -contains an encryption key. This key is the principal's secret key. (The -key can be encrypted before storage under a Kerberos "master key" to -protect it in case the database is compromised but the master key is not. -In that case, an extra field must be added to indicate the master key - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -version used, see below.) 
The p_kvno field is the key version number of the -principal's secret key. The max_life field contains the maximum allowable -lifetime (endtime - starttime) for any Ticket issued for this principal. -The max_renewable_life field contains the maximum allowable total lifetime -for any renewable Ticket issued for this principal. (See section 3.1 for a -description of how these lifetimes are used in determining the lifetime of -a given Ticket.) - -A server may provide KDC service to several realms, as long as the database -representation provides a mechanism to distinguish between principal -records with identifiers which differ only in the realm name. - -When an application server's key changes, if the change is routine (i.e. -not the result of disclosure of the old key), the old key should be -retained by the server until all tickets that had been issued using that -key have expired. Because of this, it is possible for several keys to be -active for a single principal. Ciphertext encrypted in a principal's key is -always tagged with the version of the key that was used for encryption, to -help the recipient find the proper key for decryption. - -When more than one key is active for a particular principal, the principal -will have more than one record in the Kerberos database. The keys and key -version numbers will differ between the records (the rest of the fields may -or may not be the same). Whenever Kerberos issues a ticket, or responds to -a request for initial authentication, the most recent key (known by the -Kerberos server) will be used for encryption. This is the key with the -highest key version number. - -4.2. 
Additional fields - -Project Athena's KDC implementation uses additional fields in its database: - -Field Value - -K_kvno Kerberos' key version -expiration Expiration date for entry -attributes Bit field of attributes -mod_date Timestamp of last modification -mod_name Modifying principal's identifier - -The K_kvno field indicates the key version of the Kerberos master key under -which the principal's secret key is encrypted. - -After an entry's expiration date has passed, the KDC will return an error -to any client attempting to gain tickets as or for the principal. (A -database may want to maintain two expiration dates: one for the principal, -and one for the principal's current key. This allows password aging to work -independently of the principal's expiration date. However, due to the -limited space in the responses, the KDC must combine the key expiration and -principal expiration date into a single value called 'key_exp', which is -used as a hint to the user to take administrative action.) - -The attributes field is a bitfield used to govern the operations involving -the principal. This field might be useful in conjunction with user -registration procedures, for site-specific policy implementations (Project -Athena currently uses it for their user registration process controlled by -the system-wide database service, Moira [LGDSR87]), to identify whether a -principal can play the role of a client or server or both, to note whether -a server is appropriate trusted to recieve credentials delegated by a -client, or to identify the 'string to key' conversion algorithm used for a -principal's key[22]. 
Other bits are used to indicate that certain ticket -options should not be allowed in tickets encrypted under a principal's key -(one bit each): Disallow issuing postdated tickets, disallow issuing -forwardable tickets, disallow issuing tickets based on TGT authentication, -disallow issuing renewable tickets, disallow issuing proxiable tickets, and -disallow issuing tickets for which the principal is the server. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -The mod_date field contains the time of last modification of the entry, and -the mod_name field contains the name of the principal which last modified -the entry. - -4.3. Frequently Changing Fields - -Some KDC implementations may wish to maintain the last time that a request -was made by a particular principal. Information that might be maintained -includes the time of the last request, the time of the last request for a -ticket-granting ticket, the time of the last use of a ticket-granting -ticket, or other times. This information can then be returned to the user -in the last-req field (see section 5.2). - -Other frequently changing information that can be maintained is the latest -expiration time for any tickets that have been issued using each key. This -field would be used to indicate how long old keys must remain valid to -allow the continued use of outstanding tickets. - -4.4. Site Constants - -The KDC implementation should have the following configurable constants or -options, to allow an administrator to make and enforce policy decisions: - - * The minimum supported lifetime (used to determine whether the - KDC_ERR_NEVER_VALID error should be returned). This constant should - reflect reasonable expectations of round-trip time to the KDC, - encryption/decryption time, and processing time by the client and - target server, and it should allow for a minimum 'useful' lifetime. 
- * The maximum allowable total (renewable) lifetime of a ticket - (renew_till - starttime). - * The maximum allowable lifetime of a ticket (endtime - starttime). - * Whether to allow the issue of tickets with empty address fields - (including the ability to specify that such tickets may only be issued - if the request specifies some authorization_data). - * Whether proxiable, forwardable, renewable or post-datable tickets are - to be issued. - -5. Message Specifications - -The following sections describe the exact contents and encoding of protocol -messages and objects. The ASN.1 base definitions are presented in the first -subsection. The remaining subsections specify the protocol objects (tickets -and authenticators) and messages. Specification of encryption and checksum -techniques, and the fields related to them, appear in section 6. - -Optional field in ASN.1 sequences - -For optional integer value and date fields in ASN.1 sequences where a -default value has been specified, certain default values will not be -allowed in the encoding because these values will always be represented -through defaulting by the absence of the optional field. For example, one -will not send a microsecond zero value because one must make sure that -there is only one way to encode this value. - -Additional fields in ASN.1 sequences - -Implementations receiving Kerberos messages with additional fields present -in ASN.1 sequences should carry the those fields through, unmodified, when -the message is forwarded. Implementations should not drop such fields if -the sequence is reencoded. - -5.1. ASN.1 Distinguished Encoding Representation - -All uses of ASN.1 in Kerberos shall use the Distinguished Encoding -Representation of the data elements as described in the X.509 -specification, section 8.7 [X509-88]. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -5.2. 
ASN.1 Base Definitions - -The following ASN.1 base definitions are used in the rest of this section. -Note that since the underscore character (_) is not permitted in ASN.1 -names, the hyphen (-) is used in its place for the purposes of ASN.1 names. - -Realm ::= GeneralString -PrincipalName ::= SEQUENCE { - name-type[0] INTEGER, - name-string[1] SEQUENCE OF GeneralString -} - -Kerberos realms are encoded as GeneralStrings. Realms shall not contain a -character with the code 0 (the ASCII NUL). Most realms will usually consist -of several components separated by periods (.), in the style of Internet -Domain Names, or separated by slashes (/) in the style of X.500 names. -Acceptable forms for realm names are specified in section 7. A -PrincipalName is a typed sequence of components consisting of the following -sub-fields: - -name-type - This field specifies the type of name that follows. Pre-defined values - for this field are specified in section 7.2. The name-type should be - treated as a hint. Ignoring the name type, no two names can be the - same (i.e. at least one of the components, or the realm, must be - different). This constraint may be eliminated in the future. -name-string - This field encodes a sequence of components that form a name, each - component encoded as a GeneralString. Taken together, a PrincipalName - and a Realm form a principal identifier. Most PrincipalNames will have - only a few components (typically one or two). - -KerberosTime ::= GeneralizedTime - -- Specifying UTC time zone (Z) - -The timestamps used in Kerberos are encoded as GeneralizedTimes. An -encoding shall specify the UTC time zone (Z) and shall not include any -fractional portions of the seconds. It further shall not include any -separators. Example: The only valid format for UTC time 6 minutes, 27 -seconds after 9 pm on 6 November 1985 is 19851106210627Z. 
- -HostAddress ::= SEQUENCE { - addr-type[0] INTEGER, - address[1] OCTET STRING -} - -HostAddresses ::= SEQUENCE OF HostAddress - -The host adddress encodings consists of two fields: - -addr-type - This field specifies the type of address that follows. Pre-defined - values for this field are specified in section 8.1. -address - This field encodes a single address of type addr-type. - -The two forms differ slightly. HostAddress contains exactly one address; -HostAddresses contains a sequence of possibly many addresses. - -AuthorizationData ::= SEQUENCE OF SEQUENCE { - ad-type[0] INTEGER, - ad-data[1] OCTET STRING -} - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -ad-data - This field contains authorization data to be interpreted according to - the value of the corresponding ad-type field. -ad-type - This field specifies the format for the ad-data subfield. All negative - values are reserved for local use. Non-negative values are reserved - for registered use. - -Each sequence of type and data is refered to as an authorization element. -Elements may be application specific, however, there is a common set of -recursive elements that should be understood by all implementations. These -elements contain other elements embedded within them, and the -interpretation of the encapsulating element determines which of the -embedded elements must be interpreted, and which may be ignored. -Definitions for these common elements may be found in Appendix B. - -TicketExtensions ::= SEQUENCE OF SEQUENCE { - te-type[0] INTEGER, - te-data[1] OCTET STRING -} - - - -te-data - This field contains opaque data that must be caried with the ticket to - support extensions to the Kerberos protocol including but not limited - to some forms of inter-realm key exchange and plaintext authorization - data. See appendix C for some common uses of this field. 
-te-type - This field specifies the format for the te-data subfield. All negative - values are reserved for local use. Non-negative values are reserved - for registered use. - -APOptions ::= BIT STRING - -- reserved(0), - -- use-session-key(1), - -- mutual-required(2) - -TicketFlags ::= BIT STRING - -- reserved(0), - -- forwardable(1), - -- forwarded(2), - -- proxiable(3), - -- proxy(4), - -- may-postdate(5), - -- postdated(6), - -- invalid(7), - -- renewable(8), - -- initial(9), - -- pre-authent(10), - -- hw-authent(11), - -- transited-policy-checked(12), - -- ok-as-delegate(13) - -KDCOptions ::= BIT STRING io - -- reserved(0), - -- forwardable(1), - -- forwarded(2), - -- proxiable(3), - -- proxy(4), - -- allow-postdate(5), - -- postdated(6), - -- unused7(7), - -- renewable(8), - -- unused9(9), - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - -- unused10(10), - -- unused11(11), - -- unused12(12), - -- unused13(13), - -- requestanonymous(14), - -- canonicalize(15), - -- disable-transited-check(26), - -- renewable-ok(27), - -- enc-tkt-in-skey(28), - -- renew(30), - -- validate(31) - -ASN.1 Bit strings have a length and a value. When used in Kerberos for the -APOptions, TicketFlags, and KDCOptions, the length of the bit string on -generated values should be the smallest number of bits needed to include -the highest order bit that is set (1), but in no case less than 32 bits. -The ASN.1 representation of the bit strings uses unnamed bits, with the -meaning of the individual bits defined by the comments in the specification -above. Implementations should accept values of bit strings of any length -and treat the value of flags corresponding to bits beyond the end of the -bit string as if the bit were reset (0). Comparison of bit strings of -different length should treat the smaller string as if it were padded with -zeros beyond the high order bits to the length of the longer string[23]. 
- -LastReq ::= SEQUENCE OF SEQUENCE { - lr-type[0] INTEGER, - lr-value[1] KerberosTime -} - -lr-type - This field indicates how the following lr-value field is to be - interpreted. Negative values indicate that the information pertains - only to the responding server. Non-negative values pertain to all - servers for the realm. If the lr-type field is zero (0), then no - information is conveyed by the lr-value subfield. If the absolute - value of the lr-type field is one (1), then the lr-value subfield is - the time of last initial request for a TGT. If it is two (2), then the - lr-value subfield is the time of last initial request. If it is three - (3), then the lr-value subfield is the time of issue for the newest - ticket-granting ticket used. If it is four (4), then the lr-value - subfield is the time of the last renewal. If it is five (5), then the - lr-value subfield is the time of last request (of any type). If it is - (6), then the lr-value subfield is the time when the password will - expire. -lr-value - This field contains the time of the last request. the time must be - interpreted according to the contents of the accompanying lr-type - subfield. - -See section 6 for the definitions of Checksum, ChecksumType, EncryptedData, -EncryptionKey, EncryptionType, and KeyType. - -5.3. Tickets and Authenticators - -This section describes the format and encryption parameters for tickets and -authenticators. When a ticket or authenticator is included in a protocol -message it is treated as an opaque object. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -5.3.1. Tickets - -A ticket is a record that helps a client authenticate to a service. 
A -Ticket contains the following information: - -Ticket ::= [APPLICATION 1] SEQUENCE { - tkt-vno[0] INTEGER, - realm[1] Realm, - sname[2] PrincipalName, - enc-part[3] EncryptedData, - extensions[4] TicketExtensions OPTIONAL -} - --- Encrypted part of ticket -EncTicketPart ::= [APPLICATION 3] SEQUENCE { - flags[0] TicketFlags, - key[1] EncryptionKey, - crealm[2] Realm, - cname[3] PrincipalName, - transited[4] TransitedEncoding, - authtime[5] KerberosTime, - starttime[6] KerberosTime OPTIONAL, - endtime[7] KerberosTime, - renew-till[8] KerberosTime OPTIONAL, - caddr[9] HostAddresses OPTIONAL, - authorization-data[10] AuthorizationData OPTIONAL -} --- encoded Transited field -TransitedEncoding ::= SEQUENCE { - tr-type[0] INTEGER, -- must be -registered - contents[1] OCTET STRING -} - -The encoding of EncTicketPart is encrypted in the key shared by Kerberos -and the end server (the server's secret key). See section 6 for the format -of the ciphertext. - -tkt-vno - This field specifies the version number for the ticket format. This - document describes version number 5. -realm - This field specifies the realm that issued a ticket. It also serves to - identify the realm part of the server's principal identifier. Since a - Kerberos server can only issue tickets for servers within its realm, - the two will always be identical. -sname - This field specifies all components of the name part of the server's - identity, including those parts that identify a specific instance of a - service. -enc-part - This field holds the encrypted encoding of the EncTicketPart sequence. -extensions - This optional field contains a sequence of extentions that may be used - to carry information that must be carried with the ticket to support - several extensions, including but not limited to plaintext - authorization data, tokens for exchanging inter-realm keys, and other - information that must be associated with a ticket for use by the - application server. 
See Appendix C for definitions of some common - extensions. - - Note that some older versions of Kerberos did not support this field. - Because this is an optional field it will not break older clients, but - older clients might strip this field from the ticket before sending it - to the application server. This limits the usefulness of this ticket - field to environments where the ticket will not be parsed and - reconstructed by these older Kerberos clients. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - If it is known that the client will strip this field from the ticket, - as an interim measure the KDC may append this field to the end of the - enc-part of the ticket and append a traler indicating the lenght of - the appended extensions field. (this paragraph is open for discussion, - including the form of the traler). -flags - This field indicates which of various options were used or requested - when the ticket was issued. It is a bit-field, where the selected - options are indicated by the bit being set (1), and the unselected - options and reserved fields being reset (0). Bit 0 is the most - significant bit. The encoding of the bits is specified in section 5.2. - The flags are described in more detail above in section 2. The - meanings of the flags are: - - Bit(s) Name Description - - 0 RESERVED - Reserved for future expansion of this - field. - - 1 FORWARDABLE - The FORWARDABLE flag is normally only - interpreted by the TGS, and can be - ignored by end servers. When set, this - flag tells the ticket-granting server - that it is OK to issue a new ticket- - granting ticket with a different network - address based on the presented ticket. - - 2 FORWARDED - When set, this flag indicates that the - ticket has either been forwarded or was - issued based on authentication involving - a forwarded ticket-granting ticket. 
- - 3 PROXIABLE - The PROXIABLE flag is normally only - interpreted by the TGS, and can be - ignored by end servers. The PROXIABLE - flag has an interpretation identical to - that of the FORWARDABLE flag, except - that the PROXIABLE flag tells the - ticket-granting server that only non- - ticket-granting tickets may be issued - with different network addresses. - - 4 PROXY - When set, this flag indicates that a - ticket is a proxy. - - 5 MAY-POSTDATE - The MAY-POSTDATE flag is normally only - interpreted by the TGS, and can be - ignored by end servers. This flag tells - the ticket-granting server that a post- - dated ticket may be issued based on this - ticket-granting ticket. - - 6 POSTDATED - This flag indicates that this ticket has - been postdated. The end-service can - check the authtime field to see when the - original authentication occurred. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - 7 INVALID - This flag indicates that a ticket is - invalid, and it must be validated by the - KDC before use. Application servers - must reject tickets which have this flag - set. - - 8 RENEWABLE - The RENEWABLE flag is normally only - interpreted by the TGS, and can usually - be ignored by end servers (some particu- - larly careful servers may wish to disal- - low renewable tickets). A renewable - ticket can be used to obtain a replace- - ment ticket that expires at a later - date. - - 9 INITIAL - This flag indicates that this ticket was - issued using the AS protocol, and not - issued based on a ticket-granting - ticket. - - 10 PRE-AUTHENT - This flag indicates that during initial - authentication, the client was authenti- - cated by the KDC before a ticket was - issued. The strength of the pre- - authentication method is not indicated, - but is acceptable to the KDC. 
- - 11 HW-AUTHENT - This flag indicates that the protocol - employed for initial authentication - required the use of hardware expected to - be possessed solely by the named client. - The hardware authentication method is - selected by the KDC and the strength of - the method is not indicated. - - 12 TRANSITED This flag indicates that the KDC for the - POLICY-CHECKED realm has checked the transited field - against a realm defined policy for - trusted certifiers. If this flag is - reset (0), then the application server - must check the transited field itself, - and if unable to do so it must reject - the authentication. If the flag is set - (1) then the application server may skip - its own validation of the transited - field, relying on the validation - performed by the KDC. At its option the - application server may still apply its - own validation based on a separate - policy for acceptance. - - 13 OK-AS-DELEGATE This flag indicates that the server (not - the client) specified in the ticket has - been determined by policy of the realm - to be a suitable recipient of - delegation. A client can use the - presence of this flag to help it make a - decision whether to delegate credentials - (either grant a proxy or a forwarded - ticket granting ticket) to this server. - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - The client is free to ignore the value - of this flag. When setting this flag, - an administrator should consider the - Security and placement of the server on - which the service will run, as well as - whether the service requires the use of - delegated credentials. - - 14 ANONYMOUS - This flag indicates that the principal - named in the ticket is a generic princi- - pal for the realm and does not identify - the individual using the ticket. The - purpose of the ticket is only to - securely distribute a session key, and - not to identify the user. 
Subsequent - requests using the same ticket and ses- - sion may be considered as originating - from the same user, but requests with - the same username but a different ticket - are likely to originate from different - users. - - 15-31 RESERVED - Reserved for future use. - -key - This field exists in the ticket and the KDC response and is used to - pass the session key from Kerberos to the application server and the - client. The field's encoding is described in section 6.2. -crealm - This field contains the name of the realm in which the client is - registered and in which initial authentication took place. -cname - This field contains the name part of the client's principal - identifier. -transited - This field lists the names of the Kerberos realms that took part in - authenticating the user to whom this ticket was issued. It does not - specify the order in which the realms were transited. See section - 3.3.3.2 for details on how this field encodes the traversed realms. - When the names of CA's are to be embedded inthe transited field (as - specified for some extentions to the protocol), the X.500 names of the - CA's should be mapped into items in the transited field using the - mapping defined by RFC2253. -authtime - This field indicates the time of initial authentication for the named - principal. It is the time of issue for the original ticket on which - this ticket is based. It is included in the ticket to provide - additional information to the end service, and to provide the - necessary information for implementation of a `hot list' service at - the KDC. An end service that is particularly paranoid could refuse to - accept tickets for which the initial authentication occurred "too far" - in the past. This field is also returned as part of the response from - the KDC. When returned as part of the response to initial - authentication (KRB_AS_REP), this is the current time on the Kerberos - server[24]. 
-starttime - This field in the ticket specifies the time after which the ticket is - valid. Together with endtime, this field specifies the life of the - ticket. If it is absent from the ticket, its value should be treated - as that of the authtime field. - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -endtime - This field contains the time after which the ticket will not be - honored (its expiration time). Note that individual services may place - their own limits on the life of a ticket and may reject tickets which - have not yet expired. As such, this is really an upper bound on the - expiration time for the ticket. -renew-till - This field is only present in tickets that have the RENEWABLE flag set - in the flags field. It indicates the maximum endtime that may be - included in a renewal. It can be thought of as the absolute expiration - time for the ticket, including all renewals. -caddr - This field in a ticket contains zero (if omitted) or more (if present) - host addresses. These are the addresses from which the ticket can be - used. If there are no addresses, the ticket can be used from any - location. The decision by the KDC to issue or by the end server to - accept zero-address tickets is a policy decision and is left to the - Kerberos and end-service administrators; they may refuse to issue or - accept such tickets. The suggested and default policy, however, is - that such tickets will only be issued or accepted when additional - information that can be used to restrict the use of the ticket is - included in the authorization_data field. Such a ticket is a - capability. - - Network addresses are included in the ticket to make it harder for an - attacker to use stolen credentials. 
Because the session key is not - sent over the network in cleartext, credentials can't be stolen simply - by listening to the network; an attacker has to gain access to the - session key (perhaps through operating system security breaches or a - careless user's unattended session) to make use of stolen tickets. - - It is important to note that the network address from which a - connection is received cannot be reliably determined. Even if it could - be, an attacker who has compromised the client's workstation could use - the credentials from there. Including the network addresses only makes - it more difficult, not impossible, for an attacker to walk off with - stolen credentials and then use them from a "safe" location. -authorization-data - The authorization-data field is used to pass authorization data from - the principal on whose behalf a ticket was issued to the application - service. If no authorization data is included, this field will be left - out. Experience has shown that the name of this field is confusing, - and that a better name for this field would be restrictions. - Unfortunately, it is not possible to change the name of this field at - this time. - - This field contains restrictions on any authority obtained on the - basis of authentication using the ticket. It is possible for any - principal in posession of credentials to add entries to the - authorization data field since these entries further restrict what can - be done with the ticket. Such additions can be made by specifying the - additional entries when a new ticket is obtained during the TGS - exchange, or they may be added during chained delegation using the - authorization data field of the authenticator. 
- - Because entries may be added to this field by the holder of - credentials, except when an entry is separately authenticated by - encapulation in the kdc-issued element, it is not allowable for the - presence of an entry in the authorization data field of a ticket to - amplify the priveleges one would obtain from using a ticket. - - The data in this field may be specific to the end service; the field - will contain the names of service specific objects, and the rights to - those objects. The format for this field is described in section 5.2. - Although Kerberos is not concerned with the format of the contents of - the sub-fields, it does carry type information (ad-type). - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - By using the authorization_data field, a principal is able to issue a - proxy that is valid for a specific purpose. For example, a client - wishing to print a file can obtain a file server proxy to be passed to - the print server. By specifying the name of the file in the - authorization_data field, the file server knows that the print server - can only use the client's rights when accessing the particular file to - be printed. - - A separate service providing authorization or certifying group - membership may be built using the authorization-data field. In this - case, the entity granting authorization (not the authorized entity), - may obtain a ticket in its own name (e.g. the ticket is issued in the - name of a privelege server), and this entity adds restrictions on its - own authority and delegates the restricted authority through a proxy - to the client. The client would then present this authorization - credential to the application server separately from the - authentication exchange. 
Alternatively, such authorization credentials - may be embedded in the ticket authenticating the authorized entity, - when the authorization is separately authenticated using the - kdc-issued authorization data element (see B.4). - - Similarly, if one specifies the authorization-data field of a proxy - and leaves the host addresses blank, the resulting ticket and session - key can be treated as a capability. See [Neu93] for some suggested - uses of this field. - - The authorization-data field is optional and does not have to be - included in a ticket. - -5.3.2. Authenticators - -An authenticator is a record sent with a ticket to a server to certify the -client's knowledge of the encryption key in the ticket, to help the server -detect replays, and to help choose a "true session key" to use with the -particular session. The encoding is encrypted in the ticket's session key -shared by the client and the server: - --- Unencrypted authenticator -Authenticator ::= [APPLICATION 2] SEQUENCE { - authenticator-vno[0] INTEGER, - crealm[1] Realm, - cname[2] PrincipalName, - cksum[3] Checksum OPTIONAL, - cusec[4] INTEGER, - ctime[5] KerberosTime, - subkey[6] EncryptionKey OPTIONAL, - seq-number[7] INTEGER OPTIONAL, - authorization-data[8] AuthorizationData OPTIONAL -} - - -authenticator-vno - This field specifies the version number for the format of the - authenticator. This document specifies version 5. -crealm and cname - These fields are the same as those described for the ticket in section - 5.3.1. -cksum - This field contains a checksum of the the applica- tion data that - accompanies the KRB_AP_REQ. -cusec - This field contains the microsecond part of the client's timestamp. - Its value (before encryption) ranges from 0 to 999999. It often - appears along with ctime. The two fields are used together to specify - a reasonably accurate timestamp. 
- -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -ctime - This field contains the current time on the client's host. -subkey - This field contains the client's choice for an encryption key which is - to be used to protect this specific application session. Unless an - application specifies otherwise, if this field is left out the session - key from the ticket will be used. -seq-number - This optional field includes the initial sequence number to be used by - the KRB_PRIV or KRB_SAFE messages when sequence numbers are used to - detect replays (It may also be used by application specific messages). - When included in the authenticator this field specifies the initial - sequence number for messages from the client to the server. When - included in the AP-REP message, the initial sequence number is that - for messages from the server to the client. When used in KRB_PRIV or - KRB_SAFE messages, it is incremented by one after each message is - sent. Sequence numbers fall in the range of 0 through 2^32 - 1 and - wrap to zero following the value 2^32 - 1. - - For sequence numbers to adequately support the detection of replays - they should be non-repeating, even across connection boundaries. The - initial sequence number should be random and uniformly distributed - across the full space of possible sequence numbers, so that it cannot - be guessed by an attacker and so that it and the successive sequence - numbers do not repeat other sequences. -authorization-data - This field is the same as described for the ticket in section 5.3.1. - It is optional and will only appear when additional restrictions are - to be placed on the use of a ticket, beyond those carried in the - ticket itself. - -5.4. Specifications for the AS and TGS exchanges - -This section specifies the format of the messages used in the exchange -between the client and the Kerberos server. 
The format of possible error -messages appears in section 5.9.1. - -5.4.1. KRB_KDC_REQ definition - -The KRB_KDC_REQ message has no type of its own. Instead, its type is one of -KRB_AS_REQ or KRB_TGS_REQ depending on whether the request is for an -initial ticket or an additional ticket. In either case, the message is sent -from the client to the Authentication Server to request credentials for a -service. - -The message fields are: - -AS-REQ ::= [APPLICATION 10] KDC-REQ -TGS-REQ ::= [APPLICATION 12] KDC-REQ - -KDC-REQ ::= SEQUENCE { - pvno[1] INTEGER, - msg-type[2] INTEGER, - padata[3] SEQUENCE OF PA-DATA OPTIONAL, - req-body[4] KDC-REQ-BODY -} - -PA-DATA ::= SEQUENCE { - padata-type[1] INTEGER, - padata-value[2] OCTET STRING, - -- might be encoded AP-REQ -} - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -KDC-REQ-BODY ::= SEQUENCE { - kdc-options[0] KDCOptions, - cname[1] PrincipalName OPTIONAL, - -- Used only in AS-REQ - realm[2] Realm, -- Server's realm - -- Also client's in AS-REQ - sname[3] PrincipalName OPTIONAL, - from[4] KerberosTime OPTIONAL, - till[5] KerberosTime OPTIONAL, - rtime[6] KerberosTime OPTIONAL, - nonce[7] INTEGER, - etype[8] SEQUENCE OF INTEGER, - -- EncryptionType, - -- in preference order - addresses[9] HostAddresses OPTIONAL, - enc-authorization-data[10] EncryptedData OPTIONAL, - -- Encrypted AuthorizationData - -- encoding - additional-tickets[11] SEQUENCE OF Ticket OPTIONAL -} - -The fields in this message are: - -pvno - This field is included in each message, and specifies the protocol - version number. This document specifies protocol version 5. -msg-type - This field indicates the type of a protocol message. It will almost - always be the same as the application identifier associated with a - message. It is included to make the identifier more readily accessible - to the application. For the KDC-REQ message, this type will be - KRB_AS_REQ or KRB_TGS_REQ. 
-padata - The padata (pre-authentication data) field contains a sequence of - authentication information which may be needed before credentials can - be issued or decrypted. In the case of requests for additional tickets - (KRB_TGS_REQ), this field will include an element with padata-type of - PA-TGS-REQ and data of an authentication header (ticket-granting - ticket and authenticator). The checksum in the authenticator (which - must be collision-proof) is to be computed over the KDC-REQ-BODY - encoding. In most requests for initial authentication (KRB_AS_REQ) and - most replies (KDC-REP), the padata field will be left out. - - This field may also contain information needed by certain extensions - to the Kerberos protocol. For example, it might be used to initially - verify the identity of a client before any response is returned. When - this field is used to authenticate or pre-authenticate a request, it - should contain a keyed checksum over the KDC-REQ-BODY to bind the - pre-authentication data to rest of the request. The KDC, as a matter - of policy, may decide whether to honor a KDC-REQ which includes any - pre-authentication data that does not contain the checksum field. - PA-ENC-TIMESTAMP defines a pre-authentication data type that is used - for authenticating a client by way of an encrypted timestamp. This is - accomplished with a padata field with padata-type equal to - PA-ENC-TIMESTAMP and padata-value defined as follows (query: the - checksum is new in this definition. If the optional field will break - things we can keep the old PA-ENC-TS-ENC, and define a new alternate - form that includes the checksum). 
: - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - padata-type ::= PA-ENC-TIMESTAMP - padata-value ::= EncryptedData -- PA-ENC-TS-ENC - - PA-ENC-TS-ENC ::= SEQUENCE { - patimestamp[0] KerberosTime, -- client's time - pausec[1] INTEGER OPTIONAL, - pachecksum[2] checksum OPTIONAL - -- keyed checksum of -KDC-REQ-BODY - } - - with patimestamp containing the client's time and pausec containing - the microseconds which may be omitted if a client will not generate - more than one request per second. The ciphertext (padata-value) - consists of the PA-ENC-TS-ENC sequence, encrypted using the client's - secret key. - - [use-specified-kvno item is here for discussion and may be removed] It - may also be used by the client to specify the version of a key that is - being used for accompanying preauthentication, and/or which should be - used to encrypt the reply from the KDC. - - PA-USE-SPECIFIED-KVNO ::= Integer - - The KDC should only accept and abide by the value of the - use-specified-kvno preauthentication data field when the specified key - is still valid and until use of a new key is confirmed. This situation - is likely to occur primarily during the period during which an updated - key is propagating to other KDC's in a realm. - - The padata field can also contain information needed to help the KDC - or the client select the key needed for generating or decrypting the - response. This form of the padata is useful for supporting the use of - certain token cards with Kerberos. The details of such extensions are - specified in separate documents. See [Pat92] for additional uses of - this field. -padata-type - The padata-type element of the padata field indicates the way that the - padata-value element is to be interpreted. Negative values of - padata-type are reserved for unregistered use; non-negative values are - used for a registered interpretation of the element type. 
-req-body - This field is a placeholder delimiting the extent of the remaining - fields. If a checksum is to be calculated over the request, it is - calculated over an encoding of the KDC-REQ-BODY sequence which is - enclosed within the req-body field. -kdc-options - This field appears in the KRB_AS_REQ and KRB_TGS_REQ requests to the - KDC and indicates the flags that the client wants set on the tickets - as well as other information that is to modify the behavior of the - KDC. Where appropriate, the name of an option may be the same as the - flag that is set by that option. Although in most case, the bit in the - options field will be the same as that in the flags field, this is not - guaranteed, so it is not acceptable to simply copy the options field - to the flags field. There are various checks that must be made before - honoring an option anyway. - - The kdc_options field is a bit-field, where the selected options are - indicated by the bit being set (1), and the unselected options and - reserved fields being reset (0). The encoding of the bits is specified - in section 5.2. The options are described in more detail above in - section 2. The meanings of the options are: - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - Bit(s) Name Description - 0 RESERVED - Reserved for future expansion of -this - field. - - 1 FORWARDABLE - The FORWARDABLE option indicates -that - the ticket to be issued is to have -its - forwardable flag set. It may only -be - set on the initial request, or in a -sub- - sequent request if the -ticket-granting - ticket on which it is based is also -for- - wardable. - - 2 FORWARDED - The FORWARDED option is only -specified - in a request to the -ticket-granting - server and will only be honored if -the - ticket-granting ticket in the -request - has its FORWARDABLE bit set. -This - option indicates that this is a -request - for forwarding. 
The address(es) of -the - host from which the resulting ticket -is - to be valid are included in -the - addresses field of the request. - - 3 PROXIABLE - The PROXIABLE option indicates that -the - ticket to be issued is to have its -prox- - iable flag set. It may only be set -on - the initial request, or in a -subsequent - request if the ticket-granting ticket -on - which it is based is also proxiable. - - 4 PROXY - The PROXY option indicates that this -is - a request for a proxy. This option -will - only be honored if the -ticket-granting - ticket in the request has its -PROXIABLE - bit set. The address(es) of the -host - from which the resulting ticket is to -be - valid are included in the -addresses - field of the request. - - 5 ALLOW-POSTDATE - The ALLOW-POSTDATE option indicates -that - the ticket to be issued is to have -its - MAY-POSTDATE flag set. It may only -be - set on the initial request, or in a -sub- - sequent request if the -ticket-granting - ticket on which it is based also has -its - MAY-POSTDATE flag set. - - 6 POSTDATED - The POSTDATED option indicates that -this - is a request for a postdated -ticket. - This option will only be honored if -the - ticket-granting ticket on which it -is - based has its MAY-POSTDATE flag -set. - The resulting ticket will also have -its - INVALID flag set, and that flag may -be - reset by a subsequent request to the -KDC - after the starttime in the ticket -has - been reached. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - 7 UNUSED - This option is presently unused. - - 8 RENEWABLE - The RENEWABLE option indicates that -the - ticket to be issued is to have -its - RENEWABLE flag set. It may only be -set - on the initial request, or when -the - ticket-granting ticket on which -the - request is based is also renewable. 
-If - this option is requested, then the -rtime - field in the request contains -the - desired absolute expiration time for -the - ticket. - - 9 RESERVED - Reserved for PK-Cross - - 10-13 UNUSED - These options are presently unused. - - 14 REQUEST-ANONYMOUS - The REQUEST-ANONYMOUS option -indicates - that the ticket to be issued is not -to - identify the user to which it -was - issued. Instead, the principal -identif- - ier is to be generic, as specified -by - the policy of the realm (e.g. -usually - anonymous@realm). The purpose of -the - ticket is only to securely distribute -a - session key, and not to identify -the - user. The ANONYMOUS flag on the -ticket - to be returned should be set. If -the - local realms policy does not -permit - anonymous credentials, the request is -to - be rejected. - - 15 CANONICALIZE - The CANONICALIZE option indicates that - the client will accept the return of a - true server name instead of the name - specified in the request. In addition - the client will be able to process - any TGT referrals that will direct - the client to another realm to locate - the requested server. If a KDC does - not support name- canonicalization, - the option is ignored and the - appropriate - KDC_ERR_C_PRINCIPAL_UNKNOWN or - KDC_ERR_S_PRINCIPAL_UNKNOWN error is - returned. [JBrezak] - - 16-25 RESERVED - Reserved for future use. - - 26 DISABLE-TRANSITED-CHECK - By default the KDC will check the - transited field of a ticket-granting- - ticket against the policy of the local - realm before it will issue derivative - tickets based on the ticket granting - ticket. If this flag is set in the - request, checking of the transited -field - is disabled. 
Tickets issued without -the - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - performance of this check will be -noted - by the reset (0) value of the - TRANSITED-POLICY-CHECKED flag, - indicating to the application server - that the tranisted field must be -checked - locally. KDC's are encouraged but not - required to honor the - DISABLE-TRANSITED-CHECK option. - - 27 RENEWABLE-OK - The RENEWABLE-OK option indicates that -a - renewable ticket will be acceptable if -a - ticket with the requested life -cannot - otherwise be provided. If a ticket -with - the requested life cannot be -provided, - then a renewable ticket may be -issued - with a renew-till equal to the -the - requested endtime. The value of -the - renew-till field may still be limited -by - local limits, or limits selected by -the - individual principal or server. - - 28 ENC-TKT-IN-SKEY - This option is used only by the -ticket- - granting service. The -ENC-TKT-IN-SKEY - option indicates that the ticket for -the - end server is to be encrypted in -the - session key from the additional -ticket- - granting ticket provided. - - 29 RESERVED - Reserved for future use. - - 30 RENEW - This option is used only by the -ticket- - granting service. The RENEW -option - indicates that the present request -is - for a renewal. The ticket provided -is - encrypted in the secret key for -the - server on which it is valid. -This - option will only be honored if -the - ticket to be renewed has its -RENEWABLE - flag set and if the time in its -renew- - till field has not passed. The -ticket - to be renewed is passed in the -padata - field as part of the -authentication - header. - - 31 VALIDATE - This option is used only by the -ticket- - granting service. The VALIDATE -option - indicates that the request is to -vali- - date a postdated ticket. 
It will -only - be honored if the ticket presented -is - postdated, presently has its -INVALID - flag set, and would be otherwise -usable - at this time. A ticket cannot be -vali- - dated before its starttime. The -ticket - presented for validation is encrypted -in - the key of the server for which it -is - valid and is passed in the padata -field - as part of the authentication header. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -cname and sname - These fields are the same as those described for the ticket in section - 5.3.1. sname may only be absent when the ENC-TKT-IN-SKEY option is - specified. If absent, the name of the server is taken from the name of - the client in the ticket passed as additional-tickets. -enc-authorization-data - The enc-authorization-data, if present (and it can only be present in - the TGS_REQ form), is an encoding of the desired authorization-data - encrypted under the sub-session key if present in the Authenticator, - or alternatively from the session key in the ticket-granting ticket, - both from the padata field in the KRB_AP_REQ. -realm - This field specifies the realm part of the server's principal - identifier. In the AS exchange, this is also the realm part of the - client's principal identifier. If the CANONICALIZE option is set, the - realm is used as a hint to the KDC for its database lookup. -from - This field is included in the KRB_AS_REQ and KRB_TGS_REQ ticket - requests when the requested ticket is to be postdated. It specifies - the desired start time for the requested ticket. If this field is - omitted then the KDC should use the current time instead. -till - This field contains the expiration date requested by the client in a - ticket request. 
It is optional and if omitted the requested ticket is - to have the maximum endtime permitted according to KDC policy for the - parties to the authentication exchange as limited by expiration date - of the ticket granting ticket or other preauthentication credentials. -rtime - This field is the requested renew-till time sent from a client to the - KDC in a ticket request. It is optional. -nonce - This field is part of the KDC request and response. It it intended to - hold a random number generated by the client. If the same number is - included in the encrypted response from the KDC, it provides evidence - that the response is fresh and has not been replayed by an attacker. - Nonces must never be re-used. Ideally, it should be generated - randomly, but if the correct time is known, it may suffice[25]. -etype - This field specifies the desired encryption algorithm to be used in - the response. -addresses - This field is included in the initial request for tickets, and - optionally included in requests for additional tickets from the - ticket-granting server. It specifies the addresses from which the - requested ticket is to be valid. Normally it includes the addresses - for the client's host. If a proxy is requested, this field will - contain other addresses. The contents of this field are usually copied - by the KDC into the caddr field of the resulting ticket. -additional-tickets - Additional tickets may be optionally included in a request to the - ticket-granting server. If the ENC-TKT-IN-SKEY option has been - specified, then the session key from the additional ticket will be - used in place of the server's key to encrypt the new ticket. When he - ENC-TKT-IN-SKEY option is used for user-to-user authentication, this - addional ticket may be a TGT issued by the local realm or an - inter-realm TGT issued for the current KDC's realm by a remote KDC. 
If - more than one option which requires additional tickets has been - specified, then the additional tickets are used in the order specified - by the ordering of the options bits (see kdc-options, above). - -The application code will be either ten (10) or twelve (12) depending on -whether the request is for an initial ticket (AS-REQ) or for an additional -ticket (TGS-REQ). - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -The optional fields (addresses, authorization-data and additional-tickets) -are only included if necessary to perform the operation specified in the -kdc-options field. - -It should be noted that in KRB_TGS_REQ, the protocol version number appears -twice and two different message types appear: the KRB_TGS_REQ message -contains these fields as does the authentication header (KRB_AP_REQ) that -is passed in the padata field. - -5.4.2. KRB_KDC_REP definition - -The KRB_KDC_REP message format is used for the reply from the KDC for -either an initial (AS) request or a subsequent (TGS) request. There is no -message type for KRB_KDC_REP. Instead, the type will be either KRB_AS_REP -or KRB_TGS_REP. The key used to encrypt the ciphertext part of the reply -depends on the message type. For KRB_AS_REP, the ciphertext is encrypted in -the client's secret key, and the client's key version number is included in -the key version number for the encrypted data. For KRB_TGS_REP, the -ciphertext is encrypted in the sub-session key from the Authenticator, or -if absent, the session key from the ticket-granting ticket used in the -request. In that case, no version number will be present in the -EncryptedData sequence. 
- -The KRB_KDC_REP message contains the following fields: - -AS-REP ::= [APPLICATION 11] KDC-REP -TGS-REP ::= [APPLICATION 13] KDC-REP - -KDC-REP ::= SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - padata[2] SEQUENCE OF PA-DATA OPTIONAL, - crealm[3] Realm, - cname[4] PrincipalName, - ticket[5] Ticket, - enc-part[6] EncryptedData -} - -EncASRepPart ::= [APPLICATION 25[27]] EncKDCRepPart -EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart - -EncKDCRepPart ::= SEQUENCE { - key[0] EncryptionKey, - last-req[1] LastReq, - nonce[2] INTEGER, - key-expiration[3] KerberosTime OPTIONAL, - flags[4] TicketFlags, - authtime[5] KerberosTime, - starttime[6] KerberosTime OPTIONAL, - endtime[7] KerberosTime, - renew-till[8] KerberosTime OPTIONAL, - srealm[9] Realm, - sname[10] PrincipalName, - caddr[11] HostAddresses OPTIONAL -} - -pvno and msg-type - These fields are described above in section 5.4.1. msg-type is either - KRB_AS_REP or KRB_TGS_REP. - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -padata - This field is described in detail in section 5.4.1. One possible use - for this field is to encode an alternate "mix-in" string to be used - with a string-to-key algorithm (such as is described in section - 6.3.2). This ability is useful to ease transitions if a realm name - needs to change (e.g. when a company is acquired); in such a case all - existing password-derived entries in the KDC database would be flagged - as needing a special mix-in string until the next password change. -crealm, cname, srealm and sname - These fields are the same as those described for the ticket in section - 5.3.1. -ticket - The newly-issued ticket, from section 5.3.1. -enc-part - This field is a place holder for the ciphertext and related - information that forms the encrypted part of a message. The - description of the encrypted part of the message follows each - appearance of this field. 
The encrypted part is encoded as described - in section 6.1. -key - This field is the same as described for the ticket in section 5.3.1. -last-req - This field is returned by the KDC and specifies the time(s) of the - last request by a principal. Depending on what information is - available, this might be the last time that a request for a - ticket-granting ticket was made, or the last time that a request based - on a ticket-granting ticket was successful. It also might cover all - servers for a realm, or just the particular server. Some - implementations may display this information to the user to aid in - discovering unauthorized use of one's identity. It is similar in - spirit to the last login time displayed when logging into timesharing - systems. -nonce - This field is described above in section 5.4.1. -key-expiration - The key-expiration field is part of the response from the KDC and - specifies the time that the client's secret key is due to expire. The - expiration might be the result of password aging or an account - expiration. This field will usually be left out of the TGS reply since - the response to the TGS request is encrypted in a session key and no - client information need be retrieved from the KDC database. It is up - to the application client (usually the login program) to take - appropriate action (such as notifying the user) if the expiration time - is imminent. -flags, authtime, starttime, endtime, renew-till and caddr - These fields are duplicates of those found in the encrypted portion of - the attached ticket (see section 5.3.1), provided so the client may - verify they match the intended request and to assist in proper ticket - caching. If the message is of type KRB_TGS_REP, the caddr field will - only be filled in if the request was for a proxy or forwarded ticket, - or if the user is substituting a subset of the addresses from the - ticket granting ticket. 
If the client-requested addresses are not - present or not used, then the addresses contained in the ticket will - be the same as those included in the ticket-granting ticket. - -5.5. Client/Server (CS) message specifications - -This section specifies the format of the messages used for the -authentication of the client to the application server. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -5.5.1. KRB_AP_REQ definition - -The KRB_AP_REQ message contains the Kerberos protocol version number, the -message type KRB_AP_REQ, an options field to indicate any options in use, -and the ticket and authenticator themselves. The KRB_AP_REQ message is -often referred to as the 'authentication header'. - -AP-REQ ::= [APPLICATION 14] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - ap-options[2] APOptions, - ticket[3] Ticket, - authenticator[4] EncryptedData -} - -APOptions ::= BIT STRING { - reserved(0), - use-session-key(1), - mutual-required(2) -} - - - -pvno and msg-type - These fields are described above in section 5.4.1. msg-type is - KRB_AP_REQ. -ap-options - This field appears in the application request (KRB_AP_REQ) and affects - the way the request is processed. It is a bit-field, where the - selected options are indicated by the bit being set (1), and the - unselected options and reserved fields being reset (0). The encoding - of the bits is specified in section 5.2. The meanings of the options - are: - - Bit(s) Name Description - - 0 RESERVED - Reserved for future expansion of this - field. - - 1 USE-SESSION-KEY - The USE-SESSION-KEY option indicates - that the ticket the client is presenting - to a server is encrypted in the session - key from the server's ticket-granting - ticket. When this option is not speci- - fied, the ticket is encrypted in the - server's secret key. 
- - 2 MUTUAL-REQUIRED - The MUTUAL-REQUIRED option tells the - server that the client requires mutual - authentication, and that it must respond - with a KRB_AP_REP message. - - 3-31 RESERVED - Reserved for future use. - -ticket - This field is a ticket authenticating the client to the server. -authenticator - This contains the authenticator, which includes the client's choice of - a subkey. Its encoding is described in section 5.3.2. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -5.5.2. KRB_AP_REP definition - -The KRB_AP_REP message contains the Kerberos protocol version number, the -message type, and an encrypted time- stamp. The message is sent in in -response to an application request (KRB_AP_REQ) where the mutual -authentication option has been selected in the ap-options field. - -AP-REP ::= [APPLICATION 15] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - enc-part[2] EncryptedData -} - -EncAPRepPart ::= [APPLICATION 27[29]] SEQUENCE { - ctime[0] KerberosTime, - cusec[1] INTEGER, - subkey[2] EncryptionKey OPTIONAL, - seq-number[3] INTEGER OPTIONAL -} - -The encoded EncAPRepPart is encrypted in the shared session key of the -ticket. The optional subkey field can be used in an application-arranged -negotiation to choose a per association session key. - -pvno and msg-type - These fields are described above in section 5.4.1. msg-type is - KRB_AP_REP. -enc-part - This field is described above in section 5.4.2. -ctime - This field contains the current time on the client's host. -cusec - This field contains the microsecond part of the client's timestamp. -subkey - This field contains an encryption key which is to be used to protect - this specific application session. See section 3.2.6 for specifics on - how this field is used to negotiate a key. 
Unless an application - specifies otherwise, if this field is left out, the sub-session key - from the authenticator, or if also left out, the session key from the - ticket will be used. - -5.5.3. Error message reply - -If an error occurs while processing the application request, the KRB_ERROR -message will be sent in response. See section 5.9.1 for the format of the -error message. The cname and crealm fields may be left out if the server -cannot determine their appropriate values from the corresponding KRB_AP_REQ -message. If the authenticator was decipherable, the ctime and cusec fields -will contain the values from it. - -5.6. KRB_SAFE message specification - -This section specifies the format of a message that can be used by either -side (client or server) of an application to send a tamper-proof message to -its peer. It presumes that a session key has previously been exchanged (for -example, by using the KRB_AP_REQ/KRB_AP_REP messages). - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -5.6.1. KRB_SAFE definition - -The KRB_SAFE message contains user data along with a collision-proof -checksum keyed with the last encryption key negotiated via subkeys, or the -session key if no negotiation has occured. The message fields are: - -KRB-SAFE ::= [APPLICATION 20] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - safe-body[2] KRB-SAFE-BODY, - cksum[3] Checksum -} - -KRB-SAFE-BODY ::= SEQUENCE { - user-data[0] OCTET STRING, - timestamp[1] KerberosTime OPTIONAL, - usec[2] INTEGER OPTIONAL, - seq-number[3] INTEGER OPTIONAL, - s-address[4] HostAddress OPTIONAL, - r-address[5] HostAddress OPTIONAL -} - -pvno and msg-type - These fields are described above in section 5.4.1. msg-type is - KRB_SAFE. -safe-body - This field is a placeholder for the body of the KRB-SAFE message. -cksum - This field contains the checksum of the application data. Checksum - details are described in section 6.4. 
The checksum is computed over - the encoding of the KRB-SAFE sequence. First, the cksum is zeroed and - the checksum is computed over the encoding of the KRB-SAFE sequence, - then the checksum is set to the result of that computation, and - finally the KRB-SAFE sequence is encoded again. -user-data - This field is part of the KRB_SAFE and KRB_PRIV messages and contain - the application specific data that is being passed from the sender to - the recipient. -timestamp - This field is part of the KRB_SAFE and KRB_PRIV messages. Its contents - are the current time as known by the sender of the message. By - checking the timestamp, the recipient of the message is able to make - sure that it was recently generated, and is not a replay. -usec - This field is part of the KRB_SAFE and KRB_PRIV headers. It contains - the microsecond part of the timestamp. -seq-number - This field is described above in section 5.3.2. -s-address - This field specifies the address in use by the sender of the message. - It may be omitted if not required by the application protocol. The - application designer considering omission of this field is warned, - that the inclusion of this address prevents some kinds of replay - attacks (e.g., reflection attacks) and that it is only acceptable to - omit this address if there is sufficient information in the integrity - protected part of the application message for the recipient to - unambiguously determine if it was the intended recipient. -r-address - This field specifies the address in use by the recipient of the - message. It may be omitted for some uses (such as broadcast - protocols), but the recipient may arbitrarily reject such messages. - This field along with s-address can be used to help detect messages - which have been incorrectly or maliciously delivered to the wrong - recipient. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -5.7. 
KRB_PRIV message specification - -This section specifies the format of a message that can be used by either -side (client or server) of an application to securely and privately send a -message to its peer. It presumes that a session key has previously been -exchanged (for example, by using the KRB_AP_REQ/KRB_AP_REP messages). - -5.7.1. KRB_PRIV definition - -The KRB_PRIV message contains user data encrypted in the Session Key. The -message fields are: - -KRB-PRIV ::= [APPLICATION 21] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - enc-part[3] EncryptedData -} - -EncKrbPrivPart ::= [APPLICATION 28[31]] SEQUENCE { - user-data[0] OCTET STRING, - timestamp[1] KerberosTime OPTIONAL, - usec[2] INTEGER OPTIONAL, - seq-number[3] INTEGER OPTIONAL, - s-address[4] HostAddress OPTIONAL, -- sender's -addr - r-address[5] HostAddress OPTIONAL -- recip's -addr -} - -pvno and msg-type - These fields are described above in section 5.4.1. msg-type is - KRB_PRIV. -enc-part - This field holds an encoding of the EncKrbPrivPart sequence encrypted - under the session key[32]. This encrypted encoding is used for the - enc-part field of the KRB-PRIV message. See section 6 for the format - of the ciphertext. -user-data, timestamp, usec, s-address and r-address - These fields are described above in section 5.6.1. -seq-number - This field is described above in section 5.3.2. - -5.8. KRB_CRED message specification - -This section specifies the format of a message that can be used to send -Kerberos credentials from one principal to another. It is presented here to -encourage a common mechanism to be used by applications when forwarding -tickets or providing proxies to subordinate servers. It presumes that a -session key has already been exchanged perhaps by using the -KRB_AP_REQ/KRB_AP_REP messages. - -5.8.1. KRB_CRED definition - -The KRB_CRED message contains a sequence of tickets to be sent and -information needed to use the tickets, including the session key from each. 
-The information needed to use the tickets is encrypted under an encryption -key previously exchanged or transferred alongside the KRB_CRED message. The -message fields are: - -KRB-CRED ::= [APPLICATION 22] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, -- KRB_CRED - tickets[2] SEQUENCE OF Ticket, - enc-part[3] EncryptedData -} - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -EncKrbCredPart ::= [APPLICATION 29] SEQUENCE { - ticket-info[0] SEQUENCE OF KrbCredInfo, - nonce[1] INTEGER OPTIONAL, - timestamp[2] KerberosTime OPTIONAL, - usec[3] INTEGER OPTIONAL, - s-address[4] HostAddress OPTIONAL, - r-address[5] HostAddress OPTIONAL -} - -KrbCredInfo ::= SEQUENCE { - key[0] EncryptionKey, - prealm[1] Realm OPTIONAL, - pname[2] PrincipalName OPTIONAL, - flags[3] TicketFlags OPTIONAL, - authtime[4] KerberosTime OPTIONAL, - starttime[5] KerberosTime OPTIONAL, - endtime[6] KerberosTime OPTIONAL - renew-till[7] KerberosTime OPTIONAL, - srealm[8] Realm OPTIONAL, - sname[9] PrincipalName OPTIONAL, - caddr[10] HostAddresses OPTIONAL -} - -pvno and msg-type - These fields are described above in section 5.4.1. msg-type is - KRB_CRED. -tickets - These are the tickets obtained from the KDC specifically for use by - the intended recipient. Successive tickets are paired with the - corresponding KrbCredInfo sequence from the enc-part of the KRB-CRED - message. -enc-part - This field holds an encoding of the EncKrbCredPart sequence encrypted - under the session key shared between the sender and the intended - recipient. This encrypted encoding is used for the enc-part field of - the KRB-CRED message. See section 6 for the format of the ciphertext. -nonce - If practical, an application may require the inclusion of a nonce - generated by the recipient of the message. 
If the same value is - included as the nonce in the message, it provides evidence that the - message is fresh and has not been replayed by an attacker. A nonce - must never be re-used; it should be generated randomly by the - recipient of the message and provided to the sender of the message in - an application specific manner. -timestamp and usec - These fields specify the time that the KRB-CRED message was generated. - The time is used to provide assurance that the message is fresh. -s-address and r-address - These fields are described above in section 5.6.1. They are used - optionally to provide additional assurance of the integrity of the - KRB-CRED message. -key - This field exists in the corresponding ticket passed by the KRB-CRED - message and is used to pass the session key from the sender to the - intended recipient. The field's encoding is described in section 6.2. - -The following fields are optional. If present, they can be associated with -the credentials in the remote ticket file. If left out, then it is assumed -that the recipient of the credentials already knows their value. - -prealm and pname - The name and realm of the delegated principal identity. -flags, authtime, starttime, endtime, renew-till, srealm, sname, and caddr - These fields contain the values of the correspond- ing fields from the - ticket found in the ticket field. Descriptions of the fields are - identical to the descriptions in the KDC-REP message. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -5.9. Error message specification - -This section specifies the format for the KRB_ERROR message. The fields -included in the message are intended to return as much information as -possible about an error. It is not expected that all the information -required by the fields will be available for all types of errors. 
If the -appropriate information is not available when the message is composed, the -corresponding field will be left out of the message. - -Note that since the KRB_ERROR message is only optionally integrity -protected, it is quite possible for an intruder to synthesize or modify -such a message. In particular, this means that unless appropriate integrity -protection mechanisms have been applied to the KRB_ERROR message, the -client should not use any fields in this message for security-critical -purposes, such as setting a system clock or generating a fresh -authenticator. The message can be useful, however, for advising a user on -the reason for some failure. - -5.9.1. KRB_ERROR definition - -The KRB_ERROR message consists of the following fields: - -KRB-ERROR ::= [APPLICATION 30] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - ctime[2] KerberosTime OPTIONAL, - cusec[3] INTEGER OPTIONAL, - stime[4] KerberosTime, - susec[5] INTEGER, - error-code[6] INTEGER, - crealm[7] Realm OPTIONAL, - cname[8] PrincipalName OPTIONAL, - realm[9] Realm, -- Correct realm - sname[10] PrincipalName, -- Correct name - e-text[11] GeneralString OPTIONAL, - e-data[12] OCTET STRING OPTIONAL, - e-cksum[13] Checksum OPTIONAL, -} - - - -pvno and msg-type - These fields are described above in section 5.4.1. msg-type is - KRB_ERROR. -ctime - This field is described above in section 5.4.1. -cusec - This field is described above in section 5.5.2. -stime - This field contains the current time on the server. It is of type - KerberosTime. -susec - This field contains the microsecond part of the server's timestamp. - Its value ranges from 0 to 999999. It appears along with stime. The - two fields are used in conjunction to specify a reasonably accurate - timestamp. -error-code - This field contains the error code returned by Kerberos or the server - when a request fails. To interpret the value of this field see the - list of error codes in section 8. 
Implementations are encouraged to - provide for national language support in the display of error - messages. -crealm, cname, srealm and sname - These fields are described above in section 5.3.1. - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -e-text - This field contains additional text to help explain the error code - associated with the failed request (for example, it might include a - principal name which was unknown). -e-data - This field contains additional data about the error for use by the - application to help it recover from or handle the error. If present, - this field will contain the encoding of a sequence of TypedData - (TYPED-DATA below), unless the errorcode is KDC_ERR_PREAUTH_REQUIRED, - in which case it will contain the encoding of a sequence of of padata - fields (METHOD-DATA below), each corresponding to an acceptable - pre-authentication method and optionally containing data for the - method: - - TYPED-DATA ::= SEQUENCE of TypeData - METHOD-DATA ::= SEQUENCE of PA-DATA - - TypedData ::= SEQUENCE { - data-type[0] INTEGER, - data-value[1] OCTET STRING OPTIONAL - } - - Note that e-data-types have been reserved for all PA data types - defined prior to July 1999. For the KDC_ERR_PREAUTH_REQUIRED message, - when using new PA data types defined in July 1999 or later, the - METHOD-DATA sequence must itself be encapsulated in an TypedData - element of type TD-PADATA. All new implementations interpreting the - METHOD-DATA field for the KDC_ERR_PREAUTH_REQUIRED message must accept - a type of TD-PADATA, extract the typed data field and interpret the - use any elements encapsulated in the TD-PADATA elements as if they - were present in the METHOD-DATA sequence. -e-cksum - This field contains an optional checksum for the KRB-ERROR message. - The checksum is calculated over the Kerberos ASN.1 encoding of the - KRB-ERROR message with the checksum absent. 
The checksum is then added
- to the KRB-ERROR structure and the message is re-encoded. The Checksum
- should be calculated using the session key from the ticket granting
- ticket or service ticket, where available. If the error is in response
- to a TGS or AP request, the checksum should be calculated uing the the
- session key from the client's ticket. If the error is in response to
- an AS request, then the checksum should be calulated using the
- client's secret key ONLY if there has been suitable preauthentication
- to prove knowledge of the secret key by the client[33]. If a checksum
- can not be computed because the key to be used is not available, no
- checksum will be included.
-
- 6. Encryption and Checksum Specifications
-
- The Kerberos protocols described in this document are designed to use
- stream encryption ciphers, which can be simulated using commonly
- available block encryption ciphers, such as the Data Encryption
- Standard [DES77], and triple DES variants, in conjunction with block
- chaining and checksum methods [DESM80]. Encryption is used to prove
- the identities of the network entities participating in message
- exchanges. The Key Distribution Center for each realm is trusted by
- all principals registered in that realm to store a secret key in
- confidence. Proof of knowledge of this secret key is used to verify
- the authenticity of a principal.
-
- The KDC uses the principal's secret key (in the AS exchange) or a
- shared session key (in the TGS exchange) to encrypt responses to
- ticket requests; the ability to obtain the secret key or session key
- implies the knowledge of the appropriate keys and the identity of the
- KDC. 
The ability of a principal to decrypt the KDC response and
- present a Ticket and a properly formed Authenticator (generated with
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
- the session key from the KDC response) to a service verifies the
- identity of the principal; likewise the ability of the service to
- extract the session key from the Ticket and prove its knowledge
- thereof in a response verifies the identity of the service.
-
- The Kerberos protocols generally assume that the encryption used is
- secure from cryptanalysis; however, in some cases, the order of fields
- in the encrypted portions of messages are arranged to minimize the
- effects of poorly chosen keys. It is still important to choose good
- keys. If keys are derived from user-typed passwords, those passwords
- need to be well chosen to make brute force attacks more difficult.
- Poorly chosen keys still make easy targets for intruders.
-
- The following sections specify the encryption and checksum mechanisms
- currently defined for Kerberos. The encodings, chaining, and padding
- requirements for each are described. For encryption methods, it is
- often desirable to place random information (often referred to as a
- confounder) at the start of the message. The requirements for a
- confounder are specified with each encryption mechanism.
-
- Some encryption systems use a block-chaining method to improve the the
- security characteristics of the ciphertext. However, these chaining
- methods often don't provide an integrity check upon decryption. Such
- systems (such as DES in CBC mode) must be augmented with a checksum of
- the plain-text which can be verified at decryption and used to detect
- any tampering or damage. Such checksums should be good at detecting
- burst errors in the input. 
If any damage is detected, the decryption
- routine is expected to return an error indicating the failure of an
- integrity check. Each encryption type is expected to provide and
- verify an appropriate checksum. The specification of each encryption
- method sets out its checksum requirements.
-
- Finally, where a key is to be derived from a user's password, an
- algorithm for converting the password to a key of the appropriate type
- is included. It is desirable for the string to key function to be
- one-way, and for the mapping to be different in different realms. This
- is important because users who are registered in more than one realm
- will often use the same password in each, and it is desirable that an
- attacker compromising the Kerberos server in one realm not obtain or
- derive the user's key in another.
-
- For an discussion of the integrity characteristics of the candidate
- encryption and checksum methods considered for Kerberos, the reader is
- referred to [SG92].
-
- 6.1. Encryption Specifications
-
- The following ASN.1 definition describes all encrypted messages. The
- enc-part field which appears in the unencrypted part of messages in
- section 5 is a sequence consisting of an encryption type, an optional
- key version number, and the ciphertext.
-
- EncryptedData ::= SEQUENCE {
- etype[0] INTEGER, -- EncryptionType
- kvno[1] INTEGER OPTIONAL,
- cipher[2] OCTET STRING -- ciphertext
- }
-
-
-
- etype
- This field identifies which encryption algorithm was used to
- encipher the cipher. Detailed specifications for selected
- encryption types appear later in this section.
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
- kvno
- This field contains the version number of the key under which
- data is encrypted. It is only present in messages encrypted under
- long lasting keys, such as principals' secret keys. 
- cipher - This field contains the enciphered text, encoded as an OCTET - STRING. - The cipher field is generated by applying the specified encryption - algorithm to data composed of the message and algorithm-specific - inputs. Encryption mechanisms defined for use with Kerberos must take - sufficient measures to guarantee the integrity of the plaintext, and - we recommend they also take measures to protect against precomputed - dictionary attacks. If the encryption algorithm is not itself capable - of doing so, the protections can often be enhanced by adding a - checksum and a confounder. - - The suggested format for the data to be encrypted includes a - confounder, a checksum, the encoded plaintext, and any necessary - padding. The msg-seq field contains the part of the protocol message - described in section 5 which is to be encrypted. The confounder, - checksum, and padding are all untagged and untyped, and their length - is exactly sufficient to hold the appropriate item. The type and - length is implicit and specified by the particular encryption type - being used (etype). The format for the data to be encrypted for some - methods is described in the following diagram, but other methods may - deviate from this layour - so long as the definition of the method - defines the layout actually in use. 
-
- +-----------+----------+-------------+-----+
- |confounder | check | msg-seq | pad |
- +-----------+----------+-------------+-----+
-
- The format cannot be described in ASN.1, but for those who prefer an
- ASN.1-like notation:
-
- CipherText ::= ENCRYPTED SEQUENCE {
- confounder[0] UNTAGGED[35] OCTET STRING(conf_length)
-OPTIONAL,
- check[1] UNTAGGED OCTET STRING(checksum_length)
-OPTIONAL,
- msg-seq[2] MsgSequence,
- pad UNTAGGED OCTET STRING(pad_length) OPTIONAL
- }
-
- One generates a random confounder of the appropriate length, placing
- it in confounder; zeroes out check; calculates the appropriate
- checksum over confounder, check, and msg-seq, placing the result in
- check; adds the necessary padding; then encrypts using the specified
- encryption type and the appropriate key.
-
- Unless otherwise specified, a definition of an encryption algorithm
- that specifies a checksum, a length for the confounder field, or an
- octet boundary for padding uses this ciphertext format[36]. Those
- fields which are not specified will be omitted.
-
- In the interest of allowing all implementations using a particular
- encryption type to communicate with all others using that type, the
- specification of an encryption type defines any checksum that is
- needed as part of the encryption process. If an alternative checksum
- is to be used, a new encryption type must be defined.
-
- Some cryptosystems require additional information beyond the key and
- the data to be encrypted. For example, DES, when used in
- cipher-block-chaining mode, requires an initialization vector. If
- required, the description for each encryption type must specify the
- source of such additional information. 6.2. 
Encryption Keys
-
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
- The sequence below shows the encoding of an encryption key:
-
- EncryptionKey ::= SEQUENCE {
- keytype[0] INTEGER,
- keyvalue[1] OCTET STRING
- }
-
- keytype
- This field specifies the type of encryption that is to be
- performed using the key that follows in the keyvalue field. It
- will always correspond to the etype to be used to generate or
- decode the EncryptedData. In cases when multiple algorithms use a
- common kind of key (e.g., if the encryption algorithm uses an
- alternate checksum algorithm for an integrity check, or a
- different chaining mechanism), the keytype provides information
- needed to determine which algorithm is to be used.
- keyvalue
- This field contains the key itself, encoded as an octet string.
- All negative values for the encryption key type are reserved for local
- use. All non-negative values are reserved for officially assigned type
- fields and interpreta- tions.
-
- 6.3. Encryption Systems
-
- 6.3.1. The NULL Encryption System (null)
-
- If no encryption is in use, the encryption system is said to be the
- NULL encryption system. In the NULL encryption system there is no
- checksum, confounder or padding. The ciphertext is simply the
- plaintext. The NULL Key is used by the null encryption system and is
- zero octets in length, with keytype zero (0).
-
- 6.3.2. DES in CBC mode with a CRC-32 checksum (des-cbc-crc)
-
- The des-cbc-crc encryption mode encrypts information under the Data
- Encryption Standard [DES77] using the cipher block chaining mode
- [DESM80]. A CRC-32 checksum (described in ISO 3309 [ISO3309]) is
- applied to the confounder and message sequence (msg-seq) and placed in
- the cksum field. DES blocks are 8 bytes. As a result, the data to be
- encrypted (the concatenation of confounder, checksum, and message)
- must be padded to an 8 byte boundary before encryption. 
The details of
- the encryption of this data are identical to those for the des-cbc-md5
- encryption mode.
-
- Note that, since the CRC-32 checksum is not collision-proof, an
- attacker could use a probabilistic chosen-plaintext attack to generate
- a valid message even if a confounder is used [SG92]. The use of
- collision-proof checksums is recommended for environments where such
- attacks represent a significant threat. The use of the CRC-32 as the
- checksum for ticket or authenticator is no longer mandated as an
- interoperability requirement for Kerberos Version 5 Specification 1
- (See section 9.1 for specific details).
-
- 6.3.3. DES in CBC mode with an MD4 checksum (des-cbc-md4)
-
- The des-cbc-md4 encryption mode encrypts information under the Data
- Encryption Standard [DES77] using the cipher block chaining mode
- [DESM80]. An MD4 checksum (described in [MD492]) is applied to the
- confounder and message sequence (msg-seq) and placed in the cksum
- field. DES blocks are 8 bytes. As a result, the data to be encrypted
- (the concatenation of confounder, checksum, and message) must be
- padded to an 8 byte boundary before encryption. The details of the
- encryption of this data are identical to those for the des-cbc-md5
- encryption mode.
-
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
- 6.3.4. DES in CBC mode with an MD5 checksum (des-cbc-md5)
-
- The des-cbc-md5 encryption mode encrypts information under the Data
- Encryption Standard [DES77] using the cipher block chaining mode
- [DESM80]. An MD5 checksum (described in [MD5-92].) is applied to the
- confounder and message sequence (msg-seq) and placed in the cksum
- field. DES blocks are 8 bytes. As a result, the data to be encrypted
- (the concatenation of confounder, checksum, and message) must be
- padded to an 8 byte boundary before encryption. 
-
- Plaintext and DES ciphtertext are encoded as blocks of 8 octets which
- are concatenated to make the 64-bit inputs for the DES algorithms. The
- first octet supplies the 8 most significant bits (with the octet's
- MSbit used as the DES input block's MSbit, etc.), the second octet the
- next 8 bits, ..., and the eighth octet supplies the 8 least
- significant bits.
-
- Encryption under DES using cipher block chaining requires an
- additional input in the form of an initialization vector. Unless
- otherwise specified, zero should be used as the initialization vector.
- Kerberos' use of DES requires an 8 octet confounder.
-
- The DES specifications identify some 'weak' and 'semi-weak' keys;
- those keys shall not be used for encrypting messages for use in
- Kerberos. Additionally, because of the way that keys are derived for
- the encryption of checksums, keys shall not be used that yield 'weak'
- or 'semi-weak' keys when eXclusive-ORed with the hexadecimal constant
- F0F0F0F0F0F0F0F0.
-
- A DES key is 8 octets of data, with keytype one (1). This consists of
- 56 bits of key, and 8 parity bits (one per octet). The key is encoded
- as a series of 8 octets written in MSB-first order. The bits within
- the key are also encoded in MSB order. For example, if the encryption
- key is (B1,B2,...,B7,P1,B8,...,B14,P2,B15,...,B49,P7,B50,...,B56,P8)
- where B1,B2,...,B56 are the key bits in MSB order, and P1,P2,...,P8
- are the parity bits, the first octet of the key would be
- B1,B2,...,B7,P1 (with B1 as the MSbit). [See the FIPS 81 introduction
- for reference.]
-
- String to key transformation
-
- To generate a DES key from a text string (password), a "salt" is
- concatenated to the text string, and then padded with ASCII nulls to
- an 8 byte boundary. This "salt" is normally the realm and each
- component of the principal's name appended. 
However, sometimes - different salts are used --- for example, when a realm is renamed, or - if a user changes her username, or for compatibility with Kerberos V4 - (whose string-to-key algorithm uses a null string for the salt). This - string is then fan-folded and eXclusive-ORed with itself to form an 8 - byte DES key. Before eXclusive-ORing a block, every byte is shifted - one bit to the left to leave the lowest bit zero. The key is the - "corrected" by correcting the parity on the key, and if the key - matches a 'weak' or 'semi-weak' key as described in the DES - specification, it is eXclusive-ORed with the constant - 00000000000000F0. This key is then used to generate a DES CBC checksum - on the initial string (with the salt appended). The result of the CBC - checksum is the "corrected" as described above to form the result - which is return as the key. Pseudocode follows: - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - name_to_default_salt(realm, name) { - s = realm - for(each component in name) { - s = s + component; - } - return s; - } - - key_correction(key) { - fixparity(key); - if (is_weak_key_key(key)) - key = key XOR 0xF0; - return(key); - } - - string_to_key(string,salt) { - - odd = 1; - s = string + salt; - tempkey = NULL; - pad(s); /* with nulls to 8 byte boundary */ - for(8byteblock in s) { - if(odd == 0) { - odd = 1; - reverse(8byteblock) - } - else odd = 0; - left shift every byte in 8byteblock one bit; - tempkey = tempkey XOR 8byteblock; - } - tempkey = key_correction(tempkey); - key = key_correction(DES-CBC-check(s,tempkey)); - return(key); - } - - 6.3.5. Triple DES with HMAC-SHA1 Kerberos Encryption Type with and - without Key Derivation [Original draft by Marc Horowitz, revisions by - David Miller] - - There are still a few pieces of this specification to be included - by falue, rather than by reference. This will be done before the - Pittsburgh IETF. 
- This encryption type is based on the Triple DES cryptosystem, the
- HMAC-SHA1 [Krawczyk96] message authentication algorithm, and key
- derivation for Kerberos V5 [HorowitzB96]. Key derivation may or may
- not be used in conjunction with the use of Triple DES keys.
-
- Algorithm Identifiers
-
- The des3-cbc-hmac-sha1 encryption type has been assigned the value 7.
- The des3-cbc-hmac-sha1-kd encryption type, specifying the key
- derivation variant of the encryption type, has been assigned the value
- 16. The hmac-sha1-des3 checksum type has been assigned the value 13.
- The hmac-sha1-des3-kd checksum type, specifying the key derivation
- variant of the checksum, has been assigned the value 12.
-
- Triple DES Key Production
-
- The EncryptionKey value is 24 octets long. The 7 most significant bits
- of each octet contain key bits, and the least significant bit is the
- inverse of the xor of the key bits.
-
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
- For the purposes of key derivation, the block size is 64 bits, and the
- key size is 168 bits. The 168 bits output by key derivation are
- converted to an EncryptionKey value as follows. First, the 168 bits
- are divided into three groups of 56 bits, which are expanded
- individually into 64 bits as follows:
-
- 1 2 3 4 5 6 7 p
- 9 10 11 12 13 14 15 p
- 17 18 19 20 21 22 23 p
- 25 26 27 28 29 30 31 p
- 33 34 35 36 37 38 39 p
- 41 42 43 44 45 46 47 p
- 49 50 51 52 53 54 55 p
- 56 48 40 32 24 16 8 p
-
- The "p" bits are parity bits computed over the data bits. The output
- of the three expansions are concatenated to form the EncryptionKey
- value.
-
- When the HMAC-SHA1 of a string is computed, the key is used in the
- EncryptedKey form.
-
- The string-to-key function is used to tranform UNICODE passwords into
- DES3 keys. The DES3 string-to-key function relies on the "N-fold"
- algorithm, which is detailed in [9]. 
The description of the N-fold
- algorithm in that document is as follows:
- o To n-fold a number X, replicate the input value to a length that
- is the least common multiple of n and the length of X. Before
- each repetition, the input is rotated to the right by 13 bit
- positions. The successive n-bit chunks are added together using
- 1's-complement addition (that is, addition with end-around carry)
- to yield an n-bit result"
- o The n-fold algorithm, as with DES string-to-key, is applied to
- the password string concatenated with a salt value. The salt
- value is derived in the same was as for the DES string-to-key
- algorithm. For 3-key triple DES then, the operation will involve
- a 168-fold of the input password string. The remainder of the
- string-to-key function for DES3 is shown here in pseudocode:
-
- DES3string-to-key(passwordString, key)
-
- salt = name_to_default_salt(realm, name)
- s = passwordString + salt
- tmpKey1 = 168-fold(s)
- parityFix(tmpKey1);
- if not weakKey(tmpKey1)
- /*
- * Encrypt temp key in itself with a
- * zero initialization vector
- *
- * Function signature is DES3encrypt(plain, key, iv)
- * with cipher as the return value
- */
- tmpKey2 = DES3encrypt(tmpKey1, tmpKey1, zeroIvec)
- /*
- * Encrypt resultant temp key in itself with third component
- * of first temp key as initialization vector
- */
- key = DES3encrypt(tmpKey2, tmpKey1, tmpKey1[2])
- parityFix(key)
- if not weakKey(key)
- return SUCCESS
- else
- return FAILURE
- else
- return FAILURE
-
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
- The weakKey function above is the same weakKey function used with DES
- keys, but applied to each of the three single DES keys that comprise
- the triple DES key.
-
- The lengths of UNICODE encoded character strings include the trailing
- terminator character (0). 
-
- Encryption Types des3-cbc-hmac-sha1 and des3-cbc-hmac-sha1-kd
-
- EncryptedData using this type must be generated as described in
- [Horowitz96]. The encryption algorithm is Triple DES in Outer-CBC
- mode. The checksum algorithm is HMAC-SHA1. If the key derivation
- variant of the encryption type is used, encryption key values are
- modified according to the method under the Key Derivation section
- below.
-
- Unless otherwise specified, a zero IV must be used.
-
- If the length of the input data is not a multiple of the block size,
- zero octets must be used to pad the plaintext to the next eight-octet
- boundary. The counfounder must be eight random octets (one block).
-
- Checksum Types hmac-sha1-des3 and hmac-sha1-des3-kd
-
- Checksums using this type must be generated as described in
- [Horowitz96]. The keyed hash algorithm is HMAC-SHA1. If the key
- derivation variant of the checksum type is used, checksum key values
- are modified according to the method under the Key Derivation section
- below.
-
- Key Derivation
-
- In the Kerberos protocol, cryptographic keys are used in a number of
- places. In order to minimize the effect of compromising a key, it is
- desirable to use a different key for each of these places. Key
- derivation [Horowitz96] can be used to construct different keys for
- each operation from the keys transported on the network. For this to
- be possible, a small change to the specification is necessary.
-
- This section specifies a profile for the use of key derivation
- [Horowitz96] with Kerberos. For each place where a key is used, a
- ``key usage'' must is specified for that purpose. The key, key usage,
- and encryption/checksum type together describe the transformation from
- plaintext to ciphertext, or plaintext to checksum.
-
- Key Usage Values
-
- This is a complete list of places keys are used in the kerberos
- protocol, with key usage values and RFC 1510 section numbers:
-
- 1. 
AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with the
- client key (section 5.4.1)
- 2. AS-REP Ticket and TGS-REP Ticket (includes tgs session key or
- application session key), encrypted with the service key
- (section 5.4.2)
- 3. AS-REP encrypted part (includes tgs session key or application
- session key), encrypted with the client key (section 5.4.2)
- 4. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
- session key (section 5.4.1)
- 5. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
- authenticator subkey (section 5.4.1)
- 6. TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator cksum, keyed
- with the tgs session key (sections 5.3.2, 5.4.1)
- 7. TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator (includes tgs
- authenticator subkey), encrypted with the tgs session key
- (section 5.3.2)
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
- 8. TGS-REP encrypted part (includes application session key),
- encrypted with the tgs session key (section 5.4.2)
- 9. TGS-REP encrypted part (includes application session key),
- encrypted with the tgs authenticator subkey (section 5.4.2)
- 10. AP-REQ Authenticator cksum, keyed with the application session
- key (section 5.3.2)
- 11. AP-REQ Authenticator (includes application authenticator
- subkey), encrypted with the application session key (section
- 5.3.2)
- 12. AP-REP encrypted part (includes application session subkey),
- encrypted with the application session key (section 5.5.2)
- 13. KRB-PRIV encrypted part, encrypted with a key chosen by the
- application (section 5.7.1)
- 14. KRB-CRED encrypted part, encrypted with a key chosen by the
- application (section 5.6.1)
- 15. KRB-SAVE cksum, keyed with a key chosen by the application
- (section 5.8.1)
- 18. KRB-ERROR checksum (e-cksum in section 5.9.1)
- 19. AD-KDCIssued checksum (ad-checksum in appendix B.1)
- 20. 
Checksum for Mandatory Ticket Extensions (appendix B.6)
- 21. Checksum in Authorization Data in Ticket Extensions (appendix B.7)
-
- Key usage values between 1024 and 2047 (inclusive) are reserved for
- application use. Applications should use even values for encryption
- and odd values for checksums within this range.
-
- A few of these key usages need a little clarification. A service which
- receives an AP-REQ has no way to know if the enclosed Ticket was part
- of an AS-REP or TGS-REP. Therefore, key usage 2 must always be used
- for generating a Ticket, whether it is in response to an AS- REQ or
- TGS-REQ.
-
- There might exist other documents which define protocols in terms of
- the RFC1510 encryption types or checksum types. Such documents would
- not know about key usages. In order that these documents continue to
- be meaningful until they are updated, key usages 1024 and 1025 must be
- used to derive keys for encryption and checksums, respectively. New
- protocols defined in terms of the Kerberos encryption and checksum
- types should use their own key usages. Key usages may be registered
- with IANA to avoid conflicts. Key usages must be unsigned 32 bit
- integers. Zero is not permitted.
-
- Defining Cryptosystems Using Key Derivation
-
- Kerberos requires that the ciphertext component of EncryptedData be
- tamper-resistant as well as confidential. This implies encryption and
- integrity functions, which must each use their own separate keys. So,
- for each key usage, two keys must be generated, one for encryption
- (Ke), and one for integrity (Ki):
-
- Ke = DK(protocol key, key usage | 0xAA)
- Ki = DK(protocol key, key usage | 0x55)
-
- where the protocol key is from the EncryptionKey from the wire
- protocol, and the key usage is represented as a 32 bit integer in
- network byte order. 
The ciphertest must be generated from the
- plaintext as follows:
-
- ciphertext = E(Ke, confounder | plaintext | padding) |
- H(Ki, confounder | plaintext | padding)
-
- The confounder and padding are specific to the encryption algorithm E.
-
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
- When generating a checksum only, there is no need for a confounder or
- padding. Again, a new key (Kc) must be used. Checksums must be
- generated from the plaintext as follows:
-
- Kc = DK(protocol key, key usage | 0x99)
- MAC = H(Kc, plaintext)
-
- Note that each enctype is described by an encryption algorithm E and a
- keyed hash algorithm H, and each checksum type is described by a keyed
- hash algorithm H. HMAC, with an appropriate hash, is required for use
- as H.
-
- Key Derivation from Passwords
-
- The well-known constant for password key derivation must be the byte
- string {0x6b 0x65 0x72 0x62 0x65 0x72 0x6f 0x73}. These values
- correspond to the ASCII encoding for the string "kerberos".
-
- 6.4. Checksums
-
- The following is the ASN.1 definition used for a checksum:
-
- Checksum ::= SEQUENCE {
- cksumtype[0] INTEGER,
- checksum[1] OCTET STRING
- }
-
- cksumtype
- This field indicates the algorithm used to generate the
- accompanying checksum.
- checksum
- This field contains the checksum itself, encoded as an octet
- string.
- Detailed specification of selected checksum types appear later in this
- section. Negative values for the checksum type are reserved for local
- use. All non-negative values are reserved for officially assigned type
- fields and interpretations.
-
- Checksums used by Kerberos can be classified by two properties:
- whether they are collision-proof, and whether they are keyed. It is
- infeasible to find two plaintexts which generate the same checksum
- value for a collision-proof checksum. 
A key is required to perturb or
- initialize the algorithm in a keyed checksum. To prevent
- message-stream modification by an active attacker, unkeyed checksums
- should only be used when the checksum and message will be subsequently
- encrypted (e.g. the checksums defined as part of the encryption
- algorithms covered earlier in this section).
-
- Collision-proof checksums can be made tamper-proof if the checksum
- value is encrypted before inclusion in a message. In such cases, the
- composition of the checksum and the encryption algorithm must be
- considered a separate checksum algorithm (e.g. RSA-MD5 encrypted using
- DES is a new checksum algorithm of type RSA-MD5-DES). For most keyed
- checksums, as well as for the encrypted forms of unkeyed
- collision-proof checksums, Kerberos prepends a confounder before the
- checksum is calculated.
-
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
- 6.4.1. The CRC-32 Checksum (crc32)
-
- The CRC-32 checksum calculates a checksum based on a cyclic redundancy
- check as described in ISO 3309 [ISO3309]. The resulting checksum is
- four (4) octets in length. The CRC-32 is neither keyed nor
- collision-proof. The use of this checksum is not recommended. An
- attacker using a probabilistic chosen-plaintext attack as described in
- [SG92] might be able to generate an alternative message that satisfies
- the checksum. The use of collision-proof checksums is recommended for
- environments where such attacks represent a significant threat.
-
- 6.4.2. The RSA MD4 Checksum (rsa-md4)
-
- The RSA-MD4 checksum calculates a checksum using the RSA MD4 algorithm
- [MD4-92]. The algorithm takes as input an input message of arbitrary
- length and produces as output a 128-bit (16 octet) checksum. RSA-MD4
- is believed to be collision-proof.
-
- 6.4.3. 
RSA MD4 Cryptographic Checksum Using DES (rsa-md4-des) - - The RSA-MD4-DES checksum calculates a keyed collision-proof checksum - by prepending an 8 octet confounder before the text, applying the RSA - MD4 checksum algorithm, and encrypting the confounder and the checksum - using DES in cipher-block-chaining (CBC) mode using a variant of the - key, where the variant is computed by eXclusive-ORing the key with the - constant F0F0F0F0F0F0F0F0[39]. The initialization vector should be - zero. The resulting checksum is 24 octets long (8 octets of which are - redundant). This checksum is tamper-proof and believed to be - collision-proof. - - The DES specifications identify some weak keys' and 'semi-weak keys'; - those keys shall not be used for generating RSA-MD4 checksums for use - in Kerberos. - - The format for the checksum is described in the follow- ing diagram: - - -+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ - | des-cbc(confounder + rsa-md4(confounder+msg),key=var(key),iv=0) -| - -+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ - - The format cannot be described in ASN.1, but for those who prefer an - ASN.1-like notation: - - rsa-md4-des-checksum ::= ENCRYPTED UNTAGGED SEQUENCE { - confounder[0] UNTAGGED OCTET STRING(8), - check[1] UNTAGGED OCTET STRING(16) - } - - 6.4.4. The RSA MD5 Checksum (rsa-md5) - - The RSA-MD5 checksum calculates a checksum using the RSA MD5 - algorithm. [MD5-92]. The algorithm takes as input an input message of - arbitrary length and produces as output a 128-bit (16 octet) checksum. - RSA-MD5 is believed to be collision-proof. - - 6.4.5. 
RSA MD5 Cryptographic Checksum Using DES (rsa-md5-des) - - The RSA-MD5-DES checksum calculates a keyed collision-proof checksum - by prepending an 8 octet confounder before the text, applying the RSA - MD5 checksum algorithm, and encrypting the confounder and the checksum - using DES in cipher-block-chaining (CBC) mode using a variant of the - key, where the variant is computed by eXclusive-ORing the key with the - hexadecimal constant F0F0F0F0F0F0F0F0. The initialization vector - should be zero. The resulting checksum is 24 octets long (8 octets of - which are redundant). This checksum is tamper-proof and believed to be - collision-proof. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - The DES specifications identify some 'weak keys' and 'semi-weak keys'; - those keys shall not be used for encrypting RSA-MD5 checksums for use - in Kerberos. - - The format for the checksum is described in the following diagram: - - -+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ - | des-cbc(confounder + rsa-md5(confounder+msg),key=var(key),iv=0) -| - -+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ - - The format cannot be described in ASN.1, but for those who prefer an - ASN.1-like notation: - - rsa-md5-des-checksum ::= ENCRYPTED UNTAGGED SEQUENCE { - confounder[0] UNTAGGED OCTET STRING(8), - check[1] UNTAGGED OCTET STRING(16) - } - - 6.4.6. 
DES cipher-block chained checksum (des-mac) - - The DES-MAC checksum is computed by prepending an 8 octet confounder - to the plaintext, performing a DES CBC-mode encryption on the result - using the key and an initialization vector of zero, taking the last - block of the ciphertext, prepending the same confounder and encrypting - the pair using DES in cipher-block-chaining (CBC) mode using a a - variant of the key, where the variant is computed by eXclusive-ORing - the key with the hexadecimal constant F0F0F0F0F0F0F0F0. The - initialization vector should be zero. The resulting checksum is 128 - bits (16 octets) long, 64 bits of which are redundant. This checksum - is tamper-proof and collision-proof. - - The format for the checksum is described in the following diagram: - - -+--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+ - | des-cbc(confounder + des-mac(conf+msg,iv=0,key),key=var(key),iv=0) -| - -+--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+ - - The format cannot be described in ASN.1, but for those who prefer an - ASN.1-like notation: - - des-mac-checksum ::= ENCRYPTED UNTAGGED SEQUENCE { - confounder[0] UNTAGGED OCTET STRING(8), - check[1] UNTAGGED OCTET STRING(8) - } - - The DES specifications identify some 'weak' and 'semi-weak' keys; - those keys shall not be used for generating DES-MAC checksums for use - in Kerberos, nor shall a key be used whose variant is 'weak' or - 'semi-weak'. - - 6.4.7. RSA MD4 Cryptographic Checksum Using DES alternative - (rsa-md4-des-k) - - The RSA-MD4-DES-K checksum calculates a keyed collision-proof checksum - by applying the RSA MD4 checksum algorithm and encrypting the results - using DES in cipher-block-chaining (CBC) mode using a DES key as both - key and initialization vector. The resulting checksum is 16 octets - long. This checksum is tamper-proof and believed to be - collision-proof. 
Note that this checksum type is the old method for - encoding the RSA-MD4-DES checksum and it is no longer recommended. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - 6.4.8. DES cipher-block chained checksum alternative (des-mac-k) - - The DES-MAC-K checksum is computed by performing a DES CBC-mode - encryption of the plaintext, and using the last block of the - ciphertext as the checksum value. It is keyed with an encryption key - and an initialization vector; any uses which do not specify an - additional initialization vector will use the key as both key and - initialization vector. The resulting checksum is 64 bits (8 octets) - long. This checksum is tamper-proof and collision-proof. Note that - this checksum type is the old method for encoding the DES-MAC checksum - and it is no longer recommended. The DES specifications identify some - 'weak keys' and 'semi-weak keys'; those keys shall not be used for - generating DES-MAC checksums for use in Kerberos. - - 7. Naming Constraints - - 7.1. Realm Names - - Although realm names are encoded as GeneralStrings and although a - realm can technically select any name it chooses, interoperability - across realm boundaries requires agreement on how realm names are to - be assigned, and what information they imply. - - To enforce these conventions, each realm must conform to the - conventions itself, and it must require that any realms with which - inter-realm keys are shared also conform to the conventions and - require the same from its neighbors. - - Kerberos realm names are case sensitive. Realm names that differ only - in the case of the characters are not equivalent. There are presently - four styles of realm names: domain, X500, other, and reserved. 
- Examples of each style follow: - - domain: ATHENA.MIT.EDU (example) - X500: C=US/O=OSF (example) - other: NAMETYPE:rest/of.name=without-restrictions (example) - reserved: reserved, but will not conflict with above - - Domain names must look like domain names: they consist of components - separated by periods (.) and they contain neither colons (:) nor - slashes (/). Though domain names themselves are case insensitive, in - order for realms to match, the case must match as well. When - establishing a new realm name based on an internet domain name it is - recommended by convention that the characters be converted to upper - case. - - X.500 names contain an equal (=) and cannot contain a colon (:) before - the equal. The realm names for X.500 names will be string - representations of the names with components separated by slashes. - Leading and trailing slashes will not be included. - - Names that fall into the other category must begin with a prefix that - contains no equal (=) or period (.) and the prefix must be followed by - a colon (:) and the rest of the name. All prefixes must be assigned - before they may be used. Presently none are assigned. - - The reserved category includes strings which do not fall into the - first three categories. All names in this category are reserved. It is - unlikely that names will be assigned to this category unless there is - a very strong argument for not using the 'other' category. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - These rules guarantee that there will be no conflicts between the - various name styles. 
The following additional constraints apply to the - assignment of realm names in the domain and X.500 categories: the name - of a realm for the domain or X.500 formats must either be used by the - organization owning (to whom it was assigned) an Internet domain name - or X.500 name, or in the case that no such names are registered, - authority to use a realm name may be derived from the authority of the - parent realm. For example, if there is no domain name for E40.MIT.EDU, - then the administrator of the MIT.EDU realm can authorize the creation - of a realm with that name. - - This is acceptable because the organization to which the parent is - assigned is presumably the organization authorized to assign names to - its children in the X.500 and domain name systems as well. If the - parent assigns a realm name without also registering it in the domain - name or X.500 hierarchy, it is the parent's responsibility to make - sure that there will not in the future exists a name identical to the - realm name of the child unless it is assigned to the same entity as - the realm name. - - 7.2. Principal Names - - As was the case for realm names, conventions are needed to ensure that - all agree on what information is implied by a principal name. The - name-type field that is part of the principal name indicates the kind - of information implied by the name. The name-type should be treated as - a hint. Ignoring the name type, no two names can be the same (i.e. at - least one of the components, or the realm, must be different). The - following name types are defined: - - name-type value meaning - - NT-UNKNOWN 0 Name type not known - NT-PRINCIPAL 1 General principal name (e.g. 
username, DCE -principal) - NT-SRV-INST 2 Service and other unique instance (krbtgt) - NT-SRV-HST 3 Service with host name as instance (telnet, rcmds) - NT-SRV-XHST 4 Service with slash-separated host name components - NT-UID 5 Unique ID - NT-X500-PRINCIPAL 6 Encoded X.509 Distingished name [RFC 1779] - NT-SMTP-NAME 7 Name in form of SMTP email name (e.g. -user@foo.com) - - When a name implies no information other than its uniqueness at a - particular time the name type PRINCIPAL should be used. The principal - name type should be used for users, and it might also be used for a - unique server. If the name is a unique machine generated ID that is - guaranteed never to be reassigned then the name type of UID should be - used (note that it is generally a bad idea to reassign names of any - type since stale entries might remain in access control lists). - - If the first component of a name identifies a service and the - remaining components identify an instance of the service in a server - specified manner, then the name type of SRV-INST should be used. An - example of this name type is the Kerberos ticket-granting service - whose name has a first component of krbtgt and a second component - identifying the realm for which the ticket is valid. - - If instance is a single component following the service name and the - instance identifies the host on which the server is running, then the - name type SRV-HST should be used. This type is typically used for - Internet services such as telnet and the Berkeley R commands. If the - separate components of the host name appear as successive components - following the name of the service, then the name type SRV-XHST should - be used. This type might be used to identify servers on hosts with - X.500 names where the slash (/) might otherwise be ambiguous. 
- - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - A name type of NT-X500-PRINCIPAL should be used when a name from an - X.509 certificiate is translated into a Kerberos name. The encoding of - the X.509 name as a Kerberos principal shall conform to the encoding - rules specified in RFC 2253. - - A name type of SMTP allows a name to be of a form that resembles a - SMTP email name. This name type can be used in conjunction with - name-canonicalization to allow a free-form of username to be specified - as a client name and allow the KDC to determine the Kerberos principal - name for the requested name. [JBrezak] - - A name type of UNKNOWN should be used when the form of the name is not - known. When comparing names, a name of type UNKNOWN will match - principals authenticated with names of any type. A principal - authenticated with a name of type UNKNOWN, however, will only match - other names of type UNKNOWN. - - Names of any type with an initial component of 'krbtgt' are reserved - for the Kerberos ticket granting service. See section 8.2.3 for the - form of such names. - - 7.2.1. Name of server principals - - The principal identifier for a server on a host will generally be - composed of two parts: (1) the realm of the KDC with which the server - is registered, and (2) a two-component name of type NT-SRV-HST if the - host name is an Internet domain name or a multi-component name of type - NT-SRV-XHST if the name of the host is of a form such as X.500 that - allows slash (/) separators. The first component of the two- or - multi-component name will identify the service and the latter - components will identify the host. Where the name of the host is not - case sensitive (for example, with Internet domain names) the name of - the host must be lower case. 
If specified by the application protocol - for services such as telnet and the Berkeley R commands which run with - system privileges, the first component may be the string 'host' - instead of a service specific identifier. When a host has an official - name and one or more aliases, the official name of the host must be - used when constructing the name of the server principal. - - 8. Constants and other defined values - - 8.1. Host address types - - All negative values for the host address type are reserved for local - use. All non-negative values are reserved for officially assigned type - fields and interpretations. - - The values of the types for the following addresses are chosen to - match the defined address family constants in the Berkeley Standard - Distributions of Unix. They can be found in with symbolic names AF_xxx - (where xxx is an abbreviation of the address family name). - - Internet (IPv4) Addresses - - Internet (IPv4) addresses are 32-bit (4-octet) quantities, encoded in - MSB order. The type of IPv4 addresses is two (2). - - Internet (IPv6) Addresses [Westerlund] - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - IPv6 addresses are 128-bit (16-octet) quantities, encoded in MSB - order. The type of IPv6 addresses is twenty-four (24). [RFC1883] - [RFC1884]. The following addresses (see [RFC1884]) MUST not appear in - any Kerberos packet: - o the Unspecified Address - o the Loopback Address - o Link-Local addresses - IPv4-mapped IPv6 addresses MUST be represented as addresses of type 2. - - CHAOSnet addresses - - CHAOSnet addresses are 16-bit (2-octet) quantities, encoded in MSB - order. The type of CHAOSnet addresses is five (5). - - ISO addresses - - ISO addresses are variable-length. The type of ISO addresses is seven - (7). - - Xerox Network Services (XNS) addresses - - XNS addresses are 48-bit (6-octet) quantities, encoded in MSB order. 
- The type of XNS addresses is six (6). - - AppleTalk Datagram Delivery Protocol (DDP) addresses - - AppleTalk DDP addresses consist of an 8-bit node number and a 16-bit - network number. The first octet of the address is the node number; the - remaining two octets encode the network number in MSB order. The type - of AppleTalk DDP addresses is sixteen (16). - - DECnet Phase IV addresses - - DECnet Phase IV addresses are 16-bit addresses, encoded in LSB order. - The type of DECnet Phase IV addresses is twelve (12). - - Netbios addresses - - Netbios addresses are 16-octet addresses typically composed of 1 to 15 - characters, trailing blank (ascii char 20) filled, with a 16th octet - of 0x0. The type of Netbios addresses is 20 (0x14). - - 8.2. KDC messages - - 8.2.1. UDP/IP transport - - When contacting a Kerberos server (KDC) for a KRB_KDC_REQ request - using UDP IP transport, the client shall send a UDP datagram - containing only an encoding of the request to port 88 (decimal) at the - KDC's IP address; the KDC will respond with a reply datagram - containing only an encoding of the reply message (either a KRB_ERROR - or a KRB_KDC_REP) to the sending port at the sender's IP address. - Kerberos servers supporting IP transport must accept UDP requests on - port 88 (decimal). The response to a request made through UDP/IP - transport must also use UDP/IP transport. - - 8.2.2. TCP/IP transport [Westerlund,Danielsson] - - Kerberos servers (KDC's) should accept TCP requests on port 88 - (decimal) and clients should support the sending of TCP requests on - port 88 (decimal). When the KRB_KDC_REQ message is sent to the KDC - over a TCP stream, a new connection will be established for each - authentication exchange (request and response). The KRB_KDC_REP or - KRB_ERROR message will be returned to the client on the same TCP - stream that was established for the request. 
The response to a request - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - made through TCP/IP transport must also use TCP/IP transport. - Implementors should note that some extentions to the Kerberos protocol - will not work if any implementation not supporting the TCP transport - is involved (client or KDC). Implementors are strongly urged to - support the TCP transport on both the client and server and are - advised that the current notation of "should" support will likely - change in the future to must support. The KDC may close the TCP stream - after sending a response, but may leave the stream open if it expects - a followup - in which case it may close the stream at any time if - resource constratints or other factors make it desirable to do so. - Care must be taken in managing TCP/IP connections with the KDC to - prevent denial of service attacks based on the number of TCP/IP - connections with the KDC that remain open. If multiple exchanges with - the KDC are needed for certain forms of preauthentication, multiple - TCP connections may be required. A client may close the stream after - receiving response, and should close the stream if it does not expect - to send followup messages. The client must be prepared to have the - stream closed by the KDC at anytime, in which case it must simply - connect again when it is ready to send subsequent messages. - - The first four octets of the TCP stream used to transmit the request - request will encode in network byte order the length of the request - (KRB_KDC_REQ), and the length will be followed by the request itself. - The response will similarly be preceeded by a 4 octet encoding in - network byte order of the length of the KRB_KDC_REP or the KRB_ERROR - message and will be followed by the KRB_KDC_REP or the KRB_ERROR - response. 
If the sign bit is set on the integer represented by the - first 4 octets, then the next 4 octets will be read, extending the - length of the field by another 4 octets (less the sign bit which is - reserved for future expansion). - - 8.2.3. OSI transport - - During authentication of an OSI client to an OSI server, the mutual - authentication of an OSI server to an OSI client, the transfer of - credentials from an OSI client to an OSI server, or during exchange of - private or integrity checked messages, Kerberos protocol messages may - be treated as opaque objects and the type of the authentication - mechanism will be: - - OBJECT IDENTIFIER ::= {iso (1), org(3), dod(6),internet(1), -security(5),kerberosv5(2)} - - Depending on the situation, the opaque object will be an - authentication header (KRB_AP_REQ), an authentication reply - (KRB_AP_REP), a safe message (KRB_SAFE), a private message (KRB_PRIV), - or a credentials message (KRB_CRED). The opaque data contains an - application code as specified in the ASN.1 description for each - message. The application code may be used by Kerberos to determine the - message type. - - 8.2.3. Name of the TGS - - The principal identifier of the ticket-granting service shall be - composed of three parts: (1) the realm of the KDC issuing the TGS - ticket (2) a two-part name of type NT-SRV-INST, with the first part - "krbtgt" and the second part the name of the realm which will accept - the ticket-granting ticket. For example, a ticket-granting ticket - issued by the ATHENA.MIT.EDU realm to be used to get tickets from the - ATHENA.MIT.EDU KDC has a principal identifier of "ATHENA.MIT.EDU" - (realm), ("krbtgt", "ATHENA.MIT.EDU") (name). A ticket-granting ticket - issued by the ATHENA.MIT.EDU realm to be used to get tickets from the - MIT.EDU realm has a principal identifier of "ATHENA.MIT.EDU" (realm), - ("krbtgt", "MIT.EDU") (name). 
- - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - 8.3. Protocol constants and associated values - - The following tables list constants used in the protocol and defines - their meanings. Ranges are specified in the "specification" section - that limit the values of constants for which values are defined here. - This allows implementations to make assumptions about the maximum - values that will be received for these constants. Implementation - receiving values outside the range specified in the "specification" - section may reject the request, but they must recover cleanly. - - Encryption type etype value block size minimum pad confounder -size - NULL 0 1 0 0 - des-cbc-crc 1 8 4 8 - des-cbc-md4 2 8 0 8 - des-cbc-md5 3 8 0 8 - reserved 4 - des3-cbc-md5 5 8 0 8 - reserved 6 - des3-cbc-sha1 7 8 0 8 - dsaWithSHA1-CmsOID 9 -(pkinit) - md5WithRSAEncryption-CmsOID 10 -(pkinit) - sha1WithRSAEncryption-CmsOID 11 -(pkinit) - rc2CBC-EnvOID 12 -(pkinit) - rsaEncryption-EnvOID 13 (pkinit from PKCS#1 -v1.5) - rsaES-OAEP-ENV-OID 14 (pkinit from PKCS#1 -v2.0) - des-ede3-cbc-Env-OID 15 -(pkinit) - des3-cbc-sha1-kd 16 (Tom -Yu) - rc4-hmac 23 -(swift) - rc4-hmac-exp 24 -(swift) - - reserved 0x8003 - - Checksum type sumtype value checksum size - CRC32 1 4 - rsa-md4 2 16 - rsa-md4-des 3 24 - des-mac 4 16 - des-mac-k 5 8 - rsa-md4-des-k 6 16 (drop rsa ?) - rsa-md5 7 16 (drop rsa ?) - rsa-md5-des 8 24 (drop rsa ?) - rsa-md5-des3 9 24 (drop rsa ?) 
- hmac-sha1-des3-kd 12 20 - hmac-sha1-des3 13 20 - sha1 (unkeyed) 14 20 - - padata type padata-type value - - PA-TGS-REQ 1 - PA-ENC-TIMESTAMP 2 - PA-PW-SALT 3 - reserved 4 - PA-ENC-UNIX-TIME 5 (depricated) - PA-SANDIA-SECUREID 6 - PA-SESAME 7 - PA-OSF-DCE 8 - PA-CYBERSAFE-SECUREID 9 - PA-AFS3-SALT 10 - PA-ETYPE-INFO 11 - PA-SAM-CHALLENGE 12 (sam/otp) - PA-SAM-RESPONSE 13 (sam/otp) - PA-PK-AS-REQ 14 (pkinit) - PA-PK-AS-REP 15 (pkinit) - PA-USE-SPECIFIED-KVNO 20 - PA-SAM-REDIRECT 21 (sam/otp) - PA-GET-FROM-TYPED-DATA 22 - PA-SAM-ETYPE-INFO 23 (sam/otp) - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - data-type value form of typed-data - - reserved 1-21 - TD-PADATA 22 - TD-PKINIT-CMS-CERTIFICATES 101 CertificateSet from CMS - TD-KRB-PRINCIPAL 102 - TD-KRB-REALM 103 - TD-TRUSTED-CERTIFIERS 104 - TD-CERTIFICATE-INDEX 105 - TD-APP-DEFINED-ERROR 106 - - authorization data type ad-type value - AD-IF-RELEVANT 1 - AD-INTENDED-FOR-SERVER 2 - AD-INTENDED-FOR-APPLICATION-CLASS 3 - AD-KDC-ISSUED 4 - AD-OR 5 - AD-MANDATORY-TICKET-EXTENSIONS 6 - AD-IN-TICKET-EXTENSIONS 7 - reserved values 8-63 - OSF-DCE 64 - SESAME 65 - AD-OSF-DCE-PKI-CERTID 66 (hemsath@us.ibm.com) - AD-WIN200-PAC 128 -(jbrezak@exchange.microsoft.com) - - Ticket Extension Types - - TE-TYPE-NULL 0 Null ticket extension - TE-TYPE-EXTERNAL-ADATA 1 Integrity protected authorization -data - reserved 2 TE-TYPE-PKCROSS-KDC - TE-TYPE-PKCROSS-CLIENT 3 PKCROSS cross realm key ticket - TE-TYPE-CYBERSAFE-EXT 4 Assigned to CyberSafe Corp - reserved 5 TE-TYPE-DEST-HOST - - alternate authentication type method-type value - reserved values 0-63 - ATT-CHALLENGE-RESPONSE 64 - - transited encoding type tr-type value - DOMAIN-X500-COMPRESS 1 - reserved values all others - - Label Value Meaning or MIT code - - pvno 5 current Kerberos protocol version number - - message types - - KRB_AS_REQ 10 Request for initial authentication - KRB_AS_REP 11 Response to 
KRB_AS_REQ request - KRB_TGS_REQ 12 Request for authentication based on TGT - KRB_TGS_REP 13 Response to KRB_TGS_REQ request - KRB_AP_REQ 14 application request to server - KRB_AP_REP 15 Response to KRB_AP_REQ_MUTUAL - KRB_SAFE 20 Safe (checksummed) application message - KRB_PRIV 21 Private (encrypted) application message - KRB_CRED 22 Private (encrypted) message to forward -credentials - KRB_ERROR 30 Error response - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - name types - - KRB_NT_UNKNOWN 0 Name type not known - KRB_NT_PRINCIPAL 1 Just the name of the principal as in DCE, or -for users - KRB_NT_SRV_INST 2 Service and other unique instance (krbtgt) - KRB_NT_SRV_HST 3 Service with host name as instance (telnet, -rcommands) - KRB_NT_SRV_XHST 4 Service with host as remaining components - KRB_NT_UID 5 Unique ID - KRB_NT_X500_PRINCIPAL 6 Encoded X.509 Distingished name [RFC 2253] - - error codes - - KDC_ERR_NONE 0 No error - KDC_ERR_NAME_EXP 1 Client's entry in database has -expired - KDC_ERR_SERVICE_EXP 2 Server's entry in database has -expired - KDC_ERR_BAD_PVNO 3 Requested protocol version number -not supported - KDC_ERR_C_OLD_MAST_KVNO 4 Client's key encrypted in old -master key - KDC_ERR_S_OLD_MAST_KVNO 5 Server's key encrypted in old -master key - KDC_ERR_C_PRINCIPAL_UNKNOWN 6 Client not found in Kerberos -database - KDC_ERR_S_PRINCIPAL_UNKNOWN 7 Server not found in Kerberos -database - KDC_ERR_PRINCIPAL_NOT_UNIQUE 8 Multiple principal entries in -database - KDC_ERR_NULL_KEY 9 The client or server has a null key - KDC_ERR_CANNOT_POSTDATE 10 Ticket not eligible for postdating - KDC_ERR_NEVER_VALID 11 Requested start time is later than -end time - KDC_ERR_POLICY 12 KDC policy rejects request - KDC_ERR_BADOPTION 13 KDC cannot accommodate requested -option - KDC_ERR_ETYPE_NOSUPP 14 KDC has no support for encryption -type - KDC_ERR_SUMTYPE_NOSUPP 15 KDC has no support for checksum 
-type - KDC_ERR_PADATA_TYPE_NOSUPP 16 KDC has no support for padata type - KDC_ERR_TRTYPE_NOSUPP 17 KDC has no support for transited -type - KDC_ERR_CLIENT_REVOKED 18 Clients credentials have been -revoked - KDC_ERR_SERVICE_REVOKED 19 Credentials for server have been -revoked - KDC_ERR_TGT_REVOKED 20 TGT has been revoked - KDC_ERR_CLIENT_NOTYET 21 Client not yet valid - try again -later - KDC_ERR_SERVICE_NOTYET 22 Server not yet valid - try again -later - KDC_ERR_KEY_EXPIRED 23 Password has expired - change -password to reset - KDC_ERR_PREAUTH_FAILED 24 Pre-authentication information was -invalid - KDC_ERR_PREAUTH_REQUIRED 25 Additional -pre-authenticationrequired [40] - KDC_ERR_SERVER_NOMATCH 26 Requested server and ticket don't -match - KDC_ERR_MUST_USE_USER2USER 27 Server principal valid for -user2user only - KDC_ERR_PATH_NOT_ACCPETED 28 KDC Policy rejects transited path - KDC_ERR_SVC_UNAVAILABLE 29 A service is not available - KRB_AP_ERR_BAD_INTEGRITY 31 Integrity check on decrypted field -failed - KRB_AP_ERR_TKT_EXPIRED 32 Ticket expired - KRB_AP_ERR_TKT_NYV 33 Ticket not yet valid - KRB_AP_ERR_REPEAT 34 Request is a replay - KRB_AP_ERR_NOT_US 35 The ticket isn't for us - KRB_AP_ERR_BADMATCH 36 Ticket and authenticator don't -match - KRB_AP_ERR_SKEW 37 Clock skew too great - KRB_AP_ERR_BADADDR 38 Incorrect net address - KRB_AP_ERR_BADVERSION 39 Protocol version mismatch - KRB_AP_ERR_MSG_TYPE 40 Invalid msg type - KRB_AP_ERR_MODIFIED 41 Message stream modified - KRB_AP_ERR_BADORDER 42 Message out of order - KRB_AP_ERR_BADKEYVER 44 Specified version of key is not -available - KRB_AP_ERR_NOKEY 45 Service key not available - KRB_AP_ERR_MUT_FAIL 46 Mutual authentication failed - KRB_AP_ERR_BADDIRECTION 47 Incorrect message direction - KRB_AP_ERR_METHOD 48 Alternative authentication method -required - KRB_AP_ERR_BADSEQ 49 Incorrect sequence number in -message - KRB_AP_ERR_INAPP_CKSUM 50 Inappropriate type of checksum in -message - KRB_AP_PATH_NOT_ACCEPTED 51 Policy 
rejects transited path - KRB_ERR_RESPONSE_TOO_BIG 52 Response too big for UDP, retry -with TCP - KRB_ERR_GENERIC 60 Generic error (description in -e-text) - KRB_ERR_FIELD_TOOLONG 61 Field is too long for this -implementation - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - KDC_ERROR_CLIENT_NOT_TRUSTED 62 (pkinit) - KDC_ERROR_KDC_NOT_TRUSTED 63 (pkinit) - KDC_ERROR_INVALID_SIG 64 (pkinit) - KDC_ERR_KEY_TOO_WEAK 65 (pkinit) - KDC_ERR_CERTIFICATE_MISMATCH 66 (pkinit) - KRB_AP_ERR_NO_TGT 67 (user-to-user) - KDC_ERR_WRONG_REALM 68 (user-to-user) - KRB_AP_ERR_USER_TO_USER_REQUIRED 69 (user-to-user) - KDC_ERR_CANT_VERIFY_CERTIFICATE 70 (pkinit) - KDC_ERR_INVALID_CERTIFICATE 71 (pkinit) - KDC_ERR_REVOKED_CERTIFICATE 72 (pkinit) - KDC_ERR_REVOCATION_STATUS_UNKNOWN 73 (pkinit) - KDC_ERR_REVOCATION_STATUS_UNAVAILABLE 74 (pkinit) - KDC_ERR_CLIENT_NAME_MISMATCH 75 (pkinit) - KDC_ERR_KDC_NAME_MISMATCH 76 (pkinit) - - 9. Interoperability requirements - - Version 5 of the Kerberos protocol supports a myriad of options. Among - these are multiple encryption and checksum types, alternative encoding - schemes for the transited field, optional mechanisms for - pre-authentication, the handling of tickets with no addresses, options - for mutual authentication, user to user authentication, support for - proxies, forwarding, postdating, and renewing tickets, the format of - realm names, and the handling of authorization data. - - In order to ensure the interoperability of realms, it is necessary to - define a minimal configuration which must be supported by all - implementations. This minimal configuration is subject to change as - technology does. For example, if at some later date it is discovered - that one of the required encryption or checksum algorithms is not - secure, it will be replaced. - - 9.1. Specification 2 - - This section defines the second specification of these options. 
- Implementations which are configured in this way can be said to - support Kerberos Version 5 Specification 2 (5.1). Specification 1 - (depricated) may be found in RFC1510. - - Transport - - TCP/IP and UDP/IP transport must be supported by KDCs claiming - conformance to specification 2. Kerberos clients claiming conformance - to specification 2 must support UDP/IP transport for messages with the - KDC and should support TCP/IP transport. - - Encryption and checksum methods - - The following encryption and checksum mechanisms must be supported. - Implementations may support other mechanisms as well, but the - additional mechanisms may only be used when communicating with - principals known to also support them: This list is to be determined. - - Encryption: DES-CBC-MD5, one triple des variant (tbd) - Checksums: CRC-32, DES-MAC, DES-MAC-K, and DES-MD5 (tbd) - - Realm Names - - All implementations must understand hierarchical realms in both the - Internet Domain and the X.500 style. When a ticket granting ticket for - an unknown realm is requested, the KDC must be able to determine the - names of the intermediate realms between the KDCs realm and the - requested realm. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - Transited field encoding - - DOMAIN-X500-COMPRESS (described in section 3.3.3.2) must be supported. - Alternative encodings may be supported, but they may be used only when - that encoding is supported by ALL intermediate realms. - - Pre-authentication methods - - The TGS-REQ method must be supported. The TGS-REQ method is not used - on the initial request. The PA-ENC-TIMESTAMP method must be supported - by clients but whether it is enabled by default may be determined on a - realm by realm basis. 
If not used in the initial request and the error - KDC_ERR_PREAUTH_REQUIRED is returned specifying PA-ENC-TIMESTAMP as an - acceptable method, the client should retry the initial request using - the PA-ENC-TIMESTAMP preauthentication method. Servers need not - support the PA-ENC-TIMESTAMP method, but if not supported the server - should ignore the presence of PA-ENC-TIMESTAMP pre-authentication in a - request. - - Mutual authentication - - Mutual authentication (via the KRB_AP_REP message) must be supported. - - Ticket addresses and flags - - All KDC's must pass on tickets that carry no addresses (i.e. if a TGT - contains no addresses, the KDC will return derivative tickets), but - each realm may set its own policy for issuing such tickets, and each - application server will set its own policy with respect to accepting - them. - - Proxies and forwarded tickets must be supported. Individual realms and - application servers can set their own policy on when such tickets will - be accepted. - - All implementations must recognize renewable and postdated tickets, - but need not actually implement them. If these options are not - supported, the starttime and endtime in the ticket shall specify a - ticket's entire useful life. When a postdated ticket is decoded by a - server, all implementations shall make the presence of the postdated - flag visible to the calling server. - - User-to-user authentication - - Support for user to user authentication (via the ENC-TKT-IN-SKEY KDC - option) must be provided by implementations, but individual realms may - decide as a matter of policy to reject such requests on a - per-principal or realm-wide basis. 
- - Authorization data - - Implementations must pass all authorization data subfields from - ticket-granting tickets to any derivative tickets unless directed to - suppress a subfield as part of the definition of that registered - subfield type (it is never incorrect to pass on a subfield, and no - registered subfield types presently specify suppression at the KDC). - - Implementations must make the contents of any authorization data - subfields available to the server when a ticket is used. - Implementations are not required to allow clients to specify the - contents of the authorization data fields. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - Constant ranges - - All protocol constants are constrained to 32 bit (signed) values - unless further constrained by the protocol definition. This limit is - provided to allow implementations to make assumptions about the - maximum values that will be received for these constants. - Implementation receiving values outside this range may reject the - request, but they must recover cleanly. - - 9.2. Recommended KDC values - - Following is a list of recommended values for a KDC implementation, - based on the list of suggested configuration constants (see section - 4.4). - - minimum lifetime 5 minutes - maximum renewable lifetime 1 week - maximum ticket lifetime 1 day - empty addresses only when suitable restrictions appear - in authorization data - proxiable, etc. Allowed. - - 10. REFERENCES - - [NT94] B. Clifford Neuman and Theodore Y. Ts'o, "An Authenti- - cation Service for Computer Networks," IEEE Communica- - tions Magazine, Vol. 32(9), pp. 33-38 (September 1994). - - [MNSS87] S. P. Miller, B. C. Neuman, J. I. Schiller, and J. H. - Saltzer, Section E.2.1: Kerberos Authentication and - Authorization System, M.I.T. Project Athena, Cambridge, - Massachusetts (December 21, 1987). - - [SNS88] J. G. Steiner, B. C. Neuman, and J. I. 
Schiller, "Ker- - beros: An Authentication Service for Open Network Sys- - tems," pp. 191-202 in Usenix Conference Proceedings, - Dallas, Texas (February, 1988). - - [NS78] Roger M. Needham and Michael D. Schroeder, "Using - Encryption for Authentication in Large Networks of Com- - puters," Communications of the ACM, Vol. 21(12), - pp. 993-999 (December, 1978). - - [DS81] Dorothy E. Denning and Giovanni Maria Sacco, "Time- - stamps in Key Distribution Protocols," Communications - of the ACM, Vol. 24(8), pp. 533-536 (August 1981). - - [KNT92] John T. Kohl, B. Clifford Neuman, and Theodore Y. Ts'o, - "The Evolution of the Kerberos Authentication Service," - in an IEEE Computer Society Text soon to be published - (June 1992). - - [Neu93] B. Clifford Neuman, "Proxy-Based Authorization and - Accounting for Distributed Systems," in Proceedings of - the 13th International Conference on Distributed Com- - puting Systems, Pittsburgh, PA (May, 1993). - - [DS90] Don Davis and Ralph Swick, "Workstation Services and - Kerberos Authentication at Project Athena," Technical - Memorandum TM-424, MIT Laboratory for Computer Science - (February 1990). - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - [LGDSR87] P. J. Levine, M. R. Gretzinger, J. M. Diaz, W. E. Som- - merfeld, and K. Raeburn, Section E.1: Service Manage- - ment System, M.I.T. Project Athena, Cambridge, Mas- - sachusetts (1987). - - [X509-88] CCITT, Recommendation X.509: The Directory Authentica- - tion Framework, December 1988. - - [Pat92]. J. Pato, Using Pre-Authentication to Avoid Password - Guessing Attacks, Open Software Foundation DCE Request - for Comments 26 (December 1992). - - [DES77] National Bureau of Standards, U.S. Department of Com- - merce, "Data Encryption Standard," Federal Information - Processing Standards Publication 46, Washington, DC - (1977). - - [DESM80] National Bureau of Standards, U.S. 
Department of Com- - merce, "DES Modes of Operation," Federal Information - Processing Standards Publication 81, Springfield, VA - (December 1980). - - [SG92] Stuart G. Stubblebine and Virgil D. Gligor, "On Message - Integrity in Cryptographic Protocols," in Proceedings - of the IEEE Symposium on Research in Security and - Privacy, Oakland, California (May 1992). - - [IS3309] International Organization for Standardization, "ISO - Information Processing Systems - Data Communication - - High-Level Data Link Control Procedure - Frame Struc- - ture," IS 3309 (October 1984). 3rd Edition. - - [MD4-92] R. Rivest, "The MD4 Message Digest Algorithm," RFC - 1320, MIT Laboratory for Computer Science (April - 1992). - - [MD5-92] R. Rivest, "The MD5 Message Digest Algorithm," RFC - 1321, MIT Laboratory for Computer Science (April - 1992). - - [KBC96] H. Krawczyk, M. Bellare, and R. Canetti, "HMAC: Keyed- - Hashing for Message Authentication," Working Draft - draft-ietf-ipsec-hmac-md5-01.txt, (August 1996). - - [Horowitz96] Horowitz, M., "Key Derivation for Authentication, - Integrity, and Privacy", -draft-horowitz-key-derivation-02.txt, - August 1998. - - [HorowitzB96] Horowitz, M., "Key Derivation for Kerberos V5", draft- - horowitz-kerb-key-derivation-01.txt, September 1998. - - [Krawczyk96] Krawczyk, H., Bellare, and M., Canetti, R., "HMAC: - Keyed-Hashing for Message Authentication", -draft-ietf-ipsec-hmac- - md5-01.txt, August, 1996. - - A. Pseudo-code for protocol processing - - This appendix provides pseudo-code describing how the messages are to - be constructed and interpreted by clients and servers. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - A.1. 
KRB_AS_REQ generation
-
- request.pvno := protocol version; /* pvno = 5 */
- request.msg-type := message type; /* type = KRB_AS_REQ */
-
- if(pa_enc_timestamp_required) then
- request.padata.padata-type = PA-ENC-TIMESTAMP;
- get system_time;
- padata-body.patimestamp,pausec = system_time;
- encrypt padata-body into request.padata.padata-value
- using client.key; /* derived from password */
- endif
-
- body.kdc-options := users's preferences;
- body.cname := user's name;
- body.realm := user's realm;
- body.sname := service's name; /* usually "krbtgt",
-"localrealm" */
- if (body.kdc-options.POSTDATED is set) then
- body.from := requested starting time;
- else
- omit body.from;
- endif
- body.till := requested end time;
- if (body.kdc-options.RENEWABLE is set) then
- body.rtime := requested final renewal time;
- endif
- body.nonce := random_nonce();
- body.etype := requested etypes;
- if (user supplied addresses) then
- body.addresses := user's addresses;
- else
- omit body.addresses;
- endif
- omit body.enc-authorization-data;
- request.req-body := body;
-
- kerberos := lookup(name of local kerberos server (or servers));
- send(packet,kerberos);
-
- wait(for response);
- if (timed_out) then
- retry or use alternate server;
- endif
-
- A.2.
KRB_AS_REQ verification and KRB_AS_REP generation - - decode message into req; - - client := lookup(req.cname,req.realm); - server := lookup(req.sname,req.realm); - - get system_time; - kdc_time := system_time.seconds; - - if (!client) then - /* no client in Database */ - error_out(KDC_ERR_C_PRINCIPAL_UNKNOWN); - endif - if (!server) then - /* no server in Database */ - error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN); - endif - - if(client.pa_enc_timestamp_required and - pa_enc_timestamp not present) then - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - error_out(KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP)); - endif - - if(pa_enc_timestamp present) then - decrypt req.padata-value into decrypted_enc_timestamp - using client.key; - using auth_hdr.authenticator.subkey; - if (decrypt_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - if(decrypted_enc_timestamp is not within allowable -skew) then - error_out(KDC_ERR_PREAUTH_FAILED); - endif - if(decrypted_enc_timestamp and usec is replay) - error_out(KDC_ERR_PREAUTH_FAILED); - endif - add decrypted_enc_timestamp and usec to replay cache; - endif - - use_etype := first supported etype in req.etypes; - - if (no support for req.etypes) then - error_out(KDC_ERR_ETYPE_NOSUPP); - endif - - new_tkt.vno := ticket version; /* = 5 */ - new_tkt.sname := req.sname; - new_tkt.srealm := req.srealm; - reset all flags in new_tkt.flags; - - /* It should be noted that local policy may affect the */ - /* processing of any of these flags. 
For example, some */ - /* realms may refuse to issue renewable tickets */ - - if (req.kdc-options.FORWARDABLE is set) then - set new_tkt.flags.FORWARDABLE; - endif - if (req.kdc-options.PROXIABLE is set) then - set new_tkt.flags.PROXIABLE; - endif - - if (req.kdc-options.ALLOW-POSTDATE is set) then - set new_tkt.flags.MAY-POSTDATE; - endif - if ((req.kdc-options.RENEW is set) or - (req.kdc-options.VALIDATE is set) or - (req.kdc-options.PROXY is set) or - (req.kdc-options.FORWARDED is set) or - (req.kdc-options.ENC-TKT-IN-SKEY is set)) then - error_out(KDC_ERR_BADOPTION); - endif - - new_tkt.session := random_session_key(); - new_tkt.cname := req.cname; - new_tkt.crealm := req.crealm; - new_tkt.transited := empty_transited_field(); - - new_tkt.authtime := kdc_time; - - if (req.kdc-options.POSTDATED is set) then - if (against_postdate_policy(req.from)) then - error_out(KDC_ERR_POLICY); - endif - set new_tkt.flags.POSTDATED; - set new_tkt.flags.INVALID; - new_tkt.starttime := req.from; - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - else - omit new_tkt.starttime; /* treated as authtime when omitted -*/ - endif - if (req.till = 0) then - till := infinity; - else - till := req.till; - endif - - new_tkt.endtime := min(till, - new_tkt.starttime+client.max_life, - new_tkt.starttime+server.max_life, - new_tkt.starttime+max_life_for_realm); - - if ((req.kdc-options.RENEWABLE-OK is set) and - (new_tkt.endtime < req.till)) then - /* we set the RENEWABLE option for later processing */ - set req.kdc-options.RENEWABLE; - req.rtime := req.till; - endif - - if (req.rtime = 0) then - rtime := infinity; - else - rtime := req.rtime; - endif - - if (req.kdc-options.RENEWABLE is set) then - set new_tkt.flags.RENEWABLE; - new_tkt.renew-till := min(rtime, - -new_tkt.starttime+client.max_rlife, - -new_tkt.starttime+server.max_rlife, - -new_tkt.starttime+max_rlife_for_realm); - else - omit new_tkt.renew-till; /* 
only present if RENEWABLE -*/ - endif - - if (req.addresses) then - new_tkt.caddr := req.addresses; - else - omit new_tkt.caddr; - endif - - new_tkt.authorization_data := empty_authorization_data(); - - encode to-be-encrypted part of ticket into OCTET STRING; - new_tkt.enc-part := encrypt OCTET STRING - using etype_for_key(server.key), server.key, -server.p_kvno; - - /* Start processing the response */ - - resp.pvno := 5; - resp.msg-type := KRB_AS_REP; - resp.cname := req.cname; - resp.crealm := req.realm; - resp.ticket := new_tkt; - - resp.key := new_tkt.session; - resp.last-req := fetch_last_request_info(client); - resp.nonce := req.nonce; - resp.key-expiration := client.expiration; - resp.flags := new_tkt.flags; - - resp.authtime := new_tkt.authtime; - resp.starttime := new_tkt.starttime; - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - resp.endtime := new_tkt.endtime; - - if (new_tkt.flags.RENEWABLE) then - resp.renew-till := new_tkt.renew-till; - endif - - resp.realm := new_tkt.realm; - resp.sname := new_tkt.sname; - - resp.caddr := new_tkt.caddr; - - encode body of reply into OCTET STRING; - - resp.enc-part := encrypt OCTET STRING - using use_etype, client.key, client.p_kvno; - send(resp); - - A.3. 
KRB_AS_REP verification - - decode response into resp; - - if (resp.msg-type = KRB_ERROR) then - if(error = KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP)) -then - set pa_enc_timestamp_required; - goto KRB_AS_REQ; - endif - process_error(resp); - return; - endif - - /* On error, discard the response, and zero the session key */ - /* from the response immediately */ - - key = get_decryption_key(resp.enc-part.kvno, -resp.enc-part.etype, - resp.padata); - unencrypted part of resp := decode of decrypt of resp.enc-part - using resp.enc-part.etype and key; - zero(key); - - if (common_as_rep_tgs_rep_checks fail) then - destroy resp.key; - return error; - endif - - if near(resp.princ_exp) then - print(warning message); - endif - save_for_later(ticket,session,client,server,times,flags); - - A.4. KRB_AS_REP and KRB_TGS_REP common checks - - if (decryption_error() or - (req.cname != resp.cname) or - (req.realm != resp.crealm) or - (req.sname != resp.sname) or - (req.realm != resp.realm) or - (req.nonce != resp.nonce) or - (req.addresses != resp.caddr)) then - destroy resp.key; - return KRB_AP_ERR_MODIFIED; - endif - - /* make sure no flags are set that shouldn't be, and that all -that */ - /* should be are set -*/ - if (!check_flags_for_compatability(req.kdc-options,resp.flags)) -then - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - destroy resp.key; - return KRB_AP_ERR_MODIFIED; - endif - - if ((req.from = 0) and - (resp.starttime is not within allowable skew)) then - destroy resp.key; - return KRB_AP_ERR_SKEW; - endif - if ((req.from != 0) and (req.from != resp.starttime)) then - destroy resp.key; - return KRB_AP_ERR_MODIFIED; - endif - if ((req.till != 0) and (resp.endtime > req.till)) then - destroy resp.key; - return KRB_AP_ERR_MODIFIED; - endif - - if ((req.kdc-options.RENEWABLE is set) and - (req.rtime != 0) and (resp.renew-till > req.rtime)) then - destroy resp.key; - return 
KRB_AP_ERR_MODIFIED; - endif - if ((req.kdc-options.RENEWABLE-OK is set) and - (resp.flags.RENEWABLE) and - (req.till != 0) and - (resp.renew-till > req.till)) then - destroy resp.key; - return KRB_AP_ERR_MODIFIED; - endif - - A.5. KRB_TGS_REQ generation - - /* Note that make_application_request might have to recursivly -*/ - /* call this routine to get the appropriate ticket-granting -ticket */ - - request.pvno := protocol version; /* pvno = 5 */ - request.msg-type := message type; /* type = KRB_TGS_REQ */ - - body.kdc-options := users's preferences; - /* If the TGT is not for the realm of the end-server */ - /* then the sname will be for a TGT for the end-realm */ - /* and the realm of the requested ticket (body.realm) */ - /* will be that of the TGS to which the TGT we are */ - /* sending applies */ - body.sname := service's name; - body.realm := service's realm; - - if (body.kdc-options.POSTDATED is set) then - body.from := requested starting time; - else - omit body.from; - endif - body.till := requested end time; - if (body.kdc-options.RENEWABLE is set) then - body.rtime := requested final renewal time; - endif - body.nonce := random_nonce(); - body.etype := requested etypes; - if (user supplied addresses) then - body.addresses := user's addresses; - else - omit body.addresses; - endif - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - body.enc-authorization-data := user-supplied data; - if (body.kdc-options.ENC-TKT-IN-SKEY) then - body.additional-tickets_ticket := second TGT; - endif - - request.req-body := body; - check := generate_checksum (req.body,checksumtype); - - request.padata[0].padata-type := PA-TGS-REQ; - request.padata[0].padata-value := create a KRB_AP_REQ using - the TGT and checksum - - /* add in any other padata as required/supplied */ - - kerberos := lookup(name of local kerberose server (or -servers)); - send(packet,kerberos); - - wait(for response); - if 
(timed_out) then - retry or use alternate server; - endif - - A.6. KRB_TGS_REQ verification and KRB_TGS_REP generation - - /* note that reading the application request requires first - determining the server for which a ticket was issued, and -choosing the - correct key for decryption. The name of the server appears in -the - plaintext part of the ticket. */ - - if (no KRB_AP_REQ in req.padata) then - error_out(KDC_ERR_PADATA_TYPE_NOSUPP); - endif - verify KRB_AP_REQ in req.padata; - - /* Note that the realm in which the Kerberos server is -operating is - determined by the instance from the ticket-granting ticket. -The realm - in the ticket-granting ticket is the realm under which the -ticket - granting ticket was issued. It is possible for a single -Kerberos - server to support more than one realm. */ - - auth_hdr := KRB_AP_REQ; - tgt := auth_hdr.ticket; - - if (tgt.sname is not a TGT for local realm and is not -req.sname) then - error_out(KRB_AP_ERR_NOT_US); - - realm := realm_tgt_is_for(tgt); - - decode remainder of request; - - if (auth_hdr.authenticator.cksum is missing) then - error_out(KRB_AP_ERR_INAPP_CKSUM); - endif - - if (auth_hdr.authenticator.cksum type is not supported) then - error_out(KDC_ERR_SUMTYPE_NOSUPP); - endif - if (auth_hdr.authenticator.cksum is not both collision-proof -and keyed) then - error_out(KRB_AP_ERR_INAPP_CKSUM); - endif - - set computed_checksum := checksum(req); - if (computed_checksum != auth_hdr.authenticatory.cksum) then - error_out(KRB_AP_ERR_MODIFIED); - endif - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - - server := lookup(req.sname,realm); - - if (!server) then - if (is_foreign_tgt_name(req.sname)) then - server := best_intermediate_tgs(req.sname); - else - /* no server in Database */ - error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN); - endif - endif - - session := generate_random_session_key(); - - use_etype := first supported etype in req.etypes; - 
- if (no support for req.etypes) then - error_out(KDC_ERR_ETYPE_NOSUPP); - endif - - new_tkt.vno := ticket version; /* = 5 */ - new_tkt.sname := req.sname; - new_tkt.srealm := realm; - reset all flags in new_tkt.flags; - - /* It should be noted that local policy may affect the */ - /* processing of any of these flags. For example, some */ - /* realms may refuse to issue renewable tickets */ - - new_tkt.caddr := tgt.caddr; - resp.caddr := NULL; /* We only include this if they change */ - if (req.kdc-options.FORWARDABLE is set) then - if (tgt.flags.FORWARDABLE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.FORWARDABLE; - endif - if (req.kdc-options.FORWARDED is set) then - if (tgt.flags.FORWARDABLE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.FORWARDED; - new_tkt.caddr := req.addresses; - resp.caddr := req.addresses; - endif - if (tgt.flags.FORWARDED is set) then - set new_tkt.flags.FORWARDED; - endif - - if (req.kdc-options.PROXIABLE is set) then - if (tgt.flags.PROXIABLE is reset) - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.PROXIABLE; - endif - if (req.kdc-options.PROXY is set) then - if (tgt.flags.PROXIABLE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.PROXY; - new_tkt.caddr := req.addresses; - resp.caddr := req.addresses; - endif - - if (req.kdc-options.ALLOW-POSTDATE is set) then - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - if (tgt.flags.MAY-POSTDATE is reset) - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.MAY-POSTDATE; - endif - if (req.kdc-options.POSTDATED is set) then - if (tgt.flags.MAY-POSTDATE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.POSTDATED; - set new_tkt.flags.INVALID; - if (against_postdate_policy(req.from)) then - error_out(KDC_ERR_POLICY); - endif - new_tkt.starttime := req.from; - endif - - if (req.kdc-options.VALIDATE 
is set) then - if (tgt.flags.INVALID is reset) then - error_out(KDC_ERR_POLICY); - endif - if (tgt.starttime > kdc_time) then - error_out(KRB_AP_ERR_NYV); - endif - if (check_hot_list(tgt)) then - error_out(KRB_AP_ERR_REPEAT); - endif - tkt := tgt; - reset new_tkt.flags.INVALID; - endif - - if (req.kdc-options.(any flag except ENC-TKT-IN-SKEY, RENEW, - and those already processed) is set) then - error_out(KDC_ERR_BADOPTION); - endif - - new_tkt.authtime := tgt.authtime; - - if (req.kdc-options.RENEW is set) then - /* Note that if the endtime has already passed, the ticket -would */ - /* have been rejected in the initial authentication stage, so -*/ - /* there is no need to check again here -*/ - if (tgt.flags.RENEWABLE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - if (tgt.renew-till < kdc_time) then - error_out(KRB_AP_ERR_TKT_EXPIRED); - endif - tkt := tgt; - new_tkt.starttime := kdc_time; - old_life := tgt.endttime - tgt.starttime; - new_tkt.endtime := min(tgt.renew-till, - new_tkt.starttime + old_life); - else - new_tkt.starttime := kdc_time; - if (req.till = 0) then - till := infinity; - else - till := req.till; - endif - new_tkt.endtime := min(till, - -new_tkt.starttime+client.max_life, - -new_tkt.starttime+server.max_life, - -new_tkt.starttime+max_life_for_realm, - tgt.endtime); - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - - if ((req.kdc-options.RENEWABLE-OK is set) and - (new_tkt.endtime < req.till) and - (tgt.flags.RENEWABLE is set) then - /* we set the RENEWABLE option for later -processing */ - set req.kdc-options.RENEWABLE; - req.rtime := min(req.till, tgt.renew-till); - endif - endif - - if (req.rtime = 0) then - rtime := infinity; - else - rtime := req.rtime; - endif - - if ((req.kdc-options.RENEWABLE is set) and - (tgt.flags.RENEWABLE is set)) then - set new_tkt.flags.RENEWABLE; - new_tkt.renew-till := min(rtime, - -new_tkt.starttime+client.max_rlife, - 
-new_tkt.starttime+server.max_rlife, - -new_tkt.starttime+max_rlife_for_realm, - tgt.renew-till); - else - new_tkt.renew-till := OMIT; /* leave the renew-till -field out */ - endif - if (req.enc-authorization-data is present) then - decrypt req.enc-authorization-data into -decrypted_authorization_data - using auth_hdr.authenticator.subkey; - if (decrypt_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - endif - new_tkt.authorization_data := -req.auth_hdr.ticket.authorization_data + - decrypted_authorization_data; - - new_tkt.key := session; - new_tkt.crealm := tgt.crealm; - new_tkt.cname := req.auth_hdr.ticket.cname; - - if (realm_tgt_is_for(tgt) := tgt.realm) then - /* tgt issued by local realm */ - new_tkt.transited := tgt.transited; - else - /* was issued for this realm by some other realm */ - if (tgt.transited.tr-type not supported) then - error_out(KDC_ERR_TRTYPE_NOSUPP); - endif - new_tkt.transited := compress_transited(tgt.transited + -tgt.realm) - /* Don't check tranited field if TGT for foreign realm, - * or requested not to check */ - if (is_not_foreign_tgt_name(new_tkt.server) - && req.kdc-options.DISABLE-TRANSITED-CHECK not set) -then - /* Check it, so end-server does not have to - * but don't fail, end-server may still accept -it */ - if (check_transited_field(new_tkt.transited) == -OK) - set -new_tkt.flags.TRANSITED-POLICY-CHECKED; - endif - endif - endif - - encode encrypted part of new_tkt into OCTET STRING; - if (req.kdc-options.ENC-TKT-IN-SKEY is set) then - if (server not specified) then - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - server = req.second_ticket.client; - endif - if ((req.second_ticket is not a TGT) or - (req.second_ticket.client != server)) then - error_out(KDC_ERR_POLICY); - endif - - new_tkt.enc-part := encrypt OCTET STRING using - using etype_for_key(second-ticket.key), -second-ticket.key; - else - new_tkt.enc-part := encrypt OCTET 
STRING - using etype_for_key(server.key), server.key, -server.p_kvno; - endif - - resp.pvno := 5; - resp.msg-type := KRB_TGS_REP; - resp.crealm := tgt.crealm; - resp.cname := tgt.cname; - resp.ticket := new_tkt; - - resp.key := session; - resp.nonce := req.nonce; - resp.last-req := fetch_last_request_info(client); - resp.flags := new_tkt.flags; - - resp.authtime := new_tkt.authtime; - resp.starttime := new_tkt.starttime; - resp.endtime := new_tkt.endtime; - - omit resp.key-expiration; - - resp.sname := new_tkt.sname; - resp.realm := new_tkt.realm; - - if (new_tkt.flags.RENEWABLE) then - resp.renew-till := new_tkt.renew-till; - endif - - encode body of reply into OCTET STRING; - - if (req.padata.authenticator.subkey) - resp.enc-part := encrypt OCTET STRING using use_etype, - req.padata.authenticator.subkey; - else resp.enc-part := encrypt OCTET STRING using use_etype, -tgt.key; - - send(resp); - - A.7. KRB_TGS_REP verification - - decode response into resp; - - if (resp.msg-type = KRB_ERROR) then - process_error(resp); - return; - endif - - /* On error, discard the response, and zero the session key -from - the response immediately */ - - if (req.padata.authenticator.subkey) - unencrypted part of resp := decode of decrypt of -resp.enc-part - using resp.enc-part.etype and subkey; - else unencrypted part of resp := decode of decrypt of -resp.enc-part - using resp.enc-part.etype and tgt's -session key; - if (common_as_rep_tgs_rep_checks fail) then - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - destroy resp.key; - return error; - endif - - check authorization_data as necessary; - save_for_later(ticket,session,client,server,times,flags); - - A.8. 
Authenticator generation
-
- body.authenticator-vno := authenticator vno; /* = 5 */
- body.cname, body.crealm := client name;
- if (supplying checksum) then
- body.cksum := checksum;
- endif
- get system_time;
- body.ctime, body.cusec := system_time;
- if (selecting sub-session key) then
- select sub-session key;
- body.subkey := sub-session key;
- endif
- if (using sequence numbers) then
- select initial sequence number;
- body.seq-number := initial sequence;
- endif
-
- A.9. KRB_AP_REQ generation
-
- obtain ticket and session_key from cache;
-
- packet.pvno := protocol version; /* 5 */
- packet.msg-type := message type; /* KRB_AP_REQ */
-
- if (desired(MUTUAL_AUTHENTICATION)) then
- set packet.ap-options.MUTUAL-REQUIRED;
- else
- reset packet.ap-options.MUTUAL-REQUIRED;
- endif
- if (using session key for ticket) then
- set packet.ap-options.USE-SESSION-KEY;
- else
- reset packet.ap-options.USE-SESSION-KEY;
- endif
- packet.ticket := ticket; /* ticket */
- generate authenticator;
- encode authenticator into OCTET STRING;
- encrypt OCTET STRING into packet.authenticator using
-session_key;
-
- A.10.
KRB_AP_REQ verification - - receive packet; - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_AP_REQ) then - error_out(KRB_AP_ERR_MSG_TYPE); - endif - if (packet.ticket.tkt_vno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.ap_options.USE-SESSION-KEY is set) then - retrieve session key from ticket-granting ticket for - packet.ticket.{sname,srealm,enc-part.etype}; - else - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - retrieve service key for - -packet.ticket.{sname,srealm,enc-part.etype,enc-part.skvno}; - endif - if (no_key_available) then - if (cannot_find_specified_skvno) then - error_out(KRB_AP_ERR_BADKEYVER); - else - error_out(KRB_AP_ERR_NOKEY); - endif - endif - decrypt packet.ticket.enc-part into decr_ticket using retrieved -key; - if (decryption_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - decrypt packet.authenticator into decr_authenticator - using decr_ticket.key; - if (decryption_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - if (decr_authenticator.{cname,crealm} != - decr_ticket.{cname,crealm}) then - error_out(KRB_AP_ERR_BADMATCH); - endif - if (decr_ticket.caddr is present) then - if (sender_address(packet) is not in decr_ticket.caddr) -then - error_out(KRB_AP_ERR_BADADDR); - endif - elseif (application requires addresses) then - error_out(KRB_AP_ERR_BADADDR); - endif - if (not in_clock_skew(decr_authenticator.ctime, - decr_authenticator.cusec)) then - error_out(KRB_AP_ERR_SKEW); - endif - if (repeated(decr_authenticator.{ctime,cusec,cname,crealm})) -then - error_out(KRB_AP_ERR_REPEAT); - endif - save_identifier(decr_authenticator.{ctime,cusec,cname,crealm}); - get system_time; - if ((decr_ticket.starttime-system_time > CLOCK_SKEW) or - (decr_ticket.flags.INVALID is set)) then 
- /* it hasn't yet become valid */ - error_out(KRB_AP_ERR_TKT_NYV); - endif - if (system_time-decr_ticket.endtime > CLOCK_SKEW) then - error_out(KRB_AP_ERR_TKT_EXPIRED); - endif - if (decr_ticket.transited) then - /* caller may ignore the TRANSITED-POLICY-CHECKED and do - * check anyway */ - if (decr_ticket.flags.TRANSITED-POLICY-CHECKED not set) -then - if (check_transited_field(decr_ticket.transited) then - error_out(KDC_AP_PATH_NOT_ACCPETED); - endif - endif - endif - /* caller must check decr_ticket.flags for any pertinent -details */ - return(OK, decr_ticket, packet.ap_options.MUTUAL-REQUIRED); - - A.11. KRB_AP_REP generation - - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_AP_REP */ - - body.ctime := packet.ctime; - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - body.cusec := packet.cusec; - if (selecting sub-session key) then - select sub-session key; - body.subkey := sub-session key; - endif - if (using sequence numbers) then - select initial sequence number; - body.seq-number := initial sequence; - endif - - encode body into OCTET STRING; - - select encryption type; - encrypt OCTET STRING into packet.enc-part; - - A.12. 
KRB_AP_REP verification
-
- receive packet;
- if (packet.pvno != 5) then
- either process using other protocol spec
- or error_out(KRB_AP_ERR_BADVERSION);
- endif
- if (packet.msg-type != KRB_AP_REP) then
- error_out(KRB_AP_ERR_MSG_TYPE);
- endif
- cleartext := decrypt(packet.enc-part) using ticket's session
-key;
- if (decryption_error()) then
- error_out(KRB_AP_ERR_BAD_INTEGRITY);
- endif
- if (cleartext.ctime != authenticator.ctime) then
- error_out(KRB_AP_ERR_MUT_FAIL);
- endif
- if (cleartext.cusec != authenticator.cusec) then
- error_out(KRB_AP_ERR_MUT_FAIL);
- endif
- if (cleartext.subkey is present) then
- save cleartext.subkey for future use;
- endif
- if (cleartext.seq-number is present) then
- save cleartext.seq-number for future verifications;
- endif
- return(AUTHENTICATION_SUCCEEDED);
-
- A.13. KRB_SAFE generation
-
- collect user data in buffer;
-
- /* assemble packet: */
- packet.pvno := protocol version; /* 5 */
- packet.msg-type := message type; /* KRB_SAFE */
-
- body.user-data := buffer; /* DATA */
- if (using timestamp) then
- get system_time;
- body.timestamp, body.usec := system_time;
- endif
- if (using sequence numbers) then
- body.seq-number := sequence number;
- endif
- body.s-address := sender host addresses;
- if (only one recipient) then
- body.r-address := recipient host address;
- endif
- checksum.cksumtype := checksum type;
- compute checksum over body;
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
- checksum.checksum := checksum value; /* checksum.checksum */
- packet.cksum := checksum;
- packet.safe-body := body;
-
- A.14.
KRB_SAFE verification
-
- receive packet;
- if (packet.pvno != 5) then
- either process using other protocol spec
- or error_out(KRB_AP_ERR_BADVERSION);
- endif
- if (packet.msg-type != KRB_SAFE) then
- error_out(KRB_AP_ERR_MSG_TYPE);
- endif
- if (packet.checksum.cksumtype is not both collision-proof and
-keyed) then
- error_out(KRB_AP_ERR_INAPP_CKSUM);
- endif
- if (safe_priv_common_checks_ok(packet)) then
- set computed_checksum := checksum(packet.body);
- if (computed_checksum != packet.checksum) then
- error_out(KRB_AP_ERR_MODIFIED);
- endif
- return (packet, PACKET_IS_GENUINE);
- else
- return common_checks_error;
- endif
-
- A.15. KRB_SAFE and KRB_PRIV common checks
-
- if (packet.s-address != O/S_sender(packet)) then
- /* O/S report of sender not who claims to have sent it
-*/
- error_out(KRB_AP_ERR_BADADDR);
- endif
- if ((packet.r-address is present) and
- (packet.r-address != local_host_address)) then
- /* was not sent to proper place */
- error_out(KRB_AP_ERR_BADADDR);
- endif
- if (((packet.timestamp is present) and
- (not in_clock_skew(packet.timestamp,packet.usec))) or
- (packet.timestamp is not present and timestamp expected))
-then
- error_out(KRB_AP_ERR_SKEW);
- endif
- if (repeated(packet.timestamp,packet.usec,packet.s-address))
-then
- error_out(KRB_AP_ERR_REPEAT);
- endif
-
- if (((packet.seq-number is present) and
- ((not in_sequence(packet.seq-number)))) or
- (packet.seq-number is not present and sequence expected))
-then
- error_out(KRB_AP_ERR_BADORDER);
- endif
- if (packet.timestamp not present and packet.seq-number not
-present) then
- error_out(KRB_AP_ERR_MODIFIED);
- endif
-
- save_identifier(packet.{timestamp,usec,s-address},
- sender_principal(packet));
-
- return PACKET_IS_OK;
-
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
- A.16.
KRB_PRIV generation
-
- collect user data in buffer;
-
- /* assemble packet: */
- packet.pvno := protocol version; /* 5 */
- packet.msg-type := message type; /* KRB_PRIV */
-
- packet.enc-part.etype := encryption type;
-
- body.user-data := buffer;
- if (using timestamp) then
- get system_time;
- body.timestamp, body.usec := system_time;
- endif
- if (using sequence numbers) then
- body.seq-number := sequence number;
- endif
- body.s-address := sender host addresses;
- if (only one recipient) then
- body.r-address := recipient host address;
- endif
-
- encode body into OCTET STRING;
-
- select encryption type;
- encrypt OCTET STRING into packet.enc-part.cipher;
-
- A.17. KRB_PRIV verification
-
- receive packet;
- if (packet.pvno != 5) then
- either process using other protocol spec
- or error_out(KRB_AP_ERR_BADVERSION);
- endif
- if (packet.msg-type != KRB_PRIV) then
- error_out(KRB_AP_ERR_MSG_TYPE);
- endif
-
- cleartext := decrypt(packet.enc-part) using negotiated key;
- if (decryption_error()) then
- error_out(KRB_AP_ERR_BAD_INTEGRITY);
- endif
-
- if (safe_priv_common_checks_ok(cleartext)) then
- return(cleartext.DATA,
-PACKET_IS_GENUINE_AND_UNMODIFIED);
- else
- return common_checks_error;
- endif
-
- A.18.
KRB_CRED generation - - invoke KRB_TGS; /* obtain tickets to be provided to peer */ - - /* assemble packet: */ - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_CRED */ - - for (tickets[n] in tickets to be forwarded) do - packet.tickets[n] = tickets[n].ticket; - done - - packet.enc-part.etype := encryption type; - - for (ticket[n] in tickets to be forwarded) do - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - body.ticket-info[n].key = tickets[n].session; - body.ticket-info[n].prealm = tickets[n].crealm; - body.ticket-info[n].pname = tickets[n].cname; - body.ticket-info[n].flags = tickets[n].flags; - body.ticket-info[n].authtime = tickets[n].authtime; - body.ticket-info[n].starttime = tickets[n].starttime; - body.ticket-info[n].endtime = tickets[n].endtime; - body.ticket-info[n].renew-till = tickets[n].renew-till; - body.ticket-info[n].srealm = tickets[n].srealm; - body.ticket-info[n].sname = tickets[n].sname; - body.ticket-info[n].caddr = tickets[n].caddr; - done - - get system_time; - body.timestamp, body.usec := system_time; - - if (using nonce) then - body.nonce := nonce; - endif - - if (using s-address) then - body.s-address := sender host addresses; - endif - if (limited recipients) then - body.r-address := recipient host address; - endif - - encode body into OCTET STRING; - - select encryption type; - encrypt OCTET STRING into packet.enc-part.cipher - using negotiated encryption key; - - A.19. 
KRB_CRED verification - - receive packet; - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_CRED) then - error_out(KRB_AP_ERR_MSG_TYPE); - endif - - cleartext := decrypt(packet.enc-part) using negotiated key; - if (decryption_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - if ((packet.r-address is present or required) and - (packet.s-address != O/S_sender(packet)) then - /* O/S report of sender not who claims to have sent it -*/ - error_out(KRB_AP_ERR_BADADDR); - endif - if ((packet.r-address is present) and - (packet.r-address != local_host_address)) then - /* was not sent to proper place */ - error_out(KRB_AP_ERR_BADADDR); - endif - if (not in_clock_skew(packet.timestamp,packet.usec)) then - error_out(KRB_AP_ERR_SKEW); - endif - if (repeated(packet.timestamp,packet.usec,packet.s-address)) -then - error_out(KRB_AP_ERR_REPEAT); - endif - if (packet.nonce is required or present) and - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - (packet.nonce != expected-nonce) then - error_out(KRB_AP_ERR_MODIFIED); - endif - - for (ticket[n] in tickets that were forwarded) do - save_for_later(ticket[n],key[n],principal[n], - server[n],times[n],flags[n]); - return - - A.20. KRB_ERROR generation - - /* assemble packet: */ - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_ERROR */ - - get system_time; - packet.stime, packet.susec := system_time; - packet.realm, packet.sname := server name; - - if (client time available) then - packet.ctime, packet.cusec := client_time; - endif - packet.error-code := error code; - if (client name available) then - packet.cname, packet.crealm := client name; - endif - if (error text available) then - packet.e-text := error text; - endif - if (error data available) then - packet.e-data := error data; - endif - - B. 
Definition of common authorization data elements - - This appendix contains the definitions of common authorization data - elements. These common authorization data elements are recursivly - defined, meaning the ad-data for these types will itself contain a - sequence of authorization data whose interpretation is affected by the - encapsulating element. Depending on the meaning of the encapsulating - element, the encapsulated elements may be ignored, might be - interpreted as issued directly by the KDC, or they might be stored in - a separate plaintext part of the ticket. The types of the - encapsulating elements are specified as part of the Kerberos - specification because the behavior based on these values should be - understood across implementations whereas other elements need only be - understood by the applications which they affect. - - In the definitions that follow, the value of the ad-type for the - element will be specified in the subsection number, and the value of - the ad-data will be as shown in the ASN.1 structure that follows the - subsection heading. - - B.1. If relevant - - AD-IF-RELEVANT AuthorizationData - - AD elements encapsulated within the if-relevant element are intended - for interpretation only by application servers that understand the - particular ad-type of the embedded element. Application servers that - do not understand the type of an element embedded within the - if-relevant element may ignore the uninterpretable element. This - element promotes interoperability across implementations which may - have local extensions for authorization. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - B.2. 
Intended for server - - AD-INTENDED-FOR-SERVER SEQUENCE { - intended-server[0] SEQUENCE OF PrincipalName - elements[1] AuthorizationData - } - - AD elements encapsulated within the intended-for-server element may be - ignored if the application server is not in the list of principal - names of intended servers. Further, a KDC issuing a ticket for an - application server can remove this element if the application server - is not in the list of intended servers. - - Application servers should check for their principal name in the - intended-server field of this element. If their principal name is not - found, this element should be ignored. If found, then the encapsulated - elements should be evaluated in the same manner as if they were - present in the top level authorization data field. Applications and - application servers that do not implement this element should reject - tickets that contain authorization data elements of this type. - - B.3. Intended for application class - - AD-INTENDED-FOR-APPLICATION-CLASS SEQUENCE { - intended-application-class[0] SEQUENCE OF GeneralString elements[1] - AuthorizationData } AD elements encapsulated within the - intended-for-application-class element may be ignored if the - application server is not in one of the named classes of application - servers. Examples of application server classes include "FILESYSTEM", - and other kinds of servers. - - This element and the elements it encapulates may be safely ignored by - applications, application servers, and KDCs that do not implement this - element. - - B.4. KDC Issued - - AD-KDCIssued SEQUENCE { - ad-checksum[0] Checksum, - i-realm[1] Realm OPTIONAL, - i-sname[2] PrincipalName OPTIONAL, - elements[3] AuthorizationData. - } - - ad-checksum - A checksum over the elements field using a cryptographic checksum - method that is identical to the checksum used to protect the - ticket itself (i.e. 
using the same hash function and the same - encryption algorithm used to encrypt the ticket) and using a key - derived from the same key used to protect the ticket. - i-realm, i-sname - The name of the issuing principal if different from the KDC - itself. This field would be used when the KDC can verify the - authenticity of elements signed by the issuing principal and it - allows this KDC to notify the application server of the validity - of those elements. - elements - A sequence of authorization data elements issued by the KDC. - The KDC-issued ad-data field is intended to provide a means for - Kerberos principal credentials to embed within themselves privilege - attributes and other mechanisms for positive authorization, amplifying - the priveleges of the principal beyond what can be done using a - credentials without such an a-data element. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - This can not be provided without this element because the definition - of the authorization-data field allows elements to be added at will by - the bearer of a TGT at the time that they request service tickets and - elements may also be added to a delegated ticket by inclusion in the - authenticator. - - For KDC-issued elements this is prevented because the elements are - signed by the KDC by including a checksum encrypted using the server's - key (the same key used to encrypt the ticket - or a key derived from - that key). Elements encapsulated with in the KDC-issued element will - be ignored by the application server if this "signature" is not - present. Further, elements encapsulated within this element from a - ticket granting ticket may be interpreted by the KDC, and used as a - basis according to policy for including new signed elements within - derivative tickets, but they will not be copied to a derivative ticket - directly. 
If they are copied directly to a derivative ticket by a KDC - that is not aware of this element, the signature will not be correct - for the application ticket elements, and the field will be ignored by - the application server. - - This element and the elements it encapulates may be safely ignored by - applications, application servers, and KDCs that do not implement this - element. - - B.5. And-Or - - AD-AND-OR SEQUENCE { - condition-count[0] INTEGER, - elements[1] AuthorizationData - } - - When restrictive AD elements encapsulated within the and-or element - are encountered, only the number specified in condition-count of the - encapsulated conditions must be met in order to satisfy this element. - This element may be used to implement an "or" operation by setting the - condition-count field to 1, and it may specify an "and" operation by - setting the condition count to the number of embedded elements. - Application servers that do not implement this element must reject - tickets that contain authorization data elements of this type. - - B.6. Mandatory ticket extensions - - AD-Mandatory-Ticket-Extensions SEQUENCE { - te-type[0] INTEGER, - te-checksum[0] Checksum - } - - An authorization data element of type mandatory-ticket-extensions - specifies the type and a collision-proof checksum using the same hash - algorithm used to protect the integrity of the ticket itself. This - checksum will be calculated over an individual extension field of the - type indicated. If there are more than one extension, multiple - Mandatory-Ticket-Extensions authorization data elements may be - present, each with a checksum for a different extension field. This - restriction indicates that the ticket should not be accepted if a - ticket extension is not present in the ticket for which the type and - checksum do not match that checksum specified in the authorization - data element. 
Note that although the type is redundant for the - purposes of the comparison, it makes the comparison easier when - multiple extensions are present. Application servers that do not - implement this element must reject tickets that contain authorization - data elements of this type. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - B.7. Authorization Data in ticket extensions - - AD-IN-Ticket-Extensions Checksum - - An authorization data element of type in-ticket-extensions specifies a - collision-proof checksum using the same hash algorithm used to protect - the integrity of the ticket itself. This checksum is calculated over a - separate external AuthorizationData field carried in the ticket - extensions. Application servers that do not implement this element - must reject tickets that contain authorization data elements of this - type. Application servers that do implement this element will search - the ticket extensions for authorization data fields, calculate the - specified checksum over each authorization data field and look for one - matching the checksum in this in-ticket-extensions element. If not - found, then the ticket must be rejected. If found, the corresponding - authorization data elements will be interpreted in the same manner as - if they were contained in the top level authorization data field. - - Note that if multiple external authorization data fields are present - in a ticket, each will have a corresponding element of type - in-ticket-extensions in the top level authorization data field, and - the external entries will be linked to the corresponding element by - their checksums. - - C. Definition of common ticket extensions - - This appendix contains the definitions of common ticket extensions. - Support for these extensions is optional. 
However, certain extensions - have associated authorization data elements that may require rejection - of a ticket containing an extension by application servers that do not - implement the particular extension. Other extensions have been defined - beyond those described in this specification. Such extensions are - described elswhere and for some of those extensions the reserved - number may be found in the list of constants. - - It is known that older versions of Kerberos did not support this - field, and that some clients will strip this field from a ticket when - they parse and then reassemble a ticket as it is passed to the - application servers. The presence of the extension will not break such - clients, but any functionaly dependent on the extensions will not work - when such tickets are handled by old clients. In such situations, some - implementation may use alternate methods to transmit the information - in the extensions field. - - C.1. Null ticket extension - - TE-NullExtension OctetString -- The empty Octet String - - The te-data field in the null ticket extension is an octet string of - lenght zero. This extension may be included in a ticket granting - ticket so that the KDC can determine on presentation of the ticket - granting ticket whether the client software will strip the extensions - field. - - C.2. External Authorization Data - - TE-ExternalAuthorizationData AuthorizationData - - The te-data field in the external authorization data ticket extension - is field of type AuthorizationData containing one or more - authorization data elements. If present, a corresponding authorization - data element will be present in the primary authorization data for the - ticket and that element will contain a checksum of the external - authorization data ticket extension. 
- -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - ---------------------------------------------------------------------- - [TM] Project Athena, Athena, and Kerberos are trademarks of the - Massachusetts Institute of Technology (MIT). No commercial use of - these trademarks may be made without prior written permission of MIT. - - [1] Note, however, that many applications use Kerberos' functions only - upon the initiation of a stream-based network connection. Unless an - application subsequently provides integrity protection for the data - stream, the identity verification applies only to the initiation of - the connection, and does not guarantee that subsequent messages on the - connection originate from the same principal. - - [2] Secret and private are often used interchangeably in the - literature. In our usage, it takes two (or more) to share a secret, - thus a shared DES key is a secret key. Something is only private when - no one but its owner knows it. Thus, in public key cryptosystems, one - has a public and a private key. - - [3] Of course, with appropriate permission the client could arrange - registration of a separately-named prin- cipal in a remote realm, and - engage in normal exchanges with that realm's services. However, for - even small numbers of clients this becomes cumbersome, and more - automatic methods as described here are necessary. - - [4] Though it is permissible to request or issue tick- ets with no - network addresses specified. - - [5] The password-changing request must not be honored unless the - requester can provide the old password (the user's current secret - key). Otherwise, it would be possible for someone to walk up to an - unattended ses- sion and change another user's password. 
- - [6] To authenticate a user logging on to a local system, the - credentials obtained in the AS exchange may first be used in a TGS - exchange to obtain credentials for a local server. Those credentials - must then be verified by a local server through successful completion - of the Client/Server exchange. - - [7] "Random" means that, among other things, it should be impossible - to guess the next session key based on knowledge of past session keys. - This can only be achieved in a pseudo-random number generator if it is - based on cryptographic principles. It is more desirable to use a truly - random number generator, such as one based on measurements of random - physical phenomena. - - [8] Tickets contain both an encrypted and unencrypted portion, so - cleartext here refers to the entire unit, which can be copied from one - message and replayed in another without any cryptographic skill. - - [9] Note that this can make applications based on unreliable - transports difficult to code correctly. If the transport might deliver - duplicated messages, either a new authenticator must be generated for - each retry, or the application server must match requests and replies - and replay the first reply in response to a detected duplicate. - - [10] This is used for user-to-user authentication as described in [8]. - - [11] Note that the rejection here is restricted to authenticators from - the same principal to the same server. Other client principals - communicating with the same server principal should not be have their - authenticators rejected if the time and microsecond fields happen to - match some other client's authenticator. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - [12] In the Kerberos version 4 protocol, the timestamp in the reply - was the client's timestamp plus one. 
This is not necessary in version - 5 because version 5 messages are formatted in such a way that it is - not possible to create the reply by judicious message surgery (even in - encrypted form) without knowledge of the appropriate encryption keys. - - [13] Note that for encrypting the KRB_AP_REP message, the sub-session - key is not used, even if present in the Authenticator. - - [14] Implementations of the protocol may wish to provide routines to - choose subkeys based on session keys and random numbers and to - generate a negotiated key to be returned in the KRB_AP_REP message. - - [15]This can be accomplished in several ways. It might be known - beforehand (since the realm is part of the principal identifier), it - might be stored in a nameserver, or it might be obtained from a - configura- tion file. If the realm to be used is obtained from a - nameserver, there is a danger of being spoofed if the nameservice - providing the realm name is not authenti- cated. This might result in - the use of a realm which has been compromised, and would result in an - attacker's ability to compromise the authentication of the application - server to the client. - - [16] If the client selects a sub-session key, care must be taken to - ensure the randomness of the selected sub- session key. One approach - would be to generate a random number and XOR it with the session key - from the ticket-granting ticket. - - [17] This allows easy implementation of user-to-user authentication - [8], which uses ticket-granting ticket session keys in lieu of secret - server keys in situa- tions where such secret keys could be easily - comprom- ised. - - [18] For the purpose of appending, the realm preceding the first - listed realm is considered to be the null realm (""). - - [19] For the purpose of interpreting null subfields, the client's - realm is considered to precede those in the transited field, and the - server's realm is considered to follow them. 
- - [20] This means that a client and server running on the same host and - communicating with one another using the KRB_SAFE messages should not - share a common replay cache to detect KRB_SAFE replays. - - [21] The implementation of the Kerberos server need not combine the - database and the server on the same machine; it is feasible to store - the principal database in, say, a network name service, as long as the - entries stored therein are protected from disclosure to and - modification by unauthorized parties. However, we recommend against - such strategies, as they can make system management and threat - analysis quite complex. - - [22] See the discussion of the padata field in section 5.4.2 for - details on why this can be useful. - - [23] Warning for implementations that unpack and repack data - structures during the generation and verification of embedded - checksums: Because any checksums applied to data structures must be - checked against the original data the length of bit strings must be - preserved within a data structure between the time that a checksum is - generated through transmission to the time that the checksum is - verified. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - [24] It is NOT recommended that this time value be used to adjust the - workstation's clock since the workstation cannot reliably determine - that such a KRB_AS_REP actually came from the proper KDC in a timely - manner. - - [25] Note, however, that if the time is used as the nonce, one must - make sure that the workstation time is monotonically increasing. If - the time is ever reset backwards, there is a small, but finite, - probability that a nonce will be reused. - - [27] An application code in the encrypted part of a message provides - an additional check that the message was decrypted properly. 
- - [29] An application code in the encrypted part of a message provides - an additional check that the message was decrypted properly. - - [31] An application code in the encrypted part of a message provides - an additional check that the message was decrypted properly. - - [32] If supported by the encryption method in use, an initialization - vector may be passed to the encryption procedure, in order to achieve - proper cipher chaining. The initialization vector might come from the - last block of the ciphertext from the previous KRB_PRIV message, but - it is the application's choice whether or not to use such an - initialization vector. If left out, the default initialization vector - for the encryption algorithm will be used. - - [33] This prevents an attacker who generates an incorrect AS request - from obtaining verifiable plaintext for use in an off-line password - guessing attack. - - [35] In the above specification, UNTAGGED OCTET STRING(length) is the - notation for an octet string with its tag and length removed. It is - not a valid ASN.1 type. The tag bits and length must be removed from - the confounder since the purpose of the confounder is so that the - message starts with random data, but the tag and its length are fixed. - For other fields, the length and tag would be redundant if they were - included because they are specified by the encryption type. [36] The - ordering of the fields in the CipherText is important. Additionally, - messages encoded in this format must include a length as part of the - msg-seq field. This allows the recipient to verify that the message - has not been truncated. Without a length, an attacker could use a - chosen plaintext attack to generate a message which could be - truncated, while leaving the checksum intact. Note that if the msg-seq - is an encoding of an ASN.1 SEQUENCE or OCTET STRING, then the length - is part of that encoding. 
- - [37] In some cases, it may be necessary to use a different "mix-in" - string for compatibility reasons; see the discussion of padata in - section 5.4.2. - - [38] In some cases, it may be necessary to use a different "mix-in" - string for compatibility reasons; see the discussion of padata in - section 5.4.2. - - [39] A variant of the key is used to limit the use of a key to a - particular function, separating the functions of generating a checksum - from other encryption performed using the session key. The constant - F0F0F0F0F0F0F0F0 was chosen because it maintains key parity. The - properties of DES precluded the use of the complement. The same - constant is used for similar purpose in the Message Integrity Check in - the Privacy Enhanced Mail standard. - - [40] This error carries additional information in the e- data field. - The contents of the e-data field for this message is described in - section 5.9.1. - - diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-set-passwd-02.txt b/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-set-passwd-02.txt deleted file mode 100644 index 6f7dae0dea..0000000000 --- a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-set-passwd-02.txt +++ /dev/null 
@@ -1,325 +0,0 @@ - -INTERNET-DRAFT Mike Swift -draft-ietf-cat-kerberos-set-passwd-02.txt Microsoft -March 2000 Jonathan Trostle - Cisco Systems - John Brezak - Microsoft - Bill Gossman - Cybersafe - - Kerberos Set/Change Password: Version 2 - - -0. Status Of This Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC2026 [1]. - - Internet-Drafts are working documents of the Internet Engineering - Task Force (IETF), its areas, and its working groups. Note that - other groups may also distribute working documents as - Internet-Drafts. - - Internet-Drafts are draft documents valid for a maximum of six - months and may be updated, replaced, or obsoleted by other - documents at any time. It is inappropriate to use Internet- - Drafts as reference material or to cite them other than as - "work in progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - - Comments and suggestions on this document are encouraged. Comments - on this document should be sent to the CAT working group discussion - list: - ietf-cat-wg@stanford.edu - -1. Abstract - - The Kerberos (RFC 1510 [3]) change password protocol (Horowitz [4]), - does not allow for an administrator to set a password for a new user. - This functionality is useful in some environments, and this proposal - extends [4] to allow password setting. The changes are: adding new - fields to the request message to indicate the principal which is - having its password set, not requiring the initial flag in the service - ticket, using a new protocol version number, and adding three new - result codes. We also extend the set/change protocol to allow a - client to send a sequence of keys to the KDC instead of a cleartext - password. 
If in the cleartext password case, the cleartext password - fails to satisfy password policy, the server should use the result - code KRB5_KPASSWD_POLICY_REJECT. - -2. Conventions used in this document - - The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", - - "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in - this document are to be interpreted as described in RFC-2119 [2]. - -3. The Protocol - - The service must accept requests on UDP port 464 and TCP port 464 as - well. The protocol consists of a single request message followed by - a single reply message. For UDP transport, each message must be fully - contained in a single UDP packet. - - For TCP transport, there is a 4 octet header in network byte order - precedes the message and specifies the length of the message. This - requirement is consistent with the TCP transport header in 1510bis. - -Request Message - - 0 1 2 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | message length | protocol version number | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | AP_REQ length | AP-REQ data / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - / KRB-PRIV message / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - All 16 bit fields are in network byte order. - - message length field: contains the number of bytes in the message - including this field. - - protocol version number: contains the hex constant 0x0002 (network - byte order). - - AP-REQ length: length of AP-REQ data, in bytes. If the length is zero, - then the last field contains a KRB-ERROR message instead of a KRB-PRIV - message. - - AP-REQ data: (see [3]) The AP-REQ message must be for the service - principal kadmin/changepw@REALM, where REALM is the REALM of the user - who wishes to change/set his password. 
The ticket in the AP-REQ must - must include a subkey in the Authenticator. To enable setting of - passwords/keys, it is not required that the initial flag be set in the - Kerberos service ticket. The initial flag is required for change requests, - but not for set password requests. We have the following definitions: - - old passwd initial flag target principal can be - in request? required? distinct from - authenticating principal? - - change password: yes yes no - - set password: no no yes - - set key: no policy yes - determined - - KRB-PRIV message (see [3]) This KRB-PRIV message must be generated - using the subkey from the authenticator in the AP-REQ data. - - The user-data component of the message consists of the following ASN.1 - structure encoded as an OCTET STRING: - - ChangePasswdData :: = SEQUENCE { - newpasswdorkeys[0] NewPasswdOrKeys, - targname[1] PrincipalName OPTIONAL, - -- only present in set password: the principal - -- which will have its password set - targrealm[2] Realm OPTIONAL, - -- only present in set password: the realm for - -- the principal which will have its password set - - } - - NewPasswdOrKeys :: = CHOICE { - passwords[0] PasswordSequence, - keyseq[1] KeySequences - } - - KeySequences :: = SEQUENCE OF KeySequence - - KeySequence :: = SEQUENCE { - key[0] EncryptionKey, - salt[1] OCTET STRING OPTIONAL, - salt-type[2] INTEGER OPTIONAL - } - - PasswordSequence :: = SEQUENCE { - newpasswd[0] OCTET STRING, - oldpasswd[1] OCTET STRING OPTIONAL - -- oldpasswd always present for change password - -- but not present for set password - } - - The server must verify the AP-REQ message, check whether the client - principal in the ticket is authorized to set or change the password - (either for that principal, or for the principal in the targname - field if present), and decrypt the new password/keys. The server - also checks whether the initial flag is required for this request, - replying with status 0x0007 if it is not set and should be. 
An - authorization failure is cause to respond with status 0x0005. For - forward compatibility, the server should be prepared to ignore fields - after targrealm in the structure that it does not understand. - - The newpasswdorkeys field contains either the new cleartext password - (with the old cleartext password for a change password operation), - or a sequence of encryption keys with their respective salts. - - In the cleartext password case, if the old password is sent in the - request, the request is defined to be a change password request. If - the old password is not present in the request, the request is a set - password request. The server should apply policy checks to the old - and new password after verifying that the old password is valid. - The server can check validity by obtaining a key from the old - password with a keytype that is present in the KDC database for the - user and comparing the keys for equality. The server then generates - the appropriate keytypes from the password and stores them in the KDC - - database. If all goes well, status 0x0000 is returned to the client - in the reply message (see below). For a change password operation, - the initial flag in the service ticket MUST be set. - - In the key sequence case, the sequence of keys is sent to the set - password service. For a principal that can act as a server, its - preferred keytype should be sent as the first key in the sequence, - but the KDC is not required to honor this preference. Application - servers should use the key sequence option for changing/setting their - keys. The set password service should check that all keys are in the - proper format, returning the KRB5_KPASSWD_MALFORMED error otherwise. 
- -Reply Message - - 0 1 2 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | message length | protocol version number | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | AP_REP length | AP-REP data / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - / KRB-PRIV message / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - - All 16 bit fields are in network byte order. - - message length field: contains the number of bytes in the message - including this field. - - protocol version number: contains the hex constant 0x0002 (network - byte order). (The reply message has the same format as in [4]). - - AP-REP length: length of AP-REP data, in bytes. If the length is zero, - then the last field contains a KRB-ERROR message instead of a KRB-PRIV - message. - - AP-REP data: the AP-REP is the response to the AP-REQ in the request - packet. - - KRB-PRIV from [4]: This KRB-PRIV message must be generated using the - subkey in the authenticator in the AP-REQ data. - - The server will respond with a KRB-PRIV message unless it cannot - validate the client AP-REQ or KRB-PRIV message, in which case it will - respond with a KRB-ERROR message. NOTE: Unlike change password version - 1, the KRB-ERROR message will be sent back without any encapsulation. - - The user-data component of the KRB-PRIV message, or e-data component - of the KRB-ERROR message, must consist of the following data. 
- - 0 1 2 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | result code | result string / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | edata / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - result code (16 bits) (result codes 0-4 are from [4]): - The result code must have one of the following values (network - byte order): - KRB5_KPASSWD_SUCCESS 0 request succeeds (This value is not - allowed in a KRB-ERROR message) - KRB5_KPASSWD_MALFORMED 1 request fails due to being malformed - KRB5_KPASSWD_HARDERROR 2 request fails due to "hard" error in - processing the request (for example, - there is a resource or other problem - causing the request to fail) - KRB5_KPASSWD_AUTHERROR 3 request fails due to an error in - authentication processing - KRB5_KPASSWD_SOFTERROR 4 request fails due to a soft error - in processing the request - KRB5_KPASSWD_ACCESSDENIED 5 requestor not authorized - KRB5_KPASSWD_BAD_VERSION 6 protocol version unsupported - KRB5_KPASSWD_INITIAL_FLAG_NEEDED 7 initial flag required - KRB5_KPASSWD_POLICY_REJECT 8 new cleartext password fails policy; - the result string should include a text message to be presented - to the user. - KRB5_KPASSWD_BAD_PRINCIPAL 9 target principal does not exist - (only in response to a set password request). - KRB5_KPASSWD_ETYPE_NOSUPP 10 the request contains a key sequence - containing at least one etype that is not supported by the KDC. - The response edata contains an ASN.1 encoded PKERB-ETYPE-INFO - type that specifies the etypes that the KDC supports: - - KERB-ETYPE-INFO-ENTRY :: = SEQUENCE { - encryption-type[0] INTEGER, - salt[1] OCTET STRING OPTIONAL -- not sent - } - - PKERB-ETYPE-INFO ::= SEQUENCE OF KERB-ETYPE-INFO-ENTRY - - The client should retry the request using only etypes (keytypes) - that are contained within the PKERB-ETYPE-INFO structure in the - previous response. 
- 0xFFFF if the request fails for some other reason. - The client must interpret any non-zero result code as a failure. - result string - from [4]: - This field is a UTF-8 encoded string which should be displayed - to the user by the client. Specific reasons for a password - set/change policy failure is one use for this string. - edata: used to convey additional information as defined by the - result code. - -4. References - - [1] Bradner, S., "The Internet Standards Process -- Revision 3", BCP - 9, RFC 2026, October 1996. - - [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement - Levels", BCP 14, RFC 2119, March 1997 - - [3] J. Kohl, C. Neuman. The Kerberos Network Authentication - Service (V5), Request for Comments 1510. - - [4] M. Horowitz. Kerberos Change Password Protocol, - ftp://ds.internic.net/internet-drafts/ - draft-ietf-cat-kerb-chg-password-02.txt - -5. Expiration Date - - This draft expires in September 2000. - -6. Authors' Addresses - - Jonathan Trostle - Cisco Systems - 170 W. Tasman Dr. - San Jose, CA 95134 - Email: jtrostle@cisco.com - - Mike Swift - 1 Microsoft Way - Redmond, WA 98052 - Email: mikesw@microsoft.com - - John Brezak - 1 Microsoft Way - Redmond, WA 98052 - Email: jbrezak@microsoft.com - - Bill Gossman - Cybersafe Corporation - 1605 NW Sammamish Rd. - Issaquah, WA 98027-5378 - Email: bill.gossman@cybersafe.com - diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-set-passwd-03.txt b/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-set-passwd-03.txt deleted file mode 100644 index 0319f8bf34..0000000000 --- a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-kerberos-set-passwd-03.txt +++ /dev/null 
@@ -1,345 +0,0 @@ - -INTERNET-DRAFT Mike Swift -draft-ietf-cat-kerberos-set-passwd-03.txt Microsoft -April 2000 Jonathan Trostle - Cisco Systems - John Brezak - Microsoft - Bill Gossman - Cybersafe - - Kerberos Set/Change Password: Version 2 - - -0. Status Of This Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC2026 [1]. - - Internet-Drafts are working documents of the Internet Engineering - Task Force (IETF), its areas, and its working groups. Note that - other groups may also distribute working documents as - Internet-Drafts. - - Internet-Drafts are draft documents valid for a maximum of six - months and may be updated, replaced, or obsoleted by other - documents at any time. It is inappropriate to use Internet- - Drafts as reference material or to cite them other than as - "work in progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - - Comments and suggestions on this document are encouraged. Comments - on this document should be sent to the CAT working group discussion - list: - ietf-cat-wg@stanford.edu - -1. Abstract - - The Kerberos (RFC 1510 [3]) change password protocol (Horowitz [4]), - does not allow for an administrator to set a password for a new user. - This functionality is useful in some environments, and this proposal - extends [4] to allow password setting. The changes are: adding new - fields to the request message to indicate the principal which is - having its password set, not requiring the initial flag in the service - ticket, using a new protocol version number, and adding three new - result codes. We also extend the set/change protocol to allow a - client to send a sequence of keys to the KDC instead of a cleartext - password. 
If in the cleartext password case, the cleartext password - fails to satisfy password policy, the server should use the result - code KRB5_KPASSWD_POLICY_REJECT. - -2. Conventions used in this document - - The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", - - "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in - this document are to be interpreted as described in RFC-2119 [2]. - -3. The Protocol - - The service must accept requests on UDP port 464 and TCP port 464 as - well. The protocol consists of a single request message followed by - a single reply message. For UDP transport, each message must be fully - contained in a single UDP packet. - - For TCP transport, there is a 4 octet header in network byte order - precedes the message and specifies the length of the message. This - requirement is consistent with the TCP transport header in 1510bis. - -Request Message - - 0 1 2 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | message length | protocol version number | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | AP_REQ length | AP-REQ data / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - / KRB-PRIV message / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - All 16 bit fields are in network byte order. - - message length field: contains the number of bytes in the message - including this field. - - protocol version number: contains the hex constant 0x0002 (network - byte order). - - AP-REQ length: length of AP-REQ data, in bytes. If the length is zero, - then the last field contains a KRB-ERROR message instead of a KRB-PRIV - message. - - AP-REQ data: (see [3]) For a change password/key request, the AP-REQ - message service ticket sname, srealm principal identifier is - kadmin/changepw@REALM where REALM is the realm of the change password - service. 
The same applies to a set password/key request except the - principal identifier is kadmin/setpw@REALM. The ticket in the AP-REQ - must include a subkey in the Authenticator. To enable setting of - passwords/keys, it is not required that the initial flag be set in the - Kerberos service ticket. The initial flag is required for change requests, - but not for set requests. We have the following definitions: - - old passwd initial flag target principal can be - in request? required? distinct from - authenticating principal? - - change password: yes yes no - - set password: no policy (*) yes - - set key: no policy (*) yes - - change key: no yes no - - policy (*): implementations SHOULD allow administrators to set the - initial flag required for set requests policy to either yes or no. - Clients MUST be able to retry set requests that fail due to error 7 - (initial flag required) with an initial ticket. Clients SHOULD NOT - cache service tickets targetted at kadmin/changepw. - - KRB-PRIV message (see [3]) This KRB-PRIV message must be generated - using the subkey from the authenticator in the AP-REQ data. - - The user-data component of the message consists of the following ASN.1 - structure encoded as an OCTET STRING: - - ChangePasswdData :: = SEQUENCE { - newpasswdorkeys[0] NewPasswdOrKeys, - targname[1] PrincipalName OPTIONAL, - -- only present in set password/key: the principal - -- which will have its password or keys set. Not - -- present in a set request if the client principal - -- from the ticket is the principal having its - -- passwords or keys set. - targrealm[2] Realm OPTIONAL, - -- only present in set password/key: the realm for - -- the principal which will have its password or - -- keys set. Not present in a set request if the - -- client principal from the ticket is the principal - -- having its passwords or keys set. 
- } - - NewPasswdOrKeys :: = CHOICE { - passwords[0] PasswordSequence, -- change/set passwd - keyseq[1] KeySequences -- change/set key - } - - KeySequences :: = SEQUENCE OF KeySequence - - KeySequence :: = SEQUENCE { - key[0] EncryptionKey, - salt[1] OCTET STRING OPTIONAL, - salt-type[2] INTEGER OPTIONAL - } - - PasswordSequence :: = SEQUENCE { - newpasswd[0] OCTET STRING, - oldpasswd[1] OCTET STRING OPTIONAL - -- oldpasswd always present for change password - -- but not present for set password, set key, or - -- change key - } - - The server must verify the AP-REQ message, check whether the client - principal in the ticket is authorized to set or change the password - (either for that principal, or for the principal in the targname - field if present), and decrypt the new password/keys. The server - also checks whether the initial flag is required for this request, - replying with status 0x0007 if it is not set and should be. An - authorization failure is cause to respond with status 0x0005. For - forward compatibility, the server should be prepared to ignore fields - after targrealm in the structure that it does not understand. - - The newpasswdorkeys field contains either the new cleartext password - (with the old cleartext password for a change password operation), - or a sequence of encryption keys with their respective salts. - - In the cleartext password case, if the old password is sent in the - request, the request MUST be a change password request. If the old - password is not present in the request, the request MUST be a set - password request. The server should apply policy checks to the old - and new password after verifying that the old password is valid. - The server can check validity by obtaining a key from the old - password with a keytype that is present in the KDC database for the - user and comparing the keys for equality. The server then generates - the appropriate keytypes from the password and stores them in the KDC - database. 
If all goes well, status 0x0000 is returned to the client - in the reply message (see below). For a change password operation, - the initial flag in the service ticket MUST be set. - - In the key sequence case, the sequence of keys is sent to the change - or set password service (kadmin/changepw or kadmin/setpw respectively). - For a principal that can act as a server, its preferred keytype should - be sent as the first key in the sequence, but the KDC is not required - to honor this preference. Application servers should use the key - sequence option for changing/setting their keys. The change/set password - services should check that all keys are in the proper format, returning - the KRB5_KPASSWD_MALFORMED error otherwise. - -Reply Message - - 0 1 2 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | message length | protocol version number | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | AP_REP length | AP-REP data / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - / KRB-PRIV message / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - - All 16 bit fields are in network byte order. - - message length field: contains the number of bytes in the message - including this field. - - protocol version number: contains the hex constant 0x0002 (network - byte order). (The reply message has the same format as in [4]). - - AP-REP length: length of AP-REP data, in bytes. If the length is zero, - then the last field contains a KRB-ERROR message instead of a KRB-PRIV - message. - - AP-REP data: the AP-REP is the response to the AP-REQ in the request - packet. - - KRB-PRIV from [4]: This KRB-PRIV message must be generated using the - subkey in the authenticator in the AP-REQ data. 
- - The server will respond with a KRB-PRIV message unless it cannot - validate the client AP-REQ or KRB-PRIV message, in which case it will - respond with a KRB-ERROR message. NOTE: Unlike change password version - 1, the KRB-ERROR message will be sent back without any encapsulation. - - The user-data component of the KRB-PRIV message, or e-data component - of the KRB-ERROR message, must consist of the following data. - - 0 1 2 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | result code | result string / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | edata / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - result code (16 bits) (result codes 0-4 are from [4]): - The result code must have one of the following values (network - byte order): - KRB5_KPASSWD_SUCCESS 0 request succeeds (This value is not - allowed in a KRB-ERROR message) - KRB5_KPASSWD_MALFORMED 1 request fails due to being malformed - KRB5_KPASSWD_HARDERROR 2 request fails due to "hard" error in - processing the request (for example, - there is a resource or other problem - causing the request to fail) - KRB5_KPASSWD_AUTHERROR 3 request fails due to an error in - authentication processing - KRB5_KPASSWD_SOFTERROR 4 request fails due to a soft error - in processing the request - KRB5_KPASSWD_ACCESSDENIED 5 requestor not authorized - KRB5_KPASSWD_BAD_VERSION 6 protocol version unsupported - KRB5_KPASSWD_INITIAL_FLAG_NEEDED 7 initial flag required - KRB5_KPASSWD_POLICY_REJECT 8 new cleartext password fails policy; - the result string should include a text message to be presented - to the user. - KRB5_KPASSWD_BAD_PRINCIPAL 9 target principal does not exist - (only in response to a set password request). - KRB5_KPASSWD_ETYPE_NOSUPP 10 the request contains a key sequence - containing at least one etype that is not supported by the KDC. 
- The response edata contains an ASN.1 encoded PKERB-ETYPE-INFO - type that specifies the etypes that the KDC supports: - - KERB-ETYPE-INFO-ENTRY :: = SEQUENCE { - encryption-type[0] INTEGER, - salt[1] OCTET STRING OPTIONAL -- not sent - } - - PKERB-ETYPE-INFO ::= SEQUENCE OF KERB-ETYPE-INFO-ENTRY - - The client should retry the request using only etypes (keytypes) - that are contained within the PKERB-ETYPE-INFO structure in the - previous response. - 0xFFFF if the request fails for some other reason. - The client must interpret any non-zero result code as a failure. - result string - from [4]: - This field is a UTF-8 encoded string which should be displayed - to the user by the client. Specific reasons for a password - - set/change policy failure is one use for this string. - edata: used to convey additional information as defined by the - result code. - -4. Acknowledgements - - The authors thank Tony Andrea for his input to the document. - -5. References - - [1] Bradner, S., "The Internet Standards Process -- Revision 3", BCP - 9, RFC 2026, October 1996. - - [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement - Levels", BCP 14, RFC 2119, March 1997 - - [3] J. Kohl, C. Neuman. The Kerberos Network Authentication - Service (V5), Request for Comments 1510. - - [4] M. Horowitz. Kerberos Change Password Protocol, - ftp://ds.internic.net/internet-drafts/ - draft-ietf-cat-kerb-chg-password-02.txt - -6. Expiration Date - - This draft expires in October 2000. - -7. Authors' Addresses - - Jonathan Trostle - Cisco Systems - 170 W. Tasman Dr. - San Jose, CA 95134 - Email: jtrostle@cisco.com - - Mike Swift - 1 Microsoft Way - Redmond, WA 98052 - Email: mikesw@microsoft.com - - John Brezak - 1 Microsoft Way - Redmond, WA 98052 - Email: jbrezak@microsoft.com - - Bill Gossman - Cybersafe Corporation - 1605 NW Sammamish Rd. - Issaquah, WA 98027-5378 - Email: bill.gossman@cybersafe.com - 
diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-krb-dns-locate-00.txt b/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-krb-dns-locate-00.txt
deleted file mode 100644
index e76a0e402a..0000000000
--- a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-krb-dns-locate-00.txt
+++ /dev/null
@@ -1,250 +0,0 @@ -INTERNET-DRAFT Ken Hornstein - NRL -June 21, 1999 Jeffrey Altman -Expires: December 21, 1999 Columbia University - - Distributing Kerberos KDC and Realm Information with DNS - -Status of this Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC2026. - - Internet-Drafts are working documents of the Internet Engineering - Task Force (IETF), its areas, and its working groups. Note that - other groups may also distribute working documents as Internet- - Drafts. - - Internet-Drafts are draft documents valid for a maximum of six months - and may be updated, replaced, or obsoleted by other documents at any - time. It is inappropriate to use Internet- Drafts as reference - material or to cite them other than as "work in progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - - Distribution of this memo is unlimited. It is filed as , and expires on December 21, 1999. Please - send comments to the authors. - -Abstract - - Neither the Kerberos V5 protocol [RFC1510] nor the Kerberos V4 proto- - col [RFC????] describe any mechanism for clients to learn critical - configuration information necessary for proper operation of the pro- - tocol. Such information includes the location of Kerberos key dis- - tribution centers or a mapping between DNS domains and Kerberos - realms. - - Current Kerberos implementations generally store such configuration - information in a file on each client machine. Experience has shown - this method of storing configuration information presents problems - with out-of-date information and scaling problems, especially when - -Hornstein, Altman [Page 1] - -RFC DRAFT June 21, 1999 - - using cross-realm authentication. 
- - This memo describes a method for using the Domain Name System - [RFC1035] for storing such configuration information. Specifically, - methods for storing KDC location and hostname/domain name to realm - mapping information are discussed. - -Overview - KDC location information - - KDC location information is to be stored using the DNS SRV RR [RFC - 2052]. The format of this RR is as follows: - - Service.Proto.Realm TTL Class SRV Priority Weight Port Target - - The Service name for Kerberos is always "_kerberos". - - The Proto can be either "_udp" or "_tcp". If these records are to be - used, a "_udp" record MUST be included. If the Kerberos implementa- - tion supports TCP transport, a "_tcp" record SHOULD be included. - - The Realm is the Kerberos realm that this record corresponds to. - - TTL, Class, SRV, Priority, Weight, Port, and Target have the standard - meaning as defined in RFC 2052. - -Example - KDC location information - - These are DNS records for a Kerberos realm ASDF.COM. It has two Ker- - beros servers, kdc1.asdf.com and kdc2.asdf.com. Queries should be - directed to kdc1.asdf.com first as per the specified priority. - Weights are not used in these records. - - _kerberos._udp.ASDF.COM. IN SRV 0 0 88 kdc1.asdf.com. - _kerberos._udp.ASDF.COM. IN SRV 1 0 88 kdc2.asdf.com. - -Overview - KAdmin location information - - Kadmin location information is to be stored using the DNS SRV RR [RFC - 2052]. The format of this RR is as follows: - - Service.Proto.Realm TTL Class SRV Priority Weight Port Target - - The Service name for Kadmin is always "_kadmin". - - The Proto can be either "_udp" or "_tcp". If these records are to be - used, a "_tcp" record MUST be included. If the Kadmin implementation - supports UDP transport, a "_udp" record SHOULD be included. - -Hornstein, Altman [Page 2] - -RFC DRAFT June 21, 1999 - - The Realm is the Kerberos realm that this record corresponds to. 
- - TTL, Class, SRV, Priority, Weight, Port, and Target have the standard - meaning as defined in RFC 2052. - -Example - Kadmin location information - - These are DNS records for a Kerberos realm ASDF.COM. It has one Kad- - min server, kdc1.asdf.com. - - _kadmin._tcp.ASDF.COM. IN SRV 0 0 88 kdc1.asdf.com. - -Overview - Hostname/domain name to Kerberos realm mapping - - Information on the mapping of DNS hostnames and domain names to Ker- - beros realms is stored using DNS TXT records [RFC 1035]. These - records have the following format. - - Service.Name TTL Class TXT Realm - - The Service field is always "_kerberos", and prefixes all entries of - this type. - - The Name is a DNS hostname or domain name. This is explained in - greater detail below. - - TTL, Class, and TXT have the standard DNS meaning as defined in RFC - 1035. - - The Realm is the data for the TXT RR, and consists simply of the Ker- - beros realm that corresponds to the Name specified. - - When a Kerberos client wishes to utilize a host-specific service, it - will perform a DNS TXT query, using the hostname in the Name field of - the DNS query. If the record is not found, the first label of the - name is stripped and the query is retried. - - Compliant implementations MUST query the full hostname and the most - specific domain name (the hostname with the first label removed). - Compliant implementations SHOULD try stripping all subsequent labels - until a match is found or the Name field is empty. - -Example - Hostname/domain name to Kerberos realm mapping - - For the previously mentioned ASDF.COM realm and domain, some sample - records might be as follows: - - _kerberos.asdf.com. IN TXT "ASDF.COM" - -Hornstein, Altman [Page 3] - -RFC DRAFT June 21, 1999 - - _kerberos.mrkserver.asdf.com. IN TXT "MARKETING.ASDF.COM" - _kerberos.salesserver.asdf.com. IN TXT "SALES.ASDF.COM" - - Let us suppose that in this case, a Kerberos client wishes to use a - Kerberized service on the host foo.asdf.com. 
It would first query: - - _kerberos.foo.asdf.com. IN TXT - - Finding no match, it would then query: - - _kerberos.asdf.com. IN TXT - - And find an answer of ASDF.COM. This would be the realm that - foo.asdf.com resides in. - - If another Kerberos client wishes to use a Kerberized service on the - host salesserver.asdf.com, it would query: - - _kerberos.salesserver.asdf.com IN TXT - - And find an answer of SALES.ASDF.COM. - -Security considerations - - As DNS is deployed today, it is an unsecure service. Thus the infor- - mation returned by it cannot be trusted. However, the use of DNS to - store this configuration information does not introduce any new secu- - rity risks to the Kerberos protocol. - - Current practice is to use hostnames to indicate KDC hosts (stored in - some implementation-dependent location, but generally a local config - file). These hostnames are vulnerable to the standard set of DNS - attacks (denial of service, spoofed entries, etc). The design of the - Kerberos protocol limits attacks of this sort to denial of service. - However, the use of SRV records does not change this attack in any - way. They have the same vulnerabilities that already exist in the - common practice of using hostnames for KDC locations. - - The same holds true for the TXT records used to indicate the domain - name to realm mapping. Current practice is to configure these map- - pings locally. But this again is vulnerable to spoofing via CNAME - records that point to hosts in other domains. This has the same - effect as a spoofed TXT record. - - While the described protocol does not introduce any new security - risks to the best of our knowledge, implementations SHOULD provide a - way of specifying this information locally without the use of DNS. - However, to make this feature worthwhile a lack of any configuration - -Hornstein, Altman [Page 4] - -RFC DRAFT June 21, 1999 - - information on a client should be interpretted as permission to use - DNS. 
- -Expiration - - This Internet-Draft expires on December 21, 1999. - -References - - [RFC1510] - The Kerberos Network Authentication System; Kohl, Newman; Sep- - tember 1993. - - [RFC1035] - Domain Names - Implementation and Specification; Mockapetris; - November 1987 - - [RFC2052] - A DNS RR for specifying the location of services (DNS SRV); Gul- - brandsen, Vixie; October 1996 - -Authors' Addresses - - Ken Hornstein - US Naval Research Laboratory - Bldg A-49, Room 2 - 4555 Overlook Avenue - Washington DC 20375 USA - - Phone: +1 (202) 404-4765 - EMail: kenh@cmf.nrl.navy.mil - - Jeffrey Altman - The Kermit Project - Columbia University - 612 West 115th Street #716 - New York NY 10025-7799 USA - - Phone: +1 (212) 854-1344 - EMail: jaltman@columbia.edu - -Hornstein, Altman [Page 5] diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-krb-dns-locate-02.txt b/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-krb-dns-locate-02.txt deleted file mode 100644 index bd31750a15..0000000000 --- a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-krb-dns-locate-02.txt +++ /dev/null 
@@ -1,339 +0,0 @@
-
-
-
-
-
-
-INTERNET-DRAFT Ken Hornstein
- NRL
-March 10, 2000 Jeffrey Altman
-Expires: September 10, 2000 Columbia University
-
-
-
- Distributing Kerberos KDC and Realm Information with DNS
-
-
-Status of this Memo
-
- This document is an Internet-Draft and is in full conformance with
- all provisions of Section 10 of RFC2026.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet- Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- Distribution of this memo is unlimited. It is filed as , and expires on September 10, 2000. Please
- send comments to the authors.
-
-Abstract
-
- Neither the Kerberos V5 protocol [RFC1510] nor the Kerberos V4 proto-
- col [RFC????] describe any mechanism for clients to learn critical
- configuration information necessary for proper operation of the pro-
- tocol. Such information includes the location of Kerberos key dis-
- tribution centers or a mapping between DNS domains and Kerberos
- realms.
-
- Current Kerberos implementations generally store such configuration
- information in a file on each client machine. Experience has shown
- this method of storing configuration information presents problems
- with out-of-date information and scaling problems, especially when
-
-
-
-Hornstein, Altman [Page 1]
-
-RFC DRAFT March 10, 2000
-
-
- using cross-realm authentication.
-
- This memo describes a method for using the Domain Name System
- [RFC1035] for storing such configuration information. Specifically,
- methods for storing KDC location and hostname/domain name to realm
- mapping information are discussed.
-
-DNS vs. Kerberos - Case Sensitivity of Realm Names
-
- In Kerberos, realm names are case sensitive. While it is strongly
- encouraged that all realm names be all upper case this recommendation
- has not been adopted by all sites. Some sites use all lower case
- names and other use mixed case. DNS on the other hand is case insen-
- sitive for queries but is case preserving for responses to TXT
- queries. Since "MYREALM", "myrealm", and "MyRealm" are all different
- it is necessary that the DNS entries be distinguishable.
-
- Since the recommend realm names are all upper case, we will not
- require any quoting to be applied to upper case names. If the realm
- name contains lower case characters each character is to be quoted by
- a '=' character. So "MyRealm" would be represented as "M=yR=e=a=l=m"
- and "myrealm" as "=m=y=r=e=a=l=m". If the realm name contains the
- '=' character it will be represented as "==".
-
-
-Overview - KDC location information
-
- KDC location information is to be stored using the DNS SRV RR [RFC
- 2052]. The format of this RR is as follows:
-
- Service.Proto.Realm TTL Class SRV Priority Weight Port Target
-
- The Service name for Kerberos is always "_kerberos".
-
- The Proto can be either "_udp" or "_tcp". If these records are to be
- used, a "_udp" record MUST be included. If the Kerberos implementa-
- tion supports TCP transport, a "_tcp" record SHOULD be included.
-
- The Realm is the Kerberos realm that this record corresponds to.
-
- TTL, Class, SRV, Priority, Weight, Port, and Target have the standard
- meaning as defined in RFC 2052.
-
-Example - KDC location information
-
- These are DNS records for a Kerberos realm ASDF.COM. It has two Ker-
- beros servers, kdc1.asdf.com and kdc2.asdf.com.
Queries should be
- directed to kdc1.asdf.com first as per the specified priority.
-
-
-
-Hornstein, Altman [Page 2]
-
-RFC DRAFT March 10, 2000
-
-
- Weights are not used in these records.
-
- _kerberos._udp.ASDF.COM. IN SRV 0 0 88 kdc1.asdf.com.
- _kerberos._udp.ASDF.COM. IN SRV 1 0 88 kdc2.asdf.com.
-
-Overview - Kerberos password changing server location information
-
- Kerberos password changing server [KERB-CHG] location is to be stored
- using the DNS SRV RR [RFC 2052]. The format of this RR is as fol-
- lows:
-
- Service.Proto.Realm TTL Class SRV Priority Weight Port Target
-
- The Service name for the password server is always "_kpasswd".
-
- The Proto MUST be "_udp".
-
- The Realm is the Kerberos realm that this record corresponds to.
-
- TTL, Class, SRV, Priority, Weight, Port, and Target have the standard
- meaning as defined in RFC 2052.
-
-Overview - Kerberos admin server location information
-
- Kerberos admin location information is to be stored using the DNS SRV
- RR [RFC 2052]. The format of this RR is as follows:
-
- Service.Proto.Realm TTL Class SRV Priority Weight Port Target
-
- The Service name for the admin server is always "_kerberos-adm".
-
- The Proto can be either "_udp" or "_tcp". If these records are to be
- used, a "_tcp" record MUST be included. If the Kerberos admin imple-
- mentation supports UDP transport, a "_udp" record SHOULD be included.
-
- The Realm is the Kerberos realm that this record corresponds to.
-
- TTL, Class, SRV, Priority, Weight, Port, and Target have the standard
- meaning as defined in RFC 2052.
-
- Note that there is no formal definition of a Kerberos admin protocol,
- so the use of this record is optional and implementation-dependent.
-
-Example - Kerberos administrative server location information
-
- These are DNS records for a Kerberos realm ASDF.COM. It has one
- administrative server, kdc1.asdf.com.
-
-
-
-
-Hornstein, Altman [Page 3]
-
-RFC DRAFT March 10, 2000
-
-
- _kerberos-adm._tcp.ASDF.COM.
IN SRV 0 0 88 kdc1.asdf.com.
-
-Overview - Hostname/domain name to Kerberos realm mapping
-
- Information on the mapping of DNS hostnames and domain names to Ker-
- beros realms is stored using DNS TXT records [RFC 1035]. These
- records have the following format.
-
- Service.Name TTL Class TXT Realm
-
- The Service field is always "_kerberos", and prefixes all entries of
- this type.
-
- The Name is a DNS hostname or domain name. This is explained in
- greater detail below.
-
- TTL, Class, and TXT have the standard DNS meaning as defined in RFC
- 1035.
-
- The Realm is the data for the TXT RR, and consists simply of the Ker-
- beros realm that corresponds to the Name specified.
-
- When a Kerberos client wishes to utilize a host-specific service, it
- will perform a DNS TXT query, using the hostname in the Name field of
- the DNS query. If the record is not found, the first label of the
- name is stripped and the query is retried.
-
- Compliant implementations MUST query the full hostname and the most
- specific domain name (the hostname with the first label removed).
- Compliant implementations SHOULD try stripping all subsequent labels
- until a match is found or the Name field is empty.
-
-Example - Hostname/domain name to Kerberos realm mapping
-
- For the previously mentioned ASDF.COM realm and domain, some sample
- records might be as follows:
-
- _kerberos.asdf.com. IN TXT "ASDF.COM"
- _kerberos.mrkserver.asdf.com. IN TXT "MARKETING.ASDF.COM"
- _kerberos.salesserver.asdf.com. IN TXT "SALES.ASDF.COM"
-
- Let us suppose that in this case, a Kerberos client wishes to use a
- Kerberized service on the host foo.asdf.com. It would first query:
-
- _kerberos.foo.asdf.com. IN TXT
-
- Finding no match, it would then query:
-
-
-
-
-Hornstein, Altman [Page 4]
-
-RFC DRAFT March 10, 2000
-
-
- _kerberos.asdf.com. IN TXT
-
- And find an answer of ASDF.COM. This would be the realm that
- foo.asdf.com resides in.
-
- If another Kerberos client wishes to use a Kerberized service on the
- host salesserver.asdf.com, it would query:
-
- _kerberos.salesserver.asdf.com IN TXT
-
- And find an answer of SALES.ASDF.COM.
-
-Security considerations
-
- As DNS is deployed today, it is an unsecure service. Thus the infor-
- mation returned by it cannot be trusted.
-
- Current practice for REALM to KDC mapping is to use hostnames to
- indicate KDC hosts (stored in some implementation-dependent location,
- but generally a local config file). These hostnames are vulnerable
- to the standard set of DNS attacks (denial of service, spoofed
- entries, etc). The design of the Kerberos protocol limits attacks of
- this sort to denial of service. However, the use of SRV records does
- not change this attack in any way. They have the same vulnerabili-
- ties that already exist in the common practice of using hostnames for
- KDC locations.
-
- Current practice for HOSTNAME to REALM mapping is to provide a local
- configuration of mappings of hostname or domain name to realm which
- are then mapped to KDCs. But this again is vulnerable to spoofing
- via CNAME records that point to hosts in other domains. This has the
- same effect as when a TXT record is spoofed. In a realm with no
- cross-realm trusts this is a DoS attack. However, when cross-realm
- trusts are used it is possible to redirect a client to use a comprom-
- ised realm.
-
- This is not an exploit of the Kerberos protocol but of the Kerberos
- trust model. The same can be done to any application that must
- resolve the hostname in order to determine which domain a non-FQDN
- belongs to.
-
- Implementations SHOULD provide a way of specifying this information
- locally without the use of DNS. However, to make this feature
- worthwhile a lack of any configuration information on a client should
- be interpretted as permission to use DNS.
-
-
-
-
-
-
-Hornstein, Altman [Page 5]
-
-RFC DRAFT March 10, 2000
-
-
-Expiration
-
- This Internet-Draft expires on September 10, 2000.
-
-References
-
-
- [RFC1510]
- The Kerberos Network Authentication System; Kohl, Newman; Sep-
- tember 1993.
-
- [RFC1035]
- Domain Names - Implementation and Specification; Mockapetris;
- November 1987
-
- [RFC2782]
- A DNS RR for specifying the location of services (DNS SRV); Gul-
- brandsen, Vixie; Feburary 2000
-
- [KERB-CHG]
- Kerberos Change Password Protocol; Horowitz;
- ftp://ds.internic.net/internet-drafts/draft-ietf-cat-kerb-chg-
- password-02.txt
-
-Authors' Addresses
-
- Ken Hornstein
- US Naval Research Laboratory
- Bldg A-49, Room 2
- 4555 Overlook Avenue
- Washington DC 20375 USA
-
- Phone: +1 (202) 404-4765
- EMail: kenh@cmf.nrl.navy.mil
-
- Jeffrey Altman
- The Kermit Project
- Columbia University
- 612 West 115th Street #716
- New York NY 10025-7799 USA
-
- Phone: +1 (212) 854-1344
- EMail: jaltman@columbia.edu
-
-
-
-
-
-
-
-
-Hornstein, Altman [Page 6]
-
diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-krb5gss-mech2-03.txt b/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-krb5gss-mech2-03.txt
deleted file mode 100644
index 11e5dc9f95..0000000000
--- a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-cat-krb5gss-mech2-03.txt
+++ /dev/null
@@ -1,1333 +0,0 @@ - -INTERNET-DRAFT Tom Yu -Common Authentication Technology WG MIT -draft-ietf-cat-krb5gss-mech2-03.txt 04 March 2000 - - The Kerberos Version 5 GSSAPI Mechanism, Version 2 - -Status of This Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC2026. - - Internet-Drafts are working documents of the Internet Engineering - Task Force (IETF), its areas, and its working groups. Note that - other groups may also distribute working documents as Internet- - Drafts. - - Internet-Drafts are draft documents valid for a maximum of six months - and may be updated, replaced, or obsoleted by other documents at any - time. It is inappropriate to use Internet-Drafts as reference - material or to cite them other than as "work in progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - - Comments on this document should be sent to - "ietf-cat-wg@lists.stanford.edu", the IETF Common Authentication - Technology WG discussion list. - -Abstract - - This document defines protocols, procedures, and conventions to be - employed by peers implementing the Generic Security Service - Application Program Interface (as specified in RFC 2743) when using - Kerberos Version 5 technology (as specified in RFC 1510). This - obsoletes RFC 1964. - -Acknowledgements - - Much of the material in this specification is based on work done for - Cygnus Solutions by Marc Horowitz. - -Table of Contents - - Status of This Memo ............................................ 1 - Abstract ....................................................... 1 - Acknowledgements ............................................... 1 - Table of Contents .............................................. 1 - 1. Introduction ............................................... 3 - 2. 
Token Formats .............................................. 3 - 2.1. Packet Notation ....................................... 3 - -Yu Document Expiration: 04 Sep 2000 [Page 1] - -Internet-Draft krb5-gss-mech2-03 March 2000 - - 2.2. Mechanism OID ......................................... 4 - 2.3. Context Establishment ................................. 4 - 2.3.1. Option Format .................................... 4 - 2.3.1.1. Delegated Credentials Option ................ 5 - 2.3.1.2. Null Option ................................. 5 - 2.3.2. Initial Token .................................... 6 - 2.3.2.1. Data to be Checksummed in APREQ ............. 8 - 2.3.3. Response Token ................................... 10 - 2.4. Per-message Tokens .................................... 12 - 2.4.1. Sequence Number Usage ............................ 12 - 2.4.2. MIC Token ........................................ 12 - 2.4.2.1. Data to be Checksummed in MIC Token ......... 13 - 2.4.3. Wrap Token ....................................... 14 - 2.4.3.1. Wrap Token With Integrity Only .............. 14 - 2.4.3.2. Wrap Token With Integrity and Encryption - ............................................. 15 - 2.4.3.2.1. Data to be Encrypted in Wrap Token ..... 16 - 3. ASN.1 Encoding of Octet Strings ............................ 17 - 4. Name Types ................................................. 18 - 4.1. Mandatory Name Forms .................................. 18 - 4.1.1. Kerberos Principal Name Form ..................... 18 - 4.1.2. Exported Name Object Form for Kerberos5 - Mechanism ........................................ 19 - 5. Credentials ................................................ 20 - 6. Parameter Definitions ...................................... 20 - 6.1. Minor Status Codes .................................... 20 - 6.1.1. Non-Kerberos-specific codes ...................... 21 - 6.1.2. Kerberos-specific-codes .......................... 21 - 7. 
Kerberos Protocol Dependencies ............................. 22 - 8. Security Considerations .................................... 22 - 9. References ................................................. 22 - 10. Author's Address .......................................... 23 - - - - - - - - - - - - - - - - - - - - - - -Yu Document Expiration: 04 Sep 2000 [Page 2] - -Internet-Draft krb5-gss-mech2-03 March 2000 - -1. Introduction - - The original Kerberos 5 GSSAPI mechanism[RFC1964] has a number of - shortcomings. This document attempts to remedy them by defining a - completely new Kerberos 5 GSSAPI mechanism. - - The context establishment token format requires that the - authenticator of AP-REQ messages contain a cleartext data structure - in its checksum field, which is a needless and potentially confusing - overloading of that field. This is implemented by a special checksum - algorithm whose purpose is to copy the input data directly into the - checksum field of the authenticator. - - The number assignments for checksum algorithms and for encryption - types are inconsistent between the Kerberos protocol and the original - GSSAPI mechanism. If new encryption or checksum algorithms are added - to the Kerberos protocol at some point, the GSSAPI mechanism will - need to be separately updated to use these new algorithms. - - The original mechanism specifies a crude method of key derivation (by - using the XOR of the context key with a fixed constant), which is - incompatible with newer cryptosystems which specify key derivation - procedures themselves. The original mechanism also assumes that both - checksums and cryptosystem blocksizes are eight bytes. - - Defining all GSSAPI tokens for the new Kerberos 5 mechanism in terms - of the Kerberos protocol specification ensures that new encryption - types and checksum types may be automatically used as they are - defined for the Kerberos protocol. - -2. 
Token Formats - - All tokens, not just the initial token, are framed as the - InitialContextToken described in RFC 2743 section 3.1. The - innerContextToken element of the token will not itself be encoded in - ASN.1, with the exception of caller-provided application data. - - One rationale for avoiding the use of ASN.1 in the inner token is - that some implementors may wish to implement this mechanism in a - kernel or other similarly constrained application where handling of - full ASN.1 encoding may be cumbersome. Also, due to the poor - availability of the relevant standards documents, ASN.1 encoders and - decoders are difficult to implement completely correctly, so keeping - ASN.1 usage to a minimum decreases the probability of bugs in the - implementation of the mechanism. In particular, bit strings need to - be transferred at certain points in this mechanism. There are many - conflicting common misunderstandings of how to encode and decode - ASN.1 bit strings, which have led difficulties in the implementaion - of the Kerberos protocol. - - - - - -Yu Document Expiration: 04 Sep 2000 [Page 3] - -Internet-Draft krb5-gss-mech2-03 March 2000 - -2.1. Packet Notation - - The order of transmission of this protocol is described at the octet - level. Packet diagrams depict bits in the order of transmission, - assuming that individual octets are transmitted with the most - significant bit (MSB) first. The diagrams read from left to right - and from top to bottom, as in printed English. In each octet, bit - number 7 is the MSB and bit number 0 is the LSB. - - Numbers prefixed by the characters "0x" are in hexadecimal notation, - as in the C programming language. Even though packet diagrams are - drawn 16 bits wide, no padding should be used to align the ends of - variable-length fields to a 32-bit or 16-bit boundary. - - All integer fields are in network byte order. All other fields have - the size shown in the diagrams, with the exception of variable length - fields. 
- -2.2. Mechanism OID - - The Object Identifier (OID) of the new krb5 v2 mechanism is: - - {iso(1) member-body(2) us(840) mit(113554) infosys(1) gssapi(2) - krb5v2(3)} - - -2.3. Context Establishment - -2.3.1. Option Format - - Context establishment tokens, i.e., the initial ones that the - GSS_Init_sec_context() and the GSS_Accept_sec_context() calls emit - while a security context is being set up, may contain options that - influence the subsequent behavior of the context. This document - describes only a small set of options, but additional types may be - added by documents intended to supplement this one. The generic - format is as follows: - - bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | -byte +-------------------------------+-------------------------------+ - 0 | option type | - +-------------------------------+-------------------------------+ - 2 | | - +-- option length (32 bits) --+ - 4 | | - +-------------------------------+-------------------------------+ - 6 | . | - / option data (variable length) / - | . | - +-------------------------------+-------------------------------+ - - - - -Yu Document Expiration: 04 Sep 2000 [Page 4] - -Internet-Draft krb5-gss-mech2-03 March 2000 - - option type (16 bits) - The type identifier of the following option. - - option length (32 bits) - The length in bytes of the following option. - - option data (variable length) - The actual option data. - - Any number of options may appear in an initator or acceptor token. - The final option in a token must be the null option, in order to mark - the end of the list. Option type 0xffff is reserved. - - The initiator and acceptor shall ignore any options that they do not - understand. - -2.3.1.1. Delegated Credentials Option - - Only the initiator may use this option. 
The format of the delegated - credentials option is as follows: - - bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | -byte +-------------------------------+-------------------------------+ - 0 | option type = 0x00001 | - +-------------------------------+-------------------------------+ - 2 | | - +-- KRB-CRED length --+ - 4 | | - +-------------------------------+-------------------------------+ - 6 | . | - / KRB-CRED message / - | . | - +-------------------------------+-------------------------------+ - - - option type (16 bits) - The option type for this option shall be 0x0001. - - KRB-CRED length (32 bits) - The length in bytes of the following KRB-CRED message. - - KRB-CRED message (variable length) - The option data for this option shall be the KRB-CRED message - that contains the credentials being delegated (forwarded) to the - context acceptor. Only the initiator may use this option. - -2.3.1.2. Null Option - - The Null option terminates the option list, and must be used by both - the initiator and the acceptor. Its format is as follows: - - - - -Yu Document Expiration: 04 Sep 2000 [Page 5] - -Internet-Draft krb5-gss-mech2-03 March 2000 - - bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | -byte +-------------------------------+-------------------------------+ - 0 | option type = 0 | - +-------------------------------+-------------------------------+ - 2 | | - +-- length = 0 --+ - 4 | | - +-------------------------------+-------------------------------+ - - - option type (16 bits) - The option type of this option must be zero. - - option length (32 bits) - The length of this option must be zero. - -2.3.2. Initial Token - - This is the initial token sent by the context initiator, generated by - GSS_Init_sec_context(). 
- - bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | -byte +-------------------------------+-------------------------------+ - 0 | initial token id = 0x0101 | - +-------------------------------+-------------------------------+ - 2 | | - +-- reserved flag bits +-----------------------+ - 4 | | I | C | S | R | M | D | - +-------------------------------+-------------------------------+ - 6 | checksum type count | - +-------------------------------+-------------------------------+ - 8 | . | - / checksum type list / - | . | - +-------------------------------+-------------------------------+ - n | . | - / options / - | . | - +-------------------------------+-------------------------------+ - m | | - +-- AP-REQ length --+ - m+2 | | - +-------------------------------+-------------------------------+ - m+4 | . | - / AP-REQ data / - | . | - +-------------------------------+-------------------------------+ - - - initial token ID (16 bits) - Contains the integer 0x0101, which identifies this as the - initial token in the context setup. - - -Yu Document Expiration: 04 Sep 2000 [Page 6] - -Internet-Draft krb5-gss-mech2-03 March 2000 - - reserved flag bits (26 bits) - These bits are reserved for future expansion. They must be set - to zero by the initiator and be ignored by the acceptor. - - I flag (1 bit) - 0x00000020 -- GSS_C_INTEG_FLAG - - C flag (1 bit) - 0x00000010 -- GSS_C_CONF_FLAG - - S flag (1 bit) - 0x00000008 -- GSS_C_SEQUENCE_FLAG - - R flag (1 bit) - 0x00000004 -- GSS_C_REPLAY_FLAG - - M flag (1 bit) - 0x00000002 -- GSS_C_MUTUAL_FLAG - - D flag (1 bit) - 0x00000001 -- GSS_C_DELEG_FLAG; This flag must be set if the - "delegated credentials" option is included. - - checksum type count (16 bits) - The number of checksum types supported by the initiator. - - checksum type list (variable length) - A list of Kerberos checksum types, as defined in RFC 1510 - section 6.4. 
These checksum types must be collision-proof and - keyed with the context key; no checksum types that are - incompatible with the encryption key shall be used. Each - checksum type number shall be 32 bits wide. This list should - contain all the checksum types supported by the initiator. If - mutual authentication is not used, then this list shall contain - only one checksum type. - - options (variable length) - The context initiation options, described in section 2.3.1. - - AP-REQ length (32 bits) - The length of the following KRB_AP_REQ message. - - AP-REQ data (variable length) - The AP-REQ message as described in RFC 1510. The checksum in - the authenticator will be computed over the items listed in the - next section. - - The optional sequence number field shall be used in the AP-REQ. The - initiator should generate a subkey in the authenticator, and the - acceptor should generate a subkey in the AP-REP. The key used for - the per-message tokens will be the AP-REP subkey, or if that is not - present, the authenticator subkey, or if that is not present, the - session key. When subkeys are generated, it is strongly recommended - -Yu Document Expiration: 04 Sep 2000 [Page 7] - -Internet-Draft krb5-gss-mech2-03 March 2000 - - that they be of the same type as the associated session key. - - XXX The above is not secure. There should be an algorithmic process - to arrive at a subsession key which both sides of the authentication - exchange can perform based on the ticket sessions key and data known - to both parties, and this should probably be part of the revised - Kerberos protocol rather than bound to the GSSAPI mechanism. - -2.3.2.1. Data to be Checksummed in AP-REQ - - The checksum in the AP-REQ message is calculated over the following - items. Like in the actual tokens, no padding should be added to - force integer fields to align on 32 bit boundaries. 
This particular - set of data should not be sent as a part of any token; it merely - specifies what is to be checksummed in the AP-REQ. The items in this - encoding that precede the initial token ID correspond to the channel - bindings passed to GSS_Init_sec_context(). - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Yu Document Expiration: 04 Sep 2000 [Page 8] - -Internet-Draft krb5-gss-mech2-03 March 2000 - - bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | -byte +-------------------------------+-------------------------------+ - 0 | | - +-- initiator address type --+ - 2 | | - +-------------------------------+-------------------------------+ - 4 | initiator address length | - +-------------------------------+-------------------------------+ - 6 | . | - / initiator address / - | . | - +-------------------------------+-------------------------------+ - n | | - +-- acceptor address type --+ - | | - +-------------------------------+-------------------------------+ - n+4 | acceptor address length | - +-------------------------------+-------------------------------+ - n+6 | . | - / acceptor address / - | . | - +-------------------------------+-------------------------------+ - m | . | - / application data / - | . | - +-------------------------------+-------------------------------+ - k | initial token id = 0x0101 | - +-------------------------------+-------------------------------+ - k+2 | | - +-- flags --+ - k+4 | | - +-------------------------------+-------------------------------+ - k+6 | checksum type count | - +-------------------------------+-------------------------------+ - k+8 | . | - / checksum type list / - | . | - +-------------------------------+-------------------------------+ - j | . | - / options / - | . | - +-------------------------------+-------------------------------+ - - - initiator address type (32 bits) - The initiator address type, as defined in the Kerberos protocol - specification. 
If no initiator address is provided, this must - be zero. - - initiator address length (16 bits) - The length in bytes of the following initiator address. If - there is no inititator address provided, this must be zero. - - -Yu Document Expiration: 04 Sep 2000 [Page 9] - -Internet-Draft krb5-gss-mech2-03 March 2000 - - initiator address (variable length) - The actual initiator address, in network byte order. - - acceptor address type (32 bits) - The acceptor address type, as defined in the Kerberos protocol - specification. If no acceptor address is provided, this must be - zero. - - acceptor address length (16 bits) - The length in bytes of the following acceptor address. This - must be zero is there is no acceptor address provided. - - initiator address (variable length) - The actual acceptor address, in network byte order. - - applicatation data (variable length) - The application data, if provided, encoded as a ASN.1 octet - string using DER. If no application data are passed as input - channel bindings, this shall be a zero-length ASN.1 octet - string. - - initial token ID (16 bits) - The initial token ID from the initial token. - - flags (32 bits) - The context establishment flags from the initial token. - - checksum type count (16 bits) - The number of checksum types supported by the initiator. - - checksum type list (variable length) - The same list of checksum types contained in the initial token. - - options (variable length) - The options list from the initial token. - -2.3.3. Response Token - - This is the reponse token sent by the context acceptor, if mutual - authentication is enabled. 
- - - - - - - - - - - - - - -Yu Document Expiration: 04 Sep 2000 [Page 10] - -Internet-Draft krb5-gss-mech2-03 March 2000 - - bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | -byte +-------------------------------+-------------------------------+ - 0 | response token id = 0x0202 | - +-------------------------------+-------------------------------+ - 2 | | - +-- reserved flag bits +-------+ - 4 | | D | E | - +-------------------------------+-------------------------------+ - 6 | | - +-- checksum type --+ - 8 | | - +-------------------------------+-------------------------------+ - 10 | . | - / options / - | . | - +-------------------------------+-------------------------------+ - n | | - +-- AP-REP or KRB-ERROR length --+ - n+2 | | - +-------------------------------+-------------------------------+ - n+4 | . | - / AP-REP or KRB-ERROR data / - | . | - +-------------------------------+-------------------------------+ - m | . | - / MIC data / - | . | - +-------------------------------+-------------------------------+ - - - response token id (16 bits) - Contains the integer 0x0202, which identifies this as the - response token in the context setup. - - reserved flag bits (30 bits) - These bits are reserved for future expansion. They must be set - to zero by the acceptor and be ignored by the initiator. - - D flag -- delegated creds accepted (1 bit) - 0x00000002 -- If this flag is set, the acceptor processed the - delegated credentials, and GSS_C_DELEG_FLAG should be returned - to the caller. - - E flag -- error (1 bit) - 0x00000001 -- If this flag is set, a KRB-ERROR message shall be - present, rather than an AP-REP message. If this flag is not - set, an AP-REP message shall be present. - - checksum type count (16 bits) - The number of checksum types supported by both the initiator and - the acceptor. 
- - - -Yu Document Expiration: 04 Sep 2000 [Page 11] - -Internet-Draft krb5-gss-mech2-03 March 2000 - - checksum type (32 bits) - A Kerberos checksum type, as defined in RFC 1510 section 6.4. - This checksum type must be among the types listed by the - initiator, and will be used in for subsequent checksums - generated during this security context. - - options (variable length) - The option list, as described earlier. At this time, no options - are defined for the acceptor, but an implementation might make - use of these options to acknowledge an option from the initial - token. After all the options are specified, a null option must - be used to terminate the list. - - AP-REP or KRB-ERROR length (32 bits) - Depending on the value of the error flag, length in bytes of the - AP-REP or KRB-ERROR message. - - AP-REP or KRB-ERROR data (variable length) - Depending on the value of the error flag, the AP-REP or - KRB-ERROR message as described in RFC 1510. If this field - contains an AP-REP message, the sequence number field in the - AP-REP shall be filled. If this is a KRB-ERROR message, no - further fields will be in this message. - - MIC data (variable length) - A MIC token, as described in section 2.4.2, computed over the - concatentation of the response token ID, flags, checksum length - and type fields, and all option fields. This field and the - preceding length field must not be present if the error flag is - set. - -2.4. Per-message Tokens - -2.4.1. Sequence Number Usage - - Sequence numbers for per-message tokens are 31 bit unsigned integers, - which are incremented by 1 after each token. An overflow condition - should result in a wraparound of the sequence number to zero. The - initiator and acceptor each keep their own sequence numbers per - connection. - - The intial sequence number for tokens sent from the initiator to the - acceptor shall be the least significant 31 bits of sequence number in - the AP-REQ message. 
The initial sequence number for tokens sent from - the acceptor to the initiator shall be the least significant 31 bits - of the sequence number in the AP-REP message if mutual authentication - is used; if mutual authentication is not used, the initial sequence - number from acceptor to initiator shall be the least significant 31 - bits of the sequence number in the AP-REQ message. - - - - - -Yu Document Expiration: 04 Sep 2000 [Page 12] - -Internet-Draft krb5-gss-mech2-03 March 2000 - -2.4.2. MIC Token - - Use of the GSS_GetMIC() call yields a token, separate from the user - data being protected, which can be used to verify the integrity of - that data when it is received. The MIC token has the following - format: - - bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | -byte +-------------------------------+-------------------------------+ - 0 | MIC token id = 0x0303 | - +-------------------------------+-------------------------------+ - 2 | D | | - +---+ sequence number --+ - 4 | | - +-------------------------------+-------------------------------+ - 6 | checksum length | - +-------------------------------+-------------------------------+ - 8 | . | - / checksum data / - | . | - +-------------------------------+-------------------------------+ - - - MIC token id (16 bits) - Contains the integer 0x0303, which identifies this as a MIC - token. - - D -- direction bit (1 bit) - This bit shall be zero if the message is sent from the context - initiator. If the message is sent from the context acceptor, - this bit shall be one. - - sequence number (31 bits) - The sequence number. - - checksum length (16 bits) - The number of bytes in the following checksum data field. - - checksum data (variable length) - The checksum itself, as defined in RFC 1510 section 6.4. The - checksum is calculated over the encoding described in the - following section. 
The key usage GSS_TOK_MIC -- 22 [XXX need to - register this] shall be used in cryptosystems that support key - derivation. - - The mechanism implementation shall only use the checksum type - returned by the acceptor in the case of mutual authentication. If - mutual authentication is not requested, then only the checksum type - in the initiator token shall be used. - - - - - -Yu Document Expiration: 04 Sep 2000 [Page 13] - -Internet-Draft krb5-gss-mech2-03 March 2000 - -2.4.2.1. Data to be Checksummed in MIC Token - - The checksum in the MIC token shall be calculated over the following - elements. This set of data is not actually included in the token as - is; the description only appears for the purpose of specifying the - method of calculating the checksum. - - bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | -byte +-------------------------------+-------------------------------+ - 0 | MIC token id = 0x0303 | - +-------------------------------+-------------------------------+ - 2 | D | | - +---+ sequence number --+ - 4 | | - +-------------------------------+-------------------------------+ - 6 | . | - / application data / - | . | - +-------------------------------+-------------------------------+ - - - MIC token ID (16 bits) - The MIC token ID from the MIC message. - - D -- direction bit (1 bit) - This bit shall be zero if the message is sent from the context - initiator. If the message is sent from the context acceptor, - this bit shall be one. - - sequence number (31 bits) - The sequence number. - - application data (variable length) - The application-supplied data, encoded as an ASN.1 octet string - using DER. - -2.4.3. Wrap Token - - Use of the GSS_Wrap() call yields a token which encapsulates the - input user data (optionally encrypted) along with associated - integrity check quantities. - -2.4.3.1. 
Wrap Token With Integrity Only - - - - - - - - - - - -Yu Document Expiration: 04 Sep 2000 [Page 14] - -Internet-Draft krb5-gss-mech2-03 March 2000 - - bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | -byte +-------------------------------+-------------------------------+ - 0 | integrity wrap token id = 0x0404 | - +-------------------------------+-------------------------------+ - 2 | D | | - +---+ sequence number --+ - 4 | | - +-------------------------------+-------------------------------+ - 6 | . | - / application data / - | . | - +-------------------------------+-------------------------------+ - n | checksum length | - +-------------------------------+-------------------------------+ - n+2 | . | - / checksum data / - | . | - +-------------------------------+-------------------------------+ - - - integrity wrap token id (16 bits) - Contains the integer 0x0404, which identifies this as a Wrap - token with integrity only. - - D -- direction bit (1 bit) - This bit shall be zero if the message is sent from the context - initiator. If the message is sent from the context acceptor, - this bit shall be one. - - sequence number (31 bits) - The sequence number. - - application data (variable length) - The application-supplied data, encoded as an ASN.1 octet string - using DER. - - checksum length (16 bits) - The number of bytes in the following checksum data field. - - checksum data (variable length) - The checksum itself, as defined in RFC 1510 section 6.4, - computed over the concatenation of the token ID, sequence - number, direction field, application data length, and - application data, as in the MIC token checksum in the previous - section. The key usage GSS_TOK_WRAP_INTEG -- 23 [XXX need to - register this] shall be used in cryptosystems that support key - derivation. - - The mechanism implementation should only use checksum types which it - knows to be valid for both peers, as described for MIC tokens. 
- - - - -Yu Document Expiration: 04 Sep 2000 [Page 15] - -Internet-Draft krb5-gss-mech2-03 March 2000 - -2.4.3.2. Wrap Token With Integrity and Encryption - - bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | -byte +-------------------------------+-------------------------------+ - | encrypted wrap token id = 0x0505 | - +-------------------------------+-------------------------------+ - 2 | . | - / encrypted data / - | . | - +-------------------------------+-------------------------------+ - - - encrypted wrap token id (16 bits) - Contains the integer 0x0505, which identifies this as a Wrap - token with integrity and encryption. - - encrypted data (variable length) - The encrypted data itself, as defined in RFC 1510 section 6.3, - encoded as an ASN.1 octet string using DER. Note that this is - not the ASN.1 type EncryptedData as defined in RFC 1510 - section 6.1, but rather the ciphertext without encryption type - or kvno information. The encryption is performed using the - key/enctype exchanged during context setup. The confounder and - checksum are as specified in the Kerberos protocol - specification. The key usage GSS_TOK_WRAP_PRIV -- 24 [XXX need - to register this] shall be used in cryptosystems that support - key derivation. The actual data to be encrypted are specified - below. - -2.4.3.2.1. Data to be Encrypted in Wrap Token - - bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | -byte +-------------------------------+-------------------------------+ - 0 | D | | - +---+ sequence number --+ - 2 | | - +-------------------------------+-------------------------------+ - 4 | . | - / application data / - | . | - +-------------------------------+-------------------------------+ - - - D -- direction bit (1 bit) - This bit shall be zero if the message is sent from the context - initiator. If the message is sent from the context acceptor, - this bit shall be one. - - sequence number (31 bits) - The sequence number. 
- - application data (variable length) - The application-supplied data, encoded as an ASN.1 octet string - -Yu Document Expiration: 04 Sep 2000 [Page 16] - -Internet-Draft krb5-gss-mech2-03 March 2000 - - using DER. - -3. ASN.1 Encoding of Octet Strings - - In order to encode arbitirarly-sized application data, ASN.1 octet - string encoding is in this protocol. The Distinguished Encoding - Rules (DER) shall always be used in such cases. For reference - purposes, the DER encoding of an ASN.1 octet string, adapted from - ITU-T X.690, follows: - - +--------+-------//-------+-------//-------+ - |00000100| length octets |contents octets | - +--------+-------//-------+-------//-------+ - | - +-- identifier octet = 0x04 = [UNIVERSAL 4] - - - In this section only, the bits in each octet shall be numbered as in - the ASN.1 specification, from 8 to 1, with bit 8 being the MSB of the - octet, and with bit 1 being the LSB of the octet. - - identifier octet (8 bits) - Contains the constant 0x04, the tag for primitive encoding of an - octet string with the default (UNIVERSAL 4) tag. - - length octets (variable length) - Contains the length of the contents octets, in definite form - (since this encoding uses DER). - - contents octets (variable length) - The contents of the octet string. - - The length octets shall consist of either a short form (one byte - only), which is to be used only if the number of octets in the - contents octets is less than or equal to 127, or a long form, which - is to be used in all other cases. The short form shall consist of a - single octet with bit 8 (the MSB) equal to zero, and the remaining - bits encoding the number of contents octets (which may be zero) as an - unsigned binary integer. - - The long form shall consist of an initial octet and one or more - subsequent octets. 
The first octet shall have bit 8 (the MSB) set to - one, and the remaining bits shall encode the number of subsequent - octets in the length encoding as an unsigned binary integer. The - length must be encoded in the minimum number of octets. An initial - octet of 0xFF is reserved by the ASN.1 specification. Bits 8 to 1 of - the first subsequent octet, followed by bits 8 to 1 of each - subsequent octet in order, shall be the encoding of an unsigned - binary integer, with bit 8 of the first octet being the most - significant bit. Thus, the length encoding within is in network byte - order. - - - -Yu Document Expiration: 04 Sep 2000 [Page 17] - -Internet-Draft krb5-gss-mech2-03 March 2000 - - An initial length octet of 0x80 shall not be used, as that is - reserved by the ASN.1 specification for indefinite lengths in - conjunction with constructed contents encodings, which are not to be - used with DER. - -4. Name Types - - This section discusses the name types which may be passed as input to - the Kerberos 5 GSSAPI mechanism's GSS_Import_name() call, and their - associated identifier values. It defines interface elements in - support of portability, and assumes use of C language bindings per - RFC 2744. In addition to specifying OID values for name type - identifiers, symbolic names are included and recommended to GSSAPI - implementors in the interests of convenience to callers. It is - understood that not all implementations of the Kerberos 5 GSSAPI - mechanism need support all name types in this list, and that - additional name forms will likely be added to this list over time. - Further, the definitions of some or all name types may later migrate - to other, mechanism-independent, specifications. The occurrence of a - name type in this specification is specifically not intended to - suggest that the type may be supported only by an implementation of - the Kerberos 5 mechanism. 
In particular, the occurrence of the - string "_KRB5_" in the symbolic name strings constitutes a means to - unambiguously register the name strings, avoiding collision with - other documents; it is not meant to limit the name types' usage or - applicability. - - For purposes of clarification to GSSAPI implementors, this section's - discussion of some name forms describes means through which those - forms can be supported with existing Kerberos technology. These - discussions are not intended to preclude alternative implementation - strategies for support of the name forms within Kerberos mechanisms - or mechanisms based on other technologies. To enhance application - portability, implementors of mechanisms are encouraged to support - name forms as defined in this section, even if their mechanisms are - independent of Kerberos 5. - -4.1. Mandatory Name Forms - - This section discusses name forms which are to be supported by all - conformant implementations of the Kerberos 5 GSSAPI mechanism. - -4.1.1. Kerberos Principal Name Form - - This name form shall be represented by the Object Identifier {iso(1) - member-body(2) us(840) mit(113554) infosys(1) gssapi(2) krb5(2) - krb5_name(1)}. The recommended symbolic name for this type is - "GSS_KRB5_NT_PRINCIPAL_NAME". - - This name type corresponds to the single-string representation of a - Kerberos name. (Within the MIT Kerberos 5 implementation, such names - are parseable with the krb5_parse_name() function.) The elements - included within this name representation are as follows, proceeding - -Yu Document Expiration: 04 Sep 2000 [Page 18] - -Internet-Draft krb5-gss-mech2-03 March 2000 - - from the beginning of the string: - - (1) One or more principal name components; if more than one - principal name component is included, the components are - separated by '/'. 
Arbitrary octets may be included within - principal name components, with the following constraints and - special considerations: - - (1a) Any occurrence of the characters '@' or '/' within a - name component must be immediately preceded by the '\' - quoting character, to prevent interpretation as a component - or realm separator. - - (1b) The ASCII newline, tab, backspace, and null characters - may occur directly within the component or may be - represented, respectively, by '\n', '\t', '\b', or '\0'. - - (1c) If the '\' quoting character occurs outside the contexts - described in (1a) and (1b) above, the following character is - interpreted literally. As a special case, this allows the - doubled representation '\\' to represent a single occurrence - of the quoting character. - - (1d) An occurrence of the '\' quoting character as the last - character of a component is illegal. - - (2) Optionally, a '@' character, signifying that a realm name - immediately follows. If no realm name element is included, the - local realm name is assumed. The '/' , ':', and null characters - may not occur within a realm name; the '@', newline, tab, and - backspace characters may be included using the quoting - conventions described in (1a), (1b), and (1c) above. - -4.1.2. Exported Name Object Form for Kerberos 5 Mechanism - - When generated by the Kerberos 5 mechanism, the Mechanism OID within - the exportable name shall be that of the original Kerberos 5 - mechanism[RFC1964]. The Mechanism OID for the original Kerberos 5 - mechanism is: - - {iso(1) member-body(2) us(840) mit(113554) infosys(1) gssapi(2) - krb5(2)} - - The name component within the exportable name shall be a contiguous - string with structure as defined for the Kerberos Principal Name - Form. 
- - In order to achieve a distinguished encoding for comparison purposes, - the following additional constraints are imposed on the export - operation: - - (1) all occurrences of the characters '@', '/', and '\' within - principal components or realm names shall be quoted with an - -Yu Document Expiration: 04 Sep 2000 [Page 19] - -Internet-Draft krb5-gss-mech2-03 March 2000 - - immediately-preceding '\'. - - (2) all occurrences of the null, backspace, tab, or newline - characters within principal components or realm names will be - represented, respectively, with '\0', '\b', '\t', or '\n'. - - (3) the '\' quoting character shall not be emitted within an - exported name except to accomodate cases (1) and (2). - -5. Credentials - - The Kerberos 5 protocol uses different credentials (in the GSSAPI - sense) for initiating and accepting security contexts. Normal - clients receive a ticket-granting ticket (TGT) and an associated - session key at "login" time; the pair of a TGT and its corresponding - session key forms a credential which is suitable for initiating - security contexts. A ticket-granting ticket, its session key, and - any other (ticket, key) pairs obtained through use of the - ticket-granting-ticket, are typically stored in a Kerberos 5 - credentials cache, sometimes known as a ticket file. - - The encryption key used by the Kerberos server to seal tickets for a - particular application service forms the credentials suitable for - accepting security contexts. These service keys are typically stored - in a Kerberos 5 key table (keytab), or srvtab file (the Kerberos 4 - terminology). In addition to their use as accepting credentials, - these service keys may also be used to obtain initiating credentials - for their service principal. - - The Kerberos 5 mechanism's credential handle may contain references - to either or both types of credentials. 
It is a local matter how the - Kerberos 5 mechanism implementation finds the appropriate Kerberos 5 - credentials cache or key table. - - However, when the Kerberos 5 mechanism attempts to obtain initiating - credentials for a service principal which are not available in a - credentials cache, and the key for that service principal is - available in a Kerberos 5 key table, the mechanism should use the - service key to obtain initiating credentials for that service. This - should be accomplished by requesting a ticket-granting-ticket from - the Kerberos Key Distribution Center (KDC), and decrypting the KDC's - reply using the service key. - -6. Parameter Definitions - - This section defines parameter values used by the Kerberos V5 GSSAPI - mechanism. It defines interface elements in support of portability, - and assumes use of C language bindings per RFC 2744. - -6.1. Minor Status Codes - - This section recommends common symbolic names for minor_status values - to be returned by the Kerberos 5 GSSAPI mechanism. Use of these - -Yu Document Expiration: 04 Sep 2000 [Page 20] - -Internet-Draft krb5-gss-mech2-03 March 2000 - - definitions will enable independent implementors to enhance - application portability across different implementations of the - mechanism defined in this specification. (In all cases, - implementations of GSS_Display_status() will enable callers to - convert minor_status indicators to text representations.) Each - implementation should make available, through include files or other - means, a facility to translate these symbolic names into the concrete - values which a particular GSSAPI implementation uses to represent the - minor_status values specified in this section. - - It is recognized that this list may grow over time, and that the need - for additional minor_status codes specific to particular - implementations may arise. 
It is recommended, however, that - implementations should return a minor_status value as defined on a - mechanism-wide basis within this section when that code is accurately - representative of reportable status rather than using a separate, - implementation-defined code. - -6.1.1. Non-Kerberos-specific codes - - These symbols should likely be incorporated into the generic GSSAPI - C-bindings document, since they really are more general. - -GSS_KRB5_S_G_BAD_SERVICE_NAME - /* "No @ in SERVICE-NAME name string" */ -GSS_KRB5_S_G_BAD_STRING_UID - /* "STRING-UID-NAME contains nondigits" */ -GSS_KRB5_S_G_NOUSER - /* "UID does not resolve to username" */ -GSS_KRB5_S_G_VALIDATE_FAILED - /* "Validation error" */ -GSS_KRB5_S_G_BUFFER_ALLOC - /* "Couldn't allocate gss_buffer_t data" */ -GSS_KRB5_S_G_BAD_MSG_CTX - /* "Message context invalid" */ -GSS_KRB5_S_G_WRONG_SIZE - /* "Buffer is the wrong size" */ -GSS_KRB5_S_G_BAD_USAGE - /* "Credential usage type is unknown" */ -GSS_KRB5_S_G_UNKNOWN_QOP - /* "Unknown quality of protection specified" */ - - -6.1.2. Kerberos-specific-codes - - - - - - - - - - -Yu Document Expiration: 04 Sep 2000 [Page 21] - -Internet-Draft krb5-gss-mech2-03 March 2000 - -GSS_KRB5_S_KG_CCACHE_NOMATCH - /* "Principal in credential cache does not match desired name" */ -GSS_KRB5_S_KG_KEYTAB_NOMATCH - /* "No principal in keytab matches desired name" */ -GSS_KRB5_S_KG_TGT_MISSING - /* "Credential cache has no TGT" */ -GSS_KRB5_S_KG_NO_SUBKEY - /* "Authenticator has no subkey" */ -GSS_KRB5_S_KG_CONTEXT_ESTABLISHED - /* "Context is already fully established" */ -GSS_KRB5_S_KG_BAD_SIGN_TYPE - /* "Unknown signature type in token" */ -GSS_KRB5_S_KG_BAD_LENGTH - /* "Invalid field length in token" */ -GSS_KRB5_S_KG_CTX_INCOMPLETE - /* "Attempt to use incomplete security context" */ - - -7. Kerberos Protocol Dependencies - - This protocol makes several assumptions about the Kerberos protocol, - which may require changes to the successor of RFC 1510. 
- - Sequence numbers, checksum types, and address types are assumed to be - no wider than 32 bits. The Kerberos protocol specification might - need to be modified to accomodate this. This obviously requires some - further discussion. - - Key usages need to be registered within the Kerberos protocol for use - with GSSAPI per-message tokens. The current specification of the - Kerberos protocol does not include descriptions of key derivations or - key usages, but planned revisions to the protocol will include them. - - This protocol also makes the assumption that any cryptosystem used - with the session key will include integrity protection, i.e., it - assumes that no "raw" cryptosystems will be used. - -8. Security Considerations - - The GSSAPI is a security protocol; therefore, security considerations - are discussed throughout this document. The original Kerberos 5 - GSSAPI mechanism's constraints on possible cryptosystems and checksum - types do not permit it to be readily extended to accomodate more - secure cryptographic technologies with larger checksums or encryption - block sizes. Sites are strongly encouraged to adopt the mechanism - specified in this document in the light of recent publicity about the - deficiencies of DES. - -9. References - - [X.680] ISO/IEC, "Information technology -- Abstract Syntax Notation - One (ASN.1): Specification of basic notation", ITU-T X.680 (1997) | - ISO/IEC 8824-1:1998 - -Yu Document Expiration: 04 Sep 2000 [Page 22] - -Internet-Draft krb5-gss-mech2-03 March 2000 - - [X.690] ISO/IEC, "Information technology -- ASN.1 encoding rules: - Specification of Basic Encoding Rules (BER), Canonical Encoding Rules - (CER) and Distinguished Encoding Rules (DER)", ITU-T X.690 (1997) | - ISO/IEC 8825-1:1998. - - [RFC1510] Kohl, J., Neumann, C., "The Kerberos Network Authentication - Service (V5)", RFC 1510. - - [RFC1964] Linn, J., "The Kerberos Version 5 GSS-API Mechanism", - RFC 1964. 
- - [RFC2743] Linn, J., "Generic Security Service Application Program - Interface, Version 2, Update 1", RFC 2743. - - [RFC2744] Wray, J., "Generic Security Service API Version 2: - C-bindings", RFC 2744. - -10. Author's Address - - Tom Yu - Massachusetts Institute of Technology - Room E40-345 - 77 Massachusetts Avenue - Cambridge, MA 02139 - USA - - email: tlyu@mit.edu - phone: +1 617 253 1753 - - - - - - - - - - - - - - - - - - - - - - - - - - -Yu Document Expiration: 04 Sep 2000 [Page 23] - diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-ftpext-mlst-08.txt b/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-ftpext-mlst-08.txt deleted file mode 100644 index 885cf49676..0000000000 --- a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-ftpext-mlst-08.txt +++ /dev/null 
@@ -1,3415 +0,0 @@ -FTPEXT Working Group R. Elz -Internet Draft University of Melbourne -Expiration Date: April 2000 - P. Hethmon - Hethmon Brothers - - October 1999 - - - Extensions to FTP - - - draft-ietf-ftpext-mlst-08.txt - -Status of this Memo - - This document is an Internet-Draft and is NOT offered in accordance - with Section 10 of RFC2026, and the author does not provide the IETF - with any rights other than to publish as an Internet-Draft. - - Internet-Drafts are working documents of the Internet Engineering - Task Force (IETF), its areas, and its working groups. Note that - other groups may also distribute working documents as Internet- - Drafts. - - Internet-Drafts are draft documents valid for a maximum of six months - and may be updated, replaced, or obsoleted by other documents at any - time. It is inappropriate to use Internet-Drafts as reference - material or to cite them other than as "work in progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt. - - To view the list Internet-Draft Shadow Directories, see - http://www.ietf.org/shadow.html. - - This entire section has been prepended to this document automatically - during formatting without any direct involvement by the author(s) of - this draft. - - - - - - - - - - - - -Elz & Hethmon [Expires April 2000] [Page 1] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - -Abstract - - In order to overcome the problems caused by the undefined format of - the current FTP LIST command output, a new command is needed to - transfer standardized listing information from Server-FTP to User- - FTP. Commands to enable this are defined in this document. - - In order to allow consenting clients and servers to interact more - freely, a quite basic, and optional, virtual file store structure is - defined. 
- - This proposal also extends the FTP protocol to allow character sets - other than US-ASCII[1] by allowing the transmission of 8-bit - characters and the recommended use of UTF-8[2] encoding. - - Much implemented, but long undocumented, mechanisms to permit - restarts of interrupted data transfers in STREAM mode, are also - included here. - - Lastly, the HOST command has been added to allow a style of "virtual - site" to be constructed. - - Changed in this version of this document: Minor corrections as - discussed on the mailing list, including fixing many typographical - errors; Additional examples. This paragraph will be deleted from the - final version of this document. - - - - - - - - - - - - - - - - - - - - - - - - - -Elz & Hethmon [Expires April 2000] [Page 2] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - - - -Table of Contents - - Abstract ................................................ 2 - 1 Introduction ............................................ 4 - 2 Document Conventions .................................... 4 - 2.1 Basic Tokens ............................................ 5 - 2.2 Pathnames ............................................... 5 - 2.3 Times ................................................... 7 - 2.4 Server Replies .......................................... 8 - 3 File Modification Time (MDTM) ........................... 8 - 3.1 Syntax .................................................. 9 - 3.2 Error responses ......................................... 9 - 3.3 FEAT response for MDTM .................................. 9 - 3.4 MDTM Examples ........................................... 10 - 4 File SIZE ............................................... 11 - 4.1 Syntax .................................................. 11 - 4.2 Error responses ......................................... 11 - 4.3 FEAT response for SIZE .................................. 12 - 4.4 Size Examples ........................................... 
12 - 5 Restart of Interrupted Transfer (REST) .................. 13 - 5.1 Restarting in STREAM Mode ............................... 13 - 5.2 Error Recovery and Restart .............................. 14 - 5.3 Syntax .................................................. 14 - 5.4 FEAT response for REST .................................. 16 - 5.5 REST Example ............................................ 16 - 6 Virtual FTP servers ..................................... 16 - 6.1 The HOST command ........................................ 18 - 6.2 Syntax of the HOST command .............................. 18 - 6.3 HOST command semantics .................................. 19 - 6.4 HOST command errors ..................................... 21 - 6.5 FEAT response for HOST command .......................... 22 - 7 A Trivial Virtual File Store (TVFS) ..................... 23 - 7.1 TVFS File Names ......................................... 23 - 7.2 TVFS Path Names ......................................... 24 - 7.3 FEAT Response for TVFS .................................. 25 - 7.4 OPTS for TVFS ........................................... 26 - 7.5 TVFS Examples ........................................... 26 - 8 Listings for Machine Processing (MLST and MLSD) ......... 28 - 8.1 Format of MLSx Requests ................................. 29 - 8.2 Format of MLSx Response ................................. 29 - 8.3 Filename encoding ....................................... 32 - 8.4 Format of Facts ......................................... 33 - 8.5 Standard Facts .......................................... 33 - 8.6 System Dependent and Local Facts ........................ 41 - 8.7 MLSx Examples ........................................... 42 - 8.8 FEAT response for MLSx .................................. 50 - - - -Elz & Hethmon [Expires April 2000] [Page 3] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - - 8.9 OPTS parameters for MLST ................................ 
51 - 9 Impact On Other FTP Commands ............................ 55 - 10 Character sets and Internationalization ................. 56 - 11 IANA Considerations ..................................... 56 - 11.1 The OS specific fact registry ........................... 56 - 11.2 The OS specific filetype registry ....................... 57 - 12 Security Considerations ................................. 57 - 13 References .............................................. 58 - Acknowledgments ......................................... 59 - Copyright ............................................... 60 - Editors' Addresses ...................................... 60 - - - - -1. Introduction - - This document amends the File Transfer Protocol (FTP) [3]. Five new - commands are added: "SIZE", "HOST", "MDTM", "MLST", and "MLSD". The - existing command "REST" is modified. Of those, the "SIZE" and "MDTM" - commands, and the modifications to "REST" have been in wide use for - many years. The others are new. - - These commands allow a client to restart an interrupted transfer in - transfer modes not previously supported in any documented way, to - support the notion of virtual hosts, and to obtain a directory - listing in a machine friendly, predictable, format. - - An optional structure for the server's file store (NVFS) is also - defined, allowing servers that support such a structure to convey - that information to clients in a standard way, thus allowing clients - more certainty in constructing and interpreting path names. - -2. Document Conventions - - This document makes use of the document conventions defined in BCP14 - [4]. That provides the interpretation of capitalized imperative - words like MUST, SHOULD, etc. - - This document also uses notation defined in STD 9 [3]. 
In - particular, the terms "reply", "user", "NVFS", "file", "pathname", - "FTP commands", "DTP", "user-FTP process", "user-PI", "user-DTP", - "server-FTP process", "server-PI", "server-DTP", "mode", "type", - "NVT", "control connection", "data connection", and "ASCII", are all - used here as defined there. - - Syntax required is defined using the Augmented BNF defined in [5]. - Some general ABNF definitions are required throughout the document, - - - -Elz & Hethmon [Expires April 2000] [Page 4] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - - those will be defined later in this section. At first reading, it - may be wise to simply recall that these definitions exist here, and - skip to the next section. - -2.1. Basic Tokens - - This document imports the core definitions given in Appendix A of - [5]. There definitions will be found for basic ABNF elements like - ALPHA, DIGIT, SP, etc. To that, the following terms are added for - use in this document. - - TCHAR = VCHAR / SP / HTAB ; visible plus white space - RCHAR = ALPHA / DIGIT / "," / "." / ":" / "!" / - "@" / "#" / "$" / "%" / "^" / - "&" / "(" / ")" / "-" / "_" / - "+" / "?" / "/" / "\" / "'" / - DQUOTE ; <"> -- double quote character (%x22) - - The VCHAR (from [5]), TCHAR, and RCHAR types give basic character - types from varying sub-sets of the ASCII character set for use in - various commands and responses. - - token = 1*RCHAR - - A "token" is a string whose precise meaning depends upon the context - in which it is used. In some cases it will be a value from a set of - possible values maintained elsewhere. In others it might be a string - invented by one party to an FTP conversation from whatever sources it - finds relevant. - - Note that in ABNF, string literals are case insensitive. That - convention is preserved in this document, and implies that FTP - commands added by this specification have names that can be - represented in any case. 
That is, "MDTM" is the same as "mdtm",
- "Mdtm" and "MdTm" etc. However note that ALPHA, in particular, is
- case sensitive. That implies that a "token" is a case sensitive
- value. That implication is correct.
-
-2.2. Pathnames
-
- Various FTP commands take pathnames as arguments, or return pathnames
- in responses. When the MLST command is supported, as indicated in
- the response to the FEAT command [6], pathnames are to be transferred
- in one of the following two formats.
-
-
-
-
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 5]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- pathname = utf-8-name / raw
- utf-8-name =
- raw =
-
- Which format is used is at the option of the user-PI or server-PI
- sending the pathname. UTF-8 encodings [2] contain enough internal
- structure that it is always, in practice, possible to determine
- whether a UTF-8 or raw encoding has been used, in those cases where
- it matters. While it is useful for the user-PI to be able to
- correctly display a pathname received from the server-PI to the user,
- it is far more important for the user-PI to be able to retain and
- retransmit the identical pathname when required. Implementations are
- advised against converting a UTF-8 pathname to a local encoding, and
- then attempting to invert the encoding later. Note that ASCII is a
- subset of UTF-8.
-
- Unless otherwise specified, the pathname is terminated by the CRLF
- that terminates the FTP command, or by the CRLF that ends a reply.
- Any trailing spaces preceding that CRLF form part of the name.
- Exactly one space will precede the pathname and serve as a separator
- from the preceding syntax element. Any additional spaces form part
- of the pathname. See [7] for a fuller explanation of the character
- encoding issues. All implementations supporting MLST MUST support
- [7].
-
- Implementations should also beware that the control connection uses
- Telnet NVT conventions [8], and that the Telnet IAC character, if
- part of a pathname sent over the control connection, MUST be
- correctly escaped as defined by the Telnet protocol.
-
- Implementors should also be aware that although Telnet NVT
- conventions are used over the control connections, Telnet option
- negotiation MUST NOT be attempted. See section 4.1.2.12 of [9].
-
-2.2.1. Pathname Syntax
-
- Except where TVFS is supported (see section 7) this specification
- imposes no syntax upon pathnames. Nor does it restrict the character
- set from which pathnames are created. This does not imply that the
- NVFS is required to make sense of all possible pathnames. Server-PIs
- may restrict the syntax of valid pathnames in their NVFS in any
- manner appropriate to their implementation or underlying file system.
- Similarly, a server-PI may parse the pathname, and assign meaning to
- the components detected.
-
-
-
-
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 6]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
-2.2.2. Wildcarding
-
- For the commands defined in this specification, all pathnames are to
- be treated literally. That is, for a pathname given as a parameter
- to a command, the file whose name is identical to the pathname given
- is implied. No characters from the pathname may be treated as
- special or "magic", thus no pattern matching (other than for exact
- equality) between the pathname given and the files present in the
- NVFS of the Server-FTP is permitted.
-
- Clients that desire some form of pattern matching functionality must
- obtain a listing of the relevant directory, or directories, and
- implement their own filename selection procedures.
-
-2.3. Times
-
- The syntax of a time value is:
-
- time-val = 14DIGIT [ "."
1*DIGIT ]
-
- The leading, mandatory, fourteen digits are to be interpreted as, in
- order from the leftmost, four digits giving the year, with a range of
- 1000-9999, two digits giving the month of the year, with a range of
- 01-12, two digits giving the day of the month, with a range of 01-31,
- two digits giving the hour of the day, with a range of 00-23, two
- digits giving minutes past the hour, with a range of 00-59, and
- finally, two digits giving seconds past the minute, with a range of
- 00-60 (with 60 being used only at a leap second). Years in the tenth
- century, and earlier, cannot be expressed. This is not considered a
- serious defect of the protocol.
-
- The optional digits, which are preceded by a period, give decimal
- fractions of a second. These may be given to whatever precision is
- appropriate to the circumstance, however implementations MUST NOT add
- precision to time-vals where that precision does not exist in the
- underlying value being transmitted.
-
- Symbolically, a time-val may be viewed as
-
- YYYYMMDDHHMMSS.sss
-
- The "." and subsequent digits ("sss") are optional. However the "."
- MUST NOT appear unless at least one following digit also appears.
-
- Time values are always represented in UTC (GMT), and in the Gregorian
- calendar regardless of what calendar may have been in use at the date
- and time indicated at the location of the server-PI.
-
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 7]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- The technical differences between GMT, TAI, UTC, UT1, UT2, etc, are
- not considered here. A server-FTP process should always use the same
- time reference, so the times it returns will be consistent. Clients
- are not expected to be time synchronized with the server, so the
- possible difference in times that might be reported by the different
- time standards is not considered important.
-
-2.4.
Server Replies
-
- Section 4.2 of [3] defines the format and meaning of replies by the
- server-PI to FTP commands from the user-PI. Those reply conventions
- are used here without change.
-
- error-response = error-code SP *TCHAR CRLF
- error-code = ("4" / "5") 2DIGIT
-
- Implementors should note that the ABNF syntax (which was not used in
- [3]) used in this document, and other FTP related documents,
- sometimes shows replies using the one line format. Unless otherwise
- explicitly stated, that is not intended to imply that multi-line
- responses are not permitted. Implementors should assume that, unless
- stated to the contrary, any reply to any FTP command (including QUIT)
- may be of the multi-line format described in [3].
-
- Throughout this document, replies will be identified by the three
- digit code that is their first element. Thus the term "500 reply"
- means a reply from the server-PI using the three digit code "500".
-
-3. File Modification Time (MDTM)
-
- The FTP command, MODIFICATION TIME (MDTM), can be used to determine
- when a file in the server NVFS was last modified. This command has
- existed in many FTP servers for many years, as an adjunct to the REST
- command for STREAM mode, thus is widely available. However, where
- supported, the "modify" fact which can be provided in the result from
- the new MLST command is recommended as a superior alternative.
-
- When attempting to restart a RETRieve, if the User-FTP makes use of
- the MDTM command, or "modify" fact, it can check and see if the
- modification time of the source file is more recent than the
- modification time of the partially transferred file. If it is, then
- most likely the source file has changed and it would be unsafe to
- restart the previously incomplete file transfer.
-
- When attempting to restart a STORe, the User FTP can use the MDTM
- command to discover the modification time of the partially
- transferred file.
If it is older than the modification time of the
- file that is about to be STORed, then most likely the source file has
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 8]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- changed and it would be unsafe to restart the file transfer.
-
- Note that using MLST (described below) where available, can provide
- this information, and much more, thus giving an even better
- indication that a file has changed, and that restarting a transfer
- would not give valid results.
-
- Note that this is applicable to any RESTart attempt, regardless of
- the mode of the file transfer.
-
-3.1. Syntax
-
- The syntax for the MDTM command is:
-
- mdtm = "MdTm" SP pathname CRLF
-
- As with all FTP commands, the "MDTM" command label is interpreted in
- a case insensitive manner.
-
- The "pathname" specifies an object in the NVFS which may be the
- object of a RETR command. Attempts to query the modification time of
- files that are unable to be retrieved generate undefined responses.
-
- The server-PI will respond to the MDTM command with a 213 reply
- giving the last modification time of the file whose pathname was
- supplied, or a 550 reply if the file does not exist, the modification
- time is unavailable, or some other error has occurred.
-
- mdtm-response = "213" SP time-val CRLF /
- error-response
-
-3.2. Error responses
-
- Where the command is correctly parsed, but the modification time is
- not available, either because the pathname identifies no existing
- entity, or because the information is not available for the entity
- named, then a 550 reply should be sent. Where the command cannot be
- correctly parsed, a 500 or 501 reply should be sent, as specified in
- [3].
-
-3.3. FEAT response for MDTM
-
- When replying to the FEAT command [6], an FTP server process that
- supports the MDTM command MUST include a line containing the single
- word "MDTM".
This MAY be sent in upper or lower case, or a mixture
- of both (it is case insensitive) but SHOULD be transmitted in upper
- case only. That is, the response SHOULD be
-
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 9]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- C> Feat
- S> 211-
- S> ...
- S> MDTM
- S> ...
- S> 211 End
-
- The ellipses indicate place holders where other features may be
- included, and are not required. The one space indentation of the
- feature lines is mandatory [6].
-
-3.4. MDTM Examples
-
- If we assume the existence of three files, A B and C, and a directory
- D, and no other files at all, then the MTDM command may behave as
- indicated. The "C>" lines are commands from user-PI to server-PI,
- the "S>" lines are server-PI replies.
-
- C> MDTM A
- S> 213 19980615100045.014
- C> MDTM B
- S> 213 19980615100045.014
- C> MDTM C
- S> 213 19980705132316
- C> MDTM D
- S> 550 D is not retrievable
- C> MDTM E
- S> 550 No file named "E"
- C> mdtm file6
- S> 213 19990929003355
- C> MdTm 19990929043300 File6
- S> 213 19991005213102
- C> MdTm 19990929043300 file6
- S> 550 19990929043300 file6: No such file or directory.
-
- From that we can conclude that both A and B were last modified at the
- same time (to the nearest millisecond), and that C was modified 21
- days and several hours later.
-
- The times are in GMT, so file A was modified on the 15th of June,
- 1998, at approximately 11am in London (summer time was then in
- effect), or perhaps at 8pm in Melbourne, Australia, or at 6am in New
- York. All of those represent the same absolute time of course. The
- location where the file was modified, and consequently the local wall
- clock time at that location, is not available.
-
- There is no file named "E" in the current directory, but there are
- files named both "file6" and "19990929043300 File6".
The
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 10]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- modification times of those files were obtained. There is no file
- named "19990929043300 file6".
-
-4. File SIZE
-
- The FTP command, SIZE OF FILE (SIZE), is used to obtain the transfer
- size of a file from the server-FTP process. That is, the exact
- number of octets (8 bit bytes) which would be transmitted over the
- data connection should that file be transmitted. This value will
- change depending on the current STRUcture, MODE and TYPE of the data
- connection, or a data connection which would be created were one
- created now. Thus, the result of the SIZE command is dependent on
- the currently established STRU, MODE and TYPE parameters.
-
- The SIZE command returns how many octets would be transferred if the
- file were to be transferred using the current transfer structure,
- mode and type. This command is normally used in conjunction with the
- RESTART (REST) command. The server-PI might need to read the
- partially transferred file, do any appropriate conversion, and count
- the number of octets that would be generated when sending the file in
- order to correctly respond to this command. Estimates of the file
- transfer size MUST NOT be returned, only precise information is
- acceptable.
-
-4.1. Syntax
-
- The syntax of the SIZE command is:
-
- size = "Size" SP pathname CRLF
-
- The server-PI will respond to the SIZE command with a 213 reply
- giving the transfer size of the file whose pathname was supplied, or
- an error response if the file does not exist, the size is
- unavailable, or some other error has occurred. The value returned is
- in a format suitable for use with the RESTART (REST) command for mode
- STREAM, provided the transfer mode and type are not altered.
-
- size-response = "213" SP 1*DIGIT CRLF /
- error-response
-
-4.2.
Error responses
-
- Where the command is correctly parsed, but the size is not available,
- either because the pathname identifies no existing entity, or because
- the entity named cannot be transferred in the current MODE and TYPE
- (or at all), then a 550 reply should be sent. Where the command
- cannot be correctly parsed, a 500 or 501 reply should be sent, as
- specified in [3].
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 11]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
-4.3. FEAT response for SIZE
-
- When replying to the FEAT command [6], an FTP server process that
- supports the SIZE command MUST include a line containing the single
- word "SIZE". This word is case insensitive, and MAY be sent in any
- mixture of upper or lower case, however it SHOULD be sent in upper
- case. That is, the response SHOULD be
-
- C> FEAT
- S> 211-
- S> ...
- S> SIZE
- S> ...
- S> 211 END
-
- The ellipses indicate place holders where other features may be
- included, and are not required. The one space indentation of the
- feature lines is mandatory [6].
-
-4.4. Size Examples
-
- Consider a text file "Example" stored on a Unix(TM) server where each
- end of line is represented by a single octet. Assume the file
- contains 112 lines, and 1830 octets total. Then the SIZE command
- would produce:
-
- C> TYPE I
- S> 200 Type set to I.
- C> size Example
- S> 213 1830
- C> TYPE A
- S> 200 Type set to A.
- C> Size Example
- S> 213 1942
-
- Notice that with TYPE=A the SIZE command reports an extra 112 octets.
- Those are the extra octets that need to be inserted, one at the end
- of each line, to provide correct end of line semantics for a transfer
- using TYPE=A. Other systems might need to make other changes to the
- transfer format of files when converting between TYPEs and MODEs.
- The SIZE command takes all of that into account.
-
- Since calculating the size of a file with this degree of precision
- may take considerable effort on the part of the server-PI, user-PIs
- should not used this command unless this precision is essential (such
- as when about to restart an interrupted transfer). For other uses,
- the "Size" fact of the MLST command (see section 8.5.7) ought be
- requested.
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 12]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
-5. Restart of Interrupted Transfer (REST)
-
- To avoid having to resend the entire file if the file is only
- partially transferred, both sides need some way to be able to agree
- on where in the data stream to restart the data transfer.
-
- The FTP specification [3] includes three modes of data transfer,
- Stream, Block and Compressed. In Block and Compressed modes, the
- data stream that is transferred over the data connection is
- formatted, allowing the embedding of restart markers into the stream.
- The sending DTP can include a restart marker with whatever
- information it needs to be able to restart a file transfer at that
- point. The receiving DTP can keep a list of these restart markers,
- and correlate them with how the file is being saved. To restart the
- file transfer, the receiver just sends back that last restart marker,
- and both sides know how to resume the data transfer. Note that there
- are some flaws in the description of the restart mechanism in RFC 959
- [3]. See section 4.1.3.4 of RFC 1123 [9] for the corrections.
-
-5.1. Restarting in STREAM Mode
-
- In Stream mode, the data connection contains just a stream of
- unformatted octets of data. Explicit restart markers thus cannot be
- inserted into the data stream, they would be indistinguishable from
- data. For this reason, the FTP specification [3] did not provide the
- ability to do restarts in stream mode.
However, there is not really
- a need to have explicit restart markers in this case, as restart
- markers can be implied by the octet offset into the data stream.
-
- Because the data stream defines the file in STREAM mode, a different
- data stream would represent a different file. Thus, an offset will
- always represent the same position within a file. On the other hand,
- in other modes than STREAM, the same file can be transferred using
- quite different octet sequences, and yet be reconstructed into the
- one identical file. Thus an offset into the data stream in transfer
- modes other than STREAM would not give an unambiguous restart point.
-
- If the data representation TYPE is IMAGE, and the STRUcture is File,
- for many systems the file will be stored exactly in the same format
- as it is sent across the data connection. It is then usually very
- easy for the receiver to determine how much data was previously
- received, and notify the sender of the offset where the transfer
- should be restarted. In other representation types and structures
- more effort will be required, but it remains always possible to
- determine the offset with finite, but perhaps non-negligible, effort.
- In the worst case an FTP process may need to open a data connection
- to itself, set the appropriate transfer type and structure, and
- actually transmit the file, counting the transmitted octets.
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 13]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- If the user-FTP process is intending to restart a retrieve, it will
- directly calculate the restart marker, and send that information in
- the RESTart command. However, if the user-FTP process is intending
- to restart sending the file, it needs to be able to determine how
- much data was previously sent, and correctly received and saved. A
- new FTP command is needed to get this information. This is the
- purpose of the SIZE command, as documented in section 4.
-
-5.2. Error Recovery and Restart
-
- STREAM MODE transfers with FILE STRUcture may be restarted even
- though no restart marker has been transferred in addition to the data
- itself. This is done by using the SIZE command, if needed, in
- combination with the RESTART (REST) command, and one of the standard
- file transfer commands.
-
- When using TYPE ASCII or IMAGE, the SIZE command will return the
- number of octets that would actually be transferred if the file were
- to be sent between the two systems. I.e. with type IMAGE, the SIZE
- normally would be the number of octets in the file. With type ASCII,
- the SIZE would be the number of octets in the file including any
- modifications required to satisfy the TYPE ASCII CR-LF end of line
- convention.
-
-5.3. Syntax
-
- The syntax for the REST command when the current transfer mode is
- STREAM is:
-
- rest = "Rest" SP 1*DIGIT CRLF
-
- The numeric value gives the number of octets of the immediately
- following transfer to not actually send, effectively causing the
- transmission to be restarted at a later point. A value of zero
- effectively disables restart, causing the entire file to be
- transmitted. The server-PI will respond to the REST command with a
- 350 reply, indicating that the REST parameter has been saved, and
- that another command, which should be either RETR or STOR, should
- then follow to complete the restart.
-
- rest-response = "350" SP *TCHAR CRLF /
- error-response
-
- Server-FTP processes may permit transfer commands other than RETR and
- STOR, such as APPE and STOU, to complete a restart, however, this is
- not recommended. STOU (store unique) is undefined in this usage, as
- storing the remainder of a file into a unique filename is rarely
- going to be useful. If APPE (append) is permitted, it MUST act
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 14]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- identically to STOR when a restart marker has been set.
That is, in
- both cases, octets from the data connection are placed into the file
- at the location indicated by the restart marker value.
-
- The REST command is intended to complete a failed transfer. Use with
- RETR is comparatively well defined in all cases, as the client bears
- the responsibility of merging the retrieved data with the partially
- retrieved file. If it chooses to use the data obtained other than to
- complete an earlier transfer, or if it chooses to re-retrieve data
- that had been retrieved before, that is its choice. With STOR,
- however, the server must insert the data into the file named. The
- results are undefined if a client uses REST to do other than restart
- to complete a transfer of a file which had previously failed to
- completely transfer. In particular, if the restart marker set with a
- REST command is not at the end of the data currently stored at the
- server, as reported by the server, or if insufficient data are
- provided in a STOR that follows a REST to extend the destination file
- to at least its previous size, then the effects are undefined.
-
- The REST command must be the last command issued before the data
- transfer command which is to cause a restarted rather than complete
- file transfer. The effect of issuing a REST command at any other
- time is undefined. The server-PI may react to a badly positioned
- REST command by issuing an error response to the following command,
- not being a restartable data transfer command, or it may save the
- restart value and apply it to the next data transfer command, or it
- may silently ignore the inappropriate restart attempt. Because of
- this, a user-PI that has issued a REST command, but which has not
- successfully transmitted the following data transfer command for any
- reason, should send another REST command before the next data
- transfer command. If that transfer is not to be restarted, then
- "REST 0" should be issued.
-
- An error-response will follow a REST command only when the server
- does not implement the command, or the restart marker value is
- syntactically invalid for the current transfer mode. That is, in
- STREAM mode, if something other than one or more digits appears in
- the parameter to the REST command. Any other errors, including such
- problems as restart marker out of range, should be reported when the
- following transfer command is issued. Such errors will cause that
- transfer request to be rejected with an error indicating the invalid
- restart attempt.
-
-
-
-
-
-
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 15]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
-5.4. FEAT response for REST
-
- Where a server-FTP process supports RESTart in STREAM mode, as
- specified here, it MUST include in the response to the FEAT command
- [6], a line containing exactly the string "REST STREAM". This string
- is not case sensitive, but SHOULD be transmitted in upper case.
- Where REST is not supported at all, or supported only in block or
- compressed modes, the REST line MUST NOT be included in the FEAT
- response. Where required, the response SHOULD be
-
- C> feat
- S> 211-
- S> ...
- S> REST STREAM
- S> ...
- S> 211 end
-
- The ellipses indicate place holders where other features may be
- included, and are not required. The one space indentation of the
- feature lines is mandatory [6].
-
-5.5. REST Example
-
- Assume that the transfer of a largish file has previously been
- interrupted after 802816 octets had been received, that the previous
- transfer was with TYPE=I, and that it has been verified that the file
- on the server has not since changed.
-
- C> TYPE I
- S> 200 Type set to I.
- C> PORT 127,0,0,1,15,107
- S> 200 PORT command successful.
- C> REST 802816
- S> 350 Restarting at 802816. Send STORE or RETRIEVE
- C> RETR cap60.pl198.tar
- S> 150 Opening BINARY mode data connection
- [...]
- S> 226 Transfer complete.
-
-6.
Virtual FTP servers
-
- It has become common in the Internet for many domain names to be
- allocated to a single IP address. This has introduced the concept of
- a "virtual host", where a host appears to exist as an independent
- entity, but in reality shares all of its resources with one, or more,
- other such hosts.
-
-
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 16]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- Such an arrangement presents some problems for FTP Servers, as all
- the FTP Server can detect is an incoming FTP connection to a
- particular IP address. That is, all domain names which share the IP
- address also share the FTP server, and more importantly, its NVFS.
- This means that the various virtual hosts cannot offer different
- virtual file systems to clients, nor can they offer different
- authentication systems.
-
- No scheme can overcome this without modifications of some kind to the
- user-PI and the user-FTP process. That process is the only entity
- that knows which virtual host is required. It has performed the
- domain name to IP address translation, and thus has the original
- domain name available.
-
- One method which could be used to allow a style of virtual host would
- be for the client to simply send a "CWD" command after connecting,
- using the virtual host name as the argument to the CWD command. This
- would allow the server-FTP process to implement the file stores of
- the virtual hosts as sub-directories in its NVFS. This is simple,
- and supported by essentially all server-FTP implementations without
- requiring any code changes.
-
- While that method is simple to describe, and to implement, it suffers
- from several drawbacks. First, the "CWD" command is available only
- after the user-PI has authenticated itself to the server-FTP process.
- Thus, all virtual hosts would be required to share a common
- authentication scheme.
Second, either the server-FTP process needs
- to be modified to understand the special nature of this first CWD
- command, negating most of the advantage of this scheme, or all users
- must see the same identical NVFS view upon connecting (they must
- connect in the same initial directory) or the NVFS must implement the
- full set of virtual host directories at each possible initial
- directory for any possible user, or the virtual host will not be
- truly transparent. Third, and again unless the server is specially
- modified, a user connecting this way to a virtual host would be able
- to trivially move to any other virtual host supported at the same
- server-FTP process, exposing the nature of the virtual host.
-
- Other schemes overloading other existing FTP commands have also been
- proposed. None of those have sufficient merit to be worth
- discussion.
-
- The conclusion from the examination of the possibilities seems to be
- that to obtain an adequate emulation of "real" FTP servers, server
- modifications to support virtual hosts are required. A new command
- seems most likely to provide the support required.
-
-
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 17]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
-6.1. The HOST command
-
- A new command "HOST" is added to the FTP command set to allow
- server-FTP process to determine to which of possibly many virtual
- hosts the client wishes to connect. This command is intended to be
- issued before the user is authenticated, allowing the authentication
- scheme, and set of legal users, to be dependent upon the virtual host
- chosen. Server-FTP processes may, if they desire, permit the HOST
- command to be issued after the user has been authenticated, or may
- treat that as an erroneous sequence of commands. The behavior of the
- server-FTP process which does allow late HOST commands is undefined.
- One reasonable interpretation would be for the user-PI to be returned
- to the state that existed after the TCP connection was first
- established, before user authentication.
-
- Servers should note that the response to the HOST command is a
- sensible time to send their "welcome" message. This allows the
- message to be personalized for any virtual hosts that are supported,
- and also allows the client to have determined supported languages, or
- representations, for the message, and other messages, via the FEAT
- response, and selected an appropriate one via the LANG command. See
- [7] for more information.
-
-6.2. Syntax of the HOST command
-
- The HOST command is defined as follows.
-
- host-command = "Host" SP hostname CRLF
- hostname = 1*DNCHAR 1*( "." 1*DNCHAR ) [ "." ]
- DNCHAR = ALPHA / DIGIT / "-" / "_" / "$" /
- "!" / "%" / "[" / "]" / ":"
- host-response = host-ok / error-response
- host-ok = "220" [ SP *TCHAR ] CRLF
-
- As with all FTP commands, the "host" command word is case
- independent, and may be specified in any character case desired.
-
- The "hostname" given as a parameter specifies the virtual host to
- which access is desired. It should normally be the same name that
- was used to obtain the IP address to which the FTP control connection
- was made, after any client conversions to convert an abbreviated or
- local alias to a complete (fully qualified) domain name, but before
- resolving a DNS alias (owner of a CNAME resource record) to its
- canonical name.
-
- If the client was given a network literal address, and consequently
- was not required to derive it from a hostname, it should send the
- HOST command with the network address, as specified to it, enclosed
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 18]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- in brackets (after eliminating any syntax, which might also be
- brackets, but is not required to be, from which the server deduced
- that a literal address had been specified.) That is, for example
-
- HOST [10.1.2.3]
-
- should be sent if the client had been instructed to connect to
- "10.1.2.3", or "[10.1.2.3]", or perhaps even IPv4:10.1.2.3. The
- method of indicating to a client that a literal address is to be used
- is beyond the scope of this specification.
-
- The parameter is otherwise to be treated as a "complete domain name",
- as that term is defined in section 3.1 of RFC 1034 [10]. That
- implies that the name is to be treated as a case independent string,
- in that upper case ASCII characters are to be treated as equivalent
- to the corresponding lower case ASCII characters, but otherwise
- preserved as given. It also implies some limits on the length of the
- parameter and of the components that create its internal structure.
- Those limits are not altered in any way here.
-
- RFC 1034 imposes no other restrictions upon what kinds of names can
- be stored in the DNS. Nor does RFC 1035. This specification,
- however, allows only a restricted set of names for the purposes of
- the HOST command. Those restrictions can be inferred from the ABNF
- grammar given for the "hostname".
-
-6.3. HOST command semantics
-
- Upon receiving the HOST command, before authenticating the user-PI, a
- server-FTP process should validate that the hostname given represents
- a valid virtual host for that server, and if so, establish the
- appropriate environment for that virtual host.
The meaning of that - is not specified here, and may range from doing nothing at all, or - performing a simple change of working directory, to much more - elaborate state changes, as required. - - If the hostname specified is unknown at the server, or if the server - is otherwise unwilling to treat the particular connection as a - connection to the hostname specified, the server will respond with a - 504 reply. - - Note: servers may require that the name specified is in some sense - equivalent to the particular network address that was used to reach - the server. - - If the hostname specified would normally be acceptable, but for any - reason is temporarily unavailable, the server SHOULD reply to the - HOST command with a 434 reply. - - - -Elz & Hethmon [Expires April 2000] [Page 19] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - - The "220" reply code for the HOST command is the same as the code - used on the initial connection established "welcome" message. This - is done deliberately so as to allow the implementation to implement - the front end FTP server as a wrapper which simply waits for the HOST - command, and then invokes an older, RFC959 compliant, server in the - appropriate environment for the particular hostname received. - -6.3.1. The REIN command - - As specified in [3], the REIN command returns the state of the - connection to that it was immediately after the transport connection - was opened. That is not changed here. The effect of a HOST command - will be lost if a REIN command is performed, a new HOST command must - be issued. - - Implementors of user-FTP should be aware that server-FTP - implementations which implement the HOST command as a wrapper around - older implementations will be unable to correctly implement the REIN - command. 
In such an implementation, REIN will typically return the - server-FTP to the state that existed immediately after the HOST - command was issued, instead of to the state immediately after the - connection was opened. - -6.3.2. User-PI usage of HOST - - A user-PI that conforms to this specification, MUST send the HOST - command after opening the transport connection, or after any REIN - command, before attempting to authenticate the user with the USER - command. - - The following state diagram shows a typical sequence of flow of - control, where the "B" (begin) state is assumed to occur after the - transport connection has opened, or a REIN command has succeeded. - Other commands (such as FEAT [6]) which require no authentication may - have intervened. This diagram is modeled upon (and largely borrowed - from) the similar diagram in section 6 of [3]. - - In this diagram, a three digit reply indicates that precise server - reply code, a single digit on a reply path indicates any server reply - beginning with that digit, other than any three digit replies that - might take another path. 
- - - - - - - - - - -Elz & Hethmon [Expires April 2000] [Page 20] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - - - +---+ HOST +---+ 1,3,5 - | B |---------->| W |----------------- - +---+ +---+ | - | | | - 2,500,502 | | 4,501,503,504 | - -------------- ------------- | - | | | - V 1 | V - +---+ USER +---+-------------->+---+ - | |---------->| W | 2 ----->| E | - +---+ +---+------ | --->+---+ - | | | | | | - 3 | | 4,5 | | | | - -------------- ----- | | | | - | | | | | | - | | | | | | - | --------- | | - | 1| | | | | - V | | | | | - +---+ PASS +---+ 2 | ------->+---+ - | |---------->| W |-------------->| S | - +---+ +---+ ----------->+---+ - | | | | | | - 3 | |4,5| | | | - -------------- -------- | | - | | | | | ---- - | | | | | | - | ----------- | - | 1,3| | | | | - V | 2| | | V - +---+ ACCT +---+-- | ------>+---+ - | |---------->| W | 4,5 --------->| F | - +---+ +---+-------------->+---+ - -6.4. HOST command errors - - The server-PI shall reply with a 500 or 502 reply if the HOST command - is unrecognized or unimplemented. A 503 reply may be sent if the - HOST command is given after a previous HOST command, or after a user - has been authenticated. Alternately, the server may accept the - command at such a time, with server defined behavior. A 501 reply - should be sent if the hostname given is syntactically invalid, and a - 504 reply if a syntactically valid hostname is not a valid virtual - host name for the server. - - In all such cases the server-FTP process should act as if no HOST - command had been given. - - - -Elz & Hethmon [Expires April 2000] [Page 21] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - - A user-PI receiving a 500 or 502 reply should assume that the - server-PI does not implement the HOST command style virtual server. - It may then proceed to login as if the HOST command had succeeded, - and perhaps, attempt a CWD command to the hostname after - authenticating the user. 
- - A user-PI receiving some other error reply should assume that the - virtual HOST is unavailable, and terminate communications. - - A server-PI that receives a USER command, beginning the - authentication sequence, without having received a HOST command - SHOULD NOT reject the USER command. Clients conforming to earlier - FTP specifications do not send HOST commands. In this case the - server may act as if some default virtual host had been explicitly - selected, or may enter an environment different from that of all - supported virtual hosts, perhaps one in which a union of all - available accounts exists, and which presents a NVFS which appears to - contain sub-directories containing the NVFS for all virtual hosts - supported. - -6.5. FEAT response for HOST command - - A server-FTP process that supports the host command, and virtual FTP - servers, MUST include in the response to the FEAT command [6], a - feature line indicating that the HOST command is supported. This - line should contain the single word "HOST". This MAY be sent in - upper or lower case, or a mixture of both (it is case insensitive) - but SHOULD be transmitted in upper case only. That is, the response - SHOULD be - - C> Feat - S> 211- - S> ... - S> HOST - S> ... - S> 211 End - - The ellipses indicate place holders where other features may be - included, and are not required. The one space indentation of the - feature lines is mandatory [6]. - - - - - - - - - - - -Elz & Hethmon [Expires April 2000] [Page 22] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - -7. A Trivial Virtual File Store (TVFS) - - Traditionally, FTP has placed almost no constraints upon the file - store (NVFS) provided by a server. This specification does not alter - that. However, it has become common for servers to attempt to - provide at least file system naming conventions modeled loosely upon - those of the UNIX(TM) file system. 
That is, a tree structured file - system, built of directories, each of which can contain other - directories, or other kinds of files, or both. Each file and - directory has a file name relative to the directory that contains it, - except for the directory at the root of the tree, which is contained - in no other directory, and hence has no name of its own. - - That which has so far been described is perfectly consistent with the - standard FTP NVFS and access mechanisms. The "CWD" command is used - to move from one directory to an embedded directory. "CDUP" may be - provided to return to the parent directory, and the various file - manipulation commands ("RETR", "STOR", the rename commands, etc) are - used to manipulate files within the current directory. - - However, it is often useful to be able to reference files other than - by changing directories, especially as FTP provides no guaranteed - mechanism to return to a previous directory. The Trivial Virtual - File Store (TVFS), if implemented, provides that mechanism. - -7.1. TVFS File Names - - Where a server implements the TVFS, no elementary filename shall - contain the character "/". Where the underlying natural file store - permits files, or directories, to contain the "/" character in their - names, a server-PI implementing TVFS must encode that character in - some manner whenever file or directory names are being returned to - the user-PI, and reverse that encoding whenever such names are being - accepted from the user-PI. - - The encoding method to be used is not specified here. Where some - other character is illegal in file and directory names in the - underlying file store, a simple transliteration may be sufficient. - Where there is no suitable substitute character a more complex - encoding scheme, possibly using an escape character, is likely to be - required. - - With the one exception of the unnamed root directory, a TVFS file - name may not be empty. 
That is, all other file names contain at - least one character. - - With the sole exception of the "/" character, any valid IS10646 - character [11] may be used in a TVFS filename. When transmitted, - - - -Elz & Hethmon [Expires April 2000] [Page 23] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - - file name characters are encoded using the UTF-8 encoding [2]. - -7.2. TVFS Path Names - - A TVFS "Path Name" combines the file or directory name of a target - file or directory, with the directory names of zero or more enclosing - directories, so as to allow the target file or directory to be - referenced other than when the server's "current working directory" - is the directory directly containing the target file or directory. - - By definition, every TVFS file or directory name is also a TVFS path - name. Such a path name is valid to reference the file from the - directory containing the name, that is, when that directory is the - server-FTP's current working directory. - - Other TVFS path names are constructed by prefixing a path name by a - name of a directory from which the path is valid, and separating the - two with the "/" character. Such a path name is valid to reference - the file or directory from the directory containing the newly added - directory name. - - Where a path name has been extended to the point where the directory - added is the unnamed root directory, the path name will begin with - the "/" character. Such a path is known as a fully qualified path - name. Fully qualified paths may, obviously, not be further extended, - as, by definition, no directory contains the root directory. Being - unnamed, it cannot be represented in any other directory. A fully - qualified path name is valid to reference the named file or directory - from any location (that is, regardless of what the current working - directory may be) in the virtual file store. 
- - Any path name which is not a fully qualified path name may be - referred to as a "relative path name" and will only correctly - reference the intended file when the current working directory of the - server-FTP is a directory from which the relative path name is valid. - - As a special case, the path name "/" is defined to be a fully - qualified path name referring to the root directory. That is, the - root directory does not have a directory (or file) name, but does - have a path name. This special path name may be used only as is as a - reference to the root directory. It may not be combined with other - path names using the rules above, as doing so would lead to a path - name containing two consecutive "/" characters, which is an undefined - sequence. - - - - - - - -Elz & Hethmon [Expires April 2000] [Page 24] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - -7.2.1. Notes - - + It is not required, or expected, that there be only one fully - qualified path name that will reference any particular file or - directory. - + As a caveat, though the TVFS file store is basically tree - structured, there is no requirement that any file or directory - have only one parent directory. - + As defined, no TVFS path name will ever contain two consecutive - "/" characters. Such a name is not illegal however, and may be - defined by the server for any purpose that suits it. Clients - implementing this specification should not assume any semantics - at all for such names. - + Similarly, other than the special case path that refers to the - root directory, no TVFS path name constructed as defined here - will ever end with the "/" character. Such names are also not - illegal, but are undefined. - + While any legal IS10646 character is permitted to occur in a TVFS - file or directory name, other than "/", server FTP - implementations are not required to support all possible IS10646 - characters. 
The subset supported is entirely at the discretion - of the server. The case (where it exists) of the characters that - make up file, directory, and path names may be significant. - Unless determined otherwise by means unspecified here, clients - should assume that all such names are comprised of characters - whose case is significant. Servers are free to treat case (or - any other attribute) of a name as irrelevant, and hence map two - names which appear to be distinct onto the same underlying file. - + There are no defined "magic" names, like ".", ".." or "C:". - Servers may implement such names, with any semantics they choose, - but are not required to do so. - + TVFS imposes no particular semantics or properties upon files, - guarantees no access control schemes, or any of the other common - properties of a file store. Only the naming scheme is defined. - -7.3. FEAT Response for TVFS - - In response to the FEAT command [6] a server that wishes to indicate - support for the TVFS as defined here will include a line that begins - with the four characters "TVFS" (in any case, or mixture of cases, - upper case is not required). Servers SHOULD send upper case. - - Such a response to the FEAT command MUST NOT be returned unless the - server implements TVFS as defined here. - - Later specifications may add to the TVFS definition. Such additions - should be notified by means of additional text appended to the TVFS - feature line. Such specifications, if any, will define the extra - - - -Elz & Hethmon [Expires April 2000] [Page 25] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - - text. - - Until such a specification is defined, servers should not include - anything after "TVFS" in the TVFS feature line. Clients, however, - should be prepared to deal with arbitrary text following the four - defined characters, and simply ignore it if unrecognized. 
- - A typical response to the FEAT command issued by a server - implementing only this specification would be: - - C> feat - S> 211- - S> ... - S> TVFS - S> ... - S> 211 end - - The ellipses indicate place holders where other features may be - included, and are not required. The one space indentation of the - feature lines is mandatory [6], and is not counted as one of the - first four characters for the purposes of this feature listing. - - The TVFS feature adds no new commands to the FTP command repertoire. - -7.4. OPTS for TVFS - - There are no options in this TVFS specification, and hence there is - no OPTS command defined. - -7.5. TVFS Examples - - Assume a TVFS file store is comprised of a root directory, which - contains two directories (A and B) and two non-directory files (X and - Y). The A directory contains two directories (C and D) and one other - file (Z). The B directory contains just two non-directory files (P - and Q) and the C directory also two non-directory files (also named P - and Q, by chance). The D directory is empty, that is, contains no - files or directories. - - - - - - - - - - - - - -Elz & Hethmon [Expires April 2000] [Page 26] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - - This structure may depicted graphically as... - - (unnamed root) - / | \ \ - / | \ \ - A X B Y - /|\ / \ - / | \ / \ - C D Z P Q - / \ - / \ - P Q - - Given this structure, the following fully qualified path names exist. - - / - /A - /B - /X - /Y - /A/C - /A/D - /A/Z - /A/C/P - /A/C/Q - /B/P - /B/Q - - It is clear that none of the paths / /A /B or /A/D refer to the same - directory, as the contents of each is different. Nor do any of / /A - /A/C or /A/D. However /A/C and /B might be the same directory, there - is insufficient information given to tell. Any of the other path - names (/X /Y /A/Z /A/C/P /A/C/Q /B/P and /B/Q) may refer to the same - underlying files, in almost any combination. 
- - If the current working directory of the server-FTP is /A then the - following path names, in addition to all the fully qualified path - names, are valid - - C - D - Z - C/P - C/Q - - These all refer to the same files or directories as the corresponding - fully qualified path with "/A/" prepended. - - - - -Elz & Hethmon [Expires April 2000] [Page 27] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - - That those path names all exist does not imply that the TVFS sever - will necessarily grant any kind of access rights to the named paths, - or that access to the same file via different path names will - necessarily be granted equal rights. - - None of the following relative paths are valid when the current - directory is /A - - A - B - X - Y - B/P - B/Q - P - Q - - Any of those could be made valid by changing the server-FTP's current - working directory to the appropriate directory. Note that the paths - "P" and "Q" might refer to different files depending upon which - directory is selected to cause those to become valid TVFS relative - paths. - -8. Listings for Machine Processing (MLST and MLSD) - - The MLST and MLSD commands are intended to standardize the file and - directory information returned by the Server-FTP process. These - commands differ from the LIST command in that the format of the - replies is strictly defined although extensible. - - Two commands are defined, MLST which provides data about exactly the - object named on its command line, and no others. MLSD on the other - hand will list the contents of a directory if a directory is named, - otherwise a 501 reply will be returned. In either case, if no object - is named, the current directory is assumed. That will cause MLST to - send a one line response, describing the current directory itself, - and MLSD to list the contents of the current directory. - - In the following, the term MLSx will be used wherever either MLST or - MLSD may be inserted. 
- - The MLST and MLSD commands also extend the FTP protocol as presented - in RFC 959 [3] and RFC 1123 [9] to allow that transmission of 8-bit - data over the control connection. Note this is not specifying - character sets which are 8-bit, but specifying that FTP - implementations are to specifically allow the transmission and - reception of 8-bit bytes, with all bits significant, over the control - connection. That is, all 256 possible octet values are permitted. - - - -Elz & Hethmon [Expires April 2000] [Page 28] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - - The MLSx command allows both UTF-8/Unicode and "raw" forms as - arguments, and in responses both to the MLST and MLSD commands, and - all other FTP commands which take pathnames as arguments. - -8.1. Format of MLSx Requests - - The MLST and MLSD commands each allow a single optional argument. - This argument may be either a directory name or, for MLST only, a - filename. For these purposes, a "filename" is the name of any entity - in the server NVFS which is not a directory. Where TVFS is - supported, any TVFS relative path name valid in the current working - directory, or any TVFS fully qualified path name, may be given. If a - directory name is given then MLSD must return a listing of the - contents of the named directory, otherwise it issues a 501 reply, and - does not open a data connection. In all cases for MLST, a single set - of fact lines (usually a single fact line) containing the information - about the named file or directory shall be returned over the control - connection, without opening a data connection. - - If no argument is given then MLSD must return a listing of the - contents of the current working directory, and MLST must return a - listing giving information about the current working directory - itself. 
For these purposes, the contents of a directory are whatever - filenames (not pathnames) the server-PI will allow to be referenced - when the current working directory is the directory named, and which - the server-PI desires to reveal to the user-PI. - - No title, header, or summary, lines, or any other formatting, other - than as is specified below, is ever returned in the output of an MLST - or MLSD command. - - If the Client-FTP sends an invalid argument, the Server-FTP MUST - reply with an error code of 501. - - The syntax for the MLSx command is: - - mlst = "MLst" [ SP pathname ] CRLF - mlsd = "MLsD" [ SP pathname ] CRLF - -8.2. Format of MLSx Response - - The format of a response to an MLSx command is as follows: - - mlst-response = control-response / error-response - mlsd-response = ( initial-response final-response ) / - error-response - - - - - -Elz & Hethmon [Expires April 2000] [Page 29] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - - control-response = "250-" [ response-message ] CRLF - 1*( SP entry CRLF ) - "250" [ SP response-message ] CRLF - - initial-response = "150" [ SP response-message ] CRLF - final-response = "226" SP response-message CRLF - - response-message = *TCHAR - - data-response = *( entry CRLF ) - - entry = [ facts ] SP pathname - facts = 1*( fact ";" ) - fact = factname "=" value - factname = "Size" / "Modify" / "Create" / - "Type" / "Unique" / "Perm" / - "Lang" / "Media-Type" / "CharSet" / - os-depend-fact / local-fact - os-depend-fact = "." token - local-fact = "X." token - value = *RCHAR - - Upon receipt of a MLSx command, the server will verify the parameter, - and if invalid return an error-response. For this purpose, the - parameter should be considered to be invalid if the client issuing - the command does not have permission to perform the request - operation. 
- - If valid, then for an MLST command, the server-PI will send the first - (leading) line of the control response, the entry for the pathname - given, or the current directory if no pathname was provided, and the - terminating line. Normally exactly one entry would be returned, more - entries are permitted only when required to represent a file that is - to have multiple "Type" facts returned. - - Note that for MLST the fact set is preceded by a space. That is - provided to guarantee that the fact set cannot be accidentally - interpreted as the terminating line of the control response, but is - required even when that would not be possible. Exactly one space - exists between the set of facts and the pathname. Where no facts are - present, there will be exactly two leading spaces before the - pathname. No spaces are permitted in the facts, any other spaces in - the response are to be treated as being a part of the pathname. - - If the command was an MLSD command, the server will open a data - connection as indicated in section 3.2 of RFC959 [3]. If that fails, - the server will return an error-response. If all is OK, the server - will return the initial-response, send the appropriate data-response - - - -Elz & Hethmon [Expires April 2000] [Page 30] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - - over the new data connection, close that connection, and then send - the final-response over the control connection. The grammar above - defines the format for the data-response, which defines the format of - the data returned over the data connection established. - - The data connection opened for a MLSD response shall be a connection - as if the "TYPE L 8", "MODE S", and "STRU F" commands had been given, - whatever FTP transfer type, mode and structure had actually been set, - and without causing those settings to be altered for future commands. 
- That is, this transfer type shall be set for the duration of the data - connection established for this command only. While the content of - the data sent can be viewed as a series of lines, implementations - should note that there is no maximum line length defined. - Implementations should be prepared to deal with arbitrarily long - lines. - - The facts part of the specification would contain a series of "file - facts" about the file or directory named on the same line. Typical - information to be presented would include file size, last - modification time, creation time, a unique identifier, and a - file/directory flag. - - The complete format for a successful reply to the MLSD command would - be: - - facts SP pathname CRLF - facts SP pathname CRLF - facts SP pathname CRLF - ... - - Note that the format is intended for machine processing, not human - viewing, and as such the format is very rigid. Implementations MUST - NOT vary the format by, for example, inserting extra spaces for - readability, replacing spaces by tabs, including header or title - lines, or inserting blank lines, or in any other way alter this - format. Exactly one space is always required after the set of facts - (which may be empty). More spaces may be present on a line if, and - only if, the file name presented contains significant spaces. The - set of facts must not contain any spaces anywhere inside it. Facts - should be provided in each output line only if they both provide - relevant information about the file named on the same line, and they - are in the set requested by the user-PI. There is no requirement - that the same set of facts be provided for each file, or that the - facts presented occur in the same order for each file. - - - - - - - -Elz & Hethmon [Expires April 2000] [Page 31] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - -8.3. Filename encoding - - An FTP implementation supporting the MLSx commands must be 8-bit - clean. 
This is necessary in order to transmit UTF-8 encoded - filenames. This specification recommends the use of UTF-8 encoded - filenames. FTP implementations SHOULD use UTF-8 whenever possible to - encourage the maximum interoperability. - - Filenames are not restricted to UTF-8, however treatment of arbitrary - character encodings is not specified by this standard. Applications - are encouraged to treat non-UTF-8 encodings of filenames as octet - sequences. - - Note that this encoding is unrelated to that of the contents of the - file, even if the file contains character data. - - Further information about filename encoding for FTP may be found in - "Internationalization of the File Transfer Protocol" [7]. - -8.3.1. Notes about the Filename - - The filename returned in the MLST response should be the same name as - was specified in the MLST command, or, where TVFS is supported, a - fully qualified TVFS path naming the same file. Where no argument - was given to the MLST command, the server-PI may either include an - empty filename in the response, or it may supply a name that refers - to the current directory, if such a name is available. Where TVFS is - supported, a fully qualified path name of the current directory - SHOULD be returned. - - Filenames returned in the output from an MLSD command SHOULD be - unqualified names within the directory named, or the current - directory if no argument was given. That is, the directory named in - the MLSD command SHOULD NOT appear as a component of the filenames - returned. - - If the server-FTP process is able, and the "type" fact is being - returned, it MAY return in the MLSD response, an entry whose type is - "cdir", which names the directory from which the contents of the - listing were obtained. Where TVFS is supported, the name MAY be the - fully qualified path name of the directory, or MAY be any other path - name which is valid to refer to that directory from the current - working directory of the server-FTP. 
Where more than one name - exists, multiple of these entries may be returned. In a sense, the - "cdir" entry can be viewed as a heading for the MLSD output. - However, it is not required to be the first entry returned, and may - occur anywhere within the listing. - - - - -Elz & Hethmon [Expires April 2000] [Page 32] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - - When TVFS is supported, a user-PI can refer to any file or directory - in the listing by combining a type "cdir" name, with the appropriate - name from the directory listing using the procedure defined in - section 7.2. - - Alternatively, whether TVFS is supported or not, the user-PI can - issue a CWD command ([3]) giving a name of type "cdir" from the - listing returned, and from that point reference the files returned in - the MLSD response from which the cdir was obtained by using the - filename components of the listing. - -8.4. Format of Facts - - The "facts" for a file in a reply to a MLSx command consist of - information about that file. The facts are a series of keyword=value - pairs each followed by semi-colon (";") characters. An individual - fact may not contain a semi-colon in its name or value. The complete - series of facts may not contain the space character. See the - definition or "RCHAR" in section 2.1 for a list of the characters - that can occur in a fact value. Not all are applicable to all facts. - - A sample of a typical series of facts would be: (spread over two - lines for presentation here only) - - size=4161;lang=en-US;modify=19970214165800;create=19961001124534; - type=file;x.myfact=foo,bar; - -8.5. Standard Facts - - This document defines a standard set of facts as follows: - - size -- Size in octets - modify -- Last modification time - create -- Creation time - type -- Entry type - unique -- Unique id of file/directory - perm -- File permissions, whether read, write, execute is - allowed for the login id. 
- lang -- Language of the filename per IANA[12] registry. - media-type -- MIME media-type of file contents per IANA registry. - charset -- Character set per IANA registry (if not UTF-8) - - Fact names are case-insensitive. Size, size, SIZE, and SiZe are the - same fact. - - Further operating system specific keywords could be specified by - using the IANA operating system name as a prefix (examples only): - - - - -Elz & Hethmon [Expires April 2000] [Page 33] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - - OS/2.ea -- OS/2 extended attributes - MACOS.rf -- MacIntosh resource forks - UNIX.mode -- Unix file modes (permissions) - - Implementations may define keywords for experimental, or private use. - All such keywords MUST begin with the two character sequence "x.". - As type names are case independent, "x." and "X." are equivalent. - For example: - - x.ver -- Version information - x.desc -- File description - x.type -- File type - -8.5.1. The type Fact - - The type fact needs a special description. Part of the problem with - current practices is deciding when a file is a directory. If it is a - directory, is it the current directory, a regular directory, or a - parent directory? The MLST specification makes this unambiguous - using the type fact. The type fact given specifies information about - the object listed on the same line of the MLST response. - - Five values are possible for the type fact: - - file -- a file entry - cdir -- the listed directory - pdir -- a parent directory - dir -- a directory or sub-directory - OS.name=type -- an OS or file system dependent file type - - The syntax is defined to be: - - type-fact = type-label "=" type-val - type-label = "Type" - type-val = "File" / "cdir" / "pdir" / "dir" / - os-type - -8.5.1.1. type=file - - The presence of the type=file fact indicates the listed entry is a - file containing non-system data. 
That is, it may be transferred from - one system to another of quite different characteristics, and perhaps - still be meaningful. - -8.5.1.2. type=cdir - - The type=cdir fact indicates the listed entry contains a pathname of - the directory whose contents are listed. An entry of this type will - - - -Elz & Hethmon [Expires April 2000] [Page 34] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - - only be returned as a part of the result of an MLSD command when the - type fact is included, and provides a name for the listed directory, - and facts about that directory. In a sense, it can be viewed as - representing the title of the listing, in a machine friendly format. - It may appear at any point of the listing, it is not restricted to - appearing at the start, though frequently may do so, and may occur - multiple times. It MUST NOT be included if the type fact is not - included, or there would be no way for the user-PI to distinguish the - name of the directory from an entry in the directory. - - Where TVFS is supported by the server-FTP, this name may be used to - construct path names with which to refer to the files and directories - returned in the same MLSD output (see section 7.2). These path names - are only expected to work when the server-PI's position in the NVFS - file tree is the same as its position when the MLSD command was - issued, unless a fully qualified path name results. - - Where TVFS is not supported, the only defined semantics associated - with a "type=cdir" entry are that, provided the current working - directory of the server-PI has not been changed, a pathname of type - "cdir" may be used as an argument to a CWD command, which will cause - the current directory of the server-PI to change so that the - directory which was listed in its current working directory. - -8.5.1.3. type=dir - - If present, the type=dir entry gives the name of a directory. 
Such
- an entry typically cannot be transferred from one system to another
- using RETR, etc, but should (permissions permitting) be able to be
- the object of an MLSD command.
-
-8.5.1.4. type=pdir
-
- If present, which will occur only in the response to a MLSD command
- when the type fact is included, the type=pdir entry represents a
- pathname of the parent directory of the listed directory. As well as
- having the properties of a type=dir, a CWD command that uses the
- pathname from this entry should change the user to a parent directory
- of the listed directory. If the listed directory is the current
- directory, a CDUP command may also have the effect of changing to the
- named directory. User-FTP processes should note not all responses
- will include this information, and that some systems may provide
- multiple type=pdir responses.
-
- Where TVFS is supported, a "type=pdir" name may be a relative path
- name, or a fully qualified path name. A relative path name will be
- relative to the directory being listed, not to the current directory
- of the server-PI at the time.
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 35]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- For the purposes of this type value, a "parent directory" is any
- directory in which there is an entry of type=dir which refers to the
- directory in which the type=pdir entity was found. Thus it is not
- required that all entities with type=pdir refer to the same
- directory. The "unique" fact (if supported) can be used to determine
- whether there is a relationship between the type=pdir entries or not.
-
-8.5.1.5. System defined types
-
- Files types that are specific to a specific operating system, or file
- system, can be encoded using the "OS." type names. The format is:
-
- os-type = "OS." os-name "=" os-type
- os-name =
- os-type = token
-
- The "os-name" indicates the specific system type which supports the
- particular localtype.
OS specific types are registered by the IANA
- using the procedures specified in section 11. The "os-type" provides
- the system dependent information as to the type of the file listed.
- The os-name and os-type strings in an os-type are case independent.
- "OS.unix=block" and "OS.Unix=BLOCK" represent the same type (or
- would, if such a type were registered.)
-
- Note: Where the underlying system supports a file type which is
- essentially an indirect pointer to another file, the NVFS
- representation of that type should normally be to represent the file
- which the reference indicates. That is, the underlying basic file
- will appear more than once in the NVFS, each time with the "unique"
- fact (see immediately following section) containing the same value,
- indicating that the same file is represented by all such names.
- User-PIs transferring the file need then transfer it only once, and
- then insert their own form of indirect reference to construct
- alternate names where desired, or perhaps even copy the local file if
- that is the only way to provide two names with the same content. A
- file which would be a reference to another file, if only the other
- file actually existed, may be represented in any OS dependent manner
- appropriate, or not represented at all.
-
-8.5.1.6. Multiple types
-
- Where a file is such that it may validly, and sensibly, treated by
- the server-PI as being of more than one of the above types, then
- multiple entries should be returned, each with its own "Type" fact of
- the appropriate type, and each containing the same pathname. This
- may occur, for example, with a structured file, which may contain
- sub-files, and where the server-PI permits the structured file to be
- treated as a unit, or treated as a directory allowing the sub-files
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 36]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- within it to be referenced.
-
-8.5.2.
The unique Fact
-
- The unique fact is used to present a unique identifier for a file or
- directory in the NVFS accessed via a server-FTP process. The value
- of this fact should be the same for any number of pathnames that
- refer to the same underlying file. The fact should have different
- values for names which reference distinct files. The mapping between
- files, and unique fact tokens should be maintained, and remain
- consistent, for at least the lifetime of the control connection from
- user-PI to server-PI.
-
- unique-fact = "Unique" "=" token
-
- This fact would be expected to be used by Server-FTPs whose host
- system allows things such as symbolic links so that the same file may
- be represented in more than one directory on the server. The only
- conclusion that should be drawn is that if two different names each
- have the same value for the unique fact, they refer to the same
- underlying object. The value of the unique fact (the token) should
- be considered an opaque string for comparison purposes, and is a case
- dependent value. The tokens "A" and "a" do not represent the same
- underlying object.
-
-8.5.3. The modify Fact
-
- The modify fact is used to determine the last time the content of the
- file (or directory) indicated was modified. Any change of substance
- to the file should cause this value to alter. That is, if a change
- is made to a file such that the results of a RETR command would
- differ, then the value of the modify fact should alter. User-PIs
- should not assume that a different modify fact value indicates that
- the file contents are necessarily different than when last retrieved.
- Some systems may alter the value of the modify fact for other
- reasons, though this is discouraged wherever possible. Also a file
- may alter, and then be returned to its previous content, which would
- often be indicated as two incremental alterations to the value of the
- modify fact.
-
- For directories, this value should alter whenever a change occurs to
- the directory such that different filenames would (or might) be
- included in MLSD output of that directory.
-
-
-
-
-
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 37]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- modify-fact = "Modify" "=" time-val
-
-8.5.4. The create Fact
-
- The create fact indicates when a file, or directory, was first
- created. Exactly what "creation" is for this purpose is not
- specified here, and may vary from server to server. About all that
- can be said about the value returned is that it can never indicate a
- later time than the modify fact.
-
- create-fact = "Create" "=" time-val
-
- Implementation Note: Implementors of this fact on UNIX(TM) systems
- should note that the unix "stat" "st_ctime" field does not give
- creation time, and that unix file systems do not record creation
- time at all. Unix (and POSIX) implementations will normally not
- include this fact.
-
-8.5.5. The perm Fact
-
- The perm fact is used to indicate access rights the current FTP user
- has over the object listed. Its value is always an unordered
- sequence of alphabetic characters.
-
- perm-fact = "Perm" "=" *pvals
- pvals = "a" / "c" / "d" / "e" / "f" /
- "l" / "m" / "p" / "r" / "w"
-
- There are ten permission indicators currently defined. Many are
- meaningful only when used with a particular type of object. The
- indicators are case independent, "d" and "D" are the same indicator.
-
- The "a" permission applies to objects of type=file, and indicates
- that the APPE (append) command may be applied to the file named.
-
- The "c" permission applies to objects of type=dir (and type=pdir,
- type=cdir). It indicates that files may be created in the directory
- named.
That is, that a STOU command is likely to succeed, and that
- STOR and APPE commands might succeed if the file named did not
- previously exist, but is to be created in the directory object that
- has the "c" permission. It also indicates that the RNTO command is
- likely to succeed for names in the directory.
-
- The "d" permission applies to all types. It indicates that the
- object named may be deleted, that is, that the RMD command may be
- applied to it if it is a directory, and otherwise that the DELE
- command may be applied to it.
-
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 38]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- The "e" permission applies to the directory types. When set on an
- object of type=dir, type=cdir, or type=pdir it indicates that a CWD
- command naming the object should succeed, and the user should be able
- to enter the directory named. For type=pdir it also indicates that
- the CDUP command may succeed (if this particular pathname is the one
- to which a CDUP would apply.)
-
- The "f" permission for objects indicates that the object named may be
- renamed - that is, may be the object of an RNFR command.
-
- The "l" permission applies to the directory file types, and indicates
- that the listing commands, LIST, NLST, and MLSD may be applied to the
- directory in question.
-
- The "m" permission applies to directory types, and indicates that the
- MKD command may be used to create a new directory within the
- directory under consideration.
-
- The "p" permission applies to directory types, and indicates that
- objects in the directory may be deleted, or (stretching naming a
- little) that the directory may be purged. Note: it does not indicate
- that the RMD command may be used to remove the directory named
- itself, the "d" permission indicator indicates that.
-
- The "r" permission applies to type=file objects, and for some
- systems, perhaps to other types of objects, and indicates that the
- RETR command may be applied to that object.
-
- The "w" permission applies to type=file objects, and for some
- systems, perhaps to other types of objects, and indicates that the
- STOR command may be applied to the object named.
-
- Note: That a permission indicator is set can never imply that the
- appropriate command is guaranteed to work - just that it might.
- Other system specific limitations, such as limitations on
- available space for storing files, may cause an operation to
- fail, where the permission flags may have indicated that it was
- likely to succeed. The permissions are a guide only.
-
- Implementation note: The permissions are described here as they apply
- to FTP commands. They may not map easily into particular
- permissions available on the server's operating system. Servers
- are expected to synthesize these permission bits from the
- permission information available from operating system. For
- example, to correctly determine whether the "D" permission bit
- should be set on a directory for a server running on the
- UNIX(TM) operating system, the server should check that the
- directory named is empty, and that the user has write permission
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 39]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- on both the directory under consideration, and its parent
- directory.
-
- Some systems may have more specific permissions than those
- listed here, such systems should map those to the flags defined
- as best they are able. Other systems may have only more broad
- access controls. They will generally have just a few possible
- permutations of permission flags, however they should attempt to
- correctly represent what is permitted.
-
-8.5.6. The lang Fact
-
- The lang fact describes the natural language of the filename for use
- in display purposes.
Values used here should be taken from the
- language registry of the IANA. See [13] for the syntax, and
- procedures, related to language tags.
-
- lang-fact = "Lang" "=" token
-
- Server-FTP implementations MUST NOT guess language values. Language
- values must be determined in an unambiguous way such as file system
- tagging of language or by user configuration. Note that the lang
- fact provides no information at all about the content of a file, only
- about the encoding of its name.
-
-8.5.7. The size Fact
-
- The size fact applies to non-directory file types and should always
- reflect the approximate size of the file. This should be as accurate
- as the server can make it, without going to extraordinary lengths,
- such as reading the entire file. The size is expressed in units of
- octets of data in the file.
-
- Given limitations in some systems, Client-FTP implementations must
- understand this size may not be precise and may change between the
- time of a MLST and RETR operation.
-
- Clients that need highly accurate size information for some
- particular reason should use the SIZE command as defined in section
- 4. The most common need for this accuracy is likely to be in
- conjunction with the REST command described in section 5. The size
- fact, on the other hand, should be used for purposes such as
- indicating to a human user the approximate size of the file to be
- transferred, and perhaps to give an idea of expected transfer
- completion time.
-
-
-
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 40]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- size-fact = "Size" "=" 1*DIGIT
-
-8.5.8. The media-type Fact
-
- The media-type fact represents the IANA media type of the file named,
- and applies only to non-directory types. The list of values used
- must follow the guidelines set by the IANA registry.
-
- media-type = "Media-Type" "="
-
- Server-FTP implementations MUST NOT guess media type values.
Media
- type values must be determined in an unambiguous way such as file
- system tagging of media-type or by user configuration. This fact
- gives information about the content of the file named. Both the
- primary media type, and any appropriate subtype should be given,
- separated by a slash "/" as is traditional.
-
-8.5.9. The charset Fact
-
- The charset fact provides the IANA character set name, or alias, for
- the encoded pathnames in a MLSx response. The default character set
- is UTF-8 unless specified otherwise. FTP implementations SHOULD use
- UTF-8 if possible to encourage maximum interoperability. The value
- of this fact applies to the pathname only, and provides no
- information about the contents of the file.
-
- charset-type = "Charset" "=" token
-
-8.5.10. Required facts
-
- Servers are not required to support any particular set of the
- available facts. However, servers SHOULD, if conceivably possible,
- support at least the type, perm, size, unique, and modify facts.
-
-8.6. System Dependent and Local Facts
-
- By using an system dependent fact, or a local fact, a server-PI may
- communicate to the user-PI information about the file named which is
- peculiar to the underlying file system.
-
-8.6.1. System Dependent Facts
-
- System dependent fact names are labeled by prefixing a label
- identifying the specific information returned by the name of the
- appropriate operating system from the IANA maintained list of
- operating system names.
-
-
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 41]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- The value of an OS dependent fact may be whatever is appropriate to
- convey the information available. It must be encoded as a "token" as
- defined in section 2.1 however.
-
- In order to allow reliable interoperation between users of system
- dependent facts, the IANA will maintain a registry of system
- dependent fact names, their syntax, and the interpretation to be
- given to their values. Registrations of system dependent facts are
- to be accomplished according to the procedures of section 11.
-
-8.6.2. Local Facts
-
- Implementations may also make available other facts of their own
- choosing. As the method of interpretation of such information will
- generally not be widely understood, server-PIs should be aware that
- clients will typically ignore any local facts provided. As there is
- no registration of locally defined facts, it is entirely possible
- that different servers will use the same local fact name to provide
- vastly different information. Hence user-PIs should be hesitant
- about making any use of any information in a locally defined fact
- without some other specific assurance that the particular fact is one
- that they do comprehend.
-
- Local fact names all begin with the sequence "X.". The rest of the
- name is a "token" (see section 2.1). The value of a local fact can
- be anything at all, provided it can be encoded as a "token".
-
-8.7. MLSx Examples
-
- The following examples are all taken from dialogues between existing
- FTP clients and servers. Because of this, not all possible
- variations of possible response formats are shown in the examples.
- This should not be taken as limiting the options of other server
- implementors. Where the examples show OS dependent information, that
- is to be treated as being purely for the purposes of demonstration of
- some possible OS specific information that could be defined. As at
- the time of the writing of this document, no OS specific facts or
- file types have been defined, the examples shown here should not be
- treated as in any way to be preferred over other possible similar
- definitions.
Consult the IANA registries to determine what types and
- facts have been defined.
-
- In the examples shown, only relevant commands and responses have been
- included. This is not to imply that other commands (including
- authentication, directory modification, PORT or PASV commands, or
- similar) would not be present in an actual connection, or were not,
- in fact, actually used in the examples before editing. Note also
- that the formats shown are those that are transmitted between client
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 42]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- and server, not formats which would normally ever be reported to the
- user of the client.
-
- In the examples, lines that begin "C> " were sent over the control
- connection from the client to the server, lines that begin "S> " were
- sent over the control connection from the server to the client, and
- lines that begin "D> " were sent from the server to the client over a
- data connection created just to send those lines and closed
- immediately after. No examples here show data transferred over a
- data connection from the client to the server. In all cases, the
- prefixes shown above, including the one space, have been added for
- the purposes of this document, and are not a part of the data
- exchanged between client and server.
-
-8.7.1. Simple MLST
-
- C> PWD
- S> 257 "/tmp" is current directory.
- C> MLst cap60.pl198.tar.gz
- S> 250- Listing cap60.pl198.tar.gz
- S> Type=file;Size=1024990;Perm=r; /tmp/cap60.pl198.tar.gz
- S> 250 End
-
- The client first asked to be told the current directory of the
- server. This was purely for the purposes of clarity of this example.
- The client then requested facts about a specific file. The server
- returned the "250-" first control-response line, followed by a single
- line of facts about the file, followed by the terminating "250 "
- line.
The text on the control-response line and the terminating line
- can be anything the server decides to send. Notice that the fact
- line is indented by a single space. Notice also that there are no
- spaces in the set of facts returned, until the single space before
- the filename. The filename returned on the fact line is a fully
- qualified pathname of the file listed. The facts returned show that
- the line refers to a file, that file contains approximately 1024990
- bytes, though more or less than that may be transferred if the file
- is retrieved, and a different number may be required to store the
- file at the client's file store, and the connected user has
- permission to retrieve the file but not to do anything else
- particularly interesting.
-
-8.7.2. MLST of a directory
-
- C> PWD
- S> 257 "/" is current directory.
- C> MLst tmp
- S> 250- Listing tmp
- S> Type=dir;Modify=19981107085215;Perm=el; /tmp
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 43]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- S> 250 End
-
- Again the PWD is just for the purposes of demonstration for the
- example. The MLST fact line this time shows that the file listed is
- a directory, that it was last modified at 08:52:15 on the 7th of
- November, 1998 UTC, and that the user has permission to enter the
- directory, and to list its contents, but not to modify it in any way.
- Again, the fully qualified path name of the directory listed is
- given.
-
-8.7.3. MLSD of a directory
-
- C> MLSD tmp
- S> 150 BINARY connection open for MLSD tmp
- D> Type=cdir;Modify=19981107085215;Perm=el; tmp
- D> Type=cdir;Modify=19981107085215;Perm=el; /tmp
- D> Type=pdir;Modify=19990112030508;Perm=el; ..
- D> Type=file;Size=25730;Modify=19940728095854;Perm=; capmux.tar.z
- D> Type=file;Size=1830;Modify=19940916055648;Perm=r; hatch.c
- D> Type=file;Size=25624;Modify=19951003165342;Perm=r; MacIP-02.txt
- D> Type=file;Size=2154;Modify=19950501105033;Perm=r; uar.netbsd.patch
- D> Type=file;Size=54757;Modify=19951105101754;Perm=r; iptnnladev.1.0.sit.hqx
- D> Type=file;Size=226546;Modify=19970515023901;Perm=r; melbcs.tif
- D> Type=file;Size=12927;Modify=19961025135602;Perm=r; tardis.1.6.sit.hqx
- D> Type=file;Size=17867;Modify=19961025135602;Perm=r; timelord.1.4.sit.hqx
- D> Type=file;Size=224907;Modify=19980615100045;Perm=r; uar.1.2.3.sit.hqx
- D> Type=file;Size=1024990;Modify=19980130010322;Perm=r; cap60.pl198.tar.gz
- S> 226 MLSD completed
-
- In this example notice that there is no leading space on the fact
- lines returned over the data connection. Also notice that two lines
- of "type=cdir" have been given. These show two alternate names for
- the directory listed, one a fully qualified pathname, and the other a
- local name relative to the servers current directory when the MLSD
- was performed. Note that all other filenames in the output are
- relative to the directory listed, though the server could, if it
- chose, give a fully qualified path name for the "type=pdir" line.
- This server has chosen not to. The other files listed present a
- fairly boring set of files that are present in the listed directory.
- Note that there is no particular order in which they are listed.
- They are not sorted by filename, by size, or by modify time. Note
- also that the "perm" fact has an empty value for the file
- "capmux.tar.z" indicating that the connected user has no permissions
- at all for that file. This server has chosen to present the "cdir"
- and "pdir" lines before the lines showing the content of the
- directory, it is not required to do so.
The "size" fact does not
- provide any meaningful information for a directory, so is not
- included in the fact lines for the directory types shown.
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 44]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
-8.7.4. A more complex example
-
- C> MLst test
- S> 250- Listing test
- S> Type=dir;Perm=el;Unique=keVO1+ZF4 test
- S> 250 End
- C> MLSD test
- S> 150 BINARY connection open for MLSD test
- D> Type=cdir;Perm=el;Unique=keVO1+ZF4; test
- D> Type=pdir;Perm=e;Unique=keVO1+d?3; ..
- D> Type=OS.unix=slink:/foobar;Perm=;Unique=keVO1+4G4; foobar
- D> Type=OS.unix=chr-13/29;Perm=;Unique=keVO1+5G4; device
- D> Type=OS.unix=blk-11/108;Perm=;Unique=keVO1+6G4; block
- D> Type=file;Perm=awr;Unique=keVO1+8G4; writable
- D> Type=dir;Perm=cpmel;Unique=keVO1+7G4; promiscuous
- D> Type=dir;Perm=;Unique=keVO1+1t2; no-exec
- D> Type=file;Perm=r;Unique=keVO1+EG4; two words
- D> Type=file;Perm=r;Unique=keVO1+IH4; leading space
- D> Type=file;Perm=r;Unique=keVO1+1G4; file1
- D> Type=dir;Perm=cpmel;Unique=keVO1+7G4; incoming
- D> Type=file;Perm=r;Unique=keVO1+1G4; file2
- D> Type=file;Perm=r;Unique=keVO1+1G4; file3
- D> Type=file;Perm=r;Unique=keVO1+1G4; file4
- S> 226 MLSD completed
- C> MLSD test/incoming
- S> 150 BINARY connection open for MLSD test/incoming
- D> Type=cdir;Perm=cpmel;Unique=keVO1+7G4; test/incoming
- D> Type=pdir;Perm=el;Unique=keVO1+ZF4; ..
- D> Type=file;Perm=awdrf;Unique=keVO1+EH4; bar
- D> Type=file;Perm=awdrf;Unique=keVO1+LH4;
- D> Type=file;Perm=rf;Unique=keVO1+1G4; file5
- D> Type=file;Perm=rf;Unique=keVO1+1G4; file6
- D> Type=dir;Perm=cpmdelf;Unique=keVO1+!s2; empty
- S> 226 MLSD completed
-
- For the purposes of this example the fact set requested has been
- modified to delete the "size" and "modify" facts, and add the
- "unique" fact. First, facts about a filename have been obtained via
- MLST. Note that no fully qualified path name was given this time.
- That was because the server was unable to determine that information.
- Then having determined that the filename represents a directory, that
- directory has been listed. That listing also shows no fully
- qualified path name, for the same reason, thus has but a single
- "type=cdir" line. This directory (which was created especially for
- the purpose) contains several interesting files. There are some with
- OS dependent file types, several sub-directories, and several
- ordinary files.
-
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 45]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- Not much can be said here about the OS dependent file types, as none
- of the information shown there should be treated as any more than
- possibilities. It can be seen that the OS type of the server is
- "unix" though, which is one of the OS types in the IANA registry of
- Operating System names.
-
- Of the three directories listed, "no-exec" has no permission granted
- to this user to access at all. From the "Unique" fact values, it can
- be determined that "promiscuous" and "incoming" in fact represent the
- same directory. Its permissions show that the connected user has
- permission to do essentially anything other than to delete the
- directory. That directory was later listed. It happens that the
- directory can not be deleted because it is not empty.
-
- Of the normal files listed, two contain spaces in their names. The
- file called " leading space" actually contains two spaces in its
- name, one before the "l" and one between the "g" and the "s". The
- two spaces that separate the facts from the visible part of the path
- name make that clear. The file "writable" has the "a" and "w"
- permission bits set, and consequently the connected user should be
- able to STOR or APPE to that file.
-
- The other four file names, "file1", "file2", "file3", and "file4" all
- represent the same underlying file, as can be seen from the values of
- the "unique" facts of each. It happens that "file1" and "file2" are
- Unix "hard" links, and that "file3" and "file4" are "soft" or
- "symbolic" links to the first two. None of that information is
- available via standard MLST facts, it is sufficient for the purposes
- of FTP to note that all represent the same file, and that the same
- data would be fetched no matter which of them was retrieved, and that
- all would be simultaneously modified were data stored in any.
-
- Finally, the sub-directory "incoming" is listed. Since "promiscuous"
- is the same directory there would be no point listing it as well. In
- that directory, the files "file5" and "file6" represent still more
- names for the "file1" file we have seen before. Notice the entry
- between that for "bar" and "file5". Though it is not possible to
- easily represent it in this document, that shows a file with a name
- comprising exactly three spaces (" "). A client will have no
- difficulty determining that name from the output presented to it
- however. The directory "empty" is, as its name implies, empty,
- though that is not shown here. It can, however, be deleted, as can
- file "bar" and the file whose name is three spaces. All the files
- that reside in this directory can be renamed. This is a consequence
- of the UNIX semantics of the directory that contains them being
- modifiable.
-
-
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 46]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
-8.7.5. More accurate time information
-
- C> MLst file1
- S> 250- Listing file1
- S> Type=file;Modify=19990929003355.237; file1
- S> 250 End
-
- In this example, the server-FTP is indicating that "file1" was last
- modified 237 milliseconds after 00:33:55 UTC on the 29th of
- September, 1999.
-
-8.7.6.
A different server
-
- C> MLST
- S> 250-Begin
- S> type=dir;unique=AQkAAAAAAAABCAAA; /
- S> 250 End.
- C> MLSD .
- S> 150 Opening ASCII mode data connection for MLS.
- D> type=cdir;unique=AQkAAAAAAAABCAAA; /
- D> type=dir;unique=AQkAAAAAAAABEAAA; bin
- D> type=dir;unique=AQkAAAAAAAABGAAA; etc
- D> type=dir;unique=AQkAAAAAAAAB8AwA; halflife
- D> type=dir;unique=AQkAAAAAAAABoAAA; incoming
- D> type=dir;unique=AQkAAAAAAAABIAAA; lib
- D> type=dir;unique=AQkAAAAAAAABWAEA; linux
- D> type=dir;unique=AQkAAAAAAAABKAEA; ncftpd
- D> type=dir;unique=AQkAAAAAAAABGAEA; outbox
- D> type=dir;unique=AQkAAAAAAAABuAAA; quake2
- D> type=dir;unique=AQkAAAAAAAABQAEA; winstuff
- S> 226 Listing completed.
- C> MLSD linux
- S> 150 Opening ASCII mode data connection for MLS.
- D> type=cdir;unique=AQkAAAAAAAABWAEA; /linux
- D> type=pdir;unique=AQkAAAAAAAABCAAA; /
- D> type=dir;unique=AQkAAAAAAAABeAEA; firewall
- D> type=file;size=12;unique=AQkAAAAAAAACWAEA; helo_world
- D> type=dir;unique=AQkAAAAAAAABYAEA; kernel
- D> type=dir;unique=AQkAAAAAAAABmAEA; scripts
- D> type=dir;unique=AQkAAAAAAAABkAEA; security
- S> 226 Listing completed.
- C> MLSD linux/kernel
- S> 150 Opening ASCII mode data connection for MLS.
- D> type=cdir;unique=AQkAAAAAAAABYAEA; /linux/kernel
- D> type=pdir;unique=AQkAAAAAAAABWAEA; /linux
- D> type=file;size=6704;unique=AQkAAAAAAAADYAEA; k.config
- D> type=file;size=7269221;unique=AQkAAAAAAAACYAEA; linux-2.0.36.tar.gz
- D> type=file;size=12514594;unique=AQkAAAAAAAAEYAEA; linux-2.1.130.tar.gz
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 47]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- S> 226 Listing completed.
-
- Note that this server returns its "unique" fact value in quite a
- different format. It also returns fully qualified path names for the
- "pdir" entry.
-
-8.7.7. Some IANA files
-
- C> MLSD .
- S> 150 BINARY connection open for MLSD .
- D> Type=cdir;Modify=19990219183438; /iana/assignments
- D> Type=pdir;Modify=19990112030453; ..
- D> Type=dir;Modify=19990219073522; media-types
- D> Type=dir;Modify=19990112033515; character-set-info
- D> Type=dir;Modify=19990112033529; languages
- D> Type=file;Size=44242;Modify=19990217230400; character-sets
- D> Type=file;Size=1947;Modify=19990209215600; operating-system-names
- S> 226 MLSD completed
- C> MLSD media-types
- S> 150 BINARY connection open for MLSD media-types
- D> Type=cdir;Modify=19990219073522; media-types
- D> Type=cdir;Modify=19990219073522; /iana/assignments/media-types
- D> Type=pdir;Modify=19990219183438; ..
- D> Type=dir;Modify=19990112033045; text
- D> Type=dir;Modify=19990219183442; image
- D> Type=dir;Modify=19990112033216; multipart
- D> Type=dir;Modify=19990112033254; video
- D> Type=file;Size=30249;Modify=19990218032700; media-types
- S> 226 MLSD completed
- C> MLSD character-set-info
- S> 150 BINARY connection open for MLSD character-set-info
- D> Type=cdir;Modify=19990112033515; character-set-info
- D> Type=cdir;Modify=19990112033515; /iana/assignments/character-set-info
- D> Type=pdir;Modify=19990219183438; ..
- D> Type=file;Size=1234;Modify=19980903020400; windows-1251
- D> Type=file;Size=4557;Modify=19980922001400; tis-620
- D> Type=file;Size=801;Modify=19970324130000; ibm775
- D> Type=file;Size=552;Modify=19970320130000; ibm866
- D> Type=file;Size=922;Modify=19960505140000; windows-1258
- S> 226 MLSD completed
- C> MLSD languages
- S> 150 BINARY connection open for MLSD languages
- D> Type=cdir;Modify=19990112033529; languages
- D> Type=cdir;Modify=19990112033529; /iana/assignments/languages
- D> Type=pdir;Modify=19990219183438; ..
- D> Type=file;Size=2391;Modify=19980309130000; default
- D> Type=file;Size=943;Modify=19980309130000; tags
- D> Type=file;Size=870;Modify=19971026130000; navajo
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 48]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- D> Type=file;Size=699;Modify=19950911140000; no-bok
- S> 226 MLSD completed
- C> PWD
- S> 257 "/iana/assignments" is current directory.
-
- This example shows some of the IANA maintained files that are
- relevant for this specification in MLSD format. Note that these
- listings have been edited by deleting many entries, the actual
- listings are much longer.
-
-8.7.8. A stress test of case (in)dependence
-
- The following example is intended to make clear some cases where case
- dependent strings are permitted in the MLSx commands, and where case
- independent strings are required.
-
- C> MlsD .
- S> 150 BINARY connection open for MLSD .
- D> Type=pdir;Modify=19990929011228;Perm=el;Unique=keVO1+ZF4; ..
- D> Type=file;Size=4096;Modify=19990929011440;Perm=r;Unique=keVO1+Bd8; FILE2
- D> Type=file;Size=4096;Modify=19990929011440;Perm=r;Unique=keVO1+aG8; file3
- D> Type=file;Size=4096;Modify=19990929011440;Perm=r;Unique=keVO1+ag8; FILE3
- D> Type=file;Size=4096;Modify=19990929011440;Perm=r;Unique=keVO1+bD8; file1
- D> Type=file;Size=4096;Modify=19990929011440;Perm=r;Unique=keVO1+bD8; file2
- D> Type=file;Size=4096;Modify=19990929011440;Perm=r;Unique=keVO1+Ag8; File3
- D> Type=file;Size=4096;Modify=19990929011440;Perm=r;Unique=keVO1+bD8; File1
- D> Type=file;Size=4096;Modify=19990929011440;Perm=r;Unique=keVO1+Bd8; File2
- D> Type=file;Size=4096;Modify=19990929011440;Perm=r;Unique=keVO1+bd8; FILE1
- S> 226 MLSD completed
-
- Note first that the "MLSD" command, shown here as "MlsD" is case
- independent. Clients may issue this command in any case, or
- combination of cases, they desire. This is the case for all FTP
- commands.
-
- Next, notice the labels of the facts.
These are also case
- independent strings, Server-FTP is permitted to return them in any
- case they desire. User-FTP must be prepared to deal with any case,
- though it may do this by mapping the labels to a common case if
- desired.
-
- Then, notice that there are nine objects of "type" file returned. In
- a case independent NVFS these would represent three different file
- names, "file1", "file2", and "file3". With a case dependent NVFS all
- nine represent different file names. Either is possible, server-FTPs
- may implement a case dependent or a case independent NVFS. User-FTPs
- must allow for case dependent selection of files to manipulate on the
- server.
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 49]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- Lastly, notice that the value of the "unique" fact is case dependent.
- In the example shown, "file1", "File1", and "file2" all have the same
- "unique" fact value "keVO1+bD8", and thus all represent the same
- underlying file. On the other hand, "FILE1" has a different "unique"
- fact value ("keVO1+bd8") and hence represents a different file.
- Similarly, "FILE2" and "File2" are two names for the same underlying
- file, whereas "file3", "File3" and "FILE3" all represent different
- underlying files.
-
- That the approximate sizes ("size" fact) and last modification times
- ("modify" fact) are the same in all cases might be no more than a
- coincidence.
-
- It is not suggested that the operators of server-FTPs create NVFS
- which stress the protocols to this extent, however both user and
- server implementations must be prepared to deal with such extreme
- examples.
-
-8.8. FEAT response for MLSx
-
- When responding to the FEAT command, a server-FTP process that
- supports MLST, and MLSD, plus internationalization of pathnames, MUST
- indicate that this support exists. It does this by including a MLST
- feature line.
As well as indicating the basic support, the MLST
- feature line indicates which MLST facts are available from the
- server, and which of those will be returned if no subsequent "OPTS
- MLST" command is sent.
-
- mlst-feat = SP "MLST" [SP factlist] CRLF
- factlist = 1*( factname ["*"] ";" )
-
- The initial space shown in the mlst-feat response is that required by
- the FEAT command, two spaces are not permitted. If no factlist is
- given, then the server-FTP process is indicating that it supports
- MLST, but implements no facts. Only pathnames can be returned. This
- would be a minimal MLST implementation, and useless for most
- practical purposes. Where the factlist is present, the factnames
- included indicate the facts supported by the server. Where the
- optional asterisk appears after a factname, that fact will be
- included in MLST format responses, until an "OPTS MLST" is given to
- alter the list of facts returned. After that, subsequent FEAT
- commands will return the asterisk to show the facts selected by the
- most recent "OPTS MLST".
-
- Note that there is no distinct FEAT output for MLSD. The presence of
- the MLST feature indicates that both MLST and MLSD are supported.
-
-
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 50]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
-8.8.1. Examples
-
- C> Feat
- S> 211- Features supported
- S> REST STREAM
- S> MDTM
- S> SIZE
- S> TVFS
- S> UTF8
- S> MLST Type*;Size*;Modify*;Perm*;Unique*;UNIX.mode;UNIX.chgd;X.hidden;
- S> 211 End
-
- Aside from some features irrelevant here, this server indicates that
- it supports MLST including several, but not all, standard facts, all
- of which it will send by default. It also supports two OS dependent
- facts, and one locally defined fact. The latter three must be
- requested expressly by the client for this server to supply them.
-
- C> Feat
- S> 211-Extensions supported:
- S> CLNT
- S> MDTM
- S> MLST type*;size*;modify*;UNIX.mode*;UNIX.owner;UNIX.group;unique;
- S> PASV
- S> REST STREAM
- S> SIZE
- S> TVFS
- S> Compliance Level: 19981201 (IETF mlst-05)
- S> 211 End.
-
- Again, in addition to some irrelevant features here, this server
- indicates that it supports MLST, four of the standard facts, one of
- which ("unique") is not enabled by default, and several OS dependent
- facts, one of which is provided by the server by default. This
- server actually supported more OS dependent facts. Others were
- deleted for the purposes of this document to comply with document
- formatting restrictions.
-
-8.9. OPTS parameters for MLST
-
- For the MLSx commands, the Client-FTP may specify a list of facts it
- wishes to be returned in all subsequent MLSx commands until another
- OPTS MLST command is sent. The format is specified by:
-
-
-
-
-
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 51]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- mlst-opts = "OPTS" SP "MLST"
- [ SP 1*( factname ";" ) ]
-
- By sending the "OPTS MLST" command, the client requests the server to
- include only the facts listed as arguments to the command in
- subsequent output from MLSx commands. Facts not included in the
- "OPTS MLST" command MUST NOT be returned by the server. Facts that
- are included should be returned for each entry returned from the MLSx
- command where they meaningfully apply. Facts requested that are not
- supported, or which are inappropriate to the file or directory being
- listed should simply be omitted from the MLSx output. This is not an
- error. Note that where no factname arguments are present, the client
- is requesting that only the file names be returned. In this case,
- and in any other case where no facts are included in the result, the
- space that separates the fact names and their values from the file
- name is still required.
That is, the first character of the output
- line will be a space, (or two characters will be spaces when the line
- is returned over the control connection,) and the file name will
- start immediately thereafter.
-
- Clients should note that generating values for some facts can be
- possible, but very expensive, for some servers. It is generally
- acceptable to retrieve any of the facts that the server offers as its
- default set before any "OPTS MLST" command has been given, however
- clients should use particular caution before requesting any facts not
- in that set. That is, while other facts may be available from the
- server, clients should refrain from requesting such facts unless
- there is a particular operational requirement for that particular
- information, which ought be more significant than perhaps simply
- improving the information displayed to an end user.
-
- Note, there is no "OPTS MLSD" command, the fact names set with the
- "OPTS MLST" command apply to both MLST and MLSD commands.
-
- Servers are not required to accept "OPTS MLST" commands before
- authentication of the user-PI, but may choose to permit them.
-
-8.9.1. OPTS MLST Response
-
- The "response-message" from [6] to a successful OPTS MLST command has
- the following syntax.
-
- mlst-opt-resp = "MLST OPTS" [ SP 1*( factname ";" ) ]
-
- This defines the "response-message" as used in the "opts-good"
- message in RFC2389 [6].
-
-
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 52]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- The facts named in the response are those which the server will now
- include in MLST (and MLSD) response, after the processing of the
- "OPTS MLST" command. Any facts from the request not supported by the
- server will be omitted from this response message. If no facts will
- be included, the list of facts will be empty.
Note that the list of
- facts returned will be the same as those marked by a trailing
- asterisk ("*") in a subsequent FEAT command response. There is no
- requirement that the order of the facts returned be the same as that
- in which they were requested, or that in which they will be listed in
- a FEAT command response, or that in which facts are returned in MLST
- responses. The fixed string "MLST OPTS" in the response may be
- returned in any case, or mixture of cases.
-
-8.9.2. Examples
-
- C> Feat
- S> 211- Features supported
- S> MLST Type*;Size;Modify*;Perm;Unique;UNIX.mode;UNIX.chgd;X.hidden;
- S> 211 End
- C> OptS Mlst Type;UNIX.mode;Perm;
- S> 201 MLST OPTS Type;Perm;UNIX.mode;
- C> Feat
- S> 211- Features supported
- S> MLST Type*;Size;Modify;Perm*;Unique;UNIX.mode*;UNIX.chgd;X.hidden;
- S> 211 End
- C> opts MLst lang;type;charset;create;
- S> 201 MLST OPTS Type;
- C> Feat
- S> 211- Features supported
- S> MLST Type*;Size;Modify;Perm;Unique;UNIX.mode;UNIX.chgd;X.hidden;
- S> 211 End
- C> OPTS mlst size;frogs;
- S> 201 MLST OPTS Size;
- C> Feat
- S> 211- Features supported
- S> MLST Type;Size*;Modify;Perm;Unique;UNIX.mode;UNIX.chgd;X.hidden;
- S> 211 End
- C> opts MLst unique type;
- S> 501 Invalid MLST options
- C> Feat
- S> 211- Features supported
- S> MLST Type;Size*;Modify;Perm;Unique;UNIX.mode;UNIX.chgd;X.hidden;
- S> 211 End
-
- For the purposes of this example, features other than MLST have been
- deleted from the output to avoid clutter. The example shows the
- initial default feature output for MLST. The facts requested are
- then changed by the client. The first change shows facts that are
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 53]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- available from the server being selected. Subsequent FEAT output
- shows the altered features as being returned. The client then
- attempts to select some standard features which the server does not
- support.
This is not an error, however the server simply ignores the
- requests for unsupported features, as the FEAT output that follows
- shows. Then, the client attempts to request a non-standard, and
- unsupported, feature. The server ignores that, and selects only the
- supported features requested. Lastly, the client sends a request
- containing a syntax error (spaces cannot appear in the factlist.) The
- server-FTP sends an error response and completely ignores the
- request, leaving the fact set selected as it had been previously.
-
- Note that in all cases, except the error response, the response lists
- the facts that have been selected.
-
- C> Feat
- S> 211- Features supported
- S> MLST Type*;Size*;Modify*;Perm*;Unique*;UNIX.mode;UNIX.chgd;X.hidden;
- S> 211 End
- C> Opts MLST
- S> 201 MLST OPTS
- C> Feat
- S> 211- Features supported
- S> MLST Type;Size;Modify;Perm;Unique;UNIX.mode;UNIX.chgd;X.hidden;
- S> 211 End
- C> MLst tmp
- S> 250- Listing tmp
- S> /tmp
- S> 250 End
- C> OPTS mlst unique;size;
- S> 201 MLST OPTS Size;Unique;
- C> MLst tmp
- S> 250- Listing tmp
- S> Unique=keVO1+YZ5; /tmp
- S> 250 End
- C> OPTS mlst unique;type;modify;
- S> 201 MLST OPTS Type;Modify;Unique;
- C> MLst tmp
- S> 250- Listing tmp
- S> Type=dir;Modify=19990930152225;Unique=keVO1+YZ5; /tmp
- S> 250 End
- C> OPTS mlst fish;cakes;
- S> 201 MLST OPTS
- C> MLst tmp
- S> 250- Listing tmp
- S> /tmp
- S> 250 End
- C> OptS Mlst Modify;Unique;
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 54]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- S> 201 MLST OPTS Modify;Unique;
- C> MLst tmp
- S> 250- Listing tmp
- S> Modify=19990930152225;Unique=keVO1+YZ5; /tmp
- S> 250 End
- C> opts MLst fish cakes;
- S> 501 Invalid MLST options
- C> MLst tmp
- S> 250- Listing tmp
- S> Modify=19990930152225;Unique=keVO1+YZ5; /tmp
- S> 250 End
-
- This example shows the effect of changing the facts requested upon
- subsequent MLST commands.
Notice that a syntax error leaves the set
- of selected facts unchanged. Also notice exactly two spaces
- preceding the pathname when no facts were selected, either
- deliberately, or because none of the facts requested were available.
-
-9. Impact On Other FTP Commands
-
- Along with the introduction of MLST, traditional FTP commands must be
- extended to allow for the use of more than US-ASCII or EBCDIC
- character sets. In general, the support of MLST requires support for
- arbitrary character sets wherever filenames and directory names are
- allowed. This applies equally to both arguments given to the
- following commands and to the replies from them, as appropriate.
-
- CWD
- RETR
- STOR
- STOU
- APPE
- RNFR
- RNTO
- DELE
- RMD
- MKD
- PWD
- STAT
-
- The arguments to all of these commands should be processed the same
- way that MLST commands and responses are processed with respect to
- handling embedded spaces, CRs and NULs. See section 2.2.
-
-
-
-
-
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 55]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
-10. Character sets and Internationalization
-
- FTP commands are protocol elements, and are always expressed in
- ASCII. FTP responses are composed of the numeric code, which is a
- protocol element, and a message, which is often expected to convey
- information to the user. It is not expected that users normally
- interact directly with the protocol elements, rather the user FTP-
- process constructs the commands, and interprets the results, in the
- manner best suited for the particular user. Explanatory text in
- responses generally has no particular meaning to the protocol. The
- numeric codes provide all necessary information. Server-PIs are free
- to provide the text in any language that can be adequately
- represented in ASCII, or where an alternative language and
- representation has been negotiated (see [7]) in that language and
- representation.
-
- Pathnames are expected to be encoded in UTF-8 allowing essentially
- any character to be represented in a pathname. Meaningful pathnames
- are defined by the server NVFS.
-
- No restrictions at all are placed upon the contents of files
- transferred using the FTP protocols. Unless the "media-type" fact is
- provided in a MLSx response nor is any advice given here which would
- allow determining the content type. That information is assumed to
- be obtained via other means.
-
-11. IANA Considerations
-
- This specification makes use of some lists of values currently
- maintained by the IANA, and creates two new lists for the IANA to
- maintain. It does not add any values to any existing registries.
-
- The existing IANA registries used by this specification are modified
- using mechanisms specified elsewhere.
-
-11.1. The OS specific fact registry
-
- A registry of OS specific fact names shall be maintained by the IANA.
- The OS names for the OS portion of the fact name must be taken from
- the IANA's list of registered OS names. To add a fact name to this
- OS specific registry of OS specific facts, an applicant must send to
- the IANA a request, in which is specified the OS name, the OS
- specific fact name, a definition of the syntax of the fact value,
- which must conform to the syntax of a token as given in this
- document, and a specification of the semantics to be associated with
- the particular fact and its values. Upon receipt of such an
- application, and if the combination of OS name and OS specific fact
- name has not been previously defined, the IANA will add the
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 56]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- specification to the registry.
-
- Any examples of OS specific facts found in this document are to be
- treated as examples of possible OS specific facts, and do not form a
- part of the IANA's registry merely because of being included in this
- document.
-
-11.2.
The OS specific filetype registry
-
- A registry of OS specific file types shall be maintained by the IANA.
- The OS names for the OS portion of the fact name must be taken from
- the IANA's list of registered OS names. To add a file type to this
- OS specific registry of OS specific file types, an applicant must
- send to the IANA a request, in which is specified the OS name, the OS
- specific file type, a definition of the syntax of the fact value,
- which must conform to the syntax of a token as given in this
- document, and a specification of the semantics to be associated with
- the particular fact and its values. Upon receipt of such an
- application, and if the combination of OS name and OS specific file
- type has not been previously defined, the IANA will add the
- specification to the registry.
-
- Any examples of OS specific file types found in this document are to
- be treated as potential OS specific file types only, and do not form
- a part of the IANA's registry merely because of being included in
- this document.
-
-12. Security Considerations
-
- This memo does not directly concern security. It is not believed
- that any of the mechanisms documented here impact in any particular
- way upon the security of FTP.
-
- Implementing the SIZE command, and perhaps some of the facts of the
- MDLx commands, may impose a considerable load on the server, which
- could lead to denial of service attacks. Servers have, however,
- implemented this for many years, without significant reported
- difficulties.
-
- With the introduction of virtual hosts to FTP, and the possible
- accompanying multiple authentication environments, server
- implementors will need to take some care to ensure that integrity is
- maintained.
-
- The FEAT and OPTS commands may be issued before the FTP
- authentication has occurred [6]. This allows unauthenticated clients
- to determine which of the features defined here are supported, and to
- negotiate the fact list for MLSx output.
No actual MLSx commands may
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 57]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- be issued however, and no problems with permitting the selection of
- the format prior to authentication are foreseen.
-
- A general discussion of issues related to the security of FTP can be
- found in [14].
-
-13. References
-
- [1] Coded Character Set--7-bit American Standard Code for Information
- Interchange, ANSI X3.4-1986.
-
- [2] Yergeau, F., "UTF-8, a transformation format of Unicode and ISO
- 10646", RFC 2044, October 1996.
-
- [3] Postel, J., Reynolds, J., "File Transfer Protocol (FTP)",
- STD 9, RFC 959, October 1985
-
- [4] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997
-
- [5] Crocker, D., Overell, P., "Augmented BNF for Syntax
- Specifications: ABNF", RFC 2234, November 1997
-
- [6] Hethmon, P., Elz, R., "Feature negotiation mechanism for the
- File Transfer Protocol", RFC 2389, August 1998
-
- [7] Curtin, W., "Internationalization of the File Transfer Protocol",
- RFC 2640, July 1999
-
- [8] Postel, J., Reynolds, J., "Telnet protocol Specification"
- STD 8, RFC 854, May 1983
-
- [9] Braden, R,. "Requirements for Internet Hosts -- Application
- and Support", STD 3, RFC 1123, October 1989
-
- [10] Mockapetris, P., "Domain Names - Concepts and Facilities"
- STD 13, RFC 1034, November 1987
-
- [11] ISO/IEC 10646-1:1993 "Universal multiple-octet coded character set
- (UCS) -- Part 1: Architecture and basic multilingual plane",
- International Standard -- Information Technology, 1993
-
- [12] Internet Assigned Numbers Authority. http://www.iana.org
- Email: iana@iana.org.
-
- [13] Alvestrand, H., "Tags for the Identification of Languages"
- RFC 1766, March 1995
-
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 58]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- [14] Allman, M., Ostermann, S., "FTP Security Considerations"
- RFC 2577, May 1999
-
-Acknowledgments
-
- This document is a product of the FTPEXT working group of the IETF.
-
- The following people are among those who have contributed to this
- document:
-
- Alex Belits
- D. J. Bernstein
- Dave Cridland
- Martin J. Duerst
- Mike Gleason
- Mark Harris
- Alun Jones
- James Matthews
- Luke Mewburn
- Jan Mikkelsen
- Keith Moore
- Buz Owen
- Mark Symons
- Stephen Tihor
- and the entire FTPEXT working group of the IETF.
-
- Apologies are offered to any inadvertently omitted.
-
- Bernhard Rosenkraenzer suggested the HOST command, and initially
- described it.
-
- The description of the modifications to the REST command and the MDTM
- and SIZE commands comes from a set of modifications suggested for
- RFC959 by Rick Adams in 1989. A draft containing just those
- commands, edited by David Borman, has been merged with this document.
-
- Mike Gleason provided access to the FTP server used in some of the
- examples.
-
- All of the examples in this document are taken from actual
- client/server exchanges, though some have been edited for brevity, or
- to meet document formatting requirements.
-
-
-
-
-
-
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 59]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
-Copyright
-
- This document is in the public domain. Any and all copyright
- protection that might apply in any jurisdiction is expressly
- disclaimed.
-
-Editors' Addresses
-
- Robert Elz
- University of Melbourne
- Department of Computer Science
- Parkville, Vic 3052
- Australia
-
- Email: kre@munnari.OZ.AU
-
-
- Paul Hethmon
- Hethmon Brothers
- 2305 Chukar Road
- Knoxville, TN 37923 USA
-
- Phone: +1 423 690 8990
- Email: phethmon@hethmon.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 60]
diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-krb-wg-crypto-03.txt b/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-krb-wg-crypto-03.txt
deleted file mode 100644
index b1bee6fa49..0000000000
--- a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-krb-wg-crypto-03.txt
+++ /dev/null
@@ -1,2690 +0,0 @@
-
-
-
-
-
-
-
-
-
-INTERNET DRAFT K. Raeburn
-Kerberos Working Group MIT
-Document: draft-ietf-krb-wg-crypto-03.txt February 24, 2003
- expires August 24, 2003
-
- Encryption and Checksum Specifications
- for Kerberos 5
-
-Abstract
-
- This document describes a framework for defining encryption and
- checksum mechanisms for use with the Kerberos protocol [Kerb],
- defining an abstraction layer between the Kerberos protocol and
- related protocols, and the actual mechanisms themselves. Several
- mechanisms are also defined in this document. Some are taken from
- RFC 1510, modified in form to fit this new framework, and
- occasionally modified in content when the old specification was
- incorrect. New mechanisms are presented here as well. This document
- does NOT indicate which mechanisms may be considered "required to
- implement".
-
- Comments should be sent to the editor, or to the IETF Kerberos
- working group (ietf-krb-wg@anl.gov).
-
-Status
-
- This document is an Internet-Draft and is in full conformance with
- all provisions of Section 10 of RFC2026 [RFC2026]. Internet-Drafts
- are working documents of the Internet Engineering Task Force (IETF),
- its areas, and its working groups. Note that other groups may also
- distribute working documents as Internet-Drafts. Internet-Drafts are
- draft documents valid for a maximum of six months and may be updated,
- replaced, or obsoleted by other documents at any time. It is
- inappropriate to use Internet-Drafts as reference material or to cite
- them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.html.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
-
-
-
-
-
-
-Raeburn [Page 1]
-
-INTERNET DRAFT February 2003
-
-
- Table of Contents
-
-
-Abstract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
-Status . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . 1
-Table of Contents . . . . . . . . . . . . . . . . . . . . . . . . . 2
-Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
-1. Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
-2. Encryption algorithm profile . . . . . . . . . . . . . . . . . . 4
-3. Checksum algorithm profile . . . . . . . . . . . . . . . . . . . 9
-4. Simplified profile for CBC ciphers with key derivation . . . . . 10
-4.1. A key derivation function . . . . . . . . . . . . . . . . . . . 10
-4.2. Simplified profile parameters . . . . . . . . . . . . . . . . . 12
-4.3. Cryptosystem profile based on simplified profile . . . . . . . 14
-4.4. Checksum profiles based on simplified profile . . . . . . . . . 16
-5. Profiles for Kerberos encryption and checksum algorithms . . . . 16
-5.1. Unkeyed checksums . . . . . . . . . . . . . . . . . . . . . . . 16
-5.2. DES-based encryption and checksum types . . . . . . . . . . . . 18
-5.3. Triple-DES based encryption and checksum types . . . . . . . . 28
-6. Use of Kerberos encryption outside this specification . . . . . . 30
-7. Assigned Numbers . . . . . . . . . . . . . . . . . . . . . . . . 31
-8. Implementation Notes . . . . . . . . . . . . . . . . . . . . . . 32
-9. Security Considerations . . . . . . . . . . . . . . . . . . . . . 33
-10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 34
-11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 35
-12. Editor's address . . . . . . . . . . . . . . . . . . . . . . . . 35
-13. Full Copyright Statement . . . . . . . . . . . . . . . . . . . . 36
-A. Test vectors . . . . . . . . . . . . . . . . . . . . . . . . . . 36
-A.1. n-fold . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
-A.2. mit_des_string_to_key . . . . . . . . . . . . . . . . . . . . . 38
-A.3. DES3 DR and DK . . . . . . . . . . . . . . . . . . . . . . . . 42
-A.4. DES3string_to_key . . . . . . . . . . . . . . . . . . . . . . . 43
-A.5. Modified CRC-32 .
. . . . . . . . . . . . . . . . . . . . . . . 44
-B. Significant Changes from RFC 1510 . . . . . . . . . . . . . . . . 44
-Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
-Normative References . . . . . . . . . . . . . . . . . . . . . . . . 46
-Informative References . . . . . . . . . . . . . . . . . . . . . . . 48
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Raeburn [Page 2]
-
-INTERNET DRAFT February 2003
-
-
-Introduction
-
- The Kerberos protocols are designed to encrypt messages of arbitrary
- sizes, using block encryption ciphers, or less commonly, stream
- encryption ciphers. Encryption is used to prove the identities of
- the network entities participating in message exchanges. However,
- nothing in the Kerberos protocol requires any specific encryption
- algorithm be used, as long as certain operations are available in the
- algorithm that is used.
-
- The following sections specify the encryption and checksum mechanisms
- currently defined for Kerberos, as well as a framework for defining
- future mechanisms. The encoding, chaining, padding and other
- requirements for each are described. Test vectors for several
- functions are given in appendix A.
-
-1. Concepts
-
- Both encryption and checksum mechanisms are defined in terms of
- profiles, detailed in later sections. Each specifies a collection of
- operations and attributes that must be defined for a mechanism. A
- Kerberos encryption or checksum mechanism specification is not
- complete if it does not define all of these operations and
- attributes.
-
- An encryption mechanism must provide for confidentiality and
- integrity of the original plaintext. (Integrity checking may be
- achieved by incorporating a checksum, if the encryption mode does not
- provide an integrity check itself.) It must also provide non-
- malleability [Bellare98, Dolev91]. Use of a random confounder
- prepended to the plaintext is recommended.
It should not be possible
- to determine if two ciphertexts correspond to the same plaintext,
- without knowledge of the key.
-
- A checksum mechanism [1] must provide proof of the integrity of the
- associated message, and must preserve the confidentiality of the
- message in case it is not sent in the clear. It should be infeasible
- to find two plaintexts which have the same checksum. It is NOT
- required that an eavesdropper be unable to determine if two checksums
- are for the same message; it is assumed that the messages themselves
- will be visible to any such eavesdropper.
-
- Due to advances in cryptography, it is considered unwise by some
- cryptographers to use the same key for multiple purposes. Since keys
- are used in performing a number of different functions in Kerberos,
- it is desirable to use different keys for each of these purposes,
- even though we start with a single long-term or session key.
-
-
-
-
-Raeburn [Page 3]
-
-INTERNET DRAFT February 2003
-
-
- We do this by enumerating the different uses of keys within Kerberos,
- and making the "usage number" an input to the encryption or checksum
- mechanisms; this enumeration is outside the scope of this document.
- Later sections of this document define simplified profile templates
- for encryption and checksum mechanisms that use a key derivation
- function applied to a CBC mode (or similar) cipher and a checksum or
- hash algorithm.
-
- We distinguish the "base key" specified by other documents from the
- "specific key" to be used for a particular instance of encryption or
- checksum operations. It is expected but not required that the
- specific key will be one or more separate keys derived from the
- original protocol key and the key usage number. The specific key
- should not be explicitly referenced outside of this document.
The
- typical language used in other documents should be something like,
- "encrypt this octet string using this key and this usage number";
- generation of the specific key and cipher state (described in the
- next section) are implicit. The creation of a new cipher-state
- object, or the re-use of one from a previous encryption operation,
- may also be explicit.
-
- New protocols defined in terms of the Kerberos encryption and
- checksum types should use their own key usage values. Key usages are
- unsigned 32 bit integers; zero is not permitted.
-
- All data is assumed to be in the form of strings of octets or 8-bit
- bytes. Environments with other byte sizes will have to emulate this
- behavior in order to get correct results.
-
- Each algorithm is assigned an encryption type (or "etype") or
- checksum type number, for algorithm identification within the
- Kerberos protocol. The full list of current type number assignments
- is given in section 7.
-
-2. Encryption algorithm profile
-
- An encryption mechanism profile must define the following attributes
- and operations. The operations must be defined as functions in the
- mathematical sense: no additional or implicit inputs (such as
- Kerberos principal names or message sequence numbers) are permitted.
-
- protocol key format
- This describes what octet string values represent valid keys. For
- encryption mechanisms that don't have perfectly dense key spaces,
- this will describe the representation used for encoding keys. It
- need not describe specific values that are not valid or desirable
- for use; such values should be avoid by all key generation
- routines.
-
-
-
-Raeburn [Page 4]
-
-INTERNET DRAFT February 2003
-
-
- specific key structure
- This is not a protocol format at all, but a description of the
- keying material derived from the chosen key and used to encrypt or
- decrypt data or compute or verify a checksum.
It may, for - example, be a single key, a set of keys, or a combination of the - original key with additional data. The authors recommend using - one or more keys derived from the original key via one-way - functions. - - required checksum mechanism - This indicates a checksum mechanism that must be available when - this encryption mechanism is used. Since Kerberos has no built in - mechanism for negotiating checksum mechanisms, once an encryption - mechanism has been decided upon, the corresponding checksum - mechanism can simply be used. - - key-generation seed length, K - This is the length of the random bitstring needed to generate a - key with the encryption scheme's random-to-key function (described - below). This must be a fixed value so that various techniques for - producing a random bitstring of a given length may be used with - key generation functions. - - key generation functions - Keys must be generated in a number of cases, from different types - of inputs. All function specifications must indicate how to - generate keys in the proper wire format, and must avoid generation - of keys that significantly compromise the confidentiality of - encrypted data, if the cryptosystem has such. Entropy from each - source should be preserved as much as possible. Many of the - inputs, while unknown, may be at least partly predictable (e.g., a - password string is likely to be entirely in the ASCII subset and - of fairly short length in many environments; a semi-random string - may include timestamps); the benefit of such predictability to an - attacker must be minimized. - - string-to-key (UTF-8 string, UTF-8 string, opaque)->(protocol-key) - This function generates a key from two UTF-8 strings and an - opaque octet string. One of the strings is normally the - principal's pass phrase, but is in general merely a secret - string. The other string is a "salt" string intended to - produce different keys from the same password for different - users or realms. 
While the strings provided will use UTF-8 - encoding, no specific version of Unicode should be assumed; all - valid UTF-8 strings should be allowed. - - The third argument, the octet string, may be used to pass - mechanism-specific parameters in to this function. Since doing - - - -Raeburn [Page 5] - -INTERNET DRAFT February 2003 - - - so implies knowledge of the specific encryption system, it is - intended that generating non-default parameter values be an - uncommon operation, and that normal Kerberos applications be - able to treat this parameter block as an opaque object supplied - by the KDC or defaulted to some mechanism-specific constant - value. - - This should be a one-way function, so that compromising a - user's key in one realm does not compromise the user's key in - another realm, even if the same password (but a different salt) - is used. - - random-to-key (bitstring[K])->(protocol-key) - This function generates a key from a random bit string of a - specific size. It may be assumed that all the bits of the - input string are equally random, even though the entropy - present in the random source may be limited. - - key-derivation (protocol-key, integer)->(specific-key) - In this function, the integer input is the key usage value as - described above; the usage values must be assumed to be known - to an attacker. The specific-key output value was described in - section 1. - - string-to-key parameter format - This describes the format of the block of data that can be passed - to the string-to-key function above to configure additional - parameters for that function. Along with the mechanism of - encoding parameter values, bounds on the allowed parameters should - also be described to avoid allowing a spoofed KDC to compromise - the user's password. It may be desirable to construct the - encoding such that values weakening the resulting key unacceptably - cannot be encoded, if practical. 
- - Tighter bounds might be permitted by local security policy, or to - avoid excess resource consumption; if so, recommended defaults for - those bounds should be given in the specification. The - description should also outline possible weaknesses that may be - caused by not applying bounds checks or other validation to a - parameter string received from the network. - - As mentioned above, this should be considered opaque to most - normal applications. - - default string-to-key parameters (octet string) - This default value for the "params" argument to the string-to-key - function is to be used when the application protocol (Kerberos or - otherwise) does not explicitly set the parameter value. As - - - -Raeburn [Page 6] - -INTERNET DRAFT February 2003 - - - indicated above, this parameter block should be treated as an - opaque object in most cases. - - cipher state - This describes any information that can be carried over from one - encryption or decryption operation to the next, for use in - conjunction with a given specific key. For example, a block - cipher used in CBC mode may put an initial vector of one block in - the cipher state. Other encryption modes may track nonces or - other data. - - This state must be non-empty, and must influence encryption so as - to require that messages be decrypted in the same order they were - encrypted, if the cipher state is carried over from one encryption - to the next. Distinguishing out-of-order or missing messages from - corrupted messages is not required; if desired, this can be done - at a higher level by including sequence numbers and not "chaining" - the cipher state between encryption operations. - - The cipher state may not be reused in multiple encryption or - decryption operations; these operations all generate a new cipher - state that may be used for following operations using the same key - and operation. 
- - The contents of the cipher state must be treated as opaque outside - of encryption system specifications. - - initial cipher state (specific-key, direction)->(state) - This describes the generation of the initial value for the cipher - state if it is not being carried over from a previous encryption - or decryption operation. - - This describes any initial state setup needed before encrypting - arbitrary amounts of data with a given specific key; the specific - key and the direction of operations to be performed (encrypt - versus decrypt) must be the only input needed for this - initialization. - - This state should be treated as opaque in any uses outside of an - encryption algorithm definition. - - IMPLEMENTATION NOTE: [Kerb1510] was vague on whether and to what - degree an application protocol could exercise control over the - initial vector used in DES CBC operations. Some existing - implementations permit the setting of the initial vector. This - new specification does not permit application control of the - cipher state (beyond "initialize" and "carry over from previous - encryption"), since the form and content of the initial cipher - - - -Raeburn [Page 7] - -INTERNET DRAFT February 2003 - - - state can vary between encryption systems, and may not always be a - single block of random data. - - New Kerberos application protocols should not assume that they can - control the initial vector, or that one even exists. However, a - general-purpose implementation may wish to provide the capability, - in case applications explicitly setting it are encountered. - - encrypt (specific-key, state, octet string)->(state, octet string) - This function takes the specific key, cipher state, and a non- - empty plaintext string as input, and generates ciphertext and a - new cipher state as outputs. 
If the basic encryption algorithm - itself does not provide for integrity protection (as DES in CBC - mode does not do), then some form of MAC or checksum must be - included that can be verified by the receiver. Some random factor - such as a confounder should be included so that an observer cannot - know if two messages contain the same plaintext, even if the - cipher state and specific keys are the same. The exact length of - the plaintext need not be encoded, but if it is not and if padding - is required, the padding must be added at the end of the string so - that the decrypted version may be parsed from the beginning. - - The specification of the encryption function must not only - indicate the precise contents of the output octet string, but also - the output cipher state. The application protocol may carry - forward the output cipher state from one encryption with a given - specific key to another; the effect of this "chaining" must be - defined. [2] - - Assuming correctly-produced values for the specific key and cipher - state, no input octet string may result in an error indication. - - decrypt (specific-key, state, octet string)->(state, octet string) - This function takes the specific key, cipher state, and ciphertext - as inputs, and verifies the integrity of the supplied ciphertext. - If the ciphertext's integrity is intact, this function produces - the plaintext and a new cipher state as outputs; otherwise, an - error indication must be returned, and the data discarded. - - The result of the decryption may be longer than the original - plaintext, for example if the encryption mode adds padding to - reach a multiple of a block size. If this is the case, any extra - octets must be after the decoded plaintext. An application - protocol which needs to know the exact length of the message must - encode a length or recognizable "end of message" marker within the - plaintext. 
[3] - - As with the encryption function, a correct specification for this - - - -Raeburn [Page 8] - -INTERNET DRAFT February 2003 - - - function must indicate not only the contents of the output octet - string, but also the resulting cipher state. - - pseudo-random (protocol-key, octet-string)->(octet-string) - This pseudo-random function should generate an octet string of - some size that independent of the octet string input. The PRF - output string should be suitable for use in key generation, even - if the octet string input is public. It should not reveal the - input key, even if the output is made public. - - These operations and attributes are all that should be required to - support Kerberos and various proposed preauthentication schemes. - - A document defining a new encryption type should also describe known - weaknesses or attacks, so that its security may be fairly assessed, - and should include test vectors or other validation procedures for - the operations defined. Specific references to information readily - available elsewhere are sufficient. - -3. Checksum algorithm profile - - A checksum mechanism profile must define the following attributes and - operations: - - associated encryption algorithm(s) - This indicates the types of encryption keys this checksum - mechanism can be used with. - - A keyed checksum mechanism may have more than one associated - encryption algorithm if they share the same wire key format, - string-to-key function, and key derivation function. (This - combination means that, for example, a checksum type, key usage - value and password are adequate to get the specific key used to - compute a checksum.) - - An unkeyed checksum mechanism can be used in conjunction with any - encryption type, since the key is ignored, but its use must be - limited to cases where the checksum itself is protected, to avoid - trivial attacks. 
- - get_mic function - This function generates a MIC token for a given specific key (see - section 2), and message (represented as an octet string), that may - be used to verify the integrity of the associated message. This - function is not required to return the same deterministic result - on every use; it need only generate a token that the verify_mic - routine can check. - - - - -Raeburn [Page 9] - -INTERNET DRAFT February 2003 - - - The output of this function will also dictate the size of the - checksum. - - verify_mic function - Given a specific key, message, and MIC token, this function - ascertains whether the message integrity has been compromised. - For a deterministic get_mic routine, the corresponding verify_mic - may simply generate another checksum and compare them. - - The get_mic and verify_mic operations must be able to handle inputs - of arbitrary length; if any padding is needed, the padding scheme - must be specified as part of these functions. - - These operations and attributes are all that should be required to - support Kerberos and various proposed preauthentication schemes. - - As with encryption mechanism definition documents, documents defining - new checksum mechanisms should indicate validation processes and - known weaknesses. - -4. Simplified profile for CBC ciphers with key derivation - - The profile outlines in sections 2 and 3 describes a large number of - operations that must be defined for encryption and checksum - algorithms to be used with Kerberos. We describe here a simpler - profile from which both encryption and checksum mechanism definitions - can be generated, filling in uses of key derivation in appropriate - places, providing integrity protection, and defining multiple - operations for the cryptosystem profile based on a smaller set of - operations given in the simplified profile. 
Not all of the existing - cryptosystems for Kerberos fit into this simplified profile, but we - recommend that future cryptosystems use it or something based on it. - [4] - - Not all of the operations in the complete profiles are defined - through this mechanism; several must still be defined for each new - algorithm pair. - -4.1. A key derivation function - - Rather than define some scheme by which a "protocol key" is composed - of a large number of encryption keys, we use keys derived from a base - key to perform cryptographic operations. The base key must be used - only for generating the derived keys, and this derivation must be - non-invertible and entropy-preserving. Given these restrictions, - compromise of one derived key does not compromise the other subkeys. - Attack of the base key is limited, since it is only used for - derivation, and is not exposed to any user data. - - - -Raeburn [Page 10] - -INTERNET DRAFT February 2003 - - - Since the derived key has as much entropy as the base keys (if the - cryptosystem is good), password-derived keys have the full benefit of - all the entropy in the password. - - To generate a derived key from a base key, we generate a pseudorandom - octet string, using an algorithm DR described below, and generate a - key from that octet string using a function dependent on the - encryption algorithm; the input length needed for that function, - which is also dependent on the encryption algorithm, dictates the - length of the string to be generated by the DR algorithm (the value - "k" below). These procedures are based on the key derivation in - [Blumenthal96]. - - Derived Key = DK(Base Key, Well-Known Constant) - - DK(Key, Constant) = random-to-key(DR(Key, Constant)) - - DR(Key, Constant) = k-truncate(E(Key, Constant, - initial-cipher-state)) - - Here DR is the random-octet generation function described below, and - DK is the key-derivation function produced from it. 
In this - construction, E(Key, Plaintext, CipherState) is a cipher, Constant is - a well-known constant determined by the specific usage of this - function, and k-truncate truncates its argument by taking the first k - bits. Here, k is the key generation seed length needed for the - encryption system. - - The output of the DR function is a string of bits; the actual key is - produced by applying the cryptosystem's random-to-key operation on - this bitstring. - - If the Constant is smaller than the cipher block size of E, then it - must be expanded with n-fold() so it can be encrypted. If the output - of E is shorter than k bits it is fed back into the encryption as - many times as necessary. The construct is as follows (where | - indicates concatentation): - - K1 = E(Key, n-fold(Constant), initial-cipher-state) - K2 = E(Key, K1, initial-cipher-state) - K3 = E(Key, K2, initial-cipher-state) - K4 = ... - - DR(Key, Constant) = k-truncate(K1 | K2 | K3 | K4 ...) - - n-fold is an algorithm which takes m input bits and ``stretches'' - them to form n output bits with equal contribution from each input - bit to the output, as described in [Blumenthal96]: - - - -Raeburn [Page 11] - -INTERNET DRAFT February 2003 - - - We first define a primitive called n-folding, which takes a - variable-length input block and produces a fixed-length output - sequence. The intent is to give each input bit approximately - equal weight in determining the value of each output bit. Note - that whenever we need to treat a string of octets as a number, the - assumed representation is Big-Endian -- Most Significant Byte - first. - - To n-fold a number X, replicate the input value to a length that - is the least common multiple of n and the length of X. Before - each repetition, the input is rotated to the right by 13 bit - positions. The successive n-bit chunks are added together using - 1's-complement addition (that is, with end-around carry) to yield - a n-bit result.... 
- - - Test vectors for n-fold are supplied in Appendix A. [5] - - In this section, n-fold is always used to produce c bits of output, - where c is the cipher block size of E. - - The size of the Constant must not be larger than c, because reducing - the length of the Constant by n-folding can cause collisions. - - If the size of the Constant is smaller than c, then the Constant must - be n-folded to length c. This string is used as input to E. If the - block size of E is less than the random-to-key input size, then the - output from E is taken as input to a second invocation of E. This - process is repeated until the number of bits accumulated is greater - than or equal to the random-to-key input size. When enough bits have - been computed, the first k are taken as the random data used to - create the key with the algorithm-dependent random-to-key function. - - Since the derived key is the result of one or more encryptions in the - base key, deriving the base key from the derived key is equivalent to - determining the key from a very small number of plaintext/ciphertext - pairs. Thus, this construction is as strong as the cryptosystem - itself. - -4.2. Simplified profile parameters - - These are the operations and attributes that must be defined: - - - - - - - - - -Raeburn [Page 12] - -INTERNET DRAFT February 2003 - - - protocol key format - string-to-key function - default string-to-key parameters - key-generation seed length, k - random-to-key function - As above for the normal encryption mechanism profile. - - unkeyed hash algorithm, H - This should be a collision-resistant hash algorithm with fixed- - size output, suitable for use in an HMAC [HMAC]. It must support - inputs of arbitrary length. Its output must be at least the - message block size (below). - - HMAC output size, h - This indicates the size of the leading substring output by the - HMAC function that should be used in transmitted messages. 
It - should be at least half the output size of the hash function H, - and at least 80 bits; it need not match the output size. - - message block size, m - This is the size of the smallest units the cipher can handle in - the mode in which it is being used. Messages will be padded to a - multiple of this size. If a block cipher is used in a mode that - can handle messages that are not multiples of the cipher block - size, such as CBC mode with cipher text stealing (CTS, see [RC5]), - this value would be one octet. For traditional CBC mode with - padding, it will be the underlying cipher's block size. - - This value must be a multiple of 8 bits (one octet). - - encryption/decryption functions, E and D - These are basic encryption and decryption functions for messages - of sizes that are multiples of the message block size. No - integrity checking or confounder should be included here. These - functions take as input the IV or similar data, a protocol-format - key, and a octet string, returning a new IV and octet string. - - The encryption function is not required to use CBC mode, but is - assumed to be using something with similar properties. In - particular, prepending a cipher-block-size confounder to the - plaintext should alter the entire ciphertext (comparable to - choosing and including a random initial vector for CBC mode). - - The result of encrypting one cipher block (of size c, above) must - be deterministic, for the random octet generation function DR in - the previous section to work. For best security, it should also - be no larger than c. - - - - -Raeburn [Page 13] - -INTERNET DRAFT February 2003 - - - cipher block size, c - This is the block size of the block cipher underlying the - encryption and decryption functions indicated above, used for key - derivation and for the size of the message confounder and initial - vector. (If a block cipher is not in use, some comparable - parameter should be determined.) It must be at least 5 octets. 
- - This is not actually an independent parameter; rather, it is a - property of the functions E and D. It is listed here to clarify - the distinction between it and the message block size, m. - - While there are still a number of properties to specify, they are - fewer and simpler than in the full profile. - -4.3. Cryptosystem profile based on simplified profile - - The above key derivation function is used to produce three - intermediate keys. One is used for computing checksums of - unencrypted data. The other two are used for encrypting and - checksumming plaintext to be sent encrypted. - - The ciphertext output is the concatenation of the output of the basic - encryption function E and a (possibly truncated) HMAC using the - specified hash function H, both applied to the plaintext with a - random confounder prefix and sufficient padding to bring it to a - multiple of the message block size. When the HMAC is computed, the - key is used in the protocol key form. - - Decryption is performed by removing the (partial) HMAC, decrypting - the remainder, and verifying the HMAC. The cipher state is an - initial vector, initialized to zero. - - The substring notation "[1..h]" in the following table should be read - as using 1-based indexing; leading substrings are used. - - - cryptosystem from simplified profile ----------------------------------------------------------------------------- -protocol key format As given. - -specific key structure Three protocol-format keys: { Kc, Ke, Ki }. - -key-generation seed As given. -length - -required checksum As defined below in section 4.4. 
-mechanism - - - - -Raeburn [Page 14] - -INTERNET DRAFT February 2003 - - - cryptosystem from simplified profile ----------------------------------------------------------------------------- - -cipher state initial vector (usually of length c) - -initial cipher state all bits zero - -encryption function conf = random string of length c - pad = shortest string to bring confounder - and plaintext to a length that's a - multiple of m - C1 = E(Ke, conf | plaintext | pad, - oldstate.ivec) - H1 = HMAC(Ki, conf | plaintext | pad) - ciphertext = C1 | H1[1..h] - newstate.ivec = last c of C1 - -decryption function (C1,H1) = ciphertext - P1 = D(Ke, C1, oldstate.ivec) - if (H1 != HMAC(Ki, P1)[1..h]) - report error - newstate.ivec = last c of C1 - -default string-to-key As given. -params - -pseudo-random function tmp1 = H(octet-string) - tmp2 = truncate tmp1 to multiple of m - PRF = E(protocol-key, tmp2, initial-cipher-state) - -key generation functions: - -string-to-key function As given. - -random-to-key function As given. - -key-derivation function The "well-known constant" used for the DK - function is the key usage number, expressed as - four octets in big-endian order, followed by one - octet indicated below. - - Kc = DK(base-key, usage | 0x99); - Ke = DK(base-key, usage | 0xAA); - Ki = DK(base-key, usage | 0x55); - - - - - - - -Raeburn [Page 15] - -INTERNET DRAFT February 2003 - - -4.4. Checksum profiles based on simplified profile - - When an encryption system is defined using the simplified profile - given in section 4.2, a checksum algorithm may be defined for it as - follows: - - - checksum mechanism from simplified profile - -------------------------------------------------- - associated cryptosystem as defined above - - get_mic HMAC(Kc, message)[1..h] - - verify_mic get_mic and compare - - The HMAC function and key Kc are as described in section 4.3. - -5. 
Profiles for Kerberos encryption and checksum algorithms - - These profiles describe the encryption and checksum systems defined - for Kerberos. The astute reader will notice that some of them do not - fulfull all of the requirements outlined in previous sections. These - systems are defined for backward compatibility; newer implementations - should (whenever possible) attempt to make use of encryption systems - which satisfy all of the profile requirements. - - The full list of current encryption and checksum type number - assignments, including values currently reserved but not defined in - this document, is given in section 7. - -5.1. Unkeyed checksums - - These checksum types use no encryption keys, and thus can be used in - combination with any encryption type, but may only be used with - caution, in limited circumstances where the lack of a key does not - provide a window for an attack, preferably as part of an encrypted - message. [6] Keyed checksum algorithms are recommended. - -5.1.1. The RSA MD5 Checksum - - The RSA-MD5 checksum calculates a checksum using the RSA MD5 - algorithm [MD5-92]. The algorithm takes as input an input message of - arbitrary length and produces as output a 128-bit (16 octet) - - - - - - - - -Raeburn [Page 16] - -INTERNET DRAFT February 2003 - - - checksum. RSA-MD5 is believed to be collision-proof. - - rsa-md5 - ---------------------------------------------- - associated cryptosystem any - - get_mic rsa-md5(msg) - - verify_mic get_mic and compare - - The rsa-md5 checksum algorithm is assigned a checksum type number of - seven (7). - -5.1.2. The RSA MD4 Checksum - - The RSA-MD4 checksum calculates a checksum using the RSA MD4 - algorithm [MD4-92]. The algorithm takes as input an input message of - arbitrary length and produces as output a 128-bit (16 octet) - checksum. RSA-MD4 is believed to be collision-proof. 
- - - rsa-md4 - ---------------------------------------------- - associated cryptosystem any - - get_mic md4(msg) - - verify_mic get_mic and compare - - - The rsa-md4 checksum algorithm is assigned a checksum type number of - two (2). - -5.1.3. CRC-32 Checksum - - This CRC-32 checksum calculates a checksum based on a cyclic - redundancy check as described in ISO 3309 [CRC], modified as - described below. The resulting checksum is four (4) octets in - length. The CRC-32 is neither keyed nor collision-proof; thus, the - use of this checksum is not recommended. An attacker using a - probabilistic chosen-plaintext attack as described in [SG92] might be - able to generate an alternative message that satisfies the checksum. - - The CRC-32 checksum used in the des-cbc-crc encryption mode is - identical to the 32-bit FCS described in ISO 3309 with two - exceptions: the sum with the all-ones polynomial times x**k is - omitted, and the final remainder is not ones-complemented. ISO 3309 - describes the FCS in terms of bits, while this document describes the - - - -Raeburn [Page 17] - -INTERNET DRAFT February 2003 - - - Kerberos protocol in terms of octets. To disambiguate the ISO 3309 - definition for the purpose of computing the CRC-32 in the des-cbc-crc - encryption mode, the ordering of bits in each octet shall be assumed - to be LSB-first. Given this assumed ordering of bits within an - octet, the mapping of bits to polynomial coefficients shall be - identical to that specified in ISO 3309. - - Test values for this modified CRC function are included in appendix - A.5. - - - crc32 - ---------------------------------------------- - associated cryptosystem any - - get_mic crc32(msg) - - verify_mic get_mic and compare - - - The crc32 checksum algorithm is assigned a checksum type number of - one (1). - -5.2. 
DES-based encryption and checksum types - - These encryption systems encrypt information under the Data - Encryption Standard [DES77] using the cipher block chaining mode - [DESM80]. A checksum is computed as described below and placed in - the cksum field. DES blocks are 8 bytes. As a result, the data to - be encrypted (the concatenation of confounder, checksum, and message) - must be padded to an 8 byte boundary before encryption. The values - of the padding bytes are unspecified. - - Plaintext and DES ciphertext are encoded as blocks of 8 octets which - are concatenated to make the 64-bit inputs for the DES algorithms. - The first octet supplies the 8 most significant bits (with the - octet's MSB used as the DES input block's MSB, etc.), the second - octet the next 8 bits, ..., and the eighth octet supplies the 8 least - significant bits. - - Encryption under DES using cipher block chaining requires an - additional input in the form of an initialization vector; this vector - is specified for each encryption system, below. - - The DES specifications [DESI81] identify four 'weak' and twelve - 'semi-weak' keys; those keys shall not be used for encrypting - messages for use in Kerberos. - - - - -Raeburn [Page 18] - -INTERNET DRAFT February 2003 - - - A DES key is 8 octets of data. This consists of 56 bits of actual - key data, and 8 parity bits, one per octet. The key is encoded as a - series of 8 octets written in MSB-first order. The bits within the - key are also encoded in MSB order. For example, if the encryption - key is (B1,B2,...,B7,P1,B8,...,B14,P2,B15,...,B49,P7,B50,...,B56,P8) - where B1,B2,...,B56 are the key bits in MSB order, and P1,P2,...,P8 - are the parity bits, the first octet of the key would be - B1,B2,...,B7,P1 (with B1 as the most significant bit). See the - [DESM80] introduction for reference. 
- - Encryption data format - - The format for the data to be encrypted includes a one-block - confounder, a checksum, the encoded plaintext, and any necessary - padding, as described in the following diagram. The msg-seq field - contains the part of the protocol message which is to be encrypted. - - +-----------+----------+---------+-----+ - |confounder | checksum | msg-seq | pad | - +-----------+----------+---------+-----+ - - One generates a random confounder of one block, placing it in - 'confounder'; zeroes out the 'checksum' field (of length appropriate - to exactly hold the checksum to be computed); calculates the - appropriate checksum over the whole sequence, placing the result in - 'checksum'; adds the necessary padding; then encrypts using the - specified encryption type and the appropriate key. - - String or random-data to key transformation - - To generate a DES key from two UTF-8 text strings (password and - salt), the two strings are concatenated, password first, and the - result is then padded with zero-valued octets to a multiple of 8 - octets. - - The top bit of each octet (always zero if the password is plain - ASCII, as was assumed when the original specification was written) is - discarded, and a bitstring is formed of the remaining seven bits of - each octet. This bitstring is then fan-folded and eXclusive-ORed - with itself to produce a 56-bit string. An eight-octet key is formed - from this string, each octet using seven bits from the bit string, - leaving the least significant bit unassigned. The key is then - "corrected" by correcting the parity on the key, and if the key - matches a 'weak' or 'semi-weak' key as described in the DES - specification, it is eXclusive-ORed with the constant - 0x00000000000000F0. This key is then used to generate a DES CBC - checksum on the initial string with the salt appended. 
The result of
- the CBC checksum is then "corrected" as described above to form the
-
-
-
-Raeburn [Page 19]
-
-INTERNET DRAFT February 2003
-
-
- result which is returned as the key.
-
- For purposes of the string-to-key function, the DES CBC checksum is
- calculated by CBC encrypting a string using the key as IV and using
- the final 8 byte block as the checksum.
-
- Pseudocode follows:
-
- removeMSBits(8byteblock) {
- /* Treats a 64 bit block as 8 octets and remove the MSB in
- each octect (in big endian mode) and concatenates the
- result. E.g., input octet string:
- 01110000 01100001 11110011 01110011 11110111 01101111
- 11110010 01100100
- results in output bit string:
- 1110000 1100001 1110011 1110011 1110111 1101111
- 1110010 1100100 */
- }
-
- reverse(56bitblock) {
- /* Treats a 56-bit block as a binary string and reverse it.
- E.g., input string:
- 1000001 1010100 1001000 1000101 1001110 1000001
- 0101110 1001101
- results in output string:
- 1011001 0111010 1000001 0111001 1010001 0001001
- 0010101 1000001 */
- }
-
- add_parity_bits(56bitblock) {
- /* Copies a 56-bit block into a 64-bit block, left shift
- content in each octet and add DES parity bit.
- E.g., input string:
- 1100000 0001111 0011100 0110100 1000101 1100100
- 0110110 0010111
- results in output string:
- 11000001 00011111 00111000 01101000 10001010 11001000
- 01101101 00101111 */
- }
-
- key_correction(key) {
- fixparity(key);
- if (is_weak_key(key))
- key = key XOR 0xF0;
- return(key);
- }
-
-
-
-
-
-Raeburn [Page 20]
-
-INTERNET DRAFT February 2003
-
-
- mit_des_string_to_key(string,salt) {
- odd = 1;
- s = string | salt;
- tempstring = 0; /* 56-bit string */
- pad(s); /* with nulls to 8 byte boundary */
- for (8byteblock in s) {
- 56bitstring = removeMSBits(8byteblock);
- if (odd == 0) reverse(56bitstring);
- odd = !
odd;
- tempstring = tempstring XOR 56bitstring;
- }
- tempkey = key_correction(add_parity_bits(tempstring));
- key = key_correction(DES-CBC-check(s,tempkey));
- return(key);
- }
-
- des_string_to_key(string,salt,params) {
- if (length(params) == 0)
- type = 0;
- else if (length(params) == 1)
- type = params[0];
- else
- error("invalid params");
- if (type == 0)
- mit_des_string_to_key(string,salt);
- else
- error("invalid params");
- }
-
- One common extension is to support the "AFS string-to-key" algorithm,
- which is not defined here, if the type value above is one (1).
-
- For generation of a key from a random bit-string, we start with a
- 56-bit string, and as with the string-to-key operation above, insert
- parity bits, and if the result is a weak or semi-weak key, modify it
- by exclusive-OR with the constart 0x00000000000000F0:
-
- des_random_to_key(bitstring) {
- return key_correction(add_parity_bits(bitstring));
- }
-
-5.2.1. DES with MD5
-
- The des-cbc-md5 encryption mode encrypts information under DES in CBC
- mode with an all-zero initial vector, with an MD5 checksum (described
- in [MD5-92]) computed and placed in the checksum field.
-
-
-
-
-
-Raeburn [Page 21]
-
-INTERNET DRAFT February 2003
-
-
- The encryption system parameters for des-cbc-md5 are:
-
- des-cbc-md5
- --------------------------------------------------------------------
- protocol key format 8 bytes, parity in low bit of each
-
- specific key structure copy of original key
-
- required checksum rsa-md5-des
- mechanism
-
- key-generation seed 8 bytes
- length
-
- cipher state 8 bytes (CBC initial vector)
-
- initial cipher state all-zero
-
- encryption function des-cbc(confounder | checksum | msg | pad,
- ivec=oldstate)
- where
- checksum = md5(confounder | 0000...
- | msg | pad)
-
- newstate = last block of des-cbc output
-
- decryption function decrypt encrypted text and verify checksum
-
- newstate = last block of ciphertext
-
- default string-to-key empty string
- params
-
- pseudo-random function des-cbc(md5(input-string), ivec=0)
-
- key generation functions:
-
- string-to-key des_string_to_key
-
- random-to-key des_random_to_key
-
- key-derivation identity
-
- The des-cbc-md5 encryption type is assigned the etype value three
- (3).
-
-
-
-
-
-
-Raeburn [Page 22]
-
-INTERNET DRAFT February 2003
-
-
-5.2.2. DES with MD4
-
- The des-cbc-md4 encryption mode also encrypts information under DES
- in CBC mode, with an all-zero initial vector. An MD4 checksum
- (described in [MD4-92]) is computed and placed in the checksum field.
-
- des-cbc-md4
- --------------------------------------------------------------------
- protocol key format 8 bytes, parity in low bit of each
-
- specific key structure copy of original key
-
- required checksum rsa-md4-des
- mechanism
-
- key-generation seed 8 bytes
- length
-
- cipher state 8 bytes (CBC initial vector)
-
- initial cipher state all-zero
-
- encryption function des-cbc(confounder | checksum | msg | pad,
- ivec=oldstate)
- where
- checksum = md4(confounder | 0000...
- | msg | pad)
-
- newstate = last block of des-cbc output
-
- decryption function decrypt encrypted text and verify checksum
-
- newstate = last block of ciphertext
-
- default string-to-key empty string
- params
-
- pseudo-random function des-cbc(md5(input-string), ivec=0)
-
- key generation functions:
-
- string-to-key des_string_to_key
-
- random-to-key copy input, then fix parity bits
-
- key-derivation identity
-
-
-
-
-
-Raeburn [Page 23]
-
-INTERNET DRAFT February 2003
-
-
- Note that des-cbc-md4 uses md5, not md4, in the PRF definition.
-
- The des-cbc-md4 encryption algorithm is assigned the etype value two
- (2).
-
-5.2.3.
DES with CRC
-
- The des-cbc-crc encryption type uses DES in CBC mode with the key
- used as the initialization vector, with a 4-octet CRC-based checksum
- computed as described in section 5.1.3. Note that this is not a
- standard CRC-32 checksum, but a slightly modified one.
-
-
- des-cbc-crc
- --------------------------------------------------------------------
- protocol key format 8 bytes, parity in low bit of each
-
- specific key structure copy of original key
-
- required checksum rsa-md5-des
- mechanism
-
- key-generation seed 8 bytes
- length
-
- cipher state 8 bytes (CBC initial vector)
-
- initial cipher state copy of original key
-
- encryption function des-cbc(confounder | checksum | msg | pad,
- ivec=oldstate)
- where
- checksum = crc(confounder | 00000000
- | msg | pad)
-
- newstate = last block of des-cbc output
-
- decryption function decrypt encrypted text and verify checksum
-
- newstate = last block of ciphertext
-
- default string-to-key empty string
- params
-
- pseudo-random function des-cbc(md5(input-string), ivec=0)
-
- key generation functions:
-
-
-
-
-Raeburn [Page 24]
-
-INTERNET DRAFT February 2003
-
-
- des-cbc-crc
- --------------------------------------------------------------------
-
- string-to-key des_string_to_key
-
- random-to-key copy input, then fix parity bits
-
- key-derivation identity
-
- The des-cbc-crc encryption algorithm is assigned the etype value one
- (1).
-
-5.2.4. RSA MD5 Cryptographic Checksum Using DES
-
- The RSA-MD5-DES checksum calculates a keyed collision-proof checksum
- by prepending an 8 octet confounder before the text, applying the RSA
- MD5 checksum algorithm, and encrypting the confounder and the
- checksum using DES in cipher-block-chaining (CBC) mode using a
- variant of the key, where the variant is computed by eXclusive-ORing
- the key with the hexadecimal constant 0xF0F0F0F0F0F0F0F0. The
- initialization vector should be zero. The resulting checksum is 24
- octets long.
This checksum is tamper-proof and believed to be
- collision-proof.
-
- The DES specifications identify some 'weak keys' and 'semi-weak
- keys'; those keys shall not be used for encrypting RSA-MD5 checksums
- for use in Kerberos.
-
-
- rsa-md5-des
- ----------------------------------------------------------------
- associated cryptosystem des-cbc-md5, des-cbc-md4, des-cbc-crc
-
- get_mic des-cbc(key XOR 0xF0F0F0F0F0F0F0F0,
- conf | rsa-md5(conf | msg))
-
- verify_mic decrypt and verify rsa-md5 checksum
-
-
- The rsa-md5-des checksum algorithm is assigned a checksum type number
- of eight (8).
-
-5.2.5. RSA MD4 Cryptographic Checksum Using DES
-
- The RSA-MD4-DES checksum calculates a keyed collision-proof checksum
- by prepending an 8 octet confounder before the text, applying the RSA
- MD4 checksum algorithm [MD4-92], and encrypting the confounder and
- the checksum using DES in cipher-block-chaining (CBC) mode using a
-
-
-
-Raeburn [Page 25]
-
-INTERNET DRAFT February 2003
-
-
- variant of the key, where the variant is computed by eXclusive-ORing
- the key with the constant 0xF0F0F0F0F0F0F0F0. [7] The initialization
- vector should be zero. The resulting checksum is 24 octets long.
- This checksum is tamper-proof and believed to be collision-proof.
-
- The DES specifications identify some "weak keys" and "semi-weak
- keys"; those keys shall not be used for generating RSA-MD4 checksums
- for use in Kerberos.
-
- rsa-md4-des
- ----------------------------------------------------------------
- associated cryptosystem des-cbc-md5, des-cbc-md4, des-cbc-crc
-
- get_mic des-cbc(key XOR 0xF0F0F0F0F0F0F0F0,
- conf | rsa-md4(conf | msg),
- ivec=0)
-
- verify_mic decrypt and verify rsa-md4 checksum
-
- The rsa-md4-des checksum algorithm is assigned a checksum type number
- of three (3).
-
-5.2.6.
RSA MD4 Cryptographic Checksum Using DES alternative
-
- The RSA-MD4-DES-K checksum calculates a keyed collision-proof
- checksum by applying the RSA MD4 checksum algorithm and encrypting
- the results using DES in cipher block chaining (CBC) mode using a DES
- key as both key and initialization vector. The resulting checksum is
- 16 octets long. This checksum is tamper-proof and believed to be
- collision-proof. Note that this checksum type is the old method for
- encoding the RSA-MD4-DES checksum and it is no longer recommended.
-
-
- rsa-md4-des-k
- ----------------------------------------------------------------
- associated cryptosystem des-cbc-md5, des-cbc-md4, des-cbc-crc
-
- get_mic des-cbc(key, md4(msg), ivec=key)
-
- verify_mic decrypt, compute checksum and compare
-
-
- The rsa-md4-des-k checksum algorithm is assigned a checksum type
- number of six (6).
-
-
-
-
-
-
-
-Raeburn [Page 26]
-
-INTERNET DRAFT February 2003
-
-
-5.2.7. DES CBC checksum
-
- The DES-MAC checksum is computed by prepending an 8 octet confounder
- to the plaintext, padding with zero-valued octets if necessary to
- bring the length to a multiple of 8 octets, performing a DES CBC-mode
- encryption on the result using the key and an initialization vector
- of zero, taking the last block of the ciphertext, prepending the same
- confounder and encrypting the pair using DES in cipher-block-chaining
- (CBC) mode using a variant of the key, where the variant is computed
- by eXclusive-ORing the key with the constant 0xF0F0F0F0F0F0F0F0. The
- initialization vector should be zero. The resulting checksum is 128
- bits (16 octets) long, 64 bits of which are redundant. This checksum
- is tamper-proof and collision-proof.
-
-
- des-mac
- ----------------------------------------------------------------------
- associated des-cbc-md5, des-cbc-md4, des-cbc-crc
- cryptosystem
-
- get_mic des-cbc(key XOR 0xF0F0F0F0F0F0F0F0,
- conf | des-mac(key, conf | msg | pad, ivec=0),
- ivec=0)
-
- verify_mic decrypt, compute DES MAC using confounder, compare
-
-
- The des-mac checksum algorithm is assigned a checksum type number of
- four (4).
-
-5.2.8. DES CBC checksum alternative
-
- The DES-MAC-K checksum is computed by performing a DES CBC-mode
- encryption of the plaintext, with zero-valued padding bytes if
- necessary to bring the length to a multiple of 8 octets, and using
- the last block of the ciphertext as the checksum value. It is keyed
- with an encryption key which is also used as the initialization
- vector. The resulting checksum is 64 bits (8 octets) long. This
- checksum is tamper-proof and collision-proof. Note that this
- checksum type is the old method for encoding the DESMAC checksum and
- it is no longer recommended.
-
-
-
-
-
-
-
-
-
-
-Raeburn [Page 27]
-
-INTERNET DRAFT February 2003
-
-
- des-mac-k
- ----------------------------------------------------------------
- associated cryptosystem des-cbc-md5, des-cbc-md4, des-cbc-crc
-
- get_mic des-mac(key, msg | pad, ivec=key)
-
- verify_mic compute MAC and compare
-
-
- The des-mac-k checksum algorithm is assigned a checksum type number
- of five (5).
-
-5.3. Triple-DES based encryption and checksum types
-
- This encryption and checksum type pair is based on the Triple DES
- cryptosystem in Outer-CBC mode, and the HMAC-SHA1 message
- authentication algorithm.
-
- A Triple DES key is the concatenation of three DES keys as described
- above for des-cbc-md5. A Triple DES key is generated from random
- data by creating three DES keys from separate sequences of random
- data.
-
- Encrypted data using this type must be generated as described in
- section 4.3.
If the length of the input data is not a multiple of
- the block size, zero-valued octets must be used to pad the plaintext
- to the next eight-octet boundary. The confounder must be eight
- random octets (one block).
-
- The simplified profile for Triple DES, with key derivation as defined
- in section 4, is as follows:
-
- des3-cbc-hmac-sha1-kd, hmac-sha1-des3-kd
- ------------------------------------------------
- protocol key format 24 bytes, parity in low
- bit of each
-
- key-generation seed 21 bytes
- length
-
- hash function SHA-1
-
- HMAC output size 160 bits
-
- message block size 8 bytes
-
-
-
-
-
-
-Raeburn [Page 28]
-
-INTERNET DRAFT February 2003
-
-
- des3-cbc-hmac-sha1-kd, hmac-sha1-des3-kd
- ------------------------------------------------
- default string-to-key empty string
- params
-
- encryption and triple-DES encrypt and
- decryption functions decrypt, in outer-CBC
- mode (cipher block size
- 8 octets)
-
- key generation functions:
-
- random-to-key DES3random-to-key (see
- below)
-
- string-to-key DES3string-to-key (see
- below)
-
- The des3-cbc-hmac-sha1-kd encryption type is assigned the value
- sixteen (16). The hmac-sha1-des3-kd checksum algorithm is assigned a
- checksum type number of twelve (12).
-
-5.3.1. Triple DES Key Production (random-to-key, string-to-key)
-
- The 168 bits of random key data are converted to a protocol key value
- as follows. First, the 168 bits are divided into three groups of 56
- bits, which are expanded individually into 64 bits as follows:
-
- DES3random-to-key:
- 1 2 3 4 5 6 7 p
- 9 10 11 12 13 14 15 p
- 17 18 19 20 21 22 23 p
- 25 26 27 28 29 30 31 p
- 33 34 35 36 37 38 39 p
- 41 42 43 44 45 46 47 p
- 49 50 51 52 53 54 55 p
- 56 48 40 32 24 16 8 p
-
- The "p" bits are parity bits computed over the data bits. The output
- of the three expansions are concatenated to form the protocol key
- value.
-
- The string-to-key function is used to transform UTF-8 passwords into
- DES3 keys.
The DES3 string-to-key function relies on the "N-fold"
- algorithm and DK function, described in section 4.
-
- The n-fold algorithm is applied to the password string concatenated
- with a salt value. For 3-key triple DES, the operation will involve
-
-
-
-Raeburn [Page 29]
-
-INTERNET DRAFT February 2003
-
-
- a 168-fold of the input password string, to generate an intermediate
- key, from which the user's long-term key will be derived with the DK
- function. The DES3 string-to-key function is shown here in
- pseudocode:
-
- DES3string-to-key(passwordString, salt, params)
- if (params != emptyString)
- error("invalid params");
- s = passwordString + salt
- tmpKey = random-to-key(168-fold(s))
- key = DK (tmpKey, KerberosConstant)
-
- No weak-key checking is performed. The KerberosConstant value is the
- byte string {0x6b 0x65 0x72 0x62 0x65 0x72 0x6f 0x73}. These values
- correspond to the ASCII encoding for the string "kerberos".
-
-6. Use of Kerberos encryption outside this specification
-
- Several Kerberos-based application protocols and preauthentication
- systems have been designed and deployed that perform encryption and
- message integrity checks in various ways. While in some cases there
- may be good reason for specifying these protocols in terms of
- specific encryption or checksum algorithms, we anticipate that in
- many cases this will not be true, and more generic approaches
- independent of particular algorithms will be desirable. Rather than
- having each protocol designer reinvent schemes for protecting data,
- using multiple keys, etc, we have attempted to present in this
- section a general framework that should be sufficient not only for
- the Kerberos protocol itself but also for many preauthentication
- systems and application protocols, while trying to avoid some of the
- assumptions that can work their way into such protocol designs.
-
- Some problematic assumptions we've seen (and sometimes made) include:
- that a random bitstring is always valid as a key (not true for DES
- keys with parity); that the basic block encryption chaining mode
- provides no integrity checking, or can easily be separated from such
- checking (not true for many modes in development that do both
- simultaneously); that a checksum for a message always results in the
- same value (not true if a confounder is incorporated); that an
- initial vector is used (may not be true if a block cipher in CBC mode
- is not in use).
-
- Such assumptions, while they may hold for any given set of encryption
- and checksum algorithms, may not be true of the next algorithms to be
- defined, leaving the application protocol unable to make use of those
- algorithms without updates to its specification.
-
- The Kerberos protocol uses only the attributes and operations
-
-
-
-Raeburn [Page 30]
-
-INTERNET DRAFT February 2003
-
-
- described in sections 2 and 3. Preauthentication systems and
- application protocols making use of Kerberos are encouraged to use
- them as well. The specific key and string-to-key parameters should
- generally be treated as opaque. While the string-to-key parameters
- are manipulated as an octet string, the representation for the
- specific key structure is implementation-defined; it may not even be
- a single object.
-
- While we don't recommend it, some application protocols will
- undoubtedly continue to use the key data directly, even if only in
- some of the currently existing protocol specifications. An
- implementation intended to support general Kerberos applications may
- therefore need to make the key data available, as well as the
- attributes and operations described in sections 2 and 3. [8]
-
-7. Assigned Numbers
-
- The following encryption type numbers are already assigned or
- reserved for use in Kerberos and related protocols.
-
-
- encryption type etype section or comment
- -----------------------------------------------------------------
- des-cbc-crc 1 5.2.3
- des-cbc-md4 2 5.2.2
- des-cbc-md5 3 5.2.1
- [reserved] 4
- des3-cbc-md5 5
- [reserved] 6
- des3-cbc-sha1 7
- dsaWithSHA1-CmsOID 9 (pkinit)
- md5WithRSAEncryption-CmsOID 10 (pkinit)
- sha1WithRSAEncryption-CmsOID 11 (pkinit)
- rc2CBC-EnvOID 12 (pkinit)
- rsaEncryption-EnvOID 13 (pkinit from PKCS#1 v1.5)
- rsaES-OAEP-ENV-OID 14 (pkinit from PKCS#1 v2.0)
- des-ede3-cbc-Env-OID 15 (pkinit)
- des3-cbc-sha1-kd 16 5.3
- aes128-cts-hmac-sha1-96 17 [KRB5-AES]
- aes256-cts-hmac-sha1-96 18 [KRB5-AES]
- rc4-hmac 23 (Microsoft)
- rc4-hmac-exp 24 (Microsoft)
- subkey-keymaterial 65 (opaque; PacketCable)
-
-
- (The "des3-cbc-sha1" assignment is a deprecated version using no key
- derivation. It should not be confused with des3-cbc-sha1-kd.)
-
-
-
-
-Raeburn [Page 31]
-
-INTERNET DRAFT February 2003
-
-
- Several numbers have been reserved for use in encryption systems not
- defined here. Encryption type numbers have unfortunately been
- overloaded on occasion in Kerberos-related protocols, so some of the
- reserved numbers do not and will not correspond to encryption systems
- fitting the profile presented here.
-
- The following checksum type numbers are assigned or reserved. As
- with encryption type numbers, some overloading of checksum numbers
- has occurred.
-
-
- Checksum type sumtype checksum section or
- value size reference
- ----------------------------------------------------------------------
- CRC32 1 4 5.1.3
- rsa-md4 2 16 5.1.2
- rsa-md4-des 3 24 5.2.5
- des-mac 4 16 5.2.7
- des-mac-k 5 8 5.2.8
- rsa-md4-des-k 6 16 5.2.6
- rsa-md5 7 16 5.1.1
- rsa-md5-des 8 24 5.2.4
- rsa-md5-des3 9 24 ??
- sha1 (unkeyed) 10 20 ??
- hmac-sha1-des3-kd 12 20 5.3
- hmac-sha1-des3 13 20 ??
- sha1 (unkeyed) 14 20 ??
- hmac-sha1-96-aes128 15 20 [KRB5-AES]
- hmac-sha1-96-aes256 16 20 [KRB5-AES]
- [reserved] 0x8003 ?
[GSS-KRB5]
-
-
- Encryption and checksum type numbers are signed 32-bit values. Zero
- is invalid, and negative numbers are reserved for local use. All
- standardized values must be positive.
-
-8. Implementation Notes
-
- The "interface" described here is the minimal information that must
- be defined to make a cryptosystem useful within Kerberos in an
- interoperable fashion. Despite the functional notation used in some
- places, it is not an attempt to define an API for cryptographic
- functionality within Kerberos. Actual implementations providing
- clean APIs will probably find it useful to make additional
- information available, which should be possible to derive from a
- specification written to the framework given here. For example, an
- application designer may wish to determine the largest number of
- bytes that can be encrypted without overflowing a certain size output
-
-
-
-Raeburn [Page 32]
-
-INTERNET DRAFT February 2003
-
-
- buffer, or conversely, the maximum number of bytes that might be
- obtained by decrypting a ciphertext message of a given size. (In
- fact, an implementation of the GSS-API Kerberos mechanism [GSS-KRB5]
- will require some of these.)
-
- The presence of a mechanism in this document should not be taken as
- an indication that it must be implemented for compliance with any
- specification; required mechanisms will be specified elsewhere.
- Indeed, some of the mechanisms described here for backwards
- compatibility are now considered rather weak for protecting critical
- data.
-
-9. Security Considerations
-
- Recent years have brought advancements in the ability to perform
- large-scale attacks against DES, to such a degree that it is not
- considered a strong encryption mechanism any longer; triple-DES is
- generally preferred in its place, despite the poorer performance.
- See [ESP-DES] for a summary of some of the potential attacks, and
- [EFF-DES] for a detailed discussion of the implementation of
- particular attack.
However, most Kerberos implementations still have
- DES as their primary interoperable encryption type.
-
- DES has four 'weak' keys and twelve 'semi-weak' keys, and the use of
- single-DES here avoids them. However, DES also has 48 'possibly-weak'
- keys [Schneier96] (note that the tables in many editions of the
- reference contains errors) which are not avoided.
-
- DES weak keys are keys with the property that E1(E1(P)) = P (where E1
- denotes encryption of a single block with key 1). DES semi-weak keys
- or "dual" keys are pairs of keys with the property that E1(P) =
- D2(P), and thus E2(E1(P)) = P. Because of the use of CBC mode and
- leading random confounder, however, these properties are unlikely to
- present a security problem.
-
- The use of triple-DES in Kerberos makes no effort to avoid these
- keys. The nature of the weak keys is such that it is extremely
- unlikely that they will weaken the triple-DES encryption -- only
- slightly more likely than having the middle of the three sub-keys
- match one of the other two, which effectively converts the encryption
- to single-DES, which is another case we make no effort to avoid.
-
- The true CRC-32 checksum is not collision-proof; an attacker could
- use a probabilistic chosen-plaintext attack to generate a valid
- message even if a confounder is used [SG92]. The use of collision-
- proof checksums is of course recommended for environments where such
- attacks represent a significant threat. The "simplifications" (read:
- bugs) introduced when CRC-32 was implemented for Kerberos cause
-
-
-
-Raeburn [Page 33]
-
-INTERNET DRAFT February 2003
-
-
- leading zeros to effectively be ignored, so messages differing only
- in leading zero bits will have the same checksum.
-
- [HMAC] and [IPSEC-HMAC] discuss weaknesses of the HMAC algorithm.
- Unlike [IPSEC-HMAC], the triple-DES specification here does not use
- the suggested truncation of the HMAC output.
As pointed out in
- [IPSEC-HMAC], SHA-1 was not developed to be used as a keyed hash
- function, which is a criterion of HMAC. [HMAC-TEST] contains test
- vectors for HMAC-SHA-1.
-
- The mit_des_string_to_key function was originally constructed with
- the assumption that all input would be ASCII; it ignores the top bit
- of each input byte. Folding with XOR is also not an especially good
- mixing mechanism in terms of preserving randomness.
-
- The n-fold function used in the string-to-key operation for des3-cbc-
- hmac-sha1-kd was designed to cause each bit of input to contribute
- equally to the output; it was not designed to maximize or equally
- distribute randomness in the input, and there are conceivable cases
- of partially structured input where randomness may be lost. This
- should only be an issue for highly structured passwords, however.
-
- [RFC1851] discusses the relative strength of triple-DES encryption.
- The relative slow speed of triple-DES encryption may also be an issue
- for some applications.
-
- This document, like the Kerberos protocol, completely ignores the
- notion of limiting the amount of data a key may be used with to a
- quantity based on the robustness of the algorithm or size of the key.
- It is assumed that any defined algorithms and key sizes will be
- strong enough to support very large amounts of data, or they will be
- deprecated once significant attacks are known.
-
- This document also places no bounds on the amount of data that can be
- handled in various operations. In order to avoid denial of service
- attacks, implementations will probably want to restrict message sizes
- at some higher level.
-
-10. IANA Considerations
-
- None at present. The management of encryption and checksum type
- number assignments may be transferred to IANA at some future time.
-
-
-
-
-
-
-
-
-
-Raeburn [Page 34]
-
-INTERNET DRAFT February 2003
-
-
-11.
Acknowledgments
-
- This document is an extension of the encryption specification
- included in [Kerb1510] by B. Clifford Neuman and John Kohl, and much
- of the text of the background, concepts, and DES specifications are
- drawn directly from that document.
-
- The abstract framework presented in this document was put together by
- Jeff Altman, Sam Hartman, Jeff Hutzelman, Cliff Neuman, Ken Raeburn,
- and Tom Yu, and the details were refined several times based on
- comments from John Brezak and others.
-
- Marc Horowitz wrote the original specification of triple-DES and key
- derivation in a pair of Internet Drafts (under the names draft-
- horowitz-key-derivation and draft-horowitz-kerb-key-derivation) which
- were later folded into a draft revision of [Kerb1510], from which
- this document was later split off.
-
- Tom Yu provided the text describing the modifications to the standard
- CRC algorithm as Kerberos implementations actually use it.
-
- Miroslav Jurisic provided information for one of the UTF-8 test cases
- for the string-to-key functions.
-
- Marcus Watts noticed some errors in earlier drafts, and pointed out
- that the simplified profile could easily be modified to support
- cipher text stealing modes.
-
- Simon Josefsson contributed some clarifications to the DES "CBC
- checksum", string-to-key and weak key descriptions, and some test
- vectors.
-
- Simon Josefsson, Louis LeVay and others also caught some errors in
- earlier drafts.
-
-12. Editor's address
-
- Kenneth Raeburn
- Massachusetts Institute of Technology
- 77 Massachusetts Avenue
- Cambridge, MA 02139
- raeburn@mit.edu
-
-
-
-
-
-
-
-
-
-Raeburn [Page 35]
-
-INTERNET DRAFT February 2003
-
-
-13. Full Copyright Statement
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."
-
-A. Test vectors
-
- This section provides test vectors for various functions defined or
- described in this document. For convenience, most inputs are ASCII
- strings, though some UTF-8 samples are be provided for string-to-key
- functions. Keys and other binary data are specified as hexadecimal
- strings.
-
-A.1. n-fold
-
- The n-fold function is defined in section 4.1. As noted there, the
- sample vector in the original paper defining the algorithm appears to
- be incorrect.
Here are some test cases provided by Marc Horowitz and
- Simon Josefsson:
-
-
-
-
-
-
-
-
-
-Raeburn [Page 36]
-
-INTERNET DRAFT February 2003
-
-
- 64-fold("012345") =
- 64-fold(303132333435) = be072631276b1955
-
- 56-fold("password") =
- 56-fold(70617373776f7264) = 78a07b6caf85fa
-
- 64-fold("Rough Consensus, and Running Code") =
- 64-fold(526f75676820436f6e73656e7375732c20616e642052756e
- 6e696e6720436f6465) = bb6ed30870b7f0e0
-
- 168-fold("password") =
- 168-fold(70617373776f7264) =
- 59e4a8ca7c0385c3c37b3f6d2000247cb6e6bd5b3e
-
- 192-fold("MASSACHVSETTS INSTITVTE OF TECHNOLOGY"
- 192-fold(4d41535341434856534554545320494e5354495456544520
- 4f4620544543484e4f4c4f4759) =
- db3b0d8f0b061e603282b308a50841229ad798fab9540c1b
-
- 168-fold("Q") =
- 168-fold(51) =
- 518a54a2 15a8452a 518a54a2 15a8452a
- 518a54a2 15
-
- 168-fold("ba") =
- 168-fold(6261) =
- fb25d531 ae897449 9f52fd92 ea9857c4
- ba24cf29 7e
-
- Here are some additional values corresponding to folded values of the
- string "kerberos"; the 64-bit form is used in the des3 string-to-key
- (section 5.3.1).
-
- 64-fold("kerberos") =
- 6b657262 65726f73
- 128-fold("kerberos") =
- 6b657262 65726f73 7b9b5b2b 93132b93
- 168-fold("kerberos") =
- 8372c236 344e5f15 50cd0747 e15d62ca
- 7a5a3bce a4
- 256-fold("kerberos") =
- 6b657262 65726f73 7b9b5b2b 93132b93
- 5c9bdcda d95c9899 c4cae4de e6d6cae4
-
- Note that the initial octets exactly match the input string when the
- output length is a multiple of the input length.
-
-
-
-
-
-Raeburn [Page 37]
-
-INTERNET DRAFT February 2003
-
-
-A.2. mit_des_string_to_key
-
- The function mit_des_string_to_key is defined in section 5.2. We
- present here several test values, with some of the intermediate
- results. The fourth test demonstrates the use of UTF-8 with three
- characters.
The last two tests are specifically constructed so as to - trigger the weak-key fixups for the intermediate key produced by fan- - folding; we have no test cases that cause such fixups for the final - key. - - - UTF-8 encodings used in test vector: - eszett C3 9F s-caron C5 A1 c-acute C4 87 - g-clef F0 9D 84 9E - - - Test vector: - - - salt: "ATHENA.MIT.EDUraeburn" - 415448454e412e4d49542e4544557261656275726e - password: "password" 70617373776f7264 - fan-fold result: c01e38688ac86c2e - intermediate key: c11f38688ac86d2f - DES key: cbc22fae235298e3 - - - - salt: "WHITEHOUSE.GOVdanny" 5748495445484f5553452e474f5664616e6e79 - password: "potatoe" 706f7461746f65 - fan-fold result: a028944ee63c0416 - intermediate key: a129944fe63d0416 - DES key: df3d32a74fd92a01 - - - - salt: "EXAMPLE.COMpianist" 4558414D504C452E434F4D7069616E697374 - password: g-clef f09d849e - fan-fold result: 3c4a262c18fab090 - intermediate key: 3d4a262c19fbb091 - DES key: 4ffb26bab0cd9413 - - - - - - - - - - -Raeburn [Page 38] - -INTERNET DRAFT February 2003 - - - salt: "ATHENA.MIT.EDUJuri" + s-caron + "i" + c-acute - 415448454e412e4d49542e4544554a757269c5a169c487 - password: eszett c39f - fan-fold result: b8f6c40e305afc9e - intermediate key: b9f7c40e315bfd9e - DES key: 62c81a5232b5e69d - - - - salt: "AAAAAAAA" 4141414141414141 - password: "11119999" 3131313139393939 - fan-fold result: e0e0e0e0f0f0f0f0 - intermediate key: e0e0e0e0f1f1f101 - DES key: 984054d0f1a73e31 - - - - salt: "FFFFAAAA" 4646464641414141 - password: "NNNN6666" 4e4e4e4e36363636 - fan-fold result: 1e1e1e1e0e0e0e0e - intermediate key: 1f1f1f1f0e0e0efe - DES key: c4bf6b25adf7a4f8 - - - This trace provided by Simon Josefsson shows the intermediate - processing stages of one of the test inputs: - - string_to_key (des-cbc-md5, string, salt) - ;; string: - ;; `password' (length 8 bytes) - ;; 70 61 73 73 77 6f 72 64 - ;; salt: - ;; `ATHENA.MIT.EDUraeburn' (length 21 bytes) - ;; 41 54 48 45 4e 41 2e 4d 49 54 2e 45 44 55 72 61 - ;; 65 62 75 
72 6e - des_string_to_key (string, salt) - ;; String: - ;; `password' (length 8 bytes) - ;; 70 61 73 73 77 6f 72 64 - ;; Salt: - ;; `ATHENA.MIT.EDUraeburn' (length 21 bytes) - ;; 41 54 48 45 4e 41 2e 4d 49 54 2e 45 44 55 72 61 - ;; 65 62 75 72 6e - odd = 1; - s = string | salt; - - - - - - -Raeburn [Page 39] - -INTERNET DRAFT February 2003 - - - tempstring = 0; /* 56-bit string */ - pad(s); /* with nulls to 8 byte boundary */ - ;; s = pad(string|salt): - ;; `passwordATHENA.MIT.EDUraeburn\x00\x00\x00' - ;; (length 32 bytes) - ;; 70 61 73 73 77 6f 72 64 41 54 48 45 4e 41 2e 4d - ;; 49 54 2e 45 44 55 72 61 65 62 75 72 6e 00 00 00 - for (8byteblock in s) { - ;; loop iteration 0 - ;; 8byteblock: - ;; `password' (length 8 bytes) - ;; 70 61 73 73 77 6f 72 64 - ;; 01110000 01100001 01110011 01110011 01110111 01101111 - ;; 01110010 01100100 - 56bitstring = removeMSBits(8byteblock); - ;; 56bitstring: - ;; 1110000 1100001 1110011 1110011 1110111 1101111 - ;; 1110010 1100100 - if (odd == 0) reverse(56bitstring); ;; odd=1 - odd = ! odd - tempstring = tempstring XOR 56bitstring; - ;; tempstring - ;; 1110000 1100001 1110011 1110011 1110111 1101111 - ;; 1110010 1100100 - - for (8byteblock in s) { - ;; loop iteration 1 - ;; 8byteblock: - ;; `ATHENA.M' (length 8 bytes) - ;; 41 54 48 45 4e 41 2e 4d - ;; 01000001 01010100 01001000 01000101 01001110 01000001 - ;; 00101110 01001101 - 56bitstring = removeMSBits(8byteblock); - ;; 56bitstring: - ;; 1000001 1010100 1001000 1000101 1001110 1000001 - ;; 0101110 1001101 - if (odd == 0) reverse(56bitstring); ;; odd=0 - reverse(56bitstring) - ;; 56bitstring after reverse - ;; 1011001 0111010 1000001 0111001 1010001 0001001 - ;; 0010101 1000001 - odd = ! 
odd - tempstring = tempstring XOR 56bitstring; - ;; tempstring - ;; 0101001 1011011 0110010 1001010 0100110 1100110 - ;; 1100111 0100101 - - - - - -Raeburn [Page 40] - -INTERNET DRAFT February 2003 - - - for (8byteblock in s) { - ;; loop iteration 2 - ;; 8byteblock: - ;; `IT.EDUra' (length 8 bytes) - ;; 49 54 2e 45 44 55 72 61 - ;; 01001001 01010100 00101110 01000101 01000100 01010101 - ;; 01110010 01100001 - 56bitstring = removeMSBits(8byteblock); - ;; 56bitstring: - ;; 1001001 1010100 0101110 1000101 1000100 1010101 - ;; 1110010 1100001 - if (odd == 0) reverse(56bitstring); ;; odd=1 - odd = ! odd - tempstring = tempstring XOR 56bitstring; - ;; tempstring - ;; 1100000 0001111 0011100 0001111 1100010 0110011 - ;; 0010101 1000100 - - for (8byteblock in s) { - ;; loop iteration 3 - ;; 8byteblock: - ;; `eburn\x00\x00\x00' (length 8 bytes) - ;; 65 62 75 72 6e 00 00 00 - ;; 01100101 01100010 01110101 01110010 01101110 00000000 - ;; 00000000 00000000 - 56bitstring = removeMSBits(8byteblock); - ;; 56bitstring: - ;; 1100101 1100010 1110101 1110010 1101110 0000000 - ;; 0000000 0000000 - if (odd == 0) reverse(56bitstring); ;; odd=0 - reverse(56bitstring) - ;; 56bitstring after reverse - ;; 0000000 0000000 0000000 0111011 0100111 1010111 - ;; 0100011 1010011 - odd = ! 
odd - tempstring = tempstring XOR 56bitstring; - ;; tempstring - ;; 1100000 0001111 0011100 0110100 1000101 1100100 - ;; 0110110 0010111 - - for (8byteblock in s) { - } - ;; for loop terminated - - - - - - - - -Raeburn [Page 41] - -INTERNET DRAFT February 2003 - - - tempkey = key_correction(add_parity_bits(tempstring)); - ;; tempkey - ;; `\xc1\x1f8h\x8a\xc8m\x2f' (length 8 bytes) - ;; c1 1f 38 68 8a c8 6d 2f - ;; 11000001 00011111 00111000 01101000 10001010 11001000 - ;; 01101101 00101111 - - key = key_correction(DES-CBC-check(s,tempkey)); - ;; key - ;; `\xcb\xc2\x2f\xae\x23R\x98\xe3' (length 8 bytes) - ;; cb c2 2f ae 23 52 98 e3 - ;; 11001011 11000010 00101111 10101110 00100011 01010010 - ;; 10011000 11100011 - - ;; string_to_key key: - ;; `\xcb\xc2\x2f\xae\x23R\x98\xe3' (length 8 bytes) - ;; cb c2 2f ae 23 52 98 e3 - - -A.3. DES3 DR and DK - - These tests show the derived-random and derived-key values for the - des3-hmac-sha1-kd encryption scheme, using the DR and DK functions - defined in section 5.3.1. The input keys were randomly generated; - the usage values are from this specification. 
- - - key: dce06b1f64c857a11c3db57c51899b2cc1791008ce973b92 - usage: 0000000155 - DR: 935079d14490a75c3093c4a6e8c3b049c71e6ee705 - DK: 925179d04591a79b5d3192c4a7e9c289b049c71f6ee604cd - - key: 5e13d31c70ef765746578531cb51c15bf11ca82c97cee9f2 - usage: 00000001aa - DR: 9f58e5a047d894101c469845d67ae3c5249ed812f2 - DK: 9e58e5a146d9942a101c469845d67a20e3c4259ed913f207 - - key: 98e6fd8a04a4b6859b75a176540b9752bad3ecd610a252bc - usage: 0000000155 - DR: 12fff90c773f956d13fc2ca0d0840349dbd39908eb - DK: 13fef80d763e94ec6d13fd2ca1d085070249dad39808eabf - - key: 622aec25a2fe2cad7094680b7c64940280084c1a7cec92b5 - usage: 00000001aa - DR: f8debf05b097e7dc0603686aca35d91fd9a5516a70 - DK: f8dfbf04b097e6d9dc0702686bcb3489d91fd9a4516b703e - - - - - -Raeburn [Page 42] - -INTERNET DRAFT February 2003 - - - key: d3f8298ccb166438dcb9b93ee5a7629286a491f838f802fb - usage: 6b65726265726f73 ("kerberos") - DR: 2270db565d2a3d64cfbfdc5305d4f778a6de42d9da - DK: 2370da575d2a3da864cebfdc5204d56df779a7df43d9da43 - - key: c1081649ada74362e6a1459d01dfd30d67c2234c940704da - usage: 0000000155 - DR: 348056ec98fcc517171d2b4d7a9493af482d999175 - DK: 348057ec98fdc48016161c2a4c7a943e92ae492c989175f7 - - key: 5d154af238f46713155719d55e2f1f790dd661f279a7917c - usage: 00000001aa - DR: a8818bc367dadacbe9a6c84627fb60c294b01215e5 - DK: a8808ac267dada3dcbe9a7c84626fbc761c294b01315e5c1 - - key: 798562e049852f57dc8c343ba17f2ca1d97394efc8adc443 - usage: 0000000155 - DR: c813f88b3be2b2f75424ce9175fbc8483b88c8713a - DK: c813f88a3be3b334f75425ce9175fbe3c8493b89c8703b49 - - key: 26dce334b545292f2feab9a8701a89a4b99eb9942cecd016 - usage: 00000001aa - DR: f58efc6f83f93e55e695fd252cf8fe59f7d5ba37ec - DK: f48ffd6e83f83e7354e694fd252cf83bfe58f7d5ba37ec5d - - -A.4. DES3string_to_key - - These are the keys generated for some of the above input strings for - triple-DES with key derivation as defined in section 5.3.1. 
- - salt: "ATHENA.MIT.EDUraeburn" - passwd: "password" - key: 850bb51358548cd05e86768c313e3bfef7511937dcf72c3e - - salt: "WHITEHOUSE.GOVdanny" - passwd: "potatoe" - key: dfcd233dd0a43204ea6dc437fb15e061b02979c1f74f377a - - salt: "EXAMPLE.COMbuckaroo" - passwd: "penny" - key: 6d2fcdf2d6fbbc3ddcadb5da5710a23489b0d3b69d5d9d4a - - salt: "ATHENA.MIT.EDUJuri" + s-caron + "i" + c-acute - passwd: eszett - key: 16d5a40e1ce3bacb61b9dce00470324c831973a7b952feb0 - - - - - -Raeburn [Page 43] - -INTERNET DRAFT February 2003 - - - salt: "EXAMPLE.COMpianist" - passwd: g-clef - key: 85763726585dbc1cce6ec43e1f751f07f1c4cbb098f40b19 - -A.5. Modified CRC-32 - - Below are modified-CRC32 values for various ASCII and octet strings. - Only the printable ASCII characters are checksummed, no C-style - trailing zero-valued octet. The 32-bit modified CRC and the sequence - of output bytes as used in Kerberos are shown. (The octet values are - separated here to emphasize that they are octet values and not 32-bit - numbers, which will be the most convenient form for manipulation in - some implementations. The bit and byte order used internally for - such a number is irrelevant; the octet sequence generated is what is - important.) - - - mod-crc-32("foo") = 33 bc 32 73 - mod-crc-32("test0123456789") = d6 88 3e b8 - mod-crc-32("MASSACHVSETTS INSTITVTE OF TECHNOLOGY") = f7 80 41 e3 - mod-crc-32(8000) = 4b 98 83 3b - mod-crc-32(0008) = 32 88 db 0e - mod-crc-32(0080) = 20 83 b8 ed - mod-crc-32(80) = 20 83 b8 ed - mod-crc-32(80000000) = 3b b6 59 ed - mod-crc-32(00000001) = 96 30 07 77 - - -B. Significant Changes from RFC 1510 - - The encryption and checksum mechanism profiles are new. The old - specification defined a few operations for various mechanisms, but - didn't outline what should be required of new mechanisms in terms of - abstract properties, nor how to ensure that a mechanism specification - is complete enough for interoperability between implementations. 
The - new profiles do differ from the old specification in a few ways: - - Some message definitions in [Kerb1510] could be read as permitting - the initial vector to be specified by the application; the text - was too vague. It is specifically not permitted in this - specification. Some encryption algorithms may not use - initialization vectors, so relying on chosen, secret - initialization vectors for security is unwise. Also, the - prepended confounder in the existing algorithms is roughly - equivalent to a per-message initialization vector that is revealed - in encrypted form. However, carrying state across from one - encryption to another is explicitly permitted through the opaque - "cipher state" object. - - - -Raeburn [Page 44] - -INTERNET DRAFT February 2003 - - - The use of key derivation is new. - - Several new methods are introduced, including generation of a key - in wire-protocol format from random input data. - - The means for influencing the string-to-key algorithm are laid out - more clearly. - - Triple-DES support is new. - - The pseudo-random function is new. - - The des-cbc-crc, DES string-to-key and CRC descriptions have been - updated to align them with existing implementations. - - [Kerb1510] had no indication what character set or encoding might be - used for pass phrases and salts. - - In [Kerb1510], key types, encryption algorithms and checksum - algorithms were only loosely associated, and the association was not - well described. In this specification, key types and encryption - algorithms have a one-to-one correspondence, and associations between - encryption and checksum algorithms are described so that checksums - can be computed given negotiated keys, without requiring further - negotiation for checksum types. - -Notes - - [1] While Message Authentication Code (MAC) or Message Integrity - Check (MIC) would be more appropriate terms for many of the - uses in this document, we continue to use the term "checksum" - for historical reasons. 
- - [2] Extending CBC mode across messages would be one obvious - example of this chaining. Another might be the use of - counter mode, with a counter randomly initialized and - attached to the ciphertext; a second message could continue - incrementing the counter when chaining the cipher state, thus - avoiding having to transmit another counter value. However, - this chaining is only useful for uninterrupted, ordered - sequences of messages. - - [3] In the case of Kerberos, the encrypted objects will generally - be ASN.1 DER encodings, which contain indications of their - length in the first few octets. - - [4] As of the time of this writing, some new modes of operation - have been proposed, some of which may permit encryption and - - - -Raeburn [Page 45] - -INTERNET DRAFT February 2003 - - - integrity protection simultaneously. After some of these - proposals have been subjected to adequate analysis, we may - wish to formulate a new simplified profile based on one of - them. - - [5] It should be noted that the sample vector in Appendix B.2 of - the original paper appears to be incorrect. Two independent - implementations from the specification (one in C by Marc - Horowitz, and another in Scheme by Bill Sommerfeld) agree on - a value different from that in [Blumenthal96]. - - [6] For example, in MIT's implementation of [Kerb1510], the rsa- - md5 unkeyed checksum of application data may be included in - an authenticator encrypted in a service's key; since rsa-md5 - is believed to be collision-proof, even if the application - data is exposed to an attacker, it cannot be modified without - causing the checksum verification to fail. - - [7] A variant of the key is used to limit the use of a key to a - particular function, separating the functions of generating a - checksum from other encryption performed using the session - key. The constant 0xF0F0F0F0F0F0F0F0 was chosen because it - maintains key parity. The properties of DES precluded the - use of the complement. 
The same constant is used for similar - purpose in the Message Integrity Check in the Privacy - Enhanced Mail standard. - - [8] Perhaps one of the more common reasons for directly - performing encryption is direct control over the negotiation - and to select a "sufficiently strong" encryption algorithm - (whatever that means in the context of a given application). - While Kerberos directly provides no facility for negotiating - encryption types between the application client and server, - there are other means for accomplishing similar goals. For - example, requesting only "strong" session key types from the - KDC, and assuming that the type actually returned by the KDC - will be understood and supported by the application server. - -Normative References - - [Bellare98] - Bellare, M., Desai, A., Pointcheval, D., and P. Rogaway, - "Relations Among Notions of Security for Public-Key Encryption - Schemes". Extended abstract published in Advances in Cryptology- - Crypto 98 Proceedings, Lecture Notes in Computer Science Vol. - 1462, H. Krawcyzk ed., Springer-Verlag, 1998. - - - - - -Raeburn [Page 46] - -INTERNET DRAFT February 2003 - - - [Blumenthal96] - Blumenthal, U., and S. Bellovin, "A Better Key Schedule for DES- - Like Ciphers", Proceedings of PRAGOCRYPT '96, 1996. - [CRC] - International Organization for Standardization, "ISO Information - Processing Systems - Data Communication - High-Level Data Link - Control Procedure - Frame Structure," IS 3309, 3rd Edition, - October 1984. - [DES77] - National Bureau of Standards, U.S. Department of Commerce, "Data - Encryption Standard," Federal Information Processing Standards - Publication 46, Washington, DC, 1977. - [DESI81] - National Bureau of Standards, U.S. Department of Commerce, - "Guidelines for implementing and using NBS Data Encryption - Standard," Federal Information Processing Standards Publication - 74, Washington, DC, 1981. - [DESM80] - National Bureau of Standards, U.S. 
Department of Commerce, "DES - Modes of Operation," Federal Information Processing Standards - Publication 81, Springfield, VA, December 1980. - [Dolev91] - Dolev, D., Dwork, C., Naor, M., "Non-malleable cryptography", - Proceedings of the 23rd Annual Symposium on Theory of Computing, - ACM, 1991. - [HMAC] - Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing - for Message Authentication", RFC 2104, February 1997. - [KRB5-AES] - Raeburn, K., "AES Encyrption for Kerberos 5", RFC XXXX, Xxxxxxxx - 2003. - [MD4-92] - Rivest, R., "The MD4 Message Digest Algorithm," RFC 1320, MIT - Laboratory for Computer Science, April 1992. - [MD5-92] - Rivest, R., "The MD5 Message Digest Algorithm," RFC 1321, MIT - Laboratory for Computer Science, April 1992. - [RFC2026] - Bradner, S., "The Internet Standards Process -- Revisions 3," RFC - 2026, October 1996. - [SG92] - Stubblebine, S., and V. D. Gligor, "On Message Integrity in - Cryptographic Protocols," in Proceedings of the IEEE Symposium on - Research in Security and Privacy, Oakland, California, May 1992. - - - - - - - -Raeburn [Page 47] - -INTERNET DRAFT February 2003 - - -Informative References - - [EFF-DES] - Electronic Frontier Foundation, "Cracking DES: Secrets of - Encryption Research, Wiretap Politics, and Chip Design", O'Reilly - & Associates, Inc., May 1998. - [ESP-DES] - Madson, C., and N. Doraswamy, "The ESP DES-CBC Cipher Algorithm - With Explicit IV", RFC 2405, November 1998. - [GSS-KRB5] - Linn, J., "The Kerberos Version 5 GSS-API Mechanism," RFC 1964, - June 1996. - [HMAC-TEST] - Cheng, P., and R. Glenn, "Test Cases for HMAC-MD5 and HMAC-SHA-1", - RFC 2202, September 1997. - [IPSEC-HMAC] - Madson, C., and R. Glenn, "The Use of HMAC-SHA-1-96 within ESP and - AH", RFC 2404, November 1998. - [Kerb] - Neuman, C., Kohl, J., Ts'o, T., Yu, T., Hartman, S., and K. - Raeburn, "The Kerberos Network Authentication Service (V5)", - draft-ietf-krb-wg-kerberos-clarifications-00.txt, February 22, - 2002. 
Work in progress. - [Kerb1510] - Kohl, J., and C. Neuman, "The Kerberos Network Authentication - Service (V5)", RFC 1510, September 1993. - [RC5] - Baldwin, R, and R. Rivest, "The RC5, RC5-CBC, RC5-CBC-Pad, and - RC5-CTS Algorithms", RFC 2040, October 1996. - [Schneier96] - Schneier, B., "Applied Cryptography Second Edition", John Wiley & - Sons, New York, NY, 1996. ISBN 0-471-12845-7. - -Notes to RFC Editor - - Before publication of this document as an RFC, the following changes - are needed: - - Change the reference "[KRB5-AES]" in Normative References to indicate - the AES draft (draft-raeburn-krb-rijndael-krb-XX) that should be - advancing to RFC at the same time. The RFC number and publication - date are needed. - - If draft-ietf-krb-wg-kerberos-clarifications advances to RFC at the - same time as this document, change the information for [Kerb] in the - Informative References section as well. - - Delete this section. - - - -Raeburn [Page 48]
diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-krb-wg-kerberos-clarifications-03.txt b/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-krb-wg-kerberos-clarifications-03.txt
deleted file mode 100644
index 005ea86b0b..0000000000
--- a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-krb-wg-kerberos-clarifications-03.txt
+++ /dev/null
@@ -1,7975 +0,0 @@ - -INTERNET-DRAFT Clifford Neuman - USC-ISI - Tom Yu - Sam Hartman - Ken Raeburn - MIT - March 2, 2003 - Expires 2 September, 2003 - - The Kerberos Network Authentication Service (V5) - draft-ietf-krb-wg-kerberos-clarifications-03.txt - -STATUS OF THIS MEMO - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC 2026. Internet-Drafts are working - documents of the Internet Engineering Task Force (IETF), its areas, - and its working groups. Note that other groups may also distribute - working documents as Internet-Drafts. - - Internet-Drafts are draft documents valid for a maximum of six months - and may be updated, replaced, or obsoleted by other documents at any - time. It is inappropriate to use Internet-Drafts as reference - material or to cite them other than as "work in progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - - To learn the current status of any Internet-Draft, please check the - "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow - Directories on ftp.ietf.org (US East Coast), nic.nordu.net (Europe), - ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim). - - The distribution of this memo is unlimited. It is filed as draft- - ietf-krb-wg-kerberos-clarifications-03.txt, and expires 2 September - 2003. Please send comments to: ietf-krb-wg@anl.gov - -ABSTRACT - - This document provides an overview and specification of Version 5 of - the Kerberos protocol, and updates RFC1510 to clarify aspects of the - protocol and its intended use that require more detailed or clearer - explanation than was provided in RFC1510. 
This document is intended - to provide a detailed description of the protocol, suitable for - implementation, together with descriptions of the appropriate use of - protocol messages and fields within those messages. - - - -March 2003 [Page 1] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - This document contains a subset of the changes considered and - discussed in the Kerberos working group and is intended as an interim - description of Kerberos. Additional changes to the Kerberos protocol - have been proposed and will appear in a subsequent extensions - document. - - This document is not intended to describe Kerberos to the end user, - system administrator, or application developer. Higher level papers - describing Version 5 of the Kerberos system [NT94] and documenting - version 4 [SNS88], are available elsewhere. - -OVERVIEW - - This INTERNET-DRAFT describes the concepts and model upon which the - Kerberos network authentication system is based. It also specifies - Version 5 of the Kerberos protocol. - - The motivations, goals, assumptions, and rationale behind most design - decisions are treated cursorily; they are more fully described in a - paper available in IEEE communications [NT94] and earlier in the - Kerberos portion of the Athena Technical Plan [MNSS87]. The protocols - have been a proposed standard and are being considered for - advancement for draft standard through the IETF standard process. - Comments are encouraged on the presentation, but only minor - refinements to the protocol as implemented or extensions that fit - within current protocol framework will be considered at this time. - - Requests for addition to an electronic mailing list for discussion of - Kerberos, kerberos@MIT.EDU, may be addressed to kerberos- - request@MIT.EDU. This mailing list is gatewayed onto the Usenet as - the group comp.protocols.kerberos. 
Requests for further information, - including documents and code availability, may be sent to info- - kerberos@MIT.EDU. - -BACKGROUND - - The Kerberos model is based in part on Needham and Schroeder's - trusted third-party authentication protocol [NS78] and on - modifications suggested by Denning and Sacco [DS81]. The original - design and implementation of Kerberos Versions 1 through 4 was the - work of two former Project Athena staff members, Steve Miller of - Digital Equipment Corporation and Clifford Neuman (now at the - Information Sciences Institute of the University of Southern - California), along with Jerome Saltzer, Technical Director of Project - Athena, and Jeffrey Schiller, MIT Campus Network Manager. Many other - members of Project Athena have also contributed to the work on - Kerberos. - - - - -March 2003 [Page 2] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - Version 5 of the Kerberos protocol (described in this document) has - evolved from Version 4 based on new requirements and desires for - features not available in Version 4. The design of Version 5 of the - Kerberos protocol was led by Clifford Neuman and John Kohl with much - input from the community. The development of the MIT reference - implementation was led at MIT by John Kohl and Theodore Ts'o, with - help and contributed code from many others. Since RFC1510 was issued, - extensions and revisions to the protocol have been proposed by many - individuals. Some of these proposals are reflected in this document. - Where such changes involved significant effort, the document cites - the contribution of the proposer. - - Reference implementations of both version 4 and version 5 of Kerberos - are publicly available and commercial implementations have been - developed and are widely used. Details on the differences between - Kerberos Versions 4 and 5 can be found in [KNT94]. 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -March 2003 [Page 3] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - TTaabbllee ooff CCoonntteennttss - - -1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . 7 -1.1. Cross-realm operation . . . . . . . . . . . . . . . . . . . . . 9 -1.2. Choosing a principal with which to communicate . . . . . . . . 10 -1.3. Authorization . . . . . . . . . . . . . . . . . . . . . . . . . 11 -1.4. Extending Kerberos Without Breaking Interoperability . . . . . 11 -1.4.1. Compatibility with RFC 1510 . . . . . . . . . . . . . . . . . 12 -1.4.2. Sending Extensible Messages . . . . . . . . . . . . . . . . . 13 -1.5. Environmental assumptions . . . . . . . . . . . . . . . . . . . 13 -1.6. Glossary of terms . . . . . . . . . . . . . . . . . . . . . . . 14 -2. Ticket flag uses and requests . . . . . . . . . . . . . . . . . . 16 -2.1. Initial, pre-authenticated, and hardware authenticated - tickets . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 -2.2. Invalid tickets . . . . . . . . . . . . . . . . . . . . . . . . 17 -2.3. Renewable tickets . . . . . . . . . . . . . . . . . . . . . . . 18 -2.4. Postdated tickets . . . . . . . . . . . . . . . . . . . . . . . 18 -2.5. Proxiable and proxy tickets . . . . . . . . . . . . . . . . . . 19 -2.6. Forwardable tickets . . . . . . . . . . . . . . . . . . . . . . 20 -2.7. Transited Policy Checking . . . . . . . . . . . . . . . . . . . 21 -2.8. OK as Delegate . . . . . . . . . . . . . . . . . . . . . . . . 21 -2.9. Other KDC options . . . . . . . . . . . . . . . . . . . . . . . 22 -2.9.1. Renewable-OK . . . . . . . . . . . . . . . . . . . . . . . . 22 -2.9.2. ENC-TKT-IN-SKEY . . . . . . . . . . . . . . . . . . . . . . . 22 -2.9.3. Passwordless Hardware Authentication . . . . . . . . . . . . 22 -3. Message Exchanges . . . . . . . . . . . . . . . . . . . . . . . . 23 -3.1. The Authentication Service Exchange . . . . . . . . 
. . . . . . 23 -3.1.1. Generation of KRB_AS_REQ message . . . . . . . . . . . . . . 24 -3.1.2. Receipt of KRB_AS_REQ message . . . . . . . . . . . . . . . . 24 -3.1.3. Generation of KRB_AS_REP message . . . . . . . . . . . . . . 25 -3.1.4. Generation of KRB_ERROR message . . . . . . . . . . . . . . . 27 -3.1.5. Receipt of KRB_AS_REP message . . . . . . . . . . . . . . . . 28 -3.1.6. Receipt of KRB_ERROR message . . . . . . . . . . . . . . . . 29 -3.2. The Client/Server Authentication Exchange . . . . . . . . . . . 29 -3.2.1. The KRB_AP_REQ message . . . . . . . . . . . . . . . . . . . 29 -3.2.2. Generation of a KRB_AP_REQ message . . . . . . . . . . . . . 29 -3.2.3. Receipt of KRB_AP_REQ message . . . . . . . . . . . . . . . . 30 -3.2.4. Generation of a KRB_AP_REP message . . . . . . . . . . . . . 32 -3.2.5. Receipt of KRB_AP_REP message . . . . . . . . . . . . . . . . 33 -3.2.6. Using the encryption key . . . . . . . . . . . . . . . . . . 33 -3.3. The Ticket-Granting Service (TGS) Exchange . . . . . . . . . . 34 -3.3.1. Generation of KRB_TGS_REQ message . . . . . . . . . . . . . . 35 -3.3.2. Receipt of KRB_TGS_REQ message . . . . . . . . . . . . . . . 37 -3.3.3. Generation of KRB_TGS_REP message . . . . . . . . . . . . . . 37 -3.3.3.1. Checking for revoked tickets . . . . . . . . . . . . . . . 40 -3.3.3.2. Encoding the transited field . . . . . . . . . . . . . . . 40 -3.3.4. Receipt of KRB_TGS_REP message . . . . . . . . . . . . . . . 42 - - - -March 2003 [Page 4] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - -3.4. The KRB_SAFE Exchange . . . . . . . . . . . . . . . . . . . . . 42 -3.4.1. Generation of a KRB_SAFE message . . . . . . . . . . . . . . 42 -3.4.2. Receipt of KRB_SAFE message . . . . . . . . . . . . . . . . . 43 -3.5. The KRB_PRIV Exchange . . . . . . . . . . . . . . . . . . . . . 44 -3.5.1. Generation of a KRB_PRIV message . . . . . . . . . . . . . . 44 -3.5.2. Receipt of KRB_PRIV message . . . . . . . . . . . . . 
. . . . 44 -3.6. The KRB_CRED Exchange . . . . . . . . . . . . . . . . . . . . . 45 -3.6.1. Generation of a KRB_CRED message . . . . . . . . . . . . . . 45 -3.6.2. Receipt of KRB_CRED message . . . . . . . . . . . . . . . . . 46 -3.7. User to User Authentication Exchanges . . . . . . . . . . . . . 46 -4. Encryption and Checksum Specifications . . . . . . . . . . . . . 48 -5. Message Specifications . . . . . . . . . . . . . . . . . . . . . 49 -5.1. Specific Compatibility Notes on ASN.1 . . . . . . . . . . . . . 51 -5.1.1. ASN.1 Distinguished Encoding Rules . . . . . . . . . . . . . 51 -5.1.2. Optional Integer Fields . . . . . . . . . . . . . . . . . . . 51 -5.1.3. Empty SEQUENCE OF Types . . . . . . . . . . . . . . . . . . . 51 -5.1.4. Unrecognized Tag Numbers . . . . . . . . . . . . . . . . . . 52 -5.1.5. Tag Numbers Greater Than 30 . . . . . . . . . . . . . . . . . 52 -5.2. Basic Kerberos Types . . . . . . . . . . . . . . . . . . . . . 52 -5.2.1. KerberosString . . . . . . . . . . . . . . . . . . . . . . . 52 -5.2.2. Realm and PrincipalName . . . . . . . . . . . . . . . . . . . 54 -5.2.3. KerberosTime . . . . . . . . . . . . . . . . . . . . . . . . 54 -5.2.4. Constrained Integer types . . . . . . . . . . . . . . . . . . 55 -5.2.5. HostAddress and HostAddresses . . . . . . . . . . . . . . . . 55 -5.2.6. AuthorizationData . . . . . . . . . . . . . . . . . . . . . . 56 -5.2.6.1. IF-RELEVANT . . . . . . . . . . . . . . . . . . . . . . . . 57 -5.2.6.2. KDCIssued . . . . . . . . . . . . . . . . . . . . . . . . . 57 -5.2.6.3. AND-OR . . . . . . . . . . . . . . . . . . . . . . . . . . 59 -5.2.6.4. MANDATORY-FOR-KDC . . . . . . . . . . . . . . . . . . . . . 59 -5.2.7. PA-DATA . . . . . . . . . . . . . . . . . . . . . . . . . . . 59 -5.2.7.1. PA-TGS-REQ . . . . . . . . . . . . . . . . . . . . . . . . 60 -5.2.7.2. Encrypted Timestamp Pre-authentication . . . . . . . . . . 60 -5.2.7.3. PA-PW-SALT . . . . . . . . . . . . . . . . . . . . . . . . 61 -5.2.7.4. PA-ETYPE-INFO . . . 
. . . . . . . . . . . . . . . . . . . . 61 -5.2.7.5. PA-ETYPE-INFO2 . . . . . . . . . . . . . . . . . . . . . . 62 -5.2.8. KerberosFlags . . . . . . . . . . . . . . . . . . . . . . . . 63 -5.2.9. Cryptosystem-related Types . . . . . . . . . . . . . . . . . 64 -5.3. Tickets . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 -5.4. Specifications for the AS and TGS exchanges . . . . . . . . . . 73 -5.4.1. KRB_KDC_REQ definition . . . . . . . . . . . . . . . . . . . 73 -5.4.2. KRB_KDC_REP definition . . . . . . . . . . . . . . . . . . . 80 -5.5. Client/Server (CS) message specifications . . . . . . . . . . . 84 -5.5.1. KRB_AP_REQ definition . . . . . . . . . . . . . . . . . . . . 84 -5.5.2. KRB_AP_REP definition . . . . . . . . . . . . . . . . . . . . 87 -5.5.3. Error message reply . . . . . . . . . . . . . . . . . . . . . 88 -5.6. KRB_SAFE message specification . . . . . . . . . . . . . . . . 88 -5.6.1. KRB_SAFE definition . . . . . . . . . . . . . . . . . . . . . 88 -5.7. KRB_PRIV message specification . . . . . . . . . . . . . . . . 90 - - - -March 2003 [Page 5] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - -5.7.1. KRB_PRIV definition . . . . . . . . . . . . . . . . . . . . . 90 -5.8. KRB_CRED message specification . . . . . . . . . . . . . . . . 91 -5.8.1. KRB_CRED definition . . . . . . . . . . . . . . . . . . . . . 91 -5.9. Error message specification . . . . . . . . . . . . . . . . . . 93 -5.9.1. KRB_ERROR definition . . . . . . . . . . . . . . . . . . . . 93 -5.10. Application Tag Numbers . . . . . . . . . . . . . . . . . . . 95 -6. Naming Constraints . . . . . . . . . . . . . . . . . . . . . . . 96 -6.1. Realm Names . . . . . . . . . . . . . . . . . . . . . . . . . . 96 -6.2. Principal Names . . . . . . . . . . . . . . . . . . . . . . . . 98 -6.2.1. Name of server principals . . . . . . . . . . . . . . . . . . 99 -7. Constants and other defined values . . . . . . . . . . . . . . . 100 -7.1. Host address types . . 
. . . . . . . . . . . . . . . . . . . . 100 -7.2. KDC messaging - IP Transports . . . . . . . . . . . . . . . . . 101 -7.2.1. UDP/IP transport . . . . . . . . . . . . . . . . . . . . . . 101 -7.2.2. TCP/IP transport . . . . . . . . . . . . . . . . . . . . . . 101 -7.2.3. KDC Discovery on IP Networks . . . . . . . . . . . . . . . . 103 -7.2.3.1. DNS vs. Kerberos - Case Sensitivity of Realm Names . . . . 103 -7.2.3.2. Specifying KDC Location information with DNS SRV - records . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 -7.2.3.3. KDC Discovery for Domain Style Realm Names on IP - Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . 104 -7.3. Name of the TGS . . . . . . . . . . . . . . . . . . . . . . . . 104 -7.4. OID arc for KerberosV5 . . . . . . . . . . . . . . . . . . . . 104 -7.5. Protocol constants and associated values . . . . . . . . . . . 104 -7.5.1. Key usage numbers . . . . . . . . . . . . . . . . . . . . . . 105 -7.5.2. PreAuthentication Data Types . . . . . . . . . . . . . . . . 106 -7.5.3. Address Types . . . . . . . . . . . . . . . . . . . . . . . . 107 -7.5.4. Authorization Data Types . . . . . . . . . . . . . . . . . . 107 -7.5.5. Transited Encoding Types . . . . . . . . . . . . . . . . . . 107 -7.5.6. Protocol Version Number . . . . . . . . . . . . . . . . . . . 107 -7.5.7. Kerberos Message Types . . . . . . . . . . . . . . . . . . . 108 -7.5.8. Name Types . . . . . . . . . . . . . . . . . . . . . . . . . 108 -7.5.9. Error Codes . . . . . . . . . . . . . . . . . . . . . . . . . 108 -8. Interoperability requirements . . . . . . . . . . . . . . . . . . 110 -8.1. Specification 2 . . . . . . . . . . . . . . . . . . . . . . . . 110 -8.2. Recommended KDC values . . . . . . . . . . . . . . . . . . . . 113 -9. IANA considerations . . . . . . . . . . . . . . . . . . . . . . . 113 -10. Security Considerations . . . . . . . . . . . . . . . . . . . . 113 -11. Author's Addresses . . . . . . . . . . . . . . . . . . . . . . . 117 -12. 
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 117 -13. REFERENCES . . . . . . . . . . . . . . . . . . . . . . . . . . . 118 -A. ASN.1 module . . . . . . . . . . . . . . . . . . . . . . . . . . 120 -B. Changes since RFC-1510 . . . . . . . . . . . . . . . . . . . . . 129 -END NOTES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131 - - - - - - - -March 2003 [Page 6] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - -1. Introduction - - Kerberos provides a means of verifying the identities of principals, - (e.g. a workstation user or a network server) on an open - (unprotected) network. This is accomplished without relying on - assertions by the host operating system, without basing trust on host - addresses, without requiring physical security of all the hosts on - the network, and under the assumption that packets traveling along - the network can be read, modified, and inserted at will[1]. Kerberos - performs authentication under these conditions as a trusted third- - party authentication service by using conventional (shared secret key - [2]) cryptography. Kerberos extensions (outside the scope of this - document) can provide for the use of public key cryptography during - certain phases of the authentication protocol [@RFCE: if PKINIT - advances concurrently include reference to the RFC here]. Such - extensions support Kerberos authentication for users registered with - public key certification authorities and provide certain benefits of - public key cryptography in situations where they are needed. - - The basic Kerberos authentication process proceeds as follows: A - client sends a request to the authentication server (AS) requesting - "credentials" for a given server. The AS responds with these - credentials, encrypted in the client's key. The credentials consist - of a "ticket" for the server and a temporary encryption key (often - called a "session key"). 
The client transmits the ticket (which - contains the client's identity and a copy of the session key, all - encrypted in the server's key) to the server. The session key (now - shared by the client and server) is used to authenticate the client, - and may optionally be used to authenticate the server. It may also be - used to encrypt further communication between the two parties or to - exchange a separate sub-session key to be used to encrypt further - communication. - - Implementation of the basic protocol consists of one or more - authentication servers running on physically secure hosts. The - authentication servers maintain a database of principals (i.e., users - and servers) and their secret keys. Code libraries provide encryption - and implement the Kerberos protocol. In order to add authentication - to its transactions, a typical network application adds one or two - calls to the Kerberos library directly or through the Generic - Security Services Application Programming Interface, GSSAPI, - described in separate document [ref to GSSAPI RFC]. These calls - result in the transmission of the necessary messages to achieve - authentication. - - The Kerberos protocol consists of several sub-protocols (or - exchanges). There are two basic methods by which a client can ask a - Kerberos server for credentials. In the first approach, the client - - - -March 2003 [Page 7] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - sends a cleartext request for a ticket for the desired server to the - AS. The reply is sent encrypted in the client's secret key. Usually - this request is for a ticket-granting ticket (TGT) which can later be - used with the ticket-granting server (TGS). In the second method, - the client sends a request to the TGS. The client uses the TGT to - authenticate itself to the TGS in the same manner as if it were - contacting any other application server that requires Kerberos - authentication. 
The reply is encrypted in the session key from the - TGT. Though the protocol specification describes the AS and the TGS - as separate servers, they are implemented in practice as different - protocol entry points within a single Kerberos server. - - Once obtained, credentials may be used to verify the identity of the - principals in a transaction, to ensure the integrity of messages - exchanged between them, or to preserve privacy of the messages. The - application is free to choose whatever protection may be necessary. - - To verify the identities of the principals in a transaction, the - client transmits the ticket to the application server. Since the - ticket is sent "in the clear" (parts of it are encrypted, but this - encryption doesn't thwart replay) and might be intercepted and reused - by an attacker, additional information is sent to prove that the - message originated with the principal to whom the ticket was issued. - This information (called the authenticator) is encrypted in the - session key, and includes a timestamp. The timestamp proves that the - message was recently generated and is not a replay. Encrypting the - authenticator in the session key proves that it was generated by a - party possessing the session key. Since no one except the requesting - principal and the server know the session key (it is never sent over - the network in the clear) this guarantees the identity of the client. - - The integrity of the messages exchanged between principals can also - be guaranteed using the session key (passed in the ticket and - contained in the credentials). This approach provides detection of - both replay attacks and message stream modification attacks. It is - accomplished by generating and transmitting a collision-proof - checksum (elsewhere called a hash or digest function) of the client's - message, keyed with the session key. 
Privacy and integrity of the - messages exchanged between principals can be secured by encrypting - the data to be passed using the session key contained in the ticket - or the sub-session key found in the authenticator. - - The authentication exchanges mentioned above require read-only access - to the Kerberos database. Sometimes, however, the entries in the - database must be modified, such as when adding new principals or - changing a principal's key. This is done using a protocol between a - client and a third Kerberos server, the Kerberos Administration - Server (KADM). There is also a protocol for maintaining multiple - - - -March 2003 [Page 8] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - copies of the Kerberos database. Neither of these protocols are - described in this document. - -1.1. Cross-realm operation - - The Kerberos protocol is designed to operate across organizational - boundaries. A client in one organization can be authenticated to a - server in another. Each organization wishing to run a Kerberos server - establishes its own "realm". The name of the realm in which a client - is registered is part of the client's name, and can be used by the - end-service to decide whether to honor a request. - - By establishing "inter-realm" keys, the administrators of two realms - can allow a client authenticated in the local realm to prove its - identity to servers in other realms[3]. The exchange of inter-realm - keys (a separate key may be used for each direction) registers the - ticket-granting service of each realm as a principal in the other - realm. A client is then able to obtain a ticket-granting ticket for - the remote realm's ticket-granting service from its local realm. 
When - that ticket-granting ticket is used, the remote ticket-granting - service uses the inter-realm key (which usually differs from its own - normal TGS key) to decrypt the ticket-granting ticket, and is thus - certain that it was issued by the client's own TGS. Tickets issued by - the remote ticket-granting service will indicate to the end-service - that the client was authenticated from another realm. - - A realm is said to communicate with another realm if the two realms - share an inter-realm key, or if the local realm shares an inter-realm - key with an intermediate realm that communicates with the remote - realm. An authentication path is the sequence of intermediate realms - that are transited in communicating from one realm to another. - - Realms may be organized hierarchically. Each realm shares a key with - its parent and a different key with each child. If an inter-realm key - is not directly shared by two realms, the hierarchical organization - allows an authentication path to be easily constructed. If a - hierarchical organization is not used, it may be necessary to consult - a database in order to construct an authentication path between - realms. - - Although realms are typically hierarchical, intermediate realms may - be bypassed to achieve cross-realm authentication through alternate - authentication paths (these might be established to make - communication between two realms more efficient). It is important for - the end-service to know which realms were transited when deciding how - much faith to place in the authentication process. To facilitate this - decision, a field in each ticket contains the names of the realms - that were involved in authenticating the client. - - - -March 2003 [Page 9] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - The application server is ultimately responsible for accepting or - rejecting authentication and SHOULD check the transited field. 
The - application server may choose to rely on the KDC for the application - server's realm to check the transited field. The application server's - KDC will set the TRANSITED-POLICY-CHECKED flag in this case. The KDCs - for intermediate realms may also check the transited field as they - issue ticket-granting tickets for other realms, but they are - encouraged not to do so. A client may request that the KDCs not check - the transited field by setting the DISABLE-TRANSITED-CHECK flag. KDCs - are encouraged but not required to honor this flag. - -1.2. Choosing a principal with which to communicate - - The Kerberos protocol provides the means for verifying (subject to - the assumptions in 1.5) that the entity with which one communicates - is the same entity that was registered with the KDC using the claimed - identity (principal name). It is still necessary to determine whether - that identity corresponds to the entity with which one intends to - communicate. - - When appropriate data has been exchanged in advance, this - determination may be performed syntactically by the application based - on the application protocol specification, information provided by - the user, and configuration files. For example, the server principal - name (including realm) for a telnet server might be derived from the - user specified host name (from the telnet command line), the "host/" - prefix specified in the application protocol specification, and a - mapping to a Kerberos realm derived syntactically from the domain - part of the specified hostname and information from the local - Kerberos realms database. - - One can also rely on trusted third parties to make this - determination, but only when the data obtained from the third party - is suitably integrity protected while resident on the third party - server and when transmitted. 
Thus, for example, one should not rely - on an unprotected domain name system record to map a host alias to - the primary name of a server, accepting the primary name as the party - one intends to contact, since an attacker can modify the mapping and - impersonate the party with which one intended to communicate. - - Implementations of Kerberos and protocols based on Kerberos MUST NOT - use insecure DNS queries to canonicalize the hostname components of - the service principal names. In an environment without secure name - service, application authors MAY append a statically configured - domain name to unqualified hostnames before passing the name to the - security mechanisms, but should do no more than that. Secure name - service facilities, if available, might be trusted for hostname - canonicalization, but such canonicalization by the client SHOULD NOT - - - -March 2003 [Page 10] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - be required by an KDC implementation. - - Implementation note: Many current implementations do some degree of - canonicalization of the provided service name, often using DNS even - though it creates security problems. However there is no consistency - among implementations about whether the service name is case folded - to lower case or whether reverse resolution is used. To maximize - interoperability and security, applications SHOULD provide security - mechanisms with names which result from folding the user-entered name - to lower case, without performing any other modifications or - canonicalization. - -1.3. Authorization - - As an authentication service, Kerberos provides a means of verifying - the identity of principals on a network. Authentication is usually - useful primarily as a first step in the process of authorization, - determining whether a client may use a service, which objects the - client is allowed to access, and the type of access allowed for each. 
- Kerberos does not, by itself, provide authorization. Possession of a - client ticket for a service provides only for authentication of the - client to that service, and in the absence of a separate - authorization procedure, it should not be considered by an - application as authorizing the use of that service. - - Such separate authorization methods MAY be implemented as application - specific access control functions and may utilize files on the - application server, or on separately issued authorization credentials - such as those based on proxies [Neu93], or on other authorization - services. Separately authenticated authorization credentials MAY be - embedded in a ticket's authorization data when encapsulated by the - KDC-issued authorization data element. - - Applications should not accept the mere issuance of a service ticket - by the Kerberos server (even by a modified Kerberos server) as - granting authority to use the service, since such applications may - become vulnerable to the bypass of this authorization check in an - environment if they interoperate with other KDCs or where other - options for application authentication (e.g. the PKTAPP proposal) - are provided. - -1.4. Extending Kerberos Without Breaking Interoperability - - As the deployed base of Kerberos implementations grows, extending - Kerberos becomes more important. Unfortunately some extensions to the - existing Kerberos protocol create interoperability issues because of - uncertainty regarding the treatment of certain extensibility options - by some implementations. This section includes guidelines that will - - - -March 2003 [Page 11] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - enable future implementations to maintain interoperability. - - Kerberos provides a general mechanism for protocol extensibility. 
- Some protocol messages contain typed holes -- sub-messages that - contain an octet-string along with an integer that defines how to - interpret the octet-string. The integer types are registered - centrally, but can be used both for vendor extensions and for - extensions standardized through the IETF. - -1.4.1. Compatibility with RFC 1510 - - It is important to note that existing Kerberos message formats can - not be readily extended by adding fields to the ASN.1 types. Sending - additional fields often results in the entire message being discarded - without an error indication. Future versions of this specification - will provide guidelines to ensure that ASN.1 fields can be added - without creating an interoperability problem. - - In the meantime, all new or modified implementations of Kerberos that - receive an unknown message extension SHOULD preserve the encoding of - the extension but otherwise ignore the presence of the extension. - Recipients MUST NOT decline a request simply because an extension is - present. - - There is one exception to this rule. If an unknown authorization data - element type is received by a server other than the ticket granting - service either in an AP-REQ or in a ticket contained in an AP-REQ, - then authentication MUST fail. One of the primary uses of - authorization data is to restrict the use of the ticket. If the - service cannot determine whether the restriction applies to that - service then a security weakness may result if the ticket can be used - for that service. Authorization elements that are optional SHOULD be - enclosed in the AD-IF-RELEVANT element. - - The ticket granting service MUST ignore but propagate to derivative - tickets any unknown authorization data types, unless those data types - are embedded in a MANDATORY-FOR-KDC element, in which case the - request will be rejected. 
This behavior is appropriate because - requiring that the ticket granting service understand unknown - authorization data types would require that KDC software be upgraded - to understand new application-level restrictions before applications - used these restrictions, decreasing the utility of authorization data - as a mechanism for restricting the use of tickets. No security - problem is created because services to which the tickets are issued - will verify the authorization data. - - Implementation note: Many RFC 1510 implementations ignore unknown - authorization data elements. Depending on these implementations to - - - -March 2003 [Page 12] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - honor authorization data restrictions may create a security weakness. - -1.4.2. Sending Extensible Messages - - Care must be taken to ensure that old implementations can understand - messages sent to them even if they do not understand an extension - that is used. Unless the sender knows an extension is supported, the - extension cannot change the semantics of the core message or - previously defined extensions. - - For example, an extension including key information necessary to - decrypt the encrypted part of a KDC-REP could only be used in - situations where the recipient was known to support the extension. - Thus when designing such extensions it is important to provide a way - for the recipient to notify the sender of support for the extension. - For example in the case of an extension that changes the KDC-REP - reply key, the client could indicate support for the extension by - including a padata element in the AS-REQ sequence. The KDC should - only use the extension if this padata element is present in the AS- - REQ. 
Even if policy requires the use of the extension, it is better - to return an error indicating that the extension is required than to - use the extension when the recipient may not support it; debugging - why implementations do not interoperate is easier when errors are - returned. - -1.5. Environmental assumptions - - Kerberos imposes a few assumptions on the environment in which it can - properly function: - - * "Denial of service" attacks are not solved with Kerberos. There - are places in the protocols where an intruder can prevent an - application from participating in the proper authentication steps. - Detection and solution of such attacks (some of which can appear - to be not-uncommon "normal" failure modes for the system) is - usually best left to the human administrators and users. - - * Principals MUST keep their secret keys secret. If an intruder - somehow steals a principal's key, it will be able to masquerade as - that principal or impersonate any server to the legitimate - principal. - - * "Password guessing" attacks are not solved by Kerberos. If a user - chooses a poor password, it is possible for an attacker to - successfully mount an offline dictionary attack by repeatedly - attempting to decrypt, with successive entries from a dictionary, - messages obtained which are encrypted under a key derived from the - user's password. - - - -March 2003 [Page 13] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - * Each host on the network MUST have a clock which is "loosely - synchronized" to the time of the other hosts; this synchronization - is used to reduce the bookkeeping needs of application servers - when they do replay detection. The degree of "looseness" can be - configured on a per-server basis, but is typically on the order of - 5 minutes. If the clocks are synchronized over the network, the - clock synchronization protocol MUST itself be secured from network - attackers. 
- - * Principal identifiers are not recycled on a short-term basis. A - typical mode of access control will use access control lists - (ACLs) to grant permissions to particular principals. If a stale - ACL entry remains for a deleted principal and the principal - identifier is reused, the new principal will inherit rights - specified in the stale ACL entry. By not re-using principal - identifiers, the danger of inadvertent access is removed. - -1.6. Glossary of terms - - Below is a list of terms used throughout this document. - - Authentication - Verifying the claimed identity of a principal. - - Authentication header - A record containing a Ticket and an Authenticator to be presented - to a server as part of the authentication process. - - Authentication path - A sequence of intermediate realms transited in the authentication - process when communicating from one realm to another. - - Authenticator - A record containing information that can be shown to have been - recently generated using the session key known only by the client - and server. - - Authorization - The process of determining whether a client may use a service, - which objects the client is allowed to access, and the type of - access allowed for each. - - Capability - A token that grants the bearer permission to access an object or - service. In Kerberos, this might be a ticket whose use is - restricted by the contents of the authorization data field, but - which lists no network addresses, together with the session key - necessary to use the ticket. - - - -March 2003 [Page 14] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - Ciphertext - The output of an encryption function. Encryption transforms - plaintext into ciphertext. - - Client - A process that makes use of a network service on behalf of a user. - Note that in some cases a Server may itself be a client of some - other server (e.g. a print server may be a client of a file - server). 
- - Credentials - A ticket plus the secret session key necessary to successfully use - that ticket in an authentication exchange. - - Encryption Type (etype) - When associated with encrypted data, an encryption type identifies - the algorithm used to encrypt the data and is used to select the - appropriate algorithm for decrypting the data. Encryption type - tags are communicated in other messages to enumerate algorithms - that are desired, supported, preferred, or allowed to be used for - encryption of data between parties. This preference is combined - with local information and policy to select an algorithm to be - used. - - KDC - Key Distribution Center, a network service that supplies tickets - and temporary session keys; or an instance of that service or the - host on which it runs. The KDC services both initial ticket and - ticket-granting ticket requests. The initial ticket portion is - sometimes referred to as the Authentication Server (or service). - The ticket-granting ticket portion is sometimes referred to as the - ticket-granting server (or service). - - Kerberos - The name given to the Project Athena's authentication service, the - protocol used by that service, or the code used to implement the - authentication service. The name is adopted from the three-headed - dog which guards Hades. - - Key Version Number (kvno) - A tag associated with encrypted data identifies which key was used - for encryption when a long lived key associated with a principal - changes over time. It is used during the transition to a new key - so that the party decrypting a message can tell whether the data - was encrypted using the old or the new key. - - Plaintext - The input to an encryption function or the output of a decryption - - - -March 2003 [Page 15] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - function. Decryption transforms ciphertext into plaintext. 
- - Principal - A named client or server entity that participates in a network - communication, with one name that is considered canonical. - - Principal identifier - The canonical name used to uniquely identify each different - principal. - - Seal - To encipher a record containing several fields in such a way that - the fields cannot be individually replaced without either - knowledge of the encryption key or leaving evidence of tampering. - - Secret key - An encryption key shared by a principal and the KDC, distributed - outside the bounds of the system, with a long lifetime. In the - case of a human user's principal, the secret key MAY be derived - from a password. - - Server - A particular Principal which provides a resource to network - clients. The server is sometimes referred to as the Application - Server. - - Service - A resource provided to network clients; often provided by more - than one server (for example, remote file service). - - Session key - A temporary encryption key used between two principals, with a - lifetime limited to the duration of a single login "session". - - Sub-session key - A temporary encryption key used between two principals, selected - and exchanged by the principals using the session key, and with a - lifetime limited to the duration of a single association. - - Ticket - A record that helps a client authenticate itself to a server; it - contains the client's identity, a session key, a timestamp, and - other information, all sealed using the server's secret key. It - only serves to authenticate a client when presented along with a - fresh Authenticator. - - -2. Ticket flag uses and requests - - - -March 2003 [Page 16] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - Each Kerberos ticket contains a set of flags which are used to - indicate attributes of that ticket. 
Most flags may be requested by a - client when the ticket is obtained; some are automatically turned on - and off by a Kerberos server as required. The following sections - explain what the various flags mean and give examples of reasons to - use them. With the exception of the INVALID flag clients MUST ignore - ticket flags that are not recognized. KDCs MUST ignore KDC options - that are not recognized. Some implementations of RFC 1510 are known - to reject unknown KDC options, so clients may need to resend a - request without KDC new options absent if the request was rejected - when sent with option added since RFC 1510. Since new KDCs will - ignore unknown options, clients MUST confirm that the ticket returned - by the KDC meets their needs. - - Note that it is not, in general, possible to determine whether an - option was not honored because it was not understood or because it - was rejected either through configuration or policy. When adding a - new option to the Kerberos protocol, designers should consider - whether the distinction is important for their option. In cases where - it is, a mechanism for the KDC to return an indication that the - option was understood but rejected needs to be provided in the - specification of the option. Often in such cases, the mechanism needs - to be broad enough to permit an error or reason to be returned. - -2.1. Initial, pre-authenticated, and hardware authenticated tickets - - The INITIAL flag indicates that a ticket was issued using the AS - protocol, rather than issued based on a ticket-granting ticket. - Application servers that want to require the demonstrated knowledge - of a client's secret key (e.g. a password-changing program) can - insist that this flag be set in any tickets they accept, and thus be - assured that the client's key was recently presented to the - application client. 
- - The PRE-AUTHENT and HW-AUTHENT flags provide additional information - about the initial authentication, regardless of whether the current - ticket was issued directly (in which case INITIAL will also be set) - or issued on the basis of a ticket-granting ticket (in which case the - INITIAL flag is clear, but the PRE-AUTHENT and HW-AUTHENT flags are - carried forward from the ticket-granting ticket). - -2.2. Invalid tickets - - The INVALID flag indicates that a ticket is invalid. Application - servers MUST reject tickets which have this flag set. A postdated - ticket will be issued in this form. Invalid tickets MUST be validated - by the KDC before use, by presenting them to the KDC in a TGS request - with the VALIDATE option specified. The KDC will only validate - - - -March 2003 [Page 17] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - tickets after their starttime has passed. The validation is required - so that postdated tickets which have been stolen before their - starttime can be rendered permanently invalid (through a hot-list - mechanism) (see section 3.3.3.1). - -2.3. Renewable tickets - - Applications may desire to hold tickets which can be valid for long - periods of time. However, this can expose their credentials to - potential theft for equally long periods, and those stolen - credentials would be valid until the expiration time of the - ticket(s). Simply using short-lived tickets and obtaining new ones - periodically would require the client to have long-term access to its - secret key, an even greater risk. Renewable tickets can be used to - mitigate the consequences of theft. Renewable tickets have two - "expiration times": the first is when the current instance of the - ticket expires, and the second is the latest permissible value for an - individual expiration time. An application client must periodically - (i.e. 
before it expires) present a renewable ticket to the KDC, with - the RENEW option set in the KDC request. The KDC will issue a new - ticket with a new session key and a later expiration time. All other - fields of the ticket are left unmodified by the renewal process. When - the latest permissible expiration time arrives, the ticket expires - permanently. At each renewal, the KDC MAY consult a hot-list to - determine if the ticket had been reported stolen since its last - renewal; it will refuse to renew such stolen tickets, and thus the - usable lifetime of stolen tickets is reduced. - - The RENEWABLE flag in a ticket is normally only interpreted by the - ticket-granting service (discussed below in section 3.3). It can - usually be ignored by application servers. However, some particularly - careful application servers MAY disallow renewable tickets. - - If a renewable ticket is not renewed by its expiration time, the KDC - will not renew the ticket. The RENEWABLE flag is reset by default, - but a client MAY request it be set by setting the RENEWABLE option in - the KRB_AS_REQ message. If it is set, then the renew-till field in - the ticket contains the time after which the ticket may not be - renewed. - -2.4. Postdated tickets - - Applications may occasionally need to obtain tickets for use much - later, e.g. a batch submission system would need tickets to be valid - at the time the batch job is serviced. However, it is dangerous to - hold valid tickets in a batch queue, since they will be on-line - longer and more prone to theft. Postdated tickets provide a way to - obtain these tickets from the KDC at job submission time, but to - - - -March 2003 [Page 18] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - leave them "dormant" until they are activated and validated by a - further request of the KDC. If a ticket theft were reported in the - interim, the KDC would refuse to validate the ticket, and the thief - would be foiled. 
- - The MAY-POSTDATE flag in a ticket is normally only interpreted by the - ticket-granting service. It can be ignored by application servers. - This flag MUST be set in a ticket-granting ticket in order to issue a - postdated ticket based on the presented ticket. It is reset by - default; it MAY be requested by a client by setting the ALLOW- - POSTDATE option in the KRB_AS_REQ message. This flag does not allow - a client to obtain a postdated ticket-granting ticket; postdated - ticket-granting tickets can only by obtained by requesting the - postdating in the KRB_AS_REQ message. The life (endtime-starttime) of - a postdated ticket will be the remaining life of the ticket-granting - ticket at the time of the request, unless the RENEWABLE option is - also set, in which case it can be the full life (endtime-starttime) - of the ticket-granting ticket. The KDC MAY limit how far in the - future a ticket may be postdated. - - The POSTDATED flag indicates that a ticket has been postdated. The - application server can check the authtime field in the ticket to see - when the original authentication occurred. Some services MAY choose - to reject postdated tickets, or they may only accept them within a - certain period after the original authentication. When the KDC issues - a POSTDATED ticket, it will also be marked as INVALID, so that the - application client MUST present the ticket to the KDC to be validated - before use. - -2.5. Proxiable and proxy tickets - - At times it may be necessary for a principal to allow a service to - perform an operation on its behalf. The service must be able to take - on the identity of the client, but only for a particular purpose. A - principal can allow a service to take on the principal's identity for - a particular purpose by granting it a proxy. - - The process of granting a proxy using the proxy and proxiable flags - is used to provide credentials for use with specific services. 
Though - conceptually also a proxy, users wishing to delegate their identity - in a form usable for all purpose MUST use the ticket forwarding - mechanism described in the next section to forward a ticket-granting - ticket. - - The PROXIABLE flag in a ticket is normally only interpreted by the - ticket-granting service. It can be ignored by application servers. - When set, this flag tells the ticket-granting server that it is OK to - issue a new ticket (but not a ticket-granting ticket) with a - - - -March 2003 [Page 19] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - different network address based on this ticket. This flag is set if - requested by the client on initial authentication. By default, the - client will request that it be set when requesting a ticket-granting - ticket, and reset when requesting any other ticket. - - This flag allows a client to pass a proxy to a server to perform a - remote request on its behalf (e.g. a print service client can give - the print server a proxy to access the client's files on a particular - file server in order to satisfy a print request). - - In order to complicate the use of stolen credentials, Kerberos - tickets are usually valid from only those network addresses - specifically included in the ticket[4]. When granting a proxy, the - client MUST specify the new network address from which the proxy is - to be used, or indicate that the proxy is to be issued for use from - any address. - - The PROXY flag is set in a ticket by the TGS when it issues a proxy - ticket. Application servers MAY check this flag and at their option - they MAY require additional authentication from the agent presenting - the proxy in order to provide an audit trail. - -2.6. Forwardable tickets - - Authentication forwarding is an instance of a proxy where the service - granted is complete use of the client's identity. 
An example where it - might be used is when a user logs in to a remote system and wants - authentication to work from that system as if the login were local. - - The FORWARDABLE flag in a ticket is normally only interpreted by the - ticket-granting service. It can be ignored by application servers. - The FORWARDABLE flag has an interpretation similar to that of the - PROXIABLE flag, except ticket-granting tickets may also be issued - with different network addresses. This flag is reset by default, but - users MAY request that it be set by setting the FORWARDABLE option in - the AS request when they request their initial ticket-granting - ticket. - - This flag allows for authentication forwarding without requiring the - user to enter a password again. If the flag is not set, then - authentication forwarding is not permitted, but the same result can - still be achieved if the user engages in the AS exchange specifying - the requested network addresses and supplies a password. - - The FORWARDED flag is set by the TGS when a client presents a ticket - with the FORWARDABLE flag set and requests a forwarded ticket by - specifying the FORWARDED KDC option and supplying a set of addresses - for the new ticket. It is also set in all tickets issued based on - - - -March 2003 [Page 20] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - tickets with the FORWARDED flag set. Application servers may choose - to process FORWARDED tickets differently than non-FORWARDED tickets. - - If addressless tickets are forwarded from one system to another, - clients SHOULD still use this option to obtain a new TGT in order to - have different session keys on the different systems. - -2.7. Transited Policy Checking - - In Kerberos, the application server is ultimately responsible for - accepting or rejecting authentication and SHOULD check that only - suitably trusted KDCs are relied upon to authenticate a principal. 
- The transited field in the ticket identifies which realms (and thus - which KDCs) were involved in the authentication process and an - application server would normally check this field. If any of these - are untrusted to authenticate the indicated client principal - (probably determined by a realm-based policy), the authentication - attempt MUST be rejected. The presence of trusted KDCs in this list - does not provide any guarantee; an untrusted KDC may have fabricated - the list. - - While the end server ultimately decides whether authentication is - valid, the KDC for the end server's realm MAY apply a realm specific - policy for validating the transited field and accepting credentials - for cross-realm authentication. When the KDC applies such checks and - accepts such cross-realm authentication it will set the TRANSITED- - POLICY-CHECKED flag in the service tickets it issues based on the - cross-realm TGT. A client MAY request that the KDCs not check the - transited field by setting the DISABLE-TRANSITED-CHECK flag. KDCs are - encouraged but not required to honor this flag. - - Application servers MUST either do the transited-realm checks - themselves, or reject cross-realm tickets without TRANSITED-POLICY- - CHECKED set. - -2.8. OK as Delegate - - For some applications a client may need to delegate authority to a - server to act on its behalf in contacting other services. This - requires that the client forward credentials to an intermediate - server. The ability for a client to obtain a service ticket to a - server conveys no information to the client about whether the server - should be trusted to accept delegated credentials. The OK-AS- - DELEGATE provides a way for a KDC to communicate local realm policy - to a client regarding whether an intermediate server is trusted to - accept such credentials. - - The OK-AS-DELEGATE flag from the copy of the ticket flags in the - - - -March 2003 [Page 21] - - - - - -Neuman, et al. 
draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - encrypted part of the KDC reply indicates to the client that the - server (not the client) specified in the ticket has been determined - by policy of the realm to be a suitable recipient of delegation. A - client can use the presence of this flag to help it make a decision - whether to delegate credentials (either grant a proxy or a forwarded - ticket-granting ticket) to this server. Ignore the value of this - flag. When setting this flag, an administrator should consider the - Security and placement of the server on which the service will run, - as well as whether the service requires the use of delegated - credentials. - -2.9. Other KDC options - - There are three additional options which MAY be set in a client's - request of the KDC. - -2.9.1. Renewable-OK - - The RENEWABLE-OK option indicates that the client will accept a - renewable ticket if a ticket with the requested life cannot otherwise - be provided. If a ticket with the requested life cannot be provided, - then the KDC MAY issue a renewable ticket with a renew-till equal to - the requested endtime. The value of the renew-till field MAY still be - adjusted by site-determined limits or limits imposed by the - individual principal or server. - -2.9.2. ENC-TKT-IN-SKEY - - In its basic form the Kerberos protocol supports authentication in a - client-server - setting and is not well suited to authentication in a peer-to-peer - environment because the long term key of the user does not remain on - the workstation after initial login. Authentication of such peers may - be supported by Kerberos in its user-to-user variant. The ENC-TKT-IN- - SKEY option supports user-to-user authentication by allowing the KDC - to issue a service ticket encrypted using the session key from - another ticket-granting ticket issued to another user. The ENC-TKT- - IN-SKEY option is honored only by the ticket-granting service. 
It - indicates that the ticket to be issued for the end server is to be - encrypted in the session key from the additional second ticket- - granting ticket provided with the request. See section 3.3.3 for - specific details. - -2.9.3. Passwordless Hardware Authentication - - The OPT-HARDWARE-AUTH option indicates that the client wishes to use - some form of hardware authentication instead of or in addition to the - client's password or other long-lived encryption key. OPT-HARDWARE- - - - -March 2003 [Page 22] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - AUTH is honored only by the authentication service. If supported and - allowed by policy, the KDC will return an errorcode - KDC_ERR_PREAUTH_REQUIRED and include the required METHOD-DATA to - perform such authentication. - -3. Message Exchanges - - The following sections describe the interactions between network - clients and servers and the messages involved in those exchanges. - -3.1. The Authentication Service Exchange - - Summary - - Message direction Message type Section - 1. Client to Kerberos KRB_AS_REQ 5.4.1 - 2. Kerberos to client KRB_AS_REP or 5.4.2 - KRB_ERROR 5.9.1 - - The Authentication Service (AS) Exchange between the client and the - Kerberos Authentication Server is initiated by a client when it - wishes to obtain authentication credentials for a given server but - currently holds no credentials. In its basic form, the client's - secret key is used for encryption and decryption. This exchange is - typically used at the initiation of a login session to obtain - credentials for a Ticket-Granting Server which will subsequently be - used to obtain credentials for other servers (see section 3.3) - without requiring further use of the client's secret key. 
This - exchange is also used to request credentials for services which must - not be mediated through the Ticket-Granting Service, but rather - require a principal's secret key, such as the password-changing - service[5]. This exchange does not by itself provide any assurance of - the identity of the user[6]. - - The exchange consists of two messages: KRB_AS_REQ from the client to - Kerberos, and KRB_AS_REP or KRB_ERROR in reply. The formats for these - messages are described in sections 5.4.1, 5.4.2, and 5.9.1. - - In the request, the client sends (in cleartext) its own identity and - the identity of the server for which it is requesting credentials, - other information about the credentials it is requesting, and a - randomly generated nonce which can be used to detect replays, and to - associate replies with the matching requests. This nonce MUST be - generated randomly by the client and remembered for checking against - the nonce in the expected reply. The response, KRB_AS_REP, contains a - ticket for the client to present to the server, and a session key - that will be shared by the client and the server. The session key - and additional information are encrypted in the client's secret key. - - - -March 2003 [Page 23] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - The encrypted part of the KRB_AS_REP message also contains the nonce - which MUST be matched with the nonce from the KRB_AS_REQ message. - - Without pre-authentication, the authentication server does not know - whether the client is actually the principal named in the request. It - simply sends a reply without knowing or caring whether they are the - same. This is acceptable because nobody but the principal whose - identity was given in the request will be able to use the reply. Its - critical information is encrypted in that principal's key. However, - an attacker can send a KRB_AS_REQ message to get known plaintext in - order to attack the principal's key. 
Especially if the key is based - on a password, this may create a security exposure. So, the initial - request supports an optional field that can be used to pass - additional information that might be needed for the initial exchange. - This field SHOULD be used for pre-authentication as described in - sections 3.1.1 and 5.2.7. - - Various errors can occur; these are indicated by an error response - (KRB_ERROR) instead of the KRB_AS_REP response. The error message is - not encrypted. The KRB_ERROR message contains information which can - be used to associate it with the message to which it replies. The - contents of the KRB_ERROR message are not integrity-protected. As - such, the client cannot detect replays, fabrications or - modifications. A solution to this problem will be included in a - future version of the protocol. - -3.1.1. Generation of KRB_AS_REQ message - - The client may specify a number of options in the initial request. - Among these options are whether pre-authentication is to be - performed; whether the requested ticket is to be renewable, - proxiable, or forwardable; whether it should be postdated or allow - postdating of derivative tickets; and whether a renewable ticket will - be accepted in lieu of a non-renewable ticket if the requested ticket - expiration date cannot be satisfied by a non-renewable ticket (due to - configuration constraints). - - The client prepares the KRB_AS_REQ message and sends it to the KDC. - -3.1.2. Receipt of KRB_AS_REQ message - - If all goes well, processing the KRB_AS_REQ message will result in - the creation of a ticket for the client to present to the server. The - format for the ticket is described in section 5.3. The contents of - the ticket are determined as follows. - - Because Kerberos can run over unreliable transports such as UDP, the - KDC MUST be prepared to retransmit responses in case they are lost. - - - -March 2003 [Page 24] - - - - - -Neuman, et al. 
draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - If a KDC receives a request identical to one it has recently - successfully processed, the KDC MUST respond with a KRB_AS_REP - message rather than a replay error. In order to reduce ciphertext - given to a potential attacker, KDCs MAY send the same response - generated when the request was first handled. KDCs MUST obey this - replay behavior even if the actual transport in use is reliable. - -3.1.3. Generation of KRB_AS_REP message - - The authentication server looks up the client and server principals - named in the KRB_AS_REQ in its database, extracting their respective - keys. If the requested client principal named in the request is not - known because it doesn't exist in the KDC's principal database, then - an error message with a KDC_ERR_C_PRINCIPAL_UNKNOWN is returned. - - If required, the server pre-authenticates the request, and if the - pre-authentication check fails, an error message with the code - KDC_ERR_PREAUTH_FAILED is returned. If pre-authentication is - required, but was not present in the request, an error message with - the code KDC_ERR_PREAUTH_REQUIRED is returned and a METHOD-DATA - object will be stored in the e-data field of the KRB-ERROR message to - specify which pre-authentication mechanisms are acceptable. Usually - this will include PA-ETYPE-INFO and/or PA-ETYPE-INFO2 elements as - described below. If the server cannot accommodate any encryption type - requested by the client, an error message with code - KDC_ERR_ETYPE_NOSUPP is returned. Otherwise the KDC generates a - 'random' session key[7]. - - When responding to an AS request, if there are multiple encryption - keys registered for a client in the Kerberos database, then the etype - field from the AS request is used by the KDC to select the encryption - method to be used to protect the encrypted part of the KRB_AS_REP - message which is sent to the client. 
If there is more than one - supported strong encryption type in the etype list, the KDC SHOULD - use the first valid strong etype for which an encryption key is - available. - - When the user's key is generated from a password or pass phrase, the - string-to-key function for the particular encryption key type is - used, as specified in [@KCRYPTO]. The salt value and additional - parameters for the string-to-key function have default values - (specified by section 4 and by the encryption mechanism - specification, respectively) that may be overridden by pre- - authentication data (PA-PW-SALT, PA-AFS3-SALT, PA-ETYPE-INFO, PA- - ETYPE-INFO2, etc). Since the KDC is presumed to store a copy of the - resulting key only, these values should not be changed for password- - based keys except when changing the principal's key. - - - - -March 2003 [Page 25] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - When the AS server is to include pre-authentication data in a KRB- - ERROR or in an AS-REP, it MUST use PA-ETYPE-INFO2, not PA-ETYPE-INFO, - if the etype field of the client's AS-REQ lists at least one "newer" - encryption type. Otherwise (when the etype field of the client's AS- - REQ does not list any "newer" encryption types) it MUST send both, - PA-ETYPE-INFO2 and PA-ETYPE-INFO (both with an entry for each - enctype). A "newer" enctype is any enctype first officially - specified concurrently with or subsequent to the issue of this RFC. - The enctypes DES, 3DES or RC4 and any defined in [RFC1510] are not - newer enctypes. - - It is not possible to reliably generate a user's key given a pass - phrase without contacting the KDC, since it will not be known whether - alternate salt or parameter values are required. - - The KDC will attempt to assign the type of the random session key - from the list of methods in the etype field. 
The KDC will select the - appropriate type using the list of methods provided together with - information from the Kerberos database indicating acceptable - encryption methods for the application server. The KDC will not issue - tickets with a weak session key encryption type. - - If the requested start time is absent, indicates a time in the past, - or is within the window of acceptable clock skew for the KDC and the - POSTDATE option has not been specified, then the start time of the - ticket is set to the authentication server's current time. If it - indicates a time in the future beyond the acceptable clock skew, but - the POSTDATED option has not been specified then the error - KDC_ERR_CANNOT_POSTDATE is returned. Otherwise the requested start - time is checked against the policy of the local realm (the - administrator might decide to prohibit certain types or ranges of - postdated tickets), and if acceptable, the ticket's start time is set - as requested and the INVALID flag is set in the new ticket. The - postdated ticket MUST be validated before use by presenting it to the - KDC after the start time has been reached. - - The expiration time of the ticket will be set to the earlier of the - requested endtime and a time determined by local policy, possibly - determined using realm or principal specific factors. For example, - the expiration time MAY be set to the earliest of the following: - - * The expiration time (endtime) requested in the KRB_AS_REQ - message. - - * The ticket's start time plus the maximum allowable lifetime - associated with the client principal from the authentication - server's database. - - - - -March 2003 [Page 26] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - * The ticket's start time plus the maximum allowable lifetime - associated with the server principal. - - * The ticket's start time plus the maximum lifetime set by the - policy of the local realm. 
- - If the requested expiration time minus the start time (as determined - above) is less than a site-determined minimum lifetime, an error - message with code KDC_ERR_NEVER_VALID is returned. If the requested - expiration time for the ticket exceeds what was determined as above, - and if the 'RENEWABLE-OK' option was requested, then the 'RENEWABLE' - flag is set in the new ticket, and the renew-till value is set as if - the 'RENEWABLE' option were requested (the field and option names are - described fully in section 5.4.1). - - If the RENEWABLE option has been requested or if the RENEWABLE-OK - option has been set and a renewable ticket is to be issued, then the - renew-till field MAY be set to the earliest of: - - * Its requested value. - - * The start time of the ticket plus the minimum of the two - maximum renewable lifetimes associated with the principals' - database entries. - - * The start time of the ticket plus the maximum renewable - lifetime set by the policy of the local realm. - - The flags field of the new ticket will have the following options set - if they have been requested and if the policy of the local realm - allows: FORWARDABLE, MAY-POSTDATE, POSTDATED, PROXIABLE, RENEWABLE. - If the new ticket is postdated (the start time is in the future), its - INVALID flag will also be set. - - If all of the above succeed, the server will encrypt the ciphertext - part of the ticket using the encryption key extracted from the server - principal's record in the Kerberos database using the encryption type - associated with the server principal's key (this choice is NOT - affected by the etype field in the request). 
It then formats a - KRB_AS_REP message (see section 5.4.2), copying the addresses in the - request into the caddr of the response, placing any required pre- - authentication data into the padata of the response, and encrypts the - ciphertext part in the client's key using an acceptable encryption - method requested in the etype field of the request, or in some key - specified by pre-authentication mechanisms being used. - -3.1.4. Generation of KRB_ERROR message - - - - -March 2003 [Page 27] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - Several errors can occur, and the Authentication Server responds by - returning an error message, KRB_ERROR, to the client, with the error- - code and e-text fields set to appropriate values. The error message - contents and details are described in Section 5.9.1. - -3.1.5. Receipt of KRB_AS_REP message - - If the reply message type is KRB_AS_REP, then the client verifies - that the cname and crealm fields in the cleartext portion of the - reply match what it requested. If any padata fields are present, they - may be used to derive the proper secret key to decrypt the message. - The client decrypts the encrypted part of the response using its - secret key, verifies that the nonce in the encrypted part matches the - nonce it supplied in its request (to detect replays). It also - verifies that the sname and srealm in the response match those in the - request (or are otherwise expected values), and that the host address - field is also correct. It then stores the ticket, session key, start - and expiration times, and other information for later use. The last- - req field (and the deprecated key-expiration field) from the - encrypted part of the response MAY be checked to notify the user of - impending key expiration. This enables the client program to suggest - remedial action, such as a password change. 
- - Upon validation of the KRB_AS_REP message (by checking the returned - nonce against that sent in the KRB_AS_REQ message) the client knows - that the current time on the KDC is that read from the authtime field - of the encrypted part of the reply. The client can optionally use - this value for clock synchronization in subsequent messages by - recording with the ticket the difference (offset) between the - authtime value and the local clock. This offset can then be used by - the same user to adjust the time read from the system clock when - generating messages [DGT96]. - - This technique MUST be used when adjusting for clock skew instead of - directly changing the system clock because the KDC reply is only - authenticated to the user whose secret key was used, but not to the - system or workstation. If the clock were adjusted, an attacker - colluding with a user logging into a workstation could agree on a - password, resulting in a KDC reply that would be correctly validated - even though it did not originate from a KDC trusted by the - workstation. - - Proper decryption of the KRB_AS_REP message is not sufficient for the - host to verify the identity of the user; the user and an attacker - could cooperate to generate a KRB_AS_REP format message which - decrypts properly but is not from the proper KDC. If the host wishes - to verify the identity of the user, it MUST require the user to - present application credentials which can be verified using a - - - -March 2003 [Page 28] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - securely-stored secret key for the host. If those credentials can be - verified, then the identity of the user can be assured. - -3.1.6. Receipt of KRB_ERROR message - - If the reply message type is KRB_ERROR, then the client interprets it - as an error and performs whatever application-specific tasks are - necessary to recover. - -3.2. 
The Client/Server Authentication Exchange - - Summary - Message direction Message type Section - Client to Application server KRB_AP_REQ 5.5.1 - [optional] Application server to client KRB_AP_REP or 5.5.2 - KRB_ERROR 5.9.1 - - The client/server authentication (CS) exchange is used by network - applications to authenticate the client to the server and vice versa. - The client MUST have already acquired credentials for the server - using the AS or TGS exchange. - -3.2.1. The KRB_AP_REQ message - - The KRB_AP_REQ contains authentication information which SHOULD be - part of the first message in an authenticated transaction. It - contains a ticket, an authenticator, and some additional bookkeeping - information (see section 5.5.1 for the exact format). The ticket by - itself is insufficient to authenticate a client, since tickets are - passed across the network in cleartext[8], so the authenticator is - used to prevent invalid replay of tickets by proving to the server - that the client knows the session key of the ticket and thus is - entitled to use the ticket. The KRB_AP_REQ message is referred to - elsewhere as the 'authentication header.' - -3.2.2. Generation of a KRB_AP_REQ message - - When a client wishes to initiate authentication to a server, it - obtains (either through a credentials cache, the AS exchange, or the - TGS exchange) a ticket and session key for the desired service. The - client MAY re-use any tickets it holds until they expire. To use a - ticket the client constructs a new Authenticator from the system - time, its name, and optionally an application specific checksum, an - initial sequence number to be used in KRB_SAFE or KRB_PRIV messages, - and/or a session subkey to be used in negotiations for a session key - unique to this particular session. Authenticators MAY NOT be re-used - and will be rejected if replayed to a server[9]. 
If a sequence number - is to be included, it SHOULD be randomly chosen so that even after - - - -March 2003 [Page 29] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - many messages have been exchanged it is not likely to collide with - other sequence numbers in use. - - The client MAY indicate a requirement of mutual authentication or the - use of a session-key based ticket (for user to user authentication - - see section 3.7) by setting the appropriate flag(s) in the ap-options - field of the message. - - The Authenticator is encrypted in the session key and combined with - the ticket to form the KRB_AP_REQ message which is then sent to the - end server along with any additional application-specific - information. - -3.2.3. Receipt of KRB_AP_REQ message - - Authentication is based on the server's current time of day (clocks - MUST be loosely synchronized), the authenticator, and the ticket. - Several errors are possible. If an error occurs, the server is - expected to reply to the client with a KRB_ERROR message. This - message MAY be encapsulated in the application protocol if its 'raw' - form is not acceptable to the protocol. The format of error messages - is described in section 5.9.1. - - The algorithm for verifying authentication information is as follows. - If the message type is not KRB_AP_REQ, the server returns the - KRB_AP_ERR_MSG_TYPE error. If the key version indicated by the Ticket - in the KRB_AP_REQ is not one the server can use (e.g., it indicates - an old key, and the server no longer possesses a copy of the old - key), the KRB_AP_ERR_BADKEYVER error is returned. If the USE-SESSION- - KEY flag is set in the ap-options field, it indicates to the server - that user-to-user authentication is in use, and that the ticket is - encrypted in the session key from the server's ticket-granting ticket - rather than in the server's secret key. 
See section 3.7 for a more
- complete description of the affect of user to user authentication on
- all messages in the Kerberos protocol.
-
- Since it is possible for the server to be registered in multiple
- realms, with different keys in each, the srealm field in the
- unencrypted portion of the ticket in the KRB_AP_REQ is used to
- specify which secret key the server should use to decrypt that
- ticket. The KRB_AP_ERR_NOKEY error code is returned if the server
- doesn't have the proper key to decipher the ticket.
-
- The ticket is decrypted using the version of the server's key
- specified by the ticket. If the decryption routines detect a
- modification of the ticket (each encryption system MUST provide
- safeguards to detect modified ciphertext; see section 6), the
- KRB_AP_ERR_BAD_INTEGRITY error is returned (chances are good that
-
-
-
-March 2003 [Page 30]
-
-
-
-
-
-Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT
-
-
- different keys were used to encrypt and decrypt).
-
- The authenticator is decrypted using the session key extracted from
- the decrypted ticket. If decryption shows it to have been modified,
- the KRB_AP_ERR_BAD_INTEGRITY error is returned. The name and realm of
- the client from the ticket are compared against the same fields in
- the authenticator. If they don't match, the KRB_AP_ERR_BADMATCH
- error is returned; this normally is caused by a client error or
- attempted attack. The addresses in the ticket (if any) are then
- searched for an address matching the operating-system reported
- address of the client. If no match is found or the server insists on
- ticket addresses but none are present in the ticket, the
- KRB_AP_ERR_BADADDR error is returned. If the local (server) time and
- the client time in the authenticator differ by more than the
- allowable clock skew (e.g., 5 minutes), the KRB_AP_ERR_SKEW error is
- returned.
-
- Unless the application server provides its own suitable means to
- protect against replay (for example, a challenge-response sequence
- initiated by the server after authentication, or use of a server-
- generated encryption subkey), the server MUST utilize a replay cache
- to remember any authenticator presented within the allowable clock
- skew. Careful analysis of the application protocol and implementation
- is recommended before eliminating this cache. The replay cache will
- store at least the server name, along with the client name, time and
- microsecond fields from the recently-seen authenticators and if a
- matching tuple is found, the KRB_AP_ERR_REPEAT error is returned
- [10]. If a server loses track of authenticators presented within the
- allowable clock skew, it MUST reject all requests until the clock
- skew interval has passed, providing assurance that any lost or
- replayed authenticators will fall outside the allowable clock skew
- and can no longer be successfully replayed [11].
-
- Implementation note: If a client generates multiple requests to the
- KDC with the same timestamp, including the microsecond field, all but
- the first of the requests received will be rejected as replays. This
- might happen, for example, if the resolution of the client's clock is
- too coarse. Implementations SHOULD ensure that the timestamps are
- not reused, possibly by incrementing the microseconds field in the
- time stamp when the clock returns the same time for multiple
- requests.
-
- If multiple servers (for example, different services on one machine,
- or a single service implemented on multiple machines) share a service
- principal (a practice we do not recommend in general, but acknowledge
- will be used in some cases), they should also share this replay
- cache, or the application protocol should be designed so as to
- eliminate the need for it. Note that this applies to all of the
-
-
-
-March 2003 [Page 31]
-
-
-
-
-
-Neuman, et al.
draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT
-
-
- services, if any of the application protocols does not have replay
- protection built in; an authenticator used with such a service could
- later be replayed to a different service with the same service
- principal but no replay protection, if the former doesn't record the
- authenticator information in the common replay cache.
-
- If a sequence number is provided in the authenticator, the server
- saves it for later use in processing KRB_SAFE and/or KRB_PRIV
- messages. If a subkey is present, the server either saves it for
- later use or uses it to help generate its own choice for a subkey to
- be returned in a KRB_AP_REP message.
-
- The server computes the age of the ticket: local (server) time minus
- the start time inside the Ticket. If the start time is later than the
- current time by more than the allowable clock skew or if the INVALID
- flag is set in the ticket, the KRB_AP_ERR_TKT_NYV error is returned.
- Otherwise, if the current time is later than end time by more than
- the allowable clock skew, the KRB_AP_ERR_TKT_EXPIRED error is
- returned.
-
- If all these checks succeed without an error, the server is assured
- that the client possesses the credentials of the principal named in
- the ticket and thus, the client has been authenticated to the server.
-
- Passing these checks provides only authentication of the named
- principal; it does not imply authorization to use the named service.
- Applications MUST make a separate authorization decisions based upon
- the authenticated name of the user, the requested operation, local
- access control information such as that contained in a .k5login or
- .k5users file, and possibly a separate distributed authorization
- service.
-
-3.2.4.
Generation of a KRB_AP_REP message
-
- Typically, a client's request will include both the authentication
- information and its initial request in the same message, and the
- server need not explicitly reply to the KRB_AP_REQ. However, if
- mutual authentication (not only authenticating the client to the
- server, but also the server to the client) is being performed, the
- KRB_AP_REQ message will have MUTUAL-REQUIRED set in its ap-options
- field, and a KRB_AP_REP message is required in response. As with the
- error message, this message MAY be encapsulated in the application
- protocol if its "raw" form is not acceptable to the application's
- protocol. The timestamp and microsecond field used in the reply MUST
- be the client's timestamp and microsecond field (as provided in the
- authenticator) [12]. If a sequence number is to be included, it
- SHOULD be randomly chosen as described above for the authenticator. A
- subkey MAY be included if the server desires to negotiate a different
-
-
-
-March 2003 [Page 32]
-
-
-
-
-
-Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT
-
-
- subkey. The KRB_AP_REP message is encrypted in the session key
- extracted from the ticket.
-
-3.2.5. Receipt of KRB_AP_REP message
-
- If a KRB_AP_REP message is returned, the client uses the session key
- from the credentials obtained for the server [13] to decrypt the
- message, and verifies that the timestamp and microsecond fields match
- those in the Authenticator it sent to the server. If they match, then
- the client is assured that the server is genuine. The sequence number
- and subkey (if present) are retained for later use.
-
-3.2.6. Using the encryption key
-
- After the KRB_AP_REQ/KRB_AP_REP exchange has occurred, the client and
- server share an encryption key which can be used by the application.
- In some cases, the use of this session key will be implicit in the
- protocol; in others the method of use must be chosen from several
- alternatives.
The 'true session key' to be used for KRB_PRIV,
- KRB_SAFE, or other application-specific uses MAY be chosen by the
- application based on the session key from the ticket and subkeys in
- the KRB_AP_REP message and the authenticator [14]. To mitigate the
- effect of failures in random number generation on the client it is
- strongly encouraged that any key derived by an application for
- subsequent use include the full key entropy derived from the KDC
- generated session key carried in the ticket. We leave the protocol
- negotiations of how to use the key (e.g. selecting an encryption or
- checksum type) to the application programmer; the Kerberos protocol
- does not constrain the implementation options, but an example of how
- this might be done follows.
-
- One way that an application may choose to negotiate a key to be used
- for subsequent integrity and privacy protection is for the client to
- propose a key in the subkey field of the authenticator. The server
- can then choose a key using the proposed key from the client as
- input, returning the new subkey in the subkey field of the
- application reply. This key could then be used for subsequent
- communication.
-
- To make this example more concrete, if the communication patterns of
- an application dictates the use of encryption modes of operation
- incompatible with the encryption system used for the authenticator,
- then a key compatible with the required encryption system may be
- generated by either the client, the server, or collaboratively by
- both and exchanged using the subkey field. This generation might
- involve the use of a random number as a pre-key, initially generated
- by either party, which could then be encrypted using the session key
- from the ticket, and the result exchanged and used for subsequent
-
-
-
-March 2003 [Page 33]
-
-
-
-
-
-Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT
-
-
- encryption.
By encrypting the pre-key with the session key from the
- ticket, randomness from the KDC generated key is assured of being
- present in the negotiated key. Application developers must be careful
- however, to use a means of introducing this entropy that does not
- allow an attacker to learn the session key from the ticket if it
- learns the key generated and used for subsequent communication. The
- reader should note that this is only an example, and that an analysis
- of the particular cryptosystem to be used, must be made before
- deciding how to generate values for the subkey fields, and the key to
- be used for subsequent communication.
-
- With both the one-way and mutual authentication exchanges, the peers
- should take care not to send sensitive information to each other
- without proper assurances. In particular, applications that require
- privacy or integrity SHOULD use the KRB_AP_REP response from the
- server to client to assure both client and server of their peer's
- identity. If an application protocol requires privacy of its
- messages, it can use the KRB_PRIV message (section 3.5). The KRB_SAFE
- message (section 3.4) can be used to assure integrity.
-
-3.3. The Ticket-Granting Service (TGS) Exchange
-
- Summary
- Message direction Message type Section
- 1. Client to Kerberos KRB_TGS_REQ 5.4.1
- 2. Kerberos to client KRB_TGS_REP or 5.4.2
- KRB_ERROR 5.9.1
-
- The TGS exchange between a client and the Kerberos Ticket-Granting
- Server is initiated by a client when it wishes to obtain
- authentication credentials for a given server (which might be
- registered in a remote realm), when it wishes to renew or validate an
- existing ticket, or when it wishes to obtain a proxy ticket. In the
- first case, the client must already have acquired a ticket for the
- Ticket-Granting Service using the AS exchange (the ticket-granting
- ticket is usually obtained when a client initially authenticates to
- the system, such as when a user logs in).
The message format for the
- TGS exchange is almost identical to that for the AS exchange. The
- primary difference is that encryption and decryption in the TGS
- exchange does not take place under the client's key. Instead, the
- session key from the ticket-granting ticket or renewable ticket, or
- sub-session key from an Authenticator is used. As is the case for all
- application servers, expired tickets are not accepted by the TGS, so
- once a renewable or ticket-granting ticket expires, the client must
- use a separate exchange to obtain valid tickets.
-
- The TGS exchange consists of two messages: A request (KRB_TGS_REQ)
- from the client to the Kerberos Ticket-Granting Server, and a reply
-
-
-
-March 2003 [Page 34]
-
-
-
-
-
-Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT
-
-
- (KRB_TGS_REP or KRB_ERROR). The KRB_TGS_REQ message includes
- information authenticating the client plus a request for credentials.
- The authentication information consists of the authentication header
- (KRB_AP_REQ) which includes the client's previously obtained ticket-
- granting, renewable, or invalid ticket. In the ticket-granting
- ticket and proxy cases, the request MAY include one or more of: a
- list of network addresses, a collection of typed authorization data
- to be sealed in the ticket for authorization use by the application
- server, or additional tickets (the use of which are described later).
- The TGS reply (KRB_TGS_REP) contains the requested credentials,
- encrypted in the session key from the ticket-granting ticket or
- renewable ticket, or if present, in the sub-session key from the
- Authenticator (part of the authentication header). The KRB_ERROR
- message contains an error code and text explaining what went wrong.
- The KRB_ERROR message is not encrypted. The KRB_TGS_REP message
- contains information which can be used to detect replays, and to
- associate it with the message to which it replies.
The KRB_ERROR
- message also contains information which can be used to associate it
- with the message to which it replies. The same comments about
- integrity protection of KRB_ERROR messages mentioned in section 3.1
- apply to the TGS exchange.
-
-3.3.1. Generation of KRB_TGS_REQ message
-
- Before sending a request to the ticket-granting service, the client
- MUST determine in which realm the application server is believed to
- be registered [15]. If the client knows the service principal name
- and realm and it does not already possess a ticket-granting ticket
- for the appropriate realm, then one must be obtained. This is first
- attempted by requesting a ticket-granting ticket for the destination
- realm from a Kerberos server for which the client possesses a ticket-
- granting ticket (using the KRB_TGS_REQ message recursively). The
- Kerberos server MAY return a TGT for the desired realm in which case
- one can proceed. Alternatively, the Kerberos server MAY return a TGT
- for a realm which is 'closer' to the desired realm (further along the
- standard hierarchical path between the client's realm and the
- requested realm server's realm). It should be noted in this case that
- misconfiguration of the Kerberos servers may cause loops in the
- resulting authentication path, which the client should be careful to
- detect and avoid.
-
- If the Kerberos server returns a TGT for a 'closer' realm other than
- the desired realm, the client MAY use local policy configuration to
- verify that the authentication path used is an acceptable one.
- Alternatively, a client MAY choose its own authentication path,
- rather than relying on the Kerberos server to select one. In either
- case, any policy or configuration information used to choose or
- validate authentication paths, whether by the Kerberos server or
-
-
-
-March 2003 [Page 35]
-
-
-
-
-
-Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT
-
-
- client, MUST be obtained from a trusted source.
-
- When a client obtains a ticket-granting ticket that is 'closer' to
- the destination realm, the client MAY cache this ticket and reuse it
- in future KRB-TGS exchanges with services in the 'closer' realm.
- However, if the client were to obtain a ticket-granting ticket for
- the 'closer' realm by starting at the initial KDC rather than as part
- of obtaining another ticket, then a shorter path to the 'closer'
- realm might be used. This shorter path may be desirable because fewer
- intermediate KDCs would know the session key of the ticket involved.
- For this reason, clients SHOULD evaluate whether they trust the
- realms transited in obtaining the 'closer' ticket when making a
- decision to use the ticket in future.
-
- Once the client obtains a ticket-granting ticket for the appropriate
- realm, it determines which Kerberos servers serve that realm, and
- contacts one. The list might be obtained through a configuration file
- or network service or it MAY be generated from the name of the realm;
- as long as the secret keys exchanged by realms are kept secret, only
- denial of service results from using a false Kerberos server.
-
- (This paragraph changed) As in the AS exchange, the client MAY
- specify a number of options in the KRB_TGS_REQ message. One of these
- options is the ENC-TKT-IN-SKEY option used for user-to-user
- authentication. An overview of user to user authentication can be
- found in section 3.7. When generating the KRB_TGS_REQ message, this
- option indicates that the client is including a ticket-granting
- ticket obtained from the application server in the additional tickets
- field of the request and that the KDC SHOULD encrypt the ticket for
- the application server using the session key from this additional
- ticket, instead of using a server key from the principal database.
-
- The client prepares the KRB_TGS_REQ message, providing an
- authentication header as an element of the padata field, and
- including the same fields as used in the KRB_AS_REQ message along
- with several optional fields: the enc-authorizatfion-data field for
- application server use and additional tickets required by some
- options.
-
- In preparing the authentication header, the client can select a sub-
- session key under which the response from the Kerberos server will be
- encrypted [16]. If the sub-session key is not specified, the session
- key from the ticket-granting ticket will be used. If the enc-
- authorization-data is present, it MUST be encrypted in the sub-
- session key, if present, from the authenticator portion of the
- authentication header, or if not present, using the session key from
- the ticket-granting ticket.
-
-
-
-
-March 2003 [Page 36]
-
-
-
-
-
-Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT
-
-
- Once prepared, the message is sent to a Kerberos server for the
- destination realm.
-
-3.3.2. Receipt of KRB_TGS_REQ message
-
- The KRB_TGS_REQ message is processed in a manner similar to the
- KRB_AS_REQ message, but there are many additional checks to be
- performed. First, the Kerberos server MUST determine which server the
- accompanying ticket is for and it MUST select the appropriate key to
- decrypt it. For a normal KRB_TGS_REQ message, it will be for the
- ticket granting service, and the TGS's key will be used. If the TGT
- was issued by another realm, then the appropriate inter-realm key
- MUST be used.
If the accompanying ticket is not a ticket-granting
- ticket for the current realm, but is for an application server in the
- current realm, the RENEW, VALIDATE, or PROXY options are specified in
- the request, and the server for which a ticket is requested is the
- server named in the accompanying ticket, then the KDC will decrypt
- the ticket in the authentication header using the key of the server
- for which it was issued. If no ticket can be found in the padata
- field, the KDC_ERR_PADATA_TYPE_NOSUPP error is returned.
-
- Once the accompanying ticket has been decrypted, the user-supplied
- checksum in the Authenticator MUST be verified against the contents
- of the request, and the message rejected if the checksums do not
- match (with an error code of KRB_AP_ERR_MODIFIED) or if the checksum
- is not keyed or not collision-proof (with an error code of
- KRB_AP_ERR_INAPP_CKSUM). If the checksum type is not supported, the
- KDC_ERR_SUMTYPE_NOSUPP error is returned. If the authorization-data
- are present, they are decrypted using the sub-session key from the
- Authenticator.
-
- If any of the decryptions indicate failed integrity checks, the
- KRB_AP_ERR_BAD_INTEGRITY error is returned.
-
- As discussed in section 3.1.2, the KDC MUST send a valid KRB_TGS_REP
- message if it receives a KRB_TGS_REQ message identical to one it has
- recently processed. However, if the authenticator is a replay, but
- the rest of the request is not identical, then the KDC SHOULD return
- KRB_AP_ERR_REPEAT.
-
-3.3.3. Generation of KRB_TGS_REP message
-
- The KRB_TGS_REP message shares its format with the KRB_AS_REP
- (KRB_KDC_REP), but with its type field set to KRB_TGS_REP. The
- detailed specification is in section 5.4.2.
-
- The response will include a ticket for the requested server or for a
- ticket granting server of an intermediate KDC to be contacted to
-
-
-
-March 2003 [Page 37]
-
-
-
-
-
-Neuman, et al.
draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT
-
-
- obtain the requested ticket. The Kerberos database is queried to
- retrieve the record for the appropriate server (including the key
- with which the ticket will be encrypted). If the request is for a
- ticket-granting ticket for a remote realm, and if no key is shared
- with the requested realm, then the Kerberos server will select the
- realm 'closest' to the requested realm with which it does share a
- key, and use that realm instead. If the requested server cannot be
- found in the TGS database, then a TGT for another trusted realm MAY
- be returned instead of a ticket for the service. This TGT is a
- referral mechanism to cause the client to retry the request to the
- realm of the TGT. These are the only cases where the response for
- the KDC will be for a different server than that requested by the
- client.
-
- By default, the address field, the client's name and realm, the list
- of transited realms, the time of initial authentication, the
- expiration time, and the authorization data of the newly-issued
- ticket will be copied from the ticket-granting ticket (TGT) or
- renewable ticket. If the transited field needs to be updated, but the
- transited type is not supported, the KDC_ERR_TRTYPE_NOSUPP error is
- returned.
-
- If the request specifies an endtime, then the endtime of the new
- ticket is set to the minimum of (a) that request, (b) the endtime
- from the TGT, and (c) the starttime of the TGT plus the minimum of
- the maximum life for the application server and the maximum life for
- the local realm (the maximum life for the requesting principal was
- already applied when the TGT was issued). If the new ticket is to be
- a renewal, then the endtime above is replaced by the minimum of (a)
- the value of the renew_till field of the ticket and (b) the starttime
- for the new ticket plus the life (endtime-starttime) of the old
- ticket.
-
- If the FORWARDED option has been requested, then the resulting ticket
- will contain the addresses specified by the client. This option will
- only be honored if the FORWARDABLE flag is set in the TGT. The PROXY
- option is similar; the resulting ticket will contain the addresses
- specified by the client. It will be honored only if the PROXIABLE
- flag in the TGT is set. The PROXY option will not be honored on
- requests for additional ticket-granting tickets.
-
- If the requested start time is absent, indicates a time in the past,
- or is within the window of acceptable clock skew for the KDC and the
- POSTDATE option has not been specified, then the start time of the
- ticket is set to the authentication server's current time. If it
- indicates a time in the future beyond the acceptable clock skew, but
- the POSTDATED option has not been specified or the MAY-POSTDATE flag
- is not set in the TGT, then the error KDC_ERR_CANNOT_POSTDATE is
-
-
-
-March 2003 [Page 38]
-
-
-
-
-
-Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT
-
-
- returned. Otherwise, if the ticket-granting ticket has the MAY-
- POSTDATE flag set, then the resulting ticket will be postdated and
- the requested starttime is checked against the policy of the local
- realm. If acceptable, the ticket's start time is set as requested,
- and the INVALID flag is set. The postdated ticket MUST be validated
- before use by presenting it to the KDC after the starttime has been
- reached. However, in no case may the starttime, endtime, or renew-
- till time of a newly-issued postdated ticket extend beyond the renew-
- till time of the ticket-granting ticket.
-
- If the ENC-TKT-IN-SKEY option has been specified and an additional
- ticket has been included in the request, it indicates that the client
- is using user- to-user authentication to prove its identity to a
- server that does not have access to a persistent key.
Section 3.7
- describes the affect of this option on the entire Kerberos protocol.
- When generating the KRB_TGS_REP message, this option in the
- KRB_TGS_REQ message tells the KDC to decrypt the additional ticket
- using the key for the server to which the additional ticket was
- issued and verify that it is a ticket-granting ticket. If the name of
- the requested server is missing from the request, the name of the
- client in the additional ticket will be used. Otherwise the name of
- the requested server will be compared to the name of the client in
- the additional ticket and if different, the request will be rejected.
- If the request succeeds, the session key from the additional ticket
- will be used to encrypt the new ticket that is issued instead of
- using the key of the server for which the new ticket will be used.
-
- If the name of the server in the ticket that is presented to the KDC
- as part of the authentication header is not that of the ticket-
- granting server itself, the server is registered in the realm of the
- KDC, and the RENEW option is requested, then the KDC will verify that
- the RENEWABLE flag is set in the ticket, that the INVALID flag is not
- set in the ticket, and that the renew_till time is still in the
- future. If the VALIDATE option is requested, the KDC will check that
- the starttime has passed and the INVALID flag is set. If the PROXY
- option is requested, then the KDC will check that the PROXIABLE flag
- is set in the ticket. If the tests succeed, and the ticket passes the
- hotlist check described in the next section, the KDC will issue the
- appropriate new ticket.
-
- The ciphertext part of the response in the KRB_TGS_REP message is
- encrypted in the sub-session key from the Authenticator, if present,
- or the session key from the ticket-granting ticket. It is not
- encrypted using the client's secret key.
Furthermore, the client's
- key's expiration date and the key version number fields are left out
- since these values are stored along with the client's database
- record, and that record is not needed to satisfy a request based on a
- ticket-granting ticket.
-
-
-
-March 2003 [Page 39]
-
-
-
-
-
-Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT
-
-
-3.3.3.1. Checking for revoked tickets
-
- Whenever a request is made to the ticket-granting server, the
- presented ticket(s) is(are) checked against a hot-list of tickets
- which have been canceled. This hot-list might be implemented by
- storing a range of issue timestamps for 'suspect tickets'; if a
- presented ticket had an authtime in that range, it would be rejected.
- In this way, a stolen ticket-granting ticket or renewable ticket
- cannot be used to gain additional tickets (renewals or otherwise)
- once the theft has been reported to the KDC for the realm in which
- the server resides. Any normal ticket obtained before it was reported
- stolen will still be valid (because they require no interaction with
- the KDC), but only until their normal expiration time. If TGT's have
- been issued for cross-realm authentication, use of the cross-realm
- TGT will not be affected unless the hot-list is propagated to the
- KDCs for the realms for which such cross-realm tickets were issued.
-
-3.3.3.2. Encoding the transited field
-
- If the identity of the server in the TGT that is presented to the KDC
- as part of the authentication header is that of the ticket-granting
- service, but the TGT was issued from another realm, the KDC will look
- up the inter-realm key shared with that realm and use that key to
- decrypt the ticket. If the ticket is valid, then the KDC will honor
- the request, subject to the constraints outlined above in the section
- describing the AS exchange. The realm part of the client's identity
- will be taken from the ticket-granting ticket.
The name of the realm
- that issued the ticket-granting ticket, if it is not the realm of the
- client principal, will be added to the transited field of the ticket
- to be issued. This is accomplished by reading the transited field
- from the ticket-granting ticket (which is treated as an unordered set
- of realm names), adding the new realm to the set, then constructing
- and writing out its encoded (shorthand) form (this may involve a
- rearrangement of the existing encoding).
-
- Note that the ticket-granting service does not add the name of its
- own realm. Instead, its responsibility is to add the name of the
- previous realm. This prevents a malicious Kerberos server from
- intentionally leaving out its own name (it could, however, omit other
- realms' names).
-
- The names of neither the local realm nor the principal's realm are to
- be included in the transited field. They appear elsewhere in the
- ticket and both are known to have taken part in authenticating the
- principal. Since the endpoints are not included, both local and
- single-hop inter-realm authentication result in a transited field
- that is empty.
-
-
-
-
-March 2003 [Page 40]
-
-
-
-
-
-Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT
-
-
- Because the name of each realm transited is added to this field, it
- might potentially be very long. To decrease the length of this field,
- its contents are encoded. The initially supported encoding is
- optimized for the normal case of inter-realm communication: a
- hierarchical arrangement of realms using either domain or X.500 style
- realm names. This encoding (called DOMAIN-X500-COMPRESS) is now
- described.
-
- Realm names in the transited field are separated by a ",". The ",",
- "\", trailing "."s, and leading spaces (" ") are special characters,
- and if they are part of a realm name, they MUST be quoted in the
- transited field by preceding them with a "\".
-
- A realm name ending with a "."
is interpreted as being prepended to
- the previous realm. For example, we can encode traversal of EDU,
- MIT.EDU, ATHENA.MIT.EDU, WASHINGTON.EDU, and CS.WASHINGTON.EDU as:
-
- "EDU,MIT.,ATHENA.,WASHINGTON.EDU,CS.".
-
- Note that if ATHENA.MIT.EDU, or CS.WASHINGTON.EDU were end-points,
- that they would not be included in this field, and we would have:
-
- "EDU,MIT.,WASHINGTON.EDU"
-
- A realm name beginning with a "/" is interpreted as being appended to
- the previous realm. For the purpose of appending, the realm
- preceding the first listed realm is considered to be the null realm
- (""). If a realm name beginning with a "/" is to stand by itself,
- then it SHOULD be preceded by a space (" "). For example, we can
- encode traversal of /COM/HP/APOLLO, /COM/HP, /COM, and /COM/DEC as:
-
- "/COM,/HP,/APOLLO, /COM/DEC".
-
- Like the example above, if /COM/HP/APOLLO and /COM/DEC are endpoints,
- they would not be included in this field, and we would have:
-
- "/COM,/HP"
-
- A null subfield preceding or following a "," indicates that all
- realms between the previous realm and the next realm have been
- traversed. For the purpose of interpreting null subfields, the
- client's realm is considered to precede those in the transited field,
- and the server's realm is considered to follow them. Thus, "," means
- that all realms along the path between the client and the server have
- been traversed. ",EDU, /COM," means that all realms from the client's
- realm up to EDU (in a domain style hierarchy) have been traversed,
- and that everything from /COM down to the server's realm in an X.500
- style has also been traversed. This could occur if the EDU realm in
-
-
-
-March 2003 [Page 41]
-
-
-
-
-
-Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT
-
-
- one hierarchy shares an inter-realm key directly with the /COM realm
- in another hierarchy.
-
-3.3.4.
Receipt of KRB_TGS_REP message
-
- When the KRB_TGS_REP is received by the client, it is processed in
- the same manner as the KRB_AS_REP processing described above. The
- primary difference is that the ciphertext part of the response must
- be decrypted using the sub-session key from the Authenticator, if it
- was specified in the request, or the session key from the ticket-
- granting ticket, rather than the client's secret key. The server name
- returned in the reply is the true principal name of the service.
-
-3.4. The KRB_SAFE Exchange
-
- The KRB_SAFE message MAY be used by clients requiring the ability to
- detect modifications of messages they exchange. It achieves this by
- including a keyed collision-proof checksum of the user data and some
- control information. The checksum is keyed with an encryption key
- (usually the last key negotiated via subkeys, or the session key if
- no negotiation has occurred).
-
-3.4.1. Generation of a KRB_SAFE message
-
- When an application wishes to send a KRB_SAFE message, it collects
- its data and the appropriate control information and computes a
- checksum over them. The checksum algorithm should be the keyed
- checksum mandated to be implemented along with the crypto system used
- for the sub-session or session key. The checksum is generated using
- the sub-session key if present, and the session key. Some
- implementations use a different checksum algorithm for the KRB_SAFE
- messages but doing so in a interoperable manner is not always
- possible.
-
- Implementations SHOULD accept any checksum algorithm they implement
- that both have adequate security and that have keys compatible with
- the sub-session or session key. Unkeyed or non-collision-proof
- checksums are not suitable for this use.
-
- The control information for the KRB_SAFE message includes both a
- timestamp and a sequence number. The designer of an application using
- the KRB_SAFE message MUST choose at least one of the two mechanisms.
- This choice SHOULD be based on the needs of the application protocol.
-
- Sequence numbers are useful when all messages sent will be received
- by one's peer. Connection state is presently required to maintain the
- session key, so maintaining the next sequence number should not
- present an additional problem.
-
-
-
-March 2003 [Page 42]
-
-
-
-
-
-Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT
-
-
- If the application protocol is expected to tolerate lost messages
- without them being resent, the use of the timestamp is the
- appropriate replay detection mechanism. Using timestamps is also the
- appropriate mechanism for multi-cast protocols where all of one's
- peers share a common sub-session key, but some messages will be sent
- to a subset of one's peers.
-
- After computing the checksum, the client then transmits the
- information and checksum to the recipient in the message format
- specified in section 5.6.1.
-
-3.4.2. Receipt of KRB_SAFE message
-
- When an application receives a KRB_SAFE message, it verifies it as
- follows. If any error occurs, an error code is reported for use by
- the application.
-
- The message is first checked by verifying that the protocol version
- and type fields match the current version and KRB_SAFE, respectively.
- A mismatch generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE
- error. The application verifies that the checksum used is a
- collision-proof keyed checksum that uses keys compatible with the
- sub-session or session key as appropriate (or with the application
- key derived from the session or sub-session keys), and if it is not,
- a KRB_AP_ERR_INAPP_CKSUM error is generated.
The sender's address
- MUST be included in the control information; the recipient verifies
- that the operating system's report of the sender's address matches
- the sender's address in the message, and (if a recipient address is
- specified or the recipient requires an address) that one of the
- recipient's addresses appears as the recipient's address in the
- message. To work with network address translation, senders MAY use
- the directional address type specified in section 8.1 for the sender
- address and not include recipient addresses. A failed match for
- either case generates a KRB_AP_ERR_BADADDR error. Then the timestamp
- and usec and/or the sequence number fields are checked. If timestamp
- and usec are expected and not present, or they are present but not
- current, the KRB_AP_ERR_SKEW error is generated. If the server name,
- along with the client name, time and microsecond fields from the
- Authenticator match any recently-seen (sent or received) such tuples,
- the KRB_AP_ERR_REPEAT error is generated. If an incorrect sequence
- number is included, or a sequence number is expected but not present,
- the KRB_AP_ERR_BADORDER error is generated. If neither a time-stamp
- and usec or a sequence number is present, a KRB_AP_ERR_MODIFIED error
- is generated. Finally, the checksum is computed over the data and
- control information, and if it doesn't match the received checksum, a
- KRB_AP_ERR_MODIFIED error is generated.
-
- If all the checks succeed, the application is assured that the
-
-
-
-March 2003 [Page 43]
-
-
-
-
-
-Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT
-
-
- message was generated by its peer and was not modified in transit.
-
-3.5. The KRB_PRIV Exchange
-
- The KRB_PRIV message MAY be used by clients requiring confidentiality
- and the ability to detect modifications of exchanged messages. It
- achieves this by encrypting the messages and adding control
- information.
-
-3.5.1.
Generation of a KRB_PRIV message
-
- When an application wishes to send a KRB_PRIV message, it collects
- its data and the appropriate control information (specified in
- section 5.7.1) and encrypts them under an encryption key (usually the
- last key negotiated via subkeys, or the session key if no negotiation
- has occurred). As part of the control information, the client MUST
- choose to use either a timestamp or a sequence number (or both); see
- the discussion in section 3.4.1 for guidelines on which to use. After
- the user data and control information are encrypted, the client
- transmits the ciphertext and some 'envelope' information to the
- recipient.
-
-3.5.2. Receipt of KRB_PRIV message
-
- When an application receives a KRB_PRIV message, it verifies it as
- follows. If any error occurs, an error code is reported for use by
- the application.
-
- The message is first checked by verifying that the protocol version
- and type fields match the current version and KRB_PRIV, respectively.
- A mismatch generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE
- error. The application then decrypts the ciphertext and processes the
- resultant plaintext. If decryption shows the data to have been
- modified, a KRB_AP_ERR_BAD_INTEGRITY error is generated.
-
- The sender's address MUST be included in the control information; the
- recipient verifies that the operating system's report of the sender's
- address matches the sender's address in the message. If a recipient
- address is specified or the recipient requires an address then one of
- the recipient's addresses MUST also appear as the recipient's address
- in the message. Where a sender's or receiver's address might not
- otherwise match the address in a message because of network address
- translation, an application MAY be written to use addresses of the
- directional address type in place of the actual network address.
-
- A failed match for either case generates a KRB_AP_ERR_BADADDR error.
- To work with network address translation, implementations MAY use the
- directional address type defined in section 7.1 for the sender
-
-
-
-March 2003 [Page 44]
-
-
-
-
-
-Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT
-
-
- address and include no recipient address. Then the timestamp and usec
- and/or the sequence number fields are checked. If timestamp and usec
- are expected and not present, or they are present but not current,
- the KRB_AP_ERR_SKEW error is generated. If the server name, along
- with the client name, time and microsecond fields from the
- Authenticator match any recently-seen such tuples, the
- KRB_AP_ERR_REPEAT error is generated. If an incorrect sequence number
- is included, or a sequence number is expected but not present, the
- KRB_AP_ERR_BADORDER error is generated. If neither a time-stamp and
- usec or a sequence number is present, a KRB_AP_ERR_MODIFIED error is
- generated.
-
- If all the checks succeed, the application can assume the message was
- generated by its peer, and was securely transmitted (without
- intruders able to see the unencrypted contents).
-
-3.6. The KRB_CRED Exchange
-
- The KRB_CRED message MAY be used by clients requiring the ability to
- send Kerberos credentials from one host to another. It achieves this
- by sending the tickets together with encrypted data containing the
- session keys and other information associated with the tickets.
-
-3.6.1. Generation of a KRB_CRED message
-
- When an application wishes to send a KRB_CRED message it first (using
- the KRB_TGS exchange) obtains credentials to be sent to the remote
- host. It then constructs a KRB_CRED message using the ticket or
- tickets so obtained, placing the session key needed to use each
- ticket in the key field of the corresponding KrbCredInfo sequence of
- the encrypted part of the KRB_CRED message.
-
- Other information associated with each ticket and obtained during the
- KRB_TGS exchange is also placed in the corresponding KrbCredInfo
- sequence in the encrypted part of the KRB_CRED message. The current
- time and, if specifically required by the application (and
- communicated from the recipient to the sender by application specific
- means) the nonce, s-address, and r-address fields, are placed in the
- encrypted part of the KRB_CRED message which is then encrypted under
- an encryption key previously exchanged in the KRB_AP exchange
- (usually the last key negotiated via subkeys, or the session key if
- no negotiation has occurred).
-
- Implementation note: When constructing a KRB_CRED message for
- inclusion in a GSSAPI initial context token, the MIT implementation
- of Kerberos will not encrypt the KRB_CRED message if the session key
- is a DES or triple DES key. For interoperability with MIT, the
- Microsoft implementation will not encrypt the KRB_CRED in a GSSAPI
-
-
-
-March 2003 [Page 45]
-
-
-
-
-
-Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT
-
-
- token if it is using a DES session key. Starting at version 1.2.5,
- MIT Kerberos can receive and decode either encrypted or unencrypted
- KRB_CRED tokens in the GSSAPI exchange. The Heimdal implementation of
- Kerberos can also accept either encrypted or unencrypted KRB_CRED
- messages. Since the KRB_CRED message in a GSSAPI token is encrypted
- in the authenticator, the MIT behavior does not present a security
- problem, although it is a violation of the Kerberos specification.
-
-3.6.2. Receipt of KRB_CRED message
-
- When an application receives a KRB_CRED message, it verifies it. If
- any error occurs, an error code is reported for use by the
- application. The message is verified by checking that the protocol
- version and type fields match the current version and KRB_CRED,
- respectively. A mismatch generates a KRB_AP_ERR_BADVERSION or
- KRB_AP_ERR_MSG_TYPE error.
The application then decrypts the
- ciphertext and processes the resultant plaintext. If decryption shows
- the data to have been modified, a KRB_AP_ERR_BAD_INTEGRITY error is
- generated.
-
- If present or required, the recipient MAY verify that the operating
- system's report of the sender's address matches the sender's address
- in the message, and that one of the recipient's addresses appears as
- the recipient's address in the message. The address check does not
- provide any added security, since the address if present has already
- been checked in the KRB_AP_REQ message and there is not any benefit
- to be gained by an attacker in reflecting a KRB_CRED message back to
- its originator. Thus, the recipient MAY ignore the address even if
- present in order to work better in NAT environments. A failed match
- for either case generates a KRB_AP_ERR_BADADDR error. Recipients MAY
- skip the address check as the KRB_CRED message cannot generally be
- reflected back to the originator. The timestamp and usec fields (and
- the nonce field if required) are checked next. If the timestamp and
- usec are not present, or they are present but not current, the
- KRB_AP_ERR_SKEW error is generated.
-
- If all the checks succeed, the application stores each of the new
- tickets in its credentials cache together with the session key and
- other information in the corresponding KrbCredInfo sequence from the
- encrypted part of the KRB_CRED message.
-
-3.7. User to User Authentication Exchanges
-
- User to User authentication provides a method to perform
- authentication when the verifier does not have a access to long term
- service key. This might be the case when running a server (for
- example a window server) as a user on a workstation. In such cases,
- the server may have access to the ticket-granting ticket obtained
-
-
-
-March 2003 [Page 46]
-
-
-
-
-
-Neuman, et al.
draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT
-
-
- when the user logged in to the workstation, but because the server is
- running as an unprivileged user it might not have access to system
- keys. Similar situations may arise when running peer-to-peer
- applications.
-
- Summary
- Message direction Message type Sections
- 0. Message from application server Not Specified
- 1. Client to Kerberos KRB_TGS_REQ 3.3 + 5.4.1
- 2. Kerberos to client KRB_TGS_REP or 3.3 + 5.4.2
- KRB_ERROR 5.9.1
- 3. Client to Application server KRB_AP_REQ 3.2 + 5.5.1
-
- To address this problem, the Kerberos protocol allows the client to
- request that the ticket issued by the KDC be encrypted using a
- session key from a ticket-granting ticket issued to the party that
- will verify the authentication. This ticket-granting ticket must be
- obtained from the verifier by means of an exchange external to the
- Kerberos protocol, usually as part of the application protocol. This
- message is shown in the summary above as message 0. Note that because
- the ticket-granting ticket is encrypted in the KDC's secret key, it
- can not be used for authentication without posession of the
- corresponding secret key. Furthermore, because the verifier does not
- reveal the corresponding secret key, providing a copy of the
- verifier's ticket-granting ticket does not allow impersonation of the
- verifier.
-
- Message 0 in the table above represents an application specific
- negotation between the client and server, at the end of which both
- have determined that they will use user to user authentication and
- the client has obtained the server's TGT.
-
- Next, the client includes the server's TGT as an additional ticket in
- its KRB_TGS_REQ request to the KDC (message 1 in the table above) and
- specifyies the ENC-TKT-IN-SKEY option in its request.
-
- If validated according to the instructions in 3.3.3, the application
- ticket returned to the client (message 2 in the table above) will be
- encrypted using the session key from the additional ticket and the
- client will note this when it uses or stores the application ticket.
-
- When contacting the server using a ticket obtained for user to user
- authentication (message 3 in the table above), the client MUST
- specify the USE-SESSION-KEY flag in the ap-options field. This tells
- the application server to use the session key associated with its
- ticket-granting ticket to decrypt the server ticket provided in the
- application request.
-
-
-
-
-March 2003 [Page 47]
-
-
-
-
-
-Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT
-
-
-4. Encryption and Checksum Specifications
-
- The Kerberos protocols described in this document are designed to
- encrypt messages of arbitrary sizes, using stream or block encryption
- ciphers. Encryption is used to prove the identities of the network
- entities participating in message exchanges. The Key Distribution
- Center for each realm is trusted by all principals registered in that
- realm to store a secret key in confidence. Proof of knowledge of this
- secret key is used to verify the authenticity of a principal.
-
- The KDC uses the principal's secret key (in the AS exchange) or a
- shared session key (in the TGS exchange) to encrypt responses to
- ticket requests; the ability to obtain the secret key or session key
- implies the knowledge of the appropriate keys and the identity of the
- KDC. The ability of a principal to decrypt the KDC response and
- present a Ticket and a properly formed Authenticator (generated with
- the session key from the KDC response) to a service verifies the
- identity of the principal; likewise the ability of the service to
- extract the session key from the Ticket and prove its knowledge
- thereof in a response verifies the identity of the service.
-
- [@KCRYPTO] defines a framework for defining encryption and checksum
- mechanisms for use with Kerberos. It also defines several such
- mechanisms, and more may be added in future updates to that document.
-
- The string-to-key operation provided by [@KCRYPTO] is used to produce
- a long-term key for a principal (generally for a user). The default
- salt string, if none is provided via pre-authentication data, is the
- concatenation of the principal's realm and name components, in order,
- with no separators. Unless otherwise indicated, the default string-
- to-key opaque parameter set as defined in [@KCRYPTO] is used.
-
- Encrypted data, keys and checksums are transmitted using the
- EncryptedData, EncryptionKey and Checksum data objects defined in
- section 5.2.9. The encryption, decryption, and checksum operations
- described in this document use the corresponding encryption,
- decryption, and get_mic operations described in [@KCRYPTO], with
- implicit "specific key" generation using the "key usage" values
- specified in the description of each EncryptedData or Checksum object
- to vary the key for each operation. Note that in some cases, the
- value to be used is dependent on the method of choosing the key or
- the context of the message.
-
- Key usages are unsigned 32 bit integers; zero is not permitted. The
- key usage values for encrypting or checksumming Kerberos messages are
- indicated in section 5 along with the message definitions. Key usage
- values 512-1023 are reserved for uses internal to a Kerberos
- implementation. (For example, seeding a pseudo-random number
-
-
-
-March 2003 [Page 48]
-
-
-
-
-
-Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT
-
-
- generator with a value produced by encrypting something with a
- session key and a key usage value not used for any other purpose.)
- Key usage values between 1024 and 2047 (inclusive) are reserved for
- application use; applications SHOULD use even values for encryption
- and odd values for checksums within this range. Key usage values are
- also summarized in a table in section 7.5.1.
-
- There might exist other documents which define protocols in terms of
- the RFC1510 encryption types or checksum types. Such documents would
- not know about key usages. In order that these specifications
- continue to be meaningful until they are updated, if not key usage
- values are specified then key usages 1024 and 1025 must be used to
- derive keys for encryption and checksums, respectively (this does not
- apply to protocols that do their own encryption independent of this
- framework, directly using the key resulting from the Kerberos
- authentication exchange.) New protocols defined in terms of the
- Kerberos encryption and checksum types SHOULD use their own key usage
- values.
-
- Unless otherwise indicated, no cipher state chaining is done from one
- encryption operation to another.
-
- Implementation note: While not recommended, some application
- protocols will continue to use the key data directly, even if only in
- currently existing protocol specifications. An implementation
- intended to support general Kerberos applications may therefore need
- to make key data available, as well as the attributes and operations
- described in [@KCRYPTO]. One of the more common reasons for directly
- performing encryption is direct control over negotiation and
- selection of a "sufficiently strong" encryption algorithm (in the
- context of a given application).
While Kerberos does not directly - provide a facility for negotiating encryption types between the - application client and server, there are approaches for using - Kerberos to facilitate this negotiation - for example, a client may - request only "sufficiently strong" session key types from the KDC and - expect that any type returned by the KDC will be understood and - supported by the application server. - -5. Message Specifications - - NOTE: The ASN.1 collected here should be identical to the contents of - Appendix A. In case of conflict, the contents of Appendix A shall - take precedence. - - The Kerberos protocol is defined here in terms of Abstract Syntax - Notation One (ASN.1) [X680], which provides a syntax for specifying - both the abstract layout of protocol messages as well as their - encodings. Implementors not utilizing an existing ASN.1 compiler or - - - -March 2003 [Page 49] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - support library are cautioned to thoroughly understand the actual - ASN.1 specification to ensure correct implementation behavior, as - there is more complexity in the notation than is immediately obvious, - and some tutorials and guides to ASN.1 are misleading or erroneous. - - Note that in several places, there have been changes here from RFC - 1510 that change the abstract types. This is in part to address - widespread assumptions that various implementors have made, in some - cases resulting in unintentional violations of the ASN.1 standard. - These are clearly flagged where they occur. The differences between - the abstract types in RFC 1510 and abstract types in this document - can cause incompatible encodings to be emitted when certain encoding - rules, e.g. the Packed Encoding Rules (PER), are used. This - theoretical incompatibility should not be relevant for Kerberos, - since Kerberos explicitly specifies the use of the Distinguished - Encoding Rules (DER). 
It might be an issue for protocols wishing to - use Kerberos types with other encoding rules. (This practice is not - recommended.) With very few exceptions (most notably the usages of - BIT STRING), the encodings resulting from using the DER remain - identical between the types defined in RFC 1510 and the types defined - in this document. - - The type definitions in this section assume an ASN.1 module - definition of the following form: - - KerberosV5Spec2 { - iso(1) identified-organization(3) dod(6) internet(1) - security(5) kerberosV5(2) modules(4) krb5spec2(2) - } DEFINITIONS EXPLICIT TAGS ::= BEGIN - - -- rest of definitions here - - END - - This specifies that the tagging context for the module will be - explicit and non-automatic. - - Note that in some other publications [RFC1510] [RFC1964], the "dod" - portion of the object identifier is erroneously specified as having - the value "5". In the case of RFC 1964, use of the "correct" OID - value would result in a change in the wire protocol; therefore, it - remains unchanged for now. - - Note that elsewhere in this document, nomenclature for various - message types is inconsistent, but seems to largely follow C language - conventions, including use of underscore (_) characters and all-caps - spelling of names intended to be numeric constants. Also, in some - places, identifiers (especially ones refering to constants) are - - - -March 2003 [Page 50] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - written in all-caps in order to distinguish them from surrounding - explanatory text. - - The ASN.1 notation does not permit underscores in identifiers, so in - actual ASN.1 definitions, underscores are replaced with hyphens (-). - Additionally, structure member names and defined values in ASN.1 MUST - begin with a lowercase letter, while type names MUST begin with an - uppercase letter. - -5.1. 
Specific Compatibility Notes on ASN.1
-
- For compatibility purposes, implementors should heed the following
- specific notes regarding the use of ASN.1 in Kerberos. These notes do
- not describe deviations from standard usage of ASN.1. The purpose of
- these notes is to instead describe some historical quirks and non-
- compliance of various implementations, as well as historical
- ambiguities, which, while being valid ASN.1, can lead to confusion
- during implementation.
-
-5.1.1. ASN.1 Distinguished Encoding Rules
-
- The encoding of Kerberos protocol messages shall obey the
- Distinguished Encoding Rules (DER) of ASN.1 as described in [X690].
- Some implementations (believed to be primarly ones derived from DCE
- 1.1 and earlier) are known to use the more general Basic Encoding
- Rules (BER); in particular, these implementations send indefinite
- encodings of lengths. Implementations MAY accept such encodings in
- the interests of backwards compatibility, though implementors are
- warned that decoding fully-general BER is fraught with peril.
-
-5.1.2. Optional Integer Fields
-
- Some implementations do not internally distinguish between an omitted
- optional integer value and a transmitted value of zero. The places in
- the protocol where this is relevant include various microseconds
- fields, nonces, and sequence numbers. Implementations SHOULD treat
- omitted optional integer values as having been transmitted with a
- value of zero, if the application is expecting this.
-
-5.1.3. Empty SEQUENCE OF Types
-
- There are places in the protocol where a message contains a SEQUENCE
- OF type as an optional member. This can result in an encoding that
- contains an empty SEQUENCE OF encoding. The Kerberos protocol does
- not semantically distinguish between an absent optional SEQUENCE OF
- type and a present optional but empty SEQUENCE OF type.
- Implementations SHOULD NOT send empty SEQUENCE OF encodings that are
- marked OPTIONAL, but SHOULD accept them as being equivalent to an
-
-
-
-March 2003 [Page 51]
-
-
-
-
-
-Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT
-
-
- omitted OPTIONAL type. In the ASN.1 syntax describing Kerberos
- messages, instances of these problematic optional SEQUENCE OF types
- are indicated with a comment.
-
-5.1.4. Unrecognized Tag Numbers
-
- Future revisions to this protocol may include new message types with
- different APPLICATION class tag numbers. Such revisions should
- protect older implementations by only sending the message types to
- parties that are known to understand them, e.g. by means of a flag
- bit set by the receiver in a preceding request. In the interest of
- robust error handling, implementations SHOULD gracefully handle
- receiving a message with an unrecognized tag anyway, and return an
- error message if appropriate.
-
-5.1.5. Tag Numbers Greater Than 30
-
- A naive implementation of a DER ASN.1 decoder may experience problems
- with ASN.1 tag numbers greater than 30, due to such tag numbers being
- encoded using more than one byte. Future revisions of this protocol
- may utilize tag numbers greater than 30, and implementations SHOULD
- be prepared to gracefully return an error, if appropriate, if they do
- not recognize the tag.
-
-5.2. Basic Kerberos Types
-
- This section defines a number of basic types that are potentially
- used in multiple Kerberos protocol messages.
-
-5.2.1. KerberosString
-
- The original specification of the Kerberos protocol in RFC 1510 uses
- GeneralString in numerous places for human-readable string data.
- Historical implementations of Kerberos cannot utilize the full power
- of GeneralString.
This ASN.1 type requires the use of designation
- and invocation escape sequences as specified in ISO-2022/ECMA-35
- [ISO-2022/ECMA-35] to switch character sets, and the default
- character set that is designated as G0 is the ISO-646/ECMA-6
- [ISO-646,ECMA-6] International Reference Version (IRV) (aka U.S.
- ASCII), which mostly works.
-
- ISO-2022/ECMA-35 defines four character-set code elements (G0..G3)
- and two Control-function code elements (C0..C1). DER prohibits the
- designation of character sets as any but the G0 and C0 sets.
- Unfortunately, this seems to have the side effect of prohibiting the
- use of ISO-8859 (ISO Latin) [ISO-8859] character-sets or any other
- character-sets that utilize a 96-character set, since it is
- prohibited by ISO-2022/ECMA-35 to designate them as the G0 code
-
-
-
-March 2003 [Page 52]
-
-
-
-
-
-Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT
-
-
- element. This side effect is being investigated in the ASN.1
- standards community.
-
- In practice, many implementations treat GeneralStrings as if they
- were 8-bit strings of whichever character set the implementation
- defaults to, without regard for correct usage of character-set
- designation escape sequences. The default character set is often
- determined by the current user's operating system dependent locale.
- At least one major implementation places unescaped UTF-8 encoded
- Unicode characters in the GeneralString. This failure to adhere to
- the GeneralString specifications results in interoperability issues
- when conflicting character encodings are utilized by the Kerberos
- clients, services, and KDC.
-
- This unfortunate situation is the result of improper documentation of
- the restrictions of the ASN.1 GeneralString type in prior Kerberos
- specifications.
-
- The new (post-RFC 1510) type KerberosString, defined below, is a
- GeneralString that is constrained to only contain characters in
- IA5String
-
- KerberosString ::= GeneralString (IA5String)
-
- US-ASCII control characters should in general not be used in
- KerberosString, except for cases such as newlines in lengthy error
- messages. Control characters SHOULD NOT be used in principal names or
- realm names.
-
- For compatibility, implementations MAY choose to accept GeneralString
- values that contain characters other than those permitted by
- IA5String, but they should be aware that character set designation
- codes will likely be absent, and that the encoding should probably be
- treated as locale-specific in almost every way. Implementations MAY
- also choose to emit GeneralString values that are beyond those
- permitted by IA5String, but should be aware that doing so is
- extraordinarily risky from an interoperability perspective.
-
- Some existing implementations use GeneralString to encode unescaped
- locale-specific characters. This is a violation of the ASN.1
- standard. Most of these implementations encode US-ASCII in the left-
- hand half, so as long the implementation transmits only US-ASCII, the
- ASN.1 standard is not violated in this regard. As soon as such an
- implementation encodes unescaped locale-specific characters with the
- high bit set, it violates the ASN.1 standard.
-
- Other implementations have been known to use GeneralString to contain
- a UTF-8 encoding. This also violates the ASN.1 standard, since UTF-8
-
-
-
-March 2003 [Page 53]
-
-
-
-
-
-Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT
-
-
- is a different encoding, not a 94 or 96 character "G" set as defined
- by ISO 2022. It is believed that these implementations do not even
- use the ISO 2022 escape sequence to change the character encoding.
- Even if implementations were to announce the change of encoding by - using that escape sequence, the ASN.1 standard prohibits the use of - any escape sequences other than those used to designate/invoke "G" or - "C" sets allowed by GeneralString. - - Future revisions to this protocol will almost certainly allow for a - more interoperable representation of principal names, probably - including UTF8String. - - Note that applying a new constraint to a previously unconstrained - type constitutes creation of a new ASN.1 type. In this particular - case, the change does not result in a changed encoding under DER. - -5.2.2. Realm and PrincipalName - - Realm ::= KerberosString - - PrincipalName ::= SEQUENCE { - name-type [0] Int32, - name-string [1] SEQUENCE OF KerberosString - } - - Kerberos realm names are encoded as KerberosStrings. Realms shall not - contain a character with the code 0 (the US-ASCII NUL). Most realms - will usually consist of several components separated by periods (.), - in the style of Internet Domain Names, or separated by slashes (/) in - the style of X.500 names. Acceptable forms for realm names are - specified in section 6.1.. A PrincipalName is a typed sequence of - components consisting of the following sub-fields: - - name-type - This field specifies the type of name that follows. Pre-defined - values for this field are specified in section 6.2. The name-type - SHOULD be treated as a hint. Ignoring the name type, no two names - can be the same (i.e. at least one of the components, or the - realm, must be different). - - name-string - This field encodes a sequence of components that form a name, each - component encoded as a KerberosString. Taken together, a - PrincipalName and a Realm form a principal identifier. Most - PrincipalNames will have only a few components (typically one or - two). - -5.2.3. KerberosTime - - - -March 2003 [Page 54] - - - - - -Neuman, et al. 
draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - KerberosTime ::= GeneralizedTime -- with no fractional seconds - - The timestamps used in Kerberos are encoded as GeneralizedTimes. A - KerberosTime value shall not include any fractional portions of the - seconds. As required by the DER, it further shall not include any - separators, and it shall specify the UTC time zone (Z). Example: The - only valid format for UTC time 6 minutes, 27 seconds after 9 pm on 6 - November 1985 is 19851106210627Z. - -5.2.4. Constrained Integer types - - Some integer members of types SHOULD be constrained to values - representable in 32 bits, for compatibility with reasonable - implementation limits. - - Int32 ::= INTEGER (-2147483648..2147483647) - -- signed values representable in 32 bits - - UInt32 ::= INTEGER (0..4294967295) - -- unsigned 32 bit values - - Microseconds ::= INTEGER (0..999999) - -- microseconds - - While this results in changes to the abstract types from the RFC 1510 - version, the encoding in DER should be unaltered. Historical - implementations were typically limited to 32-bit integer values - anyway, and assigned numbers SHOULD fall in the space of integer - values representable in 32 bits in order to promote interoperability - anyway. - - There are several integer fields in messages that are constrained to - fixed values. - - pvno - also TKT-VNO or AUTHENTICATOR-VNO, this recurring field is always - the constant integer 5. There is no easy way to make this field - into a useful protocol version number, so its value is fixed. - - msg-type - this integer field is usually identical to the application tag - number of the containing message type. - -5.2.5. HostAddress and HostAddresses - - HostAddress ::= SEQUENCE { - addr-type [0] Int32, - address [1] OCTET STRING - - - -March 2003 [Page 55] - - - - - -Neuman, et al. 
draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - } - - -- NOTE: HostAddresses is always used as an OPTIONAL field and - -- should not be empty. - HostAddresses -- NOTE: subtly different from rfc1510, - -- but has a value mapping and encodes the same - ::= SEQUENCE OF HostAddress - - The host address encodings consists of two fields: - - addr-type - This field specifies the type of address that follows. Pre-defined - values for this field are specified in section 7.5.3. - - address - This field encodes a single address of type addr-type. - -5.2.6. AuthorizationData - - -- NOTE: AuthorizationData is always used as an OPTIONAL field and - -- should not be empty. - AuthorizationData ::= SEQUENCE OF SEQUENCE { - ad-type [0] Int32, - ad-data [1] OCTET STRING - } - - ad-data - This field contains authorization data to be interpreted according - to the value of the corresponding ad-type field. - - ad-type - This field specifies the format for the ad-data subfield. All - negative values are reserved for local use. Non-negative values - are reserved for registered use. - - Each sequence of type and data is referred to as an authorization - element. Elements MAY be application specific, however, there is a - common set of recursive elements that should be understood by all - implementations. These elements contain other elements embedded - within them, and the interpretation of the encapsulating element - determines which of the embedded elements must be interpreted, and - which may be ignored. - - These common authorization data elements are recursively defined, - meaning the ad-data for these types will itself contain a sequence of - authorization data whose interpretation is affected by the - encapsulating element. Depending on the meaning of the encapsulating - element, the encapsulated elements may be ignored, might be - - - -March 2003 [Page 56] - - - - - -Neuman, et al. 
draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - interpreted as issued directly by the KDC, or they might be stored in - a separate plaintext part of the ticket. The types of the - encapsulating elements are specified as part of the Kerberos - specification because the behavior based on these values should be - understood across implementations whereas other elements need only be - understood by the applications which they affect. - - Authorization data elements are considered critical if present in a - ticket or authenticator. Unless encapsulated in a known authorization - data element amending the criticality of the elements it contains, if - an unknown authorization data element type is received by a server - either in an AP-REQ or in a ticket contained in an AP-REQ, then - authentication MUST fail. Authorization data is intended to restrict - the use of a ticket. If the service cannot determine whether the - restriction applies to that service then a security weakness may - result if the ticket can be used for that service. Authorization - elements that are optional can be enclosed in AD-IF-RELEVANT element. - - In the definitions that follow, the value of the ad-type for the - element will be specified as the least significant part of the - subsection number, and the value of the ad-data will be as shown in - the ASN.1 structure that follows the subsection heading. - - contents of ad-data ad-type - - DER encoding of AD-IF-RELEVANT 1 - - DER encoding of AD-KDCIssued 4 - - DER encoding of AD-AND-OR 5 - - DER encoding of AD-MANDATORY-FOR-KDC 8 - -5.2.6.1. IF-RELEVANT - - AD-IF-RELEVANT ::= AuthorizationData - - AD elements encapsulated within the if-relevant element are intended - for interpretation only by application servers that understand the - particular ad-type of the embedded element. Application servers that - do not understand the type of an element embedded within the if- - relevant element MAY ignore the uninterpretable element. 
This element - promotes interoperability across implementations which may have local - extensions for authorization. The ad-type for AD-IF-RELEVANT is (1). - -5.2.6.2. KDCIssued - - AD-KDCIssued ::= SEQUENCE { - - - -March 2003 [Page 57] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - ad-checksum [0] Checksum, - i-realm [1] Realm OPTIONAL, - i-sname [2] PrincipalName OPTIONAL, - elements [3] AuthorizationData - } - - ad-checksum - A checksum over the elements field using a cryptographic checksum - method that is identical to the checksum used to protect the - ticket itself (i.e. using the same hash function and the same - encryption algorithm used to encrypt the ticket) using the key - used to protect the ticket, and a key usage value of 19. - - i-realm, i-sname - The name of the issuing principal if different from the KDC - itself. This field would be used when the KDC can verify the - authenticity of elements signed by the issuing principal and it - allows this KDC to notify the application server of the validity - of those elements. - - elements - A sequence of authorization data elements issued by the KDC. - - The KDC-issued ad-data field is intended to provide a means for - Kerberos principal credentials to embed within themselves privilege - attributes and other mechanisms for positive authorization, - amplifying the privileges of the principal beyond what can be done - using a credentials without such an a-data element. - - This can not be provided without this element because the definition - of the authorization-data field allows elements to be added at will - by the bearer of a TGT at the time that they request service tickets - and elements may also be added to a delegated ticket by inclusion in - the authenticator. 
- - For KDC-issued elements this is prevented because the elements are - signed by the KDC by including a checksum encrypted using the - server's key (the same key used to encrypt the ticket - or a key - derived from that key). Elements encapsulated with in the KDC-issued - element will be ignored by the application server if this "signature" - is not present. Further, elements encapsulated within this element - from a ticket-granting ticket MAY be interpreted by the KDC, and used - as a basis according to policy for including new signed elements - within derivative tickets, but they will not be copied to a - derivative ticket directly. If they are copied directly to a - derivative ticket by a KDC that is not aware of this element, the - signature will not be correct for the application ticket elements, - and the field will be ignored by the application server. - - - -March 2003 [Page 58] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - This element and the elements it encapulates MAY be safely ignored by - applications, application servers, and KDCs that do not implement - this element. - - The ad-type for AD-KDC-ISSUED is (4). - -5.2.6.3. AND-OR - - AD-AND-OR ::= SEQUENCE { - condition-count [0] INTEGER, - elements [1] AuthorizationData - } - - - When restrictive AD elements are encapsulated within the and-or - element, the and-or element is considered satisfied if and only if at - least the number of encapsulated elements specified in condition- - count are satisifed. Therefore, this element MAY be used to - implement an "or" operation by setting the condition-count field to - 1, and it MAY specify an "and" operation by setting the condition - count to the number of embedded elements. Application servers that do - not implement this element MUST reject tickets that contain - authorization data elements of this type. - - The ad-type for AD-AND-OR is (5). - -5.2.6.4. 
MANDATORY-FOR-KDC - - AD-MANDATORY-FOR-KDC ::= AuthorizationData - - AD elements encapsulated within the mandatory-for-kdc element are to - be interpreted by the KDC. KDCs that do not understand the type of an - element embedded within the mandatory-for-kdc element MUST reject the - request. - - The ad-type for AD-MANDATORY-FOR-KDC is (8). - -5.2.7. PA-DATA - - Historically, PA-DATA have been known as "pre-authentication data", - meaning that they were used to augment the initial authentication - with the KDC. Since that time, they have also been used as a typed - hole with which to extend protocol exchanges with the KDC. - - PA-DATA ::= SEQUENCE { - -- NOTE: first tag is [1], not [0] - padata-type [1] Int32, - padata-value [2] OCTET STRING -- might be encoded AP-REQ - - - -March 2003 [Page 59] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - } - - padata-type - indicates the way that the padata-value element is to be - interpreted. Negative values of padata-type are reserved for - unregistered use; non-negative values are used for a registered - interpretation of the element type. - - padata-value - Usually contains the DER encoding of another type; the padata-type - field identifies which type is encoded here. - - padata-type name contents of padata-value - - 1 pa-tgs-req DER encoding of AP-REQ - - 2 pa-enc-timestamp DER encoding of PA-ENC-TIMESTAMP - - 3 pa-pw-salt salt (not ASN.1 encoded) - - 11 pa-etype-info DER encoding of ETYPE-INFO - - 19 pa-etype-info2 DER encoding of ETYPE-INFO2 - - This field MAY also contain information needed by certain - extensions to the Kerberos protocol. For example, it might be used - to initially verify the identity of a client before any response - is returned. - - The padata field can also contain information needed to help the - KDC or the client select the key needed for generating or - decrypting the response. 
This form of the padata is useful for - supporting the use of certain token cards with Kerberos. The - details of such extensions are specified in separate documents. - See [Pat92] for additional uses of this field. - -5.2.7.1. PA-TGS-REQ - - In the case of requests for additional tickets (KRB_TGS_REQ), padata- - value will contain an encoded AP-REQ. The checksum in the - authenticator (which MUST be collision-proof) is to be computed over - the KDC-REQ-BODY encoding. - -5.2.7.2. Encrypted Timestamp Pre-authentication - - There are pre-authentication types that may be used to pre- - authenticate a client by means of an encrypted timestamp. - - - - -March 2003 [Page 60] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - PA-ENC-TIMESTAMP ::= EncryptedData -- PA-ENC-TS-ENC - - PA-ENC-TS-ENC ::= SEQUENCE { - patimestamp [0] KerberosTime -- client's time --, - pausec [1] Microseconds OPTIONAL - } - - Patimestamp contains the client's time, and pausec contains the - microseconds, which MAY be omitted if a client will not generate more - than one request per second. The ciphertext (padata-value) consists - of the PA-ENC-TS-ENC encoding, encrypted using the client's secret - key and a key usage value of 1. - - This pre-authentication type was not present in RFC 1510, but many - implementations support it. - -5.2.7.3. PA-PW-SALT - - The padata-value for this pre-authentication type contains the salt - for the string-to-key to be used by the client to obtain the key for - decrypting the encrypted part of an AS-REP message. Unfortunately, - for historical reasons, the character set to be used is unspecified - and probably locale-specific. - - This pre-authentication type was not present in RFC 1510, but many - implementations support it. It is necessary in any case where the - salt for the string-to-key algorithm is not the default. 
- - In the trivial example, a zero-length salt string is very commonplace - for realms that have converted their principal databases from - Kerberos 4. - - A KDC SHOULD NOT send PA-PW-SALT when issuing a KRB-ERROR message - that requests additional pre-authentication. Implementation note: - some KDC implementations issue an erroneous PA-PW-SALT when issuing a - KRB-ERROR message that requests additional pre-authentication. - Therefore, clients SHOULD ignore a PA-PW-SALT accompanying a KRB- - ERROR message that requests additional pre-authentication. - -5.2.7.4. PA-ETYPE-INFO - - The ETYPE-INFO pre-authentication type is sent by the KDC in a KRB- - ERROR indicating a requirement for additional pre-authentication. It - is usually used to notify a client of which key to use for the - encryption of an encrypted timestamp for the purposes of sending a - PA-ENC-TIMESTAMP pre-authentication value. It MAY also be sent in an - AS-REP to provide information to the client about which key salt to - use for the string-to-key to be used by the client to obtain the key - - - -March 2003 [Page 61] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - for decrypting the encrypted part the AS-REP. - - ETYPE-INFO-ENTRY ::= SEQUENCE { - etype [0] Int32, - salt [1] OCTET STRING OPTIONAL - } - - ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY - - The salt, like that of PA-PW-SALT, is also completely unspecified - with respect to character set and is probably locale-specific. - - If ETYPE-INFO is sent in an AS-REP, there shall be exactly one ETYPE- - INFO-ENTRY, and its etype shall match that of the enc-part in the AS- - REP. - - This pre-authentication type was not present in RFC 1510, but many - implementations that support encrypted timestamps for pre- - authentication need to support ETYPE-INFO as well. - -5.2.7.5. 
PA-ETYPE-INFO2 - - The ETYPE-INFO2 pre-authentication type is sent by the KDC in a KRB- - ERROR indicating a requirement for additional pre-authentication. It - is usually used to notify a client of which key to use for the - encryption of an encrypted timestamp for the purposes of sending a - PA-ENC-TIMESTAMP pre-authentication value. It MAY also be sent in an - AS-REP to provide information to the client about which key salt to - use for the string-to-key to be used by the client to obtain the key - for decrypting the encrypted part the AS-REP. - - ETYPE-INFO2-ENTRY ::= SEQUENCE { - etype [0] Int32, - salt [1] KerberosString OPTIONAL, - s2kparams [2] OCTET STRING OPTIONAL - } - - ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO-ENTRY - - The type of the salt is KerberosString, but existing installations - might have locale-specific characters stored in salt strings, and - implementors MAY choose to handle them. - - The interpretation of s2kparams is specified in the cryptosystem - description associated with the etype. Each cryptosystem has a - default interpretation of s2kparams that will hold if that element is - omitted from the encoding of ETYPE-INFO2-ENTRY. - - - - -March 2003 [Page 62] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - If ETYPE-INFO2 is sent in an AS-REP, there shall be exactly one - ETYPE-INFO2-ENTRY, and its etype shall match that of the enc-part in - the AS-REP. - - The preferred ordering of pre-authentication data that modify client - key selection is: ETYPE-INFO2, followed by ETYPE-INFO, followed by - PW-SALT. A KDC shall send all of these pre-authentication data that - it supports, in the preferred ordering, when issuing an AS-REP or - when issuing a KRB-ERROR requesting additional pre-authentication. - - The ETYPE-INFO2 pre-authentication type was not present in RFC 1510. - -5.2.8. KerberosFlags - - For several message types, a specific constrained bit string type, - KerberosFlags, is used. 
- - KerberosFlags ::= BIT STRING (SIZE (32..MAX)) -- minimum number of bits - -- shall be sent, but no fewer than 32 - - Compatibility note: the following paragraphs describe a change from - the RFC1510 description of bit strings that would result in - incompatility in the case of an implementation that strictly - conformed to ASN.1 DER and RFC1510. - - ASN.1 bit strings have multiple uses. The simplest use of a bit - string is to contain a vector of bits, with no particular meaning - attached to individual bits. This vector of bits is not necessarily a - multiple of eight bits long. The use in Kerberos of a bit string as - a compact boolean vector wherein each element has a distinct meaning - poses some problems. The natural notation for a compact boolean - vector is the ASN.1 "NamedBit" notation, and the DER require that - encodings of a bit string using "NamedBit" notation exclude any - trailing zero bits. This truncation is easy to neglect, especially - given C language implementations that naturally choose to store - boolean vectors as 32 bit integers. - - For example, if the notation for KDCOptions were to include the - "NamedBit" notation, as in RFC 1510, and a KDCOptions value to be - encoded had only the "forwardable" (bit number one) bit set, the DER - encoding MUST include only two bits: the first reserved bit - ("reserved", bit number zero, value zero) and the one-valued bit (bit - number one) for "forwardable". - - Most existing implementations of Kerberos unconditionally send 32 - bits on the wire when encoding bit strings used as boolean vectors. - This behavior violates the ASN.1 syntax used for flag values in RFC - 1510, but occurs on such a widely installed base that the protocol - - - -March 2003 [Page 63] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - description is being modified to accomodate it. 
- - Consequently, this document removes the "NamedBit" notations for - individual bits, relegating them to comments. The size constraint on - the KerberosFlags type requires that at least 32 bits be encoded at - all times, though a lenient implementation MAY choose to accept fewer - than 32 bits and to treat the missing bits as set to zero. - - Currently, no uses of KerberosFlags specify more than 32 bits worth - of flags, although future revisions of this document may do so. When - more than 32 bits are to be transmitted in a KerberosFlags value, - future revisions to this document will likely specify that the - smallest number of bits needed to encode the highest-numbered one- - valued bit should be sent. This is somewhat similar to the DER - encoding of a bit string that is declared with the "NamedBit" - notation. - -5.2.9. Cryptosystem-related Types - - Many Kerberos protocol messages contain an EncryptedData as a - container for arbitrary encrypted data, which is often the encrypted - encoding of another data type. Fields within EncryptedData assist the - recipient in selecting a key with which to decrypt the enclosed data. - - EncryptedData ::= SEQUENCE { - etype [0] Int32 -- EncryptionType --, - kvno [1] UInt32 OPTIONAL, - cipher [2] OCTET STRING -- ciphertext - } - - etype - This field identifies which encryption algorithm was used to - encipher the cipher. - - kvno - This field contains the version number of the key under which data - is encrypted. It is only present in messages encrypted under long - lasting keys, such as principals' secret keys. - - cipher - This field contains the enciphered text, encoded as an OCTET - STRING. (Note that the encryption mechanisms defined in - [@KCRYPTO] MUST incorporate integrity protection as well, so no - additional checksum is required.) - - The EncryptionKey type is the means by which cryptographic keys used - for encryption are transfered. - - - - -March 2003 [Page 64] - - - - - -Neuman, et al. 
draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - EncryptionKey ::= SEQUENCE { - keytype [0] Int32 -- actually encryption type --, - keyvalue [1] OCTET STRING - } - - keytype - This field specifies the encryption type of the encryption key - that follows in the keyvalue field. While its name is "keytype", - it actually specifies an encryption type. Previously, multiple - cryptosystems that performed encryption differently but were - capable of using keys with the same characteristics were permitted - to share an assigned number to designate the type of key; this - usage is now deprecated. - - keyvalue - This field contains the key itself, encoded as an octet string. - - Messages containing cleartext data to be authenticated will usually - do so by using a member of type Checksum. Most instances of Checksum - use a keyed hash, though exceptions will be noted. - - Checksum ::= SEQUENCE { - cksumtype [0] Int32, - checksum [1] OCTET STRING - } - - cksumtype - This field indicates the algorithm used to generate the - accompanying checksum. - - checksum - This field contains the checksum itself, encoded as an octet - string. - - See section 4 for a brief description of the use of encryption and - checksums in Kerberos. - -5.3. Tickets - - This section describes the format and encryption parameters for - tickets and authenticators. When a ticket or authenticator is - included in a protocol message it is treated as an opaque object. A - ticket is a record that helps a client authenticate to a service. A - Ticket contains the following information: - - Ticket ::= [APPLICATION 1] SEQUENCE { - tkt-vno [0] INTEGER (5), - realm [1] Realm, - - - -March 2003 [Page 65] - - - - - -Neuman, et al. 
draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - sname [2] PrincipalName, - enc-part [3] EncryptedData -- EncTicketPart - } - - -- Encrypted part of ticket - EncTicketPart ::= [APPLICATION 3] SEQUENCE { - flags [0] TicketFlags, - key [1] EncryptionKey, - crealm [2] Realm, - cname [3] PrincipalName, - transited [4] TransitedEncoding, - authtime [5] KerberosTime, - starttime [6] KerberosTime OPTIONAL, - endtime [7] KerberosTime, - renew-till [8] KerberosTime OPTIONAL, - caddr [9] HostAddresses OPTIONAL, - authorization-data [10] AuthorizationData OPTIONAL - } - - -- encoded Transited field - TransitedEncoding ::= SEQUENCE { - tr-type [0] Int32 -- must be registered --, - contents [1] OCTET STRING - } - - TicketFlags ::= KerberosFlags - -- reserved(0), - -- forwardable(1), - -- forwarded(2), - -- proxiable(3), - -- proxy(4), - -- may-postdate(5), - -- postdated(6), - -- invalid(7), - -- renewable(8), - -- initial(9), - -- pre-authent(10), - -- hw-authent(11), - -- the following are new since 1510 - -- transited-policy-checked(12), - -- ok-as-delegate(13) - - tkt-vno - This field specifies the version number for the ticket format. - This document describes version number 5. - - realm - This field specifies the realm that issued a ticket. It also - - - -March 2003 [Page 66] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - serves to identify the realm part of the server's principal - identifier. Since a Kerberos server can only issue tickets for - servers within its realm, the two will always be identical. - - sname - This field specifies all components of the name part of the - server's identity, including those parts that identify a specific - instance of a service. - - enc-part - This field holds the encrypted encoding of the EncTicketPart - sequence. It is encrypted in the key shared by Kerberos and the - end server (the server's secret key), using a key usage value of - 2. 
- - flags - This field indicates which of various options were used or - requested when the ticket was issued. The meanings of the flags - are: - - Bit(s) Name Description - - 0 reserved Reserved for future expansion of this - field. - - The FORWARDABLE flag is normally only - interpreted by the TGS, and can be - ignored by end servers. When set, this - 1 forwardable flag tells the ticket-granting server - that it is OK to issue a new - ticket-granting ticket with a - different network address based on the - presented ticket. - - When set, this flag indicates that the - ticket has either been forwarded or - 2 forwarded was issued based on authentication - involving a forwarded ticket-granting - ticket. - - The PROXIABLE flag is normally only - interpreted by the TGS, and can be - ignored by end servers. The PROXIABLE - flag has an interpretation identical - 3 proxiable to that of the FORWARDABLE flag, - except that the PROXIABLE flag tells - the ticket-granting server that only - non-ticket-granting tickets may be - - - -March 2003 [Page 67] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - issued with different network - addresses. - - 4 proxy When set, this flag indicates that a - ticket is a proxy. - - The MAY-POSTDATE flag is normally only - interpreted by the TGS, and can be - 5 may-postdate ignored by end servers. This flag - tells the ticket-granting server that - a post-dated ticket MAY be issued - based on this ticket-granting ticket. - - This flag indicates that this ticket - has been postdated. The end-service - 6 postdated can check the authtime field to see - when the original authentication - occurred. - - This flag indicates that a ticket is - invalid, and it must be validated by - 7 invalid the KDC before use. Application - servers must reject tickets which have - this flag set. 
- - The RENEWABLE flag is normally only - interpreted by the TGS, and can - usually be ignored by end servers - 8 renewable (some particularly careful servers MAY - disallow renewable tickets). A - renewable ticket can be used to obtain - a replacement ticket that expires at a - later date. - - This flag indicates that this ticket - 9 initial was issued using the AS protocol, and - not issued based on a ticket-granting - ticket. - - This flag indicates that during - initial authentication, the client was - authenticated by the KDC before a - 10 pre-authent ticket was issued. The strength of the - pre-authentication method is not - indicated, but is acceptable to the - KDC. - - This flag indicates that the protocol - - - -March 2003 [Page 68] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - employed for initial authentication - required the use of hardware expected - 11 hw-authent to be possessed solely by the named - client. The hardware authentication - method is selected by the KDC and the - strength of the method is not - indicated. - - This flag indicates that the KDC for - the realm has checked the transited - field against a realm defined policy - for trusted certifiers. If this flag - is reset (0), then the application - server must check the transited field - itself, and if unable to do so it must - reject the authentication. If the flag - 12 transited- is set (1) then the application server - policy-checked MAY skip its own validation of the - transited field, relying on the - validation performed by the KDC. At - its option the application server MAY - still apply its own validation based - on a separate policy for acceptance. - - This flag is new since RFC 1510. - - This flag indicates that the server - (not the client) specified in the - ticket has been determined by policy - of the realm to be a suitable - recipient of delegation. 
A client can - use the presence of this flag to help - it make a decision whether to delegate - credentials (either grant a proxy or a - forwarded ticket-granting ticket) to - 13 ok-as-delegate this server. The client is free to - ignore the value of this flag. When - setting this flag, an administrator - should consider the Security and - placement of the server on which the - service will run, as well as whether - the service requires the use of - delegated credentials. - - This flag is new since RFC 1510. - - 14-31 reserved Reserved for future use. - - - - -March 2003 [Page 69] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - key - This field exists in the ticket and the KDC response and is used - to pass the session key from Kerberos to the application server - and the client. - - crealm - This field contains the name of the realm in which the client is - registered and in which initial authentication took place. - - cname - This field contains the name part of the client's principal - identifier. - - transited - This field lists the names of the Kerberos realms that took part - in authenticating the user to whom this ticket was issued. It does - not specify the order in which the realms were transited. See - section 3.3.3.2 for details on how this field encodes the - traversed realms. When the names of CA's are to be embedded in - the transited field (as specified for some extensions to the - protocol), the X.500 names of the CA's SHOULD be mapped into items - in the transited field using the mapping defined by RFC2253. - - authtime - This field indicates the time of initial authentication for the - named principal. It is the time of issue for the original ticket - on which this ticket is based. It is included in the ticket to - provide additional information to the end service, and to provide - the necessary information for implementation of a `hot list' - service at the KDC. 
An end service that is particularly paranoid - could refuse to accept tickets for which the initial - authentication occurred "too far" in the past. This field is also - returned as part of the response from the KDC. When returned as - part of the response to initial authentication (KRB_AS_REP), this - is the current time on the Kerberos server. It is NOT recommended - that this time value be used to adjust the workstation's clock - since the workstation cannot reliably determine that such a - KRB_AS_REP actually came from the proper KDC in a timely manner. - - - starttime - - This field in the ticket specifies the time after which the ticket - is valid. Together with endtime, this field specifies the life of - the ticket. If the starttime field is absent from the ticket, then - the authtime field SHOULD be used in its place to determine the - life of the ticket. - - - - -March 2003 [Page 70] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - endtime - This field contains the time after which the ticket will not be - honored (its expiration time). Note that individual services MAY - place their own limits on the life of a ticket and MAY reject - tickets which have not yet expired. As such, this is really an - upper bound on the expiration time for the ticket. - - renew-till - This field is only present in tickets that have the RENEWABLE flag - set in the flags field. It indicates the maximum endtime that may - be included in a renewal. It can be thought of as the absolute - expiration time for the ticket, including all renewals. - - caddr - This field in a ticket contains zero (if omitted) or more (if - present) host addresses. These are the addresses from which the - ticket can be used. If there are no addresses, the ticket can be - used from any location. 
The decision by the KDC to issue or by the - end server to accept addressless tickets is a policy decision and - is left to the Kerberos and end-service administrators; they MAY - refuse to issue or accept such tickets. Because of the wide - deployment of network address translation, it is recommended that - policy allow the issue and acceptance of such tickets. - - Network addresses are included in the ticket to make it harder for - an attacker to use stolen credentials. Because the session key is - not sent over the network in cleartext, credentials can't be - stolen simply by listening to the network; an attacker has to gain - access to the session key (perhaps through operating system - security breaches or a careless user's unattended session) to make - use of stolen tickets. - - It is important to note that the network address from which a - connection is received cannot be reliably determined. Even if it - could be, an attacker who has compromised the client's workstation - could use the credentials from there. Including the network - addresses only makes it more difficult, not impossible, for an - attacker to walk off with stolen credentials and then use them - from a "safe" location. - - authorization-data - The authorization-data field is used to pass authorization data - from the principal on whose behalf a ticket was issued to the - application service. If no authorization data is included, this - field will be left out. Experience has shown that the name of this - field is confusing, and that a better name for this field would be - restrictions. Unfortunately, it is not possible to change the name - of this field at this time. - - - -March 2003 [Page 71] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - This field contains restrictions on any authority obtained on the - basis of authentication using the ticket. 
It is possible for any - principal in posession of credentials to add entries to the - authorization data field since these entries further restrict what - can be done with the ticket. Such additions can be made by - specifying the additional entries when a new ticket is obtained - during the TGS exchange, or they MAY be added during chained - delegation using the authorization data field of the - authenticator. - - Because entries may be added to this field by the holder of - credentials, except when an entry is separately authenticated by - encapsulation in the KDC-issued element, it is not allowable for - the presence of an entry in the authorization data field of a - ticket to amplify the privileges one would obtain from using a - ticket. - - The data in this field may be specific to the end service; the - field will contain the names of service specific objects, and the - rights to those objects. The format for this field is described in - section 5.2.6. Although Kerberos is not concerned with the format - of the contents of the sub-fields, it does carry type information - (ad-type). - - By using the authorization_data field, a principal is able to - issue a proxy that is valid for a specific purpose. For example, a - client wishing to print a file can obtain a file server proxy to - be passed to the print server. By specifying the name of the file - in the authorization_data field, the file server knows that the - print server can only use the client's rights when accessing the - particular file to be printed. - - A separate service providing authorization or certifying group - membership may be built using the authorization-data field. In - this case, the entity granting authorization (not the authorized - entity), may obtain a ticket in its own name (e.g. the ticket is - issued in the name of a privilege server), and this entity adds - restrictions on its own authority and delegates the restricted - authority through a proxy to the client. 
The client would then - present this authorization credential to the application server - separately from the authentication exchange. Alternatively, such - authorization credentials MAY be embedded in the ticket - authenticating the authorized entity, when the authorization is - separately authenticated using the KDC-issued authorization data - element (see 5.2.6.2). - - Similarly, if one specifies the authorization-data field of a - proxy and leaves the host addresses blank, the resulting ticket - - - -March 2003 [Page 72] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - and session key can be treated as a capability. See [Neu93] for - some suggested uses of this field. - - The authorization-data field is optional and does not have to be - included in a ticket. - -5.4. Specifications for the AS and TGS exchanges - - This section specifies the format of the messages used in the - exchange between the client and the Kerberos server. The format of - possible error messages appears in section 5.9.1. - -5.4.1. KRB_KDC_REQ definition - - The KRB_KDC_REQ message has no application tag number of its own. - Instead, it is incorporated into one of KRB_AS_REQ or KRB_TGS_REQ, - which each have an application tag, depending on whether the request - is for an initial ticket or an additional ticket. In either case, the - message is sent from the client to the KDC to request credentials for - a service. 
- - The message fields are: - - AS-REQ ::= [APPLICATION 10] KDC-REQ - - TGS-REQ ::= [APPLICATION 12] KDC-REQ - - KDC-REQ ::= SEQUENCE { - -- NOTE: first tag is [1], not [0] - pvno [1] INTEGER (5) , - msg-type [2] INTEGER (10 -- AS -- | 12 -- TGS --), - padata [3] SEQUENCE OF PA-DATA OPTIONAL - -- NOTE: not empty --, - req-body [4] KDC-REQ-BODY - } - - KDC-REQ-BODY ::= SEQUENCE { - kdc-options [0] KDCOptions, - cname [1] PrincipalName OPTIONAL - -- Used only in AS-REQ --, - realm [2] Realm - -- Server's realm - -- Also client's in AS-REQ --, - sname [3] PrincipalName OPTIONAL, - from [4] KerberosTime OPTIONAL, - till [5] KerberosTime, - rtime [6] KerberosTime OPTIONAL, - nonce [7] UInt32, - - - -March 2003 [Page 73] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - etype [8] SEQUENCE OF Int32 -- EncryptionType - -- in preference order --, - addresses [9] HostAddresses OPTIONAL, - enc-authorization-data [10] EncryptedData -- AuthorizationData --, - additional-tickets [11] SEQUENCE OF Ticket OPTIONAL - -- NOTE: not empty - } - - KDCOptions ::= KerberosFlags - -- reserved(0), - -- forwardable(1), - -- forwarded(2), - -- proxiable(3), - -- proxy(4), - -- allow-postdate(5), - -- postdated(6), - -- unused7(7), - -- renewable(8), - -- unused9(9), - -- unused10(10), - -- opt-hardware-auth(11), - -- unused12(12), - -- unused13(13), - -- 15 is reserved for canonicalize - -- unused15(15), - -- 26 was unused in 1510 - -- disable-transited-check(26), - -- - -- renewable-ok(27), - -- enc-tkt-in-skey(28), - -- renew(30), - -- validate(31) - - The fields in this message are: - - pvno - This field is included in each message, and specifies the protocol - version number. This document specifies protocol version 5. - - msg-type - This field indicates the type of a protocol message. It will - almost always be the same as the application identifier associated - with a message. 
It is included to make the identifier more readily - accessible to the application. For the KDC-REQ message, this type - will be KRB_AS_REQ or KRB_TGS_REQ. - - padata - Contains pre-authentication data. Requests for additional tickets - - - -March 2003 [Page 74] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - (KRB_TGS_REQ) MUST contain a padata of PA-TGS-REQ. - - The padata (pre-authentication data) field contains a sequence of - authentication information which may be needed before credentials - can be issued or decrypted. - - req-body - This field is a placeholder delimiting the extent of the remaining - fields. If a checksum is to be calculated over the request, it is - calculated over an encoding of the KDC-REQ-BODY sequence which is - enclosed within the req-body field. - - kdc-options - This field appears in the KRB_AS_REQ and KRB_TGS_REQ requests to - the KDC and indicates the flags that the client wants set on the - tickets as well as other information that is to modify the - behavior of the KDC. Where appropriate, the name of an option may - be the same as the flag that is set by that option. Although in - most case, the bit in the options field will be the same as that - in the flags field, this is not guaranteed, so it is not - acceptable to simply copy the options field to the flags field. - There are various checks that must be made before honoring an - option anyway. - - The kdc_options field is a bit-field, where the selected options - are indicated by the bit being set (1), and the unselected options - and reserved fields being reset (0). The encoding of the bits is - specified in section 5.2. The options are described in more detail - above in section 2. The meanings of the options are: - - Bits Name Description - - 0 RESERVED Reserved for future expansion of - this field. - - The FORWARDABLE option indicates - that the ticket to be issued is to - have its forwardable flag set. 
It - 1 FORWARDABLE may only be set on the initial - request, or in a subsequent request - if the ticket-granting ticket on - which it is based is also - forwardable. - - The FORWARDED option is only - specified in a request to the - ticket-granting server and will only - be honored if the ticket-granting - - - -March 2003 [Page 75] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - ticket in the request has its - 2 FORWARDED FORWARDABLE bit set. This option - indicates that this is a request for - forwarding. The address(es) of the - host from which the resulting ticket - is to be valid are included in the - addresses field of the request. - - The PROXIABLE option indicates that - the ticket to be issued is to have - its proxiable flag set. It may only - 3 PROXIABLE be set on the initial request, or in - a subsequent request if the - ticket-granting ticket on which it - is based is also proxiable. - - The PROXY option indicates that this - is a request for a proxy. This - option will only be honored if the - ticket-granting ticket in the - 4 PROXY request has its PROXIABLE bit set. - The address(es) of the host from - which the resulting ticket is to be - valid are included in the addresses - field of the request. - - The ALLOW-POSTDATE option indicates - that the ticket to be issued is to - have its MAY-POSTDATE flag set. It - 5 ALLOW-POSTDATE may only be set on the initial - request, or in a subsequent request - if the ticket-granting ticket on - which it is based also has its - MAY-POSTDATE flag set. - - The POSTDATED option indicates that - this is a request for a postdated - ticket. This option will only be - honored if the ticket-granting - ticket on which it is based has its - 6 POSTDATED MAY-POSTDATE flag set. The resulting - ticket will also have its INVALID - flag set, and that flag may be reset - by a subsequent request to the KDC - after the starttime in the ticket - has been reached. 
- - 7 RESERVED This option is presently unused. - - - -March 2003 [Page 76] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - The RENEWABLE option indicates that - the ticket to be issued is to have - its RENEWABLE flag set. It may only - be set on the initial request, or - when the ticket-granting ticket on - 8 RENEWABLE which the request is based is also - renewable. If this option is - requested, then the rtime field in - the request contains the desired - absolute expiration time for the - ticket. - - 9 RESERVED Reserved for PK-Cross - - 10 RESERVED Reserved for future use. - - 11 RESERVED Reserved for opt-hardware-auth. - - 12-25 RESERVED Reserved for future use. - - By default the KDC will check the - transited field of a - ticket-granting-ticket against the - policy of the local realm before it - will issue derivative tickets based - on the ticket-granting ticket. If - this flag is set in the request, - checking of the transited field is - disabled. Tickets issued without the - 26 DISABLE-TRANSITED-CHECK performance of this check will be - noted by the reset (0) value of the - TRANSITED-POLICY-CHECKED flag, - indicating to the application server - that the tranisted field must be - checked locally. KDCs are - encouraged but not required to honor - the DISABLE-TRANSITED-CHECK option. - - This flag is new since RFC 1510 - - The RENEWABLE-OK option indicates - that a renewable ticket will be - acceptable if a ticket with the - requested life cannot otherwise be - provided. If a ticket with the - requested life cannot be provided, - 27 RENEWABLE-OK then a renewable ticket may be - issued with a renew-till equal to - - - -March 2003 [Page 77] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - the requested endtime. The value - of the renew-till field may still be - limited by local limits, or limits - selected by the individual principal - or server. 
- - This option is used only by the - ticket-granting service. The - ENC-TKT-IN-SKEY option indicates - 28 ENC-TKT-IN-SKEY that the ticket for the end server - is to be encrypted in the session - key from the additional - ticket-granting ticket provided. - - 29 RESERVED Reserved for future use. - - This option is used only by the - ticket-granting service. The RENEW - option indicates that the present - request is for a renewal. The ticket - provided is encrypted in the secret - key for the server on which it is - 30 RENEW valid. This option will only be - honored if the ticket to be renewed - has its RENEWABLE flag set and if - the time in its renew-till field has - not passed. The ticket to be renewed - is passed in the padata field as - part of the authentication header. - - This option is used only by the - ticket-granting service. The - VALIDATE option indicates that the - request is to validate a postdated - ticket. It will only be honored if - the ticket presented is postdated, - presently has its INVALID flag set, - 31 VALIDATE and would be otherwise usable at - this time. A ticket cannot be - validated before its starttime. The - ticket presented for validation is - encrypted in the key of the server - for which it is valid and is passed - in the padata field as part of the - authentication header. - cname and sname - These fields are the same as those described for the ticket in - section 5.3. The sname may only be absent when the ENC-TKT-IN-SKEY - - - -March 2003 [Page 78] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - option is specified. If absent, the name of the server is taken - from the name of the client in the ticket passed as additional- - tickets. 
- - enc-authorization-data - The enc-authorization-data, if present (and it can only be present - in the TGS_REQ form), is an encoding of the desired authorization- - data encrypted under the sub-session key if present in the - Authenticator, or alternatively from the session key in the - ticket-granting ticket (both the Authenticator and ticket-granting - ticket come from the padata field in the KRB_TGS_REQ). The key - usage value used when encrypting is 5 if a sub-session key is - used, or 4 if the session key is used. - - realm - This field specifies the realm part of the server's principal - identifier. In the AS exchange, this is also the realm part of the - client's principal identifier. - - from - This field is included in the KRB_AS_REQ and KRB_TGS_REQ ticket - requests when the requested ticket is to be postdated. It - specifies the desired start time for the requested ticket. If this - field is omitted then the KDC SHOULD use the current time instead. - - till - This field contains the expiration date requested by the client in - a ticket request. It is not optional, but if the requested endtime - is "19700101000000Z", the requested ticket is to have the maximum - endtime permitted according to KDC policy. Implementation note: - This special timestamp corresponds to a UNIX time_t value of zero - on most systems. - - rtime - This field is the requested renew-till time sent from a client to - the KDC in a ticket request. It is optional. - - nonce - This field is part of the KDC request and response. It is intended - to hold a random number generated by the client. If the same - number is included in the encrypted response from the KDC, it - provides evidence that the response is fresh and has not been - replayed by an attacker. Nonces MUST NEVER be reused. - - etype - This field specifies the desired encryption algorithm to be used - in the response. - - - - -March 2003 [Page 79] - - - - - -Neuman, et al. 
draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - addresses - This field is included in the initial request for tickets, and - optionally included in requests for additional tickets from the - ticket-granting server. It specifies the addresses from which the - requested ticket is to be valid. Normally it includes the - addresses for the client's host. If a proxy is requested, this - field will contain other addresses. The contents of this field are - usually copied by the KDC into the caddr field of the resulting - ticket. - - additional-tickets - Additional tickets MAY be optionally included in a request to the - ticket-granting server. If the ENC-TKT-IN-SKEY option has been - specified, then the session key from the additional ticket will be - used in place of the server's key to encrypt the new ticket. When - the ENC-TKT-IN-SKEY option is used for user-to-user - authentication, this addional ticket MAY be a TGT issued by the - local realm or an inter-realm TGT issued for the current KDC's - realm by a remote KDC. If more than one option which requires - additional tickets has been specified, then the additional tickets - are used in the order specified by the ordering of the options - bits (see kdc-options, above). - - The application tag number will be either ten (10) or twelve (12) - depending on whether the request is for an initial ticket (AS-REQ) or - for an additional ticket (TGS-REQ). - - The optional fields (addresses, authorization-data and additional- - tickets) are only included if necessary to perform the operation - specified in the kdc-options field. - - It should be noted that in KRB_TGS_REQ, the protocol version number - appears twice and two different message types appear: the KRB_TGS_REQ - message contains these fields as does the authentication header - (KRB_AP_REQ) that is passed in the padata field. - -5.4.2. 
KRB_KDC_REP definition - - The KRB_KDC_REP message format is used for the reply from the KDC for - either an initial (AS) request or a subsequent (TGS) request. There - is no message type for KRB_KDC_REP. Instead, the type will be either - KRB_AS_REP or KRB_TGS_REP. The key used to encrypt the ciphertext - part of the reply depends on the message type. For KRB_AS_REP, the - ciphertext is encrypted in the client's secret key, and the client's - key version number is included in the key version number for the - encrypted data. For KRB_TGS_REP, the ciphertext is encrypted in the - sub-session key from the Authenticator, or if absent, the session key - from the ticket-granting ticket used in the request. In that case, - - - -March 2003 [Page 80] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - no version number will be present in the EncryptedData sequence. - - The KRB_KDC_REP message contains the following fields: - - AS-REP ::= [APPLICATION 11] KDC-REP - - TGS-REP ::= [APPLICATION 13] KDC-REP - - KDC-REP ::= SEQUENCE { - pvno [0] INTEGER (5), - msg-type [1] INTEGER (11 -- AS -- | 13 -- TGS --), - padata [2] SEQUENCE OF PA-DATA OPTIONAL - -- NOTE: not empty --, - crealm [3] Realm, - cname [4] PrincipalName, - ticket [5] Ticket, - enc-part [6] EncryptedData - -- EncASRepPart or EncTGSRepPart, - -- as appropriate - } - - EncASRepPart ::= [APPLICATION 25] EncKDCRepPart - - EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart - - EncKDCRepPart ::= SEQUENCE { - key [0] EncryptionKey, - last-req [1] LastReq, - nonce [2] UInt32, - key-expiration [3] KerberosTime OPTIONAL, - flags [4] TicketFlags, - authtime [5] KerberosTime, - starttime [6] KerberosTime OPTIONAL, - endtime [7] KerberosTime, - renew-till [8] KerberosTime OPTIONAL, - srealm [9] Realm, - sname [10] PrincipalName, - caddr [11] HostAddresses OPTIONAL - } - - LastReq ::= SEQUENCE OF SEQUENCE { - lr-type [0] Int32, - lr-value [1] KerberosTime - } - - pvno and msg-type - These 
fields are described above in section 5.4.1. msg-type is - either KRB_AS_REP or KRB_TGS_REP. - - - -March 2003 [Page 81] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - padata - This field is described in detail in section 5.4.1. One possible - use for this field is to encode an alternate "salt" string to be - used with a string-to-key algorithm. This ability is useful to - ease transitions if a realm name needs to change (e.g. when a - company is acquired); in such a case all existing password-derived - entries in the KDC database would be flagged as needing a special - salt string until the next password change. - - crealm, cname, srealm and sname - These fields are the same as those described for the ticket in - section 5.3. - - ticket - The newly-issued ticket, from section 5.3. - - enc-part - This field is a place holder for the ciphertext and related - information that forms the encrypted part of a message. The - description of the encrypted part of the message follows each - appearance of this field. - - The key usage value for encrypting this field is 3 in an AS-REP - message, using the client's long-term key or another key selected - via pre-authentication mechanisms. In a TGS-REP message, the key - usage value is 8 if the TGS session key is used, or 9 if a TGS - authenticator subkey is used. - - Compatibility note: Some implementations unconditionally send an - encrypted EncTGSRepPart (application tag number 26) in this field - regardless of whether the reply is a AS-REP or a TGS-REP. In the - interests of compatibility, implementors MAY relax the check on - the tag number of the decrypted ENC-PART. - - key - This field is the same as described for the ticket in section 5.3. - - last-req - This field is returned by the KDC and specifies the time(s) of the - last request by a principal. 
Depending on what information is - available, this might be the last time that a request for a - ticket-granting ticket was made, or the last time that a request - based on a ticket-granting ticket was successful. It also might - cover all servers for a realm, or just the particular server. Some - implementations MAY display this information to the user to aid in - discovering unauthorized use of one's identity. It is similar in - spirit to the last login time displayed when logging into - timesharing systems. - - - -March 2003 [Page 82] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - lr-type - This field indicates how the following lr-value field is to be - interpreted. Negative values indicate that the information - pertains only to the responding server. Non-negative values - pertain to all servers for the realm. - - If the lr-type field is zero (0), then no information is - conveyed by the lr-value subfield. If the absolute value of the - lr-type field is one (1), then the lr-value subfield is the - time of last initial request for a TGT. If it is two (2), then - the lr-value subfield is the time of last initial request. If - it is three (3), then the lr-value subfield is the time of - issue for the newest ticket-granting ticket used. If it is four - (4), then the lr-value subfield is the time of the last - renewal. If it is five (5), then the lr-value subfield is the - time of last request (of any type). If it is (6), then the lr- - value subfield is the time when the password will expire. If - it is (7), then the lr-value subfield is the time when the - account will expire. - - lr-value - This field contains the time of the last request. The time MUST - be interpreted according to the contents of the accompanying - lr-type subfield. - - nonce - This field is described above in section 5.4.1. 
- - key-expiration - The key-expiration field is part of the response from the KDC and - specifies the time that the client's secret key is due to expire. - The expiration might be the result of password aging or an account - expiration. If present, it SHOULD be set to the earliest of the - user's key expiration and account expiration. The use of this - field is deprecated and the last-req field SHOULD be used to - convey this information instead. This field will usually be left - out of the TGS reply since the response to the TGS request is - encrypted in a session key and no client information need be - retrieved from the KDC database. It is up to the application - client (usually the login program) to take appropriate action - (such as notifying the user) if the expiration time is imminent. - - flags, authtime, starttime, endtime, renew-till and caddr - These fields are duplicates of those found in the encrypted - portion of the attached ticket (see section 5.3), provided so the - client MAY verify they match the intended request and to assist in - proper ticket caching. If the message is of type KRB_TGS_REP, the - caddr field will only be filled in if the request was for a proxy - - - -March 2003 [Page 83] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - or forwarded ticket, or if the user is substituting a subset of - the addresses from the ticket-granting ticket. If the client- - requested addresses are not present or not used, then the - addresses contained in the ticket will be the same as those - included in the ticket-granting ticket. - -5.5. Client/Server (CS) message specifications - - This section specifies the format of the messages used for the - authentication of the client to the application server. - -5.5.1. 
KRB_AP_REQ definition - - The KRB_AP_REQ message contains the Kerberos protocol version number, - the message type KRB_AP_REQ, an options field to indicate any options - in use, and the ticket and authenticator themselves. The KRB_AP_REQ - message is often referred to as the 'authentication header'. - - AP-REQ ::= [APPLICATION 14] SEQUENCE { - pvno [0] INTEGER (5), - msg-type [1] INTEGER (14), - ap-options [2] APOptions, - ticket [3] Ticket, - authenticator [4] EncryptedData -- Authenticator - } - - APOptions ::= KerberosFlags - -- reserved(0), - -- use-session-key(1), - -- mutual-required(2) - - pvno and msg-type - These fields are described above in section 5.4.1. msg-type is - KRB_AP_REQ. - - ap-options - This field appears in the application request (KRB_AP_REQ) and - affects the way the request is processed. It is a bit-field, where - the selected options are indicated by the bit being set (1), and - the unselected options and reserved fields being reset (0). The - encoding of the bits is specified in section 5.2. The meanings of - the options are: - - Bit(s) Name Description - - 0 reserved Reserved for future expansion of this field. - - The USE-SESSION-KEY option indicates that the - - - -March 2003 [Page 84] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - ticket the client is presenting to a server - 1 use-session-key is encrypted in the session key from the - server's ticket-granting ticket. When this - option is not specified, the ticket is - encrypted in the server's secret key. - - The MUTUAL-REQUIRED option tells the server - 2 mutual-required that the client requires mutual - authentication, and that it must respond with - a KRB_AP_REP message. - - 3-31 reserved Reserved for future use. - - ticket - This field is a ticket authenticating the client to the server. - - authenticator - This contains the encrypted authenticator, which includes the - client's choice of a subkey. 
- - The encrypted authenticator is included in the AP-REQ; it certifies - to a server that the sender has recent knowledge of the encryption - key in the accompanying ticket, to help the server detect replays. It - also assists in the selection of a "true session key" to use with the - particular session. The DER encoding of the following is encrypted - in the ticket's session key, with a key usage value of 11 in normal - application exchanges, or 7 when used as the PA-TGS-REQ PA-DATA field - of a TGS-REQ exchange (see section 5.4.1): - - -- Unencrypted authenticator - Authenticator ::= [APPLICATION 2] SEQUENCE { - authenticator-vno [0] INTEGER (5), - crealm [1] Realm, - cname [2] PrincipalName, - cksum [3] Checksum OPTIONAL, - cusec [4] Microseconds, - ctime [5] KerberosTime, - subkey [6] EncryptionKey OPTIONAL, - seq-number [7] UInt32 OPTIONAL, - authorization-data [8] AuthorizationData OPTIONAL - } - - authenticator-vno - This field specifies the version number for the format of the - authenticator. This document specifies version 5. - - crealm and cname - These fields are the same as those described for the ticket in - - - -March 2003 [Page 85] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - section 5.3. - - cksum - This field contains a checksum of the application data that - accompanies the KRB_AP_REQ, computed using a key usage value of 10 - in normal application exchanges, or 6 when used in the TGS-REQ PA- - TGS-REQ AP-DATA field. - - cusec - This field contains the microsecond part of the client's - timestamp. Its value (before encryption) ranges from 0 to 999999. - It often appears along with ctime. The two fields are used - together to specify a reasonably accurate timestamp. - - ctime - This field contains the current time on the client's host. - - subkey - This field contains the client's choice for an encryption key - which is to be used to protect this specific application session. 
- Unless an application specifies otherwise, if this field is left - out the session key from the ticket will be used. - - seq-number - This optional field includes the initial sequence number to be - used by the KRB_PRIV or KRB_SAFE messages when sequence numbers - are used to detect replays (It may also be used by application - specific messages). When included in the authenticator this field - specifies the initial sequence number for messages from the client - to the server. When included in the AP-REP message, the initial - sequence number is that for messages from the server to the - client. When used in KRB_PRIV or KRB_SAFE messages, it is - incremented by one after each message is sent. Sequence numbers - fall in the range of 0 through 2^32 - 1 and wrap to zero following - the value 2^32 - 1. - - For sequence numbers to adequately support the detection of - replays they SHOULD be non-repeating, even across connection - boundaries. The initial sequence number SHOULD be random and - uniformly distributed across the full space of possible sequence - numbers, so that it cannot be guessed by an attacker and so that - it and the successive sequence numbers do not repeat other - sequences. - - Implmentation note: historically, some implementations transmit - signed twos-complement numbers for sequence numbers. In the - interests of compatibility, implementations MAY accept the - equivalent negative number where a positive number greater than - - - -March 2003 [Page 86] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - 2^31 - 1 is expected. - - Implementation note: as noted before, some implementations omit - the optional sequence number when its value would be zero. - Implementations MAY accept an omitted sequence number when - expecting a value of zero, and SHOULD NOT transmit an - Authenticator with a initial sequence number of zero. - - authorization-data - This field is the same as described for the ticket in section 5.3. 
- It is optional and will only appear when additional restrictions - are to be placed on the use of a ticket, beyond those carried in - the ticket itself. - -5.5.2. KRB_AP_REP definition - - The KRB_AP_REP message contains the Kerberos protocol version number, - the message type, and an encrypted time-stamp. The message is sent in - response to an application request (KRB_AP_REQ) where the mutual - authentication option has been selected in the ap-options field. - - AP-REP ::= [APPLICATION 15] SEQUENCE { - pvno [0] INTEGER (5), - msg-type [1] INTEGER (15), - enc-part [2] EncryptedData -- EncAPRepPart - } - - EncAPRepPart ::= [APPLICATION 27] SEQUENCE { - ctime [0] KerberosTime, - cusec [1] Microseconds, - subkey [2] EncryptionKey OPTIONAL, - seq-number [3] UInt32 OPTIONAL - } - - The encoded EncAPRepPart is encrypted in the shared session key of - the ticket. The optional subkey field can be used in an application- - arranged negotiation to choose a per association session key. - - pvno and msg-type - These fields are described above in section 5.4.1. msg-type is - KRB_AP_REP. - - enc-part - This field is described above in section 5.4.2. It is computed - with a key usage value of 12. - - ctime - This field contains the current time on the client's host. - - - -March 2003 [Page 87] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - cusec - This field contains the microsecond part of the client's - timestamp. - - subkey - This field contains an encryption key which is to be used to - protect this specific application session. See section 3.2.6 for - specifics on how this field is used to negotiate a key. Unless an - application specifies otherwise, if this field is left out, the - sub-session key from the authenticator, or if also left out, the - session key from the ticket will be used. - - seq-number - This field is described above in section 5.3.2. - -5.5.3. 
Error message reply - - If an error occurs while processing the application request, the - KRB_ERROR message will be sent in response. See section 5.9.1 for the - format of the error message. The cname and crealm fields MAY be left - out if the server cannot determine their appropriate values from the - corresponding KRB_AP_REQ message. If the authenticator was - decipherable, the ctime and cusec fields will contain the values from - it. - -5.6. KRB_SAFE message specification - - This section specifies the format of a message that can be used by - either side (client or server) of an application to send a tamper- - proof message to its peer. It presumes that a session key has - previously been exchanged (for example, by using the - KRB_AP_REQ/KRB_AP_REP messages). - -5.6.1. KRB_SAFE definition - - The KRB_SAFE message contains user data along with a collision-proof - checksum keyed with the last encryption key negotiated via subkeys, - or the session key if no negotiation has occurred. The message fields - are: - - KRB-SAFE ::= [APPLICATION 20] SEQUENCE { - pvno [0] INTEGER (5), - msg-type [1] INTEGER (20), - safe-body [2] KRB-SAFE-BODY, - cksum [3] Checksum - } - - KRB-SAFE-BODY ::= SEQUENCE { - - - -March 2003 [Page 88] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - user-data [0] OCTET STRING, - timestamp [1] KerberosTime OPTIONAL, - usec [2] Microseconds OPTIONAL, - seq-number [3] UInt32 OPTIONAL, - s-address [4] HostAddress, - r-address [5] HostAddress OPTIONAL - } - - pvno and msg-type - These fields are described above in section 5.4.1. msg-type is - KRB_SAFE. - - safe-body - This field is a placeholder for the body of the KRB-SAFE message. - - cksum - This field contains the checksum of the application data, computed - with a key usage value of 15. - - The checksum is computed over the encoding of the KRB-SAFE - sequence. 
First, the cksum is set to a type zero, zero-length - value and the checksum is computed over the encoding of the KRB- - SAFE sequence, then the checksum is set to the result of that - computation, and finally the KRB-SAFE sequence is encoded again. - This method, while different than the one specified in RFC 1510, - corresponds to existing practice. - - user-data - This field is part of the KRB_SAFE and KRB_PRIV messages and - contain the application specific data that is being passed from - the sender to the recipient. - - timestamp - This field is part of the KRB_SAFE and KRB_PRIV messages. Its - contents are the current time as known by the sender of the - message. By checking the timestamp, the recipient of the message - is able to make sure that it was recently generated, and is not a - replay. - - usec - This field is part of the KRB_SAFE and KRB_PRIV headers. It - contains the microsecond part of the timestamp. - - seq-number - This field is described above in section 5.3.2. - - s-address - Sender's address. - - - -March 2003 [Page 89] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - This field specifies the address in use by the sender of the - message. It MAY be omitted if not required by the application - protocol. - - r-address - This field specifies the address in use by the recipient of the - message. It MAY be omitted for some uses (such as broadcast - protocols), but the recipient MAY arbitrarily reject such - messages. This field, along with s-address, can be used to help - detect messages which have been incorrectly or maliciously - delivered to the wrong recipient. - -5.7. KRB_PRIV message specification - - This section specifies the format of a message that can be used by - either side (client or server) of an application to securely and - privately send a message to its peer. It presumes that a session key - has previously been exchanged (for example, by using the - KRB_AP_REQ/KRB_AP_REP messages). 
- -5.7.1. KRB_PRIV definition - - The KRB_PRIV message contains user data encrypted in the Session Key. - The message fields are: - - KRB-PRIV ::= [APPLICATION 21] SEQUENCE { - pvno [0] INTEGER (5), - msg-type [1] INTEGER (21), - -- NOTE: there is no [2] tag - enc-part [3] EncryptedData -- EncKrbPrivPart - } - - EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE { - user-data [0] OCTET STRING, - timestamp [1] KerberosTime OPTIONAL, - usec [2] Microseconds OPTIONAL, - seq-number [3] UInt32 OPTIONAL, - s-address [4] HostAddress -- sender's addr --, - r-address [5] HostAddress OPTIONAL -- recip's addr - } - - pvno and msg-type - These fields are described above in section 5.4.1. msg-type is - KRB_PRIV. - - enc-part - This field holds an encoding of the EncKrbPrivPart sequence - encrypted under the session key, with a key usage value of 13. - - - -March 2003 [Page 90] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - This encrypted encoding is used for the enc-part field of the KRB- - PRIV message. - - user-data, timestamp, usec, s-address and r-address - These fields are described above in section 5.6.1. - - seq-number - This field is described above in section 5.3.2. - -5.8. KRB_CRED message specification - - This section specifies the format of a message that can be used to - send Kerberos credentials from one principal to another. It is - presented here to encourage a common mechanism to be used by - applications when forwarding tickets or providing proxies to - subordinate servers. It presumes that a session key has already been - exchanged perhaps by using the KRB_AP_REQ/KRB_AP_REP messages. - -5.8.1. KRB_CRED definition - - The KRB_CRED message contains a sequence of tickets to be sent and - information needed to use the tickets, including the session key from - each. The information needed to use the tickets is encrypted under - an encryption key previously exchanged or transferred alongside the - KRB_CRED message. 
The message fields are: - - KRB-CRED ::= [APPLICATION 22] SEQUENCE { - pvno [0] INTEGER (5), - msg-type [1] INTEGER (22), - tickets [2] SEQUENCE OF Ticket, - enc-part [3] EncryptedData -- EncKrbCredPart - } - - EncKrbCredPart ::= [APPLICATION 29] SEQUENCE { - ticket-info [0] SEQUENCE OF KrbCredInfo, - nonce [1] UInt32 OPTIONAL, - timestamp [2] KerberosTime OPTIONAL, - usec [3] Microseconds OPTIONAL, - s-address [4] HostAddress OPTIONAL, - r-address [5] HostAddress OPTIONAL - } - - KrbCredInfo ::= SEQUENCE { - key [0] EncryptionKey, - prealm [1] Realm OPTIONAL, - pname [2] PrincipalName OPTIONAL, - flags [3] TicketFlags OPTIONAL, - authtime [4] KerberosTime OPTIONAL, - - - -March 2003 [Page 91] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - starttime [5] KerberosTime OPTIONAL, - endtime [6] KerberosTime OPTIONAL, - renew-till [7] KerberosTime OPTIONAL, - srealm [8] Realm OPTIONAL, - sname [9] PrincipalName OPTIONAL, - caddr [10] HostAddresses OPTIONAL - } - - pvno and msg-type - These fields are described above in section 5.4.1. msg-type is - KRB_CRED. - - tickets - These are the tickets obtained from the KDC specifically for use - by the intended recipient. Successive tickets are paired with the - corresponding KrbCredInfo sequence from the enc-part of the KRB- - CRED message. - - enc-part - This field holds an encoding of the EncKrbCredPart sequence - encrypted under the session key shared between the sender and the - intended recipient, with a key usage value of 14. This encrypted - encoding is used for the enc-part field of the KRB-CRED message. - - Implementation note: implementations of certain applications, most - notably certain implementations of the Kerberos GSS-API mechanism, - do not separately encrypt the contents of the EncKrbCredPart of - the KRB-CRED message when sending it. 
In the case of those GSS- - API mechanisms, this is not a security vulnerability, as the - entire KRB-CRED message is itself embedded in an encrypted - message. - - nonce - If practical, an application MAY require the inclusion of a nonce - generated by the recipient of the message. If the same value is - included as the nonce in the message, it provides evidence that - the message is fresh and has not been replayed by an attacker. A - nonce MUST NEVER be reused; it SHOULD be generated randomly by the - recipient of the message and provided to the sender of the message - in an application specific manner. - - timestamp and usec - These fields specify the time that the KRB-CRED message was - generated. The time is used to provide assurance that the message - is fresh. - - s-address and r-address - These fields are described above in section 5.6.1. They are used - - - -March 2003 [Page 92] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - optionally to provide additional assurance of the integrity of the - KRB-CRED message. - - key - This field exists in the corresponding ticket passed by the KRB- - CRED message and is used to pass the session key from the sender - to the intended recipient. The field's encoding is described in - section 5.2.9. - - The following fields are optional. If present, they can be associated - with the credentials in the remote ticket file. If left out, then it - is assumed that the recipient of the credentials already knows their - value. - - prealm and pname - The name and realm of the delegated principal identity. - - flags, authtime, starttime, endtime, renew-till, srealm, sname, and - caddr - These fields contain the values of the corresponding fields from - the ticket found in the ticket field. Descriptions of the fields - are identical to the descriptions in the KDC-REP message. - -5.9. Error message specification - - This section specifies the format for the KRB_ERROR message. 
The - fields included in the message are intended to return as much - information as possible about an error. It is not expected that all - the information required by the fields will be available for all - types of errors. If the appropriate information is not available when - the message is composed, the corresponding field will be left out of - the message. - - Note that since the KRB_ERROR message is not integrity protected, it - is quite possible for an intruder to synthesize or modify such a - message. In particular, this means that the client SHOULD NOT use any - fields in this message for security-critical purposes, such as - setting a system clock or generating a fresh authenticator. The - message can be useful, however, for advising a user on the reason for - some failure. - -5.9.1. KRB_ERROR definition - - The KRB_ERROR message consists of the following fields: - - KRB-ERROR ::= [APPLICATION 30] SEQUENCE { - pvno [0] INTEGER (5), - msg-type [1] INTEGER (30), - - - -March 2003 [Page 93] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - ctime [2] KerberosTime OPTIONAL, - cusec [3] Microseconds OPTIONAL, - stime [4] KerberosTime, - susec [5] Microseconds, - error-code [6] Int32, - crealm [7] Realm OPTIONAL, - cname [8] PrincipalName OPTIONAL, - realm [9] Realm -- service realm --, - sname [10] PrincipalName -- service name --, - e-text [11] KerberosString OPTIONAL, - e-data [12] OCTET STRING OPTIONAL - } - - pvno and msg-type - These fields are described above in section 5.4.1. +A msg-type is - KRB_ERROR. - - ctime - This field is described above in section 5.4.1. - - cusec - This field is described above in section 5.5.2. - - stime - This field contains the current time on the server. It is of type - KerberosTime. - - susec - This field contains the microsecond part of the server's - timestamp. Its value ranges from 0 to 999999. It appears along - with stime. 
The two fields are used in conjunction to specify a - reasonably accurate timestamp. - - error-code - This field contains the error code returned by Kerberos or the - server when a request fails. To interpret the value of this field - see the list of error codes in section 7.5.9. Implementations are - encouraged to provide for national language support in the display - of error messages. - - crealm, cname, srealm and sname - These fields are described above in section 5.3. - - e-text - This field contains additional text to help explain the error code - associated with the failed request (for example, it might include - a principal name which was unknown). - - - - -March 2003 [Page 94] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - e-data - This field contains additional data about the error for use by the - application to help it recover from or handle the error. If the - errorcode is KDC_ERR_PREAUTH_REQUIRED, then the e-data field will - contain an encoding of a sequence of padata fields, each - corresponding to an acceptable pre-authentication method and - optionally containing data for the method: - - METHOD-DATA ::= SEQUENCE OF PA-DATA - - For error codes defined in this document other than - KDC_ERR_PREAUTH_REQUIRED, the format and contents of the e-data field - are implementation-defined. Similarly, for future error codes, the - format and contents of the e-data field are implementation-defined - unless specified. Whether defined by the implementation or in a - future document, the e-data field MAY take the form of TYPED-DATA: - - TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE { - data-type [0] INTEGER, - data-value [1] OCTET STRING OPTIONAL - } - -5.10. Application Tag Numbers - - The following table lists the application class tag numbers used by - various data types defined in this section. 
- - Tag Number(s) Type Name Comments - - 0 unused - - 1 Ticket PDU - - 2 Authenticator non-PDU - - 3 EncTicketPart non-PDU - - 4-9 unused - - 10 AS-REQ PDU - - 11 AS-REP PDU - - 12 TGS-REQ PDU - - 13 TGS-REP PDU - - 14 AP-REQ PDU - - - -March 2003 [Page 95] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - 15 AP-REP PDU - - 16 RESERVED16 TGT-REQ (for user-to-user) - - 17 RESERVED17 TGT-REP (for user-to-user) - - 18-19 unused - - 20 KRB-SAFE PDU - - 21 KRB-PRIV PDU - - 22 KRB-CRED PDU - - 23-24 unused - - 25 EncASRepPart non-PDU - - 26 EncTGSRepPart non-PDU - - 27 EncApRepPart non-PDU - - 28 EncKrbPrivPart non-PDU - - 29 EncKrbCredPart non-PDU - - 30 KRB-ERROR PDU - - The ASN.1 types marked as "PDU" (Protocol Data Unit) in the above are - the only ASN.1 types intended as top-level types of the Kerberos - protcol, and are the only types that may be used as elements in - another protocol that makes use of Kerberos. - -6. Naming Constraints - -6.1. Realm Names - - Although realm names are encoded as GeneralStrings and although a - realm can technically select any name it chooses, interoperability - across realm boundaries requires agreement on how realm names are to - be assigned, and what information they imply. - - To enforce these conventions, each realm MUST conform to the - conventions itself, and it MUST require that any realms with which - inter-realm keys are shared also conform to the conventions and - require the same from its neighbors. - - Kerberos realm names are case sensitive. Realm names that differ only - - - -March 2003 [Page 96] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - in the case of the characters are not equivalent. There are presently - three styles of realm names: domain, X500, and other. 
Examples of - each style follow: - - domain: ATHENA.MIT.EDU - X500: C=US/O=OSF - other: NAMETYPE:rest/of.name=without-restrictions - - Domain syle realm names MUST look like domain names: they consist of - components separated by periods (.) and they contain neither colons - (:) nor slashes (/). Though domain names themselves are case - insensitive, in order for realms to match, the case must match as - well. When establishing a new realm name based on an internet domain - name it is recommended by convention that the characters be converted - to upper case. - - X.500 names contain an equal (=) and cannot contain a colon (:) - before the equal. The realm names for X.500 names will be string - representations of the names with components separated by slashes. - Leading and trailing slashes will not be included. Note that the - slash separator is consistent with Kerberos implementations based on - RFC1510, but it is different from the separator recommended in - RFC2253. - - Names that fall into the other category MUST begin with a prefix that - contains no equal (=) or period (.) and the prefix MUST be followed - by a colon (:) and the rest of the name. All prefixes must be - assigned before they may be used. Presently none are assigned. - - The reserved category includes strings which do not fall into the - first three categories. All names in this category are reserved. It - is unlikely that names will be assigned to this category unless there - is a very strong argument for not using the 'other' category. - - These rules guarantee that there will be no conflicts between the - various name styles. 
The following additional constraints apply to - the assignment of realm names in the domain and X.500 categories: the - name of a realm for the domain or X.500 formats must either be used - by the organization owning (to whom it was assigned) an Internet - domain name or X.500 name, or in the case that no such names are - registered, authority to use a realm name MAY be derived from the - authority of the parent realm. For example, if there is no domain - name for E40.MIT.EDU, then the administrator of the MIT.EDU realm can - authorize the creation of a realm with that name. - - This is acceptable because the organization to which the parent is - assigned is presumably the organization authorized to assign names to - its children in the X.500 and domain name systems as well. If the - - - -March 2003 [Page 97] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - parent assigns a realm name without also registering it in the domain - name or X.500 hierarchy, it is the parent's responsibility to make - sure that there will not in the future exist a name identical to the - realm name of the child unless it is assigned to the same entity as - the realm name. - -6.2. Principal Names - - As was the case for realm names, conventions are needed to ensure - that all agree on what information is implied by a principal name. - The name-type field that is part of the principal name indicates the - kind of information implied by the name. The name-type SHOULD be - treated only as a hint to interpreting the meaning of a name. It is - not significant when checking for equivalence. Principal names that - differ only in the name-type identify the same principal. The name - type does not partition the name space. Ignoring the name type, no - two names can be the same (i.e. at least one of the components, or - the realm, MUST be different). 
The following name types are defined: - - name-type value meaning - - name types - - NT-UNKNOWN 0 Name type not known - NT-PRINCIPAL 1 Just the name of the principal as in DCE, or for users - NT-SRV-INST 2 Service and other unique instance (krbtgt) - NT-SRV-HST 3 Service with host name as instance (telnet, rcommands) - NT-SRV-XHST 4 Service with host as remaining components - NT-UID 5 Unique ID - NT-X500-PRINCIPAL 6 Encoded X.509 Distingished name [RFC 2253] - NT-SMTP-NAME 7 Name in form of SMTP email name (e.g. user@foo.com) - NT-ENTERPRISE 10 Enterprise name - may be mapped to principal name - - When a name implies no information other than its uniqueness at a - particular time the name type PRINCIPAL SHOULD be used. The principal - name type SHOULD be used for users, and it might also be used for a - unique server. If the name is a unique machine generated ID that is - guaranteed never to be reassigned then the name type of UID SHOULD be - used (note that it is generally a bad idea to reassign names of any - type since stale entries might remain in access control lists). - - If the first component of a name identifies a service and the - remaining components identify an instance of the service in a server - specified manner, then the name type of SRV-INST SHOULD be used. An - example of this name type is the Kerberos ticket-granting service - whose name has a first component of krbtgt and a second component - identifying the realm for which the ticket is valid. - - - - -March 2003 [Page 98] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - If the first component of a name identifies a service and there is a - single component following the service name identifying the instance - as the host on which the server is running, then the name type SRV- - HST SHOULD be used. This type is typically used for Internet services - such as telnet and the Berkeley R commands. 
If the separate - components of the host name appear as successive components following - the name of the service, then the name type SRV-XHST SHOULD be used. - This type might be used to identify servers on hosts with X.500 names - where the slash (/) might otherwise be ambiguous. - - A name type of NT-X500-PRINCIPAL SHOULD be used when a name from an - X.509 certificate is translated into a Kerberos name. The encoding of - the X.509 name as a Kerberos principal shall conform to the encoding - rules specified in RFC 2253. - - A name type of SMTP allows a name to be of a form that resembles a - SMTP email name. This name, including an "@" and a domain name, is - used as the one component of the principal name. - - A name type of UNKNOWN SHOULD be used when the form of the name is - not known. When comparing names, a name of type UNKNOWN will match - principals authenticated with names of any type. A principal - authenticated with a name of type UNKNOWN, however, will only match - other names of type UNKNOWN. - - Names of any type with an initial component of 'krbtgt' are reserved - for the Kerberos ticket granting service. See section 7.5.8 for the - form of such names. - -6.2.1. Name of server principals - - The principal identifier for a server on a host will generally be - composed of two parts: (1) the realm of the KDC with which the server - is registered, and (2) a two-component name of type NT-SRV-HST if the - host name is an Internet domain name or a multi-component name of - type NT-SRV-XHST if the name of the host is of a form such as X.500 - that allows slash (/) separators. The first component of the two- or - multi-component name will identify the service and the latter - components will identify the host. Where the name of the host is not - case sensitive (for example, with Internet domain names) the name of - the host MUST be lower case. 
If specified by the application protocol - for services such as telnet and the Berkeley R commands which run - with system privileges, the first component MAY be the string 'host' - instead of a service specific identifier. When a host has an official - name and one or more aliases and the official name can be reliably - determined, the official name of the host SHOULD be used when - constructing the name of the server principal. - - - - -March 2003 [Page 99] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - -7. Constants and other defined values - -7.1. Host address types - - All negative values for the host address type are reserved for local - use. All non-negative values are reserved for officially assigned - type fields and interpretations. - - Internet (IPv4) Addresses - - Internet (IPv4) addresses are 32-bit (4-octet) quantities, encoded - in MSB order. The IPv4 loopback address SHOULD NOT appear in a - Kerberos packet. The type of IPv4 addresses is two (2). - - Internet (IPv6) Addresses - - IPv6 addresses [RFC2373] are 128-bit (16-octet) quantities, - encoded in MSB order. The type of IPv6 addresses is twenty-four - (24). The following addresses MUST NOT appear in any Kerberos - packet: - - * the Unspecified Address - * the Loopback Address - * Link-Local addresses - - IPv4-mapped IPv6 addresses MUST be represented as addresses of - type 2. - - DECnet Phase IV addresses - - DECnet Phase IV addresses are 16-bit addresses, encoded in LSB - order. The type of DECnet Phase IV addresses is twelve (12). - - Netbios addresses - - Netbios addresses are 16-octet addresses typically composed of 1 - to 15 alphanumeric characters and padded with the US-ASCII SPC - character (code 32). The 16th octet MUST be the US-ASCII NUL - character (code 0). The type of Netbios addresses is twenty (20). 
- - Directional Addresses - - In many environments, including the sender address in KRB_SAFE and - KRB_PRIV messages is undesirable because the addresses may be - changed in transport by network address translators. However, if - these addresses are removed, the messages may be subject to a - reflection attack in which a message is reflected back to its - originator. The directional address type provides a way to avoid - - - -March 2003 [Page 100] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - transport addresses and reflection attacks. Directional addresses - are encoded as four byte unsigned integers in network byte order. - If the message is originated by the party sending the original - KRB_AP_REQ message, then an address of 0 SHOULD be used. If the - message is originated by the party to whom that KRB_AP_REQ was - sent, then the address 1 SHOULD be used. Applications involving - multiple parties can specify the use of other addresses. - - Directional addresses MUST only be used for the sender address - field in the KRB_SAFE or KRB_PRIV messages. They MUST NOT be used - as a ticket address or in a KRB_AP_REQ message. This address type - SHOULD only be used in situations where the sending party knows - that the receiving party supports the address type. This generally - means that directional addresses may only be used when the - application protocol requires their support. Directional addresses - are type (3). - -7.2. KDC messaging - IP Transports - - Kerberos defines two IP transport mechanisms for communication - between clients and servers: UDP/IP and TCP/IP. - -7.2.1. UDP/IP transport - - Kerberos servers (KDCs) supporting IP transports MUST accept UDP - requests and SHOULD listen for such requests on port 88 (decimal) - unless specifically configured to listen on an alternative UDP port. - Alternate ports MAY be used when running multiple KDCs for multiple - realms on the same host. 
- - Kerberos clients supporting IP transports SHOULD support the sending - of UDP requests. Clients SHOULD use KDC discovery [7.2.3] to identify - the IP address and port to which they will send their request. - - When contacting a KDC for a KRB_KDC_REQ request using UDP/IP - transport, the client shall send a UDP datagram containing only an - encoding of the request to the KDC. The KDC will respond with a reply - datagram containing only an encoding of the reply message (either a - KRB_ERROR or a KRB_KDC_REP) to the sending port at the sender's IP - address. The response to a request made through UDP/IP transport MUST - also use UDP/IP transport. If the response can not be handled using - UDP (for example because it is too large), the KDC MUST return - KRB_ERR_RESPONSE_TOO_BIG, forcing the client to retry the request - using the TCP transport. - -7.2.2. TCP/IP transport - - Kerberos servers (KDCs) supporting IP transports MUST accept TCP - - - -March 2003 [Page 101] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - requests and SHOULD listen for such requests on port 88 (decimal) - unless specifically configured to listen on an alternate TCP port. - Alternate ports MAY be used when running multiple KDCs for multiple - realms on the same host. - - Clients MUST support the sending of TCP requests, but MAY choose to - intially try a request using the UDP transport. Clients SHOULD use - KDC discovery [7.2.3] to identify the IP address and port to which - they will send their request. - - Implementation note: Some extensions to the Kerberos protocol will - not succeed if any client or KDC not supporting the TCP transport is - involved. Implementations of RFC 1510 were not required to support - TCP/IP transports. - - When the KRB_KDC_REQ message is sent to the KDC over a TCP stream, - the response (KRB_KDC_REP or KRB_ERROR message) MUST be returned to - the client on the same TCP stream that was established for the - request. 
The KDC MAY close the TCP stream after sending a response, - but MAY leave the stream open for a reasonable period of time if it - expects a followup. Care must be taken in managing TCP/IP connections - on the KDC to prevent denial of service attacks based on the number - of open TCP/IP connections. - - The client MUST be prepared to have the stream closed by the KDC at - anytime after the receipt of a response. A stream closure SHOULD NOT - be treated as a fatal error. Instead, if multiple exchanges are - required (e.g., certain forms of pre-authentication) the client may - need to establish a new connection when it is ready to send - subsequent messages. A client MAY close the stream after receiving a - response, and SHOULD close the stream if it does not expect to send - followup messages. - - A client MAY send multiple requests before receiving responses, - though it must be prepared to handle the connection being closed - after the first response. - - Each request (KRB_KDC_REQ) and response (KRB_KDC_REP or KRB_ERROR) - sent over the TCP stream is preceded by the length of the request as - 4 octets in network byte order. The high bit of the length is - reserved for future expansion and MUST currently be set to zero. - - If multiple requests are sent over a single TCP connection, and the - KDC sends multiple responses, the KDC is not required to send the - responses in the order of the corresponding requests. This may permit - some implementations to send each response as soon as it is ready - even if earlier requests are still being processed (for example, - waiting for a response from an external device or database). - - - -March 2003 [Page 102] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - -7.2.3. KDC Discovery on IP Networks - - Kerberos client implementations MUST provide a means for the client - to determine the location of the Kerberos Key Distribution Centers - (KDCs). 
Traditionally, Kerberos implementations have stored such - configuration information in a file on each client machine. - Experience has shown this method of storing configuration information - presents problems with out-of-date information and scaling problems, - especially when using cross-realm authentication. This section - describes a method for using the Domain Name System [RFC 1035] for - storing KDC location information. - -7.2.3.1. DNS vs. Kerberos - Case Sensitivity of Realm Names - - In Kerberos, realm names are case sensitive. While it is strongly - encouraged that all realm names be all upper case this recommendation - has not been adopted by all sites. Some sites use all lower case - names and other use mixed case. DNS on the other hand is case - insensitive for queries. Since "MYREALM", "myrealm", and "MyRealm" - are all different it is necessary that only one of the possible - combinations of upper and lower case characters be used. This - restriction may be lifted in the future as the DNS naming scheme is - expanded to support non-US-ASCII names. - -7.2.3.2. Specifying KDC Location information with DNS SRV records - - KDC location information is to be stored using the DNS SRV RR [RFC - 2052]. The format of this RR is as follows: - - Service.Proto.Realm TTL Class SRV Priority Weight Port Target - - The Service name for Kerberos is always "_kerberos". - - The Proto can be one of "_udp", "_tcp". If these SRV records are to - be used, both "_udp" and "_tcp" records MUST be specified for all KDC - deployments. - - The Realm is the Kerberos realm that this record corresponds to. - - TTL, Class, SRV, Priority, Weight, and Target have the standard - meaning as defined in RFC 2052. - - As per RFC 2052 the Port number used for "_udp" and "_tcp" SRV - records SHOULD be the value assigned to "kerberos" by the Internet - Assigned Number Authority: 88 (decimal) unless the KDC is configured - to listen on an alternate TCP port. 
- - Implementation note: Many existing client implementations do not - - - -March 2003 [Page 103] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - support KDC Discovery and are configured to send requests to the IANA - assigned port (88 decimal), so it is strongly recommended that KDCs - be configured to listen on that port. - -7.2.3.3. KDC Discovery for Domain Style Realm Names on IP Networks - - These are DNS records for a Kerberos realm EXAMPLE.COM. It has two - Kerberos servers, kdc1.example.com and kdc2.example.com. Queries - should be directed to kdc1.example.com first as per the specified - priority. Weights are not used in these sample records. - - _kerberos._udp.EXAMPLE.COM. IN SRV 0 0 88 kdc1.example.com. - _kerberos._udp.EXAMPLE.COM. IN SRV 1 0 88 kdc2.example.com. - _kerberos._tcp.EXAMPLE.COM. IN SRV 0 0 88 kdc1.example.com. - _kerberos._tcp.EXAMPLE.COM. IN SRV 1 0 88 kdc2.example.com. - -7.3. Name of the TGS - - The principal identifier of the ticket-granting service shall be - composed of three parts: (1) the realm of the KDC issuing the TGS - ticket (2) a two-part name of type NT-SRV-INST, with the first part - "krbtgt" and the second part the name of the realm which will accept - the ticket-granting ticket. For example, a ticket-granting ticket - issued by the ATHENA.MIT.EDU realm to be used to get tickets from the - ATHENA.MIT.EDU KDC has a principal identifier of "ATHENA.MIT.EDU" - (realm), ("krbtgt", "ATHENA.MIT.EDU") (name). A ticket-granting - ticket issued by the ATHENA.MIT.EDU realm to be used to get tickets - from the MIT.EDU realm has a principal identifier of "ATHENA.MIT.EDU" - (realm), ("krbtgt", "MIT.EDU") (name). - -7.4. OID arc for KerberosV5 - - This OID MAY be used to identify Kerberos protocol messages - encapsulated in other protocols. It also designates the OID arc for - KerberosV5-related OIDs assigned by future IETF action. 
- Implementation note:: RFC 1510 had an incorrect value (5) for "dod" - in its OID. - - id-krb5 OBJECT IDENTIFIER ::= { - iso(1) identified-organization(3) dod(6) internet(1) - security(5) kerberosV5(2) - } - - Assignment of OIDs beneath the id-krb5 arc must be obtained by - contacting krb5-oid-registrar@mit.edu. - -7.5. Protocol constants and associated values - - - - -March 2003 [Page 104] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - The following tables list constants used in the protocol and define - their meanings. Ranges are specified in the "specification" section - that limit the values of constants for which values are defined here. - This allows implementations to make assumptions about the maximum - values that will be received for these constants. Implementation - receiving values outside the range specified in the "specification" - section MAY reject the request, but they MUST recover cleanly. - -7.5.1. Key usage numbers - - The encryption and checksum specifications in [@KCRYPTO] require as - input a "key usage number", to alter the encryption key used in any - specific message, to make certain types of cryptographic attack more - difficult. These are the key usage values assigned in this document: - - 1. AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted - with the client key (section 5.2.7.2) - 2. AS-REP Ticket and TGS-REP Ticket (includes TGS session - key or application session key), encrypted with the - service key (section 5.3) - 3. AS-REP encrypted part (includes TGS session key or - application session key), encrypted with the client key - (section 5.4.2) - 4. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with - the TGS session key (section 5.4.1) - 5. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with - the TGS authenticator subkey (section 5.4.1) - 6. TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator cksum, - keyed with the TGS session key (sections 5.5.1) - 7. 
TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator - (includes TGS authenticator subkey), encrypted with the - TGS session key (section 5.5.1) - 8. TGS-REP encrypted part (includes application session - key), encrypted with the TGS session key (section - 5.4.2) - 9. TGS-REP encrypted part (includes application session - key), encrypted with the TGS authenticator subkey - (section 5.4.2) - 10. AP-REQ Authenticator cksum, keyed with the application - session key (section 5.5.1) - 11. AP-REQ Authenticator (includes application - authenticator subkey), encrypted with the application - session key (section 5.5.1) - 12. AP-REP encrypted part (includes application session - subkey), encrypted with the application session key - (section 5.5.2) - 13. KRB-PRIV encrypted part, encrypted with a key chosen by - the application (section 5.7.1) - - - -March 2003 [Page 105] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - 14. KRB-CRED encrypted part, encrypted with a key chosen by - the application (section 5.8.1) - 15. KRB-SAFE cksum, keyed with a key chosen by the - application (section 5.6.1) - 19. AD-KDC-ISSUED checksum (ad-checksum in 5.2.6.4) - 22-24. Reserved for use in GSSAPI mechanisms derived from RFC - 1964. (raeburn/MIT) - 16-18,20-21,25-511. Reserved for future use in Kerberos and related - protocols. - 512-1023. Reserved for uses internal to a Kerberos - implementation. - 1024. Encryption for application use in protocols that - do not specify key usage values - 1025. Checksums for application use in protocols that - do not specify key usage values - 1026-2047. Reserved for application use. - - -7.5.2. 
PreAuthentication Data Types - - padata and data types padata-type value comment - - PA-TGS-REQ 1 - PA-ENC-TIMESTAMP 2 - PA-PW-SALT 3 - [reserved] 4 - PA-ENC-UNIX-TIME 5 (deprecated) - PA-SANDIA-SECUREID 6 - PA-SESAME 7 - PA-OSF-DCE 8 - PA-CYBERSAFE-SECUREID 9 - PA-AFS3-SALT 10 - PA-ETYPE-INFO 11 - PA-SAM-CHALLENGE 12 (sam/otp) - PA-SAM-RESPONSE 13 (sam/otp) - PA-PK-AS-REQ 14 (pkinit) - PA-PK-AS-REP 15 (pkinit) - PA-ETYPE-INFO2 19 (replaces pa-etype-info) - PA-USE-SPECIFIED-KVNO 20 - PA-SAM-REDIRECT 21 (sam/otp) - PA-GET-FROM-TYPED-DATA 22 (embedded in typed data) - TD-PADATA 22 (embeds padata) - PA-SAM-ETYPE-INFO 23 (sam/otp) - PA-ALT-PRINC 24 (crawdad@fnal.gov) - PA-SAM-CHALLENGE2 30 (kenh@pobox.com) - PA-SAM-RESPONSE2 31 (kenh@pobox.com) - PA-EXTRA-TGT 41 Reserved extra TGT - TD-PKINIT-CMS-CERTIFICATES 101 CertificateSet from CMS - - - -March 2003 [Page 106] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - TD-KRB-PRINCIPAL 102 PrincipalName - TD-KRB-REALM 103 Realm - TD-TRUSTED-CERTIFIERS 104 from PKINIT - TD-CERTIFICATE-INDEX 105 from PKINIT - TD-APP-DEFINED-ERROR 106 application specific - TD-REQ-NONCE 107 INTEGER - TD-REQ-SEQ 108 INTEGER - PA-PAC-REQUEST 128 (jbrezak@exchange.microsoft.com) - -7.5.3. Address Types - - Address type value - - IPv4 2 - Directional 3 - ChaosNet 5 - XNS 6 - ISO 7 - DECNET Phase IV 12 - AppleTalk DDP 16 - NetBios 20 - IPv6 24 - -7.5.4. Authorization Data Types - - authorization data type ad-type value - AD-IF-RELEVANT 1 - AD-INTENDED-FOR-SERVER 2 - AD-INTENDED-FOR-APPLICATION-CLASS 3 - AD-KDC-ISSUED 4 - AD-AND-OR 5 - AD-MANDATORY-TICKET-EXTENSIONS 6 - AD-IN-TICKET-EXTENSIONS 7 - AD-MANDATORY-FOR-KDC 8 - reserved values 9-63 - OSF-DCE 64 - SESAME 65 - AD-OSF-DCE-PKI-CERTID 66 (hemsath@us.ibm.com) - AD-WIN2K-PAC 128 (jbrezak@exchange.microsoft.com) - -7.5.5. Transited Encoding Types - - transited encoding type tr-type value - DOMAIN-X500-COMPRESS 1 - reserved values all others - -7.5.6. 
Protocol Version Number - - - - -March 2003 [Page 107] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - Label Value Meaning or MIT code - - pvno 5 current Kerberos protocol version number - -7.5.7. Kerberos Message Types - - message types - - KRB_AS_REQ 10 Request for initial authentication - KRB_AS_REP 11 Response to KRB_AS_REQ request - KRB_TGS_REQ 12 Request for authentication based on TGT - KRB_TGS_REP 13 Response to KRB_TGS_REQ request - KRB_AP_REQ 14 application request to server - KRB_AP_REP 15 Response to KRB_AP_REQ_MUTUAL - KRB_RESERVED16 16 Reserved for user-to-user krb_tgt_request - KRB_RESERVED17 17 Reserved for user-to-user krb_tgt_reply - KRB_SAFE 20 Safe (checksummed) application message - KRB_PRIV 21 Private (encrypted) application message - KRB_CRED 22 Private (encrypted) message to forward credentials - KRB_ERROR 30 Error response - -7.5.8. Name Types - - name types - - KRB_NT_UNKNOWN 0 Name type not known - KRB_NT_PRINCIPAL 1 Just the name of the principal as in DCE, or for users - KRB_NT_SRV_INST 2 Service and other unique instance (krbtgt) - KRB_NT_SRV_HST 3 Service with host name as instance (telnet, rcommands) - KRB_NT_SRV_XHST 4 Service with host as remaining components - KRB_NT_UID 5 Unique ID - KRB_NT_X500_PRINCIPAL 6 Encoded X.509 Distingished name [RFC 2253] - KRB_NT_SMTP_NAME 7 Name in form of SMTP email name (e.g. user@foo.com) - KRB_NT_ENTERPRISE 10 Enterprise name - may be mapped to principal name - -7.5.9. 
Error Codes - - error codes - - KDC_ERR_NONE 0 No error - KDC_ERR_NAME_EXP 1 Client's entry in database has expired - KDC_ERR_SERVICE_EXP 2 Server's entry in database has expired - KDC_ERR_BAD_PVNO 3 Requested protocol version number - not supported - KDC_ERR_C_OLD_MAST_KVNO 4 Client's key encrypted in old master key - KDC_ERR_S_OLD_MAST_KVNO 5 Server's key encrypted in old master key - KDC_ERR_C_PRINCIPAL_UNKNOWN 6 Client not found in Kerberos database - KDC_ERR_S_PRINCIPAL_UNKNOWN 7 Server not found in Kerberos database - - - -March 2003 [Page 108] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - KDC_ERR_PRINCIPAL_NOT_UNIQUE 8 Multiple principal entries in database - KDC_ERR_NULL_KEY 9 The client or server has a null key - KDC_ERR_CANNOT_POSTDATE 10 Ticket not eligible for postdating - KDC_ERR_NEVER_VALID 11 Requested start time is later than end time - KDC_ERR_POLICY 12 KDC policy rejects request - KDC_ERR_BADOPTION 13 KDC cannot accommodate requested option - KDC_ERR_ETYPE_NOSUPP 14 KDC has no support for encryption type - KDC_ERR_SUMTYPE_NOSUPP 15 KDC has no support for checksum type - KDC_ERR_PADATA_TYPE_NOSUPP 16 KDC has no support for padata type - KDC_ERR_TRTYPE_NOSUPP 17 KDC has no support for transited type - KDC_ERR_CLIENT_REVOKED 18 Clients credentials have been revoked - KDC_ERR_SERVICE_REVOKED 19 Credentials for server have been revoked - KDC_ERR_TGT_REVOKED 20 TGT has been revoked - KDC_ERR_CLIENT_NOTYET 21 Client not yet valid - try again later - KDC_ERR_SERVICE_NOTYET 22 Server not yet valid - try again later - KDC_ERR_KEY_EXPIRED 23 Password has expired - - change password to reset - KDC_ERR_PREAUTH_FAILED 24 Pre-authentication information was invalid - KDC_ERR_PREAUTH_REQUIRED 25 Additional pre-authenticationrequired - KDC_ERR_SERVER_NOMATCH 26 Requested server and ticket don't match - KDC_ERR_MUST_USE_USER2USER 27 Server principal valid for user2user only - KDC_ERR_PATH_NOT_ACCPETED 28 KDC Policy rejects 
transited path - KDC_ERR_SVC_UNAVAILABLE 29 A service is not available - KRB_AP_ERR_BAD_INTEGRITY 31 Integrity check on decrypted field failed - KRB_AP_ERR_TKT_EXPIRED 32 Ticket expired - KRB_AP_ERR_TKT_NYV 33 Ticket not yet valid - KRB_AP_ERR_REPEAT 34 Request is a replay - KRB_AP_ERR_NOT_US 35 The ticket isn't for us - KRB_AP_ERR_BADMATCH 36 Ticket and authenticator don't match - KRB_AP_ERR_SKEW 37 Clock skew too great - KRB_AP_ERR_BADADDR 38 Incorrect net address - KRB_AP_ERR_BADVERSION 39 Protocol version mismatch - KRB_AP_ERR_MSG_TYPE 40 Invalid msg type - KRB_AP_ERR_MODIFIED 41 Message stream modified - KRB_AP_ERR_BADORDER 42 Message out of order - KRB_AP_ERR_BADKEYVER 44 Specified version of key is not available - KRB_AP_ERR_NOKEY 45 Service key not available - KRB_AP_ERR_MUT_FAIL 46 Mutual authentication failed - KRB_AP_ERR_BADDIRECTION 47 Incorrect message direction - KRB_AP_ERR_METHOD 48 Alternative authentication method required - KRB_AP_ERR_BADSEQ 49 Incorrect sequence number in message - KRB_AP_ERR_INAPP_CKSUM 50 Inappropriate type of checksum in message - KRB_AP_PATH_NOT_ACCEPTED 51 Policy rejects transited path - KRB_ERR_RESPONSE_TOO_BIG 52 Response too big for UDP, retry with TCP - KRB_ERR_GENERIC 60 Generic error (description in e-text) - KRB_ERR_FIELD_TOOLONG 61 Field is too long for this implementation - KDC_ERROR_CLIENT_NOT_TRUSTED 62 Reserved for PKINIT - KDC_ERROR_KDC_NOT_TRUSTED 63 Reserved for PKINIT - - - -March 2003 [Page 109] - - - - - -Neuman, et al. 
draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - KDC_ERROR_INVALID_SIG 64 Reserved for PKINIT - KDC_ERR_KEY_TOO_WEAK 65 Reserved for PKINIT - KDC_ERR_CERTIFICATE_MISMATCH 66 Reserved for PKINIT - KRB_AP_ERR_NO_TGT 67 No TGT available to validate USER-TO-USER - KDC_ERR_WRONG_REALM 68 USER-TO-USER TGT issued different KDC - KRB_AP_ERR_USER_TO_USER_REQUIRED 69 Ticket must be for USER-TO-USER - KDC_ERR_CANT_VERIFY_CERTIFICATE 70 Reserved for PKINIT - KDC_ERR_INVALID_CERTIFICATE 71 Reserved for PKINIT - KDC_ERR_REVOKED_CERTIFICATE 72 Reserved for PKINIT - KDC_ERR_REVOCATION_STATUS_UNKNOWN 73 Reserved for PKINIT - KDC_ERR_REVOCATION_STATUS_UNAVAILABLE 74 Reserved for PKINIT - KDC_ERR_CLIENT_NAME_MISMATCH 75 Reserved for PKINIT - KDC_ERR_KDC_NAME_MISMATCH 76 Reserved for PKINIT - -8. Interoperability requirements - - Version 5 of the Kerberos protocol supports a myriad of options. - Among these are multiple encryption and checksum types, alternative - encoding schemes for the transited field, optional mechanisms for - pre-authentication, the handling of tickets with no addresses, - options for mutual authentication, user to user authentication, - support for proxies, forwarding, postdating, and renewing tickets, - the format of realm names, and the handling of authorization data. - - In order to ensure the interoperability of realms, it is necessary to - define a minimal configuration which must be supported by all - implementations. This minimal configuration is subject to change as - technology does. For example, if at some later date it is discovered - that one of the required encryption or checksum algorithms is not - secure, it will be replaced. - -8.1. Specification 2 - - This section defines the second specification of these options. - Implementations which are configured in this way can be said to - support Kerberos Version 5 Specification 2 (5.2). Specification 1 - (deprecated) may be found in RFC1510. 
- - Transport - - TCP/IP and UDP/IP transport MUST be supported by clients and KDCs - claiming conformance to specification 2. - - Encryption and checksum methods - - The following encryption and checksum mechanisms MUST be - supported. - - - - -March 2003 [Page 110] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - Encryption: AES256-CTS-HMAC-SHA1-96 - Checksums: HMAC-SHA1-96-AES256 - - Implementations SHOULD support other mechanisms as well, but the - additional mechanisms may only be used when communicating with - principals known to also support them. The mechanisms that SHOULD - be supported are: - - Encryption: DES-CBC-MD5, DES3-CBC-SHA1-KD - Checksums: DES-MD5, HMAC-SHA1-DES3-KD - - Implementations MAY support other mechanisms as well, but the - additional mechanisms may only be used when communicating with - principals known to also support them. - - Implementation note: earlier implementations of Kerberos generate - messages using the CRC-32, RSA-MD5 checksum methods. For - interoperability with these earlier releases implementors MAY - consider supporting these checksum methods but should carefully - analyze the security impplications to limit the situations within - which these methods are accepted. - - Realm Names - - All implementations MUST understand hierarchical realms in both - the Internet Domain and the X.500 style. When a ticket-granting - ticket for an unknown realm is requested, the KDC MUST be able to - determine the names of the intermediate realms between the KDCs - realm and the requested realm. - - Transited field encoding - - DOMAIN-X500-COMPRESS (described in section 3.3.3.2) MUST be - supported. Alternative encodings MAY be supported, but they may - be used only when that encoding is supported by ALL intermediate - realms. - - Pre-authentication methods - - The TGS-REQ method MUST be supported. The TGS-REQ method is not - used on the initial request. 
The PA-ENC-TIMESTAMP method MUST be - supported by clients but whether it is enabled by default MAY be - determined on a realm by realm basis. If not used in the initial - request and the error KDC_ERR_PREAUTH_REQUIRED is returned - specifying PA-ENC-TIMESTAMP as an acceptable method, the client - SHOULD retry the initial request using the PA-ENC-TIMESTAMP pre- - authentication method. Servers need not support the PA-ENC- - TIMESTAMP method, but if not supported the server SHOULD ignore - - - -March 2003 [Page 111] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - the presence of PA-ENC-TIMESTAMP pre-authentication in a request. - - The ETYPE-INFO2 method MUST be supported; this method is used to - communicate the set of supported encryption types, and - corresponding salt and string to key paramters. The ETYPE-INFO - method SHOULD be supported for interoperability with older - implementation. - - Mutual authentication - - Mutual authentication (via the KRB_AP_REP message) MUST be - supported. - - Ticket addresses and flags - - All KDCs MUST pass through tickets that carry no addresses (i.e. - if a TGT contains no addresses, the KDC will return derivative - tickets). Implementations SHOULD default to requesting - addressless tickets as this significantly increases - interoperability with network address translation. In some cases - realms or application servers MAY require that tickets have an - address. - - Implementations SHOULD accept directional address type for the - KRB_SAFE and KRB_PRIV message and SHOULD include directional - addresses in these messages when other address types are not - available. - - Proxies and forwarded tickets MUST be supported. Individual realms - and application servers can set their own policy on when such - tickets will be accepted. - - All implementations MUST recognize renewable and postdated - tickets, but need not actually implement them. 
If these options - are not supported, the starttime and endtime in the ticket shall - specify a ticket's entire useful life. When a postdated ticket is - decoded by a server, all implementations shall make the presence - of the postdated flag visible to the calling server. - - User-to-user authentication - - Support for user to user authentication (via the ENC-TKT-IN-SKEY - KDC option) MUST be provided by implementations, but individual - realms MAY decide as a matter of policy to reject such requests on - a per-principal or realm-wide basis. - - Authorization data - - - - -March 2003 [Page 112] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - Implementations MUST pass all authorization data subfields from - ticket-granting tickets to any derivative tickets unless directed - to suppress a subfield as part of the definition of that - registered subfield type (it is never incorrect to pass on a - subfield, and no registered subfield types presently specify - suppression at the KDC). - - Implementations MUST make the contents of any authorization data - subfields available to the server when a ticket is used. - Implementations are not required to allow clients to specify the - contents of the authorization data fields. - - Constant ranges - - All protocol constants are constrained to 32 bit (signed) values - unless further constrained by the protocol definition. This limit - is provided to allow implementations to make assumptions about the - maximum values that will be received for these constants. - Implementation receiving values outside this range MAY reject the - request, but they MUST recover cleanly. - -8.2. Recommended KDC values - - Following is a list of recommended values for a KDC configuration. - - minimum lifetime 5 minutes - maximum renewable lifetime 1 week - maximum ticket lifetime 1 day - acceptable clock skew 5 minutes - empty addresses Allowed. - proxiable, etc. Allowed. - -9. 
IANA considerations
-
- Section 7 of this document specifies protocol constants and other
- defined values required for the interoperability of multiple
- implementations. Until otherwise specified in a subsequent RFC,
- allocations of additional protocol constants and other defined values
- required for extensions to the Kerberos protocol will be administered
- by the Kerberos Working Group.
-
-10. Security Considerations
-
- As an authentication service, Kerberos provides a means of verifying
- the identity of principals on a network. Kerberos does not, by
- itself, provide authorization. Applications should not accept the
- issuance of a service ticket by the Kerberos server as granting
- authority to use the service, since such applications may become
-
-
-
-March 2003 [Page 113]
-
-
-
-
-
-Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT
-
-
- vulnerable to the bypass of this authorization check in an
- environment if they inter-operate with other KDCs or where other
- options for application authentication are provided.
-
- Denial of service attacks are not solved with Kerberos. There are
- places in the protocols where an intruder can prevent an application
- from participating in the proper authentication steps. Because
- authentication is a required step for the use of many services,
- successful denial of service attacks on a Kerberos server might
- result in the denial of other network services that rely on Kerberos
- for authentication. Kerberos is vulnerable to many kinds of denial of
- service attacks: denial of service attacks on the network which would
- prevent clients from contacting the KDC; denial of service attacks on
- the domain name system which could prevent a client from finding the
- IP address of the Kerberos server; and denial of service attack by
- overloading the Kerberos KDC itself with repeated requests.
-
- Interoperability conflicts caused by incompatible character-set usage
- (see 5.2.1) can result in denial of service for clients that utilize
- character-sets in Kerberos strings other than those stored in the KDC
- database.
-
- Authentication servers maintain a database of principals (i.e., users
- and servers) and their secret keys. The security of the
- authentication server machines is critical. The breach of security of
- an authentication server will compromise the security of all servers
- that rely upon the compromised KDC, and will compromise the
- authentication of any principals registered in the realm of the
- compromised KDC.
-
- Principals must keep their secret keys secret. If an intruder somehow
- steals a principal's key, it will be able to masquerade as that
- principal or impersonate any server to the legitimate principal.
-
- Password guessing attacks are not solved by Kerberos. If a user
- chooses a poor password, it is possible for an attacker to
- successfully mount an off-line dictionary attack by repeatedly
- attempting to decrypt, with successive entries from a dictionary,
- messages obtained which are encrypted under a key derived from the
- user's password.
-
- Unless pre-authentication options are required by the policy of a
- realm, the KDC will not know whether a request for authentication
- succeeds. An attacker can request a reply with credentials for any
- principal. These credentials will likely not be of much use to the
- attacker unless it knows the client's secret key, but the
- availability of the response encrypted in the client's secret key
- provides the attacker with ciphertext that may be used to mount brute
-
-
-
-March 2003 [Page 114]
-
-
-
-
-
-Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT
-
-
- force or dictionary attacks to decrypt the credentials, by guessing
- the user's password. For this reason it is strongly encouraged that
- Kerberos realms require the use of pre-authentication.
Even with pre-
- authentication, attackers may try brute force or dictionary attacks
- against credentials that are observed by eavesdropping on the
- network.
-
- Because a client can request a ticket for any server principal and
- can attempt a brute force or dictionary attack against the server
- principal's key using that ticket, it is strongly encouraged that
- keys be randomly generated (rather than generated from passwords) for
- any principals that are usable as the target principal for a
- KRB_TGS_REQ or KRB_AS_REQ messages.
-
- Each host on the network must have a clock which is loosely
- synchronized to the time of the other hosts; this synchronization is
- used to reduce the bookkeeping needs of application servers when they
- do replay detection. The degree of "looseness" can be configured on a
- per-server basis, but is typically on the order of 5 minutes. If the
- clocks are synchronized over the network, the clock synchronization
- protocol must itself be secured from network attackers.
-
- Principal identifiers must not recycled on a short-term basis. A
- typical mode of access control will use access control lists (ACLs)
- to grant permissions to particular principals. If a stale ACL entry
- remains for a deleted principal and the principal identifier is
- reused, the new principal will inherit rights specified in the stale
- ACL entry. By not reusing principal identifiers, the danger of
- inadvertent access is removed.
-
- Proper decryption of an KRB_AS_REP message from the KDC is not
- sufficient for the host to verify the identity of the user; the user
- and an attacker could cooperate to generate a KRB_AS_REP format
- message which decrypts properly but is not from the proper KDC. To
- authenticate a user logging on to a local system, the credentials
- obtained in the AS exchange may first be used in a TGS exchange to
- obtain credentials for a local server.
Those credentials must then be
- verified by a local server through successful completion of the
- Client/Server exchange.
-
- Kerberos credentials contain clear-text information identifying the
- principals to which they apply. If privacy of this information is
- needed, this exchange should itself be encapsulated in a protocol
- providing for confidentiality on the exchange of these credentials.
-
- Applications must take care to protect communications subsequent to
- authentication either by using the KRB_PRIV or KRB_SAFE messages as
- appropriate, or by applying their own confidentiality or integrity
-
-
-
-March 2003 [Page 115]
-
-
-
-
-
-Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT
-
-
- mechanisms on such communications. Completion of the KRB_AP_REQ and
- KRB_AP_REP exchange without subsequent use of confidentiality and
- integrity mechanisms provides only for authentication of the parties
- to the communication and not confidentiality and integrity of the
- subsequent communication. Application applying confidentiality and
- protections mechanisms other than KRB_PRIV and KRB_SAFE must make
- sure that the authentication step is appropriately linked with the
- protected communication channel that is established by the
- application.
-
- Unless the application server provides its own suitable means to
- protect against replay (for example, a challenge-response sequence
- initiated by the server after authentication, or use of a server-
- generated encryption subkey), the server must utilize a replay cache
- to remember any authenticator presented within the allowable clock
- skew. All services sharing a key need to use the same replay cache.
- If separate replay caches are used, then and authenticator used with
- one such service could later be replayed to a different service with
- the same service principal.
-
- If a server loses track of authenticators presented within the
- allowable clock skew, it must reject all requests until the clock
- skew interval has passed, providing assurance that any lost or
- replayed authenticators will fall outside the allowable clock skew
- and can no longer be successfully replayed.
-
- Implementations of Kerberos should not use untrusted directory
- servers to determine the realm of a host. To allow such would allow
- the compromise of the directory server to enable an attacker to
- direct the client to accept authentication with the wrong principal
- (i.e. one with a similar name, but in a realm with which the
- legitimate host was not registered).
-
- Implementations of Kerberos must not use DNS to canonicalize the host
- components of service principal names. To allow such canonicalization
- would allow a compromise of the DNS to result in a client obtaining
- credentials and correctly authenticating to the wrong principal.
- Though the client will know who it is communicating with, it will not
- be the principal with which it intended to communicate.
-
- If the Kerberos server returns a TGT for a 'closer' realm other than
- the desired realm, the client may use local policy configuration to
- verify that the authentication path used is an acceptable one.
- Alternatively, a client may choose its own authentication path,
- rather than relying on the Kerberos server to select one. In either
- case, any policy or configuration information used to choose or
- validate authentication paths, whether by the Kerberos server or
- client, must be obtained from a trusted source.
-
-
-
-March 2003 [Page 116]
-
-
-
-
-
-Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT
-
-
- The Kerberos protocol in its basic form does not provide perfect
- forward secrecy for communications.
If traffic has been recorded by
- an eavesdropper, then messages encrypted using the KRB_PRIV message,
- or messages encrypted using application specific encryption under
- keys exchanged using Kerberos can be decrypted if any of the user's,
- application server's, or KDC's key is subsequently discovered. This
- is because the session key use to encrypt such messages is
- transmitted over the network encrypted in the key of the application
- server, and also encrypted under the session key from the user's
- ticket-granting ticket when returned to the user in the KRB_TGS_REP
- message. The session key from the ticket-granting ticket was sent to
- the user in the KRB_AS_REP message encrypted in the user's secret
- key, and embedded in the ticket-granting ticket, which was encrypted
- in the key of the KDC. Application requiring perfect forward secrecy
- must exchange keys through mechanisms that provide such assurance,
- but may use Kerberos for authentication of the encrypted channel
- established through such other means.
-
-11. Author's Addresses
-
-
- Clifford Neuman
- Information Sciences Institute
- University of Southern California
- 4676 Admiralty Way
- Marina del Rey, CA 90292, USA
- Email: bcn@isi.edu
-
- Tom Yu
- Massachusetts Institute of Technology
- 77 Massachusetts Avenue
- Cambridge, MA 02139, USA
- Email: tlyu@mit.edu
-
- Sam Hartman
- Massachusetts Institute of Technology
- 77 Massachusetts Avenue
- Cambridge, MA 02139, USA
- Email: hartmans@mit.edu
-
- Kenneth Raeburn
- Massachusetts Institute of Technology
- 77 Massachusetts Avenue
- Cambridge, MA 02139, USA
- Email: raeburn@MIT.EDU
-
-
-12. Acknowledgements
-
-
-
-March 2003 [Page 117]
-
-
-
-
-
-Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT
-
-
- This document is a revision to RFC1510 which was co-authored with
- John Kohl. The specification of the Kerberos protocol described in
- this document is the result of many years of effort.
Over this - period many individuals have contributed to the definition of the - protocol and to the writing of the specification. Unfortunately it is - not possible to list all contributors as authors of this document, - though there are many not listed who are authors in spirit, because - they contributed text for parts of some sections, because they - contributed to the design of parts of the protocol, or because they - contributed significantly to the discussion of the protocol in the - IETF common authentication technology (CAT) and Kerberos working - groups. - - Among those contributing to the development and specification of - Kerberos were Jeffrey Altman, John Brezak, Marc Colan, Johan - Danielsson, Don Davis, Doug Engert, Dan Geer, Paul Hill, John Kohl, - Marc Horowitz, Matt Hur, Jeffrey Hutzelman, Paul Leach, John Linn, - Ari Medvinsky, Sasha Medvinsky, Steve Miller, Jon Rochlis, Jerome - Saltzer, Jeffrey Schiller, Jennifer Steiner, Ralph Swick, Mike Swift, - Jonathan Trostle, Theodore Ts'o, Brian Tung, Jacques Vidrine, Assar - Westerlund, and Nicolas Williams. Many other members of MIT Project - Athena, the MIT networking group, and the Kerberos and CAT working - groups of the IETF contributed but are not listed. - -13. REFERENCES - - [@KRYPTO] - RFC-Editor: To be replaced by RFC number for draft-ietf-krb-wg- - crypto. - - [@AES] - RFC-Editor: To be replaced by RFC number for draft-raeburn0krb- - rijndael-krb. - - [DGT96] - Don Davis, Daniel Geer, and Theodore Ts'0, "Kerberos With Clocks - Adrift: History, Protocols, and Implementation", USENIX Computing - Systems 9:1 (Januart 1996). - - [DS81] - Dorothy E. Denning and Giovanni Maria Sacco, "Time-stamps in Key - Distribution Protocols," Communications of the ACM, Vol. 24(8), - pp. 533-536 (August 1981). - - [ISO-646/ECMA-6] - 7-bit Coded Character Set - - [ISO-2022/ECMA-35] - - - -March 2003 [Page 118] - - - - - -Neuman, et al. 
draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - Character Code Structure and Extension Techniques - - [ISO-4873/ECMA-43] - 8-bit Coded Character Set Structure and Rules - - [KNT94] - - John T. Kohl, B. Clifford Neuman, and Theodore Y. Ts'o, "The - Evolution of the Kerberos Authentication System". In Distributed - Open Systems, pages 78-94. IEEE Computer Society Press, 1994. - - [MNSS87] - S. P. Miller, B. C. Neuman, J. I. Schiller, and J. H. Saltzer, - Section E.2.1: Kerberos Authentication and Authorization System, - M.I.T. Project Athena, Cambridge, Massachusetts (December 21, - 1987). - - [Neu93] - B. Clifford Neuman, "Proxy-Based Authorization and Accounting for - Distributed Systems," in Proceedings of the 13th International - Conference on Distributed Computing Systems, Pittsburgh, PA (May, - 1993). - - [NS78] - Roger M. Needham and Michael D. Schroeder, "Using Encryption for - Authentication in Large Networks of Computers," Communications of - the ACM, Vol. 21(12), pp. 993-999 (December, 1978). - - [NT94] - B. Clifford Neuman and Theodore Y. Ts'o, "An Authentication - Service for Computer Networks," IEEE Communications Magazine, Vol. - 32(9), pp. 33-38 (September 1994). - - [Pat92]. - J. Pato, Using Pre-Authentication to Avoid Password Guessing - Attacks, Open Software Foundation DCE Request for Comments 26 - (December 1992). - - [RFC1035] - P.V. Mockapetris, RFC1035: "Domain Names - Implementations and - Specification," November 1, 1987, Obsoletes - RFC973, RFC882, - RFC883. Updated by RFC1101, RFC1183, RFC1348, RFCRFC1876, RFC1982, - RFC1995, RFC1996, RFC2065, RFC2136, RFC2137, RFC2181, RFC2308, - RFC2535, RFC2845, and RFC3425. Status: Standard. - - [RFC1510] - J. Kohl and B. C. Neuman, RFC1510: "The Kerberos Network - Authentication Service (v5)," September 1993, Status: Proposed - - - -March 2003 [Page 119] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - Standard. - - [RFC2026] - S. 
Bradner, RFC2026: "The Internet Standard Process - Revision - 3," October 1996, Obsoletes - RFC 1602, Status: Best Current - Practice. - - [RFC2052] - A. Gulbrandsen and P. Vixie, RFC2052: "A DNS RR for Specifying the - Location of Services (DNS SRV)," October 1996, Obseleted by - RFC2782, Status: Experimental - - [RFC2253] - M. Wahl, S. Killie, and T. Howes, RFC2253: "Lightweight Directory - Access Protocol (v3): UTF-8 String Representation or Distinguished - Names," December 1997, Obsoletes - RFC1779, Updated by RFC3377, - Status: Proposed Standard. - - [RFC2273] - D. Levi, P. Meyer, and B. Stewart, RFC2273: "SNMPv3 Applications," - January 1998, Obsoletes - RFC2263, Obsoleted by RFC2573, Status: - Proposed Standard. - - [RFC2373] - R. Hinden, S. Deering, RFC2373: "IP Version 6 Addressing - Architecture," July 1998, Status: Proposed Standard. - - [SNS88] - J. G. Steiner, B. C. Neuman, and J. I. Schiller, "Kerberos: An - Authentication Service for Open Network Systems," pp. 191-202 in - Usenix Conference Proceedings, Dallas, Texas (February, 1988). - - [X680] - Abstract Syntax Notation One (ASN.1): Specification of Basic - Notation, ITU-T Recommendation X.680 (1997) | ISO/IEC - International Standard 8824-1:1998. - - [X690] - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), - Canonical Encoding Rules (CER) and Distinguished Encoding Rules - (DER), ITU-T Recommendation X.690 (1997)| ISO/IEC International - Standard 8825-1:1998. - -A. ASN.1 module - - KerberosV5Spec2 { - iso(1) identified-organization(3) dod(6) internet(1) - security(5) kerberosV5(2) modules(4) krb5spec2(2) - - - -March 2003 [Page 120] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - } DEFINITIONS EXPLICIT TAGS ::= BEGIN - - -- OID arc for KerberosV5 - -- - -- This OID may be used to identify Kerberos protocol messages - -- encapsulated in other protocols. - -- - -- This OID also designates the OID arc for KerberosV5-related OIDs. 
- -- - -- NOTE: RFC 1510 had an incorrect value (5) for "dod" in its OID. - id-krb5 OBJECT IDENTIFIER ::= { - iso(1) identified-organization(3) dod(6) internet(1) - security(5) kerberosV5(2) - } - - Int32 ::= INTEGER (-2147483648..2147483647) - -- signed values representable in 32 bits - - UInt32 ::= INTEGER (0..4294967295) - -- unsigned 32 bit values - - Microseconds ::= INTEGER (0..999999) - -- microseconds - - KerberosString ::= GeneralString (IA5String) - - Realm ::= KerberosString - - PrincipalName ::= SEQUENCE { - name-type [0] Int32, - name-string [1] SEQUENCE OF KerberosString - } - - KerberosTime ::= GeneralizedTime -- with no fractional seconds - - HostAddress ::= SEQUENCE { - addr-type [0] Int32, - address [1] OCTET STRING - } - - -- NOTE: HostAddresses is always used as an OPTIONAL field and - -- should not be empty. - HostAddresses -- NOTE: subtly different from rfc1510, - -- but has a value mapping and encodes the same - ::= SEQUENCE OF HostAddress - - -- NOTE: AuthorizationData is always used as an OPTIONAL field and - -- should not be empty. - - - -March 2003 [Page 121] - - - - - -Neuman, et al. 
draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - AuthorizationData ::= SEQUENCE OF SEQUENCE { - ad-type [0] Int32, - ad-data [1] OCTET STRING - } - - PA-DATA ::= SEQUENCE { - -- NOTE: first tag is [1], not [0] - padata-type [1] Int32, - padata-value [2] OCTET STRING -- might be encoded AP-REQ - } - - KerberosFlags ::= BIT STRING (SIZE (32..MAX)) -- minimum number of bits - -- shall be sent, but no fewer than 32 - - EncryptedData ::= SEQUENCE { - etype [0] Int32 -- EncryptionType --, - kvno [1] UInt32 OPTIONAL, - cipher [2] OCTET STRING -- ciphertext - } - - EncryptionKey ::= SEQUENCE { - keytype [0] Int32 -- actually encryption type --, - keyvalue [1] OCTET STRING - } - - Checksum ::= SEQUENCE { - cksumtype [0] Int32, - checksum [1] OCTET STRING - } - - Ticket ::= [APPLICATION 1] SEQUENCE { - tkt-vno [0] INTEGER (5), - realm [1] Realm, - sname [2] PrincipalName, - enc-part [3] EncryptedData -- EncTicketPart - } - - -- Encrypted part of ticket - EncTicketPart ::= [APPLICATION 3] SEQUENCE { - flags [0] TicketFlags, - key [1] EncryptionKey, - crealm [2] Realm, - cname [3] PrincipalName, - transited [4] TransitedEncoding, - authtime [5] KerberosTime, - starttime [6] KerberosTime OPTIONAL, - endtime [7] KerberosTime, - renew-till [8] KerberosTime OPTIONAL, - - - -March 2003 [Page 122] - - - - - -Neuman, et al. 
draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - caddr [9] HostAddresses OPTIONAL, - authorization-data [10] AuthorizationData OPTIONAL - } - - -- encoded Transited field - TransitedEncoding ::= SEQUENCE { - tr-type [0] Int32 -- must be registered --, - contents [1] OCTET STRING - } - - TicketFlags ::= KerberosFlags - -- reserved(0), - -- forwardable(1), - -- forwarded(2), - -- proxiable(3), - -- proxy(4), - -- may-postdate(5), - -- postdated(6), - -- invalid(7), - -- renewable(8), - -- initial(9), - -- pre-authent(10), - -- hw-authent(11), - -- the following are new since 1510 - -- transited-policy-checked(12), - -- ok-as-delegate(13) - - AS-REQ ::= [APPLICATION 10] KDC-REQ - - TGS-REQ ::= [APPLICATION 12] KDC-REQ - - KDC-REQ ::= SEQUENCE { - -- NOTE: first tag is [1], not [0] - pvno [1] INTEGER (5) , - msg-type [2] INTEGER (10 -- AS -- | 12 -- TGS --), - padata [3] SEQUENCE OF PA-DATA OPTIONAL - -- NOTE: not empty --, - req-body [4] KDC-REQ-BODY - } - - KDC-REQ-BODY ::= SEQUENCE { - kdc-options [0] KDCOptions, - cname [1] PrincipalName OPTIONAL - -- Used only in AS-REQ --, - realm [2] Realm - -- Server's realm - -- Also client's in AS-REQ --, - sname [3] PrincipalName OPTIONAL, - - - -March 2003 [Page 123] - - - - - -Neuman, et al. 
draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - from [4] KerberosTime OPTIONAL, - till [5] KerberosTime, - rtime [6] KerberosTime OPTIONAL, - nonce [7] UInt32, - etype [8] SEQUENCE OF Int32 -- EncryptionType - -- in preference order --, - addresses [9] HostAddresses OPTIONAL, - enc-authorization-data [10] EncryptedData -- AuthorizationData --, - additional-tickets [11] SEQUENCE OF Ticket OPTIONAL - -- NOTE: not empty - } - - KDCOptions ::= KerberosFlags - -- reserved(0), - -- forwardable(1), - -- forwarded(2), - -- proxiable(3), - -- proxy(4), - -- allow-postdate(5), - -- postdated(6), - -- unused7(7), - -- renewable(8), - -- unused9(9), - -- unused10(10), - -- opt-hardware-auth(11), - -- unused12(12), - -- unused13(13), - -- 15 is reserved for canonicalize - -- unused15(15), - -- 26 was unused in 1510 - -- disable-transited-check(26), - -- - -- renewable-ok(27), - -- enc-tkt-in-skey(28), - -- renew(30), - -- validate(31) - - AS-REP ::= [APPLICATION 11] KDC-REP - - TGS-REP ::= [APPLICATION 13] KDC-REP - - KDC-REP ::= SEQUENCE { - pvno [0] INTEGER (5), - msg-type [1] INTEGER (11 -- AS -- | 13 -- TGS --), - padata [2] SEQUENCE OF PA-DATA OPTIONAL - -- NOTE: not empty --, - crealm [3] Realm, - cname [4] PrincipalName, - - - -March 2003 [Page 124] - - - - - -Neuman, et al. 
draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - ticket [5] Ticket, - enc-part [6] EncryptedData - -- EncASRepPart or EncTGSRepPart, - -- as appropriate - } - - EncASRepPart ::= [APPLICATION 25] EncKDCRepPart - - EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart - - EncKDCRepPart ::= SEQUENCE { - key [0] EncryptionKey, - last-req [1] LastReq, - nonce [2] UInt32, - key-expiration [3] KerberosTime OPTIONAL, - flags [4] TicketFlags, - authtime [5] KerberosTime, - starttime [6] KerberosTime OPTIONAL, - endtime [7] KerberosTime, - renew-till [8] KerberosTime OPTIONAL, - srealm [9] Realm, - sname [10] PrincipalName, - caddr [11] HostAddresses OPTIONAL - } - - LastReq ::= SEQUENCE OF SEQUENCE { - lr-type [0] Int32, - lr-value [1] KerberosTime - } - - AP-REQ ::= [APPLICATION 14] SEQUENCE { - pvno [0] INTEGER (5), - msg-type [1] INTEGER (14), - ap-options [2] APOptions, - ticket [3] Ticket, - authenticator [4] EncryptedData -- Authenticator - } - - APOptions ::= KerberosFlags - -- reserved(0), - -- use-session-key(1), - -- mutual-required(2) - - -- Unencrypted authenticator - Authenticator ::= [APPLICATION 2] SEQUENCE { - authenticator-vno [0] INTEGER (5), - crealm [1] Realm, - cname [2] PrincipalName, - - - -March 2003 [Page 125] - - - - - -Neuman, et al. 
draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - cksum [3] Checksum OPTIONAL, - cusec [4] Microseconds, - ctime [5] KerberosTime, - subkey [6] EncryptionKey OPTIONAL, - seq-number [7] UInt32 OPTIONAL, - authorization-data [8] AuthorizationData OPTIONAL - } - - AP-REP ::= [APPLICATION 15] SEQUENCE { - pvno [0] INTEGER (5), - msg-type [1] INTEGER (15), - enc-part [2] EncryptedData -- EncAPRepPart - } - - EncAPRepPart ::= [APPLICATION 27] SEQUENCE { - ctime [0] KerberosTime, - cusec [1] Microseconds, - subkey [2] EncryptionKey OPTIONAL, - seq-number [3] UInt32 OPTIONAL - } - - KRB-SAFE ::= [APPLICATION 20] SEQUENCE { - pvno [0] INTEGER (5), - msg-type [1] INTEGER (20), - safe-body [2] KRB-SAFE-BODY, - cksum [3] Checksum - } - - KRB-SAFE-BODY ::= SEQUENCE { - user-data [0] OCTET STRING, - timestamp [1] KerberosTime OPTIONAL, - usec [2] Microseconds OPTIONAL, - seq-number [3] UInt32 OPTIONAL, - s-address [4] HostAddress, - r-address [5] HostAddress OPTIONAL - } - - KRB-PRIV ::= [APPLICATION 21] SEQUENCE { - pvno [0] INTEGER (5), - msg-type [1] INTEGER (21), - -- NOTE: there is no [2] tag - enc-part [3] EncryptedData -- EncKrbPrivPart - } - - EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE { - user-data [0] OCTET STRING, - timestamp [1] KerberosTime OPTIONAL, - usec [2] Microseconds OPTIONAL, - - - -March 2003 [Page 126] - - - - - -Neuman, et al. 
draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - seq-number [3] UInt32 OPTIONAL, - s-address [4] HostAddress -- sender's addr --, - r-address [5] HostAddress OPTIONAL -- recip's addr - } - - KRB-CRED ::= [APPLICATION 22] SEQUENCE { - pvno [0] INTEGER (5), - msg-type [1] INTEGER (22), - tickets [2] SEQUENCE OF Ticket, - enc-part [3] EncryptedData -- EncKrbCredPart - } - - EncKrbCredPart ::= [APPLICATION 29] SEQUENCE { - ticket-info [0] SEQUENCE OF KrbCredInfo, - nonce [1] UInt32 OPTIONAL, - timestamp [2] KerberosTime OPTIONAL, - usec [3] Microseconds OPTIONAL, - s-address [4] HostAddress OPTIONAL, - r-address [5] HostAddress OPTIONAL - } - - KrbCredInfo ::= SEQUENCE { - key [0] EncryptionKey, - prealm [1] Realm OPTIONAL, - pname [2] PrincipalName OPTIONAL, - flags [3] TicketFlags OPTIONAL, - authtime [4] KerberosTime OPTIONAL, - starttime [5] KerberosTime OPTIONAL, - endtime [6] KerberosTime OPTIONAL, - renew-till [7] KerberosTime OPTIONAL, - srealm [8] Realm OPTIONAL, - sname [9] PrincipalName OPTIONAL, - caddr [10] HostAddresses OPTIONAL - } - - KRB-ERROR ::= [APPLICATION 30] SEQUENCE { - pvno [0] INTEGER (5), - msg-type [1] INTEGER (30), - ctime [2] KerberosTime OPTIONAL, - cusec [3] Microseconds OPTIONAL, - stime [4] KerberosTime, - susec [5] Microseconds, - error-code [6] Int32, - crealm [7] Realm OPTIONAL, - cname [8] PrincipalName OPTIONAL, - realm [9] Realm -- service realm --, - sname [10] PrincipalName -- service name --, - e-text [11] KerberosString OPTIONAL, - - - -March 2003 [Page 127] - - - - - -Neuman, et al. 
draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - e-data [12] OCTET STRING OPTIONAL - } - - METHOD-DATA ::= SEQUENCE OF PA-DATA - - TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE { - data-type [0] INTEGER, - data-value [1] OCTET STRING OPTIONAL - } - - -- preauth stuff follows - - PA-ENC-TIMESTAMP ::= EncryptedData -- PA-ENC-TS-ENC - - PA-ENC-TS-ENC ::= SEQUENCE { - patimestamp [0] KerberosTime -- client's time --, - pausec [1] Microseconds OPTIONAL - } - - ETYPE-INFO-ENTRY ::= SEQUENCE { - etype [0] Int32, - salt [1] OCTET STRING OPTIONAL - } - - ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY - - ETYPE-INFO2-ENTRY ::= SEQUENCE { - etype [0] Int32, - salt [1] KerberosString OPTIONAL, - s2kparams [2] OCTET STRING OPTIONAL - } - - ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO-ENTRY - - AD-IF-RELEVANT ::= AuthorizationData - - AD-KDCIssued ::= SEQUENCE { - ad-checksum [0] Checksum, - i-realm [1] Realm OPTIONAL, - i-sname [2] PrincipalName OPTIONAL, - elements [3] AuthorizationData - } - - AD-AND-OR ::= SEQUENCE { - condition-count [0] INTEGER, - elements [1] AuthorizationData - } - - - - -March 2003 [Page 128] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - AD-MANDATORY-FOR-KDC ::= AuthorizationData - - END - -B. Changes since RFC-1510 - - This document replaces RFC-1510 and clarifies specification of items - that were not completely specified. Where changes to recommended - implementation choices were made, or where new options were added, - those changes are described within the document and listed in this - section. More significantly, "Specification 2" in section 8 changes - the required encryption and checksum methods to bring them in line - with the best current practices and to deprecate methods that are no - longer considered sufficiently strong. 
- - Discussion was added to section 1 regarding the ability to rely on - the KDC to check the transited field, and on the inclusion of a flag - in a ticket indicating that this check has occurred. This is a new - capability not present in RFC1510. Pre-existing implementations may - ignore or not set this flag without negative security implications. - - The definition of the secret key says that in the case of a user the - key may be derived from a password. In 1510, it said that the key was - derived from the password. This change was made to accommodate - situations where the user key might be stored on a smart-card, or - otherwise obtained independent of a password. - - The introduction mentions the use of public key cryptography for - initial authentication in Kerberos by reference. RFC1510 did not - include such a reference. - - Section 1.2 was added to explain that while Kerberos provides - authentication of a named principal, it is still the responsibility - of the application to ensure that the authenticated name is the - entity with which the application wishes to communicate. - - Discussion of extensibility has been added to the introduction. - - Discussion of how extensibility affects ticket flags and KDC options - was added to the introduction of section 2. No changes were made to - existing options and flags specified in RFC1510, though some of the - sections in the specification were renumbered, and text was revised - to make the description and intent of existing options clearer, - especially with respect to the ENC-TKT-IN-SKEY option (now section - 2.9.2) which is used for user-to-user authentication. The new option - and ticket flag transited policy checking (section 2.7) was added. - - A warning regarding generation of session keys for application use - - - -March 2003 [Page 129] - - - - - -Neuman, et al. 
draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - was added to section 3, urging the inclusion of key entropy from the - KDC generated session key in the ticket. An example regarding use of - the sub-session key was added to section 3.2.6. Descriptions of the - pa-etype-info, pa-etype-info2, and pa-pw-salt pre-authentication data - items were added. The recommendation for use of pre-authentication - was changed from "may" to "should" and a note was added regarding - known plaintext attacks. - - In RFC 1510, section 4 described the database in the KDC. This - discussion was not necessary for interoperability and unnecessarily - constrained implementation. The old section 4 was removed. - - The current section 4 was formerly section 6 on encryption and - checksum specifications. The major part of this section was brought - up to date to support new encryption methods, and move to a separate - document. Those few remaining aspects of the encryption and checksum - specification specific to Kerberos are now specified in section 4. - - Significant changes were made to the layout of section 5 to clarify - the correct behavior for optional fields. Many of these changes were - made necessary because of improper ASN.1 description in the original - Kerberos specification which left the correct behavior - underspecified. Additionally, the wording in this section was - tightened wherever possible to ensure that implementations conforming - to this specification will be extensible with the addition of new - fields in future specifications. - - Text was added describing time_t=0 issues in the ASN.1. Text was also - added, clarifying issues with implementations treating omitted - optional integers as zero. Text was added clarifying behavior for - optional SEQUENCE or SEQUENCE OF that may be empty. Discussion was - added regarding sequence numbers and behavior of some - implementations, including "zero" behavior and negative numbers. 
A - compatibility note was added regarding the unconditional sending of - EncTGSRepPart regardless of the enclosing reply type. Minor changes - were made to the description of the HostAddresses type. Integer types - were constrained. KerberosString was defined as a (significantly) - constrained GeneralString. KerberosFlags was defined to reflect - existing implementation behavior that departs from the definition in - RFC 1510. The transited-policy-checked(12) and the ok-as-delegate(13) - ticket flags were added. The disable-transited-check(26) KDC option - was added. - - Descriptions of commonly implemented PA-DATA were added to section 5. - The description of KRB-SAFE has been updated to note the existing - implementation behavior of double-encoding. - - There were two definitions of METHOD-DATA in RFC 1510. The second - - - -March 2003 [Page 130] - - - - - -Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT - - - one, intended for use with KRB_AP_ERR_METHOD was removed leaving the - SEQUENCE OF PA-DATA definition. - - Section 7, naming constraints, from RFC1510 was moved to section 6. - - Words were added describing the convention that domain based realm - names for newly created realms should be specified as upper case. - This recommendation does not make lower case realm names illegal. - Words were added highlighting that the slash separated components in - the X500 style of realm names is consistent with existing RFC1510 - based implementations, but that it conflicts with the general - recommendation of X.500 name representation specified in RFC2253. - - Section 8, network transport, constants and defined values, from - RFC1510 was moved to section 7. Since RFC1510, the definition of the - TCP transport for Kerberos messages was added, and the encryption and - checksum number assignments have been moved into a separate document. 
-
- "Specification 2" in section 8 of the current document changes the
- required encryption and checksum methods to bring them in line with
- the best current practices and to deprecate methods that are no
- longer considered sufficiently strong.
-
- Two new sections, on IANA considerations and security considerations
- were added.
-
- The pseudo-code has been removed from the appendix. The pseudo-code
- was sometimes misinterpreted to limit implementation choices and in
- RFC 1510, it was not always consistent with the words in the
- specification. Effort was made to clear up any ambiguities in the
- specification, rather than to rely on the pseudo-code.
-
- An appendix was added containing the complete ASN.1 module drawn from
- the discussion in section 5 of the current document.
-
- An appendix was added defining those authorization data elements that
- must be understood by all Kerberos implementations.
-
-END NOTES
-
- [TM] Project Athena, Athena, and Kerberos are trademarks of the
- Massachusetts Institute of Technology (MIT). No commercial use of
- these trademarks may be made without prior written permission of MIT.
-
- [1] Note, however, that many applications use Kerberos' functions
- only upon the initiation of a stream-based network connection. Unless
- an application subsequently provides integrity protection for the
- data stream, the identity verification applies only to the initiation
-
-
-
-March 2003 [Page 131]
-
-
-
-
-
-Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT
-
-
- of the connection, and does not guarantee that subsequent messages on
- the connection originate from the same principal.
-
- [2] Secret and private are often used interchangeably in the
- literature. In our usage, it takes two (or more) to share a secret,
- thus a shared DES key is a secret key. Something is only private when
- no one but its owner knows it. Thus, in public key cryptosystems, one
- has a public and a private key.
-
- [3] Of course, with appropriate permission the client could arrange
- registration of a separately-named principal in a remote realm, and
- engage in normal exchanges with that realm's services. However, for
- even small numbers of clients this becomes cumbersome, and more
- automatic methods as described here are necessary.
-
- [4] Though it is permissible to request or issue tickets with no
- network addresses specified.
-
- [5] The password-changing request must not be honored unless the
- requester can provide the old password (the user's current secret
- key). Otherwise, it would be possible for someone to walk up to an
- unattended session and change another user's password.
-
- [6] To authenticate a user logging on to a local system, the
- credentials obtained in the AS exchange may first be used in a TGS
- exchange to obtain credentials for a local server. Those credentials
- must then be verified by a local server through successful completion
- of the Client/Server exchange.
-
- [7] "Random" means that, among other things, it should be impossible
- to guess the next session key based on knowledge of past session
- keys. This can only be achieved in a pseudo-random number generator
- if it is based on cryptographic principles. It is more desirable to
- use a truly random number generator, such as one based on
- measurements of random physical phenomena.
-
- [8] Tickets contain both an encrypted and unencrypted portion, so
- cleartext here refers to the entire unit, which can be copied from
- one message and replayed in another without any cryptographic skill.
-
- [9] Note that this can make applications based on unreliable
- transports difficult to code correctly. If the transport might
- deliver duplicated messages, either a new authenticator must be
- generated for each retry, or the application server must match
- requests and replies and replay the first reply in response to a
- detected duplicate.
-
- [10] Note also that the rejection here is restricted to
-
-
-
-March 2003 [Page 132]
-
-
-
-
-
-Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-03.txt DRAFT
-
-
- authenticators from the same principal to the same server. Other
- client principals communicating with the same server principal should
- not be have their authenticators rejected if the time and microsecond
- fields happen to match some other client's authenticator.
-
- [11] If this is not done, an attacker could subvert the
- authentication by recording the ticket and authenticator sent over
- the network to a server and replaying them following an event that
- caused the server to lose track of recently seen authenticators.
-
- [12] In the Kerberos version 4 protocol, the timestamp in the reply
- was the client's timestamp plus one. This is not necessary in version
- 5 because version 5 messages are formatted in such a way that it is
- not possible to create the reply by judicious message surgery (even
- in encrypted form) without knowledge of the appropriate encryption
- keys.
-
- [13] Note that for encrypting the KRB_AP_REP message, the sub-session
- key is not used, even if present in the Authenticator.
-
- [14] Implementations of the protocol may provide routines to choose
- subkeys based on session keys and random numbers and to generate a
- negotiated key to be returned in the KRB_AP_REP message.
-
- [15]This can be accomplished in several ways. It might be known
- beforehand (since the realm is part of the principal identifier), it
- might be stored in a nameserver, or it might be obtained from a
- configuration file. If the realm to be used is obtained from a
- nameserver, there is a danger of being spoofed if the nameservice
- providing the realm name is not authenticated. This might result in
- the use of a realm which has been compromised, and would result in an
- attacker's ability to compromise the authentication of the
- application server to the client.
-
- [16] If the client selects a sub-session key, care must be taken to
- ensure the randomness of the selected sub-session key. One approach
- would be to generate a random number and XOR it with the session key
- from the ticket-granting ticket.
-
-
-
-
-
-
-
-
-
-
-
-
-
-March 2003 [Page 133]
-
diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-krb-wg-kerberos-referrals-00.txt b/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-krb-wg-kerberos-referrals-00.txt
deleted file mode 100644
index 5845995f2d..0000000000
--- a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-krb-wg-kerberos-referrals-00.txt
+++ /dev/null
@@ -1,725 +0,0 @@ - - -Kerberos Working Group M. Swift -Internet Draft University of WA -Document: draft-ietf-krb-wg-kerberos-referrals-00.txt J. Brezak -Category: Standards Track Microsoft - J. Trostle - Cisco Systems - K. Raeburn - MIT - February 2001 - - - Generating KDC Referrals to locate Kerberos realms - - -Status of this Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC2026 [1]. - - Internet-Drafts are working documents of the Internet Engineering - Task Force (IETF), its areas, and its working groups. Note that - other groups may also distribute working documents as Internet- - Drafts. Internet-Drafts are draft documents valid for a maximum of - six months and may be updated, replaced, or obsoleted by other - documents at any time. It is inappropriate to use Internet- Drafts - as reference material or to cite them other than as "work in - progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - -1. Abstract - - The draft documents a new method for a Kerberos Key Distribution - Center (KDC) to respond to client requests for kerberos tickets when - the client does not have detailed configuration information on the - realms of users or services. The KDC will handle requests for - principals in other realms by returning either a referral error or a - cross-realm TGT to another realm on the referral path. The clients - will use this referral information to reach the realm of the target - principal and then receive the ticket. - -2. Conventions used in this document - - The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", - "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in - this document are to be interpreted as described in RFC-2119 [2]. - -3. 
Introduction - - - - -Swift Category - Standards Track 1 - - - - - - - - - KDC Referrals February 2001 - - - Current implementations of the Kerberos AS and TGS protocols, as - defined in RFC 1510 [3], use principal names constructed from a - known user or service name and realm. A service name is typically - constructed from a name of the service and the DNS host name of the - computer that is providing the service. Many existing deployments of - Kerberos use a single Kerberos realm where all users and services - would be using the same realm. However in an environment where there - are multiple trusted Kerberos realms, the client needs to be able to - determine what realm a particular user or service is in before - making an AS or TGS request. Traditionally this requires client - configuration to make this possible. - - When having to deal with multiple trusted realms, users are forced - to know what realm they are in before they can obtain a ticket - granting ticket (TGT) with an AS request. However, in many cases the - user would like to use a more familiar name that is not directly - related to the realm of their Kerberos principal name. A good - example of this is an RFC-822 style email name. This document - describes a mechanism that would allow a user to specify a user - principal name that is an alias for the user's Kerberos principal - name. In practice this would be the name that the user specifies to - obtain a TGT from a Kerberos KDC. The user principal name no longer - has a direct relationship with the Kerberos principal or realm. Thus - the administrator is able to move the user's principal to other - realms without the user having to know that it happened. - - Once a user has a TGT, they would like to be able to access services - in any trusted Kerberos realm. To do this requires that the client - be able to determine what realm the target service's host is in - before making the TGS request. 
Current implementations of Kerberos - typically have a table that maps DNS host names to corresponding - Kerberos realms. In order for this to work on the client, each - application canonicalizes the host name of the service by doing a - DNS lookup followed by a reverse lookup using the returned IP - address. The returned primary host name is then used in the - construction of the principal name for the target service. In order - for the correct realm to be added for the target host, the mapping - table [domain_to_realm] is consulted for the realm corresponding to - the DNS host name. The corresponding realm is then used to complete - the target service principal name. - - This traditional mechanism requires that each client have very - detailed configuration information about the hosts that are - providing services and their corresponding realms. Having client - side configuration information can be very costly from an - administration point of view - especially if there are many realms - and computers in the environment. - - Current implementations of Kerberos also have difficulty with - services on hosts that can have multiple host names (multi-homed - hosts). Traditionally, each host name would need to have a distinct - principal and a corresponding key. An extreme example of this would - be a Web server with multiple host names for each domain that it is - -Swift Category - Standards Track 2 - - - - - - - - - KDC Referrals February 2001 - - - supporting. Principal aliases allow multi-homed hosts to have a - single Kerberos principal (with a single key) that can have - identities for each distinct host name. This mechanism allows the - Kerberos client to request a service ticket for the distinct - hostname and allows the KDC to return a ticket for the single - principal that the host is using. This canonical principal name - allows the host to only have to manage a single key for all of the - identities that it supports. 
In addition, the client only needs to - know the realm of the canonical service name, not all of the - identities. - - This draft proposes a solution for these problems and simplifies - administration by minimizing the configuration information needed on - each computer using Kerberos. Specifically it describes a mechanism - to allow the KDC to handle Canonicalization of names, provide for - principal aliases for users and services and provide a mechanism for - the KDC to determine the trusted realm authentication path by being - able to generate referrals to other realms in order to locate - principals. - - To rectify these problems, this draft introduces three new kinds of - KDC referrals: - - 1. AS ticket referrals, in which the client doesn't know which realm - contains a user account. - 2. TGS ticket referrals, in which the client doesn't know which - realm contains a server account. - 3. Cross realm shortcut referrals, in which the KDC chooses the next - path on a referral chain - -4. Realm Organization Model - - This draft assumes that the world of principals is arranged on - multiple levels: the realm, the enterprise, and the world. A KDC may - issue tickets for any principal in its realm or cross-realm tickets - for realms with which it has a direct trust relationship. The KDC - also has access to a trusted name service that can resolve any name - from within its enterprise into a realm. This trusted name service - removes the need to use an untrusted DNS lookup for name resolution. - - For example, consider the following configuration, where lines - indicate trust relationships: - - MS.COM - / \ - / \ - OFFICE.MS.COM NT.MS.COM - - In this configuration, all users in the MS.COM enterprise could have - a principal name such as alice@MS.COM, with the same realm portion. - In addition, servers at MS.COM should be able to have DNS host names - from any DNS domain independent of what Kerberos realm their - principal resides in. 
- -Swift Category - Standards Track 3 - - - - - - - - - KDC Referrals February 2001 - - - -5. Principal Names - -5.1 Service Principal Names - - The standard Kerberos model in RFC 1510 [3] gives each Kerberos - principal a single name. However, if a service is reachable by - several addresses, it is useful for a principal to have multiple - names. Consider a service running on a multi-homed machine. Rather - than requiring a separate principal and password for each name it - exports, a single account with multiple names could be used. - - Multiple names are also useful for services in that clients need not - perform DNS lookups to resolve a host name into a full DNS address. - Instead, the service may have a name for each of its supported host - names, including its IP address. Nonetheless, it is still convenient - for the service to not have to be aware of all these names. Thus a - new name may be added to DNS for a service by updating DNS and the - KDC database without having to notify the service. In addition, it - implies that these aliases are globally unique: they do not include - a specifier dictating what realm contains the principal. Thus, an - alias for a server is of the form "class/instance/name" and may be - transmitted as any name type. - -5.2 Client Principal Names - - Similarly, a client account may also have multiple principal names. - More useful, though, is a globally unique name that allows - unification of email and security principal names. For example, all - users at MS may have a client principal name of the form - "joe@MS.COM" even though the principals are contained in multiple - realms. This global name is again an alias for the true client - principal name, which is indicates what realm contains the - principal. Thus, accounts "alice" in the realm ntdev.MS.COM and - "bob" in office.MS.COM may logon as "alice@MS.COM" and "bob@MS.COM". 
- This requires a new client principal name type, as the AS-REQ - message only contains a single realm field, and the realm portion of - this name doesn't correspond to any Kerberos realm. Thus, the entire - name "alice@MS.COM" is transmitted in the client name field of the - AS-REQ message, with a name type of KRB-NT-ENTERPRISE-PRINCIPAL. - - KRB-NT-ENTERPRISE-PRINCIPAL 10 - -5.3 Name Canonicalization - - In order to support name aliases, the Kerberos client must - explicitly request the name-canonicalization KDC option (bit 15) in - the ticket flags for the TGS-REQ. This flag indicates to the KDC - that the client is prepared to receive a reply with a different - client or server principal name than the request. Thus, the - KDCOptions types is redefined as: - - KDCOptions ::= BIT STRING { - -Swift Category - Standards Track 4 - - - - - - - - - KDC Referrals February 2001 - - - reserved(0), - forwardable(1), - forwarded(2), - proxiable(3), - proxy(4), - allow-postdate(5), - postdated(6), - unused7(7), - renewable(8), - unused9(9), - unused10(10), - unused11(11), - name-canonicalize(15), - renewable-ok(27), - enc-tkt-in-skey(28), - renew(30), - validate(31) - } - -6. Client Referrals - - The simplest form of ticket referral is for a user requesting a - ticket using an AS-REQ. In this case, the client machine will send - the AS request to a convenient trusted realm, either the realm of - the client machine or the realm of the client name. In the case of - the name Alice@MS.COM, the client may optimistically choose to send - the request to MS.COM. - - The client will send the string "alice@MS.COM" in the client - principal name field using the KRB-NT-ENTERPRISE-PRINCIPAL name type - with the crealm set to MS.COM. The KDC will try to lookup the name - in its local account database. If the account is present in the - crealm of the request, it MUST return a KDC reply structure with the - appropriate ticket. 
If the account is not present in the crealm - specified in the request and the name-canonicalize flag in the - KDCoptions is set, the KDC will try to lookup the entire name, - Alice@MS.COM, using a name service. If this lookup is unsuccessful, - it MUST return the error KDC_ERR_C_PRINCIPAL_UNKNOWN. If the lookup - is successful, it MUST return an error KDC_ERR_WRONG_REALM (0x44) - and in the error message the cname and crealm field MUST contain the - client name and the true realm of the client. If the KDC contains - the account locally, it MUST return a normal ticket. The client name - and realm portions of the ticket and KDC reply message MUST be the - client's true name in the realm, not the globally unique name. - - If the client receives a KDC_ERR_WRONG_REALM error, it will issue a - new AS request with the same client principal name used to generate - the first referral to the realm specified by the crealm field of the - kerberos error message from the first request. This request MUST - produce a valid AS response with a ticket for the canonical user - name. The ticket MUST also include the ticket extension containing - the TE-REFERRAL-DATA with the referred-names set to the name from - - -Swift Category - Standards Track 5 - - - - - - - - - KDC Referrals February 2001 - - - the AS request. Any other error or referral will terminate the - request and result in a failed AS request. - -7. Server Referrals - - The server referral mechanism is a bit more complex than the client - referral mechanism. The primary problem is that the KDC must return - a referral ticket rather than an error message, so it will include - in the TGS response information about what realm contains the - service. This is done by returning information about the server name - in the pre-auth data field of the KDC reply. - - If the KDC resolves the server principal name into a principal in - its realm, it may return a normal ticket. 
If the name-canonicalize - flag in the KDCoptions is not set, then the KDC MUST only look up - the name as a normal principal name. Otherwise, it MUST search all - aliases as well. The server principal name in both the ticket and - the KDC reply MUST be the true server principal name instead of one - of the aliases. This frees the application server from needing to - know about all its aliases. - - If the name-canonicalize flag in the KDCoptions is set and the KDC - doesn't find the principal locally, the KDC can return a cross-realm - ticket granting ticket to the next hop on the trust path towards a - realm that may be able to resolve the principal name. - - If the KDC can determine the service principal's realm, it can - return the server realm as ticket extension data. The ticket - extension MUST be encrypted using the session key from the ticket, - and the same etype as is used to protect the TGS reply body. - - The data itself is an ASN.1 encoded structure containing the - server's realm, and if known, canonical principal name and alias - names. The first name in the sequence is the canonical principal - name. - - TE-REFERRAL-INFO 20 - - TE-REFERRAL-DATA ::= SEQUENCE { - referred-server-realm[0] KERB-REALM - referred-names[1] SEQUENCE OF - PrincipalNames OPTIONAL - } - - - The client can use this information to request a chain of cross- - realm ticket granting tickets until it reaches the realm of the - server, and can then expect to receive a valid service ticket. - - In order to facilitate cross-realm interoperability, a client SHOULD - NOT send short names in TGS requests to the KDC. A short name is - defined as a Kerberos name that includes a DNS name that is not - fully qualified. The client MAY use forward DNS lookups to obtain - -Swift Category - Standards Track 6 - - - - - - - - - KDC Referrals February 2001 - - - the long name that corresponds to the user entered short name (the - short name will be a prefix of the corresponding long name). 
- - The client may use the referred-names field to tell if it already - has a ticket to the server in its ticket cache. - - The client can use this information to request a chain of cross- - realm ticket granting tickets until it reaches the realm of the - server, and can then expect to receive a valid service ticket. - However an implementation should limit the number of referrals that - it processes to avoid infinite referral loops. A suggested limit is - 5 referrals before giving up. - -8. Cross Realm Routing - - The current Kerberos protocol requires the client to explicitly - request a cross-realm TGT for each pair of realms on a referral - chain. As a result, the client machines need to be aware of the - trust hierarchy and of any short-cut trusts (those that aren't - parent-child trusts). This requires more configurations on the - client. Instead, the client should be able to request a TGT to the - target realm from each realm on the route. The KDC will determine - the best path for the client and return a cross-realm TGT. The - client has to be aware that a request for a cross-realm TGT may - return a TGT for a realm different from the one requested. - -9. Security Considerations - - The original Kerberos specification stated that the server principal - name in the KDC reply was the same as the server name in the - request. These protocol changes break that assumption, so the client - may be vulnerable to a denial of service attack by an attacker that - replays replies from previous requests. It can verify that the - request was one of its own by checking the client-address field or - authtime field, though, so the damage is limited and detectable. - - For the AS exchange case, it is important that the logon mechanism - not trust a name that has not been used to authenticate the user. 
- For example, the name that the user enters as part of a logon - exchange may not be the name that the user authenticates as, given - that the KDC_ERR_WRONG_REALM error may have been returned. The - relevant Kerberos naming information for logon (if any), is the - client name and client realm in the service ticket targeted at the - workstation that was obtained using the user's initial TGT. - - How the client name and client realm is mapped into a local account - for logon is a local matter, but the client logon mechanism MUST use - additional information such as the client realm and/or authorization - attributes from the service ticket presented to the workstation by - the user, when mapping the logon credentials to a local account on - the workstation. - -10. Discussion - -Swift Category - Standards Track 7 - - - - - - - - - KDC Referrals February 2001 - - - - This section contains issues and suggestions that need to be - incorporated into this draft. From Ken Raeburn [raeburn@mit.edu]: - - 1) No means to do name canonicalization if you're not - authenticating. Is it okay to require credentials in order to do - canonicalization? If so, how about this: Send a TGS_REQ for the - service name you have. If you get back a TGS_REP for a service, - great; pull out the name and throw out the credentials. If you - get back a TGS_REP for a TGT service, ask again in the specified - realm. If you get back a KRB_ERROR because policy prohibits you - from authenticating to that service, we can add to the - specification that the {realm,sname} in the KRB_ERROR must be the - canonical name, and the checksum must be used. As long as the - checksum is present, it's still a secure exchange with the KDC. - - If we have to be able to do name canonicalization without any - sort of credentials, either client-side (tickets) or server-side - (tickets automatically acquired via service key), I think we just - lose. But maybe GSSAPI should be changed if that's the case. 
- - 2) Can't refer to another realm and specify a different service name - to give to that realm's KDC. The local KDC can tell you a - different service name or a different realm name, but not both. - This comes up in the "gnuftp.raeburn.org CNAME ftp.gnu.org" type - of case I've mentioned. - - Except ... the KDC-REP structure includes padata and ticket - extensions fields that are extensible. We could add a required - value to one of them -- perhaps only in the case where you return - a TGT when not asked -- that contains signed information about - the principal name to ask for in the other realm. (It would have - to be required, otherwise a man-in-the-middle could make it go - away.) Signing would be done using the session key for the TGS. - - 3) Secure canonicalization of service name in AS_REQ. If the - response is an AS_REP, we need a way to tell that the altered - server name wasn't a result of a MITM attack on the AS_REQ - message. Again, the KDC-REP extensible fields could have a new - required value added when name canonicalization happens, - indicating what the original principal name (in the AS_REQ - message) was, and signed using the same key as protects the - AS_REP. If it doesn't match what the client requested, the - messages were altered in transit. - - 4) Client name needs referral to another realm, and server name - needs canonicalization of some sort. The above fixes wouldn't - work for this case, and I'm not even sure which KDC should be - doing the canonicalization anyways. 
- - - The other-principal-name datum would probably look something like: - - -Swift Category - Standards Track 8 - - - - - - - - - KDC Referrals February 2001 - - - PrincipalAndNonce ::= SEQUENCE { - name[0] PrincipalName, - nonce[1] INTEGER -- copied from KDC_REQ - } - SignedPrincipal ::= SEQUENCE { - name-and-nonce[0] PrincipalAndNonce, - cksum[1] Checksum - } - {PA,TE}-ORIGINAL-SERVER-PRINCIPAL ::= SignedPrincipal - {PA,TE}-REMOTE-SERVER-PRINCIPAL ::= SignedPrincipal - - with the checksum computed over the encoding of the 'name-and-nonce' - field, and appropriate PA- or TE- numbers assigned. I don't have a - strong opinion on whether it'd be a pa-data or ticket extension; - conceptually it seems like an abuse of either, but, well, I think - I'd rather abuse them than leave the facility both in and - inadequate. - - The nonce is needed because multiple exchanges may be made with the - same key, and these extension fields aren't packed in with the other - encrypted data in the same response, so a MITM could pick apart - multiple messages and mix-and-match components. (In a TGS_REQ - exchange, a subsession key would help, but it's not required.) - - The extension field would be required to prevent a MITM from - discarding the field from a response; a flag bit in a protected part - of the message (probably in 'flags' in EncKDCRepPart) could also let - us know of a cases where the information can be omitted, namely, - when no name change is done. Perhaps the bit should be set to - indicate that a name change *was* done, and clear if it wasn't, - making the no-change case more directly compatible with RFC1510. - -11. References - - - 1 Bradner, S., "The Internet Standards Process -- Revision 3", BCP - 9, RFC 2026, October 1996. - - 2 Bradner, S., "Key words for use in RFCs to Indicate Requirement - Levels", BCP 14, RFC 2119, March 1997 - - 3 Kohl, J., Neuman, C., "The Kerberos Network Authentication - Service (V5)", RFC 1510, September 1993 - - -12. 
Author's Addresses - - Michael Swift - University of Washington - Seattle, Washington - Email: mikesw@cs.washington.edu - - John Brezak - -Swift Category - Standards Track 9 - - - - - - - - - KDC Referrals February 2001 - - - Microsoft - One Microsoft Way - Redmond, Washington - Email: jbrezak@Microsoft.com - - Jonathan Trostle - Cisco Systems - 170 W. Tasman Dr. - San Jose, CA 95134 - Email: jtrostle@cisco.com - - Kenneth Raeburn - Massachusetts Institute of Technology 77 - Massachusetts Avenue - Cambridge, Massachusetts 02139 - Email: raeburn@mit.edu - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Swift Category - Standards Track 10 - - - - - - - - - KDC Referrals February 2001 - - - Full Copyright Statement - - Copyright (C) The Internet Society (1999). All Rights Reserved. - - This document and translations of it may be copied and furnished to - others, and derivative works that comment on or otherwise explain it - or assist in its implementation may be prepared, copied, published - and distributed, in whole or in part, without restriction of any - kind, provided that the above copyright notice and this paragraph - are included on all such copies and derivative works. However, this - document itself may not be modified in any way, such as by removing - the copyright notice or references to the Internet Society or other - Internet organizations, except as needed for the purpose of - developing Internet standards in which case the procedures for - copyrights defined in the Internet Standards process must be - followed, or as required to translate it into languages other than - English. - - The limited permissions granted above are perpetual and will not be - revoked by the Internet Society or its successors or assigns. 
- - This document and the information contained herein is provided on an - "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING - TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING - BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION - HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF - MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE." - - - - - - - - - - - - - - - - - - - - - - - - - - - -Swift Category - Standards Track 11 - - - - - - - diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-krb-wg-krb-dns-locate-02.txt b/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-krb-wg-krb-dns-locate-02.txt deleted file mode 100644 index a6dec9d1e0..0000000000 --- a/crypto/heimdal-0.6.3/doc/standardisation/draft-ietf-krb-wg-krb-dns-locate-02.txt +++ /dev/null 
@@ -1,339 +0,0 @@ - - - - - - -INTERNET-DRAFT Ken Hornstein - NRL -February 28, 2001 Jeffrey Altman -Expires: August 28, 2001 Columbia University - - - - Distributing Kerberos KDC and Realm Information with DNS - - -Status of this Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC2026. - - Internet-Drafts are working documents of the Internet Engineering - Task Force (IETF), its areas, and its working groups. Note that - other groups may also distribute working documents as Internet- - Drafts. - - Internet-Drafts are draft documents valid for a maximum of six months - and may be updated, replaced, or obsoleted by other documents at any - time. It is inappropriate to use Internet- Drafts as reference - material or to cite them other than as "work in progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - - Distribution of this memo is unlimited. It is filed as , and expires on August 28, 2001. - Please send comments to the authors. - -Abstract - - Neither the Kerberos V5 protocol [RFC1510] nor the Kerberos V4 proto- - col [RFC????] describe any mechanism for clients to learn critical - configuration information necessary for proper operation of the pro- - tocol. Such information includes the location of Kerberos key dis- - tribution centers or a mapping between DNS domains and Kerberos - realms. - - Current Kerberos implementations generally store such configuration - information in a file on each client machine. Experience has shown - this method of storing configuration information presents problems - with out-of-date information and scaling problems, especially when - - - -Hornstein, Altman [Page 1] - -RFC DRAFT February 28, 2001 - - - using cross-realm authentication. 
- - This memo describes a method for using the Domain Name System - [RFC1035] for storing such configuration information. Specifically, - methods for storing KDC location and hostname/domain name to realm - mapping information are discussed. - -DNS vs. Kerberos - Case Sensitivity of Realm Names - - In Kerberos, realm names are case sensitive. While it is strongly - encouraged that all realm names be all upper case this recommendation - has not been adopted by all sites. Some sites use all lower case - names and other use mixed case. DNS on the other hand is case insen- - sitive for queries but is case preserving for responses to TXT - queries. Since "MYREALM", "myrealm", and "MyRealm" are all different - it is necessary that only one of the possible combinations of upper - and lower case characters be used. This restriction may be lifted in - the future as the DNS naming scheme is expanded to support non-ASCII - names. - -Overview - KDC location information - - KDC location information is to be stored using the DNS SRV RR [RFC - 2052]. The format of this RR is as follows: - - Service.Proto.Realm TTL Class SRV Priority Weight Port Target - - The Service name for Kerberos is always "_kerberos". - - The Proto can be either "_udp" or "_tcp". If these records are to be - used, a "_udp" record MUST be included. If the Kerberos implementa- - tion supports TCP transport, a "_tcp" record SHOULD be included. - - The Realm is the Kerberos realm that this record corresponds to. - - TTL, Class, SRV, Priority, Weight, and Target have the standard mean- - ing as defined in RFC 2052. - - As per RFC 2052 the Port number should be the value assigned to "ker- - beros" by the Internet Assigned Number Authority (88). - -Example - KDC location information - - These are DNS records for a Kerberos realm ASDF.COM. It has two Ker- - beros servers, kdc1.asdf.com and kdc2.asdf.com. Queries should be - directed to kdc1.asdf.com first as per the specified priority. 
- Weights are not used in these records. - - - - -Hornstein, Altman [Page 2] - -RFC DRAFT February 28, 2001 - - - _kerberos._udp.ASDF.COM. IN SRV 0 0 88 kdc1.asdf.com. - _kerberos._udp.ASDF.COM. IN SRV 1 0 88 kdc2.asdf.com. - -Overview - Kerberos password changing server location information - - Kerberos password changing server [KERB-CHG] location is to be stored - using the DNS SRV RR [RFC 2052]. The format of this RR is as fol- - lows: - - Service.Proto.Realm TTL Class SRV Priority Weight Port Target - - The Service name for the password server is always "_kpasswd". - - The Proto MUST be "_udp". - - The Realm is the Kerberos realm that this record corresponds to. - - TTL, Class, SRV, Priority, Weight, and Target have the standard mean- - ing as defined in RFC 2052. - - As per RFC 2052 the Port number should be the value assigned to - "kpasswd" by the Internet Assigned Number Authority (464). - -Overview - Kerberos admin server location information - - Kerberos admin location information is to be stored using the DNS SRV - RR [RFC 2052]. The format of this RR is as follows: - - Service.Proto.Realm TTL Class SRV Priority Weight Port Target - - The Service name for the admin server is always "_kerberos-adm". - - The Proto can be either "_udp" or "_tcp". If these records are to be - used, a "_tcp" record MUST be included. If the Kerberos admin imple- - mentation supports UDP transport, a "_udp" record SHOULD be included. - - The Realm is the Kerberos realm that this record corresponds to. - - TTL, Class, SRV, Priority, Weight, and Target have the standard mean- - ing as defined in RFC 2052. - - As per RFC 2052 the Port number should be the value assigned to - "kerberos-adm" by the Internet Assigned Number Authority (749). - - Note that there is no formal definition of a Kerberos admin protocol, - so the use of this record is optional and implementation-dependent. 
- - - - - -Hornstein, Altman [Page 3] - -RFC DRAFT February 28, 2001 - - -Example - Kerberos administrative server location information - - These are DNS records for a Kerberos realm ASDF.COM. It has one - administrative server, kdc1.asdf.com. - - _kerberos-adm._tcp.ASDF.COM. IN SRV 0 0 749 kdc1.asdf.com. - -Overview - Hostname/domain name to Kerberos realm mapping - - Information on the mapping of DNS hostnames and domain names to Ker- - beros realms is stored using DNS TXT records [RFC 1035]. These - records have the following format. - - Service.Name TTL Class TXT Realm - - The Service field is always "_kerberos", and prefixes all entries of - this type. - - The Name is a DNS hostname or domain name. This is explained in - greater detail below. - - TTL, Class, and TXT have the standard DNS meaning as defined in RFC - 1035. - - The Realm is the data for the TXT RR, and consists simply of the Ker- - beros realm that corresponds to the Name specified. - - When a Kerberos client wishes to utilize a host-specific service, it - will perform a DNS TXT query, using the hostname in the Name field of - the DNS query. If the record is not found, the first label of the - name is stripped and the query is retried. - - Compliant implementations MUST query the full hostname and the most - specific domain name (the hostname with the first label removed). - Compliant implementations SHOULD try stripping all subsequent labels - until a match is found or the Name field is empty. - -Example - Hostname/domain name to Kerberos realm mapping - - For the previously mentioned ASDF.COM realm and domain, some sample - records might be as follows: - - _kerberos.asdf.com. IN TXT "ASDF.COM" - _kerberos.mrkserver.asdf.com. IN TXT "MARKETING.ASDF.COM" - _kerberos.salesserver.asdf.com. IN TXT "SALES.ASDF.COM" - - Let us suppose that in this case, a Kerberos client wishes to use a - Kerberized service on the host foo.asdf.com. 
It would first query: - - - -Hornstein, Altman [Page 4] - -RFC DRAFT February 28, 2001 - - - _kerberos.foo.asdf.com. IN TXT - - Finding no match, it would then query: - - _kerberos.asdf.com. IN TXT - - And find an answer of ASDF.COM. This would be the realm that - foo.asdf.com resides in. - - If another Kerberos client wishes to use a Kerberized service on the - host salesserver.asdf.com, it would query: - - _kerberos.salesserver.asdf.com IN TXT - - And find an answer of SALES.ASDF.COM. - -Security considerations - - As DNS is deployed today, it is an unsecure service. Thus the infor- - mation returned by it cannot be trusted. - - Current practice for REALM to KDC mapping is to use hostnames to - indicate KDC hosts (stored in some implementation-dependent location, - but generally a local config file). These hostnames are vulnerable - to the standard set of DNS attacks (denial of service, spoofed - entries, etc). The design of the Kerberos protocol limits attacks of - this sort to denial of service. However, the use of SRV records does - not change this attack in any way. They have the same vulnerabili- - ties that already exist in the common practice of using hostnames for - KDC locations. - - Current practice for HOSTNAME to REALM mapping is to provide a local - configuration of mappings of hostname or domain name to realm which - are then mapped to KDCs. But this again is vulnerable to spoofing - via CNAME records that point to hosts in other domains. This has the - same effect as when a TXT record is spoofed. In a realm with no - cross-realm trusts this is a DoS attack. However, when cross-realm - trusts are used it is possible to redirect a client to use a comprom- - ised realm. - - This is not an exploit of the Kerberos protocol but of the Kerberos - trust model. The same can be done to any application that must - resolve the hostname in order to determine which domain a non-FQDN - belongs to. 
- - Implementations SHOULD provide a way of specifying this information - locally without the use of DNS. However, to make this feature - worthwhile a lack of any configuration information on a client should - - - -Hornstein, Altman [Page 5] - -RFC DRAFT February 28, 2001 - - - be interpretted as permission to use DNS. - -Expiration - - This Internet-Draft expires on August 28, 2001. - -References - - - [RFC1510] - The Kerberos Network Authentication System; Kohl, Newman; Sep- - tember 1993. - - [RFC1035] - Domain Names - Implementation and Specification; Mockapetris; - November 1987 - - [RFC2782] - A DNS RR for specifying the location of services (DNS SRV); Gul- - brandsen, Vixie; Feburary 2000 - - [KERB-CHG] - Kerberos Change Password Protocol; Horowitz; - ftp://ds.internic.net/internet-drafts/draft-ietf-cat-kerb-chg- - password-02.txt - -Authors' Addresses - - Ken Hornstein - US Naval Research Laboratory - Bldg A-49, Room 2 - 4555 Overlook Avenue - Washington DC 20375 USA - - Phone: +1 (202) 404-4765 - EMail: kenh@cmf.nrl.navy.mil - - Jeffrey Altman - The Kermit Project - Columbia University - 612 West 115th Street #716 - New York NY 10025-7799 USA - - Phone: +1 (212) 854-1344 - EMail: jaltman@columbia.edu - - - - - - -Hornstein, Altman [Page 6] - diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-raeburn-cat-gssapi-krb5-3des-00.txt b/crypto/heimdal-0.6.3/doc/standardisation/draft-raeburn-cat-gssapi-krb5-3des-00.txt deleted file mode 100644 index 24325fdbda..0000000000 --- a/crypto/heimdal-0.6.3/doc/standardisation/draft-raeburn-cat-gssapi-krb5-3des-00.txt +++ /dev/null 
@@ -1,281 +0,0 @@ -CAT Working Group K. Raeburn -Internet-draft MIT -Category: July 14, 2000 -Updates: RFC 1964 -Document: draft-raeburn-cat-gssapi-krb5-3des-00.txt - - Triple-DES Support for the Kerberos 5 GSSAPI Mechanism - -Status of this Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC2026 [RFC2026]. Internet-Drafts - are working documents of the Internet Engineering Task Force - (IETF), its areas, and its working groups. Note that other groups - may also distribute working documents as - Internet-Drafts. Internet-Drafts are draft documents valid for a - maximum of six months and may be updated, replaced, or obsoleted by - other documents at any time. It is inappropriate to use - Internet-Drafts as reference material or to cite them other than as - "work in progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - -1. Abstract - - The MIT Kerberos 5 release version 1.2 includes support for - triple-DES with key derivation [KrbRev]. Recent work by the EFF - [EFF] has demonstrated the vulnerability of single-DES mechanisms - to brute-force attacks by sufficiently motivated and well-funded - parties. - - The GSSAPI Kerberos 5 mechanism definition [GSSAPI-KRB5] - specifically enumerates encryption and checksum types, - independently of how such schemes may be used in Kerberos. In the - long run, a new Kerberos-based mechanism, which does not require - separately enumerating for the GSSAPI mechanism each of the - encryption types defined by Kerberos, appears to be a better - approach. Efforts to produce such a specification are under way. - - In the interest of providing increased security in the interim, - however, MIT is proposing adding support for triple-DES to the - existing mechanism, as described here. - -2. 
Conventions Used in this Document - - The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", - "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in - this document are to be interpreted as described in RFC 2119. - -3. New Algorithm Identifiers - - One new sealing algorithm is defined, for use in WRAP tokens: - - 02 00 - DES3-KD - - This algorithm uses triple-DES with key derivation, with a usage - value KG_USAGE_SEAL. Padding is still to 8-byte multiples, and the - IV for encrypting application data is zero. - - One new signing algorithm is defined, for use in MIC, Wrap, and - Delete tokens: - - 04 00 - HMAC SHA1 DES3-KD - - This algorithm generates an HMAC using SHA-1 and a derived DES3 key - with usage KG_USAGE_SIGN, as (ought to be described) in [KrbRev]. - - [XXX: The current [KrbRev] description refers to expired I-Ds from - Marc Horowitz. The text in [KrbRev] may be inadequate to produce - an interoperable implementation.] - - The checksum size for this algorithm is 20 octets. See section 5.3 - below for the use of checksum lengths of other than eight bytes. - -4. Key Derivation - - For purposes of key derivation, we add three new usage values to the - list defined in [KrbRev]; one for signing messages, one for - sealing messages, and one for encrypting sequence numbers: - - #define KG_USAGE_SEAL 22 - #define KG_USAGE_SIGN 23 - #define KG_USAGE_SEQ 24 - -5. Adjustments to Previous Definitions - -5.1. Quality of Protection - - The GSSAPI specification [GSSAPI] says that a zero QOP value - indicates the "default". The original specification for the - Kerberos 5 mechanism says that a zero QOP value (or a QOP value - with the appropriate bits clear) means DES encryption. - - Rather than continue to force the use of plain DES when the - application doesn't use mechanism-specific QOP values, the better - choice appears to be to redefine the DES QOP value as some non-zero - value, and define a triple-DES value as well. 
Then a zero value - continues to imply the default, which would be triple-DES - protection when given a triple-DES session key. - - Our values are: - - GSS_KRB5_INTEG_C_QOP_HMAC_SHA1 0x0004 - /* SHA-1 checksum encrypted with key derivation */ - - GSS_KRB5_CONF_C_QOP_DES 0x0100 - /* plain DES encryption */ - GSS_KRB5_CONF_C_QOP_DES3_KD 0x0200 - /* triple-DES with key derivation */ - - Rather than open the question of whether to specify means for - deriving a key of one type given a key of another type, and the - security implications of whether to generate a long key from a - shorter one, our implementation will simply return an error if the - QOP value specified does not correspond to the session key type. - - [Implementation note: MIT's code does not implement QoP, and - returns an error for any non-zero QoP value.] - -5.2. MIC Sequence Number Encryption - - The sequence numbers are encrypted in the context key (as defined - in [GSSAPI-KRB5] -- this will be either the Kerberos session key or - asubkey provided by the context initiator), using whatever - encryption system is designated by the type of that context key. - The IV is formed from the first N bytes of the SGN_CKSUM field, - where N is the number of bytes needed for the IV. (With all - algorithms described here and in [GSSAPI-KRB5], the checksum is at - least as large as the IV.) - -5.3. Message Layout - - Both MIC and Wrap tokens, as defined in [GSSAPI-KRB5], contain an - checksum field SGN_CKSUM. In [GSSAPI-KRB5], this field was - specified as being 8 bytes long. We now change this size to be - "defined by the checksum algorithm", and retroactively amend the - descriptions of all the checksum algorithms described in - [GSSAPI-KRB5] to explicitly specify 8-byte output. Application - data continues to immediately follow the checksum field in the Wrap - token. - - The revised message descriptions are thus: - - MIC: - - Byte no Name Description - 0..1 TOK_ID Identification field. 
- 2..3 SGN_ALG Integrity algorithm indicator. - 4..7 Filler Contains ff ff ff ff - 8..15 SND_SEQ Sequence number field. - 16..s+15 SGN_CKSUM Checksum of "to-be-signed data", - calculated according to algorithm - specified in SGN_ALG field. - - Wrap: - - Byte no Name Description - 0..1 TOK_ID Identification field. - Tokens emitted by GSS_Wrap() contain - the hex value 02 01 in this field. - 2..3 SGN_ALG Checksum algorithm indicator. - 4..5 SEAL_ALG Sealing algorithm indicator. - 6..7 Filler Contains ff ff - 8..15 SND_SEQ Encrypted sequence number field. - 16..s+15 SGN_CKSUM Checksum of plaintext padded data, - calculated according to algorithm - specified in SGN_ALG field. - s+16..last Data encrypted or plaintext padded data - - Where "s" indicates the size of the checksum. - - As indicated above in section 2, we define the HMAC SHA1 DES3-KD - checksum algorithm to produce a 20-byte output, so encrypted data - begins at byte 36. - -6. Backwards Compatibility Considerations - - The context initiator SHOULD request of the KDC credentials using - session-key cryptosystem types supported by that implementation; if - the only types returned by the KDC are not supported by the - mechanism implementation, it MUST indicate a failure. This may - seem obvious, but early implementations of both Kerberos and the - GSSAPI Kerberos mechanism supported only DES keys, so the - cryptosystem compatibility question was easy to overlook. - - Under the current mechanism, no negotiation of algorithm types - occurs, so server-side (acceptor) implementations cannot request - that clients not use algorithm types not understood by the server. - However, administration of the server's Kerberos data has to be - done in communication with the KDC, and it is from the KDC that the - client will request credentials. The KDC could therefore be tasked - with limiting session keys for a given service to types actually - supported by the Kerberos and GSSAPI software on the server. 
- - This does have a drawback for cases where a service principal name - is used both for GSSAPI-based and non-GSSAPI-based communication, - if the GSSAPI implementation does not understand triple-DES but the - Kerberos implementation does. It means that triple-DES session - keys cannot be issued for that service principal, which keeps the - protection of non-GSSAPI services weaker than necessary. However, - in the most recent MIT releases thus far, while triple-DES support - has been present, it has required additional work to enable, so it - is not likely to be in use for many services. - - It would also be possible to have clients attempt to get single-DES - session keys before trying to get triple-DES session keys, and have - the KDC refuse to issue the single-DES keys only for the most - critical of services, for which single-DES protection is considered - inadequate. However, that would eliminate the possibility of - connecting with the more secure cryptosystem to any service that - can be accessed with the weaker cryptosystem. - - We have chosen to go with the former approach, putting the burden - on the KDC administration and gaining the best protection possible - for GSSAPI services, possibly at the cost of protection of - non-GSSAPI Kerberos services running earlier versions of the - software. - -6. Security Considerations - - Various tradeoffs arise regarding the mixing of new and old - software, or GSSAPI-based and non-GSSAPI Kerberos authentication. - They are discussed in section 5. - -7. References - - [EFF] Electronic Frontier Foundation, "Cracking DES: Secrets of - Encryption Research, Wiretap Politics, and Chip Design", O'Reilly & - Associates, Inc., May, 1998. - - [GSSAPI] Linn, J., "Generic Security Service Application Program - Interface Version 2, Update 1", RFC 2743, January, 2000. - - [GSSAPI-KRB5] Linn, J., "The Kerberos Version 5 GSS-API Mechanism", - RFC 1964, June, 1996. 
- - [KrbRev] Neuman, C., Kohl, J., Ts'o, T., "The Kerberos Network - Authentication Service (V5)", - draft-ietf-cat-kerberos-revisions-05.txt, March 10, 2000. - - [RFC2026] Bradner, S., "The Internet Standards Process -- Revision - 3", RFC 2026, October, 1996. - -8. Author's Address - - Kenneth Raeburn - Massachusetts Institute of Technology - 77 Massachusetts Avenue - Cambridge, MA 02139 - -9. Full Copyright Statement - - Copyright (C) The Internet Society (2000). All Rights Reserved. - - This document and translations of it may be copied and furnished to - others, and derivative works that comment on or otherwise explain it - or assist in its implementation may be prepared, copied, published - and distributed, in whole or in part, without restriction of any - kind, provided that the above copyright notice and this paragraph - are included on all such copies and derivative works. However, this - document itself may not be modified in any way, such as by removing - the copyright notice or references to the Internet Society or other - Internet organizations, except as needed for the purpose of - developing Internet standards in which case the procedures for - copyrights defined in the Internet Standards process must be - followed, or as required to translate it into languages other than - English. - - The limited permissions granted above are perpetual and will not be - revoked by the Internet Society or its successors or assigns. - - This document and the information contained herein is provided on an - "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING - TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING - BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION - HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF - MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE." 
diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-raeburn-krb-gssapi-krb5-3des-01.txt b/crypto/heimdal-0.6.3/doc/standardisation/draft-raeburn-krb-gssapi-krb5-3des-01.txt
deleted file mode 100644
index 64ca1ac498..0000000000
--- a/crypto/heimdal-0.6.3/doc/standardisation/draft-raeburn-krb-gssapi-krb5-3des-01.txt
+++ /dev/null
@@ -1,395 +0,0 @@ - - - - - - -Kerberos Working Group K. Raeburn -Category: Informational MIT -Document: draft-raeburn-krb-gssapi-krb5-3des-01.txt November 24, 2000 - - - Triple-DES Support for the Kerberos 5 GSSAPI Mechanism - -Status of this Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC2026 [1]. Internet-Drafts are - working documents of the Internet Engineering Task Force (IETF), its - areas, and its working groups. Note that other groups may also - distribute working documents as Internet-Drafts. Internet-Drafts are - draft documents valid for a maximum of six months and may be updated, - replaced, or obsoleted by other documents at any time. It is - inappropriate to use Internet-Drafts as reference material or to cite - them other than as "work in progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - -1. Abstract - - The GSSAPI Kerberos 5 mechanism definition [GSSAPI-KRB5] specifically - enumerates encryption and checksum types, independently of how such - schemes may be used in Kerberos. In the long run, a new Kerberos- - based mechanism, which does not require separately enumerating for - the GSSAPI mechanism each of the various encryption types defined by - Kerberos, is probably a better approach. Various people have - expressed interest in designing one, but the work has not yet been - completed. - - The MIT Kerberos 5 release version 1.2 includes support for triple- - DES with key derivation [KrbRev]. Recent work by the EFF [EFF] has - demonstrated the vulnerability of single-DES mechanisms to brute- - force attacks by sufficiently motivated and well-funded parties. 
So, - in the interest of providing increased security in the near term, MIT - is adding support for triple-DES to the existing mechanism - implementation we ship, as an interim measure. - - - - - - - - -Raeburn [Page 1] - -INTERNET DRAFT Triple-DES for GSSAPI Kerberos November 2000 - - -2. New Algorithm Identifiers - - One new sealing algorithm is defined, for use in Wrap tokens. - - - +--------------------------------------------------------------------+ - | name octet values | - +--------------------------------------------------------------------+ - | DES3-KD 02 00 | - +--------------------------------------------------------------------+ - - This algorithm uses triple-DES with key derivation, with a usage - value KG_USAGE_SEAL. (Unlike the EncryptedData definition in - [KrbRev], no integrity protection is needed, so this is "raw" triple- - DES, with no checksum attached to the encrypted data.) Padding is - still to 8-byte multiples, and the IV for encrypting application data - is zero. - - One new signing algorithm is defined, for use in MIC, Wrap, and - Delete tokens. - - - +--------------------------------------------------------------------+ - | name octet values | - +--------------------------------------------------------------------+ - | HMAC SHA1 DES3-KD 04 00 | - +--------------------------------------------------------------------+ - - This algorithm generates an HMAC using SHA-1 and a derived DES3 key - with usage KG_USAGE_SIGN, as described in [KrbRev]. - - [N.B.: The current [KrbRev] description refers to expired I-Ds from - Marc Horowitz. The text in [KrbRev] may be inadequate to produce an - interoperable implementation.] - - The checksum size for this algorithm is 20 octets. See section 4.3 - below for the use of checksum lengths of other than eight bytes. - - - - - - - - - - - - - - -Raeburn [Page 2] - -INTERNET DRAFT Triple-DES for GSSAPI Kerberos November 2000 - - -3. 
Key Derivation - - For purposes of key derivation, we add three new usage values to the - list defined in [KrbRev]; one for signing messages, one for sealing - messages, and one for encrypting sequence numbers: - - - +--------------------------------------------------------------------+ - | name value | - +--------------------------------------------------------------------+ - | KG_USAGE_SEAL 22 | - | KG_USAGE_SIGN 23 | - | KG_USAGE_SEQ 24 | - +--------------------------------------------------------------------+ - -4. Adjustments to Previous Definitions - -4.1. Quality of Protection - - The GSSAPI specification [GSSAPI] says that a zero QOP value - indicates the "default". The original specification for the Kerberos - 5 mechanism says that a zero QOP value (or a QOP value with the - appropriate bits clear) means DES encryption. - - Rather than forcing the use of plain DES when the application doesn't - use mechanism-specific QOP values, we redefine the explicit DES QOP - value as a non-zero value, and define a triple-DES value as well. - Then a zero value continues to imply the default, which would be - triple-DES protection when given a triple-DES session key. 
- - Our values are: - - +--------------------------------------------------------------------+ - | name value meaning | - +--------------------------------------------------------------------+ - | GSS_KRB5_INTEG_C_QOP_HMAC_SHA1 0x0004 SHA-1 HMAC, using | - | key derivation | - | | - | GSS_KRB5_CONF_C_QOP_DES 0x0100 plain DES encryption | - | | - | GSS_KRB5_CONF_C_QOP_DES3_KD 0x0200 triple-DES with key | - | derivation | - +--------------------------------------------------------------------+ - - Rather than attempt to specify a generic mechanism for deriving a key - of one type given a key of another type, and evaluate the security - implications of using a short key to generate a longer key to satisfy - the requested quality of protection, our implementation will simply - - - -Raeburn [Page 3] - -INTERNET DRAFT Triple-DES for GSSAPI Kerberos November 2000 - - - return an error if the nonzero QOP value specified does not - correspond to the session key type. - -4.2. MIC Sequence Number Encryption - - The sequence numbers are encrypted in the context key (as defined in - [GSSAPI-KRB5] -- this will be either the Kerberos session key or - asubkey provided by the context initiator), using whatever encryption - system is designated by the type of that context key. The IV is - formed from the first N bytes of the SGN_CKSUM field, where N is the - number of bytes needed for the IV. (With all algorithms described - here and in [GSSAPI-KRB5], the checksum is at least as large as the - IV.) - -4.3. Message Layout - - Both MIC and Wrap tokens, as defined in [GSSAPI-KRB5], contain an - checksum field SGN_CKSUM. In [GSSAPI-KRB5], this field was specified - as being 8 bytes long. We now change this size to be "defined by the - checksum algorithm", and retroactively amend the descriptions of all - the checksum algorithms described in [GSSAPI-KRB5] to explicitly - specify 8-byte output. Application data continues to immediately - follow the checksum field in the Wrap token. 
- - The revised message descriptions are thus: - - MIC token: - - Byte # Name Description - ---------------------------------------------------------------------- - 0..1 TOK_ID Identification field. - 2..3 SGN_ALG Integrity algorithm indicator. - 4..7 Filler Contains ff ff ff ff - 8..15 SND_SEQ Sequence number field. - 16..s+15 SGN_CKSUM Checksum of "to-be-signed - data", calculated according to - algorithm specified in SGN_ALG - field. - - - - - - - - - - - - - -Raeburn [Page 4] - -INTERNET DRAFT Triple-DES for GSSAPI Kerberos November 2000 - - - Wrap token: - - Byte # Name Description - ---------------------------------------------------------------------- - 0..1 TOK_ID Identification field. Tokens - emitted by GSS_Wrap() contain the - hex value 02 01 in this field. - 2..3 SGN_ALG Checksum algorithm indicator. - 4..5 SEAL_ALG Sealing algorithm indicator. - 6..7 Filler Contains ff ff - 8..15 SND_SEQ Encrypted sequence number field. - 16..s+15 SGN_CKSUM Checksum of plaintext padded data, - calculated according to algorithm - specified in SGN_ALG field. - s+16..last Data encrypted or plaintext padded data - - - Where "s" indicates the size of the checksum. - - As indicated above in section 2, we define the HMAC SHA1 DES3-KD - checksum algorithm to produce a 20-byte output, so encrypted data - begins at byte 36. - -5. Backwards Compatibility Considerations - - The context initiator should request of the KDC credentials using - session-key cryptosystem types supported by that implementation; if - the only types returned by the KDC are not supported by the mechanism - implementation, it should indicate a failure. This may seem obvious, - but early implementations of both Kerberos and the GSSAPI Kerberos - mechanism supported only DES keys, so the cryptosystem compatibility - question was easy to overlook. 
- - Under the current mechanism, no negotiation of algorithm types - occurs, so server-side (acceptor) implementations cannot request that - clients not use algorithm types not understood by the server. - However, administration of the server's Kerberos data (e.g., the - service key) has to be done in communication with the KDC, and it is - from the KDC that the client will request credentials. The KDC could - therefore be tasked with limiting session keys for a given service to - types actually supported by the Kerberos and GSSAPI software on the - server. - - This does have a drawback for cases where a service principal name is - used both for GSSAPI-based and non-GSSAPI-based communication (most - notably the "host" service key), if the GSSAPI implementation does - not understand triple-DES but the Kerberos implementation does. It - means that triple-DES session keys cannot be issued for that service - - - -Raeburn [Page 5] - -INTERNET DRAFT Triple-DES for GSSAPI Kerberos November 2000 - - - principal, which keeps the protection of non-GSSAPI services weaker - than necessary. - - It would also be possible to have clients attempt to get single-DES - session keys before trying to get triple-DES session keys, and have - the KDC refuse to issue the single-DES keys only for the most - critical of services, for which single-DES protection is considered - inadequate. However, that would eliminate the possibility of - connecting with the more secure cryptosystem to any service that can - be accessed with the weaker cryptosystem. - - For MIT's 1.2 release, we chose to go with the former approach, - putting the burden on the KDC administration and gaining the best - protection possible for GSSAPI services, possibly at the cost of - weaker protection of non-GSSAPI Kerberos services running earlier - versions of the software. - -6. 
Security Considerations - - Various tradeoffs arise regarding the mixing of new and old software, - or GSSAPI-based and non-GSSAPI Kerberos authentication. They are - discussed in section 5. - -7. References - - [EFF] Electronic Frontier Foundation, "Cracking DES: Secrets of - Encryption Research, Wiretap Politics, and Chip Design", O'Reilly & - Associates, Inc., May, 1998. - - [GSSAPI] Linn, J., "Generic Security Service Application Program - Interface Version 2, Update 1", RFC 2743, January, 2000. - - [GSSAPI-KRB5] Linn, J., "The Kerberos Version 5 GSS-API Mechanism", - RFC 1964, June, 1996. - - [KrbRev] Neuman, C., Kohl, J., Ts'o, T., "The Kerberos Network - Authentication Service (V5)", draft-ietf-cat-kerberos- - revisions-06.txt, July 4, 2000. - -8. Author's Address - - Kenneth Raeburn Massachusetts Institute of Technology 77 - Massachusetts Avenue Cambridge, MA 02139 - -9. Full Copyright Statement - - Copyright (C) The Internet Society (2000). All Rights Reserved. - - - - -Raeburn [Page 6] - -INTERNET DRAFT Triple-DES for GSSAPI Kerberos November 2000 - - - This document and translations of it may be copied and furnished to - others, and derivative works that comment on or otherwise explain it - or assist in its implementation may be prepared, copied, published - and distributed, in whole or in part, without restriction of any - kind, provided that the above copyright notice and this paragraph are - included on all such copies and derivative works. However, this - document itself may not be modified in any way, such as by removing - the copyright notice or references to the Internet Society or other - Internet organizations, except as needed for the purpose of - developing Internet standards in which case the procedures for - copyrights defined in the Internet Standards process must be - followed, or as required to translate it into languages other than - English. 
- - The limited permissions granted above are perpetual and will not be - revoked by the Internet Society or its successors or assigns. - - This document and the information contained herein is provided on an - "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING - TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING - BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION - HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF - MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE." - -10. Document Change History - ->From -00 to -01: - - Converted master to GNU troff and tbl, rewriting tables in the - process. - - Specify informational category only. Modify some text to emphasize - that this document intends to describe MIT's extensions. - - Point out that while EncryptedData for 3des-kd includes a checksum, - DES3-KD GSS encryption does not. - - Shorten backwards-compatibility descriptions a little. - - Submit to Kerberos working group rather than CAT. - - - - - - - - - - - -Raeburn [Page 7] - diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-raeburn-krb-rijndael-krb-02.txt b/crypto/heimdal-0.6.3/doc/standardisation/draft-raeburn-krb-rijndael-krb-02.txt deleted file mode 100644 index 6b9989f871..0000000000 --- a/crypto/heimdal-0.6.3/doc/standardisation/draft-raeburn-krb-rijndael-krb-02.txt +++ /dev/null 
@@ -1,618 +0,0 @@ - - - - - - - - - -Kerberos Working Group K. Raeburn -Document: draft-raeburn-krb-rijndael-krb-02.txt MIT - November 1, 2002 - expires May 1, 2003 - - AES Encryption for Kerberos 5 - -Abstract - - Recently the US National Institute of Standards and Technology chose - a new Advanced Encryption Standard [AES], which is significantly - faster and (it is believed) more secure than the old DES algorithm. - This document is a specification for the addition of this algorithm - to the Kerberos cryptosystem suite [KCRYPTO]. - - Comments should be sent to the author, or to the IETF Kerberos - working group (ietf-krb-wg@anl.gov). - -Status of this Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC2026 [RFC2026]. Internet-Drafts - are working documents of the Internet Engineering Task Force (IETF), - its areas, and its working groups. Note that other groups may also - distribute working documents as Internet-Drafts. Internet-Drafts are - draft documents valid for a maximum of six months and may be updated, - replaced, or obsoleted by other documents at any time. It is - inappropriate to use Internet-Drafts as reference material or to cite - them other than as "work in progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - -1. Introduction - - This document defines encryption key and checksum types for Kerberos - 5 using the AES algorithm recently chosen by NIST. These new types - support 128-bit block encryption, and key sizes of 128 or 256 bits. - - Using the "simplified profile" of [KCRYPTO], we can define a pair of - encryption and checksum schemes. AES is used with cipher text - stealing to avoid message expansion, and SHA-1 [SHA1] is the - - - -Raeburn [Page 1] - -INTERNET DRAFT November 2002 - - - associated checksum function. 
- -2. Conventions Used in this Document - - The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", - "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this - document are to be interpreted as described in RFC 2119. - -3. Protocol Key Representation - - The profile in [KCRYPTO] treats keys and random octet strings as - conceptually different. But since the AES key space is dense, we can - use any bit string as a key. We use the byte representation for the - key described in [AES], where the first bit of the bit string is the - high bit of the first byte of the byte string (octet string) - representation. - -4. Key Generation From Pass Phrases or Random Data - - Given the above format for keys, we can generate keys from the - appropriate amounts of random data (128 or 256 bits) by simply - copying the input string. - - To generate an encryption key from a pass phrase and salt string, we - use the PBKDF2 function from PKCS #5 v2.0 ([PKCS5]), with parameters - indicated below, to generate an intermediate key (of the same length - as the desired final key), which is then passed into the DK function - with the 8-octet ASCII string "kerberos" as is done for des3-cbc- - hmac-sha1-kd in [KCRYPTO]. (In [KCRYPTO] terms, the PBKDF2 function - produces a "random octet string", hence the application of the - random-to-key function even though it's effectively a simple identity - operation.) The resulting key is the user's long-term key for use - with the encryption algorithm in question. - - tkey = random2key(PBKDF2(passphrase, salt, iter_count, keylength)) - key = DK(tkey, "kerberos") - - The pseudorandom function used by PBKDF2 will be a SHA-1 HMAC of the - passphrase and salt, as described in Appendix B.1 to PKCS#5. - - The number of iterations is specified by the string-to-key parameters - supplied. The parameter string is four octets indicating an unsigned - number in big-endian order. This is the number of iterations to be - performed. 
If the value is 00 00 00 00, the number of iterations to - be performed is 4294967296 (2**32). (Thus the minimum expressable - iteration count is 1.) - - For environments where slower hardware is the norm, implementations - - - -Raeburn [Page 2] - -INTERNET DRAFT November 2002 - - - may wish to limit the number of iterations to prevent a spoofed - response from consuming lots of client-side CPU time; it is - recommended that this bound be no less than 50000. Even for - environments with fast hardware, 4 billion iterations is likely to - take a fairly long time; much larger bounds might still be enforced, - and it might be wise for implementations to permit interruption of - this operation by the user if the environment allows for it. - - If the string-to-key parameters are not supplied, the default value - to be used is 00 00 b0 00 (decimal 45056, indicating 45056 - iterations, which takes slightly under 1 second on a 300MHz Pentium - II in tests run by the author). - - Sample test vectors are given in the appendix. - -5. Cipher Text Stealing - - Cipher block chaining is used to encrypt messages. Unlike previous - Kerberos cryptosystems, we use cipher text stealing to handle the - possibly partial final block of the message. - - Cipher text stealing is described on pages 195-196 of [AC], and - section 8 of [RC5]; it has the advantage that no message expansion is - done during encryption of messages of arbitrary sizes as is typically - done in CBC mode with padding. - - Cipher text stealing, as defined in [RC5], assumes that more than one - block of plain text is available. Since a one-block confounder is - added in the simplified profile of [KCRYPTO], and [KCRYPTO] requires - that the message to be encrypted cannot be empty, the minimum length - to be encrypted is one block plus one byte. Thus we do not need to - do anything special to meet this constraint. 
- - For consistency, cipher text stealing is always used for the last two - blocks of the data to be encrypted, as in [RC5]. If the data length - is a multiple of the block size, this is equivalent to plain CBC mode - with the last two cipher text blocks swapped. - - A test vector is given in the appendix. - -6. Kerberos Algorithm Profile Parameters - - This is a summary of the parameters to be used with the simplified - algorithm profile described in [KCRYPTO]: - - - - - - - -Raeburn [Page 3] - -INTERNET DRAFT November 2002 - - - +--------------------------------------------------------------------+ - | protocol key format 128- or 256-bit string | - | | - | string-to-key function PBKDF2+DK with variable | - | iteration count (see | - | above) | - | | - | default string-to-key parameters 00 09 | - | | - | key-generation seed length key size | - | | - | random-to-key function identity function | - | | - | hash function, H SHA-1 | - | | - | HMAC output size, h 12 octets (96 bits) | - | | - | confounder size, c 16 octets | - | | - | message block size, m 1 octet | - | | - | encryption/decryption functions, AES in CBC-CTS mode with | - | E and D zero ivec | - +--------------------------------------------------------------------+ - - Using this profile with each key size gives us two each of encryption - and checksum algorithm definitions. - -7. 
Assigned Numbers - - The following encryption type numbers are assigned: - - +--------------------------------------------------------------------+ - | encryption types | - +--------------------------------------------------------------------+ - | type name etype value key size | - +--------------------------------------------------------------------+ - | aes128-cts-hmac-sha1-96 17 128 | - | aes256-cts-hmac-sha1-96 18 256 | - +--------------------------------------------------------------------+ - - The following checksum type numbers are assigned: - - - - - - - - - -Raeburn [Page 4] - -INTERNET DRAFT November 2002 - - - +--------------------------------------------------------------------+ - | checksum types | - +--------------------------------------------------------------------+ - | type name sumtype value length | - +--------------------------------------------------------------------+ - | hmac-sha1-96-aes128 10 96 | - | hmac-sha1-96-aes256 11 96 | - +--------------------------------------------------------------------+ - - These checksum types will be used with the corresponding encryption - types defined above. - -8. Recommendations - - Both new cryptosystems are RECOMMENDED. They should be more secure - than DES cryptosystems, and much faster than triple-DES. - -9. Security Considerations - - This new algorithm has not been around long enough to receive the - decades of intense analysis that DES has received. It is possible - that some weakness exists that has not been found by the - cryptographers analyzing these algorithms before and during the AES - selection process. - - The use of the HMAC function has drawbacks for certain pass phrase - lengths. For example, a pass phrase longer than the hash function - block size (64 bytes, for SHA-1) is hashed to a smaller size (20 - bytes) before applying the main HMAC algorithm. 
However, entropy is - generally sparse in pass phrases, especially in long ones, so this - may not be a problem in the rare cases of users with long pass - phrases. - - Also, generating a 256-bit key from a pass phrase of any length may - be deceptive, since the effective entropy in pass-phrase-derived key - cannot be nearly that large. - - The iteration count in PBKDF2 appears to be useful primarily as a - constant multiplier for the amount of work required for an attacker - using brute-force methods. Unfortunately, it also multiplies, by the - same amount, the work needed by a legitimate user with a valid - password. Thus the work factor imposed on an attacker (who may have - many powerful workstations at his disposal) must be balanced against - the work factor imposed on the legitimate user (who may have a PDA or - cell phone); the available computing power on either side increases - as time goes on, as well. A better way to deal with the brute-force - attack is through preauthentication mechanisms that provide better - protection of, the user's long-term key. Use of such mechanisms is - - - -Raeburn [Page 5] - -INTERNET DRAFT November 2002 - - - out of scope for this document. - - Any benefit against other attacks specific to the HMAC or SHA-1 - algorithms is probably achieved with a fairly small number of - iterations. - - Cipher text stealing mode, since it requires no additional padding, - will reveal the exact length of each message being encrypted, rather - than merely bounding it to a small range of possible lengths as in - CBC mode. Such obfuscation should not be relied upon at higher - levels in any case; if the length must be obscured from an outside - observer, it should be done by intentionally varying the length of - the message to be encrypted. - - The author is not a cryptographer. Caveat emptor. - -10. IANA Considerations - - None. - -11. 
Acknowledgements - - Thanks to John Brezak, Gerardo Diaz Cuellar and Marcus Watts for - feedback on earlier versions of this document. - -12. Normative References - - [AC] Schneier, B., "Applied Cryptography", second edition, John Wiley - and Sons, New York, 1996. - - [AES] National Institute of Standards and Technology, U.S. Department - of Commerce, "Advanced Encryption Standard", Federal Information - Processing Standards Publication 197, Washington, DC, November 2001. - - [KCRYPTO] Raeburn, K., "Encryption and Checksum Specifications for - Kerberos 5", draft-ietf-krb-wg-crypto-01.txt, May, 2002. Work in - progress. - - [PKCS5] Kaliski, B., "PKCS #5: Password-Based Cryptography - Specification Version 2.0", RFC 2898, September 2000. - - [RC5] Baldwin, R, and R. Rivest, "The RC5, RC5-CBC, RC5-CBC-Pad, and - RC5-CTS Algorithms", RFC 2040, October 1996. - - [RFC2026] Bradner, S., "The Internet Standards Process -- Revision - 3", RFC 2026, October 1996. - - [SHA1] National Institute of Standards and Technology, U.S. - - - -Raeburn [Page 6] - -INTERNET DRAFT November 2002 - - - Department of Commerce, "Secure Hash Standard", Federal Information - Processing Standards Publication 180-1, Washington, DC, April 1995. - -13. Informative References - - [PECMS] Gutmann, P., "Password-based Encryption for CMS", RFC 3211, - December 2001. - -14. Author's Address - - Kenneth Raeburn - Massachusetts Institute of Technology - 77 Massachusetts Avenue - Cambridge, MA 02139 - raeburn@mit.edu - -15. Full Copyright Statement - - Copyright (C) The Internet Society (2002). All Rights Reserved. 
- - This document and translations of it may be copied and furnished to - others, and derivative works that comment on or otherwise explain it - or assist in its implementation may be prepared, copied, published - and distributed, in whole or in part, without restriction of any - kind, provided that the above copyright notice and this paragraph are - included on all such copies and derivative works. However, this - document itself may not be modified in any way, such as by removing - the copyright notice or references to the Internet Society or other - Internet organizations, except as needed for the purpose of - developing Internet standards in which case the procedures for - copyrights defined in the Internet Standards process must be - followed, or as required to translate it into languages other than - English. - - The limited permissions granted above are perpetual and will not be - revoked by the Internet Society or its successors or assigns. - - This document and the information contained herein is provided on an - "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING - TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING - BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION - HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF - MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE." - -A. Sample test vectors - - Sample values for the string-to-key function are included below. 
- - - - -Raeburn [Page 7] - -INTERNET DRAFT November 2002 - - - Iteration count = 1 - Pass phrase = "password" - Salt = "ATHENA.MIT.EDUraeburn" - 128-bit PBKDF2 output: - cd ed b5 28 1b b2 f8 01 56 5a 11 22 b2 56 35 15 - 128-bit AES key: - 42 26 3c 6e 89 f4 fc 28 b8 df 68 ee 09 79 9f 15 - 256-bit PBKDF2 output: - cd ed b5 28 1b b2 f8 01 56 5a 11 22 b2 56 35 15 - 0a d1 f7 a0 4b b9 f3 a3 33 ec c0 e2 e1 f7 08 37 - 256-bit AES key: - fe 69 7b 52 bc 0d 3c e1 44 32 ba 03 6a 92 e6 5b - bb 52 28 09 90 a2 fa 27 88 39 98 d7 2a f3 01 61 - - Iteration count = 2 - Pass phrase = "password" - Salt="ATHENA.MIT.EDUraeburn" - 128-bit PBKDF2 output: - 01 db ee 7f 4a 9e 24 3e 98 8b 62 c7 3c da 93 5d - 128-bit AES key: - c6 51 bf 29 e2 30 0a c2 7f a4 69 d6 93 bd da 13 - 256-bit PBKDF2 output: - 01 db ee 7f 4a 9e 24 3e 98 8b 62 c7 3c da 93 5d - a0 53 78 b9 32 44 ec 8f 48 a9 9e 61 ad 79 9d 86 - 256-bit AES key: - a2 e1 6d 16 b3 60 69 c1 35 d5 e9 d2 e2 5f 89 61 - 02 68 56 18 b9 59 14 b4 67 c6 76 22 22 58 24 ff - - Iteration count = 1200 - Pass phrase = "password" - Salt = "ATHENA.MIT.EDUraeburn" - 128-bit PBKDF2 output: - 5c 08 eb 61 fd f7 1e 4e 4e c3 cf 6b a1 f5 51 2b - 128-bit AES key: - 4c 01 cd 46 d6 32 d0 1e 6d be 23 0a 01 ed 64 2a - 256-bit PBKDF2 output: - 5c 08 eb 61 fd f7 1e 4e 4e c3 cf 6b a1 f5 51 2b - a7 e5 2d db c5 e5 14 2f 70 8a 31 e2 e6 2b 1e 13 - 256-bit AES key: - 55 a6 ac 74 0a d1 7b 48 46 94 10 51 e1 e8 b0 a7 - 54 8d 93 b0 ab 30 a8 bc 3f f1 62 80 38 2b 8c 2a - - - - - - - - - - -Raeburn [Page 8] - -INTERNET DRAFT November 2002 - - - Iteration count = 5 - Pass phrase = "password" - Salt=0x1234567878563412 - 128-bit PBKDF2 output: - d1 da a7 86 15 f2 87 e6 a1 c8 b1 20 d7 06 2a 49 - 128-bit AES key: - e9 b2 3d 52 27 37 47 dd 5c 35 cb 55 be 61 9d 8e - 256-bit PBKDF2 output: - d1 da a7 86 15 f2 87 e6 a1 c8 b1 20 d7 06 2a 49 - 3f 98 d2 03 e6 be 49 a6 ad f4 fa 57 4b 6e 64 ee - 256-bit AES key: - 97 a4 e7 86 be 20 d8 1a 38 2d 5e bc 96 d5 90 9c - ab cd ad c8 7c a4 8f 57 45 04 15 
9f 16 c3 6e 31 - (This test is based on values given in [PECMS].) - - Iteration count = 1200 - Pass phrase = (64 characters) - "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" - Salt="pass phrase equals block size" - 128-bit PBKDF2 output: - 13 9c 30 c0 96 6b c3 2b a5 5f db f2 12 53 0a c9 - 128-bit AES key: - 59 d1 bb 78 9a 82 8b 1a a5 4e f9 c2 88 3f 69 ed - 256-bit PBKDF2 output: - 13 9c 30 c0 96 6b c3 2b a5 5f db f2 12 53 0a c9 - c5 ec 59 f1 a4 52 f5 cc 9a d9 40 fe a0 59 8e d1 - 256-bit AES key: - 89 ad ee 36 08 db 8b c7 1f 1b fb fe 45 94 86 b0 - 56 18 b7 0c ba e2 20 92 53 4e 56 c5 53 ba 4b 34 - - Iteration count = 1200 - Pass phrase = (65 characters) - "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" - Salt = "pass phrase exceeds block size" - 128-bit PBKDF2 output: - 9c ca d6 d4 68 77 0c d5 1b 10 e6 a6 87 21 be 61 - 128-bit AES key: - cb 80 05 dc 5f 90 17 9a 7f 02 10 4c 00 18 75 1d - 256-bit PBKDF2 output: - 9c ca d6 d4 68 77 0c d5 1b 10 e6 a6 87 21 be 61 - 1a 8b 4d 28 26 01 db 3b 36 be 92 46 91 5e c8 2a - 256-bit AES key: - d7 8c 5c 9c b8 72 a8 c9 da d4 69 7f 0b b5 b2 d2 - 14 96 c8 2b eb 2c ae da 21 12 fc ee a0 57 40 1b - - - - - - - -Raeburn [Page 9] - -INTERNET DRAFT November 2002 - - - Iteration count = 50 - Pass phrase = g-clef (0xf09d849e) - Salt = "EXAMPLE.COMpianist" - 128-bit PBKDF2 output: - 6b 9c f2 6d 45 45 5a 43 a5 b8 bb 27 6a 40 3b 39 - 128-bit AES key: - f1 49 c1 f2 e1 54 a7 34 52 d4 3e 7f e6 2a 56 e5 - 256-bit PBKDF2 output: - 6b 9c f2 6d 45 45 5a 43 a5 b8 bb 27 6a 40 3b 39 - e7 fe 37 a0 c4 1e 02 c2 81 ff 30 69 e1 e9 4f 52 - 256-bit AES key: - 4b 6d 98 39 f8 44 06 df 1f 09 cc 16 6d b4 b8 3c - 57 18 48 b7 84 a3 d6 bd c3 46 58 9a 3e 39 3f 9e - - Some test vectors for CBC with cipher text stealing, using an initial - vector of all-zero. 
- - AES 128-bit key: - 63 68 69 63 6b 65 6e 20 74 65 72 69 79 61 6b 69 - - Input: - 49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65 - 20 - Output: - c6 35 35 68 f2 bf 8c b4 d8 a5 80 36 2d a7 ff 7f - 97 - - Input: - 49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65 - 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 - Output: - fc 00 78 3e 0e fd b2 c1 d4 45 d4 c8 ef f7 ed 22 - 97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 - - Input: - 49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65 - 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 43 - Output: - 39 31 25 23 a7 86 62 d5 be 7f cb cc 98 eb f5 a8 - 97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 84 - - - - - - - - - - - -Raeburn [Page 10] - -INTERNET DRAFT November 2002 - - - Input: - 49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65 - 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 43 - 68 69 63 6b 65 6e 2c 20 70 6c 65 61 73 65 2c - Output: - 97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 84 - b3 ff fd 94 0c 16 a1 8c 1b 55 49 d2 f8 38 02 9e - 39 31 25 23 a7 86 62 d5 be 7f cb cc 98 eb f5 - - Input: - 49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65 - 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 43 - 68 69 63 6b 65 6e 2c 20 70 6c 65 61 73 65 2c 20 - Output: - 97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 84 - 9d ad 8b bb 96 c4 cd c0 3b c1 03 e1 a1 94 bb d8 - 39 31 25 23 a7 86 62 d5 be 7f cb cc 98 eb f5 a8 - - Input: - 49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65 - 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 43 - 68 69 63 6b 65 6e 2c 20 70 6c 65 61 73 65 2c 20 - 61 6e 64 20 77 6f 6e 74 6f 6e 20 73 6f 75 70 2e - Output: - 97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 84 - 39 31 25 23 a7 86 62 d5 be 7f cb cc 98 eb f5 a8 - 48 07 ef e8 36 ee 89 a5 26 73 0d bc 2f 7b c8 40 - 9d ad 8b bb 96 c4 cd c0 3b c1 03 e1 a1 94 bb d8 - - - - - - - - - - - - - - - - - - - - - - - -Raeburn [Page 11] 
diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-raeburn-krb-rijndael-krb-03.txt b/crypto/heimdal-0.6.3/doc/standardisation/draft-raeburn-krb-rijndael-krb-03.txt
deleted file mode 100644
index 70395f2ba8..0000000000
--- a/crypto/heimdal-0.6.3/doc/standardisation/draft-raeburn-krb-rijndael-krb-03.txt
+++ /dev/null
@@ -1,674 +0,0 @@ - - - - - - - - - -Kerberos Working Group K. Raeburn -Document: draft-raeburn-krb-rijndael-krb-03.txt MIT - February 24, 2003 - expires August 24, 2003 - - AES Encryption for Kerberos 5 - -Abstract - - Recently the US National Institute of Standards and Technology chose - a new Advanced Encryption Standard [AES], which is significantly - faster and (it is believed) more secure than the old DES algorithm. - This document is a specification for the addition of this algorithm - to the Kerberos cryptosystem suite [KCRYPTO]. - - Comments should be sent to the author, or to the IETF Kerberos - working group (ietf-krb-wg@anl.gov). - -Status of this Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC2026 [RFC2026]. Internet-Drafts - are working documents of the Internet Engineering Task Force (IETF), - its areas, and its working groups. Note that other groups may also - distribute working documents as Internet-Drafts. Internet-Drafts are - draft documents valid for a maximum of six months and may be updated, - replaced, or obsoleted by other documents at any time. It is - inappropriate to use Internet-Drafts as reference material or to cite - them other than as "work in progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - -1. Introduction - - This document defines encryption key and checksum types for Kerberos - 5 using the AES algorithm recently chosen by NIST. These new types - support 128-bit block encryption, and key sizes of 128 or 256 bits. - - Using the "simplified profile" of [KCRYPTO], we can define a pair of - encryption and checksum schemes. 
AES is used with cipher text - stealing to avoid message expansion, and SHA-1 [SHA1] is the - - - -Raeburn [Page 1] - -INTERNET DRAFT February 2003 - - - associated checksum function. - -2. Conventions Used in this Document - - The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", - "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this - document are to be interpreted as described in RFC 2119. - -3. Protocol Key Representation - - The profile in [KCRYPTO] treats keys and random octet strings as - conceptually different. But since the AES key space is dense, we can - use any bit string of appropriate length as a key. We use the byte - representation for the key described in [AES], where the first bit of - the bit string is the high bit of the first byte of the byte string - (octet string) representation. - -4. Key Generation From Pass Phrases or Random Data - - Given the above format for keys, we can generate keys from the - appropriate amounts of random data (128 or 256 bits) by simply - copying the input string. - - To generate an encryption key from a pass phrase and salt string, we - use the PBKDF2 function from PKCS #5 v2.0 ([PKCS5]), with parameters - indicated below, to generate an intermediate key (of the same length - as the desired final key), which is then passed into the DK function - with the 8-octet ASCII string "kerberos" as is done for des3-cbc- - hmac-sha1-kd in [KCRYPTO]. (In [KCRYPTO] terms, the PBKDF2 function - produces a "random octet string", hence the application of the - random-to-key function even though it's effectively a simple identity - operation.) The resulting key is the user's long-term key for use - with the encryption algorithm in question. - - tkey = random2key(PBKDF2(passphrase, salt, iter_count, keylength)) - key = DK(tkey, "kerberos") - - The pseudorandom function used by PBKDF2 will be a SHA-1 HMAC of the - passphrase and salt, as described in Appendix B.1 to PKCS#5. 
- - The number of iterations is specified by the string-to-key parameters - supplied. The parameter string is four octets indicating an unsigned - number in big-endian order. This is the number of iterations to be - performed. If the value is 00 00 00 00, the number of iterations to - be performed is 4294967296 (2**32). (Thus the minimum expressable - iteration count is 1.) - - For environments where slower hardware is the norm, implementations - - - -Raeburn [Page 2] - -INTERNET DRAFT February 2003 - - - may wish to limit the number of iterations to prevent a spoofed - response from consuming lots of client-side CPU time; it is - recommended that this bound be no less than 50000. Even for - environments with fast hardware, 4 billion iterations is likely to - take a fairly long time; much larger bounds might still be enforced, - and it might be wise for implementations to permit interruption of - this operation by the user if the environment allows for it. - - If the string-to-key parameters are not supplied, the default value - to be used is 00 00 b0 00 (decimal 45056, indicating 45056 - iterations, which takes slightly under 1 second on a 300MHz Pentium - II in tests run by the author). - - Sample test vectors are given in the appendix. - -5. Cipher Text Stealing - - Cipher block chaining is used to encrypt messages. Unlike previous - Kerberos cryptosystems, we use cipher text stealing to handle the - possibly partial final block of the message. - - Cipher text stealing is described on pages 195-196 of [AC], and - section 8 of [RC5]; it has the advantage that no message expansion is - done during encryption of messages of arbitrary sizes as is typically - done in CBC mode with padding. - - Cipher text stealing, as defined in [RC5], assumes that more than one - block of plain text is available. If exactly one block is to be - encrypted, that block is simply encrypted with AES (also known as ECB - mode). 
Input of less than one block is padded at the end to one - block; the values of the padding bits are unspecified. - (Implementations may use all-zero padding, but protocols should not - rely on the result being deterministic. Implementations may use - random padding, but protocols should not rely on the result not being - deterministic. Note that in most cases, the Kerberos encryption - profile will add a random confounder independent of this padding.) - - For consistency, cipher text stealing is always used for the last two - blocks of the data to be encrypted, as in [RC5]. If the data length - is a multiple of the block size, this is equivalent to plain CBC mode - with the last two cipher text blocks swapped. - - A test vector is given in the appendix. - - - - - - - - -Raeburn [Page 3] - -INTERNET DRAFT February 2003 - - -6. Kerberos Algorithm Profile Parameters - - This is a summary of the parameters to be used with the simplified - algorithm profile described in [KCRYPTO]: - - +--------------------------------------------------------------------+ - | protocol key format 128- or 256-bit string | - | | - | string-to-key function PBKDF2+DK with variable | - | iteration count (see | - | above) | - | | - | default string-to-key parameters 00 00 b0 00 | - | | - | key-generation seed length key size | - | | - | random-to-key function identity function | - | | - | hash function, H SHA-1 | - | | - | HMAC output size, h 12 octets (96 bits) | - | | - | message block size, m 1 octet | - | | - | encryption/decryption functions, AES in CBC-CTS mode with | - | E and D zero ivec (cipher block | - | size 16 octets) | - +--------------------------------------------------------------------+ - - Using this profile with each key size gives us two each of encryption - and checksum algorithm definitions. - -7. 
Assigned Numbers - - The following encryption type numbers are assigned: - - +--------------------------------------------------------------------+ - | encryption types | - +--------------------------------------------------------------------+ - | type name etype value key size | - +--------------------------------------------------------------------+ - | aes128-cts-hmac-sha1-96 17 128 | - | aes256-cts-hmac-sha1-96 18 256 | - +--------------------------------------------------------------------+ - - The following checksum type numbers are assigned: - - - - - -Raeburn [Page 4] - -INTERNET DRAFT February 2003 - - - +--------------------------------------------------------------------+ - | checksum types | - +--------------------------------------------------------------------+ - | type name sumtype value length | - +--------------------------------------------------------------------+ - | hmac-sha1-96-aes128 15 96 | - | hmac-sha1-96-aes256 16 96 | - +--------------------------------------------------------------------+ - - These checksum types will be used with the corresponding encryption - types defined above. - -8. Security Considerations - - This new algorithm has not been around long enough to receive the - decades of intense analysis that DES has received. It is possible - that some weakness exists that has not been found by the - cryptographers analyzing these algorithms before and during the AES - selection process. - - The use of the HMAC function has drawbacks for certain pass phrase - lengths. For example, a pass phrase longer than the hash function - block size (64 bytes, for SHA-1) is hashed to a smaller size (20 - bytes) before applying the main HMAC algorithm. However, entropy is - generally sparse in pass phrases, especially in long ones, so this - may not be a problem in the rare cases of users with long pass - phrases. 
- - Also, generating a 256-bit key from a pass phrase of any length may - be deceptive, since the effective entropy in pass-phrase-derived key - cannot be nearly that large. - - The iteration count in PBKDF2 appears to be useful primarily as a - constant multiplier for the amount of work required for an attacker - using brute-force methods. Unfortunately, it also multiplies, by the - same amount, the work needed by a legitimate user with a valid - password. Thus the work factor imposed on an attacker (who may have - many powerful workstations at his disposal) must be balanced against - the work factor imposed on the legitimate user (who may have a PDA or - cell phone); the available computing power on either side increases - as time goes on, as well. A better way to deal with the brute-force - attack is through preauthentication mechanisms that provide better - protection of, the user's long-term key. Use of such mechanisms is - out of scope for this document. - - If the PBKDF2 iteration count can be spoofed by an intruder on the - network, and the limit on the accepted iteration count is very high, - the intruder may be able to introduce a form of denial of service - - - -Raeburn [Page 5] - -INTERNET DRAFT February 2003 - - - attack against the client by sending a very high iteration count, - causing the client to spend a great deal of CPU time computing an - incorrect key. - - Any benefit against other attacks specific to the HMAC or SHA-1 - algorithms is probably achieved with a fairly small number of - iterations. - - Cipher text stealing mode, since it requires no additional padding in - most cases, will reveal the exact length of each message being - encrypted, rather than merely bounding it to a small range of - possible lengths as in CBC mode. 
Such obfuscation should not be - relied upon at higher levels in any case; if the length must be - obscured from an outside observer, it should be done by intentionally - varying the length of the message to be encrypted. - - The author is not a cryptographer. Caveat emptor. - -9. IANA Considerations - - None. - -10. Acknowledgements - - Thanks to John Brezak, Gerardo Diaz Cuellar and Marcus Watts for - feedback on earlier versions of this document. - -11. Normative References - - [AC] Schneier, B., "Applied Cryptography", second edition, John Wiley - and Sons, New York, 1996. - - [AES] National Institute of Standards and Technology, U.S. Department - of Commerce, "Advanced Encryption Standard", Federal Information - Processing Standards Publication 197, Washington, DC, November 2001. - - [KCRYPTO] Raeburn, K., "Encryption and Checksum Specifications for - Kerberos 5", draft-ietf-krb-wg-crypto-01.txt, May, 2002. Work in - progress. - - [PKCS5] Kaliski, B., "PKCS #5: Password-Based Cryptography - Specification Version 2.0", RFC 2898, September 2000. - - [RC5] Baldwin, R, and R. Rivest, "The RC5, RC5-CBC, RC5-CBC-Pad, and - RC5-CTS Algorithms", RFC 2040, October 1996. - - [RFC2026] Bradner, S., "The Internet Standards Process -- Revision - 3", RFC 2026, October 1996. - - - -Raeburn [Page 6] - -INTERNET DRAFT February 2003 - - - [SHA1] National Institute of Standards and Technology, U.S. - Department of Commerce, "Secure Hash Standard", Federal Information - Processing Standards Publication 180-1, Washington, DC, April 1995. - -12. Informative References - - [PECMS] Gutmann, P., "Password-based Encryption for CMS", RFC 3211, - December 2001. - -13. Author's Address - - Kenneth Raeburn - Massachusetts Institute of Technology - 77 Massachusetts Avenue - Cambridge, MA 02139 - raeburn@mit.edu - -14. Full Copyright Statement - - Copyright (C) The Internet Society (2003). All Rights Reserved. 
- - This document and translations of it may be copied and furnished to - others, and derivative works that comment on or otherwise explain it - or assist in its implementation may be prepared, copied, published - and distributed, in whole or in part, without restriction of any - kind, provided that the above copyright notice and this paragraph are - included on all such copies and derivative works. However, this - document itself may not be modified in any way, such as by removing - the copyright notice or references to the Internet Society or other - Internet organizations, except as needed for the purpose of - developing Internet standards in which case the procedures for - copyrights defined in the Internet Standards process must be - followed, or as required to translate it into languages other than - English. - - The limited permissions granted above are perpetual and will not be - revoked by the Internet Society or its successors or assigns. - - This document and the information contained herein is provided on an - "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING - TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING - BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION - HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF - MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE." - -A. Sample test vectors - - Sample values for the string-to-key function are included below. 
- - - -Raeburn [Page 7] - -INTERNET DRAFT February 2003 - - - Iteration count = 1 - Pass phrase = "password" - Salt = "ATHENA.MIT.EDUraeburn" - 128-bit PBKDF2 output: - cd ed b5 28 1b b2 f8 01 56 5a 11 22 b2 56 35 15 - 128-bit AES key: - 42 26 3c 6e 89 f4 fc 28 b8 df 68 ee 09 79 9f 15 - 256-bit PBKDF2 output: - cd ed b5 28 1b b2 f8 01 56 5a 11 22 b2 56 35 15 - 0a d1 f7 a0 4b b9 f3 a3 33 ec c0 e2 e1 f7 08 37 - 256-bit AES key: - fe 69 7b 52 bc 0d 3c e1 44 32 ba 03 6a 92 e6 5b - bb 52 28 09 90 a2 fa 27 88 39 98 d7 2a f3 01 61 - - Iteration count = 2 - Pass phrase = "password" - Salt="ATHENA.MIT.EDUraeburn" - 128-bit PBKDF2 output: - 01 db ee 7f 4a 9e 24 3e 98 8b 62 c7 3c da 93 5d - 128-bit AES key: - c6 51 bf 29 e2 30 0a c2 7f a4 69 d6 93 bd da 13 - 256-bit PBKDF2 output: - 01 db ee 7f 4a 9e 24 3e 98 8b 62 c7 3c da 93 5d - a0 53 78 b9 32 44 ec 8f 48 a9 9e 61 ad 79 9d 86 - 256-bit AES key: - a2 e1 6d 16 b3 60 69 c1 35 d5 e9 d2 e2 5f 89 61 - 02 68 56 18 b9 59 14 b4 67 c6 76 22 22 58 24 ff - - Iteration count = 1200 - Pass phrase = "password" - Salt = "ATHENA.MIT.EDUraeburn" - 128-bit PBKDF2 output: - 5c 08 eb 61 fd f7 1e 4e 4e c3 cf 6b a1 f5 51 2b - 128-bit AES key: - 4c 01 cd 46 d6 32 d0 1e 6d be 23 0a 01 ed 64 2a - 256-bit PBKDF2 output: - 5c 08 eb 61 fd f7 1e 4e 4e c3 cf 6b a1 f5 51 2b - a7 e5 2d db c5 e5 14 2f 70 8a 31 e2 e6 2b 1e 13 - 256-bit AES key: - 55 a6 ac 74 0a d1 7b 48 46 94 10 51 e1 e8 b0 a7 - 54 8d 93 b0 ab 30 a8 bc 3f f1 62 80 38 2b 8c 2a - - - - - - - - - - -Raeburn [Page 8] - -INTERNET DRAFT February 2003 - - - Iteration count = 5 - Pass phrase = "password" - Salt=0x1234567878563412 - 128-bit PBKDF2 output: - d1 da a7 86 15 f2 87 e6 a1 c8 b1 20 d7 06 2a 49 - 128-bit AES key: - e9 b2 3d 52 27 37 47 dd 5c 35 cb 55 be 61 9d 8e - 256-bit PBKDF2 output: - d1 da a7 86 15 f2 87 e6 a1 c8 b1 20 d7 06 2a 49 - 3f 98 d2 03 e6 be 49 a6 ad f4 fa 57 4b 6e 64 ee - 256-bit AES key: - 97 a4 e7 86 be 20 d8 1a 38 2d 5e bc 96 d5 90 9c - ab cd ad c8 7c a4 8f 57 45 04 15 9f 
16 c3 6e 31 - (This test is based on values given in [PECMS].) - - Iteration count = 1200 - Pass phrase = (64 characters) - "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" - Salt="pass phrase equals block size" - 128-bit PBKDF2 output: - 13 9c 30 c0 96 6b c3 2b a5 5f db f2 12 53 0a c9 - 128-bit AES key: - 59 d1 bb 78 9a 82 8b 1a a5 4e f9 c2 88 3f 69 ed - 256-bit PBKDF2 output: - 13 9c 30 c0 96 6b c3 2b a5 5f db f2 12 53 0a c9 - c5 ec 59 f1 a4 52 f5 cc 9a d9 40 fe a0 59 8e d1 - 256-bit AES key: - 89 ad ee 36 08 db 8b c7 1f 1b fb fe 45 94 86 b0 - 56 18 b7 0c ba e2 20 92 53 4e 56 c5 53 ba 4b 34 - - Iteration count = 1200 - Pass phrase = (65 characters) - "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" - Salt = "pass phrase exceeds block size" - 128-bit PBKDF2 output: - 9c ca d6 d4 68 77 0c d5 1b 10 e6 a6 87 21 be 61 - 128-bit AES key: - cb 80 05 dc 5f 90 17 9a 7f 02 10 4c 00 18 75 1d - 256-bit PBKDF2 output: - 9c ca d6 d4 68 77 0c d5 1b 10 e6 a6 87 21 be 61 - 1a 8b 4d 28 26 01 db 3b 36 be 92 46 91 5e c8 2a - 256-bit AES key: - d7 8c 5c 9c b8 72 a8 c9 da d4 69 7f 0b b5 b2 d2 - 14 96 c8 2b eb 2c ae da 21 12 fc ee a0 57 40 1b - - - - - - - -Raeburn [Page 9] - -INTERNET DRAFT February 2003 - - - Iteration count = 50 - Pass phrase = g-clef (0xf09d849e) - Salt = "EXAMPLE.COMpianist" - 128-bit PBKDF2 output: - 6b 9c f2 6d 45 45 5a 43 a5 b8 bb 27 6a 40 3b 39 - 128-bit AES key: - f1 49 c1 f2 e1 54 a7 34 52 d4 3e 7f e6 2a 56 e5 - 256-bit PBKDF2 output: - 6b 9c f2 6d 45 45 5a 43 a5 b8 bb 27 6a 40 3b 39 - e7 fe 37 a0 c4 1e 02 c2 81 ff 30 69 e1 e9 4f 52 - 256-bit AES key: - 4b 6d 98 39 f8 44 06 df 1f 09 cc 16 6d b4 b8 3c - 57 18 48 b7 84 a3 d6 bd c3 46 58 9a 3e 39 3f 9e - - Some test vectors for CBC with cipher text stealing, using an initial - vector of all-zero. 
- - AES 128-bit key: - 63 68 69 63 6b 65 6e 20 74 65 72 69 79 61 6b 69 - - Input: - 49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65 - 20 - Output: - c6 35 35 68 f2 bf 8c b4 d8 a5 80 36 2d a7 ff 7f - 97 - - Input: - 49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65 - 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 - Output: - fc 00 78 3e 0e fd b2 c1 d4 45 d4 c8 ef f7 ed 22 - 97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 - - Input: - 49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65 - 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 43 - Output: - 39 31 25 23 a7 86 62 d5 be 7f cb cc 98 eb f5 a8 - 97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 84 - - - - - - - - - - - -Raeburn [Page 10] - -INTERNET DRAFT February 2003 - - - Input: - 49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65 - 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 43 - 68 69 63 6b 65 6e 2c 20 70 6c 65 61 73 65 2c - Output: - 97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 84 - b3 ff fd 94 0c 16 a1 8c 1b 55 49 d2 f8 38 02 9e - 39 31 25 23 a7 86 62 d5 be 7f cb cc 98 eb f5 - - Input: - 49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65 - 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 43 - 68 69 63 6b 65 6e 2c 20 70 6c 65 61 73 65 2c 20 - Output: - 97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 84 - 9d ad 8b bb 96 c4 cd c0 3b c1 03 e1 a1 94 bb d8 - 39 31 25 23 a7 86 62 d5 be 7f cb cc 98 eb f5 a8 - - Input: - 49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65 - 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 43 - 68 69 63 6b 65 6e 2c 20 70 6c 65 61 73 65 2c 20 - 61 6e 64 20 77 6f 6e 74 6f 6e 20 73 6f 75 70 2e - Output: - 97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 84 - 39 31 25 23 a7 86 62 d5 be 7f cb cc 98 eb f5 a8 - 48 07 ef e8 36 ee 89 a5 26 73 0d bc 2f 7b c8 40 - 9d ad 8b bb 96 c4 cd c0 3b c1 03 e1 a1 94 bb d8 - -Document History (delete before RFC publication) - - Major changes from -02 to -03: - - Describe encryption of data of one block or less. - - Fix default string-to-key parameters in table to agree with text. 
- - Remove Recommendations section; the Kerberos RFC will cover - recommendations and requirements. - - Restore change history, added notes to RFC editor saying to remove - it, and update the [KCRYPTO] entry in Normative References. - - Delete confounder size, since it's gone from the simplified profile - in crypto-03. - - Change checksum numbers, since Assar Westerlund says 10 is in use. - - - - -Raeburn [Page 11] - -INTERNET DRAFT February 2003 - - - Add Security Consideration about denial of service caused by very - high spoofed iteration count. - - Major changes from -01 to -02: - - Add test vectors. - - Drop 192/384-bit variants. Prevailing opinion seems to be that - 128-bit keys are good for speed, and 256-bit for paranoia, and no one - cares about the intermediate sizes. - - Update for new string-to-key params per new Kerberos crypto draft and - discussions during the IETF conferences at Salt Lake City, December, - 2001, and Minneapolis, March, 2002. - - Drop Serpent and Twofish; Rijndael is the only one people care about. - Use "AES" in preference to "Rijndael". - - Use cipher text stealing mode intead of plain CBC, and add -cts to - the algorithm names. - - Drop SHA-2, stick with SHA-1. New test cases to exercise boundary - conditions in HMAC used in string-to-key. - - Split References into Normative/Informative. - - Major changes from -00: - - Define different types based on key/hash sizes, with hash size always - twice key size. Use simplified profile of revised section 6 of - RFC1510bis. Drop "-kd" from the names. - - Use PKCS#5 instead of simple hash. Changed string-to-key vector to - use some "Appendix Z" cases also submitted for kerberos-revisions. - -Notes to RFC Editor - - Assuming this document goes through Last Call along with the Kerberos - crypto framework draft, the reference entry for [KCRYPTO] will list - the draft name, not the RFC number. This should be replaced with the - RFC info. 
-
- The "Document History" section should be deleted, as should this one.
-
-
-
-
-
-
-
-
-Raeburn [Page 12]
diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-smedvinsky-dhc-kerbauth-01.txt b/crypto/heimdal-0.6.3/doc/standardisation/draft-smedvinsky-dhc-kerbauth-01.txt
deleted file mode 100644
index 321c5ba099..0000000000
--- a/crypto/heimdal-0.6.3/doc/standardisation/draft-smedvinsky-dhc-kerbauth-01.txt
+++ /dev/null
@@ -1,929 +0,0 @@ - - -DHC Working Group S. Medvinsky -Internet Draft Motorola -Document: -Category: Standards Track P.Lalwaney -Expires: January 2001 Nokia - - July 2000 - - - Kerberos V Authentication Mode for Uninitialized Clients - - -Status of this Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC2026. - - Internet-Drafts are working documents of the Internet Engineering - Task Force (IETF), its areas, and its working groups. Note that - other groups may also distribute working documents as Internet- - Drafts. Internet-Drafts are draft documents valid for a maximum of - six months and may be updated, replaced, or obsoleted by other - documents at any time. It is inappropriate to use Internet- Drafts - as reference material or to cite them other than as "work in - progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - - The distribution of this memo is unlimited. It is filed as , and expires January 2001. Please - send comments to the authors. - - - -1. Abstract - - The Dynamic Host Configuration Protocol (DHCP) [1] includes an - option that allows authentication of all DHCP messages, as specified - in [2]. This document specifies a DHCP authentication mode based on - Kerberos V tickets. This provides mutual authentication between a - DHCP client and server, as well as authentication of all DHCP - messages. - - This document specifies Kerberos message exchanges between an - uninitialized client and the KDC (Key Distribution Center) using an - IAKERB proxy [7] so that the Kerberos key management phase is - decoupled from, and precedes the address allocation and network - configuration phase that uses the DHCP authentication option. 
In - order to make use of the IAKERB proxy, this document specifies a - transport mechanism that works with an uninitialized client (i.e. a - -Kerberos V Authentication Mode for Uninitialized Clients July 2000 - - - client without an assigned IP address). In addition, the document - specifies the format of the Kerberos authenticator to be used with - the DHCP authentication option. - -2. Conventions used in this document - - The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", - "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in - this document are to be interpreted as described in RFC-2119. - -3. Introduction - - 3.1 Terminology - - o "DHCP client" - - A DHCP client is an Internet host using DHCP to obtain configuration - parameters such as a network address. - - o "DHCP server" - - A DHCP server is an Internet host that returns configuration - parameters to DHCP clients. - - O "Ticket" - - A Kerberos term for a record that helps a client authenticate itself - to a server; it contains the client's identity, a session key, a - timestamp, and other information, all sealed using the server's - secret key. It only serves to authenticate a client when presented - along with a fresh Authenticator. - - o "Key Distribution Center" - - Key Distribution Center, a network service that supplies tickets and - temporary session keys; or an instance of that service or the host - on which it runs. The KDC services both initial ticket and Ticket- - Granting Ticket (TGT) requests. The initial ticket portion is - sometimes referred to as the Authentication Server (or service. The - Ticket-Granting Ticket portion is sometimes referred to as the - Ticket-Granting Server (or service). - - o "Realm" - - A Kerberos administrative domain that represents a group of - principals registered at a KDC. A single KDC may be responsible for - one or more realms. 
A fully qualified principal name includes a - realm name along with a principal name unique within that realm. - -3.2 Protocol Overview - - - -S. Medvinsky, P. Lalwaney -2- - -Kerberos V Authentication Mode for Uninitialized Clients July 2000 - - - DHCP as defined in [1] defines the protocol exchanges for a client - to obtain its IP address and network configuration information from - a DHCP Server. Kerberos V5 as described in [6] defines the protocol - and message exchanges to mutually authenticate two parties. It is - our goal to provide authentication support for DHCP using Kerberos. - This implies that the Kerberos key management exchange has to take - place before a client gets its IP address from the DHCP Server. - Kerberos assumes that the client has a network address and can - contact the Key Distribution Center to obtain its credentials for - authenticated communication with an application server. - - In this specification we utilize the key exchange using an IAKERB - proxy described in [7]. This does not require any changes to either - the IAKERB or the Kerberos V5 specification. This document also - specifies a particular transport that allows an uninitialized client - to contact an IAKERB proxy. - - The Kerberos ticket returned from the key management exchange - discussed in Section 5 of this document is passed to the DHCP Server - inside the DHCP authentication option with the new Kerberos - authenticator type. This is described in Section 6 of this draft. - - -3.3 Related Work - - A prior Internet Draft [3] outlined the use of Kerberos-based - authentication for DHCP. The proposal tightly coupled the Kerberos - client state machines and the DHCP client state machines. As a - result, the Kerberos key management messages were carried in DHCP - messages, along with the Kerberos authenticators. In addition, the - first DHCP message exchange (request, offer) is not authenticated. 
- - We propose a protocol exchange where Kerberos key management is - decoupled from and precedes authenticated DHCP exchanges. This - implies that the Kerberos ticket returned in the initial key - management exchange could be used to authenticate servers assigning - addresses by non-DHCP address assignment mechanisms like RSIP [4] - and for service specific parameter provisioning mechanisms using SLP - [5]. - - - - - - - - - - - - - - -S. Medvinsky, P. Lalwaney -3- - -Kerberos V Authentication Mode for Uninitialized Clients July 2000 - - - -4. System Architecture - - - Client - -------- -------- - | | 5.Authenticated DHCP | | - | DHCP |<------------------------>| DHCP | - | client | | server | - | | | | - | | | | - |Kerberos| | | - | Client | | | - -------- -------- - ^ - | - | - | - | ------- - ------------------------------>| | - Kerberos Key Mgmt | Proxy | - messages: | | - 1. AS Request / 2.AS Reply ------- - 3. TGS Request / 4.TGS Reply ^ - | Kerberos - | Key Mgmt messages - v (1, 2, 3, 4) - -------- - | | - | KDC | - | | - -------- - - Figure 1: System blocks and message interactions between them - - - In this architecture, the DHCP client obtains a Kerberos ticket from - the Key Distribution Center (KDC) using standard Kerberos messages, - as specified in [6]. The client, however, contacts the KDC via a - proxy server, according to the IAKERB mechanism, described in [7]. - The are several reasons why a client has to go through this proxy in - order to contact the KDC: - - a)The client may not know the host address of the KDC and may be - sending its first request message as a broadcast on a local - network. The KDC may not be located on the local network, and - even if it were - it will be unable to communicate with a client - without an IP address. This document describes a specific - mechanism that may be used by a client to communicate with the - Kerberos proxy. - - - -S. Medvinsky, P. 
Lalwaney -4- - -Kerberos V Authentication Mode for Uninitialized Clients July 2000 - - - b)The client may not know its Kerberos realm name. The proxy is - able to fill in the missing client realm name in an AS Request - message, as specified in IAKERB. Note that in the case that - PKINIT pre-authenticator is used [8], the realm name in the AS - Request may be the KDC realm name and not the clientÆs realm name. - - c) The client does not know the realm name of the DHCP server. - - According to IAKERB, when the client sends a TGS Request with a - missing server realm name, the proxy will return to the client an - error message containing the missing realm name. - - Note that in this case the proxy could return the client a wrong - realm name and the client could be fooled into obtaining a ticket - for the wrong DHCP server (on the same local network). However, - the wrong DHCP server must still be a registered principal in a - KDC database. In some circumstances this may be an acceptable - compromise. Also, see the security considerations section. - - IAKERB describes the proxy as part of an application server - the - DHCP server in this case. However, in this document we are not - requiring the proxy to be integrated with the DHCP server. The - same IAKERB mechanisms apply in the more general case, where the - proxy is an independent application. This proxy, however, MUST be - reachable by a client via a local network broadcast. - - After a client has obtained a Kerberos ticket for the DHCP server, - it will use it as part of an authentication option in the DHCP - messages. The only extension to the DHCP protocol is the addition - of a new authenticator type based on Kerberos tickets. - -4.1 Cross-Realm Authentication - - Figure 1 shows a client communicating with a single KDC via a proxy. - However, the DHCP clientÆs realm may be different from the DHCP - serverÆs realm. 
In that case, the client may need to first contact - the KDC in its local realm to obtain a cross-realm TGT. Then, the - client would use the cross-realm TGT to contact the KDC in the DHCP - serverÆs realm, as specified in [6]. - - In the following example a client doesnÆt know its realm or the DHCP - serverÆs realm, which happens to be different from the clientÆs - realm. Here are the steps in obtaining the ticket for the DHCP - server (based on [6] and [7]): - - 1) The client sends AS Request with NULL realm to the proxy. - 2) The proxy fills in the realm and forwards the AS Request to - the KDC in the clientÆs realm. - 3) The KDC issues a TGT and sends back an AS Reply to the - proxy. - 4) The proxy forwards AS Reply to the client. - - -S. Medvinsky, P. Lalwaney -5- - -Kerberos V Authentication Mode for Uninitialized Clients July 2000 - - - 5) The client sends TGS Request for a principal name "dhcpsrvr" - with NULL realm to the proxy. - 6) The proxy returns KRB_AP_ERR_REALM_REQUIRED error with the - DHCP serverÆs realm to the client. - 7) The client sends another TGS Request for a cross-realm TGT - to the proxy. - 8) The proxy forwards the TGS Request to the KDC in the - clientÆs realm. - 9) The KDC issues a cross-realm TGT and sends back a TGS Reply - to the proxy. - 10) The proxy forwards TGS Reply to the client. - 11) The client sends a TGS Request to the proxy for a principal - "dhcpsrvr" with the realm name filled in, using a cross-realm - TGT. - 12) The proxy forwards TGS Request to the KDC in the DHCP - server's realm. - 13) The KDC issues a ticket for the DHCP server and sends TGS - Reply back to the proxy. - 14) The proxy forwards TGS Reply to the client. - - In a most general case, the client may need to contact any number of - KDCs in different realms before it can get a ticket for the DHCP - server. In each case, the client would contact a KDC via the proxy - server, as specified in Section 5 of this document. 
- -4.2 Public Key Authentication - - This specification also allows clients to perform public key - authentication to the KDC, based on the PKINIT specification [8]. - In this case, the size of an AS Request and AS Reply messages is - likely to exceed the size of typical link MTU's. - - Here is an example, where PKINIT is used by a DHCP client that is - not a registered principal in the KDC principal database: - - 1) The client sends AS Request with a PKINIT Request pre- - authenticator to the proxy. This includes the clientÆs - signature and X.509 certificate. The KDC realm field is - left as NULL. - 2) The proxy fills in the realm and forwards the AS Request to - the KDC in the filled in realm. This is the realm of the - DHCP server. Here, the clientÆs realm is the name of a - Certification Authority - not the same as the KDC realm. - 3) The KDC issues a TGT and sends back an AS Reply with a - PKINIT Reply pre-authenticator to the proxy. - 4) The proxy forwards the AS Reply to the client. - 5) The client sends TGS Request for a principal name "dhcpsrvr" - with the realm found in the TGT to the proxy. - 6) The proxy forwards TGS Request to the KDC in the DHCP - serverÆs realm. - 7) The KDC issues a ticket for the DHCP server and sends TGS - Reply back to the proxy. - -S. Medvinsky, P. Lalwaney -6- - -Kerberos V Authentication Mode for Uninitialized Clients July 2000 - - - 8) The proxy forwards TGS Reply to the client. - - - 5. Key Management Exchange that Precedes Network Address Allocation - - An uninitialized host (e.g. on power-on and reset) does not have a - network address. It does have a link layer address or hardware - address. At this time, the client may not have any information on - its realm or the realm of the address allocation server (DHCP - Server). 
- - In the Kerberos key management exchange, a client gets its ticket - granting ticket (TGT) by contacting the Authentication Server in the - KDC using the AS_Request / Reply messages (shown as messages 1 and 2 - in Figure 1). The client then contacts the Ticket Granting Server in - the KDC to get the DHCP server ticket (to be used for mutual - authentication with the DHCP server) using the TGS_REQ / TGS_REP - messages (shown as messages 3 and 4 in the above figure). It is - also possible for the client to obtain a DHCP server ticket directly - with the AS Request / Reply exchange, without the use of the TGT. - - In the use of Kerberos for DHCP authentication, the client (a) does - not have an IP/network address (b) does not know he KDCÆs IP address - (c) the KDC may not be on the local network and (d) the client may - not know the DHCP ServerÆs IP address and realm. We therefore - require a Kerberos proxy on the local network to accept broadcast - Kerberos request messages (AS_REQ and TGS_REQ) from uninitialized - clients and relay them to the appropriate KDC. - - The uninitialized client formulates a broadcast AS_REQ or TGS_REQ as - follows: - - The request payload contains the client hardware address in - addresses field with a negative value for the address type. Kerberos - v5 [6] allows for the usage of negative address types for "local" - use. Note that IAKERB [7] discourages the use of the addresses field - as network addresses may not be known or may change in situation - where proxies are used. In this draft we incorporate the negative - values permitted in the Kerberos transport in the address type field - of both the AS_REQ and TGS_REQ messages. The negative value SHOULD - be the negative number of the hardware address type "htype" value - (from assigned numbers RFC) used in RFC 2131. The address field of - the message contains the clients hardware address. - - The request payload is UDP encapsulated and addressed to port 88 on - the server/proxy. 
The UDP source port is selected by the client. The - source and destination network addresses are the all-zeroÆs address - and the broadcast address, respectively. For IPv4, the source IP - address is set to 0.0.0.0 and the destination IP address is set to - 255.255.255.255. The data link layer header source address - corresponds to the link layer/hardware address of the client. The - - -S. Medvinsky, P. Lalwaney -7- - -Kerberos V Authentication Mode for Uninitialized Clients July 2000 - - - destination link layer address is the broadcast address at the link - layer (e.g. for Ethernet the address is ffffffff). - - In the case where AS_REQ message contains a PKINIT pre-authenticator - for public key-based client authentication (based on [8]), the - message will probably not fit into a single UDP packet given typical - link MTU's. - - It is assumed that the proxy server on a network is configured with - a list of KDCÆs, their realms and their IP addresses. The proxy - server will act as a client to the KDC and forward standard Kerberos - messages to/from the KDC using unicast UDP or TCP transport - mechanisms, according to [6]. - - Upon receiving a broadcast request from a client, the proxy MUST - record the clientÆs hardware address that appears as the source - address on the frame as well as in the addresses field of the - request message. Based on the realm of the KDC specified in the - request, the proxy determines the KDC to which this message is - relayed as a unicast message from the proxy to the KDC. In the case - that the client left the KDC realm name as NULL, it is up to the - proxy to first determine the correct realm name and fill it in the - request (according to [7]). - - On receiving a request, the KDC formulates a response (AS_REP or - TGS_REP). It includes the clientÆs addresses field in the encrypted - part of the ticket (according to [6]). This response is unicast to - the proxy. 
- - Upon receiving the reply, the proxy MUST first determine the - previously saved hardware address of the client. The proxy - broadcasts the reply on its local network. This is a network layer - broadcast. At the link level, it uses the hardware address obtained - from the addresses field of the request. - - The client on receiving the response (link layer destination address - as its hardware address, network layer address is the broadcast - address) must verify that the hardware address in the ticket - corresponds to its link layer address. - - Upon receiving a TGS_REP (or an AS_REP with the application server - ticket) from the proxy, the client will have enough information to - securely communicate with the application server (the DHCP Server in - this case), as specified in the following section. - - - - - - - - - -S. Medvinsky, P. Lalwaney -8- - -Kerberos V Authentication Mode for Uninitialized Clients July 2000 - - - 6. Authenticated Message Exchange Between the DHCP Client and the - DHCP Server - - The ticket returned in the TGS response is used by the DHCP client - in the construction of the Kerberos authenticator. The Kerberos - ticket serves two purposes: to establish a shared session key with - the DHCP server, and is also included as part of a Kerberos - authenticator in the DHCP request. - - If the size of the authenticator is greater than 255 bytes, the DHCP - authentication option is repeated multiple times. When the values - of all the authentication options are concatenated together, they - will make up the complete authenticator. - - Once the session key is established, the Kerberos structure - containing the ticket (AP REQ) can be omitted from the authenticator - for subsequent messages sent by both the DHCP client and the DHCP - server. 
- - The Kerberos authenticator for a DHCP request message is specified - below: - - 0 1 2 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Code | Length | Protocol | Algorithm | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | | - + Replay Detection (64 bits) + - | | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | | - + Authentication token (n octets) ... + - | | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - The format of this authenticator is in accordance with [2]. The code - for the authentication option is TBD, and the length field contains - the length of the remainder of the option, starting with the - protocol field. - - The value of the protocol field for this authenticator MUST be set - to 2. - - The algorithm field MUST take one of the following values: - 1 - HMAC-MD5 - 2 - HMAC-SHA-1 - - Replay protection field is a monotonically increasing counter field. - When the Kerberos AP REQ structure is present in the authenticator - the counter may be set to any value. The AP REQ contains its own - replay protection mechanism in the form of a timestamp. - -S. Medvinsky, P. Lalwaney -9- - -Kerberos V Authentication Mode for Uninitialized Clients July 2000 - - - - Once the session key has been established and the AP REQ is not - included in the authenticator, this field MUST be monotonically - increasing in the messages sent by the client. - - Kerberos authenticator token consists of type-length-value - attributes: - - 0 1 2 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Type | Reserved | Payload Length | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | attribute value... 
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - The following attributes are included in the Kerberos authenticator - token: - - Type Attribute Name Value - -------------------------------------------------------------------- - 0 Message Integrity Code Depends on the value of the - algorithm field. Its length is - 16 bytes for HMAC-MD5 [9, 10] - and 20 bytes for HMAC-SHA-1 - [11, 10]. The HMAC key must be - derived from Kerberos session - key found in the Kerberos - ticket according to the key - derivation rules in [6]: - - HMAC Key = DK(sess key, - key usage | 0x99) - - Here, DK is defined in [12] and - the key usage value for DHCP is - TBD. - - The HMAC is calculated over the - entire DHCP message. The - Message Integrity Code - attribute MUST be set to all 0s - for the computation of the - HMAC. Because a DHCP relay - agent may alter the values of - the 'giaddr' and 'hops' fields - in the DHCP message, the - contents of those two fields - MUST also be set to zero for - the computation of the HMAC. - Rules specified in Section 3 of - [2] for the exclusion and - -S. Medvinsky, P. Lalwaney -10- - -Kerberos V Authentication Mode for Uninitialized Clients July 2000 - - - processing of the relay agent - information are applicable here - too. - - This field MUST always be - present in the Kerberos - authenticator. - - 1 AP_REQ ASN.1 encoding of a Kerberos - AP_REQ message, as specified - in [6]. This MUST be included - by the client when establishing - a new session key. In all - other cases, this attribute - MUST be omitted. - - AP_REQ contains the Kerberos ticket for the DHCP server and also - contains information needed by the DHCP server to authenticate the - client. After verifying the AP_REQ and decrypting the Kerberos - ticket, the DHCP server is able to extract a session key which it - now shares with the DHCP client. - - The Kerberos authenticator token contains its own replay protection - mechanism inside the AP_REQ structure. 
The AP_REQ contains a - timestamp that must be within an agreed upon time window at the DHCP - server. However, this does not require the DHCP clients to maintain - an accurate clock between reboots. Kerberos allows clients to - synchronize their clock with the KDC with the help of Kerberos - KRB_AP_ERR_SKEW error message, as specified in [6]. - - The DHCP server MUST save both the session key and its associated - expiration time found in the Kerberos ticket. Up until the - expiration time, the server must accept client requests with the - Kerberos authenticator that does not include the AP REQ, using the - saved session key in calculating HMAC values. - - The Kerberos authenticator inside all DHCP server responses MUST NOT - contain the AP REQ and MUST use the saved Kerberos session key in - calculating HMAC values. - - When the session key expires, it is the client's responsibility to - obtain a new ticket from the KDC and to include an AP REQ inside the - Kerberos authenticator for the next DHCP request message. - - - - - - - - - - -S. Medvinsky, P. Lalwaney -11- - -Kerberos V Authentication Mode for Uninitialized Clients July 2000 - - -7. Detailed message flows for Kerberos and DHCP message Exchanges - - The following flow depicts the Kerberos exchange in which a AS REQ - message is used to directly request the DHCP Server ticket. There - are no changes to transport mechanisms below when the additional - phase of using TGS requests/responses with TGTÆs is used. - - Client IAKERB Proxy KDC - - KB-client-------- AS_REQ ------> - - AS REQ Address type = - (htype) - AS REQ Address= hw address - - src UDP port = senders port - destination UDP port = 88 - - src IP = 0.0.0.0 - destination IP = 255.255.255.255 - - src link layer address = - clientÆs HW/link address [e.g Ethernet address] - - destination link layer address = - link broadcast address [e.g. 
ffffffff for Ethernet] - - - ---------------------------> - (unicast to UDP port 88) - - - - <-------------------------- - (unicast AS REP) - Encrypted portion of ticket - Includes clients HW address - - - <---------------AS_REP ----------- - - - Ticket includes clientÆs hardware address - - src UDP port = 88 - destination UDP port = copied from src port in AS_REQ - - src IP = ProxyÆs IP address - destination IP = 255.255.255.255 - - src link layer address = ProxyÆs HW/link address - destination link layer address = - ClientÆs link layer address from AS_REQ - - -S. Medvinsky, P. Lalwaney -12- - -Kerberos V Authentication Mode for Uninitialized Clients July 2000 - - - - - - The client uses the ticket received from the KDC in the DHCP -Authentication option as described in Section 6. - - - Client - DHCP-client DHCP Server - - ------DHCPDISCOVER ----> - (Auth Protocol = 2, includes Kerberos - authenticator with AP REQ ) - ----------------------------------- - | HMAC | AP REQ | - ---------------------------------- - | Ticket| Client Authent | - -------------------------- - - 1. Server decrypts ticket - (inside AP REQ) with service - key - 2. Server decrypts client - authenticator (inside AP REQ) - and checks content and - checksum to validate the - client. - 3. Recompute HMAC with session - key and compare. - - - <-------DHCPOFFER---------- - (Auth Protocol = 2, no AP REQ ) - - - - ---------DHCPREQUEST-------> - (Auth Protocol = 2, no AP REQ) - - - <--------DHCPACK------------- - (Auth Protocol = 2, no AP REQ ) - - - - -8. Security Considerations - - DHCP clients that do not know the DHCP serverÆs realm name will get - it from the proxy, as specified in IAKERB [7]. Since the proxy is - not authenticated, a DHCP client can be fooled into obtaining a - ticket for the wrong DHCP server in the wrong realm. - -S. Medvinsky, P. 
Lalwaney -13- - -Kerberos V Authentication Mode for Uninitialized Clients July 2000 - - - - This could happen when the client leaves out the server realm name - in a TGS Request message to the proxy. It is also possible, - however, for a client to directly request a DHCP server ticket with - an AS Request message. In those cases, the same situation occurs - when the client leaves out the realm name in an AS Request. - - This wrong DHCP server is still registered as a valid principal in a - database of a KDC that can be trusted by the client. In some - circumstances a client may assume that a DHCP server that is a - Kerberos principal registered with a trusted KDC will not attempt to - deliberately misconfigure a client. - - This specification provides a tradeoff between: - - 1) The DHCP clients knowing DHCP serverÆs realm ahead of time, - which provides for full 2-way authentication at the cost of - an additional configuration parameter. - 2) The DHCP clients not requiring any additional configuration - information, besides a password or a key (and a public key - certificate if PKINIT is used). This is at the cost of not - being able to fully authenticate the identity of the DHCP - server. - - - -9. References - - - [1]Droms, R., Arbaugh, W., "Dynamic Host Configuration Protocol", - RFC 2131, Bucknell University, March 1997. - - [2]Droms, R., Arbaugh, W., "Authentication for DHCP Messages", - draft-ietf-dhc-authentication-13.txt, June 2000. - - [3]Hornstein, K., Lemon, T., "DHCP Authentication Via Kerberos V", - draft-hornstein-dhc-kerbauth-02.txt, February 2000. - - [4]Borella, M., Grabelsky, D., Lo, J., Tuniguchi, K., "Realm - Specific IP: Protocol Specification ", draft-ietf-nat-rsip- - protocol-06.txt, March 2000. - - [5]Guttman, E., Perkins, C., Veizades, J., Day, M., "Service - Location Protocol, Version 2", RFC 2608, June 1999. 
- - [6]Neuman, C., Kohl, J., Ts'o, T., "The Kerberos Network - Authentication Service (V5)", draft-ietf-cat-kerberos-revisions- - 05.txt, March 2000. - - - - - -S. Medvinsky, P. Lalwaney -14- - -Kerberos V Authentication Mode for Uninitialized Clients July 2000 - - - - [7]Swift, M., Trostle, J., "Initial Authentication and Pass Through - Authentication Using Kerberos V5 and the GSS-API (IAKERB)", - draft-ietf-cat-iakerb-03.txt, September 1999. - - [8]Tung, B., C. Neuman, M. Hur, A. Medvinsky, S. Medvinsky, J. Wray, - J. Trostle, "Public Key Cryptography for Initial Authentication - in Kerberos", draft-ietf-cat-pk-init-11.txt, March 2000. - - [9]Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, April - 1992. - - [10]Krawczyk H., M. Bellare and R. Canetti, "HMAC: Keyed-Hashing for - Message Authentication," RFC 2104, February 1997. - - [11]NIST, FIPS PUB 180-1, "Secure Hash Standard", April 1995. - - [12]Horowitz, M., "Key Derivation for Authentication, Integrity, and - Privacy", draft-horowitz-key-derivation-02.txt, August 1998. - - [13]Bradner, S. "The Internet Standards Process -- Revision 3", RFC - 2026. - - - - 10. Author's Addresses - - Sasha Medvinsky - Motorola - 6450 Sequence Drive - San Diego, CA 92121 - Email: smedvinsky@gi.com - - Poornima Lalwaney - Nokia - 12278 Scripps Summit Drive - San Diego, CA 92131 - Email: poornima.lalwaney@nokia.com - - -11. Expiration - - This memo is filed as , and - expires January 1, 2001. - - - -12. Intellectual Property Notices - - - - - - -S. Medvinsky, P. Lalwaney -15- - -Kerberos V Authentication Mode for Uninitialized Clients March 2000 - - - This section contains two notices as required by [13] for - standards track documents. 
Per [13], section 10.4(A): - - The IETF takes no position regarding the validity or scope of any - intellectual property or other rights that might be claimed to - pertain to the implementation or use of the technology described in - this document or the extent to which any license under such rights - might or might not be available; neither does it represent that it - has made any effort to identify any such rights. Information on the - IETF's procedures with respect to rights in standards-track and - standards-related documentation can be found in BCP-11. Copies of - claims of rights made available for publication and any assurances - of licenses to be made available, or the result of an attempt made - to obtain a general license or permission for the use of such - proprietary rights by implementers or users of this specification - can be obtained from the IETF Secretariat. - - Per [13] section 10.4(D): - - The IETF has been notified of intellectual property rights - claimed in regard to some or all of the specification contained in - this document. For more information consult the online list of - claimed rights. - - 13. Full Copyright Statement - - Copyright (C) The Internet Society (1999). All Rights Reserved. - - This document and translations of it may be copied and furnished to - others, and derivative works that comment on or otherwise explain it - or assist in its implementation may be prepared, copied, published - and distributed, in whole or in part, without restriction of any - kind, provided that the above copyright notice and this paragraph - are included on all such copies and derivative works. 
However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English. The limited permissions granted above are perpetual and
- will not be revoked by the Internet Society or its successors or
- assigns. This document and the information contained herein is
- provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE
- INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
- IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
- THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-S. Medvinsky, P. Lalwaney -16-
-
\ No newline at end of file
diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-swift-win2k-krb-referrals-01.txt b/crypto/heimdal-0.6.3/doc/standardisation/draft-swift-win2k-krb-referrals-01.txt
deleted file mode 100644
index 85d745684b..0000000000
--- a/crypto/heimdal-0.6.3/doc/standardisation/draft-swift-win2k-krb-referrals-01.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-This Internet-Draft has expired and is no longer available.
-
-Unrevised documents placed in the Internet-Drafts directories have a
-maximum life of six months. After that time, they must be updated, or
-they will be deleted. This document was deleted on July 17, 2000.
diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-swift-win2k-krb-user2user-01.txt b/crypto/heimdal-0.6.3/doc/standardisation/draft-swift-win2k-krb-user2user-01.txt
deleted file mode 100644
index 85d745684b..0000000000
--- a/crypto/heimdal-0.6.3/doc/standardisation/draft-swift-win2k-krb-user2user-01.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-This Internet-Draft has expired and is no longer available.
-
-Unrevised documents placed in the Internet-Drafts directories have a
-maximum life of six months. After that time, they must be updated, or
-they will be deleted. This document was deleted on July 17, 2000.
diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-thomas-snmpv3-kerbusm-00.txt b/crypto/heimdal-0.6.3/doc/standardisation/draft-thomas-snmpv3-kerbusm-00.txt
deleted file mode 100644
index 68c170b499..0000000000
--- a/crypto/heimdal-0.6.3/doc/standardisation/draft-thomas-snmpv3-kerbusm-00.txt
+++ /dev/null
@@ -1,1140 +0,0 @@ - - - - - - -INTERNET-DRAFT Kerberized USM Keying M. Thomas - Cisco Systems - K. McCloghrie - Cisco Systems - July 13, 2000 - - - - - - - Kerberized USM Keying - - draft-thomas-snmpv3-kerbusm-00.txt - - - -Status of this Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC2026. Internet-Drafts are working - documents of the Internet Engineering Task Force (IETF), its areas, - and its working groups. Note that other groups may also distribute - working documents as Internet-Drafts. - - Internet-Drafts are draft documents valid for a maximum of six months - and may be updated, replaced, or obsoleted by other documents at any - time. It is inappropriate to use Internet-Drafts as reference - material or to cite them other than as "work in progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - -Abstract - - The KerbUSM MIB provides a means of leveraging a trusted third party - authentication and authorization mechanism using Kerberos for SNMP V3 - USM users and their associated VACM views. The MIB encodes the normal - Kerberos AP-REQ and AP-REP means of both authenticating and creating - a shared secret between the SNMP V3 Manager and Agent. - -The SNMP Management Framework - - The SNMP Management Framework presently consists of five major - components: An overall architecture, described in RFC 2571 - - - -Thomas draft-thomas-snmpv3-kerbusm-00 [Page 1] - - - - - -INTERNET-DRAFT Kerberized USM Keying 13 July 2000 - - - [RFC2571]. Mechanisms for describing and naming objects and events - for the purpose of management. The first version of this Structure - of Management Information (SMI) is called SMIv1 and described in STD - 16, RFC 1155 [RFC1155], STD 16, RFC 1212 [RFC1212] and RFC 1215 - [RFC1215]. 
The second version, called SMIv2, is described in STD 58, - RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580 - [RFC2580]. Message protocols for transferring management - information. The first version of the SNMP message protocol is - called SNMPv1 and described in STD 15, RFC 1157 [RFC1157]. A second - version of the SNMP message protocol, which is not an Internet - standards track protocol, is called SNMPv2c and described in RFC 1901 - [RFC1901] and RFC 1906 [RFC1906]. The third version of the message - protocol is called SNMPv3 and described in RFC 1906 [RFC1906], RFC - 2572 [RFC2572] and RFC 2574 [RFC2574]. Protocol operations for - accessing management information. The first set of protocol - operations and associated PDU formats is described in STD 15, RFC - 1157 [RFC1157]. A second set of protocol operations and associated - PDU formats is described in RFC 1905 [RFC1905]. A set of fundamental - applications described in RFC 2573 [RFC2573] and the view-based - access control mechanism described in RFC 2575 [RFC2575]. - - A more detailed introduction to the current SNMP Management Framework - can be found in RFC 2570 [RFC2570]. - - Managed objects are accessed via a virtual information store, termed - the Management Information Base or MIB. Objects in the MIB are - defined using the mechanisms defined in the SMI. - - This memo specifies a MIB module that is compliant to the SMIv2. A - MIB conforming to the SMIv1 can be produced through the appropriate - translations. The resulting translated MIB must be semantically - equivalent, except where objects or events are omitted because no - translation is possible (use of Counter64). Some machine readable - information in SMIv2 will be converted into textual descriptions in - SMIv1 during the translation process. However, this loss of machine - readable information is not considered to change the semantics of the - MIB. 
- - -Introduction - - The User based Security Model of SNMP V3 (USM) [2] provides a means - of associating different users with different access privileges of - the various MIB's that an agent supports. In conjunction with the - View based Access Control Model of SNMP V3 (VACM) [3], SNMP V3 - provides a means of providing resistance from various threats both - from outside attacks such as spoofing, and inside attacks such as an - user having, say, SET access to MIB variable for which they are not - - - -Thomas draft-thomas-snmpv3-kerbusm-00 [Page 2] - - - - - -INTERNET-DRAFT Kerberized USM Keying 13 July 2000 - - - authorized. - - SNMP V3, unfortunately, does not specify a means of doing key - distribution between the managers and the agents. For small numbers - of agents and managers, the O(n*m) manual keying is a cumbersome, but - possibly tractable problem. For a large number of agents with - distribution of managers, the key distribution quickly goes from - cumbersome to unmanageable. Also: there is always the lingering - concern of the security precautions taken for keys on either local - management stations, or even directories. - - Kerberos [1] provides a means of centralizing key management into an - authentication and authorization server known as a Key Distribution - Center (KDC). At a minimum, Kerberos changes the key distribution - problem from a O(n*m) problem to a O(n) problem since keys are shared - between the KDC and the Kerberos principals rather directly between - each host pair. Kerberos also provides a means to use public key - based authentication which can be used to further scale down the - number of pre-shared secrets required. Furthermore, a KDC is intended - and explicitly expected to be a standalone server which is managed - with a much higher level of security concern than a management - station or even a central directory which may host many services and - thus be exposed to many more possible vectors of attack. 
- - The MIB defined in this memo describes a means of using the desirable - properties of Kerberos within the context of SNMP V3. Kerberos - defines a standardized means of communicating with the KDC as well as - a standard format of Kerberos tickets which Kerberos principals - exchange in order to authenticate to one another. The actual means of - exchanging tickets, however, is left as application specific. This - MIB defines the SNMP MIB designed to transport Kerberos tickets and - by doing so set up SNMP V3 USM keys for authentication and privacy. - - It should be noted that using Kerberos does introduce reliance on a - key network element, the KDC. This flies in the face of one of SNMP's - dictums of working when the network is misbehaving. While this is a - valid concern, the risk of reliance on the KDC can be significantly - diminished with a few common sense actions. Since Kerberos tickets - can have long life times (days, weeks) a manager of key network - elements can and should maintain Kerberos tickets well ahead ticket - expiration so that likelihood of not being able to rekey a session - while the network is misbehaving is minimized. For non-critical, but - high fanout elements such as user CPE, etc, requiring a pre-fetched - ticket may not be practical, which puts the KDC into the critical - path. However, if all KDC's are unreachable, the non-critical network - elements are probably the least of the worries. - - - - - -Thomas draft-thomas-snmpv3-kerbusm-00 [Page 3] - - - - - -INTERNET-DRAFT Kerberized USM Keying 13 July 2000 - - -Operation - - The normal Kerberos application ticket exchange is accomplished by a - client first fetching a service ticket from a KDC for the service - principal and then sending an AP-REQ to a server to authenticate - itself to the server. The server then sends a AP-REP to finish the - exchange. 
This MIB maps Kerberos' concept of client and server into - the SNMP V3 concept of Manager and Agent by designating that the - Kerberos Client is the SNMP V3 Agent. Although it could be argued - that an Agent is really a server, in practice there may be many, many - agents and relatively few managers. Also: Kerberos clients may make - use of public key authentication as defined in [4], and it is very - advantageous to take advantage of that capability for Agents rather - than Managers. - - The MIB is intended to be stateless and map USM users to Kerberos - principals. This mapping is explicitly done by putting a Kerberos - principal name into the usmUserSecurityName in the usmUser MIB and - instatiating the krbUsmMibEntry for the usmUserEntry. MIB variables - are accessed with INFORM's or TRAP PDU's and SET's to perform a - normal Kerberos AP-REQ/AP-REP exchange transaction which causes the - keys for a USM user to be derived and installed. The basic structure - of the MIB is a table which augements usmUserEntry's with a Kerberos - principal name as well as the transaction varbinds. In the normal - case, multiple varbinds should be sent in a single PDU which prevents - various race conditions, as well as increasing efficiency. - - It should be noted that this MIB is silent on the subject of how the - Agent and Manager find the KDC. In practice, this may be either - statically provisioned or use either DNS SRV records (RFC 2782) or - Service Location (RFC 2608). This MIB is does not provide for a means - of doing cipher suite negotiation either. It is expected that the - choices for ciphers in the USM MIB will reflect site specific choices - for ciphers. This matches well with the general philosophy of - centralized keying. 
- -Keying Transactions - - The following shows an error free transaction: - - Note: optional steps or parameters are shown like [ ] - - - - - - - - - - -Thomas draft-thomas-snmpv3-kerbusm-00 [Page 4] - - - - - -INTERNET-DRAFT Kerberized USM Keying 13 July 2000 - - - - Agent Manager KDC - +-- --+ - | 1) <------------------------------- | - | SET (krbUsmPrinTable[usmUserName].krbUsmMibNonce = xxxx; | - | [ krbUsmPrinTable[usmUserName].krbUsmMibTgt = | - | TGT[usmUserSecurityName] ]); | - | | - | 2) -------------------------------> | - | Response | - +-- (optional) --+ - - 3) ---------------------------------------------------------------> - TGS-REQ (krbUsmPrinTable[usmUserName].krbUsmMibMgrPrinName - [, krbUsmPrinTable[usmUserName].krbUsmMibTgt]); - - 4) <-------------------------------------------------------------- - Tick[usmUserSecurityName] = TGS-REP (); - - 5) ------------------------------> - INFORM (krbUsmPrinTable[usmUserName].krbUsmMibApReq = - AP_REQ[Tick[usmUserSecurityName]]; - [ krbUsmPrinTable[usmUserName].krbUsmMibNonce = xxxx]); - - 6) <------------------------------ - SET (krbUsmPrinTable[usmUserName].krbUsmMibApRep = AP_REP[]); - - - 7) ------------------------------> - Response - - - The above flow translates to: - - - 1) This step is used when the Manager does not currently have a ses- - sion with the Agent but wishes to start one. The Manager MAY - place a ticket granting ticket into the krbUsmMibMgrTgt varbind - in the same PDU as the krbUsmMibNonce if it does not share a - secret with the KDC (as would be the case if the Manager used - PKinit to do initial authentication with the KDC). - - - 2) This step acknowledges the SET. There are no MIB specific errors - which can happen here. 
- - - 3) If the Agent is not already in possession of a service ticket for - - - -Thomas draft-thomas-snmpv3-kerbusm-00 [Page 5] - - - - - -INTERNET-DRAFT Kerberized USM Keying 13 July 2000 - - - the Manager in its ticket cache, it MUST request a service ticket - from the Agent's KDC for the service principal given by - krbUsmMibMgrPrinName in the row that the krbUsmMibNonce was SET - in, optionally adding a krbUsmMibMgrTgt. If the TGT is speci- - fied, the Manager's TGT must be placed in the additional-tickets - field with the ENC-TKT-IN-SKEY option set in the TGS-REQ to - obtain a service ticket (see section 3.3.3 of [1]). - - Note: a Kerberos TGS-REQ is but one way to obtain a service - ticket. An Agent may use any normal Kerberos means to - obtain the service ticket. This flow has also elided ini- - tial authentication (ie, AS-REQ) and any cross realm con- - siderations, though those may be necessary prerequisites - to obtaining the service ticket. - - 4) If step 3 was performed, this step receives the ticket or an - error from the KDC. - - - 5) This step sends a krbUsmMibApReq to the Manager via an INFORM or - TRAP PDU. If the message is the result of a request by the - Manager, krbUsmMibNonce received from the Manager MUST be sent in - the same PDU. If the Manager did not initiate the transaction, - the Agent MUST NOT send a krbUsmMibNonce varbind. The Agent also - MUST check krbUsmMibUnsolicitedNotify is not false, otherwise it - MUST abort the transaction. All krbUsmMibApReq's MUST contain a - sequence nonce so that the resulting krbUsmMibApRep can provide a - proof of the freshness of the message to prevent replay attacks. - - If the Agent encounters an error either generated by the KDC or - internally, the Agent MUST send an INFORM or TRAP PDU indicating - the error in the form of a KRB-ERROR placed in krbUsmMibApReq - with the same rules applied to krbUsmMibNonce and krbUsmMibUnsol- - icitedNotify above. 
If the Agent suspects that it is being - attacked by a purported Manager which is generating many failed - TGS-REQ's to the KDC, it SHOULD meter its TGS-REQ transactions - for that Manager to the KDC using an exponential backoff mechan- - ism truncated at 10 seconds. - - - - 6) Upon recepit of an INFORM or TRAP PDU with a krbUsmMibApReq, a - Manager may accept the AP-REQ. If it is accompanied with a - krbUsmMibNonce it MUST correlate it with any outstanding transac- - tions using its stored nonce for the transaction. If it does not - correlate with a current nonce, the request MUST be rejected as - it may be a replay. - - - - -Thomas draft-thomas-snmpv3-kerbusm-00 [Page 6] - - - - - -INTERNET-DRAFT Kerberized USM Keying 13 July 2000 - - - If the Manager chooses to reject an unsolicited keying request, - it SHOULD send a WrongValue Error to the Agent with the krbUsmMi- - bApReq as the subject of the WrongValue. If an Agent receives a - WrongValue Error from a Manager it MUST cease retransmission of - the INFORM or TRAP PDU's so as to mitigate event avalanches by - Agents. There is a possible denial of service attack here, but it - must be weighed against the larger problem of network congestion, - flapping, etc. Therefore, if the Agent finds that it cannot can- - cel an unsolicited Notify (ie, it must be reliable), it MUST use - a truncated exponential backoff mechanism with the maximum trun- - cation interval set to 10 minutes. - - Otherwise, the Manager MUST send a SET PDU to the Agent which - contains a krbUsmMibApRep. - - - 7) If the Agent detects an error (including detecting replays) in - the final AP-REP, it MUST send a WrongValue error with a pointer - to the krbUsmMibApRep varbind to indicate its inability to estab- - lish the security association. Otherwise, receipt of the positive - acknowledgement from the final SET indicates to the Manager that - the proper keys have been installed on the Agent in the USM MIB. 
- -Unsolicited Agent Keying Requests - - An Agent may find that it needs to set up a security association for - a USM user in order to notify a Manager of some event. When the Agent - engine receives a request for a notify, it SHOULD check to see if - keying material has been established for the user and that the keying - material is valid. If the keying material is not valid and the USM - user has been tagged as being a Kerberos principal in a realm, the - Agent SHOULD first try to instantiate a security association by - obtaining a service ticket for the USM User and follow steps 3-7 of - the flow above. This insures that the USM User will have proper key- - ing material and providing a mechanism to allow for casual security - associations to be built up and torn down. This is especially useful - for Agents which may not normally need to be under constant Manager - supervision, such as the case with high fan out user residential CPE - and other SNMP managed "appliances". In all cases, the Agent MUST NOT - send an unsolicited Notify if krbUsmUnsolicitedNotify is set to - false. - - How the Agent obtains the Manager's address, how it determines - whether a Manager, realm, and whether it can be keyed using this MIB - is outside of the scope of this memo. - - Note: Although the MIB allows for a Manager to set up a session - using User-User mode of Kerberos by sending a TGT along with - - - -Thomas draft-thomas-snmpv3-kerbusm-00 [Page 7] - - - - - -INTERNET-DRAFT Kerberized USM Keying 13 July 2000 - - - the nonce, this, is limited to Manager initiated sessions - only since there is no easy way to store the Manager's ticket - in the MIB since it is publicly writable and as such would be - subject to denial of service attacks. Another method might be - to have the Agent send a krbUsmMibNonce to the Manager which - would tell it to instigate a session. 
Overall, it seems like - a marginal feature to allow a PKinit authenticated user be - the target of unsolicited informs and it would complicate the - transactions. For this reason, this scenario has been omitted - in favor of simplicity. - -Retransmissions - - Since this MIB defines not only variables, but transactions, discus- - sion of the retransmission state machine is in order. There are two - similar but different state machines for the Manager Solicited and - Agent Unsolicited transactions. There is one timer Timeout which - SHOULD take into consideration round trip considerations and MUST - implement a truncated exponential backoff mechanism. In addition, in - the case where an Agent makes an unsolicited Agent keying request, - the Agent SHOULD perform an initial random backoff if the keying - request to the Manager may result in a restart avalanche. A suitable - method is described in section 4.3.4 of [5]. - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Thomas draft-thomas-snmpv3-kerbusm-00 [Page 8] - - - - - -INTERNET-DRAFT Kerberized USM Keying 13 July 2000 - - - -Manager Solicited Retransmission State Machine - - Timeout - +---+ - | | - | V - +-----------+ Set-Ack (2) +----------+ - | |------------>| | - | Set-Nonce | | Ap-Req | - | (1) |<------------| (5) | - +-----------+ Timeout +----------+ - ^ | - | | Set-Ap-Rep - | +----------+ | (6) - +------| |<------+ - Timeout | Estab-wt | - | (7) | - +----------+ - | - | Set-Ap-Rep-Ack (7) - V - +----------+ - | | - | Estab | - | | - - +----------+ - - - - - - - - - - - - - - - - - - - - - - - -Thomas draft-thomas-snmpv3-kerbusm-00 [Page 9] - - - - - -INTERNET-DRAFT Kerberized USM Keying 13 July 2000 - - - -Agent Unsolicited Retransmission State Machine - - Timeout - +---+ - | | - | V - +----------+ - | | - +----> | Ap-Req |-------+ - | | (5) | | - | +----------+ | - | | - | | Set-Ap-Rep - | +----------+ | (6) - +------| |<------+ - Timeout | Estab-wt | - | (7) | - +----------+ - | - | Set-Ap-Rep-Ack 
(7) - V - +----------+ - | | - | Estab | - | | - +----------+ - -Session Duration and Failures - - The KerbUsmMib uses the ticket lifetime to determine the life of the - USM session. The Agent MUST keep track of whether the ticket which - instigated the session is valid whenever it forms PDU's for that par- - ticular user. If a session expires, or if it wasn't valid to begin - with (from the Agent's perspective), the Agent MUST reject the PDU by - sending a XXX Error [mat: help me here Keith... what does USM say - about this?]. - - Kerberos also inherently implies adding state to the Agent and - Manager since they share not only a key, but a lifetime associated - with that key. This is in some sense soft state because failure of an - Agent will cause it to reject PDU's for Managers with whom it does - not share a secret. The Manager can use the Error PDU's as an indica- - tion that it needs to reauthenticate with the Agent, taking care not - to loop. The Manager is even easier: when it reboots, it can either - check its credential cache to reconstruct state or cause the Agent to - reauthenticate to the Manager with its service ticket by initiating a - authentication transaction with the manager. - - - -Thomas draft-thomas-snmpv3-kerbusm-00 [Page 10] - - - - - -INTERNET-DRAFT Kerberized USM Keying 13 July 2000 - - -Manager Collisions - - Managers may freely set up keys for different USM users using this - MIB without problem since they access different rows in the krbUsm- - PrinTable. However, multiple Managers trying to set up keys for the - same USM user is possible but discouraged. The requirement for the - Manager is that they MUST share the same service key with the KDC so - that they can all decrypt the same service ticket. 
There are two race - conditions, however, which are not well handled: - - - -1) At the end of a ticket lifetime, one manager may request the agent - to refresh its service ticket causing a new session key to be - installed for the USM user leaving the other managers with stale - keys. The workaround here is that the Agent will reject the stale - manager's PDU's which should inform them to do their own rekeying - operations. - - -2) If multiple managers try to access the same row at the same time, - the Agent SHOULD try to keep the transactions separate based on the - nonce values. The Managers or the Agents SHOULD NOT break the - krbUsmMibNonce and any other additional varbinds into separate PDU's - as this may result in a meta stable state. Given normal MTU sizes, - this should not be an issue in practice, and this should at worst - devolve into the case above. - - In all cases, the krbUsmMibNonce MUST be the last value to be - transmitted, though its position within a PDU is unimportant. - - - - - - - - - - - - - - - - - - - - - -Thomas draft-thomas-snmpv3-kerbusm-00 [Page 11] - - - - - -INTERNET-DRAFT Kerberized USM Keying 13 July 2000 - - - - KrbUSM MIB - - KRB-USM-MIB DEFINITIONS ::= BEGIN - IMPORTS - MODULE-IDENTITY, - OBJECT-TYPE, OBJECT-IDENTITY, - snmpModules, Counter32, Unsigned32 FROM SNMPv2-SMI - TruthValue, DisplayString FROM SNMPv2-TC - usmUserEntry FROM SNMP-USER-BASED-SM-MIB - - - - krbUsmMib MODULE-IDENTITY - LAST-UPDATED "00071300Z" - ORGANIZATION "IETF SNMP V3 Working Group" - CONTACT-INFO - "Michael Thomas - Cisco Systems - 375 E Tasman Drive - San Jose, Ca 95134 - Phone: +1 408-525-5386 - Fax: +1 801-382-5284 - email: mat@cisco.com" - DESCRIPTION - "This MIB contains the MIB variables to - exchange Kerberos credentials and a session - key to be used to authenticate and set up - USM keys" - - ::= { snmpModules nnn } -- not sure what needs to be here. 
- krbUsmMibObjects OBJECT INDENTIFIER ::= { krbUsmMib 1 } - - krbUsmMibAuthInAttemps - SYNTAX Counter32 - MAX-ACCESS read-only - STATUS current - DESCRIPTION - "Counter of the number of Kerberos - authorization attempts as defined by - receipt of a PDU from a Manager with a - krbUsmMibNonce set in the principal table." - ::= { krbUsmMibObjects 1 } - - krbUsmMibAuthOutAttemps - SYNTAX Counter32 - MAX-ACCESS read-only - STATUS current - - - -Thomas draft-thomas-snmpv3-kerbusm-00 [Page 12] - - - - - -INTERNET-DRAFT Kerberized USM Keying 13 July 2000 - - - DESCRIPTION - "Counter of the number of unsolicited Kerberos - authorization attempts as defined by - an Agent sending an INFORM or TRAP PDU with a - krbUsmMibApRep but without krbUsmApMibNonce - varbind." - ::= { krbUsmMibObjects 2 } - krbUsmMibAuthInFail - SYNTAX Counter32 - MAX-ACCESS read-only - STATUS current - DESCRIPTION - "Counter of the number of Kerberos - authorization failures as defined by - a Manager setting the krbUsmMibNonce - in the principal table which results - in some sort of failure to install keys - in the requested USM user entry." - ::= { krbUsmMibObjects 3 } - - krbUsmMibAuthOutFail - SYNTAX Counter32 - MAX-ACCESS read-only - STATUS current - DESCRIPTION - "Counter of the number of unsolicited Kerberos - authorization failures as defined by - an Agent sending an INFORM or TRAP PDU with a - krbUsmMibApRep but without a krbUsmMibNonce - varbind which does not result in keys being - installed for that USM user entry." 
- ::= { krbUsmMibObjects 4 } - - krbUsmMibPrinTable OBJECT-TYPE - SYNTAX SEQUENCE OF krbUsmMibEntry - MAX-ACCESS not-accessible - STATUS current - DESCRIPTION - "Table which maps Kerberos principals with USM - users as well as the per user variables to key - up sessions" - ::= { krbUsmMibObjects 5 } - - krbUsmMibPrinEntry OBJECT-TYPE - SYNTAX KrbUsmMibPrinEntry - MAX-ACCESS not-accessible - STATUS current - DESCRIPTION - - - -Thomas draft-thomas-snmpv3-kerbusm-00 [Page 13] - - - - - -INTERNET-DRAFT Kerberized USM Keying 13 July 2000 - - - "an entry into the krbMibPrinTable which is a - parallel table to UsmUserEntry table" - AUGMENTS { usmUserEntry } - ::= { krbUsmMibPrinTable 1 } - - KrbUsmMibPrinEntry SEQUENCE - { - krbUsmMibApReq OCTET STRING, - krbUsmMibApRep OCTET STRING, - krbUsmMibNonce OCTET STRING, - krbUsmMibMgrTGT OCTET STRING, - krbUsmMibUnsolicitedNotify TruthValue, - } - - - krbUsmMibApReq OBJECT-TYPE - SYNTAX OCTET STRING - MAX-ACCESS accessible-for-notify - STATUS current - DESCRIPTION - "This variable contains a DER encoded Kerberos - AP-REQ or KRB-ERROR for the USM user which is - to be keyed. This is sent from the Agent to - the Manager in an INFORM or TRAP request. - KRB-ERROR MUST only be sent to the Manager - if it is in response to a keying request from - the Manager. - " - ::= { krbUsmMibPrinEntry 1 } - - krbUsmMibApRep OBJECT-TYPE - SYNTAX OCTET STRING - MAX-ACCESS read-write - STATUS current - DESCRIPTION - "This variable contains the DER encoded response - to an AP-REQ. This variable is SET by the - Manager to acknowledge receipt of an AP-REQ. If - krbUsmMibApRep contains a Kerberos AP-REP, the - Agent must derive keys from the session key - of the Kerberos ticket in the AP-REQ and place - them in the USM database in a manner specified - by [RFC2574]. If the Manager detects an error, - it will instead place a KRB-ERROR in this - variable to inform the Agent of the error. - - This variable is in effect a write-only variable. 
- attempts to read this variable will result in a - - - -Thomas draft-thomas-snmpv3-kerbusm-00 [Page 14] - - - - - -INTERNET-DRAFT Kerberized USM Keying 13 July 2000 - - - null octet string being returned" - ::= { krbUsmMibPrinEntry 2 } - - krbUsmMibNonce OBJECT-TYPE - SYNTAX OCTET STRING - MAX-ACCESS read-write - STATUS current - DESCRIPTION - "SET'ing a krbUsmMibnonce allows a Manager to - determine whether an INFORM or TRAP from an - Agent is an outstanding keying request, or - unsolicited from the Agent. The Manager - initiates keying for a particular USM user - by writing a nonce into the row for which - desires to establish a security association. - The nonce is an ASCII string of the form - ``host:port?nonce'' where: - - host: is either an FQDN, or valid ipv4 or ipv6 - numerical notation of the Manager which - desires to initiate keying - port: is the destination port at which that the - Manager may be contacted - nonce: is a number generated by the Manager to - correlate the transaction - - The same nonce MUST be sent to the Manager in a - subsequent INFORM or TRAP with a krbUsmApReq. - The Agent MUST use the host address and port - supplied in the nonce as the destination of a - subsequent INFORM or TRAP. Unsolicited keying - requests MUST NOT contain a nonce, and should - instead use the destination stored Notifies of - this type. - - Nonces MUST be highly collision resistant either - using a time based method or a suitable random - number generator. Managers MUST never create - nonces which are 0. - - This variable is in effect a write-only variable. 
- Attempts to read this variable will result in a - nonce of value 0 being returned" - - - ::= { krbUsmMibPrinEntry 3 } - - - - - -Thomas draft-thomas-snmpv3-kerbusm-00 [Page 15] - - - - - -INTERNET-DRAFT Kerberized USM Keying 13 July 2000 - - - krbUsmMibMgrTgt OBJECT-TYPE - SYNTAX OCTET STRING - MAX-ACCESS read-write - STATUS current - DESCRIPTION - "If the Manager does not possess a symmetric - key with the KDC as would be the case with - a Manager using PKinit for authentication, - the Manager MUST SET its DER encoded ticket - granting ticket into KrbUsmMgrTgt along - with krbUsmMibNonce. - - The agent will then attach the Manager's TGT - into the additional tickets field of the - TGS-REQ message to the KDC to get a User-User - service ticket. - - This variable is in effect a write-only variable. - Attempts to read this variable will result in a - null octet string being returned" - ::= { krbUsmMibPrinEntry 4 } - - - krbUsmMibUnsolicitedNotify OBJECT-TYPE - SYNTAX TruthValue - MAX-ACCESS read-write - STATUS current - DESCRIPTION - "If this variable is false, the Agent MUST NOT - send unsolicited INFORM or TRAP PDU's to the - Manager. - - Attempts to SET this variable by the no-auth - no-priv user MUST be rejected." - ::= { krbUsmMibPrinEntry 5 } - - -- - -- Conformance section... nothing optional. - - krbUsmMibCompliences MODULE-COMPLIANCE - STATUS current - DESCRIPTION "The compliance statement for SNMP - engines whichimplement the KRB-USM-MIB - " - MODULE -- this module - MANDATORY-GROUPS { krbUsmMib } - ::= { krbUsmMibCompliances 1 } - - - - -Thomas draft-thomas-snmpv3-kerbusm-00 [Page 16] - - - - - -INTERNET-DRAFT Kerberized USM Keying 13 July 2000 - - - END - - -Key Derivation - - The session key provides the basis for the keying material for the - USM user specified in the AP-REQ. The actual keys for use for the - authentication and privacy are produced using the cryptographic hash- - ing function used to protect the ticket itself. 
The keying material - is derived using this function, F(key, salt), using successive - interations of F over the salt string "SNMPV3RULZ%d", where %d is a - monotonic counter starting at zero. The bits are taken directly from - the successive interations to produce two keys of appropriate size - (as specified in the USM user row) for the authentication transform - first, and the privacy transform second. If the authentication - transform is null, the first bits of the derived key are used for the - privacy transform. - -Security Considerations - - Various elements of this MIB must be readable and writable as the - no-auth, no-priv user. Unless specifically necessary for the key - negotiation, elements of this MIB SHOULD be protected by VACM views - which limit access. In particular, there is no reason anything in - this MIB should be visible to a no-auth, no-priv user with the excep- - tion of KrbUsmMibApReq, KrbUsmMibApRep, KrbUsmMibNonce, and - KrbUsmMibMgrTgt, and then only with the restrictions placed on them - in the MIB. As such, probing attacks are still possible, but should - not be profitable: all of the writable variables with interesting - information in them are defined in such a way as to be write only. - - There are some interesting denial of service attacks which are possi- - ble by attackers spoofing managers and putting load on the KDC to - generate unnecessary tickets. For large numbers or agents this could - be problematic. This can probably be mitigated by the KDC prioritiz- - ing TGS-REQ's though. - - -References - -[1] The CAT Working Group, J. Kohl, C.Neuman, "The Kerberos - Network Authentication Service (V5)", RFC 1510, September - 1993 - -[2] The SNMPV3 Working Group, U. Blumenthal, B. Wijnen, "The - User-based Security Model of SNMP V3", RFC 2574, April 1999 - -[3] The SNMPV3 Working Group, B. Wijnen, R. 
Presuhn, - - - -Thomas draft-thomas-snmpv3-kerbusm-00 [Page 17] - - - - - -INTERNET-DRAFT Kerberized USM Keying 13 July 2000 - - - K.McCloghrie, "The View-based Access Control Model of SNMP - V3", RFC 2575, April 1999 - -[4] The CAT Working Group, Tung, et al, "Public Key Cryptography - for Initial Authentication in Kerberos", draft-ietf-cat-pk- - init-11, November 1999 - -[5] Arango, et al, "Media Gateway Control Protocl (MGCP)", RFC - 2705, October 1999 - - -[RFC2571] Harrington, D., Presuhn, R., and B. Wijnen, An Architecture - for Describing SNMP Management Frameworks, RFC 2571, April - 1999. - -[RFC1155] Rose, M., and K. McCloghrie, Structure and Identification of - Management Information for TCP/IP-based Internets, STD 16, - RFC 1155, May 1990. - -[RFC1212] Rose, M., and K. McCloghrie, Concise MIB Definitions, STD - 16, RFC 1212, March 1991. - -[RFC1215] M. Rose, A Convention for Defining Traps for use with the - SNMP, RFC 1215, March 1991. - -[RFC2578] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., - Rose, M., and S. Waldbusser, Structure of Management Infor- - mation Version 2 (SMIv2), STD 58, RFC 2578, April 1999. - -[RFC2579] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., - Rose, M., and S. Waldbusser, Textual Conventions for SMIv2, - STD 58, RFC 2579, April 1999. - -[RFC2580] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., - Rose, M., and S. Waldbusser, Conformance Statements for - SMIv2, STD 58, RFC 2580, April 1999. - -[RFC1157] Case, J., Fedor, M., Schoffstall, M., and J. Davin, Simple - Network Management Protocol, STD 15, RFC 1157, May 1990. - -[RFC1901] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, - Introduction to Community-based SNMPv2, RFC 1901, January - 1996. - -[RFC1906] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, Tran- - sport Mappings for Version 2 of the Simple Network Manage- - ment Protocol (SNMPv2), RFC 1906, January 1996. 
- - - - -Thomas draft-thomas-snmpv3-kerbusm-00 [Page 18] - - - - - -INTERNET-DRAFT Kerberized USM Keying 13 July 2000 - - -[RFC2572] Case, J., Harrington D., Presuhn R., and B. Wijnen, Message - Processing and Dispatching for the Simple Network Management - Protocol (SNMP), RFC 2572, April 1999. - -[RFC2574] Blumenthal, U., and B. Wijnen, User-based Security Model - (USM) for version 3 of the Simple Network Management Proto- - col (SNMPv3), RFC 2574, April 1999. - -[RFC1905] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, Pro- - tocol Operations for Version 2 of the Simple Network Manage- - ment Protocol (SNMPv2), RFC 1905, January 1996. - -[RFC2573] Levi, D., Meyer, P., and B. Stewart, SNMPv3 Applications, - RFC 2573, April 1999. - -[RFC2575] Wijnen, B., Presuhn, R., and K. McCloghrie, View-based - Access Control Model (VACM) for the Simple Network Manage- - ment Protocol (SNMP), RFC 2575, April 1999. - -[RFC2570] Case, J., Mundy, R., Partain, D., and B. Stewart, Introduc- - tion to Version 3 of the Internet-standard Network Manage- - ment Framework, RFC 2570, April 1999. - -Author's Address - - Michael Thomas - Cisco Systems - 375 E Tasman Rd - San Jose, Ca, 95134, USA - Tel: +1 408-525-5386 - email: mat@cisco.com - - - - - - - - - - - - - - - - - - - - -Thomas draft-thomas-snmpv3-kerbusm-00 [Page 19] - - diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-trostle-win2k-cat-kerberos-set-passwd-00.txt b/crypto/heimdal-0.6.3/doc/standardisation/draft-trostle-win2k-cat-kerberos-set-passwd-00.txt deleted file mode 100644 index b89108a53b..0000000000 --- a/crypto/heimdal-0.6.3/doc/standardisation/draft-trostle-win2k-cat-kerberos-set-passwd-00.txt +++ /dev/null 
@@ -1,227 +0,0 @@
-
-CAT Working Group Mike Swift
-draft-trostle-win2k-cat-kerberos-set-passwd-00.txt Microsoft
-February 2000 Jonathan Trostle
-Category: Informational Cisco Systems
- John Brezak
- Microsoft
-
- Extending Change Password for Setting Kerberos Passwords
-
-
-0. Status Of This Memo
-
- This document is an Internet-Draft and is in full conformance with
- all provisions of Section 10 of RFC2026.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as
- Internet-Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six
- months and may be updated, replaced, or obsoleted by other
- documents at any time. It is inappropriate to use Internet-
- Drafts as reference material or to cite them other than as
- "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- Comments and suggestions on this document are encouraged. Comments
- on this document should be sent to the CAT working group discussion
- list:
- ietf-cat-wg@stanford.edu
-
-1. Abstract
-
- The Kerberos [1] change password protocol [2], does not allow for
- an administrator to set a password for a new user. This functionality
- is useful in some environments, and this proposal extends [2] to
- allow password setting. The changes are: adding new fields to the
- request message to indicate the principal which is having its
- password set, not requiring the initial flag in the service ticket,
- using a new protocol version number, and adding three new result
- codes.
-
-2. The Protocol
-
- The service must accept requests on UDP port 464 and TCP port 464 as
- well. The protocol consists of a single request message followed by
- a single reply message.
For UDP transport, each message must be fully - contained in a single UDP packet. - - For TCP transport, there is a 4 octet header in network byte order - precedes the message and specifies the length of the message. This - - requirement is consistent with the TCP transport header in 1510bis. - -Request Message - - 0 1 2 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | message length | protocol version number | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | AP_REQ length | AP_REQ data / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - / KRB-PRIV message / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - All 16 bit fields are in big-endian order. - - message length field: contains the number of bytes in the message - including this field. - - protocol version number: contains the hex constant 0xff80 (big-endian - integer). - - AP-REQ length: length of AP-REQ data, in bytes. If the length is zero, - then the last field contains a KRB-ERROR message instead of a KRB-PRIV - message. - - AP-REQ data: (see [1]) The AP-REQ message must be for the service - principal kadmin/changepw@REALM, where REALM is the REALM of the user - who wishes to change/set his password. The ticket in the AP-REQ must - must include a subkey in the Authenticator. To enable setting of - passwords, it is not required that the initial flag be set in the - Kerberos service ticket. - - KRB-PRIV message (see [1]) This KRB-PRIV message must be generated - using the subkey from the authenticator in the AP-REQ data. 
- - The user-data component of the message consists of the following ASN.1 - structure encoded as an OCTET STRING: - - ChangePasswdData ::= SEQUENCE { - newpasswd[0] OCTET STRING, - targname[2] PrincipalName OPTIONAL, - targrealm[3] Realm OPTIONAL - } - - The server must verify the AP-REQ message, check whether the client - principal in the ticket is authorized to set/change the password - (either for that principal, or for the principal in the targname - field if present), and decrypt the new password. The server also - checks whether the initial flag is required for this request, - replying with status 0x0007 if it is not set and should be. An - authorization failure is cause to respond with status 0x0005. For - forward compatibility, the server should be prepared to ignore fields - after targrealm in the structure that it does not understand. - - The newpasswd field contains the cleartext password, and the server - should apply any local policy checks including password policy checks. - The server then generates the appropriate keytypes from the password - - and stores them in the KDC database. If all goes well, status 0x0000 - is returned to the client in the reply message (see below). - -Reply Message - - 0 1 2 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | message length | protocol version number | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | AP_REP length | AP-REP data / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - / KRB-PRIV message / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - - All 16 bit fields are in big-endian order. - - message length field: contains the number of bytes in the message - including this field. - - protocol version number: contains the hex constant 0x0001 (big-endian - integer). (The reply message has the same format as in [2]). 
- - AP-REP length: length of AP-REP data, in bytes. If the length is zero, - then the last field contains a KRB-ERROR message instead of a KRB-PRIV - message. - - AP-REP data: the AP-REP is the response to the AP-REQ in the request - packet. - - KRB-PRIV from [2]: This KRB-PRIV message must be generated using the - subkey in the authenticator in the AP-REQ data. - - The server will respond with a KRB-PRIV message unless it cannot - decode the client AP-REQ or KRB-PRIV message, in which case it will - respond with a KRB-ERROR message. NOTE: Unlike change password version - 1, the KRB-ERROR message will be sent back without any encapsulation. - - The user-data component of the KRB-PRIV message, or e-data component - of the KRB-ERROR message, must consist of the following data. - - 0 1 2 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | result code | result string / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - result code (16 bits) (result codes 0-4 are from [2]): - The result code must have one of the following values (big- - endian integer): - KRB5_KPASSWD_SUCCESS 0 request succeeds (This value is not - allowed in a KRB-ERROR message) - KRB5_KPASSWD_MALFORMED 1 request fails due to being malformed - KRB5_KPASSWD_HARDERROR 2 request fails due to "hard" error in - processing the request (for example, - there is a resource or other problem - causing the request to fail) - - KRB5_KPASSWD_AUTHERROR 3 request fails due to an error in - authentication processing - KRB5_KPASSWD_SOFTERROR 4 request fails due to a "soft" error - in processing the request - KRB5_KPASSWD_ACCESSDENIED 5 requestor not authorized - KRB5_KPASSWD_BAD_VERSION 6 protocol version unsupported - KRB5_KPASSWD_INITIAL_FLAG_NEEDED 7 initial flag required - 0xFFFF if the request fails for some other reason. 
- Although only a few non-zero result codes are specified here, - the client should accept any non-zero result code as indicating - failure. - result string - from [2]: - This field should contain information which the server thinks - might be useful to the user, such as feedback about policy - failures. The string must be encoded in UTF-8. It may be - omitted if the server does not wish to include it. If it is - present, the client should display the string to the user. - This field is analogous to the string which follows the numeric - code in SMTP, FTP, and similar protocols. - -3. References - - [1] J. Kohl, C. Neuman. The Kerberos Network Authentication - Service (V5). Request for Comments 1510. - - [2] M. Horowitz. Kerberos Change Password Protocol. - ftp://ds.internic.net/internet-drafts/ - draft-ietf-cat-kerb-chg-password-02.txt - -4. Expiration Date - - This draft expires in August 2000. - -5. Authors' Addresses - - Jonathan Trostle - Cisco Systems - 170 W. Tasman Dr. - San Jose, CA 95134 - Email: jtrostle@cisco.com - - Mike Swift - 1 Microsoft Way - Redmond, WA 98052 - mikesw@microsoft.com - - John Brezak - 1 Microsoft Way - Redmond, WA 98052 - jbrezak@microsoft.com diff --git a/crypto/heimdal-0.6.3/doc/standardisation/draft-tso-telnet-krb5-04.txt b/crypto/heimdal-0.6.3/doc/standardisation/draft-tso-telnet-krb5-04.txt deleted file mode 100644 index e9611e395b..0000000000 --- a/crypto/heimdal-0.6.3/doc/standardisation/draft-tso-telnet-krb5-04.txt +++ /dev/null 
@@ -1,327 +0,0 @@
-Network Working Group T. Ts'o, Editor
-Internet-Draft Massachusetts Institute of Technology
-draft-tso-telnet-krb5-04.txt April 2000
-
- Telnet Authentication: Kerberos Version 5
-
-Status of this Memo
-
- This document is an Internet-Draft and is in full conformance with
- all provisions of Section 10 of RFC2026. Internet-Drafts are working
- documents of the Internet Engineering Task Force (IETF), its areas,
- and its working groups. Note that other groups may also distribute
- working documents as Internet-Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference mate-
- rial or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in RFC 2119.
-
-0. Abstract
-
- This document describes how Kerberos Version 5 [1] is used with the
- telnet protocol. It describes an telnet authentication sub-option
- to be used with the telnet authentication option [2]. This mecha-
- nism can also used to provide keying material to provide data confi-
- dentiality services in conjuction with the telnet encryption option
- [3].
-
-1. Command Names and Codes
-
- Authentication Types
-
- KERBEROS_V5 2
-
- Sub-option Commands
-
- Expires Sept 2000 [Page 1]
-
-Internet-Draft Kerberos Version 5 for Telnet April 2000
-
- AUTH 0
- REJECT 1
- ACCEPT 2
- RESPONSE 3
- FORWARD 4
- FORWARD_ACCEPT 5
- FORWARD_REJECT 6
-
-2. 
Command Meanings - - IAC SB AUTHENTICATION IS AUTH IAC SE - - This is used to pass the Kerberos V5 [1] KRB_AP_REQ message to the - remote side of the connection. The first octet of the value is KERBEROS_V5, to indicate that Version 5 - of Kerberos is being used. The Kerberos V5 authenticator in the - KRB_AP_REQ message must contain a Kerberos V5 checksum of the - two-byte authentication type pair. This checksum must be verified - by the server to assure that the authentication type pair was cor- - rectly negotiated. The Kerberos V5 authenticator must also in- - clude the optional subkey field, which shall be filled in with a - randomly chosen key. This key shall be used for encryption pur- - poses if encryption is negotiated, and shall be used as the nego- - tiated session key (i.e., used as keyid 0) for the purposes of the - telnet encryption option; if the subkey is not filled in, then the - ticket session key will be used instead. - - If data confidentiality services is desired the ENCRYPT_US- - ING_TELOPT flag must be set in the authentication-type-pair as - specified in [2]. - - IAC SB AUTHENTICATION REPLY ACCEPT IAC SE - - This command indicates that the authentication was successful. - - If the AUTH_HOW_MUTUAL bit is set in the second octet of the au- - thentication-type-pair, the RESPONSE command must be sent before - the ACCEPT command is sent. - - IAC SB AUTHENTICATION REPLY REJECT IAC SE - - This command indicates that the authentication was not successful, - and if there is any more data in the sub-option, it is an ASCII - text message of the reason for the rejection. - - IAC SB AUTHENTICATION REPLY RESPONSE - IAC SE - - Expires Sept 2000 [Page 2] - -Internet-Draft Kerberos Version 5 for Telnet April 2000 - - This command is used to perform mutual authentication. It is only - used when the AUTH_HOW_MUTUAL bit is set in the second octet of - the authentication-type-pair. 
After an AUTH command is verified, - a RESPONSE command is sent which contains a Kerberos V5 KRB_AP_REP - message to perform the mutual authentication. - - IAC SB AUTHENTICATION FORWARD IAC SE - - This command is used to forward kerberos credentials for use by - the remote session. The credentials are passed as a Kerberos V5 - KRB_CRED message which includes, among other things, the forwarded - Kerberos ticket and a session key associated with the ticket. Part - of the KRB_CRED message is encrypted in the key previously ex- - changed for the telnet session by the AUTH suboption. - - IAC SB AUTHENTICATION FORWARD_ACCEPT IAC - SE - - This command indicates that the credential forwarding was success- - ful. - - IAC SB AUTHENTICATION FORWARD_REJECT IAC SE - - This command indicates that the credential forwarding was not suc- - cessful, and if there is any more data in the sub-option, it is an - ASCII text message of the reason for the rejection. - -3. Implementation Rules - - If the second octet of the authentication-type-pair has the AUTH_WHO - bit set to AUTH_CLIENT_TO_SERVER, then the client sends the initial - AUTH command, and the server responds with either ACCEPT or REJECT. - In addition, if the AUTH_HOW bit is set to AUTH_HOW_MUTUAL, the serv- - er will send a RESPONSE before it sends the ACCEPT. - - If the second octet of the authentication-type-pair has the AUTH_WHO - bit set to AUTH_SERVER_TO_CLIENT, then the server sends the initial - AUTH command, and the client responds with either ACCEPT or REJECT. - In addition, if the AUTH_HOW bit is set to AUTH_HOW_MUTUAL, the - client will send a RESPONSE before it sends the ACCEPT. - - The Kerberos principal used by the server will generally be of the - form "host/@realm". That is, the first component of the - Kerberos principal is "host"; the second component is the fully qual- - ified lower-case hostname of the server; and the realm is the Ker- - beros realm to which the server belongs. 
- - Expires Sept 2000 [Page 3] - -Internet-Draft Kerberos Version 5 for Telnet April 2000 - - Any Telnet IAC characters that occur in the KRB_AP_REQ or KRB_AP_REP - messages, the KRB_CRED structure, or the optional rejection text - string must be doubled as specified in [4]. Otherwise the following - byte might be mis-interpreted as a Telnet command. - -4. Examples - - User "joe" may wish to log in as user "pete" on machine "foo". If - "pete" has set things up on "foo" to allow "joe" access to his ac- - count, then the client would send IAC SB AUTHENTICATION NAME "pete" - IAC SE IAC SB AUTHENTICATION IS KERBEROS_V5 AUTH - IAC SE - - The server would then authenticate the user as "joe" from the - KRB_AP_REQ_MESSAGE, and if the KRB_AP_REQ_MESSAGE was accepted by - Kerberos, and if "pete" has allowed "joe" to use his account, the - server would then continue the authentication sequence by sending a - RESPONSE (to do mutual authentication, if it was requested) followed - by the ACCEPT. - - If forwarding has been requested, the client then sends IAC SB AU- - THENTICATION IS KERBEROS_V5 CLIENT|MUTUAL FORWARD IAC SE. If the server succeeds in - reading the forwarded credentials, the server sends FORWARD_ACCEPT - else, a FORWARD_REJECT is sent back. - - Client Server - IAC DO AUTHENTICATION - IAC WILL AUTHENTICATION - - [ The server is now free to request authentication information. - ] - - IAC SB AUTHENTICATION SEND - KERBEROS_V5 CLIENT|MUTUAL - KERBEROS_V5 CLIENT|ONE_WAY IAC - SE - - [ The server has requested mutual Version 5 Kerberos - authentication. If mutual authentication is not supported, - then the server is willing to do one-way authentication. - - The client will now respond with the name of the user that it - wants to log in as, and the Kerberos ticket. 
] - - IAC SB AUTHENTICATION NAME - "pete" IAC SE - IAC SB AUTHENTICATION IS - KERBEROS_V5 CLIENT|MUTUAL AUTH - IAC SE - - Expires Sept 2000 [Page 4] - -Internet-Draft Kerberos Version 5 for Telnet April 2000 - - [ Since mutual authentication is desired, the server sends across - a RESPONSE to prove that it really is the right server. ] - - IAC SB AUTHENTICATION REPLY - KERBEROS_V5 CLIENT|MUTUAL - RESPONSE - IAC SE - - [ The server responds with an ACCEPT command to state that the - authentication was successful. ] - - IAC SB AUTHENTICATION REPLY KER- - BEROS_V5 CLIENT|MUTUAL ACCEPT - IAC SE - - [ If so requested, the client now sends the FORWARD command to - forward credentials to the remote site. ] - - IAC SB AUTHENTICATION IS KER- - BEROS_V5 CLIENT|MUTUAL - FORWARD IAC - SE - - [ The server responds with a FORWARD_ACCEPT command to state that - the credential forwarding was successful. ] - - Expires Sept 2000 [Page 5] - -Internet-Draft Kerberos Version 5 for Telnet April 2000 - - IAC SB AUTHENTICATION REPLY KER- - BEROS_V5 CLIENT|MUTUAL FOR- - WARD_ACCEPT IAC SE - -5. Security Considerations - - The selection of the random session key in the Kerberos V5 authenti- - cator is critical, since this key will be used for encrypting the - telnet data stream if encryption is enabled. It is strongly advised - that the random key selection be done using cryptographic techniques - that involve the Kerberos ticket's session key. For example, using - the current time, encrypting it with the ticket session key, and then - correcting for key parity is a strong way to generate a subsession - key, since the ticket session key is assumed to be never disclosed to - an attacker. - - Care should be taken before forwarding a user's Kerberos credentials - to the remote server. If the remote server is not trustworthy, this - could result in the user's credentials being compromised. 
Hence, the - user interface should not forward credentials by default; it would be - far safer to either require the user to explicitly request creden- - tials forwarding for each connection, or to have a trusted list of - hosts for which credentials forwarding is enabled, but to not enable - credentials forwarding by default for all machines. - -6. IANA Considerations - - The authentication type KERBEROS_V5 and its associated suboption values - are registered with IANA. Any suboption values used to extend - the protocol as described in this document must be registered - with IANA before use. IANA is instructed not to issue new suboption - values without submission of documentation of their use. - -7. Acknowledgments - - This document was originally written by Dave Borman of Cray Research, - Inc. Theodore Ts'o of MIT revised it to reflect the latest implemen- - tation experience. Cliff Neuman and Prasad Upasani of USC's Informa- - tion Sciences Institute developed the credential forwarding support. - - In addition, the contributions of the Telnet Working Group are also - gratefully acknowledged. - -8. References - - [1] Kohl, J. and B. Neuman, "The Kerberos Network Authentication Sys- - tem (V5)", RFC 1510, USC/Information Sciences Institute, Septem- - ber 1993. - - [2] Internet Engineering Task Force, "Telnet Authentication", draft- - tso-telnet-auth-enc-04.txt, T. Ts'o, Editor, VA Linux Systems, - April 2000. - - [3] Internet Engineering Task Force, "Telnet Data Encryption Option", - draft-tso-telnet-encryption-04.txt, T. Ts'o, Editor, VA Linux - Systems, April 2000. - - [4] Postel, J.B. and J. Reynolds, "Telnet Option Specifications", RFC - - Expires Sept 2000 [Page 6] - -Internet-Draft Kerberos Version 5 for Telnet April 2000 - - 855, STD 8, USC/Information Sciences Institute, May 1983. 
-
-Editor's Address
-
- Theodore Ts'o
- Massachusetts Institute of Technology
- MIT Room E40-343
- 77 Massachusetts Avenue
- Cambridge, MA 02139
-
- Phone: (617) 253-8091
- EMail: tytso@mit.edu
-
- Expires Sept 2000 [Page 7]
-
-
- Jeffrey Altman * Sr.Software Designer * Kermit-95 for Win32 and OS/2
- The Kermit Project * Columbia University
- 612 West 115th St #716 * New York, NY * 10025
- http://www.kermit-project.org/k95.html * kermit-support@kermit-project.org
-
-
diff --git a/crypto/heimdal-0.6.3/doc/standardisation/rc4-hmac.txt b/crypto/heimdal-0.6.3/doc/standardisation/rc4-hmac.txt
deleted file mode 100644
index 202d44e863..0000000000
--- a/crypto/heimdal-0.6.3/doc/standardisation/rc4-hmac.txt
+++ /dev/null
@@ -1,587 +0,0 @@ -CAT working group M. Swift -Internet Draft J. Brezak -Document: draft-brezak-win2k-krb-rc4-hmac-03.txt Microsoft -Category: Informational June 2000 - - - The Windows 2000 RC4-HMAC Kerberos encryption type - - -Status of this Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC2026 [1]. Internet-Drafts are - working documents of the Internet Engineering Task Force (IETF), its - areas, and its working groups. Note that other groups may also - distribute working documents as Internet-Drafts. Internet-Drafts are - draft documents valid for a maximum of six months and may be - updated, replaced, or obsoleted by other documents at any time. It - is inappropriate to use Internet- Drafts as reference material or to - cite them other than as "work in progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - -1. Abstract - - The Windows 2000 implementation of Kerberos introduces a new - encryption type based on the RC4 encryption algorithm and using an - MD5 HMAC for checksum. This is offered as an alternative to using - the existing DES based encryption types. - - The RC4-HMAC encryption types are used to ease upgrade of existing - Windows NT environments, provide strong crypto (128-bit key - lengths), and provide exportable (meet United States government - export restriction requirements) encryption. - - The Windows 2000 implementation of Kerberos contains new encryption - and checksum types for two reasons: for export reasons early in the - development process, 56 bit DES encryption could not be exported, - and because upon upgrade from Windows NT 4.0 to Windows 2000, - accounts will not have the appropriate DES keying material to do the - standard DES encryption. 
Furthermore, 3DES is not available for - export, and there was a desire to use a single flavor of encryption - in the product for both US and international products. - - As a result, there are two new encryption types and one new checksum - type introduced in Windows 2000. - - -2. Conventions used in this document - - - -Swift Category - Informational 1 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", - "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in - this document are to be interpreted as described in RFC-2119 [2]. - -3. Key Generation - - On upgrade from existing Windows NT domains, the user accounts would - not have a DES based key available to enable the use of DES base - encryption types specified in RFC 1510. The key used for RC4-HMAC is - the same as the existing Windows NT key (NT Password Hash) for - compatibility reasons. Once the account password is changed, the DES - based keys are created and maintained. Once the DES keys are - available DES based encryption types can be used with Kerberos. - - The RC4-HMAC String to key function is defined as follow: - - String2Key(password) - - K = MD4(UNICODE(password)) - - The RC4-HMAC keys are generated by using the Windows UNICODE version - of the password. Each Windows UNICODE character is encoded in - little-endian format of 2 octets each. Then performing an MD4 [6] - hash operation on just the UNICODE characters of the password (not - including the terminating zero octets). - - For an account with a password of "foo", this String2Key("foo") will - return: - - 0xac, 0x8e, 0x65, 0x7f, 0x83, 0xdf, 0x82, 0xbe, - 0xea, 0x5d, 0x43, 0xbd, 0xaf, 0x78, 0x00, 0xcc - -4. Basic Operations - - The MD5 HMAC function is defined in [3]. It is used in this - encryption type for checksum operations. Refer to [3] for details on - its operation. 
In this document this function is referred to as - HMAC(Key, Data) returning the checksum using the specified key on - the data. - - The basic MD5 hash operation is used in this encryption type and - defined in [7]. In this document this function is referred to as - MD5(Data) returning the checksum of the data. - - RC4 is a stream cipher licensed by RSA Data Security [RSADSI]. A - compatible cipher is described in [8]. In this document the function - is referred to as RC4(Key, Data) returning the encrypted data using - the specified key on the data. - - These encryption types use key derivation as defined in [9] (RFC- - 1510BIS) in Section titled "Key Derivation". With each message, the - message type (T) is used as a component of the keying material. This - summarizes the different key derivation values used in the various - -Swift Category - Informational 2 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - operations. Note that these differ from the key derivations used in - other Kerberos encryption types. - - T = 1 for TS-ENC-TS in the AS-Request - T = 8 for the AS-Reply - T = 7 for the Authenticator in the TGS-Request - T = 8 for the TGS-Reply - T = 2 for the Server Ticket in the AP-Request - T = 11 for the Authenticator in the AP-Request - T = 12 for the Server returned AP-Reply - T = 15 in the generation of checksum for the MIC token - T = 0 in the generation of sequence number for the MIC token - T = 13 in the generation of checksum for the WRAP token - T = 0 in the generation of sequence number for the WRAP token - T = 0 in the generation of encrypted data for the WRAPPED token - - All strings in this document are ASCII unless otherwise specified. - The lengths of ASCII encoded character strings include the trailing - terminator character (0). - - The concat(a,b,c,...) function will return the logical concatenation - (left to right) of the values of the arguments. - - The nonce(n) function returns a pseudo-random number of "n" octets. - -5. 
Checksum Types - - There is one checksum type used in this encryption type. The - Kerberos constant for this type is: - #define KERB_CHECKSUM_HMAC_MD5 (-138) - - The function is defined as follows: - - K - is the Key - T - the message type, encoded as a little-endian four byte integer - - CHKSUM(K, T, data) - - Ksign = HMAC(K, "signaturekey") //includes zero octet at end - tmp = MD5(concat(T, data)) - CHKSUM = HMAC(Ksign, tmp) - - -6. Encryption Types - - There are two encryption types used in these encryption types. The - Kerberos constants for these types are: - #define KERB_ETYPE_RC4_HMAC 23 - #define KERB_ETYPE_RC4_HMAC_EXP 24 - - The basic encryption function is defined as follow: - - T = the message type, encoded as a little-endian four byte integer. - -Swift Category - Informational 3 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - - BYTE L40[14] = "fortybits"; - BYTE SK = "signaturekey"; - - ENCRYPT (K, fRC4_EXP, T, data, data_len, edata, edata_len) - { - if (fRC4_EXP){ - *((DWORD *)(L40+10)) = T; - HMAC (K, L40, 10 + 4, K1); - }else{ - HMAC (K, &T, 4, K1); - } - memcpy (K2, K1, 16); - if (fRC4_EXP) memset (K1+7, 0xAB, 9); - add_8_random_bytes(data, data_len, conf_plus_data); - HMAC (K2, conf_plus_data, 8 + data_len, checksum); - HMAC (K1, checksum, 16, K3); - RC4(K3, conf_plus_data, 8 + data_len, edata + 16); - memcpy (edata, checksum, 16); - edata_len = 16 + 8 + data_len; - } - - DECRYPT (K, fRC4_EXP, T, edata, edata_len, data, data_len) - { - if (fRC4_EXP){ - *((DWORD *)(L40+10)) = T; - HMAC (K, L40, 14, K1); - }else{ - HMAC (K, &T, 4, K1); - } - memcpy (K2, K1, 16); - if (fRC4_EXP) memset (K1+7, 0xAB, 9); - HMAC (K1, edata, 16, K3); // checksum is at edata - RC4(K3, edata + 16, edata_len - 16, edata + 16); - data_len = edata_len - 16 - 8; - memcpy (data, edata + 16 + 8, data_len); - - // verify generated and received checksums - HMAC (K2, edata + 16, edata_len - 16, checksum); - if (memcmp(edata, checksum, 16) != 0) - printf("CHECKSUM ERROR 
!!!!!!\n"); - } - - The header field on the encrypted data in KDC messages is: - - typedef struct _RC4_MDx_HEADER { - UCHAR Checksum[16]; - UCHAR Confounder[8]; - } RC4_MDx_HEADER, *PRC4_MDx_HEADER; - - The KDC message is encrypted using the ENCRYPT function not - including the Checksum in the RC4_MDx_HEADER. - - -Swift Category - Informational 4 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - The character constant "fortybits" evolved from the time when a 40- - bit key length was all that was exportable from the United States. - It is now used to recognize that the key length is of "exportable" - length. In this description, the key size is actually 56-bits. - -7. Key Strength Negotiation - - A Kerberos client and server can negotiate over key length if they - are using mutual authentication. If the client is unable to perform - full strength encryption, it may propose a key in the "subkey" field - of the authenticator, using a weaker encryption type. The server - must then either return the same key or suggest its own key in the - subkey field of the AP reply message. The key used to encrypt data - is derived from the key returned by the server. If the client is - able to perform strong encryption but the server is not, it may - propose a subkey in the AP reply without first being sent a subkey - in the authenticator. - -8. GSSAPI Kerberos V5 Mechanism Type - -8.1 Mechanism Specific Changes - - The GSSAPI per-message tokens also require new checksum and - encryption types. The GSS-API per-message tokens must be changed to - support these new encryption types (See [5] Section 1.2.2). 
The - sealing algorithm identifier (SEAL_ALG) for an RC4 based encryption - is: - Byte 4..5 SEAL_ALG 0x10 0x00 - RC4 - - The signing algorithm identifier (SGN_ALG) for MD5 HMAC is: - Byte 2..3 SGN ALG 0x11 0x00 - HMAC - - The only support quality of protection is: - #define GSS_KRB5_INTEG_C_QOP_DEFAULT 0x0 - - In addition, when using an RC4 based encryption type, the sequence - number is sent in big-endian rather than little-endian order. - - The Windows 2000 implementation also defines new GSSAPI flags in the - initial token passed when initializing a security context. These - flags are passed in the checksum field of the authenticator (See [5] - Section 1.1.1). - - GSS_C_DCE_STYLE - This flag was added for use with Microsoft’s - implementation of DCE RPC, which initially expected three legs of - authentication. Setting this flag causes an extra AP reply to be - sent from the client back to the server after receiving the server’s - AP reply. In addition, the context negotiation tokens do not have - GSSAPI framing - they are raw AP message and do not include object - identifiers. - #define GSS_C_DCE_STYLE 0x1000 - - - -Swift Category - Informational 5 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - GSS_C_IDENTIFY_FLAG - This flag allows the client to indicate to the - server that it should only allow the server application to identify - the client by name and ID, but not to impersonate the client. - #define GSS_C_IDENTIFY_FLAG 0x2000 - - GSS_C_EXTENDED_ERROR_FLAG - Setting this flag indicates that the - client wants to be informed of extended error information. In - particular, Windows 2000 status codes may be returned in the data - field of a Kerberos error message. This allows the client to - understand a server failure more precisely. In addition, the server - may return errors to the client that are normally handled at the - application layer in the server, in order to let the client try to - recover. 
After receiving an error message, the client may attempt to - resubmit an AP request. - #define GSS_C_EXTENDED_ERROR_FLAG 0x4000 - - These flags are only used if a client is aware of these conventions - when using the SSPI on the Windows platform, they are not generally - used by default. - - When NetBIOS addresses are used in the GSSAPI, they are identified - by the GSS_C_AF_NETBIOS value. This value is defined as: - #define GSS_C_AF_NETBIOS 0x14 - NetBios addresses are 16-octet addresses typically composed of 1 to th 15 characters, trailing blank (ascii char 20) filled, with a 16 - octet of 0x0. - -8.2 GSSAPI Checksum Type - - The GSSAPI checksum type and algorithm is defined in Section 5. Only - the first 8 octets of the checksum are used. The resulting checksum - is stored in the SGN_CKSUM field (See [5] Section 1.2) for - GSS_GetMIC() and GSS_Wrap(conf_flag=FALSE). - - MIC (K, fRC4_EXP, seq_num, MIC_hdr, msg, msg_len, - MIC_seq, MIC_checksum) - { - HMAC (K, SK, 13, K4); - T = 15; - memcpy (T_plus_hdr_plus_msg + 00, &T, 4); - memcpy (T_plus_hdr_plus_msg + 04, MIC_hdr, 8); - // 0101 1100 FFFFFFFF - memcpy (T_plus_hdr_plus_msg + 12, msg, msg_len); - MD5 (T_hdr_msg, 4 + 8 + msg_len, MD5_of_T_hdr_msg); - HMAC (K4, MD5_of_T_hdr_msg, CHKSUM); - memcpy (MIC_checksum, CHKSUM, 8); // use only first 8 bytes - - T = 0; - if (fRC4_EXP){ - *((DWORD *)(L40+10)) = T; - HMAC (K, L40, 14, K5); - }else{ - HMAC (K, &T, 4, K5); - -Swift Category - Informational 6 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - } - if (fRC4_EXP) memset(K5+7, 0xAB, 9); - HMAC(K5, MIT_checksum, 8, K6); - copy_seq_num_in_big_endian(seq_num, seq_plus_direction); - //0x12345678 - copy_direction_flag (direction_flag, seq_plus_direction + - 4); //0x12345678FFFFFFFF - RC4(K6, seq_plus_direction, 8, MIC_seq); - } - -8.3 GSSAPI Encryption Types - - There are two encryption types for GSSAPI message tokens, one that - is 128 bits in strength, and one that is 56 bits in strength as - defined in 
Section 6. - - All padding is rounded up to 1 byte. One byte is needed to say that - there is 1 byte of padding. The DES based mechanism type uses 8 byte - padding. See [5] Section 1.2.2.3. - - The encryption mechanism used for GSS wrap based messages is as - follow: - - - WRAP (K, fRC4_EXP, seq_num, WRAP_hdr, msg, msg_len, - WRAP_seq, WRAP_checksum, edata, edata_len) - { - HMAC (K, SK, 13, K7); - T = 13; - PAD = 1; - memcpy (T_hdr_conf_msg_pad + 00, &T, 4); - memcpy (T_hdr_conf_msg_pad + 04, WRAP_hdr, 8); // 0101 1100 - FFFFFFFF - memcpy (T_hdr_conf_msg_pad + 12, msg, msg_len); - memcpy (T_hdr_conf_msg_pad + 12 + msg_len, &PAD, 1); - MD5 (T_hdr_conf_msg_pad, - 4 + 8 + 8 + msg_len + 1, - MD5_of_T_hdr_conf_msg_pad); - HMAC (K7, MD5_of_T_hdr_conf_msg_pad, CHKSUM); - memcpy (WRAP_checksum, CHKSUM, 8); // use only first 8 - bytes - - T = 0; - if (fRC4_EXP){ - *((DWORD *)(L40+10)) = T; - HMAC (K, L40, 14, K8); - }else{ - HMAC (K, &T, 4, K8); - } - if (fRC4_EXP) memset(K8+7, 0xAB, 9); - HMAC(K8, WRAP_checksum, 8, K9); - copy_seq_num_in_big_endian(seq_num, seq_plus_direction); - //0x12345678 - -Swift Category - Informational 7 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - copy_direction_flag (direction_flag, seq_plus_direction + - 4); //0x12345678FFFFFFFF - RC4(K9, seq_plus_direction, 8, WRAP_seq); - - for (i = 0; i < 16; i++) K10 [i] ^= 0xF0; // XOR each byte - of key with 0xF0 - T = 0; - if (fRC4_EXP){ - *(DWORD *)(L40+10) = T; - HMAC(K10, L40, 14, K11); - memset(K11+7, 0xAB, 9); - }else{ - HMAC(K10, &T, 4, K11); - } - HMAC(K11, seq_num, 4, K12); - RC4(K12, T_hdr_conf_msg_pad + 4 + 8, 8 + msg_len + 1, - edata); /* skip T & hdr */ - edata_len = 8 + msg_len + 1; // conf + msg_len + pad - } - - - The character constant "fortybits" evolved from the time when a 40- - bit key length was all that was exportable from the United States. - It is now used to recognize that the key length is of "exportable" - length. 
In this description, the key size is actually 56-bits. - -9. Security Considerations - - Care must be taken in implementing this encryption type because it - uses a stream cipher. If a different IV isn’t used in each direction - when using a session key, the encryption is weak. By using the - sequence number as an IV, this is avoided. - -10. Acknowledgements - - We would like to thank Salil Dangi for the valuable input in - refining the descriptions of the functions and review input. - -11. References - - 1 Bradner, S., "The Internet Standards Process -- Revision 3", BCP - 9, RFC 2026, October 1996. - - 2 Bradner, S., "Key words for use in RFCs to Indicate Requirement - Levels", BCP 14, RFC 2119, March 1997 - - 3 Krawczyk, H., Bellare, M., Canetti, R.,"HMAC: Keyed-Hashing for - Message Authentication", RFC 2104, February 1997 - - 4 Kohl, J., Neuman, C., "The Kerberos Network Authentication - Service (V5)", RFC 1510, September 1993 - - - -Swift Category - Informational 8 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - - 5 Linn, J., "The Kerberos Version 5 GSS-API Mechanism", RFC-1964, - June 1996 - - 6 R. Rivest, "The MD4 Message-Digest Algorithm", RFC-1320, April - 1992 - - 7 R. Rivest, "The MD5 Message-Digest Algorithm", RFC-1321, April - 1992 - - 8 Thayer, R. and K. Kaukonen, "A Stream Cipher Encryption - Algorithm", Work in Progress. - - 9 RC4 is a proprietary encryption algorithm available under license - from RSA Data Security Inc. For licensing information, contact: - - RSA Data Security, Inc. - 100 Marine Parkway - Redwood City, CA 94065-1031 - - 10 Neuman, C., Kohl, J., Ts'o, T., "The Kerberos Network - Authentication Service (V5)", draft-ietf-cat-kerberos-revisions- - 04.txt, June 25, 1999 - - -12. Author's Addresses - - Mike Swift - Dept. 
of Computer Science - Sieg Hall - University of Washington - Seattle, WA 98105 - Email: mikesw@cs.washington.edu - - John Brezak - Microsoft - One Microsoft Way - Redmond, Washington - Email: jbrezak@microsoft.com - - - - - - - - - - - - - - - -Swift Category - Informational 9 - - Windows 2000 RC4-HMAC Kerberos E-Type October 1999 - - - -13. Full Copyright Statement - - "Copyright (C) The Internet Society (2000). All Rights Reserved. - - This document and translations of it may be copied and - furnished to others, and derivative works that comment on or - otherwise explain it or assist in its implementation may be - prepared, copied, published and distributed, in whole or in - part, without restriction of any kind, provided that the above - copyright notice and this paragraph are included on all such - copies and derivative works. However, this document itself may - not be modified in any way, such as by removing the copyright - notice or references to the Internet Society or other Internet - organizations, except as needed for the purpose of developing - Internet standards in which case the procedures for copyrights - defined in the Internet Standards process must be followed, or - as required to translate it into languages other than English. - - The limited permissions granted above are perpetual and will - not be revoked by the Internet Society or its successors or - assigns. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Swift Category - Informational 10 - diff --git a/crypto/heimdal-0.6.3/doc/standardisation/rfc1508.txt b/crypto/heimdal-0.6.3/doc/standardisation/rfc1508.txt deleted file mode 100644 index 132b855e05..0000000000 --- a/crypto/heimdal-0.6.3/doc/standardisation/rfc1508.txt +++ /dev/null 
@@ -1,2747 +0,0 @@ - - - - - - -Network Working Group J. Linn -Request for Comments: 1508 Geer Zolot Associates - September 1993 - - - Generic Security Service Application Program Interface - -Status of this Memo - - This RFC specifies an Internet standards track protocol for the - Internet community, and requests discussion and suggestions for - improvements. Please refer to the current edition of the "Internet - Official Protocol Standards" for the standardization state and status - of this protocol. Distribution of this memo is unlimited. - -Abstract - - This Generic Security Service Application Program Interface (GSS-API) - definition provides security services to callers in a generic - fashion, supportable with a range of underlying mechanisms and - technologies and hence allowing source-level portability of - applications to different environments. This specification defines - GSS-API services and primitives at a level independent of underlying - mechanism and programming language environment, and is to be - complemented by other, related specifications: - - documents defining specific parameter bindings for particular - language environments - - documents defining token formats, protocols, and procedures to - be implemented in order to realize GSS-API services atop - particular security mechanisms - -Table of Contents - - 1. GSS-API Characteristics and Concepts ....................... 2 - 1.1. GSS-API Constructs ....................................... 5 - 1.1.1. Credentials ........................................... 5 - 1.1.2. Tokens ................................................ 6 - 1.1.3. Security Contexts ..................................... 7 - 1.1.4. Mechanism Types ....................................... 8 - 1.1.5. Naming ................................................ 9 - 1.1.6. Channel Bindings ...................................... 10 - 1.2. GSS-API Features and Issues ............................. 11 - 1.2.1. 
Status Reporting ...................................... 11 - 1.2.2. Per-Message Security Service Availability ............. 12 - 1.2.3. Per-Message Replay Detection and Sequencing ........... 13 - 1.2.4. Quality of Protection ................................. 15 - - - -Linn [Page 1] - -RFC 1508 Generic Security Interface September 1993 - - - 2. Interface Descriptions ..................................... 15 - 2.1. Credential management calls ............................. 17 - 2.1.1. GSS_Acquire_cred call ................................. 17 - 2.1.2. GSS_Release_cred call ................................. 19 - 2.1.3. GSS_Inquire_cred call ................................. 20 - 2.2. Context-level calls ..................................... 21 - 2.2.1. GSS_Init_sec_context call ............................. 21 - 2.2.2. GSS_Accept_sec_context call ........................... 26 - 2.2.3. GSS_Delete_sec_context call ........................... 29 - 2.2.4. GSS_Process_context_token call ........................ 30 - 2.2.5. GSS_Context_time call ................................. 31 - 2.3. Per-message calls ....................................... 32 - 2.3.1. GSS_Sign call ......................................... 32 - 2.3.2. GSS_Verify call ....................................... 33 - 2.3.3. GSS_Seal call ......................................... 35 - 2.3.4. GSS_Unseal call ....................................... 36 - 2.4. Support calls ........................................... 37 - 2.4.1. GSS_Display_status call ............................... 37 - 2.4.2. GSS_Indicate_mechs call ............................... 38 - 2.4.3. GSS_Compare_name call ................................. 38 - 2.4.4. GSS_Display_name call ................................. 39 - 2.4.5. GSS_Import_name call .................................. 40 - 2.4.6. GSS_Release_name call ................................. 41 - 2.4.7. GSS_Release_buffer call ............................... 41 - 2.4.8. 
GSS_Release_oid_set call .............................. 42 - 3. Mechanism-Specific Example Scenarios ....................... 42 - 3.1. Kerberos V5, single-TGT ................................. 43 - 3.2. Kerberos V5, double-TGT ................................. 43 - 3.3. X.509 Authentication Framework .......................... 44 - 4. Related Activities ......................................... 45 - 5. Acknowledgments ............................................ 46 - 6. Security Considerations .................................... 46 - 7. Author's Address ........................................... 46 - Appendix A .................................................... 47 - Appendix B .................................................... 48 - Appendix C .................................................... 49 - -1. GSS-API Characteristics and Concepts - - The operational paradigm in which GSS-API operates is as follows. A - typical GSS-API caller is itself a communications protocol, calling - on GSS-API in order to protect its communications with - authentication, integrity, and/or confidentiality security services. - A GSS-API caller accepts tokens provided to it by its local GSS-API - implementation and transfers the tokens to a peer on a remote system; - that peer passes the received tokens to its local GSS-API - implementation for processing. The security services available - through GSS-API in this fashion are implementable (and have been - - - -Linn [Page 2] - -RFC 1508 Generic Security Interface September 1993 - - - implemented) over a range of underlying mechanisms based on secret- - key and public-key cryptographic technologies. - - The GSS-API separates the operations of initializing a security - context between peers, achieving peer entity authentication (This - security service definition, and other definitions used in this - document, corresponds to that provided in International Standard ISO - 7498-2-1988(E), Security Architecture.) 
(GSS_Init_sec_context() and - GSS_Accept_sec_context() calls), from the operations of providing - per-message data origin authentication and data integrity protection - (GSS_Sign() and GSS_Verify() calls) for messages subsequently - transferred in conjunction with that context. Per-message GSS_Seal() - and GSS_Unseal() calls provide the data origin authentication and - data integrity services which GSS_Sign() and GSS_Verify() offer, and - also support selection of confidentiality services as a caller - option. Additional calls provide supportive functions to the GSS- - API's users. - - The following paragraphs provide an example illustrating the - dataflows involved in use of the GSS-API by a client and server in a - mechanism-independent fashion, establishing a security context and - transferring a protected message. The example assumes that credential - acquisition has already been completed. The example assumes that the - underlying authentication technology is capable of authenticating a - client to a server using elements carried within a single token, and - of authenticating the server to the client (mutual authentication) - with a single returned token; this assumption holds for presently- - documented CAT mechanisms but is not necessarily true for other - cryptographic technologies and associated protocols. - - The client calls GSS_Init_sec_context() to establish a security - context to the server identified by targ_name, and elects to set the - mutual_req_flag so that mutual authentication is performed in the - course of context establishment. GSS_Init_sec_context() returns an - output_token to be passed to the server, and indicates - GSS_CONTINUE_NEEDED status pending completion of the mutual - authentication sequence. Had mutual_req_flag not been set, the - initial call to GSS_Init_sec_context() would have returned - GSS_COMPLETE status. The client sends the output_token to the server. 
- - The server passes the received token as the input_token parameter to - GSS_Accept_sec_context(). GSS_Accept_sec_context indicates - GSS_COMPLETE status, provides the client's authenticated identity in - the src_name result, and provides an output_token to be passed to the - client. The server sends the output_token to the client. - - The client passes the received token as the input_token parameter to - a successor call to GSS_Init_sec_context(), which processes data - - - -Linn [Page 3] - -RFC 1508 Generic Security Interface September 1993 - - - included in the token in order to achieve mutual authentication from - the client's viewpoint. This call to GSS_Init_sec_context() returns - GSS_COMPLETE status, indicating successful mutual authentication and - the completion of context establishment for this example. - - The client generates a data message and passes it to GSS_Seal(). - GSS_Seal() performs data origin authentication, data integrity, and - (optionally) confidentiality processing on the message and - encapsulates the result into output_message, indicating GSS_COMPLETE - status. The client sends the output_message to the server. - - The server passes the received message to GSS_Unseal(). GSS_Unseal - inverts the encapsulation performed by GSS_Seal(), deciphers the - message if the optional confidentiality feature was applied, and - validates the data origin authentication and data integrity checking - quantities. GSS_Unseal() indicates successful validation by - returning GSS_COMPLETE status along with the resultant - output_message. - - For purposes of this example, we assume that the server knows by - out-of-band means that this context will have no further use after - one protected message is transferred from client to server. Given - this premise, the server now calls GSS_Delete_sec_context() to flush - context-level information. GSS_Delete_sec_context() returns a - context_token for the server to pass to the client. 
- - The client passes the returned context_token to - GSS_Process_context_token(), which returns GSS_COMPLETE status after - deleting context-level information at the client system. - - The GSS-API design assumes and addresses several basic goals, - including: - - Mechanism independence: The GSS-API defines an interface to - cryptographically implemented strong authentication and other - security services at a generic level which is independent of - particular underlying mechanisms. For example, GSS-API-provided - services can be implemented by secret-key technologies (e.g., - Kerberos) or public-key approaches (e.g., X.509). - - Protocol environment independence: The GSS-API is independent of - the communications protocol suites with which it is employed, - permitting use in a broad range of protocol environments. In - appropriate environments, an intermediate implementation "veneer" - which is oriented to a particular communication protocol (e.g., - Remote Procedure Call (RPC)) may be interposed between - applications which call that protocol and the GSS-API, thereby - invoking GSS-API facilities in conjunction with that protocol's - - - -Linn [Page 4] - -RFC 1508 Generic Security Interface September 1993 - - - communications invocations. - - Protocol association independence: The GSS-API's security context - construct is independent of communications protocol association - constructs. This characteristic allows a single GSS-API - implementation to be utilized by a variety of invoking protocol - modules on behalf of those modules' calling applications. GSS-API - services can also be invoked directly by applications, wholly - independent of protocol associations. 
- - Suitability to a range of implementation placements: GSS-API - clients are not constrained to reside within any Trusted Computing - Base (TCB) perimeter defined on a system where the GSS-API is - implemented; security services are specified in a manner suitable - to both intra-TCB and extra-TCB callers. - -1.1. GSS-API Constructs - - This section describes the basic elements comprising the GSS-API. - -1.1.1. Credentials - - Credentials structures provide the prerequisites enabling peers to - establish security contexts with each other. A caller may designate - that its default credential be used for context establishment calls - without presenting an explicit handle to that credential. - Alternately, those GSS-API callers which need to make explicit - selection of particular credentials structures may make references to - those credentials through GSS-API-provided credential handles - ("cred_handles"). - - A single credential structure may be used for initiation of outbound - contexts and acceptance of inbound contexts. Callers needing to - operate in only one of these modes may designate this fact when - credentials are acquired for use, allowing underlying mechanisms to - optimize their processing and storage requirements. The credential - elements defined by a particular mechanism may contain multiple - cryptographic keys, e.g., to enable authentication and message - encryption to be performed with different algorithms. - - A single credential structure may accommodate credential information - associated with multiple underlying mechanisms (mech_types); a - credential structure's contents will vary depending on the set of - mech_types supported by a particular GSS-API implementation. 
- Commonly, a single mech_type will be used for all security contexts - established by a particular initiator to a particular target; the - primary motivation for supporting credential sets representing - multiple mech_types is to allow initiators on systems which are - - - -Linn [Page 5] - -RFC 1508 Generic Security Interface September 1993 - - - equipped to handle multiple types to initiate contexts to targets on - other systems which can accommodate only a subset of the set - supported at the initiator's system. - - It is the responsibility of underlying system-specific mechanisms and - OS functions below the GSS-API to ensure that the ability to acquire - and use credentials associated with a given identity is constrained - to appropriate processes within a system. This responsibility should - be taken seriously by implementors, as the ability for an entity to - utilize a principal's credentials is equivalent to the entity's - ability to successfully assert that principal's identity. - - Once a set of GSS-API credentials is established, the transferability - of that credentials set to other processes or analogous constructs - within a system is a local matter, not defined by the GSS-API. An - example local policy would be one in which any credentials received - as a result of login to a given user account, or of delegation of - rights to that account, are accessible by, or transferable to, - processes running under that account. - - The credential establishment process (particularly when performed on - behalf of users rather than server processes) is likely to require - access to passwords or other quantities which should be protected - locally and exposed for the shortest time possible. As a result, it - will often be appropriate for preliminary credential establishment to - be performed through local means at user login time, with the - result(s) cached for subsequent reference. 
These preliminary - credentials would be set aside (in a system-specific fashion) for - subsequent use, either: - - to be accessed by an invocation of the GSS-API GSS_Acquire_cred() - call, returning an explicit handle to reference that credential - - as the default credentials installed on behalf of a process - -1.1.2. Tokens - - Tokens are data elements transferred between GSS-API callers, and are - divided into two classes. Context-level tokens are exchanged in order - to establish and manage a security context between peers. Per-message - tokens are exchanged in conjunction with an established context to - provide protective security services for corresponding data messages. - The internal contents of both classes of tokens are specific to the - particular underlying mechanism used to support the GSS-API; Appendix - B of this document provides a uniform recommendation for designers of - GSS-API support mechanisms, encapsulating mechanism-specific - information along with a globally-interpretable mechanism identifier. - - - - -Linn [Page 6] - -RFC 1508 Generic Security Interface September 1993 - - - Tokens are opaque from the viewpoint of GSS-API callers. They are - generated within the GSS-API implementation at an end system, - provided to a GSS-API caller to be transferred to the peer GSS-API - caller at a remote end system, and processed by the GSS-API - implementation at that remote end system. Tokens may be output by - GSS-API primitives (and are to be transferred to GSS-API peers) - independent of the status indications which those primitives - indicate. Token transfer may take place in an in-band manner, - integrated into the same protocol stream used by the GSS-API callers - for other data transfers, or in an out-of-band manner across a - logically separate channel. 
- - Development of GSS-API support primitives based on a particular - underlying cryptographic technique and protocol does not necessarily - imply that GSS-API callers invoking that GSS-API mechanism type will - be able to interoperate with peers invoking the same technique and - protocol outside the GSS-API paradigm. For example, the format of - GSS-API tokens defined in conjunction with a particular mechanism, - and the techniques used to integrate those tokens into callers' - protocols, may not be the same as those used by non-GSS-API callers - of the same underlying technique. - -1.1.3. Security Contexts - - Security contexts are established between peers, using credentials - established locally in conjunction with each peer or received by - peers via delegation. Multiple contexts may exist simultaneously - between a pair of peers, using the same or different sets of - credentials. Coexistence of multiple contexts using different - credentials allows graceful rollover when credentials expire. - Distinction among multiple contexts based on the same credentials - serves applications by distinguishing different message streams in a - security sense. - - The GSS-API is independent of underlying protocols and addressing - structure, and depends on its callers to transport GSS-API-provided - data elements. As a result of these factors, it is a caller - responsibility to parse communicated messages, separating GSS-API- - related data elements from caller-provided data. The GSS-API is - independent of connection vs. connectionless orientation of the - underlying communications service. - - No correlation between security context and communications protocol - association is dictated. (The optional channel binding facility, - discussed in Section 1.1.6 of this document, represents an - intentional exception to this rule, supporting additional protection - features within GSS-API supporting mechanisms.) 
This separation - allows the GSS-API to be used in a wide range of communications - - - -Linn [Page 7] - -RFC 1508 Generic Security Interface September 1993 - - - environments, and also simplifies the calling sequences of the - individual calls. In many cases (depending on underlying security - protocol, associated mechanism, and availability of cached - information), the state information required for context setup can be - sent concurrently with initial signed user data, without interposing - additional message exchanges. - -1.1.4. Mechanism Types - - In order to successfully establish a security context with a target - peer, it is necessary to identify an appropriate underlying mechanism - type (mech_type) which both initiator and target peers support. The - definition of a mechanism embodies not only the use of a particular - cryptographic technology (or a hybrid or choice among alternative - cryptographic technologies), but also definition of the syntax and - semantics of data element exchanges which that mechanism will employ - in order to support security services. - - It is recommended that callers initiating contexts specify the - "default" mech_type value, allowing system-specific functions within - or invoked by the GSS-API implementation to select the appropriate - mech_type, but callers may direct that a particular mech_type be - employed when necessary. 
- - The means for identifying a shared mech_type to establish a security - context with a peer will vary in different environments and - circumstances; examples include (but are not limited to): - - use of a fixed mech_type, defined by configuration, within an - environment - - syntactic convention on a target-specific basis, through - examination of a target's name - - lookup of a target's name in a naming service or other database in - order to identify mech_types supported by that target - - explicit negotiation between GSS-API callers in advance of - security context setup - - When transferred between GSS-API peers, mech_type specifiers (per - Appendix B, represented as Object Identifiers (OIDs)) serve to - qualify the interpretation of associated tokens. (The structure and - encoding of Object Identifiers is defined in ISO/IEC 8824, - "Specification of Abstract Syntax Notation One (ASN.1)" and in - ISO/IEC 8825, "Specification of Basic Encoding Rules for Abstract - Syntax Notation One (ASN.1)".) Use of hierarchically structured OIDs - serves to preclude ambiguous interpretation of mech_type specifiers. - - - -Linn [Page 8] - -RFC 1508 Generic Security Interface September 1993 - - - The OID representing the DASS MechType, for example, is - 1.3.12.2.1011.7.5. - -1.1.5. Naming - - The GSS-API avoids prescription of naming structures, treating the - names transferred across the interface in order to initiate and - accept security contexts as opaque octet string quantities. This - approach supports the GSS-API's goal of implementability atop a range - of underlying security mechanisms, recognizing the fact that - different mechanisms process and authenticate names which are - presented in different forms. 
Generalized services offering - translation functions among arbitrary sets of naming environments are - outside the scope of the GSS-API; availability and use of local - conversion functions to translate among the naming formats supported - within a given end system is anticipated. - - Two distinct classes of name representations are used in conjunction - with different GSS-API parameters: - - a printable form (denoted by OCTET STRING), for acceptance from - and presentation to users; printable name forms are accompanied by - OID tags identifying the namespace to which they correspond - - an internal form (denoted by INTERNAL NAME), opaque to callers and - defined by individual GSS-API implementations; GSS-API - implementations supporting multiple namespace types are - responsible for maintaining internal tags to disambiguate the - interpretation of particular names - - Tagging of printable names allows GSS-API callers and underlying - GSS-API mechanisms to disambiguate name types and to determine - whether an associated name's type is one which they are capable of - processing, avoiding aliasing problems which could result from - misinterpreting a name of one type as a name of another type. - - In addition to providing means for names to be tagged with types, - this specification defines primitives to support a level of naming - environment independence for certain calling applications. To provide - basic services oriented towards the requirements of callers which - need not themselves interpret the internal syntax and semantics of - names, GSS-API calls for name comparison (GSS_Compare_name()), - human-readable display (GSS_Display_name()), input conversion - (GSS_Import_name()), and internal name deallocation - (GSS_Release_name()) functions are defined. 
(It is anticipated that - these proposed GSS-API calls will be implemented in many end systems - based on system-specific name manipulation primitives already extant - within those end systems; inclusion within the GSS-API is intended to - - - -Linn [Page 9] - -RFC 1508 Generic Security Interface September 1993 - - - offer GSS-API callers a portable means to perform specific - operations, supportive of authorization and audit requirements, on - authenticated names.) - - GSS_Import_name() implementations can, where appropriate, support - more than one printable syntax corresponding to a given namespace - (e.g., alternative printable representations for X.500 Distinguished - Names), allowing flexibility for their callers to select among - alternative representations. GSS_Display_name() implementations - output a printable syntax selected as appropriate to their - operational environments; this selection is a local matter. Callers - desiring portability across alternative printable syntaxes should - refrain from implementing comparisons based on printable name forms - and should instead use the GSS_Compare_name() call to determine - whether or not one internal-format name matches another. - -1.1.6. Channel Bindings - - The GSS-API accommodates the concept of caller-provided channel - binding ("chan_binding") information, used by GSS-API callers to bind - the establishment of a security context to relevant characteristics - (e.g., addresses, transformed representations of encryption keys) of - the underlying communications channel and of protection mechanisms - applied to that communications channel. Verification by one peer of - chan_binding information provided by the other peer to a context - serves to protect against various active attacks. The caller - initiating a security context must determine the chan_binding values - before making the GSS_Init_sec_context() call, and consistent values - must be provided by both peers to a context. 
Callers should not - assume that underlying mechanisms provide confidentiality protection - for channel binding information. - - Use or non-use of the GSS-API channel binding facility is a caller - option, and GSS-API supporting mechanisms can support operation in an - environment where NULL channel bindings are presented. When non-NULL - channel bindings are used, certain mechanisms will offer enhanced - security value by interpreting the bindings' content (rather than - simply representing those bindings, or signatures computed on them, - within tokens) and will therefore depend on presentation of specific - data in a defined format. To this end, agreements among mechanism - implementors are defining conventional interpretations for the - contents of channel binding arguments, including address specifiers - (with content dependent on communications protocol environment) for - context initiators and acceptors. (These conventions are being - incorporated into related documents.) In order for GSS-API callers to - be portable across multiple mechanisms and achieve the full security - functionality available from each mechanism, it is strongly - recommended that GSS-API callers provide channel bindings consistent - - - -Linn [Page 10] - -RFC 1508 Generic Security Interface September 1993 - - - with these conventions and those of the networking environment in - which they operate. - -1.2. GSS-API Features and Issues - - This section describes aspects of GSS-API operations, of the security - services which the GSS-API provides, and provides commentary on - design issues. - -1.2.1. Status Reporting - - Each GSS-API call provides two status return values. Major_status - values provide a mechanism-independent indication of call status - (e.g., GSS_COMPLETE, GSS_FAILURE, GSS_CONTINUE_NEEDED), sufficient to - drive normal control flow within the caller in a generic fashion. - Table 1 summarizes the defined major_status return codes in tabular - fashion. 
- - Table 1: GSS-API Major Status Codes - - FATAL ERROR CODES - - GSS_BAD_BINDINGS channel binding mismatch - GSS_BAD_MECH unsupported mechanism requested - GSS_BAD_NAME invalid name provided - GSS_BAD_NAMETYPE name of unsupported type provided - GSS_BAD_STATUS invalid input status selector - GSS_BAD_SIG token had invalid signature - GSS_CONTEXT_EXPIRED specified security context expired - GSS_CREDENTIALS_EXPIRED expired credentials detected - GSS_DEFECTIVE_CREDENTIAL defective credential detected - GSS_DEFECTIVE_TOKEN defective token detected - GSS_FAILURE failure, unspecified at GSS-API - level - GSS_NO_CONTEXT no valid security context specified - GSS_NO_CRED no valid credentials provided - - INFORMATORY STATUS CODES - - GSS_COMPLETE normal completion - GSS_CONTINUE_NEEDED continuation call to routine - required - GSS_DUPLICATE_TOKEN duplicate per-message token - detected - GSS_OLD_TOKEN timed-out per-message token - detected - GSS_UNSEQ_TOKEN out-of-order per-message token - detected - - - -Linn [Page 11] - -RFC 1508 Generic Security Interface September 1993 - - - Minor_status provides more detailed status information which may - include status codes specific to the underlying security mechanism. - Minor_status values are not specified in this document. - - GSS_CONTINUE_NEEDED major_status returns, and optional message - outputs, are provided in GSS_Init_sec_context() and - GSS_Accept_sec_context() calls so that different mechanisms' - employment of different numbers of messages within their - authentication sequences need not be reflected in separate code paths - within calling applications. Instead, such cases are accomodated with - sequences of continuation calls to GSS_Init_sec_context() and - GSS_Accept_sec_context(). The same mechanism is used to encapsulate - mutual authentication within the GSS-API's context initiation calls. 
- - For mech_types which require interactions with third-party servers in - order to establish a security context, GSS-API context establishment - calls may block pending completion of such third-party interactions. - On the other hand, no GSS-API calls pend on serialized interactions - with GSS-API peer entities. As a result, local GSS-API status - returns cannot reflect unpredictable or asynchronous exceptions - occurring at remote peers, and reflection of such status information - is a caller responsibility outside the GSS-API. - -1.2.2. Per-Message Security Service Availability - - When a context is established, two flags are returned to indicate the - set of per-message protection security services which will be - available on the context: - - the integ_avail flag indicates whether per-message integrity and - data origin authentication services are available - - the conf_avail flag indicates whether per-message confidentiality - services are available, and will never be returned TRUE unless the - integ_avail flag is also returned TRUE - - GSS-API callers desiring per-message security services should - check the values of these flags at context establishment time, and - must be aware that a returned FALSE value for integ_avail means - that invocation of GSS_Sign() or GSS_Seal() primitives on the - associated context will apply no cryptographic protection to user - data messages. - - The GSS-API per-message protection service primitives, as the - category name implies, are oriented to operation at the granularity - of protocol data units. They perform cryptographic operations on the - data units, transfer cryptographic control information in tokens, - and, in the case of GSS_Seal(), encapsulate the protected data unit. 
- - - -Linn [Page 12] - -RFC 1508 Generic Security Interface September 1993 - - - As such, these primitives are not oriented to efficient data - protection for stream-paradigm protocols (e.g., Telnet) if - cryptography must be applied on an octet-by-octet basis. - -1.2.3. Per-Message Replay Detection and Sequencing - - Certain underlying mech_types are expected to offer support for - replay detection and/or sequencing of messages transferred on the - contexts they support. These optionally-selectable protection - features are distinct from replay detection and sequencing features - applied to the context establishment operation itself; the presence - or absence of context-level replay or sequencing features is wholly a - function of the underlying mech_type's capabilities, and is not - selected or omitted as a caller option. - - The caller initiating a context provides flags (replay_det_req_flag - and sequence_req_flag) to specify whether the use of per-message - replay detection and sequencing features is desired on the context - being established. The GSS-API implementation at the initiator system - can determine whether these features are supported (and whether they - are optionally selectable) as a function of mech_type, without need - for bilateral negotiation with the target. When enabled, these - features provide recipients with indicators as a result of GSS-API - processing of incoming messages, identifying whether those messages - were detected as duplicates or out-of-sequence. Detection of such - events does not prevent a suspect message from being provided to a - recipient; the appropriate course of action on a suspect message is a - matter of caller policy. 
- - The semantics of the replay detection and sequencing services applied - to received messages, as visible across the interface which the GSS- - API provides to its clients, are as follows: - - When replay_det_state is TRUE, the possible major_status returns for - well-formed and correctly signed messages are as follows: - - 1. GSS_COMPLETE indicates that the message was within the window - (of time or sequence space) allowing replay events to be detected, - and that the message was not a replay of a previously-processed - message within that window. - - 2. GSS_DUPLICATE_TOKEN indicates that the signature on the - received message was correct, but that the message was recognized - as a duplicate of a previously-processed message. - - 3. GSS_OLD_TOKEN indicates that the signature on the received - message was correct, but that the message is too old to be checked - for duplication. - - - -Linn [Page 13] - -RFC 1508 Generic Security Interface September 1993 - - - When sequence_state is TRUE, the possible major_status returns for - well-formed and correctly signed messages are as follows: - - 1. GSS_COMPLETE indicates that the message was within the window - (of time or sequence space) allowing replay events to be detected, - and that the message was not a replay of a previously-processed - message within that window. - - 2. GSS_DUPLICATE_TOKEN indicates that the signature on the - received message was correct, but that the message was recognized - as a duplicate of a previously-processed message. - - 3. GSS_OLD_TOKEN indicates that the signature on the received - message was correct, but that the token is too old to be checked - for duplication. - - 4. GSS_UNSEQ_TOKEN indicates that the signature on the received - message was correct, but that it is earlier in a sequenced stream - than a message already processed on the context. 
[Note: - Mechanisms can be architected to provide a stricter form of - sequencing service, delivering particular messages to recipients - only after all predecessor messages in an ordered stream have been - delivered. This type of support is incompatible with the GSS-API - paradigm in which recipients receive all messages, whether in - order or not, and provide them (one at a time, without intra-GSS- - API message buffering) to GSS-API routines for validation. GSS- - API facilities provide supportive functions, aiding clients to - achieve strict message stream integrity in an efficient manner in - conjunction with sequencing provisions in communications - protocols, but the GSS-API does not offer this level of message - stream integrity service by itself.] - - As the message stream integrity features (especially sequencing) may - interfere with certain applications' intended communications - paradigms, and since support for such features is likely to be - resource intensive, it is highly recommended that mech_types - supporting these features allow them to be activated selectively on - initiator request when a context is established. A context initiator - and target are provided with corresponding indicators - (replay_det_state and sequence_state), signifying whether these - features are active on a given context. - - An example mech_type supporting per-message replay detection could - (when replay_det_state is TRUE) implement the feature as follows: The - underlying mechanism would insert timestamps in data elements output - by GSS_Sign() and GSS_Seal(), and would maintain (within a time- - limited window) a cache (qualified by originator-recipient pair) - identifying received data elements processed by GSS_Verify() and - - - -Linn [Page 14] - -RFC 1508 Generic Security Interface September 1993 - - - GSS_Unseal(). 
When this feature is active, exception status returns - (GSS_DUPLICATE_TOKEN, GSS_ OLD_TOKEN) will be provided when - GSS_Verify() or GSS_Unseal() is presented with a message which is - either a detected duplicate of a prior message or which is too old to - validate against a cache of recently received messages. - -1.2.4. Quality of Protection - - Some mech_types will provide their users with fine granularity - control over the means used to provide per-message protection, - allowing callers to trade off security processing overhead - dynamically against the protection requirements of particular - messages. A per-message quality-of-protection parameter (analogous to - quality-of-service, or QOS) selects among different QOP options - supported by that mechanism. On context establishment for a multi-QOP - mech_type, context-level data provides the prerequisite data for a - range of protection qualities. - - It is expected that the majority of callers will not wish to exert - explicit mechanism-specific QOP control and will therefore request - selection of a default QOP. Definitions of, and choices among, non- - default QOP values are mechanism-specific, and no ordered sequences - of QOP values can be assumed equivalent across different mechanisms. - Meaningful use of non-default QOP values demands that callers be - familiar with the QOP definitions of an underlying mechanism or - mechanisms, and is therefore a non-portable construct. - -2. Interface Descriptions - - This section describes the GSS-API's service interface, dividing the - set of calls offered into four groups. Credential management calls - are related to the acquisition and release of credentials by - principals. Context-level calls are related to the management of - security contexts between principals. Per-message calls are related - to the protection of individual messages on established security - contexts. Support calls provide ancillary functions useful to GSS-API - callers. 
Table 2 groups and summarizes the calls in tabular fashion. - - - - - - - - - - - - - - -Linn [Page 15] - -RFC 1508 Generic Security Interface September 1993 - - - Table 2: GSS-API Calls - - CREDENTIAL MANAGEMENT - - GSS_Acquire_cred acquire credentials for use - GSS_Release_cred release credentials after use - GSS_Inquire_cred display information about - credentials - - CONTEXT-LEVEL CALLS - - GSS_Init_sec_context initiate outbound security context - GSS_Accept_sec_context accept inbound security context - GSS_Delete_sec_context flush context when no longer needed - GSS_Process_context_token process received control token on - context - GSS_Context_time indicate validity time remaining on - context - - PER-MESSAGE CALLS - - GSS_Sign apply signature, receive as token - separate from message - GSS_Verify validate signature token along with - message - GSS_Seal sign, optionally encrypt, - encapsulate - GSS_Unseal decapsulate, decrypt if needed, - validate signature - - SUPPORT CALLS - - GSS_Display_status translate status codes to printable - form - GSS_Indicate_mechs indicate mech_types supported on - local system - GSS_Compare_name compare two names for equality - GSS_Display_name translate name to printable form - GSS_Import_name convert printable name to - normalized form - GSS_Release_name free storage of normalized-form - name - GSS_Release_buffer free storage of printable name - GSS_Release_oid_set free storage of OID set object - - - - - - - -Linn [Page 16] - -RFC 1508 Generic Security Interface September 1993 - - -2.1. Credential management calls - - These GSS-API calls provide functions related to the management of - credentials. Their characterization with regard to whether or not - they may block pending exchanges with other network entities (e.g., - directories or authentication servers) depends in part on OS-specific - (extra-GSS-API) issues, so is not specified in this document. 
- - The GSS_Acquire_cred() call is defined within the GSS-API in support - of application portability, with a particular orientation towards - support of portable server applications. It is recognized that (for - certain systems and mechanisms) credentials for interactive users may - be managed differently from credentials for server processes; in such - environments, it is the GSS-API implementation's responsibility to - distinguish these cases and the procedures for making this - distinction are a local matter. The GSS_Release_cred() call provides - a means for callers to indicate to the GSS-API that use of a - credentials structure is no longer required. The GSS_Inquire_cred() - call allows callers to determine information about a credentials - structure. - -2.1.1. GSS_Acquire_cred call - - Inputs: - - o desired_name INTERNAL NAME, -NULL requests locally-determined - default - - o lifetime_req INTEGER,-in seconds; 0 requests default - - o desired_mechs SET OF OBJECT IDENTIFIER,-empty set requests - system-selected default - - o cred_usage INTEGER-0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY, - 2=ACCEPT-ONLY - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o output_cred_handle OCTET STRING, - - o actual_mechs SET OF OBJECT IDENTIFIER, - - o lifetime_rec INTEGER -in seconds, or reserved value for - INDEFINITE - - - -Linn [Page 17] - -RFC 1508 Generic Security Interface September 1993 - - - Return major_status codes: - - o GSS_COMPLETE indicates that requested credentials were - successfully established, for the duration indicated in - lifetime_rec, suitable for the usage requested in cred_usage, for - the set of mech_types indicated in actual_mechs, and that those - credentials can be referenced for subsequent use with the handle - returned in output_cred_handle. - - o GSS_BAD_MECH indicates that a mech_type unsupported by the GSS-API - implementation type was requested, causing the credential - establishment operation to fail. 
- - o GSS_BAD_NAMETYPE indicates that the provided desired_name is - uninterpretable or of a type unsupported by the supporting GSS-API - implementation, so no credentials could be established for the - accompanying desired_name. - - o GSS_BAD_NAME indicates that the provided desired_name is - inconsistent in terms of internally-incorporated type specifier - information, so no credentials could be established for the - accompanying desired_name. - - o GSS_FAILURE indicates that credential establishment failed for - reasons unspecified at the GSS-API level, including lack of - authorization to establish and use credentials associated with the - identity named in the input desired_name argument. - - GSS_Acquire_cred() is used to acquire credentials so that a - principal can (as a function of the input cred_usage parameter) - initiate and/or accept security contexts under the identity - represented by the desired_name input argument. On successful - completion, the returned output_cred_handle result provides a handle - for subsequent references to the acquired credentials. Typically, - single-user client processes using only default credentials for - context establishment purposes will have no need to invoke this call. - - A caller may provide the value NULL for desired_name, signifying a - request for credentials corresponding to a default principal - identity. The procedures used by GSS-API implementations to select - the appropriate principal identity in response to this form of - request are local matters. It is possible that multiple pre- - established credentials may exist for the same principal identity - (for example, as a result of multiple user login sessions) when - GSS_Acquire_cred() is called; the means used in such cases to select - a specific credential are local matters. 
The input lifetime_req - argument to GSS_Acquire_cred() may provide useful information for - local GSS-API implementations to employ in making this disambiguation - - - -Linn [Page 18] - -RFC 1508 Generic Security Interface September 1993 - - - in a manner which will best satisfy a caller's intent. - - The lifetime_rec result indicates the length of time for which the - acquired credentials will be valid, as an offset from the present. A - mechanism may return a reserved value indicating INDEFINITE if no - constraints on credential lifetime are imposed. A caller of - GSS_Acquire_cred() can request a length of time for which acquired - credentials are to be valid (lifetime_req argument), beginning at the - present, or can request credentials with a default validity interval. - (Requests for postdated credentials are not supported within the - GSS-API.) Certain mechanisms and implementations may bind in - credential validity period specifiers at a point preliminary to - invocation of the GSS_Acquire_cred() call (e.g., in conjunction with - user login procedures). As a result, callers requesting non-default - values for lifetime_req must recognize that such requests cannot - always be honored and must be prepared to accommodate the use of - returned credentials with different lifetimes as indicated in - lifetime_rec. - - The caller of GSS_Acquire_cred() can explicitly specify a set of - mech_types which are to be accommodated in the returned credentials - (desired_mechs argument), or can request credentials for a system- - defined default set of mech_types. Selection of the system-specified - default set is recommended in the interests of application - portability. The actual_mechs return value may be interrogated by the - caller to determine the set of mechanisms with which the returned - credentials may be used. - -2.1.2. 
GSS_Release_cred call - - Input: - - o cred_handle OCTET STRING-NULL specifies default credentials - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER - - Return major_status codes: - - o GSS_COMPLETE indicates that the credentials referenced by the - input cred_handle were released for purposes of subsequent access - by the caller. The effect on other processes which may be - authorized shared access to such credentials is a local matter. - - - - - -Linn [Page 19] - -RFC 1508 Generic Security Interface September 1993 - - - o GSS_NO_CRED indicates that no release operation was performed, - either because the input cred_handle was invalid or because the - caller lacks authorization to access the referenced credentials. - - o GSS_FAILURE indicates that the release operation failed for - reasons unspecified at the GSS-API level. - - Provides a means for a caller to explicitly request that credentials - be released when their use is no longer required. Note that system- - specific credential management functions are also likely to exist, - for example to assure that credentials shared among processes are - properly deleted when all affected processes terminate, even if no - explicit release requests are issued by those processes. Given the - fact that multiple callers are not precluded from gaining authorized - access to the same credentials, invocation of GSS_Release_cred() - cannot be assumed to delete a particular set of credentials on a - system-wide basis. - -2.1.3. 
GSS_Inquire_cred call - - Input: - - o cred_handle OCTET STRING -NULL specifies default credentials - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o cred_name INTERNAL NAME, - - o lifetime_rec INTEGER -in seconds, or reserved value for - INDEFINITE - - o cred_usage INTEGER, -0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY, - 2=ACCEPT-ONLY - - o mech_set SET OF OBJECT IDENTIFIER - - Return major_status codes: - - o GSS_COMPLETE indicates that the credentials referenced by the - input cred_handle argument were valid, and that the output - cred_name, lifetime_rec, and cred_usage values represent, - respectively, the credentials' associated principal name, - remaining lifetime, suitable usage modes, and supported - mechanism types. - - - -Linn [Page 20] - -RFC 1508 Generic Security Interface September 1993 - - - o GSS_NO_CRED indicates that no information could be returned - about the referenced credentials, either because the input - cred_handle was invalid or because the caller lacks - authorization to access the referenced credentials. - - o GSS_FAILURE indicates that the release operation failed for - reasons unspecified at the GSS-API level. - - The GSS_Inquire_cred() call is defined primarily for the use of - those callers which make use of default credentials rather than - acquiring credentials explicitly with GSS_Acquire_cred(). It enables - callers to determine a credential structure's associated principal - name, remaining validity period, usability for security context - initiation and/or acceptance, and supported mechanisms. - -2.2. Context-level calls - - This group of calls is devoted to the establishment and management of - security contexts between peers. A context's initiator calls - GSS_Init_sec_context(), resulting in generation of a token which the - caller passes to the target. At the target, that token is passed to - GSS_Accept_sec_context(). 
Depending on the underlying mech_type and - specified options, additional token exchanges may be performed in the - course of context establishment; such exchanges are accommodated by - GSS_CONTINUE_NEEDED status returns from GSS_Init_sec_context() and - GSS_Accept_sec_context(). Either party to an established context may - invoke GSS_Delete_sec_context() to flush context information when a - context is no longer required. GSS_Process_context_token() is used - to process received tokens carrying context-level control - information. GSS_Context_time() allows a caller to determine the - length of time for which an established context will remain valid. - -2.2.1. GSS_Init_sec_context call - - Inputs: - - o claimant_cred_handle OCTET STRING, -NULL specifies "use - default" - - o input_context_handle INTEGER, -0 specifies "none assigned - yet" - - o targ_name INTERNAL NAME, - - o mech_type OBJECT IDENTIFIER, -NULL parameter specifies "use - default" - - o deleg_req_flag BOOLEAN, - - - -Linn [Page 21] - -RFC 1508 Generic Security Interface September 1993 - - - o mutual_req_flag BOOLEAN, - - o replay_det_req_flag BOOLEAN, - - o sequence_req_flag BOOLEAN, - - o lifetime_req INTEGER,-0 specifies default lifetime - - o chan_bindings OCTET STRING, - - o input_token OCTET STRING-NULL or token received from target - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o output_context_handle INTEGER, - - o mech_type OBJECT IDENTIFIER, -actual mechanism always - indicated, never NULL - - o output_token OCTET STRING, -NULL or token to pass to context - target - - o deleg_state BOOLEAN, - - o mutual_state BOOLEAN, - - o replay_det_state BOOLEAN, - - o sequence_state BOOLEAN, - - o conf_avail BOOLEAN, - - o integ_avail BOOLEAN, - - o lifetime_rec INTEGER - in seconds, or reserved value for - INDEFINITE - - This call may block pending network interactions for those mech_types - in which an authentication server or other network entity must be - consulted on behalf 
of a context initiator in order to generate an - output_token suitable for presentation to a specified target. - - Return major_status codes: - - - - -Linn [Page 22] - -RFC 1508 Generic Security Interface September 1993 - - - o GSS_COMPLETE indicates that context-level information was - successfully initialized, and that the returned output_token will - provide sufficient information for the target to perform per- - message processing on the newly-established context. - - o GSS_CONTINUE_NEEDED indicates that control information in the - returned output_token must be sent to the target, and that a reply - must be received and passed as the input_token argument to a - continuation call to GSS_Init_sec_context(), before per-message - processing can be performed in conjunction with this context. - - o GSS_DEFECTIVE_TOKEN indicates that consistency checks performed on - the input_token failed, preventing further processing from being - performed based on that token. - - o GSS_DEFECTIVE_CREDENTIAL indicates that consistency checks - performed on the credential structure referenced by - claimant_cred_handle failed, preventing further processing from - being performed using that credential structure. - - o GSS_BAD_SIG indicates that the received input_token contains an - incorrect signature, so context setup cannot be accomplished. - - o GSS_NO_CRED indicates that no context was established, either - because the input cred_handle was invalid, because the referenced - credentials are valid for context acceptor use only, or because - the caller lacks authorization to access the referenced - credentials. - - o GSS_CREDENTIALS_EXPIRED indicates that the credentials provided - through the input claimant_cred_handle argument are no longer - valid, so context establishment cannot be completed. 
- - o GSS_BAD_BINDINGS indicates that a mismatch between the caller- - provided chan_bindings and those extracted from the input_token - was detected, signifying a security-relevant event and preventing - context establishment. (This result will be returned by - GSS_Init_sec_context only for contexts where mutual_state is - TRUE.) - - o GSS_NO_CONTEXT indicates that no valid context was recognized for - the input context_handle provided; this major status will be - returned only for successor calls following GSS_CONTINUE_NEEDED - status returns. - - o GSS_BAD_NAMETYPE indicates that the provided targ_name is of a - type uninterpretable or unsupported by the supporting GSS-API - implementation, so context establishment cannot be completed. - - - -Linn [Page 23] - -RFC 1508 Generic Security Interface September 1993 - - - o GSS_BAD_NAME indicates that the provided targ_name is inconsistent - in terms of internally-incorporated type specifier information, so - context establishment cannot be accomplished. - - o GSS_FAILURE indicates that context setup could not be accomplished - for reasons unspecified at the GSS-API level, and that no - interface-defined recovery action is available. - - This routine is used by a context initiator, and ordinarily emits one - (or, for the case of a multi-step exchange, more than one) - output_token suitable for use by the target within the selected - mech_type's protocol. Using information in the credentials structure - referenced by claimant_cred_handle, GSS_Init_sec_context() - initializes the data structures required to establish a security - context with target targ_name. 
The claimant_cred_handle must - correspond to the same valid credentials structure on the initial - call to GSS_Init_sec_context() and on any successor calls resulting - from GSS_CONTINUE_NEEDED status returns; different protocol sequences - modeled by the GSS_CONTINUE_NEEDED mechanism will require access to - credentials at different points in the context establishment - sequence. - - The input_context_handle argument is 0, specifying "not yet - assigned", on the first GSS_Init_sec_context() call relating to a - given context. That call returns an output_context_handle for future - references to this context. When continuation attempts to - GSS_Init_sec_context() are needed to perform context establishment, - the previously-returned non-zero handle value is entered into the - input_context_handle argument and will be echoed in the returned - output_context_handle argument. On such continuation attempts (and - only on continuation attempts) the input_token value is used, to - provide the token returned from the context's target. - - The chan_bindings argument is used by the caller to provide - information binding the security context to security-related - characteristics (e.g., addresses, cryptographic keys) of the - underlying communications channel. See Section 1.1.6 of this document - for more discussion of this argument's usage. - - The input_token argument contains a message received from the target, - and is significant only on a call to GSS_Init_sec_context() which - follows a previous return indicating GSS_CONTINUE_NEEDED - major_status. - - It is the caller's responsibility to establish a communications path - to the target, and to transmit any returned output_token (independent - of the accompanying returned major_status value) to the target over - that path. 
The output_token can, however, be transmitted along with - - - -Linn [Page 24] - -RFC 1508 Generic Security Interface September 1993 - - - the first application-provided input message to be processed by - GSS_Sign() or GSS_Seal() in conjunction with a successfully- - established context. - - The initiator may request various context-level functions through - input flags: the deleg_req_flag requests delegation of access rights, - the mutual_req_flag requests mutual authentication, the - replay_det_req_flag requests that replay detection features be - applied to messages transferred on the established context, and the - sequence_req_flag requests that sequencing be enforced. (See Section - 1.2.3 for more information on replay detection and sequencing - features.) - - Not all of the optionally-requestable features will be available in - all underlying mech_types; the corresponding return state values - (deleg_state, mutual_state, replay_det_state, sequence_state) - indicate, as a function of mech_type processing capabilities and - initiator-provided input flags, the set of features which will be - active on the context. These state indicators' values are undefined - unless the routine's major_status indicates COMPLETE. Failure to - provide the precise set of features requested by the caller does not - cause context establishment to fail; it is the caller's prerogative - to delete the context if the feature set provided is unsuitable for - the caller's use. The returned mech_type value indicates the - specific mechanism employed on the context, and will never indicate - the value for "default". - - The conf_avail return value indicates whether the context supports - per-message confidentiality services, and so informs the caller - whether or not a request for encryption through the conf_req_flag - input to GSS_Seal() can be honored. 
In similar fashion, the - integ_avail return value indicates whether per-message integrity - services are available (through either GSS_Sign() or GSS_Seal()) on - the established context. - - The lifetime_req input specifies a desired upper bound for the - lifetime of the context to be established, with a value of 0 used to - request a default lifetime. The lifetime_rec return value indicates - the length of time for which the context will be valid, expressed as - an offset from the present; depending on mechanism capabilities, - credential lifetimes, and local policy, it may not correspond to the - value requested in lifetime_req. If no constraints on context - lifetime are imposed, this may be indicated by returning a reserved - value representing INDEFINITE lifetime_req. The values of conf_avail, - integ_avail, and lifetime_rec are undefined unless the routine's - major_status indicates COMPLETE. - - If the mutual_state is TRUE, this fact will be reflected within the - - - -Linn [Page 25] - -RFC 1508 Generic Security Interface September 1993 - - - output_token. A call to GSS_Accept_sec_context() at the target in - conjunction with such a context will return a token, to be processed - by a continuation call to GSS_Init_sec_context(), in order to achieve - mutual authentication. - -2.2.2. 
GSS_Accept_sec_context call - - Inputs: - - o acceptor_cred_handle OCTET STRING,-NULL specifies "use - default" - - o input_context_handle INTEGER, -0 specifies "not yet assigned" - - o chan_bindings OCTET STRING, - - o input_token OCTET STRING - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o src_name INTERNAL NAME, - - o mech_type OBJECT IDENTIFIER, - - o output_context_handle INTEGER, - - o deleg_state BOOLEAN, - - o mutual_state BOOLEAN, - - o replay_det_state BOOLEAN, - - o sequence_state BOOLEAN, - - o conf_avail BOOLEAN, - - o integ_avail BOOLEAN, - - o lifetime_rec INTEGER, - in seconds, or reserved value for - INDEFINITE - - o delegated_cred_handle OCTET STRING, - - o output_token OCTET STRING -NULL or token to pass to context - - - -Linn [Page 26] - -RFC 1508 Generic Security Interface September 1993 - - - initiator - - This call may block pending network interactions for those mech_types - in which a directory service or other network entity must be - consulted on behalf of a context acceptor in order to validate a - received input_token. - - Return major_status codes: - - o GSS_COMPLETE indicates that context-level data structures were - successfully initialized, and that per-message processing can now - be performed in conjunction with this context. - - o GSS_CONTINUE_NEEDED indicates that control information in the - returned output_token must be sent to the initiator, and that a - response must be received and passed as the input_token argument - to a continuation call to GSS_Accept_sec_context(), before per- - message processing can be performed in conjunction with this - context. - - o GSS_DEFECTIVE_TOKEN indicates that consistency checks performed on - the input_token failed, preventing further processing from being - performed based on that token. 
- - o GSS_DEFECTIVE_CREDENTIAL indicates that consistency checks - performed on the credential structure referenced by - acceptor_cred_handle failed, preventing further processing from - being performed using that credential structure. - - o GSS_BAD_SIG indicates that the received input_token contains an - incorrect signature, so context setup cannot be accomplished. - - o GSS_DUPLICATE_TOKEN indicates that the signature on the received - input_token was correct, but that the input_token was recognized - as a duplicate of an input_token already processed. No new context - is established. - - o GSS_OLD_TOKEN indicates that the signature on the received - input_token was correct, but that the input_token is too old to be - checked for duplication against previously-processed input_tokens. - No new context is established. - - o GSS_NO_CRED indicates that no context was established, either - because the input cred_handle was invalid, because the referenced - credentials are valid for context initiator use only, or because - the caller lacks authorization to access the referenced - credentials. - - - - -Linn [Page 27] - -RFC 1508 Generic Security Interface September 1993 - - - o GSS_CREDENTIALS_EXPIRED indicates that the credentials provided - through the input acceptor_cred_handle argument are no longer - valid, so context establishment cannot be completed. - - o GSS_BAD_BINDINGS indicates that a mismatch between the caller- - provided chan_bindings and those extracted from the input_token - was detected, signifying a security-relevant event and preventing - context establishment. - - o GSS_NO_CONTEXT indicates that no valid context was recognized for - the input context_handle provided; this major status will be - returned only for successor calls following GSS_CONTINUE_NEEDED - status returns. 
- - o GSS_FAILURE indicates that context setup could not be accomplished - for reasons unspecified at the GSS-API level, and that no - interface-defined recovery action is available. - - The GSS_Accept_sec_context() routine is used by a context target. - Using information in the credentials structure referenced by the - input acceptor_cred_handle, it verifies the incoming input_token and - (following the successful completion of a context establishment - sequence) returns the authenticated src_name and the mech_type used. - The acceptor_cred_handle must correspond to the same valid - credentials structure on the initial call to GSS_Accept_sec_context() - and on any successor calls resulting from GSS_CONTINUE_NEEDED status - returns; different protocol sequences modeled by the - GSS_CONTINUE_NEEDED mechanism will require access to credentials at - different points in the context establishment sequence. - - The input_context_handle argument is 0, specifying "not yet - assigned", on the first GSS_Accept_sec_context() call relating to a - given context. That call returns an output_context_handle for future - references to this context; when continuation attempts to - GSS_Accept_sec_context() are needed to perform context - establishment, that handle value will be entered into the - input_context_handle argument. - - The chan_bindings argument is used by the caller to provide - information binding the security context to security-related - characteristics (e.g., addresses, cryptographic keys) of the - underlying communications channel. See Section 1.1.6 of this document - for more discussion of this argument's usage. - - The returned state results (deleg_state, mutual_state, - replay_det_state, and sequence_state) reflect the same context state - values as returned to GSS_Init_sec_context()'s caller at the - initiator system. 
- - - -Linn [Page 28] - -RFC 1508 Generic Security Interface September 1993 - - - The conf_avail return value indicates whether the context supports - per-message confidentiality services, and so informs the caller - whether or not a request for encryption through the conf_req_flag - input to GSS_Seal() can be honored. In similar fashion, the - integ_avail return value indicates whether per-message integrity - services are available (through either GSS_Sign() or GSS_Seal()) on - the established context. - - The lifetime_rec return value indicates the length of time for which - the context will be valid, expressed as an offset from the present. - The values of deleg_state, mutual_state, replay_det_state, - sequence_state, conf_avail, integ_avail, and lifetime_rec are - undefined unless the accompanying major_status indicates COMPLETE. - - The delegated_cred_handle result is significant only when deleg_state - is TRUE, and provides a means for the target to reference the - delegated credentials. The output_token result, when non-NULL, - provides a context-level token to be returned to the context - initiator to continue a multi-step context establishment sequence. As - noted with GSS_Init_sec_context(), any returned token should be - transferred to the context's peer (in this case, the context - initiator), independent of the value of the accompanying returned - major_status. - - Note: A target must be able to distinguish a context-level - input_token, which is passed to GSS_Accept_sec_context(), from the - per-message data elements passed to GSS_Verify() or GSS_Unseal(). - These data elements may arrive in a single application message, and - GSS_Accept_sec_context() must be performed before per-message - processing can be performed successfully. - -2.2.3. 
GSS_Delete_sec_context call - - Input: - - o context_handle INTEGER - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o output_context_token OCTET STRING - - Return major_status codes: - - - - - -Linn [Page 29] - -RFC 1508 Generic Security Interface September 1993 - - - o GSS_COMPLETE indicates that the context was recognized, that - relevant context-specific information was flushed, and that the - returned output_context_token is ready for transfer to the - context's peer. - - o GSS_NO_CONTEXT indicates that no valid context was recognized for - the input context_handle provide, so no deletion was performed. - - o GSS_FAILURE indicates that the context is recognized, but that the - GSS_Delete_sec_context() operation could not be performed for - reasons unspecified at the GSS-API level. - - This call may block pending network interactions for mech_types in - which active notification must be made to a central server when a - security context is to be deleted. - - This call can be made by either peer in a security context, to flush - context-specific information and to return an output_context_token - which can be passed to the context's peer informing it that the - peer's corresponding context information can also be flushed. (Once a - context is established, the peers involved are expected to retain - cached credential and context-related information until the - information's expiration time is reached or until a - GSS_Delete_sec_context() call is made.) Attempts to perform per- - message processing on a deleted context will result in error returns. - -2.2.4. GSS_Process_context_token call - - Inputs: - - o context_handle INTEGER, - - o input_context_token OCTET STRING - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - Return major_status codes: - - o GSS_COMPLETE indicates that the input_context_token was - successfully processed in conjunction with the context referenced - by context_handle. 
- - o GSS_DEFECTIVE_TOKEN indicates that consistency checks performed on - the received context_token failed, preventing further processing - - - -Linn [Page 30] - -RFC 1508 Generic Security Interface September 1993 - - - from being performed with that token. - - o GSS_NO_CONTEXT indicates that no valid context was recognized for - the input context_handle provided. - - o GSS_FAILURE indicates that the context is recognized, but that the - GSS_Process_context_token() operation could not be performed for - reasons unspecified at the GSS-API level. - - This call is used to process context_tokens received from a peer once - a context has been established, with corresponding impact on - context-level state information. One use for this facility is - processing of the context_tokens generated by - GSS_Delete_sec_context(); GSS_Process_context_token() will not block - pending network interactions for that purpose. Another use is to - process tokens indicating remote-peer context establishment failures - after the point where the local GSS-API implementation has already - indicated GSS_COMPLETE status. - -2.2.5. GSS_Context_time call - - Input: - - o context_handle INTEGER, - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o lifetime_rec INTEGER - in seconds, or reserved value for - INDEFINITE - - Return major_status codes: - - o GSS_COMPLETE indicates that the referenced context is valid, and - will remain valid for the amount of time indicated in - lifetime_rec. - - o GSS_CONTEXT_EXPIRED indicates that data items related to the - referenced context have expired. - - o GSS_CREDENTIALS_EXPIRED indicates that the context is recognized, - but that its associated credentials have expired. - - o GSS_NO_CONTEXT indicates that no valid context was recognized for - the input context_handle provided. 
- - - -Linn [Page 31] - -RFC 1508 Generic Security Interface September 1993 - - - o GSS_FAILURE indicates that the requested operation failed for - reasons unspecified at the GSS-API level. - - This call is used to determine the amount of time for which a - currently established context will remain valid. - -2.3. Per-message calls - - This group of calls is used to perform per-message protection - processing on an established security context. None of these calls - block pending network interactions. These calls may be invoked by a - context's initiator or by the context's target. The four members of - this group should be considered as two pairs; the output from - GSS_Sign() is properly input to GSS_Verify(), and the output from - GSS_Seal() is properly input to GSS_Unseal(). - - GSS_Sign() and GSS_Verify() support data origin authentication and - data integrity services. When GSS_Sign() is invoked on an input - message, it yields a per-message token containing data items which - allow underlying mechanisms to provide the specified security - services. The original message, along with the generated per-message - token, is passed to the remote peer; these two data elements are - processed by GSS_Verify(), which validates the message in - conjunction with the separate token. - - GSS_Seal() and GSS_Unseal() support caller-requested confidentiality - in addition to the data origin authentication and data integrity - services offered by GSS_Sign() and GSS_Verify(). GSS_Seal() outputs - a single data element, encapsulating optionally enciphered user data - as well as associated token data items. The data element output from - GSS_Seal() is passed to the remote peer and processed by - GSS_Unseal() at that system. GSS_Unseal() combines decipherment (as - required) with validation of data items related to authentication and - integrity. - -2.3.1. 
GSS_Sign call - - Inputs: - - o context_handle INTEGER, - - o qop_req INTEGER,-0 specifies default QOP - - o message OCTET STRING - - Outputs: - - o major_status INTEGER, - - - -Linn [Page 32] - -RFC 1508 Generic Security Interface September 1993 - - - o minor_status INTEGER, - - o per_msg_token OCTET STRING - - Return major_status codes: - - o GSS_COMPLETE indicates that a signature, suitable for an - established security context, was successfully applied and that - the message and corresponding per_msg_token are ready for - transmission. - - o GSS_CONTEXT_EXPIRED indicates that context-related data items have - expired, so that the requested operation cannot be performed. - - o GSS_CREDENTIALS_EXPIRED indicates that the context is recognized, - but that its associated credentials have expired, so that the - requested operation cannot be performed. - - o GSS_NO_CONTEXT indicates that no valid context was recognized for - the input context_handle provided. - - o GSS_FAILURE indicates that the context is recognized, but that the - requested operation could not be performed for reasons unspecified - at the GSS-API level. - - Using the security context referenced by context_handle, apply a - signature to the input message (along with timestamps and/or other - data included in support of mech_type-specific mechanisms) and return - the result in per_msg_token. The qop_req parameter allows quality- - of-protection control. The caller passes the message and the - per_msg_token to the target. - - The GSS_Sign() function completes before the message and - per_msg_token is sent to the peer; successful application of - GSS_Sign() does not guarantee that a corresponding GSS_Verify() has - been (or can necessarily be) performed successfully when the message - arrives at the destination. - -2.3.2. 
GSS_Verify call - - Inputs: - - o context_handle INTEGER, - - o message OCTET STRING, - - o per_msg_token OCTET STRING - - - - -Linn [Page 33] - -RFC 1508 Generic Security Interface September 1993 - - - Outputs: - - o qop_state INTEGER, - - o major_status INTEGER, - - o minor_status INTEGER, - - Return major_status codes: - - o GSS_COMPLETE indicates that the message was successfully verified. - - o GSS_DEFECTIVE_TOKEN indicates that consistency checks performed on - the received per_msg_token failed, preventing further processing - from being performed with that token. - - o GSS_BAD_SIG indicates that the received per_msg_token contains an - incorrect signature for the message. - - o GSS_DUPLICATE_TOKEN, GSS_OLD_TOKEN, and GSS_UNSEQ_TOKEN values - appear in conjunction with the optional per-message replay - detection features described in Section 1.2.3; their semantics are - described in that section. - - o GSS_CONTEXT_EXPIRED indicates that context-related data items have - expired, so that the requested operation cannot be performed. - - o GSS_CREDENTIALS_EXPIRED indicates that the context is recognized, - but that its associated credentials have expired, so that the - requested operation cannot be performed. - - o GSS_NO_CONTEXT indicates that no valid context was recognized for - the input context_handle provided. - - o GSS_FAILURE indicates that the context is recognized, but that the - GSS_Verify() operation could not be performed for reasons - unspecified at the GSS-API level. - - Using the security context referenced by context_handle, verify that - the input per_msg_token contains an appropriate signature for the - input message, and apply any active replay detection or sequencing - features. Return an indication of the quality-of-protection applied - to the processed message in the qop_state result. - - - - - - - - -Linn [Page 34] - -RFC 1508 Generic Security Interface September 1993 - - -2.3.3. 
GSS_Seal call - - Inputs: - - o context_handle INTEGER, - - o conf_req_flag BOOLEAN, - - o qop_req INTEGER,-0 specifies default QOP - - o input_message OCTET STRING - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o conf_state BOOLEAN, - - o output_message OCTET STRING - - Return major_status codes: - - o GSS_COMPLETE indicates that the input_message was successfully - processed and that the output_message is ready for transmission. - - o GSS_CONTEXT_EXPIRED indicates that context-related data items have - expired, so that the requested operation cannot be performed. - - o GSS_CREDENTIALS_EXPIRED indicates that the context is recognized, - but that its associated credentials have expired, so that the - requested operation cannot be performed. - - o GSS_NO_CONTEXT indicates that no valid context was recognized for - the input context_handle provided. - - o GSS_FAILURE indicates that the context is recognized, but that the - GSS_Seal() operation could not be performed for reasons - unspecified at the GSS-API level. - - Performs the data origin authentication and data integrity functions - of GSS_Sign(). If the input conf_req_flag is TRUE, requests that - confidentiality be applied to the input_message. Confidentiality may - not be supported in all mech_types or by all implementations; the - returned conf_state flag indicates whether confidentiality was - provided for the input_message. The qop_req parameter allows - quality-of-protection control. - - - -Linn [Page 35] - -RFC 1508 Generic Security Interface September 1993 - - - In all cases, the GSS_Seal() call yields a single output_message - data element containing (optionally enciphered) user data as well as - control information. - -2.3.4. 
GSS_Unseal call - - Inputs: - - o context_handle INTEGER, - - o input_message OCTET STRING - - Outputs: - - o conf_state BOOLEAN, - - o qop_state INTEGER, - - o major_status INTEGER, - - o minor_status INTEGER, - - o output_message OCTET STRING - - Return major_status codes: - - o GSS_COMPLETE indicates that the input_message was successfully - processed and that the resulting output_message is available. - - o GSS_DEFECTIVE_TOKEN indicates that consistency checks performed on - the per_msg_token extracted from the input_message failed, - preventing further processing from being performed. - - o GSS_BAD_SIG indicates that an incorrect signature was detected for - the message. - - o GSS_DUPLICATE_TOKEN, GSS_OLD_TOKEN, and GSS_UNSEQ_TOKEN values - appear in conjunction with the optional per-message replay - detection features described in Section 1.2.3; their semantics are - described in that section. - - o GSS_CONTEXT_EXPIRED indicates that context-related data items have - expired, so that the requested operation cannot be performed. - - o GSS_CREDENTIALS_EXPIRED indicates that the context is recognized, - but that its associated credentials have expired, so that the - requested operation cannot be performed. - - - - -Linn [Page 36] - -RFC 1508 Generic Security Interface September 1993 - - - o GSS_NO_CONTEXT indicates that no valid context was recognized for - the input context_handle provided. - - o GSS_FAILURE indicates that the context is recognized, but that the - GSS_Unseal() operation could not be performed for reasons - unspecified at the GSS-API level. - - Processes a data element generated (and optionally enciphered) by - GSS_Seal(), provided as input_message. The returned conf_state value - indicates whether confidentiality was applied to the input_message. - If conf_state is TRUE, GSS_Unseal() deciphers the input_message. - Returns an indication of the quality-of-protection applied to the - processed message in the qop_state result. 
GSS_Seal() performs the - data integrity and data origin authentication checking functions of - GSS_Verify() on the plaintext data. Plaintext data is returned in - output_message. - -2.4. Support calls - - This group of calls provides support functions useful to GSS-API - callers, independent of the state of established contexts. Their - characterization with regard to blocking or non-blocking status in - terms of network interactions is unspecified. - -2.4.1. GSS_Display_status call - - Inputs: - - o status_value INTEGER,-GSS-API major_status or minor_status - return value - - o status_type INTEGER,-1 if major_status, 2 if minor_status - - o mech_type OBJECT IDENTIFIER-mech_type to be used for minor_ - status translation - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o status_string_set SET OF OCTET STRING - - Return major_status codes: - - o GSS_COMPLETE indicates that a valid printable status - representation (possibly representing more than one status event - - - -Linn [Page 37] - -RFC 1508 Generic Security Interface September 1993 - - - encoded within the status_value) is available in the returned - status_string_set. - - o GSS_BAD_MECH indicates that translation in accordance with an - unsupported mech_type was requested, so translation could not be - performed. - - o GSS_BAD_STATUS indicates that the input status_value was invalid, - or that the input status_type carried a value other than 1 or 2, - so translation could not be performed. - - o GSS_FAILURE indicates that the requested operation could not be - performed for reasons unspecified at the GSS-API level. - - Provides a means for callers to translate GSS-API-returned major and - minor status codes into printable string representations. - -2.4.2. 
GSS_Indicate_mechs call - - Input: - - o (none) - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o mech_set SET OF OBJECT IDENTIFIER - - Return major_status codes: - - o GSS_COMPLETE indicates that a set of available mechanisms has - been returned in mech_set. - - o GSS_FAILURE indicates that the requested operation could not - be performed for reasons unspecified at the GSS-API level. - - Allows callers to determine the set of mechanism types available on - the local system. This call is intended for support of specialized - callers who need to request non-default mech_type sets from - GSS_Acquire_cred(), and should not be needed by other callers. - -2.4.3. GSS_Compare_name call - - Inputs: - - - - -Linn [Page 38] - -RFC 1508 Generic Security Interface September 1993 - - - o name1 INTERNAL NAME, - - o name2 INTERNAL NAME - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o name_equal BOOLEAN - - Return major_status codes: - - o GSS_COMPLETE indicates that name1 and name2 were comparable, and - that the name_equal result indicates whether name1 and name2 were - equal or unequal. - - o GSS_BAD_NAMETYPE indicates that one or both of name1 and name2 - contained internal type specifiers uninterpretable by the - supporting GSS-API implementation, or that the two names' types - are different and incomparable, so the equality comparison could - not be completed. - - o GSS_BAD_NAME indicates that one or both of the input names was - ill-formed in terms of its internal type specifier, so the - equality comparison could not be completed. - - o GSS_FAILURE indicates that the requested operation could not be - performed for reasons unspecified at the GSS-API level. - - Allows callers to compare two internal name representations for - equality. - -2.4.4. 
GSS_Display_name call - - Inputs: - - o name INTERNAL NAME - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o name_string OCTET STRING, - - - - -Linn [Page 39] - -RFC 1508 Generic Security Interface September 1993 - - - o name_type OBJECT IDENTIFIER - - Return major_status codes: - - o GSS_COMPLETE indicates that a valid printable name representation - is available in the returned name_string. - - o GSS_BAD_NAMETYPE indicates that the provided name was of a type - uninterpretable by the supporting GSS-API implementation, so no - printable representation could be generated. - - o GSS_BAD_NAME indicates that the contents of the provided name were - inconsistent with the internally-indicated name type, so no - printable representation could be generated. - - o GSS_FAILURE indicates that the requested operation could not be - performed for reasons unspecified at the GSS-API level. - - Allows callers to translate an internal name representation into a - printable form with associated namespace type descriptor. The syntax - of the printable form is a local matter. - -2.4.5. GSS_Import_name call - - Inputs: - - o input_name_string OCTET STRING, - - o input_name_type OBJECT IDENTIFIER - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o output_name INTERNAL NAME - - Return major_status codes: - - o GSS_COMPLETE indicates that a valid name representation is output - in output_name and described by the type value in - output_name_type. - - o GSS_BAD_NAMETYPE indicates that the input_name_type is unsupported - by the GSS-API implementation, so the import operation could not - be completed. - - - - -Linn [Page 40] - -RFC 1508 Generic Security Interface September 1993 - - - o GSS_BAD_NAME indicates that the provided input_name_string is - ill-formed in terms of the input_name_type, so the import - operation could not be completed. 
- - o GSS_FAILURE indicates that the requested operation could not be - performed for reasons unspecified at the GSS-API level. - - Allows callers to provide a printable name representation, designate - the type of namespace in conjunction with which it should be parsed, - and convert that printable representation to an internal form - suitable for input to other GSS-API routines. The syntax of the - input_name is a local matter. - -2.4.6. GSS_Release_name call - - Inputs: - - o name INTERNAL NAME - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER - - Return major_status codes: - - o GSS_COMPLETE indicates that the storage associated with the input - name was successfully released. - - o GSS_BAD_NAME indicates that the input name argument did not - contain a valid name. - - o GSS_FAILURE indicates that the requested operation could not be - performed for reasons unspecified at the GSS-API level. - - Allows callers to release the storage associated with an internal - name representation. - -2.4.7. GSS_Release_buffer call - - Inputs: - - o buffer OCTET STRING - - Outputs: - - o major_status INTEGER, - - - -Linn [Page 41] - -RFC 1508 Generic Security Interface September 1993 - - - o minor_status INTEGER - - Return major_status codes: - - o GSS_COMPLETE indicates that the storage associated with the input - buffer was successfully released. - - o GSS_FAILURE indicates that the requested operation could not be - performed for reasons unspecified at the GSS-API level. - - Allows callers to release the storage associated with an OCTET STRING - buffer allocated by another GSS-API call. - -2.4.8. GSS_Release_oid_set call - - Inputs: - - o buffer SET OF OBJECT IDENTIFIER - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER - - Return major_status codes: - - o GSS_COMPLETE indicates that the storage associated with the input - object identifier set was successfully released. 
- - o GSS_FAILURE indicates that the requested operation could not be - performed for reasons unspecified at the GSS-API level. - - Allows callers to release the storage associated with an object - identifier set object allocated by another GSS-API call. - -3. Mechanism-Specific Example Scenarios - - This section provides illustrative overviews of the use of various - candidate mechanism types to support the GSS-API. These discussions - are intended primarily for readers familiar with specific security - technologies, demonstrating how GSS-API functions can be used and - implemented by candidate underlying mechanisms. They should not be - regarded as constrictive to implementations or as defining the only - means through which GSS-API functions can be realized with a - particular underlying technology, and do not demonstrate all GSS-API - features with each technology. - - - - -Linn [Page 42] - -RFC 1508 Generic Security Interface September 1993 - - -3.1. Kerberos V5, single-TGT - - OS-specific login functions yield a TGT to the local realm Kerberos - server; TGT is placed in a credentials structure for the client. - Client calls GSS_Acquire_cred() to acquire a cred_handle in order to - reference the credentials for use in establishing security contexts. - - Client calls GSS_Init_sec_context(). If the requested service is - located in a different realm, GSS_Init_sec_context() gets the - necessary TGT/key pairs needed to traverse the path from local to - target realm; these data are placed in the owner's TGT cache. After - any needed remote realm resolution, GSS_Init_sec_context() yields a - service ticket to the requested service with a corresponding session - key; these data are stored in conjunction with the context. GSS-API - code sends KRB_TGS_REQ request(s) and receives KRB_TGS_REP - response(s) (in the successful case) or KRB_ERROR. - - Assuming success, GSS_Init_sec_context() builds a Kerberos-formatted - KRB_AP_REQ message, and returns it in output_token. 
The client sends - the output_token to the service. - - The service passes the received token as the input_token argument to - GSS_Accept_sec_context(), which verifies the authenticator, provides - the service with the client's authenticated name, and returns an - output_context_handle. - - Both parties now hold the session key associated with the service - ticket, and can use this key in subsequent GSS_Sign(), GSS_Verify(), - GSS_Seal(), and GSS_Unseal() operations. - -3.2. Kerberos V5, double-TGT - - TGT acquisition as above. - - Note: To avoid unnecessary frequent invocations of error paths when - implementing the GSS-API atop Kerberos V5, it seems appropriate to - represent "single-TGT K-V5" and "double-TGT K-V5" with separate - mech_types, and this discussion makes that assumption. - - Based on the (specified or defaulted) mech_type, - GSS_Init_sec_context() determines that the double-TGT protocol - should be employed for the specified target. GSS_Init_sec_context() - returns GSS_CONTINUE_NEEDED major_status, and its returned - output_token contains a request to the service for the service's TGT. - (If a service TGT with suitably long remaining lifetime already - exists in a cache, it may be usable, obviating the need for this - step.) The client passes the output_token to the service. Note: this - scenario illustrates a different use for the GSS_CONTINUE_NEEDED - - - -Linn [Page 43] - -RFC 1508 Generic Security Interface September 1993 - - - status return facility than for support of mutual authentication; - note that both uses can coexist as successive operations within a - single context establishment operation. - - The service passes the received token as the input_token argument to - GSS_Accept_sec_context(), which recognizes it as a request for TGT. - (Note that current Kerberos V5 defines no intra-protocol mechanism to - represent such a request.) 
GSS_Accept_sec_context() returns - GSS_CONTINUE_NEEDED major_status and provides the service's TGT in - its output_token. The service sends the output_token to the client. - - The client passes the received token as the input_token argument to a - continuation of GSS_Init_sec_context(). GSS_Init_sec_context() caches - the received service TGT and uses it as part of a service ticket - request to the Kerberos authentication server, storing the returned - service ticket and session key in conjunction with the context. - GSS_Init_sec_context() builds a Kerberos-formatted authenticator, - and returns it in output_token along with GSS_COMPLETE return - major_status. The client sends the output_token to the service. - - Service passes the received token as the input_token argument to a - continuation call to GSS_Accept_sec_context(). - GSS_Accept_sec_context() verifies the authenticator, provides the - service with the client's authenticated name, and returns - major_status GSS_COMPLETE. - - GSS_Sign(), GSS_Verify(), GSS_Seal(), and GSS_Unseal() as above. - -3.3. X.509 Authentication Framework - - This example illustrates use of the GSS-API in conjunction with - public-key mechanisms, consistent with the X.509 Directory - Authentication Framework. - - The GSS_Acquire_cred() call establishes a credentials structure, - making the client's private key accessible for use on behalf of the - client. - - The client calls GSS_Init_sec_context(), which interrogates the - Directory to acquire (and validate) a chain of public-key - certificates, thereby collecting the public key of the service. The - certificate validation operation determines that suitable signatures - were applied by trusted authorities and that those certificates have - not expired. GSS_Init_sec_context() generates a secret key for use - in per-message protection operations on the context, and enciphers - that secret key under the service's public key. 
- - The enciphered secret key, along with an authenticator quantity - - - -Linn [Page 44] - -RFC 1508 Generic Security Interface September 1993 - - - signed with the client's private key, is included in the output_token - from GSS_Init_sec_context(). The output_token also carries a - certification path, consisting of a certificate chain leading from - the service to the client; a variant approach would defer this path - resolution to be performed by the service instead of being asserted - by the client. The client application sends the output_token to the - service. - - The service passes the received token as the input_token argument to - GSS_Accept_sec_context(). GSS_Accept_sec_context() validates the - certification path, and as a result determines a certified binding - between the client's distinguished name and the client's public key. - Given that public key, GSS_Accept_sec_context() can process the - input_token's authenticator quantity and verify that the client's - private key was used to sign the input_token. At this point, the - client is authenticated to the service. The service uses its private - key to decipher the enciphered secret key provided to it for per- - message protection operations on the context. - - The client calls GSS_Sign() or GSS_Seal() on a data message, which - causes per-message authentication, integrity, and (optional) - confidentiality facilities to be applied to that message. The service - uses the context's shared secret key to perform corresponding - GSS_Verify() and GSS_Unseal() calls. - -4. 
Related Activities - - In order to implement the GSS-API atop existing, emerging, and future - security mechanisms: - - object identifiers must be assigned to candidate GSS-API - mechanisms and the name types which they support - - concrete data element formats must be defined for candidate - mechanisms - - Calling applications must implement formatting conventions which will - enable them to distinguish GSS-API tokens from other data carried in - their application protocols. - - Concrete language bindings are required for the programming - environments in which the GSS-API is to be employed; such bindings - for the C language are available in an associated RFC. - - - - - - - - -Linn [Page 45] - -RFC 1508 Generic Security Interface September 1993 - - -5. Acknowledgments - - This proposal is the result of a collaborative effort. - Acknowledgments are due to the many members of the IETF Security Area - Advisory Group (SAAG) and the Common Authentication Technology (CAT) - Working Group for their contributions at meetings and by electronic - mail. Acknowledgments are also due to Kannan Alagappan, Doug Barlow, - Bill Brown, Cliff Kahn, Charlie Kaufman, Butler Lampson, Richard - Pitkin, Joe Tardo, and John Wray of Digital Equipment Corporation, - and John Carr, John Kohl, Jon Rochlis, Jeff Schiller, and Ted T'so of - MIT and Project Athena. Joe Pato and Bill Sommerfeld of HP/Apollo, - Walt Tuvell of OSF, and Bill Griffith and Mike Merritt of AT&T, - provided inputs which helped to focus and clarify directions. - Precursor work by Richard Pitkin, presented to meetings of the - Trusted Systems Interoperability Group (TSIG), helped to demonstrate - the value of a generic, mechanism-independent security service API. - -6. Security Considerations - - Security issues are discussed throughout this memo. - -7. Author's Address - - John Linn - Geer Zolot Associates - One Main St. 
- Cambridge, MA 02142 USA - - Phone: +1 617.374.3700 - Email: Linn@gza.com - - - - - - - - - - - - - - - - - - - - - -Linn [Page 46] - -RFC 1508 Generic Security Interface September 1993 - - -APPENDIX A - -PACS AND AUTHORIZATION SERVICES - - Consideration has been given to modifying the GSS-API service - interface to recognize and manipulate Privilege Attribute - Certificates (PACs) as in ECMA 138, carrying authorization data as a - side effect of establishing a security context, but no such - modifications have been incorporated at this time. This appendix - provides rationale for this decision and discusses compatibility - alternatives between PACs and the GSS-API which do not require that - PACs be made visible to GSS-API callers. - - Existing candidate mechanism types such as Kerberos and X.509 do not - incorporate PAC manipulation features, and exclusion of such - mechanisms from the set of candidates equipped to fully support the - GSS-API seems inappropriate. Inclusion (and GSS-API visibility) of a - feature supported by only a limited number of mechanisms could - encourage the development of ostensibly portable applications which - would in fact have only limited portability. - - The status quo, in which PACs are not visible across the GSS-API - interface, does not preclude implementations in which PACs are - carried transparently, within the tokens defined and used for certain - mech_types, and stored within peers' credentials and context-level - data structures. While invisible to API callers, such PACs could be - used by operating system or other local functions as inputs in the - course of mediating access requests made by callers. This course of - action allows dynamic selection of PAC contents, if such selection is - administratively-directed rather than caller-directed. - - In a distributed computing environment, authentication must span - different systems; the need for such authentication provides - motivation for GSS-API definition and usage. 
Heterogeneous systems in - a network can intercommunicate, with globally authenticated names - comprising the common bond between locally defined access control - policies. Access control policies to which authentication provides - inputs are often local, or specific to particular operating systems - or environments. If the GSS-API made particular authorization models - visible across its service interface, its scope of application would - become less general. The current GSS-API paradigm is consistent with - the precedent set by Kerberos, neither defining the interpretation of - authorization-related data nor enforcing access controls based on - such data. - - The GSS-API is a general interface, whose callers may reside inside - or outside any defined TCB or NTCB boundaries. Given this - characteristic, it appears more realistic to provide facilities which - - - -Linn [Page 47] - -RFC 1508 Generic Security Interface September 1993 - - - provide "value-added" security services to its callers than to offer - facilities which enforce restrictions on those callers. Authorization - decisions must often be mediated below the GSS-API level in a local - manner against (or in spite of) applications, and cannot be - selectively invoked or omitted at those applications' discretion. - Given that the GSS-API's placement prevents it from providing a - comprehensive solution to the authorization issue, the value of a - partial contribution specific to particular authorization models is - debatable. - -APPENDIX B - -MECHANISM-INDEPENDENT TOKEN FORMAT - - This appendix specifies a mechanism-independent level of - encapsulating representation for the initial token of a GSS-API - context establishment sequence, incorporating an identifier of the - mechanism type to be used on that context. 
Use of this format (with - ASN.1-encoded data elements represented in BER, constrained in the - interests of parsing simplicity to the Distinguished Encoding Rule - (DER) BER subset defined in X.509, clause 8.7) is recommended to the - designers of GSS-API implementations based on various mechanisms, so - that tokens can be interpreted unambiguously at GSS-API peers. There - is no requirement that the mechanism-specific innerContextToken, - innerMsgToken, and sealedUserData data elements be encoded in ASN.1 - BER. - - -- optional top-level token definitions to - -- frame different mechanisms - - GSS-API DEFINITIONS ::= - - BEGIN - - MechType ::= OBJECT IDENTIFIER - -- data structure definitions - - -- callers must be able to distinguish among - -- InitialContextToken, SubsequentContextToken, - -- PerMsgToken, and SealedMessage data elements - -- based on the usage in which they occur - - InitialContextToken ::= - -- option indication (delegation, etc.) indicated within - -- mechanism-specific token - [APPLICATION 0] IMPLICIT SEQUENCE { - thisMech MechType, - innerContextToken ANY DEFINED BY thisMech - - - -Linn [Page 48] - -RFC 1508 Generic Security Interface September 1993 - - - -- contents mechanism-specific - } - - SubsequentContextToken ::= innerContextToken ANY - -- interpretation based on predecessor InitialContextToken - - PerMsgToken ::= - -- as emitted by GSS_Sign and processed by GSS_Verify - innerMsgToken ANY - - SealedMessage ::= - -- as emitted by GSS_Seal and processed by GSS_Unseal - -- includes internal, mechanism-defined indicator - -- of whether or not encrypted - sealedUserData ANY - - END - -APPENDIX C - -MECHANISM DESIGN CONSTRAINTS - - The following constraints on GSS-API mechanism designs are adopted in - response to observed caller protocol requirements, and adherence - thereto is anticipated in subsequent descriptions of GSS-API - mechanisms to be documented in standards-track Internet - specifications. 
-
- Use of the approach defined in Appendix B of this specification,
- applying a mechanism type tag to the InitialContextToken, is
- required.
-
- It is strongly recommended that mechanisms offering per-message
- protection services also offer at least one of the replay detection
- and sequencing services, as mechanisms offering neither of the latter
- will fail to satisfy recognized requirements of certain candidate
- caller protocols.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Linn [Page 49]
-
\ No newline at end of file
diff --git a/crypto/heimdal-0.6.3/doc/standardisation/rfc1509.txt b/crypto/heimdal-0.6.3/doc/standardisation/rfc1509.txt
deleted file mode 100644
index f36cd80e6d..0000000000
--- a/crypto/heimdal-0.6.3/doc/standardisation/rfc1509.txt
+++ /dev/null
@@ -1,2691 +0,0 @@
-
-
-
-
-
-
-Network Working Group J. Wray
-Request for Comments: 1509 Digital Equipment Corporation
- September 1993
-
-
- Generic Security Service API : C-bindings
-
-Status of this Memo
-
- This RFC specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" for the standardization state and status
- of this protocol. Distribution of this memo is unlimited.
-
-Abstract
-
- This document specifies C language bindings for the Generic Security
- Service Application Program Interface (GSS-API), which is described
- at a language-independent conceptual level in other documents.
-
- The Generic Security Service Application Programming Interface (GSS-
- API) provides security services to its callers, and is intended for
- implementation atop alternative underlying cryptographic mechanisms.
- Typically, GSS-API callers will be application protocols into which
- security enhancements are integrated through invocation of services
- provided by the GSS-API. The GSS-API allows a caller application to
- authenticate a principal identity associated with a peer application,
- to delegate rights to a peer, and to apply security services such as
- confidentiality and integrity on a per-message basis.
-
-1. INTRODUCTION
-
- The Generic Security Service Application Programming Interface [1]
- provides security services to calling applications. It allows a
- communicating application to authenticate the user associated with
- another application, to delegate rights to another application, and
- to apply security services such as confidentiality and integrity on a
- per-message basis.
-
- There are four stages to using the GSSAPI:
-
- (a) The application acquires a set of credentials with which it may
- prove its identity to other processes.
The application's - credentials vouch for its global identity, which may or may not - be related to the local username under which it is running. - - - - - -Wray [Page 1] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - (b) A pair of communicating applications establish a joint security - context using their credentials. The security context is a - pair of GSSAPI data structures that contain shared state - information, which is required in order that per-message - security services may be provided. As part of the - establishment of a security context, the context initiator is - authenticated to the responder, and may require that the - responder is authenticated in turn. The initiator may - optionally give the responder the right to initiate further - security contexts. This transfer of rights is termed - delegation, and is achieved by creating a set of credentials, - similar to those used by the originating application, but which - may be used by the responder. To establish and maintain the - shared information that makes up the security context, certain - GSSAPI calls will return a token data structure, which is a - cryptographically protected opaque data type. The caller of - such a GSSAPI routine is responsible for transferring the token - to the peer application, which should then pass it to a - corresponding GSSAPI routine which will decode it and extract - the information. - - (c) Per-message services are invoked to apply either: - - (i) integrity and data origin authentication, or - - (ii) confidentiality, integrity and data origin authentication - to application data, which are treated by GSSAPI as - arbitrary octet-strings. The application transmitting a - message that it wishes to protect will call the appropriate - GSSAPI routine (sign or seal) to apply protection, specifying - the appropriate security context, and send the result to the - receiving application. 
The receiver will pass the received - data to the corresponding decoding routine (verify or unseal) - to remove the protection and validate the data. - - (d) At the completion of a communications session (which may extend - across several connections), the peer applications call GSSAPI - routines to delete the security context. Multiple contexts may - also be used (either successively or simultaneously) within a - single communications association. - -2. GSSAPI Routines - - This section lists the functions performed by each of the GSSAPI - routines and discusses their major parameters, describing how they - are to be passed to the routines. The routines are listed in figure - 4-1. - - - - -Wray [Page 2] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - Figure 4-1 GSSAPI Routines - - - Routine Function - - gss_acquire_cred Assume a global identity - - gss_release_cred Discard credentials - - gss_init_sec_context Initiate a security context - with a peer application - - gss_accept_sec_context Accept a security context - initiated by a peer - application - - gss_process_context_token Process a token on a security - context from a peer - application - - gss_delete_sec_context Discard a security context - - gss_context_time Determine for how long a - context will remain valid - - gss_sign Sign a message; integrity - service - - gss_verify Check signature on a message - - gss_seal Sign (optionally encrypt) a - message; confidentiality - service - - gss_unseal Verify (optionally decrypt) - message - - gss_display_status Convert an API status code - to text - - gss_indicate_mechs Determine underlying - authentication mechanism - - gss_compare_name Compare two internal-form - names - - gss_display_name Convert opaque name to text - - - - -Wray [Page 3] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - gss_import_name Convert a textual name to - internal-form - - gss_release_name Discard an internal-form - name - - gss_release_buffer Discard a 
buffer - - gss_release_oid_set Discard a set of object - identifiers - - gss_inquire_cred Determine information about - a credential - - Individual GSSAPI implementations may augment these routines by - providing additional mechanism-specific routines if required - functionality is not available from the generic forms. Applications - are encouraged to use the generic routines wherever possible on - portability grounds. - -2.1. Data Types and Calling Conventions - - The following conventions are used by the GSSAPI: - -2.1.1. Structured data types - - Wherever these GSSAPI C-bindings describe structured data, only - fields that must be provided by all GSSAPI implementation are - documented. Individual implementations may provide additional - fields, either for internal use within GSSAPI routines, or for use by - non-portable applications. - -2.1.2. Integer types - - GSSAPI defines the following integer data type: - - OM_uint32 32-bit unsigned integer - - Where guaranteed minimum bit-count is important, this portable data - type is used by the GSSAPI routine definitions. Individual GSSAPI - implementations will include appropriate typedef definitions to map - this type onto a built-in data type. - -2.1.3. String and similar data - - Many of the GSSAPI routines take arguments and return values that - describe contiguous multiple-byte data. All such data is passed - between the GSSAPI and the caller using the gss_buffer_t data type. - - - -Wray [Page 4] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - This data type is a pointer to a buffer descriptor, which consists of - a length field that contains the total number of bytes in the datum, - and a value field which contains a pointer to the actual datum: - - typedef struct gss_buffer_desc_struct { - size_t length; - void *value; - } gss_buffer_desc, *gss_buffer_t; - - Storage for data passed to the application by a GSSAPI routine using - the gss_buffer_t conventions is allocated by the GSSAPI routine. 
The - application may free this storage by invoking the gss_release_buffer - routine. Allocation of the gss_buffer_desc object is always the - responsibility of the application; Unused gss_buffer_desc objects - may be initialized to the value GSS_C_EMPTY_BUFFER. - -2.1.3.1. Opaque data types - - Certain multiple-word data items are considered opaque data types at - the GSSAPI, because their internal structure has no significance - either to the GSSAPI or to the caller. Examples of such opaque data - types are the input_token parameter to gss_init_sec_context (which is - opaque to the caller), and the input_message parameter to gss_seal - (which is opaque to the GSSAPI). Opaque data is passed between the - GSSAPI and the application using the gss_buffer_t datatype. - -2.1.3.2. Character strings - - Certain multiple-word data items may be regarded as simple ISO - Latin-1 character strings. An example of this is the - input_name_buffer parameter to gss_import_name. Some GSSAPI routines - also return character strings. Character strings are passed between - the application and the GSSAPI using the gss_buffer_t datatype, - defined earlier. - -2.1.4. Object Identifiers - - Certain GSSAPI procedures take parameters of the type gss_OID, or - Object identifier. This is a type containing ISO-defined tree- - structured values, and is used by the GSSAPI caller to select an - underlying security mechanism. A value of type gss_OID has the - following structure: - - typedef struct gss_OID_desc_struct { - OM_uint32 length; - void *elements; - } gss_OID_desc, *gss_OID; - - - - -Wray [Page 5] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - The elements field of this structure points to the first byte of an - octet string containing the ASN.1 BER encoding of the value of the - gss_OID. The length field contains the number of bytes in this - value. 
For example, the gss_OID value corresponding to {iso(1) - identified- oganization(3) icd-ecma(12) member-company(2) dec(1011) - cryptoAlgorithms(7) SPX(5)} meaning SPX (Digital's X.509 - authentication mechanism) has a length field of 7 and an elements - field pointing to seven octets containing the following octal values: - 53,14,2,207,163,7,5. GSSAPI implementations should provide constant - gss_OID values to allow callers to request any supported mechanism, - although applications are encouraged on portability grounds to accept - the default mechanism. gss_OID values should also be provided to - allow applications to specify particular name types (see section - 2.1.10). Applications should treat gss_OID_desc values returned by - GSSAPI routines as read-only. In particular, the application should - not attempt to deallocate them. The gss_OID_desc datatype is - equivalent to the X/Open OM_object_identifier datatype [2]. - -2.1.5. Object Identifier Sets - - Certain GSSAPI procedures take parameters of the type gss_OID_set. - This type represents one or more object identifiers (section 2.1.4). - A gss_OID_set object has the following structure: - - typedef struct gss_OID_set_desc_struct { - int count; - gss_OID elements; - } gss_OID_set_desc, *gss_OID_set; - - The count field contains the number of OIDs within the set. The - elements field is a pointer to an array of gss_OID_desc objects, each - of which describes a single OID. gss_OID_set values are used to name - the available mechanisms supported by the GSSAPI, to request the use - of specific mechanisms, and to indicate which mechanisms a given - credential supports. Storage associated with gss_OID_set values - returned to the application by the GSSAPI may be deallocated by the - gss_release_oid_set routine. - -2.1.6. Credentials - - A credential handle is a caller-opaque atomic datum that identifies a - GSSAPI credential data structure. 
It is represented by the caller- - opaque type gss_cred_id_t, which may be implemented as either an - arithmetic or a pointer type. Credentials describe a principal, and - they give their holder the ability to act as that principal. The - GSSAPI does not make the actual credentials available to - applications; instead the credential handle is used to identify a - particular credential, held internally by GSSAPI or underlying - - - -Wray [Page 6] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - mechanism. Thus the credential handle contains no security-relavent - information, and requires no special protection by the application. - Depending on the implementation, a given credential handle may refer - to different credentials when presented to the GSSAPI by different - callers. Individual GSSAPI implementations should define both the - scope of a credential handle and the scope of a credential itself - (which must be at least as wide as that of a handle). Possibilities - for credential handle scope include the process that acquired the - handle, the acquiring process and its children, or all processes - sharing some local identification information (e.g., UID). If no - handles exist by which a given credential may be reached, the GSSAPI - may delete the credential. - - Certain routines allow credential handle parameters to be omitted to - indicate the use of a default credential. The mechanism by which a - default credential is established and its scope should be defined by - the individual GSSAPI implementation. - -2.1.7. Contexts - - The gss_ctx_id_t data type contains a caller-opaque atomic value that - identifies one end of a GSSAPI security context. It may be - implemented as either an arithmetic or a pointer type. Depending on - the implementation, a given gss_ctx_id_t value may refer to different - GSSAPI security contexts when presented to the GSSAPI by different - callers. 
The security context holds state information about each end - of a peer communication, including cryptographic state information. - Individual GSSAPI implementations should define the scope of a - context. Since no way is provided by which a new gss_ctx_id_t value - may be obtained for an existing context, the scope of a context - should be the same as the scope of a gss_ctx_id_t. - -2.1.8. Authentication tokens - - A token is a caller-opaque type that GSSAPI uses to maintain - synchronization between the context data structures at each end of a - GSSAPI security context. The token is a cryptographically protected - bit-string, generated by the underlying mechanism at one end of a - GSSAPI security context for use by the peer mechanism at the other - end. Encapsulation (if required) and transfer of the token are the - responsibility of the peer applications. A token is passed between - the GSSAPI and the application using the gss_buffer_t conventions. - -2.1.9. Status values - - One or more status codes are returned by each GSSAPI routine. Two - distinct sorts of status codes are returned. These are termed GSS - status codes and Mechanism status codes. - - - -Wray [Page 7] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - -2.1.9.1. GSS status codes - - GSSAPI routines return GSS status codes as their OM_uint32 function - value. These codes indicate errors that are independent of the - underlying mechanism used to provide the security service. The - errors that can be indicated via a GSS status code are either generic - API routine errors (errors that are defined in the GSSAPI - specification) or calling errors (errors that are specific to these - bindings). - - A GSS status code can indicate a single fatal generic API error from - the routine and a single calling error. In addition, supplementary - status information may be indicated via the setting of bits in the - supplementary info field of a GSS status code. 
-
- These errors are encoded into the 32-bit GSS status code as follows:
-
- MSB LSB
- |------------------------------------------------------------|
- | Calling Error | Routine Error | Supplementary Info |
- |------------------------------------------------------------|
- Bit 31 24 23 16 15 0
-
- Hence if a GSSAPI routine returns a GSS status code whose upper 16
- bits contain a non-zero value, the call failed. If the calling error
- field is non-zero, the invoking application's call of the routine was
- erroneous. Calling errors are defined in table 5-1. If the routine
- error field is non-zero, the routine failed for one of the routine-
- specific reasons listed below in table 5-2. Whether or not the upper
- 16 bits indicate a failure or a success, the routine may indicate
- additional information by setting bits in the supplementary info
- field of the status code. The meaning of individual bits is listed
- below in table 5-3.
-
- Table 5-1 Calling Errors
-
- Name Value in Meaning
- Field
- GSS_S_CALL_INACCESSIBLE_READ 1 A required input
- parameter could
- not be read.
- GSS_S_CALL_INACCESSIBLE_WRITE 2 A required output
- parameter could
- not be written.
- GSS_S_CALL_BAD_STRUCTURE 3 A parameter was - malformed - - - - - -Wray [Page 8] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - Table 5-2 Routine Errors - - Name Value in Meaning - Field - - GSS_S_BAD_MECH 1 An unsupported mechanism was - requested - GSS_S_BAD_NAME 2 An invalid name was supplied - GSS_S_BAD_NAMETYPE 3 A supplied name was of an - unsupported type - GSS_S_BAD_BINDINGS 4 Incorrect channel bindings - were supplied - GSS_S_BAD_STATUS 5 An invalid status code was - supplied - - GSS_S_BAD_SIG 6 A token had an invalid - signature - GSS_S_NO_CRED 7 No credentials were supplied - GSS_S_NO_CONTEXT 8 No context has been - established - GSS_S_DEFECTIVE_TOKEN 9 A token was invalid - GSS_S_DEFECTIVE_CREDENTIAL 10 A credential was invalid - GSS_S_CREDENTIALS_EXPIRED 11 The referenced credentials - have expired - GSS_S_CONTEXT_EXPIRED 12 The context has expired - GSS_S_FAILURE 13 Miscellaneous failure - (see text) - - Table 5-3 Supplementary Status Bits - - Name Bit Number Meaning - GSS_S_CONTINUE_NEEDED 0 (LSB) The routine must be called - again to complete its - function. - See routine documentation for - detailed description. - GSS_S_DUPLICATE_TOKEN 1 The token was a duplicate of - an earlier token - GSS_S_OLD_TOKEN 2 The token's validity period - has expired - GSS_S_UNSEQ_TOKEN 3 A later token has already been - processed - - The routine documentation also uses the name GSS_S_COMPLETE, which is - a zero value, to indicate an absence of any API errors or - supplementary information bits. - - - - - -Wray [Page 9] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - All GSS_S_xxx symbols equate to complete OM_uint32 status codes, - rather than to bitfield values. For example, the actual value of the - symbol GSS_S_BAD_NAMETYPE (value 3 in the routine error field) is 3 - << 16. 
-
- The macros GSS_CALLING_ERROR(), GSS_ROUTINE_ERROR() and
- GSS_SUPPLEMENTARY_INFO() are provided, each of which takes a GSS
- status code and removes all but the relevant field. For example, the
- value obtained by applying GSS_ROUTINE_ERROR to a status code removes
- the calling errors and supplementary info fields, leaving only the
- routine errors field. The values delivered by these macros may be
- directly compared with a GSS_S_xxx symbol of the appropriate type.
- The macro GSS_ERROR() is also provided, which when applied to a GSS
- status code returns a non-zero value if the status code indicated a
- calling or routine error, and a zero value otherwise.
-
- A GSSAPI implementation may choose to signal calling errors in a
- platform-specific manner instead of, or in addition to the routine
- value; routine errors and supplementary info should be returned via
- routine status values only.
-
-2.1.9.2. Mechanism-specific status codes
-
- GSSAPI routines return a minor_status parameter, which is used to
- indicate specialized errors from the underlying security mechanism.
- This parameter may contain a single mechanism-specific error,
- indicated by a OM_uint32 value.
-
- The minor_status parameter will always be set by a GSSAPI routine,
- even if it returns a calling error or one of the generic API errors
- indicated above as fatal, although other output parameters may remain
- unset in such cases. However, output parameters that are expected to
- return pointers to storage allocated by a routine must always set set
- by the routine, even in the event of an error, although in such cases
- the GSSAPI routine may elect to set the returned parameter value to
- NULL to indicate that no storage was actually allocated. Any length
- field associated with such pointers (as in a gss_buffer_desc
- structure) should also be set to zero in such cases.
- - The GSS status code GSS_S_FAILURE is used to indicate that the - underlying mechanism detected an error for which no specific GSS - status code is defined. The mechanism status code will provide more - details about the error. - -2.1.10. Names - - A name is used to identify a person or entity. GSSAPI authenticates - the relationship between a name and the entity claiming the name. - - - -Wray [Page 10] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - Two distinct representations are defined for names: - - (a) A printable form, for presentation to a user - - (b) An internal form, for presentation at the API - - The syntax of a printable name is defined by the GSSAPI - implementation, and may be dependent on local system configuration, - or on individual user preference. The internal form provides a - canonical representation of the name that is independent of - configuration. - - A given GSSAPI implementation may support names drawn from multiple - namespaces. In such an implementation, the internal form of the name - must include fields that identify the namespace from which the name - is drawn. The namespace from which a printable name is drawn is - specified by an accompanying object identifier. - - Routines (gss_import_name and gss_display_name) are provided to - convert names between their printable representations and the - gss_name_t type. gss_import_name may support multiple syntaxes for - each supported namespace, allowing users the freedom to choose a - preferred name representation. gss_display_name should use an - implementation-chosen preferred syntax for each supported name-type. - - Comparison of internal-form names is accomplished via the - gss_compare_names routine. This removes the need for the application - program to understand the syntaxes of the various printable names - that a given GSSAPI implementation may support. - - Storage is allocated by routines that return gss_name_t values. 
A - procedure, gss_release_name, is provided to free storage associated - with a name. - -2.1.11. Channel Bindings - - GSSAPI supports the use of user-specified tags to identify a given - context to the peer application. These tags are used to identify the - particular communications channel that carries the context. Channel - bindings are communicated to the GSSAPI using the following - structure: - - - - - - - - - - -Wray [Page 11] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - typedef struct gss_channel_bindings_struct { - OM_uint32 initiator_addrtype; - gss_buffer_desc initiator_address; - OM_uint32 acceptor_addrtype; - gss_buffer_desc acceptor_address; - gss_buffer_desc application_data; - } *gss_channel_bindings_t; - - The initiator_addrtype and acceptor_addrtype fields denote the type - of addresses contained in the initiator_address and acceptor_address - buffers. The address type should be one of the following: - - GSS_C_AF_UNSPEC Unspecified address type - GSS_C_AF_LOCAL Host-local address type - GSS_C_AF_INET DARPA Internet address type - GSS_C_AF_IMPLINK ARPAnet IMP address type (eg IP) - GSS_C_AF_PUP pup protocols (eg BSP) address type - GSS_C_AF_CHAOS MIT CHAOS protocol address type - GSS_C_AF_NS XEROX NS address type - GSS_C_AF_NBS nbs address type - GSS_C_AF_ECMA ECMA address type - GSS_C_AF_DATAKIT datakit protocols address type - GSS_C_AF_CCITT CCITT protocols (eg X.25) - GSS_C_AF_SNA IBM SNA address type - GSS_C_AF_DECnet DECnet address type - GSS_C_AF_DLI Direct data link interface address type - GSS_C_AF_LAT LAT address type - GSS_C_AF_HYLINK NSC Hyperchannel address type - GSS_C_AF_APPLETALK AppleTalk address type - GSS_C_AF_BSC BISYNC 2780/3780 address type - GSS_C_AF_DSS Distributed system services address type - GSS_C_AF_OSI OSI TP4 address type - GSS_C_AF_X25 X25 - GSS_C_AF_NULLADDR No address specified - - Note that these name address families rather than specific addressing - formats. 
For address families that contain several alternative - address forms, the initiator_address and acceptor_address fields must - contain sufficient information to determine which address form is - used. When not otherwise specified, addresses should be specified in - network byte-order. - - Conceptually, the GSSAPI concatenates the initiator_addrtype, - initiator_address, acceptor_addrtype, acceptor_address and - application_data to form an octet string. The mechanism signs this - octet string, and binds the signature to the context establishment - token emitted by gss_init_sec_context. The same bindings are - presented by the context acceptor to gss_accept_sec_context, and a - - - -Wray [Page 12] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - signature is calculated in the same way. The calculated signature is - compared with that found in the token, and if the signatures differ, - gss_accept_sec_context will return a GSS_S_BAD_BINDINGS error, and - the context will not be established. Some mechanisms may include the - actual channel binding data in the token (rather than just a - signature); applications should therefore not use confidential data - as channel-binding components. Individual mechanisms may impose - additional constraints on addresses and address types that may appear - in channel bindings. For example, a mechanism may verify that the - initiator_address field of the channel bindings presented to - gss_init_sec_context contains the correct network address of the host - system. - -2.1.12. Optional parameters - - Various parameters are described as optional. This means that they - follow a convention whereby a default value may be requested. The - following conventions are used for omitted parameters. These - conventions apply only to those parameters that are explicitly - documented as optional. - -2.1.12.1. gss_buffer_t types - - Specify GSS_C_NO_BUFFER as a value. 
For an input parameter this - signifies that default behavior is requested, while for an output - parameter it indicates that the information that would be returned - via the parameter is not required by the application. - -2.1.12.2. Integer types (input) - - Individual parameter documentation lists values to be used to - indicate default actions. - -2.1.12.3. Integer types (output) - - Specify NULL as the value for the pointer. - -2.1.12.4. Pointer types - - Specify NULL as the value. - -2.1.12.5. Object IDs - - Specify GSS_C_NULL_OID as the value. - -2.1.12.6. Object ID Sets - - Specify GSS_C_NULL_OID_SET as the value. - - - -Wray [Page 13] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - -2.1.12.7. Credentials - - Specify GSS_C_NO_CREDENTIAL to use the default credential handle. - -2.1.12.8. Channel Bindings - - Specify GSS_C_NO_CHANNEL_BINDINGS to indicate that channel bindings - are not to be used. - -3. GSSAPI routine descriptions - -2.1. gss_acquire_cred - - OM_uint32 gss_acquire_cred ( - OM_uint32 * minor_status, - gss_name_t desired_name, - OM_uint32 time_req, - gss_OID_set desired_mechs, - int cred_usage, - gss_cred_id_t * output_cred_handle, - gss_OID_set * actual_mechs, - OM_int32 * time_rec) - Purpose: - - Allows an application to acquire a handle for a pre-existing - credential by name. GSSAPI implementations must impose a local - access-control policy on callers of this routine to prevent - unauthorized callers from acquiring credentials to which they are not - entitled. This routine is not intended to provide a "login to the - network" function, as such a function would result in the creation of - new credentials rather than merely acquiring a handle to existing - credentials. Such functions, if required, should be defined in - implementation-specific extensions to the API. 
- - If credential acquisition is time-consuming for a mechanism, the - mechanism may chooses to delay the actual acquisition until the - credential is required (e.g., by gss_init_sec_context or - gss_accept_sec_context). Such mechanism-specific implementation - decisions should be invisible to the calling application; thus a call - of gss_inquire_cred immediately following the call of - gss_acquire_cred must return valid credential data, and may therefore - incur the overhead of a deferred credential acquisition. - - Parameters: - - desired_name gss_name_t, read - Name of principal whose credential - should be acquired - - - -Wray [Page 14] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - time_req integer, read - number of seconds that credentials - should remain valid - - desired_mechs Set of Object IDs, read - set of underlying security mechanisms that - may be used. GSS_C_NULL_OID_SET may be used - to obtain an implementation-specific default. - - cred_usage integer, read - GSS_C_BOTH - Credentials may be used - either to initiate or accept - security contexts. - GSS_C_INITIATE - Credentials will only be - used to initiate security - contexts. - GSS_C_ACCEPT - Credentials will only be used to - accept security contexts. - - output_cred_handle gss_cred_id_t, modify - The returned credential handle. - - actual_mechs Set of Object IDs, modify, optional - The set of mechanisms for which the - credential is valid. Specify NULL - if not required. - - time_rec Integer, modify, optional - Actual number of seconds for which the - returned credentials will remain valid. If the - implementation does not support expiration of - credentials, the value GSS_C_INDEFINITE will - be returned. Specify NULL if not required - - minor_status Integer, modify - Mechanism specific status code. 
- Function value: - - GSS status code: - - GSS_S_COMPLETE Successful completion - - GSS_S_BAD_MECH Unavailable mechanism requested - - GSS_S_BAD_NAMETYPE Type contained within desired_name parameter is - not supported - - GSS_S_BAD_NAME Value supplied for desired_name parameter is - - - -Wray [Page 15] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - ill-formed. - - GSS_S_FAILURE Unspecified failure. The minor_status parameter - contains more detailed information - -3.2. gss_release_cred - - OM_uint32 gss_release_cred ( - OM_uint32 * minor_status, - gss_cred_id_t * cred_handle) - - Purpose: - - Informs GSSAPI that the specified credential handle is no longer - required by the process. When all processes have released a - credential, it will be deleted. - - Parameters: - - cred_handle gss_cred_id_t, modify, optional - buffer containing opaque credential - handle. If GSS_C_NO_CREDENTIAL is supplied, - the default credential will be released - - minor_status integer, modify - Mechanism specific status code. - - Function value: - - GSS status code: - - GSS_S_COMPLETE Successful completion - - GSS_S_NO_CRED Credentials could not be accessed. - - - - - - - - - - - - - - - - - -Wray [Page 16] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - -3.3. gss_init_sec_context - - OM_uint32 gss_init_sec_context ( - OM_uint32 * minor_status, - gss_cred_id_t claimant_cred_handle, - gss_ctx_id_t * context_handle, - gss_name_t target_name, - gss_OID mech_type, - int req_flags, - int time_req, - gss_channel_bindings_t - input_chan_bindings, - gss_buffer_t input_token - gss_OID * actual_mech_type, - gss_buffer_t output_token, - int * ret_flags, - OM_uint32 * time_rec ) - - Purpose: - - Initiates the establishment of a security context between the - application and a remote peer. Initially, the input_token parameter - should be specified as GSS_C_NO_BUFFER. 
The routine may return a - output_token which should be transferred to the peer application, - where the peer application will present it to gss_accept_sec_context. - If no token need be sent, gss_init_sec_context will indicate this by - setting the length field of the output_token argument to zero. To - complete the context establishment, one or more reply tokens may be - required from the peer application; if so, gss_init_sec_context will - return a status indicating GSS_S_CONTINUE_NEEDED in which case it - should be called again when the reply token is received from the peer - application, passing the token to gss_init_sec_context via the - input_token parameters. - - The values returned via the ret_flags and time_rec parameters are not - defined unless the routine returns GSS_S_COMPLETE. - - Parameters: - - claimant_cred_handle gss_cred_id_t, read, optional - handle for credentials claimed. Supply - GSS_C_NO_CREDENTIAL to use default - credentials. - - context_handle gss_ctx_id_t, read/modify - context handle for new context. Supply - GSS_C_NO_CONTEXT for first call; use value - returned by first call in continuation calls. - - - -Wray [Page 17] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - target_name gss_name_t, read - Name of target - - mech_type OID, read, optional - Object ID of desired mechanism. Supply - GSS_C_NULL_OID to obtain an implementation - specific default - - req_flags bit-mask, read - Contains four independent flags, each of - which requests that the context support a - specific service option. Symbolic - names are provided for each flag, and the - symbolic names corresponding to the required - flags should be logically-ORed - together to form the bit-mask value. 
The - flags are: - - GSS_C_DELEG_FLAG - True - Delegate credentials to remote peer - False - Don't delegate - GSS_C_MUTUAL_FLAG - True - Request that remote peer - authenticate itself - False - Authenticate self to remote peer - only - GSS_C_REPLAY_FLAG - True - Enable replay detection for signed - or sealed messages - False - Don't attempt to detect - replayed messages - GSS_C_SEQUENCE_FLAG - True - Enable detection of out-of-sequence - signed or sealed messages - False - Don't attempt to detect - out-of-sequence messages - - time_req integer, read - Desired number of seconds for which context - should remain valid. Supply 0 to request a - default validity period. - - input_chan_bindings channel bindings, read - Application-specified bindings. Allows - application to securely bind channel - identification information to the security - context. - - - - -Wray [Page 18] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - input_token buffer, opaque, read, optional (see text) - Token received from peer application. - Supply GSS_C_NO_BUFFER on initial call. - - actual_mech_type OID, modify - actual mechanism used. - - output_token buffer, opaque, modify - token to be sent to peer application. If - the length field of the returned buffer is - zero, no token need be sent to the peer - application. - - ret_flags bit-mask, modify - Contains six independent flags, each of which - indicates that the context supports a specific - service option. Symbolic names are provided - for each flag, and the symbolic names - corresponding to the required flags should be - logically-ANDed with the ret_flags value to test - whether a given option is supported by the - context. 
The flags are: - - GSS_C_DELEG_FLAG - True - Credentials were delegated to - the remote peer - False - No credentials were delegated - GSS_C_MUTUAL_FLAG - True - Remote peer has been asked to - authenticated itself - False - Remote peer has not been asked to - authenticate itself - GSS_C_REPLAY_FLAG - True - replay of signed or sealed messages - will be detected - False - replayed messages will not be - detected - GSS_C_SEQUENCE_FLAG - True - out-of-sequence signed or sealed - messages will be detected - False - out-of-sequence messages will not - be detected - GSS_C_CONF_FLAG - True - Confidentiality service may be - invoked by calling seal routine - False - No confidentiality service (via - seal) available. seal will provide - message encapsulation, data-origin - - - -Wray [Page 19] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - authentication and integrity - services only. - GSS_C_INTEG_FLAG - True - Integrity service may be invoked by - calling either gss_sign or gss_seal - routines. - False - Per-message integrity service - unavailable. - - time_rec integer, modify, optional - number of seconds for which the context - will remain valid. If the implementation does - not support credential expiration, the value - GSS_C_INDEFINITE will be returned. Specify - NULL if not required. - - minor_status integer, modify - Mechanism specific status code. - - Function value: - - GSS status code: - - GSS_S_COMPLETE Successful completion - - GSS_S_CONTINUE_NEEDED Indicates that a token from the peer - application is required to complete thecontext, and - that gss_init_sec_context must be called again with - that token. - - GSS_S_DEFECTIVE_TOKEN Indicates that consistency checks performed on - the input_token failed - - GSS_S_DEFECTIVE_CREDENTIAL Indicates that consistency checks - performed on the credential failed. 
- - GSS_S_NO_CRED The supplied credentials were not valid for context - initiation, or the credential handle did not - reference any credentials. - - GSS_S_CREDENTIALS_EXPIRED The referenced credentials have expired - - GSS_S_BAD_BINDINGS The input_token contains different channel - bindings to those specified via the - input_chan_bindings parameter - - GSS_S_BAD_SIG The input_token contains an invalid signature, or a - signature that could not be verified - - - -Wray [Page 20] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - GSS_S_OLD_TOKEN The input_token was too old. This is a fatal error - during context establishment - - GSS_S_DUPLICATE_TOKEN The input_token is valid, but is a duplicate of - a token already processed. This is a fatal error - during context establishment. - - GSS_S_NO_CONTEXT Indicates that the supplied context handle did not - refer to a valid context - - GSS_S_BAD_NAMETYPE The provided target_name parameter contained an - invalid or unsupported type of name - - GSS_S_BAD_NAME The provided target_name parameter was ill-formed. - - GSS_S_FAILURE Failure. See minor_status for more information - -3.4. gss_accept_sec_context - - OM_uint32 gss_accept_sec_context ( - OM_uint32 * minor_status, - gss_ctx_id_t * context_handle, - gss_cred_id_t verifier_cred_handle, - gss_buffer_t input_token_buffer - gss_channel_bindings_t - input_chan_bindings, - gss_name_t * src_name, - gss_OID * mech_type, - gss_buffer_t output_token, - int * ret_flags, - OM_uint32 * time_rec, - gss_cred_id_t * delegated_cred_handle) - - Purpose: - - Allows a remotely initiated security context between the application - and a remote peer to be established. The routine may return a - output_token which should be transferred to the peer application, - where the peer application will present it to gss_init_sec_context. - If no token need be sent, gss_accept_sec_context will indicate this - by setting the length field of the output_token argument to zero. 
To - complete the context establishment, one or more reply tokens may be - required from the peer application; if so, gss_accept_sec_context - will return a status flag of GSS_S_CONTINUE_NEEDED, in which case it - should be called again when the reply token is received from the peer - application, passing the token to gss_accept_sec_context via the - input_token parameters. - - - - -Wray [Page 21] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - The values returned via the src_name, ret_flags, time_rec, and - delegated_cred_handle parameters are not defined unless the routine - returns GSS_S_COMPLETE. - - Parameters: - - context_handle gss_ctx_id_t, read/modify - context handle for new context. Supply - GSS_C_NO_CONTEXT for first call; use value - returned in subsequent calls. - - verifier_cred_handle gss_cred_id_t, read, optional - Credential handle claimed by context - acceptor. - Specify GSS_C_NO_CREDENTIAL to use default - credentials. If GSS_C_NO_CREDENTIAL is - specified, but the caller has no default - credentials established, an - implementation-defined default credential - may be used. - - input_token_buffer buffer, opaque, read - token obtained from remote application - - input_chan_bindings channel bindings, read - Application-specified bindings. Allows - application to securely bind channel - identification information to the security - context. - - src_name gss_name_t, modify, optional - Authenticated name of context initiator. - After use, this name should be deallocated by - passing it to gss_release_name. If not required, - specify NULL. - - mech_type Object ID, modify - Security mechanism used. The returned - OID value will be a pointer into static - storage, and should be treated as read-only - by the caller. - - output_token buffer, opaque, modify - Token to be passed to peer application. If the - length field of the returned token buffer is 0, - then no token need be passed to the peer - application. 
- - - - -Wray [Page 22] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - ret_flags bit-mask, modify - Contains six independent flags, each of - which indicates that the context supports a - specific service option. Symbolic names are - provided for each flag, and the symbolic names - corresponding to the required flags - should be logically-ANDed with the ret_flags - value to test whether a given option is - supported by the context. The flags are: - GSS_C_DELEG_FLAG - True - Delegated credentials are available - via the delegated_cred_handle - parameter - False - No credentials were delegated - GSS_C_MUTUAL_FLAG - True - Remote peer asked for mutual - authentication - False - Remote peer did not ask for mutual - authentication - GSS_C_REPLAY_FLAG - True - replay of signed or sealed messages - will be detected - False - replayed messages will not be - detected - GSS_C_SEQUENCE_FLAG - True - out-of-sequence signed or sealed - messages will be detected - False - out-of-sequence messages will not - be detected - GSS_C_CONF_FLAG - True - Confidentiality service may be - invoked by calling seal routine - False - No confidentiality service (via - seal) available. seal will - provide message encapsulation, - data-origin authentication and - integrity services only. - GSS_C_INTEG_FLAG - True - Integrity service may be invoked - by calling either gss_sign or - gss_seal routines. - False - Per-message integrity service - unavailable. - - time_rec integer, modify, optional - number of seconds for which the context - will remain valid. Specify NULL if not required. - - - - -Wray [Page 23] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - delegated_cred_handle - gss_cred_id_t, modify - credential handle for credentials received from - context initiator. Only valid if deleg_flag in - ret_flags is true. - - minor_status integer, modify - Mechanism specific status code. 
- - Function value: - - GSS status code: - - GSS_S_COMPLETE Successful completion - - GSS_S_CONTINUE_NEEDED Indicates that a token from the peer - application is required to complete the context, - and that gss_accept_sec_context must be called - again with that token. - - GSS_S_DEFECTIVE_TOKEN Indicates that consistency checks - performed on the input_token failed. - - GSS_S_DEFECTIVE_CREDENTIAL Indicates that consistency checks - performed on the credential failed. - - GSS_S_NO_CRED The supplied credentials were not valid for - context acceptance, or the credential handle - did not reference any credentials. - - GSS_S_CREDENTIALS_EXPIRED The referenced credentials have - expired. - - GSS_S_BAD_BINDINGS The input_token contains different channel - bindings to those specified via the - input_chan_bindings parameter. - - GSS_S_NO_CONTEXT Indicates that the supplied context handle did - not refer to a valid context. - - GSS_S_BAD_SIG The input_token contains an invalid signature. - - GSS_S_OLD_TOKEN The input_token was too old. This is a fatal - error during context establishment. - - GSS_S_DUPLICATE_TOKEN The input_token is valid, but is a - duplicate of a token already processed. This - is a fatal error during context establishment. - - - -Wray [Page 24] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - GSS_S_FAILURE Failure. See minor_status for more information. - -3.5. gss_process_context_token - - OM_uint32 gss_process_context_token ( - OM_uint32 * minor_status, - gss_ctx_id_t context_handle, - gss_buffer_t token_buffer) - - Purpose: - - Provides a way to pass a token to the security service. Usually, - tokens are associated either with context establishment (when they - would be passed to gss_init_sec_context or gss_accept_sec_context) or - with per-message security service (when they would be passed to - gss_verify or gss_unseal). 
Occasionally, tokens may be received at - other times, and gss_process_context_token allows such tokens to be - passed to the underlying security service for processing. At - present, such additional tokens may only be generated by - gss_delete_sec_context. GSSAPI implementation may use this service - to implement deletion of the security context. - - Parameters: - - context_handle gss_ctx_id_t, read - context handle of context on which token is to - be processed - - token_buffer buffer, opaque, read - pointer to first byte of token to process - - minor_status integer, modify - Implementation specific status code. - - Function value: - - GSS status code: - - GSS_S_COMPLETE Successful completion - - GSS_S_DEFECTIVE_TOKEN Indicates that consistency checks - performed on the token failed - - GSS_S_FAILURE Failure. See minor_status for more information - - GSS_S_NO_CONTEXT The context_handle did not refer to a valid - context - - - - -Wray [Page 25] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - -3.6. gss_delete_sec_context - - OM_uint32 gss_delete_sec_context ( - OM_uint32 * minor_status, - gss_ctx_id_t * context_handle, - gss_buffer_t output_token) - - Purpose: - - Delete a security context. gss_delete_sec_context will delete the - local data structures associated with the specified security context, - and generate an output_token, which when passed to the peer - gss_process_context_token will instruct it to do likewise. No - further security services may be obtained using the context specified - by context_handle. - - Parameters: - - minor_status integer, modify - Mechanism specific status code. - - context_handle gss_ctx_id_t, modify - context handle identifying context to delete. 
- - output_token buffer, opaque, modify - token to be sent to remote application to - instruct it to also delete the context - - Function value: - - GSS status code: - - GSS_S_COMPLETE Successful completion - - GSS_S_FAILURE Failure, see minor_status for more information - - GSS_S_NO_CONTEXT No valid context was supplied - -3.7. gss_context_time - - OM_uint32 gss_context_time ( - OM_uint32 * minor_status, - gss_ctx_id_t context_handle, - OM_uint32 * time_rec) - Purpose: - - Determines the number of seconds for which the specified context will - remain valid. - - - -Wray [Page 26] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - Parameters: - - minor_status integer, modify - Implementation specific status code. - - context_handle gss_ctx_id_t, read - Identifies the context to be interrogated. - - time_rec integer, modify - Number of seconds that the context will remain - valid. If the context has already expired, - zero will be returned. - Function value: - - GSS status code: - - GSS_S_COMPLETE Successful completion - - GSS_S_CONTEXT_EXPIRED The context has already expired - - GSS_S_CREDENTIALS_EXPIRED The context is recognized, but - associated credentials have expired - - GSS_S_NO_CONTEXT The context_handle parameter did not identify a - valid context - -3.8. gss_sign - - OM_uint32 gss_sign ( - OM_uint32 * minor_status, - gss_ctx_id_t context_handle, - int qop_req, - gss_buffer_t message_buffer, - gss_buffer_t msg_token) - Purpose: - - Generates a cryptographic signature for the supplied message, and - places the signature in a token for transfer to the peer application. - The qop_req parameter allows a choice between several cryptographic - algorithms, if supported by the chosen mechanism. - - Parameters: - - minor_status integer, modify - Implementation specific status code. 
- - context_handle gss_ctx_id_t, read - identifies the context on which the message - - - -Wray [Page 27] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - will be sent - - qop_req integer, read, optional - Specifies requested quality of protection. - Callers are encouraged, on portability grounds, - to accept the default quality of protection - offered by the chosen mechanism, which may be - requested by specifying GSS_C_QOP_DEFAULT for - this parameter. If an unsupported protection - strength is requested, gss_sign will return a - major_status of GSS_S_FAILURE. - - message_buffer buffer, opaque, read - message to be signed - - msg_token buffer, opaque, modify - buffer to receive token - - Function value: - - GSS status code: - - GSS_S_COMPLETE Successful completion - - GSS_S_CONTEXT_EXPIRED The context has already expired - - GSS_S_CREDENTIALS_EXPIRED The context is recognized, but - associated credentials have expired - - GSS_S_NO_CONTEXT The context_handle parameter did not identify a - valid context - - GSS_S_FAILURE Failure. See minor_status for more information. - -3.9. gss_verify - - OM_uint32 gss_verify ( - OM_uint32 * minor_status, - gss_ctx_id_t context_handle, - gss_buffer_t message_buffer, - gss_buffer_t token_buffer, - int * qop_state) - Purpose: - - Verifies that a cryptographic signature, contained in the token - parameter, fits the supplied message. The qop_state parameter allows - a message recipient to determine the strength of protection that was - applied to the message. - - - -Wray [Page 28] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - Parameters: - - minor_status integer, modify - Mechanism specific status code. 
- - context_handle gss_ctx_id_t, read - identifies the context on which the message - arrived - - message_buffer buffer, opaque, read - message to be verified - - token_buffer buffer, opaque, read - token associated with message - - qop_state integer, modify - quality of protection gained from signature - - Function value: - - GSS status code: - - GSS_S_COMPLETE Successful completion - - GSS_S_DEFECTIVE_TOKEN The token failed consistency checks - - GSS_S_BAD_SIG The signature was incorrect - - GSS_S_DUPLICATE_TOKEN The token was valid, and contained a correct - signature for the message, but it had already - been processed - - GSS_S_OLD_TOKEN The token was valid, and contained a correct - signature for the message, but it is too old - - GSS_S_UNSEQ_TOKEN The token was valid, and contained a correct - signature for the message, but has been - verified out of sequence; an earlier token has - been signed or sealed by the remote - application, but not yet been processed - locally. - - GSS_S_CONTEXT_EXPIRED The context has already expired - - GSS_S_CREDENTIALS_EXPIRED The context is recognized, but - associated credentials have expired - - - - - -Wray [Page 29] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - GSS_S_NO_CONTEXT The context_handle parameter did not identify a - valid context - - GSS_S_FAILURE Failure. See minor_status for more information. - -3.10. gss_seal - - OM_uint32 gss_seal ( - OM_uint32 * minor_status, - gss_ctx_id_t context_handle, - int conf_req_flag, - int qop_req - gss_buffer_t input_message_buffer, - int * conf_state, - gss_buffer_t output_message_buffer) - - Purpose: - - Cryptographically signs and optionally encrypts the specified - input_message. The output_message contains both the signature and - the message. The qop_req parameter allows a choice between several - cryptographic algorithms, if supported by the chosen mechanism. - - Parameters: - - minor_status integer, modify - Mechanism specific status code. 
- - context_handle gss_ctx_id_t, read - identifies the context on which the message - will be sent - - conf_req_flag boolean, read - True - Both confidentiality and integrity - services are requested - False - Only integrity service is requested - - qop_req integer, read, optional - Specifies required quality of protection. A - mechanism-specific default may be requested by - setting qop_req to GSS_C_QOP_DEFAULT. If an - unsupported protection strength is requested, - gss_seal will return a major_status of - GSS_S_FAILURE. - - input_message_buffer buffer, opaque, read - message to be sealed - - - - -Wray [Page 30] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - conf_state boolean, modify - True - Confidentiality, data origin - authentication and integrity services - have been applied - False - Integrity and data origin services only - has been applied. - - output_message_buffer buffer, opaque, modify - buffer to receive sealed message - - Function value: - - GSS status code: - - GSS_S_COMPLETE Successful completion - - GSS_S_CONTEXT_EXPIRED The context has already expired - - GSS_S_CREDENTIALS_EXPIRED The context is recognized, but - associated credentials have expired - - GSS_S_NO_CONTEXT The context_handle parameter did not identify a - valid context - - GSS_S_FAILURE Failure. See minor_status for more information. - -3.11. gss_unseal - - OM_uint32 gss_unseal ( - OM_uint32 * minor_status, - gss_ctx_id_t context_handle, - gss_buffer_t input_message_buffer, - gss_buffer_t output_message_buffer, - int * conf_state, - int * qop_state) - - Purpose: - - Converts a previously sealed message back to a usable form, verifying - the embedded signature. The conf_state parameter indicates whether - the message was encrypted; the qop_state parameter indicates the - strength of protection that was used to provide the confidentiality - and integrity services. - - Parameters: - - minor_status integer, modify - Mechanism specific status code. 
- - - -Wray [Page 31] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - context_handle gss_ctx_id_t, read - identifies the context on which the message - arrived - - input_message_buffer buffer, opaque, read - sealed message - - output_message_buffer buffer, opaque, modify - buffer to receive unsealed message - - conf_state boolean, modify - True - Confidentiality and integrity protection - were used - False - Inteegrity service only was used - - qop_state integer, modify - quality of protection gained from signature - - Function value: - - GSS status code: - - GSS_S_COMPLETE Successful completion - - GSS_S_DEFECTIVE_TOKEN The token failed consistency checks - - GSS_S_BAD_SIG The signature was incorrect - - GSS_S_DUPLICATE_TOKEN The token was valid, and contained a - correct signature for the message, but it had - already been processed - - GSS_S_OLD_TOKEN The token was valid, and contained a correct - signature for the message, but it is too old - - GSS_S_UNSEQ_TOKEN The token was valid, and contained a correct - signature for the message, but has been - verified out of sequence; an earlier token has - been signed or sealed by the remote - application, but not yet been processed - locally. - - GSS_S_CONTEXT_EXPIRED The context has already expired - - GSS_S_CREDENTIALS_EXPIRED The context is recognized, but - associated credentials have expired - - - - - -Wray [Page 32] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - GSS_S_NO_CONTEXT The context_handle parameter did not identify a - valid context - - GSS_S_FAILURE Failure. See minor_status for more information. - -3.12. gss_display_status - - OM_uint32 gss_display_status ( - OM_uint32 * minor_status, - int status_value, - int status_type, - gss_OID mech_type, - int * message_context, - gss_buffer_t status_string) - - Purpose: - - Allows an application to obtain a textual representation of a GSSAPI - status code, for display to the user or for logging purposes. 
Since - some status values may indicate multiple errors, applications may - need to call gss_display_status multiple times, each call generating - a single text string. The message_context parameter is used to - indicate which error message should be extracted from a given - status_value; message_context should be initialized to 0, and - gss_display_status will return a non-zero value if there are further - messages to extract. - - Parameters: - - minor_status integer, modify - Mechanism specific status code. - - status_value integer, read - Status value to be converted - - status_type integer, read - GSS_C_GSS_CODE - status_value is a GSS status - code - GSS_C_MECH_CODE - status_value is a mechanism - status code - - mech_type Object ID, read, optional - Underlying mechanism (used to interpret a - minor status value) Supply GSS_C_NULL_OID to - obtain the system default. - - message_context integer, read/modify - Should be initialized to zero by caller - - - -Wray [Page 33] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - on first call. If further messages are - contained in the status_value parameter, - message_context will be non-zero on return, - and this value should be passed back to - subsequent calls, along with the same - status_value, status_type and mech_type - parameters. - - status_string buffer, character string, modify - textual interpretation of the status_value - - Function value: - - GSS status code: - - GSS_S_COMPLETE Successful completion - - GSS_S_BAD_MECH Indicates that translation in accordance with - an unsupported mechanism type was requested - - GSS_S_BAD_STATUS The status value was not recognized, or the - status type was neither GSS_C_GSS_CODE nor - GSS_C_MECH_CODE. - - -3.13. gss_indicate_mechs - - OM_uint32 gss_indicate_mechs ( - OM_uint32 * minor_status, - gss_OID_set * mech_set) - - Purpose: - - Allows an application to determine which underlying security - mechanisms are available. 
- - Parameters: - - minor_status integer, modify - Mechanism specific status code. - - mech_set set of Object IDs, modify - set of implementation-supported mechanisms. - The returned gss_OID_set value will be a - pointer into static storage, and should be - treated as read-only by the caller. - - - - - -Wray [Page 34] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - Function value: - - GSS status code: - - GSS_S_COMPLETE Successful completion - -3.14. gss_compare_name - - OM_uint32 gss_compare_name ( - OM_uint32 * minor_status, - gss_name_t name1, - gss_name_t name2, - int * name_equal) - - Purpose: - - Allows an application to compare two internal-form names to determine - whether they refer to the same entity. - - Parameters: - - minor_status integer, modify - Mechanism specific status code. - - name1 gss_name_t, read - internal-form name - - name2 gss_name_t, read - internal-form name - - name_equal boolean, modify - True - names refer to same entity - False - names refer to different entities - (strictly, the names are not known to - refer to the same identity). - Function value: - - GSS status code: - - GSS_S_COMPLETE Successful completion - - GSS_S_BAD_NAMETYPE The type contained within either name1 or - name2 was unrecognized, or the names were of - incomparable types. - - GSS_S_BAD_NAME One or both of name1 or name2 was ill-formed - - - - - -Wray [Page 35] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - -3.15. gss_display_name - - OM_uint32 gss_display_name ( - OM_uint32 * minor_status, - gss_name_t input_name, - gss_buffer_t output_name_buffer, - gss_OID * output_name_type) - - Purpose: - - Allows an application to obtain a textual representation of an opaque - internal-form name for display purposes. The syntax of a printable - name is defined by the GSSAPI implementation. - - Parameters: - - minor_status integer, modify - Mechanism specific status code. 
- - input_name gss_name_t, read - name to be displayed - - output_name_buffer buffer, character-string, modify - buffer to receive textual name string - - output_name_type Object ID, modify - The type of the returned name. The returned - gss_OID will be a pointer into static storage, - and should be treated as read-only by the caller - - Function value: - - GSS status code: - - GSS_S_COMPLETE Successful completion - - GSS_S_BAD_NAMETYPE The type of input_name was not recognized - - GSS_S_BAD_NAME input_name was ill-formed - -3.16. gss_import_name - - OM_uint32 gss_import_name ( - OM_uint32 * minor_status, - gss_buffer_t input_name_buffer, - gss_OID input_name_type, - gss_name_t * output_name) - - - - -Wray [Page 36] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - Purpose: - - Convert a printable name to internal form. - - Parameters: - - minor_status integer, modify - Mechanism specific status code - - input_name_buffer buffer, character-string, read - buffer containing printable name to convert - - input_name_type Object ID, read, optional - Object Id specifying type of printable - name. Applications may specify either - GSS_C_NULL_OID to use a local system-specific - printable syntax, or an OID registered by the - GSSAPI implementation to name a particular - namespace. - - output_name gss_name_t, modify - returned name in internal form - - Function value: - - GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_BAD_NAMETYPE The input_name_type was unrecognized - - GSS_S_BAD_NAME The input_name parameter could not be - interpreted as a name of the specified type - -3.17. gss_release_name - - OM_uint32 gss_release_name ( - OM_uint32 * minor_status, - gss_name_t * name) - - Purpose: - - Free GSSAPI-allocated storage associated with an internal form name. 
- - Parameters: - - minor_status integer, modify - Mechanism specific status code - - - -Wray [Page 37] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - name gss_name_t, modify - The name to be deleted - - Function value: - - GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_BAD_NAME The name parameter did not contain a valid name - -3.18. gss_release_buffer - - OM_uint32 gss_release_buffer ( - OM_uint32 * minor_status, - gss_buffer_t buffer) - - Purpose: - - Free storage associated with a buffer format name. The storage must - have been allocated by a GSSAPI routine. In addition to freeing the - associated storage, the routine will zero the length field in the - buffer parameter. - - Parameters: - - minor_status integer, modify - Mechanism specific status code - - buffer buffer, modify - The storage associated with the buffer will be - deleted. The gss_buffer_desc object will not - be freed, but its length field will be zeroed. - - Function value: - - GSS status code - - GSS_S_COMPLETE Successful completion - -3.19. gss_release_oid_set - - OM_uint32 gss_release_oid_set ( - OM_uint32 * minor_status, - gss_OID_set * set) - - Purpose: - - - - -Wray [Page 38] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - Free storage associated with a gss_OID_set object. The storage must - have been allocated by a GSSAPI routine. - - Parameters: - - minor_status integer, modify - Mechanism specific status code - - set Set of Object IDs, modify - The storage associated with the gss_OID_set - will be deleted. - - Function value: - - GSS status code - - GSS_S_COMPLETE Successful completion - -3.20. gss_inquire_cred - - OM_uint32 gss_inquire_cred ( - OM_uint32 * minor_status, - gss_cred_id_t cred_handle, - gss_name_t * name, - OM_uint32 * lifetime, - int * cred_usage, - gss_OID_set * mechanisms ) - - Purpose: - - Obtains information about a credential. The caller must already have - obtained a handle that refers to the credential. 
- - Parameters: - - minor_status integer, modify - Mechanism specific status code - - cred_handle gss_cred_id_t, read - A handle that refers to the target credential. - Specify GSS_C_NO_CREDENTIAL to inquire about - the default credential. - - name gss_name_t, modify - The name whose identity the credential asserts. - Specify NULL if not required. - - lifetime Integer, modify - - - -Wray [Page 39] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - The number of seconds for which the credential - will remain valid. If the credential has - expired, this parameter will be set to zero. - If the implementation does not support - credential expiration, the value - GSS_C_INDEFINITE will be returned. Specify - NULL if not required. - - cred_usage Integer, modify - How the credential may be used. One of the - following: - GSS_C_INITIATE - GSS_C_ACCEPT - GSS_C_BOTH - Specify NULL if not required. - - mechanisms gss_OID_set, modify - Set of mechanisms supported by the credential. - Specify NULL if not required. - - Function value: - - GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_NO_CRED The referenced credentials could not be - accessed. - - GSS_S_DEFECTIVE_CREDENTIAL The referenced credentials were - invalid. - - GSS_S_CREDENTIALS_EXPIRED The referenced credentials have expired. - If the lifetime parameter was not passed as - NULL, it will be set to 0. - - - #ifndef GSSAPI_H_ - #define GSSAPI_H_ - - /* - * First, define the platform-dependent types. - */ - typedef OM_uint32; - typedef gss_ctx_id_t; - typedef gss_cred_id_t; - typedef gss_name_t; - - - - -Wray [Page 40] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - /* - * Note that a platform supporting the xom.h X/Open header file - * may make use of that header for the definitions of OM_uint32 - * and the structure to which gss_OID_desc equates. 
- */ - - typedef struct gss_OID_desc_struct { - OM_uint32 length; - void *elements; - } gss_OID_desc, *gss_OID; - - typedef struct gss_OID_set_desc_struct { - int count; - gss_OID elements; - } gss_OID_set_desc, *gss_OID_set; - - typedef struct gss_buffer_desc_struct { - size_t length; - void *value; - } gss_buffer_desc, *gss_buffer_t; - - typedef struct gss_channel_bindings_struct { - OM_uint32 initiator_addrtype; - gss_buffer_desc initiator_address; - OM_uint32 acceptor_addrtype; - gss_buffer_desc acceptor_address; - gss_buffer_desc application_data; - } *gss_channel_bindings_t; - - - /* - * Six independent flags each of which indicates that a context - * supports a specific service option. - */ - #define GSS_C_DELEG_FLAG 1 - #define GSS_C_MUTUAL_FLAG 2 - #define GSS_C_REPLAY_FLAG 4 - #define GSS_C_SEQUENCE_FLAG 8 - #define GSS_C_CONF_FLAG 16 - #define GSS_C_INTEG_FLAG 32 - - - /* - * Credential usage options - */ - #define GSS_C_BOTH 0 - #define GSS_C_INITIATE 1 - #define GSS_C_ACCEPT 2 - - - -Wray [Page 41] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - /* - * Status code types for gss_display_status - */ - #define GSS_C_GSS_CODE 1 - #define GSS_C_MECH_CODE 2 - - /* - * The constant definitions for channel-bindings address families - */ - #define GSS_C_AF_UNSPEC 0; - #define GSS_C_AF_LOCAL 1; - #define GSS_C_AF_INET 2; - #define GSS_C_AF_IMPLINK 3; - #define GSS_C_AF_PUP 4; - #define GSS_C_AF_CHAOS 5; - #define GSS_C_AF_NS 6; - #define GSS_C_AF_NBS 7; - #define GSS_C_AF_ECMA 8; - #define GSS_C_AF_DATAKIT 9; - #define GSS_C_AF_CCITT 10; - #define GSS_C_AF_SNA 11; - #define GSS_C_AF_DECnet 12; - #define GSS_C_AF_DLI 13; - #define GSS_C_AF_LAT 14; - #define GSS_C_AF_HYLINK 15; - #define GSS_C_AF_APPLETALK 16; - #define GSS_C_AF_BSC 17; - #define GSS_C_AF_DSS 18; - #define GSS_C_AF_OSI 19; - #define GSS_C_AF_X25 21; - - #define GSS_C_AF_NULLADDR 255; - - #define GSS_C_NO_BUFFER ((gss_buffer_t) 0) - #define GSS_C_NULL_OID ((gss_OID) 0) - #define 
GSS_C_NULL_OID_SET ((gss_OID_set) 0) - #define GSS_C_NO_CONTEXT ((gss_ctx_id_t) 0) - #define GSS_C_NO_CREDENTIAL ((gss_cred_id_t) 0) - #define GSS_C_NO_CHANNEL_BINDINGS ((gss_channel_bindings_t) 0) - #define GSS_C_EMPTY_BUFFER {0, NULL} - - /* - * Define the default Quality of Protection for per-message - * services. Note that an implementation that offers multiple - * levels of QOP may either reserve a value (for example zero, - * as assumed here) to mean "default protection", or alternatively - * may simply equate GSS_C_QOP_DEFAULT to a specific explicit QOP - * value. - - - -Wray [Page 42] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - */ - #define GSS_C_QOP_DEFAULT 0 - - /* - * Expiration time of 2^32-1 seconds means infinite lifetime for a - * credential or security context - */ - #define GSS_C_INDEFINITE 0xfffffffful - - - /* Major status codes */ - - #define GSS_S_COMPLETE 0 - - /* - * Some "helper" definitions to make the status code macros obvious. - */ - #define GSS_C_CALLING_ERROR_OFFSET 24 - #define GSS_C_ROUTINE_ERROR_OFFSET 16 - #define GSS_C_SUPPLEMENTARY_OFFSET 0 - #define GSS_C_CALLING_ERROR_MASK 0377ul - #define GSS_C_ROUTINE_ERROR_MASK 0377ul - #define GSS_C_SUPPLEMENTARY_MASK 0177777ul - - /* - * The macros that test status codes for error conditions - */ - #define GSS_CALLING_ERROR(x) \ - (x & (GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET)) - #define GSS_ROUTINE_ERROR(x) \ - (x & (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET)) - #define GSS_SUPPLEMENTARY_INFO(x) \ - (x & (GSS_C_SUPPLEMENTARY_MASK << GSS_C_SUPPLEMENTARY_OFFSET)) - #define GSS_ERROR(x) \ - ((GSS_CALLING_ERROR(x) != 0) || (GSS_ROUTINE_ERROR(x) != 0)) - - - /* - * Now the actual status code definitions - */ - - /* - * Calling errors: - */ - #define GSS_S_CALL_INACCESSIBLE_READ \ - (1ul << GSS_C_CALLING_ERROR_OFFSET) - #define GSS_S_CALL_INACCESSIBLE_WRITE \ - (2ul << GSS_C_CALLING_ERROR_OFFSET) - - - -Wray [Page 43] - -RFC 1509 GSSAPI - 
Overview and C bindings September 1993 - - - #define GSS_S_CALL_BAD_STRUCTURE \ - (3ul << GSS_C_CALLING_ERROR_OFFSET) - - /* - * Routine errors: - */ - #define GSS_S_BAD_MECH (1ul << GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_BAD_NAME (2ul << GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_BAD_NAMETYPE (3ul << GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_BAD_BINDINGS (4ul << GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_BAD_STATUS (5ul << GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_BAD_SIG (6ul << GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_NO_CRED (7ul << GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_NO_CONTEXT (8ul << GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_DEFECTIVE_TOKEN (9ul << GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_DEFECTIVE_CREDENTIAL (10ul << GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_CREDENTIALS_EXPIRED (11ul << GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_CONTEXT_EXPIRED (12ul << GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_FAILURE (13ul << GSS_C_ROUTINE_ERROR_OFFSET) - - /* - * Supplementary info bits: - */ - #define GSS_S_CONTINUE_NEEDED (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 0)) - #define GSS_S_DUPLICATE_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 1)) - #define GSS_S_OLD_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 2)) - #define GSS_S_UNSEQ_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 3)) - - - /* - * Finally, function prototypes for the GSSAPI routines. 
- */ - - OM_uint32 gss_acquire_cred - (OM_uint32*, /* minor_status */ - gss_name_t, /* desired_name */ - OM_uint32, /* time_req */ - gss_OID_set, /* desired_mechs */ - int, /* cred_usage */ - gss_cred_id_t*, /* output_cred_handle */ - gss_OID_set*, /* actual_mechs */ - OM_uint32* /* time_rec */ - ); - - OM_uint32 gss_release_cred, - (OM_uint32*, /* minor_status */ - gss_cred_id_t* /* cred_handle */ - ); - - - -Wray [Page 44] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - OM_uint32 gss_init_sec_context - (OM_uint32*, /* minor_status */ - gss_cred_id_t, /* claimant_cred_handle */ - gss_ctx_id_t*, /* context_handle */ - gss_name_t, /* target_name */ - gss_OID, /* mech_type */ - int, /* req_flags */ - OM_uint32, /* time_req */ - gss_channel_bindings_t, - /* input_chan_bindings */ - gss_buffer_t, /* input_token */ - gss_OID*, /* actual_mech_type */ - gss_buffer_t, /* output_token */ - int*, /* ret_flags */ - OM_uint32* /* time_rec */ - ); - - OM_uint32 gss_accept_sec_context - (OM_uint32*, /* minor_status */ - gss_ctx_id_t*, /* context_handle */ - gss_cred_id_t, /* verifier_cred_handle */ - gss_buffer_t, /* input_token_buffer */ - gss_channel_bindings_t, - /* input_chan_bindings */ - gss_name_t*, /* src_name */ - gss_OID*, /* mech_type */ - gss_buffer_t, /* output_token */ - int*, /* ret_flags */ - OM_uint32*, /* time_rec */ - gss_cred_id_t* /* delegated_cred_handle */ - ); - - OM_uint32 gss_process_context_token - (OM_uint32*, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - gss_buffer_t /* token_buffer */ - ); - - OM_uint32 gss_delete_sec_context - (OM_uint32*, /* minor_status */ - gss_ctx_id_t*, /* context_handle */ - gss_buffer_t /* output_token */ - ); - - - - - - - - -Wray [Page 45] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - OM_uint32 gss_context_time - (OM_uint32*, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - OM_uint32* /* time_rec */ - ); - - OM_uint32 gss_sign - (OM_uint32*, /* minor_status */ - 
gss_ctx_id_t, /* context_handle */ - int, /* qop_req */ - gss_buffer_t, /* message_buffer */ - gss_buffer_t /* message_token */ - ); - - OM_uitn32 gss_verify - (OM_uint32*, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - gss_buffer_t, /* message_buffer */ - gss_buffer_t, /* token_buffer */ - int* /* qop_state */ - ); - - OM_uint32 gss_seal - (OM_uint32*, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - int, /* conf_req_flag */ - int, /* qop_req */ - gss_buffer_t, /* input_message_buffer */ - int*, /* conf_state */ - gss_buffer_t /* output_message_buffer */ - ); - - OM_uint32 gss_unseal - (OM_uint32*, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - gss_buffer_t, /* input_message_buffer */ - gss_buffer_t, /* output_message_buffer */ - int*, /* conf_state */ - int* /* qop_state */ - ); - - - - - - - - - - - -Wray [Page 46] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - OM_uint32 gss_display_status - (OM_uint32*, /* minor_status */ - OM_uint32, /* status_value */ - int, /* status_type */ - gss_OID, /* mech_type */ - int*, /* message_context */ - gss_buffer_t /* status_string */ - ); - - OM_uint32 gss_indicate_mechs - (OM_uint32*, /* minor_status */ - gss_OID_set* /* mech_set */ - ); - - OM_uint32 gss_compare_name - (OM_uint32*, /* minor_status */ - gss_name_t, /* name1 */ - gss_name_t, /* name2 */ - int* /* name_equal */ - ); - - OM_uint32 gss_display_name, - (OM_uint32*, /* minor_status */ - gss_name_t, /* input_name */ - gss_buffer_t, /* output_name_buffer */ - gss_OID* /* output_name_type */ - ); - - OM_uint32 gss_import_name - (OM_uint32*, /* minor_status */ - gss_buffer_t, /* input_name_buffer */ - gss_OID, /* input_name_type */ - gss_name_t* /* output_name */ - ); - - OM_uint32 gss_release_name - (OM_uint32*, /* minor_status */ - gss_name_t* /* input_name */ - ); - - OM_uint32 gss_release_buffer - (OM_uint32*, /* minor_status */ - gss_buffer_t /* buffer */ - ); - - OM_uint32 gss_release_oid_set - (OM_uint32*, /* 
minor_status */ - gss_OID_set* /* set */ - - - -Wray [Page 47] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - ); - - OM_uint32 gss_inquire_cred - (OM_uint32 *, /* minor_status */ - gss_cred_id_t, /* cred_handle */ - gss_name_t *, /* name */ - OM_uint32 *, /* lifetime */ - int *, /* cred_usage */ - gss_OID_set * /* mechanisms */ - ); - - - - #endif /* GSSAPI_H_ */ - -References - - [1] Linn, J., "Generic Security Service Application Program - Interface", RFC 1508, Geer Zolot Associate, September 1993. - - [2] "OSI Object Management API Specification, Version 2.0 t", X.400 - API Association & X/Open Company Limited, August 24, 1990. - Specification of datatypes and routines for manipulating - information objects. - -Security Considerations - - Security issues are discussed throughout this memo. - -Author's Address - - John Wray - Digital Equipment Corporation - 550 King Street, LKG2-2/AA6 - Littleton, MA 01460 - USA - - Phone: +1-508-486-5210 - EMail: Wray@tuxedo.enet.dec.com - - - - - - - - - - - - -Wray [Page 48] -
\ No newline at end of file
diff --git a/crypto/heimdal-0.6.3/doc/standardisation/rfc1510.txt b/crypto/heimdal-0.6.3/doc/standardisation/rfc1510.txt
deleted file mode 100644
index bc810cc506..0000000000
--- a/crypto/heimdal-0.6.3/doc/standardisation/rfc1510.txt
+++ /dev/null
@@ -1,6275 +0,0 @@
-
-
-
-
-
-
-Network Working Group J. Kohl
-Request for Comments: 1510 Digital Equipment Corporation
- C. Neuman
- ISI
- September 1993
-
-
- The Kerberos Network Authentication Service (V5)
-
-Status of this Memo
-
- This RFC specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" for the standardization state and status
- of this protocol. Distribution of this memo is unlimited.
-
-Abstract
-
- This document gives an overview and specification of Version 5 of the
- protocol for the Kerberos network authentication system. Version 4,
- described elsewhere [1,2], is presently in production use at MIT's
- Project Athena, and at other Internet sites.
-
-Overview
-
- Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos,
- Moira, and Zephyr are trademarks of the Massachusetts Institute of
- Technology (MIT). No commercial use of these trademarks may be made
- without prior written permission of MIT.
-
- This RFC describes the concepts and model upon which the Kerberos
- network authentication system is based. It also specifies Version 5
- of the Kerberos protocol.
-
- The motivations, goals, assumptions, and rationale behind most design
- decisions are treated cursorily; for Version 4 they are fully
- described in the Kerberos portion of the Athena Technical Plan [1].
- The protocols are under review, and are not being submitted for
- consideration as an Internet standard at this time. Comments are
- encouraged. Requests for addition to an electronic mailing list for
- discussion of Kerberos, kerberos@MIT.EDU, may be addressed to
- kerberos-request@MIT.EDU. This mailing list is gatewayed onto the
- Usenet as the group comp.protocols.kerberos. Requests for further
- information, including documents and code availability, may be sent
- to info-kerberos@MIT.EDU.
- - - - - -Kohl & Neuman [Page 1] - -RFC 1510 Kerberos September 1993 - - -Background - - The Kerberos model is based in part on Needham and Schroeder's - trusted third-party authentication protocol [3] and on modifications - suggested by Denning and Sacco [4]. The original design and - implementation of Kerberos Versions 1 through 4 was the work of two - former Project Athena staff members, Steve Miller of Digital - Equipment Corporation and Clifford Neuman (now at the Information - Sciences Institute of the University of Southern California), along - with Jerome Saltzer, Technical Director of Project Athena, and - Jeffrey Schiller, MIT Campus Network Manager. Many other members of - Project Athena have also contributed to the work on Kerberos. - Version 4 is publicly available, and has seen wide use across the - Internet. - - Version 5 (described in this document) has evolved from Version 4 - based on new requirements and desires for features not available in - Version 4. Details on the differences between Kerberos Versions 4 - and 5 can be found in [5]. - -Table of Contents - - 1. Introduction ....................................... 5 - 1.1. Cross-Realm Operation ............................ 7 - 1.2. Environmental assumptions ........................ 8 - 1.3. Glossary of terms ................................ 9 - 2. Ticket flag uses and requests ...................... 12 - 2.1. Initial and pre-authenticated tickets ............ 12 - 2.2. Invalid tickets .................................. 12 - 2.3. Renewable tickets ................................ 12 - 2.4. Postdated tickets ................................ 13 - 2.5. Proxiable and proxy tickets ...................... 14 - 2.6. Forwardable tickets .............................. 15 - 2.7. Other KDC options ................................ 15 - 3. Message Exchanges .................................. 16 - 3.1. The Authentication Service Exchange .............. 16 - 3.1.1. 
Generation of KRB_AS_REQ message ............... 17 - 3.1.2. Receipt of KRB_AS_REQ message .................. 17 - 3.1.3. Generation of KRB_AS_REP message ............... 17 - 3.1.4. Generation of KRB_ERROR message ................ 19 - 3.1.5. Receipt of KRB_AS_REP message .................. 19 - 3.1.6. Receipt of KRB_ERROR message ................... 20 - 3.2. The Client/Server Authentication Exchange ........ 20 - 3.2.1. The KRB_AP_REQ message ......................... 20 - 3.2.2. Generation of a KRB_AP_REQ message ............. 20 - 3.2.3. Receipt of KRB_AP_REQ message .................. 21 - 3.2.4. Generation of a KRB_AP_REP message ............. 23 - 3.2.5. Receipt of KRB_AP_REP message .................. 23 - - - -Kohl & Neuman [Page 2] - -RFC 1510 Kerberos September 1993 - - - 3.2.6. Using the encryption key ....................... 24 - 3.3. The Ticket-Granting Service (TGS) Exchange ....... 24 - 3.3.1. Generation of KRB_TGS_REQ message .............. 25 - 3.3.2. Receipt of KRB_TGS_REQ message ................. 26 - 3.3.3. Generation of KRB_TGS_REP message .............. 27 - 3.3.3.1. Encoding the transited field ................. 29 - 3.3.4. Receipt of KRB_TGS_REP message ................. 31 - 3.4. The KRB_SAFE Exchange ............................ 31 - 3.4.1. Generation of a KRB_SAFE message ............... 31 - 3.4.2. Receipt of KRB_SAFE message .................... 32 - 3.5. The KRB_PRIV Exchange ............................ 33 - 3.5.1. Generation of a KRB_PRIV message ............... 33 - 3.5.2. Receipt of KRB_PRIV message .................... 33 - 3.6. The KRB_CRED Exchange ............................ 34 - 3.6.1. Generation of a KRB_CRED message ............... 34 - 3.6.2. Receipt of KRB_CRED message .................... 34 - 4. The Kerberos Database .............................. 35 - 4.1. Database contents ................................ 35 - 4.2. Additional fields ................................ 36 - 4.3. 
Frequently Changing Fields ....................... 37 - 4.4. Site Constants ................................... 37 - 5. Message Specifications ............................. 38 - 5.1. ASN.1 Distinguished Encoding Representation ...... 38 - 5.2. ASN.1 Base Definitions ........................... 38 - 5.3. Tickets and Authenticators ....................... 42 - 5.3.1. Tickets ........................................ 42 - 5.3.2. Authenticators ................................. 47 - 5.4. Specifications for the AS and TGS exchanges ...... 49 - 5.4.1. KRB_KDC_REQ definition ......................... 49 - 5.4.2. KRB_KDC_REP definition ......................... 56 - 5.5. Client/Server (CS) message specifications ........ 58 - 5.5.1. KRB_AP_REQ definition .......................... 58 - 5.5.2. KRB_AP_REP definition .......................... 60 - 5.5.3. Error message reply ............................ 61 - 5.6. KRB_SAFE message specification ................... 61 - 5.6.1. KRB_SAFE definition ............................ 61 - 5.7. KRB_PRIV message specification ................... 62 - 5.7.1. KRB_PRIV definition ............................ 62 - 5.8. KRB_CRED message specification ................... 63 - 5.8.1. KRB_CRED definition ............................ 63 - 5.9. Error message specification ...................... 65 - 5.9.1. KRB_ERROR definition ........................... 66 - 6. Encryption and Checksum Specifications ............. 67 - 6.1. Encryption Specifications ........................ 68 - 6.2. Encryption Keys .................................. 71 - 6.3. Encryption Systems ............................... 71 - 6.3.1. The NULL Encryption System (null) .............. 71 - 6.3.2. DES in CBC mode with a CRC-32 checksum (descbc-crc)71 - - - -Kohl & Neuman [Page 3] - -RFC 1510 Kerberos September 1993 - - - 6.3.3. DES in CBC mode with an MD4 checksum (descbc-md4) 72 - 6.3.4. DES in CBC mode with an MD5 checksum (descbc-md5) 72 - 6.4. 
Checksums ........................................ 74 - 6.4.1. The CRC-32 Checksum (crc32) .................... 74 - 6.4.2. The RSA MD4 Checksum (rsa-md4) ................. 75 - 6.4.3. RSA MD4 Cryptographic Checksum Using DES - (rsa-md4-des) ......................................... 75 - 6.4.4. The RSA MD5 Checksum (rsa-md5) ................. 76 - 6.4.5. RSA MD5 Cryptographic Checksum Using DES - (rsa-md5-des) ......................................... 76 - 6.4.6. DES cipher-block chained checksum (des-mac) - 6.4.7. RSA MD4 Cryptographic Checksum Using DES - alternative (rsa-md4-des-k) ........................... 77 - 6.4.8. DES cipher-block chained checksum alternative - (des-mac-k) ........................................... 77 - 7. Naming Constraints ................................. 78 - 7.1. Realm Names ...................................... 77 - 7.2. Principal Names .................................. 79 - 7.2.1. Name of server principals ...................... 80 - 8. Constants and other defined values ................. 80 - 8.1. Host address types ............................... 80 - 8.2. KDC messages ..................................... 81 - 8.2.1. IP transport ................................... 81 - 8.2.2. OSI transport .................................. 82 - 8.2.3. Name of the TGS ................................ 82 - 8.3. Protocol constants and associated values ......... 82 - 9. Interoperability requirements ...................... 86 - 9.1. Specification 1 .................................. 86 - 9.2. Recommended KDC values ........................... 88 - 10. Acknowledgments ................................... 88 - 11. References ........................................ 89 - 12. Security Considerations ........................... 90 - 13. Authors' Addresses ................................ 90 - A. Pseudo-code for protocol processing ................ 91 - A.1. KRB_AS_REQ generation ............................ 91 - A.2. 
KRB_AS_REQ verification and KRB_AS_REP generation 92 - A.3. KRB_AS_REP verification .......................... 95 - A.4. KRB_AS_REP and KRB_TGS_REP common checks ......... 96 - A.5. KRB_TGS_REQ generation ........................... 97 - A.6. KRB_TGS_REQ verification and KRB_TGS_REP generation 98 - A.7. KRB_TGS_REP verification ......................... 104 - A.8. Authenticator generation ......................... 104 - A.9. KRB_AP_REQ generation ............................ 105 - A.10. KRB_AP_REQ verification ......................... 105 - A.11. KRB_AP_REP generation ........................... 106 - A.12. KRB_AP_REP verification ......................... 107 - A.13. KRB_SAFE generation ............................. 107 - A.14. KRB_SAFE verification ........................... 108 - - - -Kohl & Neuman [Page 4] - -RFC 1510 Kerberos September 1993 - - - A.15. KRB_SAFE and KRB_PRIV common checks ............. 108 - A.16. KRB_PRIV generation ............................. 109 - A.17. KRB_PRIV verification ........................... 110 - A.18. KRB_CRED generation ............................. 110 - A.19. KRB_CRED verification ........................... 111 - A.20. KRB_ERROR generation ............................ 112 - -1. Introduction - - Kerberos provides a means of verifying the identities of principals, - (e.g., a workstation user or a network server) on an open - (unprotected) network. This is accomplished without relying on - authentication by the host operating system, without basing trust on - host addresses, without requiring physical security of all the hosts - on the network, and under the assumption that packets traveling along - the network can be read, modified, and inserted at will. (Note, - however, that many applications use Kerberos' functions only upon the - initiation of a stream-based network connection, and assume the - absence of any "hijackers" who might subvert such a connection. Such - use implicitly trusts the host addresses involved.) 
Kerberos - performs authentication under these conditions as a trusted third- - party authentication service by using conventional cryptography, - i.e., shared secret key. (shared secret key - Secret and private are - often used interchangeably in the literature. In our usage, it takes - two (or more) to share a secret, thus a shared DES key is a secret - key. Something is only private when no one but its owner knows it. - Thus, in public key cryptosystems, one has a public and a private - key.) - - The authentication process proceeds as follows: A client sends a - request to the authentication server (AS) requesting "credentials" - for a given server. The AS responds with these credentials, - encrypted in the client's key. The credentials consist of 1) a - "ticket" for the server and 2) a temporary encryption key (often - called a "session key"). The client transmits the ticket (which - contains the client's identity and a copy of the session key, all - encrypted in the server's key) to the server. The session key (now - shared by the client and server) is used to authenticate the client, - and may optionally be used to authenticate the server. It may also - be used to encrypt further communication between the two parties or - to exchange a separate sub-session key to be used to encrypt further - communication. - - The implementation consists of one or more authentication servers - running on physically secure hosts. The authentication servers - maintain a database of principals (i.e., users and servers) and their - secret keys. Code libraries provide encryption and implement the - Kerberos protocol. In order to add authentication to its - - - -Kohl & Neuman [Page 5] - -RFC 1510 Kerberos September 1993 - - - transactions, a typical network application adds one or two calls to - the Kerberos library, which results in the transmission of the - necessary messages to achieve authentication. - - The Kerberos protocol consists of several sub-protocols (or - exchanges). 
There are two methods by which a client can ask a - Kerberos server for credentials. In the first approach, the client - sends a cleartext request for a ticket for the desired server to the - AS. The reply is sent encrypted in the client's secret key. Usually - this request is for a ticket-granting ticket (TGT) which can later be - used with the ticket-granting server (TGS). In the second method, - the client sends a request to the TGS. The client sends the TGT to - the TGS in the same manner as if it were contacting any other - application server which requires Kerberos credentials. The reply is - encrypted in the session key from the TGT. - - Once obtained, credentials may be used to verify the identity of the - principals in a transaction, to ensure the integrity of messages - exchanged between them, or to preserve privacy of the messages. The - application is free to choose whatever protection may be necessary. - - To verify the identities of the principals in a transaction, the - client transmits the ticket to the server. Since the ticket is sent - "in the clear" (parts of it are encrypted, but this encryption - doesn't thwart replay) and might be intercepted and reused by an - attacker, additional information is sent to prove that the message - was originated by the principal to whom the ticket was issued. This - information (called the authenticator) is encrypted in the session - key, and includes a timestamp. The timestamp proves that the message - was recently generated and is not a replay. Encrypting the - authenticator in the session key proves that it was generated by a - party possessing the session key. Since no one except the requesting - principal and the server know the session key (it is never sent over - the network in the clear) this guarantees the identity of the client. - - The integrity of the messages exchanged between principals can also - be guaranteed using the session key (passed in the ticket and - contained in the credentials). 
This approach provides detection of - both replay attacks and message stream modification attacks. It is - accomplished by generating and transmitting a collision-proof - checksum (elsewhere called a hash or digest function) of the client's - message, keyed with the session key. Privacy and integrity of the - messages exchanged between principals can be secured by encrypting - the data to be passed using the session key passed in the ticket, and - contained in the credentials. - - The authentication exchanges mentioned above require read-only access - to the Kerberos database. Sometimes, however, the entries in the - - - -Kohl & Neuman [Page 6] - -RFC 1510 Kerberos September 1993 - - - database must be modified, such as when adding new principals or - changing a principal's key. This is done using a protocol between a - client and a third Kerberos server, the Kerberos Administration - Server (KADM). The administration protocol is not described in this - document. There is also a protocol for maintaining multiple copies of - the Kerberos database, but this can be considered an implementation - detail and may vary to support different database technologies. - -1.1. Cross-Realm Operation - - The Kerberos protocol is designed to operate across organizational - boundaries. A client in one organization can be authenticated to a - server in another. Each organization wishing to run a Kerberos - server establishes its own "realm". The name of the realm in which a - client is registered is part of the client's name, and can be used by - the end-service to decide whether to honor a request. - - By establishing "inter-realm" keys, the administrators of two realms - can allow a client authenticated in the local realm to use its - authentication remotely (Of course, with appropriate permission the - client could arrange registration of a separately-named principal in - a remote realm, and engage in normal exchanges with that realm's - services. 
However, for even small numbers of clients this becomes - cumbersome, and more automatic methods as described here are - necessary). The exchange of inter-realm keys (a separate key may be - used for each direction) registers the ticket-granting service of - each realm as a principal in the other realm. A client is then able - to obtain a ticket-granting ticket for the remote realm's ticket- - granting service from its local realm. When that ticket-granting - ticket is used, the remote ticket-granting service uses the inter- - realm key (which usually differs from its own normal TGS key) to - decrypt the ticket-granting ticket, and is thus certain that it was - issued by the client's own TGS. Tickets issued by the remote ticket- - granting service will indicate to the end-service that the client was - authenticated from another realm. - - A realm is said to communicate with another realm if the two realms - share an inter-realm key, or if the local realm shares an inter-realm - key with an intermediate realm that communicates with the remote - realm. An authentication path is the sequence of intermediate realms - that are transited in communicating from one realm to another. - - Realms are typically organized hierarchically. Each realm shares a - key with its parent and a different key with each child. If an - inter-realm key is not directly shared by two realms, the - hierarchical organization allows an authentication path to be easily - constructed. If a hierarchical organization is not used, it may be - necessary to consult some database in order to construct an - - - -Kohl & Neuman [Page 7] - -RFC 1510 Kerberos September 1993 - - - authentication path between realms. - - Although realms are typically hierarchical, intermediate realms may - be bypassed to achieve cross-realm authentication through alternate - authentication paths (these might be established to make - communication between two realms more efficient). 
It is important - for the end-service to know which realms were transited when deciding - how much faith to place in the authentication process. To facilitate - this decision, a field in each ticket contains the names of the - realms that were involved in authenticating the client. - -1.2. Environmental assumptions - - Kerberos imposes a few assumptions on the environment in which it can - properly function: - - + "Denial of service" attacks are not solved with Kerberos. There - are places in these protocols where an intruder intruder can - prevent an application from participating in the proper - authentication steps. Detection and solution of such attacks - (some of which can appear to be not-uncommon "normal" failure - modes for the system) is usually best left to the human - administrators and users. - - + Principals must keep their secret keys secret. If an intruder - somehow steals a principal's key, it will be able to masquerade - as that principal or impersonate any server to the legitimate - principal. - - + "Password guessing" attacks are not solved by Kerberos. If a - user chooses a poor password, it is possible for an attacker to - successfully mount an offline dictionary attack by repeatedly - attempting to decrypt, with successive entries from a - dictionary, messages obtained which are encrypted under a key - derived from the user's password. - - + Each host on the network must have a clock which is "loosely - synchronized" to the time of the other hosts; this - synchronization is used to reduce the bookkeeping needs of - application servers when they do replay detection. The degree - of "looseness" can be configured on a per-server basis. If the - clocks are synchronized over the network, the clock - synchronization protocol must itself be secured from network - attackers. - - + Principal identifiers are not recycled on a short-term basis. 
A - typical mode of access control will use access control lists - (ACLs) to grant permissions to particular principals. If a - - - -Kohl & Neuman [Page 8] - -RFC 1510 Kerberos September 1993 - - - stale ACL entry remains for a deleted principal and the - principal identifier is reused, the new principal will inherit - rights specified in the stale ACL entry. By not re-using - principal identifiers, the danger of inadvertent access is - removed. - -1.3. Glossary of terms - - Below is a list of terms used throughout this document. - - - Authentication Verifying the claimed identity of a - principal. - - - Authentication header A record containing a Ticket and an - Authenticator to be presented to a - server as part of the authentication - process. - - - Authentication path A sequence of intermediate realms transited - in the authentication process when - communicating from one realm to another. - - Authenticator A record containing information that can - be shown to have been recently generated - using the session key known only by the - client and server. - - - Authorization The process of determining whether a - client may use a service, which objects - the client is allowed to access, and the - type of access allowed for each. - - - Capability A token that grants the bearer permission - to access an object or service. In - Kerberos, this might be a ticket whose - use is restricted by the contents of the - authorization data field, but which - lists no network addresses, together - with the session key necessary to use - the ticket. - - - - - - -Kohl & Neuman [Page 9] - -RFC 1510 Kerberos September 1993 - - - Ciphertext The output of an encryption function. - Encryption transforms plaintext into - ciphertext. - - - Client A process that makes use of a network - service on behalf of a user. Note that - in some cases a Server may itself be a - client of some other server (e.g., a - print server may be a client of a file - server). 
- - - Credentials A ticket plus the secret session key - necessary to successfully use that - ticket in an authentication exchange. - - - KDC Key Distribution Center, a network service - that supplies tickets and temporary - session keys; or an instance of that - service or the host on which it runs. - The KDC services both initial ticket and - ticket-granting ticket requests. The - initial ticket portion is sometimes - referred to as the Authentication Server - (or service). The ticket-granting - ticket portion is sometimes referred to - as the ticket-granting server (or service). - - Kerberos Aside from the 3-headed dog guarding - Hades, the name given to Project - Athena's authentication service, the - protocol used by that service, or the - code used to implement the authentication - service. - - - Plaintext The input to an encryption function or - the output of a decryption function. - Decryption transforms ciphertext into - plaintext. - - - Principal A uniquely named client or server - instance that participates in a network - communication. - - - - -Kohl & Neuman [Page 10] - -RFC 1510 Kerberos September 1993 - - - Principal identifier The name used to uniquely identify each - different principal. - - - Seal To encipher a record containing several - fields in such a way that the fields - cannot be individually replaced without - either knowledge of the encryption key - or leaving evidence of tampering. - - - Secret key An encryption key shared by a principal - and the KDC, distributed outside the - bounds of the system, with a long lifetime. - In the case of a human user's - principal, the secret key is derived - from a password. - - - Server A particular Principal which provides a - resource to network clients. - - - Service A resource provided to network clients; - often provided by more than one server - (for example, remote file service). 
- - - Session key A temporary encryption key used between - two principals, with a lifetime limited - to the duration of a single login "session". - - - Sub-session key A temporary encryption key used between - two principals, selected and exchanged - by the principals using the session key, - and with a lifetime limited to the duration - of a single association. - - - Ticket A record that helps a client authenticate - itself to a server; it contains the - client's identity, a session key, a - timestamp, and other information, all - sealed using the server's secret key. - It only serves to authenticate a client - when presented along with a fresh - Authenticator. - - - -Kohl & Neuman [Page 11] - -RFC 1510 Kerberos September 1993 - - -2. Ticket flag uses and requests - - Each Kerberos ticket contains a set of flags which are used to - indicate various attributes of that ticket. Most flags may be - requested by a client when the ticket is obtained; some are - automatically turned on and off by a Kerberos server as required. - The following sections explain what the various flags mean, and gives - examples of reasons to use such a flag. - -2.1. Initial and pre-authenticated tickets - - The INITIAL flag indicates that a ticket was issued using the AS - protocol and not issued based on a ticket-granting ticket. - Application servers that want to require the knowledge of a client's - secret key (e.g., a passwordchanging program) can insist that this - flag be set in any tickets they accept, and thus be assured that the - client's key was recently presented to the application client. 
- - The PRE-AUTHENT and HW-AUTHENT flags provide addition information - about the initial authentication, regardless of whether the current - ticket was issued directly (in which case INITIAL will also be set) - or issued on the basis of a ticket-granting ticket (in which case the - INITIAL flag is clear, but the PRE-AUTHENT and HW-AUTHENT flags are - carried forward from the ticket-granting ticket). - -2.2. Invalid tickets - - The INVALID flag indicates that a ticket is invalid. Application - servers must reject tickets which have this flag set. A postdated - ticket will usually be issued in this form. Invalid tickets must be - validated by the KDC before use, by presenting them to the KDC in a - TGS request with the VALIDATE option specified. The KDC will only - validate tickets after their starttime has passed. The validation is - required so that postdated tickets which have been stolen before - their starttime can be rendered permanently invalid (through a hot- - list mechanism). - -2.3. Renewable tickets - - Applications may desire to hold tickets which can be valid for long - periods of time. However, this can expose their credentials to - potential theft for equally long periods, and those stolen - credentials would be valid until the expiration time of the - ticket(s). Simply using shortlived tickets and obtaining new ones - periodically would require the client to have long-term access to its - secret key, an even greater risk. Renewable tickets can be used to - mitigate the consequences of theft. Renewable tickets have two - "expiration times": the first is when the current instance of the - - - -Kohl & Neuman [Page 12] - -RFC 1510 Kerberos September 1993 - - - ticket expires, and the second is the latest permissible value for an - individual expiration time. An application client must periodically - (i.e., before it expires) present a renewable ticket to the KDC, with - the RENEW option set in the KDC request. 
The KDC will issue a new - ticket with a new session key and a later expiration time. All other - fields of the ticket are left unmodified by the renewal process. - When the latest permissible expiration time arrives, the ticket - expires permanently. At each renewal, the KDC may consult a hot-list - to determine if the ticket had been reported stolen since its last - renewal; it will refuse to renew such stolen tickets, and thus the - usable lifetime of stolen tickets is reduced. - - The RENEWABLE flag in a ticket is normally only interpreted by the - ticket-granting service (discussed below in section 3.3). It can - usually be ignored by application servers. However, some - particularly careful application servers may wish to disallow - renewable tickets. - - If a renewable ticket is not renewed by its expiration time, the KDC - will not renew the ticket. The RENEWABLE flag is reset by default, - but a client may request it be set by setting the RENEWABLE option - in the KRB_AS_REQ message. If it is set, then the renew-till field - in the ticket contains the time after which the ticket may not be - renewed. - -2.4. Postdated tickets - - Applications may occasionally need to obtain tickets for use much - later, e.g., a batch submission system would need tickets to be valid - at the time the batch job is serviced. However, it is dangerous to - hold valid tickets in a batch queue, since they will be on-line - longer and more prone to theft. Postdated tickets provide a way to - obtain these tickets from the KDC at job submission time, but to - leave them "dormant" until they are activated and validated by a - further request of the KDC. If a ticket theft were reported in the - interim, the KDC would refuse to validate the ticket, and the thief - would be foiled. - - The MAY-POSTDATE flag in a ticket is normally only interpreted by the - ticket-granting service. It can be ignored by application servers. 
- This flag must be set in a ticket-granting ticket in order to issue a - postdated ticket based on the presented ticket. It is reset by - default; it may be requested by a client by setting the ALLOW- - POSTDATE option in the KRB_AS_REQ message. This flag does not allow - a client to obtain a postdated ticket-granting ticket; postdated - ticket-granting tickets can only by obtained by requesting the - postdating in the KRB_AS_REQ message. The life (endtime-starttime) - of a postdated ticket will be the remaining life of the ticket- - - - -Kohl & Neuman [Page 13] - -RFC 1510 Kerberos September 1993 - - - granting ticket at the time of the request, unless the RENEWABLE - option is also set, in which case it can be the full life (endtime- - starttime) of the ticket-granting ticket. The KDC may limit how far - in the future a ticket may be postdated. - - The POSTDATED flag indicates that a ticket has been postdated. The - application server can check the authtime field in the ticket to see - when the original authentication occurred. Some services may choose - to reject postdated tickets, or they may only accept them within a - certain period after the original authentication. When the KDC issues - a POSTDATED ticket, it will also be marked as INVALID, so that the - application client must present the ticket to the KDC to be validated - before use. - -2.5. Proxiable and proxy tickets - - At times it may be necessary for a principal to allow a service to - perform an operation on its behalf. The service must be able to take - on the identity of the client, but only for a particular purpose. A - principal can allow a service to take on the principal's identity for - a particular purpose by granting it a proxy. - - The PROXIABLE flag in a ticket is normally only interpreted by the - ticket-granting service. It can be ignored by application servers. 
- When set, this flag tells the ticket-granting server that it is OK to
- issue a new ticket (but not a ticket-granting ticket) with a
- different network address based on this ticket. This flag is set by
- default.
-
- This flag allows a client to pass a proxy to a server to perform a
- remote request on its behalf, e.g., a print service client can give
- the print server a proxy to access the client's files on a particular
- file server in order to satisfy a print request.
-
- In order to complicate the use of stolen credentials, Kerberos
- tickets are usually valid from only those network addresses
- specifically included in the ticket (It is permissible to request or
- issue tickets with no network addresses specified, but we do not
- recommend it). For this reason, a client wishing to grant a proxy
- must request a new ticket valid for the network address of the
- service to be granted the proxy.
-
- The PROXY flag is set in a ticket by the TGS when it issues a
- proxy ticket. Application servers may check this flag and require
- additional authentication from the agent presenting the proxy in
- order to provide an audit trail.
-
-
-
-
-
-Kohl & Neuman [Page 14]
-
-RFC 1510 Kerberos September 1993
-
-
-2.6. Forwardable tickets
-
- Authentication forwarding is an instance of the proxy case where the
- service is granted complete use of the client's identity. An example
- where it might be used is when a user logs in to a remote system and
- wants authentication to work from that system as if the login were
- local.
-
- The FORWARDABLE flag in a ticket is normally only interpreted by the
- ticket-granting service. It can be ignored by application servers.
- The FORWARDABLE flag has an interpretation similar to that of the
- PROXIABLE flag, except ticket-granting tickets may also be issued
- with different network addresses.
This flag is reset by default, but
- users may request that it be set by setting the FORWARDABLE option in
- the AS request when they request their initial ticket-granting
- ticket.
-
- This flag allows for authentication forwarding without requiring the
- user to enter a password again. If the flag is not set, then
- authentication forwarding is not permitted, but the same end result
- can still be achieved if the user engages in the AS exchange with the
- requested network addresses and supplies a password.
-
- The FORWARDED flag is set by the TGS when a client presents a ticket
- with the FORWARDABLE flag set and requests it be set by specifying
- the FORWARDED KDC option and supplying a set of addresses for the new
- ticket. It is also set in all tickets issued based on tickets with
- the FORWARDED flag set. Application servers may wish to process
- FORWARDED tickets differently than non-FORWARDED tickets.
-
-2.7. Other KDC options
-
- There are two additional options which may be set in a client's
- request of the KDC. The RENEWABLE-OK option indicates that the
- client will accept a renewable ticket if a ticket with the requested
- life cannot otherwise be provided. If a ticket with the requested
- life cannot be provided, then the KDC may issue a renewable ticket
- with a renew-till equal to the the requested endtime. The value of
- the renew-till field may still be adjusted by site-determined limits
- or limits imposed by the individual principal or server.
-
- The ENC-TKT-IN-SKEY option is honored only by the ticket-granting
- service. It indicates that the to-be-issued ticket for the end
- server is to be encrypted in the session key from the additional
- ticket-granting ticket provided with the request. See section 3.3.3
- for specific details.
-
-
-
-
-
-Kohl & Neuman [Page 15]
-
-RFC 1510 Kerberos September 1993
-
-
-3.
Message Exchanges
-
- The following sections describe the interactions between network
- clients and servers and the messages involved in those exchanges.
-
-3.1. The Authentication Service Exchange
-
- Summary
-
- Message direction Message type Section
- 1. Client to Kerberos KRB_AS_REQ 5.4.1
- 2. Kerberos to client KRB_AS_REP or 5.4.2
- KRB_ERROR 5.9.1
-
- The Authentication Service (AS) Exchange between the client and the
- Kerberos Authentication Server is usually initiated by a client when
- it wishes to obtain authentication credentials for a given server but
- currently holds no credentials. The client's secret key is used for
- encryption and decryption. This exchange is typically used at the
- initiation of a login session, to obtain credentials for a Ticket-
- Granting Server, which will subsequently be used to obtain
- credentials for other servers (see section 3.3) without requiring
- further use of the client's secret key. This exchange is also used
- to request credentials for services which must not be mediated
- through the Ticket-Granting Service, but rather require a principal's
- secret key, such as the password-changing service. (The password-
- changing request must not be honored unless the requester can provide
- the old password (the user's current secret key). Otherwise, it
- would be possible for someone to walk up to an unattended session and
- change another user's password.) This exchange does not by itself
- provide any assurance of the the identity of the user. (To
- authenticate a user logging on to a local system, the credentials
- obtained in the AS exchange may first be used in a TGS exchange to
- obtain credentials for a local server. Those credentials must then
- be verified by the local server through successful completion of the
- Client/Server exchange.)
-
- The exchange consists of two messages: KRB_AS_REQ from the client to
- Kerberos, and KRB_AS_REP or KRB_ERROR in reply.
The formats for these
- messages are described in sections 5.4.1, 5.4.2, and 5.9.1.
-
- In the request, the client sends (in cleartext) its own identity and
- the identity of the server for which it is requesting credentials.
- The response, KRB_AS_REP, contains a ticket for the client to present
- to the server, and a session key that will be shared by the client
- and the server. The session key and additional information are
- encrypted in the client's secret key. The KRB_AS_REP message
- contains information which can be used to detect replays, and to
-
-
-
-Kohl & Neuman [Page 16]
-
-RFC 1510 Kerberos September 1993
-
-
- associate it with the message to which it replies. Various errors
- can occur; these are indicated by an error response (KRB_ERROR)
- instead of the KRB_AS_REP response. The error message is not
- encrypted. The KRB_ERROR message also contains information which can
- be used to associate it with the message to which it replies. The
- lack of encryption in the KRB_ERROR message precludes the ability to
- detect replays or fabrications of such messages.
-
- In the normal case the authentication server does not know whether
- the client is actually the principal named in the request. It simply
- sends a reply without knowing or caring whether they are the same.
- This is acceptable because nobody but the principal whose identity
- was given in the request will be able to use the reply. Its critical
- information is encrypted in that principal's key. The initial
- request supports an optional field that can be used to pass
- additional information that might be needed for the initial exchange.
- This field may be used for preauthentication if desired, but the
- mechanism is not currently specified.
-
-3.1.1. Generation of KRB_AS_REQ message
-
- The client may specify a number of options in the initial request.
- Among these options are whether preauthentication is to be performed;
- whether the requested ticket is to be renewable, proxiable, or
- forwardable; whether it should be postdated or allow postdating of
- derivative tickets; and whether a renewable ticket will be accepted
- in lieu of a non-renewable ticket if the requested ticket expiration
- date cannot be satisfied by a nonrenewable ticket (due to
- configuration constraints; see section 4). See section A.1 for
- pseudocode.
-
- The client prepares the KRB_AS_REQ message and sends it to the KDC.
-
-3.1.2. Receipt of KRB_AS_REQ message
-
- If all goes well, processing the KRB_AS_REQ message will result in
- the creation of a ticket for the client to present to the server.
- The format for the ticket is described in section 5.3.1. The
- contents of the ticket are determined as follows.
-
-3.1.3. Generation of KRB_AS_REP message
-
- The authentication server looks up the client and server principals
- named in the KRB_AS_REQ in its database, extracting their respective
- keys. If required, the server pre-authenticates the request, and if
- the pre-authentication check fails, an error message with the code
- KDC_ERR_PREAUTH_FAILED is returned. If the server cannot accommodate
- the requested encryption type, an error message with code
-
-
-
-Kohl & Neuman [Page 17]
-
-RFC 1510 Kerberos September 1993
-
-
- KDC_ERR_ETYPE_NOSUPP is returned. Otherwise it generates a "random"
- session key ("Random" means that, among other things, it should be
- impossible to guess the next session key based on knowledge of past
- session keys. This can only be achieved in a pseudo-random number
- generator if it is based on cryptographic principles. It would be
- more desirable to use a truly random number generator, such as one
- based on measurements of random physical phenomena.).
-
- If the requested start time is absent or indicates a time in the
- past, then the start time of the ticket is set to the authentication
- server's current time. If it indicates a time in the future, but the
- POSTDATED option has not been specified, then the error
- KDC_ERR_CANNOT_POSTDATE is returned. Otherwise the requested start
- time is checked against the policy of the local realm (the
- administrator might decide to prohibit certain types or ranges of
- postdated tickets), and if acceptable, the ticket's start time is set
- as requested and the INVALID flag is set in the new ticket. The
- postdated ticket must be validated before use by presenting it to the
- KDC after the start time has been reached.
-
- The expiration time of the ticket will be set to the minimum of the
- following:
-
- +The expiration time (endtime) requested in the KRB_AS_REQ
- message.
-
- +The ticket's start time plus the maximum allowable lifetime
- associated with the client principal (the authentication
- server's database includes a maximum ticket lifetime field
- in each principal's record; see section 4).
-
- +The ticket's start time plus the maximum allowable lifetime
- associated with the server principal.
-
- +The ticket's start time plus the maximum lifetime set by
- the policy of the local realm.
-
- If the requested expiration time minus the start time (as determined
- above) is less than a site-determined minimum lifetime, an error
- message with code KDC_ERR_NEVER_VALID is returned. If the requested
- expiration time for the ticket exceeds what was determined as above,
- and if the "RENEWABLE-OK" option was requested, then the "RENEWABLE"
- flag is set in the new ticket, and the renew-till value is set as if
- the "RENEWABLE" option were requested (the field and option names are
- described fully in section 5.4.1).
If the RENEWABLE option has been
- requested or if the RENEWABLE-OK option has been set and a renewable
- ticket is to be issued, then the renew-till field is set to the
- minimum of:
-
-
-
-Kohl & Neuman [Page 18]
-
-RFC 1510 Kerberos September 1993
-
-
- +Its requested value.
-
- +The start time of the ticket plus the minimum of the two
- maximum renewable lifetimes associated with the principals'
- database entries.
-
- +The start time of the ticket plus the maximum renewable
- lifetime set by the policy of the local realm.
-
- The flags field of the new ticket will have the following options set
- if they have been requested and if the policy of the local realm
- allows: FORWARDABLE, MAY-POSTDATE, POSTDATED, PROXIABLE, RENEWABLE.
- If the new ticket is postdated (the start time is in the future), its
- INVALID flag will also be set.
-
- If all of the above succeed, the server formats a KRB_AS_REP message
- (see section 5.4.2), copying the addresses in the request into the
- caddr of the response, placing any required pre-authentication data
- into the padata of the response, and encrypts the ciphertext part in
- the client's key using the requested encryption method, and sends it
- to the client. See section A.2 for pseudocode.
-
-3.1.4. Generation of KRB_ERROR message
-
- Several errors can occur, and the Authentication Server responds by
- returning an error message, KRB_ERROR, to the client, with the
- error-code and e-text fields set to appropriate values. The error
- message contents and details are described in Section 5.9.1.
-
-3.1.5. Receipt of KRB_AS_REP message
-
- If the reply message type is KRB_AS_REP, then the client verifies
- that the cname and crealm fields in the cleartext portion of the
- reply match what it requested. If any padata fields are present,
- they may be used to derive the proper secret key to decrypt the
- message.
The client decrypts the encrypted part of the response
- using its secret key, verifies that the nonce in the encrypted part
- matches the nonce it supplied in its request (to detect replays). It
- also verifies that the sname and srealm in the response match those
- in the request, and that the host address field is also correct. It
- then stores the ticket, session key, start and expiration times, and
- other information for later use. The key-expiration field from the
- encrypted part of the response may be checked to notify the user of
- impending key expiration (the client program could then suggest
- remedial action, such as a password change). See section A.3 for
- pseudocode.
-
- Proper decryption of the KRB_AS_REP message is not sufficient to
-
-
-
-Kohl & Neuman [Page 19]
-
-RFC 1510 Kerberos September 1993
-
-
- verify the identity of the user; the user and an attacker could
- cooperate to generate a KRB_AS_REP format message which decrypts
- properly but is not from the proper KDC. If the host wishes to
- verify the identity of the user, it must require the user to present
- application credentials which can be verified using a securely-stored
- secret key. If those credentials can be verified, then the identity
- of the user can be assured.
-
-3.1.6. Receipt of KRB_ERROR message
-
- If the reply message type is KRB_ERROR, then the client interprets it
- as an error and performs whatever application-specific tasks are
- necessary to recover.
-
-3.2. The Client/Server Authentication Exchange
-
- Summary
-
- Message direction Message type Section
- Client to Application server KRB_AP_REQ 5.5.1
- [optional] Application server to client KRB_AP_REP or 5.5.2
- KRB_ERROR 5.9.1
-
- The client/server authentication (CS) exchange is used by network
- applications to authenticate the client to the server and vice versa.
- The client must have already acquired credentials for the server
- using the AS or TGS exchange.
-
-3.2.1.
The KRB_AP_REQ message
-
- The KRB_AP_REQ contains authentication information which should be
- part of the first message in an authenticated transaction. It
- contains a ticket, an authenticator, and some additional bookkeeping
- information (see section 5.5.1 for the exact format). The ticket by
- itself is insufficient to authenticate a client, since tickets are
- passed across the network in cleartext(Tickets contain both an
- encrypted and unencrypted portion, so cleartext here refers to the
- entire unit, which can be copied from one message and replayed in
- another without any cryptographic skill.), so the authenticator is
- used to prevent invalid replay of tickets by proving to the server
- that the client knows the session key of the ticket and thus is
- entitled to use it. The KRB_AP_REQ message is referred to elsewhere
- as the "authentication header."
-
-3.2.2. Generation of a KRB_AP_REQ message
-
- When a client wishes to initiate authentication to a server, it
- obtains (either through a credentials cache, the AS exchange, or the
-
-
-
-Kohl & Neuman [Page 20]
-
-RFC 1510 Kerberos September 1993
-
-
- TGS exchange) a ticket and session key for the desired service. The
- client may re-use any tickets it holds until they expire. The client
- then constructs a new Authenticator from the the system time, its
- name, and optionally an application specific checksum, an initial
- sequence number to be used in KRB_SAFE or KRB_PRIV messages, and/or a
- session subkey to be used in negotiations for a session key unique to
- this particular session. Authenticators may not be re-used and will
- be rejected if replayed to a server (Note that this can make
- applications based on unreliable transports difficult to code
- correctly, if the transport might deliver duplicated messages. In
- such cases, a new authenticator must be generated for each retry.).
- If a sequence number is to be included, it should be randomly chosen
- so that even after many messages have been exchanged it is not likely
- to collide with other sequence numbers in use.
-
- The client may indicate a requirement of mutual authentication or the
- use of a session-key based ticket by setting the appropriate flag(s)
- in the ap-options field of the message.
-
- The Authenticator is encrypted in the session key and combined with
- the ticket to form the KRB_AP_REQ message which is then sent to the
- end server along with any additional application-specific
- information. See section A.9 for pseudocode.
-
-3.2.3. Receipt of KRB_AP_REQ message
-
- Authentication is based on the server's current time of day (clocks
- must be loosely synchronized), the authenticator, and the ticket.
- Several errors are possible. If an error occurs, the server is
- expected to reply to the client with a KRB_ERROR message. This
- message may be encapsulated in the application protocol if its "raw"
- form is not acceptable to the protocol. The format of error messages
- is described in section 5.9.1.
-
- The algorithm for verifying authentication information is as follows.
- If the message type is not KRB_AP_REQ, the server returns the
- KRB_AP_ERR_MSG_TYPE error. If the key version indicated by the Ticket
- in the KRB_AP_REQ is not one the server can use (e.g., it indicates
- an old key, and the server no longer possesses a copy of the old
- key), the KRB_AP_ERR_BADKEYVER error is returned. If the USE-
- SESSION-KEY flag is set in the ap-options field, it indicates to the
- server that the ticket is encrypted in the session key from the
- server's ticket-granting ticket rather than its secret key (This is
- used for user-to-user authentication as described in [6]).
Since it
- is possible for the server to be registered in multiple realms, with
- different keys in each, the srealm field in the unencrypted portion
- of the ticket in the KRB_AP_REQ is used to specify which secret key
- the server should use to decrypt that ticket. The KRB_AP_ERR_NOKEY
-
-
-
-Kohl & Neuman [Page 21]
-
-RFC 1510 Kerberos September 1993
-
-
- error code is returned if the server doesn't have the proper key to
- decipher the ticket.
-
- The ticket is decrypted using the version of the server's key
- specified by the ticket. If the decryption routines detect a
- modification of the ticket (each encryption system must provide
- safeguards to detect modified ciphertext; see section 6), the
- KRB_AP_ERR_BAD_INTEGRITY error is returned (chances are good that
- different keys were used to encrypt and decrypt).
-
- The authenticator is decrypted using the session key extracted from
- the decrypted ticket. If decryption shows it to have been modified,
- the KRB_AP_ERR_BAD_INTEGRITY error is returned. The name and realm
- of the client from the ticket are compared against the same fields in
- the authenticator. If they don't match, the KRB_AP_ERR_BADMATCH
- error is returned (they might not match, for example, if the wrong
- session key was used to encrypt the authenticator). The addresses in
- the ticket (if any) are then searched for an address matching the
- operating-system reported address of the client. If no match is
- found or the server insists on ticket addresses but none are present
- in the ticket, the KRB_AP_ERR_BADADDR error is returned.
-
- If the local (server) time and the client time in the authenticator
- differ by more than the allowable clock skew (e.g., 5 minutes), the
- KRB_AP_ERR_SKEW error is returned.
If the server name, along with
- the client name, time and microsecond fields from the Authenticator
- match any recently-seen such tuples, the KRB_AP_ERR_REPEAT error is
- returned (Note that the rejection here is restricted to
- authenticators from the same principal to the same server. Other
- client principals communicating with the same server principal should
- not be have their authenticators rejected if the time and microsecond
- fields happen to match some other client's authenticator.). The
- server must remember any authenticator presented within the allowable
- clock skew, so that a replay attempt is guaranteed to fail. If a
- server loses track of any authenticator presented within the
- allowable clock skew, it must reject all requests until the clock
- skew interval has passed. This assures that any lost or re-played
- authenticators will fall outside the allowable clock skew and can no
- longer be successfully replayed (If this is not done, an attacker
- could conceivably record the ticket and authenticator sent over the
- network to a server, then disable the client's host, pose as the
- disabled host, and replay the ticket and authenticator to subvert the
- authentication.). If a sequence number is provided in the
- authenticator, the server saves it for later use in processing
- KRB_SAFE and/or KRB_PRIV messages. If a subkey is present, the
- server either saves it for later use or uses it to help generate its
- own choice for a subkey to be returned in a KRB_AP_REP message.
-
-
-
-
-Kohl & Neuman [Page 22]
-
-RFC 1510 Kerberos September 1993
-
-
- The server computes the age of the ticket: local (server) time minus
- the start time inside the Ticket. If the start time is later than
- the current time by more than the allowable clock skew or if the
- INVALID flag is set in the ticket, the KRB_AP_ERR_TKT_NYV error is
- returned.
Otherwise, if the current time is later than end time by
- more than the allowable clock skew, the KRB_AP_ERR_TKT_EXPIRED error
- is returned.
-
- If all these checks succeed without an error, the server is assured
- that the client possesses the credentials of the principal named in
- the ticket and thus, the client has been authenticated to the server.
- See section A.10 for pseudocode.
-
-3.2.4. Generation of a KRB_AP_REP message
-
- Typically, a client's request will include both the authentication
- information and its initial request in the same message, and the
- server need not explicitly reply to the KRB_AP_REQ. However, if
- mutual authentication (not only authenticating the client to the
- server, but also the server to the client) is being performed, the
- KRB_AP_REQ message will have MUTUAL-REQUIRED set in its ap-options
- field, and a KRB_AP_REP message is required in response. As with the
- error message, this message may be encapsulated in the application
- protocol if its "raw" form is not acceptable to the application's
- protocol. The timestamp and microsecond field used in the reply must
- be the client's timestamp and microsecond field (as provided in the
- authenticator). [Note: In the Kerberos version 4 protocol, the
- timestamp in the reply was the client's timestamp plus one. This is
- not necessary in version 5 because version 5 messages are formatted
- in such a way that it is not possible to create the reply by
- judicious message surgery (even in encrypted form) without knowledge
- of the appropriate encryption keys.] If a sequence number is to be
- included, it should be randomly chosen as described above for the
- authenticator. A subkey may be included if the server desires to
- negotiate a different subkey. The KRB_AP_REP message is encrypted in
- the session key extracted from the ticket. See section A.11 for
- pseudocode.
-
-3.2.5.
Receipt of KRB_AP_REP message
-
- If a KRB_AP_REP message is returned, the client uses the session key
- from the credentials obtained for the server (Note that for
- encrypting the KRB_AP_REP message, the sub-session key is not used,
- even if present in the Authenticator.) to decrypt the message, and
- verifies that the timestamp and microsecond fields match those in the
- Authenticator it sent to the server. If they match, then the client
- is assured that the server is genuine. The sequence number and subkey
- (if present) are retained for later use. See section A.12 for
-
-
-
-Kohl & Neuman [Page 23]
-
-RFC 1510 Kerberos September 1993
-
-
- pseudocode.
-
-3.2.6. Using the encryption key
-
- After the KRB_AP_REQ/KRB_AP_REP exchange has occurred, the client and
- server share an encryption key which can be used by the application.
- The "true session key" to be used for KRB_PRIV, KRB_SAFE, or other
- application-specific uses may be chosen by the application based on
- the subkeys in the KRB_AP_REP message and the authenticator
- (Implementations of the protocol may wish to provide routines to
- choose subkeys based on session keys and random numbers and to
- orchestrate a negotiated key to be returned in the KRB_AP_REP
- message.). In some cases, the use of this session key will be
- implicit in the protocol; in others the method of use must be chosen
- from a several alternatives. We leave the protocol negotiations of
- how to use the key (e.g., selecting an encryption or checksum type)
- to the application programmer; the Kerberos protocol does not
- constrain the implementation options.
-
- With both the one-way and mutual authentication exchanges, the peers
- should take care not to send sensitive information to each other
- without proper assurances. In particular, applications that require
- privacy or integrity should use the KRB_AP_REP or KRB_ERROR responses
- from the server to client to assure both client and server of their
- peer's identity.
If an application protocol requires privacy of its
- messages, it can use the KRB_PRIV message (section 3.5). The KRB_SAFE
- message (section 3.4) can be used to assure integrity.
-
-3.3. The Ticket-Granting Service (TGS) Exchange
-
- Summary
-
- Message direction Message type Section
- 1. Client to Kerberos KRB_TGS_REQ 5.4.1
- 2. Kerberos to client KRB_TGS_REP or 5.4.2
- KRB_ERROR 5.9.1
-
- The TGS exchange between a client and the Kerberos Ticket-Granting
- Server is initiated by a client when it wishes to obtain
- authentication credentials for a given server (which might be
- registered in a remote realm), when it wishes to renew or validate an
- existing ticket, or when it wishes to obtain a proxy ticket. In the
- first case, the client must already have acquired a ticket for the
- Ticket-Granting Service using the AS exchange (the ticket-granting
- ticket is usually obtained when a client initially authenticates to
- the system, such as when a user logs in). The message format for the
- TGS exchange is almost identical to that for the AS exchange. The
- primary difference is that encryption and decryption in the TGS
-
-
-
-Kohl & Neuman [Page 24]
-
-RFC 1510 Kerberos September 1993
-
-
- exchange does not take place under the client's key. Instead, the
- session key from the ticket-granting ticket or renewable ticket, or
- sub-session key from an Authenticator is used. As is the case for
- all application servers, expired tickets are not accepted by the TGS,
- so once a renewable or ticket-granting ticket expires, the client
- must use a separate exchange to obtain valid tickets.
-
- The TGS exchange consists of two messages: A request (KRB_TGS_REQ)
- from the client to the Kerberos Ticket-Granting Server, and a reply
- (KRB_TGS_REP or KRB_ERROR). The KRB_TGS_REQ message includes
- information authenticating the client plus a request for credentials.
- The authentication information consists of the authentication header
- (KRB_AP_REQ) which includes the client's previously obtained ticket-
- granting, renewable, or invalid ticket. In the ticket-granting
- ticket and proxy cases, the request may include one or more of: a
- list of network addresses, a collection of typed authorization data
- to be sealed in the ticket for authorization use by the application
- server, or additional tickets (the use of which are described later).
- The TGS reply (KRB_TGS_REP) contains the requested credentials,
- encrypted in the session key from the ticket-granting ticket or
- renewable ticket, or if present, in the subsession key from the
- Authenticator (part of the authentication header). The KRB_ERROR
- message contains an error code and text explaining what went wrong.
- The KRB_ERROR message is not encrypted. The KRB_TGS_REP message
- contains information which can be used to detect replays, and to
- associate it with the message to which it replies. The KRB_ERROR
- message also contains information which can be used to associate it
- with the message to which it replies, but the lack of encryption in
- the KRB_ERROR message precludes the ability to detect replays or
- fabrications of such messages.
-
-3.3.1. Generation of KRB_TGS_REQ message
-
- Before sending a request to the ticket-granting service, the client
- must determine in which realm the application server is registered
- [Note: This can be accomplished in several ways. It might be known
- beforehand (since the realm is part of the principal identifier), or
- it might be stored in a nameserver. Presently, however, this
- information is obtained from a configuration file. If the realm to
- be used is obtained from a nameserver, there is a danger of being
- spoofed if the nameservice providing the realm name is not
- authenticated.
This might result in the use of a realm which has
- been compromised, and would result in an attacker's ability to
- compromise the authentication of the application server to the
- client.]. If the client does not already possess a ticket-granting
- ticket for the appropriate realm, then one must be obtained. This is
- first attempted by requesting a ticket-granting ticket for the
- destination realm from the local Kerberos server (using the
-
-
-
-Kohl & Neuman [Page 25]
-
-RFC 1510 Kerberos September 1993
-
-
- KRB_TGS_REQ message recursively). The Kerberos server may return a
- TGT for the desired realm in which case one can proceed.
- Alternatively, the Kerberos server may return a TGT for a realm which
- is "closer" to the desired realm (further along the standard
- hierarchical path), in which case this step must be repeated with a
- Kerberos server in the realm specified in the returned TGT. If
- neither are returned, then the request must be retried with a
- Kerberos server for a realm higher in the hierarchy. This request
- will itself require a ticket-granting ticket for the higher realm
- which must be obtained by recursively applying these directions.
-
- Once the client obtains a ticket-granting ticket for the appropriate
- realm, it determines which Kerberos servers serve that realm, and
- contacts one. The list might be obtained through a configuration file
- or network service; as long as the secret keys exchanged by realms
- are kept secret, only denial of service results from a false Kerberos
- server.
-
- As in the AS exchange, the client may specify a number of options in
- the KRB_TGS_REQ message. The client prepares the KRB_TGS_REQ
- message, providing an authentication header as an element of the
- padata field, and including the same fields as used in the KRB_AS_REQ
- message along with several optional fields: the enc-authorization-
- data field for application server use and additional tickets required
- by some options.
- - In preparing the authentication header, the client can select a sub- - session key under which the response from the Kerberos server will be - encrypted (If the client selects a sub-session key, care must be - taken to ensure the randomness of the selected subsession key. One - approach would be to generate a random number and XOR it with the - session key from the ticket-granting ticket.). If the sub-session key - is not specified, the session key from the ticket-granting ticket - will be used. If the enc-authorization-data is present, it must be - encrypted in the sub-session key, if present, from the authenticator - portion of the authentication header, or if not present in the - session key from the ticket-granting ticket. - - Once prepared, the message is sent to a Kerberos server for the - destination realm. See section A.5 for pseudocode. - -3.3.2. Receipt of KRB_TGS_REQ message - - The KRB_TGS_REQ message is processed in a manner similar to the - KRB_AS_REQ message, but there are many additional checks to be - performed. First, the Kerberos server must determine which server - the accompanying ticket is for and it must select the appropriate key - to decrypt it. For a normal KRB_TGS_REQ message, it will be for the - - - -Kohl & Neuman [Page 26] - -RFC 1510 Kerberos September 1993 - - - ticket granting service, and the TGS's key will be used. If the TGT - was issued by another realm, then the appropriate inter-realm key - must be used. If the accompanying ticket is not a ticket granting - ticket for the current realm, but is for an application server in the - current realm, the RENEW, VALIDATE, or PROXY options are specified in - the request, and the server for which a ticket is requested is the - server named in the accompanying ticket, then the KDC will decrypt - the ticket in the authentication header using the key of the server - for which it was issued. 
If no ticket can be found in the padata - field, the KDC_ERR_PADATA_TYPE_NOSUPP error is returned. - - Once the accompanying ticket has been decrypted, the user-supplied - checksum in the Authenticator must be verified against the contents - of the request, and the message rejected if the checksums do not - match (with an error code of KRB_AP_ERR_MODIFIED) or if the checksum - is not keyed or not collision-proof (with an error code of - KRB_AP_ERR_INAPP_CKSUM). If the checksum type is not supported, the - KDC_ERR_SUMTYPE_NOSUPP error is returned. If the authorization-data - are present, they are decrypted using the sub-session key from the - Authenticator. - - If any of the decryptions indicate failed integrity checks, the - KRB_AP_ERR_BAD_INTEGRITY error is returned. - -3.3.3. Generation of KRB_TGS_REP message - - The KRB_TGS_REP message shares its format with the KRB_AS_REP - (KRB_KDC_REP), but with its type field set to KRB_TGS_REP. The - detailed specification is in section 5.4.2. - - The response will include a ticket for the requested server. The - Kerberos database is queried to retrieve the record for the requested - server (including the key with which the ticket will be encrypted). - If the request is for a ticket granting ticket for a remote realm, - and if no key is shared with the requested realm, then the Kerberos - server will select the realm "closest" to the requested realm with - which it does share a key, and use that realm instead. This is the - only case where the response from the KDC will be for a different - server than that requested by the client. - - By default, the address field, the client's name and realm, the list - of transited realms, the time of initial authentication, the - expiration time, and the authorization data of the newly-issued - ticket will be copied from the ticket-granting ticket (TGT) or - renewable ticket. 
If the transited field needs to be updated, but - the transited type is not supported, the KDC_ERR_TRTYPE_NOSUPP error - is returned. - - - - -Kohl & Neuman [Page 27] - -RFC 1510 Kerberos September 1993 - - - If the request specifies an endtime, then the endtime of the new - ticket is set to the minimum of (a) that request, (b) the endtime - from the TGT, and (c) the starttime of the TGT plus the minimum of - the maximum life for the application server and the maximum life for - the local realm (the maximum life for the requesting principal was - already applied when the TGT was issued). If the new ticket is to be - a renewal, then the endtime above is replaced by the minimum of (a) - the value of the renew_till field of the ticket and (b) the starttime - for the new ticket plus the life (endtimestarttime) of the old - ticket. - - If the FORWARDED option has been requested, then the resulting ticket - will contain the addresses specified by the client. This option will - only be honored if the FORWARDABLE flag is set in the TGT. The PROXY - option is similar; the resulting ticket will contain the addresses - specified by the client. It will be honored only if the PROXIABLE - flag in the TGT is set. The PROXY option will not be honored on - requests for additional ticket-granting tickets. - - If the requested start time is absent or indicates a time in the - past, then the start time of the ticket is set to the authentication - server's current time. If it indicates a time in the future, but the - POSTDATED option has not been specified or the MAY-POSTDATE flag is - not set in the TGT, then the error KDC_ERR_CANNOT_POSTDATE is - returned. Otherwise, if the ticket-granting ticket has the - MAYPOSTDATE flag set, then the resulting ticket will be postdated and - the requested starttime is checked against the policy of the local - realm. If acceptable, the ticket's start time is set as requested, - and the INVALID flag is set. 
The postdated ticket must be validated - before use by presenting it to the KDC after the starttime has been - reached. However, in no case may the starttime, endtime, or renew- - till time of a newly-issued postdated ticket extend beyond the - renew-till time of the ticket-granting ticket. - - If the ENC-TKT-IN-SKEY option has been specified and an additional - ticket has been included in the request, the KDC will decrypt the - additional ticket using the key for the server to which the - additional ticket was issued and verify that it is a ticket-granting - ticket. If the name of the requested server is missing from the - request, the name of the client in the additional ticket will be - used. Otherwise the name of the requested server will be compared to - the name of the client in the additional ticket and if different, the - request will be rejected. If the request succeeds, the session key - from the additional ticket will be used to encrypt the new ticket - that is issued instead of using the key of the server for which the - new ticket will be used (This allows easy implementation of user-to- - user authentication [6], which uses ticket-granting ticket session - keys in lieu of secret server keys in situations where such secret - - - -Kohl & Neuman [Page 28] - -RFC 1510 Kerberos September 1993 - - - keys could be easily compromised.). - - If the name of the server in the ticket that is presented to the KDC - as part of the authentication header is not that of the ticket- - granting server itself, and the server is registered in the realm of - the KDC, If the RENEW option is requested, then the KDC will verify - that the RENEWABLE flag is set in the ticket and that the renew_till - time is still in the future. If the VALIDATE option is rqeuested, - the KDC will check that the starttime has passed and the INVALID flag - is set. If the PROXY option is requested, then the KDC will check - that the PROXIABLE flag is set in the ticket. 
If the tests succeed, - the KDC will issue the appropriate new ticket. - - Whenever a request is made to the ticket-granting server, the - presented ticket(s) is(are) checked against a hot-list of tickets - which have been canceled. This hot-list might be implemented by - storing a range of issue dates for "suspect tickets"; if a presented - ticket had an authtime in that range, it would be rejected. In this - way, a stolen ticket-granting ticket or renewable ticket cannot be - used to gain additional tickets (renewals or otherwise) once the - theft has been reported. Any normal ticket obtained before it was - reported stolen will still be valid (because they require no - interaction with the KDC), but only until their normal expiration - time. - - The ciphertext part of the response in the KRB_TGS_REP message is - encrypted in the sub-session key from the Authenticator, if present, - or the session key key from the ticket-granting ticket. It is not - encrypted using the client's secret key. Furthermore, the client's - key's expiration date and the key version number fields are left out - since these values are stored along with the client's database - record, and that record is not needed to satisfy a request based on a - ticket-granting ticket. See section A.6 for pseudocode. - -3.3.3.1. Encoding the transited field - - If the identity of the server in the TGT that is presented to the KDC - as part of the authentication header is that of the ticket-granting - service, but the TGT was issued from another realm, the KDC will look - up the inter-realm key shared with that realm and use that key to - decrypt the ticket. If the ticket is valid, then the KDC will honor - the request, subject to the constraints outlined above in the section - describing the AS exchange. The realm part of the client's identity - will be taken from the ticket-granting ticket. 
The name of the realm - that issued the ticket-granting ticket will be added to the transited - field of the ticket to be issued. This is accomplished by reading - the transited field from the ticket-granting ticket (which is treated - as an unordered set of realm names), adding the new realm to the set, - - - -Kohl & Neuman [Page 29] - -RFC 1510 Kerberos September 1993 - - - then constructing and writing out its encoded (shorthand) form (this - may involve a rearrangement of the existing encoding). - - Note that the ticket-granting service does not add the name of its - own realm. Instead, its responsibility is to add the name of the - previous realm. This prevents a malicious Kerberos server from - intentionally leaving out its own name (it could, however, omit other - realms' names). - - The names of neither the local realm nor the principal's realm are to - be included in the transited field. They appear elsewhere in the - ticket and both are known to have taken part in authenticating the - principal. Since the endpoints are not included, both local and - single-hop inter-realm authentication result in a transited field - that is empty. - - Because the name of each realm transited is added to this field, - it might potentially be very long. To decrease the length of this - field, its contents are encoded. The initially supported encoding is - optimized for the normal case of inter-realm communication: a - hierarchical arrangement of realms using either domain or X.500 style - realm names. This encoding (called DOMAIN-X500-COMPRESS) is now - described. - - Realm names in the transited field are separated by a ",". The ",", - "\", trailing "."s, and leading spaces (" ") are special characters, - and if they are part of a realm name, they must be quoted in the - transited field by preceding them with a "\". - - A realm name ending with a "." is interpreted as being prepended to - the previous realm. 
For example, we can encode traversal of EDU, - MIT.EDU, ATHENA.MIT.EDU, WASHINGTON.EDU, and CS.WASHINGTON.EDU as: - - "EDU,MIT.,ATHENA.,WASHINGTON.EDU,CS.". - - Note that if ATHENA.MIT.EDU, or CS.WASHINGTON.EDU were endpoints, - that they would not be included in this field, and we would have: - - "EDU,MIT.,WASHINGTON.EDU" - - A realm name beginning with a "/" is interpreted as being appended to - the previous realm (For the purpose of appending, the realm preceding - the first listed realm is considered to be the null realm ("")). If - it is to stand by itself, then it should be preceded by a space (" - "). For example, we can encode traversal of /COM/HP/APOLLO, /COM/HP, - /COM, and /COM/DEC as: - - "/COM,/HP,/APOLLO, /COM/DEC". - - - -Kohl & Neuman [Page 30] - -RFC 1510 Kerberos September 1993 - - - Like the example above, if /COM/HP/APOLLO and /COM/DEC are endpoints, - they they would not be included in this field, and we would have: - - "/COM,/HP" - - A null subfield preceding or following a "," indicates that all - realms between the previous realm and the next realm have been - traversed (For the purpose of interpreting null subfields, the - client's realm is considered to precede those in the transited field, - and the server's realm is considered to follow them.). Thus, "," - means that all realms along the path between the client and the - server have been traversed. ",EDU, /COM," means that that all realms - from the client's realm up to EDU (in a domain style hierarchy) have - been traversed, and that everything from /COM down to the server's - realm in an X.500 style has also been traversed. This could occur if - the EDU realm in one hierarchy shares an inter-realm key directly - with the /COM realm in another hierarchy. - -3.3.4. Receipt of KRB_TGS_REP message - - When the KRB_TGS_REP is received by the client, it is processed in - the same manner as the KRB_AS_REP processing described above. 
The - primary difference is that the ciphertext part of the response must - be decrypted using the session key from the ticket-granting ticket - rather than the client's secret key. See section A.7 for pseudocode. - -3.4. The KRB_SAFE Exchange - - The KRB_SAFE message may be used by clients requiring the ability to - detect modifications of messages they exchange. It achieves this by - including a keyed collisionproof checksum of the user data and some - control information. The checksum is keyed with an encryption key - (usually the last key negotiated via subkeys, or the session key if - no negotiation has occured). - -3.4.1. Generation of a KRB_SAFE message - - When an application wishes to send a KRB_SAFE message, it collects - its data and the appropriate control information and computes a - checksum over them. The checksum algorithm should be some sort of - keyed one-way hash function (such as the RSA-MD5-DES checksum - algorithm specified in section 6.4.5, or the DES MAC), generated - using the sub-session key if present, or the session key. Different - algorithms may be selected by changing the checksum type in the - message. Unkeyed or non-collision-proof checksums are not suitable - for this use. - - The control information for the KRB_SAFE message includes both a - - - -Kohl & Neuman [Page 31] - -RFC 1510 Kerberos September 1993 - - - timestamp and a sequence number. The designer of an application - using the KRB_SAFE message must choose at least one of the two - mechanisms. This choice should be based on the needs of the - application protocol. - - Sequence numbers are useful when all messages sent will be received - by one's peer. Connection state is presently required to maintain - the session key, so maintaining the next sequence number should not - present an additional problem. - - If the application protocol is expected to tolerate lost messages - without them being resent, the use of the timestamp is the - appropriate replay detection mechanism. 
Using timestamps is also the - appropriate mechanism for multi-cast protocols where all of one's - peers share a common sub-session key, but some messages will be sent - to a subset of one's peers. - - After computing the checksum, the client then transmits the - information and checksum to the recipient in the message format - specified in section 5.6.1. - -3.4.2. Receipt of KRB_SAFE message - - When an application receives a KRB_SAFE message, it verifies it as - follows. If any error occurs, an error code is reported for use by - the application. - - The message is first checked by verifying that the protocol version - and type fields match the current version and KRB_SAFE, respectively. - A mismatch generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE - error. The application verifies that the checksum used is a - collisionproof keyed checksum, and if it is not, a - KRB_AP_ERR_INAPP_CKSUM error is generated. The recipient verifies - that the operating system's report of the sender's address matches - the sender's address in the message, and (if a recipient address is - specified or the recipient requires an address) that one of the - recipient's addresses appears as the recipient's address in the - message. A failed match for either case generates a - KRB_AP_ERR_BADADDR error. Then the timestamp and usec and/or the - sequence number fields are checked. If timestamp and usec are - expected and not present, or they are present but not current, the - KRB_AP_ERR_SKEW error is generated. If the server name, along with - the client name, time and microsecond fields from the Authenticator - match any recently-seen such tuples, the KRB_AP_ERR_REPEAT error is - generated. If an incorrect sequence number is included, or a - sequence number is expected but not present, the KRB_AP_ERR_BADORDER - error is generated. If neither a timestamp and usec or a sequence - number is present, a KRB_AP_ERR_MODIFIED error is generated. 
- - - -Kohl & Neuman [Page 32] - -RFC 1510 Kerberos September 1993 - - - Finally, the checksum is computed over the data and control - information, and if it doesn't match the received checksum, a - KRB_AP_ERR_MODIFIED error is generated. - - If all the checks succeed, the application is assured that the - message was generated by its peer and was not modified in transit. - -3.5. The KRB_PRIV Exchange - - The KRB_PRIV message may be used by clients requiring confidentiality - and the ability to detect modifications of exchanged messages. It - achieves this by encrypting the messages and adding control - information. - -3.5.1. Generation of a KRB_PRIV message - - When an application wishes to send a KRB_PRIV message, it collects - its data and the appropriate control information (specified in - section 5.7.1) and encrypts them under an encryption key (usually the - last key negotiated via subkeys, or the session key if no negotiation - has occured). As part of the control information, the client must - choose to use either a timestamp or a sequence number (or both); see - the discussion in section 3.4.1 for guidelines on which to use. - After the user data and control information are encrypted, the client - transmits the ciphertext and some "envelope" information to the - recipient. - -3.5.2. Receipt of KRB_PRIV message - - When an application receives a KRB_PRIV message, it verifies it as - follows. If any error occurs, an error code is reported for use by - the application. - - The message is first checked by verifying that the protocol version - and type fields match the current version and KRB_PRIV, respectively. - A mismatch generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE - error. The application then decrypts the ciphertext and processes - the resultant plaintext. If decryption shows the data to have been - modified, a KRB_AP_ERR_BAD_INTEGRITY error is generated. 
The - recipient verifies that the operating system's report of the sender's - address matches the sender's address in the message, and (if a - recipient address is specified or the recipient requires an address) - that one of the recipient's addresses appears as the recipient's - address in the message. A failed match for either case generates a - KRB_AP_ERR_BADADDR error. Then the timestamp and usec and/or the - sequence number fields are checked. If timestamp and usec are - expected and not present, or they are present but not current, the - KRB_AP_ERR_SKEW error is generated. If the server name, along with - - - -Kohl & Neuman [Page 33] - -RFC 1510 Kerberos September 1993 - - - the client name, time and microsecond fields from the Authenticator - match any recently-seen such tuples, the KRB_AP_ERR_REPEAT error is - generated. If an incorrect sequence number is included, or a - sequence number is expected but not present, the KRB_AP_ERR_BADORDER - error is generated. If neither a timestamp and usec or a sequence - number is present, a KRB_AP_ERR_MODIFIED error is generated. - - If all the checks succeed, the application can assume the message was - generated by its peer, and was securely transmitted (without - intruders able to see the unencrypted contents). - -3.6. The KRB_CRED Exchange - - The KRB_CRED message may be used by clients requiring the ability to - send Kerberos credentials from one host to another. It achieves this - by sending the tickets together with encrypted data containing the - session keys and other information associated with the tickets. - -3.6.1. Generation of a KRB_CRED message - - When an application wishes to send a KRB_CRED message it first (using - the KRB_TGS exchange) obtains credentials to be sent to the remote - host. 
It then constructs a KRB_CRED message using the ticket or - tickets so obtained, placing the session key needed to use each - ticket in the key field of the corresponding KrbCredInfo sequence of - the encrypted part of the the KRB_CRED message. - - Other information associated with each ticket and obtained during the - KRB_TGS exchange is also placed in the corresponding KrbCredInfo - sequence in the encrypted part of the KRB_CRED message. The current - time and, if specifically required by the application the nonce, s- - address, and raddress fields, are placed in the encrypted part of the - KRB_CRED message which is then encrypted under an encryption key - previosuly exchanged in the KRB_AP exchange (usually the last key - negotiated via subkeys, or the session key if no negotiation has - occured). - -3.6.2. Receipt of KRB_CRED message - - When an application receives a KRB_CRED message, it verifies it. If - any error occurs, an error code is reported for use by the - application. The message is verified by checking that the protocol - version and type fields match the current version and KRB_CRED, - respectively. A mismatch generates a KRB_AP_ERR_BADVERSION or - KRB_AP_ERR_MSG_TYPE error. The application then decrypts the - ciphertext and processes the resultant plaintext. If decryption shows - the data to have been modified, a KRB_AP_ERR_BAD_INTEGRITY error is - generated. - - - -Kohl & Neuman [Page 34] - -RFC 1510 Kerberos September 1993 - - - If present or required, the recipient verifies that the operating - system's report of the sender's address matches the sender's address - in the message, and that one of the recipient's addresses appears as - the recipient's address in the message. A failed match for either - case generates a KRB_AP_ERR_BADADDR error. The timestamp and usec - fields (and the nonce field if required) are checked next. 
If the - timestamp and usec are not present, or they are present but not - current, the KRB_AP_ERR_SKEW error is generated. - - If all the checks succeed, the application stores each of the new - tickets in its ticket cache together with the session key and other - information in the corresponding KrbCredInfo sequence from the - encrypted part of the KRB_CRED message. - -4. The Kerberos Database - - The Kerberos server must have access to a database containing the - principal identifiers and secret keys of principals to be - authenticated (The implementation of the Kerberos server need not - combine the database and the server on the same machine; it is - feasible to store the principal database in, say, a network name - service, as long as the entries stored therein are protected from - disclosure to and modification by unauthorized parties. However, we - recommend against such strategies, as they can make system management - and threat analysis quite complex.). - -4.1. Database contents - - A database entry should contain at least the following fields: - - Field Value - - name Principal's identifier - key Principal's secret key - p_kvno Principal's key version - max_life Maximum lifetime for Tickets - max_renewable_life Maximum total lifetime for renewable - Tickets - - The name field is an encoding of the principal's identifier. The key - field contains an encryption key. This key is the principal's secret - key. (The key can be encrypted before storage under a Kerberos - "master key" to protect it in case the database is compromised but - the master key is not. In that case, an extra field must be added to - indicate the master key version used, see below.) The p_kvno field is - the key version number of the principal's secret key. The max_life - field contains the maximum allowable lifetime (endtime - starttime) - for any Ticket issued for this principal. 
The max_renewable_life - - - -Kohl & Neuman [Page 35] - -RFC 1510 Kerberos September 1993 - - - field contains the maximum allowable total lifetime for any renewable - Ticket issued for this principal. (See section 3.1 for a description - of how these lifetimes are used in determining the lifetime of a - given Ticket.) - - A server may provide KDC service to several realms, as long as the - database representation provides a mechanism to distinguish between - principal records with identifiers which differ only in the realm - name. - - When an application server's key changes, if the change is routine - (i.e., not the result of disclosure of the old key), the old key - should be retained by the server until all tickets that had been - issued using that key have expired. Because of this, it is possible - for several keys to be active for a single principal. Ciphertext - encrypted in a principal's key is always tagged with the version of - the key that was used for encryption, to help the recipient find the - proper key for decryption. - - When more than one key is active for a particular principal, the - principal will have more than one record in the Kerberos database. - The keys and key version numbers will differ between the records (the - rest of the fields may or may not be the same). Whenever Kerberos - issues a ticket, or responds to a request for initial authentication, - the most recent key (known by the Kerberos server) will be used for - encryption. This is the key with the highest key version number. - -4.2. Additional fields - - Project Athena's KDC implementation uses additional fields in its - database: - - Field Value - - K_kvno Kerberos' key version - expiration Expiration date for entry - attributes Bit field of attributes - mod_date Timestamp of last modification - mod_name Modifying principal's identifier - - The K_kvno field indicates the key version of the Kerberos master key - under which the principal's secret key is encrypted. 
- - After an entry's expiration date has passed, the KDC will return an - error to any client attempting to gain tickets as or for the - principal. (A database may want to maintain two expiration dates: - one for the principal, and one for the principal's current key. This - allows password aging to work independently of the principal's - - - -Kohl & Neuman [Page 36] - -RFC 1510 Kerberos September 1993 - - - expiration date. However, due to the limited space in the responses, - the KDC must combine the key expiration and principal expiration date - into a single value called "key_exp", which is used as a hint to the - user to take administrative action.) - - The attributes field is a bitfield used to govern the operations - involving the principal. This field might be useful in conjunction - with user registration procedures, for site-specific policy - implementations (Project Athena currently uses it for their user - registration process controlled by the system-wide database service, - Moira [7]), or to identify the "string to key" conversion algorithm - used for a principal's key. (See the discussion of the padata field - in section 5.4.2 for details on why this can be useful.) Other bits - are used to indicate that certain ticket options should not be - allowed in tickets encrypted under a principal's key (one bit each): - Disallow issuing postdated tickets, disallow issuing forwardable - tickets, disallow issuing tickets based on TGT authentication, - disallow issuing renewable tickets, disallow issuing proxiable - tickets, and disallow issuing tickets for which the principal is the - server. - - The mod_date field contains the time of last modification of the - entry, and the mod_name field contains the name of the principal - which last modified the entry. - -4.3. Frequently Changing Fields - - Some KDC implementations may wish to maintain the last time that a - request was made by a particular principal. 
Information that might - be maintained includes the time of the last request, the time of the - last request for a ticket-granting ticket, the time of the last use - of a ticket-granting ticket, or other times. This information can - then be returned to the user in the last-req field (see section 5.2). - - Other frequently changing information that can be maintained is the - latest expiration time for any tickets that have been issued using - each key. This field would be used to indicate how long old keys - must remain valid to allow the continued use of outstanding tickets. - -4.4. Site Constants - - The KDC implementation should have the following configurable - constants or options, to allow an administrator to make and enforce - policy decisions: - - + The minimum supported lifetime (used to determine whether the - KDC_ERR_NEVER_VALID error should be returned). This constant - should reflect reasonable expectations of round-trip time to the - - - -Kohl & Neuman [Page 37] - -RFC 1510 Kerberos September 1993 - - - KDC, encryption/decryption time, and processing time by the client - and target server, and it should allow for a minimum "useful" - lifetime. - - + The maximum allowable total (renewable) lifetime of a ticket - (renew_till - starttime). - - + The maximum allowable lifetime of a ticket (endtime - starttime). - - + Whether to allow the issue of tickets with empty address fields - (including the ability to specify that such tickets may only be - issued if the request specifies some authorization_data). - - + Whether proxiable, forwardable, renewable or post-datable tickets - are to be issued. - -5. Message Specifications - - The following sections describe the exact contents and encoding of - protocol messages and objects. The ASN.1 base definitions are - presented in the first subsection. The remaining subsections specify - the protocol objects (tickets and authenticators) and messages. 
- Specification of encryption and checksum techniques, and the fields - related to them, appear in section 6. - -5.1. ASN.1 Distinguished Encoding Representation - - All uses of ASN.1 in Kerberos shall use the Distinguished Encoding - Representation of the data elements as described in the X.509 - specification, section 8.7 [8]. - -5.2. ASN.1 Base Definitions - - The following ASN.1 base definitions are used in the rest of this - section. Note that since the underscore character (_) is not - permitted in ASN.1 names, the hyphen (-) is used in its place for the - purposes of ASN.1 names. - - Realm ::= GeneralString - PrincipalName ::= SEQUENCE { - name-type[0] INTEGER, - name-string[1] SEQUENCE OF GeneralString - } - - Kerberos realms are encoded as GeneralStrings. Realms shall not - contain a character with the code 0 (the ASCII NUL). Most realms - will usually consist of several components separated by periods (.), - in the style of Internet Domain Names, or separated by slashes (/) in - - - -Kohl & Neuman [Page 38] - -RFC 1510 Kerberos September 1993 - - - the style of X.500 names. Acceptable forms for realm names are - specified in section 7. A PrincipalName is a typed sequence of - components consisting of the following sub-fields: - - name-type This field specifies the type of name that follows. - Pre-defined values for this field are - specified in section 7.2. The name-type should be - treated as a hint. Ignoring the name type, no two - names can be the same (i.e., at least one of the - components, or the realm, must be different). - This constraint may be eliminated in the future. - - name-string This field encodes a sequence of components that - form a name, each component encoded as a General - String. Taken together, a PrincipalName and a Realm - form a principal identifier. Most PrincipalNames - will have only a few components (typically one or two). 
-
- KerberosTime ::= GeneralizedTime
- -- Specifying UTC time zone (Z)
-
- The timestamps used in Kerberos are encoded as GeneralizedTimes. An
- encoding shall specify the UTC time zone (Z) and shall not include
- any fractional portions of the seconds. It further shall not include
- any separators. Example: The only valid format for UTC time 6
- minutes, 27 seconds after 9 pm on 6 November 1985 is 19851106210627Z.
-
- HostAddress ::= SEQUENCE {
- addr-type[0] INTEGER,
- address[1] OCTET STRING
- }
-
- HostAddresses ::= SEQUENCE OF SEQUENCE {
- addr-type[0] INTEGER,
- address[1] OCTET STRING
- }
-
-
- The host adddress encodings consists of two fields:
-
- addr-type This field specifies the type of address that
- follows. Pre-defined values for this field are
- specified in section 8.1.
-
-
- address This field encodes a single address of type addr-type.
-
- The two forms differ slightly. HostAddress contains exactly one
-
-
-
-Kohl & Neuman [Page 39]
-
-RFC 1510 Kerberos September 1993
-
-
- address; HostAddresses contains a sequence of possibly many
- addresses.
-
- AuthorizationData ::= SEQUENCE OF SEQUENCE {
- ad-type[0] INTEGER,
- ad-data[1] OCTET STRING
- }
-
-
- ad-data This field contains authorization data to be
- interpreted according to the value of the
- corresponding ad-type field.
-
- ad-type This field specifies the format for the ad-data
- subfield. All negative values are reserved for
- local use. Non-negative values are reserved for
- registered use.
-
- APOptions ::= BIT STRING {
- reserved(0),
- use-session-key(1),
- mutual-required(2)
- }
-
-
- TicketFlags ::= BIT STRING {
- reserved(0),
- forwardable(1),
- forwarded(2),
- proxiable(3),
- proxy(4),
- may-postdate(5),
- postdated(6),
- invalid(7),
- renewable(8),
- initial(9),
- pre-authent(10),
- hw-authent(11)
- }
-
- KDCOptions ::= BIT STRING {
- reserved(0),
- forwardable(1),
- forwarded(2),
- proxiable(3),
- proxy(4),
- allow-postdate(5),
- postdated(6),
-
-
-
-Kohl & Neuman [Page 40]
-
-RFC 1510 Kerberos September 1993
-
-
- unused7(7),
- renewable(8),
- unused9(9),
- unused10(10),
- unused11(11),
- renewable-ok(27),
- enc-tkt-in-skey(28),
- renew(30),
- validate(31)
- }
-
-
- LastReq ::= SEQUENCE OF SEQUENCE {
- lr-type[0] INTEGER,
- lr-value[1] KerberosTime
- }
-
- lr-type This field indicates how the following lr-value
- field is to be interpreted. Negative values indicate
- that the information pertains only to the
- responding server. Non-negative values pertain to
- all servers for the realm.
-
- If the lr-type field is zero (0), then no information
- is conveyed by the lr-value subfield. If the
- absolute value of the lr-type field is one (1),
- then the lr-value subfield is the time of last
- initial request for a TGT. If it is two (2), then
- the lr-value subfield is the time of last initial
- request. If it is three (3), then the lr-value
- subfield is the time of issue for the newest
- ticket-granting ticket used. If it is four (4),
- then the lr-value subfield is the time of the last
- renewal. If it is five (5), then the lr-value
- subfield is the time of last request (of any
- type).
-
- lr-value This field contains the time of the last request.
- The time must be interpreted according to the contents
- of the accompanying lr-type subfield.
-
- See section 6 for the definitions of Checksum, ChecksumType,
- EncryptedData, EncryptionKey, EncryptionType, and KeyType.
-
-
-
-
-
-
-
-
-Kohl & Neuman [Page 41]
-
-RFC 1510 Kerberos September 1993
-
-
-5.3. Tickets and Authenticators
-
- This section describes the format and encryption parameters for
- tickets and authenticators. When a ticket or authenticator is
- included in a protocol message it is treated as an opaque object.
-
-5.3.1. Tickets
-
- A ticket is a record that helps a client authenticate to a service.
- A Ticket contains the following information:
-
-Ticket ::= [APPLICATION 1] SEQUENCE {
- tkt-vno[0] INTEGER,
- realm[1] Realm,
- sname[2] PrincipalName,
- enc-part[3] EncryptedData
-}
--- Encrypted part of ticket
-EncTicketPart ::= [APPLICATION 3] SEQUENCE {
- flags[0] TicketFlags,
- key[1] EncryptionKey,
- crealm[2] Realm,
- cname[3] PrincipalName,
- transited[4] TransitedEncoding,
- authtime[5] KerberosTime,
- starttime[6] KerberosTime OPTIONAL,
- endtime[7] KerberosTime,
- renew-till[8] KerberosTime OPTIONAL,
- caddr[9] HostAddresses OPTIONAL,
- authorization-data[10] AuthorizationData OPTIONAL
-}
--- encoded Transited field
-TransitedEncoding ::= SEQUENCE {
- tr-type[0] INTEGER, -- must be registered
- contents[1] OCTET STRING
-}
-
- The encoding of EncTicketPart is encrypted in the key shared by
- Kerberos and the end server (the server's secret key). See section 6
- for the format of the ciphertext.
-
- tkt-vno This field specifies the version number for the ticket
- format. This document describes version number 5.
-
- realm This field specifies the realm that issued a ticket. It
- also serves to identify the realm part of the server's
- principal identifier. Since a Kerberos server can only
- issue tickets for servers within its realm, the two will
-
-
-
-Kohl & Neuman [Page 42]
-
-RFC 1510 Kerberos September 1993
-
-
- always be identical.
-
- sname This field specifies the name part of the server's
- identity.
-
- enc-part This field holds the encrypted encoding of the
- EncTicketPart sequence.
-
- flags This field indicates which of various options were used or
- requested when the ticket was issued. It is a bit-field,
- where the selected options are indicated by the bit being
- set (1), and the unselected options and reserved fields
- being reset (0). Bit 0 is the most significant bit. The
- encoding of the bits is specified in section 5.2. The
- flags are described in more detail above in section 2. The
- meanings of the flags are:
-
- Bit(s) Name Description
-
- 0 RESERVED Reserved for future expansion of this
- field.
-
- 1 FORWARDABLE The FORWARDABLE flag is normally only
- interpreted by the TGS, and can be
- ignored by end servers. When set,
- this flag tells the ticket-granting
- server that it is OK to issue a new
- ticket- granting ticket with a
- different network address based on
- the presented ticket.
-
- 2 FORWARDED When set, this flag indicates that
- the ticket has either been forwarded
- or was issued based on authentication
- involving a forwarded ticket-granting
- ticket.
-
- 3 PROXIABLE The PROXIABLE flag is normally only
- interpreted by the TGS, and can be
- ignored by end servers. The PROXIABLE
- flag has an interpretation identical
- to that of the FORWARDABLE flag,
- except that the PROXIABLE flag tells
- the ticket-granting server that only
- non- ticket-granting tickets may be
- issued with different network
- addresses.
-
-
-
-
-Kohl & Neuman [Page 43]
-
-RFC 1510 Kerberos September 1993
-
-
- 4 PROXY When set, this flag indicates that a
- ticket is a proxy.
-
- 5 MAY-POSTDATE The MAY-POSTDATE flag is normally
- only interpreted by the TGS, and can
- be ignored by end servers. This flag
- tells the ticket-granting server that
- a post- dated ticket may be issued
- based on this ticket-granting ticket.
-
- 6 POSTDATED This flag indicates that this ticket
- has been postdated. The end-service
- can check the authtime field to see
- when the original authentication
- occurred.
-
- 7 INVALID This flag indicates that a ticket is
- invalid, and it must be validated by
- the KDC before use. Application
- servers must reject tickets which
- have this flag set.
-
- 8 RENEWABLE The RENEWABLE flag is normally only
- interpreted by the TGS, and can
- usually be ignored by end servers
- (some particularly careful servers
- may wish to disallow renewable
- tickets). A renewable ticket can be
- used to obtain a replacement ticket
- that expires at a later date.
-
- 9 INITIAL This flag indicates that this ticket
- was issued using the AS protocol, and
- not issued based on a ticket-granting
- ticket.
-
- 10 PRE-AUTHENT This flag indicates that during
- initial authentication, the client
- was authenticated by the KDC before a
- ticket was issued. The strength of
- the preauthentication method is not
- indicated, but is acceptable to the
- KDC.
-
- 11 HW-AUTHENT This flag indicates that the protocol
- employed for initial authentication
- required the use of hardware expected
- to be possessed solely by the named
-
-
-
-Kohl & Neuman [Page 44]
-
-RFC 1510 Kerberos September 1993
-
-
- client. The hardware authentication
- method is selected by the KDC and the
- strength of the method is not
- indicated.
-
- 12-31 RESERVED Reserved for future use.
-
- key This field exists in the ticket and the KDC response and is
- used to pass the session key from Kerberos to the
- application server and the client. The field's encoding is
- described in section 6.2.
-
- crealm This field contains the name of the realm in which the
- client is registered and in which initial authentication
- took place.
-
- cname This field contains the name part of the client's principal
- identifier.
-
- transited This field lists the names of the Kerberos realms that took
- part in authenticating the user to whom this ticket was
- issued. It does not specify the order in which the realms
- were transited.
See section 3.3.3.1 for details on how
- this field encodes the traversed realms.
-
- authtime This field indicates the time of initial authentication for
- the named principal. It is the time of issue for the
- original ticket on which this ticket is based. It is
- included in the ticket to provide additional information to
- the end service, and to provide the necessary information
- for implementation of a `hot list' service at the KDC. An
- end service that is particularly paranoid could refuse to
- accept tickets for which the initial authentication
- occurred "too far" in the past.
-
- This field is also returned as part of the response from
- the KDC. When returned as part of the response to initial
- authentication (KRB_AS_REP), this is the current time on
- the Kerberos server (It is NOT recommended that this time
- value be used to adjust the workstation's clock since the
- workstation cannot reliably determine that such a
- KRB_AS_REP actually came from the proper KDC in a timely
- manner.).
-
- starttime This field in the ticket specifies the time after which the
- ticket is valid. Together with endtime, this field
- specifies the life of the ticket. If it is absent from
- the ticket, its value should be treated as that of the
-
-
-
-Kohl & Neuman [Page 45]
-
-RFC 1510 Kerberos September 1993
-
-
- authtime field.
-
- endtime This field contains the time after which the ticket will
- not be honored (its expiration time). Note that individual
- services may place their own limits on the life of a ticket
- and may reject tickets which have not yet expired. As
- such, this is really an upper bound on the expiration time
- for the ticket.
-
- renew-till This field is only present in tickets that have the
- RENEWABLE flag set in the flags field. It indicates the
- maximum endtime that may be included in a renewal. It can
- be thought of as the absolute expiration time for the
- ticket, including all renewals.
-
- caddr This field in a ticket contains zero (if omitted) or more
- (if present) host addresses. These are the addresses from
- which the ticket can be used. If there are no addresses,
- the ticket can be used from any location. The decision
- by the KDC to issue or by the end server to accept zero-
- address tickets is a policy decision and is left to the
- Kerberos and end-service administrators; they may refuse to
- issue or accept such tickets. The suggested and default
- policy, however, is that such tickets will only be issued
- or accepted when additional information that can be used to
- restrict the use of the ticket is included in the
- authorization_data field. Such a ticket is a capability.
-
- Network addresses are included in the ticket to make it
- harder for an attacker to use stolen credentials. Because
- the session key is not sent over the network in cleartext,
- credentials can't be stolen simply by listening to the
- network; an attacker has to gain access to the session key
- (perhaps through operating system security breaches or a
- careless user's unattended session) to make use of stolen
- tickets.
-
- It is important to note that the network address from which
- a connection is received cannot be reliably determined.
- Even if it could be, an attacker who has compromised the
- client's workstation could use the credentials from there.
- Including the network addresses only makes it more
- difficult, not impossible, for an attacker to walk off with
- stolen credentials and then use them from a "safe"
- location.
-
-
-
-
-
-
-Kohl & Neuman [Page 46]
-
-RFC 1510 Kerberos September 1993
-
-
- authorization-data The authorization-data field is used to pass
- authorization data from the principal on whose behalf a
- ticket was issued to the application service. If no
- authorization data is included, this field will be left
- out. The data in this field are specific to the end
- service.
It is expected that the field will contain the
- names of service specific objects, and the rights to those
- objects. The format for this field is described in section
- 5.2. Although Kerberos is not concerned with the format of
- the contents of the subfields, it does carry type
- information (ad-type).
-
- By using the authorization_data field, a principal is able
- to issue a proxy that is valid for a specific purpose. For
- example, a client wishing to print a file can obtain a file
- server proxy to be passed to the print server. By
- specifying the name of the file in the authorization_data
- field, the file server knows that the print server can only
- use the client's rights when accessing the particular file
- to be printed.
-
- It is interesting to note that if one specifies the
- authorization-data field of a proxy and leaves the host
- addresses blank, the resulting ticket and session key can
- be treated as a capability. See [9] for some suggested
- uses of this field.
-
- The authorization-data field is optional and does not have
- to be included in a ticket.
-
-5.3.2. Authenticators
-
- An authenticator is a record sent with a ticket to a server to
- certify the client's knowledge of the encryption key in the ticket,
- to help the server detect replays, and to help choose a "true session
- key" to use with the particular session. The encoding is encrypted
- in the ticket's session key shared by the client and the server:
-
--- Unencrypted authenticator
-Authenticator ::= [APPLICATION 2] SEQUENCE {
- authenticator-vno[0] INTEGER,
- crealm[1] Realm,
- cname[2] PrincipalName,
- cksum[3] Checksum OPTIONAL,
- cusec[4] INTEGER,
- ctime[5] KerberosTime,
- subkey[6] EncryptionKey OPTIONAL,
- seq-number[7] INTEGER OPTIONAL,
-
-
-
-Kohl & Neuman [Page 47]
-
-RFC 1510 Kerberos September 1993
-
-
- authorization-data[8] AuthorizationData OPTIONAL
- }
-
- authenticator-vno This field specifies the version number for the
- format of the authenticator.
This document specifies
- version 5.
-
- crealm and cname These fields are the same as those described for the
- ticket in section 5.3.1.
-
- cksum This field contains a checksum of the the application data
- that accompanies the KRB_AP_REQ.
-
- cusec This field contains the microsecond part of the client's
- timestamp. Its value (before encryption) ranges from 0 to
- 999999. It often appears along with ctime. The two fields
- are used together to specify a reasonably accurate
- timestamp.
-
- ctime This field contains the current time on the client's host.
-
- subkey This field contains the client's choice for an encryption
- key which is to be used to protect this specific
- application session. Unless an application specifies
- otherwise, if this field is left out the session key from
- the ticket will be used.
-
- seq-number This optional field includes the initial sequence number
- to be used by the KRB_PRIV or KRB_SAFE messages when
- sequence numbers are used to detect replays (It may also be
- used by application specific messages). When included in
- the authenticator this field specifies the initial sequence
- number for messages from the client to the server. When
- included in the AP-REP message, the initial sequence number
- is that for messages from the server to the client. When
- used in KRB_PRIV or KRB_SAFE messages, it is incremented by
- one after each message is sent.
-
- For sequence numbers to adequately support the detection of
- replays they should be non-repeating, even across
- connection boundaries. The initial sequence number should
- be random and uniformly distributed across the full space
- of possible sequence numbers, so that it cannot be guessed
- by an attacker and so that it and the successive sequence
- numbers do not repeat other sequences.
-
-
-
-
-
-
-Kohl & Neuman [Page 48]
-
-RFC 1510 Kerberos September 1993
-
-
- authorization-data This field is the same as described for the ticket
- in section 5.3.1.
It is optional and will only appear when
- additional restrictions are to be placed on the use of a
- ticket, beyond those carried in the ticket itself.
-
-5.4. Specifications for the AS and TGS exchanges
-
- This section specifies the format of the messages used in exchange
- between the client and the Kerberos server. The format of possible
- error messages appears in section 5.9.1.
-
-5.4.1. KRB_KDC_REQ definition
-
- The KRB_KDC_REQ message has no type of its own. Instead, its type is
- one of KRB_AS_REQ or KRB_TGS_REQ depending on whether the request is
- for an initial ticket or an additional ticket. In either case, the
- message is sent from the client to the Authentication Server to
- request credentials for a service.
-
-The message fields are:
-
-AS-REQ ::= [APPLICATION 10] KDC-REQ
-TGS-REQ ::= [APPLICATION 12] KDC-REQ
-
-KDC-REQ ::= SEQUENCE {
- pvno[1] INTEGER,
- msg-type[2] INTEGER,
- padata[3] SEQUENCE OF PA-DATA OPTIONAL,
- req-body[4] KDC-REQ-BODY
-}
-
-PA-DATA ::= SEQUENCE {
- padata-type[1] INTEGER,
- padata-value[2] OCTET STRING,
- -- might be encoded AP-REQ
-}
-
-KDC-REQ-BODY ::= SEQUENCE {
- kdc-options[0] KDCOptions,
- cname[1] PrincipalName OPTIONAL,
- -- Used only in AS-REQ
- realm[2] Realm, -- Server's realm
- -- Also client's in AS-REQ
- sname[3] PrincipalName OPTIONAL,
- from[4] KerberosTime OPTIONAL,
- till[5] KerberosTime,
- rtime[6] KerberosTime OPTIONAL,
- nonce[7] INTEGER,
-
-
-
-Kohl & Neuman [Page 49]
-
-RFC 1510 Kerberos September 1993
-
-
- etype[8] SEQUENCE OF INTEGER, -- EncryptionType,
- -- in preference order
- addresses[9] HostAddresses OPTIONAL,
- enc-authorization-data[10] EncryptedData OPTIONAL,
- -- Encrypted AuthorizationData encoding
- additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
-}
-
- The fields in this message are:
-
- pvno This field is included in each message, and specifies the
- protocol version number. This document specifies protocol
- version 5.
-
- msg-type This field indicates the type of a protocol message. It
- will almost always be the same as the application
- identifier associated with a message. It is included to
- make the identifier more readily accessible to the
- application. For the KDC-REQ message, this type will be
- KRB_AS_REQ or KRB_TGS_REQ.
-
- padata The padata (pre-authentication data) field contains a of
- authentication information which may be needed before
- credentials can be issued or decrypted. In the case of
- requests for additional tickets (KRB_TGS_REQ), this field
- will include an element with padata-type of PA-TGS-REQ and
- data of an authentication header (ticket-granting ticket
- and authenticator). The checksum in the authenticator
- (which must be collisionproof) is to be computed over the
- KDC-REQ-BODY encoding. In most requests for initial
- authentication (KRB_AS_REQ) and most replies (KDC-REP), the
- padata field will be left out.
-
- This field may also contain information needed by certain
- extensions to the Kerberos protocol. For example, it might
- be used to initially verify the identity of a client before
- any response is returned. This is accomplished with a
- padata field with padata-type equal to PA-ENC-TIMESTAMP and
- padata-value defined as follows:
-
- padata-type ::= PA-ENC-TIMESTAMP
- padata-value ::= EncryptedData -- PA-ENC-TS-ENC
-
- PA-ENC-TS-ENC ::= SEQUENCE {
- patimestamp[0] KerberosTime, -- client's time
- pausec[1] INTEGER OPTIONAL
- }
-
-
-
-
-Kohl & Neuman [Page 50]
-
-RFC 1510 Kerberos September 1993
-
-
- with patimestamp containing the client's time and pausec
- containing the microseconds which may be omitted if a
- client will not generate more than one request per second.
- The ciphertext (padata-value) consists of the PA-ENC-TS-ENC
- sequence, encrypted using the client's secret key.
-
- The padata field can also contain information needed to
- help the KDC or the client select the key needed for
- generating or decrypting the response. This form of the
- padata is useful for supporting the use of certain
- "smartcards" with Kerberos. The details of such extensions
- are beyond the scope of this specification. See [10] for
- additional uses of this field.
-
- padata-type The padata-type element of the padata field indicates the
- way that the padata-value element is to be interpreted.
- Negative values of padata-type are reserved for
- unregistered use; non-negative values are used for a
- registered interpretation of the element type.
-
- req-body This field is a placeholder delimiting the extent of the
- remaining fields. If a checksum is to be calculated over
- the request, it is calculated over an encoding of the KDC-
- REQ-BODY sequence which is enclosed within the req-body
- field.
-
- kdc-options This field appears in the KRB_AS_REQ and KRB_TGS_REQ
- requests to the KDC and indicates the flags that the client
- wants set on the tickets as well as other information that
- is to modify the behavior of the KDC. Where appropriate,
- the name of an option may be the same as the flag that is
- set by that option. Although in most case, the bit in the
- options field will be the same as that in the flags field,
- this is not guaranteed, so it is not acceptable to simply
- copy the options field to the flags field. There are
- various checks that must be made before honoring an option
- anyway.
-
- The kdc_options field is a bit-field, where the selected
- options are indicated by the bit being set (1), and the
- unselected options and reserved fields being reset (0).
- The encoding of the bits is specified in section 5.2. The
- options are described in more detail above in section 2.
- The meanings of the options are:
-
-
-
-
-
-
-
-Kohl & Neuman [Page 51]
-
-RFC 1510 Kerberos September 1993
-
-
- Bit(s) Name Description
-
- 0 RESERVED Reserved for future expansion of this
- field.
-
- 1 FORWARDABLE The FORWARDABLE option indicates that
- the ticket to be issued is to have its
- forwardable flag set. It may only be
- set on the initial request, or in a
- subsequent request if the ticket-
- granting ticket on which it is based
- is also forwardable.
-
- 2 FORWARDED The FORWARDED option is only specified
- in a request to the ticket-granting
- server and will only be honored if the
- ticket-granting ticket in the request
- has its FORWARDABLE bit set. This
- option indicates that this is a
- request for forwarding. The
- address(es) of the host from which the
- resulting ticket is to be valid are
- included in the addresses field of the
- request.
-
-
- 3 PROXIABLE The PROXIABLE option indicates that
- the ticket to be issued is to have its
- proxiable flag set. It may only be set
- on the initial request, or in a
- subsequent request if the ticket-
- granting ticket on which it is based
- is also proxiable.
-
- 4 PROXY The PROXY option indicates that this
- is a request for a proxy. This option
- will only be honored if the ticket-
- granting ticket in the request has its
- PROXIABLE bit set. The address(es) of
- the host from which the resulting
- ticket is to be valid are included in
- the addresses field of the request.
-
- 5 ALLOW-POSTDATE The ALLOW-POSTDATE option indicates
- that the ticket to be issued is to
- have its MAY-POSTDATE flag set. It
- may only be set on the initial
- request, or in a subsequent request if
-
-
-
-Kohl & Neuman [Page 52]
-
-RFC 1510 Kerberos September 1993
-
-
- the ticket-granting ticket on which it
- is based also has its MAY-POSTDATE
- flag set.
-
- 6 POSTDATED The POSTDATED option indicates that
- this is a request for a postdated
- ticket.
This option will only be
- honored if the ticket-granting ticket
- on which it is based has its MAY-
- POSTDATE flag set. The resulting
- ticket will also have its INVALID flag
- set, and that flag may be reset by a
- subsequent request to the KDC after
- the starttime in the ticket has been
- reached.
-
- 7 UNUSED This option is presently unused.
-
- 8 RENEWABLE The RENEWABLE option indicates that
- the ticket to be issued is to have its
- RENEWABLE flag set. It may only be
- set on the initial request, or when
- the ticket-granting ticket on which
- the request is based is also
- renewable. If this option is
- requested, then the rtime field in the
- request contains the desired absolute
- expiration time for the ticket.
-
- 9-26 RESERVED Reserved for future use.
-
- 27 RENEWABLE-OK The RENEWABLE-OK option indicates that
- a renewable ticket will be acceptable
- if a ticket with the requested life
- cannot otherwise be provided. If a
- ticket with the requested life cannot
- be provided, then a renewable ticket
- may be issued with a renew-till equal
- to the the requested endtime. The
- value of the renew-till field may
- still be limited by local limits, or
- limits selected by the individual
- principal or server.
-
- 28 ENC-TKT-IN-SKEY This option is used only by the
- ticket-granting service. The ENC-
- TKT-IN-SKEY option indicates that the
- ticket for the end server is to be
-
-
-
-Kohl & Neuman [Page 53]
-
-RFC 1510 Kerberos September 1993
-
-
- encrypted in the session key from the
- additional ticket-granting ticket
- provided.
-
- 29 RESERVED Reserved for future use.
-
- 30 RENEW This option is used only by the
- ticket-granting service. The RENEW
- option indicates that the present
- request is for a renewal. The ticket
- provided is encrypted in the secret
- key for the server on which it is
- valid. This option will only be
- honored if the ticket to be renewed
- has its RENEWABLE flag set and if the
- time in its renew till field has not
- passed.
The ticket to be renewed is
- passed in the padata field as part of
- the authentication header.
-
- 31 VALIDATE This option is used only by the
- ticket-granting service. The VALIDATE
- option indicates that the request is
- to validate a postdated ticket. It
- will only be honored if the ticket
- presented is postdated, presently has
- its INVALID flag set, and would be
- otherwise usable at this time. A
- ticket cannot be validated before its
- starttime. The ticket presented for
- validation is encrypted in the key of
- the server for which it is valid and
- is passed in the padata field as part
- of the authentication header.
-
- cname and sname These fields are the same as those described for the
- ticket in section 5.3.1. sname may only be absent when the
- ENC-TKT-IN-SKEY option is specified. If absent, the name
- of the server is taken from the name of the client in the
- ticket passed as additional-tickets.
-
- enc-authorization-data The enc-authorization-data, if present (and it
- can only be present in the TGS_REQ form), is an encoding of
- the desired authorization-data encrypted under the sub-
- session key if present in the Authenticator, or
- alternatively from the session key in the ticket-granting
- ticket, both from the padata field in the KRB_AP_REQ.
-
-
-
-
-Kohl & Neuman [Page 54]
-
-RFC 1510 Kerberos September 1993
-
-
- realm This field specifies the realm part of the server's
- principal identifier. In the AS exchange, this is also the
- realm part of the client's principal identifier.
-
- from This field is included in the KRB_AS_REQ and KRB_TGS_REQ
- ticket requests when the requested ticket is to be
- postdated. It specifies the desired start time for the
- requested ticket.
-
- till This field contains the expiration date requested by the
- client in a ticket request.
-
- rtime This field is the requested renew-till time sent from a
- client to the KDC in a ticket request. It is optional.
-
- nonce This field is part of the KDC request and response. It it
- intended to hold a random number generated by the client.
- If the same number is included in the encrypted response
- from the KDC, it provides evidence that the response is
- fresh and has not been replayed by an attacker. Nonces
- must never be re-used. Ideally, it should be gen erated
- randomly, but if the correct time is known, it may suffice
- (Note, however, that if the time is used as the nonce, one
- must make sure that the workstation time is monotonically
- increasing. If the time is ever reset backwards, there is
- a small, but finite, probability that a nonce will be
- reused.).
-
- etype This field specifies the desired encryption algorithm to be
- used in the response.
-
- addresses This field is included in the initial request for tickets,
- and optionally included in requests for additional tickets
- from the ticket-granting server. It specifies the
- addresses from which the requested ticket is to be valid.
- Normally it includes the addresses for the client's host.
- If a proxy is requested, this field will contain other
- addresses. The contents of this field are usually copied
- by the KDC into the caddr field of the resulting ticket.
-
- additional-tickets Additional tickets may be optionally included in a
- request to the ticket-granting server. If the ENC-TKT-IN-
- SKEY option has been specified, then the session key from
- the additional ticket will be used in place of the server's
- key to encrypt the new ticket. If more than one option
- which requires additional tickets has been specified, then
- the additional tickets are used in the order specified by
- the ordering of the options bits (see kdc-options, above).
-
-
-
-Kohl & Neuman [Page 55]
-
-RFC 1510 Kerberos September 1993
-
-
- The application code will be either ten (10) or twelve (12) depending
- on whether the request is for an initial ticket (AS-REQ) or for an
- additional ticket (TGS-REQ).
-
- The optional fields (addresses, authorization-data and additional-
- tickets) are only included if necessary to perform the operation
- specified in the kdc-options field.
-
- It should be noted that in KRB_TGS_REQ, the protocol version number
- appears twice and two different message types appear: the KRB_TGS_REQ
- message contains these fields as does the authentication header
- (KRB_AP_REQ) that is passed in the padata field.
-
-5.4.2. KRB_KDC_REP definition
-
- The KRB_KDC_REP message format is used for the reply from the KDC for
- either an initial (AS) request or a subsequent (TGS) request. There
- is no message type for KRB_KDC_REP. Instead, the type will be either
- KRB_AS_REP or KRB_TGS_REP. The key used to encrypt the ciphertext
- part of the reply depends on the message type. For KRB_AS_REP, the
- ciphertext is encrypted in the client's secret key, and the client's
- key version number is included in the key version number for the
- encrypted data. For KRB_TGS_REP, the ciphertext is encrypted in the
- sub-session key from the Authenticator, or if absent, the session key
- from the ticket-granting ticket used in the request. In that case,
- no version number will be present in the EncryptedData sequence.
-
- The KRB_KDC_REP message contains the following fields:
-
- AS-REP ::= [APPLICATION 11] KDC-REP
- TGS-REP ::= [APPLICATION 13] KDC-REP
-
- KDC-REP ::= SEQUENCE {
- pvno[0] INTEGER,
- msg-type[1] INTEGER,
- padata[2] SEQUENCE OF PA-DATA OPTIONAL,
- crealm[3] Realm,
- cname[4] PrincipalName,
- ticket[5] Ticket,
- enc-part[6] EncryptedData
- }
-
- EncASRepPart ::= [APPLICATION 25[25]] EncKDCRepPart
- EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
-
- EncKDCRepPart ::= SEQUENCE {
- key[0] EncryptionKey,
- last-req[1] LastReq,
-
-
-
-Kohl & Neuman [Page 56]
-
-RFC 1510 Kerberos September 1993
-
-
- nonce[2] INTEGER,
- key-expiration[3] KerberosTime OPTIONAL,
- flags[4] TicketFlags,
- authtime[5] KerberosTime,
- starttime[6] KerberosTime OPTIONAL,
- endtime[7] KerberosTime,
- renew-till[8] KerberosTime OPTIONAL,
- srealm[9] Realm,
- sname[10] PrincipalName,
- caddr[11] HostAddresses OPTIONAL
- }
-
- NOTE: In EncASRepPart, the application code in the encrypted
- part of a message provides an additional check that
- the message was decrypted properly.
-
- pvno and msg-type These fields are described above in section 5.4.1.
- msg-type is either KRB_AS_REP or KRB_TGS_REP.
-
- padata This field is described in detail in section 5.4.1. One
- possible use for this field is to encode an alternate
- "mix-in" string to be used with a string-to-key algorithm
- (such as is described in section 6.3.2). This ability is
- useful to ease transitions if a realm name needs to change
- (e.g., when a company is acquired); in such a case all
- existing password-derived entries in the KDC database would
- be flagged as needing a special mix-in string until the
- next password change.
-
- crealm, cname, srealm and sname These fields are the same as those
- described for the ticket in section 5.3.1.
-
- ticket The newly-issued ticket, from section 5.3.1.
-
- enc-part This field is a place holder for the ciphertext and related
- information that forms the encrypted part of a message.
- The description of the encrypted part of the message
- follows each appearance of this field. The encrypted part
- is encoded as described in section 6.1.
-
- key This field is the same as described for the ticket in
- section 5.3.1.
-
- last-req This field is returned by the KDC and specifies the time(s)
- of the last request by a principal. Depending on what
- information is available, this might be the last time that
- a request for a ticket-granting ticket was made, or the
- last time that a request based on a ticket-granting ticket
-
-
-
-Kohl & Neuman [Page 57]
-
-RFC 1510 Kerberos September 1993
-
-
- was successful. It also might cover all servers for a
- realm, or just the particular server. Some implementations
- may display this information to the user to aid in
- discovering unauthorized use of one's identity. It is
- similar in spirit to the last login time displayed when
- logging into timesharing systems.
-
- nonce This field is described above in section 5.4.1.
-
- key-expiration The key-expiration field is part of the response from
- the KDC and specifies the time that the client's secret key
- is due to expire. The expiration might be the result of
- password aging or an account expiration. This field will
- usually be left out of the TGS reply since the response to
- the TGS request is encrypted in a session key and no client
- information need be retrieved from the KDC database. It is
- up to the application client (usually the login program) to
- take appropriate action (such as notifying the user) if the
- expira tion time is imminent.
-
- flags, authtime, starttime, endtime, renew-till and caddr These
- fields are duplicates of those found in the encrypted
- portion of the attached ticket (see section 5.3.1),
- provided so the client may verify they match the intended
- request and to assist in proper ticket caching.
If the
- message is of type KRB_TGS_REP, the caddr field will only
- be filled in if the request was for a proxy or forwarded
- ticket, or if the user is substituting a subset of the
- addresses from the ticket granting ticket. If the client-
- requested addresses are not present or not used, then the
- addresses contained in the ticket will be the same as those
- included in the ticket-granting ticket.
-
-5.5. Client/Server (CS) message specifications
-
- This section specifies the format of the messages used for the
- authentication of the client to the application server.
-
-5.5.1. KRB_AP_REQ definition
-
- The KRB_AP_REQ message contains the Kerberos protocol version number,
- the message type KRB_AP_REQ, an options field to indicate any options
- in use, and the ticket and authenticator themselves. The KRB_AP_REQ
- message is often referred to as the "authentication header".
-
- AP-REQ ::= [APPLICATION 14] SEQUENCE {
- pvno[0] INTEGER,
- msg-type[1] INTEGER,
-
-
-
-Kohl & Neuman [Page 58]
-
-RFC 1510 Kerberos September 1993
-
-
- ap-options[2] APOptions,
- ticket[3] Ticket,
- authenticator[4] EncryptedData
- }
-
- APOptions ::= BIT STRING {
- reserved(0),
- use-session-key(1),
- mutual-required(2)
- }
-
- pvno and msg-type These fields are described above in section 5.4.1.
- msg-type is KRB_AP_REQ.
-
- ap-options This field appears in the application request (KRB_AP_REQ)
- and affects the way the request is processed. It is a
- bit-field, where the selected options are indicated by the
- bit being set (1), and the unselected options and reserved
- fields being reset (0). The encoding of the bits is
- specified in section 5.2. The meanings of the options are:
-
- Bit(s) Name Description
-
- 0 RESERVED Reserved for future expansion of
- this field.
-
- 1 USE-SESSION-KEYThe USE-SESSION-KEY option indicates
- that the ticket the client is
- presenting to a server is encrypted in
- the session key from the server's
- ticket-granting ticket.
When this
- option is not specified, the ticket is
- encrypted in the server's secret key.
-
- 2 MUTUAL-REQUIREDThe MUTUAL-REQUIRED option tells the
- server that the client requires mutual
- authentication, and that it must
- respond with a KRB_AP_REP message.
-
- 3-31 RESERVED Reserved for future use.
-
- ticket This field is a ticket authenticating the client to the
- server.
-
- authenticator This contains the authenticator, which includes the
- client's choice of a subkey. Its encoding is described in
- section 5.3.2.
-
-
-
-
-Kohl & Neuman [Page 59]
-
-RFC 1510 Kerberos September 1993
-
-
-5.5.2. KRB_AP_REP definition
-
- The KRB_AP_REP message contains the Kerberos protocol version number,
- the message type, and an encrypted timestamp. The message is sent in
- in response to an application request (KRB_AP_REQ) where the mutual
- authentication option has been selected in the ap-options field.
-
- AP-REP ::= [APPLICATION 15] SEQUENCE {
- pvno[0] INTEGER,
- msg-type[1] INTEGER,
- enc-part[2] EncryptedData
- }
-
- EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
- ctime[0] KerberosTime,
- cusec[1] INTEGER,
- subkey[2] EncryptionKey OPTIONAL,
- seq-number[3] INTEGER OPTIONAL
- }
-
- NOTE: in EncAPRepPart, the application code in the encrypted part of
- a message provides an additional check that the message was decrypted
- properly.
-
- The encoded EncAPRepPart is encrypted in the shared session key of
- the ticket. The optional subkey field can be used in an
- application-arranged negotiation to choose a per association session
- key.
-
- pvno and msg-type These fields are described above in section 5.4.1.
- msg-type is KRB_AP_REP.
-
- enc-part This field is described above in section 5.4.2.
-
- ctime This field contains the current time on the client's host.
-
- cusec This field contains the microsecond part of the client's
- timestamp.
-
- subkey This field contains an encryption key which is to be used
- to protect this specific application session.
See section
- 3.2.6 for specifics on how this field is used to negotiate
- a key. Unless an application specifies otherwise, if this
- field is left out, the sub-session key from the
- authenticator, or if also left out, the session key from
- the ticket will be used.
-
-
-
-
-
-Kohl & Neuman [Page 60]
-
-RFC 1510 Kerberos September 1993
-
-
-5.5.3. Error message reply
-
- If an error occurs while processing the application request, the
- KRB_ERROR message will be sent in response. See section 5.9.1 for
- the format of the error message. The cname and crealm fields may be
- left out if the server cannot determine their appropriate values from
- the corresponding KRB_AP_REQ message. If the authenticator was
- decipherable, the ctime and cusec fields will contain the values from
- it.
-
-5.6. KRB_SAFE message specification
-
- This section specifies the format of a message that can be used by
- either side (client or server) of an application to send a tamper-
- proof message to its peer. It presumes that a session key has
- previously been exchanged (for example, by using the
- KRB_AP_REQ/KRB_AP_REP messages).
-
-5.6.1. KRB_SAFE definition
-
- The KRB_SAFE message contains user data along with a collision-proof
- checksum keyed with the session key. The message fields are:
-
- KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
- pvno[0] INTEGER,
- msg-type[1] INTEGER,
- safe-body[2] KRB-SAFE-BODY,
- cksum[3] Checksum
- }
-
- KRB-SAFE-BODY ::= SEQUENCE {
- user-data[0] OCTET STRING,
- timestamp[1] KerberosTime OPTIONAL,
- usec[2] INTEGER OPTIONAL,
- seq-number[3] INTEGER OPTIONAL,
- s-address[4] HostAddress,
- r-address[5] HostAddress OPTIONAL
- }
-
- pvno and msg-type These fields are described above in section 5.4.1.
- msg-type is KRB_SAFE.
-
- safe-body This field is a placeholder for the body of the KRB-SAFE
- message. It is to be encoded separately and then have the
- checksum computed over it, for use in the cksum field.
-
- cksum This field contains the checksum of the application data.
- Checksum details are described in section 6.4. The
-
-
-
-Kohl & Neuman [Page 61]
-
-RFC 1510 Kerberos September 1993
-
-
- checksum is computed over the encoding of the KRB-SAFE-BODY
- sequence.
-
- user-data This field is part of the KRB_SAFE and KRB_PRIV messages
- and contain the application specific data that is being
- passed from the sender to the recipient.
-
- timestamp This field is part of the KRB_SAFE and KRB_PRIV messages.
- Its contents are the current time as known by the sender of
- the message. By checking the timestamp, the recipient of
- the message is able to make sure that it was recently
- generated, and is not a replay.
-
- usec This field is part of the KRB_SAFE and KRB_PRIV headers.
- It contains the microsecond part of the timestamp.
-
- seq-number This field is described above in section 5.3.2.
-
- s-address This field specifies the address in use by the sender of
- the message.
-
- r-address This field specifies the address in use by the recipient of
- the message. It may be omitted for some uses (such as
- broadcast protocols), but the recipient may arbitrarily
- reject such messages. This field along with s-address can
- be used to help detect messages which have been incorrectly
- or maliciously delivered to the wrong recipient.
-
-5.7. KRB_PRIV message specification
-
- This section specifies the format of a message that can be used by
- either side (client or server) of an application to securely and
- privately send a message to its peer. It presumes that a session key
- has previously been exchanged (for example, by using the
- KRB_AP_REQ/KRB_AP_REP messages).
-
-5.7.1. KRB_PRIV definition
-
- The KRB_PRIV message contains user data encrypted in the Session Key.
- The message fields are:
-
- KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
- pvno[0] INTEGER,
- msg-type[1] INTEGER,
- enc-part[3] EncryptedData
- }
-
-
-
-
-
-Kohl & Neuman [Page 62]
-
-RFC 1510 Kerberos September 1993
-
-
- EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
- user-data[0] OCTET STRING,
- timestamp[1] KerberosTime OPTIONAL,
- usec[2] INTEGER OPTIONAL,
- seq-number[3] INTEGER OPTIONAL,
- s-address[4] HostAddress, -- sender's addr
- r-address[5] HostAddress OPTIONAL
- -- recip's addr
- }
-
- NOTE: In EncKrbPrivPart, the application code in the encrypted part
- of a message provides an additional check that the message was
- decrypted properly.
-
- pvno and msg-type These fields are described above in section 5.4.1.
- msg-type is KRB_PRIV.
-
- enc-part This field holds an encoding of the EncKrbPrivPart sequence
- encrypted under the session key (If supported by the
- encryption method in use, an initialization vector may be
- passed to the encryption procedure, in order to achieve
- proper cipher chaining. The initialization vector might
- come from the last block of the ciphertext from the
- previous KRB_PRIV message, but it is the application's
- choice whether or not to use such an initialization vector.
- If left out, the default initialization vector for the
- encryption algorithm will be used.). This encrypted
- encoding is used for the enc-part field of the KRB-PRIV
- message. See section 6 for the format of the ciphertext.
-
- user-data, timestamp, usec, s-address and r-address These fields are
- described above in section 5.6.1.
-
- seq-number This field is described above in section 5.3.2.
-
-5.8. KRB_CRED message specification
-
- This section specifies the format of a message that can be used to
- send Kerberos credentials from one principal to another. It is
- presented here to encourage a common mechanism to be used by
- applications when forwarding tickets or providing proxies to
- subordinate servers.
It presumes that a session key has already been - exchanged perhaps by using the KRB_AP_REQ/KRB_AP_REP messages. - -5.8.1. KRB_CRED definition - - The KRB_CRED message contains a sequence of tickets to be sent and - information needed to use the tickets, including the session key from - - - -Kohl & Neuman [Page 63] - -RFC 1510 Kerberos September 1993 - - - each. The information needed to use the tickets is encryped under an - encryption key previously exchanged. The message fields are: - - KRB-CRED ::= [APPLICATION 22] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, -- KRB_CRED - tickets[2] SEQUENCE OF Ticket, - enc-part[3] EncryptedData - } - - EncKrbCredPart ::= [APPLICATION 29] SEQUENCE { - ticket-info[0] SEQUENCE OF KrbCredInfo, - nonce[1] INTEGER OPTIONAL, - timestamp[2] KerberosTime OPTIONAL, - usec[3] INTEGER OPTIONAL, - s-address[4] HostAddress OPTIONAL, - r-address[5] HostAddress OPTIONAL - } - - KrbCredInfo ::= SEQUENCE { - key[0] EncryptionKey, - prealm[1] Realm OPTIONAL, - pname[2] PrincipalName OPTIONAL, - flags[3] TicketFlags OPTIONAL, - authtime[4] KerberosTime OPTIONAL, - starttime[5] KerberosTime OPTIONAL, - endtime[6] KerberosTime OPTIONAL - renew-till[7] KerberosTime OPTIONAL, - srealm[8] Realm OPTIONAL, - sname[9] PrincipalName OPTIONAL, - caddr[10] HostAddresses OPTIONAL - } - - - pvno and msg-type These fields are described above in section 5.4.1. - msg-type is KRB_CRED. - - tickets - These are the tickets obtained from the KDC specifically - for use by the intended recipient. Successive tickets are - paired with the corresponding KrbCredInfo sequence from the - enc-part of the KRB-CRED message. - - enc-part This field holds an encoding of the EncKrbCredPart sequence - encrypted under the session key shared between the sender - and the intended recipient. This encrypted encoding is - used for the enc-part field of the KRB-CRED message. See - section 6 for the format of the ciphertext. 
-
-
-
-Kohl & Neuman [Page 64]
-
-RFC 1510 Kerberos September 1993
-
-
- nonce If practical, an application may require the inclusion of a
- nonce generated by the recipient of the message. If the
- same value is included as the nonce in the message, it
- provides evidence that the message is fresh and has not
- been replayed by an attacker. A nonce must never be re-
- used; it should be generated randomly by the recipient of
- the message and provided to the sender of the mes sage in
- an application specific manner.
-
- timestamp and usec These fields specify the time that the KRB-CRED
- message was generated. The time is used to provide
- assurance that the message is fresh.
-
- s-address and r-address These fields are described above in section
- 5.6.1. They are used optionally to provide additional
- assurance of the integrity of the KRB-CRED message.
-
- key This field exists in the corresponding ticket passed by the
- KRB-CRED message and is used to pass the session key from
- the sender to the intended recipient. The field's encoding
- is described in section 6.2.
-
- The following fields are optional. If present, they can be
- associated with the credentials in the remote ticket file. If left
- out, then it is assumed that the recipient of the credentials already
- knows their value.
-
- prealm and pname The name and realm of the delegated principal
- identity.
-
- flags, authtime, starttime, endtime, renew-till, srealm, sname,
- and caddr These fields contain the values of the
- corresponding fields from the ticket found in the ticket
- field. Descriptions of the fields are identical to the
- descriptions in the KDC-REP message.
-
-5.9. Error message specification
-
- This section specifies the format for the KRB_ERROR message. The
- fields included in the message are intended to return as much
- information as possible about an error. It is not expected that all
- the information required by the fields will be available for all
- types of errors.
If the appropriate information is not available
- when the message is composed, the corresponding field will be left
- out of the message.
-
- Note that since the KRB_ERROR message is not protected by any
- encryption, it is quite possible for an intruder to synthesize or
-
-
-
-Kohl & Neuman [Page 65]
-
-RFC 1510 Kerberos September 1993
-
-
- modify such a message. In particular, this means that the client
- should not use any fields in this message for security-critical
- purposes, such as setting a system clock or generating a fresh
- authenticator. The message can be useful, however, for advising a
- user on the reason for some failure.
-
-5.9.1. KRB_ERROR definition
-
- The KRB_ERROR message consists of the following fields:
-
- KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
- pvno[0] INTEGER,
- msg-type[1] INTEGER,
- ctime[2] KerberosTime OPTIONAL,
- cusec[3] INTEGER OPTIONAL,
- stime[4] KerberosTime,
- susec[5] INTEGER,
- error-code[6] INTEGER,
- crealm[7] Realm OPTIONAL,
- cname[8] PrincipalName OPTIONAL,
- realm[9] Realm, -- Correct realm
- sname[10] PrincipalName, -- Correct name
- e-text[11] GeneralString OPTIONAL,
- e-data[12] OCTET STRING OPTIONAL
- }
-
- pvno and msg-type These fields are described above in section 5.4.1.
- msg-type is KRB_ERROR.
-
- ctime This field is described above in section 5.4.1.
-
- cusec This field is described above in section 5.5.2.
-
- stime This field contains the current time on the server. It is
- of type KerberosTime.
-
- susec This field contains the microsecond part of the server's
- timestamp. Its value ranges from 0 to 999. It appears
- along with stime. The two fields are used in conjunction to
- specify a reasonably accurate timestamp.
-
- error-code This field contains the error code returned by Kerberos or
- the server when a request fails. To interpret the value of
- this field see the list of error codes in section 8.
- Implementations are encouraged to provide for national
- language support in the display of error messages.
-
- crealm, cname, srealm and sname These fields are described above in
-
-
-
-Kohl & Neuman [Page 66]
-
-RFC 1510 Kerberos September 1993
-
-
- section 5.3.1.
-
- e-text This field contains additional text to help explain the
- error code associated with the failed request (for example,
- it might include a principal name which was unknown).
-
- e-data This field contains additional data about the error for use
- by the application to help it recover from or handle the
- error. If the errorcode is KDC_ERR_PREAUTH_REQUIRED, then
- the e-data field will contain an encoding of a sequence of
- padata fields, each corresponding to an acceptable pre-
- authentication method and optionally containing data for
- the method:
-
- METHOD-DATA ::= SEQUENCE of PA-DATA
-
- If the error-code is KRB_AP_ERR_METHOD, then the e-data field will
- contain an encoding of the following sequence:
-
- METHOD-DATA ::= SEQUENCE {
- method-type[0] INTEGER,
- method-data[1] OCTET STRING OPTIONAL
- }
-
- method-type will indicate the required alternate method; method-data
- will contain any required additional information.
-
-6. Encryption and Checksum Specifications
-
- The Kerberos protocols described in this document are designed to use
- stream encryption ciphers, which can be simulated using commonly
- available block encryption ciphers, such as the Data Encryption
- Standard [11], in conjunction with block chaining and checksum
- methods [12]. Encryption is used to prove the identities of the
- network entities participating in message exchanges. The Key
- Distribution Center for each realm is trusted by all principals
- registered in that realm to store a secret key in confidence. Proof
- of knowledge of this secret key is used to verify the authenticity of
- a principal.
-
- The KDC uses the principal's secret key (in the AS exchange) or a
- shared session key (in the TGS exchange) to encrypt responses to
- ticket requests; the ability to obtain the secret key or session key
- implies the knowledge of the appropriate keys and the identity of the
- KDC. The ability of a principal to decrypt the KDC response and
- present a Ticket and a properly formed Authenticator (generated with
- the session key from the KDC response) to a service verifies the
- identity of the principal; likewise the ability of the service to
-
-
-
-Kohl & Neuman [Page 67]
-
-RFC 1510 Kerberos September 1993
-
-
- extract the session key from the Ticket and prove its knowledge
- thereof in a response verifies the identity of the service.
-
- The Kerberos protocols generally assume that the encryption used is
- secure from cryptanalysis; however, in some cases, the order of
- fields in the encrypted portions of messages are arranged to minimize
- the effects of poorly chosen keys. It is still important to choose
- good keys. If keys are derived from user-typed passwords, those
- passwords need to be well chosen to make brute force attacks more
- difficult. Poorly chosen keys still make easy targets for intruders.
-
- The following sections specify the encryption and checksum mechanisms
- currently defined for Kerberos. The encodings, chaining, and padding
- requirements for each are described. For encryption methods, it is
- often desirable to place random information (often referred to as a
- confounder) at the start of the message. The requirements for a
- confounder are specified with each encryption mechanism.
-
- Some encryption systems use a block-chaining method to improve the
- the security characteristics of the ciphertext. However, these
- chaining methods often don't provide an integrity check upon
- decryption.
Such systems (such as DES in CBC mode) must be augmented
- with a checksum of the plaintext which can be verified at decryption
- and used to detect any tampering or damage. Such checksums should be
- good at detecting burst errors in the input. If any damage is
- detected, the decryption routine is expected to return an error
- indicating the failure of an integrity check. Each encryption type is
- expected to provide and verify an appropriate checksum. The
- specification of each encryption method sets out its checksum
- requirements.
-
- Finally, where a key is to be derived from a user's password, an
- algorithm for converting the password to a key of the appropriate
- type is included. It is desirable for the string to key function to
- be one-way, and for the mapping to be different in different realms.
- This is important because users who are registered in more than one
- realm will often use the same password in each, and it is desirable
- that an attacker compromising the Kerberos server in one realm not
- obtain or derive the user's key in another.
-
- For a discussion of the integrity characteristics of the candidate
- encryption and checksum methods considered for Kerberos, the the
- reader is referred to [13].
-
-6.1. Encryption Specifications
-
- The following ASN.1 definition describes all encrypted messages. The
- enc-part field which appears in the unencrypted part of messages in
-
-
-
-Kohl & Neuman [Page 68]
-
-RFC 1510 Kerberos September 1993
-
-
- section 5 is a sequence consisting of an encryption type, an optional
- key version number, and the ciphertext.
-
- EncryptedData ::= SEQUENCE {
- etype[0] INTEGER, -- EncryptionType
- kvno[1] INTEGER OPTIONAL,
- cipher[2] OCTET STRING -- ciphertext
- }
-
- etype This field identifies which encryption algorithm was used
- to encipher the cipher. Detailed specifications for
- selected encryption types appear later in this section.
-
- kvno This field contains the version number of the key under
- which data is encrypted. It is only present in messages
- encrypted under long lasting keys, such as principals'
- secret keys.
-
- cipher This field contains the enciphered text, encoded as an
- OCTET STRING.
-
- The cipher field is generated by applying the specified encryption
- algorithm to data composed of the message and algorithm-specific
- inputs. Encryption mechanisms defined for use with Kerberos must
- take sufficient measures to guarantee the integrity of the plaintext,
- and we recommend they also take measures to protect against
- precomputed dictionary attacks. If the encryption algorithm is not
- itself capable of doing so, the protections can often be enhanced by
- adding a checksum and a confounder.
-
- The suggested format for the data to be encrypted includes a
- confounder, a checksum, the encoded plaintext, and any necessary
- padding. The msg-seq field contains the part of the protocol message
- described in section 5 which is to be encrypted. The confounder,
- checksum, and padding are all untagged and untyped, and their length
- is exactly sufficient to hold the appropriate item. The type and
- length is implicit and specified by the particular encryption type
- being used (etype).
The format for the data to be encrypted is
- described in the following diagram:
-
- +-----------+----------+-------------+-----+
- |confounder | check | msg-seq | pad |
- +-----------+----------+-------------+-----+
-
- The format cannot be described in ASN.1, but for those who prefer an
- ASN.1-like notation:
-
-
-
-
-
-Kohl & Neuman [Page 69]
-
-RFC 1510 Kerberos September 1993
-
-
-CipherText ::= ENCRYPTED SEQUENCE {
- confounder[0] UNTAGGED OCTET STRING(conf_length) OPTIONAL,
- check[1] UNTAGGED OCTET STRING(checksum_length) OPTIONAL,
- msg-seq[2] MsgSequence,
- pad UNTAGGED OCTET STRING(pad_length) OPTIONAL
-}
-
- In the above specification, UNTAGGED OCTET STRING(length) is the
- notation for an octet string with its tag and length removed. It is
- not a valid ASN.1 type. The tag bits and length must be removed from
- the confounder since the purpose of the confounder is so that the
- message starts with random data, but the tag and its length are
- fixed. For other fields, the length and tag would be redundant if
- they were included because they are specified by the encryption type.
-
- One generates a random confounder of the appropriate length, placing
- it in confounder; zeroes out check; calculates the appropriate
- checksum over confounder, check, and msg-seq, placing the result in
- check; adds the necessary padding; then encrypts using the specified
- encryption type and the appropriate key.
-
- Unless otherwise specified, a definition of an encryption algorithm
- that specifies a checksum, a length for the confounder field, or an
- octet boundary for padding uses this ciphertext format (The ordering
- of the fields in the CipherText is important. Additionally, messages
- encoded in this format must include a length as part of the msg-seq
- field. This allows the recipient to verify that the message has not
- been truncated.
Without a length, an attacker could use a chosen
- plaintext attack to generate a message which could be truncated,
- while leaving the checksum intact. Note that if the msg-seq is an
- encoding of an ASN.1 SEQUENCE or OCTET STRING, then the length is
- part of that encoding.). Those fields which are not specified will be
- omitted.
-
- In the interest of allowing all implementations using a particular
- encryption type to communicate with all others using that type, the
- specification of an encryption type defines any checksum that is
- needed as part of the encryption process. If an alternative checksum
- is to be used, a new encryption type must be defined.
-
- Some cryptosystems require additional information beyond the key and
- the data to be encrypted. For example, DES, when used in cipher-
- block-chaining mode, requires an initialization vector. If required,
- the description for each encryption type must specify the source of
- such additional information.
-
-
-
-
-
-
-Kohl & Neuman [Page 70]
-
-RFC 1510 Kerberos September 1993
-
-
-6.2. Encryption Keys
-
- The sequence below shows the encoding of an encryption key:
-
- EncryptionKey ::= SEQUENCE {
- keytype[0] INTEGER,
- keyvalue[1] OCTET STRING
- }
-
- keytype This field specifies the type of encryption key that
- follows in the keyvalue field. It will almost always
- correspond to the encryption algorithm used to generate the
- EncryptedData, though more than one algorithm may use the
- same type of key (the mapping is many to one). This might
- happen, for example, if the encryption algorithm uses an
- alternate checksum algorithm for an integrity check, or a
- different chaining mechanism.
-
- keyvalue This field contains the key itself, encoded as an octet
- string.
-
- All negative values for the encryption key type are reserved for
- local use. All non-negative values are reserved for officially
- assigned type fields and interpretations.
-
-6.3. Encryption Systems
-
-6.3.1.
The NULL Encryption System (null)
-
- If no encryption is in use, the encryption system is said to be the
- NULL encryption system. In the NULL encryption system there is no
- checksum, confounder or padding. The ciphertext is simply the
- plaintext. The NULL Key is used by the null encryption system and is
- zero octets in length, with keytype zero (0).
-
-6.3.2. DES in CBC mode with a CRC-32 checksum (des-cbc-crc)
-
- The des-cbc-crc encryption mode encrypts information under the Data
- Encryption Standard [11] using the cipher block chaining mode [12].
- A CRC-32 checksum (described in ISO 3309 [14]) is applied to the
- confounder and message sequence (msg-seq) and placed in the cksum
- field. DES blocks are 8 bytes. As a result, the data to be
- encrypted (the concatenation of confounder, checksum, and message)
- must be padded to an 8 byte boundary before encryption. The details
- of the encryption of this data are identical to those for the des-
- cbc-md5 encryption mode.
-
- Note that, since the CRC-32 checksum is not collisionproof, an
-
-
-
-Kohl & Neuman [Page 71]
-
-RFC 1510 Kerberos September 1993
-
-
- attacker could use a probabilistic chosenplaintext attack to generate
- a valid message even if a confounder is used [13]. The use of
- collision-proof checksums is recommended for environments where such
- attacks represent a significant threat. The use of the CRC-32 as the
- checksum for ticket or authenticator is no longer mandated as an
- interoperability requirement for Kerberos Version 5 Specification 1
- (See section 9.1 for specific details).
-
-6.3.3. DES in CBC mode with an MD4 checksum (des-cbc-md4)
-
- The des-cbc-md4 encryption mode encrypts information under the Data
- Encryption Standard [11] using the cipher block chaining mode [12].
- An MD4 checksum (described in [15]) is applied to the confounder and
- message sequence (msg-seq) and placed in the cksum field. DES blocks
- are 8 bytes.
As a result, the data to be encrypted (the
- concatenation of confounder, checksum, and message) must be padded to
- an 8 byte boundary before encryption. The details of the encryption
- of this data are identical to those for the descbc-md5 encryption
- mode.
-
-6.3.4. DES in CBC mode with an MD5 checksum (des-cbc-md5)
-
- The des-cbc-md5 encryption mode encrypts information under the Data
- Encryption Standard [11] using the cipher block chaining mode [12].
- An MD5 checksum (described in [16]) is applied to the confounder and
- message sequence (msg-seq) and placed in the cksum field. DES blocks
- are 8 bytes. As a result, the data to be encrypted (the
- concatenation of confounder, checksum, and message) must be padded to
- an 8 byte boundary before encryption.
-
- Plaintext and DES ciphtertext are encoded as 8-octet blocks which are
- concatenated to make the 64-bit inputs for the DES algorithms. The
- first octet supplies the 8 most significant bits (with the octet's
- MSbit used as the DES input block's MSbit, etc.), the second octet
- the next 8 bits, ..., and the eighth octet supplies the 8 least
- significant bits.
-
- Encryption under DES using cipher block chaining requires an
- additional input in the form of an initialization vector. Unless
- otherwise specified, zero should be used as the initialization
- vector. Kerberos' use of DES requires an 8-octet confounder.
-
- The DES specifications identify some "weak" and "semiweak" keys;
- those keys shall not be used for encrypting messages for use in
- Kerberos. Additionally, because of the way that keys are derived for
- the encryption of checksums, keys shall not be used that yield "weak"
- or "semi-weak" keys when eXclusive-ORed with the constant
- F0F0F0F0F0F0F0F0.
-
-
-
-Kohl & Neuman [Page 72]
-
-RFC 1510 Kerberos September 1993
-
-
- A DES key is 8 octets of data, with keytype one (1). This consists
- of 56 bits of key, and 8 parity bits (one per octet).
The key is - encoded as a series of 8 octets written in MSB-first order. The bits - within the key are also encoded in MSB order. For example, if the - encryption key is: - (B1,B2,...,B7,P1,B8,...,B14,P2,B15,...,B49,P7,B50,...,B56,P8) where - B1,B2,...,B56 are the key bits in MSB order, and P1,P2,...,P8 are the - parity bits, the first octet of the key would be B1,B2,...,B7,P1 - (with B1 as the MSbit). [See the FIPS 81 introduction for - reference.] - - To generate a DES key from a text string (password), the text string - normally must have the realm and each component of the principal's - name appended(In some cases, it may be necessary to use a different - "mix-in" string for compatibility reasons; see the discussion of - padata in section 5.4.2.), then padded with ASCII nulls to an 8 byte - boundary. This string is then fan-folded and eXclusive-ORed with - itself to form an 8 byte DES key. The parity is corrected on the - key, and it is used to generate a DES CBC checksum on the initial - string (with the realm and name appended). Next, parity is corrected - on the CBC checksum. If the result matches a "weak" or "semiweak" - key as described in the DES specification, it is eXclusive-ORed with - the constant 00000000000000F0. Finally, the result is returned as - the key. Pseudocode follows: - - string_to_key(string,realm,name) { - odd = 1; - s = string + realm; - for(each component in name) { - s = s + component; - } - tempkey = NULL; - pad(s); /* with nulls to 8 byte boundary */ - for(8byteblock in s) { - if(odd == 0) { - odd = 1; - reverse(8byteblock) - } - else odd = 0; - tempkey = tempkey XOR 8byteblock; - } - fixparity(tempkey); - key = DES-CBC-check(s,tempkey); - fixparity(key); - if(is_weak_key_key(key)) - key = key XOR 0xF0; - return(key); - } - - - -Kohl & Neuman [Page 73] - -RFC 1510 Kerberos September 1993 - - -6.4. 
Checksums - - The following is the ASN.1 definition used for a checksum: - - Checksum ::= SEQUENCE { - cksumtype[0] INTEGER, - checksum[1] OCTET STRING - } - - cksumtype This field indicates the algorithm used to generate the - accompanying checksum. - - checksum This field contains the checksum itself, encoded - as an octet string. - - Detailed specification of selected checksum types appear later in - this section. Negative values for the checksum type are reserved for - local use. All non-negative values are reserved for officially - assigned type fields and interpretations. - - Checksums used by Kerberos can be classified by two properties: - whether they are collision-proof, and whether they are keyed. It is - infeasible to find two plaintexts which generate the same checksum - value for a collision-proof checksum. A key is required to perturb - or initialize the algorithm in a keyed checksum. To prevent - message-stream modification by an active attacker, unkeyed checksums - should only be used when the checksum and message will be - subsequently encrypted (e.g., the checksums defined as part of the - encryption algorithms covered earlier in this section). Collision- - proof checksums can be made tamper-proof as well if the checksum - value is encrypted before inclusion in a message. In such cases, the - composition of the checksum and the encryption algorithm must be - considered a separate checksum algorithm (e.g., RSA-MD5 encrypted - using DES is a new checksum algorithm of type RSA-MD5-DES). For most - keyed checksums, as well as for the encrypted forms of collisionproof - checksums, Kerberos prepends a confounder before the checksum is - calculated. - -6.4.1. The CRC-32 Checksum (crc32) - - The CRC-32 checksum calculates a checksum based on a cyclic - redundancy check as described in ISO 3309 [14]. The resulting - checksum is four (4) octets in length. The CRC-32 is neither keyed - nor collision-proof. The use of this checksum is not recommended. 
- An attacker using a probabilistic chosen-plaintext attack as - described in [13] might be able to generate an alternative message - that satisfies the checksum. The use of collision-proof checksums is - recommended for environments where such attacks represent a - - - -Kohl & Neuman [Page 74] - -RFC 1510 Kerberos September 1993 - - - significant threat. - -6.4.2. The RSA MD4 Checksum (rsa-md4) - - The RSA-MD4 checksum calculates a checksum using the RSA MD4 - algorithm [15]. The algorithm takes as input an input message of - arbitrary length and produces as output a 128-bit (16 octet) - checksum. RSA-MD4 is believed to be collision-proof. - -6.4.3. RSA MD4 Cryptographic Checksum Using DES (rsa-md4des) - - The RSA-MD4-DES checksum calculates a keyed collisionproof checksum - by prepending an 8 octet confounder before the text, applying the RSA - MD4 checksum algorithm, and encrypting the confounder and the - checksum using DES in cipher-block-chaining (CBC) mode using a - variant of the key, where the variant is computed by eXclusive-ORing - the key with the constant F0F0F0F0F0F0F0F0 (A variant of the key is - used to limit the use of a key to a particular function, separating - the functions of generating a checksum from other encryption - performed using the session key. The constant F0F0F0F0F0F0F0F0 was - chosen because it maintains key parity. The properties of DES - precluded the use of the complement. The same constant is used for - similar purpose in the Message Integrity Check in the Privacy - Enhanced Mail standard.). The initialization vector should be zero. - The resulting checksum is 24 octets long (8 octets of which are - redundant). This checksum is tamper-proof and believed to be - collision-proof. - - The DES specifications identify some "weak keys"; those keys shall - not be used for generating RSA-MD4 checksums for use in Kerberos. 
- - The format for the checksum is described in the following diagram: - - +--+--+--+--+--+--+--+-- - | des-cbc(confounder - +--+--+--+--+--+--+--+-- - - +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ - rsa-md4(confounder+msg),key=var(key),iv=0) | - +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ - - The format cannot be described in ASN.1, but for those who prefer an - ASN.1-like notation: - - rsa-md4-des-checksum ::= ENCRYPTED UNTAGGED SEQUENCE { - confounder[0] UNTAGGED OCTET STRING(8), - check[1] UNTAGGED OCTET STRING(16) - } - - - -Kohl & Neuman [Page 75] - -RFC 1510 Kerberos September 1993 - - -6.4.4. The RSA MD5 Checksum (rsa-md5) - - The RSA-MD5 checksum calculates a checksum using the RSA MD5 - algorithm [16]. The algorithm takes as input an input message of - arbitrary length and produces as output a 128-bit (16 octet) - checksum. RSA-MD5 is believed to be collision-proof. - -6.4.5. RSA MD5 Cryptographic Checksum Using DES (rsa-md5des) - - The RSA-MD5-DES checksum calculates a keyed collisionproof checksum - by prepending an 8 octet confounder before the text, applying the RSA - MD5 checksum algorithm, and encrypting the confounder and the - checksum using DES in cipher-block-chaining (CBC) mode using a - variant of the key, where the variant is computed by eXclusive-ORing - the key with the constant F0F0F0F0F0F0F0F0. The initialization - vector should be zero. The resulting checksum is 24 octets long (8 - octets of which are redundant). This checksum is tamper-proof and - believed to be collision-proof. - - The DES specifications identify some "weak keys"; those keys shall - not be used for encrypting RSA-MD5 checksums for use in Kerberos. 
- - The format for the checksum is described in the following diagram: - - +--+--+--+--+--+--+--+-- - | des-cbc(confounder - +--+--+--+--+--+--+--+-- - - +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ - rsa-md5(confounder+msg),key=var(key),iv=0) | - +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ - - The format cannot be described in ASN.1, but for those who prefer an - ASN.1-like notation: - - rsa-md5-des-checksum ::= ENCRYPTED UNTAGGED SEQUENCE { - confounder[0] UNTAGGED OCTET STRING(8), - check[1] UNTAGGED OCTET STRING(16) - } - -6.4.6. DES cipher-block chained checksum (des-mac) - - The DES-MAC checksum is computed by prepending an 8 octet confounder - to the plaintext, performing a DES CBC-mode encryption on the result - using the key and an initialization vector of zero, taking the last - block of the ciphertext, prepending the same confounder and - encrypting the pair using DES in cipher-block-chaining (CBC) mode - using a a variant of the key, where the variant is computed by - - - -Kohl & Neuman [Page 76] - -RFC 1510 Kerberos September 1993 - - - eXclusive-ORing the key with the constant F0F0F0F0F0F0F0F0. The - initialization vector should be zero. The resulting checksum is 128 - bits (16 octets) long, 64 bits of which are redundant. This checksum - is tamper-proof and collision-proof. 
- - The format for the checksum is described in the following diagram: - - +--+--+--+--+--+--+--+-- - | des-cbc(confounder - +--+--+--+--+--+--+--+-- - - +-----+-----+-----+-----+-----+-----+-----+-----+ - des-mac(conf+msg,iv=0,key),key=var(key),iv=0) | - +-----+-----+-----+-----+-----+-----+-----+-----+ - - The format cannot be described in ASN.1, but for those who prefer an - ASN.1-like notation: - - des-mac-checksum ::= ENCRYPTED UNTAGGED SEQUENCE { - confounder[0] UNTAGGED OCTET STRING(8), - check[1] UNTAGGED OCTET STRING(8) - } - - The DES specifications identify some "weak" and "semiweak" keys; - those keys shall not be used for generating DES-MAC checksums for use - in Kerberos, nor shall a key be used whose veriant is "weak" or - "semi-weak". - -6.4.7. RSA MD4 Cryptographic Checksum Using DES alternative - (rsa-md4-des-k) - - The RSA-MD4-DES-K checksum calculates a keyed collision-proof - checksum by applying the RSA MD4 checksum algorithm and encrypting - the results using DES in cipherblock-chaining (CBC) mode using a DES - key as both key and initialization vector. The resulting checksum is - 16 octets long. This checksum is tamper-proof and believed to be - collision-proof. Note that this checksum type is the old method for - encoding the RSA-MD4-DES checksum and it is no longer recommended. - -6.4.8. DES cipher-block chained checksum alternative (desmac-k) - - The DES-MAC-K checksum is computed by performing a DES CBC-mode - encryption of the plaintext, and using the last block of the - ciphertext as the checksum value. It is keyed with an encryption key - and an initialization vector; any uses which do not specify an - additional initialization vector will use the key as both key and - initialization vector. The resulting checksum is 64 bits (8 octets) - long. This checksum is tamper-proof and collision-proof. 
Note that - - - -Kohl & Neuman [Page 77] - -RFC 1510 Kerberos September 1993 - - - this checksum type is the old method for encoding the DESMAC checksum - and it is no longer recommended. - - The DES specifications identify some "weak keys"; those keys shall - not be used for generating DES-MAC checksums for use in Kerberos. - -7. Naming Constraints - -7.1. Realm Names - - Although realm names are encoded as GeneralStrings and although a - realm can technically select any name it chooses, interoperability - across realm boundaries requires agreement on how realm names are to - be assigned, and what information they imply. - - To enforce these conventions, each realm must conform to the - conventions itself, and it must require that any realms with which - inter-realm keys are shared also conform to the conventions and - require the same from its neighbors. - - There are presently four styles of realm names: domain, X500, other, - and reserved. Examples of each style follow: - - domain: host.subdomain.domain (example) - X500: C=US/O=OSF (example) - other: NAMETYPE:rest/of.name=without-restrictions (example) - reserved: reserved, but will not conflict with above - - Domain names must look like domain names: they consist of components - separated by periods (.) and they contain neither colons (:) nor - slashes (/). - - X.500 names contain an equal (=) and cannot contain a colon (:) - before the equal. The realm names for X.500 names will be string - representations of the names with components separated by slashes. - Leading and trailing slashes will not be included. - - Names that fall into the other category must begin with a prefix that - contains no equal (=) or period (.) and the prefix must be followed - by a colon (:) and the rest of the name. All prefixes must be - assigned before they may be used. Presently none are assigned. - - The reserved category includes strings which do not fall into the - first three categories. 
All names in this category are reserved. It - is unlikely that names will be assigned to this category unless there - is a very strong argument for not using the "other" category. - - These rules guarantee that there will be no conflicts between the - - - -Kohl & Neuman [Page 78] - -RFC 1510 Kerberos September 1993 - - - various name styles. The following additional constraints apply to - the assignment of realm names in the domain and X.500 categories: the - name of a realm for the domain or X.500 formats must either be used - by the organization owning (to whom it was assigned) an Internet - domain name or X.500 name, or in the case that no such names are - registered, authority to use a realm name may be derived from the - authority of the parent realm. For example, if there is no domain - name for E40.MIT.EDU, then the administrator of the MIT.EDU realm can - authorize the creation of a realm with that name. - - This is acceptable because the organization to which the parent is - assigned is presumably the organization authorized to assign names to - its children in the X.500 and domain name systems as well. If the - parent assigns a realm name without also registering it in the domain - name or X.500 hierarchy, it is the parent's responsibility to make - sure that there will not in the future exists a name identical to the - realm name of the child unless it is assigned to the same entity as - the realm name. - -7.2. Principal Names - - As was the case for realm names, conventions are needed to ensure - that all agree on what information is implied by a principal name. - The name-type field that is part of the principal name indicates the - kind of information implied by the name. The name-type should be - treated as a hint. Ignoring the name type, no two names can be the - same (i.e., at least one of the components, or the realm, must be - different). This constraint may be eliminated in the future. 
The - following name types are defined: - - name-type value meaning - NT-UNKNOWN 0 Name type not known - NT-PRINCIPAL 1 Just the name of the principal as in - DCE, or for users - NT-SRV-INST 2 Service and other unique instance (krbtgt) - NT-SRV-HST 3 Service with host name as instance - (telnet, rcommands) - NT-SRV-XHST 4 Service with host as remaining components - NT-UID 5 Unique ID - - When a name implies no information other than its uniqueness at a - particular time the name type PRINCIPAL should be used. The - principal name type should be used for users, and it might also be - used for a unique server. If the name is a unique machine generated - ID that is guaranteed never to be reassigned then the name type of - UID should be used (note that it is generally a bad idea to reassign - names of any type since stale entries might remain in access control - lists). - - - -Kohl & Neuman [Page 79] - -RFC 1510 Kerberos September 1993 - - - If the first component of a name identifies a service and the - remaining components identify an instance of the service in a server - specified manner, then the name type of SRV-INST should be used. An - example of this name type is the Kerberos ticket-granting ticket - which has a first component of krbtgt and a second component - identifying the realm for which the ticket is valid. - - If instance is a single component following the service name and the - instance identifies the host on which the server is running, then the - name type SRV-HST should be used. This type is typically used for - Internet services such as telnet and the Berkeley R commands. If the - separate components of the host name appear as successive components - following the name of the service, then the name type SRVXHST should - be used. This type might be used to identify servers on hosts with - X.500 names where the slash (/) might otherwise be ambiguous. - - A name type of UNKNOWN should be used when the form of the name is - not known. 
When comparing names, a name of type UNKNOWN will match - principals authenticated with names of any type. A principal - authenticated with a name of type UNKNOWN, however, will only match - other names of type UNKNOWN. - - Names of any type with an initial component of "krbtgt" are reserved - for the Kerberos ticket granting service. See section 8.2.3 for the - form of such names. - -7.2.1. Name of server principals - - The principal identifier for a server on a host will generally be - composed of two parts: (1) the realm of the KDC with which the server - is registered, and (2) a two-component name of type NT-SRV-HST if the - host name is an Internet domain name or a multi-component name of - type NT-SRV-XHST if the name of the host is of a form such as X.500 - that allows slash (/) separators. The first component of the two- or - multi-component name will identify the service and the latter - components will identify the host. Where the name of the host is not - case sensitive (for example, with Internet domain names) the name of - the host must be lower case. For services such as telnet and the - Berkeley R commands which run with system privileges, the first - component will be the string "host" instead of a service specific - identifier. - -8. Constants and other defined values - -8.1. Host address types - - All negative values for the host address type are reserved for local - use. All non-negative values are reserved for officially assigned - - - -Kohl & Neuman [Page 80] - -RFC 1510 Kerberos September 1993 - - - type fields and interpretations. - - The values of the types for the following addresses are chosen to - match the defined address family constants in the Berkeley Standard - Distributions of Unix. They can be found in with - symbolic names AF_xxx (where xxx is an abbreviation of the address - family name). - - - Internet addresses - - Internet addresses are 32-bit (4-octet) quantities, encoded in MSB - order. 
The type of internet addresses is two (2). - - CHAOSnet addresses - - CHAOSnet addresses are 16-bit (2-octet) quantities, encoded in MSB - order. The type of CHAOSnet addresses is five (5). - - ISO addresses - - ISO addresses are variable-length. The type of ISO addresses is - seven (7). - - Xerox Network Services (XNS) addresses - - XNS addresses are 48-bit (6-octet) quantities, encoded in MSB - order. The type of XNS addresses is six (6). - - AppleTalk Datagram Delivery Protocol (DDP) addresses - - AppleTalk DDP addresses consist of an 8-bit node number and a 16- - bit network number. The first octet of the address is the node - number; the remaining two octets encode the network number in MSB - order. The type of AppleTalk DDP addresses is sixteen (16). - - DECnet Phase IV addresses - - DECnet Phase IV addresses are 16-bit addresses, encoded in LSB - order. The type of DECnet Phase IV addresses is twelve (12). - -8.2. KDC messages - -8.2.1. IP transport - - When contacting a Kerberos server (KDC) for a KRB_KDC_REQ request - using IP transport, the client shall send a UDP datagram containing - only an encoding of the request to port 88 (decimal) at the KDC's IP - - - -Kohl & Neuman [Page 81] - -RFC 1510 Kerberos September 1993 - - - address; the KDC will respond with a reply datagram containing only - an encoding of the reply message (either a KRB_ERROR or a - KRB_KDC_REP) to the sending port at the sender's IP address. - -8.2.2. 
OSI transport - - During authentication of an OSI client to and OSI server, the mutual - authentication of an OSI server to an OSI client, the transfer of - credentials from an OSI client to an OSI server, or during exchange - of private or integrity checked messages, Kerberos protocol messages - may be treated as opaque objects and the type of the authentication - mechanism will be: - - OBJECT IDENTIFIER ::= {iso (1), org(3), dod(5),internet(1), - security(5), kerberosv5(2)} - - Depending on the situation, the opaque object will be an - authentication header (KRB_AP_REQ), an authentication reply - (KRB_AP_REP), a safe message (KRB_SAFE), a private message - (KRB_PRIV), or a credentials message (KRB_CRED). The opaque data - contains an application code as specified in the ASN.1 description - for each message. The application code may be used by Kerberos to - determine the message type. - -8.2.3. Name of the TGS - - The principal identifier of the ticket-granting service shall be - composed of three parts: (1) the realm of the KDC issuing the TGS - ticket (2) a two-part name of type NT-SRVINST, with the first part - "krbtgt" and the second part the name of the realm which will accept - the ticket-granting ticket. For example, a ticket-granting ticket - issued by the ATHENA.MIT.EDU realm to be used to get tickets from the - ATHENA.MIT.EDU KDC has a principal identifier of "ATHENA.MIT.EDU" - (realm), ("krbtgt", "ATHENA.MIT.EDU") (name). A ticket-granting - ticket issued by the ATHENA.MIT.EDU realm to be used to get tickets - from the MIT.EDU realm has a principal identifier of "ATHENA.MIT.EDU" - (realm), ("krbtgt", "MIT.EDU") (name). - -8.3. Protocol constants and associated values - - The following tables list constants used in the protocol and defines - their meanings. 
- - - - - - - - - -Kohl & Neuman [Page 82] - -RFC 1510 Kerberos September 1993 - - ----------------+-----------+----------+----------------+--------------- -Encryption type|etype value|block size|minimum pad size|confounder size ----------------+-----------+----------+----------------+--------------- -NULL 0 1 0 0 -des-cbc-crc 1 8 4 8 -des-cbc-md4 2 8 0 8 -des-cbc-md5 3 8 0 8 - --------------------------------+-------------------+------------- -Checksum type |sumtype value |checksum size --------------------------------+-------------------+------------- -CRC32 1 4 -rsa-md4 2 16 -rsa-md4-des 3 24 -des-mac 4 16 -des-mac-k 5 8 -rsa-md4-des-k 6 16 -rsa-md5 7 16 -rsa-md5-des 8 24 - --------------------------------+----------------- -padata type |padata-type value --------------------------------+----------------- -PA-TGS-REQ 1 -PA-ENC-TIMESTAMP 2 -PA-PW-SALT 3 - --------------------------------+------------- -authorization data type |ad-type value --------------------------------+------------- -reserved values 0-63 -OSF-DCE 64 -SESAME 65 - --------------------------------+----------------- -alternate authentication type |method-type value --------------------------------+----------------- -reserved values 0-63 -ATT-CHALLENGE-RESPONSE 64 - --------------------------------+------------- -transited encoding type |tr-type value --------------------------------+------------- -DOMAIN-X500-COMPRESS 1 -reserved values all others - - - - - - -Kohl & Neuman [Page 83] - -RFC 1510 Kerberos September 1993 - - ---------------+-------+----------------------------------------- -Label |Value |Meaning or MIT code ---------------+-------+----------------------------------------- - -pvno 5 current Kerberos protocol version number - -message types - -KRB_AS_REQ 10 Request for initial authentication -KRB_AS_REP 11 Response to KRB_AS_REQ request -KRB_TGS_REQ 12 Request for authentication based on TGT -KRB_TGS_REP 13 Response to KRB_TGS_REQ request -KRB_AP_REQ 14 application request to server 
-KRB_AP_REP 15 Response to KRB_AP_REQ_MUTUAL -KRB_SAFE 20 Safe (checksummed) application message -KRB_PRIV 21 Private (encrypted) application message -KRB_CRED 22 Private (encrypted) message to forward - credentials -KRB_ERROR 30 Error response - -name types - -KRB_NT_UNKNOWN 0 Name type not known -KRB_NT_PRINCIPAL 1 Just the name of the principal as in DCE, or - for users -KRB_NT_SRV_INST 2 Service and other unique instance (krbtgt) -KRB_NT_SRV_HST 3 Service with host name as instance (telnet, - rcommands) -KRB_NT_SRV_XHST 4 Service with host as remaining components -KRB_NT_UID 5 Unique ID - -error codes - -KDC_ERR_NONE 0 No error -KDC_ERR_NAME_EXP 1 Client's entry in database has - expired -KDC_ERR_SERVICE_EXP 2 Server's entry in database has - expired -KDC_ERR_BAD_PVNO 3 Requested protocol version number - not supported -KDC_ERR_C_OLD_MAST_KVNO 4 Client's key encrypted in old - master key -KDC_ERR_S_OLD_MAST_KVNO 5 Server's key encrypted in old - master key -KDC_ERR_C_PRINCIPAL_UNKNOWN 6 Client not found in Kerberos database -KDC_ERR_S_PRINCIPAL_UNKNOWN 7 Server not found in Kerberos database -KDC_ERR_PRINCIPAL_NOT_UNIQUE 8 Multiple principal entries in - database - - - -Kohl & Neuman [Page 84] - -RFC 1510 Kerberos September 1993 - - -KDC_ERR_NULL_KEY 9 The client or server has a null key -KDC_ERR_CANNOT_POSTDATE 10 Ticket not eligible for postdating -KDC_ERR_NEVER_VALID 11 Requested start time is later than - end time -KDC_ERR_POLICY 12 KDC policy rejects request -KDC_ERR_BADOPTION 13 KDC cannot accommodate requested - option -KDC_ERR_ETYPE_NOSUPP 14 KDC has no support for encryption - type -KDC_ERR_SUMTYPE_NOSUPP 15 KDC has no support for checksum type -KDC_ERR_PADATA_TYPE_NOSUPP 16 KDC has no support for padata type -KDC_ERR_TRTYPE_NOSUPP 17 KDC has no support for transited type -KDC_ERR_CLIENT_REVOKED 18 Clients credentials have been revoked -KDC_ERR_SERVICE_REVOKED 19 Credentials for server have been - revoked -KDC_ERR_TGT_REVOKED 20 TGT has been revoked 
-KDC_ERR_CLIENT_NOTYET 21 Client not yet valid - try again - later -KDC_ERR_SERVICE_NOTYET 22 Server not yet valid - try again - later -KDC_ERR_KEY_EXPIRED 23 Password has expired - change - password to reset -KDC_ERR_PREAUTH_FAILED 24 Pre-authentication information - was invalid -KDC_ERR_PREAUTH_REQUIRED 25 Additional pre-authentication - required* -KRB_AP_ERR_BAD_INTEGRITY 31 Integrity check on decrypted field - failed -KRB_AP_ERR_TKT_EXPIRED 32 Ticket expired -KRB_AP_ERR_TKT_NYV 33 Ticket not yet valid -KRB_AP_ERR_REPEAT 34 Request is a replay -KRB_AP_ERR_NOT_US 35 The ticket isn't for us -KRB_AP_ERR_BADMATCH 36 Ticket and authenticator don't match -KRB_AP_ERR_SKEW 37 Clock skew too great -KRB_AP_ERR_BADADDR 38 Incorrect net address -KRB_AP_ERR_BADVERSION 39 Protocol version mismatch -KRB_AP_ERR_MSG_TYPE 40 Invalid msg type -KRB_AP_ERR_MODIFIED 41 Message stream modified -KRB_AP_ERR_BADORDER 42 Message out of order -KRB_AP_ERR_BADKEYVER 44 Specified version of key is not - available -KRB_AP_ERR_NOKEY 45 Service key not available -KRB_AP_ERR_MUT_FAIL 46 Mutual authentication failed -KRB_AP_ERR_BADDIRECTION 47 Incorrect message direction -KRB_AP_ERR_METHOD 48 Alternative authentication method - required* -KRB_AP_ERR_BADSEQ 49 Incorrect sequence number in message -KRB_AP_ERR_INAPP_CKSUM 50 Inappropriate type of checksum in - - - -Kohl & Neuman [Page 85] - -RFC 1510 Kerberos September 1993 - - - message -KRB_ERR_GENERIC 60 Generic error (description in e-text) -KRB_ERR_FIELD_TOOLONG 61 Field is too long for this - implementation - - *This error carries additional information in the e-data field. The - contents of the e-data field for this message is described in section - 5.9.1. - -9. Interoperability requirements - - Version 5 of the Kerberos protocol supports a myriad of options. 
- Among these are multiple encryption and checksum types, alternative - encoding schemes for the transited field, optional mechanisms for - pre-authentication, the handling of tickets with no addresses, - options for mutual authentication, user to user authentication, - support for proxies, forwarding, postdating, and renewing tickets, - the format of realm names, and the handling of authorization data. - - In order to ensure the interoperability of realms, it is necessary to - define a minimal configuration which must be supported by all - implementations. This minimal configuration is subject to change as - technology does. For example, if at some later date it is discovered - that one of the required encryption or checksum algorithms is not - secure, it will be replaced. - -9.1. Specification 1 - - This section defines the first specification of these options. - Implementations which are configured in this way can be said to - support Kerberos Version 5 Specification 1 (5.1). - - Encryption and checksum methods - - The following encryption and checksum mechanisms must be supported. - Implementations may support other mechanisms as well, but the - additional mechanisms may only be used when communicating with - principals known to also support them: Encryption: DES-CBC-MD5 - Checksums: CRC-32, DES-MAC, DES-MAC-K, and DES-MD5 - - Realm Names - - All implementations must understand hierarchical realms in both the - Internet Domain and the X.500 style. When a ticket granting ticket - for an unknown realm is requested, the KDC must be able to determine - the names of the intermediate realms between the KDCs realm and the - requested realm. - - - - -Kohl & Neuman [Page 86] - -RFC 1510 Kerberos September 1993 - - - Transited field encoding - - DOMAIN-X500-COMPRESS (described in section 3.3.3.1) must be - supported. Alternative encodings may be supported, but they may be - used only when that encoding is supported by ALL intermediate realms. 
- - Pre-authentication methods - - The TGS-REQ method must be supported. The TGS-REQ method is not used - on the initial request. The PA-ENC-TIMESTAMP method must be supported - by clients but whether it is enabled by default may be determined on - a realm by realm basis. If not used in the initial request and the - error KDC_ERR_PREAUTH_REQUIRED is returned specifying PA-ENCTIMESTAMP - as an acceptable method, the client should retry the initial request - using the PA-ENC-TIMESTAMP preauthentication method. Servers need not - support the PAENC-TIMESTAMP method, but if not supported the server - should ignore the presence of PA-ENC-TIMESTAMP pre-authentication in - a request. - - Mutual authentication - - Mutual authentication (via the KRB_AP_REP message) must be supported. - - Ticket addresses and flags - - All KDC's must pass on tickets that carry no addresses (i.e., if a - TGT contains no addresses, the KDC will return derivative tickets), - but each realm may set its own policy for issuing such tickets, and - each application server will set its own policy with respect to - accepting them. By default, servers should not accept them. - - Proxies and forwarded tickets must be supported. Individual realms - and application servers can set their own policy on when such tickets - will be accepted. - - All implementations must recognize renewable and postdated tickets, - but need not actually implement them. If these options are not - supported, the starttime and endtime in the ticket shall specify a - ticket's entire useful life. When a postdated ticket is decoded by a - server, all implementations shall make the presence of the postdated - flag visible to the calling server. - - User-to-user authentication - - Support for user to user authentication (via the ENC-TKTIN-SKEY KDC - option) must be provided by implementations, but individual realms - may decide as a matter of policy to reject such requests on a per- - principal or realm-wide basis. 
- - - -Kohl & Neuman [Page 87] - -RFC 1510 Kerberos September 1993 - - - Authorization data - - Implementations must pass all authorization data subfields from - ticket-granting tickets to any derivative tickets unless directed to - suppress a subfield as part of the definition of that registered - subfield type (it is never incorrect to pass on a subfield, and no - registered subfield types presently specify suppression at the KDC). - - Implementations must make the contents of any authorization data - subfields available to the server when a ticket is used. - Implementations are not required to allow clients to specify the - contents of the authorization data fields. - -9.2. Recommended KDC values - - Following is a list of recommended values for a KDC implementation, - based on the list of suggested configuration constants (see section - 4.4). - - minimum lifetime 5 minutes - - maximum renewable lifetime 1 week - - maximum ticket lifetime 1 day - - empty addresses only when suitable restrictions appear - in authorization data - - proxiable, etc. Allowed. - -10. Acknowledgments - - Early versions of this document, describing version 4 of the - protocol, were written by Jennifer Steiner (formerly at Project - Athena); these drafts provided an excellent starting point for this - current version 5 specification. Many people in the Internet - community have contributed ideas and suggested protocol changes for - version 5. Notable contributions came from Ted Anderson, Steve - Bellovin and Michael Merritt [17], Daniel Bernstein, Mike Burrows, - Donald Davis, Ravi Ganesan, Morrie Gasser, Virgil Gligor, Bill - Griffeth, Mark Lillibridge, Mark Lomas, Steve Lunt, Piers McMahon, - Joe Pato, William Sommerfeld, Stuart Stubblebine, Ralph Swick, Ted - T'so, and Stanley Zanarotti. Many others commented and helped shape - this specification into its current form. - - - - - - - -Kohl & Neuman [Page 88] - -RFC 1510 Kerberos September 1993 - - -11. 
References - - [1] Miller, S., Neuman, C., Schiller, J., and J. Saltzer, "Section - E.2.1: Kerberos Authentication and Authorization System", - M.I.T. Project Athena, Cambridge, Massachusetts, December 21, - 1987. - - [2] Steiner, J., Neuman, C., and J. Schiller, "Kerberos: An - Authentication Service for Open Network Systems", pp. 191-202 in - Usenix Conference Proceedings, Dallas, Texas, February, 1988. - - [3] Needham, R., and M. Schroeder, "Using Encryption for - Authentication in Large Networks of Computers", Communications - of the ACM, Vol. 21 (12), pp. 993-999, December 1978. - - [4] Denning, D., and G. Sacco, "Time stamps in Key Distribution - Protocols", Communications of the ACM, Vol. 24 (8), pp. 533-536, - August 1981. - - [5] Kohl, J., Neuman, C., and T. Ts'o, "The Evolution of the - Kerberos Authentication Service", in an IEEE Computer Society - Text soon to be published, June 1992. - - [6] Davis, D., and R. Swick, "Workstation Services and Kerberos - Authentication at Project Athena", Technical Memorandum TM-424, - MIT Laboratory for Computer Science, February 1990. - - [7] Levine, P., Gretzinger, M, Diaz, J., Sommerfeld, W., and K. - Raeburn, "Section E.1: Service Management System, M.I.T. - Project Athena, Cambridge, Mas sachusetts (1987). - - [8] CCITT, Recommendation X.509: The Directory Authentication - Framework, December 1988. - - [9] Neuman, C., "Proxy-Based Authorization and Accounting for - Distributed Systems," in Proceedings of the 13th International - Conference on Distributed Computing Systems", Pittsburgh, PA, - May 1993. - - [10] Pato, J., "Using Pre-Authentication to Avoid Password Guessing - Attacks", Open Software Foundation DCE Request for Comments 26, - December 1992. - - [11] National Bureau of Standards, U.S. Department of Commerce, "Data - Encryption Standard", Federal Information Processing Standards - Publication 46, Washington, DC (1977). 
- - - - - -Kohl & Neuman [Page 89] - -RFC 1510 Kerberos September 1993 - - - [12] National Bureau of Standards, U.S. Department of Commerce, "DES - Modes of Operation", Federal Information Processing Standards - Publication 81, Springfield, VA, December 1980. - - [13] Stubblebine S., and V. Gligor, "On Message Integrity in - Cryptographic Protocols", in Proceedings of the IEEE Symposium - on Research in Security and Privacy, Oakland, California, May - 1992. - - [14] International Organization for Standardization, "ISO Information - Processing Systems - Data Communication High-Level Data Link - Control Procedure - Frame Structure", IS 3309, October 1984, 3rd - Edition. - - [15] Rivest, R., "The MD4 Message Digest Algorithm", RFC 1320, MIT - Laboratory for Computer Science, April 1992. - - [16] Rivest, R., "The MD5 Message Digest Algorithm", RFC 1321, MIT - Laboratory for Computer Science, April 1992. - - [17] Bellovin S., and M. Merritt, "Limitations of the Kerberos - Authentication System", Computer Communications Review, Vol. - 20(5), pp. 119-132, October 1990. - -12. Security Considerations - - Security issues are discussed throughout this memo. - -13. Authors' Addresses - - John Kohl - Digital Equipment Corporation - 110 Spit Brook Road, M/S ZKO3-3/U14 - Nashua, NH 03062 - - Phone: 603-881-2481 - EMail: jtkohl@zk3.dec.com - - - B. Clifford Neuman - USC/Information Sciences Institute - 4676 Admiralty Way #1001 - Marina del Rey, CA 90292-6695 - - Phone: 310-822-1511 - EMail: bcn@isi.edu - - - - - -Kohl & Neuman [Page 90] - -RFC 1510 Kerberos September 1993 - - -A. Pseudo-code for protocol processing - - This appendix provides pseudo-code describing how the messages are to - be constructed and interpreted by clients and servers. - -A.1. 
KRB_AS_REQ generation - request.pvno := protocol version; /* pvno = 5 */ - request.msg-type := message type; /* type = KRB_AS_REQ */ - - if(pa_enc_timestamp_required) then - request.padata.padata-type = PA-ENC-TIMESTAMP; - get system_time; - padata-body.patimestamp,pausec = system_time; - encrypt padata-body into request.padata.padata-value - using client.key; /* derived from password */ - endif - - body.kdc-options := users's preferences; - body.cname := user's name; - body.realm := user's realm; - body.sname := service's name; /* usually "krbtgt", - "localrealm" */ - if (body.kdc-options.POSTDATED is set) then - body.from := requested starting time; - else - omit body.from; - endif - body.till := requested end time; - if (body.kdc-options.RENEWABLE is set) then - body.rtime := requested final renewal time; - endif - body.nonce := random_nonce(); - body.etype := requested etypes; - if (user supplied addresses) then - body.addresses := user's addresses; - else - omit body.addresses; - endif - omit body.enc-authorization-data; - request.req-body := body; - - kerberos := lookup(name of local kerberos server (or servers)); - send(packet,kerberos); - - wait(for response); - if (timed_out) then - retry or use alternate server; - endif - - - -Kohl & Neuman [Page 91] - -RFC 1510 Kerberos September 1993 - - -A.2. 
KRB_AS_REQ verification and KRB_AS_REP generation - decode message into req; - - client := lookup(req.cname,req.realm); - server := lookup(req.sname,req.realm); - get system_time; - kdc_time := system_time.seconds; - - if (!client) then - /* no client in Database */ - error_out(KDC_ERR_C_PRINCIPAL_UNKNOWN); - endif - if (!server) then - /* no server in Database */ - error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN); - endif - - if(client.pa_enc_timestamp_required and - pa_enc_timestamp not present) then - error_out(KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP)); - endif - - if(pa_enc_timestamp present) then - decrypt req.padata-value into decrypted_enc_timestamp - using client.key; - using auth_hdr.authenticator.subkey; - if (decrypt_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - if(decrypted_enc_timestamp is not within allowable - skew) then error_out(KDC_ERR_PREAUTH_FAILED); - endif - if(decrypted_enc_timestamp and usec is replay) - error_out(KDC_ERR_PREAUTH_FAILED); - endif - add decrypted_enc_timestamp and usec to replay cache; - endif - - use_etype := first supported etype in req.etypes; - - if (no support for req.etypes) then - error_out(KDC_ERR_ETYPE_NOSUPP); - endif - - new_tkt.vno := ticket version; /* = 5 */ - new_tkt.sname := req.sname; - new_tkt.srealm := req.srealm; - reset all flags in new_tkt.flags; - - - - -Kohl & Neuman [Page 92] - -RFC 1510 Kerberos September 1993 - - - /* It should be noted that local policy may affect the */ - /* processing of any of these flags. 
For example, some */ - /* realms may refuse to issue renewable tickets */ - - if (req.kdc-options.FORWARDABLE is set) then - set new_tkt.flags.FORWARDABLE; - endif - if (req.kdc-options.PROXIABLE is set) then - set new_tkt.flags.PROXIABLE; - endif - if (req.kdc-options.ALLOW-POSTDATE is set) then - set new_tkt.flags.ALLOW-POSTDATE; - endif - if ((req.kdc-options.RENEW is set) or - (req.kdc-options.VALIDATE is set) or - (req.kdc-options.PROXY is set) or - (req.kdc-options.FORWARDED is set) or - (req.kdc-options.ENC-TKT-IN-SKEY is set)) then - error_out(KDC_ERR_BADOPTION); - endif - - new_tkt.session := random_session_key(); - new_tkt.cname := req.cname; - new_tkt.crealm := req.crealm; - new_tkt.transited := empty_transited_field(); - - new_tkt.authtime := kdc_time; - - if (req.kdc-options.POSTDATED is set) then - if (against_postdate_policy(req.from)) then - error_out(KDC_ERR_POLICY); - endif - set new_tkt.flags.INVALID; - new_tkt.starttime := req.from; - else - omit new_tkt.starttime; /* treated as authtime when - omitted */ - endif - if (req.till = 0) then - till := infinity; - else - till := req.till; - endif - - new_tkt.endtime := min(till, - new_tkt.starttime+client.max_life, - new_tkt.starttime+server.max_life, - new_tkt.starttime+max_life_for_realm); - - - -Kohl & Neuman [Page 93] - -RFC 1510 Kerberos September 1993 - - - if ((req.kdc-options.RENEWABLE-OK is set) and - (new_tkt.endtime < req.till)) then - /* we set the RENEWABLE option for later processing */ - set req.kdc-options.RENEWABLE; - req.rtime := req.till; - endif - - if (req.rtime = 0) then - rtime := infinity; - else - rtime := req.rtime; - endif - - if (req.kdc-options.RENEWABLE is set) then - set new_tkt.flags.RENEWABLE; - new_tkt.renew-till := min(rtime, - new_tkt.starttime+client.max_rlife, - new_tkt.starttime+server.max_rlife, - new_tkt.starttime+max_rlife_for_realm); - else - omit new_tkt.renew-till; /* only present if RENEWABLE */ - endif - - if (req.addresses) then - new_tkt.caddr := 
req.addresses; - else - omit new_tkt.caddr; - endif - - new_tkt.authorization_data := empty_authorization_data(); - - encode to-be-encrypted part of ticket into OCTET STRING; - new_tkt.enc-part := encrypt OCTET STRING - using etype_for_key(server.key), server.key, server.p_kvno; - - - /* Start processing the response */ - - resp.pvno := 5; - resp.msg-type := KRB_AS_REP; - resp.cname := req.cname; - resp.crealm := req.realm; - resp.ticket := new_tkt; - - resp.key := new_tkt.session; - resp.last-req := fetch_last_request_info(client); - resp.nonce := req.nonce; - resp.key-expiration := client.expiration; - - - -Kohl & Neuman [Page 94] - -RFC 1510 Kerberos September 1993 - - - resp.flags := new_tkt.flags; - - resp.authtime := new_tkt.authtime; - resp.starttime := new_tkt.starttime; - resp.endtime := new_tkt.endtime; - - if (new_tkt.flags.RENEWABLE) then - resp.renew-till := new_tkt.renew-till; - endif - - resp.realm := new_tkt.realm; - resp.sname := new_tkt.sname; - - resp.caddr := new_tkt.caddr; - - encode body of reply into OCTET STRING; - - resp.enc-part := encrypt OCTET STRING - using use_etype, client.key, client.p_kvno; - send(resp); - -A.3. 
KRB_AS_REP verification - decode response into resp; - - if (resp.msg-type = KRB_ERROR) then - if(error = KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP)) - then set pa_enc_timestamp_required; - goto KRB_AS_REQ; - endif - process_error(resp); - return; - endif - - /* On error, discard the response, and zero the session key */ - /* from the response immediately */ - - key = get_decryption_key(resp.enc-part.kvno, resp.enc-part.etype, - resp.padata); - unencrypted part of resp := decode of decrypt of resp.enc-part - using resp.enc-part.etype and key; - zero(key); - - if (common_as_rep_tgs_rep_checks fail) then - destroy resp.key; - return error; - endif - - if near(resp.princ_exp) then - - - -Kohl & Neuman [Page 95] - -RFC 1510 Kerberos September 1993 - - - print(warning message); - endif - save_for_later(ticket,session,client,server,times,flags); - -A.4. KRB_AS_REP and KRB_TGS_REP common checks - if (decryption_error() or - (req.cname != resp.cname) or - (req.realm != resp.crealm) or - (req.sname != resp.sname) or - (req.realm != resp.realm) or - (req.nonce != resp.nonce) or - (req.addresses != resp.caddr)) then - destroy resp.key; - return KRB_AP_ERR_MODIFIED; - endif - - /* make sure no flags are set that shouldn't be, and that */ - /* all that should be are set */ - if (!check_flags_for_compatability(req.kdc-options,resp.flags)) - then destroy resp.key; - return KRB_AP_ERR_MODIFIED; - endif - - if ((req.from = 0) and - (resp.starttime is not within allowable skew)) then - destroy resp.key; - return KRB_AP_ERR_SKEW; - endif - if ((req.from != 0) and (req.from != resp.starttime)) then - destroy resp.key; - return KRB_AP_ERR_MODIFIED; - endif - if ((req.till != 0) and (resp.endtime > req.till)) then - destroy resp.key; - return KRB_AP_ERR_MODIFIED; - endif - - if ((req.kdc-options.RENEWABLE is set) and - (req.rtime != 0) and (resp.renew-till > req.rtime)) then - destroy resp.key; - return KRB_AP_ERR_MODIFIED; - endif - if ((req.kdc-options.RENEWABLE-OK is set) and - 
(resp.flags.RENEWABLE) and - (req.till != 0) and - (resp.renew-till > req.till)) then - destroy resp.key; - return KRB_AP_ERR_MODIFIED; - - - -Kohl & Neuman [Page 96] - -RFC 1510 Kerberos September 1993 - - - endif - -A.5. KRB_TGS_REQ generation - /* Note that make_application_request might have to */ - /* recursivly call this routine to get the appropriate */ - /* ticket-granting ticket */ - - request.pvno := protocol version; /* pvno = 5 */ - request.msg-type := message type; /* type = KRB_TGS_REQ */ - - body.kdc-options := users's preferences; - /* If the TGT is not for the realm of the end-server */ - /* then the sname will be for a TGT for the end-realm */ - /* and the realm of the requested ticket (body.realm) */ - /* will be that of the TGS to which the TGT we are */ - /* sending applies */ - body.sname := service's name; - body.realm := service's realm; - - if (body.kdc-options.POSTDATED is set) then - body.from := requested starting time; - else - omit body.from; - endif - body.till := requested end time; - if (body.kdc-options.RENEWABLE is set) then - body.rtime := requested final renewal time; - endif - body.nonce := random_nonce(); - body.etype := requested etypes; - if (user supplied addresses) then - body.addresses := user's addresses; - else - omit body.addresses; - endif - - body.enc-authorization-data := user-supplied data; - if (body.kdc-options.ENC-TKT-IN-SKEY) then - body.additional-tickets_ticket := second TGT; - endif - - request.req-body := body; - check := generate_checksum (req.body,checksumtype); - - request.padata[0].padata-type := PA-TGS-REQ; - request.padata[0].padata-value := create a KRB_AP_REQ using - the TGT and checksum - - - - -Kohl & Neuman [Page 97] - -RFC 1510 Kerberos September 1993 - - - /* add in any other padata as required/supplied */ - - kerberos := lookup(name of local kerberose server (or servers)); - send(packet,kerberos); - - wait(for response); - if (timed_out) then - retry or use alternate server; - endif - -A.6. 
KRB_TGS_REQ verification and KRB_TGS_REP generation - /* note that reading the application request requires first - determining the server for which a ticket was issued, and - choosing the correct key for decryption. The name of the - server appears in the plaintext part of the ticket. */ - - if (no KRB_AP_REQ in req.padata) then - error_out(KDC_ERR_PADATA_TYPE_NOSUPP); - endif - verify KRB_AP_REQ in req.padata; - - /* Note that the realm in which the Kerberos server is - operating is determined by the instance from the - ticket-granting ticket. The realm in the ticket-granting - ticket is the realm under which the ticket granting ticket was - issued. It is possible for a single Kerberos server to - support more than one realm. */ - - auth_hdr := KRB_AP_REQ; - tgt := auth_hdr.ticket; - - if (tgt.sname is not a TGT for local realm and is not - req.sname) then error_out(KRB_AP_ERR_NOT_US); - - realm := realm_tgt_is_for(tgt); - - decode remainder of request; - - if (auth_hdr.authenticator.cksum is missing) then - error_out(KRB_AP_ERR_INAPP_CKSUM); - endif - if (auth_hdr.authenticator.cksum type is not supported) then - error_out(KDC_ERR_SUMTYPE_NOSUPP); - endif - if (auth_hdr.authenticator.cksum is not both collision-proof - and keyed) then - error_out(KRB_AP_ERR_INAPP_CKSUM); - endif - - - -Kohl & Neuman [Page 98] - -RFC 1510 Kerberos September 1993 - - - set computed_checksum := checksum(req); - if (computed_checksum != auth_hdr.authenticatory.cksum) then - error_out(KRB_AP_ERR_MODIFIED); - endif - - server := lookup(req.sname,realm); - - if (!server) then - if (is_foreign_tgt_name(server)) then - server := best_intermediate_tgs(server); - else - /* no server in Database */ - error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN); - endif - endif - - session := generate_random_session_key(); - - - use_etype := first supported etype in req.etypes; - - if (no support for req.etypes) then - error_out(KDC_ERR_ETYPE_NOSUPP); - endif - - new_tkt.vno := ticket version; /* = 5 */ - 
new_tkt.sname := req.sname; - new_tkt.srealm := realm; - reset all flags in new_tkt.flags; - - /* It should be noted that local policy may affect the */ - /* processing of any of these flags. For example, some */ - /* realms may refuse to issue renewable tickets */ - - new_tkt.caddr := tgt.caddr; - resp.caddr := NULL; /* We only include this if they change */ - if (req.kdc-options.FORWARDABLE is set) then - if (tgt.flags.FORWARDABLE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.FORWARDABLE; - endif - if (req.kdc-options.FORWARDED is set) then - if (tgt.flags.FORWARDABLE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.FORWARDED; - new_tkt.caddr := req.addresses; - - - -Kohl & Neuman [Page 99] - -RFC 1510 Kerberos September 1993 - - - resp.caddr := req.addresses; - endif - if (tgt.flags.FORWARDED is set) then - set new_tkt.flags.FORWARDED; - endif - - if (req.kdc-options.PROXIABLE is set) then - if (tgt.flags.PROXIABLE is reset) - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.PROXIABLE; - endif - if (req.kdc-options.PROXY is set) then - if (tgt.flags.PROXIABLE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.PROXY; - new_tkt.caddr := req.addresses; - resp.caddr := req.addresses; - endif - - if (req.kdc-options.POSTDATE is set) then - if (tgt.flags.POSTDATE is reset) - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.POSTDATE; - endif - if (req.kdc-options.POSTDATED is set) then - if (tgt.flags.POSTDATE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.POSTDATED; - set new_tkt.flags.INVALID; - if (against_postdate_policy(req.from)) then - error_out(KDC_ERR_POLICY); - endif - new_tkt.starttime := req.from; - endif - - - if (req.kdc-options.VALIDATE is set) then - if (tgt.flags.INVALID is reset) then - error_out(KDC_ERR_POLICY); - endif - if (tgt.starttime > kdc_time) then - error_out(KRB_AP_ERR_NYV); - endif - if (check_hot_list(tgt)) then - - 
- -Kohl & Neuman [Page 100] - -RFC 1510 Kerberos September 1993 - - - error_out(KRB_AP_ERR_REPEAT); - endif - tkt := tgt; - reset new_tkt.flags.INVALID; - endif - - if (req.kdc-options.(any flag except ENC-TKT-IN-SKEY, RENEW, - and those already processed) is set) then - error_out(KDC_ERR_BADOPTION); - endif - - new_tkt.authtime := tgt.authtime; - - if (req.kdc-options.RENEW is set) then - /* Note that if the endtime has already passed, the ticket */ - /* would have been rejected in the initial authentication */ - /* stage, so there is no need to check again here */ - if (tgt.flags.RENEWABLE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - if (tgt.renew-till >= kdc_time) then - error_out(KRB_AP_ERR_TKT_EXPIRED); - endif - tkt := tgt; - new_tkt.starttime := kdc_time; - old_life := tgt.endttime - tgt.starttime; - new_tkt.endtime := min(tgt.renew-till, - new_tkt.starttime + old_life); - else - new_tkt.starttime := kdc_time; - if (req.till = 0) then - till := infinity; - else - till := req.till; - endif - new_tkt.endtime := min(till, - new_tkt.starttime+client.max_life, - new_tkt.starttime+server.max_life, - new_tkt.starttime+max_life_for_realm, - tgt.endtime); - - if ((req.kdc-options.RENEWABLE-OK is set) and - (new_tkt.endtime < req.till) and - (tgt.flags.RENEWABLE is set) then - /* we set the RENEWABLE option for later */ - /* processing */ - set req.kdc-options.RENEWABLE; - req.rtime := min(req.till, tgt.renew-till); - - - -Kohl & Neuman [Page 101] - -RFC 1510 Kerberos September 1993 - - - endif - endif - - if (req.rtime = 0) then - rtime := infinity; - else - rtime := req.rtime; - endif - - if ((req.kdc-options.RENEWABLE is set) and - (tgt.flags.RENEWABLE is set)) then - set new_tkt.flags.RENEWABLE; - new_tkt.renew-till := min(rtime, - new_tkt.starttime+client.max_rlife, - new_tkt.starttime+server.max_rlife, - new_tkt.starttime+max_rlife_for_realm, - tgt.renew-till); - else - new_tkt.renew-till := OMIT; - /* leave the renew-till field out */ - endif - if 
(req.enc-authorization-data is present) then - decrypt req.enc-authorization-data - into decrypted_authorization_data - using auth_hdr.authenticator.subkey; - if (decrypt_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - endif - new_tkt.authorization_data := - req.auth_hdr.ticket.authorization_data + - decrypted_authorization_data; - - new_tkt.key := session; - new_tkt.crealm := tgt.crealm; - new_tkt.cname := req.auth_hdr.ticket.cname; - - if (realm_tgt_is_for(tgt) := tgt.realm) then - /* tgt issued by local realm */ - new_tkt.transited := tgt.transited; - else - /* was issued for this realm by some other realm */ - if (tgt.transited.tr-type not supported) then - error_out(KDC_ERR_TRTYPE_NOSUPP); - endif - new_tkt.transited - := compress_transited(tgt.transited + tgt.realm) - endif - - - -Kohl & Neuman [Page 102] - -RFC 1510 Kerberos September 1993 - - - encode encrypted part of new_tkt into OCTET STRING; - if (req.kdc-options.ENC-TKT-IN-SKEY is set) then - if (server not specified) then - server = req.second_ticket.client; - endif - if ((req.second_ticket is not a TGT) or - (req.second_ticket.client != server)) then - error_out(KDC_ERR_POLICY); - endif - - new_tkt.enc-part := encrypt OCTET STRING using - using etype_for_key(second-ticket.key), - second-ticket.key; - else - new_tkt.enc-part := encrypt OCTET STRING - using etype_for_key(server.key), server.key, - server.p_kvno; - endif - - resp.pvno := 5; - resp.msg-type := KRB_TGS_REP; - resp.crealm := tgt.crealm; - resp.cname := tgt.cname; - resp.ticket := new_tkt; - - resp.key := session; - resp.nonce := req.nonce; - resp.last-req := fetch_last_request_info(client); - resp.flags := new_tkt.flags; - - resp.authtime := new_tkt.authtime; - resp.starttime := new_tkt.starttime; - resp.endtime := new_tkt.endtime; - - omit resp.key-expiration; - - resp.sname := new_tkt.sname; - resp.realm := new_tkt.realm; - - if (new_tkt.flags.RENEWABLE) then - resp.renew-till := new_tkt.renew-till; - endif - - - encode 
body of reply into OCTET STRING; - - if (req.padata.authenticator.subkey) - resp.enc-part := encrypt OCTET STRING using use_etype, - - - -Kohl & Neuman [Page 103] - -RFC 1510 Kerberos September 1993 - - - req.padata.authenticator.subkey; - else resp.enc-part := encrypt OCTET STRING - using use_etype, tgt.key; - - send(resp); - -A.7. KRB_TGS_REP verification - decode response into resp; - - if (resp.msg-type = KRB_ERROR) then - process_error(resp); - return; - endif - - /* On error, discard the response, and zero the session key from - the response immediately */ - - if (req.padata.authenticator.subkey) - unencrypted part of resp := - decode of decrypt of resp.enc-part - using resp.enc-part.etype and subkey; - else unencrypted part of resp := - decode of decrypt of resp.enc-part - using resp.enc-part.etype and tgt's session key; - if (common_as_rep_tgs_rep_checks fail) then - destroy resp.key; - return error; - endif - - check authorization_data as necessary; - save_for_later(ticket,session,client,server,times,flags); - -A.8. Authenticator generation - body.authenticator-vno := authenticator vno; /* = 5 */ - body.cname, body.crealm := client name; - if (supplying checksum) then - body.cksum := checksum; - endif - get system_time; - body.ctime, body.cusec := system_time; - if (selecting sub-session key) then - select sub-session key; - body.subkey := sub-session key; - endif - if (using sequence numbers) then - select initial sequence number; - body.seq-number := initial sequence; - endif - - - -Kohl & Neuman [Page 104] - -RFC 1510 Kerberos September 1993 - - -A.9. 
KRB_AP_REQ generation - obtain ticket and session_key from cache; - - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_AP_REQ */ - - if (desired(MUTUAL_AUTHENTICATION)) then - set packet.ap-options.MUTUAL-REQUIRED; - else - reset packet.ap-options.MUTUAL-REQUIRED; - endif - if (using session key for ticket) then - set packet.ap-options.USE-SESSION-KEY; - else - reset packet.ap-options.USE-SESSION-KEY; - endif - packet.ticket := ticket; /* ticket */ - generate authenticator; - encode authenticator into OCTET STRING; - encrypt OCTET STRING into packet.authenticator - using session_key; - -A.10. KRB_AP_REQ verification - receive packet; - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_AP_REQ) then - error_out(KRB_AP_ERR_MSG_TYPE); - endif - if (packet.ticket.tkt_vno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.ap_options.USE-SESSION-KEY is set) then - retrieve session key from ticket-granting ticket for - packet.ticket.{sname,srealm,enc-part.etype}; - else - retrieve service key for - packet.ticket.{sname,srealm,enc-part.etype,enc-part.skvno}; - endif - if (no_key_available) then - if (cannot_find_specified_skvno) then - error_out(KRB_AP_ERR_BADKEYVER); - else - error_out(KRB_AP_ERR_NOKEY); - endif - - - -Kohl & Neuman [Page 105] - -RFC 1510 Kerberos September 1993 - - - endif - decrypt packet.ticket.enc-part into decr_ticket - using retrieved key; - if (decryption_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - decrypt packet.authenticator into decr_authenticator - using decr_ticket.key; - if (decryption_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - if (decr_authenticator.{cname,crealm} != - decr_ticket.{cname,crealm}) then - error_out(KRB_AP_ERR_BADMATCH); - endif - if (decr_ticket.caddr is present) then - if (sender_address(packet) is 
not in decr_ticket.caddr) - then error_out(KRB_AP_ERR_BADADDR); - endif - elseif (application requires addresses) then - error_out(KRB_AP_ERR_BADADDR); - endif - if (not in_clock_skew(decr_authenticator.ctime, - decr_authenticator.cusec)) then - error_out(KRB_AP_ERR_SKEW); - endif - if (repeated(decr_authenticator.{ctime,cusec,cname,crealm})) - then error_out(KRB_AP_ERR_REPEAT); - endif - save_identifier(decr_authenticator.{ctime,cusec,cname,crealm}); - get system_time; - if ((decr_ticket.starttime-system_time > CLOCK_SKEW) or - (decr_ticket.flags.INVALID is set)) then - /* it hasn't yet become valid */ - error_out(KRB_AP_ERR_TKT_NYV); - endif - if (system_time-decr_ticket.endtime > CLOCK_SKEW) then - error_out(KRB_AP_ERR_TKT_EXPIRED); - endif - /* caller must check decr_ticket.flags for any pertinent */ - /* details */ - return(OK, decr_ticket, packet.ap_options.MUTUAL-REQUIRED); - -A.11. KRB_AP_REP generation - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_AP_REP */ - body.ctime := packet.ctime; - body.cusec := packet.cusec; - - - -Kohl & Neuman [Page 106] - -RFC 1510 Kerberos September 1993 - - - if (selecting sub-session key) then - select sub-session key; - body.subkey := sub-session key; - endif - if (using sequence numbers) then - select initial sequence number; - body.seq-number := initial sequence; - endif - - encode body into OCTET STRING; - - select encryption type; - encrypt OCTET STRING into packet.enc-part; - -A.12. 
KRB_AP_REP verification - receive packet; - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_AP_REP) then - error_out(KRB_AP_ERR_MSG_TYPE); - endif - cleartext := decrypt(packet.enc-part) - using ticket's session key; - if (decryption_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - if (cleartext.ctime != authenticator.ctime) then - error_out(KRB_AP_ERR_MUT_FAIL); - endif - if (cleartext.cusec != authenticator.cusec) then - error_out(KRB_AP_ERR_MUT_FAIL); - endif - if (cleartext.subkey is present) then - save cleartext.subkey for future use; - endif - if (cleartext.seq-number is present) then - save cleartext.seq-number for future verifications; - endif - return(AUTHENTICATION_SUCCEEDED); - -A.13. KRB_SAFE generation - collect user data in buffer; - - /* assemble packet: */ - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_SAFE */ - - - -Kohl & Neuman [Page 107] - -RFC 1510 Kerberos September 1993 - - - body.user-data := buffer; /* DATA */ - if (using timestamp) then - get system_time; - body.timestamp, body.usec := system_time; - endif - if (using sequence numbers) then - body.seq-number := sequence number; - endif - body.s-address := sender host addresses; - if (only one recipient) then - body.r-address := recipient host address; - endif - checksum.cksumtype := checksum type; - compute checksum over body; - checksum.checksum := checksum value; /* checksum.checksum */ - packet.cksum := checksum; - packet.safe-body := body; - -A.14. 
KRB_SAFE verification - receive packet; - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_SAFE) then - error_out(KRB_AP_ERR_MSG_TYPE); - endif - if (packet.checksum.cksumtype is not both collision-proof - and keyed) then - error_out(KRB_AP_ERR_INAPP_CKSUM); - endif - if (safe_priv_common_checks_ok(packet)) then - set computed_checksum := checksum(packet.body); - if (computed_checksum != packet.checksum) then - error_out(KRB_AP_ERR_MODIFIED); - endif - return (packet, PACKET_IS_GENUINE); - else - return common_checks_error; - endif - -A.15. KRB_SAFE and KRB_PRIV common checks - if (packet.s-address != O/S_sender(packet)) then - /* O/S report of sender not who claims to have sent it */ - error_out(KRB_AP_ERR_BADADDR); - endif - if ((packet.r-address is present) and - (packet.r-address != local_host_address)) then - - - -Kohl & Neuman [Page 108] - -RFC 1510 Kerberos September 1993 - - - /* was not sent to proper place */ - error_out(KRB_AP_ERR_BADADDR); - endif - if (((packet.timestamp is present) and - (not in_clock_skew(packet.timestamp,packet.usec))) or - (packet.timestamp is not present and timestamp expected)) - then error_out(KRB_AP_ERR_SKEW); - endif - if (repeated(packet.timestamp,packet.usec,packet.s-address)) - then error_out(KRB_AP_ERR_REPEAT); - endif - if (((packet.seq-number is present) and - ((not in_sequence(packet.seq-number)))) or - (packet.seq-number is not present and sequence expected)) - then error_out(KRB_AP_ERR_BADORDER); - endif - if (packet.timestamp not present and - packet.seq-number not present) then - error_out(KRB_AP_ERR_MODIFIED); - endif - - save_identifier(packet.{timestamp,usec,s-address}, - sender_principal(packet)); - - return PACKET_IS_OK; - -A.16. 
KRB_PRIV generation - collect user data in buffer; - - /* assemble packet: */ - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_PRIV */ - - packet.enc-part.etype := encryption type; - - body.user-data := buffer; - if (using timestamp) then - get system_time; - body.timestamp, body.usec := system_time; - endif - if (using sequence numbers) then - body.seq-number := sequence number; - endif - body.s-address := sender host addresses; - if (only one recipient) then - body.r-address := recipient host address; - endif - - - - -Kohl & Neuman [Page 109] - -RFC 1510 Kerberos September 1993 - - - encode body into OCTET STRING; - - select encryption type; - encrypt OCTET STRING into packet.enc-part.cipher; - -A.17. KRB_PRIV verification - receive packet; - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_PRIV) then - error_out(KRB_AP_ERR_MSG_TYPE); - endif - - cleartext := decrypt(packet.enc-part) using negotiated key; - if (decryption_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - - if (safe_priv_common_checks_ok(cleartext)) then - return(cleartext.DATA, PACKET_IS_GENUINE_AND_UNMODIFIED); - else - return common_checks_error; - endif - -A.18. 
KRB_CRED generation - invoke KRB_TGS; /* obtain tickets to be provided to peer */ - - /* assemble packet: */ - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_CRED */ - - for (tickets[n] in tickets to be forwarded) do - packet.tickets[n] = tickets[n].ticket; - done - - packet.enc-part.etype := encryption type; - - for (ticket[n] in tickets to be forwarded) do - body.ticket-info[n].key = tickets[n].session; - body.ticket-info[n].prealm = tickets[n].crealm; - body.ticket-info[n].pname = tickets[n].cname; - body.ticket-info[n].flags = tickets[n].flags; - body.ticket-info[n].authtime = tickets[n].authtime; - body.ticket-info[n].starttime = tickets[n].starttime; - body.ticket-info[n].endtime = tickets[n].endtime; - body.ticket-info[n].renew-till = tickets[n].renew-till; - - - -Kohl & Neuman [Page 110] - -RFC 1510 Kerberos September 1993 - - - body.ticket-info[n].srealm = tickets[n].srealm; - body.ticket-info[n].sname = tickets[n].sname; - body.ticket-info[n].caddr = tickets[n].caddr; - done - - get system_time; - body.timestamp, body.usec := system_time; - - if (using nonce) then - body.nonce := nonce; - endif - - if (using s-address) then - body.s-address := sender host addresses; - endif - if (limited recipients) then - body.r-address := recipient host address; - endif - - encode body into OCTET STRING; - - select encryption type; - encrypt OCTET STRING into packet.enc-part.cipher - using negotiated encryption key; - -A.19. 
KRB_CRED verification - receive packet; - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_CRED) then - error_out(KRB_AP_ERR_MSG_TYPE); - endif - - cleartext := decrypt(packet.enc-part) using negotiated key; - if (decryption_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - if ((packet.r-address is present or required) and - (packet.s-address != O/S_sender(packet)) then - /* O/S report of sender not who claims to have sent it */ - error_out(KRB_AP_ERR_BADADDR); - endif - if ((packet.r-address is present) and - (packet.r-address != local_host_address)) then - /* was not sent to proper place */ - error_out(KRB_AP_ERR_BADADDR); - - - -Kohl & Neuman [Page 111] - -RFC 1510 Kerberos September 1993 - - - endif - if (not in_clock_skew(packet.timestamp,packet.usec)) then - error_out(KRB_AP_ERR_SKEW); - endif - if (repeated(packet.timestamp,packet.usec,packet.s-address)) - then error_out(KRB_AP_ERR_REPEAT); - endif - if (packet.nonce is required or present) and - (packet.nonce != expected-nonce) then - error_out(KRB_AP_ERR_MODIFIED); - endif - - for (ticket[n] in tickets that were forwarded) do - save_for_later(ticket[n],key[n],principal[n], - server[n],times[n],flags[n]); - return - -A.20. KRB_ERROR generation - - /* assemble packet: */ - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_ERROR */ - - get system_time; - packet.stime, packet.susec := system_time; - packet.realm, packet.sname := server name; - - if (client time available) then - packet.ctime, packet.cusec := client_time; - endif - packet.error-code := error code; - if (client name available) then - packet.cname, packet.crealm := client name; - endif - if (error text available) then - packet.e-text := error text; - endif - if (error data available) then - packet.e-data := error data; - endif - - - - - - - - - - - -Kohl & Neuman [Page 112] - \ No newline at end of file 
diff --git a/crypto/heimdal-0.6.3/doc/standardisation/rfc1750.txt b/crypto/heimdal-0.6.3/doc/standardisation/rfc1750.txt
deleted file mode 100644
index 56d478c7ee..0000000000
--- a/crypto/heimdal-0.6.3/doc/standardisation/rfc1750.txt
+++ /dev/null
@@ -1,1683 +0,0 @@ - - - - - - -Network Working Group D. Eastlake, 3rd -Request for Comments: 1750 DEC -Category: Informational S. Crocker - Cybercash - J. Schiller - MIT - December 1994 - - - Randomness Recommendations for Security - -Status of this Memo - - This memo provides information for the Internet community. This memo - does not specify an Internet standard of any kind. Distribution of - this memo is unlimited. - -Abstract - - Security systems today are built on increasingly strong cryptographic - algorithms that foil pattern analysis attempts. However, the security - of these systems is dependent on generating secret quantities for - passwords, cryptographic keys, and similar quantities. The use of - pseudo-random processes to generate secret quantities can result in - pseudo-security. The sophisticated attacker of these security - systems may find it easier to reproduce the environment that produced - the secret quantities, searching the resulting small set of - possibilities, than to locate the quantities in the whole of the - number space. - - Choosing random quantities to foil a resourceful and motivated - adversary is surprisingly difficult. This paper points out many - pitfalls in using traditional pseudo-random number generation - techniques for choosing such quantities. It recommends the use of - truly random hardware techniques and shows that the existing hardware - on many systems can be used for this purpose. It provides - suggestions to ameliorate the problem when a hardware solution is not - available. And it gives examples of how large such quantities need - to be for some particular applications. - - - - - - - - - - - - -Eastlake, Crocker & Schiller [Page 1] - -RFC 1750 Randomness Recommendations for Security December 1994 - - -Acknowledgements - - Comments on this document that have been incorporated were received - from (in alphabetic order) the following: - - David M. Balenson (TIS) - Don Coppersmith (IBM) - Don T. 
Davis (consultant) - Carl Ellison (Stratus) - Marc Horowitz (MIT) - Christian Huitema (INRIA) - Charlie Kaufman (IRIS) - Steve Kent (BBN) - Hal Murray (DEC) - Neil Haller (Bellcore) - Richard Pitkin (DEC) - Tim Redmond (TIS) - Doug Tygar (CMU) - -Table of Contents - - 1. Introduction........................................... 3 - 2. Requirements........................................... 4 - 3. Traditional Pseudo-Random Sequences.................... 5 - 4. Unpredictability....................................... 7 - 4.1 Problems with Clocks and Serial Numbers............... 7 - 4.2 Timing and Content of External Events................ 8 - 4.3 The Fallacy of Complex Manipulation.................. 8 - 4.4 The Fallacy of Selection from a Large Database....... 9 - 5. Hardware for Randomness............................... 10 - 5.1 Volume Required...................................... 10 - 5.2 Sensitivity to Skew.................................. 10 - 5.2.1 Using Stream Parity to De-Skew..................... 11 - 5.2.2 Using Transition Mappings to De-Skew............... 12 - 5.2.3 Using FFT to De-Skew............................... 13 - 5.2.4 Using Compression to De-Skew....................... 13 - 5.3 Existing Hardware Can Be Used For Randomness......... 14 - 5.3.1 Using Existing Sound/Video Input................... 14 - 5.3.2 Using Existing Disk Drives......................... 14 - 6. Recommended Non-Hardware Strategy..................... 14 - 6.1 Mixing Functions..................................... 15 - 6.1.1 A Trivial Mixing Function.......................... 15 - 6.1.2 Stronger Mixing Functions.......................... 16 - 6.1.3 Diff-Hellman as a Mixing Function.................. 17 - 6.1.4 Using a Mixing Function to Stretch Random Bits..... 17 - 6.1.5 Other Factors in Choosing a Mixing Function........ 18 - 6.2 Non-Hardware Sources of Randomness................... 19 - 6.3 Cryptographically Strong Sequences................... 
19 - - - -Eastlake, Crocker & Schiller [Page 2] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - 6.3.1 Traditional Strong Sequences....................... 20 - 6.3.2 The Blum Blum Shub Sequence Generator.............. 21 - 7. Key Generation Standards.............................. 22 - 7.1 US DoD Recommendations for Password Generation....... 23 - 7.2 X9.17 Key Generation................................. 23 - 8. Examples of Randomness Required....................... 24 - 8.1 Password Generation................................. 24 - 8.2 A Very High Security Cryptographic Key............... 25 - 8.2.1 Effort per Key Trial............................... 25 - 8.2.2 Meet in the Middle Attacks......................... 26 - 8.2.3 Other Considerations............................... 26 - 9. Conclusion............................................ 27 - 10. Security Considerations.............................. 27 - References............................................... 28 - Authors' Addresses....................................... 30 - -1. Introduction - - Software cryptography is coming into wider use. Systems like - Kerberos, PEM, PGP, etc. are maturing and becoming a part of the - network landscape [PEM]. These systems provide substantial - protection against snooping and spoofing. However, there is a - potential flaw. At the heart of all cryptographic systems is the - generation of secret, unguessable (i.e., random) numbers. - - For the present, the lack of generally available facilities for - generating such unpredictable numbers is an open wound in the design - of cryptographic software. For the software developer who wants to - build a key or password generation procedure that runs on a wide - range of hardware, the only safe strategy so far has been to force - the local installation to supply a suitable routine to generate - random numbers. To say the least, this is an awkward, error-prone - and unpalatable solution. 
- - It is important to keep in mind that the requirement is for data that - an adversary has a very low probability of guessing or determining. - This will fail if pseudo-random data is used which only meets - traditional statistical tests for randomness or which is based on - limited range sources, such as clocks. Frequently such random - quantities are determinable by an adversary searching through an - embarrassingly small space of possibilities. - - This informational document suggests techniques for producing random - quantities that will be resistant to such attack. It recommends that - future systems include hardware random number generation or provide - access to existing hardware that can be used for this purpose. It - suggests methods for use if such hardware is not available. And it - gives some estimates of the number of random bits required for sample - - - -Eastlake, Crocker & Schiller [Page 3] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - applications. - -2. Requirements - - Probably the most commonly encountered randomness requirement today - is the user password. This is usually a simple character string. - Obviously, if a password can be guessed, it does not provide - security. (For re-usable passwords, it is desirable that users be - able to remember the password. This may make it advisable to use - pronounceable character strings or phrases composed on ordinary - words. But this only affects the format of the password information, - not the requirement that the password be very hard to guess.) - - Many other requirements come from the cryptographic arena. - Cryptographic techniques can be used to provide a variety of services - including confidentiality and authentication. Such services are - based on quantities, traditionally called "keys", that are unknown to - and unguessable by an adversary. 
- - In some cases, such as the use of symmetric encryption with the one - time pads [CRYPTO*] or the US Data Encryption Standard [DES], the - parties who wish to communicate confidentially and/or with - authentication must all know the same secret key. In other cases, - using what are called asymmetric or "public key" cryptographic - techniques, keys come in pairs. One key of the pair is private and - must be kept secret by one party, the other is public and can be - published to the world. It is computationally infeasible to - determine the private key from the public key [ASYMMETRIC, CRYPTO*]. - - The frequency and volume of the requirement for random quantities - differs greatly for different cryptographic systems. Using pure RSA - [CRYPTO*], random quantities are required when the key pair is - generated, but thereafter any number of messages can be signed - without any further need for randomness. The public key Digital - Signature Algorithm that has been proposed by the US National - Institute of Standards and Technology (NIST) requires good random - numbers for each signature. And encrypting with a one time pad, in - principle the strongest possible encryption technique, requires a - volume of randomness equal to all the messages to be processed. - - In most of these cases, an adversary can try to determine the - "secret" key by trial and error. (This is possible as long as the - key is enough smaller than the message that the correct key can be - uniquely identified.) The probability of an adversary succeeding at - this must be made acceptably low, depending on the particular - application. The size of the space the adversary must search is - related to the amount of key "information" present in the information - theoretic sense [SHANNON]. 
This depends on the number of different - - - -Eastlake, Crocker & Schiller [Page 4] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - secret values possible and the probability of each value as follows: - - ----- - \ - Bits-of-info = \ - p * log ( p ) - / i 2 i - / - ----- - - where i varies from 1 to the number of possible secret values and p - sub i is the probability of the value numbered i. (Since p sub i is - less than one, the log will be negative so each term in the sum will - be non-negative.) - - If there are 2^n different values of equal probability, then n bits - of information are present and an adversary would, on the average, - have to try half of the values, or 2^(n-1) , before guessing the - secret quantity. If the probability of different values is unequal, - then there is less information present and fewer guesses will, on - average, be required by an adversary. In particular, any values that - the adversary can know are impossible, or are of low probability, can - be initially ignored by an adversary, who will search through the - more probable values first. - - For example, consider a cryptographic system that uses 56 bit keys. - If these 56 bit keys are derived by using a fixed pseudo-random - number generator that is seeded with an 8 bit seed, then an adversary - needs to search through only 256 keys (by running the pseudo-random - number generator with every possible seed), not the 2^56 keys that - may at first appear to be the case. Only 8 bits of "information" are - in these 56 bit keys. - -3. Traditional Pseudo-Random Sequences - - Most traditional sources of random numbers use deterministic sources - of "pseudo-random" numbers. These typically start with a "seed" - quantity and use numeric or logical operations to produce a sequence - of values. - - [KNUTH] has a classic exposition on pseudo-random numbers. 
- Applications he mentions are simulation of natural phenomena, - sampling, numerical analysis, testing computer programs, decision - making, and games. None of these have the same characteristics as - the sort of security uses we are talking about. Only in the last two - could there be an adversary trying to find the random quantity. - However, in these cases, the adversary normally has only a single - chance to use a guessed value. In guessing passwords or attempting - to break an encryption scheme, the adversary normally has many, - - - -Eastlake, Crocker & Schiller [Page 5] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - perhaps unlimited, chances at guessing the correct value and should - be assumed to be aided by a computer. - - For testing the "randomness" of numbers, Knuth suggests a variety of - measures including statistical and spectral. These tests check - things like autocorrelation between different parts of a "random" - sequence or distribution of its values. They could be met by a - constant stored random sequence, such as the "random" sequence - printed in the CRC Standard Mathematical Tables [CRC]. - - A typical pseudo-random number generation technique, known as a - linear congruence pseudo-random number generator, is modular - arithmetic where the N+1th value is calculated from the Nth value by - - V = ( V * a + b )(Mod c) - N+1 N - - The above technique has a strong relationship to linear shift - register pseudo-random number generators, which are well understood - cryptographically [SHIFT*]. In such generators bits are introduced - at one end of a shift register as the Exclusive Or (binary sum - without carry) of bits from selected fixed taps into the register. - - For example: - - +----+ +----+ +----+ +----+ - | B | <-- | B | <-- | B | <-- . . . . . . 
<-- | B | <-+ - | 0 | | 1 | | 2 | | n | | - +----+ +----+ +----+ +----+ | - | | | | - | | V +-----+ - | V +----------------> | | - V +-----------------------------> | XOR | - +---------------------------------------------------> | | - +-----+ - - - V = ( ( V * 2 ) + B .xor. B ... )(Mod 2^n) - N+1 N 0 2 - - The goodness of traditional pseudo-random number generator algorithms - is measured by statistical tests on such sequences. Carefully chosen - values of the initial V and a, b, and c or the placement of shift - register tap in the above simple processes can produce excellent - statistics. - - - - - - -Eastlake, Crocker & Schiller [Page 6] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - These sequences may be adequate in simulations (Monte Carlo - experiments) as long as the sequence is orthogonal to the structure - of the space being explored. Even there, subtle patterns may cause - problems. However, such sequences are clearly bad for use in - security applications. They are fully predictable if the initial - state is known. Depending on the form of the pseudo-random number - generator, the sequence may be determinable from observation of a - short portion of the sequence [CRYPTO*, STERN]. For example, with - the generators above, one can determine V(n+1) given knowledge of - V(n). In fact, it has been shown that with these techniques, even if - only one bit of the pseudo-random values is released, the seed can be - determined from short sequences. - - Not only have linear congruent generators been broken, but techniques - are now known for breaking all polynomial congruent generators - [KRAWCZYK]. - -4. Unpredictability - - Randomness in the traditional sense described in section 3 is NOT the - same as the unpredictability required for security use. - - For example, use of a widely available constant sequence, such as - that from the CRC tables, is very weak against an adversary. 
Once - they learn of or guess it, they can easily break all security, future - and past, based on the sequence [CRC]. Yet the statistical - properties of these tables are good. - - The following sections describe the limitations of some randomness - generation techniques and sources. - -4.1 Problems with Clocks and Serial Numbers - - Computer clocks, or similar operating system or hardware values, - provide significantly fewer real bits of unpredictability than might - appear from their specifications. - - Tests have been done on clocks on numerous systems and it was found - that their behavior can vary widely and in unexpected ways. One - version of an operating system running on one set of hardware may - actually provide, say, microsecond resolution in a clock while a - different configuration of the "same" system may always provide the - same lower bits and only count in the upper bits at much lower - resolution. This means that successive reads on the clock may - produce identical values even if enough time has passed that the - value "should" change based on the nominal clock resolution. There - are also cases where frequently reading a clock can produce - artificial sequential values because of extra code that checks for - - - -Eastlake, Crocker & Schiller [Page 7] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - the clock being unchanged between two reads and increases it by one! - Designing portable application code to generate unpredictable numbers - based on such system clocks is particularly challenging because the - system designer does not always know the properties of the system - clocks that the code will execute on. - - Use of a hardware serial number such as an Ethernet address may also - provide fewer bits of uniqueness than one would guess. 
Such - quantities are usually heavily structured and subfields may have only - a limited range of possible values or values easily guessable based - on approximate date of manufacture or other data. For example, it is - likely that most of the Ethernet cards installed on Digital Equipment - Corporation (DEC) hardware within DEC were manufactured by DEC - itself, which significantly limits the range of built in addresses. - - Problems such as those described above related to clocks and serial - numbers make code to produce unpredictable quantities difficult if - the code is to be ported across a variety of computer platforms and - systems. - -4.2 Timing and Content of External Events - - It is possible to measure the timing and content of mouse movement, - key strokes, and similar user events. This is a reasonable source of - unguessable data with some qualifications. On some machines, inputs - such as key strokes are buffered. Even though the user's inter- - keystroke timing may have sufficient variation and unpredictability, - there might not be an easy way to access that variation. Another - problem is that no standard method exists to sample timing details. - This makes it hard to build standard software intended for - distribution to a large range of machines based on this technique. - - The amount of mouse movement or the keys actually hit are usually - easier to access than timings but may yield less unpredictability as - the user may provide highly repetitive input. - - Other external events, such as network packet arrival times, can also - be used with care. In particular, the possibility of manipulation of - such times by an adversary must be considered. 
- -4.3 The Fallacy of Complex Manipulation - - One strategy which may give a misleading appearance of - unpredictability is to take a very complex algorithm (or an excellent - traditional pseudo-random number generator with good statistical - properties) and calculate a cryptographic key by starting with the - current value of a computer system clock as the seed. An adversary - who knew roughly when the generator was started would have a - - - -Eastlake, Crocker & Schiller [Page 8] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - relatively small number of seed values to test as they would know - likely values of the system clock. Large numbers of pseudo-random - bits could be generated but the search space an adversary would need - to check could be quite small. - - Thus very strong and/or complex manipulation of data will not help if - the adversary can learn what the manipulation is and there is not - enough unpredictability in the starting seed value. Even if they can - not learn what the manipulation is, they may be able to use the - limited number of results stemming from a limited number of seed - values to defeat security. - - Another serious strategy error is to assume that a very complex - pseudo-random number generation algorithm will produce strong random - numbers when there has been no theory behind or analysis of the - algorithm. There is a excellent example of this fallacy right near - the beginning of chapter 3 in [KNUTH] where the author describes a - complex algorithm. It was intended that the machine language program - corresponding to the algorithm would be so complicated that a person - trying to read the code without comments wouldn't know what the - program was doing. Unfortunately, actual use of this algorithm - showed that it almost immediately converged to a single repeated - value in one case and a small cycle of values in another case. 
- - Not only does complex manipulation not help you if you have a limited - range of seeds but blindly chosen complex manipulation can destroy - the randomness in a good seed! - -4.4 The Fallacy of Selection from a Large Database - - Another strategy that can give a misleading appearance of - unpredictability is selection of a quantity randomly from a database - and assume that its strength is related to the total number of bits - in the database. For example, typical USENET servers as of this date - process over 35 megabytes of information per day. Assume a random - quantity was selected by fetching 32 bytes of data from a random - starting point in this data. This does not yield 32*8 = 256 bits - worth of unguessability. Even after allowing that much of the data - is human language and probably has more like 2 or 3 bits of - information per byte, it doesn't yield 32*2.5 = 80 bits of - unguessability. For an adversary with access to the same 35 - megabytes the unguessability rests only on the starting point of the - selection. That is, at best, about 25 bits of unguessability in this - case. - - The same argument applies to selecting sequences from the data on a - CD ROM or Audio CD recording or any other large public database. If - the adversary has access to the same database, this "selection from a - - - -Eastlake, Crocker & Schiller [Page 9] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - large volume of data" step buys very little. However, if a selection - can be made from data to which the adversary has no access, such as - system buffers on an active multi-user system, it may be of some - help. - -5. Hardware for Randomness - - Is there any hope for strong portable randomness in the future? - There might be. All that's needed is a physical source of - unpredictable numbers. - - A thermal noise or radioactive decay source and a fast, free-running - oscillator would do the trick directly [GIFFORD]. 
This is a trivial - amount of hardware, and could easily be included as a standard part - of a computer system's architecture. Furthermore, any system with a - spinning disk or the like has an adequate source of randomness - [DAVIS]. All that's needed is the common perception among computer - vendors that this small additional hardware and the software to - access it is necessary and useful. - -5.1 Volume Required - - How much unpredictability is needed? Is it possible to quantify the - requirement in, say, number of random bits per second? - - The answer is not very much is needed. For DES, the key is 56 bits - and, as we show in an example in Section 8, even the highest security - system is unlikely to require a keying material of over 200 bits. If - a series of keys are needed, it can be generated from a strong random - seed using a cryptographically strong sequence as explained in - Section 6.3. A few hundred random bits generated once a day would be - enough using such techniques. Even if the random bits are generated - as slowly as one per second and it is not possible to overlap the - generation process, it should be tolerable in high security - applications to wait 200 seconds occasionally. - - These numbers are trivial to achieve. It could be done by a person - repeatedly tossing a coin. Almost any hardware process is likely to - be much faster. - -5.2 Sensitivity to Skew - - Is there any specific requirement on the shape of the distribution of - the random numbers? The good news is the distribution need not be - uniform. All that is needed is a conservative estimate of how non- - uniform it is to bound performance. Two simple techniques to de-skew - the bit stream are given below and stronger techniques are mentioned - in Section 6.1.2 below. 
- - - -Eastlake, Crocker & Schiller [Page 10] - -RFC 1750 Randomness Recommendations for Security December 1994 - - -5.2.1 Using Stream Parity to De-Skew - - Consider taking a sufficiently long string of bits and map the string - to "zero" or "one". The mapping will not yield a perfectly uniform - distribution, but it can be as close as desired. One mapping that - serves the purpose is to take the parity of the string. This has the - advantages that it is robust across all degrees of skew up to the - estimated maximum skew and is absolutely trivial to implement in - hardware. - - The following analysis gives the number of bits that must be sampled: - - Suppose the ratio of ones to zeros is 0.5 + e : 0.5 - e, where e is - between 0 and 0.5 and is a measure of the "eccentricity" of the - distribution. Consider the distribution of the parity function of N - bit samples. The probabilities that the parity will be one or zero - will be the sum of the odd or even terms in the binomial expansion of - (p + q)^N, where p = 0.5 + e, the probability of a one, and q = 0.5 - - e, the probability of a zero. - - These sums can be computed easily as - - N N - 1/2 * ( ( p + q ) + ( p - q ) ) - and - N N - 1/2 * ( ( p + q ) - ( p - q ) ). - - (Which one corresponds to the probability the parity will be 1 - depends on whether N is odd or even.) - - Since p + q = 1 and p - q = 2e, these expressions reduce to - - N - 1/2 * [1 + (2e) ] - and - N - 1/2 * [1 - (2e) ]. - - Neither of these will ever be exactly 0.5 unless e is zero, but we - can bring them arbitrarily close to 0.5. If we want the - probabilities to be within some delta d of 0.5, i.e. then - - N - ( 0.5 + ( 0.5 * (2e) ) ) < 0.5 + d. - - - - - - -Eastlake, Crocker & Schiller [Page 11] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - Solving for N yields N > log(2d)/log(2e). (Note that 2e is less than - 1, so its log is negative. Division by a negative number reverses - the sense of an inequality.) 
- - The following table gives the length of the string which must be - sampled for various degrees of skew in order to come within 0.001 of - a 50/50 distribution. - - +---------+--------+-------+ - | Prob(1) | e | N | - +---------+--------+-------+ - | 0.5 | 0.00 | 1 | - | 0.6 | 0.10 | 4 | - | 0.7 | 0.20 | 7 | - | 0.8 | 0.30 | 13 | - | 0.9 | 0.40 | 28 | - | 0.95 | 0.45 | 59 | - | 0.99 | 0.49 | 308 | - +---------+--------+-------+ - - The last entry shows that even if the distribution is skewed 99% in - favor of ones, the parity of a string of 308 samples will be within - 0.001 of a 50/50 distribution. - -5.2.2 Using Transition Mappings to De-Skew - - Another technique, originally due to von Neumann [VON NEUMANN], is to - examine a bit stream as a sequence of non-overlapping pairs. You - could then discard any 00 or 11 pairs found, interpret 01 as a 0 and - 10 as a 1. Assume the probability of a 1 is 0.5+e and the - probability of a 0 is 0.5-e where e is the eccentricity of the source - and described in the previous section. Then the probability of each - pair is as follows: - - +------+-----------------------------------------+ - | pair | probability | - +------+-----------------------------------------+ - | 00 | (0.5 - e)^2 = 0.25 - e + e^2 | - | 01 | (0.5 - e)*(0.5 + e) = 0.25 - e^2 | - | 10 | (0.5 + e)*(0.5 - e) = 0.25 - e^2 | - | 11 | (0.5 + e)^2 = 0.25 + e + e^2 | - +------+-----------------------------------------+ - - This technique will completely eliminate any bias but at the expense - of taking an indeterminate number of input bits for any particular - desired number of output bits. The probability of any particular - pair being discarded is 0.5 + 2e^2 so the expected number of input - bits to produce X output bits is X/(0.25 - e^2). 
- - - -Eastlake, Crocker & Schiller [Page 12] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - This technique assumes that the bits are from a stream where each bit - has the same probability of being a 0 or 1 as any other bit in the - stream and that bits are not correlated, i.e., that the bits are - identical independent distributions. If alternate bits were from two - correlated sources, for example, the above analysis breaks down. - - The above technique also provides another illustration of how a - simple statistical analysis can mislead if one is not always on the - lookout for patterns that could be exploited by an adversary. If the - algorithm were mis-read slightly so that overlapping successive bits - pairs were used instead of non-overlapping pairs, the statistical - analysis given is the same; however, instead of provided an unbiased - uncorrelated series of random 1's and 0's, it instead produces a - totally predictable sequence of exactly alternating 1's and 0's. - -5.2.3 Using FFT to De-Skew - - When real world data consists of strongly biased or correlated bits, - it may still contain useful amounts of randomness. This randomness - can be extracted through use of the discrete Fourier transform or its - optimized variant, the FFT. - - Using the Fourier transform of the data, strong correlations can be - discarded. If adequate data is processed and remaining correlations - decay, spectral lines approaching statistical independence and - normally distributed randomness can be produced [BRILLINGER]. - -5.2.4 Using Compression to De-Skew - - Reversible compression techniques also provide a crude method of de- - skewing a skewed bit stream. This follows directly from the - definition of reversible compression and the formula in Section 2 - above for the amount of information in a sequence. 
Since the - compression is reversible, the same amount of information must be - present in the shorter output than was present in the longer input. - By the Shannon information equation, this is only possible if, on - average, the probabilities of the different shorter sequences are - more uniformly distributed than were the probabilities of the longer - sequences. Thus the shorter sequences are de-skewed relative to the - input. - - However, many compression techniques add a somewhat predicatable - preface to their output stream and may insert such a sequence again - periodically in their output or otherwise introduce subtle patterns - of their own. They should be considered only a rough technique - compared with those described above or in Section 6.1.2. At a - minimum, the beginning of the compressed sequence should be skipped - and only later bits used for applications requiring random bits. - - - -Eastlake, Crocker & Schiller [Page 13] - -RFC 1750 Randomness Recommendations for Security December 1994 - - -5.3 Existing Hardware Can Be Used For Randomness - - As described below, many computers come with hardware that can, with - care, be used to generate truly random quantities. - -5.3.1 Using Existing Sound/Video Input - - Increasingly computers are being built with inputs that digitize some - real world analog source, such as sound from a microphone or video - input from a camera. Under appropriate circumstances, such input can - provide reasonably high quality random bits. The "input" from a - sound digitizer with no source plugged in or a camera with the lens - cap on, if the system has enough gain to detect anything, is - essentially thermal noise. - - For example, on a SPARCstation, one can read from the /dev/audio - device with nothing plugged into the microphone jack. Such data is - essentially random noise although it should not be trusted without - some checking in case of hardware failure. 
It will, in any case, - need to be de-skewed as described elsewhere. - - Combining this with compression to de-skew one can, in UNIXese, - generate a huge amount of medium quality random data by doing - - cat /dev/audio | compress - >random-bits-file - -5.3.2 Using Existing Disk Drives - - Disk drives have small random fluctuations in their rotational speed - due to chaotic air turbulence [DAVIS]. By adding low level disk seek - time instrumentation to a system, a series of measurements can be - obtained that include this randomness. Such data is usually highly - correlated so that significant processing is needed, including FFT - (see section 5.2.3). Nevertheless experimentation has shown that, - with such processing, disk drives easily produce 100 bits a minute or - more of excellent random data. - - Partly offsetting this need for processing is the fact that disk - drive failure will normally be rapidly noticed. Thus, problems with - this method of random number generation due to hardware failure are - very unlikely. - -6. Recommended Non-Hardware Strategy - - What is the best overall strategy for meeting the requirement for - unguessable random numbers in the absence of a reliable hardware - source? It is to obtain random input from a large number of - uncorrelated sources and to mix them with a strong mixing function. - - - -Eastlake, Crocker & Schiller [Page 14] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - Such a function will preserve the randomness present in any of the - sources even if other quantities being combined are fixed or easily - guessable. This may be advisable even with a good hardware source as - hardware can also fail, though this should be weighed against any - increase in the chance of overall failure due to added software - complexity. 
- -6.1 Mixing Functions - - A strong mixing function is one which combines two or more inputs and - produces an output where each output bit is a different complex non- - linear function of all the input bits. On average, changing any - input bit will change about half the output bits. But because the - relationship is complex and non-linear, no particular output bit is - guaranteed to change when any particular input bit is changed. - - Consider the problem of converting a stream of bits that is skewed - towards 0 or 1 to a shorter stream which is more random, as discussed - in Section 5.2 above. This is simply another case where a strong - mixing function is desired, mixing the input bits to produce a - smaller number of output bits. The technique given in Section 5.2.1 - of using the parity of a number of bits is simply the result of - successively Exclusive Or'ing them which is examined as a trivial - mixing function immediately below. Use of stronger mixing functions - to extract more of the randomness in a stream of skewed bits is - examined in Section 6.1.2. - -6.1.1 A Trivial Mixing Function - - A trivial example for single bit inputs is the Exclusive Or function, - which is equivalent to addition without carry, as show in the table - below. This is a degenerate case in which the one output bit always - changes for a change in either input bit. But, despite its - simplicity, it will still provide a useful illustration. - - +-----------+-----------+----------+ - | input 1 | input 2 | output | - +-----------+-----------+----------+ - | 0 | 0 | 0 | - | 0 | 1 | 1 | - | 1 | 0 | 1 | - | 1 | 1 | 0 | - +-----------+-----------+----------+ - - If inputs 1 and 2 are uncorrelated and combined in this fashion then - the output will be an even better (less skewed) random bit than the - inputs. 
If we assume an "eccentricity" e as defined in Section 5.2 - above, then the output eccentricity relates to the input eccentricity - - - -Eastlake, Crocker & Schiller [Page 15] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - as follows: - - e = 2 * e * e - output input 1 input 2 - - Since e is never greater than 1/2, the eccentricity is always - improved except in the case where at least one input is a totally - skewed constant. This is illustrated in the following table where - the top and left side values are the two input eccentricities and the - entries are the output eccentricity: - - +--------+--------+--------+--------+--------+--------+--------+ - | e | 0.00 | 0.10 | 0.20 | 0.30 | 0.40 | 0.50 | - +--------+--------+--------+--------+--------+--------+--------+ - | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | - | 0.10 | 0.00 | 0.02 | 0.04 | 0.06 | 0.08 | 0.10 | - | 0.20 | 0.00 | 0.04 | 0.08 | 0.12 | 0.16 | 0.20 | - | 0.30 | 0.00 | 0.06 | 0.12 | 0.18 | 0.24 | 0.30 | - | 0.40 | 0.00 | 0.08 | 0.16 | 0.24 | 0.32 | 0.40 | - | 0.50 | 0.00 | 0.10 | 0.20 | 0.30 | 0.40 | 0.50 | - +--------+--------+--------+--------+--------+--------+--------+ - - However, keep in mind that the above calculations assume that the - inputs are not correlated. If the inputs were, say, the parity of - the number of minutes from midnight on two clocks accurate to a few - seconds, then each might appear random if sampled at random intervals - much longer than a minute. Yet if they were both sampled and - combined with xor, the result would be zero most of the time. - -6.1.2 Stronger Mixing Functions - - The US Government Data Encryption Standard [DES] is an example of a - strong mixing function for multiple bit quantities. It takes up to - 120 bits of input (64 bits of "data" and 56 bits of "key") and - produces 64 bits of output each of which is dependent on a complex - non-linear function of all input bits. 
Other strong encryption - functions with this characteristic can also be used by considering - them to mix all of their key and data input bits. - - Another good family of mixing functions are the "message digest" or - hashing functions such as The US Government Secure Hash Standard - [SHS] and the MD2, MD4, MD5 [MD2, MD4, MD5] series. These functions - all take an arbitrary amount of input and produce an output mixing - all the input bits. The MD* series produce 128 bits of output and SHS - produces 160 bits. - - - - - - -Eastlake, Crocker & Schiller [Page 16] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - Although the message digest functions are designed for variable - amounts of input, DES and other encryption functions can also be used - to combine any number of inputs. If 64 bits of output is adequate, - the inputs can be packed into a 64 bit data quantity and successive - 56 bit keys, padding with zeros if needed, which are then used to - successively encrypt using DES in Electronic Codebook Mode [DES - MODES]. If more than 64 bits of output are needed, use more complex - mixing. For example, if inputs are packed into three quantities, A, - B, and C, use DES to encrypt A with B as a key and then with C as a - key to produce the 1st part of the output, then encrypt B with C and - then A for more output and, if necessary, encrypt C with A and then B - for yet more output. Still more output can be produced by reversing - the order of the keys given above to stretch things. The same can be - done with the hash functions by hashing various subsets of the input - data to produce multiple outputs. But keep in mind that it is - impossible to get more bits of "randomness" out than are put in. - - An example of using a strong mixing function would be to reconsider - the case of a string of 308 bits each of which is biased 99% towards - zero. 
The parity technique given in Section 5.2.1 above reduced this - to one bit with only a 1/1000 deviance from being equally likely a - zero or one. But, applying the equation for information given in - Section 2, this 308 bit sequence has 5 bits of information in it. - Thus hashing it with SHS or MD5 and taking the bottom 5 bits of the - result would yield 5 unbiased random bits as opposed to the single - bit given by calculating the parity of the string. - -6.1.3 Diffie-Hellman as a Mixing Function - - Diffie-Hellman exponential key exchange is a technique that yields a - shared secret between two parties that can be made computationally - infeasible for a third party to determine even if they can observe - all the messages between the two communicating parties. This shared - secret is a mixture of initial quantities generated by each of them - [D-H]. If these initial quantities are random, then the shared - secret contains the combined randomness of them both, assuming they - are uncorrelated. - -6.1.4 Using a Mixing Function to Stretch Random Bits - - While it is not necessary for a mixing function to produce the same - or fewer bits than its inputs, mixing bits cannot "stretch" the - amount of random unpredictability present in the inputs. Thus four - inputs of 32 bits each where there is 12 bits worth of - unpredicatability (such as 4,096 equally probable values) in each - input cannot produce more than 48 bits worth of unpredictable output. - The output can be expanded to hundreds or thousands of bits by, for - example, mixing with successive integers, but the clever adversary's - - - -Eastlake, Crocker & Schiller [Page 17] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - search space is still 2^48 possibilities. Furthermore, mixing to - fewer bits than are input will tend to strengthen the randomness of - the output the way using Exclusive Or to produce one bit from two did - above. 
- - The last table in Section 6.1.1 shows that mixing a random bit with a - constant bit with Exclusive Or will produce a random bit. While this - is true, it does not provide a way to "stretch" one random bit into - more than one. If, for example, a random bit is mixed with a 0 and - then with a 1, this produces a two bit sequence but it will always be - either 01 or 10. Since there are only two possible values, there is - still only the one bit of original randomness. - -6.1.5 Other Factors in Choosing a Mixing Function - - For local use, DES has the advantages that it has been widely tested - for flaws, is widely documented, and is widely implemented with - hardware and software implementations available all over the world - including source code available by anonymous FTP. The SHS and MD* - family are younger algorithms which have been less tested but there - is no particular reason to believe they are flawed. Both MD5 and SHS - were derived from the earlier MD4 algorithm. They all have source - code available by anonymous FTP [SHS, MD2, MD4, MD5]. - - DES and SHS have been vouched for the the US National Security Agency - (NSA) on the basis of criteria that primarily remain secret. While - this is the cause of much speculation and doubt, investigation of DES - over the years has indicated that NSA involvement in modifications to - its design, which originated with IBM, was primarily to strengthen - it. No concealed or special weakness has been found in DES. It is - almost certain that the NSA modification to MD4 to produce the SHS - similarly strengthened the algorithm, possibly against threats not - yet known in the public cryptographic community. - - DES, SHS, MD4, and MD5 are royalty free for all purposes. MD2 has - been freely licensed only for non-profit use in connection with - Privacy Enhanced Mail [PEM]. 
Between the MD* algorithms, some people - believe that, as with "Goldilocks and the Three Bears", MD2 is strong - but too slow, MD4 is fast but too weak, and MD5 is just right. - - Another advantage of the MD* or similar hashing algorithms over - encryption algorithms is that they are not subject to the same - regulations imposed by the US Government prohibiting the unlicensed - export or import of encryption/decryption software and hardware. The - same should be true of DES rigged to produce an irreversible hash - code but most DES packages are oriented to reversible encryption. - - - - - -Eastlake, Crocker & Schiller [Page 18] - -RFC 1750 Randomness Recommendations for Security December 1994 - - -6.2 Non-Hardware Sources of Randomness - - The best source of input for mixing would be a hardware randomness - such as disk drive timing affected by air turbulence, audio input - with thermal noise, or radioactive decay. However, if that is not - available there are other possibilities. These include system - clocks, system or input/output buffers, user/system/hardware/network - serial numbers and/or addresses and timing, and user input. - Unfortunately, any of these sources can produce limited or - predicatable values under some circumstances. - - Some of the sources listed above would be quite strong on multi-user - systems where, in essence, each user of the system is a source of - randomness. However, on a small single user system, such as a - typical IBM PC or Apple Macintosh, it might be possible for an - adversary to assemble a similar configuration. This could give the - adversary inputs to the mixing process that were sufficiently - correlated to those used originally as to make exhaustive search - practical. - - The use of multiple random inputs with a strong mixing function is - recommended and can overcome weakness in any particular input. 
For - example, the timing and content of requested "random" user keystrokes - can yield hundreds of random bits but conservative assumptions need - to be made. For example, assuming a few bits of randomness if the - inter-keystroke interval is unique in the sequence up to that point - and a similar assumption if the key hit is unique but assuming that - no bits of randomness are present in the initial key value or if the - timing or key value duplicate previous values. The results of mixing - these timings and characters typed could be further combined with - clock values and other inputs. - - This strategy may make practical portable code to produce good random - numbers for security even if some of the inputs are very weak on some - of the target systems. However, it may still fail against a high - grade attack on small single user systems, especially if the - adversary has ever been able to observe the generation process in the - past. A hardware based random source is still preferable. - -6.3 Cryptographically Strong Sequences - - In cases where a series of random quantities must be generated, an - adversary may learn some values in the sequence. In general, they - should not be able to predict other values from the ones that they - know. - - - - - - -Eastlake, Crocker & Schiller [Page 19] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - The correct technique is to start with a strong random seed, take - cryptographically strong steps from that seed [CRYPTO2, CRYPTO3], and - do not reveal the complete state of the generator in the sequence - elements. If each value in the sequence can be calculated in a fixed - way from the previous value, then when any value is compromised, all - future values can be determined. This would be the case, for - example, if each value were a constant function of the previously - used values, even if the function were a very strong, non-invertible - message digest function. 
- - It should be noted that if your technique for generating a sequence - of key values is fast enough, it can trivially be used as the basis - for a confidentiality system. If two parties use the same sequence - generating technique and start with the same seed material, they will - generate identical sequences. These could, for example, be xor'ed at - one end with data being send, encrypting it, and xor'ed with this - data as received, decrypting it due to the reversible properties of - the xor operation. - -6.3.1 Traditional Strong Sequences - - A traditional way to achieve a strong sequence has been to have the - values be produced by hashing the quantities produced by - concatenating the seed with successive integers or the like and then - mask the values obtained so as to limit the amount of generator state - available to the adversary. - - It may also be possible to use an "encryption" algorithm with a - random key and seed value to encrypt and feedback some or all of the - output encrypted value into the value to be encrypted for the next - iteration. Appropriate feedback techniques will usually be - recommended with the encryption algorithm. An example is shown below - where shifting and masking are used to combine the cypher output - feedback. This type of feedback is recommended by the US Government - in connection with DES [DES MODES]. 
- - - - - - - - - - - - - - - - -Eastlake, Crocker & Schiller [Page 20] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - +---------------+ - | V | - | | n | - +--+------------+ - | | +---------+ - | +---------> | | +-----+ - +--+ | Encrypt | <--- | Key | - | +-------- | | +-----+ - | | +---------+ - V V - +------------+--+ - | V | | - | n+1 | - +---------------+ - - Note that if a shift of one is used, this is the same as the shift - register technique described in Section 3 above but with the all - important difference that the feedback is determined by a complex - non-linear function of all bits rather than a simple linear or - polynomial combination of output from a few bit position taps. - - It has been shown by Donald W. Davies that this sort of shifted - partial output feedback significantly weakens an algorithm compared - will feeding all of the output bits back as input. In particular, - for DES, repeated encrypting a full 64 bit quantity will give an - expected repeat in about 2^63 iterations. Feeding back anything less - than 64 (and more than 0) bits will give an expected repeat in - between 2**31 and 2**32 iterations! - - To predict values of a sequence from others when the sequence was - generated by these techniques is equivalent to breaking the - cryptosystem or inverting the "non-invertible" hashing involved with - only partial information available. The less information revealed - each iteration, the harder it will be for an adversary to predict the - sequence. Thus it is best to use only one bit from each value. It - has been shown that in some cases this makes it impossible to break a - system even when the cryptographic system is invertible and can be - broken if all of each generated value was revealed. - -6.3.2 The Blum Blum Shub Sequence Generator - - Currently the generator which has the strongest public proof of - strength is called the Blum Blum Shub generator after its inventors - [BBS]. 
It is also very simple and is based on quadratic residues. - It's only disadvantage is that is is computationally intensive - compared with the traditional techniques give in 6.3.1 above. This - is not a serious draw back if it is used for moderately infrequent - purposes, such as generating session keys. - - - -Eastlake, Crocker & Schiller [Page 21] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - Simply choose two large prime numbers, say p and q, which both have - the property that you get a remainder of 3 if you divide them by 4. - Let n = p * q. Then you choose a random number x relatively prime to - n. The initial seed for the generator and the method for calculating - subsequent values are then - - 2 - s = ( x )(Mod n) - 0 - - 2 - s = ( s )(Mod n) - i+1 i - - You must be careful to use only a few bits from the bottom of each s. - It is always safe to use only the lowest order bit. If you use no - more than the - - log ( log ( s ) ) - 2 2 i - - low order bits, then predicting any additional bits from a sequence - generated in this manner is provable as hard as factoring n. As long - as the initial x is secret, you can even make n public if you want. - - An intersting characteristic of this generator is that you can - directly calculate any of the s values. In particular - - i - ( ( 2 )(Mod (( p - 1 ) * ( q - 1 )) ) ) - s = ( s )(Mod n) - i 0 - - This means that in applications where many keys are generated in this - fashion, it is not necessary to save them all. Each key can be - effectively indexed and recovered from that small index and the - initial s and n. - -7. Key Generation Standards - - Several public standards are now in place for the generation of keys. - Two of these are described below. Both use DES but any equally - strong or stronger mixing function could be substituted. 
- - - - - - - - -Eastlake, Crocker & Schiller [Page 22] - -RFC 1750 Randomness Recommendations for Security December 1994 - - -7.1 US DoD Recommendations for Password Generation - - The United States Department of Defense has specific recommendations - for password generation [DoD]. They suggest using the US Data - Encryption Standard [DES] in Output Feedback Mode [DES MODES] as - follows: - - use an initialization vector determined from - the system clock, - system ID, - user ID, and - date and time; - use a key determined from - system interrupt registers, - system status registers, and - system counters; and, - as plain text, use an external randomly generated 64 bit - quantity such as 8 characters typed in by a system - administrator. - - The password can then be calculated from the 64 bit "cipher text" - generated in 64-bit Output Feedback Mode. As many bits as are needed - can be taken from these 64 bits and expanded into a pronounceable - word, phrase, or other format if a human being needs to remember the - password. - -7.2 X9.17 Key Generation - - The American National Standards Institute has specified a method for - generating a sequence of keys as follows: - - s is the initial 64 bit seed - 0 - - g is the sequence of generated 64 bit key quantities - n - - k is a random key reserved for generating this key sequence - - t is the time at which a key is generated to as fine a resolution - as is available (up to 64 bits). - - DES ( K, Q ) is the DES encryption of quantity Q with key K - - - - - - - - -Eastlake, Crocker & Schiller [Page 23] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - g = DES ( k, DES ( k, t ) .xor. s ) - n n - - s = DES ( k, DES ( k, t ) .xor. g ) - n+1 n - - If g sub n is to be used as a DES key, then every eighth bit should - be adjusted for parity for that use but the entire 64 bit unmodified - g should be used in calculating the next s. - -8. 
Examples of Randomness Required - - Below are two examples showing rough calculations of needed - randomness for security. The first is for moderate security - passwords while the second assumes a need for a very high security - cryptographic key. - -8.1 Password Generation - - Assume that user passwords change once a year and it is desired that - the probability that an adversary could guess the password for a - particular account be less than one in a thousand. Further assume - that sending a password to the system is the only way to try a - password. Then the crucial question is how often an adversary can - try possibilities. Assume that delays have been introduced into a - system so that, at most, an adversary can make one password try every - six seconds. That's 600 per hour or about 15,000 per day or about - 5,000,000 tries in a year. Assuming any sort of monitoring, it is - unlikely someone could actually try continuously for a year. In - fact, even if log files are only checked monthly, 500,000 tries is - more plausible before the attack is noticed and steps taken to change - passwords and make it harder to try more passwords. - - To have a one in a thousand chance of guessing the password in - 500,000 tries implies a universe of at least 500,000,000 passwords or - about 2^29. Thus 29 bits of randomness are needed. This can probably - be achieved using the US DoD recommended inputs for password - generation as it has 8 inputs which probably average over 5 bits of - randomness each (see section 7.1). Using a list of 1000 words, the - password could be expressed as a three word phrase (1,000,000,000 - possibilities) or, using case insensitive letters and digits, six - would suffice ((26+10)^6 = 2,176,782,336 possibilities). - - For a higher security password, the number of bits required goes up. - To decrease the probability by 1,000 requires increasing the universe - of passwords by the same factor which adds about 10 bits. 
Thus to - have only a one in a million chance of a password being guessed under - the above scenario would require 39 bits of randomness and a password - - - -Eastlake, Crocker & Schiller [Page 24] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - that was a four word phrase from a 1000 word list or eight - letters/digits. To go to a one in 10^9 chance, 49 bits of randomness - are needed implying a five word phrase or ten letter/digit password. - - In a real system, of course, there are also other factors. For - example, the larger and harder to remember passwords are, the more - likely users are to write them down resulting in an additional risk - of compromise. - -8.2 A Very High Security Cryptographic Key - - Assume that a very high security key is needed for symmetric - encryption / decryption between two parties. Assume an adversary can - observe communications and knows the algorithm being used. Within - the field of random possibilities, the adversary can try key values - in hopes of finding the one in use. Assume further that brute force - trial of keys is the best the adversary can do. - -8.2.1 Effort per Key Trial - - How much effort will it take to try each key? For very high security - applications it is best to assume a low value of effort. Even if it - would clearly take tens of thousands of computer cycles or more to - try a single key, there may be some pattern that enables huge blocks - of key values to be tested with much less effort per key. Thus it is - probably best to assume no more than a couple hundred cycles per key. - (There is no clear lower bound on this as computers operate in - parallel on a number of bits and a poor encryption algorithm could - allow many keys or even groups of keys to be tested in parallel. - However, we need to assume some value and can hope that a reasonably - strong algorithm has been chosen for our hypothetical high security - task.) 
- - If the adversary can command a highly parallel processor or a large - network of work stations, 2*10^10 cycles per second is probably a - minimum assumption for availability today. Looking forward just a - couple years, there should be at least an order of magnitude - improvement. Thus assuming 10^9 keys could be checked per second or - 3.6*10^11 per hour or 6*10^13 per week or 2.4*10^14 per month is - reasonable. This implies a need for a minimum of 51 bits of - randomness in keys to be sure they cannot be found in a month. Even - then it is possible that, a few years from now, a highly determined - and resourceful adversary could break the key in 2 weeks (on average - they need try only half the keys). - - - - - - - -Eastlake, Crocker & Schiller [Page 25] - -RFC 1750 Randomness Recommendations for Security December 1994 - - -8.2.2 Meet in the Middle Attacks - - If chosen or known plain text and the resulting encrypted text are - available, a "meet in the middle" attack is possible if the structure - of the encryption algorithm allows it. (In a known plain text - attack, the adversary knows all or part of the messages being - encrypted, possibly some standard header or trailer fields. In a - chosen plain text attack, the adversary can force some chosen plain - text to be encrypted, possibly by "leaking" an exciting text that - would then be sent by the adversary over an encrypted channel.) - - An oversimplified explanation of the meet in the middle attack is as - follows: the adversary can half-encrypt the known or chosen plain - text with all possible first half-keys, sort the output, then half- - decrypt the encoded text with all the second half-keys. If a match - is found, the full key can be assembled from the halves and used to - decrypt other parts of the message or other messages. At its best, - this type of attack can halve the exponent of the work required by - the adversary while adding a large but roughly constant factor of - effort. 
To be assured of safety against this, a doubling of the - amount of randomness in the key to a minimum of 102 bits is required. - - The meet in the middle attack assumes that the cryptographic - algorithm can be decomposed in this way but we can not rule that out - without a deep knowledge of the algorithm. Even if a basic algorithm - is not subject to a meet in the middle attack, an attempt to produce - a stronger algorithm by applying the basic algorithm twice (or two - different algorithms sequentially) with different keys may gain less - added security than would be expected. Such a composite algorithm - would be subject to a meet in the middle attack. - - Enormous resources may be required to mount a meet in the middle - attack but they are probably within the range of the national - security services of a major nation. Essentially all nations spy on - other nations government traffic and several nations are believed to - spy on commercial traffic for economic advantage. - -8.2.3 Other Considerations - - Since we have not even considered the possibilities of special - purpose code breaking hardware or just how much of a safety margin we - want beyond our assumptions above, probably a good minimum for a very - high security cryptographic key is 128 bits of randomness which - implies a minimum key length of 128 bits. If the two parties agree - on a key by Diffie-Hellman exchange [D-H], then in principle only - half of this randomness would have to be supplied by each party. - However, there is probably some correlation between their random - inputs so it is probably best to assume that each party needs to - - - -Eastlake, Crocker & Schiller [Page 26] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - provide at least 96 bits worth of randomness for very high security - if Diffie-Hellman is used. 
- - This amount of randomness is beyond the limit of that in the inputs - recommended by the US DoD for password generation and could require - user typing timing, hardware random number generation, or other - sources. - - It should be noted that key length calculations such at those above - are controversial and depend on various assumptions about the - cryptographic algorithms in use. In some cases, a professional with - a deep knowledge of code breaking techniques and of the strength of - the algorithm in use could be satisfied with less than half of the - key size derived above. - -9. Conclusion - - Generation of unguessable "random" secret quantities for security use - is an essential but difficult task. - - We have shown that hardware techniques to produce such randomness - would be relatively simple. In particular, the volume and quality - would not need to be high and existing computer hardware, such as - disk drives, can be used. Computational techniques are available to - process low quality random quantities from multiple sources or a - larger quantity of such low quality input from one source and produce - a smaller quantity of higher quality, less predictable key material. - In the absence of hardware sources of randomness, a variety of user - and software sources can frequently be used instead with care; - however, most modern systems already have hardware, such as disk - drives or audio input, that could be used to produce high quality - randomness. - - Once a sufficient quantity of high quality seed key material (a few - hundred bits) is available, strong computational techniques are - available to produce cryptographically strong sequences of - unpredicatable quantities from this seed material. - -10. Security Considerations - - The entirety of this document concerns techniques and recommendations - for generating unguessable "random" quantities for use as passwords, - cryptographic keys, and similar security uses. 
- - - - - - - - -Eastlake, Crocker & Schiller [Page 27] - -RFC 1750 Randomness Recommendations for Security December 1994 - - -References - - [ASYMMETRIC] - Secure Communications and Asymmetric Cryptosystems, - edited by Gustavus J. Simmons, AAAS Selected Symposium 69, Westview - Press, Inc. - - [BBS] - A Simple Unpredictable Pseudo-Random Number Generator, SIAM - Journal on Computing, v. 15, n. 2, 1986, L. Blum, M. Blum, & M. Shub. - - [BRILLINGER] - Time Series: Data Analysis and Theory, Holden-Day, - 1981, David Brillinger. - - [CRC] - C.R.C. Standard Mathematical Tables, Chemical Rubber - Publishing Company. - - [CRYPTO1] - Cryptography: A Primer, A Wiley-Interscience Publication, - John Wiley & Sons, 1981, Alan G. Konheim. - - [CRYPTO2] - Cryptography: A New Dimension in Computer Data Security, - A Wiley-Interscience Publication, John Wiley & Sons, 1982, Carl H. - Meyer & Stephen M. Matyas. - - [CRYPTO3] - Applied Cryptography: Protocols, Algorithms, and Source - Code in C, John Wiley & Sons, 1994, Bruce Schneier. - - [DAVIS] - Cryptographic Randomness from Air Turbulence in Disk - Drives, Advances in Cryptology - Crypto '94, Springer-Verlag Lecture - Notes in Computer Science #839, 1984, Don Davis, Ross Ihaka, and - Philip Fenstermacher. - - [DES] - Data Encryption Standard, United States of America, - Department of Commerce, National Institute of Standards and - Technology, Federal Information Processing Standard (FIPS) 46-1. - - Data Encryption Algorithm, American National Standards Institute, - ANSI X3.92-1981. - (See also FIPS 112, Password Usage, which includes FORTRAN code for - performing DES.) - - [DES MODES] - DES Modes of Operation, United States of America, - Department of Commerce, National Institute of Standards and - Technology, Federal Information Processing Standard (FIPS) 81. - - Data Encryption Algorithm - Modes of Operation, American National - Standards Institute, ANSI X3.106-1983. 
- - [D-H] - New Directions in Cryptography, IEEE Transactions on - Information Technology, November, 1976, Whitfield Diffie and Martin - E. Hellman. - - - - -Eastlake, Crocker & Schiller [Page 28] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - [DoD] - Password Management Guideline, United States of America, - Department of Defense, Computer Security Center, CSC-STD-002-85. - (See also FIPS 112, Password Usage, which incorporates CSC-STD-002-85 - as one of its appendices.) - - [GIFFORD] - Natural Random Number, MIT/LCS/TM-371, September 1988, - David K. Gifford - - [KNUTH] - The Art of Computer Programming, Volume 2: Seminumerical - Algorithms, Chapter 3: Random Numbers. Addison Wesley Publishing - Company, Second Edition 1982, Donald E. Knuth. - - [KRAWCZYK] - How to Predict Congruential Generators, Journal of - Algorithms, V. 13, N. 4, December 1992, H. Krawczyk - - [MD2] - The MD2 Message-Digest Algorithm, RFC1319, April 1992, B. - Kaliski - [MD4] - The MD4 Message-Digest Algorithm, RFC1320, April 1992, R. - Rivest - [MD5] - The MD5 Message-Digest Algorithm, RFC1321, April 1992, R. - Rivest - - [PEM] - RFCs 1421 through 1424: - - RFC 1424, Privacy Enhancement for Internet Electronic Mail: Part - IV: Key Certification and Related Services, 02/10/1993, B. Kaliski - - RFC 1423, Privacy Enhancement for Internet Electronic Mail: Part - III: Algorithms, Modes, and Identifiers, 02/10/1993, D. Balenson - - RFC 1422, Privacy Enhancement for Internet Electronic Mail: Part - II: Certificate-Based Key Management, 02/10/1993, S. Kent - - RFC 1421, Privacy Enhancement for Internet Electronic Mail: Part I: - Message Encryption and Authentication Procedures, 02/10/1993, J. Linn - - [SHANNON] - The Mathematical Theory of Communication, University of - Illinois Press, 1963, Claude E. Shannon. 
(originally from: Bell - System Technical Journal, July and October 1948) - - [SHIFT1] - Shift Register Sequences, Aegean Park Press, Revised - Edition 1982, Solomon W. Golomb. - - [SHIFT2] - Cryptanalysis of Shift-Register Generated Stream Cypher - Systems, Aegean Park Press, 1984, Wayne G. Barker. - - [SHS] - Secure Hash Standard, United States of American, National - Institute of Science and Technology, Federal Information Processing - Standard (FIPS) 180, April 1993. - - [STERN] - Secret Linear Congruential Generators are not - Cryptograhically Secure, Proceedings of IEEE STOC, 1987, J. Stern. - - - -Eastlake, Crocker & Schiller [Page 29] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - [VON NEUMANN] - Various techniques used in connection with random - digits, von Neumann's Collected Works, Vol. 5, Pergamon Press, 1963, - J. von Neumann. - -Authors' Addresses - - Donald E. Eastlake 3rd - Digital Equipment Corporation - 550 King Street, LKG2-1/BB3 - Littleton, MA 01460 - - Phone: +1 508 486 6577(w) +1 508 287 4877(h) - EMail: dee@lkg.dec.com - - - Stephen D. Crocker - CyberCash Inc. - 2086 Hunters Crest Way - Vienna, VA 22181 - - Phone: +1 703-620-1222(w) +1 703-391-2651 (fax) - EMail: crocker@cybercash.com - - - Jeffrey I. Schiller - Massachusetts Institute of Technology - 77 Massachusetts Avenue - Cambridge, MA 02139 - - Phone: +1 617 253 0161(w) - EMail: jis@mit.edu - - - - - - - - - - - - - - - - - - - - -Eastlake, Crocker & Schiller [Page 30] -
diff --git a/crypto/heimdal-0.6.3/doc/standardisation/rfc1831.txt b/crypto/heimdal-0.6.3/doc/standardisation/rfc1831.txt
deleted file mode 100644
index 0556c9e83f..0000000000
--- a/crypto/heimdal-0.6.3/doc/standardisation/rfc1831.txt
+++ /dev/null
@@ -1,1011 +0,0 @@ - - - - - - -Network Working Group R. Srinivasan -Request for Comments: 1831 Sun Microsystems -Category: Standards Track August 1995 - - - RPC: Remote Procedure Call Protocol Specification Version 2 - -Status of this Memo - - This document specifies an Internet standards track protocol for the - Internet community, and requests discussion and suggestions for - improvements. Please refer to the current edition of the "Internet - Official Protocol Standards" (STD 1) for the standardization state - and status of this protocol. Distribution of this memo is unlimited. - -ABSTRACT - - This document describes the ONC Remote Procedure Call (ONC RPC - Version 2) protocol as it is currently deployed and accepted. "ONC" - stands for "Open Network Computing". - -TABLE OF CONTENTS - - 1. INTRODUCTION 2 - 2. TERMINOLOGY 2 - 3. THE RPC MODEL 2 - 4. TRANSPORTS AND SEMANTICS 4 - 5. BINDING AND RENDEZVOUS INDEPENDENCE 5 - 6. AUTHENTICATION 5 - 7. RPC PROTOCOL REQUIREMENTS 5 - 7.1 RPC Programs and Procedures 6 - 7.2 Authentication 7 - 7.3 Program Number Assignment 8 - 7.4 Other Uses of the RPC Protocol 8 - 7.4.1 Batching 8 - 7.4.2 Broadcast Remote Procedure Calls 8 - 8. THE RPC MESSAGE PROTOCOL 9 - 9. AUTHENTICATION PROTOCOLS 12 - 9.1 Null Authentication 13 - 10. RECORD MARKING STANDARD 13 - 11. THE RPC LANGUAGE 13 - 11.1 An Example Service Described in the RPC Language 13 - 11.2 The RPC Language Specification 14 - 11.3 Syntax Notes 15 - APPENDIX A: SYSTEM AUTHENTICATION 16 - REFERENCES 17 - Security Considerations 18 - Author's Address 18 - - - -Srinivasan Standards Track [Page 1] - -RFC 1831 Remote Procedure Call Protocol Version 2 August 1995 - - -1. INTRODUCTION - - This document specifies version two of the message protocol used in - ONC Remote Procedure Call (RPC). The message protocol is specified - with the eXternal Data Representation (XDR) language [9]. This - document assumes that the reader is familiar with XDR. 
It does not - attempt to justify remote procedure calls systems or describe their - use. The paper by Birrell and Nelson [1] is recommended as an - excellent background for the remote procedure call concept. - -2. TERMINOLOGY - - This document discusses clients, calls, servers, replies, services, - programs, procedures, and versions. Each remote procedure call has - two sides: an active client side that makes the call to a server, - which sends back a reply. A network service is a collection of one - or more remote programs. A remote program implements one or more - remote procedures; the procedures, their parameters, and results are - documented in the specific program's protocol specification. A - server may support more than one version of a remote program in order - to be compatible with changing protocols. - - For example, a network file service may be composed of two programs. - One program may deal with high-level applications such as file system - access control and locking. The other may deal with low-level file - input and output and have procedures like "read" and "write". A - client of the network file service would call the procedures - associated with the two programs of the service on behalf of the - client. - - The terms client and server only apply to a particular transaction; a - particular hardware entity (host) or software entity (process or - program) could operate in both roles at different times. For - example, a program that supplies remote execution service could also - be a client of a network file service. - -3. THE RPC MODEL - - The ONC RPC protocol is based on the remote procedure call model, - which is similar to the local procedure call model. In the local - case, the caller places arguments to a procedure in some well- - specified location (such as a register window). It then transfers - control to the procedure, and eventually regains control. 
At that - point, the results of the procedure are extracted from the well- - specified location, and the caller continues execution. - - - - - - -Srinivasan Standards Track [Page 2] - -RFC 1831 Remote Procedure Call Protocol Version 2 August 1995 - - - The remote procedure call model is similar. One thread of control - logically winds through two processes: the caller's process, and a - server's process. The caller process first sends a call message to - the server process and waits (blocks) for a reply message. The call - message includes the procedure's parameters, and the reply message - includes the procedure's results. Once the reply message is - received, the results of the procedure are extracted, and caller's - execution is resumed. - - On the server side, a process is dormant awaiting the arrival of a - call message. When one arrives, the server process extracts the - procedure's parameters, computes the results, sends a reply message, - and then awaits the next call message. - - In this model, only one of the two processes is active at any given - time. However, this model is only given as an example. The ONC RPC - protocol makes no restrictions on the concurrency model implemented, - and others are possible. For example, an implementation may choose - to have RPC calls be asynchronous, so that the client may do useful - work while waiting for the reply from the server. Another - possibility is to have the server create a separate task to process - an incoming call, so that the original server can be free to receive - other requests. - - There are a few important ways in which remote procedure calls differ - from local procedure calls: - - 1. Error handling: failures of the remote server or network must - be handled when using remote procedure calls. - - 2. Global variables and side-effects: since the server does not - have access to the client's address space, hidden arguments cannot - be passed as global variables or returned as side effects. - - 3. 
Performance: remote procedures usually operate one or more - orders of magnitude slower than local procedure calls. - - 4. Authentication: since remote procedure calls can be transported - over unsecured networks, authentication may be necessary. - Authentication prevents one entity from masquerading as some other - entity. - - The conclusion is that even though there are tools to automatically - generate client and server libraries for a given service, protocols - must still be designed carefully. - - - - - - -Srinivasan Standards Track [Page 3] - -RFC 1831 Remote Procedure Call Protocol Version 2 August 1995 - - -4. TRANSPORTS AND SEMANTICS - - The RPC protocol can be implemented on several different transport - protocols. The RPC protocol does not care how a message is passed - from one process to another, but only with specification and - interpretation of messages. However, the application may wish to - obtain information about (and perhaps control over) the transport - layer through an interface not specified in this document. For - example, the transport protocol may impose a restriction on the - maximum size of RPC messages, or it may be stream-oriented like TCP - with no size limit. The client and server must agree on their - transport protocol choices. - - It is important to point out that RPC does not try to implement any - kind of reliability and that the application may need to be aware of - the type of transport protocol underneath RPC. If it knows it is - running on top of a reliable transport such as TCP [6], then most of - the work is already done for it. On the other hand, if it is running - on top of an unreliable transport such as UDP [7], it must implement - its own time-out, retransmission, and duplicate detection policies as - the RPC protocol does not provide these services. - - Because of transport independence, the RPC protocol does not attach - specific semantics to the remote procedures or their execution - requirements. 
Semantics can be inferred from (but should be - explicitly specified by) the underlying transport protocol. For - example, consider RPC running on top of an unreliable transport such - as UDP. If an application retransmits RPC call messages after time- - outs, and does not receive a reply, it cannot infer anything about - the number of times the procedure was executed. If it does receive a - reply, then it can infer that the procedure was executed at least - once. - - A server may wish to remember previously granted requests from a - client and not regrant them in order to insure some degree of - execute-at-most-once semantics. A server can do this by taking - advantage of the transaction ID that is packaged with every RPC - message. The main use of this transaction ID is by the client RPC - entity in matching replies to calls. However, a client application - may choose to reuse its previous transaction ID when retransmitting a - call. The server may choose to remember this ID after executing a - call and not execute calls with the same ID in order to achieve some - degree of execute-at-most-once semantics. The server is not allowed - to examine this ID in any other way except as a test for equality. - - On the other hand, if using a "reliable" transport such as TCP, the - application can infer from a reply message that the procedure was - executed exactly once, but if it receives no reply message, it cannot - - - -Srinivasan Standards Track [Page 4] - -RFC 1831 Remote Procedure Call Protocol Version 2 August 1995 - - - assume that the remote procedure was not executed. Note that even if - a connection-oriented protocol like TCP is used, an application still - needs time-outs and reconnection to handle server crashes. - - There are other possibilities for transports besides datagram- or - connection-oriented protocols. For example, a request-reply protocol - such as VMTP [2] is perhaps a natural transport for RPC. 
ONC RPC - uses both TCP and UDP transport protocols. Section 10 (RECORD - MARKING STANDARD) describes the mechanism employed by ONC RPC to - utilize a connection-oriented, stream-oriented transport such as TCP. - -5. BINDING AND RENDEZVOUS INDEPENDENCE - - The act of binding a particular client to a particular service and - transport parameters is NOT part of this RPC protocol specification. - This important and necessary function is left up to some higher-level - software. - - Implementors could think of the RPC protocol as the jump-subroutine - instruction ("JSR") of a network; the loader (binder) makes JSR - useful, and the loader itself uses JSR to accomplish its task. - Likewise, the binding software makes RPC useful, possibly using RPC - to accomplish this task. - -6. AUTHENTICATION - - The RPC protocol provides the fields necessary for a client to - identify itself to a service, and vice-versa, in each call and reply - message. Security and access control mechanisms can be built on top - of this message authentication. Several different authentication - protocols can be supported. A field in the RPC header indicates - which protocol is being used. More information on specific - authentication protocols is in section 9: "Authentication Protocols". - -7. RPC PROTOCOL REQUIREMENTS - - The RPC protocol must provide for the following: - - (1) Unique specification of a procedure to be called. - (2) Provisions for matching response messages to request messages. - (3) Provisions for authenticating the caller to service and - vice-versa. - - - - - - - - - -Srinivasan Standards Track [Page 5] - -RFC 1831 Remote Procedure Call Protocol Version 2 August 1995 - - - Besides these requirements, features that detect the following are - worth supporting because of protocol roll-over errors, implementation - bugs, user error, and network administration: - - (1) RPC protocol mismatches. - (2) Remote program protocol version mismatches. 
- (3) Protocol errors (such as misspecification of a procedure's - parameters). - (4) Reasons why remote authentication failed. - (5) Any other reasons why the desired procedure was not called. - -7.1 RPC Programs and Procedures - - The RPC call message has three unsigned integer fields -- remote - program number, remote program version number, and remote procedure - number -- which uniquely identify the procedure to be called. - Program numbers are administered by a central authority - (rpc@sun.com). Once implementors have a program number, they can - implement their remote program; the first implementation would most - likely have the version number 1. Because most new protocols evolve, - a version field of the call message identifies which version of the - protocol the caller is using. Version numbers enable support of both - old and new protocols through the same server process. - - The procedure number identifies the procedure to be called. These - numbers are documented in the specific program's protocol - specification. For example, a file service's protocol specification - may state that its procedure number 5 is "read" and procedure number - 12 is "write". - - Just as remote program protocols may change over several versions, - the actual RPC message protocol could also change. Therefore, the - call message also has in it the RPC version number, which is always - equal to two for the version of RPC described here. - - The reply message to a request message has enough information to - distinguish the following error conditions: - - (1) The remote implementation of RPC does not support protocol - version 2. The lowest and highest supported RPC version numbers - are returned. - - (2) The remote program is not available on the remote system. - - (3) The remote program does not support the requested version - number. The lowest and highest supported remote program version - numbers are returned. 
- - - - -Srinivasan Standards Track [Page 6] - -RFC 1831 Remote Procedure Call Protocol Version 2 August 1995 - - - (4) The requested procedure number does not exist. (This is - usually a client side protocol or programming error.) - - (5) The parameters to the remote procedure appear to be garbage - from the server's point of view. (Again, this is usually caused - by a disagreement about the protocol between client and service.) - -7.2 Authentication - - Provisions for authentication of caller to service and vice-versa are - provided as a part of the RPC protocol. The call message has two - authentication fields, the credential and verifier. The reply - message has one authentication field, the response verifier. The RPC - protocol specification defines all three fields to be the following - opaque type (in the eXternal Data Representation (XDR) language [9]): - - enum auth_flavor { - AUTH_NONE = 0, - AUTH_SYS = 1, - AUTH_SHORT = 2 - /* and more to be defined */ - }; - - struct opaque_auth { - auth_flavor flavor; - opaque body<400>; - }; - - In other words, any "opaque_auth" structure is an "auth_flavor" - enumeration followed by up to 400 bytes which are opaque to - (uninterpreted by) the RPC protocol implementation. - - The interpretation and semantics of the data contained within the - authentication fields is specified by individual, independent - authentication protocol specifications. (Section 9 defines the - various authentication protocols.) - - If authentication parameters were rejected, the reply message - contains information stating why they were rejected. 
- - - - - - - - - - - - -Srinivasan Standards Track [Page 7] - -RFC 1831 Remote Procedure Call Protocol Version 2 August 1995 - - -7.3 Program Number Assignment - - Program numbers are given out in groups of hexadecimal 20000000 - (decimal 536870912) according to the following chart: - - 0 - 1fffffff defined by rpc@sun.com - 20000000 - 3fffffff defined by user - 40000000 - 5fffffff transient - 60000000 - 7fffffff reserved - 80000000 - 9fffffff reserved - a0000000 - bfffffff reserved - c0000000 - dfffffff reserved - e0000000 - ffffffff reserved - - The first group is a range of numbers administered by rpc@sun.com and - should be identical for all sites. The second range is for - applications peculiar to a particular site. This range is intended - primarily for debugging new programs. When a site develops an - application that might be of general interest, that application - should be given an assigned number in the first range. Application - developers may apply for blocks of RPC program numbers in the first - range by sending electronic mail to "rpc@sun.com". The third group - is for applications that generate program numbers dynamically. The - final groups are reserved for future use, and should not be used. - -7.4 Other Uses of the RPC Protocol - - The intended use of this protocol is for calling remote procedures. - Normally, each call message is matched with a reply message. - However, the protocol itself is a message-passing protocol with which - other (non-procedure call) protocols can be implemented. - -7.4.1 Batching - - Batching is useful when a client wishes to send an arbitrarily large - sequence of call messages to a server. Batching typically uses - reliable byte stream protocols (like TCP) for its transport. In the - case of batching, the client never waits for a reply from the server, - and the server does not send replies to batch calls. 
A sequence of - batch calls is usually terminated by a legitimate remote procedure - call operation in order to flush the pipeline and get positive - acknowledgement. - -7.4.2 Broadcast Remote Procedure Calls - - In broadcast protocols, the client sends a broadcast call to the - network and waits for numerous replies. This requires the use of - packet-based protocols (like UDP) as its transport protocol. Servers - - - -Srinivasan Standards Track [Page 8] - -RFC 1831 Remote Procedure Call Protocol Version 2 August 1995 - - - that support broadcast protocols usually respond only when the call - is successfully processed and are silent in the face of errors, but - this varies with the application. - - The principles of broadcast RPC also apply to multicasting - an RPC - request can be sent to a multicast address. - -8. THE RPC MESSAGE PROTOCOL - - This section defines the RPC message protocol in the XDR data - description language [9]. - - enum msg_type { - CALL = 0, - REPLY = 1 - }; - - A reply to a call message can take on two forms: The message was - either accepted or rejected. - - enum reply_stat { - MSG_ACCEPTED = 0, - MSG_DENIED = 1 - }; - - Given that a call message was accepted, the following is the status - of an attempt to call a remote procedure. 
- - enum accept_stat { - SUCCESS = 0, /* RPC executed successfully */ - PROG_UNAVAIL = 1, /* remote hasn't exported program */ - PROG_MISMATCH = 2, /* remote can't support version # */ - PROC_UNAVAIL = 3, /* program can't support procedure */ - GARBAGE_ARGS = 4, /* procedure can't decode params */ - SYSTEM_ERR = 5 /* errors like memory allocation failure */ - }; - - Reasons why a call message was rejected: - - enum reject_stat { - RPC_MISMATCH = 0, /* RPC version number != 2 */ - AUTH_ERROR = 1 /* remote can't authenticate caller */ - }; - - Why authentication failed: - - enum auth_stat { - AUTH_OK = 0, /* success */ - - - -Srinivasan Standards Track [Page 9] - -RFC 1831 Remote Procedure Call Protocol Version 2 August 1995 - - - /* - * failed at remote end - */ - AUTH_BADCRED = 1, /* bad credential (seal broken) */ - AUTH_REJECTEDCRED = 2, /* client must begin new session */ - AUTH_BADVERF = 3, /* bad verifier (seal broken) */ - AUTH_REJECTEDVERF = 4, /* verifier expired or replayed */ - AUTH_TOOWEAK = 5, /* rejected for security reasons */ - /* - * failed locally - */ - AUTH_INVALIDRESP = 6, /* bogus response verifier */ - AUTH_FAILED = 7 /* reason unknown */ - }; - - The RPC message: - - All messages start with a transaction identifier, xid, followed by a - two-armed discriminated union. The union's discriminant is a - msg_type which switches to one of the two types of the message. The - xid of a REPLY message always matches that of the initiating CALL - message. NB: The xid field is only used for clients matching reply - messages with call messages or for servers detecting retransmissions; - the service side cannot treat this id as any type of sequence number. - - struct rpc_msg { - unsigned int xid; - union switch (msg_type mtype) { - case CALL: - call_body cbody; - case REPLY: - reply_body rbody; - } body; - }; - - Body of an RPC call: - - In version 2 of the RPC protocol specification, rpcvers must be equal - to 2. 
The fields prog, vers, and proc specify the remote program, - its version number, and the procedure within the remote program to be - called. After these fields are two authentication parameters: cred - (authentication credential) and verf (authentication verifier). The - two authentication parameters are followed by the parameters to the - remote procedure, which are specified by the specific program - protocol. - - The purpose of the authentication verifier is to validate the - authentication credential. Note that these two items are - - - -Srinivasan Standards Track [Page 10] - -RFC 1831 Remote Procedure Call Protocol Version 2 August 1995 - - - historically separate, but are always used together as one logical - entity. - - struct call_body { - unsigned int rpcvers; /* must be equal to two (2) */ - unsigned int prog; - unsigned int vers; - unsigned int proc; - opaque_auth cred; - opaque_auth verf; - /* procedure specific parameters start here */ - }; - - Body of a reply to an RPC call: - - union reply_body switch (reply_stat stat) { - case MSG_ACCEPTED: - accepted_reply areply; - case MSG_DENIED: - rejected_reply rreply; - } reply; - - Reply to an RPC call that was accepted by the server: - - There could be an error even though the call was accepted. The first - field is an authentication verifier that the server generates in - order to validate itself to the client. It is followed by a union - whose discriminant is an enum accept_stat. The SUCCESS arm of the - union is protocol specific. The PROG_UNAVAIL, PROC_UNAVAIL, - GARBAGE_ARGS, and SYSTEM_ERR arms of the union are void. The - PROG_MISMATCH arm specifies the lowest and highest version numbers of - the remote program supported by the server. 
- - struct accepted_reply { - opaque_auth verf; - union switch (accept_stat stat) { - case SUCCESS: - opaque results[0]; - /* - * procedure-specific results start here - */ - case PROG_MISMATCH: - struct { - unsigned int low; - unsigned int high; - } mismatch_info; - default: - /* - - - -Srinivasan Standards Track [Page 11] - -RFC 1831 Remote Procedure Call Protocol Version 2 August 1995 - - - * Void. Cases include PROG_UNAVAIL, PROC_UNAVAIL, - * GARBAGE_ARGS, and SYSTEM_ERR. - */ - void; - } reply_data; - }; - - Reply to an RPC call that was rejected by the server: - - The call can be rejected for two reasons: either the server is not - running a compatible version of the RPC protocol (RPC_MISMATCH), or - the server rejects the identity of the caller (AUTH_ERROR). In case - of an RPC version mismatch, the server returns the lowest and highest - supported RPC version numbers. In case of invalid authentication, - failure status is returned. - - union rejected_reply switch (reject_stat stat) { - case RPC_MISMATCH: - struct { - unsigned int low; - unsigned int high; - } mismatch_info; - case AUTH_ERROR: - auth_stat stat; - }; - -9. AUTHENTICATION PROTOCOLS - - As previously stated, authentication parameters are opaque, but - open-ended to the rest of the RPC protocol. This section defines two - standard "flavors" of authentication. Implementors are free to - invent new authentication types, with the same rules of flavor number - assignment as there is for program number assignment. The "flavor" - of a credential or verifier refers to the value of the "flavor" field - in the opaque_auth structure. Flavor numbers, like RPC program - numbers, are also administered centrally, and developers may assign - new flavor numbers by applying through electronic mail to - "rpc@sun.com". Credentials and verifiers are represented as variable - length opaque data (the "body" field in the opaque_auth structure). - - In this document, two flavors of authentication are described. 
Of - these, Null authentication (described in the next subsection) is - mandatory - it must be available in all implementations. System - authentication is described in Appendix A. It is strongly - recommended that implementors include System authentication in their - implementations. Many applications use this style of authentication, - and availability of this flavor in an implementation will enhance - interoperability. - - - -Srinivasan Standards Track [Page 12] - -RFC 1831 Remote Procedure Call Protocol Version 2 August 1995 - - -9.1 Null Authentication - - Often calls must be made where the client does not care about its - identity or the server does not care who the client is. In this - case, the flavor of the RPC message's credential, verifier, and reply - verifier is "AUTH_NONE". Opaque data associated with "AUTH_NONE" is - undefined. It is recommended that the length of the opaque data be - zero. - -10. RECORD MARKING STANDARD - - When RPC messages are passed on top of a byte stream transport - protocol (like TCP), it is necessary to delimit one message from - another in order to detect and possibly recover from protocol errors. - This is called record marking (RM). One RPC message fits into one RM - record. - - A record is composed of one or more record fragments. A record - fragment is a four-byte header followed by 0 to (2**31) - 1 bytes of - fragment data. The bytes encode an unsigned binary number; as with - XDR integers, the byte order is from highest to lowest. The number - encodes two values -- a boolean which indicates whether the fragment - is the last fragment of the record (bit value 1 implies the fragment - is the last fragment) and a 31-bit unsigned binary value which is the - length in bytes of the fragment's data. The boolean value is the - highest-order bit of the header; the length is the 31 low-order bits. - (Note that this record specification is NOT in XDR standard form!) - -11. 
THE RPC LANGUAGE - - Just as there was a need to describe the XDR data-types in a formal - language, there is also need to describe the procedures that operate - on these XDR data-types in a formal language as well. The RPC - Language is an extension to the XDR language, with the addition of - "program", "procedure", and "version" declarations. The following - example is used to describe the essence of the language. - -11.1 An Example Service Described in the RPC Language - - Here is an example of the specification of a simple ping program. - - program PING_PROG { - /* - * Latest and greatest version - */ - version PING_VERS_PINGBACK { - void - PINGPROC_NULL(void) = 0; - - - -Srinivasan Standards Track [Page 13] - -RFC 1831 Remote Procedure Call Protocol Version 2 August 1995 - - - /* - * Ping the client, return the round-trip time - * (in microseconds). Returns -1 if the operation - * timed out. - */ - int - PINGPROC_PINGBACK(void) = 1; - } = 2; - - /* - * Original version - */ - version PING_VERS_ORIG { - void - PINGPROC_NULL(void) = 0; - } = 1; - } = 1; - - const PING_VERS = 2; /* latest version */ - - The first version described is PING_VERS_PINGBACK with two - procedures, PINGPROC_NULL and PINGPROC_PINGBACK. PINGPROC_NULL takes - no arguments and returns no results, but it is useful for computing - round-trip times from the client to the server and back again. By - convention, procedure 0 of any RPC protocol should have the same - semantics, and never require any kind of authentication. The second - procedure is used for the client to have the server do a reverse ping - operation back to the client, and it returns the amount of time (in - microseconds) that the operation used. The next version, - PING_VERS_ORIG, is the original version of the protocol and it does - not contain PINGPROC_PINGBACK procedure. It is useful for - compatibility with old client programs, and as this program matures - it may be dropped from the protocol entirely. 
- -11.2 The RPC Language Specification - - The RPC language is identical to the XDR language defined in RFC - 1014, except for the added definition of a "program-def" described - below. - - program-def: - "program" identifier "{" - version-def - version-def * - "}" "=" constant ";" - - version-def: - "version" identifier "{" - - - -Srinivasan Standards Track [Page 14] - -RFC 1831 Remote Procedure Call Protocol Version 2 August 1995 - - - procedure-def - procedure-def * - "}" "=" constant ";" - - procedure-def: - type-specifier identifier "(" type-specifier - ("," type-specifier )* ")" "=" constant ";" - -11.3 Syntax Notes - - (1) The following keywords are added and cannot be used as - identifiers: "program" and "version"; - - (2) A version name cannot occur more than once within the scope of a - program definition. Nor can a version number occur more than once - within the scope of a program definition. - - (3) A procedure name cannot occur more than once within the scope of - a version definition. Nor can a procedure number occur more than once - within the scope of version definition. - - (4) Program identifiers are in the same name space as constant and - type identifiers. - - (5) Only unsigned constants can be assigned to programs, versions and - procedures. - - - - - - - - - - - - - - - - - - - - - - - - - -Srinivasan Standards Track [Page 15] - -RFC 1831 Remote Procedure Call Protocol Version 2 August 1995 - - -APPENDIX A: SYSTEM AUTHENTICATION - - The client may wish to identify itself, for example, as it is - identified on a UNIX(tm) system. The flavor of the client credential - is "AUTH_SYS". The opaque data constituting the credential encodes - the following structure: - - struct authsys_parms { - unsigned int stamp; - string machinename<255>; - unsigned int uid; - unsigned int gid; - unsigned int gids<16>; - }; - - The "stamp" is an arbitrary ID which the caller machine may generate. 
- The "machinename" is the name of the caller's machine (like - "krypton"). The "uid" is the caller's effective user ID. The "gid" - is the caller's effective group ID. The "gids" is a counted array of - groups which contain the caller as a member. The verifier - accompanying the credential should have "AUTH_NONE" flavor value - (defined above). Note this credential is only unique within a - particular domain of machine names, uids, and gids. - - The flavor value of the verifier received in the reply message from - the server may be "AUTH_NONE" or "AUTH_SHORT". In the case of - "AUTH_SHORT", the bytes of the reply verifier's string encode an - opaque structure. This new opaque structure may now be passed to the - server instead of the original "AUTH_SYS" flavor credential. The - server may keep a cache which maps shorthand opaque structures - (passed back by way of an "AUTH_SHORT" style reply verifier) to the - original credentials of the caller. The caller can save network - bandwidth and server cpu cycles by using the shorthand credential. - - The server may flush the shorthand opaque structure at any time. If - this happens, the remote procedure call message will be rejected due - to an authentication error. The reason for the failure will be - "AUTH_REJECTEDCRED". At this point, the client may wish to try the - original "AUTH_SYS" style of credential. - - It should be noted that use of this flavor of authentication does not - guarantee any security for the users or providers of a service, in - itself. The authentication provided by this scheme can be considered - legitimate only when applications using this scheme and the network - can be secured externally, and privileged transport addresses are - used for the communicating end-points (an example of this is the use - of privileged TCP/UDP ports in Unix systems - note that not all - systems enforce privileged transport address mechanisms). 
- - - -Srinivasan Standards Track [Page 16] - -RFC 1831 Remote Procedure Call Protocol Version 2 August 1995 - - -REFERENCES - - [1] Birrell, A. D. & Nelson, B. J., "Implementing Remote Procedure - Calls", XEROX CSL-83-7, October 1983. - - [2] Cheriton, D., "VMTP: Versatile Message Transaction Protocol", - Preliminary Version 0.3, Stanford University, January 1987. - - [3] Diffie & Hellman, "New Directions in Cryptography", IEEE - Transactions on Information Theory IT-22, November 1976. - - [4] Mills, D., "Network Time Protocol", RFC 1305, UDEL, - March 1992. - - [5] National Bureau of Standards, "Data Encryption Standard", - Federal Information Processing Standards Publication 46, January - 1977. - - [6] Postel, J., "Transmission Control Protocol - DARPA Internet - Program Protocol Specification", STD 7, RFC 793, USC/Information - Sciences Institute, September 1981. - - [7] Postel, J., "User Datagram Protocol", STD 6, RFC 768, - USC/Information Sciences Institute, August 1980. - - [8] Reynolds, J., and Postel, J., "Assigned Numbers", STD 2, - RFC 1700, USC/Information Sciences Institute, October 1994. - - [9] Srinivasan, R., "XDR: External Data Representation Standard", - RFC 1832, Sun Microsystems, Inc., August 1995. - - [10] Miller, S., Neuman, C., Schiller, J., and J. Saltzer, "Section - E.2.1: Kerberos Authentication and Authorization System", - M.I.T. Project Athena, Cambridge, Massachusetts, December 21, - 1987. - - [11] Steiner, J., Neuman, C., and J. Schiller, "Kerberos: An - Authentication Service for Open Network Systems", pp. 191-202 in - Usenix Conference Proceedings, Dallas, Texas, February 1988. - - [12] Kohl, J. and C. Neuman, "The Kerberos Network Authentication - Service (V5)", RFC 1510, Digital Equipment Corporation, - USC/Information Sciences Institute, September 1993. 
- - - - - - - - -Srinivasan Standards Track [Page 17] - -RFC 1831 Remote Procedure Call Protocol Version 2 August 1995 - - -Security Considerations - - Security issues are not discussed in this memo. - -Author's Address - - Raj Srinivasan - Sun Microsystems, Inc. - ONC Technologies - 2550 Garcia Avenue - M/S MTV-5-40 - Mountain View, CA 94043 - USA - - Phone: 415-336-2478 - Fax: 415-336-6015 - EMail: raj@eng.sun.com - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Srinivasan Standards Track [Page 18] - diff --git a/crypto/heimdal-0.6.3/doc/standardisation/rfc1964.txt b/crypto/heimdal-0.6.3/doc/standardisation/rfc1964.txt deleted file mode 100644 index f2960b961d..0000000000 --- a/crypto/heimdal-0.6.3/doc/standardisation/rfc1964.txt +++ /dev/null 
@@ -1,1123 +0,0 @@
-
-
-
-
-
-
-Network Working Group J. Linn
-Request for Comments: 1964 OpenVision Technologies
-Category: Standards Track June 1996
-
-
- The Kerberos Version 5 GSS-API Mechanism
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-ABSTRACT
-
- This specification defines protocols, procedures, and conventions to
- be employed by peers implementing the Generic Security Service
- Application Program Interface (as specified in RFCs 1508 and 1509)
- when using Kerberos Version 5 technology (as specified in RFC 1510).
-
-ACKNOWLEDGMENTS
-
- Much of the material in this memo is based on working documents
- drafted by John Wray of Digital Equipment Corporation and on
- discussions, implementation activities, and interoperability testing
- involving Marc Horowitz, Ted Ts'o, and John Wray. Particular thanks
- are due to each of these individuals for their contributions towards
- development and availability of GSS-API support within the Kerberos
- Version 5 code base.
-
-1. Token Formats
-
- This section discusses protocol-visible characteristics of the GSS-
- API mechanism to be implemented atop Kerberos V5 security technology
- per RFC-1508 and RFC-1510; it defines elements of protocol for
- interoperability and is independent of language bindings per RFC-
- 1509.
-
- Tokens transferred between GSS-API peers (for security context
- management and per-message protection purposes) are defined. The
- data elements exchanged between a GSS-API endpoint implementation and
- the Kerberos KDC are not specific to GSS-API usage and are therefore
- defined within RFC-1510 rather than within this specification.
- - - - - - -Linn Standards Track [Page 1] - -RFC 1964 Kerberos Version 5 GSS-API June 1996 - - - To support ongoing experimentation, testing, and evolution of the - specification, the Kerberos V5 GSS-API mechanism as defined in this - and any successor memos will be identified with the following Object - Identifier, as defined in RFC-1510, until the specification is - advanced to the level of Proposed Standard RFC: - - {iso(1), org(3), dod(5), internet(1), security(5), kerberosv5(2)} - - Upon advancement to the level of Proposed Standard RFC, the Kerberos - V5 GSS-API mechanism will be identified by an Object Identifier - having the value: - - {iso(1) member-body(2) United States(840) mit(113554) infosys(1) - gssapi(2) krb5(2)} - -1.1. Context Establishment Tokens - - Per RFC-1508, Appendix B, the initial context establishment token - will be enclosed within framing as follows: - - InitialContextToken ::= - [APPLICATION 0] IMPLICIT SEQUENCE { - thisMech MechType - -- MechType is OBJECT IDENTIFIER - -- representing "Kerberos V5" - innerContextToken ANY DEFINED BY thisMech - -- contents mechanism-specific; - -- ASN.1 usage within innerContextToken - -- is not required - } - - The innerContextToken of the initial context token will consist of a - Kerberos V5 KRB_AP_REQ message, preceded by a two-byte token-id - (TOK_ID) field, which shall contain the value 01 00. - - The above GSS-API framing shall be applied to all tokens emitted by - the Kerberos V5 GSS-API mechanism, including KRB_AP_REP, KRB_ERROR, - context-deletion, and per-message tokens, not just to the initial - token in a context establishment sequence. While not required by - RFC-1508, this enables implementations to perform enhanced error- - checking. 
The innerContextToken field of context establishment tokens - for the Kerberos V5 GSS-API mechanism will contain a Kerberos message - (KRB_AP_REQ, KRB_AP_REP or KRB_ERROR), preceded by a 2-byte TOK_ID - field containing 01 00 for KRB_AP_REQ messages, 02 00 for KRB_AP_REP - messages and 03 00 for KRB_ERROR messages. - - - - - - -Linn Standards Track [Page 2] - -RFC 1964 Kerberos Version 5 GSS-API June 1996 - - -1.1.1. Initial Token - - Relevant KRB_AP_REQ syntax (from RFC-1510) is as follows: - - AP-REQ ::= [APPLICATION 14] SEQUENCE { - pvno [0] INTEGER, -- indicates Version 5 - msg-type [1] INTEGER, -- indicates KRB_AP_REQ - ap-options[2] APOptions, - ticket[3] Ticket, - authenticator[4] EncryptedData - } - - APOptions ::= BIT STRING { - reserved (0), - use-session-key (1), - mutual-required (2) - } - - Ticket ::= [APPLICATION 1] SEQUENCE { - tkt-vno [0] INTEGER, -- indicates Version 5 - realm [1] Realm, - sname [2] PrincipalName, - enc-part [3] EncryptedData - } - - -- Encrypted part of ticket - EncTicketPart ::= [APPLICATION 3] SEQUENCE { - flags[0] TicketFlags, - key[1] EncryptionKey, - crealm[2] Realm, - cname[3] PrincipalName, - transited[4] TransitedEncoding, - authtime[5] KerberosTime, - starttime[6] KerberosTime OPTIONAL, - endtime[7] KerberosTime, - renew-till[8] KerberosTime OPTIONAL, - caddr[9] HostAddresses OPTIONAL, - authorization-data[10] AuthorizationData OPTIONAL - } - - -- Unencrypted authenticator - Authenticator ::= [APPLICATION 2] SEQUENCE { - authenticator-vno[0] INTEGER, - crealm[1] Realm, - cname[2] PrincipalName, - cksum[3] Checksum OPTIONAL, - cusec[4] INTEGER, - ctime[5] KerberosTime, - - - -Linn Standards Track [Page 3] - -RFC 1964 Kerberos Version 5 GSS-API June 1996 - - - subkey[6] EncryptionKey OPTIONAL, - seq-number[7] INTEGER OPTIONAL, - authorization-data[8] AuthorizationData OPTIONAL - } - - For purposes of this specification, the authenticator shall include - the optional sequence number, and the checksum field shall be used to - 
convey channel binding, service flags, and optional delegation - information. The checksum will have a type of 0x8003 (a value being - registered within the Kerberos protocol specification), and a value - field of at least 24 bytes in length. The length of the value field - is extended beyond 24 bytes if and only if an optional facility to - carry a Kerberos-defined KRB_CRED message for delegation purposes is - supported by an implementation and active on a context. When - delegation is active, a TGT with its FORWARDABLE flag set will be - transferred within the KRB_CRED message. - - The checksum value field's format is as follows: - - Byte Name Description - 0..3 Lgth Number of bytes in Bnd field; - Currently contains hex 10 00 00 00 - (16, represented in little-endian form) - 4..19 Bnd MD5 hash of channel bindings, taken over all non-null - components of bindings, in order of declaration. - Integer fields within channel bindings are represented - in little-endian order for the purposes of the MD5 - calculation. - 20..23 Flags Bit vector of context-establishment flags, - with values consistent with RFC-1509, p. 41: - GSS_C_DELEG_FLAG: 1 - GSS_C_MUTUAL_FLAG: 2 - GSS_C_REPLAY_FLAG: 4 - GSS_C_SEQUENCE_FLAG: 8 - GSS_C_CONF_FLAG: 16 - GSS_C_INTEG_FLAG: 32 - The resulting bit vector is encoded into bytes 20..23 - in little-endian form. - 24..25 DlgOpt The Delegation Option identifier (=1) [optional] - 26..27 Dlgth The length of the Deleg field. [optional] - 28..n Deleg A KRB_CRED message (n = Dlgth + 29) [optional] - - In computing the contents of the "Bnd" field, the following detailed - points apply: - - (1) Each integer field shall be formatted into four bytes, using - little-endian byte ordering, for purposes of MD5 hash - computation. 
- - - -Linn Standards Track [Page 4] - -RFC 1964 Kerberos Version 5 GSS-API June 1996 - - - (2) All input length fields within gss_buffer_desc elements of a - gss_channel_bindings_struct, even those which are zero-valued, - shall be included in the hash calculation; the value elements of - gss_buffer_desc elements shall be dereferenced, and the - resulting data shall be included within the hash computation, - only for the case of gss_buffer_desc elements having non-zero - length specifiers. - - (3) If the caller passes the value GSS_C_NO_BINDINGS instead of - a valid channel bindings structure, the Bnd field shall be set - to 16 zero-valued bytes. - - In the initial Kerberos V5 GSS-API mechanism token (KRB_AP_REQ token) - from initiator to target, the GSS_C_DELEG_FLAG, GSS_C_MUTUAL_FLAG, - GSS_C_REPLAY_FLAG, and GSS_C_SEQUENCE_FLAG values shall each be set - as the logical AND of the initiator's corresponding request flag to - GSS_Init_sec_context() and a Boolean indicator of whether that - optional service is available to GSS_Init_sec_context()'s caller. - GSS_C_CONF_FLAG and GSS_C_INTEG_FLAG, for which no corresponding - context-level input indicator flags to GSS_Init_sec_context() exist, - shall each be set to indicate whether their respective per-message - protection services are available for use on the context being - established. - - When input source address channel binding values are provided by a - caller (i.e., unless the input argument is GSS_C_NO_BINDINGS or the - source address specifier value within the input structure is - GSS_C_NULL_ADDRTYPE), and the corresponding token received from the - context's peer bears address restrictions, it is recommended that an - implementation of the Kerberos V5 GSS-API mechanism should check that - the source address as provided by the caller matches that in the - received token, and should return the GSS_S_BAD_BINDINGS major_status - value if a mismatch is detected. 
Note: discussion is ongoing about - the strength of recommendation to be made in this area, and on the - circumstances under which such a recommendation should be applicable; - implementors are therefore advised that changes on this matter may be - included in subsequent versions of this specification. - -1.1.2. Response Tokens - - A context establishment sequence based on the Kerberos V5 mechanism - will perform one-way authentication (without confirmation or any - return token from target to initiator in response to the initiator's - KRB_AP_REQ) if the mutual_req bit is not set in the application's - call to GSS_Init_sec_context(). Applications requiring confirmation - that their authentication was successful should request mutual - authentication, resulting in a "mutual-required" indication within - KRB_AP_REQ APoptions and the setting of the mutual_req bit in the - - - -Linn Standards Track [Page 5] - -RFC 1964 Kerberos Version 5 GSS-API June 1996 - - - flags field of the authenticator checksum. In response to such a - request, the context target will reply to the initiator with a token - containing either a KRB_AP_REP or KRB_ERROR, completing the mutual - context establishment exchange. - - Relevant KRB_AP_REP syntax is as follows: - - AP-REP ::= [APPLICATION 15] SEQUENCE { - pvno [0] INTEGER, -- represents Kerberos V5 - msg-type [1] INTEGER, -- represents KRB_AP_REP - enc-part [2] EncryptedData - } - - EncAPRepPart ::= [APPLICATION 27] SEQUENCE { - ctime [0] KerberosTime, - cusec [1] INTEGER, - subkey [2] EncryptionKey OPTIONAL, - seq-number [3] INTEGER OPTIONAL - } - - The optional seq-number element within the AP-REP's EncAPRepPart - shall be included. 
- - The syntax of KRB_ERROR is as follows: - - KRB-ERROR ::= [APPLICATION 30] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - ctime[2] KerberosTime OPTIONAL, - cusec[3] INTEGER OPTIONAL, - stime[4] KerberosTime, - susec[5] INTEGER, - error-code[6] INTEGER, - crealm[7] Realm OPTIONAL, - cname[8] PrincipalName OPTIONAL, - realm[9] Realm, -- Correct realm - sname[10] PrincipalName, -- Correct name - e-text[11] GeneralString OPTIONAL, - e-data[12] OCTET STRING OPTIONAL - } - - Values to be transferred in the error-code field of a KRB-ERROR - message are defined in [RFC-1510], not in this specification. - - - - - - - - -Linn Standards Track [Page 6] - -RFC 1964 Kerberos Version 5 GSS-API June 1996 - - -1.2. Per-Message and Context Deletion Tokens - - Three classes of tokens are defined in this section: "MIC" tokens, - emitted by calls to GSS_GetMIC() (formerly GSS_Sign()) and consumed - by calls to GSS_VerifyMIC() (formerly GSS_Verify()), "Wrap" tokens, - emitted by calls to GSS_Wrap() (formerly GSS_Seal()) and consumed by - calls to GSS_Unwrap() (formerly GSS_Unseal()), and context deletion - tokens, emitted by calls to GSS_Delete_sec_context() and consumed by - calls to GSS_Process_context_token(). Note: References to GSS-API - per-message routines in the remainder of this specification will be - based on those routines' newer recommended names rather than those - names' predecessors. - - Several variants of cryptographic keys are used in generation and - processing of per-message tokens: - - (1) context key: uses Kerberos session key (or subkey, if - present in authenticator emitted by context initiator) directly - - (2) confidentiality key: forms variant of context key by - exclusive-OR with the hexadecimal constant f0f0f0f0f0f0f0f0. - - (3) MD2.5 seed key: forms variant of context key by reversing - the bytes of the context key (i.e. 
if the original key is the - 8-byte sequence {aa, bb, cc, dd, ee, ff, gg, hh}, the seed key - will be {hh, gg, ff, ee, dd, cc, bb, aa}). - -1.2.1. Per-message Tokens - MIC - -Use of the GSS_GetMIC() call yields a token, separate from the user -data being protected, which can be used to verify the integrity of -that data as received. The token has the following format: - - Byte no Name Description - 0..1 TOK_ID Identification field. - Tokens emitted by GSS_GetMIC() contain - the hex value 01 01 in this field. - 2..3 SGN_ALG Integrity algorithm indicator. - 00 00 - DES MAC MD5 - 01 00 - MD2.5 - 02 00 - DES MAC - 4..7 Filler Contains ff ff ff ff - 8..15 SND_SEQ Sequence number field. - 16..23 SGN_CKSUM Checksum of "to-be-signed data", - calculated according to algorithm - specified in SGN_ALG field. - - - - - -Linn Standards Track [Page 7] - -RFC 1964 Kerberos Version 5 GSS-API June 1996 - - - GSS-API tokens must be encapsulated within the higher-level protocol - by the application; no embedded length field is necessary. - -1.2.1.1. Checksum - - Checksum calculation procedure (common to all algorithms): Checksums - are calculated over the data field, logically prepended by the first - 8 bytes of the plaintext packet header. The resulting value binds - the data to the packet type and signature algorithm identifier - fields. - - DES MAC MD5 algorithm: The checksum is formed by computing an MD5 - [RFC-1321] hash over the plaintext data, and then computing a DES-CBC - MAC on the 16-byte MD5 result. A standard 64-bit DES-CBC MAC is - computed per [FIPS-PUB-113], employing the context key and a zero IV. - The 8-byte result is stored in the SGN_CKSUM field. - - MD2.5 algorithm: The checksum is formed by first DES-CBC encrypting a - 16-byte zero-block, using a zero IV and a key formed by reversing the - bytes of the context key (i.e. if the original key is the 8-byte - sequence {aa, bb, cc, dd, ee, ff, gg, hh}, the checksum key will be - {hh, gg, ff, ee, dd, cc, bb, aa}). 
The resulting 16-byte value is - logically prepended to the to-be-signed data. A standard MD5 - checksum is calculated over the combined data, and the first 8 bytes - of the result are stored in the SGN_CKSUM field. Note 1: we refer to - this algorithm informally as "MD2.5" to connote the fact that it uses - half of the 128 bits generated by MD5; use of only a subset of the - MD5 bits is intended to protect against the prospect that data could - be postfixed to an existing message with corresponding modifications - being made to the checksum. Note 2: This algorithm is fairly novel - and has received more limited evaluation than that to which other - integrity algorithms have been subjected. An initial, limited - evaluation indicates that it may be significantly weaker than DES MAC - MD5. - - DES-MAC algorithm: A standard 64-bit DES-CBC MAC is computed on the - plaintext data per [FIPS-PUB-113], employing the context key and a - zero IV. Padding procedures to accomodate plaintext data lengths - which may not be integral multiples of 8 bytes are defined in [FIPS- - PUB-113]. The result is an 8-byte value, which is stored in the - SGN_CKSUM field. Support for this algorithm may not be present in - all implementations. - -1.2.1.2. Sequence Number - - Sequence number field: The 8 byte plaintext sequence number field is - formed from the sender's four-byte sequence number as follows. If - the four bytes of the sender's sequence number are named s0, s1, s2 - - - -Linn Standards Track [Page 8] - -RFC 1964 Kerberos Version 5 GSS-API June 1996 - - - and s3 (from least to most significant), the plaintext sequence - number field is the 8 byte sequence: (s0, s1, s2, s3, di, di, di, - di), where 'di' is the direction-indicator (Hex 0 - sender is the - context initiator, Hex FF - sender is the context acceptor). The - field is then DES-CBC encrypted using the context key and an IV - formed from the first 8 bytes of the previously calculated SGN_CKSUM - field. 
After sending a GSS_GetMIC() or GSS_Wrap() token, the sender's - sequence number is incremented by one. - - The receiver of the token will first verify the SGN_CKSUM field. If - valid, the sequence number field may be decrypted and compared to the - expected sequence number. The repetition of the (effectively 1-bit) - direction indicator within the sequence number field provides - redundancy so that the receiver may verify that the decryption - succeeded. - - Since the checksum computation is used as an IV to the sequence - number decryption, attempts to splice a checksum and sequence number - from different messages will be detected. The direction indicator - will detect packets that have been maliciously reflected. - - The sequence number provides a basis for detection of replayed - tokens. Replay detection can be performed using state information - retained on received sequence numbers, interpreted in conjunction - with the security context on which they arrive. - - Provision of per-message replay and out-of-sequence detection - services is optional for implementations of the Kerberos V5 GSS-API - mechanism. Further, it is recommended that implementations of the - Kerberos V5 GSS-API mechanism which offer these services should honor - a caller's request that the services be disabled on a context. - Specifically, if replay_det_req_flag is input FALSE, replay_det_state - should be returned FALSE and the GSS_DUPLICATE_TOKEN and - GSS_OLD_TOKEN stati should not be indicated as a result of duplicate - detection when tokens are processed; if sequence_req_flag is input - FALSE, sequence_state should be returned FALSE and - GSS_DUPLICATE_TOKEN, GSS_OLD_TOKEN, and GSS_UNSEQ_TOKEN stati should - not be indicated as a result of out-of-sequence detection when tokens - are processed. - -1.2.2. 
Per-message Tokens - Wrap - - Use of the GSS_Wrap() call yields a token which encapsulates the - input user data (optionally encrypted) along with associated - integrity check quantities. The token emitted by GSS_Wrap() consists - of an integrity header whose format is identical to that emitted by - GSS_GetMIC() (except that the TOK_ID field contains the value 02 01), - followed by a body portion that contains either the plaintext data - - - -Linn Standards Track [Page 9] - -RFC 1964 Kerberos Version 5 GSS-API June 1996 - - - (if SEAL_ALG = ff ff) or encrypted data for any other supported value - of SEAL_ALG. Currently, only SEAL_ALG = 00 00 is supported, and - means that DES-CBC encryption is being used to protect the data. - - The GSS_Wrap() token has the following format: - - Byte no Name Description - 0..1 TOK_ID Identification field. - Tokens emitted by GSS_Wrap() contain - the hex value 02 01 in this field. - 2..3 SGN_ALG Checksum algorithm indicator. - 00 00 - DES MAC MD5 - 01 00 - MD2.5 - 02 00 - DES MAC - 4..5 SEAL_ALG ff ff - none - 00 00 - DES - 6..7 Filler Contains ff ff - 8..15 SND_SEQ Encrypted sequence number field. - 16..23 SGN_CKSUM Checksum of plaintext padded data, - calculated according to algorithm - specified in SGN_ALG field. - 24..last Data encrypted or plaintext padded data - - GSS-API tokens must be encapsulated within the higher-level protocol - by the application; no embedded length field is necessary. - -1.2.2.1. Checksum - - Checksum calculation procedure (common to all algorithms): Checksums - are calculated over the plaintext padded data field, logically - prepended by the first 8 bytes of the plaintext packet header. The - resulting signature binds the data to the packet type, protocol - version, and signature algorithm identifier fields. - - DES MAC MD5 algorithm: The checksum is formed by computing an MD5 - hash over the plaintext padded data, and then computing a DES-CBC MAC - on the 16-byte MD5 result. 
A standard 64-bit DES-CBC MAC is computed - per [FIPS-PUB-113], employing the context key and a zero IV. The 8- - byte result is stored in the SGN_CKSUM field. - - MD2.5 algorithm: The checksum is formed by first DES-CBC encrypting a - 16-byte zero-block, using a zero IV and a key formed by reversing the - bytes of the context key (i.e., if the original key is the 8-byte - sequence {aa, bb, cc, dd, ee, ff, gg, hh}, the checksum key will be - {hh, gg, ff, ee, dd, cc, bb, aa}). The resulting 16-byte value is - logically pre-pended to the "to-be-signed data". A standard MD5 - checksum is calculated over the combined data, and the first 8 bytes - of the result are stored in the SGN_CKSUM field. - - - -Linn Standards Track [Page 10] - -RFC 1964 Kerberos Version 5 GSS-API June 1996 - - - DES-MAC algorithm: A standard 64-bit DES-CBC MAC is computed on the - plaintext padded data per [FIPS-PUB-113], employing the context key - and a zero IV. The plaintext padded data is already assured to be an - integral multiple of 8 bytes; no additional padding is required or - applied in order to accomplish MAC calculation. The result is an 8- - byte value, which is stored in the SGN_CKSUM field. Support for this - lgorithm may not be present in all implementations. - -1.2.2.2. Sequence Number - - Sequence number field: The 8 byte plaintext sequence number field is - formed from the sender's four-byte sequence number as follows. If - the four bytes of the sender's sequence number are named s0, s1, s2 - and s3 (from least to most significant), the plaintext sequence - number field is the 8 byte sequence: (s0, s1, s2, s3, di, di, di, - di), where 'di' is the direction-indicator (Hex 0 - sender is the - context initiator, Hex FF - sender is the context acceptor). - - The field is then DES-CBC encrypted using the context key and an IV - formed from the first 8 bytes of the SEAL_CKSUM field. 
- - After sending a GSS_GetMIC() or GSS_Wrap() token, the sender's - sequence numbers are incremented by one. - -1.2.2.3. Padding - - Data padding: Before encryption and/or signature calculation, - plaintext data is padded to the next highest multiple of 8 bytes, by - appending between 1 and 8 bytes, the value of each such byte being - the total number of pad bytes. For example, given data of length 20 - bytes, four pad bytes will be appended, and each byte will contain - the hex value 04. An 8-byte random confounder is prepended to the - data, and signatures are calculated over the resulting padded - plaintext. - - After padding, the data is encrypted according to the algorithm - specified in the SEAL_ALG field. For SEAL_ALG=DES (the only non-null - algorithm currently supported), the data is encrypted using DES-CBC, - with an IV of zero. The key used is derived from the established - context key by XOR-ing the context key with the hexadecimal constant - f0f0f0f0f0f0f0f0. - -1.2.3. Context deletion token - - The token emitted by GSS_Delete_sec_context() is based on the packet - format for tokens emitted by GSS_GetMIC(). The context-deletion - token has the following format: - - - - -Linn Standards Track [Page 11] - -RFC 1964 Kerberos Version 5 GSS-API June 1996 - - - Byte no Name Description - 0..1 TOK_ID Identification field. - Tokens emitted by - GSS_Delete_sec_context() contain - the hex value 01 02 in this field. - 2..3 SGN_ALG Integrity algorithm indicator. - 00 00 - DES MAC MD5 - 01 00 - MD2.5 - 02 00 - DES MAC - 4..7 Filler Contains ff ff ff ff - 8..15 SND_SEQ Sequence number field. - 16..23 SGN_CKSUM Checksum of "to-be-signed data", - calculated according to algorithm - specified in SGN_ALG field. - - SGN_ALG and SND_SEQ will be calculated as for tokens emitted by - GSS_GetMIC(). The SGN_CKSUM will be calculated as for tokens emitted - by GSS_GetMIC(), except that the user-data component of the "to-be- - signed" data will be a zero-length string. - -2. 
Name Types and Object Identifiers - - This section discusses the name types which may be passed as input to - the Kerberos V5 GSS-API mechanism's GSS_Import_name() call, and their - associated identifier values. It defines interface elements in - support of portability, and assumes use of C language bindings per - RFC-1509. In addition to specifying OID values for name type - identifiers, symbolic names are included and recommended to GSS-API - implementors in the interests of convenience to callers. It is - understood that not all implementations of the Kerberos V5 GSS-API - mechanism need support all name types in this list, and that - additional name forms will likely be added to this list over time. - Further, the definitions of some or all name types may later migrate - to other, mechanism-independent, specifications. The occurrence of a - name type in this specification is specifically not intended to - suggest that the type may be supported only by an implementation of - the Kerberos V5 mechanism. In particular, the occurrence of the - string "_KRB5_" in the symbolic name strings constitutes a means to - unambiguously register the name strings, avoiding collision with - other documents; it is not meant to limit the name types' usage or - applicability. - - For purposes of clarification to GSS-API implementors, this section's - discussion of some name forms describes means through which those - forms can be supported with existing Kerberos technology. These - discussions are not intended to preclude alternative implementation - strategies for support of the name forms within Kerberos mechanisms - or mechanisms based on other technologies. To enhance application - - - -Linn Standards Track [Page 12] - -RFC 1964 Kerberos Version 5 GSS-API June 1996 - - - portability, implementors of mechanisms are encouraged to support - name forms as defined in this section, even if their mechanisms are - independent of Kerberos V5. - -2.1. 
Mandatory Name Forms - - This section discusses name forms which are to be supported by all - conformant implementations of the Kerberos V5 GSS-API mechanism. - -2.1.1. Kerberos Principal Name Form - - This name form shall be represented by the Object Identifier {iso(1) - member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) - krb5(2) krb5_name(1)}. The recommended symbolic name for this type - is "GSS_KRB5_NT_PRINCIPAL_NAME". - - This name type corresponds to the single-string representation of a - Kerberos name. (Within the MIT Kerberos V5 implementation, such - names are parseable with the krb5_parse_name() function.) The - elements included within this name representation are as follows, - proceeding from the beginning of the string: - - (1) One or more principal name components; if more than one - principal name component is included, the components are - separated by `/`. Arbitrary octets may be included within - principal name components, with the following constraints and - special considerations: - - (1a) Any occurrence of the characters `@` or `/` within a - name component must be immediately preceded by the `\` - quoting character, to prevent interpretation as a component - or realm separator. - - (1b) The ASCII newline, tab, backspace, and null characters - may occur directly within the component or may be - represented, respectively, by `\n`, `\t`, `\b`, or `\0`. - - (1c) If the `\` quoting character occurs outside the contexts - described in (1a) and (1b) above, the following character is - interpreted literally. As a special case, this allows the - doubled representation `\\` to represent a single occurrence - of the quoting character. - - (1d) An occurrence of the `\` quoting character as the last - character of a component is illegal. - - - - - - -Linn Standards Track [Page 13] - -RFC 1964 Kerberos Version 5 GSS-API June 1996 - - - (2) Optionally, a `@` character, signifying that a realm name - immediately follows. 
If no realm name element is included, the - local realm name is assumed. The `/` , `:`, and null characters - may not occur within a realm name; the `@`, newline, tab, and - backspace characters may be included using the quoting - conventions described in (1a), (1b), and (1c) above. - -2.1.2. Host-Based Service Name Form - - This name form has been incorporated at the mechanism-independent - GSS-API level as of GSS-API, Version 2. This subsection retains the - Object Identifier and symbolic name assignments previously made at - the Kerberos V5 GSS-API mechanism level, and adopts the definition as - promoted to the mechanism-independent level. - - This name form shall be represented by the Object Identifier {iso(1) - member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) - generic(1) service_name(4)}. The previously recommended symbolic - name for this type is "GSS_KRB5_NT_HOSTBASED_SERVICE_NAME". The - currently preferred symbolic name for this type is - "GSS_C_NT_HOSTBASED_SERVICE". - - This name type is used to represent services associated with host - computers. This name form is constructed using two elements, - "service" and "hostname", as follows: - - service@hostname - - When a reference to a name of this type is resolved, the "hostname" - is canonicalized by attempting a DNS lookup and using the fully- - qualified domain name which is returned, or by using the "hostname" - as provided if the DNS lookup fails. The canonicalization operation - also maps the host's name into lower-case characters. - - The "hostname" element may be omitted. If no "@" separator is - included, the entire name is interpreted as the service specifier, - with the "hostname" defaulted to the canonicalized name of the local - host. - - Values for the "service" element will be registered with the IANA. - -2.1.3. 
Exported Name Object Form for Kerberos V5 Mechanism - - Support for this name form is not required for GSS-V1 - implementations, but will be required for use in conjunction with the - GSS_Export_name() call planned for GSS-API Version 2. Use of this - name form will be signified by a "GSS-API Exported Name Object" OID - value which will be defined at the mechanism-independent level for - - - -Linn Standards Track [Page 14] - -RFC 1964 Kerberos Version 5 GSS-API June 1996 - - - GSS-API Version 2. - - This name type represents a self-describing object, whose framing - structure will be defined at the mechanism-independent level for - GSS-API Version 2. When generated by the Kerberos V5 mechanism, the - Mechanism OID within the exportable name shall be that of the - Kerberos V5 mechanism. The name component within the exportable name - shall be a contiguous string with structure as defined for the - Kerberos Principal Name Form. - - In order to achieve a distinguished encoding for comparison purposes, - the following additional constraints are imposed on the export - operation: - - (1) all occurrences of the characters `@`, `/`, and `\` within - principal components or realm names shall be quoted with an - immediately-preceding `\`. - - (2) all occurrences of the null, backspace, tab, or newline - characters within principal components or realm names will be - represented, respectively, with `\0`, `\b`, `\t`, or `\n`. - - (3) the `\` quoting character shall not be emitted within an - exported name except to accomodate cases (1) and (2). - -2.2. Optional Name Forms - - This section discusses additional name forms which may optionally be - supported by implementations of the Kerberos V5 GSS-API mechanism. - It is recognized that some of the name forms cited here are derived - from UNIX(tm) operating system platforms; some listed forms may be - irrelevant to non-UNIX platforms, and definition of additional forms - corresponding to such platforms may also be appropriate. 
It is also - recognized that OS-specific functions outside GSS-API are likely to - exist in order to perform translations among these forms, and that - GSS-API implementations supporting these forms may themselves be - layered atop such OS-specific functions. Inclusion of this support - within GSS-API implementations is intended as a convenience to - applications. - -2.2.1. User Name Form - - This name form shall be represented by the Object Identifier {iso(1) - member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) - generic(1) user_name(1)}. The recommended symbolic name for this - type is "GSS_KRB5_NT_USER_NAME". - - This name type is used to indicate a named user on a local system. - - - -Linn Standards Track [Page 15] - -RFC 1964 Kerberos Version 5 GSS-API June 1996 - - - Its interpretation is OS-specific. This name form is constructed as: - - username - - Assuming that users' principal names are the same as their local - operating system names, an implementation of GSS_Import_name() based - on Kerberos V5 technology can process names of this form by - postfixing an "@" sign and the name of the local realm. - -2.2.2. Machine UID Form - - This name form shall be represented by the Object Identifier {iso(1) - member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) - generic(1) machine_uid_name(2)}. The recommended symbolic name for - this type is "GSS_KRB5_NT_MACHINE_UID_NAME". - - This name type is used to indicate a numeric user identifier - corresponding to a user on a local system. Its interpretation is - OS-specific. The gss_buffer_desc representing a name of this type - should contain a locally-significant uid_t, represented in host byte - order. The GSS_Import_name() operation resolves this uid into a - username, which is then treated as the User Name Form. - -2.2.3. 
String UID Form - - This name form shall be represented by the Object Identifier {iso(1) - member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) - generic(1) string_uid_name(3)}. The recommended symbolic name for - this type is "GSS_KRB5_NT_STRING_UID_NAME". - - This name type is used to indicate a string of digits representing - the numeric user identifier of a user on a local system. Its - interpretation is OS-specific. This name type is similar to the - Machine UID Form, except that the buffer contains a string - representing the uid_t. - -3. Credentials Management - - The Kerberos V5 protocol uses different credentials (in the GSSAPI - sense) for initiating and accepting security contexts. Normal - clients receive a ticket-granting ticket (TGT) and an associated - session key at "login" time; the pair of a TGT and its corresponding - session key forms a credential which is suitable for initiating - security contexts. A ticket-granting ticket, its session key, and - any other (ticket, key) pairs obtained through use of the ticket- - granting-ticket, are typically stored in a Kerberos V5 credentials - cache, sometimes known as a ticket file. - - - - -Linn Standards Track [Page 16] - -RFC 1964 Kerberos Version 5 GSS-API June 1996 - - - The encryption key used by the Kerberos server to seal tickets for a - particular application service forms the credentials suitable for - accepting security contexts. These service keys are typically stored - in a Kerberos V5 key table, or srvtab file. In addition to their use - as accepting credentials, these service keys may also be used to - obtain initiating credentials for their service principal. - - The Kerberos V5 mechanism's credential handle may contain references - to either or both types of credentials. It is a local matter how the - Kerberos V5 mechanism implementation finds the appropriate Kerberos - V5 credentials cache or key table. 
- - However, when the Kerberos V5 mechanism attempts to obtain initiating - credentials for a service principal which are not available in a - credentials cache, and the key for that service principal is - available in a Kerberos V5 key table, the mechanism should use the - service key to obtain initiating credentials for that service. This - should be accomplished by requesting a ticket-granting-ticket from - the Kerberos Key Distribution Center (KDC), and decrypting the KDC's - reply using the service key. - -4. Parameter Definitions - - This section defines parameter values used by the Kerberos V5 GSS-API - mechanism. It defines interface elements in support of portability, - and assumes use of C language bindings per RFC-1509. - -4.1. Minor Status Codes - - This section recommends common symbolic names for minor_status values - to be returned by the Kerberos V5 GSS-API mechanism. Use of these - definitions will enable independent implementors to enhance - application portability across different implementations of the - mechanism defined in this specification. (In all cases, - implementations of GSS_Display_status() will enable callers to - convert minor_status indicators to text representations.) Each - implementation should make available, through include files or other - means, a facility to translate these symbolic names into the concrete - values which a particular GSS-API implementation uses to represent - the minor_status values specified in this section. - - It is recognized that this list may grow over time, and that the need - for additional minor_status codes specific to particular - implementations may arise. It is recommended, however, that - implementations should return a minor_status value as defined on a - mechanism-wide basis within this section when that code is accurately - representative of reportable status rather than using a separate, - implementation-defined code. 
- - - -Linn Standards Track [Page 17] - -RFC 1964 Kerberos Version 5 GSS-API June 1996 - - -4.1.1. Non-Kerberos-specific codes - - GSS_KRB5_S_G_BAD_SERVICE_NAME - /* "No @ in SERVICE-NAME name string" */ - GSS_KRB5_S_G_BAD_STRING_UID - /* "STRING-UID-NAME contains nondigits" */ - GSS_KRB5_S_G_NOUSER - /* "UID does not resolve to username" */ - GSS_KRB5_S_G_VALIDATE_FAILED - /* "Validation error" */ - GSS_KRB5_S_G_BUFFER_ALLOC - /* "Couldn't allocate gss_buffer_t data" */ - GSS_KRB5_S_G_BAD_MSG_CTX - /* "Message context invalid" */ - GSS_KRB5_S_G_WRONG_SIZE - /* "Buffer is the wrong size" */ - GSS_KRB5_S_G_BAD_USAGE - /* "Credential usage type is unknown" */ - GSS_KRB5_S_G_UNKNOWN_QOP - /* "Unknown quality of protection specified" */ - -4.1.2. Kerberos-specific-codes - - GSS_KRB5_S_KG_CCACHE_NOMATCH - /* "Principal in credential cache does not match desired name" */ - GSS_KRB5_S_KG_KEYTAB_NOMATCH - /* "No principal in keytab matches desired name" */ - GSS_KRB5_S_KG_TGT_MISSING - /* "Credential cache has no TGT" */ - GSS_KRB5_S_KG_NO_SUBKEY - /* "Authenticator has no subkey" */ - GSS_KRB5_S_KG_CONTEXT_ESTABLISHED - /* "Context is already fully established" */ - GSS_KRB5_S_KG_BAD_SIGN_TYPE - /* "Unknown signature type in token" */ - GSS_KRB5_S_KG_BAD_LENGTH - /* "Invalid field length in token" */ - GSS_KRB5_S_KG_CTX_INCOMPLETE - /* "Attempt to use incomplete security context" */ - -4.2. Quality of Protection Values - - This section defines Quality of Protection (QOP) values to be used - with the Kerberos V5 GSS-API mechanism as input to GSS_Wrap() and - GSS_GetMIC() routines in order to select among alternate integrity - and confidentiality algorithms. Additional QOP values may be added in - future versions of this specification. 
Non-overlapping bit positions - are and will be employed in order that both integrity and - - - -Linn Standards Track [Page 18] - -RFC 1964 Kerberos Version 5 GSS-API June 1996 - - - confidentiality QOP may be selected within a single parameter, via - inclusive-OR of the specified integrity and confidentiality values. - -4.2.1. Integrity Algorithms - - The following Quality of Protection (QOP) values are currently - defined for the Kerberos V5 GSS-API mechanism, and are used to select - among alternate integrity checking algorithms. - - GSS_KRB5_INTEG_C_QOP_MD5 (numeric value: 1) - /* Integrity using partial MD5 ("MD2.5") of plaintext */ - - GSS_KRB5_INTEG_C_QOP_DES_MD5 (numeric value: 2) - /* Integrity using DES MAC of MD5 of plaintext */ - - GSS_KRB5_INTEG_C_QOP_DES_MAC (numeric value: 3) - /* Integrity using DES MAC of plaintext */ - -4.2.2. Confidentiality Algorithms - - Only one confidentiality QOP value is currently defined for the - Kerberos V5 GSS-API mechanism: - - GSS_KRB5_CONF_C_QOP_DES (numeric value: 0) - /* Confidentiality with DES */ - - Note: confidentiality QOP should be indicated only by GSS-API calls - capable of providing confidentiality services. If non-zero - confidentiality QOP values are defined in future to represent - different algorithms, therefore, the bit positions containing those - values should be cleared before being returned by implementations of - GSS_GetMIC() and GSS_VerifyMIC(). - -4.3. Buffer Sizes - - All implementations of this specification shall be capable of - accepting buffers of at least 16 Kbytes as input to GSS_GetMIC(), - GSS_VerifyMIC(), and GSS_Wrap(), and shall be capable of accepting - the output_token generated by GSS_Wrap() for a 16 Kbyte input buffer - as input to GSS_Unwrap(). Support for larger buffer sizes is optional - but recommended. - - - - - - - - - - -Linn Standards Track [Page 19] - -RFC 1964 Kerberos Version 5 GSS-API June 1996 - - -5. 
Security Considerations
-
- Security issues are discussed throughout this memo.
-
-6. References
-
-
- [RFC-1321]: Rivest, R., "The MD5 Message-Digest Algorithm", RFC
- 1321, April 1992.
-
- [RFC-1508]: Linn, J., "Generic Security Service Application Program
- Interface", RFC 1508, September 1993.
-
- [RFC-1509]: Wray, J., "Generic Security Service Application Program
- Interface: C-bindings", RFC 1509, September 1993.
-
- [RFC-1510]: Kohl, J., and C. Neuman, "The Kerberos Network
- Authentication Service (V5)", RFC 1510, September 1993.
-
- [FIPS-PUB-113]: National Bureau of Standards, Federal Information
- Processing Standard 113, "Computer Data Authentication", May 1985.
-
-AUTHOR'S ADDRESS
-
- John Linn
- OpenVision Technologies
- One Main St.
- Cambridge, MA 02142 USA
-
- Phone: +1 617.374.2245
- EMail: John.Linn@ov.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Linn Standards Track [Page 20]
-
diff --git a/crypto/heimdal-0.6.3/doc/standardisation/rfc2078.txt b/crypto/heimdal-0.6.3/doc/standardisation/rfc2078.txt
deleted file mode 100644
index 1dd1e4aebd..0000000000
--- a/crypto/heimdal-0.6.3/doc/standardisation/rfc2078.txt
+++ /dev/null
@@ -1,4763 +0,0 @@
-
-
-
-
-
-
-Network Working Group J. Linn
-Request for Comments: 2078 OpenVision Technologies
-Category: Standards Track January 1997
-Obsoletes: 1508
-
-
- Generic Security Service Application Program Interface, Version 2
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Abstract
-
- The Generic Security Service Application Program Interface (GSS-API),
- as defined in RFC-1508, provides security services to callers in a
- generic fashion, supportable with a range of underlying mechanisms
- and technologies and hence allowing source-level portability of
- applications to different environments. This specification defines
- GSS-API services and primitives at a level independent of underlying
- mechanism and programming language environment, and is to be
- complemented by other, related specifications:
-
- documents defining specific parameter bindings for particular
- language environments
-
- documents defining token formats, protocols, and procedures to be
- implemented in order to realize GSS-API services atop particular
- security mechanisms
-
- This memo revises RFC-1508, making specific, incremental changes in
- response to implementation experience and liaison requests. It is
- intended, therefore, that this memo or a successor version thereto
- will become the basis for subsequent progression of the GSS-API
- specification on the standards track.
-
-Table of Contents
-
- 1: GSS-API Characteristics and Concepts.......................... 3
- 1.1: GSS-API Constructs.......................................... 6
- 1.1.1: Credentials..............................................
6 - 1.1.1.1: Credential Constructs and Concepts...................... 6 - 1.1.1.2: Credential Management................................... 7 - 1.1.1.3: Default Credential Resolution........................... 8 - - - -Linn Standards Track [Page 1] - -RFC 2078 GSS-API January 1997 - - - 1.1.2: Tokens.................................................... 9 - 1.1.3: Security Contexts........................................ 10 - 1.1.4: Mechanism Types.......................................... 11 - 1.1.5: Naming................................................... 12 - 1.1.6: Channel Bindings......................................... 14 - 1.2: GSS-API Features and Issues................................ 15 - 1.2.1: Status Reporting......................................... 15 - 1.2.2: Per-Message Security Service Availability................. 17 - 1.2.3: Per-Message Replay Detection and Sequencing............... 18 - 1.2.4: Quality of Protection.................................... 20 - 1.2.5: Anonymity Support......................................... 21 - 1.2.6: Initialization............................................ 22 - 1.2.7: Per-Message Protection During Context Establishment....... 22 - 1.2.8: Implementation Robustness................................. 23 - 2: Interface Descriptions....................................... 23 - 2.1: Credential management calls................................ 25 - 2.1.1: GSS_Acquire_cred call.................................... 26 - 2.1.2: GSS_Release_cred call.................................... 28 - 2.1.3: GSS_Inquire_cred call.................................... 29 - 2.1.4: GSS_Add_cred call........................................ 31 - 2.1.5: GSS_Inquire_cred_by_mech call............................ 33 - 2.2: Context-level calls........................................ 34 - 2.2.1: GSS_Init_sec_context call................................ 34 - 2.2.2: GSS_Accept_sec_context call.............................. 
40 - 2.2.3: GSS_Delete_sec_context call.............................. 44 - 2.2.4: GSS_Process_context_token call........................... 46 - 2.2.5: GSS_Context_time call.................................... 47 - 2.2.6: GSS_Inquire_context call................................. 47 - 2.2.7: GSS_Wrap_size_limit call................................. 49 - 2.2.8: GSS_Export_sec_context call.............................. 50 - 2.2.9: GSS_Import_sec_context call.............................. 52 - 2.3: Per-message calls.......................................... 53 - 2.3.1: GSS_GetMIC call.......................................... 54 - 2.3.2: GSS_VerifyMIC call....................................... 55 - 2.3.3: GSS_Wrap call............................................ 56 - 2.3.4: GSS_Unwrap call.......................................... 58 - 2.4: Support calls.............................................. 59 - 2.4.1: GSS_Display_status call.................................. 60 - 2.4.2: GSS_Indicate_mechs call.................................. 60 - 2.4.3: GSS_Compare_name call.................................... 61 - 2.4.4: GSS_Display_name call.................................... 62 - 2.4.5: GSS_Import_name call..................................... 63 - 2.4.6: GSS_Release_name call.................................... 64 - 2.4.7: GSS_Release_buffer call.................................. 65 - 2.4.8: GSS_Release_OID_set call................................. 65 - 2.4.9: GSS_Create_empty_OID_set call............................ 66 - 2.4.10: GSS_Add_OID_set_member call.............................. 67 - 2.4.11: GSS_Test_OID_set_member call............................. 67 - - - -Linn Standards Track [Page 2] - -RFC 2078 GSS-API January 1997 - - - 2.4.12: GSS_Release_OID call..................................... 68 - 2.4.13: GSS_OID_to_str call...................................... 68 - 2.4.14: GSS_Str_to_OID call...................................... 
69 - 2.4.15: GSS_Inquire_names_for_mech call.......................... 69 - 2.4.16: GSS_Inquire_mechs_for_name call.......................... 70 - 2.4.17: GSS_Canonicalize_name call............................... 71 - 2.4.18: GSS_Export_name call..................................... 72 - 2.4.19: GSS_Duplicate_name call.................................. 73 - 3: Data Structure Definitions for GSS-V2 Usage................... 73 - 3.1: Mechanism-Independent Token Format.......................... 74 - 3.2: Mechanism-Independent Exported Name Object Format........... 77 - 4: Name Type Definitions......................................... 77 - 4.1: Host-Based Service Name Form................................ 77 - 4.2: User Name Form.............................................. 78 - 4.3: Machine UID Form............................................ 78 - 4.4: String UID Form............................................. 79 - 5: Mechanism-Specific Example Scenarios......................... 79 - 5.1: Kerberos V5, single-TGT..................................... 79 - 5.2: Kerberos V5, double-TGT..................................... 80 - 5.3: X.509 Authentication Framework............................. 81 - 6: Security Considerations...................................... 82 - 7: Related Activities........................................... 82 - Appendix A: Mechanism Design Constraints......................... 83 - Appendix B: Compatibility with GSS-V1............................ 83 - -1: GSS-API Characteristics and Concepts - - GSS-API operates in the following paradigm. A typical GSS-API caller - is itself a communications protocol, calling on GSS-API in order to - protect its communications with authentication, integrity, and/or - confidentiality security services. 
A GSS-API caller accepts tokens - provided to it by its local GSS-API implementation and transfers the - tokens to a peer on a remote system; that peer passes the received - tokens to its local GSS-API implementation for processing. The - security services available through GSS-API in this fashion are - implementable (and have been implemented) over a range of underlying - mechanisms based on secret-key and public-key cryptographic - technologies. - - The GSS-API separates the operations of initializing a security - context between peers, achieving peer entity authentication (This - security service definition, and other definitions used in this - document, corresponds to that provided in International Standard ISO - 7498-2-1988(E), Security Architecture.) (GSS_Init_sec_context() and - GSS_Accept_sec_context() calls), from the operations of providing - per-message data origin authentication and data integrity protection - (GSS_GetMIC() and GSS_VerifyMIC() calls) for messages subsequently - transferred in conjunction with that context. When establishing a - - - -Linn Standards Track [Page 3] - -RFC 2078 GSS-API January 1997 - - - security context, the GSS-API enables a context initiator to - optionally permit its credentials to be delegated, meaning that the - context acceptor may initiate further security contexts on behalf of - the initiating caller. Per-message GSS_Wrap() and GSS_Unwrap() calls - provide the data origin authentication and data integrity services - which GSS_GetMIC() and GSS_VerifyMIC() offer, and also support - selection of confidentiality services as a caller option. Additional - calls provide supportive functions to the GSS-API's users. - - The following paragraphs provide an example illustrating the - dataflows involved in use of the GSS-API by a client and server in a - mechanism-independent fashion, establishing a security context and - transferring a protected message. 
The example assumes that credential - acquisition has already been completed. The example assumes that the - underlying authentication technology is capable of authenticating a - client to a server using elements carried within a single token, and - of authenticating the server to the client (mutual authentication) - with a single returned token; this assumption holds for presently- - documented CAT mechanisms but is not necessarily true for other - cryptographic technologies and associated protocols. - - The client calls GSS_Init_sec_context() to establish a security - context to the server identified by targ_name, and elects to set the - mutual_req_flag so that mutual authentication is performed in the - course of context establishment. GSS_Init_sec_context() returns an - output_token to be passed to the server, and indicates - GSS_S_CONTINUE_NEEDED status pending completion of the mutual - authentication sequence. Had mutual_req_flag not been set, the - initial call to GSS_Init_sec_context() would have returned - GSS_S_COMPLETE status. The client sends the output_token to the - server. - - The server passes the received token as the input_token parameter to - GSS_Accept_sec_context(). GSS_Accept_sec_context indicates - GSS_S_COMPLETE status, provides the client's authenticated identity - in the src_name result, and provides an output_token to be passed to - the client. The server sends the output_token to the client. - - The client passes the received token as the input_token parameter to - a successor call to GSS_Init_sec_context(), which processes data - included in the token in order to achieve mutual authentication from - the client's viewpoint. This call to GSS_Init_sec_context() returns - GSS_S_COMPLETE status, indicating successful mutual authentication - and the completion of context establishment for this example. - - The client generates a data message and passes it to GSS_Wrap(). 
- GSS_Wrap() performs data origin authentication, data integrity, and - (optionally) confidentiality processing on the message and - - - -Linn Standards Track [Page 4] - -RFC 2078 GSS-API January 1997 - - - encapsulates the result into output_message, indicating - GSS_S_COMPLETE status. The client sends the output_message to the - server. - - The server passes the received message to GSS_Unwrap(). GSS_Unwrap() - inverts the encapsulation performed by GSS_Wrap(), deciphers the - message if the optional confidentiality feature was applied, and - validates the data origin authentication and data integrity checking - quantities. GSS_Unwrap() indicates successful validation by - returning GSS_S_COMPLETE status along with the resultant - output_message. - - For purposes of this example, we assume that the server knows by - out-of-band means that this context will have no further use after - one protected message is transferred from client to server. Given - this premise, the server now calls GSS_Delete_sec_context() to flush - context-level information. Optionally, the server-side application - may provide a token buffer to GSS_Delete_sec_context(), to receive a - context_token to be transferred to the client in order to request - that client-side context-level information be deleted. - - If a context_token is transferred, the client passes the - context_token to GSS_Process_context_token(), which returns - GSS_S_COMPLETE status after deleting context-level information at the - client system. - - The GSS-API design assumes and addresses several basic goals, - including: - - Mechanism independence: The GSS-API defines an interface to - cryptographically implemented strong authentication and other - security services at a generic level which is independent of - particular underlying mechanisms. For example, GSS-API-provided - services can be implemented by secret-key technologies (e.g., - Kerberos) or public-key approaches (e.g., X.509). 
- - Protocol environment independence: The GSS-API is independent of - the communications protocol suites with which it is employed, - permitting use in a broad range of protocol environments. In - appropriate environments, an intermediate implementation "veneer" - which is oriented to a particular communication protocol (e.g., - Remote Procedure Call (RPC)) may be interposed between - applications which call that protocol and the GSS-API, thereby - invoking GSS-API facilities in conjunction with that protocol's - communications invocations. - - Protocol association independence: The GSS-API's security context - construct is independent of communications protocol association - - - -Linn Standards Track [Page 5] - -RFC 2078 GSS-API January 1997 - - - constructs. This characteristic allows a single GSS-API - implementation to be utilized by a variety of invoking protocol - modules on behalf of those modules' calling applications. GSS-API - services can also be invoked directly by applications, wholly - independent of protocol associations. - - Suitability to a range of implementation placements: GSS-API - clients are not constrained to reside within any Trusted Computing - Base (TCB) perimeter defined on a system where the GSS-API is - implemented; security services are specified in a manner suitable - to both intra-TCB and extra-TCB callers. - -1.1: GSS-API Constructs - - This section describes the basic elements comprising the GSS-API. - -1.1.1: Credentials - -1.1.1.1: Credential Constructs and Concepts - - Credentials provide the prerequisites which permit GSS-API peers to - establish security contexts with each other. A caller may designate - that the credential elements which are to be applied for context - initiation or acceptance be selected by default. 
Alternately, those - GSS-API callers which need to make explicit selection of particular - credentials structures may make references to those credentials - through GSS-API-provided credential handles ("cred_handles"). In all - cases, callers' credential references are indirect, mediated by GSS- - API implementations and not requiring callers to access the selected - credential elements. - - A single credential structure may be used to initiate outbound - contexts and to accept inbound contexts. Callers needing to operate - in only one of these modes may designate this fact when credentials - are acquired for use, allowing underlying mechanisms to optimize - their processing and storage requirements. The credential elements - defined by a particular mechanism may contain multiple cryptographic - keys, e.g., to enable authentication and message encryption to be - performed with different algorithms. - - A GSS-API credential structure may contain multiple credential - elements, each containing mechanism-specific information for a - particular underlying mechanism (mech_type), but the set of elements - within a given credential structure represent a common entity. A - credential structure's contents will vary depending on the set of - mech_types supported by a particular GSS-API implementation. Each - credential element identifies the data needed by its mechanism in - order to establish contexts on behalf of a particular principal, and - - - -Linn Standards Track [Page 6] - -RFC 2078 GSS-API January 1997 - - - may contain separate credential references for use in context - initiation and context acceptance. Multiple credential elements - within a given credential having overlapping combinations of - mechanism, usage mode, and validity period are not permitted. - - Commonly, a single mech_type will be used for all security contexts - established by a particular initiator to a particular target. 
A major - motivation for supporting credential sets representing multiple - mech_types is to allow initiators on systems which are equipped to - handle multiple types to initiate contexts to targets on other - systems which can accommodate only a subset of the set supported at - the initiator's system. - -1.1.1.2: Credential Management - - It is the responsibility of underlying system-specific mechanisms and - OS functions below the GSS-API to ensure that the ability to acquire - and use credentials associated with a given identity is constrained - to appropriate processes within a system. This responsibility should - be taken seriously by implementors, as the ability for an entity to - utilize a principal's credentials is equivalent to the entity's - ability to successfully assert that principal's identity. - - Once a set of GSS-API credentials is established, the transferability - of that credentials set to other processes or analogous constructs - within a system is a local matter, not defined by the GSS-API. An - example local policy would be one in which any credentials received - as a result of login to a given user account, or of delegation of - rights to that account, are accessible by, or transferable to, - processes running under that account. - - The credential establishment process (particularly when performed on - behalf of users rather than server processes) is likely to require - access to passwords or other quantities which should be protected - locally and exposed for the shortest time possible. As a result, it - will often be appropriate for preliminary credential establishment to - be performed through local means at user login time, with the - result(s) cached for subsequent reference. 
These preliminary - credentials would be set aside (in a system-specific fashion) for - subsequent use, either: - - to be accessed by an invocation of the GSS-API GSS_Acquire_cred() - call, returning an explicit handle to reference that credential - - to comprise default credential elements to be installed, and to be - used when default credential behavior is requested on behalf of a - process - - - - -Linn Standards Track [Page 7] - -RFC 2078 GSS-API January 1997 - - -1.1.1.3: Default Credential Resolution - - The gss_init_sec_context and gss_accept_sec_context routines allow - the value GSS_C_NO_CREDENTIAL to be specified as their credential - handle parameter. This special credential-handle indicates a desire - by the application to act as a default principal. While individual - GSS-API implementations are free to determine such default behavior - as appropriate to the mechanism, the following default behavior by - these routines is recommended for portability: - - GSS_Init_sec_context: - - (i) If there is only a single principal capable of initiating - security contexts that the application is authorized to act on - behalf of, then that principal shall be used, otherwise - - (ii) If the platform maintains a concept of a default network- - identity, and if the application is authorized to act on behalf of - that identity for the purpose of initiating security contexts, - then the principal corresponding to that identity shall be used, - otherwise - - (iii) If the platform maintains a concept of a default local - identity, and provides a means to map local identities into - network-identities, and if the application is authorized to act on - behalf of the network-identity image of the default local identity - for the purpose of initiating security contexts, then the - principal corresponding to that identity shall be used, otherwise - - (iv) A user-configurable default identity should be used. 
- - GSS_Accept_sec_context: - - (i) If there is only a single authorized principal identity - capable of accepting security contexts, then that principal shall - be used, otherwise - - (ii) If the mechanism can determine the identity of the target - principal by examining the context-establishment token, and if the - accepting application is authorized to act as that principal for - the purpose of accepting security contexts, then that principal - identity shall be used, otherwise - - (iii) If the mechanism supports context acceptance by any - principal, and mutual authentication was not requested, any - principal that the application is authorized to accept security - contexts under may be used, otherwise - - - - -Linn Standards Track [Page 8] - -RFC 2078 GSS-API January 1997 - - - (iv) A user-configurable default identity shall be used. - - The purpose of the above rules is to allow security contexts to be - established by both initiator and acceptor using the default behavior - wherever possible. Applications requesting default behavior are - likely to be more portable across mechanisms and platforms than ones - that use GSS_Acquire_cred to request a specific identity. - -1.1.2: Tokens - - Tokens are data elements transferred between GSS-API callers, and are - divided into two classes. Context-level tokens are exchanged in order - to establish and manage a security context between peers. Per-message - tokens relate to an established context and are exchanged to provide - protective security services (i.e., data origin authentication, - integrity, and optional confidentiality) for corresponding data - messages. - - The first context-level token obtained from GSS_Init_sec_context() is - required to indicate at its very beginning a globally-interpretable - mechanism identifier, i.e., an Object Identifier (OID) of the - security mechanism. 
The remaining part of this token as well as the - whole content of all other tokens are specific to the particular - underlying mechanism used to support the GSS-API. Section 3 of this - document provides, for designers of GSS-API support mechanisms, the - description of the header of the first context-level token which is - then followed by mechanism-specific information. - - Tokens' contents are opaque from the viewpoint of GSS-API callers. - They are generated within the GSS-API implementation at an end - system, provided to a GSS-API caller to be transferred to the peer - GSS-API caller at a remote end system, and processed by the GSS-API - implementation at that remote end system. Tokens may be output by - GSS-API calls (and should be transferred to GSS-API peers) whether or - not the calls' status indicators indicate successful completion. - Token transfer may take place in an in-band manner, integrated into - the same protocol stream used by the GSS-API callers for other data - transfers, or in an out-of-band manner across a logically separate - channel. - - Different GSS-API tokens are used for different purposes (e.g., - context initiation, context acceptance, protected message data on an - established context), and it is the responsibility of a GSS-API - caller receiving tokens to distinguish their types, associate them - with corresponding security contexts, and pass them to appropriate - GSS-API processing routines. Depending on the caller protocol - environment, this distinction may be accomplished in several ways. 
- - - - -Linn Standards Track [Page 9] - -RFC 2078 GSS-API January 1997 - - - The following examples illustrate means through which tokens' types - may be distinguished: - - - implicit tagging based on state information (e.g., all tokens on - a new association are considered to be context establishment - tokens until context establishment is completed, at which point - all tokens are considered to be wrapped data objects for that - context), - - - explicit tagging at the caller protocol level, - - - a hybrid of these approaches. - - Commonly, the encapsulated data within a token includes internal - mechanism-specific tagging information, enabling mechanism-level - processing modules to distinguish tokens used within the mechanism - for different purposes. Such internal mechanism-level tagging is - recommended to mechanism designers, and enables mechanisms to - determine whether a caller has passed a particular token for - processing by an inappropriate GSS-API routine. - - Development of GSS-API support primitives based on a particular - underlying cryptographic technique and protocol (i.e., conformant to - a specific GSS-API mechanism definition) does not necessarily imply - that GSS-API callers using that GSS-API mechanism will be able to - interoperate with peers invoking the same technique and protocol - outside the GSS-API paradigm, or with peers implementing a different - GSS-API mechanism based on the same underlying technology. The - format of GSS-API tokens defined in conjunction with a particular - mechanism, and the techniques used to integrate those tokens into - callers' protocols, may not be interoperable with the tokens used by - non-GSS-API callers of the same underlying technique. - -1.1.3: Security Contexts - - Security contexts are established between peers, using credentials - established locally in conjunction with each peer or received by - peers via delegation. 
Multiple contexts may exist simultaneously - between a pair of peers, using the same or different sets of - credentials. Coexistence of multiple contexts using different - credentials allows graceful rollover when credentials expire. - Distinction among multiple contexts based on the same credentials - serves applications by distinguishing different message streams in a - security sense. - - The GSS-API is independent of underlying protocols and addressing - structure, and depends on its callers to transport GSS-API-provided - data elements. As a result of these factors, it is a caller - - - -Linn Standards Track [Page 10] - -RFC 2078 GSS-API January 1997 - - - responsibility to parse communicated messages, separating GSS-API- - related data elements from caller-provided data. The GSS-API is - independent of connection vs. connectionless orientation of the - underlying communications service. - - No correlation between security context and communications protocol - association is dictated. (The optional channel binding facility, - discussed in Section 1.1.6 of this document, represents an - intentional exception to this rule, supporting additional protection - features within GSS-API supporting mechanisms.) This separation - allows the GSS-API to be used in a wide range of communications - environments, and also simplifies the calling sequences of the - individual calls. In many cases (depending on underlying security - protocol, associated mechanism, and availability of cached - information), the state information required for context setup can be - sent concurrently with initial signed user data, without interposing - additional message exchanges. - -1.1.4: Mechanism Types - - In order to successfully establish a security context with a target - peer, it is necessary to identify an appropriate underlying mechanism - type (mech_type) which both initiator and target peers support. 
The - definition of a mechanism embodies not only the use of a particular - cryptographic technology (or a hybrid or choice among alternative - cryptographic technologies), but also definition of the syntax and - semantics of data element exchanges which that mechanism will employ - in order to support security services. - - It is recommended that callers initiating contexts specify the - "default" mech_type value, allowing system-specific functions within - or invoked by the GSS-API implementation to select the appropriate - mech_type, but callers may direct that a particular mech_type be - employed when necessary. - - The means for identifying a shared mech_type to establish a security - context with a peer will vary in different environments and - circumstances; examples include (but are not limited to): - - use of a fixed mech_type, defined by configuration, within an - environment - - syntactic convention on a target-specific basis, through - examination of a target's name - - lookup of a target's name in a naming service or other database in - order to identify mech_types supported by that target - - - - -Linn Standards Track [Page 11] - -RFC 2078 GSS-API January 1997 - - - explicit negotiation between GSS-API callers in advance of - security context setup - - When transferred between GSS-API peers, mech_type specifiers (per - Section 3, represented as Object Identifiers (OIDs)) serve to qualify - the interpretation of associated tokens. (The structure and encoding - of Object Identifiers is defined in ISO/IEC 8824, "Specification of - Abstract Syntax Notation One (ASN.1)" and in ISO/IEC 8825, - "Specification of Basic Encoding Rules for Abstract Syntax Notation - One (ASN.1)".) Use of hierarchically structured OIDs serves to - preclude ambiguous interpretation of mech_type specifiers. 
The OID - representing the DASS MechType, for example, is 1.3.12.2.1011.7.5, - and that of the Kerberos V5 mechanism, once advanced to the level of - Proposed Standard, will be 1.2.840.113554.1.2.2. - -1.1.5: Naming - - The GSS-API avoids prescribing naming structures, treating the names - which are transferred across the interface in order to initiate and - accept security contexts as opaque objects. This approach supports - the GSS-API's goal of implementability atop a range of underlying - security mechanisms, recognizing the fact that different mechanisms - process and authenticate names which are presented in different - forms. Generalized services offering translation functions among - arbitrary sets of naming environments are outside the scope of the - GSS-API; availability and use of local conversion functions to - translate among the naming formats supported within a given end - system is anticipated. - - Different classes of name representations are used in conjunction - with different GSS-API parameters: - - - Internal form (denoted in this document by INTERNAL NAME), - opaque to callers and defined by individual GSS-API - implementations. GSS-API implementations supporting multiple - namespace types must maintain internal tags to disambiguate the - interpretation of particular names. A Mechanism Name (MN) is a - special case of INTERNAL NAME, guaranteed to contain elements - corresponding to one and only one mechanism; calls which are - guaranteed to emit MNs or which require MNs as input are so - identified within this specification. - - - Contiguous string ("flat") form (denoted in this document by - OCTET STRING); accompanied by OID tags identifying the namespace - to which they correspond. Depending on tag value, flat names may - or may not be printable strings for direct acceptance from and - presentation to users. 
Tagging of flat names allows GSS-API - callers and underlying GSS-API mechanisms to disambiguate name - - - -Linn Standards Track [Page 12] - -RFC 2078 GSS-API January 1997 - - - types and to determine whether an associated name's type is one - which they are capable of processing, avoiding aliasing problems - which could result from misinterpreting a name of one type as a - name of another type. - - - The GSS-API Exported Name Object, a special case of flat name - designated by a reserved OID value, carries a canonicalized form - of a name suitable for binary comparisons. - - In addition to providing means for names to be tagged with types, - this specification defines primitives to support a level of naming - environment independence for certain calling applications. To provide - basic services oriented towards the requirements of callers which - need not themselves interpret the internal syntax and semantics of - names, GSS-API calls for name comparison (GSS_Compare_name()), - human-readable display (GSS_Display_name()), input conversion - (GSS_Import_name()), internal name deallocation (GSS_Release_name()), - and internal name duplication (GSS_Duplicate_name()) functions are - defined. (It is anticipated that these proposed GSS-API calls will be - implemented in many end systems based on system-specific name - manipulation primitives already extant within those end systems; - inclusion within the GSS-API is intended to offer GSS-API callers a - portable means to perform specific operations, supportive of - authorization and audit requirements, on authenticated names.) - - GSS_Import_name() implementations can, where appropriate, support - more than one printable syntax corresponding to a given namespace - (e.g., alternative printable representations for X.500 Distinguished - Names), allowing flexibility for their callers to select among - alternative representations. 
GSS_Display_name() implementations - output a printable syntax selected as appropriate to their - operational environments; this selection is a local matter. Callers - desiring portability across alternative printable syntaxes should - refrain from implementing comparisons based on printable name forms - and should instead use the GSS_Compare_name() call to determine - whether or not one internal-format name matches another. - - The GSS_Canonicalize_name() and GSS_Export_name() calls enable - callers to acquire and process Exported Name Objects, canonicalized - and translated in accordance with the procedures of a particular - GSS-API mechanism. Exported Name Objects can, in turn, be input to - GSS_Import_name(), yielding equivalent MNs. These facilities are - designed specifically to enable efficient storage and comparison of - names (e.g., for use in access control lists). - - - - - - - -Linn Standards Track [Page 13] - -RFC 2078 GSS-API January 1997 - - - The following diagram illustrates the intended dataflow among name- - related GSS-API processing routines. - - GSS-API library defaults - | - | - V text, for - text --------------> internal_name (IN) -----------> display only - import_name() / display_name() - / - / - / - accept_sec_context() / - | / - | / - | / canonicalize_name() - | / - | / - | / - | / - | / - | | - V V <--------------------- - single mechanism import_name() exported name: flat - internal_name (MN) binary "blob" usable - ----------------------> for access control - export_name() - -1.1.6: Channel Bindings - - The GSS-API accommodates the concept of caller-provided channel - binding ("chan_binding") information. Channel bindings are used to - strengthen the quality with which peer entity authentication is - provided during context establishment, by limiting the scope within - which an intercepted context establishment token can be reused by an - attacker. 
Specifically, they enable GSS-API callers to bind the - establishment of a security context to relevant characteristics - (e.g., addresses, transformed representations of encryption keys) of - the underlying communications channel, of protection mechanisms - applied to that communications channel, and to application-specific - data. - - The caller initiating a security context must determine the - appropriate channel binding values to provide as input to the - GSS_Init_sec_context() call, and consistent values must be provided - to GSS_Accept_sec_context() by the context's target, in order for - both peers' GSS-API mechanisms to validate that received tokens - possess correct channel-related characteristics. Use or non-use of - - - -Linn Standards Track [Page 14] - -RFC 2078 GSS-API January 1997 - - - the GSS-API channel binding facility is a caller option. GSS-API - mechanisms can operate in an environment where NULL channel bindings - are presented; mechanism implementors are encouraged, but not - required, to make use of caller-provided channel binding data within - their mechanisms. Callers should not assume that underlying - mechanisms provide confidentiality protection for channel binding - information. - - When non-NULL channel bindings are provided by callers, certain - mechanisms can offer enhanced security value by interpreting the - bindings' content (rather than simply representing those bindings, or - integrity check values computed on them, within tokens) and will - therefore depend on presentation of specific data in a defined - format. To this end, agreements among mechanism implementors are - defining conventional interpretations for the contents of channel - binding arguments, including address specifiers (with content - dependent on communications protocol environment) for context - initiators and acceptors. (These conventions are being incorporated - in GSS-API mechanism specifications and into the GSS-API C language - bindings specification.) 
In order for GSS-API callers to be portable - across multiple mechanisms and achieve the full security - functionality which each mechanism can provide, it is strongly - recommended that GSS-API callers provide channel bindings consistent - with these conventions and those of the networking environment in - which they operate. - -1.2: GSS-API Features and Issues - - This section describes aspects of GSS-API operations, of the security - services which the GSS-API provides, and provides commentary on - design issues. - -1.2.1: Status Reporting - - Each GSS-API call provides two status return values. Major_status - values provide a mechanism-independent indication of call status - (e.g., GSS_S_COMPLETE, GSS_S_FAILURE, GSS_S_CONTINUE_NEEDED), - sufficient to drive normal control flow within the caller in a - generic fashion. Table 1 summarizes the defined major_status return - codes in tabular fashion. - - - - - - - - - - - -Linn Standards Track [Page 15] - -RFC 2078 GSS-API January 1997 - - -Table 1: GSS-API Major Status Codes - - FATAL ERROR CODES - - GSS_S_BAD_BINDINGS channel binding mismatch - GSS_S_BAD_MECH unsupported mechanism requested - GSS_S_BAD_NAME invalid name provided - GSS_S_BAD_NAMETYPE name of unsupported type provided - GSS_S_BAD_STATUS invalid input status selector - GSS_S_BAD_SIG token had invalid integrity check - GSS_S_CONTEXT_EXPIRED specified security context expired - GSS_S_CREDENTIALS_EXPIRED expired credentials detected - GSS_S_DEFECTIVE_CREDENTIAL defective credential detected - GSS_S_DEFECTIVE_TOKEN defective token detected - GSS_S_FAILURE failure, unspecified at GSS-API - level - GSS_S_NO_CONTEXT no valid security context specified - GSS_S_NO_CRED no valid credentials provided - GSS_S_BAD_QOP unsupported QOP value - GSS_S_UNAUTHORIZED operation unauthorized - GSS_S_UNAVAILABLE operation unavailable - GSS_S_DUPLICATE_ELEMENT duplicate credential element requested - GSS_S_NAME_NOT_MN name contains multi-mechanism elements - - INFORMATORY 
STATUS CODES - - GSS_S_COMPLETE normal completion - GSS_S_CONTINUE_NEEDED continuation call to routine - required - GSS_S_DUPLICATE_TOKEN duplicate per-message token - detected - GSS_S_OLD_TOKEN timed-out per-message token - detected - GSS_S_UNSEQ_TOKEN reordered (early) per-message token - detected - GSS_S_GAP_TOKEN skipped predecessor token(s) - detected - - Minor_status provides more detailed status information which may - include status codes specific to the underlying security mechanism. - Minor_status values are not specified in this document. - - GSS_S_CONTINUE_NEEDED major_status returns, and optional message - outputs, are provided in GSS_Init_sec_context() and - GSS_Accept_sec_context() calls so that different mechanisms' - employment of different numbers of messages within their - authentication sequences need not be reflected in separate code paths - within calling applications. Instead, such cases are accommodated - - - -Linn Standards Track [Page 16] - -RFC 2078 GSS-API January 1997 - - - with sequences of continuation calls to GSS_Init_sec_context() and - GSS_Accept_sec_context(). The same mechanism is used to encapsulate - mutual authentication within the GSS-API's context initiation calls. - - For mech_types which require interactions with third-party servers in - order to establish a security context, GSS-API context establishment - calls may block pending completion of such third-party interactions. - - On the other hand, no GSS-API calls pend on serialized interactions - with GSS-API peer entities. As a result, local GSS-API status - returns cannot reflect unpredictable or asynchronous exceptions - occurring at remote peers, and reflection of such status information - is a caller responsibility outside the GSS-API. 
- -1.2.2: Per-Message Security Service Availability - - When a context is established, two flags are returned to indicate the - set of per-message protection security services which will be - available on the context: - - the integ_avail flag indicates whether per-message integrity and - data origin authentication services are available - - the conf_avail flag indicates whether per-message confidentiality - services are available, and will never be returned TRUE unless the - integ_avail flag is also returned TRUE - - GSS-API callers desiring per-message security services should - check the values of these flags at context establishment time, and - must be aware that a returned FALSE value for integ_avail means - that invocation of GSS_GetMIC() or GSS_Wrap() primitives on the - associated context will apply no cryptographic protection to user - data messages. - - The GSS-API per-message integrity and data origin authentication - services provide assurance to a receiving caller that protection was - applied to a message by the caller's peer on the security context, - corresponding to the entity named at context initiation. The GSS-API - per-message confidentiality service provides assurance to a sending - caller that the message's content is protected from access by - entities other than the context's named peer. - - - - - - - - - - -Linn Standards Track [Page 17] - -RFC 2078 GSS-API January 1997 - - - The GSS-API per-message protection service primitives, as the - category name implies, are oriented to operation at the granularity - of protocol data units. They perform cryptographic operations on the - data units, transfer cryptographic control information in tokens, - and, in the case of GSS_Wrap(), encapsulate the protected data unit. - As such, these primitives are not oriented to efficient data - protection for stream-paradigm protocols (e.g., Telnet) if - cryptography must be applied on an octet-by-octet basis. 
- -1.2.3: Per-Message Replay Detection and Sequencing - - Certain underlying mech_types offer support for replay detection - and/or sequencing of messages transferred on the contexts they - support. These optionally-selectable protection features are distinct - from replay detection and sequencing features applied to the context - establishment operation itself; the presence or absence of context- - level replay or sequencing features is wholly a function of the - underlying mech_type's capabilities, and is not selected or omitted - as a caller option. - - The caller initiating a context provides flags (replay_det_req_flag - and sequence_req_flag) to specify whether the use of per-message - replay detection and sequencing features is desired on the context - being established. The GSS-API implementation at the initiator system - can determine whether these features are supported (and whether they - are optionally selectable) as a function of mech_type, without need - for bilateral negotiation with the target. When enabled, these - features provide recipients with indicators as a result of GSS-API - processing of incoming messages, identifying whether those messages - were detected as duplicates or out-of-sequence. Detection of such - events does not prevent a suspect message from being provided to a - recipient; the appropriate course of action on a suspect message is a - matter of caller policy. - - The semantics of the replay detection and sequencing services applied - to received messages, as visible across the interface which the GSS- - API provides to its clients, are as follows: - - When replay_det_state is TRUE, the possible major_status returns for - well-formed and correctly signed messages are as follows: - - 1. GSS_S_COMPLETE indicates that the message was within the window - (of time or sequence space) allowing replay events to be detected, - and that the message was not a replay of a previously-processed - message within that window. 
- - - - - - -Linn Standards Track [Page 18] - -RFC 2078 GSS-API January 1997 - - - 2. GSS_S_DUPLICATE_TOKEN indicates that the cryptographic - checkvalue on the received message was correct, but that the - message was recognized as a duplicate of a previously-processed - message. - - 3. GSS_S_OLD_TOKEN indicates that the cryptographic checkvalue on - the received message was correct, but that the message is too old - to be checked for duplication. - - When sequence_state is TRUE, the possible major_status returns for - well-formed and correctly signed messages are as follows: - - 1. GSS_S_COMPLETE indicates that the message was within the window - (of time or sequence space) allowing replay events to be detected, - that the message was not a replay of a previously-processed - message within that window, and that no predecessor sequenced - messages are missing relative to the last received message (if - any) processed on the context with a correct cryptographic - checkvalue. - - 2. GSS_S_DUPLICATE_TOKEN indicates that the integrity check value - on the received message was correct, but that the message was - recognized as a duplicate of a previously-processed message. - - 3. GSS_S_OLD_TOKEN indicates that the integrity check value on the - received message was correct, but that the token is too old to be - checked for duplication. - - 4. GSS_S_UNSEQ_TOKEN indicates that the cryptographic checkvalue - on the received message was correct, but that it is earlier in a - sequenced stream than a message already processed on the context. - [Note: Mechanisms can be architected to provide a stricter form of - sequencing service, delivering particular messages to recipients - only after all predecessor messages in an ordered stream have been - delivered. 
This type of support is incompatible with the GSS-API - paradigm in which recipients receive all messages, whether in - order or not, and provide them (one at a time, without intra-GSS- - API message buffering) to GSS-API routines for validation. GSS- - API facilities provide supportive functions, aiding clients to - achieve strict message stream integrity in an efficient manner in - conjunction with sequencing provisions in communications - protocols, but the GSS-API does not offer this level of message - stream integrity service by itself.] - - - - - - - - -Linn Standards Track [Page 19] - -RFC 2078 GSS-API January 1997 - - - 5. GSS_S_GAP_TOKEN indicates that the cryptographic checkvalue on - the received message was correct, but that one or more predecessor - sequenced messages have not been successfully processed relative - to the last received message (if any) processed on the context - with a correct cryptographic checkvalue. - - As the message stream integrity features (especially sequencing) may - interfere with certain applications' intended communications - paradigms, and since support for such features is likely to be - resource intensive, it is highly recommended that mech_types - supporting these features allow them to be activated selectively on - initiator request when a context is established. A context initiator - and target are provided with corresponding indicators - (replay_det_state and sequence_state), signifying whether these - features are active on a given context. - - An example mech_type supporting per-message replay detection could - (when replay_det_state is TRUE) implement the feature as follows: The - underlying mechanism would insert timestamps in data elements output - by GSS_GetMIC() and GSS_Wrap(), and would maintain (within a time- - limited window) a cache (qualified by originator-recipient pair) - identifying received data elements processed by GSS_VerifyMIC() and - GSS_Unwrap(). 
When this feature is active, exception status returns - (GSS_S_DUPLICATE_TOKEN, GSS_S_OLD_TOKEN) will be provided when - GSS_VerifyMIC() or GSS_Unwrap() is presented with a message which is - either a detected duplicate of a prior message or which is too old to - validate against a cache of recently received messages. - -1.2.4: Quality of Protection - - Some mech_types provide their users with fine granularity control - over the means used to provide per-message protection, allowing - callers to trade off security processing overhead dynamically against - the protection requirements of particular messages. A per-message - quality-of-protection parameter (analogous to quality-of-service, or - QOS) selects among different QOP options supported by that mechanism. - On context establishment for a multi-QOP mech_type, context-level - data provides the prerequisite data for a range of protection - qualities. - - It is expected that the majority of callers will not wish to exert - explicit mechanism-specific QOP control and will therefore request - selection of a default QOP. Definitions of, and choices among, non- - default QOP values are mechanism-specific, and no ordered sequences - of QOP values can be assumed equivalent across different mechanisms. - Meaningful use of non-default QOP values demands that callers be - familiar with the QOP definitions of an underlying mechanism or - mechanisms, and is therefore a non-portable construct. The - - - -Linn Standards Track [Page 20] - -RFC 2078 GSS-API January 1997 - - - GSS_S_BAD_QOP major_status value is defined in order to indicate that - a provided QOP value is unsupported for a security context, most - likely because that value is unrecognized by the underlying - mechanism. - -1.2.5: Anonymity Support - - In certain situations or environments, an application may wish to - authenticate a peer and/or protect communications using GSS-API per- - message services without revealing its own identity. 
For example, - consider an application which provides read access to a research - database, and which permits queries by arbitrary requestors. A - client of such a service might wish to authenticate the service, to - establish trust in the information received from it, but might not - wish to disclose its identity to the service for privacy reasons. - - In ordinary GSS-API usage, a context initiator's identity is made - available to the context acceptor as part of the context - establishment process. To provide for anonymity support, a facility - (input anon_req_flag to GSS_Init_sec_context()) is provided through - which context initiators may request that their identity not be - provided to the context acceptor. Mechanisms are not required to - honor this request, but a caller will be informed (via returned - anon_state indicator from GSS_Init_sec_context()) whether or not the - request is honored. Note that authentication as the anonymous - principal does not necessarily imply that credentials are not - required in order to establish a context. - - The following Object Identifier value is provided as a means to - identify anonymous names, and can be compared against in order to - determine, in a mechanism-independent fashion, whether a name refers - to an anonymous principal: - - {1(iso), 3(org), 6(dod), 1(internet), 5(security), 6(nametypes), - 3(gss-anonymous-name)} - - The recommended symbolic name corresponding to this definition is - GSS_C_NT_ANONYMOUS. - - Four possible combinations of anon_state and mutual_state are - possible, with the following results: - - anon_state == FALSE, mutual_state == FALSE: initiator - authenticated to target. - - anon_state == FALSE, mutual_state == TRUE: initiator authenticated - to target, target authenticated to initiator. - - - - -Linn Standards Track [Page 21] - -RFC 2078 GSS-API January 1997 - - - anon_state == TRUE, mutual_state == FALSE: initiator authenticated - as anonymous principal to target. 
- - anon_state == TRUE, mutual_state == TRUE: initiator authenticated - as anonymous principal to target, target authenticated to - initiator. - -1.2.6: Initialization - - No initialization calls (i.e., calls which must be invoked prior to - invocation of other facilities in the interface) are defined in GSS- - API. As an implication of this fact, GSS-API implementations must - themselves be self-initializing. - -1.2.7: Per-Message Protection During Context Establishment - - A facility is defined in GSS-V2 to enable protection and buffering of - data messages for later transfer while a security context's - establishment is in GSS_S_CONTINUE_NEEDED status, to be used in cases - where the caller side already possesses the necessary session key to - enable this processing. Specifically, a new state Boolean, called - prot_ready_state, is added to the set of information returned by - GSS_Init_sec_context(), GSS_Accept_sec_context(), and - GSS_Inquire_context(). - - For context establishment calls, this state Boolean is valid and - interpretable when the associated major_status is either - GSS_S_CONTINUE_NEEDED, or GSS_S_COMPLETE. Callers of GSS-API (both - initiators and acceptors) can assume that per-message protection (via - GSS_Wrap(), GSS_Unwrap(), GSS_GetMIC() and GSS_VerifyMIC()) is - available and ready for use if either: prot_ready_state == TRUE, or - major_status == GSS_S_COMPLETE, though mutual authentication (if - requested) cannot be guaranteed until GSS_S_COMPLETE is returned. - - This achieves full, transparent backward compatibility for GSS-API V1 - callers, who need not even know of the existence of prot_ready_state, - and who will get the expected behavior from GSS_S_COMPLETE, but who - will not be able to use per-message protection before GSS_S_COMPLETE - is returned. 
-
- It is not a requirement that GSS-V2 mechanisms ever return TRUE
- prot_ready_state before completion of context establishment (indeed,
- some mechanisms will not evolve usable message protection keys,
- especially at the context acceptor, before context establishment is
- complete). It is expected but not required that GSS-V2 mechanisms
- will return TRUE prot_ready_state upon completion of context
- establishment if they support per-message protection at all (however
- GSS-V2 applications should not assume that TRUE prot_ready_state will
-
-
-
-Linn Standards Track [Page 22]
-
-RFC 2078 GSS-API January 1997
-
-
- always be returned together with the GSS_S_COMPLETE major_status,
- since GSS-V2 implementations may continue to support GSS-V1 mechanism
- code, which will never return TRUE prot_ready_state).
-
- When prot_ready_state is returned TRUE, mechanisms shall also set
- those context service indicator flags (deleg_state, mutual_state,
- replay_det_state, sequence_state, anon_state, trans_state,
- conf_avail, integ_avail) which represent facilities confirmed, at
- that time, to be available on the context being established. In
- situations where prot_ready_state is returned before GSS_S_COMPLETE,
- it is possible that additional facilities may be confirmed and
- subsequently indicated when GSS_S_COMPLETE is returned.
-
-1.2.8: Implementation Robustness
-
- This section recommends aspects of GSS-API implementation behavior in
- the interests of overall robustness.
-
- If a token is presented for processing on a GSS-API security context
- and that token is determined to be invalid for that context, the
- context's state should not be disrupted for purposes of processing
- subsequent valid tokens.
-
- Certain local conditions at a GSS-API implementation (e.g.,
- unavailability of memory) may preclude, temporarily or permanently,
- the successful processing of tokens on a GSS-API security context,
- typically generating GSS_S_FAILURE major_status returns along with
- locally-significant minor_status. For robust operation under such
- conditions, the following recommendations are made:
-
- Failing calls should free any memory they allocate, so that
- callers may retry without causing further loss of resources.
-
- Failure of an individual call on an established context should not
- preclude subsequent calls from succeeding on the same context.
-
- Whenever possible, it should be possible for
- GSS_Delete_sec_context() calls to be successfully processed even
- if other calls cannot succeed, thereby enabling context-related
- resources to be released.
-
-2: Interface Descriptions
-
- This section describes the GSS-API's service interface, dividing the
- set of calls offered into four groups. Credential management calls
- are related to the acquisition and release of credentials by
- principals. Context-level calls are related to the management of
- security contexts between principals. Per-message calls are related
-
-
-
-Linn Standards Track [Page 23]
-
-RFC 2078 GSS-API January 1997
-
-
- to the protection of individual messages on established security
- contexts. Support calls provide ancillary functions useful to GSS-API
- callers. Table 2 groups and summarizes the calls in tabular fashion.
- -Table 2: GSS-API Calls - - CREDENTIAL MANAGEMENT - - GSS_Acquire_cred acquire credentials for use - GSS_Release_cred release credentials after use - GSS_Inquire_cred display information about - credentials - GSS_Add_cred construct credentials incrementally - GSS_Inquire_cred_by_mech display per-mechanism credential - information - - CONTEXT-LEVEL CALLS - - GSS_Init_sec_context initiate outbound security context - GSS_Accept_sec_context accept inbound security context - GSS_Delete_sec_context flush context when no longer needed - GSS_Process_context_token process received control token on - context - GSS_Context_time indicate validity time remaining on - context - GSS_Inquire_context display information about context - GSS_Wrap_size_limit determine GSS_Wrap token size limit - GSS_Export_sec_context transfer context to other process - GSS_Import_sec_context import transferred context - - PER-MESSAGE CALLS - - GSS_GetMIC apply integrity check, receive as - token separate from message - GSS_VerifyMIC validate integrity check token - along with message - GSS_Wrap sign, optionally encrypt, - encapsulate - GSS_Unwrap decapsulate, decrypt if needed, - validate integrity check - - - - - - - - - - - -Linn Standards Track [Page 24] - -RFC 2078 GSS-API January 1997 - - - SUPPORT CALLS - - GSS_Display_status translate status codes to printable - form - GSS_Indicate_mechs indicate mech_types supported on - local system - GSS_Compare_name compare two names for equality - GSS_Display_name translate name to printable form - GSS_Import_name convert printable name to - normalized form - GSS_Release_name free storage of normalized-form - name - GSS_Release_buffer free storage of printable name - GSS_Release_OID free storage of OID object - GSS_Release_OID_set free storage of OID set object - GSS_Create_empty_OID_set create empty OID set - GSS_Add_OID_set_member add member to OID set - GSS_Test_OID_set_member test if OID is member of OID set - GSS_OID_to_str display OID as string - 
GSS_Str_to_OID construct OID from string - GSS_Inquire_names_for_mech indicate name types supported by - mechanism - GSS_Inquire_mechs_for_name indicates mechanisms supporting name - type - GSS_Canonicalize_name translate name to per-mechanism form - GSS_Export_name externalize per-mechanism name - GSS_Duplicate_name duplicate name object - -2.1: Credential management calls - - These GSS-API calls provide functions related to the management of - credentials. Their characterization with regard to whether or not - they may block pending exchanges with other network entities (e.g., - directories or authentication servers) depends in part on OS-specific - (extra-GSS-API) issues, so is not specified in this document. - - The GSS_Acquire_cred() call is defined within the GSS-API in support - of application portability, with a particular orientation towards - support of portable server applications. It is recognized that (for - certain systems and mechanisms) credentials for interactive users may - be managed differently from credentials for server processes; in such - environments, it is the GSS-API implementation's responsibility to - distinguish these cases and the procedures for making this - distinction are a local matter. The GSS_Release_cred() call provides - a means for callers to indicate to the GSS-API that use of a - credentials structure is no longer required. The GSS_Inquire_cred() - call allows callers to determine information about a credentials - structure. The GSS_Add_cred() call enables callers to append - - - -Linn Standards Track [Page 25] - -RFC 2078 GSS-API January 1997 - - - elements to an existing credential structure, allowing iterative - construction of a multi-mechanism credential. The - GSS_Inquire_cred_by_mech() call enables callers to extract per- - mechanism information describing a credentials structure. 
- -2.1.1: GSS_Acquire_cred call - - Inputs: - - o desired_name INTERNAL NAME, -NULL requests locally-determined - default - - o lifetime_req INTEGER,-in seconds; 0 requests default - - o desired_mechs SET OF OBJECT IDENTIFIER,-empty set requests - system-selected default - - o cred_usage INTEGER -0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY, - 2=ACCEPT-ONLY - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o output_cred_handle CREDENTIAL HANDLE, - - o actual_mechs SET OF OBJECT IDENTIFIER, - - o lifetime_rec INTEGER -in seconds, or reserved value for - INDEFINITE - - Return major_status codes: - - o GSS_S_COMPLETE indicates that requested credentials were - successfully established, for the duration indicated in - lifetime_rec, suitable for the usage requested in cred_usage, - for the set of mech_types indicated in actual_mechs, and that - those credentials can be referenced for subsequent use with - the handle returned in output_cred_handle. - - o GSS_S_BAD_MECH indicates that a mech_type unsupported by the - GSS-API implementation type was requested, causing the - credential establishment operation to fail. - - - - - - -Linn Standards Track [Page 26] - -RFC 2078 GSS-API January 1997 - - - o GSS_S_BAD_NAMETYPE indicates that the provided desired_name is - uninterpretable or of a type unsupported by the applicable - underlying GSS-API mechanism(s), so no credentials could be - established for the accompanying desired_name. - - o GSS_S_BAD_NAME indicates that the provided desired_name is - inconsistent in terms of internally-incorporated type specifier - information, so no credentials could be established for the - accompanying desired_name. - - o GSS_S_FAILURE indicates that credential establishment failed - for reasons unspecified at the GSS-API level, including lack - of authorization to establish and use credentials associated - with the identity named in the input desired_name argument. 
- - GSS_Acquire_cred() is used to acquire credentials so that a - principal can (as a function of the input cred_usage parameter) - initiate and/or accept security contexts under the identity - represented by the desired_name input argument. On successful - completion, the returned output_cred_handle result provides a handle - for subsequent references to the acquired credentials. Typically, - single-user client processes requesting that default credential - behavior be applied for context establishment purposes will have no - need to invoke this call. - - A caller may provide the value NULL for desired_name, signifying a - request for credentials corresponding to a principal identity - selected by default for the caller. The procedures used by GSS-API - implementations to select the appropriate principal identity in - response to such a request are local matters. It is possible that - multiple pre-established credentials may exist for the same principal - identity (for example, as a result of multiple user login sessions) - when GSS_Acquire_cred() is called; the means used in such cases to - select a specific credential are local matters. The input - lifetime_req argument to GSS_Acquire_cred() may provide useful - information for local GSS-API implementations to employ in making - this disambiguation in a manner which will best satisfy a caller's - intent. - - The lifetime_rec result indicates the length of time for which the - acquired credentials will be valid, as an offset from the present. A - mechanism may return a reserved value indicating INDEFINITE if no - constraints on credential lifetime are imposed. A caller of - GSS_Acquire_cred() can request a length of time for which acquired - credentials are to be valid (lifetime_req argument), beginning at the - present, or can request credentials with a default validity interval. - (Requests for postdated credentials are not supported within the - GSS-API.) 
Certain mechanisms and implementations may bind in - - - -Linn Standards Track [Page 27] - -RFC 2078 GSS-API January 1997 - - - credential validity period specifiers at a point preliminary to - invocation of the GSS_Acquire_cred() call (e.g., in conjunction with - user login procedures). As a result, callers requesting non-default - values for lifetime_req must recognize that such requests cannot - always be honored and must be prepared to accommodate the use of - returned credentials with different lifetimes as indicated in - lifetime_rec. - - The caller of GSS_Acquire_cred() can explicitly specify a set of - mech_types which are to be accommodated in the returned credentials - (desired_mechs argument), or can request credentials for a system- - defined default set of mech_types. Selection of the system-specified - default set is recommended in the interests of application - portability. The actual_mechs return value may be interrogated by the - caller to determine the set of mechanisms with which the returned - credentials may be used. - -2.1.2: GSS_Release_cred call - - Input: - - o cred_handle CREDENTIAL HANDLE - NULL specifies that - the credential elements used when default credential behavior - is requested be released. - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the credentials referenced by the - input cred_handle were released for purposes of subsequent - access by the caller. The effect on other processes which may - be authorized shared access to such credentials is a local - matter. - - o GSS_S_NO_CRED indicates that no release operation was - performed, either because the input cred_handle was invalid or - because the caller lacks authorization to access the - referenced credentials. - - o GSS_S_FAILURE indicates that the release operation failed for - reasons unspecified at the GSS-API level. 
- - - - - -Linn Standards Track [Page 28] - -RFC 2078 GSS-API January 1997 - - - Provides a means for a caller to explicitly request that credentials - be released when their use is no longer required. Note that system- - specific credential management functions are also likely to exist, - for example to assure that credentials shared among processes are - properly deleted when all affected processes terminate, even if no - explicit release requests are issued by those processes. Given the - fact that multiple callers are not precluded from gaining authorized - access to the same credentials, invocation of GSS_Release_cred() - cannot be assumed to delete a particular set of credentials on a - system-wide basis. - -2.1.3: GSS_Inquire_cred call - - Input: - - o cred_handle CREDENTIAL HANDLE -NULL specifies that the - credential elements used when default credential behavior is - requested are to be queried - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o cred_name INTERNAL NAME, - - o lifetime_rec INTEGER -in seconds, or reserved value for - INDEFINITE - - o cred_usage INTEGER, -0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY, - 2=ACCEPT-ONLY - - o mech_set SET OF OBJECT IDENTIFIER - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the credentials referenced by the - input cred_handle argument were valid, and that the output - cred_name, lifetime_rec, and cred_usage values represent, - respectively, the credentials' associated principal name, - remaining lifetime, suitable usage modes, and supported - mechanism types. - - o GSS_S_NO_CRED indicates that no information could be returned - about the referenced credentials, either because the input - cred_handle was invalid or because the caller lacks - authorization to access the referenced credentials. - - - -Linn Standards Track [Page 29] - -RFC 2078 GSS-API January 1997 - - - o GSS_S_DEFECTIVE_CREDENTIAL indicates that the referenced - credentials are invalid. 
-
- o GSS_S_CREDENTIALS_EXPIRED indicates that the referenced
- credentials have expired.
-
- o GSS_S_FAILURE indicates that the operation failed for
- reasons unspecified at the GSS-API level.
-
- The GSS_Inquire_cred() call is defined primarily for the use of those
- callers which request use of default credential behavior rather than
- acquiring credentials explicitly with GSS_Acquire_cred(). It enables
- callers to determine a credential structure's associated principal
- name, remaining validity period, usability for security context
- initiation and/or acceptance, and supported mechanisms.
-
- For a multi-mechanism credential, the returned "lifetime" specifier
- indicates the shortest lifetime of any of the mechanisms' elements in
- the credential (for either context initiation or acceptance
- purposes).
-
- GSS_Inquire_cred() should indicate INITIATE-AND-ACCEPT for
- "cred_usage" if both of the following conditions hold:
-
- (1) there exists in the credential an element which allows context
- initiation using some mechanism
-
- (2) there exists in the credential an element which allows context
- acceptance using some mechanism (allowably, but not necessarily,
- one of the same mechanism(s) qualifying for (1)).
-
- If condition (1) holds but not condition (2), GSS_Inquire_cred()
- should indicate INITIATE-ONLY for "cred_usage". If condition (2)
- holds but not condition (1), GSS_Inquire_cred() should indicate
- ACCEPT-ONLY for "cred_usage".
-
- Callers requiring finer disambiguation among available combinations
- of lifetimes, usage modes, and mechanisms should call the
- GSS_Inquire_cred_by_mech() routine, passing that routine one of the
- mech OIDs returned by GSS_Inquire_cred().
- - - - - - - - - - - -Linn Standards Track [Page 30] - -RFC 2078 GSS-API January 1997 - - -2.1.4: GSS_Add_cred call - - Inputs: - - o input_cred_handle CREDENTIAL HANDLE - handle to credential - structure created with prior GSS_Acquire_cred() or - GSS_Add_cred() call, or NULL to append elements to the set - which are applied for the caller when default credential - behavior is specified. - - o desired_name INTERNAL NAME - NULL requests locally-determined - default - - o initiator_time_req INTEGER - in seconds; 0 requests default - - o acceptor_time_req INTEGER - in seconds; 0 requests default - - o desired_mech OBJECT IDENTIFIER - - o cred_usage INTEGER - 0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY, - 2=ACCEPT-ONLY - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o output_cred_handle CREDENTIAL HANDLE, - NULL to request that - credential elements be added "in place" to the credential - structure identified by input_cred_handle, non-NULL pointer - to request that a new credential structure and handle be created. - - o actual_mechs SET OF OBJECT IDENTIFIER, - - o initiator_time_rec INTEGER - in seconds, or reserved value for - INDEFINITE - - o acceptor_time_rec INTEGER - in seconds, or reserved value for - INDEFINITE - - o cred_usage INTEGER, -0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY, - 2=ACCEPT-ONLY - - o mech_set SET OF OBJECT IDENTIFIER -- full set of mechanisms - supported by resulting credential. - - - - - -Linn Standards Track [Page 31] - -RFC 2078 GSS-API January 1997 - - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the credentials referenced by - the input_cred_handle argument were valid, and that the - resulting credential from GSS_Add_cred() is valid for the - durations indicated in initiator_time_rec and acceptor_time_rec, - suitable for the usage requested in cred_usage, and for the - mechanisms indicated in actual_mechs. 
-
- o GSS_S_DUPLICATE_ELEMENT indicates that the input desired_mech
- specified a mechanism for which the referenced credential
- already contained a credential element with overlapping
- cred_usage and validity time specifiers.
-
- o GSS_S_BAD_MECH indicates that the input desired_mech specified
- a mechanism unsupported by the GSS-API implementation, causing
- the GSS_Add_cred() operation to fail.
-
- o GSS_S_BAD_NAMETYPE indicates that the provided desired_name
- is uninterpretable or of a type unsupported by the applicable
- underlying GSS-API mechanism(s), so the GSS_Add_cred() operation
- could not be performed for that name.
-
- o GSS_S_BAD_NAME indicates that the provided desired_name is
- inconsistent in terms of internally-incorporated type specifier
- information, so the GSS_Add_cred() operation could not be
- performed for that name.
-
- o GSS_S_NO_CRED indicates that the input_cred_handle referenced
- invalid or inaccessible credentials.
-
- o GSS_S_FAILURE indicates that the operation failed for
- reasons unspecified at the GSS-API level, including lack of
- authorization to establish or use credentials representing
- the requested identity.
-
- GSS_Add_cred() enables callers to construct credentials iteratively
- by adding credential elements in successive operations, corresponding
- to different mechanisms. This offers particular value in multi-
- mechanism environments, as the major_status and minor_status values
- returned on each iteration are individually visible and can therefore
- be interpreted unambiguously on a per-mechanism basis.
-
- The same input desired_name, or default reference, should be used on
- all GSS_Acquire_cred() and GSS_Add_cred() calls corresponding to a
- particular credential.
- - - - - -Linn Standards Track [Page 32] - -RFC 2078 GSS-API January 1997 - - -2.1.5: GSS_Inquire_cred_by_mech call - - Inputs: - - o cred_handle CREDENTIAL HANDLE -- NULL specifies that the - credential elements used when default credential behavior is - requested are to be queried - - o mech_type OBJECT IDENTIFIER -- specific mechanism for - which credentials are being queried - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o cred_name INTERNAL NAME, -- guaranteed to be MN - - o lifetime_rec_initiate INTEGER -- in seconds, or reserved value for - INDEFINITE - - o lifetime_rec_accept INTEGER -- in seconds, or reserved value for - INDEFINITE - - o cred_usage INTEGER, -0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY, - 2=ACCEPT-ONLY - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the credentials referenced by the - input cred_handle argument were valid, that the mechanism - indicated by the input mech_type was represented with elements - within those credentials, and that the output cred_name, - lifetime_rec_initiate, lifetime_rec_accept, and cred_usage values - represent, respectively, the credentials' associated principal - name, remaining lifetimes, and suitable usage modes. - - o GSS_S_NO_CRED indicates that no information could be returned - about the referenced credentials, either because the input - cred_handle was invalid or because the caller lacks - authorization to access the referenced credentials. - - o GSS_S_DEFECTIVE_CREDENTIAL indicates that the referenced - credentials are invalid. - - o GSS_S_CREDENTIALS_EXPIRED indicates that the referenced - credentials have expired. - - - -Linn Standards Track [Page 33] - -RFC 2078 GSS-API January 1997 - - - o GSS_S_BAD_MECH indicates that the referenced credentials do not - contain elements for the requested mechanism. - - o GSS_S_FAILURE indicates that the operation failed for reasons - unspecified at the GSS-API level. 
-
- The GSS_Inquire_cred_by_mech() call enables callers in multi-
- mechanism environments to acquire specific data about available
- combinations of lifetimes, usage modes, and mechanisms within a
- credential structure. The lifetime_rec_initiate result indicates the
- available lifetime for context initiation purposes; the
- lifetime_rec_accept result indicates the available lifetime for
- context acceptance purposes.
-
-2.2: Context-level calls
-
- This group of calls is devoted to the establishment and management of
- security contexts between peers. A context's initiator calls
- GSS_Init_sec_context(), resulting in generation of a token which the
- caller passes to the target. At the target, that token is passed to
- GSS_Accept_sec_context(). Depending on the underlying mech_type and
- specified options, additional token exchanges may be performed in the
- course of context establishment; such exchanges are accommodated by
- GSS_S_CONTINUE_NEEDED status returns from GSS_Init_sec_context() and
- GSS_Accept_sec_context().
-
- Either party to an established context may invoke
- GSS_Delete_sec_context() to flush context information when a context
- is no longer required. GSS_Process_context_token() is used to
- process received tokens carrying context-level control information.
- GSS_Context_time() allows a caller to determine the length of time
- for which an established context will remain valid.
- GSS_Inquire_context() returns status information describing context
- characteristics. GSS_Wrap_size_limit() allows a caller to determine
- the size of a token which will be generated by a GSS_Wrap()
- operation. GSS_Export_sec_context() and GSS_Import_sec_context()
- enable transfer of active contexts between processes on an end
- system.
- -2.2.1: GSS_Init_sec_context call - - Inputs: - - o claimant_cred_handle CREDENTIAL HANDLE, -NULL specifies "use - default" - - o input_context_handle CONTEXT HANDLE, -0 specifies "none assigned - yet" - - - -Linn Standards Track [Page 34] - -RFC 2078 GSS-API January 1997 - - - o targ_name INTERNAL NAME, - - o mech_type OBJECT IDENTIFIER, -NULL parameter specifies "use - default" - - o deleg_req_flag BOOLEAN, - - o mutual_req_flag BOOLEAN, - - o replay_det_req_flag BOOLEAN, - - o sequence_req_flag BOOLEAN, - - o anon_req_flag BOOLEAN, - - o lifetime_req INTEGER,-0 specifies default lifetime - - o chan_bindings OCTET STRING, - - o input_token OCTET STRING-NULL or token received from target - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o output_context_handle CONTEXT HANDLE, - - o mech_type OBJECT IDENTIFIER, -actual mechanism always - indicated, never NULL - - o output_token OCTET STRING, -NULL or token to pass to context - target - - o deleg_state BOOLEAN, - - o mutual_state BOOLEAN, - - o replay_det_state BOOLEAN, - - o sequence_state BOOLEAN, - - o anon_state BOOLEAN, - - o trans_state BOOLEAN, - - o prot_ready_state BOOLEAN, -- see Section 1.2.7 - - - -Linn Standards Track [Page 35] - -RFC 2078 GSS-API January 1997 - - - o conf_avail BOOLEAN, - - o integ_avail BOOLEAN, - - o lifetime_rec INTEGER - in seconds, or reserved value for - INDEFINITE - - This call may block pending network interactions for those mech_types - in which an authentication server or other network entity must be - consulted on behalf of a context initiator in order to generate an - output_token suitable for presentation to a specified target. - - Return major_status codes: - - o GSS_S_COMPLETE indicates that context-level information was - successfully initialized, and that the returned output_token - will provide sufficient information for the target to perform - per-message processing on the newly-established context. 
-
- o GSS_S_CONTINUE_NEEDED indicates that control information in the
- returned output_token must be sent to the target, and that a
- reply must be received and passed as the input_token argument
- to a continuation call to GSS_Init_sec_context(), before
- per-message processing can be performed in conjunction with
- this context.
-
- o GSS_S_DEFECTIVE_TOKEN indicates that consistency checks
- performed on the input_token failed, preventing further
- processing from being performed based on that token.
-
- o GSS_S_DEFECTIVE_CREDENTIAL indicates that consistency checks
- performed on the credential structure referenced by
- claimant_cred_handle failed, preventing further processing from
- being performed using that credential structure.
-
- o GSS_S_BAD_SIG indicates that the received input_token
- contains an incorrect integrity check, so context setup cannot
- be accomplished.
-
- o GSS_S_NO_CRED indicates that no context was established,
- either because the input cred_handle was invalid, because the
- referenced credentials are valid for context acceptor use
- only, or because the caller lacks authorization to access the
- referenced credentials.
-
- o GSS_S_CREDENTIALS_EXPIRED indicates that the credentials
- provided through the input claimant_cred_handle argument are no
- longer valid, so context establishment cannot be completed.
-
-
-
-Linn Standards Track [Page 36]
-
-RFC 2078 GSS-API January 1997
-
-
- o GSS_S_BAD_BINDINGS indicates that a mismatch between the
- caller-provided chan_bindings and those extracted from the
- input_token was detected, signifying a security-relevant
- event and preventing context establishment. (This result will
- be returned by GSS_Init_sec_context only for contexts where
- mutual_state is TRUE.)
-
- o GSS_S_OLD_TOKEN indicates that the input_token is too old to
- be checked for integrity. This is a fatal error during context
- establishment.
- - o GSS_S_DUPLICATE_TOKEN indicates that the input token has a - correct integrity check, but is a duplicate of a token already - processed. This is a fatal error during context establishment. - - o GSS_S_NO_CONTEXT indicates that no valid context was recognized - for the input context_handle provided; this major status will - be returned only for successor calls following GSS_S_CONTINUE_ - NEEDED status returns. - - o GSS_S_BAD_NAMETYPE indicates that the provided targ_name is - of a type uninterpretable or unsupported by the applicable - underlying GSS-API mechanism(s), so context establishment - cannot be completed. - - o GSS_S_BAD_NAME indicates that the provided targ_name is - inconsistent in terms of internally-incorporated type specifier - information, so context establishment cannot be accomplished. - - o GSS_S_BAD_MECH indicates receipt of a context establishment token - or of a caller request specifying a mechanism unsupported by - the local system or with the caller's active credentials - - o GSS_S_FAILURE indicates that context setup could not be - accomplished for reasons unspecified at the GSS-API level, and - that no interface-defined recovery action is available. - - This routine is used by a context initiator, and ordinarily emits one - (or, for the case of a multi-step exchange, more than one) - output_token suitable for use by the target within the selected - mech_type's protocol. Using information in the credentials structure - referenced by claimant_cred_handle, GSS_Init_sec_context() - initializes the data structures required to establish a security - context with target targ_name. The targ_name may be any valid - INTERNAL NAME; it need not be an MN. 
The claimant_cred_handle must - correspond to the same valid credentials structure on the initial - call to GSS_Init_sec_context() and on any successor calls resulting - from GSS_S_CONTINUE_NEEDED status returns; different protocol - - - -Linn Standards Track [Page 37] - -RFC 2078 GSS-API January 1997 - - - sequences modeled by the GSS_S_CONTINUE_NEEDED facility will require - access to credentials at different points in the context - establishment sequence. - - The input_context_handle argument is 0, specifying "not yet - assigned", on the first GSS_Init_sec_context() call relating to a - given context. If successful (i.e., if accompanied by major_status - GSS_S_COMPLETE or GSS_S_CONTINUE_NEEDED), and only if successful, the - initial GSS_Init_sec_context() call returns a non-zero - output_context_handle for use in future references to this context. - Once a non-zero output_context_handle has been returned, GSS-API - callers should call GSS_Delete_sec_context() to release context- - related resources if errors occur in later phases of context - establishment, or when an established context is no longer required. - - When continuation attempts to GSS_Init_sec_context() are needed to - perform context establishment, the previously-returned non-zero - handle value is entered into the input_context_handle argument and - will be echoed in the returned output_context_handle argument. On - such continuation attempts (and only on continuation attempts) the - input_token value is used, to provide the token returned from the - context's target. - - The chan_bindings argument is used by the caller to provide - information binding the security context to security-related - characteristics (e.g., addresses, cryptographic keys) of the - underlying communications channel. See Section 1.1.6 of this document - for more discussion of this argument's usage. 
- - The input_token argument contains a message received from the target, - and is significant only on a call to GSS_Init_sec_context() which - follows a previous return indicating GSS_S_CONTINUE_NEEDED - major_status. - - It is the caller's responsibility to establish a communications path - to the target, and to transmit any returned output_token (independent - of the accompanying returned major_status value) to the target over - that path. The output_token can, however, be transmitted along with - the first application-provided input message to be processed by - GSS_GetMIC() or GSS_Wrap() in conjunction with a successfully- - established context. - - The initiator may request various context-level functions through - input flags: the deleg_req_flag requests delegation of access rights, - the mutual_req_flag requests mutual authentication, the - replay_det_req_flag requests that replay detection features be - applied to messages transferred on the established context, and the - sequence_req_flag requests that sequencing be enforced. (See Section - - - -Linn Standards Track [Page 38] - -RFC 2078 GSS-API January 1997 - - - 1.2.3 for more information on replay detection and sequencing - features.) The anon_req_flag requests that the initiator's identity - not be transferred within tokens to be sent to the acceptor. - - Not all of the optionally-requestable features will be available in - all underlying mech_types. The corresponding return state values - deleg_state, mutual_state, replay_det_state, and sequence_state - indicate, as a function of mech_type processing capabilities and - initiator-provided input flags, the set of features which will be - active on the context. The returned trans_state value indicates - whether the context is transferable to other processes through use of - GSS_Export_sec_context(). 
These state indicators' values are
- undefined unless either the routine's major_status indicates
- GSS_S_COMPLETE, or TRUE prot_ready_state is returned along with
- GSS_S_CONTINUE_NEEDED major_status; for the latter case, it is
- possible that additional features, not confirmed or indicated along
- with TRUE prot_ready_state, will be confirmed and indicated when
- GSS_S_COMPLETE is subsequently returned.
-
- The returned anon_state and prot_ready_state values are significant
- for both GSS_S_COMPLETE and GSS_S_CONTINUE_NEEDED major_status
- returns from GSS_Init_sec_context(). When anon_state is returned
- TRUE, this indicates that neither the current token nor its
- predecessors delivers or has delivered the initiator's identity.
- Callers wishing to perform context establishment only if anonymity
- support is provided should transfer a returned token from
- GSS_Init_sec_context() to the peer only if it is accompanied by a
- TRUE anon_state indicator. When prot_ready_state is returned TRUE in
- conjunction with GSS_S_CONTINUE_NEEDED major_status, this indicates
- that per-message protection operations may be applied on the context:
- see Section 1.2.7 for further discussion of this facility.
-
- Failure to provide the precise set of features requested by the
- caller does not cause context establishment to fail; it is the
- caller's prerogative to delete the context if the feature set
- provided is unsuitable for the caller's use.
-
- The returned mech_type value indicates the specific mechanism
- employed on the context, is valid only along with major_status
- GSS_S_COMPLETE, and will never indicate the value for "default".
- Note that, for the case of certain mechanisms which themselves
- perform negotiation, the returned mech_type result may indicate
- selection of a mechanism identified by an OID different than that
- passed in the input mech_type argument.
-
- The conf_avail return value indicates whether the context supports
- per-message confidentiality services, and so informs the caller
- whether or not a request for encryption through the conf_req_flag
-
-
-
-Linn Standards Track [Page 39]
-
-RFC 2078 GSS-API January 1997
-
-
- input to GSS_Wrap() can be honored. In similar fashion, the
- integ_avail return value indicates whether per-message integrity
- services are available (through either GSS_GetMIC() or GSS_Wrap()) on
- the established context. These state indicators' values are undefined
- unless either the routine's major_status indicates GSS_S_COMPLETE, or
- TRUE prot_ready_state is returned along with GSS_S_CONTINUE_NEEDED
- major_status.
-
- The lifetime_req input specifies a desired upper bound for the
- lifetime of the context to be established, with a value of 0 used to
- request a default lifetime. The lifetime_rec return value indicates
- the length of time for which the context will be valid, expressed as
- an offset from the present; depending on mechanism capabilities,
- credential lifetimes, and local policy, it may not correspond to the
- value requested in lifetime_req. If no constraints on context
- lifetime are imposed, this may be indicated by returning a reserved
- value representing INDEFINITE lifetime_req. The value of lifetime_rec
- is undefined unless the routine's major_status indicates
- GSS_S_COMPLETE.
-
- If the mutual_state is TRUE, this fact will be reflected within the
- output_token. A call to GSS_Accept_sec_context() at the target in
- conjunction with such a context will return a token, to be processed
- by a continuation call to GSS_Init_sec_context(), in order to
- achieve mutual authentication.
- -2.2.2: GSS_Accept_sec_context call - - Inputs: - - o acceptor_cred_handle CREDENTIAL HANDLE, -- NULL specifies - "use default" - - o input_context_handle CONTEXT HANDLE, -- 0 specifies - "not yet assigned" - - o chan_bindings OCTET STRING, - - o input_token OCTET STRING - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o src_name INTERNAL NAME, -- guaranteed to be MN - - - - -Linn Standards Track [Page 40] - -RFC 2078 GSS-API January 1997 - - - o mech_type OBJECT IDENTIFIER, - - o output_context_handle CONTEXT HANDLE, - - o deleg_state BOOLEAN, - - o mutual_state BOOLEAN, - - o replay_det_state BOOLEAN, - - o sequence_state BOOLEAN, - - o anon_state BOOLEAN, - - o trans_state BOOLEAN, - - o prot_ready_state BOOLEAN, -- see Section 1.2.7 for discussion - - o conf_avail BOOLEAN, - - o integ_avail BOOLEAN, - - o lifetime_rec INTEGER, - in seconds, or reserved value for - INDEFINITE - - o delegated_cred_handle CREDENTIAL HANDLE, - - o output_token OCTET STRING -NULL or token to pass to context - initiator - - This call may block pending network interactions for those mech_types - in which a directory service or other network entity must be - consulted on behalf of a context acceptor in order to validate a - received input_token. - - Return major_status codes: - - o GSS_S_COMPLETE indicates that context-level data structures - were successfully initialized, and that per-message processing - can now be performed in conjunction with this context. - - o GSS_S_CONTINUE_NEEDED indicates that control information in the - returned output_token must be sent to the initiator, and that - a response must be received and passed as the input_token - argument to a continuation call to GSS_Accept_sec_context(), - before per-message processing can be performed in conjunction - with this context. 
-
-
-
-
-Linn Standards Track [Page 41]
-
-RFC 2078 GSS-API January 1997
-
-
- o GSS_S_DEFECTIVE_TOKEN indicates that consistency checks performed
- on the input_token failed, preventing further processing from
- being performed based on that token.
-
- o GSS_S_DEFECTIVE_CREDENTIAL indicates that consistency checks
- performed on the credential structure referenced by
- acceptor_cred_handle failed, preventing further processing from
- being performed using that credential structure.
-
- o GSS_S_BAD_SIG indicates that the received input_token contains
- an incorrect integrity check, so context setup cannot be
- accomplished.
-
- o GSS_S_DUPLICATE_TOKEN indicates that the integrity check on the
- received input_token was correct, but that the input_token
- was recognized as a duplicate of an input_token already
- processed. No new context is established.
-
- o GSS_S_OLD_TOKEN indicates that the integrity check on the received
- input_token was correct, but that the input_token is too old
- to be checked for duplication against previously-processed
- input_tokens. No new context is established.
-
- o GSS_S_NO_CRED indicates that no context was established, either
- because the input cred_handle was invalid, because the
- referenced credentials are valid for context initiator use
- only, or because the caller lacks authorization to access the
- referenced credentials.
-
- o GSS_S_CREDENTIALS_EXPIRED indicates that the credentials provided
- through the input acceptor_cred_handle argument are no
- longer valid, so context establishment cannot be completed.
-
- o GSS_S_BAD_BINDINGS indicates that a mismatch between the
- caller-provided chan_bindings and those extracted from the
- input_token was detected, signifying a security-relevant
- event and preventing context establishment.
-
- o GSS_S_NO_CONTEXT indicates that no valid context was recognized
- for the input context_handle provided; this major status will
- be returned only for successor calls following GSS_S_CONTINUE_
- NEEDED status returns.
-
- o GSS_S_BAD_MECH indicates receipt of a context establishment token
- specifying a mechanism unsupported by the local system or with
- the caller's active credentials.
-
-
-
-
-
-Linn Standards Track [Page 42]
-
-RFC 2078 GSS-API January 1997
-
-
- o GSS_S_FAILURE indicates that context setup could not be
- accomplished for reasons unspecified at the GSS-API level, and
- that no interface-defined recovery action is available.
-
- The GSS_Accept_sec_context() routine is used by a context target.
- Using information in the credentials structure referenced by the
- input acceptor_cred_handle, it verifies the incoming input_token and
- (following the successful completion of a context establishment
- sequence) returns the authenticated src_name and the mech_type used.
- The returned src_name is guaranteed to be an MN, processed by the
- mechanism under which the context was established. The
- acceptor_cred_handle must correspond to the same valid credentials
- structure on the initial call to GSS_Accept_sec_context() and on any
- successor calls resulting from GSS_S_CONTINUE_NEEDED status returns;
- different protocol sequences modeled by the GSS_S_CONTINUE_NEEDED
- mechanism will require access to credentials at different points in
- the context establishment sequence.
-
- The input_context_handle argument is 0, specifying "not yet
- assigned", on the first GSS_Accept_sec_context() call relating to a
- given context. If successful (i.e., if accompanied by major_status
- GSS_S_COMPLETE or GSS_S_CONTINUE_NEEDED), and only if successful, the
- initial GSS_Accept_sec_context() call returns a non-zero
- output_context_handle for use in future references to this context.
- Once a non-zero output_context_handle has been returned, GSS-API
- callers should call GSS_Delete_sec_context() to release context-
- related resources if errors occur in later phases of context
- establishment, or when an established context is no longer required.
-
- The chan_bindings argument is used by the caller to provide
- information binding the security context to security-related
- characteristics (e.g., addresses, cryptographic keys) of the
- underlying communications channel. See Section 1.1.6 of this document
- for more discussion of this argument's usage.
-
- The returned state results (deleg_state, mutual_state,
- replay_det_state, sequence_state, anon_state, trans_state, and
- prot_ready_state) reflect the same information as described for
- GSS_Init_sec_context(), and their values are significant under the
- same return state conditions.
-
-
-
-
-
-
-
-
-
-
-
-Linn Standards Track [Page 43]
-
-RFC 2078 GSS-API January 1997
-
-
- The conf_avail return value indicates whether the context supports
- per-message confidentiality services, and so informs the caller
- whether or not a request for encryption through the conf_req_flag
- input to GSS_Wrap() can be honored. In similar fashion, the
- integ_avail return value indicates whether per-message integrity
- services are available (through either GSS_GetMIC() or GSS_Wrap())
- on the established context. These values are significant under the
- same return state conditions as described under
- GSS_Init_sec_context().
-
- The lifetime_rec return value is significant only in conjunction with
- GSS_S_COMPLETE major_status, and indicates the length of time for
- which the context will be valid, expressed as an offset from the
- present.
-
- The mech_type return value indicates the specific mechanism employed
- on the context, is valid only along with major_status GSS_S_COMPLETE,
- and will never indicate the value for "default".
-
- The delegated_cred_handle result is significant only when deleg_state
- is TRUE, and provides a means for the target to reference the
- delegated credentials. The output_token result, when non-NULL,
- provides a context-level token to be returned to the context
- initiator to continue a multi-step context establishment sequence. As
- noted with GSS_Init_sec_context(), any returned token should be
- transferred to the context's peer (in this case, the context
- initiator), independent of the value of the accompanying returned
- major_status.
-
- Note: A target must be able to distinguish a context-level
- input_token, which is passed to GSS_Accept_sec_context(), from the
- per-message data elements passed to GSS_VerifyMIC() or GSS_Unwrap().
- These data elements may arrive in a single application message, and
- GSS_Accept_sec_context() must be performed before per-message
- processing can be performed successfully.
-
-2.2.3: GSS_Delete_sec_context call
-
- Input:
-
- o context_handle CONTEXT HANDLE
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
-
-
-
-Linn Standards Track [Page 44]
-
-RFC 2078 GSS-API January 1997
-
-
- o output_context_token OCTET STRING
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates that the context was recognized, and that
- relevant context-specific information was flushed. If the caller
- provides a non-null buffer to receive an output_context_token, and
- the mechanism returns a non-NULL token into that buffer, the
- returned output_context_token is ready for transfer to the
- context's peer.
-
- o GSS_S_NO_CONTEXT indicates that no valid context was recognized
- for the input context_handle provided, so no deletion was
- performed.
-
- o GSS_S_FAILURE indicates that the context is recognized, but
- that the GSS_Delete_sec_context() operation could not be
- performed for reasons unspecified at the GSS-API level.
-
- This call may block pending network interactions for mech_types in
- which active notification must be made to a central server when a
- security context is to be deleted.
-
- This call can be made by either peer in a security context, to flush
- context-specific information. If a non-null output_context_token
- parameter is provided by the caller, an output_context_token may be
- returned to the caller. If an output_context_token is provided to
- the caller, it can be passed to the context's peer to inform the
- peer's GSS-API implementation that the peer's corresponding context
- information can also be flushed. (Once a context is established, the
- peers involved are expected to retain cached credential and context-
- related information until the information's expiration time is
- reached or until a GSS_Delete_sec_context() call is made.)
-
- The facility for context_token usage to signal context deletion is
- retained for compatibility with GSS-API Version 1. For current
- usage, it is recommended that both peers to a context invoke
- GSS_Delete_sec_context() independently, passing a null
- output_context_token buffer to indicate that no context_token is
- required. Implementations of GSS_Delete_sec_context() should delete
- relevant locally-stored context information.
-
- Attempts to perform per-message processing on a deleted context will
- result in error returns.
-
-
-
-
-
-
-
-Linn Standards Track [Page 45]
-
-RFC 2078 GSS-API January 1997
-
-
-2.2.4: GSS_Process_context_token call
-
- Inputs:
-
- o context_handle CONTEXT HANDLE,
-
- o input_context_token OCTET STRING
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates that the input_context_token was
- successfully processed in conjunction with the context
- referenced by context_handle.
- - o GSS_S_DEFECTIVE_TOKEN indicates that consistency checks - performed on the received context_token failed, preventing - further processing from being performed with that token. - - o GSS_S_NO_CONTEXT indicates that no valid context was recognized - for the input context_handle provided. - - o GSS_S_FAILURE indicates that the context is recognized, but - that the GSS_Process_context_token() operation could not be - performed for reasons unspecified at the GSS-API level. - - This call is used to process context_tokens received from a peer once - a context has been established, with corresponding impact on - context-level state information. One use for this facility is - processing of the context_tokens generated by - GSS_Delete_sec_context(); GSS_Process_context_token() will not block - pending network interactions for that purpose. Another use is to - process tokens indicating remote-peer context establishment failures - after the point where the local GSS-API implementation has already - indicated GSS_S_COMPLETE status. - - - - - - - - - - - -Linn Standards Track [Page 46] - -RFC 2078 GSS-API January 1997 - - -2.2.5: GSS_Context_time call - - Input: - - o context_handle CONTEXT HANDLE, - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o lifetime_rec INTEGER - in seconds, or reserved value for - INDEFINITE - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the referenced context is valid, - and will remain valid for the amount of time indicated in - lifetime_rec. - - o GSS_S_CONTEXT_EXPIRED indicates that data items related to the - referenced context have expired. - - o GSS_S_CREDENTIALS_EXPIRED indicates that the context is - recognized, but that its associated credentials have expired. - - o GSS_S_NO_CONTEXT indicates that no valid context was recognized - for the input context_handle provided. - - o GSS_S_FAILURE indicates that the requested operation failed for - reasons unspecified at the GSS-API level. 
- - This call is used to determine the amount of time for which a - currently established context will remain valid. - -2.2.6: GSS_Inquire_context call - - Input: - - o context_handle CONTEXT HANDLE, - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - - - -Linn Standards Track [Page 47] - -RFC 2078 GSS-API January 1997 - - - o src_name INTERNAL NAME, -- name of context initiator, - -- guaranteed to be MN - - o targ_name INTERNAL NAME, -- name of context target, - -- guaranteed to be MN - - - o lifetime_rec INTEGER -- in seconds, or reserved value for - INDEFINITE, - - o mech_type OBJECT IDENTIFIER, -- the mechanism supporting this - security context - - o deleg_state BOOLEAN, - - o mutual_state BOOLEAN, - - o replay_det_state BOOLEAN, - - o sequence_state BOOLEAN, - - o anon_state BOOLEAN, - - o trans_state BOOLEAN, - - o prot_ready_state BOOLEAN, - - o conf_avail BOOLEAN, - - o integ_avail BOOLEAN, - - o locally_initiated BOOLEAN, -- TRUE if initiator, FALSE if acceptor - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the referenced context is valid - and that src_name, targ_name, lifetime_rec, mech_type, deleg_state, - mutual_state, replay_det_state, sequence_state, anon_state, - trans_state, prot_ready_state, conf_avail, integ_avail, and - locally_initiated return values describe the corresponding - characteristics of the context. - - o GSS_S_CONTEXT_EXPIRED indicates that the provided input - context_handle is recognized, but that the referenced context - has expired. Return values other than major_status and - minor_status are undefined. - - - - - -Linn Standards Track [Page 48] - -RFC 2078 GSS-API January 1997 - - - o GSS_S_NO_CONTEXT indicates that no valid context was recognized - for the input context_handle provided. Return values other than - major_status and minor_status are undefined. - - o GSS_S_FAILURE indicates that the requested operation failed for - reasons unspecified at the GSS-API level. 
Return values other than
- major_status and minor_status are undefined.
-
- This call is used to extract information describing characteristics
- of a security context.
-
-2.2.7: GSS_Wrap_size_limit call
-
- Inputs:
-
- o context_handle CONTEXT HANDLE,
-
- o qop INTEGER,
-
- o output_size INTEGER
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- o max_input_size INTEGER
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates a successful token size determination:
- an input message with a length in octets equal to the
- returned max_input_size value will, when passed to GSS_Wrap()
- for processing on the context identified by the context_handle
- parameter and with the quality of protection specifier provided
- in the qop parameter, yield an output token no larger than the
- value of the provided output_size parameter.
-
- o GSS_S_CONTEXT_EXPIRED indicates that the provided input
- context_handle is recognized, but that the referenced context
- has expired. Return values other than major_status and
- minor_status are undefined.
-
- o GSS_S_NO_CONTEXT indicates that no valid context was recognized
- for the input context_handle provided. Return values other than
- major_status and minor_status are undefined.
-
-
-
-
-Linn Standards Track [Page 49]
-
-RFC 2078 GSS-API January 1997
-
-
- o GSS_S_BAD_QOP indicates that the provided QOP value is not
- recognized or supported for the context.
-
- o GSS_S_FAILURE indicates that the requested operation failed for
- reasons unspecified at the GSS-API level. Return values other than
- major_status and minor_status are undefined.
-
- This call is used to determine the largest input datum which may be
- passed to GSS_Wrap() without yielding an output token larger than a
- caller-specified value.
-
-2.2.8: GSS_Export_sec_context call
-
- Inputs:
-
- o context_handle CONTEXT HANDLE
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- o interprocess_token OCTET STRING
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates that the referenced context has been
- successfully exported to a representation in the interprocess_token,
- and is no longer available for use by the caller.
-
- o GSS_S_UNAVAILABLE indicates that the context export facility
- is not available for use on the referenced context. (This status
- should occur only for contexts for which the trans_state value is
- FALSE.) Return values other than major_status and minor_status are
- undefined.
-
- o GSS_S_CONTEXT_EXPIRED indicates that the provided input
- context_handle is recognized, but that the referenced context has
- expired. Return values other than major_status and minor_status are
- undefined.
-
- o GSS_S_NO_CONTEXT indicates that no valid context was recognized
- for the input context_handle provided. Return values other than
- major_status and minor_status are undefined.
-
-
-
-
-
-
-Linn Standards Track [Page 50]
-
-RFC 2078 GSS-API January 1997
-
-
- o GSS_S_FAILURE indicates that the requested operation failed for
- reasons unspecified at the GSS-API level. Return values other than
- major_status and minor_status are undefined.
-
- This call generates an interprocess token for transfer to another
- process within an end system, in order to transfer control of a
- security context to that process. The recipient of the interprocess
- token will call GSS_Import_sec_context() to accept the transfer. The
- GSS_Export_sec_context() operation is defined for use only with
- security contexts which are fully and successfully established (i.e.,
- those for which GSS_Init_sec_context() and GSS_Accept_sec_context()
- have returned GSS_S_COMPLETE major_status).
-
- To ensure portability, a caller of GSS_Export_sec_context() must not
- assume that a context may continue to be used once it has been
- exported; following export, the context referenced by the
- context_handle cannot be assumed to remain valid. Further, portable
- callers must not assume that a given interprocess token can be
- imported by GSS_Import_sec_context() more than once, thereby creating
- multiple instantiations of a single context. GSS-API implementations
- may detect and reject attempted multiple imports, but are not
- required to do so.
-
- The internal representation contained within the interprocess token
- is an implementation-defined local matter. Interprocess tokens
- cannot be assumed to be transferable across different GSS-API
- implementations.
-
- It is recommended that GSS-API implementations adopt policies suited
- to their operational environments in order to define the set of
- processes eligible to import a context, but specific constraints in
- this area are local matters. Candidate examples include transfers
- between processes operating on behalf of the same user identity, or
- processes comprising a common job. However, it may be impossible to
- enforce such policies in some implementations.
-
- In support of the above goals, implementations may protect the
- transferred context data by using cryptography to protect data within
- the interprocess token, or by using interprocess tokens as a means to
- reference local interprocess communication facilities (protected by
- other means) rather than storing the context data directly within the
- tokens.
-
- Transfer of an open context may, for certain mechanisms and
- implementations, reveal data about the credential which was used to
- establish the context. Callers should, therefore, be cautious about
- the trustworthiness of processes to which they transfer contexts.
- Although the GSS-API implementation may provide its own set of
-
-
-
-Linn Standards Track [Page 51]
-
-RFC 2078 GSS-API January 1997
-
-
- protections over the exported context, the caller is responsible for
- protecting the interprocess token from disclosure, and for taking
- care that the context is transferred to an appropriate destination
- process.
-
-2.2.9: GSS_Import_sec_context call
-
- Inputs:
-
- o interprocess_token OCTET STRING
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- o context_handle CONTEXT HANDLE
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates that the context represented by the
- input interprocess_token has been successfully transferred to
- the caller, and is available for future use via the output
- context_handle.
-
- o GSS_S_CONTEXT_EXPIRED indicates that the context represented by
- the input interprocess_token has expired. Return values other
- than major_status and minor_status are undefined.
-
- o GSS_S_NO_CONTEXT indicates that the context represented by the
- input interprocess_token was invalid. Return values other than
- major_status and minor_status are undefined.
-
- o GSS_S_DEFECTIVE_TOKEN indicates that the input interprocess_token
- was defective. Return values other than major_status and
- minor_status are undefined.
-
- o GSS_S_UNAVAILABLE indicates that the context import facility
- is not available for use on the referenced context. Return values
- other than major_status and minor_status are undefined.
-
- o GSS_S_UNAUTHORIZED indicates that the context represented by
- the input interprocess_token is unauthorized for transfer to the
- caller. Return values other than major_status and minor_status
- are undefined.
-
-
-
-
-
-Linn Standards Track [Page 52]
-
-RFC 2078 GSS-API January 1997
-
-
- o GSS_S_FAILURE indicates that the requested operation failed for
- reasons unspecified at the GSS-API level. Return values other than
- major_status and minor_status are undefined.
-
- This call processes an interprocess token generated by
- GSS_Export_sec_context(), making the transferred context available
- for use by the caller. After a successful GSS_Import_sec_context()
- operation, the imported context is available for use by the importing
- process.
-
- For further discussion of the security and authorization issues
- regarding this call, please see the discussion in Section 2.2.8.
-
-2.3: Per-message calls
-
- This group of calls is used to perform per-message protection
- processing on an established security context. None of these calls
- block pending network interactions. These calls may be invoked by a
- context's initiator or by the context's target. The four members of
- this group should be considered as two pairs; the output from
- GSS_GetMIC() is properly input to GSS_VerifyMIC(), and the output
- from GSS_Wrap() is properly input to GSS_Unwrap().
-
- GSS_GetMIC() and GSS_VerifyMIC() support data origin authentication
- and data integrity services. When GSS_GetMIC() is invoked on an
- input message, it yields a per-message token containing data items
- which allow underlying mechanisms to provide the specified security
- services. The original message, along with the generated per-message
- token, is passed to the remote peer; these two data elements are
- processed by GSS_VerifyMIC(), which validates the message in
- conjunction with the separate token.
-
- GSS_Wrap() and GSS_Unwrap() support caller-requested confidentiality
- in addition to the data origin authentication and data integrity
- services offered by GSS_GetMIC() and GSS_VerifyMIC(). GSS_Wrap()
- outputs a single data element, encapsulating optionally enciphered
- user data as well as associated token data items. The data element
- output from GSS_Wrap() is passed to the remote peer and processed by
- GSS_Unwrap() at that system. GSS_Unwrap() combines decipherment (as
- required) with validation of data items related to authentication and
- integrity.
-
-
-
-
-
-
-
-
-
-
-Linn Standards Track [Page 53]
-
-RFC 2078 GSS-API January 1997
-
-
-2.3.1: GSS_GetMIC call
-
- Note: This call is functionally equivalent to the GSS_Sign call as
- defined in previous versions of this specification. In the interests
- of backward compatibility, it is recommended that implementations
- support this function under both names for the present; future
- references to this function as GSS_Sign are deprecated.
-
- Inputs:
-
- o context_handle CONTEXT HANDLE,
-
- o qop_req INTEGER,-0 specifies default QOP
-
- o message OCTET STRING
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- o per_msg_token OCTET STRING
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates that an integrity check, suitable for an
- established security context, was successfully applied and
- that the message and corresponding per_msg_token are ready
- for transmission.
-
- o GSS_S_CONTEXT_EXPIRED indicates that context-related data
- items have expired, so that the requested operation cannot be
- performed.
-
- o GSS_S_CREDENTIALS_EXPIRED indicates that the context is recognized,
- but that its associated credentials have expired, so
- that the requested operation cannot be performed.
-
- o GSS_S_NO_CONTEXT indicates that no valid context was recognized
- for the input context_handle provided.
-
- o GSS_S_BAD_QOP indicates that the provided QOP value is not
- recognized or supported for the context.
-
- o GSS_S_FAILURE indicates that the context is recognized, but
- that the requested operation could not be performed for
- reasons unspecified at the GSS-API level.
-
-
-
-Linn Standards Track [Page 54]
-
-RFC 2078 GSS-API January 1997
-
-
- Using the security context referenced by context_handle, apply an
- integrity check to the input message (along with timestamps and/or
- other data included in support of mech_type-specific mechanisms) and
- return the result in per_msg_token.
The qop_req parameter,
- interpretation of which is discussed in Section 1.2.4, allows
- quality-of-protection control. The caller passes the message and the
- per_msg_token to the target.
-
- The GSS_GetMIC() function completes before the message and
- per_msg_token is sent to the peer; successful application of
- GSS_GetMIC() does not guarantee that a corresponding GSS_VerifyMIC()
- has been (or can necessarily be) performed successfully when the
- message arrives at the destination.
-
- Mechanisms which do not support per-message protection services
- should return GSS_S_FAILURE if this routine is called.
-
-2.3.2: GSS_VerifyMIC call
-
- Note: This call is functionally equivalent to the GSS_Verify call as
- defined in previous versions of this specification. In the interests
- of backward compatibility, it is recommended that implementations
- support this function under both names for the present; future
- references to this function as GSS_Verify are deprecated.
-
- Inputs:
-
- o context_handle CONTEXT HANDLE,
-
- o message OCTET STRING,
-
- o per_msg_token OCTET STRING
-
- Outputs:
-
- o qop_state INTEGER,
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates that the message was successfully
- verified.
-
-
-
-
-
-
-Linn Standards Track [Page 55]
-
-RFC 2078 GSS-API January 1997
-
-
- o GSS_S_DEFECTIVE_TOKEN indicates that consistency checks performed
- on the received per_msg_token failed, preventing
- further processing from being performed with that token.
-
- o GSS_S_BAD_SIG indicates that the received per_msg_token contains
- an incorrect integrity check for the message.
-
- o GSS_S_DUPLICATE_TOKEN, GSS_S_OLD_TOKEN, GSS_S_UNSEQ_TOKEN,
- and GSS_S_GAP_TOKEN values appear in conjunction with the
- optional per-message replay detection features described
- in Section 1.2.3; their semantics are described in that section.
-
- o GSS_S_CONTEXT_EXPIRED indicates that context-related data
- items have expired, so that the requested operation cannot be
- performed.
-
- o GSS_S_CREDENTIALS_EXPIRED indicates that the context is
- recognized,
- but that its associated credentials have expired, so
- that the requested operation cannot be performed.
-
- o GSS_S_NO_CONTEXT indicates that no valid context was recognized
- for the input context_handle provided.
-
- o GSS_S_FAILURE indicates that the context is recognized, but
- that the GSS_VerifyMIC() operation could not be performed for
- reasons unspecified at the GSS-API level.
-
- Using the security context referenced by context_handle, verify that
- the input per_msg_token contains an appropriate integrity check for
- the input message, and apply any active replay detection or
- sequencing features. Return an indication of the quality-of-
- protection applied to the processed message in the qop_state result.
- Since the GSS_VerifyMIC() routine never provides a confidentiality
- service, its implementations should not return non-zero values in the
- confidentiality fields of the output qop_state.
-
- Mechanisms which do not support per-message protection services
- should return GSS_S_FAILURE if this routine is called.
-
-2.3.3: GSS_Wrap call
-
- Note: This call is functionally equivalent to the GSS_Seal call as
- defined in previous versions of this specification. In the interests
- of backward compatibility, it is recommended that implementations
- support this function under both names for the present; future
- references to this function as GSS_Seal are deprecated. 
-
-
-
-
-Linn Standards Track [Page 56]
-
-RFC 2078 GSS-API January 1997
-
-
- Inputs:
-
- o context_handle CONTEXT HANDLE,
-
- o conf_req_flag BOOLEAN,
-
- o qop_req INTEGER,-0 specifies default QOP
-
- o input_message OCTET STRING
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- o conf_state BOOLEAN,
-
- o output_message OCTET STRING
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates that the input_message was successfully
- processed and that the output_message is ready for
- transmission.
-
- o GSS_S_CONTEXT_EXPIRED indicates that context-related data
- items have expired, so that the requested operation cannot be
- performed.
-
- o GSS_S_CREDENTIALS_EXPIRED indicates that the context is
- recognized,
- but that its associated credentials have expired, so
- that the requested operation cannot be performed.
-
- o GSS_S_NO_CONTEXT indicates that no valid context was recognized
- for the input context_handle provided.
-
- o GSS_S_BAD_QOP indicates that the provided QOP value is not
- recognized or supported for the context.
-
- o GSS_S_FAILURE indicates that the context is recognized, but
- that the GSS_Wrap() operation could not be performed for
- reasons unspecified at the GSS-API level.
-
- Performs the data origin authentication and data integrity functions
- of GSS_GetMIC(). If the input conf_req_flag is TRUE, requests that
- confidentiality be applied to the input_message. Confidentiality may
-
-
-
-Linn Standards Track [Page 57]
-
-RFC 2078 GSS-API January 1997
-
-
- not be supported in all mech_types or by all implementations; the
- returned conf_state flag indicates whether confidentiality was
- provided for the input_message. The qop_req parameter, interpretation
- of which is discussed in Section 1.2.4, allows quality-of-protection
- control.
-
- In all cases, the GSS_Wrap() call yields a single output_message
- data element containing (optionally enciphered) user data as well as
- control information. 
-
- Mechanisms which do not support per-message protection services
- should return GSS_S_FAILURE if this routine is called.
-
-2.3.4: GSS_Unwrap call
-
- Note: This call is functionally equivalent to the GSS_Unseal call as
- defined in previous versions of this specification. In the interests
- of backward compatibility, it is recommended that implementations
- support this function under both names for the present; future
- references to this function as GSS_Unseal are deprecated.
-
- Inputs:
-
- o context_handle CONTEXT HANDLE,
-
- o input_message OCTET STRING
-
- Outputs:
-
- o conf_state BOOLEAN,
-
- o qop_state INTEGER,
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- o output_message OCTET STRING
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates that the input_message was
- successfully processed and that the resulting output_message is
- available.
-
- o GSS_S_DEFECTIVE_TOKEN indicates that consistency checks performed
- on the per_msg_token extracted from the input_message
- failed, preventing further processing from being performed.
-
-
-
-Linn Standards Track [Page 58]
-
-RFC 2078 GSS-API January 1997
-
-
- o GSS_S_BAD_SIG indicates that an incorrect integrity check was
- detected
- for the message.
-
- o GSS_S_DUPLICATE_TOKEN, GSS_S_OLD_TOKEN, GSS_S_UNSEQ_TOKEN,
- and GSS_S_GAP_TOKEN values appear in conjunction with the
- optional per-message replay detection features described
- in Section 1.2.3; their semantics are described in that section.
-
- o GSS_S_CONTEXT_EXPIRED indicates that context-related data
- items have expired, so that the requested operation cannot be
- performed.
-
- o GSS_S_CREDENTIALS_EXPIRED indicates that the context is
- recognized,
- but that its associated credentials have expired, so
- that the requested operation cannot be performed.
-
- o GSS_S_NO_CONTEXT indicates that no valid context was recognized
- for the input context_handle provided. 
-
- o GSS_S_FAILURE indicates that the context is recognized, but
- that the GSS_Unwrap() operation could not be performed for
- reasons unspecified at the GSS-API level.
-
- Processes a data element generated (and optionally enciphered) by
- GSS_Wrap(), provided as input_message. The returned conf_state value
- indicates whether confidentiality was applied to the input_message.
- If conf_state is TRUE, GSS_Unwrap() deciphers the input_message.
- Returns an indication of the quality-of-protection applied to the
- processed message in the qop_state result. GSS_Wrap() performs the
- data integrity and data origin authentication checking functions of
- GSS_VerifyMIC() on the plaintext data. Plaintext data is returned in
- output_message.
-
- Mechanisms which do not support per-message protection services
- should return GSS_S_FAILURE if this routine is called.
-
-2.4: Support calls
-
- This group of calls provides support functions useful to GSS-API
- callers, independent of the state of established contexts. Their
- characterization with regard to blocking or non-blocking status in
- terms of network interactions is unspecified.
-
-
-
-
-
-
-
-Linn Standards Track [Page 59]
-
-RFC 2078 GSS-API January 1997
-
-
-2.4.1: GSS_Display_status call
-
- Inputs:
-
- o status_value INTEGER,-GSS-API major_status or minor_status
- return value
-
- o status_type INTEGER,-1 if major_status, 2 if minor_status
-
- o mech_type OBJECT IDENTIFIER-mech_type to be used for minor_
- status translation
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- o status_string_set SET OF OCTET STRING
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates that a valid printable status
- representation (possibly representing more than one status event
- encoded within the status_value) is available in the returned
- status_string_set. 
-
- o GSS_S_BAD_MECH indicates that translation in accordance with an
- unsupported mech_type was requested, so translation could not
- be performed.
-
- o GSS_S_BAD_STATUS indicates that the input status_value was
- invalid, or that the input status_type carried a value other
- than 1 or 2, so translation could not be performed.
-
- o GSS_S_FAILURE indicates that the requested operation could not
- be performed for reasons unspecified at the GSS-API level.
-
- Provides a means for callers to translate GSS-API-returned major and
- minor status codes into printable string representations.
-
-2.4.2: GSS_Indicate_mechs call
-
- Input:
-
- o (none)
-
-
-
-
-
-Linn Standards Track [Page 60]
-
-RFC 2078 GSS-API January 1997
-
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- o mech_set SET OF OBJECT IDENTIFIER
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates that a set of available mechanisms has
- been returned in mech_set.
-
- o GSS_S_FAILURE indicates that the requested operation could not
- be performed for reasons unspecified at the GSS-API level.
-
- Allows callers to determine the set of mechanism types available on
- the local system. This call is intended for support of specialized
- callers who need to request non-default mech_type sets from
- GSS_Acquire_cred(), and should not be needed by other callers.
-
-2.4.3: GSS_Compare_name call
-
- Inputs:
-
- o name1 INTERNAL NAME,
-
- o name2 INTERNAL NAME
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- o name_equal BOOLEAN
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates that name1 and name2 were comparable,
- and that the name_equal result indicates whether name1 and
- name2 represent the same entity. 
-
- o GSS_S_BAD_NAMETYPE indicates that one or both of name1 and
- name2 contained internal type specifiers uninterpretable
- by the applicable underlying GSS-API mechanism(s), or that
- the two names' types are different and incomparable, so that
- the comparison operation could not be completed.
-
-
-
-Linn Standards Track [Page 61]
-
-RFC 2078 GSS-API January 1997
-
-
- o GSS_S_BAD_NAME indicates that one or both of the input names
- was ill-formed in terms of its internal type specifier, so
- the comparison operation could not be completed.
-
- o GSS_S_FAILURE indicates that the call's operation could not
- be performed for reasons unspecified at the GSS-API level.
-
- Allows callers to compare two internal name representations to
- determine whether they refer to the same entity. If either name
- presented to GSS_Compare_name() denotes an anonymous principal,
- GSS_Compare_name() shall indicate FALSE. It is not required that
- either or both inputs name1 and name2 be MNs; for some
- implementations and cases, GSS_S_BAD_NAMETYPE may be returned,
- indicating name incomparability, for the case where neither input
- name is an MN.
-
-2.4.4: GSS_Display_name call
-
- Inputs:
-
- o name INTERNAL NAME
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- o name_string OCTET STRING,
-
- o name_type OBJECT IDENTIFIER
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates that a valid printable name
- representation is available in the returned name_string.
-
- o GSS_S_BAD_NAMETYPE indicates that the provided name was of a
- type uninterpretable by the applicable underlying GSS-API
- mechanism(s), so no printable representation could be generated.
-
- o GSS_S_BAD_NAME indicates that the contents of the provided name
- were inconsistent with the internally-indicated name type, so
- no printable representation could be generated. 
-
- o GSS_S_FAILURE indicates that the requested operation could not
- be performed for reasons unspecified at the GSS-API level.
-
-
-
-
-Linn Standards Track [Page 62]
-
-RFC 2078 GSS-API January 1997
-
-
- Allows callers to translate an internal name representation into a
- printable form with associated namespace type descriptor. The syntax
- of the printable form is a local matter.
-
- If the input name represents an anonymous identity, a reserved value
- (GSS_C_NT_ANONYMOUS) shall be returned for name_type.
-
-2.4.5: GSS_Import_name call
-
- Inputs:
-
- o input_name_string OCTET STRING,
-
- o input_name_type OBJECT IDENTIFIER
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- o output_name INTERNAL NAME
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates that a valid name representation is
- output in output_name and described by the type value in
- output_name_type.
-
- o GSS_S_BAD_NAMETYPE indicates that the input_name_type is unsupported
- by the applicable underlying GSS-API mechanism(s), so the import
- operation could not be completed.
-
- o GSS_S_BAD_NAME indicates that the provided input_name_string
- is ill-formed in terms of the input_name_type, so the import
- operation could not be completed.
-
- o GSS_S_FAILURE indicates that the requested operation could not
- be performed for reasons unspecified at the GSS-API level.
-
- Allows callers to provide a name representation as a contiguous octet
- string, designate the type of namespace in conjunction with which it
- should be parsed, and convert that representation to an internal form
- suitable for input to other GSS-API routines. The syntax of the
- input_name_string is defined in conjunction with its associated name
- type; depending on the input_name_type, the associated
- input_name_string may or may not be a printable string. 
Note: The
- input_name_type argument serves to describe and qualify the
-
-
-
-Linn Standards Track [Page 63]
-
-RFC 2078 GSS-API January 1997
-
-
- interpretation of the associated input_name_string; it does not
- specify the data type of the returned output_name.
-
- If a mechanism claims support for a particular name type, its
- GSS_Import_name() operation shall be able to accept all possible
- values conformant to the external name syntax as defined for that
- name type. These imported values may correspond to:
-
- (1) locally registered entities (for which credentials may be
- acquired),
-
- (2) non-local entities (for which local credentials cannot be
- acquired, but which may be referenced as targets of initiated
- security contexts or initiators of accepted security contexts), or
- to
-
- (3) neither of the above.
-
- Determination of whether a particular name belongs to class (1), (2),
- or (3) as described above is not guaranteed to be performed by the
- GSS_Import_name() function.
-
- The internal name generated by a GSS_Import_name() operation may be a
- single-mechanism MN, and is likely to be an MN within a single-
- mechanism implementation, but portable callers must not depend on
- this property (and must not, therefore, assume that the output from
- GSS_Import_name() can be passed directly to GSS_Export_name() without
- first being processed through GSS_Canonicalize_name()).
-
-2.4.6: GSS_Release_name call
-
- Inputs:
-
- o name INTERNAL NAME
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates that the storage associated with the
- input name was successfully released.
-
- o GSS_S_BAD_NAME indicates that the input name argument did not
- contain a valid name.
-
-
-
-Linn Standards Track [Page 64]
-
-RFC 2078 GSS-API January 1997
-
-
- o GSS_S_FAILURE indicates that the requested operation could not
- be performed for reasons unspecified at the GSS-API level. 
-
- Allows callers to release the storage associated with an internal
- name representation. This call's specific behavior depends on the
- language and programming environment within which a GSS-API
- implementation operates, and is therefore detailed within applicable
- bindings specifications; in particular, this call may be superfluous
- within bindings where memory management is automatic.
-
-2.4.7: GSS_Release_buffer call
-
- Inputs:
-
- o buffer OCTET STRING
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates that the storage associated with the
- input buffer was successfully released.
-
- o GSS_S_FAILURE indicates that the requested operation could not
- be performed for reasons unspecified at the GSS-API level.
-
- Allows callers to release the storage associated with an OCTET STRING
- buffer allocated by another GSS-API call. This call's specific
- behavior depends on the language and programming environment within
- which a GSS-API implementation operates, and is therefore detailed
- within applicable bindings specifications; in particular, this call
- may be superfluous within bindings where memory management is
- automatic.
-
-2.4.8: GSS_Release_OID_set call
-
- Inputs:
-
- o buffer SET OF OBJECT IDENTIFIER
-
- Outputs:
-
- o major_status INTEGER,
-
-
-
-
-Linn Standards Track [Page 65]
-
-RFC 2078 GSS-API January 1997
-
-
- o minor_status INTEGER
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates that the storage associated with the
- input object identifier set was successfully released.
-
- o GSS_S_FAILURE indicates that the requested operation could not
- be performed for reasons unspecified at the GSS-API level.
-
- Allows callers to release the storage associated with an object
- identifier set object allocated by another GSS-API call. 
This call's
- specific behavior depends on the language and programming environment
- within which a GSS-API implementation operates, and is therefore
- detailed within applicable bindings specifications; in particular,
- this call may be superfluous within bindings where memory management
- is automatic.
-
-2.4.9: GSS_Create_empty_OID_set call
-
- Inputs:
-
- o (none)
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- o oid_set SET OF OBJECT IDENTIFIER
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates successful completion
-
- o GSS_S_FAILURE indicates that the operation failed
-
- Creates an object identifier set containing no object identifiers, to
- which members may be subsequently added using the
- GSS_Add_OID_set_member() routine. These routines are intended to be
- used to construct sets of mechanism object identifiers, for input to
- GSS_Acquire_cred().
-
-
-
-
-
-
-
-
-Linn Standards Track [Page 66]
-
-RFC 2078 GSS-API January 1997
-
-
-2.4.10: GSS_Add_OID_set_member call
-
- Inputs:
-
- o member_oid OBJECT IDENTIFIER,
-
- o oid_set SET OF OBJECT IDENTIFIER
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates successful completion
-
- o GSS_S_FAILURE indicates that the operation failed
-
- Adds an Object Identifier to an Object Identifier set. This routine
- is intended for use in conjunction with GSS_Create_empty_OID_set()
- when constructing a set of mechanism OIDs for input to
- GSS_Acquire_cred(). 
-
-2.4.11: GSS_Test_OID_set_member call
-
- Inputs:
-
- o member OBJECT IDENTIFIER,
-
- o set SET OF OBJECT IDENTIFIER
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- o present BOOLEAN
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates successful completion
-
- o GSS_S_FAILURE indicates that the operation failed
-
-
-
-
-
-Linn Standards Track [Page 67]
-
-RFC 2078 GSS-API January 1997
-
-
- Interrogates an Object Identifier set to determine whether a
- specified Object Identifier is a member. This routine is intended to
- be used with OID sets returned by GSS_Indicate_mechs(),
- GSS_Acquire_cred(), and GSS_Inquire_cred().
-
-2.4.12: GSS_Release_OID call
-
- Inputs:
-
- o oid OBJECT IDENTIFIER
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates successful completion
-
- o GSS_S_FAILURE indicates that the operation failed
-
- Allows the caller to release the storage associated with an OBJECT
- IDENTIFIER buffer allocated by another GSS-API call. This call's
- specific behavior depends on the language and programming environment
- within which a GSS-API implementation operates, and is therefore
- detailed within applicable bindings specifications; in particular,
- this call may be superfluous within bindings where memory management
- is automatic.
-
-2.4.13: GSS_OID_to_str call
-
- Inputs:
-
- o oid OBJECT IDENTIFIER
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- o oid_str OCTET STRING
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates successful completion
-
-
-
-Linn Standards Track [Page 68]
-
-RFC 2078 GSS-API January 1997
-
-
- o GSS_S_FAILURE indicates that the operation failed
-
- The function GSS_OID_to_str() returns a string representing the input
- OID in numeric ASN.1 syntax format (curly-brace enclosed, space-
- delimited, e.g., "{2 16 840 1 113687 1 2 1}"). 
The string is - releasable using GSS_Release_buffer(). If the input "oid" does not - represent a syntactically valid object identifier, GSS_S_FAILURE - status is returned and the returned oid_str result is NULL. - -2.4.14: GSS_Str_to_OID call - - Inputs: - - o oid_str OCTET STRING - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o oid OBJECT IDENTIFIER - - Return major_status codes: - - o GSS_S_COMPLETE indicates successful completion - - o GSS_S_FAILURE indicates that the operation failed - - The function GSS_Str_to_OID() constructs and returns an OID from its - printable form; implementations should be able to accept the numeric - ASN.1 syntax form as described for GSS_OID_to_str(), and this form - should be used for portability, but implementations of this routine - may also accept other formats (e.g., "1.2.3.3"). The OID is suitable - for release using the function GSS_Release_OID(). If the input - oid_str cannot be translated into an OID, GSS_S_FAILURE status is - returned and the "oid" result is NULL. - -2.4.15: GSS_Inquire_names_for_mech call - - Input: - - o input_mech_type OBJECT IDENTIFIER, -- mechanism type - - Outputs: - - o major_status INTEGER, - - - - -Linn Standards Track [Page 69] - -RFC 2078 GSS-API January 1997 - - - o minor_status INTEGER, - - o name_type_set SET OF OBJECT IDENTIFIER - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the output name_type_set contains - a list of name types which are supported by the locally available - mechanism identified by input_mech_type. - - o GSS_S_BAD_MECH indicates that the mechanism identified by - input_mech_type was unsupported within the local implementation, - causing the query to fail. - - o GSS_S_FAILURE indicates that the requested operation could not - be performed for reasons unspecified at the GSS-API level. - - Allows callers to determine the set of name types which are - supportable by a specific locally-available mechanism. 
- -2.4.16: GSS_Inquire_mechs_for_name call - - Inputs: - - o input_name INTERNAL NAME, - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o mech_types SET OF OBJECT IDENTIFIER - - Return major_status codes: - - o GSS_S_COMPLETE indicates that a set of object identifiers, - corresponding to the set of mechanisms suitable for processing - the input_name, is available in mech_types. - - o GSS_S_BAD_NAME indicates that the input_name could not be - processed. - - o GSS_S_BAD_NAMETYPE indicates that the type of the input_name - is unsupported by the GSS-API implementation. - - o GSS_S_FAILURE indicates that the requested operation could not - be performed for reasons unspecified at the GSS-API level. - - - -Linn Standards Track [Page 70] - -RFC 2078 GSS-API January 1997 - - - This routine returns the mechanism set with which the input_name may - be processed. After use, the mech_types object should be freed by - the caller via the GSS_Release_OID_set() call. Note: it is - anticipated that implementations of GSS_Inquire_mechs_for_name() will - commonly operate based on type information describing the - capabilities of available mechanisms; it is not guaranteed that all - identified mechanisms will necessarily be able to canonicalize (via - GSS_Canonicalize_name()) a particular name. - -2.4.17: GSS_Canonicalize_name call - - Inputs: - - o input_name INTERNAL NAME, - - o mech_type OBJECT IDENTIFIER -- must be explicit mechanism, - not "default" specifier - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o output_name INTERNAL NAME - - Return major_status codes: - - o GSS_S_COMPLETE indicates that a mechanism-specific reduction of - the input_name, as processed by the mechanism identified by - mech_type, is available in output_name. - - o GSS_S_BAD_MECH indicates that the identified mechanism is - unsupported. 
- - o GSS_S_BAD_NAMETYPE indicates that the input name does not - contain an element with suitable type for processing by the - identified mechanism. - - o GSS_S_BAD_NAME indicates that the input name contains an - element with suitable type for processing by the identified - mechanism, but that this element could not be processed - successfully. - - o GSS_S_FAILURE indicates that the requested operation could not - be performed for reasons unspecified at the GSS-API level. - - - - - -Linn Standards Track [Page 71] - -RFC 2078 GSS-API January 1997 - - - This routine reduces a GSS-API internal name, which may in general - contain elements corresponding to multiple mechanisms, to a - mechanism-specific Mechanism Name (MN) by applying the translations - corresponding to the mechanism identified by mech_type. - -2.4.18: GSS_Export_name call - - Inputs: - - o input_name INTERNAL NAME, -- required to be MN - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o output_name OCTET STRING - - Return major_status codes: - - o GSS_S_COMPLETE indicates that a flat representation of the - input name is available in output_name. - - o GSS_S_NAME_NOT_MN indicates that the input name contained - elements corresponding to multiple mechanisms, so cannot - be exported into a single-mechanism flat form. - - o GSS_S_BAD_NAME indicates that the input name was an MN, - but could not be processed. - - o GSS_S_BAD_NAMETYPE indicates that the input name was an MN, - but that its type is unsupported by the GSS-API implementation. - - o GSS_S_FAILURE indicates that the requested operation could not - be performed for reasons unspecified at the GSS-API level. - - This routine creates a flat name representation, suitable for - bytewise comparison or for input to GSS_Import_name() in conjunction - with the reserved GSS-API Exported Name Object OID, from a internal- - form Mechanism Name (MN) as emitted, e.g., by GSS_Canonicalize_name() - or GSS_Accept_sec_context(). 
-
- The emitted GSS-API Exported Name Object is self-describing; no
- associated parameter-level OID need be emitted by this call. This
- flat representation consists of a mechanism-independent wrapper
- layer, defined in Section 3.2 of this document, enclosing a
- mechanism-defined name representation.
-
-
-
-Linn Standards Track [Page 72]
-
-RFC 2078 GSS-API January 1997
-
-
- In all cases, the flat name output by GSS_Export_name() to correspond
- to a particular input MN must be invariant over time within a
- particular installation.
-
- The GSS_S_NAME_NOT_MN status code is provided to enable
- implementations to reject input names which are not MNs. It is not,
- however, required for purposes of conformance to this specification
- that all non-MN input names must necessarily be rejected.
-
-2.4.19: GSS_Duplicate_name call
-
- Inputs:
-
- o src_name INTERNAL NAME
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- o dest_name INTERNAL NAME
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates that dest_name references an internal
- name object containing the same name as passed to src_name.
-
- o GSS_S_BAD_NAME indicates that the input name was invalid.
-
- o GSS_S_BAD_NAMETYPE indicates that the input name's type
- is unsupported by the GSS-API implementation.
-
- o GSS_S_FAILURE indicates that the requested operation could not
- be performed for reasons unspecified at the GSS-API level.
-
- This routine takes input internal name src_name, and returns another
- reference (dest_name) to that name which can be used even if src_name
- is later freed. (Note: This may be implemented by copying or through
- use of reference counts.)
-
-3: Data Structure Definitions for GSS-V2 Usage
-
- Subsections of this section define, for interoperability and
- portability purposes, certain data structures for use with GSS-V2. 
- - - - - - -Linn Standards Track [Page 73] - -RFC 2078 GSS-API January 1997 - - -3.1: Mechanism-Independent Token Format - - This section specifies a mechanism-independent level of encapsulating - representation for the initial token of a GSS-API context - establishment sequence, incorporating an identifier of the mechanism - type to be used on that context and enabling tokens to be interpreted - unambiguously at GSS-API peers. Use of this format is required for - initial context establishment tokens of Internet standards-track - GSS-API mechanisms; use in non-initial tokens is optional. - - The encoding format for the token tag is derived from ASN.1 and DER - (per illustrative ASN.1 syntax included later within this - subsection), but its concrete representation is defined directly in - terms of octets rather than at the ASN.1 level in order to facilitate - interoperable implementation without use of general ASN.1 processing - code. The token tag consists of the following elements, in order: - - 1. 0x60 -- Tag for [APPLICATION 0] SEQUENCE; indicates that - constructed form, definite length encoding follows. - - 2. Token length octets, specifying length of subsequent data - (i.e., the summed lengths of elements 3-5 in this list, and of the - mechanism-defined token object following the tag). This element - comprises a variable number of octets: - - 2a. If the indicated value is less than 128, it shall be - represented in a single octet with bit 8 (high order) set to "0" - and the remaining bits representing the value. - - 2b. If the indicated value is 128 or more, it shall be represented - in two or more octets, with bit 8 of the first octet set to "1" - and the remaining bits of the first octet specifying the number of - additional octets. The subsequent octets carry the value, 8 bits - per octet, most significant digit first. 
The minimum number of - octets shall be used to encode the length (i.e., no octets - representing leading zeros shall be included within the length - encoding). - - 3. 0x06 -- Tag for OBJECT IDENTIFIER - - 4. Object identifier length -- length (number of octets) of the - encoded object identifier contained in element 5, encoded per - rules as described in 2a. and 2b. above. - - 5. Object identifier octets -- variable number of octets, encoded - per ASN.1 BER rules: - - - - - -Linn Standards Track [Page 74] - -RFC 2078 GSS-API January 1997 - - - 5a. The first octet contains the sum of two values: (1) the top- - level object identifier component, multiplied by 40 (decimal), and - (2) the second-level object identifier component. This special - case is the only point within an object identifier encoding where - a single octet represents contents of more than one component. - - 5b. Subsequent octets, if required, encode successively-lower - components in the represented object identifier. A component's - encoding may span multiple octets, encoding 7 bits per octet (most - significant bits first) and with bit 8 set to "1" on all but the - final octet in the component's encoding. The minimum number of - octets shall be used to encode each component (i.e., no octets - representing leading zeros shall be included within a component's - encoding). - - (Note: In many implementations, elements 3-5 may be stored and - referenced as a contiguous string constant.) - - The token tag is immediately followed by a mechanism-defined token - object. Note that no independent size specifier intervenes following - the object identifier value to indicate the size of the mechanism- - defined token object. While ASN.1 usage within mechanism-defined - tokens is permitted, there is no requirement that the mechanism- - specific innerContextToken, innerMsgToken, and sealedUserData data - elements must employ ASN.1 BER/DER encoding conventions. 
- - - - - - - - - - - - - - - - - - - - - - - - - - -Linn Standards Track [Page 75] - -RFC 2078 GSS-API January 1997 - - - The following ASN.1 syntax is included for descriptive purposes only, - to illustrate structural relationships among token and tag objects. - For interoperability purposes, token and tag encoding shall be - performed using the concrete encoding procedures described earlier in - this subsection. - - GSS-API DEFINITIONS ::= - - BEGIN - - MechType ::= OBJECT IDENTIFIER - -- data structure definitions - - -- callers must be able to distinguish among - -- InitialContextToken, SubsequentContextToken, - -- PerMsgToken, and SealedMessage data elements - -- based on the usage in which they occur - - InitialContextToken ::= - -- option indication (delegation, etc.) indicated within - -- mechanism-specific token - [APPLICATION 0] IMPLICIT SEQUENCE { - thisMech MechType, - innerContextToken ANY DEFINED BY thisMech - -- contents mechanism-specific - -- ASN.1 structure not required - } - - SubsequentContextToken ::= innerContextToken ANY - -- interpretation based on predecessor InitialContextToken - -- ASN.1 structure not required - - PerMsgToken ::= - -- as emitted by GSS_GetMIC and processed by GSS_VerifyMIC - -- ASN.1 structure not required - innerMsgToken ANY - - SealedMessage ::= - -- as emitted by GSS_Wrap and processed by GSS_Unwrap - -- includes internal, mechanism-defined indicator - -- of whether or not encrypted - -- ASN.1 structure not required - sealedUserData ANY - - END - - - - - - -Linn Standards Track [Page 76] - -RFC 2078 GSS-API January 1997 - - -3.2: Mechanism-Independent Exported Name Object Format - - This section specifies a mechanism-independent level of encapsulating - representation for names exported via the GSS_Export_name() call, - including an object identifier representing the exporting mechanism. - The format of names encapsulated via this representation shall be - defined within individual mechanism drafts. 
Name objects of this - type will be identified with the following Object Identifier: - - {1(iso), 3(org), 6(dod), 1(internet), 5(security), 6(nametypes), - 4(gss-api-exported-name)} - - No name type OID is included in this mechanism-independent level of - format definition, since (depending on individual mechanism - specifications) the enclosed name may be implicitly typed or may be - explicitly typed using a means other than OID encoding. - - Length Name Description - - 2 TOK_ID Token Identifier - For exported name objects, this - must be hex 04 01. - 2 MECH_OID_LEN Length of the Mechanism OID - MECH_OID_LEN MECH_OID Mechanism OID, in DER - 4 NAME_LEN Length of name - NAME_LEN NAME Exported name; format defined in - applicable mechanism draft. - -4: Name Type Definitions - - This section includes definitions for name types and associated - syntaxes which are defined in a mechanism-independent fashion at the - GSS-API level rather than being defined in individual mechanism - specifications. - -4.1: Host-Based Service Name Form - - The following Object Identifier value is provided as a means to - identify this name form: - - {1(iso), 3(org), 6(dod), 1(internet), 5(security), 6(nametypes), - 2(gss-host-based-services)} - - The recommended symbolic name for this type is - "GSS_C_NT_HOSTBASED_SERVICE". - - - - - - -Linn Standards Track [Page 77] - -RFC 2078 GSS-API January 1997 - - - This name type is used to represent services associated with host - computers. This name form is constructed using two elements, - "service" and "hostname", as follows: - - service@hostname - - When a reference to a name of this type is resolved, the "hostname" - is canonicalized by attempting a DNS lookup and using the fully- - qualified domain name which is returned, or by using the "hostname" - as provided if the DNS lookup fails. The canonicalization operation - also maps the host's name into lower-case characters. - - The "hostname" element may be omitted. 
If no "@" separator is - included, the entire name is interpreted as the service specifier, - with the "hostname" defaulted to the canonicalized name of the local - host. - - Values for the "service" element are registered with the IANA. - -4.2: User Name Form - - This name form shall be represented by the Object Identifier {iso(1) - member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) - generic(1) user_name(1)}. The recommended mechanism-independent - symbolic name for this type is "GSS_C_NT_USER_NAME". (Note: the same - name form and OID is defined within the Kerberos V5 GSS-API - mechanism, but the symbolic name recommended there begins with a - "GSS_KRB5_NT_" prefix.) - - This name type is used to indicate a named user on a local system. - Its interpretation is OS-specific. This name form is constructed as: - - username - -4.3: Machine UID Form - - This name form shall be represented by the Object Identifier {iso(1) - member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) - generic(1) machine_uid_name(2)}. The recommended mechanism- - independent symbolic name for this type is - "GSS_C_NT_MACHINE_UID_NAME". (Note: the same name form and OID is - defined within the Kerberos V5 GSS-API mechanism, but the symbolic - name recommended there begins with a "GSS_KRB5_NT_" prefix.) - - This name type is used to indicate a numeric user identifier - corresponding to a user on a local system. Its interpretation is - OS-specific. The gss_buffer_desc representing a name of this type - should contain a locally-significant uid_t, represented in host byte - - - -Linn Standards Track [Page 78] - -RFC 2078 GSS-API January 1997 - - - order. The GSS_Import_name() operation resolves this uid into a - username, which is then treated as the User Name Form. - -4.4: String UID Form - - This name form shall be represented by the Object Identifier {iso(1) - member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) - generic(1) string_uid_name(3)}. 
The recommended symbolic name for - this type is "GSS_C_NT_STRING_UID_NAME". (Note: the same name form - and OID is defined within the Kerberos V5 GSS-API mechanism, but the - symbolic name recommended there begins with a "GSS_KRB5_NT_" prefix.) - - This name type is used to indicate a string of digits representing - the numeric user identifier of a user on a local system. Its - interpretation is OS-specific. This name type is similar to the - Machine UID Form, except that the buffer contains a string - representing the uid_t. - -5: Mechanism-Specific Example Scenarios - - This section provides illustrative overviews of the use of various - candidate mechanism types to support the GSS-API. These discussions - are intended primarily for readers familiar with specific security - technologies, demonstrating how GSS-API functions can be used and - implemented by candidate underlying mechanisms. They should not be - regarded as constrictive to implementations or as defining the only - means through which GSS-API functions can be realized with a - particular underlying technology, and do not demonstrate all GSS-API - features with each technology. - -5.1: Kerberos V5, single-TGT - - OS-specific login functions yield a TGT to the local realm Kerberos - server; TGT is placed in a credentials structure for the client. - Client calls GSS_Acquire_cred() to acquire a cred_handle in order to - reference the credentials for use in establishing security contexts. - - Client calls GSS_Init_sec_context(). If the requested service is - located in a different realm, GSS_Init_sec_context() gets the - necessary TGT/key pairs needed to traverse the path from local to - target realm; these data are placed in the owner's TGT cache. After - any needed remote realm resolution, GSS_Init_sec_context() yields a - service ticket to the requested service with a corresponding session - key; these data are stored in conjunction with the context. 
GSS-API - code sends KRB_TGS_REQ request(s) and receives KRB_TGS_REP - response(s) (in the successful case) or KRB_ERROR. - - - - - -Linn Standards Track [Page 79] - -RFC 2078 GSS-API January 1997 - - - Assuming success, GSS_Init_sec_context() builds a Kerberos-formatted - KRB_AP_REQ message, and returns it in output_token. The client sends - the output_token to the service. - - The service passes the received token as the input_token argument to - GSS_Accept_sec_context(), which verifies the authenticator, provides - the service with the client's authenticated name, and returns an - output_context_handle. - - Both parties now hold the session key associated with the service - ticket, and can use this key in subsequent GSS_GetMIC(), - GSS_VerifyMIC(), GSS_Wrap(), and GSS_Unwrap() operations. - -5.2: Kerberos V5, double-TGT - - TGT acquisition as above. - - Note: To avoid unnecessary frequent invocations of error paths when - implementing the GSS-API atop Kerberos V5, it seems appropriate to - represent "single-TGT K-V5" and "double-TGT K-V5" with separate - mech_types, and this discussion makes that assumption. - - Based on the (specified or defaulted) mech_type, - GSS_Init_sec_context() determines that the double-TGT protocol - should be employed for the specified target. GSS_Init_sec_context() - returns GSS_S_CONTINUE_NEEDED major_status, and its returned - output_token contains a request to the service for the service's TGT. - (If a service TGT with suitably long remaining lifetime already - exists in a cache, it may be usable, obviating the need for this - step.) The client passes the output_token to the service. Note: this - scenario illustrates a different use for the GSS_S_CONTINUE_NEEDED - status return facility than for support of mutual authentication; - note that both uses can coexist as successive operations within a - single context establishment operation. 
- - The service passes the received token as the input_token argument to - GSS_Accept_sec_context(), which recognizes it as a request for TGT. - (Note that current Kerberos V5 defines no intra-protocol mechanism to - represent such a request.) GSS_Accept_sec_context() returns - GSS_S_CONTINUE_NEEDED major_status and provides the service's TGT in - its output_token. The service sends the output_token to the client. - - The client passes the received token as the input_token argument to a - continuation of GSS_Init_sec_context(). GSS_Init_sec_context() caches - the received service TGT and uses it as part of a service ticket - request to the Kerberos authentication server, storing the returned - service ticket and session key in conjunction with the context. - GSS_Init_sec_context() builds a Kerberos-formatted authenticator, - - - -Linn Standards Track [Page 80] - -RFC 2078 GSS-API January 1997 - - - and returns it in output_token along with GSS_S_COMPLETE return - major_status. The client sends the output_token to the service. - - Service passes the received token as the input_token argument to a - continuation call to GSS_Accept_sec_context(). - GSS_Accept_sec_context() verifies the authenticator, provides the - service with the client's authenticated name, and returns - major_status GSS_S_COMPLETE. - - GSS_GetMIC(), GSS_VerifyMIC(), GSS_Wrap(), and GSS_Unwrap() as - above. - -5.3: X.509 Authentication Framework - - This example illustrates use of the GSS-API in conjunction with - public-key mechanisms, consistent with the X.509 Directory - Authentication Framework. - - The GSS_Acquire_cred() call establishes a credentials structure, - making the client's private key accessible for use on behalf of the - client. - - The client calls GSS_Init_sec_context(), which interrogates the - Directory to acquire (and validate) a chain of public-key - certificates, thereby collecting the public key of the service. 
The - certificate validation operation determines that suitable integrity - checks were applied by trusted authorities and that those - certificates have not expired. GSS_Init_sec_context() generates a - secret key for use in per-message protection operations on the - context, and enciphers that secret key under the service's public - key. - - The enciphered secret key, along with an authenticator quantity - signed with the client's private key, is included in the output_token - from GSS_Init_sec_context(). The output_token also carries a - certification path, consisting of a certificate chain leading from - the service to the client; a variant approach would defer this path - resolution to be performed by the service instead of being asserted - by the client. The client application sends the output_token to the - service. - - The service passes the received token as the input_token argument to - GSS_Accept_sec_context(). GSS_Accept_sec_context() validates the - certification path, and as a result determines a certified binding - between the client's distinguished name and the client's public key. - Given that public key, GSS_Accept_sec_context() can process the - input_token's authenticator quantity and verify that the client's - private key was used to sign the input_token. At this point, the - - - -Linn Standards Track [Page 81] - -RFC 2078 GSS-API January 1997 - - - client is authenticated to the service. The service uses its private - key to decipher the enciphered secret key provided to it for per- - message protection operations on the context. - - The client calls GSS_GetMIC() or GSS_Wrap() on a data message, which - causes per-message authentication, integrity, and (optional) - confidentiality facilities to be applied to that message. The service - uses the context's shared secret key to perform corresponding - GSS_VerifyMIC() and GSS_Unwrap() calls. - -6: Security Considerations - - Security issues are discussed throughout this memo. 
- -7: Related Activities - - In order to implement the GSS-API atop existing, emerging, and future - security mechanisms: - - object identifiers must be assigned to candidate GSS-API - mechanisms and the name types which they support - - concrete data element formats and processing procedures must be - defined for candidate mechanisms - - Calling applications must implement formatting conventions which will - enable them to distinguish GSS-API tokens from other data carried in - their application protocols. - - Concrete language bindings are required for the programming - environments in which the GSS-API is to be employed, as RFC-1509 - defines for the C programming language and GSS-V1. - - - - - - - - - - - - - - - - - - - -Linn Standards Track [Page 82] - -RFC 2078 GSS-API January 1997 - - -APPENDIX A - -MECHANISM DESIGN CONSTRAINTS - - The following constraints on GSS-API mechanism designs are adopted in - response to observed caller protocol requirements, and adherence - thereto is anticipated in subsequent descriptions of GSS-API - mechanisms to be documented in standards-track Internet - specifications. - - It is strongly recommended that mechanisms offering per-message - protection services also offer at least one of the replay detection - and sequencing services, as mechanisms offering neither of the latter - will fail to satisfy recognized requirements of certain candidate - caller protocols. - -APPENDIX B - - COMPATIBILITY WITH GSS-V1 - - It is the intent of this document to define an interface and - procedures which preserve compatibility between GSS-V1 (RFC-1508) - callers and GSS- V2 providers. All calls defined in GSS-V1 are - preserved, and it has been a goal that GSS-V1 callers should be able - to operate atop GSS-V2 provider implementations. Certain detailed - changes, summarized in this section, have been made in order to - resolve omissions identified in GSS-V1. 
- - The following GSS-V1 constructs, while supported within GSS-V2, are - deprecated: - - Names for per-message processing routines: GSS_Seal() deprecated - in favor of GSS_Wrap(); GSS_Sign() deprecated in favor of - GSS_GetMIC(); GSS_Unseal() deprecated in favor of GSS_Unwrap(); - GSS_Verify() deprecated in favor of GSS_VerifyMIC(). - - GSS_Delete_sec_context() facility for context_token usage, - allowing mechanisms to signal context deletion, is retained for - compatibility with GSS-V1. For current usage, it is recommended - that both peers to a context invoke GSS_Delete_sec_context() - independently, passing a null output_context_token buffer to - indicate that no context_token is required. Implementations of - GSS_Delete_sec_context() should delete relevant locally-stored - context information. - - - - - - - -Linn Standards Track [Page 83] - -RFC 2078 GSS-API January 1997 - - - This GSS-V2 specification adds the following calls which are not - present in GSS-V1: - - Credential management calls: GSS_Add_cred(), - GSS_Inquire_cred_by_mech(). - - Context-level calls: GSS_Inquire_context(), GSS_Wrap_size_limit(), - GSS_Export_sec_context(), GSS_Import_sec_context(). - - Per-message calls: No new calls. Existing calls have been renamed. - - Support calls: GSS_Create_empty_OID_set(), - GSS_Add_OID_set_member(), GSS_Test_OID_set_member(), - GSS_Release_OID(), GSS_OID_to_str(), GSS_Str_to_OID(), - GSS_Inquire_names_for_mech(), GSS_Inquire_mechs_for_name(), - GSS_Canonicalize_name(), GSS_Export_name(), GSS_Duplicate_name(). - - This GSS-V2 specification introduces three new facilities applicable - to security contexts, indicated using the following context state - values which are not present in GSS-V1: - - anon_state, set TRUE to indicate that a context's initiator is - anonymous from the viewpoint of the target; Section 1.2.5 of this - specification provides a summary description of the GSS-V2 - anonymity support facility, support and use of which is optional. 
- - prot_ready_state, set TRUE to indicate that a context may be used - for per-message protection before final completion of context - establishment; Section 1.2.7 of this specification provides a - summary description of the GSS-V2 facility enabling mechanisms to - selectively permit per-message protection during context - establishment, support and use of which is optional. - - trans_state, set TRUE to indicate that a context is transferable to - another process using the GSS-V2 GSS_Export_sec_context() facility. - - These state values are represented (at the C bindings level) in - positions within a bit vector which are unused in GSS-V1, and may be - safely ignored by GSS-V1 callers. - - Relative to GSS-V1, GSS-V2 provides additional guidance to GSS-API - implementors in the following areas: implementation robustness, - credential management, behavior in multi-mechanism configurations, - naming support, and inclusion of optional sequencing services. The - token tagging facility as defined in GSS-V2, Section 3.1, is now - described directly in terms of octets to facilitate interoperable - implementation without general ASN.1 processing code; the - corresponding ASN.1 syntax, included for descriptive purposes, is - - - -Linn Standards Track [Page 84] - -RFC 2078 GSS-API January 1997 - - - unchanged from that in GSS-V1. For use in conjunction with added - naming support facilities, a new Exported Name Object construct is - added. Additional name types are introduced in Section 4. 
- - This GSS-V2 specification adds the following major_status values - which are not defined in GSS-V1: - - GSS_S_BAD_QOP unsupported QOP value - GSS_S_UNAUTHORIZED operation unauthorized - GSS_S_UNAVAILABLE operation unavailable - GSS_S_DUPLICATE_ELEMENT duplicate credential element requested - GSS_S_NAME_NOT_MN name contains multi-mechanism elements - GSS_S_GAP_TOKEN skipped predecessor token(s) - detected - - Of these added status codes, only two values are defined to be - returnable by calls existing in GSS-V1: GSS_S_BAD_QOP (returnable by - GSS_GetMIC() and GSS_Wrap()), and GSS_S_GAP_TOKEN (returnable by - GSS_VerifyMIC() and GSS_Unwrap()). - - Additionally, GSS-V2 descriptions of certain calls present in GSS-V1 - have been updated to allow return of additional major_status values - from the set as defined in GSS-V1: GSS_Inquire_cred() has - GSS_S_DEFECTIVE_CREDENTIAL and GSS_S_CREDENTIALS_EXPIRED defined as - returnable, GSS_Init_sec_context() has GSS_S_OLD_TOKEN, - GSS_S_DUPLICATE_TOKEN, and GSS_S_BAD_MECH defined as returnable, and - GSS_Accept_sec_context() has GSS_S_BAD_MECH defined as returnable. - -Author's Address - - John Linn - OpenVision Technologies - One Main St. - Cambridge, MA 02142 USA - - Phone: +1 617.374.2245 - EMail: John.Linn@ov.com - - - - - - - - - - - - - - -Linn Standards Track [Page 85] - diff --git a/crypto/heimdal-0.6.3/doc/standardisation/rfc2203.txt b/crypto/heimdal-0.6.3/doc/standardisation/rfc2203.txt deleted file mode 100644 index 2f6a8a0d0f..0000000000 --- a/crypto/heimdal-0.6.3/doc/standardisation/rfc2203.txt +++ /dev/null 
@@ -1,1291 +0,0 @@ - - - - - - -Network Working Group M. Eisler -Request for Comments: 2203 A. Chiu -Category: Standards Track L. Ling - September 1997 - - - RPCSEC_GSS Protocol Specification - -Status of this Memo - - This document specifies an Internet standards track protocol for the - Internet community, and requests discussion and suggestions for - improvements. Please refer to the current edition of the "Internet - Official Protocol Standards" (STD 1) for the standardization state - and status of this protocol. Distribution of this memo is unlimited. - -Abstract - - This memo describes an ONC/RPC security flavor that allows RPC - protocols to access the Generic Security Services Application - Programming Interface (referred to henceforth as GSS-API). - -Table of Contents - - 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2 - 2. The ONC RPC Message Protocol . . . . . . . . . . . . . . . . . 2 - 3. Flavor Number Assignment . . . . . . . . . . . . . . . . . . . 3 - 4. New auth_stat Values . . . . . . . . . . . . . . . . . . . . . 3 - 5. Elements of the RPCSEC_GSS Security Protocol . . . . . . . . . 3 - 5.1. Version Selection . . . . . . . . . . . . . . . . . . . . . 5 - 5.2. Context Creation . . . . . . . . . . . . . . . . . . . . . . 5 - 5.2.1. Mechanism and QOP Selection . . . . . . . . . . . . . . . 5 - 5.2.2. Context Creation Requests . . . . . . . . . . . . . . . . 6 - 5.2.3. Context Creation Responses . . . . . . . . . . . . . . . . 8 - 5.2.3.1. Context Creation Response - Successful Acceptance . . . 8 - 5.2.3.1.1. Client Processing of Successful Context Creation - Responses . . . . . . . . . . . . . . . . . . . . . . 9 - 5.2.3.2. Context Creation Response - Unsuccessful Cases . . . . . 9 - 5.3. RPC Data Exchange . . . . . . . . . . . . . . . . . . . . 10 - 5.3.1. RPC Request Header . . . . . . . . . . . . . . . . . . . 10 - 5.3.2. RPC Request Data . . . . . . . . . . . . . . . . . . . . 11 - 5.3.2.1. 
RPC Request Data - No Data Integrity . . . . . . . . . 11 - 5.3.2.2. RPC Request Data - With Data Integrity . . . . . . . . 11 - 5.3.2.3. RPC Request Data - With Data Privacy . . . . . . . . . 12 - 5.3.3. Server Processing of RPC Data Requests . . . . . . . . . 12 - 5.3.3.1. Context Management . . . . . . . . . . . . . . . . . . 12 - 5.3.3.2. Server Reply - Request Accepted . . . . . . . . . . . 14 - 5.3.3.3. Server Reply - Request Denied . . . . . . . . . . . . 15 - - - -Eisler, et. al. Standards Track [Page 1] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - - 5.3.3.4. Mapping of GSS-API Errors to Server Responses . . . . 16 - 5.3.3.4.1. GSS_GetMIC() Failure . . . . . . . . . . . . . . . . 16 - 5.3.3.4.2. GSS_VerifyMIC() Failure . . . . . . . . . . . . . . 16 - 5.3.3.4.3. GSS_Unwrap() Failure . . . . . . . . . . . . . . . . 16 - 5.3.3.4.4. GSS_Wrap() Failure . . . . . . . . . . . . . . . . . 16 - 5.4. Context Destruction . . . . . . . . . . . . . . . . . . . 17 - 6. Set of GSS-API Mechanisms . . . . . . . . . . . . . . . . . 17 - 7. Security Considerations . . . . . . . . . . . . . . . . . . 18 - 7.1. Privacy of Call Header . . . . . . . . . . . . . . . . . . 18 - 7.2. Sequence Number Attacks . . . . . . . . . . . . . . . . . 18 - 7.2.1. Sequence Numbers Above the Window . . . . . . . . . . . 18 - 7.2.2. Sequence Numbers Within or Below the Window . . . . . . 18 - 7.3. Message Stealing Attacks . . . . . . . . . . . . . . . . . 19 - Appendix A. GSS-API Major Status Codes . . . . . . . . . . . . . 20 - Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 22 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 - -1. Introduction - - This document describes the protocol used by the RPCSEC_GSS security - flavor. Security flavors have been called authentication flavors for - historical reasons. 
This memo recognizes that there are two other - security services besides authentication, integrity, and privacy, and - so defines a new RPCSEC_GSS security flavor. - - The protocol is described using the XDR language [Srinivasan-xdr]. - The reader is assumed to be familiar with ONC RPC and the security - flavor mechanism [Srinivasan-rpc]. The reader is also assumed to be - familiar with the GSS-API framework [Linn]. The RPCSEC_GSS security - flavor uses GSS-API interfaces to provide security services that are - independent of the underlying security mechanism. - -2. The ONC RPC Message Protocol - - This memo refers to the following XDR types of the ONC RPC protocol, - which are described in the document entitled Remote Procedure Call - Protocol Specification Version 2 [Srinivasan-rpc]: - - msg_type - reply_stat - auth_flavor - accept_stat - reject_stat - auth_stat - opaque_auth - rpc_msg - call_body - reply_body - - - -Eisler, et. al. Standards Track [Page 2] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - - accepted_reply - rejected_reply - -3. Flavor Number Assignment - - The RPCSEC_GSS security flavor has been assigned the value of 6: - - enum auth_flavor { - ... - RPCSEC_GSS = 6 /* RPCSEC_GSS security flavor */ - }; - -4. New auth_stat Values - - RPCSEC_GSS requires the addition of two new values to the auth_stat - enumerated type definition: - - enum auth_stat { - ... - /* - * RPCSEC_GSS errors - */ - RPCSEC_GSS_CREDPROBLEM = 13, - RPCSEC_GSS_CTXPROBLEM = 14 - }; - - The descriptions of these two new values are defined later in this - memo. - -5. Elements of the RPCSEC_GSS Security Protocol - - An RPC session based on the RPCSEC_GSS security flavor consists of - three phases: context creation, RPC data exchange, and context - destruction. In the following discussion, protocol elements for - these three phases are described. 
- - The following description of the RPCSEC_GSS protocol uses some of the - definitions within XDR language description of the RPC protocol. - - Context creation and destruction use control messages that are not - dispatched to service procedures registered by an RPC server. The - program and version numbers used in these control messages are the - same as the RPC service's program and version numbers. The procedure - number used is NULLPROC (zero). A field in the credential - information (the gss_proc field which is defined in the - rpc_gss_cred_t structure below) specifies whether a message is to be - interpreted as a control message or a regular RPC message. If this - field is set to RPCSEC_GSS_DATA, no control action is implied; in - - - -Eisler, et. al. Standards Track [Page 3] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - - this case, it is a regular data message. If this field is set to any - other value, a control action is implied. This is described in the - following sections. - - Just as with normal RPC data exchange messages, the transaction - identifier (the xid field in struct rpc_msg), should be set to unique - values on each call for context creation and context destruction. - - The following definitions are used for describing the protocol. - - /* RPCSEC_GSS control procedures */ - - - enum rpc_gss_proc_t { - RPCSEC_GSS_DATA = 0, - RPCSEC_GSS_INIT = 1, - RPCSEC_GSS_CONTINUE_INIT = 2, - RPCSEC_GSS_DESTROY = 3 - }; - - /* RPCSEC_GSS services */ - - enum rpc_gss_service_t { - /* Note: the enumerated value for 0 is reserved. 
*/ - rpc_gss_svc_none = 1, - rpc_gss_svc_integrity = 2, - rpc_gss_svc_privacy = 3 - }; - - /* Credential */ - - /* - * Note: version 0 is reserved for possible future - * definition of a version negotiation protocol - * - */ - #define RPCSEC_GSS_VERS_1 1 - - struct rpc_gss_cred_t { - union switch (unsigned int version) { /* version of - RPCSEC_GSS */ - case RPCSEC_GSS_VERS_1: - struct { - rpc_gss_proc_t gss_proc; /* control procedure */ - unsigned int seq_num; /* sequence number */ - rpc_gss_service_t service; /* service used */ - opaque handle<>; /* context handle */ - } rpc_gss_cred_vers_1_t; - - - -Eisler, et. al. Standards Track [Page 4] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - - } - }; - - /* Maximum sequence number value */ - - #define MAXSEQ 0x80000000 - -5.1. Version Selection - - This document defines just one protocol version (RPCSEC_GSS_VERS_1). - The client should assume that the server supports RPCSEC_GSS_VERS_1 - and issue a Context Creation message (as described in the section - RPCSEC_GSS_VERS_1, the RPC response will have a reply_stat of - MSG_DENIED, a rejection status of AUTH_ERROR, and an auth_stat of - AUTH_REJECTED_CRED. - -5.2. Context Creation - - Before RPC data is exchanged on a session using the RPCSEC_GSS - flavor, a context must be set up between the client and the server. - Context creation may involve zero or more RPC exchanges. The number - of exchanges depends on the security mechanism. - -5.2.1. Mechanism and QOP Selection - - There is no facility in the RPCSEC_GSS protocol to negotiate GSS-API - mechanism identifiers or QOP values. At minimum, it is expected that - implementations of the RPCSEC_GSS protocol provide a means to: - - * specify mechanism identifiers, QOP values, and RPCSEC_GSS - service values on the client side, and to - - * enforce mechanism identifiers, QOP values, and RPCSEC_GSS - service values on a per-request basis on the server side. 
- - It is necessary that above capabilities exist so that applications - have the means to conform the required set of required set of - tuples (See the section entitled Set of - GSS-API Mechanisms). An application may negotiate selection within its protocol or via an out of band - protocol. Hence it may be necessary for RPCSEC_GSS implementations to - provide programming interfaces for the specification and enforcement - of . - - Additionally, implementations may depend on negotiation schemes - constructed as pseudo-mechanisms under the GSS-API. Because such - schemes are below the GSS-API layer, the RPCSEC_GSS protocol, as - specified in this document, can make use of them. - - - -Eisler, et. al. Standards Track [Page 5] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - -5.2.2. Context Creation Requests - - The first RPC request from the client to the server initiates context - creation. Within the RPC message protocol's call_body structure, - rpcvers is set to 2. prog and vers are always those for the service - being accessed. The proc is always set to NULLPROC (zero). - - Within the RPC message protocol's cred structure, flavor is set to - RPCSEC_GSS (6). The opaque data of the cred structure (the body - field) constituting the credential encodes the rpc_gss_cred_t - structure defined previously. - - The values of the fields contained in the rpc_gss_cred_t structure - are set as follows. The version field is set to the version of the - RPCSEC_GSS protocol the client wants to use. The remainder of this - memo documents version RPCSEC_GSS_VERS_1 of RPCSEC_GSS, and so the - version field would be set to RPCSEC_GSS_VERS_1. The gss_proc field - must be set to RPCSEC_GSS_INIT for the first creation request. In - subsequent creation requests, the gss_proc field must be set to - RPCSEC_GSS_CONTINUE_INIT. In a creation request, the seq_num and - service fields are undefined and both must be ignored by the server. 
- In the first creation request, the handle field is NULL (opaque data - of zero length). In subsequent creation requests, handle must be - equal to the value returned by the server. The handle field serves - as the identifier for the context, and will not change for the - duration of the context, including responses to - RPCSEC_GSS_CONTINUE_INIT. - - The verifier field in the RPC message header is also described by the - opaque_auth structure. All creation requests have the NULL verifier - (AUTH_NONE flavor with zero length opaque data). - - Following the verifier are the call data (procedure specific - parameters). Note that the proc field of the call_body structure is - set to NULLPROC, and thus normally there would be zero octets - following the verifier. However, since there is no RPC data exchange - during a context creation, it is safe to transfer information - following the verifier. It is necessary to "overload" the call data - in this way, rather than pack the GSS-API token into the RPC header, - because RPC Version 2 restricts the amount of data that can be sent - in the header. The opaque body of the credential and verifier fields - can be each at most 400 octets long, and GSS tokens can be longer - than 800 octets. - - - - - - - - -Eisler, et. al. Standards Track [Page 6] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - - The call data for a context creation request is described by the - following structure for all creation requests: - - struct rpc_gss_init_arg { - opaque gss_token<>; - }; - - Here, gss_token is the token returned by the call to GSS-API's - GSS_Init_sec_context() routine, opaquely encoded. The value of this - field will likely be different in each creation request, if there is - more than one creation request. If no token is returned by the call - to GSS_Init_sec_context(), the context must have been created - (assuming no errors), and there will not be any more creation - requests. 
- - When GSS_Init_sec_context() is called, the parameters - replay_det_req_flag and sequence_req_flag must be turned off. The - reasons for this are: - - * ONC RPC can be used over unreliable transports and provides no - layer to reliably re-assemble messages. Thus it is possible for - gaps in message sequencing to occur, as well as out of order - messages. - - * RPC servers can be multi-threaded, and thus the order in which - GSS-API messages are signed or wrapped can be different from the - order in which the messages are verified or unwrapped, even if - the requests are sent on reliable transports. - - * To maximize convenience of implementation, the order in which an - ONC RPC entity will verify the header and verify/unwrap the body - of an RPC call or reply is left unspecified. - - The RPCSEC_GSS protocol provides for protection from replay attack, - yet tolerates out-of-order delivery or processing of messages and - tolerates dropped requests. - - - - - - - - - - - - - - - -Eisler, et. al. Standards Track [Page 7] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - -5.2.3. Context Creation Responses - -5.2.3.1. Context Creation Response - Successful Acceptance - - The response to a successful creation request has an MSG_ACCEPTED - response with a status of SUCCESS. The results field encodes a - response with the following structure: - - struct rpc_gss_init_res { - opaque handle<>; - unsigned int gss_major; - unsigned int gss_minor; - unsigned int seq_window; - opaque gss_token<>; - }; - - Here, handle is non-NULL opaque data that serves as the context - identifier. The client must use this value in all subsequent requests - whether control messages or otherwise). The gss_major and gss_minor - fields contain the results of the call to GSS_Accept_sec_context() - executed by the server. The values for the gss_major field are - defined in Appendix A of this document. 
The values for the gss_minor - field are GSS-API mechanism specific and are defined in the - mechanism's specification. If gss_major is not one of GSS_S_COMPLETE - or GSS_S_CONTINUE_NEEDED, the context setup has failed; in this case - handle and gss_token must be set to NULL by the server. The value of - gss_minor is dependent on the value of gss_major and the security - mechanism used. The gss_token field contains any token returned by - the GSS_Accept_sec_context() call executed by the server. A token - may be returned for both successful values of gss_major. If the - value is GSS_S_COMPLETE, it indicates that the server is not - expecting any more tokens, and the RPC Data Exchange phase must begin - on the subsequent request from the client. If the value is - GSS_S_CONTINUE_NEEDED, the server is expecting another token. Hence - the client must send at least one more creation request (with - gss_proc set to RPCSEC_GSS_CONTINUE_INIT in the request's credential) - carrying the required token. - - In a successful response, the seq_window field is set to the sequence - window length supported by the server for this context. This window - specifies the maximum number of client requests that may be - outstanding for this context. The server will accept "seq_window" - requests at a time, and these may be out of order. The client may - use this number to determine the number of threads that can - simultaneously send requests on this context. - - - - - - -Eisler, et. al. Standards Track [Page 8] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - - If gss_major is GSS_S_COMPLETE, the verifier's (the verf element in - the response) flavor field is set to RPCSEC_GSS, and the body field - set to the checksum of the seq_window (in network order). The QOP - used for this checksum is 0 (zero), which is the default QOP. For - all other values of gss_major, a NULL verifier (AUTH_NONE flavor with - zero-length opaque data) is used. - -5.2.3.1.1. 
Client Processing of Successful Context Creation Responses - - If the value of gss_major in the response is GSS_S_CONTINUE_NEEDED, - then the client, per the GSS-API specification, must invoke - GSS_Init_sec_context() using the token returned in gss_token in the - context creation response. The client must then generate a context - creation request, with gss_proc set to RPCSEC_GSS_CONTINUE_INIT. - - If the value of gss_major in the response is GSS_S_COMPLETE, and if - the client's previous invocation of GSS_Init_sec_context() returned a - gss_major value of GSS_S_CONTINUE_NEEDED, then the client, per the - GSS-API specification, must invoke GSS_Init_sec_context() using the - token returned in gss_token in the context creation response. If - GSS_Init_sec_context() returns GSS_S_COMPLETE, the context is - successfully set up, and the RPC data exchange phase must begin on - the subsequent request from the client. - -5.2.3.2. Context Creation Response - Unsuccessful Cases - - An MSG_ACCEPTED reply (to a creation request) with an acceptance - status of other than SUCCESS has a NULL verifier (flavor set to - AUTH_NONE, and zero length opaque data in the body field), and is - formulated as usual for different status values. - - An MSG_DENIED reply (to a creation request) is also formulated as - usual. Note that MSG_DENIED could be returned because the server's - RPC implementation does not recognize the RPCSEC_GSS security flavor. - RFC 1831 does not specify the appropriate reply status in this - instance, but common implementation practice appears to be to return - a rejection status of AUTH_ERROR with an auth_stat of - AUTH_REJECTEDCRED. Even though two new values (RPCSEC_GSS_CREDPROBLEM - and RPCSEC_GSS_CTXPROBLEM) have been defined for the auth_stat type, - neither of these two can be returned in responses to context creation - requests. The auth_stat new values can be used for responses to - normal (data) requests. This is described later. 
- - MSG_DENIED might also be returned if the RPCSEC_GSS version number in - the credential is not supported on the server. In that case, the - server returns a rejection status of AUTH_ERROR, with an auth_stat of - - AUTH_REJECTED_CRED. - - - -Eisler, et. al. Standards Track [Page 9] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - -5.3. RPC Data Exchange - - The data exchange phase is entered after a context has been - successfully set up. The format of the data exchanged depends on the - security service used for the request. Although clients can change - the security service and QOP used on a per-request basis, this may - not be acceptable to all RPC services; some RPC services may "lock" - the data exchange phase into using the QOP and service used on the - first data exchange message. For all three modes of service (no data - integrity, data integrity, data privacy), the RPC request header has - the same format. - -5.3.1. RPC Request Header - - The credential has the opaque_auth structure described earlier. The - flavor field is set to RPCSEC_GSS. The credential body is created by - XDR encoding the rpc_gss_cred_t structure listed earlier into an - octet stream, and then opaquely encoding this octet stream as the - body field. - - Values of the fields contained in the rpc_gss_cred_t structure are - set as follows. The version field is set to same version value that - was used to create the context, which within the scope of this memo - will always be RPCSEC_GSS_VERS_1. The gss_proc field is set to - RPCSEC_GSS_DATA. The service field is set to indicate the desired - service (one of rpc_gss_svc_none, rpc_gss_svc_integrity, or - rpc_gss_svc_privacy). The handle field is set to the context handle - value received from the RPC server during context creation. The - seq_num field can start at any value below MAXSEQ, and must be - incremented (by one or more) for successive requests. 
Use of - sequence numbers is described in detail when server processing of the - request is discussed. - - The verifier has the opaque_auth structure described earlier. The - flavor field is set to RPCSEC_GSS. The body field is set as follows. - The checksum of the RPC header (up to and including the credential) - is computed using the GSS_GetMIC() call with the desired QOP. This - returns the checksum as an opaque octet stream and its length. This - is encoded into the body field. Note that the QOP is not explicitly - specified anywhere in the request. It is implicit in the checksum or - encrypted data. The same QOP value as is used for the header - checksum must also be used for the data (for checksumming or - encrypting), unless the service used for the request is - rpc_gss_svc_none. - - - - - - - -Eisler, et. al. Standards Track [Page 10] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - -5.3.2. RPC Request Data - -5.3.2.1. RPC Request Data - No Data Integrity - - If the service specified is rpc_gss_svc_none, the data (procedure - arguments) are not integrity or privacy protected. They are sent in - exactly the same way as they would be if the AUTH_NONE flavor were - used (following the verifier). Note, however, that since the RPC - header is integrity protected, the sender will still be authenticated - in this case. - -5.3.2.2. RPC Request Data - With Data Integrity - - When data integrity is used, the request data is represented as - follows: - - struct rpc_gss_integ_data { - opaque databody_integ<>; - opaque checksum<>; - }; - - The databody_integ field is created as follows. A structure - consisting of a sequence number followed by the procedure arguments - is constructed. This is shown below as the type rpc_gss_data_t: - - struct rpc_gss_data_t { - unsigned int seq_num; - proc_req_arg_t arg; - }; - - Here, seq_num must have the same value as in the credential. 
The - type proc_req_arg_t is the procedure specific XDR type describing the - procedure arguments (and so is not specified here). The octet stream - corresponding to the XDR encoded rpc_gss_data_t structure and its - length are placed in the databody_integ field. Note that because the - XDR type of databody_integ is opaque, the XDR encoding of - databody_integ will include an initial four octet length field, - followed by the XDR encoded octet stream of rpc_gss_data_t. - - The checksum field represents the checksum of the XDR encoded octet - stream corresponding to the XDR encoded rpc_gss_data_t structure - (note, this is not the checksum of the databody_integ field). This - is obtained using the GSS_GetMIC() call, with the same QOP as was - used to compute the header checksum (in the verifier). The - - - - - - - -Eisler, et. al. Standards Track [Page 11] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - - GSS_GetMIC() call returns the checksum as an opaque octet stream and - its length. The checksum field of struct rpc_gss_integ_data has an - XDR type of opaque. Thus the checksum length from GSS_GetMIC() is - encoded as a four octet length field, followed by the checksum, - padded to a multiple of four octets. - -5.3.2.3. RPC Request Data - With Data Privacy - - When data privacy is used, the request data is represented as - follows: - - struct rpc_gss_priv_data { - opaque databody_priv<> - }; - - The databody_priv field is created as follows. The rpc_gss_data_t - structure described earlier is constructed again in the same way as - for the case of data integrity. Next, the GSS_Wrap() call is invoked - to encrypt the octet stream corresponding to the rpc_gss_data_t - structure, using the same value for QOP (argument qop_req to - GSS_Wrap()) as was used for the header checksum (in the verifier) and - conf_req_flag (an argument to GSS_Wrap()) of TRUE. 
The GSS_Wrap() - call returns an opaque octet stream (representing the encrypted - rpc_gss_data_t structure) and its length, and this is encoded as the - databody_priv field. Since databody_priv has an XDR type of opaque, - the length returned by GSS_Wrap() is encoded as the four octet - length, followed by the encrypted octet stream (padded to a multiple - of four octets). - -5.3.3. Server Processing of RPC Data Requests - -5.3.3.1. Context Management - - When a request is received by the server, the following are verified - to be acceptable: - - * the version number in the credential - - * the service specified in the credential - - * the context handle specified in the credential - - * the header checksum in the verifier (via GSS_VerifyMIC()) - - * the sequence number (seq_num) specified in the credential (more - on this follows) - - - - - -Eisler, et. al. Standards Track [Page 12] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - - The gss_proc field in the credential must be set to RPCSEC_GSS_DATA - for data requests (otherwise, the message will be interpreted as a - control message). - - The server maintains a window of "seq_window" sequence numbers, - starting with the last sequence number seen and extending backwards. - If a sequence number higher than the last number seen is received - (AND if GSS_VerifyMIC() on the header checksum from the verifier - returns GSS_S_COMPLETE), the window is moved forward to the new - sequence number. If the last sequence number seen is N, the server - is prepared to receive requests with sequence numbers in the range N - through (N - seq_window + 1), both inclusive. If the sequence number - received falls below this range, it is silently discarded. If the - sequence number is within this range, and the server has not seen it, - the request is accepted, and the server turns on a bit to "remember" - that this sequence number has been seen. 
If the server determines - that it has already seen a sequence number within the window, the - request is silently discarded. The server should select a seq_window - value based on the number requests it expects to process - simultaneously. For example, in a threaded implementation seq_window - might be equal to the number of server threads. There are no known - security issues with selecting a large window. The primary issue is - how much space the server is willing to allocate to keep track of - requests received within the window. - - The reason for discarding requests silently is that the server is - unable to determine if the duplicate or out of range request was due - to a sequencing problem in the client, network, or the operating - system, or due to some quirk in routing, or a replay attack by an - intruder. Discarding the request allows the client to recover after - timing out, if indeed the duplication was unintentional or well - intended. Note that a consequence of the silent discard is that - clients may increment the seq_num by more than one. The effect of - this is that the window will move forward more quickly. It is not - believed that there is any benefit to doing this. - - Note that the sequence number algorithm requires that the client - increment the sequence number even if it is retrying a request with - the same RPC transaction identifier. It is not infrequent for - clients to get into a situation where they send two or more attempts - and a slow server sends the reply for the first attempt. With - RPCSEC_GSS, each request and reply will have a unique sequence - number. If the client wishes to improve turn around time on the RPC - call, it can cache the RPCSEC_GSS sequence number of each request it - sends. Then when it receives a response with a matching RPC - transaction identifier, it can compute the checksum of each sequence - number in the cache to try to match the checksum in the reply's - verifier. - - - -Eisler, et. al. 
Standards Track [Page 13] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - - The data is decoded according to the service specified in the - credential. In the case of integrity or privacy, the server ensures - that the QOP value is acceptable, and that it is the same as that - used for the header checksum in the verifier. Also, in the case of - integrity or privacy, the server will reject the message (with a - reply status of MSG_ACCEPTED, and an acceptance status of - GARBAGE_ARGS) if the sequence number embedded in the request body is - different from the sequence number in the credential. - -5.3.3.2. Server Reply - Request Accepted - - An MSG_ACCEPTED reply to a request in the data exchange phase will - have the verifier's (the verf element in the response) flavor field - set to RPCSEC_GSS, and the body field set to the checksum (the output - of GSS_GetMIC()) of the sequence number (in network order) of the - corresponding request. The QOP used is the same as the QOP used for - the corresponding request. - - If the status of the reply is not SUCCESS, the rest of the message is - formatted as usual. - - If the status of the message is SUCCESS, the format of the rest of - the message depends on the service specified in the corresponding - request message. Basically, what follows the verifier in this case - are the procedure results, formatted in different ways depending on - the requested service. - - If no data integrity was requested, the procedure results are - formatted as for the AUTH_NONE security flavor. - - If data integrity was requested, the results are encoded in exactly - the same way as the procedure arguments were in the corresponding - request. See the section 'RPC Request Data - With Data Integrity.' - The only difference is that the structure representing the - procedure's result - proc_res_arg_t - must be substituted in place of - the request argument structure proc_req_arg_t. 
The QOP used for the - checksum must be the same as that used for constructing the reply - verifier. - - If data privacy was requested, the results are encoded in exactly the - same way as the procedure arguments were in the corresponding - request. See the section 'RPC Request Data - With Data Privacy.' The - QOP used for encryption must be the same as that used for - constructing the reply verifier. - - - - - - - -Eisler, et. al. Standards Track [Page 14] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - -5.3.3.3. Server Reply - Request Denied - - An MSG_DENIED reply (to a data request) is formulated as usual. Two - new values (RPCSEC_GSS_CREDPROBLEM and RPCSEC_GSS_CTXPROBLEM) have - been defined for the auth_stat type. When the reason for denial of - the request is a reject_stat of AUTH_ERROR, one of the two new - auth_stat values could be returned in addition to the existing - values. These two new values have special significance from the - existing reasons for denial of a request. - - The server maintains a list of contexts for the clients that are - currently in session with it. Normally, a context is destroyed when - the client ends the session corresponding to it. However, due to - resource constraints, the server may destroy a context prematurely - (on an LRU basis, or if the server machine is rebooted, for example). - In this case, when a client request comes in, there may not be a - context corresponding to its handle. The server rejects the request, - with the reason RPCSEC_GSS_CREDPROBLEM in this case. Upon receiving - this error, the client must refresh the context - that is, - reestablish it after destroying the old one - and try the request - again. This error is also returned if the context handle matches - that of a different context that was allocated after the client's - context was destroyed (this will be detected by a failure in - verifying the header checksum). 
- - If the GSS_VerifyMIC() call on the header checksum (contained in the - verifier) fails to return GSS_S_COMPLETE, the server rejects the - request and returns an auth_stat of RPCSEC_GSS_CREDPROBLEM. - - When the client's sequence number exceeds the maximum the server will - allow, the server will reject the request with the reason - RPCSEC_GSS_CTXPROBLEM. Also, if security credentials become stale - while in use (due to ticket expiry in the case of the Kerberos V5 - mechanism, for example), the failures which result cause the - RPCSEC_GSS_CTXPROBLEM reason to be returned. In these cases also, - the client must refresh the context, and retry the request. - - For other errors, retrying will not rectify the problem and the - client must not refresh the context until the problem causing the - client request to be denied is rectified. - - If the version field in the credential does not match the version of - RPCSEC_GSS that was used when the context was created, the - AUTH_BADCRED value is returned. - - If there is a problem with the credential, such a bad length, illegal - control procedure, or an illegal service, the appropriate auth_stat - status is AUTH_BADCRED. - - - -Eisler, et. al. Standards Track [Page 15] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - - Other errors can be returned as appropriate. - -5.3.3.4. Mapping of GSS-API Errors to Server Responses - - During the data exchange phase, the server may invoke GSS_GetMIC(), - GSS_VerifyMIC(), GSS_Unwrap(), and GSS_Wrap(). If any of these - routines fail to return GSS_S_COMPLETE, then various unsuccessful - responses can be returned. The are described as follows for each of - the aforementioned four interfaces. - -5.3.3.4.1. GSS_GetMIC() Failure - - When GSS_GetMIC() is called to generate the verifier in the response, - a failure results in an RPC response with a reply status of - MSG_DENIED, reject status of AUTH_ERROR and an auth status of - RPCSEC_GSS_CTXPROBLEM. 
- - When GSS_GetMIC() is called to sign the call results (service is - rpc_gss_svc_integrity), a failure results in no RPC response being - sent. Since ONC RPC server applications will typically control when a - response is sent, the failure indication will be returned to the - server application and it can take appropriate action (such as - logging the error). - -5.3.3.4.2. GSS_VerifyMIC() Failure - - When GSS_VerifyMIC() is called to verify the verifier in request, a - failure results in an RPC response with a reply status of MSG_DENIED, - reject status of AUTH_ERROR and an auth status of - RPCSEC_GSS_CREDPROBLEM. - - When GSS_VerifyMIC() is called to verify the call arguments (service - is rpc_gss_svc_integrity), a failure results in an RPC response with - a reply status of MSG_ACCEPTED, and an acceptance status of - GARBAGE_ARGS. - -5.3.3.4.3. GSS_Unwrap() Failure - - When GSS_Unwrap() is called to decrypt the call arguments (service is - rpc_gss_svc_privacy), a failure results in an RPC response with a - reply status of MSG_ACCEPTED, and an acceptance status of - GARBAGE_ARGS. - -5.3.3.4.4. GSS_Wrap() Failure - - When GSS_Wrap() is called to encrypt the call results (service is - rpc_gss_svc_privacy), a failure results in no RPC response being - sent. Since ONC RPC server applications will typically control when a - - - -Eisler, et. al. Standards Track [Page 16] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - - response is sent, the failure indication will be returned to the - application and it can take appropriate action (such as logging the - error). - -5.4. Context Destruction - - When the client is done using the session, it must send a control - message informing the server that it no longer requires the context. 
- This message is formulated just like a data request packet, with the - following differences: the credential has gss_proc set to - RPCSEC_GSS_DESTROY, the procedure specified in the header is - NULLPROC, and there are no procedure arguments. The sequence number - in the request must be valid, and the header checksum in the verifier - must be valid, for the server to accept the message. The server - sends a response as it would to a data request. The client and - server must then destroy the context for the session. - - If the request to destroy the context fails for some reason, the - client need not take any special action. The server must be prepared - to deal with situations where clients never inform the server that - they no longer are in session and so don't need the server to - maintain a context. An LRU mechanism or an aging mechanism should be - employed by the server to clean up in such cases. - -6. Set of GSS-API Mechanisms - - RPCSEC_GSS is effectively a "pass-through" to the GSS-API layer, and - as such it is inappropriate for the RPCSEC_GSS specification to - enumerate a minimum set of required security mechanisms and/or - quality of protections. - - If an application protocol specification references RPCSEC_GSS, the - protocol specification must list a mandatory set of { mechanism, QOP, - service } triples, such that an implementation cannot claim - conformance to the protocol specification unless it implements the - set of triples. Within each triple, mechanism is a GSS-API security - mechanism, QOP is a valid quality-of-protection within the mechanism, - and service is either rpc_gss_svc_integrity or rpc_gss_svc_privacy. - - For example, a network filing protocol built on RPC that depends on - RPCSEC_GSS for security, might require that Kerberos V5 with the - default QOP using the rpc_gss_svc_integrity service be supported by - implementations conforming to the network filing protocol - specification. - - - - - - - -Eisler, et. al. 
Standards Track [Page 17] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - -7. Security Considerations - -7.1. Privacy of Call Header - - The reader will note that for the privacy option, only the call - arguments and results are encrypted. Information about the - application in the form of RPC program number, program version - number, and program procedure number is transmitted in the clear. - Encrypting these fields in the RPC call header would have changed the - size and format of the call header. This would have required revising - the RPC protocol which was beyond the scope of this proposal. Storing - the encrypted numbers in the credential would have obviated a - protocol change, but would have introduced more overloading of fields - and would have made implementations of RPC more complex. Even if the - fields were encrypted somehow, in most cases an attacker can - determine the program number and version number by examining the - destination address of the request and querying the rpcbind service - on the destination host [Srinivasan-bind]. In any case, even by not - encrypting the three numbers, RPCSEC_GSS still improves the state of - security over what existing RPC services have had available - previously. Implementors of new RPC services that are concerned about - this risk may opt to design in a "sub-procedure" field that is - included in the service specific call arguments. - -7.2. Sequence Number Attacks - -7.2.1. Sequence Numbers Above the Window - - An attacker cannot coax the server into raising the sequence number - beyond the range the legitimate client is aware of (and thus engineer - a denial of server attack) without constructing an RPC request that - will pass the header checksum. 
If the cost of verifying the header - checksum is sufficiently large (depending on the speed of the - processor doing the checksum and the cost of checksum algorithm), it - is possible to envision a denial of service attack (vandalism, in the - form of wasting processing resources) whereby the attacker sends - requests that are above the window. The simplest method might be for - the attacker to monitor the network traffic and then choose a - sequence number that is far above the current sequence number. Then - the attacker can send bogus requests using the above window sequence - number. - -7.2.2. Sequence Numbers Within or Below the Window - - If the attacker sends requests that are within or below the window, - then even if the header checksum is successfully verified, the server - will silently discard the requests because the server assumes it has - already processed the request. In this case, a server can optimize by - - - -Eisler, et. al. Standards Track [Page 18] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - - skipping the header checksum verification if the sequence number is - below the window, or if it is within the window, not attempt the - checksum verification if the sequence number has already been seen. - -7.3. Message Stealing Attacks - - This proposal does not address attacks where an attacker can block or - steal messages without being detected by the server. To implement - such protection would be tantamount to assuming a state in the RPC - service. RPCSEC_GSS does not worsen this situation. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Eisler, et. al. Standards Track [Page 19] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - -Appendix A. GSS-API Major Status Codes - - The GSS-API definition [Linn] does not include numerical values for - the various GSS-API major status codes. It is expected that this will - be addressed in future RFC. 
Until then, this appendix defines the - values for each GSS-API major status code listed in the GSS-API - definition. If in the future, the GSS-API definition defines values - for the codes that are different than what follows, then implementors - of RPCSEC_GSS will be obliged to map them into the values defined - below. If in the future, the GSS-API definition defines additional - status codes not defined below, then the RPCSEC_GSS definition will - subsume those additional values. - - Here are the definitions of each GSS_S_* major status that the - implementor of RPCSEC_GSS can expect in the gss_major major field of - rpc_gss_init_res. These definitions are not in RPC description - language form. The numbers are in base 16 (hexadecimal): - - GSS_S_COMPLETE 0x00000000 - GSS_S_CONTINUE_NEEDED 0x00000001 - GSS_S_DUPLICATE_TOKEN 0x00000002 - GSS_S_OLD_TOKEN 0x00000004 - GSS_S_UNSEQ_TOKEN 0x00000008 - GSS_S_GAP_TOKEN 0x00000010 - GSS_S_BAD_MECH 0x00010000 - GSS_S_BAD_NAME 0x00020000 - GSS_S_BAD_NAMETYPE 0x00030000 - GSS_S_BAD_BINDINGS 0x00040000 - GSS_S_BAD_STATUS 0x00050000 - GSS_S_BAD_MIC 0x00060000 - GSS_S_BAD_SIG 0x00060000 - GSS_S_NO_CRED 0x00070000 - GSS_S_NO_CONTEXT 0x00080000 - GSS_S_DEFECTIVE_TOKEN 0x00090000 - GSS_S_DEFECTIVE_CREDENTIAL 0x000a0000 - GSS_S_CREDENTIALS_EXPIRED 0x000b0000 - GSS_S_CONTEXT_EXPIRED 0x000c0000 - GSS_S_FAILURE 0x000d0000 - GSS_S_BAD_QOP 0x000e0000 - GSS_S_UNAUTHORIZED 0x000f0000 - GSS_S_UNAVAILABLE 0x00100000 - GSS_S_DUPLICATE_ELEMENT 0x00110000 - GSS_S_NAME_NOT_MN 0x00120000 - GSS_S_CALL_INACCESSIBLE_READ 0x01000000 - GSS_S_CALL_INACCESSIBLE_WRITE 0x02000000 - GSS_S_CALL_BAD_STRUCTURE 0x03000000 - - - - - -Eisler, et. al. 
Standards Track [Page 20] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - - Note that the GSS-API major status is split into three fields as - follows: - - Most Significant Bit Least Significant Bit - |------------------------------------------------------------| - | Calling Error | Routine Error | Supplementary Info | - |------------------------------------------------------------| - Bit 31 24 23 16 15 0 - - Up to one status in the Calling Error field can be logically ORed - with up to one status in the Routine Error field which in turn can be - logically ORed with zero or more statuses in the Supplementary Info - field. If the resulting major status has a non-zero Calling Error - and/or a non-zero Routine Error, then the applicable GSS-API - operation has failed. For purposes of RPCSEC_GSS, this means that - the GSS_Accept_sec_context() call executed by the server has failed. - - If the major status is equal GSS_S_COMPLETE, then this indicates the - absence of any Errors or Supplementary Info. - - The meanings of most of the GSS_S_* status are defined in the GSS-API - definition, which the exceptions of: - - GSS_S_BAD_MIC This code has the same meaning as GSS_S_BAD_SIG. - - GSS_S_CALL_INACCESSIBLE_READ - A required input parameter could not be read. - - GSS_S_CALL_INACCESSIBLE_WRITE - A required input parameter could not be written. - - GSS_S_CALL_BAD_STRUCTURE - A parameter was malformed. - - - - - - - - - - - - - - - - - - -Eisler, et. al. Standards Track [Page 21] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - -Acknowledgements - - Much of the protocol was based on the AUTH_GSSAPI security flavor - developed by Open Vision Technologies [Jaspan]. In particular, we - acknowledge Barry Jaspan, Marc Horowitz, John Linn, and Ellen - McDermott. - - Raj Srinivasan designed RPCSEC_GSS [Eisler] with input from Mike - Eisler. Raj, Roland Schemers, Lin Ling, and Alex Chiu contributed to - Sun Microsystems' implementation of RPCSEC_GSS. 
- - Brent Callaghan, Marc Horowitz, Barry Jaspan, John Linn, Hilarie - Orman, Martin Rex, Ted Ts'o, and John Wroclawski analyzed the - specification and gave valuable feedback. - - Steve Nahm and Kathy Slattery reviewed various drafts of this - specification. - - Much of content of Appendix A was excerpted from John Wray's Work in - Progress on GSS-API Version 2 C-bindings. - -References - - [Eisler] Eisler, M., Schemers, R., and Srinivasan, R. - (1996). "Security Mechanism Independence in ONC - RPC," Proceedings of the Sixth Annual USENIX - Security Symposium, pp. 51-65. - - [Jaspan] Jaspan, B. (1995). "GSS-API Security for ONC - RPC," `95 Proceedings of The Internet Society - Symposium on Network and Distributed System - Security, pp. 144- 151. - - [Linn] Linn, J., "Generic Security Service Application - Program Interface, Version 2", RFC 2078, January - 1997. - - [Srinivasan-bind] Srinivasan, R., "Binding Protocols for - ONC RPC Version 2", RFC 1833, August 1995. - - [Srinivasan-rpc] Srinivasan, R., "RPC: Remote Procedure Call - Protocol Specification Version 2", RFC 1831, - August 1995. - - [Srinivasan-xdr] Srinivasan, R., "XDR: External Data - Representation Standard", RFC 1832, August 1995. - - - - - -Eisler, et. al. Standards Track [Page 22] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - -Authors' Addresses - - Michael Eisler - Sun Microsystems, Inc. - M/S UCOS03 - 2550 Garcia Avenue - Mountain View, CA 94043 - - Phone: +1 (719) 599-9026 - EMail: mre@eng.sun.com - - - Alex Chiu - Sun Microsystems, Inc. - M/S UMPK17-203 - 2550 Garcia Avenue - Mountain View, CA 94043 - - Phone: +1 (415) 786-6465 - EMail: hacker@eng.sun.com - - - Lin Ling - Sun Microsystems, Inc. - M/S UMPK17-201 - 2550 Garcia Avenue - Mountain View, CA 94043 - - Phone: +1 (415) 786-5084 - EMail: lling@eng.sun.com - - - - - - - - - - - - - - - - - - - - - -Eisler, et. al. Standards Track [Page 23] - 
diff --git a/crypto/heimdal-0.6.3/doc/standardisation/rfc2228.txt b/crypto/heimdal-0.6.3/doc/standardisation/rfc2228.txt
deleted file mode 100644
index 1fbfcbfa09..0000000000
--- a/crypto/heimdal-0.6.3/doc/standardisation/rfc2228.txt
+++ /dev/null
@@ -1,1515 +0,0 @@ - - - - - - -Network Working Group M. Horowitz -Request for Comments: 2228 Cygnus Solutions -Updates: 959 S. Lunt -Category: Standards Track Bellcore - October 1997 - - FTP Security Extensions - -Status of this Memo - - This document specifies an Internet standards track protocol for the - Internet community, and requests discussion and suggestions for - improvements. Please refer to the current edition of the "Internet - Official Protocol Standards" (STD 1) for the standardization state - and status of this protocol. Distribution of this memo is unlimited. - -Copyright Notice - - Copyright (C) The Internet Society (1997). All Rights Reserved. - -Abstract - - This document defines extensions to the FTP specification STD 9, RFC - 959, "FILE TRANSFER PROTOCOL (FTP)" (October 1985). These extensions - provide strong authentication, integrity, and confidentiality on both - the control and data channels with the introduction of new optional - commands, replies, and file transfer encodings. - - The following new optional commands are introduced in this - specification: - - AUTH (Authentication/Security Mechanism), - ADAT (Authentication/Security Data), - PROT (Data Channel Protection Level), - PBSZ (Protection Buffer Size), - CCC (Clear Command Channel), - MIC (Integrity Protected Command), - CONF (Confidentiality Protected Command), and - ENC (Privacy Protected Command). - - A new class of reply types (6yz) is also introduced for protected - replies. - - None of the above commands are required to be implemented, but - interdependencies exist. These dependencies are documented with the - commands. - - Note that this specification is compatible with STD 9, RFC 959. - - - -Horowitz & Lunt Standards Track [Page 1] - -RFC 2228 FTP Security Extensions October 1997 - - -1. 
Introduction - - The File Transfer Protocol (FTP) currently defined in STD 9, RFC 959 - and in place on the Internet uses usernames and passwords passed in - cleartext to authenticate clients to servers (via the USER and PASS - commands). Except for services such as "anonymous" FTP archives, - this represents a security risk whereby passwords can be stolen - through monitoring of local and wide-area networks. This either aids - potential attackers through password exposure and/or limits - accessibility of files by FTP servers who cannot or will not accept - the inherent security risks. - - Aside from the problem of authenticating users in a secure manner, - there is also the problem of authenticating servers, protecting - sensitive data and/or verifying its integrity. An attacker may be - able to access valuable or sensitive data merely by monitoring a - network, or through active means may be able to delete or modify the - data being transferred so as to corrupt its integrity. An active - attacker may also initiate spurious file transfers to and from a site - of the attacker's choice, and may invoke other commands on the - server. FTP does not currently have any provision for the encryption - or verification of the authenticity of commands, replies, or - transferred data. Note that these security services have value even - to anonymous file access. - - Current practice for sending files securely is generally either: - - 1. via FTP of files pre-encrypted under keys which are manually - distributed, - - 2. via electronic mail containing an encoding of a file encrypted - under keys which are manually distributed, - - 3. via a PEM message, or - - 4. via the rcp command enhanced to use Kerberos. - - None of these means could be considered even a de facto standard, and - none are truly interactive. 
A need exists to securely transfer files - using FTP in a secure manner which is supported within the FTP - protocol in a consistent manner and which takes advantage of existing - security infrastructure and technology. Extensions are necessary to - the FTP specification if these security services are to be introduced - into the protocol in an interoperable way. - - - - - - - -Horowitz & Lunt Standards Track [Page 2] - -RFC 2228 FTP Security Extensions October 1997 - - - Although the FTP control connection follows the Telnet protocol, and - Telnet has defined an authentication and encryption option [TELNET- - SEC], [RFC-1123] explicitly forbids the use of Telnet option - negotiation over the control connection (other than Synch and IP). - - Also, the Telnet authentication and encryption option does not - provide for integrity protection only (without confidentiality), and - does not address the protection of the data channel. - -2. FTP Security Overview - - At the highest level, the FTP security extensions seek to provide an - abstract mechanism for authenticating and/or authorizing connections, - and integrity and/or confidentiality protecting commands, replies, - and data transfers. - - In the context of FTP security, authentication is the establishment - of a client's identity and/or a server's identity in a secure way, - usually using cryptographic techniques. The basic FTP protocol does - not have a concept of authentication. - - Authorization is the process of validating a user for login. The - basic authorization process involves the USER, PASS, and ACCT - commands. With the FTP security extensions, authentication - established using a security mechanism may also be used to make the - authorization decision. - - Without the security extensions, authentication of the client, as - this term is usually understood, never happens. FTP authorization is - accomplished with a password, passed on the network in the clear as - the argument to the PASS command. 
The possessor of this password is - assumed to be authorized to transfer files as the user named in the - USER command, but the identity of the client is never securely - established. - - An FTP security interaction begins with a client telling the server - what security mechanism it wants to use with the AUTH command. The - server will either accept this mechanism, reject this mechanism, or, - in the case of a server which does not implement the security - extensions, reject the command completely. The client may try - multiple security mechanisms until it requests one which the server - accepts. This allows a rudimentary form of negotiation to take - place. (If more complex negotiation is desired, this may be - implemented as a security mechanism.) The server's reply will - indicate if the client must respond with additional data for the - - - - - - -Horowitz & Lunt Standards Track [Page 3] - -RFC 2228 FTP Security Extensions October 1997 - - - security mechanism to interpret. If none is needed, this will - usually mean that the mechanism is one where the password (specified - by the PASS command) is to be interpreted differently, such as with a - token or one-time password system. - - If the server requires additional security information, then the - client and server will enter into a security data exchange. The - client will send an ADAT command containing the first block of - security data. The server's reply will indicate if the data exchange - is complete, if there was an error, or if more data is needed. The - server's reply can optionally contain security data for the client to - interpret. If more data is needed, the client will send another ADAT - command containing the next block of data, and await the server's - reply. This exchange can continue as many times as necessary. Once - this exchange completes, the client and server have established a - security association. 
This security association may include - authentication (client, server, or mutual) and keying information for - integrity and/or confidentiality, depending on the mechanism in use. - - The term "security data" here is carefully chosen. The purpose of - the security data exchange is to establish a security association, - which might not actually include any authentication at all, between - the client and the server as described above. For instance, a - Diffie-Hellman exchange establishes a secret key, but no - authentication takes place. If an FTP server has an RSA key pair but - the client does not, then the client can authenticate the server, but - the server cannot authenticate the client. - - Once a security association is established, authentication which is a - part of this association may be used instead of or in addition to the - standard username/password exchange for authorizing a user to connect - to the server. A username specified by the USER command is always - required to specify the identity to be used on the server. - - In order to prevent an attacker from inserting or deleting commands - on the control stream, if the security association supports - integrity, then the server and client must use integrity protection - on the control stream, unless it first transmits a CCC command to - turn off this requirement. Integrity protection is performed with - the MIC and ENC commands, and the 63z reply codes. The CCC command - and its reply must be transmitted with integrity protection. - Commands and replies may be transmitted without integrity (that is, - in the clear or with confidentiality only) only if no security - association is established, the negotiated security association does - not support integrity, or the CCC command has succeeded. 
- - - - - - -Horowitz & Lunt Standards Track [Page 4] - -RFC 2228 FTP Security Extensions October 1997 - - - Once the client and server have negotiated with the PBSZ command an - acceptable buffer size for encapsulating protected data over the data - channel, the security mechanism may also be used to protect data - channel transfers. - - Policy is not specified by this document. In particular, client and - server implementations may choose to implement restrictions on what - operations can be performed depending on the security association - which exists. For example, a server may require that a client - authorize via a security mechanism rather than using a password, - require that the client provide a one-time password from a token, - require at least integrity protection on the command channel, or - require that certain files only be transmitted encrypted. An - anonymous ftp client might refuse to do file transfers without - integrity protection in order to insure the validity of files - downloaded. - - No particular set of functionality is required, except as - dependencies described in the next section. This means that none of - authentication, integrity, or confidentiality are required of an - implementation, although a mechanism which does none of these is not - of much use. For example, it is acceptable for a mechanism to - implement only integrity protection, one-way authentication and/or - encryption, encryption without any authentication or integrity - protection, or any other subset of functionality if policy or - technical considerations make this desirable. Of course, one peer - might require as a matter of policy stronger protection than the - other is able to provide, preventing perfect interoperability. - -3. New FTP Commands - - The following commands are optional, but dependent on each other. - They are extensions to the FTP Access Control Commands. 
- - The reply codes documented here are generally described as - recommended, rather than required. The intent is that reply codes - describing the full range of success and failure modes exist, but - that servers be allowed to limit information presented to the client. - For example, a server might implement a particular security - mechanism, but have a policy restriction against using it. The - server should respond with a 534 reply code in this case, but may - respond with a 504 reply code if it does not wish to divulge that the - disallowed mechanism is supported. If the server does choose to use - a different reply code than the recommended one, it should try to use - a reply code which only differs in the last digit. In all cases, the - server must use a reply code which is documented as returnable from - the command received, and this reply code must begin with the same - digit as the recommended reply code for the situation. - - - -Horowitz & Lunt Standards Track [Page 5] - -RFC 2228 FTP Security Extensions October 1997 - - - AUTHENTICATION/SECURITY MECHANISM (AUTH) - - The argument field is a Telnet string identifying a supported - mechanism. This string is case-insensitive. Values must be - registered with the IANA, except that values beginning with "X-" - are reserved for local use. - - If the server does not recognize the AUTH command, it must respond - with reply code 500. This is intended to encompass the large - deployed base of non-security-aware ftp servers, which will - respond with reply code 500 to any unrecognized command. If the - server does recognize the AUTH command but does not implement the - security extensions, it should respond with reply code 502. - - If the server does not understand the named security mechanism, it - should respond with reply code 504. - - If the server is not willing to accept the named security - mechanism, it should respond with reply code 534. 
- - If the server is not able to accept the named security mechanism, - such as if a required resource is unavailable, it should respond - with reply code 431. - - If the server is willing to accept the named security mechanism, - but requires security data, it must respond with reply code 334. - - If the server is willing to accept the named security mechanism, - and does not require any security data, it must respond with reply - code 234. - - If the server is responding with a 334 reply code, it may include - security data as described in the next section. - - Some servers will allow the AUTH command to be reissued in order - to establish new authentication. The AUTH command, if accepted, - removes any state associated with prior FTP Security commands. - The server must also require that the user reauthorize (that is, - reissue some or all of the USER, PASS, and ACCT commands) in this - case (see section 4 for an explanation of "authorize" in this - context). - - - - - - - - - - -Horowitz & Lunt Standards Track [Page 6] - -RFC 2228 FTP Security Extensions October 1997 - - - AUTHENTICATION/SECURITY DATA (ADAT) - - The argument field is a Telnet string representing base 64 encoded - security data (see Section 9, "Base 64 Encoding"). If a reply - code indicating success is returned, the server may also use a - string of the form "ADAT=base64data" as the text part of the reply - if it wishes to convey security data back to the client. - - The data in both cases is specific to the security mechanism - specified by the previous AUTH command. The ADAT command, and the - associated replies, allow the client and server to conduct an - arbitrary security protocol. The security data exchange must - include enough information for both peers to be aware of which - optional features are available. For example, if the client does - not support data encryption, the server must be made aware of - this, so it will know not to send encrypted command channel - replies. 
It is strongly recommended that the security mechanism - provide sequencing on the command channel, to insure that commands - are not deleted, reordered, or replayed. - - The ADAT command must be preceded by a successful AUTH command, - and cannot be issued once a security data exchange completes - (successfully or unsuccessfully), unless it is preceded by an AUTH - command to reset the security state. - - If the server has not yet received an AUTH command, or if a prior - security data exchange completed, but the security state has not - been reset with an AUTH command, it should respond with reply code - 503. - - If the server cannot base 64 decode the argument, it should - respond with reply code 501. - - If the server rejects the security data (if a checksum fails, for - instance), it should respond with reply code 535. - - If the server accepts the security data, and requires additional - data, it should respond with reply code 335. - - If the server accepts the security data, but does not require any - additional data (i.e., the security data exchange has completed - successfully), it must respond with reply code 235. - - If the server is responding with a 235 or 335 reply code, then it - may include security data in the text part of the reply as - specified above. - - - - - -Horowitz & Lunt Standards Track [Page 7] - -RFC 2228 FTP Security Extensions October 1997 - - - If the ADAT command returns an error, the security data exchange - will fail, and the client must reset its internal security state. - If the client becomes unsynchronized with the server (for example, - the server sends a 234 reply code to an AUTH command, but the - client has more data to transmit), then the client must reset the - server's security state. - - PROTECTION BUFFER SIZE (PBSZ) - - The argument is a decimal integer representing the maximum size, - in bytes, of the encoded data blocks to be sent or received during - file transfer. 
This number shall be no greater than can be - represented in a 32-bit unsigned integer. - - This command allows the FTP client and server to negotiate a - maximum protected buffer size for the connection. There is no - default size; the client must issue a PBSZ command before it can - issue the first PROT command. - - The PBSZ command must be preceded by a successful security data - exchange. - - If the server cannot parse the argument, or if it will not fit in - 32 bits, it should respond with a 501 reply code. - - If the server has not completed a security data exchange with the - client, it should respond with a 503 reply code. - - Otherwise, the server must reply with a 200 reply code. If the - size provided by the client is too large for the server, it must - use a string of the form "PBSZ=number" in the text part of the - reply to indicate a smaller buffer size. The client and the - server must use the smaller of the two buffer sizes if both buffer - sizes are specified. - - DATA CHANNEL PROTECTION LEVEL (PROT) - - The argument is a single Telnet character code specifying the data - channel protection level. - - This command indicates to the server what type of data channel - protection the client and server will be using. The following - codes are assigned: - - C - Clear - S - Safe - E - Confidential - P - Private - - - -Horowitz & Lunt Standards Track [Page 8] - -RFC 2228 FTP Security Extensions October 1997 - - - The default protection level if no other level is specified is - Clear. The Clear protection level indicates that the data channel - will carry the raw data of the file transfer, with no security - applied. The Safe protection level indicates that the data will - be integrity protected. The Confidential protection level - indicates that the data will be confidentiality protected. The - Private protection level indicates that the data will be integrity - and confidentiality protected. 
- - It is reasonable for a security mechanism not to provide all data - channel protection levels. It is also reasonable for a mechanism - to provide more protection at a level than is required (for - instance, a mechanism might provide Confidential protection, but - include integrity-protection in that encoding, due to API or other - considerations). - - The PROT command must be preceded by a successful protection - buffer size negotiation. - - If the server does not understand the specified protection level, - it should respond with reply code 504. - - If the current security mechanism does not support the specified - protection level, the server should respond with reply code 536. - - If the server has not completed a protection buffer size - negotiation with the client, it should respond with a 503 reply - code. - - The PROT command will be rejected and the server should reply 503 - if no previous PBSZ command was issued. - - If the server is not willing to accept the specified protection - level, it should respond with reply code 534. - - If the server is not able to accept the specified protection - level, such as if a required resource is unavailable, it should - respond with reply code 431. - - Otherwise, the server must reply with a 200 reply code to indicate - that the specified protection level is accepted. - - CLEAR COMMAND CHANNEL (CCC) - - This command does not take an argument. - - - - - - -Horowitz & Lunt Standards Track [Page 9] - -RFC 2228 FTP Security Extensions October 1997 - - - It is desirable in some environments to use a security mechanism - to authenticate and/or authorize the client and server, but not to - perform any integrity checking on the subsequent commands. This - might be used in an environment where IP security is in place, - insuring that the hosts are authenticated and that TCP streams - cannot be tampered, but where user authentication is desired. 
- - If unprotected commands are allowed on any connection, then an - attacker could insert a command on the control stream, and the - server would have no way to know that it was invalid. In order to - prevent such attacks, once a security data exchange completes - successfully, if the security mechanism supports integrity, then - integrity (via the MIC or ENC command, and 631 or 632 reply) must - be used, until the CCC command is issued to enable non-integrity - protected control channel messages. The CCC command itself must - be integrity protected. - - Once the CCC command completes successfully, if a command is not - protected, then the reply to that command must also not be - protected. This is to support interoperability with clients which - do not support protection once the CCC command has been issued. - - This command must be preceded by a successful security data - exchange. - - If the command is not integrity-protected, the server must respond - with a 533 reply code. - - If the server is not willing to turn off the integrity - requirement, it should respond with a 534 reply code. - - Otherwise, the server must reply with a 200 reply code to indicate - that unprotected commands and replies may now be used on the - command channel. - - INTEGRITY PROTECTED COMMAND (MIC) and - CONFIDENTIALITY PROTECTED COMMAND (CONF) and - PRIVACY PROTECTED COMMAND (ENC) - - The argument field of MIC is a Telnet string consisting of a base - 64 encoded "safe" message produced by a security mechanism - specific message integrity procedure. The argument field of CONF - is a Telnet string consisting of a base 64 encoded "confidential" - message produced by a security mechanism specific confidentiality - procedure. The argument field of ENC is a Telnet string - consisting of a base 64 encoded "private" message produced by a - security mechanism specific message integrity and confidentiality - procedure. 
- - - -Horowitz & Lunt Standards Track [Page 10] - -RFC 2228 FTP Security Extensions October 1997 - - - The server will decode and/or verify the encoded message. - - This command must be preceded by a successful security data - exchange. - - A server may require that the first command after a successful - security data exchange be CCC, and not implement the protection - commands at all. In this case, the server should respond with a - 502 reply code. - - If the server cannot base 64 decode the argument, it should - respond with a 501 reply code. - - If the server has not completed a security data exchange with the - client, it should respond with a 503 reply code. - - If the server has completed a security data exchange with the - client using a mechanism which supports integrity, and requires a - CCC command due to policy or implementation limitations, it should - respond with a 503 reply code. - - If the server rejects the command because it is not supported by - the current security mechanism, the server should respond with - reply code 537. - - If the server rejects the command (if a checksum fails, for - instance), it should respond with reply code 535. - - If the server is not willing to accept the command (if privacy is - required by policy, for instance, or if a CONF command is received - before a CCC command), it should respond with reply code 533. - - Otherwise, the command will be interpreted as an FTP command. An - end-of-line code need not be included, but if one is included, it - must be a Telnet end-of-line code, not a local end-of-line code. - - The server may require that, under some or all circumstances, all - commands be protected. In this case, it should make a 533 reply - to commands other than MIC, CONF, and ENC. - -4. Login Authorization - - The security data exchange may, among other things, establish the - identity of the client in a secure way to the server. This identity - may be used as one input to the login authorization process. 
- - - - - - -Horowitz & Lunt Standards Track [Page 11] - -RFC 2228 FTP Security Extensions October 1997 - - - In response to the FTP login commands (AUTH, PASS, ACCT), the server - may choose to change the sequence of commands and replies specified - by RFC 959 as follows. There are also some new replies available. - - If the server is willing to allow the user named by the USER command - to log in based on the identity established by the security data - exchange, it should respond with reply code 232. - - If the security mechanism requires a challenge/response password, it - should respond to the USER command with reply code 336. The text - part of the reply should contain the challenge. The client must - display the challenge to the user before prompting for the password - in this case. This is particularly relevant to more sophisticated - clients or graphical user interfaces which provide dialog boxes or - other modal input. These clients should be careful not to prompt for - the password before the username has been sent to the server, in case - the user needs the challenge in the 336 reply to construct a valid - password. - -5. New FTP Replies - - The new reply codes are divided into two classes. The first class is - new replies made necessary by the new FTP Security commands. The - second class is a new reply type to indicate protected replies. - - 5.1. New individual reply codes - - 232 User logged in, authorized by security data exchange. - 234 Security data exchange complete. - 235 [ADAT=base64data] - ; This reply indicates that the security data exchange - ; completed successfully. The square brackets are not - ; to be included in the reply, but indicate that - ; security data in the reply is optional. - - 334 [ADAT=base64data] - ; This reply indicates that the requested security mechanism - ; is ok, and includes security data to be used by the client - ; to construct the next command. 
The square brackets are not - ; to be included in the reply, but indicate that - ; security data in the reply is optional. - 335 [ADAT=base64data] - ; This reply indicates that the security data is - ; acceptable, and more is required to complete the - ; security data exchange. The square brackets - ; are not to be included in the reply, but indicate - ; that security data in the reply is optional. - - - - -Horowitz & Lunt Standards Track [Page 12] - -RFC 2228 FTP Security Extensions October 1997 - - - 336 Username okay, need password. Challenge is "...." - ; The exact representation of the challenge should be chosen - ; by the mechanism to be sensible to the human user of the - ; system. - - 431 Need some unavailable resource to process security. - - 533 Command protection level denied for policy reasons. - 534 Request denied for policy reasons. - 535 Failed security check (hash, sequence, etc). - 536 Requested PROT level not supported by mechanism. - 537 Command protection level not supported by security mechanism. - - 5.2. Protected replies. - - One new reply type is introduced: - - 6yz Protected reply - - There are three reply codes of this type. The first, reply - code 631 indicates an integrity protected reply. The - second, reply code 632, indicates a confidentiality and - integrity protected reply. the third, reply code 633, - indicates a confidentiality protected reply. - - The text part of a 631 reply is a Telnet string consisting - of a base 64 encoded "safe" message produced by a security - mechanism specific message integrity procedure. The text - part of a 632 reply is a Telnet string consisting of a base - 64 encoded "private" message produced by a security - mechanism specific message confidentiality and integrity - procedure. The text part of a 633 reply is a Telnet string - consisting of a base 64 encoded "confidential" message - produced by a security mechanism specific message - confidentiality procedure. 
- - The client will decode and verify the encoded reply. How - failures decoding or verifying replies are handled is - implementation-specific. An end-of-line code need not be - included, but if one is included, it must be a Telnet end- - of-line code, not a local end-of-line code. - - A protected reply may only be sent if a security data - exchange has succeeded. - - The 63z reply may be a multiline reply. In this case, the - plaintext reply must be broken up into a number of - fragments. Each fragment must be protected, then base 64 - - - -Horowitz & Lunt Standards Track [Page 13] - -RFC 2228 FTP Security Extensions October 1997 - - - encoded in order into a separate line of the multiline - reply. There need not be any correspondence between the - line breaks in the plaintext reply and the encoded reply. - Telnet end-of-line codes must appear in the plaintext of the - encoded reply, except for the final end-of-line code, which - is optional. - - The multiline reply must be formatted more strictly than the - continuation specification in RFC 959. In particular, each - line before the last must be formed by the reply code, - followed immediately by a hyphen, followed by a base 64 - encoded fragment of the reply. - - For example, if the plaintext reply is - - 123-First line - Second line - 234 A line beginning with numbers - 123 The last line - - then the resulting protected reply could be any of the - following (the first example has a line break only to fit - within the margins): - - 631 base64(protect("123-First line\r\nSecond line\r\n 234 A line - 631-base64(protect("123-First line\r\n")) - 631-base64(protect("Second line\r\n")) - 631-base64(protect(" 234 A line beginning with numbers\r\n")) - 631 base64(protect("123 The last line")) - - 631-base64(protect("123-First line\r\nSecond line\r\n 234 A line b")) - 631 base64(protect("eginning with numbers\r\n123 The last line\r\n")) - -6. 
Data Channel Encapsulation - - When data transfers are protected between the client and server (in - either direction), certain transformations and encapsulations must be - performed so that the recipient can properly decode the transmitted - file. - - The sender must apply all protection services after transformations - associated with the representation type, file structure, and transfer - mode have been performed. The data sent over the data channel is, - for the purposes of protection, to be treated as a byte stream. - - When performing a data transfer in an authenticated manner, the - authentication checks are performed on individual blocks of the file, - rather than on the file as a whole. Consequently, it is possible for - - - -Horowitz & Lunt Standards Track [Page 14] - -RFC 2228 FTP Security Extensions October 1997 - - - insertion attacks to insert blocks into the data stream (i.e., - replays) that authenticate correctly, but result in a corrupted file - being undetected by the receiver. To guard against such attacks, the - specific security mechanism employed should include mechanisms to - protect against such attacks. Many GSS-API mechanisms usable with - the specification in Appendix I, and the Kerberos mechanism in - Appendix II do so. - - The sender must take the input byte stream, and break it up into - blocks such that each block, when encoded using a security mechanism - specific procedure, will be no larger than the buffer size negotiated - by the client with the PBSZ command. Each block must be encoded, - then transmitted with the length of the encoded block prepended as a - four byte unsigned integer, most significant byte first. - - When the end of the file is reached, the sender must encode a block - of zero bytes, and send this final block to the recipient before - closing the data connection. 
- - The recipient will read the four byte length, read a block of data - that many bytes long, then decode and verify this block with a - security mechanism specific procedure. This must be repeated until a - block encoding a buffer of zero bytes is received. This indicates - the end of the encoded byte stream. - - Any transformations associated with the representation type, file - structure, and transfer mode are to be performed by the recipient on - the byte stream resulting from the above process. - - When using block transfer mode, the sender's (cleartext) buffer size - is independent of the block size. - - The server will reply 534 to a STOR, STOU, RETR, LIST, NLST, or APPE - command if the current protection level is not at the level dictated - by the server's security requirements for the particular file - transfer. - - If any data protection services fail at any time during data transfer - at the server end (including an attempt to send a buffer size greater - than the negotiated maximum), the server will send a 535 reply to the - data transfer command (either STOR, STOU, RETR, LIST, NLST, or APPE). - - - - - - - - - - -Horowitz & Lunt Standards Track [Page 15] - -RFC 2228 FTP Security Extensions October 1997 - - -7. Potential policy considerations - - While there are no restrictions on client and server policy, there - are a few recommendations which an implementation should implement. - - - Once a security data exchange takes place, a server should require - all commands be protected (with integrity and/or confidentiality), - and it should protect all replies. Replies should use the same - level of protection as the command which produced them. This - includes replies which indicate failure of the MIC, CONF, and ENC - commands. In particular, it is not meaningful to require that - AUTH and ADAT be protected; it is meaningful and useful to require - that PROT and PBSZ be protected. 
In particular, the use of CCC is - not recommended, but is defined in the interest of - interoperability between implementations which might desire such - functionality. - - - A client should encrypt the PASS command whenever possible. It is - reasonable for the server to refuse to accept a non-encrypted PASS - command if the server knows encryption is available. - - - Although no security commands are required to be implemented, it - is recommended that an implementation provide all commands which - can be implemented, given the mechanisms supported and the policy - considerations of the site (export controls, for instance). - -8. Declarative specifications - - These sections are modelled after sections 5.3 and 5.4 of RFC 959, - which describe the same information, except for the standard FTP - commands and replies. - - 8.1. FTP Security commands and arguments - - AUTH - ADAT - PROT - PBSZ - MIC - CONF - ENC - - ::= - ::= - ; must be formatted as described in section 9 - ::= C | S | E | P - ::= any decimal integer from 1 to (2^32)-1 - - - - -Horowitz & Lunt Standards Track [Page 16] - -RFC 2228 FTP Security Extensions October 1997 - - - 8.2. 
Command-Reply sequences - - Security Association Setup - AUTH - 234 - 334 - 502, 504, 534, 431 - 500, 501, 421 - ADAT - 235 - 335 - 503, 501, 535 - 500, 501, 421 - Data protection negotiation commands - PBSZ - 200 - 503 - 500, 501, 421, 530 - PROT - 200 - 504, 536, 503, 534, 431 - 500, 501, 421, 530 - Command channel protection commands - MIC - 535, 533 - 500, 501, 421 - CONF - 535, 533 - 500, 501, 421 - ENC - 535, 533 - 500, 501, 421 - Security-Enhanced login commands (only new replies listed) - USER - 232 - 336 - Data channel commands (only new replies listed) - STOR - 534, 535 - STOU - 534, 535 - RETR - 534, 535 - - - - - - - - -Horowitz & Lunt Standards Track [Page 17] - -RFC 2228 FTP Security Extensions October 1997 - - - LIST - 534, 535 - NLST - 534, 535 - APPE - 534, 535 - - In addition to these reply codes, any security command can return - 500, 501, 502, 533, or 421. Any ftp command can return a reply - code encapsulated in a 631, 632, or 633 reply once a security data - exchange has completed successfully. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Horowitz & Lunt Standards Track [Page 18] - -RFC 2228 FTP Security Extensions October 1997 - - -9. State Diagrams - - This section includes a state diagram which demonstrates the flow of - authentication and authorization in a security enhanced FTP - implementation. The rectangular blocks show states where the client - must issue a command, and the diamond blocks show states where the - server must issue a response. - - - ,------------------, USER - __\| Unauthenticated |_________\ - | /| (new connection) | /| - | `------------------' | - | | | - | | AUTH | - | V | - | / \ | - | 4yz,5yz / \ 234 | - |<--------< >------------->. | - | \ / | | - | \_/ | | - | | | | - | | 334 | | - | V | | - | ,--------------------, | | - | | Need Security Data |<--. 
| | - | `--------------------' | | | - | | | | | - | | ADAT | | | - | V | | | - | / \ | | | - | 4yz,5yz / \ 335 | | | - `<--------< >-----------' | | - \ / | | - \_/ | | - | | | - | 235 | | - V | | - ,---------------. | | - ,--->| Authenticated |<--------' | After the client and server - | `---------------' | have completed authenti- - | | | cation, command must be - | | USER | integrity-protected if - | | | integrity is available. The - | |<-------------------' CCC command may be issued to - | V relax this restriction. - - - - - -Horowitz & Lunt Standards Track [Page 19] - -RFC 2228 FTP Security Extensions October 1997 - - - | / \ - | 4yz,5yz / \ 2yz - |<--------< >------------->. - | \ / | - | \_/ | - | | | - | | 3yz | - | V | - | ,---------------. | - | | Need Password | | - | `---------------' | - | | | - | | PASS | - | V | - | / \ | - | 4yz,5yz / \ 2yz | - |<--------< >------------->| - | \ / | - | \_/ | - | | | - | | 3yz | - | V | - | ,--------------. | - | | Need Account | | - | `--------------' | - | | | - | | ACCT | - | V | - | / \ | - | 4yz,5yz / \ 2yz | - `<--------< >------------->| - \ / | - \_/ | - | | - | 3yz | - V | - ,-------------. | - | Authorized |/________| - | (Logged in) |\ - `-------------' - - - - - - - - - - - -Horowitz & Lunt Standards Track [Page 20] - -RFC 2228 FTP Security Extensions October 1997 - - -10. Base 64 Encoding - - Base 64 encoding is the same as the Printable Encoding described in - Section 4.3.2.4 of [RFC-1421], except that line breaks must not be - included. This encoding is defined as follows. 
- - Proceeding from left to right, the bit string resulting from the - mechanism specific protection routine is encoded into characters - which are universally representable at all sites, though not - necessarily with the same bit patterns (e.g., although the character - "E" is represented in an ASCII-based system as hexadecimal 45 and as - hexadecimal C5 in an EBCDIC-based system, the local significance of - the two representations is equivalent). - - A 64-character subset of International Alphabet IA5 is used, enabling - 6 bits to be represented per printable character. (The proposed - subset of characters is represented identically in IA5 and ASCII.) - The character "=" signifies a special processing function used for - padding within the printable encoding procedure. - - The encoding process represents 24-bit groups of input bits as output - strings of 4 encoded characters. Proceeding from left to right - across a 24-bit input group output from the security mechanism - specific message protection procedure, each 6-bit group is used as an - index into an array of 64 printable characters, namely "[A-Z][a- - z][0-9]+/". The character referenced by the index is placed in the - output string. These characters are selected so as to be universally - representable, and the set excludes characters with particular - significance to Telnet (e.g., "", "", IAC). - - Special processing is performed if fewer than 24 bits are available - in an input group at the end of a message. A full encoding quantum - is always completed at the end of a message. When fewer than 24 - input bits are available in an input group, zero bits are added (on - the right) to form an integral number of 6-bit groups. Output - character positions which are not required to represent actual input - data are set to the character "=". 
Since all canonically encoded - output is an integral number of octets, only the following cases can - arise: (1) the final quantum of encoding input is an integral - multiple of 24 bits; here, the final unit of encoded output will be - an integral multiple of 4 characters with no "=" padding, (2) the - final quantum of encoding input is exactly 8 bits; here, the final - unit of encoded output will be two characters followed by two "=" - padding characters, or (3) the final quantum of encoding input is - exactly 16 bits; here, the final unit of encoded output will be three - characters followed by one "=" padding character. - - - - - -Horowitz & Lunt Standards Track [Page 21] - -RFC 2228 FTP Security Extensions October 1997 - - - Implementors must keep in mind that the base 64 encodings in ADAT, - MIC, CONF, and ENC commands, and in 63z replies may be arbitrarily - long. Thus, the entire line must be read before it can be processed. - Several successive reads on the control channel may be necessary. It - is not appropriate to for a server to reject a command containing a - base 64 encoding simply because it is too long (assuming that the - decoding is otherwise well formed in the context in which it was - sent). - - Case must not be ignored when reading commands and replies containing - base 64 encodings. - -11. Security Considerations - - This entire document deals with security considerations related to - the File Transfer Protocol. - - Third party file transfers cannot be secured using these extensions, - since a security context cannot be established between two servers - using these facilities (no control connection exists between servers - over which to pass ADAT tokens). Further work in this area is - deferred. - -12. Acknowledgements - - I would like to thank the members of the CAT WG, as well as all - participants in discussions on the "cat-ietf@mit.edu" mailing list, - for their contributions to this document. 
I would especially like to - thank Sam Sjogren, John Linn, Ted Ts'o, Jordan Brown, Michael Kogut, - Derrick Brashear, John Gardiner Myers, Denis Pinkas, and Karri Balk - for their contributions to this work. Of course, without Steve Lunt, - the author of the first six revisions of this document, it would not - exist at all. - -13. References - - [TELNET-SEC] Borman, D., "Telnet Authentication and Encryption - Option", Work in Progress. - - [RFC-1123] Braden, R., "Requirements for Internet Hosts -- - Application and Support", STD 3, RFC 1123, October 1989. - - [RFC-1421] Linn, J., "Privacy Enhancement for Internet Electronic - Mail: Part I: Message Encryption and Authentication Procedures", - RFC 1421, February 1993. - - - - - - -Horowitz & Lunt Standards Track [Page 22] - -RFC 2228 FTP Security Extensions October 1997 - - -14. Author's Address - - Marc Horowitz - Cygnus Solutions - 955 Massachusetts Avenue - Cambridge, MA 02139 - - Phone: +1 617 354 7688 - EMail: marc@cygnus.com - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Horowitz & Lunt Standards Track [Page 23] - -RFC 2228 FTP Security Extensions October 1997 - - -Appendix I: Specification under the GSSAPI - - In order to maximise the utility of new security mechanisms, it is - desirable that new mechanisms be implemented as GSSAPI mechanisms - rather than as FTP security mechanisms. This will enable existing - ftp implementations to support the new mechanisms more easily, since - little or no code will need to be changed. In addition, the - mechanism will be usable by other protocols, such as IMAP, which are - built on top of the GSSAPI, with no additional specification or - implementation work needed by the mechanism designers. - - The security mechanism name (for the AUTH command) associated with - all mechanisms employing the GSSAPI is GSSAPI. 
If the server - supports a security mechanism employing the GSSAPI, it must respond - with a 334 reply code indicating that an ADAT command is expected - next. - - The client must begin the authentication exchange by calling - GSS_Init_Sec_Context, passing in 0 for input_context_handle - (initially), and a targ_name equal to output_name from - GSS_Import_Name called with input_name_type of Host-Based Service and - input_name_string of "ftp@hostname" where "hostname" is the fully - qualified host name of the server with all letters in lower case. - (Failing this, the client may try again using input_name_string of - "host@hostname".) The output_token must then be base 64 encoded and - sent to the server as the argument to an ADAT command. If - GSS_Init_Sec_Context returns GSS_S_CONTINUE_NEEDED, then the client - must expect a token to be returned in the reply to the ADAT command. - This token must subsequently be passed to another call to - GSS_Init_Sec_Context. In this case, if GSS_Init_Sec_Context returns - no output_token, then the reply code from the server for the previous - ADAT command must have been 235. If GSS_Init_Sec_Context returns - GSS_S_COMPLETE, then no further tokens are expected from the server, - and the client must consider the server authenticated. - - The server must base 64 decode the argument to the ADAT command and - pass the resultant token to GSS_Accept_Sec_Context as input_token, - setting acceptor_cred_handle to NULL (for "use default credentials"), - and 0 for input_context_handle (initially). If an output_token is - returned, it must be base 64 encoded and returned to the client by - including "ADAT=base64string" in the text of the reply. If - GSS_Accept_Sec_Context returns GSS_S_COMPLETE, the reply code must be - 235, and the server must consider the client authenticated. If - GSS_Accept_Sec_Context returns GSS_S_CONTINUE_NEEDED, the reply code - must be 335. 
Otherwise, the reply code should be 535, and the text - of the reply should contain a descriptive error message. - - - - - -Horowitz & Lunt Standards Track [Page 24] - -RFC 2228 FTP Security Extensions October 1997 - - - The chan_bindings input to GSS_Init_Sec_Context and - GSS_Accept_Sec_Context should use the client internet address and - server internet address as the initiator and acceptor addresses, - respectively. The address type for both should be GSS_C_AF_INET. No - application data should be specified. - - Since GSSAPI supports anonymous peers to security contexts, it is - possible that the client's authentication of the server does not - actually establish an identity. - - The procedure associated with MIC commands, 631 replies, and Safe - file transfers is: - - GSS_Wrap for the sender, with conf_flag == FALSE - - GSS_Unwrap for the receiver - - The procedure associated with ENC commands, 632 replies, and Private - file transfers is: - - GSS_Wrap for the sender, with conf_flag == TRUE - GSS_Unwrap for the receiver - - CONF commands and 633 replies are not supported. - - Both the client and server should inspect the value of conf_avail to - determine whether the peer supports confidentiality services. - - When the security state is reset (when AUTH is received a second - time, or when REIN is received), this should be done by calling the - GSS_Delete_sec_context function. - -Appendix II: Specification under Kerberos version 4 - - The security mechanism name (for the AUTH command) associated with - Kerberos Version 4 is KERBEROS_V4. If the server supports - KERBEROS_V4, it must respond with a 334 reply code indicating that an - ADAT command is expected next. 
- - The client must retrieve a ticket for the Kerberos principal - "ftp.hostname@realm" by calling krb_mk_req(3) with a principal name - of "ftp", an instance equal to the first part of the canonical host - name of the server with all letters in lower case (as returned by - krb_get_phost(3)), the server's realm name (as returned by - krb_realmofhost(3)), and an arbitrary checksum. The ticket must then - be base 64 encoded and sent as the argument to an ADAT command. - - - - - -Horowitz & Lunt Standards Track [Page 25] - -RFC 2228 FTP Security Extensions October 1997 - - - If the "ftp" principal name is not a registered principal in the - Kerberos database, then the client may fall back on the "rcmd" - principal name (same instance and realm). However, servers must - accept only one or the other of these principal names, and must not - be willing to accept either. Generally, if the server has a key for - the "ftp" principal in its srvtab, then that principal only must be - used, otherwise the "rcmd" principal only must be used. - - The server must base 64 decode the argument to the ADAT command and - pass the result to krb_rd_req(3). The server must add one to the - checksum from the authenticator, convert the result to network byte - order (most significant byte first), and sign it using - krb_mk_safe(3), and base 64 encode the result. Upon success, the - server must reply to the client with a 235 code and include - "ADAT=base64string" in the text of the reply. Upon failure, the - server should reply 535. - - Upon receipt of the 235 reply from the server, the client must parse - the text of the reply for the base 64 encoded data, decode it, - convert it from network byte order, and pass the result to - krb_rd_safe(3). The client must consider the server authenticated if - the resultant checksum is equal to one plus the value previously - sent. 
- - The procedure associated with MIC commands, 631 replies, and Safe - file transfers is: - - krb_mk_safe(3) for the sender - krb_rd_safe(3) for the receiver - - The procedure associated with ENC commands, 632 replies, and Private - file transfers is: - - krb_mk_priv(3) for the sender - krb_rd_priv(3) for the receiver - - CONF commands and 633 replies are not supported. - - Note that this specification for KERBEROS_V4 contains no provision - for negotiating alternate means for integrity and confidentiality - routines. Note also that the ADAT exchange does not convey whether - the peer supports confidentiality services. - - In order to stay within the allowed PBSZ, implementors must take note - that a cleartext buffer will grow by 31 bytes when processed by - krb_mk_safe(3) and will grow by 26 bytes when processed by - krb_mk_priv(3). - - - - -Horowitz & Lunt Standards Track [Page 26] - -RFC 2228 FTP Security Extensions October 1997 - - -Full Copyright Statement - - Copyright (C) The Internet Society (1997). All Rights Reserved. - - This document and translations of it may be copied and furnished to - others, and derivative works that comment on or otherwise explain it - or assist in its implmentation may be prepared, copied, published - andand distributed, in whole or in part, without restriction of any - kind, provided that the above copyright notice and this paragraph are - included on all such copies and derivative works. However, this - document itself may not be modified in any way, such as by removing - the copyright notice or references to the Internet Society or other - Internet organizations, except as needed for the purpose of - developing Internet standards in which case the procedures for - copyrights defined in the Internet Standards process must be - followed, or as required to translate it into languages other than - English. 
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Horowitz & Lunt Standards Track [Page 27]
-
diff --git a/crypto/heimdal-0.6.3/doc/standardisation/rfc2743.txt b/crypto/heimdal-0.6.3/doc/standardisation/rfc2743.txt
deleted file mode 100644
index e5da571abb..0000000000
--- a/crypto/heimdal-0.6.3/doc/standardisation/rfc2743.txt
+++ /dev/null
@@ -1,5659 +0,0 @@ - - - - - - -Network Working Group J. Linn -Request for Comments: 2743 RSA Laboratories -Obsoletes: 2078 January 2000 -Category: Standards Track - - - Generic Security Service Application Program Interface - Version 2, Update 1 - - -Status of this Memo - - This document specifies an Internet standards track protocol for the - Internet community, and requests discussion and suggestions for - improvements. Please refer to the current edition of the "Internet - Official Protocol Standards" (STD 1) for the standardization state - and status of this protocol. Distribution of this memo is unlimited. - -Copyright Notice - - Copyright (C) The Internet Society (2000). All Rights Reserved. - -Abstract - - The Generic Security Service Application Program Interface (GSS-API), - Version 2, as defined in [RFC-2078], provides security services to - callers in a generic fashion, supportable with a range of underlying - mechanisms and technologies and hence allowing source-level - portability of applications to different environments. This - specification defines GSS-API services and primitives at a level - independent of underlying mechanism and programming language - environment, and is to be complemented by other, related - specifications: - - documents defining specific parameter bindings for particular - language environments - - documents defining token formats, protocols, and procedures to be - implemented in order to realize GSS-API services atop particular - security mechanisms - - This memo obsoletes [RFC-2078], making specific, incremental changes - in response to implementation experience and liaison requests. It is - intended, therefore, that this memo or a successor version thereto - will become the basis for subsequent progression of the GSS-API - specification on the standards track. - - - - - -Linn Standards Track [Page 1] - -RFC 2743 GSS-API January 2000 - - -TABLE OF CONTENTS - - 1: GSS-API Characteristics and Concepts . . . . . . . . . . . . 
4 - 1.1: GSS-API Constructs . . . . . . . . . . . . . . . . . . . . 6 - 1.1.1: Credentials . . . . . . . . . . . . . . . . . . . . . . 6 - 1.1.1.1: Credential Constructs and Concepts . . . . . . . . . . 6 - 1.1.1.2: Credential Management . . . . . . . . . . . . . . . . 7 - 1.1.1.3: Default Credential Resolution . . . . . . . . . . . . 8 - 1.1.2: Tokens . . . . . . . . . . . . . . . . . . . . . . . . . 9 - 1.1.3: Security Contexts . . . . . . . . . . . . . . . . . . . 11 - 1.1.4: Mechanism Types . . . . . . . . . . . . . . . . . . . . 12 - 1.1.5: Naming . . . . . . . . . . . . . . . . . . . . . . . . 13 - 1.1.6: Channel Bindings . . . . . . . . . . . . . . . . . . . 16 - 1.2: GSS-API Features and Issues . . . . . . . . . . . . . . . 17 - 1.2.1: Status Reporting and Optional Service Support . . . . 17 - 1.2.1.1: Status Reporting . . . . . . . . . . . . . . . . . . . 17 - 1.2.1.2: Optional Service Support . . . . . . . . . . . . . . . 19 - 1.2.2: Per-Message Security Service Availability . . . . . . . 20 - 1.2.3: Per-Message Replay Detection and Sequencing . . . . . . 21 - 1.2.4: Quality of Protection . . . . . . . . . . . . . . . . . 24 - 1.2.5: Anonymity Support . . . . . . . . . . . . . . . . . . . 25 - 1.2.6: Initialization . . . . . . . . . . . . . . . . . . . . . 25 - 1.2.7: Per-Message Protection During Context Establishment . . 26 - 1.2.8: Implementation Robustness . . . . . . . . . . . . . . . 27 - 1.2.9: Delegation . . . . . . . . . . . . . . . . . . . . . . . 28 - 1.2.10: Interprocess Context Transfer . . . . . . . . . . . . . 28 - 2: Interface Descriptions . . . . . . . . . . . . . . . . . . 29 - 2.1: Credential management calls . . . . . . . . . . . . . . . 31 - 2.1.1: GSS_Acquire_cred call . . . . . . . . . . . . . . . . . 31 - 2.1.2: GSS_Release_cred call . . . . . . . . . . . . . . . . . 34 - 2.1.3: GSS_Inquire_cred call . . . . . . . . . . . . . . . . . 35 - 2.1.4: GSS_Add_cred call . . . . . . . . . . . . . . . . . . . 
37 - 2.1.5: GSS_Inquire_cred_by_mech call . . . . . . . . . . . . . 40 - 2.2: Context-level calls . . . . . . . . . . . . . . . . . . . 41 - 2.2.1: GSS_Init_sec_context call . . . . . . . . . . . . . . . 42 - 2.2.2: GSS_Accept_sec_context call . . . . . . . . . . . . . . 49 - 2.2.3: GSS_Delete_sec_context call . . . . . . . . . . . . . . 53 - 2.2.4: GSS_Process_context_token call . . . . . . . . . . . . 54 - 2.2.5: GSS_Context_time call . . . . . . . . . . . . . . . . . 55 - 2.2.6: GSS_Inquire_context call . . . . . . . . . . . . . . . 56 - 2.2.7: GSS_Wrap_size_limit call . . . . . . . . . . . . . . . 57 - 2.2.8: GSS_Export_sec_context call . . . . . . . . . . . . . . 59 - 2.2.9: GSS_Import_sec_context call . . . . . . . . . . . . . . 61 - 2.3: Per-message calls . . . . . . . . . . . . . . . . . . . . 62 - 2.3.1: GSS_GetMIC call . . . . . . . . . . . . . . . . . . . . 63 - 2.3.2: GSS_VerifyMIC call . . . . . . . . . . . . . . . . . . 64 - 2.3.3: GSS_Wrap call . . . . . . . . . . . . . . . . . . . . . 65 - 2.3.4: GSS_Unwrap call . . . . . . . . . . . . . . . . . . . . 66 - - - -Linn Standards Track [Page 2] - -RFC 2743 GSS-API January 2000 - - - 2.4: Support calls . . . . . . . . . . . . . . . . . . . . . . 68 - 2.4.1: GSS_Display_status call . . . . . . . . . . . . . . . . 68 - 2.4.2: GSS_Indicate_mechs call . . . . . . . . . . . . . . . . 69 - 2.4.3: GSS_Compare_name call . . . . . . . . . . . . . . . . . 70 - 2.4.4: GSS_Display_name call . . . . . . . . . . . . . . . . . 71 - 2.4.5: GSS_Import_name call . . . . . . . . . . . . . . . . . 72 - 2.4.6: GSS_Release_name call . . . . . . . . . . . . . . . . . 73 - 2.4.7: GSS_Release_buffer call . . . . . . . . . . . . . . . . 74 - 2.4.8: GSS_Release_OID_set call . . . . . . . . . . . . . . . 74 - 2.4.9: GSS_Create_empty_OID_set call . . . . . . . . . . . . . 75 - 2.4.10: GSS_Add_OID_set_member call . . . . . . . . . . . . . . 76 - 2.4.11: GSS_Test_OID_set_member call . . . . . . . . . . . . . 
76 - 2.4.12: GSS_Inquire_names_for_mech call . . . . . . . . . . . . 77 - 2.4.13: GSS_Inquire_mechs_for_name call . . . . . . . . . . . . 77 - 2.4.14: GSS_Canonicalize_name call . . . . . . . . . . . . . . 78 - 2.4.15: GSS_Export_name call . . . . . . . . . . . . . . . . . 79 - 2.4.16: GSS_Duplicate_name call . . . . . . . . . . . . . . . . 80 - 3: Data Structure Definitions for GSS-V2 Usage . . . . . . . . 81 - 3.1: Mechanism-Independent Token Format . . . . . . . . . . . . 81 - 3.2: Mechanism-Independent Exported Name Object Format . . . . 84 - 4: Name Type Definitions . . . . . . . . . . . . . . . . . . . 85 - 4.1: Host-Based Service Name Form . . . . . . . . . . . . . . . 85 - 4.2: User Name Form . . . . . . . . . . . . . . . . . . . . . . 86 - 4.3: Machine UID Form . . . . . . . . . . . . . . . . . . . . . 87 - 4.4: String UID Form . . . . . . . . . . . . . . . . . . . . . 87 - 4.5: Anonymous Nametype . . . . . . . . . . . . . . . . . . . . 87 - 4.6: GSS_C_NO_OID . . . . . . . . . . . . . . . . . . . . . . . 88 - 4.7: Exported Name Object . . . . . . . . . . . . . . . . . . . 88 - 4.8: GSS_C_NO_NAME . . . . . . . . . . . . . . . . . . . . . . 88 - 5: Mechanism-Specific Example Scenarios . . . . . . . . . . . 88 - 5.1: Kerberos V5, single-TGT . . . . . . . . . . . . . . . . . 89 - 5.2: Kerberos V5, double-TGT . . . . . . . . . . . . . . . . . 89 - 5.3: X.509 Authentication Framework . . . . . . . . . . . . . 90 - 6: Security Considerations . . . . . . . . . . . . . . . . . . 91 - 7: Related Activities . . . . . . . . . . . . . . . . . . . . 92 - 8: Referenced Documents . . . . . . . . . . . . . . . . . . . 93 - Appendix A: Mechanism Design Constraints . . . . . . . . . . . 94 - Appendix B: Compatibility with GSS-V1 . . . . . . . . . . . . . 94 - Appendix C: Changes Relative to RFC-2078 . . . . . . . . . . . 96 - Author's Address . . . . . . . . . . . . . . . . . . . . . . .100 - Full Copyright Statement . . . . . . . . . . . . . . . . . . 
.101 - - - - - - - - - - -Linn Standards Track [Page 3] - -RFC 2743 GSS-API January 2000 - - -1: GSS-API Characteristics and Concepts - - GSS-API operates in the following paradigm. A typical GSS-API caller - is itself a communications protocol, calling on GSS-API in order to - protect its communications with authentication, integrity, and/or - confidentiality security services. A GSS-API caller accepts tokens - provided to it by its local GSS-API implementation and transfers the - tokens to a peer on a remote system; that peer passes the received - tokens to its local GSS-API implementation for processing. The - security services available through GSS-API in this fashion are - implementable (and have been implemented) over a range of underlying - mechanisms based on secret-key and public-key cryptographic - technologies. - - The GSS-API separates the operations of initializing a security - context between peers, achieving peer entity authentication - (GSS_Init_sec_context() and GSS_Accept_sec_context() calls), from the - operations of providing per-message data origin authentication and - data integrity protection (GSS_GetMIC() and GSS_VerifyMIC() calls) - for messages subsequently transferred in conjunction with that - context. (The definition for the peer entity authentication service, - and other definitions used in this document, corresponds to that - provided in [ISO-7498-2].) When establishing a security context, the - GSS-API enables a context initiator to optionally permit its - credentials to be delegated, meaning that the context acceptor may - initiate further security contexts on behalf of the initiating - caller. Per-message GSS_Wrap() and GSS_Unwrap() calls provide the - data origin authentication and data integrity services which - GSS_GetMIC() and GSS_VerifyMIC() offer, and also support selection of - confidentiality services as a caller option. Additional calls provide - supportive functions to the GSS-API's users. 
- - The following paragraphs provide an example illustrating the - dataflows involved in use of the GSS-API by a client and server in a - mechanism-independent fashion, establishing a security context and - transferring a protected message. The example assumes that credential - acquisition has already been completed. The example also assumes - that the underlying authentication technology is capable of - authenticating a client to a server using elements carried within a - single token, and of authenticating the server to the client (mutual - authentication) with a single returned token; this assumption holds - for some presently-documented CAT mechanisms but is not necessarily - true for other cryptographic technologies and associated protocols. - - The client calls GSS_Init_sec_context() to establish a security - context to the server identified by targ_name, and elects to set the - mutual_req_flag so that mutual authentication is performed in the - course of context establishment. GSS_Init_sec_context() returns an - - - -Linn Standards Track [Page 4] - -RFC 2743 GSS-API January 2000 - - - output_token to be passed to the server, and indicates - GSS_S_CONTINUE_NEEDED status pending completion of the mutual - authentication sequence. Had mutual_req_flag not been set, the - initial call to GSS_Init_sec_context() would have returned - GSS_S_COMPLETE status. The client sends the output_token to the - server. - - The server passes the received token as the input_token parameter to - GSS_Accept_sec_context(). GSS_Accept_sec_context indicates - GSS_S_COMPLETE status, provides the client's authenticated identity - in the src_name result, and provides an output_token to be passed to - the client. The server sends the output_token to the client. 
- - The client passes the received token as the input_token parameter to - a successor call to GSS_Init_sec_context(), which processes data - included in the token in order to achieve mutual authentication from - the client's viewpoint. This call to GSS_Init_sec_context() returns - GSS_S_COMPLETE status, indicating successful mutual authentication - and the completion of context establishment for this example. - - The client generates a data message and passes it to GSS_Wrap(). - GSS_Wrap() performs data origin authentication, data integrity, and - (optionally) confidentiality processing on the message and - encapsulates the result into output_message, indicating - GSS_S_COMPLETE status. The client sends the output_message to the - server. - - The server passes the received message to GSS_Unwrap(). GSS_Unwrap() - inverts the encapsulation performed by GSS_Wrap(), deciphers the - message if the optional confidentiality feature was applied, and - validates the data origin authentication and data integrity checking - quantities. GSS_Unwrap() indicates successful validation by returning - GSS_S_COMPLETE status along with the resultant output_message. - - For purposes of this example, we assume that the server knows by - out-of-band means that this context will have no further use after - one protected message is transferred from client to server. Given - this premise, the server now calls GSS_Delete_sec_context() to flush - context-level information. Optionally, the server-side application - may provide a token buffer to GSS_Delete_sec_context(), to receive a - context_token to be transferred to the client in order to request - that client-side context-level information be deleted. - - If a context_token is transferred, the client passes the - context_token to GSS_Process_context_token(), which returns - GSS_S_COMPLETE status after deleting context-level information at the - client system. 
- - - - -Linn Standards Track [Page 5] - -RFC 2743 GSS-API January 2000 - - - The GSS-API design assumes and addresses several basic goals, - including: - - Mechanism independence: The GSS-API defines an interface to - cryptographically implemented strong authentication and other - security services at a generic level which is independent of - particular underlying mechanisms. For example, GSS-API-provided - services have been implemented using secret-key technologies - (e.g., Kerberos, per [RFC-1964]) and with public-key approaches - (e.g., SPKM, per [RFC-2025]). - - Protocol environment independence: The GSS-API is independent of - the communications protocol suites with which it is employed, - permitting use in a broad range of protocol environments. In - appropriate environments, an intermediate implementation "veneer" - which is oriented to a particular communication protocol may be - interposed between applications which call that protocol and the - GSS-API (e.g., as defined in [RFC-2203] for Open Network Computing - Remote Procedure Call (RPC)), thereby invoking GSS-API facilities - in conjunction with that protocol's communications invocations. - - Protocol association independence: The GSS-API's security context - construct is independent of communications protocol association - constructs. This characteristic allows a single GSS-API - implementation to be utilized by a variety of invoking protocol - modules on behalf of those modules' calling applications. GSS-API - services can also be invoked directly by applications, wholly - independent of protocol associations. - - Suitability to a range of implementation placements: GSS-API - clients are not constrained to reside within any Trusted Computing - Base (TCB) perimeter defined on a system where the GSS-API is - implemented; security services are specified in a manner suitable - to both intra-TCB and extra-TCB callers. 
- -1.1: GSS-API Constructs - - This section describes the basic elements comprising the GSS-API. - -1.1.1: Credentials - -1.1.1.1: Credential Constructs and Concepts - - Credentials provide the prerequisites which permit GSS-API peers to - establish security contexts with each other. A caller may designate - that the credential elements which are to be applied for context - initiation or acceptance be selected by default. Alternately, those - GSS-API callers which need to make explicit selection of particular - - - -Linn Standards Track [Page 6] - -RFC 2743 GSS-API January 2000 - - - credentials structures may make references to those credentials - through GSS-API-provided credential handles ("cred_handles"). In all - cases, callers' credential references are indirect, mediated by GSS- - API implementations and not requiring callers to access the selected - credential elements. - - A single credential structure may be used to initiate outbound - contexts and to accept inbound contexts. Callers needing to operate - in only one of these modes may designate this fact when credentials - are acquired for use, allowing underlying mechanisms to optimize - their processing and storage requirements. The credential elements - defined by a particular mechanism may contain multiple cryptographic - keys, e.g., to enable authentication and message encryption to be - performed with different algorithms. - - A GSS-API credential structure may contain multiple credential - elements, each containing mechanism-specific information for a - particular underlying mechanism (mech_type), but the set of elements - within a given credential structure represent a common entity. A - credential structure's contents will vary depending on the set of - mech_types supported by a particular GSS-API implementation. 
Each - credential element identifies the data needed by its mechanism in - order to establish contexts on behalf of a particular principal, and - may contain separate credential references for use in context - initiation and context acceptance. Multiple credential elements - within a given credential having overlapping combinations of - mechanism, usage mode, and validity period are not permitted. - - Commonly, a single mech_type will be used for all security contexts - established by a particular initiator to a particular target. A major - motivation for supporting credential sets representing multiple - mech_types is to allow initiators on systems which are equipped to - handle multiple types to initiate contexts to targets on other - systems which can accommodate only a subset of the set supported at - the initiator's system. - -1.1.1.2: Credential Management - - It is the responsibility of underlying system-specific mechanisms and - OS functions below the GSS-API to ensure that the ability to acquire - and use credentials associated with a given identity is constrained - to appropriate processes within a system. This responsibility should - be taken seriously by implementors, as the ability for an entity to - utilize a principal's credentials is equivalent to the entity's - ability to successfully assert that principal's identity. - - - - - - -Linn Standards Track [Page 7] - -RFC 2743 GSS-API January 2000 - - - Once a set of GSS-API credentials is established, the transferability - of that credentials set to other processes or analogous constructs - within a system is a local matter, not defined by the GSS-API. An - example local policy would be one in which any credentials received - as a result of login to a given user account, or of delegation of - rights to that account, are accessible by, or transferable to, - processes running under that account. 
- - The credential establishment process (particularly when performed on - behalf of users rather than server processes) is likely to require - access to passwords or other quantities which should be protected - locally and exposed for the shortest time possible. As a result, it - will often be appropriate for preliminary credential establishment to - be performed through local means at user login time, with the - result(s) cached for subsequent reference. These preliminary - credentials would be set aside (in a system-specific fashion) for - subsequent use, either: - - to be accessed by an invocation of the GSS-API GSS_Acquire_cred() - call, returning an explicit handle to reference that credential - - to comprise default credential elements to be installed, and to be - used when default credential behavior is requested on behalf of a - process - -1.1.1.3: Default Credential Resolution - - The GSS_Init_sec_context() and GSS_Accept_sec_context() routines - allow the value GSS_C_NO_CREDENTIAL to be specified as their - credential handle parameter. This special credential handle - indicates a desire by the application to act as a default principal. - In support of application portability, support for the default - resolution behavior described below for initiator credentials - (GSS_Init_sec_context() usage) is mandated; support for the default - resolution behavior described below for acceptor credentials - (GSS_Accept_sec_context() usage) is recommended. If default - credential resolution fails, GSS_S_NO_CRED status is to be returned. 
- - GSS_Init_sec_context: - - (i) If there is only a single principal capable of initiating - security contexts that the application is authorized to act on - behalf of, then that principal shall be used, otherwise - - - - - - - - -Linn Standards Track [Page 8] - -RFC 2743 GSS-API January 2000 - - - (ii) If the platform maintains a concept of a default network- - identity, and if the application is authorized to act on behalf - of that identity for the purpose of initiating security - contexts, then the principal corresponding to that identity - shall be used, otherwise - - (iii) If the platform maintains a concept of a default local - identity, and provides a means to map local identities into - network-identities, and if the application is authorized to act - on behalf of the network-identity image of the default local - identity for the purpose of initiating security contexts, then - the principal corresponding to that identity shall be used, - otherwise - - (iv) A user-configurable default identity should be used. - - GSS_Accept_sec_context: - - (i) If there is only a single authorized principal identity - capable of accepting security contexts, then that principal - shall be used, otherwise - - (ii) If the mechanism can determine the identity of the target - principal by examining the context-establishment token, and if - the accepting application is authorized to act as that - principal for the purpose of accepting security contexts, then - that principal identity shall be used, otherwise - - (iii) If the mechanism supports context acceptance by any - principal, and mutual authentication was not requested, any - principal that the application is authorized to accept security - contexts under may be used, otherwise - - (iv) A user-configurable default identity shall be used. - - The purpose of the above rules is to allow security contexts to be - established by both initiator and acceptor using the default behavior - wherever possible. 
Applications requesting default behavior are - likely to be more portable across mechanisms and platforms than those - that use GSS_Acquire_cred() to request a specific identity. - -1.1.2: Tokens - - Tokens are data elements transferred between GSS-API callers, and are - divided into two classes. Context-level tokens are exchanged in order - to establish and manage a security context between peers. Per-message - tokens relate to an established context and are exchanged to provide - - - - -Linn Standards Track [Page 9] - -RFC 2743 GSS-API January 2000 - - - protective security services (i.e., data origin authentication, - integrity, and optional confidentiality) for corresponding data - messages. - - The first context-level token obtained from GSS_Init_sec_context() is - required to indicate at its very beginning a globally-interpretable - mechanism identifier, i.e., an Object Identifier (OID) of the - security mechanism. The remaining part of this token as well as the - whole content of all other tokens are specific to the particular - underlying mechanism used to support the GSS-API. Section 3.1 of this - document provides, for designers of GSS-API mechanisms, the - description of the header of the first context-level token which is - then followed by mechanism-specific information. - - Tokens' contents are opaque from the viewpoint of GSS-API callers. - They are generated within the GSS-API implementation at an end - system, provided to a GSS-API caller to be transferred to the peer - GSS-API caller at a remote end system, and processed by the GSS-API - implementation at that remote end system. - - Context-level tokens may be output by GSS-API calls (and should be - transferred to GSS-API peers) whether or not the calls' status - indicators indicate successful completion. Per-message tokens, in - contrast, are to be returned only upon successful completion of per- - message calls. Zero-length tokens are never returned by GSS routines - for transfer to a peer. 
Token transfer may take place in an in-band - manner, integrated into the same protocol stream used by the GSS-API - callers for other data transfers, or in an out-of-band manner across - a logically separate channel. - - Different GSS-API tokens are used for different purposes (e.g., - context initiation, context acceptance, protected message data on an - established context), and it is the responsibility of a GSS-API - caller receiving tokens to distinguish their types, associate them - with corresponding security contexts, and pass them to appropriate - GSS-API processing routines. Depending on the caller protocol - environment, this distinction may be accomplished in several ways. - - The following examples illustrate means through which tokens' types - may be distinguished: - - - implicit tagging based on state information (e.g., all tokens on - a new association are considered to be context establishment - tokens until context establishment is completed, at which point - all tokens are considered to be wrapped data objects for that - context), - - - - - -Linn Standards Track [Page 10] - -RFC 2743 GSS-API January 2000 - - - - explicit tagging at the caller protocol level, - - - a hybrid of these approaches. - - Commonly, the encapsulated data within a token includes internal - mechanism-specific tagging information, enabling mechanism-level - processing modules to distinguish tokens used within the mechanism - for different purposes. Such internal mechanism-level tagging is - recommended to mechanism designers, and enables mechanisms to - determine whether a caller has passed a particular token for - processing by an inappropriate GSS-API routine. 
- - Development of GSS-API mechanisms based on a particular underlying - cryptographic technique and protocol (i.e., conformant to a specific - GSS-API mechanism definition) does not necessarily imply that GSS-API - callers using that GSS-API mechanism will be able to interoperate - with peers invoking the same technique and protocol outside the GSS- - API paradigm, or with peers implementing a different GSS-API - mechanism based on the same underlying technology. The format of - GSS-API tokens defined in conjunction with a particular mechanism, - and the techniques used to integrate those tokens into callers' - protocols, may not be interoperable with the tokens used by non-GSS- - API callers of the same underlying technique. - -1.1.3: Security Contexts - - Security contexts are established between peers, using credentials - established locally in conjunction with each peer or received by - peers via delegation. Multiple contexts may exist simultaneously - between a pair of peers, using the same or different sets of - credentials. Coexistence of multiple contexts using different - credentials allows graceful rollover when credentials expire. - Distinction among multiple contexts based on the same credentials - serves applications by distinguishing different message streams in a - security sense. - - The GSS-API is independent of underlying protocols and addressing - structure, and depends on its callers to transport GSS-API-provided - data elements. As a result of these factors, it is a caller - responsibility to parse communicated messages, separating GSS-API- - related data elements from caller-provided data. The GSS-API is - independent of connection vs. connectionless orientation of the - underlying communications service. - - No correlation between security context and communications protocol - association is dictated. 
(The optional channel binding facility, - discussed in Section 1.1.6 of this document, represents an - intentional exception to this rule, supporting additional protection - - - -Linn Standards Track [Page 11] - -RFC 2743 GSS-API January 2000 - - - features within GSS-API supporting mechanisms.) This separation - allows the GSS-API to be used in a wide range of communications - environments, and also simplifies the calling sequences of the - individual calls. In many cases (depending on underlying security - protocol, associated mechanism, and availability of cached - information), the state information required for context setup can be - sent concurrently with initial signed user data, without interposing - additional message exchanges. Messages may be protected and - transferred in both directions on an established GSS-API security - context concurrently; protection of messages in one direction does - not interfere with protection of messages in the reverse direction. - - GSS-API implementations are expected to retain inquirable context - data on a context until the context is released by a caller, even - after the context has expired, although underlying cryptographic data - elements may be deleted after expiration in order to limit their - exposure. - -1.1.4: Mechanism Types - - In order to successfully establish a security context with a target - peer, it is necessary to identify an appropriate underlying mechanism - type (mech_type) which both initiator and target peers support. The - definition of a mechanism embodies not only the use of a particular - cryptographic technology (or a hybrid or choice among alternative - cryptographic technologies), but also definition of the syntax and - semantics of data element exchanges which that mechanism will employ - in order to support security services. 
- - It is recommended that callers initiating contexts specify the - "default" mech_type value, allowing system-specific functions within - or invoked by the GSS-API implementation to select the appropriate - mech_type, but callers may direct that a particular mech_type be - employed when necessary. - - For GSS-API purposes, the phrase "negotiating mechanism" refers to a - mechanism which itself performs negotiation in order to select a - concrete mechanism which is shared between peers and is then used for - context establishment. Only those mechanisms which are defined in - their specifications as negotiating mechanisms are to yield selected - mechanisms with different identifier values than the value which is - input by a GSS-API caller, except for the case of a caller requesting - the "default" mech_type. - - The means for identifying a shared mech_type to establish a security - context with a peer will vary in different environments and - circumstances; examples include (but are not limited to): - - - - -Linn Standards Track [Page 12] - -RFC 2743 GSS-API January 2000 - - - use of a fixed mech_type, defined by configuration, within an - environment - - syntactic convention on a target-specific basis, through - examination of a target's name lookup of a target's name in a - naming service or other database in order to identify mech_types - supported by that target - - explicit negotiation between GSS-API callers in advance of - security context setup - - use of a negotiating mechanism - - When transferred between GSS-API peers, mech_type specifiers (per - Section 3 of this document, represented as Object Identifiers (OIDs)) - serve to qualify the interpretation of associated tokens. (The - structure and encoding of Object Identifiers is defined in [ISOIEC- - 8824] and [ISOIEC-8825].) Use of hierarchically structured OIDs - serves to preclude ambiguous interpretation of mech_type specifiers. 
- The OID representing the DASS ([RFC-1507]) MechType, for example, is - 1.3.12.2.1011.7.5, and that of the Kerberos V5 mechanism ([RFC- - 1964]), having been advanced to the level of Proposed Standard, is - 1.2.840.113554.1.2.2. - -1.1.5: Naming - - The GSS-API avoids prescribing naming structures, treating the names - which are transferred across the interface in order to initiate and - accept security contexts as opaque objects. This approach supports - the GSS-API's goal of implementability atop a range of underlying - security mechanisms, recognizing the fact that different mechanisms - process and authenticate names which are presented in different - forms. Generalized services offering translation functions among - arbitrary sets of naming environments are outside the scope of the - GSS-API; availability and use of local conversion functions to - translate among the naming formats supported within a given end - system is anticipated. - - Different classes of name representations are used in conjunction - with different GSS-API parameters: - - - Internal form (denoted in this document by INTERNAL NAME), - opaque to callers and defined by individual GSS-API - implementations. GSS-API implementations supporting multiple - namespace types must maintain internal tags to disambiguate the - interpretation of particular names. A Mechanism Name (MN) is a - special case of INTERNAL NAME, guaranteed to contain elements - - - - -Linn Standards Track [Page 13] - -RFC 2743 GSS-API January 2000 - - - corresponding to one and only one mechanism; calls which are - guaranteed to emit MNs or which require MNs as input are so - identified within this specification. - - - Contiguous string ("flat") form (denoted in this document by - OCTET STRING); accompanied by OID tags identifying the namespace - to which they correspond. Depending on tag value, flat names may - or may not be printable strings for direct acceptance from and - presentation to users. 
Tagging of flat names allows GSS-API - callers and underlying GSS-API mechanisms to disambiguate name - types and to determine whether an associated name's type is one - which they are capable of processing, avoiding aliasing problems - which could result from misinterpreting a name of one type as a - name of another type. - - - The GSS-API Exported Name Object, a special case of flat name - designated by a reserved OID value, carries a canonicalized form - of a name suitable for binary comparisons. - - In addition to providing means for names to be tagged with types, - this specification defines primitives to support a level of naming - environment independence for certain calling applications. To provide - basic services oriented towards the requirements of callers which - need not themselves interpret the internal syntax and semantics of - names, GSS-API calls for name comparison (GSS_Compare_name()), - human-readable display (GSS_Display_name()), input conversion - (GSS_Import_name()), internal name deallocation (GSS_Release_name()), - and internal name duplication (GSS_Duplicate_name()) functions are - defined. (It is anticipated that these proposed GSS-API calls will be - implemented in many end systems based on system-specific name - manipulation primitives already extant within those end systems; - inclusion within the GSS-API is intended to offer GSS-API callers a - portable means to perform specific operations, supportive of - authorization and audit requirements, on authenticated names.) - - GSS_Import_name() implementations can, where appropriate, support - more than one printable syntax corresponding to a given namespace - (e.g., alternative printable representations for X.500 Distinguished - Names), allowing flexibility for their callers to select among - alternative representations. GSS_Display_name() implementations - output a printable syntax selected as appropriate to their - operational environments; this selection is a local matter. 
Callers - desiring portability across alternative printable syntaxes should - refrain from implementing comparisons based on printable name forms - and should instead use the GSS_Compare_name() call to determine - whether or not one internal-format name matches another. - - - - - -Linn Standards Track [Page 14] - -RFC 2743 GSS-API January 2000 - - - When used in large access control lists, the overhead of invoking - GSS_Import_name() and GSS_Compare_name() on each name from the ACL - may be prohibitive. As an alternative way of supporting this case, - GSS-API defines a special form of the contiguous string name which - may be compared directly (e.g., with memcmp()). Contiguous names - suitable for comparison are generated by the GSS_Export_name() - routine, which requires an MN as input. Exported names may be re- - imported by the GSS_Import_name() routine, and the resulting internal - name will also be an MN. The symbolic constant GSS_C_NT_EXPORT_NAME - identifies the "export name" type. Structurally, an exported name - object consists of a header containing an OID identifying the - mechanism that authenticated the name, and a trailer containing the - name itself, where the syntax of the trailer is defined by the - individual mechanism specification. The precise format of an - exported name is defined in Section 3.2 of this specification. - - Note that the results obtained by using GSS_Compare_name() will in - general be different from those obtained by invoking - GSS_Canonicalize_name() and GSS_Export_name(), and then comparing the - exported names. The first series of operations determines whether - two (unauthenticated) names identify the same principal; the second - whether a particular mechanism would authenticate them as the same - principal. These two operations will in general give the same - results only for MNs. - - The following diagram illustrates the intended dataflow among name- - related GSS-API processing routines. 
- - - - - - - - - - - - - - - - - - - - - - - - -Linn Standards Track [Page 15] - -RFC 2743 GSS-API January 2000 - - - GSS-API library defaults - | - | - V text, for - text --------------> internal_name (IN) -----------> display only - import_name() / display_name() - / - / - / - accept_sec_context() / - | / - | / - | / canonicalize_name() - | / - | / - | / - | / - | / - | | - V V <--------------------- - single mechanism import_name() exported name: flat - internal_name (MN) binary "blob" usable - ----------------------> for access control - export_name() - -1.1.6: Channel Bindings - - The GSS-API accommodates the concept of caller-provided channel - binding ("chan_binding") information. Channel bindings are used to - strengthen the quality with which peer entity authentication is - provided during context establishment, by limiting the scope within - which an intercepted context establishment token can be reused by an - attacker. Specifically, they enable GSS-API callers to bind the - establishment of a security context to relevant characteristics - (e.g., addresses, transformed representations of encryption keys) of - the underlying communications channel, of protection mechanisms - applied to that communications channel, and to application-specific - data. - - The caller initiating a security context must determine the - appropriate channel binding values to provide as input to the - GSS_Init_sec_context() call, and consistent values must be provided - to GSS_Accept_sec_context() by the context's target, in order for - both peers' GSS-API mechanisms to validate that received tokens - possess correct channel-related characteristics. Use or non-use of - the GSS-API channel binding facility is a caller option. 
GSS-API - mechanisms can operate in an environment where NULL channel bindings - are presented; mechanism implementors are encouraged, but not - - - -Linn Standards Track [Page 16] - -RFC 2743 GSS-API January 2000 - - - required, to make use of caller-provided channel binding data within - their mechanisms. Callers should not assume that underlying - mechanisms provide confidentiality protection for channel binding - information. - - When non-NULL channel bindings are provided by callers, certain - mechanisms can offer enhanced security value by interpreting the - bindings' content (rather than simply representing those bindings, or - integrity check values computed on them, within tokens) and will - therefore depend on presentation of specific data in a defined - format. To this end, agreements among mechanism implementors are - defining conventional interpretations for the contents of channel - binding arguments, including address specifiers (with content - dependent on communications protocol environment) for context - initiators and acceptors. (These conventions are being incorporated - in GSS-API mechanism specifications and into the GSS-API C language - bindings specification.) In order for GSS-API callers to be portable - across multiple mechanisms and achieve the full security - functionality which each mechanism can provide, it is strongly - recommended that GSS-API callers provide channel bindings consistent - with these conventions and those of the networking environment in - which they operate. - -1.2: GSS-API Features and Issues - - This section describes aspects of GSS-API operations, of the security - services which the GSS-API provides, and provides commentary on - design issues. - -1.2.1: Status Reporting and Optional Service Support - -1.2.1.1: Status Reporting - - Each GSS-API call provides two status return values. 
Major_status - values provide a mechanism-independent indication of call status - (e.g., GSS_S_COMPLETE, GSS_S_FAILURE, GSS_S_CONTINUE_NEEDED), - sufficient to drive normal control flow within the caller in a - generic fashion. Table 1 summarizes the defined major_status return - codes in tabular fashion. - - Sequencing-related informatory major_status codes - (GSS_S_DUPLICATE_TOKEN, GSS_S_OLD_TOKEN, GSS_S_UNSEQ_TOKEN, and - GSS_S_GAP_TOKEN) can be indicated in conjunction with either - GSS_S_COMPLETE or GSS_S_FAILURE status for GSS-API per-message calls. - For context establishment calls, these sequencing-related codes will - be indicated only in conjunction with GSS_S_FAILURE status (never in - - - - - -Linn Standards Track [Page 17] - -RFC 2743 GSS-API January 2000 - - - conjunction with GSS_S_COMPLETE or GSS_S_CONTINUE_NEEDED), and, - therefore, always correspond to fatal failures if encountered during - the context establishment phase. - - Table 1: GSS-API Major Status Codes - - FATAL ERROR CODES - - GSS_S_BAD_BINDINGS channel binding mismatch - GSS_S_BAD_MECH unsupported mechanism requested - GSS_S_BAD_NAME invalid name provided - GSS_S_BAD_NAMETYPE name of unsupported type provided - GSS_S_BAD_STATUS invalid input status selector - GSS_S_BAD_SIG token had invalid integrity check - GSS_S_BAD_MIC preferred alias for GSS_S_BAD_SIG - GSS_S_CONTEXT_EXPIRED specified security context expired - GSS_S_CREDENTIALS_EXPIRED expired credentials detected - GSS_S_DEFECTIVE_CREDENTIAL defective credential detected - GSS_S_DEFECTIVE_TOKEN defective token detected - GSS_S_FAILURE failure, unspecified at GSS-API - level - GSS_S_NO_CONTEXT no valid security context specified - GSS_S_NO_CRED no valid credentials provided - GSS_S_BAD_QOP unsupported QOP value - GSS_S_UNAUTHORIZED operation unauthorized - GSS_S_UNAVAILABLE operation unavailable - GSS_S_DUPLICATE_ELEMENT duplicate credential element requested - GSS_S_NAME_NOT_MN name contains multi-mechanism elements - - 
INFORMATORY STATUS CODES - - GSS_S_COMPLETE normal completion - GSS_S_CONTINUE_NEEDED continuation call to routine - required - GSS_S_DUPLICATE_TOKEN duplicate per-message token - detected - GSS_S_OLD_TOKEN timed-out per-message token - detected - GSS_S_UNSEQ_TOKEN reordered (early) per-message token - detected - GSS_S_GAP_TOKEN skipped predecessor token(s) - detected - - Minor_status provides more detailed status information which may - include status codes specific to the underlying security mechanism. - Minor_status values are not specified in this document. - - - - - -Linn Standards Track [Page 18] - -RFC 2743 GSS-API January 2000 - - - GSS_S_CONTINUE_NEEDED major_status returns, and optional message - outputs, are provided in GSS_Init_sec_context() and - GSS_Accept_sec_context() calls so that different mechanisms' - employment of different numbers of messages within their - authentication sequences need not be reflected in separate code paths - within calling applications. Instead, such cases are accommodated - with sequences of continuation calls to GSS_Init_sec_context() and - GSS_Accept_sec_context(). The same facility is used to encapsulate - mutual authentication within the GSS-API's context initiation calls. - - For mech_types which require interactions with third-party servers in - order to establish a security context, GSS-API context establishment - calls may block pending completion of such third-party interactions. - On the other hand, no GSS-API calls pend on serialized interactions - with GSS-API peer entities. As a result, local GSS-API status - returns cannot reflect unpredictable or asynchronous exceptions - occurring at remote peers, and reflection of such status information - is a caller responsibility outside the GSS-API. - -1.2.1.2: Optional Service Support - - A context initiator may request various optional services at context - establishment time. 
Each of these services is requested by setting a - flag in the req_flags input parameter to GSS_Init_sec_context(). - - The optional services currently defined are: - - - Delegation - The (usually temporary) transfer of rights from - initiator to acceptor, enabling the acceptor to authenticate - itself as an agent of the initiator. - - - Mutual Authentication - In addition to the initiator - authenticating its identity to the context acceptor, the context - acceptor should also authenticate itself to the initiator. - - - Replay detection - In addition to providing message integrity - services, GSS_GetMIC() and GSS_Wrap() should include message - numbering information to enable GSS_VerifyMIC() and GSS_Unwrap() - to detect if a message has been duplicated. - - - Out-of-sequence detection - In addition to providing message - integrity services, GSS_GetMIC() and GSS_Wrap() should include - message sequencing information to enable GSS_VerifyMIC() and - GSS_Unwrap() to detect if a message has been received out of - sequence. - - - - - - -Linn Standards Track [Page 19] - -RFC 2743 GSS-API January 2000 - - - - Anonymous authentication - The establishment of the security - context should not reveal the initiator's identity to the context - acceptor. - - - Available per-message confidentiality - requests that per- - message confidentiality services be available on the context. - - - Available per-message integrity - requests that per-message - integrity services be available on the context. - - Any currently undefined bits within such flag arguments should be - ignored by GSS-API implementations when presented by an application, - and should be set to zero when returned to the application by the - GSS-API implementation. - - Some mechanisms may not support all optional services, and some - mechanisms may only support some services in conjunction with others. 
- Both GSS_Init_sec_context() and GSS_Accept_sec_context() inform the - applications which services will be available from the context when - the establishment phase is complete, via the ret_flags output - parameter. In general, if the security mechanism is capable of - providing a requested service, it should do so, even if additional - services must be enabled in order to provide the requested service. - If the mechanism is incapable of providing a requested service, it - should proceed without the service, leaving the application to abort - the context establishment process if it considers the requested - service to be mandatory. - - Some mechanisms may specify that support for some services is - optional, and that implementors of the mechanism need not provide it. - This is most commonly true of the confidentiality service, often - because of legal restrictions on the use of data-encryption, but may - apply to any of the services. Such mechanisms are required to send - at least one token from acceptor to initiator during context - establishment when the initiator indicates a desire to use such a - service, so that the initiating GSS-API can correctly indicate - whether the service is supported by the acceptor's GSS-API. 
- -1.2.2: Per-Message Security Service Availability - - When a context is established, two flags are returned to indicate the - set of per-message protection security services which will be - available on the context: - - the integ_avail flag indicates whether per-message integrity and - data origin authentication services are available - - - - - -Linn Standards Track [Page 20] - -RFC 2743 GSS-API January 2000 - - - the conf_avail flag indicates whether per-message confidentiality - services are available, and will never be returned TRUE unless the - integ_avail flag is also returned TRUE - - GSS-API callers desiring per-message security services should check - the values of these flags at context establishment time, and must be - aware that a returned FALSE value for integ_avail means that - invocation of GSS_GetMIC() or GSS_Wrap() primitives on the associated - context will apply no cryptographic protection to user data messages. - - The GSS-API per-message integrity and data origin authentication - services provide assurance to a receiving caller that protection was - applied to a message by the caller's peer on the security context, - corresponding to the entity named at context initiation. The GSS-API - per-message confidentiality service provides assurance to a sending - caller that the message's content is protected from access by - entities other than the context's named peer. - - The GSS-API per-message protection service primitives, as the - category name implies, are oriented to operation at the granularity - of protocol data units. They perform cryptographic operations on the - data units, transfer cryptographic control information in tokens, - and, in the case of GSS_Wrap(), encapsulate the protected data unit. - As such, these primitives are not oriented to efficient data - protection for stream-paradigm protocols (e.g., Telnet) if - cryptography must be applied on an octet-by-octet basis. 
- -1.2.3: Per-Message Replay Detection and Sequencing - - Certain underlying mech_types offer support for replay detection - and/or sequencing of messages transferred on the contexts they - support. These optionally-selectable protection features are distinct - from replay detection and sequencing features applied to the context - establishment operation itself; the presence or absence of context- - level replay or sequencing features is wholly a function of the - underlying mech_type's capabilities, and is not selected or omitted - as a caller option. - - The caller initiating a context provides flags (replay_det_req_flag - and sequence_req_flag) to specify whether the use of per-message - replay detection and sequencing features is desired on the context - being established. The GSS-API implementation at the initiator system - can determine whether these features are supported (and whether they - are optionally selectable) as a function of the selected mechanism, - without need for bilateral negotiation with the target. When enabled, - these features provide recipients with indicators as a result of - GSS-API processing of incoming messages, identifying whether those - messages were detected as duplicates or out-of-sequence. Detection of - - - -Linn Standards Track [Page 21] - -RFC 2743 GSS-API January 2000 - - - such events does not prevent a suspect message from being provided to - a recipient; the appropriate course of action on a suspect message is - a matter of caller policy. - - The semantics of the replay detection and sequencing services applied - to received messages, as visible across the interface which the GSS- - API provides to its clients, are as follows: - - When replay_det_state is TRUE, the possible major_status returns for - well-formed and correctly signed messages are as follows: - - 1. 
GSS_S_COMPLETE, without concurrent indication of - GSS_S_DUPLICATE_TOKEN or GSS_S_OLD_TOKEN, indicates that the - message was within the window (of time or sequence space) allowing - replay events to be detected, and that the message was not a - replay of a previously-processed message within that window. - - 2. GSS_S_DUPLICATE_TOKEN indicates that the cryptographic - checkvalue on the received message was correct, but that the - message was recognized as a duplicate of a previously-processed - message. In addition to identifying duplicated tokens originated - by a context's peer, this status may also be used to identify - reflected copies of locally-generated tokens; it is recommended - that mechanism designers include within their protocols facilities - to detect and report such tokens. - - 3. GSS_S_OLD_TOKEN indicates that the cryptographic checkvalue on - the received message was correct, but that the message is too old - to be checked for duplication. - - When sequence_state is TRUE, the possible major_status returns for - well-formed and correctly signed messages are as follows: - - 1. GSS_S_COMPLETE, without concurrent indication of - GSS_S_DUPLICATE_TOKEN, GSS_S_OLD_TOKEN, GSS_S_UNSEQ_TOKEN, or - GSS_S_GAP_TOKEN, indicates that the message was within the window - (of time or sequence space) allowing replay events to be detected, - that the message was not a replay of a previously-processed - message within that window, and that no predecessor sequenced - messages are missing relative to the last received message (if - any) processed on the context with a correct cryptographic - checkvalue. - - 2. GSS_S_DUPLICATE_TOKEN indicates that the integrity check value - on the received message was correct, but that the message was - recognized as a duplicate of a previously-processed message. 
In - addition to identifying duplicated tokens originated by a - context's peer, this status may also be used to identify reflected - - - -Linn Standards Track [Page 22] - -RFC 2743 GSS-API January 2000 - - - copies of locally-generated tokens; it is recommended that - mechanism designers include within their protocols facilities to - detect and report such tokens. - - 3. GSS_S_OLD_TOKEN indicates that the integrity check value on the - received message was correct, but that the token is too old to be - checked for duplication. - - 4. GSS_S_UNSEQ_TOKEN indicates that the cryptographic checkvalue - on the received message was correct, but that it is earlier in a - sequenced stream than a message already processed on the context. - [Note: Mechanisms can be architected to provide a stricter form of - sequencing service, delivering particular messages to recipients - only after all predecessor messages in an ordered stream have been - delivered. This type of support is incompatible with the GSS-API - paradigm in which recipients receive all messages, whether in - order or not, and provide them (one at a time, without intra-GSS- - API message buffering) to GSS-API routines for validation. GSS- - API facilities provide supportive functions, aiding clients to - achieve strict message stream integrity in an efficient manner in - conjunction with sequencing provisions in communications - protocols, but the GSS-API does not offer this level of message - stream integrity service by itself.] - - 5. GSS_S_GAP_TOKEN indicates that the cryptographic checkvalue on - the received message was correct, but that one or more predecessor - sequenced messages have not been successfully processed relative - to the last received message (if any) processed on the context - with a correct cryptographic checkvalue. 
- - As the message stream integrity features (especially sequencing) may - interfere with certain applications' intended communications - paradigms, and since support for such features is likely to be - resource intensive, it is highly recommended that mech_types - supporting these features allow them to be activated selectively on - initiator request when a context is established. A context initiator - and target are provided with corresponding indicators - (replay_det_state and sequence_state), signifying whether these - features are active on a given context. - - An example mech_type supporting per-message replay detection could - (when replay_det_state is TRUE) implement the feature as follows: The - underlying mechanism would insert timestamps in data elements output - by GSS_GetMIC() and GSS_Wrap(), and would maintain (within a time- - limited window) a cache (qualified by originator-recipient pair) - identifying received data elements processed by GSS_VerifyMIC() and - GSS_Unwrap(). When this feature is active, exception status returns - (GSS_S_DUPLICATE_TOKEN, GSS_S_OLD_TOKEN) will be provided when - - - -Linn Standards Track [Page 23] - -RFC 2743 GSS-API January 2000 - - - GSS_VerifyMIC() or GSS_Unwrap() is presented with a message which is - either a detected duplicate of a prior message or which is too old to - validate against a cache of recently received messages. - -1.2.4: Quality of Protection - - Some mech_types provide their users with fine granularity control - over the means used to provide per-message protection, allowing - callers to trade off security processing overhead dynamically against - the protection requirements of particular messages. A per-message - quality-of-protection parameter (analogous to quality-of-service, or - QOS) selects among different QOP options supported by that mechanism. - On context establishment for a multi-QOP mech_type, context-level - data provides the prerequisite data for a range of protection - qualities. 
- - It is expected that the majority of callers will not wish to exert - explicit mechanism-specific QOP control and will therefore request - selection of a default QOP. Definitions of, and choices among, non- - default QOP values are mechanism-specific, and no ordered sequences - of QOP values can be assumed equivalent across different mechanisms. - Meaningful use of non-default QOP values demands that callers be - familiar with the QOP definitions of an underlying mechanism or - mechanisms, and is therefore a non-portable construct. The - GSS_S_BAD_QOP major_status value is defined in order to indicate that - a provided QOP value is unsupported for a security context, most - likely because that value is unrecognized by the underlying - mechanism. - - In the interests of interoperability, mechanisms which allow optional - support of particular QOP values shall satisfy one of the following - conditions. Either: - - (i) All implementations of the mechanism are required to be - capable of processing messages protected using any QOP value, - regardless of whether they can apply protection corresponding to - that QOP, or - - (ii) The set of mutually-supported receiver QOP values must be - determined during context establishment, and messages may be - protected by either peer using only QOP values from this - mutually-supported set. - - NOTE: (i) is just a special-case of (ii), where implementations are - required to support all QOP values on receipt. - - - - - - -Linn Standards Track [Page 24] - -RFC 2743 GSS-API January 2000 - - -1.2.5: Anonymity Support - - In certain situations or environments, an application may wish to - authenticate a peer and/or protect communications using GSS-API per- - message services without revealing its own identity. For example, - consider an application which provides read access to a research - database, and which permits queries by arbitrary requestors. 
A - client of such a service might wish to authenticate the service, to - establish trust in the information received from it, but might not - wish to disclose its identity to the service for privacy reasons. - - In ordinary GSS-API usage, a context initiator's identity is made - available to the context acceptor as part of the context - establishment process. To provide for anonymity support, a facility - (input anon_req_flag to GSS_Init_sec_context()) is provided through - which context initiators may request that their identity not be - provided to the context acceptor. Mechanisms are not required to - honor this request, but a caller will be informed (via returned - anon_state indicator from GSS_Init_sec_context()) whether or not the - request is honored. Note that authentication as the anonymous - principal does not necessarily imply that credentials are not - required in order to establish a context. - - Section 4.5 of this document defines the Object Identifier value used - to identify an anonymous principal. - - Four possible combinations of anon_state and mutual_state are - possible, with the following results: - - anon_state == FALSE, mutual_state == FALSE: initiator - authenticated to target. - - anon_state == FALSE, mutual_state == TRUE: initiator authenticated - to target, target authenticated to initiator. - - anon_state == TRUE, mutual_state == FALSE: initiator authenticated - as anonymous principal to target. - - anon_state == TRUE, mutual_state == TRUE: initiator authenticated - as anonymous principal to target, target authenticated to - initiator. - -1.2.6: Initialization - - No initialization calls (i.e., calls which must be invoked prior to - invocation of other facilities in the interface) are defined in GSS- - API. As an implication of this fact, GSS-API implementations must - themselves be self-initializing. 
- - - -Linn Standards Track [Page 25] - -RFC 2743 GSS-API January 2000 - - -1.2.7: Per-Message Protection During Context Establishment - - A facility is defined in GSS-V2 to enable protection and buffering of - data messages for later transfer while a security context's - establishment is in GSS_S_CONTINUE_NEEDED status, to be used in cases - where the caller side already possesses the necessary session key to - enable this processing. Specifically, a new state Boolean, called - prot_ready_state, is added to the set of information returned by - GSS_Init_sec_context(), GSS_Accept_sec_context(), and - GSS_Inquire_context(). - - For context establishment calls, this state Boolean is valid and - interpretable when the associated major_status is either - GSS_S_CONTINUE_NEEDED, or GSS_S_COMPLETE. Callers of GSS-API (both - initiators and acceptors) can assume that per-message protection (via - GSS_Wrap(), GSS_Unwrap(), GSS_GetMIC() and GSS_VerifyMIC()) is - available and ready for use if either: prot_ready_state == TRUE, or - major_status == GSS_S_COMPLETE, though mutual authentication (if - requested) cannot be guaranteed until GSS_S_COMPLETE is returned. - Callers making use of per-message protection services in advance of - GSS_S_COMPLETE status should be aware of the possibility that a - subsequent context establishment step may fail, and that certain - context data (e.g., mech_type) as returned for subsequent calls may - change. - - This approach achieves full, transparent backward compatibility for - GSS-API V1 callers, who need not even know of the existence of - prot_ready_state, and who will get the expected behavior from - GSS_S_COMPLETE, but who will not be able to use per-message - protection before GSS_S_COMPLETE is returned. 
- - It is not a requirement that GSS-V2 mechanisms ever return TRUE - prot_ready_state before completion of context establishment (indeed, - some mechanisms will not evolve usable message protection keys, - especially at the context acceptor, before context establishment is - complete). It is expected but not required that GSS-V2 mechanisms - will return TRUE prot_ready_state upon completion of context - establishment if they support per-message protection at all (however - GSS-V2 applications should not assume that TRUE prot_ready_state will - always be returned together with the GSS_S_COMPLETE major_status, - since GSS-V2 implementations may continue to support GSS-V1 mechanism - code, which will never return TRUE prot_ready_state). - - When prot_ready_state is returned TRUE, mechanisms shall also set - those context service indicator flags (deleg_state, mutual_state, - replay_det_state, sequence_state, anon_state, trans_state, - conf_avail, integ_avail) which represent facilities confirmed, at - that time, to be available on the context being established. In - - - -Linn Standards Track [Page 26] - -RFC 2743 GSS-API January 2000 - - - situations where prot_ready_state is returned before GSS_S_COMPLETE, - it is possible that additional facilities may be confirmed and - subsequently indicated when GSS_S_COMPLETE is returned. - -1.2.8: Implementation Robustness - - This section recommends aspects of GSS-API implementation behavior in - the interests of overall robustness. - - Invocation of GSS-API calls is to incur no undocumented side effects - visible at the GSS-API level. - - If a token is presented for processing on a GSS-API security context - and that token generates a fatal error in processing or is otherwise - determined to be invalid for that context, the context's state should - not be disrupted for purposes of processing subsequent valid tokens. 
- - Certain local conditions at a GSS-API implementation (e.g., - unavailability of memory) may preclude, temporarily or permanently, - the successful processing of tokens on a GSS-API security context, - typically generating GSS_S_FAILURE major_status returns along with - locally-significant minor_status. For robust operation under such - conditions, the following recommendations are made: - - Failing calls should free any memory they allocate, so that - callers may retry without causing further loss of resources. - - Failure of an individual call on an established context should not - preclude subsequent calls from succeeding on the same context. - - Whenever possible, it should be possible for - GSS_Delete_sec_context() calls to be successfully processed even - if other calls cannot succeed, thereby enabling context-related - resources to be released. - - A failure of GSS_GetMIC() or GSS_Wrap() due to an attempt to use an - unsupported QOP will not interfere with context validity, nor shall - such a failure impact the ability of the application to subsequently - invoke GSS_GetMIC() or GSS_Wrap() using a supported QOP. Any state - information concerning sequencing of outgoing messages shall be - unchanged by an unsuccessful call of GSS_GetMIC() or GSS_Wrap(). - - - - - - - - - - -Linn Standards Track [Page 27] - -RFC 2743 GSS-API January 2000 - - -1.2.9: Delegation - - The GSS-API allows delegation to be controlled by the initiating - application via a Boolean parameter to GSS_Init_sec_context(), the - routine that establishes a security context. Some mechanisms do not - support delegation, and for such mechanisms attempts by an - application to enable delegation are ignored. 
- - The acceptor of a security context for which the initiator enabled - delegation will receive (via the delegated_cred_handle parameter of - GSS_Accept_sec_context()) a credential handle that contains the - delegated identity, and this credential handle may be used to - initiate subsequent GSS-API security contexts as an agent or delegate - of the initiator. If the original initiator's identity is "A" and - the delegate's identity is "B", then, depending on the underlying - mechanism, the identity embodied by the delegated credential may be - either "A" or "B acting for A". - - For many mechanisms that support delegation, a simple Boolean does - not provide enough control. Examples of additional aspects of - delegation control that a mechanism might provide to an application - are duration of delegation, network addresses from which delegation - is valid, and constraints on the tasks that may be performed by a - delegate. Such controls are presently outside the scope of the GSS- - API. GSS-API implementations supporting mechanisms offering - additional controls should provide extension routines that allow - these controls to be exercised (perhaps by modifying the initiator's - GSS-API credential prior to its use in establishing a context). - However, the simple delegation control provided by GSS-API should - always be able to over-ride other mechanism-specific delegation - controls; if the application instructs GSS_Init_sec_context() that - delegation is not desired, then the implementation must not permit - delegation to occur. This is an exception to the general rule that a - mechanism may enable services even if they are not requested; - delegation may only be provided at the explicit request of the - application. - -1.2.10: Interprocess Context Transfer - - GSS-API V2 provides routines (GSS_Export_sec_context() and - GSS_Import_sec_context()) which allow a security context to be - transferred between processes on a single machine. 
The most common - use for such a feature is a client-server design where the server is - implemented as a single process that accepts incoming security - contexts, which then launches child processes to deal with the data - on these contexts. In such a design, the child processes must have - access to the security context data structure created within the - - - - -Linn Standards Track [Page 28] - -RFC 2743 GSS-API January 2000 - - - parent by its call to GSS_Accept_sec_context() so that they can use - per-message protection services and delete the security context when - the communication session ends. - - Since the security context data structure is expected to contain - sequencing information, it is impractical in general to share a - context between processes. Thus GSS-API provides a call - (GSS_Export_sec_context()) that the process which currently owns the - context can call to declare that it has no intention to use the - context subsequently, and to create an inter-process token containing - information needed by the adopting process to successfully import the - context. After successful completion of this call, the original - security context is made inaccessible to the calling process by GSS- - API, and any context handles referring to this context are no longer - valid. The originating process transfers the inter-process token to - the adopting process, which passes it to GSS_Import_sec_context(), - and a fresh context handle is created such that it is functionally - identical to the original context. - - The inter-process token may contain sensitive data from the original - security context (including cryptographic keys). Applications using - inter-process tokens to transfer security contexts must take - appropriate steps to protect these tokens in transit. - Implementations are not required to support the inter-process - transfer of security contexts. 
The ability to transfer a security - context is indicated when the context is created, by - GSS_Init_sec_context() or GSS_Accept_sec_context() indicating a TRUE - trans_state return value. - -2: Interface Descriptions - - This section describes the GSS-API's service interface, dividing the - set of calls offered into four groups. Credential management calls - are related to the acquisition and release of credentials by - principals. Context-level calls are related to the management of - security contexts between principals. Per-message calls are related - to the protection of individual messages on established security - contexts. Support calls provide ancillary functions useful to GSS-API - callers. Table 2 groups and summarizes the calls in tabular fashion. - - Table 2: GSS-API Calls - - CREDENTIAL MANAGEMENT - - GSS_Acquire_cred acquire credentials for use - GSS_Release_cred release credentials after use - GSS_Inquire_cred display information about - credentials - - - -Linn Standards Track [Page 29] - -RFC 2743 GSS-API January 2000 - - - GSS_Add_cred construct credentials incrementally - GSS_Inquire_cred_by_mech display per-mechanism credential - information - - CONTEXT-LEVEL CALLS - - GSS_Init_sec_context initiate outbound security context - GSS_Accept_sec_context accept inbound security context - GSS_Delete_sec_context flush context when no longer needed - GSS_Process_context_token process received control token on - context - GSS_Context_time indicate validity time remaining on - context - GSS_Inquire_context display information about context - GSS_Wrap_size_limit determine GSS_Wrap token size limit - GSS_Export_sec_context transfer context to other process - GSS_Import_sec_context import transferred context - - PER-MESSAGE CALLS - - GSS_GetMIC apply integrity check, receive as - token separate from message - GSS_VerifyMIC validate integrity check token - along with message - GSS_Wrap sign, optionally encrypt, - encapsulate - GSS_Unwrap decapsulate, decrypt 
if needed, - validate integrity check - - SUPPORT CALLS - - GSS_Display_status translate status codes to printable - form - GSS_Indicate_mechs indicate mech_types supported on - local system - GSS_Compare_name compare two names for equality - GSS_Display_name translate name to printable form - GSS_Import_name convert printable name to - normalized form - GSS_Release_name free storage of normalized-form - name - GSS_Release_buffer free storage of general GSS-allocated - object - GSS_Release_OID_set free storage of OID set object - GSS_Create_empty_OID_set create empty OID set - GSS_Add_OID_set_member add member to OID set - GSS_Test_OID_set_member test if OID is member of OID set - GSS_Inquire_names_for_mech indicate name types supported by - - - -Linn Standards Track [Page 30] - -RFC 2743 GSS-API January 2000 - - - mechanism - GSS_Inquire_mechs_for_name indicates mechanisms supporting name - type - GSS_Canonicalize_name translate name to per-mechanism form - GSS_Export_name externalize per-mechanism name - GSS_Duplicate_name duplicate name object - -2.1: Credential management calls - - These GSS-API calls provide functions related to the management of - credentials. Their characterization with regard to whether or not - they may block pending exchanges with other network entities (e.g., - directories or authentication servers) depends in part on OS-specific - (extra-GSS-API) issues, so is not specified in this document. - - The GSS_Acquire_cred() call is defined within the GSS-API in support - of application portability, with a particular orientation towards - support of portable server applications. It is recognized that (for - certain systems and mechanisms) credentials for interactive users may - be managed differently from credentials for server processes; in such - environments, it is the GSS-API implementation's responsibility to - distinguish these cases and the procedures for making this - distinction are a local matter. 
The GSS_Release_cred() call provides - a means for callers to indicate to the GSS-API that use of a - credentials structure is no longer required. The GSS_Inquire_cred() - call allows callers to determine information about a credentials - structure. The GSS_Add_cred() call enables callers to append - elements to an existing credential structure, allowing iterative - construction of a multi-mechanism credential. The - GSS_Inquire_cred_by_mech() call enables callers to extract per- - mechanism information describing a credentials structure. - -2.1.1: GSS_Acquire_cred call - - Inputs: - - o desired_name INTERNAL NAME, -- NULL requests locally-determined - -- default - - o lifetime_req INTEGER, -- in seconds; 0 requests default - - o desired_mechs SET OF OBJECT IDENTIFIER, -- NULL requests - -- system-selected default - - o cred_usage INTEGER -- 0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY, - -- 2=ACCEPT-ONLY - - - - - -Linn Standards Track [Page 31] - -RFC 2743 GSS-API January 2000 - - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o output_cred_handle CREDENTIAL HANDLE, -- if returned non-NULL, - -- caller must release with GSS_Release_cred() - - o actual_mechs SET OF OBJECT IDENTIFIER, -- if returned non-NULL, - -- caller must release with GSS_Release_oid_set() - - o lifetime_rec INTEGER -- in seconds, or reserved value for - -- INDEFINITE - - Return major_status codes: - - o GSS_S_COMPLETE indicates that requested credentials were - successfully established, for the duration indicated in lifetime_rec, - suitable for the usage requested in cred_usage, for the set of - mech_types indicated in actual_mechs, and that those credentials can - be referenced for subsequent use with the handle returned in - output_cred_handle. - - o GSS_S_BAD_MECH indicates that a mech_type unsupported by the GSS- - API implementation type was requested, causing the credential - establishment operation to fail. 
- - o GSS_S_BAD_NAMETYPE indicates that the provided desired_name is - uninterpretable or of a type unsupported by the applicable underlying - GSS-API mechanism(s), so no credentials could be established for the - accompanying desired_name. - - o GSS_S_BAD_NAME indicates that the provided desired_name is - inconsistent in terms of internally-incorporated type specifier - information, so no credentials could be established for the - accompanying desired_name. - - o GSS_S_CREDENTIALS_EXPIRED indicates that underlying credential - elements corresponding to the requested desired_name have expired, so - requested credentials could not be established. - - o GSS_S_NO_CRED indicates that no credential elements corresponding - to the requested desired_name and usage could be accessed, so - requested credentials could not be established. In particular, this - status should be returned upon temporary user-fixable conditions - - - - - -Linn Standards Track [Page 32] - -RFC 2743 GSS-API January 2000 - - - preventing successful credential establishment and upon lack of - authorization to establish and use credentials associated with the - identity named in the input desired_name argument. - - o GSS_S_FAILURE indicates that credential establishment failed for - reasons unspecified at the GSS-API level. - - GSS_Acquire_cred() is used to acquire credentials so that a principal - can (as a function of the input cred_usage parameter) initiate and/or - accept security contexts under the identity represented by the - desired_name input argument. On successful completion, the returned - output_cred_handle result provides a handle for subsequent references - to the acquired credentials. Typically, single-user client processes - requesting that default credential behavior be applied for context - establishment purposes will have no need to invoke this call. 
- - A caller may provide the value NULL (GSS_C_NO_NAME) for desired_name, - which will be interpreted as a request for a credential handle that - will invoke default behavior when passed to GSS_Init_sec_context(), - if cred_usage is GSS_C_INITIATE or GSS_C_BOTH, or - GSS_Accept_sec_context(), if cred_usage is GSS_C_ACCEPT or - GSS_C_BOTH. It is possible that multiple pre-established credentials - may exist for the same principal identity (for example, as a result - of multiple user login sessions) when GSS_Acquire_cred() is called; - the means used in such cases to select a specific credential are - local matters. The input lifetime_req argument to GSS_Acquire_cred() - may provide useful information for local GSS-API implementations to - employ in making this disambiguation in a manner which will best - satisfy a caller's intent. - - This routine is expected to be used primarily by context acceptors, - since implementations are likely to provide mechanism-specific ways - of obtaining GSS-API initiator credentials from the system login - process. Some implementations may therefore not support the - acquisition of GSS_C_INITIATE or GSS_C_BOTH credentials via - GSS_Acquire_cred() for any name other than GSS_C_NO_NAME, or a name - resulting from applying GSS_Inquire_context() to an active context, - or a name resulting from applying GSS_Inquire_cred() against a - credential handle corresponding to default behavior. It is important - to recognize that the explicit name which is yielded by resolving a - default reference may change over time, e.g., as a result of local - credential element management operations outside GSS-API; once - resolved, however, the value of such an explicit name will remain - constant. - - The lifetime_rec result indicates the length of time for which the - acquired credentials will be valid, as an offset from the present. 
A - mechanism may return a reserved value indicating INDEFINITE if no - - - -Linn Standards Track [Page 33] - -RFC 2743 GSS-API January 2000 - - - constraints on credential lifetime are imposed. A caller of - GSS_Acquire_cred() can request a length of time for which acquired - credentials are to be valid (lifetime_req argument), beginning at the - present, or can request credentials with a default validity interval. - (Requests for postdated credentials are not supported within the - GSS-API.) Certain mechanisms and implementations may bind in - credential validity period specifiers at a point preliminary to - invocation of the GSS_Acquire_cred() call (e.g., in conjunction with - user login procedures). As a result, callers requesting non-default - values for lifetime_req must recognize that such requests cannot - always be honored and must be prepared to accommodate the use of - returned credentials with different lifetimes as indicated in - lifetime_rec. - - The caller of GSS_Acquire_cred() can explicitly specify a set of - mech_types which are to be accommodated in the returned credentials - (desired_mechs argument), or can request credentials for a system- - defined default set of mech_types. Selection of the system-specified - default set is recommended in the interests of application - portability. The actual_mechs return value may be interrogated by the - caller to determine the set of mechanisms with which the returned - credentials may be used. - -2.1.2: GSS_Release_cred call - - Input: - - o cred_handle CREDENTIAL HANDLE -- if GSS_C_NO_CREDENTIAL - -- is specified, the call will complete successfully, but - -- will have no effect; no credential elements will be - -- released. - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the credentials referenced by the - input cred_handle were released for purposes of subsequent access by - the caller. 
The effect on other processes which may be authorized - shared access to such credentials is a local matter. - - - - - - - -Linn Standards Track [Page 34] - -RFC 2743 GSS-API January 2000 - - - o GSS_S_NO_CRED indicates that no release operation was performed, - either because the input cred_handle was invalid or because the - caller lacks authorization to access the referenced credentials. - - o GSS_S_FAILURE indicates that the release operation failed for - reasons unspecified at the GSS-API level. - - Provides a means for a caller to explicitly request that credentials - be released when their use is no longer required. Note that system- - specific credential management functions are also likely to exist, - for example to assure that credentials shared among processes are - properly deleted when all affected processes terminate, even if no - explicit release requests are issued by those processes. Given the - fact that multiple callers are not precluded from gaining authorized - access to the same credentials, invocation of GSS_Release_cred() - cannot be assumed to delete a particular set of credentials on a - system-wide basis. 
- -2.1.3: GSS_Inquire_cred call - - Input: - - o cred_handle CREDENTIAL HANDLE -- if GSS_C_NO_CREDENTIAL - -- is specified, default initiator credentials are queried - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o cred_name INTERNAL NAME, -- caller must release with - -- GSS_Release_name() - - o lifetime_rec INTEGER -- in seconds, or reserved value for - -- INDEFINITE - - o cred_usage INTEGER, -- 0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY, - -- 2=ACCEPT-ONLY - - o mech_set SET OF OBJECT IDENTIFIER -- caller must release - -- with GSS_Release_oid_set() - - - - - - - - - -Linn Standards Track [Page 35] - -RFC 2743 GSS-API January 2000 - - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the credentials referenced by the - input cred_handle argument were valid, and that the output cred_name, - lifetime_rec, and cred_usage values represent, respectively, the - credentials' associated principal name, remaining lifetime, suitable - usage modes, and supported mechanism types. - - o GSS_S_NO_CRED indicates that no information could be returned - about the referenced credentials, either because the input - cred_handle was invalid or because the caller lacks authorization to - access the referenced credentials. - - o GSS_S_DEFECTIVE_CREDENTIAL indicates that the referenced - credentials are invalid. - - o GSS_S_CREDENTIALS_EXPIRED indicates that the referenced - credentials have expired. - - o GSS_S_FAILURE indicates that the operation failed for reasons - unspecified at the GSS-API level. - - The GSS_Inquire_cred() call is defined primarily for the use of those - callers which request use of default credential behavior rather than - acquiring credentials explicitly with GSS_Acquire_cred(). It enables - callers to determine a credential structure's associated principal - name, remaining validity period, usability for security context - initiation and/or acceptance, and supported mechanisms. 
- - For a multi-mechanism credential, the returned "lifetime" specifier - indicates the shortest lifetime of any of the mechanisms' elements in - the credential (for either context initiation or acceptance - purposes). - - GSS_Inquire_cred() should indicate INITIATE-AND-ACCEPT for - "cred_usage" if both of the following conditions hold: - - (1) there exists in the credential an element which allows context - initiation using some mechanism - - (2) there exists in the credential an element which allows context - acceptance using some mechanism (allowably, but not necessarily, - one of the same mechanism(s) qualifying for (1)). - - If condition (1) holds but not condition (2), GSS_Inquire_cred() - should indicate INITIATE-ONLY for "cred_usage". If condition (2) - holds but not condition (1), GSS_Inquire_cred() should indicate - ACCEPT-ONLY for "cred_usage". - - - -Linn Standards Track [Page 36] - -RFC 2743 GSS-API January 2000 - - - Callers requiring finer disambiguation among available combinations - of lifetimes, usage modes, and mechanisms should call the - GSS_Inquire_cred_by_mech() routine, passing that routine one of the - mech OIDs returned by GSS_Inquire_cred(). - -2.1.4: GSS_Add_cred call - - Inputs: - - o input_cred_handle CREDENTIAL HANDLE -- handle to credential - -- structure created with prior GSS_Acquire_cred() or - -- GSS_Add_cred() call; see text for definition of behavior - -- when GSS_C_NO_CREDENTIAL provided. 
- - o desired_name INTERNAL NAME - - o initiator_time_req INTEGER -- in seconds; 0 requests default - - o acceptor_time_req INTEGER -- in seconds; 0 requests default - - o desired_mech OBJECT IDENTIFIER - - o cred_usage INTEGER -- 0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY, - -- 2=ACCEPT-ONLY - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o output_cred_handle CREDENTIAL HANDLE, -- NULL to request that - -- credential elements be added "in place" to the credential - -- structure identified by input_cred_handle, - -- non-NULL pointer to request that - -- a new credential structure and handle be created. - -- if credential handle returned, caller must release with - -- GSS_Release_cred() - - o actual_mechs SET OF OBJECT IDENTIFIER, -- if returned, caller must - -- release with GSS_Release_oid_set() - - o initiator_time_rec INTEGER -- in seconds, or reserved value for - -- INDEFINITE - - o acceptor_time_rec INTEGER -- in seconds, or reserved value for - -- INDEFINITE - - - - -Linn Standards Track [Page 37] - -RFC 2743 GSS-API January 2000 - - - o cred_usage INTEGER, -- 0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY, - -- 2=ACCEPT-ONLY - - o mech_set SET OF OBJECT IDENTIFIER -- full set of mechanisms - -- supported by resulting credential. - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the credentials referenced by the - input_cred_handle argument were valid, and that the resulting - credential from GSS_Add_cred() is valid for the durations indicated - in initiator_time_rec and acceptor_time_rec, suitable for the usage - requested in cred_usage, and for the mechanisms indicated in - actual_mechs. - - o GSS_S_DUPLICATE_ELEMENT indicates that the input desired_mech - specified a mechanism for which the referenced credential already - contained a credential element with overlapping cred_usage and - validity time specifiers. 
- - o GSS_S_BAD_MECH indicates that the input desired_mech specified a - mechanism unsupported by the GSS-API implementation, causing the - GSS_Add_cred() operation to fail. - - o GSS_S_BAD_NAMETYPE indicates that the provided desired_name is - uninterpretable or of a type unsupported by the applicable underlying - GSS-API mechanism(s), so the GSS_Add_cred() operation could not be - performed for that name. - - o GSS_S_BAD_NAME indicates that the provided desired_name is - inconsistent in terms of internally-incorporated type specifier - information, so the GSS_Add_cred() operation could not be performed - for that name. - - o GSS_S_NO_CRED indicates that the input_cred_handle referenced - invalid or inaccessible credentials. In particular, this status - should be returned upon temporary user-fixable conditions preventing - successful credential establishment or upon lack of authorization to - establish or use credentials representing the requested identity. - - o GSS_S_CREDENTIALS_EXPIRED indicates that referenced credential - elements have expired, so the GSS_Add_cred() operation could not be - performed. - - o GSS_S_FAILURE indicates that the operation failed for reasons - unspecified at the GSS-API level. - - - - - -Linn Standards Track [Page 38] - -RFC 2743 GSS-API January 2000 - - - GSS_Add_cred() enables callers to construct credentials iteratively - by adding credential elements in successive operations, corresponding - to different mechanisms. This offers particular value in multi- - mechanism environments, as the major_status and minor_status values - returned on each iteration are individually visible and can therefore - be interpreted unambiguously on a per-mechanism basis. A credential - element is identified by the name of the principal to which it - refers. GSS-API implementations must impose a local access control - policy on callers of this routine to prevent unauthorized callers - from acquiring credential elements to which they are not entitled. 
- This routine is not intended to provide a "login to the network" - function, as such a function would involve the creation of new - mechanism-specific authentication data, rather than merely acquiring - a GSS-API handle to existing data. Such functions, if required, - should be defined in implementation-specific extension routines. - - If credential acquisition is time-consuming for a mechanism, the - mechanism may choose to delay the actual acquisition until the - credential is required (e.g. by GSS_Init_sec_context() or - GSS_Accept_sec_context()). Such mechanism-specific implementation - decisions should be invisible to the calling application; thus a call - of GSS_Inquire_cred() immediately following the call of - GSS_Acquire_cred() must return valid credential data, and may - therefore incur the overhead of a deferred credential acquisition. - - If GSS_C_NO_CREDENTIAL is specified as input_cred_handle, a non-NULL - output_cred_handle must be supplied. For the case of - GSS_C_NO_CREDENTIAL as input_cred_handle, GSS_Add_cred() will create - the credential referenced by its output_cred_handle based on default - behavior. That is, the call will have the same effect as if the - caller had previously called GSS_Acquire_cred(), specifying the same - usage and passing GSS_C_NO_NAME as the desired_name parameter - (thereby obtaining an explicit credential handle corresponding to - default behavior), had passed that credential handle to - GSS_Add_cred(), and had finally called GSS_Release_cred() on the - credential handle received from GSS_Acquire_cred(). - - This routine is expected to be used primarily by context acceptors, - since implementations are likely to provide mechanism-specific ways - of obtaining GSS-API initiator credentials from the system login - process. 
Some implementations may therefore not support the - acquisition of GSS_C_INITIATE or GSS_C_BOTH credentials via - GSS_Acquire_cred() for any name other than GSS_C_NO_NAME, or a name - resulting from applying GSS_Inquire_context() to an active context, - or a name resulting from applying GSS_Inquire_cred() against a - credential handle corresponding to default behavior. It is important - to recognize that the explicit name which is yielded by resolving a - default reference may change over time, e.g., as a result of local - - - -Linn Standards Track [Page 39] - -RFC 2743 GSS-API January 2000 - - - credential element management operations outside GSS-API; once - resolved, however, the value of such an explicit name will remain - constant. - - A caller may provide the value NULL (GSS_C_NO_NAME) for desired_name, - which will be interpreted as a request for a credential handle that - will invoke default behavior when passed to GSS_Init_sec_context(), - if cred_usage is GSS_C_INITIATE or GSS_C_BOTH, or - GSS_Accept_sec_context(), if cred_usage is GSS_C_ACCEPT or - GSS_C_BOTH. - - The same input desired_name, or default reference, should be used on - all GSS_Acquire_cred() and GSS_Add_cred() calls corresponding to a - particular credential. 
- -2.1.5: GSS_Inquire_cred_by_mech call - - Inputs: - - o cred_handle CREDENTIAL HANDLE -- if GSS_C_NO_CREDENTIAL - -- specified, default initiator credentials are queried - - o mech_type OBJECT IDENTIFIER -- specific mechanism for - -- which credentials are being queried - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o cred_name INTERNAL NAME, -- guaranteed to be MN; caller must - -- release with GSS_Release_name() - - o lifetime_rec_initiate INTEGER -- in seconds, or reserved value for - -- INDEFINITE - - o lifetime_rec_accept INTEGER -- in seconds, or reserved value for - -- INDEFINITE - - o cred_usage INTEGER, -- 0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY, - -- 2=ACCEPT-ONLY - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the credentials referenced by the - input cred_handle argument were valid, that the mechanism indicated - by the input mech_type was represented with elements within those - - - -Linn Standards Track [Page 40] - -RFC 2743 GSS-API January 2000 - - - credentials, and that the output cred_name, lifetime_rec_initiate, - lifetime_rec_accept, and cred_usage values represent, respectively, - the credentials' associated principal name, remaining lifetimes, and - suitable usage modes. - - o GSS_S_NO_CRED indicates that no information could be returned - about the referenced credentials, either because the input - cred_handle was invalid or because the caller lacks authorization to - access the referenced credentials. - - o GSS_S_DEFECTIVE_CREDENTIAL indicates that the referenced - credentials are invalid. - - o GSS_S_CREDENTIALS_EXPIRED indicates that the referenced - credentials have expired. - - o GSS_S_BAD_MECH indicates that the referenced credentials do not - contain elements for the requested mechanism. - - o GSS_S_FAILURE indicates that the operation failed for reasons - unspecified at the GSS-API level. 
- - The GSS_Inquire_cred_by_mech() call enables callers in multi- - mechanism environments to acquire specific data about available - combinations of lifetimes, usage modes, and mechanisms within a - credential structure. The lifetime_rec_initiate result indicates the - available lifetime for context initiation purposes; the - lifetime_rec_accept result indicates the available lifetime for - context acceptance purposes. - -2.2: Context-level calls - - This group of calls is devoted to the establishment and management of - security contexts between peers. A context's initiator calls - GSS_Init_sec_context(), resulting in generation of a token which the - caller passes to the target. At the target, that token is passed to - GSS_Accept_sec_context(). Depending on the underlying mech_type and - specified options, additional token exchanges may be performed in the - course of context establishment; such exchanges are accommodated by - GSS_S_CONTINUE_NEEDED status returns from GSS_Init_sec_context() and - GSS_Accept_sec_context(). - - Either party to an established context may invoke - GSS_Delete_sec_context() to flush context information when a context - is no longer required. GSS_Process_context_token() is used to process - received tokens carrying context-level control information. - GSS_Context_time() allows a caller to determine the length of time - for which an established context will remain valid. - - - -Linn Standards Track [Page 41] - -RFC 2743 GSS-API January 2000 - - - GSS_Inquire_context() returns status information describing context - characteristics. GSS_Wrap_size_limit() allows a caller to determine - the size of a token which will be generated by a GSS_Wrap() - operation. GSS_Export_sec_context() and GSS_Import_sec_context() - enable transfer of active contexts between processes on an end - system. 
- -2.2.1: GSS_Init_sec_context call - - Inputs: - - o claimant_cred_handle CREDENTIAL HANDLE, -- NULL specifies "use - -- default" - - o input_context_handle CONTEXT HANDLE, -- 0 - -- (GSS_C_NO_CONTEXT) specifies "none assigned yet" - - o targ_name INTERNAL NAME, - - o mech_type OBJECT IDENTIFIER, -- NULL parameter specifies "use - -- default" - - o deleg_req_flag BOOLEAN, - - o mutual_req_flag BOOLEAN, - - o replay_det_req_flag BOOLEAN, - - o sequence_req_flag BOOLEAN, - - o anon_req_flag BOOLEAN, - - o conf_req_flag BOOLEAN, - - o integ_req_flag BOOLEAN, - - o lifetime_req INTEGER, -- 0 specifies default lifetime - - o chan_bindings OCTET STRING, - - o input_token OCTET STRING -- NULL or token received from target - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - - - -Linn Standards Track [Page 42] - -RFC 2743 GSS-API January 2000 - - - o output_context_handle CONTEXT HANDLE, -- once returned non-NULL, - -- caller must release with GSS_Delete_sec_context() - - o mech_type OBJECT IDENTIFIER, -- actual mechanism always - -- indicated, never NULL; caller should treat as read-only - -- and should not attempt to release - - o output_token OCTET STRING, -- NULL or token to pass to context - -- target; caller must release with GSS_Release_buffer() - - o deleg_state BOOLEAN, - - o mutual_state BOOLEAN, - - o replay_det_state BOOLEAN, - - o sequence_state BOOLEAN, - - o anon_state BOOLEAN, - - o trans_state BOOLEAN, - - o prot_ready_state BOOLEAN, -- see Section 1.2.7 - - o conf_avail BOOLEAN, - - o integ_avail BOOLEAN, - - o lifetime_rec INTEGER -- in seconds, or reserved value for - -- INDEFINITE - - This call may block pending network interactions for those mech_types - in which an authentication server or other network entity must be - consulted on behalf of a context initiator in order to generate an - output_token suitable for presentation to a specified target. 
- - Return major_status codes: - - o GSS_S_COMPLETE indicates that context-level information was - successfully initialized, and that the returned output_token will - provide sufficient information for the target to perform per-message - processing on the newly-established context. - - o GSS_S_CONTINUE_NEEDED indicates that control information in the - returned output_token must be sent to the target, and that a reply - must be received and passed as the input_token argument - - - - - -Linn Standards Track [Page 43] - -RFC 2743 GSS-API January 2000 - - - to a continuation call to GSS_Init_sec_context(), before per-message - processing can be performed in conjunction with this context (unless - the prot_ready_state value is concurrently returned TRUE). - - o GSS_S_DEFECTIVE_TOKEN indicates that consistency checks performed - on the input_token failed, preventing further processing from being - performed based on that token. - - o GSS_S_DEFECTIVE_CREDENTIAL indicates that consistency checks - performed on the credential structure referenced by - claimant_cred_handle failed, preventing further processing from being - performed using that credential structure. - - o GSS_S_BAD_SIG (GSS_S_BAD_MIC) indicates that the received - input_token contains an incorrect integrity check, so context setup - cannot be accomplished. - - o GSS_S_NO_CRED indicates that no context was established, either - because the input cred_handle was invalid, because the referenced - credentials are valid for context acceptor use only, because the - caller lacks authorization to access the referenced credentials, or - because the resolution of default credentials failed. - - o GSS_S_CREDENTIALS_EXPIRED indicates that the credentials provided - through the input claimant_cred_handle argument are no longer valid, - so context establishment cannot be completed. 
- - o GSS_S_BAD_BINDINGS indicates that a mismatch between the caller- - provided chan_bindings and those extracted from the input_token was - detected, signifying a security-relevant event and preventing context - establishment. (This result will be returned by - GSS_Init_sec_context() only for contexts where mutual_state is TRUE.) - - o GSS_S_OLD_TOKEN indicates that the input_token is too old to be - checked for integrity. This is a fatal error during context - establishment. - - o GSS_S_DUPLICATE_TOKEN indicates that the input token has a correct - integrity check, but is a duplicate of a token already processed. - This is a fatal error during context establishment. - - o GSS_S_NO_CONTEXT indicates that no valid context was recognized - for the input context_handle provided; this major status will be - returned only for successor calls following GSS_S_CONTINUE_ NEEDED - status returns. - - - - - - -Linn Standards Track [Page 44] - -RFC 2743 GSS-API January 2000 - - - o GSS_S_BAD_NAMETYPE indicates that the provided targ_name is of a - type uninterpretable or unsupported by the applicable underlying - GSS-API mechanism(s), so context establishment cannot be completed. - - o GSS_S_BAD_NAME indicates that the provided targ_name is - inconsistent in terms of internally-incorporated type specifier - information, so context establishment cannot be accomplished. - - o GSS_S_BAD_MECH indicates receipt of a context establishment token - or of a caller request specifying a mechanism unsupported by the - local system or with the caller's active credentials - - o GSS_S_FAILURE indicates that context setup could not be - accomplished for reasons unspecified at the GSS-API level, and that - no interface-defined recovery action is available. - - This routine is used by a context initiator, and ordinarily emits an - output_token suitable for use by the target within the selected - mech_type's protocol. 
For the case of a multi-step exchange, this - output_token will be one in a series, each generated by a successive - call. Using information in the credentials structure referenced by - claimant_cred_handle, GSS_Init_sec_context() initializes the data - structures required to establish a security context with target - targ_name. - - The targ_name may be any valid INTERNAL NAME; it need not be an MN. - In addition to support for other name types, it is recommended (newly - as of GSS-V2, Update 1) that mechanisms be able to accept - GSS_C_NO_NAME as an input type for targ_name. While recommended, - such support is not required, and it is recognized that not all - mechanisms can construct tokens without explicitly naming the context - target, even when mutual authentication of the target is not - obtained. Callers wishing to make use of this facility and concerned - with portability should be aware that support for GSS_C_NO_NAME as - input targ_name type is unlikely to be provided within mechanism - definitions specified prior to GSS-V2, Update 1. - - The claimant_cred_handle must correspond to the same valid - credentials structure on the initial call to GSS_Init_sec_context() - and on any successor calls resulting from GSS_S_CONTINUE_NEEDED - status returns; different protocol sequences modeled by the - GSS_S_CONTINUE_NEEDED facility will require access to credentials at - different points in the context establishment sequence. - - The caller-provided input_context_handle argument is to be 0 - (GSS_C_NO_CONTEXT), specifying "not yet assigned", on the first - GSS_Init_sec_context() call relating to a given context. If - successful (i.e., if accompanied by major_status GSS_S_COMPLETE or - - - -Linn Standards Track [Page 45] - -RFC 2743 GSS-API January 2000 - - - GSS_S_CONTINUE_NEEDED), and only if successful, the initial - GSS_Init_sec_context() call returns a non-zero output_context_handle - for use in future references to this context. 
Once a non-zero - output_context_handle has been returned, GSS-API callers should call - GSS_Delete_sec_context() to release context-related resources if - errors occur in later phases of context establishment, or when an - established context is no longer required. If GSS_Init_sec_context() - is passed the handle of a context which is already fully established, - GSS_S_FAILURE status is returned. - - When continuation attempts to GSS_Init_sec_context() are needed to - perform context establishment, the previously-returned non-zero - handle value is entered into the input_context_handle argument and - will be echoed in the returned output_context_handle argument. On - such continuation attempts (and only on continuation attempts) the - input_token value is used, to provide the token returned from the - context's target. - - The chan_bindings argument is used by the caller to provide - information binding the security context to security-related - characteristics (e.g., addresses, cryptographic keys) of the - underlying communications channel. See Section 1.1.6 of this document - for more discussion of this argument's usage. - - The input_token argument contains a message received from the target, - and is significant only on a call to GSS_Init_sec_context() which - follows a previous return indicating GSS_S_CONTINUE_NEEDED - major_status. - - It is the caller's responsibility to establish a communications path - to the target, and to transmit any returned output_token (independent - of the accompanying returned major_status value) to the target over - that path. The output_token can, however, be transmitted along with - the first application-provided input message to be processed by - GSS_GetMIC() or GSS_Wrap() in conjunction with a successfully- - established context. 
(Note: when the GSS-V2 prot_ready_state - indicator is returned TRUE, it can be possible to transfer a - protected message before context establishment is complete: see also - Section 1.2.7) - - The initiator may request various context-level functions through - input flags: the deleg_req_flag requests delegation of access rights, - the mutual_req_flag requests mutual authentication, the - replay_det_req_flag requests that replay detection features be - applied to messages transferred on the established context, and the - sequence_req_flag requests that sequencing be enforced. (See Section - - - - - -Linn Standards Track [Page 46] - -RFC 2743 GSS-API January 2000 - - - 1.2.3 for more information on replay detection and sequencing - features.) The anon_req_flag requests that the initiator's identity - not be transferred within tokens to be sent to the acceptor. - - The conf_req_flag and integ_req_flag provide informatory inputs to - the GSS-API implementation as to whether, respectively, per-message - confidentiality and per-message integrity services will be required - on the context. This information is important as an input to - negotiating mechanisms. It is important to recognize, however, that - the inclusion of these flags (which are newly defined for GSS-V2) - introduces a backward incompatibility with callers implemented to - GSS-V1, where the flags were not defined. Since no GSS-V1 callers - would set these flags, even if per-message services are desired, - GSS-V2 mechanism implementations which enable such services - selectively based on the flags' values may fail to provide them to - contexts established for GSS-V1 callers. It may be appropriate under - certain circumstances, therefore, for such mechanism implementations - to infer these service request flags to be set if a caller is known - to be implemented to GSS-V1. - - Not all of the optionally-requestable features will be available in - all underlying mech_types. 
The corresponding return state values - deleg_state, mutual_state, replay_det_state, and sequence_state - indicate, as a function of mech_type processing capabilities and - initiator-provided input flags, the set of features which will be - active on the context. The returned trans_state value indicates - whether the context is transferable to other processes through use of - GSS_Export_sec_context(). These state indicators' values are - undefined unless either the routine's major_status indicates - GSS_S_COMPLETE, or TRUE prot_ready_state is returned along with - GSS_S_CONTINUE_NEEDED major_status; for the latter case, it is - possible that additional features, not confirmed or indicated along - with TRUE prot_ready_state, will be confirmed and indicated when - GSS_S_COMPLETE is subsequently returned. - - The returned anon_state and prot_ready_state values are significant - for both GSS_S_COMPLETE and GSS_S_CONTINUE_NEEDED major_status - returns from GSS_Init_sec_context(). When anon_state is returned - TRUE, this indicates that neither the current token nor its - predecessors delivers or has delivered the initiator's identity. - Callers wishing to perform context establishment only if anonymity - support is provided should transfer a returned token from - GSS_Init_sec_context() to the peer only if it is accompanied by a - TRUE anon_state indicator. When prot_ready_state is returned TRUE in - conjunction with GSS_S_CONTINUE_NEEDED major_status, this indicates - that per-message protection operations may be applied on the context: - see Section 1.2.7 for further discussion of this facility. - - - - -Linn Standards Track [Page 47] - -RFC 2743 GSS-API January 2000 - - - Failure to provide the precise set of features requested by the - caller does not cause context establishment to fail; it is the - caller's prerogative to delete the context if the feature set - provided is unsuitable for the caller's use. 
- - The returned mech_type value indicates the specific mechanism - employed on the context; it will never indicate the value for - "default". A valid mech_type result must be returned along with a - GSS_S_COMPLETE status return; GSS-API implementations may (but are - not required to) also return mech_type along with predecessor calls - indicating GSS_S_CONTINUE_NEEDED status or (if a mechanism is - determinable) in conjunction with fatal error cases. For the case of - mechanisms which themselves perform negotiation, the returned - mech_type result may indicate selection of a mechanism identified by - an OID different than that passed in the input mech_type argument, - and the returned value may change between successive calls returning - GSS_S_CONTINUE_NEEDED and the final call returning GSS_S_COMPLETE. - - The conf_avail return value indicates whether the context supports - per-message confidentiality services, and so informs the caller - whether or not a request for encryption through the conf_req_flag - input to GSS_Wrap() can be honored. In similar fashion, the - integ_avail return value indicates whether per-message integrity - services are available (through either GSS_GetMIC() or GSS_Wrap()) on - the established context. These state indicators' values are undefined - unless either the routine's major_status indicates GSS_S_COMPLETE, or - TRUE prot_ready_state is returned along with GSS_S_CONTINUE_NEEDED - major_status. - - The lifetime_req input specifies a desired upper bound for the - lifetime of the context to be established, with a value of 0 used to - request a default lifetime. The lifetime_rec return value indicates - the length of time for which the context will be valid, expressed as - an offset from the present; depending on mechanism capabilities, - credential lifetimes, and local policy, it may not correspond to the - value requested in lifetime_req. 
If no constraints on context - lifetime are imposed, this may be indicated by returning a reserved - value representing INDEFINITE lifetime_req. The value of lifetime_rec - is undefined unless the routine's major_status indicates - GSS_S_COMPLETE. - - If the mutual_state is TRUE, this fact will be reflected within the - output_token. A call to GSS_Accept_sec_context() at the target in - conjunction with such a context will return a token, to be processed - by a continuation call to GSS_Init_sec_context(), in order to achieve - mutual authentication. - - - - - -Linn Standards Track [Page 48] - -RFC 2743 GSS-API January 2000 - - -2.2.2: GSS_Accept_sec_context call - - Inputs: - - o acceptor_cred_handle CREDENTIAL HANDLE, -- NULL specifies - -- "use default" - - o input_context_handle CONTEXT HANDLE, -- 0 - -- (GSS_C_NO_CONTEXT) specifies "not yet assigned" - - o chan_bindings OCTET STRING, - - o input_token OCTET STRING - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o src_name INTERNAL NAME, -- guaranteed to be MN - -- once returned, caller must release with GSS_Release_name() - - o mech_type OBJECT IDENTIFIER, -- caller should treat as - -- read-only; does not need to be released - - o output_context_handle CONTEXT HANDLE, -- once returned - -- non-NULL in context establishment sequence, caller - -- must release with GSS_Delete_sec_context() - - o deleg_state BOOLEAN, - - o mutual_state BOOLEAN, - - o replay_det_state BOOLEAN, - - o sequence_state BOOLEAN, - - o anon_state BOOLEAN, - - o trans_state BOOLEAN, - - o prot_ready_state BOOLEAN, -- see Section 1.2.7 for discussion - - o conf_avail BOOLEAN, - - o integ_avail BOOLEAN, - - - - -Linn Standards Track [Page 49] - -RFC 2743 GSS-API January 2000 - - - o lifetime_rec INTEGER, -- in seconds, or reserved value for - -- INDEFINITE - - o delegated_cred_handle CREDENTIAL HANDLE, -- if returned non-NULL, - -- caller must release with GSS_Release_cred() - - o output_token OCTET STRING -- NULL or 
token to pass to context - -- initiator; if returned non-NULL, caller must release with - -- GSS_Release_buffer() - - This call may block pending network interactions for those mech_types - in which a directory service or other network entity must be - consulted on behalf of a context acceptor in order to validate a - received input_token. - - Return major_status codes: - - o GSS_S_COMPLETE indicates that context-level data structures were - successfully initialized, and that per-message processing can now be - performed in conjunction with this context. - - o GSS_S_CONTINUE_NEEDED indicates that control information in the - returned output_token must be sent to the initiator, and that a - response must be received and passed as the input_token argument to a - continuation call to GSS_Accept_sec_context(), before per-message - processing can be performed in conjunction with this context. - - o GSS_S_DEFECTIVE_TOKEN indicates that consistency checks performed - on the input_token failed, preventing further processing from being - performed based on that token. - - o GSS_S_DEFECTIVE_CREDENTIAL indicates that consistency checks - performed on the credential structure referenced by - acceptor_cred_handle failed, preventing further processing from being - performed using that credential structure. - - o GSS_S_BAD_SIG (GSS_S_BAD_MIC) indicates that the received - input_token contains an incorrect integrity check, so context setup - cannot be accomplished. - - o GSS_S_DUPLICATE_TOKEN indicates that the integrity check on the - received input_token was correct, but that the input_token was - recognized as a duplicate of an input_token already processed. No new - context is established. - - - - - - - -Linn Standards Track [Page 50] - -RFC 2743 GSS-API January 2000 - - - o GSS_S_OLD_TOKEN indicates that the integrity check on the received - input_token was correct, but that the input_token is too old to be - checked for duplication against previously-processed input_tokens. 
No - new context is established. - - o GSS_S_NO_CRED indicates that no context was established, either - because the input cred_handle was invalid, because the referenced - credentials are valid for context initiator use only, because the - caller lacks authorization to access the referenced credentials, or - because the procedure for default credential resolution failed. - - o GSS_S_CREDENTIALS_EXPIRED indicates that the credentials provided - through the input acceptor_cred_handle argument are no longer valid, - so context establishment cannot be completed. - - o GSS_S_BAD_BINDINGS indicates that a mismatch between the caller- - provided chan_bindings and those extracted from the input_token was - detected, signifying a security-relevant event and preventing context - establishment. - - o GSS_S_NO_CONTEXT indicates that no valid context was recognized - for the input context_handle provided; this major status will be - returned only for successor calls following GSS_S_CONTINUE_ NEEDED - status returns. - - o GSS_S_BAD_MECH indicates receipt of a context establishment token - specifying a mechanism unsupported by the local system or with the - caller's active credentials. - - o GSS_S_FAILURE indicates that context setup could not be - accomplished for reasons unspecified at the GSS-API level, and that - no interface-defined recovery action is available. - - The GSS_Accept_sec_context() routine is used by a context target. - Using information in the credentials structure referenced by the - input acceptor_cred_handle, it verifies the incoming input_token and - (following the successful completion of a context establishment - sequence) returns the authenticated src_name and the mech_type used. - The returned src_name is guaranteed to be an MN, processed by the - mechanism under which the context was established. 
The - acceptor_cred_handle must correspond to the same valid credentials - structure on the initial call to GSS_Accept_sec_context() and on any - successor calls resulting from GSS_S_CONTINUE_NEEDED status returns; - different protocol sequences modeled by the GSS_S_CONTINUE_NEEDED - mechanism will require access to credentials at different points in - the context establishment sequence. - - - - - -Linn Standards Track [Page 51] - -RFC 2743 GSS-API January 2000 - - - The caller-provided input_context_handle argument is to be 0 - (GSS_C_NO_CONTEXT), specifying "not yet assigned", on the first - GSS_Accept_sec_context() call relating to a given context. If - successful (i.e., if accompanied by major_status GSS_S_COMPLETE or - GSS_S_CONTINUE_NEEDED), and only if successful, the initial - GSS_Accept_sec_context() call returns a non-zero - output_context_handle for use in future references to this context. - Once a non-zero output_context_handle has been returned, GSS-API - callers should call GSS_Delete_sec_context() to release context- - related resources if errors occur in later phases of context - establishment, or when an established context is no longer required. - If GSS_Accept_sec_context() is passed the handle of a context which - is already fully established, GSS_S_FAILURE status is returned. - - The chan_bindings argument is used by the caller to provide - information binding the security context to security-related - characteristics (e.g., addresses, cryptographic keys) of the - underlying communications channel. See Section 1.1.6 of this document - for more discussion of this argument's usage. - - The returned state results (deleg_state, mutual_state, - replay_det_state, sequence_state, anon_state, trans_state, and - prot_ready_state) reflect the same information as described for - GSS_Init_sec_context(), and their values are significant under the - same return state conditions. 
- - The conf_avail return value indicates whether the context supports - per-message confidentiality services, and so informs the caller - whether or not a request for encryption through the conf_req_flag - input to GSS_Wrap() can be honored. In similar fashion, the - integ_avail return value indicates whether per-message integrity - services are available (through either GSS_GetMIC() or GSS_Wrap()) - on the established context. These values are significant under the - same return state conditions as described under - GSS_Init_sec_context(). - - The lifetime_rec return value is significant only in conjunction with - GSS_S_COMPLETE major_status, and indicates the length of time for - which the context will be valid, expressed as an offset from the - present. - - The returned mech_type value indicates the specific mechanism - employed on the context; it will never indicate the value for - "default". A valid mech_type result must be returned whenever - GSS_S_COMPLETE status is indicated; GSS-API implementations may (but - are not required to) also return mech_type along with predecessor - calls indicating GSS_S_CONTINUE_NEEDED status or (if a mechanism is - determinable) in conjunction with fatal error cases. For the case of - - - -Linn Standards Track [Page 52] - -RFC 2743 GSS-API January 2000 - - - mechanisms which themselves perform negotiation, the returned - mech_type result may indicate selection of a mechanism identified by - an OID different than that passed in the input mech_type argument, - and the returned value may change between successive calls returning - GSS_S_CONTINUE_NEEDED and the final call returning GSS_S_COMPLETE. - - The delegated_cred_handle result is significant only when deleg_state - is TRUE, and provides a means for the target to reference the - delegated credentials. The output_token result, when non-NULL, - provides a context-level token to be returned to the context - initiator to continue a multi-step context establishment sequence. 
As - noted with GSS_Init_sec_context(), any returned token should be - transferred to the context's peer (in this case, the context - initiator), independent of the value of the accompanying returned - major_status. - - Note: A target must be able to distinguish a context-level - input_token, which is passed to GSS_Accept_sec_context(), from the - per-message data elements passed to GSS_VerifyMIC() or GSS_Unwrap(). - These data elements may arrive in a single application message, and - GSS_Accept_sec_context() must be performed before per-message - processing can be performed successfully. - -2.2.3: GSS_Delete_sec_context call - - Input: - - o context_handle CONTEXT HANDLE - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o output_context_token OCTET STRING - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the context was recognized, and that - relevant context-specific information was flushed. If the caller - provides a non-null buffer to receive an output_context_token, and - the mechanism returns a non-NULL token into that buffer, the returned - output_context_token is ready for transfer to the context's peer. - - o GSS_S_NO_CONTEXT indicates that no valid context was recognized - for the input context_handle provided, so no deletion was performed. - - - - -Linn Standards Track [Page 53] - -RFC 2743 GSS-API January 2000 - - - o GSS_S_FAILURE indicates that the context is recognized, but that - the GSS_Delete_sec_context() operation could not be performed for - reasons unspecified at the GSS-API level. - - This call can be made by either peer in a security context, to flush - context-specific information. Once a non-zero output_context_handle - has been returned by context establishment calls, GSS-API callers - should call GSS_Delete_sec_context() to release context-related - resources if errors occur in later phases of context establishment, - or when an established context is no longer required. 
This call may - block pending network interactions for mech_types in which active - notification must be made to a central server when a security context - is to be deleted. - - If a non-null output_context_token parameter is provided by the - caller, an output_context_token may be returned to the caller. If an - output_context_token is provided to the caller, it can be passed to - the context's peer to inform the peer's GSS-API implementation that - the peer's corresponding context information can also be flushed. - (Once a context is established, the peers involved are expected to - retain cached credential and context-related information until the - information's expiration time is reached or until a - GSS_Delete_sec_context() call is made.) - - The facility for context_token usage to signal context deletion is - retained for compatibility with GSS-API Version 1. For current - usage, it is recommended that both peers to a context invoke - GSS_Delete_sec_context() independently, passing a null - output_context_token buffer to indicate that no context_token is - required. Implementations of GSS_Delete_sec_context() should delete - relevant locally-stored context information. - - Attempts to perform per-message processing on a deleted context will - result in error returns. - -2.2.4: GSS_Process_context_token call - - Inputs: - - o context_handle CONTEXT HANDLE, - - o input_context_token OCTET STRING - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - - -Linn Standards Track [Page 54] - -RFC 2743 GSS-API January 2000 - - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the input_context_token was - successfully processed in conjunction with the context referenced by - context_handle. - - o GSS_S_DEFECTIVE_TOKEN indicates that consistency checks performed - on the received context_token failed, preventing further processing - from being performed with that token. 
- - o GSS_S_NO_CONTEXT indicates that no valid context was recognized - for the input context_handle provided. - - o GSS_S_FAILURE indicates that the context is recognized, but that - the GSS_Process_context_token() operation could not be performed for - reasons unspecified at the GSS-API level. - - This call is used to process context_tokens received from a peer once - a context has been established, with corresponding impact on - context-level state information. One use for this facility is - processing of the context_tokens generated by - GSS_Delete_sec_context(); GSS_Process_context_token() will not block - pending network interactions for that purpose. Another use is to - process tokens indicating remote-peer context establishment failures - after the point where the local GSS-API implementation has already - indicated GSS_S_COMPLETE status. - -2.2.5: GSS_Context_time call - - Input: - - o context_handle CONTEXT HANDLE, - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o lifetime_rec INTEGER -- in seconds, or reserved value for - -- INDEFINITE - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the referenced context is valid, and - will remain valid for the amount of time indicated in lifetime_rec. - - - - - -Linn Standards Track [Page 55] - -RFC 2743 GSS-API January 2000 - - - o GSS_S_CONTEXT_EXPIRED indicates that data items related to the - referenced context have expired. - - o GSS_S_NO_CONTEXT indicates that no valid context was recognized - for the input context_handle provided. - - o GSS_S_FAILURE indicates that the requested operation failed for - reasons unspecified at the GSS-API level. - - This call is used to determine the amount of time for which a - currently established context will remain valid. 
- -2.2.6: GSS_Inquire_context call - - Input: - - o context_handle CONTEXT HANDLE, - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o src_name INTERNAL NAME, -- name of context initiator, - -- guaranteed to be MN; - -- caller must release with GSS_Release_name() if returned - - o targ_name INTERNAL NAME, -- name of context target, - -- guaranteed to be MN; - -- caller must release with GSS_Release_name() if returned - - o lifetime_rec INTEGER -- in seconds, or reserved value for - -- INDEFINITE or EXPIRED - - o mech_type OBJECT IDENTIFIER, -- the mechanism supporting this - -- security context; caller should treat as read-only and not - -- attempt to release - - o deleg_state BOOLEAN, - - o mutual_state BOOLEAN, - - o replay_det_state BOOLEAN, - - o sequence_state BOOLEAN, - - o anon_state BOOLEAN, - - - -Linn Standards Track [Page 56] - -RFC 2743 GSS-API January 2000 - - - o trans_state BOOLEAN, - - o prot_ready_state BOOLEAN, - - o conf_avail BOOLEAN, - - o integ_avail BOOLEAN, - - o locally_initiated BOOLEAN, -- TRUE if initiator, FALSE if acceptor - - o open BOOLEAN, -- TRUE if context fully established, FALSE - -- if partly established (in CONTINUE_NEEDED state) - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the referenced context is valid and - that deleg_state, mutual_state, replay_det_state, sequence_state, - anon_state, trans_state, prot_ready_state, conf_avail, integ_avail, - locally_initiated, and open return values describe the corresponding - characteristics of the context. If open is TRUE, lifetime_rec is - also returned: if open is TRUE and the context peer's name is known, - src_name and targ_name are valid in addition to the values listed - above. The mech_type value must be returned for contexts where open - is TRUE and may be returned for contexts where open is FALSE. - - o GSS_S_NO_CONTEXT indicates that no valid context was recognized - for the input context_handle provided. 
Return values other than - major_status and minor_status are undefined. - - o GSS_S_FAILURE indicates that the requested operation failed for - reasons unspecified at the GSS-API level. Return values other than - major_status and minor_status are undefined. - - This call is used to extract information describing characteristics - of a security context. Note that GSS-API implementations are - expected to retain inquirable context data on a context until the - context is released by a caller, even after the context has expired, - although underlying cryptographic data elements may be deleted after - expiration in order to limit their exposure. - -2.2.7: GSS_Wrap_size_limit call - - Inputs: - - o context_handle CONTEXT HANDLE, - - o conf_req_flag BOOLEAN, - - - - -Linn Standards Track [Page 57] - -RFC 2743 GSS-API January 2000 - - - o qop INTEGER, - - o output_size INTEGER - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o max_input_size INTEGER - - Return major_status codes: - - o GSS_S_COMPLETE indicates a successful token size determination: - an input message with a length in octets equal to the returned - max_input_size value will, when passed to GSS_Wrap() for processing - on the context identified by the context_handle parameter with the - confidentiality request state as provided in conf_req_flag and with - the quality of protection specifier provided in the qop parameter, - yield an output token no larger than the value of the provided - output_size parameter. - - o GSS_S_CONTEXT_EXPIRED indicates that the provided input - context_handle is recognized, but that the referenced context has - expired. Return values other than major_status and minor_status are - undefined. - - o GSS_S_NO_CONTEXT indicates that no valid context was recognized - for the input context_handle provided. Return values other than - major_status and minor_status are undefined. 
- - o GSS_S_BAD_QOP indicates that the provided QOP value is not - recognized or supported for the context. - - o GSS_S_FAILURE indicates that the requested operation failed for - reasons unspecified at the GSS-API level. Return values other than - major_status and minor_status are undefined. - - This call is used to determine the largest input datum which may be - passed to GSS_Wrap() without yielding an output token larger than a - caller-specified value. - - - - - - - - - -Linn Standards Track [Page 58] - -RFC 2743 GSS-API January 2000 - - -2.2.8: GSS_Export_sec_context call - - Inputs: - - o context_handle CONTEXT HANDLE - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o interprocess_token OCTET STRING -- caller must release - -- with GSS_Release_buffer() - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the referenced context has been - successfully exported to a representation in the interprocess_token, - and is no longer available for use by the caller. - - o GSS_S_UNAVAILABLE indicates that the context export facility is - not available for use on the referenced context. (This status should - occur only for contexts for which the trans_state value is FALSE.) - Return values other than major_status and minor_status are undefined. - - o GSS_S_CONTEXT_EXPIRED indicates that the provided input - context_handle is recognized, but that the referenced context has - expired. Return values other than major_status and minor_status are - undefined. - - o GSS_S_NO_CONTEXT indicates that no valid context was recognized - for the input context_handle provided. Return values other than - major_status and minor_status are undefined. - - o GSS_S_FAILURE indicates that the requested operation failed for - reasons unspecified at the GSS-API level. Return values other than - major_status and minor_status are undefined. 
- - This call generates an interprocess token for transfer to another - process within an end system, in order to transfer control of a - security context to that process. The recipient of the interprocess - token will call GSS_Import_sec_context() to accept the transfer. The - GSS_Export_sec_context() operation is defined for use only with - security contexts which are fully and successfully established (i.e., - those for which GSS_Init_sec_context() and GSS_Accept_sec_context() - have returned GSS_S_COMPLETE major_status). - - - - -Linn Standards Track [Page 59] - -RFC 2743 GSS-API January 2000 - - - A successful GSS_Export_sec_context() operation deactivates the - security context for the calling process; for this case, the GSS-API - implementation shall deallocate all process-wide resources associated - with the security context and shall set the context_handle to - GSS_C_NO_CONTEXT. In the event of an error that makes it impossible - to complete export of the security context, the GSS-API - implementation must not return an interprocess token and should - strive to leave the security context referenced by the context_handle - untouched. If this is impossible, it is permissible for the - implementation to delete the security context, provided that it also - sets the context_handle parameter to GSS_C_NO_CONTEXT. - - Portable callers must not assume that a given interprocess token can - be imported by GSS_Import_sec_context() more than once, thereby - creating multiple instantiations of a single context. GSS-API - implementations may detect and reject attempted multiple imports, but - are not required to do so. - - The internal representation contained within the interprocess token - is an implementation-defined local matter. Interprocess tokens - cannot be assumed to be transferable across different GSS-API - implementations. 
- - It is recommended that GSS-API implementations adopt policies suited - to their operational environments in order to define the set of - processes eligible to import a context, but specific constraints in - this area are local matters. Candidate examples include transfers - between processes operating on behalf of the same user identity, or - processes comprising a common job. However, it may be impossible to - enforce such policies in some implementations. - - In support of the above goals, implementations may protect the - transferred context data by using cryptography to protect data within - the interprocess token, or by using interprocess tokens as a means to - reference local interprocess communication facilities (protected by - other means) rather than storing the context data directly within the - tokens. - - Transfer of an open context may, for certain mechanisms and - implementations, reveal data about the credential which was used to - establish the context. Callers should, therefore, be cautious about - the trustworthiness of processes to which they transfer contexts. - Although the GSS-API implementation may provide its own set of - protections over the exported context, the caller is responsible for - protecting the interprocess token from disclosure, and for taking - care that the context is transferred to an appropriate destination - process. - - - - -Linn Standards Track [Page 60] - -RFC 2743 GSS-API January 2000 - - -2.2.9: GSS_Import_sec_context call - - Inputs: - - o interprocess_token OCTET STRING - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o context_handle CONTEXT HANDLE -- if successfully returned, - -- caller must release with GSS_Delete_sec_context() - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the context represented by the input - interprocess_token has been successfully transferred to the caller, - and is available for future use via the output context_handle. 
- - o GSS_S_NO_CONTEXT indicates that the context represented by the - input interprocess_token was invalid. Return values other than - major_status and minor_status are undefined. - - o GSS_S_DEFECTIVE_TOKEN indicates that the input interprocess_token - was defective. Return values other than major_status and - minor_status are undefined. - - o GSS_S_UNAVAILABLE indicates that the context import facility is - not available for use on the referenced context. Return values other - than major_status and minor_status are undefined. - - o GSS_S_UNAUTHORIZED indicates that the context represented by the - input interprocess_token is unauthorized for transfer to the caller. - Return values other than major_status and minor_status are undefined. - - o GSS_S_FAILURE indicates that the requested operation failed for - reasons unspecified at the GSS-API level. Return values other than - major_status and minor_status are undefined. - - This call processes an interprocess token generated by - GSS_Export_sec_context(), making the transferred context available - for use by the caller. After a successful GSS_Import_sec_context() - operation, the imported context is available for use by the importing - process. In particular, the imported context is usable for all per- - message operations and may be deleted or exported by its importer. - The inability to receive delegated credentials through - - - -Linn Standards Track [Page 61] - -RFC 2743 GSS-API January 2000 - - - gss_import_sec_context() precludes establishment of new contexts - based on information delegated to the importer's end system within - the context which is being imported, unless those delegated - credentials are obtained through separate routines (e.g., XGSS-API - calls) outside the GSS-V2 definition. - - For further discussion of the security and authorization issues - regarding this call, please see the discussion in Section 2.2.8. 
- -2.3: Per-message calls - - This group of calls is used to perform per-message protection - processing on an established security context. None of these calls - block pending network interactions. These calls may be invoked by a - context's initiator or by the context's target. The four members of - this group should be considered as two pairs; the output from - GSS_GetMIC() is properly input to GSS_VerifyMIC(), and the output - from GSS_Wrap() is properly input to GSS_Unwrap(). - - GSS_GetMIC() and GSS_VerifyMIC() support data origin authentication - and data integrity services. When GSS_GetMIC() is invoked on an input - message, it yields a per-message token containing data items which - allow underlying mechanisms to provide the specified security - services. The original message, along with the generated per-message - token, is passed to the remote peer; these two data elements are - processed by GSS_VerifyMIC(), which validates the message in - conjunction with the separate token. - - GSS_Wrap() and GSS_Unwrap() support caller-requested confidentiality - in addition to the data origin authentication and data integrity - services offered by GSS_GetMIC() and GSS_VerifyMIC(). GSS_Wrap() - outputs a single data element, encapsulating optionally enciphered - user data as well as associated token data items. The data element - output from GSS_Wrap() is passed to the remote peer and processed by - GSS_Unwrap() at that system. GSS_Unwrap() combines decipherment (as - required) with validation of data items related to authentication and - integrity. - - Although zero-length tokens are never returned by GSS calls for - transfer to a context's peer, a zero-length object may be passed by a - caller into GSS_Wrap(), in which case the corresponding peer calling - GSS_Unwrap() on the transferred token will receive a zero-length - object as output from GSS_Unwrap(). 
Similarly, GSS_GetMIC() can be - called on an empty object, yielding a MIC which GSS_VerifyMIC() will - successfully verify against the active security context in - conjunction with a zero-length object. - - - - - -Linn Standards Track [Page 62] - -RFC 2743 GSS-API January 2000 - - -2.3.1: GSS_GetMIC call - - Note: This call is functionally equivalent to the GSS_Sign call as - defined in previous versions of this specification. In the interests - of backward compatibility, it is recommended that implementations - support this function under both names for the present; future - references to this function as GSS_Sign are deprecated. - - Inputs: - - o context_handle CONTEXT HANDLE, - - o qop_req INTEGER, -- 0 specifies default QOP - - o message OCTET STRING - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o per_msg_token OCTET STRING -- caller must release - -- with GSS_Release_buffer() - - Return major_status codes: - - o GSS_S_COMPLETE indicates that an integrity check, suitable for an - established security context, was successfully applied and that the - message and corresponding per_msg_token are ready for transmission. - - o GSS_S_CONTEXT_EXPIRED indicates that context-related data items - have expired, so that the requested operation cannot be performed. - - o GSS_S_NO_CONTEXT indicates that no context was recognized for the - input context_handle provided. - - o GSS_S_BAD_QOP indicates that the provided QOP value is not - recognized or supported for the context. - - o GSS_S_FAILURE indicates that the context is recognized, but that - the requested operation could not be performed for reasons - unspecified at the GSS-API level. 
- - Using the security context referenced by context_handle, apply an - integrity check to the input message (along with timestamps and/or - other data included in support of mech_type-specific mechanisms) and - (if GSS_S_COMPLETE status is indicated) return the result in - - - -Linn Standards Track [Page 63] - -RFC 2743 GSS-API January 2000 - - - per_msg_token. The qop_req parameter, interpretation of which is - discussed in Section 1.2.4, allows quality-of-protection control. The - caller passes the message and the per_msg_token to the target. - - The GSS_GetMIC() function completes before the message and - per_msg_token is sent to the peer; successful application of - GSS_GetMIC() does not guarantee that a corresponding GSS_VerifyMIC() - has been (or can necessarily be) performed successfully when the - message arrives at the destination. - - Mechanisms which do not support per-message protection services - should return GSS_S_FAILURE if this routine is called. - -2.3.2: GSS_VerifyMIC call - - Note: This call is functionally equivalent to the GSS_Verify call as - defined in previous versions of this specification. In the interests - of backward compatibility, it is recommended that implementations - support this function under both names for the present; future - references to this function as GSS_Verify are deprecated. - - Inputs: - - o context_handle CONTEXT HANDLE, - - o message OCTET STRING, - - o per_msg_token OCTET STRING - - Outputs: - - o qop_state INTEGER, - - o major_status INTEGER, - - o minor_status INTEGER, - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the message was successfully - verified. - - o GSS_S_DEFECTIVE_TOKEN indicates that consistency checks performed - on the received per_msg_token failed, preventing further processing - from being performed with that token. - - o GSS_S_BAD_SIG (GSS_S_BAD_MIC) indicates that the received - per_msg_token contains an incorrect integrity check for the message. 
- - - -Linn Standards Track [Page 64] - -RFC 2743 GSS-API January 2000 - - - o GSS_S_DUPLICATE_TOKEN, GSS_S_OLD_TOKEN, GSS_S_UNSEQ_TOKEN, and - GSS_S_GAP_TOKEN values appear in conjunction with the optional per- - message replay detection features described in Section 1.2.3; their - semantics are described in that section. - - o GSS_S_CONTEXT_EXPIRED indicates that context-related data items - have expired, so that the requested operation cannot be performed. - - o GSS_S_NO_CONTEXT indicates that no context was recognized for the - input context_handle provided. - - o GSS_S_FAILURE indicates that the context is recognized, but that - the GSS_VerifyMIC() operation could not be performed for reasons - unspecified at the GSS-API level. - - Using the security context referenced by context_handle, verify that - the input per_msg_token contains an appropriate integrity check for - the input message, and apply any active replay detection or - sequencing features. Returns an indication of the quality-of- - protection applied to the processed message in the qop_state result. - - Mechanisms which do not support per-message protection services - should return GSS_S_FAILURE if this routine is called. - -2.3.3: GSS_Wrap call - - Note: This call is functionally equivalent to the GSS_Seal call as - defined in previous versions of this specification. In the interests - of backward compatibility, it is recommended that implementations - support this function under both names for the present; future - references to this function as GSS_Seal are deprecated. 
- - Inputs: - - o context_handle CONTEXT HANDLE, - - o conf_req_flag BOOLEAN, - - o qop_req INTEGER, -- 0 specifies default QOP - - o input_message OCTET STRING - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - - - -Linn Standards Track [Page 65] - -RFC 2743 GSS-API January 2000 - - - o conf_state BOOLEAN, - - o output_message OCTET STRING -- caller must release with - -- GSS_Release_buffer() - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the input_message was successfully - processed and that the output_message is ready for transmission. - - o GSS_S_CONTEXT_EXPIRED indicates that context-related data items - have expired, so that the requested operation cannot be performed. - - o GSS_S_NO_CONTEXT indicates that no context was recognized for the - input context_handle provided. - - o GSS_S_BAD_QOP indicates that the provided QOP value is not - recognized or supported for the context. - - o GSS_S_FAILURE indicates that the context is recognized, but that - the GSS_Wrap() operation could not be performed for reasons - unspecified at the GSS-API level. - - Performs the data origin authentication and data integrity functions - of GSS_GetMIC(). If the input conf_req_flag is TRUE, requests that - confidentiality be applied to the input_message. Confidentiality may - not be supported in all mech_types or by all implementations; the - returned conf_state flag indicates whether confidentiality was - provided for the input_message. The qop_req parameter, interpretation - of which is discussed in Section 1.2.4, allows quality-of-protection - control. - - When GSS_S_COMPLETE status is returned, the GSS_Wrap() call yields a - single output_message data element containing (optionally enciphered) - user data as well as control information. - - Mechanisms which do not support per-message protection services - should return GSS_S_FAILURE if this routine is called. 
- -2.3.4: GSS_Unwrap call - - Note: This call is functionally equivalent to the GSS_Unseal call as - defined in previous versions of this specification. In the interests - of backward compatibility, it is recommended that implementations - support this function under both names for the present; future - references to this function as GSS_Unseal are deprecated. - - - - - -Linn Standards Track [Page 66] - -RFC 2743 GSS-API January 2000 - - - Inputs: - - o context_handle CONTEXT HANDLE, - - o input_message OCTET STRING - - Outputs: - - o conf_state BOOLEAN, - - o qop_state INTEGER, - - o major_status INTEGER, - - o minor_status INTEGER, - - o output_message OCTET STRING -- caller must release with - -- GSS_Release_buffer() - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the input_message was successfully - processed and that the resulting output_message is available. - - o GSS_S_DEFECTIVE_TOKEN indicates that consistency checks performed - on the per_msg_token extracted from the input_message failed, - preventing further processing from being performed. - - o GSS_S_BAD_SIG (GSS_S_BAD_MIC) indicates that an incorrect - integrity check was detected for the message. - - o GSS_S_DUPLICATE_TOKEN, GSS_S_OLD_TOKEN, GSS_S_UNSEQ_TOKEN, and - GSS_S_GAP_TOKEN values appear in conjunction with the optional per- - message replay detection features described in Section 1.2.3; their - semantics are described in that section. - - o GSS_S_CONTEXT_EXPIRED indicates that context-related data items - have expired, so that the requested operation cannot be performed. - - o GSS_S_NO_CONTEXT indicates that no context was recognized for the - input context_handle provided. - - o GSS_S_FAILURE indicates that the context is recognized, but that - the GSS_Unwrap() operation could not be performed for reasons - unspecified at the GSS-API level. 
- - - - - - -Linn Standards Track [Page 67] - -RFC 2743 GSS-API January 2000 - - - Processes a data element generated (and optionally enciphered) by - GSS_Wrap(), provided as input_message. The returned conf_state value - indicates whether confidentiality was applied to the input_message. - If conf_state is TRUE, GSS_Unwrap() has deciphered the input_message. - Returns an indication of the quality-of-protection applied to the - processed message in the qop_state result. GSS_Unwrap() performs the - data integrity and data origin authentication checking functions of - GSS_VerifyMIC() on the plaintext data. Plaintext data is returned in - output_message. - - Mechanisms which do not support per-message protection services - should return GSS_S_FAILURE if this routine is called. - -2.4: Support calls - - This group of calls provides support functions useful to GSS-API - callers, independent of the state of established contexts. Their - characterization with regard to blocking or non-blocking status in - terms of network interactions is unspecified. - -2.4.1: GSS_Display_status call - - Inputs: - - o status_value INTEGER, -- GSS-API major_status or minor_status - -- return value - - o status_type INTEGER, -- 1 if major_status, 2 if minor_status - - o mech_type OBJECT IDENTIFIER -- mech_type to be used for - -- minor_status translation - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o status_string_set SET OF OCTET STRING -- required calls for - -- release by caller are specific to language bindings - - Return major_status codes: - - o GSS_S_COMPLETE indicates that a valid printable status - representation (possibly representing more than one status event - encoded within the status_value) is available in the returned - status_string_set. 
- - - - -Linn Standards Track [Page 68] - -RFC 2743 GSS-API January 2000 - - - o GSS_S_BAD_MECH indicates that translation in accordance with an - unsupported mech_type was requested, so translation could not be - performed. - - o GSS_S_BAD_STATUS indicates that the input status_value was - invalid, or that the input status_type carried a value other than 1 - or 2, so translation could not be performed. - - o GSS_S_FAILURE indicates that the requested operation could not be - performed for reasons unspecified at the GSS-API level. - - Provides a means for callers to translate GSS-API-returned major and - minor status codes into printable string representations. Note: some - language bindings may employ an iterative approach in order to emit - successive status components; this approach is acceptable but not - required for conformance with the current specification. - - Although not contemplated in [RFC-2078], it has been observed that - some existing GSS-API implementations return GSS_S_CONTINUE_NEEDED - status when iterating through successive messages returned from - GSS_Display_status(). This behavior is deprecated; - GSS_S_CONTINUE_NEEDED should be returned only by - GSS_Init_sec_context() and GSS_Accept_sec_context(). For maximal - portability, however, it is recommended that defensive callers be - able to accept and ignore GSS_S_CONTINUE_NEEDED status if indicated - by GSS_Display_status() or any other call other than - GSS_Init_sec_context() or GSS_Accept_sec_context(). - -2.4.2: GSS_Indicate_mechs call - - Input: - - o (none) - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o mech_set SET OF OBJECT IDENTIFIER -- caller must release - -- with GSS_Release_oid_set() - - Return major_status codes: - - o GSS_S_COMPLETE indicates that a set of available mechanisms has - been returned in mech_set. 
- - - - -Linn Standards Track [Page 69] - -RFC 2743 GSS-API January 2000 - - - o GSS_S_FAILURE indicates that the requested operation could not be - performed for reasons unspecified at the GSS-API level. - - Allows callers to determine the set of mechanism types available on - the local system. This call is intended for support of specialized - callers who need to request non-default mech_type sets from GSS-API - calls which accept input mechanism type specifiers. - -2.4.3: GSS_Compare_name call - - Inputs: - - o name1 INTERNAL NAME, - - o name2 INTERNAL NAME - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o name_equal BOOLEAN - - Return major_status codes: - - o GSS_S_COMPLETE indicates that name1 and name2 were comparable, and - that the name_equal result indicates whether name1 and name2 - represent the same entity. - - o GSS_S_BAD_NAMETYPE indicates that the two input names' types are - different and incomparable, so that the comparison operation could - not be completed. - - o GSS_S_BAD_NAME indicates that one or both of the input names was - ill-formed in terms of its internal type specifier, so the comparison - operation could not be completed. - - o GSS_S_FAILURE indicates that the call's operation could not be - performed for reasons unspecified at the GSS-API level. - - Allows callers to compare two internal name representations to - determine whether they refer to the same entity. If either name - presented to GSS_Compare_name() denotes an anonymous principal, - GSS_Compare_name() shall indicate FALSE. It is not required that - either or both inputs name1 and name2 be MNs; for some - - - - - -Linn Standards Track [Page 70] - -RFC 2743 GSS-API January 2000 - - - implementations and cases, GSS_S_BAD_NAMETYPE may be returned, - indicating name incomparability, for the case where neither input - name is an MN. 
- -2.4.4: GSS_Display_name call - - Inputs: - - o name INTERNAL NAME - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o name_string OCTET STRING, -- caller must release - -- with GSS_Release_buffer() - - o name_type OBJECT IDENTIFIER -- caller should treat - -- as read-only; does not need to be released - - Return major_status codes: - - o GSS_S_COMPLETE indicates that a valid printable name - representation is available in the returned name_string. - - o GSS_S_BAD_NAME indicates that the contents of the provided name - were inconsistent with the internally-indicated name type, so no - printable representation could be generated. - - o GSS_S_FAILURE indicates that the requested operation could not be - performed for reasons unspecified at the GSS-API level. - - Allows callers to translate an internal name representation into a - printable form with associated namespace type descriptor. The syntax - of the printable form is a local matter. - - If the input name represents an anonymous identity, a reserved value - (GSS_C_NT_ANONYMOUS) shall be returned for name_type. - - The GSS_C_NO_OID name type is to be returned only when the - corresponding internal name was created through import with - GSS_C_NO_OID. It is acceptable for mechanisms to normalize names - imported with GSS_C_NO_OID into other supported types and, therefore, - to display them with types other than GSS_C_NO_OID. - - - - - -Linn Standards Track [Page 71] - -RFC 2743 GSS-API January 2000 - - -2.4.5: GSS_Import_name call - - Inputs: - - o input_name_string OCTET STRING, - - o input_name_type OBJECT IDENTIFIER - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o output_name INTERNAL NAME -- caller must release with - -- GSS_Release_name() - - Return major_status codes: - - o GSS_S_COMPLETE indicates that a valid name representation is - output in output_name and described by the type value in - output_name_type. 
- - o GSS_S_BAD_NAMETYPE indicates that the input_name_type is - unsupported by the applicable underlying GSS-API mechanism(s), so the - import operation could not be completed. - - o GSS_S_BAD_NAME indicates that the provided input_name_string is - ill-formed in terms of the input_name_type, so the import operation - could not be completed. - - o GSS_S_BAD_MECH indicates that the input presented for import was - an exported name object and that its enclosed mechanism type was not - recognized or was unsupported by the GSS-API implementation. - - o GSS_S_FAILURE indicates that the requested operation could not be - performed for reasons unspecified at the GSS-API level. - - Allows callers to provide a name representation as a contiguous octet - string, designate the type of namespace in conjunction with which it - should be parsed, and convert that representation to an internal form - suitable for input to other GSS-API routines. The syntax of the - input_name_string is defined in conjunction with its associated name - type; depending on the input_name_type, the associated - input_name_string may or may not be a printable string. If the - input_name_type's value is GSS_C_NO_OID, a mechanism-specific default - printable syntax (which shall be specified in the corresponding GSS- - V2 mechanism specification) is assumed for the input_name_string; - - - -Linn Standards Track [Page 72] - -RFC 2743 GSS-API January 2000 - - - other input_name_type values as registered by GSS-API implementations - can be used to indicate specific non-default name syntaxes. Note: The - input_name_type argument serves to describe and qualify the - interpretation of the associated input_name_string; it does not - specify the data type of the returned output_name. - - If a mechanism claims support for a particular name type, its - GSS_Import_name() operation shall be able to accept all possible - values conformant to the external name syntax as defined for that - name type. 
These imported values may correspond to: - - (1) locally registered entities (for which credentials may be - acquired), - - (2) non-local entities (for which local credentials cannot be - acquired, but which may be referenced as targets of initiated - security contexts or initiators of accepted security contexts), or - to - - (3) neither of the above. - - Determination of whether a particular name belongs to class (1), (2), - or (3) as described above is not guaranteed to be performed by the - GSS_Import_name() function. - - The internal name generated by a GSS_Import_name() operation may be a - single-mechanism MN, and is likely to be an MN within a single- - mechanism implementation, but portable callers must not depend on - this property (and must not, therefore, assume that the output from - GSS_Import_name() can be passed directly to GSS_Export_name() without - first being processed through GSS_Canonicalize_name()). - -2.4.6: GSS_Release_name call - - Inputs: - - o name INTERNAL NAME - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the storage associated with the - input name was successfully released. - - - -Linn Standards Track [Page 73] - -RFC 2743 GSS-API January 2000 - - - o GSS_S_BAD_NAME indicates that the input name argument did not - contain a valid name. - - o GSS_S_FAILURE indicates that the requested operation could not be - performed for reasons unspecified at the GSS-API level. - - Allows callers to release the storage associated with an internal - name representation. This call's specific behavior depends on the - language and programming environment within which a GSS-API - implementation operates, and is therefore detailed within applicable - bindings specifications; in particular, implementation and invocation - of this call may be superfluous (and may be omitted) within bindings - where memory management is automatic. 
- -2.4.7: GSS_Release_buffer call - - Inputs: - - o buffer OCTET STRING - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the storage associated with the - input buffer was successfully released. - - o GSS_S_FAILURE indicates that the requested operation could not be - performed for reasons unspecified at the GSS-API level. - - Allows callers to release the storage associated with an OCTET STRING - buffer allocated by another GSS-API call. This call's specific - behavior depends on the language and programming environment within - which a GSS-API implementation operates, and is therefore detailed - within applicable bindings specifications; in particular, - implementation and invocation of this call may be superfluous (and - may be omitted) within bindings where memory management is automatic. - -2.4.8: GSS_Release_OID_set call - - Inputs: - - o buffer SET OF OBJECT IDENTIFIER - - - - -Linn Standards Track [Page 74] - -RFC 2743 GSS-API January 2000 - - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the storage associated with the - input object identifier set was successfully released. - - o GSS_S_FAILURE indicates that the requested operation could not be - performed for reasons unspecified at the GSS-API level. - - Allows callers to release the storage associated with an object - identifier set object allocated by another GSS-API call. This call's - specific behavior depends on the language and programming environment - within which a GSS-API implementation operates, and is therefore - detailed within applicable bindings specifications; in particular, - implementation and invocation of this call may be superfluous (and - may be omitted) within bindings where memory management is automatic. 
- -2.4.9: GSS_Create_empty_OID_set call - - Inputs: - - o (none) - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o oid_set SET OF OBJECT IDENTIFIER -- caller must release - -- with GSS_Release_oid_set() - - Return major_status codes: - - o GSS_S_COMPLETE indicates successful completion - - o GSS_S_FAILURE indicates that the operation failed - - Creates an object identifier set containing no object identifiers, to - which members may be subsequently added using the - GSS_Add_OID_set_member() routine. These routines are intended to be - used to construct sets of mechanism object identifiers, for input to - GSS_Acquire_cred(). - - - -Linn Standards Track [Page 75] - -RFC 2743 GSS-API January 2000 - - -2.4.10: GSS_Add_OID_set_member call - - Inputs: - - o member_oid OBJECT IDENTIFIER, - - o oid_set SET OF OBJECT IDENTIFIER - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - Return major_status codes: - - o GSS_S_COMPLETE indicates successful completion - - o GSS_S_FAILURE indicates that the operation failed - - Adds an Object Identifier to an Object Identifier set. This routine - is intended for use in conjunction with GSS_Create_empty_OID_set() - when constructing a set of mechanism OIDs for input to - GSS_Acquire_cred(). - -2.4.11: GSS_Test_OID_set_member call - - Inputs: - - o member OBJECT IDENTIFIER, - - o set SET OF OBJECT IDENTIFIER - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o present BOOLEAN - - Return major_status codes: - - o GSS_S_COMPLETE indicates successful completion - - o GSS_S_FAILURE indicates that the operation failed - - - - - -Linn Standards Track [Page 76] - -RFC 2743 GSS-API January 2000 - - - Interrogates an Object Identifier set to determine whether a - specified Object Identifier is a member. This routine is intended to - be used with OID sets returned by GSS_Indicate_mechs(), - GSS_Acquire_cred(), and GSS_Inquire_cred(). 
- -2.4.12: GSS_Inquire_names_for_mech call - - Input: - - o input_mech_type OBJECT IDENTIFIER, -- mechanism type - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o name_type_set SET OF OBJECT IDENTIFIER -- caller must release - -- with GSS_Release_oid_set() - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the output name_type_set contains a - list of name types which are supported by the locally available - mechanism identified by input_mech_type. - - o GSS_S_BAD_MECH indicates that the mechanism identified by - input_mech_type was unsupported within the local implementation, - causing the query to fail. - - o GSS_S_FAILURE indicates that the requested operation could not be - performed for reasons unspecified at the GSS-API level. - - Allows callers to determine the set of name types which are - supportable by a specific locally-available mechanism. - -2.4.13: GSS_Inquire_mechs_for_name call - - Inputs: - - o input_name INTERNAL NAME, - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - - - -Linn Standards Track [Page 77] - -RFC 2743 GSS-API January 2000 - - - o mech_types SET OF OBJECT IDENTIFIER -- caller must release - -- with GSS_Release_oid_set() - - Return major_status codes: - - o GSS_S_COMPLETE indicates that a set of object identifiers, - corresponding to the set of mechanisms suitable for processing the - input_name, is available in mech_types. - - o GSS_S_BAD_NAME indicates that the input_name was ill-formed and - could not be processed. - - o GSS_S_BAD_NAMETYPE indicates that the input_name parameter - contained an invalid name type or a name type unsupported by the - GSS-API implementation. - - o GSS_S_FAILURE indicates that the requested operation could not be - performed for reasons unspecified at the GSS-API level. - - This routine returns the mechanism set with which the input_name may - be processed. - - Each mechanism returned will recognize at least one element within - the name. 
It is permissible for this routine to be implemented within - a mechanism-independent GSS-API layer, using the type information - contained within the presented name, and based on registration - information provided by individual mechanism implementations. This - means that the returned mech_types result may indicate that a - particular mechanism will understand a particular name when in fact - it would refuse to accept that name as input to - GSS_Canonicalize_name(), GSS_Init_sec_context(), GSS_Acquire_cred(), - or GSS_Add_cred(), due to some property of the particular name rather - than a property of the name type. Thus, this routine should be used - only as a pre-filter for a call to a subsequent mechanism-specific - routine. - -2.4.14: GSS_Canonicalize_name call - - Inputs: - - o input_name INTERNAL NAME, - - o mech_type OBJECT IDENTIFIER -- must be explicit mechanism, - -- not "default" specifier or identifier of negotiating mechanism - - Outputs: - - o major_status INTEGER, - - - -Linn Standards Track [Page 78] - -RFC 2743 GSS-API January 2000 - - - o minor_status INTEGER, - - o output_name INTERNAL NAME -- caller must release with - -- GSS_Release_name() - - Return major_status codes: - - o GSS_S_COMPLETE indicates that a mechanism-specific reduction of - the input_name, as processed by the mechanism identified by - mech_type, is available in output_name. - - o GSS_S_BAD_MECH indicates that the identified mechanism is - unsupported for this operation; this may correspond either to a - mechanism wholly unsupported by the local GSS-API implementation or - to a negotiating mechanism with which the canonicalization operation - cannot be performed. - - o GSS_S_BAD_NAMETYPE indicates that the input name does not contain - an element with suitable type for processing by the identified - mechanism. 
- - o GSS_S_BAD_NAME indicates that the input name contains an element - with suitable type for processing by the identified mechanism, but - that this element could not be processed successfully. - - o GSS_S_FAILURE indicates that the requested operation could not be - performed for reasons unspecified at the GSS-API level. - - This routine reduces a GSS-API internal name input_name, which may in - general contain elements corresponding to multiple mechanisms, to a - mechanism-specific Mechanism Name (MN) output_name by applying the - translations corresponding to the mechanism identified by mech_type. - The contents of input_name are unaffected by the - GSS_Canonicalize_name() operation. References to output_name will - remain valid until output_name is released, independent of whether or - not input_name is subsequently released. - -2.4.15: GSS_Export_name call - - Inputs: - - o input_name INTERNAL NAME, -- required to be MN - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - - -Linn Standards Track [Page 79] - -RFC 2743 GSS-API January 2000 - - - o output_name OCTET STRING -- caller must release - -- with GSS_Release_buffer() - - Return major_status codes: - - o GSS_S_COMPLETE indicates that a flat representation of the input - name is available in output_name. - - o GSS_S_NAME_NOT_MN indicates that the input name contained elements - corresponding to multiple mechanisms, so cannot be exported into a - single-mechanism flat form. - - o GSS_S_BAD_NAME indicates that the input name was an MN, but could - not be processed. - - o GSS_S_BAD_NAMETYPE indicates that the input name was an MN, but - that its type is unsupported by the GSS-API implementation. - - o GSS_S_FAILURE indicates that the requested operation could not be - performed for reasons unspecified at the GSS-API level. 
- - This routine creates a flat name representation, suitable for - bytewise comparison or for input to GSS_Import_name() in conjunction - with the reserved GSS-API Exported Name Object OID, from a internal- - form Mechanism Name (MN) as emitted, e.g., by GSS_Canonicalize_name() - or GSS_Accept_sec_context(). - - The emitted GSS-API Exported Name Object is self-describing; no - associated parameter-level OID need be emitted by this call. This - flat representation consists of a mechanism-independent wrapper - layer, defined in Section 3.2 of this document, enclosing a - mechanism-defined name representation. - - In all cases, the flat name output by GSS_Export_name() to correspond - to a particular input MN must be invariant over time within a - particular installation. - - The GSS_S_NAME_NOT_MN status code is provided to enable - implementations to reject input names which are not MNs. It is not, - however, required for purposes of conformance to this specification - that all non-MN input names must necessarily be rejected. - -2.4.16: GSS_Duplicate_name call - - Inputs: - - o src_name INTERNAL NAME - - - - -Linn Standards Track [Page 80] - -RFC 2743 GSS-API January 2000 - - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o dest_name INTERNAL NAME -- caller must release - -- with GSS_Release_name() - - Return major_status codes: - - o GSS_S_COMPLETE indicates that dest_name references an internal - name object containing the same name as passed to src_name. - - o GSS_S_BAD_NAME indicates that the input name was invalid. - - o GSS_S_FAILURE indicates that the requested operation could not be - performed for reasons unspecified at the GSS-API level. - - This routine takes input internal name src_name, and returns another - reference (dest_name) to that name which can be used even if src_name - is later freed. (Note: This may be implemented by copying or through - use of reference counts.) 
- -3: Data Structure Definitions for GSS-V2 Usage - - Subsections of this section define, for interoperability and - portability purposes, certain data structures for use with GSS-V2. - -3.1: Mechanism-Independent Token Format - - This section specifies a mechanism-independent level of encapsulating - representation for the initial token of a GSS-API context - establishment sequence, incorporating an identifier of the mechanism - type to be used on that context and enabling tokens to be interpreted - unambiguously at GSS-API peers. Use of this format is required for - initial context establishment tokens of Internet standards-track - GSS-API mechanisms; use in non-initial tokens is optional. - - The encoding format for the token tag is derived from ASN.1 and DER - (per illustrative ASN.1 syntax included later within this - subsection), but its concrete representation is defined directly in - terms of octets rather than at the ASN.1 level in order to facilitate - interoperable implementation without use of general ASN.1 processing - code. The token tag consists of the following elements, in order: - - 1. 0x60 -- Tag for [APPLICATION 0] SEQUENCE; indicates that - -- constructed form, definite length encoding follows. - - - -Linn Standards Track [Page 81] - -RFC 2743 GSS-API January 2000 - - - 2. Token length octets, specifying length of subsequent data - (i.e., the summed lengths of elements 3-5 in this list, and of the - mechanism-defined token object following the tag). This element - comprises a variable number of octets: - - 2a. If the indicated value is less than 128, it shall be - represented in a single octet with bit 8 (high order) set to - "0" and the remaining bits representing the value. - - 2b. If the indicated value is 128 or more, it shall be - represented in two or more octets, with bit 8 of the first - octet set to "1" and the remaining bits of the first octet - specifying the number of additional octets. 
The subsequent - octets carry the value, 8 bits per octet, most significant - digit first. The minimum number of octets shall be used to - encode the length (i.e., no octets representing leading zeros - shall be included within the length encoding). - - 3. 0x06 -- Tag for OBJECT IDENTIFIER - - 4. Object identifier length -- length (number of octets) of - -- the encoded object identifier contained in element 5, - -- encoded per rules as described in 2a. and 2b. above. - - 5. Object identifier octets -- variable number of octets, - -- encoded per ASN.1 BER rules: - - 5a. The first octet contains the sum of two values: (1) the - top-level object identifier component, multiplied by 40 - (decimal), and (2) the second-level object identifier - component. This special case is the only point within an - object identifier encoding where a single octet represents - contents of more than one component. - - 5b. Subsequent octets, if required, encode successively-lower - components in the represented object identifier. A component's - encoding may span multiple octets, encoding 7 bits per octet - (most significant bits first) and with bit 8 set to "1" on all - but the final octet in the component's encoding. The minimum - number of octets shall be used to encode each component (i.e., - no octets representing leading zeros shall be included within a - component's encoding). - - (Note: In many implementations, elements 3-5 may be stored and - referenced as a contiguous string constant.) - - - - - - -Linn Standards Track [Page 82] - -RFC 2743 GSS-API January 2000 - - - The token tag is immediately followed by a mechanism-defined token - object. Note that no independent size specifier intervenes following - the object identifier value to indicate the size of the mechanism- - defined token object. 
While ASN.1 usage within mechanism-defined - tokens is permitted, there is no requirement that the mechanism- - specific innerContextToken, innerMsgToken, and sealedUserData data - elements must employ ASN.1 BER/DER encoding conventions. - - The following ASN.1 syntax is included for descriptive purposes only, - to illustrate structural relationships among token and tag objects. - For interoperability purposes, token and tag encoding shall be - performed using the concrete encoding procedures described earlier in - this subsection. - - GSS-API DEFINITIONS ::= - - BEGIN - - MechType ::= OBJECT IDENTIFIER - -- data structure definitions - -- callers must be able to distinguish among - -- InitialContextToken, SubsequentContextToken, - -- PerMsgToken, and SealedMessage data elements - -- based on the usage in which they occur - - InitialContextToken ::= - -- option indication (delegation, etc.) indicated within - -- mechanism-specific token - [APPLICATION 0] IMPLICIT SEQUENCE { - thisMech MechType, - innerContextToken ANY DEFINED BY thisMech - -- contents mechanism-specific - -- ASN.1 structure not required - } - - SubsequentContextToken ::= innerContextToken ANY - -- interpretation based on predecessor InitialContextToken - -- ASN.1 structure not required - - PerMsgToken ::= - -- as emitted by GSS_GetMIC and processed by GSS_VerifyMIC - -- ASN.1 structure not required - innerMsgToken ANY - - SealedMessage ::= - -- as emitted by GSS_Wrap and processed by GSS_Unwrap - -- includes internal, mechanism-defined indicator - -- of whether or not encrypted - - - -Linn Standards Track [Page 83] - -RFC 2743 GSS-API January 2000 - - - -- ASN.1 structure not required - sealedUserData ANY - - END - -3.2: Mechanism-Independent Exported Name Object Format - - This section specifies a mechanism-independent level of encapsulating - representation for names exported via the GSS_Export_name() call, - including an object identifier representing the exporting mechanism. 
- The format of names encapsulated via this representation shall be - defined within individual mechanism drafts. The Object Identifier - value to indicate names of this type is defined in Section 4.7 of - this document. - - No name type OID is included in this mechanism-independent level of - format definition, since (depending on individual mechanism - specifications) the enclosed name may be implicitly typed or may be - explicitly typed using a means other than OID encoding. - - The bytes within MECH_OID_LEN and NAME_LEN elements are represented - most significant byte first (equivalently, in IP network byte order). - - Length Name Description - - 2 TOK_ID Token Identifier - For exported name objects, this - must be hex 04 01. - 2 MECH_OID_LEN Length of the Mechanism OID - MECH_OID_LEN MECH_OID Mechanism OID, in DER - 4 NAME_LEN Length of name - NAME_LEN NAME Exported name; format defined in - applicable mechanism draft. - - A concrete example of the contents of an exported name object, - derived from the Kerberos Version 5 mechanism, is as follows: - - 04 01 00 0B 06 09 2A 86 48 86 F7 12 01 02 02 hx xx xx xl pp qq ... zz - - 04 01 mandatory token identifier - - 00 0B 2-byte length of the immediately following DER-encoded - ASN.1 value of type OID, most significant octet first - - - - - - - - -Linn Standards Track [Page 84] - -RFC 2743 GSS-API January 2000 - - - 06 09 2A 86 48 86 F7 12 01 02 02 DER-encoded ASN.1 value - of type OID; Kerberos V5 - mechanism OID indicates - Kerberos V5 exported name - - in Detail: 06 Identifier octet (6=OID) - 09 Length octet(s) - 2A 86 48 86 F7 12 01 02 02 Content octet(s) - - hx xx xx xl 4-byte length of the immediately following exported - name blob, most significant octet first - - pp qq ... 
zz exported name blob of specified length, - bits and bytes specified in the - (Kerberos 5) GSS-API v2 mechanism spec - -4: Name Type Definitions - - This section includes definitions for name types and associated - syntaxes which are defined in a mechanism-independent fashion at the - GSS-API level rather than being defined in individual mechanism - specifications. - -4.1: Host-Based Service Name Form - - This name form shall be represented by the Object Identifier: - - {iso(1) member-body(2) United States(840) mit(113554) infosys(1) - "gssapi(2) generic(1) service_name(4)}. - - The recommended symbolic name for this type is - "GSS_C_NT_HOSTBASED_SERVICE". - - For reasons of compatibility with existing implementations, it is - recommended that this OID be used rather than the alternate value as - included in [RFC-2078]: - - {1(iso), 3(org), 6(dod), 1(internet), 5(security), 6(nametypes), - 2(gss-host-based-services)} - - While it is not recommended that this alternate value be emitted on - output by GSS implementations, it is recommended that it be accepted - on input as equivalent to the recommended value. - - - - - - - - -Linn Standards Track [Page 85] - -RFC 2743 GSS-API January 2000 - - - This name type is used to represent services associated with host - computers. Support for this name form is recommended to mechanism - designers in the interests of portability, but is not mandated by - this specification. This name form is constructed using two elements, - "service" and "hostname", as follows: - - service@hostname - - When a reference to a name of this type is resolved, the "hostname" - may (as an example implementation strategy) be canonicalized by - attempting a DNS lookup and using the fully-qualified domain name - which is returned, or by using the "hostname" as provided if the DNS - lookup fails. The canonicalization operation also maps the host's - name into lower-case characters. - - The "hostname" element may be omitted. 
If no "@" separator is - included, the entire name is interpreted as the service specifier, - with the "hostname" defaulted to the canonicalized name of the local - host. - - Documents specifying means for GSS integration into a particular - protocol should state either: - - (a) that a specific IANA-registered name associated with that - protocol shall be used for the "service" element (this admits, if - needed, the possibility that a single name can be registered and - shared among a related set of protocols), or - - (b) that the generic name "host" shall be used for the "service" - element, or - - (c) that, for that protocol, fallback in specified order (a, then - b) or (b, then a) shall be applied. - - IANA registration of specific names per (a) should be handled in - accordance with the "Specification Required" assignment policy, - defined by BCP 26, RFC 2434 as follows: "Values and their meaning - must be documented in an RFC or other available reference, in - sufficient detail so that interoperability between independent - implementations is possible." - -4.2: User Name Form - - This name form shall be represented by the Object Identifier {iso(1) - member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) - generic(1) user_name(1)}. The recommended mechanism-independent - symbolic name for this type is "GSS_C_NT_USER_NAME". (Note: the same - - - - -Linn Standards Track [Page 86] - -RFC 2743 GSS-API January 2000 - - - name form and OID is defined within the Kerberos V5 GSS-API - mechanism, but the symbolic name recommended there begins with a - "GSS_KRB5_NT_" prefix.) - - This name type is used to indicate a named user on a local system. - Its syntax and interpretation may be OS-specific. This name form is - constructed as: - - username - -4.3: Machine UID Form - - This name form shall be represented by the Object Identifier {iso(1) - member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) - generic(1) machine_uid_name(2)}. 
The recommended mechanism- - independent symbolic name for this type is - "GSS_C_NT_MACHINE_UID_NAME". (Note: the same name form and OID is - defined within the Kerberos V5 GSS-API mechanism, but the symbolic - name recommended there begins with a "GSS_KRB5_NT_" prefix.) - - This name type is used to indicate a numeric user identifier - corresponding to a user on a local system. Its interpretation is - OS-specific. The gss_buffer_desc representing a name of this type - should contain a locally-significant user ID, represented in host - byte order. The GSS_Import_name() operation resolves this uid into a - username, which is then treated as the User Name Form. - -4.4: String UID Form - - This name form shall be represented by the Object Identifier {iso(1) - member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) - generic(1) string_uid_name(3)}. The recommended symbolic name for - this type is "GSS_C_NT_STRING_UID_NAME". (Note: the same name form - and OID is defined within the Kerberos V5 GSS-API mechanism, but the - symbolic name recommended there begins with a "GSS_KRB5_NT_" prefix.) - - This name type is used to indicate a string of digits representing - the numeric user identifier of a user on a local system. Its - interpretation is OS-specific. This name type is similar to the - Machine UID Form, except that the buffer contains a string - representing the user ID. - -4.5: Anonymous Nametype - - The following Object Identifier value is provided as a means to - identify anonymous names, and can be compared against in order to - determine, in a mechanism-independent fashion, whether a name refers - to an anonymous principal: - - - -Linn Standards Track [Page 87] - -RFC 2743 GSS-API January 2000 - - - {1(iso), 3(org), 6(dod), 1(internet), 5(security), 6(nametypes), - 3(gss-anonymous-name)} - - The recommended symbolic name corresponding to this definition is - GSS_C_NT_ANONYMOUS. 
- -4.6: GSS_C_NO_OID - - The recommended symbolic name GSS_C_NO_OID corresponds to a null - input value instead of an actual object identifier. Where specified, - it indicates interpretation of an associated name based on a - mechanism-specific default printable syntax. - -4.7: Exported Name Object - - Name objects of the Mechanism-Independent Exported Name Object type, - as defined in Section 3.2 of this document, will be identified with - the following Object Identifier: - - {1(iso), 3(org), 6(dod), 1(internet), 5(security), 6(nametypes), - 4(gss-api-exported-name)} - - The recommended symbolic name corresponding to this definition is - GSS_C_NT_EXPORT_NAME. - -4.8: GSS_C_NO_NAME - - The recommended symbolic name GSS_C_NO_NAME indicates that no name is - being passed within a particular value of a parameter used for the - purpose of transferring names. Note: GSS_C_NO_NAME is not an actual - name type, and is not represented by an OID; its acceptability in - lieu of an actual name is confined to specific calls - (GSS_Acquire_cred(), GSS_Add_cred(), and GSS_Init_sec_context()) with - usages as identified within this specification. - -5: Mechanism-Specific Example Scenarios - - This section provides illustrative overviews of the use of various - candidate mechanism types to support the GSS-API. These discussions - are intended primarily for readers familiar with specific security - technologies, demonstrating how GSS-API functions can be used and - implemented by candidate underlying mechanisms. They should not be - regarded as constrictive to implementations or as defining the only - means through which GSS-API functions can be realized with a - particular underlying technology, and do not demonstrate all GSS-API - features with each technology. 
- - - - - -Linn Standards Track [Page 88] - -RFC 2743 GSS-API January 2000 - - -5.1: Kerberos V5, single-TGT - - OS-specific login functions yield a TGT to the local realm Kerberos - server; TGT is placed in a credentials structure for the client. - Client calls GSS_Acquire_cred() to acquire a cred_handle in order to - reference the credentials for use in establishing security contexts. - - Client calls GSS_Init_sec_context(). If the requested service is - located in a different realm, GSS_Init_sec_context() gets the - necessary TGT/key pairs needed to traverse the path from local to - target realm; these data are placed in the owner's TGT cache. After - any needed remote realm resolution, GSS_Init_sec_context() yields a - service ticket to the requested service with a corresponding session - key; these data are stored in conjunction with the context. GSS-API - code sends KRB_TGS_REQ request(s) and receives KRB_TGS_REP - response(s) (in the successful case) or KRB_ERROR. - - Assuming success, GSS_Init_sec_context() builds a Kerberos-formatted - KRB_AP_REQ message, and returns it in output_token. The client sends - the output_token to the service. - - The service passes the received token as the input_token argument to - GSS_Accept_sec_context(), which verifies the authenticator, provides - the service with the client's authenticated name, and returns an - output_context_handle. - - Both parties now hold the session key associated with the service - ticket, and can use this key in subsequent GSS_GetMIC(), - GSS_VerifyMIC(), GSS_Wrap(), and GSS_Unwrap() operations. - -5.2: Kerberos V5, double-TGT - - TGT acquisition as above. - - Note: To avoid unnecessary frequent invocations of error paths when - implementing the GSS-API atop Kerberos V5, it seems appropriate to - represent "single-TGT K-V5" and "double-TGT K-V5" with separate - mech_types, and this discussion makes that assumption. 
- - Based on the (specified or defaulted) mech_type, - GSS_Init_sec_context() determines that the double-TGT protocol - should be employed for the specified target. GSS_Init_sec_context() - returns GSS_S_CONTINUE_NEEDED major_status, and its returned - output_token contains a request to the service for the service's TGT. - (If a service TGT with suitably long remaining lifetime already - exists in a cache, it may be usable, obviating the need for this - step.) The client passes the output_token to the service. Note: this - scenario illustrates a different use for the GSS_S_CONTINUE_NEEDED - - - -Linn Standards Track [Page 89] - -RFC 2743 GSS-API January 2000 - - - status return facility than for support of mutual authentication; - note that both uses can coexist as successive operations within a - single context establishment operation. - - The service passes the received token as the input_token argument to - GSS_Accept_sec_context(), which recognizes it as a request for TGT. - (Note that current Kerberos V5 defines no intra-protocol mechanism to - represent such a request.) GSS_Accept_sec_context() returns - GSS_S_CONTINUE_NEEDED major_status and provides the service's TGT in - its output_token. The service sends the output_token to the client. - - The client passes the received token as the input_token argument to a - continuation of GSS_Init_sec_context(). GSS_Init_sec_context() caches - the received service TGT and uses it as part of a service ticket - request to the Kerberos authentication server, storing the returned - service ticket and session key in conjunction with the context. - GSS_Init_sec_context() builds a Kerberos-formatted authenticator, and - returns it in output_token along with GSS_S_COMPLETE return - major_status. The client sends the output_token to the service. - - Service passes the received token as the input_token argument to a - continuation call to GSS_Accept_sec_context(). 
- GSS_Accept_sec_context() verifies the authenticator, provides the - service with the client's authenticated name, and returns - major_status GSS_S_COMPLETE. - - GSS_GetMIC(), GSS_VerifyMIC(), GSS_Wrap(), and GSS_Unwrap() as - above. - -5.3: X.509 Authentication Framework - - This example illustrates use of the GSS-API in conjunction with - public-key mechanisms, consistent with the X.509 Directory - Authentication Framework. - - The GSS_Acquire_cred() call establishes a credentials structure, - making the client's private key accessible for use on behalf of the - client. - - The client calls GSS_Init_sec_context(), which interrogates the - Directory to acquire (and validate) a chain of public-key - certificates, thereby collecting the public key of the service. The - certificate validation operation determines that suitable integrity - checks were applied by trusted authorities and that those - certificates have not expired. GSS_Init_sec_context() generates a - secret key for use in per-message protection operations on the - context, and enciphers that secret key under the service's public - key. - - - -Linn Standards Track [Page 90] - -RFC 2743 GSS-API January 2000 - - - The enciphered secret key, along with an authenticator quantity - signed with the client's private key, is included in the output_token - from GSS_Init_sec_context(). The output_token also carries a - certification path, consisting of a certificate chain leading from - the service to the client; a variant approach would defer this path - resolution to be performed by the service instead of being asserted - by the client. The client application sends the output_token to the - service. - - The service passes the received token as the input_token argument to - GSS_Accept_sec_context(). GSS_Accept_sec_context() validates the - certification path, and as a result determines a certified binding - between the client's distinguished name and the client's public key. 
- Given that public key, GSS_Accept_sec_context() can process the - input_token's authenticator quantity and verify that the client's - private key was used to sign the input_token. At this point, the - client is authenticated to the service. The service uses its private - key to decipher the enciphered secret key provided to it for per- - message protection operations on the context. - - The client calls GSS_GetMIC() or GSS_Wrap() on a data message, which - causes per-message authentication, integrity, and (optional) - confidentiality facilities to be applied to that message. The service - uses the context's shared secret key to perform corresponding - GSS_VerifyMIC() and GSS_Unwrap() calls. - -6: Security Considerations - - This document specifies a service interface for security facilities - and services; as such, security considerations are considered - throughout the specification. Nonetheless, it is appropriate to - summarize certain specific points relevant to GSS-API implementors - and calling applications. Usage of the GSS-API interface does not in - itself provide security services or assurance; instead, these - attributes are dependent on the underlying mechanism(s) which support - a GSS-API implementation. Callers must be attentive to the requests - made to GSS-API calls and to the status indicators returned by GSS- - API, as these specify the security service characteristics which - GSS-API will provide. When the interprocess context transfer - facility is used, appropriate local controls should be applied to - constrain access to interprocess tokens and to the sensitive data - which they contain. 
- - - - - - - - - -Linn Standards Track [Page 91] - -RFC 2743 GSS-API January 2000 - - -7: Related Activities - - In order to implement the GSS-API atop existing, emerging, and future - security mechanisms: - - object identifiers must be assigned to candidate GSS-API - mechanisms and the name types which they support - - concrete data element formats and processing procedures must be - defined for candidate mechanisms - - Calling applications must implement formatting conventions which will - enable them to distinguish GSS-API tokens from other data carried in - their application protocols. - - Concrete language bindings are required for the programming - environments in which the GSS-API is to be employed, as [RFC-1509] - defines for the C programming language and GSS-V1. C Language - bindings for GSS-V2 are defined in [RFC-2744]. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Linn Standards Track [Page 92] - -RFC 2743 GSS-API January 2000 - - -8: Referenced Documents - - [ISO-7498-2] International Standard ISO 7498-2-1988(E), Security - Architecture. - - [ISOIEC-8824] ISO/IEC 8824, "Specification of Abstract Syntax - Notation One (ASN.1)". - - [ISOIEC-8825] ISO/IEC 8825, "Specification of Basic Encoding Rules - for Abstract Syntax Notation One (ASN.1)".) - - [RFC-1507]: Kaufman, C., "DASS: Distributed Authentication Security - Service", RFC 1507, September 1993. - - [RFC-1508]: Linn, J., "Generic Security Service Application Program - Interface", RFC 1508, September 1993. - - [RFC-1509]: Wray, J., "Generic Security Service API: C-bindings", - RFC 1509, September 1993. - - [RFC-1964]: Linn, J., "The Kerberos Version 5 GSS-API Mechanism", - RFC 1964, June 1996. - - [RFC-2025]: Adams, C., "The Simple Public-Key GSS-API Mechanism - (SPKM)", RFC 2025, October 1996. - - [RFC-2078]: Linn, J., "Generic Security Service Application Program - Interface, Version 2", RFC 2078, January 1997. - - [RFC-2203]: Eisler, M., Chiu, A. and L. 
Ling, "RPCSEC_GSS Protocol - Specification", RFC 2203, September 1997. - - [RFC-2744]: Wray, J., "Generic Security Service API Version 2 : - C-bindings", RFC 2744, January 2000. - - - - - - - - - - - - - - - - - -Linn Standards Track [Page 93] - -RFC 2743 GSS-API January 2000 - - -APPENDIX A - -MECHANISM DESIGN CONSTRAINTS - - The following constraints on GSS-API mechanism designs are adopted in - response to observed caller protocol requirements, and adherence - thereto is anticipated in subsequent descriptions of GSS-API - mechanisms to be documented in standards-track Internet - specifications. - - It is strongly recommended that mechanisms offering per-message - protection services also offer at least one of the replay detection - and sequencing services, as mechanisms offering neither of the latter - will fail to satisfy recognized requirements of certain candidate - caller protocols. - -APPENDIX B - -COMPATIBILITY WITH GSS-V1 - - It is the intent of this document to define an interface and - procedures which preserve compatibility between GSS-V1 [RFC-1508] - callers and GSS-V2 providers. All calls defined in GSS-V1 are - preserved, and it has been a goal that GSS-V1 callers should be able - to operate atop GSS-V2 provider implementations. Certain detailed - changes, summarized in this section, have been made in order to - resolve omissions identified in GSS-V1. - - The following GSS-V1 constructs, while supported within GSS-V2, are - deprecated: - - Names for per-message processing routines: GSS_Seal() deprecated - in favor of GSS_Wrap(); GSS_Sign() deprecated in favor of - GSS_GetMIC(); GSS_Unseal() deprecated in favor of GSS_Unwrap(); - GSS_Verify() deprecated in favor of GSS_VerifyMIC(). - - GSS_Delete_sec_context() facility for context_token usage, - allowing mechanisms to signal context deletion, is retained for - compatibility with GSS-V1. 
For current usage, it is recommended - that both peers to a context invoke GSS_Delete_sec_context() - independently, passing a null output_context_token buffer to - indicate that no context_token is required. Implementations of - GSS_Delete_sec_context() should delete relevant locally-stored - context information. - - This GSS-V2 specification adds the following calls which are not - present in GSS-V1: - - - - -Linn Standards Track [Page 94] - -RFC 2743 GSS-API January 2000 - - - Credential management calls: GSS_Add_cred(), - GSS_Inquire_cred_by_mech(). - - Context-level calls: GSS_Inquire_context(), GSS_Wrap_size_limit(), - GSS_Export_sec_context(), GSS_Import_sec_context(). - - Per-message calls: No new calls. Existing calls have been - renamed. - - Support calls: GSS_Create_empty_OID_set(), - GSS_Add_OID_set_member(), GSS_Test_OID_set_member(), - GSS_Inquire_names_for_mech(), GSS_Inquire_mechs_for_name(), - GSS_Canonicalize_name(), GSS_Export_name(), GSS_Duplicate_name(). - - This GSS-V2 specification introduces three new facilities applicable - to security contexts, indicated using the following context state - values which are not present in GSS-V1: - - anon_state, set TRUE to indicate that a context's initiator is - anonymous from the viewpoint of the target; Section 1.2.5 of this - specification provides a summary description of the GSS-V2 - anonymity support facility, support and use of which is optional. - - prot_ready_state, set TRUE to indicate that a context may be used - for per-message protection before final completion of context - establishment; Section 1.2.7 of this specification provides a - summary description of the GSS-V2 facility enabling mechanisms to - selectively permit per-message protection during context - establishment, support and use of which is optional. - - trans_state, set TRUE to indicate that a context is transferable - to another process using the GSS-V2 GSS_Export_sec_context() - facility. 
- - These state values are represented (at the C bindings level) in - positions within a bit vector which are unused in GSS-V1, and may be - safely ignored by GSS-V1 callers. - - New conf_req_flag and integ_req_flag inputs are defined for - GSS_Init_sec_context(), primarily to provide information to - negotiating mechanisms. This introduces a compatibility issue with - GSS-V1 callers, discussed in section 2.2.1 of this specification. - - - - - - - - - -Linn Standards Track [Page 95] - -RFC 2743 GSS-API January 2000 - - - Relative to GSS-V1, GSS-V2 provides additional guidance to GSS-API - implementors in the following areas: implementation robustness, - credential management, behavior in multi-mechanism configurations, - naming support, and inclusion of optional sequencing services. The - token tagging facility as defined in GSS-V2, Section 3.1, is now - described directly in terms of octets to facilitate interoperable - implementation without general ASN.1 processing code; the - corresponding ASN.1 syntax, included for descriptive purposes, is - unchanged from that in GSS-V1. For use in conjunction with added - naming support facilities, a new Exported Name Object construct is - added. Additional name types are introduced in Section 4. - - This GSS-V2 specification adds the following major_status values - which are not defined in GSS-V1: - - GSS_S_BAD_QOP unsupported QOP value - GSS_S_UNAUTHORIZED operation unauthorized - GSS_S_UNAVAILABLE operation unavailable - GSS_S_DUPLICATE_ELEMENT duplicate credential element - requested - GSS_S_NAME_NOT_MN name contains multi-mechanism - elements - GSS_S_GAP_TOKEN skipped predecessor token(s) - detected - - Of these added status codes, only two values are defined to be - returnable by calls existing in GSS-V1: GSS_S_BAD_QOP (returnable by - GSS_GetMIC() and GSS_Wrap()), and GSS_S_GAP_TOKEN (returnable by - GSS_VerifyMIC() and GSS_Unwrap()). 
- - Additionally, GSS-V2 descriptions of certain calls present in GSS-V1 - have been updated to allow return of additional major_status values - from the set as defined in GSS-V1: GSS_Inquire_cred() has - GSS_S_DEFECTIVE_CREDENTIAL and GSS_S_CREDENTIALS_EXPIRED defined as - returnable, GSS_Init_sec_context() has GSS_S_OLD_TOKEN, - GSS_S_DUPLICATE_TOKEN, and GSS_S_BAD_MECH defined as returnable, and - GSS_Accept_sec_context() has GSS_S_BAD_MECH defined as returnable. - -APPENDIX C - -CHANGES RELATIVE TO RFC-2078 - - This document incorporates a number of changes relative to RFC-2078, - made primarily in response to implementation experience, for purposes - of alignment with the GSS-V2 C language bindings document, and to add - informative clarification. This section summarizes technical changes - incorporated. - - - - -Linn Standards Track [Page 96] - -RFC 2743 GSS-API January 2000 - - - General: - - Clarified usage of object release routines, and incorporated - statement that some may be omitted within certain operating - environments. - - Removed GSS_Release_OID, GSS_OID_to_str(), and GSS_Str_to_OID() - routines. - - Clarified circumstances under which zero-length tokens may validly - exist as inputs and outputs to/from GSS-API calls. - - Added GSS_S_BAD_MIC status code as alias for GSS_S_BAD_SIG. - - For GSS_Display_status(), deferred to language bindings the choice - of whether to return multiple status values in parallel or via - iteration, and added commentary deprecating return of - GSS_S_CONTINUE_NEEDED. - - Adapted and incorporated clarifying material on optional service - support, delegation, and interprocess context transfer from C - bindings document. - - Added and updated references to related documents, and to current - status of cited Kerberos mechanism OID. - - Added general statement about GSS-API calls having no side effects - visible at the GSS-API level. 
- - Context-related (including per-message protection issues): - - Clarified GSS_Delete_sec_context() usage for partially-established - contexts. - - Added clarification on GSS_Export_sec_context() and - GSS_Import_sec_context() behavior and context usage following an - export-import sequence. - - Added informatory conf_req_flag, integ_req_flag inputs to - GSS_Init_sec_context(). (Note: this facility introduces a - backward incompatibility with GSS-V1 callers, discussed in Section - 2.2.1; this implication was recognized and accepted in working - group discussion.) - - Stated that GSS_S_FAILURE is to be returned if - GSS_Init_sec_context() or GSS_Accept_sec_context() is passed the - handle of a context which is already fully established. - - - - -Linn Standards Track [Page 97] - -RFC 2743 GSS-API January 2000 - - - Re GSS_Inquire_sec_context(), stated that src_name and targ_name - are not returned until GSS_S_COMPLETE status is reached; removed - use of GSS_S_CONTEXT_EXPIRED status code (replacing with EXPIRED - lifetime return value); stated requirement to retain inquirable - data until context released by caller; added result value - indicating whether or not context is fully open. - - Added discussion of interoperability conditions for mechanisms - permitting optional support of QOPs. Removed reference to - structured QOP elements in GSS_Verify_MIC(). - - Added discussion of use of GSS_S_DUPLICATE_TOKEN status to - indicate reflected per-message tokens. - - Clarified use of informational sequencing codes from per-message - protection calls in conjunction with GSS_S_COMPLETE and - GSS_S_FAILURE major_status returns, adjusting status code - descriptions accordingly. - - Added specific statements about impact of GSS_GetMIC() and - GSS_Wrap() failures on context state information, and generalized - existing statements about impact of processing failures on - received per-message tokens. 
-
- For GSS_Init_sec_context() and GSS_Accept_sec_context(), permitted
- returned mech_type to be valid before GSS_S_COMPLETE, recognizing
- that the value may change on successive continuation calls in the
- negotiated mechanism case.
-
- Deleted GSS_S_CONTEXT_EXPIRED status from
- GSS_Import_sec_context().
-
- Added conf_req_flag input to GSS_Wrap_size_limit().
-
- Stated requirement for mechanisms' support of per-message
- protection services to be usable concurrently in both directions
- on a context.
-
- Credential-related:
-
- For GSS_Acquire_cred() and GSS_Add_cred(), aligned with C bindings
- statement of likely non-support for INITIATE or BOTH credentials
- if input name is neither empty nor a name resulting from applying
- GSS_Inquire_cred() against the default credential. Further,
- stated that an explicit name returned by GSS_Inquire_context()
- should also be accepted. Added commentary about potentially
- time-variant results of default resolution and attendant
- implications. Aligned with C bindings re behavior when
-
-
-
-Linn Standards Track [Page 98]
-
-RFC 2743 GSS-API January 2000
-
-
- GSS_C_NO_NAME provided for desired_name. In GSS_Acquire_cred(),
- stated that NULL, rather than empty OID set, should be used for
- desired_mechs in order to request default mechanism set.
-
- Added GSS_S_CREDENTIALS_EXPIRED as returnable major_status for
- GSS_Acquire_cred(), GSS_Add_cred(), also specifying GSS_S_NO_CRED
- as appropriate return for temporary, user-fixable credential
- unavailability. GSS_Acquire_cred() and GSS_Add_cred() are also to
- return GSS_S_NO_CRED if an authorization failure is encountered
- upon credential acquisition.
-
- Removed GSS_S_CREDENTIALS_EXPIRED status return from per-message
- protection, GSS_Context_time(), and GSS_Inquire_context() calls.
-
- For GSS_Add_cred(), aligned with C bindings' description of
- behavior when addition of elements to the default credential is
- requested.
- - Upgraded recommended default credential resolution algorithm to - status of requirement for initiator credentials. - - For GSS_Release_cred(), GSS_Inquire_cred(), and - GSS_Inquire_cred_by_mech(), clarified behavior for input - GSS_C_NO_CREDENTIAL. - - Name-related: - - Aligned GSS_Inquire_mechs_for_name() description with C bindings. - - Removed GSS_S_BAD_NAMETYPE status return from - GSS_Duplicate_name(), GSS_Display_name(); constrained its - applicability for GSS_Compare_name(). - - Aligned with C bindings statement re GSS_Import_name() behavior - with GSS_C_NO_OID input name type, and stated that GSS-V2 - mechanism specifications are to define processing procedures - applicable to their mechanisms. Also clarified GSS_C_NO_OID usage - with GSS_Display_name(). - - Downgraded reference to name canonicalization via DNS lookup to an - example. - - For GSS_Canonicalize_name(), stated that neither negotiated - mechanisms nor the default mechanism are supported input - mech_types for this operation, and specified GSS_S_BAD_MECH status - to be returned in this case. Clarified that the - GSS_Canonicalize_name() operation is non-destructive to its input - name. - - - -Linn Standards Track [Page 99] - -RFC 2743 GSS-API January 2000 - - - Clarified semantics of GSS_C_NT_USER_NAME name type. - - Added descriptions of additional name types. Also added - discussion of GSS_C_NO_NAME and its constrained usage with - specific GSS calls. - - Adapted and incorporated C bindings discussion about name - comparisons with exported name objects. - - Added recommendation to mechanism designers for support of host- - based service name type, deferring any requirement statement to - individual mechanism specifications. Added discussion of host- - based service's service name element and proposed approach for - IANA registration policy therefor. - - Clarified byte ordering within exported name object. 
Stated that - GSS_S_BAD_MECH is to be returned if, in the course of attempted - import of an exported name object, the name object's enclosed - mechanism type is unrecognized or unsupported. - - Stated that mechanisms may optionally accept GSS_C_NO_NAME as an - input target name to GSS_Init_sec_context(), with comment that - such support is unlikely within mechanisms predating GSS-V2, - Update 1. - -AUTHOR'S ADDRESS - - John Linn - RSA Laboratories - 20 Crosby Drive - Bedford, MA 01730 USA - - Phone: +1 781.687.7817 - EMail: jlinn@rsasecurity.com - - - - - - - - - - - - - - - - - -Linn Standards Track [Page 100] - -RFC 2743 GSS-API January 2000 - - -Full Copyright Statement - - Copyright (C) The Internet Society (2000). All Rights Reserved. - - This document and translations of it may be copied and furnished to - others, and derivative works that comment on or otherwise explain it - or assist in its implementation may be prepared, copied, published - and distributed, in whole or in part, without restriction of any - kind, provided that the above copyright notice and this paragraph are - included on all such copies and derivative works. However, this - document itself may not be modified in any way, such as by removing - the copyright notice or references to the Internet Society or other - Internet organizations, except as needed for the purpose of - developing Internet standards in which case the procedures for - copyrights defined in the Internet Standards process must be - followed, or as required to translate it into languages other than - English. - - The limited permissions granted above are perpetual and will not be - revoked by the Internet Society or its successors or assigns. 
- - This document and the information contained herein is provided on an - "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING - TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING - BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION - HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF - MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. - -Acknowledgement - - Funding for the RFC Editor function is currently provided by the - Internet Society. - - - - - - - - - - - - - - - - - - - -Linn Standards Track [Page 101] - diff --git a/crypto/heimdal-0.6.3/doc/standardisation/rfc2744.txt b/crypto/heimdal-0.6.3/doc/standardisation/rfc2744.txt deleted file mode 100644 index 7f0c61946f..0000000000 --- a/crypto/heimdal-0.6.3/doc/standardisation/rfc2744.txt +++ /dev/null 
@@ -1,5659 +0,0 @@ - - - - - - -Network Working Group J. Wray -Request for Comments: 2744 Iris Associates -Obsoletes: 1509 January 2000 -Category: Standards Track - - - Generic Security Service API Version 2 : C-bindings - -Status of this Memo - - This document specifies an Internet standards track protocol for the - Internet community, and requests discussion and suggestions for - improvements. Please refer to the current edition of the "Internet - Official Protocol Standards" (STD 1) for the standardization state - and status of this protocol. Distribution of this memo is unlimited. - -Copyright Notice - - Copyright (C) The Internet Society (2000). All Rights Reserved. - -Abstract - - This document specifies C language bindings for Version 2, Update 1 - of the Generic Security Service Application Program Interface (GSS- - API), which is described at a language-independent conceptual level - in RFC-2743 [GSSAPI]. It obsoletes RFC-1509, making specific - incremental changes in response to implementation experience and - liaison requests. It is intended, therefore, that this memo or a - successor version thereof will become the basis for subsequent - progression of the GSS-API specification on the standards track. - - The Generic Security Service Application Programming Interface - provides security services to its callers, and is intended for - implementation atop a variety of underlying cryptographic mechanisms. - Typically, GSS-API callers will be application protocols into which - security enhancements are integrated through invocation of services - provided by the GSS-API. The GSS-API allows a caller application to - authenticate a principal identity associated with a peer application, - to delegate rights to a peer, and to apply security services such as - confidentiality and integrity on a per-message basis. - - - - - - - - - - - -Wray Standards Track [Page 1] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - -1. 
Introduction - - The Generic Security Service Application Programming Interface - [GSSAPI] provides security services to calling applications. It - allows a communicating application to authenticate the user - associated with another application, to delegate rights to another - application, and to apply security services such as confidentiality - and integrity on a per-message basis. - - There are four stages to using the GSS-API: - - a) The application acquires a set of credentials with which it may - prove its identity to other processes. The application's - credentials vouch for its global identity, which may or may not be - related to any local username under which it may be running. - - b) A pair of communicating applications establish a joint security - context using their credentials. The security context is a pair - of GSS-API data structures that contain shared state information, - which is required in order that per-message security services may - be provided. Examples of state that might be shared between - applications as part of a security context are cryptographic keys, - and message sequence numbers. As part of the establishment of a - security context, the context initiator is authenticated to the - responder, and may require that the responder is authenticated in - turn. The initiator may optionally give the responder the right - to initiate further security contexts, acting as an agent or - delegate of the initiator. This transfer of rights is termed - delegation, and is achieved by creating a set of credentials, - similar to those used by the initiating application, but which may - be used by the responder. - - To establish and maintain the shared information that makes up the - security context, certain GSS-API calls will return a token data - structure, which is an opaque data type that may contain - cryptographically protected data. 
The caller of such a GSS-API - routine is responsible for transferring the token to the peer - application, encapsulated if necessary in an application- - application protocol. On receipt of such a token, the peer - application should pass it to a corresponding GSS-API routine - which will decode the token and extract the information, updating - the security context state information accordingly. - - - - - - - - - -Wray Standards Track [Page 2] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - c) Per-message services are invoked to apply either: - - integrity and data origin authentication, or confidentiality, - integrity and data origin authentication to application data, - which are treated by GSS-API as arbitrary octet-strings. An - application transmitting a message that it wishes to protect will - call the appropriate GSS-API routine (gss_get_mic or gss_wrap) to - apply protection, specifying the appropriate security context, and - send the resulting token to the receiving application. The - receiver will pass the received token (and, in the case of data - protected by gss_get_mic, the accompanying message-data) to the - corresponding decoding routine (gss_verify_mic or gss_unwrap) to - remove the protection and validate the data. - - d) At the completion of a communications session (which may extend - across several transport connections), each application calls a - GSS-API routine to delete the security context. Multiple contexts - may also be used (either successively or simultaneously) within a - single communications association, at the option of the - applications. - -2. GSS-API Routines - - This section lists the routines that make up the GSS-API, and - offers a brief description of the purpose of each routine. - Detailed descriptions of each routine are listed in alphabetical - order in section 5. 
- - Table 2-1 GSS-API Credential-management Routines - - Routine Section Function - ------- ------- -------- - gss_acquire_cred 5.2 Assume a global identity; Obtain - a GSS-API credential handle for - pre-existing credentials. - gss_add_cred 5.3 Construct credentials - incrementally - gss_inquire_cred 5.21 Obtain information about a - credential - gss_inquire_cred_by_mech 5.22 Obtain per-mechanism information - about a credential. - gss_release_cred 5.27 Discard a credential handle. - - - - - - - - - -Wray Standards Track [Page 3] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - Table 2-2 GSS-API Context-Level Routines - - Routine Section Function - ------- ------- -------- - gss_init_sec_context 5.19 Initiate a security context with - a peer application - gss_accept_sec_context 5.1 Accept a security context - initiated by a - peer application - gss_delete_sec_context 5.9 Discard a security context - gss_process_context_token 5.25 Process a token on a security - context from a peer application - gss_context_time 5.7 Determine for how long a context - will remain valid - gss_inquire_context 5.20 Obtain information about a - security context - gss_wrap_size_limit 5.34 Determine token-size limit for - gss_wrap on a context - gss_export_sec_context 5.14 Transfer a security context to - another process - gss_import_sec_context 5.17 Import a transferred context - - - Table 2-3 GSS-API Per-message Routines - - Routine Section Function - ------- ------- -------- - gss_get_mic 5.15 Calculate a cryptographic message - integrity code (MIC) for a - message; integrity service - gss_verify_mic 5.32 Check a MIC against a message; - verify integrity of a received - message - gss_wrap 5.33 Attach a MIC to a message, and - optionally encrypt the message - content; - confidentiality service - gss_unwrap 5.31 Verify a message with attached - MIC, and decrypt message content - if necessary. 
- - - - - - - - - - - -Wray Standards Track [Page 4] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - Table 2-4 GSS-API Name manipulation Routines - - Routine Section Function - ------- ------- -------- - gss_import_name 5.16 Convert a contiguous string name - to internal-form - gss_display_name 5.10 Convert internal-form name to - text - gss_compare_name 5.6 Compare two internal-form names - - gss_release_name 5.28 Discard an internal-form name - gss_inquire_names_for_mech 5.24 List the name-types supported by - the specified mechanism - gss_inquire_mechs_for_name 5.23 List mechanisms that support the - specified name-type - gss_canonicalize_name 5.5 Convert an internal name to an MN - gss_export_name 5.13 Convert an MN to export form - gss_duplicate_name 5.12 Create a copy of an internal name - - - Table 2-5 GSS-API Miscellaneous Routines - - Routine Section Function - ------- ------- -------- - gss_add_oid_set_member 5.4 Add an object identifier to - a set - gss_display_status 5.11 Convert a GSS-API status code - to text - gss_indicate_mechs 5.18 Determine available underlying - authentication mechanisms - gss_release_buffer 5.26 Discard a buffer - gss_release_oid_set 5.29 Discard a set of object - identifiers - gss_create_empty_oid_set 5.8 Create a set containing no - object identifiers - gss_test_oid_set_member 5.30 Determines whether an object - identifier is a member of a set. - - Individual GSS-API implementations may augment these routines by - providing additional mechanism-specific routines if required - functionality is not available from the generic forms. Applications - are encouraged to use the generic routines wherever possible on - portability grounds. - - - - - - - - -Wray Standards Track [Page 5] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - -3. Data Types and Calling Conventions - - The following conventions are used by the GSS-API C-language - bindings: - -3.1. 
Integer types - - GSS-API uses the following integer data type: - - OM_uint32 32-bit unsigned integer - - Where guaranteed minimum bit-count is important, this portable data - type is used by the GSS-API routine definitions. Individual GSS-API - implementations will include appropriate typedef definitions to map - this type onto a built-in data type. If the platform supports the - X/Open xom.h header file, the OM_uint32 definition contained therein - should be used; the GSS-API header file in Appendix A contains logic - that will detect the prior inclusion of xom.h, and will not attempt - to re-declare OM_uint32. If the X/Open header file is not available - on the platform, the GSS-API implementation should use the smallest - natural unsigned integer type that provides at least 32 bits of - precision. - -3.2. String and similar data - - Many of the GSS-API routines take arguments and return values that - describe contiguous octet-strings. All such data is passed between - the GSS-API and the caller using the gss_buffer_t data type. This - data type is a pointer to a buffer descriptor, which consists of a - length field that contains the total number of bytes in the datum, - and a value field which contains a pointer to the actual datum: - - typedef struct gss_buffer_desc_struct { - size_t length; - void *value; - } gss_buffer_desc, *gss_buffer_t; - - Storage for data returned to the application by a GSS-API routine - using the gss_buffer_t conventions is allocated by the GSS-API - routine. The application may free this storage by invoking the - gss_release_buffer routine. Allocation of the gss_buffer_desc object - is always the responsibility of the application; unused - gss_buffer_desc objects may be initialized to the value - GSS_C_EMPTY_BUFFER. - - - - - - - -Wray Standards Track [Page 6] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - -3.2.1. 
Opaque data types - - Certain multiple-word data items are considered opaque data types at - the GSS-API, because their internal structure has no significance - either to the GSS-API or to the caller. Examples of such opaque data - types are the input_token parameter to gss_init_sec_context (which is - opaque to the caller), and the input_message parameter to gss_wrap - (which is opaque to the GSS-API). Opaque data is passed between the - GSS-API and the application using the gss_buffer_t datatype. - -3.2.2. Character strings - - Certain multiple-word data items may be regarded as simple ISO - Latin-1 character strings. Examples are the printable strings passed - to gss_import_name via the input_name_buffer parameter. Some GSS-API - routines also return character strings. All such character strings - are passed between the application and the GSS-API implementation - using the gss_buffer_t datatype, which is a pointer to a - gss_buffer_desc object. - - When a gss_buffer_desc object describes a printable string, the - length field of the gss_buffer_desc should only count printable - characters within the string. In particular, a trailing NUL - character should NOT be included in the length count, nor should - either the GSS-API implementation or the application assume the - presence of an uncounted trailing NUL. - -3.3. Object Identifiers - - Certain GSS-API procedures take parameters of the type gss_OID, or - Object identifier. This is a type containing ISO-defined tree- - structured values, and is used by the GSS-API caller to select an - underlying security mechanism and to specify namespaces. A value of - type gss_OID has the following structure: - - typedef struct gss_OID_desc_struct { - OM_uint32 length; - void *elements; - } gss_OID_desc, *gss_OID; - - The elements field of this structure points to the first byte of an - octet string containing the ASN.1 BER encoding of the value portion - of the normal BER TLV encoding of the gss_OID. 
The length field - contains the number of bytes in this value. For example, the gss_OID - value corresponding to {iso(1) identified-organization(3) icd- - ecma(12) member-company(2) dec(1011) cryptoAlgorithms(7) DASS(5)}, - meaning the DASS X.509 authentication mechanism, has a length field - of 7 and an elements field pointing to seven octets containing the - - - -Wray Standards Track [Page 7] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - following octal values: 53,14,2,207,163,7,5. GSS-API implementations - should provide constant gss_OID values to allow applications to - request any supported mechanism, although applications are encouraged - on portability grounds to accept the default mechanism. gss_OID - values should also be provided to allow applications to specify - particular name types (see section 3.10). Applications should treat - gss_OID_desc values returned by GSS-API routines as read-only. In - particular, the application should not attempt to deallocate them - with free(). The gss_OID_desc datatype is equivalent to the X/Open - OM_object_identifier datatype[XOM]. - -3.4. Object Identifier Sets - - Certain GSS-API procedures take parameters of the type gss_OID_set. - This type represents one or more object identifiers (section 2.3). A - gss_OID_set object has the following structure: - - typedef struct gss_OID_set_desc_struct { - size_t count; - gss_OID elements; - } gss_OID_set_desc, *gss_OID_set; - - The count field contains the number of OIDs within the set. The - elements field is a pointer to an array of gss_OID_desc objects, each - of which describes a single OID. gss_OID_set values are used to name - the available mechanisms supported by the GSS-API, to request the use - of specific mechanisms, and to indicate which mechanisms a given - credential supports. 
- - All OID sets returned to the application by GSS-API are dynamic - objects (the gss_OID_set_desc, the "elements" array of the set, and - the "elements" array of each member OID are all dynamically - allocated), and this storage must be deallocated by the application - using the gss_release_oid_set() routine. - -3.5. Credentials - - A credential handle is a caller-opaque atomic datum that identifies a - GSS-API credential data structure. It is represented by the caller- - opaque type gss_cred_id_t, which should be implemented as a pointer - or arithmetic type. If a pointer implementation is chosen, care must - be taken to ensure that two gss_cred_id_t values may be compared with - the == operator. - - GSS-API credentials can contain mechanism-specific principal - authentication data for multiple mechanisms. A GSS-API credential is - composed of a set of credential-elements, each of which is applicable - to a single mechanism. A credential may contain at most one - - - -Wray Standards Track [Page 8] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - credential-element for each supported mechanism. A credential-element - identifies the data needed by a single mechanism to authenticate a - single principal, and conceptually contains two credential-references - that describe the actual mechanism-specific authentication data, one - to be used by GSS-API for initiating contexts, and one to be used - for accepting contexts. For mechanisms that do not distinguish - between acceptor and initiator credentials, both references would - point to the same underlying mechanism-specific authentication data. - - Credentials describe a set of mechanism-specific principals, and give - their holder the ability to act as any of those principals. All - principal identities asserted by a single GSS-API credential should - belong to the same entity, although enforcement of this property is - an implementation-specific matter. 
The GSS-API does not make the - actual credentials available to applications; instead a credential - handle is used to identify a particular credential, held internally - by GSS-API. The combination of GSS-API credential handle and - mechanism identifies the principal whose identity will be asserted by - the credential when used with that mechanism. - - The gss_init_sec_context and gss_accept_sec_context routines allow - the value GSS_C_NO_CREDENTIAL to be specified as their credential - handle parameter. This special credential-handle indicates a desire - by the application to act as a default principal. While individual - GSS-API implementations are free to determine such default behavior - as appropriate to the mechanism, the following default behavior by - these routines is recommended for portability: - - gss_init_sec_context - - 1) If there is only a single principal capable of initiating - security contexts for the chosen mechanism that the application - is authorized to act on behalf of, then that principal shall be - used, otherwise - - 2) If the platform maintains a concept of a default network- - identity for the chosen mechanism, and if the application is - authorized to act on behalf of that identity for the purpose of - initiating security contexts, then the principal corresponding - to that identity shall be used, otherwise - - 3) If the platform maintains a concept of a default local - identity, and provides a means to map local identities into - network-identities for the chosen mechanism, and if the - application is authorized to act on behalf of the network- - identity image of the default local identity for the purpose of - - - - - -Wray Standards Track [Page 9] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - initiating security contexts using the chosen mechanism, then - the principal corresponding to that identity shall be used, - otherwise - - 4) A user-configurable default identity should be used. 
- - gss_accept_sec_context - - 1) If there is only a single authorized principal identity capable - of accepting security contexts for the chosen mechanism, then - that principal shall be used, otherwise - - 2) If the mechanism can determine the identity of the target - principal by examining the context-establishment token, and if - the accepting application is authorized to act as that - principal for the purpose of accepting security contexts using - the chosen mechanism, then that principal identity shall be - used, otherwise - - 3) If the mechanism supports context acceptance by any principal, - and if mutual authentication was not requested, any principal - that the application is authorized to accept security contexts - under using the chosen mechanism may be used, otherwise - - 4)A user-configurable default identity shall be used. - - The purpose of the above rules is to allow security contexts to be - established by both initiator and acceptor using the default behavior - wherever possible. Applications requesting default behavior are - likely to be more portable across mechanisms and platforms than ones - that use gss_acquire_cred to request a specific identity. - -3.6. Contexts - - The gss_ctx_id_t data type contains a caller-opaque atomic value that - identifies one end of a GSS-API security context. It should be - implemented as a pointer or arithmetic type. If a pointer type is - chosen, care should be taken to ensure that two gss_ctx_id_t values - may be compared with the == operator. - - The security context holds state information about each end of a peer - communication, including cryptographic state information. - - - - - - - - - -Wray Standards Track [Page 10] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - -3.7. Authentication tokens - - A token is a caller-opaque type that GSS-API uses to maintain - synchronization between the context data structures at each end of a - GSS-API security context. 
The token is a cryptographically protected - octet-string, generated by the underlying mechanism at one end of a - GSS-API security context for use by the peer mechanism at the other - end. Encapsulation (if required) and transfer of the token are the - responsibility of the peer applications. A token is passed between - the GSS-API and the application using the gss_buffer_t conventions. - -3.8. Interprocess tokens - - Certain GSS-API routines are intended to transfer data between - processes in multi-process programs. These routines use a caller- - opaque octet-string, generated by the GSS-API in one process for use - by the GSS-API in another process. The calling application is - responsible for transferring such tokens between processes in an OS- - specific manner. Note that, while GSS-API implementors are - encouraged to avoid placing sensitive information within interprocess - tokens, or to cryptographically protect them, many implementations - will be unable to avoid placing key material or other sensitive data - within them. It is the application's responsibility to ensure that - interprocess tokens are protected in transit, and transferred only to - processes that are trustworthy. An interprocess token is passed - between the GSS-API and the application using the gss_buffer_t - conventions. - -3.9. Status values - - Every GSS-API routine returns two distinct values to report status - information to the caller: GSS status codes and Mechanism status - codes. - -3.9.1. GSS status codes - - GSS-API routines return GSS status codes as their OM_uint32 function - value. These codes indicate errors that are independent of the - underlying mechanism(s) used to provide the security service. The - errors that can be indicated via a GSS status code are either generic - API routine errors (errors that are defined in the GSS-API - specification) or calling errors (errors that are specific to these - language bindings). 
- - A GSS status code can indicate a single fatal generic API error from - the routine and a single calling error. In addition, supplementary - status information may be indicated via the setting of bits in the - supplementary info field of a GSS status code. - - - -Wray Standards Track [Page 11] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - These errors are encoded into the 32-bit GSS status code as follows: - - MSB LSB - |------------------------------------------------------------| - | Calling Error | Routine Error | Supplementary Info | - |------------------------------------------------------------| - Bit 31 24 23 16 15 0 - - Hence if a GSS-API routine returns a GSS status code whose upper 16 - bits contain a non-zero value, the call failed. If the calling error - field is non-zero, the invoking application's call of the routine was - erroneous. Calling errors are defined in table 5-1. If the routine - error field is non-zero, the routine failed for one of the routine- - specific reasons listed below in table 5-2. Whether or not the upper - 16 bits indicate a failure or a success, the routine may indicate - additional information by setting bits in the supplementary info - field of the status code. The meaning of individual bits is listed - below in table 5-3. - - Table 3-1 Calling Errors - - Name Value in field Meaning - ---- -------------- ------- - GSS_S_CALL_INACCESSIBLE_READ 1 A required input parameter - could not be read - GSS_S_CALL_INACCESSIBLE_WRITE 2 A required output parameter - could not be written. 
- GSS_S_CALL_BAD_STRUCTURE 3 A parameter was malformed - - - - - - - - - - - - - - - - - - - - - - - -Wray Standards Track [Page 12] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - Table 3-2 Routine Errors - - Name Value in field Meaning - ---- -------------- ------- - GSS_S_BAD_MECH 1 An unsupported mechanism - was requested - GSS_S_BAD_NAME 2 An invalid name was - supplied - GSS_S_BAD_NAMETYPE 3 A supplied name was of an - unsupported type - GSS_S_BAD_BINDINGS 4 Incorrect channel bindings - were supplied - GSS_S_BAD_STATUS 5 An invalid status code was - supplied - GSS_S_BAD_MIC GSS_S_BAD_SIG 6 A token had an invalid MIC - GSS_S_NO_CRED 7 No credentials were - supplied, or the - credentials were - unavailable or - inaccessible. - GSS_S_NO_CONTEXT 8 No context has been - established - GSS_S_DEFECTIVE_TOKEN 9 A token was invalid - GSS_S_DEFECTIVE_CREDENTIAL 10 A credential was invalid - GSS_S_CREDENTIALS_EXPIRED 11 The referenced credentials - have expired - GSS_S_CONTEXT_EXPIRED 12 The context has expired - GSS_S_FAILURE 13 Miscellaneous failure (see - text) - GSS_S_BAD_QOP 14 The quality-of-protection - requested could not be - provided - GSS_S_UNAUTHORIZED 15 The operation is forbidden - by local security policy - GSS_S_UNAVAILABLE 16 The operation or option is - unavailable - GSS_S_DUPLICATE_ELEMENT 17 The requested credential - element already exists - GSS_S_NAME_NOT_MN 18 The provided name was not a - mechanism name - - - - - - - - - - - -Wray Standards Track [Page 13] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - Table 3-3 Supplementary Status Bits - - Name Bit Number Meaning - ---- ---------- ------- - GSS_S_CONTINUE_NEEDED 0 (LSB) Returned only by - gss_init_sec_context or - gss_accept_sec_context. The - routine must be called again - to complete its function. 
- See routine documentation for - detailed description - GSS_S_DUPLICATE_TOKEN 1 The token was a duplicate of - an earlier token - GSS_S_OLD_TOKEN 2 The token's validity period - has expired - GSS_S_UNSEQ_TOKEN 3 A later token has already been - processed - GSS_S_GAP_TOKEN 4 An expected per-message token - was not received - - The routine documentation also uses the name GSS_S_COMPLETE, which is - a zero value, to indicate an absence of any API errors or - supplementary information bits. - - All GSS_S_xxx symbols equate to complete OM_uint32 status codes, - rather than to bitfield values. For example, the actual value of the - symbol GSS_S_BAD_NAMETYPE (value 3 in the routine error field) is - 3<<16. The macros GSS_CALLING_ERROR(), GSS_ROUTINE_ERROR() and - GSS_SUPPLEMENTARY_INFO() are provided, each of which takes a GSS - status code and removes all but the relevant field. For example, the - value obtained by applying GSS_ROUTINE_ERROR to a status code removes - the calling errors and supplementary info fields, leaving only the - routine errors field. The values delivered by these macros may be - directly compared with a GSS_S_xxx symbol of the appropriate type. - The macro GSS_ERROR() is also provided, which when applied to a GSS - status code returns a non-zero value if the status code indicated a - calling or routine error, and a zero value otherwise. All macros - defined by GSS-API evaluate their argument(s) exactly once. - - A GSS-API implementation may choose to signal calling errors in a - platform-specific manner instead of, or in addition to the routine - value; routine errors and supplementary info should be returned via - major status values only. - - The GSS major status code GSS_S_FAILURE is used to indicate that the - underlying mechanism detected an error for which no specific GSS - status code is defined. The mechanism-specific status code will - provide more details about the error. 
- - - -Wray Standards Track [Page 14] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - -3.9.2. Mechanism-specific status codes - - GSS-API routines return a minor_status parameter, which is used to - indicate specialized errors from the underlying security mechanism. - This parameter may contain a single mechanism-specific error, - indicated by a OM_uint32 value. - - The minor_status parameter will always be set by a GSS-API routine, - even if it returns a calling error or one of the generic API errors - indicated above as fatal, although most other output parameters may - remain unset in such cases. However, output parameters that are - expected to return pointers to storage allocated by a routine must - always be set by the routine, even in the event of an error, although - in such cases the GSS-API routine may elect to set the returned - parameter value to NULL to indicate that no storage was actually - allocated. Any length field associated with such pointers (as in a - gss_buffer_desc structure) should also be set to zero in such cases. - -3.10. Names - - A name is used to identify a person or entity. GSS-API authenticates - the relationship between a name and the entity claiming the name. - - Since different authentication mechanisms may employ different - namespaces for identifying their principals, GSSAPI's naming support - is necessarily complex in multi-mechanism environments (or even in - some single-mechanism environments where the underlying mechanism - supports multiple namespaces). - - Two distinct representations are defined for names: - - An internal form. This is the GSS-API "native" format for names, - represented by the implementation-specific gss_name_t type. It is - opaque to GSS-API callers. A single gss_name_t object may contain - multiple names from different namespaces, but all names should - refer to the same entity. 
An example of such an internal name - would be the name returned from a call to the gss_inquire_cred - routine, when applied to a credential containing credential - elements for multiple authentication mechanisms employing - different namespaces. This gss_name_t object will contain a - distinct name for the entity for each authentication mechanism. - - For GSS-API implementations supporting multiple namespaces, - objects of type gss_name_t must contain sufficient information to - determine the namespace to which each primitive name belongs. - - - - - - -Wray Standards Track [Page 15] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - Mechanism-specific contiguous octet-string forms. A format - capable of containing a single name (from a single namespace). - Contiguous string names are always accompanied by an object - identifier specifying the namespace to which the name belongs, and - their format is dependent on the authentication mechanism that - employs the name. Many, but not all, contiguous string names will - be printable, and may therefore be used by GSS-API applications - for communication with their users. - - Routines (gss_import_name and gss_display_name) are provided to - convert names between contiguous string representations and the - internal gss_name_t type. gss_import_name may support multiple - syntaxes for each supported namespace, allowing users the freedom to - choose a preferred name representation. gss_display_name should use - an implementation-chosen printable syntax for each supported name- - type. - - If an application calls gss_display_name(), passing the internal name - resulting from a call to gss_import_name(), there is no guarantee the - the resulting contiguous string name will be the same as the original - imported string name. Nor do name-space identifiers necessarily - survive unchanged after a journey through the internal name-form. 
An - example of this might be a mechanism that authenticates X.500 names, - but provides an algorithmic mapping of Internet DNS names into X.500. - That mechanism's implementation of gss_import_name() might, when - presented with a DNS name, generate an internal name that contained - both the original DNS name and the equivalent X.500 name. - Alternatively, it might only store the X.500 name. In the latter - case, gss_display_name() would most likely generate a printable X.500 - name, rather than the original DNS name. - - The process of authentication delivers to the context acceptor an - internal name. Since this name has been authenticated by a single - mechanism, it contains only a single name (even if the internal name - presented by the context initiator to gss_init_sec_context had - multiple components). Such names are termed internal mechanism - names, or "MN"s and the names emitted by gss_accept_sec_context() are - always of this type. Since some applications may require MNs without - wanting to incur the overhead of an authentication operation, a - second function, gss_canonicalize_name(), is provided to convert a - general internal name into an MN. - - Comparison of internal-form names may be accomplished via the - gss_compare_name() routine, which returns true if the two names being - compared refer to the same entity. This removes the need for the - application program to understand the syntaxes of the various - printable names that a given GSS-API implementation may support. - Since GSS-API assumes that all primitive names contained within a - - - -Wray Standards Track [Page 16] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - given internal name refer to the same entity, gss_compare_name() can - return true if the two names have at least one primitive name in - common. 
If the implementation embodies knowledge of equivalence - relationships between names taken from different namespaces, this - knowledge may also allow successful comparison of internal names - containing no overlapping primitive elements. - - When used in large access control lists, the overhead of invoking - gss_import_name() and gss_compare_name() on each name from the ACL - may be prohibitive. As an alternative way of supporting this case, - GSS-API defines a special form of the contiguous string name which - may be compared directly (e.g. with memcmp()). Contiguous names - suitable for comparison are generated by the gss_export_name() - routine, which requires an MN as input. Exported names may be re- - imported by the gss_import_name() routine, and the resulting internal - name will also be an MN. The gss_OID constant GSS_C_NT_EXPORT_NAME - indentifies the "export name" type, and the value of this constant is - given in Appendix A. Structurally, an exported name object consists - of a header containing an OID identifying the mechanism that - authenticated the name, and a trailer containing the name itself, - where the syntax of the trailer is defined by the individual - mechanism specification. The precise format of an export name is - defined in the language-independent GSS-API specification [GSSAPI]. - - Note that the results obtained by using gss_compare_name() will in - general be different from those obtained by invoking - gss_canonicalize_name() and gss_export_name(), and then comparing the - exported names. The first series of operation determines whether two - (unauthenticated) names identify the same principal; the second - whether a particular mechanism would authenticate them as the same - principal. These two operations will in general give the same - results only for MNs. - - The gss_name_t datatype should be implemented as a pointer type. 
To - allow the compiler to aid the application programmer by performing - type-checking, the use of (void *) is discouraged. A pointer to an - implementation-defined type is the preferred choice. - - Storage is allocated by routines that return gss_name_t values. A - procedure, gss_release_name, is provided to free storage associated - with an internal-form name. - - - - - - - - - - -Wray Standards Track [Page 17] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - -3.11. Channel Bindings - - GSS-API supports the use of user-specified tags to identify a given - context to the peer application. These tags are intended to be used - to identify the particular communications channel that carries the - context. Channel bindings are communicated to the GSS-API using the - following structure: - - typedef struct gss_channel_bindings_struct { - OM_uint32 initiator_addrtype; - gss_buffer_desc initiator_address; - OM_uint32 acceptor_addrtype; - gss_buffer_desc acceptor_address; - gss_buffer_desc application_data; - } *gss_channel_bindings_t; - - The initiator_addrtype and acceptor_addrtype fields denote the type - of addresses contained in the initiator_address and acceptor_address - buffers. The address type should be one of the following: - - GSS_C_AF_UNSPEC Unspecified address type - GSS_C_AF_LOCAL Host-local address type - GSS_C_AF_INET Internet address type (e.g. 
IP) - GSS_C_AF_IMPLINK ARPAnet IMP address type - GSS_C_AF_PUP pup protocols (eg BSP) address type - GSS_C_AF_CHAOS MIT CHAOS protocol address type - GSS_C_AF_NS XEROX NS address type - GSS_C_AF_NBS nbs address type - GSS_C_AF_ECMA ECMA address type - GSS_C_AF_DATAKIT datakit protocols address type - GSS_C_AF_CCITT CCITT protocols - GSS_C_AF_SNA IBM SNA address type - GSS_C_AF_DECnet DECnet address type - GSS_C_AF_DLI Direct data link interface address type - GSS_C_AF_LAT LAT address type - GSS_C_AF_HYLINK NSC Hyperchannel address type - GSS_C_AF_APPLETALK AppleTalk address type - GSS_C_AF_BSC BISYNC 2780/3780 address type - GSS_C_AF_DSS Distributed system services address type - GSS_C_AF_OSI OSI TP4 address type - GSS_C_AF_X25 X.25 - GSS_C_AF_NULLADDR No address specified - - Note that these symbols name address families rather than specific - addressing formats. For address families that contain several - alternative address forms, the initiator_address and acceptor_address - fields must contain sufficient information to determine which address - - - - -Wray Standards Track [Page 18] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - form is used. When not otherwise specified, addresses should be - specified in network byte-order (that is, native byte-ordering for - the address family). - - Conceptually, the GSS-API concatenates the initiator_addrtype, - initiator_address, acceptor_addrtype, acceptor_address and - application_data to form an octet string. The mechanism calculates a - MIC over this octet string, and binds the MIC to the context - establishment token emitted by gss_init_sec_context. The same - bindings are presented by the context acceptor to - gss_accept_sec_context, and a MIC is calculated in the same way. The - calculated MIC is compared with that found in the token, and if the - MICs differ, gss_accept_sec_context will return a GSS_S_BAD_BINDINGS - error, and the context will not be established. 
Some mechanisms may - include the actual channel binding data in the token (rather than - just a MIC); applications should therefore not use confidential data - as channel-binding components. - - Individual mechanisms may impose additional constraints on addresses - and address types that may appear in channel bindings. For example, - a mechanism may verify that the initiator_address field of the - channel bindings presented to gss_init_sec_context contains the - correct network address of the host system. Portable applications - should therefore ensure that they either provide correct information - for the address fields, or omit addressing information, specifying - GSS_C_AF_NULLADDR as the address-types. - -3.12. Optional parameters - - Various parameters are described as optional. This means that they - follow a convention whereby a default value may be requested. The - following conventions are used for omitted parameters. These - conventions apply only to those parameters that are explicitly - documented as optional. - -3.12.1. gss_buffer_t types - - Specify GSS_C_NO_BUFFER as a value. For an input parameter this - signifies that default behavior is requested, while for an output - parameter it indicates that the information that would be returned - via the parameter is not required by the application. - -3.12.2. Integer types (input) - - Individual parameter documentation lists values to be used to - indicate default actions. - - - - - -Wray Standards Track [Page 19] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - -3.12.3. Integer types (output) - - Specify NULL as the value for the pointer. - -3.12.4. Pointer types - - Specify NULL as the value. - -3.12.5. Object IDs - - Specify GSS_C_NO_OID as the value. - -3.12.6. Object ID Sets - - Specify GSS_C_NO_OID_SET as the value. - -3.12.7. Channel Bindings - - Specify GSS_C_NO_CHANNEL_BINDINGS to indicate that channel bindings - are not to be used. - -4. 
Additional Controls - - This section discusses the optional services that a context initiator - may request of the GSS-API at context establishment. Each of these - services is requested by setting a flag in the req_flags input - parameter to gss_init_sec_context. - - The optional services currently defined are: - - Delegation - The (usually temporary) transfer of rights from - initiator to acceptor, enabling the acceptor to authenticate - itself as an agent of the initiator. - - Mutual Authentication - In addition to the initiator authenticating - its identity to the context acceptor, the context acceptor should - also authenticate itself to the initiator. - - Replay detection - In addition to providing message integrity - services, gss_get_mic and gss_wrap should include message - numbering information to enable gss_verify_mic and gss_unwrap to - detect if a message has been duplicated. - - Out-of-sequence detection - In addition to providing message - integrity services, gss_get_mic and gss_wrap should include - message sequencing information to enable gss_verify_mic and - gss_unwrap to detect if a message has been received out of - sequence. - - - -Wray Standards Track [Page 20] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - Anonymous authentication - The establishment of the security context - should not reveal the initiator's identity to the context - acceptor. - - Any currently undefined bits within such flag arguments should be - ignored by GSS-API implementations when presented by an application, - and should be set to zero when returned to the application by the - GSS-API implementation. - - Some mechanisms may not support all optional services, and some - mechanisms may only support some services in conjunction with others. - Both gss_init_sec_context and gss_accept_sec_context inform the - applications which services will be available from the context when - the establishment phase is complete, via the ret_flags output - parameter. 
In general, if the security mechanism is capable of - providing a requested service, it should do so, even if additional - services must be enabled in order to provide the requested service. - If the mechanism is incapable of providing a requested service, it - should proceed without the service, leaving the application to abort - the context establishment process if it considers the requested - service to be mandatory. - - Some mechanisms may specify that support for some services is - optional, and that implementors of the mechanism need not provide it. - This is most commonly true of the confidentiality service, often - because of legal restrictions on the use of data-encryption, but may - apply to any of the services. Such mechanisms are required to send - at least one token from acceptor to initiator during context - establishment when the initiator indicates a desire to use such a - service, so that the initiating GSS-API can correctly indicate - whether the service is supported by the acceptor's GSS-API. - -4.1. Delegation - - The GSS-API allows delegation to be controlled by the initiating - application via a boolean parameter to gss_init_sec_context(), the - routine that establishes a security context. Some mechanisms do not - support delegation, and for such mechanisms attempts by an - application to enable delegation are ignored. - - The acceptor of a security context for which the initiator enabled - delegation will receive (via the delegated_cred_handle parameter of - gss_accept_sec_context) a credential handle that contains the - delegated identity, and this credential handle may be used to - initiate subsequent GSS-API security contexts as an agent or delegate - of the initiator. 
If the original initiator's identity is "A" and - the delegate's identity is "B", then, depending on the underlying - mechanism, the identity embodied by the delegated credential may be - - - -Wray Standards Track [Page 21] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - either "A" or "B acting for A". - - For many mechanisms that support delegation, a simple boolean does - not provide enough control. Examples of additional aspects of - delegation control that a mechanism might provide to an application - are duration of delegation, network addresses from which delegation - is valid, and constraints on the tasks that may be performed by a - delegate. Such controls are presently outside the scope of the GSS- - API. GSS-API implementations supporting mechanisms offering - additional controls should provide extension routines that allow - these controls to be exercised (perhaps by modifying the initiator's - GSS-API credential prior to its use in establishing a context). - However, the simple delegation control provided by GSS-API should - always be able to over-ride other mechanism-specific delegation - controls - If the application instructs gss_init_sec_context() that - delegation is not desired, then the implementation must not permit - delegation to occur. This is an exception to the general rule that a - mechanism may enable services even if they are not requested - - delegation may only be provided at the explicit request of the - application. - -4.2. Mutual authentication - - Usually, a context acceptor will require that a context initiator - authenticate itself so that the acceptor may make an access-control - decision prior to performing a service for the initiator. In some - cases, the initiator may also request that the acceptor authenticate - itself. GSS-API allows the initiating application to request this - mutual authentication service by setting a flag when calling - gss_init_sec_context. 
- - The initiating application is informed as to whether or not the - context acceptor has authenticated itself. Note that some mechanisms - may not support mutual authentication, and other mechanisms may - always perform mutual authentication, whether or not the initiating - application requests it. In particular, mutual authentication my be - required by some mechanisms in order to support replay or out-of- - sequence message detection, and for such mechanisms a request for - either of these services will automatically enable mutual - authentication. - - - - - - - - - - - -Wray Standards Track [Page 22] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - -4.3. Replay and out-of-sequence detection - - The GSS-API may provide detection of mis-ordered message once a - security context has been established. Protection may be applied to - messages by either application, by calling either gss_get_mic or - gss_wrap, and verified by the peer application by calling - gss_verify_mic or gss_unwrap. - - gss_get_mic calculates a cryptographic MIC over an application - message, and returns that MIC in a token. The application should - pass both the token and the message to the peer application, which - presents them to gss_verify_mic. - - gss_wrap calculates a cryptographic MIC of an application message, - and places both the MIC and the message inside a single token. The - Application should pass the token to the peer application, which - presents it to gss_unwrap to extract the message and verify the MIC. - - Either pair of routines may be capable of detecting out-of-sequence - message delivery, or duplication of messages. Details of such mis- - ordered messages are indicated through supplementary status bits in - the major status code returned by gss_verify_mic or gss_unwrap. The - relevant supplementary bits are: - - GSS_S_DUPLICATE_TOKEN - The token is a duplicate of one that has - already been received and processed. 
Only - contexts that claim to provide replay detection - may set this bit. - GSS_S_OLD_TOKEN - The token is too old to determine whether or - not it is a duplicate. Contexts supporting - out-of-sequence detection but not replay - detection should always set this bit if - GSS_S_UNSEQ_TOKEN is set; contexts that support - replay detection should only set this bit if the - token is so old that it cannot be checked for - duplication. - GSS_S_UNSEQ_TOKEN - A later token has already been processed. - GSS_S_GAP_TOKEN - An earlier token has not yet been received. - - A mechanism need not maintain a list of all tokens that have been - processed in order to support these status codes. A typical - mechanism might retain information about only the most recent "N" - tokens processed, allowing it to distinguish duplicates and missing - tokens within the most recent "N" messages; the receipt of a token - older than the most recent "N" would result in a GSS_S_OLD_TOKEN - status. - - - - - -Wray Standards Track [Page 23] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - -4.4. Anonymous Authentication - - In certain situations, an application may wish to initiate the - authentication process to authenticate a peer, without revealing its - own identity. As an example, consider an application providing - access to a database containing medical information, and offering - unrestricted access to the service. A client of such a service might - wish to authenticate the service (in order to establish trust in any - information retrieved from it), but might not wish the service to be - able to obtain the client's identity (perhaps due to privacy concerns - about the specific inquiries, or perhaps simply to avoid being placed - on mailing-lists). - - In normal use of the GSS-API, the initiator's identity is made - available to the acceptor as a result of the context establishment - process. 
However, context initiators may request that their identity - not be revealed to the context acceptor. Many mechanisms do not - support anonymous authentication, and for such mechanisms the request - will not be honored. An authentication token will be still be - generated, but the application is always informed if a requested - service is unavailable, and has the option to abort context - establishment if anonymity is valued above the other security - services that would require a context to be established. - - In addition to informing the application that a context is - established anonymously (via the ret_flags outputs from - gss_init_sec_context and gss_accept_sec_context), the optional - src_name output from gss_accept_sec_context and gss_inquire_context - will, for such contexts, return a reserved internal-form name, - defined by the implementation. - - When presented to gss_display_name, this reserved internal-form name - will result in a printable name that is syntactically distinguishable - from any valid principal name supported by the implementation, - associated with a name-type object identifier with the value - GSS_C_NT_ANONYMOUS, whose value us given in Appendix A. The - printable form of an anonymous name should be chosen such that it - implies anonymity, since this name may appear in, for example, audit - logs. For example, the string "" might be a good choice, - if no valid printable names supported by the implementation can begin - with "<" and end with ">". - -4.5. Confidentiality - - If a context supports the confidentiality service, gss_wrap may be - used to encrypt application messages. Messages are selectively - encrypted, under the control of the conf_req_flag input parameter to - gss_wrap. - - - -Wray Standards Track [Page 24] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - -4.6. 
Inter-process context transfer - - GSS-API V2 provides routines (gss_export_sec_context and - gss_import_sec_context) which allow a security context to be - transferred between processes on a single machine. The most common - use for such a feature is a client-server design where the server is - implemented as a single process that accepts incoming security - contexts, which then launches child processes to deal with the data - on these contexts. In such a design, the child processes must have - access to the security context data structure created within the - parent by its call to gss_accept_sec_context so that they can use - per-message protection services and delete the security context when - the communication session ends. - - Since the security context data structure is expected to contain - sequencing information, it is impractical in general to share a - context between processes. Thus GSS-API provides a call - (gss_export_sec_context) that the process which currently owns the - context can call to declare that it has no intention to use the - context subsequently, and to create an inter-process token containing - information needed by the adopting process to successfully import the - context. After successful completion of gss_export_sec_context, the - original security context is made inaccessible to the calling process - by GSS-API, and any context handles referring to this context are no - longer valid. The originating process transfers the inter-process - token to the adopting process, which passes it to - gss_import_sec_context, and a fresh gss_ctx_id_t is created such that - it is functionally identical to the original context. - - The inter-process token may contain sensitive data from the original - security context (including cryptographic keys). Applications using - inter-process tokens to transfer security contexts must take - appropriate steps to protect these tokens in transit. 
- - Implementations are not required to support the inter-process - transfer of security contexts. The ability to transfer a security - context is indicated when the context is created, by - gss_init_sec_context or gss_accept_sec_context setting the - GSS_C_TRANS_FLAG bit in their ret_flags parameter. - -4.7. The use of incomplete contexts - - Some mechanisms may allow the per-message services to be used before - the context establishment process is complete. For example, a - mechanism may include sufficient information in its initial context- - level token for the context acceptor to immediately decode messages - protected with gss_wrap or gss_get_mic. For such a mechanism, the - initiating application need not wait until subsequent context-level - - - -Wray Standards Track [Page 25] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - tokens have been sent and received before invoking the per-message - protection services. - - The ability of a context to provide per-message services in advance - of complete context establishment is indicated by the setting of the - GSS_C_PROT_READY_FLAG bit in the ret_flags parameter from - gss_init_sec_context and gss_accept_sec_context. Applications wishing - to use per-message protection services on partially-established - contexts should check this flag before attempting to invoke gss_wrap - or gss_get_mic. - -5. GSS-API Routine Descriptions - - In addition to the explicit major status codes documented here, the - code GSS_S_FAILURE may be returned by any routine, indicating an - implementation-specific or mechanism-specific error condition, - further details of which are reported via the minor_status parameter. - -5.1. 
gss_accept_sec_context - - OM_uint32 gss_accept_sec_context ( - OM_uint32 *minor_status, - gss_ctx_id_t *context_handle, - const gss_cred_id_t acceptor_cred_handle, - const gss_buffer_t input_token_buffer, - const gss_channel_bindings_t input_chan_bindings, - const gss_name_t *src_name, - gss_OID *mech_type, - gss_buffer_t output_token, - OM_uint32 *ret_flags, - OM_uint32 *time_rec, - gss_cred_id_t *delegated_cred_handle) - - Purpose: - - Allows a remotely initiated security context between the application - and a remote peer to be established. The routine may return a - output_token which should be transferred to the peer application, - where the peer application will present it to gss_init_sec_context. - If no token need be sent, gss_accept_sec_context will indicate this - by setting the length field of the output_token argument to zero. To - complete the context establishment, one or more reply tokens may be - required from the peer application; if so, gss_accept_sec_context - will return a status flag of GSS_S_CONTINUE_NEEDED, in which case it - should be called again when the reply token is received from the peer - application, passing the token to gss_accept_sec_context via the - input_token parameters. - - - - -Wray Standards Track [Page 26] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - Portable applications should be constructed to use the token length - and return status to determine whether a token needs to be sent or - waited for. 
Thus a typical portable caller should always invoke - gss_accept_sec_context within a loop: - - gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT; - - do { - receive_token_from_peer(input_token); - maj_stat = gss_accept_sec_context(&min_stat, - &context_hdl, - cred_hdl, - input_token, - input_bindings, - &client_name, - &mech_type, - output_token, - &ret_flags, - &time_rec, - &deleg_cred); - if (GSS_ERROR(maj_stat)) { - report_error(maj_stat, min_stat); - }; - if (output_token->length != 0) { - send_token_to_peer(output_token); - - gss_release_buffer(&min_stat, output_token); - }; - if (GSS_ERROR(maj_stat)) { - if (context_hdl != GSS_C_NO_CONTEXT) - gss_delete_sec_context(&min_stat, - &context_hdl, - GSS_C_NO_BUFFER); - break; - }; - } while (maj_stat & GSS_S_CONTINUE_NEEDED); - - Whenever the routine returns a major status that includes the value - GSS_S_CONTINUE_NEEDED, the context is not fully established and the - following restrictions apply to the output parameters: - - The value returned via the time_rec parameter is undefined Unless the - accompanying ret_flags parameter contains the bit - GSS_C_PROT_READY_FLAG, indicating that per-message services may be - applied in advance of a successful completion status, the value - returned via the mech_type parameter may be undefined until the - routine returns a major status value of GSS_S_COMPLETE. - - - - -Wray Standards Track [Page 27] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - The values of the GSS_C_DELEG_FLAG, - GSS_C_MUTUAL_FLAG,GSS_C_REPLAY_FLAG, GSS_C_SEQUENCE_FLAG, - GSS_C_CONF_FLAG,GSS_C_INTEG_FLAG and GSS_C_ANON_FLAG bits returned - via the ret_flags parameter should contain the values that the - implementation expects would be valid if context establishment were - to succeed. - - The values of the GSS_C_PROT_READY_FLAG and GSS_C_TRANS_FLAG bits - within ret_flags should indicate the actual state at the time - gss_accept_sec_context returns, whether or not the context is fully - established. 
-
- Although this requires that GSS-API implementations set the
- GSS_C_PROT_READY_FLAG in the final ret_flags returned to a caller
- (i.e. when accompanied by a GSS_S_COMPLETE status code), applications
- should not rely on this behavior as the flag was not defined in
- Version 1 of the GSS-API. Instead, applications should be prepared to
- use per-message services after a successful context establishment,
- according to the GSS_C_INTEG_FLAG and GSS_C_CONF_FLAG values.
-
- All other bits within the ret_flags argument should be set to zero.
- While the routine returns GSS_S_CONTINUE_NEEDED, the values returned
- via the ret_flags argument indicate the services that the
- implementation expects to be available from the established context.
-
- If the initial call of gss_accept_sec_context() fails, the
- implementation should not create a context object, and should leave
- the value of the context_handle parameter set to GSS_C_NO_CONTEXT to
- indicate this. In the event of a failure on a subsequent call, the
- implementation is permitted to delete the "half-built" security
- context (in which case it should set the context_handle parameter to
- GSS_C_NO_CONTEXT), but the preferred behavior is to leave the
- security context (and the context_handle parameter) untouched for the
- application to delete (using gss_delete_sec_context).
-
- During context establishment, the informational status bits
- GSS_S_OLD_TOKEN and GSS_S_DUPLICATE_TOKEN indicate fatal errors, and
- GSS-API mechanisms should always return them in association with a
- routine error of GSS_S_FAILURE. This requirement for pairing did not
- exist in version 1 of the GSS-API specification, so applications that
- wish to run over version 1 implementations must special-case these
- codes.
-
-
-
-
-
-
-
-
-
-Wray Standards Track [Page 28]
-
-RFC 2744 GSS-API V2: C-bindings January 2000
-
-
- Parameters:
-
- context_handle gss_ctx_id_t, read/modify context handle for new
- context. Supply GSS_C_NO_CONTEXT for first
- call; use value returned in subsequent calls.
- Once gss_accept_sec_context() has returned a
- value via this parameter, resources have been
- assigned to the corresponding context, and must
- be freed by the application after use with a
- call to gss_delete_sec_context().
-
-
- acceptor_cred_handle gss_cred_id_t, read Credential handle claimed
- by context acceptor. Specify
- GSS_C_NO_CREDENTIAL to accept the context as a
- default principal. If GSS_C_NO_CREDENTIAL is
- specified, but no default acceptor principal is
- defined, GSS_S_NO_CRED will be returned.
-
- input_token_buffer buffer, opaque, read token obtained from remote
- application.
-
- input_chan_bindings channel bindings, read, optional Application-
- specified bindings. Allows application to
- securely bind channel identification information
- to the security context. If channel bindings
- are not used, specify GSS_C_NO_CHANNEL_BINDINGS.
-
- src_name gss_name_t, modify, optional Authenticated name
- of context initiator. After use, this name
- should be deallocated by passing it to
- gss_release_name(). If not required, specify
- NULL.
-
- mech_type Object ID, modify, optional Security mechanism
- used. The returned OID value will be a pointer
- into static storage, and should be treated as
- read-only by the caller (in particular, it does
- not need to be freed). If not required, specify
- NULL.
-
- output_token buffer, opaque, modify Token to be passed to
- peer application. If the length field of the
- returned token buffer is 0, then no token need
- be passed to the peer application. If a non-
- zero length field is returned, the associated
- storage must be freed after use by the
- application with a call to gss_release_buffer().
- - - -Wray Standards Track [Page 29] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - ret_flags bit-mask, modify, optional Contains various - independent flags, each of which indicates that - the context supports a specific service option. - If not needed, specify NULL. Symbolic names are - provided for each flag, and the symbolic names - corresponding to the required flags should be - logically-ANDed with the ret_flags value to test - whether a given option is supported by the - context. The flags are: - GSS_C_DELEG_FLAG - True - Delegated credentials are available - via the delegated_cred_handle - parameter - False - No credentials were delegated - GSS_C_MUTUAL_FLAG - True - Remote peer asked for mutual - authentication - False - Remote peer did not ask for mutual - authentication - GSS_C_REPLAY_FLAG - True - replay of protected messages - will be detected - False - replayed messages will not be - detected - GSS_C_SEQUENCE_FLAG - True - out-of-sequence protected - messages will be detected - False - out-of-sequence messages will not - be detected - GSS_C_CONF_FLAG - True - Confidentiality service may be - invoked by calling the gss_wrap - routine - False - No confidentiality service (via - gss_wrap) available. gss_wrap will - provide message encapsulation, - data-origin authentication and - integrity services only. - GSS_C_INTEG_FLAG - True - Integrity service may be invoked by - calling either gss_get_mic or - gss_wrap routines. - False - Per-message integrity service - unavailable. - GSS_C_ANON_FLAG - True - The initiator does not wish to - be authenticated; the src_name - parameter (if requested) contains - - - -Wray Standards Track [Page 30] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - an anonymous internal name. - False - The initiator has been - authenticated normally. 
- GSS_C_PROT_READY_FLAG - True - Protection services (as specified - by the states of the GSS_C_CONF_FLAG - and GSS_C_INTEG_FLAG) are available - if the accompanying major status - return value is either GSS_S_COMPLETE - or GSS_S_CONTINUE_NEEDED. - False - Protection services (as specified - by the states of the GSS_C_CONF_FLAG - and GSS_C_INTEG_FLAG) are available - only if the accompanying major status - return value is GSS_S_COMPLETE. - GSS_C_TRANS_FLAG - True - The resultant security context may - be transferred to other processes via - a call to gss_export_sec_context(). - False - The security context is not - transferable. - All other bits should be set to zero. - - time_rec Integer, modify, optional - number of seconds for which the context will - remain valid. Specify NULL if not required. - - delegated_cred_handle - gss_cred_id_t, modify, optional credential - handle for credentials received from context - initiator. Only valid if deleg_flag in - ret_flags is true, in which case an explicit - credential handle (i.e. not GSS_C_NO_CREDENTIAL) - will be returned; if deleg_flag is false, - gss_accept_context() will set this parameter to - GSS_C_NO_CREDENTIAL. If a credential handle is - returned, the associated resources must be - released by the application after use with a - call to gss_release_cred(). Specify NULL if not - required. - - minor_status Integer, modify - Mechanism specific status code. - - GSS_S_CONTINUE_NEEDED Indicates that a token from the peer - application is required to complete the - context, and that gss_accept_sec_context must - be called again with that token. - - - -Wray Standards Track [Page 31] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - GSS_S_DEFECTIVE_TOKEN Indicates that consistency checks performed on - the input_token failed. - - GSS_S_DEFECTIVE_CREDENTIAL Indicates that consistency checks - performed on the credential failed. 
-
- GSS_S_NO_CRED The supplied credentials were not valid for context
- acceptance, or the credential handle did not
- reference any credentials.
-
- GSS_S_CREDENTIALS_EXPIRED The referenced credentials have expired.
-
- GSS_S_BAD_BINDINGS The input_token contains different channel
- bindings to those specified via the
- input_chan_bindings parameter.
-
- GSS_S_NO_CONTEXT Indicates that the supplied context handle did not
- refer to a valid context.
-
- GSS_S_BAD_SIG The input_token contains an invalid MIC.
-
- GSS_S_OLD_TOKEN The input_token was too old. This is a fatal error
- during context establishment.
-
- GSS_S_DUPLICATE_TOKEN The input_token is valid, but is a duplicate of
- a token already processed. This is a fatal
- error during context establishment.
-
- GSS_S_BAD_MECH The received token specified a mechanism that is
- not supported by the implementation or the
- provided credential.
-
-5.2. gss_acquire_cred
-
- OM_uint32 gss_acquire_cred (
- OM_uint32 *minor_status,
- const gss_name_t desired_name,
- OM_uint32 time_req,
- const gss_OID_set desired_mechs,
- gss_cred_usage_t cred_usage,
- gss_cred_id_t *output_cred_handle,
- gss_OID_set *actual_mechs,
- OM_uint32 *time_rec)
-
-
-
-
-
-
-
-
-Wray Standards Track [Page 32]
-
-RFC 2744 GSS-API V2: C-bindings January 2000
-
-
- Purpose:
-
- Allows an application to acquire a handle for a pre-existing
- credential by name. GSS-API implementations must impose a local
- access-control policy on callers of this routine to prevent
- unauthorized callers from acquiring credentials to which they are not
- entitled. This routine is not intended to provide a "login to the
- network" function, as such a function would involve the creation of
- new credentials rather than merely acquiring a handle to existing
- credentials. Such functions, if required, should be defined in
- implementation-specific extensions to the API.
-
- If desired_name is GSS_C_NO_NAME, the call is interpreted as a
- request for a credential handle that will invoke default behavior
- when passed to gss_init_sec_context() (if cred_usage is
- GSS_C_INITIATE or GSS_C_BOTH) or gss_accept_sec_context() (if
- cred_usage is GSS_C_ACCEPT or GSS_C_BOTH).
-
- Mechanisms should honor the desired_mechs parameter, and return a
- credential that is suitable to use only with the requested
- mechanisms. An exception to this is the case where one underlying
- credential element can be shared by multiple mechanisms; in this case
- it is permissible for an implementation to indicate all mechanisms
- with which the credential element may be used. If desired_mechs is
- an empty set, behavior is undefined.
-
- This routine is expected to be used primarily by context acceptors,
- since implementations are likely to provide mechanism-specific ways
- of obtaining GSS-API initiator credentials from the system login
- process. Some implementations may therefore not support the
- acquisition of GSS_C_INITIATE or GSS_C_BOTH credentials via
- gss_acquire_cred for any name other than GSS_C_NO_NAME, or a name
- produced by applying either gss_inquire_cred to a valid credential,
- or gss_inquire_context to an active context.
-
- If credential acquisition is time-consuming for a mechanism, the
- mechanism may choose to delay the actual acquisition until the
- credential is required (e.g. by gss_init_sec_context or
- gss_accept_sec_context). Such mechanism-specific implementation
- decisions should be invisible to the calling application; thus a call
- of gss_inquire_cred immediately following the call of
- gss_acquire_cred must return valid credential data, and may therefore
- incur the overhead of a deferred credential acquisition.
- - - - - - - - -Wray Standards Track [Page 33] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - Parameters: - - desired_name gss_name_t, read - Name of principal whose credential - should be acquired - - time_req Integer, read, optional - number of seconds that credentials - should remain valid. Specify GSS_C_INDEFINITE - to request that the credentials have the maximum - permitted lifetime. - - desired_mechs Set of Object IDs, read, optional - set of underlying security mechanisms that - may be used. GSS_C_NO_OID_SET may be used - to obtain an implementation-specific default. - - cred_usage gss_cred_usage_t, read - GSS_C_BOTH - Credentials may be used - either to initiate or accept - security contexts. - GSS_C_INITIATE - Credentials will only be - used to initiate security contexts. - GSS_C_ACCEPT - Credentials will only be used to - accept security contexts. - - output_cred_handle gss_cred_id_t, modify - The returned credential handle. Resources - associated with this credential handle must - be released by the application after use - with a call to gss_release_cred(). - - actual_mechs Set of Object IDs, modify, optional - The set of mechanisms for which the - credential is valid. Storage associated - with the returned OID-set must be released by - the application after use with a call to - gss_release_oid_set(). Specify NULL if not - required. - - time_rec Integer, modify, optional - Actual number of seconds for which the - returned credentials will remain valid. If the - implementation does not support expiration of - credentials, the value GSS_C_INDEFINITE will - be returned. Specify NULL if not required - - - - - -Wray Standards Track [Page 34] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - minor_status Integer, modify - Mechanism specific status code. 
- - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_BAD_MECH Unavailable mechanism requested - - GSS_S_BAD_NAMETYPE Type contained within desired_name parameter - is not supported - - GSS_S_BAD_NAME Value supplied for desired_name parameter is ill - formed. - - GSS_S_CREDENTIALS_EXPIRED The credentials could not be acquired - Because they have expired. - - GSS_S_NO_CRED No credentials were found for the specified name. - -5.3. gss_add_cred - - OM_uint32 gss_add_cred ( - OM_uint32 *minor_status, - const gss_cred_id_t input_cred_handle, - const gss_name_t desired_name, - const gss_OID desired_mech, - gss_cred_usage_t cred_usage, - OM_uint32 initiator_time_req, - OM_uint32 acceptor_time_req, - gss_cred_id_t *output_cred_handle, - gss_OID_set *actual_mechs, - OM_uint32 *initiator_time_rec, - OM_uint32 *acceptor_time_rec) - - Purpose: - - Adds a credential-element to a credential. The credential-element is - identified by the name of the principal to which it refers. GSS-API - implementations must impose a local access-control policy on callers - of this routine to prevent unauthorized callers from acquiring - credential-elements to which they are not entitled. This routine is - not intended to provide a "login to the network" function, as such a - function would involve the creation of new mechanism-specific - authentication data, rather than merely acquiring a GSS-API handle to - existing data. Such functions, if required, should be defined in - implementation-specific extensions to the API. - - - - -Wray Standards Track [Page 35] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - If desired_name is GSS_C_NO_NAME, the call is interpreted as a - request to add a credential element that will invoke default behavior - when passed to gss_init_sec_context() (if cred_usage is - GSS_C_INITIATE or GSS_C_BOTH) or gss_accept_sec_context() (if - cred_usage is GSS_C_ACCEPT or GSS_C_BOTH). 
-
- This routine is expected to be used primarily by context acceptors,
- since implementations are likely to provide mechanism-specific ways
- of obtaining GSS-API initiator credentials from the system login
- process. Some implementations may therefore not support the
- acquisition of GSS_C_INITIATE or GSS_C_BOTH credentials via
- gss_acquire_cred for any name other than GSS_C_NO_NAME, or a name
- produced by applying either gss_inquire_cred to a valid credential,
- or gss_inquire_context to an active context.
-
- If credential acquisition is time-consuming for a mechanism, the
- mechanism may choose to delay the actual acquisition until the
- credential is required (e.g. by gss_init_sec_context or
- gss_accept_sec_context). Such mechanism-specific implementation
- decisions should be invisible to the calling application; thus a call
- of gss_inquire_cred immediately following the call of gss_add_cred
- must return valid credential data, and may therefore incur the
- overhead of a deferred credential acquisition.
-
- This routine can be used to either compose a new credential
- containing all credential-elements of the original in addition to the
- newly-acquire credential-element, or to add the new credential-
- element to an existing credential. If NULL is specified for the
- output_cred_handle parameter argument, the new credential-element
- will be added to the credential identified by input_cred_handle; if a
- valid pointer is specified for the output_cred_handle parameter, a
- new credential handle will be created.
-
- If GSS_C_NO_CREDENTIAL is specified as the input_cred_handle,
- gss_add_cred will compose a credential (and set the
- output_cred_handle parameter accordingly) based on default behavior.
- That is, the call will have the same effect as if the application had - first made a call to gss_acquire_cred(), specifying the same usage - and passing GSS_C_NO_NAME as the desired_name parameter to obtain an - explicit credential handle embodying default behavior, passed this - credential handle to gss_add_cred(), and finally called - gss_release_cred() on the first credential handle. - - If GSS_C_NO_CREDENTIAL is specified as the input_cred_handle - parameter, a non-NULL output_cred_handle must be supplied. - - - - - - -Wray Standards Track [Page 36] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - Parameters: - - minor_status Integer, modify - Mechanism specific status code. - - input_cred_handle gss_cred_id_t, read, optional - The credential to which a credential-element - will be added. If GSS_C_NO_CREDENTIAL is - specified, the routine will compose the new - credential based on default behavior (see - description above). Note that, while the - credential-handle is not modified by - gss_add_cred(), the underlying credential - will be modified if output_credential_handle - is NULL. - - desired_name gss_name_t, read. - Name of principal whose credential - should be acquired. - - desired_mech Object ID, read - Underlying security mechanism with which the - credential may be used. - - cred_usage gss_cred_usage_t, read - GSS_C_BOTH - Credential may be used - either to initiate or accept - security contexts. - GSS_C_INITIATE - Credential will only be - used to initiate security - contexts. - GSS_C_ACCEPT - Credential will only be used to - accept security contexts. - - initiator_time_req Integer, read, optional - number of seconds that the credential - should remain valid for initiating security - contexts. This argument is ignored if the - composed credentials are of type GSS_C_ACCEPT. - Specify GSS_C_INDEFINITE to request that the - credentials have the maximum permitted - initiator lifetime. 
- - acceptor_time_req Integer, read, optional - number of seconds that the credential - should remain valid for accepting security - contexts. This argument is ignored if the - composed credentials are of type GSS_C_INITIATE. - - - -Wray Standards Track [Page 37] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - Specify GSS_C_INDEFINITE to request that the - credentials have the maximum permitted initiator - lifetime. - - output_cred_handle gss_cred_id_t, modify, optional - The returned credential handle, containing - the new credential-element and all the - credential-elements from input_cred_handle. - If a valid pointer to a gss_cred_id_t is - supplied for this parameter, gss_add_cred - creates a new credential handle containing all - credential-elements from the input_cred_handle - and the newly acquired credential-element; if - NULL is specified for this parameter, the newly - acquired credential-element will be added - to the credential identified by input_cred_handle. - - The resources associated with any credential - handle returned via this parameter must be - released by the application after use with a - call to gss_release_cred(). - - actual_mechs Set of Object IDs, modify, optional - The complete set of mechanisms for which - the new credential is valid. Storage for - the returned OID-set must be freed by the - application after use with a call to - gss_release_oid_set(). Specify NULL if - not required. - - initiator_time_rec Integer, modify, optional - Actual number of seconds for which the - returned credentials will remain valid for - initiating contexts using the specified - mechanism. If the implementation or mechanism - does not support expiration of credentials, the - value GSS_C_INDEFINITE will be returned. Specify - NULL if not required - - acceptor_time_rec Integer, modify, optional - Actual number of seconds for which the - returned credentials will remain valid for - accepting security contexts using the specified - mechanism. 
If the implementation or mechanism
- does not support expiration of credentials, the
- value GSS_C_INDEFINITE will be returned. Specify
- NULL if not required
-
-
-
-
-Wray Standards Track [Page 38]
-
-RFC 2744 GSS-API V2: C-bindings January 2000
-
-
- Function value: GSS status code
-
- GSS_S_COMPLETE Successful completion
-
- GSS_S_BAD_MECH Unavailable mechanism requested
-
- GSS_S_BAD_NAMETYPE Type contained within desired_name parameter
- is not supported
-
- GSS_S_BAD_NAME Value supplied for desired_name parameter is
- ill-formed.
-
- GSS_S_DUPLICATE_ELEMENT The credential already contains an element
- for the requested mechanism with overlapping
- usage and validity period.
-
- GSS_S_CREDENTIALS_EXPIRED The required credentials could not be
- added because they have expired.
-
- GSS_S_NO_CRED No credentials were found for the specified name.
-
-5.4. gss_add_oid_set_member
-
- OM_uint32 gss_add_oid_set_member (
- OM_uint32 *minor_status,
- const gss_OID member_oid,
- gss_OID_set *oid_set)
-
- Purpose:
-
- Add an Object Identifier to an Object Identifier set. This routine
- is intended for use in conjunction with gss_create_empty_oid_set when
- constructing a set of mechanism OIDs for input to gss_acquire_cred.
- The oid_set parameter must refer to an OID-set that was created by
- GSS-API (e.g. a set returned by gss_create_empty_oid_set()). GSS-API
- creates a copy of the member_oid and inserts this copy into the set,
- expanding the storage allocated to the OID-set's elements array if
- necessary. The routine may add the new member OID anywhere within
- the elements array, and implementations should verify that the new
- member_oid is not already contained within the elements array; if the
- member_oid is already present, the oid_set should remain unchanged.
- - Parameters: - - minor_status Integer, modify - Mechanism specific status code - - - - - -Wray Standards Track [Page 39] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - member_oid Object ID, read - The object identifier to copied into - the set. - - oid_set Set of Object ID, modify - The set in which the object identifier - should be inserted. - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - -5.5. gss_canonicalize_name - - OM_uint32 gss_canonicalize_name ( - OM_uint32 *minor_status, - const gss_name_t input_name, - const gss_OID mech_type, - gss_name_t *output_name) - - Purpose: - - Generate a canonical mechanism name (MN) from an arbitrary internal - name. The mechanism name is the name that would be returned to a - context acceptor on successful authentication of a context where the - initiator used the input_name in a successful call to - gss_acquire_cred, specifying an OID set containing as its - only member, followed by a call to gss_init_sec_context, specifying - as the authentication mechanism. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code - - input_name gss_name_t, read - The name for which a canonical form is - desired - - mech_type Object ID, read - The authentication mechanism for which the - canonical form of the name is desired. The - desired mechanism must be specified explicitly; - no default is provided. - - - - - - - -Wray Standards Track [Page 40] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - output_name gss_name_t, modify - The resultant canonical name. Storage - associated with this name must be freed by - the application after use with a call to - gss_release_name(). - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion. - - GSS_S_BAD_MECH The identified mechanism is not supported. - - GSS_S_BAD_NAMETYPE The provided internal name contains no elements - that could be processed by the specified - mechanism. 
- - GSS_S_BAD_NAME The provided internal name was ill-formed. - -5.6. gss_compare_name - - OM_uint32 gss_compare_name ( - OM_uint32 *minor_status, - const gss_name_t name1, - const gss_name_t name2, - int *name_equal) - - Purpose: - - Allows an application to compare two internal-form names to determine - whether they refer to the same entity. - - If either name presented to gss_compare_name denotes an anonymous - principal, the routines should indicate that the two names do not - refer to the same identity. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code. - - name1 gss_name_t, read - internal-form name - - name2 gss_name_t, read - internal-form name - - - - - - -Wray Standards Track [Page 41] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - name_equal boolean, modify - non-zero - names refer to same entity - zero - names refer to different entities - (strictly, the names are not known - to refer to the same identity). - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_BAD_NAMETYPE The two names were of incomparable types. - - GSS_S_BAD_NAME One or both of name1 or name2 was ill-formed. - -5.7. gss_context_time - - OM_uint32 gss_context_time ( - OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - OM_uint32 *time_rec) - - Purpose: - - Determines the number of seconds for which the specified context will - remain valid. - - Parameters: - - minor_status Integer, modify - Implementation specific status code. - - context_handle gss_ctx_id_t, read - Identifies the context to be interrogated. - - time_rec Integer, modify - Number of seconds that the context will remain - valid. If the context has already expired, - zero will be returned. 
- - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_CONTEXT_EXPIRED The context has already expired - - GSS_S_NO_CONTEXT The context_handle parameter did not identify - a valid context - - - - -Wray Standards Track [Page 42] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - -5.8. gss_create_empty_oid_set - - OM_uint32 gss_create_empty_oid_set ( - OM_uint32 *minor_status, - gss_OID_set *oid_set) - - Purpose: - - Create an object-identifier set containing no object identifiers, to - which members may be subsequently added using the - gss_add_oid_set_member() routine. These routines are intended to be - used to construct sets of mechanism object identifiers, for input to - gss_acquire_cred. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code - - oid_set Set of Object IDs, modify - The empty object identifier set. - The routine will allocate the - gss_OID_set_desc object, which the - application must free after use with - a call to gss_release_oid_set(). - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - -5.9. gss_delete_sec_context - - OM_uint32 gss_delete_sec_context ( - OM_uint32 *minor_status, - gss_ctx_id_t *context_handle, - gss_buffer_t output_token) - - Purpose: - - Delete a security context. gss_delete_sec_context will delete the - local data structures associated with the specified security context, - and may generate an output_token, which when passed to the peer - gss_process_context_token will instruct it to do likewise. If no - token is required by the mechanism, the GSS-API should set the length - field of the output_token (if provided) to zero. No further security - services may be obtained using the context specified by - context_handle. 
- - - - -Wray Standards Track [Page 43] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - In addition to deleting established security contexts, - gss_delete_sec_context must also be able to delete "half-built" - security contexts resulting from an incomplete sequence of - gss_init_sec_context()/gss_accept_sec_context() calls. - - The output_token parameter is retained for compatibility with version - 1 of the GSS-API. It is recommended that both peer applications - invoke gss_delete_sec_context passing the value GSS_C_NO_BUFFER for - the output_token parameter, indicating that no token is required, and - that gss_delete_sec_context should simply delete local context data - structures. If the application does pass a valid buffer to - gss_delete_sec_context, mechanisms are encouraged to return a zero- - length token, indicating that no peer action is necessary, and that - no token should be transferred by the application. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code. - - context_handle gss_ctx_id_t, modify - context handle identifying context to delete. - After deleting the context, the GSS-API will set - this context handle to GSS_C_NO_CONTEXT. - - output_token buffer, opaque, modify, optional - token to be sent to remote application to - instruct it to also delete the context. It - is recommended that applications specify - GSS_C_NO_BUFFER for this parameter, requesting - local deletion only. If a buffer parameter is - provided by the application, the mechanism may - return a token in it; mechanisms that implement - only local deletion should set the length field of - this token to zero to indicate to the application - that no token is to be sent to the peer. 
- - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_NO_CONTEXT No valid context was supplied - - - - - - - - - -Wray Standards Track [Page 44] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - -5.10.gss_display_name - - OM_uint32 gss_display_name ( - OM_uint32 *minor_status, - const gss_name_t input_name, - gss_buffer_t output_name_buffer, - gss_OID *output_name_type) - - Purpose: - - Allows an application to obtain a textual representation of an opaque - internal-form name for display purposes. The syntax of a printable - name is defined by the GSS-API implementation. - - If input_name denotes an anonymous principal, the implementation - should return the gss_OID value GSS_C_NT_ANONYMOUS as the - output_name_type, and a textual name that is syntactically distinct - from all valid supported printable names in output_name_buffer. - - If input_name was created by a call to gss_import_name, specifying - GSS_C_NO_OID as the name-type, implementations that employ lazy - conversion between name types may return GSS_C_NO_OID via the - output_name_type parameter. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code. - - input_name gss_name_t, read - name to be displayed - - output_name_buffer buffer, character-string, modify - buffer to receive textual name string. - The application must free storage associated - with this name after use with a call to - gss_release_buffer(). - - output_name_type Object ID, modify, optional - The type of the returned name. The returned - gss_OID will be a pointer into static storage, - and should be treated as read-only by the caller - (in particular, the application should not attempt - to free it). Specify NULL if not required. 
-
-
-
-
-
-
-Wray Standards Track [Page 45]
-
-RFC 2744 GSS-API V2: C-bindings January 2000
-
-
- Function value: GSS status code
-
- GSS_S_COMPLETE Successful completion
-
- GSS_S_BAD_NAME input_name was ill-formed
-
-5.11.gss_display_status
-
- OM_uint32 gss_display_status (
- OM_uint32 *minor_status,
- OM_uint32 status_value,
- int status_type,
- const gss_OID mech_type,
- OM_uint32 *message_context,
- gss_buffer_t status_string)
-
- Purpose:
-
- Allows an application to obtain a textual representation of a GSS-API
- status code, for display to the user or for logging purposes. Since
- some status values may indicate multiple conditions, applications may
- need to call gss_display_status multiple times, each call generating
- a single text string. The message_context parameter is used by
- gss_display_status to store state information about which error
- messages have already been extracted from a given status_value;
- message_context must be initialized to 0 by the application prior to
- the first call, and gss_display_status will return a non-zero value
- in this parameter if there are further messages to extract.
-
- The message_context parameter contains all state information required
- by gss_display_status in order to extract further messages from the
- status_value; even when a non-zero value is returned in this
- parameter, the application is not required to call gss_display_status
- again unless subsequent messages are desired. The following code
- extracts all messages from a given status code and prints them to
- stderr:
-
- OM_uint32 message_context;
- OM_uint32 status_code;
- OM_uint32 maj_status;
- OM_uint32 min_status;
- gss_buffer_desc status_string;
-
- ...
- - message_context = 0; - - do { - - - -Wray Standards Track [Page 46] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - maj_status = gss_display_status ( - &min_status, - status_code, - GSS_C_GSS_CODE, - GSS_C_NO_OID, - &message_context, - &status_string) - - fprintf(stderr, - "%.*s\n", - (int)status_string.length, - - (char *)status_string.value); - - gss_release_buffer(&min_status, &status_string); - - } while (message_context != 0); - - - Parameters: - - minor_status Integer, modify - Mechanism specific status code. - - status_value Integer, read - Status value to be converted - - status_type Integer, read - GSS_C_GSS_CODE - status_value is a GSS status - code - - GSS_C_MECH_CODE - status_value is a mechanism - status code - - mech_type Object ID, read, optional - Underlying mechanism (used to interpret a - minor status value) Supply GSS_C_NO_OID to - obtain the system default. - - message_context Integer, read/modify - Should be initialized to zero by the - application prior to the first call. - On return from gss_display_status(), - a non-zero status_value parameter indicates - that additional messages may be extracted - from the status code via subsequent calls - - - - - -Wray Standards Track [Page 47] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - to gss_display_status(), passing the same - status_value, status_type, mech_type, and - message_context parameters. - - status_string buffer, character string, modify - textual interpretation of the status_value. - Storage associated with this parameter must - be freed by the application after use with - a call to gss_release_buffer(). - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_BAD_MECH Indicates that translation in accordance with - an unsupported mechanism type was requested - - GSS_S_BAD_STATUS The status value was not recognized, or the - status type was neither GSS_C_GSS_CODE nor - GSS_C_MECH_CODE. - -5.12. 
gss_duplicate_name - - OM_uint32 gss_duplicate_name ( - OM_uint32 *minor_status, - const gss_name_t src_name, - gss_name_t *dest_name) - - Purpose: - - Create an exact duplicate of the existing internal name src_name. - The new dest_name will be independent of src_name (i.e. src_name and - dest_name must both be released, and the release of one shall not - affect the validity of the other). - - Parameters: - - minor_status Integer, modify - Mechanism specific status code. - - src_name gss_name_t, read - internal name to be duplicated. - - dest_name gss_name_t, modify - The resultant copy of . - Storage associated with this name must - be freed by the application after use - with a call to gss_release_name(). - - - -Wray Standards Track [Page 48] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_BAD_NAME The src_name parameter was ill-formed. - -5.13. gss_export_name - - OM_uint32 gss_export_name ( - OM_uint32 *minor_status, - const gss_name_t input_name, - gss_buffer_t exported_name) - - Purpose: - - To produce a canonical contiguous string representation of a - mechanism name (MN), suitable for direct comparison (e.g. with - memcmp) for use in authorization functions (e.g. matching entries in - an access-control list). The parameter must specify a - valid MN (i.e. an internal name generated by gss_accept_sec_context - or by gss_canonicalize_name). - - Parameters: - - minor_status Integer, modify - Mechanism specific status code - - input_name gss_name_t, read - The MN to be exported - - exported_name gss_buffer_t, octet-string, modify - The canonical contiguous string form of - . Storage associated with - this string must freed by the application - after use with gss_release_buffer(). - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_NAME_NOT_MN The provided internal name was not a mechanism - name. 
- - GSS_S_BAD_NAME The provided internal name was ill-formed. - - GSS_S_BAD_NAMETYPE The internal name was of a type not supported - by the GSS-API implementation. - - - - -Wray Standards Track [Page 49] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - -5.14. gss_export_sec_context - - OM_uint32 gss_export_sec_context ( - OM_uint32 *minor_status, - gss_ctx_id_t *context_handle, - gss_buffer_t interprocess_token) - - Purpose: - - Provided to support the sharing of work between multiple processes. - This routine will typically be used by the context-acceptor, in an - application where a single process receives incoming connection - requests and accepts security contexts over them, then passes the - established context to one or more other processes for message - exchange. gss_export_sec_context() deactivates the security context - for the calling process and creates an interprocess token which, when - passed to gss_import_sec_context in another process, will re-activate - the context in the second process. Only a single instantiation of a - given context may be active at any one time; a subsequent attempt by - a context exporter to access the exported security context will fail. - - The implementation may constrain the set of processes by which the - interprocess token may be imported, either as a function of local - security policy, or as a result of implementation decisions. For - example, some implementations may constrain contexts to be passed - only between processes that run under the same account, or which are - part of the same process group. - - The interprocess token may contain security-sensitive information - (for example cryptographic keys). While mechanisms are encouraged to - either avoid placing such sensitive information within interprocess - tokens, or to encrypt the token before returning it to the - application, in a typical object-library GSS-API implementation this - may not be possible. 
Thus the application must take care to protect - the interprocess token, and ensure that any process to which the - token is transferred is trustworthy. - - If creation of the interprocess token is successful, the - implementation shall deallocate all process-wide resources associated - with the security context, and set the context_handle to - GSS_C_NO_CONTEXT. In the event of an error that makes it impossible - to complete the export of the security context, the implementation - must not return an interprocess token, and should strive to leave the - security context referenced by the context_handle parameter - untouched. If this is impossible, it is permissible for the - implementation to delete the security context, providing it also sets - the context_handle parameter to GSS_C_NO_CONTEXT. - - - - -Wray Standards Track [Page 50] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - Parameters: - - minor_status Integer, modify - Mechanism specific status code - - context_handle gss_ctx_id_t, modify - context handle identifying the context to - transfer. - - interprocess_token buffer, opaque, modify - token to be transferred to target process. - Storage associated with this token must be - freed by the application after use with a - call to gss_release_buffer(). - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_CONTEXT_EXPIRED The context has expired - - GSS_S_NO_CONTEXT The context was invalid - - GSS_S_UNAVAILABLE The operation is not supported. - -5.15. gss_get_mic - - OM_uint32 gss_get_mic ( - OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - gss_qop_t qop_req, - const gss_buffer_t message_buffer, - gss_buffer_t msg_token) - - Purpose: - - Generates a cryptographic MIC for the supplied message, and places - the MIC in a token for transfer to the peer application. The qop_req - parameter allows a choice between several cryptographic algorithms, - if supported by the chosen mechanism. 
- - Since some application-level protocols may wish to use tokens emitted - by gss_wrap() to provide "secure framing", implementations must - support derivation of MICs from zero-length messages. - - - - - - - -Wray Standards Track [Page 51] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - Parameters: - - minor_status Integer, modify - Implementation specific status code. - - context_handle gss_ctx_id_t, read - identifies the context on which the message - will be sent - - qop_req gss_qop_t, read, optional - Specifies requested quality of protection. - Callers are encouraged, on portability grounds, - to accept the default quality of protection - offered by the chosen mechanism, which may be - requested by specifying GSS_C_QOP_DEFAULT for - this parameter. If an unsupported protection - strength is requested, gss_get_mic will return a - major_status of GSS_S_BAD_QOP. - - message_buffer buffer, opaque, read - message to be protected - - msg_token buffer, opaque, modify - buffer to receive token. The application must - free storage associated with this buffer after - use with a call to gss_release_buffer(). - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_CONTEXT_EXPIRED The context has already expired - - GSS_S_NO_CONTEXT The context_handle parameter did not identify - a valid context - - GSS_S_BAD_QOP The specified QOP is not supported by the - mechanism. - -5.16. gss_import_name - - OM_uint32 gss_import_name ( - OM_uint32 *minor_status, - const gss_buffer_t input_name_buffer, - const gss_OID input_name_type, - gss_name_t *output_name) - - - - - -Wray Standards Track [Page 52] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - Purpose: - - Convert a contiguous string name to internal form. 
In general, the - internal name returned (via the parameter) will not be - an MN; the exception to this is if the indicates - that the contiguous string provided via the - parameter is of type GSS_C_NT_EXPORT_NAME, in which case the returned - internal name will be an MN for the mechanism that exported the name. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code - - input_name_buffer buffer, octet-string, read - buffer containing contiguous string name to convert - - input_name_type Object ID, read, optional - Object ID specifying type of printable - name. Applications may specify either - GSS_C_NO_OID to use a mechanism-specific - default printable syntax, or an OID recognized - by the GSS-API implementation to name a - specific namespace. - - output_name gss_name_t, modify - returned name in internal form. Storage - associated with this name must be freed - by the application after use with a call - to gss_release_name(). - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_BAD_NAMETYPE The input_name_type was unrecognized - - GSS_S_BAD_NAME The input_name parameter could not be interpreted - as a name of the specified type - - GSS_S_BAD_MECH The input name-type was GSS_C_NT_EXPORT_NAME, - but the mechanism contained within the - input-name is not supported - - - - - - - - -Wray Standards Track [Page 53] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - -5.17. gss_import_sec_context - - OM_uint32 gss_import_sec_context ( - OM_uint32 *minor_status, - const gss_buffer_t interprocess_token, - gss_ctx_id_t *context_handle) - - Purpose: - - Allows a process to import a security context established by another - process. A given interprocess token may be imported only once. See - gss_export_sec_context. 
- - Parameters: - - minor_status Integer, modify - Mechanism specific status code - - interprocess_token buffer, opaque, modify - token received from exporting process - - context_handle gss_ctx_id_t, modify - context handle of newly reactivated context. - Resources associated with this context handle - must be released by the application after use - with a call to gss_delete_sec_context(). - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion. - - GSS_S_NO_CONTEXT The token did not contain a valid context - reference. - - GSS_S_DEFECTIVE_TOKEN The token was invalid. - - GSS_S_UNAVAILABLE The operation is unavailable. - - GSS_S_UNAUTHORIZED Local policy prevents the import of this context - by the current process. - -5.18. gss_indicate_mechs - - OM_uint32 gss_indicate_mechs ( - OM_uint32 *minor_status, - gss_OID_set *mech_set) - - - - - -Wray Standards Track [Page 54] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - Purpose: - - Allows an application to determine which underlying security - mechanisms are available. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code. - - mech_set set of Object IDs, modify - set of implementation-supported mechanisms. - The returned gss_OID_set value will be a - dynamically-allocated OID set, that should - be released by the caller after use with a - call to gss_release_oid_set(). - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - -5.19. 
gss_init_sec_context - - OM_uint32 gss_init_sec_context ( - OM_uint32 *minor_status, - const gss_cred_id_t initiator_cred_handle, - gss_ctx_id_t *context_handle,\ - const gss_name_t target_name, - const gss_OID mech_type, - OM_uint32 req_flags, - OM_uint32 time_req, - const gss_channel_bindings_t input_chan_bindings, - const gss_buffer_t input_token - gss_OID *actual_mech_type, - gss_buffer_t output_token, - OM_uint32 *ret_flags, - OM_uint32 *time_rec ) - - Purpose: - - Initiates the establishment of a security context between the - application and a remote peer. Initially, the input_token parameter - should be specified either as GSS_C_NO_BUFFER, or as a pointer to a - gss_buffer_desc object whose length field contains the value zero. - The routine may return a output_token which should be transferred to - the peer application, where the peer application will present it to - gss_accept_sec_context. If no token need be sent, - gss_init_sec_context will indicate this by setting the length field - - - -Wray Standards Track [Page 55] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - of the output_token argument to zero. To complete the context - establishment, one or more reply tokens may be required from the peer - application; if so, gss_init_sec_context will return a status - containing the supplementary information bit GSS_S_CONTINUE_NEEDED. - In this case, gss_init_sec_context should be called again when the - reply token is received from the peer application, passing the reply - token to gss_init_sec_context via the input_token parameters. - - Portable applications should be constructed to use the token length - and return status to determine whether a token needs to be sent or - waited for. Thus a typical portable caller should always invoke - gss_init_sec_context within a loop: - - int context_established = 0; - gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT; - ... 
- input_token->length = 0; - - while (!context_established) { - maj_stat = gss_init_sec_context(&min_stat, - cred_hdl, - &context_hdl, - target_name, - desired_mech, - desired_services, - desired_time, - input_bindings, - input_token, - &actual_mech, - output_token, - &actual_services, - &actual_time); - if (GSS_ERROR(maj_stat)) { - report_error(maj_stat, min_stat); - }; - - if (output_token->length != 0) { - send_token_to_peer(output_token); - gss_release_buffer(&min_stat, output_token) - }; - if (GSS_ERROR(maj_stat)) { - - if (context_hdl != GSS_C_NO_CONTEXT) - gss_delete_sec_context(&min_stat, - &context_hdl, - GSS_C_NO_BUFFER); - break; - }; - - - -Wray Standards Track [Page 56] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - if (maj_stat & GSS_S_CONTINUE_NEEDED) { - receive_token_from_peer(input_token); - } else { - context_established = 1; - }; - }; - - Whenever the routine returns a major status that includes the value - GSS_S_CONTINUE_NEEDED, the context is not fully established and the - following restrictions apply to the output parameters: - - The value returned via the time_rec parameter is undefined Unless - the accompanying ret_flags parameter contains the bit - GSS_C_PROT_READY_FLAG, indicating that per-message services may be - applied in advance of a successful completion status, the value - returned via the actual_mech_type parameter is undefined until the - routine returns a major status value of GSS_S_COMPLETE. - - The values of the GSS_C_DELEG_FLAG, GSS_C_MUTUAL_FLAG, - GSS_C_REPLAY_FLAG, GSS_C_SEQUENCE_FLAG, GSS_C_CONF_FLAG, - GSS_C_INTEG_FLAG and GSS_C_ANON_FLAG bits returned via the - ret_flags parameter should contain the values that the - implementation expects would be valid if context establishment - were to succeed. 
In particular, if the application has requested - a service such as delegation or anonymous authentication via the - req_flags argument, and such a service is unavailable from the - underlying mechanism, gss_init_sec_context should generate a token - that will not provide the service, and indicate via the ret_flags - argument that the service will not be supported. The application - may choose to abort the context establishment by calling - gss_delete_sec_context (if it cannot continue in the absence of - the service), or it may choose to transmit the token and continue - context establishment (if the service was merely desired but not - mandatory). - - The values of the GSS_C_PROT_READY_FLAG and GSS_C_TRANS_FLAG bits - within ret_flags should indicate the actual state at the time - gss_init_sec_context returns, whether or not the context is fully - established. - - GSS-API implementations that support per-message protection are - encouraged to set the GSS_C_PROT_READY_FLAG in the final ret_flags - returned to a caller (i.e. when accompanied by a GSS_S_COMPLETE - status code). However, applications should not rely on this - behavior as the flag was not defined in Version 1 of the GSS-API. - Instead, applications should determine what per-message services - are available after a successful context establishment according - to the GSS_C_INTEG_FLAG and GSS_C_CONF_FLAG values. - - - -Wray Standards Track [Page 57] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - All other bits within the ret_flags argument should be set to - zero. - - If the initial call of gss_init_sec_context() fails, the - implementation should not create a context object, and should leave - the value of the context_handle parameter set to GSS_C_NO_CONTEXT to - indicate this. 
In the event of a failure on a subsequent call, the - implementation is permitted to delete the "half-built" security - context (in which case it should set the context_handle parameter to - GSS_C_NO_CONTEXT), but the preferred behavior is to leave the - security context untouched for the application to delete (using - gss_delete_sec_context). - - During context establishment, the informational status bits - GSS_S_OLD_TOKEN and GSS_S_DUPLICATE_TOKEN indicate fatal errors, and - GSS-API mechanisms should always return them in association with a - routine error of GSS_S_FAILURE. This requirement for pairing did not - exist in version 1 of the GSS-API specification, so applications that - wish to run over version 1 implementations must special-case these - codes. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code. - - initiator_cred_handle gss_cred_id_t, read, optional - handle for credentials claimed. Supply - GSS_C_NO_CREDENTIAL to act as a default - initiator principal. If no default - initiator is defined, the function will - return GSS_S_NO_CRED. - - context_handle gss_ctx_id_t, read/modify - context handle for new context. Supply - GSS_C_NO_CONTEXT for first call; use value - returned by first call in continuation calls. - Resources associated with this context-handle - must be released by the application after use - with a call to gss_delete_sec_context(). - - target_name gss_name_t, read - Name of target - - mech_type OID, read, optional - Object ID of desired mechanism. Supply - GSS_C_NO_OID to obtain an implementation - specific default - - - -Wray Standards Track [Page 58] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - req_flags bit-mask, read - Contains various independent flags, each of - which requests that the context support a - specific service option. 
Symbolic - names are provided for each flag, and the - symbolic names corresponding to the required - flags should be logically-ORed - together to form the bit-mask value. The - flags are: - - GSS_C_DELEG_FLAG - True - Delegate credentials to remote peer - False - Don't delegate - - GSS_C_MUTUAL_FLAG - True - Request that remote peer - authenticate itself - False - Authenticate self to remote peer - only - - GSS_C_REPLAY_FLAG - True - Enable replay detection for - messages protected with gss_wrap - or gss_get_mic - False - Don't attempt to detect - replayed messages - - GSS_C_SEQUENCE_FLAG - True - Enable detection of out-of-sequence - protected messages - False - Don't attempt to detect - out-of-sequence messages - - GSS_C_CONF_FLAG - True - Request that confidentiality service - be made available (via gss_wrap) - False - No per-message confidentiality service - is required. - - GSS_C_INTEG_FLAG - True - Request that integrity service be - made available (via gss_wrap or - gss_get_mic) - False - No per-message integrity service - is required. - - - - - - -Wray Standards Track [Page 59] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - GSS_C_ANON_FLAG - True - Do not reveal the initiator's - identity to the acceptor. - False - Authenticate normally. - - time_req Integer, read, optional - Desired number of seconds for which context - should remain valid. Supply 0 to request a - default validity period. - - input_chan_bindings channel bindings, read, optional - Application-specified bindings. Allows - application to securely bind channel - identification information to the security - context. Specify GSS_C_NO_CHANNEL_BINDINGS - if channel bindings are not used. - - input_token buffer, opaque, read, optional (see text) - Token received from peer application. - Supply GSS_C_NO_BUFFER, or a pointer to - a buffer containing the value GSS_C_EMPTY_BUFFER - on initial call. - - actual_mech_type OID, modify, optional - Actual mechanism used. 
The OID returned via - this parameter will be a pointer to static - storage that should be treated as read-only; - In particular the application should not attempt - to free it. Specify NULL if not required. - - output_token buffer, opaque, modify - token to be sent to peer application. If - the length field of the returned buffer is - zero, no token need be sent to the peer - application. Storage associated with this - buffer must be freed by the application - after use with a call to gss_release_buffer(). - - ret_flags bit-mask, modify, optional - Contains various independent flags, each of which - indicates that the context supports a specific - service option. Specify NULL if not - required. Symbolic names are provided - for each flag, and the symbolic names - corresponding to the required flags should be - logically-ANDed with the ret_flags value to test - whether a given option is supported by the - context. The flags are: - - - -Wray Standards Track [Page 60] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - GSS_C_DELEG_FLAG - True - Credentials were delegated to - the remote peer - False - No credentials were delegated - - GSS_C_MUTUAL_FLAG - True - The remote peer has authenticated - itself. - False - Remote peer has not authenticated - itself. - - GSS_C_REPLAY_FLAG - True - replay of protected messages - will be detected - False - replayed messages will not be - detected - - GSS_C_SEQUENCE_FLAG - True - out-of-sequence protected - messages will be detected - False - out-of-sequence messages will - not be detected - - GSS_C_CONF_FLAG - True - Confidentiality service may be - invoked by calling gss_wrap routine - False - No confidentiality service (via - gss_wrap) available. gss_wrap will - provide message encapsulation, - data-origin authentication and - integrity services only. - - GSS_C_INTEG_FLAG - True - Integrity service may be invoked by - calling either gss_get_mic or gss_wrap - routines. - False - Per-message integrity service - unavailable. 
- - GSS_C_ANON_FLAG - True - The initiator's identity has not been - revealed, and will not be revealed if - any emitted token is passed to the - acceptor. - False - The initiator's identity has been or - will be authenticated normally. - - GSS_C_PROT_READY_FLAG - - - -Wray Standards Track [Page 61] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - True - Protection services (as specified - by the states of the GSS_C_CONF_FLAG - and GSS_C_INTEG_FLAG) are available for - use if the accompanying major status - return value is either GSS_S_COMPLETE or - GSS_S_CONTINUE_NEEDED. - False - Protection services (as specified - by the states of the GSS_C_CONF_FLAG - and GSS_C_INTEG_FLAG) are available - only if the accompanying major status - return value is GSS_S_COMPLETE. - - GSS_C_TRANS_FLAG - True - The resultant security context may - be transferred to other processes via - a call to gss_export_sec_context(). - False - The security context is not - transferable. - - All other bits should be set to zero. - - time_rec Integer, modify, optional - number of seconds for which the context - will remain valid. If the implementation does - not support context expiration, the value - GSS_C_INDEFINITE will be returned. Specify - NULL if not required. - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_CONTINUE_NEEDED Indicates that a token from the peer - application is required to complete the - context, and that gss_init_sec_context - must be called again with that token. - - GSS_S_DEFECTIVE_TOKEN Indicates that consistency checks performed - on the input_token failed - - GSS_S_DEFECTIVE_CREDENTIAL Indicates that consistency checks - performed on the credential failed. - - GSS_S_NO_CRED The supplied credentials were not valid for - context initiation, or the credential handle - did not reference any credentials. 
- - GSS_S_CREDENTIALS_EXPIRED The referenced credentials have expired - - - -Wray Standards Track [Page 62] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - GSS_S_BAD_BINDINGS The input_token contains different channel - bindings to those specified via the - input_chan_bindings parameter - - GSS_S_BAD_SIG The input_token contains an invalid MIC, or a MIC - that could not be verified - - GSS_S_OLD_TOKEN The input_token was too old. This is a fatal - error during context establishment - - GSS_S_DUPLICATE_TOKEN The input_token is valid, but is a duplicate - of a token already processed. This is a - fatal error during context establishment. - - GSS_S_NO_CONTEXT Indicates that the supplied context handle did - not refer to a valid context - - GSS_S_BAD_NAMETYPE The provided target_name parameter contained an - invalid or unsupported type of name - - GSS_S_BAD_NAME The provided target_name parameter was ill-formed. - - GSS_S_BAD_MECH The specified mechanism is not supported by the - provided credential, or is unrecognized by the - implementation. - -5.20. gss_inquire_context - - OM_uint32 gss_inquire_context ( - OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - gss_name_t *src_name, - gss_name_t *targ_name, - OM_uint32 *lifetime_rec, - gss_OID *mech_type, - OM_uint32 *ctx_flags, - int *locally_initiated, - int *open ) - - Purpose: - - Obtains information about a security context. The caller must - already have obtained a handle that refers to the context, although - the context need not be fully established. - - - - - - - -Wray Standards Track [Page 63] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - Parameters: - - minor_status Integer, modify - Mechanism specific status code - - context_handle gss_ctx_id_t, read - A handle that refers to the security context. - - src_name gss_name_t, modify, optional - The name of the context initiator. 
- If the context was established using anonymous - authentication, and if the application invoking - gss_inquire_context is the context acceptor, - an anonymous name will be returned. Storage - associated with this name must be freed by the - application after use with a call to - gss_release_name(). Specify NULL if not - required. - - targ_name gss_name_t, modify, optional - The name of the context acceptor. - Storage associated with this name must be - freed by the application after use with a call - to gss_release_name(). If the context acceptor - did not authenticate itself, and if the initiator - did not specify a target name in its call to - gss_init_sec_context(), the value GSS_C_NO_NAME - will be returned. Specify NULL if not required. - - lifetime_rec Integer, modify, optional - The number of seconds for which the context - will remain valid. If the context has - expired, this parameter will be set to zero. - If the implementation does not support - context expiration, the value - GSS_C_INDEFINITE will be returned. Specify - NULL if not required. - - mech_type gss_OID, modify, optional - The security mechanism providing the - context. The returned OID will be a - pointer to static storage that should - be treated as read-only by the application; - in particular the application should not - attempt to free it. Specify NULL if not - required. - - - - - -Wray Standards Track [Page 64] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - ctx_flags bit-mask, modify, optional - Contains various independent flags, each of - which indicates that the context supports - (or is expected to support, if ctx_open is - false) a specific service option. If not - needed, specify NULL. Symbolic names are - provided for each flag, and the symbolic names - corresponding to the required flags - should be logically-ANDed with the ret_flags - value to test whether a given option is - supported by the context. 
The flags are: - - GSS_C_DELEG_FLAG - True - Credentials were delegated from - the initiator to the acceptor. - False - No credentials were delegated - - GSS_C_MUTUAL_FLAG - True - The acceptor was authenticated - to the initiator - False - The acceptor did not authenticate - itself. - - GSS_C_REPLAY_FLAG - True - replay of protected messages - will be detected - False - replayed messages will not be - detected - - GSS_C_SEQUENCE_FLAG - True - out-of-sequence protected - messages will be detected - False - out-of-sequence messages will not - be detected - - GSS_C_CONF_FLAG - True - Confidentiality service may be invoked - by calling gss_wrap routine - False - No confidentiality service (via - gss_wrap) available. gss_wrap will - provide message encapsulation, - data-origin authentication and - integrity services only. - - GSS_C_INTEG_FLAG - True - Integrity service may be invoked by - calling either gss_get_mic or gss_wrap - routines. - - - -Wray Standards Track [Page 65] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - False - Per-message integrity service - unavailable. - - GSS_C_ANON_FLAG - True - The initiator's identity will not - be revealed to the acceptor. - The src_name parameter (if - requested) contains an anonymous - internal name. - False - The initiator has been - authenticated normally. - - GSS_C_PROT_READY_FLAG - True - Protection services (as specified - by the states of the GSS_C_CONF_FLAG - and GSS_C_INTEG_FLAG) are available - for use. - False - Protection services (as specified - by the states of the GSS_C_CONF_FLAG - and GSS_C_INTEG_FLAG) are available - only if the context is fully - established (i.e. if the open parameter - is non-zero). - - GSS_C_TRANS_FLAG - True - The resultant security context may - be transferred to other processes via - a call to gss_export_sec_context(). - False - The security context is not - transferable. - - locally_initiated Boolean, modify - Non-zero if the invoking application is the - context initiator. 
- Specify NULL if not required. - - open Boolean, modify - Non-zero if the context is fully established; - Zero if a context-establishment token - is expected from the peer application. - Specify NULL if not required. - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_NO_CONTEXT The referenced context could not be accessed. - - - - -Wray Standards Track [Page 66] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - -5.21. gss_inquire_cred - - OM_uint32 gss_inquire_cred ( - OM_uint32 *minor_status, - const gss_cred_id_t cred_handle, - gss_name_t *name, - OM_uint32 *lifetime, - gss_cred_usage_t *cred_usage, - gss_OID_set *mechanisms ) - - Purpose: - - Obtains information about a credential. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code - - cred_handle gss_cred_id_t, read - A handle that refers to the target credential. - Specify GSS_C_NO_CREDENTIAL to inquire about - the default initiator principal. - - name gss_name_t, modify, optional - The name whose identity the credential asserts. - Storage associated with this name should be freed - by the application after use with a call to - gss_release_name(). Specify NULL if not required. - - lifetime Integer, modify, optional - The number of seconds for which the credential - will remain valid. If the credential has - expired, this parameter will be set to zero. - If the implementation does not support - credential expiration, the value - GSS_C_INDEFINITE will be returned. Specify - NULL if not required. - - cred_usage gss_cred_usage_t, modify, optional - How the credential may be used. One of the - following: - GSS_C_INITIATE - GSS_C_ACCEPT - GSS_C_BOTH - Specify NULL if not required. - - - - - -Wray Standards Track [Page 67] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - mechanisms gss_OID_set, modify, optional - Set of mechanisms supported by the credential. 
- Storage associated with this OID set must be - freed by the application after use with a call - to gss_release_oid_set(). Specify NULL if not - required. - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_NO_CRED The referenced credentials could not be accessed. - - GSS_S_DEFECTIVE_CREDENTIAL The referenced credentials were invalid. - - GSS_S_CREDENTIALS_EXPIRED The referenced credentials have expired. - If the lifetime parameter was not passed as NULL, - it will be set to 0. - -5.22. gss_inquire_cred_by_mech - - OM_uint32 gss_inquire_cred_by_mech ( - OM_uint32 *minor_status, - const gss_cred_id_t cred_handle, - const gss_OID mech_type, - gss_name_t *name, - OM_uint32 *initiator_lifetime, - OM_uint32 *acceptor_lifetime, - gss_cred_usage_t *cred_usage ) - - Purpose: - - Obtains per-mechanism information about a credential. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code - - cred_handle gss_cred_id_t, read - A handle that refers to the target credential. - Specify GSS_C_NO_CREDENTIAL to inquire about - the default initiator principal. - - mech_type gss_OID, read - The mechanism for which information should be - returned. - - - - -Wray Standards Track [Page 68] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - name gss_name_t, modify, optional - The name whose identity the credential asserts. - Storage associated with this name must be - freed by the application after use with a call - to gss_release_name(). Specify NULL if not - required. - - initiator_lifetime Integer, modify, optional - The number of seconds for which the credential - will remain capable of initiating security contexts - under the specified mechanism. If the credential - can no longer be used to initiate contexts, or if - the credential usage for this mechanism is - GSS_C_ACCEPT, this parameter will be set to zero. 
- If the implementation does not support expiration - of initiator credentials, the value - GSS_C_INDEFINITE will be returned. Specify NULL - if not required. - - acceptor_lifetime Integer, modify, optional - The number of seconds for which the credential - will remain capable of accepting security contexts - under the specified mechanism. If the credential - can no longer be used to accept contexts, or if - the credential usage for this mechanism is - GSS_C_INITIATE, this parameter will be set to zero. - - If the implementation does not support expiration - of acceptor credentials, the value GSS_C_INDEFINITE - will be returned. Specify NULL if not required. - - cred_usage gss_cred_usage_t, modify, optional - How the credential may be used with the specified - mechanism. One of the following: - GSS_C_INITIATE - GSS_C_ACCEPT - GSS_C_BOTH - Specify NULL if not required. - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_NO_CRED The referenced credentials could not be accessed. - - GSS_S_DEFECTIVE_CREDENTIAL The referenced credentials were invalid. - - - - - -Wray Standards Track [Page 69] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - GSS_S_CREDENTIALS_EXPIRED The referenced credentials have expired. - If the lifetime parameter was not passed as NULL, - it will be set to 0. - -5.23. gss_inquire_mechs_for_name - - OM_uint32 gss_inquire_mechs_for_name ( - OM_uint32 *minor_status, - const gss_name_t input_name, - gss_OID_set *mech_types ) - - Purpose: - - Returns the set of mechanisms supported by the GSS-API implementation - that may be able to process the specified name. - - Each mechanism returned will recognize at least one element within - the name. It is permissible for this routine to be implemented - within a mechanism-independent GSS-API layer, using the type - information contained within the presented name, and based on - registration information provided by individual mechanism - implementations. 
This means that the returned mech_types set may - indicate that a particular mechanism will understand the name when in - fact it would refuse to accept the name as input to - gss_canonicalize_name, gss_init_sec_context, gss_acquire_cred or - gss_add_cred (due to some property of the specific name, as opposed - to the name type). Thus this routine should be used only as a pre- - filter for a call to a subsequent mechanism-specific routine. - - Parameters: - - minor_status Integer, modify - Implementation specific status code. - - input_name gss_name_t, read - The name to which the inquiry relates. - - mech_types gss_OID_set, modify - Set of mechanisms that may support the - specified name. The returned OID set - must be freed by the caller after use - with a call to gss_release_oid_set(). - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_BAD_NAME The input_name parameter was ill-formed. - - - -Wray Standards Track [Page 70] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - GSS_S_BAD_NAMETYPE The input_name parameter contained an invalid or - unsupported type of name - -5.24. gss_inquire_names_for_mech - - OM_uint32 gss_inquire_names_for_mech ( - OM_uint32 *minor_status, - const gss_OID mechanism, - gss_OID_set *name_types) - - Purpose: - - Returns the set of nametypes supported by the specified mechanism. - - Parameters: - - minor_status Integer, modify - Implementation specific status code. - - mechanism gss_OID, read - The mechanism to be interrogated. - - name_types gss_OID_set, modify - Set of name-types supported by the specified - mechanism. The returned OID set must be - freed by the application after use with a - call to gss_release_oid_set(). - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - -5.25. 
gss_process_context_token - - OM_uint32 gss_process_context_token ( - OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t token_buffer) - - Purpose: - - Provides a way to pass an asynchronous token to the security service. - Most context-level tokens are emitted and processed synchronously by - gss_init_sec_context and gss_accept_sec_context, and the application - is informed as to whether further tokens are expected by the - GSS_C_CONTINUE_NEEDED major status bit. Occasionally, a mechanism - may need to emit a context-level token at a point when the peer - entity is not expecting a token. For example, the initiator's final - - - -Wray Standards Track [Page 71] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - call to gss_init_sec_context may emit a token and return a status of - GSS_S_COMPLETE, but the acceptor's call to gss_accept_sec_context may - fail. The acceptor's mechanism may wish to send a token containing - an error indication to the initiator, but the initiator is not - expecting a token at this point, believing that the context is fully - established. Gss_process_context_token provides a way to pass such a - token to the mechanism at any time. - - Parameters: - - minor_status Integer, modify - Implementation specific status code. - - context_handle gss_ctx_id_t, read - context handle of context on which token is to - be processed - - token_buffer buffer, opaque, read - token to process - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_DEFECTIVE_TOKEN Indicates that consistency checks performed - on the token failed - - GSS_S_NO_CONTEXT The context_handle did not refer to a valid context - -5.26. gss_release_buffer - - OM_uint32 gss_release_buffer ( - OM_uint32 *minor_status, - gss_buffer_t buffer) - - Purpose: - - Free storage associated with a buffer. The storage must have been - allocated by a GSS-API routine. 
In addition to freeing the - associated storage, the routine will zero the length field in the - descriptor to which the buffer parameter refers, and implementations - are encouraged to additionally set the pointer field in the - descriptor to NULL. Any buffer object returned by a GSS-API routine - may be passed to gss_release_buffer (even if there is no storage - associated with the buffer). - - - - - - -Wray Standards Track [Page 72] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - Parameters: - - minor_status Integer, modify - Mechanism specific status code - - buffer buffer, modify - The storage associated with the buffer will be - deleted. The gss_buffer_desc object will not - be freed, but its length field will be zeroed. - - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - -5.27. gss_release_cred - - OM_uint32 gss_release_cred ( - OM_uint32 *minor_status, - gss_cred_id_t *cred_handle) - - Purpose: - - Informs GSS-API that the specified credential handle is no longer - required by the application, and frees associated resources. - Implementations are encouraged to set the cred_handle to - GSS_C_NO_CREDENTIAL on successful completion of this call. - - Parameters: - - cred_handle gss_cred_id_t, modify, optional - Opaque handle identifying credential - to be released. If GSS_C_NO_CREDENTIAL - is supplied, the routine will complete - successfully, but will do nothing. - - minor_status Integer, modify - Mechanism specific status code. - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_NO_CRED Credentials could not be accessed. - - - - - - - -Wray Standards Track [Page 73] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - -5.28. gss_release_name - - OM_uint32 gss_release_name ( - OM_uint32 *minor_status, - gss_name_t *name) - - Purpose: - - Free GSSAPI-allocated storage associated with an internal-form name. 
- Implementations are encouraged to set the name to GSS_C_NO_NAME on - successful completion of this call. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code - - name gss_name_t, modify - The name to be deleted - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_BAD_NAME The name parameter did not contain a valid name - -5.29. gss_release_oid_set - - OM_uint32 gss_release_oid_set ( - OM_uint32 *minor_status, - gss_OID_set *set) - - Purpose: - - Free storage associated with a GSSAPI-generated gss_OID_set object. - The set parameter must refer to an OID-set that was returned from a - GSS-API routine. gss_release_oid_set() will free the storage - associated with each individual member OID, the OID set's elements - array, and the gss_OID_set_desc. - - Implementations are encouraged to set the gss_OID_set parameter to - GSS_C_NO_OID_SET on successful completion of this routine. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code - - - - -Wray Standards Track [Page 74] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - set Set of Object IDs, modify - The storage associated with the gss_OID_set - will be deleted. - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - -5.30. gss_test_oid_set_member - - OM_uint32 gss_test_oid_set_member ( - OM_uint32 *minor_status, - const gss_OID member, - const gss_OID_set set, - int *present) - - Purpose: - - Interrogate an Object Identifier set to determine whether a specified - Object Identifier is a member. This routine is intended to be used - with OID sets returned by gss_indicate_mechs(), gss_acquire_cred(), - and gss_inquire_cred(), but will also work with user-generated sets. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code - - member Object ID, read - The object identifier whose presence - is to be tested. - - set Set of Object ID, read - The Object Identifier set. 
- - present Boolean, modify - non-zero if the specified OID is a member - of the set, zero if not. - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - - - - - - - - -Wray Standards Track [Page 75] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - -5.31. gss_unwrap - - OM_uint32 gss_unwrap ( - OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t input_message_buffer, - gss_buffer_t output_message_buffer, - int *conf_state, - gss_qop_t *qop_state) - - Purpose: - - Converts a message previously protected by gss_wrap back to a usable - form, verifying the embedded MIC. The conf_state parameter indicates - whether the message was encrypted; the qop_state parameter indicates - the strength of protection that was used to provide the - confidentiality and integrity services. - - Since some application-level protocols may wish to use tokens emitted - by gss_wrap() to provide "secure framing", implementations must - support the wrapping and unwrapping of zero-length messages. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code. - - context_handle gss_ctx_id_t, read - Identifies the context on which the message - arrived - - input_message_buffer buffer, opaque, read - protected message - - output_message_buffer buffer, opaque, modify - Buffer to receive unwrapped message. - Storage associated with this buffer must - be freed by the application after use use - with a call to gss_release_buffer(). - - conf_state boolean, modify, optional - Non-zero - Confidentiality and integrity - protection were used - Zero - Integrity service only was used - Specify NULL if not required - - - - - - -Wray Standards Track [Page 76] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - qop_state gss_qop_t, modify, optional - Quality of protection provided. 
- Specify NULL if not required - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_DEFECTIVE_TOKEN The token failed consistency checks - - GSS_S_BAD_SIG The MIC was incorrect - - GSS_S_DUPLICATE_TOKEN The token was valid, and contained a correct - MIC for the message, but it had already been - processed - - GSS_S_OLD_TOKEN The token was valid, and contained a correct MIC - for the message, but it is too old to check for - duplication. - - GSS_S_UNSEQ_TOKEN The token was valid, and contained a correct MIC - for the message, but has been verified out of - sequence; a later token has already been - received. - - GSS_S_GAP_TOKEN The token was valid, and contained a correct MIC - for the message, but has been verified out of - sequence; an earlier expected token has not yet - been received. - - GSS_S_CONTEXT_EXPIRED The context has already expired - - GSS_S_NO_CONTEXT The context_handle parameter did not identify - a valid context - -5.32. gss_verify_mic - - OM_uint32 gss_verify_mic ( - OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t message_buffer, - const gss_buffer_t token_buffer, - gss_qop_t *qop_state) - - - - - - - - -Wray Standards Track [Page 77] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - Purpose: - - Verifies that a cryptographic MIC, contained in the token parameter, - fits the supplied message. The qop_state parameter allows a message - recipient to determine the strength of protection that was applied to - the message. - - Since some application-level protocols may wish to use tokens emitted - by gss_wrap() to provide "secure framing", implementations must - support the calculation and verification of MICs over zero-length - messages. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code. 
- - context_handle gss_ctx_id_t, read - Identifies the context on which the message - arrived - - message_buffer buffer, opaque, read - Message to be verified - - token_buffer buffer, opaque, read - Token associated with message - - qop_state gss_qop_t, modify, optional - quality of protection gained from MIC - Specify NULL if not required - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_DEFECTIVE_TOKEN The token failed consistency checks - - GSS_S_BAD_SIG The MIC was incorrect - - GSS_S_DUPLICATE_TOKEN The token was valid, and contained a correct - MIC for the message, but it had already been - processed - - GSS_S_OLD_TOKEN The token was valid, and contained a correct MIC - for the message, but it is too old to check for - duplication. - - - - - -Wray Standards Track [Page 78] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - GSS_S_UNSEQ_TOKEN The token was valid, and contained a correct MIC - for the message, but has been verified out of - sequence; a later token has already been received. - - GSS_S_GAP_TOKEN The token was valid, and contained a correct MIC - for the message, but has been verified out of - sequence; an earlier expected token has not yet - been received. - - GSS_S_CONTEXT_EXPIRED The context has already expired - - GSS_S_NO_CONTEXT The context_handle parameter did not identify a - valid context - -5.33. gss_wrap - - OM_uint32 gss_wrap ( - OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - int conf_req_flag, - gss_qop_t qop_req - const gss_buffer_t input_message_buffer, - int *conf_state, - gss_buffer_t output_message_buffer ) - - Purpose: - - Attaches a cryptographic MIC and optionally encrypts the specified - input_message. The output_message contains both the MIC and the - message. The qop_req parameter allows a choice between several - cryptographic algorithms, if supported by the chosen mechanism. 
- - Since some application-level protocols may wish to use tokens emitted - by gss_wrap() to provide "secure framing", implementations must - support the wrapping of zero-length messages. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code. - - context_handle gss_ctx_id_t, read - Identifies the context on which the message - will be sent - - - - - - - -Wray Standards Track [Page 79] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - conf_req_flag boolean, read - Non-zero - Both confidentiality and integrity - services are requested - Zero - Only integrity service is requested - - qop_req gss_qop_t, read, optional - Specifies required quality of protection. A - mechanism-specific default may be requested by - setting qop_req to GSS_C_QOP_DEFAULT. If an - unsupported protection strength is requested, - gss_wrap will return a major_status of - GSS_S_BAD_QOP. - - input_message_buffer buffer, opaque, read - Message to be protected - - conf_state boolean, modify, optional - Non-zero - Confidentiality, data origin - authentication and integrity - services have been applied - Zero - Integrity and data origin services only - has been applied. - Specify NULL if not required - - output_message_buffer buffer, opaque, modify - Buffer to receive protected message. - Storage associated with this message must - be freed by the application after use with - a call to gss_release_buffer(). - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_CONTEXT_EXPIRED The context has already expired - - GSS_S_NO_CONTEXT The context_handle parameter did not identify a - valid context - - GSS_S_BAD_QOP The specified QOP is not supported by the - mechanism. - - - - - - - - - - -Wray Standards Track [Page 80] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - -5.34. 
gss_wrap_size_limit - - OM_uint32 gss_wrap_size_limit ( - OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - int conf_req_flag, - gss_qop_t qop_req, - OM_uint32 req_output_size, - OM_uint32 *max_input_size) - - Purpose: - - Allows an application to determine the maximum message size that, if - presented to gss_wrap with the same conf_req_flag and qop_req - parameters, will result in an output token containing no more than - req_output_size bytes. - - This call is intended for use by applications that communicate over - protocols that impose a maximum message size. It enables the - application to fragment messages prior to applying protection. - - GSS-API implementations are recommended but not required to detect - invalid QOP values when gss_wrap_size_limit() is called. This routine - guarantees only a maximum message size, not the availability of - specific QOP values for message protection. - - Successful completion of this call does not guarantee that gss_wrap - will be able to protect a message of length max_input_size bytes, - since this ability may depend on the availability of system resources - at the time that gss_wrap is called. However, if the implementation - itself imposes an upper limit on the length of messages that may be - processed by gss_wrap, the implementation should not return a value - via max_input_bytes that is greater than this length. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code - - context_handle gss_ctx_id_t, read - A handle that refers to the security over - which the messages will be sent. - - conf_req_flag Boolean, read - Indicates whether gss_wrap will be asked - to apply confidentiality protection in - - - - - -Wray Standards Track [Page 81] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - addition to integrity protection. See - the routine description for gss_wrap - for more details. 
- - qop_req gss_qop_t, read - Indicates the level of protection that - gss_wrap will be asked to provide. See - the routine description for gss_wrap for - more details. - - req_output_size Integer, read - The desired maximum size for tokens emitted - by gss_wrap. - - max_input_size Integer, modify - The maximum input message size that may - be presented to gss_wrap in order to - guarantee that the emitted token shall - be no larger than req_output_size bytes. - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_NO_CONTEXT The referenced context could not be accessed. - - GSS_S_CONTEXT_EXPIRED The context has expired. - - GSS_S_BAD_QOP The specified QOP is not supported by the - mechanism. - -6. Security Considerations - - This document specifies a service interface for security facilities - and services; as such, security considerations appear throughout the - specification. Nonetheless, it is appropriate to summarize certain - specific points relevant to GSS-API implementors and calling - applications. Usage of the GSS-API interface does not in itself - provide security services or assurance; instead, these attributes are - dependent on the underlying mechanism(s) which support a GSS-API - implementation. Callers must be attentive to the requests made to - GSS-API calls and to the status indicators returned by GSS-API, as - these specify the security service characteristics which GSS-API will - provide. When the interprocess context transfer facility is used, - appropriate local controls should be applied to constrain access to - interprocess tokens and to the sensitive data which they contain. - - - - - -Wray Standards Track [Page 82] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - Appendix A. GSS-API C header file gssapi.h - - C-language GSS-API implementations should include a copy of the - following header-file. - - #ifndef GSSAPI_H_ - #define GSSAPI_H_ - - - - /* - * First, include stddef.h to get size_t defined. 
- */
- #include
-
- /*
- * If the platform supports the xom.h header file, it should be
- * included here.
- */
- #include
-
-
- /*
- * Now define the three implementation-dependent types.
- */
- typedef gss_ctx_id_t;
- typedef gss_cred_id_t;
- typedef gss_name_t;
-
- /*
- * The following type must be defined as the smallest natural
- * unsigned integer supported by the platform that has at least
- * 32 bits of precision.
- */
- typedef gss_uint32;
-
-
- #ifdef OM_STRING
- /*
- * We have included the xom.h header file. Verify that OM_uint32
- * is defined correctly.
- */
-
- #if sizeof(gss_uint32) != sizeof(OM_uint32)
- #error Incompatible definition of OM_uint32 from xom.h
- #endif
-
- typedef OM_object_identifier gss_OID_desc, *gss_OID;
-
-
-
-Wray Standards Track [Page 83]
-
-RFC 2744 GSS-API V2: C-bindings January 2000
-
-
- #else
-
- /*
- * We can't use X/Open definitions, so roll our own.
- */
-
- typedef gss_uint32 OM_uint32;
-
- typedef struct gss_OID_desc_struct {
- OM_uint32 length;
- void *elements;
- } gss_OID_desc, *gss_OID;
-
- #endif
-
- typedef struct gss_OID_set_desc_struct {
- size_t count;
- gss_OID elements;
- } gss_OID_set_desc, *gss_OID_set;
-
- typedef struct gss_buffer_desc_struct {
- size_t length;
- void *value;
- } gss_buffer_desc, *gss_buffer_t;
-
- typedef struct gss_channel_bindings_struct {
- OM_uint32 initiator_addrtype;
- gss_buffer_desc initiator_address;
- OM_uint32 acceptor_addrtype;
- gss_buffer_desc acceptor_address;
- gss_buffer_desc application_data;
- } *gss_channel_bindings_t;
-
- /*
- * For now, define a QOP-type as an OM_uint32
- */
- typedef OM_uint32 gss_qop_t;
-
- typedef int gss_cred_usage_t;
-
- /*
- * Flag bits for context-level services.
- */
-
-
-
-
-
-
-
-
-Wray Standards Track [Page 84]
-
-RFC 2744 GSS-API V2: C-bindings January 2000
-
-
- #define GSS_C_DELEG_FLAG 1
- #define GSS_C_MUTUAL_FLAG 2
- #define GSS_C_REPLAY_FLAG 4
- #define GSS_C_SEQUENCE_FLAG 8
- #define GSS_C_CONF_FLAG 16
- #define GSS_C_INTEG_FLAG 32
- #define GSS_C_ANON_FLAG 64
- #define GSS_C_PROT_READY_FLAG 128
- #define GSS_C_TRANS_FLAG 256
-
- /*
- * Credential usage options
- */
- #define GSS_C_BOTH 0
- #define GSS_C_INITIATE 1
- #define GSS_C_ACCEPT 2
-
- /*
- * Status code types for gss_display_status
- */
- #define GSS_C_GSS_CODE 1
- #define GSS_C_MECH_CODE 2
-
- /*
- * The constant definitions for channel-bindings address families
- */
- #define GSS_C_AF_UNSPEC 0
- #define GSS_C_AF_LOCAL 1
- #define GSS_C_AF_INET 2
- #define GSS_C_AF_IMPLINK 3
- #define GSS_C_AF_PUP 4
- #define GSS_C_AF_CHAOS 5
- #define GSS_C_AF_NS 6
- #define GSS_C_AF_NBS 7
- #define GSS_C_AF_ECMA 8
- #define GSS_C_AF_DATAKIT 9
- #define GSS_C_AF_CCITT 10
- #define GSS_C_AF_SNA 11
- #define GSS_C_AF_DECnet 12
- #define GSS_C_AF_DLI 13
- #define GSS_C_AF_LAT 14
- #define GSS_C_AF_HYLINK 15
- #define GSS_C_AF_APPLETALK 16
- #define GSS_C_AF_BSC 17
- #define GSS_C_AF_DSS 18
- #define GSS_C_AF_OSI 19
- #define GSS_C_AF_X25 21
-
-
-
-
-Wray Standards Track [Page 85]
-
-RFC 2744 GSS-API V2: C-bindings January 2000
-
-
- #define GSS_C_AF_NULLADDR 255
-
- /*
- * Various Null values
- */
- #define GSS_C_NO_NAME ((gss_name_t) 0)
- #define GSS_C_NO_BUFFER ((gss_buffer_t) 0)
- #define GSS_C_NO_OID ((gss_OID) 0)
- #define GSS_C_NO_OID_SET ((gss_OID_set) 0)
- #define GSS_C_NO_CONTEXT ((gss_ctx_id_t) 0)
- #define GSS_C_NO_CREDENTIAL ((gss_cred_id_t) 0)
- #define GSS_C_NO_CHANNEL_BINDINGS ((gss_channel_bindings_t) 0)
- #define GSS_C_EMPTY_BUFFER {0, NULL}
-
- /*
- * Some alternate names for a couple of the above
- * values. These are defined for V1 compatibility.
- */
- #define GSS_C_NULL_OID GSS_C_NO_OID
- #define GSS_C_NULL_OID_SET GSS_C_NO_OID_SET
-
- /*
- * Define the default Quality of Protection for per-message
- * services. Note that an implementation that offers multiple
- * levels of QOP may define GSS_C_QOP_DEFAULT to be either zero
- * (as done here) to mean "default protection", or to a specific
- * explicit QOP value. However, a value of 0 should always be
- * interpreted by a GSS-API implementation as a request for the
- * default protection level.
- */
- #define GSS_C_QOP_DEFAULT 0
-
- /*
- * Expiration time of 2^32-1 seconds means infinite lifetime for a
- * credential or security context
- */
- #define GSS_C_INDEFINITE 0xfffffffful
-
- /*
- * The implementation must reserve static storage for a
- * gss_OID_desc object containing the value
- * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
- * "\x01\x02\x01\x01"},
- * corresponding to an object-identifier value of
- * {iso(1) member-body(2) United States(840) mit(113554)
- * infosys(1) gssapi(2) generic(1) user_name(1)}. The constant
- * GSS_C_NT_USER_NAME should be initialized to point
- * to that gss_OID_desc.
-
-
-
-Wray Standards Track [Page 86]
-
-RFC 2744 GSS-API V2: C-bindings January 2000
-
-
- */
- extern gss_OID GSS_C_NT_USER_NAME;
-
- /*
- * The implementation must reserve static storage for a
- * gss_OID_desc object containing the value
- * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
- * "\x01\x02\x01\x02"},
- * corresponding to an object-identifier value of
- * {iso(1) member-body(2) United States(840) mit(113554)
- * infosys(1) gssapi(2) generic(1) machine_uid_name(2)}.
- * The constant GSS_C_NT_MACHINE_UID_NAME should be
- * initialized to point to that gss_OID_desc.
- */
- extern gss_OID GSS_C_NT_MACHINE_UID_NAME;
-
- /*
- * The implementation must reserve static storage for a
- * gss_OID_desc object containing the value
- * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
- * "\x01\x02\x01\x03"},
- * corresponding to an object-identifier value of
- * {iso(1) member-body(2) United States(840) mit(113554)
- * infosys(1) gssapi(2) generic(1) string_uid_name(3)}.
- * The constant GSS_C_NT_STRING_UID_NAME should be
- * initialized to point to that gss_OID_desc.
- */
- extern gss_OID GSS_C_NT_STRING_UID_NAME;
-
- /*
- * The implementation must reserve static storage for a
- * gss_OID_desc object containing the value
- * {6, (void *)"\x2b\x06\x01\x05\x06\x02"},
- * corresponding to an object-identifier value of
- * {iso(1) org(3) dod(6) internet(1) security(5)
- * nametypes(6) gss-host-based-services(2)). The constant
- * GSS_C_NT_HOSTBASED_SERVICE_X should be initialized to point
- * to that gss_OID_desc. This is a deprecated OID value, and
- * implementations wishing to support hostbased-service names
- * should instead use the GSS_C_NT_HOSTBASED_SERVICE OID,
- * defined below, to identify such names;
- * GSS_C_NT_HOSTBASED_SERVICE_X should be accepted a synonym
- * for GSS_C_NT_HOSTBASED_SERVICE when presented as an input
- * parameter, but should not be emitted by GSS-API
- * implementations
- */
- extern gss_OID GSS_C_NT_HOSTBASED_SERVICE_X;
-
-
-
-
-Wray Standards Track [Page 87]
-
-RFC 2744 GSS-API V2: C-bindings January 2000
-
-
- /*
- * The implementation must reserve static storage for a
- * gss_OID_desc object containing the value
- * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
- * "\x01\x02\x01\x04"}, corresponding to an
- * object-identifier value of {iso(1) member-body(2)
- * Unites States(840) mit(113554) infosys(1) gssapi(2)
- * generic(1) service_name(4)}. The constant
- * GSS_C_NT_HOSTBASED_SERVICE should be initialized
- * to point to that gss_OID_desc.
- */
- extern gss_OID GSS_C_NT_HOSTBASED_SERVICE;
-
- /*
- * The implementation must reserve static storage for a
- * gss_OID_desc object containing the value
- * {6, (void *)"\x2b\x06\01\x05\x06\x03"},
- * corresponding to an object identifier value of
- * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
- * 6(nametypes), 3(gss-anonymous-name)}. The constant
- * and GSS_C_NT_ANONYMOUS should be initialized to point
- * to that gss_OID_desc.
- */
- extern gss_OID GSS_C_NT_ANONYMOUS;
-
-
- /*
- * The implementation must reserve static storage for a
- * gss_OID_desc object containing the value
- * {6, (void *)"\x2b\x06\x01\x05\x06\x04"},
- * corresponding to an object-identifier value of
- * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
- * 6(nametypes), 4(gss-api-exported-name)}. The constant
- * GSS_C_NT_EXPORT_NAME should be initialized to point
- * to that gss_OID_desc.
- */
- extern gss_OID GSS_C_NT_EXPORT_NAME;
-
-
- /* Major status codes */
-
- #define GSS_S_COMPLETE 0
-
- /*
- * Some "helper" definitions to make the status code macros obvious.
- */
- #define GSS_C_CALLING_ERROR_OFFSET 24
- #define GSS_C_ROUTINE_ERROR_OFFSET 16
-
-
-
-Wray Standards Track [Page 88]
-
-RFC 2744 GSS-API V2: C-bindings January 2000
-
-
- #define GSS_C_SUPPLEMENTARY_OFFSET 0
- #define GSS_C_CALLING_ERROR_MASK 0377ul
- #define GSS_C_ROUTINE_ERROR_MASK 0377ul
- #define GSS_C_SUPPLEMENTARY_MASK 0177777ul
-
- /*
- * The macros that test status codes for error conditions.
- * Note that the GSS_ERROR() macro has changed slightly from
- * the V1 GSS-API so that it now evaluates its argument
- * only once.
- */ - #define GSS_CALLING_ERROR(x) \ - (x & (GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET)) - #define GSS_ROUTINE_ERROR(x) \ - (x & (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET)) - #define GSS_SUPPLEMENTARY_INFO(x) \ - (x & (GSS_C_SUPPLEMENTARY_MASK << GSS_C_SUPPLEMENTARY_OFFSET)) - #define GSS_ERROR(x) \ - (x & ((GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET) | \ - (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET))) - - /* - * Now the actual status code definitions - */ - - /* - * Calling errors: - - */ - #define GSS_S_CALL_INACCESSIBLE_READ \ - (1ul << GSS_C_CALLING_ERROR_OFFSET) - #define GSS_S_CALL_INACCESSIBLE_WRITE \ - (2ul << GSS_C_CALLING_ERROR_OFFSET) - #define GSS_S_CALL_BAD_STRUCTURE \ - (3ul << GSS_C_CALLING_ERROR_OFFSET) - - /* - * Routine errors: - */ - #define GSS_S_BAD_MECH (1ul << - GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_BAD_NAME (2ul << - GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_BAD_NAMETYPE (3ul << - GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_BAD_BINDINGS (4ul << - GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_BAD_STATUS (5ul << - - - -Wray Standards Track [Page 89] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_BAD_SIG (6ul << - GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_BAD_MIC GSS_S_BAD_SIG - #define GSS_S_NO_CRED (7ul << - GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_NO_CONTEXT (8ul << - GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_DEFECTIVE_TOKEN (9ul << - GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_DEFECTIVE_CREDENTIAL (10ul << - GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_CREDENTIALS_EXPIRED (11ul << - GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_CONTEXT_EXPIRED (12ul << - GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_FAILURE (13ul << - GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_BAD_QOP (14ul << - GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_UNAUTHORIZED (15ul << - GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_UNAVAILABLE (16ul << - 
GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_DUPLICATE_ELEMENT (17ul << - GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_NAME_NOT_MN (18ul << - GSS_C_ROUTINE_ERROR_OFFSET) - - /* - * Supplementary info bits: - */ - #define GSS_S_CONTINUE_NEEDED \ - (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 0)) - #define GSS_S_DUPLICATE_TOKEN \ - (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 1)) - #define GSS_S_OLD_TOKEN \ - (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 2)) - #define GSS_S_UNSEQ_TOKEN \ - (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 3)) - #define GSS_S_GAP_TOKEN \ - (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 4)) - - /* - * Finally, function prototypes for the GSS-API routines. - */ - - - - - -Wray Standards Track [Page 90] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - OM_uint32 gss_acquire_cred - (OM_uint32 , /* minor_status */ - const gss_name_t, /* desired_name */ - OM_uint32, /* time_req */ - const gss_OID_set, /* desired_mechs */ - gss_cred_usage_t, /* cred_usage */ - gss_cred_id_t , /* output_cred_handle */ - gss_OID_set , /* actual_mechs */ - OM_uint32 * /* time_rec */ - ); - - OM_uint32 gss_release_cred - (OM_uint32 , /* minor_status */ - gss_cred_id_t * /* cred_handle */ - ); - - OM_uint32 gss_init_sec_context - (OM_uint32 , /* minor_status */ - const gss_cred_id_t, /* initiator_cred_handle */ - gss_ctx_id_t , /* context_handle */ - const gss_name_t, /* target_name */ - const gss_OID, /* mech_type */ - OM_uint32, /* req_flags */ - OM_uint32, /* time_req */ - const gss_channel_bindings_t, - /* input_chan_bindings */ - const gss_buffer_t, /* input_token */ - gss_OID , /* actual_mech_type */ - gss_buffer_t, /* output_token */ - OM_uint32 , /* ret_flags */ - OM_uint32 * /* time_rec */ - ); - - OM_uint32 gss_accept_sec_context - (OM_uint32 , /* minor_status */ - gss_ctx_id_t , /* context_handle */ - const gss_cred_id_t, /* acceptor_cred_handle */ - const gss_buffer_t, /* input_token_buffer */ - const gss_channel_bindings_t, - /* input_chan_bindings */ - gss_name_t , /* src_name */ - gss_OID 
, /* mech_type */ - gss_buffer_t, /* output_token */ - OM_uint32 , /* ret_flags */ - OM_uint32 , /* time_rec */ - gss_cred_id_t * /* delegated_cred_handle */ - ); - - - - -Wray Standards Track [Page 91] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - OM_uint32 gss_process_context_token - (OM_uint32 , /* minor_status */ - const gss_ctx_id_t, /* context_handle */ - const gss_buffer_t /* token_buffer */ - ); - - OM_uint32 gss_delete_sec_context - (OM_uint32 , /* minor_status */ - gss_ctx_id_t , /* context_handle */ - gss_buffer_t /* output_token */ - ); - - OM_uint32 gss_context_time - (OM_uint32 , /* minor_status */ - const gss_ctx_id_t, /* context_handle */ - OM_uint32 * /* time_rec */ - ); - - OM_uint32 gss_get_mic - (OM_uint32 , /* minor_status */ - const gss_ctx_id_t, /* context_handle */ - gss_qop_t, /* qop_req */ - const gss_buffer_t, /* message_buffer */ - gss_buffer_t /* message_token */ - ); - - OM_uint32 gss_verify_mic - (OM_uint32 , /* minor_status */ - const gss_ctx_id_t, /* context_handle */ - const gss_buffer_t, /* message_buffer */ - const gss_buffer_t, /* token_buffer */ - gss_qop_t * /* qop_state */ - ); - - OM_uint32 gss_wrap - (OM_uint32 , /* minor_status */ - const gss_ctx_id_t, /* context_handle */ - int, /* conf_req_flag */ - gss_qop_t, /* qop_req */ - const gss_buffer_t, /* input_message_buffer */ - int , /* conf_state */ - gss_buffer_t /* output_message_buffer */ - ); - - - - - - - - -Wray Standards Track [Page 92] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - OM_uint32 gss_unwrap - (OM_uint32 , /* minor_status */ - const gss_ctx_id_t, /* context_handle */ - const gss_buffer_t, /* input_message_buffer */ - gss_buffer_t, /* output_message_buffer */ - int , /* conf_state */ - gss_qop_t * /* qop_state */ - ); - - - - OM_uint32 gss_display_status - (OM_uint32 , /* minor_status */ - OM_uint32, /* status_value */ - int, /* status_type */ - const gss_OID, /* mech_type */ - OM_uint32 , /* message_context */ - gss_buffer_t /* 
status_string */ - ); - - OM_uint32 gss_indicate_mechs - (OM_uint32 , /* minor_status */ - gss_OID_set * /* mech_set */ - ); - - OM_uint32 gss_compare_name - (OM_uint32 , /* minor_status */ - const gss_name_t, /* name1 */ - const gss_name_t, /* name2 */ - int * /* name_equal */ - ); - - OM_uint32 gss_display_name - (OM_uint32 , /* minor_status */ - const gss_name_t, /* input_name */ - gss_buffer_t, /* output_name_buffer */ - gss_OID * /* output_name_type */ - ); - - OM_uint32 gss_import_name - (OM_uint32 , /* minor_status */ - const gss_buffer_t, /* input_name_buffer */ - const gss_OID, /* input_name_type */ - gss_name_t * /* output_name */ - ); - - - - - - -Wray Standards Track [Page 93] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - OM_uint32 gss_export_name - (OM_uint32, /* minor_status */ - const gss_name_t, /* input_name */ - gss_buffer_t /* exported_name */ - ); - - OM_uint32 gss_release_name - (OM_uint32 *, /* minor_status */ - gss_name_t * /* input_name */ - ); - - OM_uint32 gss_release_buffer - (OM_uint32 , /* minor_status */ - gss_buffer_t /* buffer */ - ); - - OM_uint32 gss_release_oid_set - (OM_uint32 , /* minor_status */ - gss_OID_set * /* set */ - ); - - OM_uint32 gss_inquire_cred - (OM_uint32 , /* minor_status */ - const gss_cred_id_t, /* cred_handle */ - gss_name_t , /* name */ - OM_uint32 , /* lifetime */ - gss_cred_usage_t , /* cred_usage */ - gss_OID_set * /* mechanisms */ - ); - - OM_uint32 gss_inquire_context ( - OM_uint32 , /* minor_status */ - const gss_ctx_id_t, /* context_handle */ - gss_name_t , /* src_name */ - gss_name_t , /* targ_name */ - OM_uint32 , /* lifetime_rec */ - gss_OID , /* mech_type */ - OM_uint32 , /* ctx_flags */ - int , /* locally_initiated */ - int * /* open */ - ); - - - - - - - - - - -Wray Standards Track [Page 94] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - OM_uint32 gss_wrap_size_limit ( - OM_uint32 , /* minor_status */ - const gss_ctx_id_t, /* context_handle */ - int, /* conf_req_flag */ - 
gss_qop_t, /* qop_req */ - OM_uint32, /* req_output_size */ - OM_uint32 * /* max_input_size */ - ); - - OM_uint32 gss_add_cred ( - OM_uint32 , /* minor_status */ - const gss_cred_id_t, /* input_cred_handle */ - const gss_name_t, /* desired_name */ - const gss_OID, /* desired_mech */ - gss_cred_usage_t, /* cred_usage */ - OM_uint32, /* initiator_time_req */ - OM_uint32, /* acceptor_time_req */ - gss_cred_id_t , /* output_cred_handle */ - gss_OID_set , /* actual_mechs */ - OM_uint32 , /* initiator_time_rec */ - OM_uint32 * /* acceptor_time_rec */ - ); - - OM_uint32 gss_inquire_cred_by_mech ( - OM_uint32 , /* minor_status */ - const gss_cred_id_t, /* cred_handle */ - const gss_OID, /* mech_type */ - gss_name_t , /* name */ - OM_uint32 , /* initiator_lifetime */ - OM_uint32 , /* acceptor_lifetime */ - gss_cred_usage_t * /* cred_usage */ - ); - - OM_uint32 gss_export_sec_context ( - OM_uint32 , /* minor_status */ - gss_ctx_id_t , /* context_handle */ - gss_buffer_t /* interprocess_token */ - ); - - OM_uint32 gss_import_sec_context ( - OM_uint32 , /* minor_status */ - const gss_buffer_t, /* interprocess_token */ - gss_ctx_id_t * /* context_handle */ - ); - - - - - - - -Wray Standards Track [Page 95] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - OM_uint32 gss_create_empty_oid_set ( - OM_uint32 , /* minor_status */ - gss_OID_set * /* oid_set */ - ); - - OM_uint32 gss_add_oid_set_member ( - OM_uint32 , /* minor_status */ - const gss_OID, /* member_oid */ - gss_OID_set * /* oid_set */ - ); - - OM_uint32 gss_test_oid_set_member ( - OM_uint32 , /* minor_status */ - const gss_OID, /* member */ - const gss_OID_set, /* set */ - int * /* present */ - ); - - OM_uint32 gss_inquire_names_for_mech ( - OM_uint32 , /* minor_status */ - const gss_OID, /* mechanism */ - gss_OID_set * /* name_types */ - ); - - OM_uint32 gss_inquire_mechs_for_name ( - OM_uint32 , /* minor_status */ - const gss_name_t, /* input_name */ - gss_OID_set * /* mech_types */ - ); - - OM_uint32 
gss_canonicalize_name ( - OM_uint32 , /* minor_status */ - const gss_name_t, /* input_name */ - const gss_OID, /* mech_type */ - gss_name_t * /* output_name */ - ); - - OM_uint32 gss_duplicate_name ( - OM_uint32 , /* minor_status */ - const gss_name_t, /* src_name */ - gss_name_t * /* dest_name */ - ); - - /* - * The following routines are obsolete variants of gss_get_mic, - * gss_verify_mic, gss_wrap and gss_unwrap. They should be - * provided by GSS-API V2 implementations for backwards - * compatibility with V1 applications. Distinct entrypoints - - - -Wray Standards Track [Page 96] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - * (as opposed to #defines) should be provided, both to allow - * GSS-API V1 applications to link against GSS-API V2 - implementations, - * and to retain the slight parameter type differences between the - * obsolete versions of these routines and their current forms. - */ - - OM_uint32 gss_sign - (OM_uint32 , /* minor_status */ - gss_ctx_id_t, /* context_handle */ - int, /* qop_req */ - gss_buffer_t, /* message_buffer */ - gss_buffer_t /* message_token */ - ); - - - OM_uint32 gss_verify - (OM_uint32 , /* minor_status */ - gss_ctx_id_t, /* context_handle */ - gss_buffer_t, /* message_buffer */ - gss_buffer_t, /* token_buffer */ - int * /* qop_state */ - ); - - OM_uint32 gss_seal - (OM_uint32 , /* minor_status */ - gss_ctx_id_t, /* context_handle */ - int, /* conf_req_flag */ - int, /* qop_req */ - gss_buffer_t, /* input_message_buffer */ - int , /* conf_state */ - gss_buffer_t /* output_message_buffer */ - ); - - - OM_uint32 gss_unseal - (OM_uint32 , /* minor_status */ - gss_ctx_id_t, /* context_handle */ - gss_buffer_t, /* input_message_buffer */ - gss_buffer_t, /* output_message_buffer */ - int , /* conf_state */ - int * /* qop_state */ - ); - - #endif /* GSSAPI_H_ */ - - - - - - -Wray Standards Track [Page 97] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - -Appendix B. 
Additional constraints for application binary portability - - The purpose of this C-bindings document is to encourage source-level - portability of applications across GSS-API implementations on - different platforms and atop different mechanisms. Additional goals - that have not been explicitly addressed by this document are link- - time and run-time portability. - - Link-time portability provides the ability to compile an application - against one implementation of GSS-API, and then link it against a - different implementation on the same platform. It is a stricter - requirement than source-level portability. - - Run-time portability differs from link-time portability only on those - platforms that implement dynamically loadable GSS-API - implementations, but do not offer load-time symbol resolution. On - such platforms, run-time portability is a stricter requirement than - link-time portability, and will typically include the precise - placement of the various GSS-API routines within library entrypoint - vectors. - - Individual platforms will impose their own rules that must be - followed to achieve link-time (and run-time, if different) - portability. In order to ensure either form of binary portability, - an ABI specification must be written for GSS-API implementations on - that platform. However, it is recognized that there are some issues - that are likely to be common to all such ABI specifications. This - appendix is intended to be a repository for such common issues, and - contains some suggestions that individual ABI specifications may - choose to reference. Since machine architectures vary greatly, it may - not be possible or desirable to follow these suggestions on all - platforms. - -B.1. Pointers - - While ANSI-C provides a single pointer type for each declared type, - plus a single (void *) type, some platforms (notably those using - segmented memory architectures) augment this with various modified - pointer types (e.g. 
far pointers, near pointers). These language - bindings assume ANSI-C, and thus do not address such non-standard - implementations. GSS-API implementations for such platforms must - choose an appropriate memory model, and should use it consistently - throughout. For example, if a memory model is chosen that requires - the use of far pointers when passing routine parameters, then far - pointers should also be used within the structures defined by GSS- - API. - - - - - -Wray Standards Track [Page 98] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - -B.2. Internal structure alignment - - GSS-API defines several data-structures containing differently-sized - fields. An ABI specification should include a detailed description - of how the fields of such structures are aligned, and if there is any - internal padding in these data structures. The use of compiler - defaults for the platform is recommended. - -B.3. Handle types - - The C bindings specify that the gss_cred_id_t and gss_ctx_id_t types - should be implemented as either pointer or arithmetic types, and that - if pointer types are used, care should be taken to ensure that two - handles may be compared with the == operator. Note that ANSI-C does - not guarantee that two pointer values may be compared with the == - operator unless either the two pointers point to members of a single - array, or at least one of the pointers contains a NULL value. - - For binary portability, additional constraints are required. The - following is an attempt at defining platform-independent constraints. - - The size of the handle type must be the same as sizeof(void *), using - the appropriate memory model. - - The == operator for the chosen type must be a simple bit-wise - comparison. 
That is, for two in-memory handle objects h1 and h2, the - boolean value of the expression - - (h1 == h2) - - should always be the same as the boolean value of the expression - - (memcmp(&h1, &h2, sizeof(h1)) == 0) - - The actual use of the type (void *) for handle types is discouraged, - not for binary portability reasons, but since it effectively disables - much of the compile-time type-checking that the compiler can - otherwise perform, and is therefore not "programmer-friendly". If a - pointer implementation is desired, and if the platform's - implementation of pointers permits, the handles should be implemented - as pointers to distinct implementation-defined types. - -B.4. The gss_name_t type - - The gss_name_t type, representing the internal name object, should be - implemented as a pointer type. The use of the (void *) type is - discouraged as it does not allow the compiler to perform strong - type-checking. However, the pointer type chosen should be of the - - - -Wray Standards Track [Page 99] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - same size as the (void *) type. Provided this rule is obeyed, ABI - specifications need not further constrain the implementation of - gss_name_t objects. - -B.5. The int and size_t types - - Some platforms may support differently sized implementations of the - "int" and "size_t" types, perhaps chosen through compiler switches, - and perhaps dependent on memory model. An ABI specification for such - a platform should include required implementations for these types. - It is recommended that the default implementation (for the chosen - memory model, if appropriate) is chosen. - -B.6. Procedure-calling conventions - - Some platforms support a variety of different binary conventions for - calling procedures. 
Such conventions cover things like the format of - the stack frame, the order in which the routine parameters are pushed - onto the stack, whether or not a parameter count is pushed onto the - stack, whether some argument(s) or return values are to be passed in - registers, and whether the called routine or the caller is - responsible for removing the stack frame on return. For such - platforms, an ABI specification should specify which calling - convention is to be used for GSS-API implementations. - -References - - [GSSAPI] Linn, J., "Generic Security Service Application Program - Interface Version 2, Update 1", RFC 2743, January 2000. - - [XOM] OSI Object Management API Specification, Version 2.0 t", - X.400 API Association & X/Open Company Limited, August - 24, 1990 Specification of datatypes and routines for - manipulating information objects. - -Author's Address - - John Wray - Iris Associates - 5 Technology Park Drive, - Westford, MA 01886 - USA - - Phone: +1-978-392-6689 - EMail: John_Wray@Iris.com - - - - - - -Wray Standards Track [Page 100] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - -Full Copyright Statement - - Copyright (C) The Internet Society (2000). All Rights Reserved. - - This document and translations of it may be copied and furnished to - others, and derivative works that comment on or otherwise explain it - or assist in its implementation may be prepared, copied, published - and distributed, in whole or in part, without restriction of any - kind, provided that the above copyright notice and this paragraph are - included on all such copies and derivative works. 
However, this - document itself may not be modified in any way, such as by removing - the copyright notice or references to the Internet Society or other - Internet organizations, except as needed for the purpose of - developing Internet standards in which case the procedures for - copyrights defined in the Internet Standards process must be - followed, or as required to translate it into languages other than - English. - - The limited permissions granted above are perpetual and will not be - revoked by the Internet Society or its successors or assigns. - - This document and the information contained herein is provided on an - "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING - TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING - BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION - HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF - MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. - -Acknowledgement - - Funding for the RFC Editor function is currently provided by the - Internet Society. - - - - - - - - - - - - - - - - - - - -Wray Standards Track [Page 101] - diff --git a/crypto/heimdal-0.6.3/doc/whatis.texi b/crypto/heimdal-0.6.3/doc/whatis.texi deleted file mode 100644 index eff52d779c..0000000000 --- a/crypto/heimdal-0.6.3/doc/whatis.texi +++ /dev/null 
@@ -1,151 +0,0 @@ -@c $Id: whatis.texi,v 1.5 2001/01/28 22:11:23 assar Exp $ - -@node What is Kerberos?, Building and Installing, Introduction, Top -@chapter What is Kerberos? - -@quotation -@flushleft - Now this Cerberus had three heads of dogs, - the tail of a dragon, and on his back the - heads of all sorts of snakes. - --- Pseudo-Apollodorus Library 2.5.12 -@end flushleft -@end quotation - -Kerberos is a system for authenticating users and services on a network. -It is built upon the assumption that the network is ``unsafe''. For -example, data sent over the network can be eavesdropped and altered, and -addresses can also be faked. Therefore they cannot be used for -authentication purposes. -@cindex authentication - -Kerberos is a trusted third-party service. That means that there is a -third party (the kerberos server) that is trusted by all the entities on -the network (users and services, usually called @dfn{principals}). All -principals share a secret password (or key) with the kerberos server and -this enables principals to verify that the messages from the kerberos -server are authentic. Thus trusting the kerberos server, users and -services can authenticate each other. - -@section Basic mechanism - -@ifinfo -@macro sub{arg} -<\arg\> -@end macro -@end ifinfo - -@tex -@def@xsub#1{$_{#1}$} -@global@let@sub=@xsub -@end tex - -@ifhtml -@macro sub{arg} -<\arg\> -@end macro -@end ifhtml - -@quotation -@strong{Note:} This discussion is about Kerberos version 4, but version -5 works similarly. -@end quotation - -In Kerberos, principals use @dfn{tickets} to prove that they are who -they claim to be. In the following example, @var{A} is the initiator of -the authentication exchange, usually a user, and @var{B} is the service -that @var{A} wishes to use. - -To obtain a ticket for a specific service, @var{A} sends a ticket -request to the kerberos server. The request contains @var{A}'s and -@var{B}'s names (along with some other fields). 
The kerberos server -checks that both @var{A} and @var{B} are valid principals. - -Having verified the validity of the principals, it creates a packet -containing @var{A}'s and @var{B}'s names, @var{A}'s network address -(@var{A@sub{addr}}), the current time (@var{t@sub{issue}}), the lifetime -of the ticket (@var{life}), and a secret @dfn{session key} -@cindex session key -(@var{K@sub{AB}}). This packet is encrypted with @var{B}'s secret key -(@var{K@sub{B}}). The actual ticket (@var{T@sub{AB}}) looks like this: -(@{@var{A}, @var{B}, @var{A@sub{addr}}, @var{t@sub{issue}}, @var{life}, -@var{K@sub{AB}}@}@var{K@sub{B}}). - -The reply to @var{A} consists of the ticket (@var{T@sub{AB}}), @var{B}'s -name, the current time, the lifetime of the ticket, and the session key, all -encrypted in @var{A}'s secret key (@{@var{B}, @var{t@sub{issue}}, -@var{life}, @var{K@sub{AB}}, @var{T@sub{AB}}@}@var{K@sub{A}}). @var{A} -decrypts the reply and retains it for later use. - -@sp 1 - -Before sending a message to @var{B}, @var{A} creates an authenticator -consisting of @var{A}'s name, @var{A}'s address, the current time, and a -``checksum'' chosen by @var{A}, all encrypted with the secret session -key (@{@var{A}, @var{A@sub{addr}}, @var{t@sub{current}}, -@var{checksum}@}@var{K@sub{AB}}). This is sent together with the ticket -received from the kerberos server to @var{B}. Upon reception, @var{B} -decrypts the ticket using @var{B}'s secret key. Since the ticket -contains the session key that the authenticator was encrypted with, -@var{B} can now also decrypt the authenticator. To verify that @var{A} -really is @var{A}, @var{B} now has to compare the contents of the ticket -with that of the authenticator. If everything matches, @var{B} now -considers @var{A} as properly authenticated. 
-
-@c (here we should have some more explanations)
-
-@section Different attacks
-
-@subheading Impersonating A
-
-An impostor, @var{C} could steal the authenticator and the ticket as it
-is transmitted across the network, and use them to impersonate
-@var{A}. The address in the ticket and the authenticator was added to
-make it more difficult to perform this attack. To succeed @var{C} will
-have to either use the same machine as @var{A} or fake the source
-addresses of the packets. By including the time stamp in the
-authenticator, @var{C} does not have much time in which to mount the
-attack.
-
-@subheading Impersonating B
-
-@var{C} can hijack @var{B}'s network address, and when @var{A} sends
-her credentials, @var{C} just pretend to verify them. @var{C} can't
-be sure that she is talking to @var{A}.
-
-@section Defense strategies
-
-It would be possible to add a @dfn{replay cache}
-@cindex replay cache
-to the server side. The idea is to save the authenticators sent during
-the last few minutes, so that @var{B} can detect when someone is trying
-to retransmit an already used message. This is somewhat impractical
-(mostly regarding efficiency), and is not part of Kerberos 4; MIT
-Kerberos 5 contains it.
-
-To authenticate @var{B}, @var{A} might request that @var{B} sends
-something back that proves that @var{B} has access to the session
-key. An example of this is the checksum that @var{A} sent as part of the
-authenticator. One typical procedure is to add one to the checksum,
-encrypt it with the session key and send it back to @var{A}. This is
-called @dfn{mutual authentication}.
-
-The session key can also be used to add cryptographic checksums to the
-messages sent between @var{A} and @var{B} (known as @dfn{message
-integrity}). Encryption can also be added (@dfn{message
-confidentiality}). This is probably the best approach in all cases.
-@cindex integrity
-@cindex confidentiality
-
-@section Further reading
-
-The original paper on Kerberos from 1988 is @cite{Kerberos: An
-Authentication Service for Open Network Systems}, by Jennifer Steiner,
-Clifford Neuman and Jeffrey I. Schiller.
-
-A less technical description can be found in @cite{Designing an
-Authentication System: a Dialogue in Four Scenes} by Bill Bryant, also
-from 1988.
-
-These documents can be found on our web-page at
-@url{http://www.pdc.kth.se/kth-krb/}.
diff --git a/crypto/heimdal-0.6.3/doc/win2k.texi b/crypto/heimdal-0.6.3/doc/win2k.texi
deleted file mode 100644
index 2db4da1e62..0000000000
--- a/crypto/heimdal-0.6.3/doc/win2k.texi
+++ /dev/null
@@ -1,288 +0,0 @@
-@c $Id: win2k.texi,v 1.15 2001/07/19 16:44:41 assar Exp $
-
-@node Windows 2000 compatability, Programming with Kerberos, Kerberos 4 issues, Top
-@comment node-name, next, previous, up
-@chapter Windows 2000 compatability
-
-Windows 2000 (formerly known as Windows NT 5) from Microsoft implements
-Kerberos 5. Their implementation, however, has some quirks,
-peculiarities, and bugs. This chapter is a short summary of the things
-that we have found out while trying to test Heimdal against Windows
-2000. Another big problem with the Kerberos implementation in Windows
-2000 is that the available documentation is more focused on getting
-things to work rather than how they work and not that useful in figuring
-out how things really work.
-
-This information should apply to Heimdal @value{VERSION} and Windows
-2000 Professional. It's of course subject all the time and mostly consists of
-our not so inspired guesses. Hopefully it's still somewhat useful.
-
-@menu
-* Configuring Windows 2000 to use a Heimdal KDC::
-* Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC::
-* Create account mappings::
-* Encryption types::
-* Authorization data::
-* Quirks of Windows 2000 KDC::
-* Useful links when reading about the Windows 2000::
-@end menu
-
-@node Configuring Windows 2000 to use a Heimdal KDC, Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Windows 2000 compatability, Windows 2000 compatability
-@comment node-name, next, precious, up
-@section Configuring Windows 2000 to use a Heimdal KDC
-
-You need the command line program called @code{ksetup.exe} which is available
-in the file @code{SUPPORT/TOOLS/SUPPORT.CAB} on the Windows 2000 Professional
-CD-ROM. This program is used to configure the Kerberos settings on a
-Workstation.
-
-@code{Ksetup} store the domain information under the registry key:
-@code{HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\Kerberos\Domains}.
-
-Use the kadmin program in Heimdal to create a host principal in the
-Kerberos realm.
-
-@example
-unix% kadmin
-kadmin> ank -pw password host/datan.my.domain
-@end example
-
-You must configure the Workstation as a member of a workgroup, as opposed
-to a member in an NT domain, and specify the KDC server of the realm
-as follows:
-@example
-C:> ksetup /setdomain MY.REALM
-C:> ksetup /addkdc MY.REALM kdc.my.domain
-@end example
-
-Set the machine password, i.e. create the local keytab:
-@example
-C:> ksetup /setmachpassword password
-@end example
-
-The workstation must now be rebooted.
-
-A mapping between local NT users and Kerberos principals must be specified,
-you have two choices:
-
-@example
-C:> ksetup /mapuser user@@MY.REALM nt_user
-@end example
-
-This will map a user to a specific principal, this allows you to have
-other usernames in the realm than in your NT user database. (Don't ask
-me why on earth you would want that...)
-
-You can also say:
-@example
-C:> ksetup /mapuser * *
-@end example
-The Windows machine will now map any user to the corresponding principal,
-for example @samp{nisse} to the principal @samp{nisse@@MY.REALM}.
-(This is most likely what you want.)
-
-@node Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Create account mappings, Configuring Windows 2000 to use a Heimdal KDC, Windows 2000 compatability
-@comment node-name, next, precious, up
-@section Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC
-
-See also the Step-by-Step guide from Microsoft, referenced below.
-
-Install Windows 2000, and create a new controller (Active Directory
-Server) for the domain.
-
-By default the trust will be non-transitive. This means that only users
-directly from the trusted domain may authenticate. This can be changed
-to transitive by using the @code{netdom.exe} tool.
-
-You need to tell Windows 2000 on what hosts to find the KDCs for the
-non-Windows realm with @code{ksetup}, see @xref{Configuring Windows 2000
-to use a Heimdal KDC}.
-
-This need to be done on all computers that want enable cross-realm
-login with @code{Mapped Names}.
-
-Then you need to add the inter-realm keys on the Windows kdc. Start the
-Domain Tree Management tool. (Found in Programs, Administrative tools,
-Active Directory Domains and Trusts).
-
-Right click on Properties of your domain, select the Trust tab. Press
-Add on the appropriate trust windows and enter domain name and
-password. When prompted if this is a non-Windows Kerberos realm, press
-OK.
-
-Do not forget to add trusts in both directions.
-
-You also need to add the inter-realm keys to the Heimdal KDC. There are
-some tweaks that you need to do to @file{krb5.conf} beforehand.
-
-@example
-[libdefaults]
- default_etypes = des-cbc-crc
- default_etypes_des = des-cbc-crc
-@end example
-
-since otherwise checksum types that are not understood by Windows 2000
-will be generated (@xref{Quirks of Windows 2000 KDC}.).
-
-Another issue is salting. Since Windows 2000 does not seem to
-understand Kerberos 4 salted hashes you might need to turn off anything
-similar to the following if you have it, at least while adding the
-principals that are going to share keys with Windows 2000.
-
-@example
- [kadmin]default_keys = v5 v4
-@end example
-
-You must also set:
-
-Once that is also done, you can add the required inter-realm keys:
-
-@example
-kadmin add krbtgt/NT.REALM.EXAMPLE.COM@@EXAMPLE.COM
-kadmin add krbtgt/REALM.EXAMPLE.COM@@NT.EXAMPLE.COM
-@end example
-
-Use the same passwords for both keys.
-
-Do not forget to reboot before trying the new realm-trust (after running
-@code{ksetup}). It looks like it might work, but packets are never sent to the
-non-Windows KDC.
-
-@node Create account mappings, Encryption types, Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Windows 2000 compatability
-@comment node-name, next, precious, up
-@section Create account mappings
-
-Start the @code{Active Directory Users and Computers} tool. Select the
-View menu, that is in the left corner just below the real menu (or press
-Alt-V), and select Advanced Features. Right click on the user that you
-are going to do a name mapping for and choose Name mapping.
-
-Click on the Kerberos Names tab and add a new principal from the
-non-Windows domain.
-
-@node Encryption types, Authorization data, Create account mappings, Windows 2000 compatability
-@comment node-name, next, previous, up
-@section Encryption types
-
-Windows 2000 supports both the standard DES encryptions (des-cbc-crc and
-des-cbc-md5) and its own proprietary encryption that is based on MD4 and
-rc4 that is documented in and is supposed to be described in
-@file{draft-brezak-win2k-krb-rc4-hmac-03.txt}. New users will get both
-MD4 and DES keys. Users that are converted from a NT4 database, will
-only have MD4 passwords and will need a password change to get a DES
-key.
-
-Heimdal implements both of these encryption types, but since DES is the
-standard and the hmac-code is somewhat newer, it is likely to work better.
-
-@node Authorization data, Quirks of Windows 2000 KDC, Encryption types, Windows 2000 compatability
-@comment node-name, next, previous, up
-@section Authorization data
-
-The Windows 2000 KDC also adds extra authorization data in tickets.
-It is at this point unclear what triggers it to do this. The format of
-this data is only available under a ``secret'' license from Microsoft,
-which prohibits you implementing it.
-
-A simple way of getting hold of the data to be able to understand it
-better is described here.
-
-@enumerate
-@item Find the client example on using the SSPI in the SDK documentation.
-@item Change ``AuthSamp'' in the source code to lowercase. -@item Build the program. -@item Add the ``authsamp'' principal with a known password to the -database. Make sure it has a DES key. -@item Run @kbd{ktutil add} to add the key for that principal to a -keytab. -@item Run @kbd{appl/test/nt_gss_server -p 2000 -s authsamp ---dump-auth=file} where file is an appropriate file. -@item It should authenticate and dump for you the authorization data in -the file. -@item The tool @kbd{lib/asn1/asn1_print} is somewhat useful for -analyzing the data. -@end enumerate - -@node Quirks of Windows 2000 KDC, Useful links when reading about the Windows 2000, Authorization data, Windows 2000 compatability -@comment node-name, next, previous, up -@section Quirks of Windows 2000 KDC - -There are some issues with salts and Windows 2000. Using an empty salt, -which is the only one that Kerberos 4 supported and is therefore known -as a Kerberos 4 compatible salt does not work, as far as we can tell -from out experiments and users reports. Therefore, you have to make -sure you keep around keys with all the different types of salts that are -required. - -Microsoft seems also to have forgotten to implement the checksum -algorithms @samp{rsa-md4-des} and @samp{rsa-md5-des}. This can make Name -mapping (@pxref{Create account mappings}) fail if a @code{des-cbc-md5} key -is used. To make the KDC return only @code{des-cbc-crc} you must delete -the @code{des-cbc-md5} key from the kdc using the @code{kadmin -del_enctype} command. - -@example -kadmin del_enctype lha des-cbc-md5 -@end example - -You should also add the following entries to the @file{krb5.conf} file: - -@example -[libdefaults] - default_etypes = des-cbc-crc - default_etypes_des = des-cbc-crc -@end example - -These configuration options will make sure that no checksums of the -unsupported types are generated. 
- -@node Useful links when reading about the Windows 2000, , Quirks of Windows 2000 KDC, Windows 2000 compatability -@comment node-name, next, previous, up -@section Useful links when reading about the Windows 2000 - -See also our paper presented at the 2001 usenix Annual Technical -Conference, available in the proceedings or at -@url{http://www.usenix.org/publications/library/proceedings/usenix01/freenix01/westerlund.html}. - -There are lots of text about Kerberos on Microsoft's web site, here is a -short list of the interesting documents that we have managed to find. - -@itemize @bullet - -@item Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability - -@url{http://www.microsoft.com/windows2000/library/planning/security/kerbsteps.asp} -Kerberos GSS-API (in Windows-ize SSPI), Windows as a client in a -non-Windows KDC realm, adding unix clients to a Windows 2000 KDC, and -adding cross-realm trust (@xref{Inter-Realm keys (trust) between Windows 2000 -and a Heimdal KDC}.). - -@item Windows 2000 Kerberos Authentication - -@url{http://www.microsoft.com/TechNet/win2000/win2ksrv/technote/kerberos.asp} -White paper that describes how Kerberos is used in Windows 2000. - -@item Overview of kerberos - -@url{http://support.microsoft.com/support/kb/articles/Q248/7/58.ASP} -Links to useful other links. - -@item Klist for windows - -@url{http://msdn.microsoft.com/library/periodic/period00/security0500.htm} -Describes where to get a klist for Windows 2000. - -@item Event logging for kerberos - -@url{http://support.microsoft.com/support/kb/articles/Q262/1/77.ASP}. -Basicly it say that you can add a registry key -@code{HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\LogLevel} -with value DWORD equal to 1, and then you'll get logging in the Event -Logger. 
-
-@item Access to the active directory through LDAP
-@url{http://msdn.microsoft.com/library/techart/kerberossamp.htm}
-
-@end itemize
-
-Other useful programs include these:
-
-@itemize @bullet
-@item pwdump2
-@url{http://www.webspan.net/~tas/pwdump2/}
-@end itemize
diff --git a/crypto/heimdal-0.6.3/etc/services.append b/crypto/heimdal-0.6.3/etc/services.append
deleted file mode 100644
index 9ee650d974..0000000000
--- a/crypto/heimdal-0.6.3/etc/services.append
+++ /dev/null
@@ -1,29 +0,0 @@
-#
-# $Id: services.append,v 1.6 2001/08/08 15:48:37 assar Exp $
-#
-# Kerberos services
-#
-kerberos 88/udp kerberos-sec # Kerberos v5 UDP
-kerberos 88/tcp kerberos-sec # Kerberos v5 TCP
-kpasswd 464/udp # password changing
-kpasswd 464/tcp # password changing
-klogin 543/tcp # Kerberos authenticated rlogin
-kshell 544/tcp krcmd # and remote shell
-ekshell 545/tcp # Kerberos encrypted remote shell -kfall
-ekshell2 2106/tcp # What U of Colorado @ Boulder uses?
-kerberos-adm 749/udp # v5 kadmin
-kerberos-adm 749/tcp # v5 kadmin
-kerberos-iv 750/udp kdc # Kerberos authentication--udp
-kerberos-iv 750/tcp kdc # Kerberos authentication--tcp
-kerberos_master 751/udp # v4 kadmin
-kerberos_master 751/tcp # v4 kadmin
-krb_prop 754/tcp hprop # Kerberos slave propagation
-kpop 1109/tcp # Pop with Kerberos
-eklogin 2105/tcp # Kerberos encrypted rlogin
-rkinit 2108/tcp # Kerberos remote kinit
-kf 2110/tcp # forward credentials
-kx 2111/tcp # X over kerberos
-kip 2112/tcp # IP over kerberos
-kauth 2120/tcp # Remote kauth
-iprop 2121/tcp # incremental propagation
-krb524 4444/udp # MIT 5->4
diff --git a/crypto/heimdal-0.6.3/include/Makefile.am b/crypto/heimdal-0.6.3/include/Makefile.am
deleted file mode 100644
index c283cd2a49..0000000000
--- a/crypto/heimdal-0.6.3/include/Makefile.am
+++ /dev/null
@@ -1,56 +0,0 @@
-# $Id: Makefile.am,v 1.33 2002/09/10 19:59:25 joda Exp $
-
-include $(top_srcdir)/Makefile.am.common
-
-SUBDIRS = kadm5
-
-noinst_PROGRAMS = bits make_crypto
-CHECK_LOCAL =
-
-INCLUDES += -DHOST=\"$(CANONICAL_HOST)\"
-
-include_HEADERS = krb5-types.h
-noinst_HEADERS = crypto-headers.h
-
-krb5-types.h: bits$(EXEEXT)
- ./bits$(EXEEXT) krb5-types.h
-
-crypto-headers.h: make_crypto$(EXEEXT)
- ./make_crypto$(EXEEXT) crypto-headers.h
-
-CLEANFILES = \
- asn1.h \
- asn1_err.h \
- base64.h \
- com_err.h \
- com_right.h \
- crypto-headers.h\
- der.h \
- des.h \
- editline.h \
- err.h \
- getarg.h \
- glob.h \
- gssapi.h \
- hdb.h \
- hdb_asn1.h \
- hdb_err.h \
- heim_err.h \
- kafs.h \
- krb5-protos.h \
- krb5-private.h \
- krb5-types.h \
- krb5.h \
- krb5_err.h \
- md4.h \
- md5.h \
- rc4.h \
- otp.h \
- parse_time.h \
- parse_units.h \
- resolve.h \
- roken-common.h \
- roken.h \
- sha.h \
- sl.h \
- xdbm.h
diff --git a/crypto/heimdal-0.6.3/include/Makefile.in b/crypto/heimdal-0.6.3/include/Makefile.in
deleted file mode 100644
index 7b18f68078..0000000000
--- a/crypto/heimdal-0.6.3/include/Makefile.in
+++ /dev/null
@@ -1,919 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.33 2002/09/10 19:59:25 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - - -SOURCES = bits.c make_crypto.c - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = .. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(include_HEADERS) $(noinst_HEADERS) \ - $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ - $(srcdir)/config.h.in $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common -noinst_PROGRAMS = bits$(EXEEXT) make_crypto$(EXEEXT) -subdir = include -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 
$(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - $(top_srcdir)/cf/krb-struct-spwd.m4 \ - $(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = config.h -CONFIG_CLEAN_FILES = -PROGRAMS = $(noinst_PROGRAMS) -bits_SOURCES = bits.c -bits_OBJECTS = bits.$(OBJEXT) -bits_LDADD = $(LDADD) -make_crypto_SOURCES = make_crypto.c -make_crypto_OBJECTS = make_crypto.$(OBJEXT) -make_crypto_LDADD = $(LDADD) -DEFAULT_INCLUDES = -I. -I$(srcdir) -I. 
-depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -SOURCES = bits.c make_crypto.c -DIST_SOURCES = bits.c make_crypto.c -RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \ - html-recursive info-recursive install-data-recursive \ - install-exec-recursive install-info-recursive \ - install-recursive installcheck-recursive installdirs-recursive \ - pdf-recursive ps-recursive uninstall-info-recursive \ - uninstall-recursive -am__installdirs = "$(DESTDIR)$(includedir)" -includeHEADERS_INSTALL = $(INSTALL_HEADER) -HEADERS = $(include_HEADERS) $(noinst_HEADERS) -ETAGS = etags -CTAGS = ctags -DIST_SUBDIRS = $(SUBDIRS) -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ 
-EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = 
@LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = 
@ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -DHOST=\"$(CANONICAL_HOST)\" -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = 
groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -SUBDIRS = kadm5 -CHECK_LOCAL = -include_HEADERS = krb5-types.h -noinst_HEADERS = crypto-headers.h -CLEANFILES = \ - asn1.h \ - asn1_err.h \ - base64.h \ - com_err.h \ - com_right.h \ - crypto-headers.h\ - der.h \ - des.h \ - editline.h \ - err.h \ - getarg.h \ - glob.h \ - gssapi.h \ - hdb.h \ - hdb_asn1.h \ - hdb_err.h \ - heim_err.h \ - kafs.h \ - krb5-protos.h \ - krb5-private.h \ - krb5-types.h \ - krb5.h \ - krb5_err.h \ - md4.h \ - md5.h \ - rc4.h \ - otp.h \ - parse_time.h \ - parse_units.h \ - resolve.h \ - roken-common.h \ - roken.h \ - sha.h \ - sl.h \ - xdbm.h - -all: config.h - $(MAKE) $(AM_MAKEFLAGS) all-recursive - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps include/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps include/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' 
in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -config.h: stamp-h1 - @if test ! -f $@; then \ - rm -f stamp-h1; \ - $(MAKE) stamp-h1; \ - else :; fi - -stamp-h1: $(srcdir)/config.h.in $(top_builddir)/config.status - @rm -f stamp-h1 - cd $(top_builddir) && $(SHELL) ./config.status include/config.h -$(srcdir)/config.h.in: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_srcdir) && $(AUTOHEADER) - rm -f stamp-h1 - touch $@ - -distclean-hdr: - -rm -f config.h stamp-h1 - -clean-noinstPROGRAMS: - @list='$(noinst_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -bits$(EXEEXT): $(bits_OBJECTS) $(bits_DEPENDENCIES) - @rm -f bits$(EXEEXT) - $(LINK) $(bits_LDFLAGS) $(bits_OBJECTS) $(bits_LDADD) $(LIBS) -make_crypto$(EXEEXT): $(make_crypto_OBJECTS) $(make_crypto_DEPENDENCIES) - @rm -f make_crypto$(EXEEXT) - $(LINK) $(make_crypto_LDFLAGS) $(make_crypto_OBJECTS) $(make_crypto_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c $< - -.c.obj: - $(COMPILE) -c `$(CYGPATH_W) '$<'` - -.c.lo: - $(LTCOMPILE) -c -o $@ $< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -install-includeHEADERS: $(include_HEADERS) 
- @$(NORMAL_INSTALL) - test -z "$(includedir)" || $(mkdir_p) "$(DESTDIR)$(includedir)" - @list='$(include_HEADERS)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \ - $(includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \ - done - -uninstall-includeHEADERS: - @$(NORMAL_UNINSTALL) - @list='$(include_HEADERS)'; for p in $$list; do \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " rm -f '$(DESTDIR)$(includedir)/$$f'"; \ - rm -f "$(DESTDIR)$(includedir)/$$f"; \ - done - -# This directory's subdirectories are mostly independent; you can cd -# into them and run `make' without going through this Makefile. -# To change the values of `make' variables: instead of editing Makefiles, -# (1) if the variable is set in `config.status', edit `config.status' -# (which will cause the Makefiles to be regenerated when you run `make'); -# (2) otherwise, pass the desired values on the `make' command line. 
-$(RECURSIVE_TARGETS): - @set fnord $$MAKEFLAGS; amf=$$2; \ - dot_seen=no; \ - target=`echo $@ | sed s/-recursive//`; \ - list='$(SUBDIRS)'; for subdir in $$list; do \ - echo "Making $$target in $$subdir"; \ - if test "$$subdir" = "."; then \ - dot_seen=yes; \ - local_target="$$target-am"; \ - else \ - local_target="$$target"; \ - fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ - || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \ - done; \ - if test "$$dot_seen" = "no"; then \ - $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \ - fi; test -z "$$fail" - -mostlyclean-recursive clean-recursive distclean-recursive \ -maintainer-clean-recursive: - @set fnord $$MAKEFLAGS; amf=$$2; \ - dot_seen=no; \ - case "$@" in \ - distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \ - *) list='$(SUBDIRS)' ;; \ - esac; \ - rev=''; for subdir in $$list; do \ - if test "$$subdir" = "."; then :; else \ - rev="$$subdir $$rev"; \ - fi; \ - done; \ - rev="$$rev ."; \ - target=`echo $@ | sed s/-recursive//`; \ - for subdir in $$rev; do \ - echo "Making $$target in $$subdir"; \ - if test "$$subdir" = "."; then \ - local_target="$$target-am"; \ - else \ - local_target="$$target"; \ - fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ - || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \ - done && test -z "$$fail" -tags-recursive: - list='$(SUBDIRS)'; for subdir in $$list; do \ - test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \ - done -ctags-recursive: - list='$(SUBDIRS)'; for subdir in $$list; do \ - test "$$subdir" = . 
|| (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \ - done - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: tags-recursive $(HEADERS) $(SOURCES) config.h.in $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - if (etags --etags-include --version) >/dev/null 2>&1; then \ - include_option=--etags-include; \ - else \ - include_option=--include; \ - fi; \ - list='$(SUBDIRS)'; for subdir in $$list; do \ - if test "$$subdir" = .; then :; else \ - test -f $$subdir/TAGS && \ - tags="$$tags $$include_option=$$here/$$subdir/TAGS"; \ - fi; \ - done; \ - list='$(SOURCES) $(HEADERS) config.h.in $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: ctags-recursive $(HEADERS) $(SOURCES) config.h.in $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) config.h.in $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/.. 
$(distdir)/../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - list='$(SUBDIRS)'; for subdir in $$list; do \ - if test "$$subdir" = .; then :; else \ - test -d "$(distdir)/$$subdir" \ - || mkdir "$(distdir)/$$subdir" \ - || exit 1; \ - (cd $$subdir && \ - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="../$(top_distdir)" \ - distdir="../$(distdir)/$$subdir" \ - distdir) \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-recursive -all-am: Makefile $(PROGRAMS) $(HEADERS) config.h all-local -installdirs: installdirs-recursive -installdirs-am: - for dir in "$(DESTDIR)$(includedir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ - done -install: install-recursive -install-exec: install-exec-recursive -install-data: install-data-recursive -uninstall: uninstall-recursive - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-recursive -install-strip: - $(MAKE) $(AM_MAKEFLAGS) 
INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-recursive - -clean-am: clean-generic clean-libtool clean-noinstPROGRAMS \ - mostlyclean-am - -distclean: distclean-recursive - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-hdr distclean-libtool distclean-tags - -dvi: dvi-recursive - -dvi-am: - -html: html-recursive - -info: info-recursive - -info-am: - -install-data-am: install-includeHEADERS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-recursive - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-recursive - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-recursive - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-recursive - -pdf-am: - -ps: ps-recursive - -ps-am: - -uninstall-am: uninstall-includeHEADERS uninstall-info-am - -uninstall-info: uninstall-info-recursive - -.PHONY: $(RECURSIVE_TARGETS) CTAGS GTAGS all all-am all-local check \ - check-am check-local clean clean-generic clean-libtool \ - clean-noinstPROGRAMS clean-recursive ctags ctags-recursive \ - distclean distclean-compile distclean-generic distclean-hdr \ - distclean-libtool distclean-recursive distclean-tags distdir \ - dvi dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-exec install-exec-am \ - 
install-includeHEADERS install-info install-info-am \ - install-man install-strip installcheck installcheck-am \ - installdirs installdirs-am maintainer-clean \ - maintainer-clean-generic maintainer-clean-recursive \ - mostlyclean mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool mostlyclean-recursive pdf pdf-am ps ps-am \ - tags tags-recursive uninstall uninstall-am \ - uninstall-includeHEADERS uninstall-info-am - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) 
$< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -krb5-types.h: bits$(EXEEXT) - ./bits$(EXEEXT) krb5-types.h - -crypto-headers.h: make_crypto$(EXEEXT) - ./make_crypto$(EXEEXT) crypto-headers.h -# Tell versions [3.59,3.63) of GNU make to not export all variables. 
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/crypto/heimdal-0.6.3/include/bits.c b/crypto/heimdal-0.6.3/include/bits.c
deleted file mode 100644
index 3c517424fb..0000000000
--- a/crypto/heimdal-0.6.3/include/bits.c
+++ /dev/null
@@ -1,240 +0,0 @@
-/*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: bits.c,v 1.22 2002/08/28 16:08:44 joda Exp $");
-#endif
-#include
-#include
-#include
-#include
-
-#define BITSIZE(TYPE) \
-{ \
- int b = 0; TYPE x = 1, zero = 0; const char *pre = "u"; \
- char tmp[128], tmp2[128]; \
- while(x){ x <<= 1; b++; if(x < zero) pre=""; } \
- if(b >= len){ \
- int tabs; \
- sprintf(tmp, "%sint%d_t" , pre, len); \
- sprintf(tmp2, "typedef %s %s;", #TYPE, tmp); \
- tabs = 5 - strlen(tmp2) / 8; \
- fprintf(f, "%s", tmp2); \
- while(tabs-- > 0) fprintf(f, "\t"); \
- fprintf(f, "/* %2d bits */\n", b); \
- return; \
- } \
-}
-
-#ifndef HAVE___ATTRIBUTE__
-#define __attribute__(x)
-#endif
-
-static void
-try_signed(FILE *f, int len) __attribute__ ((unused));
-
-static void
-try_unsigned(FILE *f, int len) __attribute__ ((unused));
-
-static int
-print_bt(FILE *f, int flag) __attribute__ ((unused));
-
-static void
-try_signed(FILE *f, int len)
-{
- BITSIZE(signed char);
- BITSIZE(short);
- BITSIZE(int);
- BITSIZE(long);
-#ifdef HAVE_LONG_LONG
- BITSIZE(long long);
-#endif
- fprintf(f, "/* There is no %d bit type */\n", len);
-}
-
-static void
-try_unsigned(FILE *f, int len)
-{
- BITSIZE(unsigned char);
- BITSIZE(unsigned short);
- BITSIZE(unsigned int);
- BITSIZE(unsigned long);
-#ifdef HAVE_LONG_LONG
- BITSIZE(unsigned long long);
-#endif
- fprintf(f, "/* There is no %d bit type */\n", len);
-}
-
-static int
-print_bt(FILE *f, int flag)
-{
- if(flag == 0){
- fprintf(f, "/* For compatibility with various type definitions */\n");
- fprintf(f, "#ifndef __BIT_TYPES_DEFINED__\n");
- fprintf(f, "#define __BIT_TYPES_DEFINED__\n");
- fprintf(f, "\n");
- }
- return 1;
-}
-
-int main(int argc, char **argv)
-{
- FILE *f;
- int flag;
- char *fn, *hb;
-
- if(argc < 2){
- fn = "bits.h";
- hb = "__BITS_H__";
- f = stdout;
- } else {
- char *p;
- fn = argv[1];
- hb = malloc(strlen(fn) + 5);
- sprintf(hb, "__%s__", fn);
- for(p = hb; *p; p++){
- if(!isalnum((unsigned char)*p))
- *p = '_';
- }
- f = fopen(argv[1], "w");
- }
- fprintf(f, "/* %s -- this file was generated for %s by\n", fn, HOST);
- fprintf(f, " %*s %s */\n\n", (int)strlen(fn), "",
- "$Id: bits.c,v 1.22 2002/08/28 16:08:44 joda Exp $");
- fprintf(f, "#ifndef %s\n", hb);
- fprintf(f, "#define %s\n", hb);
- fprintf(f, "\n");
-#ifdef HAVE_INTTYPES_H
- fprintf(f, "#include \n");
-#endif
-#ifdef HAVE_SYS_TYPES_H
- fprintf(f, "#include \n");
-#endif
-#ifdef HAVE_SYS_BITYPES_H
- fprintf(f, "#include \n");
-#endif
-#ifdef HAVE_BIND_BITYPES_H
- fprintf(f, "#include \n");
-#endif
-#ifdef HAVE_NETINET_IN6_MACHTYPES_H
- fprintf(f, "#include \n");
-#endif
-#ifdef HAVE_SOCKLEN_T
- fprintf(f, "#include \n");
-#endif
- fprintf(f, "\n");
-
- flag = 0;
-#ifndef HAVE_INT8_T
- flag = print_bt(f, flag);
- try_signed (f, 8);
-#endif /* HAVE_INT8_T */
-#ifndef HAVE_INT16_T
- flag = print_bt(f, flag);
- try_signed (f, 16);
-#endif /* HAVE_INT16_T */
-#ifndef HAVE_INT32_T
- flag = print_bt(f, flag);
- try_signed (f, 32);
-#endif /* HAVE_INT32_T */
-#if 0
-#ifndef HAVE_INT64_T
- flag = print_bt(f, flag);
- try_signed (f, 64);
-#endif /* HAVE_INT64_T */
-#endif
-
-#ifndef HAVE_UINT8_T
- flag = print_bt(f, flag);
- try_unsigned (f, 8);
-#endif /* HAVE_UINT8_T */
-#ifndef HAVE_UINT16_T
- flag = print_bt(f, flag);
- try_unsigned (f, 16);
-#endif /* HAVE_UINT16_T */
-#ifndef HAVE_UINT32_T
- flag = print_bt(f, flag);
- try_unsigned (f, 32);
-#endif /* HAVE_UINT32_T */
-#if 0
-#ifndef HAVE_UINT64_T
- flag = print_bt(f, flag);
- try_unsigned (f, 64);
-#endif /* HAVE_UINT64_T */
-#endif
-
-#define X(S) fprintf(f, "typedef uint" #S "_t u_int" #S "_t;\n")
-#ifndef HAVE_U_INT8_T
- flag = print_bt(f, flag);
- X(8);
-#endif /* HAVE_U_INT8_T */
-#ifndef HAVE_U_INT16_T
- flag = print_bt(f, flag);
- X(16);
-#endif /* HAVE_U_INT16_T */
-#ifndef HAVE_U_INT32_T
- flag = print_bt(f, flag);
- X(32);
-#endif /* HAVE_U_INT32_T */
-#if 0
-#ifndef HAVE_U_INT64_T
- flag = print_bt(f, flag);
- X(64);
-#endif /* HAVE_U_INT64_T */
-#endif
-
- if(flag){
- fprintf(f, "\n");
- fprintf(f, "#endif /* __BIT_TYPES_DEFINED__ */\n\n");
- }
-#ifdef KRB5
- fprintf(f, "\n");
-#if defined(HAVE_SOCKLEN_T)
- fprintf(f, "typedef socklen_t krb5_socklen_t;\n");
-#else
- fprintf(f, "typedef int krb5_socklen_t;\n");
-#endif
-#if defined(HAVE_SSIZE_T)
-#ifdef HAVE_UNISTD_H
- fprintf(f, "#include \n");
-#endif
- fprintf(f, "typedef ssize_t krb5_ssize_t;\n");
-#else
- fprintf(f, "typedef int krb5_ssize_t;\n");
-#endif
- fprintf(f, "\n");
-#endif /* KRB5 */
- fprintf(f, "#endif /* %s */\n", hb);
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/include/config.h.in b/crypto/heimdal-0.6.3/include/config.h.in
deleted file mode 100644
index 147b3cef6b..0000000000
--- a/crypto/heimdal-0.6.3/include/config.h.in
+++ /dev/null
@@ -1,1427 +0,0 @@ -/* include/config.h.in. Generated from configure.in by autoheader. */ - -#ifndef RCSID -#define RCSID(msg) \ -static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } -#endif - -/* Maximum values on all known systems */ -#define MaxHostNameLen (64+4) -#define MaxPathLen (1024+4) - - - -/* Define if you want authentication support in telnet. */ -#undef AUTHENTICATION - -/* path to bin */ -#undef BINDIR - -/* Define if realloc(NULL) doesn't work. */ -#undef BROKEN_REALLOC - -/* Define if you want support for DCE/DFS PAG's. */ -#undef DCE - -/* Define if you want to use DES encryption in telnet. */ -#undef DES_ENCRYPTION - -/* Define this to enable diagnostics in telnet. */ -#undef DIAGNOSTICS - -/* Define if you want encryption support in telnet. */ -#undef ENCRYPTION - -/* define if sys/param.h defines the endiness */ -#undef ENDIANESS_IN_SYS_PARAM_H - -/* Define this if you want support for broken ENV_{VAR,VAL} telnets. */ -#undef ENV_HACK - -/* define if prototype of gethostbyaddr is compatible with struct hostent - *gethostbyaddr(const void *, size_t, int) */ -#undef GETHOSTBYADDR_PROTO_COMPATIBLE - -/* define if prototype of gethostbyname is compatible with struct hostent - *gethostbyname(const char *) */ -#undef GETHOSTBYNAME_PROTO_COMPATIBLE - -/* define if prototype of getservbyname is compatible with struct servent - *getservbyname(const char *, const char *) */ -#undef GETSERVBYNAME_PROTO_COMPATIBLE - -/* define if prototype of getsockname is compatible with int getsockname(int, - struct sockaddr*, socklen_t*) */ -#undef GETSOCKNAME_PROTO_COMPATIBLE - -/* Define if you have the `altzone' variable. */ -#undef HAVE_ALTZONE - -/* define if your system declares altzone */ -#undef HAVE_ALTZONE_DECLARATION - -/* Define to 1 if you have the header file. */ -#undef HAVE_ARPA_FTP_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_ARPA_INET_H - -/* Define to 1 if you have the header file. 
*/ -#undef HAVE_ARPA_NAMESER_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_ARPA_TELNET_H - -/* Define to 1 if you have the `asnprintf' function. */ -#undef HAVE_ASNPRINTF - -/* Define to 1 if you have the `asprintf' function. */ -#undef HAVE_ASPRINTF - -/* Define to 1 if you have the `atexit' function. */ -#undef HAVE_ATEXIT - -/* Define to 1 if you have the header file. */ -#undef HAVE_BIND_BITYPES_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_BSDSETJMP_H - -/* Define to 1 if you have the `bswap16' function. */ -#undef HAVE_BSWAP16 - -/* Define to 1 if you have the `bswap32' function. */ -#undef HAVE_BSWAP32 - -/* Define to 1 if you have the header file. */ -#undef HAVE_CAPABILITY_H - -/* Define to 1 if you have the `cap_set_proc' function. */ -#undef HAVE_CAP_SET_PROC - -/* Define to 1 if you have the `cgetent' function. */ -#undef HAVE_CGETENT - -/* Define if you have the function `chown'. */ -#undef HAVE_CHOWN - -/* Define to 1 if you have the header file. */ -#undef HAVE_CONFIG_H - -/* Define if you have the function `copyhostent'. */ -#undef HAVE_COPYHOSTENT - -/* Define to 1 if you have the `crypt' function. */ -#undef HAVE_CRYPT - -/* Define to 1 if you have the header file. */ -#undef HAVE_CRYPT_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_CURSES_H - -/* Define if you have the function `daemon'. */ -#undef HAVE_DAEMON - -/* define if you have a berkeley db1/2 library */ -#undef HAVE_DB1 - -/* define if you have a berkeley db3/4 library */ -#undef HAVE_DB3 - -/* Define to 1 if you have the header file. */ -#undef HAVE_DB3_DB_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_DB4_DB_H - -/* Define to 1 if you have the `dbm_firstkey' function. */ -#undef HAVE_DBM_FIRSTKEY - -/* Define to 1 if you have the header file. */ -#undef HAVE_DBM_H - -/* Define to 1 if you have the `dbopen' function. */ -#undef HAVE_DBOPEN - -/* Define to 1 if you have the header file. 
*/ -#undef HAVE_DB_185_H - -/* Define to 1 if you have the `db_create' function. */ -#undef HAVE_DB_CREATE - -/* Define to 1 if you have the header file. */ -#undef HAVE_DB_H - -/* define if you have ndbm compat in db */ -#undef HAVE_DB_NDBM - -/* Define to 1 if you have the header file. */ -#undef HAVE_DIRENT_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_DLFCN_H - -/* Define to 1 if you have the `dlopen' function. */ -#undef HAVE_DLOPEN - -/* Define to 1 if you have the `dn_expand' function. */ -#undef HAVE_DN_EXPAND - -/* Define if you have the function `ecalloc'. */ -#undef HAVE_ECALLOC - -/* Define to 1 if you have the `el_init' function. */ -#undef HAVE_EL_INIT - -/* Define if you have the function `emalloc'. */ -#undef HAVE_EMALLOC - -/* define if your system declares environ */ -#undef HAVE_ENVIRON_DECLARATION - -/* Define if you have the function `erealloc'. */ -#undef HAVE_EREALLOC - -/* Define if you have the function `err'. */ -#undef HAVE_ERR - -/* Define to 1 if you have the header file. */ -#undef HAVE_ERRNO_H - -/* Define if you have the function `errx'. */ -#undef HAVE_ERRX - -/* Define to 1 if you have the header file. */ -#undef HAVE_ERR_H - -/* Define if you have the function `estrdup'. */ -#undef HAVE_ESTRDUP - -/* Define if you have the function `fchown'. */ -#undef HAVE_FCHOWN - -/* Define to 1 if you have the `fcntl' function. */ -#undef HAVE_FCNTL - -/* Define to 1 if you have the header file. */ -#undef HAVE_FCNTL_H - -/* Define if you have the function `flock'. */ -#undef HAVE_FLOCK - -/* Define if you have the function `fnmatch'. */ -#undef HAVE_FNMATCH - -/* Define to 1 if you have the header file. */ -#undef HAVE_FNMATCH_H - -/* Define if el_init takes four arguments. */ -#undef HAVE_FOUR_VALUED_EL_INIT - -/* define if krb_put_int takes four arguments. */ -#undef HAVE_FOUR_VALUED_KRB_PUT_INT - -/* Define to 1 if you have the `freeaddrinfo' function. 
*/ -#undef HAVE_FREEADDRINFO - -/* Define if you have the function `freehostent'. */ -#undef HAVE_FREEHOSTENT - -/* Define to 1 if you have the `gai_strerror' function. */ -#undef HAVE_GAI_STRERROR - -/* Define to 1 if you have the header file. */ -#undef HAVE_GDBM_NDBM_H - -/* Define to 1 if you have the `getaddrinfo' function. */ -#undef HAVE_GETADDRINFO - -/* Define to 1 if you have the `getconfattr' function. */ -#undef HAVE_GETCONFATTR - -/* Define if you have the function `getcwd'. */ -#undef HAVE_GETCWD - -/* Define if you have the function `getdtablesize'. */ -#undef HAVE_GETDTABLESIZE - -/* Define if you have the function `getegid'. */ -#undef HAVE_GETEGID - -/* Define if you have the function `geteuid'. */ -#undef HAVE_GETEUID - -/* Define if you have the function `getgid'. */ -#undef HAVE_GETGID - -/* Define to 1 if you have the `gethostbyname' function. */ -#undef HAVE_GETHOSTBYNAME - -/* Define to 1 if you have the `gethostbyname2' function. */ -#undef HAVE_GETHOSTBYNAME2 - -/* Define if you have the function `gethostname'. */ -#undef HAVE_GETHOSTNAME - -/* Define if you have the function `getifaddrs'. */ -#undef HAVE_GETIFADDRS - -/* Define if you have the function `getipnodebyaddr'. */ -#undef HAVE_GETIPNODEBYADDR - -/* Define if you have the function `getipnodebyname'. */ -#undef HAVE_GETIPNODEBYNAME - -/* Define to 1 if you have the `getlogin' function. */ -#undef HAVE_GETLOGIN - -/* Define if you have a working getmsg. */ -#undef HAVE_GETMSG - -/* Define to 1 if you have the `getnameinfo' function. */ -#undef HAVE_GETNAMEINFO - -/* Define if you have the function `getopt'. */ -#undef HAVE_GETOPT - -/* Define to 1 if you have the `getpagesize' function. */ -#undef HAVE_GETPAGESIZE - -/* Define to 1 if you have the `getprogname' function. */ -#undef HAVE_GETPROGNAME - -/* Define to 1 if you have the `getpwnam_r' function. */ -#undef HAVE_GETPWNAM_R - -/* Define to 1 if you have the `getrlimit' function. 
*/ -#undef HAVE_GETRLIMIT - -/* Define to 1 if you have the `getsockopt' function. */ -#undef HAVE_GETSOCKOPT - -/* Define to 1 if you have the `getspnam' function. */ -#undef HAVE_GETSPNAM - -/* Define if you have the function `gettimeofday'. */ -#undef HAVE_GETTIMEOFDAY - -/* Define to 1 if you have the `getudbnam' function. */ -#undef HAVE_GETUDBNAM - -/* Define if you have the function `getuid'. */ -#undef HAVE_GETUID - -/* Define if you have the function `getusershell'. */ -#undef HAVE_GETUSERSHELL - -/* define if you have a glob() that groks GLOB_BRACE, GLOB_NOCHECK, - GLOB_QUOTE, GLOB_TILDE, and GLOB_LIMIT */ -#undef HAVE_GLOB - -/* Define to 1 if you have the `grantpt' function. */ -#undef HAVE_GRANTPT - -/* Define to 1 if you have the header file. */ -#undef HAVE_GRP_H - -/* Define to 1 if you have the `hstrerror' function. */ -#undef HAVE_HSTRERROR - -/* Define if you have the `h_errlist' variable. */ -#undef HAVE_H_ERRLIST - -/* define if your system declares h_errlist */ -#undef HAVE_H_ERRLIST_DECLARATION - -/* Define if you have the `h_errno' variable. */ -#undef HAVE_H_ERRNO - -/* define if your system declares h_errno */ -#undef HAVE_H_ERRNO_DECLARATION - -/* Define if you have the `h_nerr' variable. */ -#undef HAVE_H_NERR - -/* define if your system declares h_nerr */ -#undef HAVE_H_NERR_DECLARATION - -/* Define to 1 if you have the header file. */ -#undef HAVE_IFADDRS_H - -/* Define if you have the in6addr_loopback variable */ -#undef HAVE_IN6ADDR_LOOPBACK - -/* define */ -#undef HAVE_INET_ATON - -/* define */ -#undef HAVE_INET_NTOP - -/* define */ -#undef HAVE_INET_PTON - -/* Define if you have the function `initgroups'. */ -#undef HAVE_INITGROUPS - -/* Define to 1 if you have the `initstate' function. */ -#undef HAVE_INITSTATE - -/* Define if you have the function `innetgr'. */ -#undef HAVE_INNETGR - -/* Define to 1 if the system has the type `int16_t'. */ -#undef HAVE_INT16_T - -/* Define to 1 if the system has the type `int32_t'. 
*/ -#undef HAVE_INT32_T - -/* Define to 1 if the system has the type `int64_t'. */ -#undef HAVE_INT64_T - -/* Define to 1 if the system has the type `int8_t'. */ -#undef HAVE_INT8_T - -/* Define to 1 if you have the header file. */ -#undef HAVE_INTTYPES_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_IO_H - -/* Define if you have IPv6. */ -#undef HAVE_IPV6 - -/* Define if you have the function `iruserok'. */ -#undef HAVE_IRUSEROK - -/* Define to 1 if you have the `issetugid' function. */ -#undef HAVE_ISSETUGID - -/* Define to 1 if you have the `krb_disable_debug' function. */ -#undef HAVE_KRB_DISABLE_DEBUG - -/* Define to 1 if you have the `krb_enable_debug' function. */ -#undef HAVE_KRB_ENABLE_DEBUG - -/* Define to 1 if you have the `krb_get_kdc_time_diff' function. */ -#undef HAVE_KRB_GET_KDC_TIME_DIFF - -/* Define to 1 if you have the `krb_get_our_ip_for_realm' function. */ -#undef HAVE_KRB_GET_OUR_IP_FOR_REALM - -/* Define to 1 if you have the `krb_kdctimeofday' function. */ -#undef HAVE_KRB_KDCTIMEOFDAY - -/* Define to 1 if you have the header file. */ -#undef HAVE_LIBUTIL_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_LIMITS_H - -/* Define to 1 if you have the `loadquery' function. */ -#undef HAVE_LOADQUERY - -/* Define if you have the function `localtime_r'. */ -#undef HAVE_LOCALTIME_R - -/* Define to 1 if you have the `logout' function. */ -#undef HAVE_LOGOUT - -/* Define to 1 if you have the `logwtmp' function. */ -#undef HAVE_LOGWTMP - -/* Define to 1 if the system has the type `long long'. */ -#undef HAVE_LONG_LONG - -/* Define if you have the function `lstat'. */ -#undef HAVE_LSTAT - -/* Define to 1 if you have the header file. */ -#undef HAVE_MAILLOCK_H - -/* Define if you have the function `memmove'. */ -#undef HAVE_MEMMOVE - -/* Define to 1 if you have the header file. */ -#undef HAVE_MEMORY_H - -/* Define if you have the function `mkstemp'. 
*/ -#undef HAVE_MKSTEMP - -/* Define to 1 if you have the `mktime' function. */ -#undef HAVE_MKTIME - -/* Define to 1 if you have a working `mmap' system call. */ -#undef HAVE_MMAP - -/* define if you have a ndbm library */ -#undef HAVE_NDBM - -/* Define to 1 if you have the header file. */ -#undef HAVE_NDBM_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_NETDB_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_NETGROUP_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_NETINET6_IN6_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_NETINET6_IN6_VAR_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_NETINET_IN6_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_NETINET_IN6_MACHTYPES_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_NETINET_IN_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_NETINET_IN_SYSTM_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_NETINET_IP_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_NETINET_TCP_H - -/* Define if you want to use Netinfo instead of krb5.conf. */ -#undef HAVE_NETINFO - -/* Define to 1 if you have the header file. */ -#undef HAVE_NETINFO_NI_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_NET_IF_H - -/* Define if NDBM really is DB (creates files *.db) */ -#undef HAVE_NEW_DB - -/* define if you have hash functions like md4_finito() */ -#undef HAVE_OLD_HASH_NAMES - -/* Define to 1 if you have the `on_exit' function. */ -#undef HAVE_ON_EXIT - -/* Define to 1 if you have the `openpty' function. 
*/ -#undef HAVE_OPENPTY - -/* define to use openssl's libcrypto */ -#undef HAVE_OPENSSL - -/* define if your system declares optarg */ -#undef HAVE_OPTARG_DECLARATION - -/* define if your system declares opterr */ -#undef HAVE_OPTERR_DECLARATION - -/* define if your system declares optind */ -#undef HAVE_OPTIND_DECLARATION - -/* define if your system declares optopt */ -#undef HAVE_OPTOPT_DECLARATION - -/* Define to enable basic OSF C2 support. */ -#undef HAVE_OSFC2 - -/* Define to 1 if you have the header file. */ -#undef HAVE_PATHS_H - -/* Define to 1 if you have the `pidfile' function. */ -#undef HAVE_PIDFILE - -/* Define to 1 if you have the header file. */ -#undef HAVE_PTHREAD_H - -/* Define to 1 if you have the `ptsname' function. */ -#undef HAVE_PTSNAME - -/* Define to 1 if you have the header file. */ -#undef HAVE_PTY_H - -/* Define if you have the function `putenv'. */ -#undef HAVE_PUTENV - -/* Define to 1 if you have the header file. */ -#undef HAVE_PWD_H - -/* Define to 1 if you have the `rand' function. */ -#undef HAVE_RAND - -/* Define to 1 if you have the `random' function. */ -#undef HAVE_RANDOM - -/* Define if you have the function `rcmd'. */ -#undef HAVE_RCMD - -/* Define if you have a readline compatible library. */ -#undef HAVE_READLINE - -/* Define if you have the function `readv'. */ -#undef HAVE_READV - -/* Define if you have the function `recvmsg'. */ -#undef HAVE_RECVMSG - -/* Define to 1 if you have the header file. */ -#undef HAVE_RESOLV_H - -/* Define to 1 if you have the `res_nsearch' function. */ -#undef HAVE_RES_NSEARCH - -/* Define to 1 if you have the `res_search' function. */ -#undef HAVE_RES_SEARCH - -/* Define to 1 if you have the `revoke' function. */ -#undef HAVE_REVOKE - -/* Define to 1 if you have the header file. */ -#undef HAVE_RPCSVC_YPCLNT_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SAC_H - -/* Define to 1 if the system has the type `sa_family_t'. 
*/ -#undef HAVE_SA_FAMILY_T - -/* Define to 1 if you have the header file. */ -#undef HAVE_SECURITY_PAM_MODULES_H - -/* Define to 1 if you have the `select' function. */ -#undef HAVE_SELECT - -/* Define if you have the function `sendmsg'. */ -#undef HAVE_SENDMSG - -/* Define if you have the function `setegid'. */ -#undef HAVE_SETEGID - -/* Define if you have the function `setenv'. */ -#undef HAVE_SETENV - -/* Define if you have the function `seteuid'. */ -#undef HAVE_SETEUID - -/* Define to 1 if you have the `setitimer' function. */ -#undef HAVE_SETITIMER - -/* Define to 1 if you have the `setlim' function. */ -#undef HAVE_SETLIM - -/* Define to 1 if you have the `setlogin' function. */ -#undef HAVE_SETLOGIN - -/* Define to 1 if you have the `setpcred' function. */ -#undef HAVE_SETPCRED - -/* Define to 1 if you have the `setpgid' function. */ -#undef HAVE_SETPGID - -/* Define to 1 if you have the `setproctitle' function. */ -#undef HAVE_SETPROCTITLE - -/* Define to 1 if you have the `setprogname' function. */ -#undef HAVE_SETPROGNAME - -/* Define to 1 if you have the `setregid' function. */ -#undef HAVE_SETREGID - -/* Define to 1 if you have the `setresgid' function. */ -#undef HAVE_SETRESGID - -/* Define to 1 if you have the `setresuid' function. */ -#undef HAVE_SETRESUID - -/* Define to 1 if you have the `setreuid' function. */ -#undef HAVE_SETREUID - -/* Define to 1 if you have the `setsid' function. */ -#undef HAVE_SETSID - -/* Define to 1 if you have the `setsockopt' function. */ -#undef HAVE_SETSOCKOPT - -/* Define to 1 if you have the `setstate' function. */ -#undef HAVE_SETSTATE - -/* Define to 1 if you have the `setutent' function. */ -#undef HAVE_SETUTENT - -/* Define to 1 if you have the `sgi_getcapabilitybyname' function. */ -#undef HAVE_SGI_GETCAPABILITYBYNAME - -/* Define to 1 if you have the header file. */ -#undef HAVE_SGTTY_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SHADOW_H - -/* Define to 1 if you have the header file. 
*/ -#undef HAVE_SIAD_H - -/* Define to 1 if you have the `sigaction' function. */ -#undef HAVE_SIGACTION - -/* Define to 1 if you have the header file. */ -#undef HAVE_SIGNAL_H - -/* define if you have a working snprintf */ -#undef HAVE_SNPRINTF - -/* Define to 1 if you have the `socket' function. */ -#undef HAVE_SOCKET - -/* Define to 1 if the system has the type `socklen_t'. */ -#undef HAVE_SOCKLEN_T - -/* Define to 1 if the system has the type `ssize_t'. */ -#undef HAVE_SSIZE_T - -/* Define to 1 if you have the header file. */ -#undef HAVE_STANDARDS_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_STDINT_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_STDLIB_H - -/* Define if you have the function `strcasecmp'. */ -#undef HAVE_STRCASECMP - -/* Define if you have the function `strdup'. */ -#undef HAVE_STRDUP - -/* Define if you have the function `strerror'. */ -#undef HAVE_STRERROR - -/* Define if you have the function `strftime'. */ -#undef HAVE_STRFTIME - -/* Define to 1 if you have the header file. */ -#undef HAVE_STRINGS_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_STRING_H - -/* Define if you have the function `strlcat'. */ -#undef HAVE_STRLCAT - -/* Define if you have the function `strlcpy'. */ -#undef HAVE_STRLCPY - -/* Define if you have the function `strlwr'. */ -#undef HAVE_STRLWR - -/* Define if you have the function `strncasecmp'. */ -#undef HAVE_STRNCASECMP - -/* Define if you have the function `strndup'. */ -#undef HAVE_STRNDUP - -/* Define if you have the function `strnlen'. */ -#undef HAVE_STRNLEN - -/* Define to 1 if you have the header file. */ -#undef HAVE_STROPTS_H - -/* Define if you have the function `strptime'. */ -#undef HAVE_STRPTIME - -/* Define if you have the function `strsep'. */ -#undef HAVE_STRSEP - -/* Define if you have the function `strsep_copy'. */ -#undef HAVE_STRSEP_COPY - -/* Define to 1 if you have the `strstr' function. 
*/ -#undef HAVE_STRSTR - -/* Define to 1 if you have the `strsvis' function. */ -#undef HAVE_STRSVIS - -/* Define if you have the function `strtok_r'. */ -#undef HAVE_STRTOK_R - -/* Define to 1 if the system has the type `struct addrinfo'. */ -#undef HAVE_STRUCT_ADDRINFO - -/* Define to 1 if the system has the type `struct ifaddrs'. */ -#undef HAVE_STRUCT_IFADDRS - -/* Define to 1 if the system has the type `struct iovec'. */ -#undef HAVE_STRUCT_IOVEC - -/* Define to 1 if the system has the type `struct msghdr'. */ -#undef HAVE_STRUCT_MSGHDR - -/* Define to 1 if the system has the type `struct sockaddr'. */ -#undef HAVE_STRUCT_SOCKADDR - -/* Define if struct sockaddr has field sa_len. */ -#undef HAVE_STRUCT_SOCKADDR_SA_LEN - -/* Define to 1 if the system has the type `struct sockaddr_storage'. */ -#undef HAVE_STRUCT_SOCKADDR_STORAGE - -/* define if you have struct spwd */ -#undef HAVE_STRUCT_SPWD - -/* Define if struct tm has field tm_gmtoff. */ -#undef HAVE_STRUCT_TM_TM_GMTOFF - -/* Define if struct tm has field tm_zone. */ -#undef HAVE_STRUCT_TM_TM_ZONE - -/* Define if struct utmpx has field ut_exit. */ -#undef HAVE_STRUCT_UTMPX_UT_EXIT - -/* Define if struct utmpx has field ut_syslen. */ -#undef HAVE_STRUCT_UTMPX_UT_SYSLEN - -/* Define if struct utmp has field ut_addr. */ -#undef HAVE_STRUCT_UTMP_UT_ADDR - -/* Define if struct utmp has field ut_host. */ -#undef HAVE_STRUCT_UTMP_UT_HOST - -/* Define if struct utmp has field ut_id. */ -#undef HAVE_STRUCT_UTMP_UT_ID - -/* Define if struct utmp has field ut_pid. */ -#undef HAVE_STRUCT_UTMP_UT_PID - -/* Define if struct utmp has field ut_type. */ -#undef HAVE_STRUCT_UTMP_UT_TYPE - -/* Define if struct utmp has field ut_user. */ -#undef HAVE_STRUCT_UTMP_UT_USER - -/* define if struct winsize is declared in sys/termios.h */ -#undef HAVE_STRUCT_WINSIZE - -/* Define to 1 if you have the `strunvis' function. */ -#undef HAVE_STRUNVIS - -/* Define if you have the function `strupr'. 
*/ -#undef HAVE_STRUPR - -/* Define to 1 if you have the `strvis' function. */ -#undef HAVE_STRVIS - -/* Define to 1 if you have the `strvisx' function. */ -#undef HAVE_STRVISX - -/* Define to 1 if you have the `svis' function. */ -#undef HAVE_SVIS - -/* Define if you have the function `swab'. */ -#undef HAVE_SWAB - -/* Define to 1 if you have the `sysconf' function. */ -#undef HAVE_SYSCONF - -/* Define to 1 if you have the `sysctl' function. */ -#undef HAVE_SYSCTL - -/* Define to 1 if you have the `syslog' function. */ -#undef HAVE_SYSLOG - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYSLOG_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_BITYPES_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_BSWAP_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_CAPABILITY_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_CATEGORY_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_FILE_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_FILIO_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_IOCCOM_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_IOCTL_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_MMAN_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_PARAM_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_PROC_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_PTYIO_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_PTYVAR_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_PTY_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_RESOURCE_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_SELECT_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_SOCKET_H - -/* Define to 1 if you have the header file. 
*/ -#undef HAVE_SYS_SOCKIO_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_STAT_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_STREAM_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_STROPTS_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_STRTTY_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_STR_TTY_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_SYSCALL_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_SYSCTL_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_TERMIO_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_TIMEB_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_TIMES_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_TIME_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_TTY_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_TYPES_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_UIO_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_UN_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_UTSNAME_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_WAIT_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_TERMCAP_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_TERMIOS_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_TERMIO_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_TERM_H - -/* Define to 1 if you have the `tgetent' function. */ -#undef HAVE_TGETENT - -/* Define to 1 if you have the `timegm' function. */ -#undef HAVE_TIMEGM - -/* Define if you have the `timezone' variable. */ -#undef HAVE_TIMEZONE - -/* define if your system declares timezone */ -#undef HAVE_TIMEZONE_DECLARATION - -/* Define to 1 if you have the header file. 
*/ -#undef HAVE_TIME_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_TMPDIR_H - -/* Define to 1 if you have the `ttyname' function. */ -#undef HAVE_TTYNAME - -/* Define to 1 if you have the `ttyslot' function. */ -#undef HAVE_TTYSLOT - -/* Define to 1 if you have the header file. */ -#undef HAVE_UDB_H - -/* Define to 1 if the system has the type `uint16_t'. */ -#undef HAVE_UINT16_T - -/* Define to 1 if the system has the type `uint32_t'. */ -#undef HAVE_UINT32_T - -/* Define to 1 if the system has the type `uint64_t'. */ -#undef HAVE_UINT64_T - -/* Define to 1 if the system has the type `uint8_t'. */ -#undef HAVE_UINT8_T - -/* Define to 1 if you have the `umask' function. */ -#undef HAVE_UMASK - -/* Define to 1 if you have the `uname' function. */ -#undef HAVE_UNAME - -/* Define to 1 if you have the header file. */ -#undef HAVE_UNISTD_H - -/* Define to 1 if you have the `unlockpt' function. */ -#undef HAVE_UNLOCKPT - -/* Define if you have the function `unsetenv'. */ -#undef HAVE_UNSETENV - -/* Define to 1 if you have the `unvis' function. */ -#undef HAVE_UNVIS - -/* Define to 1 if you have the header file. */ -#undef HAVE_USERCONF_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_USERSEC_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_UTIL_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_UTMPX_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_UTMP_H - -/* Define to 1 if the system has the type `u_int16_t'. */ -#undef HAVE_U_INT16_T - -/* Define to 1 if the system has the type `u_int32_t'. */ -#undef HAVE_U_INT32_T - -/* Define to 1 if the system has the type `u_int64_t'. */ -#undef HAVE_U_INT64_T - -/* Define to 1 if the system has the type `u_int8_t'. */ -#undef HAVE_U_INT8_T - -/* Define to 1 if you have the `vasnprintf' function. */ -#undef HAVE_VASNPRINTF - -/* Define to 1 if you have the `vasprintf' function. */ -#undef HAVE_VASPRINTF - -/* Define if you have the function `verr'. 
*/ -#undef HAVE_VERR - -/* Define if you have the function `verrx'. */ -#undef HAVE_VERRX - -/* Define to 1 if you have the `vhangup' function. */ -#undef HAVE_VHANGUP - -/* Define to 1 if you have the `vis' function. */ -#undef HAVE_VIS - -/* Define to 1 if you have the header file. */ -#undef HAVE_VIS_H - -/* define if you have a working vsnprintf */ -#undef HAVE_VSNPRINTF - -/* Define if you have the function `vsyslog'. */ -#undef HAVE_VSYSLOG - -/* Define if you have the function `vwarn'. */ -#undef HAVE_VWARN - -/* Define if you have the function `vwarnx'. */ -#undef HAVE_VWARNX - -/* Define if you have the function `warn'. */ -#undef HAVE_WARN - -/* Define if you have the function `warnx'. */ -#undef HAVE_WARNX - -/* Define if you have the function `writev'. */ -#undef HAVE_WRITEV - -/* define if struct winsize has ws_xpixel */ -#undef HAVE_WS_XPIXEL - -/* define if struct winsize has ws_ypixel */ -#undef HAVE_WS_YPIXEL - -/* Define to 1 if you have the `XauFileName' function. */ -#undef HAVE_XAUFILENAME - -/* Define to 1 if you have the `XauReadAuth' function. */ -#undef HAVE_XAUREADAUTH - -/* Define to 1 if you have the `XauWriteAuth' function. */ -#undef HAVE_XAUWRITEAUTH - -/* Define to 1 if you have the `yp_get_default_domain' function. */ -#undef HAVE_YP_GET_DEFAULT_DOMAIN - -/* Define to 1 if you have the `_getpty' function. */ -#undef HAVE__GETPTY - -/* Define if you have the `_res' variable. */ -#undef HAVE__RES - -/* define if your system declares _res */ -#undef HAVE__RES_DECLARATION - -/* Define to 1 if you have the `_scrsize' function. */ -#undef HAVE__SCRSIZE - -/* define if your compiler has __attribute__ */ -#undef HAVE___ATTRIBUTE__ - -/* Define if you have the `__progname' variable. */ -#undef HAVE___PROGNAME - -/* define if your system declares __progname */ -#undef HAVE___PROGNAME_DECLARATION - -/* Define if you have the hesiod package. */ -#undef HESIOD - -/* Define if you are running IRIX 4. 
*/ -#undef IRIX4 - -/* Define if you have the krb4 package. */ -#undef KRB4 - -/* Enable Kerberos 5 support in applications. */ -#undef KRB5 - -/* Define if krb_mk_req takes const char * */ -#undef KRB_MK_REQ_CONST - -/* This is the krb4 sendauth version. */ -#undef KRB_SENDAUTH_VERS - -/* Define to zero if your krb.h doesn't */ -#undef KRB_VERIFY_NOT_SECURE - -/* Define to one if your krb.h doesn't */ -#undef KRB_VERIFY_SECURE - -/* Define to two if your krb.h doesn't */ -#undef KRB_VERIFY_SECURE_FAIL - -/* path to lib */ -#undef LIBDIR - -/* path to libexec */ -#undef LIBEXECDIR - -/* path to localstate */ -#undef LOCALSTATEDIR - -/* define if the system is missing a prototype for asnprintf() */ -#undef NEED_ASNPRINTF_PROTO - -/* define if the system is missing a prototype for asprintf() */ -#undef NEED_ASPRINTF_PROTO - -/* define if the system is missing a prototype for crypt() */ -#undef NEED_CRYPT_PROTO - -/* define if the system is missing a prototype for gethostname() */ -#undef NEED_GETHOSTNAME_PROTO - -/* define if the system is missing a prototype for getusershell() */ -#undef NEED_GETUSERSHELL_PROTO - -/* define if the system is missing a prototype for glob() */ -#undef NEED_GLOB_PROTO - -/* define if the system is missing a prototype for hstrerror() */ -#undef NEED_HSTRERROR_PROTO - -/* define if the system is missing a prototype for inet_aton() */ -#undef NEED_INET_ATON_PROTO - -/* define if the system is missing a prototype for mkstemp() */ -#undef NEED_MKSTEMP_PROTO - -/* define if the system is missing a prototype for setenv() */ -#undef NEED_SETENV_PROTO - -/* define if the system is missing a prototype for snprintf() */ -#undef NEED_SNPRINTF_PROTO - -/* define if the system is missing a prototype for strndup() */ -#undef NEED_STRNDUP_PROTO - -/* define if the system is missing a prototype for strsep() */ -#undef NEED_STRSEP_PROTO - -/* define if the system is missing a prototype for strsvis() */ -#undef NEED_STRSVIS_PROTO - -/* define if the 
system is missing a prototype for strtok_r() */ -#undef NEED_STRTOK_R_PROTO - -/* define if the system is missing a prototype for strunvis() */ -#undef NEED_STRUNVIS_PROTO - -/* define if the system is missing a prototype for strvisx() */ -#undef NEED_STRVISX_PROTO - -/* define if the system is missing a prototype for strvis() */ -#undef NEED_STRVIS_PROTO - -/* define if the system is missing a prototype for svis() */ -#undef NEED_SVIS_PROTO - -/* define if the system is missing a prototype for unsetenv() */ -#undef NEED_UNSETENV_PROTO - -/* define if the system is missing a prototype for unvis() */ -#undef NEED_UNVIS_PROTO - -/* define if the system is missing a prototype for vasnprintf() */ -#undef NEED_VASNPRINTF_PROTO - -/* define if the system is missing a prototype for vasprintf() */ -#undef NEED_VASPRINTF_PROTO - -/* define if the system is missing a prototype for vis() */ -#undef NEED_VIS_PROTO - -/* define if the system is missing a prototype for vsnprintf() */ -#undef NEED_VSNPRINTF_PROTO - -/* Define if you don't want to use mmap. */ -#undef NO_MMAP - -/* Define this to enable old environment option in telnet. */ -#undef OLD_ENVIRON - -/* Define if you have the openldap package. */ -#undef OPENLDAP - -/* define if prototype of openlog is compatible with void openlog(const char - *, int, int) */ -#undef OPENLOG_PROTO_COMPATIBLE - -/* Define if you want OTP support in applications. */ -#undef OTP - -/* Name of package */ -#undef PACKAGE - -/* Define to the address where bug reports for this package should be sent. */ -#undef PACKAGE_BUGREPORT - -/* Define to the full name of this package. */ -#undef PACKAGE_NAME - -/* Define to the full name and version of this package. */ -#undef PACKAGE_STRING - -/* Define to the one symbol short name of this package. */ -#undef PACKAGE_TARNAME - -/* Define to the version of this package. */ -#undef PACKAGE_VERSION - -/* Define if getlogin has POSIX flavour (and not BSD). 
*/ -#undef POSIX_GETLOGIN - -/* Define if getpwnam_r has POSIX flavour. */ -#undef POSIX_GETPWNAM_R - -/* Define if you have the readline package. */ -#undef READLINE - -/* Define as the return type of signal handlers (`int' or `void'). */ -#undef RETSIGTYPE - -/* path to sbin */ -#undef SBINDIR - -/* Define to 1 if you have the ANSI C header files. */ -#undef STDC_HEADERS - -/* Define if you have streams ptys. */ -#undef STREAMSPTY - -/* path to sysconf */ -#undef SYSCONFDIR - -/* Define to what version of SunOS you are running. */ -#undef SunOS - -/* Define to 1 if you can safely include both and . */ -#undef TIME_WITH_SYS_TIME - -/* Define to 1 if your declares `struct tm'. */ -#undef TM_IN_SYS_TIME - -/* Version number of package */ -#undef VERSION - -/* Define if signal handlers return void. */ -#undef VOID_RETSIGTYPE - -/* define if target is big endian */ -#undef WORDS_BIGENDIAN - -/* Define to 1 if the X Window System is missing or not being used. */ -#undef X_DISPLAY_MISSING - -/* Define to 1 if `lex' declares `yytext' as a `char *' by default, not a - `char[]'. */ -#undef YYTEXT_POINTER - -/* Number of bits in a file offset, on hosts where this is settable. */ -#undef _FILE_OFFSET_BITS - -/* Define to enable extensions on glibc-based systems such as Linux. */ -#undef _GNU_SOURCE - -/* Define for large files, on AIX-style hosts. */ -#undef _LARGE_FILES - -/* Define to empty if `const' does not conform to ANSI C. */ -#undef const - -/* Define to `int' if doesn't define. */ -#undef gid_t - -/* Define to `__inline__' or `__inline' if that's what the C compiler - calls it, or to nothing if 'inline' is not supported under any name. */ -#ifndef __cplusplus -#undef inline -#endif - -/* Define this to what the type mode_t should be. */ -#undef mode_t - -/* Define to `long' if does not define. */ -#undef off_t - -/* Define to `int' if does not define. */ -#undef pid_t - -/* Define this to what the type sig_atomic_t should be. 
*/ -#undef sig_atomic_t - -/* Define to `unsigned' if does not define. */ -#undef size_t - -/* Define to `int' if doesn't define. */ -#undef uid_t - -#if defined(HAVE_FOUR_VALUED_KRB_PUT_INT) || !defined(KRB4) -#define KRB_PUT_INT(F, T, L, S) krb_put_int((F), (T), (L), (S)) -#else -#define KRB_PUT_INT(F, T, L, S) krb_put_int((F), (T), (S)) -#endif - - - -#if defined(ENCRYPTION) && !defined(AUTHENTICATION) -#define AUTHENTICATION 1 -#endif - -/* Set this to the default system lead string for telnetd - * can contain %-escapes: %s=sysname, %m=machine, %r=os-release - * %v=os-version, %t=tty, %h=hostname, %d=date and time - */ -#undef USE_IM - -/* Used with login -p */ -#undef LOGIN_ARGS - -/* set this to a sensible login */ -#ifndef LOGIN_PATH -#define LOGIN_PATH BINDIR "/login" -#endif - - -#ifdef ROKEN_RENAME -#include "roken_rename.h" -#endif - -#ifndef HAVE_KRB_KDCTIMEOFDAY -#define krb_kdctimeofday(X) gettimeofday((X), NULL) -#endif - -#ifndef HAVE_KRB_GET_KDC_TIME_DIFF -#define krb_get_kdc_time_diff() (0) -#endif - -#ifdef VOID_RETSIGTYPE -#define SIGRETURN(x) return -#else -#define SIGRETURN(x) return (RETSIGTYPE)(x) -#endif - -#ifdef BROKEN_REALLOC -#define realloc(X, Y) isoc_realloc((X), (Y)) -#define isoc_realloc(X, Y) ((X) ? realloc((X), (Y)) : malloc(Y)) -#endif - - -#if ENDIANESS_IN_SYS_PARAM_H -# include -# include -# if BYTE_ORDER == BIG_ENDIAN -# define WORDS_BIGENDIAN 1 -# endif -#endif - - -#if _AIX -#define _ALL_SOURCE -/* XXX this is gross, but kills about a gazillion warnings */ -struct ether_addr; -struct sockaddr; -struct sockaddr_dl; -struct sockaddr_in; -#endif - - -/* IRIX 4 braindamage */ -#if IRIX == 4 && !defined(__STDC__) -#define __STDC__ 0 -#endif - diff --git a/crypto/heimdal-0.6.3/include/kadm5/Makefile.am b/crypto/heimdal-0.6.3/include/kadm5/Makefile.am deleted file mode 100644 index e0647b8474..0000000000 --- a/crypto/heimdal-0.6.3/include/kadm5/Makefile.am +++ /dev/null 
@@ -1,5 +0,0 @@
-# $Id: Makefile.am,v 1.6 1999/03/20 13:58:17 joda Exp $
-
-include $(top_srcdir)/Makefile.am.common
-
-CLEANFILES = admin.h kadm5_err.h private.h
diff --git a/crypto/heimdal-0.6.3/include/kadm5/Makefile.in b/crypto/heimdal-0.6.3/include/kadm5/Makefile.in
deleted file mode 100644
index 10c34e1414..0000000000
--- a/crypto/heimdal-0.6.3/include/kadm5/Makefile.in
+++ /dev/null
@@ -1,638 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.6 1999/03/20 13:58:17 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../.. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ - $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common -subdir = include/kadm5 -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - $(top_srcdir)/cf/krb-struct-spwd.m4 \ - 
$(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -depcomp = -am__depfiles_maybe = -SOURCES = -DIST_SOURCES = -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = 
@HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ 
-LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor 
= @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la 
-@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -CLEANFILES = admin.h kadm5_err.h private.h -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps include/kadm5/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps include/kadm5/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -tags: TAGS -TAGS: - -ctags: CTAGS -CTAGS: - - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/../.. 
$(distdir)/../../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile all-local -installdirs: -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." 
-clean: clean-am - -clean-am: clean-generic clean-libtool mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-generic distclean-libtool - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-generic mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-info-am - -.PHONY: all all-am all-local check check-am check-local clean \ - clean-generic clean-libtool distclean distclean-generic \ - distclean-libtool distdir dvi dvi-am html html-am info info-am \ - install install-am install-data install-data-am install-exec \ - install-exec-am install-info install-info-am install-man \ - install-strip installcheck installcheck-am installdirs \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - uninstall uninstall-am uninstall-info-am - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file 
$(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - 
bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal-0.6.3/include/make_crypto.c b/crypto/heimdal-0.6.3/include/make_crypto.c deleted file mode 100644 index 2215f3fe25..0000000000 --- a/crypto/heimdal-0.6.3/include/make_crypto.c +++ /dev/null 
@@ -1,99 +0,0 @@
-/*
- * Copyright (c) 2002 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: make_crypto.c,v 1.4.2.1 2003/05/05 20:10:27 joda Exp $");
-#endif
-#include
-#include
-#include
-#include
-
-int
-main(int argc, char **argv)
-{
- char *p;
- FILE *f;
- if(argc != 2) {
- fprintf(stderr, "Usage: make_crypto file\n");
- exit(1);
- }
- f = fopen(argv[1], "w");
- if(f == NULL) {
- perror(argv[1]);
- exit(1);
- }
- for(p = argv[1]; *p; p++)
- if(!isalnum((int)*p))
- *p = '_';
- fprintf(f, "#ifndef __%s__\n", argv[1]);
- fprintf(f, "#define __%s__\n", argv[1]);
-#ifdef HAVE_OPENSSL
- fputs("#define OPENSSL_DES_LIBDES_COMPATIBILITY\n", f);
- fputs("#include \n", f);
- fputs("#include \n", f);
- fputs("#include \n", f);
- fputs("#include \n", f);
- fputs("#include \n", f);
-#if ENABLE_AES
- fputs("#include \n", f);
-#endif
-#else
- fputs("#include \n", f);
- fputs("#include \n", f);
- fputs("#include \n", f);
- fputs("#include \n", f);
- fputs("#include \n", f);
-#ifdef HAVE_OLD_HASH_NAMES
- fputs("\n", f);
- fputs(" typedef struct md4 MD4_CTX;\n", f);
- fputs("#define MD4_Init md4_init\n", f);
- fputs("#define MD4_Update md4_update\n", f);
- fputs("#define MD4_Final(D, C) md4_finito((C), (D))\n", f);
- fputs("\n", f);
- fputs(" typedef struct md5 MD5_CTX;\n", f);
- fputs("#define MD5_Init md5_init\n", f);
- fputs("#define MD5_Update md5_update\n", f);
- fputs("#define MD5_Final(D, C) md5_finito((C), (D))\n", f);
- fputs("\n", f);
- fputs(" typedef struct sha SHA_CTX;\n", f);
- fputs("#define SHA1_Init sha_init\n", f);
- fputs("#define SHA1_Update sha_update\n", f);
- fputs("#define SHA1_Final(D, C) sha_finito((C), (D))\n", f);
-#endif
-#endif
- fprintf(f, "#endif /* __%s__ */\n", argv[1]);
- fclose(f);
- exit(0);
-}
diff --git a/crypto/heimdal-0.6.3/install-sh b/crypto/heimdal-0.6.3/install-sh
deleted file mode 100644
index 77bc38144f..0000000000
--- a/crypto/heimdal-0.6.3/install-sh
+++ /dev/null
@@ -1,316 +0,0 @@ -#!/bin/sh -# install - install a program, script, or datafile - -scriptversion=2004-02-15.20 - -# This originates from X11R5 (mit/util/scripts/install.sh), which was -# later released in X11R6 (xc/config/util/install.sh) with the -# following copyright and license. -# -# Copyright (C) 1994 X Consortium -# -# Permission is hereby granted, free of charge, to any person obtaining a copy -# of this software and associated documentation files (the "Software"), to -# deal in the Software without restriction, including without limitation the -# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or -# sell copies of the Software, and to permit persons to whom the Software is -# furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be included in -# all copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -# X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN -# AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNEC- -# TION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. -# -# Except as contained in this notice, the name of the X Consortium shall not -# be used in advertising or otherwise to promote the sale, use or other deal- -# ings in this Software without prior written authorization from the X Consor- -# tium. -# -# -# FSF changes to this file are in the public domain. -# -# Calling this script install-sh is preferred over install.sh, to prevent -# `make' implicit rules from creating a file called install from it -# when there is no Makefile. -# -# This script is compatible with the BSD install script, but was written -# from scratch. 
It can only install one file at a time, a restriction -# shared with many OS's install programs. - -# set DOITPROG to echo to test this script - -# Don't use :- since 4.3BSD and earlier shells don't like it. -doit="${DOITPROG-}" - -# put in absolute paths if you don't have them in your path; or use env. vars. - -mvprog="${MVPROG-mv}" -cpprog="${CPPROG-cp}" -chmodprog="${CHMODPROG-chmod}" -chownprog="${CHOWNPROG-chown}" -chgrpprog="${CHGRPPROG-chgrp}" -stripprog="${STRIPPROG-strip}" -rmprog="${RMPROG-rm}" -mkdirprog="${MKDIRPROG-mkdir}" - -transformbasename= -transform_arg= -instcmd="$mvprog" -chmodcmd="$chmodprog 0755" -chowncmd= -chgrpcmd= -stripcmd= -rmcmd="$rmprog -f" -mvcmd="$mvprog" -src= -dst= -dir_arg= - -usage="Usage: $0 [OPTION]... SRCFILE DSTFILE - or: $0 [OPTION]... SRCFILES... DIRECTORY - or: $0 -d DIRECTORIES... - -In the first form, install SRCFILE to DSTFILE, removing SRCFILE by default. -In the second, create the directory path DIR. - -Options: --b=TRANSFORMBASENAME --c copy source (using $cpprog) instead of moving (using $mvprog). --d create directories instead of installing files. --g GROUP $chgrp installed files to GROUP. --m MODE $chmod installed files to MODE. --o USER $chown installed files to USER. --s strip installed files (using $stripprog). --t=TRANSFORM ---help display this help and exit. ---version display version info and exit. 
- -Environment variables override the default commands: - CHGRPPROG CHMODPROG CHOWNPROG CPPROG MKDIRPROG MVPROG RMPROG STRIPPROG -" - -while test -n "$1"; do - case $1 in - -b=*) transformbasename=`echo $1 | sed 's/-b=//'` - shift - continue;; - - -c) instcmd=$cpprog - shift - continue;; - - -d) dir_arg=true - shift - continue;; - - -g) chgrpcmd="$chgrpprog $2" - shift - shift - continue;; - - --help) echo "$usage"; exit 0;; - - -m) chmodcmd="$chmodprog $2" - shift - shift - continue;; - - -o) chowncmd="$chownprog $2" - shift - shift - continue;; - - -s) stripcmd=$stripprog - shift - continue;; - - -t=*) transformarg=`echo $1 | sed 's/-t=//'` - shift - continue;; - - --version) echo "$0 $scriptversion"; exit 0;; - - *) # When -d is used, all remaining arguments are directories to create. - test -n "$dir_arg" && break - # Otherwise, the last argument is the destination. Remove it from $@. - for arg - do - if test -n "$dstarg"; then - # $@ is not empty: it contains at least $arg. - set fnord "$@" "$dstarg" - shift # fnord - fi - shift # arg - dstarg=$arg - done - break;; - esac -done - -if test -z "$1"; then - if test -z "$dir_arg"; then - echo "$0: no input file specified." >&2 - exit 1 - fi - # It's OK to call `install-sh -d' without argument. - # This can happen when creating conditional directories. - exit 0 -fi - -for src -do - # Protect names starting with `-'. - case $src in - -*) src=./$src ;; - esac - - if test -n "$dir_arg"; then - dst=$src - src= - - if test -d "$dst"; then - instcmd=: - chmodcmd= - else - instcmd=$mkdirprog - fi - else - # Waiting for this to be detected by the "$instcmd $src $dsttmp" command - # might cause directories to be created, which would be especially bad - # if $src (and thus $dsttmp) contains '*'. - if test ! -f "$src" && test ! -d "$src"; then - echo "$0: $src does not exist." >&2 - exit 1 - fi - - if test -z "$dstarg"; then - echo "$0: no destination specified." 
>&2 - exit 1 - fi - - dst=$dstarg - # Protect names starting with `-'. - case $dst in - -*) dst=./$dst ;; - esac - - # If destination is a directory, append the input filename; won't work - # if double slashes aren't ignored. - if test -d "$dst"; then - dst=$dst/`basename "$src"` - fi - fi - - # This sed command emulates the dirname command. - dstdir=`echo "$dst" | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'` - - # Make sure that the destination directory exists. - - # Skip lots of stat calls in the usual case. - if test ! -d "$dstdir"; then - defaultIFS=' - ' - IFS="${IFS-$defaultIFS}" - - oIFS=$IFS - # Some sh's can't handle IFS=/ for some reason. - IFS='%' - set - `echo "$dstdir" | sed -e 's@/@%@g' -e 's@^%@/@'` - IFS=$oIFS - - pathcomp= - - while test $# -ne 0 ; do - pathcomp=$pathcomp$1 - shift - if test ! -d "$pathcomp"; then - $mkdirprog "$pathcomp" || lasterr=$? - # mkdir can fail with a `File exist' error in case several - # install-sh are creating the directory concurrently. This - # is OK. - test ! -d "$pathcomp" && { (exit ${lasterr-1}); exit; } - fi - pathcomp=$pathcomp/ - done - fi - - if test -n "$dir_arg"; then - $doit $instcmd "$dst" \ - && { test -z "$chowncmd" || $doit $chowncmd "$dst"; } \ - && { test -z "$chgrpcmd" || $doit $chgrpcmd "$dst"; } \ - && { test -z "$stripcmd" || $doit $stripcmd "$dst"; } \ - && { test -z "$chmodcmd" || $doit $chmodcmd "$dst"; } - - else - # If we're going to rename the final executable, determine the name now. - if test -z "$transformarg"; then - dstfile=`basename "$dst"` - else - dstfile=`basename "$dst" $transformbasename \ - | sed $transformarg`$transformbasename - fi - - # don't allow the sed command to completely eliminate the filename. - test -z "$dstfile" && dstfile=`basename "$dst"` - - # Make a couple of temp file names in the proper directory. - dsttmp=$dstdir/_inst.$$_ - rmtmp=$dstdir/_rm.$$_ - - # Trap to clean up those temp files at exit. 
- trap 'status=$?; rm -f "$dsttmp" "$rmtmp" && exit $status' 0 - trap '(exit $?); exit' 1 2 13 15 - - # Move or copy the file name to the temp name - $doit $instcmd "$src" "$dsttmp" && - - # and set any options; do chmod last to preserve setuid bits. - # - # If any of these fail, we abort the whole thing. If we want to - # ignore errors from any of these, just make sure not to ignore - # errors from the above "$doit $instcmd $src $dsttmp" command. - # - { test -z "$chowncmd" || $doit $chowncmd "$dsttmp"; } \ - && { test -z "$chgrpcmd" || $doit $chgrpcmd "$dsttmp"; } \ - && { test -z "$stripcmd" || $doit $stripcmd "$dsttmp"; } \ - && { test -z "$chmodcmd" || $doit $chmodcmd "$dsttmp"; } && - - # Now remove or move aside any old file at destination location. We - # try this two ways since rm can't unlink itself on some systems and - # the destination file might be busy for other reasons. In this case, - # the final cleanup might fail but the new file should still install - # successfully. - { - if test -f "$dstdir/$dstfile"; then - $doit $rmcmd -f "$dstdir/$dstfile" 2>/dev/null \ - || $doit $mvcmd -f "$dstdir/$dstfile" "$rmtmp" 2>/dev/null \ - || { - echo "$0: cannot unlink or rename $dstdir/$dstfile" >&2 - (exit 1); exit - } - else - : - fi - } && - - # Now rename the file to the real destination. - $doit $mvcmd "$dsttmp" "$dstdir/$dstfile" - fi || { (exit 1); exit; } -done - -# The final little trick to "correctly" pass the exit status to the exit trap. -{ - (exit 0); exit -} - -# Local variables: -# eval: (add-hook 'write-file-hooks 'time-stamp) -# time-stamp-start: "scriptversion=" -# time-stamp-format: "%:y-%02m-%02d.%02H" -# time-stamp-end: "$" -# End: diff --git a/crypto/heimdal-0.6.3/kadmin/ChangeLog b/crypto/heimdal-0.6.3/kadmin/ChangeLog deleted file mode 100644 index 8bfbeed7fd..0000000000 --- a/crypto/heimdal-0.6.3/kadmin/ChangeLog +++ /dev/null 
@@ -1,635 +0,0 @@ -2004-04-29 Love Hörquist Åstrand - - * version4.c: 1.30: (handle_v4): make sure length is longer then - 2, Pointed out by Evgeny Demidov - - * kadmind.c: 1.31: make kerberos4 support default turned off - -2003-04-14 Love Hörquist Åstrand - - * util.c: cast argument to tolower to unsigned char, from - Christian Biere via NetBSD - -2003-04-06 Love Hörquist Åstrand - - * kadmind.8: s/kerberos/Kerberos/ - -2003-03-31 Love Hörquist Åstrand - - * kadmin.8: initialises -> initializes, from Perry E. Metzger" - - - * kadmin.c: principal, not pricipal. From Thomas Klausner - - -2003-02-04 Love Hörquist Åstrand - - * kadmind.8: spelling, from jmc - - * kadmin.8: spelling, from jmc - -2003-01-29 Love Hörquist Åstrand - - * server.c (kadmind_dispatch): kadm_chpass: require the password - to pass the password quality check in case the user changes the - user's own password kadm_chpass_with_key: disallow the user to - change it own password to a key, since that password might violate - the password quality check. - -2002-10-23 Assar Westerlund - - * version4.c (decode_packet): check the length of the version - string and that rlen has a reasonable value - -2002-10-21 Johan Danielsson - - * version4.c: check size of rlen - -2002-09-10 Johan Danielsson - - * server.c: constify match_appl_version() - - * version4.c: change some lingering krb_err_base - -2002-09-09 Jacques Vidrine - - * server.c (kadmind_dispatch): while decoding arguments for - kadm_chpass_with_key, sanity check the number of keys given. - Potential problem pointed out by - Sebastian Krahmer . - -2002-09-04 Johan Danielsson - - * load.c (parse_generation): return if there is no generation - (spotted by Daniel Kouril) - -2002-06-07 Jacques Vidrine - - * ank.c: do not attempt to free uninitialized pointer when - kadm5_randkey_principal fails. 
- -2002-06-07 Johan Danielsson - - * util.c: remove unused variable; reported by Hans Insulander - -2002-03-05 Johan Danielsson - - * kadmind.8: clarify some acl wording, and add an example file - -2002-02-11 Johan Danielsson - - * ext.c: no need to use the "modify" keytab anymore - -2001-09-20 Assar Westerlund - - * add-random-users.c: allocate several buffers for the list of - words, instead of one strdup per word (running under efence does - not work very well otherwise) - -2001-09-13 Assar Westerlund - - * add-random-users.c: allow specifying the number of users to - create - -2001-08-24 Assar Westerlund - - * Makefile.am: rename variable name to avoid error from current - automake - -2001-08-22 Assar Westerlund - - * kadmin_locl.h: include libutil.h if it exists - -2001-08-10 Johan Danielsson - - * util.c: do something to handle C-c in prompts - - * load.c: remove unused etypes code, and add parsing of the - generation field - - * ank.c: add a --use-defaults option to just use default values - without questions - - * kadmin.c: add "del" alias for delete - - * cpw.c: call this operation "passwd" in usage - - * kadmin_locl.h: prototype for set_defaults - - * util.c (edit_entry): move setting of default values to a - separate function, set_defaults - -2001-08-01 Johan Danielsson - - * kadmin.c: print help message on bad options - -2001-07-31 Assar Westerlund - - * add-random-users.c (main): handle --version - -2001-07-30 Johan Danielsson - - * load.c: increase line buffer to 8k - -2001-06-12 Assar Westerlund - - * ext.c (ext_keytab): use the default modify keytab per default - -2001-05-17 Assar Westerlund - - * kadm_conn.c (start_server): fix krb5_eai_to_heim_errno call - -2001-05-15 Assar Westerlund - - * kadmin.c (main): some error cleaning required - -2001-05-14 Assar Westerlund - - * kadmind.c: new krb5_config_parse_file - * kadmin.c: new krb5_config_parse_file - * kadm_conn.c: update to new krb5_sockaddr2address - -2001-05-07 Assar Westerlund - - * 
kadmin_locl.h (foreach_principal): update prototype - * get.c (getit): new foreach_principal - * ext.c (ext_keytab): new foreach_principal - * del.c (del_entry): new foreach_principal - * cpw.c (cpw_entry): new foreach_principal - * util.c (foreach_principal): add `funcname' and try printing the - error string - -2001-05-04 Johan Danielsson - - * rename.c: fix argument number test - -2001-04-19 Johan Danielsson - - * del_enctype.c: fix argument count check after getarg change; - spotted by mark@MCS.VUW.AC.NZ - -2001-02-15 Assar Westerlund - - * kadmind.c (main): use a `struct sockaddr_storage' to be able to - store all types of addresses - -2001-02-07 Assar Westerlund - - * kadmin.c: add --keytab / _K, from Leif Johansson - - -2001-01-29 Assar Westerlund - - * kadm_conn.c (spawn_child): close the newly created socket in the - packet, it's not used. from - * version4.c (decode_packet): check success of - krb5_425_conv_principal. from - -2001-01-12 Assar Westerlund - - * util.c (parse_attributes): make empty string mean no attributes, - specifying the empty string at the command line should give you no - attributes, but just pressing return at the prompt gives you - default attributes - (edit_entry): only pick up values from the default principal if they - aren't set in the principal being edited - -2001-01-04 Assar Westerlund - - * load.c (doit): print an error and bail out if storing an entry - in the database fails. The most likely reason for it failing is - out-of-space. 
- -2000-12-31 Assar Westerlund - - * kadmind.c (main): handle krb5_init_context failure consistently - * kadmin.c (main): handle krb5_init_context failure consistently - * add-random-users.c (add_user): handle krb5_init_context failure - consistently - - * kadm_conn.c (spawn_child): use a struct sockaddr_storage - -2000-12-15 Johan Danielsson - - * get.c: avoid asprintf'ing NULL strings - -2000-12-14 Johan Danielsson - - * load.c: fix option parsing - -2000-11-16 Assar Westerlund - - * kadm_conn.c (wait_for_connection): check for fd's being too - large to select on - -2000-11-09 Johan Danielsson - - * get.c: don't try to print modifier name if it isn't set (from - Jacques A. Vidrine" ) - -2000-09-19 Assar Westerlund - - * server.c (kadmind_loop): send in keytab to v4 handling function - * version4.c: allow the specification of what keytab to use - - * get.c (print_entry_long): actually print the actual saltvalue - used if it's not the default - -2000-09-10 Johan Danielsson - - * kadmin.c: add option parsing, and add `privs' as an alias for - `privileges' - - * init.c: complain if there's no realm name specified - - * rename.c: add option parsing - - * load.c: add option parsing - - * get.c: make `get' and `list' aliases to each other, but with - different defaults - - * del_enctype.c: add option parsing - - * del.c: add option parsing - - * ank.c: calling the command `add' make more sense from an english - pov - - * Makefile.am: add kadmin manpage - - * kadmin.8: short manpage - - * kadmin.c: `quit' should be a alias for `exit', not `help' - -2000-08-27 Assar Westerlund - - * server.c (handle_v5): do not try to perform stupid stunts when - printing errors - -2000-08-19 Assar Westerlund - - * util.c (str2time_t): add alias for `now'. 
- -2000-08-18 Assar Westerlund - - * server.c (handle_v5): accept any kadmin/admin@* principal as the - server - * kadmind.c: remove extra prototype of kadmind_loop - * kadmin_locl.h (kadmind_loop): add prototype - - * init.c (usage): print init-usage and not add-dito - -2000-08-07 Johan Danielsson - - * kadmind.c: use roken_getsockname - -2000-08-07 Assar Westerlund - - * kadmind.c, kadm_conn.c: use socklen_t instead of int where - appropriate. From - -2000-08-04 Johan Danielsson - - * Makefile.am: link with pidfile library - - * kadmind.c: write a pid file, and setup password quality - functions - - * kadmin_locl.h: util.h - -2000-07-27 Assar Westerlund - - * version4.c (decode_packet): be totally consistent with the - prototype of des_cbc_cksum - * kadmind.c: use sa_size instead of sa_len, some systems define - this to emulate anonymous unions - * kadm_conn.c: use sa_size instead of sa_len, some systems define - this to emulate anonymous unions - -2000-07-24 Assar Westerlund - - * kadmin.c (commands): add quit - * load.c (doit): truncate the log since there's no way of knowing - what changes are going to be added - -2000-07-23 Assar Westerlund - - * util.c (str2time_t): be more careful with strptime that might - zero out the `struct tm' - -2000-07-22 Johan Danielsson - - * kadm_conn.c: make the parent process wait for children and - terminate after receiving a signal, also terminate on SIGINT - -2000-07-22 Assar Westerlund - - * version4.c: map both princ_expire_time and pw_expiration to v4 - principal expiration - -2000-07-22 Johan Danielsson - - * version4.c (handle_v4): check for termination - - * server.c (v5_loop): check for termination - - * kadm_conn.c (wait_term): if we're doing something, set just set - a flag otherwise exit rightaway - - * server.c: use krb5_read_priv_message; (v5_loop): check for EOF - -2000-07-21 Assar Westerlund - - * kadm_conn.c: remove sys/select.h. 
make signal handlers - type-correct and static - - * kadmin_locl.h: add limits.h and sys/select.h - -2000-07-20 Assar Westerlund - - * init.c (init): also create `kadmin/hprop' - * kadmind.c: ports is a string argument - * kadm_conn.c (start_server): fix printf format - - * kadmin_locl.h: add - * kadm_conn.c: remove sys/select.h. make signal handlers - type-correct and static - - * kadmin_locl.h: add limits.h and sys/select.h - -2000-07-17 Johan Danielsson - - * kadm_conn.c: put all processes in a new process group - - * server.c (v5_loop): use krb5_{read,write}_priv_message - -2000-07-11 Johan Danielsson - - * version4.c: change log strings to match the v5 counterparts - - * mod.c: allow setting kvno - - * kadmind.c: if stdin is not a socket create and listen to sockets - - * kadm_conn.c: socket creation functions - - * util.c (deltat2str): treat 0 and INT_MAX as never - -2000-07-08 Assar Westerlund - - * Makefile.am (INCLUDES): add ../lib/krb5 - * kadmin_locl.h: add krb5_locl.h (since we just use some stuff - from there) - -2000-06-07 Assar Westerlund - - * add-random-users.c: new testing program that adds a number of - randomly generated users - -2000-04-12 Assar Westerlund - - * cpw.c (do_cpw_entry): call set_password if no argument is given, - it will prompt for the password. - * kadmin.c: make help only print the commands that are actually - available. 
- -2000-04-03 Assar Westerlund - - * del_enctype.c (del_enctype): set ignore correctly - -2000-04-02 Assar Westerlund - - * kadmin.c (main): make parse errors a fatal error - * init.c (init): create changepw/kerberos with disallow-tgt and - pwchange attributes - -2000-03-23 Assar Westerlund - - * util.c (hex2n, parse_des_key): add - * server.c (kadmind_dispatch): add kadm_chpass_with_key - * cpw.c: add --key - * ank.c: add --key - -2000-02-16 Assar Westerlund - - * load.c (doit): check return value from parse_hdbflags2int - correctly - -2000-01-25 Assar Westerlund - - * load.c: checking all parsing for errors and all memory - allocations also - -2000-01-02 Assar Westerlund - - * server.c: check initial flag in ticket and allow users to change - their own password if it's set - * ext.c (do_ext_keytab): set timestamp - -1999-12-14 Assar Westerlund - - * del_enctype.c (usage): don't use arg_printusage - -1999-11-25 Assar Westerlund - - * del_enctype.c (del_enctype): try not to leak memory - - * version4.c (kadm_ser_mod): use kadm5_s_modify_principal (no - _with_key) - - * kadmin.c: add `del_enctype' - - * del_enctype.c (del_enctype): new function for deleting enctypes - from a principal - - * Makefile.am (kadmin_SOURCES): add del_enctype.c - -1999-11-09 Johan Danielsson - - * server.c: cope with old clients - - * kadmin_locl.h: remove version string - -1999-10-17 Assar Westerlund - - * Makefile.am (kadmin_LDADD): add LIB_dlopen - -1999-10-01 Assar Westerlund - - * ank.c (add_one_principal): `password' can cactually be NULL in - the overwrite code, check for it. - -1999-09-20 Assar Westerlund - - * mod.c (mod_entry): print the correct principal name in error - messages. 
From Love - -1999-09-10 Assar Westerlund - - * init.c (init): also create `changepw/kerberos' - - * version4.c: only create you loose packets when we fail decoding - and not when an operation is not performed for some reason - (decode_packet): read the service key from the hdb - (dispatch, decode_packet): return proper error messages - - * version4.c (kadm_ser_cpw): add password quality functions - -1999-08-27 Johan Danielsson - - * server.c (handle_v5): give more informative message if - KRB5_KT_NOTFOUND - -1999-08-26 Johan Danielsson - - * kadmind.c: use HDB keytabs - -1999-08-25 Assar Westerlund - - * cpw.c (set_password): use correct variable. From Love - - - * server.c (v5_loop): use correct error code - - * ank.c (add_one_principal): initialize `default_ent' - -1999-08-21 Assar Westerlund - - * random_password.c: new file, stolen from krb4 - - * kadmin_locl.h: add prototype for random_password - - * cpw.c: add support for --random-password - - * ank.c: add support for --random-password - - * Makefile.am (kadmin_SOURCES): add random_password.c - -1999-08-19 Assar Westerlund - - * util.c (edit_timet): break when we manage to parse the time not - the inverse. - - * mod.c: add parsing of lots of options. From Love - - - * ank.c: add setting of expiration and password expiration - - * kadmin_locl.h: update util.c prototypes - - * util.c: move-around. clean-up, rename, make consistent (and - some other weird stuff). based on patches from Love - - - * version4.c (kadm_ser_cpw): initialize password - (handle_v4): remove unused variable `ret' - -1999-08-16 Assar Westerlund - - * version4.c (handle_v4): more error checking and more correct - error messages - - * server.c (v5_loop, kadmind_loop): more error checking and more - correct error messages - -1999-07-24 Assar Westerlund - - * util.c (str2timeval, edit_time): functions for parsing and - editing times. Based on patches from Love . 
- (edit_entry): call new functions - - * mod.c (mod_entry): allow modifying expiration times - - * kadmin_locl.h (str2timeval): add prototype - - * ank.c (add_one_principal): allow setting expiration times - -1999-07-03 Assar Westerlund - - * server.c (v5_loop): handle data allocation with krb5_data_alloc - and check return value - -1999-06-23 Assar Westerlund - - * version4.c (kadm_ser_cpw): read the key in the strange order - it's sent - - * util.c (edit_entry): look at default - (edit_time): always set mask even if value == 0 - - * kadmin_locl.h (edit_entry): update - - * ank.c: make ank use the values of the default principal for - prompting - - * version4.c (values_to_ent): convert key data correctly - -1999-05-23 Assar Westerlund - - * init.c (create_random_entry): more correct setting of mask - -1999-05-21 Assar Westerlund - - * server.c (handle_v5): read sendauth version correctly. - -1999-05-14 Assar Westerlund - - * version4.c (error_code): try to handle really old krb4 - distributions - -1999-05-11 Assar Westerlund - - * init.c (init): initialize realm_max_life and realm_max_rlife - -1999-05-07 Assar Westerlund - - * ank.c (add_new_key): initialize more variables - -1999-05-04 Assar Westerlund - - * version4.c (kadm_ser_cpw): always allow a user to change her - password - (kadm_ser_*): make logging work - clean-up and restructure - - * kadmin_locl.h (set_entry): add prototype - - * kadmin.c (usage): update usage string - - * init.c (init): new arguments realm-max-ticket-life and - realm-max-renewable-life - - * util.c (edit_time, edit_attributes): don't do anything if it's - already set - (set_entry): new function - - * ank.c (add_new_key): new options for setting max-ticket-life, - max-renewable-life, and attributes - - * server.c (v5_loop): remove unused variable - - * kadmin_locl.h: add prototypes - - * version4.c: re-insert krb_err.h and other miss - - * server.c (kadmind_loop): break-up and restructure - - * version4.c: add ACL checks more error 
code checks restructure - -1999-05-03 Johan Danielsson - - * load.c: check for (un-)encrypted keys - - * dump.c: use hdb_print_entry - - * version4.c: version 4 support - - * Makefile.am: link with krb4 - - * kadmin_locl.h: include - - * server.c: move from lib/kadm5, and add basic support for krb4 - kadmin protocol - - * kadmind.c: move recvauth to kadmind_loop() diff --git a/crypto/heimdal-0.6.3/kadmin/Makefile.am b/crypto/heimdal-0.6.3/kadmin/Makefile.am deleted file mode 100644 index 3e9e4066fb..0000000000 --- a/crypto/heimdal-0.6.3/kadmin/Makefile.am +++ /dev/null 
@@ -1,74 +0,0 @@ -# $Id: Makefile.am,v 1.34 2001/08/28 08:31:26 assar Exp $ - -include $(top_srcdir)/Makefile.am.common - -INCLUDES += $(INCLUDE_readline) $(INCLUDE_krb4) $(INCLUDE_des) -I$(srcdir)/../lib/krb5 - -sbin_PROGRAMS = kadmin - -libexec_PROGRAMS = kadmind - -man_MANS = kadmin.8 kadmind.8 - -noinst_PROGRAMS = add_random_users - -kadmin_SOURCES = \ - ank.c \ - cpw.c \ - del.c \ - del_enctype.c \ - dump.c \ - ext.c \ - get.c \ - init.c \ - kadmin.c \ - load.c \ - mod.c \ - rename.c \ - util.c \ - random_password.c \ - kadmin_locl.h - -if KRB4 -KRB4LIB = $(LIB_krb4) -version4_c = version4.c -endif - -kadmind_SOURCES = \ - kadmind.c \ - server.c \ - kadmin_locl.h \ - $(version4_c) \ - kadm_conn.c - -EXTRA_kadmind_SOURCES = version4.c - -add_random_users_SOURCES = add-random-users.c - -LDADD_common = \ - $(top_builddir)/lib/hdb/libhdb.la \ - $(LIB_openldap) \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(LIB_des) \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_roken) \ - $(DBLIB) - -kadmind_LDADD = $(KRB4LIB) $(top_builddir)/lib/kadm5/libkadm5srv.la \ - $(LDADD_common) \ - $(LIB_pidfile) \ - $(LIB_dlopen) - -kadmin_LDADD = \ - $(top_builddir)/lib/kadm5/libkadm5clnt.la \ - $(top_builddir)/lib/kadm5/libkadm5srv.la \ - $(top_builddir)/lib/sl/libsl.la \ - $(LIB_readline) \ - $(LDADD_common) \ - $(LIB_dlopen) - -add_random_users_LDADD = \ - $(top_builddir)/lib/kadm5/libkadm5clnt.la \ - $(top_builddir)/lib/kadm5/libkadm5srv.la \ - $(LDADD_common) \ - $(LIB_dlopen) diff --git a/crypto/heimdal-0.6.3/kadmin/Makefile.in b/crypto/heimdal-0.6.3/kadmin/Makefile.in deleted file mode 100644 index 19d7215852..0000000000 --- a/crypto/heimdal-0.6.3/kadmin/Makefile.in +++ /dev/null 
@@ -1,936 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.34 2001/08/28 08:31:26 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - -SOURCES = $(add_random_users_SOURCES) $(kadmin_SOURCES) $(kadmind_SOURCES) $(EXTRA_kadmind_SOURCES) - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = .. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ - $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common ChangeLog -sbin_PROGRAMS = kadmin$(EXEEXT) -libexec_PROGRAMS = kadmind$(EXEEXT) -noinst_PROGRAMS = add_random_users$(EXEEXT) -subdir = kadmin -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 
$(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - $(top_srcdir)/cf/krb-struct-spwd.m4 \ - $(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -am__installdirs = "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)" -libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -sbinPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -PROGRAMS = $(libexec_PROGRAMS) $(noinst_PROGRAMS) $(sbin_PROGRAMS) -am_add_random_users_OBJECTS = add-random-users.$(OBJEXT) -add_random_users_OBJECTS = $(am_add_random_users_OBJECTS) -am__DEPENDENCIES_1 = -am__DEPENDENCIES_2 = $(top_builddir)/lib/hdb/libhdb.la \ - $(am__DEPENDENCIES_1) $(top_builddir)/lib/krb5/libkrb5.la \ - $(am__DEPENDENCIES_1) $(top_builddir)/lib/asn1/libasn1.la \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) -add_random_users_DEPENDENCIES = \ - $(top_builddir)/lib/kadm5/libkadm5clnt.la \ - $(top_builddir)/lib/kadm5/libkadm5srv.la $(am__DEPENDENCIES_2) \ - $(am__DEPENDENCIES_1) -am_kadmin_OBJECTS = ank.$(OBJEXT) cpw.$(OBJEXT) del.$(OBJEXT) \ - del_enctype.$(OBJEXT) dump.$(OBJEXT) ext.$(OBJEXT) \ - get.$(OBJEXT) init.$(OBJEXT) kadmin.$(OBJEXT) load.$(OBJEXT) \ - mod.$(OBJEXT) rename.$(OBJEXT) util.$(OBJEXT) \ - random_password.$(OBJEXT) -kadmin_OBJECTS = $(am_kadmin_OBJECTS) -kadmin_DEPENDENCIES = $(top_builddir)/lib/kadm5/libkadm5clnt.la \ - $(top_builddir)/lib/kadm5/libkadm5srv.la \ - 
$(top_builddir)/lib/sl/libsl.la $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) -am__kadmind_SOURCES_DIST = kadmind.c server.c kadmin_locl.h version4.c \ - kadm_conn.c -@KRB4_TRUE@am__objects_1 = version4.$(OBJEXT) -am_kadmind_OBJECTS = kadmind.$(OBJEXT) server.$(OBJEXT) \ - $(am__objects_1) kadm_conn.$(OBJEXT) -kadmind_OBJECTS = $(am_kadmind_OBJECTS) -@KRB4_TRUE@am__DEPENDENCIES_3 = $(am__DEPENDENCIES_1) -kadmind_DEPENDENCIES = $(am__DEPENDENCIES_3) \ - $(top_builddir)/lib/kadm5/libkadm5srv.la $(am__DEPENDENCIES_2) \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) -DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -SOURCES = $(add_random_users_SOURCES) $(kadmin_SOURCES) \ - $(kadmind_SOURCES) $(EXTRA_kadmind_SOURCES) -DIST_SOURCES = $(add_random_users_SOURCES) $(kadmin_SOURCES) \ - $(am__kadmind_SOURCES_DIST) $(EXTRA_kadmind_SOURCES) -man8dir = $(mandir)/man8 -MANS = $(man_MANS) -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ 
-CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ 
-LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = 
@STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) 
$(INCLUDE_readline) $(INCLUDE_krb4) $(INCLUDE_des) -I$(srcdir)/../lib/krb5 -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -man_MANS = kadmin.8 kadmind.8 -kadmin_SOURCES = \ - ank.c \ - cpw.c \ - del.c \ - del_enctype.c \ - dump.c \ - ext.c \ - get.c \ - init.c \ - kadmin.c \ - load.c \ - mod.c \ - rename.c \ - util.c \ - random_password.c \ - kadmin_locl.h - -@KRB4_TRUE@KRB4LIB = $(LIB_krb4) -@KRB4_TRUE@version4_c = version4.c -kadmind_SOURCES = \ - kadmind.c \ - server.c \ - kadmin_locl.h \ - $(version4_c) \ - kadm_conn.c - -EXTRA_kadmind_SOURCES = version4.c -add_random_users_SOURCES = add-random-users.c -LDADD_common = \ - $(top_builddir)/lib/hdb/libhdb.la \ - $(LIB_openldap) \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(LIB_des) \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_roken) \ - $(DBLIB) - -kadmind_LDADD = $(KRB4LIB) $(top_builddir)/lib/kadm5/libkadm5srv.la \ - $(LDADD_common) \ - $(LIB_pidfile) \ - $(LIB_dlopen) - -kadmin_LDADD = \ - $(top_builddir)/lib/kadm5/libkadm5clnt.la \ - $(top_builddir)/lib/kadm5/libkadm5srv.la \ - $(top_builddir)/lib/sl/libsl.la \ - $(LIB_readline) \ - $(LDADD_common) \ - $(LIB_dlopen) - -add_random_users_LDADD = \ - $(top_builddir)/lib/kadm5/libkadm5clnt.la \ - $(top_builddir)/lib/kadm5/libkadm5srv.la \ - $(LDADD_common) \ - $(LIB_dlopen) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 
.c .lo .o .obj -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps kadmin/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps kadmin/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -install-libexecPROGRAMS: $(libexec_PROGRAMS) - @$(NORMAL_INSTALL) - test -z "$(libexecdir)" || $(mkdir_p) "$(DESTDIR)$(libexecdir)" - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(libexecdir)/$$f'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(libexecdir)/$$f" || exit 1; \ - else :; fi; \ - done - -uninstall-libexecPROGRAMS: - @$(NORMAL_UNINSTALL) - 
@list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f '$(DESTDIR)$(libexecdir)/$$f'"; \ - rm -f "$(DESTDIR)$(libexecdir)/$$f"; \ - done - -clean-libexecPROGRAMS: - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done - -clean-noinstPROGRAMS: - @list='$(noinst_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -install-sbinPROGRAMS: $(sbin_PROGRAMS) - @$(NORMAL_INSTALL) - test -z "$(sbindir)" || $(mkdir_p) "$(DESTDIR)$(sbindir)" - @list='$(sbin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(sbinPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(sbindir)/$$f'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(sbinPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(sbindir)/$$f" || exit 1; \ - else :; fi; \ - done - -uninstall-sbinPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(sbin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f '$(DESTDIR)$(sbindir)/$$f'"; \ - rm -f "$(DESTDIR)$(sbindir)/$$f"; \ - done - -clean-sbinPROGRAMS: - @list='$(sbin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -add_random_users$(EXEEXT): $(add_random_users_OBJECTS) $(add_random_users_DEPENDENCIES) - @rm -f add_random_users$(EXEEXT) - $(LINK) $(add_random_users_LDFLAGS) $(add_random_users_OBJECTS) $(add_random_users_LDADD) $(LIBS) -kadmin$(EXEEXT): $(kadmin_OBJECTS) $(kadmin_DEPENDENCIES) - @rm -f kadmin$(EXEEXT) - $(LINK) $(kadmin_LDFLAGS) $(kadmin_OBJECTS) $(kadmin_LDADD) $(LIBS) 
-kadmind$(EXEEXT): $(kadmind_OBJECTS) $(kadmind_DEPENDENCIES) - @rm -f kadmind$(EXEEXT) - $(LINK) $(kadmind_LDFLAGS) $(kadmind_OBJECTS) $(kadmind_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c $< - -.c.obj: - $(COMPILE) -c `$(CYGPATH_W) '$<'` - -.c.lo: - $(LTCOMPILE) -c -o $@ $< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -install-man8: $(man8_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - test -z "$(man8dir)" || $(mkdir_p) "$(DESTDIR)$(man8dir)" - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ - done -uninstall-man8: - @$(NORMAL_UNINSTALL) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ - rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ - done - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - 
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/.. 
$(distdir)/../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) $(MANS) all-local -installdirs: - for dir in "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may 
require special tools to rebuild." -clean: clean-am - -clean-am: clean-generic clean-libexecPROGRAMS clean-libtool \ - clean-noinstPROGRAMS clean-sbinPROGRAMS mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: install-man - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: install-libexecPROGRAMS install-sbinPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man8 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-info-am uninstall-libexecPROGRAMS \ - uninstall-man uninstall-sbinPROGRAMS - -uninstall-man: uninstall-man8 - -.PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \ - clean clean-generic clean-libexecPROGRAMS clean-libtool \ - clean-noinstPROGRAMS clean-sbinPROGRAMS ctags distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am html html-am info info-am \ - install install-am install-data install-data-am install-exec \ - install-exec-am install-info install-info-am \ - install-libexecPROGRAMS install-man install-man8 \ - install-sbinPROGRAMS install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags uninstall uninstall-am uninstall-info-am \ - uninstall-libexecPROGRAMS uninstall-man uninstall-man8 \ - uninstall-sbinPROGRAMS - - -install-suid-programs: - 
@foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - 
case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal-0.6.3/kadmin/add-random-users.c b/crypto/heimdal-0.6.3/kadmin/add-random-users.c deleted file mode 100644 index ebd114945d..0000000000 --- a/crypto/heimdal-0.6.3/kadmin/add-random-users.c +++ /dev/null 
@@ -1,184 +0,0 @@
-/*
- * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kadmin_locl.h"
-
-RCSID("$Id: add-random-users.c,v 1.6 2001/09/20 09:17:33 assar Exp $");
-
-#define WORDS_FILENAME "/usr/share/dict/words"
-
-#define NUSERS 1000
-
-#define WORDBUF_SIZE 65535
-
-static unsigned
-read_words (const char *filename, char ***ret_w)
-{
- unsigned n, alloc;
- FILE *f;
- char buf[256];
- char **w = NULL;
- char *wbuf = NULL, *wptr = NULL, *wend = NULL;
-
- f = fopen (filename, "r");
- if (f == NULL)
- err (1, "cannot open %s", filename);
- alloc = n = 0;
- while (fgets (buf, sizeof(buf), f) != NULL) {
- size_t len;
-
- if (buf[strlen (buf) - 1] == '\n')
- buf[strlen (buf) - 1] = '\0';
- if (n >= alloc) {
- alloc = max(alloc + 16, alloc * 2);
- w = erealloc (w, alloc * sizeof(char **));
- }
- len = strlen(buf);
- if (wptr + len + 1 >= wend) {
- wptr = wbuf = emalloc (WORDBUF_SIZE);
- wend = wbuf + WORDBUF_SIZE;
- }
- memmove (wptr, buf, len + 1);
- w[n++] = wptr;
- wptr += len + 1;
- }
- *ret_w = w;
- return n;
-}
-
-static void
-add_user (krb5_context context, void *kadm_handle,
- unsigned nwords, char **words)
-{
- kadm5_principal_ent_rec princ;
- char name[64];
- int r1, r2;
- krb5_error_code ret;
- int mask;
-
- r1 = rand();
- r2 = rand();
-
- snprintf (name, sizeof(name), "%s%d", words[r1 % nwords], r2 % 1000);
-
- mask = KADM5_PRINCIPAL;
-
- memset(&princ, 0, sizeof(princ));
- ret = krb5_parse_name(context, name, &princ.principal);
- if (ret)
- krb5_err(context, 1, ret, "krb5_parse_name");
-
- ret = kadm5_create_principal (kadm_handle, &princ, mask, name);
- if (ret)
- krb5_err (context, 1, ret, "kadm5_create_principal");
- kadm5_free_principal_ent(kadm_handle, &princ);
- printf ("%s\n", name);
-}
-
-static void
-add_users (const char *filename, unsigned n)
-{
- krb5_error_code ret;
- int i;
- void *kadm_handle;
- krb5_context context;
- unsigned nwords;
- char **words;
-
- ret = krb5_init_context(&context);
- if (ret)
- errx (1, "krb5_init_context failed: %d", ret);
- ret = kadm5_s_init_with_password_ctx(context,
- KADM5_ADMIN_SERVICE,
- NULL,
- KADM5_ADMIN_SERVICE,
- NULL, 0, 0,
- &kadm_handle);
- if(ret)
- krb5_err(context, 1, ret, "kadm5_init_with_password");
-
- nwords = read_words (filename, &words);
-
- for (i = 0; i < n; ++i)
- add_user (context, kadm_handle, nwords, words);
- kadm5_destroy(kadm_handle);
- krb5_free_context(context);
-}
-
-static int version_flag = 0;
-static int help_flag = 0;
-
-static struct getargs args[] = {
- { "version", 0, arg_flag, &version_flag },
- { "help", 0, arg_flag, &help_flag }
-};
-
-static void
-usage (int ret)
-{
- arg_printusage (args,
- sizeof(args)/sizeof(*args),
- NULL,
- "[filename [n]]");
- exit (ret);
-}
-
-int
-main(int argc, char **argv)
-{
- int optind = 0;
- int n = NUSERS;
- const char *filename = WORDS_FILENAME;
-
- setprogname(argv[0]);
- if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
- usage(1);
- if (help_flag)
- usage (0);
- if (version_flag) {
- print_version(NULL);
- return 0;
- }
- srand (0);
- argc -= optind;
- argv += optind;
-
- if (argc > 0) {
- if (argc > 1)
- n = atoi(argv[1]);
- filename = argv[0];
- }
-
- add_users (filename, n);
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/kadmin/ank.c b/crypto/heimdal-0.6.3/kadmin/ank.c
deleted file mode 100644
index a166fb2377..0000000000
--- a/crypto/heimdal-0.6.3/kadmin/ank.c
+++ /dev/null
@@ -1,316 +0,0 @@
-/*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kadmin_locl.h"
-
-RCSID("$Id: ank.c,v 1.25 2002/12/03 14:11:24 joda Exp $");
-
-/*
- * fetch the default principal corresponding to `princ'
- */
-
-static krb5_error_code
-get_default (kadm5_server_context *context,
- krb5_principal princ,
- kadm5_principal_ent_t default_ent)
-{
- krb5_error_code ret;
- krb5_principal def_principal;
- krb5_realm *realm = krb5_princ_realm(context->context, princ);
-
- ret = krb5_make_principal (context->context, &def_principal,
- *realm, "default", NULL);
- if (ret)
- return ret;
- ret = kadm5_get_principal (context, def_principal, default_ent,
- KADM5_PRINCIPAL_NORMAL_MASK);
- krb5_free_principal (context->context, def_principal);
- return ret;
-}
-
-/*
- * Add the principal `name' to the database.
- * Prompt for all data not given by the input parameters.
- */
-
-static krb5_error_code
-add_one_principal (const char *name,
- int rand_key,
- int rand_password,
- int use_defaults,
- char *password,
- krb5_key_data *key_data,
- const char *max_ticket_life,
- const char *max_renewable_life,
- const char *attributes,
- const char *expiration,
- const char *pw_expiration)
-{
- krb5_error_code ret;
- kadm5_principal_ent_rec princ, defrec;
- kadm5_principal_ent_rec *default_ent = NULL;
- krb5_principal princ_ent = NULL;
- int mask = 0;
- int default_mask = 0;
- char pwbuf[1024];
-
- memset(&princ, 0, sizeof(princ));
- ret = krb5_parse_name(context, name, &princ_ent);
- if (ret) {
- krb5_warn(context, ret, "krb5_parse_name");
- return ret;
- }
- princ.principal = princ_ent;
- mask |= KADM5_PRINCIPAL;
-
- ret = set_entry(context, &princ, &mask,
- max_ticket_life, max_renewable_life,
- expiration, pw_expiration, attributes);
- if (ret)
- goto out;
-
- default_ent = &defrec;
- ret = get_default (kadm_handle, princ_ent, default_ent);
- if (ret) {
- default_ent = NULL;
- default_mask = 0;
- } else {
- default_mask = KADM5_ATTRIBUTES | KADM5_MAX_LIFE | KADM5_MAX_RLIFE |
- KADM5_PRINC_EXPIRE_TIME | KADM5_PW_EXPIRATION;
- }
-
- if(use_defaults)
- set_defaults(&princ, &mask, default_ent, default_mask);
- else
- if(edit_entry(&princ, &mask, default_ent, default_mask))
- goto out;
- if(rand_key || key_data) {
- princ.attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
- mask |= KADM5_ATTRIBUTES;
- strlcpy (pwbuf, "hemlig", sizeof(pwbuf));
- password = pwbuf;
- } else if (rand_password) {
- random_password (pwbuf, sizeof(pwbuf));
- password = pwbuf;
- } else if(password == NULL) {
- char *princ_name;
- char *prompt;
-
- krb5_unparse_name(context, princ_ent, &princ_name);
- asprintf (&prompt, "%s's Password: ", princ_name);
- free (princ_name);
- ret = des_read_pw_string (pwbuf, sizeof(pwbuf), prompt, 1);
- free (prompt);
- if (ret)
- goto out;
- password = pwbuf;
- }
-
- ret = kadm5_create_principal(kadm_handle, &princ, mask, password);
- if(ret) {
- krb5_warn(context, ret, "kadm5_create_principal");
- goto out;
- }
- if(rand_key) {
- krb5_keyblock *new_keys;
- int n_keys, i;
- ret = kadm5_randkey_principal(kadm_handle, princ_ent,
- &new_keys, &n_keys);
- if(ret){
- krb5_warn(context, ret, "kadm5_randkey_principal");
- n_keys = 0;
- }
- for(i = 0; i < n_keys; i++)
- krb5_free_keyblock_contents(context, &new_keys[i]);
- if (n_keys > 0)
- free(new_keys);
- kadm5_get_principal(kadm_handle, princ_ent, &princ,
- KADM5_PRINCIPAL | KADM5_KVNO | KADM5_ATTRIBUTES);
- princ.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX);
- princ.kvno = 1;
- kadm5_modify_principal(kadm_handle, &princ,
- KADM5_ATTRIBUTES | KADM5_KVNO);
- kadm5_free_principal_ent(kadm_handle, &princ);
- } else if (key_data) {
- ret = kadm5_chpass_principal_with_key (kadm_handle, princ_ent,
- 3, key_data);
- if (ret) {
- krb5_warn(context, ret, "kadm5_chpass_principal_with_key");
- }
- kadm5_get_principal(kadm_handle, princ_ent, &princ,
- KADM5_PRINCIPAL | KADM5_ATTRIBUTES);
- princ.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX);
- kadm5_modify_principal(kadm_handle, &princ, KADM5_ATTRIBUTES);
- kadm5_free_principal_ent(kadm_handle, &princ);
- } else if (rand_password) {
- char *princ_name;
-
- krb5_unparse_name(context, princ_ent, &princ_name);
- printf ("added %s with password `%s'\n", princ_name, password);
- free (princ_name);
- }
-out:
- if (princ_ent)
- krb5_free_principal (context, princ_ent);
- if(default_ent)
- kadm5_free_principal_ent (context, default_ent);
- if (password != NULL)
- memset (password, 0, strlen(password));
- return ret;
-}
-
-/*
- * parse the string `key_string' into `key', returning 0 iff succesful.
- */
-
-/*
- * the ank command
- */
-
-static struct getargs args[] = {
- { "random-key", 'r', arg_flag, NULL, "set random key" },
- { "random-password", 0, arg_flag, NULL, "set random password" },
- { "password", 'p', arg_string, NULL, "princial's password" },
- { "key", 0, arg_string, NULL, "DES-key in hex" },
- { "max-ticket-life", 0, arg_string, NULL, "max ticket lifetime",
- "lifetime"},
- { "max-renewable-life", 0, arg_string, NULL,
- "max renewable lifetime", "lifetime" },
- { "attributes", 0, arg_string, NULL, "principal attributes",
- "attributes"},
- { "expiration-time",0, arg_string, NULL, "expiration time",
- "time"},
- { "pw-expiration-time", 0, arg_string, NULL,
- "password expiration time", "time"},
- { "use-defaults", 0, arg_flag, NULL, "use default values" }
-};
-
-static int num_args = sizeof(args) / sizeof(args[0]);
-
-static void
-usage(void)
-{
- arg_printusage (args, num_args, "add", "principal...");
-}
-
-/*
- * Parse arguments and add all the principals.
- */
-
-int
-add_new_key(int argc, char **argv)
-{
- char *password = NULL;
- char *key = NULL;
- int random_key = 0;
- int random_password = 0;
- int optind = 0;
- krb5_error_code ret;
- char *max_ticket_life = NULL;
- char *max_renewable_life = NULL;
- char *attributes = NULL;
- char *expiration = NULL;
- char *pw_expiration = NULL;
- int use_defaults = 0;
- int i;
- int num;
- krb5_key_data key_data[3];
- krb5_key_data *kdp = NULL;
-
- args[0].value = &random_key;
- args[1].value = &random_password;
- args[2].value = &password;
- args[3].value = &key;
- args[4].value = &max_ticket_life;
- args[5].value = &max_renewable_life;
- args[6].value = &attributes;
- args[7].value = &expiration;
- args[8].value = &pw_expiration;
- args[9].value = &use_defaults;
-
- if(getarg(args, num_args, argc, argv, &optind)) {
- usage ();
- return 0;
- }
- if(optind == argc) {
- usage ();
- return 0;
- }
-
- num = 0;
- if (random_key)
- ++num;
- if (random_password)
- ++num;
- if (password)
- ++num;
- if (key)
- ++num;
-
- if (num > 1) {
- printf ("give only one of "
- "--random-key, --random-password, --password, --key\n");
- return 0;
- }
-
- if (key) {
- const char *error;
-
- if (parse_des_key (key, key_data, &error)) {
- printf ("failed parsing key `%s': %s\n", key, error);
- return 0;
- }
- kdp = key_data;
- }
-
- for (i = optind; i < argc; ++i) {
- ret = add_one_principal (argv[i], random_key, random_password,
- use_defaults,
- password,
- kdp,
- max_ticket_life,
- max_renewable_life,
- attributes,
- expiration,
- pw_expiration);
- if (ret) {
- krb5_warn (context, ret, "adding %s", argv[i]);
- break;
- }
- }
- if (kdp) {
- int16_t dummy = 3;
- kadm5_free_key_data (kadm_handle, &dummy, key_data);
- }
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/kadmin/cpw.c b/crypto/heimdal-0.6.3/kadmin/cpw.c
deleted file mode 100644
index 50c1cb27eb..0000000000
--- a/crypto/heimdal-0.6.3/kadmin/cpw.c
+++ /dev/null
@@ -1,213 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kadmin_locl.h"
-
-RCSID("$Id: cpw.c,v 1.13 2001/08/10 08:05:35 joda Exp $");
-
-struct cpw_entry_data {
- int random_key;
- int random_password;
- char *password;
- krb5_key_data *key_data;
-};
-
-static struct getargs args[] = {
- { "random-key", 'r', arg_flag, NULL, "set random key" },
- { "random-password", 0, arg_flag, NULL, "set random password" },
- { "password", 'p', arg_string, NULL, "princial's password" },
- { "key", 0, arg_string, NULL, "DES key in hex" }
-};
-
-static int num_args = sizeof(args) / sizeof(args[0]);
-
-static void
-usage(void)
-{
- arg_printusage(args, num_args, "passwd", "principal...");
-}
-
-static int
-set_random_key (krb5_principal principal)
-{
- krb5_error_code ret;
- int i;
- krb5_keyblock *keys;
- int num_keys;
-
- ret = kadm5_randkey_principal(kadm_handle, principal, &keys, &num_keys);
- if(ret)
- return ret;
- for(i = 0; i < num_keys; i++)
- krb5_free_keyblock_contents(context, &keys[i]);
- free(keys);
- return 0;
-}
-
-static int
-set_random_password (krb5_principal principal)
-{
- krb5_error_code ret;
- char pw[128];
-
- random_password (pw, sizeof(pw));
- ret = kadm5_chpass_principal(kadm_handle, principal, pw);
- if (ret == 0) {
- char *princ_name;
-
- krb5_unparse_name(context, principal, &princ_name);
-
- printf ("%s's password set to `%s'\n", princ_name, pw);
- free (princ_name);
- }
- memset (pw, 0, sizeof(pw));
- return ret;
-}
-
-static int
-set_password (krb5_principal principal, char *password)
-{
- krb5_error_code ret = 0;
- char pwbuf[128];
-
- if(password == NULL) {
- char *princ_name;
- char *prompt;
-
- krb5_unparse_name(context, principal, &princ_name);
- asprintf(&prompt, "%s's Password: ", princ_name);
- free (princ_name);
- ret = des_read_pw_string(pwbuf, sizeof(pwbuf), prompt, 1);
- free (prompt);
- if(ret){
- return 0; /* XXX error code? */
- }
- password = pwbuf;
- }
- if(ret == 0)
- ret = kadm5_chpass_principal(kadm_handle, principal, password);
- memset(pwbuf, 0, sizeof(pwbuf));
- return ret;
-}
-
-static int
-set_key_data (krb5_principal principal, krb5_key_data *key_data)
-{
- krb5_error_code ret;
-
- ret = kadm5_chpass_principal_with_key (kadm_handle, principal,
- 3, key_data);
- return ret;
-}
-
-static int
-do_cpw_entry(krb5_principal principal, void *data)
-{
- struct cpw_entry_data *e = data;
-
- if (e->random_key)
- return set_random_key (principal);
- else if (e->random_password)
- return set_random_password (principal);
- else if (e->key_data)
- return set_key_data (principal, e->key_data);
- else
- return set_password (principal, e->password);
-}
-
-int
-cpw_entry(int argc, char **argv)
-{
- krb5_error_code ret;
- int i;
- int optind = 0;
- struct cpw_entry_data data;
- int num;
- char *key_string;
- krb5_key_data key_data[3];
-
- data.random_key = 0;
- data.random_password = 0;
- data.password = NULL;
- data.key_data = NULL;
-
- key_string = NULL;
-
- args[0].value = &data.random_key;
- args[1].value = &data.random_password;
- args[2].value = &data.password;
- args[3].value = &key_string;
- if(getarg(args, num_args, argc, argv, &optind)){
- usage();
- return 0;
- }
-
- num = 0;
- if (data.random_key)
- ++num;
- if (data.random_password)
- ++num;
- if (data.password)
- ++num;
- if (key_string)
- ++num;
-
- if (num > 1) {
- printf ("give only one of "
- "--random-key, --random-password, --password, --key\n");
- return 0;
- }
-
- if (key_string) {
- const char *error;
-
- if (parse_des_key (key_string, key_data, &error)) {
- printf ("failed parsing key `%s': %s\n", key_string, error);
- return 0;
- }
- data.key_data = key_data;
- }
-
- argc -= optind;
- argv += optind;
-
- for(i = 0; i < argc; i++)
- ret = foreach_principal(argv[i], do_cpw_entry, "cpw", &data);
-
- if (data.key_data) {
- int16_t dummy;
- kadm5_free_key_data (kadm_handle, &dummy, key_data);
- }
-
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/kadmin/del.c b/crypto/heimdal-0.6.3/kadmin/del.c
deleted file mode 100644
index 1697656de2..0000000000
--- a/crypto/heimdal-0.6.3/kadmin/del.c
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kadmin_locl.h"
-
-RCSID("$Id: del.c,v 1.6 2001/05/07 05:30:50 assar Exp $");
-
-static int
-do_del_entry(krb5_principal principal, void *data)
-{
- return kadm5_delete_principal(kadm_handle, principal);
-}
-
-static struct getargs args[] = {
- { "help", 'h', arg_flag, NULL }
-};
-
-static int num_args = sizeof(args) / sizeof(args[0]);
-
-static void
-usage(void)
-{
- arg_printusage (args, num_args, "delete", "principal...");
-}
-
-
-int
-del_entry(int argc, char **argv)
-{
- int optind = 0;
- int help_flag = 0;
-
- int i;
- krb5_error_code ret;
-
- args[0].value = &help_flag;
-
- if(getarg(args, num_args, argc, argv, &optind)) {
- usage ();
- return 0;
- }
- if(optind == argc || help_flag) {
- usage ();
- return 0;
- }
-
- for(i = 1; i < argc; i++)
- ret = foreach_principal(argv[i], do_del_entry, "del", NULL);
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/kadmin/del_enctype.c b/crypto/heimdal-0.6.3/kadmin/del_enctype.c
deleted file mode 100644
index 985cc84f37..0000000000
--- a/crypto/heimdal-0.6.3/kadmin/del_enctype.c
+++ /dev/null
@@ -1,148 +0,0 @@
-/*
- * Copyright (c) 1999-2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kadmin_locl.h"
-
-RCSID("$Id: del_enctype.c,v 1.7 2001/04/19 07:26:52 joda Exp $");
-
-/*
- * del_enctype principal enctypes...
- */
-
-static struct getargs args[] = {
- { "help", 'h', arg_flag, NULL }
-};
-
-static int num_args = sizeof(args) / sizeof(args[0]);
-
-static void
-usage(void)
-{
- arg_printusage (args, num_args, "del_enctype", "principal enctypes...");
-}
-
-
-int
-del_enctype(int argc, char **argv)
-{
- int optind = 0;
- int help_flag = 0;
-
- kadm5_principal_ent_rec princ;
- krb5_principal princ_ent = NULL;
- krb5_error_code ret;
- const char *princ_name;
- int i, j, k;
- krb5_key_data *new_key_data;
- int n_etypes;
- krb5_enctype *etypes;
-
- args[0].value = &help_flag;
-
- if(getarg(args, num_args, argc, argv, &optind)) {
- usage ();
- return 0;
- }
- if(argc - optind < 2 || help_flag) {
- usage ();
- return 0;
- }
-
- memset (&princ, 0, sizeof(princ));
- princ_name = argv[1];
- n_etypes = argc - 2;
- etypes = malloc (n_etypes * sizeof(*etypes));
- if (etypes == NULL) {
- krb5_warnx (context, "out of memory");
- return 0;
- }
- for (i = 0; i < n_etypes; ++i) {
- ret = krb5_string_to_enctype (context, argv[i + 2], &etypes[i]);
- if (ret) {
- krb5_warnx (context, "bad enctype `%s'", argv[i + 2]);
- goto out2;
- }
- }
-
- ret = krb5_parse_name(context, princ_name, &princ_ent);
- if (ret) {
- krb5_warn (context, ret, "krb5_parse_name %s", princ_name);
- goto out2;
- }
-
- ret = kadm5_get_principal(kadm_handle, princ_ent, &princ,
- KADM5_PRINCIPAL | KADM5_KEY_DATA);
- if (ret) {
- krb5_free_principal (context, princ_ent);
- krb5_warnx (context, "no such principal: %s", princ_name);
- goto out2;
- }
-
- new_key_data = malloc(princ.n_key_data * sizeof(*new_key_data));
- if (new_key_data == NULL) {
- krb5_warnx (context, "out of memory");
- goto out;
- }
-
- for (i = 0, j = 0; i < princ.n_key_data; ++i) {
- krb5_key_data *key = &princ.key_data[i];
- int docopy = 1;
-
- for (k = 0; k < n_etypes; ++k)
- if (etypes[k] == key->key_data_type[0]) {
- docopy = 0;
- break;
- }
- if (docopy) {
- new_key_data[j++] = *key;
- } else {
- int16_t ignore = 1;
-
- kadm5_free_key_data (kadm_handle, &ignore, key);
- }
- }
-
- free (princ.key_data);
- princ.n_key_data = j;
- princ.key_data = new_key_data;
-
- ret = kadm5_modify_principal (kadm_handle, &princ, KADM5_KEY_DATA);
- if (ret)
- krb5_warn(context, ret, "kadm5_modify_principal");
-out:
- krb5_free_principal (context, princ_ent);
- kadm5_free_principal_ent(kadm_handle, &princ);
-out2:
- free (etypes);
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/kadmin/dump.c b/crypto/heimdal-0.6.3/kadmin/dump.c
deleted file mode 100644
index a57309c593..0000000000
--- a/crypto/heimdal-0.6.3/kadmin/dump.c
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kadmin_locl.h"
-#include
-
-RCSID("$Id: dump.c,v 1.26 1999/12/02 17:04:58 joda Exp $");
-
-int
-dump(int argc, char **argv)
-{
- krb5_error_code ret;
- FILE *f;
- HDB *db = _kadm5_s_get_db(kadm_handle);
- int decrypt = 0;
- int optind = 0;
-
- struct getargs args[] = {
- { "decrypt", 'd', arg_flag, NULL, "decrypt keys" }
- };
- args[0].value = &decrypt;
-
- if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind)) {
- arg_printusage(args, sizeof(args) / sizeof(args[0]), "kadmin dump",
- "[dump-file]");
- return 0;
- }
-
- argc -= optind;
- argv += optind;
- if(argc < 1)
- f = stdout;
- else
- f = fopen(argv[0], "w");
-
- ret = db->open(context, db, O_RDONLY, 0600);
- if(ret){
- krb5_warn(context, ret, "hdb_open");
- if(f != stdout)
- fclose(f);
- return 0;
- }
-
- hdb_foreach(context, db, decrypt ? HDB_F_DECRYPT : 0, hdb_print_entry, f);
-
- if(f != stdout)
- fclose(f);
- db->close(context, db);
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/kadmin/ext.c b/crypto/heimdal-0.6.3/kadmin/ext.c
deleted file mode 100644
index c945fea4c4..0000000000
--- a/crypto/heimdal-0.6.3/kadmin/ext.c
+++ /dev/null
@@ -1,116 +0,0 @@
-/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kadmin_locl.h"
-
-RCSID("$Id: ext.c,v 1.8 2002/02/11 14:29:52 joda Exp $");
-
-struct ext_keytab_data {
- krb5_keytab keytab;
-};
-
-static struct getargs args[] = {
- { "keytab", 'k', arg_string, NULL, "keytab to use" },
-};
-
-static int num_args = sizeof(args) / sizeof(args[0]);
-
-static void
-usage(void)
-{
- arg_printusage(args, num_args, "ext", "principal...");
-}
-
-static int
-do_ext_keytab(krb5_principal principal, void *data)
-{
- krb5_error_code ret;
- int i;
- kadm5_principal_ent_rec princ;
- struct ext_keytab_data *e = data;
-
- ret = kadm5_get_principal(kadm_handle, principal, &princ,
- KADM5_PRINCIPAL|KADM5_KVNO|KADM5_KEY_DATA);
- if(ret)
- return ret;
- for(i = 0; i < princ.n_key_data; i++){
- krb5_keytab_entry key;
- krb5_key_data *k = &princ.key_data[i];
- key.principal = princ.principal;
- key.vno = k->key_data_kvno;
- key.keyblock.keytype = k->key_data_type[0];
- key.keyblock.keyvalue.length = k->key_data_length[0];
- key.keyblock.keyvalue.data = k->key_data_contents[0];
- key.timestamp = time(NULL);
- ret = krb5_kt_add_entry(context, e->keytab, &key);
- if(ret)
- krb5_warn(context, ret, "krb5_kt_add_entry");
- }
- kadm5_free_principal_ent(kadm_handle, &princ);
- return 0;
-}
-
-int
-ext_keytab(int argc, char **argv)
-{
- krb5_error_code ret;
- int i;
- int optind = 0;
- char *keytab = NULL;
- struct ext_keytab_data data;
-
- args[0].value = &keytab;
- if(getarg(args, num_args, argc, argv, &optind)){
- usage();
- return 0;
- }
- if (keytab == NULL)
- ret = krb5_kt_default(context, &data.keytab);
- else
- ret = krb5_kt_resolve(context, keytab, &data.keytab);
-
- if(ret){
- krb5_warn(context, ret, "krb5_kt_resolve");
- return 0;
- }
-
- argc -= optind;
- argv += optind;
-
- for(i = 0; i < argc; i++)
- foreach_principal(argv[i], do_ext_keytab, "ext", &data);
-
- krb5_kt_close(context, data.keytab);
-
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/kadmin/get.c b/crypto/heimdal-0.6.3/kadmin/get.c
deleted file mode 100644
index 30eea9dfcf..0000000000
--- a/crypto/heimdal-0.6.3/kadmin/get.c
+++ /dev/null
@@ -1,290 +0,0 @@
-/*
- * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "kadmin_locl.h" -#include - -RCSID("$Id: get.c,v 1.13 2001/05/07 05:31:43 assar Exp $"); - -struct get_entry_data { - void (*header)(void); - void (*format)(kadm5_principal_ent_t); -}; - -static void -print_entry_terse(kadm5_principal_ent_t princ) -{ - char *p; - krb5_unparse_name(context, princ->principal, &p); - printf(" %s\n", p); - free(p); -} - -static void -print_header_short(void) -{ - printf("%-20s ", "Principal"); - - printf("%-10s ", "Expires"); - - printf("%-10s ", "PW-exp"); - - printf("%-10s ", "PW-change"); - - printf("%-9s ", "Max life"); - - printf("%-9s ", "Max renew"); - - printf("\n"); -} - -static void -print_entry_short(kadm5_principal_ent_t princ) -{ - char buf[1024]; - - krb5_unparse_name_fixed_short(context, princ->principal, buf, sizeof(buf)); - printf("%-20s ", buf); - - time_t2str(princ->princ_expire_time, buf, sizeof(buf), 0); - printf("%-10s ", buf); - - time_t2str(princ->pw_expiration, buf, sizeof(buf), 0); - printf("%-10s ", buf); - - time_t2str(princ->last_pwd_change, buf, sizeof(buf), 0); - printf("%-10s ", buf); - - deltat2str(princ->max_life, buf, sizeof(buf)); - printf("%-9s ", buf); - - deltat2str(princ->max_renewable_life, buf, sizeof(buf)); - printf("%-9s ", buf); - -#if 0 - time_t2str(princ->mod_date, buf, sizeof(buf), 0); - printf("%-10s ", buf); - - krb5_unparse_name_fixed(context, princ->mod_name, buf, sizeof(buf)); - printf("%-24s", buf); -#endif - - printf("\n"); -} - -/* - * return 0 iff `salt' actually is the same as the current salt in `k' - */ - -static int -cmp_salt (const krb5_salt *salt, const krb5_key_data *k) -{ - if (salt->salttype != k->key_data_type[1]) - return 1; - if (salt->saltvalue.length != k->key_data_length[1]) - return 1; - return memcmp (salt->saltvalue.data, k->key_data_contents[1], - salt->saltvalue.length); -} - -static void -print_entry_long(kadm5_principal_ent_t princ) -{ - char buf[1024]; - int i; - krb5_salt def_salt; - - krb5_unparse_name_fixed(context, princ->principal, 
buf, sizeof(buf)); - printf("%24s: %s\n", "Principal", buf); - time_t2str(princ->princ_expire_time, buf, sizeof(buf), 1); - printf("%24s: %s\n", "Principal expires", buf); - - time_t2str(princ->pw_expiration, buf, sizeof(buf), 1); - printf("%24s: %s\n", "Password expires", buf); - - time_t2str(princ->last_pwd_change, buf, sizeof(buf), 1); - printf("%24s: %s\n", "Last password change", buf); - - deltat2str(princ->max_life, buf, sizeof(buf)); - printf("%24s: %s\n", "Max ticket life", buf); - - deltat2str(princ->max_renewable_life, buf, sizeof(buf)); - printf("%24s: %s\n", "Max renewable life", buf); - printf("%24s: %d\n", "Kvno", princ->kvno); - printf("%24s: %d\n", "Mkvno", princ->mkvno); - printf("%24s: %s\n", "Policy", princ->policy ? princ->policy : "none"); - time_t2str(princ->last_success, buf, sizeof(buf), 1); - printf("%24s: %s\n", "Last successful login", buf); - time_t2str(princ->last_failed, buf, sizeof(buf), 1); - printf("%24s: %s\n", "Last failed login", buf); - printf("%24s: %d\n", "Failed login count", princ->fail_auth_count); - time_t2str(princ->mod_date, buf, sizeof(buf), 1); - printf("%24s: %s\n", "Last modified", buf); - if(princ->mod_name != NULL) { - krb5_unparse_name_fixed(context, princ->mod_name, buf, sizeof(buf)); - printf("%24s: %s\n", "Modifier", buf); - } - attributes2str (princ->attributes, buf, sizeof(buf)); - printf("%24s: %s\n", "Attributes", buf); - - printf("%24s: ", "Keytypes(salttype[(salt-value)])"); - - krb5_get_pw_salt (context, princ->principal, &def_salt); - - for (i = 0; i < princ->n_key_data; ++i) { - krb5_key_data *k = &princ->key_data[i]; - krb5_error_code ret; - char *e_string, *s_string, *salt; - - ret = krb5_enctype_to_string (context, - k->key_data_type[0], - &e_string); - if (ret) - asprintf (&e_string, "unknown(%d)", k->key_data_type[0]); - - ret = krb5_salttype_to_string (context, - k->key_data_type[0], - k->key_data_type[1], - &s_string); - if (ret) - asprintf (&s_string, "unknown(%d)", k->key_data_type[1]); - - if 
(cmp_salt(&def_salt, k) == 0) - salt = strdup(""); - else if(k->key_data_length[1] == 0) - salt = strdup("()"); - else - asprintf (&salt, "(%.*s)", k->key_data_length[1], - (char *)k->key_data_contents[1]); - - - printf ("%s%s(%s%s)", (i != 0) ? ", " : "", e_string, s_string, salt); - free (e_string); - free (s_string); - free (salt); - } - krb5_free_salt (context, def_salt); - printf("\n\n"); -} - -static int -do_get_entry(krb5_principal principal, void *data) -{ - kadm5_principal_ent_rec princ; - krb5_error_code ret; - struct get_entry_data *e = data; - - memset(&princ, 0, sizeof(princ)); - ret = kadm5_get_principal(kadm_handle, principal, - &princ, - KADM5_PRINCIPAL_NORMAL_MASK|KADM5_KEY_DATA); - if(ret) - return ret; - else { - if(e->header) { - (*e->header)(); - e->header = NULL; /* XXX only once */ - } - (e->format)(&princ); - kadm5_free_principal_ent(kadm_handle, &princ); - } - return 0; -} - -static int -getit(const char *name, int terse_flag, int argc, char **argv) -{ - int i; - krb5_error_code ret; - struct get_entry_data data; - struct getargs args[] = { - { "long", 'l', arg_flag, NULL, "long format" }, - { "short", 's', arg_flag, NULL, "short format" }, - { "terse", 't', arg_flag, NULL, "terse format" }, - }; - int num_args = sizeof(args) / sizeof(args[0]); - int optind = 0; - int long_flag = -1; - int short_flag = -1; - - args[0].value = &long_flag; - args[1].value = &short_flag; - args[2].value = &terse_flag; - - if(getarg(args, num_args, argc, argv, &optind)) - goto usage; - if(optind == argc) - goto usage; - - if(long_flag == -1 && (short_flag == 1 || terse_flag == 1)) - long_flag = 0; - if(short_flag == -1 && (long_flag == 1 || terse_flag == 1)) - short_flag = 0; - if(terse_flag == -1 && (long_flag == 1 || short_flag == 1)) - terse_flag = 0; - if(long_flag == 0 && short_flag == 0 && terse_flag == 0) - short_flag = 1; - - if(long_flag) { - data.format = print_entry_long; - data.header = NULL; - } else if(short_flag){ - data.format = 
print_entry_short; - data.header = print_header_short; - } else if(terse_flag) { - data.format = print_entry_terse; - data.header = NULL; - } - - argc -= optind; - argv += optind; - - for(i = 0; i < argc; i++) - ret = foreach_principal(argv[i], do_get_entry, "get", &data); - return 0; -usage: - arg_printusage (args, num_args, name, "principal..."); - return 0; -} - -int -get_entry(int argc, char **argv) -{ - return getit("get", 0, argc, argv); -} - -int -list_princs(int argc, char **argv) -{ - return getit("list", 1, argc, argv); -} diff --git a/crypto/heimdal-0.6.3/kadmin/init.c b/crypto/heimdal-0.6.3/kadmin/init.c deleted file mode 100644 index 587458b17f..0000000000 --- a/crypto/heimdal-0.6.3/kadmin/init.c +++ /dev/null 
@@ -1,238 +0,0 @@
-/*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "kadmin_locl.h" -#include - -RCSID("$Id: init.c,v 1.29 2002/12/03 14:08:17 joda Exp $"); - -static kadm5_ret_t -create_random_entry(krb5_principal princ, - unsigned max_life, - unsigned max_rlife, - u_int32_t attributes) -{ - kadm5_principal_ent_rec ent; - kadm5_ret_t ret; - int mask = 0; - krb5_keyblock *keys; - int n_keys, i; - - memset(&ent, 0, sizeof(ent)); - ent.principal = princ; - mask |= KADM5_PRINCIPAL; - if (max_life) { - ent.max_life = max_life; - mask |= KADM5_MAX_LIFE; - } - if (max_rlife) { - ent.max_renewable_life = max_rlife; - mask |= KADM5_MAX_RLIFE; - } - ent.attributes |= attributes | KRB5_KDB_DISALLOW_ALL_TIX; - mask |= KADM5_ATTRIBUTES; - - ret = kadm5_create_principal(kadm_handle, &ent, mask, "hemlig"); - if(ret) - return ret; - ret = kadm5_randkey_principal(kadm_handle, princ, &keys, &n_keys); - if(ret) - return ret; - for(i = 0; i < n_keys; i++) - krb5_free_keyblock_contents(context, &keys[i]); - free(keys); - ret = kadm5_get_principal(kadm_handle, princ, &ent, - KADM5_PRINCIPAL | KADM5_ATTRIBUTES); - if(ret) - return ret; - ent.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX); - ent.kvno = 1; - ret = kadm5_modify_principal(kadm_handle, &ent, - KADM5_ATTRIBUTES|KADM5_KVNO); - kadm5_free_principal_ent (kadm_handle, &ent); - if(ret) - return ret; - return 0; -} - -static struct getargs args[] = { - { "realm-max-ticket-life", 0, arg_string, NULL, - "realm max ticket lifetime" }, - { "realm-max-renewable-life", 0, arg_string, NULL, - "realm max renewable lifetime" }, - { "help", 'h', arg_flag, NULL }, -}; - -static int num_args = sizeof(args) / sizeof(args[0]); - -static void -usage(void) -{ - arg_printusage (args, num_args, "init", "realm..."); -} - -int -init(int argc, char **argv) -{ - kadm5_ret_t ret; - int i; - char *realm_max_life = NULL; - char *realm_max_rlife = NULL; - int help_flag = 0; - HDB *db; - int optind = 0; - krb5_deltat max_life, max_rlife; - - args[0].value = &realm_max_life; - args[1].value = &realm_max_rlife; - 
args[2].value = &help_flag; - - if(getarg(args, num_args, argc, argv, &optind) || help_flag) { - usage(); - return 0; - } - - if(argc - optind < 1) { - usage(); - return 0; - } - - if (realm_max_life) { - if (str2deltat (realm_max_life, &max_life) != 0) { - krb5_warnx (context, "unable to parse `%s'", realm_max_life); - return 0; - } - } - if (realm_max_rlife) { - if (str2deltat (realm_max_rlife, &max_rlife) != 0) { - krb5_warnx (context, "unable to parse `%s'", realm_max_rlife); - return 0; - } - } - - db = _kadm5_s_get_db(kadm_handle); - - ret = db->open(context, db, O_RDWR | O_CREAT, 0600); - if(ret){ - krb5_warn(context, ret, "hdb_open"); - return 0; - } - db->close(context, db); - for(i = optind; i < argc; i++){ - krb5_principal princ; - const char *realm = argv[i]; - - /* Create `krbtgt/REALM' */ - ret = krb5_make_principal(context, &princ, realm, - KRB5_TGS_NAME, realm, NULL); - if(ret) - return 0; - if (realm_max_life == NULL) { - max_life = 0; - if(edit_deltat ("Realm max ticket life", &max_life, NULL, 0)) { - krb5_free_principal(context, princ); - return 0; - } - } - if (realm_max_rlife == NULL) { - max_rlife = 0; - if(edit_deltat("Realm max renewable ticket life", &max_rlife, - NULL, 0)) { - krb5_free_principal(context, princ); - return 0; - } - } - create_random_entry(princ, max_life, max_rlife, 0); - krb5_free_principal(context, princ); - - /* Create `kadmin/changepw' */ - krb5_make_principal(context, &princ, realm, - "kadmin", "changepw", NULL); - create_random_entry(princ, 5*60, 5*60, - KRB5_KDB_DISALLOW_TGT_BASED| - KRB5_KDB_PWCHANGE_SERVICE| - KRB5_KDB_DISALLOW_POSTDATED| - KRB5_KDB_DISALLOW_FORWARDABLE| - KRB5_KDB_DISALLOW_RENEWABLE| - KRB5_KDB_DISALLOW_PROXIABLE| - KRB5_KDB_REQUIRES_PRE_AUTH); - krb5_free_principal(context, princ); - - /* Create `kadmin/admin' */ - krb5_make_principal(context, &princ, realm, - "kadmin", "admin", NULL); - create_random_entry(princ, 60*60, 60*60, KRB5_KDB_REQUIRES_PRE_AUTH); - krb5_free_principal(context, princ); - 
- /* Create `changepw/kerberos' (for v4 compat) */ - krb5_make_principal(context, &princ, realm, - "changepw", "kerberos", NULL); - create_random_entry(princ, 60*60, 60*60, - KRB5_KDB_DISALLOW_TGT_BASED| - KRB5_KDB_PWCHANGE_SERVICE); - - krb5_free_principal(context, princ); - - /* Create `kadmin/hprop' for database propagation */ - krb5_make_principal(context, &princ, realm, - "kadmin", "hprop", NULL); - create_random_entry(princ, 60*60, 60*60, - KRB5_KDB_REQUIRES_PRE_AUTH| - KRB5_KDB_DISALLOW_TGT_BASED); - krb5_free_principal(context, princ); - - /* Create `default' */ - { - kadm5_principal_ent_rec ent; - int mask = 0; - - memset (&ent, 0, sizeof(ent)); - mask |= KADM5_PRINCIPAL; - krb5_make_principal(context, &ent.principal, realm, - "default", NULL); - mask |= KADM5_MAX_LIFE; - ent.max_life = 24 * 60 * 60; - mask |= KADM5_MAX_RLIFE; - ent.max_renewable_life = 7 * ent.max_life; - ent.attributes = KRB5_KDB_DISALLOW_ALL_TIX; - mask |= KADM5_ATTRIBUTES; - - ret = kadm5_create_principal(kadm_handle, &ent, mask, ""); - if (ret) - krb5_err (context, 1, ret, "kadm5_create_principal"); - - krb5_free_principal(context, ent.principal); - } - } - return 0; -} diff --git a/crypto/heimdal-0.6.3/kadmin/kadm_conn.c b/crypto/heimdal-0.6.3/kadmin/kadm_conn.c deleted file mode 100644 index ae44c43095..0000000000 --- a/crypto/heimdal-0.6.3/kadmin/kadm_conn.c +++ /dev/null 
@@ -1,292 +0,0 @@
-/*
- * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "kadmin_locl.h" -#ifdef HAVE_SYS_WAIT_H -#include -#endif - -RCSID("$Id: kadm_conn.c,v 1.14 2002/10/21 13:21:24 joda Exp $"); - -struct kadm_port { - char *port; - unsigned short def_port; - struct kadm_port *next; -} *kadm_ports; - -static void -add_kadm_port(krb5_context context, const char *service, unsigned int port) -{ - struct kadm_port *p; - p = malloc(sizeof(*p)); - if(p == NULL) { - krb5_warnx(context, "failed to allocate %lu bytes\n", - (unsigned long)sizeof(*p)); - return; - } - - p->port = strdup(service); - p->def_port = port; - - p->next = kadm_ports; - kadm_ports = p; -} - -extern int do_kerberos4; - -static void -add_standard_ports (krb5_context context) -{ - add_kadm_port(context, "kerberos-adm", 749); -#ifdef KRB4 - if(do_kerberos4) - add_kadm_port(context, "kerberos-master", 751); -#endif -} - -/* - * parse the set of space-delimited ports in `str' and add them. - * "+" => all the standard ones - * otherwise it's port|service[/protocol] - */ - -void -parse_ports(krb5_context context, const char *str) -{ - char p[128]; - - while(strsep_copy(&str, " \t", p, sizeof(p)) != -1) { - if(strcmp(p, "+") == 0) - add_standard_ports(context); - else - add_kadm_port(context, p, 0); - } -} - -static pid_t pgrp; -sig_atomic_t term_flag, doing_useful_work; - -static RETSIGTYPE -sigchld(int sig) -{ - int status; - waitpid(-1, &status, 0); - SIGRETURN(0); -} - -static RETSIGTYPE -terminate(int sig) -{ - if(getpid() == pgrp) { - /* parent */ - term_flag = 1; - signal(sig, SIG_IGN); - killpg(pgrp, sig); - } else { - /* child */ - if(doing_useful_work) - term_flag = 1; - else - exit(0); - } - SIGRETURN(0); -} - -static int -spawn_child(krb5_context context, int *socks, int num_socks, int this_sock) -{ - int e, i; - struct sockaddr_storage __ss; - struct sockaddr *sa = (struct sockaddr *)&__ss; - socklen_t sa_size = sizeof(__ss); - int s; - pid_t pid; - krb5_address addr; - char buf[128]; - size_t buf_len; - - s = accept(socks[this_sock], sa, 
&sa_size); - if(s < 0) { - krb5_warn(context, errno, "accept"); - return 1; - } - e = krb5_sockaddr2address(context, sa, &addr); - if(e) - krb5_warn(context, e, "krb5_sockaddr2address"); - else { - e = krb5_print_address (&addr, buf, sizeof(buf), - &buf_len); - if(e) - krb5_warn(context, e, "krb5_print_address"); - else - krb5_warnx(context, "connection from %s", buf); - krb5_free_address(context, &addr); - } - - pid = fork(); - if(pid == 0) { - for(i = 0; i < num_socks; i++) - close(socks[i]); - dup2(s, STDIN_FILENO); - dup2(s, STDOUT_FILENO); - if(s != STDIN_FILENO && s != STDOUT_FILENO) - close(s); - return 0; - } else { - close(s); - } - return 1; -} - -static int -wait_for_connection(krb5_context context, - int *socks, int num_socks) -{ - int i, e; - fd_set orig_read_set, read_set; - int max_fd = -1; - - FD_ZERO(&orig_read_set); - - for(i = 0; i < num_socks; i++) { - if (socks[i] >= FD_SETSIZE) - errx (1, "fd too large"); - FD_SET(socks[i], &orig_read_set); - max_fd = max(max_fd, socks[i]); - } - - pgrp = getpid(); - - if(setpgid(0, pgrp) < 0) - err(1, "setpgid"); - - signal(SIGTERM, terminate); - signal(SIGINT, terminate); - signal(SIGCHLD, sigchld); - - while (term_flag == 0) { - read_set = orig_read_set; - e = select(max_fd + 1, &read_set, NULL, NULL, NULL); - if(e < 0) { - if(errno != EINTR) - krb5_warn(context, errno, "select"); - } else if(e == 0) - krb5_warnx(context, "select returned 0"); - else { - for(i = 0; i < num_socks; i++) { - if(FD_ISSET(socks[i], &read_set)) - if(spawn_child(context, socks, num_socks, i) == 0) - return 0; - } - } - } - signal(SIGCHLD, SIG_IGN); - while(1) { - int status; - pid_t pid; - pid = waitpid(-1, &status, 0); - if(pid == -1 && errno == ECHILD) - break; - } - exit(0); -} - - -int -start_server(krb5_context context) -{ - int e; - struct kadm_port *p; - - int *socks = NULL, *tmp; - int num_socks = 0; - int i; - - for(p = kadm_ports; p; p = p->next) { - struct addrinfo hints, *ai, *ap; - char portstr[32]; - memset (&hints, 
0, sizeof(hints)); - hints.ai_flags = AI_PASSIVE; - hints.ai_socktype = SOCK_STREAM; - - e = getaddrinfo(NULL, p->port, &hints, &ai); - if(e) { - snprintf(portstr, sizeof(portstr), "%u", p->def_port); - e = getaddrinfo(NULL, portstr, &hints, &ai); - } - - if(e) { - krb5_warn(context, krb5_eai_to_heim_errno(e, errno), - "%s", portstr); - continue; - } - i = 0; - for(ap = ai; ap; ap = ap->ai_next) - i++; - tmp = realloc(socks, (num_socks + i) * sizeof(*socks)); - if(tmp == NULL) { - krb5_warnx(context, "failed to reallocate %lu bytes", - (unsigned long)(num_socks + i) * sizeof(*socks)); - continue; - } - socks = tmp; - for(ap = ai; ap; ap = ap->ai_next) { - int one = 1; - int s = socket(ap->ai_family, ap->ai_socktype, ap->ai_protocol); - if(s < 0) { - krb5_warn(context, errno, "socket"); - continue; - } -#if defined(SO_REUSEADDR) && defined(HAVE_SETSOCKOPT) - if(setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void *)&one, - sizeof(one)) < 0) - krb5_warn(context, errno, "setsockopt"); -#endif - if (bind (s, ap->ai_addr, ap->ai_addrlen) < 0) { - krb5_warn(context, errno, "bind"); - close(s); - continue; - } - if (listen (s, SOMAXCONN) < 0) { - krb5_warn(context, errno, "listen"); - close(s); - continue; - } - socks[num_socks++] = s; - } - freeaddrinfo (ai); - } - if(num_socks == 0) - krb5_errx(context, 1, "no sockets to listen to - exiting"); - return wait_for_connection(context, socks, num_socks); -} diff --git a/crypto/heimdal-0.6.3/kadmin/kadmin.8 b/crypto/heimdal-0.6.3/kadmin/kadmin.8 deleted file mode 100644 index cf7ebe857b..0000000000 --- a/crypto/heimdal-0.6.3/kadmin/kadmin.8 +++ /dev/null 
@@ -1,286 +0,0 @@
-.\" Copyright (c) 2000 - 2003 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\" -.\" $Id: kadmin.8,v 1.10 2003/03/31 10:42:32 lha Exp $ -.\" -.Dd September 10, 2000 -.Dt KADMIN 8 -.Os HEIMDAL -.Sh NAME -.Nm kadmin -.Nd Kerberos administration utility -.Sh SYNOPSIS -.Nm -.Oo Fl p Ar string \*(Ba Xo -.Fl -principal= Ns Ar string -.Xc -.Oc -.Oo Fl K Ar string \*(Ba Xo -.Fl -keytab= Ns Ar string -.Xc -.Oc -.Oo Fl c Ar file \*(Ba Xo -.Fl -config-file= Ns Ar file -.Xc -.Oc -.Oo Fl k Ar file \*(Ba Xo -.Fl -key-file= Ns Ar file -.Xc -.Oc -.Oo Fl r Ar realm \*(Ba Xo -.Fl -realm= Ns Ar realm -.Xc -.Oc -.Oo Fl a Ar host \*(Ba Xo -.Fl -admin-server= Ns Ar host -.Xc -.Oc -.Oo Fl s Ar port number \*(Ba Xo -.Fl -server-port= Ns Ar port number -.Xc -.Oc -.Op Fl l | Fl -local -.Op Fl h | Fl -help -.Op Fl v | Fl -version -.Op Ar command -.Sh DESCRIPTION -The -.Nm -program is used to make modifications to the Kerberos database, either remotely via the -.Xr kadmind 8 -daemon, or locally (with the -.Fl l -option). -.Pp -Supported options: -.Bl -tag -width Ds -.It Xo -.Fl p Ar string , -.Fl -principal= Ns Ar string -.Xc -principal to authenticate as -.It Xo -.Fl K Ar string , -.Fl -keytab= Ns Ar string -.Xc -keytab for authentication principal -.It Xo -.Fl c Ar file , -.Fl -config-file= Ns Ar file -.Xc -location of config file -.It Xo -.Fl k Ar file , -.Fl -key-file= Ns Ar file -.Xc -location of master key file -.It Xo -.Fl r Ar realm , -.Fl -realm= Ns Ar realm -.Xc -realm to use -.It Xo -.Fl a Ar host , -.Fl -admin-server= Ns Ar host -.Xc -server to contact -.It Xo -.Fl s Ar port number , -.Fl -server-port= Ns Ar port number -.Xc -port to use -.It Xo -.Fl l , -.Fl -local -.Xc -local admin mode -.El -.Pp -If no -.Ar command -is given on the command line, -.Nm -will prompt for commands to process. 
Commands include: -.\" not using a list here, since groff apparently gets confused -.\" with nested Xo/Xc -.Bd -ragged -offset indent -.Nm add -.Op Fl r | Fl -random-key -.Op Fl -random-password -.Oo Fl p Ar string \*(Ba Xo -.Fl -password= Ns Ar string -.Xc -.Oc -.Op Fl -key= Ns Ar string -.Op Fl -max-ticket-life= Ns Ar lifetime -.Op Fl -max-renewable-life= Ns Ar lifetime -.Op Fl -attributes= Ns Ar attributes -.Op Fl -expiration-time= Ns Ar time -.Op Fl -pw-expiration-time= Ns Ar time -.Ar principal... -.Pp -.Bd -ragged -offset indent -creates a new principal -.Ed -.Pp -.Nm passwd -.Op Fl r | Fl -random-key -.Op Fl -random-password -.Oo Fl p Ar string \*(Ba Xo -.Fl -password= Ns Ar string -.Xc -.Oc -.Op Fl -key= Ns Ar string -.Ar principal... -.Pp -.Bd -ragged -offset indent -changes the password of an existing principal -.Ed -.Pp -.Nm delete -.Ar principal... -.Pp -.Bd -ragged -offset indent -removes a principal -.Ed -.Pp -.Nm del_enctype -.Ar principal enctypes... -.Pp -.Bd -ragged -offset indent -removes some enctypes from a principal. This can be useful the service -belonging to the principal is known to not handle certain enctypes -.Ed -.Pp -.Nm ext_keytab -.Oo Fl k Ar string \*(Ba Xo -.Fl -keytab= Ns Ar string -.Xc -.Oc -.Ar principal... -.Pp -.Bd -ragged -offset indent -creates a keytab with the keys of the specified principals -.Ed -.Pp -.Nm get -.Op Fl l | Fl -long -.Op Fl s | Fl -short -.Op Fl t | Fl -terse -.Ar expression... 
-.Pp -.Bd -ragged -offset indent -lists the principals that match the expressions (which are shell glob -like), long format gives more information, and terse just prints the -names -.Ed -.Pp -.Nm rename -.Ar from to -.Pp -.Bd -ragged -offset indent -renames a principal -.Ed -.Pp -.Nm modify -.Oo Fl a Ar attributes \*(Ba Xo -.Fl -attributes= Ns Ar attributes -.Xc -.Oc -.Op Fl -max-ticket-life= Ns Ar lifetime -.Op Fl -max-renewable-life= Ns Ar lifetime -.Op Fl -expiration-time= Ns Ar time -.Op Fl -pw-expiration-time= Ns Ar time -.Op Fl -kvno= Ns Ar number -.Ar principal -.Pp -.Bd -ragged -offset indent -modifies certain attributes of a principal -.Ed -.Pp -.Nm privileges -.Pp -.Bd -ragged -offset indent -lists the operations you are allowed to perform -.Ed -.Pp -.Ed -.Pp -When running in local mode, the following commands can also be used: -.Bd -ragged -offset indent -.Nm dump -.Op Fl d | Fl -decrypt -.Op Ar dump-file -.Pp -.Bd -ragged -offset indent -writes the database in -.Dq human readable -form to the specified file, or standard out -.Ed -.Pp -.Nm init -.Op Fl -realm-max-ticket-life= Ns Ar string -.Op Fl -realm-max-renewable-life= Ns Ar string -.Ar realm -.Pp -.Bd -ragged -offset indent -initializes the Kerberos database with entries for a new realm. It's -possible to have more than one realm served by one server -.Ed -.Pp -.Nm load -.Ar file -.Pp -.Bd -ragged -offset indent -reads a previously dumped database, and re-creates that database from scratch -.Ed -.Pp -.Nm merge -.Ar file -.Pp -.Bd -ragged -offset indent -similar to -.Nm list -but just modifies the database with the entries in the dump file -.Ed -.Pp -.Ed -.\".Sh ENVIRONMENT -.\".Sh FILES -.\".Sh EXAMPLES -.\".Sh DIAGNOSTICS -.Sh SEE ALSO -.Xr kadmind 8 , -.Xr kdc 8 -.\".Sh STANDARDS -.\".Sh HISTORY -.\".Sh AUTHORS -.\".Sh BUGS diff --git a/crypto/heimdal-0.6.3/kadmin/kadmin.c b/crypto/heimdal-0.6.3/kadmin/kadmin.c deleted file mode 100644 index 9438587255..0000000000 
--- a/crypto/heimdal-0.6.3/kadmin/kadmin.c
+++ /dev/null
@@ -1,322 +0,0 @@ -/* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "kadmin_locl.h" -#include - -RCSID("$Id: kadmin.c,v 1.42 2003/03/31 10:20:19 lha Exp $"); - -static char *config_file; -static char *keyfile; -static int local_flag; -static int help_flag; -static int version_flag; -static char *realm; -static char *admin_server; -static int server_port = 0; -static char *client_name; -static char *keytab; - -static struct getargs args[] = { - { "principal", 'p', arg_string, &client_name, - "principal to authenticate as" }, - { "keytab", 'K', arg_string, &keytab, - "keytab for authentication principal" }, - { - "config-file", 'c', arg_string, &config_file, - "location of config file", "file" - }, - { - "key-file", 'k', arg_string, &keyfile, - "location of master key file", "file" - }, - { - "realm", 'r', arg_string, &realm, - "realm to use", "realm" - }, - { - "admin-server", 'a', arg_string, &admin_server, - "server to contact", "host" - }, - { - "server-port", 's', arg_integer, &server_port, - "port to use", "port number" - }, - { "local", 'l', arg_flag, &local_flag, "local admin mode" }, - { "help", 'h', arg_flag, &help_flag }, - { "version", 'v', arg_flag, &version_flag } -}; - -static int num_args = sizeof(args) / sizeof(args[0]); - -static SL_cmd commands[] = { - /* commands that are only available with `-l' */ - { - "dump", dump, "dump [file]", - "Dumps the database in a human readable format to the\n" - "specified file, or the standard out." - }, - { - "load", load, "load file", - "Loads a previously dumped file." - }, - { - "merge", merge, "merge file" , - "Merges the contents of a dump file into the database." - }, - { - "init", init, "init realm...", - "Initializes the default principals for a realm.\n" - "Creates the database if necessary." - }, - /* common commands */ - { - "add", add_new_key, "add principal" , - "Adds a principal to the database." - }, - { "add_new_key"}, - { "ank"}, - { - "passwd", cpw_entry, "passwd expression..." 
, - "Changes the password of one or more principals\n" - "matching the expressions." - }, - { "change_password"}, - { "cpw"}, - { - "delete", del_entry, "delete expression...", - "Deletes all principals matching the expressions." - }, - { "del_entry" }, - { "del" }, - { - "del_enctype", del_enctype, "del_enctype principal enctype...", - "Delete all the mentioned enctypes for principal." - }, - { - "ext_keytab", ext_keytab, "ext_keytab expression...", - "Extracts the keys of all principals matching the expressions,\n" - "and stores them in a keytab." - }, - { - "get", get_entry, "get expression...", - "Shows information about principals matching the expressions." - }, - { "get_entry" }, - { - "rename", rename_entry, "rename source target", - "Renames `source' to `target'." - }, - { - "modify", mod_entry, "modify principal", - "Modifies some attributes of the specified principal." - }, - { - "privileges", get_privs, "privileges", - "Shows which kinds of operations you are allowed to perform." - }, - { "privs" }, - { - "list", list_princs, "list expression...", - "Lists principals in a terse format. The same as `get -t'." 
- }, - { "help", help, "help"}, - { "?"}, - { "exit", exit_kadmin, "exit"}, - { "quit" }, - { NULL} -}; - -krb5_context context; -void *kadm_handle; - -static SL_cmd *actual_cmds; - -int -help(int argc, char **argv) -{ - sl_help(actual_cmds, argc, argv); - return 0; -} - -int -exit_kadmin (int argc, char **argv) -{ - return 1; -} - -static void -usage(int ret) -{ - arg_printusage (args, num_args, NULL, "[command]"); - exit (ret); -} - -int -get_privs(int argc, char **argv) -{ - u_int32_t privs; - char str[128]; - kadm5_ret_t ret; - - int help_flag = 0; - struct getargs args[] = { - { "help", 'h', arg_flag, NULL } - }; - int num_args = sizeof(args) / sizeof(args[0]); - int optind = 0; - - args[0].value = &help_flag; - - if(getarg(args, num_args, argc, argv, &optind)) { - arg_printusage (args, num_args, "privileges", NULL); - return 0; - } - if(help_flag) { - arg_printusage (args, num_args, "privileges", NULL); - return 0; - } - - ret = kadm5_get_privs(kadm_handle, &privs); - if(ret) - krb5_warn(context, ret, "kadm5_get_privs"); - else{ - ret =_kadm5_privs_to_string(privs, str, sizeof(str)); - printf("%s\n", str); - } - return 0; -} - -int -main(int argc, char **argv) -{ - krb5_error_code ret; - krb5_config_section *cf = NULL; - kadm5_config_params conf; - int optind = 0; - - setprogname(argv[0]); - - ret = krb5_init_context(&context); - if (ret) - errx (1, "krb5_init_context failed: %d", ret); - - if(getarg(args, num_args, argc, argv, &optind)) - usage(1); - - if (help_flag) - usage (0); - - if (version_flag) { - print_version(NULL); - exit(0); - } - - argc -= optind; - argv += optind; - - if (config_file == NULL) - config_file = HDB_DB_DIR "/kdc.conf"; - - if(krb5_config_parse_file(context, config_file, &cf) == 0) { - const char *p = krb5_config_get_string (context, cf, - "kdc", "key-file", NULL); - if (p) - keyfile = strdup(p); - } - krb5_clear_error_string (context); - - memset(&conf, 0, sizeof(conf)); - if(realm) { - krb5_set_default_realm(context, realm); /* 
XXX should be fixed - some other way */ - conf.realm = realm; - conf.mask |= KADM5_CONFIG_REALM; - } - - if (admin_server) { - conf.admin_server = admin_server; - conf.mask |= KADM5_CONFIG_ADMIN_SERVER; - } - - if (server_port) { - conf.kadmind_port = htons(server_port); - conf.mask |= KADM5_CONFIG_KADMIND_PORT; - } - - if(local_flag){ - ret = kadm5_s_init_with_password_ctx(context, - KADM5_ADMIN_SERVICE, - NULL, - KADM5_ADMIN_SERVICE, - &conf, 0, 0, - &kadm_handle); - actual_cmds = commands; - } else if (keytab) { - ret = kadm5_c_init_with_skey_ctx(context, - client_name, - keytab, - KADM5_ADMIN_SERVICE, - &conf, 0, 0, - &kadm_handle); - actual_cmds = commands + 4; /* XXX */ - } else { - ret = kadm5_c_init_with_password_ctx(context, - client_name, - NULL, - KADM5_ADMIN_SERVICE, - &conf, 0, 0, - &kadm_handle); - actual_cmds = commands + 4; /* XXX */ - } - - if(ret) - krb5_err(context, 1, ret, "kadm5_init_with_password"); - - signal(SIGINT, SIG_IGN); /* ignore signals for now, the sl command - parser will handle SIGINT its own way; - we should really take care of this in - each function, f.i `get' might be - interruptable, but not `create' */ - if (argc != 0) { - ret = sl_command (actual_cmds, argc, argv); - if(ret == -1) - krb5_warnx (context, "unrecognized command: %s", argv[0]); - } else - ret = sl_loop (actual_cmds, "kadmin> ") != 0; - - kadm5_destroy(kadm_handle); - krb5_config_file_free (context, cf); - krb5_free_context(context); - return ret; -} diff --git a/crypto/heimdal-0.6.3/kadmin/kadmin.cat8 b/crypto/heimdal-0.6.3/kadmin/kadmin.cat8 deleted file mode 100644 index 449c3f4b80..0000000000 --- a/crypto/heimdal-0.6.3/kadmin/kadmin.cat8 +++ /dev/null 
@@ -1,123 +0,0 @@ - -KADMIN(8) UNIX System Manager's Manual KADMIN(8) - -NNAAMMEE - kkaaddmmiinn - Kerberos administration utility - -SSYYNNOOPPSSIISS - kkaaddmmiinn [--pp _s_t_r_i_n_g | ----pprriinncciippaall==_s_t_r_i_n_g] [--KK _s_t_r_i_n_g | ----kkeeyyttaabb==_s_t_r_i_n_g] [--cc - _f_i_l_e | ----ccoonnffiigg--ffiillee==_f_i_l_e] [--kk _f_i_l_e | ----kkeeyy--ffiillee==_f_i_l_e] [--rr _r_e_a_l_m | - ----rreeaallmm==_r_e_a_l_m] [--aa _h_o_s_t | ----aaddmmiinn--sseerrvveerr==_h_o_s_t] [--ss _p_o_r_t _n_u_m_b_e_r | - ----sseerrvveerr--ppoorrtt==_p_o_r_t _n_u_m_b_e_r] [--ll | ----llooccaall] [--hh | ----hheellpp] [--vv | ----vveerrssiioonn] - [_c_o_m_m_a_n_d] - -DDEESSCCRRIIPPTTIIOONN - The kkaaddmmiinn program is used to make modifications to the Kerberos - database, either remotely via the kadmind(8) daemon, or locally (with the - --ll option). - - Supported options: - - --pp _s_t_r_i_n_g, ----pprriinncciippaall==_s_t_r_i_n_g - principal to authenticate as - - --KK _s_t_r_i_n_g, ----kkeeyyttaabb==_s_t_r_i_n_g - keytab for authentication principal - - --cc _f_i_l_e, ----ccoonnffiigg--ffiillee==_f_i_l_e - location of config file - - --kk _f_i_l_e, ----kkeeyy--ffiillee==_f_i_l_e - location of master key file - - --rr _r_e_a_l_m, ----rreeaallmm==_r_e_a_l_m - realm to use - - --aa _h_o_s_t, ----aaddmmiinn--sseerrvveerr==_h_o_s_t - server to contact - - --ss _p_o_r_t _n_u_m_b_e_r, ----sseerrvveerr--ppoorrtt==_p_o_r_t _n_u_m_b_e_r - port to use - - --ll, ----llooccaall - local admin mode - - If no _c_o_m_m_a_n_d is given on the command line, kkaaddmmiinn will prompt for com- - mands to process. 
Commands include: - - aadddd [--rr | ----rraannddoomm--kkeeyy] [----rraannddoomm--ppaasssswwoorrdd] [--pp _s_t_r_i_n_g | - ----ppaasssswwoorrdd==_s_t_r_i_n_g] [----kkeeyy==_s_t_r_i_n_g] [----mmaaxx--ttiicckkeett--lliiffee==_l_i_f_e_t_i_m_e] - [----mmaaxx--rreenneewwaabbllee--lliiffee==_l_i_f_e_t_i_m_e] [----aattttrriibbuutteess==_a_t_t_r_i_b_u_t_e_s] - [----eexxppiirraattiioonn--ttiimmee==_t_i_m_e] [----ppww--eexxppiirraattiioonn--ttiimmee==_t_i_m_e] _p_r_i_n_c_i_p_a_l_._._. - - creates a new principal - - ppaasssswwdd [--rr | ----rraannddoomm--kkeeyy] [----rraannddoomm--ppaasssswwoorrdd] [--pp _s_t_r_i_n_g | - ----ppaasssswwoorrdd==_s_t_r_i_n_g] [----kkeeyy==_s_t_r_i_n_g] _p_r_i_n_c_i_p_a_l_._._. - - changes the password of an existing principal - - ddeelleettee _p_r_i_n_c_i_p_a_l_._._. - - removes a principal - - ddeell__eennccttyyppee _p_r_i_n_c_i_p_a_l _e_n_c_t_y_p_e_s_._._. - - - removes some enctypes from a principal. This can be useful - the service belonging to the principal is known to not handle - certain enctypes - - eexxtt__kkeeyyttaabb [--kk _s_t_r_i_n_g | ----kkeeyyttaabb==_s_t_r_i_n_g] _p_r_i_n_c_i_p_a_l_._._. - - creates a keytab with the keys of the specified principals - - ggeett [--ll | ----lloonngg] [--ss | ----sshhoorrtt] [--tt | ----tteerrssee] _e_x_p_r_e_s_s_i_o_n_._._. 
- - lists the principals that match the expressions (which are - shell glob like), long format gives more information, and - terse just prints the names - - rreennaammee _f_r_o_m _t_o - - renames a principal - - mmooddiiffyy [--aa _a_t_t_r_i_b_u_t_e_s | ----aattttrriibbuutteess==_a_t_t_r_i_b_u_t_e_s] - [----mmaaxx--ttiicckkeett--lliiffee==_l_i_f_e_t_i_m_e] [----mmaaxx--rreenneewwaabbllee--lliiffee==_l_i_f_e_t_i_m_e] - [----eexxppiirraattiioonn--ttiimmee==_t_i_m_e] [----ppww--eexxppiirraattiioonn--ttiimmee==_t_i_m_e] - [----kkvvnnoo==_n_u_m_b_e_r] _p_r_i_n_c_i_p_a_l - - modifies certain attributes of a principal - - pprriivviilleeggeess - - lists the operations you are allowed to perform - - When running in local mode, the following commands can also be used: - - dduummpp [--dd | ----ddeeccrryypptt] [_d_u_m_p_-_f_i_l_e] - - writes the database in ``human readable'' form to the speci- - fied file, or standard out - - iinniitt [----rreeaallmm--mmaaxx--ttiicckkeett--lliiffee==_s_t_r_i_n_g] - [----rreeaallmm--mmaaxx--rreenneewwaabbllee--lliiffee==_s_t_r_i_n_g] _r_e_a_l_m - - initializes the Kerberos database with entries for a new - realm. It's possible to have more than one realm served by - one server - - llooaadd _f_i_l_e - - reads a previously dumped database, and re-creates that - database from scratch - - mmeerrggee _f_i_l_e - - similar to lliisstt but just modifies the database with the en- - tries in the dump file - -SSEEEE AALLSSOO - kadmind(8), kdc(8) - - HEIMDAL September 10, 2000 2 diff --git a/crypto/heimdal-0.6.3/kadmin/kadmin_locl.h b/crypto/heimdal-0.6.3/kadmin/kadmin_locl.h deleted file mode 100644 index 59c1bd29a0..0000000000 --- a/crypto/heimdal-0.6.3/kadmin/kadmin_locl.h +++ /dev/null 
@@ -1,192 +0,0 @@ -/* - * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -/* - * $Id: kadmin_locl.h,v 1.41 2002/09/10 20:04:45 joda Exp $ - */ - -#ifndef __ADMIN_LOCL_H__ -#define __ADMIN_LOCL_H__ - -#ifdef HAVE_CONFIG_H -#include -#endif -#include -#include -#include -#include -#include -#include -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_SYS_SELECT_H -#include -#endif -#ifdef HAVE_FCNTL_H -#include -#endif -#ifdef HAVE_SYS_SOCKET_H -#include -#endif -#ifdef HAVE_SYS_SELECT_H -#include -#endif -#ifdef HAVE_NETINET_IN_H -#include -#endif -#ifdef HAVE_NETINET_IN6_H -#include -#endif -#ifdef HAVE_NETINET6_IN6_H -#include -#endif - -#ifdef HAVE_UTIL_H -#include -#endif -#ifdef HAVE_LIBUTIL_H -#include -#endif -#ifdef HAVE_NETDB_H -#include -#endif -#ifdef HAVE_SYS_UN_H -#include -#endif -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - - -extern krb5_context context; -extern void * kadm_handle; - -#define DECL(X) int X(int, char **) - -DECL(add_new_key); -DECL(cpw_entry); -DECL(del_entry); -DECL(del_enctype); -DECL(exit_kadmin); -DECL(ext_keytab); -DECL(get_entry); -DECL(get_privs); -DECL(help); -DECL(list_princs); -DECL(mod_entry); -DECL(rename_entry); -DECL(init); -DECL(dump); -DECL(load); -DECL(merge); - -#undef ALLOC -#define ALLOC(X) ((X) = malloc(sizeof(*(X)))) - -/* util.c */ - -void attributes2str(krb5_flags attributes, char *str, size_t len); -int str2attributes(const char *str, krb5_flags *flags); -int parse_attributes (const char *resp, krb5_flags *attr, int *mask, int bit); -int edit_attributes (const char *prompt, krb5_flags *attr, int *mask, - int bit); - -void time_t2str(time_t t, char *str, size_t len, int include_time); -int str2time_t (const char *str, time_t *time); -int parse_timet (const char *resp, krb5_timestamp *value, int *mask, int bit); -int edit_timet (const char *prompt, krb5_timestamp *value, int *mask, - int bit); - -void deltat2str(unsigned t, char *str, size_t len); -int str2deltat(const char *str, krb5_deltat *delta); -int 
parse_deltat (const char *resp, krb5_deltat *value, int *mask, int bit); -int edit_deltat (const char *prompt, krb5_deltat *value, int *mask, int bit); - -int edit_entry(kadm5_principal_ent_t ent, int *mask, - kadm5_principal_ent_t default_ent, int default_mask); -void set_defaults(kadm5_principal_ent_t ent, int *mask, - kadm5_principal_ent_t default_ent, int default_mask); -int set_entry(krb5_context context, - kadm5_principal_ent_t ent, - int *mask, - const char *max_ticket_life, - const char *max_renewable_life, - const char *expiration, - const char *pw_expiration, - const char *attributes); -int -foreach_principal(const char *exp, - int (*func)(krb5_principal, void*), - const char *funcname, - void *data); - -int parse_des_key (const char *key_string, - krb5_key_data *key_data, const char **err); - -/* server.c */ - -krb5_error_code -kadmind_loop (krb5_context, krb5_auth_context, krb5_keytab, int); - -/* version4.c */ - -void -handle_v4(krb5_context context, krb5_keytab keytab, int len, int fd); - -/* random_password.c */ - -void -random_password(char *pw, size_t len); - -/* kadm_conn.c */ - -extern sig_atomic_t term_flag, doing_useful_work; - -void parse_ports(krb5_context, const char*); -int start_server(krb5_context); - -/* server.c */ - -krb5_error_code -kadmind_loop (krb5_context, krb5_auth_context, krb5_keytab, int); - -#endif /* __ADMIN_LOCL_H__ */ diff --git a/crypto/heimdal-0.6.3/kadmin/kadmind.8 b/crypto/heimdal-0.6.3/kadmin/kadmind.8 deleted file mode 100644 index 5663225913..0000000000 --- a/crypto/heimdal-0.6.3/kadmin/kadmind.8 +++ /dev/null 
@@ -1,186 +0,0 @@ -.\" Copyright (c) 2002 - 2003 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. 
-.\" -.\" $Id: kadmind.8,v 1.14 2003/04/06 17:47:57 lha Exp $ -.\" -.Dd March 5, 2002 -.Dt KADMIND 8 -.Os HEIMDAL -.Sh NAME -.Nm kadmind -.Nd "server for administrative access to Kerberos database" -.Sh SYNOPSIS -.Nm -.Oo Fl c Ar file \*(Ba Xo -.Fl -config-file= Ns Ar file -.Xc -.Oc -.Oo Fl k Ar file \*(Ba Xo -.Fl -key-file= Ns Ar file -.Xc -.Oc -.Op Fl -keytab= Ns Ar keytab -.Oo Fl r Ar realm \*(Ba Xo -.Fl -realm= Ns Ar realm -.Xc -.Oc -.Op Fl d | Fl -debug -.Oo Fl p Ar port \*(Ba Xo -.Fl -ports= Ns Ar port -.Xc -.Oc -.Op Fl -no-kerberos4 -.Sh DESCRIPTION -.Nm -listens for requests for changes to the Kerberos database and performs -these, subject to permissions. When starting, if stdin is a socket it -assumes that it has been started by -.Xr inetd 8 , -otherwise it behaves as a daemon, forking processes for each new -connection. The -.Fl -debug -option causes -.Nm -to accept exactly one connection, which is useful for debugging. -.Pp -If built with krb4 support, it implements both the Heimdal Kerberos 5 -administrative protocol and the Kerberos 4 protocol. Password changes -via the Kerberos 4 protocol are also performed by -.Nm kadmind , -but the -.Xr kpasswdd 8 -daemon is responsible for the Kerberos 5 password changing protocol -(used by -.Xr kpasswd 1 ) -. -.Pp -This daemon should only be run on the master server, and not on any -slaves. -.Pp -Principals are always allowed to change their own password and list -their own principal. Apart from that, doing any operation requires -permission explicitly added in the ACL file -.Pa /var/heimdal/kadmind.acl . -The format of this file is: -.Bd -ragged -.Va principal -.Va rights -.Op Va principal-pattern -.Ed -.Pp -Where rights is any (comma separated) combination of: -.Bl -bullet -compact -.It -change-password or cpw -.It -list -.It -delete -.It -modify -.It -add -.It -get -.It -all -.El -.Pp -And the optional -.Ar principal-pattern -restricts the rights to operations on principals that match the -glob-style pattern. 
-.Pp -Supported options: -.Bl -tag -width Ds -.It Xo -.Fl c Ar file , -.Fl -config-file= Ns Ar file -.Xc -location of config file -.It Xo -.Fl k Ar file , -.Fl -key-file= Ns Ar file -.Xc -location of master key file -.It Xo -.Fl -keytab= Ns Ar keytab -.Xc -what keytab to use -.It Xo -.Fl r Ar realm , -.Fl -realm= Ns Ar realm -.Xc -realm to use -.It Xo -.Fl d , -.Fl -debug -.Xc -enable debugging -.It Xo -.Fl p Ar port , -.Fl -ports= Ns Ar port -.Xc -ports to listen to. By default, if run as a daemon, it listens to ports -749, and 751 (if Kerberos 4 support is built and enabled), but you can -add any number of ports with this option. The port string is a -whitespace separated list of port specifications, with the special -string -.Dq + -representing the default set of ports. -.It Fl -no-kerberos4 -make -.Nm -ignore Kerberos 4 kadmin requests. -.El -.\".Sh ENVIRONMENT -.Sh FILES -.Pa /var/heimdal/kadmind.acl -.Sh EXAMPLES -This will cause -.Nm -to listen to port 4711 in addition to any -compiled in defaults: -.Pp -.D1 Nm Fl -ports Ns Li "=\*[q]+ 4711\*[q] &" -.Pp -This acl file will grant Joe all rights, and allow Mallory to view and -add host principals. -.Bd -literal -offset indent -joe/admin@EXAMPLE.COM all -mallory/admin@EXAMPLE.COM add,get host/*@EXAMPLE.COM -.Ed -.\".Sh DIAGNOSTICS -.Sh SEE ALSO -.Xr kpasswd 1 , -.Xr kadmin 8 , -.Xr kdc 8 , -.Xr kpasswdd 8 diff --git a/crypto/heimdal-0.6.3/kadmin/kadmind.c b/crypto/heimdal-0.6.3/kadmin/kadmind.c deleted file mode 100644 index 7c52637b26..0000000000 --- a/crypto/heimdal-0.6.3/kadmin/kadmind.c +++ /dev/null 
@@ -1,178 +0,0 @@ -/* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "kadmin_locl.h" - -RCSID("$Id: kadmind.c,v 1.28.2.1 2004/04/29 12:30:32 lha Exp $"); - -static char *check_library = NULL; -static char *check_function = NULL; -static char *config_file; -static char *keyfile; -static char *keytab_str = "HDB:"; -static int help_flag; -static int version_flag; -static int debug_flag; -static char *port_str; -char *realm; -#ifdef KRB4 -int do_kerberos4 = 0; -#endif - -static struct getargs args[] = { - { - "config-file", 'c', arg_string, &config_file, - "location of config file", "file" - }, - { - "key-file", 'k', arg_string, &keyfile, - "location of master key file", "file" - }, - { - "keytab", 0, arg_string, &keytab_str, - "what keytab to use", "keytab" - }, - { "realm", 'r', arg_string, &realm, - "realm to use", "realm" - }, -#ifdef HAVE_DLOPEN - { "check-library", 0, arg_string, &check_library, - "library to load password check function from", "library" }, - { "check-function", 0, arg_string, &check_function, - "password check function to load", "function" }, -#endif - { "debug", 'd', arg_flag, &debug_flag, - "enable debugging" - }, -#ifdef KRB4 - { "kerberos4", 0, arg_flag, &do_kerberos4, - "don't respond to kerberos 4 requests" - }, -#endif - { "ports", 'p', arg_string, &port_str, - "ports to listen to", "port" }, - { "help", 'h', arg_flag, &help_flag }, - { "version", 'v', arg_flag, &version_flag } -}; - -static int num_args = sizeof(args) / sizeof(args[0]); - -krb5_context context; - -static void -usage(int ret) -{ - arg_printusage (args, num_args, NULL, ""); - exit (ret); -} - -int -main(int argc, char **argv) -{ - krb5_error_code ret; - krb5_config_section *cf; - int optind = 0; - int e; - krb5_log_facility *logf; - krb5_keytab keytab; - - setprogname(argv[0]); - - ret = krb5_init_context(&context); - if (ret) - errx (1, "krb5_init_context failed: %d", ret); - - ret = krb5_openlog(context, "kadmind", &logf); - ret = krb5_set_warn_dest(context, logf); - - while((e = getarg(args, num_args, argc, argv, 
&optind))) - warnx("error at argument `%s'", argv[optind]); - - if (help_flag) - usage (0); - - if (version_flag) { - print_version(NULL); - exit(0); - } - - argc -= optind; - argv += optind; - - ret = krb5_kt_register(context, &hdb_kt_ops); - if(ret) - krb5_err(context, 1, ret, "krb5_kt_register"); - - if (config_file == NULL) - config_file = HDB_DB_DIR "/kdc.conf"; - - if(krb5_config_parse_file(context, config_file, &cf) == 0) { - const char *p = krb5_config_get_string (context, cf, - "kdc", "key-file", NULL); - if (p) - keyfile = strdup(p); - } - - ret = krb5_kt_resolve(context, keytab_str, &keytab); - if(ret) - krb5_err(context, 1, ret, "krb5_kt_resolve"); - - kadm5_setup_passwd_quality_check (context, check_library, check_function); - - { - int fd = 0; - struct sockaddr_storage __ss; - struct sockaddr *sa = (struct sockaddr *)&__ss; - socklen_t sa_size = sizeof(__ss); - krb5_auth_context ac = NULL; - int debug_port; - - if(debug_flag) { - if(port_str == NULL) - debug_port = krb5_getportbyname (context, "kerberos-adm", - "tcp", 749); - else - debug_port = htons(atoi(port_str)); - mini_inetd(debug_port); - } else if(roken_getsockname(STDIN_FILENO, sa, &sa_size) < 0 && - errno == ENOTSOCK) { - parse_ports(context, port_str ? port_str : "+"); - pidfile(NULL); - start_server(context); - } - if(realm) - krb5_set_default_realm(context, realm); /* XXX */ - kadmind_loop(context, ac, keytab, fd); - } - return 0; -} diff --git a/crypto/heimdal-0.6.3/kadmin/kadmind.cat8 b/crypto/heimdal-0.6.3/kadmin/kadmind.cat8 deleted file mode 100644 index f9d61eb2ca..0000000000 --- a/crypto/heimdal-0.6.3/kadmin/kadmind.cat8 +++ /dev/null 
@@ -1,94 +0,0 @@ - -KADMIND(8) UNIX System Manager's Manual KADMIND(8) - -NNAAMMEE - kkaaddmmiinndd - server for administrative access to Kerberos database - -SSYYNNOOPPSSIISS - kkaaddmmiinndd [--cc _f_i_l_e | ----ccoonnffiigg--ffiillee==_f_i_l_e] [--kk _f_i_l_e | ----kkeeyy--ffiillee==_f_i_l_e] - [----kkeeyyttaabb==_k_e_y_t_a_b] [--rr _r_e_a_l_m | ----rreeaallmm==_r_e_a_l_m] [--dd | ----ddeebbuugg] [--pp _p_o_r_t | - ----ppoorrttss==_p_o_r_t] [----nnoo--kkeerrbbeerrooss44] - -DDEESSCCRRIIPPTTIIOONN - kkaaddmmiinndd listens for requests for changes to the Kerberos database and - performs these, subject to permissions. When starting, if stdin is a - socket it assumes that it has been started by inetd(8), otherwise it be- - haves as a daemon, forking processes for each new connection. The ----ddeebbuugg - option causes kkaaddmmiinndd to accept exactly one connection, which is useful - for debugging. - - If built with krb4 support, it implements both the Heimdal Kerberos 5 ad- - ministrative protocol and the Kerberos 4 protocol. Password changes via - the Kerberos 4 protocol are also performed by kkaaddmmiinndd, but the kpass- - wdd(8) daemon is responsible for the Kerberos 5 password changing proto- - col (used by kpasswd(1)) - - This daemon should only be run on the master server, and not on any - slaves. - - Principals are always allowed to change their own password and list their - own principal. Apart from that, doing any operation requires permission - explicitly added in the ACL file _/_v_a_r_/_h_e_i_m_d_a_l_/_k_a_d_m_i_n_d_._a_c_l. The format of - this file is: - - _p_r_i_n_c_i_p_a_l _r_i_g_h_t_s [_p_r_i_n_c_i_p_a_l_-_p_a_t_t_e_r_n] - - Where rights is any (comma separated) combination of: - ++oo change-password or cpw - ++oo list - ++oo delete - ++oo modify - ++oo add - ++oo get - ++oo all - - And the optional _p_r_i_n_c_i_p_a_l_-_p_a_t_t_e_r_n restricts the rights to operations on - principals that match the glob-style pattern. 
- - Supported options: - - --cc _f_i_l_e, ----ccoonnffiigg--ffiillee==_f_i_l_e - location of config file - - --kk _f_i_l_e, ----kkeeyy--ffiillee==_f_i_l_e - location of master key file - - ----kkeeyyttaabb==_k_e_y_t_a_b - what keytab to use - - --rr _r_e_a_l_m, ----rreeaallmm==_r_e_a_l_m - realm to use - - --dd, ----ddeebbuugg - enable debugging - - --pp _p_o_r_t, ----ppoorrttss==_p_o_r_t - ports to listen to. By default, if run as a daemon, it listens to - ports 749, and 751 (if Kerberos 4 support is built and enabled), - but you can add any number of ports with this option. The port - string is a whitespace separated list of port specifications, - with the special string ``+'' representing the default set of - ports. - - ----nnoo--kkeerrbbeerrooss44 - make kkaaddmmiinndd ignore Kerberos 4 kadmin requests. - -FFIILLEESS - _/_v_a_r_/_h_e_i_m_d_a_l_/_k_a_d_m_i_n_d_._a_c_l - -EEXXAAMMPPLLEESS - This will cause kkaaddmmiinndd to listen to port 4711 in addition to any com- - piled in defaults: - - kkaaddmmiinndd----ppoorrttss="+ 4711" & - - This acl file will grant Joe all rights, and allow Mallory to view and - add host principals. - - joe/admin@EXAMPLE.COM all - mallory/admin@EXAMPLE.COM add,get host/*@EXAMPLE.COM - -SSEEEE AALLSSOO - kpasswd(1), kadmin(8), kdc(8), kpasswdd(8) - - HEIMDAL March 5, 2002 2 diff --git a/crypto/heimdal-0.6.3/kadmin/load.c b/crypto/heimdal-0.6.3/kadmin/load.c deleted file mode 100644 index 3635023cbb..0000000000 --- a/crypto/heimdal-0.6.3/kadmin/load.c +++ /dev/null 
@@ -1,540 +0,0 @@
-/*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "kadmin_locl.h" -#include - -RCSID("$Id: load.c,v 1.44 2002/09/04 20:44:35 joda Exp $"); - -struct entry { - char *principal; - char *key; - char *max_life; - char *max_renew; - char *created; - char *modified; - char *valid_start; - char *valid_end; - char *pw_end; - char *flags; - char *generation; -}; - -static char * -skip_next(char *p) -{ - while(*p && !isspace((unsigned char)*p)) - p++; - *p++ = 0; - while(*p && isspace((unsigned char)*p)) - p++; - return p; -} - -/* - * Parse the time in `s', returning: - * -1 if error parsing - * 0 if none present - * 1 if parsed ok - */ - -static int -parse_time_string(time_t *t, const char *s) -{ - int year, month, date, hour, minute, second; - struct tm tm; - - if(strcmp(s, "-") == 0) - return 0; - if(sscanf(s, "%04d%02d%02d%02d%02d%02d", - &year, &month, &date, &hour, &minute, &second) != 6) - return -1; - tm.tm_year = year - 1900; - tm.tm_mon = month - 1; - tm.tm_mday = date; - tm.tm_hour = hour; - tm.tm_min = minute; - tm.tm_sec = second; - tm.tm_isdst = 0; - *t = timegm(&tm); - return 1; -} - -/* - * parse time, allocating space in *t if it's there - */ - -static int -parse_time_string_alloc (time_t **t, const char *s) -{ - time_t tmp; - int ret; - - *t = NULL; - ret = parse_time_string (&tmp, s); - if (ret == 1) { - *t = malloc (sizeof (**t)); - if (*t == NULL) - krb5_errx (context, 1, "malloc: out of memory"); - **t = tmp; - } - return ret; -} - -/* - * see parse_time_string for calling convention - */ - -static int -parse_integer(unsigned *u, const char *s) -{ - if(strcmp(s, "-") == 0) - return 0; - if (sscanf(s, "%u", u) != 1) - return -1; - return 1; -} - -static int -parse_integer_alloc (int **u, const char *s) -{ - unsigned tmp; - int ret; - - *u = NULL; - ret = parse_integer (&tmp, s); - if (ret == 1) { - *u = malloc (sizeof (**u)); - if (*u == NULL) - krb5_errx (context, 1, "malloc: out of memory"); - **u = tmp; - } - return ret; -} - -/* - * Parse dumped keys in `str' and store them in 
`ent' - * return -1 if parsing failed - */ - -static int -parse_keys(hdb_entry *ent, char *str) -{ - krb5_error_code ret; - int tmp; - char *p; - int i; - - p = strsep(&str, ":"); - if (sscanf(p, "%d", &tmp) != 1) - return 1; - ent->kvno = tmp; - p = strsep(&str, ":"); - while(p){ - Key *key; - key = realloc(ent->keys.val, - (ent->keys.len + 1) * sizeof(*ent->keys.val)); - if(key == NULL) - krb5_errx (context, 1, "realloc: out of memory"); - ent->keys.val = key; - key = ent->keys.val + ent->keys.len; - ent->keys.len++; - memset(key, 0, sizeof(*key)); - if(sscanf(p, "%d", &tmp) == 1) { - key->mkvno = malloc(sizeof(*key->mkvno)); - *key->mkvno = tmp; - } else - key->mkvno = NULL; - p = strsep(&str, ":"); - if (sscanf(p, "%d", &tmp) != 1) - return 1; - key->key.keytype = tmp; - p = strsep(&str, ":"); - ret = krb5_data_alloc(&key->key.keyvalue, (strlen(p) - 1) / 2 + 1); - if (ret) - krb5_err (context, 1, ret, "krb5_data_alloc"); - for(i = 0; i < strlen(p); i += 2) { - if(sscanf(p + i, "%02x", &tmp) != 1) - return 1; - ((u_char*)key->key.keyvalue.data)[i / 2] = tmp; - } - p = strsep(&str, ":"); - if(strcmp(p, "-") != 0){ - unsigned type; - size_t p_len; - - if(sscanf(p, "%u/", &type) != 1) - return 1; - p = strchr(p, '/'); - if(p == NULL) - return 1; - p++; - p_len = strlen(p); - - key->salt = malloc(sizeof(*key->salt)); - if (key->salt == NULL) - krb5_errx (context, 1, "malloc: out of memory"); - key->salt->type = type; - - if (p_len) { - if(*p == '\"') { - ret = krb5_data_copy(&key->salt->salt, p + 1, p_len - 2); - if (ret) - krb5_err (context, 1, ret, "krb5_data_copy"); - } else { - ret = krb5_data_alloc(&key->salt->salt, - (p_len - 1) / 2 + 1); - if (ret) - krb5_err (context, 1, ret, "krb5_data_alloc"); - for(i = 0; i < p_len; i += 2){ - if (sscanf(p + i, "%02x", &tmp) != 1) - return 1; - ((u_char*)key->salt->salt.data)[i / 2] = tmp; - } - } - } else - krb5_data_zero (&key->salt->salt); - } - p = strsep(&str, ":"); - } - return 0; -} - -/* - * see parse_time_string 
for calling convention - */ - -static int -parse_event(Event *ev, char *s) -{ - krb5_error_code ret; - char *p; - - if(strcmp(s, "-") == 0) - return 0; - memset(ev, 0, sizeof(*ev)); - p = strsep(&s, ":"); - if(parse_time_string(&ev->time, p) != 1) - return -1; - p = strsep(&s, ":"); - ret = krb5_parse_name(context, p, &ev->principal); - if (ret) - return -1; - return 1; -} - -static int -parse_event_alloc (Event **ev, char *s) -{ - Event tmp; - int ret; - - *ev = NULL; - ret = parse_event (&tmp, s); - if (ret == 1) { - *ev = malloc (sizeof (**ev)); - if (*ev == NULL) - krb5_errx (context, 1, "malloc: out of memory"); - **ev = tmp; - } - return ret; -} - -static int -parse_hdbflags2int(HDBFlags *f, const char *s) -{ - int ret; - unsigned tmp; - - ret = parse_integer (&tmp, s); - if (ret == 1) - *f = int2HDBFlags (tmp); - return ret; -} - -static int -parse_generation(char *str, GENERATION **gen) -{ - char *p; - int v; - - if(strcmp(str, "-") == 0 || *str == '\0') { - *gen = NULL; - return 0; - } - *gen = calloc(1, sizeof(**gen)); - - p = strsep(&str, ":"); - if(parse_time_string(&(*gen)->time, p) != 1) - return -1; - p = strsep(&str, ":"); - if(sscanf(p, "%d", &v) != 1) - return -1; - (*gen)->usec = v; - p = strsep(&str, ":"); - if(sscanf(p, "%d", &v) != 1) - return -1; - (*gen)->gen = v - 1; /* XXX gets bumped in _hdb_store */ - return 0; -} - - -/* - * Parse the dump file in `filename' and create the database (merging - * iff merge) - */ - -static int -doit(const char *filename, int merge) -{ - krb5_error_code ret; - FILE *f; - char s[8192]; /* XXX should fix this properly */ - char *p; - int line; - int flags = O_RDWR; - struct entry e; - hdb_entry ent; - HDB *db = _kadm5_s_get_db(kadm_handle); - - f = fopen(filename, "r"); - if(f == NULL){ - krb5_warn(context, errno, "fopen(%s)", filename); - return 1; - } - ret = kadm5_log_truncate (kadm_handle); - if (ret) { - fclose (f); - krb5_warn(context, ret, "kadm5_log_truncate"); - return 1; - } - - if(!merge) - flags 
|= O_CREAT | O_TRUNC; - ret = db->open(context, db, flags, 0600); - if(ret){ - krb5_warn(context, ret, "hdb_open"); - fclose(f); - return 1; - } - line = 0; - ret = 0; - while(fgets(s, sizeof(s), f) != NULL) { - ret = 0; - line++; - e.principal = s; - for(p = s; *p; p++){ - if(*p == '\\') - p++; - else if(isspace((unsigned char)*p)) { - *p = 0; - break; - } - } - p = skip_next(p); - - e.key = p; - p = skip_next(p); - - e.created = p; - p = skip_next(p); - - e.modified = p; - p = skip_next(p); - - e.valid_start = p; - p = skip_next(p); - - e.valid_end = p; - p = skip_next(p); - - e.pw_end = p; - p = skip_next(p); - - e.max_life = p; - p = skip_next(p); - - e.max_renew = p; - p = skip_next(p); - - e.flags = p; - p = skip_next(p); - - e.generation = p; - p = skip_next(p); - - memset(&ent, 0, sizeof(ent)); - ret = krb5_parse_name(context, e.principal, &ent.principal); - if(ret) { - fprintf(stderr, "%s:%d:%s (%s)\n", - filename, - line, - krb5_get_err_text(context, ret), - e.principal); - continue; - } - - if (parse_keys(&ent, e.key)) { - fprintf (stderr, "%s:%d:error parsing keys (%s)\n", - filename, line, e.key); - hdb_free_entry (context, &ent); - continue; - } - - if (parse_event(&ent.created_by, e.created) == -1) { - fprintf (stderr, "%s:%d:error parsing created event (%s)\n", - filename, line, e.created); - hdb_free_entry (context, &ent); - continue; - } - if (parse_event_alloc (&ent.modified_by, e.modified) == -1) { - fprintf (stderr, "%s:%d:error parsing event (%s)\n", - filename, line, e.modified); - hdb_free_entry (context, &ent); - continue; - } - if (parse_time_string_alloc (&ent.valid_start, e.valid_start) == -1) { - fprintf (stderr, "%s:%d:error parsing time (%s)\n", - filename, line, e.valid_start); - hdb_free_entry (context, &ent); - continue; - } - if (parse_time_string_alloc (&ent.valid_end, e.valid_end) == -1) { - fprintf (stderr, "%s:%d:error parsing time (%s)\n", - filename, line, e.valid_end); - hdb_free_entry (context, &ent); - continue; - } - if 
(parse_time_string_alloc (&ent.pw_end, e.pw_end) == -1) { - fprintf (stderr, "%s:%d:error parsing time (%s)\n", - filename, line, e.pw_end); - hdb_free_entry (context, &ent); - continue; - } - - if (parse_integer_alloc (&ent.max_life, e.max_life) == -1) { - fprintf (stderr, "%s:%d:error parsing lifetime (%s)\n", - filename, line, e.max_life); - hdb_free_entry (context, &ent); - continue; - - } - if (parse_integer_alloc (&ent.max_renew, e.max_renew) == -1) { - fprintf (stderr, "%s:%d:error parsing lifetime (%s)\n", - filename, line, e.max_renew); - hdb_free_entry (context, &ent); - continue; - } - - if (parse_hdbflags2int (&ent.flags, e.flags) != 1) { - fprintf (stderr, "%s:%d:error parsing flags (%s)\n", - filename, line, e.flags); - hdb_free_entry (context, &ent); - continue; - } - - if(parse_generation(e.generation, &ent.generation) == -1) { - fprintf (stderr, "%s:%d:error parsing generation (%s)\n", - filename, line, e.generation); - hdb_free_entry (context, &ent); - continue; - } - - ret = db->store(context, db, HDB_F_REPLACE, &ent); - hdb_free_entry (context, &ent); - if (ret) { - krb5_warn(context, ret, "db_store"); - break; - } - } - db->close(context, db); - fclose(f); - return ret != 0; -} - - -static struct getargs args[] = { - { "help", 'h', arg_flag, NULL } -}; - -static int num_args = sizeof(args) / sizeof(args[0]); - -static void -usage(const char *name) -{ - arg_printusage (args, num_args, name, "file"); -} - - - -int -load(int argc, char **argv) -{ - int optind = 0; - int help_flag = 0; - - args[0].value = &help_flag; - - if(getarg(args, num_args, argc, argv, &optind)) { - usage ("load"); - return 0; - } - if(argc - optind != 1 || help_flag) { - usage ("load"); - return 0; - } - - doit(argv[optind], 0); - return 0; -} - -int -merge(int argc, char **argv) -{ - int optind = 0; - int help_flag = 0; - - args[0].value = &help_flag; - - if(getarg(args, num_args, argc, argv, &optind)) { - usage ("merge"); - return 0; - } - if(argc - optind != 1 || 
help_flag) { - usage ("merge"); - return 0; - } - - doit(argv[optind], 1); - return 0; -} diff --git a/crypto/heimdal-0.6.3/kadmin/mod.c b/crypto/heimdal-0.6.3/kadmin/mod.c deleted file mode 100644 index 0e9cd08c7f..0000000000 --- a/crypto/heimdal-0.6.3/kadmin/mod.c +++ /dev/null 
@@ -1,151 +0,0 @@
-/*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "kadmin_locl.h" - -RCSID("$Id: mod.c,v 1.11 2002/12/03 14:12:30 joda Exp $"); - -static int parse_args (krb5_context context, kadm5_principal_ent_t ent, - int argc, char **argv, int *optind, char *name, - int *mask); - -static int -parse_args(krb5_context context, kadm5_principal_ent_t ent, - int argc, char **argv, int *optind, char *name, - int *mask) -{ - char *attr_str = NULL; - char *max_life_str = NULL; - char *max_rlife_str = NULL; - char *expiration_str = NULL; - char *pw_expiration_str = NULL; - int new_kvno = -1; - int ret, i; - - struct getargs args[] = { - {"attributes", 'a', arg_string, NULL, "Attributies", - "attributes"}, - {"max-ticket-life", 0, arg_string, NULL, "max ticket lifetime", - "lifetime"}, - {"max-renewable-life", 0, arg_string, NULL, - "max renewable lifetime", "lifetime" }, - {"expiration-time", 0, arg_string, - NULL, "Expiration time", "time"}, - {"pw-expiration-time", 0, arg_string, - NULL, "Password expiration time", "time"}, - {"kvno", 0, arg_integer, - NULL, "Key version number", "number"}, - }; - - i = 0; - args[i++].value = &attr_str; - args[i++].value = &max_life_str; - args[i++].value = &max_rlife_str; - args[i++].value = &expiration_str; - args[i++].value = &pw_expiration_str; - args[i++].value = &new_kvno; - - *optind = 0; /* XXX */ - - if(getarg(args, sizeof(args) / sizeof(args[0]), - argc, argv, optind)){ - arg_printusage(args, - sizeof(args) / sizeof(args[0]), - name ? 
name : "", - "principal"); - return -1; - } - - ret = set_entry(context, ent, mask, max_life_str, max_rlife_str, - expiration_str, pw_expiration_str, attr_str); - if (ret) - return ret; - - if(new_kvno != -1) { - ent->kvno = new_kvno; - *mask |= KADM5_KVNO; - } - return 0; -} - -int -mod_entry(int argc, char **argv) -{ - kadm5_principal_ent_rec princ; - int mask = 0; - krb5_error_code ret; - krb5_principal princ_ent = NULL; - int optind; - - memset (&princ, 0, sizeof(princ)); - - ret = parse_args (context, &princ, argc, argv, - &optind, "mod", &mask); - if (ret) - return 0; - - argc -= optind; - argv += optind; - - if (argc != 1) { - printf ("Usage: mod [options] principal\n"); - return 0; - } - - krb5_parse_name(context, argv[0], &princ_ent); - - if (mask == 0) { - memset(&princ, 0, sizeof(princ)); - ret = kadm5_get_principal(kadm_handle, princ_ent, &princ, - KADM5_PRINCIPAL | KADM5_ATTRIBUTES | - KADM5_MAX_LIFE | KADM5_MAX_RLIFE | - KADM5_PRINC_EXPIRE_TIME | - KADM5_PW_EXPIRATION); - krb5_free_principal (context, princ_ent); - if (ret) { - printf ("no such principal: %s\n", argv[0]); - return 0; - } - if(edit_entry(&princ, &mask, NULL, 0)) - goto out; - } else { - princ.principal = princ_ent; - } - - ret = kadm5_modify_principal(kadm_handle, &princ, mask); - if(ret) - krb5_warn(context, ret, "kadm5_modify_principal"); - out: - kadm5_free_principal_ent(kadm_handle, &princ); - return 0; -} diff --git a/crypto/heimdal-0.6.3/kadmin/random_password.c b/crypto/heimdal-0.6.3/kadmin/random_password.c deleted file mode 100644 index 92fb2fcddb..0000000000 --- a/crypto/heimdal-0.6.3/kadmin/random_password.c +++ /dev/null 
@@ -1,157 +0,0 @@
-/*
- * Copyright (c) 1998, 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kadmin_locl.h"
-
-RCSID("$Id: random_password.c,v 1.4 2001/02/15 04:20:53 assar Exp $");
-
-/* This file defines some a function that generates a random password,
- that can be used when creating a large amount of principals (such
- as for a batch of students).
Since this is a political matter, you - should think about how secure generated passwords has to be. - - Both methods defined here will give you at least 55 bits of - entropy. - */ - -/* If you want OTP-style passwords, define OTP_STYLE */ - -#ifdef OTP_STYLE -#include -#else -static void generate_password(char **pw, int num_classes, ...); -#endif - -void -random_password(char *pw, size_t len) -{ -#ifdef OTP_STYLE - { - OtpKey newkey; - - krb5_generate_random_block(&newkey, sizeof(newkey)); - otp_print_stddict (newkey, pw, len); - strlwr(pw); - } -#else - char *pass; - generate_password(&pass, 3, - "abcdefghijklmnopqrstuvwxyz", 7, - "ABCDEFGHIJKLMNOPQRSTUVWXYZ", 2, - "@$%&*()-+=:,/<>1234567890", 1); - strlcpy(pw, pass, len); - memset(pass, 0, strlen(pass)); - free(pass); -#endif -} - -/* some helper functions */ - -#ifndef OTP_STYLE -/* return a random value in range 0-127 */ -static int -RND(unsigned char *key, int keylen, int *left) -{ - if(*left == 0){ - krb5_generate_random_block(key, keylen); - *left = keylen; - } - (*left)--; - return ((unsigned char*)key)[*left]; -} - -/* This a helper function that generates a random password with a - number of characters from a set of character classes. - - If there are n classes, and the size of each class is Pi, and the - number of characters from each class is Ni, the number of possible - passwords are (given that the character classes are disjoint): - - n n - ----- / ---- \ - | | Ni | \ | - | | Pi | \ Ni| ! - | | ---- * | / | - | | Ni! | /___ | - i=1 \ i=1 / - - Since it uses the RND function above, neither the size of each - class, nor the total length of the generated password should be - larger than 127 (without fixing RND). - - */ -static void -generate_password(char **pw, int num_classes, ...) 
-{ - struct { - const char *str; - int len; - int freq; - } *classes; - va_list ap; - int len, i; - unsigned char rbuf[8]; /* random buffer */ - int rleft = 0; - - classes = malloc(num_classes * sizeof(*classes)); - va_start(ap, num_classes); - len = 0; - for(i = 0; i < num_classes; i++){ - classes[i].str = va_arg(ap, const char*); - classes[i].len = strlen(classes[i].str); - classes[i].freq = va_arg(ap, int); - len += classes[i].freq; - } - va_end(ap); - *pw = malloc(len + 1); - if(*pw == NULL) - return; - for(i = 0; i < len; i++) { - int j; - int x = RND(rbuf, sizeof(rbuf), &rleft) % (len - i); - int t = 0; - for(j = 0; j < num_classes; j++) { - if(x < t + classes[j].freq) { - (*pw)[i] = classes[j].str[RND(rbuf, sizeof(rbuf), &rleft) - % classes[j].len]; - classes[j].freq--; - break; - } - t += classes[j].freq; - } - } - (*pw)[len] = '\0'; - memset(rbuf, 0, sizeof(rbuf)); - free(classes); -} -#endif diff --git a/crypto/heimdal-0.6.3/kadmin/rename.c b/crypto/heimdal-0.6.3/kadmin/rename.c deleted file mode 100644 index ac5f4d699d..0000000000 --- a/crypto/heimdal-0.6.3/kadmin/rename.c +++ /dev/null 
@@ -1,88 +0,0 @@
-/*
- * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "kadmin_locl.h" - -RCSID("$Id: rename.c,v 1.4 2001/05/04 13:07:03 joda Exp $"); - -static struct getargs args[] = { - { "help", 'h', arg_flag, NULL } -}; - -static int num_args = sizeof(args) / sizeof(args[0]); - -static void -usage(void) -{ - arg_printusage (args, num_args, "rename", "from to"); -} - -int -rename_entry(int argc, char **argv) -{ - int optind = 0; - int help_flag = 0; - - krb5_error_code ret; - krb5_principal princ1, princ2; - - args[0].value = &help_flag; - - if(getarg(args, num_args, argc, argv, &optind)) { - usage (); - return 0; - } - if(argc - optind != 2 || help_flag) { - usage (); - return 0; - } - - ret = krb5_parse_name(context, argv[1], &princ1); - if(ret){ - krb5_warn(context, ret, "krb5_parse_name(%s)", argv[1]); - return 0; - } - ret = krb5_parse_name(context, argv[2], &princ2); - if(ret){ - krb5_free_principal(context, princ2); - krb5_warn(context, ret, "krb5_parse_name(%s)", argv[2]); - return 0; - } - ret = kadm5_rename_principal(kadm_handle, princ1, princ2); - if(ret) - krb5_warn(context, ret, "rename"); - krb5_free_principal(context, princ1); - krb5_free_principal(context, princ2); - return 0; -} - diff --git a/crypto/heimdal-0.6.3/kadmin/server.c b/crypto/heimdal-0.6.3/kadmin/server.c deleted file mode 100644 index adaf6cfa70..0000000000 --- a/crypto/heimdal-0.6.3/kadmin/server.c +++ /dev/null 
@@ -1,577 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "kadmin_locl.h" -#include - -RCSID("$Id: server.c,v 1.38 2003/01/29 12:33:05 lha Exp $"); - -static kadm5_ret_t -kadmind_dispatch(void *kadm_handle, krb5_boolean initial, - krb5_data *in, krb5_data *out) -{ - kadm5_ret_t ret; - int32_t cmd, mask, tmp; - kadm5_server_context *context = kadm_handle; - char client[128], name[128], name2[128]; - char *op = ""; - krb5_principal princ, princ2; - kadm5_principal_ent_rec ent; - char *password, *exp; - krb5_keyblock *new_keys; - int n_keys; - char **princs; - int n_princs; - krb5_storage *sp; - - krb5_unparse_name_fixed(context->context, context->caller, - client, sizeof(client)); - - sp = krb5_storage_from_data(in); - - krb5_ret_int32(sp, &cmd); - switch(cmd){ - case kadm_get:{ - op = "GET"; - ret = krb5_ret_principal(sp, &princ); - if(ret) - goto fail; - ret = krb5_ret_int32(sp, &mask); - if(ret){ - krb5_free_principal(context->context, princ); - goto fail; - } - krb5_unparse_name_fixed(context->context, princ, name, sizeof(name)); - krb5_warnx(context->context, "%s: %s %s", client, op, name); - ret = _kadm5_acl_check_permission(context, KADM5_PRIV_GET, princ); - if(ret){ - krb5_free_principal(context->context, princ); - goto fail; - } - ret = kadm5_get_principal(kadm_handle, princ, &ent, mask); - krb5_storage_free(sp); - sp = krb5_storage_emem(); - krb5_store_int32(sp, ret); - if(ret == 0){ - kadm5_store_principal_ent(sp, &ent); - kadm5_free_principal_ent(kadm_handle, &ent); - } - krb5_free_principal(context->context, princ); - break; - } - case kadm_delete:{ - op = "DELETE"; - ret = krb5_ret_principal(sp, &princ); - if(ret) - goto fail; - krb5_unparse_name_fixed(context->context, princ, name, sizeof(name)); - krb5_warnx(context->context, "%s: %s %s", client, op, name); - ret = _kadm5_acl_check_permission(context, KADM5_PRIV_DELETE, princ); - if(ret){ - krb5_free_principal(context->context, princ); - goto fail; - } - ret = kadm5_delete_principal(kadm_handle, princ); - 
krb5_free_principal(context->context, princ); - krb5_storage_free(sp); - sp = krb5_storage_emem(); - krb5_store_int32(sp, ret); - break; - } - case kadm_create:{ - op = "CREATE"; - ret = kadm5_ret_principal_ent(sp, &ent); - if(ret) - goto fail; - ret = krb5_ret_int32(sp, &mask); - if(ret){ - kadm5_free_principal_ent(context->context, &ent); - goto fail; - } - ret = krb5_ret_string(sp, &password); - if(ret){ - kadm5_free_principal_ent(context->context, &ent); - goto fail; - } - krb5_unparse_name_fixed(context->context, ent.principal, - name, sizeof(name)); - krb5_warnx(context->context, "%s: %s %s", client, op, name); - ret = _kadm5_acl_check_permission(context, KADM5_PRIV_ADD, - ent.principal); - if(ret){ - kadm5_free_principal_ent(context->context, &ent); - memset(password, 0, strlen(password)); - free(password); - goto fail; - } - ret = kadm5_create_principal(kadm_handle, &ent, - mask, password); - kadm5_free_principal_ent(kadm_handle, &ent); - memset(password, 0, strlen(password)); - free(password); - krb5_storage_free(sp); - sp = krb5_storage_emem(); - krb5_store_int32(sp, ret); - break; - } - case kadm_modify:{ - op = "MODIFY"; - ret = kadm5_ret_principal_ent(sp, &ent); - if(ret) - goto fail; - ret = krb5_ret_int32(sp, &mask); - if(ret){ - kadm5_free_principal_ent(context, &ent); - goto fail; - } - krb5_unparse_name_fixed(context->context, ent.principal, - name, sizeof(name)); - krb5_warnx(context->context, "%s: %s %s", client, op, name); - ret = _kadm5_acl_check_permission(context, KADM5_PRIV_MODIFY, - ent.principal); - if(ret){ - kadm5_free_principal_ent(context, &ent); - goto fail; - } - ret = kadm5_modify_principal(kadm_handle, &ent, mask); - kadm5_free_principal_ent(kadm_handle, &ent); - krb5_storage_free(sp); - sp = krb5_storage_emem(); - krb5_store_int32(sp, ret); - break; - } - case kadm_rename:{ - op = "RENAME"; - ret = krb5_ret_principal(sp, &princ); - if(ret) - goto fail; - ret = krb5_ret_principal(sp, &princ2); - if(ret){ - 
krb5_free_principal(context->context, princ); - goto fail; - } - krb5_unparse_name_fixed(context->context, princ, name, sizeof(name)); - krb5_unparse_name_fixed(context->context, princ2, name2, sizeof(name2)); - krb5_warnx(context->context, "%s: %s %s -> %s", - client, op, name, name2); - ret = _kadm5_acl_check_permission(context, - KADM5_PRIV_ADD, - princ2) - || _kadm5_acl_check_permission(context, - KADM5_PRIV_DELETE, - princ); - if(ret){ - krb5_free_principal(context->context, princ); - goto fail; - } - ret = kadm5_rename_principal(kadm_handle, princ, princ2); - krb5_free_principal(context->context, princ); - krb5_free_principal(context->context, princ2); - krb5_storage_free(sp); - sp = krb5_storage_emem(); - krb5_store_int32(sp, ret); - break; - } - case kadm_chpass:{ - op = "CHPASS"; - ret = krb5_ret_principal(sp, &princ); - if(ret) - goto fail; - ret = krb5_ret_string(sp, &password); - if(ret){ - krb5_free_principal(context->context, princ); - goto fail; - } - krb5_unparse_name_fixed(context->context, princ, name, sizeof(name)); - krb5_warnx(context->context, "%s: %s %s", client, op, name); - - /* - * The change is allowed if at least one of: - - * a) it's for the principal him/herself and this was an - * initial ticket, but then, check with the password quality - * function. - * b) the user is on the CPW ACL. 
- */ - - if (initial - && krb5_principal_compare (context->context, context->caller, - princ)) - { - krb5_data pwd_data; - const char *pwd_reason; - - pwd_data.data = password; - pwd_data.length = strlen(password); - - pwd_reason = kadm5_check_password_quality (context->context, - princ, &pwd_data); - if (pwd_reason != NULL) - ret = KADM5_PASS_Q_DICT; - else - ret = 0; - } else - ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW, princ); - - if(ret) { - krb5_free_principal(context->context, princ); - memset(password, 0, strlen(password)); - free(password); - goto fail; - } - ret = kadm5_chpass_principal(kadm_handle, princ, password); - krb5_free_principal(context->context, princ); - memset(password, 0, strlen(password)); - free(password); - krb5_storage_free(sp); - sp = krb5_storage_emem(); - krb5_store_int32(sp, ret); - break; - } - case kadm_chpass_with_key:{ - int i; - krb5_key_data *key_data; - int n_key_data; - - op = "CHPASS_WITH_KEY"; - ret = krb5_ret_principal(sp, &princ); - if(ret) - goto fail; - ret = krb5_ret_int32(sp, &n_key_data); - if (ret) { - krb5_free_principal(context->context, princ); - goto fail; - } - /* n_key_data will be squeezed into an int16_t below. 
*/ - if (n_key_data < 0 || n_key_data >= 1 << 16 || - n_key_data > UINT_MAX/sizeof(*key_data)) { - ret = ERANGE; - krb5_free_principal(context->context, princ); - goto fail; - } - - key_data = malloc (n_key_data * sizeof(*key_data)); - if (key_data == NULL) { - ret = ENOMEM; - krb5_free_principal(context->context, princ); - goto fail; - } - - for (i = 0; i < n_key_data; ++i) { - ret = kadm5_ret_key_data (sp, &key_data[i]); - if (ret) { - int16_t dummy = i; - - kadm5_free_key_data (context, &dummy, key_data); - free (key_data); - krb5_free_principal(context->context, princ); - goto fail; - } - } - - krb5_unparse_name_fixed(context->context, princ, name, sizeof(name)); - krb5_warnx(context->context, "%s: %s %s", client, op, name); - - /* - * The change is only allowed if the user is on the CPW ACL, - * this it to force password quality check on the user. - */ - - ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW, princ); - if(ret) { - int16_t dummy = n_key_data; - - kadm5_free_key_data (context, &dummy, key_data); - free (key_data); - krb5_free_principal(context->context, princ); - goto fail; - } - ret = kadm5_chpass_principal_with_key(kadm_handle, princ, - n_key_data, key_data); - { - int16_t dummy = n_key_data; - kadm5_free_key_data (context, &dummy, key_data); - } - free (key_data); - krb5_free_principal(context->context, princ); - krb5_storage_free(sp); - sp = krb5_storage_emem(); - krb5_store_int32(sp, ret); - break; - } - case kadm_randkey:{ - op = "RANDKEY"; - ret = krb5_ret_principal(sp, &princ); - if(ret) - goto fail; - krb5_unparse_name_fixed(context->context, princ, name, sizeof(name)); - krb5_warnx(context->context, "%s: %s %s", client, op, name); - /* - * The change is allowed if at least one of: - * a) it's for the principal him/herself and this was an initial ticket - * b) the user is on the CPW ACL. 
- */ - - if (initial - && krb5_principal_compare (context->context, context->caller, - princ)) - ret = 0; - else - ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW, princ); - - if(ret) { - krb5_free_principal(context->context, princ); - goto fail; - } - ret = kadm5_randkey_principal(kadm_handle, princ, - &new_keys, &n_keys); - krb5_free_principal(context->context, princ); - krb5_storage_free(sp); - sp = krb5_storage_emem(); - krb5_store_int32(sp, ret); - if(ret == 0){ - int i; - krb5_store_int32(sp, n_keys); - for(i = 0; i < n_keys; i++){ - krb5_store_keyblock(sp, new_keys[i]); - krb5_free_keyblock_contents(context->context, &new_keys[i]); - } - } - break; - } - case kadm_get_privs:{ - ret = kadm5_get_privs(kadm_handle, &mask); - krb5_storage_free(sp); - sp = krb5_storage_emem(); - krb5_store_int32(sp, ret); - if(ret == 0) - krb5_store_int32(sp, mask); - break; - } - case kadm_get_princs:{ - op = "LIST"; - ret = krb5_ret_int32(sp, &tmp); - if(ret) - goto fail; - if(tmp){ - ret = krb5_ret_string(sp, &exp); - if(ret) - goto fail; - }else - exp = NULL; - krb5_warnx(context->context, "%s: %s %s", client, op, exp ? 
exp : "*"); - ret = _kadm5_acl_check_permission(context, KADM5_PRIV_LIST, NULL); - if(ret){ - free(exp); - goto fail; - } - ret = kadm5_get_principals(kadm_handle, exp, &princs, &n_princs); - free(exp); - krb5_storage_free(sp); - sp = krb5_storage_emem(); - krb5_store_int32(sp, ret); - if(ret == 0){ - int i; - krb5_store_int32(sp, n_princs); - for(i = 0; i < n_princs; i++) - krb5_store_string(sp, princs[i]); - kadm5_free_name_list(kadm_handle, princs, &n_princs); - } - break; - } - default: - krb5_warnx(context->context, "%s: UNKNOWN OP %d", client, cmd); - krb5_storage_free(sp); - sp = krb5_storage_emem(); - krb5_store_int32(sp, KADM5_FAILURE); - break; - } - krb5_storage_to_data(sp, out); - krb5_storage_free(sp); - return 0; -fail: - krb5_warn(context->context, ret, "%s", op); - krb5_storage_seek(sp, 0, SEEK_SET); - krb5_store_int32(sp, ret); - krb5_storage_to_data(sp, out); - krb5_storage_free(sp); - return 0; -} - -static void -v5_loop (krb5_context context, - krb5_auth_context ac, - krb5_boolean initial, - void *kadm_handle, - int fd) -{ - krb5_error_code ret; - krb5_data in, out; - - for (;;) { - doing_useful_work = 0; - if(term_flag) - exit(0); - ret = krb5_read_priv_message(context, ac, &fd, &in); - if(ret == HEIM_ERR_EOF) - exit(0); - if(ret) - krb5_err(context, 1, ret, "krb5_read_priv_message"); - doing_useful_work = 1; - kadmind_dispatch(kadm_handle, initial, &in, &out); - krb5_data_free(&in); - ret = krb5_write_priv_message(context, ac, &fd, &out); - if(ret) - krb5_err(context, 1, ret, "krb5_write_priv_message"); - } -} - -static krb5_boolean -match_appl_version(const void *data, const char *appl_version) -{ - unsigned minor; - if(sscanf(appl_version, "KADM0.%u", &minor) != 1) - return 0; - *(unsigned*)data = minor; - return 1; -} - -static void -handle_v5(krb5_context context, - krb5_auth_context ac, - krb5_keytab keytab, - int len, - int fd) -{ - krb5_error_code ret; - u_char version[sizeof(KRB5_SENDAUTH_VERSION)]; - krb5_ticket *ticket; - char 
*server_name; - char *client; - void *kadm_handle; - ssize_t n; - krb5_boolean initial; - - unsigned kadm_version; - kadm5_config_params realm_params; - - if (len != sizeof(KRB5_SENDAUTH_VERSION)) - krb5_errx(context, 1, "bad sendauth len %d", len); - n = krb5_net_read(context, &fd, version, len); - if (n < 0) - krb5_err (context, 1, errno, "reading sendauth version"); - if (n == 0) - krb5_errx (context, 1, "EOF reading sendauth version"); - if(memcmp(version, KRB5_SENDAUTH_VERSION, len) != 0) - krb5_errx(context, 1, "bad sendauth version %.8s", version); - - ret = krb5_recvauth_match_version(context, &ac, &fd, - match_appl_version, &kadm_version, - NULL, KRB5_RECVAUTH_IGNORE_VERSION, - keytab, &ticket); - if(ret == KRB5_KT_NOTFOUND) - krb5_errx(context, 1, "krb5_recvauth: key not found"); - if(ret) - krb5_err(context, 1, ret, "krb5_recvauth"); - - ret = krb5_unparse_name (context, ticket->server, &server_name); - if (ret) - krb5_err (context, 1, ret, "krb5_unparse_name"); - - if (strncmp (server_name, KADM5_ADMIN_SERVICE, - strlen(KADM5_ADMIN_SERVICE)) != 0) - krb5_errx (context, 1, "ticket for strange principal (%s)", - server_name); - - free (server_name); - - memset(&realm_params, 0, sizeof(realm_params)); - - if(kadm_version == 1) { - krb5_data params; - ret = krb5_read_priv_message(context, ac, &fd, ¶ms); - if(ret) - krb5_err(context, 1, ret, "krb5_read_priv_message"); - _kadm5_unmarshal_params(context, ¶ms, &realm_params); - } - - initial = ticket->ticket.flags.initial; - ret = krb5_unparse_name(context, ticket->client, &client); - if (ret) - krb5_err (context, 1, ret, "krb5_unparse_name"); - krb5_free_ticket (context, ticket); - ret = kadm5_init_with_password_ctx(context, - client, - NULL, - KADM5_ADMIN_SERVICE, - &realm_params, - 0, 0, - &kadm_handle); - if(ret) - krb5_err (context, 1, ret, "kadm5_init_with_password_ctx"); - v5_loop (context, ac, initial, kadm_handle, fd); -} - -extern int do_kerberos4; - -krb5_error_code -kadmind_loop(krb5_context 
context,
- krb5_auth_context ac,
- krb5_keytab keytab,
- int fd)
-{
- unsigned char tmp[4];
- ssize_t n;
- unsigned long len;
-
- n = krb5_net_read(context, &fd, tmp, 4);
- if(n == 0)
- exit(0);
- if(n < 0)
- krb5_err(context, 1, errno, "read");
- _krb5_get_int(tmp, &len, 4);
- if(len > 0xffff && (len & 0xffff) == ('K' << 8) + 'A') {
- len >>= 16;
-#ifdef KRB4
- if(do_kerberos4)
- handle_v4(context, keytab, len, fd);
- else
- krb5_errx(context, 1, "version 4 kadmin is disabled");
-#else
- krb5_errx(context, 1, "packet appears to be version 4");
-#endif
- } else {
- handle_v5(context, ac, keytab, len, fd);
- }
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/kadmin/util.c b/crypto/heimdal-0.6.3/kadmin/util.c
deleted file mode 100644
index b25bf2a60c..0000000000
--- a/crypto/heimdal-0.6.3/kadmin/util.c
+++ /dev/null
@@ -1,641 +0,0 @@
-/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kadmin_locl.h"
-#include
-
-RCSID("$Id: util.c,v 1.39 2003/04/14 11:55:27 lha Exp $");
-
-/*
- * util.c - functions for parsing, unparsing, and editing different
- * types of data used in kadmin.
- */ - -static int -get_response(const char *prompt, const char *def, char *buf, size_t len); - -/* - * attributes - */ - -struct units kdb_attrs[] = { - { "new-princ", KRB5_KDB_NEW_PRINC }, - { "support-desmd5", KRB5_KDB_SUPPORT_DESMD5 }, - { "pwchange-service", KRB5_KDB_PWCHANGE_SERVICE }, - { "disallow-svr", KRB5_KDB_DISALLOW_SVR }, - { "requires-pw-change", KRB5_KDB_REQUIRES_PWCHANGE }, - { "requires-hw-auth", KRB5_KDB_REQUIRES_HW_AUTH }, - { "requires-pre-auth", KRB5_KDB_REQUIRES_PRE_AUTH }, - { "disallow-all-tix", KRB5_KDB_DISALLOW_ALL_TIX }, - { "disallow-dup-skey", KRB5_KDB_DISALLOW_DUP_SKEY }, - { "disallow-proxiable", KRB5_KDB_DISALLOW_PROXIABLE }, - { "disallow-renewable", KRB5_KDB_DISALLOW_RENEWABLE }, - { "disallow-tgt-based", KRB5_KDB_DISALLOW_TGT_BASED }, - { "disallow-forwardable", KRB5_KDB_DISALLOW_FORWARDABLE }, - { "disallow-postdated", KRB5_KDB_DISALLOW_POSTDATED }, - { NULL } -}; - -/* - * convert the attributes in `attributes' into a printable string - * in `str, len' - */ - -void -attributes2str(krb5_flags attributes, char *str, size_t len) -{ - unparse_flags (attributes, kdb_attrs, str, len); -} - -/* - * convert the string in `str' into attributes in `flags' - * return 0 if parsed ok, else -1. - */ - -int -str2attributes(const char *str, krb5_flags *flags) -{ - int res; - - res = parse_flags (str, kdb_attrs, *flags); - if (res < 0) - return res; - else { - *flags = res; - return 0; - } -} - -/* - * try to parse the string `resp' into attributes in `attr', also - * setting the `bit' in `mask' if attributes are given and valid. 
- */ - -int -parse_attributes (const char *resp, krb5_flags *attr, int *mask, int bit) -{ - krb5_flags tmp = *attr; - - if (str2attributes(resp, &tmp) == 0) { - *attr = tmp; - if (mask) - *mask |= bit; - return 0; - } else if(*resp == '?') { - print_flags_table (kdb_attrs, stderr); - } else { - fprintf (stderr, "Unable to parse '%s'\n", resp); - } - return -1; -} - -/* - * allow the user to edit the attributes in `attr', prompting with `prompt' - */ - -int -edit_attributes (const char *prompt, krb5_flags *attr, int *mask, int bit) -{ - char buf[1024], resp[1024]; - - if (mask && (*mask & bit)) - return 0; - - attributes2str(*attr, buf, sizeof(buf)); - for (;;) { - if(get_response("Attributes", buf, resp, sizeof(resp)) != 0) - return 1; - if (resp[0] == '\0') - break; - if (parse_attributes (resp, attr, mask, bit) == 0) - break; - } - return 0; -} - -/* - * time_t - * the special value 0 means ``never'' - */ - -/* - * Convert the time `t' to a string representation in `str' (of max - * size `len'). If include_time also include time, otherwise just - * date. - */ - -void -time_t2str(time_t t, char *str, size_t len, int include_time) -{ - if(t) { - if(include_time) - strftime(str, len, "%Y-%m-%d %H:%M:%S UTC", gmtime(&t)); - else - strftime(str, len, "%Y-%m-%d", gmtime(&t)); - } else - snprintf(str, len, "never"); -} - -/* - * Convert the time representation in `str' to a time in `time'. - * Return 0 if succesful, else -1. 
- */ - -int -str2time_t (const char *str, time_t *t) -{ - const char *p; - struct tm tm, tm2; - - memset (&tm, 0, sizeof (tm)); - - if(strcasecmp(str, "never") == 0) { - *t = 0; - return 0; - } - - if(strcasecmp(str, "now") == 0) { - *t = time(NULL); - return 0; - } - - p = strptime (str, "%Y-%m-%d", &tm); - - if (p == NULL) - return -1; - - /* Do it on the end of the day */ - tm2.tm_hour = 23; - tm2.tm_min = 59; - tm2.tm_sec = 59; - - if(strptime (p, "%H:%M:%S", &tm2) != NULL) { - tm.tm_hour = tm2.tm_hour; - tm.tm_min = tm2.tm_min; - tm.tm_sec = tm2.tm_sec; - } - - *t = tm2time (tm, 0); - return 0; -} - -/* - * try to parse the time in `resp' storing it in `value' - */ - -int -parse_timet (const char *resp, krb5_timestamp *value, int *mask, int bit) -{ - time_t tmp; - - if (str2time_t(resp, &tmp) == 0) { - *value = tmp; - if(mask) - *mask |= bit; - return 0; - } else if(*resp == '?') { - printf ("Print date on format YYYY-mm-dd [hh:mm:ss]\n"); - } else { - fprintf (stderr, "Unable to parse time '%s'\n", resp); - } - return -1; -} - -/* - * allow the user to edit the time in `value' - */ - -int -edit_timet (const char *prompt, krb5_timestamp *value, int *mask, int bit) -{ - char buf[1024], resp[1024]; - - if (mask && (*mask & bit)) - return 0; - - time_t2str (*value, buf, sizeof (buf), 0); - - for (;;) { - if(get_response(prompt, buf, resp, sizeof(resp)) != 0) - return 1; - if (parse_timet (resp, value, mask, bit) == 0) - break; - } - return 0; -} - -/* - * deltat - * the special value 0 means ``unlimited'' - */ - -/* - * convert the delta_t value in `t' into a printable form in `str, len' - */ - -void -deltat2str(unsigned t, char *str, size_t len) -{ - if(t == 0 || t == INT_MAX) - snprintf(str, len, "unlimited"); - else - unparse_time(t, str, len); -} - -/* - * parse the delta value in `str', storing result in `*delta' - * return 0 if ok, else -1 - */ - -int -str2deltat(const char *str, krb5_deltat *delta) -{ - int res; - - if(strcasecmp(str, "unlimited") == 0) { 
- *delta = 0; - return 0; - } - res = parse_time(str, "day"); - if (res < 0) - return res; - else { - *delta = res; - return 0; - } -} - -/* - * try to parse the string in `resp' into a deltad in `value' - * `mask' will get the bit `bit' set if a value was given. - */ - -int -parse_deltat (const char *resp, krb5_deltat *value, int *mask, int bit) -{ - krb5_deltat tmp; - - if (str2deltat(resp, &tmp) == 0) { - *value = tmp; - if (mask) - *mask |= bit; - return 0; - } else if(*resp == '?') { - print_time_table (stderr); - } else { - fprintf (stderr, "Unable to parse time '%s'\n", resp); - } - return -1; -} - -/* - * allow the user to edit the deltat in `value' - */ - -int -edit_deltat (const char *prompt, krb5_deltat *value, int *mask, int bit) -{ - char buf[1024], resp[1024]; - - if (mask && (*mask & bit)) - return 0; - - deltat2str(*value, buf, sizeof(buf)); - for (;;) { - if(get_response(prompt, buf, resp, sizeof(resp)) != 0) - return 1; - if (parse_deltat (resp, value, mask, bit) == 0) - break; - } - return 0; -} - -/* - * allow the user to edit `ent' - */ - -void -set_defaults(kadm5_principal_ent_t ent, int *mask, - kadm5_principal_ent_t default_ent, int default_mask) -{ - if (default_ent - && (default_mask & KADM5_MAX_LIFE) - && !(*mask & KADM5_MAX_LIFE)) - ent->max_life = default_ent->max_life; - - if (default_ent - && (default_mask & KADM5_MAX_RLIFE) - && !(*mask & KADM5_MAX_RLIFE)) - ent->max_renewable_life = default_ent->max_renewable_life; - - if (default_ent - && (default_mask & KADM5_PRINC_EXPIRE_TIME) - && !(*mask & KADM5_PRINC_EXPIRE_TIME)) - ent->princ_expire_time = default_ent->princ_expire_time; - - if (default_ent - && (default_mask & KADM5_PW_EXPIRATION) - && !(*mask & KADM5_PW_EXPIRATION)) - ent->pw_expiration = default_ent->pw_expiration; - - if (default_ent - && (default_mask & KADM5_ATTRIBUTES) - && !(*mask & KADM5_ATTRIBUTES)) - ent->attributes = default_ent->attributes & ~KRB5_KDB_DISALLOW_ALL_TIX; -} - -int -edit_entry(kadm5_principal_ent_t 
ent, int *mask, - kadm5_principal_ent_t default_ent, int default_mask) -{ - - set_defaults(ent, mask, default_ent, default_mask); - - if(edit_deltat ("Max ticket life", &ent->max_life, mask, - KADM5_MAX_LIFE) != 0) - return 1; - - if(edit_deltat ("Max renewable life", &ent->max_renewable_life, mask, - KADM5_MAX_RLIFE) != 0) - return 1; - - if(edit_timet ("Principal expiration time", &ent->princ_expire_time, mask, - KADM5_PRINC_EXPIRE_TIME) != 0) - return 1; - - if(edit_timet ("Password expiration time", &ent->pw_expiration, mask, - KADM5_PW_EXPIRATION) != 0) - return 1; - - if(edit_attributes ("Attributes", &ent->attributes, mask, - KADM5_ATTRIBUTES) != 0) - return 1; - - return 0; -} - -/* - * Parse the arguments, set the fields in `ent' and the `mask' for the - * entries having been set. - * Return 1 on failure and 0 on success. - */ - -int -set_entry(krb5_context context, - kadm5_principal_ent_t ent, - int *mask, - const char *max_ticket_life, - const char *max_renewable_life, - const char *expiration, - const char *pw_expiration, - const char *attributes) -{ - if (max_ticket_life != NULL) { - if (parse_deltat (max_ticket_life, &ent->max_life, - mask, KADM5_MAX_LIFE)) { - krb5_warnx (context, "unable to parse `%s'", max_ticket_life); - return 1; - } - } - if (max_renewable_life != NULL) { - if (parse_deltat (max_renewable_life, &ent->max_renewable_life, - mask, KADM5_MAX_RLIFE)) { - krb5_warnx (context, "unable to parse `%s'", max_renewable_life); - return 1; - } - } - - if (expiration) { - if (parse_timet (expiration, &ent->princ_expire_time, - mask, KADM5_PRINC_EXPIRE_TIME)) { - krb5_warnx (context, "unable to parse `%s'", expiration); - return 1; - } - } - if (pw_expiration) { - if (parse_timet (pw_expiration, &ent->pw_expiration, - mask, KADM5_PW_EXPIRATION)) { - krb5_warnx (context, "unable to parse `%s'", pw_expiration); - return 1; - } - } - if (attributes != NULL) { - if (parse_attributes (attributes, &ent->attributes, - mask, KADM5_ATTRIBUTES)) { - 
krb5_warnx (context, "unable to parse `%s'", attributes); - return 1; - } - } - return 0; -} - -/* - * Does `string' contain any globing characters? - */ - -static int -is_expression(const char *string) -{ - const char *p; - int quote = 0; - - for(p = string; *p; p++) { - if(quote) { - quote = 0; - continue; - } - if(*p == '\\') - quote++; - else if(strchr("[]*?", *p) != NULL) - return 1; - } - return 0; -} - -/* loop over all principals matching exp */ -int -foreach_principal(const char *exp, - int (*func)(krb5_principal, void*), - const char *funcname, - void *data) -{ - char **princs; - int num_princs; - int i; - krb5_error_code ret; - krb5_principal princ_ent; - int is_expr; - - /* if this isn't an expression, there is no point in wading - through the whole database looking for matches */ - is_expr = is_expression(exp); - if(is_expr) - ret = kadm5_get_principals(kadm_handle, exp, &princs, &num_princs); - if(!is_expr || ret == KADM5_AUTH_LIST) { - /* we might be able to perform the requested opreration even - if we're not allowed to list principals */ - num_princs = 1; - princs = malloc(sizeof(*princs)); - if(princs == NULL) - return ENOMEM; - princs[0] = strdup(exp); - if(princs[0] == NULL){ - free(princs); - return ENOMEM; - } - } else if(ret) { - krb5_warn(context, ret, "kadm5_get_principals"); - return ret; - } - for(i = 0; i < num_princs; i++) { - ret = krb5_parse_name(context, princs[i], &princ_ent); - if(ret){ - krb5_warn(context, ret, "krb5_parse_name(%s)", princs[i]); - continue; - } - ret = (*func)(princ_ent, data); - if(ret) - krb5_warn(context, ret, "%s %s", funcname, princs[i]); - krb5_free_principal(context, princ_ent); - } - kadm5_free_name_list(kadm_handle, princs, &num_princs); - return 0; -} - -/* - * prompt with `prompt' and default value `def', and store the reply - * in `buf, len' - */ - -#include - -static jmp_buf jmpbuf; - -static void -interrupt(int sig) -{ - longjmp(jmpbuf, 1); -} - -static int -get_response(const char *prompt, const 
char *def, char *buf, size_t len) -{ - char *p; - void (*osig)(int); - - osig = signal(SIGINT, interrupt); - if(setjmp(jmpbuf)) { - signal(SIGINT, osig); - printf("\n"); - return 1; - } - - printf("%s [%s]:", prompt, def); - if(fgets(buf, len, stdin) == NULL) { - int save_errno = errno; - if(ferror(stdin)) - krb5_err(context, 1, save_errno, ""); - signal(SIGINT, osig); - return 1; - } - p = strchr(buf, '\n'); - if(p) - *p = '\0'; - if(strcmp(buf, "") == 0) - strlcpy(buf, def, len); - signal(SIGINT, osig); - return 0; -} - -/* - * return [0, 16) or -1 - */ - -static int -hex2n (char c) -{ - static char hexdigits[] = "0123456789abcdef"; - const char *p; - - p = strchr (hexdigits, tolower((unsigned char)c)); - if (p == NULL) - return -1; - else - return p - hexdigits; -} - -/* - * convert a key in a readable format into a keyblock. - * return 0 iff succesful, otherwise `err' should point to an error message - */ - -int -parse_des_key (const char *key_string, krb5_key_data *key_data, - const char **err) -{ - const char *p = key_string; - unsigned char bits[8]; - int i; - - if (strlen (key_string) != 16) { - *err = "bad length, should be 16 for DES key"; - return 1; - } - for (i = 0; i < 8; ++i) { - int d1, d2; - - d1 = hex2n(p[2 * i]); - d2 = hex2n(p[2 * i + 1]); - if (d1 < 0 || d2 < 0) { - *err = "non-hex character"; - return 1; - } - bits[i] = (d1 << 4) | d2; - } - for (i = 0; i < 3; ++i) { - key_data[i].key_data_ver = 2; - key_data[i].key_data_kvno = 0; - /* key */ - key_data[i].key_data_type[0] = ETYPE_DES_CBC_CRC; - key_data[i].key_data_length[0] = 8; - key_data[i].key_data_contents[0] = malloc(8); - memcpy (key_data[i].key_data_contents[0], bits, 8); - /* salt */ - key_data[i].key_data_type[1] = KRB5_PW_SALT; - key_data[i].key_data_length[1] = 0; - key_data[i].key_data_contents[1] = NULL; - } - key_data[0].key_data_type[0] = ETYPE_DES_CBC_MD5; - key_data[1].key_data_type[0] = ETYPE_DES_CBC_MD4; - return 0; -} 
diff --git a/crypto/heimdal-0.6.3/kadmin/version4.c b/crypto/heimdal-0.6.3/kadmin/version4.c
deleted file mode 100644
index ffa9c07f85..0000000000
--- a/crypto/heimdal-0.6.3/kadmin/version4.c
+++ /dev/null
@@ -1,1016 +0,0 @@
-/*
- * Copyright (c) 1999 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of KTH nor the names of its contributors may be
- * used to endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
- * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
- * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
- * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/ - -#include "kadmin_locl.h" -#include - -#define Principal krb4_Principal -#define kadm_get krb4_kadm_get -#undef ALLOC -#include -#include -#include -#include - -RCSID("$Id: version4.c,v 1.29.2.1 2004/04/29 12:29:23 lha Exp $"); - -#define KADM_NO_OPCODE -1 -#define KADM_NO_ENCRYPT -2 - -/* - * make an error packet if we fail encrypting - */ - -static void -make_you_lose_packet(int code, krb5_data *reply) -{ - krb5_data_alloc(reply, KADM_VERSIZE + 4); - memcpy(reply->data, KADM_ULOSE, KADM_VERSIZE); - _krb5_put_int((char*)reply->data + KADM_VERSIZE, code, 4); -} - -static int -ret_fields(krb5_storage *sp, char *fields) -{ - return krb5_storage_read(sp, fields, FLDSZ); -} - -static int -store_fields(krb5_storage *sp, char *fields) -{ - return krb5_storage_write(sp, fields, FLDSZ); -} - -static void -ret_vals(krb5_storage *sp, Kadm_vals *vals) -{ - int field; - char *tmp_string; - - memset(vals, 0, sizeof(*vals)); - - ret_fields(sp, vals->fields); - - for(field = 31; field >= 0; field--) { - if(IS_FIELD(field, vals->fields)) { - switch(field) { - case KADM_NAME: - krb5_ret_stringz(sp, &tmp_string); - strlcpy(vals->name, tmp_string, sizeof(vals->name)); - free(tmp_string); - break; - case KADM_INST: - krb5_ret_stringz(sp, &tmp_string); - strlcpy(vals->instance, tmp_string, - sizeof(vals->instance)); - free(tmp_string); - break; - case KADM_EXPDATE: - krb5_ret_int32(sp, &vals->exp_date); - break; - case KADM_ATTR: - krb5_ret_int16(sp, &vals->attributes); - break; - case KADM_MAXLIFE: - krb5_ret_int8(sp, &vals->max_life); - break; - case KADM_DESKEY: - krb5_ret_int32(sp, &vals->key_high); - krb5_ret_int32(sp, &vals->key_low); - break; -#ifdef EXTENDED_KADM - case KADM_MODDATE: - krb5_ret_int32(sp, &vals->mod_date); - break; - case KADM_MODNAME: - krb5_ret_stringz(sp, &tmp_string); - strlcpy(vals->mod_name, tmp_string, - sizeof(vals->mod_name)); - free(tmp_string); - break; - case KADM_MODINST: - krb5_ret_stringz(sp, &tmp_string); - strlcpy(vals->mod_instance, 
tmp_string, - sizeof(vals->mod_instance)); - free(tmp_string); - break; - case KADM_KVNO: - krb5_ret_int8(sp, &vals->key_version); - break; -#endif - default: - break; - } - } - } -} - -static void -store_vals(krb5_storage *sp, Kadm_vals *vals) -{ - int field; - - store_fields(sp, vals->fields); - - for(field = 31; field >= 0; field--) { - if(IS_FIELD(field, vals->fields)) { - switch(field) { - case KADM_NAME: - krb5_store_stringz(sp, vals->name); - break; - case KADM_INST: - krb5_store_stringz(sp, vals->instance); - break; - case KADM_EXPDATE: - krb5_store_int32(sp, vals->exp_date); - break; - case KADM_ATTR: - krb5_store_int16(sp, vals->attributes); - break; - case KADM_MAXLIFE: - krb5_store_int8(sp, vals->max_life); - break; - case KADM_DESKEY: - krb5_store_int32(sp, vals->key_high); - krb5_store_int32(sp, vals->key_low); - break; -#ifdef EXTENDED_KADM - case KADM_MODDATE: - krb5_store_int32(sp, vals->mod_date); - break; - case KADM_MODNAME: - krb5_store_stringz(sp, vals->mod_name); - break; - case KADM_MODINST: - krb5_store_stringz(sp, vals->mod_instance); - break; - case KADM_KVNO: - krb5_store_int8(sp, vals->key_version); - break; -#endif - default: - break; - } - } - } -} - -static int -flags_4_to_5(char *flags) -{ - int i; - int32_t mask = 0; - for(i = 31; i >= 0; i--) { - if(IS_FIELD(i, flags)) - switch(i) { - case KADM_NAME: - case KADM_INST: - mask |= KADM5_PRINCIPAL; - case KADM_EXPDATE: - mask |= KADM5_PRINC_EXPIRE_TIME; - case KADM_MAXLIFE: - mask |= KADM5_MAX_LIFE; -#ifdef EXTENDED_KADM - case KADM_KVNO: - mask |= KADM5_KEY_DATA; - case KADM_MODDATE: - mask |= KADM5_MOD_TIME; - case KADM_MODNAME: - case KADM_MODINST: - mask |= KADM5_MOD_NAME; -#endif - } - } - return mask; -} - -static void -ent_to_values(krb5_context context, - kadm5_principal_ent_t ent, - int32_t mask, - Kadm_vals *vals) -{ - krb5_error_code ret; - char realm[REALM_SZ]; - time_t exp = 0; - - memset(vals, 0, sizeof(*vals)); - if(mask & KADM5_PRINCIPAL) { - ret = 
krb5_524_conv_principal(context, ent->principal, - vals->name, vals->instance, realm); - SET_FIELD(KADM_NAME, vals->fields); - SET_FIELD(KADM_INST, vals->fields); - } - if(mask & KADM5_PRINC_EXPIRE_TIME) { - if(ent->princ_expire_time != 0) - exp = ent->princ_expire_time; - } - if(mask & KADM5_PW_EXPIRATION) { - if(ent->pw_expiration != 0 && (exp == 0 || exp > ent->pw_expiration)) - exp = ent->pw_expiration; - } - if(exp) { - vals->exp_date = exp; - SET_FIELD(KADM_EXPDATE, vals->fields); - } - if(mask & KADM5_MAX_LIFE) { - if(ent->max_life == 0) - vals->max_life = 255; - else - vals->max_life = krb_time_to_life(0, ent->max_life); - SET_FIELD(KADM_MAXLIFE, vals->fields); - } - if(mask & KADM5_KEY_DATA) { - if(ent->n_key_data > 0) { -#ifdef EXTENDED_KADM - vals->key_version = ent->key_data[0].key_data_kvno; - SET_FIELD(KADM_KVNO, vals->fields); -#endif - } - /* XXX the key itself? */ - } -#ifdef EXTENDED_KADM - if(mask & KADM5_MOD_TIME) { - vals->mod_date = ent->mod_date; - SET_FIELD(KADM_MODDATE, vals->fields); - } - if(mask & KADM5_MOD_NAME) { - krb5_524_conv_principal(context, ent->mod_name, - vals->mod_name, vals->mod_instance, realm); - SET_FIELD(KADM_MODNAME, vals->fields); - SET_FIELD(KADM_MODINST, vals->fields); - } -#endif -} - -/* - * convert the kadm4 values in `vals' to `ent' (and `mask') - */ - -static krb5_error_code -values_to_ent(krb5_context context, - Kadm_vals *vals, - kadm5_principal_ent_t ent, - int32_t *mask) -{ - krb5_error_code ret; - *mask = 0; - memset(ent, 0, sizeof(*ent)); - - if(IS_FIELD(KADM_NAME, vals->fields)) { - char *inst = NULL; - if(IS_FIELD(KADM_INST, vals->fields)) - inst = vals->instance; - ret = krb5_425_conv_principal(context, - vals->name, - inst, - NULL, - &ent->principal); - if(ret) - return ret; - *mask |= KADM5_PRINCIPAL; - } - if(IS_FIELD(KADM_EXPDATE, vals->fields)) { - ent->princ_expire_time = vals->exp_date; - *mask |= KADM5_PRINC_EXPIRE_TIME; - } - if(IS_FIELD(KADM_MAXLIFE, vals->fields)) { - ent->max_life = 
krb_life_to_time(0, vals->max_life); - *mask |= KADM5_MAX_LIFE; - } - - if(IS_FIELD(KADM_DESKEY, vals->fields)) { - int i; - ent->key_data = calloc(3, sizeof(*ent->key_data)); - if(ent->key_data == NULL) - return ENOMEM; - for(i = 0; i < 3; i++) { - u_int32_t key_low, key_high; - - ent->key_data[i].key_data_ver = 2; -#ifdef EXTENDED_KADM - if(IS_FIELD(KADM_KVNO, vals->fields)) - ent->key_data[i].key_data_kvno = vals->key_version; -#endif - ent->key_data[i].key_data_type[0] = ETYPE_DES_CBC_MD5; - ent->key_data[i].key_data_length[0] = 8; - if((ent->key_data[i].key_data_contents[0] = malloc(8)) == NULL) - return ENOMEM; - - key_low = ntohl(vals->key_low); - key_high = ntohl(vals->key_high); - memcpy(ent->key_data[i].key_data_contents[0], - &key_low, 4); - memcpy((char*)ent->key_data[i].key_data_contents[0] + 4, - &key_high, 4); - ent->key_data[i].key_data_type[1] = KRB5_PW_SALT; - ent->key_data[i].key_data_length[1] = 0; - ent->key_data[i].key_data_contents[1] = NULL; - } - ent->key_data[1].key_data_type[0] = ETYPE_DES_CBC_MD4; - ent->key_data[2].key_data_type[0] = ETYPE_DES_CBC_CRC; - ent->n_key_data = 3; - *mask |= KADM5_KEY_DATA; - } - -#ifdef EXTENDED_KADM - if(IS_FIELD(KADM_MODDATE, vals->fields)) { - ent->mod_date = vals->mod_date; - *mask |= KADM5_MOD_TIME; - } - if(IS_FIELD(KADM_MODNAME, vals->fields)) { - char *inst = NULL; - if(IS_FIELD(KADM_MODINST, vals->fields)) - inst = vals->mod_instance; - ret = krb5_425_conv_principal(context, - vals->mod_name, - inst, - NULL, - &ent->mod_name); - if(ret) - return ret; - *mask |= KADM5_MOD_NAME; - } -#endif - return 0; -} - -/* - * Try to translate a KADM5 error code into a v4 kadmin one. 
- */ - -static int -error_code(int ret) -{ - switch (ret) { - case 0: - return 0; - case KADM5_FAILURE : - case KADM5_AUTH_GET : - case KADM5_AUTH_ADD : - case KADM5_AUTH_MODIFY : - case KADM5_AUTH_DELETE : - case KADM5_AUTH_INSUFFICIENT : - return KADM_UNAUTH; - case KADM5_BAD_DB : - return KADM_UK_RERROR; - case KADM5_DUP : - return KADM_INUSE; - case KADM5_RPC_ERROR : - case KADM5_NO_SRV : - return KADM_NO_SERV; - case KADM5_NOT_INIT : - return KADM_NO_CONN; - case KADM5_UNK_PRINC : - return KADM_NOENTRY; - case KADM5_PASS_Q_TOOSHORT : -#ifdef KADM_PASS_Q_TOOSHORT - return KADM_PASS_Q_TOOSHORT; -#else - return KADM_INSECURE_PW; -#endif - case KADM5_PASS_Q_CLASS : -#ifdef KADM_PASS_Q_CLASS - return KADM_PASS_Q_CLASS; -#else - return KADM_INSECURE_PW; -#endif - case KADM5_PASS_Q_DICT : -#ifdef KADM_PASS_Q_DICT - return KADM_PASS_Q_DICT; -#else - return KADM_INSECURE_PW; -#endif - case KADM5_PASS_REUSE : - case KADM5_PASS_TOOSOON : - case KADM5_BAD_PASSWORD : - return KADM_INSECURE_PW; - case KADM5_PROTECT_PRINCIPAL : - return KADM_IMMUTABLE; - case KADM5_POLICY_REF : - case KADM5_INIT : - case KADM5_BAD_HIST_KEY : - case KADM5_UNK_POLICY : - case KADM5_BAD_MASK : - case KADM5_BAD_CLASS : - case KADM5_BAD_LENGTH : - case KADM5_BAD_POLICY : - case KADM5_BAD_PRINCIPAL : - case KADM5_BAD_AUX_ATTR : - case KADM5_BAD_HISTORY : - case KADM5_BAD_MIN_PASS_LIFE : - case KADM5_BAD_SERVER_HANDLE : - case KADM5_BAD_STRUCT_VERSION : - case KADM5_OLD_STRUCT_VERSION : - case KADM5_NEW_STRUCT_VERSION : - case KADM5_BAD_API_VERSION : - case KADM5_OLD_LIB_API_VERSION : - case KADM5_OLD_SERVER_API_VERSION : - case KADM5_NEW_LIB_API_VERSION : - case KADM5_NEW_SERVER_API_VERSION : - case KADM5_SECURE_PRINC_MISSING : - case KADM5_NO_RENAME_SALT : - case KADM5_BAD_CLIENT_PARAMS : - case KADM5_BAD_SERVER_PARAMS : - case KADM5_AUTH_LIST : - case KADM5_AUTH_CHANGEPW : - case KADM5_BAD_TL_TYPE : - case KADM5_MISSING_CONF_PARAMS : - case KADM5_BAD_SERVER_NAME : - default : - return 
KADM_UNAUTH; /* XXX */ - } -} - -/* - * server functions - */ - -static int -kadm_ser_cpw(krb5_context context, - void *kadm_handle, - krb5_principal principal, - const char *principal_string, - krb5_storage *message, - krb5_storage *reply) -{ - char key[8]; - char *password = NULL; - krb5_error_code ret; - - krb5_warnx(context, "v4-compat %s: CHPASS %s", - principal_string, principal_string); - - ret = krb5_storage_read(message, key + 4, 4); - ret = krb5_storage_read(message, key, 4); - ret = krb5_ret_stringz(message, &password); - - if(password) { - krb5_data pwd_data; - const char *tmp; - - pwd_data.data = password; - pwd_data.length = strlen(password); - - tmp = kadm5_check_password_quality (context, principal, &pwd_data); - - if (tmp != NULL) { - krb5_store_stringz (reply, (char *)tmp); - ret = KADM5_PASS_Q_DICT; - goto fail; - } - ret = kadm5_chpass_principal(kadm_handle, principal, password); - } else { - krb5_key_data key_data[3]; - int i; - for(i = 0; i < 3; i++) { - key_data[i].key_data_ver = 2; - key_data[i].key_data_kvno = 0; - /* key */ - key_data[i].key_data_type[0] = ETYPE_DES_CBC_CRC; - key_data[i].key_data_length[0] = 8; - key_data[i].key_data_contents[0] = malloc(8); - memcpy(key_data[i].key_data_contents[0], &key, 8); - /* salt */ - key_data[i].key_data_type[1] = KRB5_PW_SALT; - key_data[i].key_data_length[1] = 0; - key_data[i].key_data_contents[1] = NULL; - } - key_data[0].key_data_type[0] = ETYPE_DES_CBC_MD5; - key_data[1].key_data_type[0] = ETYPE_DES_CBC_MD4; - ret = kadm5_s_chpass_principal_with_key(kadm_handle, - principal, 3, key_data); - } - - if(ret != 0) { - krb5_store_stringz(reply, (char*)krb5_get_err_text(context, ret)); - goto fail; - } - return 0; -fail: - krb5_warn(context, ret, "v4-compat CHPASS"); - return error_code(ret); -} - -static int -kadm_ser_add(krb5_context context, - void *kadm_handle, - krb5_principal principal, - const char *principal_string, - krb5_storage *message, - krb5_storage *reply) -{ - int32_t mask; - 
kadm5_principal_ent_rec ent, out; - Kadm_vals values; - krb5_error_code ret; - char name[128]; - - ret_vals(message, &values); - - ret = values_to_ent(context, &values, &ent, &mask); - if(ret) - goto fail; - - krb5_unparse_name_fixed(context, ent.principal, name, sizeof(name)); - krb5_warnx(context, "v4-compat %s: ADD %s", - principal_string, name); - - ret = _kadm5_acl_check_permission (kadm_handle, KADM5_PRIV_ADD, - ent.principal); - if (ret) - goto fail; - - ret = kadm5_s_create_principal_with_key(kadm_handle, &ent, mask); - if(ret) { - kadm5_free_principal_ent(kadm_handle, &ent); - goto fail; - } - - mask = KADM5_PRINCIPAL | KADM5_PRINC_EXPIRE_TIME | KADM5_MAX_LIFE | - KADM5_KEY_DATA | KADM5_MOD_TIME | KADM5_MOD_NAME; - - kadm5_get_principal(kadm_handle, ent.principal, &out, mask); - ent_to_values(context, &out, mask, &values); - kadm5_free_principal_ent(kadm_handle, &ent); - kadm5_free_principal_ent(kadm_handle, &out); - store_vals(reply, &values); - return 0; -fail: - krb5_warn(context, ret, "v4-compat ADD"); - return error_code(ret); -} - -static int -kadm_ser_get(krb5_context context, - void *kadm_handle, - krb5_principal principal, - const char *principal_string, - krb5_storage *message, - krb5_storage *reply) -{ - krb5_error_code ret; - Kadm_vals values; - kadm5_principal_ent_rec ent, out; - int32_t mask; - char flags[FLDSZ]; - char name[128]; - - ret_vals(message, &values); - /* XXX BRAIN DAMAGE! 
these flags are not stored in the same order - as in the header */ - krb5_ret_int8(message, &flags[3]); - krb5_ret_int8(message, &flags[2]); - krb5_ret_int8(message, &flags[1]); - krb5_ret_int8(message, &flags[0]); - ret = values_to_ent(context, &values, &ent, &mask); - if(ret) - goto fail; - - krb5_unparse_name_fixed(context, ent.principal, name, sizeof(name)); - krb5_warnx(context, "v4-compat %s: GET %s", - principal_string, name); - - ret = _kadm5_acl_check_permission (kadm_handle, KADM5_PRIV_GET, - ent.principal); - if (ret) - goto fail; - - mask = flags_4_to_5(flags); - - ret = kadm5_get_principal(kadm_handle, ent.principal, &out, mask); - kadm5_free_principal_ent(kadm_handle, &ent); - - if (ret) - goto fail; - - ent_to_values(context, &out, mask, &values); - - kadm5_free_principal_ent(kadm_handle, &out); - - store_vals(reply, &values); - return 0; -fail: - krb5_warn(context, ret, "v4-compat GET"); - return error_code(ret); -} - -static int -kadm_ser_mod(krb5_context context, - void *kadm_handle, - krb5_principal principal, - const char *principal_string, - krb5_storage *message, - krb5_storage *reply) -{ - Kadm_vals values1, values2; - kadm5_principal_ent_rec ent, out; - int32_t mask; - krb5_error_code ret; - char name[128]; - - ret_vals(message, &values1); - /* why are the old values sent? is the mask the same in the old and - the new entry? 
*/ - ret_vals(message, &values2); - - ret = values_to_ent(context, &values2, &ent, &mask); - if(ret) - goto fail; - - krb5_unparse_name_fixed(context, ent.principal, name, sizeof(name)); - krb5_warnx(context, "v4-compat %s: MOD %s", - principal_string, name); - - ret = _kadm5_acl_check_permission (kadm_handle, KADM5_PRIV_MODIFY, - ent.principal); - if (ret) - goto fail; - - ret = kadm5_s_modify_principal(kadm_handle, &ent, mask); - if(ret) { - kadm5_free_principal_ent(kadm_handle, &ent); - krb5_warn(context, ret, "kadm5_s_modify_principal"); - goto fail; - } - - ret = kadm5_get_principal(kadm_handle, ent.principal, &out, mask); - if(ret) { - kadm5_free_principal_ent(kadm_handle, &ent); - krb5_warn(context, ret, "kadm5_s_modify_principal"); - goto fail; - } - - ent_to_values(context, &out, mask, &values1); - - kadm5_free_principal_ent(kadm_handle, &ent); - kadm5_free_principal_ent(kadm_handle, &out); - - store_vals(reply, &values1); - return 0; -fail: - krb5_warn(context, ret, "v4-compat MOD"); - return error_code(ret); -} - -static int -kadm_ser_del(krb5_context context, - void *kadm_handle, - krb5_principal principal, - const char *principal_string, - krb5_storage *message, - krb5_storage *reply) -{ - Kadm_vals values; - kadm5_principal_ent_rec ent; - int32_t mask; - krb5_error_code ret; - char name[128]; - - ret_vals(message, &values); - - ret = values_to_ent(context, &values, &ent, &mask); - if(ret) - goto fail; - - krb5_unparse_name_fixed(context, ent.principal, name, sizeof(name)); - krb5_warnx(context, "v4-compat %s: DEL %s", - principal_string, name); - - ret = _kadm5_acl_check_permission (kadm_handle, KADM5_PRIV_DELETE, - ent.principal); - if (ret) - goto fail; - - ret = kadm5_delete_principal(kadm_handle, ent.principal); - - kadm5_free_principal_ent(kadm_handle, &ent); - - if (ret) - goto fail; - - return 0; -fail: - krb5_warn(context, ret, "v4-compat ADD"); - return error_code(ret); -} - -static int -dispatch(krb5_context context, - void *kadm_handle, - 
krb5_principal principal, - const char *principal_string, - krb5_data msg, - krb5_data *reply) -{ - int retval; - int8_t command; - krb5_storage *sp_in, *sp_out; - - sp_in = krb5_storage_from_data(&msg); - krb5_ret_int8(sp_in, &command); - - sp_out = krb5_storage_emem(); - krb5_storage_write(sp_out, KADM_VERSTR, KADM_VERSIZE); - krb5_store_int32(sp_out, 0); - - switch(command) { - case CHANGE_PW: - retval = kadm_ser_cpw(context, kadm_handle, principal, - principal_string, - sp_in, sp_out); - break; - case ADD_ENT: - retval = kadm_ser_add(context, kadm_handle, principal, - principal_string, - sp_in, sp_out); - break; - case GET_ENT: - retval = kadm_ser_get(context, kadm_handle, principal, - principal_string, - sp_in, sp_out); - break; - case MOD_ENT: - retval = kadm_ser_mod(context, kadm_handle, principal, - principal_string, - sp_in, sp_out); - break; - case DEL_ENT: - retval = kadm_ser_del(context, kadm_handle, principal, - principal_string, - sp_in, sp_out); - break; - default: - krb5_warnx(context, "v4-compat %s: unknown opcode: %d", - principal_string, command); - retval = KADM_NO_OPCODE; - break; - } - krb5_storage_free(sp_in); - if(retval) { - krb5_storage_seek(sp_out, KADM_VERSIZE, SEEK_SET); - krb5_store_int32(sp_out, retval); - } - krb5_storage_to_data(sp_out, reply); - krb5_storage_free(sp_out); - return retval; -} - -/* - * Decode a v4 kadmin packet in `message' and create a reply in `reply' - */ - -static void -decode_packet(krb5_context context, - krb5_keytab keytab, - struct sockaddr_in *admin_addr, - struct sockaddr_in *client_addr, - krb5_data message, - krb5_data *reply) -{ - int ret; - KTEXT_ST authent; - AUTH_DAT ad; - MSG_DAT msg_dat; - off_t off = 0; - unsigned long rlen; - char sname[] = "changepw", sinst[] = "kerberos"; - unsigned long checksum; - des_key_schedule schedule; - char *msg = message.data; - void *kadm_handle; - krb5_principal client; - char *client_str; - krb5_keytab_entry entry; - - if(message.length < KADM_VERSIZE + 4 - || 
strncmp(msg, KADM_VERSTR, KADM_VERSIZE) != 0) { - make_you_lose_packet (KADM_BAD_VER, reply); - return; - } - - off = KADM_VERSIZE; - off += _krb5_get_int(msg + off, &rlen, 4); - memset(&authent, 0, sizeof(authent)); - authent.length = message.length - rlen - KADM_VERSIZE - 4; - - if(rlen > message.length - KADM_VERSIZE - 4 - || authent.length > MAX_KTXT_LEN) { - krb5_warnx(context, "received bad rlen (%lu)", (unsigned long)rlen); - make_you_lose_packet (KADM_LENGTH_ERROR, reply); - return; - } - - memcpy(authent.dat, (char*)msg + off, authent.length); - off += authent.length; - - { - krb5_principal principal; - krb5_keyblock *key; - - ret = krb5_make_principal(context, &principal, NULL, - "changepw", "kerberos", NULL); - if (ret) { - krb5_warn (context, ret, "krb5_make_principal"); - make_you_lose_packet (KADM_NOMEM, reply); - return; - } - ret = krb5_kt_get_entry (context, keytab, principal, 0, - ETYPE_DES_CBC_MD5, &entry); - krb5_kt_close (context, keytab); - if (ret) { - krb5_free_principal(context, principal); - make_you_lose_packet (KADM_NO_AUTH, reply); - return; - } - ret = krb5_copy_keyblock (context, &entry.keyblock,& key); - krb5_kt_free_entry(context, &entry); - krb5_free_principal(context, principal); - if(ret) { - if(ret == KRB5_KT_NOTFOUND) - make_you_lose_packet(KADM_NO_AUTH, reply); - else - /* XXX */ - make_you_lose_packet(KADM_NO_AUTH, reply); - krb5_warn(context, ret, "krb5_kt_read_service_key"); - return; - } - - if(key->keyvalue.length != 8) - krb5_abortx(context, "key has wrong length (%lu)", - (unsigned long)key->keyvalue.length); - krb_set_key(key->keyvalue.data, 0); - krb5_free_keyblock(context, key); - } - - ret = krb_rd_req(&authent, sname, sinst, - client_addr->sin_addr.s_addr, &ad, NULL); - - if(ret) { - make_you_lose_packet(ERROR_TABLE_BASE_krb + ret, reply); - krb5_warnx(context, "krb_rd_req: %d", ret); - return; - } - - ret = krb5_425_conv_principal(context, ad.pname, ad.pinst, ad.prealm, - &client); - if (ret) { - krb5_warnx 
(context, "krb5_425_conv_principal: %d", ret); - make_you_lose_packet (KADM_NOMEM, reply); - return; - } - - krb5_unparse_name(context, client, &client_str); - - ret = kadm5_init_with_password_ctx(context, - client_str, - NULL, - KADM5_ADMIN_SERVICE, - NULL, 0, 0, - &kadm_handle); - if (ret) { - krb5_warn (context, ret, "kadm5_init_with_password_ctx"); - make_you_lose_packet (KADM_NOMEM, reply); - goto out; - } - - checksum = des_quad_cksum((void *)(msg + off), NULL, rlen, 0, &ad.session); - if(checksum != ad.checksum) { - krb5_warnx(context, "decode_packet: bad checksum"); - make_you_lose_packet (KADM_BAD_CHK, reply); - goto out; - } - des_set_key(&ad.session, schedule); - ret = krb_rd_priv(msg + off, rlen, schedule, &ad.session, - client_addr, admin_addr, &msg_dat); - if (ret) { - make_you_lose_packet (ERROR_TABLE_BASE_krb + ret, reply); - krb5_warnx(context, "krb_rd_priv: %d", ret); - goto out; - } - - { - krb5_data d, r; - int retval; - - d.data = msg_dat.app_data; - d.length = msg_dat.app_length; - - retval = dispatch(context, kadm_handle, - client, client_str, d, &r); - krb5_data_alloc(reply, r.length + 26); - reply->length = krb_mk_priv(r.data, reply->data, r.length, - schedule, &ad.session, - admin_addr, client_addr); - if((ssize_t)reply->length < 0) { - make_you_lose_packet(KADM_NO_ENCRYPT, reply); - goto out; - } - } -out: - krb5_free_principal(context, client); - free(client_str); -} - -void -handle_v4(krb5_context context, - krb5_keytab keytab, - int len, - int fd) -{ - int first = 1; - struct sockaddr_in admin_addr, client_addr; - socklen_t addr_len; - krb5_data message, reply; - ssize_t n; - - addr_len = sizeof(client_addr); - if (getsockname(fd, (struct sockaddr*)&admin_addr, &addr_len) < 0) - krb5_errx (context, 1, "getsockname"); - addr_len = sizeof(client_addr); - if (getpeername(fd, (struct sockaddr*)&client_addr, &addr_len) < 0) - krb5_errx (context, 1, "getpeername"); - - while(1) { - doing_useful_work = 0; - if(term_flag) - exit(0); - 
if(first) { - if (len < 2) - krb5_errx(context, 1, "received too short len (%d < 2)", len); - /* first time around, we have already read len, and two - bytes of the version string */ - krb5_data_alloc(&message, len); - memcpy(message.data, "KA", 2); - n = krb5_net_read(context, &fd, (char*)message.data + 2, - len - 2); - if (n == 0) - exit (0); - if (n < 0) - krb5_err (context, 1, errno, "krb5_net_read"); - first = 0; - } else { - char buf[2]; - unsigned long tmp; - ssize_t n; - - n = krb5_net_read(context, &fd, buf, sizeof(2)); - if (n == 0) - exit (0); - if (n < 0) - krb5_err (context, 1, errno, "krb5_net_read"); - _krb5_get_int(buf, &tmp, 2); - krb5_data_alloc(&message, tmp); - n = krb5_net_read(context, &fd, message.data, message.length); - if (n == 0) - krb5_errx (context, 1, "EOF in krb5_net_read"); - if (n < 0) - krb5_err (context, 1, errno, "krb5_net_read"); - } - doing_useful_work = 1; - decode_packet(context, keytab, &admin_addr, &client_addr, - message, &reply); - krb5_data_free(&message); - { - char buf[2]; - - _krb5_put_int(buf, reply.length, sizeof(buf)); - n = krb5_net_write(context, &fd, buf, sizeof(buf)); - if (n < 0) - krb5_err (context, 1, errno, "krb5_net_write"); - n = krb5_net_write(context, &fd, reply.data, reply.length); - if (n < 0) - krb5_err (context, 1, errno, "krb5_net_write"); - krb5_data_free(&reply); - } - } -} diff --git a/crypto/heimdal-0.6.3/kdc/524.c b/crypto/heimdal-0.6.3/kdc/524.c deleted file mode 100644 index 225594e6fc..0000000000 --- a/crypto/heimdal-0.6.3/kdc/524.c +++ /dev/null 
@@ -1,371 +0,0 @@
-/*
- * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "kdc_locl.h" - -RCSID("$Id: 524.c,v 1.29 2003/03/17 05:35:47 assar Exp $"); - -#ifndef KRB4 -#include -#endif - -/* - * fetch the server from `t', returning the name in malloced memory in - * `spn' and the entry itself in `server' - */ - -static krb5_error_code -fetch_server (const Ticket *t, - char **spn, - hdb_entry **server, - const char *from) -{ - krb5_error_code ret; - krb5_principal sprinc; - - ret = principalname2krb5_principal(&sprinc, t->sname, t->realm); - if (ret) { - kdc_log(0, "principalname2krb5_principal: %s", - krb5_get_err_text(context, ret)); - return ret; - } - ret = krb5_unparse_name(context, sprinc, spn); - if (ret) { - krb5_free_principal(context, sprinc); - kdc_log(0, "krb5_unparse_name: %s", krb5_get_err_text(context, ret)); - return ret; - } - ret = db_fetch(sprinc, server); - krb5_free_principal(context, sprinc); - if (ret) { - kdc_log(0, - "Request to convert ticket from %s for unknown principal %s: %s", - from, *spn, krb5_get_err_text(context, ret)); - if (ret == HDB_ERR_NOENTRY) - ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; - return ret; - } - return 0; -} - -static krb5_error_code -log_524 (const EncTicketPart *et, - const char *from, - const char *spn) -{ - krb5_principal client; - char *cpn; - krb5_error_code ret; - - ret = principalname2krb5_principal(&client, et->cname, et->crealm); - if (ret) { - kdc_log(0, "principalname2krb5_principal: %s", - krb5_get_err_text (context, ret)); - return ret; - } - ret = krb5_unparse_name(context, client, &cpn); - if (ret) { - krb5_free_principal(context, client); - kdc_log(0, "krb5_unparse_name: %s", - krb5_get_err_text (context, ret)); - return ret; - } - kdc_log(1, "524-REQ %s from %s for %s", cpn, from, spn); - free(cpn); - krb5_free_principal(context, client); - return 0; -} - -static krb5_error_code -verify_flags (const EncTicketPart *et, - const char *spn) -{ - if(et->endtime < kdc_time){ - kdc_log(0, "Ticket expired (%s)", spn); - return KRB5KRB_AP_ERR_TKT_EXPIRED; - } - 
if(et->flags.invalid){ - kdc_log(0, "Ticket not valid (%s)", spn); - return KRB5KRB_AP_ERR_TKT_NYV; - } - return 0; -} - -/* - * set the `et->caddr' to the most appropriate address to use, where - * `addr' is the address the request was received from. - */ - -static krb5_error_code -set_address (EncTicketPart *et, - struct sockaddr *addr, - const char *from) -{ - krb5_error_code ret; - krb5_address *v4_addr; - - v4_addr = malloc (sizeof(*v4_addr)); - if (v4_addr == NULL) - return ENOMEM; - - ret = krb5_sockaddr2address(context, addr, v4_addr); - if(ret) { - free (v4_addr); - kdc_log(0, "Failed to convert address (%s)", from); - return ret; - } - - if (et->caddr && !krb5_address_search (context, v4_addr, et->caddr)) { - kdc_log(0, "Incorrect network address (%s)", from); - krb5_free_address(context, v4_addr); - free (v4_addr); - return KRB5KRB_AP_ERR_BADADDR; - } - if(v4_addr->addr_type == KRB5_ADDRESS_INET) { - /* we need to collapse the addresses in the ticket to a - single address; best guess is to use the address the - connection came from */ - - if (et->caddr != NULL) { - free_HostAddresses(et->caddr); - } else { - et->caddr = malloc (sizeof (*et->caddr)); - if (et->caddr == NULL) { - krb5_free_address(context, v4_addr); - free(v4_addr); - return ENOMEM; - } - } - et->caddr->val = v4_addr; - et->caddr->len = 1; - } else { - krb5_free_address(context, v4_addr); - free(v4_addr); - } - return 0; -} - - -static krb5_error_code -encrypt_v4_ticket(void *buf, - size_t len, - krb5_keyblock *skey, - EncryptedData *reply) -{ - krb5_crypto crypto; - krb5_error_code ret; - ret = krb5_crypto_init(context, skey, ETYPE_DES_PCBC_NONE, &crypto); - if (ret) { - free(buf); - kdc_log(0, "krb5_crypto_init failed: %s", - krb5_get_err_text(context, ret)); - return ret; - } - - ret = krb5_encrypt_EncryptedData(context, - crypto, - KRB5_KU_TICKET, - buf, - len, - 0, - reply); - krb5_crypto_destroy(context, crypto); - if(ret) { - kdc_log(0, "Failed to encrypt data: %s", - 
krb5_get_err_text(context, ret)); - return ret; - } - return 0; -} - -static krb5_error_code -encode_524_response(const char *spn, const EncTicketPart et, const Ticket *t, - hdb_entry *server, EncryptedData *ticket, int *kvno) -{ - krb5_error_code ret; - int use_2b; - size_t len; - - use_2b = krb5_config_get_bool(context, NULL, "kdc", "use_2b", spn, NULL); - if(use_2b) { - ASN1_MALLOC_ENCODE(EncryptedData, - ticket->cipher.data, ticket->cipher.length, - &t->enc_part, &len, ret); - - if (ret) { - kdc_log(0, "Failed to encode v4 (2b) ticket (%s)", spn); - return ret; - } - - ticket->etype = 0; - ticket->kvno = NULL; - *kvno = 213; /* 2b's use this magic kvno */ - } else { - unsigned char buf[MAX_KTXT_LEN + 4 * 4]; - Key *skey; - - if (!enable_v4_cross_realm && strcmp (et.crealm, t->realm) != 0) { - kdc_log(0, "524 cross-realm %s -> %s disabled", et.crealm, - t->realm); - return KRB5KDC_ERR_POLICY; - } - - ret = encode_v4_ticket(buf + sizeof(buf) - 1, sizeof(buf), - &et, &t->sname, &len); - if(ret){ - kdc_log(0, "Failed to encode v4 ticket (%s)", spn); - return ret; - } - ret = get_des_key(server, TRUE, FALSE, &skey); - if(ret){ - kdc_log(0, "no suitable DES key for server (%s)", spn); - return ret; - } - ret = encrypt_v4_ticket(buf + sizeof(buf) - len, len, - &skey->key, ticket); - if(ret){ - kdc_log(0, "Failed to encrypt v4 ticket (%s)", spn); - return ret; - } - *kvno = server->kvno; - } - - return 0; -} - -/* - * process a 5->4 request, based on `t', and received `from, addr', - * returning the reply in `reply' - */ - -krb5_error_code -do_524(const Ticket *t, krb5_data *reply, - const char *from, struct sockaddr *addr) -{ - krb5_error_code ret = 0; - krb5_crypto crypto; - hdb_entry *server = NULL; - Key *skey; - krb5_data et_data; - EncTicketPart et; - EncryptedData ticket; - krb5_storage *sp; - char *spn = NULL; - unsigned char buf[MAX_KTXT_LEN + 4 * 4]; - size_t len; - int kvno; - - if(!enable_524) { - ret = KRB5KDC_ERR_POLICY; - kdc_log(0, "Rejected ticket 
conversion request from %s", from); - goto out; - } - - ret = fetch_server (t, &spn, &server, from); - if (ret) { - goto out; - } - - ret = hdb_enctype2key(context, server, t->enc_part.etype, &skey); - if(ret){ - kdc_log(0, "No suitable key found for server (%s) from %s", spn, from); - goto out; - } - ret = krb5_crypto_init(context, &skey->key, 0, &crypto); - if (ret) { - kdc_log(0, "krb5_crypto_init failed: %s", - krb5_get_err_text(context, ret)); - goto out; - } - ret = krb5_decrypt_EncryptedData (context, - crypto, - KRB5_KU_TICKET, - &t->enc_part, - &et_data); - krb5_crypto_destroy(context, crypto); - if(ret){ - kdc_log(0, "Failed to decrypt ticket from %s for %s", from, spn); - goto out; - } - ret = krb5_decode_EncTicketPart(context, et_data.data, et_data.length, - &et, &len); - krb5_data_free(&et_data); - if(ret){ - kdc_log(0, "Failed to decode ticket from %s for %s", from, spn); - goto out; - } - - ret = log_524 (&et, from, spn); - if (ret) { - free_EncTicketPart(&et); - goto out; - } - - ret = verify_flags (&et, spn); - if (ret) { - free_EncTicketPart(&et); - goto out; - } - - ret = set_address (&et, addr, from); - if (ret) { - free_EncTicketPart(&et); - goto out; - } - - ret = encode_524_response(spn, et, t, server, &ticket, &kvno); - free_EncTicketPart(&et); - -out: - /* make reply */ - memset(buf, 0, sizeof(buf)); - sp = krb5_storage_from_mem(buf, sizeof(buf)); - krb5_store_int32(sp, ret); - if(ret == 0){ - krb5_store_int32(sp, kvno); - krb5_store_data(sp, ticket.cipher); - /* Aargh! This is coded as a KTEXT_ST. */ - krb5_storage_seek(sp, MAX_KTXT_LEN - ticket.cipher.length, SEEK_CUR); - krb5_store_int32(sp, 0); /* mbz */ - free_EncryptedData(&ticket); - } - ret = krb5_storage_to_data(sp, reply); - reply->length = krb5_storage_seek(sp, 0, SEEK_CUR); - krb5_storage_free(sp); - - if(spn) - free(spn); - if(server) - free_ent (server); - return ret; -} 
diff --git a/crypto/heimdal-0.6.3/kdc/Makefile.am b/crypto/heimdal-0.6.3/kdc/Makefile.am
deleted file mode 100644
index f41f46eb51..0000000000
--- a/crypto/heimdal-0.6.3/kdc/Makefile.am
+++ /dev/null
@@ -1,71 +0,0 @@
-# $Id: Makefile.am,v 1.44 2003/01/14 05:47:06 lha Exp $
-
-include $(top_srcdir)/Makefile.am.common
-
-INCLUDES += $(INCLUDE_krb4) $(INCLUDE_des) -I$(srcdir)/../lib/krb5
-
-bin_PROGRAMS = string2key
-
-sbin_PROGRAMS = kstash
-
-libexec_PROGRAMS = hprop hpropd kdc
-
-man_MANS = kdc.8 kstash.8 hprop.8 hpropd.8 string2key.8
-
-hprop_SOURCES = hprop.c mit_dump.c v4_dump.c hprop.h kadb.h
-hpropd_SOURCES = hpropd.c hprop.h
-
-kstash_SOURCES = kstash.c headers.h
-
-string2key_SOURCES = string2key.c headers.h
-
-if KRB4
-krb4_sources = kaserver.c rx.h
-else
-krb4_sources =
-endif
-
-kdc_SOURCES = \
- config.c \
- connect.c \
- kdc_locl.h \
- kerberos5.c \
- log.c \
- main.c \
- misc.c \
- 524.c \
- kerberos4.c \
- $(krb4_sources)
-
-
-hprop_LDADD = \
- $(top_builddir)/lib/hdb/libhdb.la \
- $(LIB_openldap) \
- $(top_builddir)/lib/krb5/libkrb5.la \
- $(LIB_kdb) $(LIB_krb4) \
- $(LIB_des) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(LIB_roken) \
- $(DBLIB)
-
-hpropd_LDADD = \
- $(top_builddir)/lib/hdb/libhdb.la \
- $(LIB_openldap) \
- $(top_builddir)/lib/krb5/libkrb5.la \
- $(LIB_kdb) $(LIB_krb4) \
- $(LIB_des) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(LIB_roken) \
- $(DBLIB)
-
-LDADD = $(top_builddir)/lib/hdb/libhdb.la \
- $(LIB_openldap) \
- $(top_builddir)/lib/krb5/libkrb5.la \
- $(LIB_krb4) \
- $(LIB_des) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(LIB_roken) \
- $(DBLIB)
-
-kdc_LDADD = $(LDADD) $(LIB_pidfile)
-
diff --git a/crypto/heimdal-0.6.3/kdc/Makefile.in b/crypto/heimdal-0.6.3/kdc/Makefile.in
deleted file mode 100644
index 6e5f5ca528..0000000000
--- a/crypto/heimdal-0.6.3/kdc/Makefile.in
+++ /dev/null
@@ -1,973 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.44 2003/01/14 05:47:06 lha Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - -SOURCES = $(hprop_SOURCES) $(hpropd_SOURCES) $(kdc_SOURCES) $(kstash_SOURCES) $(string2key_SOURCES) - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = .. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ - $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common -bin_PROGRAMS = string2key$(EXEEXT) -sbin_PROGRAMS = kstash$(EXEEXT) -libexec_PROGRAMS = hprop$(EXEEXT) hpropd$(EXEEXT) kdc$(EXEEXT) -subdir = kdc -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 
$(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - $(top_srcdir)/cf/krb-struct-spwd.m4 \ - $(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)" -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -sbinPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -PROGRAMS = $(bin_PROGRAMS) $(libexec_PROGRAMS) $(sbin_PROGRAMS) -am_hprop_OBJECTS = hprop.$(OBJEXT) mit_dump.$(OBJEXT) \ - v4_dump.$(OBJEXT) -hprop_OBJECTS = $(am_hprop_OBJECTS) -am__DEPENDENCIES_1 = -hprop_DEPENDENCIES = $(top_builddir)/lib/hdb/libhdb.la \ - $(am__DEPENDENCIES_1) $(top_builddir)/lib/krb5/libkrb5.la \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) $(top_builddir)/lib/asn1/libasn1.la \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) -am_hpropd_OBJECTS = hpropd.$(OBJEXT) -hpropd_OBJECTS = $(am_hpropd_OBJECTS) -hpropd_DEPENDENCIES = $(top_builddir)/lib/hdb/libhdb.la \ - $(am__DEPENDENCIES_1) $(top_builddir)/lib/krb5/libkrb5.la \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) $(top_builddir)/lib/asn1/libasn1.la \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) -am__kdc_SOURCES_DIST = config.c connect.c kdc_locl.h kerberos5.c log.c \ - main.c misc.c 524.c kerberos4.c kaserver.c rx.h 
-@KRB4_TRUE@am__objects_1 = kaserver.$(OBJEXT) -am_kdc_OBJECTS = config.$(OBJEXT) connect.$(OBJEXT) \ - kerberos5.$(OBJEXT) log.$(OBJEXT) main.$(OBJEXT) \ - misc.$(OBJEXT) 524.$(OBJEXT) kerberos4.$(OBJEXT) \ - $(am__objects_1) -kdc_OBJECTS = $(am_kdc_OBJECTS) -am__DEPENDENCIES_2 = $(top_builddir)/lib/hdb/libhdb.la \ - $(am__DEPENDENCIES_1) $(top_builddir)/lib/krb5/libkrb5.la \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ - $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) -kdc_DEPENDENCIES = $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) -am_kstash_OBJECTS = kstash.$(OBJEXT) -kstash_OBJECTS = $(am_kstash_OBJECTS) -kstash_LDADD = $(LDADD) -kstash_DEPENDENCIES = $(top_builddir)/lib/hdb/libhdb.la \ - $(am__DEPENDENCIES_1) $(top_builddir)/lib/krb5/libkrb5.la \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ - $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) -am_string2key_OBJECTS = string2key.$(OBJEXT) -string2key_OBJECTS = $(am_string2key_OBJECTS) -string2key_LDADD = $(LDADD) -string2key_DEPENDENCIES = $(top_builddir)/lib/hdb/libhdb.la \ - $(am__DEPENDENCIES_1) $(top_builddir)/lib/krb5/libkrb5.la \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ - $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -SOURCES = $(hprop_SOURCES) $(hpropd_SOURCES) $(kdc_SOURCES) \ - $(kstash_SOURCES) $(string2key_SOURCES) -DIST_SOURCES = $(hprop_SOURCES) $(hpropd_SOURCES) \ - $(am__kdc_SOURCES_DIST) $(kstash_SOURCES) \ - $(string2key_SOURCES) -man8dir = $(mandir)/man8 -MANS = $(man_MANS) -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = 
@HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ 
-LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor 
= @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) $(INCLUDE_des) -I$(srcdir)/../lib/krb5 -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - 
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -man_MANS = kdc.8 kstash.8 hprop.8 hpropd.8 string2key.8 -hprop_SOURCES = hprop.c mit_dump.c v4_dump.c hprop.h kadb.h -hpropd_SOURCES = hpropd.c hprop.h -kstash_SOURCES = kstash.c headers.h -string2key_SOURCES = string2key.c headers.h -@KRB4_FALSE@krb4_sources = -@KRB4_TRUE@krb4_sources = kaserver.c rx.h -kdc_SOURCES = \ - config.c \ - connect.c \ - kdc_locl.h \ - kerberos5.c \ - log.c \ - main.c \ - misc.c \ - 524.c \ - kerberos4.c \ - $(krb4_sources) - -hprop_LDADD = \ - $(top_builddir)/lib/hdb/libhdb.la \ - $(LIB_openldap) \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(LIB_kdb) $(LIB_krb4) \ - $(LIB_des) \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_roken) \ - $(DBLIB) - -hpropd_LDADD = \ - $(top_builddir)/lib/hdb/libhdb.la \ - $(LIB_openldap) \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(LIB_kdb) $(LIB_krb4) \ - $(LIB_des) \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_roken) \ - $(DBLIB) - -LDADD = $(top_builddir)/lib/hdb/libhdb.la \ - $(LIB_openldap) \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(LIB_krb4) \ - $(LIB_des) \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_roken) \ - $(DBLIB) - -kdc_LDADD = $(LDADD) $(LIB_pidfile) -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps kdc/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps kdc/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' 
in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -install-binPROGRAMS: $(bin_PROGRAMS) - @$(NORMAL_INSTALL) - test -z "$(bindir)" || $(mkdir_p) "$(DESTDIR)$(bindir)" - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(bindir)/$$f'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(bindir)/$$f" || exit 1; \ - else :; fi; \ - done - -uninstall-binPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f '$(DESTDIR)$(bindir)/$$f'"; \ - rm -f "$(DESTDIR)$(bindir)/$$f"; \ - done - -clean-binPROGRAMS: - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -install-libexecPROGRAMS: $(libexec_PROGRAMS) - @$(NORMAL_INSTALL) - test -z "$(libexecdir)" || $(mkdir_p) "$(DESTDIR)$(libexecdir)" - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo 
"$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(libexecdir)/$$f'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(libexecdir)/$$f" || exit 1; \ - else :; fi; \ - done - -uninstall-libexecPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f '$(DESTDIR)$(libexecdir)/$$f'"; \ - rm -f "$(DESTDIR)$(libexecdir)/$$f"; \ - done - -clean-libexecPROGRAMS: - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -install-sbinPROGRAMS: $(sbin_PROGRAMS) - @$(NORMAL_INSTALL) - test -z "$(sbindir)" || $(mkdir_p) "$(DESTDIR)$(sbindir)" - @list='$(sbin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(sbinPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(sbindir)/$$f'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(sbinPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(sbindir)/$$f" || exit 1; \ - else :; fi; \ - done - -uninstall-sbinPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(sbin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f '$(DESTDIR)$(sbindir)/$$f'"; \ - rm -f "$(DESTDIR)$(sbindir)/$$f"; \ - done - -clean-sbinPROGRAMS: - @list='$(sbin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -hprop$(EXEEXT): $(hprop_OBJECTS) $(hprop_DEPENDENCIES) - @rm -f hprop$(EXEEXT) - $(LINK) $(hprop_LDFLAGS) $(hprop_OBJECTS) $(hprop_LDADD) $(LIBS) -hpropd$(EXEEXT): 
$(hpropd_OBJECTS) $(hpropd_DEPENDENCIES) - @rm -f hpropd$(EXEEXT) - $(LINK) $(hpropd_LDFLAGS) $(hpropd_OBJECTS) $(hpropd_LDADD) $(LIBS) -kdc$(EXEEXT): $(kdc_OBJECTS) $(kdc_DEPENDENCIES) - @rm -f kdc$(EXEEXT) - $(LINK) $(kdc_LDFLAGS) $(kdc_OBJECTS) $(kdc_LDADD) $(LIBS) -kstash$(EXEEXT): $(kstash_OBJECTS) $(kstash_DEPENDENCIES) - @rm -f kstash$(EXEEXT) - $(LINK) $(kstash_LDFLAGS) $(kstash_OBJECTS) $(kstash_LDADD) $(LIBS) -string2key$(EXEEXT): $(string2key_OBJECTS) $(string2key_DEPENDENCIES) - @rm -f string2key$(EXEEXT) - $(LINK) $(string2key_LDFLAGS) $(string2key_OBJECTS) $(string2key_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c $< - -.c.obj: - $(COMPILE) -c `$(CYGPATH_W) '$<'` - -.c.lo: - $(LTCOMPILE) -c -o $@ $< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -install-man8: $(man8_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - test -z "$(man8dir)" || $(mkdir_p) "$(DESTDIR)$(man8dir)" - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ - done -uninstall-man8: - @$(NORMAL_UNINSTALL) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ 
- done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ - rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ - done - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/.. 
$(distdir)/../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) $(MANS) all-local -installdirs: - for dir in "$(DESTDIR)$(bindir)" "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it 
deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-binPROGRAMS clean-generic clean-libexecPROGRAMS \ - clean-libtool clean-sbinPROGRAMS mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: install-man - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: install-binPROGRAMS install-libexecPROGRAMS \ - install-sbinPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man8 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-binPROGRAMS uninstall-info-am \ - uninstall-libexecPROGRAMS uninstall-man uninstall-sbinPROGRAMS - -uninstall-man: uninstall-man8 - -.PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \ - clean clean-binPROGRAMS clean-generic clean-libexecPROGRAMS \ - clean-libtool clean-sbinPROGRAMS ctags distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am html html-am info info-am \ - install install-am install-binPROGRAMS install-data \ - install-data-am install-exec install-exec-am install-info \ - install-info-am install-libexecPROGRAMS install-man \ - install-man8 install-sbinPROGRAMS install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags uninstall uninstall-am uninstall-binPROGRAMS \ - uninstall-info-am 
uninstall-libexecPROGRAMS uninstall-man \ - uninstall-man8 uninstall-sbinPROGRAMS - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > 
$(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal-0.6.3/kdc/config.c b/crypto/heimdal-0.6.3/kdc/config.c deleted file mode 100644 index 8ab826a1cc..0000000000 --- a/crypto/heimdal-0.6.3/kdc/config.c +++ /dev/null 
@@ -1,437 +0,0 @@
-/*
- * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "kdc_locl.h" -#include -#include - -RCSID("$Id: config.c,v 1.46.2.2 2003/10/27 11:06:52 joda Exp $"); - -static const char *config_file; /* location of kdc config file */ - -int require_preauth = -1; /* 1 == require preauth for all principals */ - -size_t max_request; /* maximal size of a request */ - -static char *max_request_str; /* `max_request' as a string */ - -time_t kdc_warn_pwexpire; /* time before expiration to print a warning */ - -struct dbinfo *databases; -HDB **db; -int num_db; - -const char *port_str; - -#ifdef HAVE_DAEMON -int detach_from_console = -1; -#define DETACH_IS_DEFAULT FALSE -#endif - -int enable_http = -1; -krb5_boolean encode_as_rep_as_tgs_rep; /* bug compatibility */ - -krb5_boolean check_ticket_addresses; -krb5_boolean allow_null_ticket_addresses; -krb5_boolean allow_anonymous; -int trpolicy; -static const char *trpolicy_str; - -static struct getarg_strings addresses_str; /* addresses to listen on */ -krb5_addresses explicit_addresses; - -#ifdef KRB4 -char *v4_realm; -int enable_v4 = -1; -int enable_kaserver = -1; -#endif - -int enable_524 = -1; -int enable_v4_cross_realm = -1; - -static int help_flag; -static int version_flag; - -static struct getargs args[] = { - { - "config-file", 'c', arg_string, &config_file, - "location of config file", "file" - }, - { - "require-preauth", 'p', arg_negative_flag, &require_preauth, - "don't require pa-data in as-reqs" - }, - { - "max-request", 0, arg_string, &max_request, - "max size for a kdc-request", "size" - }, -#if 0 - { - "database", 'd', arg_string, &databases, - "location of database", "database" - }, -#endif - { "enable-http", 'H', arg_flag, &enable_http, "turn on HTTP support" }, - { "524", 0, arg_negative_flag, &enable_524, - "don't respond to 524 requests" - }, -#ifdef KRB4 - { - "kaserver", 'K', arg_flag, &enable_kaserver, - "enable kaserver support" - }, - { "kerberos4", 0, arg_flag, &enable_v4, - "respond to kerberos 4 requests" - }, - { - "v4-realm", 'r', 
arg_string, &v4_realm, - "realm to serve v4-requests for" - }, -#endif - { "kerberos4-cross-realm", 0, arg_flag, - &enable_v4_cross_realm, - "respond to kerberos 4 requests from foreign realms" - }, - { "ports", 'P', arg_string, &port_str, - "ports to listen to", "portspec" - }, -#ifdef HAVE_DAEMON -#if DETACH_IS_DEFAULT - { - "detach", 'D', arg_negative_flag, &detach_from_console, - "don't detach from console" - }, -#else - { - "detach", 0 , arg_flag, &detach_from_console, - "detach from console" - }, -#endif -#endif - { "addresses", 0, arg_strings, &addresses_str, - "addresses to listen on", "list of addresses" }, - { "help", 'h', arg_flag, &help_flag }, - { "version", 'v', arg_flag, &version_flag } -}; - -static int num_args = sizeof(args) / sizeof(args[0]); - -static void -usage(int ret) -{ - arg_printusage (args, num_args, NULL, ""); - exit (ret); -} - -static void -get_dbinfo(void) -{ - const krb5_config_binding *top_binding = NULL; - const krb5_config_binding *db_binding; - const krb5_config_binding *default_binding = NULL; - struct dbinfo *di, **dt; - const char *default_dbname = HDB_DEFAULT_DB; - const char *default_mkey = HDB_DB_DIR "/m-key"; - const char *p; - - databases = NULL; - dt = &databases; - while((db_binding = (const krb5_config_binding *) - krb5_config_get_next(context, NULL, &top_binding, - krb5_config_list, - "kdc", - "database", - NULL))) { - p = krb5_config_get_string(context, db_binding, "realm", NULL); - if(p == NULL) { - if(default_binding) { - krb5_warnx(context, "WARNING: more than one realm-less " - "database specification"); - krb5_warnx(context, "WARNING: using the first encountered"); - } else - default_binding = db_binding; - continue; - } - di = calloc(1, sizeof(*di)); - di->realm = strdup(p); - p = krb5_config_get_string(context, db_binding, "dbname", NULL); - if(p) - di->dbname = strdup(p); - p = krb5_config_get_string(context, db_binding, "mkey_file", NULL); - if(p) - di->mkey_file = strdup(p); - *dt = di; - dt = &di->next; - 
} - if(default_binding) { - di = calloc(1, sizeof(*di)); - p = krb5_config_get_string(context, default_binding, "dbname", NULL); - if(p) { - di->dbname = strdup(p); - default_dbname = p; - } - p = krb5_config_get_string(context, default_binding, "mkey_file", NULL); - if(p) { - di->mkey_file = strdup(p); - default_mkey = p; - } - *dt = di; - dt = &di->next; - } else if(databases == NULL) { - /* if there are none specified, use some default */ - di = calloc(1, sizeof(*di)); - di->dbname = strdup(default_dbname); - di->mkey_file = strdup(default_mkey); - *dt = di; - dt = &di->next; - } - for(di = databases; di; di = di->next) { - if(di->dbname == NULL) - di->dbname = strdup(default_dbname); - if(di->mkey_file == NULL) { - p = strrchr(di->dbname, '.'); - if(p == NULL || strchr(p, '/') != NULL) - /* final pathname component does not contain a . */ - asprintf(&di->mkey_file, "%s.mkey", di->dbname); - else - /* the filename is something.else, replace .else with - .mkey */ - asprintf(&di->mkey_file, "%.*s.mkey", - (int)(p - di->dbname), di->dbname); - } - } -} - -static void -add_one_address (const char *str, int first) -{ - krb5_error_code ret; - krb5_addresses tmp; - - ret = krb5_parse_address (context, str, &tmp); - if (ret) - krb5_err (context, 1, ret, "parse_address `%s'", str); - if (first) - krb5_copy_addresses(context, &tmp, &explicit_addresses); - else - krb5_append_addresses(context, &explicit_addresses, &tmp); - krb5_free_addresses (context, &tmp); -} - -void -configure(int argc, char **argv) -{ - int optind = 0; - int e; - const char *p; - - while((e = getarg(args, num_args, argc, argv, &optind))) - warnx("error at argument `%s'", argv[optind]); - - if(help_flag) - usage (0); - - if (version_flag) { - print_version(NULL); - exit(0); - } - - argc -= optind; - argv += optind; - - if (argc != 0) - usage(1); - - { - krb5_error_code ret; - char **files; - char *tmp; - if(config_file == NULL) - config_file = _PATH_KDC_CONF; - asprintf(&tmp, "%s:%s", config_file, 
krb5_config_file); - if(tmp == NULL) - krb5_errx(context, 1, "out of memory"); - - krb5_config_file = tmp; - - ret = krb5_get_default_config_files(&files); - if(ret) - krb5_err(context, 1, ret, "reading configuration files"); - ret = krb5_set_config_files(context, files); - krb5_free_config_files(files); - if(ret) - krb5_err(context, 1, ret, "reading configuration files"); - } - - get_dbinfo(); - - if(max_request_str) - max_request = parse_bytes(max_request_str, NULL); - - if(max_request == 0){ - p = krb5_config_get_string (context, - NULL, - "kdc", - "max-request", - NULL); - if(p) - max_request = parse_bytes(p, NULL); - } - - if(require_preauth == -1) - require_preauth = krb5_config_get_bool(context, NULL, "kdc", - "require-preauth", NULL); - - if(port_str == NULL){ - p = krb5_config_get_string(context, NULL, "kdc", "ports", NULL); - if (p != NULL) - port_str = strdup(p); - } - - explicit_addresses.len = 0; - - if (addresses_str.num_strings) { - int i; - - for (i = 0; i < addresses_str.num_strings; ++i) - add_one_address (addresses_str.strings[i], i == 0); - free_getarg_strings (&addresses_str); - } else { - char **foo = krb5_config_get_strings (context, NULL, - "kdc", "addresses", NULL); - - if (foo != NULL) { - add_one_address (*foo++, TRUE); - while (*foo) - add_one_address (*foo++, FALSE); - } - } - -#ifdef KRB4 - if(enable_v4 == -1) - enable_v4 = krb5_config_get_bool_default(context, NULL, FALSE, "kdc", - "enable-kerberos4", NULL); -#else -#define enable_v4 0 -#endif - if(enable_v4_cross_realm == -1) - enable_v4_cross_realm = - krb5_config_get_bool_default(context, NULL, - FALSE, "kdc", - "enable-kerberos4-cross-realm", - NULL); - if(enable_524 == -1) - enable_524 = krb5_config_get_bool_default(context, NULL, enable_v4, - "kdc", "enable-524", NULL); - - if(enable_http == -1) - enable_http = krb5_config_get_bool(context, NULL, "kdc", - "enable-http", NULL); - check_ticket_addresses = - krb5_config_get_bool_default(context, NULL, TRUE, "kdc", - 
"check-ticket-addresses", NULL); - allow_null_ticket_addresses = - krb5_config_get_bool_default(context, NULL, TRUE, "kdc", - "allow-null-ticket-addresses", NULL); - - allow_anonymous = - krb5_config_get_bool(context, NULL, "kdc", - "allow-anonymous", NULL); - trpolicy_str = - krb5_config_get_string_default(context, NULL, "always-check", "kdc", - "transited-policy", NULL); - if(strcasecmp(trpolicy_str, "always-check") == 0) - trpolicy = TRPOLICY_ALWAYS_CHECK; - else if(strcasecmp(trpolicy_str, "allow-per-principal") == 0) - trpolicy = TRPOLICY_ALLOW_PER_PRINCIPAL; - else if(strcasecmp(trpolicy_str, "always-honour-request") == 0) - trpolicy = TRPOLICY_ALWAYS_HONOUR_REQUEST; - else { - kdc_log(0, "unknown transited-policy: %s, reverting to always-check", - trpolicy_str); - trpolicy = TRPOLICY_ALWAYS_CHECK; - } - - krb5_config_get_bool_default(context, NULL, TRUE, "kdc", - "enforce-transited-policy", NULL); -#ifdef KRB4 - if(v4_realm == NULL){ - p = krb5_config_get_string (context, NULL, - "kdc", - "v4-realm", - NULL); - if(p != NULL) { - v4_realm = strdup(p); - if (v4_realm == NULL) - krb5_errx(context, 1, "out of memory"); - } - } - if (enable_kaserver == -1) - enable_kaserver = krb5_config_get_bool_default(context, NULL, FALSE, - "kdc", - "enable-kaserver", - NULL); -#endif - - encode_as_rep_as_tgs_rep = krb5_config_get_bool(context, NULL, "kdc", - "encode_as_rep_as_tgs_rep", - NULL); - - kdc_warn_pwexpire = krb5_config_get_time (context, NULL, - "kdc", - "kdc_warn_pwexpire", - NULL); - -#ifdef HAVE_DAEMON - if(detach_from_console == -1) - detach_from_console = krb5_config_get_bool_default(context, NULL, - DETACH_IS_DEFAULT, - "kdc", - "detach", NULL); -#endif - kdc_openlog(); - if(max_request == 0) - max_request = 64 * 1024; - if(require_preauth == -1) - require_preauth = 1; - if (port_str == NULL) - port_str = "+"; -#ifdef KRB4 - if(v4_realm == NULL){ - v4_realm = malloc(40); /* REALM_SZ */ - if (v4_realm == NULL) - krb5_errx(context, 1, "out of memory"); - 
krb_get_lrealm(v4_realm, 1);
- }
-#endif
-}
diff --git a/crypto/heimdal-0.6.3/kdc/connect.c b/crypto/heimdal-0.6.3/kdc/connect.c
deleted file mode 100644
index 9e9e481235..0000000000
--- a/crypto/heimdal-0.6.3/kdc/connect.c
+++ /dev/null
@@ -1,810 +0,0 @@
-/*
- * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "kdc_locl.h" - -RCSID("$Id: connect.c,v 1.90.2.2 2004/04/02 20:50:53 lha Exp $"); - -/* - * a tuple describing on what to listen - */ - -struct port_desc{ - int family; - int type; - int port; -}; - -/* the current ones */ - -static struct port_desc *ports; -static int num_ports; - -/* - * add `family, port, protocol' to the list with duplicate suppresion. - */ - -static void -add_port(int family, int port, const char *protocol) -{ - int type; - int i; - - if(strcmp(protocol, "udp") == 0) - type = SOCK_DGRAM; - else if(strcmp(protocol, "tcp") == 0) - type = SOCK_STREAM; - else - return; - for(i = 0; i < num_ports; i++){ - if(ports[i].type == type - && ports[i].port == port - && ports[i].family == family) - return; - } - ports = realloc(ports, (num_ports + 1) * sizeof(*ports)); - if (ports == NULL) - krb5_err (context, 1, errno, "realloc"); - ports[num_ports].family = family; - ports[num_ports].type = type; - ports[num_ports].port = port; - num_ports++; -} - -/* - * add a triple but with service -> port lookup - * (this prints warnings for stuff that does not exist) - */ - -static void -add_port_service(int family, const char *service, int port, - const char *protocol) -{ - port = krb5_getportbyname (context, service, protocol, port); - add_port (family, port, protocol); -} - -/* - * add the port with service -> port lookup or string -> number - * (no warning is printed) - */ - -static void -add_port_string (int family, const char *port_str, const char *protocol) -{ - struct servent *sp; - int port; - - sp = roken_getservbyname (port_str, protocol); - if (sp != NULL) { - port = sp->s_port; - } else { - char *end; - - port = htons(strtol(port_str, &end, 0)); - if (end == port_str) - return; - } - add_port (family, port, protocol); -} - -/* - * add the standard collection of ports for `family' - */ - -static void -add_standard_ports (int family) -{ - add_port_service(family, "kerberos", 88, "udp"); - add_port_service(family, "kerberos", 88, "tcp"); - 
add_port_service(family, "kerberos-sec", 88, "udp"); - add_port_service(family, "kerberos-sec", 88, "tcp"); - if(enable_http) - add_port_service(family, "http", 80, "tcp"); - if(enable_524) { - add_port_service(family, "krb524", 4444, "udp"); - add_port_service(family, "krb524", 4444, "tcp"); - } -#ifdef KRB4 - if(enable_v4) { - add_port_service(family, "kerberos-iv", 750, "udp"); - add_port_service(family, "kerberos-iv", 750, "tcp"); - } - if (enable_kaserver) - add_port_service(family, "afs3-kaserver", 7004, "udp"); -#endif -} - -/* - * parse the set of space-delimited ports in `str' and add them. - * "+" => all the standard ones - * otherwise it's port|service[/protocol] - */ - -static void -parse_ports(const char *str) -{ - char *pos = NULL; - char *p; - char *str_copy = strdup (str); - - p = strtok_r(str_copy, " \t", &pos); - while(p != NULL) { - if(strcmp(p, "+") == 0) { -#ifdef HAVE_IPV6 - add_standard_ports(AF_INET6); -#endif - add_standard_ports(AF_INET); - } else { - char *q = strchr(p, '/'); - if(q){ - *q++ = 0; -#ifdef HAVE_IPV6 - add_port_string(AF_INET6, p, q); -#endif - add_port_string(AF_INET, p, q); - }else { -#ifdef HAVE_IPV6 - add_port_string(AF_INET6, p, "udp"); - add_port_string(AF_INET6, p, "tcp"); -#endif - add_port_string(AF_INET, p, "udp"); - add_port_string(AF_INET, p, "tcp"); - } - } - - p = strtok_r(NULL, " \t", &pos); - } - free (str_copy); -} - -/* - * every socket we listen on - */ - -struct descr { - int s; - int type; - unsigned char *buf; - size_t size; - size_t len; - time_t timeout; - struct sockaddr_storage __ss; - struct sockaddr *sa; - socklen_t sock_len; - char addr_string[128]; -}; - -static void -init_descr(struct descr *d) -{ - memset(d, 0, sizeof(*d)); - d->sa = (struct sockaddr *)&d->__ss; - d->s = -1; -} - -/* - * re-initialize all `n' ->sa in `d'. 
- */ - -static void -reinit_descrs (struct descr *d, int n) -{ - int i; - - for (i = 0; i < n; ++i) - d[i].sa = (struct sockaddr *)&d[i].__ss; -} - -/* - * Create the socket (family, type, port) in `d' - */ - -static void -init_socket(struct descr *d, krb5_address *a, int family, int type, int port) -{ - krb5_error_code ret; - struct sockaddr_storage __ss; - struct sockaddr *sa = (struct sockaddr *)&__ss; - int sa_size = sizeof(__ss); - - init_descr (d); - - ret = krb5_addr2sockaddr (context, a, sa, &sa_size, port); - if (ret) { - krb5_warn(context, ret, "krb5_addr2sockaddr"); - close(d->s); - d->s = -1; - return; - } - - if (sa->sa_family != family) - return; - - d->s = socket(family, type, 0); - if(d->s < 0){ - krb5_warn(context, errno, "socket(%d, %d, 0)", family, type); - d->s = -1; - return; - } -#if defined(HAVE_SETSOCKOPT) && defined(SOL_SOCKET) && defined(SO_REUSEADDR) - { - int one = 1; - setsockopt(d->s, SOL_SOCKET, SO_REUSEADDR, (void *)&one, sizeof(one)); - } -#endif - d->type = type; - - if(bind(d->s, sa, sa_size) < 0){ - char a_str[256]; - size_t len; - - krb5_print_address (a, a_str, sizeof(a_str), &len); - krb5_warn(context, errno, "bind %s/%d", a_str, ntohs(port)); - close(d->s); - d->s = -1; - return; - } - if(type == SOCK_STREAM && listen(d->s, SOMAXCONN) < 0){ - char a_str[256]; - size_t len; - - krb5_print_address (a, a_str, sizeof(a_str), &len); - krb5_warn(context, errno, "listen %s/%d", a_str, ntohs(port)); - close(d->s); - d->s = -1; - return; - } -} - -/* - * Allocate descriptors for all the sockets that we should listen on - * and return the number of them. 
- */ - -static int -init_sockets(struct descr **desc) -{ - krb5_error_code ret; - int i, j; - struct descr *d; - int num = 0; - krb5_addresses addresses; - - if (explicit_addresses.len) { - addresses = explicit_addresses; - } else { - ret = krb5_get_all_server_addrs (context, &addresses); - if (ret) - krb5_err (context, 1, ret, "krb5_get_all_server_addrs"); - } - parse_ports(port_str); - d = malloc(addresses.len * num_ports * sizeof(*d)); - if (d == NULL) - krb5_errx(context, 1, "malloc(%lu) failed", - (unsigned long)num_ports * sizeof(*d)); - - for (i = 0; i < num_ports; i++){ - for (j = 0; j < addresses.len; ++j) { - init_socket(&d[num], &addresses.val[j], - ports[i].family, ports[i].type, ports[i].port); - if(d[num].s != -1){ - char a_str[80]; - size_t len; - - krb5_print_address (&addresses.val[j], a_str, - sizeof(a_str), &len); - - kdc_log(5, "listening on %s port %u/%s", - a_str, - ntohs(ports[i].port), - (ports[i].type == SOCK_STREAM) ? "tcp" : "udp"); - /* XXX */ - num++; - } - } - } - krb5_free_addresses (context, &addresses); - d = realloc(d, num * sizeof(*d)); - if (d == NULL && num != 0) - krb5_errx(context, 1, "realloc(%lu) failed", - (unsigned long)num * sizeof(*d)); - reinit_descrs (d, num); - *desc = d; - return num; -} - -/* - * handle the request in `buf, len', from `addr' (or `from' as a string), - * sending a reply in `reply'. 
- */ - -static int -process_request(unsigned char *buf, - size_t len, - krb5_data *reply, - int *sendlength, - const char *from, - struct sockaddr *addr) -{ - KDC_REQ req; - Ticket ticket; - krb5_error_code ret; - size_t i; - - gettimeofday(&now, NULL); - if(decode_AS_REQ(buf, len, &req, &i) == 0){ - ret = as_rep(&req, reply, from, addr); - free_AS_REQ(&req); - return ret; - }else if(decode_TGS_REQ(buf, len, &req, &i) == 0){ - ret = tgs_rep(&req, reply, from, addr); - free_TGS_REQ(&req); - return ret; - }else if(decode_Ticket(buf, len, &ticket, &i) == 0){ - ret = do_524(&ticket, reply, from, addr); - free_Ticket(&ticket); - return ret; -#ifdef KRB4 - } else if(maybe_version4(buf, len)){ - *sendlength = 0; /* elbitapmoc sdrawkcab XXX */ - do_version4(buf, len, reply, from, (struct sockaddr_in*)addr); - return 0; - } else if (enable_kaserver) { - ret = do_kaserver (buf, len, reply, from, (struct sockaddr_in*)addr); - return ret; -#endif - } - - return -1; -} - -static void -addr_to_string(struct sockaddr *addr, size_t addr_len, char *str, size_t len) -{ - krb5_address a; - if(krb5_sockaddr2address(context, addr, &a) == 0) { - if(krb5_print_address(&a, str, len, &len) == 0) { - krb5_free_address(context, &a); - return; - } - krb5_free_address(context, &a); - } - snprintf(str, len, "", addr->sa_family); -} - -/* - * Handle the request in `buf, len' to socket `d' - */ - -static void -do_request(void *buf, size_t len, int sendlength, - struct descr *d) -{ - krb5_error_code ret; - krb5_data reply; - - reply.length = 0; - ret = process_request(buf, len, &reply, &sendlength, - d->addr_string, d->sa); - if(reply.length){ - kdc_log(5, "sending %lu bytes to %s", (unsigned long)reply.length, - d->addr_string); - if(sendlength){ - unsigned char len[4]; - len[0] = (reply.length >> 24) & 0xff; - len[1] = (reply.length >> 16) & 0xff; - len[2] = (reply.length >> 8) & 0xff; - len[3] = reply.length & 0xff; - if(sendto(d->s, len, sizeof(len), 0, d->sa, d->sock_len) < 0) { - kdc_log (0, 
"sendto(%s): %s", d->addr_string, strerror(errno)); - krb5_data_free(&reply); - return; - } - } - if(sendto(d->s, reply.data, reply.length, 0, d->sa, d->sock_len) < 0) { - kdc_log (0, "sendto(%s): %s", d->addr_string, strerror(errno)); - krb5_data_free(&reply); - return; - } - krb5_data_free(&reply); - } - if(ret) - kdc_log(0, "Failed processing %lu byte request from %s", - (unsigned long)len, d->addr_string); -} - -/* - * Handle incoming data to the UDP socket in `d' - */ - -static void -handle_udp(struct descr *d) -{ - unsigned char *buf; - int n; - - buf = malloc(max_request); - if(buf == NULL){ - kdc_log(0, "Failed to allocate %lu bytes", (unsigned long)max_request); - return; - } - - d->sock_len = sizeof(d->__ss); - n = recvfrom(d->s, buf, max_request, 0, d->sa, &d->sock_len); - if(n < 0) - krb5_warn(context, errno, "recvfrom"); - else { - addr_to_string (d->sa, d->sock_len, - d->addr_string, sizeof(d->addr_string)); - do_request(buf, n, 0, d); - } - free (buf); -} - -static void -clear_descr(struct descr *d) -{ - if(d->buf) - memset(d->buf, 0, d->size); - d->len = 0; - if(d->s != -1) - close(d->s); - d->s = -1; -} - - -/* remove HTTP %-quoting from buf */ -static int -de_http(char *buf) -{ - char *p, *q; - for(p = q = buf; *p; p++, q++) { - if(*p == '%' && isxdigit(p[1]) && isxdigit(p[2])) { - unsigned int x; - if(sscanf(p + 1, "%2x", &x) != 1) - return -1; - *q = x; - p += 2; - } else - *q = *p; - } - *q = '\0'; - return 0; -} - -#define TCP_TIMEOUT 4 - -/* - * accept a new TCP connection on `d[parent]' and store it in `d[child]' - */ - -static void -add_new_tcp (struct descr *d, int parent, int child) -{ - int s; - - if (child == -1) - return; - - d[child].sock_len = sizeof(d[child].__ss); - s = accept(d[parent].s, d[child].sa, &d[child].sock_len); - if(s < 0) { - krb5_warn(context, errno, "accept"); - return; - } - - if (s >= FD_SETSIZE) { - krb5_warnx(context, "socket FD too large"); - close (s); - return; - } - - d[child].s = s; - d[child].timeout = 
time(NULL) + TCP_TIMEOUT; - d[child].type = SOCK_STREAM; - addr_to_string (d[child].sa, d[child].sock_len, - d[child].addr_string, sizeof(d[child].addr_string)); -} - -/* - * Grow `d' to handle at least `n'. - * Return != 0 if fails - */ - -static int -grow_descr (struct descr *d, size_t n) -{ - if (d->size - d->len < n) { - unsigned char *tmp; - size_t grow; - - grow = max(1024, d->len + n); - if (d->size + grow > max_request) { - kdc_log(0, "Request exceeds max request size (%lu bytes).", - (unsigned long)d->size + grow); - clear_descr(d); - return -1; - } - tmp = realloc (d->buf, d->size + grow); - if (tmp == NULL) { - kdc_log(0, "Failed to re-allocate %lu bytes.", - (unsigned long)d->size + grow); - clear_descr(d); - return -1; - } - d->size += grow; - d->buf = tmp; - } - return 0; -} - -/* - * Try to handle the TCP data at `d->buf, d->len'. - * Return -1 if failed, 0 if succesful, and 1 if data is complete. - */ - -static int -handle_vanilla_tcp (struct descr *d) -{ - krb5_storage *sp; - int32_t len; - - sp = krb5_storage_from_mem(d->buf, d->len); - if (sp == NULL) { - kdc_log (0, "krb5_storage_from_mem failed"); - return -1; - } - krb5_ret_int32(sp, &len); - krb5_storage_free(sp); - if(d->len - 4 >= len) { - memmove(d->buf, d->buf + 4, d->len - 4); - return 1; - } - return 0; -} - -/* - * Try to handle the TCP/HTTP data at `d->buf, d->len'. - * Return -1 if failed, 0 if succesful, and 1 if data is complete. 
- */ - -static int -handle_http_tcp (struct descr *d) -{ - char *s, *p, *t; - void *data; - char *proto; - int len; - - s = (char *)d->buf; - - p = strstr(s, "\r\n"); - if (p == NULL) { - kdc_log(0, "Malformed HTTP request from %s", d->addr_string); - return -1; - } - *p = 0; - - p = NULL; - t = strtok_r(s, " \t", &p); - if (t == NULL) { - kdc_log(0, "Malformed HTTP request from %s", d->addr_string); - return -1; - } - t = strtok_r(NULL, " \t", &p); - if(t == NULL) { - kdc_log(0, "Malformed HTTP request from %s", d->addr_string); - return -1; - } - data = malloc(strlen(t)); - if (data == NULL) { - kdc_log(0, "Failed to allocate %lu bytes", - (unsigned long)strlen(t)); - return -1; - } - if(*t == '/') - t++; - if(de_http(t) != 0) { - kdc_log(0, "Malformed HTTP request from %s", d->addr_string); - kdc_log(5, "Request: %s", t); - free(data); - return -1; - } - proto = strtok_r(NULL, " \t", &p); - if (proto == NULL) { - kdc_log(0, "Malformed HTTP request from %s", d->addr_string); - free(data); - return -1; - } - len = base64_decode(t, data); - if(len <= 0){ - const char *msg = - " 404 Not found\r\n" - "Server: Heimdal/" VERSION "\r\n" - "Cache-Control: no-cache\r\n" - "Pragma: no-cache\r\n" - "Content-type: text/html\r\n" - "Content-transfer-encoding: 8bit\r\n\r\n" - "404 Not found\r\n" - "

404 Not found

\r\n" - "That page doesn't exist, maybe you are looking for " - "
Heimdal?\r\n"; - write(d->s, proto, strlen(proto)); - write(d->s, msg, strlen(msg)); - kdc_log(0, "HTTP request from %s is non KDC request", d->addr_string); - kdc_log(5, "Request: %s", t); - free(data); - return -1; - } - { - const char *msg = - " 200 OK\r\n" - "Server: Heimdal/" VERSION "\r\n" - "Cache-Control: no-cache\r\n" - "Pragma: no-cache\r\n" - "Content-type: application/octet-stream\r\n" - "Content-transfer-encoding: binary\r\n\r\n"; - write(d->s, proto, strlen(proto)); - write(d->s, msg, strlen(msg)); - } - memcpy(d->buf, data, len); - d->len = len; - free(data); - return 1; -} - -/* - * Handle incoming data to the TCP socket in `d[index]' - */ - -static void -handle_tcp(struct descr *d, int index, int min_free) -{ - unsigned char buf[1024]; - int n; - int ret = 0; - - if (d[index].timeout == 0) { - add_new_tcp (d, index, min_free); - return; - } - - n = recvfrom(d[index].s, buf, sizeof(buf), 0, NULL, NULL); - if(n < 0){ - krb5_warn(context, errno, "recvfrom"); - return; - } else if (n == 0) { - krb5_warnx(context, "connection closed before end of data after %lu " - "bytes from %s", - (unsigned long)d[index].len, d[index].addr_string); - clear_descr (d + index); - return; - } - if (grow_descr (&d[index], n)) - return; - memcpy(d[index].buf + d[index].len, buf, n); - d[index].len += n; - if(d[index].len > 4 && d[index].buf[0] == 0) { - ret = handle_vanilla_tcp (&d[index]); - } else if(enable_http && - d[index].len >= 4 && - strncmp((char *)d[index].buf, "GET ", 4) == 0 && - strncmp((char *)d[index].buf + d[index].len - 4, - "\r\n\r\n", 4) == 0) { - ret = handle_http_tcp (&d[index]); - if (ret < 0) - clear_descr (d + index); - } else if (d[index].len > 4) { - kdc_log (0, "TCP data of strange type from %s", d[index].addr_string); - return; - } - if (ret < 0) - return; - else if (ret == 1) { - do_request(d[index].buf, d[index].len, 1, &d[index]); - clear_descr(d + index); - } -} - -void -loop(void) -{ - struct descr *d; - int ndescr; - - ndescr = 
init_sockets(&d); - if(ndescr <= 0) - krb5_errx(context, 1, "No sockets!"); - while(exit_flag == 0){ - struct timeval tmout; - fd_set fds; - int min_free = -1; - int max_fd = 0; - int i; - - FD_ZERO(&fds); - for(i = 0; i < ndescr; i++) { - if(d[i].s >= 0){ - if(d[i].type == SOCK_STREAM && - d[i].timeout && d[i].timeout < time(NULL)) { - kdc_log(1, "TCP-connection from %s expired after %lu bytes", - d[i].addr_string, (unsigned long)d[i].len); - clear_descr(&d[i]); - continue; - } - if(max_fd < d[i].s) - max_fd = d[i].s; - if (max_fd >= FD_SETSIZE) - krb5_errx(context, 1, "fd too large"); - FD_SET(d[i].s, &fds); - } else if(min_free < 0 || i < min_free) - min_free = i; - } - if(min_free == -1){ - struct descr *tmp; - tmp = realloc(d, (ndescr + 4) * sizeof(*d)); - if(tmp == NULL) - krb5_warnx(context, "No memory"); - else { - d = tmp; - reinit_descrs (d, ndescr); - memset(d + ndescr, 0, 4 * sizeof(*d)); - for(i = ndescr; i < ndescr + 4; i++) - init_descr (&d[i]); - min_free = ndescr; - ndescr += 4; - } - } - - tmout.tv_sec = TCP_TIMEOUT; - tmout.tv_usec = 0; - switch(select(max_fd + 1, &fds, 0, 0, &tmout)){ - case 0: - break; - case -1: - if (errno != EINTR) - krb5_warn(context, errno, "select"); - break; - default: - for(i = 0; i < ndescr; i++) - if(d[i].s >= 0 && FD_ISSET(d[i].s, &fds)) { - if(d[i].type == SOCK_DGRAM) - handle_udp(&d[i]); - else if(d[i].type == SOCK_STREAM) - handle_tcp(d, i, min_free); - } - } - } - free (d); -} diff --git a/crypto/heimdal-0.6.3/kdc/headers.h b/crypto/heimdal-0.6.3/kdc/headers.h deleted file mode 100644 index 91e4d50b7e..0000000000 --- a/crypto/heimdal-0.6.3/kdc/headers.h +++ /dev/null 
@@ -1,108 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -/* - * $Id: headers.h,v 1.15 2002/09/10 20:04:46 joda Exp $ - */ - -#ifndef __HEADERS_H__ -#define __HEADERS_H__ - -#ifdef HAVE_CONFIG_H -#include -#endif -#include -#include -#include -#include -#include -#include -#include -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_FCNTL_H -#include -#endif -#ifdef HAVE_SYS_SELECT_H -#include -#endif -#ifdef HAVE_SYS_SOCKET_H -#include -#endif -#ifdef HAVE_NETINET_IN_H -#include -#endif -#ifdef HAVE_NETINET_IN6_H -#include -#endif -#ifdef HAVE_NETINET6_IN6_H -#include -#endif -#ifdef HAVE_ARPA_INET_H -#include -#endif -#ifdef HAVE_NETDB_H -#include -#endif -#ifdef HAVE_UTIL_H -#include -#endif -#ifdef HAVE_LIBUTIL_H -#include -#endif -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include /* copy_octet_string */ - -#ifdef KRB4 -#include -#include -#define Principal Principal4 -#include -#endif - -#undef ALLOC -#define ALLOC(X) ((X) = malloc(sizeof(*(X)))) -#undef ALLOC_SEQ -#define ALLOC_SEQ(X, N) do { (X)->len = (N); \ -(X)->val = calloc((X)->len, sizeof(*(X)->val)); } while(0) - -#endif /* __HEADERS_H__ */ diff --git a/crypto/heimdal-0.6.3/kdc/hprop.8 b/crypto/heimdal-0.6.3/kdc/hprop.8 deleted file mode 100644 index f5e3879cf2..0000000000 --- a/crypto/heimdal-0.6.3/kdc/hprop.8 +++ /dev/null 
@@ -1,201 +0,0 @@
-.\" Copyright (c) 2000 - 2003 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\" -.\" $Id: hprop.8,v 1.18 2003/02/16 21:10:19 lha Exp $ -.\" -.Dd June 19, 2000 -.Dt HPROP 8 -.Os HEIMDAL -.Sh NAME -.Nm hprop -.Nd propagate the KDC database -.Sh SYNOPSIS -.Nm -.Oo Fl m Ar file \*(Ba Xo -.Fl -master-key= Ns Pa file -.Xc -.Oc -.Oo Fl d Ar file \*(Ba Xo -.Fl -database= Ns Pa file -.Xc -.Oc -.Op Fl -source= Ns Ar heimdal|mit-dump|krb4-dump|krb4-db|kaserver -.Oo Fl r Ar string \*(Ba Xo -.Fl -v4-realm= Ns Ar string -.Xc -.Oc -.Oo Fl c Ar cell \*(Ba Xo -.Fl -cell= Ns Ar cell -.Xc -.Oc -.Op Fl S | Fl -kaspecials -.Oo Fl k Ar keytab \*(Ba Xo -.Fl -keytab= Ns Ar keytab -.Xc -.Oc -.Oo Fl R Ar string \*(Ba Xo -.Fl -v5-realm= Ns Ar string -.Xc -.Oc -.Op Fl D | Fl -decrypt -.Op Fl E | Fl -encrypt -.Op Fl n | Fl -stdout -.Op Fl v | Fl -verbose -.Op Fl -version -.Op Fl h | Fl -help -.Op Ar host Ns Op : Ns Ar port -.Ar ... -.Sh DESCRIPTION -.Nm -takes a principal database in a specified format and converts it into -a stream of Heimdal database records. This stream can either be -written to standard out, or (more commonly) be propagated to a -.Xr hpropd 8 -server running on a different machine. -.Pp -If propagating, it connects to all -.Ar hosts -specified on the command by opening a TCP connection to port 754 -(service hprop) and sends the database in encrypted form. -.Pp -Supported options: -.Bl -tag -width Ds -.It Xo -.Fl m Ar file , -.Fl -master-key= Ns Pa file -.Xc -Where to find the master key to encrypt or decrypt keys with. -.It Xo -.Fl d Ar file , -.Fl -database= Ns Pa file -.Xc -The database to be propagated. -.It Xo -.Fl -source= Ns Ar heimdal|mit-dump|krb4-dump|krb4-db|kaserver -.Xc -Specifies the type of the source database. 
Alternatives include: -.Pp -.Bl -tag -width krb4-dump -compact -offset indent -.It heimdal -a Heimdal database -.It mit-dump -a MIT Kerberos 5 dump file -.It krb4-db -a Kerberos 4 database -.It krb4-dump -a Kerberos 4 dump file -.It kaserver -an AFS kaserver database -.El -.It Xo -.Fl k Ar keytab , -.Fl -keytab= Ns Ar keytab -.Xc -The keytab to use for fetching the key to be used for authenticating -to the propagation daemon(s). The key -.Pa kadmin/hprop -is used from this keytab. The default is to fetch the key from the -KDC database. -.It Xo -.Fl R Ar string , -.Fl -v5-realm= Ns Ar string -.Xc -Local realm override. -.It Xo -.Fl D , -.Fl -decrypt -.Xc -The encryption keys in the database can either be in clear, or -encrypted with a master key. This option transmits the database with -unencrypted keys. -.It Xo -.Fl E , -.Fl -encrypt -.Xc -This option transmits the database with encrypted keys. -.It Xo -.Fl n , -.Fl -stdout -.Xc -Dump the database on stdout, in a format that can be fed to hpropd. -.El -.Pp -The following options are only valid if -.Nm hprop -is compiled with support for Kerberos 4 (kaserver). -.Bl -tag -width Ds -.It Xo -.Fl r Ar string , -.Fl -v4-realm= Ns Ar string -.Xc -v4 realm to use. -.It Xo -.Fl c Ar cell , -.Fl -cell= Ns Ar cell -.Xc -The AFS cell name, used if reading a kaserver database. -.It Xo -.Fl S , -.Fl -kaspecials -.Xc -Also dump the principals marked as special in the kaserver database. -.It Xo -.Fl 4 , -.Fl -v4-db -.Xc -Deprecated, identical to -.Sq --source=krb4-db . -.It Xo -.Fl K , -.Fl -ka-db -.Xc -Deprecated, identical to -.Sq --source=kaserver . 
-.El -.Sh EXAMPLES -The following will propagate a database to another machine (which -should run -.Xr hpropd 8): -.Bd -literal -offset indent -$ hprop slave-1 slave-2 -.Ed -.Pp -Copy a Kerberos 4 database to a Kerberos 5 slave: -.Bd -literal -offset indent -$ hprop --source=krb4-db -E krb5-slave -.Ed -.Pp -Convert a Kerberos 4 dump-file for use with a Heimdal KDC: -.Bd -literal -offset indent -$ hprop -n --source=krb4-dump -d /var/kerberos/principal.dump --master-key=/.k | hpropd -n -.Ed -.Sh SEE ALSO -.Xr hpropd 8 diff --git a/crypto/heimdal-0.6.3/kdc/hprop.c b/crypto/heimdal-0.6.3/kdc/hprop.c deleted file mode 100644 index 3bc066fe19..0000000000 --- a/crypto/heimdal-0.6.3/kdc/hprop.c +++ /dev/null 
@@ -1,868 +0,0 @@
-/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "hprop.h" - -RCSID("$Id: hprop.c,v 1.70 2002/09/04 18:19:41 joda Exp $"); - -static int version_flag; -static int help_flag; -static const char *ktname = HPROP_KEYTAB; -static const char *database; -static char *mkeyfile; -static int to_stdout; -static int verbose_flag; -static int encrypt_flag; -static int decrypt_flag; -static hdb_master_key mkey5; - -static char *source_type; - -static char *afs_cell; -static char *v4_realm; - -static int kaspecials_flag; -static int ka_use_null_salt; - -static char *local_realm=NULL; - -static int -open_socket(krb5_context context, const char *hostname, const char *port) -{ - struct addrinfo *ai, *a; - struct addrinfo hints; - int error; - - memset (&hints, 0, sizeof(hints)); - hints.ai_socktype = SOCK_STREAM; - hints.ai_protocol = IPPROTO_TCP; - - error = getaddrinfo (hostname, port, &hints, &ai); - if (error) { - warnx ("%s: %s", hostname, gai_strerror(error)); - return -1; - } - - for (a = ai; a != NULL; a = a->ai_next) { - int s; - - s = socket (a->ai_family, a->ai_socktype, a->ai_protocol); - if (s < 0) - continue; - if (connect (s, a->ai_addr, a->ai_addrlen) < 0) { - warn ("connect(%s)", hostname); - close (s); - continue; - } - freeaddrinfo (ai); - return s; - } - warnx ("failed to contact %s", hostname); - freeaddrinfo (ai); - return -1; -} - -krb5_error_code -v5_prop(krb5_context context, HDB *db, hdb_entry *entry, void *appdata) -{ - krb5_error_code ret; - struct prop_data *pd = appdata; - krb5_data data; - - if(encrypt_flag) { - ret = hdb_seal_keys_mkey(context, entry, mkey5); - if (ret) { - krb5_warn(context, ret, "hdb_seal_keys_mkey"); - return ret; - } - } - if(decrypt_flag) { - ret = hdb_unseal_keys_mkey(context, entry, mkey5); - if (ret) { - krb5_warn(context, ret, "hdb_unseal_keys_mkey"); - return ret; - } - } - - ret = hdb_entry2value(context, entry, &data); - if(ret) { - krb5_warn(context, ret, "hdb_entry2value"); - return ret; - } - - if(to_stdout) - ret = krb5_write_message(context, 
&pd->sock, &data); - else - ret = krb5_write_priv_message(context, pd->auth_context, - &pd->sock, &data); - krb5_data_free(&data); - return ret; -} - -#ifdef KRB4 - -static char realm_buf[REALM_SZ]; - -static int -kdb_prop(void *arg, Principal *p) -{ - int ret; - struct v4_principal pr; - - memset(&pr, 0, sizeof(pr)); - - if(p->attributes != 0) { - warnx("%s.%s has non-zero attributes - skipping", - p->name, p->instance); - return 0; - } - strlcpy(pr.name, p->name, sizeof(pr.name)); - strlcpy(pr.instance, p->instance, sizeof(pr.instance)); - - copy_to_key(&p->key_low, &p->key_high, pr.key); - pr.exp_date = p->exp_date; - pr.mod_date = p->mod_date; - strlcpy(pr.mod_name, p->mod_name, sizeof(pr.mod_name)); - strlcpy(pr.mod_instance, p->mod_instance, sizeof(pr.mod_instance)); - pr.max_life = p->max_life; - pr.mkvno = p->kdc_key_ver; - pr.kvno = p->key_version; - - ret = v4_prop(arg, &pr); - memset(&pr, 0, sizeof(pr)); - return ret; -} - -#endif /* KRB4 */ - -#ifndef KRB4 -static time_t -krb_life_to_time(time_t start, int life) -{ - static int lifetimes[] = { - 38400, 41055, 43894, 46929, 50174, 53643, 57352, 61318, - 65558, 70091, 74937, 80119, 85658, 91581, 97914, 104684, - 111922, 119661, 127935, 136781, 146239, 156350, 167161, 178720, - 191077, 204289, 218415, 233517, 249664, 266926, 285383, 305116, - 326213, 348769, 372885, 398668, 426234, 455705, 487215, 520904, - 556921, 595430, 636601, 680618, 727680, 777995, 831789, 889303, - 950794, 1016537, 1086825, 1161973, 1242318, 1328218, 1420057, 1518247, - 1623226, 1735464, 1855462, 1983758, 2120925, 2267576, 2424367, 2592000 - }; - -#if 0 - int i; - double q = exp((log(2592000.0) - log(38400.0)) / 63); - double x = 38400; - for(i = 0; i < 64; i++) { - lifetimes[i] = (int)x; - x *= q; - } -#endif - - if(life == 0xff) - return NEVERDATE; - if(life < 0x80) - return start + life * 5 * 60; - if(life > 0xbf) - life = 0xbf; - return start + lifetimes[life - 0x80]; -} -#endif /* !KRB4 */ - -int -v4_prop(void *arg, struct 
v4_principal *p) -{ - struct prop_data *pd = arg; - hdb_entry ent; - krb5_error_code ret; - - memset(&ent, 0, sizeof(ent)); - - ret = krb5_425_conv_principal(pd->context, p->name, p->instance, v4_realm, - &ent.principal); - if(ret) { - krb5_warn(pd->context, ret, - "krb5_425_conv_principal %s.%s@%s", - p->name, p->instance, v4_realm); - return 0; - } - - if(verbose_flag) { - char *s; - krb5_unparse_name_short(pd->context, ent.principal, &s); - krb5_warnx(pd->context, "%s.%s -> %s", p->name, p->instance, s); - free(s); - } - - ent.kvno = p->kvno; - ent.keys.len = 3; - ent.keys.val = malloc(ent.keys.len * sizeof(*ent.keys.val)); - if(p->mkvno != -1) { - ent.keys.val[0].mkvno = malloc (sizeof(*ent.keys.val[0].mkvno)); - *(ent.keys.val[0].mkvno) = p->mkvno; - } else - ent.keys.val[0].mkvno = NULL; - ent.keys.val[0].salt = calloc(1, sizeof(*ent.keys.val[0].salt)); - ent.keys.val[0].salt->type = KRB5_PADATA_PW_SALT; - ent.keys.val[0].key.keytype = ETYPE_DES_CBC_MD5; - krb5_data_alloc(&ent.keys.val[0].key.keyvalue, sizeof(des_cblock)); - memcpy(ent.keys.val[0].key.keyvalue.data, p->key, 8); - - copy_Key(&ent.keys.val[0], &ent.keys.val[1]); - ent.keys.val[1].key.keytype = ETYPE_DES_CBC_MD4; - copy_Key(&ent.keys.val[0], &ent.keys.val[2]); - ent.keys.val[2].key.keytype = ETYPE_DES_CBC_CRC; - - { - int life = krb_life_to_time(0, p->max_life); - if(life == NEVERDATE){ - ent.max_life = NULL; - } else { - /* clean up lifetime a bit */ - if(life > 86400) - life = (life + 86399) / 86400 * 86400; - else if(life > 3600) - life = (life + 3599) / 3600 * 3600; - ALLOC(ent.max_life); - *ent.max_life = life; - } - } - - ALLOC(ent.valid_end); - *ent.valid_end = p->exp_date; - - ret = krb5_make_principal(pd->context, &ent.created_by.principal, - v4_realm, - "kadmin", - "hprop", - NULL); - if(ret){ - krb5_warn(pd->context, ret, "krb5_make_principal"); - ret = 0; - goto out; - } - ent.created_by.time = time(NULL); - ALLOC(ent.modified_by); - ret = krb5_425_conv_principal(pd->context, 
p->mod_name, p->mod_instance, - v4_realm, &ent.modified_by->principal); - if(ret){ - krb5_warn(pd->context, ret, "%s.%s@%s", p->name, p->instance, v4_realm); - ent.modified_by->principal = NULL; - ret = 0; - goto out; - } - ent.modified_by->time = p->mod_date; - - ent.flags.forwardable = 1; - ent.flags.renewable = 1; - ent.flags.proxiable = 1; - ent.flags.postdate = 1; - ent.flags.client = 1; - ent.flags.server = 1; - - /* special case password changing service */ - if(strcmp(p->name, "changepw") == 0 && - strcmp(p->instance, "kerberos") == 0) { - ent.flags.forwardable = 0; - ent.flags.renewable = 0; - ent.flags.proxiable = 0; - ent.flags.postdate = 0; - ent.flags.initial = 1; - ent.flags.change_pw = 1; - } - - ret = v5_prop(pd->context, NULL, &ent, pd); - - if (strcmp (p->name, "krbtgt") == 0 - && strcmp (v4_realm, p->instance) != 0) { - krb5_free_principal (pd->context, ent.principal); - ret = krb5_425_conv_principal (pd->context, p->name, - v4_realm, p->instance, - &ent.principal); - if (ret == 0) - ret = v5_prop (pd->context, NULL, &ent, pd); - } - - out: - hdb_free_entry(pd->context, &ent); - return ret; -} - -#include "kadb.h" - -/* read a `ka_entry' from `fd' at offset `pos' */ -static void -read_block(krb5_context context, int fd, int32_t pos, void *buf, size_t len) -{ - krb5_error_code ret; -#ifdef HAVE_PREAD - if((ret = pread(fd, buf, len, 64 + pos)) < 0) - krb5_err(context, 1, errno, "pread(%u)", 64 + pos); -#else - if(lseek(fd, 64 + pos, SEEK_SET) == (off_t)-1) - krb5_err(context, 1, errno, "lseek(%u)", 64 + pos); - ret = read(fd, buf, len); - if(ret < 0) - krb5_err(context, 1, errno, "read(%lu)", (unsigned long)len); -#endif - if(ret != len) - krb5_errx(context, 1, "read(%lu) = %u", (unsigned long)len, ret); -} - -static int -ka_convert(struct prop_data *pd, int fd, struct ka_entry *ent) -{ - int32_t flags = ntohl(ent->flags); - krb5_error_code ret; - hdb_entry hdb; - - if(!kaspecials_flag - && (flags & KAFNORMAL) == 0) /* remove special entries */ - 
return 0; - memset(&hdb, 0, sizeof(hdb)); - ret = krb5_425_conv_principal(pd->context, ent->name, ent->instance, - v4_realm, &hdb.principal); - if(ret) { - krb5_warn(pd->context, ret, - "krb5_425_conv_principal (%s.%s@%s)", - ent->name, ent->instance, v4_realm); - return 0; - } - hdb.kvno = ntohl(ent->kvno); - hdb.keys.len = 3; - hdb.keys.val = malloc(hdb.keys.len * sizeof(*hdb.keys.val)); - hdb.keys.val[0].mkvno = NULL; - hdb.keys.val[0].salt = calloc(1, sizeof(*hdb.keys.val[0].salt)); - if (ka_use_null_salt) { - hdb.keys.val[0].salt->type = hdb_pw_salt; - hdb.keys.val[0].salt->salt.data = NULL; - hdb.keys.val[0].salt->salt.length = 0; - } else { - hdb.keys.val[0].salt->type = hdb_afs3_salt; - hdb.keys.val[0].salt->salt.data = strdup(afs_cell); - hdb.keys.val[0].salt->salt.length = strlen(afs_cell); - } - - hdb.keys.val[0].key.keytype = ETYPE_DES_CBC_MD5; - krb5_data_copy(&hdb.keys.val[0].key.keyvalue, ent->key, sizeof(ent->key)); - copy_Key(&hdb.keys.val[0], &hdb.keys.val[1]); - hdb.keys.val[1].key.keytype = ETYPE_DES_CBC_MD4; - copy_Key(&hdb.keys.val[0], &hdb.keys.val[2]); - hdb.keys.val[2].key.keytype = ETYPE_DES_CBC_CRC; - - ALLOC(hdb.max_life); - *hdb.max_life = ntohl(ent->max_life); - - if(ntohl(ent->valid_end) != NEVERDATE && ntohl(ent->valid_end) != -1){ - ALLOC(hdb.valid_end); - *hdb.valid_end = ntohl(ent->valid_end); - } - - if (ntohl(ent->pw_change) != NEVERDATE && - ent->pw_expire != 255 && - ent->pw_expire != 0) { - ALLOC(hdb.pw_end); - *hdb.pw_end = ntohl(ent->pw_change) - + 24 * 60 * 60 * ent->pw_expire; - } - - ret = krb5_make_principal(pd->context, &hdb.created_by.principal, - v4_realm, - "kadmin", - "hprop", - NULL); - hdb.created_by.time = time(NULL); - - if(ent->mod_ptr){ - struct ka_entry mod; - ALLOC(hdb.modified_by); - read_block(pd->context, fd, ntohl(ent->mod_ptr), &mod, sizeof(mod)); - - krb5_425_conv_principal(pd->context, mod.name, mod.instance, v4_realm, - &hdb.modified_by->principal); - hdb.modified_by->time = ntohl(ent->mod_time); - 
memset(&mod, 0, sizeof(mod)); - } - - hdb.flags.forwardable = 1; - hdb.flags.renewable = 1; - hdb.flags.proxiable = 1; - hdb.flags.postdate = 1; - /* XXX - AFS 3.4a creates krbtgt.REALMOFCELL as NOTGS+NOSEAL */ - if (strcmp(ent->name, "krbtgt") == 0 && - (flags & (KAFNOTGS|KAFNOSEAL)) == (KAFNOTGS|KAFNOSEAL)) - flags &= ~(KAFNOTGS|KAFNOSEAL); - - hdb.flags.client = (flags & KAFNOTGS) == 0; - hdb.flags.server = (flags & KAFNOSEAL) == 0; - - ret = v5_prop(pd->context, NULL, &hdb, pd); - hdb_free_entry(pd->context, &hdb); - return ret; -} - -static int -ka_dump(struct prop_data *pd, const char *file) -{ - struct ka_header header; - int i; - int fd = open(file, O_RDONLY); - - if(fd < 0) - krb5_err(pd->context, 1, errno, "open(%s)", file); - read_block(pd->context, fd, 0, &header, sizeof(header)); - if(header.version1 != header.version2) - krb5_errx(pd->context, 1, "Version mismatch in header: %ld/%ld", - (long)ntohl(header.version1), (long)ntohl(header.version2)); - if(ntohl(header.version1) != 5) - krb5_errx(pd->context, 1, "Unknown database version %ld (expected 5)", - (long)ntohl(header.version1)); - for(i = 0; i < ntohl(header.hashsize); i++){ - int32_t pos = ntohl(header.hash[i]); - while(pos){ - struct ka_entry ent; - read_block(pd->context, fd, pos, &ent, sizeof(ent)); - ka_convert(pd, fd, &ent); - pos = ntohl(ent.next); - } - } - return 0; -} - - - -struct getargs args[] = { - { "master-key", 'm', arg_string, &mkeyfile, "v5 master key file", "file" }, - { "database", 'd', arg_string, &database, "database", "file" }, - { "source", 0, arg_string, &source_type, "type of database to read", - "heimdal" - "|mit-dump" - "|krb4-dump" -#ifdef KRB4 - "|krb4-db" -#endif - "|kaserver" - }, - - { "v4-realm", 'r', arg_string, &v4_realm, "v4 realm to use" }, - { "cell", 'c', arg_string, &afs_cell, "name of AFS cell" }, - { "kaspecials", 'S', arg_flag, &kaspecials_flag, "dump KASPECIAL keys"}, - { "keytab", 'k', arg_string, &ktname, "keytab to use for authentication", "keytab" 
}, - { "v5-realm", 'R', arg_string, &local_realm, "v5 realm to use" }, - { "decrypt", 'D', arg_flag, &decrypt_flag, "decrypt keys" }, - { "encrypt", 'E', arg_flag, &encrypt_flag, "encrypt keys" }, - { "stdout", 'n', arg_flag, &to_stdout, "dump to stdout" }, - { "verbose", 'v', arg_flag, &verbose_flag }, - { "version", 0, arg_flag, &version_flag }, - { "help", 'h', arg_flag, &help_flag } -}; - -static int num_args = sizeof(args) / sizeof(args[0]); - -static void -usage(int ret) -{ - arg_printusage (args, num_args, NULL, "[host[:port]] ..."); - exit (ret); -} - -static void -get_creds(krb5_context context, krb5_ccache *cache) -{ - krb5_keytab keytab; - krb5_principal client; - krb5_error_code ret; - krb5_get_init_creds_opt init_opts; - krb5_preauthtype preauth = KRB5_PADATA_ENC_TIMESTAMP; - krb5_creds creds; - - ret = krb5_kt_register(context, &hdb_kt_ops); - if(ret) krb5_err(context, 1, ret, "krb5_kt_register"); - - ret = krb5_kt_resolve(context, ktname, &keytab); - if(ret) krb5_err(context, 1, ret, "krb5_kt_resolve"); - - ret = krb5_make_principal(context, &client, NULL, - "kadmin", HPROP_NAME, NULL); - if(ret) krb5_err(context, 1, ret, "krb5_make_principal"); - - krb5_get_init_creds_opt_init(&init_opts); - krb5_get_init_creds_opt_set_preauth_list(&init_opts, &preauth, 1); - - ret = krb5_get_init_creds_keytab(context, &creds, client, keytab, 0, NULL, &init_opts); - if(ret) krb5_err(context, 1, ret, "krb5_get_init_creds"); - - ret = krb5_kt_close(context, keytab); - if(ret) krb5_err(context, 1, ret, "krb5_kt_close"); - - ret = krb5_cc_gen_new(context, &krb5_mcc_ops, cache); - if(ret) krb5_err(context, 1, ret, "krb5_cc_gen_new"); - - ret = krb5_cc_initialize(context, *cache, client); - if(ret) krb5_err(context, 1, ret, "krb5_cc_initialize"); - - krb5_free_principal(context, client); - - ret = krb5_cc_store_cred(context, *cache, &creds); - if(ret) krb5_err(context, 1, ret, "krb5_cc_store_cred"); - - krb5_free_creds_contents(context, &creds); -} - -enum hprop_source { 
- HPROP_HEIMDAL = 1, - HPROP_KRB4_DB, - HPROP_KRB4_DUMP, - HPROP_KASERVER, - HPROP_MIT_DUMP -}; - -#define IS_TYPE_V4(X) ((X) == HPROP_KRB4_DB || (X) == HPROP_KRB4_DUMP || (X) == HPROP_KASERVER) - -struct { - int type; - const char *name; -} types[] = { - { HPROP_HEIMDAL, "heimdal" }, - { HPROP_KRB4_DUMP, "krb4-dump" }, -#ifdef KRB4 - { HPROP_KRB4_DB, "krb4-db" }, -#endif - { HPROP_KASERVER, "kaserver" }, - { HPROP_MIT_DUMP, "mit-dump" } -}; - -static int -parse_source_type(const char *s) -{ - int i; - for(i = 0; i < sizeof(types) / sizeof(types[0]); i++) { - if(strstr(types[i].name, s) == types[i].name) - return types[i].type; - } - return 0; -} - -static void -iterate (krb5_context context, - const char *database, - HDB *db, - int type, - struct prop_data *pd) -{ - int ret; - - switch(type) { - case HPROP_KRB4_DUMP: - ret = v4_prop_dump(pd, database); - break; -#ifdef KRB4 - case HPROP_KRB4_DB: - ret = kerb_db_iterate ((k_iter_proc_t)kdb_prop, pd); - if(ret) - krb5_errx(context, 1, "kerb_db_iterate: %s", - krb_get_err_text(ret)); - break; -#endif /* KRB4 */ - case HPROP_KASERVER: - ret = ka_dump(pd, database); - if(ret) - krb5_err(context, 1, ret, "ka_dump"); - break; - case HPROP_MIT_DUMP: - ret = mit_prop_dump(pd, database); - if (ret) - krb5_errx(context, 1, "mit_prop_dump: %s", - krb5_get_err_text(context, ret)); - break; - case HPROP_HEIMDAL: - ret = hdb_foreach(context, db, HDB_F_DECRYPT, v5_prop, pd); - if(ret) - krb5_err(context, 1, ret, "hdb_foreach"); - break; - } -} - -static int -dump_database (krb5_context context, int type, - const char *database, HDB *db) -{ - krb5_error_code ret; - struct prop_data pd; - krb5_data data; - - pd.context = context; - pd.auth_context = NULL; - pd.sock = STDOUT_FILENO; - - iterate (context, database, db, type, &pd); - krb5_data_zero (&data); - ret = krb5_write_message (context, &pd.sock, &data); - if (ret) - krb5_err(context, 1, ret, "krb5_write_message"); - - return 0; -} - -static int -propagate_database 
(krb5_context context, int type, - const char *database, - HDB *db, krb5_ccache ccache, - int optind, int argc, char **argv) -{ - krb5_principal server; - krb5_error_code ret; - int i; - - for(i = optind; i < argc; i++){ - krb5_auth_context auth_context; - int fd; - struct prop_data pd; - krb5_data data; - - char *port, portstr[NI_MAXSERV]; - - port = strchr(argv[i], ':'); - if(port == NULL) { - snprintf(portstr, sizeof(portstr), "%u", - ntohs(krb5_getportbyname (context, "hprop", "tcp", - HPROP_PORT))); - port = portstr; - } else - *port++ = '\0'; - - fd = open_socket(context, argv[i], port); - if(fd < 0) { - krb5_warn (context, errno, "connect %s", argv[i]); - continue; - } - - ret = krb5_sname_to_principal(context, argv[i], - HPROP_NAME, KRB5_NT_SRV_HST, &server); - if(ret) { - krb5_warn(context, ret, "krb5_sname_to_principal(%s)", argv[i]); - close(fd); - continue; - } - - if (local_realm) { - krb5_realm my_realm; - krb5_get_default_realm(context,&my_realm); - - free (*krb5_princ_realm(context, server)); - krb5_princ_set_realm(context,server,&my_realm); - } - - auth_context = NULL; - ret = krb5_sendauth(context, - &auth_context, - &fd, - HPROP_VERSION, - NULL, - server, - AP_OPTS_MUTUAL_REQUIRED | AP_OPTS_USE_SUBKEY, - NULL, /* in_data */ - NULL, /* in_creds */ - ccache, - NULL, - NULL, - NULL); - - krb5_free_principal(context, server); - - if(ret) { - krb5_warn(context, ret, "krb5_sendauth"); - close(fd); - continue; - } - - pd.context = context; - pd.auth_context = auth_context; - pd.sock = fd; - - iterate (context, database, db, type, &pd); - - krb5_data_zero (&data); - ret = krb5_write_priv_message(context, auth_context, &fd, &data); - if(ret) - krb5_warn(context, ret, "krb5_write_priv_message"); - - ret = krb5_read_priv_message(context, auth_context, &fd, &data); - if(ret) - krb5_warn(context, ret, "krb5_read_priv_message"); - else - krb5_data_free (&data); - - krb5_auth_con_free(context, auth_context); - close(fd); - } - return 0; -} - -int -main(int 
argc, char **argv) -{ - krb5_error_code ret; - krb5_context context; - krb5_ccache ccache = NULL; - HDB *db = NULL; - int optind = 0; - - int type = 0; - - setprogname(argv[0]); - - if(getarg(args, num_args, argc, argv, &optind)) - usage(1); - - if(help_flag) - usage(0); - - if(version_flag){ - print_version(NULL); - exit(0); - } - - ret = krb5_init_context(&context); - if(ret) - exit(1); - - if(local_realm) - krb5_set_default_realm(context, local_realm); - - if(v4_realm == NULL) { - ret = krb5_get_default_realm(context, &v4_realm); - if(ret) - krb5_err(context, 1, ret, "krb5_get_default_realm"); - } - - if(afs_cell == NULL) { - afs_cell = strdup(v4_realm); - if(afs_cell == NULL) - krb5_errx(context, 1, "out of memory"); - strlwr(afs_cell); - } - - - if(encrypt_flag && decrypt_flag) - krb5_errx(context, 1, - "only one of `--encrypt' and `--decrypt' is meaningful"); - - if(source_type != NULL) { - if(type != 0) - krb5_errx(context, 1, "more than one database type specified"); - type = parse_source_type(source_type); - if(type == 0) - krb5_errx(context, 1, "unknown source type `%s'", source_type); - } else if(type == 0) - type = HPROP_HEIMDAL; - - if(!to_stdout) - get_creds(context, &ccache); - - if(decrypt_flag || encrypt_flag) { - ret = hdb_read_master_key(context, mkeyfile, &mkey5); - if(ret && ret != ENOENT) - krb5_err(context, 1, ret, "hdb_read_master_key"); - if(ret) - krb5_errx(context, 1, "No master key file found"); - } - -#ifdef KRB4 - if (IS_TYPE_V4(type)) { - int e; - - if (v4_realm == NULL) { - e = krb_get_lrealm(realm_buf, 1); - if(e) - krb5_errx(context, 1, "krb_get_lrealm: %s", - krb_get_err_text(e)); - v4_realm = realm_buf; - } - } -#endif - - switch(type) { -#ifdef KRB4 - case HPROP_KRB4_DB: - if (database == NULL) - krb5_errx(context, 1, "no database specified"); - break; -#endif - case HPROP_KASERVER: - if (database == NULL) - database = DEFAULT_DATABASE; - ka_use_null_salt = krb5_config_get_bool_default(context, NULL, FALSE, - "hprop", - 
"afs_uses_null_salt", - NULL); - - break; - case HPROP_KRB4_DUMP: - if (database == NULL) - krb5_errx(context, 1, "no dump file specified"); - - break; - case HPROP_MIT_DUMP: - if (database == NULL) - krb5_errx(context, 1, "no dump file specified"); - break; - case HPROP_HEIMDAL: - ret = hdb_create (context, &db, database); - if(ret) - krb5_err(context, 1, ret, "hdb_create: %s", database); - ret = db->open(context, db, O_RDONLY, 0); - if(ret) - krb5_err(context, 1, ret, "db->open"); - break; - default: - krb5_errx(context, 1, "unknown dump type `%d'", type); - break; - } - - if (to_stdout) - dump_database (context, type, database, db); - else - propagate_database (context, type, database, - db, ccache, optind, argc, argv); - - if(ccache != NULL) - krb5_cc_destroy(context, ccache); - - if(db != NULL) - (*db->destroy)(context, db); - - krb5_free_context(context); - return 0; -} diff --git a/crypto/heimdal-0.6.3/kdc/hprop.cat8 b/crypto/heimdal-0.6.3/kdc/hprop.cat8 deleted file mode 100644 index c3f87e1d7b..0000000000 --- a/crypto/heimdal-0.6.3/kdc/hprop.cat8 +++ /dev/null 
@@ -1,101 +0,0 @@ - -HPROP(8) UNIX System Manager's Manual HPROP(8) - -NNAAMMEE - hhpprroopp - propagate the KDC database - -SSYYNNOOPPSSIISS - hhpprroopp [--mm _f_i_l_e | ----mmaasstteerr--kkeeyy==_f_i_l_e] [--dd _f_i_l_e | ----ddaattaabbaassee==_f_i_l_e] - [----ssoouurrccee==_h_e_i_m_d_a_l_|_m_i_t_-_d_u_m_p_|_k_r_b_4_-_d_u_m_p_|_k_r_b_4_-_d_b_|_k_a_s_e_r_v_e_r] [--rr _s_t_r_i_n_g | - ----vv44--rreeaallmm==_s_t_r_i_n_g] [--cc _c_e_l_l | ----cceellll==_c_e_l_l] [--SS | ----kkaassppeecciiaallss] [--kk _k_e_y_t_a_b - | ----kkeeyyttaabb==_k_e_y_t_a_b] [--RR _s_t_r_i_n_g | ----vv55--rreeaallmm==_s_t_r_i_n_g] [--DD | ----ddeeccrryypptt] [--EE | - ----eennccrryypptt] [--nn | ----ssttddoouutt] [--vv | ----vveerrbboossee] [----vveerrssiioonn] [--hh | ----hheellpp] - [_h_o_s_t[:_p_o_r_t]] _._._. - -DDEESSCCRRIIPPTTIIOONN - hhpprroopp takes a principal database in a specified format and converts it - into a stream of Heimdal database records. This stream can either be - written to standard out, or (more commonly) be propagated to a hpropd(8) - server running on a different machine. - - If propagating, it connects to all _h_o_s_t_s specified on the command by - opening a TCP connection to port 754 (service hprop) and sends the - database in encrypted form. - - Supported options: - - --mm _f_i_l_e, ----mmaasstteerr--kkeeyy==_f_i_l_e - Where to find the master key to encrypt or decrypt keys with. - - --dd _f_i_l_e, ----ddaattaabbaassee==_f_i_l_e - The database to be propagated. - - ----ssoouurrccee==_h_e_i_m_d_a_l_|_m_i_t_-_d_u_m_p_|_k_r_b_4_-_d_u_m_p_|_k_r_b_4_-_d_b_|_k_a_s_e_r_v_e_r - Specifies the type of the source database. Alternatives include: - - heimdal a Heimdal database - mit-dump a MIT Kerberos 5 dump file - krb4-db a Kerberos 4 database - krb4-dump a Kerberos 4 dump file - kaserver an AFS kaserver database - - --kk _k_e_y_t_a_b, ----kkeeyyttaabb==_k_e_y_t_a_b - The keytab to use for fetching the key to be used for authenti- - cating to the propagation daemon(s). 
The key _k_a_d_m_i_n_/_h_p_r_o_p is used - from this keytab. The default is to fetch the key from the KDC - database. - - --RR _s_t_r_i_n_g, ----vv55--rreeaallmm==_s_t_r_i_n_g - Local realm override. - - --DD, ----ddeeccrryypptt - The encryption keys in the database can either be in clear, or - encrypted with a master key. This option transmits the database - with unencrypted keys. - - --EE, ----eennccrryypptt - This option transmits the database with encrypted keys. - - --nn, ----ssttddoouutt - Dump the database on stdout, in a format that can be fed to - hpropd. - - The following options are only valid if hhpprroopp is compiled with support - - - for Kerberos 4 (kaserver). - - --rr _s_t_r_i_n_g, ----vv44--rreeaallmm==_s_t_r_i_n_g - v4 realm to use. - - --cc _c_e_l_l, ----cceellll==_c_e_l_l - The AFS cell name, used if reading a kaserver database. - - --SS, ----kkaassppeecciiaallss - Also dump the principals marked as special in the kaserver - database. - - --44, ----vv44--ddbb - Deprecated, identical to `--source=krb4-db'. - - --KK, ----kkaa--ddbb - Deprecated, identical to `--source=kaserver'. - -EEXXAAMMPPLLEESS - The following will propagate a database to another machine (which should - run hpropd(8):) - - $ hprop slave-1 slave-2 - - Copy a Kerberos 4 database to a Kerberos 5 slave: - - $ hprop --source=krb4-db -E krb5-slave - - Convert a Kerberos 4 dump-file for use with a Heimdal KDC: - - $ hprop -n --source=krb4-dump -d /var/kerberos/principal.dump --master-key=/.k | hpropd -n - -SSEEEE AALLSSOO - hpropd(8) - - HEIMDAL June 19, 2000 2 diff --git a/crypto/heimdal-0.6.3/kdc/hprop.h b/crypto/heimdal-0.6.3/kdc/hprop.h deleted file mode 100644 index 0bcab88b4f..0000000000 --- a/crypto/heimdal-0.6.3/kdc/hprop.h +++ /dev/null 
@@ -1,75 +0,0 @@
-/*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: hprop.h,v 1.13 2001/01/26 15:54:19 joda Exp $ */
-
-#ifndef __HPROP_H__
-#define __HPROP_H__
-
-#include "headers.h"
-
-struct prop_data{
- krb5_context context;
- krb5_auth_context auth_context;
- int sock;
-};
-
-#define HPROP_VERSION "hprop-0.0"
-#define HPROP_NAME "hprop"
-#define HPROP_KEYTAB "HDB:"
-#define HPROP_PORT 754
-
-#ifndef NEVERDATE
-#define NEVERDATE ((1U << 31) - 1)
-#endif
-
-krb5_error_code v5_prop(krb5_context, HDB*, hdb_entry*, void*);
-int mit_prop_dump(void*, const char*);
-
-struct v4_principal {
- char name[64];
- char instance[64];
- des_cblock key;
- int kvno;
- int mkvno;
- time_t exp_date;
- time_t mod_date;
- char mod_name[64];
- char mod_instance[64];
- int max_life;
-};
-
-int v4_prop(void*, struct v4_principal*);
-int v4_prop_dump(void *arg, const char*);
-
-#endif /* __HPROP_H__ */
diff --git a/crypto/heimdal-0.6.3/kdc/hpropd.8 b/crypto/heimdal-0.6.3/kdc/hpropd.8
deleted file mode 100644
index 7bb2debe16..0000000000
--- a/crypto/heimdal-0.6.3/kdc/hpropd.8
+++ /dev/null
@@ -1,105 +0,0 @@
-.\" Copyright (c) 1997, 2000 - 2003 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: hpropd.8,v 1.11 2003/02/16 21:10:20 lha Exp $
-.\"
-.Dd August 27, 1997
-.Dt HPROPD 8
-.Os HEIMDAL
-.Sh NAME
-.Nm hpropd
-.Nd receive a propagated database
-.Sh SYNOPSIS
-.Nm
-.Oo Fl d Ar file \*(Ba Xo
-.Fl -database= Ns Ar file
-.Xc
-.Oc
-.Op Fl n | Fl -stdin
-.Op Fl -print
-.Op Fl i | Fl -no-inetd
-.Oo Fl k Ar keytab \*(Ba Xo
-.Fl -keytab= Ns Ar keytab
-.Xc
-.Oc
-.Op Fl 4 | Fl -v4dump
-.Sh DESCRIPTION
-.Nm
-receives a database sent by
-.Nm hprop .
-and writes it as a local database.
-.Pp
-By default,
-.Nm
-expects to be started from
-.Nm inetd
-if stdin is a socket and expects to receive the dumped database over
-stdin otherwise.
-If the database is sent over the network, it is authenticated and
-encrypted.
-Only connections from
-.Nm kadmin Ns / Ns Nm hprop
-are accepted.
-.Pp
-Options supported:
-.Bl -tag -width Ds
-.It Xo
-.Fl d Ar file ,
-.Fl -database= Ns Ar file
-.Xc
-database
-.It Xo
-.Fl n ,
-.Fl -stdin
-.Xc
-read from stdin
-.It Xo
-.Fl -print
-.Xc
-print dump to stdout
-.It Xo
-.Fl i ,
-.Fl -no-inetd
-.Xc
-not started from inetd
-.It Xo
-.Fl k Ar keytab ,
-.Fl -keytab= Ns Ar keytab
-.Xc
-keytab to use for authentication
-.It Xo
-.Fl 4 ,
-.Fl -v4dump
-.Xc
-create v4 type DB
-.El
-.Sh SEE ALSO
-.Xr hprop 8
diff --git a/crypto/heimdal-0.6.3/kdc/hpropd.c b/crypto/heimdal-0.6.3/kdc/hpropd.c
deleted file mode 100644
index d27ff25727..0000000000
--- a/crypto/heimdal-0.6.3/kdc/hpropd.c
+++ /dev/null
@@ -1,439 +0,0 @@
-/*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "hprop.h"
-
-RCSID("$Id: hpropd.c,v 1.36 2003/04/16 15:46:32 lha Exp $");
-
-#ifdef KRB4
-static des_cblock mkey4;
-static des_key_schedule msched4;
-
-static char *
-time2str(time_t t)
-{
- static char buf[128];
- strftime(buf, sizeof(buf), "%Y%m%d%H%M", gmtime(&t));
- return buf;
-}
-
-static int
-dump_krb4(krb5_context context, hdb_entry *ent, int fd)
-{
- char name[ANAME_SZ];
- char instance[INST_SZ];
- char realm[REALM_SZ];
- char buf[1024];
- char *p;
- int i;
- int ret;
- char *princ_name;
- Event *modifier;
- krb5_realm *realms;
- int cmp;
-
- ret = krb5_524_conv_principal(context, ent->principal,
- name, instance, realm);
- if (ret) {
- krb5_unparse_name(context, ent->principal, &princ_name);
- krb5_warn(context, ret, "%s", princ_name);
- free(princ_name);
- return -1;
- }
-
- ret = krb5_get_default_realms (context, &realms);
- if (ret) {
- krb5_warn(context, ret, "krb5_get_default_realms");
- return -1;
- }
-
- cmp = strcmp (realms[0], ent->principal->realm);
- krb5_free_host_realm (context, realms);
- if (cmp != 0)
- return -1;
-
- snprintf (buf, sizeof(buf), "%s %s ", name,
- (strlen(instance) != 0) ? instance : "*");
-
- if (ent->max_life) {
- asprintf(&p, "%d", krb_time_to_life(0, *ent->max_life));
- strlcat(buf, p, sizeof(buf));
- free(p);
- } else
- strlcat(buf, "255", sizeof(buf));
- strlcat(buf, " ", sizeof(buf));
-
- i = 0;
- while (i < ent->keys.len &&
- ent->keys.val[i].key.keytype != KEYTYPE_DES)
- ++i;
-
- if (i == ent->keys.len) {
- krb5_warnx(context, "No DES key for %s.%s", name, instance);
- return -1;
- }
-
- if (ent->keys.val[i].mkvno)
- asprintf(&p, "%d ", *ent->keys.val[i].mkvno);
- else
- asprintf(&p, "%d ", 1);
- strlcat(buf, p, sizeof(buf));
- free(p);
-
- asprintf(&p, "%d ", ent->kvno);
- strlcat(buf, p, sizeof(buf));
- free(p);
-
- asprintf(&p, "%d ", 0); /* Attributes are always 0*/
- strlcat(buf, p, sizeof(buf));
- free(p);
-
- {
- u_int32_t *key = ent->keys.val[i].key.keyvalue.data;
- kdb_encrypt_key((des_cblock*)key, (des_cblock*)key,
- &mkey4, msched4, DES_ENCRYPT);
- asprintf(&p, "%x %x ", (int)htonl(*key), (int)htonl(*(key+1)));
- strlcat(buf, p, sizeof(buf));
- free(p);
- }
-
- if (ent->valid_end == NULL)
- strlcat(buf, time2str(60*60*24*365*50), sizeof(buf)); /*no expiration*/
- else
- strlcat(buf, time2str(*ent->valid_end), sizeof(buf));
- strlcat(buf, " ", sizeof(buf));
-
- if (ent->modified_by == NULL)
- modifier = &ent->created_by;
- else
- modifier = ent->modified_by;
-
- ret = krb5_524_conv_principal(context, modifier->principal,
- name, instance, realm);
- if (ret) {
- krb5_unparse_name(context, modifier->principal, &princ_name);
- krb5_warn(context, ret, "%s", princ_name);
- free(princ_name);
- return -1;
- }
- asprintf(&p, "%s %s %s\n", time2str(modifier->time),
- (strlen(name) != 0) ? name : "*",
- (strlen(instance) != 0) ? instance : "*");
- strlcat(buf, p, sizeof(buf));
- free(p);
-
- ret = write(fd, buf, strlen(buf));
- if (ret == -1)
- krb5_warnx(context, "write");
- return 0;
-}
-#endif /* KRB4 */
-
-static int inetd_flag = -1;
-static int help_flag;
-static int version_flag;
-static int print_dump;
-static const char *database = HDB_DEFAULT_DB;
-static int from_stdin;
-static char *local_realm;
-#ifdef KRB4
-static int v4dump;
-#endif
-static char *ktname = NULL;
-
-struct getargs args[] = {
- { "database", 'd', arg_string, &database, "database", "file" },
- { "stdin", 'n', arg_flag, &from_stdin, "read from stdin" },
- { "print", 0, arg_flag, &print_dump, "print dump to stdout" },
- { "inetd", 'i', arg_negative_flag, &inetd_flag,
- "Not started from inetd" },
- { "keytab", 'k', arg_string, &ktname, "keytab to use for authentication", "keytab" },
- { "realm", 'r', arg_string, &local_realm, "realm to use" },
-#ifdef KRB4
- { "v4dump", '4', arg_flag, &v4dump, "create v4 type DB" },
-#endif
- { "version", 0, arg_flag, &version_flag, NULL, NULL },
- { "help", 'h', arg_flag, &help_flag, NULL, NULL}
-};
-
-static int num_args = sizeof(args) / sizeof(args[0]);
-
-static void
-usage(int ret)
-{
- arg_printusage (args, num_args, NULL, "");
- exit (ret);
-}
-
-int
-main(int argc, char **argv)
-{
- krb5_error_code ret;
- krb5_context context;
- krb5_auth_context ac = NULL;
- krb5_principal c1, c2;
- krb5_authenticator authent;
- krb5_keytab keytab;
- int fd;
- HDB *db;
- int optind = 0;
- char *tmp_db;
- krb5_log_facility *fac;
- int nprincs;
-#ifdef KRB4
- int e;
- int fd_out = -1;
-#endif
-
- setprogname(argv[0]);
-
- ret = krb5_init_context(&context);
- if(ret)
- exit(1);
-
- ret = krb5_openlog(context, "hpropd", &fac);
- if(ret)
- ;
- krb5_set_warn_dest(context, fac);
-
- if(getarg(args, num_args, argc, argv, &optind))
- usage(1);
-
-#ifdef KRB4
- if (v4dump && database == HDB_DEFAULT_DB)
- database = "/var/kerberos/524_dump";
-#endif /* KRB4 */
-
- if(local_realm != NULL)
- krb5_set_default_realm(context, local_realm);
-
- if(help_flag)
- usage(0);
- if(version_flag) {
- print_version(NULL);
- exit(0);
- }
-
- argc -= optind;
- argv += optind;
-
- if (argc != 0)
- usage(1);
-
- if(from_stdin)
- fd = STDIN_FILENO;
- else {
- struct sockaddr_storage ss;
- struct sockaddr *sa = (struct sockaddr *)&ss;
- socklen_t sin_len = sizeof(ss);
- char addr_name[256];
- krb5_ticket *ticket;
- char *server;
-
- fd = STDIN_FILENO;
- if (inetd_flag == -1) {
- if (getpeername (fd, sa, &sin_len) < 0)
- inetd_flag = 0;
- else
- inetd_flag = 1;
- }
- if (!inetd_flag) {
- mini_inetd (krb5_getportbyname (context, "hprop", "tcp",
- HPROP_PORT));
- }
- sin_len = sizeof(ss);
- if(getpeername(fd, sa, &sin_len) < 0)
- krb5_err(context, 1, errno, "getpeername");
-
- if (inet_ntop(sa->sa_family,
- socket_get_address (sa),
- addr_name,
- sizeof(addr_name)) == NULL)
- strlcpy (addr_name, "unknown address",
- sizeof(addr_name));
-
- krb5_log(context, fac, 0, "Connection from %s", addr_name);
-
- ret = krb5_kt_register(context, &hdb_kt_ops);
- if(ret)
- krb5_err(context, 1, ret, "krb5_kt_register");
-
- if (ktname != NULL) {
- ret = krb5_kt_resolve(context, ktname, &keytab);
- if (ret)
- krb5_err (context, 1, ret, "krb5_kt_resolve %s", ktname);
- } else {
- ret = krb5_kt_default (context, &keytab);
- if (ret)
- krb5_err (context, 1, ret, "krb5_kt_default");
- }
-
- ret = krb5_recvauth(context, &ac, &fd, HPROP_VERSION, NULL,
- 0, keytab, &ticket);
- if(ret)
- krb5_err(context, 1, ret, "krb5_recvauth");
-
- ret = krb5_unparse_name(context, ticket->server, &server);
- if (ret)
- krb5_err(context, 1, ret, "krb5_unparse_name");
- if (strncmp(server, "hprop/", 5) != 0)
- krb5_errx(context, 1, "ticket not for hprop (%s)", server);
-
- free(server);
- krb5_free_ticket (context, ticket);
-
- ret = krb5_auth_con_getauthenticator(context, ac, &authent);
- if(ret)
- krb5_err(context, 1, ret, "krb5_auth_con_getauthenticator");
-
- ret = krb5_make_principal(context, &c1, NULL, "kadmin", "hprop", NULL);
- if(ret)
- krb5_err(context, 1, ret, "krb5_make_principal");
- principalname2krb5_principal(&c2, authent->cname, authent->crealm);
- if(!krb5_principal_compare(context, c1, c2)) {
- char *s;
- krb5_unparse_name(context, c2, &s);
- krb5_errx(context, 1, "Unauthorized connection from %s", s);
- }
- krb5_free_principal(context, c1);
- krb5_free_principal(context, c2);
-
- ret = krb5_kt_close(context, keytab);
- if(ret)
- krb5_err(context, 1, ret, "krb5_kt_close");
- }
-
- if(!print_dump) {
- asprintf(&tmp_db, "%s~", database);
-#ifdef KRB4
- if (v4dump) {
- fd_out = open(tmp_db, O_WRONLY | O_CREAT | O_TRUNC, 0600);
- if (fd_out == -1)
- krb5_errx(context, 1, "%s", strerror(errno));
- }
- else
-#endif /* KRB4 */
- {
- ret = hdb_create(context, &db, tmp_db);
- if(ret)
- krb5_err(context, 1, ret, "hdb_create(%s)", tmp_db);
- ret = db->open(context, db, O_RDWR | O_CREAT | O_TRUNC, 0600);
- if(ret)
- krb5_err(context, 1, ret, "hdb_open(%s)", tmp_db);
- }
- }
-
-#ifdef KRB4
- if (v4dump) {
- e = kdb_get_master_key(0, &mkey4, msched4);
- if(e)
- krb5_errx(context, 1, "kdb_get_master_key: %s",
- krb_get_err_text(e));
- }
-#endif /* KRB4 */
-
- nprincs = 0;
- while(1){
- krb5_data data;
- hdb_entry entry;
-
- if(from_stdin) {
- ret = krb5_read_message(context, &fd, &data);
- if(ret != 0 && ret != HEIM_ERR_EOF)
- krb5_err(context, 1, ret, "krb5_read_message");
- } else {
- ret = krb5_read_priv_message(context, ac, &fd, &data);
- if(ret)
- krb5_err(context, 1, ret, "krb5_read_priv_message");
- }
-
- if(ret == HEIM_ERR_EOF || data.length == 0) {
- if(!from_stdin) {
- data.data = NULL;
- data.length = 0;
- krb5_write_priv_message(context, ac, &fd, &data);
- }
- if(!print_dump) {
-#ifdef KRB4
- if (v4dump) {
- ret = rename(tmp_db, database);
- if (ret)
- krb5_errx(context, 1, "rename");
- ret = close(fd_out);
- if (ret)
- krb5_errx(context, 1, "close");
- } else
-#endif /* KRB4 */
- {
- ret = db->rename(context, db, database);
- if(ret)
- krb5_err(context, 1, ret, "db_rename");
- ret = db->close(context, db);
- if(ret)
- krb5_err(context, 1, ret, "db_close");
- }
- }
- break;
- }
- ret = hdb_value2entry(context, &data, &entry);
- if(ret)
- krb5_err(context, 1, ret, "hdb_value2entry");
- if(print_dump)
- hdb_print_entry(context, db, &entry, stdout);
- else {
-#ifdef KRB4
- if (v4dump) {
- ret = dump_krb4(context, &entry, fd_out);
- if(!ret) nprincs++;
- }
- else
-#endif /* KRB4 */
- {
- ret = db->store(context, db, 0, &entry);
- if(ret == HDB_ERR_EXISTS) {
- char *s;
- krb5_unparse_name(context, entry.principal, &s);
- krb5_warnx(context, "Entry exists: %s", s);
- free(s);
- } else if(ret)
- krb5_err(context, 1, ret, "db_store");
- else
- nprincs++;
- }
- }
- hdb_free_entry(context, &entry);
- }
- if (!print_dump)
- krb5_log(context, fac, 0, "Received %d principals", nprincs);
- exit(0);
-}
diff --git a/crypto/heimdal-0.6.3/kdc/hpropd.cat8 b/crypto/heimdal-0.6.3/kdc/hpropd.cat8
deleted file mode 100644
index 07ce0aee0f..0000000000
--- a/crypto/heimdal-0.6.3/kdc/hpropd.cat8
+++ /dev/null
@@ -1,43 +0,0 @@ - -HPROPD(8) UNIX System Manager's Manual HPROPD(8) - -NNAAMMEE - hhpprrooppdd - receive a propagated database - -SSYYNNOOPPSSIISS - hhpprrooppdd [--dd _f_i_l_e | ----ddaattaabbaassee==_f_i_l_e] [--nn | ----ssttddiinn] [----pprriinntt] [--ii | - ----nnoo--iinneettdd] [--kk _k_e_y_t_a_b | ----kkeeyyttaabb==_k_e_y_t_a_b] [--44 | ----vv44dduummpp] - -DDEESSCCRRIIPPTTIIOONN - hhpprrooppdd receives a database sent by hhpprroopp. and writes it as a local - database. - - By default, hhpprrooppdd expects to be started from iinneettdd if stdin is a socket - and expects to receive the dumped database over stdin otherwise. If the - database is sent over the network, it is authenticated and encrypted. - Only connections from kkaaddmmiinn/hhpprroopp are accepted. - - Options supported: - - --dd _f_i_l_e, ----ddaattaabbaassee==_f_i_l_e - database - - --nn, ----ssttddiinn - read from stdin - - ----pprriinntt - print dump to stdout - - --ii, ----nnoo--iinneettdd - not started from inetd - - --kk _k_e_y_t_a_b, ----kkeeyyttaabb==_k_e_y_t_a_b - keytab to use for authentication - - --44, ----vv44dduummpp - create v4 type DB - -SSEEEE AALLSSOO - hprop(8) - - HEIMDAL August 27, 1997 1 diff --git a/crypto/heimdal-0.6.3/kdc/kadb.h b/crypto/heimdal-0.6.3/kdc/kadb.h deleted file mode 100644 index 5c98ccc77a..0000000000 --- a/crypto/heimdal-0.6.3/kdc/kadb.h +++ /dev/null 
@@ -1,84 +0,0 @@
-/*
- * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: kadb.h,v 1.3 2000/03/03 12:36:26 assar Exp $ */
-
-#ifndef __kadb_h__
-#define __kadb_h__
-
-#define HASHSIZE 8191
-
-struct ka_header {
- int32_t version1; /* file format version, should
- match version2 */
- int32_t size;
- int32_t free_ptr;
- int32_t eof_ptr;
- int32_t kvno_ptr;
- int32_t stats[8];
- int32_t admin_accounts;
- int32_t special_keys_version;
- int32_t hashsize; /* allocated size of hash */
- int32_t hash[HASHSIZE];
- int32_t version2;
-};
-
-struct ka_entry {
- int32_t flags; /* see below */
- int32_t next; /* next in hash list */
- int32_t valid_end; /* expiration date */
- int32_t mod_time; /* time last modified */
- int32_t mod_ptr; /* pointer to modifier */
- int32_t pw_change; /* last pw change */
- int32_t max_life; /* max ticket life */
- int32_t kvno;
- int32_t foo2[2]; /* huh? */
- char name[64];
- char instance[64];
- char key[8];
- u_char pw_expire; /* # days before password expires */
- u_char spare;
- u_char attempts;
- u_char locktime;
-};
-
-#define KAFNORMAL (1<<0)
-#define KAFADMIN (1<<2) /* an administrator */
-#define KAFNOTGS (1<<3) /* ! allow principal to get or use TGT */
-#define KAFNOSEAL (1<<5) /* ! allow principal as server in GetTicket */
-#define KAFNOCPW (1<<6) /* ! allow principal to change its own key */
-#define KAFSPECIAL (1<<8) /* set if special AuthServer principal */
-
-#define DEFAULT_DATABASE "/usr/afs/db/kaserver.DB0"
-
-#endif /* __kadb_h__ */
diff --git a/crypto/heimdal-0.6.3/kdc/kaserver.c b/crypto/heimdal-0.6.3/kdc/kaserver.c
deleted file mode 100644
index 869447180b..0000000000
--- a/crypto/heimdal-0.6.3/kdc/kaserver.c
+++ /dev/null
@@ -1,839 +0,0 @@
-/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kdc_locl.h"
-
-RCSID("$Id: kaserver.c,v 1.21.2.1 2003/10/06 21:02:35 lha Exp $");
-
-
-#include
-
-#define KA_AUTHENTICATION_SERVICE 731
-#define KA_TICKET_GRANTING_SERVICE 732
-#define KA_MAINTENANCE_SERVICE 733
-
-#define AUTHENTICATE_OLD 1
-#define CHANGEPASSWORD 2
-#define GETTICKET_OLD 3
-#define SETPASSWORD 4
-#define SETFIELDS 5
-#define CREATEUSER 6
-#define DELETEUSER 7
-#define GETENTRY 8
-#define LISTENTRY 9
-#define GETSTATS 10
-#define DEBUG 11
-#define GETPASSWORD 12
-#define GETRANDOMKEY 13
-#define AUTHENTICATE 21
-#define AUTHENTICATE_V2 22
-#define GETTICKET 23
-
-/* XXX - Where do we get these? */
-
-#define RXGEN_OPCODE (-455)
-
-#define KADATABASEINCONSISTENT (180480L)
-#define KAEXIST (180481L)
-#define KAIO (180482L)
-#define KACREATEFAIL (180483L)
-#define KANOENT (180484L)
-#define KAEMPTY (180485L)
-#define KABADNAME (180486L)
-#define KABADINDEX (180487L)
-#define KANOAUTH (180488L)
-#define KAANSWERTOOLONG (180489L)
-#define KABADREQUEST (180490L)
-#define KAOLDINTERFACE (180491L)
-#define KABADARGUMENT (180492L)
-#define KABADCMD (180493L)
-#define KANOKEYS (180494L)
-#define KAREADPW (180495L)
-#define KABADKEY (180496L)
-#define KAUBIKINIT (180497L)
-#define KAUBIKCALL (180498L)
-#define KABADPROTOCOL (180499L)
-#define KANOCELLS (180500L)
-#define KANOCELL (180501L)
-#define KATOOMANYUBIKS (180502L)
-#define KATOOMANYKEYS (180503L)
-#define KABADTICKET (180504L)
-#define KAUNKNOWNKEY (180505L)
-#define KAKEYCACHEINVALID (180506L)
-#define KABADSERVER (180507L)
-#define KABADUSER (180508L)
-#define KABADCPW (180509L)
-#define KABADCREATE (180510L)
-#define KANOTICKET (180511L)
-#define KAASSOCUSER (180512L)
-#define KANOTSPECIAL (180513L)
-#define KACLOCKSKEW (180514L)
-#define KANORECURSE (180515L)
-#define KARXFAIL (180516L)
-#define KANULLPASSWORD (180517L)
-#define KAINTERNALERROR (180518L)
-#define KAPWEXPIRED (180519L)
-#define KAREUSED (180520L)
-#define KATOOSOON (180521L)
-#define KALOCKED (180522L)
-
-static void -decode_rx_header (krb5_storage *sp, - struct rx_header *h) -{ - krb5_ret_int32(sp, &h->epoch); - krb5_ret_int32(sp, &h->connid); - krb5_ret_int32(sp, &h->callid); - krb5_ret_int32(sp, &h->seqno); - krb5_ret_int32(sp, &h->serialno); - krb5_ret_int8(sp, &h->type); - krb5_ret_int8(sp, &h->flags); - krb5_ret_int8(sp, &h->status); - krb5_ret_int8(sp, &h->secindex); - krb5_ret_int16(sp, &h->reserved); - krb5_ret_int16(sp, &h->serviceid); -} - -static void -encode_rx_header (struct rx_header *h, - krb5_storage *sp) -{ - krb5_store_int32(sp, h->epoch); - krb5_store_int32(sp, h->connid); - krb5_store_int32(sp, h->callid); - krb5_store_int32(sp, h->seqno); - krb5_store_int32(sp, h->serialno); - krb5_store_int8(sp, h->type); - krb5_store_int8(sp, h->flags); - krb5_store_int8(sp, h->status); - krb5_store_int8(sp, h->secindex); - krb5_store_int16(sp, h->reserved); - krb5_store_int16(sp, h->serviceid); -} - -static void -init_reply_header (struct rx_header *hdr, - struct rx_header *reply_hdr, - u_char type, - u_char flags) -{ - reply_hdr->epoch = hdr->epoch; - reply_hdr->connid = hdr->connid; - reply_hdr->callid = hdr->callid; - reply_hdr->seqno = 1; - reply_hdr->serialno = 1; - reply_hdr->type = type; - reply_hdr->flags = flags; - reply_hdr->status = 0; - reply_hdr->secindex = 0; - reply_hdr->reserved = 0; - reply_hdr->serviceid = hdr->serviceid; -} - -static void -make_error_reply (struct rx_header *hdr, - u_int32_t ret, - krb5_data *reply) - -{ - krb5_storage *sp; - struct rx_header reply_hdr; - - init_reply_header (hdr, &reply_hdr, HT_ABORT, HF_LAST); - sp = krb5_storage_emem(); - encode_rx_header (&reply_hdr, sp); - krb5_store_int32(sp, ret); - krb5_storage_to_data (sp, reply); - krb5_storage_free (sp); -} - -static krb5_error_code -krb5_ret_xdr_data(krb5_storage *sp, - krb5_data *data) -{ - int ret; - int size; - ret = krb5_ret_int32(sp, &size); - if(ret) - return ret; - if(size < 0) - return ERANGE; - data->length = size; - if (size) { - u_char foo[4]; - 
size_t pad = (4 - size % 4) % 4; - - data->data = malloc(size); - if (data->data == NULL) - return ENOMEM; - ret = krb5_storage_read(sp, data->data, size); - if(ret != size) - return (ret < 0)? errno : KRB5_CC_END; - if (pad) { - ret = krb5_storage_read(sp, foo, pad); - if (ret != pad) - return (ret < 0)? errno : KRB5_CC_END; - } - } else - data->data = NULL; - return 0; -} - -static krb5_error_code -krb5_store_xdr_data(krb5_storage *sp, - krb5_data data) -{ - u_char zero[4] = {0, 0, 0, 0}; - int ret; - size_t pad; - - ret = krb5_store_int32(sp, data.length); - if(ret < 0) - return ret; - ret = krb5_storage_write(sp, data.data, data.length); - if(ret != data.length){ - if(ret < 0) - return errno; - return KRB5_CC_END; - } - pad = (4 - data.length % 4) % 4; - if (pad) { - ret = krb5_storage_write(sp, zero, pad); - if (ret != pad) { - if (ret < 0) - return errno; - return KRB5_CC_END; - } - } - return 0; -} - - -static krb5_error_code -create_reply_ticket (struct rx_header *hdr, - Key *skey, - char *name, char *instance, char *realm, - struct sockaddr_in *addr, - int life, - int kvno, - int32_t max_seq_len, - const char *sname, const char *sinstance, - u_int32_t challenge, - const char *label, - des_cblock *key, - krb5_data *reply) -{ - KTEXT_ST ticket; - des_cblock session; - krb5_storage *sp; - krb5_data enc_data; - des_key_schedule schedule; - struct rx_header reply_hdr; - des_cblock zero; - size_t pad; - unsigned fyrtiosjuelva; - - /* create the ticket */ - - des_new_random_key(&session); - - krb_create_ticket (&ticket, 0, name, instance, realm, - addr->sin_addr.s_addr, - &session, life, kdc_time, - sname, sinstance, skey->key.keyvalue.data); - - /* create the encrypted part of the reply */ - sp = krb5_storage_emem (); - krb5_generate_random_block(&fyrtiosjuelva, sizeof(fyrtiosjuelva)); - fyrtiosjuelva &= 0xffffffff; - krb5_store_int32 (sp, fyrtiosjuelva); - krb5_store_int32 (sp, challenge); - krb5_storage_write (sp, session, 8); - memset (&session, 0, 
sizeof(session));
- krb5_store_int32 (sp, kdc_time);
- krb5_store_int32 (sp, kdc_time + krb_life_to_time (0, life));
- krb5_store_int32 (sp, kvno);
- krb5_store_int32 (sp, ticket.length);
- krb5_store_stringz (sp, name);
- krb5_store_stringz (sp, instance);
-#if 1 /* XXX - Why shouldn't the realm go here? */
- krb5_store_stringz (sp, "");
-#else
- krb5_store_stringz (sp, realm);
-#endif
- krb5_store_stringz (sp, sname);
- krb5_store_stringz (sp, sinstance);
- krb5_storage_write (sp, ticket.dat, ticket.length);
- krb5_storage_write (sp, label, strlen(label));
-
- /* pad to DES block */
- memset (zero, 0, sizeof(zero));
- pad = (8 - krb5_storage_seek (sp, 0, SEEK_CUR) % 8) % 8;
- krb5_storage_write (sp, zero, pad);
-
- krb5_storage_to_data (sp, &enc_data);
- krb5_storage_free (sp);
-
- if (enc_data.length > max_seq_len) {
- krb5_data_free (&enc_data);
- make_error_reply (hdr, KAANSWERTOOLONG, reply);
- return 0;
- }
-
- /* encrypt it */
- des_set_key (key, schedule);
- des_pcbc_encrypt (enc_data.data,
- enc_data.data,
- enc_data.length,
- schedule,
- key,
- DES_ENCRYPT);
- memset (&schedule, 0, sizeof(schedule));
-
- /* create the reply packet */
- init_reply_header (hdr, &reply_hdr, HT_DATA, HF_LAST);
- sp = krb5_storage_emem ();
- encode_rx_header (&reply_hdr, sp);
- krb5_store_int32 (sp, max_seq_len);
- krb5_store_xdr_data (sp, enc_data);
- krb5_data_free (&enc_data);
- krb5_storage_to_data (sp, reply);
- krb5_storage_free (sp);
- return 0;
-}
-
-static krb5_error_code
-unparse_auth_args (krb5_storage *sp,
- char **name,
- char **instance,
- time_t *start_time,
- time_t *end_time,
- krb5_data *request,
- int32_t *max_seq_len)
-{
- krb5_data data;
- int32_t tmp;
-
- krb5_ret_xdr_data (sp, &data);
- *name = malloc(data.length + 1);
- if (*name == NULL)
- return ENOMEM;
- memcpy (*name, data.data, data.length);
- (*name)[data.length] = '\0';
- krb5_data_free (&data);
-
- krb5_ret_xdr_data (sp, &data);
- *instance = malloc(data.length + 1);
- if (*instance == NULL) {
- free (*name);
- return ENOMEM;
- }
- memcpy (*instance, data.data, data.length);
- (*instance)[data.length] = '\0';
- krb5_data_free (&data);
-
- krb5_ret_int32 (sp, &tmp);
- *start_time = tmp;
- krb5_ret_int32 (sp, &tmp);
- *end_time = tmp;
- krb5_ret_xdr_data (sp, request);
- krb5_ret_int32 (sp, max_seq_len);
- /* ignore the rest */
- return 0;
-}
-
-static void
-do_authenticate (struct rx_header *hdr,
- krb5_storage *sp,
- struct sockaddr_in *addr,
- krb5_data *reply)
-{
- krb5_error_code ret;
- char *name = NULL;
- char *instance = NULL;
- time_t start_time;
- time_t end_time;
- krb5_data request;
- int32_t max_seq_len;
- hdb_entry *client_entry = NULL;
- hdb_entry *server_entry = NULL;
- Key *ckey = NULL;
- Key *skey = NULL;
- des_cblock key;
- des_key_schedule schedule;
- krb5_storage *reply_sp;
- time_t max_life;
- u_int8_t life;
- int32_t chal;
- char client_name[256];
- char server_name[256];
-
- krb5_data_zero (&request);
-
- unparse_auth_args (sp, &name, &instance, &start_time, &end_time,
- &request, &max_seq_len);
- if (request.length < 8) {
- make_error_reply (hdr, KABADREQUEST, reply);
- goto out;
- }
-
- snprintf (client_name, sizeof(client_name), "%s.%s@%s",
- name, instance, v4_realm);
-
- ret = db_fetch4 (name, instance, v4_realm, &client_entry);
- if (ret) {
- kdc_log(0, "Client not found in database: %s: %s",
- client_name, krb5_get_err_text(context, ret));
- make_error_reply (hdr, KANOENT, reply);
- goto out;
- }
-
- snprintf (server_name, sizeof(server_name), "%s.%s@%s",
- "krbtgt", v4_realm, v4_realm);
-
- ret = db_fetch4 ("krbtgt", v4_realm, v4_realm, &server_entry);
- if (ret) {
- kdc_log(0, "Server not found in database: %s: %s",
- server_name, krb5_get_err_text(context, ret));
- make_error_reply (hdr, KANOENT, reply);
- goto out;
- }
-
- ret = check_flags (client_entry, client_name,
- server_entry, server_name,
- TRUE);
- if (ret) {
- make_error_reply (hdr, KAPWEXPIRED, reply);
- goto out;
- }
-
- /* find a DES key */
- ret = 
get_des_key(client_entry, FALSE, TRUE, &ckey);
- if(ret){
- kdc_log(0, "no suitable DES key for client");
- make_error_reply (hdr, KANOKEYS, reply);
- goto out;
- }
-
- /* find a DES key */
- ret = get_des_key(server_entry, TRUE, TRUE, &skey);
- if(ret){
- kdc_log(0, "no suitable DES key for server");
- make_error_reply (hdr, KANOKEYS, reply);
- goto out;
- }
-
- /* try to decode the `request' */
- memcpy (&key, ckey->key.keyvalue.data, sizeof(key));
- des_set_key (&key, schedule);
- des_pcbc_encrypt (request.data,
- request.data,
- request.length,
- schedule,
- &key,
- DES_DECRYPT);
- memset (&schedule, 0, sizeof(schedule));
-
- /* check for the magic label */
- if (memcmp ((char *)request.data + 4, "gTGS", 4) != 0) {
- make_error_reply (hdr, KABADREQUEST, reply);
- goto out;
- }
-
- reply_sp = krb5_storage_from_mem (request.data, 4);
- krb5_ret_int32 (reply_sp, &chal);
- krb5_storage_free (reply_sp);
-
- if (abs(chal - kdc_time) > context->max_skew) {
- make_error_reply (hdr, KACLOCKSKEW, reply);
- goto out;
- }
-
- /* life */
- max_life = end_time - kdc_time;
- /* end_time - kdc_time can sometimes be non-positive due to slight
- time skew between client and server. 
Let's make sure it is postive */
- if(max_life < 1)
- max_life = 1;
- if (client_entry->max_life)
- max_life = min(max_life, *client_entry->max_life);
- if (server_entry->max_life)
- max_life = min(max_life, *server_entry->max_life);
-
- life = krb_time_to_life(kdc_time, kdc_time + max_life);
-
- create_reply_ticket (hdr, skey,
- name, instance, v4_realm,
- addr, life, server_entry->kvno,
- max_seq_len,
- "krbtgt", v4_realm,
- chal + 1, "tgsT",
- &key, reply);
- memset (&key, 0, sizeof(key));
-
-out:
- if (request.length) {
- memset (request.data, 0, request.length);
- krb5_data_free (&request);
- }
- if (name)
- free (name);
- if (instance)
- free (instance);
- if (client_entry)
- free_ent (client_entry);
- if (server_entry)
- free_ent (server_entry);
-}
-
-static krb5_error_code
-unparse_getticket_args (krb5_storage *sp,
- int *kvno,
- char **auth_domain,
- krb5_data *ticket,
- char **name,
- char **instance,
- krb5_data *times,
- int32_t *max_seq_len)
-{
- krb5_data data;
- int32_t tmp;
-
- krb5_ret_int32 (sp, &tmp);
- *kvno = tmp;
-
- krb5_ret_xdr_data (sp, &data);
- *auth_domain = malloc(data.length + 1);
- if (*auth_domain == NULL)
- return ENOMEM;
- memcpy (*auth_domain, data.data, data.length);
- (*auth_domain)[data.length] = '\0';
- krb5_data_free (&data);
-
- krb5_ret_xdr_data (sp, ticket);
-
- krb5_ret_xdr_data (sp, &data);
- *name = malloc(data.length + 1);
- if (*name == NULL) {
- free (*auth_domain);
- return ENOMEM;
- }
- memcpy (*name, data.data, data.length);
- (*name)[data.length] = '\0';
- krb5_data_free (&data);
-
- krb5_ret_xdr_data (sp, &data);
- *instance = malloc(data.length + 1);
- if (*instance == NULL) {
- free (*auth_domain);
- free (*name);
- return ENOMEM;
- }
- memcpy (*instance, data.data, data.length);
- (*instance)[data.length] = '\0';
- krb5_data_free (&data);
-
- krb5_ret_xdr_data (sp, times);
-
- krb5_ret_int32 (sp, max_seq_len);
- /* ignore the rest */
- return 0;
-}
-
-static void
-do_getticket (struct rx_header *hdr,
- 
krb5_storage *sp,
- struct sockaddr_in *addr,
- krb5_data *reply)
-{
- krb5_error_code ret;
- int kvno;
- char *auth_domain = NULL;
- krb5_data aticket;
- char *name = NULL;
- char *instance = NULL;
- krb5_data times;
- int32_t max_seq_len;
- hdb_entry *server_entry = NULL;
- hdb_entry *krbtgt_entry = NULL;
- Key *kkey = NULL;
- Key *skey = NULL;
- des_cblock key;
- des_key_schedule schedule;
- des_cblock session;
- time_t max_life;
- int8_t life;
- time_t start_time, end_time;
- char pname[ANAME_SZ];
- char pinst[INST_SZ];
- char prealm[REALM_SZ];
- char server_name[256];
-
- krb5_data_zero (&aticket);
- krb5_data_zero (×);
-
- unparse_getticket_args (sp, &kvno, &auth_domain, &aticket,
- &name, &instance, ×, &max_seq_len);
- if (times.length < 8) {
- make_error_reply (hdr, KABADREQUEST, reply);
- goto out;
-
- }
-
- snprintf (server_name, sizeof(server_name),
- "%s.%s@%s", name, instance, v4_realm);
-
- ret = db_fetch4 (name, instance, v4_realm, &server_entry);
- if (ret) {
- kdc_log(0, "Server not found in database: %s: %s",
- server_name, krb5_get_err_text(context, ret));
- make_error_reply (hdr, KANOENT, reply);
- goto out;
- }
-
- ret = check_flags (NULL, NULL,
- server_entry, server_name,
- FALSE);
- if (ret) {
- make_error_reply (hdr, KAPWEXPIRED, reply);
- goto out;
- }
-
- ret = db_fetch4 ("krbtgt", v4_realm, v4_realm, &krbtgt_entry);
- if (ret) {
- kdc_log(0, "Server not found in database: %s.%s@%s: %s",
- "krbtgt", v4_realm, v4_realm, krb5_get_err_text(context, ret));
- make_error_reply (hdr, KANOENT, reply);
- goto out;
- }
-
- /* find a DES key */
- ret = get_des_key(krbtgt_entry, TRUE, TRUE, &kkey);
- if(ret){
- kdc_log(0, "no suitable DES key for krbtgt");
- make_error_reply (hdr, KANOKEYS, reply);
- goto out;
- }
-
- /* find a DES key */
- ret = get_des_key(server_entry, TRUE, TRUE, &skey);
- if(ret){
- kdc_log(0, "no suitable DES key for server");
- make_error_reply (hdr, KANOKEYS, reply);
- goto out;
- }
-
- /* decrypt the incoming ticket */
- 
memcpy (&key, kkey->key.keyvalue.data, sizeof(key));
-
- /* unpack the ticket */
- {
- KTEXT_ST ticket;
- u_char flags;
- int life;
- u_int32_t time_sec;
- char sname[ANAME_SZ];
- char sinstance[SNAME_SZ];
- u_int32_t paddress;
-
- if (aticket.length > sizeof(ticket.dat)) {
- kdc_log(0, "ticket too long (%u > %u)",
- (unsigned)aticket.length,
- (unsigned)sizeof(ticket.dat));
- make_error_reply (hdr, KABADTICKET, reply);
- goto out;
- }
-
- ticket.length = aticket.length;
- memcpy (ticket.dat, aticket.data, ticket.length);
-
- des_set_key (&key, schedule);
- decomp_ticket (&ticket, &flags, pname, pinst, prealm,
- &paddress, session, &life, &time_sec,
- sname, sinstance,
- &key, schedule);
-
- if (strcmp (sname, "krbtgt") != 0
- || strcmp (sinstance, v4_realm) != 0) {
- kdc_log(0, "no TGT: %s.%s for %s.%s@%s",
- sname, sinstance,
- pname, pinst, prealm);
- make_error_reply (hdr, KABADTICKET, reply);
- goto out;
- }
-
- if (kdc_time > krb_life_to_time(time_sec, life)) {
- kdc_log(0, "TGT expired: %s.%s@%s",
- pname, pinst, prealm);
- make_error_reply (hdr, KABADTICKET, reply);
- goto out;
- }
- }
-
- /* decrypt the times */
- des_set_key (&session, schedule);
- des_ecb_encrypt (times.data,
- times.data,
- schedule,
- DES_DECRYPT);
- memset (&schedule, 0, sizeof(schedule));
-
- /* and extract them */
- {
- krb5_storage *sp;
- int32_t tmp;
-
- sp = krb5_storage_from_mem (times.data, times.length);
- krb5_ret_int32 (sp, &tmp);
- start_time = tmp;
- krb5_ret_int32 (sp, &tmp);
- end_time = tmp;
- krb5_storage_free (sp);
- }
-
- /* life */
- max_life = end_time - kdc_time;
- /* end_time - kdc_time can sometimes be non-positive due to slight
- time skew between client and server. 
Let's make sure it is postive */
- if(max_life < 1)
- max_life = 1;
- if (krbtgt_entry->max_life)
- max_life = min(max_life, *krbtgt_entry->max_life);
- if (server_entry->max_life)
- max_life = min(max_life, *server_entry->max_life);
-
- life = krb_time_to_life(kdc_time, kdc_time + max_life);
-
- create_reply_ticket (hdr, skey,
- pname, pinst, prealm,
- addr, life, server_entry->kvno,
- max_seq_len,
- name, instance,
- 0, "gtkt",
- &session, reply);
- memset (&session, 0, sizeof(session));
-
-out:
- if (aticket.length) {
- memset (aticket.data, 0, aticket.length);
- krb5_data_free (&aticket);
- }
- if (times.length) {
- memset (times.data, 0, times.length);
- krb5_data_free (×);
- }
- if (auth_domain)
- free (auth_domain);
- if (name)
- free (name);
- if (instance)
- free (instance);
- if (krbtgt_entry)
- free_ent (krbtgt_entry);
- if (server_entry)
- free_ent (server_entry);
-}
-
-krb5_error_code
-do_kaserver(unsigned char *buf,
- size_t len,
- krb5_data *reply,
- const char *from,
- struct sockaddr_in *addr)
-{
- krb5_error_code ret = 0;
- struct rx_header hdr;
- u_int32_t op;
- krb5_storage *sp;
-
- if (len < RX_HEADER_SIZE)
- return -1;
- sp = krb5_storage_from_mem (buf, len);
-
- decode_rx_header (sp, &hdr);
- buf += RX_HEADER_SIZE;
- len -= RX_HEADER_SIZE;
-
- switch (hdr.type) {
- case HT_DATA :
- break;
- case HT_ACK :
- case HT_BUSY :
- case HT_ABORT :
- case HT_ACKALL :
- case HT_CHAL :
- case HT_RESP :
- case HT_DEBUG :
- default:
- /* drop */
- goto out;
- }
-
-
- if (hdr.serviceid != KA_AUTHENTICATION_SERVICE
- && hdr.serviceid != KA_TICKET_GRANTING_SERVICE) {
- ret = -1;
- goto out;
- }
-
- krb5_ret_int32(sp, &op);
- switch (op) {
- case AUTHENTICATE :
- do_authenticate (&hdr, sp, addr, reply);
- break;
- case GETTICKET :
- do_getticket (&hdr, sp, addr, reply);
- break;
- case AUTHENTICATE_OLD :
- case CHANGEPASSWORD :
- case GETTICKET_OLD :
- case SETPASSWORD :
- case SETFIELDS :
- case CREATEUSER :
- case DELETEUSER :
- case GETENTRY :
- case 
LISTENTRY :
- case GETSTATS :
- case DEBUG :
- case GETPASSWORD :
- case GETRANDOMKEY :
- case AUTHENTICATE_V2 :
- default :
- make_error_reply (&hdr, RXGEN_OPCODE, reply);
- break;
- }
-
-out:
- krb5_storage_free (sp);
- return ret;
-}
diff --git a/crypto/heimdal-0.6.3/kdc/kdc.8 b/crypto/heimdal-0.6.3/kdc/kdc.8
deleted file mode 100644
index 29cca73abd..0000000000
--- a/crypto/heimdal-0.6.3/kdc/kdc.8
+++ /dev/null 
@@ -1,233 +0,0 @@
-.\" Copyright (c) 2003 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE. 
-.\" -.\" $Id: kdc.8,v 1.23.2.1 2003/10/21 20:06:01 lha Exp $ -.\" -.Dd October 21, 2003 -.Dt KDC 8 -.Os HEIMDAL -.Sh NAME -.Nm kdc -.Nd Kerberos 5 server -.Sh SYNOPSIS -.Nm -.Oo Fl c Ar file \*(Ba Xo -.Fl -config-file= Ns Ar file -.Xc -.Oc -.Op Fl p | Fl -no-require-preauth -.Op Fl -max-request= Ns Ar size -.Op Fl H | Fl -enable-http -.Op Fl -no-524 -.Op Fl -kerberos4 -.Op Fl -kerberos4-cross-realm -.Oo Fl r Ar string \*(Ba Xo -.Fl -v4-realm= Ns Ar string -.Xc -.Oc -.Op Fl K | Fl -kaserver -.Oo Fl P Ar portspec \*(Ba Xo -.Fl -ports= Ns Ar portspec -.Xc -.Oc -.Op Fl -detach -.Op Fl -addresses= Ns Ar list of addresses -.Sh DESCRIPTION -.Nm -serves requests for tickets. -When it starts, it first checks the flags passed, any options that are -not specified with a command line flag are taken from a config file, -or from a default compiled-in value. -.Pp -Options supported: -.Bl -tag -width Ds -.It Xo -.Fl c Ar file , -.Fl -config-file= Ns Ar file -.Xc -Specifies the location of the config file, the default is -.Pa /var/heimdal/kdc.conf . -This is the only value that can't be specified in the config file. -.It Xo -.Fl p , -.Fl -no-require-preauth -.Xc -Turn off the requirement for pre-autentication in the initial AS-REQ -for all principals. -The use of pre-authentication makes it more difficult to do offline -password attacks. -You might want to turn it off if you have clients -that don't support pre-authentication. -Since the version 4 protocol doesn't support any pre-authentication, -serving version 4 clients is just about the same as not requiring -pre-athentication. -The default is to require pre-authentication. -Adding the require-preauth per principal is a more flexible way of -handling this. -.It Xo -.Fl -max-request= Ns Ar size -.Xc -Gives an upper limit on the size of the requests that the kdc is -willing to handle. -.It Xo -.Fl H , -.Fl -enable-http -.Xc -Makes the kdc listen on port 80 and handle requests encapsulated in HTTP. 
-.It Xo -.Fl -no-524 -.Xc -don't respond to 524 requests -.It Xo -.Fl -kerberos4 -.Xc -respond to Kerberos 4 requests -.It Xo -.Fl -kerberos4-cross-realm -.Xc -respond to Kerberos 4 requests from foreign realms. -This is a known security hole and should not be enabled unless you -understand the consequences and are willing to live with them. -.It Xo -.Fl r Ar string , -.Fl -v4-realm= Ns Ar string -.Xc -What realm this server should act as when dealing with version 4 -requests. -The database can contain any number of realms, but since the version 4 -protocol doesn't contain a realm for the server, it must be explicitly -specified. -The default is whatever is returned by -.Fn krb_get_lrealm . -This option is only availabe if the KDC has been compiled with version -4 support. -.It Xo -.Fl K , -.Fl -kaserver -.Xc -Enable kaserver emulation (in case it's compiled in). -.It Xo -.Fl P Ar portspec , -.Fl -ports= Ns Ar portspec -.Xc -Specifies the set of ports the KDC should listen on. -It is given as a -white-space separated list of services or port numbers. -.It Fl -addresses= Ns Ar list of addresses -The list of addresses to listen for requests on. -By default, the kdc will listen on all the locally configured -addresses. -If only a subset is desired, or the automatic detection fails, this -option might be used. -.El -.Pp -All activities are logged to one or more destinations, see -.Xr krb5.conf 5 , -and -.Xr krb5_openlog 3 . -The entity used for logging is -.Nm kdc . -.Sh CONFIGURATION FILE -The configuration file has the same syntax as -.Xr krb5.conf 5 , -but will be read before -.Pa /etc/krb5.conf , -so it may override settings found there. -Options specific to the KDC only are found in the -.Dq [kdc] -section. -All the command-line options can preferably be added in the -configuration file. 
-The only difference is the pre-authentication flag, which has to be -specified as: -.Pp -.Dl require-preauth = no -.Pp -(in fact you can specify the option as -.Fl -require-preauth=no ) . -.Pp -And there are some configuration options which do not have -command-line equivalents: -.Bl -tag -width "xxx" -offset indent -.It Li check-ticket-addresses = Va boolean -Check the addresses in the ticket when processing TGS requests. -The default is FALSE. -.It Li allow-null-ticket-addresses = Va boolean -Permit tickets with no addresses. -This option is only relevant when check-ticket-addresses is TRUE. -.It Li allow-anonymous = Va boolean -Permit anonymous tickets with no addresses. -.It Li enforce-transited-policy = Va boolean -Always verify the transited policy, ignoring the -.Va disable-transited-check -flag if set in the KDC client request. -.It encode_as_rep_as_tgs_rep = Va boolean -Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE code. -The Heimdal clients allow both. -.It kdc_warn_pwexpire = Va time -How long before password/principal expiration the KDC should start -sending out warning messages. -.El -.Pp -The configuration file is only read when the -.Nm -is started. -If changes made to the configuration file are to take effect, the -.Nm -needs to be restarted. -.Pp -An example of a config file: -.Bd -literal -offset indent -[kdc] - require-preauth = no - v4-realm = FOO.SE - key-file = /key-file -.Ed -.Sh BUGS -If the machine running the KDC has new addresses added to it, the KDC -will have to be restarted to listen to them. -The reason it doesn't just listen to wildcarded (like INADDR_ANY) -addresses, is that the replies has to come from the same address they -were sent to, and most OS:es doesn't pass this information to the -application. -If your normal mode of operation require that you add and remove -addresses, the best option is probably to listen to a wildcarded TCP -socket, and make sure your clients use TCP to connect. 
-For instance, this will listen to IPv4 TCP port 88 only: -.Bd -literal -offset indent -kdc --addresses=0.0.0.0 --ports="88/tcp" -.Ed -.Pp -There should be a way to specify protocol, port, and address triplets, -not just addresses and protocol, port tuples. -.Sh SEE ALSO -.Xr kinit 1 , -.Xr krb5.conf 5 diff --git a/crypto/heimdal-0.6.3/kdc/kdc.cat8 b/crypto/heimdal-0.6.3/kdc/kdc.cat8 deleted file mode 100644 index 3405fb6f89..0000000000 --- a/crypto/heimdal-0.6.3/kdc/kdc.cat8 +++ /dev/null 
@@ -1,148 +0,0 @@ - -KDC(8) UNIX System Manager's Manual KDC(8) - -NNAAMMEE - kkddcc - Kerberos 5 server - -SSYYNNOOPPSSIISS - kkddcc [--cc _f_i_l_e | ----ccoonnffiigg--ffiillee==_f_i_l_e] [--pp | ----nnoo--rreeqquuiirree--pprreeaauutthh] - [----mmaaxx--rreeqquueesstt==_s_i_z_e] [--HH | ----eennaabbllee--hhttttpp] [----nnoo--552244] [----kkeerrbbeerrooss44] - [----kkeerrbbeerrooss44--ccrroossss--rreeaallmm] [--rr _s_t_r_i_n_g | ----vv44--rreeaallmm==_s_t_r_i_n_g] [--KK | - ----kkaasseerrvveerr] [--PP _p_o_r_t_s_p_e_c | ----ppoorrttss==_p_o_r_t_s_p_e_c] [----ddeettaacchh] [----aaddddrreesssseess==_l_i_s_t - _o_f _a_d_d_r_e_s_s_e_s] - -DDEESSCCRRIIPPTTIIOONN - kkddcc serves requests for tickets. When it starts, it first checks the - flags passed, any options that are not specified with a command line flag - are taken from a config file, or from a default compiled-in value. - - Options supported: - - --cc _f_i_l_e, ----ccoonnffiigg--ffiillee==_f_i_l_e - Specifies the location of the config file, the default is - _/_v_a_r_/_h_e_i_m_d_a_l_/_k_d_c_._c_o_n_f. This is the only value that can't be spec- - ified in the config file. - - --pp, ----nnoo--rreeqquuiirree--pprreeaauutthh - Turn off the requirement for pre-autentication in the initial AS- - REQ for all principals. The use of pre-authentication makes it - more difficult to do offline password attacks. You might want to - turn it off if you have clients that don't support pre-authenti- - cation. Since the version 4 protocol doesn't support any pre-au- - thentication, serving version 4 clients is just about the same as - not requiring pre-athentication. The default is to require pre- - authentication. Adding the require-preauth per principal is a - more flexible way of handling this. - - ----mmaaxx--rreeqquueesstt==_s_i_z_e - Gives an upper limit on the size of the requests that the kdc is - willing to handle. 
- - --HH, ----eennaabbllee--hhttttpp - Makes the kdc listen on port 80 and handle requests encapsulated - in HTTP. - - ----nnoo--552244 - don't respond to 524 requests - - ----kkeerrbbeerrooss44 - respond to Kerberos 4 requests - - ----kkeerrbbeerrooss44--ccrroossss--rreeaallmm - respond to Kerberos 4 requests from foreign realms. This is a - known security hole and should not be enabled unless you under- - stand the consequences and are willing to live with them. - - --rr _s_t_r_i_n_g, ----vv44--rreeaallmm==_s_t_r_i_n_g - What realm this server should act as when dealing with version 4 - requests. The database can contain any number of realms, but - since the version 4 protocol doesn't contain a realm for the - server, it must be explicitly specified. The default is whatever - is returned by kkrrbb__ggeett__llrreeaallmm(). This option is only availabe if - the KDC has been compiled with version 4 support. - - --KK, ----kkaasseerrvveerr - - Enable kaserver emulation (in case it's compiled in). - - --PP _p_o_r_t_s_p_e_c, ----ppoorrttss==_p_o_r_t_s_p_e_c - Specifies the set of ports the KDC should listen on. It is given - as a white-space separated list of services or port numbers. - - ----aaddddrreesssseess==_l_i_s_t _o_f _a_d_d_r_e_s_s_e_s - The list of addresses to listen for requests on. By default, the - kdc will listen on all the locally configured addresses. If only - a subset is desired, or the automatic detection fails, this op- - tion might be used. - - All activities are logged to one or more destinations, see krb5.conf(5), - and krb5_openlog(3). The entity used for logging is kkddcc. - -CCOONNFFIIGGUURRAATTIIOONN FFIILLEE - The configuration file has the same syntax as krb5.conf(5), but will be - read before _/_e_t_c_/_k_r_b_5_._c_o_n_f, so it may override settings found there. Op- - tions specific to the KDC only are found in the ``[kdc]'' section. All - the command-line options can preferably be added in the configuration - file. 
The only difference is the pre-authentication flag, which has to - be specified as: - - require-preauth = no - - (in fact you can specify the option as ----rreeqquuiirree--pprreeaauutthh==nnoo). - - And there are some configuration options which do not have command-line - equivalents: - - check-ticket-addresses = _b_o_o_l_e_a_n - Check the addresses in the ticket when processing TGS re- - quests. The default is FALSE. - - allow-null-ticket-addresses = _b_o_o_l_e_a_n - Permit tickets with no addresses. This option is only rele- - vant when check-ticket-addresses is TRUE. - - allow-anonymous = _b_o_o_l_e_a_n - Permit anonymous tickets with no addresses. - - enforce-transited-policy = _b_o_o_l_e_a_n - Always verify the transited policy, ignoring the _d_i_s_a_b_l_e_- - _t_r_a_n_s_i_t_e_d_-_c_h_e_c_k flag if set in the KDC client request. - - encode_as_rep_as_tgs_rep = _b_o_o_l_e_a_n - Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE - code. The Heimdal clients allow both. - - kdc_warn_pwexpire = _t_i_m_e - How long before password/principal expiration the KDC should - start sending out warning messages. - - The configuration file is only read when the kkddcc is started. If changes - made to the configuration file are to take effect, the kkddcc needs to be - restarted. - - An example of a config file: - - [kdc] - require-preauth = no - v4-realm = FOO.SE - key-file = /key-file - -BBUUGGSS - If the machine running the KDC has new addresses added to it, the KDC - will have to be restarted to listen to them. The reason it doesn't just - listen to wildcarded (like INADDR_ANY) addresses, is that the replies has - to come from the same address they were sent to, and most OS:es doesn't - pass this information to the application. If your normal mode of opera- - tion require that you add and remove addresses, the best option is proba- - bly to listen to a wildcarded TCP socket, and make sure your clients use - TCP to connect. 
For instance, this will listen to IPv4 TCP port 88 only: - - kdc --addresses=0.0.0.0 --ports="88/tcp" - - There should be a way to specify protocol, port, and address triplets, - not just addresses and protocol, port tuples. - -SSEEEE AALLSSOO - kinit(1), krb5.conf(5) - - HEIMDAL October 21, 2003 3 diff --git a/crypto/heimdal-0.6.3/kdc/kdc_locl.h b/crypto/heimdal-0.6.3/kdc/kdc_locl.h deleted file mode 100644 index ed69f54573..0000000000 --- a/crypto/heimdal-0.6.3/kdc/kdc_locl.h +++ /dev/null 
@@ -1,125 +0,0 @@
-/*
- * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE. 
- */
-
-/*
- * $Id: kdc_locl.h,v 1.58.2.2 2003/10/27 11:07:16 joda Exp $
- */
-
-#ifndef __KDC_LOCL_H__
-#define __KDC_LOCL_H__
-
-#include "headers.h"
-
-extern krb5_context context;
-
-extern int require_preauth;
-extern sig_atomic_t exit_flag;
-extern size_t max_request;
-extern time_t kdc_warn_pwexpire;
-extern struct dbinfo {
- char *realm;
- char *dbname;
- char *mkey_file;
- struct dbinfo *next;
-} *databases;
-extern HDB **db;
-extern int num_db;
-extern const char *port_str;
-extern krb5_addresses explicit_addresses;
-
-extern int enable_http;
-extern krb5_boolean encode_as_rep_as_tgs_rep;
-extern krb5_boolean check_ticket_addresses;
-extern krb5_boolean allow_null_ticket_addresses;
-extern krb5_boolean allow_anonymous;
-enum { TRPOLICY_ALWAYS_CHECK,
- TRPOLICY_ALLOW_PER_PRINCIPAL,
- TRPOLICY_ALWAYS_HONOUR_REQUEST };
-extern int trpolicy;
-extern int enable_524;
-extern int enable_v4_cross_realm;
-
-#ifdef KRB4
-extern char *v4_realm;
-extern int enable_v4;
-extern krb5_boolean enable_kaserver;
-#endif
-
-#define _PATH_KDC_CONF HDB_DB_DIR "/kdc.conf"
-#define DEFAULT_LOG_DEST "0-1/FILE:" HDB_DB_DIR "/kdc.log"
-
-extern struct timeval now;
-#define kdc_time (now.tv_sec)
-
-krb5_error_code as_rep (KDC_REQ*, krb5_data*, const char*, struct sockaddr*);
-void configure (int, char**);
-krb5_error_code db_fetch (krb5_principal, hdb_entry**);
-void free_ent(hdb_entry *);
-void kdc_log (int, const char*, ...)
- __attribute__ ((format (printf, 2,3)));
-
-char* kdc_log_msg (int, const char*, ...) 
- __attribute__ ((format (printf, 2,3)));
-char* kdc_log_msg_va (int, const char*, va_list)
- __attribute__ ((format (printf, 2,0)));
-void kdc_openlog (void);
-void loop (void);
-void set_master_key (EncryptionKey);
-krb5_error_code tgs_rep (KDC_REQ*, krb5_data*, const char*, struct sockaddr *);
-Key* unseal_key (Key*);
-krb5_error_code check_flags(hdb_entry *client, const char *client_name,
- hdb_entry *server, const char *server_name,
- krb5_boolean is_as_req);
-
-krb5_error_code get_des_key(hdb_entry*, krb5_boolean, krb5_boolean, Key**);
-krb5_error_code encode_v4_ticket (void*, size_t, const EncTicketPart*,
- const PrincipalName*, size_t*);
-krb5_error_code do_524 (const Ticket*, krb5_data*, const char*, struct sockaddr*);
-
-#ifdef KRB4
-krb5_error_code db_fetch4 (const char*, const char*, const char*, hdb_entry**);
-krb5_error_code do_version4 (unsigned char*, size_t, krb5_data*, const char*,
- struct sockaddr_in*);
-int maybe_version4 (unsigned char*, int);
-#endif
-
-#ifdef KRB4
-krb5_error_code do_kaserver (unsigned char*, size_t, krb5_data*, const char*,
- struct sockaddr_in*);
-#endif
-
-#ifdef HAVE_OPENSSL
-#define des_new_random_key des_random_key
-#endif
-
-#endif /* __KDC_LOCL_H__ */
diff --git a/crypto/heimdal-0.6.3/kdc/kerberos4.c b/crypto/heimdal-0.6.3/kdc/kerberos4.c
deleted file mode 100644
index 050db5d8f5..0000000000
--- a/crypto/heimdal-0.6.3/kdc/kerberos4.c
+++ /dev/null 
@@ -1,656 +0,0 @@
-/*
- * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "kdc_locl.h" - -RCSID("$Id: kerberos4.c,v 1.45.2.1 2004/03/30 10:29:27 lha Exp $"); - -#ifdef KRB4 - -#ifndef swap32 -static u_int32_t -swap32(u_int32_t x) -{ - return ((x << 24) & 0xff000000) | - ((x << 8) & 0xff0000) | - ((x >> 8) & 0xff00) | - ((x >> 24) & 0xff); -} -#endif /* swap32 */ - -int -maybe_version4(unsigned char *buf, int len) -{ - return len > 0 && *buf == 4; -} - -static void -make_err_reply(krb5_data *reply, int code, const char *msg) -{ - KTEXT_ST er; - - /* name, instance and realm are not checked in most (all?) - implementations; msg is also never used, but we send it anyway - (for debugging purposes) */ - - if(msg == NULL) - msg = krb_get_err_text(code); - cr_err_reply(&er, "", "", "", kdc_time, code, (char*)msg); - krb5_data_copy(reply, er.dat, er.length); -} - -static krb5_boolean -valid_princ(krb5_context context, krb5_principal princ) -{ - krb5_error_code ret; - char *s; - hdb_entry *ent; - - ret = krb5_unparse_name(context, princ, &s); - if (ret) - return FALSE; - ret = db_fetch(princ, &ent); - if (ret) { - kdc_log(7, "Lookup %s failed: %s", s, - krb5_get_err_text (context, ret)); - free(s); - return FALSE; - } - kdc_log(7, "Lookup %s succeeded", s); - free(s); - free_ent(ent); - return TRUE; -} - -krb5_error_code -db_fetch4(const char *name, const char *instance, const char *realm, - hdb_entry **ent) -{ - krb5_principal p; - krb5_error_code ret; - - ret = krb5_425_conv_principal_ext(context, name, instance, realm, - valid_princ, 0, &p); - if(ret) - return ret; - ret = db_fetch(p, ent); - krb5_free_principal(context, p); - return ret; -} - -#define RCHECK(X, L) if(X){make_err_reply(reply, KFAILURE, "Packet too short"); goto L;} - -/* - * Process the v4 request in `buf, len' (received from `addr' - * (with string `from'). - * Return an error code and a reply in `reply'. 
- */ - -krb5_error_code -do_version4(unsigned char *buf, - size_t len, - krb5_data *reply, - const char *from, - struct sockaddr_in *addr) -{ - krb5_storage *sp; - krb5_error_code ret; - hdb_entry *client = NULL, *server = NULL; - Key *ckey, *skey; - int8_t pvno; - int8_t msg_type; - int lsb; - char *name = NULL, *inst = NULL, *realm = NULL; - char *sname = NULL, *sinst = NULL; - int32_t req_time; - time_t max_life, max_end, actual_end, issue_time; - u_int8_t life; - char client_name[256]; - char server_name[256]; - - if(!enable_v4) { - kdc_log(0, "Rejected version 4 request from %s", from); - make_err_reply(reply, KDC_GEN_ERR, "function not enabled"); - return 0; - } - - sp = krb5_storage_from_mem(buf, len); - RCHECK(krb5_ret_int8(sp, &pvno), out); - if(pvno != 4){ - kdc_log(0, "Protocol version mismatch (krb4) (%d)", pvno); - make_err_reply(reply, KDC_PKT_VER, NULL); - goto out; - } - RCHECK(krb5_ret_int8(sp, &msg_type), out); - lsb = msg_type & 1; - msg_type &= ~1; - switch(msg_type){ - case AUTH_MSG_KDC_REQUEST: - RCHECK(krb5_ret_stringz(sp, &name), out1); - RCHECK(krb5_ret_stringz(sp, &inst), out1); - RCHECK(krb5_ret_stringz(sp, &realm), out1); - RCHECK(krb5_ret_int32(sp, &req_time), out1); - if(lsb) - req_time = swap32(req_time); - RCHECK(krb5_ret_int8(sp, &life), out1); - RCHECK(krb5_ret_stringz(sp, &sname), out1); - RCHECK(krb5_ret_stringz(sp, &sinst), out1); - snprintf (client_name, sizeof(client_name), - "%s.%s@%s", name, inst, realm); - snprintf (server_name, sizeof(server_name), - "%s.%s@%s", sname, sinst, v4_realm); - - kdc_log(0, "AS-REQ (krb4) %s from %s for %s", - client_name, from, server_name); - - ret = db_fetch4(name, inst, realm, &client); - if(ret) { - kdc_log(0, "Client not found in database: %s: %s", - client_name, krb5_get_err_text(context, ret)); - make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, NULL); - goto out1; - } - ret = db_fetch4(sname, sinst, v4_realm, &server); - if(ret){ - kdc_log(0, "Server not found in database: %s: %s", - 
server_name, krb5_get_err_text(context, ret)); - make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, NULL); - goto out1; - } - - ret = check_flags (client, client_name, - server, server_name, - TRUE); - if (ret) { - /* good error code? */ - make_err_reply(reply, KERB_ERR_NAME_EXP, NULL); - goto out1; - } - - /* - * There's no way to do pre-authentication in v4 and thus no - * good error code to return if preauthentication is required. - */ - - if (require_preauth - || client->flags.require_preauth - || server->flags.require_preauth) { - kdc_log(0, - "Pre-authentication required for v4-request: " - "%s for %s", - client_name, server_name); - make_err_reply(reply, KERB_ERR_NULL_KEY, NULL); - goto out1; - } - - ret = get_des_key(client, FALSE, FALSE, &ckey); - if(ret){ - kdc_log(0, "no suitable DES key for client"); - make_err_reply(reply, KDC_NULL_KEY, - "no suitable DES key for client"); - goto out1; - } - -#if 0 - /* this is not necessary with the new code in libkrb */ - /* find a properly salted key */ - while(ckey->salt == NULL || ckey->salt->salt.length != 0) - ret = hdb_next_keytype2key(context, client, KEYTYPE_DES, &ckey); - if(ret){ - kdc_log(0, "No version-4 salted key in database -- %s.%s@%s", - name, inst, realm); - make_err_reply(reply, KDC_NULL_KEY, - "No version-4 salted key in database"); - goto out1; - } -#endif - - ret = get_des_key(server, TRUE, FALSE, &skey); - if(ret){ - kdc_log(0, "no suitable DES key for server"); - /* XXX */ - make_err_reply(reply, KDC_NULL_KEY, - "no suitable DES key for server"); - goto out1; - } - - max_life = krb_life_to_time(0, life); - if(client->max_life) - max_life = min(max_life, *client->max_life); - if(server->max_life) - max_life = min(max_life, *server->max_life); - - life = krb_time_to_life(kdc_time, kdc_time + max_life); - - { - KTEXT_ST cipher, ticket; - KTEXT r; - des_cblock session; - - des_new_random_key(&session); - - krb_create_ticket(&ticket, 0, name, inst, v4_realm, - addr->sin_addr.s_addr, session, life, 
kdc_time, - sname, sinst, skey->key.keyvalue.data); - - create_ciph(&cipher, session, sname, sinst, v4_realm, - life, server->kvno % 256, &ticket, kdc_time, - ckey->key.keyvalue.data); - memset(&session, 0, sizeof(session)); - r = create_auth_reply(name, inst, realm, req_time, 0, - client->pw_end ? *client->pw_end : 0, - client->kvno % 256, &cipher); - krb5_data_copy(reply, r->dat, r->length); - memset(&cipher, 0, sizeof(cipher)); - memset(&ticket, 0, sizeof(ticket)); - } - out1: - break; - case AUTH_MSG_APPL_REQUEST: { - int8_t kvno; - int8_t ticket_len; - int8_t req_len; - KTEXT_ST auth; - AUTH_DAT ad; - size_t pos; - krb5_principal tgt_princ = NULL; - hdb_entry *tgt = NULL; - Key *tkey; - - RCHECK(krb5_ret_int8(sp, &kvno), out2); - RCHECK(krb5_ret_stringz(sp, &realm), out2); - - ret = krb5_425_conv_principal(context, "krbtgt", realm, v4_realm, - &tgt_princ); - if(ret){ - kdc_log(0, "Converting krbtgt principal (krb4): %s", - krb5_get_err_text(context, ret)); - make_err_reply(reply, KFAILURE, - "Failed to convert v4 principal (krbtgt)"); - goto out2; - } - - ret = db_fetch(tgt_princ, &tgt); - if(ret){ - char *s; - s = kdc_log_msg(0, "Ticket-granting ticket not " - "found in database (krb4): krbtgt.%s@%s: %s", - realm, v4_realm, - krb5_get_err_text(context, ret)); - make_err_reply(reply, KFAILURE, s); - free(s); - goto out2; - } - - if(tgt->kvno % 256 != kvno){ - kdc_log(0, "tgs-req (krb4) with old kvno %d (current %d) for " - "krbtgt.%s@%s", kvno, tgt->kvno % 256, realm, v4_realm); - make_err_reply(reply, KDC_AUTH_EXP, - "old krbtgt kvno used"); - goto out2; - } - - ret = get_des_key(tgt, TRUE, FALSE, &tkey); - if(ret){ - kdc_log(0, "no suitable DES key for krbtgt (krb4)"); - /* XXX */ - make_err_reply(reply, KDC_NULL_KEY, - "no suitable DES key for krbtgt"); - goto out2; - } - - RCHECK(krb5_ret_int8(sp, &ticket_len), out2); - RCHECK(krb5_ret_int8(sp, &req_len), out2); - - pos = krb5_storage_seek(sp, ticket_len + req_len, SEEK_CUR); - - memset(&auth, 0, 
sizeof(auth)); - memcpy(&auth.dat, buf, pos); - auth.length = pos; - krb_set_key(tkey->key.keyvalue.data, 0); - - krb_ignore_ip_address = !check_ticket_addresses; - - ret = krb_rd_req(&auth, "krbtgt", realm, - addr->sin_addr.s_addr, &ad, 0); - if(ret){ - kdc_log(0, "krb_rd_req: %s", krb_get_err_text(ret)); - make_err_reply(reply, ret, NULL); - goto out2; - } - - RCHECK(krb5_ret_int32(sp, &req_time), out2); - if(lsb) - req_time = swap32(req_time); - RCHECK(krb5_ret_int8(sp, &life), out2); - RCHECK(krb5_ret_stringz(sp, &sname), out2); - RCHECK(krb5_ret_stringz(sp, &sinst), out2); - snprintf (server_name, sizeof(server_name), - "%s.%s@%s", - sname, sinst, v4_realm); - - kdc_log(0, "TGS-REQ (krb4) %s.%s@%s from %s for %s", - ad.pname, ad.pinst, ad.prealm, from, server_name); - - if(strcmp(ad.prealm, realm)){ - kdc_log(0, "Can't hop realms (krb4) %s -> %s", realm, ad.prealm); - make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, - "Can't hop realms"); - goto out2; - } - - if (!enable_v4_cross_realm && strcmp(realm, v4_realm) != 0) { - kdc_log(0, "krb4 Cross-realm %s -> %s disabled", realm, v4_realm); - make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, - "Can't hop realms"); - goto out2; - } - - if(strcmp(sname, "changepw") == 0){ - kdc_log(0, "Bad request for changepw ticket (krb4)"); - make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, - "Can't authorize password change based on TGT"); - goto out2; - } - -#if 0 - ret = db_fetch4(ad.pname, ad.pinst, ad.prealm, &client); - if(ret){ - char *s; - s = kdc_log_msg(0, "Client not found in database: (krb4) " - "%s.%s@%s: %s", - ad.pname, ad.pinst, ad.prealm, - krb5_get_err_text(context, ret)); - make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, s); - free(s); - goto out2; - } -#endif - - ret = db_fetch4(sname, sinst, v4_realm, &server); - if(ret){ - char *s; - s = kdc_log_msg(0, "Server not found in database (krb4): %s: %s", - server_name, krb5_get_err_text(context, ret)); - make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, s); - 
free(s); - goto out2; - } - - ret = check_flags (NULL, NULL, - server, server_name, - FALSE); - if (ret) { - /* good error code? */ - make_err_reply(reply, KERB_ERR_NAME_EXP, NULL); - goto out2; - } - - ret = get_des_key(server, TRUE, FALSE, &skey); - if(ret){ - kdc_log(0, "no suitable DES key for server (krb4)"); - /* XXX */ - make_err_reply(reply, KDC_NULL_KEY, - "no suitable DES key for server"); - goto out2; - } - - max_end = krb_life_to_time(ad.time_sec, ad.life); - max_end = min(max_end, krb_life_to_time(kdc_time, life)); - life = min(life, krb_time_to_life(kdc_time, max_end)); - - issue_time = kdc_time; - actual_end = krb_life_to_time(issue_time, life); - while (actual_end > max_end && life > 1) { - /* move them into the next earlier lifetime bracket */ - life--; - actual_end = krb_life_to_time(issue_time, life); - } - if (actual_end > max_end) { - /* if life <= 1 and it's still too long, backdate the ticket */ - issue_time -= actual_end - max_end; - } - - { - KTEXT_ST cipher, ticket; - KTEXT r; - des_cblock session; - des_new_random_key(&session); - - krb_create_ticket(&ticket, 0, ad.pname, ad.pinst, ad.prealm, - addr->sin_addr.s_addr, &session, life, - issue_time, - sname, sinst, skey->key.keyvalue.data); - - create_ciph(&cipher, session, sname, sinst, v4_realm, - life, server->kvno % 256, &ticket, - issue_time, &ad.session); - - memset(&session, 0, sizeof(session)); - memset(ad.session, 0, sizeof(ad.session)); - - r = create_auth_reply(ad.pname, ad.pinst, ad.prealm, - req_time, 0, 0, 0, &cipher); - krb5_data_copy(reply, r->dat, r->length); - memset(&cipher, 0, sizeof(cipher)); - memset(&ticket, 0, sizeof(ticket)); - } - out2: - if(tgt_princ) - krb5_free_principal(context, tgt_princ); - if(tgt) - free_ent(tgt); - break; - } - - case AUTH_MSG_ERR_REPLY: - break; - default: - kdc_log(0, "Unknown message type (krb4): %d from %s", - msg_type, from); - - make_err_reply(reply, KFAILURE, "Unknown message type"); - } -out: - if(name) - free(name); - if(inst) - 
free(inst); - if(realm) - free(realm); - if(sname) - free(sname); - if(sinst) - free(sinst); - if(client) - free_ent(client); - if(server) - free_ent(server); - krb5_storage_free(sp); - return 0; -} - -#else /* KRB4 */ - -#include - -#endif /* KRB4 */ - -krb5_error_code -encode_v4_ticket(void *buf, size_t len, const EncTicketPart *et, - const PrincipalName *service, size_t *size) -{ - krb5_storage *sp; - krb5_error_code ret; - char name[40], inst[40], realm[40]; - char sname[40], sinst[40]; - - { - krb5_principal princ; - principalname2krb5_principal(&princ, - *service, - et->crealm); - ret = krb5_524_conv_principal(context, - princ, - sname, - sinst, - realm); - krb5_free_principal(context, princ); - if(ret) - return ret; - - principalname2krb5_principal(&princ, - et->cname, - et->crealm); - - ret = krb5_524_conv_principal(context, - princ, - name, - inst, - realm); - krb5_free_principal(context, princ); - } - if(ret) - return ret; - - sp = krb5_storage_emem(); - - krb5_store_int8(sp, 0); /* flags */ - krb5_store_stringz(sp, name); - krb5_store_stringz(sp, inst); - krb5_store_stringz(sp, realm); - { - unsigned char tmp[4] = { 0, 0, 0, 0 }; - int i; - if(et->caddr){ - for(i = 0; i < et->caddr->len; i++) - if(et->caddr->val[i].addr_type == AF_INET && - et->caddr->val[i].address.length == 4){ - memcpy(tmp, et->caddr->val[i].address.data, 4); - break; - } - } - krb5_storage_write(sp, tmp, sizeof(tmp)); - } - - if((et->key.keytype != ETYPE_DES_CBC_MD5 && - et->key.keytype != ETYPE_DES_CBC_MD4 && - et->key.keytype != ETYPE_DES_CBC_CRC) || - et->key.keyvalue.length != 8) - return -1; - krb5_storage_write(sp, et->key.keyvalue.data, 8); - - { - time_t start = et->starttime ? 
*et->starttime : et->authtime; - krb5_store_int8(sp, krb_time_to_life(start, et->endtime)); - krb5_store_int32(sp, start); - } - - krb5_store_stringz(sp, sname); - krb5_store_stringz(sp, sinst); - - { - krb5_data data; - krb5_storage_to_data(sp, &data); - krb5_storage_free(sp); - *size = (data.length + 7) & ~7; /* pad to 8 bytes */ - if(*size > len) - return -1; - memset((unsigned char*)buf - *size + 1, 0, *size); - memcpy((unsigned char*)buf - *size + 1, data.data, data.length); - krb5_data_free(&data); - } - return 0; -} - -krb5_error_code -get_des_key(hdb_entry *principal, krb5_boolean is_server, - krb5_boolean prefer_afs_key, Key **ret_key) -{ - Key *v5_key = NULL, *v4_key = NULL, *afs_key = NULL, *server_key = NULL; - int i; - krb5_enctype etypes[] = { ETYPE_DES_CBC_MD5, - ETYPE_DES_CBC_MD4, - ETYPE_DES_CBC_CRC }; - - for(i = 0; - i < sizeof(etypes)/sizeof(etypes[0]) - && (v5_key == NULL || v4_key == NULL || - afs_key == NULL || server_key == NULL); - ++i) { - Key *key = NULL; - while(hdb_next_enctype2key(context, principal, etypes[i], &key) == 0) { - if(key->salt == NULL) { - if(v5_key == NULL) - v5_key = key; - } else if(key->salt->type == hdb_pw_salt && - key->salt->salt.length == 0) { - if(v4_key == NULL) - v4_key = key; - } else if(key->salt->type == hdb_afs3_salt) { - if(afs_key == NULL) - afs_key = key; - } else if(server_key == NULL) - server_key = key; - } - } - - if(prefer_afs_key) { - if(afs_key) - *ret_key = afs_key; - else if(v4_key) - *ret_key = v4_key; - else if(v5_key) - *ret_key = v5_key; - else if(is_server && server_key) - *ret_key = server_key; - else - return KERB_ERR_NULL_KEY; - } else { - if(v4_key) - *ret_key = v4_key; - else if(afs_key) - *ret_key = afs_key; - else if(v5_key) - *ret_key = v5_key; - else if(is_server && server_key) - *ret_key = server_key; - else - return KERB_ERR_NULL_KEY; - } - - if((*ret_key)->key.keyvalue.length == 0) - return KERB_ERR_NULL_KEY; - return 0; -} - 
diff --git a/crypto/heimdal-0.6.3/kdc/kerberos5.c b/crypto/heimdal-0.6.3/kdc/kerberos5.c
deleted file mode 100644
index f2736fd284..0000000000
--- a/crypto/heimdal-0.6.3/kdc/kerberos5.c
+++ /dev/null
@@ -1,1915 +0,0 @@
-/*
- * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "kdc_locl.h" - -RCSID("$Id: kerberos5.c,v 1.145.2.4 2004/08/13 19:28:26 lha Exp $"); - -#define MAX_TIME ((time_t)((1U << 31) - 1)) - -static void -fix_time(time_t **t) -{ - if(*t == NULL){ - ALLOC(*t); - **t = MAX_TIME; - } - if(**t == 0) **t = MAX_TIME; /* fix for old clients */ -} - -static void -set_salt_padata (METHOD_DATA **m, Salt *salt) -{ - if (salt) { - ALLOC(*m); - (*m)->len = 1; - ALLOC((*m)->val); - (*m)->val->padata_type = salt->type; - copy_octet_string(&salt->salt, - &(*m)->val->padata_value); - } -} - -static PA_DATA* -find_padata(KDC_REQ *req, int *start, int type) -{ - while(*start < req->padata->len){ - (*start)++; - if(req->padata->val[*start - 1].padata_type == type) - return &req->padata->val[*start - 1]; - } - return NULL; -} - -/* - * return the first appropriate key of `princ' in `ret_key'. Look for - * all the etypes in (`etypes', `len'), stopping as soon as we find - * one, but preferring one that has default salt - */ - -static krb5_error_code -find_etype(hdb_entry *princ, krb5_enctype *etypes, unsigned len, - Key **ret_key, krb5_enctype *ret_etype) -{ - int i; - krb5_error_code ret = KRB5KDC_ERR_ETYPE_NOSUPP; - - for(i = 0; ret != 0 && i < len ; i++) { - Key *key = NULL; - - while (hdb_next_enctype2key(context, princ, etypes[i], &key) == 0) { - if (key->key.keyvalue.length == 0) { - ret = KRB5KDC_ERR_NULL_KEY; - continue; - } - *ret_key = key; - *ret_etype = etypes[i]; - ret = 0; - if (key->salt == NULL) - return ret; - } - } - return ret; -} - -static krb5_error_code -find_keys(hdb_entry *client, - hdb_entry *server, - Key **ckey, - krb5_enctype *cetype, - Key **skey, - krb5_enctype *setype, - krb5_enctype *etypes, - unsigned num_etypes) -{ - krb5_error_code ret; - - if(client){ - /* find client key */ - ret = find_etype(client, etypes, num_etypes, ckey, cetype); - if (ret) { - kdc_log(0, "Client has no support for etypes"); - return ret; - } - } - - if(server){ - /* find server key */ - ret = find_etype(server, 
etypes, num_etypes, skey, setype); - if (ret) { - kdc_log(0, "Server has no support for etypes"); - return ret; - } - } - return 0; -} - -static krb5_error_code -make_anonymous_principalname (PrincipalName *pn) -{ - pn->name_type = KRB5_NT_PRINCIPAL; - pn->name_string.len = 1; - pn->name_string.val = malloc(sizeof(*pn->name_string.val)); - if (pn->name_string.val == NULL) - return ENOMEM; - pn->name_string.val[0] = strdup("anonymous"); - if (pn->name_string.val[0] == NULL) { - free(pn->name_string.val); - pn->name_string.val = NULL; - return ENOMEM; - } - return 0; -} - -static krb5_error_code -encode_reply(KDC_REP *rep, EncTicketPart *et, EncKDCRepPart *ek, - krb5_enctype etype, - int skvno, EncryptionKey *skey, - int ckvno, EncryptionKey *ckey, - const char **e_text, - krb5_data *reply) -{ - unsigned char *buf; - size_t buf_size; - size_t len; - krb5_error_code ret; - krb5_crypto crypto; - - ASN1_MALLOC_ENCODE(EncTicketPart, buf, buf_size, et, &len, ret); - if(ret) { - kdc_log(0, "Failed to encode ticket: %s", - krb5_get_err_text(context, ret)); - return ret; - } - if(buf_size != len) { - free(buf); - kdc_log(0, "Internal error in ASN.1 encoder"); - *e_text = "KDC internal error"; - return KRB5KRB_ERR_GENERIC; - } - - ret = krb5_crypto_init(context, skey, etype, &crypto); - if (ret) { - free(buf); - kdc_log(0, "krb5_crypto_init failed: %s", - krb5_get_err_text(context, ret)); - return ret; - } - - ret = krb5_encrypt_EncryptedData(context, - crypto, - KRB5_KU_TICKET, - buf, - len, - skvno, - &rep->ticket.enc_part); - free(buf); - krb5_crypto_destroy(context, crypto); - if(ret) { - kdc_log(0, "Failed to encrypt data: %s", - krb5_get_err_text(context, ret)); - return ret; - } - - if(rep->msg_type == krb_as_rep && !encode_as_rep_as_tgs_rep) - ASN1_MALLOC_ENCODE(EncASRepPart, buf, buf_size, ek, &len, ret); - else - ASN1_MALLOC_ENCODE(EncTGSRepPart, buf, buf_size, ek, &len, ret); - if(ret) { - kdc_log(0, "Failed to encode KDC-REP: %s", - krb5_get_err_text(context, 
ret)); - return ret; - } - if(buf_size != len) { - free(buf); - kdc_log(0, "Internal error in ASN.1 encoder"); - *e_text = "KDC internal error"; - return KRB5KRB_ERR_GENERIC; - } - ret = krb5_crypto_init(context, ckey, 0, &crypto); - if (ret) { - free(buf); - kdc_log(0, "krb5_crypto_init failed: %s", - krb5_get_err_text(context, ret)); - return ret; - } - if(rep->msg_type == krb_as_rep) { - krb5_encrypt_EncryptedData(context, - crypto, - KRB5_KU_AS_REP_ENC_PART, - buf, - len, - ckvno, - &rep->enc_part); - free(buf); - ASN1_MALLOC_ENCODE(AS_REP, buf, buf_size, rep, &len, ret); - } else { - krb5_encrypt_EncryptedData(context, - crypto, - KRB5_KU_TGS_REP_ENC_PART_SESSION, - buf, - len, - ckvno, - &rep->enc_part); - free(buf); - ASN1_MALLOC_ENCODE(TGS_REP, buf, buf_size, rep, &len, ret); - } - krb5_crypto_destroy(context, crypto); - if(ret) { - kdc_log(0, "Failed to encode KDC-REP: %s", - krb5_get_err_text(context, ret)); - return ret; - } - if(buf_size != len) { - free(buf); - kdc_log(0, "Internal error in ASN.1 encoder"); - *e_text = "KDC internal error"; - return KRB5KRB_ERR_GENERIC; - } - reply->data = buf; - reply->length = buf_size; - return 0; -} - -static int -realloc_method_data(METHOD_DATA *md) -{ - PA_DATA *pa; - pa = realloc(md->val, (md->len + 1) * sizeof(*md->val)); - if(pa == NULL) - return ENOMEM; - md->val = pa; - md->len++; - return 0; -} - -static krb5_error_code -make_etype_info_entry(ETYPE_INFO_ENTRY *ent, Key *key) -{ - ent->etype = key->key.keytype; - if(key->salt){ - ALLOC(ent->salttype); -#if 0 - if(key->salt->type == hdb_pw_salt) - *ent->salttype = 0; /* or 1? or NULL? 
*/ - else if(key->salt->type == hdb_afs3_salt) - *ent->salttype = 2; - else { - kdc_log(0, "unknown salt-type: %d", - key->salt->type); - return KRB5KRB_ERR_GENERIC; - } - /* according to `the specs', we can't send a salt if - we have AFS3 salted key, but that requires that you - *know* what cell you are using (e.g by assuming - that the cell is the same as the realm in lower - case) */ -#else - *ent->salttype = key->salt->type; -#endif - krb5_copy_data(context, &key->salt->salt, - &ent->salt); - } else { - /* we return no salt type at all, as that should indicate - * the default salt type and make everybody happy. some - * systems (like w2k) dislike being told the salt type - * here. */ - - ent->salttype = NULL; - ent->salt = NULL; - } - return 0; -} - -static krb5_error_code -get_pa_etype_info(METHOD_DATA *md, hdb_entry *client, - ENCTYPE *etypes, unsigned int etypes_len) -{ - krb5_error_code ret = 0; - int i, j; - unsigned int n = 0; - ETYPE_INFO pa; - unsigned char *buf; - size_t len; - - - pa.len = client->keys.len; - if(pa.len > UINT_MAX/sizeof(*pa.val)) - return ERANGE; - pa.val = malloc(pa.len * sizeof(*pa.val)); - if(pa.val == NULL) - return ENOMEM; - - for(j = 0; j < etypes_len; j++) { - for (i = 0; i < n; i++) - if (pa.val[i].etype == etypes[j]) - goto skip1; - for(i = 0; i < client->keys.len; i++) { - if(client->keys.val[i].key.keytype == etypes[j]) - if((ret = make_etype_info_entry(&pa.val[n++], - &client->keys.val[i])) != 0) { - free_ETYPE_INFO(&pa); - return ret; - } - } - skip1:; - } - for(i = 0; i < client->keys.len; i++) { - for(j = 0; j < etypes_len; j++) { - if(client->keys.val[i].key.keytype == etypes[j]) - goto skip2; - } - if((ret = make_etype_info_entry(&pa.val[n++], - &client->keys.val[i])) != 0) { - free_ETYPE_INFO(&pa); - return ret; - } - skip2:; - } - - if(n != pa.len) { - char *name; - krb5_unparse_name(context, client->principal, &name); - kdc_log(0, "internal error in get_pa_etype_info(%s): %d != %d", - name, n, pa.len); - 
free(name); - pa.len = n; - } - - ASN1_MALLOC_ENCODE(ETYPE_INFO, buf, len, &pa, &len, ret); - free_ETYPE_INFO(&pa); - if(ret) - return ret; - ret = realloc_method_data(md); - if(ret) { - free(buf); - return ret; - } - md->val[md->len - 1].padata_type = KRB5_PADATA_ETYPE_INFO; - md->val[md->len - 1].padata_value.length = len; - md->val[md->len - 1].padata_value.data = buf; - return 0; -} - -/* - * verify the flags on `client' and `server', returning 0 - * if they are OK and generating an error messages and returning - * and error code otherwise. - */ - -krb5_error_code -check_flags(hdb_entry *client, const char *client_name, - hdb_entry *server, const char *server_name, - krb5_boolean is_as_req) -{ - if(client != NULL) { - /* check client */ - if (client->flags.invalid) { - kdc_log(0, "Client (%s) has invalid bit set", client_name); - return KRB5KDC_ERR_POLICY; - } - - if(!client->flags.client){ - kdc_log(0, "Principal may not act as client -- %s", - client_name); - return KRB5KDC_ERR_POLICY; - } - - if (client->valid_start && *client->valid_start > kdc_time) { - kdc_log(0, "Client not yet valid -- %s", client_name); - return KRB5KDC_ERR_CLIENT_NOTYET; - } - - if (client->valid_end && *client->valid_end < kdc_time) { - kdc_log(0, "Client expired -- %s", client_name); - return KRB5KDC_ERR_NAME_EXP; - } - - if (client->pw_end && *client->pw_end < kdc_time - && !server->flags.change_pw) { - kdc_log(0, "Client's key has expired -- %s", client_name); - return KRB5KDC_ERR_KEY_EXPIRED; - } - } - - /* check server */ - - if (server != NULL) { - if (server->flags.invalid) { - kdc_log(0, "Server has invalid flag set -- %s", server_name); - return KRB5KDC_ERR_POLICY; - } - - if(!server->flags.server){ - kdc_log(0, "Principal may not act as server -- %s", - server_name); - return KRB5KDC_ERR_POLICY; - } - - if(!is_as_req && server->flags.initial) { - kdc_log(0, "AS-REQ is required for server -- %s", server_name); - return KRB5KDC_ERR_POLICY; - } - - if (server->valid_start && 
*server->valid_start > kdc_time) { - kdc_log(0, "Server not yet valid -- %s", server_name); - return KRB5KDC_ERR_SERVICE_NOTYET; - } - - if (server->valid_end && *server->valid_end < kdc_time) { - kdc_log(0, "Server expired -- %s", server_name); - return KRB5KDC_ERR_SERVICE_EXP; - } - - if (server->pw_end && *server->pw_end < kdc_time) { - kdc_log(0, "Server's key has expired -- %s", server_name); - return KRB5KDC_ERR_KEY_EXPIRED; - } - } - return 0; -} - -/* - * Return TRUE if `from' is part of `addresses' taking into consideration - * the configuration variables that tells us how strict we should be about - * these checks - */ - -static krb5_boolean -check_addresses(HostAddresses *addresses, const struct sockaddr *from) -{ - krb5_error_code ret; - krb5_address addr; - krb5_boolean result; - - if(check_ticket_addresses == 0) - return TRUE; - - if(addresses == NULL) - return allow_null_ticket_addresses; - - ret = krb5_sockaddr2address (context, from, &addr); - if(ret) - return FALSE; - - result = krb5_address_search(context, &addr, addresses); - krb5_free_address (context, &addr); - return result; -} - -krb5_error_code -as_rep(KDC_REQ *req, - krb5_data *reply, - const char *from, - struct sockaddr *from_addr) -{ - KDC_REQ_BODY *b = &req->req_body; - AS_REP rep; - KDCOptions f = b->kdc_options; - hdb_entry *client = NULL, *server = NULL; - krb5_enctype cetype, setype; - EncTicketPart et; - EncKDCRepPart ek; - krb5_principal client_princ = NULL, server_princ = NULL; - char *client_name = NULL, *server_name = NULL; - krb5_error_code ret = 0; - const char *e_text = NULL; - krb5_crypto crypto; - Key *ckey, *skey; - - memset(&rep, 0, sizeof(rep)); - - if(b->sname == NULL){ - ret = KRB5KRB_ERR_GENERIC; - e_text = "No server in request"; - } else{ - principalname2krb5_principal (&server_princ, *(b->sname), b->realm); - krb5_unparse_name(context, server_princ, &server_name); - } - if (ret) { - kdc_log(0, "AS-REQ malformed server name from %s", from); - goto out; - } - - 
if(b->cname == NULL){ - ret = KRB5KRB_ERR_GENERIC; - e_text = "No client in request"; - } else { - principalname2krb5_principal (&client_princ, *(b->cname), b->realm); - krb5_unparse_name(context, client_princ, &client_name); - } - if (ret) { - kdc_log(0, "AS-REQ malformed client name from %s", from); - goto out; - } - - kdc_log(0, "AS-REQ %s from %s for %s", client_name, from, server_name); - - ret = db_fetch(client_princ, &client); - if(ret){ - kdc_log(0, "UNKNOWN -- %s: %s", client_name, - krb5_get_err_text(context, ret)); - ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; - goto out; - } - - ret = db_fetch(server_princ, &server); - if(ret){ - kdc_log(0, "UNKNOWN -- %s: %s", server_name, - krb5_get_err_text(context, ret)); - ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; - goto out; - } - - ret = check_flags(client, client_name, server, server_name, TRUE); - if(ret) - goto out; - - memset(&et, 0, sizeof(et)); - memset(&ek, 0, sizeof(ek)); - - if(req->padata){ - int i = 0; - PA_DATA *pa; - int found_pa = 0; - kdc_log(5, "Looking for pa-data -- %s", client_name); - while((pa = find_padata(req, &i, KRB5_PADATA_ENC_TIMESTAMP))){ - krb5_data ts_data; - PA_ENC_TS_ENC p; - time_t patime; - size_t len; - EncryptedData enc_data; - Key *pa_key; - - found_pa = 1; - - ret = decode_EncryptedData(pa->padata_value.data, - pa->padata_value.length, - &enc_data, - &len); - if (ret) { - ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; - kdc_log(5, "Failed to decode PA-DATA -- %s", - client_name); - goto out; - } - - ret = hdb_enctype2key(context, client, enc_data.etype, &pa_key); - if(ret){ - char *estr; - e_text = "No key matches pa-data"; - ret = KRB5KDC_ERR_PREAUTH_FAILED; - if(krb5_enctype_to_string(context, enc_data.etype, &estr)) - estr = NULL; - if(estr == NULL) - kdc_log(5, "No client key matching pa-data (%d) -- %s", - enc_data.etype, client_name); - else - kdc_log(5, "No client key matching pa-data (%s) -- %s", - estr, client_name); - free(estr); - - free_EncryptedData(&enc_data); - continue; - } - - 
try_next_key: - ret = krb5_crypto_init(context, &pa_key->key, 0, &crypto); - if (ret) { - kdc_log(0, "krb5_crypto_init failed: %s", - krb5_get_err_text(context, ret)); - free_EncryptedData(&enc_data); - continue; - } - - ret = krb5_decrypt_EncryptedData (context, - crypto, - KRB5_KU_PA_ENC_TIMESTAMP, - &enc_data, - &ts_data); - krb5_crypto_destroy(context, crypto); - if(ret){ - if(hdb_next_enctype2key(context, client, - enc_data.etype, &pa_key) == 0) - goto try_next_key; - free_EncryptedData(&enc_data); - e_text = "Failed to decrypt PA-DATA"; - kdc_log (5, "Failed to decrypt PA-DATA -- %s", - client_name); - ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; - continue; - } - free_EncryptedData(&enc_data); - ret = decode_PA_ENC_TS_ENC(ts_data.data, - ts_data.length, - &p, - &len); - krb5_data_free(&ts_data); - if(ret){ - e_text = "Failed to decode PA-ENC-TS-ENC"; - ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; - kdc_log (5, "Failed to decode PA-ENC-TS_ENC -- %s", - client_name); - continue; - } - patime = p.patimestamp; - free_PA_ENC_TS_ENC(&p); - if (abs(kdc_time - p.patimestamp) > context->max_skew) { - ret = KRB5KDC_ERR_PREAUTH_FAILED; - e_text = "Too large time skew"; - kdc_log(0, "Too large time skew -- %s", client_name); - goto out; - } - et.flags.pre_authent = 1; - kdc_log(2, "Pre-authentication succeded -- %s", client_name); - break; - } - if(found_pa == 0 && require_preauth) - goto use_pa; - /* We come here if we found a pa-enc-timestamp, but if there - was some problem with it, other than too large skew */ - if(found_pa && et.flags.pre_authent == 0){ - kdc_log(0, "%s -- %s", e_text, client_name); - e_text = NULL; - goto out; - } - }else if (require_preauth - || client->flags.require_preauth - || server->flags.require_preauth) { - METHOD_DATA method_data; - PA_DATA *pa; - unsigned char *buf; - size_t len; - krb5_data foo_data; - - use_pa: - method_data.len = 0; - method_data.val = NULL; - - ret = realloc_method_data(&method_data); - pa = &method_data.val[method_data.len-1]; - 
pa->padata_type = KRB5_PADATA_ENC_TIMESTAMP; - pa->padata_value.length = 0; - pa->padata_value.data = NULL; - - ret = get_pa_etype_info(&method_data, client, - b->etype.val, b->etype.len); /* XXX check ret */ - - ASN1_MALLOC_ENCODE(METHOD_DATA, buf, len, &method_data, &len, ret); - free_METHOD_DATA(&method_data); - foo_data.data = buf; - foo_data.length = len; - - ret = KRB5KDC_ERR_PREAUTH_REQUIRED; - krb5_mk_error(context, - ret, - "Need to use PA-ENC-TIMESTAMP", - &foo_data, - client_princ, - server_princ, - NULL, - NULL, - reply); - free(buf); - kdc_log(0, "No PA-ENC-TIMESTAMP -- %s", client_name); - ret = 0; - goto out2; - } - - ret = find_keys(client, server, &ckey, &cetype, &skey, &setype, - b->etype.val, b->etype.len); - if(ret) { - kdc_log(0, "Server/client has no support for etypes"); - goto out; - } - - { - char *cet; - char *set; - - ret = krb5_enctype_to_string(context, cetype, &cet); - if(ret == 0) { - ret = krb5_enctype_to_string(context, setype, &set); - if (ret == 0) { - kdc_log(5, "Using %s/%s", cet, set); - free(set); - } - free(cet); - } - if (ret != 0) - kdc_log(5, "Using e-types %d/%d", cetype, setype); - } - - { - char str[128]; - unparse_flags(KDCOptions2int(f), KDCOptions_units, str, sizeof(str)); - if(*str) - kdc_log(2, "Requested flags: %s", str); - } - - - if(f.renew || f.validate || f.proxy || f.forwarded || f.enc_tkt_in_skey - || (f.request_anonymous && !allow_anonymous)) { - ret = KRB5KDC_ERR_BADOPTION; - kdc_log(0, "Bad KDC options -- %s", client_name); - goto out; - } - - rep.pvno = 5; - rep.msg_type = krb_as_rep; - copy_Realm(&b->realm, &rep.crealm); - if (f.request_anonymous) - make_anonymous_principalname (&rep.cname); - else - copy_PrincipalName(b->cname, &rep.cname); - rep.ticket.tkt_vno = 5; - copy_Realm(&b->realm, &rep.ticket.realm); - copy_PrincipalName(b->sname, &rep.ticket.sname); - - et.flags.initial = 1; - if(client->flags.forwardable && server->flags.forwardable) - et.flags.forwardable = f.forwardable; - else if 
(f.forwardable) { - ret = KRB5KDC_ERR_POLICY; - kdc_log(0, "Ticket may not be forwardable -- %s", client_name); - goto out; - } - if(client->flags.proxiable && server->flags.proxiable) - et.flags.proxiable = f.proxiable; - else if (f.proxiable) { - ret = KRB5KDC_ERR_POLICY; - kdc_log(0, "Ticket may not be proxiable -- %s", client_name); - goto out; - } - if(client->flags.postdate && server->flags.postdate) - et.flags.may_postdate = f.allow_postdate; - else if (f.allow_postdate){ - ret = KRB5KDC_ERR_POLICY; - kdc_log(0, "Ticket may not be postdatable -- %s", client_name); - goto out; - } - - /* check for valid set of addresses */ - if(!check_addresses(b->addresses, from_addr)) { - ret = KRB5KRB_AP_ERR_BADADDR; - kdc_log(0, "Bad address list requested -- %s", client_name); - goto out; - } - - krb5_generate_random_keyblock(context, setype, &et.key); - copy_PrincipalName(&rep.cname, &et.cname); - copy_Realm(&b->realm, &et.crealm); - - { - time_t start; - time_t t; - - start = et.authtime = kdc_time; - - if(f.postdated && req->req_body.from){ - ALLOC(et.starttime); - start = *et.starttime = *req->req_body.from; - et.flags.invalid = 1; - et.flags.postdated = 1; /* XXX ??? 
*/ - } - fix_time(&b->till); - t = *b->till; - - /* be careful not overflowing */ - - if(client->max_life) - t = start + min(t - start, *client->max_life); - if(server->max_life) - t = start + min(t - start, *server->max_life); -#if 0 - t = min(t, start + realm->max_life); -#endif - et.endtime = t; - if(f.renewable_ok && et.endtime < *b->till){ - f.renewable = 1; - if(b->rtime == NULL){ - ALLOC(b->rtime); - *b->rtime = 0; - } - if(*b->rtime < *b->till) - *b->rtime = *b->till; - } - if(f.renewable && b->rtime){ - t = *b->rtime; - if(t == 0) - t = MAX_TIME; - if(client->max_renew) - t = start + min(t - start, *client->max_renew); - if(server->max_renew) - t = start + min(t - start, *server->max_renew); -#if 0 - t = min(t, start + realm->max_renew); -#endif - ALLOC(et.renew_till); - *et.renew_till = t; - et.flags.renewable = 1; - } - } - - if (f.request_anonymous) - et.flags.anonymous = 1; - - if(b->addresses){ - ALLOC(et.caddr); - copy_HostAddresses(b->addresses, et.caddr); - } - - et.transited.tr_type = DOMAIN_X500_COMPRESS; - krb5_data_zero(&et.transited.contents); - - copy_EncryptionKey(&et.key, &ek.key); - - /* The MIT ASN.1 library (obviously) doesn't tell lengths encoded - * as 0 and as 0x80 (meaning indefinite length) apart, and is thus - * incapable of correctly decoding SEQUENCE OF's of zero length. - * - * To fix this, always send at least one no-op last_req - * - * If there's a pw_end or valid_end we will use that, - * otherwise just a dummy lr. 
- */ - ek.last_req.val = malloc(2 * sizeof(*ek.last_req.val)); - ek.last_req.len = 0; - if (client->pw_end - && (kdc_warn_pwexpire == 0 - || kdc_time + kdc_warn_pwexpire <= *client->pw_end)) { - ek.last_req.val[ek.last_req.len].lr_type = LR_PW_EXPTIME; - ek.last_req.val[ek.last_req.len].lr_value = *client->pw_end; - ++ek.last_req.len; - } - if (client->valid_end) { - ek.last_req.val[ek.last_req.len].lr_type = LR_ACCT_EXPTIME; - ek.last_req.val[ek.last_req.len].lr_value = *client->valid_end; - ++ek.last_req.len; - } - if (ek.last_req.len == 0) { - ek.last_req.val[ek.last_req.len].lr_type = LR_NONE; - ek.last_req.val[ek.last_req.len].lr_value = 0; - ++ek.last_req.len; - } - ek.nonce = b->nonce; - if (client->valid_end || client->pw_end) { - ALLOC(ek.key_expiration); - if (client->valid_end) { - if (client->pw_end) - *ek.key_expiration = min(*client->valid_end, *client->pw_end); - else - *ek.key_expiration = *client->valid_end; - } else - *ek.key_expiration = *client->pw_end; - } else - ek.key_expiration = NULL; - ek.flags = et.flags; - ek.authtime = et.authtime; - if (et.starttime) { - ALLOC(ek.starttime); - *ek.starttime = *et.starttime; - } - ek.endtime = et.endtime; - if (et.renew_till) { - ALLOC(ek.renew_till); - *ek.renew_till = *et.renew_till; - } - copy_Realm(&rep.ticket.realm, &ek.srealm); - copy_PrincipalName(&rep.ticket.sname, &ek.sname); - if(et.caddr){ - ALLOC(ek.caddr); - copy_HostAddresses(et.caddr, ek.caddr); - } - - set_salt_padata (&rep.padata, ckey->salt); - ret = encode_reply(&rep, &et, &ek, setype, server->kvno, &skey->key, - client->kvno, &ckey->key, &e_text, reply); - free_EncTicketPart(&et); - free_EncKDCRepPart(&ek); - out: - free_AS_REP(&rep); - if(ret){ - krb5_mk_error(context, - ret, - e_text, - NULL, - client_princ, - server_princ, - NULL, - NULL, - reply); - ret = 0; - } - out2: - if (client_princ) - krb5_free_principal(context, client_princ); - free(client_name); - if (server_princ) - krb5_free_principal(context, server_princ); - 
free(server_name); - if(client) - free_ent(client); - if(server) - free_ent(server); - return ret; -} - - -static krb5_error_code -check_tgs_flags(KDC_REQ_BODY *b, EncTicketPart *tgt, EncTicketPart *et) -{ - KDCOptions f = b->kdc_options; - - if(f.validate){ - if(!tgt->flags.invalid || tgt->starttime == NULL){ - kdc_log(0, "Bad request to validate ticket"); - return KRB5KDC_ERR_BADOPTION; - } - if(*tgt->starttime > kdc_time){ - kdc_log(0, "Early request to validate ticket"); - return KRB5KRB_AP_ERR_TKT_NYV; - } - /* XXX tkt = tgt */ - et->flags.invalid = 0; - }else if(tgt->flags.invalid){ - kdc_log(0, "Ticket-granting ticket has INVALID flag set"); - return KRB5KRB_AP_ERR_TKT_INVALID; - } - - if(f.forwardable){ - if(!tgt->flags.forwardable){ - kdc_log(0, "Bad request for forwardable ticket"); - return KRB5KDC_ERR_BADOPTION; - } - et->flags.forwardable = 1; - } - if(f.forwarded){ - if(!tgt->flags.forwardable){ - kdc_log(0, "Request to forward non-forwardable ticket"); - return KRB5KDC_ERR_BADOPTION; - } - et->flags.forwarded = 1; - et->caddr = b->addresses; - } - if(tgt->flags.forwarded) - et->flags.forwarded = 1; - - if(f.proxiable){ - if(!tgt->flags.proxiable){ - kdc_log(0, "Bad request for proxiable ticket"); - return KRB5KDC_ERR_BADOPTION; - } - et->flags.proxiable = 1; - } - if(f.proxy){ - if(!tgt->flags.proxiable){ - kdc_log(0, "Request to proxy non-proxiable ticket"); - return KRB5KDC_ERR_BADOPTION; - } - et->flags.proxy = 1; - et->caddr = b->addresses; - } - if(tgt->flags.proxy) - et->flags.proxy = 1; - - if(f.allow_postdate){ - if(!tgt->flags.may_postdate){ - kdc_log(0, "Bad request for post-datable ticket"); - return KRB5KDC_ERR_BADOPTION; - } - et->flags.may_postdate = 1; - } - if(f.postdated){ - if(!tgt->flags.may_postdate){ - kdc_log(0, "Bad request for postdated ticket"); - return KRB5KDC_ERR_BADOPTION; - } - if(b->from) - *et->starttime = *b->from; - et->flags.postdated = 1; - et->flags.invalid = 1; - }else if(b->from && *b->from > kdc_time + 
context->max_skew){ - kdc_log(0, "Ticket cannot be postdated"); - return KRB5KDC_ERR_CANNOT_POSTDATE; - } - - if(f.renewable){ - if(!tgt->flags.renewable){ - kdc_log(0, "Bad request for renewable ticket"); - return KRB5KDC_ERR_BADOPTION; - } - et->flags.renewable = 1; - ALLOC(et->renew_till); - fix_time(&b->rtime); - *et->renew_till = *b->rtime; - } - if(f.renew){ - time_t old_life; - if(!tgt->flags.renewable || tgt->renew_till == NULL){ - kdc_log(0, "Request to renew non-renewable ticket"); - return KRB5KDC_ERR_BADOPTION; - } - old_life = tgt->endtime; - if(tgt->starttime) - old_life -= *tgt->starttime; - else - old_life -= tgt->authtime; - et->endtime = *et->starttime + old_life; - if (et->renew_till != NULL) - et->endtime = min(*et->renew_till, et->endtime); - } - - /* checks for excess flags */ - if(f.request_anonymous && !allow_anonymous){ - kdc_log(0, "Request for anonymous ticket"); - return KRB5KDC_ERR_BADOPTION; - } - return 0; -} - -static krb5_error_code -fix_transited_encoding(krb5_boolean check_policy, - TransitedEncoding *tr, - EncTicketPart *et, - const char *client_realm, - const char *server_realm, - const char *tgt_realm) -{ - krb5_error_code ret = 0; - char **realms, **tmp; - int num_realms; - int i; - - if(tr->tr_type != DOMAIN_X500_COMPRESS) { - kdc_log(0, "Unknown transited type: %u", tr->tr_type); - return KRB5KDC_ERR_TRTYPE_NOSUPP; - } - - ret = krb5_domain_x500_decode(context, - tr->contents, - &realms, - &num_realms, - client_realm, - server_realm); - if(ret){ - krb5_warn(context, ret, "Decoding transited encoding"); - return ret; - } - if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) { - /* not us, so add the previous realm to transited set */ - if (num_realms < 0 || num_realms + 1 > UINT_MAX/sizeof(*realms)) { - ret = ERANGE; - goto free_realms; - } - tmp = realloc(realms, (num_realms + 1) * sizeof(*realms)); - if(tmp == NULL){ - ret = ENOMEM; - goto free_realms; - } - realms = tmp; - realms[num_realms] = 
strdup(tgt_realm); - if(realms[num_realms] == NULL){ - ret = ENOMEM; - goto free_realms; - } - num_realms++; - } - if(num_realms == 0) { - if(strcmp(client_realm, server_realm)) - kdc_log(0, "cross-realm %s -> %s", client_realm, server_realm); - } else { - size_t l = 0; - char *rs; - for(i = 0; i < num_realms; i++) - l += strlen(realms[i]) + 2; - rs = malloc(l); - if(rs != NULL) { - *rs = '\0'; - for(i = 0; i < num_realms; i++) { - if(i > 0) - strlcat(rs, ", ", l); - strlcat(rs, realms[i], l); - } - kdc_log(0, "cross-realm %s -> %s via [%s]", client_realm, server_realm, rs); - free(rs); - } - } - if(check_policy) { - ret = krb5_check_transited(context, client_realm, - server_realm, - realms, num_realms, NULL); - if(ret) { - krb5_warn(context, ret, "cross-realm %s -> %s", - client_realm, server_realm); - goto free_realms; - } - et->flags.transited_policy_checked = 1; - } - et->transited.tr_type = DOMAIN_X500_COMPRESS; - ret = krb5_domain_x500_encode(realms, num_realms, &et->transited.contents); - if(ret) - krb5_warn(context, ret, "Encoding transited encoding"); - free_realms: - for(i = 0; i < num_realms; i++) - free(realms[i]); - free(realms); - return ret; -} - - -static krb5_error_code -tgs_make_reply(KDC_REQ_BODY *b, - EncTicketPart *tgt, - EncTicketPart *adtkt, - AuthorizationData *auth_data, - hdb_entry *server, - hdb_entry *client, - krb5_principal client_principal, - hdb_entry *krbtgt, - krb5_enctype cetype, - const char **e_text, - krb5_data *reply) -{ - KDC_REP rep; - EncKDCRepPart ek; - EncTicketPart et; - KDCOptions f = b->kdc_options; - krb5_error_code ret; - krb5_enctype etype; - Key *skey; - EncryptionKey *ekey; - - if(adtkt) { - int i; - krb5_keytype kt; - ekey = &adtkt->key; - for(i = 0; i < b->etype.len; i++){ - ret = krb5_enctype_to_keytype(context, b->etype.val[i], &kt); - if(ret) - continue; - if(adtkt->key.keytype == kt) - break; - } - if(i == b->etype.len) - return KRB5KDC_ERR_ETYPE_NOSUPP; - etype = b->etype.val[i]; - }else{ - ret = 
find_keys(NULL, server, NULL, NULL, &skey, &etype, - b->etype.val, b->etype.len); - if(ret) { - kdc_log(0, "Server has no support for etypes"); - return ret; - } - ekey = &skey->key; - } - - memset(&rep, 0, sizeof(rep)); - memset(&et, 0, sizeof(et)); - memset(&ek, 0, sizeof(ek)); - - rep.pvno = 5; - rep.msg_type = krb_tgs_rep; - - et.authtime = tgt->authtime; - fix_time(&b->till); - et.endtime = min(tgt->endtime, *b->till); - ALLOC(et.starttime); - *et.starttime = kdc_time; - - ret = check_tgs_flags(b, tgt, &et); - if(ret) - goto out; - - /* We should check the transited encoding if: - 1) the request doesn't ask not to be checked - 2) globally enforcing a check - 3) principal requires checking - 4) we allow non-check per-principal, but principal isn't marked as allowing this - 5) we don't globally allow this - */ - -#define GLOBAL_FORCE_TRANSITED_CHECK (trpolicy == TRPOLICY_ALWAYS_CHECK) -#define GLOBAL_ALLOW_PER_PRINCIPAL (trpolicy == TRPOLICY_ALLOW_PER_PRINCIPAL) -#define GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK (trpolicy == TRPOLICY_ALWAYS_HONOUR_REQUEST) -/* these will consult the database in future release */ -#define PRINCIPAL_FORCE_TRANSITED_CHECK(P) 0 -#define PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(P) 0 - - ret = fix_transited_encoding(!f.disable_transited_check || - GLOBAL_FORCE_TRANSITED_CHECK || - PRINCIPAL_FORCE_TRANSITED_CHECK(server) || - !((GLOBAL_ALLOW_PER_PRINCIPAL && - PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(server)) || - GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK), - &tgt->transited, &et, - *krb5_princ_realm(context, client_principal), - *krb5_princ_realm(context, server->principal), - *krb5_princ_realm(context, krbtgt->principal)); - if(ret) - goto out; - - copy_Realm(krb5_princ_realm(context, server->principal), - &rep.ticket.realm); - krb5_principal2principalname(&rep.ticket.sname, server->principal); - copy_Realm(&tgt->crealm, &rep.crealm); - if (f.request_anonymous) - make_anonymous_principalname (&tgt->cname); - else - 
copy_PrincipalName(&tgt->cname, &rep.cname); - rep.ticket.tkt_vno = 5; - - ek.caddr = et.caddr; - if(et.caddr == NULL) - et.caddr = tgt->caddr; - - { - time_t life; - life = et.endtime - *et.starttime; - if(client && client->max_life) - life = min(life, *client->max_life); - if(server->max_life) - life = min(life, *server->max_life); - et.endtime = *et.starttime + life; - } - if(f.renewable_ok && tgt->flags.renewable && - et.renew_till == NULL && et.endtime < *b->till){ - et.flags.renewable = 1; - ALLOC(et.renew_till); - *et.renew_till = *b->till; - } - if(et.renew_till){ - time_t renew; - renew = *et.renew_till - et.authtime; - if(client && client->max_renew) - renew = min(renew, *client->max_renew); - if(server->max_renew) - renew = min(renew, *server->max_renew); - *et.renew_till = et.authtime + renew; - } - - if(et.renew_till){ - *et.renew_till = min(*et.renew_till, *tgt->renew_till); - *et.starttime = min(*et.starttime, *et.renew_till); - et.endtime = min(et.endtime, *et.renew_till); - } - - *et.starttime = min(*et.starttime, et.endtime); - - if(*et.starttime == et.endtime){ - ret = KRB5KDC_ERR_NEVER_VALID; - goto out; - } - if(et.renew_till && et.endtime == *et.renew_till){ - free(et.renew_till); - et.renew_till = NULL; - et.flags.renewable = 0; - } - - et.flags.pre_authent = tgt->flags.pre_authent; - et.flags.hw_authent = tgt->flags.hw_authent; - et.flags.anonymous = tgt->flags.anonymous; - - /* XXX Check enc-authorization-data */ - et.authorization_data = auth_data; - - krb5_generate_random_keyblock(context, etype, &et.key); - et.crealm = tgt->crealm; - et.cname = tgt->cname; - - ek.key = et.key; - /* MIT must have at least one last_req */ - ek.last_req.len = 1; - ek.last_req.val = calloc(1, sizeof(*ek.last_req.val)); - ek.nonce = b->nonce; - ek.flags = et.flags; - ek.authtime = et.authtime; - ek.starttime = et.starttime; - ek.endtime = et.endtime; - ek.renew_till = et.renew_till; - ek.srealm = rep.ticket.realm; - ek.sname = rep.ticket.sname; - - /* It is 
somewhat unclear where the etype in the following - encryption should come from. What we have is a session - key in the passed tgt, and a list of preferred etypes - *for the new ticket*. Should we pick the best possible - etype, given the keytype in the tgt, or should we look - at the etype list here as well? What if the tgt - session key is DES3 and we want a ticket with a (say) - CAST session key. Should the DES3 etype be added to the - etype list, even if we don't want a session key with - DES3? */ - ret = encode_reply(&rep, &et, &ek, etype, adtkt ? 0 : server->kvno, ekey, - 0, &tgt->key, e_text, reply); - out: - free_TGS_REP(&rep); - free_TransitedEncoding(&et.transited); - if(et.starttime) - free(et.starttime); - if(et.renew_till) - free(et.renew_till); - free_LastReq(&ek.last_req); - memset(et.key.keyvalue.data, 0, et.key.keyvalue.length); - free_EncryptionKey(&et.key); - return ret; -} - -static krb5_error_code -tgs_check_authenticator(krb5_auth_context ac, - KDC_REQ_BODY *b, - const char **e_text, - krb5_keyblock *key) -{ - krb5_authenticator auth; - size_t len; - unsigned char *buf; - size_t buf_size; - krb5_error_code ret; - krb5_crypto crypto; - - krb5_auth_con_getauthenticator(context, ac, &auth); - if(auth->cksum == NULL){ - kdc_log(0, "No authenticator in request"); - ret = KRB5KRB_AP_ERR_INAPP_CKSUM; - goto out; - } - /* - * according to RFC1510 it doesn't need to be keyed, - * but according to the latest draft it needs to. 
- */ - if ( -#if 0 -!krb5_checksum_is_keyed(context, auth->cksum->cksumtype) - || -#endif - !krb5_checksum_is_collision_proof(context, auth->cksum->cksumtype)) { - kdc_log(0, "Bad checksum type in authenticator: %d", - auth->cksum->cksumtype); - ret = KRB5KRB_AP_ERR_INAPP_CKSUM; - goto out; - } - - /* XXX should not re-encode this */ - ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret); - if(ret){ - kdc_log(0, "Failed to encode KDC-REQ-BODY: %s", - krb5_get_err_text(context, ret)); - goto out; - } - if(buf_size != len) { - free(buf); - kdc_log(0, "Internal error in ASN.1 encoder"); - *e_text = "KDC internal error"; - ret = KRB5KRB_ERR_GENERIC; - goto out; - } - ret = krb5_crypto_init(context, key, 0, &crypto); - if (ret) { - free(buf); - kdc_log(0, "krb5_crypto_init failed: %s", - krb5_get_err_text(context, ret)); - goto out; - } - ret = krb5_verify_checksum(context, - crypto, - KRB5_KU_TGS_REQ_AUTH_CKSUM, - buf, - len, - auth->cksum); - free(buf); - krb5_crypto_destroy(context, crypto); - if(ret){ - kdc_log(0, "Failed to verify checksum: %s", - krb5_get_err_text(context, ret)); - } -out: - free_Authenticator(auth); - free(auth); - return ret; -} - -/* - * return the realm of a krbtgt-ticket or NULL - */ - -static Realm -get_krbtgt_realm(const PrincipalName *p) -{ - if(p->name_string.len == 2 - && strcmp(p->name_string.val[0], KRB5_TGS_NAME) == 0) - return p->name_string.val[1]; - else - return NULL; -} - -static Realm -find_rpath(Realm crealm, Realm srealm) -{ - const char *new_realm = krb5_config_get_string(context, - NULL, - "capaths", - crealm, - srealm, - NULL); - return (Realm)new_realm; -} - - -static krb5_boolean -need_referral(krb5_principal server, krb5_realm **realms) -{ - if(server->name.name_type != KRB5_NT_SRV_INST || - server->name.name_string.len != 2) - return FALSE; - - return krb5_get_host_realm_int(context, server->name.name_string.val[1], - FALSE, realms) == 0; -} - -static krb5_error_code -tgs_rep2(KDC_REQ_BODY *b, - PA_DATA 
*tgs_req, - krb5_data *reply, - const char *from, - const struct sockaddr *from_addr, - time_t **csec, - int **cusec) -{ - krb5_ap_req ap_req; - krb5_error_code ret; - krb5_principal princ; - krb5_auth_context ac = NULL; - krb5_ticket *ticket = NULL; - krb5_flags ap_req_options; - krb5_flags verify_ap_req_flags; - const char *e_text = NULL; - krb5_crypto crypto; - - hdb_entry *krbtgt = NULL; - EncTicketPart *tgt; - Key *tkey; - krb5_enctype cetype; - krb5_principal cp = NULL; - krb5_principal sp = NULL; - AuthorizationData *auth_data = NULL; - - *csec = NULL; - *cusec = NULL; - - memset(&ap_req, 0, sizeof(ap_req)); - ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req); - if(ret){ - kdc_log(0, "Failed to decode AP-REQ: %s", - krb5_get_err_text(context, ret)); - goto out2; - } - - if(!get_krbtgt_realm(&ap_req.ticket.sname)){ - /* XXX check for ticket.sname == req.sname */ - kdc_log(0, "PA-DATA is not a ticket-granting ticket"); - ret = KRB5KDC_ERR_POLICY; /* ? */ - goto out2; - } - - principalname2krb5_principal(&princ, - ap_req.ticket.sname, - ap_req.ticket.realm); - - ret = db_fetch(princ, &krbtgt); - - if(ret) { - char *p; - krb5_unparse_name(context, princ, &p); - krb5_free_principal(context, princ); - kdc_log(0, "Ticket-granting ticket not found in database: %s: %s", - p, krb5_get_err_text(context, ret)); - free(p); - ret = KRB5KRB_AP_ERR_NOT_US; - goto out2; - } - - if(ap_req.ticket.enc_part.kvno && - *ap_req.ticket.enc_part.kvno != krbtgt->kvno){ - char *p; - - krb5_unparse_name (context, princ, &p); - krb5_free_principal(context, princ); - kdc_log(0, "Ticket kvno = %d, DB kvno = %d (%s)", - *ap_req.ticket.enc_part.kvno, - krbtgt->kvno, - p); - free (p); - ret = KRB5KRB_AP_ERR_BADKEYVER; - goto out2; - } - - ret = hdb_enctype2key(context, krbtgt, ap_req.ticket.enc_part.etype, &tkey); - if(ret){ - char *str; - krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str); - kdc_log(0, "No server key found for %s", str); - free(str); - ret = 
KRB5KRB_AP_ERR_BADKEYVER; - goto out2; - } - - if (b->kdc_options.validate) - verify_ap_req_flags = KRB5_VERIFY_AP_REQ_IGNORE_INVALID; - else - verify_ap_req_flags = 0; - - ret = krb5_verify_ap_req2(context, - &ac, - &ap_req, - princ, - &tkey->key, - verify_ap_req_flags, - &ap_req_options, - &ticket, - KRB5_KU_TGS_REQ_AUTH); - - krb5_free_principal(context, princ); - if(ret) { - kdc_log(0, "Failed to verify AP-REQ: %s", - krb5_get_err_text(context, ret)); - goto out2; - } - - { - krb5_authenticator auth; - - ret = krb5_auth_con_getauthenticator(context, ac, &auth); - if (ret == 0) { - *csec = malloc(sizeof(**csec)); - if (*csec == NULL) { - krb5_free_authenticator(context, &auth); - kdc_log(0, "malloc failed"); - goto out2; - } - **csec = auth->ctime; - *cusec = malloc(sizeof(**cusec)); - if (*cusec == NULL) { - krb5_free_authenticator(context, &auth); - kdc_log(0, "malloc failed"); - goto out2; - } - **csec = auth->cusec; - krb5_free_authenticator(context, &auth); - } - } - - cetype = ap_req.authenticator.etype; - - tgt = &ticket->ticket; - - ret = tgs_check_authenticator(ac, b, &e_text, &tgt->key); - - if (b->enc_authorization_data) { - krb5_keyblock *subkey; - krb5_data ad; - ret = krb5_auth_con_getremotesubkey(context, - ac, - &subkey); - if(ret){ - krb5_auth_con_free(context, ac); - kdc_log(0, "Failed to get remote subkey: %s", - krb5_get_err_text(context, ret)); - goto out2; - } - if(subkey == NULL){ - ret = krb5_auth_con_getkey(context, ac, &subkey); - if(ret) { - krb5_auth_con_free(context, ac); - kdc_log(0, "Failed to get session key: %s", - krb5_get_err_text(context, ret)); - goto out2; - } - } - if(subkey == NULL){ - krb5_auth_con_free(context, ac); - kdc_log(0, "Failed to get key for enc-authorization-data"); - ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? 
*/ - goto out2; - } - ret = krb5_crypto_init(context, subkey, 0, &crypto); - if (ret) { - krb5_auth_con_free(context, ac); - kdc_log(0, "krb5_crypto_init failed: %s", - krb5_get_err_text(context, ret)); - goto out2; - } - ret = krb5_decrypt_EncryptedData (context, - crypto, - KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY, - b->enc_authorization_data, - &ad); - krb5_crypto_destroy(context, crypto); - if(ret){ - krb5_auth_con_free(context, ac); - kdc_log(0, "Failed to decrypt enc-authorization-data"); - ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */ - goto out2; - } - krb5_free_keyblock(context, subkey); - ALLOC(auth_data); - ret = decode_AuthorizationData(ad.data, ad.length, auth_data, NULL); - if(ret){ - krb5_auth_con_free(context, ac); - free(auth_data); - auth_data = NULL; - kdc_log(0, "Failed to decode authorization data"); - ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */ - goto out2; - } - } - - krb5_auth_con_free(context, ac); - - if(ret){ - kdc_log(0, "Failed to verify authenticator: %s", - krb5_get_err_text(context, ret)); - goto out2; - } - - { - PrincipalName *s; - Realm r; - char *spn = NULL, *cpn = NULL; - hdb_entry *server = NULL, *client = NULL; - int loop = 0; - EncTicketPart adtkt; - char opt_str[128]; - - s = b->sname; - r = b->realm; - if(b->kdc_options.enc_tkt_in_skey){ - Ticket *t; - hdb_entry *uu; - krb5_principal p; - Key *tkey; - - if(b->additional_tickets == NULL || - b->additional_tickets->len == 0){ - ret = KRB5KDC_ERR_BADOPTION; /* ? 
*/ - kdc_log(0, "No second ticket present in request"); - goto out; - } - t = &b->additional_tickets->val[0]; - if(!get_krbtgt_realm(&t->sname)){ - kdc_log(0, "Additional ticket is not a ticket-granting ticket"); - ret = KRB5KDC_ERR_POLICY; - goto out2; - } - principalname2krb5_principal(&p, t->sname, t->realm); - ret = db_fetch(p, &uu); - krb5_free_principal(context, p); - if(ret){ - if (ret == HDB_ERR_NOENTRY) - ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; - goto out; - } - ret = hdb_enctype2key(context, uu, t->enc_part.etype, &tkey); - if(ret){ - ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */ - goto out; - } - ret = krb5_decrypt_ticket(context, t, &tkey->key, &adtkt, 0); - - if(ret) - goto out; - s = &adtkt.cname; - r = adtkt.crealm; - } - - principalname2krb5_principal(&sp, *s, r); - krb5_unparse_name(context, sp, &spn); - principalname2krb5_principal(&cp, tgt->cname, tgt->crealm); - krb5_unparse_name(context, cp, &cpn); - unparse_flags (KDCOptions2int(b->kdc_options), KDCOptions_units, - opt_str, sizeof(opt_str)); - if(*opt_str) - kdc_log(0, "TGS-REQ %s from %s for %s [%s]", - cpn, from, spn, opt_str); - else - kdc_log(0, "TGS-REQ %s from %s for %s", cpn, from, spn); - server_lookup: - ret = db_fetch(sp, &server); - - if(ret){ - Realm req_rlm, new_rlm; - krb5_realm *realms; - - if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) { - if(loop++ < 2) { - new_rlm = find_rpath(tgt->crealm, req_rlm); - if(new_rlm) { - kdc_log(5, "krbtgt for realm %s not found, trying %s", - req_rlm, new_rlm); - krb5_free_principal(context, sp); - free(spn); - krb5_make_principal(context, &sp, r, - KRB5_TGS_NAME, new_rlm, NULL); - krb5_unparse_name(context, sp, &spn); - goto server_lookup; - } - } - } else if(need_referral(sp, &realms)) { - if (strcmp(realms[0], sp->realm) != 0) { - kdc_log(5, "returning a referral to realm %s for " - "server %s that was not found", - realms[0], spn); - krb5_free_principal(context, sp); - free(spn); - krb5_make_principal(context, &sp, r, KRB5_TGS_NAME, - 
realms[0], NULL); - krb5_unparse_name(context, sp, &spn); - krb5_free_host_realm(context, realms); - goto server_lookup; - } - krb5_free_host_realm(context, realms); - } - kdc_log(0, "Server not found in database: %s: %s", spn, - krb5_get_err_text(context, ret)); - if (ret == HDB_ERR_NOENTRY) - ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; - goto out; - } - - ret = db_fetch(cp, &client); - if(ret) - kdc_log(1, "Client not found in database: %s: %s", - cpn, krb5_get_err_text(context, ret)); -#if 0 - /* XXX check client only if same realm as krbtgt-instance */ - if(ret){ - kdc_log(0, "Client not found in database: %s: %s", - cpn, krb5_get_err_text(context, ret)); - if (ret == HDB_ERR_NOENTRY) - ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; - goto out; - } -#endif - - if(strcmp(krb5_principal_get_realm(context, sp), - krb5_principal_get_comp_string(context, krbtgt->principal, 1)) != 0) { - char *tpn; - ret = krb5_unparse_name(context, krbtgt->principal, &tpn); - kdc_log(0, "Request with wrong krbtgt: %s", (ret == 0) ? tpn : ""); - if(ret == 0) - free(tpn); - ret = KRB5KRB_AP_ERR_NOT_US; - goto out; - - } - - ret = check_flags(client, cpn, server, spn, FALSE); - if(ret) - goto out; - - if((b->kdc_options.validate || b->kdc_options.renew) && - !krb5_principal_compare(context, - krbtgt->principal, - server->principal)){ - kdc_log(0, "Inconsistent request."); - ret = KRB5KDC_ERR_SERVER_NOMATCH; - goto out; - } - - /* check for valid set of addresses */ - if(!check_addresses(tgt->caddr, from_addr)) { - ret = KRB5KRB_AP_ERR_BADADDR; - kdc_log(0, "Request from wrong address"); - goto out; - } - - ret = tgs_make_reply(b, - tgt, - b->kdc_options.enc_tkt_in_skey ? 
&adtkt : NULL, - auth_data, - server, - client, - cp, - krbtgt, - cetype, - &e_text, - reply); - - out: - free(spn); - free(cpn); - - if(server) - free_ent(server); - if(client) - free_ent(client); - } -out2: - if(ret) { - krb5_mk_error(context, - ret, - e_text, - NULL, - cp, - sp, - NULL, - NULL, - reply); - free(*csec); - free(*cusec); - *csec = NULL; - *cusec = NULL; - } - krb5_free_principal(context, cp); - krb5_free_principal(context, sp); - if (ticket) { - krb5_free_ticket(context, ticket); - free(ticket); - } - free_AP_REQ(&ap_req); - if(auth_data){ - free_AuthorizationData(auth_data); - free(auth_data); - } - - if(krbtgt) - free_ent(krbtgt); - - return ret; -} - - -krb5_error_code -tgs_rep(KDC_REQ *req, - krb5_data *data, - const char *from, - struct sockaddr *from_addr) -{ - krb5_error_code ret; - int i = 0; - PA_DATA *tgs_req = NULL; - time_t *csec = NULL; - int *cusec = NULL; - - if(req->padata == NULL){ - ret = KRB5KDC_ERR_PREAUTH_REQUIRED; /* XXX ??? */ - kdc_log(0, "TGS-REQ from %s without PA-DATA", from); - goto out; - } - - tgs_req = find_padata(req, &i, KRB5_PADATA_TGS_REQ); - - if(tgs_req == NULL){ - ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP; - - kdc_log(0, "TGS-REQ from %s without PA-TGS-REQ", from); - goto out; - } - ret = tgs_rep2(&req->req_body, tgs_req, data, from, from_addr, - &csec, &cusec); -out: - if(ret && data->data == NULL){ - krb5_mk_error(context, - ret, - NULL, - NULL, - NULL, - NULL, - csec, - cusec, - data); - } - free(csec); - free(cusec); - return 0; -} diff --git a/crypto/heimdal-0.6.3/kdc/kstash.8 b/crypto/heimdal-0.6.3/kdc/kstash.8 deleted file mode 100644 index 3bd46c63ac..0000000000 --- a/crypto/heimdal-0.6.3/kdc/kstash.8 +++ /dev/null 
@@ -1,60 +0,0 @@
-.\" $Id: kstash.8,v 1.7 2002/08/20 16:37:14 joda Exp $
-.\"
-.Dd September 1, 2000
-.Dt KSTASH 8
-.Os HEIMDAL
-.Sh NAME
-.Nm kstash
-.Nd "store the KDC master password in a file"
-.Sh SYNOPSIS
-.Nm
-.Oo Fl e Ar string \*(Ba Xo
-.Fl -enctype= Ns Ar string
-.Xc
-.Oc
-.Oo Fl k Ar file \*(Ba Xo
-.Fl -key-file= Ns Ar file
-.Xc
-.Oc
-.Op Fl -convert-file
-.Op Fl -master-key-fd= Ns Ar fd
-.Op Fl h | Fl -help
-.Op Fl -version
-.Sh DESCRIPTION
-.Nm
-reads the Kerberos master key and stores it in a file that will be
-used by the KDC.
-.Pp
-Supported options:
-.Bl -tag -width Ds
-.It Xo
-.Fl e Ar string ,
-.Fl -enctype= Ns Ar string
-.Xc
-the encryption type to use, defaults to DES3-CBC-SHA1
-.It Xo
-.Fl k Ar file ,
-.Fl -key-file= Ns Ar file
-.Xc
-the name of the master key file
-.It Xo
-.Fl -convert-file
-.Xc
-don't ask for a new master key, just read an old master key file, and
-write it back in the new keyfile format
-.It Xo
-.Fl -master-key-fd= Ns Ar fd
-.Xc
-filedescriptor to read passphrase from, if not specified the
-passphrase will be read from the terminal
-.El
-.\".Sh ENVIRONMENT
-.\".Sh FILES
-.\".Sh EXAMPLES
-.\".Sh DIAGNOSTICS
-.Sh SEE ALSO
-.Xr kdc 8
-.\".Sh STANDARDS
-.\".Sh HISTORY
-.\".Sh AUTHORS
-.\".Sh BUGS
diff --git a/crypto/heimdal-0.6.3/kdc/kstash.c b/crypto/heimdal-0.6.3/kdc/kstash.c
deleted file mode 100644
index dc0621a6f6..0000000000
--- a/crypto/heimdal-0.6.3/kdc/kstash.c
+++ /dev/null
@@ -1,148 +0,0 @@ -/* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "headers.h" - -RCSID("$Id: kstash.c,v 1.15 2002/04/18 09:47:25 joda Exp $"); - -krb5_context context; - -const char *keyfile = HDB_DB_DIR "/m-key"; -int convert_flag; -int help_flag; -int version_flag; - -int master_key_fd = -1; - -const char *enctype_str = "des3-cbc-sha1"; - -struct getargs args[] = { - { "enctype", 'e', arg_string, &enctype_str, "encryption type" }, - { "key-file", 'k', arg_string, &keyfile, "master key file", "file" }, - { "convert-file", 0, arg_flag, &convert_flag, - "just convert keyfile to new format" }, - { "master-key-fd", 0, arg_integer, &master_key_fd, - "filedescriptor to read passphrase from", "fd" }, - { "help", 'h', arg_flag, &help_flag }, - { "version", 0, arg_flag, &version_flag } -}; - -int num_args = sizeof(args) / sizeof(args[0]); - -int -main(int argc, char **argv) -{ - char buf[1024]; - krb5_error_code ret; - - krb5_enctype enctype; - - hdb_master_key mkey; - - krb5_program_setup(&context, argc, argv, args, num_args, NULL); - - if(help_flag) - krb5_std_usage(0, args, num_args); - if(version_flag){ - print_version(NULL); - exit(0); - } - - ret = krb5_string_to_enctype(context, enctype_str, &enctype); - if(ret) - krb5_err(context, 1, ret, "krb5_string_to_enctype"); - - ret = hdb_read_master_key(context, keyfile, &mkey); - if(ret && ret != ENOENT) - krb5_err(context, 1, ret, "reading master key from %s", keyfile); - - if (convert_flag) { - if (ret) - krb5_err(context, 1, ret, "reading master key from %s", keyfile); - } else { - krb5_keyblock key; - krb5_salt salt; - salt.salttype = KRB5_PW_SALT; - /* XXX better value? 
*/ - salt.saltvalue.data = NULL; - salt.saltvalue.length = 0; - if(master_key_fd != -1) { - ssize_t n; - n = read(master_key_fd, buf, sizeof(buf)); - if(n <= 0) - krb5_err(context, 1, errno, "failed to read passphrase"); - buf[n] = '\0'; - buf[strcspn(buf, "\r\n")] = '\0'; - } else { - if(des_read_pw_string(buf, sizeof(buf), "Master key: ", 1)) - exit(1); - } - krb5_string_to_key_salt(context, enctype, buf, salt, &key); - ret = hdb_add_master_key(context, &key, &mkey); - - krb5_free_keyblock_contents(context, &key); - - } - - { - char *new, *old; - asprintf(&old, "%s.old", keyfile); - asprintf(&new, "%s.new", keyfile); - if(unlink(new) < 0 && errno != ENOENT) { - ret = errno; - goto out; - } - krb5_warnx(context, "writing key to `%s'", keyfile); - ret = hdb_write_master_key(context, new, mkey); - if(ret) - unlink(new); - else { - unlink(old); - if(link(keyfile, old) < 0 && errno != ENOENT) { - ret = errno; - unlink(new); - } else if(rename(new, keyfile) < 0) { - ret = errno; - } - } - out: - free(old); - free(new); - if(ret) - krb5_warn(context, errno, "writing master key file"); - } - - hdb_free_master_key(context, mkey); - - exit(ret != 0); -} diff --git a/crypto/heimdal-0.6.3/kdc/kstash.cat8 b/crypto/heimdal-0.6.3/kdc/kstash.cat8 deleted file mode 100644 index b3cd2e9906..0000000000 --- a/crypto/heimdal-0.6.3/kdc/kstash.cat8 +++ /dev/null 
@@ -1,34 +0,0 @@ - -KSTASH(8) UNIX System Manager's Manual KSTASH(8) - -NNAAMMEE - kkssttaasshh - store the KDC master password in a file - -SSYYNNOOPPSSIISS - kkssttaasshh [--ee _s_t_r_i_n_g | ----eennccttyyppee==_s_t_r_i_n_g] [--kk _f_i_l_e | ----kkeeyy--ffiillee==_f_i_l_e] - [----ccoonnvveerrtt--ffiillee] [----mmaasstteerr--kkeeyy--ffdd==_f_d] [--hh | ----hheellpp] [----vveerrssiioonn] - -DDEESSCCRRIIPPTTIIOONN - kkssttaasshh reads the Kerberos master key and stores it in a file that will be - used by the KDC. - - Supported options: - - --ee _s_t_r_i_n_g, ----eennccttyyppee==_s_t_r_i_n_g - the encryption type to use, defaults to DES3-CBC-SHA1 - - --kk _f_i_l_e, ----kkeeyy--ffiillee==_f_i_l_e - the name of the master key file - - ----ccoonnvveerrtt--ffiillee - don't ask for a new master key, just read an old master key file, - and write it back in the new keyfile format - - ----mmaasstteerr--kkeeyy--ffdd==_f_d - filedescriptor to read passphrase from, if not specified the - passphrase will be read from the terminal - -SSEEEE AALLSSOO - kdc(8) - - HEIMDAL September 1, 2000 1 diff --git a/crypto/heimdal-0.6.3/kdc/log.c b/crypto/heimdal-0.6.3/kdc/log.c deleted file mode 100644 index aa430aa7ce..0000000000 --- a/crypto/heimdal-0.6.3/kdc/log.c +++ /dev/null 
@@ -1,84 +0,0 @@
-/*
- * Copyright (c) 1997, 1998, 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kdc_locl.h"
-RCSID("$Id: log.c,v 1.14 2002/08/19 12:17:49 joda Exp $");
-
-static krb5_log_facility *logf;
-
-void
-kdc_openlog(void)
-{
- char **s = NULL, **p;
- krb5_initlog(context, "kdc", &logf);
- s = krb5_config_get_strings(context, NULL, "kdc", "logging", NULL);
- if(s == NULL)
- s = krb5_config_get_strings(context, NULL, "logging", "kdc", NULL);
- if(s){
- for(p = s; *p; p++)
- krb5_addlog_dest(context, logf, *p);
- krb5_config_free_strings(s);
- }else
- krb5_addlog_dest(context, logf, DEFAULT_LOG_DEST);
- krb5_set_warn_dest(context, logf);
-}
-
-char*
-kdc_log_msg_va(int level, const char *fmt, va_list ap)
-{
- char *msg;
- krb5_vlog_msg(context, logf, &msg, level, fmt, ap);
- return msg;
-}
-
-char*
-kdc_log_msg(int level, const char *fmt, ...)
-{
- va_list ap;
- char *s;
- va_start(ap, fmt);
- s = kdc_log_msg_va(level, fmt, ap);
- va_end(ap);
- return s;
-}
-
-void
-kdc_log(int level, const char *fmt, ...)
-{
- va_list ap;
- char *s;
- va_start(ap, fmt);
- s = kdc_log_msg_va(level, fmt, ap);
- if(s) free(s);
- va_end(ap);
-}
diff --git a/crypto/heimdal-0.6.3/kdc/main.c b/crypto/heimdal-0.6.3/kdc/main.c
deleted file mode 100644
index 32ae20f5c2..0000000000
--- a/crypto/heimdal-0.6.3/kdc/main.c
+++ /dev/null
@@ -1,114 +0,0 @@
-/*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kdc_locl.h"
-#ifdef HAVE_UTIL_H
-#include
-#endif
-
-RCSID("$Id: main.c,v 1.27 2002/08/28 21:27:16 joda Exp $");
-
-sig_atomic_t exit_flag = 0;
-krb5_context context;
-
-#ifdef HAVE_DAEMON
-extern int detach_from_console;
-#endif
-
-static RETSIGTYPE
-sigterm(int sig)
-{
- exit_flag = 1;
-}
-
-int
-main(int argc, char **argv)
-{
- krb5_error_code ret;
- setprogname(argv[0]);
-
- ret = krb5_init_context(&context);
- if (ret)
- errx (1, "krb5_init_context failed: %d", ret);
-
- configure(argc, argv);
-
- if(databases == NULL) {
- db = malloc(sizeof(*db));
- num_db = 1;
- ret = hdb_create(context, &db[0], NULL);
- if(ret)
- krb5_err(context, 1, ret, "hdb_create %s", HDB_DEFAULT_DB);
- ret = hdb_set_master_keyfile(context, db[0], NULL);
- if (ret)
- krb5_err(context, 1, ret, "hdb_set_master_keyfile");
- } else {
- struct dbinfo *d;
- int i;
- /* count databases */
- for(d = databases, i = 0; d; d = d->next, i++);
- db = malloc(i * sizeof(*db));
- for(d = databases, num_db = 0; d; d = d->next, num_db++) {
- ret = hdb_create(context, &db[num_db], d->dbname);
- if(ret)
- krb5_err(context, 1, ret, "hdb_create %s", d->dbname);
- ret = hdb_set_master_keyfile(context, db[num_db], d->mkey_file);
- if (ret)
- krb5_err(context, 1, ret, "hdb_set_master_keyfile");
- }
- }
-
-#ifdef HAVE_SIGACTION
- {
- struct sigaction sa;
-
- sa.sa_flags = 0;
- sa.sa_handler = sigterm;
- sigemptyset(&sa.sa_mask);
-
- sigaction(SIGINT, &sa, NULL);
- sigaction(SIGTERM, &sa, NULL);
- }
-#else
- signal(SIGINT, sigterm);
- signal(SIGTERM, sigterm);
-#endif
-#ifdef HAVE_DAEMON
- if (detach_from_console)
- daemon(0, 0);
-#endif
- pidfile(NULL);
- loop();
- krb5_free_context(context);
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/kdc/misc.c b/crypto/heimdal-0.6.3/kdc/misc.c
deleted file mode 100644
index aebdc6895b..0000000000
--- a/crypto/heimdal-0.6.3/kdc/misc.c
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kdc_locl.h"
-
-RCSID("$Id: misc.c,v 1.22 2001/01/30 03:54:21 assar Exp $");
-
-struct timeval now;
-
-krb5_error_code
-db_fetch(krb5_principal principal, hdb_entry **h)
-{
- hdb_entry *ent;
- krb5_error_code ret = HDB_ERR_NOENTRY;
- int i;
-
- ent = malloc (sizeof (*ent));
- if (ent == NULL)
- return ENOMEM;
- ent->principal = principal;
-
- for(i = 0; i < num_db; i++) {
- ret = db[i]->open(context, db[i], O_RDONLY, 0);
- if (ret) {
- kdc_log(0, "Failed to open database: %s",
- krb5_get_err_text(context, ret));
- continue;
- }
- ret = db[i]->fetch(context, db[i], HDB_F_DECRYPT, ent);
- db[i]->close(context, db[i]);
- if(ret == 0) {
- *h = ent;
- return 0;
- }
- }
- free(ent);
- return ret;
-}
-
-void
-free_ent(hdb_entry *ent)
-{
- hdb_free_entry (context, ent);
- free (ent);
-}
-
diff --git a/crypto/heimdal-0.6.3/kdc/mit_dump.c b/crypto/heimdal-0.6.3/kdc/mit_dump.c
deleted file mode 100644
index 336d265791..0000000000
--- a/crypto/heimdal-0.6.3/kdc/mit_dump.c
+++ /dev/null
@@ -1,370 +0,0 @@ -/* - * Copyright (c) 2000 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "hprop.h" - -RCSID("$Id: mit_dump.c,v 1.3 2000/08/09 09:57:37 joda Exp $"); - -/* -can have any number of princ stanzas. -format is as follows (only \n indicates newlines) -princ\t%d\t (%d is KRB5_KDB_V1_BASE_LENGTH, always 38) -%d\t (strlen of principal e.g. 
shadow/foo@ANDREW.CMU.EDU) -%d\t (number of tl_data) -%d\t (number of key data, e.g. how many keys for this user) -%d\t (extra data length) -%s\t (principal name) -%d\t (attributes) -%d\t (max lifetime, seconds) -%d\t (max renewable life, seconds) -%d\t (expiration, seconds since epoch or 2145830400 for never) -%d\t (password expiration, seconds, 0 for never) -%d\t (last successful auth, seconds since epoch) -%d\t (last failed auth, per above) -%d\t (failed auth count) -foreach tl_data 0 to number of tl_data - 1 as above - %d\t%d\t (data type, data length) - foreach tl_data 0 to length-1 - %02x (tl data contents[element n]) - except if tl_data length is 0 - %d (always -1) - \t -foreach key 0 to number of keys - 1 as above - %d\t%d\t (key data version, kvno) - foreach version 0 to key data version - 1 (a key or a salt) - %d\t%d\t(data type for this key, data length for this key) - foreach key data length 0 to length-1 - %02x (key data contents[element n]) - except if key_data length is 0 - %d (always -1) - \t -foreach extra data length 0 to length - 1 - %02x (extra data part) -unless no extra data - %d (always -1) -;\n - -*/ - -static int -hex_to_octet_string(const char *ptr, krb5_data *data) -{ - int i; - unsigned int v; - for(i = 0; i < data->length; i++) { - if(sscanf(ptr + 2 * i, "%02x", &v) != 1) - return -1; - ((unsigned char*)data->data)[i] = v; - } - return 2 * i; -} - -static char * -nexttoken(char **p) -{ - char *q; - do { - q = strsep(p, " \t"); - } while(q && *q == '\0'); - return q; -} - -static size_t -getdata(char **p, unsigned char *buf, size_t len) -{ - size_t i; - int v; - char *q = nexttoken(p); - i = 0; - while(*q && i < len) { - if(sscanf(q, "%02x", &v) != 1) - break; - buf[i++] = v; - q += 2; - } - return i; -} - -static int -getint(char **p) -{ - int val; - char *q = nexttoken(p); - sscanf(q, "%d", &val); - return val; -} - -#include - -static void -attr_to_flags(unsigned attr, HDBFlags *flags) -{ - flags->postdate = !(attr & 
KRB5_KDB_DISALLOW_POSTDATED); - flags->forwardable = !(attr & KRB5_KDB_DISALLOW_FORWARDABLE); - flags->initial = !!(attr & KRB5_KDB_DISALLOW_TGT_BASED); - flags->renewable = !(attr & KRB5_KDB_DISALLOW_RENEWABLE); - flags->proxiable = !(attr & KRB5_KDB_DISALLOW_PROXIABLE); - /* DUP_SKEY */ - flags->invalid = !!(attr & KRB5_KDB_DISALLOW_ALL_TIX); - flags->require_preauth = !!(attr & KRB5_KDB_REQUIRES_PRE_AUTH); - /* HW_AUTH */ - flags->server = !(attr & KRB5_KDB_DISALLOW_SVR); - flags->change_pw = !!(attr & KRB5_KDB_PWCHANGE_SERVICE); - flags->client = 1; /* XXX */ -} - -#define KRB5_KDB_SALTTYPE_NORMAL 0 -#define KRB5_KDB_SALTTYPE_V4 1 -#define KRB5_KDB_SALTTYPE_NOREALM 2 -#define KRB5_KDB_SALTTYPE_ONLYREALM 3 -#define KRB5_KDB_SALTTYPE_SPECIAL 4 -#define KRB5_KDB_SALTTYPE_AFS3 5 - -static krb5_error_code -fix_salt(krb5_context context, hdb_entry *ent, int key_num) -{ - krb5_error_code ret; - Salt *salt = ent->keys.val[key_num].salt; - /* fix salt type */ - switch((int)salt->type) { - case KRB5_KDB_SALTTYPE_NORMAL: - salt->type = KRB5_PADATA_PW_SALT; - break; - case KRB5_KDB_SALTTYPE_V4: - krb5_data_free(&salt->salt); - salt->type = KRB5_PADATA_PW_SALT; - break; - case KRB5_KDB_SALTTYPE_NOREALM: - { - size_t len; - int i; - krb5_error_code ret; - char *p; - - len = 0; - for (i = 0; i < ent->principal->name.name_string.len; ++i) - len += strlen(ent->principal->name.name_string.val[i]); - ret = krb5_data_alloc (&salt->salt, len); - if (ret) - return ret; - p = salt->salt.data; - for (i = 0; i < ent->principal->name.name_string.len; ++i) { - memcpy (p, - ent->principal->name.name_string.val[i], - strlen(ent->principal->name.name_string.val[i])); - p += strlen(ent->principal->name.name_string.val[i]); - } - - salt->type = KRB5_PADATA_PW_SALT; - break; - } - case KRB5_KDB_SALTTYPE_ONLYREALM: - krb5_data_free(&salt->salt); - ret = krb5_data_copy(&salt->salt, - ent->principal->realm, - strlen(ent->principal->realm)); - if(ret) - return ret; - salt->type = 
KRB5_PADATA_PW_SALT; - break; - case KRB5_KDB_SALTTYPE_SPECIAL: - salt->type = KRB5_PADATA_PW_SALT; - break; - case KRB5_KDB_SALTTYPE_AFS3: - krb5_data_free(&salt->salt); - ret = krb5_data_copy(&salt->salt, - ent->principal->realm, - strlen(ent->principal->realm)); - if(ret) - return ret; - salt->type = KRB5_PADATA_AFS3_SALT; - break; - default: - abort(); - } - return 0; -} - -int -mit_prop_dump(void *arg, const char *file) -{ - krb5_error_code ret; - char buf [1024]; - FILE *f; - int lineno = 0; - struct hdb_entry ent; - - struct prop_data *pd = arg; - - f = fopen(file, "r"); - if(f == NULL) - return errno; - - while(fgets(buf, sizeof(buf), f)) { - char *p = buf, *q; - - int i; - - int num_tl_data; - int num_key_data; - int extra_data_length; - int attributes; - - int tmp; - - lineno++; - - memset(&ent, 0, sizeof(ent)); - - q = nexttoken(&p); - if(strcmp(q, "kdb5_util") == 0) { - int major; - q = nexttoken(&p); /* load_dump */ - if(strcmp(q, "load_dump")) - errx(1, "line %d: unknown version", lineno); - q = nexttoken(&p); /* load_dump */ - if(strcmp(q, "version")) - errx(1, "line %d: unknown version", lineno); - q = nexttoken(&p); /* x.0 */ - if(sscanf(q, "%d", &major) != 1) - errx(1, "line %d: unknown version", lineno); - if(major != 4) - errx(1, "unknown dump file format, got %d, expected 4", major); - continue; - } else if(strcmp(q, "princ") != 0) { - warnx("line %d: not a principal", lineno); - continue; - } - tmp = getint(&p); - if(tmp != 38) { - warnx("line %d: bad base length %d != 38", lineno, tmp); - continue; - } - q = nexttoken(&p); /* length of principal */ - num_tl_data = getint(&p); /* number of tl-data */ - num_key_data = getint(&p); /* number of key-data */ - extra_data_length = getint(&p); /* length of extra data */ - q = nexttoken(&p); /* principal name */ - krb5_parse_name(pd->context, q, &ent.principal); - attributes = getint(&p); /* attributes */ - attr_to_flags(attributes, &ent.flags); - tmp = getint(&p); /* max life */ - if(tmp != 0) { - 
ALLOC(ent.max_life); - *ent.max_life = tmp; - } - tmp = getint(&p); /* max renewable life */ - if(tmp != 0) { - ALLOC(ent.max_renew); - *ent.max_renew = tmp; - } - tmp = getint(&p); /* expiration */ - if(tmp != 0 && tmp != 2145830400) { - ALLOC(ent.valid_end); - *ent.valid_end = tmp; - } - tmp = getint(&p); /* pw expiration */ - if(tmp != 0) { - ALLOC(ent.pw_end); - *ent.pw_end = tmp; - } - q = nexttoken(&p); /* last auth */ - q = nexttoken(&p); /* last failed auth */ - q = nexttoken(&p); /* fail auth count */ - for(i = 0; i < num_tl_data; i++) { - unsigned long val; - int tl_type, tl_length; - unsigned char *buf; - krb5_principal princ; - - tl_type = getint(&p); /* data type */ - tl_length = getint(&p); /* data length */ - -#define KRB5_TL_LAST_PWD_CHANGE 1 -#define KRB5_TL_MOD_PRINC 2 - switch(tl_type) { - case KRB5_TL_MOD_PRINC: - buf = malloc(tl_length); - getdata(&p, buf, tl_length); /* data itself */ - val = buf[0] | (buf[1] << 8) | (buf[2] << 16) | (buf[3] << 24); - ret = krb5_parse_name(pd->context, buf + 4, &princ); - free(buf); - ALLOC(ent.modified_by); - ent.modified_by->time = val; - ent.modified_by->principal = princ; - break; - default: - nexttoken(&p); - break; - } - } - ALLOC_SEQ(&ent.keys, num_key_data); - for(i = 0; i < num_key_data; i++) { - int key_versions; - key_versions = getint(&p); /* key data version */ - ent.kvno = getint(&p); /* XXX kvno */ - - ALLOC(ent.keys.val[i].mkvno); - *ent.keys.val[i].mkvno = 0; - - /* key version 0 -- actual key */ - ent.keys.val[i].key.keytype = getint(&p); /* key type */ - tmp = getint(&p); /* key length */ - /* the first two bytes of the key is the key length -- - skip it */ - krb5_data_alloc(&ent.keys.val[i].key.keyvalue, tmp - 2); - q = nexttoken(&p); /* key itself */ - hex_to_octet_string(q + 4, &ent.keys.val[i].key.keyvalue); - - if(key_versions > 1) { - /* key version 1 -- optional salt */ - ALLOC(ent.keys.val[i].salt); - ent.keys.val[i].salt->type = getint(&p); /* salt type */ - tmp = getint(&p); /* 
salt length */ - if(tmp > 0) { - krb5_data_alloc(&ent.keys.val[i].salt->salt, tmp - 2); - q = nexttoken(&p); /* salt itself */ - hex_to_octet_string(q + 4, &ent.keys.val[i].salt->salt); - } else { - ent.keys.val[i].salt->salt.length = 0; - ent.keys.val[i].salt->salt.data = NULL; - tmp = getint(&p); /* -1, if no data. */ - } - fix_salt(pd->context, &ent, i); - } - } - q = nexttoken(&p); /* extra data */ - v5_prop(pd->context, NULL, &ent, arg); - } - return 0; -} diff --git a/crypto/heimdal-0.6.3/kdc/rx.h b/crypto/heimdal-0.6.3/kdc/rx.h deleted file mode 100644 index ab8ec80523..0000000000 --- a/crypto/heimdal-0.6.3/kdc/rx.h +++ /dev/null 
@@ -1,79 +0,0 @@
-/*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: rx.h,v 1.4 1999/12/02 17:05:00 joda Exp $ */
-
-#ifndef __RX_H__
-#define __RX_H__
-
-/* header of a RPC packet */
-
-enum rx_header_type {
- HT_DATA = 1,
- HT_ACK = 2,
- HT_BUSY = 3,
- HT_ABORT = 4,
- HT_ACKALL = 5,
- HT_CHAL = 6,
- HT_RESP = 7,
- HT_DEBUG = 8
-};
-
-/* For flags in header */
-
-enum rx_header_flag {
- HF_CLIENT_INITIATED = 1,
- HF_REQ_ACK = 2,
- HF_LAST = 4,
- HF_MORE = 8
-};
-
-struct rx_header {
- u_int32_t epoch;
- u_int32_t connid; /* And channel ID */
- u_int32_t callid;
- u_int32_t seqno;
- u_int32_t serialno;
- u_char type;
- u_char flags;
- u_char status;
- u_char secindex;
- u_int16_t reserved; /* ??? verifier? */
- u_int16_t serviceid;
-/* This should be the other way around according to everything but */
-/* tcpdump */
-};
-
-#define RX_HEADER_SIZE 28
-
-#endif /* __RX_H__ */
diff --git a/crypto/heimdal-0.6.3/kdc/string2key.8 b/crypto/heimdal-0.6.3/kdc/string2key.8
deleted file mode 100644
index dc9d63b5f7..0000000000
--- a/crypto/heimdal-0.6.3/kdc/string2key.8
+++ /dev/null
@@ -1,110 +0,0 @@
-.\" Copyright (c) 2000 - 2002 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: string2key.8,v 1.6 2003/02/16 21:10:21 lha Exp $
-.\"
-.Dd March 4, 2000
-.Dt STRING2KEY 8
-.Os HEIMDAL
-.Sh NAME
-.Nm string2key
-.Nd map a password into a key
-.Sh SYNOPSIS
-.Nm
-.Op Fl 5 | Fl -version5
-.Op Fl 4 | Fl -version4
-.Op Fl a | Fl -afs
-.Oo Fl c Ar cell \*(Ba Xo
-.Fl -cell= Ns Ar cell
-.Xc
-.Oc
-.Oo Fl w Ar password \*(Ba Xo
-.Fl -password= Ns Ar password
-.Xc
-.Oc
-.Oo Fl p Ar principal \*(Ba Xo
-.Fl -principal= Ns Ar principal
-.Xc
-.Oc
-.Oo Fl k Ar string \*(Ba Xo
-.Fl -keytype= Ns Ar string
-.Xc
-.Oc
-.Ar password
-.Sh DESCRIPTION
-.Nm
-performs the string-to-key function.
-This is useful when you want to handle the raw key instead of the password.
-Supported options:
-.Bl -tag -width Ds
-.It Xo
-.Fl 5 ,
-.Fl -version5
-.Xc
-Output Kerberos v5 string-to-key
-.It Xo
-.Fl 4 ,
-.Fl -version4
-.Xc
-Output Kerberos v4 string-to-key
-.It Xo
-.Fl a ,
-.Fl -afs
-.Xc
-Output AFS string-to-key
-.It Xo
-.Fl c Ar cell ,
-.Fl -cell= Ns Ar cell
-.Xc
-AFS cell to use
-.It Xo
-.Fl w Ar password ,
-.Fl -password= Ns Ar password
-.Xc
-Password to use
-.It Xo
-.Fl p Ar principal ,
-.Fl -principal= Ns Ar principal
-.Xc
-Kerberos v5 principal to use
-.It Xo
-.Fl k Ar string ,
-.Fl -keytype= Ns Ar string
-.Xc
-Keytype
-.It Xo
-.Fl -version
-.Xc
-print version
-.It Xo
-.Fl -help
-.Xc
-.El
diff --git a/crypto/heimdal-0.6.3/kdc/string2key.c b/crypto/heimdal-0.6.3/kdc/string2key.c
deleted file mode 100644
index 8a38442be9..0000000000
--- a/crypto/heimdal-0.6.3/kdc/string2key.c
+++ /dev/null
@@ -1,194 +0,0 @@
-/*
- * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "headers.h" -#include - -RCSID("$Id: string2key.c,v 1.20 2003/03/25 12:28:52 joda Exp $"); - -int version5; -int version4; -int afs; -char *principal; -char *cell; -char *password; -const char *keytype_str = "des3-cbc-sha1"; -int version; -int help; - -struct getargs args[] = { - { "version5", '5', arg_flag, &version5, "Output Kerberos v5 string-to-key" }, - { "version4", '4', arg_flag, &version4, "Output Kerberos v4 string-to-key" }, - { "afs", 'a', arg_flag, &afs, "Output AFS string-to-key" }, - { "cell", 'c', arg_string, &cell, "AFS cell to use", "cell" }, - { "password", 'w', arg_string, &password, "Password to use", "password" }, - { "principal",'p', arg_string, &principal, "Kerberos v5 principal to use", "principal" }, - { "keytype", 'k', arg_string, &keytype_str, "Keytype" }, - { "version", 0, arg_flag, &version, "print version" }, - { "help", 0, arg_flag, &help, NULL } -}; - -int num_args = sizeof(args) / sizeof(args[0]); - -static void -usage(int status) -{ - arg_printusage (args, num_args, NULL, "password"); - exit(status); -} - -static void -tokey(krb5_context context, - krb5_enctype enctype, - const char *password, - krb5_salt salt, - const char *label) -{ - int i; - krb5_keyblock key; - char *e; - krb5_string_to_key_salt(context, enctype, password, salt, &key); - krb5_enctype_to_string(context, enctype, &e); - printf(label, e); - printf(": "); - for(i = 0; i < key.keyvalue.length; i++) - printf("%02x", ((unsigned char*)key.keyvalue.data)[i]); - printf("\n"); - krb5_free_keyblock_contents(context, &key); -} - -int -main(int argc, char **argv) -{ - krb5_context context; - krb5_principal princ; - krb5_salt salt; - int optind; - char buf[1024]; - krb5_enctype etype; - krb5_error_code ret; - - optind = krb5_program_setup(&context, argc, argv, args, num_args, NULL); - - if(help) - usage(0); - - if(version){ - print_version (NULL); - return 0; - } - - argc -= optind; - argv += optind; - - if (argc > 1) - usage(1); - - if(!version5 && 
!version4 && !afs) - version5 = 1; - - ret = krb5_string_to_enctype(context, keytype_str, &etype); - if(ret) { - krb5_keytype keytype; - int *etypes; - unsigned num; - ret = krb5_string_to_keytype(context, keytype_str, &keytype); - if(ret) - krb5_err(context, 1, ret, "%s", keytype_str); - ret = krb5_keytype_to_enctypes(context, keytype, &num, &etypes); - if(ret) - krb5_err(context, 1, ret, "%s", keytype_str); - if(num == 0) - krb5_errx(context, 1, "there are no encryption types for that keytype"); - etype = etypes[0]; - krb5_enctype_to_string(context, etype, &keytype_str); - if(num > 1 && version5) - krb5_warnx(context, "ambiguous keytype, using %s", keytype_str); - } - - if((etype != ETYPE_DES_CBC_CRC && - etype != ETYPE_DES_CBC_MD4 && - etype != ETYPE_DES_CBC_MD5) && - (afs || version4)) { - if(!version5) { - etype = ETYPE_DES_CBC_CRC; - } else { - krb5_errx(context, 1, - "DES is the only valid keytype for AFS and Kerberos 4"); - } - } - - if(version5 && principal == NULL){ - printf("Kerberos v5 principal: "); - if(fgets(buf, sizeof(buf), stdin) == NULL) - return 1; - if(buf[strlen(buf) - 1] == '\n') - buf[strlen(buf) - 1] = '\0'; - principal = estrdup(buf); - } - if(afs && cell == NULL){ - printf("AFS cell: "); - if(fgets(buf, sizeof(buf), stdin) == NULL) - return 1; - if(buf[strlen(buf) - 1] == '\n') - buf[strlen(buf) - 1] = '\0'; - cell = estrdup(buf); - } - if(argv[0]) - password = argv[0]; - if(password == NULL){ - if(des_read_pw_string(buf, sizeof(buf), "Password: ", 0)) - return 1; - password = buf; - } - - if(version5){ - krb5_parse_name(context, principal, &princ); - krb5_get_pw_salt(context, princ, &salt); - tokey(context, etype, password, salt, "Kerberos 5 (%s)"); - krb5_free_salt(context, salt); - } - if(version4){ - salt.salttype = KRB5_PW_SALT; - salt.saltvalue.length = 0; - salt.saltvalue.data = NULL; - tokey(context, ETYPE_DES_CBC_MD5, password, salt, "Kerberos 4"); - } - if(afs){ - salt.salttype = KRB5_AFS3_SALT; - salt.saltvalue.length = 
strlen(cell); - salt.saltvalue.data = cell; - tokey(context, ETYPE_DES_CBC_MD5, password, salt, "AFS"); - } - return 0; -} diff --git a/crypto/heimdal-0.6.3/kdc/string2key.cat8 b/crypto/heimdal-0.6.3/kdc/string2key.cat8 deleted file mode 100644 index d70e150b50..0000000000 --- a/crypto/heimdal-0.6.3/kdc/string2key.cat8 +++ /dev/null @@ -1,42 +0,0 @@ - -STRING2KEY(8) UNIX System Manager's Manual STRING2KEY(8) - -NNAAMMEE - ssttrriinngg22kkeeyy - map a password into a key - -SSYYNNOOPPSSIISS - ssttrriinngg22kkeeyy [--55 | ----vveerrssiioonn55] [--44 | ----vveerrssiioonn44] [--aa | ----aaffss] [--cc _c_e_l_l | - ----cceellll==_c_e_l_l] [--ww _p_a_s_s_w_o_r_d | ----ppaasssswwoorrdd==_p_a_s_s_w_o_r_d] [--pp _p_r_i_n_c_i_p_a_l | - ----pprriinncciippaall==_p_r_i_n_c_i_p_a_l] [--kk _s_t_r_i_n_g | ----kkeeyyttyyppee==_s_t_r_i_n_g] _p_a_s_s_w_o_r_d - -DDEESSCCRRIIPPTTIIOONN - ssttrriinngg22kkeeyy performs the string-to-key function. This is useful when you - want to handle the raw key instead of the password. Supported options: - - --55, ----vveerrssiioonn55 - Output Kerberos v5 string-to-key - - --44, ----vveerrssiioonn44 - Output Kerberos v4 string-to-key - - --aa, ----aaffss - Output AFS string-to-key - - --cc _c_e_l_l, ----cceellll==_c_e_l_l - AFS cell to use - - --ww _p_a_s_s_w_o_r_d, ----ppaasssswwoorrdd==_p_a_s_s_w_o_r_d - Password to use - - --pp _p_r_i_n_c_i_p_a_l, ----pprriinncciippaall==_p_r_i_n_c_i_p_a_l - Kerberos v5 principal to use - - --kk _s_t_r_i_n_g, ----kkeeyyttyyppee==_s_t_r_i_n_g - Keytype - - ----vveerrssiioonn - print version - - ----hheellpp - - HEIMDAL March 4, 2000 1 diff --git a/crypto/heimdal-0.6.3/kdc/v4_dump.c b/crypto/heimdal-0.6.3/kdc/v4_dump.c deleted file mode 100644 index ddf8222bce..0000000000 --- a/crypto/heimdal-0.6.3/kdc/v4_dump.c +++ /dev/null 
@@ -1,142 +0,0 @@
-/*
- * Copyright (c) 2000 - 2001, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "hprop.h" - -RCSID("$Id: v4_dump.c,v 1.4.8.1 2003/04/28 12:24:54 lha Exp $"); - -static time_t -time_parse(const char *cp) -{ - char wbuf[5]; - struct tm tp; - int local; - - memset(&tp, 0, sizeof(tp)); /* clear out the struct */ - - /* new format is YYYYMMDDHHMM UTC, - old format is YYMMDDHHMM local time */ - if (strlen(cp) > 10) { /* new format */ - strlcpy(wbuf, cp, sizeof(wbuf)); - tp.tm_year = atoi(wbuf) - 1900; - cp += 4; - local = 0; - } else { - wbuf[0] = *cp++; - wbuf[1] = *cp++; - wbuf[2] = '\0'; - tp.tm_year = atoi(wbuf); - if(tp.tm_year < 38) - tp.tm_year += 100; - local = 1; - } - - wbuf[0] = *cp++; - wbuf[1] = *cp++; - wbuf[2] = 0; - tp.tm_mon = atoi(wbuf) - 1; - - wbuf[0] = *cp++; - wbuf[1] = *cp++; - tp.tm_mday = atoi(wbuf); - - wbuf[0] = *cp++; - wbuf[1] = *cp++; - tp.tm_hour = atoi(wbuf); - - wbuf[0] = *cp++; - wbuf[1] = *cp++; - tp.tm_min = atoi(wbuf); - - return(tm2time(tp, local)); -} - -/* convert a version 4 dump file */ -int -v4_prop_dump(void *arg, const char *file) -{ - char buf [1024]; - FILE *f; - int lineno = 0; - - f = fopen(file, "r"); - if(f == NULL) - return errno; - - while(fgets(buf, sizeof(buf), f)) { - int ret; - unsigned long key[2]; /* yes, long */ - char exp_date[64], mod_date[64]; - struct v4_principal pr; - int attributes; - - memset(&pr, 0, sizeof(pr)); - errno = 0; - lineno++; - ret = sscanf(buf, "%63s %63s %d %d %d %d %lx %lx %63s %63s %63s %63s", - pr.name, pr.instance, - &pr.max_life, &pr.mkvno, &pr.kvno, - &attributes, - &key[0], &key[1], - exp_date, mod_date, - pr.mod_name, pr.mod_instance); - if(ret != 12){ - warnx("Line %d malformed (ignored)", lineno); - continue; - } - if(attributes != 0) { - warnx("Line %d (%s.%s) has non-zero attributes - skipping", - lineno, pr.name, pr.instance); - continue; - } - pr.key[0] = (key[0] >> 24) & 0xff; - pr.key[1] = (key[0] >> 16) & 0xff; - pr.key[2] = (key[0] >> 8) & 0xff; - pr.key[3] = (key[0] >> 0) & 0xff; - pr.key[4] = (key[1] >> 24) & 0xff; - pr.key[5] = 
(key[1] >> 16) & 0xff; - pr.key[6] = (key[1] >> 8) & 0xff; - pr.key[7] = (key[1] >> 0) & 0xff; - pr.exp_date = time_parse(exp_date); - pr.mod_date = time_parse(mod_date); - if (pr.instance[0] == '*') - pr.instance[0] = '\0'; - if (pr.mod_name[0] == '*') - pr.mod_name[0] = '\0'; - if (pr.mod_instance[0] == '*') - pr.mod_instance[0] = '\0'; - v4_prop(arg, &pr); - memset(&pr, 0, sizeof(pr)); - } - return 0; -} diff --git a/crypto/heimdal-0.6.3/kpasswd/Makefile.am b/crypto/heimdal-0.6.3/kpasswd/Makefile.am deleted file mode 100644 index 5e287a9c37..0000000000 --- a/crypto/heimdal-0.6.3/kpasswd/Makefile.am +++ /dev/null @@ -1,31 +0,0 @@ -# $Id: Makefile.am,v 1.16 2001/08/28 08:31:29 assar Exp $ - -include $(top_srcdir)/Makefile.am.common - -INCLUDES += $(INCLUDE_des) - -man_MANS = kpasswd.1 kpasswdd.8 - -bin_PROGRAMS = kpasswd - -kpasswd_SOURCES = kpasswd.c kpasswd_locl.h - -libexec_PROGRAMS = kpasswdd - -noinst_PROGRAMS = kpasswd-generator - -kpasswdd_SOURCES = kpasswdd.c kpasswd_locl.h - -kpasswdd_LDADD = \ - $(top_builddir)/lib/kadm5/libkadm5srv.la \ - $(top_builddir)/lib/hdb/libhdb.la \ - $(LIB_openldap) \ - $(LDADD) \ - $(LIB_pidfile) \ - $(LIB_dlopen) \ - $(DBLIB) - -LDADD = $(top_builddir)/lib/krb5/libkrb5.la \ - $(LIB_des) \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_roken) diff --git a/crypto/heimdal-0.6.3/kpasswd/Makefile.in b/crypto/heimdal-0.6.3/kpasswd/Makefile.in deleted file mode 100644 index f29cde7f41..0000000000 --- a/crypto/heimdal-0.6.3/kpasswd/Makefile.in +++ /dev/null 
@@ -1,932 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.16 2001/08/28 08:31:29 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - -SOURCES = $(kpasswd_SOURCES) kpasswd-generator.c $(kpasswdd_SOURCES) - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = .. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ - $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common -bin_PROGRAMS = kpasswd$(EXEEXT) -libexec_PROGRAMS = kpasswdd$(EXEEXT) -noinst_PROGRAMS = kpasswd-generator$(EXEEXT) -subdir = kpasswd -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 
$(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - $(top_srcdir)/cf/krb-struct-spwd.m4 \ - $(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man8dir)" -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -PROGRAMS = $(bin_PROGRAMS) $(libexec_PROGRAMS) $(noinst_PROGRAMS) -am_kpasswd_OBJECTS = kpasswd.$(OBJEXT) -kpasswd_OBJECTS = $(am_kpasswd_OBJECTS) -kpasswd_LDADD = $(LDADD) -am__DEPENDENCIES_1 = -kpasswd_DEPENDENCIES = $(top_builddir)/lib/krb5/libkrb5.la \ - $(am__DEPENDENCIES_1) $(top_builddir)/lib/asn1/libasn1.la \ - $(am__DEPENDENCIES_1) -kpasswd_generator_SOURCES = kpasswd-generator.c -kpasswd_generator_OBJECTS = kpasswd-generator.$(OBJEXT) -kpasswd_generator_LDADD = $(LDADD) -kpasswd_generator_DEPENDENCIES = $(top_builddir)/lib/krb5/libkrb5.la \ - $(am__DEPENDENCIES_1) $(top_builddir)/lib/asn1/libasn1.la \ - $(am__DEPENDENCIES_1) -am_kpasswdd_OBJECTS = kpasswdd.$(OBJEXT) -kpasswdd_OBJECTS = $(am_kpasswdd_OBJECTS) -am__DEPENDENCIES_2 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(am__DEPENDENCIES_1) $(top_builddir)/lib/asn1/libasn1.la \ - $(am__DEPENDENCIES_1) -kpasswdd_DEPENDENCIES = $(top_builddir)/lib/kadm5/libkadm5srv.la \ - $(top_builddir)/lib/hdb/libhdb.la $(am__DEPENDENCIES_1) \ 
- $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) -DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -SOURCES = $(kpasswd_SOURCES) kpasswd-generator.c $(kpasswdd_SOURCES) -DIST_SOURCES = $(kpasswd_SOURCES) kpasswd-generator.c \ - $(kpasswdd_SOURCES) -man1dir = $(mandir)/man1 -man8dir = $(mandir)/man8 -MANS = $(man_MANS) -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ 
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = 
@LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ 
-build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_des) -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ 
$(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -man_MANS = kpasswd.1 kpasswdd.8 -kpasswd_SOURCES = kpasswd.c kpasswd_locl.h -kpasswdd_SOURCES = kpasswdd.c kpasswd_locl.h -kpasswdd_LDADD = \ - $(top_builddir)/lib/kadm5/libkadm5srv.la \ - $(top_builddir)/lib/hdb/libhdb.la \ - $(LIB_openldap) \ - $(LDADD) \ - $(LIB_pidfile) \ - $(LIB_dlopen) \ - $(DBLIB) - -LDADD = $(top_builddir)/lib/krb5/libkrb5.la \ - $(LIB_des) \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_roken) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps kpasswd/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps kpasswd/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' 
in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -install-binPROGRAMS: $(bin_PROGRAMS) - @$(NORMAL_INSTALL) - test -z "$(bindir)" || $(mkdir_p) "$(DESTDIR)$(bindir)" - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(bindir)/$$f'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(bindir)/$$f" || exit 1; \ - else :; fi; \ - done - -uninstall-binPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f '$(DESTDIR)$(bindir)/$$f'"; \ - rm -f "$(DESTDIR)$(bindir)/$$f"; \ - done - -clean-binPROGRAMS: - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -install-libexecPROGRAMS: $(libexec_PROGRAMS) - @$(NORMAL_INSTALL) - test -z "$(libexecdir)" || $(mkdir_p) "$(DESTDIR)$(libexecdir)" - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo 
"$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(libexecdir)/$$f'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(libexecdir)/$$f" || exit 1; \ - else :; fi; \ - done - -uninstall-libexecPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f '$(DESTDIR)$(libexecdir)/$$f'"; \ - rm -f "$(DESTDIR)$(libexecdir)/$$f"; \ - done - -clean-libexecPROGRAMS: - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done - -clean-noinstPROGRAMS: - @list='$(noinst_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -kpasswd$(EXEEXT): $(kpasswd_OBJECTS) $(kpasswd_DEPENDENCIES) - @rm -f kpasswd$(EXEEXT) - $(LINK) $(kpasswd_LDFLAGS) $(kpasswd_OBJECTS) $(kpasswd_LDADD) $(LIBS) -kpasswd-generator$(EXEEXT): $(kpasswd_generator_OBJECTS) $(kpasswd_generator_DEPENDENCIES) - @rm -f kpasswd-generator$(EXEEXT) - $(LINK) $(kpasswd_generator_LDFLAGS) $(kpasswd_generator_OBJECTS) $(kpasswd_generator_LDADD) $(LIBS) -kpasswdd$(EXEEXT): $(kpasswdd_OBJECTS) $(kpasswdd_DEPENDENCIES) - @rm -f kpasswdd$(EXEEXT) - $(LINK) $(kpasswdd_LDFLAGS) $(kpasswdd_OBJECTS) $(kpasswdd_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c $< - -.c.obj: - $(COMPILE) -c `$(CYGPATH_W) '$<'` - -.c.lo: - $(LTCOMPILE) -c -o $@ $< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -install-man1: $(man1_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - test -z "$(man1dir)" || $(mkdir_p) "$(DESTDIR)$(man1dir)" - @list='$(man1_MANS) 
$(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 1*) ;; \ - *) ext='1' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man1dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man1dir)/$$inst"; \ - done -uninstall-man1: - @$(NORMAL_UNINSTALL) - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 1*) ;; \ - *) ext='1' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f '$(DESTDIR)$(man1dir)/$$inst'"; \ - rm -f "$(DESTDIR)$(man1dir)/$$inst"; \ - done -install-man8: $(man8_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - test -z "$(man8dir)" || $(mkdir_p) "$(DESTDIR)$(man8dir)" - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " 
$(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ - done -uninstall-man8: - @$(NORMAL_UNINSTALL) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ - rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ - done - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - 
$$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/.. $(distdir)/../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) $(MANS) all-local -installdirs: - for dir in "$(DESTDIR)$(bindir)" "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man8dir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - 
echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-binPROGRAMS clean-generic clean-libexecPROGRAMS \ - clean-libtool clean-noinstPROGRAMS mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: install-man - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: install-binPROGRAMS install-libexecPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man1 install-man8 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-binPROGRAMS uninstall-info-am \ - uninstall-libexecPROGRAMS uninstall-man - -uninstall-man: uninstall-man1 uninstall-man8 - -.PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \ - clean clean-binPROGRAMS clean-generic clean-libexecPROGRAMS \ - clean-libtool clean-noinstPROGRAMS ctags distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am html html-am info info-am \ - install install-am install-binPROGRAMS install-data \ - install-data-am install-exec install-exec-am install-info \ - install-info-am install-libexecPROGRAMS install-man \ - install-man1 install-man8 install-strip installcheck \ - installcheck-am installdirs 
maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags uninstall uninstall-am uninstall-binPROGRAMS \ - uninstall-info-am uninstall-libexecPROGRAMS uninstall-man \ - uninstall-man1 uninstall-man8 - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case 
$$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal-0.6.3/kpasswd/kpasswd-generator.c b/crypto/heimdal-0.6.3/kpasswd/kpasswd-generator.c deleted file mode 100644 index 202dcfc877..0000000000 --- a/crypto/heimdal-0.6.3/kpasswd/kpasswd-generator.c +++ /dev/null 
@@ -1,200 +0,0 @@ -/* - * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "kpasswd_locl.h" - -RCSID("$Id: kpasswd-generator.c,v 1.5 2001/07/31 02:44:42 assar Exp $"); - -static unsigned -read_words (const char *filename, char ***ret_w) -{ - unsigned n, alloc; - FILE *f; - char buf[256]; - char **w = NULL; - - f = fopen (filename, "r"); - if (f == NULL) - err (1, "cannot open %s", filename); - alloc = n = 0; - while (fgets (buf, sizeof(buf), f) != NULL) { - if (buf[strlen (buf) - 1] == '\n') - buf[strlen (buf) - 1] = '\0'; - if (n >= alloc) { - alloc += 16; - w = erealloc (w, alloc * sizeof(char **)); - } - w[n++] = estrdup (buf); - } - *ret_w = w; - return n; -} - -static int -nop_prompter (krb5_context context, - void *data, - const char *name, - const char *banner, - int num_prompts, - krb5_prompt prompts[]) -{ - return 0; -} - -static void -generate_requests (const char *filename, unsigned nreq) -{ - krb5_context context; - krb5_error_code ret; - int i; - char **words; - unsigned nwords; - - ret = krb5_init_context (&context); - if (ret) - errx (1, "krb5_init_context failed: %d", ret); - - nwords = read_words (filename, &words); - - for (i = 0; i < nreq; ++i) { - char *name = words[rand() % nwords]; - krb5_get_init_creds_opt opt; - krb5_creds cred; - krb5_principal principal; - int result_code; - krb5_data result_code_string, result_string; - char *old_pwd, *new_pwd; - - krb5_get_init_creds_opt_init (&opt); - krb5_get_init_creds_opt_set_tkt_life (&opt, 300); - krb5_get_init_creds_opt_set_forwardable (&opt, FALSE); - krb5_get_init_creds_opt_set_proxiable (&opt, FALSE); - - ret = krb5_parse_name (context, name, &principal); - if (ret) - krb5_err (context, 1, ret, "krb5_parse_name %s", name); - - asprintf (&old_pwd, "%s", name); - asprintf (&new_pwd, "%s2", name); - - ret = krb5_get_init_creds_password (context, - &cred, - principal, - old_pwd, - nop_prompter, - NULL, - 0, - "kadmin/changepw", - &opt); - if( ret == KRB5KRB_AP_ERR_BAD_INTEGRITY - || ret == KRB5KRB_AP_ERR_MODIFIED) { - char *tmp; - - tmp = new_pwd; - 
new_pwd = old_pwd; - old_pwd = tmp; - - ret = krb5_get_init_creds_password (context, - &cred, - principal, - old_pwd, - nop_prompter, - NULL, - 0, - "kadmin/changepw", - &opt); - } - if (ret) - krb5_err (context, 1, ret, "krb5_get_init_creds_password"); - - krb5_free_principal (context, principal); - - ret = krb5_change_password (context, &cred, new_pwd, - &result_code, - &result_code_string, - &result_string); - if (ret) - krb5_err (context, 1, ret, "krb5_change_password"); - - free (old_pwd); - free (new_pwd); - krb5_free_creds_contents (context, &cred); - } -} - -static int version_flag = 0; -static int help_flag = 0; - -static struct getargs args[] = { - { "version", 0, arg_flag, &version_flag }, - { "help", 0, arg_flag, &help_flag } -}; - -static void -usage (int ret) -{ - arg_printusage (args, - sizeof(args)/sizeof(*args), - NULL, - "file [number]"); - exit (ret); -} - -int -main(int argc, char **argv) -{ - int optind = 0; - int nreq; - char *end; - - setprogname(argv[0]); - if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind)) - usage(1); - if (help_flag) - usage (0); - if (version_flag) { - print_version(NULL); - return 0; - } - argc -= optind; - argv += optind; - - if (argc != 2) - usage (1); - srand (0); - nreq = strtol (argv[1], &end, 0); - if (argv[1] == end || *end != '\0') - usage (1); - generate_requests (argv[0], nreq); - return 0; -} diff --git a/crypto/heimdal-0.6.3/kpasswd/kpasswd.1 b/crypto/heimdal-0.6.3/kpasswd/kpasswd.1 deleted file mode 100644 index 1c2e26c143..0000000000 --- a/crypto/heimdal-0.6.3/kpasswd/kpasswd.1 +++ /dev/null 
@@ -1,50 +0,0 @@
-.\" Copyright (c) 1997, 2000 - 2002 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: kpasswd.1,v 1.5 2003/02/16 21:10:22 lha Exp $
-.\"
-.Dd August 27, 1997
-.Dt KPASSWD 1
-.Os HEIMDAL
-.Sh NAME
-.Nm kpasswd
-.Nd Kerberos 5 password changing program
-.Sh SYNOPSIS
-.Nm
-.Op Ar principal
-.Sh DESCRIPTION
-.Nm
-is the client for changing passwords.
-.Sh DIAGNOSTICS
-If the password quality check fails or some other error occurs, an
-explanation is printed.
-.Sh SEE ALSO
-.Xr kpasswdd 8
diff --git a/crypto/heimdal-0.6.3/kpasswd/kpasswd.c b/crypto/heimdal-0.6.3/kpasswd/kpasswd.c
deleted file mode 100644
index 02f9557925..0000000000
--- a/crypto/heimdal-0.6.3/kpasswd/kpasswd.c
+++ /dev/null
@@ -1,146 +0,0 @@ -/* - * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "kpasswd_locl.h" -RCSID("$Id: kpasswd.c,v 1.24 2001/09/27 01:29:40 assar Exp $"); - -static int version_flag; -static int help_flag; - -static struct getargs args[] = { - { "version", 0, arg_flag, &version_flag }, - { "help", 0, arg_flag, &help_flag } -}; - -static void -usage (int ret, struct getargs *a, int num_args) -{ - arg_printusage (a, num_args, NULL, "[principal]"); - exit (ret); -} - -int -main (int argc, char **argv) -{ - krb5_error_code ret; - krb5_context context; - krb5_principal principal; - int optind = 0; - krb5_get_init_creds_opt opt; - krb5_creds cred; - int result_code; - krb5_data result_code_string, result_string; - char pwbuf[BUFSIZ]; - - optind = krb5_program_setup(&context, argc, argv, - args, sizeof(args) / sizeof(args[0]), usage); - - if (help_flag) - usage (0, args, sizeof(args) / sizeof(args[0])); - - if(version_flag){ - print_version (NULL); - exit(0); - } - - krb5_get_init_creds_opt_init (&opt); - - krb5_get_init_creds_opt_set_tkt_life (&opt, 300); - krb5_get_init_creds_opt_set_forwardable (&opt, FALSE); - krb5_get_init_creds_opt_set_proxiable (&opt, FALSE); - - argc -= optind; - argv += optind; - - if (argc > 1) - usage (1, args, sizeof(args) / sizeof(args[0])); - - ret = krb5_init_context (&context); - if (ret) - errx (1, "krb5_init_context failed: %d", ret); - - if(argv[0]) { - ret = krb5_parse_name (context, argv[0], &principal); - if (ret) - krb5_err (context, 1, ret, "krb5_parse_name"); - } else - principal = NULL; - - ret = krb5_get_init_creds_password (context, - &cred, - principal, - NULL, - krb5_prompter_posix, - NULL, - 0, - "kadmin/changepw", - &opt); - switch (ret) { - case 0: - break; - case KRB5_LIBOS_PWDINTR : - return 1; - case KRB5KRB_AP_ERR_BAD_INTEGRITY : - case KRB5KRB_AP_ERR_MODIFIED : - krb5_errx(context, 1, "Password incorrect"); - break; - default: - krb5_err(context, 1, ret, "krb5_get_init_creds"); - } - - krb5_data_zero (&result_code_string); - krb5_data_zero (&result_string); - - 
if(des_read_pw_string (pwbuf, sizeof(pwbuf), "New password: ", 1) != 0) - return 1; - - ret = krb5_change_password (context, &cred, pwbuf, - &result_code, - &result_code_string, - &result_string); - if (ret) - krb5_err (context, 1, ret, "krb5_change_password"); - - printf ("%s%s%.*s\n", krb5_passwd_result_to_string(context, - result_code), - result_string.length > 0 ? " : " : "", - (int)result_string.length, - (char *)result_string.data); - - krb5_data_free (&result_code_string); - krb5_data_free (&result_string); - - krb5_free_creds_contents (context, &cred); - krb5_free_context (context); - return result_code; -} diff --git a/crypto/heimdal-0.6.3/kpasswd/kpasswd.cat1 b/crypto/heimdal-0.6.3/kpasswd/kpasswd.cat1 deleted file mode 100644 index b307e117eb..0000000000 --- a/crypto/heimdal-0.6.3/kpasswd/kpasswd.cat1 +++ /dev/null @@ -1,20 +0,0 @@ - -KPASSWD(1) UNIX Reference Manual KPASSWD(1) - -NNAAMMEE - kkppaasssswwdd - Kerberos 5 password changing program - -SSYYNNOOPPSSIISS - kkppaasssswwdd [_p_r_i_n_c_i_p_a_l] - -DDEESSCCRRIIPPTTIIOONN - kkppaasssswwdd is the client for changing passwords. - -DDIIAAGGNNOOSSTTIICCSS - If the password quality check fails or some other error occurs, an expla- - nation is printed. - -SSEEEE AALLSSOO - kpasswdd(8) - - HEIMDAL August 27, 1997 1 diff --git a/crypto/heimdal-0.6.3/kpasswd/kpasswd_locl.h b/crypto/heimdal-0.6.3/kpasswd/kpasswd_locl.h deleted file mode 100644 index c254f6f20f..0000000000 --- a/crypto/heimdal-0.6.3/kpasswd/kpasswd_locl.h +++ /dev/null 
@@ -1,104 +0,0 @@ -/* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -/* $Id: kpasswd_locl.h,v 1.13 2002/09/10 20:03:48 joda Exp $ */ - -#ifndef __KPASSWD_LOCL_H__ -#define __KPASSWD_LOCL_H__ - -#ifdef HAVE_CONFIG_H -#include -#endif - -#include -#include -#include -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_FCNTL_H -#include -#endif -#ifdef HAVE_SYS_UIO_H -#include -#endif -#ifdef HAVE_UNISTD_H -#include -#endif -#ifdef HAVE_PWD_H -#include -#endif -#ifdef HAVE_SYS_TIME_H -#include -#endif -#ifdef HAVE_SYS_SELECT_H -#include -#endif -#ifdef HAVE_SYS_SOCKET_H -#include -#endif -#ifdef HAVE_NETINET_IN_H -#include -#endif -#ifdef HAVE_NETINET_IN6_H -#include -#endif -#ifdef HAVE_NETINET6_IN6_H -#include -#endif - -#ifdef HAVE_ARPA_INET_H -#include -#endif -#ifdef HAVE_NETDB_H -#include -#endif -#ifdef HAVE_ERRNO_H -#include -#endif -#ifdef HAVE_DLFCN_H -#include -#endif -#ifdef HAVE_UTIL_H -#include -#endif -#ifdef HAVE_LIBUTIL_H -#include -#endif -#include -#include -#include -#include -#include "crypto-headers.h" /* for des_read_pw_string */ - -#endif /* __KPASSWD_LOCL_H__ */ diff --git a/crypto/heimdal-0.6.3/kpasswd/kpasswdd.8 b/crypto/heimdal-0.6.3/kpasswd/kpasswdd.8 deleted file mode 100644 index 899b3a35c2..0000000000 --- a/crypto/heimdal-0.6.3/kpasswd/kpasswdd.8 +++ /dev/null 
@@ -1,88 +0,0 @@
-.\" $Id: kpasswdd.8,v 1.8 2003/02/04 21:48:01 lha Exp $
-.\"
-.Dd April 19, 1999
-.Dt KPASSWDD 8
-.Os HEIMDAL
-.Sh NAME
-.Nm kpasswdd
-.Nd Kerberos 5 password changing server
-.Sh SYNOPSIS
-.Nm
-.Op Fl -check-library= Ns Ar library
-.Op Fl -check-function= Ns Ar function
-.Oo Fl k Ar kspec \*(Ba Xo
-.Fl -keytab= Ns Ar kspec
-.Xc
-.Oc
-.Oo Fl r Ar realm \*(Ba Xo
-.Fl -realm= Ns Ar realm
-.Xc
-.Oc
-.Oo Fl p Ar string \*(Ba Xo
-.Fl -port= Ns Ar string
-.Xc
-.Oc
-.Op Fl -version
-.Op Fl -help
-.Sh DESCRIPTION
-.Nm
-serves request for password changes. It listens on UDP port 464
-(service kpasswd) and processes requests when they arrive. It changes
-the database directly and should thus only run on the master KDC.
-.Pp
-Supported options:
-.Bl -tag -width Ds
-.It Xo
-.Fl -check-library= Ns Ar library
-.Xc
-If your system has support for dynamic loading of shared libraries,
-you can use an external function to check password quality. This
-option specifies which library to load.
-.It Xo
-.Fl -check-function= Ns Ar function
-.Xc
-This is the function to call in the loaded library. The function
-should look like this:
-.Pp
-.Ft const char *
-.Fn passwd_check "krb5_context context" "krb5_principal principal" "krb5_data *password"
-.Pp
-.Fa context
-is an initialized context;
-.Fa principal
-is the one who tries to change passwords, and
-.Fa password
-is the new password. Note that the password (in
-.Fa password->data )
-is not zero terminated.
-.It Xo
-.Fl k Ar kspec ,
-.Fl -keytab= Ns Ar kspec
-.Xc
-Keytab to get authentication key from
-.It Xo
-.Fl r Ar realm ,
-.Fl -realm= Ns Ar realm
-.Xc
-Default realm
-.It Xo
-.Fl p Ar string ,
-.Fl -port= Ns Ar string
-.Xc
-Port to listen on (default service kpasswd - 464).
-.El
-.Sh DIAGNOSTICS
-If an error occurs, the error message is returned to the user and/or
-logged to syslog.
-.Sh BUGS
-The default password quality checks are too basic.
-.Sh SEE ALSO
-.Xr kpasswd 1 ,
-.Xr kdc 8
-.\".Sh ENVIRONMENT
-.\".Sh FILES
-.\".Sh EXAMPLES
-.\".Sh SEE ALSO
-.\".Sh STANDARDS
-.\".Sh HISTORY
-.\".Sh AUTHORS
diff --git a/crypto/heimdal-0.6.3/kpasswd/kpasswdd.c b/crypto/heimdal-0.6.3/kpasswd/kpasswdd.c
deleted file mode 100644
index 6b3373296f..0000000000
--- a/crypto/heimdal-0.6.3/kpasswd/kpasswdd.c
+++ /dev/null
@@ -1,612 +0,0 @@ -/* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "kpasswd_locl.h" -RCSID("$Id: kpasswdd.c,v 1.54 2002/12/02 14:31:52 joda Exp $"); - -#include -#ifdef HAVE_SYS_UN_H -#include -#endif -#include -#include - -static krb5_context context; -static krb5_log_facility *log_facility; - -static sig_atomic_t exit_flag = 0; - -static void -send_reply (int s, - struct sockaddr *sa, - int sa_size, - krb5_data *ap_rep, - krb5_data *rest) -{ - struct msghdr msghdr; - struct iovec iov[3]; - u_int16_t len, ap_rep_len; - u_char header[6]; - u_char *p; - - if (ap_rep) - ap_rep_len = ap_rep->length; - else - ap_rep_len = 0; - - len = 6 + ap_rep_len + rest->length; - p = header; - *p++ = (len >> 8) & 0xFF; - *p++ = (len >> 0) & 0xFF; - *p++ = 0; - *p++ = 1; - *p++ = (ap_rep_len >> 8) & 0xFF; - *p++ = (ap_rep_len >> 0) & 0xFF; - - memset (&msghdr, 0, sizeof(msghdr)); - msghdr.msg_name = (void *)sa; - msghdr.msg_namelen = sa_size; - msghdr.msg_iov = iov; - msghdr.msg_iovlen = sizeof(iov)/sizeof(*iov); -#if 0 - msghdr.msg_control = NULL; - msghdr.msg_controllen = 0; -#endif - - iov[0].iov_base = (char *)header; - iov[0].iov_len = 6; - if (ap_rep_len) { - iov[1].iov_base = ap_rep->data; - iov[1].iov_len = ap_rep->length; - } else { - iov[1].iov_base = NULL; - iov[1].iov_len = 0; - } - iov[2].iov_base = rest->data; - iov[2].iov_len = rest->length; - - if (sendmsg (s, &msghdr, 0) < 0) - krb5_warn (context, errno, "sendmsg"); -} - -static int -make_result (krb5_data *data, - u_int16_t result_code, - const char *expl) -{ - krb5_data_zero (data); - - data->length = asprintf ((char **)&data->data, - "%c%c%s", - (result_code >> 8) & 0xFF, - result_code & 0xFF, - expl); - - if (data->data == NULL) { - krb5_warnx (context, "Out of memory generating error reply"); - return 1; - } - return 0; -} - -static void -reply_error (krb5_principal server, - int s, - struct sockaddr *sa, - int sa_size, - krb5_error_code error_code, - u_int16_t result_code, - const char *expl) -{ - krb5_error_code ret; - krb5_data error_data; - krb5_data 
e_data; - - if (make_result(&e_data, result_code, expl)) - return; - - ret = krb5_mk_error (context, - error_code, - NULL, - &e_data, - NULL, - server, - NULL, - NULL, - &error_data); - krb5_data_free (&e_data); - if (ret) { - krb5_warn (context, ret, "Could not even generate error reply"); - return; - } - send_reply (s, sa, sa_size, NULL, &error_data); - krb5_data_free (&error_data); -} - -static void -reply_priv (krb5_auth_context auth_context, - int s, - struct sockaddr *sa, - int sa_size, - u_int16_t result_code, - const char *expl) -{ - krb5_error_code ret; - krb5_data krb_priv_data; - krb5_data ap_rep_data; - krb5_data e_data; - - ret = krb5_mk_rep (context, - auth_context, - &ap_rep_data); - if (ret) { - krb5_warn (context, ret, "Could not even generate error reply"); - return; - } - - if (make_result(&e_data, result_code, expl)) - return; - - ret = krb5_mk_priv (context, - auth_context, - &e_data, - &krb_priv_data, - NULL); - krb5_data_free (&e_data); - if (ret) { - krb5_warn (context, ret, "Could not even generate error reply"); - return; - } - send_reply (s, sa, sa_size, &ap_rep_data, &krb_priv_data); - krb5_data_free (&ap_rep_data); - krb5_data_free (&krb_priv_data); -} - -/* - * Change the password for `principal', sending the reply back on `s' - * (`sa', `sa_size') to `pwd_data'. 
- */ - -static void -change (krb5_auth_context auth_context, - krb5_principal principal, - int s, - struct sockaddr *sa, - int sa_size, - krb5_data *pwd_data) -{ - krb5_error_code ret; - char *client; - const char *pwd_reason; - kadm5_config_params conf; - void *kadm5_handle; - char *tmp; - - memset (&conf, 0, sizeof(conf)); - - krb5_unparse_name (context, principal, &client); - - ret = kadm5_init_with_password_ctx(context, - client, - NULL, - KADM5_ADMIN_SERVICE, - &conf, 0, 0, - &kadm5_handle); - if (ret) { - free (client); - krb5_warn (context, ret, "kadm5_init_with_password_ctx"); - reply_priv (auth_context, s, sa, sa_size, 2, - "Internal error"); - return; - } - - krb5_warnx (context, "Changing password for %s", client); - free (client); - - pwd_reason = kadm5_check_password_quality (context, principal, pwd_data); - if (pwd_reason != NULL ) { - krb5_warnx (context, "%s", pwd_reason); - reply_priv (auth_context, s, sa, sa_size, 4, pwd_reason); - kadm5_destroy (kadm5_handle); - return; - } - - tmp = malloc (pwd_data->length + 1); - if (tmp == NULL) { - krb5_warnx (context, "malloc: out of memory"); - reply_priv (auth_context, s, sa, sa_size, 2, - "Internal error"); - goto out; - } - memcpy (tmp, pwd_data->data, pwd_data->length); - tmp[pwd_data->length] = '\0'; - - ret = kadm5_s_chpass_principal_cond (kadm5_handle, principal, tmp); - memset (tmp, 0, pwd_data->length); - free (tmp); - if (ret) { - krb5_warn (context, ret, "kadm5_s_chpass_principal_cond"); - reply_priv (auth_context, s, sa, sa_size, 2, - "Internal error"); - goto out; - } - reply_priv (auth_context, s, sa, sa_size, 0, "Password changed"); -out: - kadm5_destroy (kadm5_handle); -} - -static int -verify (krb5_auth_context *auth_context, - krb5_principal server, - krb5_keytab keytab, - krb5_ticket **ticket, - krb5_data *out_data, - int s, - struct sockaddr *sa, - int sa_size, - u_char *msg, - size_t len) -{ - krb5_error_code ret; - u_int16_t pkt_len, pkt_ver, ap_req_len; - krb5_data ap_req_data; - 
krb5_data krb_priv_data; - - pkt_len = (msg[0] << 8) | (msg[1]); - pkt_ver = (msg[2] << 8) | (msg[3]); - ap_req_len = (msg[4] << 8) | (msg[5]); - if (pkt_len != len) { - krb5_warnx (context, "Strange len: %ld != %ld", - (long)pkt_len, (long)len); - reply_error (server, s, sa, sa_size, 0, 1, "Bad request"); - return 1; - } - if (pkt_ver != 0x0001) { - krb5_warnx (context, "Bad version (%d)", pkt_ver); - reply_error (server, s, sa, sa_size, 0, 1, "Wrong program version"); - return 1; - } - - ap_req_data.data = msg + 6; - ap_req_data.length = ap_req_len; - - ret = krb5_rd_req (context, - auth_context, - &ap_req_data, - server, - keytab, - NULL, - ticket); - if (ret) { - if(ret == KRB5_KT_NOTFOUND) { - char *name; - krb5_unparse_name(context, server, &name); - krb5_warnx (context, "krb5_rd_req: %s (%s)", - krb5_get_err_text(context, ret), name); - free(name); - } else - krb5_warn (context, ret, "krb5_rd_req"); - reply_error (server, s, sa, sa_size, ret, 3, "Authentication failed"); - return 1; - } - - if (!(*ticket)->ticket.flags.initial) { - krb5_warnx (context, "initial flag not set"); - reply_error (server, s, sa, sa_size, ret, 1, - "Bad request"); - goto out; - } - krb_priv_data.data = msg + 6 + ap_req_len; - krb_priv_data.length = len - 6 - ap_req_len; - - ret = krb5_rd_priv (context, - *auth_context, - &krb_priv_data, - out_data, - NULL); - - if (ret) { - krb5_warn (context, ret, "krb5_rd_priv"); - reply_error (server, s, sa, sa_size, ret, 3, "Bad request"); - goto out; - } - return 0; -out: - krb5_free_ticket (context, *ticket); - return 1; -} - -static void -process (krb5_principal server, - krb5_keytab keytab, - int s, - krb5_address *this_addr, - struct sockaddr *sa, - int sa_size, - u_char *msg, - int len) -{ - krb5_error_code ret; - krb5_auth_context auth_context = NULL; - krb5_data out_data; - krb5_ticket *ticket; - krb5_address other_addr; - - krb5_data_zero (&out_data); - - ret = krb5_auth_con_init (context, &auth_context); - if (ret) { - krb5_warn 
(context, ret, "krb5_auth_con_init"); - return; - } - - krb5_auth_con_setflags (context, auth_context, - KRB5_AUTH_CONTEXT_DO_SEQUENCE); - - ret = krb5_sockaddr2address (context, sa, &other_addr); - if (ret) { - krb5_warn (context, ret, "krb5_sockaddr2address"); - goto out; - } - - ret = krb5_auth_con_setaddrs (context, - auth_context, - this_addr, - &other_addr); - krb5_free_address (context, &other_addr); - if (ret) { - krb5_warn (context, ret, "krb5_auth_con_setaddr"); - goto out; - } - - if (verify (&auth_context, server, keytab, &ticket, &out_data, - s, sa, sa_size, msg, len) == 0) { - change (auth_context, - ticket->client, - s, - sa, sa_size, - &out_data); - memset (out_data.data, 0, out_data.length); - krb5_free_ticket (context, ticket); - free (ticket); - } - -out: - krb5_data_free (&out_data); - krb5_auth_con_free (context, auth_context); -} - -static int -doit (krb5_keytab keytab, int port) -{ - krb5_error_code ret; - krb5_principal server; - int *sockets; - int maxfd; - char *realm; - krb5_addresses addrs; - unsigned n, i; - fd_set real_fdset; - struct sockaddr_storage __ss; - struct sockaddr *sa = (struct sockaddr *)&__ss; - - ret = krb5_get_default_realm (context, &realm); - if (ret) - krb5_err (context, 1, ret, "krb5_get_default_realm"); - - ret = krb5_build_principal (context, - &server, - strlen(realm), - realm, - "kadmin", - "changepw", - NULL); - if (ret) - krb5_err (context, 1, ret, "krb5_build_principal"); - - free (realm); - - ret = krb5_get_all_server_addrs (context, &addrs); - if (ret) - krb5_err (context, 1, ret, "krb5_get_all_server_addrs"); - - n = addrs.len; - - sockets = malloc (n * sizeof(*sockets)); - if (sockets == NULL) - krb5_errx (context, 1, "out of memory"); - maxfd = -1; - FD_ZERO(&real_fdset); - for (i = 0; i < n; ++i) { - int sa_size = sizeof(__ss); - - krb5_addr2sockaddr (context, &addrs.val[i], sa, &sa_size, port); - - sockets[i] = socket (sa->sa_family, SOCK_DGRAM, 0); - if (sockets[i] < 0) - krb5_err (context, 1, errno, 
"socket"); - if (bind (sockets[i], sa, sa_size) < 0) { - char str[128]; - size_t len; - int save_errno = errno; - - ret = krb5_print_address (&addrs.val[i], str, sizeof(str), &len); - if (ret) - strlcpy(str, "unknown address", sizeof(str)); - krb5_warn (context, save_errno, "bind(%s)", str); - continue; - } - maxfd = max (maxfd, sockets[i]); - if (maxfd >= FD_SETSIZE) - krb5_errx (context, 1, "fd too large"); - FD_SET(sockets[i], &real_fdset); - } - if (maxfd == -1) - krb5_errx (context, 1, "No sockets!"); - - while(exit_flag == 0) { - int ret; - fd_set fdset = real_fdset; - - ret = select (maxfd + 1, &fdset, NULL, NULL, NULL); - if (ret < 0) { - if (errno == EINTR) - continue; - else - krb5_err (context, 1, errno, "select"); - } - for (i = 0; i < n; ++i) - if (FD_ISSET(sockets[i], &fdset)) { - u_char buf[BUFSIZ]; - socklen_t addrlen = sizeof(__ss); - - ret = recvfrom (sockets[i], buf, sizeof(buf), 0, - sa, &addrlen); - if (ret < 0) { - if(errno == EINTR) - break; - else - krb5_err (context, 1, errno, "recvfrom"); - } - - process (server, keytab, sockets[i], - &addrs.val[i], - sa, addrlen, - buf, ret); - } - } - krb5_free_addresses (context, &addrs); - krb5_free_principal (context, server); - krb5_free_context (context); - return 0; -} - -static RETSIGTYPE -sigterm(int sig) -{ - exit_flag = 1; -} - -const char *check_library = NULL; -const char *check_function = NULL; -char *keytab_str = "HDB:"; -char *realm_str; -int version_flag; -int help_flag; -char *port_str; - -struct getargs args[] = { -#ifdef HAVE_DLOPEN - { "check-library", 0, arg_string, &check_library, - "library to load password check function from", "library" }, - { "check-function", 0, arg_string, &check_function, - "password check function to load", "function" }, -#endif - { "keytab", 'k', arg_string, &keytab_str, - "keytab to get authentication key from", "kspec" }, - { "realm", 'r', arg_string, &realm_str, "default realm", "realm" }, - { "port", 'p', arg_string, &port_str, "port" }, - { "version", 
0, arg_flag, &version_flag }, - { "help", 0, arg_flag, &help_flag } -}; -int num_args = sizeof(args) / sizeof(args[0]); - -int -main (int argc, char **argv) -{ - int optind; - krb5_keytab keytab; - krb5_error_code ret; - int port; - - optind = krb5_program_setup(&context, argc, argv, args, num_args, NULL); - - if(help_flag) - krb5_std_usage(0, args, num_args); - if(version_flag) { - print_version(NULL); - exit(0); - } - - if(realm_str) - krb5_set_default_realm(context, realm_str); - - krb5_openlog (context, "kpasswdd", &log_facility); - krb5_set_warn_dest(context, log_facility); - - if (port_str != NULL) { - struct servent *s = roken_getservbyname (port_str, "udp"); - - if (s != NULL) - port = s->s_port; - else { - char *ptr; - - port = strtol (port_str, &ptr, 10); - if (port == 0 && ptr == port_str) - krb5_errx (context, 1, "bad port `%s'", port_str); - port = htons(port); - } - } else - port = krb5_getportbyname (context, "kpasswd", "udp", KPASSWD_PORT); - - ret = krb5_kt_register(context, &hdb_kt_ops); - if(ret) - krb5_err(context, 1, ret, "krb5_kt_register"); - - ret = krb5_kt_resolve(context, keytab_str, &keytab); - if(ret) - krb5_err(context, 1, ret, "%s", keytab_str); - - kadm5_setup_passwd_quality_check (context, check_library, check_function); - -#ifdef HAVE_SIGACTION - { - struct sigaction sa; - - sa.sa_flags = 0; - sa.sa_handler = sigterm; - sigemptyset(&sa.sa_mask); - - sigaction(SIGINT, &sa, NULL); - sigaction(SIGTERM, &sa, NULL); - } -#else - signal(SIGINT, sigterm); - signal(SIGTERM, sigterm); -#endif - - pidfile(NULL); - - return doit (keytab, port); -} diff --git a/crypto/heimdal-0.6.3/kpasswd/kpasswdd.cat8 b/crypto/heimdal-0.6.3/kpasswd/kpasswdd.cat8 deleted file mode 100644 index 55d12a2b30..0000000000 --- a/crypto/heimdal-0.6.3/kpasswd/kpasswdd.cat8 +++ /dev/null 
@@ -1,54 +0,0 @@ - -KPASSWDD(8) UNIX System Manager's Manual KPASSWDD(8) - -NNAAMMEE - kkppaasssswwdddd - Kerberos 5 password changing server - -SSYYNNOOPPSSIISS - kkppaasssswwdddd [----cchheecckk--lliibbrraarryy==_l_i_b_r_a_r_y] [----cchheecckk--ffuunnccttiioonn==_f_u_n_c_t_i_o_n] [--kk _k_s_p_e_c - | ----kkeeyyttaabb==_k_s_p_e_c] [--rr _r_e_a_l_m | ----rreeaallmm==_r_e_a_l_m] [--pp _s_t_r_i_n_g | ----ppoorrtt==_s_t_r_i_n_g] - [----vveerrssiioonn] [----hheellpp] - -DDEESSCCRRIIPPTTIIOONN - kkppaasssswwdddd serves request for password changes. It listens on UDP port 464 - (service kpasswd) and processes requests when they arrive. It changes the - database directly and should thus only run on the master KDC. - - Supported options: - - ----cchheecckk--lliibbrraarryy==_l_i_b_r_a_r_y - If your system has support for dynamic loading of shared li- - braries, you can use an external function to check password qual- - ity. This option specifies which library to load. - - ----cchheecckk--ffuunnccttiioonn==_f_u_n_c_t_i_o_n - This is the function to call in the loaded library. The function - should look like this: - - _c_o_n_s_t _c_h_a_r _* ppaasssswwdd__cchheecckk(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___p_r_i_n_c_i_p_a_l - _p_r_i_n_c_i_p_a_l, _k_r_b_5___d_a_t_a _*_p_a_s_s_w_o_r_d) - - _c_o_n_t_e_x_t is an initialized context; _p_r_i_n_c_i_p_a_l is the one who tries - to change passwords, and _p_a_s_s_w_o_r_d is the new password. Note that - the password (in _p_a_s_s_w_o_r_d_-_>_d_a_t_a) is not zero terminated. - - --kk _k_s_p_e_c, ----kkeeyyttaabb==_k_s_p_e_c - Keytab to get authentication key from - - --rr _r_e_a_l_m, ----rreeaallmm==_r_e_a_l_m - Default realm - - --pp _s_t_r_i_n_g, ----ppoorrtt==_s_t_r_i_n_g - Port to listen on (default service kpasswd - 464). - -DDIIAAGGNNOOSSTTIICCSS - If an error occurs, the error message is returned to the user and/or - logged to syslog. - -BBUUGGSS - The default password quality checks are too basic. 
- -SSEEEE AALLSSOO - kpasswd(1), kdc(8) - - HEIMDAL April 19, 1999 1
diff --git a/crypto/heimdal-0.6.3/krb5.conf b/crypto/heimdal-0.6.3/krb5.conf
deleted file mode 100644
index c9f4c44a5e..0000000000
--- a/crypto/heimdal-0.6.3/krb5.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-[libdefaults]
- default_realm = MY.REALM
- clockskew = 300
- v4_instance_resolve = false
- v4_name_convert = {
- host = {
- rcmd = host
- ftp = ftp
- }
- plain = {
- something = something-else
- }
- }
-
-[realms]
- MY.REALM = {
- kdc = MY.COMPUTER
- }
- OTHER.REALM = {
- v4_instance_convert = {
- kerberos = kerberos
- computer = computer.some.other.domain
- }
- }
-[domain_realm]
- .my.domain = MY.REALM
diff --git a/crypto/heimdal-0.6.3/kuser/Makefile.am b/crypto/heimdal-0.6.3/kuser/Makefile.am
deleted file mode 100644
index e33b948671..0000000000
--- a/crypto/heimdal-0.6.3/kuser/Makefile.am
+++ /dev/null
@@ -1,33 +0,0 @@
-# $Id: Makefile.am,v 1.31 2003/03/18 13:15:27 lha Exp $
-
-include $(top_srcdir)/Makefile.am.common
-
-INCLUDES += $(INCLUDE_krb4) $(INCLUDE_des) -I$(srcdir)/../lib/krb5
-
-man_MANS = kinit.1 klist.1 kdestroy.1 kgetcred.1
-
-bin_PROGRAMS = kinit klist kdestroy kgetcred
-
-noinst_PROGRAMS = kverify kdecode_ticket generate-requests
-
-kinit_LDADD = \
- $(LIB_kafs) \
- $(top_builddir)/lib/krb5/libkrb5.la \
- $(LIB_krb4) \
- $(LIB_des) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(LIB_roken)
-
-kdestroy_LDADD = $(kinit_LDADD)
-
-klist_LDADD = $(kinit_LDADD)
-
-LDADD = \
- $(top_builddir)/lib/krb5/libkrb5.la \
- $(LIB_des) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(LIB_roken)
-
-# make sure install-exec-hook doesn't have any commands in Makefile.am.common
-install-exec-hook:
- (cd $(DESTDIR)$(bindir) && rm -f kauth && $(LN_S) kinit kauth)
diff --git a/crypto/heimdal-0.6.3/kuser/Makefile.in b/crypto/heimdal-0.6.3/kuser/Makefile.in
deleted file mode 100644
index 01e24a6677..0000000000
--- a/crypto/heimdal-0.6.3/kuser/Makefile.in
+++ /dev/null
@@ -1,893 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.31 2003/03/18 13:15:27 lha Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - -SOURCES = generate-requests.c kdecode_ticket.c kdestroy.c kgetcred.c kinit.c klist.c kverify.c - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = .. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ - $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common -bin_PROGRAMS = kinit$(EXEEXT) klist$(EXEEXT) kdestroy$(EXEEXT) \ - kgetcred$(EXEEXT) -noinst_PROGRAMS = kverify$(EXEEXT) kdecode_ticket$(EXEEXT) \ - generate-requests$(EXEEXT) -subdir = kuser -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - 
$(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - $(top_srcdir)/cf/krb-struct-spwd.m4 \ - $(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)" -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -PROGRAMS = $(bin_PROGRAMS) $(noinst_PROGRAMS) -generate_requests_SOURCES = generate-requests.c -generate_requests_OBJECTS = generate-requests.$(OBJEXT) -generate_requests_LDADD = $(LDADD) -am__DEPENDENCIES_1 = -generate_requests_DEPENDENCIES = $(top_builddir)/lib/krb5/libkrb5.la \ - $(am__DEPENDENCIES_1) $(top_builddir)/lib/asn1/libasn1.la \ - $(am__DEPENDENCIES_1) -kdecode_ticket_SOURCES = kdecode_ticket.c -kdecode_ticket_OBJECTS = kdecode_ticket.$(OBJEXT) -kdecode_ticket_LDADD = $(LDADD) -kdecode_ticket_DEPENDENCIES = $(top_builddir)/lib/krb5/libkrb5.la \ - $(am__DEPENDENCIES_1) $(top_builddir)/lib/asn1/libasn1.la \ - $(am__DEPENDENCIES_1) -kdestroy_SOURCES = kdestroy.c -kdestroy_OBJECTS = kdestroy.$(OBJEXT) -am__DEPENDENCIES_2 = $(top_builddir)/lib/kafs/libkafs.la \ - $(am__DEPENDENCIES_1) -am__DEPENDENCIES_3 = $(am__DEPENDENCIES_2) \ - $(top_builddir)/lib/krb5/libkrb5.la $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) $(top_builddir)/lib/asn1/libasn1.la \ - $(am__DEPENDENCIES_1) -kdestroy_DEPENDENCIES = 
$(am__DEPENDENCIES_3) -kgetcred_SOURCES = kgetcred.c -kgetcred_OBJECTS = kgetcred.$(OBJEXT) -kgetcred_LDADD = $(LDADD) -kgetcred_DEPENDENCIES = $(top_builddir)/lib/krb5/libkrb5.la \ - $(am__DEPENDENCIES_1) $(top_builddir)/lib/asn1/libasn1.la \ - $(am__DEPENDENCIES_1) -kinit_SOURCES = kinit.c -kinit_OBJECTS = kinit.$(OBJEXT) -kinit_DEPENDENCIES = $(am__DEPENDENCIES_2) \ - $(top_builddir)/lib/krb5/libkrb5.la $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) $(top_builddir)/lib/asn1/libasn1.la \ - $(am__DEPENDENCIES_1) -klist_SOURCES = klist.c -klist_OBJECTS = klist.$(OBJEXT) -klist_DEPENDENCIES = $(am__DEPENDENCIES_3) -kverify_SOURCES = kverify.c -kverify_OBJECTS = kverify.$(OBJEXT) -kverify_LDADD = $(LDADD) -kverify_DEPENDENCIES = $(top_builddir)/lib/krb5/libkrb5.la \ - $(am__DEPENDENCIES_1) $(top_builddir)/lib/asn1/libasn1.la \ - $(am__DEPENDENCIES_1) -DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -SOURCES = generate-requests.c kdecode_ticket.c kdestroy.c kgetcred.c \ - kinit.c klist.c kverify.c -DIST_SOURCES = generate-requests.c kdecode_ticket.c kdestroy.c \ - kgetcred.c kinit.c klist.c kverify.c -man1dir = $(mandir)/man1 -MANS = $(man_MANS) -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = 
@AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = 
@LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = 
@PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ 
-program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) $(INCLUDE_des) -I$(srcdir)/../lib/krb5 -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -man_MANS = kinit.1 klist.1 kdestroy.1 kgetcred.1 -kinit_LDADD = \ - $(LIB_kafs) \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(LIB_krb4) \ - $(LIB_des) \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_roken) - -kdestroy_LDADD = $(kinit_LDADD) -klist_LDADD = $(kinit_LDADD) -LDADD = \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(LIB_des) \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_roken) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps kuser/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps kuser/Makefile 
-.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -install-binPROGRAMS: $(bin_PROGRAMS) - @$(NORMAL_INSTALL) - test -z "$(bindir)" || $(mkdir_p) "$(DESTDIR)$(bindir)" - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(bindir)/$$f'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(bindir)/$$f" || exit 1; \ - else :; fi; \ - done - -uninstall-binPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f '$(DESTDIR)$(bindir)/$$f'"; \ - rm -f "$(DESTDIR)$(bindir)/$$f"; \ - done - -clean-binPROGRAMS: - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done - -clean-noinstPROGRAMS: - @list='$(noinst_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done 
-generate-requests$(EXEEXT): $(generate_requests_OBJECTS) $(generate_requests_DEPENDENCIES) - @rm -f generate-requests$(EXEEXT) - $(LINK) $(generate_requests_LDFLAGS) $(generate_requests_OBJECTS) $(generate_requests_LDADD) $(LIBS) -kdecode_ticket$(EXEEXT): $(kdecode_ticket_OBJECTS) $(kdecode_ticket_DEPENDENCIES) - @rm -f kdecode_ticket$(EXEEXT) - $(LINK) $(kdecode_ticket_LDFLAGS) $(kdecode_ticket_OBJECTS) $(kdecode_ticket_LDADD) $(LIBS) -kdestroy$(EXEEXT): $(kdestroy_OBJECTS) $(kdestroy_DEPENDENCIES) - @rm -f kdestroy$(EXEEXT) - $(LINK) $(kdestroy_LDFLAGS) $(kdestroy_OBJECTS) $(kdestroy_LDADD) $(LIBS) -kgetcred$(EXEEXT): $(kgetcred_OBJECTS) $(kgetcred_DEPENDENCIES) - @rm -f kgetcred$(EXEEXT) - $(LINK) $(kgetcred_LDFLAGS) $(kgetcred_OBJECTS) $(kgetcred_LDADD) $(LIBS) -kinit$(EXEEXT): $(kinit_OBJECTS) $(kinit_DEPENDENCIES) - @rm -f kinit$(EXEEXT) - $(LINK) $(kinit_LDFLAGS) $(kinit_OBJECTS) $(kinit_LDADD) $(LIBS) -klist$(EXEEXT): $(klist_OBJECTS) $(klist_DEPENDENCIES) - @rm -f klist$(EXEEXT) - $(LINK) $(klist_LDFLAGS) $(klist_OBJECTS) $(klist_LDADD) $(LIBS) -kverify$(EXEEXT): $(kverify_OBJECTS) $(kverify_DEPENDENCIES) - @rm -f kverify$(EXEEXT) - $(LINK) $(kverify_LDFLAGS) $(kverify_OBJECTS) $(kverify_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c $< - -.c.obj: - $(COMPILE) -c `$(CYGPATH_W) '$<'` - -.c.lo: - $(LTCOMPILE) -c -o $@ $< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -install-man1: $(man1_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - test -z "$(man1dir)" || $(mkdir_p) "$(DESTDIR)$(man1dir)" - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; 
\ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 1*) ;; \ - *) ext='1' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man1dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man1dir)/$$inst"; \ - done -uninstall-man1: - @$(NORMAL_UNINSTALL) - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 1*) ;; \ - *) ext='1' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f '$(DESTDIR)$(man1dir)/$$inst'"; \ - rm -f "$(DESTDIR)$(man1dir)/$$inst"; \ - done - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do 
\ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/.. $(distdir)/../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) $(MANS) all-local -installdirs: - for dir in "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - 
-installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-binPROGRAMS clean-generic clean-libtool \ - clean-noinstPROGRAMS mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: install-man - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: install-binPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man1 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-binPROGRAMS uninstall-info-am uninstall-man - -uninstall-man: uninstall-man1 - -.PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \ - clean clean-binPROGRAMS clean-generic clean-libtool \ - clean-noinstPROGRAMS ctags distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-binPROGRAMS install-data install-data-am install-exec \ - install-exec-am install-info install-info-am install-man \ - install-man1 install-strip 
installcheck installcheck-am \ - installdirs maintainer-clean maintainer-clean-generic \ - mostlyclean mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool pdf pdf-am ps ps-am tags uninstall \ - uninstall-am uninstall-binPROGRAMS uninstall-info-am \ - uninstall-man uninstall-man1 - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case 
$$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -# make sure install-exec-hook doesn't have any commands in Makefile.am.common -install-exec-hook: - (cd $(DESTDIR)$(bindir) && rm -f kauth && $(LN_S) kinit kauth) -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: 
diff --git a/crypto/heimdal-0.6.3/kuser/generate-requests.c b/crypto/heimdal-0.6.3/kuser/generate-requests.c
deleted file mode 100644
index 993a8b04e1..0000000000
--- a/crypto/heimdal-0.6.3/kuser/generate-requests.c
+++ /dev/null
@@ -1,160 +0,0 @@ -/* - * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "kuser_locl.h" - -RCSID("$Id: generate-requests.c,v 1.4 2001/08/24 01:07:22 assar Exp $"); - -static krb5_error_code -null_key_proc (krb5_context context, - krb5_enctype type, - krb5_salt salt, - krb5_const_pointer keyseed, - krb5_keyblock **key) -{ - return ENOTTY; -} - -static unsigned -read_words (const char *filename, char ***ret_w) -{ - unsigned n, alloc; - FILE *f; - char buf[256]; - char **w = NULL; - - f = fopen (filename, "r"); - if (f == NULL) - err (1, "cannot open %s", filename); - alloc = n = 0; - while (fgets (buf, sizeof(buf), f) != NULL) { - if (buf[strlen (buf) - 1] == '\n') - buf[strlen (buf) - 1] = '\0'; - if (n >= alloc) { - alloc += 16; - w = erealloc (w, alloc * sizeof(char **)); - } - w[n++] = estrdup (buf); - } - *ret_w = w; - return n; -} - -static void -generate_requests (const char *filename, unsigned nreq) -{ - krb5_context context; - krb5_error_code ret; - krb5_creds cred; - int i; - char **words; - unsigned nwords; - - ret = krb5_init_context (&context); - if (ret) - errx (1, "krb5_init_context failed: %d", ret); - - nwords = read_words (filename, &words); - - for (i = 0; i < nreq; ++i) { - char *name = words[rand() % nwords]; - krb5_realm *client_realm; - - memset(&cred, 0, sizeof(cred)); - - ret = krb5_parse_name (context, name, &cred.client); - if (ret) - krb5_err (context, 1, ret, "krb5_parse_name %s", name); - client_realm = krb5_princ_realm (context, cred.client); - - ret = krb5_make_principal(context, &cred.server, *client_realm, - KRB5_TGS_NAME, *client_realm, NULL); - if (ret) - krb5_err (context, 1, ret, "krb5_make_principal"); - - ret = krb5_get_in_cred (context, 0, NULL, NULL, NULL, NULL, - null_key_proc, NULL, NULL, NULL, - &cred, NULL); - krb5_free_creds_contents (context, &cred); - } -} - -static int version_flag = 0; -static int help_flag = 0; - -static struct getargs args[] = { - { "version", 0, arg_flag, &version_flag }, - { "help", 0, arg_flag, &help_flag } -}; - -static void -usage (int ret) -{ - 
arg_printusage (args, - sizeof(args)/sizeof(*args), - NULL, - "file number"); - exit (ret); -} - -int -main(int argc, char **argv) -{ - int optind = 0; - int nreq; - char *end; - - setprogname(argv[0]); - if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind)) - usage(1); - - if (help_flag) - usage (0); - - if(version_flag) { - print_version(NULL); - exit(0); - } - - argc -= optind; - argv += optind; - - if (argc != 2) - usage (1); - srand (0); - nreq = strtol (argv[1], &end, 0); - if (argv[1] == end || *end != '\0') - usage (1); - generate_requests (argv[0], nreq); - return 0; -} diff --git a/crypto/heimdal-0.6.3/kuser/kauth_options.c b/crypto/heimdal-0.6.3/kuser/kauth_options.c deleted file mode 100644 index c432d32ac1..0000000000 --- a/crypto/heimdal-0.6.3/kuser/kauth_options.c +++ /dev/null 
@@ -1,40 +0,0 @@ -/* - * Copyright (c) 1998 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "kuser_locl.h" -RCSID("$Id: kauth_options.c,v 1.2 1999/12/02 17:05:00 joda Exp $"); - -#ifdef KRB4 -int do_afslog = 1; -int get_v4_tgt = 1; -#endif diff --git a/crypto/heimdal-0.6.3/kuser/kdecode_ticket.c b/crypto/heimdal-0.6.3/kuser/kdecode_ticket.c deleted file mode 100644 index 74ca5af88e..0000000000 
--- a/crypto/heimdal-0.6.3/kuser/kdecode_ticket.c
+++ /dev/null
@@ -1,162 +0,0 @@ -/* - * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "kuser_locl.h" - -RCSID("$Id: kdecode_ticket.c,v 1.5 2001/02/20 01:44:51 assar Exp $"); - -static char *etype_str; -static int version_flag; -static int help_flag; - -static void -print_and_decode_tkt (krb5_context context, - krb5_data *ticket, - krb5_principal server, - krb5_enctype enctype) -{ - krb5_error_code ret; - krb5_crypto crypto; - krb5_data dec_data; - size_t len; - EncTicketPart decr_part; - krb5_keyblock key; - Ticket tkt; - - ret = decode_Ticket (ticket->data, ticket->length, &tkt, &len); - if (ret) - krb5_err (context, 1, ret, "decode_Ticket"); - - ret = krb5_string_to_key (context, enctype, "foo", server, &key); - if (ret) - krb5_err (context, 1, ret, "krb5_string_to_key"); - - ret = krb5_crypto_init(context, &key, 0, &crypto); - if (ret) - krb5_err (context, 1, ret, "krb5_crypto_init"); - - ret = krb5_decrypt_EncryptedData (context, crypto, KRB5_KU_TICKET, - &tkt.enc_part, &dec_data); - krb5_crypto_destroy (context, crypto); - if (ret) - krb5_err (context, 1, ret, "krb5_decrypt_EncryptedData"); - ret = krb5_decode_EncTicketPart (context, dec_data.data, dec_data.length, - &decr_part, &len); - krb5_data_free (&dec_data); - if (ret) - krb5_err (context, 1, ret, "krb5_decode_EncTicketPart"); -} - -struct getargs args[] = { - { "enctype", 'e', arg_string, &etype_str, - "encryption type to use", "enctype"}, - { "version", 0, arg_flag, &version_flag }, - { "help", 0, arg_flag, &help_flag } -}; - -static void -usage (int ret) -{ - arg_printusage (args, - sizeof(args)/sizeof(*args), - NULL, - "service"); - exit (ret); -} - -int -main(int argc, char **argv) -{ - krb5_error_code ret; - krb5_context context; - krb5_ccache cache; - krb5_creds in, *out; - int optind = 0; - - setprogname (argv[0]); - - ret = krb5_init_context (&context); - if (ret) - errx(1, "krb5_init_context failed: %d", ret); - - if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind)) - usage(1); - - if (help_flag) - usage (0); - - if(version_flag) { - 
print_version(NULL); - exit(0); - } - - argc -= optind; - argv += optind; - - if (argc != 1) - usage (1); - - ret = krb5_cc_default(context, &cache); - if (ret) - krb5_err (context, 1, ret, "krb5_cc_default"); - - memset(&in, 0, sizeof(in)); - - if (etype_str) { - krb5_enctype enctype; - - ret = krb5_string_to_enctype(context, etype_str, &enctype); - if (ret) - krb5_errx (context, 1, "unrecognized enctype: %s", etype_str); - in.session.keytype = enctype; - } - - ret = krb5_cc_get_principal(context, cache, &in.client); - if (ret) - krb5_err (context, 1, ret, "krb5_cc_get_principal"); - - ret = krb5_parse_name(context, argv[0], &in.server); - if (ret) - krb5_err (context, 1, ret, "krb5_parse_name %s", argv[0]); - - in.times.endtime = 0; - ret = krb5_get_credentials(context, 0, cache, &in, &out); - if (ret) - krb5_err (context, 1, ret, "krb5_get_credentials"); - - print_and_decode_tkt (context, &out->ticket, out->server, - out->session.keytype); - - krb5_free_creds_contents(context, out); - return 0; -} diff --git a/crypto/heimdal-0.6.3/kuser/kdestroy.1 b/crypto/heimdal-0.6.3/kuser/kdestroy.1 deleted file mode 100644 index 8910e9a0dc..0000000000 --- a/crypto/heimdal-0.6.3/kuser/kdestroy.1 +++ /dev/null 
@@ -1,64 +0,0 @@ -.\" Copyright (c) 1997, 1999, 2001 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. 
-.\" -.\" $Id: kdestroy.1,v 1.4 2003/02/16 21:10:23 lha Exp $ -.\" -.Dd August 27, 1997 -.Dt KDESTROY 1 -.Os HEIMDAL -.Sh NAME -.Nm kdestroy -.Nd destroy the current ticket file -.Sh SYNOPSIS -.Nm -.Op Fl c Ar cachefile -.Op Fl -cache= Ns Ar cachefile -.Op Fl -no-unlog -.Op Fl -no-delete-v4 -.Op Fl -version -.Op Fl -help -.Sh DESCRIPTION -.Nm -remove the current set of tickets. -.Pp -Supported options: -.Bl -tag -width Ds -.It Fl c Ar cachefile -.It Fl cache= Ns Ar cachefile -The cache file to remove. -.It Fl -no-unlog -Do not remove AFS tokens. -.It Fl -no-delete-v4 -Do not remove v4 tickets. -.El -.Sh SEE ALSO -.Xr kinit 1 , -.Xr klist 1 diff --git a/crypto/heimdal-0.6.3/kuser/kdestroy.c b/crypto/heimdal-0.6.3/kuser/kdestroy.c deleted file mode 100644 index 4d232455c0..0000000000 --- a/crypto/heimdal-0.6.3/kuser/kdestroy.c +++ /dev/null 
@@ -1,130 +0,0 @@
-/*
- * Copyright (c) 1997 - 2000, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kuser_locl.h"
-RCSID("$Id: kdestroy.c,v 1.14.2.1 2003/05/08 18:59:17 lha Exp $");
-
-static const char *cache;
-static int help_flag;
-static int version_flag;
-static int unlog_flag = 1;
-static int dest_tkt_flag = 1;
-
-struct getargs args[] = {
- { "cache", 'c', arg_string, &cache, "cache to destroy", "cache" },
- { "unlog", 0, arg_negative_flag, &unlog_flag,
- "do not destroy tokens", NULL },
- { "delete-v4", 0, arg_negative_flag, &dest_tkt_flag,
- "do not destroy v4 tickets", NULL },
- { "version", 0, arg_flag, &version_flag, NULL, NULL },
- { "help", 'h', arg_flag, &help_flag, NULL, NULL}
-};
-
-int num_args = sizeof(args) / sizeof(args[0]);
-
-static void
-usage (int status)
-{
- arg_printusage (args, num_args, NULL, "");
- exit (status);
-}
-
-int
-main (int argc, char **argv)
-{
- krb5_error_code ret;
- krb5_context context;
- krb5_ccache ccache;
- int optind = 0;
- int exit_val = 0;
-
- setprogname (argv[0]);
-
- if(getarg(args, num_args, argc, argv, &optind))
- usage(1);
-
- if (help_flag)
- usage (0);
-
- if(version_flag){
- print_version(NULL);
- exit(0);
- }
-
- argc -= optind;
- argv += optind;
-
- if (argc != 0)
- usage (1);
-
- ret = krb5_init_context (&context);
- if (ret)
- errx (1, "krb5_init_context failed: %d", ret);
-
- if(cache == NULL) {
- cache = krb5_cc_default_name(context);
- if (cache == NULL) {
- warnx ("krb5_cc_default_name: %s", krb5_get_err_text(context, ret));
- exit(1);
- }
- }
-
- ret = krb5_cc_resolve(context,
- cache,
- &ccache);
-
- if (ret == 0) {
- ret = krb5_cc_destroy (context, ccache);
- if (ret) {
- warnx ("krb5_cc_destroy: %s", krb5_get_err_text(context, ret));
- exit_val = 1;
- }
- } else {
- warnx ("krb5_cc_resolve(%s): %s", cache,
- krb5_get_err_text(context, ret));
- exit_val = 1;
- }
-
- krb5_free_context (context);
-
-#if KRB4
- if(dest_tkt_flag && dest_tkt ())
- exit_val = 1;
-#endif
- if (unlog_flag && k_hasafs ()) {
- if (k_unlog ())
- exit_val = 1;
- }
-
- return exit_val;
-}
diff --git a/crypto/heimdal-0.6.3/kuser/kdestroy.cat1 b/crypto/heimdal-0.6.3/kuser/kdestroy.cat1 deleted file mode 100644 index 0949f9687b..0000000000 --- a/crypto/heimdal-0.6.3/kuser/kdestroy.cat1 +++ /dev/null @@ -1,30 +0,0 @@ - -KDESTROY(1) UNIX Reference Manual KDESTROY(1) - -NNAAMMEE - kkddeessttrrooyy - destroy the current ticket file - -SSYYNNOOPPSSIISS - kkddeessttrrooyy [--cc _c_a_c_h_e_f_i_l_e] [----ccaacchhee==_c_a_c_h_e_f_i_l_e] [----nnoo--uunnlloogg] [----nnoo--ddeelleettee--vv44] - [----vveerrssiioonn] [----hheellpp] - -DDEESSCCRRIIPPTTIIOONN - kkddeessttrrooyy remove the current set of tickets. - - Supported options: - - --cc _c_a_c_h_e_f_i_l_e - - --ccaacchhee==_c_a_c_h_e_f_i_l_e - The cache file to remove. - - ----nnoo--uunnlloogg - Do not remove AFS tokens. - - ----nnoo--ddeelleettee--vv44 - Do not remove v4 tickets. - -SSEEEE AALLSSOO - kinit(1), klist(1) - - HEIMDAL August 27, 1997 1 diff --git a/crypto/heimdal-0.6.3/kuser/kgetcred.1 b/crypto/heimdal-0.6.3/kuser/kgetcred.1 deleted file mode 100644 index f69e411167..0000000000 --- a/crypto/heimdal-0.6.3/kuser/kgetcred.1 +++ /dev/null 
@@ -1,72 +0,0 @@
-.\" Copyright (c) 1999, 2001 - 2002 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: kgetcred.1,v 1.6 2003/02/16 21:10:24 lha Exp $
-.\"
-.Dd May 14, 1999
-.Dt KGETCRED 1
-.Os HEIMDAL
-.Sh NAME
-.Nm kgetcred
-.Nd "get a ticket for a particular service"
-.Sh SYNOPSIS
-.Nm
-.Oo Fl e Ar enctype \*(Ba Xo
-.Fl -enctype= Ns Ar enctype
-.Xc
-.Oc
-.Op Fl -version
-.Op Fl -help
-.Ar service
-.Sh DESCRIPTION
-.Nm
-obtains a ticket for a service.
-Usually tickets for services are obtained automatically when needed
-but sometimes for some odd reason you want to obtain a particular
-ticket or of a special type.
-.Pp
-Supported options:
-.Bl -tag -width Ds
-.It Xo
-.Fl e Ar enctype ,
-.Fl -enctype= Ns Ar enctype
-.Xc
-encryption type to use
-.It Xo
-.Fl -version
-.Xc
-.It Xo
-.Fl -help
-.Xc
-.El
-.Sh SEE ALSO
-.Xr kinit 1 ,
-.Xr klist 1
diff --git a/crypto/heimdal-0.6.3/kuser/kgetcred.c b/crypto/heimdal-0.6.3/kuser/kgetcred.c
deleted file mode 100644
index 670745535d..0000000000
--- a/crypto/heimdal-0.6.3/kuser/kgetcred.c
+++ /dev/null
@@ -1,121 +0,0 @@
-/*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kuser_locl.h"
-
-RCSID("$Id: kgetcred.c,v 1.5 2001/02/20 01:44:51 assar Exp $");
-
-static char *etype_str;
-static int version_flag;
-static int help_flag;
-
-struct getargs args[] = {
- { "enctype", 'e', arg_string, &etype_str,
- "encryption type to use", "enctype"},
- { "version", 0, arg_flag, &version_flag },
- { "help", 0, arg_flag, &help_flag }
-};
-
-static void
-usage (int ret)
-{
- arg_printusage (args,
- sizeof(args)/sizeof(*args),
- NULL,
- "service");
- exit (ret);
-}
-
-int
-main(int argc, char **argv)
-{
- krb5_error_code ret;
- krb5_context context;
- krb5_ccache cache;
- krb5_creds in, *out;
- int optind = 0;
-
- setprogname (argv[0]);
-
- ret = krb5_init_context (&context);
- if (ret)
- errx(1, "krb5_init_context failed: %d", ret);
-
- if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
- usage(1);
-
- if (help_flag)
- usage (0);
-
- if(version_flag) {
- print_version(NULL);
- exit(0);
- }
-
- argc -= optind;
- argv += optind;
-
- if (argc != 1)
- usage (1);
-
- ret = krb5_cc_default(context, &cache);
- if (ret)
- krb5_err (context, 1, ret, "krb5_cc_default");
-
- memset(&in, 0, sizeof(in));
-
- if (etype_str) {
- krb5_enctype enctype;
-
- ret = krb5_string_to_enctype(context, etype_str, &enctype);
- if (ret)
- krb5_errx (context, 1, "unrecognized enctype: %s", etype_str);
- in.session.keytype = enctype;
- }
-
- ret = krb5_cc_get_principal(context, cache, &in.client);
- if (ret)
- krb5_err (context, 1, ret, "krb5_cc_get_principal");
-
- ret = krb5_parse_name(context, argv[0], &in.server);
- if (ret)
- krb5_err (context, 1, ret, "krb5_parse_name %s", argv[0]);
-
- in.times.endtime = 0;
- ret = krb5_get_credentials(context, 0, cache, &in, &out);
- if (ret)
- krb5_err (context, 1, ret, "krb5_get_credentials");
-
- krb5_free_creds_contents(context, out);
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/kuser/kgetcred.cat1 b/crypto/heimdal-0.6.3/kuser/kgetcred.cat1
deleted file mode 100644
index 63a6c983a7..0000000000
--- a/crypto/heimdal-0.6.3/kuser/kgetcred.cat1 +++ /dev/null @@ -1,27 +0,0 @@ - -KGETCRED(1) UNIX Reference Manual KGETCRED(1) - -NNAAMMEE - kkggeettccrreedd - get a ticket for a particular service - -SSYYNNOOPPSSIISS - kkggeettccrreedd [--ee _e_n_c_t_y_p_e | ----eennccttyyppee==_e_n_c_t_y_p_e] [----vveerrssiioonn] [----hheellpp] _s_e_r_v_i_c_e - -DDEESSCCRRIIPPTTIIOONN - kkggeettccrreedd obtains a ticket for a service. Usually tickets for services - are obtained automatically when needed but sometimes for some odd reason - you want to obtain a particular ticket or of a special type. - - Supported options: - - --ee _e_n_c_t_y_p_e, ----eennccttyyppee==_e_n_c_t_y_p_e - encryption type to use - - ----vveerrssiioonn - - ----hheellpp - -SSEEEE AALLSSOO - kinit(1), klist(1) - - HEIMDAL May 14, 1999 1 diff --git a/crypto/heimdal-0.6.3/kuser/kinit.1 b/crypto/heimdal-0.6.3/kuser/kinit.1 deleted file mode 100644 index 97ed2af62d..0000000000 --- a/crypto/heimdal-0.6.3/kuser/kinit.1 +++ /dev/null 
@@ -1,273 +0,0 @@
-.\" Copyright (c) 1998 - 2002 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: kinit.1,v 1.23 2003/04/06 17:49:05 lha Exp $
-.\"
-.Dd May 29, 1998
-.Dt KINIT 1
-.Os HEIMDAL
-.Sh NAME
-.Nm kinit
-.Nm kauth
-.Nd acquire initial tickets
-.Sh SYNOPSIS
-.Nm kinit
-.Op Fl 4 | Fl -524init
-.Op Fl 9 | Fl -524convert
-.Op Fl -afslog
-.Oo Fl c Ar cachename \*(Ba Xo
-.Fl -cache= Ns Ar cachename
-.Xc
-.Oc
-.Op Fl f | Fl -forwardable
-.Oo Fl t Ar keytabname \*(Ba Xo
-.Fl -keytab= Ns Ar keytabname
-.Xc
-.Oc
-.Oo Fl l Ar time \*(Ba Xo
-.Fl -lifetime= Ns Ar time
-.Xc
-.Oc
-.Op Fl p | Fl -proxiable
-.Op Fl R | Fl -renew
-.Op Fl -renewable
-.Oo Fl r Ar time \*(Ba Xo
-.Fl -renewable-life= Ns Ar time
-.Xc
-.Oc
-.Oo Fl S Ar principal \*(Ba Xo
-.Fl -server= Ns Ar principal
-.Xc
-.Oc
-.Oo Fl s Ar time \*(Ba Xo
-.Fl -start-time= Ns Ar time
-.Xc
-.Oc
-.Op Fl k | Fl -use-keytab
-.Op Fl v | Fl -validate
-.Oo Fl e Ar enctypes \*(Ba Xo
-.Fl -enctypes= Ns Ar enctypes
-.Xc
-.Oc
-.Oo Fl a Ar addresses \*(Ba Xo
-.Fl -extra-addresses= Ns Ar addresses
-.Xc
-.Oc
-.Op Fl -fcache-version= Ns Ar integer
-.Op Fl -no-addresses
-.Op Fl -anonymous
-.Op Fl -version
-.Op Fl -help
-.Op Ar principal Op Ar command
-.Sh DESCRIPTION
-.Nm
-is used to authenticate to the Kerberos server as
-.Ar principal ,
-or if none is given, a system generated default (typically your login
-name at the default realm), and acquire a ticket granting ticket that
-can later be used to obtain tickets for other services.
-.Pp
-If you have compiled
-.Nm kinit
-with Kerberos 4 support and you have a
-Kerberos 4 server,
-.Nm
-will detect this and get you Kerberos 4 tickets.
-.Pp
-Supported options:
-.Bl -tag -width Ds
-.It Xo
-.Fl c Ar cachename
-.Fl -cache= Ns Ar cachename
-.Xc
-The credentials cache to put the acquired ticket in, if other than
-default.
-.It Xo
-.Fl f ,
-.Fl -forwardable
-.Xc
-Get ticket that can be forwarded to another host.
-.It Xo
-.Fl t Ar keytabname ,
-.Fl -keytab= Ns Ar keytabname
-.Xc
-Don't ask for a password, but instead get the key from the specified
-keytab.
-.It Xo
-.Fl l Ar time ,
-.Fl -lifetime= Ns Ar time
-.Xc
-Specifies the lifetime of the ticket. The argument can either be in
-seconds, or a more human readable string like
-.Sq 1h .
-.It Xo
-.Fl p ,
-.Fl -proxiable
-.Xc
-Request tickets with the proxiable flag set.
-.It Xo
-.Fl R ,
-.Fl -renew
-.Xc
-Try to renew ticket. The ticket must have the
-.Sq renewable
-flag set, and must not be expired.
-.It Fl -renewable
-The same as
-.Fl -renewable-life ,
-with an infinite time.
-.It Xo
-.Fl r Ar time ,
-.Fl -renewable-life= Ns Ar time
-.Xc
-The max renewable ticket life.
-.It Xo
-.Fl S Ar principal ,
-.Fl -server= Ns Ar principal
-.Xc
-Get a ticket for a service other than krbtgt/LOCAL.REALM.
-.It Xo
-.Fl s Ar time ,
-.Fl -start-time= Ns Ar time
-.Xc
-Obtain a ticket that starts to be valid
-.Ar time
-(which can really be a generic time specification, like
-.Sq 1h )
-seconds into the future.
-.It Xo
-.Fl k ,
-.Fl -use-keytab
-.Xc
-The same as
-.Fl -keytab ,
-but with the default keytab name (normally
-.Ar FILE:/etc/krb5.keytab ) .
-.It Xo
-.Fl v ,
-.Fl -validate
-.Xc
-Try to validate an invalid ticket.
-.It Xo
-.Fl e ,
-.Fl -enctypes= Ns Ar enctypes
-.Xc
-Request tickets with this particular enctype.
-.It Xo
-.Fl -fcache-version= Ns Ar version
-.Xc
-Create a credentials cache of version
-.Nm version .
-.It Xo
-.Fl a ,
-.Fl -extra-addresses= Ns Ar enctypes
-.Xc
-Adds a set of addresses that will, in addition to the systems local
-addresses, be put in the ticket. This can be useful if all addresses a
-client can use can't be automatically figured out. One such example is
-if the client is behind a firewall. Also settable via
-.Li libdefaults/extra_addresses
-in
-.Xr krb5.conf 5 .
-.It Xo
-.Fl -no-addresses
-.Xc
-Request a ticket with no addresses.
-.It Xo
-.Fl -anonymous
-.Xc
-Request an anonymous ticket (which means that the ticket will be
-issued to an anonymous principal, typically
-.Dq anonymous@REALM ) .
-.El
-.Pp
-The following options are only available if
-.Nm
-has been compiled with support for Kerberos 4.
-.Bl -tag -width Ds
-.It Xo
-.Fl 4 ,
-.Fl -524init
-.Xc
-Try to convert the obtained Kerberos 5 krbtgt to a version 4
-compatible ticket. It will store this ticket in the default Kerberos 4
-ticket file.
-.It Xo
-.Fl 9 ,
-.Fl -524convert
-.Xc
-only convert ticket to version 4
-.It Fl -afslog
-Gets AFS tickets, converts them to version 4 format, and stores them
-in the kernel. Only useful if you have AFS.
-.El
-.Pp
-The
-.Ar forwardable ,
-.Ar proxiable ,
-.Ar ticket_life ,
-and
-.Ar renewable_life
-options can be set to a default value from the
-.Dv appdefaults
-section in krb5.conf, see
-.Xr krb5_appdefault 3 .
-.Pp
-If a
-.Ar command
-is given,
-.Nm kinit
-will setup new credentials caches, and AFS PAG, and then run the given
-command. When it finishes the credentials will be removed.
-.Sh ENVIRONMENT
-.Bl -tag -width Ds
-.It Ev KRB5CCNAME
-Specifies the default credentials cache.
-.It Ev KRB5_CONFIG
-The file name of
-.Pa krb5.conf
-, the default being
-.Pa /etc/krb5.conf .
-.It Ev KRBTKFILE
-Specifies the Kerberos 4 ticket file to store version 4 tickets in.
-.El
-.\".Sh FILES
-.\".Sh EXAMPLES
-.\".Sh DIAGNOSTICS
-.Sh SEE ALSO
-.Xr kdestroy 1 ,
-.Xr klist 1 ,
-.Xr krb5_appdefault 3 ,
-.Xr krb5.conf 5
-.\".Sh STANDARDS
-.\".Sh HISTORY
-.\".Sh AUTHORS
-.\".Sh BUGS
diff --git a/crypto/heimdal-0.6.3/kuser/kinit.c b/crypto/heimdal-0.6.3/kuser/kinit.c
deleted file mode 100644
index 4b8b24a38f..0000000000
--- a/crypto/heimdal-0.6.3/kuser/kinit.c
+++ /dev/null
@@ -1,711 +0,0 @@
-/*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "kuser_locl.h" -RCSID("$Id: kinit.c,v 1.90.4.5 2004/06/21 08:17:06 lha Exp $"); - -int forwardable_flag = -1; -int proxiable_flag = -1; -int renewable_flag = -1; -int renew_flag = 0; -int validate_flag = 0; -int version_flag = 0; -int help_flag = 0; -int addrs_flag = 1; -struct getarg_strings extra_addresses; -int anonymous_flag = 0; -char *lifetime = NULL; -char *renew_life = NULL; -char *server = NULL; -char *cred_cache = NULL; -char *start_str = NULL; -struct getarg_strings etype_str; -int use_keytab = 0; -char *keytab_str = NULL; -int do_afslog = -1; -#ifdef KRB4 -int get_v4_tgt = -1; -int convert_524; -#endif -int fcache_version; - -static struct getargs args[] = { -#ifdef KRB4 - { "524init", '4', arg_flag, &get_v4_tgt, - "obtain version 4 TGT" }, - - { "524convert", '9', arg_flag, &convert_524, - "only convert ticket to version 4" }, -#endif - { "afslog", 0 , arg_flag, &do_afslog, - "obtain afs tokens" }, - - { "cache", 'c', arg_string, &cred_cache, - "credentials cache", "cachename" }, - - { "forwardable", 'f', arg_flag, &forwardable_flag, - "get forwardable tickets"}, - - { "keytab", 't', arg_string, &keytab_str, - "keytab to use", "keytabname" }, - - { "lifetime", 'l', arg_string, &lifetime, - "lifetime of tickets", "time"}, - - { "proxiable", 'p', arg_flag, &proxiable_flag, - "get proxiable tickets" }, - - { "renew", 'R', arg_flag, &renew_flag, - "renew TGT" }, - - { "renewable", 0, arg_flag, &renewable_flag, - "get renewable tickets" }, - - { "renewable-life", 'r', arg_string, &renew_life, - "renewable lifetime of tickets", "time" }, - - { "server", 'S', arg_string, &server, - "server to get ticket for", "principal" }, - - { "start-time", 's', arg_string, &start_str, - "when ticket gets valid", "time" }, - - { "use-keytab", 'k', arg_flag, &use_keytab, - "get key from keytab" }, - - { "validate", 'v', arg_flag, &validate_flag, - "validate TGT" }, - - { "enctypes", 'e', arg_strings, &etype_str, - "encryption types to use", "enctypes" }, - 
- { "fcache-version", 0, arg_integer, &fcache_version, - "file cache version to create" }, - - { "addresses", 0, arg_negative_flag, &addrs_flag, - "request a ticket with no addresses" }, - - { "extra-addresses",'a', arg_strings, &extra_addresses, - "include these extra addresses", "addresses" }, - - { "anonymous", 0, arg_flag, &anonymous_flag, - "request an anonymous ticket" }, - - { "version", 0, arg_flag, &version_flag }, - { "help", 0, arg_flag, &help_flag } -}; - -static void -usage (int ret) -{ - arg_printusage (args, - sizeof(args)/sizeof(*args), - NULL, - "[principal [command]]"); - exit (ret); -} - -#ifdef KRB4 -/* for when the KDC tells us it's a v4 one, we try to talk that */ - -static int -key_to_key(const char *user, - char *instance, - const char *realm, - const void *arg, - des_cblock *key) -{ - memcpy(key, arg, sizeof(des_cblock)); - return 0; -} - -static int -do_v4_fallback (krb5_context context, - const krb5_principal principal, - int lifetime, - int use_srvtab, const char *srvtab_str, - const char *passwd) -{ - int ret; - krb_principal princ; - des_cblock key; - krb5_error_code kret; - - if (lifetime == 0) - lifetime = DEFAULT_TKT_LIFE; - else - lifetime = krb_time_to_life (0, lifetime); - - kret = krb5_524_conv_principal (context, principal, - princ.name, - princ.instance, - princ.realm); - if (kret) { - krb5_warn (context, kret, "krb5_524_conv_principal"); - return 1; - } - - if (use_srvtab || srvtab_str) { - if (srvtab_str == NULL) - srvtab_str = KEYFILE; - - ret = read_service_key (princ.name, princ.instance, princ.realm, - 0, srvtab_str, (char *)&key); - if (ret) { - warnx ("read_service_key %s: %s", srvtab_str, - krb_get_err_text (ret)); - return 1; - } - ret = krb_get_in_tkt (princ.name, princ.instance, princ.realm, - KRB_TICKET_GRANTING_TICKET, princ.realm, - lifetime, key_to_key, NULL, key); - } else { - ret = krb_get_pw_in_tkt(princ.name, princ.instance, princ.realm, - KRB_TICKET_GRANTING_TICKET, princ.realm, - lifetime, passwd); - } - 
memset (key, 0, sizeof(key)); - if (ret) { - warnx ("%s", krb_get_err_text(ret)); - return 1; - } - if (do_afslog && k_hasafs()) { - if ((ret = krb_afslog(NULL, NULL)) != 0 && ret != KDC_PR_UNKNOWN) { - if(ret > 0) - warnx ("%s", krb_get_err_text(ret)); - else - warnx ("failed to store AFS token"); - } - } - return 0; -} - - -/* - * the special version of get_default_principal that takes v4 into account - */ - -static krb5_error_code -kinit_get_default_principal (krb5_context context, - krb5_principal *princ) -{ - krb5_error_code ret; - krb5_ccache id; - krb_principal v4_princ; - int kret; - - ret = krb5_cc_default (context, &id); - if (ret == 0) { - ret = krb5_cc_get_principal (context, id, princ); - krb5_cc_close (context, id); - if (ret == 0) - return 0; - } - - kret = krb_get_tf_fullname (tkt_string(), - v4_princ.name, - v4_princ.instance, - v4_princ.realm); - if (kret == KSUCCESS) { - ret = krb5_425_conv_principal (context, - v4_princ.name, - v4_princ.instance, - v4_princ.realm, - princ); - if (ret == 0) - return 0; - } - return krb5_get_default_principal (context, princ); -} - -#else /* !KRB4 */ - -static krb5_error_code -kinit_get_default_principal (krb5_context context, - krb5_principal *princ) -{ - return krb5_get_default_principal (context, princ); -} - -#endif /* !KRB4 */ - -static krb5_error_code -get_server(krb5_context context, - krb5_principal client, - const char *server, - krb5_principal *princ) -{ - krb5_realm *client_realm; - if(server) - return krb5_parse_name(context, server, princ); - - client_realm = krb5_princ_realm (context, client); - return krb5_make_principal(context, princ, *client_realm, - KRB5_TGS_NAME, *client_realm, NULL); -} - -#ifdef KRB4 -static krb5_error_code -do_524init(krb5_context context, krb5_ccache ccache, - krb5_creds *creds, const char *server) -{ - krb5_error_code ret; - CREDENTIALS c; - krb5_creds in_creds, *real_creds; - - if(creds != NULL) - real_creds = creds; - else { - krb5_principal client; - 
krb5_cc_get_principal(context, ccache, &client); - memset(&in_creds, 0, sizeof(in_creds)); - ret = get_server(context, client, server, &in_creds.server); - if(ret) { - krb5_free_principal(context, client); - return ret; - } - in_creds.client = client; - ret = krb5_get_credentials(context, 0, ccache, &in_creds, &real_creds); - krb5_free_principal(context, client); - krb5_free_principal(context, in_creds.server); - if(ret) - return ret; - } - ret = krb524_convert_creds_kdc_ccache(context, ccache, real_creds, &c); - if(ret) - krb5_warn(context, ret, "converting creds"); - else { - int tret = tf_setup(&c, c.pname, c.pinst); - if(tret) - krb5_warnx(context, "saving v4 creds: %s", krb_get_err_text(tret)); - } - - if(creds == NULL) - krb5_free_creds(context, real_creds); - memset(&c, 0, sizeof(c)); - - return ret; -} -#endif - -static int -renew_validate(krb5_context context, - int renew, - int validate, - krb5_ccache cache, - const char *server, - krb5_deltat life) -{ - krb5_error_code ret; - krb5_creds in, *out; - krb5_kdc_flags flags; - - memset(&in, 0, sizeof(in)); - - ret = krb5_cc_get_principal(context, cache, &in.client); - if(ret) { - krb5_warn(context, ret, "krb5_cc_get_principal"); - return ret; - } - ret = get_server(context, in.client, server, &in.server); - if(ret) { - krb5_warn(context, ret, "get_server"); - goto out; - } - flags.i = 0; - flags.b.renewable = flags.b.renew = renew; - flags.b.validate = validate; - if (forwardable_flag != -1) - flags.b.forwardable = forwardable_flag; - if (proxiable_flag != -1) - flags.b.proxiable = proxiable_flag; - if (anonymous_flag != -1) - flags.b.request_anonymous = anonymous_flag; - if(life) - in.times.endtime = time(NULL) + life; - - ret = krb5_get_kdc_cred(context, - cache, - flags, - NULL, - NULL, - &in, - &out); - if(ret) { - krb5_warn(context, ret, "krb5_get_kdc_cred"); - goto out; - } - ret = krb5_cc_initialize(context, cache, in.client); - if(ret) { - krb5_free_creds (context, out); - krb5_warn(context, ret, 
"krb5_cc_initialize"); - goto out; - } - ret = krb5_cc_store_cred(context, cache, out); - - if(ret == 0 && server == NULL) { -#ifdef KRB4 - /* only do this if it's a general renew-my-tgt request */ - if(get_v4_tgt) - do_524init(context, cache, out, NULL); -#endif - if(do_afslog && k_hasafs()) - krb5_afslog(context, cache, NULL, NULL); - } - - krb5_free_creds (context, out); - if(ret) { - krb5_warn(context, ret, "krb5_cc_store_cred"); - goto out; - } -out: - krb5_free_creds_contents(context, &in); - return ret; -} - -static krb5_error_code -get_new_tickets(krb5_context context, - krb5_principal principal, - krb5_ccache ccache, - krb5_deltat ticket_life) -{ - krb5_error_code ret; - krb5_get_init_creds_opt opt; - krb5_addresses no_addrs; - krb5_creds cred; - char passwd[256]; - krb5_deltat start_time = 0; - krb5_deltat renew = 0; - - memset(&cred, 0, sizeof(cred)); - - krb5_get_init_creds_opt_init (&opt); - - krb5_get_init_creds_opt_set_default_flags(context, "kinit", - /* XXX */principal->realm, &opt); - - if(forwardable_flag != -1) - krb5_get_init_creds_opt_set_forwardable (&opt, forwardable_flag); - if(proxiable_flag != -1) - krb5_get_init_creds_opt_set_proxiable (&opt, proxiable_flag); - if(anonymous_flag != -1) - krb5_get_init_creds_opt_set_anonymous (&opt, anonymous_flag); - - if (!addrs_flag) { - no_addrs.len = 0; - no_addrs.val = NULL; - - krb5_get_init_creds_opt_set_address_list (&opt, &no_addrs); - } - - if (renew_life == NULL && renewable_flag) - renew_life = "1 month"; - if(renew_life) { - renew = parse_time (renew_life, "s"); - if (renew < 0) - errx (1, "unparsable time: %s", renew_life); - - krb5_get_init_creds_opt_set_renew_life (&opt, renew); - } - - if(ticket_life != 0) - krb5_get_init_creds_opt_set_tkt_life (&opt, ticket_life); - - if(start_str) { - int tmp = parse_time (start_str, "s"); - if (tmp < 0) - errx (1, "unparsable time: %s", start_str); - - start_time = tmp; - } - - if(etype_str.num_strings) { - krb5_enctype *enctype = NULL; - int i; - 
enctype = malloc(etype_str.num_strings * sizeof(*enctype)); - if(enctype == NULL) - errx(1, "out of memory"); - for(i = 0; i < etype_str.num_strings; i++) { - ret = krb5_string_to_enctype(context, - etype_str.strings[i], - &enctype[i]); - if(ret) - errx(1, "unrecognized enctype: %s", etype_str.strings[i]); - } - krb5_get_init_creds_opt_set_etype_list(&opt, enctype, - etype_str.num_strings); - } - - if(use_keytab || keytab_str) { - krb5_keytab kt; - if(keytab_str) - ret = krb5_kt_resolve(context, keytab_str, &kt); - else - ret = krb5_kt_default(context, &kt); - if (ret) - krb5_err (context, 1, ret, "resolving keytab"); - ret = krb5_get_init_creds_keytab (context, - &cred, - principal, - kt, - start_time, - server, - &opt); - krb5_kt_close(context, kt); - } else { - char *p, *prompt; - - krb5_unparse_name (context, principal, &p); - asprintf (&prompt, "%s's Password: ", p); - free (p); - - if (des_read_pw_string(passwd, sizeof(passwd)-1, prompt, 0)){ - memset(passwd, 0, sizeof(passwd)); - exit(1); - } - - free (prompt); - - ret = krb5_get_init_creds_password (context, - &cred, - principal, - passwd, - krb5_prompter_posix, - NULL, - start_time, - server, - &opt); - } -#ifdef KRB4 - if (ret == KRB5KRB_AP_ERR_V4_REPLY || ret == KRB5_KDC_UNREACH) { - int exit_val; - - exit_val = do_v4_fallback (context, principal, ticket_life, - use_keytab, keytab_str, passwd); - get_v4_tgt = 0; - do_afslog = 0; - memset(passwd, 0, sizeof(passwd)); - if (exit_val == 0 || ret == KRB5KRB_AP_ERR_V4_REPLY) - return exit_val; - } -#endif - memset(passwd, 0, sizeof(passwd)); - - switch(ret){ - case 0: - break; - case KRB5_LIBOS_PWDINTR: /* don't print anything if it was just C-c:ed */ - exit(1); - case KRB5KRB_AP_ERR_BAD_INTEGRITY: - case KRB5KRB_AP_ERR_MODIFIED: - krb5_errx(context, 1, "Password incorrect"); - break; - default: - krb5_err(context, 1, ret, "krb5_get_init_creds"); - } - - if(ticket_life != 0) { - if(abs(cred.times.endtime - cred.times.starttime - ticket_life) > 30) { - char 
life[32]; - unparse_time(cred.times.endtime - cred.times.starttime, - life, sizeof(life)); - krb5_warnx(context, "NOTICE: ticket lifetime is %s", life); - } - } - if(renew != 0) { - if(abs(cred.times.renew_till - cred.times.starttime - renew) > 30) { - char life[32]; - unparse_time(cred.times.renew_till - cred.times.starttime, - life, sizeof(life)); - krb5_warnx(context, "NOTICE: ticket renewable lifetime is %s", - life); - } - } - - ret = krb5_cc_initialize (context, ccache, cred.client); - if (ret) - krb5_err (context, 1, ret, "krb5_cc_initialize"); - - ret = krb5_cc_store_cred (context, ccache, &cred); - if (ret) - krb5_err (context, 1, ret, "krb5_cc_store_cred"); - - krb5_free_creds_contents (context, &cred); - - return 0; -} - -int -main (int argc, char **argv) -{ - krb5_error_code ret; - krb5_context context; - krb5_ccache ccache; - krb5_principal principal; - int optind = 0; - krb5_deltat ticket_life = 0; - - setprogname (argv[0]); - - ret = krb5_init_context (&context); - if (ret) - errx(1, "krb5_init_context failed: %d", ret); - - if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind)) - usage(1); - - if (help_flag) - usage (0); - - if(version_flag) { - print_version(NULL); - exit(0); - } - - argc -= optind; - argv += optind; - - if (argv[0]) { - ret = krb5_parse_name (context, argv[0], &principal); - if (ret) - krb5_err (context, 1, ret, "krb5_parse_name"); - } else { - ret = kinit_get_default_principal (context, &principal); - if (ret) - krb5_err (context, 1, ret, "krb5_get_default_principal"); - } - - if(fcache_version) - krb5_set_fcache_version(context, fcache_version); - - if(cred_cache) - ret = krb5_cc_resolve(context, cred_cache, &ccache); - else { - if(argc > 1) { - char s[1024]; - ret = krb5_cc_gen_new(context, &krb5_fcc_ops, &ccache); - if(ret) - krb5_err(context, 1, ret, "creating cred cache"); - snprintf(s, sizeof(s), "%s:%s", - krb5_cc_get_type(context, ccache), - krb5_cc_get_name(context, ccache)); - setenv("KRB5CCNAME", s, 1); 
-#ifdef KRB4 - { - int fd; - snprintf(s, sizeof(s), "%s_XXXXXX", TKT_ROOT); - if((fd = mkstemp(s)) >= 0) { - close(fd); - setenv("KRBTKFILE", s, 1); - } - } -#endif - } else - ret = krb5_cc_default (context, &ccache); - } - if (ret) - krb5_err (context, 1, ret, "resolving credentials cache"); - - if (argc > 1 && k_hasafs ()) - k_setpag(); - - if (lifetime) { - int tmp = parse_time (lifetime, "s"); - if (tmp < 0) - errx (1, "unparsable time: %s", lifetime); - - ticket_life = tmp; - } -#ifdef KRB4 - if(get_v4_tgt == -1) - krb5_appdefault_boolean(context, "kinit", - krb5_principal_get_realm(context, principal), - "krb4_get_tickets", TRUE, &get_v4_tgt); -#endif - if(do_afslog == -1) - krb5_appdefault_boolean(context, "kinit", - krb5_principal_get_realm(context, principal), - "afslog", TRUE, &do_afslog); - - if(!addrs_flag && extra_addresses.num_strings > 0) - krb5_errx(context, 1, "specifying both extra addresses and " - "no addresses makes no sense"); - { - int i; - krb5_addresses addresses; - memset(&addresses, 0, sizeof(addresses)); - for(i = 0; i < extra_addresses.num_strings; i++) { - ret = krb5_parse_address(context, extra_addresses.strings[i], - &addresses); - if (ret == 0) { - krb5_add_extra_addresses(context, &addresses); - krb5_free_addresses(context, &addresses); - } - } - free_getarg_strings(&extra_addresses); - } - - - if(renew_flag || validate_flag) { - ret = renew_validate(context, renew_flag, validate_flag, - ccache, server, ticket_life); - exit(ret != 0); - } - -#ifdef KRB4 - if(!convert_524) -#endif - get_new_tickets(context, principal, ccache, ticket_life); - -#ifdef KRB4 - if(get_v4_tgt) - do_524init(context, ccache, NULL, server); -#endif - if(do_afslog && k_hasafs()) - krb5_afslog(context, ccache, NULL, NULL); - if(argc > 1) { - ret = simple_execvp(argv[1], argv+1); - krb5_cc_destroy(context, ccache); -#ifdef KRB4 - dest_tkt(); -#endif - if(k_hasafs()) - k_unlog(); - } else { - krb5_cc_close (context, ccache); - ret = 0; - } - 
krb5_free_principal(context, principal);
- krb5_free_context (context);
- return ret;
-}
diff --git a/crypto/heimdal-0.6.3/kuser/kinit.cat1 b/crypto/heimdal-0.6.3/kuser/kinit.cat1
deleted file mode 100644
index 147cd3b943..0000000000
--- a/crypto/heimdal-0.6.3/kuser/kinit.cat1
+++ /dev/null
@@ -1,129 +0,0 @@ - -KINIT(1) UNIX Reference Manual KINIT(1) - -NNAAMMEE - kkiinniitt kkaauutthh - acquire initial tickets - -SSYYNNOOPPSSIISS - kkiinniitt [--44 | ----552244iinniitt] [--99 | ----552244ccoonnvveerrtt] [----aaffsslloogg] [--cc _c_a_c_h_e_n_a_m_e | - ----ccaacchhee==_c_a_c_h_e_n_a_m_e] [--ff | ----ffoorrwwaarrddaabbllee] [--tt _k_e_y_t_a_b_n_a_m_e | - ----kkeeyyttaabb==_k_e_y_t_a_b_n_a_m_e] [--ll _t_i_m_e | ----lliiffeettiimmee==_t_i_m_e] [--pp | ----pprrooxxiiaabbllee] - [--RR | ----rreenneeww] [----rreenneewwaabbllee] [--rr _t_i_m_e | ----rreenneewwaabbllee--lliiffee==_t_i_m_e] [--SS - _p_r_i_n_c_i_p_a_l | ----sseerrvveerr==_p_r_i_n_c_i_p_a_l] [--ss _t_i_m_e | ----ssttaarrtt--ttiimmee==_t_i_m_e] [--kk | - ----uussee--kkeeyyttaabb] [--vv | ----vvaalliiddaattee] [--ee _e_n_c_t_y_p_e_s | ----eennccttyyppeess==_e_n_c_t_y_p_e_s] - [--aa _a_d_d_r_e_s_s_e_s | ----eexxttrraa--aaddddrreesssseess==_a_d_d_r_e_s_s_e_s] - [----ffccaacchhee--vveerrssiioonn==_i_n_t_e_g_e_r] [----nnoo--aaddddrreesssseess] [----aannoonnyymmoouuss] - [----vveerrssiioonn] [----hheellpp] [_p_r_i_n_c_i_p_a_l [_c_o_m_m_a_n_d]] - -DDEESSCCRRIIPPTTIIOONN - kkiinniitt is used to authenticate to the Kerberos server as _p_r_i_n_c_i_p_a_l, or if - none is given, a system generated default (typically your login name at - the default realm), and acquire a ticket granting ticket that can later - be used to obtain tickets for other services. - - If you have compiled kkiinniitt with Kerberos 4 support and you have a Ker- - beros 4 server, kkiinniitt will detect this and get you Kerberos 4 tickets. - - Supported options: - - --cc _c_a_c_h_e_n_a_m_e ----ccaacchhee==_c_a_c_h_e_n_a_m_e - The credentials cache to put the acquired ticket in, if other - than default. - - --ff, ----ffoorrwwaarrddaabbllee - Get ticket that can be forwarded to another host. - - --tt _k_e_y_t_a_b_n_a_m_e, ----kkeeyyttaabb==_k_e_y_t_a_b_n_a_m_e - Don't ask for a password, but instead get the key from the speci- - fied keytab. 
- - --ll _t_i_m_e, ----lliiffeettiimmee==_t_i_m_e - Specifies the lifetime of the ticket. The argument can either be - in seconds, or a more human readable string like `1h'. - - --pp, ----pprrooxxiiaabbllee - Request tickets with the proxiable flag set. - - --RR, ----rreenneeww - Try to renew ticket. The ticket must have the `renewable' flag - set, and must not be expired. - - ----rreenneewwaabbllee - The same as ----rreenneewwaabbllee--lliiffee, with an infinite time. - - --rr _t_i_m_e, ----rreenneewwaabbllee--lliiffee==_t_i_m_e - The max renewable ticket life. - - --SS _p_r_i_n_c_i_p_a_l, ----sseerrvveerr==_p_r_i_n_c_i_p_a_l - Get a ticket for a service other than krbtgt/LOCAL.REALM. - - --ss _t_i_m_e, ----ssttaarrtt--ttiimmee==_t_i_m_e - Obtain a ticket that starts to be valid _t_i_m_e (which can really be - a generic time specification, like `1h') seconds into the future. - - --kk, ----uussee--kkeeyyttaabb - The same as ----kkeeyyttaabb, but with the default keytab name (normally - - _F_I_L_E_:_/_e_t_c_/_k_r_b_5_._k_e_y_t_a_b). - - --vv, ----vvaalliiddaattee - Try to validate an invalid ticket. - - --ee, ----eennccttyyppeess==_e_n_c_t_y_p_e_s - Request tickets with this particular enctype. - - ----ffccaacchhee--vveerrssiioonn==_v_e_r_s_i_o_n - Create a credentials cache of version vveerrssiioonn. - - --aa, ----eexxttrraa--aaddddrreesssseess==_e_n_c_t_y_p_e_s - Adds a set of addresses that will, in addition to the systems lo- - cal addresses, be put in the ticket. This can be useful if all - addresses a client can use can't be automatically figured out. - One such example is if the client is behind a firewall. Also set- - table via libdefaults/extra_addresses in krb5.conf(5). - - ----nnoo--aaddddrreesssseess - Request a ticket with no addresses. - - ----aannoonnyymmoouuss - Request an anonymous ticket (which means that the ticket will be - issued to an anonymous principal, typically ``anonymous@REALM''). 
- - The following options are only available if kkiinniitt has been compiled with - support for Kerberos 4. - - --44, ----552244iinniitt - Try to convert the obtained Kerberos 5 krbtgt to a version 4 com- - patible ticket. It will store this ticket in the default Kerberos - 4 ticket file. - - --99, ----552244ccoonnvveerrtt - only convert ticket to version 4 - - ----aaffsslloogg - Gets AFS tickets, converts them to version 4 format, and stores - them in the kernel. Only useful if you have AFS. - - The _f_o_r_w_a_r_d_a_b_l_e, _p_r_o_x_i_a_b_l_e, _t_i_c_k_e_t___l_i_f_e, and _r_e_n_e_w_a_b_l_e___l_i_f_e options can - be set to a default value from the appdefaults section in krb5.conf, see - krb5_appdefault(3). - - If a _c_o_m_m_a_n_d is given, kkiinniitt will setup new credentials caches, and AFS - PAG, and then run the given command. When it finishes the credentials - will be removed. - -EENNVVIIRROONNMMEENNTT - KRB5CCNAME - Specifies the default credentials cache. - - KRB5_CONFIG - The file name of _k_r_b_5_._c_o_n_f , the default being _/_e_t_c_/_k_r_b_5_._c_o_n_f. - - KRBTKFILE - Specifies the Kerberos 4 ticket file to store version 4 tickets - in. - -SSEEEE AALLSSOO - kdestroy(1), klist(1), krb5_appdefault(3), krb5.conf(5) - - HEIMDAL May 29, 1998 2 diff --git a/crypto/heimdal-0.6.3/kuser/kinit_options.c b/crypto/heimdal-0.6.3/kuser/kinit_options.c deleted file mode 100644 index 5a7dcd9875..0000000000 --- a/crypto/heimdal-0.6.3/kuser/kinit_options.c +++ /dev/null 
@@ -1,40 +0,0 @@
-/*
- * Copyright (c) 1998 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kuser_locl.h"
-RCSID("$Id: kinit_options.c,v 1.2 1999/12/02 17:05:01 joda Exp $");
-
-#ifdef KRB4
-int do_afslog = 0;
-int get_v4_tgt = 0;
-#endif
diff --git a/crypto/heimdal-0.6.3/kuser/klist.1 b/crypto/heimdal-0.6.3/kuser/klist.1
deleted file mode 100644
index a144365993..0000000000
--- a/crypto/heimdal-0.6.3/kuser/klist.1
+++ /dev/null
@@ -1,150 +0,0 @@
-.\" Copyright (c) 2000 - 2002 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\" -.\" $Id: klist.1,v 1.12 2003/02/16 21:10:26 lha Exp $ -.\" -.Dd July 8, 2000 -.Dt KLIST 1 -.Os HEIMDAL -.Sh NAME -.Nm klist -.Nd list Kerberos credentials -.Sh SYNOPSIS -.Nm -.Oo Fl c Ar cache \*(Ba Xo -.Fl -cache= Ns Ar cache -.Xc -.Oc -.Op Fl s | Fl t | Fl -test -.Op Fl 4 | Fl -v4 -.Op Fl T | Fl -tokens -.Op Fl 5 | Fl -v5 -.Op Fl v | Fl -verbose -.Op Fl f -.Op Fl -version -.Op Fl -help -.Sh DESCRIPTION -.Nm -reads and displays the current tickets in the crential cache (also -known as the ticket file). -.Pp -Options supported: -.Bl -tag -width Ds -.It Xo -.Fl c Ar cache , -.Fl -cache= Ns Ar cache -.Xc -credentials cache to list -.It Xo -.Fl s , -.Fl t , -.Fl -test -.Xc -Test for there being an active and valid TGT for the local realm of -the user in the credential cache. -.It Xo -.Fl 4 , -.Fl -v4 -.Xc -display v4 tickets -.It Xo -.Fl T , -.Fl -tokens -.Xc -display AFS tokens -.It Xo -.Fl 5 , -.Fl -v5 -.Xc -display v5 cred cache (this is the default) -.It Fl f -Include ticket flags in short form, each charcted stands for a -specific flag, as follows: -.Bl -tag -width XXX -compact -offset indent -.It F -forwardable -.It f -forwarded -.It P -proxiable -.It p -proxied -.It D -postdate-able -.It d -postdated -.It R -renewable -.It I -initial -.It i -invalid -.It A -pre-authenticated -.It H -hardware authenticated -.El -.Pp -This information is also output with the -.Fl -verbose -option, but in a more verbose way. -.It Xo -.Fl v , -.Fl -verbose -.Xc -Verbose output. 
Include all possible information: -.Bl -tag -width XXXX -offset indent -.It Server -the princial the ticket is for -.It Ticket etype -the encryption type use in the ticket, followed by the key version of -the ticket, if it is available -.It Session key -the encryption type of the session key, if it's different from the -encryption type of the ticket -.It Auth time -the time the authentication exchange took place -.It Start time -the time that this tickets is valid from (only printed if it's -different from the auth time) -.It End time -when the ticket expires, if it has already expired this is also noted -.It Renew till -the maximum possible end time of any ticket derived from this one -.It Ticket flags -the flags set on the ticket -.It Addresses -the set of addresses from which this ticket is valid -.El -.El -.Sh SEE ALSO -.Xr kdestroy 1 , -.Xr kinit 1 diff --git a/crypto/heimdal-0.6.3/kuser/klist.c b/crypto/heimdal-0.6.3/kuser/klist.c deleted file mode 100644 index 3521e2e721..0000000000 --- a/crypto/heimdal-0.6.3/kuser/klist.c +++ /dev/null 
@@ -1,691 +0,0 @@
-/*
- * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "kuser_locl.h" -#include "rtbl.h" - -RCSID("$Id: klist.c,v 1.68.2.2 2003/10/13 15:13:39 joda Exp $"); - -static char* -printable_time(time_t t) -{ - static char s[128]; - strcpy(s, ctime(&t)+ 4); - s[15] = 0; - return s; -} - -static char* -printable_time_long(time_t t) -{ - static char s[128]; - strcpy(s, ctime(&t)+ 4); - s[20] = 0; - return s; -} - -#define COL_ISSUED " Issued" -#define COL_EXPIRES " Expires" -#define COL_FLAGS "Flags" -#define COL_PRINCIPAL " Principal" -#define COL_PRINCIPAL_KVNO " Principal (kvno)" - -static void -print_cred(krb5_context context, krb5_creds *cred, rtbl_t ct, int do_flags) -{ - char *str; - krb5_error_code ret; - krb5_timestamp sec; - - krb5_timeofday (context, &sec); - - - if(cred->times.starttime) - rtbl_add_column_entry(ct, COL_ISSUED, - printable_time(cred->times.starttime)); - else - rtbl_add_column_entry(ct, COL_ISSUED, - printable_time(cred->times.authtime)); - - if(cred->times.endtime > sec) - rtbl_add_column_entry(ct, COL_EXPIRES, - printable_time(cred->times.endtime)); - else - rtbl_add_column_entry(ct, COL_EXPIRES, ">>>Expired<<<"); - ret = krb5_unparse_name (context, cred->server, &str); - if (ret) - krb5_err(context, 1, ret, "krb5_unparse_name"); - rtbl_add_column_entry(ct, COL_PRINCIPAL, str); - if(do_flags) { - char s[16], *sp = s; - if(cred->flags.b.forwardable) - *sp++ = 'F'; - if(cred->flags.b.forwarded) - *sp++ = 'f'; - if(cred->flags.b.proxiable) - *sp++ = 'P'; - if(cred->flags.b.proxy) - *sp++ = 'p'; - if(cred->flags.b.may_postdate) - *sp++ = 'D'; - if(cred->flags.b.postdated) - *sp++ = 'd'; - if(cred->flags.b.renewable) - *sp++ = 'R'; - if(cred->flags.b.initial) - *sp++ = 'I'; - if(cred->flags.b.invalid) - *sp++ = 'i'; - if(cred->flags.b.pre_authent) - *sp++ = 'A'; - if(cred->flags.b.hw_authent) - *sp++ = 'H'; - *sp++ = '\0'; - rtbl_add_column_entry(ct, COL_FLAGS, s); - } - free(str); -} - -static void -print_cred_verbose(krb5_context context, krb5_creds *cred) -{ - int j; - char *str; - 
krb5_error_code ret; - int first_flag; - krb5_timestamp sec; - - krb5_timeofday (context, &sec); - - ret = krb5_unparse_name(context, cred->server, &str); - if(ret) - exit(1); - printf("Server: %s\n", str); - free (str); - { - Ticket t; - size_t len; - char *s; - - decode_Ticket(cred->ticket.data, cred->ticket.length, &t, &len); - ret = krb5_enctype_to_string(context, t.enc_part.etype, &s); - printf("Ticket etype: "); - if (ret == 0) { - printf("%s", s); - free(s); - } else { - printf("unknown(%d)", t.enc_part.etype); - } - if(t.enc_part.kvno) - printf(", kvno %d", *t.enc_part.kvno); - printf("\n"); - if(cred->session.keytype != t.enc_part.etype) { - ret = krb5_keytype_to_string(context, cred->session.keytype, &str); - if(ret == KRB5_PROG_KEYTYPE_NOSUPP) - ret = krb5_enctype_to_string(context, cred->session.keytype, - &str); - if(ret) - krb5_warn(context, ret, "session keytype"); - else { - printf("Session key: %s\n", str); - free(str); - } - } - free_Ticket(&t); - } - printf("Auth time: %s\n", printable_time_long(cred->times.authtime)); - if(cred->times.authtime != cred->times.starttime) - printf("Start time: %s\n", printable_time_long(cred->times.starttime)); - printf("End time: %s", printable_time_long(cred->times.endtime)); - if(sec > cred->times.endtime) - printf(" (expired)"); - printf("\n"); - if(cred->flags.b.renewable) - printf("Renew till: %s\n", - printable_time_long(cred->times.renew_till)); - printf("Ticket flags: "); -#define PRINT_FLAG2(f, s) if(cred->flags.b.f) { if(!first_flag) printf(", "); printf("%s", #s); first_flag = 0; } -#define PRINT_FLAG(f) PRINT_FLAG2(f, f) - first_flag = 1; - PRINT_FLAG(forwardable); - PRINT_FLAG(forwarded); - PRINT_FLAG(proxiable); - PRINT_FLAG(proxy); - PRINT_FLAG2(may_postdate, may-postdate); - PRINT_FLAG(postdated); - PRINT_FLAG(invalid); - PRINT_FLAG(renewable); - PRINT_FLAG(initial); - PRINT_FLAG2(pre_authent, pre-authenticated); - PRINT_FLAG2(hw_authent, hw-authenticated); - PRINT_FLAG2(transited_policy_checked, 
transited-policy-checked); - PRINT_FLAG2(ok_as_delegate, ok-as-delegate); - PRINT_FLAG(anonymous); - printf("\n"); - printf("Addresses: "); - for(j = 0; j < cred->addresses.len; j++){ - char buf[128]; - size_t len; - if(j) printf(", "); - ret = krb5_print_address(&cred->addresses.val[j], - buf, sizeof(buf), &len); - - if(ret == 0) - printf("%s", buf); - } - printf("\n\n"); -} - -/* - * Print all tickets in `ccache' on stdout, verbosily iff do_verbose. - */ - -static void -print_tickets (krb5_context context, - krb5_ccache ccache, - krb5_principal principal, - int do_verbose, - int do_flags) -{ - krb5_error_code ret; - char *str; - krb5_cc_cursor cursor; - krb5_creds creds; - - rtbl_t ct = NULL; - - ret = krb5_unparse_name (context, principal, &str); - if (ret) - krb5_err (context, 1, ret, "krb5_unparse_name"); - - printf ("%17s: %s:%s\n", - "Credentials cache", - krb5_cc_get_type(context, ccache), - krb5_cc_get_name(context, ccache)); - printf ("%17s: %s\n", "Principal", str); - free (str); - - if(do_verbose) - printf ("%17s: %d\n", "Cache version", - krb5_cc_get_version(context, ccache)); - - if (do_verbose && context->kdc_sec_offset) { - char buf[BUFSIZ]; - int val; - int sig; - - val = context->kdc_sec_offset; - sig = 1; - if (val < 0) { - sig = -1; - val = -val; - } - - unparse_time (val, buf, sizeof(buf)); - - printf ("%17s: %s%s\n", "KDC time offset", - sig == -1 ? 
"-" : "", buf); - } - - printf("\n"); - - ret = krb5_cc_start_seq_get (context, ccache, &cursor); - if (ret) - krb5_err(context, 1, ret, "krb5_cc_start_seq_get"); - - if(!do_verbose) { - ct = rtbl_create(); - rtbl_add_column(ct, COL_ISSUED, 0); - rtbl_add_column(ct, COL_EXPIRES, 0); - if(do_flags) - rtbl_add_column(ct, COL_FLAGS, 0); - rtbl_add_column(ct, COL_PRINCIPAL, 0); - rtbl_set_prefix(ct, " "); - rtbl_set_column_prefix(ct, COL_ISSUED, ""); - } - while ((ret = krb5_cc_next_cred (context, - ccache, - &cursor, - &creds)) == 0) { - if(do_verbose){ - print_cred_verbose(context, &creds); - }else{ - print_cred(context, &creds, ct, do_flags); - } - krb5_free_creds_contents (context, &creds); - } - if(ret != KRB5_CC_END) - krb5_err(context, 1, ret, "krb5_cc_get_next"); - ret = krb5_cc_end_seq_get (context, ccache, &cursor); - if (ret) - krb5_err (context, 1, ret, "krb5_cc_end_seq_get"); - if(!do_verbose) { - rtbl_format(ct, stdout); - rtbl_destroy(ct); - } -} - -/* - * Check if there's a tgt for the realm of `principal' and ccache and - * if so return 0, else 1 - */ - -static int -check_for_tgt (krb5_context context, - krb5_ccache ccache, - krb5_principal principal) -{ - krb5_error_code ret; - krb5_creds pattern; - krb5_creds creds; - krb5_realm *client_realm; - int expired; - - client_realm = krb5_princ_realm (context, principal); - - ret = krb5_make_principal (context, &pattern.server, - *client_realm, KRB5_TGS_NAME, *client_realm, - NULL); - if (ret) - krb5_err (context, 1, ret, "krb5_make_principal"); - - ret = krb5_cc_retrieve_cred (context, ccache, 0, &pattern, &creds); - expired = time(NULL) > creds.times.endtime; - krb5_free_principal (context, pattern.server); - krb5_free_creds_contents (context, &creds); - if (ret) { - if (ret == KRB5_CC_END) - return 1; - krb5_err (context, 1, ret, "krb5_cc_retrieve_cred"); - } - return expired; -} - -#ifdef KRB4 -/* prints the approximate kdc time differential as something human - readable */ - -static void 
-print_time_diff(int do_verbose) -{ - int d = abs(krb_get_kdc_time_diff()); - char buf[80]; - - if ((do_verbose && d > 0) || d > 60) { - unparse_time_approx (d, buf, sizeof(buf)); - printf ("Time diff:\t%s\n", buf); - } -} - -/* - * return a short representation of `dp' in string form. - */ - -static char * -short_date(int32_t dp) -{ - char *cp; - time_t t = (time_t)dp; - - if (t == (time_t)(-1L)) return "*** Never *** "; - cp = ctime(&t) + 4; - cp[15] = '\0'; - return (cp); -} - -/* - * Print a list of all the v4 tickets - */ - -static int -display_v4_tickets (int do_verbose) -{ - char *file; - int ret; - krb_principal princ; - CREDENTIALS cred; - int found = 0; - - rtbl_t ct; - - file = getenv ("KRBTKFILE"); - if (file == NULL) - file = TKT_FILE; - - printf("%17s: %s\n", "V4-ticket file", file); - - ret = krb_get_tf_realm (file, princ.realm); - if (ret) { - warnx ("%s", krb_get_err_text(ret)); - return 1; - } - - ret = tf_init (file, R_TKT_FIL); - if (ret) { - warnx ("tf_init: %s", krb_get_err_text(ret)); - return 1; - } - ret = tf_get_pname (princ.name); - if (ret) { - tf_close (); - warnx ("tf_get_pname: %s", krb_get_err_text(ret)); - return 1; - } - ret = tf_get_pinst (princ.instance); - if (ret) { - tf_close (); - warnx ("tf_get_pname: %s", krb_get_err_text(ret)); - return 1; - } - - printf ("%17s: %s\n", "Principal", krb_unparse_name(&princ)); - print_time_diff(do_verbose); - printf("\n"); - - ct = rtbl_create(); - rtbl_add_column(ct, COL_ISSUED, 0); - rtbl_add_column(ct, COL_EXPIRES, 0); - if (do_verbose) - rtbl_add_column(ct, COL_PRINCIPAL_KVNO, 0); - else - rtbl_add_column(ct, COL_PRINCIPAL, 0); - rtbl_set_prefix(ct, " "); - rtbl_set_column_prefix(ct, COL_ISSUED, ""); - - while ((ret = tf_get_cred(&cred)) == KSUCCESS) { - struct timeval tv; - char buf1[20], buf2[20]; - const char *pp; - - found++; - - strlcpy(buf1, - short_date(cred.issue_date), - sizeof(buf1)); - cred.issue_date = krb_life_to_time(cred.issue_date, cred.lifetime); - krb_kdctimeofday(&tv); 
- if (do_verbose || tv.tv_sec < (unsigned long) cred.issue_date) - strlcpy(buf2, - short_date(cred.issue_date), - sizeof(buf2)); - else - strlcpy(buf2, - ">>> Expired <<<", - sizeof(buf2)); - rtbl_add_column_entry(ct, COL_ISSUED, buf1); - rtbl_add_column_entry(ct, COL_EXPIRES, buf2); - pp = krb_unparse_name_long(cred.service, - cred.instance, - cred.realm); - if (do_verbose) { - char *tmp; - - asprintf(&tmp, "%s (%d)", pp, cred.kvno); - rtbl_add_column_entry(ct, COL_PRINCIPAL_KVNO, tmp); - free(tmp); - } else { - rtbl_add_column_entry(ct, COL_PRINCIPAL, pp); - } - } - rtbl_format(ct, stdout); - rtbl_destroy(ct); - if (!found && ret == EOF) - printf("No tickets in file.\n"); - tf_close(); - - /* - * should do NAT stuff here - */ - return 0; -} -#endif /* KRB4 */ - -/* - * Print a list of all AFS tokens - */ - -static void -display_tokens(int do_verbose) -{ - u_int32_t i; - unsigned char t[4096]; - struct ViceIoctl parms; - - parms.in = (void *)&i; - parms.in_size = sizeof(i); - parms.out = (void *)t; - parms.out_size = sizeof(t); - - for (i = 0;; i++) { - int32_t size_secret_tok, size_public_tok; - unsigned char *cell; - struct ClearToken ct; - unsigned char *r = t; - struct timeval tv; - char buf1[20], buf2[20]; - - if(k_pioctl(NULL, VIOCGETTOK, &parms, 0) < 0) { - if(errno == EDOM) - break; - continue; - } - if(parms.out_size > sizeof(t)) - continue; - if(parms.out_size < sizeof(size_secret_tok)) - continue; - t[min(parms.out_size,sizeof(t)-1)] = 0; - memcpy(&size_secret_tok, r, sizeof(size_secret_tok)); - /* dont bother about the secret token */ - r += size_secret_tok + sizeof(size_secret_tok); - if (parms.out_size < (r - t) + sizeof(size_public_tok)) - continue; - memcpy(&size_public_tok, r, sizeof(size_public_tok)); - r += sizeof(size_public_tok); - if (parms.out_size < (r - t) + size_public_tok + sizeof(int32_t)) - continue; - memcpy(&ct, r, size_public_tok); - r += size_public_tok; - /* there is a int32_t with length of cellname, but we dont read it */ - r += 
sizeof(int32_t); - cell = r; - - gettimeofday (&tv, NULL); - strlcpy (buf1, printable_time(ct.BeginTimestamp), - sizeof(buf1)); - if (do_verbose || tv.tv_sec < ct.EndTimestamp) - strlcpy (buf2, printable_time(ct.EndTimestamp), - sizeof(buf2)); - else - strlcpy (buf2, ">>> Expired <<<", sizeof(buf2)); - - printf("%s %s ", buf1, buf2); - - if ((ct.EndTimestamp - ct.BeginTimestamp) & 1) - printf("User's (AFS ID %d) tokens for %s", ct.ViceId, cell); - else - printf("Tokens for %s", cell); - if (do_verbose) - printf(" (%d)", ct.AuthHandle); - putchar('\n'); - } -} - -/* - * display the ccache in `cred_cache' - */ - -static int -display_v5_ccache (const char *cred_cache, int do_test, int do_verbose, - int do_flags) -{ - krb5_error_code ret; - krb5_context context; - krb5_ccache ccache; - krb5_principal principal; - int exit_status = 0; - - ret = krb5_init_context (&context); - if (ret) - errx (1, "krb5_init_context failed: %d", ret); - - if(cred_cache) { - ret = krb5_cc_resolve(context, cred_cache, &ccache); - if (ret) - krb5_err (context, 1, ret, "%s", cred_cache); - } else { - ret = krb5_cc_default (context, &ccache); - if (ret) - krb5_err (context, 1, ret, "krb5_cc_resolve"); - } - - ret = krb5_cc_get_principal (context, ccache, &principal); - if (ret) { - if(ret == ENOENT) { - if (!do_test) - krb5_warnx(context, "No ticket file: %s", - krb5_cc_get_name(context, ccache)); - return 1; - } else - krb5_err (context, 1, ret, "krb5_cc_get_principal"); - } - if (do_test) - exit_status = check_for_tgt (context, ccache, principal); - else - print_tickets (context, ccache, principal, do_verbose, do_flags); - - ret = krb5_cc_close (context, ccache); - if (ret) - krb5_err (context, 1, ret, "krb5_cc_close"); - - krb5_free_principal (context, principal); - krb5_free_context (context); - return exit_status; -} - -static int version_flag = 0; -static int help_flag = 0; -static int do_verbose = 0; -static int do_test = 0; -#ifdef KRB4 -static int do_v4 = 1; -#endif -static int 
do_tokens = 0; -static int do_v5 = 1; -static char *cred_cache; -static int do_flags = 0; - -static struct getargs args[] = { - { NULL, 'f', arg_flag, &do_flags }, - { "cache", 'c', arg_string, &cred_cache, - "credentials cache to list", "cache" }, - { "test", 't', arg_flag, &do_test, - "test for having tickets", NULL }, - { NULL, 's', arg_flag, &do_test }, -#ifdef KRB4 - { "v4", '4', arg_flag, &do_v4, - "display v4 tickets", NULL }, -#endif - { "tokens", 'T', arg_flag, &do_tokens, - "display AFS tokens", NULL }, - { "v5", '5', arg_flag, &do_v5, - "display v5 cred cache", NULL}, - { "verbose", 'v', arg_flag, &do_verbose, - "verbose output", NULL }, - { NULL, 'a', arg_flag, &do_verbose }, - { NULL, 'n', arg_flag, &do_verbose }, - { "version", 0, arg_flag, &version_flag, - "print version", NULL }, - { "help", 0, arg_flag, &help_flag, - NULL, NULL} -}; - -static void -usage (int ret) -{ - arg_printusage (args, - sizeof(args)/sizeof(*args), - NULL, - ""); - exit (ret); -} - -int -main (int argc, char **argv) -{ - int optind = 0; - int exit_status = 0; - - setprogname (argv[0]); - - if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind)) - usage(1); - - if (help_flag) - usage (0); - - if(version_flag){ - print_version(NULL); - exit(0); - } - - argc -= optind; - argv += optind; - - if (argc != 0) - usage (1); - - if (do_v5) - exit_status = display_v5_ccache (cred_cache, do_test, - do_verbose, do_flags); - - if (!do_test) { -#ifdef KRB4 - if (do_v4) { - if (do_v5) - printf ("\n"); - display_v4_tickets (do_verbose); - } -#endif - if (do_tokens && k_hasafs ()) { - if (do_v5) - printf ("\n"); -#ifdef KRB4 - else if (do_v4) - printf ("\n"); -#endif - display_tokens (do_verbose); - } - } - - return exit_status; -} diff --git a/crypto/heimdal-0.6.3/kuser/klist.cat1 b/crypto/heimdal-0.6.3/kuser/klist.cat1 deleted file mode 100644 index 6cea15b9c1..0000000000 --- a/crypto/heimdal-0.6.3/kuser/klist.cat1 +++ /dev/null 
@@ -1,89 +0,0 @@ - -KLIST(1) UNIX Reference Manual KLIST(1) - -NNAAMMEE - kklliisstt - list Kerberos credentials - -SSYYNNOOPPSSIISS - kklliisstt [--cc _c_a_c_h_e | ----ccaacchhee==_c_a_c_h_e] [--ss | --tt | ----tteesstt] [--44 | ----vv44] [--TT | - ----ttookkeennss] [--55 | ----vv55] [--vv | ----vveerrbboossee] [--ff] [----vveerrssiioonn] [----hheellpp] - -DDEESSCCRRIIPPTTIIOONN - kklliisstt reads and displays the current tickets in the crential cache (also - known as the ticket file). - - Options supported: - - --cc _c_a_c_h_e, ----ccaacchhee==_c_a_c_h_e - credentials cache to list - - --ss, --tt, ----tteesstt - Test for there being an active and valid TGT for the local realm - of the user in the credential cache. - - --44, ----vv44 - display v4 tickets - - --TT, ----ttookkeennss - display AFS tokens - - --55, ----vv55 - display v5 cred cache (this is the default) - - --ff Include ticket flags in short form, each charcted stands for a - specific flag, as follows: - F forwardable - f forwarded - P proxiable - p proxied - D postdate-able - d postdated - R renewable - I initial - i invalid - A pre-authenticated - H hardware authenticated - - This information is also output with the ----vveerrbboossee option, but in - a more verbose way. - - --vv, ----vveerrbboossee - Verbose output. 
Include all possible information: - - Server - the princial the ticket is for - - Ticket etype - the encryption type use in the ticket, followed by - the key version of the ticket, if it is available - - Session key - the encryption type of the session key, if it's dif- - ferent from the encryption type of the ticket - - Auth time - - the time the authentication exchange took place - - Start time - the time that this tickets is valid from (only print- - ed if it's different from the auth time) - - End time - when the ticket expires, if it has already expired - this is also noted - - Renew till - the maximum possible end time of any ticket derived - from this one - - Ticket flags - the flags set on the ticket - - Addresses - the set of addresses from which this ticket is valid - -SSEEEE AALLSSOO - kdestroy(1), kinit(1) - - HEIMDAL July 8, 2000 2 diff --git a/crypto/heimdal-0.6.3/kuser/kuser_locl.h b/crypto/heimdal-0.6.3/kuser/kuser_locl.h deleted file mode 100644 index 06403cbe67..0000000000 --- a/crypto/heimdal-0.6.3/kuser/kuser_locl.h +++ /dev/null 
@@ -1,90 +0,0 @@
-/*
- * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: kuser_locl.h,v 1.13 2003/01/21 14:13:51 nectar Exp $ */
-
-#ifndef __KUSER_LOCL_H__
-#define __KUSER_LOCL_H__
-
-#ifdef HAVE_CONFIG_H
-#include
-#endif
-
-#include
-#include
-#include
-#include
-#ifdef HAVE_SYS_TYPES_H
-#include
-#endif
-#ifdef HAVE_PWD_H
-#include
-#endif
-#ifdef HAVE_SYS_TIME_H
-#include
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include
-#endif
-#ifdef HAVE_NETINET_IN6_H
-#include
-#endif
-#ifdef HAVE_NETINET6_IN6_H
-#include
-#endif
-
-#ifdef HAVE_ARPA_INET_H
-#include
-#endif
-#include
-#include
-#include
-#include
-#include
-
-#ifdef KRB4
-#include
-#endif
-#if defined(HAVE_SYS_IOCTL_H) && SunOS != 40
-#include
-#endif
-#ifdef HAVE_SYS_IOCCOM_H
-#include
-#endif
-#include
-#include "crypto-headers.h" /* for des_read_pw_string */
-
-#endif /* __KUSER_LOCL_H__ */
diff --git a/crypto/heimdal-0.6.3/kuser/kverify.c b/crypto/heimdal-0.6.3/kuser/kverify.c
deleted file mode 100644
index 3501f009cd..0000000000
--- a/crypto/heimdal-0.6.3/kuser/kverify.c
+++ /dev/null
@@ -1,116 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kuser_locl.h"
-
-RCSID("$Id: kverify.c,v 1.6 2001/08/24 01:08:13 assar Exp $");
-
-static int help_flag = 0;
-static int version_flag = 0;
-
-static struct getargs args[] = {
- { "version", 0, arg_flag, &version_flag },
- { "help", 0, arg_flag, &help_flag }
-};
-
-static void
-usage (int ret)
-{
- arg_printusage (args,
- sizeof(args)/sizeof(*args),
- NULL,
- "[principal]");
- exit (ret);
-}
-
-int
-main(int argc, char **argv)
-{
- krb5_context context;
- krb5_error_code ret;
- krb5_creds cred;
- krb5_preauthtype pre_auth_types[] = {KRB5_PADATA_ENC_TIMESTAMP};
- krb5_get_init_creds_opt get_options;
- krb5_verify_init_creds_opt verify_options;
- int optind = 0;
-
- setprogname (argv[0]);
-
- if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
- usage(1);
-
- if (help_flag)
- usage (0);
-
- if(version_flag) {
- print_version(NULL);
- exit(0);
- }
-
- ret = krb5_init_context(&context);
- if (ret)
- errx (1, "krb5_init_context failed: %d", ret);
-
- krb5_get_init_creds_opt_init (&get_options);
-
- krb5_get_init_creds_opt_set_preauth_list (&get_options,
- pre_auth_types,
- 1);
-
- krb5_verify_init_creds_opt_init (&verify_options);
-
- ret = krb5_get_init_creds_password (context,
- &cred,
- NULL,
- NULL,
- krb5_prompter_posix,
- NULL,
- 0,
- NULL,
- &get_options);
- if (ret)
- errx (1, "krb5_get_init_creds: %s", krb5_get_err_text(context, ret));
-
- ret = krb5_verify_init_creds (context,
- &cred,
- NULL,
- NULL,
- NULL,
- &verify_options);
- if (ret)
- errx (1, "krb5_verify_init_creds: %s",
- krb5_get_err_text(context, ret));
- krb5_free_creds_contents (context, &cred);
- krb5_free_context (context);
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/lib/45/45_locl.h b/crypto/heimdal-0.6.3/lib/45/45_locl.h
deleted file mode 100644
index 8104179d5b..0000000000
--- a/crypto/heimdal-0.6.3/lib/45/45_locl.h
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef __45_LOCL_H__
-#define __45_LOCL_H__
-
-#ifdef HAVE_CONFIG_H
-#include
-#endif
-
-#include
-#include
-
-#ifdef HAVE_SYS_TIME_H
-#include
-#endif
-
-#include
-#include
-#include
-
-#endif /* __45_LOCL_H__ */
diff --git a/crypto/heimdal-0.6.3/lib/45/Makefile.am b/crypto/heimdal-0.6.3/lib/45/Makefile.am
deleted file mode 100644
index 50d47fdb39..0000000000
--- a/crypto/heimdal-0.6.3/lib/45/Makefile.am
+++ /dev/null
@@ -1,11 +0,0 @@
-# $Id: Makefile.am,v 1.5 1999/03/20 13:58:17 joda Exp $
-
-include $(top_srcdir)/Makefile.am.common
-
-INCLUDES += $(INCLUDE_krb4)
-
-lib_LIBRARIES = @EXTRA_LIB45@
-
-EXTRA_LIBRARIES = lib45.a
-
-lib45_a_SOURCES = get_ad_tkt.c mk_req.c 45_locl.h
diff --git a/crypto/heimdal-0.6.3/lib/45/Makefile.in b/crypto/heimdal-0.6.3/lib/45/Makefile.in
deleted file mode 100644
index cef1000c19..0000000000
--- a/crypto/heimdal-0.6.3/lib/45/Makefile.in
+++ /dev/null
@@ -1,758 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.5 1999/03/20 13:58:17 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - -SOURCES = $(lib45_a_SOURCES) - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../.. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ - $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common -subdir = lib/45 -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - $(top_srcdir)/cf/krb-struct-spwd.m4 \ - 
$(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -ARFLAGS = cru -am__installdirs = "$(DESTDIR)$(libdir)" -libLIBRARIES_INSTALL = $(INSTALL_DATA) -LIBRARIES = $(lib_LIBRARIES) -lib45_a_AR = $(AR) $(ARFLAGS) -lib45_a_LIBADD = -am_lib45_a_OBJECTS = get_ad_tkt.$(OBJEXT) mk_req.$(OBJEXT) -lib45_a_OBJECTS = $(am_lib45_a_OBJECTS) -DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -SOURCES = $(lib45_a_SOURCES) -DIST_SOURCES = $(lib45_a_SOURCES) -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = 
@CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ 
-LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = 
@PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = 
@sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -lib_LIBRARIES = @EXTRA_LIB45@ -EXTRA_LIBRARIES = lib45.a -lib45_a_SOURCES = get_ad_tkt.c mk_req.c 45_locl.h -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps lib/45/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps lib/45/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' 
in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -install-libLIBRARIES: $(lib_LIBRARIES) - @$(NORMAL_INSTALL) - test -z "$(libdir)" || $(mkdir_p) "$(DESTDIR)$(libdir)" - @list='$(lib_LIBRARIES)'; for p in $$list; do \ - if test -f $$p; then \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(libLIBRARIES_INSTALL) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \ - $(libLIBRARIES_INSTALL) "$$p" "$(DESTDIR)$(libdir)/$$f"; \ - else :; fi; \ - done - @$(POST_INSTALL) - @list='$(lib_LIBRARIES)'; for p in $$list; do \ - if test -f $$p; then \ - p="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(RANLIB) '$(DESTDIR)$(libdir)/$$p'"; \ - $(RANLIB) "$(DESTDIR)$(libdir)/$$p"; \ - else :; fi; \ - done - -uninstall-libLIBRARIES: - @$(NORMAL_UNINSTALL) - @list='$(lib_LIBRARIES)'; for p in $$list; do \ - p="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " rm -f '$(DESTDIR)$(libdir)/$$p'"; \ - rm -f "$(DESTDIR)$(libdir)/$$p"; \ - done - -clean-libLIBRARIES: - -test -z "$(lib_LIBRARIES)" || rm -f $(lib_LIBRARIES) -lib45.a: $(lib45_a_OBJECTS) $(lib45_a_DEPENDENCIES) - -rm -f lib45.a - $(lib45_a_AR) lib45.a $(lib45_a_OBJECTS) $(lib45_a_LIBADD) - $(RANLIB) lib45.a - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c $< - -.c.obj: - $(COMPILE) -c `$(CYGPATH_W) '$<'` - -.c.lo: - $(LTCOMPILE) -c -o $@ $< - 
-mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/../.. 
$(distdir)/../../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(LIBRARIES) all-local -installdirs: - for dir in "$(DESTDIR)$(libdir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." 
-clean: clean-am - -clean-am: clean-generic clean-libLIBRARIES clean-libtool \ - mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: install-libLIBRARIES - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-info-am uninstall-libLIBRARIES - -.PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \ - clean clean-generic clean-libLIBRARIES clean-libtool ctags \ - distclean distclean-compile distclean-generic \ - distclean-libtool distclean-tags distdir dvi dvi-am html \ - html-am info info-am install install-am install-data \ - install-data-am install-exec install-exec-am install-info \ - install-info-am install-libLIBRARIES install-man install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags uninstall uninstall-am uninstall-info-am \ - uninstall-libLIBRARIES - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) 
$(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) 
foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal-0.6.3/lib/45/get_ad_tkt.c b/crypto/heimdal-0.6.3/lib/45/get_ad_tkt.c deleted file mode 100644 index 3be18a1ead..0000000000 --- a/crypto/heimdal-0.6.3/lib/45/get_ad_tkt.c +++ /dev/null 
@@ -1,116 +0,0 @@
-/*
- * Copyright (c) 1997, 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "45_locl.h"
-
-RCSID("$Id: get_ad_tkt.c,v 1.4 2001/06/18 13:11:05 assar Exp $");
-
-/* get an additional version 4 ticket via the 524 protocol */
-
-#ifndef NEVERDATE
-#define NEVERDATE ((unsigned long)0x7fffffffL)
-#endif
-
-int
-get_ad_tkt(char *service, char *sinstance, char *realm, int lifetime)
-{
- krb5_error_code ret;
- int code;
- krb5_context context;
- krb5_ccache id;
- krb5_creds in_creds, *out_creds;
- CREDENTIALS cred;
- time_t now;
- char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
-
- ret = krb5_init_context(&context);
- if(ret)
- return KFAILURE;
- ret = krb5_cc_default(context, &id);
- if(ret){
- krb5_free_context(context);
- return KFAILURE;
- }
- memset(&in_creds, 0, sizeof(in_creds));
- now = time(NULL);
- in_creds.times.endtime = krb_life_to_time(time(NULL), lifetime);
- if(in_creds.times.endtime == NEVERDATE)
- in_creds.times.endtime = 0;
- ret = krb5_cc_get_principal(context, id, &in_creds.client);
- if(ret){
- krb5_cc_close(context, id);
- krb5_free_context(context);
- return KFAILURE;
- }
- ret = krb5_524_conv_principal(context, in_creds.client,
- pname, pinst, prealm);
- if(ret){
- krb5_free_principal(context, in_creds.client);
- krb5_cc_close(context, id);
- krb5_free_context(context);
- return KFAILURE;
- }
- ret = krb5_425_conv_principal(context, service, sinstance, realm,
- &in_creds.server);
- if(ret){
- krb5_free_principal(context, in_creds.client);
- krb5_cc_close(context, id);
- krb5_free_context(context);
- return KFAILURE;
- }
- ret = krb5_get_credentials(context,
- 0,
- id,
- &in_creds,
- &out_creds);
- krb5_free_principal(context, in_creds.client);
- krb5_free_principal(context, in_creds.server);
- if(ret){
- krb5_cc_close(context, id);
- krb5_free_context(context);
- return KFAILURE;
- }
- ret = krb524_convert_creds_kdc_ccache(context, id, out_creds, &cred);
- krb5_cc_close(context, id);
- krb5_free_context(context);
- krb5_free_creds(context, out_creds);
- if(ret)
- return KFAILURE;
- code = save_credentials(cred.service, cred.instance, cred.realm,
- cred.session, cred.lifetime, cred.kvno,
- &cred.ticket_st, now);
- if(code == NO_TKT_FIL)
- code = tf_setup(&cred, pname, pinst);
- memset(&cred.session, 0, sizeof(cred.session));
- return code;
-}
diff --git a/crypto/heimdal-0.6.3/lib/45/mk_req.c b/crypto/heimdal-0.6.3/lib/45/mk_req.c
deleted file mode 100644
index b06f558562..0000000000
--- a/crypto/heimdal-0.6.3/lib/45/mk_req.c
+++ /dev/null
@@ -1,139 +0,0 @@
-/*
- * Copyright (c) 1997 - 2000, 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* implementation of krb_mk_req that uses 524 protocol */
-
-#include "45_locl.h"
-
-RCSID("$Id: mk_req.c,v 1.7 2002/05/24 15:21:00 joda Exp $");
-
-static int lifetime = 255;
-
-static void
-build_request(KTEXT req,
- const char *name, const char *inst, const char *realm,
- u_int32_t checksum)
-{
- struct timeval tv;
- krb5_storage *sp;
- krb5_data data;
- sp = krb5_storage_emem();
- krb5_store_stringz(sp, name);
- krb5_store_stringz(sp, inst);
- krb5_store_stringz(sp, realm);
- krb5_store_int32(sp, checksum);
- gettimeofday(&tv, NULL);
- krb5_store_int8(sp, tv.tv_usec / 5000);
- krb5_store_int32(sp, tv.tv_sec);
- krb5_storage_to_data(sp, &data);
- krb5_storage_free(sp);
- memcpy(req->dat, data.data, data.length);
- req->length = (data.length + 7) & ~7;
- krb5_data_free(&data);
-}
-
-#ifdef KRB_MK_REQ_CONST
-int
-krb_mk_req(KTEXT authent,
- const char *service, const char *instance, const char *realm,
- int32_t checksum)
-#else
-int
-krb_mk_req(KTEXT authent,
- char *service, char *instance, char *realm,
- int32_t checksum)
-
-#endif
-{
- CREDENTIALS cr;
- KTEXT_ST req;
- krb5_storage *sp;
- int code;
- /* XXX get user realm */
- const char *myrealm = realm;
- krb5_data a;
-
- code = krb_get_cred(service, instance, realm, &cr);
- if(code || time(NULL) > krb_life_to_time(cr.issue_date, cr.lifetime)){
- code = get_ad_tkt((char *)service,
- (char *)instance, (char *)realm, lifetime);
- if(code == KSUCCESS)
- code = krb_get_cred(service, instance, realm, &cr);
- }
-
- if(code)
- return code;
-
- sp = krb5_storage_emem();
-
- krb5_store_int8(sp, KRB_PROT_VERSION);
- krb5_store_int8(sp, AUTH_MSG_APPL_REQUEST);
-
- krb5_store_int8(sp, cr.kvno);
- krb5_store_stringz(sp, realm);
- krb5_store_int8(sp, cr.ticket_st.length);
-
- build_request(&req, cr.pname, cr.pinst, myrealm, checksum);
- encrypt_ktext(&req, &cr.session, DES_ENCRYPT);
-
- krb5_store_int8(sp, req.length);
-
- krb5_storage_write(sp, cr.ticket_st.dat, cr.ticket_st.length);
- krb5_storage_write(sp, req.dat, req.length);
- krb5_storage_to_data(sp, &a);
- krb5_storage_free(sp);
- memcpy(authent->dat, a.data, a.length);
- authent->length = a.length;
- krb5_data_free(&a);
-
- memset(&cr, 0, sizeof(cr));
- memset(&req, 0, sizeof(req));
-
- return KSUCCESS;
-}
-
-/*
- * krb_set_lifetime sets the default lifetime for additional tickets
- * obtained via krb_mk_req().
- *
- * It returns the previous value of the default lifetime.
- */
-
-int
-krb_set_lifetime(int newval)
-{
- int olife = lifetime;
-
- lifetime = newval;
- return(olife);
-}
diff --git a/crypto/heimdal-0.6.3/lib/Makefile.am b/crypto/heimdal-0.6.3/lib/Makefile.am
deleted file mode 100644
index 3c8dc71efb..0000000000
--- a/crypto/heimdal-0.6.3/lib/Makefile.am
+++ /dev/null
@@ -1,16 +0,0 @@
-# $Id: Makefile.am,v 1.22 2001/08/28 18:44:41 nectar Exp $
-
-include $(top_srcdir)/Makefile.am.common
-
-if KRB4
-dir_45 = 45
-endif
-if OTP
-dir_otp = otp
-endif
-if DCE
-dir_dce = kdfs
-endif
-
-SUBDIRS = @DIR_roken@ vers editline @DIR_com_err@ sl asn1 @DIR_des@ krb5 \
- kafs hdb kadm5 gssapi auth $(dir_45) $(dir_otp) $(dir_dce)
diff --git a/crypto/heimdal-0.6.3/lib/Makefile.in b/crypto/heimdal-0.6.3/lib/Makefile.in
deleted file mode 100644
index 1d2a76a759..0000000000
--- a/crypto/heimdal-0.6.3/lib/Makefile.in
+++ /dev/null
@@ -1,782 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.22 2001/08/28 18:44:41 nectar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = .. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ - $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common -subdir = lib -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - $(top_srcdir)/cf/krb-struct-spwd.m4 \ - 
$(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -depcomp = -am__depfiles_maybe = -SOURCES = -DIST_SOURCES = -RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \ - html-recursive info-recursive install-data-recursive \ - install-exec-recursive install-info-recursive \ - install-recursive installcheck-recursive installdirs-recursive \ - pdf-recursive ps-recursive uninstall-info-recursive \ - uninstall-recursive -ETAGS = etags -CTAGS = ctags -DIST_SUBDIRS = @DIR_roken@ vers editline @DIR_com_err@ sl asn1 \ - @DIR_des@ krb5 kafs hdb kadm5 gssapi auth 45 otp kdfs -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = 
@DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ 
-LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ 
-WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include 
-LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -@KRB4_TRUE@dir_45 = 45 -@OTP_TRUE@dir_otp = otp -@DCE_TRUE@dir_dce = kdfs -SUBDIRS = @DIR_roken@ vers editline @DIR_com_err@ sl asn1 @DIR_des@ krb5 \ - kafs hdb kadm5 gssapi auth $(dir_45) $(dir_otp) $(dir_dce) - -all: all-recursive - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps lib/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps lib/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' 
in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -# This directory's subdirectories are mostly independent; you can cd -# into them and run `make' without going through this Makefile. -# To change the values of `make' variables: instead of editing Makefiles, -# (1) if the variable is set in `config.status', edit `config.status' -# (which will cause the Makefiles to be regenerated when you run `make'); -# (2) otherwise, pass the desired values on the `make' command line. 
-$(RECURSIVE_TARGETS): - @set fnord $$MAKEFLAGS; amf=$$2; \ - dot_seen=no; \ - target=`echo $@ | sed s/-recursive//`; \ - list='$(SUBDIRS)'; for subdir in $$list; do \ - echo "Making $$target in $$subdir"; \ - if test "$$subdir" = "."; then \ - dot_seen=yes; \ - local_target="$$target-am"; \ - else \ - local_target="$$target"; \ - fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ - || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \ - done; \ - if test "$$dot_seen" = "no"; then \ - $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \ - fi; test -z "$$fail" - -mostlyclean-recursive clean-recursive distclean-recursive \ -maintainer-clean-recursive: - @set fnord $$MAKEFLAGS; amf=$$2; \ - dot_seen=no; \ - case "$@" in \ - distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \ - *) list='$(SUBDIRS)' ;; \ - esac; \ - rev=''; for subdir in $$list; do \ - if test "$$subdir" = "."; then :; else \ - rev="$$subdir $$rev"; \ - fi; \ - done; \ - rev="$$rev ."; \ - target=`echo $@ | sed s/-recursive//`; \ - for subdir in $$rev; do \ - echo "Making $$target in $$subdir"; \ - if test "$$subdir" = "."; then \ - local_target="$$target-am"; \ - else \ - local_target="$$target"; \ - fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ - || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \ - done && test -z "$$fail" -tags-recursive: - list='$(SUBDIRS)'; for subdir in $$list; do \ - test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \ - done -ctags-recursive: - list='$(SUBDIRS)'; for subdir in $$list; do \ - test "$$subdir" = . 
|| (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \ - done - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - if (etags --etags-include --version) >/dev/null 2>&1; then \ - include_option=--etags-include; \ - else \ - include_option=--include; \ - fi; \ - list='$(SUBDIRS)'; for subdir in $$list; do \ - if test "$$subdir" = .; then :; else \ - test -f $$subdir/TAGS && \ - tags="$$tags $$include_option=$$here/$$subdir/TAGS"; \ - fi; \ - done; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: ctags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/.. 
$(distdir)/../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ - if test "$$subdir" = .; then :; else \ - test -d "$(distdir)/$$subdir" \ - || mkdir "$(distdir)/$$subdir" \ - || exit 1; \ - (cd $$subdir && \ - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="../$(top_distdir)" \ - distdir="../$(distdir)/$$subdir" \ - distdir) \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-recursive -all-am: Makefile all-local -installdirs: installdirs-recursive -installdirs-am: -install: install-recursive -install-exec: install-exec-recursive -install-data: install-data-recursive -uninstall: uninstall-recursive - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-recursive -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo 
"INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-recursive - -clean-am: clean-generic clean-libtool mostlyclean-am - -distclean: distclean-recursive - -rm -f Makefile -distclean-am: clean-am distclean-generic distclean-libtool \ - distclean-tags - -dvi: dvi-recursive - -dvi-am: - -html: html-recursive - -info: info-recursive - -info-am: - -install-data-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-recursive - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-recursive - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-recursive - -mostlyclean-am: mostlyclean-generic mostlyclean-libtool - -pdf: pdf-recursive - -pdf-am: - -ps: ps-recursive - -ps-am: - -uninstall-am: uninstall-info-am - -uninstall-info: uninstall-info-recursive - -.PHONY: $(RECURSIVE_TARGETS) CTAGS GTAGS all all-am all-local check \ - check-am check-local clean clean-generic clean-libtool \ - clean-recursive ctags ctags-recursive distclean \ - distclean-generic distclean-libtool distclean-recursive \ - distclean-tags distdir dvi dvi-am html html-am info info-am \ - install install-am install-data install-data-am install-exec \ - install-exec-am install-info install-info-am install-man \ - install-strip installcheck installcheck-am installdirs \ - installdirs-am maintainer-clean maintainer-clean-generic \ - maintainer-clean-recursive mostlyclean mostlyclean-generic \ - mostlyclean-libtool mostlyclean-recursive pdf pdf-am ps ps-am \ - tags tags-recursive uninstall uninstall-am uninstall-info-am - - -install-suid-programs: - 
@foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - 
case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal-0.6.3/lib/asn1/Makefile.am b/crypto/heimdal-0.6.3/lib/asn1/Makefile.am deleted file mode 100644 index f6ece7577c..0000000000 --- a/crypto/heimdal-0.6.3/lib/asn1/Makefile.am +++ /dev/null 
@@ -1,129 +0,0 @@
-# $Id: Makefile.am,v 1.69.2.3 2004/06/21 08:26:44 lha Exp $
-
-include $(top_srcdir)/Makefile.am.common
-
-YFLAGS = -d
-
-lib_LTLIBRARIES = libasn1.la
-libasn1_la_LDFLAGS = -version-info 6:2:0
-
-libasn1_la_LIBADD = @LIB_com_err@
-
-BUILT_SOURCES = \
- $(gen_files:.x=.c) \
- asn1_err.h \
- asn1_err.c
-
-gen_files = \
- asn1_APOptions.x \
- asn1_AP_REP.x \
- asn1_AP_REQ.x \
- asn1_AS_REP.x \
- asn1_AS_REQ.x \
- asn1_Authenticator.x \
- asn1_AuthorizationData.x \
- asn1_CKSUMTYPE.x \
- asn1_ChangePasswdDataMS.x \
- asn1_Checksum.x \
- asn1_ENCTYPE.x \
- asn1_ETYPE_INFO.x \
- asn1_ETYPE_INFO_ENTRY.x \
- asn1_EncAPRepPart.x \
- asn1_EncASRepPart.x \
- asn1_EncKDCRepPart.x \
- asn1_EncKrbCredPart.x \
- asn1_EncKrbPrivPart.x \
- asn1_EncTGSRepPart.x \
- asn1_EncTicketPart.x \
- asn1_EncryptedData.x \
- asn1_EncryptionKey.x \
- asn1_HostAddress.x \
- asn1_HostAddresses.x \
- asn1_KDCOptions.x \
- asn1_KDC_REP.x \
- asn1_KDC_REQ.x \
- asn1_KDC_REQ_BODY.x \
- asn1_KRB_CRED.x \
- asn1_KRB_ERROR.x \
- asn1_KRB_PRIV.x \
- asn1_KRB_SAFE.x \
- asn1_KRB_SAFE_BODY.x \
- asn1_KerberosTime.x \
- asn1_KrbCredInfo.x \
- asn1_LastReq.x \
- asn1_LR_TYPE.x \
- asn1_MESSAGE_TYPE.x \
- asn1_METHOD_DATA.x \
- asn1_NAME_TYPE.x \
- asn1_PADATA_TYPE.x \
- asn1_PA_DATA.x \
- asn1_PA_ENC_TS_ENC.x \
- asn1_Principal.x \
- asn1_PrincipalName.x \
- asn1_Realm.x \
- asn1_TGS_REP.x \
- asn1_TGS_REQ.x \
- asn1_Ticket.x \
- asn1_TicketFlags.x \
- asn1_TransitedEncoding.x \
- asn1_UNSIGNED.x
-
-
-noinst_PROGRAMS = asn1_compile asn1_print
-check_PROGRAMS = check-der check-gen
-TESTS = check-der check-gen
-
-check_der_SOURCES = check-der.c check-common.c
-check_gen_SOURCES = check-gen.c check-common.c
-
-
-asn1_compile_SOURCES = \
- gen.c \
- gen_copy.c \
- gen_decode.c \
- gen_encode.c \
- gen_free.c \
- gen_glue.c \
- gen_length.c \
- hash.c \
- lex.l \
- main.c \
- parse.y \
- symbol.c
-
-libasn1_la_SOURCES = \
- der_get.c \
- der_put.c \
- der_free.c \
- der_length.c \
- der_copy.c \
- timegm.c \
- $(BUILT_SOURCES)
-
-asn1_compile_LDADD = \
- $(LIB_roken) $(LEXLIB)
-
-check_der_LDADD = \
- libasn1.la \
- $(LIB_roken)
-
-check_gen_LDADD = $(check_der_LDADD)
-asn1_print_LDADD = $(check_der_LDADD)
-
-CLEANFILES = lex.c parse.c parse.h krb5_asn1.h $(BUILT_SOURCES) \
- $(gen_files) asn1_files
-
-include_HEADERS = krb5_asn1.h asn1_err.h der.h
-
-$(asn1_compile_OBJECTS): parse.h parse.c
-
-$(gen_files) krb5_asn1.h: asn1_files
-
-asn1_files: asn1_compile$(EXEEXT) $(srcdir)/k5.asn1
- ./asn1_compile$(EXEEXT) $(srcdir)/k5.asn1 krb5_asn1
-
-$(libasn1_la_OBJECTS): krb5_asn1.h asn1_err.h
-
-$(asn1_print_OBJECTS): krb5_asn1.h
-
-EXTRA_DIST = asn1_err.et
diff --git a/crypto/heimdal-0.6.3/lib/asn1/Makefile.in b/crypto/heimdal-0.6.3/lib/asn1/Makefile.in
deleted file mode 100644
index 491040da43..0000000000
--- a/crypto/heimdal-0.6.3/lib/asn1/Makefile.in
+++ /dev/null
@@ -1,1075 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.69.2.3 2004/06/21 08:26:44 lha Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - - - -SOURCES = $(libasn1_la_SOURCES) $(asn1_compile_SOURCES) asn1_print.c $(check_der_SOURCES) $(check_gen_SOURCES) - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../.. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(include_HEADERS) $(srcdir)/Makefile.am \ - $(srcdir)/Makefile.in $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common lex.c parse.c parse.h -noinst_PROGRAMS = asn1_compile$(EXEEXT) asn1_print$(EXEEXT) -check_PROGRAMS = check-der$(EXEEXT) check-gen$(EXEEXT) -subdir = lib/asn1 -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - 
$(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - $(top_srcdir)/cf/krb-struct-spwd.m4 \ - $(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(includedir)" -libLTLIBRARIES_INSTALL = $(INSTALL) -LTLIBRARIES = $(lib_LTLIBRARIES) -libasn1_la_DEPENDENCIES = -am__objects_1 = asn1_APOptions.lo asn1_AP_REP.lo asn1_AP_REQ.lo \ - asn1_AS_REP.lo asn1_AS_REQ.lo asn1_Authenticator.lo \ - asn1_AuthorizationData.lo asn1_CKSUMTYPE.lo \ - asn1_ChangePasswdDataMS.lo asn1_Checksum.lo asn1_ENCTYPE.lo \ - asn1_ETYPE_INFO.lo asn1_ETYPE_INFO_ENTRY.lo \ - asn1_EncAPRepPart.lo asn1_EncASRepPart.lo \ - asn1_EncKDCRepPart.lo asn1_EncKrbCredPart.lo \ - asn1_EncKrbPrivPart.lo asn1_EncTGSRepPart.lo \ - asn1_EncTicketPart.lo asn1_EncryptedData.lo \ - asn1_EncryptionKey.lo asn1_HostAddress.lo \ - asn1_HostAddresses.lo asn1_KDCOptions.lo asn1_KDC_REP.lo \ - asn1_KDC_REQ.lo asn1_KDC_REQ_BODY.lo asn1_KRB_CRED.lo \ - asn1_KRB_ERROR.lo asn1_KRB_PRIV.lo asn1_KRB_SAFE.lo \ - asn1_KRB_SAFE_BODY.lo asn1_KerberosTime.lo asn1_KrbCredInfo.lo \ - asn1_LastReq.lo asn1_LR_TYPE.lo asn1_MESSAGE_TYPE.lo \ - asn1_METHOD_DATA.lo asn1_NAME_TYPE.lo asn1_PADATA_TYPE.lo \ - asn1_PA_DATA.lo asn1_PA_ENC_TS_ENC.lo asn1_Principal.lo \ - asn1_PrincipalName.lo asn1_Realm.lo asn1_TGS_REP.lo \ - 
asn1_TGS_REQ.lo asn1_Ticket.lo asn1_TicketFlags.lo \ - asn1_TransitedEncoding.lo asn1_UNSIGNED.lo -am__objects_2 = $(am__objects_1) asn1_err.lo -am_libasn1_la_OBJECTS = der_get.lo der_put.lo der_free.lo \ - der_length.lo der_copy.lo timegm.lo $(am__objects_2) -libasn1_la_OBJECTS = $(am_libasn1_la_OBJECTS) -PROGRAMS = $(noinst_PROGRAMS) -am_asn1_compile_OBJECTS = gen.$(OBJEXT) gen_copy.$(OBJEXT) \ - gen_decode.$(OBJEXT) gen_encode.$(OBJEXT) gen_free.$(OBJEXT) \ - gen_glue.$(OBJEXT) gen_length.$(OBJEXT) hash.$(OBJEXT) \ - lex.$(OBJEXT) main.$(OBJEXT) parse.$(OBJEXT) symbol.$(OBJEXT) -asn1_compile_OBJECTS = $(am_asn1_compile_OBJECTS) -am__DEPENDENCIES_1 = -asn1_compile_DEPENDENCIES = $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) -asn1_print_SOURCES = asn1_print.c -asn1_print_OBJECTS = asn1_print.$(OBJEXT) -am__DEPENDENCIES_2 = libasn1.la $(am__DEPENDENCIES_1) -asn1_print_DEPENDENCIES = $(am__DEPENDENCIES_2) -am_check_der_OBJECTS = check-der.$(OBJEXT) check-common.$(OBJEXT) -check_der_OBJECTS = $(am_check_der_OBJECTS) -check_der_DEPENDENCIES = libasn1.la $(am__DEPENDENCIES_1) -am_check_gen_OBJECTS = check-gen.$(OBJEXT) check-common.$(OBJEXT) -check_gen_OBJECTS = $(am_check_gen_OBJECTS) -check_gen_DEPENDENCIES = $(am__DEPENDENCIES_2) -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -LEXCOMPILE = $(LEX) $(LFLAGS) $(AM_LFLAGS) -LTLEXCOMPILE = $(LIBTOOL) --mode=compile $(LEX) $(LFLAGS) $(AM_LFLAGS) -YACCCOMPILE = $(YACC) $(YFLAGS) $(AM_YFLAGS) -LTYACCCOMPILE = $(LIBTOOL) --mode=compile $(YACC) $(YFLAGS) \ - $(AM_YFLAGS) -SOURCES = $(libasn1_la_SOURCES) $(asn1_compile_SOURCES) asn1_print.c \ - $(check_der_SOURCES) $(check_gen_SOURCES) -DIST_SOURCES = $(libasn1_la_SOURCES) $(asn1_compile_SOURCES) \ - asn1_print.c $(check_der_SOURCES) $(check_gen_SOURCES) -includeHEADERS_INSTALL = $(INSTALL_HEADER) -HEADERS = $(include_HEADERS) -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP 
= @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = 
@LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ 
-ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ 
-NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -YFLAGS = -d -lib_LTLIBRARIES = libasn1.la -libasn1_la_LDFLAGS = -version-info 6:2:0 -libasn1_la_LIBADD = @LIB_com_err@ -BUILT_SOURCES = \ - $(gen_files:.x=.c) \ - asn1_err.h \ - asn1_err.c - -gen_files = \ - asn1_APOptions.x \ - asn1_AP_REP.x \ - asn1_AP_REQ.x \ - asn1_AS_REP.x \ - asn1_AS_REQ.x \ - asn1_Authenticator.x \ - asn1_AuthorizationData.x \ - asn1_CKSUMTYPE.x \ - asn1_ChangePasswdDataMS.x \ - asn1_Checksum.x \ - asn1_ENCTYPE.x \ - asn1_ETYPE_INFO.x \ - asn1_ETYPE_INFO_ENTRY.x \ - asn1_EncAPRepPart.x \ - asn1_EncASRepPart.x \ - asn1_EncKDCRepPart.x \ - asn1_EncKrbCredPart.x \ - asn1_EncKrbPrivPart.x \ - asn1_EncTGSRepPart.x \ - asn1_EncTicketPart.x \ - asn1_EncryptedData.x \ - asn1_EncryptionKey.x \ - asn1_HostAddress.x \ - asn1_HostAddresses.x \ - asn1_KDCOptions.x \ - asn1_KDC_REP.x \ - asn1_KDC_REQ.x \ - asn1_KDC_REQ_BODY.x \ - asn1_KRB_CRED.x \ - asn1_KRB_ERROR.x \ - asn1_KRB_PRIV.x \ - asn1_KRB_SAFE.x \ - asn1_KRB_SAFE_BODY.x \ - asn1_KerberosTime.x \ - asn1_KrbCredInfo.x \ - asn1_LastReq.x \ - asn1_LR_TYPE.x \ - asn1_MESSAGE_TYPE.x \ - asn1_METHOD_DATA.x \ - asn1_NAME_TYPE.x \ - asn1_PADATA_TYPE.x \ - asn1_PA_DATA.x \ - asn1_PA_ENC_TS_ENC.x \ - asn1_Principal.x \ - asn1_PrincipalName.x \ - asn1_Realm.x \ - asn1_TGS_REP.x \ - asn1_TGS_REQ.x \ - asn1_Ticket.x \ - asn1_TicketFlags.x \ - asn1_TransitedEncoding.x \ - asn1_UNSIGNED.x - -TESTS = check-der check-gen -check_der_SOURCES = check-der.c check-common.c -check_gen_SOURCES = check-gen.c check-common.c -asn1_compile_SOURCES = \ - gen.c \ - gen_copy.c \ - gen_decode.c \ - gen_encode.c \ - gen_free.c \ - gen_glue.c \ - gen_length.c \ - hash.c \ - lex.l \ - main.c \ - 
parse.y \ - symbol.c - -libasn1_la_SOURCES = \ - der_get.c \ - der_put.c \ - der_free.c \ - der_length.c \ - der_copy.c \ - timegm.c \ - $(BUILT_SOURCES) - -asn1_compile_LDADD = \ - $(LIB_roken) $(LEXLIB) - -check_der_LDADD = \ - libasn1.la \ - $(LIB_roken) - -check_gen_LDADD = $(check_der_LDADD) -asn1_print_LDADD = $(check_der_LDADD) -CLEANFILES = lex.c parse.c parse.h krb5_asn1.h $(BUILT_SOURCES) \ - $(gen_files) asn1_files - -include_HEADERS = krb5_asn1.h asn1_err.h der.h -EXTRA_DIST = asn1_err.et -all: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .l .lo .o .obj .y -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps lib/asn1/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps lib/asn1/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' 
in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -install-libLTLIBRARIES: $(lib_LTLIBRARIES) - @$(NORMAL_INSTALL) - test -z "$(libdir)" || $(mkdir_p) "$(DESTDIR)$(libdir)" - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - if test -f $$p; then \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \ - $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \ - else :; fi; \ - done - -uninstall-libLTLIBRARIES: - @$(NORMAL_UNINSTALL) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - p="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \ - $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \ - done - -clean-libLTLIBRARIES: - -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ - test "$$dir" = "$$p" && dir=.; \ - echo "rm -f \"$${dir}/so_locations\""; \ - rm -f "$${dir}/so_locations"; \ - done -libasn1.la: $(libasn1_la_OBJECTS) $(libasn1_la_DEPENDENCIES) - $(LINK) -rpath $(libdir) $(libasn1_la_LDFLAGS) $(libasn1_la_OBJECTS) $(libasn1_la_LIBADD) $(LIBS) - -clean-checkPROGRAMS: - @list='$(check_PROGRAMS)'; for p in 
$$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done - -clean-noinstPROGRAMS: - @list='$(noinst_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -parse.h: parse.c - @if test ! -f $@; then \ - rm -f parse.c; \ - $(MAKE) parse.c; \ - else :; fi -asn1_compile$(EXEEXT): $(asn1_compile_OBJECTS) $(asn1_compile_DEPENDENCIES) - @rm -f asn1_compile$(EXEEXT) - $(LINK) $(asn1_compile_LDFLAGS) $(asn1_compile_OBJECTS) $(asn1_compile_LDADD) $(LIBS) -asn1_print$(EXEEXT): $(asn1_print_OBJECTS) $(asn1_print_DEPENDENCIES) - @rm -f asn1_print$(EXEEXT) - $(LINK) $(asn1_print_LDFLAGS) $(asn1_print_OBJECTS) $(asn1_print_LDADD) $(LIBS) -check-der$(EXEEXT): $(check_der_OBJECTS) $(check_der_DEPENDENCIES) - @rm -f check-der$(EXEEXT) - $(LINK) $(check_der_LDFLAGS) $(check_der_OBJECTS) $(check_der_LDADD) $(LIBS) -check-gen$(EXEEXT): $(check_gen_OBJECTS) $(check_gen_DEPENDENCIES) - @rm -f check-gen$(EXEEXT) - $(LINK) $(check_gen_LDFLAGS) $(check_gen_OBJECTS) $(check_gen_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c $< - -.c.obj: - $(COMPILE) -c `$(CYGPATH_W) '$<'` - -.c.lo: - $(LTCOMPILE) -c -o $@ $< - -.l.c: - $(LEXCOMPILE) $< - sed '/^#/ s|$(LEX_OUTPUT_ROOT)\.c|$@|' $(LEX_OUTPUT_ROOT).c >$@ - rm -f $(LEX_OUTPUT_ROOT).c - -.y.c: - $(YACCCOMPILE) $< - if test -f y.tab.h; then \ - to=`echo "$*_H" | sed \ - -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/' \ - -e 's/[^ABCDEFGHIJKLMNOPQRSTUVWXYZ]/_/g'`; \ - sed "/^#/ s/Y_TAB_H/$$to/g" y.tab.h >$*.ht; \ - rm -f y.tab.h; \ - if cmp -s $*.ht $*.h; then \ - rm -f $*.ht ;\ - else \ - mv $*.ht $*.h; \ - fi; \ - fi - if test -f y.output; then \ - mv y.output $*.output; \ - fi - sed '/^#/ s|y\.tab\.c|$@|' y.tab.c >$@t && mv $@t $@ - rm -f y.tab.c - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - 
-distclean-libtool: - -rm -f libtool -uninstall-info-am: -install-includeHEADERS: $(include_HEADERS) - @$(NORMAL_INSTALL) - test -z "$(includedir)" || $(mkdir_p) "$(DESTDIR)$(includedir)" - @list='$(include_HEADERS)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \ - $(includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \ - done - -uninstall-includeHEADERS: - @$(NORMAL_UNINSTALL) - @list='$(include_HEADERS)'; for p in $$list; do \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " rm -f '$(DESTDIR)$(includedir)/$$f'"; \ - rm -f "$(DESTDIR)$(includedir)/$$f"; \ - done - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - 
-GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -check-TESTS: $(TESTS) - @failed=0; all=0; xfail=0; xpass=0; skip=0; \ - srcdir=$(srcdir); export srcdir; \ - list='$(TESTS)'; \ - if test -n "$$list"; then \ - for tst in $$list; do \ - if test -f ./$$tst; then dir=./; \ - elif test -f $$tst; then dir=; \ - else dir="$(srcdir)/"; fi; \ - if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ - all=`expr $$all + 1`; \ - case " $(XFAIL_TESTS) " in \ - *" $$tst "*) \ - xpass=`expr $$xpass + 1`; \ - failed=`expr $$failed + 1`; \ - echo "XPASS: $$tst"; \ - ;; \ - *) \ - echo "PASS: $$tst"; \ - ;; \ - esac; \ - elif test $$? -ne 77; then \ - all=`expr $$all + 1`; \ - case " $(XFAIL_TESTS) " in \ - *" $$tst "*) \ - xfail=`expr $$xfail + 1`; \ - echo "XFAIL: $$tst"; \ - ;; \ - *) \ - failed=`expr $$failed + 1`; \ - echo "FAIL: $$tst"; \ - ;; \ - esac; \ - else \ - skip=`expr $$skip + 1`; \ - echo "SKIP: $$tst"; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - if test "$$xfail" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ - fi; \ - else \ - if test "$$xpass" -eq 0; then \ - banner="$$failed of $$all tests failed"; \ - else \ - banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ - fi; \ - fi; \ - dashes="$$banner"; \ - skipped=""; \ - if test "$$skip" -ne 0; then \ - skipped="($$skip tests were not run)"; \ - test `echo "$$skipped" | wc -c` -gt `echo "$$banner" | wc -c` && \ - dashes="$$skipped"; \ - fi; \ - report=""; \ - if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ - report="Please report to $(PACKAGE_BUGREPORT)"; \ - test `echo "$$report" | wc -c` -gt `echo "$$banner" | wc -c` && \ - dashes="$$report"; \ - fi; \ - dashes=`echo "$$dashes" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ 
- test -n "$$skipped" && echo "$$skipped"; \ - test -n "$$report" && echo "$$report"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - else :; fi - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/../.. $(distdir)/../../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) - $(MAKE) $(AM_MAKEFLAGS) check-TESTS check-local -check: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) check-am -all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(HEADERS) all-local -installdirs: - for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(includedir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ - done -install: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - 
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." - -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES) - -rm -f parse.h - -rm -f lex.c - -rm -f parse.c -clean: clean-am - -clean-am: clean-checkPROGRAMS clean-generic clean-libLTLIBRARIES \ - clean-libtool clean-noinstPROGRAMS mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: install-includeHEADERS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: install-libLTLIBRARIES - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-includeHEADERS uninstall-info-am \ - uninstall-libLTLIBRARIES - -.PHONY: CTAGS GTAGS all all-am all-local check check-TESTS check-am \ - check-local clean clean-checkPROGRAMS clean-generic \ - clean-libLTLIBRARIES clean-libtool clean-noinstPROGRAMS ctags \ - distclean distclean-compile distclean-generic \ - distclean-libtool distclean-tags distdir dvi dvi-am html \ - html-am info info-am install install-am install-data \ - install-data-am install-exec install-exec-am \ - 
install-includeHEADERS install-info install-info-am \ - install-libLTLIBRARIES install-man install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags uninstall uninstall-am uninstall-includeHEADERS \ - uninstall-info-am uninstall-libLTLIBRARIES - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< 
> $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -$(asn1_compile_OBJECTS): parse.h parse.c - -$(gen_files) krb5_asn1.h: asn1_files - -asn1_files: asn1_compile$(EXEEXT) $(srcdir)/k5.asn1 - ./asn1_compile$(EXEEXT) $(srcdir)/k5.asn1 krb5_asn1 - -$(libasn1_la_OBJECTS): krb5_asn1.h asn1_err.h - -$(asn1_print_OBJECTS): krb5_asn1.h -# Tell 
versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal-0.6.3/lib/asn1/asn1-common.h b/crypto/heimdal-0.6.3/lib/asn1/asn1-common.h deleted file mode 100644 index 251d401d56..0000000000 --- a/crypto/heimdal-0.6.3/lib/asn1/asn1-common.h +++ /dev/null @@ -1,21 +0,0 @@ -/* $Id: asn1-common.h,v 1.2 2001/09/25 13:39:25 assar Exp $ */ - -#include -#include - -#ifndef __asn1_common_definitions__ -#define __asn1_common_definitions__ - -typedef struct octet_string { - size_t length; - void *data; -} octet_string; - -typedef char *general_string; - -typedef struct oid { - size_t length; - unsigned *components; -} oid; - -#endif diff --git a/crypto/heimdal-0.6.3/lib/asn1/asn1_err.et b/crypto/heimdal-0.6.3/lib/asn1/asn1_err.et deleted file mode 100644 index 8f1f272ccc..0000000000 --- a/crypto/heimdal-0.6.3/lib/asn1/asn1_err.et +++ /dev/null @@ -1,20 +0,0 @@ -# -# Error messages for the asn.1 library -# -# This might look like a com_err file, but is not -# -id "$Id: asn1_err.et,v 1.5 1998/02/16 16:17:17 joda Exp $" - -error_table asn1 -prefix ASN1 -error_code BAD_TIMEFORMAT, "ASN.1 failed call to system time library" -error_code MISSING_FIELD, "ASN.1 structure is missing a required field" -error_code MISPLACED_FIELD, "ASN.1 unexpected field number" -error_code TYPE_MISMATCH, "ASN.1 type numbers are inconsistent" -error_code OVERFLOW, "ASN.1 value too large" -error_code OVERRUN, "ASN.1 encoding ended unexpectedly" -error_code BAD_ID, "ASN.1 identifier doesn't match expected value" -error_code BAD_LENGTH, "ASN.1 length doesn't match expected value" -error_code BAD_FORMAT, "ASN.1 badly-formatted encoding" -error_code PARSE_ERROR, "ASN.1 parse error" -end diff --git a/crypto/heimdal-0.6.3/lib/asn1/asn1_print.c b/crypto/heimdal-0.6.3/lib/asn1/asn1_print.c deleted file mode 100644 index d3199e8edd..0000000000 --- a/crypto/heimdal-0.6.3/lib/asn1/asn1_print.c +++ /dev/null 
@@ -1,255 +0,0 @@
-/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "der_locl.h" -#include -#include -#include -#include -#include - -RCSID("$Id: asn1_print.c,v 1.11 2002/08/29 20:45:35 assar Exp $"); - -const char *class_names[] = { - "UNIV", /* 0 */ - "APPL", /* 1 */ - "CONTEXT", /* 2 */ - "PRIVATE" /* 3 */ -}; - -const char *type_names[] = { - "PRIM", /* 0 */ - "CONS" /* 1 */ -}; - -const char *tag_names[] = { - NULL, /* 0 */ - NULL, /* 1 */ - "Integer", /* 2 */ - "BitString", /* 3 */ - "OctetString", /* 4 */ - "Null", /* 5 */ - "ObjectID", /* 6 */ - NULL, /* 7 */ - NULL, /* 8 */ - NULL, /* 9 */ - NULL, /* 10 */ - NULL, /* 11 */ - NULL, /* 12 */ - NULL, /* 13 */ - NULL, /* 14 */ - NULL, /* 15 */ - "Sequence", /* 16 */ - "Set", /* 17 */ - NULL, /* 18 */ - "PrintableString", /* 19 */ - NULL, /* 20 */ - NULL, /* 21 */ - "IA5String", /* 22 */ - "UTCTime", /* 23 */ - "GeneralizedTime", /* 24 */ - NULL, /* 25 */ - "VisibleString", /* 26 */ - "GeneralString" /* 27 */ -}; - -static int -loop (unsigned char *buf, size_t len, int indent) -{ - while (len > 0) { - int ret; - Der_class class; - Der_type type; - int tag; - size_t sz; - size_t length; - int i; - - ret = der_get_tag (buf, len, &class, &type, &tag, &sz); - if (ret) - errx (1, "der_get_tag: %s", error_message (ret)); - if (sz > len) - errx (1, "unreasonable length (%u) > %u", - (unsigned)sz, (unsigned)len); - buf += sz; - len -= sz; - for (i = 0; i < indent; ++i) - printf (" "); - printf ("%s %s ", class_names[class], type_names[type]); - if (tag_names[tag]) - printf ("%s = ", tag_names[tag]); - else - printf ("tag %d = ", tag); - ret = der_get_length (buf, len, &length, &sz); - if (ret) - errx (1, "der_get_tag: %s", error_message (ret)); - buf += sz; - len -= sz; - - if (class == CONTEXT) { - printf ("[%d]\n", tag); - loop (buf, length, indent); - } else if (class == UNIV) { - switch (tag) { - case UT_Sequence : - printf ("{\n"); - loop (buf, length, indent + 2); - for (i = 0; i < indent; ++i) - printf (" "); - printf ("}\n"); - break; - case UT_Integer : { - 
int val; - - ret = der_get_int (buf, length, &val, NULL); - if (ret) - errx (1, "der_get_int: %s", error_message (ret)); - printf ("integer %d\n", val); - break; - } - case UT_OctetString : { - octet_string str; - int i; - unsigned char *uc; - - ret = der_get_octet_string (buf, length, &str, NULL); - if (ret) - errx (1, "der_get_octet_string: %s", error_message (ret)); - printf ("(length %lu), ", (unsigned long)length); - uc = (unsigned char *)str.data; - for (i = 0; i < 16; ++i) - printf ("%02x", uc[i]); - printf ("\n"); - free (str.data); - break; - } - case UT_GeneralizedTime : - case UT_GeneralString : { - general_string str; - - ret = der_get_general_string (buf, length, &str, NULL); - if (ret) - errx (1, "der_get_general_string: %s", - error_message (ret)); - printf ("\"%s\"\n", str); - free (str); - break; - } - case UT_OID: { - oid o; - int i; - - ret = der_get_oid(buf, length, &o, NULL); - if (ret) - errx (1, "der_get_oid: %s", error_message (ret)); - - for (i = 0; i < o.length ; i++) - printf("%d%s", o.components[i], - i < o.length - 1 ? "." 
: ""); - printf("\n"); - free_oid(&o); - break; - } - default : - printf ("%lu bytes\n", (unsigned long)length); - break; - } - } - buf += length; - len -= length; - } - return 0; -} - -static int -doit (const char *filename) -{ - int fd = open (filename, O_RDONLY); - struct stat sb; - unsigned char *buf; - size_t len; - int ret; - - if(fd < 0) - err (1, "opening %s for read", filename); - if (fstat (fd, &sb) < 0) - err (1, "stat %s", filename); - len = sb.st_size; - buf = malloc (len); - if (buf == NULL) - err (1, "malloc %u", (unsigned)len); - if (read (fd, buf, len) != len) - errx (1, "read failed"); - close (fd); - ret = loop (buf, len, 0); - free (buf); - return ret; -} - - -static int version_flag; -static int help_flag; -struct getargs args[] = { - { "version", 0, arg_flag, &version_flag }, - { "help", 0, arg_flag, &help_flag } -}; -int num_args = sizeof(args) / sizeof(args[0]); - -static void -usage(int code) -{ - arg_printusage(args, num_args, NULL, "dump-file"); - exit(code); -} - -int -main(int argc, char **argv) -{ - int optind = 0; - - setprogname (argv[0]); - initialize_asn1_error_table (); - if(getarg(args, num_args, argc, argv, &optind)) - usage(1); - if(help_flag) - usage(0); - if(version_flag) { - print_version(NULL); - exit(0); - } - argv += optind; - argc -= optind; - if (argc != 1) - usage (1); - return doit (argv[0]); -} diff --git a/crypto/heimdal-0.6.3/lib/asn1/check-common.c b/crypto/heimdal-0.6.3/lib/asn1/check-common.c deleted file mode 100644 index 20a41ad859..0000000000 --- a/crypto/heimdal-0.6.3/lib/asn1/check-common.c +++ /dev/null 
@@ -1,125 +0,0 @@
-/*
- * Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#ifdef HAVE_CONFIG_H -#include -#endif -#include -#include -#include -#include - -#include "check-common.h" - -RCSID("$Id: check-common.c,v 1.1 2003/01/23 10:21:36 lha Exp $"); - -static void -print_bytes (unsigned const char *buf, size_t len) -{ - int i; - - for (i = 0; i < len; ++i) - printf ("%02x ", buf[i]); -} - -int -generic_test (const struct test_case *tests, - unsigned ntests, - size_t data_size, - int (*encode)(unsigned char *, size_t, void *, size_t *), - int (*length)(void *), - int (*decode)(unsigned char *, size_t, void *, size_t *), - int (*cmp)(void *a, void *b)) -{ - unsigned char buf[4711]; - int i; - int failures = 0; - void *val = malloc (data_size); - - if (data_size != 0 && val == NULL) - err (1, "malloc"); - - for (i = 0; i < ntests; ++i) { - int ret; - size_t sz, consumed_sz, length_sz; - unsigned char *beg; - - ret = (*encode) (buf + sizeof(buf) - 1, sizeof(buf), - tests[i].val, &sz); - beg = buf + sizeof(buf) - sz; - if (ret != 0) { - printf ("encoding of %s failed\n", tests[i].name); - ++failures; - } - if (sz != tests[i].byte_len) { - printf ("encoding of %s has wrong len (%lu != %lu)\n", - tests[i].name, - (unsigned long)sz, (unsigned long)tests[i].byte_len); - ++failures; - } - - length_sz = (*length) (tests[i].val); - if (sz != length_sz) { - printf ("length for %s is bad (%lu != %lu)\n", - tests[i].name, (unsigned long)length_sz, (unsigned long)sz); - ++failures; - } - - if (memcmp (beg, tests[i].bytes, tests[i].byte_len) != 0) { - printf ("encoding of %s has bad bytes:\n" - "correct: ", tests[i].name); - print_bytes (tests[i].bytes, tests[i].byte_len); - printf ("\nactual: "); - print_bytes (beg, sz); - printf ("\n"); - ++failures; - } - ret = (*decode) (beg, sz, val, &consumed_sz); - if (ret != 0) { - printf ("decoding of %s failed\n", tests[i].name); - ++failures; - } - if (sz != consumed_sz) { - printf ("different length decoding %s (%ld != %ld)\n", - tests[i].name, - (unsigned long)sz, (unsigned long)consumed_sz); - 
++failures; - } - if ((*cmp)(val, tests[i].val) != 0) { - printf ("%s: comparison failed\n", tests[i].name); - ++failures; - } - } - free (val); - return failures; -} diff --git a/crypto/heimdal-0.6.3/lib/asn1/check-common.h b/crypto/heimdal-0.6.3/lib/asn1/check-common.h deleted file mode 100644 index 52d59cb4f7..0000000000 --- a/crypto/heimdal-0.6.3/lib/asn1/check-common.h +++ /dev/null 
@@ -1,53 +0,0 @@
-/*
- * Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-struct test_case {
- void *val;
- int byte_len;
- const unsigned char *bytes;
- char *name;
-};
-
-typedef int (*generic_encode)(unsigned char *, size_t, void *, size_t *);
-typedef int (*generic_length)(void *);
-typedef int (*generic_decode)(unsigned char *, size_t, void *, size_t *);
-
-int
-generic_test (const struct test_case *tests,
- unsigned ntests,
- size_t data_size,
- int (*encode)(unsigned char *, size_t, void *, size_t *),
- int (*length)(void *),
- int (*decode)(unsigned char *, size_t, void *, size_t *),
- int (*cmp)(void *a, void *b));
-
diff --git a/crypto/heimdal-0.6.3/lib/asn1/check-der.c b/crypto/heimdal-0.6.3/lib/asn1/check-der.c
deleted file mode 100644
index 7cb057749e..0000000000
--- a/crypto/heimdal-0.6.3/lib/asn1/check-der.c
+++ /dev/null
@@ -1,197 +0,0 @@
-/*
- * Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-#endif
-#include
-#include
-#include
-#include
-
-#include
-#include
-#include
-
-#include "check-common.h"
-
-RCSID("$Id: check-der.c,v 1.9 2003/01/23 10:19:49 lha Exp $");
-
-static int
-cmp_integer (void *a, void *b)
-{
- int *ia = (int *)a;
- int *ib = (int *)b;
-
- return *ib - *ia;
-}
-
-static int
-test_integer (void)
-{
- struct test_case tests[] = {
- {NULL, 3, "\x02\x01\x00"},
- {NULL, 3, "\x02\x01\x7f"},
- {NULL, 4, "\x02\x02\x00\x80"},
- {NULL, 4, "\x02\x02\x01\x00"},
- {NULL, 3, "\x02\x01\x80"},
- {NULL, 4, "\x02\x02\xff\x7f"},
- {NULL, 3, "\x02\x01\xff"},
- {NULL, 4, "\x02\x02\xff\x01"},
- {NULL, 4, "\x02\x02\x00\xff"},
- {NULL, 6, "\x02\x04\x80\x00\x00\x00"},
- {NULL, 6, "\x02\x04\x7f\xff\xff\xff"}
- };
-
- int values[] = {0, 127, 128, 256, -128, -129, -1, -255, 255,
- 0x80000000, 0x7fffffff};
- int i;
- int ntests = sizeof(tests) / sizeof(*tests);
-
- for (i = 0; i < ntests; ++i) {
- tests[i].val = &values[i];
- asprintf (&tests[i].name, "integer %d", values[i]);
- }
-
- return generic_test (tests, ntests, sizeof(int),
- (generic_encode)encode_integer,
- (generic_length) length_integer,
- (generic_decode)decode_integer,
- cmp_integer);
-}
-
-static int
-cmp_octet_string (void *a, void *b)
-{
- octet_string *oa = (octet_string *)a;
- octet_string *ob = (octet_string *)b;
-
- if (oa->length != ob->length)
- return ob->length - oa->length;
-
- return (memcmp (oa->data, ob->data, oa->length));
-}
-
-static int
-test_octet_string (void)
-{
- octet_string s1 = {8, "\x01\x23\x45\x67\x89\xab\xcd\xef"};
-
- struct test_case tests[] = {
- {NULL, 10, "\x04\x08\x01\x23\x45\x67\x89\xab\xcd\xef"}
- };
- int ntests = sizeof(tests) / sizeof(*tests);
-
- tests[0].val = &s1;
- asprintf (&tests[0].name, "a octet string");
-
- return generic_test (tests, ntests, sizeof(octet_string),
- (generic_encode)encode_octet_string,
- (generic_length)length_octet_string,
- (generic_decode)decode_octet_string,
- cmp_octet_string);
-}
-
-static int
-cmp_general_string (void *a, void *b)
-{
- unsigned char **sa = (unsigned char **)a;
- unsigned char **sb = (unsigned char **)b;
-
- return strcmp (*sa, *sb);
-}
-
-static int
-test_general_string (void)
-{
- unsigned char *s1 = "Test User 1";
-
- struct test_case tests[] = {
- {NULL, 13, "\x1b\x0b\x54\x65\x73\x74\x20\x55\x73\x65\x72\x20\x31"}
- };
- int ntests = sizeof(tests) / sizeof(*tests);
-
- tests[0].val = &s1;
- asprintf (&tests[0].name, "the string \"%s\"", s1);
-
- return generic_test (tests, ntests, sizeof(unsigned char *),
- (generic_encode)encode_general_string,
- (generic_length)length_general_string,
- (generic_decode)decode_general_string,
- cmp_general_string);
-}
-
-static int
-cmp_generalized_time (void *a, void *b)
-{
- time_t *ta = (time_t *)a;
- time_t *tb = (time_t *)b;
-
- return *tb - *ta;
-}
-
-static int
-test_generalized_time (void)
-{
- struct test_case tests[] = {
- {NULL, 17, "\x18\x0f""19700101000000Z"},
- {NULL, 17, "\x18\x0f""19851106210627Z"}
- };
- time_t values[] = {0, 500159187};
- int i;
- int ntests = sizeof(tests) / sizeof(*tests);
-
- for (i = 0; i < ntests; ++i) {
- tests[i].val = &values[i];
- asprintf (&tests[i].name, "time %d", (int)values[i]);
- }
-
- return generic_test (tests, ntests, sizeof(time_t),
- (generic_encode)encode_generalized_time,
- (generic_length)length_generalized_time,
- (generic_decode)decode_generalized_time,
- cmp_generalized_time);
-}
-
-int
-main(int argc, char **argv)
-{
- int ret = 0;
-
- ret += test_integer ();
- ret += test_octet_string ();
- ret += test_general_string ();
- ret += test_generalized_time ();
-
- return ret;
-}
diff --git a/crypto/heimdal-0.6.3/lib/asn1/check-gen.c b/crypto/heimdal-0.6.3/lib/asn1/check-gen.c
deleted file mode 100644
index 0b0bec939b..0000000000
--- a/crypto/heimdal-0.6.3/lib/asn1/check-gen.c
+++ /dev/null
@@ -1,193 +0,0 @@
-/*
- * Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#ifdef HAVE_CONFIG_H -#include -#endif -#include -#include -#include -#include - -#include -#include -#include -#include - -#include "check-common.h" - -RCSID("$Id: check-gen.c,v 1.2.2.1 2003/05/06 16:49:57 joda Exp $"); - -static char *lha_princ[] = { "lha" }; -static char *lharoot_princ[] = { "lha", "root" }; -static char *datan_princ[] = { "host", "nutcracker.e.kth.se" }; - - -#define COMPARE_STRING(ac,bc,e) \ - do { if (strcmp((ac)->e, (bc)->e) != 0) return 1; } while(0) -#define COMPARE_INTEGER(ac,bc,e) \ - do { if ((ac)->e != (bc)->e) return 1; } while(0) -#define COMPARE_MEM(ac,bc,e,len) \ - do { if (memcmp((ac)->e, (bc)->e,len) != 0) return 1; } while(0) - -static int -cmp_principal (void *a, void *b) -{ - Principal *pa = a; - Principal *pb = b; - int i; - - COMPARE_STRING(pa,pb,realm); - COMPARE_INTEGER(pa,pb,name.name_type); - COMPARE_INTEGER(pa,pb,name.name_string.len); - - for (i = 0; i < pa->name.name_string.len; i++) - COMPARE_STRING(pa,pb,name.name_string.val[i]); - - return 0; -} - -static int -test_principal (void) -{ - - struct test_case tests[] = { - { NULL, 29, - (unsigned char*)"\x30\x1b\xa0\x10\x30\x0e\xa0\x03\x02\x01\x01\xa1\x07\x30\x05\x1b" - "\x03\x6c\x68\x61\xa1\x07\x1b\x05\x53\x55\x2e\x53\x45" - }, - { NULL, 35, - (unsigned char*)"\x30\x21\xa0\x16\x30\x14\xa0\x03\x02\x01\x01\xa1\x0d\x30\x0b\x1b" - "\x03\x6c\x68\x61\x1b\x04\x72\x6f\x6f\x74\xa1\x07\x1b\x05\x53\x55" - "\x2e\x53\x45" - }, - { NULL, 54, - (unsigned char*)"\x30\x34\xa0\x26\x30\x24\xa0\x03\x02\x01\x03\xa1\x1d\x30\x1b\x1b" - "\x04\x68\x6f\x73\x74\x1b\x13\x6e\x75\x74\x63\x72\x61\x63\x6b\x65" - "\x72\x2e\x65\x2e\x6b\x74\x68\x2e\x73\x65\xa1\x0a\x1b\x08\x45\x2e" - "\x4b\x54\x48\x2e\x53\x45" - } - }; - - - Principal values[] = { - { { KRB5_NT_PRINCIPAL, { 1, lha_princ } }, "SU.SE" }, - { { KRB5_NT_PRINCIPAL, { 2, lharoot_princ } }, "SU.SE" }, - { { KRB5_NT_SRV_HST, { 2, datan_princ } }, "E.KTH.SE" } - }; - int i; - int ntests = sizeof(tests) / sizeof(*tests); - - for (i = 0; i 
< ntests; ++i) { - tests[i].val = &values[i]; - asprintf (&tests[i].name, "Principal %d", i); - } - - return generic_test (tests, ntests, sizeof(Principal), - (generic_encode)encode_Principal, - (generic_length)length_Principal, - (generic_decode)decode_Principal, - cmp_principal); -} - -static int -cmp_authenticator (void *a, void *b) -{ - Authenticator *aa = a; - Authenticator *ab = b; - int i; - - COMPARE_INTEGER(aa,ab,authenticator_vno); - COMPARE_STRING(aa,ab,crealm); - - COMPARE_INTEGER(aa,ab,cname.name_type); - COMPARE_INTEGER(aa,ab,cname.name_string.len); - - for (i = 0; i < aa->cname.name_string.len; i++) - COMPARE_STRING(aa,ab,cname.name_string.val[i]); - - return 0; -} - -static int -test_authenticator (void) -{ - struct test_case tests[] = { - { NULL, 63, - (unsigned char*)"\x62\x3d\x30\x3b\xa0\x03\x02\x01\x05\xa1\x0a\x1b\x08" - "\x45\x2e\x4b\x54\x48\x2e\x53\x45\xa2\x10\x30\x0e\xa0" - "\x03\x02\x01\x01\xa1\x07\x30\x05\x1b\x03\x6c\x68\x61" - "\xa4\x03\x02\x01\x0a\xa5\x11\x18\x0f\x31\x39\x37\x30" - "\x30\x31\x30\x31\x30\x30\x30\x31\x33\x39\x5a" - }, - { NULL, 67, - (unsigned char*)"\x62\x41\x30\x3f\xa0\x03\x02\x01\x05\xa1\x07\x1b\x05" - "\x53\x55\x2e\x53\x45\xa2\x16\x30\x14\xa0\x03\x02\x01" - "\x01\xa1\x0d\x30\x0b\x1b\x03\x6c\x68\x61\x1b\x04\x72" - "\x6f\x6f\x74\xa4\x04\x02\x02\x01\x24\xa5\x11\x18\x0f" - "\x31\x39\x37\x30\x30\x31\x30\x31\x30\x30\x31\x36\x33" - "\x39\x5a" - } - }; - - Authenticator values[] = { - { 5, "E.KTH.SE", { KRB5_NT_PRINCIPAL, { 1, lha_princ } }, - NULL, 10, 99, NULL, NULL, NULL }, - { 5, "SU.SE", { KRB5_NT_PRINCIPAL, { 2, lharoot_princ } }, - NULL, 292, 999, NULL, NULL, NULL } - }; - int i; - int ntests = sizeof(tests) / sizeof(*tests); - - for (i = 0; i < ntests; ++i) { - tests[i].val = &values[i]; - asprintf (&tests[i].name, "Authenticator %d", i); - } - - return generic_test (tests, ntests, sizeof(Authenticator), - (generic_encode)encode_Authenticator, - (generic_length)length_Authenticator, - 
(generic_decode)decode_Authenticator, - cmp_authenticator); -} - -int -main(int argc, char **argv) -{ - int ret = 0; - - ret += test_principal (); - ret += test_authenticator(); - - return ret; -} diff --git a/crypto/heimdal-0.6.3/lib/asn1/der.h b/crypto/heimdal-0.6.3/lib/asn1/der.h deleted file mode 100644 index 738c8d7e7a..0000000000 --- a/crypto/heimdal-0.6.3/lib/asn1/der.h +++ /dev/null 
@@ -1,152 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: der.h,v 1.22 2001/09/27 16:20:35 assar Exp $ */
-
-#ifndef __DER_H__
-#define __DER_H__
-
-#include
-
-typedef enum {UNIV = 0, APPL = 1, CONTEXT = 2 , PRIVATE = 3} Der_class;
-
-typedef enum {PRIM = 0, CONS = 1} Der_type;
-
-/* Universal tags */
-
-enum {
- UT_Boolean = 1,
- UT_Integer = 2,
- UT_BitString = 3,
- UT_OctetString = 4,
- UT_Null = 5,
- UT_OID = 6,
- UT_Enumerated = 10,
- UT_Sequence = 16,
- UT_Set = 17,
- UT_PrintableString = 19,
- UT_IA5String = 22,
- UT_UTCTime = 23,
- UT_GeneralizedTime = 24,
- UT_VisibleString = 26,
- UT_GeneralString = 27
-};
-
-#define ASN1_INDEFINITE 0xdce0deed
-
-#ifndef HAVE_TIMEGM
-time_t timegm (struct tm *);
-#endif
-
-int time2generalizedtime (time_t t, octet_string *s);
-
-int der_get_int (const unsigned char *p, size_t len, int *ret, size_t *size);
-int der_get_length (const unsigned char *p, size_t len,
- size_t *val, size_t *size);
-int der_get_general_string (const unsigned char *p, size_t len,
- general_string *str, size_t *size);
-int der_get_octet_string (const unsigned char *p, size_t len,
- octet_string *data, size_t *size);
-int der_get_oid (const unsigned char *p, size_t len,
- oid *data, size_t *size);
-int der_get_tag (const unsigned char *p, size_t len,
- Der_class *class, Der_type *type,
- int *tag, size_t *size);
-
-int der_match_tag (const unsigned char *p, size_t len,
- Der_class class, Der_type type,
- int tag, size_t *size);
-int der_match_tag_and_length (const unsigned char *p, size_t len,
- Der_class class, Der_type type, int tag,
- size_t *length_ret, size_t *size);
-
-int decode_integer (const unsigned char*, size_t, int*, size_t*);
-int decode_unsigned (const unsigned char*, size_t, unsigned*, size_t*);
-int decode_enumerated (const unsigned char*, size_t, unsigned*, size_t*);
-int decode_general_string (const unsigned char*, size_t,
- general_string*, size_t*);
-int decode_oid (const unsigned char *p, size_t len,
- oid *k, size_t *size);
-int decode_octet_string (const unsigned char*, size_t, octet_string*, size_t*);
-int decode_generalized_time (const unsigned char*, size_t, time_t*, size_t*);
-
-int der_put_int (unsigned char *p, size_t len, int val, size_t*);
-int der_put_length (unsigned char *p, size_t len, size_t val, size_t*);
-int der_put_general_string (unsigned char *p, size_t len,
- const general_string *str, size_t*);
-int der_put_octet_string (unsigned char *p, size_t len,
- const octet_string *data, size_t*);
-int der_put_oid (unsigned char *p, size_t len,
- const oid *data, size_t *size);
-int der_put_tag (unsigned char *p, size_t len, Der_class class, Der_type type,
- int tag, size_t*);
-int der_put_length_and_tag (unsigned char*, size_t, size_t,
- Der_class, Der_type, int, size_t*);
-
-int encode_integer (unsigned char *p, size_t len,
- const int *data, size_t*);
-int encode_unsigned (unsigned char *p, size_t len,
- const unsigned *data, size_t*);
-int encode_enumerated (unsigned char *p, size_t len,
- const unsigned *data, size_t*);
-int encode_general_string (unsigned char *p, size_t len,
- const general_string *data, size_t*);
-int encode_octet_string (unsigned char *p, size_t len,
- const octet_string *k, size_t*);
-int encode_oid (unsigned char *p, size_t len,
- const oid *k, size_t*);
-int encode_generalized_time (unsigned char *p, size_t len,
- const time_t *t, size_t*);
-
-void free_integer (int *num);
-void free_general_string (general_string *str);
-void free_octet_string (octet_string *k);
-void free_oid (oid *k);
-void free_generalized_time (time_t *t);
-
-size_t length_len (size_t len);
-size_t length_integer (const int *data);
-size_t length_unsigned (const unsigned *data);
-size_t length_enumerated (const unsigned *data);
-size_t length_general_string (const general_string *data);
-size_t length_octet_string (const octet_string *k);
-size_t length_oid (const oid *k);
-size_t length_generalized_time (const time_t *t);
-
-int copy_general_string (const general_string *from, general_string *to);
-int copy_octet_string (const octet_string *from, octet_string *to);
-int copy_oid (const oid *from, oid *to);
-
-int fix_dce(size_t reallen, size_t *len);
-
-#endif /* __DER_H__ */
diff --git a/crypto/heimdal-0.6.3/lib/asn1/der_copy.c b/crypto/heimdal-0.6.3/lib/asn1/der_copy.c
deleted file mode 100644
index eefc914170..0000000000
--- a/crypto/heimdal-0.6.3/lib/asn1/der_copy.c
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "der_locl.h"
-
-RCSID("$Id: der_copy.c,v 1.10 2003/04/17 07:13:08 lha Exp $");
-
-int
-copy_general_string (const general_string *from, general_string *to)
-{
- *to = strdup(*from);
- if(*to == NULL)
- return ENOMEM;
- return 0;
-}
-
-int
-copy_octet_string (const octet_string *from, octet_string *to)
-{
- to->length = from->length;
- to->data = malloc(to->length);
- if(to->length != 0 && to->data == NULL)
- return ENOMEM;
- memcpy(to->data, from->data, to->length);
- return 0;
-}
-
-int
-copy_oid (const oid *from, oid *to)
-{
- to->length = from->length;
- to->components = malloc(to->length * sizeof(*to->components));
- if (to->length != 0 && to->components == NULL)
- return ENOMEM;
- memcpy(to->components, from->components, to->length);
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/lib/asn1/der_free.c b/crypto/heimdal-0.6.3/lib/asn1/der_free.c
deleted file mode 100644
index 8cedeb73ed..0000000000
--- a/crypto/heimdal-0.6.3/lib/asn1/der_free.c
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "der_locl.h"
-
-RCSID("$Id: der_free.c,v 1.8.6.1 2003/08/20 16:24:20 joda Exp $");
-
-void
-free_general_string (general_string *str)
-{
- free(*str);
- *str = NULL;
-}
-
-void
-free_octet_string (octet_string *k)
-{
- free(k->data);
- k->data = NULL;
-}
-
-void
-free_oid (oid *k)
-{
- free(k->components);
- k->components = NULL;
-}
diff --git a/crypto/heimdal-0.6.3/lib/asn1/der_get.c b/crypto/heimdal-0.6.3/lib/asn1/der_get.c
deleted file mode 100644
index 429fd66ed4..0000000000
--- a/crypto/heimdal-0.6.3/lib/asn1/der_get.c
+++ /dev/null
@@ -1,483 +0,0 @@ -/* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "der_locl.h" - -RCSID("$Id: der_get.c,v 1.33 2002/09/03 16:21:49 nectar Exp $"); - -#include - -/* - * All decoding functions take a pointer `p' to first position in - * which to read, from the left, `len' which means the maximum number - * of characters we are able to read, `ret' were the value will be - * returned and `size' where the number of used bytes is stored. - * Either 0 or an error code is returned. - */ - -static int -der_get_unsigned (const unsigned char *p, size_t len, - unsigned *ret, size_t *size) -{ - unsigned val = 0; - size_t oldlen = len; - - while (len--) - val = val * 256 + *p++; - *ret = val; - if(size) *size = oldlen; - return 0; -} - -int -der_get_int (const unsigned char *p, size_t len, - int *ret, size_t *size) -{ - int val = 0; - size_t oldlen = len; - - if (len > 0) { - val = (signed char)*p++; - while (--len) - val = val * 256 + *p++; - } - *ret = val; - if(size) *size = oldlen; - return 0; -} - -int -der_get_length (const unsigned char *p, size_t len, - size_t *val, size_t *size) -{ - size_t v; - - if (len <= 0) - return ASN1_OVERRUN; - --len; - v = *p++; - if (v < 128) { - *val = v; - if(size) *size = 1; - } else { - int e; - size_t l; - unsigned tmp; - - if(v == 0x80){ - *val = ASN1_INDEFINITE; - if(size) *size = 1; - return 0; - } - v &= 0x7F; - if (len < v) - return ASN1_OVERRUN; - e = der_get_unsigned (p, v, &tmp, &l); - if(e) return e; - *val = tmp; - if(size) *size = l + 1; - } - return 0; -} - -int -der_get_general_string (const unsigned char *p, size_t len, - general_string *str, size_t *size) -{ - char *s; - - s = malloc (len + 1); - if (s == NULL) - return ENOMEM; - memcpy (s, p, len); - s[len] = '\0'; - *str = s; - if(size) *size = len; - return 0; -} - -int -der_get_octet_string (const unsigned char *p, size_t len, - octet_string *data, size_t *size) -{ - data->length = len; - data->data = malloc(len); - if (data->data == NULL && data->length != 0) - return ENOMEM; - memcpy (data->data, p, len); - 
if(size) *size = len; - return 0; -} - -int -der_get_oid (const unsigned char *p, size_t len, - oid *data, size_t *size) -{ - int n; - size_t oldlen = len; - - if (len < 1) - return ASN1_OVERRUN; - - data->components = malloc(len * sizeof(*data->components)); - if (data->components == NULL && len != 0) - return ENOMEM; - data->components[0] = (*p) / 40; - data->components[1] = (*p) % 40; - --len; - ++p; - for (n = 2; len > 0; ++n) { - unsigned u = 0; - - do { - --len; - u = u * 128 + (*p++ % 128); - } while (len > 0 && p[-1] & 0x80); - data->components[n] = u; - } - if (p[-1] & 0x80) { - free_oid (data); - return ASN1_OVERRUN; - } - data->length = n; - if (size) - *size = oldlen; - return 0; -} - -int -der_get_tag (const unsigned char *p, size_t len, - Der_class *class, Der_type *type, - int *tag, size_t *size) -{ - if (len < 1) - return ASN1_OVERRUN; - *class = (Der_class)(((*p) >> 6) & 0x03); - *type = (Der_type)(((*p) >> 5) & 0x01); - *tag = (*p) & 0x1F; - if(size) *size = 1; - return 0; -} - -int -der_match_tag (const unsigned char *p, size_t len, - Der_class class, Der_type type, - int tag, size_t *size) -{ - size_t l; - Der_class thisclass; - Der_type thistype; - int thistag; - int e; - - e = der_get_tag (p, len, &thisclass, &thistype, &thistag, &l); - if (e) return e; - if (class != thisclass || type != thistype) - return ASN1_BAD_ID; - if(tag > thistag) - return ASN1_MISPLACED_FIELD; - if(tag < thistag) - return ASN1_MISSING_FIELD; - if(size) *size = l; - return 0; -} - -int -der_match_tag_and_length (const unsigned char *p, size_t len, - Der_class class, Der_type type, int tag, - size_t *length_ret, size_t *size) -{ - size_t l, ret = 0; - int e; - - e = der_match_tag (p, len, class, type, tag, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - e = der_get_length (p, len, length_ret, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - if(size) *size = ret; - return 0; -} - -int -decode_integer (const unsigned char *p, size_t len, - int 
*num, size_t *size) -{ - size_t ret = 0; - size_t l, reallen; - int e; - - e = der_match_tag (p, len, UNIV, PRIM, UT_Integer, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - e = der_get_length (p, len, &reallen, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - if (reallen > len) - return ASN1_OVERRUN; - e = der_get_int (p, reallen, num, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - if(size) *size = ret; - return 0; -} - -int -decode_unsigned (const unsigned char *p, size_t len, - unsigned *num, size_t *size) -{ - size_t ret = 0; - size_t l, reallen; - int e; - - e = der_match_tag (p, len, UNIV, PRIM, UT_Integer, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - e = der_get_length (p, len, &reallen, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - if (reallen > len) - return ASN1_OVERRUN; - e = der_get_unsigned (p, reallen, num, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - if(size) *size = ret; - return 0; -} - -int -decode_enumerated (const unsigned char *p, size_t len, - unsigned *num, size_t *size) -{ - size_t ret = 0; - size_t l, reallen; - int e; - - e = der_match_tag (p, len, UNIV, PRIM, UT_Enumerated, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - e = der_get_length (p, len, &reallen, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - e = der_get_int (p, reallen, num, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - if(size) *size = ret; - return 0; -} - -int -decode_general_string (const unsigned char *p, size_t len, - general_string *str, size_t *size) -{ - size_t ret = 0; - size_t l; - int e; - size_t slen; - - e = der_match_tag (p, len, UNIV, PRIM, UT_GeneralString, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - - e = der_get_length (p, len, &slen, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - if (len < slen) - return ASN1_OVERRUN; - - e = der_get_general_string (p, slen, str, &l); - if (e) return e; - p += l; - len -= l; - 
ret += l; - if(size) *size = ret; - return 0; -} - -int -decode_octet_string (const unsigned char *p, size_t len, - octet_string *k, size_t *size) -{ - size_t ret = 0; - size_t l; - int e; - size_t slen; - - e = der_match_tag (p, len, UNIV, PRIM, UT_OctetString, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - - e = der_get_length (p, len, &slen, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - if (len < slen) - return ASN1_OVERRUN; - - e = der_get_octet_string (p, slen, k, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - if(size) *size = ret; - return 0; -} - -int -decode_oid (const unsigned char *p, size_t len, - oid *k, size_t *size) -{ - size_t ret = 0; - size_t l; - int e; - size_t slen; - - e = der_match_tag (p, len, UNIV, PRIM, UT_OID, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - - e = der_get_length (p, len, &slen, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - if (len < slen) - return ASN1_OVERRUN; - - e = der_get_oid (p, slen, k, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - if(size) *size = ret; - return 0; -} - -static void -generalizedtime2time (const char *s, time_t *t) -{ - struct tm tm; - - memset(&tm, 0, sizeof(tm)); - sscanf (s, "%04d%02d%02d%02d%02d%02dZ", - &tm.tm_year, &tm.tm_mon, &tm.tm_mday, &tm.tm_hour, - &tm.tm_min, &tm.tm_sec); - tm.tm_year -= 1900; - tm.tm_mon -= 1; - *t = timegm (&tm); -} - -int -decode_generalized_time (const unsigned char *p, size_t len, - time_t *t, size_t *size) -{ - octet_string k; - char *times; - size_t ret = 0; - size_t l; - int e; - size_t slen; - - e = der_match_tag (p, len, UNIV, PRIM, UT_GeneralizedTime, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - - e = der_get_length (p, len, &slen, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - if (len < slen) - return ASN1_OVERRUN; - e = der_get_octet_string (p, slen, &k, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - times = realloc(k.data, k.length + 1); - 
if (times == NULL){ - free(k.data); - return ENOMEM; - } - times[k.length] = 0; - generalizedtime2time (times, t); - free (times); - if(size) *size = ret; - return 0; -} - - -int -fix_dce(size_t reallen, size_t *len) -{ - if(reallen == ASN1_INDEFINITE) - return 1; - if(*len < reallen) - return -1; - *len = reallen; - return 0; -} diff --git a/crypto/heimdal-0.6.3/lib/asn1/der_length.c b/crypto/heimdal-0.6.3/lib/asn1/der_length.c deleted file mode 100644 index 913a1f8ff8..0000000000 --- a/crypto/heimdal-0.6.3/lib/asn1/der_length.c +++ /dev/null 
@@ -1,161 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "der_locl.h"
-
-RCSID("$Id: der_length.c,v 1.12.6.2 2004/02/12 18:45:51 joda Exp $");
-
-size_t
-_heim_len_unsigned (unsigned val)
-{
- size_t ret = 0;
-
- do {
- ++ret;
- val /= 256;
- } while (val);
- return ret;
-}
-
-size_t
-_heim_len_int (int val)
-{
- unsigned char q;
- size_t ret = 0;
-
- if (val >= 0) {
- do {
- q = val % 256;
- ret++;
- val /= 256;
- } while(val);
- if(q >= 128)
- ret++;
- } else {
- val = ~val;
- do {
- q = ~(val % 256);
- ret++;
- val /= 256;
- } while(val);
- if(q < 128)
- ret++;
- }
- return ret;
-}
-
-static size_t
-len_oid (const oid *oid)
-{
- size_t ret = 1;
- int n;
-
- for (n = 2; n < oid->length; ++n) {
- unsigned u = oid->components[n];
-
- ++ret;
- u /= 128;
- while (u > 0) {
- ++ret;
- u /= 128;
- }
- }
- return ret;
-}
-
-size_t
-length_len (size_t len)
-{
- if (len < 128)
- return 1;
- else
- return _heim_len_unsigned (len) + 1;
-}
-
-size_t
-length_integer (const int *data)
-{
- size_t len = _heim_len_int (*data);
-
- return 1 + length_len(len) + len;
-}
-
-size_t
-length_unsigned (const unsigned *data)
-{
- size_t len = _heim_len_unsigned (*data);
-
- return 1 + length_len(len) + len;
-}
-
-size_t
-length_enumerated (const unsigned *data)
-{
- size_t len = _heim_len_int (*data);
-
- return 1 + length_len(len) + len;
-}
-
-size_t
-length_general_string (const general_string *data)
-{
- char *str = *data;
- size_t len = strlen(str);
- return 1 + length_len(len) + len;
-}
-
-size_t
-length_octet_string (const octet_string *k)
-{
- return 1 + length_len(k->length) + k->length;
-}
-
-size_t
-length_oid (const oid *k)
-{
- size_t len = len_oid (k);
-
- return 1 + length_len(len) + len;
-}
-
-size_t
-length_generalized_time (const time_t *t)
-{
- octet_string k;
- size_t ret;
-
- time2generalizedtime (*t, &k);
- ret = 1 + length_len(k.length) + k.length;
- free (k.data);
- return ret;
-}
diff --git a/crypto/heimdal-0.6.3/lib/asn1/der_locl.h b/crypto/heimdal-0.6.3/lib/asn1/der_locl.h
deleted file mode 100644
index 1d931d3135..0000000000
--- a/crypto/heimdal-0.6.3/lib/asn1/der_locl.h
+++ /dev/null
@@ -1,59 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: der_locl.h,v 1.4.6.1 2004/02/09 17:54:05 lha Exp $ */
-
-#ifndef __DER_LOCL_H__
-#define __DER_LOCL_H__
-
-#ifdef HAVE_CONFIG_H
-#include
-#endif
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#include
-#include
-#include
-
-size_t _heim_len_unsigned (unsigned);
-size_t _heim_len_int (int);
-
-#endif /* __DER_LOCL_H__ */
diff --git a/crypto/heimdal-0.6.3/lib/asn1/der_put.c b/crypto/heimdal-0.6.3/lib/asn1/der_put.c
deleted file mode 100644
index 41733c57b3..0000000000
--- a/crypto/heimdal-0.6.3/lib/asn1/der_put.c
+++ /dev/null
@@ -1,421 +0,0 @@ -/* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "der_locl.h" - -RCSID("$Id: der_put.c,v 1.28 2003/04/17 07:12:24 lha Exp $"); - -/* - * All encoding functions take a pointer `p' to first position in - * which to write, from the right, `len' which means the maximum - * number of characters we are able to write. 
The function returns - * the number of characters written in `size' (if non-NULL). - * The return value is 0 or an error. - */ - -static int -der_put_unsigned (unsigned char *p, size_t len, unsigned val, size_t *size) -{ - unsigned char *base = p; - - if (val) { - while (len > 0 && val) { - *p-- = val % 256; - val /= 256; - --len; - } - if (val != 0) - return ASN1_OVERFLOW; - else { - *size = base - p; - return 0; - } - } else if (len < 1) - return ASN1_OVERFLOW; - else { - *p = 0; - *size = 1; - return 0; - } -} - -int -der_put_int (unsigned char *p, size_t len, int val, size_t *size) -{ - unsigned char *base = p; - - if(val >= 0) { - do { - if(len < 1) - return ASN1_OVERFLOW; - *p-- = val % 256; - len--; - val /= 256; - } while(val); - if(p[1] >= 128) { - if(len < 1) - return ASN1_OVERFLOW; - *p-- = 0; - len--; - } - } else { - val = ~val; - do { - if(len < 1) - return ASN1_OVERFLOW; - *p-- = ~(val % 256); - len--; - val /= 256; - } while(val); - if(p[1] < 128) { - if(len < 1) - return ASN1_OVERFLOW; - *p-- = 0xff; - len--; - } - } - *size = base - p; - return 0; -} - - -int -der_put_length (unsigned char *p, size_t len, size_t val, size_t *size) -{ - if (len < 1) - return ASN1_OVERFLOW; - if (val < 128) { - *p = val; - *size = 1; - return 0; - } else { - size_t l; - int e; - - e = der_put_unsigned (p, len - 1, val, &l); - if (e) - return e; - p -= l; - *p = 0x80 | l; - *size = l + 1; - return 0; - } -} - -int -der_put_general_string (unsigned char *p, size_t len, - const general_string *str, size_t *size) -{ - size_t slen = strlen(*str); - - if (len < slen) - return ASN1_OVERFLOW; - p -= slen; - len -= slen; - memcpy (p+1, *str, slen); - *size = slen; - return 0; -} - -int -der_put_octet_string (unsigned char *p, size_t len, - const octet_string *data, size_t *size) -{ - if (len < data->length) - return ASN1_OVERFLOW; - p -= data->length; - len -= data->length; - memcpy (p+1, data->data, data->length); - *size = data->length; - return 0; -} - -int -der_put_oid 
(unsigned char *p, size_t len, - const oid *data, size_t *size) -{ - unsigned char *base = p; - int n; - - for (n = data->length - 1; n >= 2; --n) { - unsigned u = data->components[n]; - - if (len < 1) - return ASN1_OVERFLOW; - *p-- = u % 128; - u /= 128; - --len; - while (u > 0) { - if (len < 1) - return ASN1_OVERFLOW; - *p-- = 128 + u % 128; - u /= 128; - --len; - } - } - if (len < 1) - return ASN1_OVERFLOW; - *p-- = 40 * data->components[0] + data->components[1]; - *size = base - p; - return 0; -} - -int -der_put_tag (unsigned char *p, size_t len, Der_class class, Der_type type, - int tag, size_t *size) -{ - if (len < 1) - return ASN1_OVERFLOW; - *p = (class << 6) | (type << 5) | tag; /* XXX */ - *size = 1; - return 0; -} - -int -der_put_length_and_tag (unsigned char *p, size_t len, size_t len_val, - Der_class class, Der_type type, int tag, size_t *size) -{ - size_t ret = 0; - size_t l; - int e; - - e = der_put_length (p, len, len_val, &l); - if(e) - return e; - p -= l; - len -= l; - ret += l; - e = der_put_tag (p, len, class, type, tag, &l); - if(e) - return e; - p -= l; - len -= l; - ret += l; - *size = ret; - return 0; -} - -int -encode_integer (unsigned char *p, size_t len, const int *data, size_t *size) -{ - int num = *data; - size_t ret = 0; - size_t l; - int e; - - e = der_put_int (p, len, num, &l); - if(e) - return e; - p -= l; - len -= l; - ret += l; - e = der_put_length_and_tag (p, len, l, UNIV, PRIM, UT_Integer, &l); - if (e) - return e; - p -= l; - len -= l; - ret += l; - *size = ret; - return 0; -} - -int -encode_unsigned (unsigned char *p, size_t len, const unsigned *data, - size_t *size) -{ - unsigned num = *data; - size_t ret = 0; - size_t l; - int e; - - e = der_put_unsigned (p, len, num, &l); - if(e) - return e; - p -= l; - len -= l; - ret += l; - e = der_put_length_and_tag (p, len, l, UNIV, PRIM, UT_Integer, &l); - if (e) - return e; - p -= l; - len -= l; - ret += l; - *size = ret; - return 0; -} - -int -encode_enumerated (unsigned char *p, 
size_t len, const unsigned *data, - size_t *size) -{ - unsigned num = *data; - size_t ret = 0; - size_t l; - int e; - - e = der_put_int (p, len, num, &l); - if(e) - return e; - p -= l; - len -= l; - ret += l; - e = der_put_length_and_tag (p, len, l, UNIV, PRIM, UT_Enumerated, &l); - if (e) - return e; - p -= l; - len -= l; - ret += l; - *size = ret; - return 0; -} - -int -encode_general_string (unsigned char *p, size_t len, - const general_string *data, size_t *size) -{ - size_t ret = 0; - size_t l; - int e; - - e = der_put_general_string (p, len, data, &l); - if (e) - return e; - p -= l; - len -= l; - ret += l; - e = der_put_length_and_tag (p, len, l, UNIV, PRIM, UT_GeneralString, &l); - if (e) - return e; - p -= l; - len -= l; - ret += l; - *size = ret; - return 0; -} - -int -encode_octet_string (unsigned char *p, size_t len, - const octet_string *k, size_t *size) -{ - size_t ret = 0; - size_t l; - int e; - - e = der_put_octet_string (p, len, k, &l); - if (e) - return e; - p -= l; - len -= l; - ret += l; - e = der_put_length_and_tag (p, len, l, UNIV, PRIM, UT_OctetString, &l); - if (e) - return e; - p -= l; - len -= l; - ret += l; - *size = ret; - return 0; -} - -int -encode_oid(unsigned char *p, size_t len, - const oid *k, size_t *size) -{ - size_t ret = 0; - size_t l; - int e; - - e = der_put_oid (p, len, k, &l); - if (e) - return e; - p -= l; - len -= l; - ret += l; - e = der_put_length_and_tag (p, len, l, UNIV, PRIM, UT_OID, &l); - if (e) - return e; - p -= l; - len -= l; - ret += l; - *size = ret; - return 0; -} - -int -time2generalizedtime (time_t t, octet_string *s) -{ - struct tm *tm; - size_t len; - - len = 15; - - s->data = malloc(len + 1); - if (s->data == NULL) - return ENOMEM; - s->length = len; - tm = gmtime (&t); - snprintf (s->data, len + 1, "%04d%02d%02d%02d%02d%02dZ", - tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday, - tm->tm_hour, tm->tm_min, tm->tm_sec); - return 0; -} - -int -encode_generalized_time (unsigned char *p, size_t len, - const 
time_t *t, size_t *size) -{ - size_t ret = 0; - size_t l; - octet_string k; - int e; - - e = time2generalizedtime (*t, &k); - if (e) - return e; - e = der_put_octet_string (p, len, &k, &l); - free (k.data); - if (e) - return e; - p -= l; - len -= l; - ret += l; - e = der_put_length_and_tag (p, len, k.length, UNIV, PRIM, - UT_GeneralizedTime, &l); - if (e) - return e; - p -= l; - len -= l; - ret += l; - *size = ret; - return 0; -} diff --git a/crypto/heimdal-0.6.3/lib/asn1/gen.c b/crypto/heimdal-0.6.3/lib/asn1/gen.c deleted file mode 100644 index 8580360c60..0000000000 --- a/crypto/heimdal-0.6.3/lib/asn1/gen.c +++ /dev/null 
@@ -1,460 +0,0 @@ -/* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "gen_locl.h" - -RCSID("$Id: gen.c,v 1.50 2003/04/17 07:09:18 lha Exp $"); - -FILE *headerfile, *codefile, *logfile; - -#define STEM "asn1" - -static const char *orig_filename; -static char *header; -static char *headerbase = STEM; - -/* - * list of all IMPORTs - */ - -struct import { - const char *module; - struct import *next; -}; - -static struct import *imports = NULL; - -void -add_import (const char *module) -{ - struct import *tmp = emalloc (sizeof(*tmp)); - - tmp->module = module; - tmp->next = imports; - imports = tmp; -} - -const char * -filename (void) -{ - return orig_filename; -} - -void -init_generate (const char *filename, const char *base) -{ - orig_filename = filename; - if(base) - asprintf(&headerbase, "%s", base); - asprintf(&header, "%s.h", headerbase); - headerfile = fopen (header, "w"); - if (headerfile == NULL) - err (1, "open %s", header); - fprintf (headerfile, - "/* Generated from %s */\n" - "/* Do not edit */\n\n", - filename); - fprintf (headerfile, - "#ifndef __%s_h__\n" - "#define __%s_h__\n\n", headerbase, headerbase); - fprintf (headerfile, - "#include \n" - "#include \n\n"); -#ifndef HAVE_TIMEGM - fprintf (headerfile, "time_t timegm (struct tm*);\n\n"); -#endif - fprintf (headerfile, - "#ifndef __asn1_common_definitions__\n" - "#define __asn1_common_definitions__\n\n"); - fprintf (headerfile, - "typedef struct octet_string {\n" - " size_t length;\n" - " void *data;\n" - "} octet_string;\n\n"); - fprintf (headerfile, - "typedef char *general_string;\n\n" - ); - fprintf (headerfile, - "typedef struct oid {\n" - " size_t length;\n" - " unsigned *components;\n" - "} oid;\n\n"); - fputs("#define ASN1_MALLOC_ENCODE(T, B, BL, S, L, R) \\\n" - " do { \\\n" - " (BL) = length_##T((S)); \\\n" - " (B) = malloc((BL)); \\\n" - " if((B) == NULL) { \\\n" - " (R) = ENOMEM; \\\n" - " } else { \\\n" - " (R) = encode_##T(((unsigned char*)(B)) + (BL) - 1, (BL), \\\n" - " (S), (L)); \\\n" - " if((R) != 0) { \\\n" - " free((B)); \\\n" - " 
(B) = NULL; \\\n" - " } \\\n" - " } \\\n" - " } while (0)\n\n", - headerfile); - fprintf (headerfile, "#endif\n\n"); - logfile = fopen(STEM "_files", "w"); - if (logfile == NULL) - err (1, "open " STEM "_files"); -} - -void -close_generate (void) -{ - fprintf (headerfile, "#endif /* __%s_h__ */\n", headerbase); - - fclose (headerfile); - fprintf (logfile, "\n"); - fclose (logfile); -} - -void -generate_constant (const Symbol *s) -{ - fprintf (headerfile, "enum { %s = %d };\n\n", - s->gen_name, s->constant); -} - -static void -space(int level) -{ - while(level-- > 0) - fprintf(headerfile, " "); -} - -static void -define_asn1 (int level, Type *t) -{ - switch (t->type) { - case TType: - space(level); - fprintf (headerfile, "%s", t->symbol->name); - break; - case TInteger: - space(level); - fprintf (headerfile, "INTEGER"); - break; - case TUInteger: - space(level); - fprintf (headerfile, "UNSIGNED INTEGER"); - break; - case TOctetString: - space(level); - fprintf (headerfile, "OCTET STRING"); - break; - case TOID : - space(level); - fprintf(headerfile, "OBJECT IDENTIFIER"); - break; - case TBitString: { - Member *m; - int tag = -1; - - space(level); - fprintf (headerfile, "BIT STRING {\n"); - for (m = t->members; m && m->val != tag; m = m->next) { - if (tag == -1) - tag = m->val; - space(level + 1); - fprintf (headerfile, "%s(%d)%s\n", m->name, m->val, - m->next->val == tag?"":","); - - } - space(level); - fprintf (headerfile, "}"); - break; - } - case TEnumerated : { - Member *m; - int tag = -1; - - space(level); - fprintf (headerfile, "ENUMERATED {\n"); - for (m = t->members; m && m->val != tag; m = m->next) { - if (tag == -1) - tag = m->val; - space(level + 1); - fprintf (headerfile, "%s(%d)%s\n", m->name, m->val, - m->next->val == tag?"":","); - - } - space(level); - fprintf (headerfile, "}"); - break; - } - case TSequence: { - Member *m; - int tag; - int max_width = 0; - - space(level); - fprintf (headerfile, "SEQUENCE {\n"); - for (m = t->members, tag = -1; m && 
m->val != tag; m = m->next) { - if (tag == -1) - tag = m->val; - if(strlen(m->name) + (m->val > 9) > max_width) - max_width = strlen(m->name) + (m->val > 9); - } - max_width += 3 + 2; - if(max_width < 16) max_width = 16; - for (m = t->members, tag = -1 ; m && m->val != tag; m = m->next) { - int width; - if (tag == -1) - tag = m->val; - space(level + 1); - fprintf(headerfile, "%s[%d]", m->name, m->val); - width = max_width - strlen(m->name) - 3 - (m->val > 9) - 2; - fprintf(headerfile, "%*s", width, ""); - define_asn1(level + 1, m->type); - if(m->optional) - fprintf(headerfile, " OPTIONAL"); - if(m->next->val != tag) - fprintf (headerfile, ","); - fprintf (headerfile, "\n"); - } - space(level); - fprintf (headerfile, "}"); - break; - } - case TSequenceOf: { - space(level); - fprintf (headerfile, "SEQUENCE OF "); - define_asn1 (0, t->subtype); - break; - } - case TGeneralizedTime: - space(level); - fprintf (headerfile, "GeneralizedTime"); - break; - case TGeneralString: - space(level); - fprintf (headerfile, "GeneralString"); - break; - case TApplication: - fprintf (headerfile, "[APPLICATION %d] ", t->application); - define_asn1 (level, t->subtype); - break; - default: - abort (); - } -} - -static void -define_type (int level, char *name, Type *t, int typedefp) -{ - switch (t->type) { - case TType: - space(level); - fprintf (headerfile, "%s %s;\n", t->symbol->gen_name, name); - break; - case TInteger: - space(level); - if(t->members == NULL) { - fprintf (headerfile, "int %s;\n", name); - } else { - Member *m; - int tag = -1; - fprintf (headerfile, "enum %s {\n", typedefp ? name : ""); - for (m = t->members; m && m->val != tag; m = m->next) { - if(tag == -1) - tag = m->val; - space (level + 1); - fprintf(headerfile, "%s = %d%s\n", m->gen_name, m->val, - m->next->val == tag ? 
"" : ","); - } - fprintf (headerfile, "} %s;\n", name); - } - break; - case TUInteger: - space(level); - fprintf (headerfile, "unsigned int %s;\n", name); - break; - case TOctetString: - space(level); - fprintf (headerfile, "octet_string %s;\n", name); - break; - case TOID : - space(level); - fprintf (headerfile, "oid %s;\n", name); - break; - case TBitString: { - Member *m; - Type i; - int tag = -1; - - i.type = TUInteger; - space(level); - fprintf (headerfile, "struct %s {\n", typedefp ? name : ""); - for (m = t->members; m && m->val != tag; m = m->next) { - char *n; - - asprintf (&n, "%s:1", m->gen_name); - define_type (level + 1, n, &i, FALSE); - free (n); - if (tag == -1) - tag = m->val; - } - space(level); - fprintf (headerfile, "} %s;\n\n", name); - break; - } - case TEnumerated: { - Member *m; - int tag = -1; - - space(level); - fprintf (headerfile, "enum %s {\n", typedefp ? name : ""); - for (m = t->members; m && m->val != tag; m = m->next) { - if (tag == -1) - tag = m->val; - space(level + 1); - fprintf (headerfile, "%s = %d%s\n", m->gen_name, m->val, - m->next->val == tag ? "" : ","); - } - space(level); - fprintf (headerfile, "} %s;\n\n", name); - break; - } - case TSequence: { - Member *m; - int tag = -1; - - space(level); - fprintf (headerfile, "struct %s {\n", typedefp ? name : ""); - for (m = t->members; m && m->val != tag; m = m->next) { - if (m->optional) { - char *n; - - asprintf (&n, "*%s", m->gen_name); - define_type (level + 1, n, m->type, FALSE); - free (n); - } else - define_type (level + 1, m->gen_name, m->type, FALSE); - if (tag == -1) - tag = m->val; - } - space(level); - fprintf (headerfile, "} %s;\n", name); - break; - } - case TSequenceOf: { - Type i; - - i.type = TUInteger; - i.application = 0; - - space(level); - fprintf (headerfile, "struct %s {\n", typedefp ? 
name : ""); - define_type (level + 1, "len", &i, FALSE); - define_type (level + 1, "*val", t->subtype, FALSE); - space(level); - fprintf (headerfile, "} %s;\n", name); - break; - } - case TGeneralizedTime: - space(level); - fprintf (headerfile, "time_t %s;\n", name); - break; - case TGeneralString: - space(level); - fprintf (headerfile, "general_string %s;\n", name); - break; - case TApplication: - define_type (level, name, t->subtype, FALSE); - break; - default: - abort (); - } -} - -static void -generate_type_header (const Symbol *s) -{ - fprintf (headerfile, "/*\n"); - fprintf (headerfile, "%s ::= ", s->name); - define_asn1 (0, s->type); - fprintf (headerfile, "\n*/\n\n"); - - fprintf (headerfile, "typedef "); - define_type (0, s->gen_name, s->type, TRUE); - - fprintf (headerfile, "\n"); -} - - -void -generate_type (const Symbol *s) -{ - struct import *i; - char *filename; - - asprintf (&filename, "%s_%s.x", STEM, s->gen_name); - codefile = fopen (filename, "w"); - if (codefile == NULL) - err (1, "fopen %s", filename); - fprintf(logfile, "%s ", filename); - free(filename); - fprintf (codefile, - "/* Generated from %s */\n" - "/* Do not edit */\n\n" - "#include \n" - "#include \n" - "#include \n" - "#include \n" - "#include \n", - orig_filename); - - for (i = imports; i != NULL; i = i->next) - fprintf (codefile, - "#include <%s_asn1.h>\n", - i->module); - fprintf (codefile, - "#include <%s.h>\n", - headerbase); - fprintf (codefile, - "#include \n" - "#include \n" - "#include \n\n"); - generate_type_header (s); - generate_type_encode (s); - generate_type_decode (s); - generate_type_free (s); - generate_type_length (s); - generate_type_copy (s); - generate_glue (s); - fprintf(headerfile, "\n\n"); - fclose(codefile); -} diff --git a/crypto/heimdal-0.6.3/lib/asn1/gen.h b/crypto/heimdal-0.6.3/lib/asn1/gen.h deleted file mode 100644 index 369b6e392a..0000000000 --- a/crypto/heimdal-0.6.3/lib/asn1/gen.h +++ /dev/null 
@@ -1,38 +0,0 @@
-/*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: gen.h,v 1.4 1999/12/02 17:05:02 joda Exp $ */
-
-#include
-#include "symbol.h"
-
diff --git a/crypto/heimdal-0.6.3/lib/asn1/gen_copy.c b/crypto/heimdal-0.6.3/lib/asn1/gen_copy.c
deleted file mode 100644
index 20f0d5b569..0000000000
--- a/crypto/heimdal-0.6.3/lib/asn1/gen_copy.c
+++ /dev/null
@@ -1,151 +0,0 @@
-/*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gen_locl.h"
-
-RCSID("$Id: gen_copy.c,v 1.12 2001/09/25 13:39:26 assar Exp $");
-
-static void
-copy_primitive (const char *typename, const char *from, const char *to)
-{
- fprintf (codefile, "if(copy_%s(%s, %s)) return ENOMEM;\n",
- typename, from, to);
-}
-
-static void
-copy_type (const char *from, const char *to, const Type *t)
-{
- switch (t->type) {
- case TType:
-#if 0
- copy_type (from, to, t->symbol->type);
-#endif
- fprintf (codefile, "if(copy_%s(%s, %s)) return ENOMEM;\n",
- t->symbol->gen_name, from, to);
- break;
- case TInteger:
- case TUInteger:
- case TEnumerated :
- fprintf(codefile, "*(%s) = *(%s);\n", to, from);
- break;
- case TOctetString:
- copy_primitive ("octet_string", from, to);
- break;
- case TOID:
- copy_primitive ("oid", from, to);
- break;
- case TBitString: {
- fprintf(codefile, "*(%s) = *(%s);\n", to, from);
- break;
- }
- case TSequence: {
- Member *m;
- int tag = -1;
-
- if (t->members == NULL)
- break;
-
- for (m = t->members; m && tag != m->val; m = m->next) {
- char *f;
- char *t;
-
- asprintf (&f, "%s(%s)->%s",
- m->optional ? "" : "&", from, m->gen_name);
- asprintf (&t, "%s(%s)->%s",
- m->optional ? "" : "&", to, m->gen_name);
- if(m->optional){
- fprintf(codefile, "if(%s) {\n", f);
- fprintf(codefile, "%s = malloc(sizeof(*%s));\n", t, t);
- fprintf(codefile, "if(%s == NULL) return ENOMEM;\n", t);
- }
- copy_type (f, t, m->type);
- if(m->optional){
- fprintf(codefile, "}else\n");
- fprintf(codefile, "%s = NULL;\n", t);
- }
- if (tag == -1)
- tag = m->val;
- free (f);
- free (t);
- }
- break;
- }
- case TSequenceOf: {
- char *f;
- char *T;
-
- fprintf (codefile, "if(((%s)->val = "
- "malloc((%s)->len * sizeof(*(%s)->val))) == NULL && (%s)->len != 0)\n",
- to, from, to, from);
- fprintf (codefile, "return ENOMEM;\n");
- fprintf(codefile,
- "for((%s)->len = 0; (%s)->len < (%s)->len; (%s)->len++){\n",
- to, to, from, to);
- asprintf(&f, "&(%s)->val[(%s)->len]", from, to);
- asprintf(&T, "&(%s)->val[(%s)->len]", to, to);
- copy_type(f, T, t->subtype);
- fprintf(codefile, "}\n");
- free(f);
- free(T);
- break;
- }
- case TGeneralizedTime:
- fprintf(codefile, "*(%s) = *(%s);\n", to, from);
- break;
- case TGeneralString:
- copy_primitive ("general_string", from, to);
- break;
- case TApplication:
- copy_type (from, to, t->subtype);
- break;
- default :
- abort ();
- }
-}
-
-void
-generate_type_copy (const Symbol *s)
-{
- fprintf (headerfile,
- "int copy_%s (const %s *, %s *);\n",
- s->gen_name, s->gen_name, s->gen_name);
-
- fprintf (codefile, "int\n"
- "copy_%s(const %s *from, %s *to)\n"
- "{\n",
- s->gen_name, s->gen_name, s->gen_name);
-
- copy_type ("from", "to", s->type);
- fprintf (codefile, "return 0;\n}\n\n");
-}
-
diff --git a/crypto/heimdal-0.6.3/lib/asn1/gen_decode.c b/crypto/heimdal-0.6.3/lib/asn1/gen_decode.c
deleted file mode 100644
index 7237e4e421..0000000000
--- a/crypto/heimdal-0.6.3/lib/asn1/gen_decode.c
+++ /dev/null
@@ -1,394 +0,0 @@ -/* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "gen_locl.h" - -RCSID("$Id: gen_decode.c,v 1.18 2002/08/09 15:37:34 joda Exp $"); - -static void -decode_primitive (const char *typename, const char *name) -{ - fprintf (codefile, - "e = decode_%s(p, len, %s, &l);\n" - "FORW;\n", - typename, - name); -} - -static void -decode_type (const char *name, const Type *t) -{ - switch (t->type) { - case TType: -#if 0 - decode_type (name, t->symbol->type); -#endif - fprintf (codefile, - "e = decode_%s(p, len, %s, &l);\n" - "FORW;\n", - t->symbol->gen_name, name); - break; - case TInteger: - if(t->members == NULL) - decode_primitive ("integer", name); - else { - char *s; - asprintf(&s, "(int*)%s", name); - if(s == NULL) - errx (1, "out of memory"); - decode_primitive ("integer", s); - free(s); - } - break; - case TUInteger: - decode_primitive ("unsigned", name); - break; - case TEnumerated: - decode_primitive ("enumerated", name); - break; - case TOctetString: - decode_primitive ("octet_string", name); - break; - case TOID : - decode_primitive ("oid", name); - break; - case TBitString: { - Member *m; - int tag = -1; - int pos; - - fprintf (codefile, - "e = der_match_tag_and_length (p, len, UNIV, PRIM, UT_BitString," - "&reallen, &l);\n" - "FORW;\n" - "if(len < reallen)\n" - "return ASN1_OVERRUN;\n" - "p++;\n" - "len--;\n" - "reallen--;\n" - "ret++;\n"); - pos = 0; - for (m = t->members; m && tag != m->val; m = m->next) { - while (m->val / 8 > pos / 8) { - fprintf (codefile, - "p++; len--; reallen--; ret++;\n"); - pos += 8; - } - fprintf (codefile, - "%s->%s = (*p >> %d) & 1;\n", - name, m->gen_name, 7 - m->val % 8); - if (tag == -1) - tag = m->val; - } - fprintf (codefile, - "p += reallen; len -= reallen; ret += reallen;\n"); - break; - } - case TSequence: { - Member *m; - int tag = -1; - - if (t->members == NULL) - break; - - fprintf (codefile, - "e = der_match_tag_and_length (p, len, UNIV, CONS, UT_Sequence," - "&reallen, &l);\n" - "FORW;\n" - "{\n" - "int dce_fix;\n" - "if((dce_fix = fix_dce(reallen, 
&len)) < 0)\n" - "return ASN1_BAD_FORMAT;\n"); - - for (m = t->members; m && tag != m->val; m = m->next) { - char *s; - - asprintf (&s, "%s(%s)->%s", m->optional ? "" : "&", name, m->gen_name); - if (0 && m->type->type == TType){ - if(m->optional) - fprintf (codefile, - "%s = malloc(sizeof(*%s));\n" - "if(%s == NULL) return ENOMEM;\n", s, s, s); - fprintf (codefile, - "e = decode_seq_%s(p, len, %d, %d, %s, &l);\n", - m->type->symbol->gen_name, - m->val, - m->optional, - s); - if(m->optional) - fprintf (codefile, - "if (e == ASN1_MISSING_FIELD) {\n" - "free(%s);\n" - "%s = NULL;\n" - "e = l = 0;\n" - "}\n", - s, s); - - fprintf (codefile, "FORW;\n"); - - }else{ - fprintf (codefile, "{\n" - "size_t newlen, oldlen;\n\n" - "e = der_match_tag (p, len, CONTEXT, CONS, %d, &l);\n", - m->val); - fprintf (codefile, - "if (e)\n"); - if(m->optional) - /* XXX should look at e */ - fprintf (codefile, - "%s = NULL;\n", s); - else - fprintf (codefile, - "return e;\n"); - fprintf (codefile, - "else {\n"); - fprintf (codefile, - "p += l;\n" - "len -= l;\n" - "ret += l;\n" - "e = der_get_length (p, len, &newlen, &l);\n" - "FORW;\n" - "{\n" - - "int dce_fix;\n" - "oldlen = len;\n" - "if((dce_fix = fix_dce(newlen, &len)) < 0)" - "return ASN1_BAD_FORMAT;\n"); - if (m->optional) - fprintf (codefile, - "%s = malloc(sizeof(*%s));\n" - "if(%s == NULL) return ENOMEM;\n", s, s, s); - decode_type (s, m->type); - fprintf (codefile, - "if(dce_fix){\n" - "e = der_match_tag_and_length (p, len, " - "(Der_class)0, (Der_type)0, 0, &reallen, &l);\n" - "FORW;\n" - "}else \n" - "len = oldlen - newlen;\n" - "}\n" - "}\n"); - fprintf (codefile, - "}\n"); - } - if (tag == -1) - tag = m->val; - free (s); - } - fprintf(codefile, - "if(dce_fix){\n" - "e = der_match_tag_and_length (p, len, " - "(Der_class)0, (Der_type)0, 0, &reallen, &l);\n" - "FORW;\n" - "}\n" - "}\n"); - - break; - } - case TSequenceOf: { - char *n; - - fprintf (codefile, - "e = der_match_tag_and_length (p, len, UNIV, CONS, UT_Sequence," - 
"&reallen, &l);\n" - "FORW;\n" - "if(len < reallen)\n" - "return ASN1_OVERRUN;\n" - "len = reallen;\n"); - - fprintf (codefile, - "{\n" - "size_t origlen = len;\n" - "int oldret = ret;\n" - "ret = 0;\n" - "(%s)->len = 0;\n" - "(%s)->val = NULL;\n" - "while(ret < origlen) {\n" - "(%s)->len++;\n" - "(%s)->val = realloc((%s)->val, sizeof(*((%s)->val)) * (%s)->len);\n", - name, name, name, name, name, name, name); - asprintf (&n, "&(%s)->val[(%s)->len-1]", name, name); - decode_type (n, t->subtype); - fprintf (codefile, - "len = origlen - ret;\n" - "}\n" - "ret += oldret;\n" - "}\n"); - free (n); - break; - } - case TGeneralizedTime: - decode_primitive ("generalized_time", name); - break; - case TGeneralString: - decode_primitive ("general_string", name); - break; - case TApplication: - fprintf (codefile, - "e = der_match_tag_and_length (p, len, APPL, CONS, %d, " - "&reallen, &l);\n" - "FORW;\n" - "{\n" - "int dce_fix;\n" - "if((dce_fix = fix_dce(reallen, &len)) < 0)\n" - "return ASN1_BAD_FORMAT;\n", - t->application); - decode_type (name, t->subtype); - fprintf(codefile, - "if(dce_fix){\n" - "e = der_match_tag_and_length (p, len, " - "(Der_class)0, (Der_type)0, 0, &reallen, &l);\n" - "FORW;\n" - "}\n" - "}\n"); - - break; - default : - abort (); - } -} - -void -generate_type_decode (const Symbol *s) -{ - fprintf (headerfile, - "int " - "decode_%s(const unsigned char *, size_t, %s *, size_t *);\n", - s->gen_name, s->gen_name); - - fprintf (codefile, "#define FORW " - "if(e) goto fail; " - "p += l; " - "len -= l; " - "ret += l\n\n"); - - - fprintf (codefile, "int\n" - "decode_%s(const unsigned char *p," - " size_t len, %s *data, size_t *size)\n" - "{\n", - s->gen_name, s->gen_name); - - switch (s->type->type) { - case TInteger: - case TUInteger: - case TOctetString: - case TOID: - case TGeneralizedTime: - case TGeneralString: - case TBitString: - case TSequence: - case TSequenceOf: - case TApplication: - case TType: - fprintf (codefile, - "size_t ret = 0, reallen;\n" - 
"size_t l;\n" - "int e;\n\n"); - fprintf (codefile, "memset(data, 0, sizeof(*data));\n"); - fprintf (codefile, "reallen = 0;\n"); /* hack to avoid `unused variable' */ - - decode_type ("data", s->type); - fprintf (codefile, - "if(size) *size = ret;\n" - "return 0;\n"); - fprintf (codefile, - "fail:\n" - "free_%s(data);\n" - "return e;\n", - s->gen_name); - break; - default: - abort (); - } - fprintf (codefile, "}\n\n"); -} - -void -generate_seq_type_decode (const Symbol *s) -{ - fprintf (headerfile, - "int decode_seq_%s(const unsigned char *, size_t, int, int, " - "%s *, size_t *);\n", - s->gen_name, s->gen_name); - - fprintf (codefile, "int\n" - "decode_seq_%s(const unsigned char *p, size_t len, int tag, " - "int optional, %s *data, size_t *size)\n" - "{\n", - s->gen_name, s->gen_name); - - fprintf (codefile, - "size_t newlen, oldlen;\n" - "size_t l, ret = 0;\n" - "int e;\n" - "int dce_fix;\n"); - - fprintf (codefile, - "e = der_match_tag(p, len, CONTEXT, CONS, tag, &l);\n" - "if (e)\n" - "return e;\n"); - fprintf (codefile, - "p += l;\n" - "len -= l;\n" - "ret += l;\n" - "e = der_get_length(p, len, &newlen, &l);\n" - "if (e)\n" - "return e;\n" - "p += l;\n" - "len -= l;\n" - "ret += l;\n" - "oldlen = len;\n" - "if ((dce_fix = fix_dce(newlen, &len)) < 0)\n" - "return ASN1_BAD_FORMAT;\n" - "e = decode_%s(p, len, data, &l);\n" - "if (e)\n" - "return e;\n" - "p += l;\n" - "len -= l;\n" - "ret += l;\n" - "if (dce_fix) {\n" - "size_t reallen;\n\n" - "e = der_match_tag_and_length(p, len, " - "(Der_class)0, (Der_type)0, 0, &reallen, &l);\n" - "if (e)\n" - "return e;\n" - "ret += l;\n" - "}\n", - s->gen_name); - fprintf (codefile, - "if(size) *size = ret;\n" - "return 0;\n"); - - fprintf (codefile, "}\n\n"); -} diff --git a/crypto/heimdal-0.6.3/lib/asn1/gen_encode.c b/crypto/heimdal-0.6.3/lib/asn1/gen_encode.c deleted file mode 100644 index ba50d5da4c..0000000000 --- a/crypto/heimdal-0.6.3/lib/asn1/gen_encode.c +++ /dev/null 
@@ -1,265 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gen_locl.h"
-
-RCSID("$Id: gen_encode.c,v 1.12 2001/09/25 13:39:26 assar Exp $");
-
-static void
-encode_primitive (const char *typename, const char *name)
-{
- fprintf (codefile,
- "e = encode_%s(p, len, %s, &l);\n"
- "BACK;\n",
- typename,
- name);
-}
-
-static void
-encode_type (const char *name, const Type *t)
-{
- switch (t->type) {
- case TType:
-#if 0
- encode_type (name, t->symbol->type);
-#endif
- fprintf (codefile,
- "e = encode_%s(p, len, %s, &l);\n"
- "BACK;\n",
- t->symbol->gen_name, name);
- break;
- case TInteger:
- if(t->members == NULL)
- encode_primitive ("integer", name);
- else {
- char *s;
- asprintf(&s, "(const int*)%s", name);
- if(s == NULL)
- errx(1, "out of memory");
- encode_primitive ("integer", s);
- free(s);
- }
- break;
- case TUInteger:
- encode_primitive ("unsigned", name);
- break;
- case TOctetString:
- encode_primitive ("octet_string", name);
- break;
- case TOID :
- encode_primitive ("oid", name);
- break;
- case TBitString: {
- Member *m;
- int pos;
- int rest;
- int tag = -1;
-
- if (t->members == NULL)
- break;
-
- fprintf (codefile, "{\n"
- "unsigned char c = 0;\n");
- pos = t->members->prev->val;
- /* fix for buggy MIT (and OSF?) code */
- if (pos > 31)
- abort ();
- /*
- * It seems that if we do not always set pos to 31 here, the MIT
- * code will do the wrong thing.
- *
- * I hate ASN.1 (and DER), but I hate it even more when everybody
- * has to screw it up differently.
- */
- pos = 31;
- rest = 7 - (pos % 8);
-
- for (m = t->members->prev; m && tag != m->val; m = m->prev) {
- while (m->val / 8 < pos / 8) {
- fprintf (codefile,
- "*p-- = c; len--; ret++;\n"
- "c = 0;\n");
- pos -= 8;
- }
- fprintf (codefile,
- "if(%s->%s) c |= 1<<%d;\n", name, m->gen_name,
- 7 - m->val % 8);
-
- if (tag == -1)
- tag = m->val;
- }
-
- fprintf (codefile,
- "*p-- = c;\n"
- "*p-- = %d;\n"
- "len -= 2;\n"
- "ret += 2;\n"
- "}\n\n"
- "e = der_put_length_and_tag (p, len, ret, UNIV, PRIM,"
- "UT_BitString, &l);\n"
- "BACK;\n",
- rest);
- break;
- }
- case TEnumerated : {
- encode_primitive ("enumerated", name);
- break;
- }
- case TSequence: {
- Member *m;
- int tag = -1;
-
- if (t->members == NULL)
- break;
-
- for (m = t->members->prev; m && tag != m->val; m = m->prev) {
- char *s;
-
- asprintf (&s, "%s(%s)->%s", m->optional ? "" : "&", name, m->gen_name);
- if (m->optional)
- fprintf (codefile,
- "if(%s)\n",
- s);
-#if 1
- fprintf (codefile, "{\n"
- "int oldret = ret;\n"
- "ret = 0;\n");
-#endif
- encode_type (s, m->type);
- fprintf (codefile,
- "e = der_put_length_and_tag (p, len, ret, CONTEXT, CONS, "
- "%d, &l);\n"
- "BACK;\n",
- m->val);
-#if 1
- fprintf (codefile,
- "ret += oldret;\n"
- "}\n");
-#endif
- if (tag == -1)
- tag = m->val;
- free (s);
- }
- fprintf (codefile,
- "e = der_put_length_and_tag (p, len, ret, UNIV, CONS, UT_Sequence, &l);\n"
- "BACK;\n");
- break;
- }
- case TSequenceOf: {
- char *n;
-
- fprintf (codefile,
- "for(i = (%s)->len - 1; i >= 0; --i) {\n"
-#if 1
- "int oldret = ret;\n"
- "ret = 0;\n",
-#else
- ,
-#endif
- name);
- asprintf (&n, "&(%s)->val[i]", name);
- encode_type (n, t->subtype);
- fprintf (codefile,
-#if 1
- "ret += oldret;\n"
-#endif
- "}\n"
- "e = der_put_length_and_tag (p, len, ret, UNIV, CONS, UT_Sequence, &l);\n"
- "BACK;\n");
- free (n);
- break;
- }
- case TGeneralizedTime:
- encode_primitive ("generalized_time", name);
- break;
- case TGeneralString:
- encode_primitive ("general_string", name);
- break;
- case TApplication:
- encode_type (name, t->subtype);
- fprintf (codefile,
- "e = der_put_length_and_tag (p, len, ret, APPL, CONS, %d, &l);\n"
- "BACK;\n",
- t->application);
- break;
- default:
- abort ();
- }
-}
-
-void
-generate_type_encode (const Symbol *s)
-{
- fprintf (headerfile,
- "int "
- "encode_%s(unsigned char *, size_t, const %s *, size_t *);\n",
- s->gen_name, s->gen_name);
-
- fprintf (codefile, "#define BACK if (e) return e; p -= l; len -= l; ret += l\n\n");
-
-
- fprintf (codefile, "int\n"
- "encode_%s(unsigned char *p, size_t len,"
- " const %s *data, size_t *size)\n"
- "{\n",
- s->gen_name, s->gen_name);
-
- switch (s->type->type) {
- case TInteger:
- case TUInteger:
- case TOctetString:
- case TGeneralizedTime:
- case TGeneralString:
- case TBitString:
- case TEnumerated:
- case TOID:
- case TSequence:
- case TSequenceOf:
- case TApplication:
- case TType:
- fprintf (codefile,
- "size_t ret = 0;\n"
- "size_t l;\n"
- "int i, e;\n\n");
- fprintf(codefile, "i = 0;\n"); /* hack to avoid `unused variable' */
-
- encode_type("data", s->type);
-
- fprintf (codefile, "*size = ret;\n"
- "return 0;\n");
- break;
- default:
- abort ();
- }
- fprintf (codefile, "}\n\n");
-}
diff --git a/crypto/heimdal-0.6.3/lib/asn1/gen_free.c b/crypto/heimdal-0.6.3/lib/asn1/gen_free.c
deleted file mode 100644
index 9487c42d0b..0000000000
--- a/crypto/heimdal-0.6.3/lib/asn1/gen_free.c
+++ /dev/null
@@ -1,137 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "gen_locl.h" - -RCSID("$Id: gen_free.c,v 1.9.6.1 2003/08/20 16:25:01 joda Exp $"); - -static void -free_primitive (const char *typename, const char *name) -{ - fprintf (codefile, "free_%s(%s);\n", typename, name); -} - -static void -free_type (const char *name, const Type *t) -{ - switch (t->type) { - case TType: -#if 0 - free_type (name, t->symbol->type); -#endif - fprintf (codefile, "free_%s(%s);\n", t->symbol->gen_name, name); - break; - case TInteger: - case TUInteger: - case TEnumerated : - break; - case TOctetString: - free_primitive ("octet_string", name); - break; - case TOID : - free_primitive ("oid", name); - break; - case TBitString: { - break; - } - case TSequence: { - Member *m; - int tag = -1; - - if (t->members == NULL) - break; - - for (m = t->members; m && tag != m->val; m = m->next) { - char *s; - - asprintf (&s, "%s(%s)->%s", - m->optional ? "" : "&", name, m->gen_name); - if(m->optional) - fprintf(codefile, "if(%s) {\n", s); - free_type (s, m->type); - if(m->optional) - fprintf(codefile, - "free(%s);\n" - "%s = NULL;\n" - "}\n", s, s); - if (tag == -1) - tag = m->val; - free (s); - } - break; - } - case TSequenceOf: { - char *n; - - fprintf (codefile, "while((%s)->len){\n", name); - asprintf (&n, "&(%s)->val[(%s)->len-1]", name, name); - free_type(n, t->subtype); - fprintf(codefile, - "(%s)->len--;\n" - "}\n", - name); - fprintf(codefile, - "free((%s)->val);\n" - "(%s)->val = NULL;\n", name, name); - free(n); - break; - } - case TGeneralizedTime: - break; - case TGeneralString: - free_primitive ("general_string", name); - break; - case TApplication: - free_type (name, t->subtype); - break; - default : - abort (); - } -} - -void -generate_type_free (const Symbol *s) -{ - fprintf (headerfile, - "void free_%s (%s *);\n", - s->gen_name, s->gen_name); - - fprintf (codefile, "void\n" - "free_%s(%s *data)\n" - "{\n", - s->gen_name, s->gen_name); - - free_type ("data", s->type); - fprintf (codefile, "}\n\n"); -} - 
diff --git a/crypto/heimdal-0.6.3/lib/asn1/gen_glue.c b/crypto/heimdal-0.6.3/lib/asn1/gen_glue.c
deleted file mode 100644
index 2f6280ad6c..0000000000
--- a/crypto/heimdal-0.6.3/lib/asn1/gen_glue.c
+++ /dev/null
@@ -1,139 +0,0 @@
-/*
- * Copyright (c) 1997, 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "gen_locl.h" - -RCSID("$Id: gen_glue.c,v 1.7 1999/12/02 17:05:02 joda Exp $"); - -static void -generate_2int (const Symbol *s) -{ - Type *t = s->type; - Member *m; - int tag = -1; - - fprintf (headerfile, - "unsigned %s2int(%s);\n", - s->gen_name, s->gen_name); - - fprintf (codefile, - "unsigned %s2int(%s f)\n" - "{\n" - "unsigned r = 0;\n", - s->gen_name, s->gen_name); - - for (m = t->members; m && m->val != tag; m = m->next) { - fprintf (codefile, "if(f.%s) r |= (1U << %d);\n", - m->gen_name, m->val); - - if (tag == -1) - tag = m->val; - } - fprintf (codefile, "return r;\n" - "}\n\n"); -} - -static void -generate_int2 (const Symbol *s) -{ - Type *t = s->type; - Member *m; - int tag = -1; - - fprintf (headerfile, - "%s int2%s(unsigned);\n", - s->gen_name, s->gen_name); - - fprintf (codefile, - "%s int2%s(unsigned n)\n" - "{\n" - "\t%s flags;\n\n", - s->gen_name, s->gen_name, s->gen_name); - - for (m = t->members; m && m->val != tag; m = m->next) { - fprintf (codefile, "\tflags.%s = (n >> %d) & 1;\n", - m->gen_name, m->val); - - if (tag == -1) - tag = m->val; - } - fprintf (codefile, "\treturn flags;\n" - "}\n\n"); -} - -/* - * This depends on the bit string being declared in increasing order - */ - -static void -generate_units (const Symbol *s) -{ - Type *t = s->type; - Member *m; - int tag = -1; - - fprintf (headerfile, - "extern struct units %s_units[];", - s->gen_name); - - fprintf (codefile, - "struct units %s_units[] = {\n", - s->gen_name); - - if(t->members) - for (m = t->members->prev; m && m->val != tag; m = m->prev) { - fprintf (codefile, - "\t{\"%s\",\t1U << %d},\n", m->gen_name, m->val); - - if (tag == -1) - tag = m->val; - } - - fprintf (codefile, - "\t{NULL,\t0}\n" - "};\n\n"); -} - -void -generate_glue (const Symbol *s) -{ - switch(s->type->type) { - case TBitString : - generate_2int (s); - generate_int2 (s); - generate_units (s); - break; - default : - break; - } -} 
diff --git a/crypto/heimdal-0.6.3/lib/asn1/gen_length.c b/crypto/heimdal-0.6.3/lib/asn1/gen_length.c
deleted file mode 100644
index 6b60997b0f..0000000000
--- a/crypto/heimdal-0.6.3/lib/asn1/gen_length.c
+++ /dev/null
@@ -1,175 +0,0 @@
-/*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "gen_locl.h" - -RCSID("$Id: gen_length.c,v 1.11.6.1 2004/01/26 09:26:10 lha Exp $"); - -static void -length_primitive (const char *typename, - const char *name, - const char *variable) -{ - fprintf (codefile, "%s += length_%s(%s);\n", variable, typename, name); -} - -static void -length_type (const char *name, const Type *t, const char *variable) -{ - switch (t->type) { - case TType: -#if 0 - length_type (name, t->symbol->type); -#endif - fprintf (codefile, "%s += length_%s(%s);\n", - variable, t->symbol->gen_name, name); - break; - case TInteger: - if(t->members == NULL) - length_primitive ("integer", name, variable); - else { - char *s; - asprintf(&s, "(const int*)%s", name); - if(s == NULL) - errx (1, "out of memory"); - length_primitive ("integer", s, variable); - free(s); - } - break; - case TUInteger: - length_primitive ("unsigned", name, variable); - break; - case TEnumerated : - length_primitive ("enumerated", name, variable); - break; - case TOctetString: - length_primitive ("octet_string", name, variable); - break; - case TOID : - length_primitive ("oid", name, variable); - break; - case TBitString: { - /* - * XXX - Hope this is correct - * look at TBitString case in `encode_type' - */ - fprintf (codefile, "%s += 7;\n", variable); - break; - } - case TSequence: { - Member *m; - int tag = -1; - - if (t->members == NULL) - break; - - for (m = t->members; m && tag != m->val; m = m->next) { - char *s; - - asprintf (&s, "%s(%s)->%s", - m->optional ? 
"" : "&", name, m->gen_name); - if (m->optional) - fprintf (codefile, "if(%s)", s); - fprintf (codefile, "{\n" - "int oldret = %s;\n" - "%s = 0;\n", variable, variable); - length_type (s, m->type, "ret"); - fprintf (codefile, "%s += 1 + length_len(%s) + oldret;\n", - variable, variable); - fprintf (codefile, "}\n"); - if (tag == -1) - tag = m->val; - free (s); - } - fprintf (codefile, - "%s += 1 + length_len(%s);\n", variable, variable); - break; - } - case TSequenceOf: { - char *n; - - fprintf (codefile, - "{\n" - "int oldret = %s;\n" - "int i;\n" - "%s = 0;\n", - variable, variable); - - fprintf (codefile, "for(i = (%s)->len - 1; i >= 0; --i){\n", name); - fprintf (codefile, "int oldret = %s;\n" - "%s = 0;\n", variable, variable); - asprintf (&n, "&(%s)->val[i]", name); - length_type(n, t->subtype, variable); - fprintf (codefile, "%s += oldret;\n", - variable); - fprintf (codefile, "}\n"); - - fprintf (codefile, - "%s += 1 + length_len(%s) + oldret;\n" - "}\n", variable, variable); - free(n); - break; - } - case TGeneralizedTime: - length_primitive ("generalized_time", name, variable); - break; - case TGeneralString: - length_primitive ("general_string", name, variable); - break; - case TApplication: - length_type (name, t->subtype, variable); - fprintf (codefile, "ret += 1 + length_len (ret);\n"); - break; - default : - abort (); - } -} - -void -generate_type_length (const Symbol *s) -{ - fprintf (headerfile, - "size_t length_%s(const %s *);\n", - s->gen_name, s->gen_name); - - fprintf (codefile, - "size_t\n" - "length_%s(const %s *data)\n" - "{\n" - "size_t ret = 0;\n", - s->gen_name, s->gen_name); - - length_type ("data", s->type, "ret"); - fprintf (codefile, "return ret;\n}\n\n"); -} - diff --git a/crypto/heimdal-0.6.3/lib/asn1/gen_locl.h b/crypto/heimdal-0.6.3/lib/asn1/gen_locl.h deleted file mode 100644 index 212c3217c1..0000000000 --- a/crypto/heimdal-0.6.3/lib/asn1/gen_locl.h +++ /dev/null 
@@ -1,74 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -/* $Id: gen_locl.h,v 1.9 2001/09/27 16:21:47 assar Exp $ */ - -#ifndef __GEN_LOCL_H__ -#define __GEN_LOCL_H__ - -#ifdef HAVE_CONFIG_H -#include -#endif -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include "hash.h" -#include "symbol.h" - -void generate_type (const Symbol *); -void generate_constant (const Symbol *); -void generate_type_encode (const Symbol *s); -void generate_type_decode (const Symbol *s); -void generate_seq_type_decode (const Symbol *s); -void generate_type_free (const Symbol *s); -void generate_type_length (const Symbol *s); -void generate_type_copy (const Symbol *s); -void generate_type_maybe (const Symbol *s); -void generate_glue (const Symbol *s); - -void init_generate (const char *filename, const char *basename); -const char *filename (void); -void close_generate(void); -void add_import(const char *module); -int yyparse(void); - -extern FILE *headerfile, *codefile, *logfile; - -#endif /* __GEN_LOCL_H__ */ diff --git a/crypto/heimdal-0.6.3/lib/asn1/hash.c b/crypto/heimdal-0.6.3/lib/asn1/hash.c deleted file mode 100644 index a8d3eb39f9..0000000000 --- a/crypto/heimdal-0.6.3/lib/asn1/hash.c +++ /dev/null 
@@ -1,207 +0,0 @@
-/*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -/* - * Hash table functions - */ - -#include "gen_locl.h" - -RCSID("$Id: hash.c,v 1.8 1999/12/02 17:05:02 joda Exp $"); - -static Hashentry *_search(Hashtab * htab, /* The hash table */ - void *ptr); /* And key */ - -Hashtab * -hashtabnew(int sz, - int (*cmp) (void *, void *), - unsigned (*hash) (void *)) -{ - Hashtab *htab; - int i; - - assert(sz > 0); - - htab = (Hashtab *) malloc(sizeof(Hashtab) + (sz - 1) * sizeof(Hashentry *)); - for (i = 0; i < sz; ++i) - htab->tab[i] = NULL; - - if (htab == NULL) { - return NULL; - } else { - htab->cmp = cmp; - htab->hash = hash; - htab->sz = sz; - return htab; - } -} - -/* Intern search function */ - -static Hashentry * -_search(Hashtab * htab, void *ptr) -{ - Hashentry *hptr; - - assert(htab && ptr); - - for (hptr = htab->tab[(*htab->hash) (ptr) % htab->sz]; - hptr; - hptr = hptr->next) - if ((*htab->cmp) (ptr, hptr->ptr) == 0) - break; - return hptr; -} - -/* Search for element in hash table */ - -void * -hashtabsearch(Hashtab * htab, void *ptr) -{ - Hashentry *tmp; - - tmp = _search(htab, ptr); - return tmp ? tmp->ptr : tmp; -} - -/* add element to hash table */ -/* if already there, set new value */ -/* !NULL if succesful */ - -void * -hashtabadd(Hashtab * htab, void *ptr) -{ - Hashentry *h = _search(htab, ptr); - Hashentry **tabptr; - - assert(htab && ptr); - - if (h) - free((void *) h->ptr); - else { - h = (Hashentry *) malloc(sizeof(Hashentry)); - if (h == NULL) { - return NULL; - } - tabptr = &htab->tab[(*htab->hash) (ptr) % htab->sz]; - h->next = *tabptr; - *tabptr = h; - h->prev = tabptr; - if (h->next) - h->next->prev = &h->next; - } - h->ptr = ptr; - return h; -} - -/* delete element with key key. 
Iff freep, free Hashentry->ptr */ - -int -_hashtabdel(Hashtab * htab, void *ptr, int freep) -{ - Hashentry *h; - - assert(htab && ptr); - - h = _search(htab, ptr); - if (h) { - if (freep) - free(h->ptr); - if ((*(h->prev) = h->next)) - h->next->prev = h->prev; - free(h); - return 0; - } else - return -1; -} - -/* Do something for each element */ - -void -hashtabforeach(Hashtab * htab, int (*func) (void *ptr, void *arg), - void *arg) -{ - Hashentry **h, *g; - - assert(htab); - - for (h = htab->tab; h < &htab->tab[htab->sz]; ++h) - for (g = *h; g; g = g->next) - if ((*func) (g->ptr, arg)) - return; -} - -/* standard hash-functions for strings */ - -unsigned -hashadd(const char *s) -{ /* Standard hash function */ - unsigned i; - - assert(s); - - for (i = 0; *s; ++s) - i += *s; - return i; -} - -unsigned -hashcaseadd(const char *s) -{ /* Standard hash function */ - unsigned i; - - assert(s); - - for (i = 0; *s; ++s) - i += toupper(*s); - return i; -} - -#define TWELVE (sizeof(unsigned)) -#define SEVENTYFIVE (6*sizeof(unsigned)) -#define HIGH_BITS (~((unsigned)(~0) >> TWELVE)) - -unsigned -hashjpw(const char *ss) -{ /* another hash function */ - unsigned h = 0; - unsigned g; - const unsigned char *s = (const unsigned char *)ss; - - for (; *s; ++s) { - h = (h << TWELVE) + *s; - if ((g = h & HIGH_BITS)) - h = (h ^ (g >> SEVENTYFIVE)) & ~HIGH_BITS; - } - return h; -} diff --git a/crypto/heimdal-0.6.3/lib/asn1/hash.h b/crypto/heimdal-0.6.3/lib/asn1/hash.h deleted file mode 100644 index b54e10234a..0000000000 --- a/crypto/heimdal-0.6.3/lib/asn1/hash.h +++ /dev/null 
@@ -1,87 +0,0 @@ -/* - * Copyright (c) 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* - * hash.h. 
Header file for hash table functions - */ - -/* $Id: hash.h,v 1.3 1999/12/02 17:05:02 joda Exp $ */ - -struct hashentry { /* Entry in bucket */ - struct hashentry **prev; - struct hashentry *next; - void *ptr; -}; - -typedef struct hashentry Hashentry; - -struct hashtab { /* Hash table */ - int (*cmp)(void *, void *); /* Compare function */ - unsigned (*hash)(void *); /* hash function */ - int sz; /* Size */ - Hashentry *tab[1]; /* The table */ -}; - -typedef struct hashtab Hashtab; - -/* prototypes */ - -Hashtab *hashtabnew(int sz, - int (*cmp)(void *, void *), - unsigned (*hash)(void *)); /* Make new hash table */ - -void *hashtabsearch(Hashtab *htab, /* The hash table */ - void *ptr); /* The key */ - - -void *hashtabadd(Hashtab *htab, /* The hash table */ - void *ptr); /* The element */ - -int _hashtabdel(Hashtab *htab, /* The table */ - void *ptr, /* Key */ - int freep); /* Free data part? */ - -void hashtabforeach(Hashtab *htab, - int (*func)(void *ptr, void *arg), - void *arg); - -unsigned hashadd(const char *s); /* Standard hash function */ -unsigned hashcaseadd(const char *s); /* Standard hash function */ -unsigned hashjpw(const char *s); /* another hash function */ - -/* macros */ - - /* Don't free space */ -#define hashtabdel(htab,key) _hashtabdel(htab,key,FALSE) - -#define hashtabfree(htab,key) _hashtabdel(htab,key,TRUE) /* Do! */ diff --git a/crypto/heimdal-0.6.3/lib/asn1/k5.asn1 b/crypto/heimdal-0.6.3/lib/asn1/k5.asn1 deleted file mode 100644 index d9be266174..0000000000 --- a/crypto/heimdal-0.6.3/lib/asn1/k5.asn1 +++ /dev/null 
@@ -1,458 +0,0 @@ --- $Id: k5.asn1,v 1.28.2.1 2004/06/21 08:25:45 lha Exp $ - -KERBEROS5 DEFINITIONS ::= -BEGIN - -NAME-TYPE ::= INTEGER { - KRB5_NT_UNKNOWN(0), -- Name type not known - KRB5_NT_PRINCIPAL(1), -- Just the name of the principal as in - KRB5_NT_SRV_INST(2), -- Service and other unique instance (krbtgt) - KRB5_NT_SRV_HST(3), -- Service with host name as instance - KRB5_NT_SRV_XHST(4), -- Service with host as remaining components - KRB5_NT_UID(5), -- Unique ID - KRB5_NT_X500_PRINCIPAL(6) -- PKINIT -} - --- message types - -MESSAGE-TYPE ::= INTEGER { - krb-as-req(10), -- Request for initial authentication - krb-as-rep(11), -- Response to KRB_AS_REQ request - krb-tgs-req(12), -- Request for authentication based on TGT - krb-tgs-rep(13), -- Response to KRB_TGS_REQ request - krb-ap-req(14), -- application request to server - krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL - krb-safe(20), -- Safe (checksummed) application message - krb-priv(21), -- Private (encrypted) application message - krb-cred(22), -- Private (encrypted) message to forward credentials - krb-error(30) -- Error response -} - - --- pa-data types - -PADATA-TYPE ::= INTEGER { - KRB5-PADATA-NONE(0), - KRB5-PADATA-TGS-REQ(1), - KRB5-PADATA-AP-REQ(1), - KRB5-PADATA-ENC-TIMESTAMP(2), - KRB5-PADATA-PW-SALT(3), - KRB5-PADATA-ENC-UNIX-TIME(5), - KRB5-PADATA-SANDIA-SECUREID(6), - KRB5-PADATA-SESAME(7), - KRB5-PADATA-OSF-DCE(8), - KRB5-PADATA-CYBERSAFE-SECUREID(9), - KRB5-PADATA-AFS3-SALT(10), - KRB5-PADATA-ETYPE-INFO(11), - KRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp) - KRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp) - KRB5-PADATA-PK-AS-REQ(14), -- (PKINIT) - KRB5-PADATA-PK-AS-REP(15), -- (PKINIT) - KRB5-PADATA-PK-AS-SIGN(16), -- (PKINIT) - KRB5-PADATA-PK-KEY-REQ(17), -- (PKINIT) - KRB5-PADATA-PK-KEY-REP(18), -- (PKINIT) - KRB5-PADATA-ETYPE-INFO2(19), - KRB5-PADATA-USE-SPECIFIED-KVNO(20), - KRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp) - KRB5-PADATA-GET-FROM-TYPED-DATA(22), - KRB5-PADATA-SAM-ETYPE-INFO(23) 
-} - --- checksumtypes - -CKSUMTYPE ::= INTEGER { - CKSUMTYPE_NONE(0), - CKSUMTYPE_CRC32(1), - CKSUMTYPE_RSA_MD4(2), - CKSUMTYPE_RSA_MD4_DES(3), - CKSUMTYPE_DES_MAC(4), - CKSUMTYPE_DES_MAC_K(5), - CKSUMTYPE_RSA_MD4_DES_K(6), - CKSUMTYPE_RSA_MD5(7), - CKSUMTYPE_RSA_MD5_DES(8), - CKSUMTYPE_RSA_MD5_DES3(9), - CKSUMTYPE_HMAC_SHA1_96_AES_128(10), - CKSUMTYPE_HMAC_SHA1_96_AES_256(11), - CKSUMTYPE_HMAC_SHA1_DES3(12), - CKSUMTYPE_SHA1(1000), -- correct value? 10 (9 also) - CKSUMTYPE_GSSAPI(0x8003), - CKSUMTYPE_HMAC_MD5(-138), -- unofficial microsoft number - CKSUMTYPE_HMAC_MD5_ENC(-1138) -- even more unofficial -} - ---enctypes -ENCTYPE ::= INTEGER { - ETYPE_NULL(0), - ETYPE_DES_CBC_CRC(1), - ETYPE_DES_CBC_MD4(2), - ETYPE_DES_CBC_MD5(3), - ETYPE_DES3_CBC_MD5(5), - ETYPE_OLD_DES3_CBC_SHA1(7), - ETYPE_SIGN_DSA_GENERATE(8), - ETYPE_ENCRYPT_RSA_PRIV(9), - ETYPE_ENCRYPT_RSA_PUB(10), - ETYPE_DES3_CBC_SHA1(16), -- with key derivation - ETYPE_AES128_CTS_HMAC_SHA1_96(17), - ETYPE_AES256_CTS_HMAC_SHA1_96(18), - ETYPE_ARCFOUR_HMAC_MD5(23), - ETYPE_ARCFOUR_HMAC_MD5_56(24), - ETYPE_ENCTYPE_PK_CROSS(48), --- these are for Heimdal internal use - ETYPE_DES_CBC_NONE(-0x1000), - ETYPE_DES3_CBC_NONE(-0x1001), - ETYPE_DES_CFB64_NONE(-0x1002), - ETYPE_DES_PCBC_NONE(-0x1003) -} - --- this is sugar to make something ASN1 does not have: unsigned - -UNSIGNED ::= INTEGER (0..4294967295) - -Realm ::= GeneralString -PrincipalName ::= SEQUENCE { - name-type[0] NAME-TYPE, - name-string[1] SEQUENCE OF GeneralString -} - --- this is not part of RFC1510 -Principal ::= SEQUENCE { - name[0] PrincipalName, - realm[1] Realm -} - -HostAddress ::= SEQUENCE { - addr-type[0] INTEGER, - address[1] OCTET STRING -} - --- This is from RFC1510. --- --- HostAddresses ::= SEQUENCE OF SEQUENCE { --- addr-type[0] INTEGER, --- address[1] OCTET STRING --- } - --- This seems much better. 
-HostAddresses ::= SEQUENCE OF HostAddress - - -KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z) - -AuthorizationData ::= SEQUENCE OF SEQUENCE { - ad-type[0] INTEGER, - ad-data[1] OCTET STRING -} - -APOptions ::= BIT STRING { - reserved(0), - use-session-key(1), - mutual-required(2) -} - -TicketFlags ::= BIT STRING { - reserved(0), - forwardable(1), - forwarded(2), - proxiable(3), - proxy(4), - may-postdate(5), - postdated(6), - invalid(7), - renewable(8), - initial(9), - pre-authent(10), - hw-authent(11), - transited-policy-checked(12), - ok-as-delegate(13), - anonymous(14) -} - -KDCOptions ::= BIT STRING { - reserved(0), - forwardable(1), - forwarded(2), - proxiable(3), - proxy(4), - allow-postdate(5), - postdated(6), - unused7(7), - renewable(8), - unused9(9), - unused10(10), - unused11(11), - request-anonymous(14), - canonicalize(15), - disable-transited-check(26), - renewable-ok(27), - enc-tkt-in-skey(28), - renew(30), - validate(31) -} - -LR-TYPE ::= INTEGER { - LR_NONE(0), -- no information - LR_INITIAL_TGT(1), -- last initial TGT request - LR_INITIAL(2), -- last initial request - LR_ISSUE_USE_TGT(3), -- time of newest TGT used - LR_RENEWAL(4), -- time of last renewal - LR_REQUEST(5), -- time of last request (of any type) - LR_PW_EXPTIME(6), -- expiration time of password - LR_ACCT_EXPTIME(7) -- expiration time of account -} - -LastReq ::= SEQUENCE OF SEQUENCE { - lr-type[0] LR-TYPE, - lr-value[1] KerberosTime -} - - -EncryptedData ::= SEQUENCE { - etype[0] ENCTYPE, -- EncryptionType - kvno[1] INTEGER OPTIONAL, - cipher[2] OCTET STRING -- ciphertext -} - -EncryptionKey ::= SEQUENCE { - keytype[0] INTEGER, - keyvalue[1] OCTET STRING -} - --- encoded Transited field -TransitedEncoding ::= SEQUENCE { - tr-type[0] INTEGER, -- must be registered - contents[1] OCTET STRING -} - -Ticket ::= [APPLICATION 1] SEQUENCE { - tkt-vno[0] INTEGER, - realm[1] Realm, - sname[2] PrincipalName, - enc-part[3] EncryptedData -} --- Encrypted part of ticket 
-EncTicketPart ::= [APPLICATION 3] SEQUENCE { - flags[0] TicketFlags, - key[1] EncryptionKey, - crealm[2] Realm, - cname[3] PrincipalName, - transited[4] TransitedEncoding, - authtime[5] KerberosTime, - starttime[6] KerberosTime OPTIONAL, - endtime[7] KerberosTime, - renew-till[8] KerberosTime OPTIONAL, - caddr[9] HostAddresses OPTIONAL, - authorization-data[10] AuthorizationData OPTIONAL -} - -Checksum ::= SEQUENCE { - cksumtype[0] CKSUMTYPE, - checksum[1] OCTET STRING -} - -Authenticator ::= [APPLICATION 2] SEQUENCE { - authenticator-vno[0] INTEGER, - crealm[1] Realm, - cname[2] PrincipalName, - cksum[3] Checksum OPTIONAL, - cusec[4] INTEGER, - ctime[5] KerberosTime, - subkey[6] EncryptionKey OPTIONAL, - seq-number[7] UNSIGNED OPTIONAL, - authorization-data[8] AuthorizationData OPTIONAL - } - -PA-DATA ::= SEQUENCE { - -- might be encoded AP-REQ - padata-type[1] PADATA-TYPE, - padata-value[2] OCTET STRING -} - -ETYPE-INFO-ENTRY ::= SEQUENCE { - etype[0] ENCTYPE, - salt[1] OCTET STRING OPTIONAL, - salttype[2] INTEGER OPTIONAL -} - -ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY - -METHOD-DATA ::= SEQUENCE OF PA-DATA - -KDC-REQ-BODY ::= SEQUENCE { - kdc-options[0] KDCOptions, - cname[1] PrincipalName OPTIONAL, -- Used only in AS-REQ - realm[2] Realm, -- Server's realm - -- Also client's in AS-REQ - sname[3] PrincipalName OPTIONAL, - from[4] KerberosTime OPTIONAL, - till[5] KerberosTime OPTIONAL, - rtime[6] KerberosTime OPTIONAL, - nonce[7] INTEGER, - etype[8] SEQUENCE OF ENCTYPE, -- EncryptionType, - -- in preference order - addresses[9] HostAddresses OPTIONAL, - enc-authorization-data[10] EncryptedData OPTIONAL, - -- Encrypted AuthorizationData encoding - additional-tickets[11] SEQUENCE OF Ticket OPTIONAL -} - -KDC-REQ ::= SEQUENCE { - pvno[1] INTEGER, - msg-type[2] MESSAGE-TYPE, - padata[3] METHOD-DATA OPTIONAL, - req-body[4] KDC-REQ-BODY -} - -AS-REQ ::= [APPLICATION 10] KDC-REQ -TGS-REQ ::= [APPLICATION 12] KDC-REQ - --- padata-type ::= PA-ENC-TIMESTAMP --- 
padata-value ::= EncryptedData - PA-ENC-TS-ENC - -PA-ENC-TS-ENC ::= SEQUENCE { - patimestamp[0] KerberosTime, -- client's time - pausec[1] INTEGER OPTIONAL -} - -KDC-REP ::= SEQUENCE { - pvno[0] INTEGER, - msg-type[1] MESSAGE-TYPE, - padata[2] METHOD-DATA OPTIONAL, - crealm[3] Realm, - cname[4] PrincipalName, - ticket[5] Ticket, - enc-part[6] EncryptedData -} - -AS-REP ::= [APPLICATION 11] KDC-REP -TGS-REP ::= [APPLICATION 13] KDC-REP - -EncKDCRepPart ::= SEQUENCE { - key[0] EncryptionKey, - last-req[1] LastReq, - nonce[2] INTEGER, - key-expiration[3] KerberosTime OPTIONAL, - flags[4] TicketFlags, - authtime[5] KerberosTime, - starttime[6] KerberosTime OPTIONAL, - endtime[7] KerberosTime, - renew-till[8] KerberosTime OPTIONAL, - srealm[9] Realm, - sname[10] PrincipalName, - caddr[11] HostAddresses OPTIONAL -} - -EncASRepPart ::= [APPLICATION 25] EncKDCRepPart -EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart - -AP-REQ ::= [APPLICATION 14] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] MESSAGE-TYPE, - ap-options[2] APOptions, - ticket[3] Ticket, - authenticator[4] EncryptedData -} - -AP-REP ::= [APPLICATION 15] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] MESSAGE-TYPE, - enc-part[2] EncryptedData -} - -EncAPRepPart ::= [APPLICATION 27] SEQUENCE { - ctime[0] KerberosTime, - cusec[1] INTEGER, - subkey[2] EncryptionKey OPTIONAL, - seq-number[3] UNSIGNED OPTIONAL -} - -KRB-SAFE-BODY ::= SEQUENCE { - user-data[0] OCTET STRING, - timestamp[1] KerberosTime OPTIONAL, - usec[2] INTEGER OPTIONAL, - seq-number[3] UNSIGNED OPTIONAL, - s-address[4] HostAddress OPTIONAL, - r-address[5] HostAddress OPTIONAL -} - -KRB-SAFE ::= [APPLICATION 20] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] MESSAGE-TYPE, - safe-body[2] KRB-SAFE-BODY, - cksum[3] Checksum -} - -KRB-PRIV ::= [APPLICATION 21] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] MESSAGE-TYPE, - enc-part[3] EncryptedData -} -EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE { - user-data[0] OCTET STRING, - timestamp[1] KerberosTime OPTIONAL, 
- usec[2] INTEGER OPTIONAL, - seq-number[3] UNSIGNED OPTIONAL, - s-address[4] HostAddress OPTIONAL, -- sender's addr - r-address[5] HostAddress OPTIONAL -- recip's addr -} - -KRB-CRED ::= [APPLICATION 22] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] MESSAGE-TYPE, -- KRB_CRED - tickets[2] SEQUENCE OF Ticket, - enc-part[3] EncryptedData -} - -KrbCredInfo ::= SEQUENCE { - key[0] EncryptionKey, - prealm[1] Realm OPTIONAL, - pname[2] PrincipalName OPTIONAL, - flags[3] TicketFlags OPTIONAL, - authtime[4] KerberosTime OPTIONAL, - starttime[5] KerberosTime OPTIONAL, - endtime[6] KerberosTime OPTIONAL, - renew-till[7] KerberosTime OPTIONAL, - srealm[8] Realm OPTIONAL, - sname[9] PrincipalName OPTIONAL, - caddr[10] HostAddresses OPTIONAL -} - -EncKrbCredPart ::= [APPLICATION 29] SEQUENCE { - ticket-info[0] SEQUENCE OF KrbCredInfo, - nonce[1] INTEGER OPTIONAL, - timestamp[2] KerberosTime OPTIONAL, - usec[3] INTEGER OPTIONAL, - s-address[4] HostAddress OPTIONAL, - r-address[5] HostAddress OPTIONAL -} - -KRB-ERROR ::= [APPLICATION 30] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] MESSAGE-TYPE, - ctime[2] KerberosTime OPTIONAL, - cusec[3] INTEGER OPTIONAL, - stime[4] KerberosTime, - susec[5] INTEGER, - error-code[6] INTEGER, - crealm[7] Realm OPTIONAL, - cname[8] PrincipalName OPTIONAL, - realm[9] Realm, -- Correct realm - sname[10] PrincipalName, -- Correct name - e-text[11] GeneralString OPTIONAL, - e-data[12] OCTET STRING OPTIONAL -} - -ChangePasswdDataMS ::= SEQUENCE { - newpasswd[0] OCTET STRING, - targname[1] PrincipalName OPTIONAL, - targrealm[2] Realm OPTIONAL -} - -pvno INTEGER ::= 5 -- current Kerberos protocol version number - --- transited encodings - -DOMAIN-X500-COMPRESS INTEGER ::= 1 - -END - --- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1 diff --git a/crypto/heimdal-0.6.3/lib/asn1/lex.h b/crypto/heimdal-0.6.3/lib/asn1/lex.h deleted file mode 100644 index 9f5cadf92b..0000000000 --- a/crypto/heimdal-0.6.3/lib/asn1/lex.h +++ /dev/null 
@@ -1,41 +0,0 @@
-/*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: lex.h,v 1.5 2000/07/01 20:21:34 assar Exp $ */
-
-#include
-
-void error_message (const char *, ...)
-__attribute__ ((format (printf, 1, 2)));
-
-int yylex(void);
diff --git a/crypto/heimdal-0.6.3/lib/asn1/lex.l b/crypto/heimdal-0.6.3/lib/asn1/lex.l
deleted file mode 100644
index 3abc17ee67..0000000000
--- a/crypto/heimdal-0.6.3/lib/asn1/lex.l
+++ /dev/null
@@ -1,122 +0,0 @@
-%{
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -/* $Id: lex.l,v 1.19 2001/09/25 23:28:03 assar Exp $ */ - -#ifdef HAVE_CONFIG_H -#include -#endif -#include -#include -#include -#include -#ifdef HAVE_UNISTD_H -#include -#endif -#undef ECHO -#include "symbol.h" -#include "parse.h" -#include "lex.h" -#include "gen_locl.h" - -static unsigned lineno = 1; - -#define YY_NO_UNPUT - -#undef ECHO - -%} - - -%% -INTEGER { return INTEGER; } -IMPORTS { return IMPORTS; } -FROM { return FROM; } -SEQUENCE { return SEQUENCE; } -OF { return OF; } -OCTET { return OCTET; } -STRING { return STRING; } -GeneralizedTime { return GeneralizedTime; } -GeneralString { return GeneralString; } -BIT { return BIT; } -APPLICATION { return APPLICATION; } -OPTIONAL { return OPTIONAL; } -BEGIN { return TBEGIN; } -END { return END; } -DEFINITIONS { return DEFINITIONS; } -ENUMERATED { return ENUMERATED; } -EXTERNAL { return EXTERNAL; } -OBJECT { return OBJECT; } -IDENTIFIER { return IDENTIFIER; } -[,;{}()|] { return *yytext; } -"[" { return *yytext; } -"]" { return *yytext; } -::= { return EEQUAL; } ---[^\n]*\n { ++lineno; } --?(0x)?[0-9]+ { char *e, *y = yytext; - yylval.constant = strtol((const char *)yytext, - &e, 0); - if(e == y) - error_message("malformed constant (%s)", yytext); - else - return CONSTANT; - } -[A-Za-z][-A-Za-z0-9_]* { - yylval.name = strdup ((const char *)yytext); - return IDENT; - } -[ \t] ; -\n { ++lineno; } -\.\. { return DOTDOT; } -. { error_message("Ignoring char(%c)\n", *yytext); } -%% - -#ifndef yywrap /* XXX */ -int -yywrap () -{ - return 1; -} -#endif - -void -error_message (const char *format, ...) -{ - va_list args; - - va_start (args, format); - fprintf (stderr, "%s:%d: ", filename(), lineno); - vfprintf (stderr, format, args); - va_end (args); -} diff --git a/crypto/heimdal-0.6.3/lib/asn1/main.c b/crypto/heimdal-0.6.3/lib/asn1/main.c deleted file mode 100644 index 8b1b4093cb..0000000000 --- a/crypto/heimdal-0.6.3/lib/asn1/main.c +++ /dev/null 
@@ -1,90 +0,0 @@
-/*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gen_locl.h"
-#include
-
-RCSID("$Id: main.c,v 1.11 2001/02/20 01:44:52 assar Exp $");
-
-extern FILE *yyin;
-
-int version_flag;
-int help_flag;
-struct getargs args[] = {
- { "version", 0, arg_flag, &version_flag },
- { "help", 0, arg_flag, &help_flag }
-};
-int num_args = sizeof(args) / sizeof(args[0]);
-
-static void
-usage(int code)
-{
- arg_printusage(args, num_args, NULL, "[asn1-file [name]]");
- exit(code);
-}
-
-int
-main(int argc, char **argv)
-{
- int ret;
- char *file;
- char *name = NULL;
- int optind = 0;
-
- setprogname(argv[0]);
- if(getarg(args, num_args, argc, argv, &optind))
- usage(1);
- if(help_flag)
- usage(0);
- if(version_flag) {
- print_version(NULL);
- exit(0);
- }
- if (argc == optind) {
- file = "stdin";
- name = "stdin";
- yyin = stdin;
- } else {
- file = argv[optind];
- yyin = fopen (file, "r");
- if (yyin == NULL)
- err (1, "open %s", file);
- name = argv[optind + 1];
- }
-
- init_generate (file, name);
- initsym ();
- ret = yyparse ();
- close_generate ();
- return ret;
-}
diff --git a/crypto/heimdal-0.6.3/lib/asn1/parse.y b/crypto/heimdal-0.6.3/lib/asn1/parse.y
deleted file mode 100644
index fc78086036..0000000000
--- a/crypto/heimdal-0.6.3/lib/asn1/parse.y
+++ /dev/null
@@ -1,263 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -/* $Id: parse.y,v 1.19 2001/09/27 16:21:47 assar Exp $ */ - -%{ -#ifdef HAVE_CONFIG_H -#include -#endif -#include -#include -#include -#include "symbol.h" -#include "lex.h" -#include "gen_locl.h" - -RCSID("$Id: parse.y,v 1.19 2001/09/27 16:21:47 assar Exp $"); - -static Type *new_type (Typetype t); -void yyerror (char *); - -static void append (Member *l, Member *r); - -%} - -%union { - int constant; - char *name; - Type *type; - Member *member; -} - -%token INTEGER SEQUENCE OF OCTET STRING GeneralizedTime GeneralString -%token BIT APPLICATION OPTIONAL EEQUAL TBEGIN END DEFINITIONS ENUMERATED -%token EXTERNAL -%token DOTDOT -%token IMPORTS FROM -%token OBJECT IDENTIFIER -%token IDENT -%token CONSTANT - -%type constant optional2 -%type type -%type memberdecls memberdecl bitdecls bitdecl - -%start envelope - -%% - -envelope : IDENT DEFINITIONS EEQUAL TBEGIN specification END {} - ; - -specification : - | specification declaration - ; - -declaration : imports_decl - | type_decl - | constant_decl - ; - -referencenames : IDENT ',' referencenames - { - Symbol *s = addsym($1); - s->stype = Stype; - } - | IDENT - { - Symbol *s = addsym($1); - s->stype = Stype; - } - ; - -imports_decl : IMPORTS referencenames FROM IDENT ';' - { add_import($4); } - ; - -type_decl : IDENT EEQUAL type - { - Symbol *s = addsym ($1); - s->stype = Stype; - s->type = $3; - generate_type (s); - } - ; - -constant_decl : IDENT type EEQUAL constant - { - Symbol *s = addsym ($1); - s->stype = SConstant; - s->constant = $4; - generate_constant (s); - } - ; - -type : INTEGER { $$ = new_type(TInteger); } - | INTEGER '(' constant DOTDOT constant ')' { - if($3 != 0) - error_message("Only 0 supported as low range"); - if($5 != INT_MIN && $5 != UINT_MAX && $5 != INT_MAX) - error_message("Only %u supported as high range", - UINT_MAX); - $$ = new_type(TUInteger); - } - | INTEGER '{' bitdecls '}' - { - $$ = new_type(TInteger); - $$->members = $3; - } - | OBJECT IDENTIFIER { $$ = new_type(TOID); } - | 
ENUMERATED '{' bitdecls '}' - { - $$ = new_type(TEnumerated); - $$->members = $3; - } - | OCTET STRING { $$ = new_type(TOctetString); } - | GeneralString { $$ = new_type(TGeneralString); } - | GeneralizedTime { $$ = new_type(TGeneralizedTime); } - | SEQUENCE OF type - { - $$ = new_type(TSequenceOf); - $$->subtype = $3; - } - | SEQUENCE '{' memberdecls '}' - { - $$ = new_type(TSequence); - $$->members = $3; - } - | BIT STRING '{' bitdecls '}' - { - $$ = new_type(TBitString); - $$->members = $4; - } - | IDENT - { - Symbol *s = addsym($1); - $$ = new_type(TType); - if(s->stype != Stype) - error_message ("%s is not a type\n", $1); - else - $$->symbol = s; - } - | '[' APPLICATION constant ']' type - { - $$ = new_type(TApplication); - $$->subtype = $5; - $$->application = $3; - } - ; - -memberdecls : { $$ = NULL; } - | memberdecl { $$ = $1; } - | memberdecls ',' memberdecl { $$ = $1; append($$, $3); } - ; - -memberdecl : IDENT '[' constant ']' type optional2 - { - $$ = malloc(sizeof(*$$)); - $$->name = $1; - $$->gen_name = strdup($1); - output_name ($$->gen_name); - $$->val = $3; - $$->optional = $6; - $$->type = $5; - $$->next = $$->prev = $$; - } - ; - -optional2 : { $$ = 0; } - | OPTIONAL { $$ = 1; } - ; - -bitdecls : { $$ = NULL; } - | bitdecl { $$ = $1; } - | bitdecls ',' bitdecl { $$ = $1; append($$, $3); } - ; - -bitdecl : IDENT '(' constant ')' - { - $$ = malloc(sizeof(*$$)); - $$->name = $1; - $$->gen_name = strdup($1); - output_name ($$->gen_name); - $$->val = $3; - $$->optional = 0; - $$->type = NULL; - $$->prev = $$->next = $$; - } - ; - -constant : CONSTANT { $$ = $1; } - | IDENT { - Symbol *s = addsym($1); - if(s->stype != SConstant) - error_message ("%s is not a constant\n", - s->name); - else - $$ = s->constant; - } - ; -%% - -void -yyerror (char *s) -{ - error_message ("%s\n", s); -} - -static Type * -new_type (Typetype tt) -{ - Type *t = malloc(sizeof(*t)); - if (t == NULL) { - error_message ("out of memory in malloc(%lu)", - (unsigned long)sizeof(*t)); 
- exit (1); - } - t->type = tt; - t->application = 0; - t->members = NULL; - t->subtype = NULL; - t->symbol = NULL; - return t; -} - -static void -append (Member *l, Member *r) -{ - l->prev->next = r; - r->prev = l->prev; - l->prev = r; - r->next = l; -} diff --git a/crypto/heimdal-0.6.3/lib/asn1/pkinit.asn1 b/crypto/heimdal-0.6.3/lib/asn1/pkinit.asn1 deleted file mode 100644 index 92c5de75da..0000000000 --- a/crypto/heimdal-0.6.3/lib/asn1/pkinit.asn1 +++ /dev/null 
@@ -1,189 +0,0 @@ -PKINIT DEFINITIONS ::= BEGIN - -IMPORTS EncryptionKey, PrincipalName, Realm, KerberosTime, TypedData - FROM krb5; -IMPORTS SignedData, EnvelopedData FROM CMS; -IMPORTS CertificateSerialNumber, AttributeTypeAndValue, Name FROM X509; - - --- 3.1 - -CertPrincipalName ::= SEQUENCE { - name-type[0] INTEGER, - name-string[1] SEQUENCE OF UTF8String -} - - --- 3.2.2 - - -TrustedCertifiers ::= SEQUENCE OF PrincipalName - -- X.500 name encoded as a principal name - -- see Section 3.1 -CertificateIndex ::= INTEGER - -- 0 = 1st certificate, - -- (in order of encoding) - -- 1 = 2nd certificate, etc - -PA-PK-AS-REP ::= CHOICE { - -- PA TYPE 15 - dhSignedData[0] SignedData, - -- Defined in CMS and used only with - -- Diffie-Hellman key exchange (if the - -- client public value was present in the - -- request). - -- This choice MUST be supported - -- by compliant implementations. - encKeyPack[1] EnvelopedData - -- Defined in CMS - -- The temporary key is encrypted - -- using the client public key - -- key - -- SignedReplyKeyPack, encrypted - -- with the temporary key, is also - -- included. -} - - - -KdcDHKeyInfo ::= SEQUENCE { - -- used only when utilizing Diffie-Hellman - nonce[0] INTEGER, - -- binds responce to the request - subjectPublicKey[2] BIT STRING - -- Equals public exponent (g^a mod p) - -- INTEGER encoded as payload of - -- BIT STRING -} - -ReplyKeyPack ::= SEQUENCE { - -- not used for Diffie-Hellman - replyKey[0] EncryptionKey, - -- used to encrypt main reply - -- ENCTYPE is at least as strong as - -- ENCTYPE of session key - nonce[1] INTEGER - -- binds response to the request - -- must be same as the nonce - -- passed in the PKAuthenticator -} - --- subjectAltName EXTENSION ::= { --- SYNTAX GeneralNames --- IDENTIFIED BY id-ce-subjectAltName --- } - -OtherName ::= SEQUENCE { - type-id OBJECT IDENTIFIER, - value[0] OCTET STRING --- value[0] EXPLICIT ANY DEFINED BY type-id -} - -GeneralName ::= CHOICE { - otherName [0] OtherName, - ... 
-} - -GeneralNames ::= SEQUENCE -- SIZE(1..MAX) - OF GeneralName - -KerberosName ::= SEQUENCE { - realm[0] Realm, - -- as defined in RFC 1510 - principalName[1] CertPrincipalName - -- defined above -} - - --- krb5 OBJECT IDENTIFIER ::= { --- iso (1) org (3) dod (6) internet (1) security (5) kerberosv5 (2) --- } - --- krb5PrincipalName OBJECT IDENTIFIER ::= { krb5 2 } - --- 3.2.1 - - -IssuerAndSerialNumber ::= SEQUENCE { - issuer Name, - serialNumber CertificateSerialNumber -} - -TrustedCas ::= CHOICE { - principalName[0] KerberosName, - -- as defined below - caName[1] Name, - -- fully qualified X.500 name - -- as defined by X.509 - issuerAndSerial[2] IssuerAndSerialNumber - -- Since a CA may have a number of - -- certificates, only one of which - -- a client trusts -} - -PA-PK-AS-REQ ::= SEQUENCE { - -- PA TYPE 14 - signedAuthPack[0] SignedData, - -- defined in CMS [11] - -- AuthPack (below) defines the data - -- that is signed - trustedCertifiers[1] SEQUENCE OF TrustedCas OPTIONAL, - -- CAs that the client trusts - kdcCert[2] IssuerAndSerialNumber OPTIONAL, - -- as defined in CMS [11] - -- specifies a particular KDC - -- certificate if the client - -- already has it; - encryptionCert[3] IssuerAndSerialNumber OPTIONAL - -- For example, this may be the - -- client's Diffie-Hellman - -- certificate, or it may be the - -- client's RSA encryption - -- certificate. 
-} - -PKAuthenticator ::= SEQUENCE { - kdcName[0] PrincipalName, - kdcRealm[1] Realm, - cusec[2] INTEGER, - -- for replay prevention as in RFC1510 - ctime[3] KerberosTime, - -- for replay prevention as in RFC1510 - nonce[4] INTEGER -} - --- This is the real definition of AlgorithmIdentifier --- AlgorithmIdentifier ::= SEQUENCE { --- algorithm ALGORITHM.&id, --- parameters ALGORITHM.&Type --- } -- as specified by the X.509 recommendation[10] - --- But we'll use this one instead: - -AlgorithmIdentifier ::= SEQUENCE { - algorithm OBJECT IDENTIFIER, - parameters CHOICE { - a INTEGER - } -} - - - -SubjectPublicKeyInfo ::= SEQUENCE { - algorithm AlgorithmIdentifier, - -- dhKeyAgreement - subjectPublicKey BIT STRING - -- for DH, equals - -- public exponent (INTEGER encoded - -- as payload of BIT STRING) -} -- as specified by the X.509 recommendation[10] - -AuthPack ::= SEQUENCE { - pkAuthenticator[0] PKAuthenticator, - clientPublicValue[1] SubjectPublicKeyInfo OPTIONAL - -- if client is using Diffie-Hellman - -- (ephemeral-ephemeral only) -} - - -END diff --git a/crypto/heimdal-0.6.3/lib/asn1/rfc2459.asn1 b/crypto/heimdal-0.6.3/lib/asn1/rfc2459.asn1 deleted file mode 100644 index c9adec6093..0000000000 --- a/crypto/heimdal-0.6.3/lib/asn1/rfc2459.asn1 +++ /dev/null @@ -1,21 +0,0 @@ -RFC2459 DEFINITIONS ::= BEGIN - -AttributeType ::= OBJECT-IDENTIFIER - -AttributeValue ::= OCTET STRING --ANY DEFINED BY AttributeType - -AttributeTypeAndValue ::= SEQUENCE { - type AttributeType, - value AttributeValue -} - -RelativeDistinguishedName ::= --SET -SEQUENCE OF AttributeTypeAndValue - -RDNSequence ::= SEQUENCE OF RelativeDistinguishedName - -Name ::= CHOICE { -- RFC2459 - x RDNSequence -} - -END \ No newline at end of file diff --git a/crypto/heimdal-0.6.3/lib/asn1/symbol.c b/crypto/heimdal-0.6.3/lib/asn1/symbol.c deleted file mode 100644 index 5f69c10925..0000000000 --- a/crypto/heimdal-0.6.3/lib/asn1/symbol.c +++ /dev/null 
@@ -1,90 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gen_locl.h"
-
-RCSID("$Id: symbol.c,v 1.9 2001/09/25 13:39:27 assar Exp $");
-
-static Hashtab *htab;
-
-static int
-cmp (void *a, void *b)
-{
- Symbol *s1 = (Symbol *)a;
- Symbol *s2 = (Symbol *)b;
-
- return strcmp (s1->name, s2->name);
-}
-
-static unsigned
-hash (void *a)
-{
- Symbol *s = (Symbol *)a;
-
- return hashjpw (s->name);
-}
-
-void
-initsym (void)
-{
- htab = hashtabnew (101, cmp, hash);
-}
-
-
-void
-output_name (char *s)
-{
- char *p;
-
- for (p = s; *p; ++p)
- if (*p == '-')
- *p = '_';
-}
-
-Symbol*
-addsym (char *name)
-{
- Symbol key, *s;
-
- key.name = name;
- s = (Symbol *)hashtabsearch (htab, (void *)&key);
- if (s == NULL) {
- s = (Symbol *)malloc (sizeof (*s));
- s->name = name;
- s->gen_name = strdup(name);
- output_name (s->gen_name);
- s->stype = SUndefined;
- hashtabadd (htab, s);
- }
- return s;
-}
diff --git a/crypto/heimdal-0.6.3/lib/asn1/symbol.h b/crypto/heimdal-0.6.3/lib/asn1/symbol.h
deleted file mode 100644
index 1bd9cd8ade..0000000000
--- a/crypto/heimdal-0.6.3/lib/asn1/symbol.h
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: symbol.h,v 1.6 2001/09/25 13:39:27 assar Exp $ */
-
-#ifndef _SYMBOL_H
-#define _SYMBOL_H
-
-enum typetype { TInteger, TOctetString, TBitString, TSequence, TSequenceOf,
- TGeneralizedTime, TGeneralString, TApplication, TType,
- TUInteger, TEnumerated, TOID };
-
-typedef enum typetype Typetype;
-
-struct type;
-
-struct member {
- char *name;
- char *gen_name;
- int val;
- int optional;
- struct type *type;
- struct member *next, *prev;
-};
-
-typedef struct member Member;
-
-struct symbol;
-
-struct type {
- Typetype type;
- int application;
- Member *members;
- struct type *subtype;
- struct symbol *symbol;
-};
-
-typedef struct type Type;
-
-struct symbol {
- char *name;
- char *gen_name;
- enum { SUndefined, SConstant, Stype } stype;
- int constant;
- Type *type;
-};
-
-typedef struct symbol Symbol;
-
-void initsym (void);
-Symbol *addsym (char *);
-void output_name (char *);
-#endif
diff --git a/crypto/heimdal-0.6.3/lib/asn1/timegm.c b/crypto/heimdal-0.6.3/lib/asn1/timegm.c
deleted file mode 100644
index bdc997fa44..0000000000
--- a/crypto/heimdal-0.6.3/lib/asn1/timegm.c
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "der_locl.h" - -RCSID("$Id: timegm.c,v 1.7 1999/12/02 17:05:02 joda Exp $"); - -#ifndef HAVE_TIMEGM - -static int -is_leap(unsigned y) -{ - y += 1900; - return (y % 4) == 0 && ((y % 100) != 0 || (y % 400) == 0); -} - -time_t -timegm (struct tm *tm) -{ - static const unsigned ndays[2][12] ={ - {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31}, - {31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31}}; - time_t res = 0; - unsigned i; - - for (i = 70; i < tm->tm_year; ++i) - res += is_leap(i) ? 366 : 365; - - for (i = 0; i < tm->tm_mon; ++i) - res += ndays[is_leap(tm->tm_year)][i]; - res += tm->tm_mday - 1; - res *= 24; - res += tm->tm_hour; - res *= 60; - res += tm->tm_min; - res *= 60; - res += tm->tm_sec; - return res; -} - -#endif /* HAVE_TIMEGM */ diff --git a/crypto/heimdal-0.6.3/lib/asn1/x509.asn1 b/crypto/heimdal-0.6.3/lib/asn1/x509.asn1 deleted file mode 100644 index 4a15844c85..0000000000 --- a/crypto/heimdal-0.6.3/lib/asn1/x509.asn1 +++ /dev/null @@ -1,23 +0,0 @@ -X509 DEFINITIONS ::= BEGIN - -CertificateSerialNumber ::= INTEGER -- X.509 '97 - -AttributeType ::= OBJECT-IDENTIFIER - -AttributeValue ::= OCTET STRING --ANY DEFINED BY AttributeType - -AttributeTypeAndValue ::= SEQUENCE { - type AttributeType, - value AttributeValue -} - -RelativeDistinguishedName ::= --SET -SEQUENCE OF AttributeTypeAndValue - -RDNSequence ::= SEQUENCE OF RelativeDistinguishedName - -Name ::= CHOICE { -- RFC2459 - x RDNSequence -} - -END \ No newline at end of file diff --git a/crypto/heimdal-0.6.3/lib/auth/ChangeLog b/crypto/heimdal-0.6.3/lib/auth/ChangeLog deleted file mode 100644 index c85ad35efa..0000000000 --- a/crypto/heimdal-0.6.3/lib/auth/ChangeLog +++ /dev/null 
@@ -1,168 +0,0 @@ -2004-09-08 Johan Danielsson - - * afskauthlib/verify.c: pull up 1.27->1.28: use - krb5_appdefault_boolean instead of krb5_config_get_bool - -2003-05-08 Love Hörnquist Åstrand - - * sia/Makefile.am: 1.15->1.16: inline COMPILE since (modern) - automake doesn't add it by itself for some reason - -2003-03-27 Love Hörnquist Åstrand - - * sia/Makefile.am: libkafs is always built now, lets include it - -2002-05-19 Johan Danielsson - - * pam/Makefile.am: set SUFFIXES with += - -2001-10-27 Assar Westerlund - - * pam/Makefile.am: actually build the pam module - -2001-09-18 Johan Danielsson - - * sia/Makefile.am: also don't compress krb5 library, at least - siacfg fails with compressed libraries - -2001-09-13 Assar Westerlund - - * sia/sia.c: move krb5_error_code inside a ifdef KRB5 - * sia/sia_locl.h: move roken.h earlier to grab definition of - socklen_t - -2001-08-28 Johan Danielsson - - * sia/krb5_matrix.conf: athena -> heimdal - -2001-07-17 Assar Westerlund - - * sia/Makefile.am: use make-rpath to sort rpath arguments - -2001-07-15 Assar Westerlund - - * afskauthlib/Makefile.am: use LIB_des, so that we link with - libcrypto/libdes from krb4 - -2001-07-12 Assar Westerlund - - * sia/Makefile.am: use $(CC) instead of ld for linking - -2001-07-06 Assar Westerlund - - * sia/Makefile.am: use LDFLAGS, and conditional libdes - -2001-03-06 Assar Westerlund - - * sia/Makefile.am: make sure of using -rpath and not -R when - calling ld - -2001-02-15 Assar Westerlund - - * pam/pam.c (psyslog): do not log to console - -2001-01-29 Assar Westerlund - - * sia/Makefile.am (libsia_krb5.so): actually run ld in the case - shared library case - -2000-12-31 Assar Westerlund - - * sia/sia.c (siad_ses_init): handle krb5_init_context failure - consistently - * afskauthlib/verify.c (verify_krb5): handle krb5_init_context - failure consistently - -2000-11-30 Johan Danielsson - - * afskauthlib/Makefile.am: use libtool - - * afskauthlib/Makefile.am: work with krb4 only - 
-2000-07-30 Johan Danielsson - - * sia/Makefile.am: don't compress library, since 5.0 seems to have - a problem with this - -2000-07-02 Assar Westerlund - - * afskauthlib/verify.c: fixes for pag setting - -1999-12-30 Assar Westerlund - - * sia/Makefile.am: try to link with shared libraries if we don't - find any static ones - -1999-12-20 Johan Danielsson - - * sia/sia.c: don't use string concatenation with TKT_ROOT - -1999-11-15 Assar Westerlund - - * */lib/Makefile.in: set LIBNAME. From Enrico Scholz - - -1999-10-17 Assar Westerlund - - * afskauthlib/verify.c (verify_krb5): need realm for v5 -> v4 - -1999-10-03 Assar Westerlund - - * afskauthlib/verify.c (verify_krb5): update to new - krb524_convert_creds_kdc - -1999-09-28 Assar Westerlund - - * sia/sia.c (doauth): use krb5_get_local_realms and - krb5_verify_user_lrealm - - * afskauthlib/verify.c (verify_krb5): remove krb5_kuserok. use - krb5_verify_user_lrealm - -1999-08-27 Johan Danielsson - - * pam/Makefile.in: link with res_search/dn_expand libraries - -1999-08-11 Johan Danielsson - - * afskauthlib/verify.c: make this compile w/o krb4 - -1999-08-04 Assar Westerlund - - * afskauthlib/verify.c: incorporate patches from Miroslav Ruda - - -Thu Apr 8 14:35:34 1999 Johan Danielsson - - * sia/sia.c: remove definition of KRB_VERIFY_USER (moved to - config.h) - - * sia/Makefile.am: make it build w/o krb4 - - * afskauthlib/verify.c: add krb5 support - - * afskauthlib/Makefile.am: build afskauthlib.so - -Wed Apr 7 14:06:22 1999 Johan Danielsson - - * sia/sia.c: make it compile w/o krb4 - - * sia/Makefile.am: make it compile w/o krb4 - -Thu Apr 1 18:09:23 1999 Johan Danielsson - - * sia/sia_locl.h: POSIX_GETPWNAM_R is defined in config.h - -Sun Mar 21 14:08:30 1999 Johan Danielsson - - * sia/Makefile.in: add posix_getpw.c - - * sia/Makefile.am: makefile for sia - - * sia/posix_getpw.c: move from sia.c - - * sia/sia_locl.h: merge with krb5 version - - * sia/sia.c: merge with krb5 version - - * sia/sia5.c: remove unused 
variables diff --git a/crypto/heimdal-0.6.3/lib/auth/Makefile.am b/crypto/heimdal-0.6.3/lib/auth/Makefile.am deleted file mode 100644 index 0310dc36d6..0000000000 --- a/crypto/heimdal-0.6.3/lib/auth/Makefile.am +++ /dev/null @@ -1,6 +0,0 @@ -# $Id: Makefile.am,v 1.2 1999/03/21 17:11:08 joda Exp $ - -include $(top_srcdir)/Makefile.am.common - -SUBDIRS = @LIB_AUTH_SUBDIRS@ -DIST_SUBDIRS = afskauthlib pam sia diff --git a/crypto/heimdal-0.6.3/lib/auth/Makefile.in b/crypto/heimdal-0.6.3/lib/auth/Makefile.in deleted file mode 100644 index 0eafe827b4..0000000000 --- a/crypto/heimdal-0.6.3/lib/auth/Makefile.in +++ /dev/null 
@@ -1,776 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.2 1999/03/21 17:11:08 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../.. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ - $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common ChangeLog -subdir = lib/auth -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - $(top_srcdir)/cf/krb-struct-spwd.m4 \ - 
$(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -depcomp = -am__depfiles_maybe = -SOURCES = -DIST_SOURCES = -RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \ - html-recursive info-recursive install-data-recursive \ - install-exec-recursive install-info-recursive \ - install-recursive installcheck-recursive installdirs-recursive \ - pdf-recursive ps-recursive uninstall-info-recursive \ - uninstall-recursive -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO 
= @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ 
-LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ 
-YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ 
-HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -SUBDIRS = @LIB_AUTH_SUBDIRS@ -DIST_SUBDIRS = afskauthlib pam sia -all: all-recursive - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps lib/auth/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps lib/auth/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' 
in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -# This directory's subdirectories are mostly independent; you can cd -# into them and run `make' without going through this Makefile. -# To change the values of `make' variables: instead of editing Makefiles, -# (1) if the variable is set in `config.status', edit `config.status' -# (which will cause the Makefiles to be regenerated when you run `make'); -# (2) otherwise, pass the desired values on the `make' command line. 
-$(RECURSIVE_TARGETS): - @set fnord $$MAKEFLAGS; amf=$$2; \ - dot_seen=no; \ - target=`echo $@ | sed s/-recursive//`; \ - list='$(SUBDIRS)'; for subdir in $$list; do \ - echo "Making $$target in $$subdir"; \ - if test "$$subdir" = "."; then \ - dot_seen=yes; \ - local_target="$$target-am"; \ - else \ - local_target="$$target"; \ - fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ - || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \ - done; \ - if test "$$dot_seen" = "no"; then \ - $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \ - fi; test -z "$$fail" - -mostlyclean-recursive clean-recursive distclean-recursive \ -maintainer-clean-recursive: - @set fnord $$MAKEFLAGS; amf=$$2; \ - dot_seen=no; \ - case "$@" in \ - distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \ - *) list='$(SUBDIRS)' ;; \ - esac; \ - rev=''; for subdir in $$list; do \ - if test "$$subdir" = "."; then :; else \ - rev="$$subdir $$rev"; \ - fi; \ - done; \ - rev="$$rev ."; \ - target=`echo $@ | sed s/-recursive//`; \ - for subdir in $$rev; do \ - echo "Making $$target in $$subdir"; \ - if test "$$subdir" = "."; then \ - local_target="$$target-am"; \ - else \ - local_target="$$target"; \ - fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ - || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \ - done && test -z "$$fail" -tags-recursive: - list='$(SUBDIRS)'; for subdir in $$list; do \ - test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \ - done -ctags-recursive: - list='$(SUBDIRS)'; for subdir in $$list; do \ - test "$$subdir" = . 
|| (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \ - done - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - if (etags --etags-include --version) >/dev/null 2>&1; then \ - include_option=--etags-include; \ - else \ - include_option=--include; \ - fi; \ - list='$(SUBDIRS)'; for subdir in $$list; do \ - if test "$$subdir" = .; then :; else \ - test -f $$subdir/TAGS && \ - tags="$$tags $$include_option=$$here/$$subdir/TAGS"; \ - fi; \ - done; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: ctags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/../.. 
$(distdir)/../../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ - if test "$$subdir" = .; then :; else \ - test -d "$(distdir)/$$subdir" \ - || mkdir "$(distdir)/$$subdir" \ - || exit 1; \ - (cd $$subdir && \ - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="../$(top_distdir)" \ - distdir="../$(distdir)/$$subdir" \ - distdir) \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-recursive -all-am: Makefile all-local -installdirs: installdirs-recursive -installdirs-am: -install: install-recursive -install-exec: install-exec-recursive -install-data: install-data-recursive -uninstall: uninstall-recursive - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-recursive -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo 
"INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-recursive - -clean-am: clean-generic clean-libtool mostlyclean-am - -distclean: distclean-recursive - -rm -f Makefile -distclean-am: clean-am distclean-generic distclean-libtool \ - distclean-tags - -dvi: dvi-recursive - -dvi-am: - -html: html-recursive - -info: info-recursive - -info-am: - -install-data-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-recursive - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-recursive - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-recursive - -mostlyclean-am: mostlyclean-generic mostlyclean-libtool - -pdf: pdf-recursive - -pdf-am: - -ps: ps-recursive - -ps-am: - -uninstall-am: uninstall-info-am - -uninstall-info: uninstall-info-recursive - -.PHONY: $(RECURSIVE_TARGETS) CTAGS GTAGS all all-am all-local check \ - check-am check-local clean clean-generic clean-libtool \ - clean-recursive ctags ctags-recursive distclean \ - distclean-generic distclean-libtool distclean-recursive \ - distclean-tags distdir dvi dvi-am html html-am info info-am \ - install install-am install-data install-data-am install-exec \ - install-exec-am install-info install-info-am install-man \ - install-strip installcheck installcheck-am installdirs \ - installdirs-am maintainer-clean maintainer-clean-generic \ - maintainer-clean-recursive mostlyclean mostlyclean-generic \ - mostlyclean-libtool mostlyclean-recursive pdf pdf-am ps ps-am \ - tags tags-recursive uninstall uninstall-am uninstall-info-am - - -install-suid-programs: - 
@foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - 
case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal-0.6.3/lib/auth/afskauthlib/Makefile.am b/crypto/heimdal-0.6.3/lib/auth/afskauthlib/Makefile.am deleted file mode 100644 index 8d9faae463..0000000000 --- a/crypto/heimdal-0.6.3/lib/auth/afskauthlib/Makefile.am +++ /dev/null 
@@ -1,49 +0,0 @@
-# $Id: Makefile.am,v 1.6 2001/07/15 04:21:07 assar Exp $
-
-include $(top_srcdir)/Makefile.am.common
-
-INCLUDES += $(INCLUDE_krb4)
-
-DEFS = @DEFS@
-
-foodir = $(libdir)
-foo_DATA = afskauthlib.so
-
-SUFFIXES += .c .o
-
-SRCS = verify.c
-OBJS = verify.o
-
-CLEANFILES = $(foo_DATA) $(OBJS) so_locations
-
-afskauthlib.so: $(OBJS)
- $(LINK) -shared $(OBJS) $(L)
-
-.c.o:
- $(COMPILE) -c $<
-
-if KRB4
-KAFS = $(top_builddir)/lib/kafs/libkafs.la
-endif
-
-if KRB5
-L = \
- $(KAFS) \
- $(top_builddir)/lib/krb5/libkrb5.la \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(LIB_krb4) \
- $(LIB_des) \
- $(top_builddir)/lib/roken/libroken.la \
- -lc
-
-else
-
-L = \
- $(KAFS) \
- $(LIB_krb4) \
- $(LIB_des) \
- $(top_builddir)/lib/roken/libroken.la \
- -lc
-endif
-
-$(OBJS): $(top_builddir)/include/config.h
diff --git a/crypto/heimdal-0.6.3/lib/auth/afskauthlib/Makefile.in b/crypto/heimdal-0.6.3/lib/auth/afskauthlib/Makefile.in
deleted file mode 100644
index ef36bf5418..0000000000
--- a/crypto/heimdal-0.6.3/lib/auth/afskauthlib/Makefile.in
+++ /dev/null
@@ -1,692 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.6 2001/07/15 04:21:07 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../../.. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ - $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common -subdir = lib/auth/afskauthlib -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - $(top_srcdir)/cf/krb-struct-spwd.m4 \ - 
$(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -depcomp = -am__depfiles_maybe = -SOURCES = -DIST_SOURCES = -am__installdirs = "$(DESTDIR)$(foodir)" -fooDATA_INSTALL = $(INSTALL_DATA) -DATA = $(foo_DATA) -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ 
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = 
@LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ 
-build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .o -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ 
-@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -foodir = $(libdir) -foo_DATA = afskauthlib.so -SRCS = verify.c -OBJS = verify.o -CLEANFILES = $(foo_DATA) $(OBJS) so_locations -@KRB4_TRUE@KAFS = $(top_builddir)/lib/kafs/libkafs.la -@KRB5_FALSE@L = \ -@KRB5_FALSE@ $(KAFS) \ -@KRB5_FALSE@ $(LIB_krb4) \ -@KRB5_FALSE@ $(LIB_des) \ -@KRB5_FALSE@ $(top_builddir)/lib/roken/libroken.la \ -@KRB5_FALSE@ -lc - -@KRB5_TRUE@L = \ -@KRB5_TRUE@ $(KAFS) \ -@KRB5_TRUE@ $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la \ -@KRB5_TRUE@ $(LIB_krb4) \ -@KRB5_TRUE@ $(LIB_des) \ -@KRB5_TRUE@ $(top_builddir)/lib/roken/libroken.la \ -@KRB5_TRUE@ -lc - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .o -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps lib/auth/afskauthlib/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps lib/auth/afskauthlib/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' 
in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -install-fooDATA: $(foo_DATA) - @$(NORMAL_INSTALL) - test -z "$(foodir)" || $(mkdir_p) "$(DESTDIR)$(foodir)" - @list='$(foo_DATA)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(fooDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(foodir)/$$f'"; \ - $(fooDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(foodir)/$$f"; \ - done - -uninstall-fooDATA: - @$(NORMAL_UNINSTALL) - @list='$(foo_DATA)'; for p in $$list; do \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " rm -f '$(DESTDIR)$(foodir)/$$f'"; \ - rm -f "$(DESTDIR)$(foodir)/$$f"; \ - done -tags: TAGS -TAGS: - -ctags: CTAGS -CTAGS: - - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/../../.. 
$(distdir)/../../../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(DATA) all-local -installdirs: - for dir in "$(DESTDIR)$(foodir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may 
require special tools to rebuild." -clean: clean-am - -clean-am: clean-generic clean-libtool mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-generic distclean-libtool - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: install-fooDATA - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-generic mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-fooDATA uninstall-info-am - -.PHONY: all all-am all-local check check-am check-local clean \ - clean-generic clean-libtool distclean distclean-generic \ - distclean-libtool distdir dvi dvi-am html html-am info info-am \ - install install-am install-data install-data-am install-exec \ - install-exec-am install-fooDATA install-info install-info-am \ - install-man install-strip installcheck installcheck-am \ - installdirs maintainer-clean maintainer-clean-generic \ - mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \ - ps ps-am uninstall uninstall-am uninstall-fooDATA \ - uninstall-info-am - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if 
cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) 
$(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -afskauthlib.so: $(OBJS) - $(LINK) -shared $(OBJS) $(L) - -.c.o: - $(COMPILE) -c $< - -$(OBJS): $(top_builddir)/include/config.h -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal-0.6.3/lib/auth/afskauthlib/verify.c b/crypto/heimdal-0.6.3/lib/auth/afskauthlib/verify.c deleted file mode 100644 index 3f24298ffd..0000000000 --- a/crypto/heimdal-0.6.3/lib/auth/afskauthlib/verify.c +++ /dev/null 
@@ -1,305 +0,0 @@
-/*
- * Copyright (c) 1995-2000, 2004 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: verify.c,v 1.25.12.1 2004/09/08 09:14:26 joda Exp $");
-#endif
-#include
-#include
-#include
-#ifdef KRB5
-#include
-#endif
-#ifdef KRB4
-#include
-#include
-#endif
-#include
-
-#ifdef KRB5
-static char krb5ccname[128];
-#endif
-#ifdef KRB4
-static char krbtkfile[128];
-#endif
-
-/*
- In some cases is afs_gettktstring called twice (once before
- afs_verify and once after afs_verify).
- In some cases (rlogin with access allowed via .rhosts)
- afs_verify is not called!
- So we can't rely on correct value in krbtkfile in some
- cases!
-*/
-
-static int correct_tkfilename=0;
-static int pag_set=0;
-
-#ifdef KRB4
-static void
-set_krbtkfile(uid_t uid)
-{
- snprintf (krbtkfile, sizeof(krbtkfile), "%s%d", TKT_ROOT, (unsigned)uid);
- krb_set_tkt_string (krbtkfile);
- correct_tkfilename = 1;
-}
-#endif
-
-/* XXX this has to be the default cache name, since the KRB5CCNAME
- * environment variable isn't exported by login/xdm
- */
-
-#ifdef KRB5
-static void
-set_krb5ccname(uid_t uid)
-{
- snprintf (krb5ccname, sizeof(krb5ccname), "FILE:/tmp/krb5cc_%d", uid);
-#ifdef KRB4
- snprintf (krbtkfile, sizeof(krbtkfile), "%s%d", TKT_ROOT, (unsigned)uid);
-#endif
- correct_tkfilename = 1;
-}
-#endif
-
-static void
-set_spec_krbtkfile(void)
-{
- int fd;
-#ifdef KRB4
- snprintf (krbtkfile, sizeof(krbtkfile), "%s_XXXXXX", TKT_ROOT);
- fd = mkstemp(krbtkfile);
- close(fd);
- unlink(krbtkfile);
- krb_set_tkt_string (krbtkfile);
-#endif
-#ifdef KRB5
- snprintf(krb5ccname, sizeof(krb5ccname),"FILE:/tmp/krb5cc_XXXXXX");
- fd=mkstemp(krb5ccname+5);
- close(fd);
- unlink(krb5ccname+5);
-#endif
-}
-
-#ifdef KRB5
-static int
-verify_krb5(struct passwd *pwd,
- char *password,
- int32_t *exp,
- int quiet)
-{
- krb5_context context;
- krb5_error_code ret;
- krb5_ccache ccache;
- krb5_principal principal;
-
- ret = krb5_init_context(&context);
- if (ret) {
- syslog(LOG_AUTH|LOG_DEBUG, "krb5_init_context failed: %d", ret);
- goto out;
- }
-
- ret = krb5_parse_name (context, pwd->pw_name, &principal);
- if (ret) {
- syslog(LOG_AUTH|LOG_DEBUG, "krb5_parse_name: %s",
- krb5_get_err_text(context, ret));
- goto out;
- }
-
- set_krb5ccname(pwd->pw_uid);
- ret = krb5_cc_resolve(context, krb5ccname, &ccache);
- if(ret) {
- syslog(LOG_AUTH|LOG_DEBUG, "krb5_cc_resolve: %s",
- krb5_get_err_text(context, ret));
- goto out;
- }
-
- ret = krb5_verify_user_lrealm(context,
- principal,
- ccache,
- password,
- TRUE,
- NULL);
- if(ret) {
- syslog(LOG_AUTH|LOG_DEBUG, "krb5_verify_user: %s",
- krb5_get_err_text(context, ret));
- goto out;
- }
-
- if(chown(krb5_cc_get_name(context, ccache), pwd->pw_uid, pwd->pw_gid)) {
- syslog(LOG_AUTH|LOG_DEBUG, "chown: %s",
- krb5_get_err_text(context, errno));
- goto out;
- }
-
-#ifdef KRB4
- {
- krb5_realm realm = NULL;
- krb5_boolean get_v4_tgt;
-
- krb5_get_default_realm(context, &realm);
- krb5_appdefault_boolean(context, "afskauthlib",
- realm,
- "krb4_get_tickets", FALSE, &get_v4_tgt);
- if (get_v4_tgt) {
- CREDENTIALS c;
- krb5_creds mcred, cred;
-
- krb5_make_principal(context, &mcred.server, realm,
- "krbtgt",
- realm,
- NULL);
- ret = krb5_cc_retrieve_cred(context, ccache, 0, &mcred, &cred);
- if(ret == 0) {
- ret = krb524_convert_creds_kdc_ccache(context, ccache, &cred, &c);
- if(ret)
- krb5_warn(context, ret, "converting creds");
- else {
- set_krbtkfile(pwd->pw_uid);
- tf_setup(&c, c.pname, c.pinst);
- }
- memset(&c, 0, sizeof(c));
- krb5_free_creds_contents(context, &cred);
- } else
- syslog(LOG_AUTH|LOG_DEBUG, "krb5_cc_retrieve_cred: %s",
- krb5_get_err_text(context, ret));
-
- krb5_free_principal(context, mcred.server);
- }
- free(realm);
- if (!pag_set && k_hasafs()) {
- k_setpag();
- pag_set = 1;
- }
-
- if (pag_set)
- krb5_afslog_uid_home(context, ccache, NULL, NULL,
- pwd->pw_uid, pwd->pw_dir);
- }
-#endif
- out:
- if(ret && !quiet)
- printf ("%s\n", krb5_get_err_text (context, ret));
- return ret;
-}
-#endif
-
-#ifdef KRB4
-static int
-verify_krb4(struct passwd *pwd,
- char *password,
- int32_t *exp,
- int quiet)
-{
- int ret = 1;
- char lrealm[REALM_SZ];
-
- if (krb_get_lrealm (lrealm, 1) != KFAILURE) {
- set_krbtkfile(pwd->pw_uid);
- ret = krb_verify_user (pwd->pw_name, "", lrealm, password,
- KRB_VERIFY_SECURE, NULL);
- if (ret == KSUCCESS) {
- if (!pag_set && k_hasafs()) {
- k_setpag ();
- pag_set = 1;
- }
- if (pag_set)
- krb_afslog_uid_home (0, 0, pwd->pw_uid, pwd->pw_dir);
- } else if (!quiet)
- printf ("%s\n", krb_get_err_text (ret));
- }
- return ret;
-}
-#endif
-
-int
-afs_verify(char *name,
- char *password,
- int32_t *exp,
- int quiet)
-{
- int ret = 1;
- struct passwd *pwd = k_getpwnam (name);
-
- if(pwd == NULL)
- return 1;
-
- if (!pag_set && k_hasafs()) {
- k_setpag();
- pag_set=1;
- }
-
- if (ret)
- ret = unix_verify_user (name, password);
-#ifdef KRB5
- if (ret)
- ret = verify_krb5(pwd, password, exp, quiet);
-#endif
-#ifdef KRB4
- if(ret)
- ret = verify_krb4(pwd, password, exp, quiet);
-#endif
- return ret;
-}
-
-char *
-afs_gettktstring (void)
-{
- char *ptr;
- struct passwd *pwd;
-
- if (!correct_tkfilename) {
- ptr = getenv("LOGNAME");
- if (ptr != NULL && ((pwd = getpwnam(ptr)) != NULL)) {
- set_krb5ccname(pwd->pw_uid);
-#ifdef KRB4
- set_krbtkfile(pwd->pw_uid);
- if (!pag_set && k_hasafs()) {
- k_setpag();
- pag_set=1;
- }
-#endif
- } else {
- set_spec_krbtkfile();
- }
- }
-#ifdef KRB5
- esetenv("KRB5CCNAME",krb5ccname,1);
-#endif
-#ifdef KRB4
- esetenv("KRBTKFILE",krbtkfile,1);
- return krbtkfile;
-#else
- return "";
-#endif
-}
diff --git a/crypto/heimdal-0.6.3/lib/auth/pam/Makefile.am b/crypto/heimdal-0.6.3/lib/auth/pam/Makefile.am
deleted file mode 100644
index 963d2ce5ae..0000000000
--- a/crypto/heimdal-0.6.3/lib/auth/pam/Makefile.am
+++ /dev/null
@@ -1,63 +0,0 @@
-# $Id: Makefile.am,v 1.4 2002/05/19 18:43:44 joda Exp $
-
-include $(top_srcdir)/Makefile.am.common
-
-INCLUDES += $(INCLUDE_krb4)
-
-WFLAGS += $(WFLAGS_NOIMPLICITINT)
-
-DEFS = @DEFS@
-
-## this is horribly ugly, but automake/libtool doesn't allow us to
-## unconditionally build shared libraries, and it does not allow us to
-## link with non-installed libraries
-
-if KRB4
-KAFS=$(top_builddir)/lib/kafs/.libs/libkafs.a
-KAFS_S=$(top_builddir)/lib/kafs/.libs/libkafs.so
-
-L = \
- $(KAFS) \
- $(top_builddir)/lib/krb/.libs/libkrb.a \
- $(LIB_des_a) \
- $(top_builddir)/lib/roken/.libs/libroken.a \
- -lc
-
-L_shared = \
- $(KAFS_S) \
- $(top_builddir)/lib/krb/.libs/libkrb.so \
- $(LIB_des_so) \
- $(top_builddir)/lib/roken/.libs/libroken.so \
- $(LIB_getpwnam_r) \
- -lc
-
-MOD = pam_krb4.so
-
-endif
-
-EXTRA_DIST = pam.conf.add
-
-foodir = $(libdir)
-foo_DATA = $(MOD)
-
-LDFLAGS = @LDFLAGS@
-
-OBJS = pam.o
-
-pam_krb4.so: $(OBJS)
- @if test -f $(top_builddir)/lib/krb/.libs/libkrb.a; then \
- echo "$(CC) -shared -o $@ $(LDFLAGS) $(OBJS) $(L)"; \
- $(CC) -shared -o $@ $(LDFLAGS) $(OBJS) $(L); \
- elif test -f $(top_builddir)/lib/krb/.libs/libkrb.so; then \
- echo "$(CC) -shared -o $@ $(LDFLAGS) $(OBJS) $(L_shared)"; \
- $(CC) -shared -o $@ $(LDFLAGS) $(OBJS) $(L_shared); \
- else \
- echo "missing libraries"; exit 1; \
- fi
-
-CLEANFILES = $(MOD) $(OBJS)
-
-SUFFIXES += .c .o
-
-.c.o:
- $(COMPILE) -c $<
diff --git a/crypto/heimdal-0.6.3/lib/auth/pam/Makefile.in b/crypto/heimdal-0.6.3/lib/auth/pam/Makefile.in
deleted file mode 100644
index 349c18c34a..0000000000
--- a/crypto/heimdal-0.6.3/lib/auth/pam/Makefile.in
+++ /dev/null
@@ -1,699 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.4 2002/05/19 18:43:44 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../../.. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ - $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common -subdir = lib/auth/pam -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - $(top_srcdir)/cf/krb-struct-spwd.m4 \ - 
$(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -depcomp = -am__depfiles_maybe = -SOURCES = -DIST_SOURCES = -am__installdirs = "$(DESTDIR)$(foodir)" -fooDATA_INSTALL = $(INSTALL_DATA) -DATA = $(foo_DATA) -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ 
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = 
@LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ $(WFLAGS_NOIMPLICITINT) -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = 
@bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .o -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = 
$(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -@KRB4_TRUE@KAFS = $(top_builddir)/lib/kafs/.libs/libkafs.a -@KRB4_TRUE@KAFS_S = $(top_builddir)/lib/kafs/.libs/libkafs.so -@KRB4_TRUE@L = \ -@KRB4_TRUE@ $(KAFS) \ -@KRB4_TRUE@ $(top_builddir)/lib/krb/.libs/libkrb.a \ -@KRB4_TRUE@ $(LIB_des_a) \ -@KRB4_TRUE@ $(top_builddir)/lib/roken/.libs/libroken.a \ -@KRB4_TRUE@ -lc - -@KRB4_TRUE@L_shared = \ -@KRB4_TRUE@ $(KAFS_S) \ -@KRB4_TRUE@ $(top_builddir)/lib/krb/.libs/libkrb.so \ -@KRB4_TRUE@ $(LIB_des_so) \ -@KRB4_TRUE@ $(top_builddir)/lib/roken/.libs/libroken.so \ -@KRB4_TRUE@ $(LIB_getpwnam_r) \ -@KRB4_TRUE@ -lc - -@KRB4_TRUE@MOD = pam_krb4.so -EXTRA_DIST = pam.conf.add -foodir = $(libdir) -foo_DATA = $(MOD) -OBJS = pam.o -CLEANFILES = $(MOD) $(OBJS) -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .o -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps lib/auth/pam/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps lib/auth/pam/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' 
in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -install-fooDATA: $(foo_DATA) - @$(NORMAL_INSTALL) - test -z "$(foodir)" || $(mkdir_p) "$(DESTDIR)$(foodir)" - @list='$(foo_DATA)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(fooDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(foodir)/$$f'"; \ - $(fooDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(foodir)/$$f"; \ - done - -uninstall-fooDATA: - @$(NORMAL_UNINSTALL) - @list='$(foo_DATA)'; for p in $$list; do \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " rm -f '$(DESTDIR)$(foodir)/$$f'"; \ - rm -f "$(DESTDIR)$(foodir)/$$f"; \ - done -tags: TAGS -TAGS: - -ctags: CTAGS -CTAGS: - - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/../../.. 
$(distdir)/../../../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(DATA) all-local -installdirs: - for dir in "$(DESTDIR)$(foodir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may 
require special tools to rebuild." -clean: clean-am - -clean-am: clean-generic clean-libtool mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-generic distclean-libtool - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: install-fooDATA - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-generic mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-fooDATA uninstall-info-am - -.PHONY: all all-am all-local check check-am check-local clean \ - clean-generic clean-libtool distclean distclean-generic \ - distclean-libtool distdir dvi dvi-am html html-am info info-am \ - install install-am install-data install-data-am install-exec \ - install-exec-am install-fooDATA install-info install-info-am \ - install-man install-strip installcheck installcheck-am \ - installdirs maintainer-clean maintainer-clean-generic \ - mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \ - ps ps-am uninstall uninstall-am uninstall-fooDATA \ - uninstall-info-am - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if 
cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) 
$(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -pam_krb4.so: $(OBJS) - @if test -f $(top_builddir)/lib/krb/.libs/libkrb.a; then \ - echo "$(CC) -shared -o $@ $(LDFLAGS) $(OBJS) $(L)"; \ - $(CC) -shared -o $@ $(LDFLAGS) $(OBJS) $(L); \ - elif test -f $(top_builddir)/lib/krb/.libs/libkrb.so; then \ - echo "$(CC) -shared -o $@ $(LDFLAGS) $(OBJS) $(L_shared)"; \ - $(CC) -shared -o $@ $(LDFLAGS) $(OBJS) $(L_shared); \ - else \ - echo "missing libraries"; exit 1; \ - fi - -.c.o: - $(COMPILE) -c $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal-0.6.3/lib/auth/pam/pam.c b/crypto/heimdal-0.6.3/lib/auth/pam/pam.c deleted file mode 100644 index 68446c3fc9..0000000000 --- a/crypto/heimdal-0.6.3/lib/auth/pam/pam.c +++ /dev/null 
@@ -1,443 +0,0 @@ -/* - * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#ifdef HAVE_CONFIG_H -#include -RCSID("$Id: pam.c,v 1.28 2002/09/09 15:57:24 joda Exp $"); -#endif - -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#ifndef PAM_AUTHTOK_RECOVERY_ERR /* Fix linsux typo. 
*/ -#define PAM_AUTHTOK_RECOVERY_ERR PAM_AUTHTOK_RECOVER_ERR -#endif - -#include -#include -#include - -#if 0 -/* Debugging PAM modules is a royal pain, truss helps. */ -#define DEBUG(msg) (access(msg " at line", __LINE__)) -#endif - -static void -psyslog(int level, const char *format, ...) -{ - va_list args; - va_start(args, format); - openlog("pam_krb4", LOG_PID, LOG_AUTH); - vsyslog(level, format, args); - va_end(args); - closelog(); -} - -enum { - KRB4_DEBUG, - KRB4_USE_FIRST_PASS, - KRB4_TRY_FIRST_PASS, - KRB4_IGNORE_ROOT, - KRB4_NO_VERIFY, - KRB4_REAFSLOG, - KRB4_CTRLS /* Number of ctrl arguments defined. */ -}; - -#define KRB4_DEFAULTS 0 - -static int ctrl_flags = KRB4_DEFAULTS; -#define ctrl_on(x) (krb4_args[x].flag & ctrl_flags) -#define ctrl_off(x) (!ctrl_on(x)) - -typedef struct -{ - const char *token; - unsigned int flag; -} krb4_ctrls_t; - -static krb4_ctrls_t krb4_args[KRB4_CTRLS] = -{ - /* KRB4_DEBUG */ { "debug", 0x01 }, - /* KRB4_USE_FIRST_PASS */ { "use_first_pass", 0x02 }, - /* KRB4_TRY_FIRST_PASS */ { "try_first_pass", 0x04 }, - /* KRB4_IGNORE_ROOT */ { "ignore_root", 0x08 }, - /* KRB4_NO_VERIFY */ { "no_verify", 0x10 }, - /* KRB4_REAFSLOG */ { "reafslog", 0x20 }, -}; - -static void -parse_ctrl(int argc, const char **argv) -{ - int i, j; - - ctrl_flags = KRB4_DEFAULTS; - for (i = 0; i < argc; i++) - { - for (j = 0; j < KRB4_CTRLS; j++) - if (strcmp(argv[i], krb4_args[j].token) == 0) - break; - - if (j >= KRB4_CTRLS) - psyslog(LOG_ALERT, "unrecognized option [%s]", *argv); - else - ctrl_flags |= krb4_args[j].flag; - } -} - -static void -pdeb(const char *format, ...) 
-{ - va_list args; - if (ctrl_off(KRB4_DEBUG)) - return; - va_start(args, format); - openlog("pam_krb4", LOG_PID, LOG_AUTH); - vsyslog(LOG_DEBUG, format, args); - va_end(args); - closelog(); -} - -#define ENTRY(func) pdeb("%s() flags = %d ruid = %d euid = %d", func, flags, getuid(), geteuid()) - -static void -set_tkt_string(uid_t uid) -{ - char buf[128]; - - snprintf(buf, sizeof(buf), "%s%u", TKT_ROOT, (unsigned)uid); - krb_set_tkt_string(buf); - -#if 0 - /* pam_set_data+pam_get_data are not guaranteed to work, grr. */ - pam_set_data(pamh, "KRBTKFILE", strdup(t), cleanup); - if (pam_get_data(pamh, "KRBTKFILE", (const void**)&tkt) == PAM_SUCCESS) - { - pam_putenv(pamh, var); - } -#endif - - /* We don't want to inherit this variable. - * If we still do, it must have a sane value. */ - if (getenv("KRBTKFILE") != 0) - { - char *var = malloc(sizeof(buf)); - snprintf(var, sizeof(buf), "KRBTKFILE=%s", tkt_string()); - putenv(var); - /* free(var); XXX */ - } -} - -static int -verify_pass(pam_handle_t *pamh, - const char *name, - const char *inst, - const char *pass) -{ - char realm[REALM_SZ]; - int ret, krb_verify, old_euid, old_ruid; - - krb_get_lrealm(realm, 1); - if (ctrl_on(KRB4_NO_VERIFY)) - krb_verify = KRB_VERIFY_SECURE_FAIL; - else - krb_verify = KRB_VERIFY_SECURE; - old_ruid = getuid(); - old_euid = geteuid(); - setreuid(0, 0); - ret = krb_verify_user(name, inst, realm, pass, krb_verify, NULL); - pdeb("krb_verify_user(`%s', `%s', `%s', pw, %d, NULL) returns %s", - name, inst, realm, krb_verify, - krb_get_err_text(ret)); - setreuid(old_ruid, old_euid); - if (getuid() != old_ruid || geteuid() != old_euid) - { - psyslog(LOG_ALERT , "setreuid(%d, %d) failed at line %d", - old_ruid, old_euid, __LINE__); - exit(1); - } - - switch(ret) { - case KSUCCESS: - return PAM_SUCCESS; - case KDC_PR_UNKNOWN: - return PAM_USER_UNKNOWN; - case SKDC_CANT: - case SKDC_RETRY: - case RD_AP_TIME: - return PAM_AUTHINFO_UNAVAIL; - default: - return PAM_AUTH_ERR; - } -} - -static int 
-krb4_auth(pam_handle_t *pamh, - int flags, - const char *name, - const char *inst, - struct pam_conv *conv) -{ - struct pam_response *resp; - char prompt[128]; - struct pam_message msg, *pmsg = &msg; - int ret; - - if (ctrl_on(KRB4_TRY_FIRST_PASS) || ctrl_on(KRB4_USE_FIRST_PASS)) - { - char *pass = 0; - ret = pam_get_item(pamh, PAM_AUTHTOK, (void **) &pass); - if (ret != PAM_SUCCESS) - { - psyslog(LOG_ERR , "pam_get_item returned error to get-password"); - return ret; - } - else if (pass != 0 && verify_pass(pamh, name, inst, pass) == PAM_SUCCESS) - return PAM_SUCCESS; - else if (ctrl_on(KRB4_USE_FIRST_PASS)) - return PAM_AUTHTOK_RECOVERY_ERR; /* Wrong password! */ - else - /* We tried the first password but it didn't work, cont. */; - } - - msg.msg_style = PAM_PROMPT_ECHO_OFF; - if (*inst == 0) - snprintf(prompt, sizeof(prompt), "%s's Password: ", name); - else - snprintf(prompt, sizeof(prompt), "%s.%s's Password: ", name, inst); - msg.msg = prompt; - - ret = conv->conv(1, &pmsg, &resp, conv->appdata_ptr); - if (ret != PAM_SUCCESS) - return ret; - - ret = verify_pass(pamh, name, inst, resp->resp); - if (ret == PAM_SUCCESS) - { - memset(resp->resp, 0, strlen(resp->resp)); /* Erase password! */ - free(resp->resp); - free(resp); - } - else - { - pam_set_item(pamh, PAM_AUTHTOK, resp->resp); /* Save password. 
*/ - /* free(resp->resp); XXX */ - /* free(resp); XXX */ - } - - return ret; -} - -int -pam_sm_authenticate(pam_handle_t *pamh, - int flags, - int argc, - const char **argv) -{ - char *user; - int ret; - struct pam_conv *conv; - struct passwd *pw; - uid_t uid = -1; - const char *name, *inst; - char realm[REALM_SZ]; - realm[0] = 0; - - parse_ctrl(argc, argv); - ENTRY("pam_sm_authenticate"); - - ret = pam_get_user(pamh, &user, "login: "); - if (ret != PAM_SUCCESS) - return ret; - - if (ctrl_on(KRB4_IGNORE_ROOT) && strcmp(user, "root") == 0) - return PAM_AUTHINFO_UNAVAIL; - - ret = pam_get_item(pamh, PAM_CONV, (void*)&conv); - if (ret != PAM_SUCCESS) - return ret; - - pw = getpwnam(user); - if (pw != 0) - { - uid = pw->pw_uid; - set_tkt_string(uid); - } - - if (strcmp(user, "root") == 0 && getuid() != 0) - { - pw = getpwuid(getuid()); - if (pw != 0) - { - name = strdup(pw->pw_name); - inst = "root"; - } - } - else - { - name = user; - inst = ""; - } - - ret = krb4_auth(pamh, flags, name, inst, conv); - - /* - * The realm was lost inside krb_verify_user() so we can't simply do - * a krb_kuserok() when inst != "". - */ - if (ret == PAM_SUCCESS && inst[0] != 0) - { - uid_t old_euid = geteuid(); - uid_t old_ruid = getuid(); - - setreuid(0, 0); /* To read ticket file. */ - if (krb_get_tf_fullname(tkt_string(), 0, 0, realm) != KSUCCESS) - ret = PAM_SERVICE_ERR; - else if (krb_kuserok(name, inst, realm, user) != KSUCCESS) - { - setreuid(0, uid); /* To read ~/.klogin. */ - if (krb_kuserok(name, inst, realm, user) != KSUCCESS) - ret = PAM_PERM_DENIED; - } - - if (ret != PAM_SUCCESS) - { - dest_tkt(); /* Passwd known, ok to kill ticket. 
*/ - psyslog(LOG_NOTICE, - "%s.%s@%s is not allowed to log in as %s", - name, inst, realm, user); - } - - setreuid(old_ruid, old_euid); - if (getuid() != old_ruid || geteuid() != old_euid) - { - psyslog(LOG_ALERT , "setreuid(%d, %d) failed at line %d", - old_ruid, old_euid, __LINE__); - exit(1); - } - } - - if (ret == PAM_SUCCESS) - { - psyslog(LOG_INFO, - "%s.%s@%s authenticated as user %s", - name, inst, realm, user); - if (chown(tkt_string(), uid, -1) == -1) - { - dest_tkt(); - psyslog(LOG_ALERT , "chown(%s, %d, -1) failed", tkt_string(), uid); - exit(1); - } - } - - /* - * Kludge alert!!! Sun dtlogin unlock screen fails to call - * pam_setcred(3) with PAM_REFRESH_CRED after a successful - * authentication attempt, sic. - * - * This hack is designed as a workaround to that problem. - */ - if (ctrl_on(KRB4_REAFSLOG)) - if (ret == PAM_SUCCESS) - pam_sm_setcred(pamh, PAM_REFRESH_CRED, argc, argv); - - return ret; -} - -int -pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) -{ - parse_ctrl(argc, argv); - ENTRY("pam_sm_setcred"); - - switch (flags & ~PAM_SILENT) { - case 0: - case PAM_ESTABLISH_CRED: - if (k_hasafs()) - k_setpag(); - /* Fall through, fill PAG with credentials below. 
*/ - case PAM_REINITIALIZE_CRED: - case PAM_REFRESH_CRED: - if (k_hasafs()) - { - void *user = 0; - - if (pam_get_item(pamh, PAM_USER, &user) == PAM_SUCCESS) - { - struct passwd *pw = getpwnam((char *)user); - if (pw != 0) - krb_afslog_uid_home(/*cell*/ 0,/*realm_hint*/ 0, - pw->pw_uid, pw->pw_dir); - } - } - break; - case PAM_DELETE_CRED: - dest_tkt(); - if (k_hasafs()) - k_unlog(); - break; - default: - psyslog(LOG_ALERT , "pam_sm_setcred: unknown flags 0x%x", flags); - break; - } - - return PAM_SUCCESS; -} - -int -pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) -{ - parse_ctrl(argc, argv); - ENTRY("pam_sm_open_session"); - - return PAM_SUCCESS; -} - - -int -pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char**argv) -{ - parse_ctrl(argc, argv); - ENTRY("pam_sm_close_session"); - - /* This isn't really kosher, but it's handy. */ - pam_sm_setcred(pamh, PAM_DELETE_CRED, argc, argv); - - return PAM_SUCCESS; -} diff --git a/crypto/heimdal-0.6.3/lib/auth/pam/pam.conf.add b/crypto/heimdal-0.6.3/lib/auth/pam/pam.conf.add deleted file mode 100644 index 7db3e3d85a..0000000000 --- a/crypto/heimdal-0.6.3/lib/auth/pam/pam.conf.add +++ /dev/null 
@@ -1,97 +0,0 @@ -To enable PAM in dtlogin and /bin/login under SunOS 5.6 apply this patch: - ---- /etc/pam.conf.DIST Mon Jul 20 15:37:46 1998 -+++ /etc/pam.conf Tue Feb 15 19:39:12 2000 -@@ -4,15 +4,19 @@ - # - # Authentication management - # -+login auth sufficient /usr/athena/lib/pam_krb4.so - login auth required /usr/lib/security/pam_unix.so.1 - login auth required /usr/lib/security/pam_dial_auth.so.1 - # - rlogin auth sufficient /usr/lib/security/pam_rhosts_auth.so.1 - rlogin auth required /usr/lib/security/pam_unix.so.1 - # -+dtlogin auth sufficient /usr/athena/lib/pam_krb4.so - dtlogin auth required /usr/lib/security/pam_unix.so.1 - # - rsh auth required /usr/lib/security/pam_rhosts_auth.so.1 -+# Reafslog is for dtlogin lock display -+other auth sufficient /usr/athena/lib/pam_krb4.so reafslog - other auth required /usr/lib/security/pam_unix.so.1 - # - # Account management -@@ -24,6 +28,8 @@ - # - # Session management - # -+dtlogin session required /usr/athena/lib/pam_krb4.so -+login session required /usr/athena/lib/pam_krb4.so - other session required /usr/lib/security/pam_unix.so.1 - # - # Password management ---------------------------------------------------------------------------- -To enable PAM in /bin/login and xdm under Red Hat 6.? 
apply these patches: - ---- /etc/pam.d/login~ Tue Dec 7 12:01:35 1999 -+++ /etc/pam.d/login Wed May 31 16:27:55 2000 -@@ -1,9 +1,12 @@ - #%PAM-1.0 -+# Updated to work with kerberos -+auth sufficient /usr/athena/lib/pam_krb4.so.1.0.1 - auth required /lib/security/pam_securetty.so - auth required /lib/security/pam_pwdb.so shadow nullok - auth required /lib/security/pam_nologin.so - account required /lib/security/pam_pwdb.so - password required /lib/security/pam_cracklib.so - password required /lib/security/pam_pwdb.so nullok use_authtok md5 shadow -+session required /usr/athena/lib/pam_krb4.so.1.0.1 - session required /lib/security/pam_pwdb.so - session optional /lib/security/pam_console.so ---- /etc/pam.d/xdm~ Wed May 31 16:33:54 2000 -+++ /etc/pam.d/xdm Wed May 31 16:28:29 2000 -@@ -1,8 +1,11 @@ - #%PAM-1.0 -+# Updated to work with kerberos -+auth sufficient /usr/athena/lib/pam_krb4.so.1.0.1 - auth required /lib/security/pam_pwdb.so shadow nullok - auth required /lib/security/pam_nologin.so - account required /lib/security/pam_pwdb.so - password required /lib/security/pam_cracklib.so - password required /lib/security/pam_pwdb.so shadow nullok use_authtok -+session required /usr/athena/lib/pam_krb4.so.1.0.1 - session required /lib/security/pam_pwdb.so - session optional /lib/security/pam_console.so ---- /etc/pam.d/gdm~ Wed May 31 16:33:54 2000 -+++ /etc/pam.d/gdm Wed May 31 16:34:28 2000 -@@ -1,8 +1,11 @@ - #%PAM-1.0 -+# Updated to work with kerberos -+auth sufficient /usr/athena/lib/pam_krb4.so.1.0.1 - auth required /lib/security/pam_pwdb.so shadow nullok - auth required /lib/security/pam_nologin.so - account required /lib/security/pam_pwdb.so - password required /lib/security/pam_cracklib.so - password required /lib/security/pam_pwdb.so shadow nullok use_authtok -+session required /usr/athena/lib/pam_krb4.so.1.0.1 - session required /lib/security/pam_pwdb.so - session optional /lib/security/pam_console.so - 
--------------------------------------------------------------------------- - -This stuff may work under some other system. - -# To get this to work, you will have to add entries to /etc/pam.conf -# -# To make login kerberos-aware, you might change pam.conf to look -# like: - -# login authorization -login auth sufficient /lib/security/pam_krb4.so -login auth required /lib/security/pam_securetty.so -login auth required /lib/security/pam_unix_auth.so -login account required /lib/security/pam_unix_acct.so -login password required /lib/security/pam_unix_passwd.so -login session required /lib/security/pam_krb4.so -login session required /lib/security/pam_unix_session.so diff --git a/crypto/heimdal-0.6.3/lib/auth/sia/Makefile.am b/crypto/heimdal-0.6.3/lib/auth/sia/Makefile.am deleted file mode 100644 index 30bf011cd9..0000000000 --- a/crypto/heimdal-0.6.3/lib/auth/sia/Makefile.am +++ /dev/null 
@@ -1,112 +0,0 @@ -# $Id: Makefile.am,v 1.15.2.1 2003/05/08 10:31:48 lha Exp $ - -include $(top_srcdir)/Makefile.am.common - -INCLUDES += $(INCLUDE_krb4) - -WFLAGS += $(WFLAGS_NOIMPLICITINT) - -DEFS = @DEFS@ - -## this is horribly ugly, but automake/libtool doesn't allow us to -## unconditionally build shared libraries, and it does not allow us to -## link with non-installed libraries - -KAFS=$(top_builddir)/lib/kafs/.libs/libkafs.a -KAFS_S=$(top_builddir)/lib/kafs/.libs/libkafs.so - -if KRB5 -L = \ - $(KAFS) \ - $(top_builddir)/lib/krb5/.libs/libkrb5.a \ - $(top_builddir)/lib/asn1/.libs/libasn1.a \ - $(LIB_krb4) \ - $(LIB_des_a) \ - $(LIB_com_err_a) \ - $(top_builddir)/lib/roken/.libs/libroken.a \ - $(LIB_getpwnam_r) \ - -lc - -L_shared = \ - $(KAFS_S) \ - $(top_builddir)/lib/krb5/.libs/libkrb5.so \ - $(top_builddir)/lib/asn1/.libs/libasn1.so \ - $(LIB_krb4) \ - $(LIB_des_so) \ - $(LIB_com_err_so) \ - $(top_builddir)/lib/roken/.libs/libroken.so \ - $(LIB_getpwnam_r) \ - -lc - -MOD = libsia_krb5.so - -else - -L = \ - $(KAFS) \ - $(top_builddir)/lib/kadm/.libs/libkadm.a \ - $(top_builddir)/lib/krb/.libs/libkrb.a \ - $(LIB_des_a) \ - $(top_builddir)/lib/com_err/.libs/libcom_err.a \ - $(top_builddir)/lib/roken/.libs/libroken.a \ - $(LIB_getpwnam_r) \ - -lc - -L_shared = \ - $(KAFS_S) \ - $(top_builddir)/lib/kadm/.libs/libkadm.so \ - $(top_builddir)/lib/krb/.libs/libkrb.so \ - $(LIB_des_so) \ - $(top_builddir)/lib/com_err/.libs/libcom_err.so \ - $(top_builddir)/lib/roken/.libs/libroken.so \ - $(LIB_getpwnam_r) \ - -lc - -MOD = libsia_krb4.so - -endif - -EXTRA_DIST = sia.c krb4_matrix.conf krb4+c2_matrix.conf \ - krb5_matrix.conf krb5+c2_matrix.conf security.patch - -foodir = $(libdir) -foo_DATA = $(MOD) - -LDFLAGS = @LDFLAGS@ -rpath $(libdir) -Wl,-hidden -Wl,-exported_symbol -Wl,siad_\* - -OBJS = sia.o posix_getpw.o - -libsia_krb5.so: $(OBJS) - @if test -f $(top_builddir)/lib/krb5/.libs/libkrb5.a; then \ - echo "$(CC) -shared -o $@ `$(SHELL) $(srcdir)/make-rpath 
$(LDFLAGS) $(OBJS) $(L)`"; \ - $(CC) -shared -o $@ `$(SHELL) $(srcdir)/make-rpath $(LDFLAGS) $(OBJS) $(L)`; \ - elif test -f $(top_builddir)/lib/krb5/.libs/libkrb5.so; then \ - echo "$(CC) -shared -o $@ `$(SHELL) $(srcdir)/make-rpath $(LDFLAGS) $(OBJS) $(L_shared)`"; \ - $(CC) -shared -o $@ `$(SHELL) $(srcdir)/make-rpath $(LDFLAGS) $(OBJS) $(L_shared)`; \ - else \ - echo "missing libraries"; exit 1; \ - fi - ostrip -x $@ - -libsia_krb4.so: $(OBJS) - @if test -f $(top_builddir)/lib/krb/.libs/libkrb.a; then \ - echo "$(CC) -shared -o $@ `$(SHELL) $(srcdir)/make-rpath $(LDFLAGS) $(OBJS) $(L)`"; \ - $(CC) -shared -o $@ `$(SHELL) $(srcdir)/make-rpath $(LDFLAGS) $(OBJS) $(L)`; \ - elif test -f $(top_builddir)/lib/krb/.libs/libkrb.so; then \ - echo "$(CC) -shared -o $@ `$(SHELL) $(srcdir)/make-rpath $(LDFLAGS) $(OBJS) $(L_shared)`"; \ - $(CC) -shared -o $@ `$(SHELL) $(srcdir)/make-rpath $(LDFLAGS) $(OBJS) $(L_shared)`; \ - else \ - echo "missing libraries"; exit 1; \ - fi - ostrip -x $@ - -CLEANFILES = $(MOD) $(OBJS) so_locations - -SUFFIXES += .c .o - -# XXX inline COMPILE since automake wont add it - -.c.o: - $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) \ - -c `test -f '$<' || echo '$(srcdir)/'`$< diff --git a/crypto/heimdal-0.6.3/lib/auth/sia/Makefile.in b/crypto/heimdal-0.6.3/lib/auth/sia/Makefile.in deleted file mode 100644 index b6dd8f89b7..0000000000 --- a/crypto/heimdal-0.6.3/lib/auth/sia/Makefile.in +++ /dev/null 
@@ -1,746 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.15.2.1 2003/05/08 10:31:48 lha Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../../.. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ - $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common -subdir = lib/auth/sia -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - $(top_srcdir)/cf/krb-struct-spwd.m4 \ - 
$(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -depcomp = -am__depfiles_maybe = -SOURCES = -DIST_SOURCES = -am__installdirs = "$(DESTDIR)$(foodir)" -fooDATA_INSTALL = $(INSTALL_DATA) -DATA = $(foo_DATA) -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ 
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -rpath $(libdir) -Wl,-hidden -Wl,-exported_symbol -Wl,siad_\* -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = 
@LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ $(WFLAGS_NOIMPLICITINT) -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP 
= @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .o -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = 
$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -KAFS = $(top_builddir)/lib/kafs/.libs/libkafs.a -KAFS_S = $(top_builddir)/lib/kafs/.libs/libkafs.so -@KRB5_FALSE@L = \ -@KRB5_FALSE@ $(KAFS) \ -@KRB5_FALSE@ $(top_builddir)/lib/kadm/.libs/libkadm.a \ -@KRB5_FALSE@ $(top_builddir)/lib/krb/.libs/libkrb.a \ -@KRB5_FALSE@ $(LIB_des_a) \ -@KRB5_FALSE@ $(top_builddir)/lib/com_err/.libs/libcom_err.a \ -@KRB5_FALSE@ $(top_builddir)/lib/roken/.libs/libroken.a \ -@KRB5_FALSE@ $(LIB_getpwnam_r) \ -@KRB5_FALSE@ -lc - -@KRB5_TRUE@L = \ -@KRB5_TRUE@ $(KAFS) \ -@KRB5_TRUE@ $(top_builddir)/lib/krb5/.libs/libkrb5.a \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/.libs/libasn1.a \ -@KRB5_TRUE@ $(LIB_krb4) \ -@KRB5_TRUE@ $(LIB_des_a) \ -@KRB5_TRUE@ $(LIB_com_err_a) \ -@KRB5_TRUE@ $(top_builddir)/lib/roken/.libs/libroken.a \ -@KRB5_TRUE@ $(LIB_getpwnam_r) \ -@KRB5_TRUE@ -lc - -@KRB5_FALSE@L_shared = \ -@KRB5_FALSE@ $(KAFS_S) \ -@KRB5_FALSE@ $(top_builddir)/lib/kadm/.libs/libkadm.so \ -@KRB5_FALSE@ $(top_builddir)/lib/krb/.libs/libkrb.so \ -@KRB5_FALSE@ $(LIB_des_so) \ -@KRB5_FALSE@ $(top_builddir)/lib/com_err/.libs/libcom_err.so \ -@KRB5_FALSE@ $(top_builddir)/lib/roken/.libs/libroken.so \ -@KRB5_FALSE@ $(LIB_getpwnam_r) \ -@KRB5_FALSE@ -lc - -@KRB5_TRUE@L_shared = \ -@KRB5_TRUE@ $(KAFS_S) \ -@KRB5_TRUE@ $(top_builddir)/lib/krb5/.libs/libkrb5.so \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/.libs/libasn1.so \ -@KRB5_TRUE@ $(LIB_krb4) \ -@KRB5_TRUE@ $(LIB_des_so) \ -@KRB5_TRUE@ $(LIB_com_err_so) \ -@KRB5_TRUE@ $(top_builddir)/lib/roken/.libs/libroken.so \ -@KRB5_TRUE@ $(LIB_getpwnam_r) \ -@KRB5_TRUE@ -lc - -@KRB5_FALSE@MOD = libsia_krb4.so -@KRB5_TRUE@MOD = libsia_krb5.so -EXTRA_DIST = sia.c krb4_matrix.conf krb4+c2_matrix.conf \ - krb5_matrix.conf 
krb5+c2_matrix.conf security.patch - -foodir = $(libdir) -foo_DATA = $(MOD) -OBJS = sia.o posix_getpw.o -CLEANFILES = $(MOD) $(OBJS) so_locations -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .o -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps lib/auth/sia/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps lib/auth/sia/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -install-fooDATA: $(foo_DATA) - @$(NORMAL_INSTALL) - test -z "$(foodir)" || $(mkdir_p) "$(DESTDIR)$(foodir)" - @list='$(foo_DATA)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(fooDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(foodir)/$$f'"; \ - 
$(fooDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(foodir)/$$f"; \ - done - -uninstall-fooDATA: - @$(NORMAL_UNINSTALL) - @list='$(foo_DATA)'; for p in $$list; do \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " rm -f '$(DESTDIR)$(foodir)/$$f'"; \ - rm -f "$(DESTDIR)$(foodir)/$$f"; \ - done -tags: TAGS -TAGS: - -ctags: CTAGS -CTAGS: - - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/../../.. $(distdir)/../../../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(DATA) all-local -installdirs: - for dir in "$(DESTDIR)$(foodir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - 
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-generic clean-libtool mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-generic distclean-libtool - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: install-fooDATA - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-generic mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-fooDATA uninstall-info-am - -.PHONY: all all-am all-local check check-am check-local clean \ - clean-generic clean-libtool distclean distclean-generic \ - distclean-libtool distdir dvi dvi-am html html-am info info-am \ - install install-am install-data install-data-am install-exec \ - install-exec-am install-fooDATA install-info install-info-am \ - install-man install-strip installcheck installcheck-am \ - installdirs maintainer-clean maintainer-clean-generic \ - mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \ - ps ps-am uninstall uninstall-am uninstall-fooDATA \ - uninstall-info-am - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s 
$$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 
's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -libsia_krb5.so: $(OBJS) - @if test -f $(top_builddir)/lib/krb5/.libs/libkrb5.a; then \ - echo "$(CC) -shared -o $@ `$(SHELL) $(srcdir)/make-rpath $(LDFLAGS) $(OBJS) $(L)`"; \ - $(CC) -shared -o $@ `$(SHELL) $(srcdir)/make-rpath $(LDFLAGS) $(OBJS) $(L)`; \ - elif test -f $(top_builddir)/lib/krb5/.libs/libkrb5.so; then \ - echo "$(CC) -shared -o $@ `$(SHELL) $(srcdir)/make-rpath $(LDFLAGS) $(OBJS) $(L_shared)`"; \ - $(CC) -shared -o $@ `$(SHELL) $(srcdir)/make-rpath $(LDFLAGS) $(OBJS) $(L_shared)`; \ - else \ - echo "missing libraries"; exit 1; \ - fi - ostrip -x $@ - -libsia_krb4.so: $(OBJS) - @if test -f $(top_builddir)/lib/krb/.libs/libkrb.a; then \ - echo "$(CC) -shared -o $@ `$(SHELL) $(srcdir)/make-rpath $(LDFLAGS) $(OBJS) $(L)`"; \ - $(CC) -shared -o $@ `$(SHELL) $(srcdir)/make-rpath $(LDFLAGS) 
$(OBJS) $(L)`; \ - elif test -f $(top_builddir)/lib/krb/.libs/libkrb.so; then \ - echo "$(CC) -shared -o $@ `$(SHELL) $(srcdir)/make-rpath $(LDFLAGS) $(OBJS) $(L_shared)`"; \ - $(CC) -shared -o $@ `$(SHELL) $(srcdir)/make-rpath $(LDFLAGS) $(OBJS) $(L_shared)`; \ - else \ - echo "missing libraries"; exit 1; \ - fi - ostrip -x $@ - -# XXX inline COMPILE since automake wont add it - -.c.o: - $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) \ - -c `test -f '$<' || echo '$(srcdir)/'`$< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal-0.6.3/lib/auth/sia/krb4+c2_matrix.conf b/crypto/heimdal-0.6.3/lib/auth/sia/krb4+c2_matrix.conf deleted file mode 100644 index 4b90e0264a..0000000000 --- a/crypto/heimdal-0.6.3/lib/auth/sia/krb4+c2_matrix.conf +++ /dev/null 
@@ -1,58 +0,0 @@
-# Copyright (c) 1998 Kungliga Tekniska Högskolan
-# (Royal Institute of Technology, Stockholm, Sweden).
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-#
-# 1. Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-#
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-#
-# 3. Neither the name of the Institute nor the names of its contributors
-# may be used to endorse or promote products derived from this software
-# without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
-
-# $Id: krb4+c2_matrix.conf,v 1.4 1999/12/02 16:58:37 joda Exp $
-
-# sia matrix configuration file (Kerberos 4 + C2)
-
-siad_init=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
-siad_chk_invoker=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
-siad_ses_init=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
-siad_ses_authent=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
-siad_ses_estab=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
-siad_ses_launch=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
-siad_ses_suauthent=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
-siad_ses_reauthent=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
-siad_chg_finger=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
-siad_chg_password=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
-siad_chg_shell=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
-siad_getpwent=(BSD,libc.so)
-siad_getpwuid=(BSD,libc.so)
-siad_getpwnam=(BSD,libc.so)
-siad_setpwent=(BSD,libc.so)
-siad_endpwent=(BSD,libc.so)
-siad_getgrent=(BSD,libc.so)
-siad_getgrgid=(BSD,libc.so)
-siad_getgrnam=(BSD,libc.so)
-siad_setgrent=(BSD,libc.so)
-siad_endgrent=(BSD,libc.so)
-siad_ses_release=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
-siad_chk_user=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
diff --git a/crypto/heimdal-0.6.3/lib/auth/sia/krb4_matrix.conf b/crypto/heimdal-0.6.3/lib/auth/sia/krb4_matrix.conf
deleted file mode 100644
index 4f55a810ce..0000000000
--- a/crypto/heimdal-0.6.3/lib/auth/sia/krb4_matrix.conf
+++ /dev/null
@@ -1,59 +0,0 @@
-# Copyright (c) 1998 Kungliga Tekniska Högskolan
-# (Royal Institute of Technology, Stockholm, Sweden).
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-#
-# 1. Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-#
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-#
-# 3. Neither the name of the Institute nor the names of its contributors
-# may be used to endorse or promote products derived from this software
-# without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
-
-# $Id: krb4_matrix.conf,v 1.6 1999/12/02 16:58:37 joda Exp $
-
-# sia matrix configuration file (Kerberos 4 + BSD)
-
-siad_init=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
-siad_chk_invoker=(BSD,libc.so)
-siad_ses_init=(KRB4,/usr/athena/lib/libsia_krb4.so)
-siad_ses_authent=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
-siad_ses_estab=(BSD,libc.so)
-siad_ses_launch=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
-siad_ses_suauthent=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
-siad_ses_reauthent=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
-siad_chg_finger=(BSD,libc.so)
-siad_chg_password=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
-siad_chg_shell=(BSD,libc.so)
-siad_getpwent=(BSD,libc.so)
-siad_getpwuid=(BSD,libc.so)
-siad_getpwnam=(BSD,libc.so)
-siad_setpwent=(BSD,libc.so)
-siad_endpwent=(BSD,libc.so)
-siad_getgrent=(BSD,libc.so)
-siad_getgrgid=(BSD,libc.so)
-siad_getgrnam=(BSD,libc.so)
-siad_setgrent=(BSD,libc.so)
-siad_endgrent=(BSD,libc.so)
-siad_ses_release=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
-siad_chk_user=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
-
diff --git a/crypto/heimdal-0.6.3/lib/auth/sia/krb5+c2_matrix.conf b/crypto/heimdal-0.6.3/lib/auth/sia/krb5+c2_matrix.conf
deleted file mode 100644
index c2952e2db8..0000000000
--- a/crypto/heimdal-0.6.3/lib/auth/sia/krb5+c2_matrix.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-# $Id: krb5+c2_matrix.conf,v 1.2 1998/11/26 20:58:18 assar Exp $
-
-# sia matrix configuration file (Kerberos 5 + C2)
-
-siad_init=(KRB5,/usr/athena/lib/libsia_krb5.so)(BSD,libc.so)
-siad_chk_invoker=(OSFC2,/usr/shlib/libsecurity.so)
-siad_ses_init=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
-siad_ses_authent=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
-siad_ses_estab=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
-siad_ses_launch=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
-siad_ses_suauthent=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
-siad_ses_reauthent=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
-siad_chg_finger=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
-siad_chg_password=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
-siad_chg_shell=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
-siad_getpwent=(BSD,libc.so)
-siad_getpwuid=(BSD,libc.so)
-siad_getpwnam=(BSD,libc.so)
-siad_setpwent=(BSD,libc.so)
-siad_endpwent=(BSD,libc.so)
-siad_getgrent=(BSD,libc.so)
-siad_getgrgid=(BSD,libc.so)
-siad_getgrnam=(BSD,libc.so)
-siad_setgrent=(BSD,libc.so)
-siad_endgrent=(BSD,libc.so)
-siad_ses_release=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
-siad_chk_user=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
diff --git a/crypto/heimdal-0.6.3/lib/auth/sia/krb5_matrix.conf b/crypto/heimdal-0.6.3/lib/auth/sia/krb5_matrix.conf
deleted file mode 100644
index e8804725dd..0000000000
--- a/crypto/heimdal-0.6.3/lib/auth/sia/krb5_matrix.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-# $Id: krb5_matrix.conf,v 1.2 2001/08/28 08:49:20 joda Exp $
-
-# sia matrix configuration file (Kerberos 5 + BSD)
-
-siad_init=(KRB5,/usr/heimdal/lib/libsia_krb5.so)(BSD,libc.so)
-siad_chk_invoker=(BSD,libc.so)
-siad_ses_init=(KRB5,/usr/heimdal/lib/libsia_krb5.so)
-siad_ses_authent=(KRB5,/usr/heimdal/lib/libsia_krb5.so)(BSD,libc.so)
-siad_ses_estab=(BSD,libc.so)
-siad_ses_launch=(KRB5,/usr/heimdal/lib/libsia_krb5.so)(BSD,libc.so)
-siad_ses_suauthent=(KRB5,/usr/heimdal/lib/libsia_krb5.so)(BSD,libc.so)
-siad_ses_reauthent=(BSD,libc.so)
-siad_chg_finger=(BSD,libc.so)
-siad_chg_password=(BSD,libc.so)
-siad_chg_shell=(BSD,libc.so)
-siad_getpwent=(BSD,libc.so)
-siad_getpwuid=(BSD,libc.so)
-siad_getpwnam=(BSD,libc.so)
-siad_setpwent=(BSD,libc.so)
-siad_endpwent=(BSD,libc.so)
-siad_getgrent=(BSD,libc.so)
-siad_getgrgid=(BSD,libc.so)
-siad_getgrnam=(BSD,libc.so)
-siad_setgrent=(BSD,libc.so)
-siad_endgrent=(BSD,libc.so)
-siad_ses_release=(KRB5,/usr/heimdal/lib/libsia_krb5.so)(BSD,libc.so)
-siad_chk_user=(BSD,libc.so)
diff --git a/crypto/heimdal-0.6.3/lib/auth/sia/make-rpath b/crypto/heimdal-0.6.3/lib/auth/sia/make-rpath
deleted file mode 100644
index 2223aa00b0..0000000000
--- a/crypto/heimdal-0.6.3/lib/auth/sia/make-rpath
+++ /dev/null
@@ -1,34 +0,0 @@
-#!/bin/sh
-# $Id: make-rpath,v 1.1 2001/07/17 15:15:31 assar Exp $
-rlist=
-rest=
-while test $# -gt 0; do
-case $1 in
--R|-rpath)
- if test "$rlist"; then
- rlist="${rlist}:$2"
- else
- rlist="$2"
- fi
- shift 2
- ;;
--R*)
- d=`echo $1 | sed 's,^-R,,'`
- if test "$rlist"; then
- rlist="${rlist}:${d}"
- else
- rlist="${d}"
- fi
- shift
- ;;
-*)
- rest="${rest} $1"
- shift
- ;;
-esac
-done
-rpath=
-if test "$rlist"; then
- rpath="-rpath $rlist "
-fi
-echo "${rpath}${rest}"
diff --git a/crypto/heimdal-0.6.3/lib/auth/sia/posix_getpw.c b/crypto/heimdal-0.6.3/lib/auth/sia/posix_getpw.c
deleted file mode 100644
index c5961dcd2c..0000000000
--- a/crypto/heimdal-0.6.3/lib/auth/sia/posix_getpw.c
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * Copyright (c) 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of KTH nor the names of its contributors may be
- * used to endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
- * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
- * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
- * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
-
-#include "sia_locl.h"
-
-RCSID("$Id: posix_getpw.c,v 1.1 1999/03/21 17:07:02 joda Exp $");
-
-#ifndef POSIX_GETPWNAM_R
-/*
- * These functions translate from the old Digital UNIX 3.x interface
- * to POSIX.1c.
- */
-
-int
-posix_getpwnam_r(const char *name, struct passwd *pwd,
- char *buffer, int len, struct passwd **result)
-{
- int ret = getpwnam_r(name, pwd, buffer, len);
- if(ret == 0)
- *result = pwd;
- else{
- *result = NULL;
- ret = _Geterrno();
- if(ret == 0){
- ret = ERANGE;
- _Seterrno(ret);
- }
- }
- return ret;
-}
-
-int
-posix_getpwuid_r(uid_t uid, struct passwd *pwd,
- char *buffer, int len, struct passwd **result)
-{
- int ret = getpwuid_r(uid, pwd, buffer, len);
- if(ret == 0)
- *result = pwd;
- else{
- *result = NULL;
- ret = _Geterrno();
- if(ret == 0){
- ret = ERANGE;
- _Seterrno(ret);
- }
- }
- return ret;
-}
-#endif /* POSIX_GETPWNAM_R */
diff --git a/crypto/heimdal-0.6.3/lib/auth/sia/security.patch b/crypto/heimdal-0.6.3/lib/auth/sia/security.patch
deleted file mode 100644
index c407876d63..0000000000
--- a/crypto/heimdal-0.6.3/lib/auth/sia/security.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- /sbin/init.d/security~ Tue Aug 20 22:44:09 1996
-+++ /sbin/init.d/security Fri Nov 1 14:52:56 1996
-@@ -49,7 +49,7 @@
- SECURITY=BASE
- fi
- ;;
-- BASE)
-+ BASE|KRB4)
- ;;
- *)
- echo "security configuration set to default (BASE)."
diff --git a/crypto/heimdal-0.6.3/lib/auth/sia/sia.c b/crypto/heimdal-0.6.3/lib/auth/sia/sia.c
deleted file mode 100644
index d2de063218..0000000000
--- a/crypto/heimdal-0.6.3/lib/auth/sia/sia.c
+++ /dev/null
@@ -1,678 +0,0 @@
-/*
- * Copyright (c) 1995-2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "sia_locl.h" - -RCSID("$Id: sia.c,v 1.36 2001/09/13 01:19:14 assar Exp $"); - -int -siad_init(void) -{ - return SIADSUCCESS; -} - -int -siad_chk_invoker(void) -{ - SIA_DEBUG(("DEBUG", "siad_chk_invoker")); - return SIADFAIL; -} - -int -siad_ses_init(SIAENTITY *entity, int pkgind) -{ - struct state *s = malloc(sizeof(*s)); - - SIA_DEBUG(("DEBUG", "siad_ses_init")); - if(s == NULL) - return SIADFAIL; - memset(s, 0, sizeof(*s)); -#ifdef SIA_KRB5 - { - krb5_error_code ret; - ret = krb5_init_context(&s->context); - if (ret) - return SIADFAIL; - } -#endif - entity->mech[pkgind] = (int*)s; - return SIADSUCCESS; -} - -static int -setup_name(SIAENTITY *e, prompt_t *p) -{ - SIA_DEBUG(("DEBUG", "setup_name")); - e->name = malloc(SIANAMEMIN + 1); - if(e->name == NULL){ - SIA_DEBUG(("DEBUG", "failed to malloc %u bytes", SIANAMEMIN+1)); - return SIADFAIL; - } - p->prompt = (unsigned char*)"login: "; - p->result = (unsigned char*)e->name; - p->min_result_length = 1; - p->max_result_length = SIANAMEMIN; - p->control_flags = 0; - return SIADSUCCESS; -} - -static int -setup_password(SIAENTITY *e, prompt_t *p) -{ - SIA_DEBUG(("DEBUG", "setup_password")); - e->password = malloc(SIAMXPASSWORD + 1); - if(e->password == NULL){ - SIA_DEBUG(("DEBUG", "failed to malloc %u bytes", SIAMXPASSWORD+1)); - return SIADFAIL; - } - p->prompt = (unsigned char*)"Password: "; - p->result = (unsigned char*)e->password; - p->min_result_length = 0; - p->max_result_length = SIAMXPASSWORD; - p->control_flags = SIARESINVIS; - return SIADSUCCESS; -} - - -static int -doauth(SIAENTITY *entity, int pkgind, char *name) -{ - struct passwd pw, *pwd; - char pwbuf[1024]; - struct state *s = (struct state*)entity->mech[pkgind]; -#ifdef SIA_KRB5 - krb5_realm *realms, *r; - krb5_principal principal; - krb5_ccache ccache; - krb5_error_code ret; -#endif -#ifdef SIA_KRB4 - char realm[REALM_SZ]; - char *toname, *toinst; - int ret; - struct passwd fpw, *fpwd; - char fpwbuf[1024]; - int secure; -#endif - - 
if(getpwnam_r(name, &pw, pwbuf, sizeof(pwbuf), &pwd) != 0){ - SIA_DEBUG(("DEBUG", "failed to getpwnam(%s)", name)); - return SIADFAIL; - } - -#ifdef SIA_KRB5 - ret = krb5_get_default_realms(s->context, &realms); - - for (r = realms; *r != NULL; ++r) { - krb5_make_principal (s->context, &principal, *r, entity->name, NULL); - - if(krb5_kuserok(s->context, principal, entity->name)) - break; - } - krb5_free_host_realm (s->context, realms); - if (*r == NULL) - return SIADFAIL; - - sprintf(s->ticket, "FILE:/tmp/krb5_cc%d_%d", pwd->pw_uid, getpid()); - ret = krb5_cc_resolve(s->context, s->ticket, &ccache); - if(ret) - return SIADFAIL; -#endif - -#ifdef SIA_KRB4 - snprintf(s->ticket, sizeof(s->ticket), - "%s%u_%u", TKT_ROOT, (unsigned)pwd->pw_uid, (unsigned)getpid()); - krb_get_lrealm(realm, 1); - toname = name; - toinst = ""; - if(entity->authtype == SIA_A_SUAUTH){ - uid_t ouid; -#ifdef HAVE_SIAENTITY_OUID - ouid = entity->ouid; -#else - ouid = getuid(); -#endif - if(getpwuid_r(ouid, &fpw, fpwbuf, sizeof(fpwbuf), &fpwd) != 0){ - SIA_DEBUG(("DEBUG", "failed to getpwuid(%u)", ouid)); - return SIADFAIL; - } - snprintf(s->ticket, sizeof(s->ticket), "%s_%s_to_%s_%d", - TKT_ROOT, fpwd->pw_name, pwd->pw_name, getpid()); - if(strcmp(pwd->pw_name, "root") == 0){ - toname = fpwd->pw_name; - toinst = pwd->pw_name; - } - } - if(entity->authtype == SIA_A_REAUTH) - snprintf(s->ticket, sizeof(s->ticket), "%s", tkt_string()); - - krb_set_tkt_string(s->ticket); - - setuid(0); /* XXX fix for fix in tf_util.c */ - if(krb_kuserok(toname, toinst, realm, name)){ - SIA_DEBUG(("DEBUG", "%s.%s@%s is not allowed to login as %s", - toname, toinst, realm, name)); - return SIADFAIL; - } -#endif -#ifdef SIA_KRB5 - ret = krb5_verify_user_lrealm(s->context, principal, ccache, - entity->password, 1, NULL); - if(ret){ - /* if this is most likely a local user (such as - root), just silently return failure when the - principal doesn't exist */ - if(ret != KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN && - ret != 
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) - SIALOG("WARNING", "krb5_verify_user(%s): %s", - entity->name, error_message(ret)); - return SIADFAIL; - } -#endif -#ifdef SIA_KRB4 - if (getuid () == 0) - secure = KRB_VERIFY_SECURE; - else - secure = KRB_VERIFY_NOT_SECURE; - - ret = krb_verify_user(toname, toinst, realm, - entity->password, secure, NULL); - if(ret){ - SIA_DEBUG(("DEBUG", "krb_verify_user: %s", krb_get_err_text(ret))); - if(ret != KDC_PR_UNKNOWN) - /* since this is most likely a local user (such as - root), just silently return failure when the - principal doesn't exist */ - SIALOG("WARNING", "krb_verify_user(%s.%s): %s", - toname, toinst, krb_get_err_text(ret)); - return SIADFAIL; - } -#endif - if(sia_make_entity_pwd(pwd, entity) == SIAFAIL) - return SIADFAIL; - s->valid = 1; - return SIADSUCCESS; -} - - -static int -common_auth(sia_collect_func_t *collect, - SIAENTITY *entity, - int siastat, - int pkgind) -{ - prompt_t prompts[2], *pr; - char *name; - - SIA_DEBUG(("DEBUG", "common_auth")); - if((siastat == SIADSUCCESS) && (geteuid() == 0)) - return SIADSUCCESS; - if(entity == NULL) { - SIA_DEBUG(("DEBUG", "entity == NULL")); - return SIADFAIL | SIADSTOP; - } - name = entity->name; - if(entity->acctname) - name = entity->acctname; - - if((collect != NULL) && entity->colinput) { - int num; - pr = prompts; - if(name == NULL){ - if(setup_name(entity, pr) != SIADSUCCESS) - return SIADFAIL; - pr++; - } - if(entity->password == NULL){ - if(setup_password(entity, pr) != SIADSUCCESS) - return SIADFAIL; - pr++; - } - num = pr - prompts; - if(num == 1){ - if((*collect)(240, SIAONELINER, (unsigned char*)"", num, - prompts) != SIACOLSUCCESS){ - SIA_DEBUG(("DEBUG", "collect failed")); - return SIADFAIL | SIADSTOP; - } - } else if(num > 0){ - if((*collect)(0, SIAFORM, (unsigned char*)"", num, - prompts) != SIACOLSUCCESS){ - SIA_DEBUG(("DEBUG", "collect failed")); - return SIADFAIL | SIADSTOP; - } - } - } - if(name == NULL) - name = entity->name; - if(name == NULL || name[0] == 
'\0'){ - SIA_DEBUG(("DEBUG", "name is null")); - return SIADFAIL; - } - - if(entity->password == NULL || strlen(entity->password) > SIAMXPASSWORD){ - SIA_DEBUG(("DEBUG", "entity->password is null")); - return SIADFAIL; - } - - return doauth(entity, pkgind, name); -} - - -int -siad_ses_authent(sia_collect_func_t *collect, - SIAENTITY *entity, - int siastat, - int pkgind) -{ - SIA_DEBUG(("DEBUG", "siad_ses_authent")); - return common_auth(collect, entity, siastat, pkgind); -} - -int -siad_ses_estab(sia_collect_func_t *collect, - SIAENTITY *entity, int pkgind) -{ - SIA_DEBUG(("DEBUG", "siad_ses_estab")); - return SIADFAIL; -} - -int -siad_ses_launch(sia_collect_func_t *collect, - SIAENTITY *entity, - int pkgind) -{ - static char env[MaxPathLen]; - struct state *s = (struct state*)entity->mech[pkgind]; - SIA_DEBUG(("DEBUG", "siad_ses_launch")); - if(s->valid){ -#ifdef SIA_KRB5 - chown(s->ticket + sizeof("FILE:") - 1, - entity->pwd->pw_uid, - entity->pwd->pw_gid); - snprintf(env, sizeof(env), "KRB5CCNAME=%s", s->ticket); -#endif -#ifdef SIA_KRB4 - chown(s->ticket, entity->pwd->pw_uid, entity->pwd->pw_gid); - snprintf(env, sizeof(env), "KRBTKFILE=%s", s->ticket); -#endif - putenv(env); - } -#ifdef KRB4 - if (k_hasafs()) { - char cell[64]; - k_setpag(); - if(k_afs_cell_of_file(entity->pwd->pw_dir, cell, sizeof(cell)) == 0) - krb_afslog(cell, 0); - krb_afslog_home(0, 0, entity->pwd->pw_dir); - } -#endif - return SIADSUCCESS; -} - -int -siad_ses_release(SIAENTITY *entity, int pkgind) -{ - SIA_DEBUG(("DEBUG", "siad_ses_release")); - if(entity->mech[pkgind]){ -#ifdef SIA_KRB5 - struct state *s = (struct state*)entity->mech[pkgind]; - krb5_free_context(s->context); -#endif - free(entity->mech[pkgind]); - } - return SIADSUCCESS; -} - -int -siad_ses_suauthent(sia_collect_func_t *collect, - SIAENTITY *entity, - int siastat, - int pkgind) -{ - SIA_DEBUG(("DEBUG", "siad_ses_suauth")); - if(geteuid() != 0) - return SIADFAIL; - if(entity->name == NULL) - return SIADFAIL; - 
if(entity->name[0] == '\0') { - free(entity->name); - entity->name = strdup("root"); - if (entity->name == NULL) - return SIADFAIL; - } - return common_auth(collect, entity, siastat, pkgind); -} - -int -siad_ses_reauthent (sia_collect_func_t *collect, - SIAENTITY *entity, - int siastat, - int pkgind) -{ - int ret; - SIA_DEBUG(("DEBUG", "siad_ses_reauthent")); - if(entity == NULL || entity->name == NULL) - return SIADFAIL; - ret = common_auth(collect, entity, siastat, pkgind); - if((ret & SIADSUCCESS)){ - /* launch isn't (always?) called when doing reauth, so we must - duplicate some code here... */ - struct state *s = (struct state*)entity->mech[pkgind]; - chown(s->ticket, entity->pwd->pw_uid, entity->pwd->pw_gid); -#ifdef KRB4 - if(k_hasafs()) { - char cell[64]; - if(k_afs_cell_of_file(entity->pwd->pw_dir, - cell, sizeof(cell)) == 0) - krb_afslog(cell, 0); - krb_afslog_home(0, 0, entity->pwd->pw_dir); - } -#endif - } - return ret; -} - -int -siad_chg_finger (sia_collect_func_t *collect, - const char *username, - int argc, - char *argv[]) -{ - SIA_DEBUG(("DEBUG", "siad_chg_finger")); - return SIADFAIL; -} - -#ifdef SIA_KRB5 -int -siad_chg_password (sia_collect_func_t *collect, - const char *username, - int argc, - char *argv[]) -{ - return SIADFAIL; -} -#endif - -#ifdef SIA_KRB4 -static void -sia_message(sia_collect_func_t *collect, int rendition, - const char *title, const char *message) -{ - prompt_t prompt; - prompt.prompt = (unsigned char*)message; - (*collect)(0, rendition, (unsigned char*)title, 1, &prompt); -} - -static int -init_change(sia_collect_func_t *collect, krb_principal *princ) -{ - prompt_t prompt; - char old_pw[MAX_KPW_LEN+1]; - char *msg; - char tktstring[128]; - int ret; - - SIA_DEBUG(("DEBUG", "init_change")); - prompt.prompt = (unsigned char*)"Old password: "; - prompt.result = (unsigned char*)old_pw; - prompt.min_result_length = 0; - prompt.max_result_length = sizeof(old_pw) - 1; - prompt.control_flags = SIARESINVIS; - asprintf(&msg, 
"Changing password for %s", krb_unparse_name(princ)); - if(msg == NULL){ - SIA_DEBUG(("DEBUG", "out of memory")); - return SIADFAIL; - } - ret = (*collect)(60, SIAONELINER, (unsigned char*)msg, 1, &prompt); - free(msg); - SIA_DEBUG(("DEBUG", "ret = %d", ret)); - if(ret != SIACOLSUCCESS) - return SIADFAIL; - snprintf(tktstring, sizeof(tktstring), - "%s_cpw_%u", TKT_ROOT, (unsigned)getpid()); - krb_set_tkt_string(tktstring); - - ret = krb_get_pw_in_tkt(princ->name, princ->instance, princ->realm, - PWSERV_NAME, KADM_SINST, 1, old_pw); - if (ret != KSUCCESS) { - SIA_DEBUG(("DEBUG", "krb_get_pw_in_tkt: %s", krb_get_err_text(ret))); - if (ret == INTK_BADPW) - sia_message(collect, SIAWARNING, "", "Incorrect old password."); - else - sia_message(collect, SIAWARNING, "", "Kerberos error."); - memset(old_pw, 0, sizeof(old_pw)); - return SIADFAIL; - } - if(chown(tktstring, getuid(), -1) < 0){ - dest_tkt(); - return SIADFAIL; - } - memset(old_pw, 0, sizeof(old_pw)); - return SIADSUCCESS; -} - -int -siad_chg_password (sia_collect_func_t *collect, - const char *username, - int argc, - char *argv[]) -{ - prompt_t prompts[2]; - krb_principal princ; - int ret; - char new_pw1[MAX_KPW_LEN+1]; - char new_pw2[MAX_KPW_LEN+1]; - static struct et_list *et_list; - - setprogname(argv[0]); - - SIA_DEBUG(("DEBUG", "siad_chg_password")); - if(collect == NULL) - return SIADFAIL; - - if(username == NULL) - username = getlogin(); - - ret = krb_parse_name(username, &princ); - if(ret) - return SIADFAIL; - if(princ.realm[0] == '\0') - krb_get_lrealm(princ.realm, 1); - - if(et_list == NULL) { - initialize_kadm_error_table_r(&et_list); - initialize_krb_error_table_r(&et_list); - } - - ret = init_change(collect, &princ); - if(ret != SIADSUCCESS) - return ret; - -again: - prompts[0].prompt = (unsigned char*)"New password: "; - prompts[0].result = (unsigned char*)new_pw1; - prompts[0].min_result_length = MIN_KPW_LEN; - prompts[0].max_result_length = sizeof(new_pw1) - 1; - prompts[0].control_flags = 
SIARESINVIS; - prompts[1].prompt = (unsigned char*)"Verify new password: "; - prompts[1].result = (unsigned char*)new_pw2; - prompts[1].min_result_length = MIN_KPW_LEN; - prompts[1].max_result_length = sizeof(new_pw2) - 1; - prompts[1].control_flags = SIARESINVIS; - if((*collect)(120, SIAFORM, (unsigned char*)"", 2, prompts) != - SIACOLSUCCESS) { - dest_tkt(); - return SIADFAIL; - } - if(strcmp(new_pw1, new_pw2) != 0){ - sia_message(collect, SIAWARNING, "", "Password mismatch."); - goto again; - } - ret = kadm_check_pw(new_pw1); - if(ret) { - sia_message(collect, SIAWARNING, "", com_right(et_list, ret)); - goto again; - } - - memset(new_pw2, 0, sizeof(new_pw2)); - ret = kadm_init_link (PWSERV_NAME, KRB_MASTER, princ.realm); - if (ret != KADM_SUCCESS) - sia_message(collect, SIAWARNING, "Error initing kadmin connection", - com_right(et_list, ret)); - else { - des_cblock newkey; - char *pw_msg; /* message from server */ - - des_string_to_key(new_pw1, &newkey); - ret = kadm_change_pw_plain((unsigned char*)&newkey, new_pw1, &pw_msg); - memset(newkey, 0, sizeof(newkey)); - - if (ret == KADM_INSECURE_PW) - sia_message(collect, SIAWARNING, "Insecure password", pw_msg); - else if (ret != KADM_SUCCESS) - sia_message(collect, SIAWARNING, "Error changing password", - com_right(et_list, ret)); - } - memset(new_pw1, 0, sizeof(new_pw1)); - - if (ret != KADM_SUCCESS) - sia_message(collect, SIAWARNING, "", "Password NOT changed."); - else - sia_message(collect, SIAINFO, "", "Password changed."); - - dest_tkt(); - if(ret) - return SIADFAIL; - return SIADSUCCESS; -} -#endif - -int -siad_chg_shell (sia_collect_func_t *collect, - const char *username, - int argc, - char *argv[]) -{ - return SIADFAIL; -} - -int -siad_getpwent(struct passwd *result, - char *buf, - int bufsize, - struct sia_context *context) -{ - return SIADFAIL; -} - -int -siad_getpwuid (uid_t uid, - struct passwd *result, - char *buf, - int bufsize, - struct sia_context *context) -{ - return SIADFAIL; -} - -int 
-siad_getpwnam (const char *name, - struct passwd *result, - char *buf, - int bufsize, - struct sia_context *context) -{ - return SIADFAIL; -} - -int -siad_setpwent (struct sia_context *context) -{ - return SIADFAIL; -} - -int -siad_endpwent (struct sia_context *context) -{ - return SIADFAIL; -} - -int -siad_getgrent(struct group *result, - char *buf, - int bufsize, - struct sia_context *context) -{ - return SIADFAIL; -} - -int -siad_getgrgid (gid_t gid, - struct group *result, - char *buf, - int bufsize, - struct sia_context *context) -{ - return SIADFAIL; -} - -int -siad_getgrnam (const char *name, - struct group *result, - char *buf, - int bufsize, - struct sia_context *context) -{ - return SIADFAIL; -} - -int -siad_setgrent (struct sia_context *context) -{ - return SIADFAIL; -} - -int -siad_endgrent (struct sia_context *context) -{ - return SIADFAIL; -} - -int -siad_chk_user (const char *logname, int checkflag) -{ - if(checkflag != CHGPASSWD) - return SIADFAIL; - return SIADSUCCESS; -} diff --git a/crypto/heimdal-0.6.3/lib/auth/sia/sia_locl.h b/crypto/heimdal-0.6.3/lib/auth/sia/sia_locl.h deleted file mode 100644 index 7b411596f6..0000000000 --- a/crypto/heimdal-0.6.3/lib/auth/sia/sia_locl.h +++ /dev/null 
@@ -1,93 +0,0 @@ -/* - * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of KTH nor the names of its contributors may be - * used to endorse or promote products derived from this software without - * specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY - * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR - * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, - * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR - * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF - * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ - -/* $Id: sia_locl.h,v 1.3 2001/09/13 01:15:34 assar Exp $ */ - -#ifndef __sia_locl_h__ -#define __sia_locl_h__ - -#ifdef HAVE_CONFIG_H -#include -#endif -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#ifdef KRB5 -#define SIA_KRB5 -#elif defined(KRB4) -#define SIA_KRB4 -#endif - -#ifdef SIA_KRB5 -#include -#include -#endif -#ifdef SIA_KRB4 -#include -#include -#include -#include -#endif -#ifdef KRB4 -#include -#endif - -#ifndef POSIX_GETPWNAM_R - -#define getpwnam_r posix_getpwnam_r -#define getpwuid_r posix_getpwuid_r - -#endif /* POSIX_GETPWNAM_R */ - -#ifndef DEBUG -#define SIA_DEBUG(X) -#else -#define SIA_DEBUG(X) SIALOG X -#endif - -struct state{ -#ifdef SIA_KRB5 - krb5_context context; - krb5_auth_context auth_context; -#endif - char ticket[MaxPathLen]; - int valid; -}; - -#endif /* __sia_locl_h__ */ diff --git a/crypto/heimdal-0.6.3/lib/com_err/ChangeLog b/crypto/heimdal-0.6.3/lib/com_err/ChangeLog deleted file mode 100644 index 23d5403894..0000000000 --- a/crypto/heimdal-0.6.3/lib/com_err/ChangeLog +++ /dev/null 
@@ -1,166 +0,0 @@ -2002-08-20 Johan Danielsson - - * compile_et.c: don't add comma after last enum member - -2002-08-12 Johan Danielsson - - * compile_et.c: just declare er_list directly instead of including - com_right in generated header files - -2002-03-11 Assar Westerlund - - * Makefile.am (libcom_err_la_LDFLAGS): set version to 2:1:1 - -2002-03-10 Assar Westerlund - - * com_err.c (error_message): do not call strerror with a negative error - -2001-05-17 Assar Westerlund - - * Makefile.am: bump version to 2:0:1 - -2001-05-11 Assar Westerlund - - * com_err.h (add_to_error_table): add prototype - * com_err.c (add_to_error_table): new function, from Derrick J - Brashear - -2001-05-06 Assar Westerlund - - * com_err.h: add printf formats for gcc - -2001-02-28 Johan Danielsson - - * error.c (initialize_error_table_r): put table at end of the list - -2001-02-15 Assar Westerlund - - * com_err.c (default_proc): add printf attributes - -2000-08-16 Assar Westerlund - - * Makefile.am: bump version to 1:1:0 - -2000-07-31 Assar Westerlund - - * com_right.h (initialize_error_table_r): fix prototype - -2000-04-05 Assar Westerlund - - * com_err.c (_et_lit): explicitly initialize it to NULL to make - dyld on Darwin/MacOS X happy - -2000-01-16 Assar Westerlund - - * com_err.h: remove __P definition (now in com_right.h). this - file always includes com_right.h so that's where it should reside. 
- * com_right.h: moved __P here and added it to the function - prototypes - * com_err.h (error_table_name): add __P - -1999-07-03 Assar Westerlund - - * parse.y (statement): use asprintf - -1999-06-13 Assar Westerlund - - * Makefile.in: make it solaris make vpath-safe - -Thu Apr 1 11:13:53 1999 Johan Danielsson - - * compile_et.c: use getargs - -Sat Mar 20 00:16:30 1999 Assar Westerlund - - * compile_et.c: static-ize - -Thu Mar 18 11:22:13 1999 Johan Danielsson - - * Makefile.am: include Makefile.am.common - -Tue Mar 16 22:30:05 1999 Assar Westerlund - - * parse.y: use YYACCEPT instead of return - -Sat Mar 13 22:22:56 1999 Assar Westerlund - - * compile_et.c (generate_h): cast when calling is* to get rid of a - warning - -Thu Mar 11 15:00:51 1999 Johan Danielsson - - * parse.y: prototype for error_message - -Sun Nov 22 10:39:02 1998 Assar Westerlund - - * compile_et.h: include ctype and roken - - * compile_et.c: include err.h - (generate_h): remove unused variable - - * Makefile.in (WFLAGS): set - -Fri Nov 20 06:58:59 1998 Assar Westerlund - - * lex.l: undef ECHO to work around AIX lex bug - -Sun Sep 27 02:23:59 1998 Johan Danielsson - - * com_err.c (error_message): try to pass code to strerror, to see - if it might be an errno code (this if broken, but some MIT code - seems to expect this behaviour) - -Sat Sep 26 17:42:39 1998 Johan Danielsson - - * compile_et.c: -> "foo_err.h" - -Tue Jun 30 17:17:36 1998 Assar Westerlund - - * Makefile.in: add str{cpy,cat}_truncate - -Mon May 25 05:24:39 1998 Assar Westerlund - - * Makefile.in (clean): try to remove shared library debris - -Sun Apr 19 09:50:17 1998 Assar Westerlund - - * Makefile.in: add symlink magic for linux - -Sun Apr 5 09:22:11 1998 Assar Westerlund - - * parse.y: define alloca to malloc in case we're using bison but - don't have alloca - -Tue Mar 24 05:13:01 1998 Assar Westerlund - - * Makefile.in: link with snprintf (From Derrick J Brashear - ) - -Fri Feb 27 05:01:42 1998 Assar Westerlund - - * parse.y: 
initialize ec->next - -Thu Feb 26 02:22:25 1998 Assar Westerlund - - * Makefile.am: @LEXLIB@ - -Sat Feb 21 15:18:54 1998 assar westerlund - - * Makefile.in: set YACC and LEX - -Tue Feb 17 22:20:27 1998 Bjoern Groenvall - - * com_right.h: Change typedefs so that one may mix MIT compile_et - generated code with krb4 dito. - -Tue Feb 17 16:30:55 1998 Johan Danielsson - - * compile_et.c (generate): Always return a value. - - * parse.y: Files don't have to end with `end'. - -Mon Feb 16 16:09:20 1998 Johan Danielsson - - * lex.l (getstring): Replace getc() with input(). - - * Makefile.am: Fixes for new compile_et. diff --git a/crypto/heimdal-0.6.3/lib/com_err/Makefile.am b/crypto/heimdal-0.6.3/lib/com_err/Makefile.am deleted file mode 100644 index ae48cb5f3b..0000000000 --- a/crypto/heimdal-0.6.3/lib/com_err/Makefile.am +++ /dev/null @@ -1,24 +0,0 @@ -# $Id: Makefile.am,v 1.27 2002/03/10 23:52:41 assar Exp $ - -include $(top_srcdir)/Makefile.am.common - -YFLAGS = -d - -lib_LTLIBRARIES = libcom_err.la -libcom_err_la_LDFLAGS = -version-info 2:1:1 - -bin_PROGRAMS = compile_et - -include_HEADERS = com_err.h com_right.h - -compile_et_SOURCES = compile_et.c compile_et.h parse.y lex.l - -libcom_err_la_SOURCES = error.c com_err.c roken_rename.h - -CLEANFILES = lex.c parse.c parse.h - -$(compile_et_OBJECTS): parse.h parse.c ## XXX broken automake 1.4s - -compile_et_LDADD = \ - $(LIB_roken) \ - $(LEXLIB) diff --git a/crypto/heimdal-0.6.3/lib/com_err/Makefile.in b/crypto/heimdal-0.6.3/lib/com_err/Makefile.in deleted file mode 100644 index 579f9c14a4..0000000000 --- a/crypto/heimdal-0.6.3/lib/com_err/Makefile.in +++ /dev/null 
@@ -1,867 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.27 2002/03/10 23:52:41 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - - - -SOURCES = $(libcom_err_la_SOURCES) $(compile_et_SOURCES) - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../.. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(include_HEADERS) $(srcdir)/Makefile.am \ - $(srcdir)/Makefile.in $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common ChangeLog lex.c parse.c \ - parse.h -bin_PROGRAMS = compile_et$(EXEEXT) -subdir = lib/com_err -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - 
$(top_srcdir)/cf/krb-readline.m4 \ - $(top_srcdir)/cf/krb-struct-spwd.m4 \ - $(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(includedir)" -libLTLIBRARIES_INSTALL = $(INSTALL) -LTLIBRARIES = $(lib_LTLIBRARIES) -libcom_err_la_LIBADD = -am_libcom_err_la_OBJECTS = error.lo com_err.lo -libcom_err_la_OBJECTS = $(am_libcom_err_la_OBJECTS) -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -PROGRAMS = $(bin_PROGRAMS) -am_compile_et_OBJECTS = compile_et.$(OBJEXT) parse.$(OBJEXT) \ - lex.$(OBJEXT) -compile_et_OBJECTS = $(am_compile_et_OBJECTS) -am__DEPENDENCIES_1 = -compile_et_DEPENDENCIES = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -LEXCOMPILE = $(LEX) $(LFLAGS) $(AM_LFLAGS) -LTLEXCOMPILE = $(LIBTOOL) --mode=compile $(LEX) $(LFLAGS) $(AM_LFLAGS) -YACCCOMPILE = $(YACC) $(YFLAGS) $(AM_YFLAGS) -LTYACCCOMPILE = $(LIBTOOL) --mode=compile $(YACC) $(YFLAGS) \ - $(AM_YFLAGS) -SOURCES = $(libcom_err_la_SOURCES) $(compile_et_SOURCES) -DIST_SOURCES = $(libcom_err_la_SOURCES) $(compile_et_SOURCES) -includeHEADERS_INSTALL = $(INSTALL_HEADER) -HEADERS = $(include_HEADERS) -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ 
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = 
@LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ 
-am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) 
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -YFLAGS = -d -lib_LTLIBRARIES = libcom_err.la -libcom_err_la_LDFLAGS = -version-info 2:1:1 -include_HEADERS = com_err.h com_right.h -compile_et_SOURCES = compile_et.c compile_et.h parse.y lex.l -libcom_err_la_SOURCES = error.c com_err.c roken_rename.h -CLEANFILES = lex.c parse.c parse.h -compile_et_LDADD = \ - $(LIB_roken) \ - $(LEXLIB) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .l .lo .o .obj .y -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps lib/com_err/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps lib/com_err/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' 
in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -install-libLTLIBRARIES: $(lib_LTLIBRARIES) - @$(NORMAL_INSTALL) - test -z "$(libdir)" || $(mkdir_p) "$(DESTDIR)$(libdir)" - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - if test -f $$p; then \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \ - $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \ - else :; fi; \ - done - -uninstall-libLTLIBRARIES: - @$(NORMAL_UNINSTALL) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - p="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \ - $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \ - done - -clean-libLTLIBRARIES: - -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ - test "$$dir" = "$$p" && dir=.; \ - echo "rm -f \"$${dir}/so_locations\""; \ - rm -f "$${dir}/so_locations"; \ - done -libcom_err.la: $(libcom_err_la_OBJECTS) $(libcom_err_la_DEPENDENCIES) - $(LINK) -rpath $(libdir) $(libcom_err_la_LDFLAGS) $(libcom_err_la_OBJECTS) $(libcom_err_la_LIBADD) $(LIBS) -install-binPROGRAMS: $(bin_PROGRAMS) - 
@$(NORMAL_INSTALL) - test -z "$(bindir)" || $(mkdir_p) "$(DESTDIR)$(bindir)" - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(bindir)/$$f'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(bindir)/$$f" || exit 1; \ - else :; fi; \ - done - -uninstall-binPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f '$(DESTDIR)$(bindir)/$$f'"; \ - rm -f "$(DESTDIR)$(bindir)/$$f"; \ - done - -clean-binPROGRAMS: - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -parse.h: parse.c - @if test ! 
-f $@; then \ - rm -f parse.c; \ - $(MAKE) parse.c; \ - else :; fi -compile_et$(EXEEXT): $(compile_et_OBJECTS) $(compile_et_DEPENDENCIES) - @rm -f compile_et$(EXEEXT) - $(LINK) $(compile_et_LDFLAGS) $(compile_et_OBJECTS) $(compile_et_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c $< - -.c.obj: - $(COMPILE) -c `$(CYGPATH_W) '$<'` - -.c.lo: - $(LTCOMPILE) -c -o $@ $< - -.l.c: - $(LEXCOMPILE) $< - sed '/^#/ s|$(LEX_OUTPUT_ROOT)\.c|$@|' $(LEX_OUTPUT_ROOT).c >$@ - rm -f $(LEX_OUTPUT_ROOT).c - -.y.c: - $(YACCCOMPILE) $< - if test -f y.tab.h; then \ - to=`echo "$*_H" | sed \ - -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/' \ - -e 's/[^ABCDEFGHIJKLMNOPQRSTUVWXYZ]/_/g'`; \ - sed "/^#/ s/Y_TAB_H/$$to/g" y.tab.h >$*.ht; \ - rm -f y.tab.h; \ - if cmp -s $*.ht $*.h; then \ - rm -f $*.ht ;\ - else \ - mv $*.ht $*.h; \ - fi; \ - fi - if test -f y.output; then \ - mv y.output $*.output; \ - fi - sed '/^#/ s|y\.tab\.c|$@|' y.tab.c >$@t && mv $@t $@ - rm -f y.tab.c - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -install-includeHEADERS: $(include_HEADERS) - @$(NORMAL_INSTALL) - test -z "$(includedir)" || $(mkdir_p) "$(DESTDIR)$(includedir)" - @list='$(include_HEADERS)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \ - $(includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \ - done - -uninstall-includeHEADERS: - @$(NORMAL_UNINSTALL) - @list='$(include_HEADERS)'; for p in $$list; do \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " rm -f '$(DESTDIR)$(includedir)/$$f'"; \ - rm -f "$(DESTDIR)$(includedir)/$$f"; \ - done - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; 
do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/../.. 
$(distdir)/../../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(HEADERS) all-local -install-binPROGRAMS: install-libLTLIBRARIES - -installdirs: - for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(includedir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - 
-maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." - -rm -f parse.h - -rm -f lex.c - -rm -f parse.c -clean: clean-am - -clean-am: clean-binPROGRAMS clean-generic clean-libLTLIBRARIES \ - clean-libtool mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: install-includeHEADERS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: install-binPROGRAMS install-libLTLIBRARIES - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-binPROGRAMS uninstall-includeHEADERS \ - uninstall-info-am uninstall-libLTLIBRARIES - -.PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \ - clean clean-binPROGRAMS clean-generic clean-libLTLIBRARIES \ - clean-libtool ctags distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-binPROGRAMS install-data install-data-am install-exec \ - install-exec-am install-includeHEADERS install-info \ - install-info-am install-libLTLIBRARIES install-man \ - install-strip installcheck installcheck-am installdirs \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ - pdf pdf-am ps ps-am tags uninstall uninstall-am \ - uninstall-binPROGRAMS 
uninstall-includeHEADERS \ - uninstall-info-am uninstall-libLTLIBRARIES - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; 
\ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -$(compile_et_OBJECTS): parse.h parse.c ## XXX broken automake 1.4s -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal-0.6.3/lib/com_err/com_err.c b/crypto/heimdal-0.6.3/lib/com_err/com_err.c deleted file mode 100644 index ea0ac7c967..0000000000 --- a/crypto/heimdal-0.6.3/lib/com_err/com_err.c +++ /dev/null 
@@ -1,173 +0,0 @@
-/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: com_err.c,v 1.18 2002/03/10 23:07:01 assar Exp $");
-#endif
-#include
-#include
-#include
-#include
-#include "com_err.h"
-
-struct et_list *_et_list = NULL;
-
-
-const char *
-error_message (long code)
-{
- static char msg[128];
- const char *p = com_right(_et_list, code);
- if (p == NULL) {
- if (code < 0)
- sprintf(msg, "Unknown error %ld", code);
- else
- p = strerror(code);
- }
- if (p != NULL && *p != '\0') {
- strncpy(msg, p, sizeof(msg) - 1);
- msg[sizeof(msg) - 1] = 0;
- } else
- sprintf(msg, "Unknown error %ld", code);
- return msg;
-}
-
-int
-init_error_table(const char **msgs, long base, int count)
-{
- initialize_error_table_r(&_et_list, msgs, count, base);
- return 0;
-}
-
-static void
-default_proc (const char *whoami, long code, const char *fmt, va_list args)
- __attribute__((__format__(__printf__, 3, 0)));
-
-static void
-default_proc (const char *whoami, long code, const char *fmt, va_list args)
-{
- if (whoami)
- fprintf(stderr, "%s: ", whoami);
- if (code)
- fprintf(stderr, "%s ", error_message(code));
- if (fmt)
- vfprintf(stderr, fmt, args);
- fprintf(stderr, "\r\n"); /* ??? */
-}
-
-static errf com_err_hook = default_proc;
-
-void
-com_err_va (const char *whoami,
- long code,
- const char *fmt,
- va_list args)
-{
- (*com_err_hook) (whoami, code, fmt, args);
-}
-
-void
-com_err (const char *whoami,
- long code,
- const char *fmt,
- ...)
-{
- va_list ap;
- va_start(ap, fmt);
- com_err_va (whoami, code, fmt, ap);
- va_end(ap);
-}
-
-errf
-set_com_err_hook (errf new)
-{
- errf old = com_err_hook;
-
- if (new)
- com_err_hook = new;
- else
- com_err_hook = default_proc;
-
- return old;
-}
-
-errf
-reset_com_err_hook (void)
-{
- return set_com_err_hook(NULL);
-}
-
-#define ERRCODE_RANGE 8 /* # of bits to shift table number */
-#define BITS_PER_CHAR 6 /* # bits to shift per character in name */
-
-static const char char_set[] =
- "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_";
-
-static char buf[6];
-
-const char *
-error_table_name(int num)
-{
- int ch;
- int i;
- char *p;
-
- /* num = aa aaa abb bbb bcc ccc cdd ddd d?? ??? ??? */
- p = buf;
- num >>= ERRCODE_RANGE;
- /* num = ?? ??? ??? aaa aaa bbb bbb ccc ccc ddd ddd */
- num &= 077777777;
- /* num = 00 000 000 aaa aaa bbb bbb ccc ccc ddd ddd */
- for (i = 4; i >= 0; i--) {
- ch = (num >> BITS_PER_CHAR * i) & ((1 << BITS_PER_CHAR) - 1);
- if (ch != 0)
- *p++ = char_set[ch-1];
- }
- *p = '\0';
- return(buf);
-}
-
-void
-add_to_error_table(struct et_list *new_table)
-{
- struct et_list *et;
-
- for (et = _et_list; et; et = et->next) {
- if (et->table->base == new_table->table->base)
- return;
- }
-
- new_table->next = _et_list;
- _et_list = new_table;
-}
diff --git a/crypto/heimdal-0.6.3/lib/com_err/com_err.h b/crypto/heimdal-0.6.3/lib/com_err/com_err.h
deleted file mode 100644
index a76214bdc5..0000000000
--- a/crypto/heimdal-0.6.3/lib/com_err/com_err.h
+++ /dev/null
@@ -1,65 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: com_err.h,v 1.9 2001/05/11 20:03:36 assar Exp $ */
-
-/* MIT compatible com_err library */
-
-#ifndef __COM_ERR_H__
-#define __COM_ERR_H__
-
-#include
-
-#if !defined(__GNUC__) && !defined(__attribute__)
-#define __attribute__(X)
-#endif
-
-typedef void (*errf) __P((const char *, long, const char *, va_list));
-
-const char * error_message __P((long));
-int init_error_table __P((const char**, long, int));
-
-void com_err_va __P((const char *, long, const char *, va_list))
- __attribute__((format(printf, 3, 0)));
-
-void com_err __P((const char *, long, const char *, ...))
- __attribute__((format(printf, 3, 4)));
-
-errf set_com_err_hook __P((errf));
-errf reset_com_err_hook __P((void));
-
-const char *error_table_name __P((int num));
-
-void add_to_error_table __P((struct et_list *new_table));
-
-#endif /* __COM_ERR_H__ */
diff --git a/crypto/heimdal-0.6.3/lib/com_err/com_right.h b/crypto/heimdal-0.6.3/lib/com_err/com_right.h
deleted file mode 100644
index c87bb0d1de..0000000000
--- a/crypto/heimdal-0.6.3/lib/com_err/com_right.h
+++ /dev/null
@@ -1,66 +0,0 @@
-/*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: com_right.h,v 1.11 2000/07/31 01:11:08 assar Exp $ */
-
-#ifndef __COM_RIGHT_H__
-#define __COM_RIGHT_H__
-
-#ifdef __STDC__
-#include
-#endif
-
-#ifndef __P
-#ifdef __STDC__
-#define __P(X) X
-#else
-#define __P(X) ()
-#endif
-#endif
-
-struct error_table {
- char const * const * msgs;
- long base;
- int n_msgs;
-};
-struct et_list {
- struct et_list *next;
- struct error_table *table;
-};
-extern struct et_list *_et_list;
-
-const char *com_right __P((struct et_list *list, long code));
-void initialize_error_table_r __P((struct et_list **, const char **, int, long));
-void free_error_table __P((struct et_list *));
-
-#endif /* __COM_RIGHT_H__ */
diff --git a/crypto/heimdal-0.6.3/lib/com_err/compile_et.c b/crypto/heimdal-0.6.3/lib/com_err/compile_et.c
deleted file mode 100644
index b19b21808e..0000000000
--- a/crypto/heimdal-0.6.3/lib/com_err/compile_et.c
+++ /dev/null
@@ -1,237 +0,0 @@ -/* - * Copyright (c) 1998-2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#undef ROKEN_RENAME -#include "compile_et.h" -#include - -RCSID("$Id: compile_et.c,v 1.16 2002/08/20 12:44:51 joda Exp $"); - -#include -#include -#include "parse.h" - -int numerror; -extern FILE *yyin; - -extern void yyparse(void); - -long base; -int number; -char *prefix; -char *id_str; - -char name[128]; -char Basename[128]; - -#ifdef YYDEBUG -extern int yydebug = 1; -#endif - -char *filename; -char hfn[128]; -char cfn[128]; - -struct error_code *codes = NULL; - -static int -generate_c(void) -{ - int n; - struct error_code *ec; - - FILE *c_file = fopen(cfn, "w"); - if(c_file == NULL) - return 1; - - fprintf(c_file, "/* Generated from %s */\n", filename); - if(id_str) - fprintf(c_file, "/* %s */\n", id_str); - fprintf(c_file, "\n"); - fprintf(c_file, "#include \n"); - fprintf(c_file, "#include \n"); - fprintf(c_file, "#include \"%s\"\n", hfn); - fprintf(c_file, "\n"); - - fprintf(c_file, "static const char *%s_error_strings[] = {\n", name); - - for(ec = codes, n = 0; ec; ec = ec->next, n++) { - while(n < ec->number) { - fprintf(c_file, "\t/* %03d */ \"Reserved %s error (%d)\",\n", - n, name, n); - n++; - - } - fprintf(c_file, "\t/* %03d */ \"%s\",\n", ec->number, ec->string); - } - - fprintf(c_file, "\tNULL\n"); - fprintf(c_file, "};\n"); - fprintf(c_file, "\n"); - fprintf(c_file, "#define num_errors %d\n", number); - fprintf(c_file, "\n"); - fprintf(c_file, - "void initialize_%s_error_table_r(struct et_list **list)\n", - name); - fprintf(c_file, "{\n"); - fprintf(c_file, - " initialize_error_table_r(list, %s_error_strings, " - "num_errors, ERROR_TABLE_BASE_%s);\n", name, name); - fprintf(c_file, "}\n"); - fprintf(c_file, "\n"); - fprintf(c_file, "void initialize_%s_error_table(void)\n", name); - fprintf(c_file, "{\n"); - fprintf(c_file, - " init_error_table(%s_error_strings, ERROR_TABLE_BASE_%s, " - "num_errors);\n", name, name); - fprintf(c_file, "}\n"); - - fclose(c_file); - return 0; -} - -static int -generate_h(void) -{ - struct error_code *ec; - 
char fn[128]; - FILE *h_file = fopen(hfn, "w"); - char *p; - - if(h_file == NULL) - return 1; - - snprintf(fn, sizeof(fn), "__%s__", hfn); - for(p = fn; *p; p++) - if(!isalnum((unsigned char)*p)) - *p = '_'; - - fprintf(h_file, "/* Generated from %s */\n", filename); - if(id_str) - fprintf(h_file, "/* %s */\n", id_str); - fprintf(h_file, "\n"); - fprintf(h_file, "#ifndef %s\n", fn); - fprintf(h_file, "#define %s\n", fn); - fprintf(h_file, "\n"); - fprintf(h_file, "struct et_list;\n"); - fprintf(h_file, "\n"); - fprintf(h_file, - "void initialize_%s_error_table_r(struct et_list **);\n", - name); - fprintf(h_file, "\n"); - fprintf(h_file, "void initialize_%s_error_table(void);\n", name); - fprintf(h_file, "#define init_%s_err_tbl initialize_%s_error_table\n", - name, name); - fprintf(h_file, "\n"); - fprintf(h_file, "typedef enum %s_error_number{\n", name); - - for(ec = codes; ec; ec = ec->next) { - fprintf(h_file, "\t%s = %ld%s\n", ec->name, base + ec->number, - (ec->next != NULL) ? "," : ""); - } - - fprintf(h_file, "} %s_error_number;\n", name); - fprintf(h_file, "\n"); - fprintf(h_file, "#define ERROR_TABLE_BASE_%s %ld\n", name, base); - fprintf(h_file, "\n"); - fprintf(h_file, "#endif /* %s */\n", fn); - - - fclose(h_file); - return 0; -} - -static int -generate(void) -{ - return generate_c() || generate_h(); -} - -int version_flag; -int help_flag; -struct getargs args[] = { - { "version", 0, arg_flag, &version_flag }, - { "help", 0, arg_flag, &help_flag } -}; -int num_args = sizeof(args) / sizeof(args[0]); - -static void -usage(int code) -{ - arg_printusage(args, num_args, NULL, "error-table"); - exit(code); -} - -int -main(int argc, char **argv) -{ - char *p; - int optind = 0; - - setprogname(argv[0]); - if(getarg(args, num_args, argc, argv, &optind)) - usage(1); - if(help_flag) - usage(0); - if(version_flag) { - print_version(NULL); - exit(0); - } - - if(optind == argc) - usage(1); - filename = argv[optind]; - yyin = fopen(filename, "r"); - if(yyin == NULL) - 
err(1, "%s", filename); - - - p = strrchr(filename, '/'); - if(p) - p++; - else - p = filename; - strncpy(Basename, p, sizeof(Basename)); - Basename[sizeof(Basename) - 1] = '\0'; - - Basename[strcspn(Basename, ".")] = '\0'; - - snprintf(hfn, sizeof(hfn), "%s.h", Basename); - snprintf(cfn, sizeof(cfn), "%s.c", Basename); - - yyparse(); - if(numerror) - return 1; - - return generate(); -} diff --git a/crypto/heimdal-0.6.3/lib/com_err/compile_et.h b/crypto/heimdal-0.6.3/lib/com_err/compile_et.h deleted file mode 100644 index 86dd1131a7..0000000000 --- a/crypto/heimdal-0.6.3/lib/com_err/compile_et.h +++ /dev/null 
@@ -1,79 +0,0 @@
-/*
- * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: compile_et.h,v 1.6 2000/07/01 20:21:48 assar Exp $ */
-
-#ifndef __COMPILE_ET_H__
-#define __COMPILE_ET_H__
-
-#ifdef HAVE_CONFIG_H
-#include
-#endif
-
-#include
-#include
-#include
-#include
-#include
-#include
-
-extern long base;
-extern int number;
-extern char *prefix;
-extern char name[128];
-extern char *id_str;
-extern char *filename;
-extern int numerror;
-
-struct error_code {
- unsigned number;
- char *name;
- char *string;
- struct error_code *next, **tail;
-};
-
-extern struct error_code *codes;
-
-#define APPEND(L, V) \
-do { \
- if((L) == NULL) { \
- (L) = (V); \
- (L)->tail = &(V)->next; \
- (L)->next = NULL; \
- }else{ \
- *(L)->tail = (V); \
- (L)->tail = &(V)->next; \
- } \
-}while(0)
-
-#endif /* __COMPILE_ET_H__ */
diff --git a/crypto/heimdal-0.6.3/lib/com_err/error.c b/crypto/heimdal-0.6.3/lib/com_err/error.c
deleted file mode 100644
index b22f25b41a..0000000000
--- a/crypto/heimdal-0.6.3/lib/com_err/error.c
+++ /dev/null
@@ -1,91 +0,0 @@
-/*
- * Copyright (c) 1997, 1998, 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: error.c,v 1.15 2001/02/28 20:00:13 joda Exp $");
-#endif
-#include
-#include
-#include
-#include
-
-const char *
-com_right(struct et_list *list, long code)
-{
- struct et_list *p;
- for (p = list; p; p = p->next) {
- if (code >= p->table->base && code < p->table->base + p->table->n_msgs)
- return p->table->msgs[code - p->table->base];
- }
- return NULL;
-}
-
-struct foobar {
- struct et_list etl;
- struct error_table et;
-};
-
-void
-initialize_error_table_r(struct et_list **list,
- const char **messages,
- int num_errors,
- long base)
-{
- struct et_list *et, **end;
- struct foobar *f;
- for (end = list, et = *list; et; end = &et->next, et = et->next)
- if (et->table->msgs == messages)
- return;
- f = malloc(sizeof(*f));
- if (f == NULL)
- return;
- et = &f->etl;
- et->table = &f->et;
- et->table->msgs = messages;
- et->table->n_msgs = num_errors;
- et->table->base = base;
- et->next = NULL;
- *end = et;
-}
-
-
-void
-free_error_table(struct et_list *et)
-{
- while(et){
- struct et_list *p = et;
- et = et->next;
- free(p);
- }
-}
diff --git a/crypto/heimdal-0.6.3/lib/com_err/lex.h b/crypto/heimdal-0.6.3/lib/com_err/lex.h
deleted file mode 100644
index 9912bf4f09..0000000000
--- a/crypto/heimdal-0.6.3/lib/com_err/lex.h
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: lex.h,v 1.1 2000/06/22 00:42:52 assar Exp $ */
-
-void error_message (const char *, ...)
-__attribute__ ((format (printf, 1, 2)));
-
-int yylex(void);
diff --git a/crypto/heimdal-0.6.3/lib/com_err/lex.l b/crypto/heimdal-0.6.3/lib/com_err/lex.l
deleted file mode 100644
index e98db6f865..0000000000
--- a/crypto/heimdal-0.6.3/lib/com_err/lex.l
+++ /dev/null
@@ -1,126 +0,0 @@ -%{ -/* - * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* - * This is to handle the definition of this symbol in some AIX - * headers, which will conflict with the definition that lex will - * generate for it. It's only a problem for AIX lex. 
- */ - -#undef ECHO - -#include "compile_et.h" -#include "parse.h" -#include "lex.h" - -RCSID("$Id: lex.l,v 1.6 2000/06/22 00:42:52 assar Exp $"); - -static unsigned lineno = 1; -static int getstring(void); - -#define YY_NO_UNPUT - -#undef ECHO - -%} - - -%% -et { return ET; } -error_table { return ET; } -ec { return EC; } -error_code { return EC; } -prefix { return PREFIX; } -index { return INDEX; } -id { return ID; } -end { return END; } -[0-9]+ { yylval.number = atoi(yytext); return NUMBER; } -#[^\n]* ; -[ \t] ; -\n { lineno++; } -\" { return getstring(); } -[a-zA-Z0-9_]+ { yylval.string = strdup(yytext); return STRING; } -. { return *yytext; } -%% - -#ifndef yywrap /* XXX */ -int -yywrap () -{ - return 1; -} -#endif - -static int -getstring(void) -{ - char x[128]; - int i = 0; - int c; - int quote = 0; - while((c = input()) != EOF){ - if(quote) { - x[i++] = c; - quote = 0; - continue; - } - if(c == '\n'){ - error_message("unterminated string"); - lineno++; - break; - } - if(c == '\\'){ - quote++; - continue; - } - if(c == '\"') - break; - x[i++] = c; - } - x[i] = '\0'; - yylval.string = strdup(x); - return STRING; -} - -void -error_message (const char *format, ...) -{ - va_list args; - - va_start (args, format); - fprintf (stderr, "%s:%d:", filename, lineno); - vfprintf (stderr, format, args); - va_end (args); - numerror++; -} diff --git a/crypto/heimdal-0.6.3/lib/com_err/parse.y b/crypto/heimdal-0.6.3/lib/com_err/parse.y deleted file mode 100644 index 82e99ffb80..0000000000 --- a/crypto/heimdal-0.6.3/lib/com_err/parse.y +++ /dev/null 
@@ -1,167 +0,0 @@ -%{ -/* - * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "compile_et.h" -#include "lex.h" - -RCSID("$Id: parse.y,v 1.11 2000/06/22 00:42:52 assar Exp $"); - -void yyerror (char *s); -static long name2number(const char *str); - -extern char *yytext; - -/* This is for bison */ - -#if !defined(alloca) && !defined(HAVE_ALLOCA) -#define alloca(x) malloc(x) -#endif - -%} - -%union { - char *string; - int number; -} - -%token ET INDEX PREFIX EC ID END -%token STRING -%token NUMBER - -%% - -file : /* */ - | header statements - ; - -header : id et - | et - ; - -id : ID STRING - { - id_str = $2; - } - ; - -et : ET STRING - { - base = name2number($2); - strncpy(name, $2, sizeof(name)); - name[sizeof(name) - 1] = '\0'; - free($2); - } - | ET STRING STRING - { - base = name2number($2); - strncpy(name, $3, sizeof(name)); - name[sizeof(name) - 1] = '\0'; - free($2); - free($3); - } - ; - -statements : statement - | statements statement - ; - -statement : INDEX NUMBER - { - number = $2; - } - | PREFIX STRING - { - prefix = realloc(prefix, strlen($2) + 2); - strcpy(prefix, $2); - strcat(prefix, "_"); - free($2); - } - | PREFIX - { - prefix = realloc(prefix, 1); - *prefix = '\0'; - } - | EC STRING ',' STRING - { - struct error_code *ec = malloc(sizeof(*ec)); - - ec->next = NULL; - ec->number = number; - if(prefix && *prefix != '\0') { - asprintf (&ec->name, "%s%s", prefix, $2); - free($2); - } else - ec->name = $2; - ec->string = $4; - APPEND(codes, ec); - number++; - } - | END - { - YYACCEPT; - } - ; - -%% - -static long -name2number(const char *str) -{ - const char *p; - long base = 0; - const char *x = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" - "abcdefghijklmnopqrstuvwxyz0123456789_"; - if(strlen(str) > 4) { - yyerror("table name too long"); - return 0; - } - for(p = str; *p; p++){ - char *q = strchr(x, *p); - if(q == NULL) { - yyerror("invalid character in table name"); - return 0; - } - base = (base << 6) + (q - x) + 1; - } - base <<= 8; - if(base > 0x7fffffff) - base = -(0xffffffff - base + 1); - return base; -} - -void 
-yyerror (char *s) -{ - error_message ("%s\n", s); -} diff --git a/crypto/heimdal-0.6.3/lib/com_err/roken_rename.h b/crypto/heimdal-0.6.3/lib/com_err/roken_rename.h deleted file mode 100644 index 173c9a7d5a..0000000000 --- a/crypto/heimdal-0.6.3/lib/com_err/roken_rename.h +++ /dev/null 
@@ -1,39 +0,0 @@
-/*
- * Copyright (c) 1998 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: roken_rename.h,v 1.3 1999/12/02 16:58:38 joda Exp $ */
-
-#ifndef __roken_rename_h__
-#define __roken_rename_h__
-
-#endif /* __roken_rename_h__ */
diff --git a/crypto/heimdal-0.6.3/lib/des/COPYRIGHT b/crypto/heimdal-0.6.3/lib/des/COPYRIGHT
deleted file mode 100644
index db46855817..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/COPYRIGHT
+++ /dev/null
@@ -1,50 +0,0 @@ -Copyright (C) 1995-1997 Eric Young (eay@mincom.oz.au) -All rights reserved. - -This package is an DES implementation written by Eric Young (eay@mincom.oz.au). -The implementation was written so as to conform with MIT's libdes. - -This library is free for commercial and non-commercial use as long as -the following conditions are aheared to. The following conditions -apply to all code found in this distribution. - -Copyright remains Eric Young's, and as such any Copyright notices in -the code are not to be removed. -If this package is used in a product, Eric Young should be given attribution -as the author of that the SSL library. This can be in the form of a textual -message at program startup or in documentation (online or textual) provided -with the package. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions -are met: -1. Redistributions of source code must retain the copyright - notice, this list of conditions and the following disclaimer. -2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. -3. All advertising materials mentioning features or use of this software - must display the following acknowledgement: - This product includes software developed by Eric Young (eay@mincom.oz.au) - -THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -SUCH DAMAGE. - -The license and distribution terms for any publically available version or -derivative of this code cannot be changed. i.e. this code cannot simply be -copied and put under another distrubution license -[including the GNU Public License.] - -The reason behind this being stated in this direct manner is past -experience in code simply being copied and the attribution removed -from it and then being distributed as part of other packages. This -implementation was a non-trivial and unpaid effort. diff --git a/crypto/heimdal-0.6.3/lib/des/ChangeLog b/crypto/heimdal-0.6.3/lib/des/ChangeLog deleted file mode 100644 index 9f988da392..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/ChangeLog +++ /dev/null 
@@ -1,172 +0,0 @@ -2003-03-19 Love Hörnquist Åstrand - - * des.1: sunOS -> SunOS, from jmc - -2003-03-19 Love Hörnquist Åstrand - - * des.1: spelling, from - -2002-08-28 Johan Danielsson - - * read_pwd.c: move NeXT SGTTY stuff here - -2001-05-17 Assar Westerlund - - * Makefile.am: bump version to 3:1:0 - -2001-05-11 Assar Westerlund - - * str2key.c (des_string_to_key, des_string_to_2keys): avoid weak - keys - -2001-02-16 Assar Westerlund - - * set_key.c: correct weak keys and update comment - -2001-02-14 Assar Westerlund - - * set_key.c: correct the two last weak keys in accordance with - FIPS 74. noted by - -2001-01-30 Assar Westerlund - - * Makefile.am (libdes_la_LDFLAGS): bump version to 3:0:0 - -2000-10-19 Assar Westerlund - - * Makefile.in (LIBSRC, LIBOBJ): add rc4* and enc_{read,write} - files so that this library contains the same things as libdes in - Heimdal - -2000-08-16 Assar Westerlund - - * Makefile.am: bump version to 2:1:0 - -2000-08-03 Johan Danielsson - - * enc_writ.c: BSIZE -> des_BSIZE to avoid conflicts with AIX - jfs/fsparam.h - - * enc_read.c: BSIZE -> des_BSIZE to avoid conflicts with AIX - jfs/fsparam.h - - * des_locl.h: BSIZE -> des_BSIZE to avoid conflicts with AIX - jfs/fsparam.h - -2000-02-07 Assar Westerlund - - * Makefile.am: set version to 2:0:0 - -2000-01-26 Assar Westerlund - - * mdtest.c: update to pseudo-standard APIs for md4,md5,sha. - * md4.c, md4.h, md5.c, md5.h, sha.c, sha.h: move to the - pseudo-standard APIs - -1999-12-06 Assar Westerlund - - * Makefile.am: set version to 1:0:1 - -1999-11-29 Assar Westerlund - - * fcrypt.c (crypt_md5): add trailing $ - -1999-11-13 Assar Westerlund - - * Makefile.am (include_HEADERS): add rc4.h - (libdes_la_SOURCES): add rc4_skey.c - -1999-10-28 Assar Westerlund - - * md5crypt_test.c: change the test case. apparently we should not - include $ after the salt. also make it print more useful stuff - when failing. 
- -1999-10-20 Assar Westerlund - - * Makefile.am: bump version to 0:2:0 - -1999-09-21 Johan Danielsson - - * des.h: make this work with mips 64-bit abi - -1999-08-14 Johan Danielsson - - * fcrypt.c (crypt_md5): don't use snprintf - -1999-08-13 Assar Westerlund - - * Makefile.am: add md5crypt_test - - * Makefile.in: add md5crypt_test - - * md5crypt_test.c: test md5 crypt - - * fcrypt.c: always enable md5 crypt - -1999-07-26 Johan Danielsson - - * Makefile.am: bump version number (changes to md*, sha) - -1999-06-15 Assar Westerlund - - * sha.c (swap_u_int32_t): add _CRAY - -Sat Apr 10 23:02:30 1999 Johan Danielsson - - * destest.c: fixes for crays - -Thu Apr 1 11:26:38 1999 Johan Danielsson - - * Makefile.am: noinst_PROGRAMS -> check_PROGRAMS; add TESTS; don't - build rpw, and speed - -Mon Mar 22 20:16:26 1999 Johan Danielsson - - * Makefile.am: hash.h - - * sha.c: use hash.h; fixes for crays - - * md5.c: use hash.h; fixes for crays - - * md4.c: use hash.h; fixes for crays - - * hash.h: common stuff from md4, md5, and sha1 - -Sat Mar 20 00:16:53 1999 Assar Westerlund - - * rnd_keys.c (des_rand_data): move declaration to get rid of - warning - -Thu Mar 18 11:22:28 1999 Johan Danielsson - - * Makefile.am: include Makefile.am.common - -Mon Mar 15 17:36:41 1999 Johan Danielsson - - * rnd_keys.c (des_rand_data): if not using setitimer, block - SIGCHLD around fork(), also make sure we get the status of the - child process - (fake_signal): emulate signal using sigaction - -Tue Jan 12 05:06:54 1999 Assar Westerlund - - * des.h: sparcv9 is also 64 bits, use `unsigned int' instead of - `unsigned long' - -Sun Nov 22 10:40:09 1998 Assar Westerlund - - * Makefile.in (WFLAGS): set - -Mon May 25 05:24:56 1998 Assar Westerlund - - * Makefile.in (clean): try to remove shared library debris - -Sun Apr 19 09:50:53 1998 Assar Westerlund - - * Makefile.in: add symlink magic for linux - -Sun Nov 9 07:14:45 1997 Assar Westerlund - - * mdtest.c: print out old and new string - 
diff --git a/crypto/heimdal-0.6.3/lib/des/DES.pm b/crypto/heimdal-0.6.3/lib/des/DES.pm
deleted file mode 100644
index 6a175b6ca4..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/DES.pm
+++ /dev/null
@@ -1,19 +0,0 @@
-package DES;
-
-require Exporter;
-require DynaLoader;
-@ISA = qw(Exporter DynaLoader);
-# Items to export into callers namespace by default
-# (move infrequently used names to @EXPORT_OK below)
-@EXPORT = qw(
-);
-# Other items we are prepared to export if requested
-@EXPORT_OK = qw(
-crypt
-);
-
-# Preloaded methods go here. Autoload methods go after __END__, and are
-# processed by the autosplit program.
-bootstrap DES;
-1;
-__END__
diff --git a/crypto/heimdal-0.6.3/lib/des/DES.pod b/crypto/heimdal-0.6.3/lib/des/DES.pod
deleted file mode 100644
index 8a739e7ca0..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/DES.pod
+++ /dev/null
@@ -1,16 +0,0 @@
-crypt <= crypt(buf,salt)
-key <= set_odd_parity(key)
-int <= is_weak_key(key)
-keysched<= set_key(key)
-key <= ecb_encrypt(string8,ks,enc)
-key <= ecb3_encrypt(input,ks1,ks2,enc)
-string <= cbc_encrypt(input,ks,ivec,enc) => ivec
-string <= cbc3_encrypt(input,ks1,ks2,ivec1,ivec2,enc) => ivec1&ivec2
-ck1,ck2 <= cbc_cksum(input,ks,ivec) => ivec
-string <= pcbc_encrypt(input,ks,ivec,enc) => ivec
-string <= ofb_encrypt(input,numbits,ks,ivec) => ivec
-string <= cfb_encrypt(input,numbits,ks,ivec,enc) => ivec
-key <= random_key()
-key <= string_to_key(string)
-key1,key2<= string_to_2keys(string)
-
diff --git a/crypto/heimdal-0.6.3/lib/des/DES.xs b/crypto/heimdal-0.6.3/lib/des/DES.xs
deleted file mode 100644
index def220b36b..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/DES.xs
+++ /dev/null
@@ -1,268 +0,0 @@ -#include "EXTERN.h" -#include "perl.h" -#include "XSUB.h" -#include "des.h" - -#define deschar char -static STRLEN len; - -static int -not_here(s) -char *s; -{ - croak("%s not implemented on this architecture", s); - return -1; -} - -MODULE = DES PACKAGE = DES PREFIX = des_ - -char * -des_crypt(buf,salt) - char * buf - char * salt - -void -des_set_odd_parity(key) - des_cblock * key -PPCODE: - { - SV *s; - - s=sv_newmortal(); - sv_setpvn(s,(char *)key,8); - des_set_odd_parity((des_cblock *)SvPV(s,na)); - PUSHs(s); - } - -int -des_is_weak_key(key) - des_cblock * key - -des_key_schedule -des_set_key(key) - des_cblock * key -CODE: - des_set_key(key,RETVAL); -OUTPUT: -RETVAL - -des_cblock -des_ecb_encrypt(input,ks,encrypt) - des_cblock * input - des_key_schedule * ks - int encrypt -CODE: - des_ecb_encrypt(input,&RETVAL,*ks,encrypt); -OUTPUT: -RETVAL - -void -des_cbc_encrypt(input,ks,ivec,encrypt) - char * input - des_key_schedule * ks - des_cblock * ivec - int encrypt -PPCODE: - { - SV *s; - STRLEN len,l; - char *c; - - l=SvCUR(ST(0)); - len=((((unsigned long)l)+7)/8)*8; - s=sv_newmortal(); - sv_setpvn(s,"",0); - SvGROW(s,len); - SvCUR_set(s,len); - c=(char *)SvPV(s,na); - des_cbc_encrypt((des_cblock *)input,(des_cblock *)c, - l,*ks,ivec,encrypt); - sv_setpvn(ST(2),(char *)c[len-8],8); - PUSHs(s); - } - -void -des_cbc3_encrypt(input,ks1,ks2,ivec1,ivec2,encrypt) - char * input - des_key_schedule * ks1 - des_key_schedule * ks2 - des_cblock * ivec1 - des_cblock * ivec2 - int encrypt -PPCODE: - { - SV *s; - STRLEN len,l; - - l=SvCUR(ST(0)); - len=((((unsigned long)l)+7)/8)*8; - s=sv_newmortal(); - sv_setpvn(s,"",0); - SvGROW(s,len); - SvCUR_set(s,len); - des_3cbc_encrypt((des_cblock *)input,(des_cblock *)SvPV(s,na), - l,*ks1,*ks2,ivec1,ivec2,encrypt); - sv_setpvn(ST(3),(char *)ivec1,8); - sv_setpvn(ST(4),(char *)ivec2,8); - PUSHs(s); - } - -void -des_cbc_cksum(input,ks,ivec) - char * input - des_key_schedule * ks - des_cblock * ivec -PPCODE: - { - SV 
*s1,*s2; - STRLEN len,l; - des_cblock c; - unsigned long i1,i2; - - s1=sv_newmortal(); - s2=sv_newmortal(); - l=SvCUR(ST(0)); - des_cbc_cksum((des_cblock *)input,(des_cblock *)c, - l,*ks,ivec); - i1=c[4]|(c[5]<<8)|(c[6]<<16)|(c[7]<<24); - i2=c[0]|(c[1]<<8)|(c[2]<<16)|(c[3]<<24); - sv_setiv(s1,i1); - sv_setiv(s2,i2); - sv_setpvn(ST(2),(char *)c,8); - PUSHs(s1); - PUSHs(s2); - } - -void -des_cfb_encrypt(input,numbits,ks,ivec,encrypt) - char * input - int numbits - des_key_schedule * ks - des_cblock * ivec - int encrypt -PPCODE: - { - SV *s; - STRLEN len; - char *c; - - len=SvCUR(ST(0)); - s=sv_newmortal(); - sv_setpvn(s,"",0); - SvGROW(s,len); - SvCUR_set(s,len); - c=(char *)SvPV(s,na); - des_cfb_encrypt((unsigned char *)input,(unsigned char *)c, - (int)numbits,(long)len,*ks,ivec,encrypt); - sv_setpvn(ST(3),(char *)ivec,8); - PUSHs(s); - } - -des_cblock * -des_ecb3_encrypt(input,ks1,ks2,encrypt) - des_cblock * input - des_key_schedule * ks1 - des_key_schedule * ks2 - int encrypt -CODE: - { - des_cblock c; - - des_3ecb_encrypt((des_cblock *)input,(des_cblock *)&c, - *ks1,*ks2,encrypt); - RETVAL= &c; - } -OUTPUT: -RETVAL - -void -des_ofb_encrypt(input,numbits,ks,ivec) - unsigned char * input - int numbits - des_key_schedule * ks - des_cblock * ivec -PPCODE: - { - SV *s; - STRLEN len,l; - unsigned char *c; - - len=SvCUR(ST(0)); - s=sv_newmortal(); - sv_setpvn(s,"",0); - SvGROW(s,len); - SvCUR_set(s,len); - c=(unsigned char *)SvPV(s,na); - des_ofb_encrypt((unsigned char *)input,(unsigned char *)c, - numbits,len,*ks,ivec); - sv_setpvn(ST(3),(char *)ivec,8); - PUSHs(s); - } - -void -des_pcbc_encrypt(input,ks,ivec,encrypt) - char * input - des_key_schedule * ks - des_cblock * ivec - int encrypt -PPCODE: - { - SV *s; - STRLEN len,l; - char *c; - - l=SvCUR(ST(0)); - len=((((unsigned long)l)+7)/8)*8; - s=sv_newmortal(); - sv_setpvn(s,"",0); - SvGROW(s,len); - SvCUR_set(s,len); - c=(char *)SvPV(s,na); - des_pcbc_encrypt((des_cblock *)input,(des_cblock *)c, - 
l,*ks,ivec,encrypt); - sv_setpvn(ST(2),(char *)c[len-8],8); - PUSHs(s); - } - -des_cblock * -des_random_key() -CODE: - { - des_cblock c; - - des_random_key(c); - RETVAL=&c; - } -OUTPUT: -RETVAL - -des_cblock * -des_string_to_key(str) -char * str -CODE: - { - des_cblock c; - - des_string_to_key(str,&c); - RETVAL=&c; - } -OUTPUT: -RETVAL - -void -des_string_to_2keys(str) -char * str -PPCODE: - { - des_cblock c1,c2; - SV *s1,*s2; - - des_string_to_2keys(str,&c1,&c2); - EXTEND(sp,2); - s1=sv_newmortal(); - sv_setpvn(s1,(char *)c1,8); - s2=sv_newmortal(); - sv_setpvn(s2,(char *)c2,8); - PUSHs(s1); - PUSHs(s2); - } diff --git a/crypto/heimdal-0.6.3/lib/des/FILES b/crypto/heimdal-0.6.3/lib/des/FILES deleted file mode 100644 index 4c7ea2de7a..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/FILES +++ /dev/null 
@@ -1,96 +0,0 @@ -/* General stuff */ -COPYRIGHT - Copyright info. -MODES.DES - A description of the features of the different modes of DES. -FILES - This file. -INSTALL - How to make things compile. -Imakefile - For use with kerberos. -README - What this package is. -VERSION - Which version this is and what was changed. -KERBEROS - Kerberos version 4 notes. -Makefile.PL - An old makefile to build with perl5, not current. -Makefile.ssl - The SSLeay makefile -Makefile.uni - The normal unix makefile. -GNUmakefile - The makefile for use with glibc. -makefile.bc - A Borland C makefile -times - Some outputs from 'speed' on some machines. -vms.com - For use when compiling under VMS - -/* My SunOS des(1) replacement */ -des.c - des(1) source code. -des.man - des(1) manual. - -/* Testing and timing programs. */ -destest.c - Source for libdes.a test program. -speed.c - Source for libdes.a timing program. -rpw.c - Source for libdes.a testing password reading routines. - -/* libdes.a source code */ -des_crypt.man - libdes.a manual page. -des.h - Public libdes.a header file. -ecb_enc.c - des_ecb_encrypt() source, this contains the basic DES code. -ecb3_enc.c - des_ecb3_encrypt() source. -cbc_ckm.c - des_cbc_cksum() source. -cbc_enc.c - des_cbc_encrypt() source. -ncbc_enc.c - des_cbc_encrypt() that is 'normal' in that it copies - the new iv values back in the passed iv vector. -ede_enc.c - des_ede3_cbc_encrypt() cbc mode des using triple DES. -cbc3_enc.c - des_3cbc_encrypt() source, don't use this function. -cfb_enc.c - des_cfb_encrypt() source. -cfb64enc.c - des_cfb64_encrypt() cfb in 64 bit mode but setup to be - used as a stream cipher. -cfb64ede.c - des_ede3_cfb64_encrypt() cfb in 64 bit mode but setup to be - used as a stream cipher and using triple DES. -ofb_enc.c - des_cfb_encrypt() source. -ofb64_enc.c - des_ofb_encrypt() ofb in 64 bit mode but setup to be - used as a stream cipher. 
-ofb64ede.c - des_ede3_ofb64_encrypt() ofb in 64 bit mode but setup to be - used as a stream cipher and using triple DES. -enc_read.c - des_enc_read() source. -enc_writ.c - des_enc_write() source. -pcbc_enc.c - des_pcbc_encrypt() source. -qud_cksm.c - quad_cksum() source. -rand_key.c - des_random_key() source. -read_pwd.c - Source for des_read_password() plus related functions. -set_key.c - Source for des_set_key(). -str2key.c - Covert a string of any length into a key. -fcrypt.c - A small, fast version of crypt(3). -des_locl.h - Internal libdes.a header file. -podd.h - Odd parity tables - used in des_set_key(). -sk.h - Lookup tables used in des_set_key(). -spr.h - What is left of the S tables - used in ecb_encrypt(). -des_ver.h - header file for the external definition of the - version string. -des.doc - SSLeay documentation for the library. - -/* The perl scripts - you can ignore these files they are only - * included for the curious */ -des.pl - des in perl anyone? des_set_key and des_ecb_encrypt - both done in a perl library. -testdes.pl - Testing program for des.pl -doIP - Perl script used to develop IP xor/shift code. -doPC1 - Perl script used to develop PC1 xor/shift code. -doPC2 - Generates sk.h. -PC1 - Output of doPC1 should be the same as output from PC1. -PC2 - used in development of doPC2. -shifts.pl - Perl library used by my perl scripts. - -/* I started making a perl5 dynamic library for libdes - * but did not fully finish, these files are part of that effort. */ -DES.pm -DES.pod -DES.xs -t -typemap - -/* The following are for use with sun RPC implementaions. */ -rpc_des.h -rpc_enc.c - -/* The following are contibuted by Mark Murray . They - * are not normally built into libdes due to machine specific routines - * contained in them. They are for use in the most recent incarnation of - * export kerberos v 4 (eBones). */ -supp.c -new_rkey.c - - 
diff --git a/crypto/heimdal-0.6.3/lib/des/INSTALL b/crypto/heimdal-0.6.3/lib/des/INSTALL
deleted file mode 100644
index 3b8dae6b5f..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/INSTALL
+++ /dev/null
@@ -1,69 +0,0 @@ -Check the CC and CFLAGS lines in the makefile - -If your C library does not support the times(3) function, change the -#define TIMES to -#undef TIMES in speed.c -If it does, check the HZ value for the times(3) function. -If your system does not define CLK_TCK it will be assumed to -be 100.0. - -If possible use gcc v 2.7.? -Turn on the maximum optimising (normally '-O3 -fomit-frame-pointer' for gcc) -In recent times, some system compilers give better performace. - -type 'make' - -run './destest' to check things are ok. -run './rpw' to check the tty code for reading passwords works. -run './speed' to see how fast those optimisations make the library run :-) -run './des_opts' to determin the best compile time options. - -The output from des_opts should be put in the makefile options and des_enc.c -should be rebuilt. For 64 bit computers, do not use the DES_PTR option. -For the DEC Alpha, edit des.h and change DES_LONG to 'unsigned int' -and then you can use the 'DES_PTR' option. - -The file options.txt has the options listed for best speed on quite a -few systems. Look and the options (UNROLL, PTR, RISC2 etc) and then -turn on the relevent option in the Makefile - -There are some special Makefile targets that make life easier. -make cc - standard cc build -make gcc - standard gcc build -make x86-elf - x86 assember (elf), linux-elf. -make x86-out - x86 assember (a.out), FreeBSD -make x86-solaris- x86 assember -make x86-bsdi - x86 assember (a.out with primative assember). - -If at all possible use the assember (for Windows NT/95, use -asm/win32.obj to link with). The x86 assember is very very fast. - -A make install will by default install -libdes.a in /usr/local/lib/libdes.a -des in /usr/local/bin/des -des_crypt.man in /usr/local/man/man3/des_crypt.3 -des.man in /usr/local/man/man1/des.1 -des.h in /usr/include/des.h - -des(1) should be compatible with sunOS's but I have been unable to -test it. 
- -These routines should compile on MSDOS, most 32bit and 64bit version -of Unix (BSD and SYSV) and VMS, without modification. -The only problems should be #include files that are in the wrong places. - -These routines can be compiled under MSDOS. -I have successfully encrypted files using des(1) under MSDOS and then -decrypted the files on a SparcStation. -I have been able to compile and test the routines with -Microsoft C v 5.1 and Turbo C v 2.0. -The code in this library is in no way optimised for the 16bit -operation of MSDOS. - -When building for glibc, ignore all of the above and just unpack into -glibc-1.??/des and then gmake as per normal. - -As a final note on performace. Certain CPUs like sparcs and Alpha often give -a %10 speed difference depending on the link order. It is rather anoying -when one program reports 'x' DES encrypts a second and another reports -'x*0.9' the speed. diff --git a/crypto/heimdal-0.6.3/lib/des/Imakefile b/crypto/heimdal-0.6.3/lib/des/Imakefile deleted file mode 100644 index 1b9b5629e1..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/Imakefile +++ /dev/null 
@@ -1,35 +0,0 @@
-# This Imakefile has not been tested for a while but it should still
-# work when placed in the correct directory in the kerberos v 4 distribution
-
-SRCS= cbc_cksm.c cbc_enc.c ecb_enc.c pcbc_enc.c \
- qud_cksm.c rand_key.c read_pwd.c set_key.c str2key.c \
- enc_read.c enc_writ.c fcrypt.c cfb_enc.c \
- ecb3_enc.c ofb_enc.c ofb64enc.c
-
-OBJS= cbc_cksm.o cbc_enc.o ecb_enc.o pcbc_enc.o \
- qud_cksm.o rand_key.o read_pwd.o set_key.o str2key.o \
- enc_read.o enc_writ.o fcrypt.o cfb_enc.o \
- ecb3_enc.o ofb_enc.o ofb64enc.o
-
-GENERAL=COPYRIGHT FILES INSTALL Imakefile README VERSION makefile times \
- vms.com KERBEROS
-DES= des.c des.man
-TESTING=destest.c speed.c rpw.c
-LIBDES= des_crypt.man des.h des_locl.h podd.h sk.h spr.h
-
-PERL= des.pl testdes.pl doIP doPC1 doPC2 PC1 PC2 shifts.pl
-
-CODE= $(GENERAL) $(DES) $(TESTING) $(SRCS) $(LIBDES) $(PERL)
-
-SRCDIR=$(SRCTOP)/lib/des
-
-DBG= -O
-INCLUDE= -I$(SRCDIR)
-CC= cc
-
-library_obj_rule()
-
-install_library_target(des,$(OBJS),$(SRCS),)
-
-test(destest,libdes.a,)
-test(rpw,libdes.a,)
diff --git a/crypto/heimdal-0.6.3/lib/des/KERBEROS b/crypto/heimdal-0.6.3/lib/des/KERBEROS
deleted file mode 100644
index f401b10014..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/KERBEROS
+++ /dev/null
@@ -1,41 +0,0 @@ - [ This is an old file, I don't know if it is true anymore - but I will leave the file here - eay 21/11/95 ] - -To use this library with Bones (kerberos without DES): -1) Get my modified Bones - eBones. It can be found on - gondwana.ecr.mu.oz.au (128.250.1.63) /pub/athena/eBones-p9.tar.Z - and - nic.funet.fi (128.214.6.100) /pub/unix/security/Kerberos/eBones-p9.tar.Z - -2) Unpack this library in src/lib/des, makeing sure it is version - 3.00 or greater (libdes.tar.93-10-07.Z). This versions differences - from the version in comp.sources.misc volume 29 patchlevel2. - The primarily difference is that it should compile under kerberos :-). - It can be found at. - ftp.psy.uq.oz.au (130.102.32.1) /pub/DES/libdes.tar.93-10-07.Z - -Now do a normal kerberos build and things should work. - -One problem I found when I was build on my local sun. ---- -For sunOS 4.1.1 apply the following patch to src/util/ss/make_commands.c - -*** make_commands.c.orig Fri Jul 3 04:18:35 1987 ---- make_commands.c Wed May 20 08:47:42 1992 -*************** -*** 98,104 **** - if (!rename(o_file, z_file)) { - if (!vfork()) { - chdir("/tmp"); -! execl("/bin/ld", "ld", "-o", o_file+5, "-s", "-r", "-n", - z_file+5, 0); - perror("/bin/ld"); - _exit(1); ---- 98,104 ---- - if (!rename(o_file, z_file)) { - if (!vfork()) { - chdir("/tmp"); -! execl("/bin/ld", "ld", "-o", o_file+5, "-s", "-r", - z_file+5, 0); - perror("/bin/ld"); - _exit(1); diff --git a/crypto/heimdal-0.6.3/lib/des/MODES.DES b/crypto/heimdal-0.6.3/lib/des/MODES.DES deleted file mode 100644 index 18934b56c3..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/MODES.DES +++ /dev/null 
@@ -1,84 +0,0 @@ -Modes of DES -Quite a bit of the following information has been taken from - AS 2805.5.2 - Australian Standard - Electronic funds transfer - Requirements for interfaces, - Part 5.2: Modes of operation for an n-bit block cipher algorithm - Appendix A - -There are several different modes in which DES can be used, they are -as follows. - -Electronic Codebook Mode (ECB) (des_ecb_encrypt()) -- 64 bits are enciphered at a time. -- The order of the blocks can be rearranged without detection. -- The same plaintext block always produces the same ciphertext block - (for the same key) making it vulnerable to a 'dictionary attack'. -- An error will only affect one ciphertext block. - -Cipher Block Chaining Mode (CBC) (des_cbc_encrypt()) -- a multiple of 64 bits are enciphered at a time. -- The CBC mode produces the same ciphertext whenever the same - plaintext is encrypted using the same key and starting variable. -- The chaining operation makes the ciphertext blocks dependent on the - current and all preceding plaintext blocks and therefore blocks can not - be rearranged. -- The use of different starting variables prevents the same plaintext - enciphering to the same ciphertext. -- An error will affect the current and the following ciphertext blocks. - -Cipher Feedback Mode (CFB) (des_cfb_encrypt()) -- a number of bits (j) <= 64 are enciphered at a time. -- The CFB mode produces the same ciphertext whenever the same - plaintext is encrypted using the same key and starting variable. -- The chaining operation makes the ciphertext variables dependent on the - current and all preceding variables and therefore j-bit variables are - chained together and con not be rearranged. -- The use of different starting variables prevents the same plaintext - enciphering to the same ciphertext. -- The strength of the CFB mode depends on the size of k (maximal if - j == k). In my implementation this is always the case. 
-- Selection of a small value for j will require more cycles through - the encipherment algorithm per unit of plaintext and thus cause - greater processing overheads. -- Only multiples of j bits can be enciphered. -- An error will affect the current and the following ciphertext variables. - -Output Feedback Mode (OFB) (des_ofb_encrypt()) -- a number of bits (j) <= 64 are enciphered at a time. -- The OFB mode produces the same ciphertext whenever the same - plaintext enciphered using the same key and starting variable. More - over, in the OFB mode the same key stream is produced when the same - key and start variable are used. Consequently, for security reasons - a specific start variable should be used only once for a given key. -- The absence of chaining makes the OFB more vulnerable to specific attacks. -- The use of different start variables values prevents the same - plaintext enciphering to the same ciphertext, by producing different - key streams. -- Selection of a small value for j will require more cycles through - the encipherment algorithm per unit of plaintext and thus cause - greater processing overheads. -- Only multiples of j bits can be enciphered. -- OFB mode of operation does not extend ciphertext errors in the - resultant plaintext output. Every bit error in the ciphertext causes - only one bit to be in error in the deciphered plaintext. -- OFB mode is not self-synchronising. If the two operation of - encipherment and decipherment get out of synchronism, the system needs - to be re-initialised. -- Each re-initialisation should use a value of the start variable -different from the start variable values used before with the same -key. The reason for this is that an identical bit stream would be -produced each time from the same parameters. This would be -susceptible to a 'known plaintext' attack. - -Triple ECB Mode (des_3ecb_encrypt()) -- Encrypt with key1, decrypt with key2 and encrypt with key1 again. 
-- As for ECB encryption but increases the effective key length to 112 bits.
-- If both keys are the same it is equivalent to encrypting once with
- just one key.
-
-Triple CBC Mode (des_3cbc_encrypt())
-- Encrypt with key1, decrypt with key2 and encrypt with key1 again.
-- As for CBC encryption but increases the effective key length to 112 bits.
-- If both keys are the same it is equivalent to encrypting once with
- just one key.
diff --git a/crypto/heimdal-0.6.3/lib/des/Makefile.PL b/crypto/heimdal-0.6.3/lib/des/Makefile.PL
deleted file mode 100644
index b54a24387c..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/Makefile.PL
+++ /dev/null
@@ -1,14 +0,0 @@
-use ExtUtils::MakeMaker;
-# See lib/ExtUtils/MakeMaker.pm for details of how to influence
-# the contents of the Makefile being created.
-&writeMakefile(
- 'potential_libs' => '', # e.g., '-lm'
- 'INC' => '', # e.g., '-I/usr/include/other'
- 'DISTNAME' => 'DES',
- 'VERSION' => '0.1',
- 'DEFINE' => '-DPERL5',
- 'OBJECT' => 'DES.o cbc_cksm.o cbc_enc.o ecb_enc.o pcbc_enc.o \
- rand_key.o set_key.o str2key.o \
- enc_read.o enc_writ.o fcrypt.o cfb_enc.o \
- ecb3_enc.o ofb_enc.o cbc3_enc.o des_enc.o',
- );
diff --git a/crypto/heimdal-0.6.3/lib/des/Makefile.am b/crypto/heimdal-0.6.3/lib/des/Makefile.am
deleted file mode 100644
index f8a745ba42..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/Makefile.am
+++ /dev/null
@@ -1,116 +0,0 @@ -# $Id: Makefile.am,v 1.26 2001/08/04 03:10:23 assar Exp $ - -include $(top_srcdir)/Makefile.am.common - -lib_LTLIBRARIES = libdes.la -libdes_la_LDFLAGS = -version-info 3:1:0 - -include_HEADERS = des.h md4.h md5.h sha.h rc4.h - -build_HEADERZ = $(include_HEADERS) - -check_PROGRAMS = destest mdtest md5crypt_test - -TESTS = destest mdtest md5crypt_test -CHECK_LOCAL = -bin_PROGRAMS = des #rpw speed - -des_SOURCES = des.c des_ver.h - -LDADD = $(lib_LTLIBRARIES) - -libdes_la_SOURCES = \ - cbc3_enc.c \ - cbc_cksm.c \ - cbc_enc.c \ - cfb64ede.c \ - cfb64enc.c \ - cfb_enc.c \ - des_enc.c \ - des_locl.h \ - ecb3_enc.c \ - ecb_enc.c \ - ede_enc.c \ - enc_read.c \ - enc_writ.c \ - fcrypt.c \ - hash.h \ - key_par.c \ - md4.c \ - md5.c \ - ncbc_enc.c \ - ofb64ede.c \ - ofb64enc.c \ - ofb_enc.c \ - pcbc_enc.c \ - podd.h \ - qud_cksm.c \ - rc4_skey.c \ - rc4_enc.c \ - read_pwd.c \ - rnd_keys.c \ - set_key.c \ - sha.c \ - sk.h \ - spr.h \ - str2key.c \ - xcbc_enc.c - -EXTRA_libdes_la_SOURCES = dllmain.c passwd_dialog.aps passwd_dialog.clw \ - passwd_dialog.rc passwd_dialog.res passwd_dlg.c passwd_dlg.h resource.h - -man_MANS = des.1 des_crypt.3 - -## this is an awful lot of junk, but it's just as well to include everything -EXTRA_DIST = \ - COPYRIGHT \ - DES.pm \ - DES.pod \ - DES.xs \ - FILES \ - Imakefile \ - KERBEROS \ - MODES.DES \ - Makefile.PL \ - Makefile.ssl \ - Makefile.uni \ - PC1 \ - PC2 \ - VERSION \ - des.def \ - des.dsp \ - des.doc \ - des.mak \ - des.man \ - des.org \ - des.pl \ - des_crypt.man \ - des_locl.org \ - des_opts.c \ - doIP \ - doPC1 \ - doPC2 \ - makefile.bc \ - rand_key.c \ - rpc_des.h \ - rpc_enc.c \ - shifts.pl \ - supp.c \ - testdes.pl \ - times \ - typemap \ - version.h \ - vms.com - -asm_files = des-som2.pl des-som3.pl des586.pl des686.pl desboth.pl \ - dx86-cpp.s dx86unix.cpp readme win32.asm win32.obj win32.uu x86ms.pl \ - x86unix.pl - -dist-hook: - $(mkinstalldirs) $(distdir)/t - $(INSTALL_DATA) $(srcdir)/t/perl $(distdir)/t - 
$(INSTALL_DATA) $(srcdir)/t/test $(distdir)/t - $(mkinstalldirs) $(distdir)/asm - (cd $(srcdir)/asm && tar cf - $(asm_files)) \ - | (cd $(distdir)/asm; tar xf -) - diff --git a/crypto/heimdal-0.6.3/lib/des/Makefile.in b/crypto/heimdal-0.6.3/lib/des/Makefile.in deleted file mode 100644 index 676d1e7e98..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/Makefile.in +++ /dev/null 
@@ -1,1124 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.26 2001/08/04 03:10:23 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - - - -SOURCES = $(libdes_la_SOURCES) $(EXTRA_libdes_la_SOURCES) $(des_SOURCES) destest.c md5crypt_test.c mdtest.c - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../.. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = README $(include_HEADERS) $(srcdir)/Makefile.am \ - $(srcdir)/Makefile.in $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common ChangeLog INSTALL -check_PROGRAMS = destest$(EXEEXT) mdtest$(EXEEXT) \ - md5crypt_test$(EXEEXT) -bin_PROGRAMS = des$(EXEEXT) -subdir = lib/des -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - 
$(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - $(top_srcdir)/cf/krb-struct-spwd.m4 \ - $(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(includedir)" -libLTLIBRARIES_INSTALL = $(INSTALL) -LTLIBRARIES = $(lib_LTLIBRARIES) -libdes_la_LIBADD = -am_libdes_la_OBJECTS = cbc3_enc.lo cbc_cksm.lo cbc_enc.lo cfb64ede.lo \ - cfb64enc.lo cfb_enc.lo des_enc.lo ecb3_enc.lo ecb_enc.lo \ - ede_enc.lo enc_read.lo enc_writ.lo fcrypt.lo key_par.lo md4.lo \ - md5.lo ncbc_enc.lo ofb64ede.lo ofb64enc.lo ofb_enc.lo \ - pcbc_enc.lo qud_cksm.lo rc4_skey.lo rc4_enc.lo read_pwd.lo \ - rnd_keys.lo set_key.lo sha.lo str2key.lo xcbc_enc.lo -libdes_la_OBJECTS = $(am_libdes_la_OBJECTS) -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -PROGRAMS = $(bin_PROGRAMS) -am_des_OBJECTS = des.$(OBJEXT) -des_OBJECTS = $(am_des_OBJECTS) -des_LDADD = $(LDADD) -am__DEPENDENCIES_1 = libdes.la -des_DEPENDENCIES = $(am__DEPENDENCIES_1) -destest_SOURCES = destest.c -destest_OBJECTS = destest.$(OBJEXT) -destest_LDADD = $(LDADD) -destest_DEPENDENCIES = $(am__DEPENDENCIES_1) -md5crypt_test_SOURCES = md5crypt_test.c -md5crypt_test_OBJECTS = md5crypt_test.$(OBJEXT) -md5crypt_test_LDADD = $(LDADD) -md5crypt_test_DEPENDENCIES = 
$(am__DEPENDENCIES_1) -mdtest_SOURCES = mdtest.c -mdtest_OBJECTS = mdtest.$(OBJEXT) -mdtest_LDADD = $(LDADD) -mdtest_DEPENDENCIES = $(am__DEPENDENCIES_1) -DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -SOURCES = $(libdes_la_SOURCES) $(EXTRA_libdes_la_SOURCES) \ - $(des_SOURCES) destest.c md5crypt_test.c mdtest.c -DIST_SOURCES = $(libdes_la_SOURCES) $(EXTRA_libdes_la_SOURCES) \ - $(des_SOURCES) destest.c md5crypt_test.c mdtest.c -man1dir = $(mandir)/man1 -man3dir = $(mandir)/man3 -MANS = $(man_MANS) -includeHEADERS_INSTALL = $(INSTALL_HEADER) -HEADERS = $(include_HEADERS) -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ 
-EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = 
@LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ 
-ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ 
-NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -lib_LTLIBRARIES = libdes.la -libdes_la_LDFLAGS = -version-info 3:1:0 -include_HEADERS = des.h md4.h md5.h sha.h rc4.h -build_HEADERZ = $(include_HEADERS) -TESTS = destest mdtest md5crypt_test -CHECK_LOCAL = -des_SOURCES = des.c des_ver.h -LDADD = $(lib_LTLIBRARIES) -libdes_la_SOURCES = \ - cbc3_enc.c \ - cbc_cksm.c \ - cbc_enc.c \ - cfb64ede.c \ - cfb64enc.c \ - cfb_enc.c \ - des_enc.c \ - des_locl.h \ - ecb3_enc.c \ - ecb_enc.c \ - ede_enc.c \ - enc_read.c \ - enc_writ.c \ - fcrypt.c \ - hash.h \ - key_par.c \ - md4.c \ - md5.c \ - ncbc_enc.c \ - ofb64ede.c \ - ofb64enc.c \ - ofb_enc.c \ - pcbc_enc.c \ - podd.h \ - qud_cksm.c \ - rc4_skey.c \ - rc4_enc.c \ - read_pwd.c \ - rnd_keys.c \ - set_key.c \ - sha.c \ - sk.h \ - spr.h \ - str2key.c \ - xcbc_enc.c - -EXTRA_libdes_la_SOURCES = dllmain.c passwd_dialog.aps passwd_dialog.clw \ - passwd_dialog.rc passwd_dialog.res passwd_dlg.c passwd_dlg.h resource.h - -man_MANS = des.1 des_crypt.3 -EXTRA_DIST = \ - COPYRIGHT \ - DES.pm \ - DES.pod \ - DES.xs \ - FILES \ - Imakefile \ - KERBEROS \ - MODES.DES \ - Makefile.PL \ - Makefile.ssl \ - Makefile.uni \ - PC1 \ - PC2 \ - VERSION \ - des.def \ - des.dsp \ - des.doc \ - des.mak \ - des.man \ - des.org \ - des.pl \ - des_crypt.man \ - des_locl.org \ - des_opts.c \ - doIP \ - doPC1 \ - doPC2 \ - makefile.bc \ - rand_key.c \ - rpc_des.h \ - rpc_enc.c \ - shifts.pl \ - supp.c \ - testdes.pl \ - times \ - typemap \ - version.h \ - vms.com - -asm_files = des-som2.pl des-som3.pl des586.pl des686.pl desboth.pl \ - dx86-cpp.s dx86unix.cpp readme win32.asm win32.obj win32.uu x86ms.pl \ - x86unix.pl - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 
.3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps lib/des/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps lib/des/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -install-libLTLIBRARIES: $(lib_LTLIBRARIES) - @$(NORMAL_INSTALL) - test -z "$(libdir)" || $(mkdir_p) "$(DESTDIR)$(libdir)" - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - if test -f $$p; then \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \ - $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \ - else :; fi; \ - done - -uninstall-libLTLIBRARIES: - @$(NORMAL_UNINSTALL) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - p="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) 
--mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \ - $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \ - done - -clean-libLTLIBRARIES: - -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ - test "$$dir" = "$$p" && dir=.; \ - echo "rm -f \"$${dir}/so_locations\""; \ - rm -f "$${dir}/so_locations"; \ - done -libdes.la: $(libdes_la_OBJECTS) $(libdes_la_DEPENDENCIES) - $(LINK) -rpath $(libdir) $(libdes_la_LDFLAGS) $(libdes_la_OBJECTS) $(libdes_la_LIBADD) $(LIBS) -install-binPROGRAMS: $(bin_PROGRAMS) - @$(NORMAL_INSTALL) - test -z "$(bindir)" || $(mkdir_p) "$(DESTDIR)$(bindir)" - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(bindir)/$$f'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(bindir)/$$f" || exit 1; \ - else :; fi; \ - done - -uninstall-binPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f '$(DESTDIR)$(bindir)/$$f'"; \ - rm -f "$(DESTDIR)$(bindir)/$$f"; \ - done - -clean-binPROGRAMS: - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done - -clean-checkPROGRAMS: - @list='$(check_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -des$(EXEEXT): $(des_OBJECTS) $(des_DEPENDENCIES) - @rm -f des$(EXEEXT) - $(LINK) $(des_LDFLAGS) $(des_OBJECTS) $(des_LDADD) $(LIBS) -destest$(EXEEXT): $(destest_OBJECTS) $(destest_DEPENDENCIES) - @rm -f destest$(EXEEXT) - $(LINK) 
$(destest_LDFLAGS) $(destest_OBJECTS) $(destest_LDADD) $(LIBS) -md5crypt_test$(EXEEXT): $(md5crypt_test_OBJECTS) $(md5crypt_test_DEPENDENCIES) - @rm -f md5crypt_test$(EXEEXT) - $(LINK) $(md5crypt_test_LDFLAGS) $(md5crypt_test_OBJECTS) $(md5crypt_test_LDADD) $(LIBS) -mdtest$(EXEEXT): $(mdtest_OBJECTS) $(mdtest_DEPENDENCIES) - @rm -f mdtest$(EXEEXT) - $(LINK) $(mdtest_LDFLAGS) $(mdtest_OBJECTS) $(mdtest_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c $< - -.c.obj: - $(COMPILE) -c `$(CYGPATH_W) '$<'` - -.c.lo: - $(LTCOMPILE) -c -o $@ $< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -install-man1: $(man1_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - test -z "$(man1dir)" || $(mkdir_p) "$(DESTDIR)$(man1dir)" - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 1*) ;; \ - *) ext='1' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man1dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man1dir)/$$inst"; \ - done -uninstall-man1: - @$(NORMAL_UNINSTALL) - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 1*) ;; \ - *) ext='1' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; 
\ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f '$(DESTDIR)$(man1dir)/$$inst'"; \ - rm -f "$(DESTDIR)$(man1dir)/$$inst"; \ - done -install-man3: $(man3_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - test -z "$(man3dir)" || $(mkdir_p) "$(DESTDIR)$(man3dir)" - @list='$(man3_MANS) $(dist_man3_MANS) $(nodist_man3_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.3*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 3*) ;; \ - *) ext='3' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man3dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man3dir)/$$inst"; \ - done -uninstall-man3: - @$(NORMAL_UNINSTALL) - @list='$(man3_MANS) $(dist_man3_MANS) $(nodist_man3_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.3*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 3*) ;; \ - *) ext='3' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f '$(DESTDIR)$(man3dir)/$$inst'"; \ - rm -f "$(DESTDIR)$(man3dir)/$$inst"; \ - done -install-includeHEADERS: $(include_HEADERS) - @$(NORMAL_INSTALL) - test -z "$(includedir)" || $(mkdir_p) "$(DESTDIR)$(includedir)" - @list='$(include_HEADERS)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \ - 
$(includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \ - done - -uninstall-includeHEADERS: - @$(NORMAL_UNINSTALL) - @list='$(include_HEADERS)'; for p in $$list; do \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " rm -f '$(DESTDIR)$(includedir)/$$f'"; \ - rm -f "$(DESTDIR)$(includedir)/$$f"; \ - done - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -check-TESTS: $(TESTS) - @failed=0; all=0; xfail=0; xpass=0; skip=0; \ - srcdir=$(srcdir); export srcdir; \ - list='$(TESTS)'; \ - if test -n "$$list"; then \ - for tst in $$list; do \ - if test -f ./$$tst; then dir=./; \ - elif test -f 
$$tst; then dir=; \ - else dir="$(srcdir)/"; fi; \ - if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ - all=`expr $$all + 1`; \ - case " $(XFAIL_TESTS) " in \ - *" $$tst "*) \ - xpass=`expr $$xpass + 1`; \ - failed=`expr $$failed + 1`; \ - echo "XPASS: $$tst"; \ - ;; \ - *) \ - echo "PASS: $$tst"; \ - ;; \ - esac; \ - elif test $$? -ne 77; then \ - all=`expr $$all + 1`; \ - case " $(XFAIL_TESTS) " in \ - *" $$tst "*) \ - xfail=`expr $$xfail + 1`; \ - echo "XFAIL: $$tst"; \ - ;; \ - *) \ - failed=`expr $$failed + 1`; \ - echo "FAIL: $$tst"; \ - ;; \ - esac; \ - else \ - skip=`expr $$skip + 1`; \ - echo "SKIP: $$tst"; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - if test "$$xfail" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ - fi; \ - else \ - if test "$$xpass" -eq 0; then \ - banner="$$failed of $$all tests failed"; \ - else \ - banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ - fi; \ - fi; \ - dashes="$$banner"; \ - skipped=""; \ - if test "$$skip" -ne 0; then \ - skipped="($$skip tests were not run)"; \ - test `echo "$$skipped" | wc -c` -gt `echo "$$banner" | wc -c` && \ - dashes="$$skipped"; \ - fi; \ - report=""; \ - if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ - report="Please report to $(PACKAGE_BUGREPORT)"; \ - test `echo "$$report" | wc -c` -gt `echo "$$banner" | wc -c` && \ - dashes="$$report"; \ - fi; \ - dashes=`echo "$$dashes" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - test -n "$$skipped" && echo "$$skipped"; \ - test -n "$$report" && echo "$$report"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - else :; fi - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/../.. 
$(distdir)/../../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) - $(MAKE) $(AM_MAKEFLAGS) check-TESTS check-local -check: check-am -all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(MANS) $(HEADERS) \ - all-local -install-binPROGRAMS: install-libLTLIBRARIES - -installdirs: - for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(includedir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - 
-clean-generic: - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-binPROGRAMS clean-checkPROGRAMS clean-generic \ - clean-libLTLIBRARIES clean-libtool mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: install-includeHEADERS install-man - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: install-binPROGRAMS install-libLTLIBRARIES - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man1 install-man3 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-binPROGRAMS uninstall-includeHEADERS \ - uninstall-info-am uninstall-libLTLIBRARIES uninstall-man - -uninstall-man: uninstall-man1 uninstall-man3 - -.PHONY: CTAGS GTAGS all all-am all-local check check-TESTS check-am \ - check-local clean clean-binPROGRAMS clean-checkPROGRAMS \ - clean-generic clean-libLTLIBRARIES clean-libtool ctags \ - distclean distclean-compile distclean-generic \ - distclean-libtool distclean-tags distdir dvi dvi-am html \ - html-am info info-am install install-am install-binPROGRAMS \ - install-data install-data-am install-exec install-exec-am \ - install-includeHEADERS install-info install-info-am \ - install-libLTLIBRARIES install-man install-man1 install-man3 \ - install-strip installcheck installcheck-am installdirs \ - 
maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ - pdf pdf-am ps ps-am tags uninstall uninstall-am \ - uninstall-binPROGRAMS uninstall-includeHEADERS \ - uninstall-info-am uninstall-libLTLIBRARIES uninstall-man \ - uninstall-man1 uninstall-man3 - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i 
in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -dist-hook: - $(mkinstalldirs) $(distdir)/t - $(INSTALL_DATA) $(srcdir)/t/perl $(distdir)/t - $(INSTALL_DATA) $(srcdir)/t/test $(distdir)/t - $(mkinstalldirs) $(distdir)/asm - (cd $(srcdir)/asm && tar cf - $(asm_files)) \ - | (cd $(distdir)/asm; tar xf -) -# Tell versions [3.59,3.63) of GNU make to not export all variables. 
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/crypto/heimdal-0.6.3/lib/des/Makefile.ssl b/crypto/heimdal-0.6.3/lib/des/Makefile.ssl
deleted file mode 100644
index c415d393c7..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/Makefile.ssl
+++ /dev/null
@@ -1,108 +0,0 @@
-#
-# SSLeay/crypto/des/Makefile
-#
-
-DIR= des
-TOP= ../..
-CC= cc
-CPP= cc -E
-INCLUDES=
-CFLAG=-g
-INSTALLTOP=/usr/local/ssl
-MAKE= make -f Makefile.ssl
-MAKEDEPEND= makedepend -fMakefile.ssl
-MAKEFILE= Makefile.ssl
-DES_ENC= des_enc.o
-
-CFLAGS= $(INCLUDES) $(CFLAG)
-
-GENERAL=Makefile des.org des_locl.org
-TEST=destest.c
-APPS=
-
-LIB=$(TOP)/libcrypto.a
-LIBSRC= cbc3_enc.c cbc_cksm.c cbc_enc.c cfb64enc.c cfb_enc.c \
- ecb3_enc.c ecb_enc.c ede_enc.c enc_read.c enc_writ.c \
- fcrypt.c ncbc_enc.c ofb64enc.c ofb_enc.c pcbc_enc.c \
- qud_cksm.c rand_key.c read_pwd.c rpc_enc.c set_key.c \
- xcbc_enc.c des_enc.c \
- str2key.c cfb64ede.c ofb64ede.c supp.c
-
-LIBOBJ= set_key.o ecb_enc.o ede_enc.o cbc_enc.o cbc3_enc.o \
- ecb3_enc.o cfb64enc.o cfb64ede.o cfb_enc.o ofb64ede.o \
- enc_read.o enc_writ.o fcrypt.o ncbc_enc.o ofb64enc.o \
- ofb_enc.o str2key.o pcbc_enc.o qud_cksm.o rand_key.o \
- xcbc_enc.o ${DES_ENC} \
- read_pwd.o rpc_enc.o cbc_cksm.o supp.o
-
-SRC= $(LIBSRC)
-
-EXHEADER= des.h
-HEADER= des_locl.h rpc_des.h podd.h sk.h spr.h des_ver.h $(EXHEADER)
-
-ALL= $(GENERAL) $(SRC) $(HEADER)
-
-top:
- (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
-
-all: lib
-
-lib: $(LIBOBJ)
- ar r $(LIB) $(LIBOBJ)
- sh $(TOP)/util/ranlib.sh $(LIB)
- @touch lib
-
-asm/dx86-elf.o: asm/dx86-cpp.s asm/dx86unix.cpp
- $(CPP) -DELF asm/dx86unix.cpp | as -o asm/dx86-elf.o
-
-asm/dx86-sol.o: asm/dx86-cpp.s asm/dx86unix.cpp
- $(CPP) -DSOL asm/dx86unix.cpp | as -o asm/dx86-sol.o
-
-asm/dx86-out.o: asm/dx86-cpp.s asm/dx86unix.cpp
- $(CPP) -DOUT asm/dx86unix.cpp | as -o asm/dx86-out.o
-
-asm/dx86bsdi.o: asm/dx86-cpp.s asm/dx86unix.cpp
- $(CPP) -DBSDI asm/dx86unix.cpp | as -o asm/dx86bsdi.o
-
-files:
- perl $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
-
-links:
- /bin/rm -f Makefile
- $(TOP)/util/point.sh Makefile.ssl Makefile ;
- /bin/rm -f des.doc
- $(TOP)/util/point.sh ../../doc/des.doc des.doc ;
- $(TOP)/util/mklink.sh ../../include $(EXHEADER)
- $(TOP)/util/mklink.sh ../../test $(TEST)
- $(TOP)/util/mklink.sh ../../apps $(APPS)
-
-install: installs
-
-installs:
- @for i in $(EXHEADER) ; \
- do \
- (cp $$i $(INSTALLTOP)/include/$$i; \
- chmod 644 $(INSTALLTOP)/include/$$i ) \
- done;
-
-tags:
- ctags $(SRC)
-
-tests:
-
-lint:
- lint -DLINT $(INCLUDES) $(SRC)>fluff
-
-depend:
- $(MAKEDEPEND) $(INCLUDES) $(PROGS) $(LIBSRC)
-
-dclean:
- perl -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
- mv -f Makefile.new $(MAKEFILE)
-
-clean:
- /bin/rm -f *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
-
-errors:
-
-# DO NOT DELETE THIS LINE -- make depend depends on it.
diff --git a/crypto/heimdal-0.6.3/lib/des/Makefile.uni b/crypto/heimdal-0.6.3/lib/des/Makefile.uni
deleted file mode 100644
index f78ea14c95..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/Makefile.uni
+++ /dev/null
@@ -1,207 +0,0 @@
-# You must select the correct terminal control system to be used to
-# turn character echo off when reading passwords. There a 5 systems
-# SGTTY - the old BSD system
-# TERMIO - most system V boxes
-# TERMIOS - SGI (ala IRIX).
-# VMS - the DEC operating system
-# MSDOS - we all know what it is :-)
-# read_pwd.c makes a reasonable guess at what is correct.
-
-# If you are on a DEC Alpha, edit des.h and change the DES_LONG
-# define to 'unsigned int'. I have seen this give a %20 speedup.
-
-OPTS0= -DRAND -DTERMIO #-DNOCONST
-
-# Version 1.94 has changed the strings_to_key function so that it is
-# now compatible with MITs when the string is longer than 8 characters.
-# If you wish to keep the old version, uncomment the following line.
-# This will affect the -E/-D options on des(1).
-#OPTS1= -DOLD_STR_TO_KEY
-
-# There are 4 possible performance options
-# -DDES_PTR
-# -DDES_RISC1
-# -DDES_RISC2 (only one of DES_RISC1 and DES_RISC2)
-# -DDES_UNROLL
-# after the initial build, run 'des_opts' to see which options are best
-# for your platform. There are some listed in options.txt
-#OPTS2= -DDES_PTR
-#OPTS3= -DDES_RISC1 # or DES_RISC2
-OPTS4= -DDES_UNROLL
-
-OPTS= $(OPTS0) $(OPTS1) $(OPTS2) $(OPTS3) $(OPTS4)
-
-CC=cc
-CFLAGS= -D_HPUX_SOURCE -Aa +O2 $(OPTS) $(CFLAG)
-
-#CC=gcc
-#CFLAGS= -O3 -fomit-frame-pointer $(OPTS) $(CFLAG)
-
-CPP=$(CC) -E
-
-DES_ENC=des_enc.o # normal C version
-#DES_ENC=asm/dx86-elf.o # elf format x86
-#DES_ENC=asm/dx86-out.o # a.out format x86
-#DES_ENC=asm/dx86-sol.o # solaris format x86
-#DES_ENC=asm/dx86bsdi.o # bsdi format x86
-
-LIBDIR=/usr/local/lib
-BINDIR=/usr/local/bin
-INCDIR=/usr/local/include
-MANDIR=/usr/local/man
-MAN1=1
-MAN3=3
-SHELL=/bin/sh
-OBJS= cbc3_enc.o cbc_cksm.o cbc_enc.o ncbc_enc.o pcbc_enc.o qud_cksm.o \
- cfb64ede.o cfb64enc.o cfb_enc.o ecb3_enc.o ecb_enc.o ede_enc.o \
- enc_read.o enc_writ.o fcrypt.o ofb64ede.o ofb64enc.o ofb_enc.o \
- rand_key.o read_pwd.o set_key.o rpc_enc.o str2key.o supp.o \
- $(DES_ENC) xcbc_enc.o
-
-GENERAL=$(GENERAL_LIT) FILES Imakefile times vms.com KERBEROS MODES.DES \
- GNUmakefile des.man DES.pm DES.pod DES.xs Makefile.PL \
- Makefile.uni typemap t Makefile.ssl makefile.bc Makefile.lit \
- des.org des_locl.org
-DES= des.c
-TESTING=rpw.c $(TESTING_LIT)
-HEADERS= $(HEADERS_LIT) rpc_des.h
-LIBDES= cbc_cksm.c pcbc_enc.c qud_cksm.c \
- cfb64ede.c cfb64enc.c cfb_enc.c ecb3_enc.c cbc3_enc.c \
- enc_read.c enc_writ.c ofb64ede.c ofb64enc.c ofb_enc.c \
- rand_key.c rpc_enc.c str2key.c supp.c \
- xcbc_enc.c $(LIBDES_LIT) read_pwd.c
-
-TESTING_LIT=destest.c speed.c des_opts.c
-GENERAL_LIT=COPYRIGHT INSTALL README VERSION Makefile des_crypt.man \
- des.doc options.txt asm
-HEADERS_LIT=des_ver.h des.h des_locl.h podd.h sk.h spr.h
-LIBDES_LIT=ede_enc.c cbc_enc.c ncbc_enc.c ecb_enc.c fcrypt.c set_key.c des_enc.c
-
-PERL= des.pl testdes.pl doIP doIP2 doPC1 doPC2 PC1 PC2 shifts.pl
-
-ALL= $(GENERAL) $(DES) $(TESTING) $(LIBDES) $(PERL) $(HEADERS)
-
-DLIB= libdes.a
-
-all: $(DLIB) destest rpw des speed des_opts
-
-cc:
- make CC=cc CFLAGS="-O $(OPTS) $(CFLAG)" all
-
-gcc:
- make CC=gcc CFLAGS="-O3 -fomit-frame-pointer $(OPTS) $(CFLAG)" all
-
-x86-elf:
- make DES_ENC=asm/dx86-elf.o CC=gcc CFLAGS="-DELF -O3 -fomit-frame-pointer $(OPTS) $(CFLAG)" all
-
-x86-out:
- make DES_ENC=asm/dx86-out.o CC=gcc CFLAGS="-DOUT -O3 -fomit-frame-pointer $(OPTS) $(CFLAG)" all
-
-x86-solaris:
- make DES_ENC=asm/dx86-sol.o CFLAGS="-DSOL -O $(OPTS) $(CFLAG)" all
-
-x86-bsdi:
- make DES_ENC=asm/dx86bsdi.o CC=gcc CFLAGS="-DBSDI -O3 -fomit-frame-pointer $(OPTS) $(CFLAG)" all
-
-asm/dx86-elf.o: asm/dx86-cpp.s asm/dx86unix.cpp
- $(CPP) -DELF asm/dx86unix.cpp | as -o asm/dx86-elf.o
-
-asm/dx86-sol.o: asm/dx86-cpp.s asm/dx86unix.cpp
- $(CPP) -DSOL asm/dx86unix.cpp | as -o asm/dx86-sol.o
-
-asm/dx86-out.o: asm/dx86-cpp.s asm/dx86unix.cpp
- $(CPP) -DOUT asm/dx86unix.cpp | as -o asm/dx86-out.o
-
-asm/dx86bsdi.o: asm/dx86-cpp.s asm/dx86unix.cpp
- $(CPP) -DBSDI asm/dx86unix.cpp | as -o asm/dx86bsdi.o
-
-test: all
- ./destest
-
-$(DLIB): $(OBJS)
- /bin/rm -f $(DLIB)
- ar cr $(DLIB) $(OBJS)
- -if test -s /bin/ranlib; then /bin/ranlib $(DLIB); \
- else if test -s /usr/bin/ranlib; then /usr/bin/ranlib $(DLIB); \
- else exit 0; fi; fi
-
-des_opts: des_opts.o libdes.a
- $(CC) $(CFLAGS) -o des_opts des_opts.o libdes.a
-
-destest: destest.o libdes.a
- $(CC) $(CFLAGS) -o destest destest.o libdes.a
-
-rpw: rpw.o libdes.a
- $(CC) $(CFLAGS) -o rpw rpw.o libdes.a
-
-speed: speed.o libdes.a
- $(CC) $(CFLAGS) -o speed speed.o libdes.a
-
-des: des.o libdes.a
- $(CC) $(CFLAGS) -o des des.o libdes.a
-
-tags:
- ctags $(DES) $(TESTING) $(LIBDES)
-
-tar_lit:
- /bin/mv Makefile Makefile.tmp
- /bin/cp Makefile.lit Makefile
- tar chf libdes-l.tar $(LIBDES_LIT) $(HEADERS_LIT) \
- $(GENERAL_LIT) $(TESTING_LIT)
- /bin/rm -f Makefile
- /bin/mv Makefile.tmp Makefile
-
-tar:
- tar chf libdes.tar $(ALL)
-
-shar:
- shar $(ALL) >libdes.shar
-
-depend:
- makedepend $(LIBDES) $(DES) $(TESTING)
-
-clean:
- /bin/rm -f *.o tags core rpw destest des speed $(DLIB) .nfs* *.old \
- *.bak destest rpw des_opts asm/*.o
-
-dclean:
- sed -e '/^# DO NOT DELETE THIS LINE/ q' Makefile >Makefile.new
- mv -f Makefile.new Makefile
-
-# Eric is probably going to choke when he next looks at this --tjh
-install: $(DLIB) des
- if test $(INSTALLTOP); then \
- echo SSL style install; \
- cp $(DLIB) $(INSTALLTOP)/lib; \
- if test -s /bin/ranlib; then \
- /bin/ranlib $(INSTALLTOP)/lib/$(DLIB); \
- else \
- if test -s /usr/bin/ranlib; then \
- /usr/bin/ranlib $(INSTALLTOP)/lib/$(DLIB); \
- fi; fi; \
- chmod 644 $(INSTALLTOP)/lib/$(DLIB); \
- cp des.h $(INSTALLTOP)/include; \
- chmod 644 $(INSTALLTOP)/include/des.h; \
- cp des $(INSTALLTOP)/bin; \
- chmod 755 $(INSTALLTOP)/bin/des; \
- else \
- echo Standalone install; \
- cp $(DLIB) $(LIBDIR)/$(DLIB); \
- if test -s /bin/ranlib; then \
- /bin/ranlib $(LIBDIR)/$(DLIB); \
- else \
- if test -s /usr/bin/ranlib; then \
- /usr/bin/ranlib $(LIBDIR)/$(DLIB); \
- fi; \
- fi; \
- chmod 644 $(LIBDIR)/$(DLIB); \
- cp des $(BINDIR)/des; \
- chmod 711 $(BINDIR)/des; \
- cp des_crypt.man $(MANDIR)/man$(MAN3)/des_crypt.$(MAN3); \
- chmod 644 $(MANDIR)/man$(MAN3)/des_crypt.$(MAN3); \
- cp des.man $(MANDIR)/man$(MAN1)/des.$(MAN1); \
- chmod 644 $(MANDIR)/man$(MAN1)/des.$(MAN1); \
- cp des.h $(INCDIR)/des.h; \
- chmod 644 $(INCDIR)/des.h; \
- fi
-# DO NOT DELETE THIS LINE -- make depend depends on it.
diff --git a/crypto/heimdal-0.6.3/lib/des/PC1 b/crypto/heimdal-0.6.3/lib/des/PC1
deleted file mode 100644
index efb8348b72..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/PC1
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/usr/local/bin/perl
-
-@PC1=( 57,49,41,33,25,17, 9,
- 1,58,50,42,34,26,18,
- 10, 2,59,51,43,35,27,
- 19,11, 3,60,52,44,36,
- "-","-","-","-",
- 63,55,47,39,31,23,15,
- 7,62,54,46,38,30,22,
- 14, 6,61,53,45,37,29,
- 21,13, 5,28,20,12, 4,
- "-","-","-","-",
- );
-
-foreach (@PC1)
- {
- if ($_ ne "-")
- {
- $_--;
- $_=int($_/8)*8+7-($_%8);
- printf "%2d ",$_;
- }
- else
- { print "-- "; }
- print "\n" if (((++$i) % 8) == 0);
- print "\n" if ((($i) % 32) == 0);
- }
-
diff --git a/crypto/heimdal-0.6.3/lib/des/PC2 b/crypto/heimdal-0.6.3/lib/des/PC2
deleted file mode 100644
index 2d560270ec..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/PC2
+++ /dev/null
@@ -1,57 +0,0 @@
-#!/usr/local/bin/perl
-
-@PC2_C=(14,17,11,24, 1, 5,
- 3,28,15, 6,21,10,
- 23,19,12, 4,26, 8,
- 16, 7,27,20,13, 2,
- );
-
-@PC2_D=(41,52,31,37,47,55,
- 30,40,51,45,33,48,
- 44,49,39,56,34,53,
- 46,42,50,36,29,32,
- );
-
-foreach (@PC2_C) {
- if ($_ ne "-")
- {
- $_--;
- printf "%2d ",$_; }
- else { print "-- "; }
- $C{$_}=1;
- print "\n" if (((++$i) % 8) == 0);
- }
-$i=0;
-print "\n";
-foreach (@PC2_D) {
- if ($_ ne "-")
- {
- $_-=29;
- printf "%2d ",$_; }
- else { print "-- "; }
- $D{$_}=1;
- print "\n" if (((++$i) % 8) == 0); }
-
-print "\n";
-foreach $i (0 .. 27)
- {
- $_=$C{$i};
- if ($_ ne "-") {printf "%2d ",$_;}
- else { print "-- "; }
- print "\n" if (((++$i) % 8) == 0);
- }
-print "\n";
-
-print "\n";
-foreach $i (0 .. 27)
- {
- $_=$D{$i};
- if ($_ ne "-") {printf "%2d ",$_;}
- else { print "-- "; }
- print "\n" if (((++$i) % 8) == 0);
- }
-print "\n";
-sub numsort
- {
- $a-$b;
- }
diff --git a/crypto/heimdal-0.6.3/lib/des/README b/crypto/heimdal-0.6.3/lib/des/README
deleted file mode 100644
index 58280c26e9..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/README
+++ /dev/null
@@ -1,54 +0,0 @@
-
- libdes, Version 4.01 13-Jan-97
-
- Copyright (c) 1997, Eric Young
- All rights reserved.
-
- This program is free software; you can redistribute it and/or modify
- it under the terms specified in COPYRIGHT.
-
---
-The primary ftp site for this library is
-ftp://ftp.psy.uq.oz.au/pub/Crypto/DES/libdes-x.xx.tar.gz
-libdes is now also shipped with SSLeay. Primary ftp site of
-ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/SSLeay-x.x.x.tar.gz
-
-The best way to build this library is to build it as part of SSLeay.
-
-This kit builds a DES encryption library and a DES encryption program.
-It supports ecb, cbc, ofb, cfb, triple ecb, triple cbc, triple ofb,
-triple cfb, desx, and MIT's pcbc encryption modes and also has a fast
-implementation of crypt(3).
-It contains support routines to read keys from a terminal,
-generate a random key, generate a key from an arbitrary length string,
-read/write encrypted data from/to a file descriptor.
-
-The implementation was written so as to conform with the manual entry
-for the des_crypt(3) library routines from MIT's project Athena.
-
-destest should be run after compilation to test the des routines.
-rpw should be run after compilation to test the read password routines.
-The des program is a replacement for the sun des command. I believe it
-conforms to the sun version.
-
-The Imakefile is setup for use in the kerberos distribution.
-
-These routines are best compiled with gcc or any other good
-optimising compiler.
-Just turn you optimiser up to the highest settings and run destest
-after the build to make sure everything works.
-
-I believe these routines are close to the fastest and most portable DES
-routines that use small lookup tables (4.5k) that are publicly available.
-The fcrypt routine is faster than ufc's fcrypt (when compiling with
-gcc2 -O2) on the sparc 2 (1410 vs 1270) but is not so good on other machines
-(on a sun3/260 168 vs 336). It is a function of CPU on chip cache size.
-[ 10-Jan-97 and a function of an incorrect speed testing program in
- ufc which gave much better test figures that reality ].
-
-It is worth noting that on sparc and Alpha CPUs, performance of the DES
-library can vary by upto %10 due to the positioning of files after application
-linkage.
-
-Eric Young (eay@mincom.oz.au)
-
diff --git a/crypto/heimdal-0.6.3/lib/des/VERSION b/crypto/heimdal-0.6.3/lib/des/VERSION
deleted file mode 100644
index bb00c3eb12..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/VERSION
+++ /dev/null
@@ -1,382 +0,0 @@ -Version 4.01 14/01/97 - Even faster inner loop in the DES assember for x86 and a modification - for IP/FP which is faster on x86. Both of these changes are - from Svend Olaf Mikkelsen . His - changes make the assember run %40 faster on a pentium. This is just - a case of getting the instruction sequence 'just right'. - All credit to 'Svend' :-) - Quite a few special x86 'make' targets. - A libdes-l (lite) distribution. - -Version 4.00 - After a bit of a pause, I'll up the major version number since this - is mostly a performace release. I've added x86 assember and - added more options for performance. A %28 speedup for gcc - on a pentium and the assember is a %50 speedup. - MIPS CPU's, sparc and Alpha are the main CPU's with speedups. - Run des_opts to work out which options should be used. - DES_RISC1/DES_RISC2 use alternative inner loops which use - more registers but should give speedups on any CPU that does - dual issue (pentium). DES_UNROLL unrolls the inner loop, - which costs in code size. - -Version 3.26 - I've finally removed one of the shifts in D_ENCRYPT. This - meant I've changed the des_SPtrans table (spr.h), the set_key() - function and some things in des_enc.c. This has definitly - made things faster :-). I've known about this one for some - time but I've been too lazy to follow it up :-). - Noticed that in the D_ENCRYPT() macro, we can just do L^=(..)^(..)^.. - instead of L^=((..)|(..)|(..).. This should save a register at - least. - Assember for x86. The file to replace is des_enc.c, which is replaced - by one of the assember files found in asm. Look at des/asm/readme - for more info. - - /* Modification to fcrypt so it can be compiled to support - HPUX 10.x's long password format, define -DLONGCRYPT to use this. - Thanks to Jens Kupferschmidt . */ - - SIGWINCH case put in des_read_passwd() so the function does not - 'exit' if this function is recieved. 
- -Version 3.25 17/07/96 - Modified read_pwd.c so that stdin can be read if not a tty. - Thanks to Jeff Barber for the patches. - des_init_random_number_generator() shortened due to VMS linker - limits. - Added RSA's DESX cbc mode. It is a form of cbc encryption, with 2 - 8 byte quantites xored before and after encryption. - des_xcbc_encryption() - the name is funny to preserve the des_ - prefix on all functions. - -Version 3.24 20/04/96 - The DES_PTR macro option checked and used by SSLeay configuration - -Version 3.23 11/04/96 - Added DES_LONG. If defined to 'unsigned int' on the DEC Alpha, - it gives a %20 speedup :-) - Fixed the problem with des.pl under perl5. The patches were - sent by Ed Kubaitis (ejk@uiuc.edu). - if fcrypt.c, changed values to handle illegal salt values the way - normal crypt() implementations do. Some programs apparently use - them :-(. The patch was sent by Bjorn Gronvall - -Version 3.22 29/11/95 - Bug in des(1), an error with the uuencoding stuff when the - 'data' is small, thanks to Geoff Keating - for the patch. - -Version 3.21 22/11/95 - After some emailing back and forth with - Colin Plumb , I've tweaked a few things - and in a future version I will probably put in some of the - optimisation he suggested for use with the DES_USE_PTR option. - Extra routines from Mark Murray for use in - freeBSD. They mostly involve random number generation for use - with kerberos. They involve evil machine specific system calls - etc so I would normally suggest pushing this stuff into the - application and/or using RAND_seed()/RAND_bytes() if you are - using this DES library as part of SSLeay. - Redone the read_pw() function so that it is cleaner and - supports termios, thanks to Sameer Parekh - for the initial patches for this. - Renamed 3ecb_encrypt() to ecb3_encrypt(). This has been - done just to make things more consistent. - I have also now added triple DES versions of cfb and ofb. 
- -Version 3.20 - Damn, Damn, Damn, as pointed out by Mike_Spreitzer.PARC@xerox.com, - my des_random_seed() function was only copying 4 bytes of the - passed seed into the init structure. It is now fixed to copy 8. - My own suggestion is to used something like MD5 :-) - -Version 3.19 - While looking at my code one day, I though, why do I keep on - calling des_encrypt(in,out,ks,enc) when every function that - calls it has in and out the same. So I dropped the 'out' - parameter, people should not be using this function. - -Version 3.18 30/08/95 - Fixed a few bit with the distribution and the filenames. - 3.17 had been munged via a move to DOS and back again. - NO CODE CHANGES - -Version 3.17 14/07/95 - Fixed ede3 cbc which I had broken in 3.16. I have also - removed some unneeded variables in 7-8 of the routines. - -Version 3.16 26/06/95 - Added des_encrypt2() which does not use IP/FP, used by triple - des routines. Tweaked things a bit elsewhere. %13 speedup on - sparc and %6 on a R4400 for ede3 cbc mode. - -Version 3.15 06/06/95 - Added des_ncbc_encrypt(), it is des_cbc mode except that it is - 'normal' and copies the new iv value back over the top of the - passed parameter. - CHANGED des_ede3_cbc_encrypt() so that it too now overwrites - the iv. THIS WILL BREAK EXISTING CODE, but since this function - only new, I feel I can change it, not so with des_cbc_encrypt :-(. - I need to update the documentation. - -Version 3.14 31/05/95 - New release upon the world, as part of my SSL implementation. - New copyright and usage stuff. Basically free for all to use - as long as you say it came from me :-) - -Version 3.13 31/05/95 - A fix in speed.c, if HZ is not defined, I set it to 100.0 - which is reasonable for most unixes except SunOS 4.x. - I now have a #ifdef sun but timing for SunOS 4.x looked very - good :-(. 
At my last job where I used SunOS 4.x, it was - defined to be 60.0 (look at the old INSTALL documentation), at - the last release had it changed to 100.0 since I now work with - Solaris2 and SVR4 boxes. - Thanks to Rory Chisholm for pointing this - one out. - -Version 3.12 08/05/95 - As pointed out by The Crypt Keeper , - my D_ENCRYPT macro in crypt() had an un-necessary variable. - It has been removed. - -Version 3.11 03/05/95 - Added des_ede3_cbc_encrypt() which is cbc mode des with 3 keys - and one iv. It is a standard and I needed it for my SSL code. - It makes more sense to use this for triple DES than - 3cbc_encrypt(). I have also added (or should I say tested :-) - cfb64_encrypt() which is cfb64 but it will encrypt a partial - number of bytes - 3 bytes in 3 bytes out. Again this is for - my SSL library, as a form of encryption to use with SSL - telnet. - -Version 3.10 22/03/95 - Fixed a bug in 3cbc_encrypt() :-(. When making repeated calls - to cbc3_encrypt, the 2 iv values that were being returned to - be used in the next call were reversed :-(. - Many thanks to Bill Wade for pointing out - this error. - -Version 3.09 01/02/95 - Fixed des_random_key to far more random, it was rather feeble - with regards to picking the initial seed. The problem was - pointed out by Olaf Kirch . - -Version 3.08 14/12/94 - Added Makefile.PL so libdes can be built into perl5. - Changed des_locl.h so RAND is always defined. - -Version 3.07 05/12/94 - Added GNUmake and stuff so the library can be build with - glibc. - -Version 3.06 30/08/94 - Added rpc_enc.c which contains _des_crypt. This is for use in - secure_rpc v 4.0 - Finally fixed the cfb_enc problems. - Fixed a few parameter parsing bugs in des (-3 and -b), thanks - to Rob McMillan - -Version 3.05 21/04/94 - for unsigned long l; gcc does not produce ((l>>34) == 0) - This causes bugs in cfb_enc. 
- Thanks to Hadmut Danisch - -Version 3.04 20/04/94 - Added a version number to des.c and libdes.a - -Version 3.03 12/01/94 - Fixed a bug in non zero iv in 3cbc_enc. - -Version 3.02 29/10/93 - I now work in a place where there are 6+ architectures and 14+ - OS versions :-). - Fixed TERMIO definition so the most sys V boxes will work :-) - -Release upon comp.sources.misc -Version 3.01 08/10/93 - Added des_3cbc_encrypt() - -Version 3.00 07/10/93 - Fixed up documentation. - quad_cksum definitely compatible with MIT's now. - -Version 2.30 24/08/93 - Triple DES now defaults to triple cbc but can do triple ecb - with the -b flag. - Fixed some MSDOS uuen/uudecoding problems, thanks to - Added prototypes. - -Version 2.22 29/06/93 - Fixed a bug in des_is_weak_key() which stopped it working :-( - thanks to engineering@MorningStar.Com. - -Version 2.21 03/06/93 - des(1) with no arguments gives quite a bit of help. - Added -c (generate ckecksum) flag to des(1). - Added -3 (triple DES) flag to des(1). - Added cfb and ofb routines to the library. - -Version 2.20 11/03/93 - Added -u (uuencode) flag to des(1). - I have been playing with byte order in quad_cksum to make it - compatible with MIT's version. All I can say is avid this - function if possible since MIT's output is endian dependent. - -Version 2.12 14/10/92 - Added MSDOS specific macro in ecb_encrypt which gives a %70 - speed up when the code is compiled with turbo C. - -Version 2.11 12/10/92 - Speedup in set_key (recoding of PC-1) - I now do it in 47 simple operations, down from 60. - Thanks to John Fletcher (john_fletcher@lccmail.ocf.llnl.gov) - for motivating me to look for a faster system :-) - The speedup is probably less that 1% but it is still 13 - instructions less :-). - -Version 2.10 06/10/92 - The code now works on the 64bit ETA10 and CRAY without modifications or - #defines. I believe the code should work on any machine that - defines long, int or short to be 8 bytes long. - Thanks to Shabbir J. 
Safdar (shabby@mentor.cc.purdue.edu) - for helping me fix the code to run on 64bit machines (he had - access to an ETA10). - Thanks also to John Fletcher - for testing the routines on a CRAY. - read_password.c has been renamed to read_passwd.c - string_to_key.c has been renamed to string2key.c - -Version 2.00 14/09/92 - Made mods so that the library should work on 64bit CPU's. - Removed all my uchar and ulong defs. To many different - versions of unix define them in their header files in too many - different combinations :-) - IRIX - Sillicon Graphics mods (mostly in read_password.c). - Thanks to Andrew Daviel (advax@erich.triumf.ca) - -Version 1.99 26/08/92 - Fixed a bug or 2 in enc_read.c - Fixed a bug in enc_write.c - Fixed a pseudo bug in fcrypt.c (very obscure). - -Version 1.98 31/07/92 - Support for the ETA10. This is a strange machine that defines - longs and ints as 8 bytes and shorts as 4 bytes. - Since I do evil things with long * that assume that they are 4 - bytes. Look in the Makefile for the option to compile for - this machine. quad_cksum appears to have problems but I - will don't have the time to fix it right now, and this is not - a function that uses DES and so will not effect the main uses - of the library. - -Version 1.97 20/05/92 eay - Fixed the Imakefile and made some changes to des.h to fix some - problems when building this package with Kerberos v 4. - -Version 1.96 18/05/92 eay - Fixed a small bug in string_to_key() where problems could - occur if des_check_key was set to true and the string - generated a weak key. - -Patch2 posted to comp.sources.misc -Version 1.95 13/05/92 eay - Added an alternative version of the D_ENCRYPT macro in - ecb_encrypt and fcrypt. Depending on the compiler, one version or the - other will be faster. This was inspired by - Dana How , and her pointers about doing the - *(ulong *)((uchar *)ptr+(value&0xfc)) - vs - ptr[value&0x3f] - to stop the C compiler doing a <<2 to convert the long array index. 
- -Version 1.94 05/05/92 eay - Fixed an incompatibility between my string_to_key and the MIT - version. When the key is longer than 8 chars, I was wrapping - with a different method. To use the old version, define - OLD_STR_TO_KEY in the makefile. Thanks to - viktor@newsu.shearson.com (Viktor Dukhovni). - -Version 1.93 28/04/92 eay - Fixed the VMS mods so that echo is now turned off in - read_password. Thanks again to brennan@coco.cchs.su.oz.AU. - MSDOS support added. The routines can be compiled with - Turbo C (v2.0) and MSC (v5.1). Make sure MSDOS is defined. - -Patch1 posted to comp.sources.misc -Version 1.92 13/04/92 eay - Changed D_ENCRYPT so that the rotation of R occurs outside of - the loop. This required rotating all the longs in sp.h (now - called spr.h). Thanks to Richard Outerbridge <71755.204@CompuServe.COM> - speed.c has been changed so it will work without SIGALRM. If - times(3) is not present it will try to use ftime() instead. - -Version 1.91 08/04/92 eay - Added -E/-D options to des(1) so it can use string_to_key. - Added SVR4 mods suggested by witr@rwwa.COM - Added VMS mods suggested by brennan@coco.cchs.su.oz.AU. If - anyone knows how to turn of tty echo in VMS please tell me or - implement it yourself :-). - Changed FILE *IN/*OUT to *DES_IN/*DES_OUT since it appears VMS - does not like IN/OUT being used. - -Libdes posted to comp.sources.misc -Version 1.9 24/03/92 eay - Now contains a fast small crypt replacement. - Added des(1) command. - Added des_rw_mode so people can use cbc encryption with - enc_read and enc_write. - -Version 1.8 15/10/91 eay - Bug in cbc_cksum. - Many thanks to Keith Reynolds (keithr@sco.COM) for pointing this - one out. - -Version 1.7 24/09/91 eay - Fixed set_key :-) - set_key is 4 times faster and takes less space. - There are a few minor changes that could be made. - -Version 1.6 19/09/1991 eay - Finally go IP and FP finished. - Now I need to fix set_key. 
- This version is quite a bit faster that 1.51 - -Version 1.52 15/06/1991 eay - 20% speedup in ecb_encrypt by changing the E bit selection - to use 2 32bit words. This also required modification of the - sp table. There is still a way to speedup the IP and IP-1 - (hints from outer@sq.com) still working on this one :-(. - -Version 1.51 07/06/1991 eay - Faster des_encrypt by loop unrolling - Fixed bug in quad_cksum.c (thanks to hughes@logos.ucs.indiana.edu) - -Version 1.50 28/05/1991 eay - Optimised the code a bit more for the sparc. I have improved the - speed of the inner des_encrypt by speeding up the initial and - final permutations. - -Version 1.40 23/10/1990 eay - Fixed des_random_key, it did not produce a random key :-( - -Version 1.30 2/10/1990 eay - Have made des_quad_cksum the same as MIT's, the full package - should be compatible with MIT's - Have tested on a DECstation 3100 - Still need to fix des_set_key (make it faster). - Does des_cbc_encrypts at 70.5k/sec on a 3100. - -Version 1.20 18/09/1990 eay - Fixed byte order dependencies. - Fixed (I hope) all the word alignment problems. - Speedup in des_ecb_encrypt. - -Version 1.10 11/09/1990 eay - Added des_enc_read and des_enc_write. - Still need to fix des_quad_cksum. - Still need to document des_enc_read and des_enc_write. - -Version 1.00 27/08/1990 eay - diff --git a/crypto/heimdal-0.6.3/lib/des/asm/des-som2.pl b/crypto/heimdal-0.6.3/lib/des/asm/des-som2.pl deleted file mode 100644 index 911d985e84..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/asm/des-som2.pl +++ /dev/null 
@@ -1,308 +0,0 @@ -#!/usr/local/bin/perl -# -# The inner loop instruction sequence and the IP/FP modifications are from -# Svend Olaf Mikkelsen -# - -$prog="des-som2.pl"; - -# base code is in microsft -# op dest, source -# format. -# - -require "desboth.pl"; - -if ( ($ARGV[0] eq "elf")) - { require "x86unix.pl"; } -elsif ( ($ARGV[0] eq "a.out")) - { $aout=1; require "x86unix.pl"; } -elsif ( ($ARGV[0] eq "sol")) - { $sol=1; require "x86unix.pl"; } -elsif ( ($ARGV[0] eq "cpp")) - { $cpp=1; require "x86unix.pl"; } -elsif ( ($ARGV[0] eq "win32")) - { require "x86ms.pl"; } -else - { - print STDERR <<"EOF"; -Pick one target type from - elf - linux, FreeBSD etc - a.out - old linux - sol - x86 solaris - cpp - format so x86unix.cpp can be used - win32 - Windows 95/Windows NT -EOF - exit(1); - } - -&comment("Don't even think of reading this code"); -&comment("It was automatically generated by $prog"); -&comment("Which is a perl program used to generate the x86 assember for"); -&comment("any of elf, a.out, Win32, or Solaris"); -&comment("It can be found in SSLeay 0.6.5+ or in libdes 3.26+"); -&comment("eric "); -&comment("The inner loop instruction sequence and the IP/FP modifications"); -&comment("are from Svend Olaf Mikkelsen "); - -&comment(""); - -&file("dx86xxxx"); - -$L="edi"; -$R="esi"; - -&des_encrypt("des_encrypt",1); -&des_encrypt("des_encrypt2",0); - -&des_encrypt3("des_encrypt3",1); -&des_encrypt3("des_decrypt3",0); - -&file_end(); - -sub des_encrypt - { - local($name,$do_ip)=@_; - - &function_begin($name,3); - - &comment(""); - &comment("Load the 2 words"); - &mov("eax",&wparam(0)); - &mov($R,&DWP(0,"eax","",0)); - &mov($L,&DWP(4,"eax","",0)); - - if ($do_ip) - { - &comment(""); - &comment("IP"); - &IP_new($R,$L,"eax",3); -# &comment(""); -# &comment("fixup rotate"); -# &rotl($R,3); -# &rotl($L,3); - } - else - { - &comment(""); - &comment("fixup rotate"); - &rotl($R,3); - &rotl($L,3); - } - - &comment(""); - &comment("load counter, key_schedule and enc flag"); - 
- # encrypting part - - $ks="ebp"; -# &xor( "ebx", "ebx" ); - &mov("eax",&wparam(2)); # get encrypt flag - &xor( "ecx", "ecx" ); - &cmp("eax","0"); - &mov( $ks, &wparam(1) ); - &je(&label("start_decrypt")); - - for ($i=0; $i<16; $i+=2) - { - &comment(""); - &comment("Round $i"); - &D_ENCRYPT($i,$L,$R,$i*2,$ks,"des_SPtrans","eax","ebx","ecx","edx"); - - &comment(""); - &comment("Round ".sprintf("%d",$i+1)); - &D_ENCRYPT($i+1,$R,$L,($i+1)*2,$ks,"des_SPtrans","eax","ebx","ecx","edx"); - } - &jmp(&label("end")); - - &set_label("start_decrypt"); - - for ($i=15; $i>0; $i-=2) - { - &comment(""); - &comment("Round $i"); - &D_ENCRYPT(15-$i,$L,$R,$i*2,$ks,"des_SPtrans","eax","ebx","ecx","edx"); - &comment(""); - &comment("Round ".sprintf("%d",$i-1)); - &D_ENCRYPT(15-$i+1,$R,$L,($i-1)*2,$ks,"des_SPtrans","eax","ebx","ecx","edx"); - } - - &set_label("end"); - - if ($do_ip) - { -# &comment(""); -# &comment("Fixup"); -# &rotr($L,3); # r -# &rotr($R,3); # l - &comment(""); - &comment("FP"); - &FP_new($R,$L,"eax",3); - } - else - { - &comment(""); - &comment("Fixup"); - &rotr($L,3); # r - &rotr($R,3); # l - } - - &mov("eax",&wparam(0)); - &mov(&DWP(0,"eax","",0),$L); - &mov(&DWP(4,"eax","",0),$R); - - &function_end($name); - } - -sub D_ENCRYPT - { - local($r,$L,$R,$S,$ks,$desSP,$u,$tmp1,$tmp2,$t)=@_; - - &mov( $u, &DWP(&n2a($S*4),$ks,"",0)); - &xor( $tmp1, $tmp1); - &mov( $t, &DWP(&n2a(($S+1)*4),$ks,"",0)); - &xor( $u, $R); - &xor( $t, $R); - &and( $u, "0xfcfcfcfc" ); - &and( $t, "0xcfcfcfcf" ); - &movb( &LB($tmp1), &LB($u) ); - &movb( &LB($tmp2), &HB($u) ); - &rotr( $t, 4 ); - &mov( $ks, &DWP(" $desSP",$tmp1,"",0)); - &movb( &LB($tmp1), &LB($t) ); - &xor( $L, $ks); - &mov( $ks, &DWP("0x200+$desSP",$tmp2,"",0)); - &xor( $L, $ks); ###### - &movb( &LB($tmp2), &HB($t) ); - &shr( $u, 16); - &mov( $ks, &DWP("0x100+$desSP",$tmp1,"",0)); - &xor( $L, $ks); ###### - &movb( &LB($tmp1), &HB($u) ); - &shr( $t, 16); - &mov( $ks, &DWP("0x300+$desSP",$tmp2,"",0)); - &xor( $L, $ks); - &mov( $ks, 
&DWP(24,"esp","",0)); #### - &movb( &LB($tmp2), &HB($t) ); - &and( $u, "0xff" ); - &and( $t, "0xff" ); - &mov( $tmp1, &DWP("0x600+$desSP",$tmp1,"",0)); - &xor( $L, $tmp1); - &mov( $tmp1, &DWP("0x700+$desSP",$tmp2,"",0)); - &xor( $L, $tmp1); - &mov( $tmp1, &DWP("0x400+$desSP",$u,"",0)); - &xor( $L, $tmp1); - &mov( $tmp1, &DWP("0x500+$desSP",$t,"",0)); - &xor( $L, $tmp1); - } - -sub PERM_OP - { - local($a,$b,$tt,$shift,$mask)=@_; - - &mov( $tt, $a ); - &shr( $tt, $shift ); - &xor( $tt, $b ); - &and( $tt, $mask ); - &xor( $b, $tt ); - &shl( $tt, $shift ); - &xor( $a, $tt ); - } - -sub IP - { - local($l,$r,$tt)=@_; - - &PERM_OP($r,$l,$tt, 4,"0x0f0f0f0f"); - &PERM_OP($l,$r,$tt,16,"0x0000ffff"); - &PERM_OP($r,$l,$tt, 2,"0x33333333"); - &PERM_OP($l,$r,$tt, 8,"0x00ff00ff"); - &PERM_OP($r,$l,$tt, 1,"0x55555555"); - } - -sub FP - { - local($l,$r,$tt)=@_; - - &PERM_OP($l,$r,$tt, 1,"0x55555555"); - &PERM_OP($r,$l,$tt, 8,"0x00ff00ff"); - &PERM_OP($l,$r,$tt, 2,"0x33333333"); - &PERM_OP($r,$l,$tt,16,"0x0000ffff"); - &PERM_OP($l,$r,$tt, 4,"0x0f0f0f0f"); - } - -sub n2a - { - sprintf("%d",$_[0]); - } - -# now has a side affect of rotating $a by $shift -sub R_PERM_OP - { - local($a,$b,$tt,$shift,$mask,$last)=@_; - - &rotl( $a, $shift ) if ($shift != 0); - &mov( $tt, $b ); - &xor( $tt, $a ); - &and( $tt, $mask ); - if ($last eq $b) - { - &xor( $a, $tt ); - &xor( $b, $tt ); - } - else - { - &xor( $b, $tt ); - &xor( $a, $tt ); - } - &comment(""); - } - -sub IP_new - { - local($l,$r,$tt,$lr)=@_; - - &R_PERM_OP($l,$r,$tt, 4,"0xf0f0f0f0",$l); - &R_PERM_OP($r,$l,$tt,20,"0xfff0000f",$l); - &R_PERM_OP($r,$l,$tt,14,"0x33333333",$r); - &R_PERM_OP($l,$r,$tt,22,"0x03fc03fc",$r); - &R_PERM_OP($l,$r,$tt, 9,"0xaaaaaaaa",$r); - - if ($lr != 3) - { - if (($lr-3) < 0) - { &rotr($l, 3-$lr); } - else { &rotl($l, $lr-3); } - } - if ($lr != 2) - { - if (($lr-2) < 0) - { &rotr($r, 2-$lr); } - else { &rotl($r, $lr-2); } - } - } - -sub FP_new - { - local($r,$l,$tt,$lr)=@_; - - if ($lr != 2) - { - if (($lr-2) 
< 0) - { &rotl($r, 2-$lr); } - else { &rotr($r, $lr-2); } - } - if ($lr != 3) - { - if (($lr-3) < 0) - { &rotl($l, 3-$lr); } - else { &rotr($l, $lr-3); } - } - - &R_PERM_OP($l,$r,$tt, 0,"0xaaaaaaaa",$r); - &R_PERM_OP($l,$r,$tt,23,"0x03fc03fc",$r); - &R_PERM_OP($l,$r,$tt,10,"0x33333333",$l); - &R_PERM_OP($r,$l,$tt,18,"0xfff0000f",$l); - &R_PERM_OP($r,$l,$tt,12,"0xf0f0f0f0",$r); - &rotr($l , 4); - } - diff --git a/crypto/heimdal-0.6.3/lib/des/asm/des-som3.pl b/crypto/heimdal-0.6.3/lib/des/asm/des-som3.pl deleted file mode 100644 index e1ba3bc2b4..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/asm/des-som3.pl +++ /dev/null 
@@ -1,266 +0,0 @@ -#!/usr/local/bin/perl -# -# The inner loop instruction sequence and the IP/FP modifications are from -# Svend Olaf Mikkelsen -# - -$prog="des-som3.pl"; - -# base code is in microsft -# op dest, source -# format. -# - -require "desboth.pl"; - -if ( ($ARGV[0] eq "elf")) - { require "x86unix.pl"; } -elsif ( ($ARGV[0] eq "a.out")) - { $aout=1; require "x86unix.pl"; } -elsif ( ($ARGV[0] eq "sol")) - { $sol=1; require "x86unix.pl"; } -elsif ( ($ARGV[0] eq "cpp")) - { $cpp=1; require "x86unix.pl"; } -elsif ( ($ARGV[0] eq "win32")) - { require "x86ms.pl"; } -else - { - print STDERR <<"EOF"; -Pick one target type from - elf - linux, FreeBSD etc - a.out - old linux - sol - x86 solaris - cpp - format so x86unix.cpp can be used - win32 - Windows 95/Windows NT -EOF - exit(1); - } - -&comment("Don't even think of reading this code"); -&comment("It was automatically generated by $prog"); -&comment("Which is a perl program used to generate the x86 assember for"); -&comment("any of elf, a.out, Win32, or Solaris"); -&comment("It can be found in SSLeay 0.6.5+ or in libdes 3.26+"); -&comment("eric "); -&comment("The inner loop instruction sequence and the IP/FP modifications"); -&comment("are from Svend Olaf Mikkelsen "); - -&comment(""); - -&file("dx86xxxx"); - -$L="edi"; -$R="esi"; - -&des_encrypt("des_encrypt",1); -&des_encrypt("des_encrypt2",0); - -&des_encrypt3("des_encrypt3",1); -&des_encrypt3("des_decrypt3",0); - -&file_end(); - -sub des_encrypt - { - local($name,$do_ip)=@_; - - &function_begin($name,3); - - &comment(""); - &comment("Load the 2 words"); - $ks="ebp"; - - if ($do_ip) - { - &mov($R,&wparam(0)); - &xor( "ecx", "ecx" ); - &mov("eax",&DWP(0,$R,"",0)); - &mov("ebx",&wparam(2)); # get encrypt flag - &mov($L,&DWP(4,$R,"",0)); - &comment(""); - &comment("IP"); - &IP_new("eax",$L,$R,3); - } - else - { - &mov("eax",&wparam(0)); - &xor( "ecx", "ecx" ); - &mov($R,&DWP(0,"eax","",0)); - &mov("ebx",&wparam(2)); # get encrypt flag - &rotl($R,3); - 
&mov($L,&DWP(4,"eax","",0));
- &rotl($L,3);
- }
-
- &cmp("ebx","0");
- &mov( $ks, &wparam(1) );
- &je(&label("start_decrypt"));
-
- for ($i=0; $i<16; $i+=2)
- {
- &comment("");
- &comment("Round $i");
- &D_ENCRYPT($i,$L,$R,$i*2,$ks,"des_SPtrans","eax","ebx","ecx","edx");
-
- &comment("");
- &comment("Round ".sprintf("%d",$i+1));
- &D_ENCRYPT($i+1,$R,$L,($i+1)*2,$ks,"des_SPtrans","eax","ebx","ecx","edx");
- }
- &jmp(&label("end"));
-
- &set_label("start_decrypt");
-
- for ($i=15; $i>0; $i-=2)
- {
- &comment("");
- &comment("Round $i");
- &D_ENCRYPT(15-$i,$L,$R,$i*2,$ks,"des_SPtrans","eax","ebx","ecx","edx");
- &comment("");
- &comment("Round ".sprintf("%d",$i-1));
- &D_ENCRYPT(15-$i+1,$R,$L,($i-1)*2,$ks,"des_SPtrans","eax","ebx","ecx","edx");
- }
-
- &set_label("end");
-
- if ($do_ip)
- {
- &comment("");
- &comment("FP");
- &mov("edx",&wparam(0));
- &FP_new($L,$R,"eax",3);
-
- &mov(&DWP(0,"edx","",0),"eax");
- &mov(&DWP(4,"edx","",0),$R);
- }
- else
- {
- &comment("");
- &comment("Fixup");
- &rotr($L,3); # r
- &mov("eax",&wparam(0));
- &rotr($R,3); # l
- &mov(&DWP(0,"eax","",0),$L);
- &mov(&DWP(4,"eax","",0),$R);
- }
-
-
- &function_end($name);
- }
-
-sub D_ENCRYPT
- {
- local($r,$L,$R,$S,$ks,$desSP,$u,$tmp1,$tmp2,$t)=@_;
-
- &mov( $u, &DWP(&n2a($S*4),$ks,"",0));
- &xor( $tmp1, $tmp1);
- &mov( $t, &DWP(&n2a(($S+1)*4),$ks,"",0));
- &xor( $u, $R);
- &xor( $t, $R);
- &and( $u, "0xfcfcfcfc" );
- &and( $t, "0xcfcfcfcf" );
- &movb( &LB($tmp1), &LB($u) );
- &movb( &LB($tmp2), &HB($u) );
- &rotr( $t, 4 );
- &mov( $ks, &DWP(" $desSP",$tmp1,"",0));
- &movb( &LB($tmp1), &LB($t) );
- &xor( $L, $ks);
- &mov( $ks, &DWP("0x200+$desSP",$tmp2,"",0));
- &xor( $L, $ks); ######
- &movb( &LB($tmp2), &HB($t) );
- &shr( $u, 16);
- &mov( $ks, &DWP("0x100+$desSP",$tmp1,"",0));
- &xor( $L, $ks); ######
- &movb( &LB($tmp1), &HB($u) );
- &shr( $t, 16);
- &mov( $ks, &DWP("0x300+$desSP",$tmp2,"",0));
- &xor( $L, $ks);
- &mov( $ks, &DWP(24,"esp","",0)); ####
- &movb( &LB($tmp2), &HB($t) );
-
&and( $u, "0xff" );
- &and( $t, "0xff" );
- &mov( $tmp1, &DWP("0x600+$desSP",$tmp1,"",0));
- &xor( $L, $tmp1);
- &mov( $tmp1, &DWP("0x700+$desSP",$tmp2,"",0));
- &xor( $L, $tmp1);
- &mov( $tmp1, &DWP("0x400+$desSP",$u,"",0));
- &xor( $L, $tmp1);
- &mov( $tmp1, &DWP("0x500+$desSP",$t,"",0));
- &xor( $L, $tmp1);
- }
-
-sub n2a
- {
- sprintf("%d",$_[0]);
- }
-
-# now has a side affect of rotating $a by $shift
-sub R_PERM_OP
- {
- local($a,$b,$tt,$shift,$mask,$last)=@_;
-
- &rotl( $a, $shift ) if ($shift != 0);
- &mov( $tt, $a );
- &xor( $a, $b );
- &and( $a, $mask );
- if ($notlast eq $b)
- {
- &xor( $b, $a );
- &xor( $tt, $a );
- }
- else
- {
- &xor( $tt, $a );
- &xor( $b, $a );
- }
- &comment("");
- }
-
-sub IP_new
- {
- local($l,$r,$tt,$lr)=@_;
-
- &R_PERM_OP($l,$r,$tt, 4,"0xf0f0f0f0",$l);
- &R_PERM_OP($r,$tt,$l,20,"0xfff0000f",$l);
- &R_PERM_OP($l,$tt,$r,14,"0x33333333",$r);
- &R_PERM_OP($tt,$r,$l,22,"0x03fc03fc",$r);
- &R_PERM_OP($l,$r,$tt, 9,"0xaaaaaaaa",$r);
-
- if ($lr != 3)
- {
- if (($lr-3) < 0)
- { &rotr($tt, 3-$lr); }
- else { &rotl($tt, $lr-3); }
- }
- if ($lr != 2)
- {
- if (($lr-2) < 0)
- { &rotr($r, 2-$lr); }
- else { &rotl($r, $lr-2); }
- }
- }
-
-sub FP_new
- {
- local($l,$r,$tt,$lr)=@_;
-
- if ($lr != 2)
- {
- if (($lr-2) < 0)
- { &rotl($r, 2-$lr); }
- else { &rotr($r, $lr-2); }
- }
- if ($lr != 3)
- {
- if (($lr-3) < 0)
- { &rotl($l, 3-$lr); }
- else { &rotr($l, $lr-3); }
- }
-
- &R_PERM_OP($l,$r,$tt, 0,"0xaaaaaaaa",$r);
- &R_PERM_OP($tt,$r,$l,23,"0x03fc03fc",$r);
- &R_PERM_OP($l,$r,$tt,10,"0x33333333",$l);
- &R_PERM_OP($r,$tt,$l,18,"0xfff0000f",$l);
- &R_PERM_OP($l,$tt,$r,12,"0xf0f0f0f0",$r);
- &rotr($tt , 4);
- }
-
diff --git a/crypto/heimdal-0.6.3/lib/des/asm/des586.pl b/crypto/heimdal-0.6.3/lib/des/asm/des586.pl
deleted file mode 100644
index c2bee84b70..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/asm/des586.pl
+++ /dev/null
@@ -1,210 +0,0 @@ -#!/usr/local/bin/perl - -$prog="des586.pl"; - -# base code is in microsft -# op dest, source -# format. -# - -# WILL NOT WORK ANYMORE WITH desboth.pl -require "desboth.pl"; - -if ( ($ARGV[0] eq "elf")) - { require "x86unix.pl"; } -elsif ( ($ARGV[0] eq "a.out")) - { $aout=1; require "x86unix.pl"; } -elsif ( ($ARGV[0] eq "sol")) - { $sol=1; require "x86unix.pl"; } -elsif ( ($ARGV[0] eq "cpp")) - { $cpp=1; require "x86unix.pl"; } -elsif ( ($ARGV[0] eq "win32")) - { require "x86ms.pl"; } -else - { - print STDERR <<"EOF"; -Pick one target type from - elf - linux, FreeBSD etc - a.out - old linux - sol - x86 solaris - cpp - format so x86unix.cpp can be used - win32 - Windows 95/Windows NT -EOF - exit(1); - } - -&comment("Don't even think of reading this code"); -&comment("It was automatically generated by $prog"); -&comment("Which is a perl program used to generate the x86 assember for"); -&comment("any of elf, a.out, Win32, or Solaris"); -&comment("It can be found in SSLeay 0.6.5+ or in libdes 3.26+"); -&comment("eric "); -&comment(""); - -&file("dx86xxxx"); - -$L="edi"; -$R="esi"; - -&des_encrypt("des_encrypt",1); -&des_encrypt("des_encrypt2",0); - -&des_encrypt3("des_encrypt3",1); -&des_encrypt3("des_decrypt3",0); - -&file_end(); - -sub des_encrypt - { - local($name,$do_ip)=@_; - - &function_begin($name,3); - - &comment(""); - &comment("Load the 2 words"); - &mov("eax",&wparam(0)); - &mov($R,&DWP(0,"eax","",0)); - &mov($L,&DWP(4,"eax","",0)); - - if ($do_ip) - { - &comment(""); - &comment("IP"); - &IP($R,$L,"eax"); - } - - &comment(""); - &comment("fixup rotate"); - &rotl($R,3); - &rotl($L,3); - - &comment(""); - &comment("load counter, key_schedule and enc flag"); - - # encrypting part - - $ks="ebp"; - &xor( "ebx", "ebx" ); - &mov("eax",&wparam(2)); # get encrypt flag - &xor( "ecx", "ecx" ); - &cmp("eax","0"); - &mov( $ks, &wparam(1) ); - &je(&label("start_decrypt")); - - for ($i=0; $i<16; $i+=2) - { - &comment(""); - &comment("Round $i"); - 
&D_ENCRYPT($i,$L,$R,$i*2,$ks,"des_SPtrans","eax","ebx","ecx","edx");
-
- &comment("");
- &comment("Round ".sprintf("%d",$i+1));
- &D_ENCRYPT($i+1,$R,$L,($i+1)*2,$ks,"des_SPtrans","eax","ebx","ecx","edx");
- }
- &jmp(&label("end"));
-
- &set_label("start_decrypt");
-
- for ($i=15; $i>0; $i-=2)
- {
- &comment("");
- &comment("Round $i");
- &D_ENCRYPT(15-$i,$L,$R,$i*2,$ks,"des_SPtrans","eax","ebx","ecx","edx");
- &comment("");
- &comment("Round ".sprintf("%d",$i-1));
- &D_ENCRYPT(15-$i+1,$R,$L,($i-1)*2,$ks,"des_SPtrans","eax","ebx","ecx","edx");
- }
-
- &set_label("end");
-
- &comment("");
- &comment("Fixup");
- &rotr($L,3); # r
- &rotr($R,3); # l
-
- if ($do_ip)
- {
- &comment("");
- &comment("FP");
- &FP($R,$L,"eax");
- }
-
- &mov("eax",&wparam(0));
- &mov(&DWP(0,"eax","",0),$L);
- &mov(&DWP(4,"eax","",0),$R);
-
- &function_end($name);
- }
-
-sub D_ENCRYPT
- {
- local($r,$L,$R,$S,$ks,$desSP,$u,$tmp1,$tmp2,$t)=@_;
-
- &mov( $t, &DWP(&n2a(($S+1)*4),$ks,"",0));
- &mov( $u, &DWP(&n2a($S*4),$ks,"",0));
- &xor( $t, $R);
- &xor( $u, $R);
- &rotr( $t, 4 );
- &and( $u, "0xfcfcfcfc" );
- &and( $t, "0xfcfcfcfc" );
- &movb( &LB($tmp1), &LB($u) );
- &movb( &LB($tmp2), &HB($u) );
- &xor( $L, &DWP(" $desSP",$tmp1,"",0));
- &shr( $u, 16);
- &xor( $L, &DWP("0x200+$desSP",$tmp2,"",0));
- &movb( &LB($tmp1), &LB($u) );
- &movb( &LB($tmp2), &HB($u) );
- &xor( $L, &DWP("0x400+$desSP",$tmp1,"",0));
- &mov( $u, &DWP("0x600+$desSP",$tmp2,"",0));
-
- &movb( &LB($tmp1), &LB($t) );
- &movb( &LB($tmp2), &HB($t) );
- &xor( $L, &DWP("0x100+$desSP",$tmp1,"",0));
- &shr( $t, 16);
- &xor( $u, &DWP("0x300+$desSP",$tmp2,"",0));
- &movb( &LB($tmp1), &LB($t) );
- &movb( &LB($tmp2), &HB($t) );
- &xor( $L, &DWP("0x500+$desSP",$tmp1,"",0));
- &xor( $u, &DWP("0x700+$desSP",$tmp2,"",0));
- &xor( $L, $u);
- }
-
-sub PERM_OP
- {
- local($a,$b,$tt,$shift,$mask)=@_;
-
- &mov( $tt, $a );
- &shr( $tt, $shift );
- &xor( $tt, $b );
- &and( $tt, $mask );
- &xor( $b, $tt );
- &shl( $tt, $shift );
- &xor( $a, $tt );
-
}
-
-sub IP
- {
- local($l,$r,$tt)=@_;
-
- &PERM_OP($r,$l,$tt, 4,"0x0f0f0f0f");
- &PERM_OP($l,$r,$tt,16,"0x0000ffff");
- &PERM_OP($r,$l,$tt, 2,"0x33333333");
- &PERM_OP($l,$r,$tt, 8,"0x00ff00ff");
- &PERM_OP($r,$l,$tt, 1,"0x55555555");
- }
-
-sub FP
- {
- local($l,$r,$tt)=@_;
-
- &PERM_OP($l,$r,$tt, 1,"0x55555555");
- &PERM_OP($r,$l,$tt, 8,"0x00ff00ff");
- &PERM_OP($l,$r,$tt, 2,"0x33333333");
- &PERM_OP($r,$l,$tt,16,"0x0000ffff");
- &PERM_OP($l,$r,$tt, 4,"0x0f0f0f0f");
- }
-
-sub n2a
- {
- sprintf("%d",$_[0]);
- }
diff --git a/crypto/heimdal-0.6.3/lib/des/asm/des686.pl b/crypto/heimdal-0.6.3/lib/des/asm/des686.pl
deleted file mode 100644
index eda500312b..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/asm/des686.pl
+++ /dev/null
@@ -1,230 +0,0 @@ -#!/usr/local/bin/perl - -$prog="des686.pl"; - -# base code is in microsft -# op dest, source -# format. -# - -# WILL NOT WORK ANYMORE WITH desboth.pl -require "desboth.pl"; - -if ( ($ARGV[0] eq "elf")) - { require "x86unix.pl"; } -elsif ( ($ARGV[0] eq "a.out")) - { $aout=1; require "x86unix.pl"; } -elsif ( ($ARGV[0] eq "sol")) - { $sol=1; require "x86unix.pl"; } -elsif ( ($ARGV[0] eq "cpp")) - { $cpp=1; require "x86unix.pl"; } -elsif ( ($ARGV[0] eq "win32")) - { require "x86ms.pl"; } -else - { - print STDERR <<"EOF"; -Pick one target type from - elf - linux, FreeBSD etc - a.out - old linux - sol - x86 solaris - cpp - format so x86unix.cpp can be used - win32 - Windows 95/Windows NT -EOF - exit(1); - } - -&comment("Don't even think of reading this code"); -&comment("It was automatically generated by $prog"); -&comment("Which is a perl program used to generate the x86 assember for"); -&comment("any of elf, a.out, Win32, or Solaris"); -&comment("It can be found in SSLeay 0.6.5+ or in libdes 3.26+"); -&comment("eric "); -&comment(""); - -&file("dx86xxxx"); - -$L="edi"; -$R="esi"; - -&des_encrypt("des_encrypt",1); -&des_encrypt("des_encrypt2",0); - -&des_encrypt3("des_encrypt3",1); -&des_encrypt3("des_decrypt3",0); - -&file_end(); - -sub des_encrypt - { - local($name,$do_ip)=@_; - - &function_begin($name,3); - - &comment(""); - &comment("Load the 2 words"); - &mov("eax",&wparam(0)); - &mov($L,&DWP(0,"eax","",0)); - &mov($R,&DWP(4,"eax","",0)); - - $ksp=&wparam(1); - - if ($do_ip) - { - &comment(""); - &comment("IP"); - &IP($L,$R,"eax"); - } - - &comment(""); - &comment("fixup rotate"); - &rotl($R,3); - &rotl($L,3); - &exch($L,$R); - - &comment(""); - &comment("load counter, key_schedule and enc flag"); - &mov("eax",&wparam(2)); # get encrypt flag - &mov("ebp",&wparam(1)); # get ks - &cmp("eax","0"); - &je(&label("start_decrypt")); - - # encrypting part - - for ($i=0; $i<16; $i+=2) - { - &comment(""); - &comment("Round $i"); - 
&D_ENCRYPT($L,$R,$i*2,"ebp","des_SPtrans","ecx","edx","eax","ebx");
-
- &comment("");
- &comment("Round ".sprintf("%d",$i+1));
- &D_ENCRYPT($R,$L,($i+1)*2,"ebp","des_SPtrans","ecx","edx","eax","ebx");
- }
- &jmp(&label("end"));
-
- &set_label("start_decrypt");
-
- for ($i=15; $i>0; $i-=2)
- {
- &comment("");
- &comment("Round $i");
- &D_ENCRYPT($L,$R,$i*2,"ebp","des_SPtrans","ecx","edx","eax","ebx");
- &comment("");
- &comment("Round ".sprintf("%d",$i-1));
- &D_ENCRYPT($R,$L,($i-1)*2,"ebp","des_SPtrans","ecx","edx","eax","ebx");
- }
-
- &set_label("end");
-
- &comment("");
- &comment("Fixup");
- &rotr($L,3); # r
- &rotr($R,3); # l
-
- if ($do_ip)
- {
- &comment("");
- &comment("FP");
- &FP($R,$L,"eax");
- }
-
- &mov("eax",&wparam(0));
- &mov(&DWP(0,"eax","",0),$L);
- &mov(&DWP(4,"eax","",0),$R);
-
- &function_end($name);
- }
-
-
-# The logic is to load R into 2 registers and operate on both at the same time.
-# We also load the 2 R's into 2 more registers so we can do the 'move word down a byte'
-# while also masking the other copy and doing a lookup. We then also accumulate the
-# L value in 2 registers then combine them at the end.
-sub D_ENCRYPT
- {
- local($L,$R,$S,$ks,$desSP,$u,$t,$tmp1,$tmp2,$tmp3)=@_;
-
- &mov( $u, &DWP(&n2a($S*4),$ks,"",0));
- &mov( $t, &DWP(&n2a(($S+1)*4),$ks,"",0));
- &xor( $u, $R );
- &xor( $t, $R );
- &rotr( $t, 4 );
-
- # the numbers at the end of the line are origional instruction order
- &mov( $tmp2, $u ); # 1 2
- &mov( $tmp1, $t ); # 1 1
- &and( $tmp2, "0xfc" ); # 1 4
- &and( $tmp1, "0xfc" ); # 1 3
- &shr( $t, 8 ); # 1 5
- &xor( $L, &DWP("0x100+$desSP",$tmp1,"",0)); # 1 7
- &shr( $u, 8 ); # 1 6
- &mov( $tmp1, &DWP(" $desSP",$tmp2,"",0)); # 1 8
-
- &mov( $tmp2, $u ); # 2 2
- &xor( $L, $tmp1 ); # 1 9
- &and( $tmp2, "0xfc" ); # 2 4
- &mov( $tmp1, $t ); # 2 1
- &and( $tmp1, "0xfc" ); # 2 3
- &shr( $t, 8 ); # 2 5
- &xor( $L, &DWP("0x300+$desSP",$tmp1,"",0)); # 2 7
- &shr( $u, 8 ); # 2 6
- &mov( $tmp1, &DWP("0x200+$desSP",$tmp2,"",0)); # 2 8
- &mov( $tmp2, $u ); # 3 2
-
- &xor( $L, $tmp1 ); # 2 9
- &and( $tmp2, "0xfc" ); # 3 4
-
- &mov( $tmp1, $t ); # 3 1
- &shr( $u, 8 ); # 3 6
- &and( $tmp1, "0xfc" ); # 3 3
- &shr( $t, 8 ); # 3 5
- &xor( $L, &DWP("0x500+$desSP",$tmp1,"",0)); # 3 7
- &mov( $tmp1, &DWP("0x400+$desSP",$tmp2,"",0)); # 3 8
-
- &and( $t, "0xfc" ); # 4 1
- &xor( $L, $tmp1 ); # 3 9
-
- &and( $u, "0xfc" ); # 4 2
- &xor( $L, &DWP("0x700+$desSP",$t,"",0)); # 4 3
- &xor( $L, &DWP("0x600+$desSP",$u,"",0)); # 4 4
- }
-
-sub PERM_OP
- {
- local($a,$b,$tt,$shift,$mask)=@_;
-
- &mov( $tt, $a );
- &shr( $tt, $shift );
- &xor( $tt, $b );
- &and( $tt, $mask );
- &xor( $b, $tt );
- &shl( $tt, $shift );
- &xor( $a, $tt );
- }
-
-sub IP
- {
- local($l,$r,$tt)=@_;
-
- &PERM_OP($r,$l,$tt, 4,"0x0f0f0f0f");
- &PERM_OP($l,$r,$tt,16,"0x0000ffff");
- &PERM_OP($r,$l,$tt, 2,"0x33333333");
- &PERM_OP($l,$r,$tt, 8,"0x00ff00ff");
- &PERM_OP($r,$l,$tt, 1,"0x55555555");
- }
-
-sub FP
- {
- local($l,$r,$tt)=@_;
-
- &PERM_OP($l,$r,$tt, 1,"0x55555555");
- &PERM_OP($r,$l,$tt, 8,"0x00ff00ff");
- &PERM_OP($l,$r,$tt, 2,"0x33333333");
- &PERM_OP($r,$l,$tt,16,"0x0000ffff");
- &PERM_OP($l,$r,$tt,
4,"0x0f0f0f0f");
- }
-
-sub n2a
- {
- sprintf("%d",$_[0]);
- }
diff --git a/crypto/heimdal-0.6.3/lib/des/asm/desboth.pl b/crypto/heimdal-0.6.3/lib/des/asm/desboth.pl
deleted file mode 100644
index 125aec8f33..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/asm/desboth.pl
+++ /dev/null
@@ -1,67 +0,0 @@
-#!/usr/local/bin/perl
-
-$L="edi";
-$R="esi";
-
-sub des_encrypt3
- {
- local($name,$enc)=@_;
-
- &function_begin($name,4);
-
- &comment("");
- &comment("Load the data words");
- &mov("ebx",&wparam(0));
- &mov($L,&DWP(0,"ebx","",0));
- &mov($R,&DWP(4,"ebx","",0));
-
- &comment("");
- &comment("IP");
- &IP_new($L,$R,"edx",0);
-
- # put them back
-
- if ($enc)
- {
- &mov(&DWP(4,"ebx","",0),$R);
- &mov("eax",&wparam(1));
- &mov(&DWP(0,"ebx","",0),"edx");
- &mov("edi",&wparam(2));
- &mov("esi",&wparam(3));
- }
- else
- {
- &mov(&DWP(4,"ebx","",0),$R);
- &mov("esi",&wparam(1));
- &mov(&DWP(0,"ebx","",0),"edx");
- &mov("edi",&wparam(2));
- &mov("eax",&wparam(3));
- }
- &push(($enc)?"1":"0");
- &push("eax");
- &push("ebx");
- &call("des_encrypt2");
- &push(($enc)?"0":"1");
- &push("edi");
- &push("ebx");
- &call("des_encrypt2");
- &push(($enc)?"1":"0");
- &push("esi");
- &push("ebx");
- &call("des_encrypt2");
-
- &mov($L,&DWP(0,"ebx","",0));
- &add("esp",36);
- &mov($R,&DWP(4,"ebx","",0));
-
- &comment("");
- &comment("FP");
- &FP_new($L,$R,"eax",0);
-
- &mov(&DWP(0,"ebx","",0),"eax");
- &mov(&DWP(4,"ebx","",0),$R);
-
- &function_end($name);
- }
-
-
diff --git a/crypto/heimdal-0.6.3/lib/des/asm/dx86-cpp.s b/crypto/heimdal-0.6.3/lib/des/asm/dx86-cpp.s
deleted file mode 100644
index 27d6ceea27..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/asm/dx86-cpp.s
+++ /dev/null
@@ -1,2780 +0,0 @@ - /* Don't even think of reading this code */ - /* It was automatically generated by des-som2.pl */ - /* Which is a perl program used to generate the x86 assember for */ - /* any of elf, a.out, Win32, or Solaris */ - /* It can be found in SSLeay 0.6.5+ or in libdes 3.26+ */ - /* eric */ - /* The inner loop instruction sequence and the IP/FP modifications */ - /* are from Svend Olaf Mikkelsen */ - - .file "dx86xxxx.s" - .version "01.01" -gcc2_compiled.: -.text - .align ALIGN -.globl des_encrypt - TYPE(des_encrypt,@function) -des_encrypt: - pushl %ebp - pushl %ebx - pushl %esi - pushl %edi - - - /* Load the 2 words */ - movl 20(%esp), %esi - xorl %ecx, %ecx - movl (%esi), %eax - movl 28(%esp), %ebx - movl 4(%esi), %edi - - /* IP */ - roll $4, %eax - movl %eax, %esi - xorl %edi, %eax - andl $0xf0f0f0f0, %eax - xorl %eax, %esi - xorl %eax, %edi - - roll $20, %edi - movl %edi, %eax - xorl %esi, %edi - andl $0xfff0000f, %edi - xorl %edi, %eax - xorl %edi, %esi - - roll $14, %eax - movl %eax, %edi - xorl %esi, %eax - andl $0x33333333, %eax - xorl %eax, %edi - xorl %eax, %esi - - roll $22, %esi - movl %esi, %eax - xorl %edi, %esi - andl $0x03fc03fc, %esi - xorl %esi, %eax - xorl %esi, %edi - - roll $9, %eax - movl %eax, %esi - xorl %edi, %eax - andl $0xaaaaaaaa, %eax - xorl %eax, %esi - xorl %eax, %edi - - roll $1, %edi - cmpl $0, %ebx - movl 24(%esp), %ebp - je .L000start_decrypt - - /* Round 0 */ - movl (%ebp), %eax - xorl %ebx, %ebx - movl 4(%ebp), %edx - xorl %esi, %eax - xorl %esi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %edi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %edi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - 
movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %edi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %edi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %edi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %edi - - /* Round 1 */ - movl 8(%ebp), %eax - xorl %ebx, %ebx - movl 12(%ebp), %edx - xorl %edi, %eax - xorl %edi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %esi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %esi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %esi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %esi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %esi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %esi - - /* Round 2 */ - movl 16(%ebp), %eax - xorl %ebx, %ebx - movl 20(%ebp), %edx - xorl %esi, %eax - xorl %esi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %edi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %edi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %edi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %edi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %edi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %edi - - /* Round 3 */ - movl 24(%ebp), %eax - xorl %ebx, %ebx - movl 28(%ebp), %edx - xorl %edi, %eax - xorl %edi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb 
%ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %esi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %esi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %esi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %esi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %esi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %esi - - /* Round 4 */ - movl 32(%ebp), %eax - xorl %ebx, %ebx - movl 36(%ebp), %edx - xorl %esi, %eax - xorl %esi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %edi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %edi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %edi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %edi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %edi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %edi - - /* Round 5 */ - movl 40(%ebp), %eax - xorl %ebx, %ebx - movl 44(%ebp), %edx - xorl %edi, %eax - xorl %edi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %esi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %esi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 
0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %esi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %esi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %esi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %esi - - /* Round 6 */ - movl 48(%ebp), %eax - xorl %ebx, %ebx - movl 52(%ebp), %edx - xorl %esi, %eax - xorl %esi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %edi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %edi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %edi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %edi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %edi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %edi - - /* Round 7 */ - movl 56(%ebp), %eax - xorl %ebx, %ebx - movl 60(%ebp), %edx - xorl %edi, %eax - xorl %edi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %esi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %esi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %esi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %esi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %esi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %esi - - /* Round 8 */ - movl 64(%ebp), %eax - xorl %ebx, %ebx - movl 68(%ebp), %edx - xorl %esi, %eax - xorl %esi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, 
%cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %edi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %edi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %edi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %edi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %edi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %edi - - /* Round 9 */ - movl 72(%ebp), %eax - xorl %ebx, %ebx - movl 76(%ebp), %edx - xorl %edi, %eax - xorl %edi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %esi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %esi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %esi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %esi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %esi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %esi - - /* Round 10 */ - movl 80(%ebp), %eax - xorl %ebx, %ebx - movl 84(%ebp), %edx - xorl %esi, %eax - xorl %esi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %edi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %edi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 
0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %edi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %edi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %edi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %edi - - /* Round 11 */ - movl 88(%ebp), %eax - xorl %ebx, %ebx - movl 92(%ebp), %edx - xorl %edi, %eax - xorl %edi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %esi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %esi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %esi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %esi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %esi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %esi - - /* Round 12 */ - movl 96(%ebp), %eax - xorl %ebx, %ebx - movl 100(%ebp), %edx - xorl %esi, %eax - xorl %esi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %edi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %edi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %edi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %edi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %edi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %edi - - /* Round 13 */ - movl 104(%ebp), %eax - xorl %ebx, %ebx - movl 108(%ebp), %edx - xorl %edi, %eax - xorl %edi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb 
%ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %esi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %esi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %esi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %esi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %esi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %esi - - /* Round 14 */ - movl 112(%ebp), %eax - xorl %ebx, %ebx - movl 116(%ebp), %edx - xorl %esi, %eax - xorl %esi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %edi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %edi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %edi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %edi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %edi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %edi - - /* Round 15 */ - movl 120(%ebp), %eax - xorl %ebx, %ebx - movl 124(%ebp), %edx - xorl %edi, %eax - xorl %edi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %esi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %esi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - 
movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %esi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %esi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %esi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %esi - jmp .L001end -.align ALIGN -.L000start_decrypt: - - /* Round 15 */ - movl 120(%ebp), %eax - xorl %ebx, %ebx - movl 124(%ebp), %edx - xorl %esi, %eax - xorl %esi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %edi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %edi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %edi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %edi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %edi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %edi - - /* Round 14 */ - movl 112(%ebp), %eax - xorl %ebx, %ebx - movl 116(%ebp), %edx - xorl %edi, %eax - xorl %edi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %esi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %esi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %esi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %esi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %esi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %esi - - /* Round 13 */ - movl 104(%ebp), %eax - xorl %ebx, %ebx - movl 108(%ebp), %edx - xorl %esi, %eax - xorl %esi, %edx - andl 
$0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %edi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %edi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %edi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %edi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %edi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %edi - - /* Round 12 */ - movl 96(%ebp), %eax - xorl %ebx, %ebx - movl 100(%ebp), %edx - xorl %edi, %eax - xorl %edi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %esi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %esi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %esi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %esi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %esi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %esi - - /* Round 11 */ - movl 88(%ebp), %eax - xorl %ebx, %ebx - movl 92(%ebp), %edx - xorl %esi, %eax - xorl %esi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %edi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %edi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movl 24(%esp), 
%ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %edi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %edi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %edi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %edi - - /* Round 10 */ - movl 80(%ebp), %eax - xorl %ebx, %ebx - movl 84(%ebp), %edx - xorl %edi, %eax - xorl %edi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %esi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %esi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %esi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %esi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %esi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %esi - - /* Round 9 */ - movl 72(%ebp), %eax - xorl %ebx, %ebx - movl 76(%ebp), %edx - xorl %esi, %eax - xorl %esi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %edi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %edi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %edi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %edi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %edi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %edi - - /* Round 8 */ - movl 64(%ebp), %eax - xorl %ebx, %ebx - movl 68(%ebp), %edx - xorl %edi, %eax - xorl %edi, %edx - andl 
$0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %esi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %esi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %esi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %esi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %esi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %esi - - /* Round 7 */ - movl 56(%ebp), %eax - xorl %ebx, %ebx - movl 60(%ebp), %edx - xorl %esi, %eax - xorl %esi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %edi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %edi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %edi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %edi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %edi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %edi - - /* Round 6 */ - movl 48(%ebp), %eax - xorl %ebx, %ebx - movl 52(%ebp), %edx - xorl %edi, %eax - xorl %edi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %esi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %esi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movl 24(%esp), 
%ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %esi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %esi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %esi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %esi - - /* Round 5 */ - movl 40(%ebp), %eax - xorl %ebx, %ebx - movl 44(%ebp), %edx - xorl %esi, %eax - xorl %esi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %edi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %edi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %edi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %edi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %edi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %edi - - /* Round 4 */ - movl 32(%ebp), %eax - xorl %ebx, %ebx - movl 36(%ebp), %edx - xorl %edi, %eax - xorl %edi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %esi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %esi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %esi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %esi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %esi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %esi - - /* Round 3 */ - movl 24(%ebp), %eax - xorl %ebx, %ebx - movl 28(%ebp), %edx - xorl %esi, %eax - xorl %esi, %edx - andl 
$0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %edi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %edi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %edi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %edi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %edi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %edi - - /* Round 2 */ - movl 16(%ebp), %eax - xorl %ebx, %ebx - movl 20(%ebp), %edx - xorl %edi, %eax - xorl %edi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %esi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %esi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %esi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %esi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %esi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %esi - - /* Round 1 */ - movl 8(%ebp), %eax - xorl %ebx, %ebx - movl 12(%ebp), %edx - xorl %esi, %eax - xorl %esi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %edi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %edi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movl 24(%esp), %ebp 
- movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %edi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %edi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %edi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %edi - - /* Round 0 */ - movl (%ebp), %eax - xorl %ebx, %ebx - movl 4(%ebp), %edx - xorl %edi, %eax - xorl %edi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %esi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %esi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %esi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %esi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %esi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %esi -.align ALIGN -.L001end: - - /* FP */ - movl 20(%esp), %edx - rorl $1, %esi - movl %edi, %eax - xorl %esi, %edi - andl $0xaaaaaaaa, %edi - xorl %edi, %eax - xorl %edi, %esi - - roll $23, %eax - movl %eax, %edi - xorl %esi, %eax - andl $0x03fc03fc, %eax - xorl %eax, %edi - xorl %eax, %esi - - roll $10, %edi - movl %edi, %eax - xorl %esi, %edi - andl $0x33333333, %edi - xorl %edi, %eax - xorl %edi, %esi - - roll $18, %esi - movl %esi, %edi - xorl %eax, %esi - andl $0xfff0000f, %esi - xorl %esi, %edi - xorl %esi, %eax - - roll $12, %edi - movl %edi, %esi - xorl %eax, %edi - andl $0xf0f0f0f0, %edi - xorl %edi, %esi - xorl %edi, %eax - - rorl $4, %eax - movl %eax, (%edx) - movl %esi, 4(%edx) - popl %edi - popl %esi - popl %ebx - popl %ebp - ret -.des_encrypt_end: - SIZE(des_encrypt,.des_encrypt_end-des_encrypt) -.ident "desasm.pl" -.text - .align ALIGN -.globl des_encrypt2 - TYPE(des_encrypt2,@function) -des_encrypt2: - pushl 
%ebp - pushl %ebx - pushl %esi - pushl %edi - - - /* Load the 2 words */ - movl 20(%esp), %eax - xorl %ecx, %ecx - movl (%eax), %esi - movl 28(%esp), %ebx - roll $3, %esi - movl 4(%eax), %edi - roll $3, %edi - cmpl $0, %ebx - movl 24(%esp), %ebp - je .L002start_decrypt - - /* Round 0 */ - movl (%ebp), %eax - xorl %ebx, %ebx - movl 4(%ebp), %edx - xorl %esi, %eax - xorl %esi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %edi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %edi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %edi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %edi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %edi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %edi - - /* Round 1 */ - movl 8(%ebp), %eax - xorl %ebx, %ebx - movl 12(%ebp), %edx - xorl %edi, %eax - xorl %edi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %esi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %esi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %esi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %esi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %esi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %esi - - /* Round 2 */ - movl 16(%ebp), %eax - xorl %ebx, %ebx - movl 20(%ebp), %edx - xorl %esi, %eax - xorl %esi, %edx - andl $0xfcfcfcfc, 
%eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %edi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %edi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %edi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %edi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %edi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %edi - - /* Round 3 */ - movl 24(%ebp), %eax - xorl %ebx, %ebx - movl 28(%ebp), %edx - xorl %edi, %eax - xorl %edi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %esi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %esi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %esi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %esi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %esi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %esi - - /* Round 4 */ - movl 32(%ebp), %eax - xorl %ebx, %ebx - movl 36(%ebp), %edx - xorl %esi, %eax - xorl %esi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %edi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %edi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movl 24(%esp), %ebp - movb %dh, 
%cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %edi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %edi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %edi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %edi - - /* Round 5 */ - movl 40(%ebp), %eax - xorl %ebx, %ebx - movl 44(%ebp), %edx - xorl %edi, %eax - xorl %edi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %esi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %esi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %esi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %esi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %esi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %esi - - /* Round 6 */ - movl 48(%ebp), %eax - xorl %ebx, %ebx - movl 52(%ebp), %edx - xorl %esi, %eax - xorl %esi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %edi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %edi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %edi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %edi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %edi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %edi - - /* Round 7 */ - movl 56(%ebp), %eax - xorl %ebx, %ebx - movl 60(%ebp), %edx - xorl %edi, %eax - xorl %edi, %edx - andl $0xfcfcfcfc, %eax - 
andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %esi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %esi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %esi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %esi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %esi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %esi - - /* Round 8 */ - movl 64(%ebp), %eax - xorl %ebx, %ebx - movl 68(%ebp), %edx - xorl %esi, %eax - xorl %esi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %edi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %edi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %edi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %edi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %edi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %edi - - /* Round 9 */ - movl 72(%ebp), %eax - xorl %ebx, %ebx - movl 76(%ebp), %edx - xorl %edi, %eax - xorl %edi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %esi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %esi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movl 24(%esp), %ebp - movb %dh, %cl - 
andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %esi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %esi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %esi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %esi - - /* Round 10 */ - movl 80(%ebp), %eax - xorl %ebx, %ebx - movl 84(%ebp), %edx - xorl %esi, %eax - xorl %esi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %edi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %edi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %edi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %edi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %edi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %edi - - /* Round 11 */ - movl 88(%ebp), %eax - xorl %ebx, %ebx - movl 92(%ebp), %edx - xorl %edi, %eax - xorl %edi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %esi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %esi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %esi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %esi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %esi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %esi - - /* Round 12 */ - movl 96(%ebp), %eax - xorl %ebx, %ebx - movl 100(%ebp), %edx - xorl %esi, %eax - xorl %esi, %edx - andl $0xfcfcfcfc, %eax - andl 
$0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %edi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %edi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %edi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %edi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %edi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %edi - - /* Round 13 */ - movl 104(%ebp), %eax - xorl %ebx, %ebx - movl 108(%ebp), %edx - xorl %edi, %eax - xorl %edi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %esi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %esi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %esi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %esi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %esi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %esi - - /* Round 14 */ - movl 112(%ebp), %eax - xorl %ebx, %ebx - movl 116(%ebp), %edx - xorl %esi, %eax - xorl %esi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %edi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %edi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movl 24(%esp), %ebp - movb %dh, %cl - 
andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %edi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %edi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %edi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %edi - - /* Round 15 */ - movl 120(%ebp), %eax - xorl %ebx, %ebx - movl 124(%ebp), %edx - xorl %edi, %eax - xorl %edi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %esi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %esi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %esi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %esi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %esi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %esi - jmp .L003end -.align ALIGN -.L002start_decrypt: - - /* Round 15 */ - movl 120(%ebp), %eax - xorl %ebx, %ebx - movl 124(%ebp), %edx - xorl %esi, %eax - xorl %esi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %edi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %edi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %edi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %edi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %edi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %edi - - /* Round 14 */ - movl 112(%ebp), %eax - xorl %ebx, %ebx - movl 116(%ebp), %edx - xorl %edi, 
%eax - xorl %edi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %esi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %esi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %esi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %esi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %esi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %esi - - /* Round 13 */ - movl 104(%ebp), %eax - xorl %ebx, %ebx - movl 108(%ebp), %edx - xorl %esi, %eax - xorl %esi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %edi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %edi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %edi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %edi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %edi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %edi - - /* Round 12 */ - movl 96(%ebp), %eax - xorl %ebx, %ebx - movl 100(%ebp), %edx - xorl %edi, %eax - xorl %edi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %esi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %esi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - 
xorl %ebp, %esi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %esi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %esi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %esi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %esi - - /* Round 11 */ - movl 88(%ebp), %eax - xorl %ebx, %ebx - movl 92(%ebp), %edx - xorl %esi, %eax - xorl %esi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %edi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %edi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %edi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %edi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %edi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %edi - - /* Round 10 */ - movl 80(%ebp), %eax - xorl %ebx, %ebx - movl 84(%ebp), %edx - xorl %edi, %eax - xorl %edi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %esi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %esi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %esi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %esi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %esi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %esi - - /* Round 9 */ - movl 72(%ebp), %eax - xorl %ebx, %ebx - movl 76(%ebp), %edx - xorl %esi, 
%eax - xorl %esi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %edi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %edi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %edi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %edi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %edi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %edi - - /* Round 8 */ - movl 64(%ebp), %eax - xorl %ebx, %ebx - movl 68(%ebp), %edx - xorl %edi, %eax - xorl %edi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %esi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %esi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %esi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %esi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %esi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %esi - - /* Round 7 */ - movl 56(%ebp), %eax - xorl %ebx, %ebx - movl 60(%ebp), %edx - xorl %esi, %eax - xorl %esi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %edi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %edi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl 
%ebp, %edi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %edi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %edi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %edi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %edi - - /* Round 6 */ - movl 48(%ebp), %eax - xorl %ebx, %ebx - movl 52(%ebp), %edx - xorl %edi, %eax - xorl %edi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %esi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %esi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %esi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %esi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %esi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %esi - - /* Round 5 */ - movl 40(%ebp), %eax - xorl %ebx, %ebx - movl 44(%ebp), %edx - xorl %esi, %eax - xorl %esi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %edi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %edi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %edi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %edi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %edi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %edi - - /* Round 4 */ - movl 32(%ebp), %eax - xorl %ebx, %ebx - movl 36(%ebp), %edx - xorl %edi, %eax - 
xorl %edi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %esi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %esi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %esi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %esi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %esi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %esi - - /* Round 3 */ - movl 24(%ebp), %eax - xorl %ebx, %ebx - movl 28(%ebp), %edx - xorl %esi, %eax - xorl %esi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %edi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %edi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %edi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %edi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %edi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %edi - - /* Round 2 */ - movl 16(%ebp), %eax - xorl %ebx, %ebx - movl 20(%ebp), %edx - xorl %edi, %eax - xorl %edi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %esi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %esi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, 
%esi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %esi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %esi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %esi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %esi - - /* Round 1 */ - movl 8(%ebp), %eax - xorl %ebx, %ebx - movl 12(%ebp), %edx - xorl %esi, %eax - xorl %esi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %edi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %edi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %edi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %edi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %edi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %edi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %edi - - /* Round 0 */ - movl (%ebp), %eax - xorl %ebx, %ebx - movl 4(%ebp), %edx - xorl %edi, %eax - xorl %edi, %edx - andl $0xfcfcfcfc, %eax - andl $0xcfcfcfcf, %edx - movb %al, %bl - movb %ah, %cl - rorl $4, %edx - movl des_SPtrans(%ebx),%ebp - movb %dl, %bl - xorl %ebp, %esi - movl 0x200+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movb %dh, %cl - shrl $16, %eax - movl 0x100+des_SPtrans(%ebx),%ebp - xorl %ebp, %esi - movb %ah, %bl - shrl $16, %edx - movl 0x300+des_SPtrans(%ecx),%ebp - xorl %ebp, %esi - movl 24(%esp), %ebp - movb %dh, %cl - andl $0xff, %eax - andl $0xff, %edx - movl 0x600+des_SPtrans(%ebx),%ebx - xorl %ebx, %esi - movl 0x700+des_SPtrans(%ecx),%ebx - xorl %ebx, %esi - movl 0x400+des_SPtrans(%eax),%ebx - xorl %ebx, %esi - movl 0x500+des_SPtrans(%edx),%ebx - xorl %ebx, %esi -.align ALIGN -.L003end: - - /* Fixup */ - rorl $3, %edi - movl 20(%esp), %eax - rorl $3, %esi - movl %edi, 
(%eax) - movl %esi, 4(%eax) - popl %edi - popl %esi - popl %ebx - popl %ebp - ret -.des_encrypt2_end: - SIZE(des_encrypt2,.des_encrypt2_end-des_encrypt2) -.ident "desasm.pl" -.text - .align ALIGN -.globl des_encrypt3 - TYPE(des_encrypt3,@function) -des_encrypt3: - pushl %ebp - pushl %ebx - pushl %esi - pushl %edi - - - /* Load the data words */ - movl 20(%esp), %ebx - movl (%ebx), %edi - movl 4(%ebx), %esi - - /* IP */ - roll $4, %edi - movl %edi, %edx - xorl %esi, %edi - andl $0xf0f0f0f0, %edi - xorl %edi, %edx - xorl %edi, %esi - - roll $20, %esi - movl %esi, %edi - xorl %edx, %esi - andl $0xfff0000f, %esi - xorl %esi, %edi - xorl %esi, %edx - - roll $14, %edi - movl %edi, %esi - xorl %edx, %edi - andl $0x33333333, %edi - xorl %edi, %esi - xorl %edi, %edx - - roll $22, %edx - movl %edx, %edi - xorl %esi, %edx - andl $0x03fc03fc, %edx - xorl %edx, %edi - xorl %edx, %esi - - roll $9, %edi - movl %edi, %edx - xorl %esi, %edi - andl $0xaaaaaaaa, %edi - xorl %edi, %edx - xorl %edi, %esi - - rorl $3, %edx - rorl $2, %esi - movl %esi, 4(%ebx) - movl 24(%esp), %eax - movl %edx, (%ebx) - movl 28(%esp), %edi - movl 32(%esp), %esi - pushl $1 - pushl %eax - pushl %ebx - call des_encrypt2 - pushl $0 - pushl %edi - pushl %ebx - call des_encrypt2 - pushl $1 - pushl %esi - pushl %ebx - call des_encrypt2 - movl (%ebx), %edi - addl $36, %esp - movl 4(%ebx), %esi - - /* FP */ - roll $2, %esi - roll $3, %edi - movl %edi, %eax - xorl %esi, %edi - andl $0xaaaaaaaa, %edi - xorl %edi, %eax - xorl %edi, %esi - - roll $23, %eax - movl %eax, %edi - xorl %esi, %eax - andl $0x03fc03fc, %eax - xorl %eax, %edi - xorl %eax, %esi - - roll $10, %edi - movl %edi, %eax - xorl %esi, %edi - andl $0x33333333, %edi - xorl %edi, %eax - xorl %edi, %esi - - roll $18, %esi - movl %esi, %edi - xorl %eax, %esi - andl $0xfff0000f, %esi - xorl %esi, %edi - xorl %esi, %eax - - roll $12, %edi - movl %edi, %esi - xorl %eax, %edi - andl $0xf0f0f0f0, %edi - xorl %edi, %esi - xorl %edi, %eax - - rorl $4, %eax - movl 
%eax, (%ebx) - movl %esi, 4(%ebx) - popl %edi - popl %esi - popl %ebx - popl %ebp - ret -.des_encrypt3_end: - SIZE(des_encrypt3,.des_encrypt3_end-des_encrypt3) -.ident "desasm.pl" -.text - .align ALIGN -.globl des_decrypt3 - TYPE(des_decrypt3,@function) -des_decrypt3: - pushl %ebp - pushl %ebx - pushl %esi - pushl %edi - - - /* Load the data words */ - movl 20(%esp), %ebx - movl (%ebx), %edi - movl 4(%ebx), %esi - - /* IP */ - roll $4, %edi - movl %edi, %edx - xorl %esi, %edi - andl $0xf0f0f0f0, %edi - xorl %edi, %edx - xorl %edi, %esi - - roll $20, %esi - movl %esi, %edi - xorl %edx, %esi - andl $0xfff0000f, %esi - xorl %esi, %edi - xorl %esi, %edx - - roll $14, %edi - movl %edi, %esi - xorl %edx, %edi - andl $0x33333333, %edi - xorl %edi, %esi - xorl %edi, %edx - - roll $22, %edx - movl %edx, %edi - xorl %esi, %edx - andl $0x03fc03fc, %edx - xorl %edx, %edi - xorl %edx, %esi - - roll $9, %edi - movl %edi, %edx - xorl %esi, %edi - andl $0xaaaaaaaa, %edi - xorl %edi, %edx - xorl %edi, %esi - - rorl $3, %edx - rorl $2, %esi - movl %esi, 4(%ebx) - movl 24(%esp), %esi - movl %edx, (%ebx) - movl 28(%esp), %edi - movl 32(%esp), %eax - pushl $0 - pushl %eax - pushl %ebx - call des_encrypt2 - pushl $1 - pushl %edi - pushl %ebx - call des_encrypt2 - pushl $0 - pushl %esi - pushl %ebx - call des_encrypt2 - movl (%ebx), %edi - addl $36, %esp - movl 4(%ebx), %esi - - /* FP */ - roll $2, %esi - roll $3, %edi - movl %edi, %eax - xorl %esi, %edi - andl $0xaaaaaaaa, %edi - xorl %edi, %eax - xorl %edi, %esi - - roll $23, %eax - movl %eax, %edi - xorl %esi, %eax - andl $0x03fc03fc, %eax - xorl %eax, %edi - xorl %eax, %esi - - roll $10, %edi - movl %edi, %eax - xorl %esi, %edi - andl $0x33333333, %edi - xorl %edi, %eax - xorl %edi, %esi - - roll $18, %esi - movl %esi, %edi - xorl %eax, %esi - andl $0xfff0000f, %esi - xorl %esi, %edi - xorl %esi, %eax - - roll $12, %edi - movl %edi, %esi - xorl %eax, %edi - andl $0xf0f0f0f0, %edi - xorl %edi, %esi - xorl %edi, %eax - - rorl $4, %eax 
- movl %eax, (%ebx) - movl %esi, 4(%ebx) - popl %edi - popl %esi - popl %ebx - popl %ebp - ret -.des_decrypt3_end: - SIZE(des_decrypt3,.des_decrypt3_end-des_decrypt3) -.ident "desasm.pl" diff --git a/crypto/heimdal-0.6.3/lib/des/asm/dx86unix.cpp b/crypto/heimdal-0.6.3/lib/des/asm/dx86unix.cpp deleted file mode 100644 index b4eb397d58..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/asm/dx86unix.cpp +++ /dev/null @@ -1,39 +0,0 @@ - -#define TYPE(a,b) .type a,b -#define SIZE(a,b) .size a,b - -#ifdef OUT -#define OK 1 -#define des_SPtrans _des_SPtrans -#define des_encrypt _des_encrypt -#define des_encrypt2 _des_encrypt2 -#define des_encrypt3 _des_encrypt3 -#define ALIGN 4 -#endif - -#ifdef BSDI -#define OK 1 -#define des_SPtrans _des_SPtrans -#define des_encrypt _des_encrypt -#define des_encrypt2 _des_encrypt2 -#define des_encrypt3 _des_encrypt3 -#define ALIGN 4 -#undef SIZE -#undef TYPE -#endif - -#if defined(ELF) || defined(SOL) -#define OK 1 -#define ALIGN 16 -#endif - -#ifndef OK -You need to define one of -ELF - elf systems - linux-elf, NetBSD and DG-UX -OUT - a.out systems - linux-a.out and FreeBSD -SOL - solaris systems, which are elf with strange comment lines -BSDI - a.out with a very primative version of as. -#endif - -#include "dx86-cpp.s" - diff --git a/crypto/heimdal-0.6.3/lib/des/asm/readme b/crypto/heimdal-0.6.3/lib/des/asm/readme deleted file mode 100644 index bb1a8e9956..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/asm/readme +++ /dev/null 
@@ -1,130 +0,0 @@ -First up, let me say I don't like writing in assembler. It is not portable, -dependant on the particular CPU architecture release and is generally a pig -to debug and get right. Having said that, the x86 architecture is probably -the most important for speed due to number of boxes and since -it appears to be the worst architecture to to get -good C compilers for. So due to this, I have lowered myself to do -assembler for the inner DES routines in libdes :-). - -The file to implement in assembler is des_enc.c. Replace the following -4 functions -des_encrypt(DES_LONG data[2],des_key_schedule ks, int encrypt); -des_encrypt2(DES_LONG data[2],des_key_schedule ks, int encrypt); -des_encrypt3(DES_LONG data[2],des_key_schedule ks1,ks2,ks3); -des_decrypt3(DES_LONG data[2],des_key_schedule ks1,ks2,ks3); - -They encrypt/decrypt the 64 bits held in 'data' using -the 'ks' key schedules. The only difference between the 4 functions is that -des_encrypt2() does not perform IP() or FP() on the data (this is an -optimization for when doing triple DES and des_encrypt3() and des_decrypt3() -perform triple des. The triple DES routines are in here because it does -make a big difference to have them located near the des_encrypt2 function -at link time.. - -Now as we all know, there are lots of different operating systems running on -x86 boxes, and unfortunately they normally try to make sure their assembler -formating is not the same as the other peoples. -The 4 main formats I know of are -Microsoft Windows 95/Windows NT -Elf Includes Linux and FreeBSD(?). -a.out The older Linux. -Solaris Same as Elf but different comments :-(. - -Now I was not overly keen to write 4 different copies of the same code, -so I wrote a few perl routines to output the correct assembler, given -a target assembler type. This code is ugly and is just a hack. -The libraries are x86unix.pl and x86ms.pl. 
-des586.pl, des686.pl and des-som[23].pl are the programs to actually -generate the assembler. - -So to generate elf assembler -perl des-som3.pl elf >dx86-elf.s -For Windows 95/NT -perl des-som2.pl win32 >win32.asm - -[ update 4 Jan 1996 ] -I have added another way to do things. -perl des-som3.pl cpp >dx86-cpp.s -generates a file that will be included by dx86unix.cpp when it is compiled. -To build for elf, a.out, solaris, bsdi etc, -cc -E -DELF asm/dx86unix.cpp | as -o asm/dx86-elf.o -cc -E -DSOL asm/dx86unix.cpp | as -o asm/dx86-sol.o -cc -E -DOUT asm/dx86unix.cpp | as -o asm/dx86-out.o -cc -E -DBSDI asm/dx86unix.cpp | as -o asm/dx86bsdi.o -This was done to cut down the number of files in the distribution. - -Now the ugly part. I acquired my copy of Intels -"Optimization's For Intel's 32-Bit Processors" and found a few interesting -things. First, the aim of the exersize is to 'extract' one byte at a time -from a word and do an array lookup. This involves getting the byte from -the 4 locations in the word and moving it to a new word and doing the lookup. -The most obvious way to do this is -xor eax, eax # clear word -movb al, cl # get low byte -xor edi DWORD PTR 0x100+des_SP[eax] # xor in word -movb al, ch # get next byte -xor edi DWORD PTR 0x300+des_SP[eax] # xor in word -shr ecx 16 -which seems ok. For the pentium, this system appears to be the best. -One has to do instruction interleaving to keep both functional units -operating, but it is basically very efficient. - -Now the crunch. When a full register is used after a partial write, eg. -mov al, cl -xor edi, DWORD PTR 0x100+des_SP[eax] -386 - 1 cycle stall -486 - 1 cycle stall -586 - 0 cycle stall -686 - at least 7 cycle stall (page 22 of the above mentioned document). - -So the technique that produces the best results on a pentium, according to -the documentation, will produce hideous results on a pentium pro. 
- -To get around this, des686.pl will generate code that is not as fast on -a pentium, should be very good on a pentium pro. -mov eax, ecx # copy word -shr ecx, 8 # line up next byte -and eax, 0fch # mask byte -xor edi DWORD PTR 0x100+des_SP[eax] # xor in array lookup -mov eax, ecx # get word -shr ecx 8 # line up next byte -and eax, 0fch # mask byte -xor edi DWORD PTR 0x300+des_SP[eax] # xor in array lookup - -Due to the execution units in the pentium, this actually works quite well. -For a pentium pro it should be very good. This is the type of output -Visual C++ generates. - -There is a third option. instead of using -mov al, ch -which is bad on the pentium pro, one may be able to use -movzx eax, ch -which may not incur the partial write penalty. On the pentium, -this instruction takes 4 cycles so is not worth using but on the -pentium pro it appears it may be worth while. I need access to one to -experiment :-). - -eric (20 Oct 1996) - -22 Nov 1996 - I have asked people to run the 2 different version on pentium -pros and it appears that the intel documentation is wrong. The -mov al,bh is still faster on a pentium pro, so just use the des586.pl -install des686.pl - -3 Dec 1996 - I added des_encrypt3/des_decrypt3 because I have moved these -functions into des_enc.c because it does make a massive performance -difference on some boxes to have the functions code located close to -the des_encrypt2() function. - -9 Jan 1996 - des-som2.pl is now the correct perl script to use for -pentiums. It contains an inner loop from -Svend Olaf Mikkelsen which does raw ecb DES calls at -273,000 per second. He had a previous version at 250,000 and the best -I was able to get was 203,000. The content has not changed, this is all -due to instruction sequencing (and actual instructions choice) which is able -to keep both functional units of the pentium going. 
-We may have lost the ugly register usage restrictions when x86 went 32 bit -but for the pentium it has been replaced by evil instruction ordering tricks. - -13 Jan 1996 - des-som3.pl, more optimizations from Svend Olaf. -raw DES at 281,000 per second on a pentium 100. diff --git a/crypto/heimdal-0.6.3/lib/des/asm/win32.asm b/crypto/heimdal-0.6.3/lib/des/asm/win32.asm deleted file mode 100644 index 29c915f78f..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/asm/win32.asm +++ /dev/null 
@@ -1,2766 +0,0 @@ - ; Don't even think of reading this code - ; It was automatically generated by des-som2.pl - ; Which is a perl program used to generate the x86 assember for - ; any of elf, a.out, Win32, or Solaris - ; It can be found in SSLeay 0.6.5+ or in libdes 3.26+ - ; eric - ; The inner loop instruction sequence and the IP/FP modifications - ; are from Svend Olaf Mikkelsen - - ; - TITLE dx86xxxx.asm - .386 -.model FLAT -_TEXT SEGMENT -PUBLIC _des_encrypt -EXTRN _des_SPtrans:DWORD -_des_encrypt PROC NEAR - push ebp - push ebx - push esi - push edi - ; - ; Load the 2 words - mov esi, DWORD PTR 20[esp] - xor ecx, ecx - mov eax, DWORD PTR [esi] - mov ebx, DWORD PTR 28[esp] - mov edi, DWORD PTR 4[esi] - ; - ; IP - rol eax, 4 - mov esi, eax - xor eax, edi - and eax, 0f0f0f0f0h - xor esi, eax - xor edi, eax - ; - rol edi, 20 - mov eax, edi - xor edi, esi - and edi, 0fff0000fh - xor eax, edi - xor esi, edi - ; - rol eax, 14 - mov edi, eax - xor eax, esi - and eax, 033333333h - xor edi, eax - xor esi, eax - ; - rol esi, 22 - mov eax, esi - xor esi, edi - and esi, 003fc03fch - xor eax, esi - xor edi, esi - ; - rol eax, 9 - mov esi, eax - xor eax, edi - and eax, 0aaaaaaaah - xor esi, eax - xor edi, eax - ; - rol edi, 1 - cmp ebx, 0 - mov ebp, DWORD PTR 24[esp] - je $L000start_decrypt - ; - ; Round 0 - mov eax, DWORD PTR [ebp] - xor ebx, ebx - mov edx, DWORD PTR 4[ebp] - xor eax, esi - xor edx, esi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor edi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor edi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor edi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor edi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor edi, ebx - 
mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor edi, ebx - ; - ; Round 1 - mov eax, DWORD PTR 8[ebp] - xor ebx, ebx - mov edx, DWORD PTR 12[ebp] - xor eax, edi - xor edx, edi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor esi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor esi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor esi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor esi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor esi, ebx - ; - ; Round 2 - mov eax, DWORD PTR 16[ebp] - xor ebx, ebx - mov edx, DWORD PTR 20[ebp] - xor eax, esi - xor edx, esi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor edi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor edi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor edi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor edi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor edi, ebx - ; - ; Round 3 - mov eax, DWORD PTR 24[ebp] - xor ebx, ebx - mov edx, DWORD PTR 28[ebp] - xor eax, edi - xor edx, edi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov 
bl, dl - xor esi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor esi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor esi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor esi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor esi, ebx - ; - ; Round 4 - mov eax, DWORD PTR 32[ebp] - xor ebx, ebx - mov edx, DWORD PTR 36[ebp] - xor eax, esi - xor edx, esi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor edi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor edi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor edi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor edi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor edi, ebx - ; - ; Round 5 - mov eax, DWORD PTR 40[ebp] - xor ebx, ebx - mov edx, DWORD PTR 44[ebp] - xor eax, edi - xor edx, edi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor esi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor esi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor esi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor esi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR 
_des_SPtrans[0600h+ebx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor esi, ebx - ; - ; Round 6 - mov eax, DWORD PTR 48[ebp] - xor ebx, ebx - mov edx, DWORD PTR 52[ebp] - xor eax, esi - xor edx, esi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor edi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor edi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor edi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor edi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor edi, ebx - ; - ; Round 7 - mov eax, DWORD PTR 56[ebp] - xor ebx, ebx - mov edx, DWORD PTR 60[ebp] - xor eax, edi - xor edx, edi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor esi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor esi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor esi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor esi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor esi, ebx - ; - ; Round 8 - mov eax, DWORD PTR 64[ebp] - xor ebx, ebx - mov edx, DWORD PTR 68[ebp] - xor eax, esi - xor edx, esi - and eax, 0fcfcfcfch - and 
edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor edi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor edi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor edi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor edi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor edi, ebx - ; - ; Round 9 - mov eax, DWORD PTR 72[ebp] - xor ebx, ebx - mov edx, DWORD PTR 76[ebp] - xor eax, edi - xor edx, edi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor esi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor esi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor esi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor esi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor esi, ebx - ; - ; Round 10 - mov eax, DWORD PTR 80[ebp] - xor ebx, ebx - mov edx, DWORD PTR 84[ebp] - xor eax, esi - xor edx, esi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor edi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor edi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor edi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor edi, ebp - mov 
ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor edi, ebx - ; - ; Round 11 - mov eax, DWORD PTR 88[ebp] - xor ebx, ebx - mov edx, DWORD PTR 92[ebp] - xor eax, edi - xor edx, edi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor esi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor esi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor esi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor esi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor esi, ebx - ; - ; Round 12 - mov eax, DWORD PTR 96[ebp] - xor ebx, ebx - mov edx, DWORD PTR 100[ebp] - xor eax, esi - xor edx, esi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor edi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor edi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor edi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor edi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor edi, ebx - ; - ; Round 13 - mov eax, DWORD PTR 104[ebp] - xor 
ebx, ebx - mov edx, DWORD PTR 108[ebp] - xor eax, edi - xor edx, edi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor esi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor esi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor esi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor esi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor esi, ebx - ; - ; Round 14 - mov eax, DWORD PTR 112[ebp] - xor ebx, ebx - mov edx, DWORD PTR 116[ebp] - xor eax, esi - xor edx, esi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor edi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor edi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor edi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor edi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor edi, ebx - ; - ; Round 15 - mov eax, DWORD PTR 120[ebp] - xor ebx, ebx - mov edx, DWORD PTR 124[ebp] - xor eax, edi - xor edx, edi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor esi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor esi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor 
esi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor esi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor esi, ebx - jmp $L001end -$L000start_decrypt: - ; - ; Round 15 - mov eax, DWORD PTR 120[ebp] - xor ebx, ebx - mov edx, DWORD PTR 124[ebp] - xor eax, esi - xor edx, esi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor edi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor edi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor edi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor edi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor edi, ebx - ; - ; Round 14 - mov eax, DWORD PTR 112[ebp] - xor ebx, ebx - mov edx, DWORD PTR 116[ebp] - xor eax, edi - xor edx, edi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor esi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor esi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor esi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor esi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor esi, ebx - mov ebx, DWORD PTR 
_des_SPtrans[0400h+eax] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor esi, ebx - ; - ; Round 13 - mov eax, DWORD PTR 104[ebp] - xor ebx, ebx - mov edx, DWORD PTR 108[ebp] - xor eax, esi - xor edx, esi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor edi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor edi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor edi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor edi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor edi, ebx - ; - ; Round 12 - mov eax, DWORD PTR 96[ebp] - xor ebx, ebx - mov edx, DWORD PTR 100[ebp] - xor eax, edi - xor edx, edi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor esi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor esi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor esi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor esi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor esi, ebx - ; - ; Round 11 - mov eax, DWORD PTR 88[ebp] - xor ebx, ebx - mov edx, DWORD PTR 92[ebp] - xor eax, esi - xor edx, esi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor 
edi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor edi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor edi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor edi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor edi, ebx - ; - ; Round 10 - mov eax, DWORD PTR 80[ebp] - xor ebx, ebx - mov edx, DWORD PTR 84[ebp] - xor eax, edi - xor edx, edi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor esi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor esi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor esi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor esi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor esi, ebx - ; - ; Round 9 - mov eax, DWORD PTR 72[ebp] - xor ebx, ebx - mov edx, DWORD PTR 76[ebp] - xor eax, esi - xor edx, esi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor edi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor edi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor edi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor edi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - 
xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor edi, ebx - ; - ; Round 8 - mov eax, DWORD PTR 64[ebp] - xor ebx, ebx - mov edx, DWORD PTR 68[ebp] - xor eax, edi - xor edx, edi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor esi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor esi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor esi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor esi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor esi, ebx - ; - ; Round 7 - mov eax, DWORD PTR 56[ebp] - xor ebx, ebx - mov edx, DWORD PTR 60[ebp] - xor eax, esi - xor edx, esi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor edi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor edi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor edi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor edi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor edi, ebx - ; - ; Round 6 - mov eax, DWORD PTR 48[ebp] - xor ebx, ebx - mov edx, DWORD PTR 52[ebp] - xor eax, edi - xor edx, edi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, 
al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor esi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor esi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor esi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor esi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor esi, ebx - ; - ; Round 5 - mov eax, DWORD PTR 40[ebp] - xor ebx, ebx - mov edx, DWORD PTR 44[ebp] - xor eax, esi - xor edx, esi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor edi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor edi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor edi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor edi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor edi, ebx - ; - ; Round 4 - mov eax, DWORD PTR 32[ebp] - xor ebx, ebx - mov edx, DWORD PTR 36[ebp] - xor eax, edi - xor edx, edi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor esi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor esi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor esi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor esi, ebp - mov ebp, DWORD PTR 24[esp] - mov 
cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor esi, ebx - ; - ; Round 3 - mov eax, DWORD PTR 24[ebp] - xor ebx, ebx - mov edx, DWORD PTR 28[ebp] - xor eax, esi - xor edx, esi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor edi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor edi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor edi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor edi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor edi, ebx - ; - ; Round 2 - mov eax, DWORD PTR 16[ebp] - xor ebx, ebx - mov edx, DWORD PTR 20[ebp] - xor eax, edi - xor edx, edi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor esi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor esi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor esi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor esi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor esi, ebx - ; - ; Round 1 - mov eax, DWORD PTR 8[ebp] - xor ebx, ebx - mov edx, DWORD PTR 
12[ebp] - xor eax, esi - xor edx, esi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor edi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor edi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor edi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor edi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor edi, ebx - ; - ; Round 0 - mov eax, DWORD PTR [ebp] - xor ebx, ebx - mov edx, DWORD PTR 4[ebp] - xor eax, edi - xor edx, edi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor esi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor esi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor esi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor esi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor esi, ebx -$L001end: - ; - ; FP - mov edx, DWORD PTR 20[esp] - ror esi, 1 - mov eax, edi - xor edi, esi - and edi, 0aaaaaaaah - xor eax, edi - xor esi, edi - ; - rol eax, 23 - mov edi, eax - xor eax, esi - and eax, 003fc03fch - xor edi, eax - xor esi, eax - ; - rol edi, 10 - mov eax, edi - xor edi, esi - and edi, 033333333h - xor eax, edi - xor esi, edi - ; - rol esi, 18 - mov edi, esi - xor esi, eax - and esi, 0fff0000fh - xor edi, esi - xor eax, esi - ; 
- rol edi, 12 - mov esi, edi - xor edi, eax - and edi, 0f0f0f0f0h - xor esi, edi - xor eax, edi - ; - ror eax, 4 - mov DWORD PTR [edx],eax - mov DWORD PTR 4[edx],esi - pop edi - pop esi - pop ebx - pop ebp - ret -_des_encrypt ENDP -_TEXT ENDS -_TEXT SEGMENT -PUBLIC _des_encrypt2 -EXTRN _des_SPtrans:DWORD -_des_encrypt2 PROC NEAR - push ebp - push ebx - push esi - push edi - ; - ; Load the 2 words - mov eax, DWORD PTR 20[esp] - xor ecx, ecx - mov esi, DWORD PTR [eax] - mov ebx, DWORD PTR 28[esp] - rol esi, 3 - mov edi, DWORD PTR 4[eax] - rol edi, 3 - cmp ebx, 0 - mov ebp, DWORD PTR 24[esp] - je $L002start_decrypt - ; - ; Round 0 - mov eax, DWORD PTR [ebp] - xor ebx, ebx - mov edx, DWORD PTR 4[ebp] - xor eax, esi - xor edx, esi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor edi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor edi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor edi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor edi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor edi, ebx - ; - ; Round 1 - mov eax, DWORD PTR 8[ebp] - xor ebx, ebx - mov edx, DWORD PTR 12[ebp] - xor eax, edi - xor edx, edi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor esi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor esi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor esi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor esi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and 
edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor esi, ebx - ; - ; Round 2 - mov eax, DWORD PTR 16[ebp] - xor ebx, ebx - mov edx, DWORD PTR 20[ebp] - xor eax, esi - xor edx, esi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor edi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor edi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor edi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor edi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor edi, ebx - ; - ; Round 3 - mov eax, DWORD PTR 24[ebp] - xor ebx, ebx - mov edx, DWORD PTR 28[ebp] - xor eax, edi - xor edx, edi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor esi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor esi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor esi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor esi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor esi, ebx - ; - ; Round 4 - mov eax, DWORD PTR 32[ebp] - xor ebx, ebx - mov edx, DWORD PTR 36[ebp] - xor eax, esi - xor edx, 
esi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor edi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor edi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor edi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor edi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor edi, ebx - ; - ; Round 5 - mov eax, DWORD PTR 40[ebp] - xor ebx, ebx - mov edx, DWORD PTR 44[ebp] - xor eax, edi - xor edx, edi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor esi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor esi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor esi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor esi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor esi, ebx - ; - ; Round 6 - mov eax, DWORD PTR 48[ebp] - xor ebx, ebx - mov edx, DWORD PTR 52[ebp] - xor eax, esi - xor edx, esi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor edi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor edi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor edi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR 
_des_SPtrans[0300h+ecx] - xor edi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor edi, ebx - ; - ; Round 7 - mov eax, DWORD PTR 56[ebp] - xor ebx, ebx - mov edx, DWORD PTR 60[ebp] - xor eax, edi - xor edx, edi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor esi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor esi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor esi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor esi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor esi, ebx - ; - ; Round 8 - mov eax, DWORD PTR 64[ebp] - xor ebx, ebx - mov edx, DWORD PTR 68[ebp] - xor eax, esi - xor edx, esi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor edi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor edi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor edi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor edi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor edi, ebx - ; - ; 
Round 9 - mov eax, DWORD PTR 72[ebp] - xor ebx, ebx - mov edx, DWORD PTR 76[ebp] - xor eax, edi - xor edx, edi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor esi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor esi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor esi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor esi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor esi, ebx - ; - ; Round 10 - mov eax, DWORD PTR 80[ebp] - xor ebx, ebx - mov edx, DWORD PTR 84[ebp] - xor eax, esi - xor edx, esi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor edi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor edi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor edi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor edi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor edi, ebx - ; - ; Round 11 - mov eax, DWORD PTR 88[ebp] - xor ebx, ebx - mov edx, DWORD PTR 92[ebp] - xor eax, edi - xor edx, edi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor esi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor esi, ebp - mov cl, dh - shr eax, 16 - mov ebp, 
DWORD PTR _des_SPtrans[0100h+ebx] - xor esi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor esi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor esi, ebx - ; - ; Round 12 - mov eax, DWORD PTR 96[ebp] - xor ebx, ebx - mov edx, DWORD PTR 100[ebp] - xor eax, esi - xor edx, esi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor edi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor edi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor edi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor edi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor edi, ebx - ; - ; Round 13 - mov eax, DWORD PTR 104[ebp] - xor ebx, ebx - mov edx, DWORD PTR 108[ebp] - xor eax, edi - xor edx, edi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor esi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor esi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor esi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor esi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor esi, ebx - mov ebx, DWORD PTR 
_des_SPtrans[0400h+eax] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor esi, ebx - ; - ; Round 14 - mov eax, DWORD PTR 112[ebp] - xor ebx, ebx - mov edx, DWORD PTR 116[ebp] - xor eax, esi - xor edx, esi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor edi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor edi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor edi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor edi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor edi, ebx - ; - ; Round 15 - mov eax, DWORD PTR 120[ebp] - xor ebx, ebx - mov edx, DWORD PTR 124[ebp] - xor eax, edi - xor edx, edi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor esi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor esi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor esi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor esi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor esi, ebx - jmp $L003end -$L002start_decrypt: - ; - ; Round 15 - mov eax, DWORD PTR 120[ebp] - xor ebx, ebx - mov edx, DWORD PTR 124[ebp] - xor eax, esi - xor edx, esi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD 
PTR _des_SPtrans[ebx] - mov bl, dl - xor edi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor edi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor edi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor edi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor edi, ebx - ; - ; Round 14 - mov eax, DWORD PTR 112[ebp] - xor ebx, ebx - mov edx, DWORD PTR 116[ebp] - xor eax, edi - xor edx, edi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor esi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor esi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor esi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor esi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor esi, ebx - ; - ; Round 13 - mov eax, DWORD PTR 104[ebp] - xor ebx, ebx - mov edx, DWORD PTR 108[ebp] - xor eax, esi - xor edx, esi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor edi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor edi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor edi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor edi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - 
mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor edi, ebx - ; - ; Round 12 - mov eax, DWORD PTR 96[ebp] - xor ebx, ebx - mov edx, DWORD PTR 100[ebp] - xor eax, edi - xor edx, edi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor esi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor esi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor esi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor esi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor esi, ebx - ; - ; Round 11 - mov eax, DWORD PTR 88[ebp] - xor ebx, ebx - mov edx, DWORD PTR 92[ebp] - xor eax, esi - xor edx, esi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor edi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor edi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor edi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor edi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor edi, ebx - ; - ; Round 10 - mov eax, DWORD PTR 80[ebp] - xor ebx, ebx - mov edx, DWORD PTR 84[ebp] - xor eax, edi - xor edx, edi - 
and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor esi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor esi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor esi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor esi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor esi, ebx - ; - ; Round 9 - mov eax, DWORD PTR 72[ebp] - xor ebx, ebx - mov edx, DWORD PTR 76[ebp] - xor eax, esi - xor edx, esi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor edi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor edi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor edi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor edi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor edi, ebx - ; - ; Round 8 - mov eax, DWORD PTR 64[ebp] - xor ebx, ebx - mov edx, DWORD PTR 68[ebp] - xor eax, edi - xor edx, edi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor esi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor esi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor esi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR 
_des_SPtrans[0300h+ecx] - xor esi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor esi, ebx - ; - ; Round 7 - mov eax, DWORD PTR 56[ebp] - xor ebx, ebx - mov edx, DWORD PTR 60[ebp] - xor eax, esi - xor edx, esi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor edi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor edi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor edi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor edi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor edi, ebx - ; - ; Round 6 - mov eax, DWORD PTR 48[ebp] - xor ebx, ebx - mov edx, DWORD PTR 52[ebp] - xor eax, edi - xor edx, edi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor esi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor esi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor esi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor esi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor esi, ebx - ; - ; 
Round 5 - mov eax, DWORD PTR 40[ebp] - xor ebx, ebx - mov edx, DWORD PTR 44[ebp] - xor eax, esi - xor edx, esi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor edi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor edi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor edi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor edi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor edi, ebx - ; - ; Round 4 - mov eax, DWORD PTR 32[ebp] - xor ebx, ebx - mov edx, DWORD PTR 36[ebp] - xor eax, edi - xor edx, edi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor esi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor esi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor esi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor esi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor esi, ebx - ; - ; Round 3 - mov eax, DWORD PTR 24[ebp] - xor ebx, ebx - mov edx, DWORD PTR 28[ebp] - xor eax, esi - xor edx, esi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor edi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor edi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD 
PTR _des_SPtrans[0100h+ebx] - xor edi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor edi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor edi, ebx - ; - ; Round 2 - mov eax, DWORD PTR 16[ebp] - xor ebx, ebx - mov edx, DWORD PTR 20[ebp] - xor eax, edi - xor edx, edi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor esi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor esi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor esi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor esi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor esi, ebx - ; - ; Round 1 - mov eax, DWORD PTR 8[ebp] - xor ebx, ebx - mov edx, DWORD PTR 12[ebp] - xor eax, esi - xor edx, esi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor edi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor edi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor edi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor edi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor edi, ebx - mov ebx, DWORD PTR 
_des_SPtrans[0400h+eax] - xor edi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor edi, ebx - ; - ; Round 0 - mov eax, DWORD PTR [ebp] - xor ebx, ebx - mov edx, DWORD PTR 4[ebp] - xor eax, edi - xor edx, edi - and eax, 0fcfcfcfch - and edx, 0cfcfcfcfh - mov bl, al - mov cl, ah - ror edx, 4 - mov ebp, DWORD PTR _des_SPtrans[ebx] - mov bl, dl - xor esi, ebp - mov ebp, DWORD PTR _des_SPtrans[0200h+ecx] - xor esi, ebp - mov cl, dh - shr eax, 16 - mov ebp, DWORD PTR _des_SPtrans[0100h+ebx] - xor esi, ebp - mov bl, ah - shr edx, 16 - mov ebp, DWORD PTR _des_SPtrans[0300h+ecx] - xor esi, ebp - mov ebp, DWORD PTR 24[esp] - mov cl, dh - and eax, 0ffh - and edx, 0ffh - mov ebx, DWORD PTR _des_SPtrans[0600h+ebx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0700h+ecx] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0400h+eax] - xor esi, ebx - mov ebx, DWORD PTR _des_SPtrans[0500h+edx] - xor esi, ebx -$L003end: - ; - ; Fixup - ror edi, 3 - mov eax, DWORD PTR 20[esp] - ror esi, 3 - mov DWORD PTR [eax],edi - mov DWORD PTR 4[eax],esi - pop edi - pop esi - pop ebx - pop ebp - ret -_des_encrypt2 ENDP -_TEXT ENDS -_TEXT SEGMENT -PUBLIC _des_encrypt3 -EXTRN _des_SPtrans:DWORD -_des_encrypt3 PROC NEAR - push ebp - push ebx - push esi - push edi - ; - ; Load the data words - mov ebx, DWORD PTR 20[esp] - mov edi, DWORD PTR [ebx] - mov esi, DWORD PTR 4[ebx] - ; - ; IP - rol edi, 4 - mov edx, edi - xor edi, esi - and edi, 0f0f0f0f0h - xor edx, edi - xor esi, edi - ; - rol esi, 20 - mov edi, esi - xor esi, edx - and esi, 0fff0000fh - xor edi, esi - xor edx, esi - ; - rol edi, 14 - mov esi, edi - xor edi, edx - and edi, 033333333h - xor esi, edi - xor edx, edi - ; - rol edx, 22 - mov edi, edx - xor edx, esi - and edx, 003fc03fch - xor edi, edx - xor esi, edx - ; - rol edi, 9 - mov edx, edi - xor edi, esi - and edi, 0aaaaaaaah - xor edx, edi - xor esi, edi - ; - ror edx, 3 - ror esi, 2 - mov DWORD PTR 4[ebx],esi - mov eax, DWORD PTR 24[esp] - mov DWORD PTR [ebx],edx - mov edi, 
DWORD PTR 28[esp] - mov esi, DWORD PTR 32[esp] - push 1 - push eax - push ebx - call _des_encrypt2 - push 0 - push edi - push ebx - call _des_encrypt2 - push 1 - push esi - push ebx - call _des_encrypt2 - mov edi, DWORD PTR [ebx] - add esp, 36 - mov esi, DWORD PTR 4[ebx] - ; - ; FP - rol esi, 2 - rol edi, 3 - mov eax, edi - xor edi, esi - and edi, 0aaaaaaaah - xor eax, edi - xor esi, edi - ; - rol eax, 23 - mov edi, eax - xor eax, esi - and eax, 003fc03fch - xor edi, eax - xor esi, eax - ; - rol edi, 10 - mov eax, edi - xor edi, esi - and edi, 033333333h - xor eax, edi - xor esi, edi - ; - rol esi, 18 - mov edi, esi - xor esi, eax - and esi, 0fff0000fh - xor edi, esi - xor eax, esi - ; - rol edi, 12 - mov esi, edi - xor edi, eax - and edi, 0f0f0f0f0h - xor esi, edi - xor eax, edi - ; - ror eax, 4 - mov DWORD PTR [ebx],eax - mov DWORD PTR 4[ebx],esi - pop edi - pop esi - pop ebx - pop ebp - ret -_des_encrypt3 ENDP -_TEXT ENDS -_TEXT SEGMENT -PUBLIC _des_decrypt3 -EXTRN _des_SPtrans:DWORD -_des_decrypt3 PROC NEAR - push ebp - push ebx - push esi - push edi - ; - ; Load the data words - mov ebx, DWORD PTR 20[esp] - mov edi, DWORD PTR [ebx] - mov esi, DWORD PTR 4[ebx] - ; - ; IP - rol edi, 4 - mov edx, edi - xor edi, esi - and edi, 0f0f0f0f0h - xor edx, edi - xor esi, edi - ; - rol esi, 20 - mov edi, esi - xor esi, edx - and esi, 0fff0000fh - xor edi, esi - xor edx, esi - ; - rol edi, 14 - mov esi, edi - xor edi, edx - and edi, 033333333h - xor esi, edi - xor edx, edi - ; - rol edx, 22 - mov edi, edx - xor edx, esi - and edx, 003fc03fch - xor edi, edx - xor esi, edx - ; - rol edi, 9 - mov edx, edi - xor edi, esi - and edi, 0aaaaaaaah - xor edx, edi - xor esi, edi - ; - ror edx, 3 - ror esi, 2 - mov DWORD PTR 4[ebx],esi - mov esi, DWORD PTR 24[esp] - mov DWORD PTR [ebx],edx - mov edi, DWORD PTR 28[esp] - mov eax, DWORD PTR 32[esp] - push 0 - push eax - push ebx - call _des_encrypt2 - push 1 - push edi - push ebx - call _des_encrypt2 - push 0 - push esi - push ebx - call 
_des_encrypt2 - mov edi, DWORD PTR [ebx] - add esp, 36 - mov esi, DWORD PTR 4[ebx] - ; - ; FP - rol esi, 2 - rol edi, 3 - mov eax, edi - xor edi, esi - and edi, 0aaaaaaaah - xor eax, edi - xor esi, edi - ; - rol eax, 23 - mov edi, eax - xor eax, esi - and eax, 003fc03fch - xor edi, eax - xor esi, eax - ; - rol edi, 10 - mov eax, edi - xor edi, esi - and edi, 033333333h - xor eax, edi - xor esi, edi - ; - rol esi, 18 - mov edi, esi - xor esi, eax - and esi, 0fff0000fh - xor edi, esi - xor eax, esi - ; - rol edi, 12 - mov esi, edi - xor edi, eax - and edi, 0f0f0f0f0h - xor esi, edi - xor eax, edi - ; - ror eax, 4 - mov DWORD PTR [ebx],eax - mov DWORD PTR 4[ebx],esi - pop edi - pop esi - pop ebx - pop ebp - ret -_des_decrypt3 ENDP -_TEXT ENDS -END diff --git a/crypto/heimdal-0.6.3/lib/des/asm/win32.obj b/crypto/heimdal-0.6.3/lib/des/asm/win32.obj deleted file mode 100644 index 935b7e0cfe..0000000000 Binary files a/crypto/heimdal-0.6.3/lib/des/asm/win32.obj and /dev/null differ diff --git a/crypto/heimdal-0.6.3/lib/des/asm/win32.uu b/crypto/heimdal-0.6.3/lib/des/asm/win32.uu deleted file mode 100644 index b8fc7702b8..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/asm/win32.uu +++ /dev/null 
@@ -1,319 +0,0 @@ -begin 644 win32.obj -M3`$"`&*'V3)`-@``#``````````N=&5X=```````````````W"$``&0```!` -M(@`````````"```@`#!@+F1A=&$```#<(0````````````!`-@`````````` -M````````0``PP%535E>+="04,\F+!HM<)!R+?@3!P`2+\#/')?#P\/`S\#/X -MP<<4B\#^P"+;"08#X2U!P``BT4`,]N+500S -MQC/6)?S\_/R!XL_/S\^*V(K,PH0BZD``P``,_V+;"08BLXE_P```('B_P```(N;``8``#/[ -MBYD`!P``,_N+F``$```S^XN:``4``#/[BT4(,]N+50PSQS/7)?S\_/R!XL_/ -MS\^*V(K,PH0 -MBZD``P``,_6+;"08BLXE_P```('B_P```(N;``8``#/SBYD`!P``,_.+F``$ -M```S\XN:``4``#/SBT40,]N+510SQC/6)?S\_/R!XL_/S\^*V(K,PH0BZD``P``,_V+;"08 -MBLXE_P```('B_P```(N;``8``#/[BYD`!P``,_N+F``$```S^XN:``4``#/[ -MBT48,]N+51PSQS/7)?S\_/R!XL_/S\^*V(K,PH0BZD``P``,_6+;"08BLXE_P```('B_P`` -M`(N;``8``#/SBYD`!P``,_.+F``$```S\XN:``4``#/SBT4@,]N+520SQC/6 -M)?S\_/R!XL_/S\^*V(K,PH0BZD``P``,_V+;"08BLXE_P```('B_P```(N;``8``#/[BYD` -M!P``,_N+F``$```S^XN:``4``#/[BT4H,]N+52PSQS/7)?S\_/R!XL_/S\^* -MV(K,PH0BZD` -M`P``,_6+;"08BLXE_P```('B_P```(N;``8``#/SBYD`!P``,_.+F``$```S -M\XN:``4``#/SBT4P,]N+530SQC/6)?S\_/R!XL_/S\^*V(K,PH0BZD``P``,_V+;"08BLXE -M_P```('B_P```(N;``8``#/[BYD`!P``,_N+F``$```S^XN:``4``#/[BT4X -M,]N+53PSQS/7)?S\_/R!XL_/S\^*V(K,PH0BZD``P``,_6+;"08BLXE_P```('B_P```(N; -M``8``#/SBYD`!P``,_.+F``$```S\XN:``4``#/SBT5`,]N+540SQC/6)?S\ -M_/R!XL_/S\^*V(K,PH0BZD``P``,_V+;"08BLXE_P```('B_P```(N;``8``#/[BYD`!P`` -M,_N+F``$```S^XN:``4``#/[BT5(,]N+54PSQS/7)?S\_/R!XL_/S\^*V(K, -MPH0BZD``P`` -M,_6+;"08BLXE_P```('B_P```(N;``8``#/SBYD`!P``,_.+F``$```S\XN: -M``4``#/SBT50,]N+550SQC/6)?S\_/R!XL_/S\^*V(K,PH0BZD``P``,_V+;"08BLXE_P`` -M`('B_P```(N;``8``#/[BYD`!P``,_N+F``$```S^XN:``4``#/[BT58,]N+ -M55PSQS/7)?S\_/R!XL_/S\^*V(K,PH0BZD``P``,_6+;"08BLXE_P```('B_P```(N;``8` -M`#/SBYD`!P``,_.+F``$```S\XN:``4``#/SBT5@,]N+560SQC/6)?S\_/R! 
-MXL_/S\^*V(K,PH0BZD``P``,_V+;"08BLXE_P```('B_P```(N;``8``#/[BYD`!P``,_N+ -MF``$```S^XN:``4``#/[BT5H,]N+56PSQS/7)?S\_/R!XL_/S\^*V(K,PH0BZD``P``,_6+ -M;"08BLXE_P```('B_P```(N;``8``#/SBYD`!P``,_.+F``$```S\XN:``4` -M`#/SBT5P,]N+570SQC/6)?S\_/R!XL_/S\^*V(K,PH0BZD``P``,_V+;"08BLXE_P```('B -M_P```(N;``8``#/[BYD`!P``,_N+F``$```S^XN:``4``#/[BT5X,]N+57PS -MQS/7)?S\_/R!XL_/S\^*V(K,PH0BZD``P``,_6+;"08BLXE_P```('B_P```(N;``8``#/S -MBYD`!P``,_.+F``$```S\XN:``4``#/SZ;`'``"+17@SVXM5?#/&,]8E_/S\ -M_('BS\_/SXK8BLS!R@2+JP````"*VC/]BZD``@``,_V*SL'H$(NK``$``#/] -MBMS!ZA"+J0`#```S_8ML)!B*SB7_````@>+_````BYL`!@``,_N+F0`'```S -M^XN8``0``#/[BYH`!0``,_N+17`SVXM5=#/',]+_````BYL`!@``,_.+F0`'```S\XN8``0``#/SBYH` -M!0``,_.+16@SVXM5;#/&,]8E_/S\_('BS\_/SXK8BLS!R@2+JP````"*VC/] -MBZD``@``,_V*SL'H$(NK``$``#/]BMS!ZA"+J0`#```S_8ML)!B*SB7_```` -M@>+_````BYL`!@``,_N+F0`'```S^XN8``0``#/[BYH`!0``,_N+16`SVXM5 -M9#/',]+_````BYL`!@`` -M,_.+F0`'```S\XN8``0``#/SBYH`!0``,_.+15@SVXM57#/&,]8E_/S\_('B -MS\_/SXK8BLS!R@2+JP````"*VC/]BZD``@``,_V*SL'H$(NK``$``#/]BMS! 
-MZA"+J0`#```S_8ML)!B*SB7_````@>+_````BYL`!@``,_N+F0`'```S^XN8 -M``0``#/[BYH`!0``,_N+15`SVXM55#/',]+_````BYL`!@``,_.+F0`'```S\XN8``0``#/SBYH`!0`` -M,_.+14@SVXM53#/&,]8E_/S\_('BS\_/SXK8BLS!R@2+JP````"*VC/]BZD` -M`@``,_V*SL'H$(NK``$``#/]BMS!ZA"+J0`#```S_8ML)!B*SB7_````@>+_ -M````BYL`!@``,_N+F0`'```S^XN8``0``#/[BYH`!0``,_N+14`SVXM51#/' -M,]+_````BYL`!@``,_.+ -MF0`'```S\XN8``0``#/SBYH`!0``,_.+13@SVXM5/#/&,]8E_/S\_('BS\_/ -MSXK8BLS!R@2+JP````"*VC/]BZD``@``,_V*SL'H$(NK``$``#/]BMS!ZA"+ -MJ0`#```S_8ML)!B*SB7_````@>+_````BYL`!@``,_N+F0`'```S^XN8``0` -M`#/[BYH`!0``,_N+13`SVXM5-#/',]+_````BYL`!@``,_.+F0`'```S\XN8``0``#/SBYH`!0``,_.+ -M12@SVXM5+#/&,]8E_/S\_('BS\_/SXK8BLS!R@2+JP````"*VC/]BZD``@`` -M,_V*SL'H$(NK``$``#/]BMS!ZA"+J0`#```S_8ML)!B*SB7_````@>+_```` -MBYL`!@``,_N+F0`'```S^XN8``0``#/[BYH`!0``,_N+12`SVXM5)#/',]+_````BYL`!@``,_.+F0`' -M```S\XN8``0``#/SBYH`!0``,_.+11@SVXM5'#/&,]8E_/S\_('BS\_/SXK8 -MBLS!R@2+JP````"*VC/]BZD``@``,_V*SL'H$(NK``$``#/]BMS!ZA"+J0`# -M```S_8ML)!B*SB7_````@>+_````BYL`!@``,_N+F0`'```S^XN8``0``#/[ -MBYH`!0``,_N+11`SVXM5%#/',]+_````BYL`!@``,_.+F0`'```S\XN8``0``#/SBYH`!0``,_.+10@S -MVXM5##/&,]8E_/S\_('BS\_/SXK8BLS!R@2+JP````"*VC/]BZD``@``,_V* -MSL'H$(NK``$``#/]BMS!ZA"+J0`#```S_8ML)!B*SB7_````@>+_````BYL` -M!@``,_N+F0`'```S^XN8``0``#/[BYH`!0``,_N+10`SVXM5!#/',]+_````BYL`!@``,_.+F0`'```S -M\XN8``0``#/SBYH`!0``,_.+5"04T>JJJJJ,\6UW#55-65XM$)!0SR8LPBUPD','& -M`XMX!,''`X/[`(ML)!@/A+4'``"+10`SVXM5!#/&,]8E_/S\_('BS\_/SXK8 -MBLS!R@2+JP````"*VC/]BZD``@``,_V*SL'H$(NK``$``#/]BMS!ZA"+J0`# -M```S_8ML)!B*SB7_````@>+_````BYL`!@``,_N+F0`'```S^XN8``0``#/[ -MBYH`!0``,_N+10@SVXM5##/',]+_````BYL`!@``,_.+F0`'```S\XN8``0``#/SBYH`!0``,_.+11`S -MVXM5%#/&,]8E_/S\_('BS\_/SXK8BLS!R@2+JP````"*VC/]BZD``@``,_V* -MSL'H$(NK``$``#/]BMS!ZA"+J0`#```S_8ML)!B*SB7_````@>+_````BYL` -M!@``,_N+F0`'```S^XN8``0``#/[BYH`!0``,_N+11@SVXM5'#/',]+_````BYL`!@``,_.+F0`'```S -M\XN8``0``#/SBYH`!0``,_.+12`SVXM5)#/&,]8E_/S\_('BS\_/SXK8BLS! 
-MR@2+JP````"*VC/]BZD``@``,_V*SL'H$(NK``$``#/]BMS!ZA"+J0`#```S -M_8ML)!B*SB7_````@>+_````BYL`!@``,_N+F0`'```S^XN8``0``#/[BYH` -M!0``,_N+12@SVXM5+#/',]+_````BYL`!@``,_.+F0`'```S\XN8``0``#/SBYH`!0``,_.+13`SVXM5 -M-#/&,]8E_/S\_('BS\_/SXK8BLS!R@2+JP````"*VC/]BZD``@``,_V*SL'H -M$(NK``$``#/]BMS!ZA"+J0`#```S_8ML)!B*SB7_````@>+_````BYL`!@`` -M,_N+F0`'```S^XN8``0``#/[BYH`!0``,_N+13@SVXM5/#/',]+_````BYL`!@``,_.+F0`'```S\XN8 -M``0``#/SBYH`!0``,_.+14`SVXM51#/&,]8E_/S\_('BS\_/SXK8BLS!R@2+ -MJP````"*VC/]BZD``@``,_V*SL'H$(NK``$``#/]BMS!ZA"+J0`#```S_8ML -M)!B*SB7_````@>+_````BYL`!@``,_N+F0`'```S^XN8``0``#/[BYH`!0`` -M,_N+14@SVXM53#/',]+_ -M````BYL`!@``,_.+F0`'```S\XN8``0``#/SBYH`!0``,_.+15`SVXM55#/& -M,]8E_/S\_('BS\_/SXK8BLS!R@2+JP````"*VC/]BZD``@``,_V*SL'H$(NK -M``$``#/]BMS!ZA"+J0`#```S_8ML)!B*SB7_````@>+_````BYL`!@``,_N+ -MF0`'```S^XN8``0``#/[BYH`!0``,_N+15@SVXM57#/',]+_````BYL`!@``,_.+F0`'```S\XN8``0` -M`#/SBYH`!0``,_.+16`SVXM59#/&,]8E_/S\_('BS\_/SXK8BLS!R@2+JP`` -M``"*VC/]BZD``@``,_V*SL'H$(NK``$``#/]BMS!ZA"+J0`#```S_8ML)!B* -MSB7_````@>+_````BYL`!@``,_N+F0`'```S^XN8``0``#/[BYH`!0``,_N+ -M16@SVXM5;#/',]+_```` -MBYL`!@``,_.+F0`'```S\XN8``0``#/SBYH`!0``,_.+17`SVXM5=#/&,]8E -M_/S\_('BS\_/SXK8BLS!R@2+JP````"*VC/]BZD``@``,_V*SL'H$(NK``$` -M`#/]BMS!ZA"+J0`#```S_8ML)!B*SB7_````@>+_````BYL`!@``,_N+F0`' -M```S^XN8``0``#/[BYH`!0``,_N+17@SVXM5?#/',]+_````BYL`!@``,_.+F0`'```S\XN8``0``#/S -MBYH`!0``,_/IL`<``(M%>#/;BU5\,\8SUB7\_/S\@>+/S\_/BMB*S,'*!(NK -M`````(K:,_V+J0`"```S_8K.P>@0BZL``0``,_V*W,'J$(NI``,``#/]BVPD -M&(K.)?\```"!XO\```"+FP`&```S^XN9``<``#/[BY@`!```,_N+F@`%```S -M^XM%<#/;BU5T,\+/S\_/BMB*S,'*!(NK`````(K:,_6+J0`" -M```S]8K.P>@0BZL``0``,_6*W,'J$(NI``,``#/UBVPD&(K.)?\```"!XO\` -M``"+FP`&```S\XN9``<``#/SBY@`!```,_.+F@`%```S\XM%:#/;BU5L,\8S -MUB7\_/S\@>+/S\_/BMB*S,'*!(NK`````(K:,_V+J0`"```S_8K.P>@0BZL` -M`0``,_V*W,'J$(NI``,``#/]BVPD&(K.)?\```"!XO\```"+FP`&```S^XN9 -M``<``#/[BY@`!```,_N+F@`%```S^XM%8#/;BU5D,\+/S\_/ -MBMB*S,'*!(NK`````(K:,_6+J0`"```S]8K.P>@0BZL``0``,_6*W,'J$(NI 
-M``,``#/UBVPD&(K.)?\```"!XO\```"+FP`&```S\XN9``<``#/SBY@`!``` -M,_.+F@`%```S\XM%6#/;BU5<,\8SUB7\_/S\@>+/S\_/BMB*S,'*!(NK```` -M`(K:,_V+J0`"```S_8K.P>@0BZL``0``,_V*W,'J$(NI``,``#/]BVPD&(K. -M)?\```"!XO\```"+FP`&```S^XN9``<``#/[BY@`!```,_N+F@`%```S^XM% -M4#/;BU54,\+/S\_/BMB*S,'*!(NK`````(K:,_6+J0`"```S -M]8K.P>@0BZL``0``,_6*W,'J$(NI``,``#/UBVPD&(K.)?\```"!XO\```"+ -MFP`&```S\XN9``<``#/SBY@`!```,_.+F@`%```S\XM%2#/;BU5,,\8SUB7\ -M_/S\@>+/S\_/BMB*S,'*!(NK`````(K:,_V+J0`"```S_8K.P>@0BZL``0`` -M,_V*W,'J$(NI``,``#/]BVPD&(K.)?\```"!XO\```"+FP`&```S^XN9``<` -M`#/[BY@`!```,_N+F@`%```S^XM%0#/;BU5$,\+/S\_/BMB* -MS,'*!(NK`````(K:,_6+J0`"```S]8K.P>@0BZL``0``,_6*W,'J$(NI``,` -M`#/UBVPD&(K.)?\```"!XO\```"+FP`&```S\XN9``<``#/SBY@`!```,_.+ -MF@`%```S\XM%.#/;BU4\,\8SUB7\_/S\@>+/S\_/BMB*S,'*!(NK`````(K: -M,_V+J0`"```S_8K.P>@0BZL``0``,_V*W,'J$(NI``,``#/]BVPD&(K.)?\` -M``"!XO\```"+FP`&```S^XN9``<``#/[BY@`!```,_N+F@`%```S^XM%,#/; -MBU4T,\+/S\_/BMB*S,'*!(NK`````(K:,_6+J0`"```S]8K. -MP>@0BZL``0``,_6*W,'J$(NI``,``#/UBVPD&(K.)?\```"!XO\```"+FP`& -M```S\XN9``<``#/SBY@`!```,_.+F@`%```S\XM%*#/;BU4L,\8SUB7\_/S\ -M@>+/S\_/BMB*S,'*!(NK`````(K:,_V+J0`"```S_8K.P>@0BZL``0``,_V* -MW,'J$(NI``,``#/]BVPD&(K.)?\```"!XO\```"+FP`&```S^XN9``<``#/[ -MBY@`!```,_N+F@`%```S^XM%(#/;BU4D,\+/S\_/BMB*S,'* -M!(NK`````(K:,_6+J0`"```S]8K.P>@0BZL``0``,_6*W,'J$(NI``,``#/U -MBVPD&(K.)?\```"!XO\```"+FP`&```S\XN9``<``#/SBY@`!```,_.+F@`% -M```S\XM%&#/;BU4<,\8SUB7\_/S\@>+/S\_/BMB*S,'*!(NK`````(K:,_V+ -MJ0`"```S_8K.P>@0BZL``0``,_V*W,'J$(NI``,``#/]BVPD&(K.)?\```"! 
-MXO\```"+FP`&```S^XN9``<``#/[BY@`!```,_N+F@`%```S^XM%$#/;BU44 -M,\+/S\_/BMB*S,'*!(NK`````(K:,_6+J0`"```S]8K.P>@0 -MBZL``0``,_6*W,'J$(NI``,``#/UBVPD&(K.)?\```"!XO\```"+FP`&```S -M\XN9``<``#/SBY@`!```,_.+F@`%```S\XM%"#/;BU4,,\8SUB7\_/S\@>+/ -MS\_/BMB*S,'*!(NK`````(K:,_V+J0`"```S_8K.P>@0BZL``0``,_V*W,'J -M$(NI``,``#/]BVPD&(K.)?\```"!XO\```"+FP`&```S^XN9``<``#/[BY@` -M!```,_N+F@`%```S^XM%`#/;BU4$,\+/S\_/BMB*S,'*!(NK -M`````(K:,_6+J0`"```S]8K.P>@0BZL``0``,_6*W,'J$(NI``,``#/UBVPD -M&(K.)?\```"!XO\```"+FP`&```S\XN9``<``#/SBY@`!```,_.+F@`%```S -M\\'/`XM$)!3!S@.).(EP!%]>6UW#55-65XM<)!2+.XMS!,''!(O7,_Z!Y_#P -M\/`SUS/WP<84B_XS\H'F#P#P_S/^,];!QPZ+]S/Z@>___XL[@\0DBW,$P<8" -MP<<#B\+^#/&)?P#_`,S^#/PP<<*B\8/`/#_,_XSQL''#(OW,_B!Y_#P\/`S]S/'P<@$B0.) -M+7"04BSN+?P\/#P,]+\`_P#,_HS\L'' -M"8O7,_Z!YZJJJJHSUS/WP?P\/#P,_04```<````&`(8%```'````!@"?!0``!P````8`IP4```<````&`*\% -M```'````!@"W!0``!P````8`W04```<````&`.<%```'````!@#T!0``!P`` -M``8``08```<````&`!H&```'````!@`B!@``!P````8`*@8```<````&`#(& -M```'````!@!8!@``!P````8`8@8```<````&`&\&```'````!@!\!@``!P`` -M``8`E08```<````&`)T&```'````!@"E!@``!P````8`K08```<````&`-,& -M```'````!@#=!@``!P````8`Z@8```<````&`/<&```'````!@`0!P``!P`` -M``8`&`<```<````&`"`'```'````!@`H!P``!P````8`3@<```<````&`%@' -M```'````!@!E!P``!P````8`<@<```<````&`(L'```'````!@"3!P``!P`` -M``8`FP<```<````&`*,'```'````!@#)!P``!P````8`TP<```<````&`.`' -M```'````!@#M!P``!P````8`!@@```<````&``X(```'````!@`6"```!P`` -M``8`'@@```<````&`$D(```'````!@!3"```!P````8`8`@```<````&`&T( -M```'````!@"&"```!P````8`C@@```<````&`)8(```'````!@">"```!P`` -M``8`Q`@```<````&`,X(```'````!@#;"```!P````8`Z`@```<````&``$) -M```'````!@`)"0``!P````8`$0D```<````&`!D)```'````!@`_"0``!P`` -M``8`20D```<````&`%8)```'````!@!C"0``!P````8`?`D```<````&`(0) -M```'````!@","0``!P````8`E`D```<````&`+H)```'````!@#$"0``!P`` -M``8`T0D```<````&`-X)```'````!@#W"0``!P````8`_PD```<````&``<* -M```'````!@`/"@``!P````8`-0H```<````&`#\*```'````!@!,"@``!P`` -M``8`60H```<````&`'(*```'````!@!Z"@``!P````8`@@H```<````&`(H* 
-M```'````!@"P"@``!P````8`N@H```<````&`,<*```'````!@#4"@``!P`` -M``8`[0H```<````&`/4*```'````!@#]"@``!P````8`!0L```<````&`"L+ -M```'````!@`U"P``!P````8`0@L```<````&`$\+```'````!@!H"P``!P`` -M``8`<`L```<````&`'@+```'````!@"`"P``!P````8`I@L```<````&`+`+ -M```'````!@"]"P``!P````8`R@L```<````&`.,+```'````!@#K"P``!P`` -M``8`\PL```<````&`/L+```'````!@`A#```!P````8`*PP```<````&`#@, -M```'````!@!%#```!P````8`7@P```<````&`&8,```'````!@!N#```!P`` -M``8`=@P```<````&`)P,```'````!@"F#```!P````8`LPP```<````&`,`, -M```'````!@#9#```!P````8`X0P```<````&`.D,```'````!@#Q#```!P`` -M``8`%PT```<````&`"$-```'````!@`N#0``!P````8`.PT```<````&`%0- -M```'````!@!<#0``!P````8`9`T```<````&`&P-```'````!@"2#0``!P`` -M``8`G`T```<````&`*D-```'````!@"V#0``!P````8`SPT```<````&`-<- -M```'````!@#?#0``!P````8`YPT```<````&``T.```'````!@`7#@``!P`` -M``8`)`X```<````&`#$.```'````!@!*#@``!P````8`4@X```<````&`%H. -M```'````!@!B#@``!P````8`B`X```<````&`)(.```'````!@"?#@``!P`` -M``8`K`X```<````&`,4.```'````!@#-#@``!P````8`U0X```<````&`-T. 
-M```'````!@`##P``!P````8`#0\```<````&`!H/```'````!@`G#P``!P`` -M``8`0`\```<````&`$@/```'````!@!0#P``!P````8`6`\```<````&`'X/ -M```'````!@"(#P``!P````8`E0\```<````&`*(/```'````!@"[#P``!P`` -M``8`PP\```<````&`,L/```'````!@#3#P``!P````8`@Q````<````&`(T0 -M```'````!@":$```!P````8`IQ````<````&`,`0```'````!@#($```!P`` -M``8`T!````<````&`-@0```'````!@#^$```!P````8`"!$```<````&`!41 -M```'````!@`B$0``!P````8`.Q$```<````&`$,1```'````!@!+$0``!P`` -M``8`4Q$```<````&`'D1```'````!@"#$0``!P````8`D!$```<````&`)T1 -M```'````!@"V$0``!P````8`OA$```<````&`,81```'````!@#.$0``!P`` -M``8`]!$```<````&`/X1```'````!@`+$@``!P````8`&!(```<````&`#$2 -M```'````!@`Y$@``!P````8`01(```<````&`$D2```'````!@!O$@``!P`` -M``8`>1(```<````&`(82```'````!@"3$@``!P````8`K!(```<````&`+02 -M```'````!@"\$@``!P````8`Q!(```<````&`.H2```'````!@#T$@``!P`` -M``8``1,```<````&``X3```'````!@`G$P``!P````8`+Q,```<````&`#<3 -M```'````!@`_$P``!P````8`91,```<````&`&\3```'````!@!\$P``!P`` -M``8`B1,```<````&`*(3```'````!@"J$P``!P````8`LA,```<````&`+H3 -M```'````!@#@$P``!P````8`ZA,```<````&`/<3```'````!@`$%```!P`` -M``8`'10```<````&`"44```'````!@`M%```!P````8`-10```<````&`%L4 -M```'````!@!E%```!P````8`%0``!P`` -M``8`IA4```<````&`,P5```'````!@#6%0``!P````8`XQ4```<````&`/`5 -M```'````!@`)%@``!P````8`$18```<````&`!D6```'````!@`A%@``!P`` -M``8`1Q8```<````&`%$6```'````!@!>%@``!P````8`:Q8```<````&`(06 -M```'````!@",%@``!P````8`E!8```<````&`)P6```'````!@#"%@``!P`` -M``8`S!8```<````&`-D6```'````!@#F%@``!P````8`_Q8```<````&``<7 -M```'````!@`/%P``!P````8`%Q<```<````&`#T7```'````!@!'%P``!P`` -M``8`5!<```<````&`&$7```'````!@!Z%P``!P````8`@A<```<````&`(H7 -M```'````!@"2%P``!P````8`N!<```<````&`,(7```'````!@#/%P``!P`` -M``8`W!<```<````&`/47```'````!@#]%P``!P````8`!1@```<````&``T8 -M```'````!@`X&```!P````8`0A@```<````&`$\8```'````!@!<&```!P`` -M``8`=1@```<````&`'T8```'````!@"%&```!P````8`C1@```<````&`+,8 -M```'````!@"]&```!P````8`RA@```<````&`-<8```'````!@#P&```!P`` -M``8`^!@```<````&```9```'````!@`(&0``!P````8`+AD```<````&`#@9 
-M```'````!@!%&0``!P````8`4AD```<````&`&L9```'````!@!S&0``!P`` -M``8`>QD```<````&`(,9```'````!@"I&0``!P````8`LQD```<````&`,`9 -M```'````!@#-&0``!P````8`YAD```<````&`.X9```'````!@#V&0``!P`` -M``8`_AD```<````&`"0:```'````!@`N&@``!P````8`.QH```<````&`$@: -M```'````!@!A&@``!P````8`:1H```<````&`'$:```'````!@!Y&@``!P`` -M``8`GQH```<````&`*D:```'````!@"V&@``!P````8`PQH```<````&`-P: -M```'````!@#D&@``!P````8`[!H```<````&`/0:```'````!@`:&P``!P`` -M``8`)!L```<````&`#$;```'````!@`^&P``!P````8`5QL```<````&`%\; -M```'````!@!G&P``!P````8`;QL```<````&`)4;```'````!@"?&P``!P`` -M``8`K!L```<````&`+D;```'````!@#2&P``!P````8`VAL```<````&`.(; -M```'````!@#J&P``!P````8`$!P```<````&`!H<```'````!@`G'```!P`` -M``8`-!P```<````&`$T<```'````!@!5'```!P````8`71P```<````&`&4< -M```'````!@"+'```!P````8`E1P```<````&`*(<```'````!@"O'```!P`` -M``8`R!P```<````&`-`<```'````!@#8'```!P````8`X!P```<````&``8= -M```'````!@`0'0``!P````8`'1T```<````&`"H=```'````!@!#'0``!P`` -M``8`2QT```<````&`%,=```'````!@!;'0``!P````8`@1T```<````&`(L= -M```'````!@"8'0``!P````8`I1T```<````&`+X=```'````!@#&'0``!P`` -M``8`SAT```<````&`-8=```'````!@#\'0``!P````8`!AX```<````&`!,> -M```'````!@`@'@``!P````8`.1X```<````&`$$>```'````!@!)'@``!P`` -M``8`41X```<````&`'<>```'````!@"!'@``!P````8`CAX```<````&`)L> -M```'````!@"T'@``!P````8`O!X```<````&`,0>```'````!@#,'@``!P`` -M``8`\AX```<````&`/P>```'````!@`)'P``!P````8`%A\```<````&`"\? -M```'````!@`W'P``!P````8`/Q\```<````&`$````/1````$`(``"```````L````W!\```$`(``" -M```````Z````W"````$`(``"`$@```!?9&5S7U-0=')A;G,`7V1E7!T`%]D97-?96YC7!T,P!?9&5S7V1E8W)Y<'0S -!```` -` -end diff --git a/crypto/heimdal-0.6.3/lib/des/asm/x86ms.pl b/crypto/heimdal-0.6.3/lib/des/asm/x86ms.pl deleted file mode 100644 index 18b11864c1..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/asm/x86ms.pl +++ /dev/null 
@@ -1,223 +0,0 @@
-#!/usr/local/bin/perl
-
-package x86ms;
-
-$label="L000";
-
-%lb=( 'eax', 'al',
- 'ebx', 'bl',
- 'ecx', 'cl',
- 'edx', 'dl',
- 'ax', 'al',
- 'bx', 'bl',
- 'cx', 'cl',
- 'dx', 'dl',
- );
-
-%hb=( 'eax', 'ah',
- 'ebx', 'bh',
- 'ecx', 'ch',
- 'edx', 'dh',
- 'ax', 'ah',
- 'bx', 'bh',
- 'cx', 'ch',
- 'dx', 'dh',
- );
-
-sub main'LB
- {
- (defined($lb{$_[0]})) || die "$_[0] does not have a 'low byte'\n";
- return($lb{$_[0]});
- }
-
-sub main'HB
- {
- (defined($hb{$_[0]})) || die "$_[0] does not have a 'high byte'\n";
- return($hb{$_[0]});
- }
-
-sub main'DWP
- {
- local($addr,$reg1,$reg2,$idx)=@_;
- local($t);
- local($ret)="DWORD PTR ";
-
- $addr =~ s/^\s+//;
- if ($addr =~ /^(.+)\+(.+)$/)
- {
- $reg2=&conv($1);
- $addr="_$2";
- }
- elsif ($addr =~ /^[_a-zA-Z]/)
- {
- $addr="_$addr";
- }
-
- $reg1="$regs{$reg1}" if defined($regs{$reg1});
- $reg2="$regs{$reg2}" if defined($regs{$reg2});
- $ret.=$addr if ($addr ne "") && ($addr ne 0);
- if ($reg2 ne "")
- {
- $t="";
- $t="*$idx" if ($idx != 0);
- $ret.="[$reg2$t+$reg1]";
- }
- else
- {
- $ret.="[$reg1]"
- }
- return($ret);
- }
-
-sub main'mov { &out2("mov",@_); }
-sub main'movb { &out2("mov",@_); }
-sub main'and { &out2("and",@_); }
-sub main'or { &out2("or",@_); }
-sub main'shl { &out2("shl",@_); }
-sub main'shr { &out2("shr",@_); }
-sub main'xor { &out2("xor",@_); }
-sub main'add { &out2("add",@_); }
-sub main'sub { &out2("sub",@_); }
-sub main'rotl { &out2("rol",@_); }
-sub main'rotr { &out2("ror",@_); }
-sub main'exch { &out2("xchg",@_); }
-sub main'cmp { &out2("cmp",@_); }
-sub main'dec { &out1("dec",@_); }
-sub main'jmp { &out1("jmp",@_); }
-sub main'je { &out1("je",@_); }
-sub main'jz { &out1("jz",@_); }
-sub main'push { &out1("push",@_); }
-sub main'call { &out1("call",'_'.$_[0]); }
-
-
-sub out2
- {
- local($name,$p1,$p2)=@_;
- local($l,$t);
-
- print "\t$name\t";
- $t=&conv($p1).",";
- $l=length($t);
- print $t;
- $l=4-($l+9)/8;
- print "\t" x $l;
- print &conv($p2);
- print "\n";
- }
-
-sub out1
- {
- local($name,$p1)=@_;
- local($l,$t);
-
- print "\t$name\t";
- print &conv($p1);
- print "\n";
- }
-
-sub conv
- {
- local($p)=@_;
-
- $p =~ s/0x([0-9A-Fa-f]+)/0$1h/;
- return $p;
- }
-
-sub main'file
- {
- local($file)=@_;
-
- print <<"EOF";
- TITLE $file.asm
- .386
-.model FLAT
-EOF
- }
-
-sub main'function_begin
- {
- local($func,$num)=@_;
-
- $params=$num*4;
-
- print <<"EOF";
-_TEXT SEGMENT
-PUBLIC _$func
-EXTRN _des_SPtrans:DWORD
-_$func PROC NEAR
- push ebp
- push ebx
- push esi
- push edi
-EOF
- $stack=20;
- }
-
-sub main'function_end
- {
- local($func)=@_;
-
- print <<"EOF";
- pop edi
- pop esi
- pop ebx
- pop ebp
- ret
-_$func ENDP
-_TEXT ENDS
-EOF
- $stack=0;
- %label=();
- }
-
-sub main'file_end
- {
- print "END\n"
- }
-
-sub main'wparam
- {
- local($num)=@_;
-
- return(&main'DWP($stack+$num*4,"esp","",0));
- }
-
-sub main'wtmp
- {
- local($num)=@_;
-
- return(&main'DWP($stack+$params+$num*4,"esp","",0));
- }
-
-sub main'comment
- {
- foreach (@_)
- {
- print "\t; $_\n";
- }
- }
-
-sub main'label
- {
- if (!defined($label{$_[0]}))
- {
- $label{$_[0]}="\$${label}${_[0]}";
- $label++;
- }
- return($label{$_[0]});
- }
-
-sub main'set_label
- {
- if (!defined($label{$_[0]}))
- {
- $label{$_[0]}="${label}${_[0]}";
- $label++;
- }
- print "$label{$_[0]}:\n";
- }
-
-sub main'file_end
- {
- print "END\n";
- }
diff --git a/crypto/heimdal-0.6.3/lib/des/asm/x86unix.pl b/crypto/heimdal-0.6.3/lib/des/asm/x86unix.pl
deleted file mode 100644
index 2048a9cc3a..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/asm/x86unix.pl
+++ /dev/null
@@ -1,253 +0,0 @@
-#!/usr/local/bin/perl
-
-package x86ms;
-
-$label="L000";
-
-$align=($main'aout)?"4":"16";
-$under=($main'aout)?"_":"";
-$com_start=($main'sol)?"/":"#";
-
-if ($main'cpp)
- {
- $align="ALIGN";
- $under="";
- $com_start='/*';
- $com_end='*/';
- }
-
-%lb=( 'eax', '%al',
- 'ebx', '%bl',
- 'ecx', '%cl',
- 'edx', '%dl',
- 'ax', '%al',
- 'bx', '%bl',
- 'cx', '%cl',
- 'dx', '%dl',
- );
-
-%hb=( 'eax', '%ah',
- 'ebx', '%bh',
- 'ecx', '%ch',
- 'edx', '%dh',
- 'ax', '%ah',
- 'bx', '%bh',
- 'cx', '%ch',
- 'dx', '%dh',
- );
-
-%regs=( 'eax', '%eax',
- 'ebx', '%ebx',
- 'ecx', '%ecx',
- 'edx', '%edx',
- 'esi', '%esi',
- 'edi', '%edi',
- 'ebp', '%ebp',
- 'esp', '%esp',
- );
-
-sub main'LB
- {
- (defined($lb{$_[0]})) || die "$_[0] does not have a 'low byte'\n";
- return($lb{$_[0]});
- }
-
-sub main'HB
- {
- (defined($hb{$_[0]})) || die "$_[0] does not have a 'high byte'\n";
- return($hb{$_[0]});
- }
-
-sub main'DWP
- {
- local($addr,$reg1,$reg2,$idx)=@_;
-
-
- $ret="";
-
- $addr =~ s/(^|[+ \t])([A-Za-z_]+)($|[+ \t])/$1$under$2$3/;
-
- $reg1="$regs{$reg1}" if defined($regs{$reg1});
- $reg2="$regs{$reg2}" if defined($regs{$reg2});
- $ret.=$addr if ($addr ne "") && ($addr ne 0);
- if ($reg2 ne "")
- {
- $ret.="($reg1,$reg2,$idx)";
- }
- else
- {
- $ret.="($reg1)"
- }
- return($ret);
- }
-
-sub main'mov { &out2("movl",@_); }
-sub main'movb { &out2("movb",@_); }
-sub main'and { &out2("andl",@_); }
-sub main'or { &out2("orl",@_); }
-sub main'shl { &out2("shll",@_); }
-sub main'shr { &out2("shrl",@_); }
-sub main'xor { &out2("xorl",@_); }
-sub main'add { &out2("addl",@_); }
-sub main'sub { &out2("subl",@_); }
-sub main'rotl { &out2("roll",@_); }
-sub main'rotr { &out2("rorl",@_); }
-sub main'exch { &out2("xchg",@_); }
-sub main'cmp { &out2("cmpl",@_); }
-sub main'jmp { &out1("jmp",@_); }
-sub main'je { &out1("je",@_); }
-sub main'jne { &out1("jne",@_); }
-sub main'jnz { &out1("jnz",@_); }
-sub main'dec { &out1("decl",@_); }
-sub main'push { &out1("pushl",@_); }
-sub main'call { &out1("call",$under.$_[0]); }
-
-
-sub out2
- {
- local($name,$p1,$p2)=@_;
- local($l,$ll,$t);
-
- print "\t$name\t";
- $t=&conv($p2).",";
- $l=length($t);
- print $t;
- $ll=4-($l+9)/8;
- print "\t" x $ll;
- print &conv($p1);
- print "\n";
- }
-
-sub out1
- {
- local($name,$p1)=@_;
- local($l,$t);
-
- print "\t$name\t";
- print &conv($p1);
- print "\n";
- }
-
-sub conv
- {
- local($p)=@_;
-
-# $p =~ s/0x([0-9A-Fa-f]+)/0$1h/;
-
- $p=$regs{$p} if (defined($regs{$p}));
-
- $p =~ s/^([0-9A-Fa-f]+)$/\$$1/;
- $p =~ s/^(0x[0-9A-Fa-f]+)$/\$$1/;
- return $p;
- }
-
-sub main'file
- {
- local($file)=@_;
-
- print <<"EOF";
- .file "$file.s"
- .version "01.01"
-gcc2_compiled.:
-EOF
- }
-
-sub main'function_begin
- {
- local($func,$num)=@_;
-
- $params=$num*4;
-
- $func=$under.$func;
-
- print <<"EOF";
-.text
- .align $align
-.globl $func
-EOF
- if ($main'cpp)
- { printf("\tTYPE($func,\@function)\n"); }
- else { printf("\t.type $func,\@function\n"); }
- print <<"EOF";
-$func:
- pushl %ebp
- pushl %ebx
- pushl %esi
- pushl %edi
-
-EOF
- $stack=20;
- }
-
-sub main'function_end
- {
- local($func)=@_;
-
- $func=$under.$func;
-
- print <<"EOF";
- popl %edi
- popl %esi
- popl %ebx
- popl %ebp
- ret
-.${func}_end:
-EOF
- if ($main'cpp)
- { printf("\tSIZE($func,.${func}_end-$func)\n"); }
- else { printf("\t.size\t$func,.${func}_end-$func\n"); }
- print ".ident \"desasm.pl\"\n";
- $stack=0;
- %label=();
- }
-
-
-sub main'wparam
- {
- local($num)=@_;
-
- return(&main'DWP($stack+$num*4,"esp","",0));
- }
-
-sub main'wtmp
- {
- local($num)=@_;
-
- return(&main'DWP(-($num+1)*4,"esp","",0));
- }
-
-sub main'comment
- {
- foreach (@_)
- {
- if (/^\s*$/)
- { print "\n"; }
- else
- { print "\t$com_start $_ $com_end\n"; }
- }
- }
-
-sub main'label
- {
- if (!defined($label{$_[0]}))
- {
- $label{$_[0]}=".${label}${_[0]}";
- $label++;
- }
- return($label{$_[0]});
- }
-
-sub main'set_label
- {
- if (!defined($label{$_[0]}))
- {
- $label{$_[0]}=".${label}${_[0]}";
- $label++;
- }
- print ".align $align\n";
- print "$label{$_[0]}:\n";
- }
-
-sub main'file_end
- {
- }
diff --git a/crypto/heimdal-0.6.3/lib/des/cbc3_enc.c b/crypto/heimdal-0.6.3/lib/des/cbc3_enc.c
deleted file mode 100644
index 3b3f2821d2..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/cbc3_enc.c
+++ /dev/null
@@ -1,99 +0,0 @@
-/* crypto/des/cbc3_enc.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@mincom.oz.au)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@mincom.oz.au).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@mincom.oz.au).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@mincom.oz.au)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@mincom.oz.au)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include "des_locl.h"
-
-/* HAS BUGS? DON'T USE */
-void des_3cbc_encrypt(input, output, length, ks1, ks2, iv1, iv2, encrypt)
-des_cblock (*input);
-des_cblock (*output);
-long length;
-des_key_schedule ks1;
-des_key_schedule ks2;
-des_cblock (*iv1);
-des_cblock (*iv2);
-int encrypt;
- {
- int off=((int)length-1)/8;
- long l8=((length+7)/8)*8;
- des_cblock niv1,niv2;
-
- if (encrypt == DES_ENCRYPT)
- {
- des_cbc_encrypt(input,output,length,ks1,iv1,encrypt);
- if (length >= sizeof(des_cblock))
- memcpy(niv1,output[off],sizeof(des_cblock));
- des_cbc_encrypt(output,output,l8,ks2,iv1,!encrypt);
- des_cbc_encrypt(output,output,l8,ks1,iv2, encrypt);
- if (length >= sizeof(des_cblock))
- memcpy(niv2,output[off],sizeof(des_cblock));
- }
- else
- {
- if (length >= sizeof(des_cblock))
- memcpy(niv2,input[off],sizeof(des_cblock));
- des_cbc_encrypt(input,output,l8,ks1,iv2,encrypt);
- des_cbc_encrypt(output,output,l8,ks2,iv1,!encrypt);
- if (length >= sizeof(des_cblock))
- memcpy(niv1,output[off],sizeof(des_cblock));
- des_cbc_encrypt(output,output,length,ks1,iv1, encrypt);
- }
- memcpy(*iv1,niv1,sizeof(des_cblock));
- memcpy(*iv2,niv2,sizeof(des_cblock));
- }
-
diff --git a/crypto/heimdal-0.6.3/lib/des/cbc_cksm.c b/crypto/heimdal-0.6.3/lib/des/cbc_cksm.c
deleted file mode 100644
index 5dfa9b8a61..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/cbc_cksm.c
+++ /dev/null
@@ -1,103 +0,0 @@
-/* crypto/des/cbc_cksm.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@mincom.oz.au)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@mincom.oz.au).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@mincom.oz.au).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@mincom.oz.au)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@mincom.oz.au)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include "des_locl.h"
-
-DES_LONG des_cbc_cksum(input, output, length, schedule, ivec)
-des_cblock (*input);
-des_cblock (*output);
-long length;
-des_key_schedule schedule;
-des_cblock (*ivec);
- {
- register DES_LONG tout0,tout1,tin0,tin1;
- register long l=length;
- DES_LONG tin[2];
- unsigned char *in,*out,*iv;
-
- in=(unsigned char *)input;
- out=(unsigned char *)output;
- iv=(unsigned char *)ivec;
-
- c2l(iv,tout0);
- c2l(iv,tout1);
- for (; l>0; l-=8)
- {
- if (l >= 8)
- {
- c2l(in,tin0);
- c2l(in,tin1);
- }
- else
- c2ln(in,tin0,tin1,l);
-
- tin0^=tout0; tin[0]=tin0;
- tin1^=tout1; tin[1]=tin1;
- des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT);
- /* fix 15/10/91 eay - thanks to keithr@sco.COM */
- tout0=tin[0];
- tout1=tin[1];
- }
- if (out != NULL)
- {
- l2c(tout0,out);
- l2c(tout1,out);
- }
- tout0=tin0=tin1=tin[0]=tin[1]=0;
- return(tout1);
- }
diff --git a/crypto/heimdal-0.6.3/lib/des/cbc_enc.c b/crypto/heimdal-0.6.3/lib/des/cbc_enc.c
deleted file mode 100644
index e7a90ce985..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/cbc_enc.c
+++ /dev/null
@@ -1,135 +0,0 @@
-/* crypto/des/cbc_enc.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@mincom.oz.au)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@mincom.oz.au).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@mincom.oz.au).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@mincom.oz.au)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@mincom.oz.au)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include "des_locl.h"
-
-void des_cbc_encrypt(input, output, length, schedule, ivec, encrypt)
-des_cblock (*input);
-des_cblock (*output);
-long length;
-des_key_schedule schedule;
-des_cblock (*ivec);
-int encrypt;
- {
- register DES_LONG tin0,tin1;
- register DES_LONG tout0,tout1,xor0,xor1;
- register unsigned char *in,*out;
- register long l=length;
- DES_LONG tin[2];
- unsigned char *iv;
-
- in=(unsigned char *)input;
- out=(unsigned char *)output;
- iv=(unsigned char *)ivec;
-
- if (encrypt)
- {
- c2l(iv,tout0);
- c2l(iv,tout1);
- for (l-=8; l>=0; l-=8)
- {
- c2l(in,tin0);
- c2l(in,tin1);
- tin0^=tout0; tin[0]=tin0;
- tin1^=tout1; tin[1]=tin1;
- des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT);
- tout0=tin[0]; l2c(tout0,out);
- tout1=tin[1]; l2c(tout1,out);
- }
- if (l != -8)
- {
- c2ln(in,tin0,tin1,l+8);
- tin0^=tout0; tin[0]=tin0;
- tin1^=tout1; tin[1]=tin1;
- des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT);
- tout0=tin[0]; l2c(tout0,out);
- tout1=tin[1]; l2c(tout1,out);
- }
- }
- else
- {
- c2l(iv,xor0);
- c2l(iv,xor1);
- for (l-=8; l>=0; l-=8)
- {
- c2l(in,tin0); tin[0]=tin0;
- c2l(in,tin1); tin[1]=tin1;
- des_encrypt((DES_LONG *)tin,schedule,DES_DECRYPT);
- tout0=tin[0]^xor0;
- tout1=tin[1]^xor1;
- l2c(tout0,out);
- l2c(tout1,out);
- xor0=tin0;
- xor1=tin1;
- }
- if (l != -8)
- {
- c2l(in,tin0); tin[0]=tin0;
- c2l(in,tin1); tin[1]=tin1;
- des_encrypt((DES_LONG *)tin,schedule,DES_DECRYPT);
- tout0=tin[0]^xor0;
- tout1=tin[1]^xor1;
- l2cn(tout0,tout1,out,l+8);
- /* xor0=tin0;
- xor1=tin1; */
- }
- }
- tin0=tin1=tout0=tout1=xor0=xor1=0;
- tin[0]=tin[1]=0;
- }
-
diff --git a/crypto/heimdal-0.6.3/lib/des/cfb64ede.c b/crypto/heimdal-0.6.3/lib/des/cfb64ede.c
deleted file mode 100644
index b1e127a1e8..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/cfb64ede.c
+++ /dev/null
@@ -1,151 +0,0 @@
-/* crypto/des/cfb64ede.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@mincom.oz.au)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@mincom.oz.au).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@mincom.oz.au).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@mincom.oz.au)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@mincom.oz.au)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include "des_locl.h"
-
-/* The input and output encrypted as though 64bit cfb mode is being
- * used. The extra state information to record how much of the
- * 64bit block we have used is contained in *num;
- */
-
-void des_ede3_cfb64_encrypt(in, out, length, ks1,ks2,ks3, ivec, num, encrypt)
-unsigned char *in;
-unsigned char *out;
-long length;
-des_key_schedule ks1,ks2,ks3;
-des_cblock (*ivec);
-int *num;
-int encrypt;
- {
- register DES_LONG v0,v1;
- register long l=length;
- register int n= *num;
- DES_LONG ti[2];
- unsigned char *iv,c,cc;
-
- iv=(unsigned char *)ivec;
- if (encrypt)
- {
- while (l--)
- {
- if (n == 0)
- {
- c2l(iv,v0);
- c2l(iv,v1);
-
- ti[0]=v0;
- ti[1]=v1;
- des_encrypt3((DES_LONG *)ti,ks1,ks2,ks3);
- v0=ti[0];
- v1=ti[1];
-
- iv=(unsigned char *)ivec;
- l2c(v0,iv);
- l2c(v1,iv);
- iv=(unsigned char *)ivec;
- }
- c= *(in++)^iv[n];
- *(out++)=c;
- iv[n]=c;
- n=(n+1)&0x07;
- }
- }
- else
- {
- while (l--)
- {
- if (n == 0)
- {
- c2l(iv,v0);
- c2l(iv,v1);
-
- ti[0]=v0;
- ti[1]=v1;
- des_encrypt3((DES_LONG *)ti,ks1,ks2,ks3);
- v0=ti[0];
- v1=ti[1];
-
- iv=(unsigned char *)ivec;
- l2c(v0,iv);
- l2c(v1,iv);
- iv=(unsigned char *)ivec;
- }
- cc= *(in++);
- c=iv[n];
- iv[n]=cc;
- *(out++)=c^cc;
- n=(n+1)&0x07;
- }
- }
- v0=v1=ti[0]=ti[1]=c=cc=0;
- *num=n;
- }
-
-#ifdef undef /* MACRO */
-void des_ede2_cfb64_encrypt(in, out, length, ks1,ks2, ivec, num, encrypt)
-unsigned char *in;
-unsigned char *out;
-long length;
-des_key_schedule ks1,ks2;
-des_cblock (*ivec);
-int *num;
-int encrypt;
- {
- des_ede3_cfb64_encrypt(in,out,length,ks1,ks2,ks1,ivec,num,encrypt);
- }
-#endif
diff --git a/crypto/heimdal-0.6.3/lib/des/cfb64enc.c b/crypto/heimdal-0.6.3/lib/des/cfb64enc.c
deleted file mode 100644
index 66c944a82d..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/cfb64enc.c
+++ /dev/null
@@ -1,128 +0,0 @@
-/* crypto/des/cfb64enc.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@mincom.oz.au)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@mincom.oz.au).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@mincom.oz.au).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@mincom.oz.au)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@mincom.oz.au)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include "des_locl.h"
-
-/* The input and output encrypted as though 64bit cfb mode is being
- * used. The extra state information to record how much of the
- * 64bit block we have used is contained in *num;
- */
-
-void des_cfb64_encrypt(in, out, length, schedule, ivec, num, encrypt)
-unsigned char *in;
-unsigned char *out;
-long length;
-des_key_schedule schedule;
-des_cblock (*ivec);
-int *num;
-int encrypt;
- {
- register DES_LONG v0,v1;
- register long l=length;
- register int n= *num;
- DES_LONG ti[2];
- unsigned char *iv,c,cc;
-
- iv=(unsigned char *)ivec;
- if (encrypt)
- {
- while (l--)
- {
- if (n == 0)
- {
- c2l(iv,v0); ti[0]=v0;
- c2l(iv,v1); ti[1]=v1;
- des_encrypt((DES_LONG *)ti,
- schedule,DES_ENCRYPT);
- iv=(unsigned char *)ivec;
- v0=ti[0]; l2c(v0,iv);
- v0=ti[1]; l2c(v0,iv);
- iv=(unsigned char *)ivec;
- }
- c= *(in++)^iv[n];
- *(out++)=c;
- iv[n]=c;
- n=(n+1)&0x07;
- }
- }
- else
- {
- while (l--)
- {
- if (n == 0)
- {
- c2l(iv,v0); ti[0]=v0;
- c2l(iv,v1); ti[1]=v1;
- des_encrypt((DES_LONG *)ti,
- schedule,DES_ENCRYPT);
- iv=(unsigned char *)ivec;
- v0=ti[0]; l2c(v0,iv);
- v0=ti[1]; l2c(v0,iv);
- iv=(unsigned char *)ivec;
- }
- cc= *(in++);
- c=iv[n];
- iv[n]=cc;
- *(out++)=c^cc;
- n=(n+1)&0x07;
- }
- }
- v0=v1=ti[0]=ti[1]=c=cc=0;
- *num=n;
- }
-
diff --git a/crypto/heimdal-0.6.3/lib/des/cfb_enc.c b/crypto/heimdal-0.6.3/lib/des/cfb_enc.c
deleted file mode 100644
index 52a360dcb3..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/cfb_enc.c
+++ /dev/null
@@ -1,171 +0,0 @@ -/* crypto/des/cfb_enc.c */ -/* Copyright (C) 1995-1997 Eric Young (eay@mincom.oz.au) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@mincom.oz.au). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@mincom.oz.au). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@mincom.oz.au)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. 
If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@mincom.oz.au)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include "des_locl.h" - -/* The input and output are loaded in multiples of 8 bits. - * What this means is that if you hame numbits=12 and length=2 - * the first 12 bits will be retrieved from the first byte and half - * the second. The second 12 bits will come from the 3rd and half the 4th - * byte. 
- */ -void des_cfb_encrypt(in, out, numbits, length, schedule, ivec, encrypt) -unsigned char *in; -unsigned char *out; -int numbits; -long length; -des_key_schedule schedule; -des_cblock (*ivec); -int encrypt; - { - register DES_LONG d0,d1,v0,v1,n=(numbits+7)/8; - register DES_LONG mask0,mask1; - register unsigned long l=length; - register int num=numbits; - DES_LONG ti[2]; - unsigned char *iv; - - if (num > 64) return; - if (num > 32) - { - mask0=0xffffffffL; - if (num == 64) - mask1=mask0; - else mask1=(1L<<(num-32))-1; - } - else - { - if (num == 32) - mask0=0xffffffffL; - else mask0=(1L<= n) - { - l-=n; - ti[0]=v0; - ti[1]=v1; - des_encrypt((DES_LONG *)ti,schedule,DES_ENCRYPT); - c2ln(in,d0,d1,n); - in+=n; - d0=(d0^ti[0])&mask0; - d1=(d1^ti[1])&mask1; - l2cn(d0,d1,out,n); - out+=n; - /* 30-08-94 - eay - changed because l>>32 and - * l<<32 are bad under gcc :-( */ - if (num == 32) - { v0=v1; v1=d0; } - else if (num == 64) - { v0=d0; v1=d1; } - else if (num > 32) /* && num != 64 */ - { - v0=((v1>>(num-32))|(d0<<(64-num)))&0xffffffffL; - v1=((d0>>(num-32))|(d1<<(64-num)))&0xffffffffL; - } - else /* num < 32 */ - { - v0=((v0>>num)|(v1<<(32-num)))&0xffffffffL; - v1=((v1>>num)|(d0<<(32-num)))&0xffffffffL; - } - } - } - else - { - while (l >= n) - { - l-=n; - ti[0]=v0; - ti[1]=v1; - des_encrypt((DES_LONG *)ti,schedule,DES_ENCRYPT); - c2ln(in,d0,d1,n); - in+=n; - /* 30-08-94 - eay - changed because l>>32 and - * l<<32 are bad under gcc :-( */ - if (num == 32) - { v0=v1; v1=d0; } - else if (num == 64) - { v0=d0; v1=d1; } - else if (num > 32) /* && num != 64 */ - { - v0=((v1>>(num-32))|(d0<<(64-num)))&0xffffffffL; - v1=((d0>>(num-32))|(d1<<(64-num)))&0xffffffffL; - } - else /* num < 32 */ - { - v0=((v0>>num)|(v1<<(32-num)))&0xffffffffL; - v1=((v1>>num)|(d0<<(32-num)))&0xffffffffL; - } - d0=(d0^ti[0])&mask0; - d1=(d1^ti[1])&mask1; - l2cn(d0,d1,out,n); - out+=n; - } - } - iv=(unsigned char *)ivec; - l2c(v0,iv); - l2c(v1,iv); - v0=v1=d0=d1=ti[0]=ti[1]=0; - } - 
diff --git a/crypto/heimdal-0.6.3/lib/des/des.1 b/crypto/heimdal-0.6.3/lib/des/des.1
deleted file mode 100644
index 17ee6e62e9..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/des.1
+++ /dev/null
@@ -1,186 +0,0 @@ -.TH DES 1 -.SH NAME -des - encrypt or decrypt data using Data Encryption Standard -.SH SYNOPSIS -.B des -( -.B \-e -| -.B \-E -) | ( -.B \-d -| -.B \-D -) | ( -.B \-\fR[\fPcC\fR][\fPckname\fR]\fP -) | -[ -.B \-b3hfs -] [ -.B \-k -.I key -] -] [ -.B \-u\fR[\fIuuname\fR] -[ -.I input-file -[ -.I output-file -] ] -.SH DESCRIPTION -.B des -encrypts and decrypts data using the -Data Encryption Standard algorithm. -One of -.B \-e, \-E -(for encrypt) or -.B \-d, \-D -(for decrypt) must be specified. -It is also possible to use -.B \-c -or -.B \-C -in conjunction or instead of the a encrypt/decrypt option to generate -a 16 character hexadecimal checksum, generated via the -.I des_cbc_cksum. -.LP -Two standard encryption modes are supported by the -.B des -program, Cipher Block Chaining (the default) and Electronic Code Book -(specified with -.B \-b -). -.LP -The key used for the DES -algorithm is obtained by prompting the user unless the -.B `\-k -.I key' -option is given. -If the key is an argument to the -.B des -command, it is potentially visible to users executing -.BR ps (1) -or a derivative. To minimise this possibility, -.B des -takes care to destroy the key argument immediately upon entry. -If your shell keeps a history file be careful to make sure it is not -world readable. -.LP -Since this program attempts to maintain compatibility with SunOS's -des(1) command, there are 2 different methods used to convert the user -supplied key to a des key. -Whenever and one or more of -.B \-E, \-D, \-C -or -.B \-3 -options are used, the key conversion procedure will not be compatible -with the SunOS des(1) version but will use all the user supplied -character to generate the des key. -.B des -command reads from standard input unless -.I input-file -is specified and writes to standard output unless -.I output-file -is given. -.SH OPTIONS -.TP -.B \-b -Select ECB -(eight bytes at a time) encryption mode. -.TP -.B \-3 -Encrypt using triple encryption. 
-By default triple cbc encryption is used but if the -.B \-b -option is used then triple ecb encryption is performed. -If the key is less than 8 characters long, the flag has no effect. -.TP -.B \-e -Encrypt data using an 8 byte key in a manner compatible with SunOS -des(1). -.TP -.B \-E -Encrypt data using a key of nearly unlimited length (1024 bytes). -This will product a more secure encryption. -.TP -.B \-d -Decrypt data that was encrypted with the \-e option. -.TP -.B \-D -Decrypt data that was encrypted with the \-E option. -.TP -.B \-c -Generate a 16 character hexadecimal cbc checksum and output this to -stderr. -If a filename was specified after the -.B \-c -option, the checksum is output to that file. -The checksum is generated using a key generated in a SunOS compatible -manner. -.TP -.B \-C -A cbc checksum is generated in the same manner as described for the -.B \-c -option but the DES key is generated in the same manner as used for the -.B \-E -and -.B \-D -options -.TP -.B \-f -Does nothing - allowed for compatibility with SunOS des(1) command. -.TP -.B \-s -Does nothing - allowed for compatibility with SunOS des(1) command. -.TP -.B "\-k \fIkey\fP" -Use the encryption -.I key -specified. -.TP -.B "\-h" -The -.I key -is assumed to be a 16 character hexadecimal number. -If the -.B "\-3" -option is used the key is assumed to be a 32 character hexadecimal -number. -.TP -.B \-u -This flag is used to read and write uuencoded files. If decrypting, -the input file is assumed to contain uuencoded, DES encrypted data. -If encrypting, the characters following the -u are used as the name of -the uuencoded file to embed in the begin line of the uuencoded -output. If there is no name specified after the -u, the name text.des -will be embedded in the header. -.SH SEE ALSO -.B ps (1) -.B des_crypt(3) -.SH BUGS -.LP -The problem with using the -.B -e -option is the short key length. 
-It would be better to use a real 56-bit key rather than an -ASCII-based 56-bit pattern. Knowing that the key was derived from ASCII -radically reduces the time necessary for a brute-force cryptographic attack. -My attempt to remove this problem is to add an alternative text-key to -DES-key function. This alternative function (accessed via -.B -E, -D, -S -and -.B -3 -) -uses DES to help generate the key. -.LP -Be carefully when using the -u option. Doing des -ud will -not decrypt filename (the -u option will gobble the d option). -.LP -The VMS operating system operates in a world where files are always a -multiple of 512 bytes. This causes problems when encrypted data is -send from unix to VMS since a 88 byte file will suddenly be padded -with 424 null bytes. To get around this problem, use the -u option -to uuencode the data before it is send to the VMS system. -.SH AUTHOR -.LP -Eric Young (eay@mincom.oz.au or eay@psych.psy.uq.oz.au) diff --git a/crypto/heimdal-0.6.3/lib/des/des.c b/crypto/heimdal-0.6.3/lib/des/des.c deleted file mode 100644 index a8d0bc5e21..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/des.c +++ /dev/null 
@@ -1,959 +0,0 @@
-/* crypto/des/des.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@mincom.oz.au)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@mincom.oz.au).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@mincom.oz.au).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@mincom.oz.au)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@mincom.oz.au)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */ - -#ifdef HAVE_CONFIG_H -#include -#endif - -#include -#include -#include -#ifdef HAVE_UNISTD_H -#include -#endif -#ifdef HAVE_IO_H -#include -#endif - -#include -#include "des_ver.h" - -#ifdef VMS -#include -#include -#endif -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_SYS_STAT_H -#include -#endif -#include "des.h" - -#ifndef HAVE_RANDOM -#define random rand -#define srandom(s) srand(s) -#endif - -#ifndef NOPROTO -void usage(void); -void doencryption(void); -int uufwrite(unsigned char *data, int size, unsigned int num, FILE *fp); -void uufwriteEnd(FILE *fp); -int uufread(unsigned char *out,int size,unsigned int num,FILE *fp); -int uuencode(unsigned char *in,int num,unsigned char *out); -int uudecode(unsigned char *in,int num,unsigned char *out); -#else -void usage(); -void doencryption(); -int uufwrite(); -void uufwriteEnd(); -int uufread(); -int uuencode(); -int uudecode(); -#endif - -#ifdef VMS -#define EXIT(a) exit(a&0x10000000) -#else -#define EXIT(a) exit(a) -#endif - -#define BUFSIZE (8*1024) -#define VERIFY 1 -#define KEYSIZ 8 -#define KEYSIZB 1024 /* should hit tty line limit first :-) */ -char key[KEYSIZB+1]; -int do_encrypt,longk=0; -FILE *DES_IN,*DES_OUT,*CKSUM_OUT; -char uuname[200]; -unsigned char uubuf[50]; -int uubufnum=0; -#define INUUBUFN (45*100) -#define OUTUUBUF (65*100) -unsigned char b[OUTUUBUF]; -unsigned char bb[300]; -des_cblock cksum={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}; -char cksumname[200]=""; - -int vflag,cflag,eflag,dflag,kflag,bflag,fflag,sflag,uflag,flag3,hflag,error; - -int main(argc, argv) -int argc; -char **argv; - { - int i; - struct stat ins,outs; - char *p; - char *in=NULL,*out=NULL; - - vflag=cflag=eflag=dflag=kflag=hflag=bflag=fflag=sflag=uflag=flag3=0; - error=0; - memset(key,0,sizeof(key)); - - for (i=1; i=0; j--) - argv[i][j]='\0'; - } - break; - default: - fprintf(stderr,"'%c' unknown flag\n",p[-1]); - error=1; - break; - } - } - } - else - { - if (in == NULL) - in=argv[i]; - else if (out == NULL) - 
out=argv[i]; - else - error=1; - } - } - if (error) usage(); - /* We either - * do checksum or - * do encrypt or - * do decrypt or - * do decrypt then ckecksum or - * do checksum then encrypt - */ - if (((eflag+dflag) == 1) || cflag) - { - if (eflag) do_encrypt=DES_ENCRYPT; - if (dflag) do_encrypt=DES_DECRYPT; - } - else - { - if (vflag) - { -#ifndef _Windows - fprintf(stderr,"des(1) built with %s\n",libdes_version); -#endif - EXIT(1); - } - else usage(); - } - -#ifndef _Windows - if (vflag) fprintf(stderr,"des(1) built with %s\n",libdes_version); -#endif - if ( (in != NULL) && - (out != NULL) && -#ifndef MSDOS - (stat(in,&ins) != -1) && - (stat(out,&outs) != -1) && - (ins.st_dev == outs.st_dev) && - (ins.st_ino == outs.st_ino)) -#else /* MSDOS */ - (strcmp(in,out) == 0)) -#endif - { - fputs("input and output file are the same\n",stderr); - EXIT(3); - } - - if (!kflag) - if (des_read_pw_string(key,KEYSIZB+1,"Enter key:",eflag?VERIFY:0)) - { - fputs("password error\n",stderr); - EXIT(2); - } - - if (in == NULL) - DES_IN=stdin; - else if ((DES_IN=fopen(in,"r")) == NULL) - { - perror("opening input file"); - EXIT(4); - } - - CKSUM_OUT=stdout; - if (out == NULL) - { - DES_OUT=stdout; - CKSUM_OUT=stderr; - } - else if ((DES_OUT=fopen(out,"w")) == NULL) - { - perror("opening output file"); - EXIT(5); - } - -#ifdef MSDOS - /* This should set the file to binary mode. 
*/ - { -#include - if (!(uflag && dflag)) - setmode(fileno(DES_IN),O_BINARY); - if (!(uflag && eflag)) - setmode(fileno(DES_OUT),O_BINARY); - } -#endif - - doencryption(); - fclose(DES_IN); - fclose(DES_OUT); - EXIT(0); - } - -void usage() - { - char **u; - static const char *Usage[]={ -"des [input-file [output-file]]", -"options:", -"-v : des(1) version number", -"-e : encrypt using sunOS compatible user key to DES key conversion.", -"-E : encrypt ", -"-d : decrypt using sunOS compatible user key to DES key conversion.", -"-D : decrypt ", -"-c[ckname] : generate a cbc_cksum using sunOS compatible user key to", -" DES key conversion and output to ckname (stdout default,", -" stderr if data being output on stdout). The checksum is", -" generated before encryption and after decryption if used", -" in conjunction with -[eEdD].", -"-C[ckname] : generate a cbc_cksum as for -c but compatible with -[ED].", -"-k key : use key 'key'", -"-h : the key that is entered will be a hexidecimal number", -" that is used directly as the des key", -"-u[uuname] : input file is uudecoded if -[dD] or output uuencoded data if -[eE]", -" (uuname is the filename to put in the uuencode header).", -"-b : encrypt using DES in ecb encryption mode, the defaut is cbc mode.", -"-3 : encrypt using tripple DES encryption. This uses 2 keys", -" generated from the input key. If the input key is less", -" than 8 characters long, this is equivelent to normal", -" encryption. 
Default is tripple cbc, -b makes it tripple ecb.", -NULL -}; - for (u=(char **)Usage; *u; u++) - { - fputs(*u,stderr); - fputc('\n',stderr); - } - - EXIT(1); - } - -void doencryption() - { -#ifdef _LIBC - extern int srandom(); - extern int random(); - extern unsigned long time(); -#endif - - register int i; - des_key_schedule ks,ks2; - unsigned char iv[8],iv2[8]; - char *p; - int num=0,j,k,l,rem,ll,len,last,ex=0; - des_cblock kk,k2; - FILE *O; - int Exit=0; -#ifndef MSDOS - static unsigned char buf[BUFSIZE+8],obuf[BUFSIZE+8]; -#else - static unsigned char *buf=NULL,*obuf=NULL; - - if (buf == NULL) - { - if ( (( buf=(unsigned char *)Malloc(BUFSIZE+8)) == NULL) || - ((obuf=(unsigned char *)Malloc(BUFSIZE+8)) == NULL)) - { - fputs("Not enough memory\n",stderr); - Exit=10; - goto problems; - } - } -#endif - - if (hflag) - { - j=(flag3?16:8); - p=key; - for (i=0; i= '0')) - k=(*p-'0')<<4; - else if ((*p <= 'f') && (*p >= 'a')) - k=(*p-'a'+10)<<4; - else if ((*p <= 'F') && (*p >= 'A')) - k=(*p-'A'+10)<<4; - else - { - fputs("Bad hex key\n",stderr); - Exit=9; - goto problems; - } - p++; - if ((*p <= '9') && (*p >= '0')) - k|=(*p-'0'); - else if ((*p <= 'f') && (*p >= 'a')) - k|=(*p-'a'+10); - else if ((*p <= 'F') && (*p >= 'A')) - k|=(*p-'A'+10); - else - { - fputs("Bad hex key\n",stderr); - Exit=9; - goto problems; - } - p++; - if (i < 8) - kk[i]=k; - else - k2[i-8]=k; - } - des_set_key((C_Block *)k2,ks2); - memset(k2,0,sizeof(k2)); - } - else if (longk || flag3) - { - if (flag3) - { - des_string_to_2keys(key,(C_Block *)kk,(C_Block *)k2); - des_set_key((C_Block *)k2,ks2); - memset(k2,0,sizeof(k2)); - } - else - des_string_to_key(key,(C_Block *)kk); - } - else - for (i=0; i>=1; - } - if (l & 1) - kk[i]=key[i]&0x7f; - else - kk[i]=key[i]|0x80; - } - - des_set_key((C_Block *)kk,ks); - memset(key,0,sizeof(key)); - memset(kk,0,sizeof(kk)); - /* woops - A bug that does not showup under unix :-( */ - memset(iv,0,sizeof(iv)); - memset(iv2,0,sizeof(iv2)); - - l=1; - rem=0; - /* 
first read */ - if (eflag || (!dflag && cflag)) - { - for (;;) - { - num=l=fread(&(buf[rem]),1,BUFSIZE,DES_IN); - l+=rem; - num+=rem; - if (l < 0) - { - perror("read error"); - Exit=6; - goto problems; - } - - rem=l%8; - len=l-rem; - if (feof(DES_IN)) - { - srandom((unsigned int)time(NULL)); - for (i=7-rem; i>0; i--) - buf[l++]=random()&0xff; - buf[l++]=rem; - ex=1; - len+=rem; - } - else - l-=rem; - - if (cflag) - { - des_cbc_cksum((C_Block *)buf,(C_Block *)cksum, - (long)len,ks,(C_Block *)cksum); - if (!eflag) - { - if (feof(DES_IN)) break; - else continue; - } - } - - if (bflag && !flag3) - for (i=0; i= 8) memcpy(iv,&(obuf[l-8]),8); - } - if (rem) memcpy(buf,&(buf[l]),(unsigned int)rem); - - i=0; - while (i < l) - { - if (uflag) - j=uufwrite(obuf,1,(unsigned int)l-i, - DES_OUT); - else - j=fwrite(obuf,1,(unsigned int)l-i, - DES_OUT); - if (j == -1) - { - perror("Write error"); - Exit=7; - goto problems; - } - i+=j; - } - if (feof(DES_IN)) - { - if (uflag) uufwriteEnd(DES_OUT); - break; - } - } - } - else /* decrypt */ - { - ex=1; - for (;;) - { - if (ex) { - if (uflag) - l=uufread(buf,1,BUFSIZE,DES_IN); - else - l=fread(buf,1,BUFSIZE,DES_IN); - ex=0; - rem=l%8; - l-=rem; - } - if (l < 0) - { - perror("read error"); - Exit=6; - goto problems; - } - - if (bflag && !flag3) - for (i=0; i= 8) memcpy(iv,&(buf[l-8]),8); - } - - if (uflag) - ll=uufread(&(buf[rem]),1,BUFSIZE,DES_IN); - else - ll=fread(&(buf[rem]),1,BUFSIZE,DES_IN); - ll+=rem; - rem=ll%8; - ll-=rem; - if (feof(DES_IN) && (ll == 0)) - { - last=obuf[l-1]; - - if ((last > 7) || (last < 0)) - { - fputs("The file was not decrypted correctly.\n", - stderr); - Exit=8; - last=0; - } - l=l-8+last; - } - i=0; - if (cflag) des_cbc_cksum((C_Block *)obuf, - (C_Block *)cksum,(long)l/8*8,ks, - (C_Block *)cksum); - while (i != l) - { - j=fwrite(obuf,1,(unsigned int)l-i,DES_OUT); - if (j == -1) - { - perror("Write error"); - Exit=7; - goto problems; - } - i+=j; - } - l=ll; - if ((l == 0) && feof(DES_IN)) break; - } - } - 
if (cflag) - { - l=0; - if (cksumname[0] != '\0') - { - if ((O=fopen(cksumname,"w")) != NULL) - { - CKSUM_OUT=O; - l=1; - } - } - for (i=0; i<8; i++) - fprintf(CKSUM_OUT,"%02X",cksum[i]); - fprintf(CKSUM_OUT,"\n"); - if (l) fclose(CKSUM_OUT); - } -problems: - memset(buf,0,sizeof(buf)); - memset(obuf,0,sizeof(obuf)); - memset(ks,0,sizeof(ks)); - memset(ks2,0,sizeof(ks2)); - memset(iv,0,sizeof(iv)); - memset(iv2,0,sizeof(iv2)); - memset(kk,0,sizeof(kk)); - memset(k2,0,sizeof(k2)); - memset(uubuf,0,sizeof(uubuf)); - memset(b,0,sizeof(b)); - memset(bb,0,sizeof(bb)); - memset(cksum,0,sizeof(cksum)); - if (Exit) EXIT(Exit); - } - -int uufwrite(data, size, num, fp) -unsigned char *data; -int size; -unsigned int num; -FILE *fp; - - /* We ignore this parameter but it should be > ~50 I believe */ - - - { - int i,j,left,rem,ret=num; - static int start=1; - - if (start) - { - fprintf(fp,"begin 600 %s\n", - (uuname[0] == '\0')?"text.d":uuname); - start=0; - } - - if (uubufnum) - { - if (uubufnum+num < 45) - { - memcpy(&(uubuf[uubufnum]),data,(unsigned int)num); - uubufnum+=num; - return(num); - } - else - { - i=45-uubufnum; - memcpy(&(uubuf[uubufnum]),data,(unsigned int)i); - j=uuencode((unsigned char *)uubuf,45,b); - fwrite(b,1,(unsigned int)j,fp); - uubufnum=0; - data+=i; - num-=i; - } - } - - for (i=0; i<(((int)num)-INUUBUFN); i+=INUUBUFN) - { - j=uuencode(&(data[i]),INUUBUFN,b); - fwrite(b,1,(unsigned int)j,fp); - } - rem=(num-i)%45; - left=(num-i-rem); - if (left) - { - j=uuencode(&(data[i]),left,b); - fwrite(b,1,(unsigned int)j,fp); - i+=left; - } - if (i != num) - { - memcpy(uubuf,&(data[i]),(unsigned int)rem); - uubufnum=rem; - } - return(ret); - } - -void uufwriteEnd(fp) -FILE *fp; - { - int j; - static const char *end=" \nend\n"; - - if (uubufnum != 0) - { - uubuf[uubufnum]='\0'; - uubuf[uubufnum+1]='\0'; - uubuf[uubufnum+2]='\0'; - j=uuencode(uubuf,uubufnum,b); - fwrite(b,1,(unsigned int)j,fp); - } - fwrite(end,1,strlen(end),fp); - } - -int uufread(out, size, num, 
fp) -unsigned char *out; -int size; /* should always be > ~ 60; I actually ignore this parameter :-) */ -unsigned int num; -FILE *fp; - { - int i,j,tot; - static int done=0; - static int valid=0; - static int start=1; - - if (start) - { - for (;;) - { - b[0]='\0'; - fgets((char *)b,300,fp); - if (b[0] == '\0') - { - fprintf(stderr,"no 'begin' found in uuencoded input\n"); - return(-1); - } - if (strncmp((char *)b,"begin ",6) == 0) break; - } - start=0; - } - if (done) return(0); - tot=0; - if (valid) - { - memcpy(out,bb,(unsigned int)valid); - tot=valid; - valid=0; - } - for (;;) - { - b[0]='\0'; - fgets((char *)b,300,fp); - if (b[0] == '\0') break; - i=strlen((char *)b); - if ((b[0] == 'e') && (b[1] == 'n') && (b[2] == 'd')) - { - done=1; - while (!feof(fp)) - { - fgets((char *)b,300,fp); - } - break; - } - i=uudecode(b,i,bb); - if (i < 0) break; - if ((i+tot+8) > num) - { - /* num to copy to make it a multiple of 8 */ - j=(num/8*8)-tot-8; - memcpy(&(out[tot]),bb,(unsigned int)j); - tot+=j; - memcpy(bb,&(bb[j]),(unsigned int)i-j); - valid=i-j; - break; - } - memcpy(&(out[tot]),bb,(unsigned int)i); - tot+=i; - } - return(tot); - } - -#define ccc2l(c,l) (l =((DES_LONG)(*((c)++)))<<16, \ - l|=((DES_LONG)(*((c)++)))<< 8, \ - l|=((DES_LONG)(*((c)++)))) - -#define l2ccc(l,c) (*((c)++)=(unsigned char)(((l)>>16)&0xff), \ - *((c)++)=(unsigned char)(((l)>> 8)&0xff), \ - *((c)++)=(unsigned char)(((l) )&0xff)) - - -int uuencode(in, num, out) -unsigned char *in; -int num; -unsigned char *out; - { - int j,i,n,tot=0; - DES_LONG l; - register unsigned char *p; - p=out; - - for (j=0; j num) - i=(num-j); - else i=45; - *(p++)=i+' '; - for (n=0; n>18)&0x3f)+' '; - *(p++)=((l>>12)&0x3f)+' '; - *(p++)=((l>> 6)&0x3f)+' '; - *(p++)=((l )&0x3f)+' '; - tot+=4; - } - *(p++)='\n'; - tot+=2; - } - *p='\0'; - l=0; - return(tot); - } - -int uudecode(in, num, out) -unsigned char *in; -int num; -unsigned char *out; - { - int j,i,k; - unsigned int n=0,space=0; - DES_LONG l; - DES_LONG w,x,y,z; - 
unsigned int blank=(unsigned int)'\n'-' '; - - for (j=0; j 60) - { - fprintf(stderr,"uuencoded line length too long\n"); - return(-1); - } - j++; - - for (i=0; i 63) || (x > 63) || (y > 63) || (z > 63)) - { - k=0; - if (w == blank) k=1; - if (x == blank) k=2; - if (y == blank) k=3; - if (z == blank) k=4; - space=1; - switch (k) { - case 1: w=0; in--; - case 2: x=0; in--; - case 3: y=0; in--; - case 4: z=0; in--; - break; - case 0: - space=0; - fprintf(stderr,"bad uuencoded data values\n"); - w=x=y=z=0; - return(-1); - break; - } - } - l=(w<<18)|(x<<12)|(y<< 6)|(z ); - l2ccc(l,out); - } - if (*(in++) != '\n') - { - fprintf(stderr,"missing nl in uuencoded line\n"); - w=x=y=z=0; - return(-1); - } - j++; - } - *out='\0'; - w=x=y=z=0; - return(n); - } diff --git a/crypto/heimdal-0.6.3/lib/des/des.cat1 b/crypto/heimdal-0.6.3/lib/des/des.cat1 deleted file mode 100644 index 9a78c18de3..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/des.cat1 +++ /dev/null 
@@ -1,132 +0,0 @@ - - - -DES(1) DES(1) - - - -NAME - des - encrypt or decrypt data using Data Encryption Standard - -SYNOPSIS - ddeess ( --ee | --EE ) | ( --dd | --DD ) | ( --[ccCC][cckknnaammee] ) | [ --bb33hhffss ] [ --kk _k_e_y ] ] - [ --uu[_u_u_n_a_m_e] [ _i_n_p_u_t_-_f_i_l_e [ _o_u_t_p_u_t_-_f_i_l_e ] ] - -DESCRIPTION - ddeess encrypts and decrypts data using the Data Encryption Standard algo- - rithm. One of --ee,, --EE (for encrypt) or --dd,, --DD (for decrypt) must be speci- - fied. It is also possible to use --cc or --CC in conjunction or instead of the - a encrypt/decrypt option to generate a 16 character hexadecimal checksum, - generated via the _d_e_s___c_b_c___c_k_s_u_m_. - - Two standard encryption modes are supported by the ddeess program, Cipher - Block Chaining (the default) and Electronic Code Book (specified with --bb ). - - The key used for the DES algorithm is obtained by prompting the user unless - the ``--kk _k_e_y_' option is given. If the key is an argument to the ddeess com- - mand, it is potentially visible to users executing ppss(1) or a derivative. - To minimise this possibility, ddeess takes care to destroy the key argument - immediately upon entry. If your shell keeps a history file be careful to - make sure it is not world readable. - - Since this program attempts to maintain compatibility with SunOS's des(1) - command, there are 2 different methods used to convert the user supplied - key to a des key. Whenever and one or more of --EE,, --DD,, --CC or --33 options are - used, the key conversion procedure will not be compatible with the SunOS - des(1) version but will use all the user supplied character to generate the - des key. ddeess command reads from standard input unless _i_n_p_u_t_-_f_i_l_e is speci- - fied and writes to standard output unless _o_u_t_p_u_t_-_f_i_l_e is given. - -OPTIONS - - --bb Select ECB (eight bytes at a time) encryption mode. - - --33 Encrypt using triple encryption. 
By default triple cbc encryption is - used but if the --bb option is used then triple ecb encryption is per- - formed. If the key is less than 8 characters long, the flag has no - effect. - - --ee Encrypt data using an 8 byte key in a manner compatible with SunOS - des(1). - - --EE Encrypt data using a key of nearly unlimited length (1024 bytes). - This will product a more secure encryption. - - --dd Decrypt data that was encrypted with the -e option. - - --DD Decrypt data that was encrypted with the -E option. - - --cc Generate a 16 character hexadecimal cbc checksum and output this to - stderr. If a filename was specified after the --cc option, the checksum - is output to that file. The checksum is generated using a key gener- - ated in a SunOS compatible manner. - - --CC A cbc checksum is generated in the same manner as described for the --cc - option but the DES key is generated in the same manner as used for the - --EE and --DD options - - --ff Does nothing - allowed for compatibility with SunOS des(1) command. - - --ss Does nothing - allowed for compatibility with SunOS des(1) command. - - --kk _k_e_y - Use the encryption _k_e_y specified. - - --hh The _k_e_y is assumed to be a 16 character hexadecimal number. If the --33 - option is used the key is assumed to be a 32 character hexadecimal - number. - - --uu This flag is used to read and write uuencoded files. If decrypting, - the input file is assumed to contain uuencoded, DES encrypted data. - If encrypting, the characters following the -u are used as the name of - the uuencoded file to embed in the begin line of the uuencoded output. - If there is no name specified after the -u, the name text.des will be - embedded in the header. - -SEE ALSO - ppss ((11)) ddeess__ccrryypptt((33)) - -BUGS - - The problem with using the --ee option is the short key length. It would be - better to use a real 56-bit key rather than an ASCII-based 56-bit pattern. 
- Knowing that the key was derived from ASCII radically reduces the time nec- - essary for a brute-force cryptographic attack. My attempt to remove this - problem is to add an alternative text-key to DES-key function. This alter- - native function (accessed via --EE,, --DD,, --SS and --33 ) uses DES to help generate - the key. - - Be carefully when using the -u option. Doing des -ud will not - decrypt filename (the -u option will gobble the d option). - - The VMS operating system operates in a world where files are always a mul- - tiple of 512 bytes. This causes problems when encrypted data is send from - unix to VMS since a 88 byte file will suddenly be padded with 424 null - bytes. To get around this problem, use the -u option to uuencode the data - before it is send to the VMS system. - -AUTHOR - - Eric Young (eay@mincom.oz.au or eay@psych.psy.uq.oz.au) - - - - - - - - - - - - - - - - - - - - - - diff --git a/crypto/heimdal-0.6.3/lib/des/des.def b/crypto/heimdal-0.6.3/lib/des/des.def deleted file mode 100644 index 24b1de2d3d..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/des.def +++ /dev/null @@ -1,37 +0,0 @@ -LIBRARY des BASE=0x06000000 -EXPORTS - des_ecb3_encrypt - des_cbc_cksum - des_cbc_encrypt - des_ncbc_encrypt - des_3cbc_encrypt - des_cfb_encrypt - des_ede3_cfb64_encrypt - des_ede3_ofb64_encrypt - des_ecb_encrypt - des_encrypt - des_encrypt2 - des_ede3_cbc_encrypt - des_enc_read - des_enc_write - crypt - des_ofb_encrypt - des_pcbc_encrypt - des_quad_cksum - des_read_password - des_read_2passwords - des_read_pw_string - des_set_odd_parity - des_is_weak_key - des_set_key - des_key_sched - des_string_to_key - des_string_to_2keys - des_cfb64_encrypt - des_ofb64_encrypt - des_cblock_print_file - des_new_random_key - des_init_random_number_generator - des_set_random_generator_seed - des_set_sequence_number - des_generate_random_block 
diff --git a/crypto/heimdal-0.6.3/lib/des/des.doc b/crypto/heimdal-0.6.3/lib/des/des.doc
deleted file mode 100644
index 1e30158129..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/des.doc
+++ /dev/null
@@ -1,505 +0,0 @@ -The DES library. - -Please note that this library was originally written to operate with -eBones, a version of Kerberos that had had encryption removed when it left -the USA and then put back in. As such there are some routines that I will -advise not using but they are still in the library for historical reasons. -For all calls that have an 'input' and 'output' variables, they can be the -same. - -This library requires the inclusion of 'des.h'. - -All of the encryption functions take what is called a des_key_schedule as an -argument. A des_key_schedule is an expanded form of the des key. -A des_key is 8 bytes of odd parity, the type used to hold the key is a -des_cblock. A des_cblock is an array of 8 bytes, often in this library -description I will refer to input bytes when the function specifies -des_cblock's as input or output, this just means that the variable should -be a multiple of 8 bytes. - -The define DES_ENCRYPT is passed to specify encryption, DES_DECRYPT to -specify decryption. The functions and global variable are as follows: - -int des_check_key; - DES keys are supposed to be odd parity. If this variable is set to - a non-zero value, des_set_key() will check that the key has odd - parity and is not one of the known weak DES keys. By default this - variable is turned off; - -void des_set_odd_parity( -des_cblock *key ); - This function takes a DES key (8 bytes) and sets the parity to odd. - -int des_is_weak_key( -des_cblock *key ); - This function returns a non-zero value if the DES key passed is a - weak, DES key. If it is a weak key, don't use it, try a different - one. If you are using 'random' keys, the chances of hitting a weak - key are 1/2^52 so it is probably not worth checking for them. - -int des_set_key( -des_cblock *key, -des_key_schedule schedule); - Des_set_key converts an 8 byte DES key into a des_key_schedule. - A des_key_schedule is an expanded form of the key which is used to - perform actual encryption. 
It can be regenerated from the DES key - so it only needs to be kept when encryption or decryption is about - to occur. Don't save or pass around des_key_schedule's since they - are CPU architecture dependent, DES keys are not. If des_check_key - is non zero, zero is returned if the key has the wrong parity or - the key is a weak key, else 1 is returned. - -int des_key_sched( -des_cblock *key, -des_key_schedule schedule); - An alternative name for des_set_key(). - -int des_rw_mode; /* defaults to DES_PCBC_MODE */ - This flag holds either DES_CBC_MODE or DES_PCBC_MODE (default). - This specifies the function to use in the enc_read() and enc_write() - functions. - -void des_encrypt( -unsigned long *data, -des_key_schedule ks, -int enc); - This is the DES encryption function that gets called by just about - every other DES routine in the library. You should not use this - function except to implement 'modes' of DES. I say this because the - functions that call this routine do the conversion from 'char *' to - long, and this needs to be done to make sure 'non-aligned' memory - access do not occur. The characters are loaded 'little endian', - have a look at my source code for more details on how I use this - function. - Data is a pointer to 2 unsigned long's and ks is the - des_key_schedule to use. enc, is non zero specifies encryption, - zero if decryption. - -void des_encrypt2( -unsigned long *data, -des_key_schedule ks, -int enc); - This functions is the same as des_encrypt() except that the DES - initial permutation (IP) and final permutation (FP) have been left - out. As for des_encrypt(), you should not use this function. - It is used by the routines in my library that implement triple DES. - IP() des_encrypt2() des_encrypt2() des_encrypt2() FP() is the same - as des_encrypt() des_encrypt() des_encrypt() except faster :-). 
- -void des_ecb_encrypt( -des_cblock *input, -des_cblock *output, -des_key_schedule ks, -int enc); - This is the basic Electronic Code Book form of DES, the most basic - form. Input is encrypted into output using the key represented by - ks. If enc is non zero (DES_ENCRYPT), encryption occurs, otherwise - decryption occurs. Input is 8 bytes long and output is 8 bytes. - (the des_cblock structure is 8 chars). - -void des_ecb3_encrypt( -des_cblock *input, -des_cblock *output, -des_key_schedule ks1, -des_key_schedule ks2, -des_key_schedule ks3, -int enc); - This is the 3 key EDE mode of ECB DES. What this means is that - the 8 bytes of input is encrypted with ks1, decrypted with ks2 and - then encrypted again with ks3, before being put into output; - C=E(ks3,D(ks2,E(ks1,M))). There is a macro, des_ecb2_encrypt() - that only takes 2 des_key_schedules that implements, - C=E(ks1,D(ks2,E(ks1,M))) in that the final encrypt is done with ks1. - -void des_cbc_encrypt( -des_cblock *input, -des_cblock *output, -long length, -des_key_schedule ks, -des_cblock *ivec, -int enc); - This routine implements DES in Cipher Block Chaining mode. - Input, which should be a multiple of 8 bytes is encrypted - (or decrypted) to output which will also be a multiple of 8 bytes. - The number of bytes is in length (and from what I've said above, - should be a multiple of 8). If length is not a multiple of 8, I'm - not being held responsible :-). ivec is the initialisation vector. - This function does not modify this variable. To correctly implement - cbc mode, you need to do one of 2 things; copy the last 8 bytes of - cipher text for use as the next ivec in your application, - or use des_ncbc_encrypt(). - Only this routine has this problem with updating the ivec, all - other routines that are implementing cbc mode update ivec. 
- -void des_ncbc_encrypt( -des_cblock *input, -des_cblock *output, -long length, -des_key_schedule sk, -des_cblock *ivec, -int enc); - For historical reasons, des_cbc_encrypt() did not update the - ivec with the value requires so that subsequent calls to - des_cbc_encrypt() would 'chain'. This was needed so that the same - 'length' values would not need to be used when decrypting. - des_ncbc_encrypt() does the right thing. It is the same as - des_cbc_encrypt accept that ivec is updates with the correct value - to pass in subsequent calls to des_ncbc_encrypt(). I advise using - des_ncbc_encrypt() instead of des_cbc_encrypt(); - -void des_xcbc_encrypt( -des_cblock *input, -des_cblock *output, -long length, -des_key_schedule sk, -des_cblock *ivec, -des_cblock *inw, -des_cblock *outw, -int enc); - This is RSA's DESX mode of DES. It uses inw and outw to - 'whiten' the encryption. inw and outw are secret (unlike the iv) - and are as such, part of the key. So the key is sort of 24 bytes. - This is much better than cbc des. - -void des_3cbc_encrypt( -des_cblock *input, -des_cblock *output, -long length, -des_key_schedule sk1, -des_key_schedule sk2, -des_cblock *ivec1, -des_cblock *ivec2, -int enc); - This function is flawed, do not use it. I have left it in the - library because it is used in my des(1) program and will function - correctly when used by des(1). If I removed the function, people - could end up unable to decrypt files. - This routine implements outer triple cbc encryption using 2 ks and - 2 ivec's. Use des_ede2_cbc_encrypt() instead. - -void des_ede3_cbc_encrypt( -des_cblock *input, -des_cblock *output, -long length, -des_key_schedule ks1, -des_key_schedule ks2, -des_key_schedule ks3, -des_cblock *ivec, -int enc); - This function implements inner triple CBC DES encryption with 3 - keys. What this means is that each 'DES' operation - inside the cbc mode is really an C=E(ks3,D(ks2,E(ks1,M))). - Again, this is cbc mode so an ivec is requires. 
- This mode is used by SSL. - There is also a des_ede2_cbc_encrypt() that only uses 2 - des_key_schedule's, the first being reused for the final - encryption. C=E(ks1,D(ks2,E(ks1,M))). This form of triple DES - is used by the RSAref library. - -void des_pcbc_encrypt( -des_cblock *input, -des_cblock *output, -long length, -des_key_schedule ks, -des_cblock *ivec, -int enc); - This is Propagating Cipher Block Chaining mode of DES. It is used - by Kerberos v4. It's parameters are the same as des_ncbc_encrypt(). - -void des_cfb_encrypt( -unsigned char *in, -unsigned char *out, -int numbits, -long length, -des_key_schedule ks, -des_cblock *ivec, -int enc); - Cipher Feedback Back mode of DES. This implementation 'feeds back' - in numbit blocks. The input (and output) is in multiples of numbits - bits. numbits should to be a multiple of 8 bits. Length is the - number of bytes input. If numbits is not a multiple of 8 bits, - the extra bits in the bytes will be considered padding. So if - numbits is 12, for each 2 input bytes, the 4 high bits of the - second byte will be ignored. So to encode 72 bits when using - a numbits of 12 take 12 bytes. To encode 72 bits when using - numbits of 9 will take 16 bytes. To encode 80 bits when using - numbits of 16 will take 10 bytes. etc, etc. This padding will - apply to both input and output. - - -void des_cfb64_encrypt( -unsigned char *in, -unsigned char *out, -long length, -des_key_schedule ks, -des_cblock *ivec, -int *num, -int enc); - This is one of the more useful functions in this DES library, it - implements CFB mode of DES with 64bit feedback. Why is this - useful you ask? Because this routine will allow you to encrypt an - arbitrary number of bytes, no 8 byte padding. Each call to this - routine will encrypt the input bytes to output and then update ivec - and num. num contains 'how far' we are though ivec. If this does - not make much sense, read more about cfb mode of DES :-). 
- -void des_ede3_cfb64_encrypt( -unsigned char *in, -unsigned char *out, -long length, -des_key_schedule ks1, -des_key_schedule ks2, -des_key_schedule ks3, -des_cblock *ivec, -int *num, -int enc); - Same as des_cfb64_encrypt() accept that the DES operation is - triple DES. As usual, there is a macro for - des_ede2_cfb64_encrypt() which reuses ks1. - -void des_ofb_encrypt( -unsigned char *in, -unsigned char *out, -int numbits, -long length, -des_key_schedule ks, -des_cblock *ivec); - This is a implementation of Output Feed Back mode of DES. It is - the same as des_cfb_encrypt() in that numbits is the size of the - units dealt with during input and output (in bits). - -void des_ofb64_encrypt( -unsigned char *in, -unsigned char *out, -long length, -des_key_schedule ks, -des_cblock *ivec, -int *num); - The same as des_cfb64_encrypt() except that it is Output Feed Back - mode. - -void des_ede3_ofb64_encrypt( -unsigned char *in, -unsigned char *out, -long length, -des_key_schedule ks1, -des_key_schedule ks2, -des_key_schedule ks3, -des_cblock *ivec, -int *num); - Same as des_ofb64_encrypt() accept that the DES operation is - triple DES. As usual, there is a macro for - des_ede2_ofb64_encrypt() which reuses ks1. - -int des_read_pw_string( -char *buf, -int length, -char *prompt, -int verify); - This routine is used to get a password from the terminal with echo - turned off. Buf is where the string will end up and length is the - size of buf. Prompt is a string presented to the 'user' and if - verify is set, the key is asked for twice and unless the 2 copies - match, an error is returned. A return code of -1 indicates a - system error, 1 failure due to use interaction, and 0 is success. - -unsigned long des_cbc_cksum( -des_cblock *input, -des_cblock *output, -long length, -des_key_schedule ks, -des_cblock *ivec); - This function produces an 8 byte checksum from input that it puts in - output and returns the last 4 bytes as a long. 
The checksum is - generated via cbc mode of DES in which only the last 8 byes are - kept. I would recommend not using this function but instead using - the EVP_Digest routines, or at least using MD5 or SHA. This - function is used by Kerberos v4 so that is why it stays in the - library. - -char *des_fcrypt( -const char *buf, -const char *salt -char *ret); - This is my fast version of the unix crypt(3) function. This version - takes only a small amount of space relative to other fast - crypt() implementations. This is different to the normal crypt - in that the third parameter is the buffer that the return value - is written into. It needs to be at least 14 bytes long. This - function is thread safe, unlike the normal crypt. - -char *crypt( -const char *buf, -const char *salt); - This function calls des_fcrypt() with a static array passed as the - third parameter. This emulates the normal non-thread safe semantics - of crypt(3). - -void des_string_to_key( -char *str, -des_cblock *key); - This function takes str and converts it into a DES key. I would - recommend using MD5 instead and use the first 8 bytes of output. - When I wrote the first version of these routines back in 1990, MD5 - did not exist but I feel these routines are still sound. This - routines is compatible with the one in MIT's libdes. - -void des_string_to_2keys( -char *str, -des_cblock *key1, -des_cblock *key2); - This function takes str and converts it into 2 DES keys. - I would recommend using MD5 and using the 16 bytes as the 2 keys. - I have nothing against these 2 'string_to_key' routines, it's just - that if you say that your encryption key is generated by using the - 16 bytes of an MD5 hash, every-one knows how you generated your - keys. - -int des_read_password( -des_cblock *key, -char *prompt, -int verify); - This routine combines des_read_pw_string() with des_string_to_key(). 
- -int des_read_2passwords( -des_cblock *key1, -des_cblock *key2, -char *prompt, -int verify); - This routine combines des_read_pw_string() with des_string_to_2key(). - -void des_random_seed( -des_cblock key); - This routine sets a starting point for des_random_key(). - -void des_random_key( -des_cblock ret); - This function return a random key. Make sure to 'seed' the random - number generator (with des_random_seed()) before using this function. - I personally now use a MD5 based random number system. - -int des_enc_read( -int fd, -char *buf, -int len, -des_key_schedule ks, -des_cblock *iv); - This function will write to a file descriptor the encrypted data - from buf. This data will be preceded by a 4 byte 'byte count' and - will be padded out to 8 bytes. The encryption is either CBC of - PCBC depending on the value of des_rw_mode. If it is DES_PCBC_MODE, - pcbc is used, if DES_CBC_MODE, cbc is used. The default is to use - DES_PCBC_MODE. - -int des_enc_write( -int fd, -char *buf, -int len, -des_key_schedule ks, -des_cblock *iv); - This routines read stuff written by des_enc_read() and decrypts it. - I have used these routines quite a lot but I don't believe they are - suitable for non-blocking io. If you are after a full - authentication/encryption over networks, have a look at SSL instead. - -unsigned long des_quad_cksum( -des_cblock *input, -des_cblock *output, -long length, -int out_count, -des_cblock *seed); - This is a function from Kerberos v4 that is not anything to do with - DES but was needed. It is a cksum that is quicker to generate than - des_cbc_cksum(); I personally would use MD5 routines now. -===== -Modes of DES -Quite a bit of the following information has been taken from - AS 2805.5.2 - Australian Standard - Electronic funds transfer - Requirements for interfaces, - Part 5.2: Modes of operation for an n-bit block cipher algorithm - Appendix A - -There are several different modes in which DES can be used, they are -as follows. 
- -Electronic Codebook Mode (ECB) (des_ecb_encrypt()) -- 64 bits are enciphered at a time. -- The order of the blocks can be rearranged without detection. -- The same plaintext block always produces the same ciphertext block - (for the same key) making it vulnerable to a 'dictionary attack'. -- An error will only affect one ciphertext block. - -Cipher Block Chaining Mode (CBC) (des_cbc_encrypt()) -- a multiple of 64 bits are enciphered at a time. -- The CBC mode produces the same ciphertext whenever the same - plaintext is encrypted using the same key and starting variable. -- The chaining operation makes the ciphertext blocks dependent on the - current and all preceding plaintext blocks and therefore blocks can not - be rearranged. -- The use of different starting variables prevents the same plaintext - enciphering to the same ciphertext. -- An error will affect the current and the following ciphertext blocks. - -Cipher Feedback Mode (CFB) (des_cfb_encrypt()) -- a number of bits (j) <= 64 are enciphered at a time. -- The CFB mode produces the same ciphertext whenever the same - plaintext is encrypted using the same key and starting variable. -- The chaining operation makes the ciphertext variables dependent on the - current and all preceding variables and therefore j-bit variables are - chained together and can not be rearranged. -- The use of different starting variables prevents the same plaintext - enciphering to the same ciphertext. -- The strength of the CFB mode depends on the size of k (maximal if - j == k). In my implementation this is always the case. -- Selection of a small value for j will require more cycles through - the encipherment algorithm per unit of plaintext and thus cause - greater processing overheads. -- Only multiples of j bits can be enciphered. -- An error will affect the current and the following ciphertext variables. - -Output Feedback Mode (OFB) (des_ofb_encrypt()) -- a number of bits (j) <= 64 are enciphered at a time. 
-- The OFB mode produces the same ciphertext whenever the same - plaintext enciphered using the same key and starting variable. More - over, in the OFB mode the same key stream is produced when the same - key and start variable are used. Consequently, for security reasons - a specific start variable should be used only once for a given key. -- The absence of chaining makes the OFB more vulnerable to specific attacks. -- The use of different start variables values prevents the same - plaintext enciphering to the same ciphertext, by producing different - key streams. -- Selection of a small value for j will require more cycles through - the encipherment algorithm per unit of plaintext and thus cause - greater processing overheads. -- Only multiples of j bits can be enciphered. -- OFB mode of operation does not extend ciphertext errors in the - resultant plaintext output. Every bit error in the ciphertext causes - only one bit to be in error in the deciphered plaintext. -- OFB mode is not self-synchronising. If the two operation of - encipherment and decipherment get out of synchronism, the system needs - to be re-initialised. -- Each re-initialisation should use a value of the start variable - different from the start variable values used before with the same - key. The reason for this is that an identical bit stream would be - produced each time from the same parameters. This would be - susceptible to a ' known plaintext' attack. - -Triple ECB Mode (des_ecb3_encrypt()) -- Encrypt with key1, decrypt with key2 and encrypt with key3 again. -- As for ECB encryption but increases the key length to 168 bits. - There are theoretic attacks that can be used that make the effective - key length 112 bits, but this attack also requires 2^56 blocks of - memory, not very likely, even for the NSA. -- If both keys are the same it is equivalent to encrypting once with - just one key. -- If the first and last key are the same, the key length is 112 bits. 
- There are attacks that could reduce the key space to 55 bit's but it
- requires 2^56 blocks of memory.
-- If all 3 keys are the same, this is effectively the same as normal
- ecb mode.
-
-Triple CBC Mode (des_ede3_cbc_encrypt())
-- Encrypt with key1, decrypt with key2 and then encrypt with key3.
-- As for CBC encryption but increases the key length to 168 bits with
- the same restrictions as for triple ecb mode.
diff --git a/crypto/heimdal-0.6.3/lib/des/des.dsp b/crypto/heimdal-0.6.3/lib/des/des.dsp
deleted file mode 100644
index 628742bbd0..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/des.dsp
+++ /dev/null
@@ -1,258 +0,0 @@ -# Microsoft Developer Studio Project File - Name="des" - Package Owner=<4> -# Microsoft Developer Studio Generated Build File, Format Version 5.00 -# ** DO NOT EDIT ** - -# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102 - -CFG=des - Win32 Release -!MESSAGE This is not a valid makefile. To build this project using NMAKE, -!MESSAGE use the Export Makefile command and run -!MESSAGE -!MESSAGE NMAKE /f "des.mak". -!MESSAGE -!MESSAGE You can specify a configuration when running NMAKE -!MESSAGE by defining the macro CFG on the command line. For example: -!MESSAGE -!MESSAGE NMAKE /f "des.mak" CFG="des - Win32 Release" -!MESSAGE -!MESSAGE Possible choices for configuration are: -!MESSAGE -!MESSAGE "des - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library") -!MESSAGE "des - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library") -!MESSAGE - -# Begin Project -# PROP Scc_ProjName "" -# PROP Scc_LocalPath "" -CPP=cl.exe -MTL=midl.exe -RSC=rc.exe - -!IF "$(CFG)" == "des - Win32 Release" - -# PROP BASE Use_MFC 0 -# PROP BASE Use_Debug_Libraries 0 -# PROP BASE Output_Dir ".\Release" -# PROP BASE Intermediate_Dir ".\Release" -# PROP BASE Target_Dir "" -# PROP Use_MFC 0 -# PROP Use_Debug_Libraries 0 -# PROP Output_Dir ".\Release" -# PROP Intermediate_Dir ".\Release" -# PROP Ignore_Export_Lib 0 -# PROP Target_Dir "" -# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /YX /c -# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\roken" /I "." 
/I "..\..\include" /I "..\..\include\win32" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "HAVE_CONFIG_H" /YX /FD /c -# ADD BASE MTL /nologo /D "NDEBUG" /win32 -# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 -# ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD RSC /l 0x409 /d "NDEBUG" -BSC32=bscmake.exe -# ADD BASE BSC32 /nologo -# ADD BSC32 /nologo -LINK32=link.exe -# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:windows /dll /machine:I386 -# ADD LINK32 ..\roken\Release\roken.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib /nologo /subsystem:windows /dll /machine:I386 - -!ELSEIF "$(CFG)" == "des - Win32 Debug" - -# PROP BASE Use_MFC 0 -# PROP BASE Use_Debug_Libraries 1 -# PROP BASE Output_Dir ".\Debug" -# PROP BASE Intermediate_Dir ".\Debug" -# PROP BASE Target_Dir "" -# PROP Use_MFC 0 -# PROP Use_Debug_Libraries 1 -# PROP Output_Dir ".\Debug" -# PROP Intermediate_Dir ".\Debug" -# PROP Ignore_Export_Lib 0 -# PROP Target_Dir "" -# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /Zi /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /YX /c -# ADD CPP /nologo /MDd /W3 /Gm /GX /Zi /Od /I "..\roken" /I "." 
/I "..\..\include" /I "..\..\include\win32" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "HAVE_CONFIG_H" /YX /FD /c -# ADD BASE MTL /nologo /D "_DEBUG" /win32 -# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 -# ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" -BSC32=bscmake.exe -# ADD BASE BSC32 /nologo -# ADD BSC32 /nologo -LINK32=link.exe -# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:windows /dll /debug /machine:I386 -# ADD LINK32 ..\roken\Debug\roken.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib /nologo /subsystem:windows /dll /debug /machine:I386 - -!ENDIF - -# Begin Target - -# Name "des - Win32 Release" -# Name "des - Win32 Debug" -# Begin Group "Source Files" - -# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;hpj;bat;for;f90" -# Begin Source File - -SOURCE=.\cbc3_enc.c -# End Source File -# Begin Source File - -SOURCE=.\cbc_cksm.c -# End Source File -# Begin Source File - -SOURCE=.\cbc_enc.c -# End Source File -# Begin Source File - -SOURCE=.\cfb64ede.c -# End Source File -# Begin Source File - -SOURCE=.\cfb64enc.c -# End Source File -# Begin Source File - -SOURCE=.\cfb_enc.c -# End Source File -# Begin Source File - -SOURCE=.\des.def -# End Source File -# Begin Source File - -SOURCE=.\des_enc.c -# End Source File -# Begin Source File - -SOURCE=.\dllmain.c -# End Source File -# Begin Source File - -SOURCE=.\ecb3_enc.c -# End Source File -# Begin Source File - -SOURCE=.\ecb_enc.c -# End Source File -# Begin Source File - -SOURCE=.\ede_enc.c -# End Source File -# Begin Source File - -SOURCE=.\enc_read.c -# End Source File -# Begin Source File - -SOURCE=.\enc_writ.c -# End Source File -# Begin Source File - -SOURCE=.\fcrypt.c -# End Source File -# Begin Source File - -SOURCE=.\key_par.c -# End Source File -# Begin Source File - 
-SOURCE=.\ncbc_enc.c -# End Source File -# Begin Source File - -SOURCE=.\ofb64ede.c -# End Source File -# Begin Source File - -SOURCE=.\ofb64enc.c -# End Source File -# Begin Source File - -SOURCE=.\ofb_enc.c -# End Source File -# Begin Source File - -SOURCE=.\passwd_dlg.c -# End Source File -# Begin Source File - -SOURCE=.\pcbc_enc.c -# End Source File -# Begin Source File - -SOURCE=.\qud_cksm.c -# End Source File -# Begin Source File - -SOURCE=.\read_pwd.c -# End Source File -# Begin Source File - -SOURCE=.\rnd_keys.c -# End Source File -# Begin Source File - -SOURCE=.\rpc_enc.c -# End Source File -# Begin Source File - -SOURCE=.\set_key.c -# End Source File -# Begin Source File - -SOURCE=.\str2key.c -# End Source File -# Begin Source File - -SOURCE=.\supp.c -# End Source File -# End Group -# Begin Group "Header Files" - -# PROP Default_Filter "h;hpp;hxx;hm;inl;fi;fd" -# Begin Source File - -SOURCE=.\des.h -# End Source File -# Begin Source File - -SOURCE=.\des_locl.h -# End Source File -# Begin Source File - -SOURCE=.\des_ver.h -# End Source File -# Begin Source File - -SOURCE=.\md5.h -# End Source File -# Begin Source File - -SOURCE=.\passwd_dlg.h -# End Source File -# Begin Source File - -SOURCE=.\podd.h -# End Source File -# Begin Source File - -SOURCE=.\rpc_des.h -# End Source File -# Begin Source File - -SOURCE=.\sk.h -# End Source File -# Begin Source File - -SOURCE=.\spr.h -# End Source File -# End Group -# Begin Group "Resource Files" - -# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;cnt;rtf;gif;jpg;jpeg;jpe" -# Begin Source File - -SOURCE=.\passwd_dialog.rc -# End Source File -# End Group -# End Target -# End Project diff --git a/crypto/heimdal-0.6.3/lib/des/des.h b/crypto/heimdal-0.6.3/lib/des/des.h deleted file mode 100644 index 611df417b4..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/des.h +++ /dev/null 
@@ -1,309 +0,0 @@ -/* crypto/des/des.h */ -/* Copyright (C) 1995-1997 Eric Young (eay@mincom.oz.au) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@mincom.oz.au). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@mincom.oz.au). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@mincom.oz.au)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. 
If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@mincom.oz.au)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#ifndef HEADER_DES_H -#define HEADER_DES_H - -#ifdef __cplusplus -extern "C" { -#endif - -#include - -#ifndef DES_LIB_FUNCTION -#if defined(__BORLANDC__) -#define DES_LIB_FUNCTION /* not-ready-definition-yet */ -#elif defined(_MSC_VER) -#define DES_LIB_FUNCTION /* not-ready-definition-yet2 */ -#else -#define DES_LIB_FUNCTION -#endif -#endif - -/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a - * %20 speed up (longs are 8 bytes, int's are 4). 
*/ -#ifndef DES_LONG -#if defined(__alpha) || defined(__sparcv9) || defined(__sparc_v9__) || _MIPS_SZLONG == 64 -#define DES_LONG unsigned int -#else /* Not a 64 bit machine */ -#define DES_LONG unsigned long -#endif -#endif - -typedef unsigned char des_cblock[8]; -typedef struct des_ks_struct - { - union { - des_cblock _; - /* make sure things are correct size on machines with - * 8 byte longs */ - DES_LONG pad[2]; - } ks; -#undef _ -#define _ ks._ - } des_key_schedule[16]; - -#define DES_KEY_SZ (sizeof(des_cblock)) -#define DES_SCHEDULE_SZ (sizeof(des_key_schedule)) - -#define DES_ENCRYPT 1 -#define DES_DECRYPT 0 - -#define DES_CBC_MODE 0 -#define DES_PCBC_MODE 1 - -#define des_ecb2_encrypt(i,o,k1,k2,e) \ - des_ecb3_encrypt((i),(o),(k1),(k2),(k1),(e)) - -#define des_ede2_cbc_encrypt(i,o,l,k1,k2,iv,e) \ - des_ede3_cbc_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(e)) - -#define des_ede2_cfb64_encrypt(i,o,l,k1,k2,iv,n,e) \ - des_ede3_cfb64_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(n),(e)) - -#define des_ede2_ofb64_encrypt(i,o,l,k1,k2,iv,n) \ - des_ede3_ofb64_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(n)) - -#define C_Block des_cblock -#define Key_schedule des_key_schedule -#ifdef KERBEROS -#define ENCRYPT DES_ENCRYPT -#define DECRYPT DES_DECRYPT -#endif -#define KEY_SZ DES_KEY_SZ -#define string_to_key des_string_to_key -#define read_pw_string des_read_pw_string -#define random_key des_random_key -#define pcbc_encrypt des_pcbc_encrypt -#define set_key des_set_key -#define key_sched des_key_sched -#define ecb_encrypt des_ecb_encrypt -#define cbc_encrypt des_cbc_encrypt -#define ncbc_encrypt des_ncbc_encrypt -#define xcbc_encrypt des_xcbc_encrypt -#define cbc_cksum des_cbc_cksum -#define quad_cksum des_quad_cksum - -/* For compatibility with the MIT lib - eay 20/05/92 */ -typedef des_key_schedule bit_64; -#define des_fixup_key_parity des_set_odd_parity -#define des_check_key_parity check_parity - -extern int des_check_key; /* defaults to false */ -extern int des_rw_mode; /* 
defaults to DES_PCBC_MODE */ - -#ifdef cplusplus -extern "C" { -#endif - -/* The next line is used to disable full ANSI prototypes, if your - * compiler has problems with the prototypes, make sure this line always - * evaluates to true :-) */ -#if defined(MSDOS) || defined(__STDC__) -#undef NOPROTO -#endif -#ifndef NOPROTO -char *DES_LIB_FUNCTION des_options(void); -void DES_LIB_FUNCTION des_ecb3_encrypt(des_cblock *input,des_cblock *output, - des_key_schedule ks1,des_key_schedule ks2, - des_key_schedule ks3, int enc); -DES_LONG DES_LIB_FUNCTION des_cbc_cksum(des_cblock *input,des_cblock *output, - long length,des_key_schedule schedule,des_cblock *ivec); -void DES_LIB_FUNCTION des_cbc_encrypt(des_cblock *input,des_cblock *output,long length, - des_key_schedule schedule,des_cblock *ivec,int enc); -void DES_LIB_FUNCTION des_ncbc_encrypt(des_cblock *input,des_cblock *output,long length, - des_key_schedule schedule,des_cblock *ivec,int enc); -void DES_LIB_FUNCTION des_xcbc_encrypt(des_cblock *input,des_cblock *output,long length, - des_key_schedule schedule,des_cblock *ivec, - des_cblock *inw,des_cblock *outw,int enc); -void DES_LIB_FUNCTION des_3cbc_encrypt(des_cblock *input,des_cblock *output,long length, - des_key_schedule sk1,des_key_schedule sk2, - des_cblock *ivec1,des_cblock *ivec2,int enc); -void DES_LIB_FUNCTION des_cfb_encrypt(unsigned char *in,unsigned char *out,int numbits, - long length,des_key_schedule schedule,des_cblock *ivec,int enc); -void DES_LIB_FUNCTION des_ecb_encrypt(des_cblock *input,des_cblock *output, - des_key_schedule ks,int enc); -void DES_LIB_FUNCTION des_encrypt(DES_LONG *data,des_key_schedule ks, int enc); -void DES_LIB_FUNCTION des_encrypt2(DES_LONG *data,des_key_schedule ks, int enc); -void DES_LIB_FUNCTION des_encrypt3(DES_LONG *data, des_key_schedule ks1, - des_key_schedule ks2, des_key_schedule ks3); -void DES_LIB_FUNCTION des_decrypt3(DES_LONG *data, des_key_schedule ks1, - des_key_schedule ks2, des_key_schedule ks3); -void 
DES_LIB_FUNCTION des_ede3_cbc_encrypt(des_cblock *input, des_cblock *output, - long length, des_key_schedule ks1, des_key_schedule ks2, - des_key_schedule ks3, des_cblock *ivec, int enc); -void DES_LIB_FUNCTION des_ede3_cfb64_encrypt(unsigned char *in, unsigned char *out, - long length, des_key_schedule ks1, des_key_schedule ks2, - des_key_schedule ks3, des_cblock *ivec, int *num, int encrypt); -void DES_LIB_FUNCTION des_ede3_ofb64_encrypt(unsigned char *in, unsigned char *out, - long length, des_key_schedule ks1, des_key_schedule ks2, - des_key_schedule ks3, des_cblock *ivec, int *num); - -int DES_LIB_FUNCTION des_enc_read(int fd,char *buf,int len,des_key_schedule sched, - des_cblock *iv); -int DES_LIB_FUNCTION des_enc_write(int fd,char *buf,int len,des_key_schedule sched, - des_cblock *iv); -char *DES_LIB_FUNCTION des_fcrypt(const char *buf,const char *salt, char *ret); -#ifdef PERL5 -char *des_crypt(const char *buf,const char *salt); -#else -/* some stupid compilers complain because I have declared char instead - * of const char */ -#ifdef HEADER_DES_LOCL_H -char *DES_LIB_FUNCTION crypt(const char *buf,const char *salt); -#else -char *crypt(); -#endif -#endif -void DES_LIB_FUNCTION des_ofb_encrypt(unsigned char *in,unsigned char *out, - int numbits,long length,des_key_schedule schedule,des_cblock *ivec); -void DES_LIB_FUNCTION des_pcbc_encrypt(des_cblock *input,des_cblock *output,long length, - des_key_schedule schedule,des_cblock *ivec,int enc); -DES_LONG DES_LIB_FUNCTION des_quad_cksum(des_cblock *input,des_cblock *output, - long length,int out_count,des_cblock *seed); -void DES_LIB_FUNCTION des_random_seed(des_cblock key); -void DES_LIB_FUNCTION des_random_key(des_cblock ret); -int DES_LIB_FUNCTION des_read_password(des_cblock *key,char *prompt,int verify); -int DES_LIB_FUNCTION des_read_2passwords(des_cblock *key1,des_cblock *key2, - char *prompt,int verify); -int DES_LIB_FUNCTION des_read_pw_string(char *buf,int length,char *prompt,int verify); -void 
DES_LIB_FUNCTION des_set_odd_parity(des_cblock *key); -int DES_LIB_FUNCTION des_is_weak_key(des_cblock *key); -int DES_LIB_FUNCTION des_set_key(des_cblock *key,des_key_schedule schedule); -int DES_LIB_FUNCTION des_key_sched(des_cblock *key,des_key_schedule schedule); -void DES_LIB_FUNCTION des_string_to_key(char *str,des_cblock *key); -void DES_LIB_FUNCTION des_string_to_2keys(char *str,des_cblock *key1,des_cblock *key2); -void DES_LIB_FUNCTION des_cfb64_encrypt(unsigned char *in, unsigned char *out, long length, - des_key_schedule schedule, des_cblock *ivec, int *num, int enc); -void DES_LIB_FUNCTION des_ofb64_encrypt(unsigned char *in, unsigned char *out, long length, - des_key_schedule schedule, des_cblock *ivec, int *num); - -/* Extra functions from Mark Murray */ -void DES_LIB_FUNCTION des_cblock_print_file(des_cblock *cb, FILE *fp); -/* The following functions are not in the normal unix build or the - * SSLeay build. When using the SSLeay build, use RAND_seed() - * and RAND_bytes() instead. 
*/ -int DES_LIB_FUNCTION des_new_random_key(des_cblock *key); -void DES_LIB_FUNCTION des_init_random_number_generator(des_cblock *key); -void DES_LIB_FUNCTION des_set_random_generator_seed(des_cblock *key); -void DES_LIB_FUNCTION des_set_sequence_number(des_cblock new_sequence_number); -void DES_LIB_FUNCTION des_generate_random_block(des_cblock *block); -void DES_LIB_FUNCTION des_rand_data(unsigned char *data, int size); - -#else - -char *des_options(); -void des_ecb3_encrypt(); -DES_LONG des_cbc_cksum(); -void des_cbc_encrypt(); -void des_ncbc_encrypt(); -void des_xcbc_encrypt(); -void des_3cbc_encrypt(); -void des_cfb_encrypt(); -void des_ede3_cfb64_encrypt(); -void des_ede3_ofb64_encrypt(); -void des_ecb_encrypt(); -void des_encrypt(); -void des_encrypt2(); -void des_encrypt3(); -void des_decrypt3(); -void des_ede3_cbc_encrypt(); -int des_enc_read(); -int des_enc_write(); -char *des_fcrypt(); -#ifdef PERL5 -char *des_crypt(); -#else -char *crypt(); -#endif -void des_ofb_encrypt(); -void des_pcbc_encrypt(); -DES_LONG des_quad_cksum(); -void des_random_seed(); -void des_random_key(); -int des_read_password(); -int des_read_2passwords(); -int des_read_pw_string(); -void des_set_odd_parity(); -int des_is_weak_key(); -int des_set_key(); -int des_key_sched(); -void des_string_to_key(); -void des_string_to_2keys(); -void des_cfb64_encrypt(); -void des_ofb64_encrypt(); - -/* Extra functions from Mark Murray */ -void des_cblock_print_file(); -/* The following functions are not in the normal unix build or the - * SSLeay build. When using the SSLeay build, use RAND_seed() - * and RAND_bytes() instead. */ -int des_new_random_key(); -void des_init_random_number_generator(); -void des_set_random_generator_seed(); -void des_set_sequence_number(); -void des_generate_random_block(); -void des_rand_data(); - -#endif - -#ifdef __cplusplus -} -#endif - -#endif 
diff --git a/crypto/heimdal-0.6.3/lib/des/des.mak b/crypto/heimdal-0.6.3/lib/des/des.mak
deleted file mode 100644
index c200527065..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/des.mak
+++ /dev/null
@@ -1,659 +0,0 @@ -# Microsoft Developer Studio Generated NMAKE File, Based on des.dsp -!IF "$(CFG)" == "" -CFG=des - Win32 Release -!MESSAGE No configuration specified. Defaulting to des - Win32 Release. -!ENDIF - -!IF "$(CFG)" != "des - Win32 Release" && "$(CFG)" != "des - Win32 Debug" -!MESSAGE Invalid configuration "$(CFG)" specified. -!MESSAGE You can specify a configuration when running NMAKE -!MESSAGE by defining the macro CFG on the command line. For example: -!MESSAGE -!MESSAGE NMAKE /f "des.mak" CFG="des - Win32 Release" -!MESSAGE -!MESSAGE Possible choices for configuration are: -!MESSAGE -!MESSAGE "des - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library") -!MESSAGE "des - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library") -!MESSAGE -!ERROR An invalid configuration is specified. -!ENDIF - -!IF "$(OS)" == "Windows_NT" -NULL= -!ELSE -NULL=nul -!ENDIF - -!IF "$(CFG)" == "des - Win32 Release" - -OUTDIR=.\Release -INTDIR=.\Release -# Begin Custom Macros -OutDir=.\.\Release -# End Custom Macros - -!IF "$(RECURSE)" == "0" - -ALL : "$(OUTDIR)\des.dll" - -!ELSE - -ALL : "roken - Win32 Release" "$(OUTDIR)\des.dll" - -!ENDIF - -!IF "$(RECURSE)" == "1" -CLEAN :"roken - Win32 ReleaseCLEAN" -!ELSE -CLEAN : -!ENDIF - -@erase "$(INTDIR)\cbc3_enc.obj" - -@erase "$(INTDIR)\cbc_cksm.obj" - -@erase "$(INTDIR)\cbc_enc.obj" - -@erase "$(INTDIR)\cfb64ede.obj" - -@erase "$(INTDIR)\cfb64enc.obj" - -@erase "$(INTDIR)\cfb_enc.obj" - -@erase "$(INTDIR)\des_enc.obj" - -@erase "$(INTDIR)\dllmain.obj" - -@erase "$(INTDIR)\ecb3_enc.obj" - -@erase "$(INTDIR)\ecb_enc.obj" - -@erase "$(INTDIR)\ede_enc.obj" - -@erase "$(INTDIR)\enc_read.obj" - -@erase "$(INTDIR)\enc_writ.obj" - -@erase "$(INTDIR)\fcrypt.obj" - -@erase "$(INTDIR)\key_par.obj" - -@erase "$(INTDIR)\ncbc_enc.obj" - -@erase "$(INTDIR)\ofb64ede.obj" - -@erase "$(INTDIR)\ofb64enc.obj" - -@erase "$(INTDIR)\ofb_enc.obj" - -@erase "$(INTDIR)\passwd_dialog.res" - -@erase "$(INTDIR)\passwd_dlg.obj" - -@erase 
"$(INTDIR)\pcbc_enc.obj" - -@erase "$(INTDIR)\qud_cksm.obj" - -@erase "$(INTDIR)\read_pwd.obj" - -@erase "$(INTDIR)\rnd_keys.obj" - -@erase "$(INTDIR)\rpc_enc.obj" - -@erase "$(INTDIR)\set_key.obj" - -@erase "$(INTDIR)\str2key.obj" - -@erase "$(INTDIR)\supp.obj" - -@erase "$(INTDIR)\vc50.idb" - -@erase "$(OUTDIR)\des.dll" - -@erase "$(OUTDIR)\des.exp" - -@erase "$(OUTDIR)\des.lib" - -"$(OUTDIR)" : - if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)" - -CPP=cl.exe -CPP_PROJ=/nologo /MT /W3 /GX /O2 /I "..\roken" /I "." /I "..\..\include" /I\ - "..\..\include\win32" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "HAVE_CONFIG_H"\ - /Fp"$(INTDIR)\des.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c -CPP_OBJS=.\Release/ -CPP_SBRS=. - -.c{$(CPP_OBJS)}.obj:: - $(CPP) @<< - $(CPP_PROJ) $< -<< - -.cpp{$(CPP_OBJS)}.obj:: - $(CPP) @<< - $(CPP_PROJ) $< -<< - -.cxx{$(CPP_OBJS)}.obj:: - $(CPP) @<< - $(CPP_PROJ) $< -<< - -.c{$(CPP_SBRS)}.sbr:: - $(CPP) @<< - $(CPP_PROJ) $< -<< - -.cpp{$(CPP_SBRS)}.sbr:: - $(CPP) @<< - $(CPP_PROJ) $< -<< - -.cxx{$(CPP_SBRS)}.sbr:: - $(CPP) @<< - $(CPP_PROJ) $< -<< - -MTL=midl.exe -MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32 -RSC=rc.exe -RSC_PROJ=/l 0x409 /fo"$(INTDIR)\passwd_dialog.res" /d "NDEBUG" -BSC32=bscmake.exe -BSC32_FLAGS=/nologo /o"$(OUTDIR)\des.bsc" -BSC32_SBRS= \ - -LINK32=link.exe -LINK32_FLAGS=..\roken\Release\roken.lib kernel32.lib user32.lib gdi32.lib\ - winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib\ - uuid.lib /nologo /subsystem:windows /dll /incremental:no\ - /pdb:"$(OUTDIR)\des.pdb" /machine:I386 /def:".\des.def"\ - /out:"$(OUTDIR)\des.dll" /implib:"$(OUTDIR)\des.lib" -DEF_FILE= \ - ".\des.def" -LINK32_OBJS= \ - "$(INTDIR)\cbc3_enc.obj" \ - "$(INTDIR)\cbc_cksm.obj" \ - "$(INTDIR)\cbc_enc.obj" \ - "$(INTDIR)\cfb64ede.obj" \ - "$(INTDIR)\cfb64enc.obj" \ - "$(INTDIR)\cfb_enc.obj" \ - "$(INTDIR)\des_enc.obj" \ - "$(INTDIR)\dllmain.obj" \ - "$(INTDIR)\ecb3_enc.obj" \ - "$(INTDIR)\ecb_enc.obj" \ - 
"$(INTDIR)\ede_enc.obj" \ - "$(INTDIR)\enc_read.obj" \ - "$(INTDIR)\enc_writ.obj" \ - "$(INTDIR)\fcrypt.obj" \ - "$(INTDIR)\key_par.obj" \ - "$(INTDIR)\ncbc_enc.obj" \ - "$(INTDIR)\ofb64ede.obj" \ - "$(INTDIR)\ofb64enc.obj" \ - "$(INTDIR)\ofb_enc.obj" \ - "$(INTDIR)\passwd_dialog.res" \ - "$(INTDIR)\passwd_dlg.obj" \ - "$(INTDIR)\pcbc_enc.obj" \ - "$(INTDIR)\qud_cksm.obj" \ - "$(INTDIR)\read_pwd.obj" \ - "$(INTDIR)\rnd_keys.obj" \ - "$(INTDIR)\rpc_enc.obj" \ - "$(INTDIR)\set_key.obj" \ - "$(INTDIR)\str2key.obj" \ - "$(INTDIR)\supp.obj" \ - "..\roken\Release\roken.lib" - -"$(OUTDIR)\des.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS) - $(LINK32) @<< - $(LINK32_FLAGS) $(LINK32_OBJS) -<< - -!ELSEIF "$(CFG)" == "des - Win32 Debug" - -OUTDIR=.\Debug -INTDIR=.\Debug -# Begin Custom Macros -OutDir=.\.\Debug -# End Custom Macros - -!IF "$(RECURSE)" == "0" - -ALL : "$(OUTDIR)\des.dll" - -!ELSE - -ALL : "roken - Win32 Debug" "$(OUTDIR)\des.dll" - -!ENDIF - -!IF "$(RECURSE)" == "1" -CLEAN :"roken - Win32 DebugCLEAN" -!ELSE -CLEAN : -!ENDIF - -@erase "$(INTDIR)\cbc3_enc.obj" - -@erase "$(INTDIR)\cbc_cksm.obj" - -@erase "$(INTDIR)\cbc_enc.obj" - -@erase "$(INTDIR)\cfb64ede.obj" - -@erase "$(INTDIR)\cfb64enc.obj" - -@erase "$(INTDIR)\cfb_enc.obj" - -@erase "$(INTDIR)\des_enc.obj" - -@erase "$(INTDIR)\dllmain.obj" - -@erase "$(INTDIR)\ecb3_enc.obj" - -@erase "$(INTDIR)\ecb_enc.obj" - -@erase "$(INTDIR)\ede_enc.obj" - -@erase "$(INTDIR)\enc_read.obj" - -@erase "$(INTDIR)\enc_writ.obj" - -@erase "$(INTDIR)\fcrypt.obj" - -@erase "$(INTDIR)\key_par.obj" - -@erase "$(INTDIR)\ncbc_enc.obj" - -@erase "$(INTDIR)\ofb64ede.obj" - -@erase "$(INTDIR)\ofb64enc.obj" - -@erase "$(INTDIR)\ofb_enc.obj" - -@erase "$(INTDIR)\passwd_dialog.res" - -@erase "$(INTDIR)\passwd_dlg.obj" - -@erase "$(INTDIR)\pcbc_enc.obj" - -@erase "$(INTDIR)\qud_cksm.obj" - -@erase "$(INTDIR)\read_pwd.obj" - -@erase "$(INTDIR)\rnd_keys.obj" - -@erase "$(INTDIR)\rpc_enc.obj" - -@erase "$(INTDIR)\set_key.obj" - -@erase 
"$(INTDIR)\str2key.obj" - -@erase "$(INTDIR)\supp.obj" - -@erase "$(INTDIR)\vc50.idb" - -@erase "$(INTDIR)\vc50.pdb" - -@erase "$(OUTDIR)\des.dll" - -@erase "$(OUTDIR)\des.exp" - -@erase "$(OUTDIR)\des.ilk" - -@erase "$(OUTDIR)\des.lib" - -@erase "$(OUTDIR)\des.pdb" - -"$(OUTDIR)" : - if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)" - -CPP=cl.exe -CPP_PROJ=/nologo /MDd /W3 /Gm /GX /Zi /Od /I "..\roken" /I "." /I\ - "..\..\include" /I "..\..\include\win32" /D "WIN32" /D "_DEBUG" /D "_WINDOWS"\ - /D "HAVE_CONFIG_H" /Fp"$(INTDIR)\des.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\"\ - /FD /c -CPP_OBJS=.\Debug/ -CPP_SBRS=. - -.c{$(CPP_OBJS)}.obj:: - $(CPP) @<< - $(CPP_PROJ) $< -<< - -.cpp{$(CPP_OBJS)}.obj:: - $(CPP) @<< - $(CPP_PROJ) $< -<< - -.cxx{$(CPP_OBJS)}.obj:: - $(CPP) @<< - $(CPP_PROJ) $< -<< - -.c{$(CPP_SBRS)}.sbr:: - $(CPP) @<< - $(CPP_PROJ) $< -<< - -.cpp{$(CPP_SBRS)}.sbr:: - $(CPP) @<< - $(CPP_PROJ) $< -<< - -.cxx{$(CPP_SBRS)}.sbr:: - $(CPP) @<< - $(CPP_PROJ) $< -<< - -MTL=midl.exe -MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32 -RSC=rc.exe -RSC_PROJ=/l 0x409 /fo"$(INTDIR)\passwd_dialog.res" /d "_DEBUG" -BSC32=bscmake.exe -BSC32_FLAGS=/nologo /o"$(OUTDIR)\des.bsc" -BSC32_SBRS= \ - -LINK32=link.exe -LINK32_FLAGS=..\roken\Debug\roken.lib kernel32.lib user32.lib gdi32.lib\ - winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib\ - uuid.lib /nologo /subsystem:windows /dll /incremental:yes\ - /pdb:"$(OUTDIR)\des.pdb" /debug /machine:I386 /def:".\des.def"\ - /out:"$(OUTDIR)\des.dll" /implib:"$(OUTDIR)\des.lib" -DEF_FILE= \ - ".\des.def" -LINK32_OBJS= \ - "$(INTDIR)\cbc3_enc.obj" \ - "$(INTDIR)\cbc_cksm.obj" \ - "$(INTDIR)\cbc_enc.obj" \ - "$(INTDIR)\cfb64ede.obj" \ - "$(INTDIR)\cfb64enc.obj" \ - "$(INTDIR)\cfb_enc.obj" \ - "$(INTDIR)\des_enc.obj" \ - "$(INTDIR)\dllmain.obj" \ - "$(INTDIR)\ecb3_enc.obj" \ - "$(INTDIR)\ecb_enc.obj" \ - "$(INTDIR)\ede_enc.obj" \ - "$(INTDIR)\enc_read.obj" \ - "$(INTDIR)\enc_writ.obj" \ - "$(INTDIR)\fcrypt.obj" \ - 
"$(INTDIR)\key_par.obj" \ - "$(INTDIR)\ncbc_enc.obj" \ - "$(INTDIR)\ofb64ede.obj" \ - "$(INTDIR)\ofb64enc.obj" \ - "$(INTDIR)\ofb_enc.obj" \ - "$(INTDIR)\passwd_dialog.res" \ - "$(INTDIR)\passwd_dlg.obj" \ - "$(INTDIR)\pcbc_enc.obj" \ - "$(INTDIR)\qud_cksm.obj" \ - "$(INTDIR)\read_pwd.obj" \ - "$(INTDIR)\rnd_keys.obj" \ - "$(INTDIR)\rpc_enc.obj" \ - "$(INTDIR)\set_key.obj" \ - "$(INTDIR)\str2key.obj" \ - "$(INTDIR)\supp.obj" \ - "..\roken\Debug\roken.lib" - -"$(OUTDIR)\des.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS) - $(LINK32) @<< - $(LINK32_FLAGS) $(LINK32_OBJS) -<< - -!ENDIF - - -!IF "$(CFG)" == "des - Win32 Release" || "$(CFG)" == "des - Win32 Debug" -SOURCE=.\cbc3_enc.c -DEP_CPP_CBC3_=\ - "..\..\include\win32\config.h"\ - ".\des.h"\ - ".\des_locl.h"\ - - -"$(INTDIR)\cbc3_enc.obj" : $(SOURCE) $(DEP_CPP_CBC3_) "$(INTDIR)" - - -SOURCE=.\cbc_cksm.c -DEP_CPP_CBC_C=\ - "..\..\include\win32\config.h"\ - ".\des.h"\ - ".\des_locl.h"\ - - -"$(INTDIR)\cbc_cksm.obj" : $(SOURCE) $(DEP_CPP_CBC_C) "$(INTDIR)" - - -SOURCE=.\cbc_enc.c -DEP_CPP_CBC_E=\ - "..\..\include\win32\config.h"\ - ".\des.h"\ - ".\des_locl.h"\ - - -"$(INTDIR)\cbc_enc.obj" : $(SOURCE) $(DEP_CPP_CBC_E) "$(INTDIR)" - - -SOURCE=.\cfb64ede.c -DEP_CPP_CFB64=\ - "..\..\include\win32\config.h"\ - ".\des.h"\ - ".\des_locl.h"\ - - -"$(INTDIR)\cfb64ede.obj" : $(SOURCE) $(DEP_CPP_CFB64) "$(INTDIR)" - - -SOURCE=.\cfb64enc.c -DEP_CPP_CFB64E=\ - "..\..\include\win32\config.h"\ - ".\des.h"\ - ".\des_locl.h"\ - - -"$(INTDIR)\cfb64enc.obj" : $(SOURCE) $(DEP_CPP_CFB64E) "$(INTDIR)" - - -SOURCE=.\cfb_enc.c -DEP_CPP_CFB_E=\ - "..\..\include\win32\config.h"\ - ".\des.h"\ - ".\des_locl.h"\ - - -"$(INTDIR)\cfb_enc.obj" : $(SOURCE) $(DEP_CPP_CFB_E) "$(INTDIR)" - - -SOURCE=.\des_enc.c -DEP_CPP_DES_E=\ - "..\..\include\win32\config.h"\ - ".\des.h"\ - ".\des_locl.h"\ - - -"$(INTDIR)\des_enc.obj" : $(SOURCE) $(DEP_CPP_DES_E) "$(INTDIR)" - - -SOURCE=.\dllmain.c -DEP_CPP_DLLMA=\ - "..\..\include\win32\config.h"\ - - 
-"$(INTDIR)\dllmain.obj" : $(SOURCE) $(DEP_CPP_DLLMA) "$(INTDIR)" - - -SOURCE=.\ecb3_enc.c -DEP_CPP_ECB3_=\ - "..\..\include\win32\config.h"\ - ".\des.h"\ - ".\des_locl.h"\ - - -"$(INTDIR)\ecb3_enc.obj" : $(SOURCE) $(DEP_CPP_ECB3_) "$(INTDIR)" - - -SOURCE=.\ecb_enc.c -DEP_CPP_ECB_E=\ - "..\..\include\win32\config.h"\ - ".\des.h"\ - ".\des_locl.h"\ - ".\spr.h"\ - - -"$(INTDIR)\ecb_enc.obj" : $(SOURCE) $(DEP_CPP_ECB_E) "$(INTDIR)" - - -SOURCE=.\ede_enc.c -DEP_CPP_EDE_E=\ - "..\..\include\win32\config.h"\ - ".\des.h"\ - ".\des_locl.h"\ - - -"$(INTDIR)\ede_enc.obj" : $(SOURCE) $(DEP_CPP_EDE_E) "$(INTDIR)" - - -SOURCE=.\enc_read.c -DEP_CPP_ENC_R=\ - "..\..\include\win32\config.h"\ - ".\des.h"\ - ".\des_locl.h"\ - - -"$(INTDIR)\enc_read.obj" : $(SOURCE) $(DEP_CPP_ENC_R) "$(INTDIR)" - - -SOURCE=.\enc_writ.c -DEP_CPP_ENC_W=\ - "..\..\include\win32\config.h"\ - ".\des.h"\ - ".\des_locl.h"\ - - -"$(INTDIR)\enc_writ.obj" : $(SOURCE) $(DEP_CPP_ENC_W) "$(INTDIR)" - - -SOURCE=.\fcrypt.c -DEP_CPP_FCRYP=\ - "..\..\include\win32\config.h"\ - "..\..\include\win32\ktypes.h"\ - ".\des.h"\ - ".\des_locl.h"\ - ".\md5.h"\ - {$(INCLUDE)}"sys\types.h"\ - - -"$(INTDIR)\fcrypt.obj" : $(SOURCE) $(DEP_CPP_FCRYP) "$(INTDIR)" - - -SOURCE=.\key_par.c -DEP_CPP_KEY_P=\ - "..\..\include\win32\config.h"\ - ".\des.h"\ - ".\des_locl.h"\ - - -"$(INTDIR)\key_par.obj" : $(SOURCE) $(DEP_CPP_KEY_P) "$(INTDIR)" - - -SOURCE=.\ncbc_enc.c -DEP_CPP_NCBC_=\ - "..\..\include\win32\config.h"\ - ".\des.h"\ - ".\des_locl.h"\ - - -"$(INTDIR)\ncbc_enc.obj" : $(SOURCE) $(DEP_CPP_NCBC_) "$(INTDIR)" - - -SOURCE=.\ofb64ede.c -DEP_CPP_OFB64=\ - "..\..\include\win32\config.h"\ - ".\des.h"\ - ".\des_locl.h"\ - - -"$(INTDIR)\ofb64ede.obj" : $(SOURCE) $(DEP_CPP_OFB64) "$(INTDIR)" - - -SOURCE=.\ofb64enc.c -DEP_CPP_OFB64E=\ - "..\..\include\win32\config.h"\ - ".\des.h"\ - ".\des_locl.h"\ - - -"$(INTDIR)\ofb64enc.obj" : $(SOURCE) $(DEP_CPP_OFB64E) "$(INTDIR)" - - -SOURCE=.\ofb_enc.c -DEP_CPP_OFB_E=\ - 
"..\..\include\win32\config.h"\ - ".\des.h"\ - ".\des_locl.h"\ - - -"$(INTDIR)\ofb_enc.obj" : $(SOURCE) $(DEP_CPP_OFB_E) "$(INTDIR)" - - -SOURCE=.\passwd_dlg.c -DEP_CPP_PASSW=\ - "..\..\include\win32\config.h"\ - ".\passwd_dlg.h"\ - - -"$(INTDIR)\passwd_dlg.obj" : $(SOURCE) $(DEP_CPP_PASSW) "$(INTDIR)" - - -SOURCE=.\pcbc_enc.c -DEP_CPP_PCBC_=\ - "..\..\include\win32\config.h"\ - ".\des.h"\ - ".\des_locl.h"\ - - -"$(INTDIR)\pcbc_enc.obj" : $(SOURCE) $(DEP_CPP_PCBC_) "$(INTDIR)" - - -SOURCE=.\qud_cksm.c -DEP_CPP_QUD_C=\ - "..\..\include\win32\config.h"\ - ".\des.h"\ - ".\des_locl.h"\ - - -"$(INTDIR)\qud_cksm.obj" : $(SOURCE) $(DEP_CPP_QUD_C) "$(INTDIR)" - - -SOURCE=.\read_pwd.c -DEP_CPP_READ_=\ - "..\..\include\win32\config.h"\ - ".\des.h"\ - ".\des_locl.h"\ - - -"$(INTDIR)\read_pwd.obj" : $(SOURCE) $(DEP_CPP_READ_) "$(INTDIR)" - - -SOURCE=.\rnd_keys.c -DEP_CPP_RND_K=\ - "..\..\include\win32\config.h"\ - "..\..\include\win32\ktypes.h"\ - ".\des.h"\ - ".\des_locl.h"\ - {$(INCLUDE)}"sys\types.h"\ - - -"$(INTDIR)\rnd_keys.obj" : $(SOURCE) $(DEP_CPP_RND_K) "$(INTDIR)" - - -SOURCE=.\rpc_enc.c -DEP_CPP_RPC_E=\ - "..\..\include\win32\config.h"\ - ".\des.h"\ - ".\des_locl.h"\ - ".\des_ver.h"\ - ".\rpc_des.h"\ - - -"$(INTDIR)\rpc_enc.obj" : $(SOURCE) $(DEP_CPP_RPC_E) "$(INTDIR)" - - -SOURCE=.\set_key.c -DEP_CPP_SET_K=\ - "..\..\include\win32\config.h"\ - ".\des.h"\ - ".\des_locl.h"\ - ".\podd.h"\ - ".\sk.h"\ - - -"$(INTDIR)\set_key.obj" : $(SOURCE) $(DEP_CPP_SET_K) "$(INTDIR)" - - -SOURCE=.\str2key.c -DEP_CPP_STR2K=\ - "..\..\include\win32\config.h"\ - ".\des.h"\ - ".\des_locl.h"\ - - -"$(INTDIR)\str2key.obj" : $(SOURCE) $(DEP_CPP_STR2K) "$(INTDIR)" - - -SOURCE=.\supp.c -DEP_CPP_SUPP_=\ - "..\..\include\win32\config.h"\ - ".\des.h"\ - ".\des_locl.h"\ - - -"$(INTDIR)\supp.obj" : $(SOURCE) $(DEP_CPP_SUPP_) "$(INTDIR)" - - -SOURCE=.\passwd_dialog.rc - -"$(INTDIR)\passwd_dialog.res" : $(SOURCE) "$(INTDIR)" - $(RSC) $(RSC_PROJ) $(SOURCE) - - -!IF "$(CFG)" == "des - Win32 Release" 
- -"roken - Win32 Release" : - cd "\tmp\wirus-krb\krb4-pre-0.9.9\lib\roken" - $(MAKE) /$(MAKEFLAGS) /F ".\roken.mak" CFG="roken - Win32 Release" - cd "..\des" - -"roken - Win32 ReleaseCLEAN" : - cd "\tmp\wirus-krb\krb4-pre-0.9.9\lib\roken" - $(MAKE) /$(MAKEFLAGS) CLEAN /F ".\roken.mak" CFG="roken - Win32 Release"\ - RECURSE=1 - cd "..\des" - -!ELSEIF "$(CFG)" == "des - Win32 Debug" - -"roken - Win32 Debug" : - cd "\tmp\wirus-krb\krb4-pre-0.9.9\lib\roken" - $(MAKE) /$(MAKEFLAGS) /F ".\roken.mak" CFG="roken - Win32 Debug" - cd "..\des" - -"roken - Win32 DebugCLEAN" : - cd "\tmp\wirus-krb\krb4-pre-0.9.9\lib\roken" - $(MAKE) /$(MAKEFLAGS) CLEAN /F ".\roken.mak" CFG="roken - Win32 Debug"\ - RECURSE=1 - cd "..\des" - -!ENDIF - - -!ENDIF - diff --git a/crypto/heimdal-0.6.3/lib/des/des.man b/crypto/heimdal-0.6.3/lib/des/des.man deleted file mode 100644 index 734119906b..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/des.man +++ /dev/null 
@@ -1,186 +0,0 @@ -.TH DES 1 -.SH NAME -des - encrypt or decrypt data using Data Encryption Standard -.SH SYNOPSIS -.B des -( -.B \-e -| -.B \-E -) | ( -.B \-d -| -.B \-D -) | ( -.B \-\fR[\fPcC\fR][\fPckname\fR]\fP -) | -[ -.B \-b3hfs -] [ -.B \-k -.I key -] -] [ -.B \-u\fR[\fIuuname\fR] -[ -.I input-file -[ -.I output-file -] ] -.SH DESCRIPTION -.B des -encrypts and decrypts data using the -Data Encryption Standard algorithm. -One of -.B \-e, \-E -(for encrypt) or -.B \-d, \-D -(for decrypt) must be specified. -It is also possible to use -.B \-c -or -.B \-C -in conjunction or instead of the a encrypt/decrypt option to generate -a 16 character hexadecimal checksum, generated via the -.I des_cbc_cksum. -.LP -Two standard encryption modes are supported by the -.B des -program, Cipher Block Chaining (the default) and Electronic Code Book -(specified with -.B \-b -). -.LP -The key used for the DES -algorithm is obtained by prompting the user unless the -.B `\-k -.I key' -option is given. -If the key is an argument to the -.B des -command, it is potentially visible to users executing -.BR ps (1) -or a derivative. To minimise this possibility, -.B des -takes care to destroy the key argument immediately upon entry. -If your shell keeps a history file be careful to make sure it is not -world readable. -.LP -Since this program attempts to maintain compatability with sunOS's -des(1) command, there are 2 different methods used to convert the user -supplied key to a des key. -Whenever and one or more of -.B \-E, \-D, \-C -or -.B \-3 -options are used, the key conversion procedure will not be compatible -with the sunOS des(1) version but will use all the user supplied -character to generate the des key. -.B des -command reads from standard input unless -.I input-file -is specified and writes to standard output unless -.I output-file -is given. -.SH OPTIONS -.TP -.B \-b -Select ECB -(eight bytes at a time) encryption mode. -.TP -.B \-3 -Encrypt using triple encryption. 
-By default triple cbc encryption is used but if the -.B \-b -option is used then triple ecb encryption is performed. -If the key is less than 8 characters long, the flag has no effect. -.TP -.B \-e -Encrypt data using an 8 byte key in a manner compatible with sunOS -des(1). -.TP -.B \-E -Encrypt data using a key of nearly unlimited length (1024 bytes). -This will product a more secure encryption. -.TP -.B \-d -Decrypt data that was encrypted with the \-e option. -.TP -.B \-D -Decrypt data that was encrypted with the \-E option. -.TP -.B \-c -Generate a 16 character hexadecimal cbc checksum and output this to -stderr. -If a filename was specified after the -.B \-c -option, the checksum is output to that file. -The checksum is generated using a key generated in a sunOS compatible -manner. -.TP -.B \-C -A cbc checksum is generated in the same manner as described for the -.B \-c -option but the DES key is generated in the same manner as used for the -.B \-E -and -.B \-D -options -.TP -.B \-f -Does nothing - allowed for compatibility with sunOS des(1) command. -.TP -.B \-s -Does nothing - allowed for compatibility with sunOS des(1) command. -.TP -.B "\-k \fIkey\fP" -Use the encryption -.I key -specified. -.TP -.B "\-h" -The -.I key -is assumed to be a 16 character hexadecimal number. -If the -.B "\-3" -option is used the key is assumed to be a 32 character hexadecimal -number. -.TP -.B \-u -This flag is used to read and write uuencoded files. If decrypting, -the input file is assumed to contain uuencoded, DES encrypted data. -If encrypting, the characters following the -u are used as the name of -the uuencoded file to embed in the begin line of the uuencoded -output. If there is no name specified after the -u, the name text.des -will be embedded in the header. -.SH SEE ALSO -.B ps (1) -.B des_crypt(3) -.SH BUGS -.LP -The problem with using the -.B -e -option is the short key length. 
-It would be better to use a real 56-bit key rather than an -ASCII-based 56-bit pattern. Knowing that the key was derived from ASCII -radically reduces the time necessary for a brute-force cryptographic attack. -My attempt to remove this problem is to add an alternative text-key to -DES-key function. This alternative function (accessed via -.B -E, -D, -S -and -.B -3 -) -uses DES to help generate the key. -.LP -Be carefully when using the -u option. Doing des -ud will -not decrypt filename (the -u option will gobble the d option). -.LP -The VMS operating system operates in a world where files are always a -multiple of 512 bytes. This causes problems when encrypted data is -send from unix to VMS since a 88 byte file will suddenly be padded -with 424 null bytes. To get around this problem, use the -u option -to uuencode the data before it is send to the VMS system. -.SH AUTHOR -.LP -Eric Young (eay@mincom.oz.au or eay@psych.psy.uq.oz.au) diff --git a/crypto/heimdal-0.6.3/lib/des/des.org b/crypto/heimdal-0.6.3/lib/des/des.org deleted file mode 100644 index c1eef51bfe..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/des.org +++ /dev/null 
@@ -1,291 +0,0 @@ -/* crypto/des/des.h */ -/* Copyright (C) 1995-1997 Eric Young (eay@mincom.oz.au) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@mincom.oz.au). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@mincom.oz.au). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@mincom.oz.au)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. 
If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@mincom.oz.au)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#ifndef HEADER_DES_H -#define HEADER_DES_H - -#ifdef __cplusplus -extern "C" { -#endif - -#include - -/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a - * %20 speed up (longs are 8 bytes, int's are 4). 
*/ -#ifndef DES_LONG -#define DES_LONG unsigned long -#endif - -typedef unsigned char des_cblock[8]; -typedef struct des_ks_struct - { - union { - des_cblock _; - /* make sure things are correct size on machines with - * 8 byte longs */ - DES_LONG pad[2]; - } ks; -#undef _ -#define _ ks._ - } des_key_schedule[16]; - -#define DES_KEY_SZ (sizeof(des_cblock)) -#define DES_SCHEDULE_SZ (sizeof(des_key_schedule)) - -#define DES_ENCRYPT 1 -#define DES_DECRYPT 0 - -#define DES_CBC_MODE 0 -#define DES_PCBC_MODE 1 - -#define des_ecb2_encrypt(i,o,k1,k2,e) \ - des_ecb3_encrypt((i),(o),(k1),(k2),(k1),(e)) - -#define des_ede2_cbc_encrypt(i,o,l,k1,k2,iv,e) \ - des_ede3_cbc_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(e)) - -#define des_ede2_cfb64_encrypt(i,o,l,k1,k2,iv,n,e) \ - des_ede3_cfb64_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(n),(e)) - -#define des_ede2_ofb64_encrypt(i,o,l,k1,k2,iv,n) \ - des_ede3_ofb64_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(n)) - -#define C_Block des_cblock -#define Key_schedule des_key_schedule -#ifdef KERBEROS -#define ENCRYPT DES_ENCRYPT -#define DECRYPT DES_DECRYPT -#endif -#define KEY_SZ DES_KEY_SZ -#define string_to_key des_string_to_key -#define read_pw_string des_read_pw_string -#define random_key des_random_key -#define pcbc_encrypt des_pcbc_encrypt -#define set_key des_set_key -#define key_sched des_key_sched -#define ecb_encrypt des_ecb_encrypt -#define cbc_encrypt des_cbc_encrypt -#define ncbc_encrypt des_ncbc_encrypt -#define xcbc_encrypt des_xcbc_encrypt -#define cbc_cksum des_cbc_cksum -#define quad_cksum des_quad_cksum - -/* For compatibility with the MIT lib - eay 20/05/92 */ -typedef des_key_schedule bit_64; -#define des_fixup_key_parity des_set_odd_parity -#define des_check_key_parity check_parity - -extern int des_check_key; /* defaults to false */ -extern int des_rw_mode; /* defaults to DES_PCBC_MODE */ - -/* The next line is used to disable full ANSI prototypes, if your - * compiler has problems with the prototypes, make sure this line 
always - * evaluates to true :-) */ -#if defined(MSDOS) || defined(__STDC__) -#undef NOPROTO -#endif -#ifndef NOPROTO -char *des_options(void); -void des_ecb3_encrypt(des_cblock *input,des_cblock *output, - des_key_schedule ks1,des_key_schedule ks2, - des_key_schedule ks3, int enc); -DES_LONG des_cbc_cksum(des_cblock *input,des_cblock *output, - long length,des_key_schedule schedule,des_cblock *ivec); -void des_cbc_encrypt(des_cblock *input,des_cblock *output,long length, - des_key_schedule schedule,des_cblock *ivec,int enc); -void des_ncbc_encrypt(des_cblock *input,des_cblock *output,long length, - des_key_schedule schedule,des_cblock *ivec,int enc); -void des_xcbc_encrypt(des_cblock *input,des_cblock *output,long length, - des_key_schedule schedule,des_cblock *ivec, - des_cblock *inw,des_cblock *outw,int enc); -void des_3cbc_encrypt(des_cblock *input,des_cblock *output,long length, - des_key_schedule sk1,des_key_schedule sk2, - des_cblock *ivec1,des_cblock *ivec2,int enc); -void des_cfb_encrypt(unsigned char *in,unsigned char *out,int numbits, - long length,des_key_schedule schedule,des_cblock *ivec,int enc); -void des_ecb_encrypt(des_cblock *input,des_cblock *output, - des_key_schedule ks,int enc); -void des_encrypt(DES_LONG *data,des_key_schedule ks, int enc); -void des_encrypt2(DES_LONG *data,des_key_schedule ks, int enc); -void des_encrypt3(DES_LONG *data, des_key_schedule ks1, - des_key_schedule ks2, des_key_schedule ks3); -void des_decrypt3(DES_LONG *data, des_key_schedule ks1, - des_key_schedule ks2, des_key_schedule ks3); -void des_ede3_cbc_encrypt(des_cblock *input, des_cblock *output, - long length, des_key_schedule ks1, des_key_schedule ks2, - des_key_schedule ks3, des_cblock *ivec, int enc); -void des_ede3_cfb64_encrypt(unsigned char *in, unsigned char *out, - long length, des_key_schedule ks1, des_key_schedule ks2, - des_key_schedule ks3, des_cblock *ivec, int *num, int encrypt); -void des_ede3_ofb64_encrypt(unsigned char *in, unsigned char *out, - 
long length, des_key_schedule ks1, des_key_schedule ks2, - des_key_schedule ks3, des_cblock *ivec, int *num); - -int des_enc_read(int fd,char *buf,int len,des_key_schedule sched, - des_cblock *iv); -int des_enc_write(int fd,char *buf,int len,des_key_schedule sched, - des_cblock *iv); -char *des_fcrypt(const char *buf,const char *salt, char *ret); -#ifdef PERL5 -char *des_crypt(const char *buf,const char *salt); -#else -/* some stupid compilers complain because I have declared char instead - * of const char */ -#ifdef HEADER_DES_LOCL_H -char *crypt(const char *buf,const char *salt); -#else -char *crypt(); -#endif -#endif -void des_ofb_encrypt(unsigned char *in,unsigned char *out, - int numbits,long length,des_key_schedule schedule,des_cblock *ivec); -void des_pcbc_encrypt(des_cblock *input,des_cblock *output,long length, - des_key_schedule schedule,des_cblock *ivec,int enc); -DES_LONG des_quad_cksum(des_cblock *input,des_cblock *output, - long length,int out_count,des_cblock *seed); -void des_random_seed(des_cblock key); -void des_random_key(des_cblock ret); -int des_read_password(des_cblock *key,char *prompt,int verify); -int des_read_2passwords(des_cblock *key1,des_cblock *key2, - char *prompt,int verify); -int des_read_pw_string(char *buf,int length,char *prompt,int verify); -void des_set_odd_parity(des_cblock *key); -int des_is_weak_key(des_cblock *key); -int des_set_key(des_cblock *key,des_key_schedule schedule); -int des_key_sched(des_cblock *key,des_key_schedule schedule); -void des_string_to_key(char *str,des_cblock *key); -void des_string_to_2keys(char *str,des_cblock *key1,des_cblock *key2); -void des_cfb64_encrypt(unsigned char *in, unsigned char *out, long length, - des_key_schedule schedule, des_cblock *ivec, int *num, int enc); -void des_ofb64_encrypt(unsigned char *in, unsigned char *out, long length, - des_key_schedule schedule, des_cblock *ivec, int *num); - -/* Extra functions from Mark Murray */ -void des_cblock_print_file(des_cblock *cb, FILE 
*fp); -/* The following functions are not in the normal unix build or the - * SSLeay build. When using the SSLeay build, use RAND_seed() - * and RAND_bytes() instead. */ -int des_new_random_key(des_cblock *key); -void des_init_random_number_generator(des_cblock *key); -void des_set_random_generator_seed(des_cblock *key); -void des_set_sequence_number(des_cblock new_sequence_number); -void des_generate_random_block(des_cblock *block); - -#else - -char *des_options(); -void des_ecb3_encrypt(); -DES_LONG des_cbc_cksum(); -void des_cbc_encrypt(); -void des_ncbc_encrypt(); -void des_xcbc_encrypt(); -void des_3cbc_encrypt(); -void des_cfb_encrypt(); -void des_ede3_cfb64_encrypt(); -void des_ede3_ofb64_encrypt(); -void des_ecb_encrypt(); -void des_encrypt(); -void des_encrypt2(); -void des_encrypt3(); -void des_decrypt3(); -void des_ede3_cbc_encrypt(); -int des_enc_read(); -int des_enc_write(); -char *des_fcrypt(); -#ifdef PERL5 -char *des_crypt(); -#else -char *crypt(); -#endif -void des_ofb_encrypt(); -void des_pcbc_encrypt(); -DES_LONG des_quad_cksum(); -void des_random_seed(); -void des_random_key(); -int des_read_password(); -int des_read_2passwords(); -int des_read_pw_string(); -void des_set_odd_parity(); -int des_is_weak_key(); -int des_set_key(); -int des_key_sched(); -void des_string_to_key(); -void des_string_to_2keys(); -void des_cfb64_encrypt(); -void des_ofb64_encrypt(); - -/* Extra functions from Mark Murray */ -void des_cblock_print_file(); -/* The following functions are not in the normal unix build or the - * SSLeay build. When using the SSLeay build, use RAND_seed() - * and RAND_bytes() instead. */ -#ifdef FreeBSD -int des_new_random_key(); -void des_init_random_number_generator(); -void des_set_random_generator_seed(); -void des_set_sequence_number(); -void des_generate_random_block(); -#endif - -#endif - -#ifdef __cplusplus -} -#endif - -#endif 
diff --git a/crypto/heimdal-0.6.3/lib/des/des.pl b/crypto/heimdal-0.6.3/lib/des/des.pl
deleted file mode 100644
index 449c782534..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/des.pl
+++ /dev/null
@@ -1,552 +0,0 @@ -#!/usr/local/bin/perl -# des.pl - eric young 22/11/1991 eay@mincom.oz.au or eay@psych.psy.uq.oz.au -# -# Copyright (C) 1993 Eric Young -# -# 11 April 1996 - patched to circumvent Perl 5 (through 5.002) problem -# with sign-extension on right shift operations. -# Ed Kubaitis - ejk@uiuc.edu -# -# eay - 92/08/31 - I think I have fixed all problems for 64bit -# versions of perl but I could be wrong since I have not tested it yet :-). -# -# This is an implementation of DES in perl. -# The two routines (des_set_key and des_ecb_encrypt) -# take 8 byte objects as arguments. -# -# des_set_key takes an 8 byte string as a key and returns a key schedule -# for use in calls to des_ecb_encrypt. -# des_ecb_encrypt takes three arguments, the first is a key schedule -# (make sure to pass it by reference with the *), the second is 1 -# to encrypt, 0 to decrypt. The third argument is an 8 byte object -# to encrypt. The function returns an 8 byte object that has been -# DES encrypted. -# -# example: -# require 'des.pl' -# -# $key =pack("C8",0x12,0x23,0x45,0x67,0x89,0xab,0xcd,0xef); -# @ks= &des_set_key($key); -# -# $outbytes= &des_ecb_encrypt(*ks,1,$data); -# @enc =unpack("C8",$outbytes); -# - -package des; - -eval("usr integer;") if (int($]) > 4); - -# The following 8 arrays are used in des_set_key -@skb0=( -# for C bits (numbered as per FIPS 46) 1 2 3 4 5 6 -0x00000000,0x00000010,0x20000000,0x20000010, -0x00010000,0x00010010,0x20010000,0x20010010, -0x00000800,0x00000810,0x20000800,0x20000810, -0x00010800,0x00010810,0x20010800,0x20010810, -0x00000020,0x00000030,0x20000020,0x20000030, -0x00010020,0x00010030,0x20010020,0x20010030, -0x00000820,0x00000830,0x20000820,0x20000830, -0x00010820,0x00010830,0x20010820,0x20010830, -0x00080000,0x00080010,0x20080000,0x20080010, -0x00090000,0x00090010,0x20090000,0x20090010, -0x00080800,0x00080810,0x20080800,0x20080810, -0x00090800,0x00090810,0x20090800,0x20090810, -0x00080020,0x00080030,0x20080020,0x20080030, 
-0x00090020,0x00090030,0x20090020,0x20090030, -0x00080820,0x00080830,0x20080820,0x20080830, -0x00090820,0x00090830,0x20090820,0x20090830, -); -@skb1=( -# for C bits (numbered as per FIPS 46) 7 8 10 11 12 13 -0x00000000,0x02000000,0x00002000,0x02002000, -0x00200000,0x02200000,0x00202000,0x02202000, -0x00000004,0x02000004,0x00002004,0x02002004, -0x00200004,0x02200004,0x00202004,0x02202004, -0x00000400,0x02000400,0x00002400,0x02002400, -0x00200400,0x02200400,0x00202400,0x02202400, -0x00000404,0x02000404,0x00002404,0x02002404, -0x00200404,0x02200404,0x00202404,0x02202404, -0x10000000,0x12000000,0x10002000,0x12002000, -0x10200000,0x12200000,0x10202000,0x12202000, -0x10000004,0x12000004,0x10002004,0x12002004, -0x10200004,0x12200004,0x10202004,0x12202004, -0x10000400,0x12000400,0x10002400,0x12002400, -0x10200400,0x12200400,0x10202400,0x12202400, -0x10000404,0x12000404,0x10002404,0x12002404, -0x10200404,0x12200404,0x10202404,0x12202404, -); -@skb2=( -# for C bits (numbered as per FIPS 46) 14 15 16 17 19 20 -0x00000000,0x00000001,0x00040000,0x00040001, -0x01000000,0x01000001,0x01040000,0x01040001, -0x00000002,0x00000003,0x00040002,0x00040003, -0x01000002,0x01000003,0x01040002,0x01040003, -0x00000200,0x00000201,0x00040200,0x00040201, -0x01000200,0x01000201,0x01040200,0x01040201, -0x00000202,0x00000203,0x00040202,0x00040203, -0x01000202,0x01000203,0x01040202,0x01040203, -0x08000000,0x08000001,0x08040000,0x08040001, -0x09000000,0x09000001,0x09040000,0x09040001, -0x08000002,0x08000003,0x08040002,0x08040003, -0x09000002,0x09000003,0x09040002,0x09040003, -0x08000200,0x08000201,0x08040200,0x08040201, -0x09000200,0x09000201,0x09040200,0x09040201, -0x08000202,0x08000203,0x08040202,0x08040203, -0x09000202,0x09000203,0x09040202,0x09040203, -); -@skb3=( -# for C bits (numbered as per FIPS 46) 21 23 24 26 27 28 -0x00000000,0x00100000,0x00000100,0x00100100, -0x00000008,0x00100008,0x00000108,0x00100108, -0x00001000,0x00101000,0x00001100,0x00101100, 
-0x00001008,0x00101008,0x00001108,0x00101108, -0x04000000,0x04100000,0x04000100,0x04100100, -0x04000008,0x04100008,0x04000108,0x04100108, -0x04001000,0x04101000,0x04001100,0x04101100, -0x04001008,0x04101008,0x04001108,0x04101108, -0x00020000,0x00120000,0x00020100,0x00120100, -0x00020008,0x00120008,0x00020108,0x00120108, -0x00021000,0x00121000,0x00021100,0x00121100, -0x00021008,0x00121008,0x00021108,0x00121108, -0x04020000,0x04120000,0x04020100,0x04120100, -0x04020008,0x04120008,0x04020108,0x04120108, -0x04021000,0x04121000,0x04021100,0x04121100, -0x04021008,0x04121008,0x04021108,0x04121108, -); -@skb4=( -# for D bits (numbered as per FIPS 46) 1 2 3 4 5 6 -0x00000000,0x10000000,0x00010000,0x10010000, -0x00000004,0x10000004,0x00010004,0x10010004, -0x20000000,0x30000000,0x20010000,0x30010000, -0x20000004,0x30000004,0x20010004,0x30010004, -0x00100000,0x10100000,0x00110000,0x10110000, -0x00100004,0x10100004,0x00110004,0x10110004, -0x20100000,0x30100000,0x20110000,0x30110000, -0x20100004,0x30100004,0x20110004,0x30110004, -0x00001000,0x10001000,0x00011000,0x10011000, -0x00001004,0x10001004,0x00011004,0x10011004, -0x20001000,0x30001000,0x20011000,0x30011000, -0x20001004,0x30001004,0x20011004,0x30011004, -0x00101000,0x10101000,0x00111000,0x10111000, -0x00101004,0x10101004,0x00111004,0x10111004, -0x20101000,0x30101000,0x20111000,0x30111000, -0x20101004,0x30101004,0x20111004,0x30111004, -); -@skb5=( -# for D bits (numbered as per FIPS 46) 8 9 11 12 13 14 -0x00000000,0x08000000,0x00000008,0x08000008, -0x00000400,0x08000400,0x00000408,0x08000408, -0x00020000,0x08020000,0x00020008,0x08020008, -0x00020400,0x08020400,0x00020408,0x08020408, -0x00000001,0x08000001,0x00000009,0x08000009, -0x00000401,0x08000401,0x00000409,0x08000409, -0x00020001,0x08020001,0x00020009,0x08020009, -0x00020401,0x08020401,0x00020409,0x08020409, -0x02000000,0x0A000000,0x02000008,0x0A000008, -0x02000400,0x0A000400,0x02000408,0x0A000408, -0x02020000,0x0A020000,0x02020008,0x0A020008, 
-0x02020400,0x0A020400,0x02020408,0x0A020408, -0x02000001,0x0A000001,0x02000009,0x0A000009, -0x02000401,0x0A000401,0x02000409,0x0A000409, -0x02020001,0x0A020001,0x02020009,0x0A020009, -0x02020401,0x0A020401,0x02020409,0x0A020409, -); -@skb6=( -# for D bits (numbered as per FIPS 46) 16 17 18 19 20 21 -0x00000000,0x00000100,0x00080000,0x00080100, -0x01000000,0x01000100,0x01080000,0x01080100, -0x00000010,0x00000110,0x00080010,0x00080110, -0x01000010,0x01000110,0x01080010,0x01080110, -0x00200000,0x00200100,0x00280000,0x00280100, -0x01200000,0x01200100,0x01280000,0x01280100, -0x00200010,0x00200110,0x00280010,0x00280110, -0x01200010,0x01200110,0x01280010,0x01280110, -0x00000200,0x00000300,0x00080200,0x00080300, -0x01000200,0x01000300,0x01080200,0x01080300, -0x00000210,0x00000310,0x00080210,0x00080310, -0x01000210,0x01000310,0x01080210,0x01080310, -0x00200200,0x00200300,0x00280200,0x00280300, -0x01200200,0x01200300,0x01280200,0x01280300, -0x00200210,0x00200310,0x00280210,0x00280310, -0x01200210,0x01200310,0x01280210,0x01280310, -); -@skb7=( -# for D bits (numbered as per FIPS 46) 22 23 24 25 27 28 -0x00000000,0x04000000,0x00040000,0x04040000, -0x00000002,0x04000002,0x00040002,0x04040002, -0x00002000,0x04002000,0x00042000,0x04042000, -0x00002002,0x04002002,0x00042002,0x04042002, -0x00000020,0x04000020,0x00040020,0x04040020, -0x00000022,0x04000022,0x00040022,0x04040022, -0x00002020,0x04002020,0x00042020,0x04042020, -0x00002022,0x04002022,0x00042022,0x04042022, -0x00000800,0x04000800,0x00040800,0x04040800, -0x00000802,0x04000802,0x00040802,0x04040802, -0x00002800,0x04002800,0x00042800,0x04042800, -0x00002802,0x04002802,0x00042802,0x04042802, -0x00000820,0x04000820,0x00040820,0x04040820, -0x00000822,0x04000822,0x00040822,0x04040822, -0x00002820,0x04002820,0x00042820,0x04042820, -0x00002822,0x04002822,0x00042822,0x04042822, -); - -@shifts2=(0,0,1,1,1,1,1,1,0,1,1,1,1,1,1,0); - -# used in ecb_encrypt -@SP0=( -0x00410100, 0x00010000, 0x40400000, 0x40410100, -0x00400000, 
0x40010100, 0x40010000, 0x40400000, -0x40010100, 0x00410100, 0x00410000, 0x40000100, -0x40400100, 0x00400000, 0x00000000, 0x40010000, -0x00010000, 0x40000000, 0x00400100, 0x00010100, -0x40410100, 0x00410000, 0x40000100, 0x00400100, -0x40000000, 0x00000100, 0x00010100, 0x40410000, -0x00000100, 0x40400100, 0x40410000, 0x00000000, -0x00000000, 0x40410100, 0x00400100, 0x40010000, -0x00410100, 0x00010000, 0x40000100, 0x00400100, -0x40410000, 0x00000100, 0x00010100, 0x40400000, -0x40010100, 0x40000000, 0x40400000, 0x00410000, -0x40410100, 0x00010100, 0x00410000, 0x40400100, -0x00400000, 0x40000100, 0x40010000, 0x00000000, -0x00010000, 0x00400000, 0x40400100, 0x00410100, -0x40000000, 0x40410000, 0x00000100, 0x40010100, -); -@SP1=( -0x08021002, 0x00000000, 0x00021000, 0x08020000, -0x08000002, 0x00001002, 0x08001000, 0x00021000, -0x00001000, 0x08020002, 0x00000002, 0x08001000, -0x00020002, 0x08021000, 0x08020000, 0x00000002, -0x00020000, 0x08001002, 0x08020002, 0x00001000, -0x00021002, 0x08000000, 0x00000000, 0x00020002, -0x08001002, 0x00021002, 0x08021000, 0x08000002, -0x08000000, 0x00020000, 0x00001002, 0x08021002, -0x00020002, 0x08021000, 0x08001000, 0x00021002, -0x08021002, 0x00020002, 0x08000002, 0x00000000, -0x08000000, 0x00001002, 0x00020000, 0x08020002, -0x00001000, 0x08000000, 0x00021002, 0x08001002, -0x08021000, 0x00001000, 0x00000000, 0x08000002, -0x00000002, 0x08021002, 0x00021000, 0x08020000, -0x08020002, 0x00020000, 0x00001002, 0x08001000, -0x08001002, 0x00000002, 0x08020000, 0x00021000, -); -@SP2=( -0x20800000, 0x00808020, 0x00000020, 0x20800020, -0x20008000, 0x00800000, 0x20800020, 0x00008020, -0x00800020, 0x00008000, 0x00808000, 0x20000000, -0x20808020, 0x20000020, 0x20000000, 0x20808000, -0x00000000, 0x20008000, 0x00808020, 0x00000020, -0x20000020, 0x20808020, 0x00008000, 0x20800000, -0x20808000, 0x00800020, 0x20008020, 0x00808000, -0x00008020, 0x00000000, 0x00800000, 0x20008020, -0x00808020, 0x00000020, 0x20000000, 0x00008000, -0x20000020, 0x20008000, 
0x00808000, 0x20800020, -0x00000000, 0x00808020, 0x00008020, 0x20808000, -0x20008000, 0x00800000, 0x20808020, 0x20000000, -0x20008020, 0x20800000, 0x00800000, 0x20808020, -0x00008000, 0x00800020, 0x20800020, 0x00008020, -0x00800020, 0x00000000, 0x20808000, 0x20000020, -0x20800000, 0x20008020, 0x00000020, 0x00808000, -); -@SP3=( -0x00080201, 0x02000200, 0x00000001, 0x02080201, -0x00000000, 0x02080000, 0x02000201, 0x00080001, -0x02080200, 0x02000001, 0x02000000, 0x00000201, -0x02000001, 0x00080201, 0x00080000, 0x02000000, -0x02080001, 0x00080200, 0x00000200, 0x00000001, -0x00080200, 0x02000201, 0x02080000, 0x00000200, -0x00000201, 0x00000000, 0x00080001, 0x02080200, -0x02000200, 0x02080001, 0x02080201, 0x00080000, -0x02080001, 0x00000201, 0x00080000, 0x02000001, -0x00080200, 0x02000200, 0x00000001, 0x02080000, -0x02000201, 0x00000000, 0x00000200, 0x00080001, -0x00000000, 0x02080001, 0x02080200, 0x00000200, -0x02000000, 0x02080201, 0x00080201, 0x00080000, -0x02080201, 0x00000001, 0x02000200, 0x00080201, -0x00080001, 0x00080200, 0x02080000, 0x02000201, -0x00000201, 0x02000000, 0x02000001, 0x02080200, -); -@SP4=( -0x01000000, 0x00002000, 0x00000080, 0x01002084, -0x01002004, 0x01000080, 0x00002084, 0x01002000, -0x00002000, 0x00000004, 0x01000004, 0x00002080, -0x01000084, 0x01002004, 0x01002080, 0x00000000, -0x00002080, 0x01000000, 0x00002004, 0x00000084, -0x01000080, 0x00002084, 0x00000000, 0x01000004, -0x00000004, 0x01000084, 0x01002084, 0x00002004, -0x01002000, 0x00000080, 0x00000084, 0x01002080, -0x01002080, 0x01000084, 0x00002004, 0x01002000, -0x00002000, 0x00000004, 0x01000004, 0x01000080, -0x01000000, 0x00002080, 0x01002084, 0x00000000, -0x00002084, 0x01000000, 0x00000080, 0x00002004, -0x01000084, 0x00000080, 0x00000000, 0x01002084, -0x01002004, 0x01002080, 0x00000084, 0x00002000, -0x00002080, 0x01002004, 0x01000080, 0x00000084, -0x00000004, 0x00002084, 0x01002000, 0x01000004, -); -@SP5=( -0x10000008, 0x00040008, 0x00000000, 0x10040400, -0x00040008, 0x00000400, 
0x10000408, 0x00040000, -0x00000408, 0x10040408, 0x00040400, 0x10000000, -0x10000400, 0x10000008, 0x10040000, 0x00040408, -0x00040000, 0x10000408, 0x10040008, 0x00000000, -0x00000400, 0x00000008, 0x10040400, 0x10040008, -0x10040408, 0x10040000, 0x10000000, 0x00000408, -0x00000008, 0x00040400, 0x00040408, 0x10000400, -0x00000408, 0x10000000, 0x10000400, 0x00040408, -0x10040400, 0x00040008, 0x00000000, 0x10000400, -0x10000000, 0x00000400, 0x10040008, 0x00040000, -0x00040008, 0x10040408, 0x00040400, 0x00000008, -0x10040408, 0x00040400, 0x00040000, 0x10000408, -0x10000008, 0x10040000, 0x00040408, 0x00000000, -0x00000400, 0x10000008, 0x10000408, 0x10040400, -0x10040000, 0x00000408, 0x00000008, 0x10040008, -); -@SP6=( -0x00000800, 0x00000040, 0x00200040, 0x80200000, -0x80200840, 0x80000800, 0x00000840, 0x00000000, -0x00200000, 0x80200040, 0x80000040, 0x00200800, -0x80000000, 0x00200840, 0x00200800, 0x80000040, -0x80200040, 0x00000800, 0x80000800, 0x80200840, -0x00000000, 0x00200040, 0x80200000, 0x00000840, -0x80200800, 0x80000840, 0x00200840, 0x80000000, -0x80000840, 0x80200800, 0x00000040, 0x00200000, -0x80000840, 0x00200800, 0x80200800, 0x80000040, -0x00000800, 0x00000040, 0x00200000, 0x80200800, -0x80200040, 0x80000840, 0x00000840, 0x00000000, -0x00000040, 0x80200000, 0x80000000, 0x00200040, -0x00000000, 0x80200040, 0x00200040, 0x00000840, -0x80000040, 0x00000800, 0x80200840, 0x00200000, -0x00200840, 0x80000000, 0x80000800, 0x80200840, -0x80200000, 0x00200840, 0x00200800, 0x80000800, -); -@SP7=( -0x04100010, 0x04104000, 0x00004010, 0x00000000, -0x04004000, 0x00100010, 0x04100000, 0x04104010, -0x00000010, 0x04000000, 0x00104000, 0x00004010, -0x00104010, 0x04004010, 0x04000010, 0x04100000, -0x00004000, 0x00104010, 0x00100010, 0x04004000, -0x04104010, 0x04000010, 0x00000000, 0x00104000, -0x04000000, 0x00100000, 0x04004010, 0x04100010, -0x00100000, 0x00004000, 0x04104000, 0x00000010, -0x00100000, 0x00004000, 0x04000010, 0x04104010, -0x00004010, 0x04000000, 0x00000000, 
0x00104000, -0x04100010, 0x04004010, 0x04004000, 0x00100010, -0x04104000, 0x00000010, 0x00100010, 0x04004000, -0x04104010, 0x00100000, 0x04100000, 0x04000010, -0x00104000, 0x00004010, 0x04004010, 0x04100000, -0x00000010, 0x04104000, 0x00104010, 0x00000000, -0x04000000, 0x04100010, 0x00004000, 0x00104010, -); - -sub main'des_set_key - { - local($param)=@_; - local(@key); - local($c,$d,$i,$s,$t); - local(@ks)=(); - - # Get the bytes in the order we want. - @key=unpack("C8",$param); - - $c= ($key[0] )| - ($key[1]<< 8)| - ($key[2]<<16)| - ($key[3]<<24); - $d= ($key[4] )| - ($key[5]<< 8)| - ($key[6]<<16)| - ($key[7]<<24); - - &doPC1(*c,*d); - - for $i (@shifts2) - { - if ($i) - { - $c=($c>>2)|($c<<26); - $d=($d>>2)|($d<<26); - } - else - { - $c=($c>>1)|($c<<27); - $d=($d>>1)|($d<<27); - } - $c&=0x0fffffff; - $d&=0x0fffffff; - $s= $skb0[ ($c )&0x3f ]| - $skb1[(($c>> 6)&0x03)|(($c>> 7)&0x3c)]| - $skb2[(($c>>13)&0x0f)|(($c>>14)&0x30)]| - $skb3[(($c>>20)&0x01)|(($c>>21)&0x06) | - (($c>>22)&0x38)]; - $t= $skb4[ ($d )&0x3f ]| - $skb5[(($d>> 7)&0x03)|(($d>> 8)&0x3c)]| - $skb6[ ($d>>15)&0x3f ]| - $skb7[(($d>>21)&0x0f)|(($d>>22)&0x30)]; - push(@ks,(($t<<16)|($s&0x0000ffff))&0xffffffff); - $s= (($s>>16)&0x0000ffff)|($t&0xffff0000) ; - push(@ks,(($s<<4)|(($s>>28)&0xf))&0xffffffff); - } - @ks; - } - -sub doPC1 - { - local(*a,*b)=@_; - local($t); - - $t=(($b>>4)^$a)&0x0f0f0f0f; - $b^=($t<<4); $a^=$t; - # do $a first - $t=(($a<<18)^$a)&0xcccc0000; - $a=$a^$t^(($t>>18)&0x00003fff); - $t=(($a<<17)^$a)&0xaaaa0000; - $a=$a^$t^(($t>>17)&0x00007fff); - $t=(($a<< 8)^$a)&0x00ff0000; - $a=$a^$t^(($t>> 8)&0x00ffffff); - $t=(($a<<17)^$a)&0xaaaa0000; - $a=$a^$t^(($t>>17)&0x00007fff); - - # now do $b - $t=(($b<<24)^$b)&0xff000000; - $b=$b^$t^(($t>>24)&0x000000ff); - $t=(($b<< 8)^$b)&0x00ff0000; - $b=$b^$t^(($t>> 8)&0x00ffffff); - $t=(($b<<14)^$b)&0x33330000; - $b=$b^$t^(($t>>14)&0x0003ffff); - $b=(($b&0x00aa00aa)<<7)|(($b&0x55005500)>>7)|($b&0xaa55aa55); - 
$b=(($b>>8)&0x00ffffff)|((($a&0xf0000000)>>4)&0x0fffffff); - $a&=0x0fffffff; - } - -sub doIP - { - local(*a,*b)=@_; - local($t); - - $t=(($b>> 4)^$a)&0x0f0f0f0f; - $b^=($t<< 4); $a^=$t; - $t=(($a>>16)^$b)&0x0000ffff; - $a^=($t<<16); $b^=$t; - $t=(($b>> 2)^$a)&0x33333333; - $b^=($t<< 2); $a^=$t; - $t=(($a>> 8)^$b)&0x00ff00ff; - $a^=($t<< 8); $b^=$t; - $t=(($b>> 1)^$a)&0x55555555; - $b^=($t<< 1); $a^=$t; - $t=$a; - $a=$b&0xffffffff; - $b=$t&0xffffffff; - } - -sub doFP - { - local(*a,*b)=@_; - local($t); - - $t=(($b>> 1)^$a)&0x55555555; - $b^=($t<< 1); $a^=$t; - $t=(($a>> 8)^$b)&0x00ff00ff; - $a^=($t<< 8); $b^=$t; - $t=(($b>> 2)^$a)&0x33333333; - $b^=($t<< 2); $a^=$t; - $t=(($a>>16)^$b)&0x0000ffff; - $a^=($t<<16); $b^=$t; - $t=(($b>> 4)^$a)&0x0f0f0f0f; - $b^=($t<< 4); $a^=$t; - $a&=0xffffffff; - $b&=0xffffffff; - } - -sub main'des_ecb_encrypt - { - local(*ks,$encrypt,$in)=@_; - local($l,$r,$i,$t,$u,@input); - - @input=unpack("C8",$in); - # Get the bytes in the order we want. - $l= ($input[0] )| - ($input[1]<< 8)| - ($input[2]<<16)| - ($input[3]<<24); - $r= ($input[4] )| - ($input[5]<< 8)| - ($input[6]<<16)| - ($input[7]<<24); - - $l&=0xffffffff; - $r&=0xffffffff; - &doIP(*l,*r); - if ($encrypt) - { - for ($i=0; $i<32; $i+=4) - { - $t=((($r&0x7fffffff)<<1)|(($r>>31)&0x00000001)); - $u=$t^$ks[$i ]; - $t=$t^$ks[$i+1]; - $t2=(($t&0x0000000f)<<28); - - $t=((($t>>4)&0x0fffffff)|(($t&0x0000000f)<<28)); - $l^= $SP1[ $t &0x3f]| - $SP3[($t>> 8)&0x3f]| - $SP5[($t>>16)&0x3f]| - $SP7[($t>>24)&0x3f]| - $SP0[ $u &0x3f]| - $SP2[($u>> 8)&0x3f]| - $SP4[($u>>16)&0x3f]| - $SP6[($u>>24)&0x3f]; - - $t=(($l<<1)|(($l>>31)&0x1))&0xffffffff; - $u=$t^$ks[$i+2]; - $t=$t^$ks[$i+3]; - $t=((($t>>4)&0x0fffffff)|($t<<28))&0xffffffff; - $r^= $SP1[ $t &0x3f]| - $SP3[($t>> 8)&0x3f]| - $SP5[($t>>16)&0x3f]| - $SP7[($t>>24)&0x3f]| - $SP0[ $u &0x3f]| - $SP2[($u>> 8)&0x3f]| - $SP4[($u>>16)&0x3f]| - $SP6[($u>>24)&0x3f]; - } - } - else - { - for ($i=30; $i>0; $i-=4) - { - 
$t=(($r<<1)|(($r>>31)&0x1))&0xffffffff; - $u=$t^$ks[$i ]; - $t=$t^$ks[$i+1]; - $t=((($t>>4)&0x0fffffff)|($t<<28))&0xffffffff; - $l^= $SP1[ $t &0x3f]| - $SP3[($t>> 8)&0x3f]| - $SP5[($t>>16)&0x3f]| - $SP7[($t>>24)&0x3f]| - $SP0[ $u &0x3f]| - $SP2[($u>> 8)&0x3f]| - $SP4[($u>>16)&0x3f]| - $SP6[($u>>24)&0x3f]; - - $t=(($l<<1)|(($l>>31)&0x1))&0xffffffff; - $u=$t^$ks[$i-2]; - $t=$t^$ks[$i-1]; - $t=((($t>>4)&0x0fffffff)|($t<<28))&0xffffffff; - $r^= $SP1[ $t &0x3f]| - $SP3[($t>> 8)&0x3f]| - $SP5[($t>>16)&0x3f]| - $SP7[($t>>24)&0x3f]| - $SP0[ $u &0x3f]| - $SP2[($u>> 8)&0x3f]| - $SP4[($u>>16)&0x3f]| - $SP6[($u>>24)&0x3f]; - } - } - &doFP(*l,*r); - pack("C8",$l&0xff, - ($l>> 8)&0x00ffffff, - ($l>>16)&0x0000ffff, - ($l>>24)&0x000000ff, - $r&0xff, - ($r>> 8)&0x00ffffff, - ($r>>16)&0x0000ffff, - ($r>>24)&0x000000ff); - } diff --git a/crypto/heimdal-0.6.3/lib/des/des_crypt.3 b/crypto/heimdal-0.6.3/lib/des/des_crypt.3 deleted file mode 100644 index f3955e2350..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/des_crypt.3 +++ /dev/null 
@@ -1,379 +0,0 @@ -.\" $Id: des_crypt.3,v 1.2 1996/06/12 21:29:09 bg Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file . -.\" -.TH DES_CRYPT 3 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -des_read_password, des_string_to_key, des_random_key, des_set_key, -des_ecb_encrypt, des_cbc_encrypt, des_pcbc_encrypt, des_cbc_cksum, -des_quad_cksum, \- (new) DES encryption -.SH SYNOPSIS -.nf -.nj -.ft B -#include -.PP -.ft B -.B int des_read_password(key,prompt,verify) -des_cblock *key; -char *prompt; -int verify; -.PP -.ft B -int des_string_to_key(str,key) -char *str; -des_cblock key; -.PP -.ft B -int des_random_key(key) -des_cblock *key; -.PP -.ft B -int des_set_key(key,schedule) -des_cblock *key; -des_key_schedule schedule; -.PP -.ft B -int des_ecb_encrypt(input,output,schedule,encrypt) -des_cblock *input; -des_cblock *output; -des_key_schedule schedule; -int encrypt; -.PP -.ft B -int des_cbc_encrypt(input,output,length,schedule,ivec,encrypt) -des_cblock *input; -des_cblock *output; -long length; -des_key_schedule schedule; -des_cblock *ivec; -int encrypt; -.PP -.ft B -int des_pcbc_encrypt(input,output,length,schedule,ivec,encrypt) -des_cblock *input; -des_cblock *output; -long length; -des_key_schedule schedule; -des_cblock *ivec; -int encrypt; -.PP -.ft B -unsigned long des_cbc_cksum(input,output,length,schedule,ivec) -des_cblock *input; -des_cblock *output; -long length; -des_key_schedule schedule; -des_cblock *ivec; -.PP -.ft B -unsigned long quad_cksum(input,output,length,out_count,seed) -des_cblock *input; -des_cblock *output; -long length; -int out_count; -des_cblock *seed; -.PP -.fi -.SH DESCRIPTION -This library supports various DES encryption related operations. It differs -from the -.I crypt, setkey, and encrypt -library routines in that it provides -a true DES encryption, without modifying the algorithm, -and executes much faster. 
-.PP -For each key that may be simultaneously active, create a -.B des_key_schedule -struct, -defined in "des.h". Next, create key schedules (from the 8-byte keys) as -needed, via -.I des_set_key, -prior to using the encryption or checksum routines. Then -setup the input and output areas. Make sure to note the restrictions -on lengths being multiples of eight bytes. Finally, invoke the -encryption/decryption routines, -.I des_ecb_encrypt -or -.I des_cbc_encrypt -or -.I des_pcbc_encrypt, -or, to generate a cryptographic checksum, use -.I quad_cksum -(fast) or -.I des_cbc_cksum -(slow). -.PP -A -.I des_cblock -struct is an 8 byte block used as the fundamental unit for DES data and -keys, and is defined as: -.PP -.B typedef unsigned char des_cblock[8]; -.PP -and a -.I des_key_schedule, -is defined as: -.PP -.B typedef struct des_ks_struct {des_cblock _;} des_key_schedule[16]; -.PP -.I des_read_password -writes the string specified by -.I prompt -to the standard -output, turns off echo (if possible) -and reads an input string from standard input until terminated with a newline. -If -.I verify -is non-zero, it prompts and reads input again, for use -in applications such as changing a password; both -versions are compared, and the input is requested repeatedly until they -match. Then -.I des_read_password -converts the input string into a valid DES key, internally -using the -.I des_string_to_key -routine. The newly created key is copied to the -area pointed to by the -.I key -argument. -.I des_read_password -returns a zero if no errors occurred, or a -1 -indicating that an error -occurred trying to manipulate the terminal echo. -.PP -.PP -.I des_string_to_key -converts an arbitrary length null-terminated string -to an 8 byte DES key, with odd byte parity, per FIPS specification. -A one-way function is used to convert the string to a key, making it -very difficult to reconstruct the string from the key. 
-The -.I str -argument is a pointer to the string, and -.I key -should -point to a -.I des_cblock -supplied by the caller to receive the generated key. -No meaningful value is returned. Void is not used for compatibility with -other compilers. -.PP -.PP -.I des_random_key -generates a random DES encryption key (eight bytes), set to odd parity per -FIPS -specifications. -This routine uses the current time, process id, and a counter -as a seed for the random number generator. -The caller must supply space for the output key, pointed to -by argument -.I key, -then after calling -.I des_random_key -should -call the -.I des_set_key -routine when needed. -No meaningful value is returned. Void is not used for compatibility -with other compilers. -.PP -.PP -.I des_set_key -calculates a key schedule from all eight bytes of the input key, pointed -to by the -.I key -argument, and outputs the schedule into the -.I des_key_schedule -indicated by the -.I schedule -argument. Make sure to pass a valid eight byte -key; no padding is done. The key schedule may then be used in subsequent -encryption/decryption/checksum operations. Many key schedules may be -cached for later use. The user is responsible to clear keys and schedules -as soon as no longer needed, to prevent their disclosure. -The routine also checks the key -parity, and returns a zero if the key parity is correct (odd), a -1 -indicating a key parity error, or a -2 indicating use of an illegal -weak key. If an error is returned, the key schedule was not created. -.PP -.PP -.I des_ecb_encrypt -is the basic DES encryption routine that encrypts or decrypts a single 8-byte -block in -.B electronic code book -mode. It always transforms the input data, pointed to by -.I input, -into the output data, pointed to by the -.I output -argument. 
-.PP -If the -.I encrypt -argument is non-zero, the -.I input -(cleartext) is encrypted into the -.I output -(ciphertext) using the key_schedule specified by the -.I schedule -argument, previously set via -.I des_set_key -.PP -If encrypt is zero, the -.I input -(now ciphertext) is decrypted into the -.I output -(now cleartext). -.PP -Input and output may overlap. -.PP -No meaningful value is returned. Void is not used for compatibility -with other compilers. -.PP -.PP -.I des_cbc_encrypt -encrypts/decrypts using the -.B cipher-block-chaining mode of DES. -If the -.I encrypt -argument is non-zero, the routine cipher-block-chain encrypts -the cleartext data pointed to by the -.I input -argument into the ciphertext pointed to by the -.I output -argument, using the key schedule provided by the -.I schedule -argument, and initialization vector provided by the -.I ivec -argument. -If the -.I length -argument is not an integral -multiple of eight bytes, the last block is copied to a temp and zero -filled (highest addresses). The output is ALWAYS an integral multiple -of eight bytes. -.PP -If -.I encrypt -is zero, the routine cipher-block chain decrypts the (now) ciphertext -data pointed to by the -.I input -argument into (now) cleartext pointed to by the -.I output -argument using the key schedule provided by the -.I schedule -argument, and initialization vector provided by the -.I ivec -argument. Decryption ALWAYS operates on integral -multiples of 8 bytes, so it will round the -.I length -provided up to the -appropriate multiple. Consequently, it will always produce the rounded-up -number of bytes of output cleartext. The application must determine if -the output cleartext was zero-padded due to original cleartext lengths that -were not integral multiples of 8. -.PP -No errors or meaningful values are returned. Void is not used for -compatibility with other compilers. 
-.PP -A characteristic of cbc mode is that changing a single bit of the -cleartext, then encrypting using cbc mode, -affects ALL the subsequent ciphertext. This makes cryptanalysis -much more difficult. However, modifying a single bit of the ciphertext, -then decrypting, only affects the resulting cleartext from -the modified block and the succeeding block. Therefore, -.I des_pcbc_encrypt -is STRONGLY recommended for applications where -indefinite propagation of errors is required in order to detect modifications. -.PP -.PP -.I des_pcbc_encrypt -encrypts/decrypts using a modified block chaining mode. Its calling -sequence is identical to -.I des_cbc_encrypt. -It differs in its error propagation characteristics. -.PP -.I des_pcbc_encrypt -is highly recommended for most encryption purposes, in that -modification of a single bit of the ciphertext will affect ALL the -subsequent (decrypted) cleartext. Similarly, modifying a single bit of -the cleartext will affect ALL the subsequent (encrypted) ciphertext. -"PCBC" mode, on encryption, "xors" both the -cleartext of block N and the ciphertext resulting from block N with the -cleartext for block N+1 prior to encrypting block N+1. -.PP -.I des_cbc_cksum -produces an 8 byte cryptographic checksum by cipher-block-chain -encrypting the cleartext data pointed to by the -.I input -argument. All of the ciphertext output is discarded, except the -last 8-byte ciphertext block, which is written into the area pointed to by -the -.I output -argument. -It uses the key schedule, -provided by the -.I schedule -argument and initialization vector provided by the -.I ivec -argument. -If the -.I length -argument is not an integral -multiple of eight bytes, the last cleartext block is copied to a temp and zero -filled (highest addresses). The output is ALWAYS eight bytes. -.PP -The routine also returns an unsigned long, which is the last (highest address) -half of the 8 byte checksum computed. 
-.PP -.PP -.I quad_cksum -produces a checksum by chaining quadratic operations on the cleartext data -pointed to by the -.I input -argument. The -.I length -argument specifies the length of the -input -- only exactly that many bytes are included for the checksum, -without any padding. -.PP -The algorithm may be iterated over the same input data, if the -.I out_count -argument is 2, 3 or 4, and the optional -.I output -argument is a non-null pointer . -The default is one iteration, and it will not run -more than 4 times. Multiple iterations run slower, but provide -a longer checksum if desired. The -.I seed -argument provides an 8-byte seed for the first iteration. If multiple iterations are -requested, the results of one iteration are automatically used as -the seed for the next iteration. -.PP -It returns both an unsigned long checksum value, and -if the -.I output -argument is not a null pointer, up to 16 bytes of -the computed checksum are written into the output. -.PP -.PP -.SH FILES -/usr/include/des.h -.br -/usr/lib/libdes.a -.SH "SEE ALSO" -.SH DIAGNOSTICS -.SH BUGS -This software has not yet been compiled or tested on machines other than the -VAX and the IBM PC. -.SH AUTHORS -Steve Miller, MIT Project Athena/Digital Equipment Corporation -.SH RESTRICTIONS -COPYRIGHT 1985,1986 Massachusetts Institute of Technology -.PP -This software may not be exported outside of the US without a special -license from the US Dept of Commerce. It may be replaced by any secret -key block cipher with block length and key length of 8 bytes, as long -as the interface is the same as described here. diff --git a/crypto/heimdal-0.6.3/lib/des/des_crypt.cat3 b/crypto/heimdal-0.6.3/lib/des/des_crypt.cat3 deleted file mode 100644 index f7370a3af5..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/des_crypt.cat3 +++ /dev/null 
@@ -1,264 +0,0 @@ - - - -DES_CRYPT(3) DES_CRYPT(3) - - - -NAME - des_read_password, des_string_to_key, des_random_key, des_set_key, - des_ecb_encrypt, des_cbc_encrypt, des_pcbc_encrypt, des_cbc_cksum, - des_quad_cksum, - (new) DES encryption - -SYNOPSIS - ##iinncclluuddee <> - - iinntt ddeess__rreeaadd__ppaasssswwoorrdd((kkeeyy,,pprroommpptt,,vveerriiffyy)) - des_cblock *key; - char *prompt; - int verify; - - iinntt ddeess__ssttrriinngg__ttoo__kkeeyy((ssttrr,,kkeeyy)) - cchhaarr **ssttrr;; - ddeess__ccbblloocckk kkeeyy;; - - iinntt ddeess__rraannddoomm__kkeeyy((kkeeyy)) - ddeess__ccbblloocckk **kkeeyy;; - - iinntt ddeess__sseett__kkeeyy((kkeeyy,,sscchheedduullee)) - ddeess__ccbblloocckk **kkeeyy;; - ddeess__kkeeyy__sscchheedduullee sscchheedduullee;; - - iinntt ddeess__eeccbb__eennccrryypptt((iinnppuutt,,oouuttppuutt,,sscchheedduullee,,eennccrryypptt)) - ddeess__ccbblloocckk **iinnppuutt;; - ddeess__ccbblloocckk **oouuttppuutt;; - ddeess__kkeeyy__sscchheedduullee sscchheedduullee;; - iinntt eennccrryypptt;; - - iinntt ddeess__ccbbcc__eennccrryypptt((iinnppuutt,,oouuttppuutt,,lleennggtthh,,sscchheedduullee,,iivveecc,,eennccrryypptt)) - ddeess__ccbblloocckk **iinnppuutt;; - ddeess__ccbblloocckk **oouuttppuutt;; - lloonngg lleennggtthh;; - ddeess__kkeeyy__sscchheedduullee sscchheedduullee;; - ddeess__ccbblloocckk **iivveecc;; - iinntt eennccrryypptt;; - - iinntt ddeess__ppccbbcc__eennccrryypptt((iinnppuutt,,oouuttppuutt,,lleennggtthh,,sscchheedduullee,,iivveecc,,eennccrryypptt)) - ddeess__ccbblloocckk **iinnppuutt;; - ddeess__ccbblloocckk **oouuttppuutt;; - lloonngg lleennggtthh;; - ddeess__kkeeyy__sscchheedduullee sscchheedduullee;; - ddeess__ccbblloocckk **iivveecc;; - iinntt eennccrryypptt;; - - uunnssiiggnneedd lloonngg ddeess__ccbbcc__cckkssuumm((iinnppuutt,,oouuttppuutt,,lleennggtthh,,sscchheedduullee,,iivveecc)) - ddeess__ccbblloocckk **iinnppuutt;; - ddeess__ccbblloocckk **oouuttppuutt;; - lloonngg lleennggtthh;; - ddeess__kkeeyy__sscchheedduullee 
sscchheedduullee;; - ddeess__ccbblloocckk **iivveecc;; - - uunnssiiggnneedd lloonngg qquuaadd__cckkssuumm((iinnppuutt,,oouuttppuutt,,lleennggtthh,,oouutt__ccoouunntt,,sseeeedd)) - ddeess__ccbblloocckk **iinnppuutt;; - ddeess__ccbblloocckk **oouuttppuutt;; - lloonngg lleennggtthh;; - iinntt oouutt__ccoouunntt;; - ddeess__ccbblloocckk **sseeeedd;; - -DESCRIPTION - This library supports various DES encryption related operations. It differs - from the _c_r_y_p_t_, _s_e_t_k_e_y_, _a_n_d _e_n_c_r_y_p_t library routines in that it provides a - true DES encryption, without modifying the algorithm, and executes much - faster. - - For each key that may be simultaneously active, create a ddeess__kkeeyy__sscchheedduullee - struct, defined in "des.h". Next, create key schedules (from the 8-byte - keys) as needed, via _d_e_s___s_e_t___k_e_y_, prior to using the encryption or checksum - routines. Then setup the input and output areas. Make sure to note the - restrictions on lengths being multiples of eight bytes. Finally, invoke the - encryption/decryption routines, _d_e_s___e_c_b___e_n_c_r_y_p_t or _d_e_s___c_b_c___e_n_c_r_y_p_t or - _d_e_s___p_c_b_c___e_n_c_r_y_p_t_, or, to generate a cryptographic checksum, use _q_u_a_d___c_k_s_u_m - (fast) or _d_e_s___c_b_c___c_k_s_u_m (slow). - - A _d_e_s___c_b_l_o_c_k struct is an 8 byte block used as the fundamental unit for DES - data and keys, and is defined as: - - ttyyppeeddeeff uunnssiiggnneedd cchhaarr ddeess__ccbblloocckk[[88]];; - - and a _d_e_s___k_e_y___s_c_h_e_d_u_l_e_, is defined as: - - ttyyppeeddeeff ssttrruucctt ddeess__kkss__ssttrruucctt {{ddeess__ccbblloocckk __;;}} ddeess__kkeeyy__sscchheedduullee[[1166]];; - - _d_e_s___r_e_a_d___p_a_s_s_w_o_r_d writes the string specified by _p_r_o_m_p_t to the standard - output, turns off echo (if possible) and reads an input string from stan- - dard input until terminated with a newline. 
If _v_e_r_i_f_y is non-zero, it - prompts and reads input again, for use in applications such as changing a - password; both versions are compared, and the input is requested repeatedly - until they match. Then _d_e_s___r_e_a_d___p_a_s_s_w_o_r_d converts the input string into a - valid DES key, internally using the _d_e_s___s_t_r_i_n_g___t_o___k_e_y routine. The newly - created key is copied to the area pointed to by the _k_e_y argument. - _d_e_s___r_e_a_d___p_a_s_s_w_o_r_d returns a zero if no errors occurred, or a -1 indicating - that an error occurred trying to manipulate the terminal echo. - - _d_e_s___s_t_r_i_n_g___t_o___k_e_y converts an arbitrary length null-terminated string to an - 8 byte DES key, with odd byte parity, per FIPS specification. A one-way - function is used to convert the string to a key, making it very difficult - to reconstruct the string from the key. The _s_t_r argument is a pointer to - the string, and _k_e_y should point to a _d_e_s___c_b_l_o_c_k supplied by the caller to - receive the generated key. No meaningful value is returned. Void is not - used for compatibility with other compilers. - - _d_e_s___r_a_n_d_o_m___k_e_y generates a random DES encryption key (eight bytes), set to - odd parity per FIPS specifications. This routine uses the current time, - process id, and a counter as a seed for the random number generator. The - caller must supply space for the output key, pointed to by argument _k_e_y_, - then after calling _d_e_s___r_a_n_d_o_m___k_e_y should call the _d_e_s___s_e_t___k_e_y routine when - needed. No meaningful value is returned. Void is not used for compatibil- - ity with other compilers. - - _d_e_s___s_e_t___k_e_y calculates a key schedule from all eight bytes of the input - key, pointed to by the _k_e_y argument, and outputs the schedule into the - _d_e_s___k_e_y___s_c_h_e_d_u_l_e indicated by the _s_c_h_e_d_u_l_e argument. Make sure to pass a - valid eight byte key; no padding is done. 
The key schedule may then be - used in subsequent encryption/decryption/checksum operations. Many key - schedules may be cached for later use. The user is responsible to clear - keys and schedules as soon as no longer needed, to prevent their disclo- - sure. The routine also checks the key parity, and returns a zero if the - key parity is correct (odd), a -1 indicating a key parity error, or a -2 - indicating use of an illegal weak key. If an error is returned, the key - schedule was not created. - - _d_e_s___e_c_b___e_n_c_r_y_p_t is the basic DES encryption routine that encrypts or - decrypts a single 8-byte block in eelleeccttrroonniicc ccooddee bbooookk mode. It always - transforms the input data, pointed to by _i_n_p_u_t_, into the output data, - pointed to by the _o_u_t_p_u_t argument. - - If the _e_n_c_r_y_p_t argument is non-zero, the _i_n_p_u_t (cleartext) is encrypted - into the _o_u_t_p_u_t (ciphertext) using the key_schedule specified by the _s_c_h_e_d_- - _u_l_e argument, previously set via _d_e_s___s_e_t___k_e_y - - If encrypt is zero, the _i_n_p_u_t (now ciphertext) is decrypted into the _o_u_t_p_u_t - (now cleartext). - - Input and output may overlap. - - No meaningful value is returned. Void is not used for compatibility with - other compilers. - - _d_e_s___c_b_c___e_n_c_r_y_p_t encrypts/decrypts using the cciipphheerr--bblloocckk--cchhaaiinniinngg mmooddee ooff - DDEESS.. If the _e_n_c_r_y_p_t argument is non-zero, the routine cipher-block-chain - encrypts the cleartext data pointed to by the _i_n_p_u_t argument into the - ciphertext pointed to by the _o_u_t_p_u_t argument, using the key schedule pro- - vided by the _s_c_h_e_d_u_l_e argument, and initialization vector provided by the - _i_v_e_c argument. If the _l_e_n_g_t_h argument is not an integral multiple of eight - bytes, the last block is copied to a temp and zero filled (highest - addresses). The output is ALWAYS an integral multiple of eight bytes. 
- - If _e_n_c_r_y_p_t is zero, the routine cipher-block chain decrypts the (now) - ciphertext data pointed to by the _i_n_p_u_t argument into (now) cleartext - pointed to by the _o_u_t_p_u_t argument using the key schedule provided by the - _s_c_h_e_d_u_l_e argument, and initialization vector provided by the _i_v_e_c argument. - Decryption ALWAYS operates on integral multiples of 8 bytes, so it will - round the _l_e_n_g_t_h provided up to the appropriate multiple. Consequently, it - will always produce the rounded-up number of bytes of output cleartext. The - application must determine if the output cleartext was zero-padded due to - original cleartext lengths that were not integral multiples of 8. - - No errors or meaningful values are returned. Void is not used for compati- - bility with other compilers. - - A characteristic of cbc mode is that changing a single bit of the cleart- - ext, then encrypting using cbc mode, affects ALL the subsequent ciphertext. - This makes cryptanalysis much more difficult. However, modifying a single - bit of the ciphertext, then decrypting, only affects the resulting cleart- - ext from the modified block and the succeeding block. Therefore, - _d_e_s___p_c_b_c___e_n_c_r_y_p_t is STRONGLY recommended for applications where indefinite - propagation of errors is required in order to detect modifications. - - _d_e_s___p_c_b_c___e_n_c_r_y_p_t encrypts/decrypts using a modified block chaining mode. - Its calling sequence is identical to _d_e_s___c_b_c___e_n_c_r_y_p_t_. It differs in its - error propagation characteristics. - - _d_e_s___p_c_b_c___e_n_c_r_y_p_t is highly recommended for most encryption purposes, in - that modification of a single bit of the ciphertext will affect ALL the - subsequent (decrypted) cleartext. Similarly, modifying a single bit of the - cleartext will affect ALL the subsequent (encrypted) ciphertext. 
"PCBC" - mode, on encryption, "xors" both the cleartext of block N and the cipher- - text resulting from block N with the cleartext for block N+1 prior to - encrypting block N+1. - - _d_e_s___c_b_c___c_k_s_u_m produces an 8 byte cryptographic checksum by cipher-block- - chain encrypting the cleartext data pointed to by the _i_n_p_u_t argument. All - of the ciphertext output is discarded, except the last 8-byte ciphertext - block, which is written into the area pointed to by the _o_u_t_p_u_t argument. - It uses the key schedule, provided by the _s_c_h_e_d_u_l_e argument and initializa- - tion vector provided by the _i_v_e_c argument. If the _l_e_n_g_t_h argument is not - an integral multiple of eight bytes, the last cleartext block is copied to - a temp and zero filled (highest addresses). The output is ALWAYS eight - bytes. - - The routine also returns an unsigned long, which is the last (highest - address) half of the 8 byte checksum computed. - - _q_u_a_d___c_k_s_u_m produces a checksum by chaining quadratic operations on the - cleartext data pointed to by the _i_n_p_u_t argument. The _l_e_n_g_t_h argument speci- - fies the length of the input -- only exactly that many bytes are included - for the checksum, without any padding. - - The algorithm may be iterated over the same input data, if the _o_u_t___c_o_u_n_t - argument is 2, 3 or 4, and the optional _o_u_t_p_u_t argument is a non-null - pointer . The default is one iteration, and it will not run more than 4 - times. Multiple iterations run slower, but provide a longer checksum if - desired. The _s_e_e_d argument provides an 8-byte seed for the first iteration. - If multiple iterations are requested, the results of one iteration are - automatically used as the seed for the next iteration. - - It returns both an unsigned long checksum value, and if the _o_u_t_p_u_t argument - is not a null pointer, up to 16 bytes of the computed checksum are written - into the output. 
- -FILES - /usr/include/des.h - /usr/lib/libdes.a - -SEE ALSO - -DIAGNOSTICS - -BUGS - This software has not yet been compiled or tested on machines other than - the VAX and the IBM PC. - -AUTHORS - Steve Miller, MIT Project Athena/Digital Equipment Corporation - -RESTRICTIONS - COPYRIGHT 1985,1986 Massachusetts Institute of Technology - - This software may not be exported outside of the US without a special - license from the US Dept of Commerce. It may be replaced by any secret key - block cipher with block length and key length of 8 bytes, as long as the - interface is the same as described here. - - - - - - - - - - - - - - - - - - - - - - - diff --git a/crypto/heimdal-0.6.3/lib/des/des_crypt.man b/crypto/heimdal-0.6.3/lib/des/des_crypt.man deleted file mode 100644 index 9feb447129..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/des_crypt.man +++ /dev/null 
@@ -1,508 +0,0 @@ -.TH DES_CRYPT 3 -.SH NAME -des_read_password, des_read_2password, -des_string_to_key, des_string_to_2key, des_read_pw_string, -des_random_key, des_set_key, -des_key_sched, des_ecb_encrypt, des_3ecb_encrypt, des_cbc_encrypt, -des_3cbc_encrypt, -des_pcbc_encrypt, des_cfb_encrypt, des_ofb_encrypt, -des_cbc_cksum, des_quad_cksum, -des_enc_read, des_enc_write, des_set_odd_parity, -des_is_weak_key, crypt \- (non USA) DES encryption -.SH SYNOPSIS -.nf -.nj -.ft B -#include -.PP -.B int des_read_password(key,prompt,verify) -des_cblock *key; -char *prompt; -int verify; -.PP -.B int des_read_2password(key1,key2,prompt,verify) -des_cblock *key1,*key2; -char *prompt; -int verify; -.PP -.B int des_string_to_key(str,key) -char *str; -des_cblock *key; -.PP -.B int des_string_to_2keys(str,key1,key2) -char *str; -des_cblock *key1,*key2; -.PP -.B int des_read_pw_string(buf,length,prompt,verify) -char *buf; -int length; -char *prompt; -int verify; -.PP -.B int des_random_key(key) -des_cblock *key; -.PP -.B int des_set_key(key,schedule) -des_cblock *key; -des_key_schedule schedule; -.PP -.B int des_key_sched(key,schedule) -des_cblock *key; -des_key_schedule schedule; -.PP -.B int des_ecb_encrypt(input,output,schedule,encrypt) -des_cblock *input; -des_cblock *output; -des_key_schedule schedule; -int encrypt; -.PP -.B int des_3ecb_encrypt(input,output,ks1,ks2,encrypt) -des_cblock *input; -des_cblock *output; -des_key_schedule ks1,ks2; -int encrypt; -.PP -.B int des_cbc_encrypt(input,output,length,schedule,ivec,encrypt) -des_cblock *input; -des_cblock *output; -long length; -des_key_schedule schedule; -des_cblock *ivec; -int encrypt; -.PP -.B int des_3cbc_encrypt(input,output,length,sk1,sk2,ivec1,ivec2,encrypt) -des_cblock *input; -des_cblock *output; -long length; -des_key_schedule sk1; -des_key_schedule sk2; -des_cblock *ivec1; -des_cblock *ivec2; -int encrypt; -.PP -.B int des_pcbc_encrypt(input,output,length,schedule,ivec,encrypt) -des_cblock *input; -des_cblock 
*output; -long length; -des_key_schedule schedule; -des_cblock *ivec; -int encrypt; -.PP -.B int des_cfb_encrypt(input,output,numbits,length,schedule,ivec,encrypt) -unsigned char *input; -unsigned char *output; -int numbits; -long length; -des_key_schedule schedule; -des_cblock *ivec; -int encrypt; -.PP -.B int des_ofb_encrypt(input,output,numbits,length,schedule,ivec) -unsigned char *input,*output; -int numbits; -long length; -des_key_schedule schedule; -des_cblock *ivec; -.PP -.B unsigned long des_cbc_cksum(input,output,length,schedule,ivec) -des_cblock *input; -des_cblock *output; -long length; -des_key_schedule schedule; -des_cblock *ivec; -.PP -.B unsigned long des_quad_cksum(input,output,length,out_count,seed) -des_cblock *input; -des_cblock *output; -long length; -int out_count; -des_cblock *seed; -.PP -.B int des_check_key; -.PP -.B int des_enc_read(fd,buf,len,sched,iv) -int fd; -char *buf; -int len; -des_key_schedule sched; -des_cblock *iv; -.PP -.B int des_enc_write(fd,buf,len,sched,iv) -int fd; -char *buf; -int len; -des_key_schedule sched; -des_cblock *iv; -.PP -.B extern int des_rw_mode; -.PP -.B void des_set_odd_parity(key) -des_cblock *key; -.PP -.B int des_is_weak_key(key) -des_cblock *key; -.PP -.B char *crypt(passwd,salt) -char *passwd; -char *salt; -.PP -.fi -.SH DESCRIPTION -This library contains a fast implementation of the DES encryption -algorithm. -.PP -There are two phases to the use of DES encryption. -The first is the generation of a -.I des_key_schedule -from a key, -the second is the actual encryption. -A des key is of type -.I des_cblock. -This type is made from 8 characters with odd parity. -The least significant bit in the character is the parity bit. -The key schedule is an expanded form of the key; it is used to speed the -encryption process. -.PP -.I des_read_password -writes the string specified by prompt to the standard output, -turns off echo and reads an input string from standard input -until terminated with a newline. 
-If verify is non-zero, it prompts and reads the input again and verifies -that both entered passwords are the same. -The entered string is converted into a des key by using the -.I des_string_to_key -routine. -The new key is placed in the -.I des_cblock -that was passed (by reference) to the routine. -If there were no errors, -.I des_read_password -returns 0, --1 is returned if there was a terminal error and 1 is returned for -any other error. -.PP -.I des_read_2password -operates in the same way as -.I des_read_password -except that it generates 2 keys by using the -.I des_string_to_2key -function. -.PP -.I des_read_pw_string -is called by -.I des_read_password -to read and verify a string from a terminal device. -The string is returned in -.I buf. -The size of -.I buf -is passed to the routine via the -.I length -parameter. -.PP -.I des_string_to_key -converts a string into a valid des key. -.PP -.I des_string_to_2key -converts a string into 2 valid des keys. -This routine is best suited for used to generate keys for use with -.I des_3ecb_encrypt. -.PP -.I des_random_key -returns a random key that is made of a combination of process id, -time and an increasing counter. -.PP -Before a des key can be used it is converted into a -.I des_key_schedule -via the -.I des_set_key -routine. -If the -.I des_check_key -flag is non-zero, -.I des_set_key -will check that the key passed is of odd parity and is not a week or -semi-weak key. -If the parity is wrong, -then -1 is returned. -If the key is a weak key, -then -2 is returned. -If an error is returned, -the key schedule is not generated. -.PP -.I des_key_sched -is another name for the -.I des_set_key -function. -.PP -The following routines mostly operate on an input and output stream of -.I des_cblock's. -.PP -.I des_ecb_encrypt -is the basic DES encryption routine that encrypts or decrypts a single 8-byte -.I des_cblock -in -.I electronic code book -mode. 
-It always transforms the input data, pointed to by -.I input, -into the output data, -pointed to by the -.I output -argument. -If the -.I encrypt -argument is non-zero (DES_ENCRYPT), -the -.I input -(cleartext) is encrypted in to the -.I output -(ciphertext) using the key_schedule specified by the -.I schedule -argument, -previously set via -.I des_set_key. -If -.I encrypt -is zero (DES_DECRYPT), -the -.I input -(now ciphertext) -is decrypted into the -.I output -(now cleartext). -Input and output may overlap. -No meaningful value is returned. -.PP -.I des_3ecb_encrypt -encrypts/decrypts the -.I input -block by using triple ecb DES encryption. -This involves encrypting the input with -.I ks1, -decryption with the key schedule -.I ks2, -and then encryption with the first again. -This routine greatly reduces the chances of brute force breaking of -DES and has the advantage of if -.I ks1 -and -.I ks2 -are the same, it is equivalent to just encryption using ecb mode and -.I ks1 -as the key. -.PP -.I des_cbc_encrypt -encrypts/decrypts using the -.I cipher-block-chaining -mode of DES. -If the -.I encrypt -argument is non-zero, -the routine cipher-block-chain encrypts the cleartext data pointed to by the -.I input -argument into the ciphertext pointed to by the -.I output -argument, -using the key schedule provided by the -.I schedule -argument, -and initialisation vector provided by the -.I ivec -argument. -If the -.I length -argument is not an integral multiple of eight bytes, -the last block is copied to a temporary area and zero filled. -The output is always -an integral multiple of eight bytes. -To make multiple cbc encrypt calls on a large amount of data appear to -be one -.I des_cbc_encrypt -call, the -.I ivec -of subsequent calls should be the last 8 bytes of the output. -.PP -.I des_3cbc_encrypt -encrypts/decrypts the -.I input -block by using triple cbc DES encryption. 
-This involves encrypting the input with key schedule -.I ks1, -decryption with the key schedule -.I ks2, -and then encryption with the first again. -2 initialisation vectors are required, -.I ivec1 -and -.I ivec2. -Unlike -.I des_cbc_encrypt, -these initialisation vectors are modified by the subroutine. -This routine greatly reduces the chances of brute force breaking of -DES and has the advantage of if -.I ks1 -and -.I ks2 -are the same, it is equivalent to just encryption using cbc mode and -.I ks1 -as the key. -.PP -.I des_pcbc_encrypt -encrypt/decrypts using a modified block chaining mode. -It provides better error propagation characteristics than cbc -encryption. -.PP -.I des_cfb_encrypt -encrypt/decrypts using cipher feedback mode. This method takes an -array of characters as input and outputs and array of characters. It -does not require any padding to 8 character groups. Note: the ivec -variable is changed and the new changed value needs to be passed to -the next call to this function. Since this function runs a complete -DES ecb encryption per numbits, this function is only suggested for -use when sending small numbers of characters. -.PP -.I des_ofb_encrypt -encrypt using output feedback mode. This method takes an -array of characters as input and outputs and array of characters. It -does not require any padding to 8 character groups. Note: the ivec -variable is changed and the new changed value needs to be passed to -the next call to this function. Since this function runs a complete -DES ecb encryption per numbits, this function is only suggested for -use when sending small numbers of characters. -.PP -.I des_cbc_cksum -produces an 8 byte checksum based on the input stream (via cbc encryption). -The last 4 bytes of the checksum is returned and the complete 8 bytes is -placed in -.I output. -.PP -.I des_quad_cksum -returns a 4 byte checksum from the input bytes. 
-The algorithm can be iterated over the input, -depending on -.I out_count, -1, 2, 3 or 4 times. -If -.I output -is non-NULL, -the 8 bytes generated by each pass are written into -.I output. -.PP -.I des_enc_write -is used to write -.I len -bytes -to file descriptor -.I fd -from buffer -.I buf. -The data is encrypted via -.I pcbc_encrypt -(default) using -.I sched -for the key and -.I iv -as a starting vector. -The actual data send down -.I fd -consists of 4 bytes (in network byte order) containing the length of the -following encrypted data. The encrypted data then follows, padded with random -data out to a multiple of 8 bytes. -.PP -.I des_enc_read -is used to read -.I len -bytes -from file descriptor -.I fd -into buffer -.I buf. -The data being read from -.I fd -is assumed to have come from -.I des_enc_write -and is decrypted using -.I sched -for the key schedule and -.I iv -for the initial vector. -The -.I des_enc_read/des_enc_write -pair can be used to read/write to files, pipes and sockets. -I have used them in implementing a version of rlogin in which all -data is encrypted. -.PP -.I des_rw_mode -is used to specify the encryption mode to use with -.I des_enc_read -and -.I des_end_write. -If set to -.I DES_PCBC_MODE -(the default), des_pcbc_encrypt is used. -If set to -.I DES_CBC_MODE -des_cbc_encrypt is used. -These two routines and the variable are not part of the normal MIT library. -.PP -.I des_set_odd_parity -sets the parity of the passed -.I key -to odd. This routine is not part of the standard MIT library. -.PP -.I des_is_weak_key -returns 1 is the passed key is a weak key (pick again :-), -0 if it is ok. -This routine is not part of the standard MIT library. -.PP -.I crypt -is a replacement for the normal system crypt. -It is much faster than the system crypt. -.PP -.SH FILES -/usr/include/des.h -.br -/usr/lib/libdes.a -.PP -The encryption routines have been tested on 16bit, 32bit and 64bit -machines of various endian and even works under VMS. 
-.PP
-.SH BUGS
-.PP
-If you think this manual is sparse,
-read the des_crypt(3) manual from the MIT kerberos (or bones outside
-of the USA) distribution.
-.PP
-.I des_cfb_encrypt
-and
-.I des_ofb_encrypt
-operates on input of 8 bits. What this means is that if you set
-numbits to 12, and length to 2, the first 12 bits will come from the 1st
-input byte and the low half of the second input byte. The second 12
-bits will have the low 8 bits taken from the 3rd input byte and the
-top 4 bits taken from the 4th input byte. The same holds for output.
-This function has been implemented this way because most people will
-be using a multiple of 8 and because once you get into pulling bytes input
-bytes apart things get ugly!
-.PP
-.I des_read_pw_string
-is the most machine/OS dependent function and normally generates the
-most problems when porting this code.
-.PP
-.I des_string_to_key
-is probably different from the MIT version since there are lots
-of fun ways to implement one-way encryption of a text string.
-.PP
-The routines are optimised for 32 bit machines and so are not efficient
-on IBM PCs.
-.PP
-NOTE: extensive work has been done on this library since this document
-was origionally written. Please try to read des.doc from the libdes
-distribution since it is far more upto date and documents more of the
-functions. Libdes is now also being shipped as part of SSLeay, a
-general cryptographic library that amonst other things implements
-netscapes SSL protocoll. The most recent version can be found in
-SSLeay distributions.
-.SH AUTHOR
-Eric Young (eay@mincom.oz.au or eay@psych.psy.uq.oz.au)
diff --git a/crypto/heimdal-0.6.3/lib/des/des_enc.c b/crypto/heimdal-0.6.3/lib/des/des_enc.c
deleted file mode 100644
index d08fe65013..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/des_enc.c
+++ /dev/null
@@ -1,301 +0,0 @@ -/* crypto/des/des_enc.c */ -/* Copyright (C) 1995-1997 Eric Young (eay@mincom.oz.au) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@mincom.oz.au). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@mincom.oz.au). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@mincom.oz.au)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. 
If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@mincom.oz.au)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include "des_locl.h" - -void des_encrypt(data, ks, encrypt) -DES_LONG *data; -des_key_schedule ks; -int encrypt; - { - register DES_LONG l,r,t,u; -#ifdef DES_PTR - register unsigned char *des_SP=(unsigned char *)des_SPtrans; -#endif -#ifndef DES_UNROLL - register int i; -#endif - register DES_LONG *s; - - r=data[0]; - l=data[1]; - - IP(r,l); - /* Things have been modified so that the initial rotate is - * done outside the loop. This required the - * des_SPtrans values in sp.h to be rotated 1 bit to the right. - * One perl script later and things have a 5% speed up on a sparc2. - * Thanks to Richard Outerbridge <71755.204@CompuServe.COM> - * for pointing this out. 
*/ - /* clear the top bits on machines with 8byte longs */ - /* shift left by 2 */ - r=ROTATE(r,29)&0xffffffffL; - l=ROTATE(l,29)&0xffffffffL; - - s=(DES_LONG *)ks; - /* I don't know if it is worth the effort of loop unrolling the - * inner loop */ - if (encrypt) - { -#ifdef DES_UNROLL - D_ENCRYPT(l,r, 0); /* 1 */ - D_ENCRYPT(r,l, 2); /* 2 */ - D_ENCRYPT(l,r, 4); /* 3 */ - D_ENCRYPT(r,l, 6); /* 4 */ - D_ENCRYPT(l,r, 8); /* 5 */ - D_ENCRYPT(r,l,10); /* 6 */ - D_ENCRYPT(l,r,12); /* 7 */ - D_ENCRYPT(r,l,14); /* 8 */ - D_ENCRYPT(l,r,16); /* 9 */ - D_ENCRYPT(r,l,18); /* 10 */ - D_ENCRYPT(l,r,20); /* 11 */ - D_ENCRYPT(r,l,22); /* 12 */ - D_ENCRYPT(l,r,24); /* 13 */ - D_ENCRYPT(r,l,26); /* 14 */ - D_ENCRYPT(l,r,28); /* 15 */ - D_ENCRYPT(r,l,30); /* 16 */ -#else - for (i=0; i<32; i+=8) - { - D_ENCRYPT(l,r,i+0); /* 1 */ - D_ENCRYPT(r,l,i+2); /* 2 */ - D_ENCRYPT(l,r,i+4); /* 3 */ - D_ENCRYPT(r,l,i+6); /* 4 */ - } -#endif - } - else - { -#ifdef DES_UNROLL - D_ENCRYPT(l,r,30); /* 16 */ - D_ENCRYPT(r,l,28); /* 15 */ - D_ENCRYPT(l,r,26); /* 14 */ - D_ENCRYPT(r,l,24); /* 13 */ - D_ENCRYPT(l,r,22); /* 12 */ - D_ENCRYPT(r,l,20); /* 11 */ - D_ENCRYPT(l,r,18); /* 10 */ - D_ENCRYPT(r,l,16); /* 9 */ - D_ENCRYPT(l,r,14); /* 8 */ - D_ENCRYPT(r,l,12); /* 7 */ - D_ENCRYPT(l,r,10); /* 6 */ - D_ENCRYPT(r,l, 8); /* 5 */ - D_ENCRYPT(l,r, 6); /* 4 */ - D_ENCRYPT(r,l, 4); /* 3 */ - D_ENCRYPT(l,r, 2); /* 2 */ - D_ENCRYPT(r,l, 0); /* 1 */ -#else - for (i=30; i>0; i-=8) - { - D_ENCRYPT(l,r,i-0); /* 16 */ - D_ENCRYPT(r,l,i-2); /* 15 */ - D_ENCRYPT(l,r,i-4); /* 14 */ - D_ENCRYPT(r,l,i-6); /* 13 */ - } -#endif - } - - /* rotate and clear the top bits on machines with 8byte longs */ - l=ROTATE(l,3)&0xffffffffL; - r=ROTATE(r,3)&0xffffffffL; - - FP(r,l); - data[0]=l; - data[1]=r; - l=r=t=u=0; - } - -void des_encrypt2(data, ks, encrypt) -DES_LONG *data; -des_key_schedule ks; -int encrypt; - { - register DES_LONG l,r,t,u; -#ifdef DES_PTR - register unsigned char *des_SP=(unsigned char *)des_SPtrans; 
-#endif -#ifndef DES_UNROLL - register int i; -#endif - register DES_LONG *s; - - r=data[0]; - l=data[1]; - - /* Things have been modified so that the initial rotate is - * done outside the loop. This required the - * des_SPtrans values in sp.h to be rotated 1 bit to the right. - * One perl script later and things have a 5% speed up on a sparc2. - * Thanks to Richard Outerbridge <71755.204@CompuServe.COM> - * for pointing this out. */ - /* clear the top bits on machines with 8byte longs */ - r=ROTATE(r,29)&0xffffffff; - l=ROTATE(l,29)&0xffffffff; - - s=(DES_LONG *)ks; - /* I don't know if it is worth the effort of loop unrolling the - * inner loop */ - if (encrypt) - { -#ifdef DES_UNROLL - D_ENCRYPT(l,r, 0); /* 1 */ - D_ENCRYPT(r,l, 2); /* 2 */ - D_ENCRYPT(l,r, 4); /* 3 */ - D_ENCRYPT(r,l, 6); /* 4 */ - D_ENCRYPT(l,r, 8); /* 5 */ - D_ENCRYPT(r,l,10); /* 6 */ - D_ENCRYPT(l,r,12); /* 7 */ - D_ENCRYPT(r,l,14); /* 8 */ - D_ENCRYPT(l,r,16); /* 9 */ - D_ENCRYPT(r,l,18); /* 10 */ - D_ENCRYPT(l,r,20); /* 11 */ - D_ENCRYPT(r,l,22); /* 12 */ - D_ENCRYPT(l,r,24); /* 13 */ - D_ENCRYPT(r,l,26); /* 14 */ - D_ENCRYPT(l,r,28); /* 15 */ - D_ENCRYPT(r,l,30); /* 16 */ -#else - for (i=0; i<32; i+=8) - { - D_ENCRYPT(l,r,i+0); /* 1 */ - D_ENCRYPT(r,l,i+2); /* 2 */ - D_ENCRYPT(l,r,i+4); /* 3 */ - D_ENCRYPT(r,l,i+6); /* 4 */ - } -#endif - } - else - { -#ifdef DES_UNROLL - D_ENCRYPT(l,r,30); /* 16 */ - D_ENCRYPT(r,l,28); /* 15 */ - D_ENCRYPT(l,r,26); /* 14 */ - D_ENCRYPT(r,l,24); /* 13 */ - D_ENCRYPT(l,r,22); /* 12 */ - D_ENCRYPT(r,l,20); /* 11 */ - D_ENCRYPT(l,r,18); /* 10 */ - D_ENCRYPT(r,l,16); /* 9 */ - D_ENCRYPT(l,r,14); /* 8 */ - D_ENCRYPT(r,l,12); /* 7 */ - D_ENCRYPT(l,r,10); /* 6 */ - D_ENCRYPT(r,l, 8); /* 5 */ - D_ENCRYPT(l,r, 6); /* 4 */ - D_ENCRYPT(r,l, 4); /* 3 */ - D_ENCRYPT(l,r, 2); /* 2 */ - D_ENCRYPT(r,l, 0); /* 1 */ -#else - for (i=30; i>0; i-=8) - { - D_ENCRYPT(l,r,i-0); /* 16 */ - D_ENCRYPT(r,l,i-2); /* 15 */ - D_ENCRYPT(l,r,i-4); /* 14 */ - D_ENCRYPT(r,l,i-6); /* 13 */ 
- } -#endif - } - /* rotate and clear the top bits on machines with 8byte longs */ - data[0]=ROTATE(l,3)&0xffffffff; - data[1]=ROTATE(r,3)&0xffffffff; - l=r=t=u=0; - } - -void des_encrypt3(data,ks1,ks2,ks3) -DES_LONG *data; -des_key_schedule ks1; -des_key_schedule ks2; -des_key_schedule ks3; - { - register DES_LONG l,r; - - l=data[0]; - r=data[1]; - IP(l,r); - data[0]=l; - data[1]=r; - des_encrypt2((DES_LONG *)data,ks1,DES_ENCRYPT); - des_encrypt2((DES_LONG *)data,ks2,DES_DECRYPT); - des_encrypt2((DES_LONG *)data,ks3,DES_ENCRYPT); - l=data[0]; - r=data[1]; - FP(r,l); - data[0]=l; - data[1]=r; - } - -void des_decrypt3(data,ks1,ks2,ks3) -DES_LONG *data; -des_key_schedule ks1; -des_key_schedule ks2; -des_key_schedule ks3; - { - register DES_LONG l,r; - - l=data[0]; - r=data[1]; - IP(l,r); - data[0]=l; - data[1]=r; - des_encrypt2((DES_LONG *)data,ks3,DES_DECRYPT); - des_encrypt2((DES_LONG *)data,ks2,DES_ENCRYPT); - des_encrypt2((DES_LONG *)data,ks1,DES_DECRYPT); - l=data[0]; - r=data[1]; - FP(r,l); - data[0]=l; - data[1]=r; - } - diff --git a/crypto/heimdal-0.6.3/lib/des/des_locl.h b/crypto/heimdal-0.6.3/lib/des/des_locl.h deleted file mode 100644 index 5de15dbead..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/des_locl.h +++ /dev/null 
@@ -1,535 +0,0 @@ -#ifdef HAVE_CONFIG_H -#include "config.h" - -/* - if (we have termios.h) - define TERMIOS - else if (we have termio.h) - define TERMIO -*/ -#ifdef HAVE_TERMIOS_H - -#define TERMIOS - -#else /* !HAVE_TERMIOS_H */ - -#ifdef HAVE_TERMIO_H -#define TERMIO -#endif - -#endif /* !HAVE_TERMIOS_H */ - -#endif /* HAVE_CONFIG_H */ - -/* crypto/des/des_locl.h */ -/* Copyright (C) 1995-1997 Eric Young (eay@mincom.oz.au) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@mincom.oz.au). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@mincom.oz.au). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. 
All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@mincom.oz.au)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@mincom.oz.au)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -/* WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING - * - * Always modify des_locl.org since des_locl.h is automatically generated from - * it during SSLeay configuration. 
- * - * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING - */ - -#ifndef HEADER_DES_LOCL_H -#define HEADER_DES_LOCL_H - -#if defined(WIN32) || defined(WIN16) -#ifndef MSDOS -#define MSDOS -#endif -#endif - -#include -#include -#ifdef HAVE_UNISTD_H -#include -#endif -#ifdef HAVE_IO_H -#include -#endif -#include "des.h" - -#ifndef DES_DEFAULT_OPTIONS -/* the following is tweaked from a config script, that is why it is a - * protected undef/define */ -#ifndef DES_PTR -#undef DES_PTR -#endif - -/* This helps C compiler generate the correct code for multiple functional - * units. It reduces register dependancies at the expense of 2 more - * registers */ -#ifndef DES_RISC1 -#undef DES_RISC1 -#endif - -#ifndef DES_RISC2 -#undef DES_RISC2 -#endif - -#if defined(DES_RISC1) && defined(DES_RISC2) -YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!! -#endif - -/* Unroll the inner loop, this sometimes helps, sometimes hinders. - * Very mucy CPU dependant */ -#ifndef DES_UNROLL -#undef DES_UNROLL -#endif - -/* These default values were supplied by - * Peter Gutman - * They are only used if nothing else has been defined */ -#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL) -/* Special defines which change the way the code is built depending on the - CPU and OS. For SGI machines you can use _MIPS_SZLONG (32 or 64) to find - even newer MIPS CPU's, but at the moment one size fits all for - optimization options. 
Older Sparc's work better with only UNROLL, but - there's no way to tell at compile time what it is you're running on */ - -#if defined( sun ) /* Newer Sparc's */ - #define DES_PTR - #define DES_RISC1 - #define DES_UNROLL -#elif defined( __ultrix ) /* Older MIPS */ - #define DES_PTR - #define DES_RISC2 - #define DES_UNROLL -#elif defined( __osf1__ ) /* Alpha */ - #define DES_PTR - #define DES_RISC2 -#elif defined ( _AIX ) /* RS6000 */ - /* Unknown */ -#elif defined( __hpux ) /* HP-PA */ - #define DES_UNROLL -#elif defined( __aux ) /* 68K */ - /* Unknown */ -#elif defined( __dgux ) /* 88K (but P6 in latest boxes) */ - #define DES_UNROLL -#elif defined( __sgi ) /* Newer MIPS */ - #define DES_PTR - #define DES_RISC2 - #define DES_UNROLL -#elif defined( i386 ) /* x86 boxes, should be gcc */ - #define DES_PTR - #define DES_RISC1 - #define DES_UNROLL -#endif /* Systems-specific speed defines */ -#endif - -#endif /* DES_DEFAULT_OPTIONS */ - -#ifdef MSDOS /* Visual C++ 2.1 (Windows NT/95) */ -#include -#include -#include -#include -#ifndef RAND -#define RAND -#endif -#undef NOPROTO -#endif - -#if defined(__STDC__) || defined(VMS) || defined(M_XENIX) || defined(MSDOS) || defined(WIN32) -#include -#endif - -#ifndef RAND -#define RAND -#endif - -#ifdef linux -#undef RAND -#endif - -#ifdef MSDOS -#define getpid() 2 -#define RAND -#undef NOPROTO -#endif - -#if defined(NOCONST) -#define const -#endif - -#ifdef __STDC__ -#undef NOPROTO -#endif - -#ifdef RAND -#define srandom(s) srand(s) -#define random rand -#endif - -#define ITERATIONS 16 -#define HALF_ITERATIONS 8 - -/* used in des_read and des_write */ -#define MAXWRITE (1024*16) -#define des_BSIZE (MAXWRITE+4) - -#define c2l(c,l) (l =((DES_LONG)(*((c)++))) , \ - l|=((DES_LONG)(*((c)++)))<< 8L, \ - l|=((DES_LONG)(*((c)++)))<<16L, \ - l|=((DES_LONG)(*((c)++)))<<24L) - -/* NOTE - c is not incremented as per c2l */ -#define c2ln(c,l1,l2,n) { \ - c+=n; \ - l1=l2=0; \ - switch (n) { \ - case 8: l2 =((DES_LONG)(*(--(c))))<<24L; \ - 
case 7: l2|=((DES_LONG)(*(--(c))))<<16L; \ - case 6: l2|=((DES_LONG)(*(--(c))))<< 8L; \ - case 5: l2|=((DES_LONG)(*(--(c)))); \ - case 4: l1 =((DES_LONG)(*(--(c))))<<24L; \ - case 3: l1|=((DES_LONG)(*(--(c))))<<16L; \ - case 2: l1|=((DES_LONG)(*(--(c))))<< 8L; \ - case 1: l1|=((DES_LONG)(*(--(c)))); \ - } \ - } - -#define l2c(l,c) (*((c)++)=(unsigned char)(((l) )&0xff), \ - *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \ - *((c)++)=(unsigned char)(((l)>>16L)&0xff), \ - *((c)++)=(unsigned char)(((l)>>24L)&0xff)) - -/* replacements for htonl and ntohl since I have no idea what to do - * when faced with machines with 8 byte longs. */ -#define HDRSIZE 4 - -#define n2l(c,l) (l =((DES_LONG)(*((c)++)))<<24L, \ - l|=((DES_LONG)(*((c)++)))<<16L, \ - l|=((DES_LONG)(*((c)++)))<< 8L, \ - l|=((DES_LONG)(*((c)++)))) - -#define l2n(l,c) (*((c)++)=(unsigned char)(((l)>>24L)&0xff), \ - *((c)++)=(unsigned char)(((l)>>16L)&0xff), \ - *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \ - *((c)++)=(unsigned char)(((l) )&0xff)) - -/* NOTE - c is not incremented as per l2c */ -#define l2cn(l1,l2,c,n) { \ - c+=n; \ - switch (n) { \ - case 8: *(--(c))=(unsigned char)(((l2)>>24L)&0xff); \ - case 7: *(--(c))=(unsigned char)(((l2)>>16L)&0xff); \ - case 6: *(--(c))=(unsigned char)(((l2)>> 8L)&0xff); \ - case 5: *(--(c))=(unsigned char)(((l2) )&0xff); \ - case 4: *(--(c))=(unsigned char)(((l1)>>24L)&0xff); \ - case 3: *(--(c))=(unsigned char)(((l1)>>16L)&0xff); \ - case 2: *(--(c))=(unsigned char)(((l1)>> 8L)&0xff); \ - case 1: *(--(c))=(unsigned char)(((l1) )&0xff); \ - } \ - } - -#if defined(WIN32) -#define ROTATE(a,n) (_lrotr(a,n)) -#else -#define ROTATE(a,n) (((a)>>(n))+((a)<<(32-(n)))) -#endif - -/* Don't worry about the LOAD_DATA() stuff, that is used by - * fcrypt() to add it's little bit to the front */ - -#ifdef DES_FCRYPT - -#define LOAD_DATA_tmp(R,S,u,t,E0,E1) \ - { DES_LONG tmp; LOAD_DATA(R,S,u,t,E0,E1,tmp); } - -#define LOAD_DATA(R,S,u,t,E0,E1,tmp) \ - t=R^(R>>16L); \ - u=t&E0; t&=E1; \ - 
tmp=(u<<16); u^=R^s[S ]; u^=tmp; \ - tmp=(t<<16); t^=R^s[S+1]; t^=tmp -#else -#define LOAD_DATA_tmp(a,b,c,d,e,f) LOAD_DATA(a,b,c,d,e,f,g) -#define LOAD_DATA(R,S,u,t,E0,E1,tmp) \ - u=R^s[S ]; \ - t=R^s[S+1] -#endif - -/* The changes to this macro may help or hinder, depending on the - * compiler and the achitecture. gcc2 always seems to do well :-). - * Inspired by Dana How - * DO NOT use the alternative version on machines with 8 byte longs. - * It does not seem to work on the Alpha, even when DES_LONG is 4 - * bytes, probably an issue of accessing non-word aligned objects :-( */ -#ifdef DES_PTR - -/* It recently occured to me that 0^0^0^0^0^0^0 == 0, so there - * is no reason to not xor all the sub items together. This potentially - * saves a register since things can be xored directly into L */ - -#if defined(DES_RISC1) || defined(DES_RISC2) -#ifdef DES_RISC1 -#define D_ENCRYPT(LL,R,S) { \ - unsigned int u1,u2,u3; \ - LOAD_DATA(R,S,u,t,E0,E1,u1); \ - u2=(int)u>>8L; \ - u1=(int)u&0xfc; \ - u2&=0xfc; \ - t=ROTATE(t,4); \ - u>>=16L; \ - LL^= *(DES_LONG *)((unsigned char *)des_SP +u1); \ - LL^= *(DES_LONG *)((unsigned char *)des_SP+0x200+u2); \ - u3=(int)(u>>8L); \ - u1=(int)u&0xfc; \ - u3&=0xfc; \ - LL^= *(DES_LONG *)((unsigned char *)des_SP+0x400+u1); \ - LL^= *(DES_LONG *)((unsigned char *)des_SP+0x600+u3); \ - u2=(int)t>>8L; \ - u1=(int)t&0xfc; \ - u2&=0xfc; \ - t>>=16L; \ - LL^= *(DES_LONG *)((unsigned char *)des_SP+0x100+u1); \ - LL^= *(DES_LONG *)((unsigned char *)des_SP+0x300+u2); \ - u3=(int)t>>8L; \ - u1=(int)t&0xfc; \ - u3&=0xfc; \ - LL^= *(DES_LONG *)((unsigned char *)des_SP+0x500+u1); \ - LL^= *(DES_LONG *)((unsigned char *)des_SP+0x700+u3); } -#endif -#ifdef DES_RISC2 -#define D_ENCRYPT(LL,R,S) { \ - unsigned int u1,u2,s1,s2; \ - LOAD_DATA(R,S,u,t,E0,E1,u1); \ - u2=(int)u>>8L; \ - u1=(int)u&0xfc; \ - u2&=0xfc; \ - t=ROTATE(t,4); \ - LL^= *(DES_LONG *)((unsigned char *)des_SP +u1); \ - LL^= *(DES_LONG *)((unsigned char *)des_SP+0x200+u2); \ - 
s1=(int)(u>>16L); \ - s2=(int)(u>>24L); \ - s1&=0xfc; \ - s2&=0xfc; \ - LL^= *(DES_LONG *)((unsigned char *)des_SP+0x400+s1); \ - LL^= *(DES_LONG *)((unsigned char *)des_SP+0x600+s2); \ - u2=(int)t>>8L; \ - u1=(int)t&0xfc; \ - u2&=0xfc; \ - LL^= *(DES_LONG *)((unsigned char *)des_SP+0x100+u1); \ - LL^= *(DES_LONG *)((unsigned char *)des_SP+0x300+u2); \ - s1=(int)(t>>16L); \ - s2=(int)(t>>24L); \ - s1&=0xfc; \ - s2&=0xfc; \ - LL^= *(DES_LONG *)((unsigned char *)des_SP+0x500+s1); \ - LL^= *(DES_LONG *)((unsigned char *)des_SP+0x700+s2); } -#endif -#else -#define D_ENCRYPT(LL,R,S) { \ - LOAD_DATA_tmp(R,S,u,t,E0,E1); \ - t=ROTATE(t,4); \ - LL^= \ - *(DES_LONG *)((unsigned char *)des_SP +((u )&0xfc))^ \ - *(DES_LONG *)((unsigned char *)des_SP+0x200+((u>> 8L)&0xfc))^ \ - *(DES_LONG *)((unsigned char *)des_SP+0x400+((u>>16L)&0xfc))^ \ - *(DES_LONG *)((unsigned char *)des_SP+0x600+((u>>24L)&0xfc))^ \ - *(DES_LONG *)((unsigned char *)des_SP+0x100+((t )&0xfc))^ \ - *(DES_LONG *)((unsigned char *)des_SP+0x300+((t>> 8L)&0xfc))^ \ - *(DES_LONG *)((unsigned char *)des_SP+0x500+((t>>16L)&0xfc))^ \ - *(DES_LONG *)((unsigned char *)des_SP+0x700+((t>>24L)&0xfc)); } -#endif - -#else /* original version */ - -#if defined(DES_RISC1) || defined(DES_RISC2) -#ifdef DES_RISC1 -#define D_ENCRYPT(LL,R,S) {\ - unsigned int u1,u2,u3; \ - LOAD_DATA(R,S,u,t,E0,E1,u1); \ - u>>=2L; \ - t=ROTATE(t,6); \ - u2=(int)u>>8L; \ - u1=(int)u&0x3f; \ - u2&=0x3f; \ - u>>=16L; \ - LL^=des_SPtrans[0][u1]; \ - LL^=des_SPtrans[2][u2]; \ - u3=(int)u>>8L; \ - u1=(int)u&0x3f; \ - u3&=0x3f; \ - LL^=des_SPtrans[4][u1]; \ - LL^=des_SPtrans[6][u3]; \ - u2=(int)t>>8L; \ - u1=(int)t&0x3f; \ - u2&=0x3f; \ - t>>=16L; \ - LL^=des_SPtrans[1][u1]; \ - LL^=des_SPtrans[3][u2]; \ - u3=(int)t>>8L; \ - u1=(int)t&0x3f; \ - u3&=0x3f; \ - LL^=des_SPtrans[5][u1]; \ - LL^=des_SPtrans[7][u3]; } -#endif -#ifdef DES_RISC2 -#define D_ENCRYPT(LL,R,S) {\ - unsigned int u1,u2,s1,s2; \ - LOAD_DATA(R,S,u,t,E0,E1,u1); \ - u>>=2L; \ - 
t=ROTATE(t,6); \ - u2=(int)u>>8L; \ - u1=(int)u&0x3f; \ - u2&=0x3f; \ - LL^=des_SPtrans[0][u1]; \ - LL^=des_SPtrans[2][u2]; \ - s1=(int)u>>16L; \ - s2=(int)u>>24L; \ - s1&=0x3f; \ - s2&=0x3f; \ - LL^=des_SPtrans[4][s1]; \ - LL^=des_SPtrans[6][s2]; \ - u2=(int)t>>8L; \ - u1=(int)t&0x3f; \ - u2&=0x3f; \ - LL^=des_SPtrans[1][u1]; \ - LL^=des_SPtrans[3][u2]; \ - s1=(int)t>>16; \ - s2=(int)t>>24L; \ - s1&=0x3f; \ - s2&=0x3f; \ - LL^=des_SPtrans[5][s1]; \ - LL^=des_SPtrans[7][s2]; } -#endif - -#else - -#define D_ENCRYPT(LL,R,S) {\ - LOAD_DATA_tmp(R,S,u,t,E0,E1); \ - t=ROTATE(t,4); \ - LL^=\ - des_SPtrans[0][(u>> 2L)&0x3f]^ \ - des_SPtrans[2][(u>>10L)&0x3f]^ \ - des_SPtrans[4][(u>>18L)&0x3f]^ \ - des_SPtrans[6][(u>>26L)&0x3f]^ \ - des_SPtrans[1][(t>> 2L)&0x3f]^ \ - des_SPtrans[3][(t>>10L)&0x3f]^ \ - des_SPtrans[5][(t>>18L)&0x3f]^ \ - des_SPtrans[7][(t>>26L)&0x3f]; } -#endif -#endif - - /* IP and FP - * The problem is more of a geometric problem that random bit fiddling. - 0 1 2 3 4 5 6 7 62 54 46 38 30 22 14 6 - 8 9 10 11 12 13 14 15 60 52 44 36 28 20 12 4 - 16 17 18 19 20 21 22 23 58 50 42 34 26 18 10 2 - 24 25 26 27 28 29 30 31 to 56 48 40 32 24 16 8 0 - - 32 33 34 35 36 37 38 39 63 55 47 39 31 23 15 7 - 40 41 42 43 44 45 46 47 61 53 45 37 29 21 13 5 - 48 49 50 51 52 53 54 55 59 51 43 35 27 19 11 3 - 56 57 58 59 60 61 62 63 57 49 41 33 25 17 9 1 - - The output has been subject to swaps of the form - 0 1 -> 3 1 but the odd and even bits have been put into - 2 3 2 0 - different words. 
The main trick is to remember that - t=((l>>size)^r)&(mask); - r^=t; - l^=(t<>(n))^(b))&(m)),\ - (b)^=(t),\ - (a)^=((t)<<(n))) - -#define IP(l,r) \ - { \ - register DES_LONG tt; \ - PERM_OP(r,l,tt, 4,0x0f0f0f0fL); \ - PERM_OP(l,r,tt,16,0x0000ffffL); \ - PERM_OP(r,l,tt, 2,0x33333333L); \ - PERM_OP(l,r,tt, 8,0x00ff00ffL); \ - PERM_OP(r,l,tt, 1,0x55555555L); \ - } - -#define FP(l,r) \ - { \ - register DES_LONG tt; \ - PERM_OP(l,r,tt, 1,0x55555555L); \ - PERM_OP(r,l,tt, 8,0x00ff00ffL); \ - PERM_OP(l,r,tt, 2,0x33333333L); \ - PERM_OP(r,l,tt,16,0x0000ffffL); \ - PERM_OP(l,r,tt, 4,0x0f0f0f0fL); \ - } - -extern const DES_LONG des_SPtrans[8][64]; - -#endif diff --git a/crypto/heimdal-0.6.3/lib/des/des_locl.org b/crypto/heimdal-0.6.3/lib/des/des_locl.org deleted file mode 100644 index 3853ddc834..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/des_locl.org +++ /dev/null 
@@ -1,509 +0,0 @@ -/* crypto/des/des_locl.h */ -/* Copyright (C) 1995-1997 Eric Young (eay@mincom.oz.au) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@mincom.oz.au). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@mincom.oz.au). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@mincom.oz.au)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. 
If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@mincom.oz.au)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -/* WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING - * - * Always modify des_locl.org since des_locl.h is automatically generated from - * it during SSLeay configuration. 
- * - * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING - */ - -#ifndef HEADER_DES_LOCL_H -#define HEADER_DES_LOCL_H - -#if defined(WIN32) || defined(WIN16) -#ifndef MSDOS -#define MSDOS -#endif -#endif - -#include -#include -#ifndef MSDOS -#include -#endif -#include "des.h" - -#ifndef DES_DEFAULT_OPTIONS -/* the following is tweaked from a config script, that is why it is a - * protected undef/define */ -#ifndef DES_PTR -#undef DES_PTR -#endif - -/* This helps C compiler generate the correct code for multiple functional - * units. It reduces register dependancies at the expense of 2 more - * registers */ -#ifndef DES_RISC1 -#undef DES_RISC1 -#endif - -#ifndef DES_RISC2 -#undef DES_RISC2 -#endif - -#if defined(DES_RISC1) && defined(DES_RISC2) -YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!! -#endif - -/* Unroll the inner loop, this sometimes helps, sometimes hinders. - * Very mucy CPU dependant */ -#ifndef DES_UNROLL -#undef DES_UNROLL -#endif - -/* These default values were supplied by - * Peter Gutman - * They are only used if nothing else has been defined */ -#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL) -/* Special defines which change the way the code is built depending on the - CPU and OS. For SGI machines you can use _MIPS_SZLONG (32 or 64) to find - even newer MIPS CPU's, but at the moment one size fits all for - optimization options. 
Older Sparc's work better with only UNROLL, but - there's no way to tell at compile time what it is you're running on */ - -#if defined( sun ) /* Newer Sparc's */ - #define DES_PTR - #define DES_RISC1 - #define DES_UNROLL -#elif defined( __ultrix ) /* Older MIPS */ - #define DES_PTR - #define DES_RISC2 - #define DES_UNROLL -#elif defined( __osf1__ ) /* Alpha */ - #define DES_PTR - #define DES_RISC2 -#elif defined ( _AIX ) /* RS6000 */ - /* Unknown */ -#elif defined( __hpux ) /* HP-PA */ - /* Unknown */ -#elif defined( __aux ) /* 68K */ - /* Unknown */ -#elif defined( __dgux ) /* 88K (but P6 in latest boxes) */ - #define DES_UNROLL -#elif defined( __sgi ) /* Newer MIPS */ - #define DES_PTR - #define DES_RISC2 - #define DES_UNROLL -#elif defined( i386 ) /* x86 boxes, should be gcc */ - #define DES_PTR - #define DES_RISC1 - #define DES_UNROLL -#endif /* Systems-specific speed defines */ -#endif - -#endif /* DES_DEFAULT_OPTIONS */ - -#ifdef MSDOS /* Visual C++ 2.1 (Windows NT/95) */ -#include -#include -#include -#include -#ifndef RAND -#define RAND -#endif -#undef NOPROTO -#endif - -#if defined(__STDC__) || defined(VMS) || defined(M_XENIX) || defined(MSDOS) -#include -#endif - -#ifndef RAND -#define RAND -#endif - -#ifdef linux -#undef RAND -#endif - -#ifdef MSDOS -#define getpid() 2 -#define RAND -#undef NOPROTO -#endif - -#if defined(NOCONST) -#define const -#endif - -#ifdef __STDC__ -#undef NOPROTO -#endif - -#ifdef RAND -#define srandom(s) srand(s) -#define random rand -#endif - -#define ITERATIONS 16 -#define HALF_ITERATIONS 8 - -/* used in des_read and des_write */ -#define MAXWRITE (1024*16) -#define BSIZE (MAXWRITE+4) - -#define c2l(c,l) (l =((DES_LONG)(*((c)++))) , \ - l|=((DES_LONG)(*((c)++)))<< 8L, \ - l|=((DES_LONG)(*((c)++)))<<16L, \ - l|=((DES_LONG)(*((c)++)))<<24L) - -/* NOTE - c is not incremented as per c2l */ -#define c2ln(c,l1,l2,n) { \ - c+=n; \ - l1=l2=0; \ - switch (n) { \ - case 8: l2 =((DES_LONG)(*(--(c))))<<24L; \ - case 7: 
l2|=((DES_LONG)(*(--(c))))<<16L; \ - case 6: l2|=((DES_LONG)(*(--(c))))<< 8L; \ - case 5: l2|=((DES_LONG)(*(--(c)))); \ - case 4: l1 =((DES_LONG)(*(--(c))))<<24L; \ - case 3: l1|=((DES_LONG)(*(--(c))))<<16L; \ - case 2: l1|=((DES_LONG)(*(--(c))))<< 8L; \ - case 1: l1|=((DES_LONG)(*(--(c)))); \ - } \ - } - -#define l2c(l,c) (*((c)++)=(unsigned char)(((l) )&0xff), \ - *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \ - *((c)++)=(unsigned char)(((l)>>16L)&0xff), \ - *((c)++)=(unsigned char)(((l)>>24L)&0xff)) - -/* replacements for htonl and ntohl since I have no idea what to do - * when faced with machines with 8 byte longs. */ -#define HDRSIZE 4 - -#define n2l(c,l) (l =((DES_LONG)(*((c)++)))<<24L, \ - l|=((DES_LONG)(*((c)++)))<<16L, \ - l|=((DES_LONG)(*((c)++)))<< 8L, \ - l|=((DES_LONG)(*((c)++)))) - -#define l2n(l,c) (*((c)++)=(unsigned char)(((l)>>24L)&0xff), \ - *((c)++)=(unsigned char)(((l)>>16L)&0xff), \ - *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \ - *((c)++)=(unsigned char)(((l) )&0xff)) - -/* NOTE - c is not incremented as per l2c */ -#define l2cn(l1,l2,c,n) { \ - c+=n; \ - switch (n) { \ - case 8: *(--(c))=(unsigned char)(((l2)>>24L)&0xff); \ - case 7: *(--(c))=(unsigned char)(((l2)>>16L)&0xff); \ - case 6: *(--(c))=(unsigned char)(((l2)>> 8L)&0xff); \ - case 5: *(--(c))=(unsigned char)(((l2) )&0xff); \ - case 4: *(--(c))=(unsigned char)(((l1)>>24L)&0xff); \ - case 3: *(--(c))=(unsigned char)(((l1)>>16L)&0xff); \ - case 2: *(--(c))=(unsigned char)(((l1)>> 8L)&0xff); \ - case 1: *(--(c))=(unsigned char)(((l1) )&0xff); \ - } \ - } - -#if defined(WIN32) -#define ROTATE(a,n) (_lrotr(a,n)) -#else -#define ROTATE(a,n) (((a)>>(n))+((a)<<(32-(n)))) -#endif - -/* Don't worry about the LOAD_DATA() stuff, that is used by - * fcrypt() to add it's little bit to the front */ - -#ifdef DES_FCRYPT - -#define LOAD_DATA_tmp(R,S,u,t,E0,E1) \ - { DES_LONG tmp; LOAD_DATA(R,S,u,t,E0,E1,tmp); } - -#define LOAD_DATA(R,S,u,t,E0,E1,tmp) \ - t=R^(R>>16L); \ - u=t&E0; t&=E1; \ - 
tmp=(u<<16); u^=R^s[S ]; u^=tmp; \ - tmp=(t<<16); t^=R^s[S+1]; t^=tmp -#else -#define LOAD_DATA_tmp(a,b,c,d,e,f) LOAD_DATA(a,b,c,d,e,f,g) -#define LOAD_DATA(R,S,u,t,E0,E1,tmp) \ - u=R^s[S ]; \ - t=R^s[S+1] -#endif - -/* The changes to this macro may help or hinder, depending on the - * compiler and the achitecture. gcc2 always seems to do well :-). - * Inspired by Dana How - * DO NOT use the alternative version on machines with 8 byte longs. - * It does not seem to work on the Alpha, even when DES_LONG is 4 - * bytes, probably an issue of accessing non-word aligned objects :-( */ -#ifdef DES_PTR - -/* It recently occured to me that 0^0^0^0^0^0^0 == 0, so there - * is no reason to not xor all the sub items together. This potentially - * saves a register since things can be xored directly into L */ - -#if defined(DES_RISC1) || defined(DES_RISC2) -#ifdef DES_RISC1 -#define D_ENCRYPT(LL,R,S) { \ - unsigned int u1,u2,u3; \ - LOAD_DATA(R,S,u,t,E0,E1,u1); \ - u2=(int)u>>8L; \ - u1=(int)u&0xfc; \ - u2&=0xfc; \ - t=ROTATE(t,4); \ - u>>=16L; \ - LL^= *(DES_LONG *)((unsigned char *)des_SP +u1); \ - LL^= *(DES_LONG *)((unsigned char *)des_SP+0x200+u2); \ - u3=(int)(u>>8L); \ - u1=(int)u&0xfc; \ - u3&=0xfc; \ - LL^= *(DES_LONG *)((unsigned char *)des_SP+0x400+u1); \ - LL^= *(DES_LONG *)((unsigned char *)des_SP+0x600+u3); \ - u2=(int)t>>8L; \ - u1=(int)t&0xfc; \ - u2&=0xfc; \ - t>>=16L; \ - LL^= *(DES_LONG *)((unsigned char *)des_SP+0x100+u1); \ - LL^= *(DES_LONG *)((unsigned char *)des_SP+0x300+u2); \ - u3=(int)t>>8L; \ - u1=(int)t&0xfc; \ - u3&=0xfc; \ - LL^= *(DES_LONG *)((unsigned char *)des_SP+0x500+u1); \ - LL^= *(DES_LONG *)((unsigned char *)des_SP+0x700+u3); } -#endif -#ifdef DES_RISC2 -#define D_ENCRYPT(LL,R,S) { \ - unsigned int u1,u2,s1,s2; \ - LOAD_DATA(R,S,u,t,E0,E1,u1); \ - u2=(int)u>>8L; \ - u1=(int)u&0xfc; \ - u2&=0xfc; \ - t=ROTATE(t,4); \ - LL^= *(DES_LONG *)((unsigned char *)des_SP +u1); \ - LL^= *(DES_LONG *)((unsigned char *)des_SP+0x200+u2); \ - 
s1=(int)(u>>16L); \ - s2=(int)(u>>24L); \ - s1&=0xfc; \ - s2&=0xfc; \ - LL^= *(DES_LONG *)((unsigned char *)des_SP+0x400+s1); \ - LL^= *(DES_LONG *)((unsigned char *)des_SP+0x600+s2); \ - u2=(int)t>>8L; \ - u1=(int)t&0xfc; \ - u2&=0xfc; \ - LL^= *(DES_LONG *)((unsigned char *)des_SP+0x100+u1); \ - LL^= *(DES_LONG *)((unsigned char *)des_SP+0x300+u2); \ - s1=(int)(t>>16L); \ - s2=(int)(t>>24L); \ - s1&=0xfc; \ - s2&=0xfc; \ - LL^= *(DES_LONG *)((unsigned char *)des_SP+0x500+s1); \ - LL^= *(DES_LONG *)((unsigned char *)des_SP+0x700+s2); } -#endif -#else -#define D_ENCRYPT(LL,R,S) { \ - LOAD_DATA_tmp(R,S,u,t,E0,E1); \ - t=ROTATE(t,4); \ - LL^= \ - *(DES_LONG *)((unsigned char *)des_SP +((u )&0xfc))^ \ - *(DES_LONG *)((unsigned char *)des_SP+0x200+((u>> 8L)&0xfc))^ \ - *(DES_LONG *)((unsigned char *)des_SP+0x400+((u>>16L)&0xfc))^ \ - *(DES_LONG *)((unsigned char *)des_SP+0x600+((u>>24L)&0xfc))^ \ - *(DES_LONG *)((unsigned char *)des_SP+0x100+((t )&0xfc))^ \ - *(DES_LONG *)((unsigned char *)des_SP+0x300+((t>> 8L)&0xfc))^ \ - *(DES_LONG *)((unsigned char *)des_SP+0x500+((t>>16L)&0xfc))^ \ - *(DES_LONG *)((unsigned char *)des_SP+0x700+((t>>24L)&0xfc)); } -#endif - -#else /* original version */ - -#if defined(DES_RISC1) || defined(DES_RISC2) -#ifdef DES_RISC1 -#define D_ENCRYPT(LL,R,S) {\ - unsigned int u1,u2,u3; \ - LOAD_DATA(R,S,u,t,E0,E1,u1); \ - u>>=2L; \ - t=ROTATE(t,6); \ - u2=(int)u>>8L; \ - u1=(int)u&0x3f; \ - u2&=0x3f; \ - u>>=16L; \ - LL^=des_SPtrans[0][u1]; \ - LL^=des_SPtrans[2][u2]; \ - u3=(int)u>>8L; \ - u1=(int)u&0x3f; \ - u3&=0x3f; \ - LL^=des_SPtrans[4][u1]; \ - LL^=des_SPtrans[6][u3]; \ - u2=(int)t>>8L; \ - u1=(int)t&0x3f; \ - u2&=0x3f; \ - t>>=16L; \ - LL^=des_SPtrans[1][u1]; \ - LL^=des_SPtrans[3][u2]; \ - u3=(int)t>>8L; \ - u1=(int)t&0x3f; \ - u3&=0x3f; \ - LL^=des_SPtrans[5][u1]; \ - LL^=des_SPtrans[7][u3]; } -#endif -#ifdef DES_RISC2 -#define D_ENCRYPT(LL,R,S) {\ - unsigned int u1,u2,s1,s2; \ - LOAD_DATA(R,S,u,t,E0,E1,u1); \ - u>>=2L; \ - 
t=ROTATE(t,6); \ - u2=(int)u>>8L; \ - u1=(int)u&0x3f; \ - u2&=0x3f; \ - LL^=des_SPtrans[0][u1]; \ - LL^=des_SPtrans[2][u2]; \ - s1=(int)u>>16L; \ - s2=(int)u>>24L; \ - s1&=0x3f; \ - s2&=0x3f; \ - LL^=des_SPtrans[4][s1]; \ - LL^=des_SPtrans[6][s2]; \ - u2=(int)t>>8L; \ - u1=(int)t&0x3f; \ - u2&=0x3f; \ - LL^=des_SPtrans[1][u1]; \ - LL^=des_SPtrans[3][u2]; \ - s1=(int)t>>16; \ - s2=(int)t>>24L; \ - s1&=0x3f; \ - s2&=0x3f; \ - LL^=des_SPtrans[5][s1]; \ - LL^=des_SPtrans[7][s2]; } -#endif - -#else - -#define D_ENCRYPT(LL,R,S) {\ - LOAD_DATA_tmp(R,S,u,t,E0,E1); \ - t=ROTATE(t,4); \ - LL^=\ - des_SPtrans[0][(u>> 2L)&0x3f]^ \ - des_SPtrans[2][(u>>10L)&0x3f]^ \ - des_SPtrans[4][(u>>18L)&0x3f]^ \ - des_SPtrans[6][(u>>26L)&0x3f]^ \ - des_SPtrans[1][(t>> 2L)&0x3f]^ \ - des_SPtrans[3][(t>>10L)&0x3f]^ \ - des_SPtrans[5][(t>>18L)&0x3f]^ \ - des_SPtrans[7][(t>>26L)&0x3f]; } -#endif -#endif - - /* IP and FP - * The problem is more of a geometric problem that random bit fiddling. - 0 1 2 3 4 5 6 7 62 54 46 38 30 22 14 6 - 8 9 10 11 12 13 14 15 60 52 44 36 28 20 12 4 - 16 17 18 19 20 21 22 23 58 50 42 34 26 18 10 2 - 24 25 26 27 28 29 30 31 to 56 48 40 32 24 16 8 0 - - 32 33 34 35 36 37 38 39 63 55 47 39 31 23 15 7 - 40 41 42 43 44 45 46 47 61 53 45 37 29 21 13 5 - 48 49 50 51 52 53 54 55 59 51 43 35 27 19 11 3 - 56 57 58 59 60 61 62 63 57 49 41 33 25 17 9 1 - - The output has been subject to swaps of the form - 0 1 -> 3 1 but the odd and even bits have been put into - 2 3 2 0 - different words. 
The main trick is to remember that - t=((l>>size)^r)&(mask); - r^=t; - l^=(t<>(n))^(b))&(m)),\ - (b)^=(t),\ - (a)^=((t)<<(n))) - -#define IP(l,r) \ - { \ - register DES_LONG tt; \ - PERM_OP(r,l,tt, 4,0x0f0f0f0fL); \ - PERM_OP(l,r,tt,16,0x0000ffffL); \ - PERM_OP(r,l,tt, 2,0x33333333L); \ - PERM_OP(l,r,tt, 8,0x00ff00ffL); \ - PERM_OP(r,l,tt, 1,0x55555555L); \ - } - -#define FP(l,r) \ - { \ - register DES_LONG tt; \ - PERM_OP(l,r,tt, 1,0x55555555L); \ - PERM_OP(r,l,tt, 8,0x00ff00ffL); \ - PERM_OP(l,r,tt, 2,0x33333333L); \ - PERM_OP(r,l,tt,16,0x0000ffffL); \ - PERM_OP(l,r,tt, 4,0x0f0f0f0fL); \ - } - -extern const DES_LONG des_SPtrans[8][64]; - -#endif diff --git a/crypto/heimdal-0.6.3/lib/des/des_opts.c b/crypto/heimdal-0.6.3/lib/des/des_opts.c deleted file mode 100644 index 90b035baef..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/des_opts.c +++ /dev/null 
@@ -1,616 +0,0 @@
-/* crypto/des/des_opts.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@mincom.oz.au)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@mincom.oz.au).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@mincom.oz.au).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@mincom.oz.au)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4.
If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@mincom.oz.au)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -/* define PART1, PART2, PART3 or PART4 to build only with a few of the options. - * This is for machines with 64k code segment size restrictions. */ - -#ifndef MSDOS -#define TIMES -#endif - -#include -#ifndef MSDOS -#include -#else -#include -extern void exit(); -#endif -#include -#ifndef VMS -#ifndef _IRIX -#include -#endif -#ifdef TIMES -#include -#include -#endif -#else /* VMS */ -#include -struct tms { - time_t tms_utime; - time_t tms_stime; - time_t tms_uchild; /* I dunno... 
*/ - time_t tms_uchildsys; /* so these names are a guess :-) */ - } -#endif -#ifndef TIMES -#include -#endif - -#ifdef sun -#include -#include -#endif - -#include "des.h" -#include "spr.h" - -#define DES_DEFAULT_OPTIONS - -#if !defined(PART1) && !defined(PART2) && !defined(PART3) && !defined(PART4) -#define PART1 -#define PART2 -#define PART3 -#define PART4 -#endif - -#ifdef PART1 - -#undef DES_UNROLL -#undef DES_RISC1 -#undef DES_RISC2 -#undef DES_PTR -#undef D_ENCRYPT -#define des_encrypt des_encrypt_u4_cisc_idx -#define des_encrypt2 des_encrypt2_u4_cisc_idx -#define des_encrypt3 des_encrypt3_u4_cisc_idx -#define des_decrypt3 des_decrypt3_u4_cisc_idx -#undef HEADER_DES_LOCL_H -#include "des_enc.c" - -#define DES_UNROLL -#undef DES_RISC1 -#undef DES_RISC2 -#undef DES_PTR -#undef D_ENCRYPT -#undef des_encrypt -#undef des_encrypt2 -#undef des_encrypt3 -#undef des_decrypt3 -#define des_encrypt des_encrypt_u16_cisc_idx -#define des_encrypt2 des_encrypt2_u16_cisc_idx -#define des_encrypt3 des_encrypt3_u16_cisc_idx -#define des_decrypt3 des_decrypt3_u16_cisc_idx -#undef HEADER_DES_LOCL_H -#include "des_enc.c" - -#undef DES_UNROLL -#define DES_RISC1 -#undef DES_RISC2 -#undef DES_PTR -#undef D_ENCRYPT -#undef des_encrypt -#undef des_encrypt2 -#undef des_encrypt3 -#undef des_decrypt3 -#define des_encrypt des_encrypt_u4_risc1_idx -#define des_encrypt2 des_encrypt2_u4_risc1_idx -#define des_encrypt3 des_encrypt3_u4_risc1_idx -#define des_decrypt3 des_decrypt3_u4_risc1_idx -#undef HEADER_DES_LOCL_H -#include "des_enc.c" - -#endif - -#ifdef PART2 - -#undef DES_UNROLL -#undef DES_RISC1 -#define DES_RISC2 -#undef DES_PTR -#undef D_ENCRYPT -#undef des_encrypt -#undef des_encrypt2 -#undef des_encrypt3 -#undef des_decrypt3 -#define des_encrypt des_encrypt_u4_risc2_idx -#define des_encrypt2 des_encrypt2_u4_risc2_idx -#define des_encrypt3 des_encrypt3_u4_risc2_idx -#define des_decrypt3 des_decrypt3_u4_risc2_idx -#undef HEADER_DES_LOCL_H -#include "des_enc.c" - -#define DES_UNROLL 
-#define DES_RISC1
-#undef DES_RISC2
-#undef DES_PTR
-#undef D_ENCRYPT
-#undef des_encrypt
-#undef des_encrypt2
-#undef des_encrypt3
-#undef des_decrypt3
-#define des_encrypt des_encrypt_u16_risc1_idx
-#define des_encrypt2 des_encrypt2_u16_risc1_idx
-#define des_encrypt3 des_encrypt3_u16_risc1_idx
-#define des_decrypt3 des_decrypt3_u16_risc1_idx
-#undef HEADER_DES_LOCL_H
-#include "des_enc.c"
-
-#define DES_UNROLL
-#undef DES_RISC1
-#define DES_RISC2
-#undef DES_PTR
-#undef D_ENCRYPT
-#undef des_encrypt
-#undef des_encrypt2
-#undef des_encrypt3
-#undef des_decrypt3
-#define des_encrypt des_encrypt_u16_risc2_idx
-#define des_encrypt2 des_encrypt2_u16_risc2_idx
-#define des_encrypt3 des_encrypt3_u16_risc2_idx
-#define des_decrypt3 des_decrypt3_u16_risc2_idx
-#undef HEADER_DES_LOCL_H
-#include "des_enc.c"
-
-#endif
-
-#ifdef PART3
-
-#undef DES_UNROLL
-#undef DES_RISC1
-#undef DES_RISC2
-#define DES_PTR
-#undef D_ENCRYPT
-#undef des_encrypt
-#undef des_encrypt2
-#undef des_encrypt3
-#undef des_decrypt3
-#define des_encrypt des_encrypt_u4_cisc_ptr
-#define des_encrypt2 des_encrypt2_u4_cisc_ptr
-#define des_encrypt3 des_encrypt3_u4_cisc_ptr
-#define des_decrypt3 des_decrypt3_u4_cisc_ptr
-#undef HEADER_DES_LOCL_H
-#include "des_enc.c"
-
-#define DES_UNROLL
-#undef DES_RISC1
-#undef DES_RISC2
-#define DES_PTR
-#undef D_ENCRYPT
-#undef des_encrypt
-#undef des_encrypt2
-#undef des_encrypt3
-#undef des_decrypt3
-#define des_encrypt des_encrypt_u16_cisc_ptr
-#define des_encrypt2 des_encrypt2_u16_cisc_ptr
-#define des_encrypt3 des_encrypt3_u16_cisc_ptr
-#define des_decrypt3 des_decrypt3_u16_cisc_ptr
-#undef HEADER_DES_LOCL_H
-#include "des_enc.c"
-
-#undef DES_UNROLL
-#define DES_RISC1
-#undef DES_RISC2
-#define DES_PTR
-#undef D_ENCRYPT
-#undef des_encrypt
-#undef des_encrypt2
-#undef des_encrypt3
-#undef des_decrypt3
-#define des_encrypt des_encrypt_u4_risc1_ptr
-#define des_encrypt2 des_encrypt2_u4_risc1_ptr
-#define des_encrypt3 des_encrypt3_u4_risc1_ptr
-#define
des_decrypt3 des_decrypt3_u4_risc1_ptr
-#undef HEADER_DES_LOCL_H
-#include "des_enc.c"
-
-#endif
-
-#ifdef PART4
-
-#undef DES_UNROLL
-#undef DES_RISC1
-#define DES_RISC2
-#define DES_PTR
-#undef D_ENCRYPT
-#undef des_encrypt
-#undef des_encrypt2
-#undef des_encrypt3
-#undef des_decrypt3
-#define des_encrypt des_encrypt_u4_risc2_ptr
-#define des_encrypt2 des_encrypt2_u4_risc2_ptr
-#define des_encrypt3 des_encrypt3_u4_risc2_ptr
-#define des_decrypt3 des_decrypt3_u4_risc2_ptr
-#undef HEADER_DES_LOCL_H
-#include "des_enc.c"
-
-#define DES_UNROLL
-#define DES_RISC1
-#undef DES_RISC2
-#define DES_PTR
-#undef D_ENCRYPT
-#undef des_encrypt
-#undef des_encrypt2
-#undef des_encrypt3
-#undef des_decrypt3
-#define des_encrypt des_encrypt_u16_risc1_ptr
-#define des_encrypt2 des_encrypt2_u16_risc1_ptr
-#define des_encrypt3 des_encrypt3_u16_risc1_ptr
-#define des_decrypt3 des_decrypt3_u16_risc1_ptr
-#undef HEADER_DES_LOCL_H
-#include "des_enc.c"
-
-#define DES_UNROLL
-#undef DES_RISC1
-#define DES_RISC2
-#define DES_PTR
-#undef D_ENCRYPT
-#undef des_encrypt
-#undef des_encrypt2
-#undef des_encrypt3
-#undef des_decrypt3
-#define des_encrypt des_encrypt_u16_risc2_ptr
-#define des_encrypt2 des_encrypt2_u16_risc2_ptr
-#define des_encrypt3 des_encrypt3_u16_risc2_ptr
-#define des_decrypt3 des_decrypt3_u16_risc2_ptr
-#undef HEADER_DES_LOCL_H
-#include "des_enc.c"
-
-#endif
-
-/* The following if from times(3) man page.
It may need to be changed */ -#ifndef HZ -#ifndef CLK_TCK -#ifndef VMS -#define HZ 100.0 -#else /* VMS */ -#define HZ 100.0 -#endif -#else /* CLK_TCK */ -#define HZ ((double)CLK_TCK) -#endif -#endif - -#define BUFSIZE ((long)1024) -long run=0; - -#ifndef NOPROTO -double Time_F(int s); -#else -double Time_F(); -#endif - -#ifdef SIGALRM -#if defined(__STDC__) || defined(sgi) -#define SIGRETTYPE void -#else -#define SIGRETTYPE int -#endif - -#ifndef NOPROTO -SIGRETTYPE sig_done(int sig); -#else -SIGRETTYPE sig_done(); -#endif - -SIGRETTYPE sig_done(sig) -int sig; - { - signal(SIGALRM,sig_done); - run=0; -#ifdef LINT - sig=sig; -#endif - } -#endif - -#define START 0 -#define STOP 1 - -double Time_F(s) -int s; - { - double ret; -#ifdef TIMES - static struct tms tstart,tend; - - if (s == START) - { - times(&tstart); - return(0); - } - else - { - times(&tend); - ret=((double)(tend.tms_utime-tstart.tms_utime))/HZ; - return((ret == 0.0)?1e-6:ret); - } -#else /* !times() */ - static struct timeb tstart,tend; - long i; - - if (s == START) - { - ftime(&tstart); - return(0); - } - else - { - ftime(&tend); - i=(long)tend.millitm-(long)tstart.millitm; - ret=((double)(tend.time-tstart.time))+((double)i)/1000.0; - return((ret == 0.0)?1e-6:ret); - } -#endif - } - -#ifdef SIGALRM -#define print_name(name) fprintf(stderr,"Doing %s's for 10 seconds\n",name); alarm(10); -#else -#define print_name(name) fprintf(stderr,"Doing %s %ld times\n",name,cb); -#endif - -#define time_it(func,name,index) \ - print_name(name); \ - Time_F(START); \ - for (count=0,run=1; COND(cb); count++) \ - { \ - unsigned long d[2]; \ - func(d,&(sch[0]),DES_ENCRYPT); \ - } \ - tm[index]=Time_F(STOP); \ - fprintf(stderr,"%ld %s's in %.2f second\n",count,name,tm[index]); \ - tm[index]=((double)COUNT(cb))/tm[index]; - -#define print_it(name,index) \ - fprintf(stderr,"%s bytes per sec = %12.2f (%5.1fuS)\n",name, \ - tm[index]*8,1.0e6/tm[index]); - -int main(argc,argv) -int argc; -char **argv; - { - long count; - static 
unsigned char buf[BUFSIZE]; - static des_cblock key ={0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0}; - static des_cblock key2={0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12}; - static des_cblock key3={0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12,0x34}; - des_key_schedule sch,sch2,sch3; - double d,tm[16],max=0; - int rank[16]; - char *str[16]; - int max_idx=0,i,num=0,j; -#ifndef SIGALARM - long ca,cb,cc,cd,ce; -#endif - - for (i=0; i<12; i++) - { - tm[i]=0.0; - rank[i]=0; - } - -#ifndef TIMES - fprintf(stderr,"To get the most acurate results, try to run this\n"); - fprintf(stderr,"program when this computer is idle.\n"); -#endif - - des_set_key((C_Block *)key,sch); - des_set_key((C_Block *)key2,sch2); - des_set_key((C_Block *)key3,sch3); - -#ifndef SIGALRM - fprintf(stderr,"First we calculate the approximate speed ...\n"); - des_set_key((C_Block *)key,sch); - count=10; - do { - long i; - unsigned long data[2]; - - count*=2; - Time_F(START); - for (i=count; i; i--) - des_encrypt(data,&(sch[0]),DES_ENCRYPT); - d=Time_F(STOP); - } while (d < 3.0); - ca=count; - cb=count*3; - cc=count*3*8/BUFSIZE+1; - cd=count*8/BUFSIZE+1; - - ce=count/20+1; -#define COND(d) (count != (d)) -#define COUNT(d) (d) -#else -#define COND(c) (run) -#define COUNT(d) (count) - signal(SIGALRM,sig_done); - alarm(10); -#endif - -#ifdef PART1 - time_it(des_encrypt_u4_cisc_idx, "des_encrypt_u4_cisc_idx ", 0); - time_it(des_encrypt_u16_cisc_idx, "des_encrypt_u16_cisc_idx ", 1); - time_it(des_encrypt_u4_risc1_idx, "des_encrypt_u4_risc1_idx ", 2); - num+=3; -#endif -#ifdef PART2 - time_it(des_encrypt_u16_risc1_idx,"des_encrypt_u16_risc1_idx", 3); - time_it(des_encrypt_u4_risc2_idx, "des_encrypt_u4_risc2_idx ", 4); - time_it(des_encrypt_u16_risc2_idx,"des_encrypt_u16_risc2_idx", 5); - num+=3; -#endif -#ifdef PART3 - time_it(des_encrypt_u4_cisc_ptr, "des_encrypt_u4_cisc_ptr ", 6); - time_it(des_encrypt_u16_cisc_ptr, "des_encrypt_u16_cisc_ptr ", 7); - time_it(des_encrypt_u4_risc1_ptr, "des_encrypt_u4_risc1_ptr ", 8); - num+=3; 
-#endif -#ifdef PART4 - time_it(des_encrypt_u16_risc1_ptr,"des_encrypt_u16_risc1_ptr", 9); - time_it(des_encrypt_u4_risc2_ptr, "des_encrypt_u4_risc2_ptr ",10); - time_it(des_encrypt_u16_risc2_ptr,"des_encrypt_u16_risc2_ptr",11); - num+=3; -#endif - -#ifdef PART1 - str[0]=" 4 c i"; - print_it("des_encrypt_u4_cisc_idx ",0); - max=tm[0]; - max_idx=0; - str[1]="16 c i"; - print_it("des_encrypt_u16_cisc_idx ",1); - if (max < tm[1]) { max=tm[1]; max_idx=1; } - str[2]=" 4 r1 i"; - print_it("des_encrypt_u4_risc1_idx ",2); - if (max < tm[2]) { max=tm[2]; max_idx=2; } -#endif -#ifdef PART2 - str[3]="16 r1 i"; - print_it("des_encrypt_u16_risc1_idx",3); - if (max < tm[3]) { max=tm[3]; max_idx=3; } - str[4]=" 4 r2 i"; - print_it("des_encrypt_u4_risc2_idx ",4); - if (max < tm[4]) { max=tm[4]; max_idx=4; } - str[5]="16 r2 i"; - print_it("des_encrypt_u16_risc2_idx",5); - if (max < tm[5]) { max=tm[5]; max_idx=5; } -#endif -#ifdef PART3 - str[6]=" 4 c p"; - print_it("des_encrypt_u4_cisc_ptr ",6); - if (max < tm[6]) { max=tm[6]; max_idx=6; } - str[7]="16 c p"; - print_it("des_encrypt_u16_cisc_ptr ",7); - if (max < tm[7]) { max=tm[7]; max_idx=7; } - str[8]=" 4 r1 p"; - print_it("des_encrypt_u4_risc1_ptr ",8); - if (max < tm[8]) { max=tm[8]; max_idx=8; } -#endif -#ifdef PART4 - str[9]="16 r1 p"; - print_it("des_encrypt_u16_risc1_ptr",9); - if (max < tm[9]) { max=tm[9]; max_idx=9; } - str[10]=" 4 r2 p"; - print_it("des_encrypt_u4_risc2_ptr ",10); - if (max < tm[10]) { max=tm[10]; max_idx=10; } - str[11]="16 r2 p"; - print_it("des_encrypt_u16_risc2_ptr",11); - if (max < tm[11]) { max=tm[11]; max_idx=11; } -#endif - printf("options des ecb/s\n"); - printf("%s %12.2f 100.0%%\n",str[max_idx],tm[max_idx]); - d=tm[max_idx]; - tm[max_idx]= -2.0; - max= -1.0; - for (;;) - { - for (i=0; i<12; i++) - { - if (max < tm[i]) { max=tm[i]; j=i; } - } - if (max < 0.0) break; - printf("%s %12.2f %4.1f%%\n",str[j],tm[j],tm[j]/d*100.0); - tm[j]= -2.0; - max= -1.0; - } - - switch (max_idx) - { - case 0: - 
printf("-DDES_DEFAULT_OPTIONS\n"); - break; - case 1: - printf("-DDES_UNROLL\n"); - break; - case 2: - printf("-DDES_RISC1\n"); - break; - case 3: - printf("-DDES_UNROLL -DDES_RISC1\n"); - break; - case 4: - printf("-DDES_RISC2\n"); - break; - case 5: - printf("-DDES_UNROLL -DDES_RISC2\n"); - break; - case 6: - printf("-DDES_PTR\n"); - break; - case 7: - printf("-DDES_UNROLL -DDES_PTR\n"); - break; - case 8: - printf("-DDES_RISC1 -DDES_PTR\n"); - break; - case 9: - printf("-DDES_UNROLL -DDES_RISC1 -DDES_PTR\n"); - break; - case 10: - printf("-DDES_RISC2 -DDES_PTR\n"); - break; - case 11: - printf("-DDES_UNROLL -DDES_RISC2 -DDES_PTR\n"); - break; - } - exit(0); -#if defined(LINT) || defined(MSDOS) - return(0); -#endif - } diff --git a/crypto/heimdal-0.6.3/lib/des/des_ver.h b/crypto/heimdal-0.6.3/lib/des/des_ver.h deleted file mode 100644 index 5edda07db7..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/des_ver.h +++ /dev/null 
@@ -1,60 +0,0 @@
-/* crypto/des/des_ver.h */
-/* Copyright (C) 1995-1997 Eric Young (eay@mincom.oz.au)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@mincom.oz.au).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@mincom.oz.au).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@mincom.oz.au)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4.
If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@mincom.oz.au)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-extern char *DES_version; /* SSLeay version string */
-extern char *libdes_version; /* old libdes version string */
diff --git a/crypto/heimdal-0.6.3/lib/des/destest.c b/crypto/heimdal-0.6.3/lib/des/destest.c
deleted file mode 100644
index e0d3ec7b44..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/destest.c
+++ /dev/null
@@ -1,876 +0,0 @@
-/* crypto/des/destest.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@mincom.oz.au)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@mincom.oz.au).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@mincom.oz.au).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@mincom.oz.au)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4.
If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@mincom.oz.au)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */ - -#ifdef HAVE_CONFIG_H -#include -#endif - -#if defined(WIN32) || defined(WIN16) || defined(WINDOWS) -#ifndef MSDOS -#define MSDOS -#endif -#endif - -#include -#include -#include -#ifdef HAVE_UNISTD_H -#include -#endif -#ifdef HAVE_IO_H -#include -#endif - -#include "des.h" - -/* tisk tisk - the test keys don't all have odd parity :-( */ -/* test data */ -#define NUM_TESTS 34 -static unsigned char key_data[NUM_TESTS][8]={ - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF}, - {0x30,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11}, - {0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF}, - {0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0xFE,0xDC,0xBA,0x98,0x76,0x54,0x32,0x10}, - {0x7C,0xA1,0x10,0x45,0x4A,0x1A,0x6E,0x57}, - {0x01,0x31,0xD9,0x61,0x9D,0xC1,0x37,0x6E}, - {0x07,0xA1,0x13,0x3E,0x4A,0x0B,0x26,0x86}, - {0x38,0x49,0x67,0x4C,0x26,0x02,0x31,0x9E}, - {0x04,0xB9,0x15,0xBA,0x43,0xFE,0xB5,0xB6}, - {0x01,0x13,0xB9,0x70,0xFD,0x34,0xF2,0xCE}, - {0x01,0x70,0xF1,0x75,0x46,0x8F,0xB5,0xE6}, - {0x43,0x29,0x7F,0xAD,0x38,0xE3,0x73,0xFE}, - {0x07,0xA7,0x13,0x70,0x45,0xDA,0x2A,0x16}, - {0x04,0x68,0x91,0x04,0xC2,0xFD,0x3B,0x2F}, - {0x37,0xD0,0x6B,0xB5,0x16,0xCB,0x75,0x46}, - {0x1F,0x08,0x26,0x0D,0x1A,0xC2,0x46,0x5E}, - {0x58,0x40,0x23,0x64,0x1A,0xBA,0x61,0x76}, - {0x02,0x58,0x16,0x16,0x46,0x29,0xB0,0x07}, - {0x49,0x79,0x3E,0xBC,0x79,0xB3,0x25,0x8F}, - {0x4F,0xB0,0x5E,0x15,0x15,0xAB,0x73,0xA7}, - {0x49,0xE9,0x5D,0x6D,0x4C,0xA2,0x29,0xBF}, - {0x01,0x83,0x10,0xDC,0x40,0x9B,0x26,0xD6}, - {0x1C,0x58,0x7F,0x1C,0x13,0x92,0x4F,0xEF}, - {0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01}, - {0x1F,0x1F,0x1F,0x1F,0x0E,0x0E,0x0E,0x0E}, - {0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1,0xFE}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF}, - {0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF}, - {0xFE,0xDC,0xBA,0x98,0x76,0x54,0x32,0x10}}; - -static unsigned char 
plain_data[NUM_TESTS][8]={ - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF}, - {0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x01}, - {0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11}, - {0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11}, - {0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF}, - {0x01,0xA1,0xD6,0xD0,0x39,0x77,0x67,0x42}, - {0x5C,0xD5,0x4C,0xA8,0x3D,0xEF,0x57,0xDA}, - {0x02,0x48,0xD4,0x38,0x06,0xF6,0x71,0x72}, - {0x51,0x45,0x4B,0x58,0x2D,0xDF,0x44,0x0A}, - {0x42,0xFD,0x44,0x30,0x59,0x57,0x7F,0xA2}, - {0x05,0x9B,0x5E,0x08,0x51,0xCF,0x14,0x3A}, - {0x07,0x56,0xD8,0xE0,0x77,0x47,0x61,0xD2}, - {0x76,0x25,0x14,0xB8,0x29,0xBF,0x48,0x6A}, - {0x3B,0xDD,0x11,0x90,0x49,0x37,0x28,0x02}, - {0x26,0x95,0x5F,0x68,0x35,0xAF,0x60,0x9A}, - {0x16,0x4D,0x5E,0x40,0x4F,0x27,0x52,0x32}, - {0x6B,0x05,0x6E,0x18,0x75,0x9F,0x5C,0xCA}, - {0x00,0x4B,0xD6,0xEF,0x09,0x17,0x60,0x62}, - {0x48,0x0D,0x39,0x00,0x6E,0xE7,0x62,0xF2}, - {0x43,0x75,0x40,0xC8,0x69,0x8F,0x3C,0xFA}, - {0x07,0x2D,0x43,0xA0,0x77,0x07,0x52,0x92}, - {0x02,0xFE,0x55,0x77,0x81,0x17,0xF1,0x2A}, - {0x1D,0x9D,0x5C,0x50,0x18,0xF7,0x28,0xC2}, - {0x30,0x55,0x32,0x28,0x6D,0x6F,0x29,0x5A}, - {0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF}, - {0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF}, - {0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF}, - {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF}}; - -static unsigned char cipher_data[NUM_TESTS][8]={ - {0x8C,0xA6,0x4D,0xE9,0xC1,0xB1,0x23,0xA7}, - {0x73,0x59,0xB2,0x16,0x3E,0x4E,0xDC,0x58}, - {0x95,0x8E,0x6E,0x62,0x7A,0x05,0x55,0x7B}, - {0xF4,0x03,0x79,0xAB,0x9E,0x0E,0xC5,0x33}, - {0x17,0x66,0x8D,0xFC,0x72,0x92,0x53,0x2D}, - {0x8A,0x5A,0xE1,0xF8,0x1A,0xB8,0xF2,0xDD}, - {0x8C,0xA6,0x4D,0xE9,0xC1,0xB1,0x23,0xA7}, - {0xED,0x39,0xD9,0x50,0xFA,0x74,0xBC,0xC4}, - 
{0x69,0x0F,0x5B,0x0D,0x9A,0x26,0x93,0x9B}, - {0x7A,0x38,0x9D,0x10,0x35,0x4B,0xD2,0x71}, - {0x86,0x8E,0xBB,0x51,0xCA,0xB4,0x59,0x9A}, - {0x71,0x78,0x87,0x6E,0x01,0xF1,0x9B,0x2A}, - {0xAF,0x37,0xFB,0x42,0x1F,0x8C,0x40,0x95}, - {0x86,0xA5,0x60,0xF1,0x0E,0xC6,0xD8,0x5B}, - {0x0C,0xD3,0xDA,0x02,0x00,0x21,0xDC,0x09}, - {0xEA,0x67,0x6B,0x2C,0xB7,0xDB,0x2B,0x7A}, - {0xDF,0xD6,0x4A,0x81,0x5C,0xAF,0x1A,0x0F}, - {0x5C,0x51,0x3C,0x9C,0x48,0x86,0xC0,0x88}, - {0x0A,0x2A,0xEE,0xAE,0x3F,0xF4,0xAB,0x77}, - {0xEF,0x1B,0xF0,0x3E,0x5D,0xFA,0x57,0x5A}, - {0x88,0xBF,0x0D,0xB6,0xD7,0x0D,0xEE,0x56}, - {0xA1,0xF9,0x91,0x55,0x41,0x02,0x0B,0x56}, - {0x6F,0xBF,0x1C,0xAF,0xCF,0xFD,0x05,0x56}, - {0x2F,0x22,0xE4,0x9B,0xAB,0x7C,0xA1,0xAC}, - {0x5A,0x6B,0x61,0x2C,0xC2,0x6C,0xCE,0x4A}, - {0x5F,0x4C,0x03,0x8E,0xD1,0x2B,0x2E,0x41}, - {0x63,0xFA,0xC0,0xD0,0x34,0xD9,0xF7,0x93}, - {0x61,0x7B,0x3A,0x0C,0xE8,0xF0,0x71,0x00}, - {0xDB,0x95,0x86,0x05,0xF8,0xC8,0xC6,0x06}, - {0xED,0xBF,0xD1,0xC6,0x6C,0x29,0xCC,0xC7}, - {0x35,0x55,0x50,0xB2,0x15,0x0E,0x24,0x51}, - {0xCA,0xAA,0xAF,0x4D,0xEA,0xF1,0xDB,0xAE}, - {0xD5,0xD4,0x4F,0xF7,0x20,0x68,0x3D,0x0D}, - {0x2A,0x2B,0xB0,0x08,0xDF,0x97,0xC2,0xF2}}; - -static unsigned char cipher_ecb2[NUM_TESTS-1][8]={ - {0x92,0x95,0xB5,0x9B,0xB3,0x84,0x73,0x6E}, - {0x19,0x9E,0x9D,0x6D,0xF3,0x9A,0xA8,0x16}, - {0x2A,0x4B,0x4D,0x24,0x52,0x43,0x84,0x27}, - {0x35,0x84,0x3C,0x01,0x9D,0x18,0xC5,0xB6}, - {0x4A,0x5B,0x2F,0x42,0xAA,0x77,0x19,0x25}, - {0xA0,0x6B,0xA9,0xB8,0xCA,0x5B,0x17,0x8A}, - {0xAB,0x9D,0xB7,0xFB,0xED,0x95,0xF2,0x74}, - {0x3D,0x25,0x6C,0x23,0xA7,0x25,0x2F,0xD6}, - {0xB7,0x6F,0xAB,0x4F,0xBD,0xBD,0xB7,0x67}, - {0x8F,0x68,0x27,0xD6,0x9C,0xF4,0x1A,0x10}, - {0x82,0x57,0xA1,0xD6,0x50,0x5E,0x81,0x85}, - {0xA2,0x0F,0x0A,0xCD,0x80,0x89,0x7D,0xFA}, - {0xCD,0x2A,0x53,0x3A,0xDB,0x0D,0x7E,0xF3}, - {0xD2,0xC2,0xBE,0x27,0xE8,0x1B,0x68,0xE3}, - {0xE9,0x24,0xCF,0x4F,0x89,0x3C,0x5B,0x0A}, - {0xA7,0x18,0xC3,0x9F,0xFA,0x9F,0xD7,0x69}, - {0x77,0x2C,0x79,0xB1,0xD2,0x31,0x7E,0xB1}, - 
{0x49,0xAB,0x92,0x7F,0xD0,0x22,0x00,0xB7}, - {0xCE,0x1C,0x6C,0x7D,0x85,0xE3,0x4A,0x6F}, - {0xBE,0x91,0xD6,0xE1,0x27,0xB2,0xE9,0x87}, - {0x70,0x28,0xAE,0x8F,0xD1,0xF5,0x74,0x1A}, - {0xAA,0x37,0x80,0xBB,0xF3,0x22,0x1D,0xDE}, - {0xA6,0xC4,0xD2,0x5E,0x28,0x93,0xAC,0xB3}, - {0x22,0x07,0x81,0x5A,0xE4,0xB7,0x1A,0xAD}, - {0xDC,0xCE,0x05,0xE7,0x07,0xBD,0xF5,0x84}, - {0x26,0x1D,0x39,0x2C,0xB3,0xBA,0xA5,0x85}, - {0xB4,0xF7,0x0F,0x72,0xFB,0x04,0xF0,0xDC}, - {0x95,0xBA,0xA9,0x4E,0x87,0x36,0xF2,0x89}, - {0xD4,0x07,0x3A,0xF1,0x5A,0x17,0x82,0x0E}, - {0xEF,0x6F,0xAF,0xA7,0x66,0x1A,0x7E,0x89}, - {0xC1,0x97,0xF5,0x58,0x74,0x8A,0x20,0xE7}, - {0x43,0x34,0xCF,0xDA,0x22,0xC4,0x86,0xC8}, - {0x08,0xD7,0xB4,0xFB,0x62,0x9D,0x08,0x85}}; - -static unsigned char cbc_key [8]={0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef}; -static unsigned char cbc2_key[8]={0xf0,0xe1,0xd2,0xc3,0xb4,0xa5,0x96,0x87}; -static unsigned char cbc3_key[8]={0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10}; -static unsigned char cbc_iv [8]={0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10}; -static char cbc_data[40]="7654321 Now is the time for "; - -static unsigned char cbc_ok[32]={ - 0xcc,0xd1,0x73,0xff,0xab,0x20,0x39,0xf4, - 0xac,0xd8,0xae,0xfd,0xdf,0xd8,0xa1,0xeb, - 0x46,0x8e,0x91,0x15,0x78,0x88,0xba,0x68, - 0x1d,0x26,0x93,0x97,0xf7,0xfe,0x62,0xb4}; - -static unsigned char xcbc_ok[32]={ - 0x86,0x74,0x81,0x0D,0x61,0xA4,0xA5,0x48, - 0xB9,0x93,0x03,0xE1,0xB8,0xBB,0xBD,0xBD, - 0x64,0x30,0x0B,0xB9,0x06,0x65,0x81,0x76, - 0x04,0x1D,0x77,0x62,0x17,0xCA,0x2B,0xD2, - }; - -static unsigned char cbc3_ok[32]={ - 0x3F,0xE3,0x01,0xC9,0x62,0xAC,0x01,0xD0, - 0x22,0x13,0x76,0x3C,0x1C,0xBD,0x4C,0xDC, - 0x79,0x96,0x57,0xC0,0x64,0xEC,0xF5,0xD4, - 0x1C,0x67,0x38,0x12,0xCF,0xDE,0x96,0x75}; - -static unsigned char pcbc_ok[32]={ - 0xcc,0xd1,0x73,0xff,0xab,0x20,0x39,0xf4, - 0x6d,0xec,0xb4,0x70,0xa0,0xe5,0x6b,0x15, - 0xae,0xa6,0xbf,0x61,0xed,0x7d,0x9c,0x9f, - 0xf7,0x17,0x46,0x3b,0x8a,0xb3,0xcc,0x88}; - -static unsigned char 
cfb_key[8]={0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef}; -static unsigned char cfb_iv[8]={0x12,0x34,0x56,0x78,0x90,0xab,0xcd,0xef}; -static unsigned char cfb_buf1[40],cfb_buf2[40],cfb_tmp[8]; -static unsigned char plain[24]= - { - 0x4e,0x6f,0x77,0x20,0x69,0x73, - 0x20,0x74,0x68,0x65,0x20,0x74, - 0x69,0x6d,0x65,0x20,0x66,0x6f, - 0x72,0x20,0x61,0x6c,0x6c,0x20 - }; -static unsigned char cfb_cipher8[24]= { - 0xf3,0x1f,0xda,0x07,0x01,0x14, 0x62,0xee,0x18,0x7f,0x43,0xd8, - 0x0a,0x7c,0xd9,0xb5,0xb0,0xd2, 0x90,0xda,0x6e,0x5b,0x9a,0x87 }; -static unsigned char cfb_cipher16[24]={ - 0xF3,0x09,0x87,0x87,0x7F,0x57, 0xF7,0x3C,0x36,0xB6,0xDB,0x70, - 0xD8,0xD5,0x34,0x19,0xD3,0x86, 0xB2,0x23,0xB7,0xB2,0xAD,0x1B }; -static unsigned char cfb_cipher32[24]={ - 0xF3,0x09,0x62,0x49,0xA4,0xDF, 0xA4,0x9F,0x33,0xDC,0x7B,0xAD, - 0x4C,0xC8,0x9F,0x64,0xE4,0x53, 0xE5,0xEC,0x67,0x20,0xDA,0xB6 }; -static unsigned char cfb_cipher48[24]={ - 0xF3,0x09,0x62,0x49,0xC7,0xF4, 0x30,0xB5,0x15,0xEC,0xBB,0x85, - 0x97,0x5A,0x13,0x8C,0x68,0x60, 0xE2,0x38,0x34,0x3C,0xDC,0x1F }; -static unsigned char cfb_cipher64[24]={ - 0xF3,0x09,0x62,0x49,0xC7,0xF4, 0x6E,0x51,0xA6,0x9E,0x83,0x9B, - 0x1A,0x92,0xF7,0x84,0x03,0x46, 0x71,0x33,0x89,0x8E,0xA6,0x22 }; - -static unsigned char ofb_key[8]={0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef}; -static unsigned char ofb_iv[8]={0x12,0x34,0x56,0x78,0x90,0xab,0xcd,0xef}; -static unsigned char ofb_buf1[24],ofb_buf2[24],ofb_tmp[8]; -static unsigned char ofb_cipher[24]= - { - 0xf3,0x09,0x62,0x49,0xc7,0xf4,0x6e,0x51, - 0x35,0xf2,0x4a,0x24,0x2e,0xeb,0x3d,0x3f, - 0x3d,0x6d,0x5b,0xe3,0x25,0x5a,0xf8,0xc3 - }; - -DES_LONG cbc_cksum_ret=0xB462FEF7L; -unsigned char cbc_cksum_data[8]={0x1D,0x26,0x93,0x97,0xf7,0xfe,0x62,0xb4}; - -#ifndef NOPROTO -static char *pt(unsigned char *p); -static int cfb_test(int bits, unsigned char *cfb_cipher); -static int cfb64_test(unsigned char *cfb_cipher); -static int ede_cfb64_test(unsigned char *cfb_cipher); -#else -static char *pt(); -static int cfb_test(); -static 
int cfb64_test(); -static int ede_cfb64_test(); -#endif - -int main(argc,argv) -int argc; -char *argv[]; - { - int i,j,err=0; - des_cblock in,out,outin,iv3; - des_key_schedule ks,ks2,ks3; - unsigned char cbc_in[40]; - unsigned char cbc_out[40]; - DES_LONG cs; - unsigned char cret[8]; -#ifdef _CRAY - struct { - int a:32; - int b:32; - } lqret[2]; -#else - DES_LONG lqret[4]; -#endif - int num; - char *str; - - printf("Doing ecb\n"); - for (i=0; i>4)&0xf]; - ret[i*2+1]=f[p[i]&0xf]; - } - ret[16]='\0'; - return(ret); - } - -#ifndef LIBDES_LIT - -static int cfb_test(bits, cfb_cipher) -int bits; -unsigned char *cfb_cipher; - { - des_key_schedule ks; - int i,err=0; - - des_key_sched((C_Block *)cfb_key,ks); - memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv)); - des_cfb_encrypt(plain,cfb_buf1,bits,(long)sizeof(plain),ks, - (C_Block *)cfb_tmp,DES_ENCRYPT); - if (memcmp(cfb_cipher,cfb_buf1,sizeof(plain)) != 0) - { - err=1; - printf("cfb_encrypt encrypt error\n"); - for (i=0; i<24; i+=8) - printf("%s\n",pt(&(cfb_buf1[i]))); - } - memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv)); - des_cfb_encrypt(cfb_buf1,cfb_buf2,bits,(long)sizeof(plain),ks, - (C_Block *)cfb_tmp,DES_DECRYPT); - if (memcmp(plain,cfb_buf2,sizeof(plain)) != 0) - { - err=1; - printf("cfb_encrypt decrypt error\n"); - for (i=0; i<24; i+=8) - printf("%s\n",pt(&(cfb_buf1[i]))); - } - return(err); - } - -static int cfb64_test(cfb_cipher) -unsigned char *cfb_cipher; - { - des_key_schedule ks; - int err=0,i,n; - - des_key_sched((C_Block *)cfb_key,ks); - memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv)); - n=0; - des_cfb64_encrypt(plain,cfb_buf1,(long)12,ks, - (C_Block *)cfb_tmp,&n,DES_ENCRYPT); - des_cfb64_encrypt(&(plain[12]),&(cfb_buf1[12]), - (long)sizeof(plain)-12,ks, - (C_Block *)cfb_tmp,&n,DES_ENCRYPT); - if (memcmp(cfb_cipher,cfb_buf1,sizeof(plain)) != 0) - { - err=1; - printf("cfb_encrypt encrypt error\n"); - for (i=0; i<24; i+=8) - printf("%s\n",pt(&(cfb_buf1[i]))); - } - memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv)); - n=0; - 
des_cfb64_encrypt(cfb_buf1,cfb_buf2,(long)17,ks, - (C_Block *)cfb_tmp,&n,DES_DECRYPT); - des_cfb64_encrypt(&(cfb_buf1[17]),&(cfb_buf2[17]), - (long)sizeof(plain)-17,ks, - (C_Block *)cfb_tmp,&n,DES_DECRYPT); - if (memcmp(plain,cfb_buf2,sizeof(plain)) != 0) - { - err=1; - printf("cfb_encrypt decrypt error\n"); - for (i=0; i<24; i+=8) - printf("%s\n",pt(&(cfb_buf2[i]))); - } - return(err); - } - -static int ede_cfb64_test(cfb_cipher) -unsigned char *cfb_cipher; - { - des_key_schedule ks; - int err=0,i,n; - - des_key_sched((C_Block *)cfb_key,ks); - memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv)); - n=0; - des_ede3_cfb64_encrypt(plain,cfb_buf1,(long)12,ks,ks,ks, - (C_Block *)cfb_tmp,&n,DES_ENCRYPT); - des_ede3_cfb64_encrypt(&(plain[12]),&(cfb_buf1[12]), - (long)sizeof(plain)-12,ks,ks,ks, - (C_Block *)cfb_tmp,&n,DES_ENCRYPT); - if (memcmp(cfb_cipher,cfb_buf1,sizeof(plain)) != 0) - { - err=1; - printf("ede_cfb_encrypt encrypt error\n"); - for (i=0; i<24; i+=8) - printf("%s\n",pt(&(cfb_buf1[i]))); - } - memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv)); - n=0; - des_ede3_cfb64_encrypt(cfb_buf1,cfb_buf2,(long)17,ks,ks,ks, - (C_Block *)cfb_tmp,&n,DES_DECRYPT); - des_ede3_cfb64_encrypt(&(cfb_buf1[17]),&(cfb_buf2[17]), - (long)sizeof(plain)-17,ks,ks,ks, - (C_Block *)cfb_tmp,&n,DES_DECRYPT); - if (memcmp(plain,cfb_buf2,sizeof(plain)) != 0) - { - err=1; - printf("ede_cfb_encrypt decrypt error\n"); - for (i=0; i<24; i+=8) - printf("%s\n",pt(&(cfb_buf2[i]))); - } - return(err); - } - -#endif - diff --git a/crypto/heimdal-0.6.3/lib/des/dllmain.c b/crypto/heimdal-0.6.3/lib/des/dllmain.c deleted file mode 100644 index 5250967507..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/dllmain.c +++ /dev/null 
@@ -1,52 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: dllmain.c,v 1.6 1999/12/02 16:58:38 joda Exp $");
-#endif
-
-#include
-
-BOOL WINAPI
-DllMain (HANDLE hInst,
- ULONG reason,
- LPVOID lpReserved)
-{
- switch(reason) {
- case DLL_PROCESS_ATTACH:
- case DLL_PROCESS_DETACH:
- default:
- return TRUE;
- }
-}
diff --git a/crypto/heimdal-0.6.3/lib/des/doIP b/crypto/heimdal-0.6.3/lib/des/doIP
deleted file mode 100644
index 18cf231303..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/doIP
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/usr/local/bin/perl
-
-@l=(
- 0, 1, 2, 3, 4, 5, 6, 7,
- 8, 9,10,11,12,13,14,15,
- 16,17,18,19,20,21,22,23,
- 24,25,26,27,28,29,30,31
- );
-@r=(
- 32,33,34,35,36,37,38,39,
- 40,41,42,43,44,45,46,47,
- 48,49,50,51,52,53,54,55,
- 56,57,58,59,60,61,62,63
- );
-
-require 'shifts.pl';
-
-sub PERM_OP
- {
- local(*a,*b,*t,$n,$m)=@_;
-
- @z=&shift(*a,-$n);
- @z=&xor(*b,*z);
- @z=&and(*z,$m);
- @b=&xor(*b,*z);
- @z=&shift(*z,$n);
- @a=&xor(*a,*z);
- }
-
-
-@L=@l;
-@R=@r;
-&PERM_OP(*R,*L,*T,4,0x0f0f0f0f);
-&PERM_OP(*L,*R,*T,16,0x0000ffff);
-&PERM_OP(*R,*L,*T,2,0x33333333);
-&PERM_OP(*L,*R,*T,8,0x00ff00ff);
-&PERM_OP(*R,*L,*T,1,0x55555555);
- &printit(@L);
- &printit(@R);
-&PERM_OP(*R,*L,*T,1,0x55555555);
-&PERM_OP(*L,*R,*T,8,0x00ff00ff);
-&PERM_OP(*R,*L,*T,2,0x33333333);
-&PERM_OP(*L,*R,*T,16,0x0000ffff);
-&PERM_OP(*R,*L,*T,4,0x0f0f0f0f);
- &printit(@L);
- &printit(@R);
diff --git a/crypto/heimdal-0.6.3/lib/des/doPC1 b/crypto/heimdal-0.6.3/lib/des/doPC1
deleted file mode 100644
index 096afd8c46..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/doPC1
+++ /dev/null
@@ -1,110 +0,0 @@
-#!/usr/local/bin/perl
-
-@l=(
- 0, 1, 2, 3, 4, 5, 6, 7,
- 8, 9,10,11,12,13,14,15,
- 16,17,18,19,20,21,22,23,
- 24,25,26,27,28,29,30,31
- );
-@r=(
- 32,33,34,35,36,37,38,39,
- 40,41,42,43,44,45,46,47,
- 48,49,50,51,52,53,54,55,
- 56,57,58,59,60,61,62,63
- );
-
-require 'shifts.pl';
-
-sub PERM_OP
- {
- local(*a,*b,*t,$n,$m)=@_;
-
- @z=&shift(*a,-$n);
- @z=&xor(*b,*z);
- @z=&and(*z,$m);
- @b=&xor(*b,*z);
- @z=&shift(*z,$n);
- @a=&xor(*a,*z);
- }
-
-sub HPERM_OP2
- {
- local(*a,*t,$n,$m)=@_;
- local(@x,@y,$i);
-
- @z=&shift(*a,16-$n);
- @z=&xor(*a,*z);
- @z=&and(*z,$m);
- @a=&xor(*a,*z);
- @z=&shift(*z,$n-16);
- @a=&xor(*a,*z);
- }
-
-sub HPERM_OP
- {
- local(*a,*t,$n,$m)=@_;
- local(@x,@y,$i);
-
- for ($i=0; $i<16; $i++)
- {
- $x[$i]=$a[$i];
- $y[$i]=$a[16+$i];
- }
- @z=&shift(*x,-$n);
- @z=&xor(*y,*z);
- @z=&and(*z,$m);
- @y=&xor(*y,*z);
- @z=&shift(*z,$n);
- @x=&xor(*x,*z);
- for ($i=0; $i<16; $i++)
- {
- $a[$i]=$x[$i];
- $a[16+$i]=$y[$i];
- }
- }
-
-@L=@l;
-@R=@r;
-
- print "---\n"; &printit(@R);
-&PERM_OP(*R,*L,*T,4,0x0f0f0f0f);
- print "---\n"; &printit(@R);
-&HPERM_OP2(*L,*T,-2,0xcccc0000);
-&HPERM_OP2(*R,*T,-2,0xcccc0000);
- print "---\n"; &printit(@R);
-&PERM_OP(*R,*L,*T,1,0x55555555);
- print "---\n"; &printit(@R);
-&PERM_OP(*L,*R,*T,8,0x00ff00ff);
- print "---\n"; &printit(@R);
-&PERM_OP(*R,*L,*T,1,0x55555555);
- print "---\n"; &printit(@R);
-# &printit(@L);
- &printit(@R);
-print <<"EOF";
-==============================
-63 55 47 39 31 23 15 7
-62 54 46 38 30 22 14 6
-61 53 45 37 29 21 13 5
-60 52 44 36 -- -- -- --
-
-57 49 41 33 25 17 9 1
-58 50 42 34 26 18 10 2
-59 51 43 35 27 19 11 3
-28 20 12 4 -- -- -- --
-EOF
-exit(1);
-@A=&and(*R,0x000000ff);
-@A=&shift(*A,16);
-@B=&and(*R,0x0000ff00);
-@C=&and(*R,0x00ff0000);
-@C=&shift(*C,-16);
-@D=&and(*L,0xf0000000);
-@D=&shift(*D,-4);
-@A=&or(*A,*B);
-@B=&or(*D,*C);
-@R=&or(*A,*B);
-@L=&and(*L,0x0fffffff);
-
- &printit(@L);
- &printit(@R);
-
diff --git a/crypto/heimdal-0.6.3/lib/des/doPC2 b/crypto/heimdal-0.6.3/lib/des/doPC2
deleted file mode 100644
index fa5cf74cf7..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/doPC2
+++ /dev/null
@@ -1,94 +0,0 @@
-#!/usr/local/bin/perl
-
-@PC2_C=(14,17,11,24, 1, 5,
- 3,28,15, 6,21,10,
- 23,19,12, 4,26, 8,
- 16, 7,27,20,13, 2,
- );
-
-@PC2_D=(41,52,31,37,47,55,
- 30,40,51,45,33,48,
- 44,49,39,56,34,53,
- 46,42,50,36,29,32,
- );
-
-$i=0;
-foreach (@PC2_C) {
- $_--;
-# printf "%2d,",$_;
- $C{$_}=$i;
- ++$i;
-# print "\n" if ((($i) % 8) == 0);
- }
-$i=0;
-#print "\n";
-foreach (@PC2_D) {
- $_-=28;
- $_--;
-# printf "%2d,",$_;
- $D{$_}=$i;
- $i++;
-# print "\n" if ((($i) % 8) == 0);
- }
-
-#print "\n";
-foreach $i (0 .. 27)
- {
- $_=$C{$i};
-# printf "%2d,",$_;
- $i++;
-# print "\n" if ((($i) % 8) == 0);
- }
-#print "\n";
-
-#print "\n";
-foreach $i (0 .. 27)
- {
- $_=$D{$i};
-# printf "%2d,",$_;
- $i++;
-# print "\n" if ((($i) % 8) == 0);
- }
-#print "\n";
-
-print "static ulong skb[8][64]={\n";
-&doit("C",*C, 0, 1, 2, 3, 4, 5);
-&doit("C",*C, 6, 7, 9,10,11,12);
-&doit("C",*C,13,14,15,16,18,19);
-&doit("C",*C,20,22,23,25,26,27);
-
-&doit("D",*D, 0, 1, 2, 3, 4, 5);
-&doit("D",*D, 7, 8,10,11,12,13);
-&doit("D",*D,15,16,17,18,19,20);
-&doit("D",*D,21,22,23,24,26,27);
-print "};\n";
-
-sub doit
- {
- local($l,*A,@b)=@_;
- local(@out);
-
- printf("/* for $l bits (numbered as per FIPS 46) %d %d %d %d %d %d */\n",
- $b[0]+1, $b[1]+1, $b[2]+1, $b[3]+1, $b[4]+1, $b[5]+1);
- for ($i=0; $i<64; $i++)
- {
- $out[$i]=0;
- $j=1;
-#print "\n";
- for ($k=0; $k<6; $k++)
- {
- $l=$A{$b[$k]};
-#print"$l - ";
- if ((1<<$k) & $i)
- {
- $ll=int($l/6)*8+($l%6);
- $out[$i]|=1<<($ll);
- }
- }
- $pp=$out[$i];
- $pp=($pp&0xff0000ff)| (($pp&0x00ff0000)>>8)|
- (($pp&0x0000ff00)<<8);
- printf("0x%08X,",$pp);
- print "\n" if (($i+1) % 4 == 0);
- }
- }
diff --git a/crypto/heimdal-0.6.3/lib/des/ecb3_enc.c b/crypto/heimdal-0.6.3/lib/des/ecb3_enc.c
deleted file mode 100644
index 03d8f87771..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/ecb3_enc.c
+++ /dev/null
@@ -1,87 +0,0 @@
-/* crypto/des/ecb3_enc.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@mincom.oz.au)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@mincom.oz.au).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@mincom.oz.au).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@mincom.oz.au)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@mincom.oz.au)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include "des_locl.h"
-
-void des_ecb3_encrypt(input, output, ks1, ks2, ks3, encrypt)
-des_cblock (*input);
-des_cblock (*output);
-des_key_schedule ks1;
-des_key_schedule ks2;
-des_key_schedule ks3;
-int encrypt;
- {
- register DES_LONG l0,l1;
- register unsigned char *in,*out;
- DES_LONG ll[2];
-
- in=(unsigned char *)input;
- out=(unsigned char *)output;
- c2l(in,l0);
- c2l(in,l1);
- ll[0]=l0;
- ll[1]=l1;
- if (encrypt)
- des_encrypt3(ll,ks1,ks2,ks3);
- else
- des_decrypt3(ll,ks1,ks2,ks3);
- l0=ll[0];
- l1=ll[1];
- l2c(l0,out);
- l2c(l1,out);
- }
diff --git a/crypto/heimdal-0.6.3/lib/des/ecb_enc.c b/crypto/heimdal-0.6.3/lib/des/ecb_enc.c
deleted file mode 100644
index 5fcaf19289..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/ecb_enc.c
+++ /dev/null
@@ -1,124 +0,0 @@
-/* crypto/des/ecb_enc.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@mincom.oz.au)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@mincom.oz.au).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@mincom.oz.au).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@mincom.oz.au)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@mincom.oz.au)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include "des_locl.h"
-#include "spr.h"
-
-char *libdes_version="libdes v 4.01 - 13-Jan-1997 - eay";
-char *DES_version="DES part of SSLeay 0.6.6 14-Jan-1997";
-
-char *des_options()
- {
- static int init=1;
- static char buf[32];
-
- if (init)
- {
- char *ptr,*unroll,*risc,*size;
-
- init=0;
-#ifdef DES_PTR
- ptr="ptr";
-#else
- ptr="idx";
-#endif
-#if defined(DES_RISC1) || defined(DES_RISC2)
-#ifdef DES_RISC1
- risc="risc1";
-#endif
-#ifdef DES_RISC2
- risc="risc2";
-#endif
-#else
- risc="cisc";
-#endif
-#ifdef DES_UNROLL
- unroll="16";
-#else
- unroll="4";
-#endif
- if (sizeof(DES_LONG) != sizeof(long))
- size="int";
- else
- size="long";
- sprintf(buf,"des(%s,%s,%s,%s)",ptr,risc,unroll,size);
- }
- return(buf);
- }
-
-
-void des_ecb_encrypt(input, output, ks, encrypt)
-des_cblock (*input);
-des_cblock (*output);
-des_key_schedule ks;
-int encrypt;
- {
- register DES_LONG l;
- register unsigned char *in,*out;
- DES_LONG ll[2];
-
- in=(unsigned char *)input;
- out=(unsigned char *)output;
- c2l(in,l); ll[0]=l;
- c2l(in,l); ll[1]=l;
- des_encrypt(ll,ks,encrypt);
- l=ll[0]; l2c(l,out);
- l=ll[1]; l2c(l,out);
- l=ll[0]=ll[1]=0;
- }
-
diff --git a/crypto/heimdal-0.6.3/lib/des/ede_enc.c b/crypto/heimdal-0.6.3/lib/des/ede_enc.c
deleted file mode 100644
index c62efac4e3..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/ede_enc.c
+++ /dev/null
@@ -1,189 +0,0 @@
-/* crypto/des/ede_enc.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@mincom.oz.au)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@mincom.oz.au).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@mincom.oz.au).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@mincom.oz.au)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@mincom.oz.au)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include "des_locl.h"
-
-void des_ede3_cbc_encrypt(input, output, length, ks1, ks2, ks3, ivec, encrypt)
-des_cblock (*input);
-des_cblock (*output);
-long length;
-des_key_schedule ks1;
-des_key_schedule ks2;
-des_key_schedule ks3;
-des_cblock (*ivec);
-int encrypt;
- {
- register DES_LONG tin0,tin1;
- register DES_LONG tout0,tout1,xor0,xor1;
- register unsigned char *in,*out;
- register long l=length;
- DES_LONG tin[2];
- unsigned char *iv;
-
- in=(unsigned char *)input;
- out=(unsigned char *)output;
- iv=(unsigned char *)ivec;
-
- if (encrypt)
- {
- c2l(iv,tout0);
- c2l(iv,tout1);
- for (l-=8; l>=0; l-=8)
- {
- c2l(in,tin0);
- c2l(in,tin1);
- tin0^=tout0;
- tin1^=tout1;
-
- tin[0]=tin0;
- tin[1]=tin1;
- des_encrypt3((DES_LONG *)tin,ks1,ks2,ks3);
- tout0=tin[0];
- tout1=tin[1];
-
- l2c(tout0,out);
- l2c(tout1,out);
- }
- if (l != -8)
- {
- c2ln(in,tin0,tin1,l+8);
- tin0^=tout0;
- tin1^=tout1;
-
- tin[0]=tin0;
- tin[1]=tin1;
- des_encrypt3((DES_LONG *)tin,ks1,ks2,ks3);
- tout0=tin[0];
- tout1=tin[1];
-
- l2c(tout0,out);
- l2c(tout1,out);
- }
- iv=(unsigned char *)ivec;
- l2c(tout0,iv);
- l2c(tout1,iv);
- }
- else
- {
- register DES_LONG t0,t1;
-
- c2l(iv,xor0);
- c2l(iv,xor1);
- for (l-=8; l>=0; l-=8)
- {
- c2l(in,tin0);
- c2l(in,tin1);
-
- t0=tin0;
- t1=tin1;
-
- tin[0]=tin0;
- tin[1]=tin1;
- des_decrypt3((DES_LONG *)tin,ks1,ks2,ks3);
- tout0=tin[0];
- tout1=tin[1];
-
- tout0^=xor0;
- tout1^=xor1;
- l2c(tout0,out);
- l2c(tout1,out);
- xor0=t0;
- xor1=t1;
- }
- if (l != -8)
- {
- c2l(in,tin0);
- c2l(in,tin1);
-
- t0=tin0;
- t1=tin1;
-
- tin[0]=tin0;
- tin[1]=tin1;
- des_decrypt3((DES_LONG *)tin,ks1,ks2,ks3);
- tout0=tin[0];
- tout1=tin[1];
-
- tout0^=xor0;
- tout1^=xor1;
- l2cn(tout0,tout1,out,l+8);
- xor0=t0;
- xor1=t1;
- }
- iv=(unsigned char *)ivec;
- l2c(xor0,iv);
- l2c(xor1,iv);
- }
- tin0=tin1=tout0=tout1=xor0=xor1=0;
- tin[0]=tin[1]=0;
- }
-
-#ifdef undef /* MACRO */
-void des_ede2_cbc_encrypt(input, output, length, ks1, ks2, ivec, enc)
-des_cblock (*input);
-des_cblock (*output);
-long length;
-des_key_schedule ks1;
-des_key_schedule ks2;
-des_cblock (*ivec);
-int enc;
- {
- des_ede3_cbc_encrypt(input,output,length,ks1,ks2,ks1,ivec,enc);
- }
-#endif
-
diff --git a/crypto/heimdal-0.6.3/lib/des/enc_read.c b/crypto/heimdal-0.6.3/lib/des/enc_read.c
deleted file mode 100644
index fa2612cd8b..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/enc_read.c
+++ /dev/null
@@ -1,214 +0,0 @@ -/* crypto/des/enc_read.c */ -/* Copyright (C) 1995-1997 Eric Young (eay@mincom.oz.au) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@mincom.oz.au). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@mincom.oz.au). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@mincom.oz.au)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. 
If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@mincom.oz.au)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include -#include -#include "des_locl.h" - -/* This has some uglies in it but it works - even over sockets. */ -/*extern int errno;*/ -int des_rw_mode=DES_PCBC_MODE; - -int des_enc_read(fd, buf, len, sched, iv) -int fd; -char *buf; -int len; -des_key_schedule sched; -des_cblock (*iv); - { - /* data to be unencrypted */ - int net_num=0; - static unsigned char *net=NULL; - /* extra unencrypted data - * for when a block of 100 comes in but is des_read one byte at - * a time. 
*/ - static char *unnet=NULL; - static int unnet_start=0; - static int unnet_left=0; - static char *tmpbuf=NULL; - int i; - long num=0,rnum; - unsigned char *p; - - if (tmpbuf == NULL) - { - tmpbuf=(char *)malloc(des_BSIZE); - if (tmpbuf == NULL) return(-1); - } - if (net == NULL) - { - net=(unsigned char *)malloc(des_BSIZE); - if (net == NULL) return(-1); - } - if (unnet == NULL) - { - unnet=(char *)malloc(des_BSIZE); - if (unnet == NULL) return(-1); - } - /* left over data from last decrypt */ - if (unnet_left != 0) - { - if (unnet_left < len) - { - /* we still still need more data but will return - * with the number of bytes we have - should always - * check the return value */ - memcpy(buf,&(unnet[unnet_start]), - (unsigned int)unnet_left); - /* eay 26/08/92 I had the next 2 lines - * reversed :-( */ - i=unnet_left; - unnet_start=unnet_left=0; - } - else - { - memcpy(buf,&(unnet[unnet_start]),(unsigned int)len); - unnet_start+=len; - unnet_left-=len; - i=len; - } - return(i); - } - - /* We need to get more data. */ - if (len > MAXWRITE) len=MAXWRITE; - - /* first - get the length */ - while (net_num < HDRSIZE) - { - i=read(fd,&(net[net_num]),(unsigned int)HDRSIZE-net_num); - if ((i == -1) && (errno == EINTR)) continue; - if (i <= 0) return(0); - net_num+=i; - } - - /* we now have at net_num bytes in net */ - p=net; - /* num=0; */ - n2l(p,num); - /* num should be rounded up to the next group of eight - * we make sure that we have read a multiple of 8 bytes from the net. - */ - if ((num > MAXWRITE) || (num < 0)) /* error */ - return(-1); - rnum=(num < 8)?8:((num+7)/8*8); - - net_num=0; - while (net_num < rnum) - { - i=read(fd,&(net[net_num]),(unsigned int)rnum-net_num); - if ((i == -1) && (errno == EINTR)) continue; - if (i <= 0) return(0); - net_num+=i; - } - - /* Check if there will be data left over. 
*/ - if (len < num) - { - if (des_rw_mode & DES_PCBC_MODE) - des_pcbc_encrypt((des_cblock *)net,(des_cblock *)unnet, - num,sched,iv,DES_DECRYPT); - else - des_cbc_encrypt((des_cblock *)net,(des_cblock *)unnet, - num,sched,iv,DES_DECRYPT); - memcpy(buf,unnet,(unsigned int)len); - unnet_start=len; - unnet_left=(int)num-len; - - /* The following line is done because we return num - * as the number of bytes read. */ - num=len; - } - else - { - /* >output is a multiple of 8 byes, if len < rnum - * >we must be careful. The user must be aware that this - * >routine will write more bytes than he asked for. - * >The length of the buffer must be correct. - * FIXED - Should be ok now 18-9-90 - eay */ - if (len < rnum) - { - - if (des_rw_mode & DES_PCBC_MODE) - des_pcbc_encrypt((des_cblock *)net, - (des_cblock *)tmpbuf, - num,sched,iv,DES_DECRYPT); - else - des_cbc_encrypt((des_cblock *)net, - (des_cblock *)tmpbuf, - num,sched,iv,DES_DECRYPT); - - /* eay 26/08/92 fix a bug that returned more - * bytes than you asked for (returned len bytes :-( */ - memcpy(buf,tmpbuf,(unsigned int)num); - } - else - { - if (des_rw_mode & DES_PCBC_MODE) - des_pcbc_encrypt((des_cblock *)net, - (des_cblock *)buf,num,sched,iv, - DES_DECRYPT); - else - des_cbc_encrypt((des_cblock *)net, - (des_cblock *)buf,num,sched,iv, - DES_DECRYPT); - } - } - return((int)num); - } - diff --git a/crypto/heimdal-0.6.3/lib/des/enc_writ.c b/crypto/heimdal-0.6.3/lib/des/enc_writ.c deleted file mode 100644 index fbc93e35d6..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/enc_writ.c +++ /dev/null 
@@ -1,160 +0,0 @@
-/* crypto/des/enc_writ.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@mincom.oz.au)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@mincom.oz.au).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@mincom.oz.au).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@mincom.oz.au)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4.
If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@mincom.oz.au)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */ - -#include -#include -#include "des_locl.h" - -int des_enc_write(fd, buf, len, sched, iv) -int fd; -char *buf; -int len; -des_key_schedule sched; -des_cblock (*iv); - { -#ifdef _LIBC - extern int srandom(); - extern unsigned long time(); - extern int random(); - extern int write(); -#endif - - long rnum; - int i,j,k,outnum; - char *outbuf=NULL; - char shortbuf[8]; - char *p; - static int start=1; - - if (outbuf == NULL) - { - outbuf=(char *)malloc(des_BSIZE+HDRSIZE); - if (outbuf == NULL) return(-1); - } - /* If we are sending less than 8 bytes, the same char will look - * the same if we don't pad it out with random bytes */ - if (start) - { - start=0; - srandom((unsigned int)time(NULL)); - } - - /* lets recurse if we want to send the data in small chunks */ - if (len > MAXWRITE) - { - j=0; - for (i=0; i MAXWRITE)?MAXWRITE:(len-i),sched,iv); - if (k < 0) - return(k); - else - j+=k; - } - return(j); - } - - /* write length first */ - p=outbuf; - l2n(len,p); - - /* pad short strings */ - if (len < 8) - { - p=shortbuf; - memcpy(shortbuf,buf,(unsigned int)len); - for (i=len; i<8; i++) - shortbuf[i]=random(); - rnum=8; - } - else - { - p=buf; - rnum=((len+7)/8*8); /* round up to nearest eight */ - } - - if (des_rw_mode & DES_PCBC_MODE) - des_pcbc_encrypt((des_cblock *)p, - (des_cblock *)&(outbuf[HDRSIZE]), - (long)((len<8)?8:len),sched,iv,DES_ENCRYPT); - else - des_cbc_encrypt((des_cblock *)p, - (des_cblock *)&(outbuf[HDRSIZE]), - (long)((len<8)?8:len),sched,iv,DES_ENCRYPT); - - /* output */ - outnum=(int)rnum+HDRSIZE; - - for (j=0; j - -/* Eric Young. - * This version of crypt has been developed from my MIT compatable - * DES library. - * The library is available at pub/Crypto/DES at ftp.psy.uq.oz.au - * eay@mincom.oz.au or eay@psych.psy.uq.oz.au - */ - -/* Modification by Jens Kupferschmidt (Cu) - * I have included directive PARA for shared memory computers. 
- * I have included a directive LONGCRYPT to using this routine to cipher - * passwords with more than 8 bytes like HP-UX 10.x it used. The MAXPLEN - * definition is the maximum of lenght of password and can changed. I have - * defined 24. - */ - -#define FCRYPT_MOD(R,u,t,E0,E1,tmp) \ - u=R>>16; \ - t=R^u; \ - u=t&E0; t=t&E1; \ - tmp=(u<<16); u^=R^s[S ]; u^=tmp; \ - tmp=(t<<16); t^=R^s[S+1]; t^=tmp - -#define DES_FCRYPT -#include "des_locl.h" -#undef DES_FCRYPT - -#undef PERM_OP -#define PERM_OP(a,b,t,n,m) ((t)=((((a)>>(n))^(b))&(m)),\ - (b)^=(t),\ - (a)^=((t)<<(n))) - -#undef HPERM_OP -#define HPERM_OP(a,t,n,m) ((t)=((((a)<<(16-(n)))^(a))&(m)),\ - (a)=(a)^(t)^(t>>(16-(n))))\ - -#ifdef PARA -#define STATIC -#else -#define STATIC static -#endif - -/* It used to be Only FreeBSD that had MD5 based crypts, but now it's - * also the case on Redhat linux 6.0 and OpenBSD so we always include - * this code. That solves the problem of making the test program - * conditional as well. - */ - -#define MD5_CRYPT_SUPPORT 1 - -#if MD5_CRYPT_SUPPORT -/* - * ---------------------------------------------------------------------------- - * "THE BEER-WARE LICENSE" (Revision 42): - * wrote this file. As long as you retain this notice you - * can do whatever you want with this stuff. If we meet some day, and you think - * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp - * ---------------------------------------------------------------------------- - */ - -#ifdef HAVE_CONFIG_H -#include -#endif -#include - -static unsigned char itoa64[] = /* 0 ... 63 => ascii - 64 */ - "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; - -static void -to64(s, v, n) - char *s; - unsigned long v; - int n; -{ - while (--n >= 0) { - *s++ = itoa64[v&0x3f]; - v >>= 6; - } -} - -/* - * UNIX password - * - * Use MD5 for what it is best at... 
- */ - -static -char * -crypt_md5(pw, salt) - register const char *pw; - register const char *salt; -{ - static char *magic = "$1$"; /* - * This string is magic for - * this algorithm. Having - * it this way, we can get - * get better later on - */ - static char passwd[120], *p; - static const char *sp,*ep; - unsigned char final[16]; - int sl,pl,i,j; - MD5_CTX ctx,ctx1; - unsigned long l; - - /* Refine the Salt first */ - sp = salt; - - /* If it starts with the magic string, then skip that */ - if(!strncmp(sp,magic,strlen(magic))) - sp += strlen(magic); - - /* It stops at the first '$', max 8 chars */ - for(ep=sp;*ep && *ep != '$' && ep < (sp+8);ep++) - continue; - - /* get the length of the true salt */ - sl = ep - sp; - - MD5_Init(&ctx); - - /* The password first, since that is what is most unknown */ - MD5_Update(&ctx,pw,strlen(pw)); - - /* Then our magic string */ - MD5_Update(&ctx,magic,strlen(magic)); - - /* Then the raw salt */ - MD5_Update(&ctx,sp,sl); - - /* Then just as many characters of the MD5(pw,salt,pw) */ - MD5_Init(&ctx1); - MD5_Update(&ctx1,pw,strlen(pw)); - MD5_Update(&ctx1,sp,sl); - MD5_Update(&ctx1,pw,strlen(pw)); - MD5_Final(final,&ctx1); - for(pl = strlen(pw); pl > 0; pl -= 16) - MD5_Update(&ctx,final,pl>16 ? 16 : pl); - - /* Don't leave anything around in vm they could use. */ - memset(final,0,sizeof final); - - /* Then something really weird... */ - for (j=0,i = strlen(pw); i ; i >>= 1) - if(i&1) - MD5_Update(&ctx, final+j, 1); - else - MD5_Update(&ctx, pw+j, 1); - - /* Now make the output string */ - strcpy(passwd, magic); /* sizeof(passwd) > sizeof(magic) */ - strncat(passwd, sp, sl); /* ok, since sl <= 8 */ - strcat(passwd, "$"); - - MD5_Final(final,&ctx); - - /* - * and now, just to make sure things don't run too fast - * On a 60 Mhz Pentium this takes 34 msec, so you would - * need 30 seconds to build a 1000 entry dictionary... 
- */ - for(i=0;i<1000;i++) { - MD5_Init(&ctx1); - if(i & 1) - MD5_Update(&ctx1,pw,strlen(pw)); - else - MD5_Update(&ctx1,final,16); - - if(i % 3) - MD5_Update(&ctx1,sp,sl); - - if(i % 7) - MD5_Update(&ctx1,pw,strlen(pw)); - - if(i & 1) - MD5_Update(&ctx1,final,16); - else - MD5_Update(&ctx1,pw,strlen(pw)); - MD5_Final(final,&ctx1); - } - - p = passwd + strlen(passwd); - - l = (final[ 0]<<16) | (final[ 6]<<8) | final[12]; to64(p,l,4); p += 4; - l = (final[ 1]<<16) | (final[ 7]<<8) | final[13]; to64(p,l,4); p += 4; - l = (final[ 2]<<16) | (final[ 8]<<8) | final[14]; to64(p,l,4); p += 4; - l = (final[ 3]<<16) | (final[ 9]<<8) | final[15]; to64(p,l,4); p += 4; - l = (final[ 4]<<16) | (final[10]<<8) | final[ 5]; to64(p,l,4); p += 4; - l = final[11] ; to64(p,l,2); p += 2; - *p = '\0'; - - /* Don't leave anything around in vm they could use. */ - memset(final,0,sizeof final); - - return passwd; -} -#endif /* MD5_CRYPT_SUPPORT */ - -#ifndef NOPROTO - -STATIC int fcrypt_body(DES_LONG *out0, DES_LONG *out1, - des_key_schedule ks, DES_LONG Eswap0, DES_LONG Eswap1); - -#else - -STATIC int fcrypt_body(); - -#endif - -/* Added more values to handle illegal salt values the way normal - * crypt() implementations do. 
The patch was sent by - * Bjorn Gronvall - */ -static unsigned const char con_salt[128]={ -0xD2,0xD3,0xD4,0xD5,0xD6,0xD7,0xD8,0xD9, -0xDA,0xDB,0xDC,0xDD,0xDE,0xDF,0xE0,0xE1, -0xE2,0xE3,0xE4,0xE5,0xE6,0xE7,0xE8,0xE9, -0xEA,0xEB,0xEC,0xED,0xEE,0xEF,0xF0,0xF1, -0xF2,0xF3,0xF4,0xF5,0xF6,0xF7,0xF8,0xF9, -0xFA,0xFB,0xFC,0xFD,0xFE,0xFF,0x00,0x01, -0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09, -0x0A,0x0B,0x05,0x06,0x07,0x08,0x09,0x0A, -0x0B,0x0C,0x0D,0x0E,0x0F,0x10,0x11,0x12, -0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1A, -0x1B,0x1C,0x1D,0x1E,0x1F,0x20,0x21,0x22, -0x23,0x24,0x25,0x20,0x21,0x22,0x23,0x24, -0x25,0x26,0x27,0x28,0x29,0x2A,0x2B,0x2C, -0x2D,0x2E,0x2F,0x30,0x31,0x32,0x33,0x34, -0x35,0x36,0x37,0x38,0x39,0x3A,0x3B,0x3C, -0x3D,0x3E,0x3F,0x40,0x41,0x42,0x43,0x44, -}; - -static unsigned const char cov_2char[64]={ -0x2E,0x2F,0x30,0x31,0x32,0x33,0x34,0x35, -0x36,0x37,0x38,0x39,0x41,0x42,0x43,0x44, -0x45,0x46,0x47,0x48,0x49,0x4A,0x4B,0x4C, -0x4D,0x4E,0x4F,0x50,0x51,0x52,0x53,0x54, -0x55,0x56,0x57,0x58,0x59,0x5A,0x61,0x62, -0x63,0x64,0x65,0x66,0x67,0x68,0x69,0x6A, -0x6B,0x6C,0x6D,0x6E,0x6F,0x70,0x71,0x72, -0x73,0x74,0x75,0x76,0x77,0x78,0x79,0x7A -}; - -#ifndef NOPROTO -#ifdef PERL5 -char *des_crypt(const char *buf,const char *salt); -#else -char *crypt(const char *buf,const char *salt); -#endif -#else -#ifdef PERL5 -char *des_crypt(); -#else -char *crypt(); -#endif -#endif - -#ifdef PERL5 -char *des_crypt(buf,salt) -#else -char *crypt(buf,salt) -#endif -const char *buf; -const char *salt; - { - static char buff[14]; - -#if MD5_CRYPT_SUPPORT - if (!strncmp(salt, "$1$", 3)) - return crypt_md5(buf, salt); -#endif - - return(des_fcrypt(buf,salt,buff)); - } - - -char *des_fcrypt(buf,salt,ret) -const char *buf; -const char *salt; -char *ret; - { - unsigned int i,j,x,y; - DES_LONG Eswap0,Eswap1; - DES_LONG out[2],ll; - des_cblock key; - des_key_schedule ks; - unsigned char bb[9]; - unsigned char *b=bb; - unsigned char c,u; - - /* eay 25/08/92 - * If you call crypt("pwd","*") as often 
happens when you - * have * as the pwd field in /etc/passwd, the function - * returns *\0XXXXXXXXX - * The \0 makes the string look like * so the pwd "*" would - * crypt to "*". This was found when replacing the crypt in - * our shared libraries. People found that the disbled - * accounts effectivly had no passwd :-(. */ - x=ret[0]=((salt[0] == '\0')?'A':salt[0]); - Eswap0=con_salt[x]<<2; - x=ret[1]=((salt[1] == '\0')?'A':salt[1]); - Eswap1=con_salt[x]<<6; - -/* EAY -r=strlen(buf); -r=(r+7)/8; -*/ - for (i=0; i<8; i++) - { - c= *(buf++); - if (!c) break; - key[i]=(c<<1); - } - for (; i<8; i++) - key[i]=0; - - des_set_key((des_cblock *)(key),ks); - fcrypt_body(&(out[0]),&(out[1]),ks,Eswap0,Eswap1); - - ll=out[0]; l2c(ll,b); - ll=out[1]; l2c(ll,b); - y=0; - u=0x80; - bb[8]=0; - for (i=2; i<13; i++) - { - c=0; - for (j=0; j<6; j++) - { - c<<=1; - if (bb[y] & u) c|=1; - u>>=1; - if (!u) - { - y++; - u=0x80; - } - } - ret[i]=cov_2char[c]; - } - ret[13]='\0'; - return(ret); - } - -STATIC int fcrypt_body(out0, out1, ks, Eswap0, Eswap1) -DES_LONG *out0; -DES_LONG *out1; -des_key_schedule ks; -DES_LONG Eswap0; -DES_LONG Eswap1; - { - register DES_LONG l,r,t,u; -#ifdef DES_PTR - register unsigned char *des_SP=(unsigned char *)des_SPtrans; -#endif - register DES_LONG *s; - register int j; - register DES_LONG E0,E1; - - l=0; - r=0; - - s=(DES_LONG *)ks; - E0=Eswap0; - E1=Eswap1; - - for (j=0; j<25; j++) - { -#ifdef DES_UNROLL - register int i; - - for (i=0; i<32; i+=8) - { - D_ENCRYPT(l,r,i+0); /* 1 */ - D_ENCRYPT(r,l,i+2); /* 2 */ - D_ENCRYPT(l,r,i+4); /* 3 */ - D_ENCRYPT(r,l,i+6); /* 4 */ - } -#else - D_ENCRYPT(l,r, 0); /* 1 */ - D_ENCRYPT(r,l, 2); /* 2 */ - D_ENCRYPT(l,r, 4); /* 3 */ - D_ENCRYPT(r,l, 6); /* 4 */ - D_ENCRYPT(l,r, 8); /* 5 */ - D_ENCRYPT(r,l,10); /* 6 */ - D_ENCRYPT(l,r,12); /* 7 */ - D_ENCRYPT(r,l,14); /* 8 */ - D_ENCRYPT(l,r,16); /* 9 */ - D_ENCRYPT(r,l,18); /* 10 */ - D_ENCRYPT(l,r,20); /* 11 */ - D_ENCRYPT(r,l,22); /* 12 */ - D_ENCRYPT(l,r,24); /* 13 */ - 
D_ENCRYPT(r,l,26); /* 14 */ - D_ENCRYPT(l,r,28); /* 15 */ - D_ENCRYPT(r,l,30); /* 16 */ -#endif - t=l; - l=r; - r=t; - } - l=ROTATE(l,3)&0xffffffffL; - r=ROTATE(r,3)&0xffffffffL; - - PERM_OP(l,r,t, 1,0x55555555L); - PERM_OP(r,l,t, 8,0x00ff00ffL); - PERM_OP(l,r,t, 2,0x33333333L); - PERM_OP(r,l,t,16,0x0000ffffL); - PERM_OP(l,r,t, 4,0x0f0f0f0fL); - - *out0=r; - *out1=l; - return(0); - } - diff --git a/crypto/heimdal-0.6.3/lib/des/hash.h b/crypto/heimdal-0.6.3/lib/des/hash.h deleted file mode 100644 index 6761d7f433..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/hash.h +++ /dev/null 
@@ -1,67 +0,0 @@
-/*
- * Copyright (c) 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of KTH nor the names of its contributors may be
- * used to endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
- * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
- * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
- * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
-
-/* $Id: hash.h,v 1.1 1999/03/22 19:16:25 joda Exp $ */
-
-/* stuff in common between md4, md5, and sha1 */
-
-#ifndef __hash_h__
-#define __hash_h__
-
-#include
-#include
-
-#ifndef min
-#define min(a,b) (((a)>(b))?(b):(a))
-#endif
-
-/* Vector Crays doesn't have a good 32-bit type, or more precisely,
- int32_t as defined by isn't 32 bits, and we don't
- want to depend in being able to redefine this type. To cope with
- this we have to clamp the result in some places to [0,2^32); no
- need to do this on other machines. Did I say this was a mess?
- */
-
-#ifdef _CRAY
-#define CRAYFIX(X) ((X) & 0xffffffff)
-#else
-#define CRAYFIX(X) (X)
-#endif
-
-static inline u_int32_t
-cshift (u_int32_t x, unsigned int n)
-{
- x = CRAYFIX(x);
- return CRAYFIX((x << n) | (x >> (32 - n)));
-}
-
-#endif /* __hash_h__ */
diff --git a/crypto/heimdal-0.6.3/lib/des/key_par.c b/crypto/heimdal-0.6.3/lib/des/key_par.c
deleted file mode 100644
index 0b7e69463e..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/key_par.c
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "des_locl.h"
-
-/* MIT Link and source compatibility */
-
-#ifdef des_fixup_key_parity
-#undef des_fixup_key_parity
-#endif /* des_fixup_key_parity */
-
-void des_fixup_key_parity(des_cblock *key);
-
-void
-des_fixup_key_parity(des_cblock *key)
-{
- des_set_odd_parity(key);
-}
diff --git a/crypto/heimdal-0.6.3/lib/des/makefile.bc b/crypto/heimdal-0.6.3/lib/des/makefile.bc deleted file mode 100644 index 1fe6d4915a..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/makefile.bc +++ /dev/null @@ -1,50 +0,0 @@ -# -# Origional BC Makefile from Teun -# -# -CC = bcc -TLIB = tlib /0 /C -# note: the -3 flag produces code for 386, 486, Pentium etc; omit it for 286s -OPTIMIZE= -3 -O2 -#WINDOWS= -W -CFLAGS = -c -ml -d $(OPTIMIZE) $(WINDOWS) -DMSDOS -LFLAGS = -ml $(WINDOWS) - -.c.obj: - $(CC) $(CFLAGS) $*.c - -.obj.exe: - $(CC) $(LFLAGS) -e$*.exe $*.obj libdes.lib - -all: $(LIB) destest.exe rpw.exe des.exe speed.exe - -# "make clean": use a directory containing only libdes .exe and .obj files... -clean: - del *.exe - del *.obj - del libdes.lib - del libdes.rsp - -OBJS= cbc_cksm.obj cbc_enc.obj ecb_enc.obj pcbc_enc.obj \ - qud_cksm.obj rand_key.obj set_key.obj str2key.obj \ - enc_read.obj enc_writ.obj fcrypt.obj cfb_enc.obj \ - ecb3_enc.obj ofb_enc.obj cbc3_enc.obj read_pwd.obj\ - cfb64enc.obj ofb64enc.obj ede_enc.obj cfb64ede.obj\ - ofb64ede.obj supp.obj - -LIB= libdes.lib - -$(LIB): $(OBJS) - del $(LIB) - makersp "+%s &\n" &&| - $(OBJS) -| >libdes.rsp - $(TLIB) libdes.lib @libdes.rsp,nul - del libdes.rsp - -destest.exe: destest.obj libdes.lib -rpw.exe: rpw.obj libdes.lib -speed.exe: speed.obj libdes.lib -des.exe: des.obj libdes.lib - - diff --git a/crypto/heimdal-0.6.3/lib/des/md4.c b/crypto/heimdal-0.6.3/lib/des/md4.c deleted file mode 100644 index 47330ef4f0..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/md4.c +++ /dev/null 
@@ -1,250 +0,0 @@
-/*
- * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#ifdef HAVE_CONFIG_H -#include "config.h" - -RCSID("$Id: md4.c,v 1.15 2001/01/29 04:33:44 assar Exp $"); -#endif - -#include "md4.h" -#include "hash.h" - -#define A m->counter[0] -#define B m->counter[1] -#define C m->counter[2] -#define D m->counter[3] -#define X data - -void -MD4_Init (struct md4 *m) -{ - m->sz[0] = 0; - m->sz[1] = 0; - D = 0x10325476; - C = 0x98badcfe; - B = 0xefcdab89; - A = 0x67452301; -} - -#define F(x,y,z) CRAYFIX((x & y) | (~x & z)) -#define G(x,y,z) ((x & y) | (x & z) | (y & z)) -#define H(x,y,z) (x ^ y ^ z) - -#define DOIT(a,b,c,d,k,s,i,OP) \ -a = cshift(a + OP(b,c,d) + X[k] + i, s) - -#define DO1(a,b,c,d,k,s,i) DOIT(a,b,c,d,k,s,i,F) -#define DO2(a,b,c,d,k,s,i) DOIT(a,b,c,d,k,s,i,G) -#define DO3(a,b,c,d,k,s,i) DOIT(a,b,c,d,k,s,i,H) - -static inline void -calc (struct md4 *m, u_int32_t *data) -{ - u_int32_t AA, BB, CC, DD; - - AA = A; - BB = B; - CC = C; - DD = D; - - /* Round 1 */ - - DO1(A,B,C,D,0,3,0); - DO1(D,A,B,C,1,7,0); - DO1(C,D,A,B,2,11,0); - DO1(B,C,D,A,3,19,0); - - DO1(A,B,C,D,4,3,0); - DO1(D,A,B,C,5,7,0); - DO1(C,D,A,B,6,11,0); - DO1(B,C,D,A,7,19,0); - - DO1(A,B,C,D,8,3,0); - DO1(D,A,B,C,9,7,0); - DO1(C,D,A,B,10,11,0); - DO1(B,C,D,A,11,19,0); - - DO1(A,B,C,D,12,3,0); - DO1(D,A,B,C,13,7,0); - DO1(C,D,A,B,14,11,0); - DO1(B,C,D,A,15,19,0); - - /* Round 2 */ - - DO2(A,B,C,D,0,3,0x5A827999); - DO2(D,A,B,C,4,5,0x5A827999); - DO2(C,D,A,B,8,9,0x5A827999); - DO2(B,C,D,A,12,13,0x5A827999); - - DO2(A,B,C,D,1,3,0x5A827999); - DO2(D,A,B,C,5,5,0x5A827999); - DO2(C,D,A,B,9,9,0x5A827999); - DO2(B,C,D,A,13,13,0x5A827999); - - DO2(A,B,C,D,2,3,0x5A827999); - DO2(D,A,B,C,6,5,0x5A827999); - DO2(C,D,A,B,10,9,0x5A827999); - DO2(B,C,D,A,14,13,0x5A827999); - - DO2(A,B,C,D,3,3,0x5A827999); - DO2(D,A,B,C,7,5,0x5A827999); - DO2(C,D,A,B,11,9,0x5A827999); - DO2(B,C,D,A,15,13,0x5A827999); - - /* Round 3 */ - - DO3(A,B,C,D,0,3,0x6ED9EBA1); - DO3(D,A,B,C,8,9,0x6ED9EBA1); - DO3(C,D,A,B,4,11,0x6ED9EBA1); - DO3(B,C,D,A,12,15,0x6ED9EBA1); - - 
DO3(A,B,C,D,2,3,0x6ED9EBA1); - DO3(D,A,B,C,10,9,0x6ED9EBA1); - DO3(C,D,A,B,6,11,0x6ED9EBA1); - DO3(B,C,D,A,14,15,0x6ED9EBA1); - - DO3(A,B,C,D,1,3,0x6ED9EBA1); - DO3(D,A,B,C,9,9,0x6ED9EBA1); - DO3(C,D,A,B,5,11,0x6ED9EBA1); - DO3(B,C,D,A,13,15,0x6ED9EBA1); - - DO3(A,B,C,D,3,3,0x6ED9EBA1); - DO3(D,A,B,C,11,9,0x6ED9EBA1); - DO3(C,D,A,B,7,11,0x6ED9EBA1); - DO3(B,C,D,A,15,15,0x6ED9EBA1); - - A += AA; - B += BB; - C += CC; - D += DD; -} - -/* - * From `Performance analysis of MD5' by Joseph D. Touch - */ - -#if defined(WORDS_BIGENDIAN) -static inline u_int32_t -swap_u_int32_t (u_int32_t t) -{ - u_int32_t temp1, temp2; - - temp1 = cshift(t, 16); - temp2 = temp1 >> 8; - temp1 &= 0x00ff00ff; - temp2 &= 0x00ff00ff; - temp1 <<= 8; - return temp1 | temp2; -} -#endif - -struct x32{ - unsigned int a:32; - unsigned int b:32; -}; - -void -MD4_Update (struct md4 *m, const void *v, size_t len) -{ - const unsigned char *p = v; - size_t old_sz = m->sz[0]; - size_t offset; - - m->sz[0] += len * 8; - if (m->sz[0] < old_sz) - ++m->sz[1]; - offset = (old_sz / 8) % 64; - while(len > 0) { - size_t l = min(len, 64 - offset); - memcpy(m->save + offset, p, l); - offset += l; - p += l; - len -= l; - if(offset == 64) { -#if defined(WORDS_BIGENDIAN) - int i; - u_int32_t current[16]; - struct x32 *u = (struct x32*)m->save; - for(i = 0; i < 8; i++){ - current[2*i+0] = swap_u_int32_t(u[i].a); - current[2*i+1] = swap_u_int32_t(u[i].b); - } - calc(m, current); -#else - calc(m, (u_int32_t*)m->save); -#endif - offset = 0; - } - } -} - -void -MD4_Final (void *res, struct md4 *m) -{ - static unsigned char zeros[72]; - unsigned offset = (m->sz[0] / 8) % 64; - unsigned int dstart = (120 - offset - 1) % 64 + 1; - - *zeros = 0x80; - memset (zeros + 1, 0, sizeof(zeros) - 1); - zeros[dstart+0] = (m->sz[0] >> 0) & 0xff; - zeros[dstart+1] = (m->sz[0] >> 8) & 0xff; - zeros[dstart+2] = (m->sz[0] >> 16) & 0xff; - zeros[dstart+3] = (m->sz[0] >> 24) & 0xff; - zeros[dstart+4] = (m->sz[1] >> 0) & 0xff; - zeros[dstart+5] 
= (m->sz[1] >> 8) & 0xff; - zeros[dstart+6] = (m->sz[1] >> 16) & 0xff; - zeros[dstart+7] = (m->sz[1] >> 24) & 0xff; - MD4_Update (m, zeros, dstart + 8); - { - int i; - unsigned char *r = (unsigned char *)res; - - for (i = 0; i < 4; ++i) { - r[4*i] = m->counter[i] & 0xFF; - r[4*i+1] = (m->counter[i] >> 8) & 0xFF; - r[4*i+2] = (m->counter[i] >> 16) & 0xFF; - r[4*i+3] = (m->counter[i] >> 24) & 0xFF; - } - } -#if 0 - { - int i; - u_int32_t *r = (u_int32_t *)res; - - for (i = 0; i < 4; ++i) - r[i] = swap_u_int32_t (m->counter[i]); - } -#endif -} diff --git a/crypto/heimdal-0.6.3/lib/des/md4.h b/crypto/heimdal-0.6.3/lib/des/md4.h deleted file mode 100644 index f2377376ff..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/md4.h +++ /dev/null 
@@ -1,59 +0,0 @@
-/*
- * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: md4.h,v 1.8 2001/01/29 02:08:56 assar Exp $ */
-
-#include
-#ifdef HAVE_SYS_TYPES_H
-#include
-#endif
-#ifdef HAVE_SYS_BITYPES_H
-#include
-#endif
-#ifdef KRB5
-#include
-#elif defined(KRB4)
-#include
-#endif
-
-struct md4 {
- unsigned int sz[2];
- u_int32_t counter[4];
- unsigned char save[64];
-};
-
-typedef struct md4 MD4_CTX;
-
-void MD4_Init (struct md4 *m);
-void MD4_Update (struct md4 *m, const void *p, size_t len);
-void MD4_Final (void *res, struct md4 *m);
diff --git a/crypto/heimdal-0.6.3/lib/des/md5.c b/crypto/heimdal-0.6.3/lib/des/md5.c
deleted file mode 100644
index f8abba27ac..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/md5.c
+++ /dev/null
@@ -1,274 +0,0 @@
-/*
- * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-
-RCSID("$Id: md5.c,v 1.15 2001/01/29 04:33:44 assar Exp $");
-#endif
-
-#include "md5.h"
-#include "hash.h"
-
-#define A m->counter[0]
-#define B m->counter[1]
-#define C m->counter[2]
-#define D m->counter[3]
-#define X data
-
-void
-MD5_Init (struct md5 *m)
-{
- m->sz[0] = 0;
- m->sz[1] = 0;
- D = 0x10325476;
- C = 0x98badcfe;
- B = 0xefcdab89;
- A = 0x67452301;
-}
-
-#define F(x,y,z) CRAYFIX((x & y) | (~x & z))
-#define G(x,y,z) CRAYFIX((x & z) | (y & ~z))
-#define H(x,y,z) (x ^ y ^ z)
-#define I(x,y,z) CRAYFIX(y ^ (x | ~z))
-
-#define DOIT(a,b,c,d,k,s,i,OP) \
-a = b + cshift(a + OP(b,c,d) + X[k] + (i), s)
-
-#define DO1(a,b,c,d,k,s,i) DOIT(a,b,c,d,k,s,i,F)
-#define DO2(a,b,c,d,k,s,i) DOIT(a,b,c,d,k,s,i,G)
-#define DO3(a,b,c,d,k,s,i) DOIT(a,b,c,d,k,s,i,H)
-#define DO4(a,b,c,d,k,s,i) DOIT(a,b,c,d,k,s,i,I)
-
-static inline void
-calc (struct md5 *m, u_int32_t *data)
-{
- u_int32_t AA, BB, CC, DD;
-
- AA = A;
- BB = B;
- CC = C;
- DD = D;
-
- /* Round 1 */
-
- DO1(A,B,C,D,0,7,0xd76aa478);
- DO1(D,A,B,C,1,12,0xe8c7b756);
- DO1(C,D,A,B,2,17,0x242070db);
- DO1(B,C,D,A,3,22,0xc1bdceee);
-
- DO1(A,B,C,D,4,7,0xf57c0faf);
- DO1(D,A,B,C,5,12,0x4787c62a);
- DO1(C,D,A,B,6,17,0xa8304613);
- DO1(B,C,D,A,7,22,0xfd469501);
-
- DO1(A,B,C,D,8,7,0x698098d8);
- DO1(D,A,B,C,9,12,0x8b44f7af);
- DO1(C,D,A,B,10,17,0xffff5bb1);
- DO1(B,C,D,A,11,22,0x895cd7be);
-
- DO1(A,B,C,D,12,7,0x6b901122);
- DO1(D,A,B,C,13,12,0xfd987193);
- DO1(C,D,A,B,14,17,0xa679438e);
- DO1(B,C,D,A,15,22,0x49b40821);
-
- /* Round 2 */
-
- DO2(A,B,C,D,1,5,0xf61e2562);
- DO2(D,A,B,C,6,9,0xc040b340);
- DO2(C,D,A,B,11,14,0x265e5a51);
- DO2(B,C,D,A,0,20,0xe9b6c7aa);
-
- DO2(A,B,C,D,5,5,0xd62f105d);
- DO2(D,A,B,C,10,9,0x2441453);
- DO2(C,D,A,B,15,14,0xd8a1e681);
- DO2(B,C,D,A,4,20,0xe7d3fbc8);
-
- DO2(A,B,C,D,9,5,0x21e1cde6);
- DO2(D,A,B,C,14,9,0xc33707d6);
- DO2(C,D,A,B,3,14,0xf4d50d87);
- DO2(B,C,D,A,8,20,0x455a14ed);
-
- DO2(A,B,C,D,13,5,0xa9e3e905);
- DO2(D,A,B,C,2,9,0xfcefa3f8);
- DO2(C,D,A,B,7,14,0x676f02d9);
- DO2(B,C,D,A,12,20,0x8d2a4c8a);
-
- /* Round 3 */
-
- DO3(A,B,C,D,5,4,0xfffa3942);
- DO3(D,A,B,C,8,11,0x8771f681);
- DO3(C,D,A,B,11,16,0x6d9d6122);
- DO3(B,C,D,A,14,23,0xfde5380c);
-
- DO3(A,B,C,D,1,4,0xa4beea44);
- DO3(D,A,B,C,4,11,0x4bdecfa9);
- DO3(C,D,A,B,7,16,0xf6bb4b60);
- DO3(B,C,D,A,10,23,0xbebfbc70);
-
- DO3(A,B,C,D,13,4,0x289b7ec6);
- DO3(D,A,B,C,0,11,0xeaa127fa);
- DO3(C,D,A,B,3,16,0xd4ef3085);
- DO3(B,C,D,A,6,23,0x4881d05);
-
- DO3(A,B,C,D,9,4,0xd9d4d039);
- DO3(D,A,B,C,12,11,0xe6db99e5);
- DO3(C,D,A,B,15,16,0x1fa27cf8);
- DO3(B,C,D,A,2,23,0xc4ac5665);
-
- /* Round 4 */
-
- DO4(A,B,C,D,0,6,0xf4292244);
- DO4(D,A,B,C,7,10,0x432aff97);
- DO4(C,D,A,B,14,15,0xab9423a7);
- DO4(B,C,D,A,5,21,0xfc93a039);
-
- DO4(A,B,C,D,12,6,0x655b59c3);
- DO4(D,A,B,C,3,10,0x8f0ccc92);
- DO4(C,D,A,B,10,15,0xffeff47d);
- DO4(B,C,D,A,1,21,0x85845dd1);
-
- DO4(A,B,C,D,8,6,0x6fa87e4f);
- DO4(D,A,B,C,15,10,0xfe2ce6e0);
- DO4(C,D,A,B,6,15,0xa3014314);
- DO4(B,C,D,A,13,21,0x4e0811a1);
-
- DO4(A,B,C,D,4,6,0xf7537e82);
- DO4(D,A,B,C,11,10,0xbd3af235);
- DO4(C,D,A,B,2,15,0x2ad7d2bb);
- DO4(B,C,D,A,9,21,0xeb86d391);
-
- A += AA;
- B += BB;
- C += CC;
- D += DD;
-}
-
-/*
- * From `Performance analysis of MD5' by Joseph D. Touch
- */
-
-#if defined(WORDS_BIGENDIAN)
-static inline u_int32_t
-swap_u_int32_t (u_int32_t t)
-{
- u_int32_t temp1, temp2;
-
- temp1 = cshift(t, 16);
- temp2 = temp1 >> 8;
- temp1 &= 0x00ff00ff;
- temp2 &= 0x00ff00ff;
- temp1 <<= 8;
- return temp1 | temp2;
-}
-#endif
-
-struct x32{
- unsigned int a:32;
- unsigned int b:32;
-};
-
-void
-MD5_Update (struct md5 *m, const void *v, size_t len)
-{
- const unsigned char *p = v;
- size_t old_sz = m->sz[0];
- size_t offset;
-
- m->sz[0] += len * 8;
- if (m->sz[0] < old_sz)
- ++m->sz[1];
- offset = (old_sz / 8) % 64;
- while(len > 0){
- size_t l = min(len, 64 - offset);
- memcpy(m->save + offset, p, l);
- offset += l;
- p += l;
- len -= l;
- if(offset == 64){
-#if defined(WORDS_BIGENDIAN)
- int i;
- u_int32_t current[16];
- struct x32 *u = (struct x32*)m->save;
- for(i = 0; i < 8; i++){
- current[2*i+0] = swap_u_int32_t(u[i].a);
- current[2*i+1] = swap_u_int32_t(u[i].b);
- }
- calc(m, current);
-#else
- calc(m, (u_int32_t*)m->save);
-#endif
- offset = 0;
- }
- }
-}
-
-void
-MD5_Final (void *res, struct md5 *m)
-{
- static unsigned char zeros[72];
- unsigned offset = (m->sz[0] / 8) % 64;
- unsigned int dstart = (120 - offset - 1) % 64 + 1;
-
- *zeros = 0x80;
- memset (zeros + 1, 0, sizeof(zeros) - 1);
- zeros[dstart+0] = (m->sz[0] >> 0) & 0xff;
- zeros[dstart+1] = (m->sz[0] >> 8) & 0xff;
- zeros[dstart+2] = (m->sz[0] >> 16) & 0xff;
- zeros[dstart+3] = (m->sz[0] >> 24) & 0xff;
- zeros[dstart+4] = (m->sz[1] >> 0) & 0xff;
- zeros[dstart+5] = (m->sz[1] >> 8) & 0xff;
- zeros[dstart+6] = (m->sz[1] >> 16) & 0xff;
- zeros[dstart+7] = (m->sz[1] >> 24) & 0xff;
- MD5_Update (m, zeros, dstart + 8);
- {
- int i;
- unsigned char *r = (unsigned char *)res;
-
- for (i = 0; i < 4; ++i) {
- r[4*i] = m->counter[i] & 0xFF;
- r[4*i+1] = (m->counter[i] >> 8) & 0xFF;
- r[4*i+2] = (m->counter[i] >> 16) & 0xFF;
- r[4*i+3] = (m->counter[i] >> 24) & 0xFF;
- }
- }
-#if 0
- {
- int i;
- u_int32_t *r = (u_int32_t *)res;
-
- for (i = 0; i < 4; ++i)
- r[i] = swap_u_int32_t (m->counter[i]);
- }
-#endif
-}
diff --git a/crypto/heimdal-0.6.3/lib/des/md5.h b/crypto/heimdal-0.6.3/lib/des/md5.h
deleted file mode 100644
index f4dd6a819e..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/md5.h
+++ /dev/null
@@ -1,59 +0,0 @@
-/*
- * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: md5.h,v 1.8 2001/01/29 02:08:57 assar Exp $ */
-
-#include
-#ifdef HAVE_SYS_TYPES_H
-#include
-#endif
-#ifdef HAVE_SYS_BITYPES_H
-#include
-#endif
-#ifdef KRB5
-#include
-#elif defined(KRB4)
-#include
-#endif
-
-struct md5 {
- unsigned int sz[2];
- u_int32_t counter[4];
- unsigned char save[64];
-};
-
-typedef struct md5 MD5_CTX;
-
-void MD5_Init (struct md5 *m);
-void MD5_Update (struct md5 *m, const void *p, size_t len);
-void MD5_Final (void *res, struct md5 *m); /* u_int32_t res[4] */
diff --git a/crypto/heimdal-0.6.3/lib/des/md5crypt_test.c b/crypto/heimdal-0.6.3/lib/des/md5crypt_test.c
deleted file mode 100644
index 89ea727658..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/md5crypt_test.c
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * Copyright (c) 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: md5crypt_test.c,v 1.4 1999/12/17 05:15:32 assar Exp $");
-#endif
-
-#include
-#include
-#include
-
-struct test {
- const char *str;
- const char *salt;
- const char *result;
-} tests[] = {
- {"Hello world!", "$1$saltstring", "$1$saltstri$YMyguxXMBpd2TEZ.vS/3q1"},
- {NULL, NULL, NULL}
-};
-
-static int
-do_test (void)
-{
- struct test *t;
- int res = 0;
-
- for (t = tests; t->str != NULL; ++t) {
- const char *c;
-
- c = crypt (t->str, t->salt);
-
- if (strcmp (c, t->result) != 0) {
- res = 1;
- printf ("should have been: \"%s\"\n", t->result);
- printf ("result was: \"%s\"\n", c);
- }
- }
- if (res)
- printf ("failed\n");
- else
- printf ("success\n");
- return res;
-}
-
-int
-main (void)
-{
- return do_test ();
-}
diff --git a/crypto/heimdal-0.6.3/lib/des/mdtest.c b/crypto/heimdal-0.6.3/lib/des/mdtest.c
deleted file mode 100644
index c4ba0ffc5d..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/mdtest.c
+++ /dev/null
@@ -1,297 +0,0 @@
-/*
- * Copyright (c) 1995 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: mdtest.c,v 1.16 2002/05/07 15:49:28 joda Exp $");
-#endif
-
-#include
-#include
-#include
-#include
-#include
-
-#define ONE_MILLION_A "one million a's"
-
-struct hash_foo {
- const char *name;
- size_t psize;
- size_t hsize;
- void (*init)(void*);
- void (*update)(void*, const void*, size_t);
- void (*final)(void*, void*);
-} md4 = {
- "MD4",
- sizeof(MD4_CTX),
- 16,
- (void (*)(void*))MD4_Init,
- (void (*)(void*,const void*, size_t))MD4_Update,
- (void (*)(void*, void*))MD4_Final
-}, md5 = {
- "MD5",
- sizeof(MD5_CTX),
- 16,
- (void (*)(void*))MD5_Init,
- (void (*)(void*,const void*, size_t))MD5_Update,
- (void (*)(void*, void*))MD5_Final
-}, sha1 = {
- "SHA-1",
- sizeof(struct sha),
- 20,
- (void (*)(void*))SHA1_Init,
- (void (*)(void*,const void*, size_t))SHA1_Update,
- (void (*)(void*, void*))SHA1_Final
-};
-#ifdef HAVE_SHA256
-struct hash_foo sha256 = {
- "SHA-256",
- sizeof(struct sha256),
- 32,
- (void (*)(void*))SHA256_Init,
- (void (*)(void*,const void*, size_t))SHA256_Update,
- (void (*)(void*, void*))SHA256_Final
-};
-#endif
-#ifdef HAVE_SHA384
-struct hash_foo sha384 = {
- "SHA-384",
- sizeof(struct sha512),
- 48,
- (void (*)(void*))SHA384_Init,
- (void (*)(void*,const void*, size_t))SHA384_Update,
- (void (*)(void*, void*))SHA384_Final
-};
-#endif
-#ifdef HAVE_SHA512
-struct hash_foo sha512 = {
- "SHA-512",
- sizeof(struct sha512),
- 64,
- (void (*)(void*))SHA512_Init,
- (void (*)(void*,const void*, size_t))SHA512_Update,
- (void (*)(void*, void*))SHA512_Final
-};
-#endif
-
-struct test {
- char *str;
- unsigned char hash[64];
-};
-
-struct test md4_tests[] = {
- {"",
- {0x31, 0xd6, 0xcf, 0xe0, 0xd1, 0x6a, 0xe9, 0x31, 0xb7, 0x3c, 0x59,
- 0xd7, 0xe0, 0xc0, 0x89, 0xc0}},
- {"a",
- {0xbd, 0xe5, 0x2c, 0xb3, 0x1d, 0xe3, 0x3e, 0x46, 0x24, 0x5e, 0x05,
- 0xfb, 0xdb, 0xd6, 0xfb, 0x24}},
- {"abc",
- {0xa4, 0x48, 0x01, 0x7a, 0xaf, 0x21, 0xd8, 0x52, 0x5f, 0xc1, 0x0a, 0xe8, 0x7a, 0xa6, 0x72, 0x9d}},
- {"message digest",
- {0xd9, 0x13, 0x0a, 0x81, 0x64, 0x54, 0x9f, 0xe8, 0x18, 0x87, 0x48, 0x06, 0xe1, 0xc7, 0x01, 0x4b}},
- {"abcdefghijklmnopqrstuvwxyz", {0xd7, 0x9e, 0x1c, 0x30, 0x8a, 0xa5, 0xbb, 0xcd, 0xee, 0xa8, 0xed, 0x63, 0xdf, 0x41, 0x2d, 0xa9, }},
- {"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
- {0x04, 0x3f, 0x85, 0x82, 0xf2, 0x41, 0xdb, 0x35, 0x1c, 0xe6, 0x27, 0xe1, 0x53, 0xe7, 0xf0, 0xe4}},
- {"12345678901234567890123456789012345678901234567890123456789012345678901234567890",
- {0xe3, 0x3b, 0x4d, 0xdc, 0x9c, 0x38, 0xf2, 0x19, 0x9c, 0x3e, 0x7b, 0x16, 0x4f, 0xcc, 0x05, 0x36, }},
- {NULL, { 0x0 }}};
-
-struct test md5_tests[] = {
- {"", {0xd4, 0x1d, 0x8c, 0xd9, 0x8f, 0x00, 0xb2, 0x04, 0xe9, 0x80, 0x09, 0x98, 0xec, 0xf8, 0x42, 0x7e}},
- {"a", {0x0c, 0xc1, 0x75, 0xb9, 0xc0, 0xf1, 0xb6, 0xa8, 0x31, 0xc3, 0x99, 0xe2, 0x69, 0x77, 0x26, 0x61}},
- {"abc", {0x90, 0x01, 0x50, 0x98, 0x3c, 0xd2, 0x4f, 0xb0, 0xd6, 0x96, 0x3f, 0x7d, 0x28, 0xe1, 0x7f, 0x72}},
- {"message digest", {0xf9, 0x6b, 0x69, 0x7d, 0x7c, 0xb7, 0x93, 0x8d, 0x52, 0x5a, 0x2f, 0x31, 0xaa, 0xf1, 0x61, 0xd0}},
- {"abcdefghijklmnopqrstuvwxyz", {0xc3, 0xfc, 0xd3, 0xd7, 0x61, 0x92, 0xe4, 0x00, 0x7d, 0xfb, 0x49, 0x6c, 0xca, 0x67, 0xe1, 0x3b}},
- {"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", {0xd1, 0x74, 0xab, 0x98, 0xd2, 0x77, 0xd9, 0xf5, 0xa5, 0x61, 0x1c, 0x2c, 0x9f, 0x41, 0x9d, 0x9f}},
- {"12345678901234567890123456789012345678901234567890123456789012345678901234567890", {0x57, 0xed, 0xf4, 0xa2, 0x2b, 0xe3, 0xc9, 0x55, 0xac, 0x49, 0xda, 0x2e, 0x21, 0x07, 0xb6, 0x7a}},
- {NULL, { 0x0 }}};
-
-struct test sha1_tests[] = {
- { "abc",
- {0xA9, 0x99, 0x3E, 0x36, 0x47, 0x06, 0x81, 0x6A,
- 0xBA, 0x3E, 0x25, 0x71, 0x78, 0x50, 0xC2, 0x6C,
- 0x9C, 0xD0, 0xD8, 0x9D}},
- { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
- {0x84, 0x98, 0x3E, 0x44, 0x1C, 0x3B, 0xD2, 0x6E,
- 0xBA, 0xAE, 0x4A, 0xA1, 0xF9, 0x51, 0x29, 0xE5,
- 0xE5, 0x46, 0x70, 0xF1}},
- { ONE_MILLION_A,
- {0x34, 0xaa, 0x97, 0x3c, 0xd4, 0xc4, 0xda, 0xa4,
- 0xf6, 0x1e, 0xeb, 0x2b, 0xdb, 0xad, 0x27, 0x31,
- 0x65, 0x34, 0x01, 0x6f}},
- { NULL }
-};
-
-#ifdef HAVE_SHA256
-struct test sha256_tests[] = {
- { "abc",
- { 0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea,
- 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23,
- 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c,
- 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad }},
- { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
- { 0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8,
- 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39,
- 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67,
- 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1 }},
- { ONE_MILLION_A,
- {0xcd,0xc7,0x6e,0x5c, 0x99,0x14,0xfb,0x92,
- 0x81,0xa1,0xc7,0xe2, 0x84,0xd7,0x3e,0x67,
- 0xf1,0x80,0x9a,0x48, 0xa4,0x97,0x20,0x0e,
- 0x04,0x6d,0x39,0xcc, 0xc7,0x11,0x2c,0xd0 }},
- { NULL }
-};
-#endif
-#ifdef HAVE_SHA384
-struct test sha384_tests[] = {
- { "abc",
- { 0xcb,0x00,0x75,0x3f,0x45,0xa3,0x5e,0x8b,
- 0xb5,0xa0,0x3d,0x69,0x9a,0xc6,0x50,0x07,
- 0x27,0x2c,0x32,0xab,0x0e,0xde,0xd1,0x63,
- 0x1a,0x8b,0x60,0x5a,0x43,0xff,0x5b,0xed,
- 0x80,0x86,0x07,0x2b,0xa1,0xe7,0xcc,0x23,
- 0x58,0xba,0xec,0xa1,0x34,0xc8,0x25,0xa7}},
- { "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmno"
- "ijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu",
- { 0x09,0x33,0x0c,0x33,0xf7,0x11,0x47,0xe8,
- 0x3d,0x19,0x2f,0xc7,0x82,0xcd,0x1b,0x47,
- 0x53,0x11,0x1b,0x17,0x3b,0x3b,0x05,0xd2,
- 0x2f,0xa0,0x80,0x86,0xe3,0xb0,0xf7,0x12,
- 0xfc,0xc7,0xc7,0x1a,0x55,0x7e,0x2d,0xb9,
- 0x66,0xc3,0xe9,0xfa,0x91,0x74,0x60,0x39}},
- { ONE_MILLION_A,
- { 0x9d,0x0e,0x18,0x09,0x71,0x64,0x74,0xcb,
- 0x08,0x6e,0x83,0x4e,0x31,0x0a,0x4a,0x1c,
- 0xed,0x14,0x9e,0x9c,0x00,0xf2,0x48,0x52,
- 0x79,0x72,0xce,0xc5,0x70,0x4c,0x2a,0x5b,
- 0x07,0xb8,0xb3,0xdc,0x38,0xec,0xc4,0xeb,
- 0xae,0x97,0xdd,0xd8,0x7f,0x3d,0x89,0x85}},
- {NULL}
-};
-#endif
-#ifdef HAVE_SHA512
-struct test sha512_tests[] = {
- { "abc",
- { 0xdd,0xaf,0x35,0xa1,0x93,0x61,0x7a,0xba,
- 0xcc,0x41,0x73,0x49,0xae,0x20,0x41,0x31,
- 0x12,0xe6,0xfa,0x4e,0x89,0xa9,0x7e,0xa2,
- 0x0a,0x9e,0xee,0xe6,0x4b,0x55,0xd3,0x9a,
- 0x21,0x92,0x99,0x2a,0x27,0x4f,0xc1,0xa8,
- 0x36,0xba,0x3c,0x23,0xa3,0xfe,0xeb,0xbd,
- 0x45,0x4d,0x44,0x23,0x64,0x3c,0xe8,0x0e,
- 0x2a,0x9a,0xc9,0x4f,0xa5,0x4c,0xa4,0x9f }},
- { "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmno"
- "ijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu",
- { 0x8e,0x95,0x9b,0x75,0xda,0xe3,0x13,0xda,
- 0x8c,0xf4,0xf7,0x28,0x14,0xfc,0x14,0x3f,
- 0x8f,0x77,0x79,0xc6,0xeb,0x9f,0x7f,0xa1,
- 0x72,0x99,0xae,0xad,0xb6,0x88,0x90,0x18,
- 0x50,0x1d,0x28,0x9e,0x49,0x00,0xf7,0xe4,
- 0x33,0x1b,0x99,0xde,0xc4,0xb5,0x43,0x3a,
- 0xc7,0xd3,0x29,0xee,0xb6,0xdd,0x26,0x54,
- 0x5e,0x96,0xe5,0x5b,0x87,0x4b,0xe9,0x09 }},
- { ONE_MILLION_A,
- { 0xe7,0x18,0x48,0x3d,0x0c,0xe7,0x69,0x64,
- 0x4e,0x2e,0x42,0xc7,0xbc,0x15,0xb4,0x63,
- 0x8e,0x1f,0x98,0xb1,0x3b,0x20,0x44,0x28,
- 0x56,0x32,0xa8,0x03,0xaf,0xa9,0x73,0xeb,
- 0xde,0x0f,0xf2,0x44,0x87,0x7e,0xa6,0x0a,
- 0x4c,0xb0,0x43,0x2c,0xe5,0x77,0xc3,0x1b,
- 0xeb,0x00,0x9c,0x5c,0x2c,0x49,0xaa,0x2e,
- 0x4e,0xad,0xb2,0x17,0xad,0x8c,0xc0,0x9b }},
- { NULL }
-};
-#endif
-
-static int
-hash_test (struct hash_foo *hash, struct test *tests)
-{
- struct test *t;
- void *ctx = malloc(hash->psize);
- unsigned char *res = malloc(hash->hsize);
-
- printf ("%s... ", hash->name);
- for (t = tests; t->str; ++t) {
- char buf[1000];
-
- (*hash->init)(ctx);
- if(strcmp(t->str, ONE_MILLION_A) == 0) {
- int i;
- memset(buf, 'a', sizeof(buf));
- for(i = 0; i < 1000; i++)
- (*hash->update)(ctx, buf, sizeof(buf));
- } else
- (*hash->update)(ctx, (unsigned char *)t->str, strlen(t->str));
- (*hash->final) (res, ctx);
- if (memcmp (res, t->hash, hash->hsize) != 0) {
- int i;
-
- printf ("%s(\"%s\") failed\n", hash->name, t->str);
- printf("should be: ");
- for(i = 0; i < hash->hsize; ++i) {
- if(i > 0 && (i % 16) == 0)
- printf("\n ");
- printf("%02x ", t->hash[i]);
- }
- printf("\nresult was: ");
- for(i = 0; i < hash->hsize; ++i) {
- if(i > 0 && (i % 16) == 0)
- printf("\n ");
- printf("%02x ", res[i]);
- }
- printf("\n");
- return 1;
- }
- }
- printf ("success\n");
- return 0;
-}
-
-int
-main (void)
-{
- return hash_test(&md4, md4_tests) +
- hash_test(&md5, md5_tests) +
- hash_test(&sha1, sha1_tests)
-#ifdef HAVE_SHA256
- + hash_test(&sha256, sha256_tests)
-#endif
-#ifdef HAVE_SHA384
- + hash_test(&sha384, sha384_tests)
-#endif
-#ifdef HAVE_SHA512
- + hash_test(&sha512, sha512_tests)
-#endif
- ;
-}
diff --git a/crypto/heimdal-0.6.3/lib/des/ncbc_enc.c b/crypto/heimdal-0.6.3/lib/des/ncbc_enc.c
deleted file mode 100644
index 4a972ac546..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/ncbc_enc.c
+++ /dev/null
@@ -1,141 +0,0 @@
-/* crypto/des/ncbc_enc.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@mincom.oz.au)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@mincom.oz.au).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@mincom.oz.au).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@mincom.oz.au)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@mincom.oz.au)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include "des_locl.h"
-
-void des_ncbc_encrypt(input, output, length, schedule, ivec, encrypt)
-des_cblock (*input);
-des_cblock (*output);
-long length;
-des_key_schedule schedule;
-des_cblock (*ivec);
-int encrypt;
- {
- register DES_LONG tin0,tin1;
- register DES_LONG tout0,tout1,xor0,xor1;
- register unsigned char *in,*out;
- register long l=length;
- DES_LONG tin[2];
- unsigned char *iv;
-
- in=(unsigned char *)input;
- out=(unsigned char *)output;
- iv=(unsigned char *)ivec;
-
- if (encrypt)
- {
- c2l(iv,tout0);
- c2l(iv,tout1);
- for (l-=8; l>=0; l-=8)
- {
- c2l(in,tin0);
- c2l(in,tin1);
- tin0^=tout0; tin[0]=tin0;
- tin1^=tout1; tin[1]=tin1;
- des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT);
- tout0=tin[0]; l2c(tout0,out);
- tout1=tin[1]; l2c(tout1,out);
- }
- if (l != -8)
- {
- c2ln(in,tin0,tin1,l+8);
- tin0^=tout0; tin[0]=tin0;
- tin1^=tout1; tin[1]=tin1;
- des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT);
- tout0=tin[0]; l2c(tout0,out);
- tout1=tin[1]; l2c(tout1,out);
- }
- iv=(unsigned char *)ivec;
- l2c(tout0,iv);
- l2c(tout1,iv);
- }
- else
- {
- c2l(iv,xor0);
- c2l(iv,xor1);
- for (l-=8; l>=0; l-=8)
- {
- c2l(in,tin0); tin[0]=tin0;
- c2l(in,tin1); tin[1]=tin1;
- des_encrypt((DES_LONG *)tin,schedule,DES_DECRYPT);
- tout0=tin[0]^xor0;
- tout1=tin[1]^xor1;
- l2c(tout0,out);
- l2c(tout1,out);
- xor0=tin0;
- xor1=tin1;
- }
- if (l != -8)
- {
- c2l(in,tin0); tin[0]=tin0;
- c2l(in,tin1); tin[1]=tin1;
- des_encrypt((DES_LONG *)tin,schedule,DES_DECRYPT);
- tout0=tin[0]^xor0;
- tout1=tin[1]^xor1;
- l2cn(tout0,tout1,out,l+8);
- xor0=tin0;
- xor1=tin1;
- }
- iv=(unsigned char *)ivec;
- l2c(xor0,iv);
- l2c(xor1,iv);
- }
- tin0=tin1=tout0=tout1=xor0=xor1=0;
- tin[0]=tin[1]=0;
- }
-
diff --git a/crypto/heimdal-0.6.3/lib/des/ofb64ede.c b/crypto/heimdal-0.6.3/lib/des/ofb64ede.c
deleted file mode 100644
index b33deef10e..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/ofb64ede.c
+++ /dev/null
@@ -1,131 +0,0 @@
-/* crypto/des/ofb64ede.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@mincom.oz.au)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@mincom.oz.au).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@mincom.oz.au).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@mincom.oz.au)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@mincom.oz.au)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include "des_locl.h"
-
-/* The input and output encrypted as though 64bit ofb mode is being
- * used. The extra state information to record how much of the
- * 64bit block we have used is contained in *num;
- */
-void des_ede3_ofb64_encrypt(in, out, length, k1,k2,k3, ivec, num)
-register unsigned char *in;
-register unsigned char *out;
-long length;
-des_key_schedule k1,k2,k3;
-des_cblock (*ivec);
-int *num;
- {
- register DES_LONG v0,v1;
- register int n= *num;
- register long l=length;
- des_cblock d;
- register char *dp;
- DES_LONG ti[2];
- unsigned char *iv;
- int save=0;
-
- iv=(unsigned char *)ivec;
- c2l(iv,v0);
- c2l(iv,v1);
- ti[0]=v0;
- ti[1]=v1;
- dp=(char *)d;
- l2c(v0,dp);
- l2c(v1,dp);
- while (l--)
- {
- if (n == 0)
- {
- ti[0]=v0;
- ti[1]=v1;
- des_encrypt3((DES_LONG *)ti,k1,k2,k3);
- v0=ti[0];
- v1=ti[1];
-
- dp=(char *)d;
- l2c(v0,dp);
- l2c(v1,dp);
- save++;
- }
- *(out++)= *(in++)^d[n];
- n=(n+1)&0x07;
- }
- if (save)
- {
-/* v0=ti[0];
- v1=ti[1];*/
- iv=(unsigned char *)ivec;
- l2c(v0,iv);
- l2c(v1,iv);
- }
- v0=v1=ti[0]=ti[1]=0;
- *num=n;
- }
-
-#ifdef undef /* MACRO */
-void des_ede2_ofb64_encrypt(in, out, length, k1,k2, ivec, num)
-register unsigned char *in;
-register unsigned char *out;
-long length;
-des_key_schedule k1,k2;
-des_cblock (*ivec);
-int *num;
- {
- des_ede3_ofb64_encrypt(in, out, length, k1,k2,k1, ivec, num);
- }
-#endif
diff --git a/crypto/heimdal-0.6.3/lib/des/ofb64enc.c b/crypto/heimdal-0.6.3/lib/des/ofb64enc.c
deleted file mode 100644
index 041f5b52b8..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/ofb64enc.c
+++ /dev/null
@@ -1,114 +0,0 @@ -/* crypto/des/ofb64enc.c */ -/* Copyright (C) 1995-1997 Eric Young (eay@mincom.oz.au) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@mincom.oz.au). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@mincom.oz.au). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@mincom.oz.au)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. 
If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@mincom.oz.au)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include "des_locl.h" - -/* The input and output encrypted as though 64bit ofb mode is being - * used. 
The extra state information to record how much of the - * 64bit block we have used is contained in *num; - */ -void des_ofb64_encrypt(in, out, length, schedule, ivec, num) -register unsigned char *in; -register unsigned char *out; -long length; -des_key_schedule schedule; -des_cblock (*ivec); -int *num; - { - register DES_LONG v0,v1,t; - register int n= *num; - register long l=length; - des_cblock d; - register char *dp; - DES_LONG ti[2]; - unsigned char *iv; - int save=0; - - iv=(unsigned char *)ivec; - c2l(iv,v0); - c2l(iv,v1); - ti[0]=v0; - ti[1]=v1; - dp=(char *)d; - l2c(v0,dp); - l2c(v1,dp); - while (l--) - { - if (n == 0) - { - des_encrypt((DES_LONG *)ti,schedule,DES_ENCRYPT); - dp=(char *)d; - t=ti[0]; l2c(t,dp); - t=ti[1]; l2c(t,dp); - save++; - } - *(out++)= *(in++)^d[n]; - n=(n+1)&0x07; - } - if (save) - { - v0=ti[0]; - v1=ti[1]; - iv=(unsigned char *)ivec; - l2c(v0,iv); - l2c(v1,iv); - } - t=v0=v1=ti[0]=ti[1]=0; - *num=n; - } - diff --git a/crypto/heimdal-0.6.3/lib/des/ofb_enc.c b/crypto/heimdal-0.6.3/lib/des/ofb_enc.c deleted file mode 100644 index d0506100d8..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/ofb_enc.c +++ /dev/null 
@@ -1,122 +0,0 @@ -/* crypto/des/ofb_enc.c */ -/* Copyright (C) 1995-1997 Eric Young (eay@mincom.oz.au) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@mincom.oz.au). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@mincom.oz.au). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@mincom.oz.au)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. 
If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@mincom.oz.au)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include "des_locl.h" - -/* The input and output are loaded in multiples of 8 bits. - * What this means is that if you hame numbits=12 and length=2 - * the first 12 bits will be retrieved from the first byte and half - * the second. The second 12 bits will come from the 3rd and half the 4th - * byte. 
- */ -void des_ofb_encrypt(in, out, numbits, length, schedule, ivec) -unsigned char *in; -unsigned char *out; -int numbits; -long length; -des_key_schedule schedule; -des_cblock (*ivec); - { - register DES_LONG d0,d1,v0,v1,n=(numbits+7)/8; - register DES_LONG mask0,mask1; - register long l=length; - register int num=numbits; - DES_LONG ti[2]; - unsigned char *iv; - - if (num > 64) return; - if (num > 32) - { - mask0=0xffffffffL; - if (num >= 64) - mask1=mask0; - else - mask1=(1L<<(num-32))-1; - } - else - { - if (num == 32) - mask0=0xffffffffL; - else - mask0=(1L< 0) - { - des_encrypt((DES_LONG *)ti,schedule,DES_ENCRYPT); - c2ln(in,d0,d1,n); - in+=n; - d0=(d0^ti[0])&mask0; - d1=(d1^ti[1])&mask1; - l2cn(d0,d1,out,n); - out+=n; - } - v0=ti[0]; - v1=ti[1]; - iv=(unsigned char *)ivec; - l2c(v0,iv); - l2c(v1,iv); - v0=v1=d0=d1=ti[0]=ti[1]=0; - } - diff --git a/crypto/heimdal-0.6.3/lib/des/passwd_dialog.aps b/crypto/heimdal-0.6.3/lib/des/passwd_dialog.aps deleted file mode 100644 index c90d030918..0000000000 Binary files a/crypto/heimdal-0.6.3/lib/des/passwd_dialog.aps and /dev/null differ diff --git a/crypto/heimdal-0.6.3/lib/des/passwd_dialog.clw b/crypto/heimdal-0.6.3/lib/des/passwd_dialog.clw deleted file mode 100644 index f3451af3fd..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/passwd_dialog.clw +++ /dev/null 
@@ -1,34 +0,0 @@ -; CLW file contains information for the MFC ClassWizard - -[General Info] -Version=1 -LastClass= -LastTemplate=CDialog -NewFileInclude1=#include "stdafx.h" -NewFileInclude2=#include "passwd_dialog.h" -LastPage=0 - -ClassCount=0 - -ResourceCount=2 -Resource1=IDD_DIALOG1 -Resource2=IDD_PASSWD_DIALOG - -[DLG:IDD_DIALOG1] -Type=1 -ControlCount=6 -Control1=IDOK,button,1342242817 -Control2=IDCANCEL,button,1342242816 -Control3=IDC_STATIC,static,1342308352 -Control4=IDC_STATIC,static,1342308352 -Control5=IDC_EDIT1,edit,1350631552 -Control6=IDC_EDIT2,edit,1350631584 - -[DLG:IDD_PASSWD_DIALOG] -Type=1 -ControlCount=4 -Control1=IDC_PASSWD_EDIT,edit,1350631456 -Control2=IDOK,button,1342242817 -Control3=IDCANCEL,button,1342242816 -Control4=IDC_STATIC,static,1342177280 - diff --git a/crypto/heimdal-0.6.3/lib/des/passwd_dialog.rc b/crypto/heimdal-0.6.3/lib/des/passwd_dialog.rc deleted file mode 100644 index 62079f2aee..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/passwd_dialog.rc +++ /dev/null 
@@ -1,143 +0,0 @@ -//Microsoft Developer Studio generated resource script. -// -#include "resource.h" - -#define APSTUDIO_READONLY_SYMBOLS -///////////////////////////////////////////////////////////////////////////// -// -// Generated from the TEXTINCLUDE 2 resource. -// -#include "afxres.h" - -///////////////////////////////////////////////////////////////////////////// -#undef APSTUDIO_READONLY_SYMBOLS - -///////////////////////////////////////////////////////////////////////////// -// Swedish resources - -#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_SVE) -#ifdef _WIN32 -LANGUAGE LANG_SWEDISH, SUBLANG_DEFAULT -#pragma code_page(1252) -#endif //_WIN32 - -///////////////////////////////////////////////////////////////////////////// -// -// Dialog -// - -IDD_PASSWD_DIALOG DIALOG DISCARDABLE 0, 0, 186, 66 -STYLE DS_ABSALIGN | DS_MODALFRAME | DS_SETFOREGROUND | DS_CENTER | WS_POPUP | - WS_VISIBLE | WS_CAPTION -CAPTION "Password query" -FONT 8, "MS Sans Serif" -BEGIN - EDITTEXT IDC_PASSWD_EDIT,30,22,125,14,ES_PASSWORD - DEFPUSHBUTTON "OK",IDOK,30,45,50,14 - PUSHBUTTON "Cancel",IDCANCEL,105,45,50,14 - LTEXT "Please insert password:",IDC_STATIC,30,13,87,8,NOT - WS_GROUP -END - - -///////////////////////////////////////////////////////////////////////////// -// -// DESIGNINFO -// - -#ifdef APSTUDIO_INVOKED -GUIDELINES DESIGNINFO DISCARDABLE -BEGIN - IDD_PASSWD_DIALOG, DIALOG - BEGIN - LEFTMARGIN, 7 - RIGHTMARGIN, 179 - TOPMARGIN, 7 - BOTTOMMARGIN, 59 - END -END -#endif // APSTUDIO_INVOKED - - -#ifdef APSTUDIO_INVOKED -///////////////////////////////////////////////////////////////////////////// -// -// TEXTINCLUDE -// - -1 TEXTINCLUDE DISCARDABLE -BEGIN - "resource.h\0" -END - -2 TEXTINCLUDE DISCARDABLE -BEGIN - "#include ""afxres.h""\r\n" - "\0" -END - -3 TEXTINCLUDE DISCARDABLE -BEGIN - "\r\n" - "\0" -END - -#endif // APSTUDIO_INVOKED - - -#ifndef _MAC -///////////////////////////////////////////////////////////////////////////// -// -// Version -// - 
-VS_VERSION_INFO VERSIONINFO - FILEVERSION 1,0,0,1 - PRODUCTVERSION 1,0,0,1 - FILEFLAGSMASK 0x3fL -#ifdef _DEBUG - FILEFLAGS 0x1L -#else - FILEFLAGS 0x0L -#endif - FILEOS 0x40004L - FILETYPE 0x2L - FILESUBTYPE 0x0L -BEGIN - BLOCK "StringFileInfo" - BEGIN - BLOCK "040904b0" - BEGIN - VALUE "CompanyName", "Royal Institute of Technology (KTH)\0" - VALUE "FileDescription", "des\0" - VALUE "FileVersion", "4, 0, 9, 9\0" - VALUE "InternalName", "des\0" - VALUE "LegalCopyright", "Copyright © 1996 - 1998 Royal Institute of Technology (KTH)\0" - VALUE "OriginalFilename", "des.dll\0" - VALUE "ProductName", "KTH Kerberos\0" - VALUE "ProductVersion", "4,0,9,9\0" - END - END - BLOCK "VarFileInfo" - BEGIN - VALUE "Translation", 0x409, 1200 - END -END - -#endif // !_MAC - -#endif // Swedish resources -///////////////////////////////////////////////////////////////////////////// - - - -#ifndef APSTUDIO_INVOKED -///////////////////////////////////////////////////////////////////////////// -// -// Generated from the TEXTINCLUDE 3 resource. -// - - -///////////////////////////////////////////////////////////////////////////// -#endif // not APSTUDIO_INVOKED - diff --git a/crypto/heimdal-0.6.3/lib/des/passwd_dialog.res b/crypto/heimdal-0.6.3/lib/des/passwd_dialog.res deleted file mode 100644 index bdb2868700..0000000000 Binary files a/crypto/heimdal-0.6.3/lib/des/passwd_dialog.res and /dev/null differ diff --git a/crypto/heimdal-0.6.3/lib/des/passwd_dlg.c b/crypto/heimdal-0.6.3/lib/des/passwd_dlg.c deleted file mode 100644 index bf5bc92582..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/passwd_dlg.c +++ /dev/null 
@@ -1,92 +0,0 @@ -/* - * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -/* passwd_dlg.c - Dialog boxes for Windows95/NT - * Author: Jörgen Karlsson - d93-jka@nada.kth.se - * Date: June 1996 - */ - -#ifdef HAVE_CONFIG_H -#include -RCSID("$Id: passwd_dlg.c,v 1.8 1999/12/02 16:58:39 joda Exp $"); -#endif - -#ifdef WIN32 /* Visual C++ 4.0 (Windows95/NT) */ -#include -#include "passwd_dlg.h" -#include "Resource.h" -#define passwdBufSZ 64 - -char passwd[passwdBufSZ]; - -BOOL CALLBACK -pwd_dialog_proc(HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lParam) -{ - switch(uMsg) - { - case WM_COMMAND: - switch(wParam) - { - case IDOK: - if(!GetDlgItemText(hwndDlg,IDC_PASSWD_EDIT, passwd, passwdBufSZ)) - EndDialog(hwndDlg, IDCANCEL); - case IDCANCEL: - EndDialog(hwndDlg, wParam); - return TRUE; - } - } - return FALSE; -} - - -/* return 0 if ok, 1 otherwise */ -int -pwd_dialog(char *buf, int size) -{ - int i; - HWND wnd = GetActiveWindow(); - HANDLE hInst = GetModuleHandle("des"); - switch(DialogBox(hInst,MAKEINTRESOURCE(IDD_PASSWD_DIALOG),wnd,pwd_dialog_proc)) - { - case IDOK: - strlcpy(buf, passwd, size); - memset (passwd, 0, sizeof(passwd)); - return 0; - case IDCANCEL: - default: - memset (passwd, 0, sizeof(passwd)); - return 1; - } -} - -#endif /* WIN32 */ diff --git a/crypto/heimdal-0.6.3/lib/des/passwd_dlg.h b/crypto/heimdal-0.6.3/lib/des/passwd_dlg.h deleted file mode 100644 index 5600e96d23..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/passwd_dlg.h +++ /dev/null 
@@ -1,47 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* passwd_dlg.h - Dialog boxes for Windows95/NT
- * Author: Jörgen Karlsson - d93-jka@nada.kth.se
- * Date: June 1996
- */
-
-/* $Id: passwd_dlg.h,v 1.6 1999/12/02 16:58:39 joda Exp $ */
-
-#ifndef PASSWD_DLG_H
-#define PASSWD_DLG_H
-
-int pwd_dialog(char *buf, int size);
-
-
-#endif /* PASSWD_DLG_H */
diff --git a/crypto/heimdal-0.6.3/lib/des/pcbc_enc.c b/crypto/heimdal-0.6.3/lib/des/pcbc_enc.c
deleted file mode 100644
index cb2e785cfb..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/pcbc_enc.c
+++ /dev/null
@@ -1,126 +0,0 @@ -/* crypto/des/pcbc_enc.c */ -/* Copyright (C) 1995-1997 Eric Young (eay@mincom.oz.au) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@mincom.oz.au). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@mincom.oz.au). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@mincom.oz.au)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. 
If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@mincom.oz.au)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] 
- */ - -#include "des_locl.h" - -void des_pcbc_encrypt(input, output, length, schedule, ivec, encrypt) -des_cblock (*input); -des_cblock (*output); -long length; -des_key_schedule schedule; -des_cblock (*ivec); -int encrypt; - { - register DES_LONG sin0,sin1,xor0,xor1,tout0,tout1; - DES_LONG tin[2]; - unsigned char *in,*out,*iv; - - in=(unsigned char *)input; - out=(unsigned char *)output; - iv=(unsigned char *)ivec; - - if (encrypt) - { - c2l(iv,xor0); - c2l(iv,xor1); - for (; length>0; length-=8) - { - if (length >= 8) - { - c2l(in,sin0); - c2l(in,sin1); - } - else - c2ln(in,sin0,sin1,length); - tin[0]=sin0^xor0; - tin[1]=sin1^xor1; - des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT); - tout0=tin[0]; - tout1=tin[1]; - xor0=sin0^tout0; - xor1=sin1^tout1; - l2c(tout0,out); - l2c(tout1,out); - } - } - else - { - c2l(iv,xor0); c2l(iv,xor1); - for (; length>0; length-=8) - { - c2l(in,sin0); - c2l(in,sin1); - tin[0]=sin0; - tin[1]=sin1; - des_encrypt((DES_LONG *)tin,schedule,DES_DECRYPT); - tout0=tin[0]^xor0; - tout1=tin[1]^xor1; - if (length >= 8) - { - l2c(tout0,out); - l2c(tout1,out); - } - else - l2cn(tout0,tout1,out,length); - xor0=tout0^sin0; - xor1=tout1^sin1; - } - } - tin[0]=tin[1]=0; - sin0=sin1=xor0=xor1=tout0=tout1=0; - } diff --git a/crypto/heimdal-0.6.3/lib/des/podd.h b/crypto/heimdal-0.6.3/lib/des/podd.h deleted file mode 100644 index c984a3490d..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/podd.h +++ /dev/null 
@@ -1,75 +0,0 @@ -/* crypto/des/podd.h */ -/* Copyright (C) 1995-1997 Eric Young (eay@mincom.oz.au) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@mincom.oz.au). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@mincom.oz.au). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@mincom.oz.au)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. 
If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@mincom.oz.au)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] 
- */ - -static const unsigned char odd_parity[256]={ - 1, 1, 2, 2, 4, 4, 7, 7, 8, 8, 11, 11, 13, 13, 14, 14, - 16, 16, 19, 19, 21, 21, 22, 22, 25, 25, 26, 26, 28, 28, 31, 31, - 32, 32, 35, 35, 37, 37, 38, 38, 41, 41, 42, 42, 44, 44, 47, 47, - 49, 49, 50, 50, 52, 52, 55, 55, 56, 56, 59, 59, 61, 61, 62, 62, - 64, 64, 67, 67, 69, 69, 70, 70, 73, 73, 74, 74, 76, 76, 79, 79, - 81, 81, 82, 82, 84, 84, 87, 87, 88, 88, 91, 91, 93, 93, 94, 94, - 97, 97, 98, 98,100,100,103,103,104,104,107,107,109,109,110,110, -112,112,115,115,117,117,118,118,121,121,122,122,124,124,127,127, -128,128,131,131,133,133,134,134,137,137,138,138,140,140,143,143, -145,145,146,146,148,148,151,151,152,152,155,155,157,157,158,158, -161,161,162,162,164,164,167,167,168,168,171,171,173,173,174,174, -176,176,179,179,181,181,182,182,185,185,186,186,188,188,191,191, -193,193,194,194,196,196,199,199,200,200,203,203,205,205,206,206, -208,208,211,211,213,213,214,214,217,217,218,218,220,220,223,223, -224,224,227,227,229,229,230,230,233,233,234,234,236,236,239,239, -241,241,242,242,244,244,247,247,248,248,251,251,253,253,254,254}; diff --git a/crypto/heimdal-0.6.3/lib/des/qud_cksm.c b/crypto/heimdal-0.6.3/lib/des/qud_cksm.c deleted file mode 100644 index 783274854f..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/qud_cksm.c +++ /dev/null 
@@ -1,143 +0,0 @@ -/* crypto/des/qud_cksm.c */ -/* Copyright (C) 1995-1997 Eric Young (eay@mincom.oz.au) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@mincom.oz.au). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@mincom.oz.au). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@mincom.oz.au)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. 
If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@mincom.oz.au)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -/* From "Message Authentication" R.R. Jueneman, S.M. Matyas, C.H. Meyer - * IEEE Communications Magazine Sept 1985 Vol. 23 No. 9 p 29-40 - * This module in only based on the code in this paper and is - * almost definitely not the same as the MIT implementation. 
- */ -#include "des_locl.h" - -/* bug fix for dos - 7/6/91 - Larry hughes@logos.ucs.indiana.edu */ -#define Q_B0(a) (((DES_LONG)(a))) -#define Q_B1(a) (((DES_LONG)(a))<<8) -#define Q_B2(a) (((DES_LONG)(a))<<16) -#define Q_B3(a) (((DES_LONG)(a))<<24) - -/* used to scramble things a bit */ -/* Got the value MIT uses via brute force :-) 2/10/90 eay */ -#define NOISE ((DES_LONG)83653421L) - -DES_LONG des_quad_cksum(input, output, length, out_count, seed) - des_cblock (*input); - des_cblock (*output); - long length; - int out_count; - des_cblock (*seed); -{ - DES_LONG z0,z1,t0,t1; - int i; - long l; -#ifdef _CRAY - typedef struct { - unsigned int a:32; - unsigned int b:32; - } XXX; -#else - typedef DES_LONG XXX; -#endif - unsigned char *cp; - XXX *lp; - - if (out_count < 1) out_count=1; - lp=(XXX*)output; - - z0=Q_B0((*seed)[0])|Q_B1((*seed)[1])|Q_B2((*seed)[2])|Q_B3((*seed)[3]); - z1=Q_B0((*seed)[4])|Q_B1((*seed)[5])|Q_B2((*seed)[6])|Q_B3((*seed)[7]); - - for (i=0; ((i<4)&&(i 0) - { - if (l > 1) - { - t0= (DES_LONG)(*(cp++)); - t0|=(DES_LONG)Q_B1(*(cp++)); - l--; - } - else - t0= (DES_LONG)(*(cp++)); - l--; - /* add */ - t0+=z0; - t0&=0xffffffffL; - t1=z1; - /* square, well sort of square */ - z0=((((t0*t0)&0xffffffffL)+((t1*t1)&0xffffffffL)) - &0xffffffffL)%0x7fffffffL; - z1=((t0*((t1+NOISE)&0xffffffffL))&0xffffffffL)%0x7fffffffL; - } - if (lp != NULL) - { - /* The MIT library assumes that the checksum is - * composed of 2*out_count 32 bit ints */ -#ifdef _CRAY - lp->a = z0; - lp->b = z1; - lp++; -#else - *lp++ = (XXX)z0; - *lp++ = (XXX)z1; -#endif - } - } - return(z0); -} - diff --git a/crypto/heimdal-0.6.3/lib/des/rand_key.c b/crypto/heimdal-0.6.3/lib/des/rand_key.c deleted file mode 100644 index fd4c5ef4d6..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/rand_key.c +++ /dev/null 
@@ -1,121 +0,0 @@
-/* crypto/des/rand_key.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@mincom.oz.au)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@mincom.oz.au).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@mincom.oz.au).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@mincom.oz.au)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@mincom.oz.au)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include "des_locl.h"
-#include
-
-static int seed=0;
-static des_cblock init;
-
-void des_random_seed(key)
-des_cblock key;
- {
- memcpy(init,key,sizeof(des_cblock));
- seed=1;
- }
-
-/* Old source */
-/*
-void des_random_key(ret)
-unsigned char *ret;
- {
- des_key_schedule ks;
- static DES_LONG c=0;
- static unsigned short pid=0;
- static des_cblock data={0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef};
- des_cblock key;
- unsigned char *p;
- DES_LONG t;
- int i;
-
-#if defined(MSDOS) || defined(WIN32)
- pid=1;
-#else
- if (!pid) pid=getpid();
-#endif
- p=key;
- if (seed)
- {
- for (i=0; i<8; i++)
- {
- data[i] ^= init[i];
- init[i]=0;
- }
- seed=0;
- }
- t=(DES_LONG)time(NULL);
- l2c(t,p);
- t=(DES_LONG)((pid)|((c++)<<16));
- l2c(t,p);
-
- des_set_odd_parity((des_cblock *)data);
- des_set_key((des_cblock *)data,ks);
- des_cbc_cksum((des_cblock *)key,(des_cblock *)key,
- (long)sizeof(key),ks,(des_cblock *)data);
-
- des_set_odd_parity((des_cblock *)key);
- des_set_key((des_cblock *)key,ks);
- des_cbc_cksum((des_cblock *)key,(des_cblock *)data,
- (long)sizeof(key),ks,(des_cblock *)key);
-
- memcpy(ret,data,sizeof(key));
- memset(key,0,sizeof(key));
- memset(ks,0,sizeof(ks));
- t=0;
- }
-*/
diff --git a/crypto/heimdal-0.6.3/lib/des/rc4.h b/crypto/heimdal-0.6.3/lib/des/rc4.h
deleted file mode 100644
index 15441f6019..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/rc4.h
+++ /dev/null
@@ -1,76 +0,0 @@
-/* crypto/rc4/rc4.h */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-/* $Id: rc4.h,v 1.2 1999/10/21 12:58:31 joda Exp $ */
-
-#ifndef HEADER_RC4_H
-#define HEADER_RC4_H
-
-typedef unsigned int RC4_INT;
-
-typedef struct rc4_key_st {
- RC4_INT x,y;
- RC4_INT data[256];
-} RC4_KEY;
-
-
-void RC4_set_key(RC4_KEY *key, int len, unsigned char *data);
-void RC4(RC4_KEY *key, unsigned long len, unsigned char *indata,
- unsigned char *outdata);
-
-#endif
diff --git a/crypto/heimdal-0.6.3/lib/des/rc4_enc.c b/crypto/heimdal-0.6.3/lib/des/rc4_enc.c
deleted file mode 100644
index 6b1686f569..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/rc4_enc.c
+++ /dev/null
@@ -1,133 +0,0 @@
-/* crypto/rc4/rc4_enc.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include "des_locl.h"
-#include "rc4.h"
-
-RCSID("$Id: rc4_enc.c,v 1.2 1999/10/21 12:58:43 joda Exp $");
-
-/* RC4 as implemented from a posting from
- * Newsgroups: sci.crypt
- * From: sterndark@netcom.com (David Sterndark)
- * Subject: RC4 Algorithm revealed.
- * Message-ID:
- * Date: Wed, 14 Sep 1994 06:35:31 GMT
- */
-
-void RC4(RC4_KEY *key, unsigned long len, unsigned char *indata,
- unsigned char *outdata)
- {
- register RC4_INT *d;
- register RC4_INT x,y,tx,ty;
- int i;
-
- x=key->x;
- y=key->y;
- d=key->data;
-
-#define LOOP(in,out) \
- x=((x+1)&0xff); \
- tx=d[x]; \
- y=(tx+y)&0xff; \
- d[x]=ty=d[y]; \
- d[y]=tx; \
- (out) = d[(tx+ty)&0xff]^ (in);
-
-#ifndef RC4_INDEX
-#define RC4_LOOP(a,b,i) LOOP(*((a)++),*((b)++))
-#else
-#define RC4_LOOP(a,b,i) LOOP(a[i],b[i])
-#endif
-
- i=(int)(len>>3L);
- if (i)
- {
- for (;;)
- {
- RC4_LOOP(indata,outdata,0);
- RC4_LOOP(indata,outdata,1);
- RC4_LOOP(indata,outdata,2);
- RC4_LOOP(indata,outdata,3);
- RC4_LOOP(indata,outdata,4);
- RC4_LOOP(indata,outdata,5);
- RC4_LOOP(indata,outdata,6);
- RC4_LOOP(indata,outdata,7);
-#ifdef RC4_INDEX
- indata+=8;
- outdata+=8;
-#endif
- if (--i == 0) break;
- }
- }
- i=(int)len&0x07;
- if (i)
- {
- for (;;)
- {
- RC4_LOOP(indata,outdata,0); if (--i == 0) break;
- RC4_LOOP(indata,outdata,1); if (--i == 0) break;
- RC4_LOOP(indata,outdata,2); if (--i == 0) break;
- RC4_LOOP(indata,outdata,3); if (--i == 0) break;
- RC4_LOOP(indata,outdata,4); if (--i == 0) break;
- RC4_LOOP(indata,outdata,5); if (--i == 0) break;
- RC4_LOOP(indata,outdata,6); if (--i == 0) break;
- }
- }
- key->x=x;
- key->y=y;
- }
diff --git a/crypto/heimdal-0.6.3/lib/des/rc4_skey.c b/crypto/heimdal-0.6.3/lib/des/rc4_skey.c
deleted file mode 100644
index f5bce4683f..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/rc4_skey.c
+++ /dev/null
@@ -1,101 +0,0 @@
-/* crypto/rc4/rc4_skey.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include "des_locl.h"
-#include "rc4.h"
-
-RCSID("$Id: rc4_skey.c,v 1.2 1999/10/21 12:58:52 joda Exp $");
-
-/* RC4 as implemented from a posting from
- * Newsgroups: sci.crypt
- * From: sterndark@netcom.com (David Sterndark)
- * Subject: RC4 Algorithm revealed.
- * Message-ID:
- * Date: Wed, 14 Sep 1994 06:35:31 GMT
- */
-
-void RC4_set_key(RC4_KEY *key, int len, register unsigned char *data)
- {
- register RC4_INT tmp;
- register int id1,id2;
- register RC4_INT *d;
- unsigned int i;
-
- d= &(key->data[0]);
- for (i=0; i<256; i++)
- d[i]=i;
- key->x = 0;
- key->y = 0;
- id1=id2=0;
-
-#define SK_LOOP(n) { \
- tmp=d[(n)]; \
- id2 = (data[id1] + tmp + id2) & 0xff; \
- if (++id1 == len) id1=0; \
- d[(n)]=d[id2]; \
- d[id2]=tmp; }
-
- for (i=0; i < 256; i+=4)
- {
- SK_LOOP(i+0);
- SK_LOOP(i+1);
- SK_LOOP(i+2);
- SK_LOOP(i+3);
- }
- }
-
diff --git a/crypto/heimdal-0.6.3/lib/des/rc4test.c b/crypto/heimdal-0.6.3/lib/des/rc4test.c
deleted file mode 100644
index 5abf8cff30..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/rc4test.c
+++ /dev/null
@@ -1,201 +0,0 @@ -/* crypto/rc4/rc4test.c */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. 
If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] 
- */ - -#include -#include -#include - -#ifdef NO_RC4 -int main(int argc, char *argv[]) -{ - printf("No RC4 support\n"); - return(0); -} -#else -#include - -unsigned char keys[7][30]={ - {8,0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef}, - {8,0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef}, - {8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {4,0xef,0x01,0x23,0x45}, - {8,0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef}, - {4,0xef,0x01,0x23,0x45}, - }; - -unsigned char data_len[7]={8,8,8,20,28,10}; -unsigned char data[7][30]={ - {0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,0xff}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0xff}, - {0x12,0x34,0x56,0x78,0x9A,0xBC,0xDE,0xF0, - 0x12,0x34,0x56,0x78,0x9A,0xBC,0xDE,0xF0, - 0x12,0x34,0x56,0x78,0x9A,0xBC,0xDE,0xF0, - 0x12,0x34,0x56,0x78,0xff}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff}, - {0}, - }; - -unsigned char output[7][30]={ - {0x75,0xb7,0x87,0x80,0x99,0xe0,0xc5,0x96,0x00}, - {0x74,0x94,0xc2,0xe7,0x10,0x4b,0x08,0x79,0x00}, - {0xde,0x18,0x89,0x41,0xa3,0x37,0x5d,0x3a,0x00}, - {0xd6,0xa1,0x41,0xa7,0xec,0x3c,0x38,0xdf, - 0xbd,0x61,0x5a,0x11,0x62,0xe1,0xc7,0xba, - 0x36,0xb6,0x78,0x58,0x00}, - {0x66,0xa0,0x94,0x9f,0x8a,0xf7,0xd6,0x89, - 0x1f,0x7f,0x83,0x2b,0xa8,0x33,0xc0,0x0c, - 0x89,0x2e,0xbe,0x30,0x14,0x3c,0xe2,0x87, - 0x40,0x01,0x1e,0xcf,0x00}, - {0xd6,0xa1,0x41,0xa7,0xec,0x3c,0x38,0xdf,0xbd,0x61,0x00}, - {0}, - }; - -int main(int argc, char *argv[]) - { - int i,err=0; - int j; - unsigned char *p; - RC4_KEY key; - unsigned char buf[512],obuf[512]; - - for (i=0; i<512; i++) buf[i]=0x01; - - for (i=0; i<6; i++) - { - RC4_set_key(&key,keys[i][0],&(keys[i][1])); - memset(obuf,0x00,sizeof(obuf)); - RC4(&key,data_len[i],&(data[i][0]),obuf); - if (memcmp(obuf,output[i],data_len[i]+1) != 0) - { - printf("error calculating RC4\n"); - printf("output:"); - for (j=0; j -#endif - -/* 
06-Apr-92 Luke Brennan Support for VMS */ -#include "des_locl.h" -#include -#include -#include -#include - -/* There are 5 types of terminal interface supported, - * TERMIO, TERMIOS, VMS, MSDOS and SGTTY - */ - -#if defined(__sgi) && !defined(TERMIOS) -#define TERMIOS -#undef TERMIO -#undef SGTTY -#endif - -#if defined(linux) && !defined(TERMIO) -#undef TERMIOS -#define TERMIO -#undef SGTTY -#endif - -#ifdef _LIBC -#define TERMIO -#endif - -#if !defined(TERMIO) && !defined(TERMIOS) && !defined(VMS) && !defined(MSDOS) -#define SGTTY -#endif - -#if defined(HAVE_SGTTY_H) && defined(__NeXT__) -#define SGTTY -#endif - -#ifdef TERMIOS -#include -#define TTY_STRUCT struct termios -#define TTY_FLAGS c_lflag -#define TTY_get(tty,data) tcgetattr(tty,data) -#define TTY_set(tty,data) tcsetattr(tty,TCSANOW,data) -#endif - -#ifdef TERMIO -#include -#define TTY_STRUCT struct termio -#define TTY_FLAGS c_lflag -#define TTY_get(tty,data) ioctl(tty,TCGETA,data) -#define TTY_set(tty,data) ioctl(tty,TCSETA,data) -#endif - -#ifdef SGTTY -#include -#define TTY_STRUCT struct sgttyb -#define TTY_FLAGS sg_flags -#define TTY_get(tty,data) ioctl(tty,TIOCGETP,data) -#define TTY_set(tty,data) ioctl(tty,TIOCSETP,data) -#endif - -#if !defined(_LIBC) && !defined(MSDOS) && !defined(VMS) -#include -#endif - -#ifdef MSDOS -#include -#define fgets(a,b,c) noecho_fgets(a,b,c) -#endif - -#ifdef VMS -#include -#include -#include -#include -struct IOSB { - short iosb$w_value; - short iosb$w_count; - long iosb$l_info; - }; -#endif - -#ifndef NX509_SIG -#define NX509_SIG 32 -#endif - -#ifndef NOPROTO -static void read_till_nl(FILE *); -static int read_pw(char *buf, char *buff, int size, char *prompt, int verify); -static void recsig(int); -static void pushsig(void); -static void popsig(void); -#if defined(MSDOS) && !defined(WIN16) -static int noecho_fgets(char *buf, int size, FILE *tty); -#endif -#else -static void read_till_nl(); -static int read_pw(); -static void recsig(); -static void pushsig(); -static 
void popsig(); -#if defined(MSDOS) && !defined(WIN16) -static int noecho_fgets(); -#endif -#endif - -#ifndef NOPROTO -static void (*savsig[NX509_SIG])(int ); -#else -static void (*savsig[NX509_SIG])(); -#endif -static jmp_buf save; - -int des_read_password(key, prompt, verify) -des_cblock (*key); -char *prompt; -int verify; - { - int ok; - char buf[BUFSIZ],buff[BUFSIZ]; - - if ((ok=read_pw(buf,buff,BUFSIZ,prompt,verify)) == 0) - des_string_to_key(buf,key); - memset(buf,0,BUFSIZ); - memset(buff,0,BUFSIZ); - return(ok); - } - -int des_read_2passwords(key1, key2, prompt, verify) -des_cblock (*key1); -des_cblock (*key2); -char *prompt; -int verify; - { - int ok; - char buf[BUFSIZ],buff[BUFSIZ]; - - if ((ok=read_pw(buf,buff,BUFSIZ,prompt,verify)) == 0) - des_string_to_2keys(buf,key1,key2); - memset(buf,0,BUFSIZ); - memset(buff,0,BUFSIZ); - return(ok); - } - -int des_read_pw_string(buf, length, prompt, verify) -char *buf; -int length; -char *prompt; -int verify; - { - char buff[BUFSIZ]; - int ret; - - ret=read_pw(buf,buff,(length>BUFSIZ)?BUFSIZ:length,prompt,verify); - memset(buff,0,BUFSIZ); - return(ret); - } - -#ifndef WIN16 - -static void read_till_nl(in) -FILE *in; - { -#define SIZE 4 - char buf[SIZE+1]; - - do { - fgets(buf,SIZE,in); - } while (strchr(buf,'\n') == NULL); - } - - -/* return 0 if ok, 1 (or -1) otherwise */ -static int read_pw(buf, buff, size, prompt, verify) -char *buf; -char *buff; -int size; -char *prompt; -int verify; - { -#ifdef VMS - struct IOSB iosb; - $DESCRIPTOR(terminal,"TT"); - long tty_orig[3], tty_new[3]; - long status; - unsigned short channel = 0; -#else -#ifndef MSDOS - TTY_STRUCT tty_orig,tty_new; -#endif -#endif - int number=5; - int ok=0; - int ps=0; - int is_a_tty=1; - - FILE *tty=NULL; - char *p; - -#ifdef __CYGWIN32__ - tty = stdin; -#elif !defined(MSDOS) - if ((tty=fopen("/dev/tty","r")) == NULL) - tty=stdin; -#else /* MSDOS */ - if ((tty=fopen("con","r")) == NULL) - tty=stdin; -#endif /* MSDOS */ - -#if defined(TTY_get) && 
!defined(VMS) - if (TTY_get(fileno(tty),&tty_orig) == -1) - { -#ifdef ENOTTY - if (errno == ENOTTY) - is_a_tty=0; - else -#endif - return(-1); - } - memcpy(&(tty_new),&(tty_orig),sizeof(tty_orig)); -#endif -#ifdef VMS - status = SYS$ASSIGN(&terminal,&channel,0,0); - if (status != SS$_NORMAL) - return(-1); - status=SYS$QIOW(0,channel,IO$_SENSEMODE,&iosb,0,0,tty_orig,12,0,0,0,0); - if ((status != SS$_NORMAL) || (iosb.iosb$w_value != SS$_NORMAL)) - return(-1); -#endif - - if (setjmp(save)) - { - ok=0; - goto error; - } - pushsig(); - ps=1; - -#ifdef TTY_FLAGS - tty_new.TTY_FLAGS &= ~ECHO; -#endif - -#if defined(TTY_set) && !defined(VMS) - if (is_a_tty && (TTY_set(fileno(tty),&tty_new) == -1)) - return(-1); -#endif -#ifdef VMS - tty_new[0] = tty_orig[0]; - tty_new[1] = tty_orig[1] | TT$M_NOECHO; - tty_new[2] = tty_orig[2]; - status = SYS$QIOW(0,channel,IO$_SETMODE,&iosb,0,0,tty_new,12,0,0,0,0); - if ((status != SS$_NORMAL) || (iosb.iosb$w_value != SS$_NORMAL)) - return(-1); -#endif - ps=2; - - while ((!ok) && (number--)) - { - fputs(prompt,stderr); - fflush(stderr); - - buf[0]='\0'; - fgets(buf,size,tty); - if (feof(tty)) goto error; - if (ferror(tty)) goto error; - if ((p=(char *)strchr(buf,'\n')) != NULL) - *p='\0'; - else read_till_nl(tty); - if (verify) - { - fprintf(stderr,"\nVerifying password - %s",prompt); - fflush(stderr); - buff[0]='\0'; - fgets(buff,size,tty); - if (feof(tty)) goto error; - if ((p=(char *)strchr(buff,'\n')) != NULL) - *p='\0'; - else read_till_nl(tty); - - if (strcmp(buf,buff) != 0) - { - fprintf(stderr,"\nVerify failure"); - fflush(stderr); - break; - /* continue; */ - } - } - ok=1; - } - -error: - fprintf(stderr,"\n"); -#ifdef DEBUG - perror("fgets(tty)"); -#endif - /* What can we do if there is an error? 
*/ -#if defined(TTY_set) && !defined(VMS) - if (ps >= 2) TTY_set(fileno(tty),&tty_orig); -#endif -#ifdef VMS - if (ps >= 2) - status = SYS$QIOW(0,channel,IO$_SETMODE,&iosb,0,0 - ,tty_orig,12,0,0,0,0); -#endif - - if (ps >= 1) popsig(); - if (stdin != tty) fclose(tty); -#ifdef VMS - status = SYS$DASSGN(channel); -#endif - return(!ok); - } - -#else /* WIN16 */ - -static int read_pw(buf, buff, size, prompt, verify) -char *buf; -char *buff; -int size; -char *prompt; -int verify; - { - memset(buf,0,size); - memset(buff,0,size); - return(0); - } - -#endif - -static void pushsig() - { - int i; - - for (i=1; i -#include -#ifdef KRB5 -#include -#elif defined(KRB4) -#include -#endif - -#include - -#ifdef TIME_WITH_SYS_TIME -#include -#include -#elif defined(HAVE_SYS_TIME_H) -#include -#else -#include -#endif - -#ifdef HAVE_SYS_TYPES_H -#include -#endif - -#ifdef HAVE_UNISTD_H -#include -#endif -#ifdef HAVE_IO_H -#include -#endif - -#ifdef HAVE_SIGNAL_H -#include -#endif -#ifdef HAVE_FCNTL_H -#include -#endif - -/* - * Generate "random" data by checksumming a file. - * - * Returns -1 if there were any problems with permissions or I/O - * errors. 
- */ -static -int -sumFile (const char *name, int len, void *res) -{ - u_int32_t sum[2]; - u_int32_t buf[1024*2]; - int fd, i; - - fd = open (name, 0); - if (fd < 0) - return -1; - - while (len > 0) - { - int n = read(fd, buf, sizeof(buf)); - if (n < 0) - { - close(fd); - return n; - } - for (i = 0; i < (n/sizeof(buf[0])); i++) - { - sum[0] += buf[i]; - i++; - sum[1] += buf[i]; - } - len -= n; - } - close (fd); - memcpy (res, &sum, sizeof(sum)); - return 0; -} - -#if 0 -static -int -md5sumFile (const char *name, int len, int32_t sum[4]) -{ - int32_t buf[1024*2]; - int fd, cnt; - struct md5 md5; - - fd = open (name, 0); - if (fd < 0) - return -1; - - md5_init(&md5); - while (len > 0) - { - int n = read(fd, buf, sizeof(buf)); - if (n < 0) - { - close(fd); - return n; - } - md5_update(&md5, buf, n); - len -= n; - } - md5_finito(&md5, (unsigned char *)sum); - close (fd); - return 0; -} -#endif - -/* - * Create a sequence of random 64 bit blocks. - * The sequence is indexed with a long long and - * based on an initial des key used as a seed. - */ -static des_key_schedule sequence_seed; -static u_int32_t sequence_index[2]; - -/* - * Random number generator based on ideas from truerand in cryptolib - * as described on page 424 in Applied Cryptography 2 ed. by Bruce - * Schneier. 
- */ - -static volatile int counter; -static volatile unsigned char *gdata; /* Global data */ -static volatile int igdata; /* Index into global data */ -static int gsize; - -#if !defined(WIN32) && !defined(__EMX__) && !defined(__OS2__) && !defined(__CYGWIN32__) -/* Visual C++ 4.0 (Windows95/NT) */ - -static -RETSIGTYPE -sigALRM(int sig) -{ - if (igdata < gsize) - gdata[igdata++] ^= counter & 0xff; - -#ifndef HAVE_SIGACTION - signal(SIGALRM, sigALRM); /* Reinstall SysV signal handler */ -#endif - SIGRETURN(0); -} - -#endif - -#if !defined(HAVE_RANDOM) && defined(HAVE_RAND) -#ifndef srandom -#define srandom srand -#endif -#ifndef random -#define random rand -#endif -#endif - -#ifndef HAVE_SETITIMER -static void -des_not_rand_data(unsigned char *data, int size) -{ - int i; - - srandom (time (NULL)); - - for(i = 0; i < size; ++i) - data[i] ^= random() % 0x100; -} -#endif - -#if !defined(WIN32) && !defined(__EMX__) && !defined(__OS2__) && !defined(__CYGWIN32__) - -#ifndef HAVE_SETITIMER -static void -pacemaker(struct timeval *tv) -{ - fd_set fds; - pid_t pid; - pid = getppid(); - while(1){ - FD_ZERO(&fds); - FD_SET(0, &fds); - select(1, &fds, NULL, NULL, tv); - kill(pid, SIGALRM); - } -} -#endif - -#ifdef HAVE_SIGACTION -/* XXX ugly hack, should perhaps use function from roken */ -static RETSIGTYPE -(*fake_signal(int sig, RETSIGTYPE (*f)(int)))(int) -{ - struct sigaction sa, osa; - sa.sa_handler = f; - sa.sa_flags = 0; - sigemptyset(&sa.sa_mask); - sigaction(sig, &sa, &osa); - return osa.sa_handler; -} -#define signal(S, F) fake_signal((S), (F)) -#endif - -/* - * Generate size bytes of "random" data using timed interrupts. - * It takes about 40ms/byte random data. - * It's not neccessary to be root to run it. 
- */ -void -des_rand_data(unsigned char *data, int size) -{ - struct itimerval tv, otv; - RETSIGTYPE (*osa)(int); - int i, j; -#ifndef HAVE_SETITIMER - RETSIGTYPE (*ochld)(int); - pid_t pid; -#endif - char *rnd_devices[] = {"/dev/random", - "/dev/srandom", - "/dev/urandom", - NULL}; - char **p; - - for(p = rnd_devices; *p; p++) { - int fd = open(*p, O_RDONLY | O_NDELAY); - - if(fd >= 0 && read(fd, data, size) == size) { - close(fd); - return; - } - close(fd); - } - - /* Paranoia? Initialize data from /dev/mem if we can read it. */ - if (size >= 8) - sumFile("/dev/mem", (1024*1024*2), data); - - gdata = data; - gsize = size; - igdata = 0; - - osa = signal(SIGALRM, sigALRM); - - /* Start timer */ - tv.it_value.tv_sec = 0; - tv.it_value.tv_usec = 10 * 1000; /* 10 ms */ - tv.it_interval = tv.it_value; -#ifdef HAVE_SETITIMER - setitimer(ITIMER_REAL, &tv, &otv); -#else - ochld = signal(SIGCHLD, SIG_IGN); - pid = fork(); - if(pid == -1){ - signal(SIGCHLD, ochld != SIG_ERR ? ochld : SIG_DFL); - des_not_rand_data(data, size); - return; - } - if(pid == 0) - pacemaker(&tv.it_interval); -#endif - - for(i = 0; i < 4; i++) { - for (igdata = 0; igdata < size;) /* igdata++ in sigALRM */ - counter++; - for (j = 0; j < size; j++) /* Only use 2 bits each lap */ - gdata[j] = (gdata[j]>>2) | (gdata[j]<<6); - } -#ifdef HAVE_SETITIMER - setitimer(ITIMER_REAL, &otv, 0); -#else - kill(pid, SIGKILL); - while(waitpid(pid, NULL, 0) != pid); - signal(SIGCHLD, ochld != SIG_ERR ? ochld : SIG_DFL); -#endif - signal(SIGALRM, osa != SIG_ERR ? osa : SIG_DFL); -} -#else -void -des_rand_data(unsigned char *p, int s) -{ - des_not_rand_data (p, s); -} -#endif - -void -des_generate_random_block(des_cblock *block) -{ - des_rand_data((unsigned char *)block, sizeof(*block)); -} - -/* - * Generate a "random" DES key. 
- */ -void -des_rand_data_key(des_cblock *key) -{ - unsigned char data[8]; - des_key_schedule sched; - do { - des_rand_data(data, sizeof(data)); - des_rand_data((unsigned char*)key, sizeof(des_cblock)); - des_set_odd_parity(key); - des_key_sched(key, sched); - des_ecb_encrypt(&data, key, sched, DES_ENCRYPT); - memset(&data, 0, sizeof(data)); - memset(&sched, 0, sizeof(sched)); - des_set_odd_parity(key); - } while(des_is_weak_key(key)); -} - -/* - * Generate "random" data by checksumming /dev/mem - * - * It's neccessary to be root to run it. Returns -1 if there were any - * problems with permissions. - */ -int -des_mem_rand8(unsigned char *data) -{ - return 1; -} - -/* - * In case the generator does not get initialized use this as fallback. - */ -static int initialized; - -static void -do_initialize(void) -{ - des_cblock default_seed; - do { - des_generate_random_block(&default_seed); - des_set_odd_parity(&default_seed); - } while (des_is_weak_key(&default_seed)); - des_init_random_number_generator(&default_seed); -} - -#define zero_long_long(ll) do { ll[0] = ll[1] = 0; } while (0) - -#define incr_long_long(ll) do { if (++ll[0] == 0) ++ll[1]; } while (0) - -#define set_sequence_number(ll) \ -memcpy((char *)sequence_index, (ll), sizeof(sequence_index)); - -/* - * Set the sequnce number to this value (a long long). - */ -void -des_set_sequence_number(unsigned char *ll) -{ - set_sequence_number(ll); -} - -/* - * Set the generator seed and reset the sequence number to 0. - */ -void -des_set_random_generator_seed(des_cblock *seed) -{ - des_key_sched(seed, sequence_seed); - zero_long_long(sequence_index); - initialized = 1; -} - -/* - * Generate a sequence of random des keys - * using the random block sequence, fixup - * parity and skip weak keys. 
- */ -int -des_new_random_key(des_cblock *key) -{ - if (!initialized) - do_initialize(); - - do { - des_ecb_encrypt((des_cblock *) sequence_index, - key, - sequence_seed, - DES_ENCRYPT); - incr_long_long(sequence_index); - /* random key must have odd parity and not be weak */ - des_set_odd_parity(key); - } while (des_is_weak_key(key)); - return(0); -} - -/* - * des_init_random_number_generator: - * - * Initialize the sequence of random 64 bit blocks. The input seed - * can be a secret key since it should be well hidden and is also not - * kept. - * - */ -void -des_init_random_number_generator(des_cblock *seed) -{ - struct timeval now; - des_cblock uniq; - des_cblock new_key; - - gettimeofday(&now, (struct timezone *)0); - des_generate_random_block(&uniq); - - /* Pick a unique random key from the shared sequence. */ - des_set_random_generator_seed(seed); - set_sequence_number((unsigned char *)&uniq); - des_new_random_key(&new_key); - - /* Select a new nonshared sequence, */ - des_set_random_generator_seed(&new_key); - - /* and use the current time to pick a key for the new sequence. */ - set_sequence_number((unsigned char *)&now); - des_new_random_key(&new_key); - des_set_random_generator_seed(&new_key); -} - -/* This is for backwards compatibility. */ -void -des_random_key(des_cblock ret) -{ - des_new_random_key((des_cblock *)ret); -} - -#ifdef TESTRUN -int -main() -{ - unsigned char data[8]; - int i; - - while (1) - { - if (sumFile("/dev/mem", (1024*1024*8), data) != 0) - { perror("sumFile"); exit(1); } - for (i = 0; i < 8; i++) - printf("%02x", data[i]); - printf("\n"); - } -} -#endif - -#ifdef TESTRUN2 -int -main() -{ - des_cblock data; - int i; - - while (1) - { - do_initialize(); - des_random_key(data); - for (i = 0; i < 8; i++) - printf("%02x", data[i]); - printf("\n"); - } -} -#endif diff --git a/crypto/heimdal-0.6.3/lib/des/rpc_des.h b/crypto/heimdal-0.6.3/lib/des/rpc_des.h deleted file mode 100644 index 683b397f6a..0000000000 
--- a/crypto/heimdal-0.6.3/lib/des/rpc_des.h
+++ /dev/null
@@ -1,131 +0,0 @@
-/* crypto/des/rpc_des.h */
-/* Copyright (C) 1995-1997 Eric Young (eay@mincom.oz.au)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@mincom.oz.au).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@mincom.oz.au).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@mincom.oz.au)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@mincom.oz.au)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-/* @(#)des.h 2.2 88/08/10 4.0 RPCSRC; from 2.7 88/02/08 SMI */
-/*
- * Sun RPC is a product of Sun Microsystems, Inc. and is provided for
- * unrestricted use provided that this legend is included on all tape
- * media and as a part of the software program in whole or part. Users
- * may copy or modify Sun RPC without charge, but are not authorized
- * to license or distribute it to anyone else except as part of a product or
- * program developed by the user.
- *
- * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE
- * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE.
- *
- * Sun RPC is provided with no support and without any obligation on the
- * part of Sun Microsystems, Inc. to assist in its use, correction,
- * modification or enhancement.
- *
- * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE
- * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC
- * OR ANY PART THEREOF.
- *
- * In no event will Sun Microsystems, Inc. be liable for any lost revenue
- * or profits or other special, indirect and consequential damages, even if
- * Sun has been advised of the possibility of such damages.
- *
- * Sun Microsystems, Inc.
- * 2550 Garcia Avenue
- * Mountain View, California 94043
- */
-/*
- * Generic DES driver interface
- * Keep this file hardware independent!
- * Copyright (c) 1986 by Sun Microsystems, Inc.
- */
-
-#define DES_MAXLEN 65536 /* maximum # of bytes to encrypt */
-#define DES_QUICKLEN 16 /* maximum # of bytes to encrypt quickly */
-
-#ifdef HEADER_DES_H
-#undef ENCRYPT
-#undef DECRYPT
-#endif
-
-enum desdir { ENCRYPT, DECRYPT };
-enum desmode { CBC, ECB };
-
-/*
- * parameters to ioctl call
- */
-struct desparams {
- unsigned char des_key[8]; /* key (with low bit parity) */
- enum desdir des_dir; /* direction */
- enum desmode des_mode; /* mode */
- unsigned char des_ivec[8]; /* input vector */
- unsigned des_len; /* number of bytes to crypt */
- union {
- unsigned char UDES_data[DES_QUICKLEN];
- unsigned char *UDES_buf;
- } UDES;
-# define des_data UDES.UDES_data /* direct data here if quick */
-# define des_buf UDES.UDES_buf /* otherwise, pointer to data */
-};
-
-/*
- * Encrypt an arbitrary sized buffer
- */
-#define DESIOCBLOCK _IOWR(d, 6, struct desparams)
-
-/*
- * Encrypt of small amount of data, quickly
- */
-#define DESIOCQUICK _IOWR(d, 7, struct desparams)
-
diff --git a/crypto/heimdal-0.6.3/lib/des/rpc_enc.c b/crypto/heimdal-0.6.3/lib/des/rpc_enc.c
deleted file mode 100644
index 7a0fcf2a58..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/rpc_enc.c
+++ /dev/null
@@ -1,107 +0,0 @@
-/* crypto/des/rpc_enc.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@mincom.oz.au)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@mincom.oz.au).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@mincom.oz.au).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@mincom.oz.au)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@mincom.oz.au)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include "rpc_des.h"
-#include "des_locl.h"
-#include "des_ver.h"
-
-#ifndef NOPROTO
-int _des_crypt(char *buf,int len,struct desparams *desp);
-#else
-int _des_crypt();
-#endif
-
-int _des_crypt(buf, len, desp)
-char *buf;
-int len;
-struct desparams *desp;
- {
- des_key_schedule ks;
- int enc;
-
- des_set_key((des_cblock *)desp->des_key,ks);
- enc=(desp->des_dir == ENCRYPT)?DES_ENCRYPT:DES_DECRYPT;
-
- if (desp->des_mode == CBC)
- des_ecb_encrypt((des_cblock *)desp->UDES.UDES_buf,
- (des_cblock *)desp->UDES.UDES_buf,ks,enc);
- else
- {
- des_ncbc_encrypt((des_cblock *)desp->UDES.UDES_buf,
- (des_cblock *)desp->UDES.UDES_buf,
- (long)len,ks,
- (des_cblock *)desp->des_ivec,enc);
-#ifdef undef
- /* len will always be %8 if called from common_crypt
- * in secure_rpc.
- * Libdes's cbc encrypt does not copy back the iv,
- * so we have to do it here. */
- /* It does now :-) eay 20/09/95 */
-
- a=(char *)&(desp->UDES.UDES_buf[len-8]);
- b=(char *)&(desp->des_ivec[0]);
-
- *(a++)= *(b++); *(a++)= *(b++);
- *(a++)= *(b++); *(a++)= *(b++);
- *(a++)= *(b++); *(a++)= *(b++);
- *(a++)= *(b++); *(a++)= *(b++);
-#endif
- }
- return(1);
- }
-
diff --git a/crypto/heimdal-0.6.3/lib/des/rpw.c b/crypto/heimdal-0.6.3/lib/des/rpw.c
deleted file mode 100644
index 7d29ec9ab8..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/rpw.c
+++ /dev/null
@@ -1,105 +0,0 @@
-/* crypto/des/rpw.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@mincom.oz.au)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@mincom.oz.au).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@mincom.oz.au).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@mincom.oz.au)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@mincom.oz.au)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-#endif
-#include
-#include
-#include "des.h"
-
-int main(argc,argv)
-int argc;
-char *argv[];
- {
- des_cblock k,k1;
- int i;
-
- printf("read passwd\n");
- if ((i=des_read_password((C_Block *)k,"Enter password:",0)) == 0)
- {
- printf("password = ");
- for (i=0; i<8; i++)
- printf("%02x ",k[i]);
- }
- else
- printf("error %d\n",i);
- printf("\n");
- printf("read 2passwds and verify\n");
- if ((i=des_read_2passwords((C_Block *)k,(C_Block *)k1,
- "Enter verified password:",1)) == 0)
- {
- printf("password1 = ");
- for (i=0; i<8; i++)
- printf("%02x ",k[i]);
- printf("\n");
- printf("password2 = ");
- for (i=0; i<8; i++)
- printf("%02x ",k1[i]);
- printf("\n");
- exit(1);
- }
- else
- {
- printf("error %d\n",i);
- exit(0);
- }
-#ifdef LINT
- return(0);
-#endif
- }
diff --git a/crypto/heimdal-0.6.3/lib/des/set_key.c b/crypto/heimdal-0.6.3/lib/des/set_key.c
deleted file mode 100644
index a6f307efe2..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/set_key.c
+++ /dev/null
@@ -1,249 +0,0 @@ -/* crypto/des/set_key.c */ -/* Copyright (C) 1995-1997 Eric Young (eay@mincom.oz.au) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@mincom.oz.au). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@mincom.oz.au). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@mincom.oz.au)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. 
If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@mincom.oz.au)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -/* set_key.c v 1.4 eay 24/9/91 - * 1.4 Speed up by 400% :-) - * 1.3 added register declarations. 
- * 1.2 unrolled make_key_sched a bit more - * 1.1 added norm_expand_bits - * 1.0 First working version - */ -#include "des_locl.h" -#include "podd.h" -#include "sk.h" - -#ifndef NOPROTO -static int check_parity(des_cblock (*key)); -#else -static int check_parity(); -#endif - -int des_check_key=0; - -void des_set_odd_parity(key) -des_cblock (*key); - { - int i; - - for (i=0; i>(n))^(b))&(m)),\ - * (b)^=(t),\ - * (a)=((a)^((t)<<(n)))) - */ - -#define HPERM_OP(a,t,n,m) ((t)=((((a)<<(16-(n)))^(a))&(m)),\ - (a)=(a)^(t)^(t>>(16-(n)))) - -/* return 0 if key parity is odd (correct), - * return -1 if key parity error, - * return -2 if illegal weak key. - */ -int des_set_key(key, schedule) -des_cblock (*key); -des_key_schedule schedule; - { - static int shifts2[16]={0,0,1,1,1,1,1,1,0,1,1,1,1,1,1,0}; - register DES_LONG c,d,t,s,t2; - register unsigned char *in; - register DES_LONG *k; - register int i; - - if (des_check_key) - { - if (!check_parity(key)) - return(-1); - - if (des_is_weak_key(key)) - return(-2); - } - - k=(DES_LONG *)schedule; - in=(unsigned char *)key; - - c2l(in,c); - c2l(in,d); - - /* do PC1 in 60 simple operations */ -/* PERM_OP(d,c,t,4,0x0f0f0f0fL); - HPERM_OP(c,t,-2, 0xcccc0000L); - HPERM_OP(c,t,-1, 0xaaaa0000L); - HPERM_OP(c,t, 8, 0x00ff0000L); - HPERM_OP(c,t,-1, 0xaaaa0000L); - HPERM_OP(d,t,-8, 0xff000000L); - HPERM_OP(d,t, 8, 0x00ff0000L); - HPERM_OP(d,t, 2, 0x33330000L); - d=((d&0x00aa00aaL)<<7L)|((d&0x55005500L)>>7L)|(d&0xaa55aa55L); - d=(d>>8)|((c&0xf0000000L)>>4); - c&=0x0fffffffL; */ - - /* I now do it in 47 simple operations :-) - * Thanks to John Fletcher (john_fletcher@lccmail.ocf.llnl.gov) - * for the inspiration. 
:-) */ - PERM_OP (d,c,t,4,0x0f0f0f0fL); - HPERM_OP(c,t,-2,0xcccc0000L); - HPERM_OP(d,t,-2,0xcccc0000L); - PERM_OP (d,c,t,1,0x55555555L); - PERM_OP (c,d,t,8,0x00ff00ffL); - PERM_OP (d,c,t,1,0x55555555L); - d= (((d&0x000000ffL)<<16L)| (d&0x0000ff00L) | - ((d&0x00ff0000L)>>16L)|((c&0xf0000000L)>>4L)); - c&=0x0fffffffL; - - for (i=0; i>2L)|(c<<26L)); d=((d>>2L)|(d<<26L)); } - else - { c=((c>>1L)|(c<<27L)); d=((d>>1L)|(d<<27L)); } - c&=0x0fffffffL; - d&=0x0fffffffL; - /* could be a few less shifts but I am to lazy at this - * point in time to investigate */ - s= des_skb[0][ (c )&0x3f ]| - des_skb[1][((c>> 6)&0x03)|((c>> 7L)&0x3c)]| - des_skb[2][((c>>13)&0x0f)|((c>>14L)&0x30)]| - des_skb[3][((c>>20)&0x01)|((c>>21L)&0x06) | - ((c>>22L)&0x38)]; - t= des_skb[4][ (d )&0x3f ]| - des_skb[5][((d>> 7L)&0x03)|((d>> 8L)&0x3c)]| - des_skb[6][ (d>>15L)&0x3f ]| - des_skb[7][((d>>21L)&0x0f)|((d>>22L)&0x30)]; - - /* table contained 0213 4657 */ - t2=((t<<16L)|(s&0x0000ffffL))&0xffffffffL; - *(k++)=ROTATE(t2,30)&0xffffffffL; - - t2=((s>>16L)|(t&0xffff0000L)); - *(k++)=ROTATE(t2,26)&0xffffffffL; - } - return(0); - } - -int des_key_sched(key, schedule) -des_cblock (*key); -des_key_schedule schedule; - { - return(des_set_key(key,schedule)); - } diff --git a/crypto/heimdal-0.6.3/lib/des/sha.c b/crypto/heimdal-0.6.3/lib/des/sha.c deleted file mode 100644 index 8bf653dfb1..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/sha.c +++ /dev/null 
@@ -1,300 +0,0 @@ -/* - * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#ifdef HAVE_CONFIG_H -#include "config.h" - -RCSID("$Id: sha.c,v 1.16 2001/01/29 04:33:44 assar Exp $"); -#endif - -#include "sha.h" -#include "hash.h" - -#define A m->counter[0] -#define B m->counter[1] -#define C m->counter[2] -#define D m->counter[3] -#define E m->counter[4] -#define X data - -void -SHA1_Init (struct sha *m) -{ - m->sz[0] = 0; - m->sz[1] = 0; - A = 0x67452301; - B = 0xefcdab89; - C = 0x98badcfe; - D = 0x10325476; - E = 0xc3d2e1f0; -} - - -#define F0(x,y,z) CRAYFIX((x & y) | (~x & z)) -#define F1(x,y,z) (x ^ y ^ z) -#define F2(x,y,z) ((x & y) | (x & z) | (y & z)) -#define F3(x,y,z) F1(x,y,z) - -#define K0 0x5a827999 -#define K1 0x6ed9eba1 -#define K2 0x8f1bbcdc -#define K3 0xca62c1d6 - -#define DO(t,f,k) \ -do { \ - u_int32_t temp; \ - \ - temp = cshift(AA, 5) + f(BB,CC,DD) + EE + data[t] + k; \ - EE = DD; \ - DD = CC; \ - CC = cshift(BB, 30); \ - BB = AA; \ - AA = temp; \ -} while(0) - -static inline void -calc (struct sha *m, u_int32_t *in) -{ - u_int32_t AA, BB, CC, DD, EE; - u_int32_t data[80]; - int i; - - AA = A; - BB = B; - CC = C; - DD = D; - EE = E; - - for (i = 0; i < 16; ++i) - data[i] = in[i]; - for (i = 16; i < 80; ++i) - data[i] = cshift(data[i-3] ^ data[i-8] ^ data[i-14] ^ data[i-16], 1); - - /* t=[0,19] */ - - DO(0,F0,K0); - DO(1,F0,K0); - DO(2,F0,K0); - DO(3,F0,K0); - DO(4,F0,K0); - DO(5,F0,K0); - DO(6,F0,K0); - DO(7,F0,K0); - DO(8,F0,K0); - DO(9,F0,K0); - DO(10,F0,K0); - DO(11,F0,K0); - DO(12,F0,K0); - DO(13,F0,K0); - DO(14,F0,K0); - DO(15,F0,K0); - DO(16,F0,K0); - DO(17,F0,K0); - DO(18,F0,K0); - DO(19,F0,K0); - - /* t=[20,39] */ - - DO(20,F1,K1); - DO(21,F1,K1); - DO(22,F1,K1); - DO(23,F1,K1); - DO(24,F1,K1); - DO(25,F1,K1); - DO(26,F1,K1); - DO(27,F1,K1); - DO(28,F1,K1); - DO(29,F1,K1); - DO(30,F1,K1); - DO(31,F1,K1); - DO(32,F1,K1); - DO(33,F1,K1); - DO(34,F1,K1); - DO(35,F1,K1); - DO(36,F1,K1); - DO(37,F1,K1); - DO(38,F1,K1); - DO(39,F1,K1); - - /* t=[40,59] */ - - DO(40,F2,K2); - DO(41,F2,K2); - DO(42,F2,K2); - 
DO(43,F2,K2); - DO(44,F2,K2); - DO(45,F2,K2); - DO(46,F2,K2); - DO(47,F2,K2); - DO(48,F2,K2); - DO(49,F2,K2); - DO(50,F2,K2); - DO(51,F2,K2); - DO(52,F2,K2); - DO(53,F2,K2); - DO(54,F2,K2); - DO(55,F2,K2); - DO(56,F2,K2); - DO(57,F2,K2); - DO(58,F2,K2); - DO(59,F2,K2); - - /* t=[60,79] */ - - DO(60,F3,K3); - DO(61,F3,K3); - DO(62,F3,K3); - DO(63,F3,K3); - DO(64,F3,K3); - DO(65,F3,K3); - DO(66,F3,K3); - DO(67,F3,K3); - DO(68,F3,K3); - DO(69,F3,K3); - DO(70,F3,K3); - DO(71,F3,K3); - DO(72,F3,K3); - DO(73,F3,K3); - DO(74,F3,K3); - DO(75,F3,K3); - DO(76,F3,K3); - DO(77,F3,K3); - DO(78,F3,K3); - DO(79,F3,K3); - - A += AA; - B += BB; - C += CC; - D += DD; - E += EE; -} - -/* - * From `Performance analysis of MD5' by Joseph D. Touch - */ - -#if !defined(WORDS_BIGENDIAN) || defined(_CRAY) -static inline u_int32_t -swap_u_int32_t (u_int32_t t) -{ -#define ROL(x,n) ((x)<<(n))|((x)>>(32-(n))) - u_int32_t temp1, temp2; - - temp1 = cshift(t, 16); - temp2 = temp1 >> 8; - temp1 &= 0x00ff00ff; - temp2 &= 0x00ff00ff; - temp1 <<= 8; - return temp1 | temp2; -} -#endif - -struct x32{ - unsigned int a:32; - unsigned int b:32; -}; - -void -SHA1_Update (struct sha *m, const void *v, size_t len) -{ - const unsigned char *p = v; - size_t old_sz = m->sz[0]; - size_t offset; - - m->sz[0] += len * 8; - if (m->sz[0] < old_sz) - ++m->sz[1]; - offset = (old_sz / 8) % 64; - while(len > 0){ - size_t l = min(len, 64 - offset); - memcpy(m->save + offset, p, l); - offset += l; - p += l; - len -= l; - if(offset == 64){ -#if !defined(WORDS_BIGENDIAN) || defined(_CRAY) - int i; - u_int32_t current[16]; - struct x32 *u = (struct x32*)m->save; - for(i = 0; i < 8; i++){ - current[2*i+0] = swap_u_int32_t(u[i].a); - current[2*i+1] = swap_u_int32_t(u[i].b); - } - calc(m, current); -#else - calc(m, (u_int32_t*)m->save); -#endif - offset = 0; - } - } -} - -void -SHA1_Final (void *res, struct sha *m) -{ - static unsigned char zeros[72]; - unsigned offset = (m->sz[0] / 8) % 64; - unsigned int dstart = (120 - 
offset - 1) % 64 + 1; - - *zeros = 0x80; - memset (zeros + 1, 0, sizeof(zeros) - 1); - zeros[dstart+7] = (m->sz[0] >> 0) & 0xff; - zeros[dstart+6] = (m->sz[0] >> 8) & 0xff; - zeros[dstart+5] = (m->sz[0] >> 16) & 0xff; - zeros[dstart+4] = (m->sz[0] >> 24) & 0xff; - zeros[dstart+3] = (m->sz[1] >> 0) & 0xff; - zeros[dstart+2] = (m->sz[1] >> 8) & 0xff; - zeros[dstart+1] = (m->sz[1] >> 16) & 0xff; - zeros[dstart+0] = (m->sz[1] >> 24) & 0xff; - SHA1_Update (m, zeros, dstart + 8); - { - int i; - unsigned char *r = (unsigned char*)res; - - for (i = 0; i < 5; ++i) { - r[4*i+3] = m->counter[i] & 0xFF; - r[4*i+2] = (m->counter[i] >> 8) & 0xFF; - r[4*i+1] = (m->counter[i] >> 16) & 0xFF; - r[4*i] = (m->counter[i] >> 24) & 0xFF; - } - } -#if 0 - { - int i; - u_int32_t *r = (u_int32_t *)res; - - for (i = 0; i < 5; ++i) - r[i] = swap_u_int32_t (m->counter[i]); - } -#endif -} diff --git a/crypto/heimdal-0.6.3/lib/des/sha.h b/crypto/heimdal-0.6.3/lib/des/sha.h deleted file mode 100644 index 5250e36259..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/sha.h +++ /dev/null 
@@ -1,59 +0,0 @@
-/*
- * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: sha.h,v 1.7 2001/01/29 02:08:57 assar Exp $ */
-
-#include
-#ifdef HAVE_SYS_TYPES_H
-#include
-#endif
-#ifdef HAVE_SYS_BITYPES_H
-#include
-#endif
-#ifdef KRB5
-#include
-#elif defined(KRB4)
-#include
-#endif
-
-struct sha {
- unsigned int sz[2];
- u_int32_t counter[5];
- unsigned char save[64];
-};
-
-typedef struct sha SHA_CTX;
-
-void SHA1_Init (struct sha *m);
-void SHA1_Update (struct sha *m, const void *v, size_t len);
-void SHA1_Final (void *res, struct sha *m);
diff --git a/crypto/heimdal-0.6.3/lib/des/shifts.pl b/crypto/heimdal-0.6.3/lib/des/shifts.pl
deleted file mode 100644
index 94afde35b1..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/shifts.pl
+++ /dev/null
@@ -1,198 +0,0 @@ -#/usr/local/bin/perl - -sub lab_shift - { - local(*a,$n)=@_; - local(@r,$i,$j,$k,$d,@z); - - @r=&shift(*a,$n); - foreach $i (0 .. 31) - { - @z=split(/\^/,$r[$i]); - for ($j=0; $j <= $#z; $j++) - { - ($d)=($z[$j] =~ /^(..)/); - ($k)=($z[$j] =~ /\[(.*)\]$/); - $k.=",$n" if ($k ne ""); - $k="$n" if ($k eq ""); - $d="$d[$k]"; - $z[$j]=$d; - } - $r[$i]=join('^',@z); - } - return(@r); - } - -sub shift - { - local(*a,$n)=@_; - local(@f); - - if ($n > 0) - { - @f=&shiftl(*a,$n); - } - else - { - @f=&shiftr(*a,-$n); - } - return(@f); - } - -sub rotate - { - local(*a,$n)=@_; - local(@f); - - if ($n > 0) - { @f=&rotatel(*a,$n); } - else - { @f=&rotater(*a,-$n); } - return(@f); - } - -sub rotater - { - local(*a,$n)=@_; - local(@f,@g); - - @f=&shiftr(*a,$n); - @g=&shiftl(*a,32-$n); - $#f=31; - $#g=31; - return(&or(*f,*g)); - } - -sub rotatel - { - local(*a,$n)=@_; - local(@f,@g); - - @f=&shiftl(*a,$n); - @g=&shiftr(*a,32-$n); - $#f=31; - $#g=31; - return(&or(*f,*g)); - } - -sub shiftr - { - local(*a,$n)=@_; - local(@r,$i); - - $#r=31; - foreach $i (0 .. 31) - { - if (($i+$n) > 31) - { - $r[$i]="--"; - } - else - { - $r[$i]=$a[$i+$n]; - } - } - return(@r); - } - -sub shiftl - { - local(*a,$n)=@_; - local(@r,$i); - - $#r=31; - foreach $i (0 .. 31) - { - if ($i < $n) - { - $r[$i]="--"; - } - else - { - $r[$i]=$a[$i-$n]; - } - } - return(@r); - } - -sub printit - { - local(@a)=@_; - local($i); - - foreach $i (0 .. 31) - { - printf "%2s ",$a[$i]; - print "\n" if (($i%8) == 7); - } - print "\n"; - } - -sub xor - { - local(*a,*b)=@_; - local(@r,$i); - - $#r=31; - foreach $i (0 .. 31) - { - $r[$i]=&compress($a[$i].'^'.$b[$i]); -# $r[$i]=$a[$i]."^".$b[$i]; - } - return(@r); - } - -sub and - { - local(*a,$m)=@_; - local(@r,$i); - - $#r=31; - foreach $i (0 .. 31) - { - $r[$i]=(($m & (1<<$i))?($a[$i]):('--')); - } - return(@r); - } - -sub or - { - local(*a,*b)=@_; - local(@r,$i); - - $#r=31; - foreach $i (0 .. 
31)
- {
- $r[$i]='--' if (($a[$i] eq '--') && ($b[$i] eq '--'));
- $r[$i]=$a[$i] if (($a[$i] ne '--') && ($b[$i] eq '--'));
- $r[$i]=$b[$i] if (($a[$i] eq '--') && ($b[$i] ne '--'));
- $r[$i]='++' if (($a[$i] ne '--') && ($b[$i] ne '--'));
- }
- return(@r);
- }
-
-sub compress
- {
- local($s)=@_;
- local($_,$i,@a,%a,$r);
-
- $s =~ s/\^\^/\^/g;
- $s =~ s/^\^//;
- $s =~ s/\^$//;
- @a=split(/\^/,$s);
-
- while ($#a >= 0)
- {
- $_=shift(@a);
- next unless /\d/;
- $a{$_}++;
- }
- foreach $i (sort keys %a)
- {
- next if ($a{$i}%2 == 0);
- $r.="$i^";
- }
- chop($r);
- return($r);
- }
-1;
diff --git a/crypto/heimdal-0.6.3/lib/des/sk.h b/crypto/heimdal-0.6.3/lib/des/sk.h
deleted file mode 100644
index 6fe99cf825..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/sk.h
+++ /dev/null
@@ -1,204 +0,0 @@
-/* crypto/des/sk.h */
-/* Copyright (C) 1995-1997 Eric Young (eay@mincom.oz.au)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@mincom.oz.au).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@mincom.oz.au).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@mincom.oz.au)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4.
If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@mincom.oz.au)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */ - -static const DES_LONG des_skb[8][64]={ -{ -/* for C bits (numbered as per FIPS 46) 1 2 3 4 5 6 */ -0x00000000L,0x00000010L,0x20000000L,0x20000010L, -0x00010000L,0x00010010L,0x20010000L,0x20010010L, -0x00000800L,0x00000810L,0x20000800L,0x20000810L, -0x00010800L,0x00010810L,0x20010800L,0x20010810L, -0x00000020L,0x00000030L,0x20000020L,0x20000030L, -0x00010020L,0x00010030L,0x20010020L,0x20010030L, -0x00000820L,0x00000830L,0x20000820L,0x20000830L, -0x00010820L,0x00010830L,0x20010820L,0x20010830L, -0x00080000L,0x00080010L,0x20080000L,0x20080010L, -0x00090000L,0x00090010L,0x20090000L,0x20090010L, -0x00080800L,0x00080810L,0x20080800L,0x20080810L, -0x00090800L,0x00090810L,0x20090800L,0x20090810L, -0x00080020L,0x00080030L,0x20080020L,0x20080030L, -0x00090020L,0x00090030L,0x20090020L,0x20090030L, -0x00080820L,0x00080830L,0x20080820L,0x20080830L, -0x00090820L,0x00090830L,0x20090820L,0x20090830L, -},{ -/* for C bits (numbered as per FIPS 46) 7 8 10 11 12 13 */ -0x00000000L,0x02000000L,0x00002000L,0x02002000L, -0x00200000L,0x02200000L,0x00202000L,0x02202000L, -0x00000004L,0x02000004L,0x00002004L,0x02002004L, -0x00200004L,0x02200004L,0x00202004L,0x02202004L, -0x00000400L,0x02000400L,0x00002400L,0x02002400L, -0x00200400L,0x02200400L,0x00202400L,0x02202400L, -0x00000404L,0x02000404L,0x00002404L,0x02002404L, -0x00200404L,0x02200404L,0x00202404L,0x02202404L, -0x10000000L,0x12000000L,0x10002000L,0x12002000L, -0x10200000L,0x12200000L,0x10202000L,0x12202000L, -0x10000004L,0x12000004L,0x10002004L,0x12002004L, -0x10200004L,0x12200004L,0x10202004L,0x12202004L, -0x10000400L,0x12000400L,0x10002400L,0x12002400L, -0x10200400L,0x12200400L,0x10202400L,0x12202400L, -0x10000404L,0x12000404L,0x10002404L,0x12002404L, -0x10200404L,0x12200404L,0x10202404L,0x12202404L, -},{ -/* for C bits (numbered as per FIPS 46) 14 15 16 17 19 20 */ -0x00000000L,0x00000001L,0x00040000L,0x00040001L, -0x01000000L,0x01000001L,0x01040000L,0x01040001L, -0x00000002L,0x00000003L,0x00040002L,0x00040003L, 
-0x01000002L,0x01000003L,0x01040002L,0x01040003L, -0x00000200L,0x00000201L,0x00040200L,0x00040201L, -0x01000200L,0x01000201L,0x01040200L,0x01040201L, -0x00000202L,0x00000203L,0x00040202L,0x00040203L, -0x01000202L,0x01000203L,0x01040202L,0x01040203L, -0x08000000L,0x08000001L,0x08040000L,0x08040001L, -0x09000000L,0x09000001L,0x09040000L,0x09040001L, -0x08000002L,0x08000003L,0x08040002L,0x08040003L, -0x09000002L,0x09000003L,0x09040002L,0x09040003L, -0x08000200L,0x08000201L,0x08040200L,0x08040201L, -0x09000200L,0x09000201L,0x09040200L,0x09040201L, -0x08000202L,0x08000203L,0x08040202L,0x08040203L, -0x09000202L,0x09000203L,0x09040202L,0x09040203L, -},{ -/* for C bits (numbered as per FIPS 46) 21 23 24 26 27 28 */ -0x00000000L,0x00100000L,0x00000100L,0x00100100L, -0x00000008L,0x00100008L,0x00000108L,0x00100108L, -0x00001000L,0x00101000L,0x00001100L,0x00101100L, -0x00001008L,0x00101008L,0x00001108L,0x00101108L, -0x04000000L,0x04100000L,0x04000100L,0x04100100L, -0x04000008L,0x04100008L,0x04000108L,0x04100108L, -0x04001000L,0x04101000L,0x04001100L,0x04101100L, -0x04001008L,0x04101008L,0x04001108L,0x04101108L, -0x00020000L,0x00120000L,0x00020100L,0x00120100L, -0x00020008L,0x00120008L,0x00020108L,0x00120108L, -0x00021000L,0x00121000L,0x00021100L,0x00121100L, -0x00021008L,0x00121008L,0x00021108L,0x00121108L, -0x04020000L,0x04120000L,0x04020100L,0x04120100L, -0x04020008L,0x04120008L,0x04020108L,0x04120108L, -0x04021000L,0x04121000L,0x04021100L,0x04121100L, -0x04021008L,0x04121008L,0x04021108L,0x04121108L, -},{ -/* for D bits (numbered as per FIPS 46) 1 2 3 4 5 6 */ -0x00000000L,0x10000000L,0x00010000L,0x10010000L, -0x00000004L,0x10000004L,0x00010004L,0x10010004L, -0x20000000L,0x30000000L,0x20010000L,0x30010000L, -0x20000004L,0x30000004L,0x20010004L,0x30010004L, -0x00100000L,0x10100000L,0x00110000L,0x10110000L, -0x00100004L,0x10100004L,0x00110004L,0x10110004L, -0x20100000L,0x30100000L,0x20110000L,0x30110000L, -0x20100004L,0x30100004L,0x20110004L,0x30110004L, 
-0x00001000L,0x10001000L,0x00011000L,0x10011000L, -0x00001004L,0x10001004L,0x00011004L,0x10011004L, -0x20001000L,0x30001000L,0x20011000L,0x30011000L, -0x20001004L,0x30001004L,0x20011004L,0x30011004L, -0x00101000L,0x10101000L,0x00111000L,0x10111000L, -0x00101004L,0x10101004L,0x00111004L,0x10111004L, -0x20101000L,0x30101000L,0x20111000L,0x30111000L, -0x20101004L,0x30101004L,0x20111004L,0x30111004L, -},{ -/* for D bits (numbered as per FIPS 46) 8 9 11 12 13 14 */ -0x00000000L,0x08000000L,0x00000008L,0x08000008L, -0x00000400L,0x08000400L,0x00000408L,0x08000408L, -0x00020000L,0x08020000L,0x00020008L,0x08020008L, -0x00020400L,0x08020400L,0x00020408L,0x08020408L, -0x00000001L,0x08000001L,0x00000009L,0x08000009L, -0x00000401L,0x08000401L,0x00000409L,0x08000409L, -0x00020001L,0x08020001L,0x00020009L,0x08020009L, -0x00020401L,0x08020401L,0x00020409L,0x08020409L, -0x02000000L,0x0A000000L,0x02000008L,0x0A000008L, -0x02000400L,0x0A000400L,0x02000408L,0x0A000408L, -0x02020000L,0x0A020000L,0x02020008L,0x0A020008L, -0x02020400L,0x0A020400L,0x02020408L,0x0A020408L, -0x02000001L,0x0A000001L,0x02000009L,0x0A000009L, -0x02000401L,0x0A000401L,0x02000409L,0x0A000409L, -0x02020001L,0x0A020001L,0x02020009L,0x0A020009L, -0x02020401L,0x0A020401L,0x02020409L,0x0A020409L, -},{ -/* for D bits (numbered as per FIPS 46) 16 17 18 19 20 21 */ -0x00000000L,0x00000100L,0x00080000L,0x00080100L, -0x01000000L,0x01000100L,0x01080000L,0x01080100L, -0x00000010L,0x00000110L,0x00080010L,0x00080110L, -0x01000010L,0x01000110L,0x01080010L,0x01080110L, -0x00200000L,0x00200100L,0x00280000L,0x00280100L, -0x01200000L,0x01200100L,0x01280000L,0x01280100L, -0x00200010L,0x00200110L,0x00280010L,0x00280110L, -0x01200010L,0x01200110L,0x01280010L,0x01280110L, -0x00000200L,0x00000300L,0x00080200L,0x00080300L, -0x01000200L,0x01000300L,0x01080200L,0x01080300L, -0x00000210L,0x00000310L,0x00080210L,0x00080310L, -0x01000210L,0x01000310L,0x01080210L,0x01080310L, -0x00200200L,0x00200300L,0x00280200L,0x00280300L, 
-0x01200200L,0x01200300L,0x01280200L,0x01280300L, -0x00200210L,0x00200310L,0x00280210L,0x00280310L, -0x01200210L,0x01200310L,0x01280210L,0x01280310L, -},{ -/* for D bits (numbered as per FIPS 46) 22 23 24 25 27 28 */ -0x00000000L,0x04000000L,0x00040000L,0x04040000L, -0x00000002L,0x04000002L,0x00040002L,0x04040002L, -0x00002000L,0x04002000L,0x00042000L,0x04042000L, -0x00002002L,0x04002002L,0x00042002L,0x04042002L, -0x00000020L,0x04000020L,0x00040020L,0x04040020L, -0x00000022L,0x04000022L,0x00040022L,0x04040022L, -0x00002020L,0x04002020L,0x00042020L,0x04042020L, -0x00002022L,0x04002022L,0x00042022L,0x04042022L, -0x00000800L,0x04000800L,0x00040800L,0x04040800L, -0x00000802L,0x04000802L,0x00040802L,0x04040802L, -0x00002800L,0x04002800L,0x00042800L,0x04042800L, -0x00002802L,0x04002802L,0x00042802L,0x04042802L, -0x00000820L,0x04000820L,0x00040820L,0x04040820L, -0x00000822L,0x04000822L,0x00040822L,0x04040822L, -0x00002820L,0x04002820L,0x00042820L,0x04042820L, -0x00002822L,0x04002822L,0x00042822L,0x04042822L, -}}; diff --git a/crypto/heimdal-0.6.3/lib/des/speed.c b/crypto/heimdal-0.6.3/lib/des/speed.c deleted file mode 100644 index 3d588ecd47..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/speed.c +++ /dev/null 
@@ -1,330 +0,0 @@
-/* crypto/des/speed.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@mincom.oz.au)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@mincom.oz.au).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@mincom.oz.au).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@mincom.oz.au)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4.
If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@mincom.oz.au)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-/* 11-Sep-92 Andrew Daviel Support for Silicon Graphics IRIX added */
-/* 06-Apr-92 Luke Brennan Support for VMS and add extra signal calls */
-
-#ifdef HAVE_CONFIG_H
-#include
-#endif
-
-#if !defined(MSDOS) && !defined(WIN32)
-#define TIMES
-#endif
-
-#include
-#include
-#ifdef HAVE_UNISTD_H
-#include
-#endif
-#include
-#ifdef HAVE_TIME_H
-#include
-#endif
-#ifdef HAVE_SYS_TYPES_H
-#include
-#endif
-#ifdef HAVE_SYS_TIMES_H
-#include
-#endif
-
-#ifdef VMS
-#include
-struct tms {
- time_t tms_utime;
- time_t tms_stime;
- time_t tms_uchild; /* I dunno...
*/ - time_t tms_uchildsys; /* so these names are a guess :-) */ - } -#endif - -#ifdef HAVE_SYS_TIMEB_H -#include -#endif - -#include -#ifdef HAVE_SYS_PARAM_H -#include -#endif - -#include "des.h" - -/* The following if from times(3) man page. It may need to be changed */ -#ifndef HZ -#ifndef CLK_TCK -#ifndef VMS -#define HZ 100.0 -#else /* VMS */ -#define HZ 100.0 -#endif -#else /* CLK_TCK */ -#define HZ ((double)CLK_TCK) -#endif -#endif - -#define BUFSIZE ((long)1024) -long run=0; - -#ifndef NOPROTO -double Time_F(int s); -#else -double Time_F(); -#endif - -#ifdef SIGALRM -#if defined(__STDC__) || defined(sgi) -#define SIGRETTYPE void -#else -#define SIGRETTYPE int -#endif - -#ifndef NOPROTO -SIGRETTYPE sig_done(int sig); -#else -SIGRETTYPE sig_done(); -#endif - -SIGRETTYPE sig_done(sig) -int sig; - { - signal(SIGALRM,sig_done); - run=0; -#ifdef LINT - sig=sig; -#endif - } -#endif - -#define START 0 -#define STOP 1 - -double Time_F(s) -int s; - { - double ret; -#ifdef TIMES - static struct tms tstart,tend; - - if (s == START) - { - times(&tstart); - return(0); - } - else - { - times(&tend); - ret=((double)(tend.tms_utime-tstart.tms_utime))/HZ; - return((ret == 0.0)?1e-6:ret); - } -#else /* !times() */ - static struct timeb tstart,tend; - long i; - - if (s == START) - { - ftime(&tstart); - return(0); - } - else - { - ftime(&tend); - i=(long)tend.millitm-(long)tstart.millitm; - ret=((double)(tend.time-tstart.time))+((double)i)/1000.0; - return((ret == 0.0)?1e-6:ret); - } -#endif - } - -int main(argc,argv) -int argc; -char **argv; - { - long count; - static unsigned char buf[BUFSIZE]; - static des_cblock key ={0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0}; - static des_cblock key2={0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12}; - static des_cblock key3={0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12,0x34}; - des_key_schedule sch,sch2,sch3; - double a,b,c,d,e; -#ifndef SIGALRM - long ca,cb,cc,cd,ce; -#endif - -#ifndef TIMES - printf("To get the most acurate results, try to run this\n"); - 
printf("program when this computer is idle.\n"); -#endif - - des_set_key((C_Block *)key2,sch2); - des_set_key((C_Block *)key3,sch3); - -#ifndef SIGALRM - printf("First we calculate the approximate speed ...\n"); - des_set_key((C_Block *)key,sch); - count=10; - do { - long i; - DES_LONG data[2]; - - count*=2; - Time_F(START); - for (i=count; i; i--) - des_encrypt(data,&(sch[0]),DES_ENCRYPT); - d=Time_F(STOP); - } while (d < 3.0); - ca=count; - cb=count*3; - cc=count*3*8/BUFSIZE+1; - cd=count*8/BUFSIZE+1; - ce=count/20+1; - printf("Doing set_key %ld times\n",ca); -#define COND(d) (count != (d)) -#define COUNT(d) (d) -#else -#define COND(c) (run) -#define COUNT(d) (count) - signal(SIGALRM,sig_done); - printf("Doing set_key for 10 seconds\n"); - alarm(10); -#endif - - Time_F(START); - for (count=0,run=1; COND(ca); count++) - des_set_key((C_Block *)key,sch); - d=Time_F(STOP); - printf("%ld set_key's in %.2f seconds\n",count,d); - a=((double)COUNT(ca))/d; - -#ifdef SIGALRM - printf("Doing des_encrypt's for 10 seconds\n"); - alarm(10); -#else - printf("Doing des_encrypt %ld times\n",cb); -#endif - Time_F(START); - for (count=0,run=1; COND(cb); count++) - { - DES_LONG data[2]; - - des_encrypt(data,&(sch[0]),DES_ENCRYPT); - } - d=Time_F(STOP); - printf("%ld des_encrypt's in %.2f second\n",count,d); - b=((double)COUNT(cb)*8)/d; - -#ifdef SIGALRM - printf("Doing des_cbc_encrypt on %ld byte blocks for 10 seconds\n", - BUFSIZE); - alarm(10); -#else - printf("Doing des_cbc_encrypt %ld times on %ld byte blocks\n",cc, - BUFSIZE); -#endif - Time_F(START); - for (count=0,run=1; COND(cc); count++) - des_ncbc_encrypt((C_Block *)buf,(C_Block *)buf,BUFSIZE,&(sch[0]), - (C_Block *)&(key[0]),DES_ENCRYPT); - d=Time_F(STOP); - printf("%ld des_cbc_encrypt's of %ld byte blocks in %.2f second\n", - count,BUFSIZE,d); - c=((double)COUNT(cc)*BUFSIZE)/d; - -#ifdef SIGALRM - printf("Doing des_ede_cbc_encrypt on %ld byte blocks for 10 seconds\n", - BUFSIZE); - alarm(10); -#else - printf("Doing 
des_ede_cbc_encrypt %ld times on %ld byte blocks\n",cd, - BUFSIZE); -#endif - Time_F(START); - for (count=0,run=1; COND(cd); count++) - des_ede3_cbc_encrypt((C_Block *)buf,(C_Block *)buf,BUFSIZE, - &(sch[0]), - &(sch2[0]), - &(sch3[0]), - (C_Block *)&(key[0]), - DES_ENCRYPT); - d=Time_F(STOP); - printf("%ld des_ede_cbc_encrypt's of %ld byte blocks in %.2f second\n", - count,BUFSIZE,d); - d=((double)COUNT(cd)*BUFSIZE)/d; - -#ifdef SIGALRM - printf("Doing crypt for 10 seconds\n"); - alarm(10); -#else - printf("Doing crypt %ld times\n",ce); -#endif - Time_F(START); - for (count=0,run=1; COND(ce); count++) - crypt("testing1","ef"); - e=Time_F(STOP); - printf("%ld crypts in %.2f second\n",count,e); - e=((double)COUNT(ce))/e; - - printf("set_key per sec = %12.2f (%5.1fuS)\n",a,1.0e6/a); - printf("DES raw ecb bytes per sec = %12.2f (%5.1fuS)\n",b,8.0e6/b); - printf("DES cbc bytes per sec = %12.2f (%5.1fuS)\n",c,8.0e6/c); - printf("DES ede cbc bytes per sec = %12.2f (%5.1fuS)\n",d,8.0e6/d); - printf("crypt per sec = %12.2f (%5.1fuS)\n",e,1.0e6/e); - exit(0); -#if defined(LINT) || defined(MSDOS) - return(0); -#endif - } diff --git a/crypto/heimdal-0.6.3/lib/des/spr.h b/crypto/heimdal-0.6.3/lib/des/spr.h deleted file mode 100644 index 3ac3e8db41..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/spr.h +++ /dev/null 
@@ -1,204 +0,0 @@
-/* crypto/des/spr.h */
-/* Copyright (C) 1995-1997 Eric Young (eay@mincom.oz.au)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@mincom.oz.au).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@mincom.oz.au).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@mincom.oz.au)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4.
If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@mincom.oz.au)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */ - -const DES_LONG des_SPtrans[8][64]={ -{ -/* nibble 0 */ -0x02080800L, 0x00080000L, 0x02000002L, 0x02080802L, -0x02000000L, 0x00080802L, 0x00080002L, 0x02000002L, -0x00080802L, 0x02080800L, 0x02080000L, 0x00000802L, -0x02000802L, 0x02000000L, 0x00000000L, 0x00080002L, -0x00080000L, 0x00000002L, 0x02000800L, 0x00080800L, -0x02080802L, 0x02080000L, 0x00000802L, 0x02000800L, -0x00000002L, 0x00000800L, 0x00080800L, 0x02080002L, -0x00000800L, 0x02000802L, 0x02080002L, 0x00000000L, -0x00000000L, 0x02080802L, 0x02000800L, 0x00080002L, -0x02080800L, 0x00080000L, 0x00000802L, 0x02000800L, -0x02080002L, 0x00000800L, 0x00080800L, 0x02000002L, -0x00080802L, 0x00000002L, 0x02000002L, 0x02080000L, -0x02080802L, 0x00080800L, 0x02080000L, 0x02000802L, -0x02000000L, 0x00000802L, 0x00080002L, 0x00000000L, -0x00080000L, 0x02000000L, 0x02000802L, 0x02080800L, -0x00000002L, 0x02080002L, 0x00000800L, 0x00080802L, -},{ -/* nibble 1 */ -0x40108010L, 0x00000000L, 0x00108000L, 0x40100000L, -0x40000010L, 0x00008010L, 0x40008000L, 0x00108000L, -0x00008000L, 0x40100010L, 0x00000010L, 0x40008000L, -0x00100010L, 0x40108000L, 0x40100000L, 0x00000010L, -0x00100000L, 0x40008010L, 0x40100010L, 0x00008000L, -0x00108010L, 0x40000000L, 0x00000000L, 0x00100010L, -0x40008010L, 0x00108010L, 0x40108000L, 0x40000010L, -0x40000000L, 0x00100000L, 0x00008010L, 0x40108010L, -0x00100010L, 0x40108000L, 0x40008000L, 0x00108010L, -0x40108010L, 0x00100010L, 0x40000010L, 0x00000000L, -0x40000000L, 0x00008010L, 0x00100000L, 0x40100010L, -0x00008000L, 0x40000000L, 0x00108010L, 0x40008010L, -0x40108000L, 0x00008000L, 0x00000000L, 0x40000010L, -0x00000010L, 0x40108010L, 0x00108000L, 0x40100000L, -0x40100010L, 0x00100000L, 0x00008010L, 0x40008000L, -0x40008010L, 0x00000010L, 0x40100000L, 0x00108000L, -},{ -/* nibble 2 */ -0x04000001L, 0x04040100L, 0x00000100L, 0x04000101L, -0x00040001L, 0x04000000L, 0x04000101L, 0x00040100L, -0x04000100L, 0x00040000L, 0x04040000L, 0x00000001L, -0x04040101L, 0x00000101L, 0x00000001L, 
0x04040001L, -0x00000000L, 0x00040001L, 0x04040100L, 0x00000100L, -0x00000101L, 0x04040101L, 0x00040000L, 0x04000001L, -0x04040001L, 0x04000100L, 0x00040101L, 0x04040000L, -0x00040100L, 0x00000000L, 0x04000000L, 0x00040101L, -0x04040100L, 0x00000100L, 0x00000001L, 0x00040000L, -0x00000101L, 0x00040001L, 0x04040000L, 0x04000101L, -0x00000000L, 0x04040100L, 0x00040100L, 0x04040001L, -0x00040001L, 0x04000000L, 0x04040101L, 0x00000001L, -0x00040101L, 0x04000001L, 0x04000000L, 0x04040101L, -0x00040000L, 0x04000100L, 0x04000101L, 0x00040100L, -0x04000100L, 0x00000000L, 0x04040001L, 0x00000101L, -0x04000001L, 0x00040101L, 0x00000100L, 0x04040000L, -},{ -/* nibble 3 */ -0x00401008L, 0x10001000L, 0x00000008L, 0x10401008L, -0x00000000L, 0x10400000L, 0x10001008L, 0x00400008L, -0x10401000L, 0x10000008L, 0x10000000L, 0x00001008L, -0x10000008L, 0x00401008L, 0x00400000L, 0x10000000L, -0x10400008L, 0x00401000L, 0x00001000L, 0x00000008L, -0x00401000L, 0x10001008L, 0x10400000L, 0x00001000L, -0x00001008L, 0x00000000L, 0x00400008L, 0x10401000L, -0x10001000L, 0x10400008L, 0x10401008L, 0x00400000L, -0x10400008L, 0x00001008L, 0x00400000L, 0x10000008L, -0x00401000L, 0x10001000L, 0x00000008L, 0x10400000L, -0x10001008L, 0x00000000L, 0x00001000L, 0x00400008L, -0x00000000L, 0x10400008L, 0x10401000L, 0x00001000L, -0x10000000L, 0x10401008L, 0x00401008L, 0x00400000L, -0x10401008L, 0x00000008L, 0x10001000L, 0x00401008L, -0x00400008L, 0x00401000L, 0x10400000L, 0x10001008L, -0x00001008L, 0x10000000L, 0x10000008L, 0x10401000L, -},{ -/* nibble 4 */ -0x08000000L, 0x00010000L, 0x00000400L, 0x08010420L, -0x08010020L, 0x08000400L, 0x00010420L, 0x08010000L, -0x00010000L, 0x00000020L, 0x08000020L, 0x00010400L, -0x08000420L, 0x08010020L, 0x08010400L, 0x00000000L, -0x00010400L, 0x08000000L, 0x00010020L, 0x00000420L, -0x08000400L, 0x00010420L, 0x00000000L, 0x08000020L, -0x00000020L, 0x08000420L, 0x08010420L, 0x00010020L, -0x08010000L, 0x00000400L, 0x00000420L, 0x08010400L, -0x08010400L, 0x08000420L, 
0x00010020L, 0x08010000L, -0x00010000L, 0x00000020L, 0x08000020L, 0x08000400L, -0x08000000L, 0x00010400L, 0x08010420L, 0x00000000L, -0x00010420L, 0x08000000L, 0x00000400L, 0x00010020L, -0x08000420L, 0x00000400L, 0x00000000L, 0x08010420L, -0x08010020L, 0x08010400L, 0x00000420L, 0x00010000L, -0x00010400L, 0x08010020L, 0x08000400L, 0x00000420L, -0x00000020L, 0x00010420L, 0x08010000L, 0x08000020L, -},{ -/* nibble 5 */ -0x80000040L, 0x00200040L, 0x00000000L, 0x80202000L, -0x00200040L, 0x00002000L, 0x80002040L, 0x00200000L, -0x00002040L, 0x80202040L, 0x00202000L, 0x80000000L, -0x80002000L, 0x80000040L, 0x80200000L, 0x00202040L, -0x00200000L, 0x80002040L, 0x80200040L, 0x00000000L, -0x00002000L, 0x00000040L, 0x80202000L, 0x80200040L, -0x80202040L, 0x80200000L, 0x80000000L, 0x00002040L, -0x00000040L, 0x00202000L, 0x00202040L, 0x80002000L, -0x00002040L, 0x80000000L, 0x80002000L, 0x00202040L, -0x80202000L, 0x00200040L, 0x00000000L, 0x80002000L, -0x80000000L, 0x00002000L, 0x80200040L, 0x00200000L, -0x00200040L, 0x80202040L, 0x00202000L, 0x00000040L, -0x80202040L, 0x00202000L, 0x00200000L, 0x80002040L, -0x80000040L, 0x80200000L, 0x00202040L, 0x00000000L, -0x00002000L, 0x80000040L, 0x80002040L, 0x80202000L, -0x80200000L, 0x00002040L, 0x00000040L, 0x80200040L, -},{ -/* nibble 6 */ -0x00004000L, 0x00000200L, 0x01000200L, 0x01000004L, -0x01004204L, 0x00004004L, 0x00004200L, 0x00000000L, -0x01000000L, 0x01000204L, 0x00000204L, 0x01004000L, -0x00000004L, 0x01004200L, 0x01004000L, 0x00000204L, -0x01000204L, 0x00004000L, 0x00004004L, 0x01004204L, -0x00000000L, 0x01000200L, 0x01000004L, 0x00004200L, -0x01004004L, 0x00004204L, 0x01004200L, 0x00000004L, -0x00004204L, 0x01004004L, 0x00000200L, 0x01000000L, -0x00004204L, 0x01004000L, 0x01004004L, 0x00000204L, -0x00004000L, 0x00000200L, 0x01000000L, 0x01004004L, -0x01000204L, 0x00004204L, 0x00004200L, 0x00000000L, -0x00000200L, 0x01000004L, 0x00000004L, 0x01000200L, -0x00000000L, 0x01000204L, 0x01000200L, 0x00004200L, -0x00000204L, 
0x00004000L, 0x01004204L, 0x01000000L, -0x01004200L, 0x00000004L, 0x00004004L, 0x01004204L, -0x01000004L, 0x01004200L, 0x01004000L, 0x00004004L, -},{ -/* nibble 7 */ -0x20800080L, 0x20820000L, 0x00020080L, 0x00000000L, -0x20020000L, 0x00800080L, 0x20800000L, 0x20820080L, -0x00000080L, 0x20000000L, 0x00820000L, 0x00020080L, -0x00820080L, 0x20020080L, 0x20000080L, 0x20800000L, -0x00020000L, 0x00820080L, 0x00800080L, 0x20020000L, -0x20820080L, 0x20000080L, 0x00000000L, 0x00820000L, -0x20000000L, 0x00800000L, 0x20020080L, 0x20800080L, -0x00800000L, 0x00020000L, 0x20820000L, 0x00000080L, -0x00800000L, 0x00020000L, 0x20000080L, 0x20820080L, -0x00020080L, 0x20000000L, 0x00000000L, 0x00820000L, -0x20800080L, 0x20020080L, 0x20020000L, 0x00800080L, -0x20820000L, 0x00000080L, 0x00800080L, 0x20020000L, -0x20820080L, 0x00800000L, 0x20800000L, 0x20000080L, -0x00820000L, 0x00020080L, 0x20020080L, 0x20800000L, -0x00000080L, 0x20820000L, 0x00820080L, 0x00000000L, -0x20000000L, 0x20800080L, 0x00020000L, 0x00820080L, -}}; diff --git a/crypto/heimdal-0.6.3/lib/des/str2key.c b/crypto/heimdal-0.6.3/lib/des/str2key.c deleted file mode 100644 index c86368c8cc..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/str2key.c +++ /dev/null 
@@ -1,177 +0,0 @@ -/* crypto/des/str2key.c */ -/* Copyright (C) 1995-1997 Eric Young (eay@mincom.oz.au) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@mincom.oz.au). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@mincom.oz.au). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@mincom.oz.au)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. 
If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@mincom.oz.au)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] 
- */ - -#include "des_locl.h" - -extern int des_check_key; - -void des_string_to_key(str, key) -char *str; -des_cblock (*key); - { - des_key_schedule ks; - int i,length; - register unsigned char j; - - memset(key,0,8); - length=strlen(str); -#ifdef OLD_STR_TO_KEY - for (i=0; i>4)&0x0f); - j=((j<<2)&0xcc)|((j>>2)&0x33); - j=((j<<1)&0xaa)|((j>>1)&0x55); - (*key)[7-(i%8)]^=j; - } - } -#endif - des_set_odd_parity((des_cblock *)key); - i=des_check_key; - des_check_key=0; - if(des_is_weak_key((des_cblock *)key)) - (*key)[7] ^= 0xF0; - des_set_key((des_cblock *)key,ks); - des_check_key=i; - des_cbc_cksum((des_cblock *)str,(des_cblock *)key,(long)length,ks, - (des_cblock *)key); - memset(ks,0,sizeof(ks)); - des_set_odd_parity((des_cblock *)key); - } - -void des_string_to_2keys(str, key1, key2) -char *str; -des_cblock (*key1); -des_cblock (*key2); - { - des_key_schedule ks; - int i,length; - register unsigned char j; - - memset(key1,0,8); - memset(key2,0,8); - length=strlen(str); -#ifdef OLD_STR_TO_KEY - if (length <= 8) - { - for (i=0; i>4)&0x0f); - j=((j<<2)&0xcc)|((j>>2)&0x33); - j=((j<<1)&0xaa)|((j>>1)&0x55); - if ((i%16) < 8) - (*key1)[7-(i%8)]^=j; - else - (*key2)[7-(i%8)]^=j; - } - } - if (length <= 8) memcpy(key2,key1,8); -#endif - des_set_odd_parity((des_cblock *)key1); - des_set_odd_parity((des_cblock *)key2); - i=des_check_key; - des_check_key=0; - if(des_is_weak_key((des_cblock *)key1)) - (*key1)[7] ^= 0xF0; - des_set_key((des_cblock *)key1,ks); - des_cbc_cksum((des_cblock *)str,(des_cblock *)key1,(long)length,ks, - (des_cblock *)key1); - if(des_is_weak_key((des_cblock *)key2)) - (*key2)[7] ^= 0xF0; - des_set_key((des_cblock *)key2,ks); - des_cbc_cksum((des_cblock *)str,(des_cblock *)key2,(long)length,ks, - (des_cblock *)key2); - des_check_key=i; - memset(ks,0,sizeof(ks)); - des_set_odd_parity(key1); - des_set_odd_parity(key2); - } 
diff --git a/crypto/heimdal-0.6.3/lib/des/supp.c b/crypto/heimdal-0.6.3/lib/des/supp.c
deleted file mode 100644
index b8e8566b23..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/supp.c
+++ /dev/null
@@ -1,109 +0,0 @@ -/* crypto/des/supp.c */ -/* Copyright (C) 1995-1997 Eric Young (eay@mincom.oz.au) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@mincom.oz.au). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@mincom.oz.au). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@mincom.oz.au)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. 
If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@mincom.oz.au)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -/* - * Copyright (c) 1995 - * Mark Murray. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. 
All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Mark Murray - * 4. Neither the name of the author nor the names of any co-contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY MARK MURRAY AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * $Id: supp.c,v 1.4 1997/06/22 10:14:07 bg Exp $ - */ - -#include -#include "des_locl.h" - -void des_cblock_print_file(cb, fp) - des_cblock *cb; - FILE *fp; -{ - int i; - unsigned int *p = (unsigned int *)cb; - - fprintf(fp, " 0x { "); - for (i = 0; i < 8; i++) { - fprintf(fp, "%x", p[i]); - if (i != 7) fprintf(fp, ", "); - } - fprintf(fp, " }"); -} diff --git a/crypto/heimdal-0.6.3/lib/des/t/perl b/crypto/heimdal-0.6.3/lib/des/t/perl deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/crypto/heimdal-0.6.3/lib/des/t/test b/crypto/heimdal-0.6.3/lib/des/t/test deleted file mode 100644 index 97acd0552e..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/t/test +++ /dev/null 
@@ -1,27 +0,0 @@
-#!./perl
-
-BEGIN { push(@INC, qw(../../../lib ../../lib ../lib lib)); }
-
-use DES;
-
-$key='00000000';
-$ks=DES::set_key($key);
-@a=split(//,$ks);
-foreach (@a) { printf "%02x-",ord($_); }
-print "\n";
-
-
-$key=DES::random_key();
-print "($_)\n";
-@a=split(//,$key);
-foreach (@a) { printf "%02x-",ord($_); }
-print "\n";
-$str="this is and again into the breach";
-($k1,$k2)=DES::string_to_2keys($str);
-@a=split(//,$k1);
-foreach (@a) { printf "%02x-",ord($_); }
-print "\n";
-@a=split(//,$k2);
-foreach (@a) { printf "%02x-",ord($_); }
-print "\n";
-
diff --git a/crypto/heimdal-0.6.3/lib/des/testdes.pl b/crypto/heimdal-0.6.3/lib/des/testdes.pl
deleted file mode 100644
index 01a165a963..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/testdes.pl
+++ /dev/null
@@ -1,167 +0,0 @@ -#!/usr/local/bin/perl - -# des.pl tesing code - -require 'des.pl'; - -$num_tests=34; -@key_data=( - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, - 0x30,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11, - 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF, - 0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0xFE,0xDC,0xBA,0x98,0x76,0x54,0x32,0x10, - 0x7C,0xA1,0x10,0x45,0x4A,0x1A,0x6E,0x57, - 0x01,0x31,0xD9,0x61,0x9D,0xC1,0x37,0x6E, - 0x07,0xA1,0x13,0x3E,0x4A,0x0B,0x26,0x86, - 0x38,0x49,0x67,0x4C,0x26,0x02,0x31,0x9E, - 0x04,0xB9,0x15,0xBA,0x43,0xFE,0xB5,0xB6, - 0x01,0x13,0xB9,0x70,0xFD,0x34,0xF2,0xCE, - 0x01,0x70,0xF1,0x75,0x46,0x8F,0xB5,0xE6, - 0x43,0x29,0x7F,0xAD,0x38,0xE3,0x73,0xFE, - 0x07,0xA7,0x13,0x70,0x45,0xDA,0x2A,0x16, - 0x04,0x68,0x91,0x04,0xC2,0xFD,0x3B,0x2F, - 0x37,0xD0,0x6B,0xB5,0x16,0xCB,0x75,0x46, - 0x1F,0x08,0x26,0x0D,0x1A,0xC2,0x46,0x5E, - 0x58,0x40,0x23,0x64,0x1A,0xBA,0x61,0x76, - 0x02,0x58,0x16,0x16,0x46,0x29,0xB0,0x07, - 0x49,0x79,0x3E,0xBC,0x79,0xB3,0x25,0x8F, - 0x4F,0xB0,0x5E,0x15,0x15,0xAB,0x73,0xA7, - 0x49,0xE9,0x5D,0x6D,0x4C,0xA2,0x29,0xBF, - 0x01,0x83,0x10,0xDC,0x40,0x9B,0x26,0xD6, - 0x1C,0x58,0x7F,0x1C,0x13,0x92,0x4F,0xEF, - 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01, - 0x1F,0x1F,0x1F,0x1F,0x0E,0x0E,0x0E,0x0E, - 0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1,0xFE, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, - 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF, - 0xFE,0xDC,0xBA,0x98,0x76,0x54,0x32,0x10, - ); - -@plain_data=( - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, - 0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x01, - 0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11, - 0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11, - 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF, - 0x01,0xA1,0xD6,0xD0,0x39,0x77,0x67,0x42, - 
0x5C,0xD5,0x4C,0xA8,0x3D,0xEF,0x57,0xDA, - 0x02,0x48,0xD4,0x38,0x06,0xF6,0x71,0x72, - 0x51,0x45,0x4B,0x58,0x2D,0xDF,0x44,0x0A, - 0x42,0xFD,0x44,0x30,0x59,0x57,0x7F,0xA2, - 0x05,0x9B,0x5E,0x08,0x51,0xCF,0x14,0x3A, - 0x07,0x56,0xD8,0xE0,0x77,0x47,0x61,0xD2, - 0x76,0x25,0x14,0xB8,0x29,0xBF,0x48,0x6A, - 0x3B,0xDD,0x11,0x90,0x49,0x37,0x28,0x02, - 0x26,0x95,0x5F,0x68,0x35,0xAF,0x60,0x9A, - 0x16,0x4D,0x5E,0x40,0x4F,0x27,0x52,0x32, - 0x6B,0x05,0x6E,0x18,0x75,0x9F,0x5C,0xCA, - 0x00,0x4B,0xD6,0xEF,0x09,0x17,0x60,0x62, - 0x48,0x0D,0x39,0x00,0x6E,0xE7,0x62,0xF2, - 0x43,0x75,0x40,0xC8,0x69,0x8F,0x3C,0xFA, - 0x07,0x2D,0x43,0xA0,0x77,0x07,0x52,0x92, - 0x02,0xFE,0x55,0x77,0x81,0x17,0xF1,0x2A, - 0x1D,0x9D,0x5C,0x50,0x18,0xF7,0x28,0xC2, - 0x30,0x55,0x32,0x28,0x6D,0x6F,0x29,0x5A, - 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF, - 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF, - 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF, - 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF); - -@cipher_data=( - 0x8C,0xA6,0x4D,0xE9,0xC1,0xB1,0x23,0xA7, - 0x73,0x59,0xB2,0x16,0x3E,0x4E,0xDC,0x58, - 0x95,0x8E,0x6E,0x62,0x7A,0x05,0x55,0x7B, - 0xF4,0x03,0x79,0xAB,0x9E,0x0E,0xC5,0x33, - 0x17,0x66,0x8D,0xFC,0x72,0x92,0x53,0x2D, - 0x8A,0x5A,0xE1,0xF8,0x1A,0xB8,0xF2,0xDD, - 0x8C,0xA6,0x4D,0xE9,0xC1,0xB1,0x23,0xA7, - 0xED,0x39,0xD9,0x50,0xFA,0x74,0xBC,0xC4, - 0x69,0x0F,0x5B,0x0D,0x9A,0x26,0x93,0x9B, - 0x7A,0x38,0x9D,0x10,0x35,0x4B,0xD2,0x71, - 0x86,0x8E,0xBB,0x51,0xCA,0xB4,0x59,0x9A, - 0x71,0x78,0x87,0x6E,0x01,0xF1,0x9B,0x2A, - 0xAF,0x37,0xFB,0x42,0x1F,0x8C,0x40,0x95, - 0x86,0xA5,0x60,0xF1,0x0E,0xC6,0xD8,0x5B, - 0x0C,0xD3,0xDA,0x02,0x00,0x21,0xDC,0x09, - 0xEA,0x67,0x6B,0x2C,0xB7,0xDB,0x2B,0x7A, - 0xDF,0xD6,0x4A,0x81,0x5C,0xAF,0x1A,0x0F, - 0x5C,0x51,0x3C,0x9C,0x48,0x86,0xC0,0x88, - 0x0A,0x2A,0xEE,0xAE,0x3F,0xF4,0xAB,0x77, - 0xEF,0x1B,0xF0,0x3E,0x5D,0xFA,0x57,0x5A, - 0x88,0xBF,0x0D,0xB6,0xD7,0x0D,0xEE,0x56, - 
0xA1,0xF9,0x91,0x55,0x41,0x02,0x0B,0x56, - 0x6F,0xBF,0x1C,0xAF,0xCF,0xFD,0x05,0x56, - 0x2F,0x22,0xE4,0x9B,0xAB,0x7C,0xA1,0xAC, - 0x5A,0x6B,0x61,0x2C,0xC2,0x6C,0xCE,0x4A, - 0x5F,0x4C,0x03,0x8E,0xD1,0x2B,0x2E,0x41, - 0x63,0xFA,0xC0,0xD0,0x34,0xD9,0xF7,0x93, - 0x61,0x7B,0x3A,0x0C,0xE8,0xF0,0x71,0x00, - 0xDB,0x95,0x86,0x05,0xF8,0xC8,0xC6,0x06, - 0xED,0xBF,0xD1,0xC6,0x6C,0x29,0xCC,0xC7, - 0x35,0x55,0x50,0xB2,0x15,0x0E,0x24,0x51, - 0xCA,0xAA,0xAF,0x4D,0xEA,0xF1,0xDB,0xAE, - 0xD5,0xD4,0x4F,0xF7,0x20,0x68,0x3D,0x0D, - 0x2A,0x2B,0xB0,0x08,0xDF,0x97,0xC2,0xF2); - -print "Doing ecb tests\n"; -for ($i=0; $i<$num_tests; $i++) - { - printf "Doing test $i\n"; - $key =pack("C8",splice(@key_data ,0,8)); - $data=pack("C8",splice(@plain_data ,0,8)); - $res =pack("C8",splice(@cipher_data,0,8)); - - @ks= &des_set_key($key); - $out1= &des_ecb_encrypt(*ks,1,$data); - $out2= &des_ecb_encrypt(*ks,0,$out1); - $out3= &des_ecb_encrypt(*ks,0,$res); - &eprint("encryption failure",$res,$out1) - if ($out1 ne $res); - &eprint("encryption/decryption failure",$data,$out2) - if ($out2 ne $data); - &eprint("decryption failure",$data,$out3) - if ($data ne $out3); - } -print "Done\n"; - -print "doing speed test over 30 seconds\n"; -$SIG{'ALRM'}='done'; -sub done {$done=1;} -$done=0; - -$count=0; -$d=pack("C8",0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef); -@ks= &des_set_key($d); -alarm(30); -$start=(times)[0]; -while (!$done) - { - $count++; - $d=&des_ecb_encrypt(*ks,1,$d); - } -$end=(times)[0]; -$t=$end-$start; -printf "$count DESs in %.2f seconds is %.2f DESs/sec or %.2f bytes/sec\n", - 1.0*$t,1.0*$count/$t,$count*8.0/$t; - -sub eprint - { - local($s,$c,$e)=@_; - local(@k); - - @k=unpack("C8",$c); - printf "%02x%02x%02x%02x %02x%02x%02x%02x - ",unpack("C8",$c); - printf "%02x%02x%02x%02x %02x%02x%02x%02x :",unpack("C8",$e); - print " $s\n"; - } diff --git a/crypto/heimdal-0.6.3/lib/des/times b/crypto/heimdal-0.6.3/lib/des/times deleted file mode 100644 index f5080ef99c..0000000000 
--- a/crypto/heimdal-0.6.3/lib/des/times
+++ /dev/null
@@ -1,216 +0,0 @@ -existing library on a DEC 3000/500 -set_key per sec = 256294.06 ( 3.9uS) -DES ecb bytes per sec = 3553694.40 ( 2.3uS) -DES cbc bytes per sec = 3661004.80 ( 2.2uS) -DES ede cbc bytes per sec = 1353115.99 ( 5.9uS) -crypt per sec = 16829.40 ( 59.4uS) - -Intel P6/200 (NEXTSTEP) - cc -O3 (cc: gcc 2.5.8) -set_key per sec = 219220.82 ( 4.6uS) -DES ecb bytes per sec = 2438014.04 ( 3.3uS) -DES cbc bytes per sec = 2467648.85 ( 3.2uS) -DES ede cbc bytes per sec = 942121.58 ( 8.5uS) -crypt per sec = 11398.73 ( 87.7uS) - -# DECstation Alpha 3000 Model 700 AXP / OSF1 V3.0 -# gcc 2.6.3 / Young libdes 3.21 -set_key per sec = 149369.74 ( 6.7uS) -DES ecb bytes per sec = 2011976.68 ( 4.0uS) -DES cbc bytes per sec = 2002245.35 ( 4.0uS) -DES ede cbc bytes per sec = 793677.19 ( 10.1uS) -crypt per sec = 9244.52 (108.2uS) - -# Sun Ultra I gcc 2.7.2 / Young libdes 3.21 -set_key per sec = 147172.22 ( 6.8uS) -DES ecb bytes per sec = 1815054.70 ( 4.4uS) -DES cbc bytes per sec = 1829405.18 ( 4.4uS) -DES ede cbc bytes per sec = 714490.23 ( 11.2uS) -crypt per sec = 8896.24 (112.4uS) - -SGI Challenge (MIPS R4400 200mhz) - gcc -O2 -set_key per sec = 114141.13 ( 8.8uS) -DES ecb bytes per sec = 1573472.84 ( 5.1uS) -DES cbc bytes per sec = 1580418.20 ( 5.1uS) -crypt per sec = 7137.84 (140.1uS) - -DEC Alpha DEC 4000/710 AXP OSF/1 v 3.0 - gcc -O2 2.6.1 -set_key per sec = 123138.49 ( 8.1uS) -DES ecb bytes per sec = 1407546.76 ( 5.7uS) -DES cbc bytes per sec = 1404103.21 ( 5.7uS) -crypt per sec = 7746.76 (129.1uS) - -DEC Alpha DEC 4000/710 AXP OSF/1 v 3.0 - cc -O4 'DEC Compiler Driver 3.11' -set_key per sec = 135160.83 ( 7.4uS) -DES ecb bytes per sec = 1267753.22 ( 6.3uS) -DES cbc bytes per sec = 1260564.90 ( 6.3uS) -crypt per sec = 6479.37 (154.3uS) - -SGI Challenge (MIPS R4400 200mhz) - cc -O2 -set_key per sec = 124000.10 ( 8.1uS) -DES ecb bytes per sec = 1338138.45 ( 6.0uS) -DES cbc bytes per sec = 1356515.84 ( 5.9uS) -crypt per sec = 6223.92 (160.7uS) - -Intel P5/133 (NEXTSTEP) - 
cc -O3 (cc: gcc 2.5.8) -set_key per sec = 81923.10 ( 12.2uS) -DES ecb bytes per sec = 1104711.61 ( 7.2uS) -DES cbc bytes per sec = 1091536.05 ( 7.3uS) -DES ede cbc bytes per sec = 410502.62 ( 19.5uS) -crypt per sec = 4849.60 (206.2uS) - -Sun SPARC 20 (NEXTSTEP) - cc -O3 (cc: gcc 2.5.8) -set_key per sec = 60973.05 ( 16.4uS) -DES ecb bytes per sec = 806032.15 ( 9.9uS) -DES cbc bytes per sec = 801534.95 ( 10.0uS) -DES ede cbc bytes per sec = 298799.73 ( 26.8uS) -crypt per sec = 3678.42 (271.9uS) - -SGI Indy (MIPS R4600 133mhz) -cc -O2 -set_key per sec = 88470.54 ( 11.3uS) -DES ecb bytes per sec = 1023040.33 ( 7.8uS) -DES cbc bytes per sec = 1033610.01 ( 7.7uS) -crypt per sec = 4641.51 (215.4uS) - -HP-UX 9000/887 cc +O3 -set_key per sec = 76824.30 ( 13.0uS) -DES ecb bytes per sec = 1048911.20 ( 7.6uS) -DES cbc bytes per sec = 1072332.80 ( 7.5uS) -crypt per sec = 4968.64 (201.3uS) - -IRIX 5.2 IP22 (R4000) cc -O2 (galilo) -set_key per sec = 60615.73 ( 16.5uS) -DES ecb bytes per sec = 584741.32 ( 13.7uS) -DES cbc bytes per sec = 584306.94 ( 13.7uS) -crypt per sec = 3049.33 (327.9uS) - -HP-UX 9000/867 cc -O -set_key per sec = 48600.00 ( 20.6uS) -DES ecb bytes per sec = 616235.14 ( 13.0uS) -DES cbc bytes per sec = 638669.44 ( 12.5uS) -crypt per sec = 3016.68 (331.5uS) - -HP-UX 9000/867 gcc -O2 -set_key per sec = 52120.50 ( 19.2uS) -DES ecb bytes per sec = 715156.55 ( 11.2uS) -DES cbc bytes per sec = 724424.28 ( 11.0uS) -crypt per sec = 3295.87 (303.4uS) - -DGUX AViiON mc88110 gcc -O2 -set_key per sec = 55604.91 ( 18.0uS) -DES ecb bytes per sec = 658513.25 ( 12.1uS) -DES cbc bytes per sec = 675552.71 ( 11.8uS) -crypt per sec = 3438.10 (290.9uS) - -Sparc 10 cc -O2 (orb) -set_key per sec = 53002.30 ( 18.9uS) -DES ecb bytes per sec = 705250.40 ( 11.3uS) -DES cbc bytes per sec = 714342.40 ( 11.2uS) -crypt per sec = 2943.99 (339.7uS) - -Sparc 10 gcc -O2 (orb) -set_key per sec = 58681.21 ( 17.0uS) -DES ecb bytes per sec = 772390.20 ( 10.4uS) -DES cbc bytes per sec = 774144.00 ( 
10.3uS) -crypt per sec = 3606.90 (277.2uS) - -DEC Alpha DEC 4000/610 AXP OSF/1 v 1.3 - gcc v 2.3.3 -set_key per sec = 101840.19 ( 9.8uS) -DES ecb bytes per sec = 1223712.35 ( 6.5uS) -DES cbc bytes per sec = 1230542.98 ( 6.5uS) -crypt per sec = 6428.75 (155.6uS) - -DEC Alpha DEC 4000/610 APX OSF/1 v 1.3 - cc -O2 - OSF/1 AXP -set_key per sec = 114198.91 ( 8.8uS) -DES ecb bytes per sec = 1022710.93 ( 7.8uS) -DES cbc bytes per sec = 1008821.93 ( 7.9uS) -crypt per sec = 5454.13 (183.3uS) - -DEC Alpha - DEC 3000/500 AXP OSF/1 - cc -O2 - 02/12/92 -set_key per sec = 83587.04 ( 12.0uS) -DES ecb bytes per sec = 822620.82 ( 9.7uS) -DES cbc bytes per sec = 832929.60 ( 9.6uS) -crypt per sec = 4807.62 (208.0uS) - -sun sparc 10/30 - gcc -O2 -set_key per sec = 42005.24 ( 23.8uS) -DES ecb bytes per sec = 555949.47 ( 14.4uS) -DES cbc bytes per sec = 549440.28 ( 14.6uS) -crypt per sec = 2580.25 (387.6uS) - -PA-RISC 1.1 HP 710 -set_key per sec = 38916.86 -DES ecb bytes per sec = 505971.82 -DES cbc bytes per sec = 515381.13 -crypt per sec = 2438.24 - -iris (spike) cc -O2 -set_key per sec = 23128.83 ( 43.2uS) -DES ecb bytes per sec = 261577.94 ( 30.6uS) -DES cbc bytes per sec = 261746.41 ( 30.6uS) -crypt per sec = 1231.76 (811.8uS) - -sun sparc 10/30 - cc -O4 -set_key per sec = 38379.86 ( 26.1uS) -DES ecb bytes per sec = 460051.34 ( 17.4uS) -DES cbc bytes per sec = 464970.54 ( 17.2uS) -crypt per sec = 2092.64 (477.9uS) - -sun sparc 2 - gcc2 -O2 -set_key per sec = 21559.10 -DES ecb bytes per sec = 305566.92 -DES cbc bytes per sec = 303497.50 -crypt per sec = 1410.48 - -RS/6000 model 320 -set_key per sec = 14371.93 -DES ecb bytes per sec = 222231.26 -DES cbc bytes per sec = 223926.79 -crypt per sec = 981.20 - -80486dx/66MHz Solaris 2.1 - gcc -O2 (gcc 2.6.3) -set_key per sec = 26814.15 ( 37.3uS) -DES ecb bytes per sec = 345029.95 ( 23.2uS) -DES cbc bytes per sec = 344064.00 ( 23.3uS) -crypt per sec = 1551.97 (644.3uS) - -80486dx/50MHz Solaris 2.1 - gcc -O2 (gcc 2.5.2) -set_key per sec = 
18558.29 ( 53.9uS) -DES ecb bytes per sec = 240873.90 ( 33.2uS) -DES cbc bytes per sec = 239993.37 ( 33.3uS) -crypt per sec = 1073.67 (931.4uS) - -80486dx/50MHz Solaris 2.1 - cc -xO4 (cc: PC2.0.1 30 April 1993) -set_key per sec = 18302.79 ( 54.6uS) -DES ecb bytes per sec = 242640.29 ( 33.0uS) -DES cbc bytes per sec = 239568.89 ( 33.4uS) -crypt per sec = 1057.92 (945.2uS) - -68030 HP400 -set_key per sec = 5251.28 -DES ecb bytes per sec = 56186.56 -DES cbc bytes per sec = 58681.53 -crypt per sec = 276.15 - -80486sx/33MHz MSDOS Turbo C v 2.0 -set_key per sec = 1883.22 (531.0uS) -DES ecb bytes per sec = 63393.31 (126.2uS) -DES cbc bytes per sec = 63416.83 (126.1uS) -crypt per sec = 158.71 (6300.6uS) - -80486sx/33MHz MSDOS djgpp gcc 1.39 (32bit compiler) -set_key per sec = 12603.08 (79.3) -DES ecb bytes per sec = 158875.15 (50.4) -DES cbc bytes per sec = 159893.85 (50.0) -crypt per sec = 780.24 (1281.7) - -Version 1.99 26/08/92 -8MHz 68000 Atari-ST gcc 2.1 -O2 MiNT 0.94 -set_key per sec = 325.68 (3070.5uS) -DES ecb bytes per sec = 4173.67 (1916.8uS) -DES cbc bytes per sec = 4249.89 (1882.4uS) -crypt per sec = 20.19 (49521.6uS) - -8088/4.77mh MSDOS Turbo C v 2.0 -set_key per sec = 35.09 -DES ecb bytes per sec = 563.63 -crypt per sec = 2.69 diff --git a/crypto/heimdal-0.6.3/lib/des/typemap b/crypto/heimdal-0.6.3/lib/des/typemap deleted file mode 100644 index a524f53634..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/typemap +++ /dev/null 
@@ -1,34 +0,0 @@
-#
-# DES SECTION
-#
-deschar * T_DESCHARP
-des_cblock * T_CBLOCK
-des_cblock T_CBLOCK
-des_key_schedule T_SCHEDULE
-des_key_schedule * T_SCHEDULE
-
-INPUT
-T_CBLOCK
- $var=(des_cblock *)SvPV($arg,len);
- if (len < DES_KEY_SZ)
- {
- croak(\"$var needs to be at least %u bytes long\",DES_KEY_SZ);
- }
-
-T_SCHEDULE
- $var=(des_key_schedule *)SvPV($arg,len);
- if (len < DES_SCHEDULE_SZ)
- {
- croak(\"$var needs to be at least %u bytes long\",
- DES_SCHEDULE_SZ);
- }
-
-OUTPUT
-T_CBLOCK
- sv_setpvn($arg,(char *)$var,DES_KEY_SZ);
-
-T_SCHEDULE
- sv_setpvn($arg,(char *)$var,DES_SCHEDULE_SZ);
-
-T_DESCHARP
- sv_setpvn($arg,(char *)$var,len);
diff --git a/crypto/heimdal-0.6.3/lib/des/version.h b/crypto/heimdal-0.6.3/lib/des/version.h
deleted file mode 100644
index aee11903f3..0000000000
--- a/crypto/heimdal-0.6.3/lib/des/version.h
+++ /dev/null
@@ -1,48 +0,0 @@ -/* lib/des/version.h */ -/* Copyright (C) 1995 Eric Young (eay@mincom.oz.au) - * All rights reserved. - * - * This file is part of an SSL implementation written - * by Eric Young (eay@mincom.oz.au). - * The implementation was written so as to conform with Netscapes SSL - * specification. This library and applications are - * FREE FOR COMMERCIAL AND NON-COMMERCIAL USE - * as long as the following conditions are aheared to. - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. If this code is used in a product, - * Eric Young should be given attribution as the author of the parts used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Eric Young (eay@mincom.oz.au) - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -extern char *DES_version; diff --git a/crypto/heimdal-0.6.3/lib/des/vms.com b/crypto/heimdal-0.6.3/lib/des/vms.com deleted file mode 100644 index 885ea8e36b..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/vms.com +++ /dev/null 
@@ -1,90 +0,0 @@ -$! --- VMS.com --- -$! -$ GoSub defines -$ GoSub linker_options -$ If (P1 .nes. "") -$ Then -$ GoSub 'P1' -$ Else -$ GoSub lib -$ GoSub destest -$ GoSub rpw -$ GoSub speed -$ GoSub des -$ EndIF -$! -$ Exit -$! -$!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -$! -$DEFINES: -$ OPT_FILE := "VAX_LINKER_OPTIONS.OPT" -$! -$ CC_OPTS := "/NODebug/OPTimize/NOWarn" -$! -$ LINK_OPTS := "/NODebug/NOTraceback/Contiguous" -$! -$ OBJS = "cbc_cksm.obj,cbc_enc.obj,ecb_enc.obj,pcbc_enc.obj," + - - "qud_cksm.obj,rand_key.obj,read_pwd.obj,set_key.obj," + - - "str2key.obj,enc_read.obj,enc_writ.obj,fcrypt.obj," + - - "cfb_enc.obj,3ecb_enc.obj,ofb_enc.obj" - - -$! -$ LIBDES = "cbc_cksm.c,cbc_enc.c,ecb_enc.c,enc_read.c," + - - "enc_writ.c,pcbc_enc.c,qud_cksm.c,rand_key.c," + - - "read_pwd.c,set_key.c,str2key.c,fcrypt.c," + - - "cfb_enc.c,3ecb_enc.c,ofb_enc.c" -$ Return -$! -$!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -$! -$LINKER_OPTIONS: -$ If (f$search(OPT_FILE) .eqs. "") -$ Then -$ Create 'OPT_FILE' -$DECK -! Default system options file to link against the sharable C runtime library -! -Sys$Share:VAXcRTL.exe/Share -$EOD -$ EndIF -$ Return -$! -$!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -$! -$LIB: -$ CC 'CC_OPTS' 'LIBDES' -$ If (f$search("LIBDES.OLB") .nes. "") -$ Then Library /Object /Replace libdes 'OBJS' -$ Else Library /Create /Object libdes 'OBJS' -$ EndIF -$ Return -$! -$!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -$! -$DESTEST: -$ CC 'CC_OPTS' destest -$ Link 'link_opts' /Exec=destest destest.obj,libdes/LIBRARY,'opt_file'/Option -$ Return -$! -$!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -$! -$RPW: -$ CC 'CC_OPTS' rpw -$ Link 'link_opts' /Exec=rpw rpw.obj,libdes/LIBRARY,'opt_file'/Option -$ Return -$! -$!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -$! 
-$SPEED: -$ CC 'CC_OPTS' speed -$ Link 'link_opts' /Exec=speed speed.obj,libdes/LIBRARY,'opt_file'/Option -$ Return -$! -$!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -$! -$DES: -$ CC 'CC_OPTS' des -$ Link 'link_opts' /Exec=des des.obj,libdes/LIBRARY,'opt_file'/Option -$ Return diff --git a/crypto/heimdal-0.6.3/lib/des/xcbc_enc.c b/crypto/heimdal-0.6.3/lib/des/xcbc_enc.c deleted file mode 100644 index 6a8626171d..0000000000 --- a/crypto/heimdal-0.6.3/lib/des/xcbc_enc.c +++ /dev/null 
@@ -1,206 +0,0 @@
-/* crypto/des/xcbc_enc.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@mincom.oz.au)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@mincom.oz.au).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@mincom.oz.au).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@mincom.oz.au)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@mincom.oz.au)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include "des_locl.h"
-
-/* RSA's DESX */
-
-static unsigned char desx_white_in2out[256]={
-0xBD,0x56,0xEA,0xF2,0xA2,0xF1,0xAC,0x2A,0xB0,0x93,0xD1,0x9C,0x1B,0x33,0xFD,0xD0,
-0x30,0x04,0xB6,0xDC,0x7D,0xDF,0x32,0x4B,0xF7,0xCB,0x45,0x9B,0x31,0xBB,0x21,0x5A,
-0x41,0x9F,0xE1,0xD9,0x4A,0x4D,0x9E,0xDA,0xA0,0x68,0x2C,0xC3,0x27,0x5F,0x80,0x36,
-0x3E,0xEE,0xFB,0x95,0x1A,0xFE,0xCE,0xA8,0x34,0xA9,0x13,0xF0,0xA6,0x3F,0xD8,0x0C,
-0x78,0x24,0xAF,0x23,0x52,0xC1,0x67,0x17,0xF5,0x66,0x90,0xE7,0xE8,0x07,0xB8,0x60,
-0x48,0xE6,0x1E,0x53,0xF3,0x92,0xA4,0x72,0x8C,0x08,0x15,0x6E,0x86,0x00,0x84,0xFA,
-0xF4,0x7F,0x8A,0x42,0x19,0xF6,0xDB,0xCD,0x14,0x8D,0x50,0x12,0xBA,0x3C,0x06,0x4E,
-0xEC,0xB3,0x35,0x11,0xA1,0x88,0x8E,0x2B,0x94,0x99,0xB7,0x71,0x74,0xD3,0xE4,0xBF,
-0x3A,0xDE,0x96,0x0E,0xBC,0x0A,0xED,0x77,0xFC,0x37,0x6B,0x03,0x79,0x89,0x62,0xC6,
-0xD7,0xC0,0xD2,0x7C,0x6A,0x8B,0x22,0xA3,0x5B,0x05,0x5D,0x02,0x75,0xD5,0x61,0xE3,
-0x18,0x8F,0x55,0x51,0xAD,0x1F,0x0B,0x5E,0x85,0xE5,0xC2,0x57,0x63,0xCA,0x3D,0x6C,
-0xB4,0xC5,0xCC,0x70,0xB2,0x91,0x59,0x0D,0x47,0x20,0xC8,0x4F,0x58,0xE0,0x01,0xE2,
-0x16,0x38,0xC4,0x6F,0x3B,0x0F,0x65,0x46,0xBE,0x7E,0x2D,0x7B,0x82,0xF9,0x40,0xB5,
-0x1D,0x73,0xF8,0xEB,0x26,0xC7,0x87,0x97,0x25,0x54,0xB1,0x28,0xAA,0x98,0x9D,0xA5,
-0x64,0x6D,0x7A,0xD4,0x10,0x81,0x44,0xEF,0x49,0xD6,0xAE,0x2E,0xDD,0x76,0x5C,0x2F,
-0xA7,0x1C,0xC9,0x09,0x69,0x9A,0x83,0xCF,0x29,0x39,0xB9,0xE9,0x4C,0xFF,0x43,0xAB,
- };
-
-void des_xwhite_in2out(des_key,in_white,out_white)
-des_cblock (*des_key);
-des_cblock (*in_white);
-des_cblock (*out_white);
- {
- unsigned char *key,*in,*out;
- int out0,out1;
- int i;
-
- key=(unsigned char *)des_key;
- in=(unsigned char *)in_white;
- out=(unsigned char *)out_white;
-
- out[0]=out[1]=out[2]=out[3]=out[4]=out[5]=out[6]=out[7]=0;
- out0=out1=0;
- for (i=0; i<8; i++)
- {
- out[i]=key[i]^desx_white_in2out[out0^out1];
- out0=out1;
- out1=(int)out[i&0x07];
- }
-
- out0=out[0];
- out1=out[i];
- for (i=0; i<8; i++)
- {
- out[i]=in[i]^desx_white_in2out[out0^out1];
- out0=out1;
- out1=(int)out[i&0x07];
- }
- }
-
-void des_xcbc_encrypt(input, output, length, schedule, ivec, inw,outw,encrypt)
-des_cblock (*input);
-des_cblock (*output);
-long length;
-des_key_schedule schedule;
-des_cblock (*ivec);
-des_cblock (*inw);
-des_cblock (*outw);
-int encrypt;
- {
- register DES_LONG tin0,tin1;
- register DES_LONG tout0,tout1,xor0,xor1;
- register DES_LONG inW0,inW1,outW0,outW1;
- register unsigned char *in,*out;
- register long l=length;
- DES_LONG tin[2];
- unsigned char *iv;
-
- in=(unsigned char *)inw;
- c2l(in,inW0);
- c2l(in,inW1);
- in=(unsigned char *)outw;
- c2l(in,outW0);
- c2l(in,outW1);
-
- in=(unsigned char *)input;
- out=(unsigned char *)output;
- iv=(unsigned char *)ivec;
-
- if (encrypt)
- {
- c2l(iv,tout0);
- c2l(iv,tout1);
- for (l-=8; l>=0; l-=8)
- {
- c2l(in,tin0);
- c2l(in,tin1);
- tin0^=tout0^inW0; tin[0]=tin0;
- tin1^=tout1^inW1; tin[1]=tin1;
- des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT);
- tout0=tin[0]^outW0; l2c(tout0,out);
- tout1=tin[1]^outW1; l2c(tout1,out);
- }
- if (l != -8)
- {
- c2ln(in,tin0,tin1,l+8);
- tin0^=tout0^inW0; tin[0]=tin0;
- tin1^=tout1^inW1; tin[1]=tin1;
- des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT);
- tout0=tin[0]^outW0; l2c(tout0,out);
- tout1=tin[1]^outW1; l2c(tout1,out);
- }
- iv=(unsigned char *)ivec;
- l2c(tout0,iv);
- l2c(tout1,iv);
- }
- else
- {
- c2l(iv,xor0);
- c2l(iv,xor1);
- for (l-=8; l>0; l-=8)
- {
- c2l(in,tin0); tin[0]=tin0^outW0;
- c2l(in,tin1); tin[1]=tin1^outW1;
- des_encrypt((DES_LONG *)tin,schedule,DES_DECRYPT);
- tout0=tin[0]^xor0^inW0;
- tout1=tin[1]^xor1^inW1;
- l2c(tout0,out);
- l2c(tout1,out);
- xor0=tin0;
- xor1=tin1;
- }
- if (l != -8)
- {
- c2l(in,tin0); tin[0]=tin0^outW0;
- c2l(in,tin1); tin[1]=tin1^outW1;
- des_encrypt((DES_LONG *)tin,schedule,DES_DECRYPT);
- tout0=tin[0]^xor0^inW0;
- tout1=tin[1]^xor1^inW1;
- l2cn(tout0,tout1,out,l+8);
- xor0=tin0;
- xor1=tin1;
- }
-
- iv=(unsigned char *)ivec;
- l2c(xor0,iv);
- l2c(xor1,iv);
- }
- tin0=tin1=tout0=tout1=xor0=xor1=0;
- inW0=inW1=outW0=outW1=0;
- tin[0]=tin[1]=0;
- }
-
diff --git a/crypto/heimdal-0.6.3/lib/editline/ChangeLog b/crypto/heimdal-0.6.3/lib/editline/ChangeLog
deleted file mode 100644
index 3773f8c6b9..0000000000
--- a/crypto/heimdal-0.6.3/lib/editline/ChangeLog
+++ /dev/null
@@ -1,108 +0,0 @@
-2002-08-22 Assar Westerlund
-
- * testit.c: make it use getarg so that it can handle --help and
- --version (and thus make check can pass)
-
-2001-09-13 Assar Westerlund
-
- * editline.c: rename STATUS -> el_STATUS to avoid conflict with
- STATUS in arpa/nameser.h
-
-2000-11-15 Assar Westerlund
-
- * Makefile.am: make libeditline and libel_compat into libtool
- libraries but always make them static
-
-2000-03-01 Assar Westerlund
-
- * edit_compat.c (readline): be more liberal in what we accept from
- el_gets. if count == 0 -> interpret it as EOF. also copy the
- string first and then cut of the newline, it's cleaner
-
-1999-12-23 Assar Westerlund
-
- * editline.c (TTYinfo): add fallback if we fail to find "le" in
- termcap.
-
-1999-08-06 Assar Westerlund
-
- * editline.c (TTYinfo): copy backspace string to avoid referencing
- into a local variable.
-
-1999-08-04 Assar Westerlund
-
- * Makefile.am: don't run testit in `make check'
-
-1999-04-11 Assar Westerlund
-
- * Makefile.am: don't run testit as a check
-
-Sat Apr 10 23:01:18 1999 Johan Danielsson
-
- * complete.c (rl_complete_filename): return if there were no
- matches
-
-Thu Apr 8 15:08:25 1999 Johan Danielsson
-
- * Makefile.in: snprintf
-
- * roken_rename.h: add snprintf, asprintf
-
- * Makefile.am: build testit
-
- * complete.c: nuke NEW, DISPOSE, RENEW, and COPYFROMTO macros;
- (rl_complete): call rl_list_possib instead of doing the same
-
- * editline.h: nuke NEW, DISPOSE, RENEW, and COPYFROMTO macros
-
- * editline.c: nuke NEW, DISPOSE, RENEW, and COPYFROMTO macros
-
- * sysunix.c: add some whitespace
-
-Thu Mar 18 11:22:55 1999 Johan Danielsson
-
- * Makefile.am: include Makefile.am.common
-
-Tue Mar 16 17:10:34 1999 Johan Danielsson
-
- * editline.c: remove protos for read/write
-
-Sat Mar 13 22:23:22 1999 Assar Westerlund
-
- * : add
-
-Sun Nov 22 10:40:28 1998 Assar Westerlund
-
- * Makefile.in (WFLAGS): set
-
-Tue Sep 29 02:09:15 1998 Assar Westerlund
-
- * Makefile.in (LIB_DEPS): add LIB_tgetent
-
-Thu Jul 2 15:10:08 1998 Johan Danielsson
-
- * edit_compat.c: support for newer libedit
-
-Tue Jun 30 17:18:09 1998 Assar Westerlund
-
- * Makefile.in (distclean): don't remove roken_rename.h
-
-Fri May 29 19:03:38 1998 Assar Westerlund
-
- * Makefile.in (strdup.c): remove dependency
-
-Mon May 25 05:25:16 1998 Assar Westerlund
-
- * Makefile.in (clean): try to remove shared library debris
-
-Sun Apr 19 09:53:46 1998 Assar Westerlund
-
- * Makefile.in: add symlink magic for linux
-
-Sat Feb 7 07:24:30 1998 Assar Westerlund
-
- * editline.h: add prototypes
-
-Tue Feb 3 10:24:22 1998 Johan Danielsson
-
- * editline.c: If read returns EINTR, try again.
diff --git a/crypto/heimdal-0.6.3/lib/editline/Makefile.am b/crypto/heimdal-0.6.3/lib/editline/Makefile.am
deleted file mode 100644
index 5500d2664f..0000000000
--- a/crypto/heimdal-0.6.3/lib/editline/Makefile.am
+++ /dev/null
@@ -1,53 +0,0 @@
-# $Id: Makefile.am,v 1.13 2002/08/13 13:48:15 joda Exp $
-
-include $(top_srcdir)/Makefile.am.common
-
-if do_roken_rename
-ES = snprintf.c strdup.c
-endif
-
-INCLUDES += $(ROKEN_RENAME)
-
-man_MANS = editline.3
-
-lib_LTLIBRARIES = libeditline.la
-if el_compat
-noinst_LTLIBRARIES = libel_compat.la
-else
-noinst_LTLIBRARIES =
-endif
-
-noinst_PROGRAMS = testit
-
-CHECK_LOCAL =
-
-testit_LDADD = \
- libeditline.la \
- $(LIB_tgetent) \
- $(LIB_roken)
-
-include_HEADERS = editline.h
-
-libeditline_la_SOURCES = \
- complete.c \
- editline.c \
- sysunix.c \
- editline.h \
- roken_rename.h \
- unix.h \
- $(EXTRA_SOURCE)
-
-libeditline_la_LDFLAGS = -static
-
-EXTRA_SOURCE = $(ES)
-
-libel_compat_la_SOURCES = edit_compat.c
-
-libel_compat_la_LDFLAGS = -static
-
-EXTRA_DIST = $(man_MANS)
-
-snprintf.c:
- $(LN_S) $(srcdir)/../roken/snprintf.c .
-strdup.c:
- $(LN_S) $(srcdir)/../roken/strdup.c .
diff --git a/crypto/heimdal-0.6.3/lib/editline/Makefile.in b/crypto/heimdal-0.6.3/lib/editline/Makefile.in
deleted file mode 100644
index e7c3a4903f..0000000000
--- a/crypto/heimdal-0.6.3/lib/editline/Makefile.in
+++ /dev/null
@@ -1,892 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.13 2002/08/13 13:48:15 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - - - -SOURCES = $(libeditline_la_SOURCES) $(libel_compat_la_SOURCES) testit.c - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../.. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = README $(include_HEADERS) $(srcdir)/Makefile.am \ - $(srcdir)/Makefile.in $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common ChangeLog -noinst_PROGRAMS = testit$(EXEEXT) -subdir = lib/editline -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - 
$(top_srcdir)/cf/krb-readline.m4 \ - $(top_srcdir)/cf/krb-struct-spwd.m4 \ - $(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(includedir)" -libLTLIBRARIES_INSTALL = $(INSTALL) -LTLIBRARIES = $(lib_LTLIBRARIES) $(noinst_LTLIBRARIES) -libeditline_la_LIBADD = -am__libeditline_la_SOURCES_DIST = complete.c editline.c sysunix.c \ - editline.h roken_rename.h unix.h snprintf.c strdup.c -@do_roken_rename_TRUE@am__objects_1 = snprintf.lo strdup.lo -am__objects_2 = $(am__objects_1) -am_libeditline_la_OBJECTS = complete.lo editline.lo sysunix.lo \ - $(am__objects_2) -libeditline_la_OBJECTS = $(am_libeditline_la_OBJECTS) -libel_compat_la_LIBADD = -am_libel_compat_la_OBJECTS = edit_compat.lo -libel_compat_la_OBJECTS = $(am_libel_compat_la_OBJECTS) -PROGRAMS = $(noinst_PROGRAMS) -testit_SOURCES = testit.c -testit_OBJECTS = testit.$(OBJEXT) -am__DEPENDENCIES_1 = -testit_DEPENDENCIES = libeditline.la $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -SOURCES = $(libeditline_la_SOURCES) $(libel_compat_la_SOURCES) \ - testit.c -DIST_SOURCES = $(am__libeditline_la_SOURCES_DIST) \ - $(libel_compat_la_SOURCES) testit.c -man3dir = $(mandir)/man3 -MANS = $(man_MANS) -includeHEADERS_INSTALL = $(INSTALL_HEADER) -HEADERS = $(include_HEADERS) -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = 
@HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ 
-LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor 
= @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(ROKEN_RENAME) -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = 
$(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -@do_roken_rename_TRUE@ES = snprintf.c strdup.c -man_MANS = editline.3 -lib_LTLIBRARIES = libeditline.la -@el_compat_FALSE@noinst_LTLIBRARIES = -@el_compat_TRUE@noinst_LTLIBRARIES = libel_compat.la -CHECK_LOCAL = -testit_LDADD = \ - libeditline.la \ - $(LIB_tgetent) \ - $(LIB_roken) - -include_HEADERS = editline.h -libeditline_la_SOURCES = \ - complete.c \ - editline.c \ - sysunix.c \ - editline.h \ - roken_rename.h \ - unix.h \ - $(EXTRA_SOURCE) - -libeditline_la_LDFLAGS = -static -EXTRA_SOURCE = $(ES) -libel_compat_la_SOURCES = edit_compat.c -libel_compat_la_LDFLAGS = -static -EXTRA_DIST = $(man_MANS) -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps lib/editline/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps lib/editline/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' 
in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -install-libLTLIBRARIES: $(lib_LTLIBRARIES) - @$(NORMAL_INSTALL) - test -z "$(libdir)" || $(mkdir_p) "$(DESTDIR)$(libdir)" - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - if test -f $$p; then \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \ - $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \ - else :; fi; \ - done - -uninstall-libLTLIBRARIES: - @$(NORMAL_UNINSTALL) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - p="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \ - $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \ - done - -clean-libLTLIBRARIES: - -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ - test "$$dir" = "$$p" && dir=.; \ - echo "rm -f \"$${dir}/so_locations\""; \ - rm -f "$${dir}/so_locations"; \ - done - -clean-noinstLTLIBRARIES: - -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) - @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ - dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ - test "$$dir" = "$$p" && 
dir=.; \ - echo "rm -f \"$${dir}/so_locations\""; \ - rm -f "$${dir}/so_locations"; \ - done -libeditline.la: $(libeditline_la_OBJECTS) $(libeditline_la_DEPENDENCIES) - $(LINK) -rpath $(libdir) $(libeditline_la_LDFLAGS) $(libeditline_la_OBJECTS) $(libeditline_la_LIBADD) $(LIBS) -libel_compat.la: $(libel_compat_la_OBJECTS) $(libel_compat_la_DEPENDENCIES) - $(LINK) $(libel_compat_la_LDFLAGS) $(libel_compat_la_OBJECTS) $(libel_compat_la_LIBADD) $(LIBS) - -clean-noinstPROGRAMS: - @list='$(noinst_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -testit$(EXEEXT): $(testit_OBJECTS) $(testit_DEPENDENCIES) - @rm -f testit$(EXEEXT) - $(LINK) $(testit_LDFLAGS) $(testit_OBJECTS) $(testit_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c $< - -.c.obj: - $(COMPILE) -c `$(CYGPATH_W) '$<'` - -.c.lo: - $(LTCOMPILE) -c -o $@ $< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -install-man3: $(man3_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - test -z "$(man3dir)" || $(mkdir_p) "$(DESTDIR)$(man3dir)" - @list='$(man3_MANS) $(dist_man3_MANS) $(nodist_man3_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.3*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 3*) ;; \ - *) ext='3' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man3dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man3dir)/$$inst"; \ - done -uninstall-man3: - @$(NORMAL_UNINSTALL) - @list='$(man3_MANS) 
$(dist_man3_MANS) $(nodist_man3_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.3*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 3*) ;; \ - *) ext='3' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f '$(DESTDIR)$(man3dir)/$$inst'"; \ - rm -f "$(DESTDIR)$(man3dir)/$$inst"; \ - done -install-includeHEADERS: $(include_HEADERS) - @$(NORMAL_INSTALL) - test -z "$(includedir)" || $(mkdir_p) "$(DESTDIR)$(includedir)" - @list='$(include_HEADERS)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \ - $(includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \ - done - -uninstall-includeHEADERS: - @$(NORMAL_UNINSTALL) - @list='$(include_HEADERS)'; for p in $$list; do \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " rm -f '$(DESTDIR)$(includedir)/$$f'"; \ - rm -f "$(DESTDIR)$(includedir)/$$f"; \ - done - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) 
$(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/../.. $(distdir)/../../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(MANS) $(HEADERS) \ - all-local -installdirs: - for dir in "$(DESTDIR)$(libdir)" 
"$(DESTDIR)$(man3dir)" "$(DESTDIR)$(includedir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ - clean-noinstLTLIBRARIES clean-noinstPROGRAMS mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: install-includeHEADERS install-man - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: install-libLTLIBRARIES - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man3 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-includeHEADERS uninstall-info-am \ - uninstall-libLTLIBRARIES uninstall-man - -uninstall-man: uninstall-man3 - -.PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \ - clean 
clean-generic clean-libLTLIBRARIES clean-libtool \ - clean-noinstLTLIBRARIES clean-noinstPROGRAMS ctags distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am html html-am info info-am \ - install install-am install-data install-data-am install-exec \ - install-exec-am install-includeHEADERS install-info \ - install-info-am install-libLTLIBRARIES install-man \ - install-man3 install-strip installcheck installcheck-am \ - installdirs maintainer-clean maintainer-clean-generic \ - mostlyclean mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool pdf pdf-am ps ps-am tags uninstall \ - uninstall-am uninstall-includeHEADERS uninstall-info-am \ - uninstall-libLTLIBRARIES uninstall-man uninstall-man3 - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all 
tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: 
install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -snprintf.c: - $(LN_S) $(srcdir)/../roken/snprintf.c . -strdup.c: - $(LN_S) $(srcdir)/../roken/strdup.c . -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal-0.6.3/lib/editline/README b/crypto/heimdal-0.6.3/lib/editline/README deleted file mode 100644 index 829db995b8..0000000000 --- a/crypto/heimdal-0.6.3/lib/editline/README +++ /dev/null 
@@ -1,45 +0,0 @@
-$Revision: 1.1 $
-
-This is a line-editing library. It can be linked into almost any
-program to provide command-line editing and recall.
-
-It is call-compatible with the FSF readline library, but it is a
-fraction of the size (and offers fewer features). It does not use
-standard I/O. It is distributed under a "C News-like" copyright.
-
-Configuration is done in the Makefile. Type "make testit" to get
-a small slow shell for testing.
-
-An earlier version was distributed with Byron's rc. Principal
-changes over that version include:
- Faster.
- Is eight-bit clean (thanks to brendan@cs.widener.edu)
- Written in K&R C, but ANSI compliant (gcc all warnings)
- Propagates EOF properly; rc trip test now passes
- Doesn't need or use or provide memmove.
- More robust
- Calling sequence changed to be compatible with readline.
- Test program, new manpage, better configuration
- More system-independant; includes Unix and OS-9 support.
-
-Enjoy,
- Rich $alz
-
-
- Copyright 1992 Simmule Turner and Rich Salz. All rights reserved.
-
- This software is not subject to any license of the American Telephone
- and Telegraph Company or of the Regents of the University of California.
-
- Permission is granted to anyone to use this software for any purpose on
- any computer system, and to alter it and redistribute it freely, subject
- to the following restrictions:
- 1. The authors are not responsible for the consequences of use of this
- software, no matter how awful, even if they arise from flaws in it.
- 2. The origin of this software must not be misrepresented, either by
- explicit claim or by omission. Since few users ever read sources,
- credits must appear in the documentation.
- 3. Altered versions must be plainly marked as such, and must not be
- misrepresented as being the original software. Since few users
- ever read sources, credits must appear in the documentation.
- 4. This notice may not be removed or altered.
diff --git a/crypto/heimdal-0.6.3/lib/editline/complete.c b/crypto/heimdal-0.6.3/lib/editline/complete.c
deleted file mode 100644
index d2a311d25e..0000000000
--- a/crypto/heimdal-0.6.3/lib/editline/complete.c
+++ /dev/null
@@ -1,243 +0,0 @@ -/* Copyright 1992 Simmule Turner and Rich Salz. All rights reserved. - * - * This software is not subject to any license of the American Telephone - * and Telegraph Company or of the Regents of the University of California. - * - * Permission is granted to anyone to use this software for any purpose on - * any computer system, and to alter it and redistribute it freely, subject - * to the following restrictions: - * 1. The authors are not responsible for the consequences of use of this - * software, no matter how awful, even if they arise from flaws in it. - * 2. The origin of this software must not be misrepresented, either by - * explicit claim or by omission. Since few users ever read sources, - * credits must appear in the documentation. - * 3. Altered versions must be plainly marked as such, and must not be - * misrepresented as being the original software. Since few users - * ever read sources, credits must appear in the documentation. - * 4. This notice may not be removed or altered. - */ - -/* -** History and file completion functions for editline library. -*/ -#include -#include "editline.h" - -RCSID("$Id: complete.c,v 1.5 1999/04/10 21:01:16 joda Exp $"); - -/* -** strcmp-like sorting predicate for qsort. -*/ -static int -compare(const void *p1, const void *p2) -{ - const char **v1; - const char **v2; - - v1 = (const char **)p1; - v2 = (const char **)p2; - return strcmp(*v1, *v2); -} - -/* -** Fill in *avp with an array of names that match file, up to its length. -** Ignore . and .. . -*/ -static int -FindMatches(char *dir, char *file, char ***avp) -{ - char **av; - char **new; - char *p; - DIR *dp; - DIRENTRY *ep; - size_t ac; - size_t len; - - if ((dp = opendir(dir)) == NULL) - return 0; - - av = NULL; - ac = 0; - len = strlen(file); - while ((ep = readdir(dp)) != NULL) { - p = ep->d_name; - if (p[0] == '.' && (p[1] == '\0' || (p[1] == '.' 
&& p[2] == '\0'))) - continue; - if (len && strncmp(p, file, len) != 0) - continue; - - if ((ac % MEM_INC) == 0) { - if ((new = malloc(sizeof(char*) * (ac + MEM_INC))) == NULL) - break; - if (ac) { - memcpy(new, av, ac * sizeof (char **)); - free(av); - } - *avp = av = new; - } - - if ((av[ac] = strdup(p)) == NULL) { - if (ac == 0) - free(av); - break; - } - ac++; - } - - /* Clean up and return. */ - (void)closedir(dp); - if (ac) - qsort(av, ac, sizeof (char **), compare); - return ac; -} - -/* -** Split a pathname into allocated directory and trailing filename parts. -*/ -static int SplitPath(char *path, char **dirpart, char **filepart) -{ - static char DOT[] = "."; - char *dpart; - char *fpart; - - if ((fpart = strrchr(path, '/')) == NULL) { - if ((dpart = strdup(DOT)) == NULL) - return -1; - if ((fpart = strdup(path)) == NULL) { - free(dpart); - return -1; - } - } - else { - if ((dpart = strdup(path)) == NULL) - return -1; - dpart[fpart - path] = '\0'; - if ((fpart = strdup(++fpart)) == NULL) { - free(dpart); - return -1; - } - } - *dirpart = dpart; - *filepart = fpart; - return 0; -} - -/* -** Attempt to complete the pathname, returning an allocated copy. -** Fill in *unique if we completed it, or set it to 0 if ambiguous. -*/ - -static char * -rl_complete_filename(char *pathname, int *unique) -{ - char **av; - char *new; - char *p; - size_t ac; - size_t end; - size_t i; - size_t j; - size_t len; - char *s; - - ac = rl_list_possib(pathname, &av); - if(ac == 0) - return NULL; - - s = strrchr(pathname, '/'); - if(s == NULL) - len = strlen(pathname); - else - len = strlen(s + 1); - - p = NULL; - if (ac == 1) { - /* Exactly one match -- finish it off. */ - *unique = 1; - j = strlen(av[0]) - len + 2; - if ((p = malloc(j + 1)) != NULL) { - memcpy(p, av[0] + len, j); - asprintf(&new, "%s%s", pathname, p); - if(new != NULL) { - rl_add_slash(new, p); - free(new); - } - } - } - else { - *unique = 0; - if (len) { - /* Find largest matching substring. 
*/ - for (i = len, end = strlen(av[0]); i < end; i++) - for (j = 1; j < ac; j++) - if (av[0][i] != av[j][i]) - goto breakout; - breakout: - if (i > len) { - j = i - len + 1; - if ((p = malloc(j)) != NULL) { - memcpy(p, av[0] + len, j); - p[j - 1] = '\0'; - } - } - } - } - - /* Clean up and return. */ - for (i = 0; i < ac; i++) - free(av[i]); - free(av); - return p; -} - -static rl_complete_func_t complete_func = rl_complete_filename; - -char * -rl_complete(char *pathname, int *unique) -{ - return (*complete_func)(pathname, unique); -} - -rl_complete_func_t -rl_set_complete_func(rl_complete_func_t func) -{ - rl_complete_func_t old = complete_func; - complete_func = func; - return old; -} - - -/* -** Return all possible completions. -*/ -static int -rl_list_possib_filename(char *pathname, char ***avp) -{ - char *dir; - char *file; - int ac; - - if (SplitPath(pathname, &dir, &file) < 0) - return 0; - ac = FindMatches(dir, file, avp); - free(dir); - free(file); - return ac; -} - -static rl_list_possib_func_t list_possib_func = rl_list_possib_filename; - -int -rl_list_possib(char *pathname, char ***avp) -{ - return (*list_possib_func)(pathname, avp); -} - -rl_list_possib_func_t -rl_set_list_possib_func(rl_list_possib_func_t func) -{ - rl_list_possib_func_t old = list_possib_func; - list_possib_func = func; - return old; -} diff --git a/crypto/heimdal-0.6.3/lib/editline/edit_compat.c b/crypto/heimdal-0.6.3/lib/editline/edit_compat.c deleted file mode 100644 index e0f4962802..0000000000 --- a/crypto/heimdal-0.6.3/lib/editline/edit_compat.c +++ /dev/null 
@@ -1,120 +0,0 @@ -/* - * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include -#include -#include -#include - -#include "edit_compat.h" - -RCSID("$Id: edit_compat.c,v 1.9 2001/08/29 00:24:33 assar Exp $"); - -void -rl_reset_terminal(char *p) -{ -} - -void -rl_initialize(void) -{ -} - -static const char *pr; -static const char* ret_prompt(EditLine *e) -{ - return pr; -} - -static History *h; - -#ifdef H_SETSIZE -#define EL_INIT_FOUR 1 -#else -#ifdef H_SETMAXSIZE -/* backwards compatibility */ -#define H_SETSIZE H_SETMAXSIZE -#endif -#endif - -char * -readline(const char* prompt) -{ - static EditLine *e; -#ifdef H_SETSIZE - HistEvent ev; -#endif - int count; - const char *str; - - if(e == NULL){ -#ifdef EL_INIT_FOUR - e = el_init("", stdin, stdout, stderr); -#else - e = el_init("", stdin, stdout); -#endif - el_set(e, EL_PROMPT, ret_prompt); - h = history_init(); -#ifdef H_SETSIZE - history(h, &ev, H_SETSIZE, 25); -#else - history(h, H_EVENT, 25); -#endif - el_set(e, EL_HIST, history, h); - el_set(e, EL_EDITOR, "emacs"); /* XXX? */ - } - pr = prompt ? prompt : ""; - str = el_gets(e, &count); - if (str && count > 0) { - char *ret = strdup (str); - - if (ret == NULL) - return NULL; - - if (ret[strlen(ret) - 1] == '\n') - ret[strlen(ret) - 1] = '\0'; - return ret; - } - return NULL; -} - -void -add_history(char *p) -{ -#ifdef H_SETSIZE - HistEvent ev; - history(h, &ev, H_ENTER, p); -#else - history(h, H_ENTER, p); -#endif -} diff --git a/crypto/heimdal-0.6.3/lib/editline/edit_compat.h b/crypto/heimdal-0.6.3/lib/editline/edit_compat.h deleted file mode 100644 index c0c40fe983..0000000000 --- a/crypto/heimdal-0.6.3/lib/editline/edit_compat.h +++ /dev/null 
@@ -1,44 +0,0 @@
-/*
- * Copyright (c) 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: edit_compat.h,v 1.1 2001/08/29 00:24:33 assar Exp $ */
-
-#ifndef _EDIT_COMPAT_H
-#define _EDIT_COMPAT_H
-
-void rl_reset_terminal(char *p);
-void rl_initialize(void);
-char *readline(const char *prompt);
-void add_history(char *p);
-
-#endif /* _EDIT_COMPAT_H */
diff --git a/crypto/heimdal-0.6.3/lib/editline/editline.3 b/crypto/heimdal-0.6.3/lib/editline/editline.3
deleted file mode 100644
index 6e30a09d91..0000000000
--- a/crypto/heimdal-0.6.3/lib/editline/editline.3
+++ /dev/null
@@ -1,175 +0,0 @@ -.\" $Revision: 1.2 $ -.TH EDITLINE 3 -.SH NAME -editline \- command-line editing library with history -.SH SYNOPSIS -.nf -.B "char *" -.B "readline(prompt)" -.B " char *prompt;" - -.B "void" -.B "add_history(line)" -.B " char *line;" -.fi -.SH DESCRIPTION -.I Editline -is a library that provides an line-editing interface with text recall. -It is intended to be compatible with the -.I readline -library provided by the Free Software Foundation, but much smaller. -The bulk of this manual page describes the user interface. -.PP -The -.I readline -routine returns a line of text with the trailing newline removed. -The data is returned in a buffer allocated with -.IR malloc (3), -so the space should be released with -.IR free (3) -when the calling program is done with it. -Before accepting input from the user, the specified -.I prompt -is displayed on the terminal. -.PP -The -.I add_history -routine makes a copy of the specified -.I line -and adds it to the internal history list. -.SS "User Interface" -A program that uses this library provides a simple emacs-like editing -interface to its users. -A line may be edited before it is sent to the calling program by typing either -control characters or escape sequences. -A control character, shown as a caret followed by a letter, is typed by -holding down the ``control'' key while the letter is typed. -For example, ``^A'' is a control-A. -An escape sequence is entered by typing the ``escape'' key followed by one or -more characters. -The escape key is abbreviated as ``ESC.'' -Note that unlike control keys, case matters in escape sequences; ``ESC\ F'' -is not the same as ``ESC\ f''. -.PP -An editing command may be typed anywhere on the line, not just at the -beginning. -In addition, a return may also be typed anywhere on the line, not just at -the end. -.PP -Most editing commands may be given a repeat count, -.IR n , -where -.I n -is a number. 
-To enter a repeat count, type the escape key, the number, and then -the command to execute. -For example, ``ESC\ 4\ ^f'' moves forward four characters. -If a command may be given a repeat count then the text ``[n]'' is given at the -end of its description. -.PP -The following control characters are accepted: -.RS -.nf -.ta \w'ESC DEL 'u -^A Move to the beginning of the line -^B Move left (backwards) [n] -^D Delete character [n] -^E Move to end of line -^F Move right (forwards) [n] -^G Ring the bell -^H Delete character before cursor (backspace key) [n] -^I Complete filename (tab key); see below -^J Done with line (return key) -^K Kill to end of line (or column [n]) -^L Redisplay line -^M Done with line (alternate return key) -^N Get next line from history [n] -^P Get previous line from history [n] -^R Search backward (forward if [n]) through history for text; -\& must start line if text begins with an uparrow -^T Transpose characters -^V Insert next character, even if it is an edit command -^W Wipe to the mark -^X^X Exchange current location and mark -^Y Yank back last killed text -^[ Start an escape sequence (escape key) -^]c Move forward to next character ``c'' -^? Delete character before cursor (delete key) [n] -.fi -.RE -.PP -The following escape sequences are provided. -.RS -.nf -.ta \w'ESC DEL 'u -ESC\ ^H Delete previous word (backspace key) [n] -ESC\ DEL Delete previous word (delete key) [n] -ESC\ SP Set the mark (space key); see ^X^X and ^Y above -ESC\ \. Get the last (or [n]'th) word from previous line -ESC\ ? 
Show possible completions; see below -ESC\ < Move to start of history -ESC\ > Move to end of history -ESC\ b Move backward a word [n] -ESC\ d Delete word under cursor [n] -ESC\ f Move forward a word [n] -ESC\ l Make word lowercase [n] -ESC\ u Make word uppercase [n] -ESC\ y Yank back last killed text -ESC\ v Show library version -ESC\ w Make area up to mark yankable -ESC\ nn Set repeat count to the number nn -ESC\ C Read from environment variable ``_C_'', where C is -\& an uppercase letter -.fi -.RE -.PP -The -.I editline -library has a small macro facility. -If you type the escape key followed by an uppercase letter, -.IR C , -then the contents of the environment variable -.I _C_ -are read in as if you had typed them at the keyboard. -For example, if the variable -.I _L_ -contains the following: -.RS -^A^Kecho '^V^[[H^V^[[2J'^M -.RE -Then typing ``ESC L'' will move to the beginning of the line, kill the -entire line, enter the echo command needed to clear the terminal (if your -terminal is like a VT-100), and send the line back to the shell. -.PP -The -.I editline -library also does filename completion. -Suppose the root directory has the following files in it: -.RS -.nf -.ta \w'core 'u -bin vmunix -core vmunix.old -.fi -.RE -If you type ``rm\ /v'' and then the tab key. -.I Editline -will then finish off as much of the name as possible by adding ``munix''. -Because the name is not unique, it will then beep. -If you type the escape key and a question mark, it will display the -two choices. -If you then type a period and a tab, the library will finish off the filename -for you: -.RS -.nf -.RI "rm /v[TAB]" munix .TAB old -.fi -.RE -The tab key is shown by ``[TAB]'' and the automatically-entered text -is shown in italics. -.SH "BUGS AND LIMITATIONS" -Cannot handle lines more than 80 columns. -.SH AUTHORS -Simmule R. Turner -and Rich $alz . -Original manual page by DaviD W. Sanderson . 
diff --git a/crypto/heimdal-0.6.3/lib/editline/editline.c b/crypto/heimdal-0.6.3/lib/editline/editline.c
deleted file mode 100644
index 24fa8464a9..0000000000
--- a/crypto/heimdal-0.6.3/lib/editline/editline.c
+++ /dev/null
@@ -1,1376 +0,0 @@ -/* Copyright 1992 Simmule Turner and Rich Salz. All rights reserved. - * - * This software is not subject to any license of the American Telephone - * and Telegraph Company or of the Regents of the University of California. - * - * Permission is granted to anyone to use this software for any purpose on - * any computer system, and to alter it and redistribute it freely, subject - * to the following restrictions: - * 1. The authors are not responsible for the consequences of use of this - * software, no matter how awful, even if they arise from flaws in it. - * 2. The origin of this software must not be misrepresented, either by - * explicit claim or by omission. Since few users ever read sources, - * credits must appear in the documentation. - * 3. Altered versions must be plainly marked as such, and must not be - * misrepresented as being the original software. Since few users - * ever read sources, credits must appear in the documentation. - * 4. This notice may not be removed or altered. - */ - -/* -** Main editing routines for editline library. -*/ -#include -#include "editline.h" -#include -#include - -RCSID("$Id: editline.c,v 1.10 2001/09/13 01:19:54 assar Exp $"); - -/* -** Manifest constants. -*/ -#define SCREEN_WIDTH 80 -#define SCREEN_ROWS 24 -#define NO_ARG (-1) -#define DEL 127 -#define CTL(x) ((x) & 0x1F) -#define ISCTL(x) ((x) && (x) < ' ') -#define UNCTL(x) ((x) + 64) -#define META(x) ((x) | 0x80) -#define ISMETA(x) ((x) & 0x80) -#define UNMETA(x) ((x) & 0x7F) -#if !defined(HIST_SIZE) -#define HIST_SIZE 20 -#endif /* !defined(HIST_SIZE) */ - -/* -** Command status codes. -*/ -typedef enum _el_STATUS { - CSdone, CSeof, CSmove, CSdispatch, CSstay -} el_STATUS; - -/* -** The type of case-changing to perform. -*/ -typedef enum _CASE { - TOupper, TOlower -} CASE; - -/* -** Key to command mapping. -*/ -typedef struct _KEYMAP { - unsigned char Key; - el_STATUS (*Function)(); -} KEYMAP; - -/* -** Command history structure. 
-*/ -typedef struct _HISTORY { - int Size; - int Pos; - unsigned char *Lines[HIST_SIZE]; -} HISTORY; - -/* -** Globals. -*/ -int rl_eof; -int rl_erase; -int rl_intr; -int rl_kill; - -static unsigned char NIL[] = ""; -static const unsigned char *Input = NIL; -static unsigned char *Line; -static const char *Prompt; -static unsigned char *Yanked; -static char *Screen; -static char NEWLINE[]= CRLF; -static HISTORY H; -int rl_quit; -static int Repeat; -static int End; -static int Mark; -static int OldPoint; -static int Point; -static int PushBack; -static int Pushed; -static KEYMAP Map[33]; -static KEYMAP MetaMap[16]; -static size_t Length; -static size_t ScreenCount; -static size_t ScreenSize; -static char *backspace; -static int TTYwidth; -static int TTYrows; - -/* Display print 8-bit chars as `M-x' or as the actual 8-bit char? */ -int rl_meta_chars = 1; - -/* -** Declarations. -*/ -static unsigned char *editinput(void); -char *tgetstr(const char*, char**); -int tgetent(char*, const char*); -int tgetnum(const char*); - -/* -** TTY input/output functions. 
-*/ - -static void -TTYflush() -{ - if (ScreenCount) { - write(1, Screen, ScreenCount); - ScreenCount = 0; - } -} - -static void -TTYput(unsigned char c) -{ - Screen[ScreenCount] = c; - if (++ScreenCount >= ScreenSize - 1) { - ScreenSize += SCREEN_INC; - Screen = realloc(Screen, ScreenSize); - } -} - -static void -TTYputs(const char *p) -{ - while (*p) - TTYput(*p++); -} - -static void -TTYshow(unsigned char c) -{ - if (c == DEL) { - TTYput('^'); - TTYput('?'); - } - else if (ISCTL(c)) { - TTYput('^'); - TTYput(UNCTL(c)); - } - else if (rl_meta_chars && ISMETA(c)) { - TTYput('M'); - TTYput('-'); - TTYput(UNMETA(c)); - } - else - TTYput(c); -} - -static void -TTYstring(unsigned char *p) -{ - while (*p) - TTYshow(*p++); -} - -static int -TTYget() -{ - char c; - int e; - - TTYflush(); - if (Pushed) { - Pushed = 0; - return PushBack; - } - if (*Input) - return *Input++; - do { - e = read(0, &c, 1); - } while(e < 0 && errno == EINTR); - if(e == 1) - return c; - return EOF; -} - -static void -TTYback(void) -{ - if (backspace) - TTYputs(backspace); - else - TTYput('\b'); -} - -static void -TTYbackn(int n) -{ - while (--n >= 0) - TTYback(); -} - -static void -TTYinfo() -{ - static int init; - char *term; - char buff[2048]; - char *bp; - char *tmp; -#if defined(TIOCGWINSZ) - struct winsize W; -#endif /* defined(TIOCGWINSZ) */ - - if (init) { -#if defined(TIOCGWINSZ) - /* Perhaps we got resized. 
*/ - if (ioctl(0, TIOCGWINSZ, &W) >= 0 - && W.ws_col > 0 && W.ws_row > 0) { - TTYwidth = (int)W.ws_col; - TTYrows = (int)W.ws_row; - } -#endif /* defined(TIOCGWINSZ) */ - return; - } - init++; - - TTYwidth = TTYrows = 0; - bp = &buff[0]; - if ((term = getenv("TERM")) == NULL) - term = "dumb"; - if (tgetent(buff, term) < 0) { - TTYwidth = SCREEN_WIDTH; - TTYrows = SCREEN_ROWS; - return; - } - tmp = tgetstr("le", &bp); - if (tmp != NULL) - backspace = strdup(tmp); - else - backspace = "\b"; - TTYwidth = tgetnum("co"); - TTYrows = tgetnum("li"); - -#if defined(TIOCGWINSZ) - if (ioctl(0, TIOCGWINSZ, &W) >= 0) { - TTYwidth = (int)W.ws_col; - TTYrows = (int)W.ws_row; - } -#endif /* defined(TIOCGWINSZ) */ - - if (TTYwidth <= 0 || TTYrows <= 0) { - TTYwidth = SCREEN_WIDTH; - TTYrows = SCREEN_ROWS; - } -} - - -/* -** Print an array of words in columns. -*/ -static void -columns(int ac, unsigned char **av) -{ - unsigned char *p; - int i; - int j; - int k; - int len; - int skip; - int longest; - int cols; - - /* Find longest name, determine column count from that. 
*/ - for (longest = 0, i = 0; i < ac; i++) - if ((j = strlen((char *)av[i])) > longest) - longest = j; - cols = TTYwidth / (longest + 3); - - TTYputs(NEWLINE); - for (skip = ac / cols + 1, i = 0; i < skip; i++) { - for (j = i; j < ac; j += skip) { - for (p = av[j], len = strlen((char *)p), k = len; --k >= 0; p++) - TTYput(*p); - if (j + skip < ac) - while (++len < longest + 3) - TTYput(' '); - } - TTYputs(NEWLINE); - } -} - -static void -reposition() -{ - int i; - unsigned char *p; - - TTYput('\r'); - TTYputs(Prompt); - for (i = Point, p = Line; --i >= 0; p++) - TTYshow(*p); -} - -static void -left(el_STATUS Change) -{ - TTYback(); - if (Point) { - if (ISCTL(Line[Point - 1])) - TTYback(); - else if (rl_meta_chars && ISMETA(Line[Point - 1])) { - TTYback(); - TTYback(); - } - } - if (Change == CSmove) - Point--; -} - -static void -right(el_STATUS Change) -{ - TTYshow(Line[Point]); - if (Change == CSmove) - Point++; -} - -static el_STATUS -ring_bell() -{ - TTYput('\07'); - TTYflush(); - return CSstay; -} - -static el_STATUS -do_macro(unsigned char c) -{ - unsigned char name[4]; - - name[0] = '_'; - name[1] = c; - name[2] = '_'; - name[3] = '\0'; - - if ((Input = (unsigned char *)getenv((char *)name)) == NULL) { - Input = NIL; - return ring_bell(); - } - return CSstay; -} - -static el_STATUS -do_forward(el_STATUS move) -{ - int i; - unsigned char *p; - - i = 0; - do { - p = &Line[Point]; - for ( ; Point < End && (*p == ' ' || !isalnum(*p)); Point++, p++) - if (move == CSmove) - right(CSstay); - - for (; Point < End && isalnum(*p); Point++, p++) - if (move == CSmove) - right(CSstay); - - if (Point == End) - break; - } while (++i < Repeat); - - return CSstay; -} - -static el_STATUS -do_case(CASE type) -{ - int i; - int end; - int count; - unsigned char *p; - - do_forward(CSstay); - if (OldPoint != Point) { - if ((count = Point - OldPoint) < 0) - count = -count; - Point = OldPoint; - if ((end = Point + count) > End) - end = End; - for (i = Point, p = &Line[i]; i < end; 
i++, p++) { - if (type == TOupper) { - if (islower(*p)) - *p = toupper(*p); - } - else if (isupper(*p)) - *p = tolower(*p); - right(CSmove); - } - } - return CSstay; -} - -static el_STATUS -case_down_word() -{ - return do_case(TOlower); -} - -static el_STATUS -case_up_word() -{ - return do_case(TOupper); -} - -static void -ceol() -{ - int extras; - int i; - unsigned char *p; - - for (extras = 0, i = Point, p = &Line[i]; i <= End; i++, p++) { - TTYput(' '); - if (ISCTL(*p)) { - TTYput(' '); - extras++; - } - else if (rl_meta_chars && ISMETA(*p)) { - TTYput(' '); - TTYput(' '); - extras += 2; - } - } - - for (i += extras; i > Point; i--) - TTYback(); -} - -static void -clear_line() -{ - Point = -strlen(Prompt); - TTYput('\r'); - ceol(); - Point = 0; - End = 0; - Line[0] = '\0'; -} - -static el_STATUS -insert_string(unsigned char *p) -{ - size_t len; - int i; - unsigned char *new; - unsigned char *q; - - len = strlen((char *)p); - if (End + len >= Length) { - if ((new = malloc(sizeof(unsigned char) * (Length + len + MEM_INC))) == NULL) - return CSstay; - if (Length) { - memcpy(new, Line, Length); - free(Line); - } - Line = new; - Length += len + MEM_INC; - } - - for (q = &Line[Point], i = End - Point; --i >= 0; ) - q[len + i] = q[i]; - memcpy(&Line[Point], p, len); - End += len; - Line[End] = '\0'; - TTYstring(&Line[Point]); - Point += len; - - return Point == End ? CSstay : CSmove; -} - - -static unsigned char * -next_hist() -{ - return H.Pos >= H.Size - 1 ? NULL : H.Lines[++H.Pos]; -} - -static unsigned char * -prev_hist() -{ - return H.Pos == 0 ? 
NULL : H.Lines[--H.Pos]; -} - -static el_STATUS -do_insert_hist(unsigned char *p) -{ - if (p == NULL) - return ring_bell(); - Point = 0; - reposition(); - ceol(); - End = 0; - return insert_string(p); -} - -static el_STATUS -do_hist(unsigned char *(*move)()) -{ - unsigned char *p; - int i; - - i = 0; - do { - if ((p = (*move)()) == NULL) - return ring_bell(); - } while (++i < Repeat); - return do_insert_hist(p); -} - -static el_STATUS -h_next() -{ - return do_hist(next_hist); -} - -static el_STATUS -h_prev() -{ - return do_hist(prev_hist); -} - -static el_STATUS -h_first() -{ - return do_insert_hist(H.Lines[H.Pos = 0]); -} - -static el_STATUS -h_last() -{ - return do_insert_hist(H.Lines[H.Pos = H.Size - 1]); -} - -/* -** Return zero if pat appears as a substring in text. -*/ -static int -substrcmp(char *text, char *pat, int len) -{ - unsigned char c; - - if ((c = *pat) == '\0') - return *text == '\0'; - for ( ; *text; text++) - if (*text == c && strncmp(text, pat, len) == 0) - return 0; - return 1; -} - -static unsigned char * -search_hist(unsigned char *search, unsigned char *(*move)()) -{ - static unsigned char *old_search; - int len; - int pos; - int (*match)(); - char *pat; - - /* Save or get remembered search pattern. */ - if (search && *search) { - if (old_search) - free(old_search); - old_search = (unsigned char *)strdup((char *)search); - } - else { - if (old_search == NULL || *old_search == '\0') - return NULL; - search = old_search; - } - - /* Set up pattern-finder. 
*/ - if (*search == '^') { - match = strncmp; - pat = (char *)(search + 1); - } - else { - match = substrcmp; - pat = (char *)search; - } - len = strlen(pat); - - for (pos = H.Pos; (*move)() != NULL; ) - if ((*match)((char *)H.Lines[H.Pos], pat, len) == 0) - return H.Lines[H.Pos]; - H.Pos = pos; - return NULL; -} - -static el_STATUS -h_search() -{ - static int Searching; - const char *old_prompt; - unsigned char *(*move)(); - unsigned char *p; - - if (Searching) - return ring_bell(); - Searching = 1; - - clear_line(); - old_prompt = Prompt; - Prompt = "Search: "; - TTYputs(Prompt); - move = Repeat == NO_ARG ? prev_hist : next_hist; - p = search_hist(editinput(), move); - clear_line(); - Prompt = old_prompt; - TTYputs(Prompt); - - Searching = 0; - return do_insert_hist(p); -} - -static el_STATUS -fd_char() -{ - int i; - - i = 0; - do { - if (Point >= End) - break; - right(CSmove); - } while (++i < Repeat); - return CSstay; -} - -static void -save_yank(int begin, int i) -{ - if (Yanked) { - free(Yanked); - Yanked = NULL; - } - - if (i < 1) - return; - - if ((Yanked = malloc(sizeof(unsigned char) * (i + 1))) != NULL) { - memcpy(Yanked, &Line[begin], i); - Yanked[i+1] = '\0'; - } -} - -static el_STATUS -delete_string(int count) -{ - int i; - unsigned char *p; - - if (count <= 0 || End == Point) - return ring_bell(); - - if (count == 1 && Point == End - 1) { - /* Optimize common case of delete at end of line. 
*/ - End--; - p = &Line[Point]; - i = 1; - TTYput(' '); - if (ISCTL(*p)) { - i = 2; - TTYput(' '); - } - else if (rl_meta_chars && ISMETA(*p)) { - i = 3; - TTYput(' '); - TTYput(' '); - } - TTYbackn(i); - *p = '\0'; - return CSmove; - } - if (Point + count > End && (count = End - Point) <= 0) - return CSstay; - - if (count > 1) - save_yank(Point, count); - - for (p = &Line[Point], i = End - (Point + count) + 1; --i >= 0; p++) - p[0] = p[count]; - ceol(); - End -= count; - TTYstring(&Line[Point]); - return CSmove; -} - -static el_STATUS -bk_char() -{ - int i; - - i = 0; - do { - if (Point == 0) - break; - left(CSmove); - } while (++i < Repeat); - - return CSstay; -} - -static el_STATUS -bk_del_char() -{ - int i; - - i = 0; - do { - if (Point == 0) - break; - left(CSmove); - } while (++i < Repeat); - - return delete_string(i); -} - -static el_STATUS -redisplay() -{ - TTYputs(NEWLINE); - TTYputs(Prompt); - TTYstring(Line); - return CSmove; -} - -static el_STATUS -kill_line() -{ - int i; - - if (Repeat != NO_ARG) { - if (Repeat < Point) { - i = Point; - Point = Repeat; - reposition(); - delete_string(i - Point); - } - else if (Repeat > Point) { - right(CSmove); - delete_string(Repeat - Point - 1); - } - return CSmove; - } - - save_yank(Point, End - Point); - Line[Point] = '\0'; - ceol(); - End = Point; - return CSstay; -} - -static el_STATUS -insert_char(int c) -{ - el_STATUS s; - unsigned char buff[2]; - unsigned char *p; - unsigned char *q; - int i; - - if (Repeat == NO_ARG || Repeat < 2) { - buff[0] = c; - buff[1] = '\0'; - return insert_string(buff); - } - - if ((p = malloc(Repeat + 1)) == NULL) - return CSstay; - for (i = Repeat, q = p; --i >= 0; ) - *q++ = c; - *q = '\0'; - Repeat = 0; - s = insert_string(p); - free(p); - return s; -} - -static el_STATUS -meta() -{ - unsigned int c; - KEYMAP *kp; - - if ((c = TTYget()) == EOF) - return CSeof; - /* Also include VT-100 arrows. 
*/ - if (c == '[' || c == 'O') - switch (c = TTYget()) { - default: return ring_bell(); - case EOF: return CSeof; - case 'A': return h_prev(); - case 'B': return h_next(); - case 'C': return fd_char(); - case 'D': return bk_char(); - } - - if (isdigit(c)) { - for (Repeat = c - '0'; (c = TTYget()) != EOF && isdigit(c); ) - Repeat = Repeat * 10 + c - '0'; - Pushed = 1; - PushBack = c; - return CSstay; - } - - if (isupper(c)) - return do_macro(c); - for (OldPoint = Point, kp = MetaMap; kp->Function; kp++) - if (kp->Key == c) - return (*kp->Function)(); - - return ring_bell(); -} - -static el_STATUS -emacs(unsigned int c) -{ - el_STATUS s; - KEYMAP *kp; - - if (ISMETA(c)) { - Pushed = 1; - PushBack = UNMETA(c); - return meta(); - } - for (kp = Map; kp->Function; kp++) - if (kp->Key == c) - break; - s = kp->Function ? (*kp->Function)() : insert_char((int)c); - if (!Pushed) - /* No pushback means no repeat count; hacky, but true. */ - Repeat = NO_ARG; - return s; -} - -static el_STATUS -TTYspecial(unsigned int c) -{ - if (ISMETA(c)) - return CSdispatch; - - if (c == rl_erase || c == DEL) - return bk_del_char(); - if (c == rl_kill) { - if (Point != 0) { - Point = 0; - reposition(); - } - Repeat = NO_ARG; - return kill_line(); - } - if (c == rl_intr || c == rl_quit) { - Point = End = 0; - Line[0] = '\0'; - return redisplay(); - } - if (c == rl_eof && Point == 0 && End == 0) - return CSeof; - - return CSdispatch; -} - -static unsigned char * -editinput() -{ - unsigned int c; - - Repeat = NO_ARG; - OldPoint = Point = Mark = End = 0; - Line[0] = '\0'; - - while ((c = TTYget()) != EOF) - switch (TTYspecial(c)) { - case CSdone: - return Line; - case CSeof: - return NULL; - case CSmove: - reposition(); - break; - case CSdispatch: - switch (emacs(c)) { - case CSdone: - return Line; - case CSeof: - return NULL; - case CSmove: - reposition(); - break; - case CSdispatch: - case CSstay: - break; - } - break; - case CSstay: - break; - } - return NULL; -} - -static void 
-hist_add(unsigned char *p) -{ - int i; - - if ((p = (unsigned char *)strdup((char *)p)) == NULL) - return; - if (H.Size < HIST_SIZE) - H.Lines[H.Size++] = p; - else { - free(H.Lines[0]); - for (i = 0; i < HIST_SIZE - 1; i++) - H.Lines[i] = H.Lines[i + 1]; - H.Lines[i] = p; - } - H.Pos = H.Size - 1; -} - -/* -** For compatibility with FSF readline. -*/ -/* ARGSUSED0 */ -void -rl_reset_terminal(char *p) -{ -} - -void -rl_initialize(void) -{ -} - -char * -readline(const char* prompt) -{ - unsigned char *line; - - if (Line == NULL) { - Length = MEM_INC; - if ((Line = malloc(Length)) == NULL) - return NULL; - } - - TTYinfo(); - rl_ttyset(0); - hist_add(NIL); - ScreenSize = SCREEN_INC; - Screen = malloc(ScreenSize); - Prompt = prompt ? prompt : (char *)NIL; - TTYputs(Prompt); - if ((line = editinput()) != NULL) { - line = (unsigned char *)strdup((char *)line); - TTYputs(NEWLINE); - TTYflush(); - } - rl_ttyset(1); - free(Screen); - free(H.Lines[--H.Size]); - return (char *)line; -} - -void -add_history(char *p) -{ - if (p == NULL || *p == '\0') - return; - -#if defined(UNIQUE_HISTORY) - if (H.Pos && strcmp(p, H.Lines[H.Pos - 1]) == 0) - return; -#endif /* defined(UNIQUE_HISTORY) */ - hist_add((unsigned char *)p); -} - - -static el_STATUS -beg_line() -{ - if (Point) { - Point = 0; - return CSmove; - } - return CSstay; -} - -static el_STATUS -del_char() -{ - return delete_string(Repeat == NO_ARG ? 1 : Repeat); -} - -static el_STATUS -end_line() -{ - if (Point != End) { - Point = End; - return CSmove; - } - return CSstay; -} - -/* -** Move back to the beginning of the current word and return an -** allocated copy of it. 
-*/ -static unsigned char * -find_word() -{ - static char SEPS[] = "#;&|^$=`'{}()<>\n\t "; - unsigned char *p; - unsigned char *new; - size_t len; - - for (p = &Line[Point]; p > Line && strchr(SEPS, (char)p[-1]) == NULL; p--) - continue; - len = Point - (p - Line) + 1; - if ((new = malloc(len)) == NULL) - return NULL; - memcpy(new, p, len); - new[len - 1] = '\0'; - return new; -} - -static el_STATUS -c_complete() -{ - unsigned char *p; - unsigned char *word; - int unique; - el_STATUS s; - - word = find_word(); - p = (unsigned char *)rl_complete((char *)word, &unique); - if (word) - free(word); - if (p && *p) { - s = insert_string(p); - if (!unique) - ring_bell(); - free(p); - return s; - } - return ring_bell(); -} - -static el_STATUS -c_possible() -{ - unsigned char **av; - unsigned char *word; - int ac; - - word = find_word(); - ac = rl_list_possib((char *)word, (char ***)&av); - if (word) - free(word); - if (ac) { - columns(ac, av); - while (--ac >= 0) - free(av[ac]); - free(av); - return CSmove; - } - return ring_bell(); -} - -static el_STATUS -accept_line() -{ - Line[End] = '\0'; - return CSdone; -} - -static el_STATUS -transpose() -{ - unsigned char c; - - if (Point) { - if (Point == End) - left(CSmove); - c = Line[Point - 1]; - left(CSstay); - Line[Point - 1] = Line[Point]; - TTYshow(Line[Point - 1]); - Line[Point++] = c; - TTYshow(c); - } - return CSstay; -} - -static el_STATUS -quote() -{ - unsigned int c; - - return (c = TTYget()) == EOF ? CSeof : insert_char((int)c); -} - -static el_STATUS -wipe() -{ - int i; - - if (Mark > End) - return ring_bell(); - - if (Point > Mark) { - i = Point; - Point = Mark; - Mark = i; - reposition(); - } - - return delete_string(Mark - Point); -} - -static el_STATUS -mk_set() -{ - Mark = Point; - return CSstay; -} - -static el_STATUS -exchange() -{ - unsigned int c; - - if ((c = TTYget()) != CTL('X')) - return c == EOF ? 
CSeof : ring_bell(); - - if ((c = Mark) <= End) { - Mark = Point; - Point = c; - return CSmove; - } - return CSstay; -} - -static el_STATUS -yank() -{ - if (Yanked && *Yanked) - return insert_string(Yanked); - return CSstay; -} - -static el_STATUS -copy_region() -{ - if (Mark > End) - return ring_bell(); - - if (Point > Mark) - save_yank(Mark, Point - Mark); - else - save_yank(Point, Mark - Point); - - return CSstay; -} - -static el_STATUS -move_to_char() -{ - unsigned int c; - int i; - unsigned char *p; - - if ((c = TTYget()) == EOF) - return CSeof; - for (i = Point + 1, p = &Line[i]; i < End; i++, p++) - if (*p == c) { - Point = i; - return CSmove; - } - return CSstay; -} - -static el_STATUS -fd_word() -{ - return do_forward(CSmove); -} - -static el_STATUS -fd_kill_word() -{ - int i; - - do_forward(CSstay); - if (OldPoint != Point) { - i = Point - OldPoint; - Point = OldPoint; - return delete_string(i); - } - return CSstay; -} - -static el_STATUS -bk_word() -{ - int i; - unsigned char *p; - - i = 0; - do { - for (p = &Line[Point]; p > Line && !isalnum(p[-1]); p--) - left(CSmove); - - for (; p > Line && p[-1] != ' ' && isalnum(p[-1]); p--) - left(CSmove); - - if (Point == 0) - break; - } while (++i < Repeat); - - return CSstay; -} - -static el_STATUS -bk_kill_word() -{ - bk_word(); - if (OldPoint != Point) - return delete_string(OldPoint - Point); - return CSstay; -} - -static int -argify(unsigned char *line, unsigned char ***avp) -{ - unsigned char *c; - unsigned char **p; - unsigned char **new; - int ac; - int i; - - i = MEM_INC; - if ((*avp = p = malloc(sizeof(unsigned char*) * i))== NULL) - return 0; - - for (c = line; isspace(*c); c++) - continue; - if (*c == '\n' || *c == '\0') - return 0; - - for (ac = 0, p[ac++] = c; *c && *c != '\n'; ) { - if (isspace(*c)) { - *c++ = '\0'; - if (*c && *c != '\n') { - if (ac + 1 == i) { - new = malloc(sizeof(unsigned char*) * (i + MEM_INC)); - if (new == NULL) { - p[ac] = NULL; - return ac; - } - memcpy(new, p, i * sizeof 
(char **)); - i += MEM_INC; - free(p); - *avp = p = new; - } - p[ac++] = c; - } - } - else - c++; - } - *c = '\0'; - p[ac] = NULL; - return ac; -} - -static el_STATUS -last_argument() -{ - unsigned char **av; - unsigned char *p; - el_STATUS s; - int ac; - - if (H.Size == 1 || (p = H.Lines[H.Size - 2]) == NULL) - return ring_bell(); - - if ((p = (unsigned char *)strdup((char *)p)) == NULL) - return CSstay; - ac = argify(p, &av); - - if (Repeat != NO_ARG) - s = Repeat < ac ? insert_string(av[Repeat]) : ring_bell(); - else - s = ac ? insert_string(av[ac - 1]) : CSstay; - - if (ac) - free(av); - free(p); - return s; -} - -static KEYMAP Map[33] = { - { CTL('@'), ring_bell }, - { CTL('A'), beg_line }, - { CTL('B'), bk_char }, - { CTL('D'), del_char }, - { CTL('E'), end_line }, - { CTL('F'), fd_char }, - { CTL('G'), ring_bell }, - { CTL('H'), bk_del_char }, - { CTL('I'), c_complete }, - { CTL('J'), accept_line }, - { CTL('K'), kill_line }, - { CTL('L'), redisplay }, - { CTL('M'), accept_line }, - { CTL('N'), h_next }, - { CTL('O'), ring_bell }, - { CTL('P'), h_prev }, - { CTL('Q'), ring_bell }, - { CTL('R'), h_search }, - { CTL('S'), ring_bell }, - { CTL('T'), transpose }, - { CTL('U'), ring_bell }, - { CTL('V'), quote }, - { CTL('W'), wipe }, - { CTL('X'), exchange }, - { CTL('Y'), yank }, - { CTL('Z'), ring_bell }, - { CTL('['), meta }, - { CTL(']'), move_to_char }, - { CTL('^'), ring_bell }, - { CTL('_'), ring_bell }, - { 0, NULL } -}; - -static KEYMAP MetaMap[16]= { - { CTL('H'), bk_kill_word }, - { DEL, bk_kill_word }, - { ' ', mk_set }, - { '.', last_argument }, - { '<', h_first }, - { '>', h_last }, - { '?', c_possible }, - { 'b', bk_word }, - { 'd', fd_kill_word }, - { 'f', fd_word }, - { 'l', case_down_word }, - { 'u', case_up_word }, - { 'y', yank }, - { 'w', copy_region }, - { 0, NULL } -}; diff --git a/crypto/heimdal-0.6.3/lib/editline/editline.cat3 b/crypto/heimdal-0.6.3/lib/editline/editline.cat3 deleted file mode 100644 index 6e7e63ede1..0000000000 
--- a/crypto/heimdal-0.6.3/lib/editline/editline.cat3
+++ /dev/null
@@ -1,198 +0,0 @@ - - - -EDITLINE(3) EDITLINE(3) - - - -NAME - editline - command-line editing library with history - -SYNOPSIS - cchhaarr ** - rreeaaddlliinnee((pprroommpptt)) - cchhaarr **pprroommpptt;; - - vvooiidd - aadddd__hhiissttoorryy((lliinnee)) - cchhaarr **lliinnee;; - -DESCRIPTION - _E_d_i_t_l_i_n_e is a library that provides an line-editing interface with text - recall. It is intended to be compatible with the _r_e_a_d_l_i_n_e library provided - by the Free Software Foundation, but much smaller. The bulk of this manual - page describes the user interface. - - The _r_e_a_d_l_i_n_e routine returns a line of text with the trailing newline - removed. The data is returned in a buffer allocated with _m_a_l_l_o_c(3), so the - space should be released with _f_r_e_e(3) when the calling program is done with - it. Before accepting input from the user, the specified _p_r_o_m_p_t is dis- - played on the terminal. - - The _a_d_d___h_i_s_t_o_r_y routine makes a copy of the specified _l_i_n_e and adds it to - the internal history list. - - User Interface - - A program that uses this library provides a simple emacs-like editing - interface to its users. A line may be edited before it is sent to the - calling program by typing either control characters or escape sequences. A - control character, shown as a caret followed by a letter, is typed by hold- - ing down the ``control'' key while the letter is typed. For example, - ``^A'' is a control-A. An escape sequence is entered by typing the - ``escape'' key followed by one or more characters. The escape key is - abbreviated as ``ESC.'' Note that unlike control keys, case matters in - escape sequences; ``ESC F'' is not the same as ``ESC f''. - - An editing command may be typed anywhere on the line, not just at the - beginning. In addition, a return may also be typed anywhere on the line, - not just at the end. - - Most editing commands may be given a repeat count, _n, where _n is a number. 
- To enter a repeat count, type the escape key, the number, and then the com- - mand to execute. For example, ``ESC 4 ^f'' moves forward four characters. - If a command may be given a repeat count then the text ``[n]'' is given at - the end of its description. - - The following control characters are accepted: - ^A Move to the beginning of the line - ^B Move left (backwards) [n] - ^D Delete character [n] - ^E Move to end of line - ^F Move right (forwards) [n] - ^G Ring the bell - ^H Delete character before cursor (backspace key) [n] - ^I Complete filename (tab key); see below - ^J Done with line (return key) - ^K Kill to end of line (or column [n]) - ^L Redisplay line - ^M Done with line (alternate return key) - ^N Get next line from history [n] - ^P Get previous line from history [n] - ^R Search backward (forward if [n]) through history for text; - must start line if text begins with an uparrow - ^T Transpose characters - ^V Insert next character, even if it is an edit command - ^W Wipe to the mark - ^X^X Exchange current location and mark - ^Y Yank back last killed text - ^[ Start an escape sequence (escape key) - ^]c Move forward to next character ``c'' - ^? Delete character before cursor (delete key) [n] - - The following escape sequences are provided. - ESC ^H Delete previous word (backspace key) [n] - ESC DEL Delete previous word (delete key) [n] - ESC SP Set the mark (space key); see ^X^X and ^Y above - ESC . Get the last (or [n]'th) word from previous line - ESC ? 
Show possible completions; see below - ESC < Move to start of history - ESC > Move to end of history - ESC b Move backward a word [n] - ESC d Delete word under cursor [n] - ESC f Move forward a word [n] - ESC l Make word lowercase [n] - ESC u Make word uppercase [n] - ESC y Yank back last killed text - ESC v Show library version - ESC w Make area up to mark yankable - ESC nn Set repeat count to the number nn - ESC C Read from environment variable ``_C_'', where C is - an uppercase letter - - The _e_d_i_t_l_i_n_e library has a small macro facility. If you type the escape - key followed by an uppercase letter, _C, then the contents of the environ- - ment variable ___C__ are read in as if you had typed them at the keyboard. - For example, if the variable ___L__ contains the following: - ^A^Kecho '^V^[[H^V^[[2J'^M - Then typing ``ESC L'' will move to the beginning of the line, kill the - entire line, enter the echo command needed to clear the terminal (if your - terminal is like a VT-100), and send the line back to the shell. - - The _e_d_i_t_l_i_n_e library also does filename completion. Suppose the root - directory has the following files in it: - bin vmunix - core vmunix.old - If you type ``rm /v'' and then the tab key. _E_d_i_t_l_i_n_e will then finish off - as much of the name as possible by adding ``munix''. Because the name is - not unique, it will then beep. If you type the escape key and a question - mark, it will display the two choices. If you then type a period and a - tab, the library will finish off the filename for you: - rm /v[TAB]_m_u_n_i_x.TAB_o_l_d - The tab key is shown by ``[TAB]'' and the automatically-entered text is - shown in italics. - - - -BUGS AND LIMITATIONS - Cannot handle lines more than 80 columns. - - - - -AUTHORS - Simmule R. Turner and Rich $alz - . Original manual page by DaviD W. Sanderson - . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
diff --git a/crypto/heimdal-0.6.3/lib/editline/editline.h b/crypto/heimdal-0.6.3/lib/editline/editline.h
deleted file mode 100644
index a948ddc5c5..0000000000
--- a/crypto/heimdal-0.6.3/lib/editline/editline.h
+++ /dev/null
@@ -1,64 +0,0 @@
-/* $Revision: 1.4 $
-**
-** Internal header file for editline library.
-*/
-#ifdef HAVE_CONFIG_H
-#include
-#endif
-
-#include
-#include
-#include
-
-#define CRLF "\r\n"
-
-#ifdef HAVE_SYS_TYPES_H
-#include
-#endif
-#ifdef HAVE_SYS_STAT_H
-#include
-#endif
-
-#ifdef HAVE_DIRENT_H
-#include
-typedef struct dirent DIRENTRY;
-#else
-#include
-typedef struct direct DIRENTRY;
-#endif
-
-#include
-
-#if !defined(S_ISDIR)
-#define S_ISDIR(m) (((m) & S_IFMT) == S_IFDIR)
-#endif /* !defined(S_ISDIR) */
-
-typedef unsigned char CHAR;
-
-#define MEM_INC 64
-#define SCREEN_INC 256
-
-/*
-** Variables and routines internal to this package.
-*/
-extern int rl_eof;
-extern int rl_erase;
-extern int rl_intr;
-extern int rl_kill;
-extern int rl_quit;
-
-typedef char* (*rl_complete_func_t)(char*, int*);
-
-typedef int (*rl_list_possib_func_t)(char*, char***);
-
-void add_history (char*);
-char* readline (const char* prompt);
-void rl_add_slash (char*, char*);
-char* rl_complete (char*, int*);
-void rl_initialize (void);
-int rl_list_possib (char*, char***);
-void rl_reset_terminal (char*);
-void rl_ttyset (int);
-rl_complete_func_t rl_set_complete_func (rl_complete_func_t);
-rl_list_possib_func_t rl_set_list_possib_func (rl_list_possib_func_t);
-
diff --git a/crypto/heimdal-0.6.3/lib/editline/roken_rename.h b/crypto/heimdal-0.6.3/lib/editline/roken_rename.h
deleted file mode 100644
index 9ea278d22f..0000000000
--- a/crypto/heimdal-0.6.3/lib/editline/roken_rename.h
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
- * Copyright (c) 1998, 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: roken_rename.h,v 1.4 1999/12/02 16:58:39 joda Exp $ */
-
-#ifndef __roken_rename_h__
-#define __roken_rename_h__
-
-#ifndef HAVE_STRDUP
-#define strdup _editline_strdup
-#endif
-#ifndef HAVE_SNPRINTF
-#define snprintf _editline_snprintf
-#endif
-#ifndef HAVE_VSNPRINTF
-#define vsnprintf _editline_vsnprintf
-#endif
-#ifndef HAVE_ASPRINTF
-#define asprintf _editline_asprintf
-#endif
-#ifndef HAVE_ASNPRINTF
-#define asnprintf _editline_asnprintf
-#endif
-#ifndef HAVE_VASPRINTF
-#define vasprintf _editline_vasprintf
-#endif
-#ifndef HAVE_VASNPRINTF
-#define vasnprintf _editline_vasnprintf
-#endif
-
-#endif /* __roken_rename_h__ */
diff --git a/crypto/heimdal-0.6.3/lib/editline/sysunix.c b/crypto/heimdal-0.6.3/lib/editline/sysunix.c
deleted file mode 100644
index bcd6def6ca..0000000000
--- a/crypto/heimdal-0.6.3/lib/editline/sysunix.c
+++ /dev/null
@@ -1,92 +0,0 @@
-/* Copyright 1992 Simmule Turner and Rich Salz. All rights reserved.
- *
- * This software is not subject to any license of the American Telephone
- * and Telegraph Company or of the Regents of the University of California.
- *
- * Permission is granted to anyone to use this software for any purpose on
- * any computer system, and to alter it and redistribute it freely, subject
- * to the following restrictions:
- * 1. The authors are not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits must appear in the documentation.
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits must appear in the documentation.
- * 4. This notice may not be removed or altered.
- */
-
-/*
-** Unix system-dependant routines for editline library.
-*/
-#include
-#include "editline.h"
-
-#ifdef HAVE_TERMIOS_H
-#include
-#else
-#include
-#endif
-
-RCSID("$Id: sysunix.c,v 1.4 1999/04/08 13:08:24 joda Exp $");
-
-#ifdef HAVE_TERMIOS_H
-
-void
-rl_ttyset(int Reset)
-{
- static struct termios old;
- struct termios new;
-
- if (Reset == 0) {
- tcgetattr(0, &old);
- rl_erase = old.c_cc[VERASE];
- rl_kill = old.c_cc[VKILL];
- rl_eof = old.c_cc[VEOF];
- rl_intr = old.c_cc[VINTR];
- rl_quit = old.c_cc[VQUIT];
-
- new = old;
- new.c_cc[VINTR] = -1;
- new.c_cc[VQUIT] = -1;
- new.c_lflag &= ~(ECHO | ICANON);
- new.c_iflag &= ~(ISTRIP | INPCK);
- new.c_cc[VMIN] = 1;
- new.c_cc[VTIME] = 0;
- tcsetattr(0, TCSANOW, &new);
- }
- else
- tcsetattr(0, TCSANOW, &old);
-}
-
-#else /* !HAVE_TERMIOS_H */
-
-void
-rl_ttyset(int Reset)
-{
- static struct sgttyb old;
- struct sgttyb new;
-
- if (Reset == 0) {
- ioctl(0, TIOCGETP, &old);
- rl_erase = old.sg_erase;
- rl_kill = old.sg_kill;
- new = old;
- new.sg_flags &= ~(ECHO | ICANON);
- new.sg_flags &= ~(ISTRIP | INPCK);
- ioctl(0, TIOCSETP, &new);
- } else {
- ioctl(0, TIOCSETP, &old);
- }
-}
-#endif /* HAVE_TERMIOS_H */
-
-void
-rl_add_slash(char *path, char *p)
-{
- struct stat Sb;
-
- if (stat(path, &Sb) >= 0)
- strcat(p, S_ISDIR(Sb.st_mode) ? "/" : " ");
-}
diff --git a/crypto/heimdal-0.6.3/lib/editline/testit.c b/crypto/heimdal-0.6.3/lib/editline/testit.c
deleted file mode 100644
index c8ab847a7b..0000000000
--- a/crypto/heimdal-0.6.3/lib/editline/testit.c
+++ /dev/null
@@ -1,78 +0,0 @@
-/* $Revision: 1.3 $
-**
-** A "micro-shell" to test editline library.
-** If given any arguments, commands aren't executed.
-*/
-#if defined(HAVE_CONFIG_H)
-#include
-#endif
-#include
-#include
-#ifdef HAVE_ERRNO_H
-#include
-#endif
-#include
-
-#include "editline.h"
-
-static int n_flag = 0;
-static int version_flag = 0;
-static int help_flag = 0;
-
-static struct getargs args[] = {
- {"dry-run", 'n', arg_flag, &n_flag,
- "do not run commands", NULL },
- {"version", 0, arg_flag, &version_flag,
- "print version", NULL },
- {"help", 0, arg_flag, &help_flag,
- NULL, NULL }
-};
-
-static void
-usage (int ret)
-{
- arg_printusage (args,
- sizeof(args)/sizeof(*args),
- NULL,
- "");
- exit (ret);
-}
-
-int
-main(int argc, char **argv)
-{
- char *p;
- int optind = 0;
-
- setprogname (argv[0]);
-
- if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
- usage(1);
-
- if (help_flag)
- usage (0);
-
- if(version_flag){
- print_version(NULL);
- exit(0);
- }
-
- argc -= optind;
- argv += optind;
-
- while ((p = readline("testit> ")) != NULL) {
- (void)printf("\t\t\t|%s|\n", p);
- if (!n_flag) {
- if (strncmp(p, "cd ", 3) == 0) {
- if (chdir(&p[3]) < 0)
- perror(&p[3]);
- } else if (system(p) != 0) {
- perror(p);
- }
- }
- add_history(p);
- free(p);
- }
- exit(0);
- /* NOTREACHED */
-}
diff --git a/crypto/heimdal-0.6.3/lib/editline/unix.h b/crypto/heimdal-0.6.3/lib/editline/unix.h
deleted file mode 100644
index fe6beedcec..0000000000
--- a/crypto/heimdal-0.6.3/lib/editline/unix.h
+++ /dev/null
@@ -1,22 +0,0 @@
-/* $Revision: 1.1 $
-**
-** Editline system header file for Unix.
-*/
-
-#define CRLF "\r\n"
-#define FORWARD STATIC
-
-#include
-#include
-
-#if defined(USE_DIRENT)
-#include
-typedef struct dirent DIRENTRY;
-#else
-#include
-typedef struct direct DIRENTRY;
-#endif /* defined(USE_DIRENT) */
-
-#if !defined(S_ISDIR)
-#define S_ISDIR(m) (((m) & S_IFMT) == S_IFDIR)
-#endif /* !defined(S_ISDIR) */
diff --git a/crypto/heimdal-0.6.3/lib/gssapi/8003.c b/crypto/heimdal-0.6.3/lib/gssapi/8003.c
deleted file mode 100644
index 3b481822b8..0000000000
--- a/crypto/heimdal-0.6.3/lib/gssapi/8003.c
+++ /dev/null
@@ -1,251 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: 8003.c,v 1.12.2.2 2003/09/18 21:30:57 lha Exp $");
-
-krb5_error_code
-gssapi_encode_om_uint32(OM_uint32 n, u_char *p)
-{
- p[0] = (n >> 0) & 0xFF;
- p[1] = (n >> 8) & 0xFF;
- p[2] = (n >> 16) & 0xFF;
- p[3] = (n >> 24) & 0xFF;
- return 0;
-}
-
-krb5_error_code
-gssapi_encode_be_om_uint32(OM_uint32 n, u_char *p)
-{
- p[0] = (n >> 24) & 0xFF;
- p[1] = (n >> 16) & 0xFF;
- p[2] = (n >> 8) & 0xFF;
- p[3] = (n >> 0) & 0xFF;
- return 0;
-}
-
-krb5_error_code
-gssapi_decode_om_uint32(u_char *p, OM_uint32 *n)
-{
- *n = (p[0] << 0) | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
- return 0;
-}
-
-krb5_error_code
-gssapi_decode_be_om_uint32(u_char *p, OM_uint32 *n)
-{
- *n = (p[0] <<24) | (p[1] << 16) | (p[2] << 8) | (p[3] << 0);
- return 0;
-}
-
-static krb5_error_code
-hash_input_chan_bindings (const gss_channel_bindings_t b,
- u_char *p)
-{
- u_char num[4];
- MD5_CTX md5;
-
- MD5_Init(&md5);
- gssapi_encode_om_uint32 (b->initiator_addrtype, num);
- MD5_Update (&md5, num, sizeof(num));
- gssapi_encode_om_uint32 (b->initiator_address.length, num);
- MD5_Update (&md5, num, sizeof(num));
- if (b->initiator_address.length)
- MD5_Update (&md5,
- b->initiator_address.value,
- b->initiator_address.length);
- gssapi_encode_om_uint32 (b->acceptor_addrtype, num);
- MD5_Update (&md5, num, sizeof(num));
- gssapi_encode_om_uint32 (b->acceptor_address.length, num);
- MD5_Update (&md5, num, sizeof(num));
- if (b->acceptor_address.length)
- MD5_Update (&md5,
- b->acceptor_address.value,
- b->acceptor_address.length);
- gssapi_encode_om_uint32 (b->application_data.length, num);
- MD5_Update (&md5, num, sizeof(num));
- if (b->application_data.length)
- MD5_Update (&md5,
- b->application_data.value,
- b->application_data.length);
- MD5_Final (p, &md5);
- return 0;
-}
-
-/*
- * create a checksum over the chanel bindings in
- * `input_chan_bindings', `flags' and `fwd_data' and return it in
- * `result'
- */
-
-OM_uint32
-gssapi_krb5_create_8003_checksum (
- OM_uint32 *minor_status,
- const gss_channel_bindings_t input_chan_bindings,
- OM_uint32 flags,
- const krb5_data *fwd_data,
- Checksum *result)
-{
- u_char *p;
-
- /*
- * see rfc1964 (section 1.1.1 (Initial Token), and the checksum value
- * field's format) */
- result->cksumtype = 0x8003;
- if (fwd_data->length > 0 && (flags & GSS_C_DELEG_FLAG))
- result->checksum.length = 24 + 4 + fwd_data->length;
- else
- result->checksum.length = 24;
- result->checksum.data = malloc (result->checksum.length);
- if (result->checksum.data == NULL) {
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
-
- p = result->checksum.data;
- gssapi_encode_om_uint32 (16, p);
- p += 4;
- if (input_chan_bindings == GSS_C_NO_CHANNEL_BINDINGS) {
- memset (p, 0, 16);
- } else {
- hash_input_chan_bindings (input_chan_bindings, p);
- }
- p += 16;
- gssapi_encode_om_uint32 (flags, p);
- p += 4;
-
- if (fwd_data->length > 0 && (flags & GSS_C_DELEG_FLAG)) {
-#if 0
- u_char *tmp;
-
- result->checksum.length = 28 + fwd_data->length;
- tmp = realloc(result->checksum.data, result->checksum.length);
- if (tmp == NULL)
- return ENOMEM;
- result->checksum.data = tmp;
-
- p = (u_char*)result->checksum.data + 24;
-#endif
- *p++ = (1 >> 0) & 0xFF; /* DlgOpt */ /* == 1 */
- *p++ = (1 >> 8) & 0xFF; /* DlgOpt */ /* == 0 */
- *p++ = (fwd_data->length >> 0) & 0xFF; /* Dlgth */
- *p++ = (fwd_data->length >> 8) & 0xFF; /* Dlgth */
- memcpy(p, (unsigned char *) fwd_data->data, fwd_data->length);
-
- p += fwd_data->length;
- }
-
- return GSS_S_COMPLETE;
-}
-
-/*
- * verify the checksum in `cksum' over `input_chan_bindings'
- * returning `flags' and `fwd_data'
- */
-
-OM_uint32
-gssapi_krb5_verify_8003_checksum(
- OM_uint32 *minor_status,
- const gss_channel_bindings_t input_chan_bindings,
- const Checksum *cksum,
- OM_uint32 *flags,
- krb5_data *fwd_data)
-{
- unsigned char hash[16];
- unsigned char *p;
- OM_uint32 length;
- int DlgOpt;
- static unsigned char zeros[16];
-
- /* XXX should handle checksums > 24 bytes */
- if(cksum->cksumtype != 0x8003 || cksum->checksum.length < 24) {
- *minor_status = 0;
- return GSS_S_BAD_BINDINGS;
- }
-
- p = cksum->checksum.data;
- gssapi_decode_om_uint32(p, &length);
- if(length != sizeof(hash)) {
- *minor_status = 0;
- return GSS_S_BAD_BINDINGS;
- }
-
- p += 4;
-
- if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS
- && memcmp(p, zeros, sizeof(zeros)) != 0) {
- if(hash_input_chan_bindings(input_chan_bindings, hash) != 0) {
- *minor_status = 0;
- return GSS_S_BAD_BINDINGS;
- }
- if(memcmp(hash, p, sizeof(hash)) != 0) {
- *minor_status = 0;
- return GSS_S_BAD_BINDINGS;
- }
- }
-
- p += sizeof(hash);
-
- gssapi_decode_om_uint32(p, flags);
- p += 4;
-
- if (cksum->checksum.length > 24 && (*flags & GSS_C_DELEG_FLAG)) {
- if(cksum->checksum.length < 28) {
- *minor_status = 0;
- return GSS_S_BAD_BINDINGS;
- }
-
- DlgOpt = (p[0] << 0) | (p[1] << 8);
- p += 2;
- if (DlgOpt != 1) {
- *minor_status = 0;
- return GSS_S_BAD_BINDINGS;
- }
-
- fwd_data->length = (p[0] << 0) | (p[1] << 8);
- p += 2;
- if(cksum->checksum.length < 28 + fwd_data->length) {
- *minor_status = 0;
- return GSS_S_BAD_BINDINGS;
- }
- fwd_data->data = malloc(fwd_data->length);
- if (fwd_data->data == NULL) {
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
- memcpy(fwd_data->data, p, fwd_data->length);
- }
-
- return GSS_S_COMPLETE;
-}
diff --git a/crypto/heimdal-0.6.3/lib/gssapi/ChangeLog b/crypto/heimdal-0.6.3/lib/gssapi/ChangeLog
deleted file mode 100644
index b18bde67ea..0000000000
--- a/crypto/heimdal-0.6.3/lib/gssapi/ChangeLog
+++ /dev/null
@@ -1,688 +0,0 @@ -2003-12-19 Love Hörnquist Åstrand - - * accept_sec_context.c: 1.40->1.41: Don't require timestamp to be - set on delegated token, its already protected by the outer token - (and windows doesn't alway send it) Pointed out by Zi-Bin Yang - on heimdal-discuss - -2003-10-21 Love Hörnquist Åstrand - - * add_cred.c: 1.3->1.4: If its a MEMORY cc, make a copy. We need - to do this since now gss_release_cred will destroy the cred. This - should be really be solved a better way. - -2003-10-07 Love Hörnquist Åstrand - - * release_cred.c: 1.9->1.10: - (gss_release_cred): if its a mcc, destroy it rather the just release it - Found by: "Zi-Bin Yang" - -2003-09-19 Love Hörnquist Åstrand - - * arcfour.c: 1.13->1.14: remove depenency on gss_arcfour_mic_token - and gss_arcfour_warp_token - - * arcfour.h: 1.3->1.4: remove depenency on gss_arcfour_mic_token - and gss_arcfour_warp_token - - * arcfour.c: make build - - * get_mic.c, verify_mic.c, unwrap.c, wrap.c: - glue in arcfour support - - * gssapi_locl.h: 1.32->1.33: add _gssapi_verify_pad - -2003-09-18 Love Hörnquist Åstrand - - * encapsulate.c: add _gssapi_make_mech_header - - * gssapi_locl.h: add "arcfour.h" and prototype for - _gssapi_make_mech_header - - * gssapi_locl.h: add gssapi_{en,de}code_{be_,}om_uint32 - - * 8003.c: 1.12->1.13: export and rename - encode_om_uint32/decode_om_uint32 and start to use them - -2003-08-16 Love Hörnquist Åstrand - - * verify_mic.c: 1.21->1.22: make sure minor_status is always set, - pointed out by Luke Howard - -2003-08-15 Love Hörnquist Åstrand - - * context_time.c: 1.7->1.10: return time in seconds from now - - * gssapi_locl.h: add gssapi_lifetime_left - - * init_sec_context.c: part of 1.37->1.38: (init_auth): if the cred - is expired before we tries to create a token, fail so the peer - doesn't need reject us - (*): make sure time is returned in seconds from now, not in - kerberos time - - * acquire_cred.c: 1.14->1.15: (gss_aquire_cred): make sure time is - returned in 
seconds from now, not in kerberos time - - * accept_sec_context.c: 1.34->1.35: (gss_accept_sec_context): make - sure time is returned in seconds from now, not in kerberos time - -2003-05-07 Love Hörnquist Åstrand - - * gssapi.h: 1.27->1.28: - if __cplusplus, wrap the extern variable (just to be safe) and - functions in extern "C" { } - -2003-04-30 Love Hörnquist Åstrand - - * gssapi.3: more about the des3 mic mess - - * verify_mic.c 1.19->1.20 : (verify_mic_des3): always check if the - mic is the correct mic or the mic that old heimdal would have - generated - -2003-04-29 Jacques Vidrine - - * verify_mic.c: 1.18->1.19: verify_mic_des3: If MIC verification - fails, retry using the `old' MIC computation (with zero IV). - -2003-04-28 Love Hörnquist Åstrand - - * compat.c (_gss_DES3_get_mic_compat): default to use compat - - * gssapi.3: 1.5->1.6: document [gssapi]correct_des3_mic and - [gssapi]broken_des3_mic - - * compat.c: 1.2->1.4: - (gss_krb5_compat_des3_mci): return a value - (gss_krb5_compat_des3_mic): enable turning on/off des3 mic compat - (_gss_DES3_get_mic_compat): handle [gssapi]correct_des3_mic too - - * gssapi.h: 1.26->1.27: - (gss_krb5_compat_des3_mic): new function, turn on/off des3 mic compat - (GSS_C_KRB5_COMPAT_DES3_MIC): cpp symbol that exists if - gss_krb5_compat_des3_mic exists - -2003-04-23 Love Hörnquist Åstrand - - * Makefile.am: 1.44->1.45: test_acquire_cred_LDADD: use - libgssapi.la not ./libgssapi.la (makes make -jN work) - -2003-04-16 Love Hörnquist Åstrand - - * gssapi.3: spelling - - * gss_acquire_cred.3: Change .Fd #include to .In - header.h, from Thomas Klausner - - -2003-04-06 Love Hörnquist Åstrand - - * gss_acquire_cred.3: spelling - - * Makefile.am: remove stuff that sneaked in with last commit - - * acquire_cred.c (acquire_initiator_cred): if the requested name - isn't in the ccache, also check keytab. Extact the krbtgt for the - default realm to check how long the credentials will last. 
- - * add_cred.c (gss_add_cred): don't create a new ccache, just open - the old one; better check if output handle is compatible with new - (copied) handle - - * test_acquire_cred.c: test gss_add_cred too - -2003-04-03 Love Hörnquist Åstrand - - * Makefile.am: build test_acquire_cred - - * test_acquire_cred.c: simple gss_acquire_cred test - -2003-04-02 Love Hörnquist Åstrand - - * gss_acquire_cred.3: s/gssapi/GSS-API/ - -2003-03-19 Love Hörnquist Åstrand - - * gss_acquire_cred.3: document v1 interface (and that they are - obsolete) - -2003-03-18 Love Hörnquist Åstrand - - * gss_acquire_cred.3: list supported mechanism and nametypes - -2003-03-16 Love Hörnquist Åstrand - - * gss_acquire_cred.3: text about gss_display_name - - * Makefile.am (libgssapi_la_LDFLAGS): bump to 3:6:2 - (libgssapi_la_SOURCES): add all new functions - - * gssapi.3: now that we have a functions, uncomment the missing - ones - - * gss_acquire_cred.3: now that we have a functions, uncomment the - missing ones - - * process_context_token.c: implement gss_process_context_token - - * inquire_names_for_mech.c: implement gss_inquire_names_for_mech - - * inquire_mechs_for_name.c: implement gss_inquire_mechs_for_name - - * inquire_cred_by_mech.c: implement gss_inquire_cred_by_mech - - * add_cred.c: implement gss_add_cred - - * acquire_cred.c (gss_acquire_cred): more testing of input - argument, make sure output arguments are ok, since we don't know - the time_rec (for now), set it to time_req - - * export_sec_context.c: send lifetime, also set minor_status - - * get_mic.c: set minor_status - - * import_sec_context.c (gss_import_sec_context): add error - checking, pick up lifetime (if there is no lifetime, use - GSS_C_INDEFINITE) - - * init_sec_context.c: take care to set export value to something - sane before we start so caller will have harmless values in them - if then function fails - - * release_buffer.c (gss_release_buffer): set minor_status - - * wrap.c: make sure minor_status get set - - * 
verify_mic.c (gss_verify_mic_internal): rename verify_mic to - gss_verify_mic_internal and let it take the type as an argument, - (gss_verify_mic): call gss_verify_mic_internal - set minor_status - - * unwrap.c: set minor_status - - * test_oid_set_member.c (gss_test_oid_set_member): use - gss_oid_equal - - * release_oid_set.c (gss_release_oid_set): set minor_status - - * release_name.c (gss_release_name): set minor_status - - * release_cred.c (gss_release_cred): set minor_status - - * add_oid_set_member.c (gss_add_oid_set_member): set minor_status - - * compare_name.c (gss_compare_name): set minor_status - - * compat.c (check_compat): make sure ret have a defined value - - * context_time.c (gss_context_time): set minor_status - - * copy_ccache.c (gss_krb5_copy_ccache): set minor_status - - * create_emtpy_oid_set.c (gss_create_empty_oid_set): set - minor_status - - * delete_sec_context.c (gss_delete_sec_context): set minor_status - - * display_name.c (gss_display_name): set minor_status - - * display_status.c (gss_display_status): use gss_oid_equal, handle - supplementary errors - - * duplicate_name.c (gss_duplicate_name): set minor_status - - * inquire_context.c (gss_inquire_context): set lifetime_rec now - when we know it, set minor_status - - * inquire_cred.c (gss_inquire_cred): take care to set export value - to something sane before we start so caller will have harmless - values in them if the function fails - - * accept_sec_context.c (gss_accept_sec_context): take care to set - export value to something sane before we start so caller will have - harmless values in them if then function fails, set lifetime from - ticket expiration date - - * indicate_mechs.c (gss_indicate_mechs): use - gss_create_empty_oid_set and gss_add_oid_set_member - - * gssapi.h (gss_ctx_id_t_desc): store the lifetime in the cred, - since there is no ticket transfered in the exported context - - * export_name.c (gss_export_name): export name with - GSS_C_NT_EXPORT_NAME wrapping, not just 
the principal - - * import_name.c (import_export_name): new function, parses a - GSS_C_NT_EXPORT_NAME - (import_krb5_name): factor out common code of parsing krb5 name - (gss_oid_equal): rename from oid_equal - - * gssapi_locl.h: add prototypes for gss_oid_equal and - gss_verify_mic_internal - - * gssapi.h: comment out the argument names - -2003-03-15 Love Hörnquist Åstrand - - * gssapi.3: add LIST OF FUNCTIONS and copyright/license - - * Makefile.am: s/gss_aquire_cred.3/gss_acquire_cred.3/ - - * Makefile.am: man_MANS += gss_aquire_cred.3 - -2003-03-14 Love Hörnquist Åstrand - - * gss_aquire_cred.3: the gssapi api manpage - -2003-03-03 Love Hörnquist Åstrand - - * inquire_context.c: (gss_inquire_context): rename argument open - to open_context - - * gssapi.h (gss_inquire_context): rename argument open to open_context - -2003-02-27 Love Hörnquist Åstrand - - * init_sec_context.c (do_delegation): remove unused variable - subkey - - * gssapi.3: all 0.5.x version had broken token delegation - -2003-02-21 Love Hörnquist Åstrand - - * (init_auth): only generate one subkey - -2003-01-27 Love Hörnquist Åstrand - - * verify_mic.c (verify_mic_des3): fix 3des verify_mic to conform - to rfc (and mit kerberos), provide backward compat hook - - * get_mic.c (mic_des3): fix 3des get_mic to conform to rfc (and - mit kerberos), provide backward compat hook - - * init_sec_context.c (init_auth): check if we need compat for - older get_mic/verify_mic - - * gssapi_locl.h: add prototype for _gss_DES3_get_mic_compat - - * gssapi.h (more_flags): add COMPAT_OLD_DES3 - - * Makefile.am: add gssapi.3 and compat.c - - * gssapi.3: add gssapi COMPATIBILITY documentation - - * accept_sec_context.c (gss_accept_sec_context): check if we need - compat for older get_mic/verify_mic - - * compat.c: check for compatiblity with other heimdal's 3des - get_mic/verify_mic - -2002-10-31 Johan Danielsson - - * check return value from gssapi_krb5_init - - * 8003.c (gssapi_krb5_verify_8003_checksum): check size 
of input - -2002-09-03 Johan Danielsson - - * wrap.c (wrap_des3): use ETYPE_DES3_CBC_NONE - - * unwrap.c (unwrap_des3): use ETYPE_DES3_CBC_NONE - -2002-09-02 Johan Danielsson - - * init_sec_context.c: we need to generate a local subkey here - -2002-08-20 Jacques Vidrine - - * acquire_cred.c, inquire_cred.c, release_cred.c: Use default - credential resolution if gss_acquire_cred is called with - GSS_C_NO_NAME. - -2002-06-20 Jacques Vidrine - - * import_name.c: Compare name types by value if pointers do - not match. Reported by: "Douglas E. Engert" - -2002-05-20 Jacques Vidrine - - * verify_mic.c (gss_verify_mic), unwrap.c (gss_unwrap): initialize - the qop_state parameter. from Doug Rabson - -2002-05-09 Jacques Vidrine - - * acquire_cred.c: handle GSS_C_INITIATE/GSS_C_ACCEPT/GSS_C_BOTH - -2002-05-08 Jacques Vidrine - - * acquire_cred.c: initialize gssapi; handle null desired_name - -2002-03-22 Johan Danielsson - - * Makefile.am: remove non-functional stuff accidentally committed - -2002-03-11 Assar Westerlund - - * Makefile.am (libgssapi_la_LDFLAGS): bump version to 3:5:2 - * 8003.c (gssapi_krb5_verify_8003_checksum): handle zero channel - bindings - -2001-10-31 Jacques Vidrine - - * get_mic.c (mic_des3): MIC computation using DES3/SHA1 - was bogusly appending the message buffer to the result, - overwriting a heap buffer in the process. - -2001-08-29 Assar Westerlund - - * 8003.c (gssapi_krb5_verify_8003_checksum, - gssapi_krb5_create_8003_checksum): make more consistent by always - returning an gssapi error and setting minor status. update - callers - -2001-08-28 Jacques Vidrine - - * accept_sec_context.c: Create a cache for delegated credentials - when needed. 
- -2001-08-28 Assar Westerlund - - * Makefile.am (libgssapi_la_LDFLAGS): set version to 3:4:2 - -2001-08-23 Assar Westerlund - - * *.c: handle minor_status more consistently - - * display_status.c (gss_display_status): handle krb5_get_err_text - failing - -2001-08-15 Johan Danielsson - - * gssapi_locl.h: fix prototype for gssapi_krb5_init - -2001-08-13 Johan Danielsson - - * accept_sec_context.c (gsskrb5_register_acceptor_identity): init - context and check return value from kt_resolve - - * init.c: return error code - -2001-07-19 Assar Westerlund - - * Makefile.am (libgssapi_la_LDFLAGS): update to 3:3:2 - -2001-07-12 Assar Westerlund - - * Makefile.am (libgssapi_la_LIBADD): add required library - dependencies - -2001-07-06 Assar Westerlund - - * accept_sec_context.c (gsskrb5_register_acceptor_identity): set - the keytab to be used for gss_acquire_cred too' - -2001-07-03 Assar Westerlund - - * Makefile.am (libgssapi_la_LDFLAGS): set version to 3:2:2 - -2001-06-18 Assar Westerlund - - * wrap.c: replace gss_krb5_getsomekey with gss_krb5_get_localkey - and gss_krb5_get_remotekey - * verify_mic.c: update krb5_auth_con function names use - gss_krb5_get_remotekey - * unwrap.c: replace gss_krb5_getsomekey with gss_krb5_get_localkey - and gss_krb5_get_remotekey - * gssapi_locl.h (gss_krb5_get_remotekey, gss_krb5_get_localkey): - add prototypes - * get_mic.c: update krb5_auth_con function names. use - gss_krb5_get_localkey - * accept_sec_context.c: update krb5_auth_con function names - -2001-05-17 Assar Westerlund - - * Makefile.am: bump version to 3:1:2 - -2001-05-14 Assar Westerlund - - * address_to_krb5addr.c: adapt to new address functions - -2001-05-11 Assar Westerlund - - * try to return the error string from libkrb5 where applicable - -2001-05-08 Assar Westerlund - - * delete_sec_context.c (gss_delete_sec_context): remember to free - the memory used by the ticket itself. 
from - -2001-05-04 Assar Westerlund - - * gssapi_locl.h: add config.h for completeness - * gssapi.h: remove config.h, this is an installed header file - sys/types.h is not needed either - -2001-03-12 Assar Westerlund - - * acquire_cred.c (gss_acquire_cred): remove memory leaks. from - Jason R Thorpe - -2001-02-18 Assar Westerlund - - * accept_sec_context.c (gss_accept_sec_context): either return - gss_name NULL-ed or set - - * import_name.c: set minor_status in some cases where it was not - done - -2001-02-15 Assar Westerlund - - * wrap.c: use krb5_generate_random_block for the confounders - -2001-01-30 Assar Westerlund - - * Makefile.am (libgssapi_la_LDFLAGS): bump version to 3:0:2 - * acquire_cred.c, init_sec_context.c, release_cred.c: add support - for getting creds from a keytab, from fvdl@netbsd.org - - * copy_ccache.c: add gss_krb5_copy_ccache - -2001-01-27 Assar Westerlund - - * get_mic.c: cast parameters to des function to non-const pointers - to handle the case where these functions actually take non-const - des_cblock * - -2001-01-09 Assar Westerlund - - * accept_sec_context.c (gss_accept_sec_context): use krb5_rd_cred2 - instead of krb5_rd_cred - -2000-12-11 Assar Westerlund - - * Makefile.am (libgssapi_la_LDFLAGS): bump to 2:3:1 - -2000-12-08 Assar Westerlund - - * wrap.c (wrap_des3): use the checksum as ivec when encrypting the - sequence number - * unwrap.c (unwrap_des3): use the checksum as ivec when encrypting - the sequence number - * init_sec_context.c (init_auth): always zero fwd_data - -2000-12-06 Johan Danielsson - - * accept_sec_context.c: de-pointerise auth_context parameter to - krb5_mk_rep - -2000-11-15 Assar Westerlund - - * init_sec_context.c (init_auth): update to new - krb5_build_authenticator - -2000-09-19 Assar Westerlund - - * Makefile.am (libgssapi_la_LDFLAGS): bump to 2:2:1 - -2000-08-27 Assar Westerlund - - * init_sec_context.c: actually pay attention to `time_req' - * init_sec_context.c: re-organize. leak less memory. 
- * gssapi_locl.h (gssapi_krb5_encapsulate, gss_krb5_getsomekey): - update prototypes add assert.h - * gssapi.h (GSS_KRB5_CONF_C_QOP_DES, GSS_KRB5_CONF_C_QOP_DES3_KD): - add - * verify_mic.c: re-organize and add 3DES code - * wrap.c: re-organize and add 3DES code - * unwrap.c: re-organize and add 3DES code - * get_mic.c: re-organize and add 3DES code - * encapsulate.c (gssapi_krb5_encapsulate): do not free `in_data', - let the caller do that. fix the callers. - -2000-08-16 Assar Westerlund - - * Makefile.am: bump version to 2:1:1 - -2000-07-29 Assar Westerlund - - * decapsulate.c (gssapi_krb5_verify_header): sanity-check length - -2000-07-25 Johan Danielsson - - * Makefile.am: bump version to 2:0:1 - -2000-07-22 Assar Westerlund - - * gssapi.h: update OID for GSS_C_NT_HOSTBASED_SERVICE and other - details from rfc2744 - -2000-06-29 Assar Westerlund - - * address_to_krb5addr.c (gss_address_to_krb5addr): actually use - `int' instead of `sa_family_t' for the address family. - -2000-06-21 Assar Westerlund - - * add support for token delegation. From Daniel Kouril - and Miroslav Ruda - -2000-05-15 Assar Westerlund - - * Makefile.am (libgssapi_la_LDFLAGS): set version to 1:1:1 - -2000-04-12 Assar Westerlund - - * release_oid_set.c (gss_release_oid_set): clear set for - robustness. From GOMBAS Gabor - * release_name.c (gss_release_name): reset input_name for - robustness. From GOMBAS Gabor - * release_buffer.c (gss_release_buffer): set value to NULL to be - more robust. From GOMBAS Gabor - * add_oid_set_member.c (gss_add_oid_set_member): actually check if - the oid is a member first. leave the oid_set unchanged if realloc - fails. - -2000-02-13 Assar Westerlund - - * Makefile.am: set version to 1:0:1 - -2000-02-12 Assar Westerlund - - * gssapi_locl.h: add flags for import/export - * import_sec_context.c (import_sec_context: add flags for what - fields are included. do not include the authenticator for now. 
- * export_sec_context.c (export_sec_context: add flags for what - fields are included. do not include the authenticator for now. - * accept_sec_context.c (gss_accept_sec_context): set target in - context_handle - -2000-02-11 Assar Westerlund - - * delete_sec_context.c (gss_delete_sec_context): set context to - GSS_C_NO_CONTEXT - - * Makefile.am: add {export,import}_sec_context.c - * export_sec_context.c: new file - * import_sec_context.c: new file - * accept_sec_context.c (gss_accept_sec_context): set trans flag - -2000-02-07 Assar Westerlund - - * Makefile.am: set version to 0:5:0 - -2000-01-26 Assar Westerlund - - * delete_sec_context.c (gss_delete_sec_context): handle a NULL - output_token - - * wrap.c: update to pseudo-standard APIs for md4,md5,sha. some - changes to libdes calls to make them more portable. - * verify_mic.c: update to pseudo-standard APIs for md4,md5,sha. - some changes to libdes calls to make them more portable. - * unwrap.c: update to pseudo-standard APIs for md4,md5,sha. some - changes to libdes calls to make them more portable. - * get_mic.c: update to pseudo-standard APIs for md4,md5,sha. some - changes to libdes calls to make them more portable. - * 8003.c: update to pseudo-standard APIs for md4,md5,sha. - -2000-01-06 Assar Westerlund - - * Makefile.am: set version to 0:4:0 - -1999-12-26 Assar Westerlund - - * accept_sec_context.c (gss_accept_sec_context): always set - `output_token' - * init_sec_context.c (init_auth): always initialize `output_token' - * delete_sec_context.c (gss_delete_sec_context): always set - `output_token' - -1999-12-06 Assar Westerlund - - * Makefile.am: bump version to 0:3:0 - -1999-10-20 Assar Westerlund - - * Makefile.am: set version to 0:2:0 - -1999-09-21 Assar Westerlund - - * init_sec_context.c (gss_init_sec_context): initialize `ticket' - - * gssapi.h (gss_ctx_id_t_desc): add ticket in here. ick. 
- - * delete_sec_context.c (gss_delete_sec_context): free ticket - - * accept_sec_context.c (gss_accept_sec_context): stove away - `krb5_ticket' in context so that ugly programs such as - gss_nt_server can get at it. uck. - -1999-09-20 Johan Danielsson - - * accept_sec_context.c: set minor_status - -1999-08-04 Assar Westerlund - - * display_status.c (calling_error, routine_error): right shift the - code to make it possible to index into the arrays - -1999-07-28 Assar Westerlund - - * gssapi.h (GSS_C_AF_INET6): add - - * import_name.c (import_hostbased_name): set minor_status - -1999-07-26 Assar Westerlund - - * Makefile.am: set version to 0:1:0 - -Wed Apr 7 14:05:15 1999 Johan Danielsson - - * display_status.c: set minor_status - - * init_sec_context.c: set minor_status - - * lib/gssapi/init.c: remove donep (check gssapi_krb5_context - directly) - diff --git a/crypto/heimdal-0.6.3/lib/gssapi/Makefile.am b/crypto/heimdal-0.6.3/lib/gssapi/Makefile.am deleted file mode 100644 index 2988d6a4aa..0000000000 --- a/crypto/heimdal-0.6.3/lib/gssapi/Makefile.am +++ /dev/null 
@@ -1,66 +0,0 @@
-# $Id: Makefile.am,v 1.44.2.7 2003/10/14 16:13:13 joda Exp $
-
-include $(top_srcdir)/Makefile.am.common
-
-INCLUDES += -I$(srcdir)/../krb5 $(INCLUDE_des) $(INCLUDE_krb4)
-
-lib_LTLIBRARIES = libgssapi.la
-libgssapi_la_LDFLAGS = -version-info 5:0:4
-libgssapi_la_LIBADD = ../krb5/libkrb5.la $(LIB_des) ../asn1/libasn1.la ../roken/libroken.la
-
-man_MANS = gssapi.3 gss_acquire_cred.3
-
-include_HEADERS = gssapi.h
-
-libgssapi_la_SOURCES = \
- 8003.c \
- arcfour.c \
- accept_sec_context.c \
- acquire_cred.c \
- add_cred.c \
- add_oid_set_member.c \
- canonicalize_name.c \
- compare_name.c \
- compat.c \
- context_time.c \
- copy_ccache.c \
- create_emtpy_oid_set.c \
- decapsulate.c \
- delete_sec_context.c \
- display_name.c \
- display_status.c \
- duplicate_name.c \
- encapsulate.c \
- export_sec_context.c \
- export_name.c \
- external.c \
- get_mic.c \
- gssapi.h \
- gssapi_locl.h \
- import_name.c \
- import_sec_context.c \
- indicate_mechs.c \
- init.c \
- init_sec_context.c \
- inquire_context.c \
- inquire_cred.c \
- inquire_cred_by_mech.c \
- inquire_mechs_for_name.c \
- inquire_names_for_mech.c \
- release_buffer.c \
- release_cred.c \
- release_name.c \
- release_oid_set.c \
- process_context_token.c \
- test_oid_set_member.c \
- unwrap.c \
- v1.c \
- verify_mic.c \
- wrap.c \
- address_to_krb5addr.c
-
-#noinst_PROGRAMS = test_acquire_cred
-
-#test_acquire_cred_SOURCES = test_acquire_cred.c
-
-#test_acquire_cred_LDADD = libgssapi.la
diff --git a/crypto/heimdal-0.6.3/lib/gssapi/Makefile.in b/crypto/heimdal-0.6.3/lib/gssapi/Makefile.in
deleted file mode 100644
index 6dee23920e..0000000000
--- a/crypto/heimdal-0.6.3/lib/gssapi/Makefile.in
+++ /dev/null
@@ -1,894 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.44.2.7 2003/10/14 16:13:13 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - - -SOURCES = $(libgssapi_la_SOURCES) - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../.. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(include_HEADERS) $(srcdir)/Makefile.am \ - $(srcdir)/Makefile.in $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common ChangeLog -subdir = lib/gssapi -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - 
$(top_srcdir)/cf/krb-struct-spwd.m4 \ - $(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(includedir)" -libLTLIBRARIES_INSTALL = $(INSTALL) -LTLIBRARIES = $(lib_LTLIBRARIES) -am__DEPENDENCIES_1 = -libgssapi_la_DEPENDENCIES = ../krb5/libkrb5.la $(am__DEPENDENCIES_1) \ - ../asn1/libasn1.la ../roken/libroken.la -am_libgssapi_la_OBJECTS = 8003.lo arcfour.lo accept_sec_context.lo \ - acquire_cred.lo add_cred.lo add_oid_set_member.lo \ - canonicalize_name.lo compare_name.lo compat.lo context_time.lo \ - copy_ccache.lo create_emtpy_oid_set.lo decapsulate.lo \ - delete_sec_context.lo display_name.lo display_status.lo \ - duplicate_name.lo encapsulate.lo export_sec_context.lo \ - export_name.lo external.lo get_mic.lo import_name.lo \ - import_sec_context.lo indicate_mechs.lo init.lo \ - init_sec_context.lo inquire_context.lo inquire_cred.lo \ - inquire_cred_by_mech.lo inquire_mechs_for_name.lo \ - inquire_names_for_mech.lo release_buffer.lo release_cred.lo \ - release_name.lo release_oid_set.lo process_context_token.lo \ - test_oid_set_member.lo unwrap.lo v1.lo verify_mic.lo wrap.lo \ - address_to_krb5addr.lo -libgssapi_la_OBJECTS = $(am_libgssapi_la_OBJECTS) -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -SOURCES = $(libgssapi_la_SOURCES) -DIST_SOURCES = $(libgssapi_la_SOURCES) -man3dir = $(mandir)/man3 -MANS = $(man_MANS) -includeHEADERS_INSTALL = $(INSTALL_HEADER) -HEADERS = $(include_HEADERS) -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = 
@HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = 
@LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = 
@do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -I$(srcdir)/../krb5 $(INCLUDE_des) $(INCLUDE_krb4) -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la 
-@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -lib_LTLIBRARIES = libgssapi.la -libgssapi_la_LDFLAGS = -version-info 5:0:4 -libgssapi_la_LIBADD = ../krb5/libkrb5.la $(LIB_des) ../asn1/libasn1.la ../roken/libroken.la -man_MANS = gssapi.3 gss_acquire_cred.3 -include_HEADERS = gssapi.h -libgssapi_la_SOURCES = \ - 8003.c \ - arcfour.c \ - accept_sec_context.c \ - acquire_cred.c \ - add_cred.c \ - add_oid_set_member.c \ - canonicalize_name.c \ - compare_name.c \ - compat.c \ - context_time.c \ - copy_ccache.c \ - create_emtpy_oid_set.c \ - decapsulate.c \ - delete_sec_context.c \ - display_name.c \ - display_status.c \ - duplicate_name.c \ - encapsulate.c \ - export_sec_context.c \ - export_name.c \ - external.c \ - get_mic.c \ - gssapi.h \ - gssapi_locl.h \ - import_name.c \ - import_sec_context.c \ - indicate_mechs.c \ - init.c \ - init_sec_context.c \ - inquire_context.c \ - inquire_cred.c \ - inquire_cred_by_mech.c \ - inquire_mechs_for_name.c \ - inquire_names_for_mech.c \ - release_buffer.c \ - release_cred.c \ - release_name.c \ - release_oid_set.c \ - process_context_token.c \ - test_oid_set_member.c \ - unwrap.c \ - v1.c \ - verify_mic.c \ - wrap.c \ - address_to_krb5addr.c - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps lib/gssapi/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps lib/gssapi/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' 
in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -install-libLTLIBRARIES: $(lib_LTLIBRARIES) - @$(NORMAL_INSTALL) - test -z "$(libdir)" || $(mkdir_p) "$(DESTDIR)$(libdir)" - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - if test -f $$p; then \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \ - $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \ - else :; fi; \ - done - -uninstall-libLTLIBRARIES: - @$(NORMAL_UNINSTALL) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - p="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \ - $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \ - done - -clean-libLTLIBRARIES: - -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ - test "$$dir" = "$$p" && dir=.; \ - echo "rm -f \"$${dir}/so_locations\""; \ - rm -f "$${dir}/so_locations"; \ - done -libgssapi.la: $(libgssapi_la_OBJECTS) $(libgssapi_la_DEPENDENCIES) - $(LINK) -rpath $(libdir) $(libgssapi_la_LDFLAGS) $(libgssapi_la_OBJECTS) $(libgssapi_la_LIBADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - 
-distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c $< - -.c.obj: - $(COMPILE) -c `$(CYGPATH_W) '$<'` - -.c.lo: - $(LTCOMPILE) -c -o $@ $< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -install-man3: $(man3_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - test -z "$(man3dir)" || $(mkdir_p) "$(DESTDIR)$(man3dir)" - @list='$(man3_MANS) $(dist_man3_MANS) $(nodist_man3_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.3*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 3*) ;; \ - *) ext='3' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man3dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man3dir)/$$inst"; \ - done -uninstall-man3: - @$(NORMAL_UNINSTALL) - @list='$(man3_MANS) $(dist_man3_MANS) $(nodist_man3_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.3*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 3*) ;; \ - *) ext='3' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f '$(DESTDIR)$(man3dir)/$$inst'"; \ - rm -f "$(DESTDIR)$(man3dir)/$$inst"; \ - done -install-includeHEADERS: $(include_HEADERS) - @$(NORMAL_INSTALL) - test -z "$(includedir)" || $(mkdir_p) "$(DESTDIR)$(includedir)" - @list='$(include_HEADERS)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f="`echo $$p | sed -e 
's|^.*/||'`"; \ - echo " $(includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \ - $(includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \ - done - -uninstall-includeHEADERS: - @$(NORMAL_UNINSTALL) - @list='$(include_HEADERS)'; for p in $$list; do \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " rm -f '$(DESTDIR)$(includedir)/$$f'"; \ - rm -f "$(DESTDIR)$(includedir)/$$f"; \ - done - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/../.. 
$(distdir)/../../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(LTLIBRARIES) $(MANS) $(HEADERS) all-local -installdirs: - for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(includedir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes 
files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ - mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: install-includeHEADERS install-man - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: install-libLTLIBRARIES - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man3 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-includeHEADERS uninstall-info-am \ - uninstall-libLTLIBRARIES uninstall-man - -uninstall-man: uninstall-man3 - -.PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \ - clean clean-generic clean-libLTLIBRARIES clean-libtool ctags \ - distclean distclean-compile distclean-generic \ - distclean-libtool distclean-tags distdir dvi dvi-am html \ - html-am info info-am install install-am install-data \ - install-data-am install-exec install-exec-am \ - install-includeHEADERS install-info install-info-am \ - install-libLTLIBRARIES install-man install-man3 install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags uninstall uninstall-am uninstall-includeHEADERS \ - uninstall-info-am uninstall-libLTLIBRARIES uninstall-man \ - uninstall-man3 - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; 
\ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - 
x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -#noinst_PROGRAMS = test_acquire_cred - -#test_acquire_cred_SOURCES = test_acquire_cred.c - -#test_acquire_cred_LDADD = libgssapi.la -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal-0.6.3/lib/gssapi/accept_sec_context.c b/crypto/heimdal-0.6.3/lib/gssapi/accept_sec_context.c deleted file mode 100644 index d923c36fd5..0000000000 --- a/crypto/heimdal-0.6.3/lib/gssapi/accept_sec_context.c +++ /dev/null 
@@ -1,445 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: accept_sec_context.c,v 1.33.2.2 2003/12/19 00:37:06 lha Exp $");
-
-krb5_keytab gssapi_krb5_keytab;
-
-OM_uint32
-gsskrb5_register_acceptor_identity (const char *identity)
-{
- krb5_error_code ret;
- char *p;
-
- ret = gssapi_krb5_init();
- if(ret)
- return GSS_S_FAILURE;
-
- if(gssapi_krb5_keytab != NULL) {
- krb5_kt_close(gssapi_krb5_context, gssapi_krb5_keytab);
- gssapi_krb5_keytab = NULL;
- }
- asprintf(&p, "FILE:%s", identity);
- if(p == NULL)
- return GSS_S_FAILURE;
- ret = krb5_kt_resolve(gssapi_krb5_context, p, &gssapi_krb5_keytab);
- free(p);
- if(ret)
- return GSS_S_FAILURE;
- return GSS_S_COMPLETE;
-}
-
-OM_uint32
-gss_accept_sec_context
- (OM_uint32 * minor_status,
- gss_ctx_id_t * context_handle,
- const gss_cred_id_t acceptor_cred_handle,
- const gss_buffer_t input_token_buffer,
- const gss_channel_bindings_t input_chan_bindings,
- gss_name_t * src_name,
- gss_OID * mech_type,
- gss_buffer_t output_token,
- OM_uint32 * ret_flags,
- OM_uint32 * time_rec,
- gss_cred_id_t * delegated_cred_handle
- )
-{
- krb5_error_code kret;
- OM_uint32 ret = GSS_S_COMPLETE;
- krb5_data indata;
- krb5_flags ap_options;
- OM_uint32 flags;
- krb5_ticket *ticket = NULL;
- krb5_keytab keytab = NULL;
- krb5_data fwd_data;
- OM_uint32 minor;
-
- GSSAPI_KRB5_INIT();
-
- krb5_data_zero (&fwd_data);
- output_token->length = 0;
- output_token->value = NULL;
-
- if (src_name != NULL)
- *src_name = NULL;
- if (mech_type)
- *mech_type = GSS_KRB5_MECHANISM;
-
- if (*context_handle == GSS_C_NO_CONTEXT) {
- *context_handle = malloc(sizeof(**context_handle));
- if (*context_handle == GSS_C_NO_CONTEXT) {
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
- }
-
- (*context_handle)->auth_context = NULL;
- (*context_handle)->source = NULL;
- (*context_handle)->target = NULL;
- (*context_handle)->flags = 0;
- (*context_handle)->more_flags = 0;
- (*context_handle)->ticket = NULL;
- (*context_handle)->lifetime = GSS_C_INDEFINITE;
-
- kret =
krb5_auth_con_init (gssapi_krb5_context,
- &(*context_handle)->auth_context);
- if (kret) {
- ret = GSS_S_FAILURE;
- *minor_status = kret;
- gssapi_krb5_set_error_string ();
- goto failure;
- }
-
- if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS
- && input_chan_bindings->application_data.length ==
- 2 * sizeof((*context_handle)->auth_context->local_port)
- ) {
-
- /* Port numbers are expected to be in application_data.value,
- * initator's port first */
-
- krb5_address initiator_addr, acceptor_addr;
-
- memset(&initiator_addr, 0, sizeof(initiator_addr));
- memset(&acceptor_addr, 0, sizeof(acceptor_addr));
-
- (*context_handle)->auth_context->remote_port =
- *(int16_t *) input_chan_bindings->application_data.value;
-
- (*context_handle)->auth_context->local_port =
- *((int16_t *) input_chan_bindings->application_data.value + 1);
-
-
- kret = gss_address_to_krb5addr(input_chan_bindings->acceptor_addrtype,
- &input_chan_bindings->acceptor_address,
- (*context_handle)->auth_context->local_port,
- &acceptor_addr);
- if (kret) {
- gssapi_krb5_set_error_string ();
- ret = GSS_S_BAD_BINDINGS;
- *minor_status = kret;
- goto failure;
- }
-
- kret = gss_address_to_krb5addr(input_chan_bindings->initiator_addrtype,
- &input_chan_bindings->initiator_address,
- (*context_handle)->auth_context->remote_port,
- &initiator_addr);
- if (kret) {
- krb5_free_address (gssapi_krb5_context, &acceptor_addr);
- gssapi_krb5_set_error_string ();
- ret = GSS_S_BAD_BINDINGS;
- *minor_status = kret;
- goto failure;
- }
-
- kret = krb5_auth_con_setaddrs(gssapi_krb5_context,
- (*context_handle)->auth_context,
- &acceptor_addr, /* local address */
- &initiator_addr); /* remote address */
-
- krb5_free_address (gssapi_krb5_context, &initiator_addr);
- krb5_free_address (gssapi_krb5_context, &acceptor_addr);
-
-#if 0
- free(input_chan_bindings->application_data.value);
- input_chan_bindings->application_data.value = NULL;
- input_chan_bindings->application_data.length = 0;
-#endif
-
- if (kret)
{
- gssapi_krb5_set_error_string ();
- ret = GSS_S_BAD_BINDINGS;
- *minor_status = kret;
- goto failure;
- }
- }
-
-
-
- {
- int32_t tmp;
-
- krb5_auth_con_getflags(gssapi_krb5_context,
- (*context_handle)->auth_context,
- &tmp);
- tmp |= KRB5_AUTH_CONTEXT_DO_SEQUENCE;
- krb5_auth_con_setflags(gssapi_krb5_context,
- (*context_handle)->auth_context,
- tmp);
- }
-
- ret = gssapi_krb5_decapsulate (minor_status,
- input_token_buffer,
- &indata,
- "\x01\x00");
- if (ret)
- goto failure;
-
- if (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) {
- if (gssapi_krb5_keytab != NULL) {
- keytab = gssapi_krb5_keytab;
- }
- } else if (acceptor_cred_handle->keytab != NULL) {
- keytab = acceptor_cred_handle->keytab;
- }
-
- kret = krb5_rd_req (gssapi_krb5_context,
- &(*context_handle)->auth_context,
- &indata,
- (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) ? NULL
- : acceptor_cred_handle->principal,
- keytab,
- &ap_options,
- &ticket);
- if (kret) {
- ret = GSS_S_FAILURE;
- *minor_status = kret;
- gssapi_krb5_set_error_string ();
- goto failure;
- }
-
- kret = krb5_copy_principal (gssapi_krb5_context,
- ticket->client,
- &(*context_handle)->source);
- if (kret) {
- ret = GSS_S_FAILURE;
- *minor_status = kret;
- gssapi_krb5_set_error_string ();
- goto failure;
- }
-
- kret = krb5_copy_principal (gssapi_krb5_context,
- ticket->server,
- &(*context_handle)->target);
- if (kret) {
- ret = GSS_S_FAILURE;
- *minor_status = kret;
- gssapi_krb5_set_error_string ();
- goto failure;
- }
-
- ret = _gss_DES3_get_mic_compat(minor_status, *context_handle);
- if (ret)
- goto failure;
-
- if (src_name != NULL) {
- kret = krb5_copy_principal (gssapi_krb5_context,
- ticket->client,
- src_name);
- if (kret) {
- ret = GSS_S_FAILURE;
- *minor_status = kret;
- gssapi_krb5_set_error_string ();
- goto failure;
- }
- }
-
- {
- krb5_authenticator authenticator;
-
- kret = krb5_auth_con_getauthenticator(gssapi_krb5_context,
- (*context_handle)->auth_context,
- &authenticator);
- if(kret) {
- ret =
GSS_S_FAILURE;
- *minor_status = kret;
- gssapi_krb5_set_error_string ();
- goto failure;
- }
-
- ret = gssapi_krb5_verify_8003_checksum(minor_status,
- input_chan_bindings,
- authenticator->cksum,
- &flags,
- &fwd_data);
- krb5_free_authenticator(gssapi_krb5_context, &authenticator);
- if (ret)
- goto failure;
- }
-
- if (fwd_data.length > 0 && (flags & GSS_C_DELEG_FLAG)) {
- krb5_ccache ccache;
- int32_t ac_flags;
-
- if (delegated_cred_handle == NULL)
- /* XXX Create a new delegated_cred_handle? */
- kret = krb5_cc_default (gssapi_krb5_context, &ccache);
- else if (*delegated_cred_handle == NULL) {
- if ((*delegated_cred_handle =
- calloc(1, sizeof(**delegated_cred_handle))) == NULL) {
- ret = GSS_S_FAILURE;
- *minor_status = ENOMEM;
- krb5_set_error_string(gssapi_krb5_context, "out of memory");
- gssapi_krb5_set_error_string();
- goto failure;
- }
- if ((ret = gss_duplicate_name(minor_status, ticket->client,
- &(*delegated_cred_handle)->principal)) != 0) {
- flags &= ~GSS_C_DELEG_FLAG;
- free(*delegated_cred_handle);
- *delegated_cred_handle = NULL;
- goto end_fwd;
- }
- }
- if (delegated_cred_handle != NULL &&
- (*delegated_cred_handle)->ccache == NULL) {
- kret = krb5_cc_gen_new (gssapi_krb5_context,
- &krb5_mcc_ops,
- &(*delegated_cred_handle)->ccache);
- ccache = (*delegated_cred_handle)->ccache;
- }
- if (delegated_cred_handle != NULL &&
- (*delegated_cred_handle)->mechanisms == NULL) {
- ret = gss_create_empty_oid_set(minor_status,
- &(*delegated_cred_handle)->mechanisms);
- if (ret)
- goto failure;
- ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
- &(*delegated_cred_handle)->mechanisms);
- if (ret)
- goto failure;
- }
-
- if (kret) {
- flags &= ~GSS_C_DELEG_FLAG;
- goto end_fwd;
- }
-
- kret = krb5_cc_initialize(gssapi_krb5_context,
- ccache,
- *src_name);
- if (kret) {
- flags &= ~GSS_C_DELEG_FLAG;
- goto end_fwd;
- }
-
- krb5_auth_con_getflags(gssapi_krb5_context,
- (*context_handle)->auth_context,
- &ac_flags);
-
krb5_auth_con_setflags(gssapi_krb5_context,
- (*context_handle)->auth_context,
- ac_flags & ~KRB5_AUTH_CONTEXT_DO_TIME);
- kret = krb5_rd_cred2(gssapi_krb5_context,
- (*context_handle)->auth_context,
- ccache,
- &fwd_data);
- krb5_auth_con_setflags(gssapi_krb5_context,
- (*context_handle)->auth_context,
- ac_flags);
- if (kret) {
- flags &= ~GSS_C_DELEG_FLAG;
- goto end_fwd;
- }
-
- end_fwd:
- free(fwd_data.data);
- }
-
-
- flags |= GSS_C_TRANS_FLAG;
-
- if (ret_flags)
- *ret_flags = flags;
- (*context_handle)->lifetime = ticket->ticket.endtime;
- (*context_handle)->flags = flags;
- (*context_handle)->more_flags |= OPEN;
-
- if (mech_type)
- *mech_type = GSS_KRB5_MECHANISM;
-
- if (time_rec) {
- ret = gssapi_lifetime_left(minor_status,
- (*context_handle)->lifetime,
- time_rec);
- if (ret)
- goto failure;
- }
-
- if(flags & GSS_C_MUTUAL_FLAG) {
- krb5_data outbuf;
-
- kret = krb5_mk_rep (gssapi_krb5_context,
- (*context_handle)->auth_context,
- &outbuf);
- if (kret) {
- ret = GSS_S_FAILURE;
- *minor_status = kret;
- gssapi_krb5_set_error_string ();
- goto failure;
- }
- ret = gssapi_krb5_encapsulate (minor_status,
- &outbuf,
- output_token,
- "\x02\x00");
- krb5_data_free (&outbuf);
- if (ret)
- goto failure;
- } else {
- output_token->length = 0;
- output_token->value = NULL;
- }
-
- (*context_handle)->ticket = ticket;
- ticket = NULL;
-
-#if 0
- krb5_free_ticket (context, ticket);
-#endif
-
- *minor_status = 0;
- return GSS_S_COMPLETE;
-
- failure:
- if (fwd_data.length > 0)
- free(fwd_data.data);
- if (ticket != NULL)
- krb5_free_ticket (gssapi_krb5_context, ticket);
- krb5_auth_con_free (gssapi_krb5_context,
- (*context_handle)->auth_context);
- if((*context_handle)->source)
- krb5_free_principal (gssapi_krb5_context,
- (*context_handle)->source);
- if((*context_handle)->target)
- krb5_free_principal (gssapi_krb5_context,
- (*context_handle)->target);
- free (*context_handle);
- if (src_name != NULL) {
- gss_release_name (&minor, src_name);
- *src_name = NULL;
- }
- *context_handle = GSS_C_NO_CONTEXT;
- return ret;
-}
diff --git a/crypto/heimdal-0.6.3/lib/gssapi/acquire_cred.c b/crypto/heimdal-0.6.3/lib/gssapi/acquire_cred.c
deleted file mode 100644
index dfe2b4cca5..0000000000
--- a/crypto/heimdal-0.6.3/lib/gssapi/acquire_cred.c
+++ /dev/null
@@ -1,309 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: acquire_cred.c,v 1.13.2.1 2003/08/15 14:18:24 lha Exp $");
-
-static krb5_error_code
-get_keytab(krb5_keytab *keytab)
-{
- char kt_name[256];
- krb5_error_code kret;
-
- if (gssapi_krb5_keytab != NULL) {
- kret = krb5_kt_get_name(gssapi_krb5_context,
- gssapi_krb5_keytab,
- kt_name, sizeof(kt_name));
- if (kret == 0)
- kret = krb5_kt_resolve(gssapi_krb5_context, kt_name, keytab);
- } else
- kret = krb5_kt_default(gssapi_krb5_context, keytab);
- return (kret);
-}
-
-static OM_uint32 acquire_initiator_cred
- (OM_uint32 * minor_status,
- const gss_name_t desired_name,
- OM_uint32 time_req,
- const gss_OID_set desired_mechs,
- gss_cred_usage_t cred_usage,
- gss_cred_id_t handle,
- gss_OID_set * actual_mechs,
- OM_uint32 * time_rec
- )
-{
- OM_uint32 ret;
- krb5_creds cred;
- krb5_principal def_princ;
- krb5_get_init_creds_opt opt;
- krb5_ccache ccache;
- krb5_keytab keytab;
- krb5_error_code kret;
-
- keytab = NULL;
- ccache = NULL;
- def_princ = NULL;
- ret = GSS_S_FAILURE;
- memset(&cred, 0, sizeof(cred));
-
- kret = krb5_cc_default(gssapi_krb5_context, &ccache);
- if (kret)
- goto end;
- kret = krb5_cc_get_principal(gssapi_krb5_context, ccache,
- &def_princ);
- if (kret != 0) {
- /* we'll try to use a keytab below */
- krb5_cc_destroy(gssapi_krb5_context, ccache);
- ccache = NULL;
- kret = 0;
- } else if (handle->principal == NULL) {
- kret = krb5_copy_principal(gssapi_krb5_context, def_princ,
- &handle->principal);
- if (kret)
- goto end;
- } else if (handle->principal != NULL &&
- krb5_principal_compare(gssapi_krb5_context, handle->principal,
- def_princ) == FALSE) {
- /* Before failing, lets check the keytab */
- krb5_free_principal(gssapi_krb5_context, def_princ);
- def_princ = NULL;
- }
- if (def_princ == NULL) {
- /* We have no existing credentials cache,
- * so attempt to get a TGT using a keytab.
- */
- if (handle->principal == NULL) {
- kret = krb5_get_default_principal(gssapi_krb5_context,
- &handle->principal);
- if (kret)
- goto end;
- }
- kret = get_keytab(&keytab);
- if (kret)
- goto end;
- krb5_get_init_creds_opt_init(&opt);
- kret = krb5_get_init_creds_keytab(gssapi_krb5_context, &cred,
- handle->principal, keytab, 0, NULL, &opt);
- if (kret)
- goto end;
- kret = krb5_cc_gen_new(gssapi_krb5_context, &krb5_mcc_ops,
- &ccache);
- if (kret)
- goto end;
- kret = krb5_cc_initialize(gssapi_krb5_context, ccache, cred.client);
- if (kret)
- goto end;
- kret = krb5_cc_store_cred(gssapi_krb5_context, ccache, &cred);
- if (kret)
- goto end;
- handle->lifetime = cred.times.endtime;
- } else {
- krb5_creds in_cred, *out_cred;
- krb5_const_realm realm;
-
- memset(&in_cred, 0, sizeof(in_cred));
- in_cred.client = handle->principal;
-
- realm = krb5_principal_get_realm(gssapi_krb5_context,
- handle->principal);
- if (realm == NULL) {
- kret = KRB5_PRINC_NOMATCH; /* XXX */
- goto end;
- }
-
- kret = krb5_make_principal(gssapi_krb5_context, &in_cred.server,
- realm, KRB5_TGS_NAME, realm, NULL);
- if (kret)
- goto end;
-
- kret = krb5_get_credentials(gssapi_krb5_context, 0,
- ccache, &in_cred, &out_cred);
- krb5_free_principal(gssapi_krb5_context, in_cred.server);
- if (kret)
- goto end;
-
- handle->lifetime = out_cred->times.endtime;
- krb5_free_creds(gssapi_krb5_context, out_cred);
- }
-
- handle->ccache = ccache;
- ret = GSS_S_COMPLETE;
-
-end:
- if (cred.client != NULL)
- krb5_free_creds_contents(gssapi_krb5_context, &cred);
- if (def_princ != NULL)
- krb5_free_principal(gssapi_krb5_context, def_princ);
- if (keytab != NULL)
- krb5_kt_close(gssapi_krb5_context, keytab);
- if (ret != GSS_S_COMPLETE) {
- if (ccache != NULL)
- krb5_cc_close(gssapi_krb5_context, ccache);
- if (kret != 0) {
- *minor_status = kret;
- gssapi_krb5_set_error_string ();
- }
- }
- return (ret);
-}
-
-static OM_uint32 acquire_acceptor_cred
- (OM_uint32 * minor_status,
- const gss_name_t
desired_name,
- OM_uint32 time_req,
- const gss_OID_set desired_mechs,
- gss_cred_usage_t cred_usage,
- gss_cred_id_t handle,
- gss_OID_set * actual_mechs,
- OM_uint32 * time_rec
- )
-{
- OM_uint32 ret;
- krb5_error_code kret;
-
- kret = 0;
- ret = GSS_S_FAILURE;
- kret = get_keytab(&handle->keytab);
- if (kret)
- goto end;
- ret = GSS_S_COMPLETE;
-
-end:
- if (ret != GSS_S_COMPLETE) {
- if (handle->keytab != NULL)
- krb5_kt_close(gssapi_krb5_context, handle->keytab);
- if (kret != 0) {
- *minor_status = kret;
- gssapi_krb5_set_error_string ();
- }
- }
- return (ret);
-}
-
-OM_uint32 gss_acquire_cred
- (OM_uint32 * minor_status,
- const gss_name_t desired_name,
- OM_uint32 time_req,
- const gss_OID_set desired_mechs,
- gss_cred_usage_t cred_usage,
- gss_cred_id_t * output_cred_handle,
- gss_OID_set * actual_mechs,
- OM_uint32 * time_rec
- )
-{
- gss_cred_id_t handle;
- OM_uint32 ret;
-
- GSSAPI_KRB5_INIT ();
-
- *output_cred_handle = NULL;
- if (time_rec)
- *time_rec = 0;
- if (actual_mechs)
- *actual_mechs = GSS_C_NO_OID_SET;
-
- if (desired_mechs) {
- OM_uint32 present = 0;
-
- ret = gss_test_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
- desired_mechs, &present);
- if (ret)
- return ret;
- if (!present) {
- *minor_status = 0;
- return GSS_S_BAD_MECH;
- }
- }
-
- handle = (gss_cred_id_t)malloc(sizeof(*handle));
- if (handle == GSS_C_NO_CREDENTIAL) {
- *minor_status = ENOMEM;
- return (GSS_S_FAILURE);
- }
-
- memset(handle, 0, sizeof (*handle));
-
- if (desired_name != GSS_C_NO_NAME) {
- ret = gss_duplicate_name(minor_status, desired_name,
- &handle->principal);
- if (ret != GSS_S_COMPLETE) {
- free(handle);
- return (ret);
- }
- }
- if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) {
- ret = acquire_initiator_cred(minor_status, desired_name, time_req,
- desired_mechs, cred_usage, handle, actual_mechs, time_rec);
- if (ret != GSS_S_COMPLETE) {
- free(handle);
- return (ret);
- }
- } else if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) {
- ret = acquire_acceptor_cred(minor_status, desired_name, time_req,
- desired_mechs, cred_usage, handle, actual_mechs, time_rec);
- if (ret != GSS_S_COMPLETE) {
- free(handle);
- return (ret);
- }
- } else {
- free(handle);
- *minor_status = GSS_KRB5_S_G_BAD_USAGE;
- return GSS_S_FAILURE;
- }
- ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
- if (ret == GSS_S_COMPLETE)
- ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
- &handle->mechanisms);
- if (ret == GSS_S_COMPLETE)
- ret = gss_inquire_cred(minor_status, handle, NULL, time_rec, NULL,
- actual_mechs);
- if (ret != GSS_S_COMPLETE) {
- if (handle->mechanisms != NULL)
- gss_release_oid_set(NULL, &handle->mechanisms);
- free(handle);
- return (ret);
- }
- *minor_status = 0;
- if (time_rec) {
- ret = gssapi_lifetime_left(minor_status,
- handle->lifetime,
- time_rec);
-
- if (ret)
- return ret;
- }
- handle->usage = cred_usage;
- *output_cred_handle = handle;
- return (GSS_S_COMPLETE);
-}
diff --git a/crypto/heimdal-0.6.3/lib/gssapi/add_cred.c b/crypto/heimdal-0.6.3/lib/gssapi/add_cred.c
deleted file mode 100644
index 53d4f33706..0000000000
--- a/crypto/heimdal-0.6.3/lib/gssapi/add_cred.c
+++ /dev/null
@@ -1,234 +0,0 @@
-/*
- * Copyright (c) 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: add_cred.c,v 1.2.2.1 2003/10/21 21:00:47 lha Exp $");
-
-OM_uint32 gss_add_cred (
- OM_uint32 *minor_status,
- const gss_cred_id_t input_cred_handle,
- const gss_name_t desired_name,
- const gss_OID desired_mech,
- gss_cred_usage_t cred_usage,
- OM_uint32 initiator_time_req,
- OM_uint32 acceptor_time_req,
- gss_cred_id_t *output_cred_handle,
- gss_OID_set *actual_mechs,
- OM_uint32 *initiator_time_rec,
- OM_uint32 *acceptor_time_rec)
-{
- OM_uint32 ret, lifetime;
- gss_cred_id_t cred, handle;
-
- handle = NULL;
- cred = input_cred_handle;
-
- if (gss_oid_equal(desired_mech, GSS_KRB5_MECHANISM) == 0) {
- *minor_status = 0;
- return GSS_S_BAD_MECH;
- }
-
- if (cred == GSS_C_NO_CREDENTIAL && output_cred_handle == NULL) {
- *minor_status = 0;
- return GSS_S_NO_CRED;
- }
-
- /* check if requested output usage is compatible with output usage */
- if (output_cred_handle != NULL &&
- (cred->usage != cred_usage && cred->usage != GSS_C_BOTH)) {
- *minor_status = GSS_KRB5_S_G_BAD_USAGE;
- return(GSS_S_FAILURE);
- }
-
- /* check that we have the same name */
- if (desired_name != GSS_C_NO_NAME &&
- krb5_principal_compare(gssapi_krb5_context, desired_name,
- cred->principal) != FALSE) {
- *minor_status = 0;
- return GSS_S_BAD_NAME;
- }
-
- /* make a copy */
- if (output_cred_handle) {
-
- handle = (gss_cred_id_t)malloc(sizeof(*handle));
- if (handle == GSS_C_NO_CREDENTIAL) {
- *minor_status = ENOMEM;
- return (GSS_S_FAILURE);
- }
-
- memset(handle, 0, sizeof (*handle));
-
- handle->usage = cred_usage;
- handle->lifetime = cred->lifetime;
- handle->principal = NULL;
- handle->keytab = NULL;
- handle->ccache = NULL;
- handle->mechanisms = NULL;
-
- ret = GSS_S_FAILURE;
-
- ret = gss_duplicate_name(minor_status, cred->principal,
- &handle->principal);
- if (ret) {
- free(handle);
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
-
- if (cred->keytab) {
- krb5_error_code kret;
- char name[KRB5_KT_PREFIX_MAX_LEN + MAXPATHLEN];
-
int len;
-
- ret = GSS_S_FAILURE;
-
- kret = krb5_kt_get_type(gssapi_krb5_context, cred->keytab,
- name, KRB5_KT_PREFIX_MAX_LEN);
- if (kret) {
- *minor_status = kret;
- goto failure;
- }
- len = strlen(name);
- name[len++] = ':';
-
- kret = krb5_kt_get_name(gssapi_krb5_context, cred->keytab,
- name + len,
- sizeof(name) - len);
- if (kret) {
- *minor_status = kret;
- goto failure;
- }
-
- kret = krb5_kt_resolve(gssapi_krb5_context, name,
- &handle->keytab);
- if (kret){
- *minor_status = kret;
- goto failure;
- }
- }
-
- if (cred->ccache) {
- krb5_error_code kret;
- const char *type, *name;
- char *type_name;
-
- ret = GSS_S_FAILURE;
-
- type = krb5_cc_get_type(gssapi_krb5_context, cred->ccache);
- if (type == NULL){
- *minor_status = ENOMEM;
- goto failure;
- }
-
- if (strcmp(type, "MEMORY") == 0) {
- ret = krb5_cc_gen_new(gssapi_krb5_context, &krb5_mcc_ops,
- &handle->ccache);
- if (ret) {
- *minor_status = ret;
- goto failure;
- }
-
- ret = krb5_cc_copy_cache(gssapi_krb5_context, cred->ccache,
- handle->ccache);
- if (ret) {
- *minor_status = ret;
- goto failure;
- }
-
- } else {
-
- name = krb5_cc_get_name(gssapi_krb5_context, cred->ccache);
- if (name == NULL) {
- *minor_status = ENOMEM;
- goto failure;
- }
-
- asprintf(&type_name, "%s:%s", type, name);
- if (type_name == NULL) {
- *minor_status = ENOMEM;
- goto failure;
- }
-
- kret = krb5_cc_resolve(gssapi_krb5_context, type_name,
- &handle->ccache);
- free(type_name);
- if (kret) {
- *minor_status = kret;
- goto failure;
- }
- }
- }
-
- ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
- if (ret)
- goto failure;
-
- ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
- &handle->mechanisms);
- if (ret)
- goto failure;
- }
-
- ret = gss_inquire_cred(minor_status, cred, NULL, &lifetime,
- NULL, actual_mechs);
- if (ret)
- goto failure;
-
- if (initiator_time_rec)
- *initiator_time_rec = lifetime;
- if (acceptor_time_rec)
- *acceptor_time_rec = lifetime;
-
- if (output_cred_handle)
- *output_cred_handle = handle;
-
- *minor_status = 0;
- return ret;
-
- failure:
-
- if (handle) {
- if (handle->principal)
- gss_release_name(NULL, &handle->principal);
- if (handle->keytab)
- krb5_kt_close(gssapi_krb5_context, handle->keytab);
- if (handle->ccache)
- krb5_cc_destroy(gssapi_krb5_context, handle->ccache);
- if (handle->mechanisms)
- gss_release_oid_set(NULL, &handle->mechanisms);
- free(handle);
- }
- return ret;
-}
diff --git a/crypto/heimdal-0.6.3/lib/gssapi/add_oid_set_member.c b/crypto/heimdal-0.6.3/lib/gssapi/add_oid_set_member.c
deleted file mode 100644
index ed654fc8c5..0000000000
--- a/crypto/heimdal-0.6.3/lib/gssapi/add_oid_set_member.c
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: add_oid_set_member.c,v 1.8 2003/03/16 17:50:49 lha Exp $");
-
-OM_uint32 gss_add_oid_set_member (
- OM_uint32 * minor_status,
- const gss_OID member_oid,
- gss_OID_set * oid_set
- )
-{
- gss_OID tmp;
- size_t n;
- OM_uint32 res;
- int present;
-
- res = gss_test_oid_set_member(minor_status, member_oid, *oid_set, &present);
- if (res != GSS_S_COMPLETE)
- return res;
-
- if (present) {
- *minor_status = 0;
- return GSS_S_COMPLETE;
- }
-
- n = (*oid_set)->count + 1;
- tmp = realloc ((*oid_set)->elements, n * sizeof(gss_OID_desc));
- if (tmp == NULL) {
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
- (*oid_set)->elements = tmp;
- (*oid_set)->count = n;
- (*oid_set)->elements[n-1] = *member_oid;
- *minor_status = 0;
- return GSS_S_COMPLETE;
-}
diff --git a/crypto/heimdal-0.6.3/lib/gssapi/address_to_krb5addr.c b/crypto/heimdal-0.6.3/lib/gssapi/address_to_krb5addr.c
deleted file mode 100644
index c8041aa936..0000000000
--- a/crypto/heimdal-0.6.3/lib/gssapi/address_to_krb5addr.c
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
- * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-#include
-
-krb5_error_code
-gss_address_to_krb5addr(OM_uint32 gss_addr_type,
- gss_buffer_desc *gss_addr,
- int16_t port,
- krb5_address *address)
-{
- int addr_type;
- struct sockaddr sa;
- int sa_size = sizeof(sa);
- krb5_error_code problem;
-
- if (gss_addr == NULL)
- return GSS_S_FAILURE;
-
- switch (gss_addr_type) {
-#ifdef HAVE_IPV6
- case GSS_C_AF_INET6: addr_type = AF_INET6;
- break;
-#endif /* HAVE_IPV6 */
-
- case GSS_C_AF_INET: addr_type = AF_INET;
- break;
- default:
- return GSS_S_FAILURE;
- }
-
- problem = krb5_h_addr2sockaddr (gssapi_krb5_context,
- addr_type,
- gss_addr->value,
- &sa,
- &sa_size,
- port);
- if (problem)
- return GSS_S_FAILURE;
-
- problem = krb5_sockaddr2address (gssapi_krb5_context, &sa, address);
-
- return problem;
-}
diff --git a/crypto/heimdal-0.6.3/lib/gssapi/arcfour.c b/crypto/heimdal-0.6.3/lib/gssapi/arcfour.c
deleted file mode 100644
index 66d688ca0b..0000000000
--- a/crypto/heimdal-0.6.3/lib/gssapi/arcfour.c
+++ /dev/null
@@ -1,623 +0,0 @@ -/* - * Copyright (c) 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "gssapi_locl.h" - -/* - * Implements draft-brezak-win2k-krb-rc4-hmac-04.txt - */ - -RCSID("$Id: arcfour.c,v 1.12.2.3 2003/09/19 15:15:11 lha Exp $"); - -static krb5_error_code -arcfour_mic_key(krb5_context context, krb5_keyblock *key, - void *cksum_data, size_t cksum_size, - void *key6_data, size_t key6_size) -{ - krb5_error_code ret; - - Checksum cksum_k5; - krb5_keyblock key5; - char k5_data[16]; - - Checksum cksum_k6; - - char T[4]; - - memset(T, 0, 4); - cksum_k5.checksum.data = k5_data; - cksum_k5.checksum.length = sizeof(k5_data); - - if (key->keytype == KEYTYPE_ARCFOUR_56) { - char L40[14] = "fortybits"; - - memcpy(L40 + 10, T, sizeof(T)); - ret = krb5_hmac(context, CKSUMTYPE_RSA_MD5, - L40, 14, 0, key, &cksum_k5); - memset(&k5_data[7], 0xAB, 9); - } else { - ret = krb5_hmac(context, CKSUMTYPE_RSA_MD5, - T, 4, 0, key, &cksum_k5); - } - if (ret) - return ret; - - key5.keytype = KEYTYPE_ARCFOUR; - key5.keyvalue = cksum_k5.checksum; - - cksum_k6.checksum.data = key6_data; - cksum_k6.checksum.length = key6_size; - - return krb5_hmac(context, CKSUMTYPE_RSA_MD5, - cksum_data, cksum_size, 0, &key5, &cksum_k6); -} - - -static krb5_error_code -arcfour_mic_cksum(krb5_keyblock *key, unsigned usage, - u_char *sgn_cksum, size_t sgn_cksum_sz, - const char *v1, size_t l1, - const void *v2, size_t l2, - const void *v3, size_t l3) -{ - Checksum CKSUM; - u_char *ptr; - size_t len; - krb5_crypto crypto; - krb5_error_code ret; - - assert(sgn_cksum_sz == 8); - - len = l1 + l2 + l3; - - ptr = malloc(len); - if (ptr == NULL) - return ENOMEM; - - memcpy(ptr, v1, l1); - memcpy(ptr + l1, v2, l2); - memcpy(ptr + l1 + l2, v3, l3); - - ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto); - if (ret) { - free(ptr); - return ret; - } - - ret = krb5_create_checksum(gssapi_krb5_context, - crypto, - usage, - 0, - ptr, len, - &CKSUM); - free(ptr); - if (ret == 0) { - memcpy(sgn_cksum, CKSUM.checksum.data, sgn_cksum_sz); - free_Checksum(&CKSUM); - } - 
krb5_crypto_destroy(gssapi_krb5_context, crypto); - - return ret; -} - - -OM_uint32 -_gssapi_get_mic_arcfour(OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - gss_qop_t qop_req, - const gss_buffer_t message_buffer, - gss_buffer_t message_token, - krb5_keyblock *key) -{ - krb5_error_code ret; - int32_t seq_number; - size_t len, total_len; - u_char k6_data[16], *p0, *p; - RC4_KEY rc4_key; - - gssapi_krb5_encap_length (22, &len, &total_len); - - message_token->length = total_len; - message_token->value = malloc (total_len); - if (message_token->value == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - p0 = _gssapi_make_mech_header(message_token->value, - len); - p = p0; - - *p++ = 0x01; /* TOK_ID */ - *p++ = 0x01; - *p++ = 0x11; /* SGN_ALG */ - *p++ = 0x00; - *p++ = 0xff; /* Filler */ - *p++ = 0xff; - *p++ = 0xff; - *p++ = 0xff; - - p = NULL; - - ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SIGN, - p0 + 16, 8, /* SGN_CKSUM */ - p0, 8, /* TOK_ID, SGN_ALG, Filer */ - message_buffer->value, message_buffer->length, - NULL, 0); - if (ret) { - gss_release_buffer(minor_status, message_token); - *minor_status = ret; - return GSS_S_FAILURE; - } - - ret = arcfour_mic_key(gssapi_krb5_context, key, - p0 + 16, 8, /* SGN_CKSUM */ - k6_data, sizeof(k6_data)); - if (ret) { - gss_release_buffer(minor_status, message_token); - *minor_status = ret; - return GSS_S_FAILURE; - } - - krb5_auth_con_getlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - &seq_number); - p = p0 + 8; /* SND_SEQ */ - gssapi_encode_be_om_uint32(seq_number, p); - - krb5_auth_con_setlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - ++seq_number); - - memset (p + 4, (context_handle->more_flags & LOCAL) ? 
0 : 0xff, 4); - - RC4_set_key (&rc4_key, sizeof(k6_data), k6_data); - RC4 (&rc4_key, 8, p, p); - - memset(&rc4_key, 0, sizeof(rc4_key)); - memset(k6_data, 0, sizeof(k6_data)); - - *minor_status = 0; - return GSS_S_COMPLETE; -} - - -OM_uint32 -_gssapi_verify_mic_arcfour(OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t message_buffer, - const gss_buffer_t token_buffer, - gss_qop_t * qop_state, - krb5_keyblock *key, - char *type) -{ - krb5_error_code ret; - int32_t seq_number, seq_number2; - OM_uint32 omret; - char cksum_data[8], k6_data[16], SND_SEQ[8]; - u_char *p; - int cmp; - - if (qop_state) - *qop_state = 0; - - p = token_buffer->value; - omret = gssapi_krb5_verify_header (&p, - token_buffer->length, - type); - if (omret) - return omret; - - if (memcmp(p, "\x11\x00", 2) != 0) /* SGN_ALG = HMAC MD5 ARCFOUR */ - return GSS_S_BAD_SIG; - p += 2; - if (memcmp (p, "\xff\xff\xff\xff", 4) != 0) - return GSS_S_BAD_MIC; - p += 4; - - ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SIGN, - cksum_data, sizeof(cksum_data), - p - 8, 8, - message_buffer->value, message_buffer->length, - NULL, 0); - if (ret) { - *minor_status = ret; - return GSS_S_FAILURE; - } - - ret = arcfour_mic_key(gssapi_krb5_context, key, - cksum_data, sizeof(cksum_data), - k6_data, sizeof(k6_data)); - if (ret) { - *minor_status = ret; - return GSS_S_FAILURE; - } - - cmp = memcmp(cksum_data, p + 8, 8); - if (cmp) { - *minor_status = 0; - return GSS_S_BAD_MIC; - } - - { - RC4_KEY rc4_key; - - RC4_set_key (&rc4_key, sizeof(k6_data), k6_data); - RC4 (&rc4_key, 8, p, SND_SEQ); - - memset(&rc4_key, 0, sizeof(rc4_key)); - memset(k6_data, 0, sizeof(k6_data)); - } - - gssapi_decode_be_om_uint32(SND_SEQ, &seq_number); - - if (context_handle->more_flags & LOCAL) - cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4); - else - cmp = memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4); - - memset(SND_SEQ, 0, sizeof(SND_SEQ)); - if (cmp != 0) { - *minor_status = 0; - return GSS_S_BAD_MIC; - } - - 
krb5_auth_con_getlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - &seq_number2); - - if (seq_number != seq_number2) { - *minor_status = 0; - return GSS_S_UNSEQ_TOKEN; - } - - krb5_auth_con_setlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - ++seq_number2); - - *minor_status = 0; - return GSS_S_COMPLETE; -} - -OM_uint32 -_gssapi_wrap_arcfour(OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - int conf_req_flag, - gss_qop_t qop_req, - const gss_buffer_t input_message_buffer, - int * conf_state, - gss_buffer_t output_message_buffer, - krb5_keyblock *key) -{ - u_char Klocaldata[16], k6_data[16], *p, *p0; - size_t len, total_len, datalen; - krb5_keyblock Klocal; - krb5_error_code ret; - int32_t seq_number; - - if (conf_state) - *conf_state = 0; - - datalen = input_message_buffer->length + 1 /* padding */; - len = datalen + 30; - gssapi_krb5_encap_length (len, &len, &total_len); - - output_message_buffer->length = total_len; - output_message_buffer->value = malloc (total_len); - if (output_message_buffer->value == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - p0 = _gssapi_make_mech_header(output_message_buffer->value, - len); - p = p0; - - *p++ = 0x02; /* TOK_ID */ - *p++ = 0x01; - *p++ = 0x11; /* SGN_ALG */ - *p++ = 0x00; - if (conf_req_flag) { - *p++ = 0x10; /* SEAL_ALG */ - *p++ = 0x00; - } else { - *p++ = 0xff; /* SEAL_ALG */ - *p++ = 0xff; - } - *p++ = 0xff; /* Filler */ - *p++ = 0xff; - - p = NULL; - - krb5_auth_con_getlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - &seq_number); - - gssapi_encode_be_om_uint32(seq_number, p0 + 8); - - krb5_auth_con_setlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - ++seq_number); - - memset (p0 + 8 + 4, - (context_handle->more_flags & LOCAL) ? 
0 : 0xff, - 4); - - krb5_generate_random_block(p0 + 24, 8); /* fill in Confounder */ - - /* p points to data */ - p = p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE; - memcpy(p, input_message_buffer->value, input_message_buffer->length); - p[input_message_buffer->length] = 1; /* PADDING */ - - ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SEAL, - p0 + 16, 8, /* SGN_CKSUM */ - p0, 8, /* TOK_ID, SGN_ALG, SEAL_ALG, Filler */ - p0 + 24, 8, /* Confounder */ - p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE, - datalen); - if (ret) { - *minor_status = ret; - gss_release_buffer(minor_status, output_message_buffer); - return GSS_S_FAILURE; - } - - { - int i; - - Klocal.keytype = key->keytype; - Klocal.keyvalue.data = Klocaldata; - Klocal.keyvalue.length = sizeof(Klocaldata); - - for (i = 0; i < 16; i++) - Klocaldata[i] = ((u_char *)key->keyvalue.data)[i] ^ 0xF0; - } - ret = arcfour_mic_key(gssapi_krb5_context, &Klocal, - p0 + 8, 4, /* SND_SEQ */ - k6_data, sizeof(k6_data)); - memset(Klocaldata, 0, sizeof(Klocaldata)); - if (ret) { - gss_release_buffer(minor_status, output_message_buffer); - *minor_status = ret; - return GSS_S_FAILURE; - } - - - if(conf_req_flag) { - RC4_KEY rc4_key; - - RC4_set_key (&rc4_key, sizeof(k6_data), k6_data); - /* XXX ? 
*/ - RC4 (&rc4_key, 8 + datalen, p0 + 24, p0 + 24); /* Confounder + data */ - memset(&rc4_key, 0, sizeof(rc4_key)); - } - memset(k6_data, 0, sizeof(k6_data)); - - ret = arcfour_mic_key(gssapi_krb5_context, key, - p0 + 16, 8, /* SGN_CKSUM */ - k6_data, sizeof(k6_data)); - if (ret) { - gss_release_buffer(minor_status, output_message_buffer); - *minor_status = ret; - return GSS_S_FAILURE; - } - - { - RC4_KEY rc4_key; - - RC4_set_key (&rc4_key, sizeof(k6_data), k6_data); - RC4 (&rc4_key, 8, p0 + 8, p0 + 8); /* SND_SEQ */ - memset(&rc4_key, 0, sizeof(rc4_key)); - memset(k6_data, 0, sizeof(k6_data)); - } - - if (conf_state) - *conf_state = conf_req_flag; - - *minor_status = 0; - return GSS_S_COMPLETE; -} - -OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t input_message_buffer, - gss_buffer_t output_message_buffer, - int *conf_state, - gss_qop_t *qop_state, - krb5_keyblock *key) -{ - u_char Klocaldata[16]; - krb5_keyblock Klocal; - krb5_error_code ret; - int32_t seq_number, seq_number2; - size_t datalen; - OM_uint32 omret; - char k6_data[16], SND_SEQ[8], Confounder[8]; - char cksum_data[8]; - u_char *p, *p0; - int cmp; - int conf_flag; - size_t padlen; - - if (conf_state) - *conf_state = 0; - if (qop_state) - *qop_state = 0; - - p0 = input_message_buffer->value; - omret = _gssapi_verify_mech_header(&p0, - input_message_buffer->length); - if (omret) - return omret; - p = p0; - - datalen = input_message_buffer->length - - (p - ((u_char *)input_message_buffer->value)) - - GSS_ARCFOUR_WRAP_TOKEN_SIZE; - - if (memcmp(p, "\x02\x01", 2) != 0) - return GSS_S_BAD_SIG; - p += 2; - if (memcmp(p, "\x11\x00", 2) != 0) /* SGN_ALG = HMAC MD5 ARCFOUR */ - return GSS_S_BAD_SIG; - p += 2; - - if (memcmp (p, "\x10\x00", 2) == 0) - conf_flag = 1; - else if (memcmp (p, "\xff\xff", 2) == 0) - conf_flag = 0; - else - return GSS_S_BAD_SIG; - - p += 2; - if (memcmp (p, "\xff\xff", 2) != 0) - return GSS_S_BAD_MIC; - p = NULL; - - 
ret = arcfour_mic_key(gssapi_krb5_context, key, - p0 + 16, 8, /* SGN_CKSUM */ - k6_data, sizeof(k6_data)); - if (ret) { - *minor_status = ret; - return GSS_S_FAILURE; - } - - { - RC4_KEY rc4_key; - - RC4_set_key (&rc4_key, sizeof(k6_data), k6_data); - RC4 (&rc4_key, 8, p0 + 8, SND_SEQ); /* SND_SEQ */ - memset(&rc4_key, 0, sizeof(rc4_key)); - memset(k6_data, 0, sizeof(k6_data)); - } - - gssapi_decode_be_om_uint32(SND_SEQ, &seq_number); - - if (context_handle->more_flags & LOCAL) - cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4); - else - cmp = memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4); - - if (cmp != 0) { - *minor_status = 0; - return GSS_S_BAD_MIC; - } - - { - int i; - - Klocal.keytype = key->keytype; - Klocal.keyvalue.data = Klocaldata; - Klocal.keyvalue.length = sizeof(Klocaldata); - - for (i = 0; i < 16; i++) - Klocaldata[i] = ((u_char *)key->keyvalue.data)[i] ^ 0xF0; - } - ret = arcfour_mic_key(gssapi_krb5_context, &Klocal, - SND_SEQ, 4, - k6_data, sizeof(k6_data)); - memset(Klocaldata, 0, sizeof(Klocaldata)); - if (ret) { - *minor_status = ret; - return GSS_S_FAILURE; - } - - output_message_buffer->value = malloc(datalen); - if (output_message_buffer->value == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - output_message_buffer->length = datalen; - - if(conf_flag) { - RC4_KEY rc4_key; - - RC4_set_key (&rc4_key, sizeof(k6_data), k6_data); - RC4 (&rc4_key, 8, p0 + 24, Confounder); /* Confounder */ - RC4 (&rc4_key, datalen, p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE, - output_message_buffer->value); - memset(&rc4_key, 0, sizeof(rc4_key)); - } else { - memcpy(Confounder, p0 + 24, 8); /* Confounder */ - memcpy(output_message_buffer->value, - p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE, - datalen); - } - memset(k6_data, 0, sizeof(k6_data)); - - ret = _gssapi_verify_pad(output_message_buffer, datalen, &padlen); - if (ret) { - gss_release_buffer(minor_status, output_message_buffer); - *minor_status = 0; - return ret; - } - output_message_buffer->length -= padlen; - - 
ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SEAL, - cksum_data, sizeof(cksum_data), - p0, 8, - Confounder, sizeof(Confounder), - output_message_buffer->value, - output_message_buffer->length + padlen); - if (ret) { - gss_release_buffer(minor_status, output_message_buffer); - *minor_status = ret; - return GSS_S_FAILURE; - } - - cmp = memcmp(cksum_data, p0 + 16, 8); /* SGN_CKSUM */ - if (cmp) { - gss_release_buffer(minor_status, output_message_buffer); - *minor_status = 0; - return GSS_S_BAD_MIC; - } - - krb5_auth_getremoteseqnumber (gssapi_krb5_context, - context_handle->auth_context, - &seq_number2); - - if (seq_number != seq_number2) { - *minor_status = 0; - return GSS_S_UNSEQ_TOKEN; - } - - krb5_auth_con_setremoteseqnumber (gssapi_krb5_context, - context_handle->auth_context, - ++seq_number2); - - if (conf_state) - *conf_state = conf_flag; - - *minor_status = 0; - return GSS_S_COMPLETE; -} diff --git a/crypto/heimdal-0.6.3/lib/gssapi/arcfour.h b/crypto/heimdal-0.6.3/lib/gssapi/arcfour.h deleted file mode 100644 index 88bdfb119f..0000000000 --- a/crypto/heimdal-0.6.3/lib/gssapi/arcfour.h +++ /dev/null 
@@ -1,98 +0,0 @@
-/*
- * Copyright (c) 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: arcfour.h,v 1.3.2.2 2003/09/19 15:14:14 lha Exp $ */
-
-#ifndef GSSAPI_ARCFOUR_H_
-#define GSSAPI_ARCFOUR_H_ 1
-
-/*
- * The arcfour message have the following formats, these are only here
- * for reference and is not used.
- */
-
-#if 0
-typedef struct gss_arcfour_mic_token {
- u_char TOK_ID[2]; /* 01 01 */
- u_char SGN_ALG[2]; /* 11 00 */
- u_char Filler[4];
- u_char SND_SEQ[8];
- u_char SGN_CKSUM[8];
-} gss_arcfour_mic_token_desc, *gss_arcfour_mic_token;
-
-typedef struct gss_arcfour_wrap_token {
- u_char TOK_ID[2]; /* 02 01 */
- u_char SGN_ALG[2];
- u_char SEAL_ALG[2];
- u_char Filler[2];
- u_char SND_SEQ[8];
- u_char SGN_CKSUM[8];
- u_char Confounder[8];
-} gss_arcfour_wrap_token_desc, *gss_arcfour_wrap_token;
-#endif
-
-#define GSS_ARCFOUR_WRAP_TOKEN_SIZE 32
-
-OM_uint32 _gssapi_wrap_arcfour(OM_uint32 *minor_status,
- const gss_ctx_id_t context_handle,
- int conf_req_flag,
- gss_qop_t qop_req,
- const gss_buffer_t input_message_buffer,
- int *conf_state,
- gss_buffer_t output_message_buffer,
- krb5_keyblock *key);
-
-OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
- const gss_ctx_id_t context_handle,
- const gss_buffer_t input_message_buffer,
- gss_buffer_t output_message_buffer,
- int *conf_state,
- gss_qop_t *qop_state,
- krb5_keyblock *key);
-
-OM_uint32 _gssapi_get_mic_arcfour(OM_uint32 *minor_status,
- const gss_ctx_id_t context_handle,
- gss_qop_t qop_req,
- const gss_buffer_t message_buffer,
- gss_buffer_t message_token,
- krb5_keyblock *key);
-
-OM_uint32 _gssapi_verify_mic_arcfour(OM_uint32 *minor_status,
- const gss_ctx_id_t context_handle,
- const gss_buffer_t message_buffer,
- const gss_buffer_t token_buffer,
- gss_qop_t *qop_state,
- krb5_keyblock *key,
- char *type);
-
-#endif /* GSSAPI_ARCFOUR_H_ */
diff --git a/crypto/heimdal-0.6.3/lib/gssapi/canonicalize_name.c b/crypto/heimdal-0.6.3/lib/gssapi/canonicalize_name.c
deleted file mode 100644
index afa39f3a4f..0000000000
--- a/crypto/heimdal-0.6.3/lib/gssapi/canonicalize_name.c
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: canonicalize_name.c,v 1.2 1999/12/02 17:05:03 joda Exp $");
-
-OM_uint32 gss_canonicalize_name (
- OM_uint32 * minor_status,
- const gss_name_t input_name,
- const gss_OID mech_type,
- gss_name_t * output_name
- )
-{
- return gss_duplicate_name (minor_status, input_name, output_name);
-}
diff --git a/crypto/heimdal-0.6.3/lib/gssapi/compare_name.c b/crypto/heimdal-0.6.3/lib/gssapi/compare_name.c
deleted file mode 100644
index da494b0d10..0000000000
--- a/crypto/heimdal-0.6.3/lib/gssapi/compare_name.c
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: compare_name.c,v 1.4 2003/03/16 17:50:07 lha Exp $");
-
-OM_uint32 gss_compare_name
- (OM_uint32 * minor_status,
- const gss_name_t name1,
- const gss_name_t name2,
- int * name_equal
- )
-{
- GSSAPI_KRB5_INIT();
-
- *name_equal = krb5_principal_compare (gssapi_krb5_context,
- name1, name2);
- *minor_status = 0;
- return GSS_S_COMPLETE;
-}
diff --git a/crypto/heimdal-0.6.3/lib/gssapi/compat.c b/crypto/heimdal-0.6.3/lib/gssapi/compat.c
deleted file mode 100644
index 311b1cb71a..0000000000
--- a/crypto/heimdal-0.6.3/lib/gssapi/compat.c
+++ /dev/null
@@ -1,113 +0,0 @@
-/*
- * Copyright (c) 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: compat.c,v 1.2.2.2 2003/04/28 13:58:09 lha Exp $");
-
-
-static krb5_error_code
-check_compat(OM_uint32 *minor_status, gss_name_t name,
- const char *option, krb5_boolean *compat,
- krb5_boolean match_val)
-{
- krb5_error_code ret = 0;
- char **p, **q;
- krb5_principal match;
-
-
- p = krb5_config_get_strings(gssapi_krb5_context, NULL, "gssapi",
- option, NULL);
- if(p == NULL)
- return 0;
-
- for(q = p; *q; q++) {
-
- ret = krb5_parse_name(gssapi_krb5_context, *q, &match);
- if (ret)
- break;
-
- if (krb5_principal_match(gssapi_krb5_context, name, match)) {
- *compat = match_val;
- break;
- }
-
- krb5_free_principal(gssapi_krb5_context, match);
- }
- krb5_config_free_strings(p);
-
- if (ret) {
- *minor_status = ret;
- return GSS_S_FAILURE;
- }
-
- return 0;
-}
-
-OM_uint32
-_gss_DES3_get_mic_compat(OM_uint32 *minor_status, gss_ctx_id_t ctx)
-{
- krb5_boolean use_compat = TRUE;
- OM_uint32 ret;
-
- if ((ctx->more_flags & COMPAT_OLD_DES3_SELECTED) == 0) {
- ret = check_compat(minor_status, ctx->target,
- "broken_des3_mic", &use_compat, TRUE);
- if (ret)
- return ret;
- ret = check_compat(minor_status, ctx->target,
- "correct_des3_mic", &use_compat, FALSE);
- if (ret)
- return ret;
-
- if (use_compat)
- ctx->more_flags |= COMPAT_OLD_DES3;
- ctx->more_flags |= COMPAT_OLD_DES3_SELECTED;
- }
- return 0;
-}
-
-OM_uint32
-gss_krb5_compat_des3_mic(OM_uint32 *minor_status, gss_ctx_id_t ctx, int on)
-{
- *minor_status = 0;
-
- if (on) {
- ctx->more_flags |= COMPAT_OLD_DES3;
- } else {
- ctx->more_flags &= ~COMPAT_OLD_DES3;
- }
- ctx->more_flags |= COMPAT_OLD_DES3_SELECTED;
-
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/lib/gssapi/context_time.c b/crypto/heimdal-0.6.3/lib/gssapi/context_time.c
deleted file mode 100644
index daeb25f26d..0000000000
--- a/crypto/heimdal-0.6.3/lib/gssapi/context_time.c
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: context_time.c,v 1.7.2.1 2003/08/15 14:25:50 lha Exp $");
-
-OM_uint32
-gssapi_lifetime_left(OM_uint32 *minor_status,
- OM_uint32 lifetime,
- OM_uint32 *lifetime_rec)
-{
- krb5_timestamp timeret;
- krb5_error_code kret;
-
- kret = krb5_timeofday(gssapi_krb5_context, &timeret);
- if (kret) {
- *minor_status = kret;
- gssapi_krb5_set_error_string ();
- return GSS_S_FAILURE;
- }
-
- if (lifetime < timeret)
- *lifetime_rec = 0;
- else
- *lifetime_rec = lifetime - timeret;
-
- return GSS_S_COMPLETE;
-}
-
-
-OM_uint32 gss_context_time
- (OM_uint32 * minor_status,
- const gss_ctx_id_t context_handle,
- OM_uint32 * time_rec
- )
-{
- OM_uint32 lifetime;
- OM_uint32 major_status;
-
- GSSAPI_KRB5_INIT ();
-
- lifetime = context_handle->lifetime;
-
- major_status = gssapi_lifetime_left(minor_status, lifetime, time_rec);
- if (major_status != GSS_S_COMPLETE)
- return major_status;
-
- *minor_status = 0;
-
- if (*time_rec == 0)
- return GSS_S_CONTEXT_EXPIRED;
-
- return GSS_S_COMPLETE;
-}
diff --git a/crypto/heimdal-0.6.3/lib/gssapi/copy_ccache.c b/crypto/heimdal-0.6.3/lib/gssapi/copy_ccache.c
deleted file mode 100644
index 2ffe0656d8..0000000000
--- a/crypto/heimdal-0.6.3/lib/gssapi/copy_ccache.c
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
- * Copyright (c) 2000 - 2001, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: copy_ccache.c,v 1.3 2003/03/16 17:47:44 lha Exp $");
-
-OM_uint32
-gss_krb5_copy_ccache(OM_uint32 *minor_status,
- gss_cred_id_t cred,
- krb5_ccache out)
-{
- krb5_error_code kret;
-
- if (cred->ccache == NULL) {
- *minor_status = EINVAL;
- return GSS_S_FAILURE;
- }
-
- kret = krb5_cc_copy_cache(gssapi_krb5_context, cred->ccache, out);
- if (kret) {
- *minor_status = kret;
- gssapi_krb5_set_error_string ();
- return GSS_S_FAILURE;
- }
- *minor_status = 0;
- return GSS_S_COMPLETE;
-}
diff --git a/crypto/heimdal-0.6.3/lib/gssapi/create_emtpy_oid_set.c b/crypto/heimdal-0.6.3/lib/gssapi/create_emtpy_oid_set.c
deleted file mode 100644
index 1a25e0d781..0000000000
--- a/crypto/heimdal-0.6.3/lib/gssapi/create_emtpy_oid_set.c
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: create_emtpy_oid_set.c,v 1.5 2003/03/16 17:47:07 lha Exp $");
-
-OM_uint32 gss_create_empty_oid_set (
- OM_uint32 * minor_status,
- gss_OID_set * oid_set
- )
-{
- *oid_set = malloc(sizeof(**oid_set));
- if (*oid_set == NULL) {
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
- (*oid_set)->count = 0;
- (*oid_set)->elements = NULL;
- *minor_status = 0;
- return GSS_S_COMPLETE;
-}
diff --git a/crypto/heimdal-0.6.3/lib/gssapi/decapsulate.c b/crypto/heimdal-0.6.3/lib/gssapi/decapsulate.c
deleted file mode 100644
index 2425453528..0000000000
--- a/crypto/heimdal-0.6.3/lib/gssapi/decapsulate.c
+++ /dev/null
@@ -1,184 +0,0 @@ -/* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "gssapi_locl.h" - -RCSID("$Id: decapsulate.c,v 1.7.6.1 2003/09/18 22:00:41 lha Exp $"); - -OM_uint32 -gssapi_krb5_verify_header(u_char **str, - size_t total_len, - char *type) -{ - size_t len, len_len, mech_len, foo; - int e; - u_char *p = *str; - - if (total_len < 1) - return GSS_S_DEFECTIVE_TOKEN; - if (*p++ != 0x60) - return GSS_S_DEFECTIVE_TOKEN; - e = der_get_length (p, total_len - 1, &len, &len_len); - if (e || 1 + len_len + len != total_len) - return GSS_S_DEFECTIVE_TOKEN; - p += len_len; - if (*p++ != 0x06) - return GSS_S_DEFECTIVE_TOKEN; - e = der_get_length (p, total_len - 1 - len_len - 1, - &mech_len, &foo); - if (e) - return GSS_S_DEFECTIVE_TOKEN; - p += foo; - if (mech_len != GSS_KRB5_MECHANISM->length) - return GSS_S_BAD_MECH; - if (memcmp(p, - GSS_KRB5_MECHANISM->elements, - GSS_KRB5_MECHANISM->length) != 0) - return GSS_S_BAD_MECH; - p += mech_len; - if (memcmp (p, type, 2) != 0) - return GSS_S_DEFECTIVE_TOKEN; - p += 2; - *str = p; - return GSS_S_COMPLETE; -} - -static ssize_t -gssapi_krb5_get_mech (const u_char *ptr, - size_t total_len, - const u_char **mech_ret) -{ - size_t len, len_len, mech_len, foo; - const u_char *p = ptr; - int e; - - if (total_len < 1) - return -1; - if (*p++ != 0x60) - return -1; - e = der_get_length (p, total_len - 1, &len, &len_len); - if (e || 1 + len_len + len != total_len) - return -1; - p += len_len; - if (*p++ != 0x06) - return -1; - e = der_get_length (p, total_len - 1 - len_len - 1, - &mech_len, &foo); - if (e) - return -1; - p += foo; - *mech_ret = p; - return mech_len; -} - -OM_uint32 -_gssapi_verify_mech_header(u_char **str, - size_t total_len) -{ - const u_char *p; - ssize_t mech_len; - - mech_len = gssapi_krb5_get_mech (*str, total_len, &p); - if (mech_len < 0) - return GSS_S_DEFECTIVE_TOKEN; - - if (mech_len != GSS_KRB5_MECHANISM->length) - return GSS_S_BAD_MECH; - if (memcmp(p, - GSS_KRB5_MECHANISM->elements, - GSS_KRB5_MECHANISM->length) != 0) - return GSS_S_BAD_MECH; - p += mech_len; - 
*str = (char *)p; - return GSS_S_COMPLETE; -} - -/* - * Remove the GSS-API wrapping from `in_token' giving `out_data. - * Does not copy data, so just free `in_token'. - */ - -OM_uint32 -gssapi_krb5_decapsulate( - OM_uint32 *minor_status, - gss_buffer_t input_token_buffer, - krb5_data *out_data, - char *type -) -{ - u_char *p; - OM_uint32 ret; - - p = input_token_buffer->value; - ret = gssapi_krb5_verify_header(&p, - input_token_buffer->length, - type); - if (ret) { - *minor_status = 0; - return ret; - } - - out_data->length = input_token_buffer->length - - (p - (u_char *)input_token_buffer->value); - out_data->data = p; - return GSS_S_COMPLETE; -} - -/* - * Verify padding of a gss wrapped message and return its length. - */ - -OM_uint32 -_gssapi_verify_pad(gss_buffer_t wrapped_token, - size_t datalen, - size_t *padlen) -{ - u_char *pad; - size_t padlength; - int i; - - pad = (u_char *)wrapped_token->value + wrapped_token->length - 1; - padlength = *pad; - - if (padlength > datalen) - return GSS_S_BAD_MECH; - - for (i = padlength; i > 0 && *pad == padlength; i--, pad--) - ; - if (i != 0) - return GSS_S_BAD_MIC; - - *padlen = padlength; - - return 0; -} diff --git a/crypto/heimdal-0.6.3/lib/gssapi/delete_sec_context.c b/crypto/heimdal-0.6.3/lib/gssapi/delete_sec_context.c deleted file mode 100644 index 2df1f39749..0000000000 --- a/crypto/heimdal-0.6.3/lib/gssapi/delete_sec_context.c +++ /dev/null 
@@ -1,69 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: delete_sec_context.c,v 1.11 2003/03/16 17:46:40 lha Exp $");
-
-OM_uint32 gss_delete_sec_context
- (OM_uint32 * minor_status,
- gss_ctx_id_t * context_handle,
- gss_buffer_t output_token
- )
-{
- GSSAPI_KRB5_INIT ();
-
- if (output_token) {
- output_token->length = 0;
- output_token->value = NULL;
- }
-
- krb5_auth_con_free (gssapi_krb5_context,
- (*context_handle)->auth_context);
- if((*context_handle)->source)
- krb5_free_principal (gssapi_krb5_context,
- (*context_handle)->source);
- if((*context_handle)->target)
- krb5_free_principal (gssapi_krb5_context,
- (*context_handle)->target);
- if ((*context_handle)->ticket) {
- krb5_free_ticket (gssapi_krb5_context,
- (*context_handle)->ticket);
- free((*context_handle)->ticket);
- }
-
- free (*context_handle);
- *context_handle = GSS_C_NO_CONTEXT;
- *minor_status = 0;
- return GSS_S_COMPLETE;
-}
diff --git a/crypto/heimdal-0.6.3/lib/gssapi/display_name.c b/crypto/heimdal-0.6.3/lib/gssapi/display_name.c
deleted file mode 100644
index 27a232fd3c..0000000000
--- a/crypto/heimdal-0.6.3/lib/gssapi/display_name.c
+++ /dev/null
@@ -1,73 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: display_name.c,v 1.9 2003/03/16 17:46:11 lha Exp $");
-
-OM_uint32 gss_display_name
- (OM_uint32 * minor_status,
- const gss_name_t input_name,
- gss_buffer_t output_name_buffer,
- gss_OID * output_name_type
- )
-{
- krb5_error_code kret;
- char *buf;
- size_t len;
-
- GSSAPI_KRB5_INIT ();
- kret = krb5_unparse_name (gssapi_krb5_context,
- input_name,
- &buf);
- if (kret) {
- *minor_status = kret;
- gssapi_krb5_set_error_string ();
- return GSS_S_FAILURE;
- }
- len = strlen (buf);
- output_name_buffer->length = len;
- output_name_buffer->value = malloc(len + 1);
- if (output_name_buffer->value == NULL) {
- free (buf);
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
- memcpy (output_name_buffer->value, buf, len);
- ((char *)output_name_buffer->value)[len] = '\0';
- free (buf);
- if (output_name_type)
- *output_name_type = GSS_KRB5_NT_PRINCIPAL_NAME;
- *minor_status = 0;
- return GSS_S_COMPLETE;
-}
diff --git a/crypto/heimdal-0.6.3/lib/gssapi/display_status.c b/crypto/heimdal-0.6.3/lib/gssapi/display_status.c
deleted file mode 100644
index d266fa46bf..0000000000
--- a/crypto/heimdal-0.6.3/lib/gssapi/display_status.c
+++ /dev/null
@@ -1,187 +0,0 @@
-/*
- * Copyright (c) 1998 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: display_status.c,v 1.9 2003/03/16 17:45:36 lha Exp $");
-
-static char *krb5_error_string;
-
-static char *
-calling_error(OM_uint32 v)
-{
- static char *msgs[] = {
- NULL, /* 0 */
- "A required input parameter could not be read.", /* */
- "A required output parameter could not be written.", /* */
- "A parameter was malformed"
- };
-
- v >>= GSS_C_CALLING_ERROR_OFFSET;
-
- if (v == 0)
- return "";
- else if (v >= sizeof(msgs)/sizeof(*msgs))
- return "unknown calling error";
- else
- return msgs[v];
-}
-
-static char *
-routine_error(OM_uint32 v)
-{
- static char *msgs[] = {
- NULL, /* 0 */
- "An unsupported mechanism was requested",
- "An invalid name was supplied",
- "A supplied name was of an unsupported type",
- "Incorrect channel bindings were supplied",
- "An invalid status code was supplied",
- "A token had an invalid MIC",
- "No credentials were supplied, "
- "or the credentials were unavailable or inaccessible.",
- "No context has been established",
- "A token was invalid",
- "A credential was invalid",
- "The referenced credentials have expired",
- "The context has expired",
- "Miscellaneous failure (see text)",
- "The quality-of-protection requested could not be provide",
- "The operation is forbidden by local security policy",
- "The operation or option is not available",
- "The requested credential element already exists",
- "The provided name was not a mechanism name.",
- };
-
- v >>= GSS_C_ROUTINE_ERROR_OFFSET;
-
- if (v == 0)
- return "";
- else if (v >= sizeof(msgs)/sizeof(*msgs))
- return "unknown routine error";
- else
- return msgs[v];
-}
-
-static char *
-supplementary_error(OM_uint32 v)
-{
- static char *msgs[] = {
- "normal completion",
- "continuation call to routine required",
- "duplicate per-message token detected",
- "timed-out per-message token detected",
- "reordered (early) per-message token detected",
- "skipped predecessor token(s) detected"
- };
-
- v >>= GSS_C_SUPPLEMENTARY_OFFSET;
-
- if (v >= sizeof(msgs)/sizeof(*msgs))
- return "unknown routine error";
- else
- return msgs[v];
-}
-
-void
-gssapi_krb5_set_error_string (void)
-{
- krb5_error_string = krb5_get_error_string(gssapi_krb5_context);
-}
-
-char *
-gssapi_krb5_get_error_string (void)
-{
- char *ret = krb5_error_string;
- krb5_error_string = NULL;
- return ret;
-}
-
-OM_uint32 gss_display_status
- (OM_uint32 *minor_status,
- OM_uint32 status_value,
- int status_type,
- const gss_OID mech_type,
- OM_uint32 *message_context,
- gss_buffer_t status_string)
-{
- char *buf;
-
- GSSAPI_KRB5_INIT ();
-
- status_string->length = 0;
- status_string->value = NULL;
-
- if (gss_oid_equal(mech_type, GSS_C_NO_OID) == 0 &&
- gss_oid_equal(mech_type, GSS_KRB5_MECHANISM) == 0) {
- *minor_status = 0;
- return GSS_C_GSS_CODE;
- }
-
- if (status_type == GSS_C_GSS_CODE) {
- if (GSS_SUPPLEMENTARY_INFO(status_value))
- asprintf(&buf, "%s",
- supplementary_error(GSS_SUPPLEMENTARY_INFO(status_value)));
- else
- asprintf (&buf, "%s %s",
- calling_error(GSS_CALLING_ERROR(status_value)),
- routine_error(GSS_ROUTINE_ERROR(status_value)));
- } else if (status_type == GSS_C_MECH_CODE) {
- buf = gssapi_krb5_get_error_string ();
- if (buf == NULL) {
- const char *tmp = krb5_get_err_text (gssapi_krb5_context,
- status_value);
- if (tmp == NULL)
- asprintf(&buf, "unknown mech error-code %u",
- (unsigned)status_value);
- else
- buf = strdup(tmp);
- }
- } else {
- *minor_status = EINVAL;
- return GSS_S_BAD_STATUS;
- }
-
- if (buf == NULL) {
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
-
- *message_context = 0;
- *minor_status = 0;
-
- status_string->length = strlen(buf);
- status_string->value = buf;
-
- return GSS_S_COMPLETE;
-}
diff --git a/crypto/heimdal-0.6.3/lib/gssapi/duplicate_name.c b/crypto/heimdal-0.6.3/lib/gssapi/duplicate_name.c
deleted file mode 100644
index 2b54e90ec8..0000000000
--- a/crypto/heimdal-0.6.3/lib/gssapi/duplicate_name.c
+++ /dev/null
@@ -1,59 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: duplicate_name.c,v 1.7 2003/03/16 17:44:26 lha Exp $");
-
-OM_uint32 gss_duplicate_name (
- OM_uint32 * minor_status,
- const gss_name_t src_name,
- gss_name_t * dest_name
- )
-{
- krb5_error_code kret;
-
- GSSAPI_KRB5_INIT ();
-
- kret = krb5_copy_principal (gssapi_krb5_context,
- src_name,
- dest_name);
- if (kret) {
- *minor_status = kret;
- gssapi_krb5_set_error_string ();
- return GSS_S_FAILURE;
- } else {
- *minor_status = 0;
- return GSS_S_COMPLETE;
- }
-}
diff --git a/crypto/heimdal-0.6.3/lib/gssapi/encapsulate.c b/crypto/heimdal-0.6.3/lib/gssapi/encapsulate.c
deleted file mode 100644
index f3cd1e49f4..0000000000
--- a/crypto/heimdal-0.6.3/lib/gssapi/encapsulate.c
+++ /dev/null
@@ -1,122 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: encapsulate.c,v 1.6.6.1 2003/09/18 21:47:44 lha Exp $");
-
-void
-gssapi_krb5_encap_length (size_t data_len,
- size_t *len,
- size_t *total_len)
-{
- size_t len_len;
-
- *len = 1 + 1 + GSS_KRB5_MECHANISM->length + 2 + data_len;
-
- len_len = length_len(*len);
-
- *total_len = 1 + len_len + *len;
-}
-
-u_char *
-gssapi_krb5_make_header (u_char *p,
- size_t len,
- u_char *type)
-{
- int e;
- size_t len_len, foo;
-
- *p++ = 0x60;
- len_len = length_len(len);
- e = der_put_length (p + len_len - 1, len_len, len, &foo);
- if(e || foo != len_len)
- abort ();
- p += len_len;
- *p++ = 0x06;
- *p++ = GSS_KRB5_MECHANISM->length;
- memcpy (p, GSS_KRB5_MECHANISM->elements, GSS_KRB5_MECHANISM->length);
- p += GSS_KRB5_MECHANISM->length;
- memcpy (p, type, 2);
- p += 2;
- return p;
-}
-
-u_char *
-_gssapi_make_mech_header(u_char *p,
- size_t len)
-{
- int e;
- size_t len_len, foo;
-
- *p++ = 0x60;
- len_len = length_len(len);
- e = der_put_length (p + len_len - 1, len_len, len, &foo);
- if(e || foo != len_len)
- abort ();
- p += len_len;
- *p++ = 0x06;
- *p++ = GSS_KRB5_MECHANISM->length;
- memcpy (p, GSS_KRB5_MECHANISM->elements, GSS_KRB5_MECHANISM->length);
- p += GSS_KRB5_MECHANISM->length;
- return p;
-}
-
-/*
- * Give it a krb5_data and it will encapsulate with extra GSS-API wrappings.
- */
-
-OM_uint32
-gssapi_krb5_encapsulate(
- OM_uint32 *minor_status,
- const krb5_data *in_data,
- gss_buffer_t output_token,
- u_char *type
-)
-{
- size_t len, outer_len;
- u_char *p;
-
- gssapi_krb5_encap_length (in_data->length, &len, &outer_len);
-
- output_token->length = outer_len;
- output_token->value = malloc (outer_len);
- if (output_token->value == NULL) {
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
-
- p = gssapi_krb5_make_header (output_token->value, len, type);
- memcpy (p, in_data->data, in_data->length);
- return GSS_S_COMPLETE;
-}
diff --git a/crypto/heimdal-0.6.3/lib/gssapi/export_name.c b/crypto/heimdal-0.6.3/lib/gssapi/export_name.c
deleted file mode 100644
index c5fcbd4fd0..0000000000
--- a/crypto/heimdal-0.6.3/lib/gssapi/export_name.c
+++ /dev/null
@@ -1,94 +0,0 @@
-/*
- * Copyright (c) 1997, 1999, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: export_name.c,v 1.5 2003/03/16 17:34:46 lha Exp $");
-
-OM_uint32 gss_export_name
- (OM_uint32 * minor_status,
- const gss_name_t input_name,
- gss_buffer_t exported_name
- )
-{
- krb5_error_code kret;
- char *buf, *name;
- size_t len;
-
- GSSAPI_KRB5_INIT ();
- kret = krb5_unparse_name (gssapi_krb5_context,
- input_name,
- &name);
- if (kret) {
- *minor_status = kret;
- gssapi_krb5_set_error_string ();
- return GSS_S_FAILURE;
- }
- len = strlen (name);
-
- exported_name->length = 10 + len + GSS_KRB5_MECHANISM->length;
- exported_name->value = malloc(exported_name->length);
- if (exported_name->value == NULL) {
- free (name);
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
-
- /* TOK, MECH_OID_LEN, DER(MECH_OID), NAME_LEN, NAME */
-
- buf = exported_name->value;
- memcpy(buf, "\x04\x01", 2);
- buf += 2;
- buf[0] = ((GSS_KRB5_MECHANISM->length + 2) >> 8) & 0xff;
- buf[1] = (GSS_KRB5_MECHANISM->length + 2) & 0xff;
- buf+= 2;
- buf[0] = 0x06;
- buf[1] = (GSS_KRB5_MECHANISM->length) & 0xFF;
- buf+= 2;
-
- memcpy(buf, GSS_KRB5_MECHANISM->elements, GSS_KRB5_MECHANISM->length);
- buf += GSS_KRB5_MECHANISM->length;
-
- buf[0] = (len >> 24) & 0xff;
- buf[1] = (len >> 16) & 0xff;
- buf[2] = (len >> 8) & 0xff;
- buf[3] = (len) & 0xff;
- buf += 4;
-
- memcpy (buf, name, len);
-
- free (name);
-
- *minor_status = 0;
- return GSS_S_COMPLETE;
-}
diff --git a/crypto/heimdal-0.6.3/lib/gssapi/export_sec_context.c b/crypto/heimdal-0.6.3/lib/gssapi/export_sec_context.c
deleted file mode 100644
index c7e6265242..0000000000
--- a/crypto/heimdal-0.6.3/lib/gssapi/export_sec_context.c
+++ /dev/null
@@ -1,223 +0,0 @@ -/* - * Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "gssapi_locl.h" - -RCSID("$Id: export_sec_context.c,v 1.6 2003/03/16 18:02:52 lha Exp $"); - -OM_uint32 -gss_export_sec_context ( - OM_uint32 * minor_status, - gss_ctx_id_t * context_handle, - gss_buffer_t interprocess_token - ) -{ - krb5_storage *sp; - krb5_auth_context ac; - OM_uint32 ret = GSS_S_COMPLETE; - krb5_data data; - gss_buffer_desc buffer; - int flags; - OM_uint32 minor; - krb5_error_code kret; - - GSSAPI_KRB5_INIT (); - if (!((*context_handle)->flags & GSS_C_TRANS_FLAG)) { - *minor_status = 0; - return GSS_S_UNAVAILABLE; - } - - sp = krb5_storage_emem (); - if (sp == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - ac = (*context_handle)->auth_context; - - /* flagging included fields */ - - flags = 0; - if (ac->local_address) - flags |= SC_LOCAL_ADDRESS; - if (ac->remote_address) - flags |= SC_REMOTE_ADDRESS; - if (ac->keyblock) - flags |= SC_KEYBLOCK; - if (ac->local_subkey) - flags |= SC_LOCAL_SUBKEY; - if (ac->remote_subkey) - flags |= SC_REMOTE_SUBKEY; - - kret = krb5_store_int32 (sp, flags); - if (kret) { - *minor_status = kret; - goto failure; - } - - /* marshall auth context */ - - kret = krb5_store_int32 (sp, ac->flags); - if (kret) { - *minor_status = kret; - goto failure; - } - if (ac->local_address) { - kret = krb5_store_address (sp, *ac->local_address); - if (kret) { - *minor_status = kret; - goto failure; - } - } - if (ac->remote_address) { - kret = krb5_store_address (sp, *ac->remote_address); - if (kret) { - *minor_status = kret; - goto failure; - } - } - kret = krb5_store_int16 (sp, ac->local_port); - if (kret) { - *minor_status = kret; - goto failure; - } - kret = krb5_store_int16 (sp, ac->remote_port); - if (kret) { - *minor_status = kret; - goto failure; - } - if (ac->keyblock) { - kret = krb5_store_keyblock (sp, *ac->keyblock); - if (kret) { - *minor_status = kret; - goto failure; - } - } - if (ac->local_subkey) { - kret = krb5_store_keyblock (sp, *ac->local_subkey); - if (kret) { - *minor_status = 
kret; - goto failure; - } - } - if (ac->remote_subkey) { - kret = krb5_store_keyblock (sp, *ac->remote_subkey); - if (kret) { - *minor_status = kret; - goto failure; - } - } - kret = krb5_store_int32 (sp, ac->local_seqnumber); - if (kret) { - *minor_status = kret; - goto failure; - } - kret = krb5_store_int32 (sp, ac->remote_seqnumber); - if (kret) { - *minor_status = kret; - goto failure; - } - - kret = krb5_store_int32 (sp, ac->keytype); - if (kret) { - *minor_status = kret; - goto failure; - } - kret = krb5_store_int32 (sp, ac->cksumtype); - if (kret) { - *minor_status = kret; - goto failure; - } - - /* names */ - - ret = gss_export_name (minor_status, (*context_handle)->source, &buffer); - if (ret) - goto failure; - data.data = buffer.value; - data.length = buffer.length; - kret = krb5_store_data (sp, data); - gss_release_buffer (&minor, &buffer); - if (kret) { - *minor_status = kret; - goto failure; - } - - ret = gss_export_name (minor_status, (*context_handle)->target, &buffer); - if (ret) - goto failure; - data.data = buffer.value; - data.length = buffer.length; - - ret = GSS_S_FAILURE; - - kret = krb5_store_data (sp, data); - gss_release_buffer (&minor, &buffer); - if (kret) { - *minor_status = kret; - goto failure; - } - - kret = krb5_store_int32 (sp, (*context_handle)->flags); - if (kret) { - *minor_status = kret; - goto failure; - } - kret = krb5_store_int32 (sp, (*context_handle)->more_flags); - if (kret) { - *minor_status = kret; - goto failure; - } - kret = krb5_store_int32 (sp, (*context_handle)->lifetime); - if (kret) { - *minor_status = kret; - goto failure; - } - - kret = krb5_storage_to_data (sp, &data); - krb5_storage_free (sp); - if (kret) { - *minor_status = kret; - return GSS_S_FAILURE; - } - interprocess_token->length = data.length; - interprocess_token->value = data.data; - ret = gss_delete_sec_context (minor_status, context_handle, - GSS_C_NO_BUFFER); - if (ret != GSS_S_COMPLETE) - gss_release_buffer (NULL, interprocess_token); - 
*minor_status = 0; - return ret; - failure: - krb5_storage_free (sp); - return ret; -} diff --git a/crypto/heimdal-0.6.3/lib/gssapi/external.c b/crypto/heimdal-0.6.3/lib/gssapi/external.c deleted file mode 100644 index dca35ea943..0000000000 --- a/crypto/heimdal-0.6.3/lib/gssapi/external.c +++ /dev/null 
@@ -1,235 +0,0 @@
-/*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: external.c,v 1.5 2000/07/22 03:45:28 assar Exp $");
-
-/*
- * The implementation must reserve static storage for a
- * gss_OID_desc object containing the value
- * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
- * "\x01\x02\x01\x01"},
- * corresponding to an object-identifier value of
- * {iso(1) member-body(2) United States(840) mit(113554)
- * infosys(1) gssapi(2) generic(1) user_name(1)}. The constant
- * GSS_C_NT_USER_NAME should be initialized to point
- * to that gss_OID_desc.
- */
-
-static gss_OID_desc gss_c_nt_user_name_oid_desc =
-{10, (void *)"\x2a\x86\x48\x86\xf7\x12"
- "\x01\x02\x01\x01"};
-
-gss_OID GSS_C_NT_USER_NAME = &gss_c_nt_user_name_oid_desc;
-
-/*
- * The implementation must reserve static storage for a
- * gss_OID_desc object containing the value
- * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
- * "\x01\x02\x01\x02"},
- * corresponding to an object-identifier value of
- * {iso(1) member-body(2) United States(840) mit(113554)
- * infosys(1) gssapi(2) generic(1) machine_uid_name(2)}.
- * The constant GSS_C_NT_MACHINE_UID_NAME should be
- * initialized to point to that gss_OID_desc.
- */
-
-static gss_OID_desc gss_c_nt_machine_uid_name_oid_desc =
-{10, (void *)"\x2a\x86\x48\x86\xf7\x12"
- "\x01\x02\x01\x02"};
-
-gss_OID GSS_C_NT_MACHINE_UID_NAME = &gss_c_nt_machine_uid_name_oid_desc;
-
-/*
- * The implementation must reserve static storage for a
- * gss_OID_desc object containing the value
- * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
- * "\x01\x02\x01\x03"},
- * corresponding to an object-identifier value of
- * {iso(1) member-body(2) United States(840) mit(113554)
- * infosys(1) gssapi(2) generic(1) string_uid_name(3)}.
- * The constant GSS_C_NT_STRING_UID_NAME should be
- * initialized to point to that gss_OID_desc.
- */
-
-static gss_OID_desc gss_c_nt_string_uid_name_oid_desc =
-{10, (void *)"\x2a\x86\x48\x86\xf7\x12"
- "\x01\x02\x01\x03"};
-
-gss_OID GSS_C_NT_STRING_UID_NAME = &gss_c_nt_string_uid_name_oid_desc;
-
-/*
- * The implementation must reserve static storage for a
- * gss_OID_desc object containing the value
- * {6, (void *)"\x2b\x06\x01\x05\x06\x02"},
- * corresponding to an object-identifier value of
- * {iso(1) org(3) dod(6) internet(1) security(5)
- * nametypes(6) gss-host-based-services(2)). The constant
- * GSS_C_NT_HOSTBASED_SERVICE_X should be initialized to point
- * to that gss_OID_desc. This is a deprecated OID value, and
- * implementations wishing to support hostbased-service names
- * should instead use the GSS_C_NT_HOSTBASED_SERVICE OID,
- * defined below, to identify such names;
- * GSS_C_NT_HOSTBASED_SERVICE_X should be accepted a synonym
- * for GSS_C_NT_HOSTBASED_SERVICE when presented as an input
- * parameter, but should not be emitted by GSS-API
- * implementations
- */
-
-static gss_OID_desc gss_c_nt_hostbased_service_x_oid_desc =
-{6, (void *)"\x2b\x06\x01\x05\x06\x02"};
-
-gss_OID GSS_C_NT_HOSTBASED_SERVICE_X = &gss_c_nt_hostbased_service_x_oid_desc;
-
-/*
- * The implementation must reserve static storage for a
- * gss_OID_desc object containing the value
- * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
- * "\x01\x02\x01\x04"}, corresponding to an
- * object-identifier value of {iso(1) member-body(2)
- * Unites States(840) mit(113554) infosys(1) gssapi(2)
- * generic(1) service_name(4)}. The constant
- * GSS_C_NT_HOSTBASED_SERVICE should be initialized
- * to point to that gss_OID_desc.
- */
-static gss_OID_desc gss_c_nt_hostbased_service_oid_desc =
-{10, (void *)"\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x04"};
-
-gss_OID GSS_C_NT_HOSTBASED_SERVICE = &gss_c_nt_hostbased_service_oid_desc;
-
-/*
- * The implementation must reserve static storage for a
- * gss_OID_desc object containing the value
- * {6, (void *)"\x2b\x06\01\x05\x06\x03"},
- * corresponding to an object identifier value of
- * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
- * 6(nametypes), 3(gss-anonymous-name)}. The constant
- * and GSS_C_NT_ANONYMOUS should be initialized to point
- * to that gss_OID_desc.
- */
-
-static gss_OID_desc gss_c_nt_anonymous_oid_desc =
-{6, (void *)"\x2b\x06\01\x05\x06\x03"};
-
-gss_OID GSS_C_NT_ANONYMOUS = &gss_c_nt_anonymous_oid_desc;
-
-/*
- * The implementation must reserve static storage for a
- * gss_OID_desc object containing the value
- * {6, (void *)"\x2b\x06\x01\x05\x06\x04"},
- * corresponding to an object-identifier value of
- * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
- * 6(nametypes), 4(gss-api-exported-name)}. The constant
- * GSS_C_NT_EXPORT_NAME should be initialized to point
- * to that gss_OID_desc.
- */
-
-static gss_OID_desc gss_c_nt_export_name_oid_desc =
-{6, (void *)"\x2b\x06\x01\x05\x06\x04"};
-
-gss_OID GSS_C_NT_EXPORT_NAME = &gss_c_nt_export_name_oid_desc;
-
-/*
- * This name form shall be represented by the Object Identifier {iso(1)
- * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
- * krb5(2) krb5_name(1)}. The recommended symbolic name for this type
- * is "GSS_KRB5_NT_PRINCIPAL_NAME".
- */
-
-static gss_OID_desc gss_krb5_nt_principal_name_oid_desc =
-{10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01"};
-
-gss_OID GSS_KRB5_NT_PRINCIPAL_NAME = &gss_krb5_nt_principal_name_oid_desc;
-
-/*
- * This name form shall be represented by the Object Identifier {iso(1)
- * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
- * generic(1) user_name(1)}.
The recommended symbolic name for this
- * type is "GSS_KRB5_NT_USER_NAME".
- */
-
-gss_OID GSS_KRB5_NT_USER_NAME = &gss_c_nt_user_name_oid_desc;
-
-/*
- * This name form shall be represented by the Object Identifier {iso(1)
- * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
- * generic(1) machine_uid_name(2)}. The recommended symbolic name for
- * this type is "GSS_KRB5_NT_MACHINE_UID_NAME".
- */
-
-gss_OID GSS_KRB5_NT_MACHINE_UID_NAME = &gss_c_nt_machine_uid_name_oid_desc;
-
-/*
- * This name form shall be represented by the Object Identifier {iso(1)
- * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
- * generic(1) string_uid_name(3)}. The recommended symbolic name for
- * this type is "GSS_KRB5_NT_STRING_UID_NAME".
- */
-
-gss_OID GSS_KRB5_NT_STRING_UID_NAME = &gss_c_nt_string_uid_name_oid_desc;
-
-/*
- * To support ongoing experimentation, testing, and evolution of the
- * specification, the Kerberos V5 GSS-API mechanism as defined in this
- * and any successor memos will be identified with the following Object
- * Identifier, as defined in RFC-1510, until the specification is
- * advanced to the level of Proposed Standard RFC:
- *
- * {iso(1), org(3), dod(5), internet(1), security(5), kerberosv5(2)}
- *
- * Upon advancement to the level of Proposed Standard RFC, the Kerberos
- * V5 GSS-API mechanism will be identified by an Object Identifier
- * having the value:
- *
- * {iso(1) member-body(2) United States(840) mit(113554) infosys(1)
- * gssapi(2) krb5(2)}
- */
-
-#if 0 /* This is the old OID */
-
-static gss_OID_desc gss_krb5_mechanism_oid_desc =
-{5, (void *)"\x2b\x05\x01\x05\x02"};
-
-#endif
-
-static gss_OID_desc gss_krb5_mechanism_oid_desc =
-{9, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"};
-
-gss_OID GSS_KRB5_MECHANISM = &gss_krb5_mechanism_oid_desc;
-
-/*
- * Context for krb5 calls.
- */
-
-krb5_context gssapi_krb5_context;
diff --git a/crypto/heimdal-0.6.3/lib/gssapi/get_mic.c b/crypto/heimdal-0.6.3/lib/gssapi/get_mic.c
deleted file mode 100644
index 7f5b37e025..0000000000
--- a/crypto/heimdal-0.6.3/lib/gssapi/get_mic.c
+++ /dev/null
@@ -1,295 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "gssapi_locl.h" - -RCSID("$Id: get_mic.c,v 1.21.2.1 2003/09/18 22:05:12 lha Exp $"); - -static OM_uint32 -mic_des - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - gss_qop_t qop_req, - const gss_buffer_t message_buffer, - gss_buffer_t message_token, - krb5_keyblock *key - ) -{ - u_char *p; - MD5_CTX md5; - u_char hash[16]; - des_key_schedule schedule; - des_cblock deskey; - des_cblock zero; - int32_t seq_number; - size_t len, total_len; - - gssapi_krb5_encap_length (22, &len, &total_len); - - message_token->length = total_len; - message_token->value = malloc (total_len); - if (message_token->value == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - p = gssapi_krb5_make_header(message_token->value, - len, - "\x01\x01"); /* TOK_ID */ - - memcpy (p, "\x00\x00", 2); /* SGN_ALG = DES MAC MD5 */ - p += 2; - - memcpy (p, "\xff\xff\xff\xff", 4); /* Filler */ - p += 4; - - /* Fill in later (SND-SEQ) */ - memset (p, 0, 16); - p += 16; - - /* checksum */ - MD5_Init (&md5); - MD5_Update (&md5, p - 24, 8); - MD5_Update (&md5, message_buffer->value, message_buffer->length); - MD5_Final (hash, &md5); - - memset (&zero, 0, sizeof(zero)); - memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); - des_set_key (&deskey, schedule); - des_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash), - schedule, &zero); - memcpy (p - 8, hash, 8); /* SGN_CKSUM */ - - /* sequence number */ - krb5_auth_con_getlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - &seq_number); - - p -= 16; /* SND_SEQ */ - p[0] = (seq_number >> 0) & 0xFF; - p[1] = (seq_number >> 8) & 0xFF; - p[2] = (seq_number >> 16) & 0xFF; - p[3] = (seq_number >> 24) & 0xFF; - memset (p + 4, - (context_handle->more_flags & LOCAL) ? 
0 : 0xFF, - 4); - - des_set_key (&deskey, schedule); - des_cbc_encrypt ((void *)p, (void *)p, 8, - schedule, (des_cblock *)(p + 8), DES_ENCRYPT); - - krb5_auth_con_setlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - ++seq_number); - - memset (deskey, 0, sizeof(deskey)); - memset (schedule, 0, sizeof(schedule)); - - *minor_status = 0; - return GSS_S_COMPLETE; -} - -static OM_uint32 -mic_des3 - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - gss_qop_t qop_req, - const gss_buffer_t message_buffer, - gss_buffer_t message_token, - krb5_keyblock *key - ) -{ - u_char *p; - Checksum cksum; - u_char seq[8]; - - int32_t seq_number; - size_t len, total_len; - - krb5_crypto crypto; - krb5_error_code kret; - krb5_data encdata; - char *tmp; - char ivec[8]; - - gssapi_krb5_encap_length (36, &len, &total_len); - - message_token->length = total_len; - message_token->value = malloc (total_len); - if (message_token->value == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - p = gssapi_krb5_make_header(message_token->value, - len, - "\x01\x01"); /* TOK-ID */ - - memcpy (p, "\x04\x00", 2); /* SGN_ALG = HMAC SHA1 DES3-KD */ - p += 2; - - memcpy (p, "\xff\xff\xff\xff", 4); /* filler */ - p += 4; - - /* this should be done in parts */ - - tmp = malloc (message_buffer->length + 8); - if (tmp == NULL) { - free (message_token->value); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - memcpy (tmp, p - 8, 8); - memcpy (tmp + 8, message_buffer->value, message_buffer->length); - - kret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto); - if (kret) { - free (message_token->value); - free (tmp); - gssapi_krb5_set_error_string (); - *minor_status = kret; - return GSS_S_FAILURE; - } - - kret = krb5_create_checksum (gssapi_krb5_context, - crypto, - KRB5_KU_USAGE_SIGN, - 0, - tmp, - message_buffer->length + 8, - &cksum); - free (tmp); - krb5_crypto_destroy (gssapi_krb5_context, crypto); - if (kret) { - free (message_token->value); - 
gssapi_krb5_set_error_string (); - *minor_status = kret; - return GSS_S_FAILURE; - } - - memcpy (p + 8, cksum.checksum.data, cksum.checksum.length); - - /* sequence number */ - krb5_auth_con_getlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - &seq_number); - - seq[0] = (seq_number >> 0) & 0xFF; - seq[1] = (seq_number >> 8) & 0xFF; - seq[2] = (seq_number >> 16) & 0xFF; - seq[3] = (seq_number >> 24) & 0xFF; - memset (seq + 4, - (context_handle->more_flags & LOCAL) ? 0 : 0xFF, - 4); - - kret = krb5_crypto_init(gssapi_krb5_context, key, - ETYPE_DES3_CBC_NONE, &crypto); - if (kret) { - free (message_token->value); - gssapi_krb5_set_error_string (); - *minor_status = kret; - return GSS_S_FAILURE; - } - - if (context_handle->more_flags & COMPAT_OLD_DES3) - memset(ivec, 0, 8); - else - memcpy(ivec, p + 8, 8); - - kret = krb5_encrypt_ivec (gssapi_krb5_context, - crypto, - KRB5_KU_USAGE_SEQ, - seq, 8, &encdata, ivec); - krb5_crypto_destroy (gssapi_krb5_context, crypto); - if (kret) { - free (message_token->value); - gssapi_krb5_set_error_string (); - *minor_status = kret; - return GSS_S_FAILURE; - } - - assert (encdata.length == 8); - - memcpy (p, encdata.data, encdata.length); - krb5_data_free (&encdata); - - krb5_auth_con_setlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - ++seq_number); - - free_Checksum (&cksum); - *minor_status = 0; - return GSS_S_COMPLETE; -} - -OM_uint32 gss_get_mic - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - gss_qop_t qop_req, - const gss_buffer_t message_buffer, - gss_buffer_t message_token - ) -{ - krb5_keyblock *key; - OM_uint32 ret; - krb5_keytype keytype; - - ret = gss_krb5_get_localkey(context_handle, &key); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - return GSS_S_FAILURE; - } - krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype); - - switch (keytype) { - case KEYTYPE_DES : - ret = mic_des (minor_status, context_handle, qop_req, - 
message_buffer, message_token, key); - break; - case KEYTYPE_DES3 : - ret = mic_des3 (minor_status, context_handle, qop_req, - message_buffer, message_token, key); - break; - case KEYTYPE_ARCFOUR: - ret = _gssapi_get_mic_arcfour (minor_status, context_handle, qop_req, - message_buffer, message_token, key); - break; - default : - *minor_status = KRB5_PROG_ETYPE_NOSUPP; - ret = GSS_S_FAILURE; - break; - } - krb5_free_keyblock (gssapi_krb5_context, key); - return ret; -} diff --git a/crypto/heimdal-0.6.3/lib/gssapi/gss_acquire_cred.3 b/crypto/heimdal-0.6.3/lib/gssapi/gss_acquire_cred.3 deleted file mode 100644 index 1d8c0a0f97..0000000000 --- a/crypto/heimdal-0.6.3/lib/gssapi/gss_acquire_cred.3 +++ /dev/null 
@@ -1,465 +0,0 @@
-.\" Copyright (c) 2003 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\" -.\" $Id: gss_acquire_cred.3,v 1.8.2.1 2003/04/28 13:41:42 lha Exp $ -.\" -.Dd April 2, 2003 -.Dt GSS_ACQUIRE_CRED 3 -.Os HEIMDAL -.Sh NAME -.Nm gss_accept_sec_context , -.Nm gss_acquire_cred , -.Nm gss_add_cred , -.Nm gss_add_oid_set_member , -.Nm gss_canonicalize_name , -.Nm gss_compare_name , -.Nm gss_context_time , -.Nm gss_create_empty_oid_set , -.Nm gss_delete_sec_context , -.Nm gss_display_name , -.Nm gss_display_status , -.Nm gss_duplicate_name , -.Nm gss_export_name , -.Nm gss_export_sec_context , -.Nm gss_get_mic , -.Nm gss_import_name , -.Nm gss_import_sec_context , -.Nm gss_indicate_mechs , -.Nm gss_init_sec_context , -.Nm gss_inquire_context , -.Nm gss_inquire_cred , -.Nm gss_inquire_cred_by_mech , -.Nm gss_inquire_mechs_for_name , -.Nm gss_inquire_names_for_mech , -.Nm gss_krb5_copy_ccache , -.Nm gss_krb5_compat_des3_mic , -.Nm gss_process_context_token , -.Nm gss_release_buffer , -.Nm gss_release_cred , -.Nm gss_release_name , -.Nm gss_release_oid_set , -.Nm gss_seal , -.Nm gss_sign , -.Nm gss_test_oid_set_member , -.Nm gss_unseal , -.Nm gss_unwrap , -.Nm gss_verify , -.Nm gss_verify_mic , -.Nm gss_wrap , -.Nm gss_wrap_size_limit -.Nd Generic Security Service Application Program Interface library -.Sh LIBRARY -GSS-API library (libgssapi, -lgssapi) -.Sh SYNOPSIS -.In gssapi.h -.Pp -.Ft OM_uint32 -.Fo gss_accept_sec_context -.Fa "OM_uint32 * minor_status" -.Fa "gss_ctx_id_t * context_handle" -.Fa "const gss_cred_id_t acceptor_cred_handle" -.Fa "const gss_buffer_t input_token_buffer" -.Fa "const gss_channel_bindings_t input_chan_bindings" -.Fa "gss_name_t * src_name" -.Fa "gss_OID * mech_type" -.Fa "gss_buffer_t output_token" -.Fa "OM_uint32 * ret_flags" -.Fa "OM_uint32 * time_rec" -.Fa "gss_cred_id_t * delegated_cred_handle" -.Fc -.Pp -.Ft OM_uint32 -.Fo gss_acquire_cred -.Fa "OM_uint32 * minor_status" -.Fa "const gss_name_t desired_name" -.Fa "OM_uint32 time_req" -.Fa "const gss_OID_set desired_mechs" -.Fa "gss_cred_usage_t cred_usage" -.Fa 
"gss_cred_id_t * output_cred_handle" -.Fa "gss_OID_set * actual_mechs" -.Fa "OM_uint32 * time_rec" -.Fc -.\" .Fn gss_add_cred -.Ft OM_uint32 -.Fo gss_add_oid_set_member -.Fa "OM_uint32 * minor_status" -.Fa "const gss_OID member_oid" -.Fa "gss_OID_set * oid_set" -.Fc -.Ft OM_uint32 -.Fo gss_canonicalize_name -.Fa "OM_uint32 * minor_status" -.Fa "const gss_name_t input_name" -.Fa "const gss_OID mech_type" -.Fa "gss_name_t * output_name" -.Fc -.Ft OM_uint32 -.Fo gss_compare_name -.Fa "OM_uint32 * minor_status" -.Fa "const gss_name_t name1" -.Fa "const gss_name_t name2" -.Fa "int * name_equal" -.Fc -.Ft OM_uint32 -.Fo gss_context_time -.Fa "OM_uint32 * minor_status" -.Fa "const gss_ctx_id_t context_handle" -.Fa "OM_uint32 * time_rec" -.Fc -.Ft OM_uint32 -.Fo gss_create_empty_oid_set -.Fa "OM_uint32 * minor_status" -.Fa "gss_OID_set * oid_set" -.Fc -.Ft OM_uint32 -.Fo gss_delete_sec_context -.Fa "OM_uint32 * minor_status" -.Fa "gss_ctx_id_t * context_handle" -.Fa "gss_buffer_t output_token" -.Fc -.Ft OM_uint32 -.Fo gss_display_name -.Fa "OM_uint32 * minor_status" -.Fa "const gss_name_t input_name" -.Fa "gss_buffer_t output_name_buffer" -.Fa "gss_OID * output_name_type" -.Fc -.Ft OM_uint32 -.Fo gss_display_status -.Fa "OM_uint32 *minor_status" -.Fa "OM_uint32 status_value" -.Fa "int status_type" -.Fa "const gss_OID mech_type" -.Fa "OM_uint32 *message_context" -.Fa "gss_buffer_t status_string" -.Fc -.Ft OM_uint32 -.Fo gss_duplicate_name -.Fa "OM_uint32 * minor_status" -.Fa "const gss_name_t src_name" -.Fa "gss_name_t * dest_name" -.Fc -.Ft OM_uint32 -.Fo gss_export_name -.Fa "OM_uint32 * minor_status" -.Fa "const gss_name_t input_name" -.Fa "gss_buffer_t exported_name" -.Fc -.Ft OM_uint32 -.Fo gss_export_sec_context -.Fa "OM_uint32 * minor_status" -.Fa "gss_ctx_id_t * context_handle" -.Fa "gss_buffer_t interprocess_token" -.Fc -.Ft OM_uint32 -.Fo gss_get_mic -.Fa "OM_uint32 * minor_status" -.Fa "const gss_ctx_id_t context_handle" -.Fa "gss_qop_t qop_req" -.Fa "const 
gss_buffer_t message_buffer" -.Fa "gss_buffer_t message_token" -.Fc -.Ft OM_uint32 -.Fo gss_import_name -.Fa "OM_uint32 * minor_status, -.Fa "const gss_buffer_t input_name_buffer" -.Fa "const gss_OID input_name_type" -.Fa "gss_name_t * output_name" -.Fc -.Ft OM_uint32 -.Fo gss_import_sec_context -.Fa "OM_uint32 * minor_status" -.Fa "const gss_buffer_t interprocess_token" -.Fa "gss_ctx_id_t * context_handle" -.Fc -.Ft OM_uint32 -.Fo gss_indicate_mechs -.Fa "OM_uint32 * minor_status" -.Fa "gss_OID_set * mech_set" -.Fc -.Ft OM_uint32 -.Fo gss_init_sec_context -.Fa "OM_uint32 * minor_status" -.Fa "const gss_cred_id_t initiator_cred_handle" -.Fa "gss_ctx_id_t * context_handle" -.Fa "const gss_name_t target_name" -.Fa "const gss_OID mech_type" -.Fa "OM_uint32 req_flags" -.Fa "OM_uint32 time_req" -.Fa "const gss_channel_bindings_t input_chan_bindings" -.Fa "const gss_buffer_t input_token" -.Fa "gss_OID * actual_mech_type" -.Fa "gss_buffer_t output_token" -.Fa "OM_uint32 * ret_flags" -.Fa "OM_uint32 * time_rec" -.Fc -.Ft OM_uint32 -.Fo gss_inquire_context -.Fa "OM_uint32 * minor_status" -.Fa "const gss_ctx_id_t context_handle" -.Fa "gss_name_t * src_name" -.Fa "gss_name_t * targ_name" -.Fa "OM_uint32 * lifetime_rec" -.Fa "gss_OID * mech_type" -.Fa "OM_uint32 * ctx_flags" -.Fa "int * locally_initiated" -.Fa "int * open_context" -.Fc -.Ft OM_uint32 -.Fo gss_inquire_cred -.Fa "OM_uint32 * minor_status" -.Fa "const gss_cred_id_t cred_handle" -.Fa "gss_name_t * name" -.Fa "OM_uint32 * lifetime" -.Fa "gss_cred_usage_t * cred_usage" -.Fa "gss_OID_set * mechanisms" -.Fc -.Ft OM_uint32 -.Fo gss_inquire_cred_by_mech -.Fc -.Ft OM_uint32 -.Fo gss_inquire_mechs_for_name -.Fc -.Ft OM_uint32 -.Fo gss_inquire_names_for_mech -.Fc -.Ft OM_uint32 -.Fo gss_krb5_copy_ccache -.Fa "OM_uint32 *minor" -.Fa "gss_cred_id_t cred" -.Fa "krb5_ccache out" -.Fc -.Ft OM_uint32 -.Fo gss_krb5_compat_des3_mic -.Fa "OM_uint32 * minor_status" -.Fa "gss_ctx_id_t context_handle" -.Fa "int onoff" -.Fc -.Ft 
OM_uint32 -.Fo gss_process_context_token -.Fc -.Ft OM_uint32 -.Fo gss_release_buffer -.Fa "OM_uint32 * minor_status" -.Fa "gss_buffer_t buffer" -.Fc -.Ft OM_uint32 -.Fo gss_release_cred -.Fa "OM_uint32 * minor_status" -.Fa "gss_cred_id_t * cred_handle" -.Fc -.Ft OM_uint32 -.Fo gss_release_name -.Fa "OM_uint32 * minor_status" -.Fa "gss_name_t * input_name" -.Fc -.Ft -.Fo gss_release_oid_set -.Fa "OM_uint32 * minor_status" -.Fa "gss_OID_set * set" -.Fc -.Ft OM_uint32 -.Fo gss_seal -.Fa "OM_uint32 * minor_status" -.Fa "gss_ctx_id_t context_handle" -.Fa "int conf_req_flag" -.Fa "int qop_req" -.Fa "gss_buffer_t input_message_buffer" -.Fa "int * conf_state" -.Fa "gss_buffer_t output_message_buffer" -.Fc -.Ft OM_uint32 -.Fo gss_sign -.Fa "OM_uint32 * minor_status" -.Fa "gss_ctx_id_t context_handle" -.Fa "int qop_req" -.Fa "gss_buffer_t message_buffer" -.Fa "gss_buffer_t message_token" -.Fc -.Ft OM_uint32 -.Fo gss_test_oid_set_member -.Fa "OM_uint32 * minor_status" -.Fa "const gss_OID member" -.Fa "const gss_OID_set set" -.Fa "int * present" -.Fc -.Ft OM_uint32 -.Fo gss_unseal -.Fa "OM_uint32 * minor_status" -.Fa "gss_ctx_id_t context_handle" -.Fa "gss_buffer_t input_message_buffer" -.Fa "gss_buffer_t output_message_buffer" -.Fa "int * conf_state" -.Fa "int * qop_state" -.Fc -.Ft OM_uint32 -.Fo gss_unwrap -.Fa "OM_uint32 * minor_status" -.Fa "const gss_ctx_id_t context_handle" -.Fa "const gss_buffer_t input_message_buffer" -.Fa "gss_buffer_t output_message_buffer" -.Fa "int * conf_state" -.Fa "gss_qop_t * qop_state" -.Fc -.Ft OM_uint32 -.Fo gss_verify -.Fa "OM_uint32 * minor_status" -.Fa "gss_ctx_id_t context_handle" -.Fa "gss_buffer_t message_buffer" -.Fa "gss_buffer_t token_buffer" -.Fa "int * qop_state" -.Fc -.Ft OM_uint32 -.Fo gss_verify_mic -.Fa "OM_uint32 * minor_status" -.Fa "const gss_ctx_id_t context_handle" -.Fa "const gss_buffer_t message_buffer" -.Fa "const gss_buffer_t token_buffer" -.Fa "gss_qop_t * qop_state" -.Fc -.Ft -.Fo gss_wrap -.Fa "OM_uint32 * 
minor_status" -.Fa "const gss_ctx_id_t context_handle" -.Fa "int conf_req_flag" -.Fa "gss_qop_t qop_req" -.Fa "const gss_buffer_t input_message_buffer" -.Fa "int * conf_state" -.Fa "gss_buffer_t output_message_buffer" -.Fc -.Ft OM_uint32 -.Fo gss_wrap_size_limit -.Fa "OM_uint32 * minor_status" -.Fa "const gss_ctx_id_t context_handle" -.Fa "int conf_req_flag" -.Fa "gss_qop_t qop_req" -.Fa "OM_uint32 req_output_size" -.Fa "OM_uint32 * max_input_size" -.Fc -.Sh DESCRIPTION -Generic Security Service API (GSS-API) version 2, and its C binding, -is described in -.Li RFC2743 -and -.Li RFC2744 . -Version 1 (deprecated) of the C binding is described in -.Li RFC1509 . -.Pp -Heimdals GSS-API implementation supports the following mechanisms -.Bl -bullet -.It -.Li GSS_KRB5_MECHANISM -.El -.Pp -GSS-API have generic name types that all mechanism are supposed to -implement (if possible) -.Bl -bullet -.It -.Li GSS_C_NT_USER_NAME -.It -.Li GSS_C_NT_MACHINE_UID_NAME -.It -.Li GSS_C_NT_STRING_UID_NAME -.It -.Li GSS_C_NT_HOSTBASED_SERVICE -.It -.Li GSS_C_NT_ANONYMOUS -.It -.Li GSS_C_NT_EXPORT_NAME -.El -.Pp -GSS-API implementations that supports Kerberos 5 have some additional -name types -.Bl -bullet -.It -.Li GSS_KRB5_NT_PRINCIPAL_NAME -.It -.Li GSS_KRB5_NT_USER_NAME -.It -.Li GSS_KRB5_NT_MACHINE_UID_NAME -.It -.Li GSS_KRB5_NT_STRING_UID_NAME -.El -.Pp -.Fn gss_display_name -takes the gss name in -.Fa input_name -and put a printable form in -.Fa output_name_buffer . -.Fa output_name_buffer -should be freed when done using -.Fn gss_release_buffer . -.Fa output_name_type -can either be -.Dv NULL -or a pointer to a -.Li gss_OID -and will in the later case contain the OID type of the name. -The name should only be used for printing. -Access control should be done with the result of -.Fn gss_export_name . -.Pp -.Fn gss_sign , -.Fn gss_verify , -.Fn gss_seal , -and -.Fn gss_unseal -are part of the GSS-API V1 interface and are obsolete. 
The functions -should not be used for new applications. -They are provided so that version 1 applications can link against the -library. -.Pp -.Fn gss_krb5_copy_ccache -is an extension to the GSS-API API. -The function will extract the krb5 credential that are transfered from -the initiator to the acceptor when using token delegation in the -Kerberos mechanism. -The acceptor receives the delegated token in the last argument to -.Fn gss_accept_sec_context . -.Pp -.Nm gss_krb5_compat_des3_mic -turns on or off the compatibly with older version of Heimdal using -des3 get and verify mic, this is way to programmatically set the -[gssapi]broken_des3_mic and [gssapi]correct_des3_mic flags (see -COMPATIBILITY section in -.Xr gssapi 3 ) . -If the CPP symbol -.Dv GSS_C_KRB5_COMPAT_DES3_MIC -is present, -.Nm gss_krb5_compat_des3_mic -exists. -.Nm gss_krb5_compat_des3_mic -will be removed in a later version of the GSS-API library. -.Sh SEE ALSO -.Xr krb5 3 , -.Xr krb5_ccache 3 , -.Xr gssapi 3 , -.Xr kerberos 8 diff --git a/crypto/heimdal-0.6.3/lib/gssapi/gss_acquire_cred.cat3 b/crypto/heimdal-0.6.3/lib/gssapi/gss_acquire_cred.cat3 deleted file mode 100644 index 37f2c74455..0000000000 --- a/crypto/heimdal-0.6.3/lib/gssapi/gss_acquire_cred.cat3 +++ /dev/null 
@@ -1,275 +0,0 @@ - -GSS_ACQUIRE_CRED(3) UNIX Programmer's Manual GSS_ACQUIRE_CRED(3) - -NNAAMMEE - ggssss__aacccceepptt__sseecc__ccoonntteexxtt, ggssss__aaccqquuiirree__ccrreedd, ggssss__aadddd__ccrreedd, - ggssss__aadddd__ooiidd__sseett__mmeemmbbeerr, ggssss__ccaannoonniiccaalliizzee__nnaammee, ggssss__ccoommppaarree__nnaammee, - ggssss__ccoonntteexxtt__ttiimmee, ggssss__ccrreeaattee__eemmppttyy__ooiidd__sseett, ggssss__ddeelleettee__sseecc__ccoonntteexxtt, - ggssss__ddiissppllaayy__nnaammee, ggssss__ddiissppllaayy__ssttaattuuss, ggssss__dduupplliiccaattee__nnaammee, - ggssss__eexxppoorrtt__nnaammee, ggssss__eexxppoorrtt__sseecc__ccoonntteexxtt, ggssss__ggeett__mmiicc, ggssss__iimmppoorrtt__nnaammee, - ggssss__iimmppoorrtt__sseecc__ccoonntteexxtt, ggssss__iinnddiiccaattee__mmeecchhss, ggssss__iinniitt__sseecc__ccoonntteexxtt, - ggssss__iinnqquuiirree__ccoonntteexxtt, ggssss__iinnqquuiirree__ccrreedd, ggssss__iinnqquuiirree__ccrreedd__bbyy__mmeecchh, - ggssss__iinnqquuiirree__mmeecchhss__ffoorr__nnaammee, ggssss__iinnqquuiirree__nnaammeess__ffoorr__mmeecchh, - ggssss__kkrrbb55__ccooppyy__ccccaacchhee, ggssss__kkrrbb55__ccoommppaatt__ddeess33__mmiicc, - ggssss__pprroocceessss__ccoonntteexxtt__ttookkeenn, ggssss__rreelleeaassee__bbuuffffeerr, ggssss__rreelleeaassee__ccrreedd, - ggssss__rreelleeaassee__nnaammee, ggssss__rreelleeaassee__ooiidd__sseett, ggssss__sseeaall, ggssss__ssiiggnn, - ggssss__tteesstt__ooiidd__sseett__mmeemmbbeerr, ggssss__uunnsseeaall, ggssss__uunnwwrraapp, ggssss__vveerriiffyy, - ggssss__vveerriiffyy__mmiicc, ggssss__wwrraapp, ggssss__wwrraapp__ssiizzee__lliimmiitt - Generic Security Service - Application Program Interface library - -LLIIBBRRAARRYY - GSS-API library (libgssapi, -lgssapi) - -SSYYNNOOPPSSIISS - _O_M___u_i_n_t_3_2 - ggssss__aacccceepptt__sseecc__ccoonntteexxtt(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, - _g_s_s___c_t_x___i_d___t _* _c_o_n_t_e_x_t___h_a_n_d_l_e, - _c_o_n_s_t _g_s_s___c_r_e_d___i_d___t 
_a_c_c_e_p_t_o_r___c_r_e_d___h_a_n_d_l_e, - _c_o_n_s_t _g_s_s___b_u_f_f_e_r___t _i_n_p_u_t___t_o_k_e_n___b_u_f_f_e_r, - _c_o_n_s_t _g_s_s___c_h_a_n_n_e_l___b_i_n_d_i_n_g_s___t _i_n_p_u_t___c_h_a_n___b_i_n_d_i_n_g_s, - _g_s_s___n_a_m_e___t _* _s_r_c___n_a_m_e, _g_s_s___O_I_D _* _m_e_c_h___t_y_p_e, - _g_s_s___b_u_f_f_e_r___t _o_u_t_p_u_t___t_o_k_e_n, _O_M___u_i_n_t_3_2 _* _r_e_t___f_l_a_g_s, - _O_M___u_i_n_t_3_2 _* _t_i_m_e___r_e_c, _g_s_s___c_r_e_d___i_d___t _* _d_e_l_e_g_a_t_e_d___c_r_e_d___h_a_n_d_l_e) - - _O_M___u_i_n_t_3_2 - ggssss__aaccqquuiirree__ccrreedd(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _c_o_n_s_t _g_s_s___n_a_m_e___t _d_e_s_i_r_e_d___n_a_m_e, - _O_M___u_i_n_t_3_2 _t_i_m_e___r_e_q, _c_o_n_s_t _g_s_s___O_I_D___s_e_t _d_e_s_i_r_e_d___m_e_c_h_s, - _g_s_s___c_r_e_d___u_s_a_g_e___t _c_r_e_d___u_s_a_g_e, _g_s_s___c_r_e_d___i_d___t _* _o_u_t_p_u_t___c_r_e_d___h_a_n_d_l_e, - _g_s_s___O_I_D___s_e_t _* _a_c_t_u_a_l___m_e_c_h_s, _O_M___u_i_n_t_3_2 _* _t_i_m_e___r_e_c) - - _O_M___u_i_n_t_3_2 - ggssss__aadddd__ooiidd__sseett__mmeemmbbeerr(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, - _c_o_n_s_t _g_s_s___O_I_D _m_e_m_b_e_r___o_i_d, _g_s_s___O_I_D___s_e_t _* _o_i_d___s_e_t) - - _O_M___u_i_n_t_3_2 - ggssss__ccaannoonniiccaalliizzee__nnaammee(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, - _c_o_n_s_t _g_s_s___n_a_m_e___t _i_n_p_u_t___n_a_m_e, _c_o_n_s_t _g_s_s___O_I_D _m_e_c_h___t_y_p_e, - _g_s_s___n_a_m_e___t _* _o_u_t_p_u_t___n_a_m_e) - - _O_M___u_i_n_t_3_2 - ggssss__ccoommppaarree__nnaammee(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _c_o_n_s_t _g_s_s___n_a_m_e___t _n_a_m_e_1, - _c_o_n_s_t _g_s_s___n_a_m_e___t _n_a_m_e_2, _i_n_t _* _n_a_m_e___e_q_u_a_l) - - _O_M___u_i_n_t_3_2 - ggssss__ccoonntteexxtt__ttiimmee(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, - _c_o_n_s_t _g_s_s___c_t_x___i_d___t _c_o_n_t_e_x_t___h_a_n_d_l_e, _O_M___u_i_n_t_3_2 _* _t_i_m_e___r_e_c) - - _O_M___u_i_n_t_3_2 - 
ggssss__ccrreeaattee__eemmppttyy__ooiidd__sseett(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _g_s_s___O_I_D___s_e_t _* _o_i_d___s_e_t) - - _O_M___u_i_n_t_3_2 - ggssss__ddeelleettee__sseecc__ccoonntteexxtt(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, - _g_s_s___c_t_x___i_d___t _* _c_o_n_t_e_x_t___h_a_n_d_l_e, _g_s_s___b_u_f_f_e_r___t _o_u_t_p_u_t___t_o_k_e_n) - - _O_M___u_i_n_t_3_2 - ggssss__ddiissppllaayy__nnaammee(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _c_o_n_s_t _g_s_s___n_a_m_e___t _i_n_p_u_t___n_a_m_e, - _g_s_s___b_u_f_f_e_r___t _o_u_t_p_u_t___n_a_m_e___b_u_f_f_e_r, _g_s_s___O_I_D _* _o_u_t_p_u_t___n_a_m_e___t_y_p_e) - - _O_M___u_i_n_t_3_2 - ggssss__ddiissppllaayy__ssttaattuuss(_O_M___u_i_n_t_3_2 _*_m_i_n_o_r___s_t_a_t_u_s, _O_M___u_i_n_t_3_2 _s_t_a_t_u_s___v_a_l_u_e, - _i_n_t _s_t_a_t_u_s___t_y_p_e, _c_o_n_s_t _g_s_s___O_I_D _m_e_c_h___t_y_p_e, - _O_M___u_i_n_t_3_2 _*_m_e_s_s_a_g_e___c_o_n_t_e_x_t, _g_s_s___b_u_f_f_e_r___t _s_t_a_t_u_s___s_t_r_i_n_g) - - _O_M___u_i_n_t_3_2 - ggssss__dduupplliiccaattee__nnaammee(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _c_o_n_s_t _g_s_s___n_a_m_e___t _s_r_c___n_a_m_e, - _g_s_s___n_a_m_e___t _* _d_e_s_t___n_a_m_e) - - _O_M___u_i_n_t_3_2 - ggssss__eexxppoorrtt__nnaammee(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _c_o_n_s_t _g_s_s___n_a_m_e___t _i_n_p_u_t___n_a_m_e, - _g_s_s___b_u_f_f_e_r___t _e_x_p_o_r_t_e_d___n_a_m_e) - - _O_M___u_i_n_t_3_2 - ggssss__eexxppoorrtt__sseecc__ccoonntteexxtt(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, - _g_s_s___c_t_x___i_d___t _* _c_o_n_t_e_x_t___h_a_n_d_l_e, _g_s_s___b_u_f_f_e_r___t _i_n_t_e_r_p_r_o_c_e_s_s___t_o_k_e_n) - - _O_M___u_i_n_t_3_2 - ggssss__ggeett__mmiicc(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _c_o_n_s_t _g_s_s___c_t_x___i_d___t _c_o_n_t_e_x_t___h_a_n_d_l_e, - _g_s_s___q_o_p___t _q_o_p___r_e_q, _c_o_n_s_t _g_s_s___b_u_f_f_e_r___t _m_e_s_s_a_g_e___b_u_f_f_e_r, - _g_s_s___b_u_f_f_e_r___t _m_e_s_s_a_g_e___t_o_k_e_n) - - _O_M___u_i_n_t_3_2 - 
ggssss__iimmppoorrtt__nnaammee(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s_,, - _c_o_n_s_t _g_s_s___b_u_f_f_e_r___t _i_n_p_u_t___n_a_m_e___b_u_f_f_e_r, - _c_o_n_s_t _g_s_s___O_I_D _i_n_p_u_t___n_a_m_e___t_y_p_e, _g_s_s___n_a_m_e___t _* _o_u_t_p_u_t___n_a_m_e) - - _O_M___u_i_n_t_3_2 - ggssss__iimmppoorrtt__sseecc__ccoonntteexxtt(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, - _c_o_n_s_t _g_s_s___b_u_f_f_e_r___t _i_n_t_e_r_p_r_o_c_e_s_s___t_o_k_e_n, - _g_s_s___c_t_x___i_d___t _* _c_o_n_t_e_x_t___h_a_n_d_l_e) - - _O_M___u_i_n_t_3_2 - ggssss__iinnddiiccaattee__mmeecchhss(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _g_s_s___O_I_D___s_e_t _* _m_e_c_h___s_e_t) - - _O_M___u_i_n_t_3_2 - ggssss__iinniitt__sseecc__ccoonntteexxtt(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, - _c_o_n_s_t _g_s_s___c_r_e_d___i_d___t _i_n_i_t_i_a_t_o_r___c_r_e_d___h_a_n_d_l_e, - _g_s_s___c_t_x___i_d___t _* _c_o_n_t_e_x_t___h_a_n_d_l_e, _c_o_n_s_t _g_s_s___n_a_m_e___t _t_a_r_g_e_t___n_a_m_e, - _c_o_n_s_t _g_s_s___O_I_D _m_e_c_h___t_y_p_e, _O_M___u_i_n_t_3_2 _r_e_q___f_l_a_g_s, _O_M___u_i_n_t_3_2 _t_i_m_e___r_e_q, - _c_o_n_s_t _g_s_s___c_h_a_n_n_e_l___b_i_n_d_i_n_g_s___t _i_n_p_u_t___c_h_a_n___b_i_n_d_i_n_g_s, - _c_o_n_s_t _g_s_s___b_u_f_f_e_r___t _i_n_p_u_t___t_o_k_e_n, _g_s_s___O_I_D _* _a_c_t_u_a_l___m_e_c_h___t_y_p_e, - _g_s_s___b_u_f_f_e_r___t _o_u_t_p_u_t___t_o_k_e_n, _O_M___u_i_n_t_3_2 _* _r_e_t___f_l_a_g_s, - _O_M___u_i_n_t_3_2 _* _t_i_m_e___r_e_c) - - _O_M___u_i_n_t_3_2 - ggssss__iinnqquuiirree__ccoonntteexxtt(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, - _c_o_n_s_t _g_s_s___c_t_x___i_d___t _c_o_n_t_e_x_t___h_a_n_d_l_e, _g_s_s___n_a_m_e___t _* _s_r_c___n_a_m_e, - _g_s_s___n_a_m_e___t _* _t_a_r_g___n_a_m_e, _O_M___u_i_n_t_3_2 _* _l_i_f_e_t_i_m_e___r_e_c, - _g_s_s___O_I_D _* _m_e_c_h___t_y_p_e, _O_M___u_i_n_t_3_2 _* _c_t_x___f_l_a_g_s, - _i_n_t _* _l_o_c_a_l_l_y___i_n_i_t_i_a_t_e_d, _i_n_t _* _o_p_e_n___c_o_n_t_e_x_t) - - _O_M___u_i_n_t_3_2 - 
ggssss__iinnqquuiirree__ccrreedd(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, - _c_o_n_s_t _g_s_s___c_r_e_d___i_d___t _c_r_e_d___h_a_n_d_l_e, _g_s_s___n_a_m_e___t _* _n_a_m_e, - _O_M___u_i_n_t_3_2 _* _l_i_f_e_t_i_m_e, _g_s_s___c_r_e_d___u_s_a_g_e___t _* _c_r_e_d___u_s_a_g_e, - _g_s_s___O_I_D___s_e_t _* _m_e_c_h_a_n_i_s_m_s) - - _O_M___u_i_n_t_3_2 - ggssss__iinnqquuiirree__ccrreedd__bbyy__mmeecchh() - - _O_M___u_i_n_t_3_2 - ggssss__iinnqquuiirree__mmeecchhss__ffoorr__nnaammee() - - - _O_M___u_i_n_t_3_2 - ggssss__iinnqquuiirree__nnaammeess__ffoorr__mmeecchh() - - _O_M___u_i_n_t_3_2 - ggssss__kkrrbb55__ccooppyy__ccccaacchhee(_O_M___u_i_n_t_3_2 _*_m_i_n_o_r, _g_s_s___c_r_e_d___i_d___t _c_r_e_d, - _k_r_b_5___c_c_a_c_h_e _o_u_t) - - _O_M___u_i_n_t_3_2 - ggssss__kkrrbb55__ccoommppaatt__ddeess33__mmiicc(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, - _g_s_s___c_t_x___i_d___t _c_o_n_t_e_x_t___h_a_n_d_l_e, _i_n_t _o_n_o_f_f) - - _O_M___u_i_n_t_3_2 - ggssss__pprroocceessss__ccoonntteexxtt__ttookkeenn() - - _O_M___u_i_n_t_3_2 - ggssss__rreelleeaassee__bbuuffffeerr(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _g_s_s___b_u_f_f_e_r___t _b_u_f_f_e_r) - - _O_M___u_i_n_t_3_2 - ggssss__rreelleeaassee__ccrreedd(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _g_s_s___c_r_e_d___i_d___t _* _c_r_e_d___h_a_n_d_l_e) - - _O_M___u_i_n_t_3_2 - ggssss__rreelleeaassee__nnaammee(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _g_s_s___n_a_m_e___t _* _i_n_p_u_t___n_a_m_e) - - - ggssss__rreelleeaassee__ooiidd__sseett(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _g_s_s___O_I_D___s_e_t _* _s_e_t) - - _O_M___u_i_n_t_3_2 - ggssss__sseeaall(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _g_s_s___c_t_x___i_d___t _c_o_n_t_e_x_t___h_a_n_d_l_e, - _i_n_t _c_o_n_f___r_e_q___f_l_a_g, _i_n_t _q_o_p___r_e_q, - _g_s_s___b_u_f_f_e_r___t _i_n_p_u_t___m_e_s_s_a_g_e___b_u_f_f_e_r, _i_n_t _* _c_o_n_f___s_t_a_t_e, - _g_s_s___b_u_f_f_e_r___t _o_u_t_p_u_t___m_e_s_s_a_g_e___b_u_f_f_e_r) - - _O_M___u_i_n_t_3_2 
- ggssss__ssiiggnn(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _g_s_s___c_t_x___i_d___t _c_o_n_t_e_x_t___h_a_n_d_l_e, - _i_n_t _q_o_p___r_e_q, _g_s_s___b_u_f_f_e_r___t _m_e_s_s_a_g_e___b_u_f_f_e_r, - _g_s_s___b_u_f_f_e_r___t _m_e_s_s_a_g_e___t_o_k_e_n) - - _O_M___u_i_n_t_3_2 - ggssss__tteesstt__ooiidd__sseett__mmeemmbbeerr(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _c_o_n_s_t _g_s_s___O_I_D _m_e_m_b_e_r, - _c_o_n_s_t _g_s_s___O_I_D___s_e_t _s_e_t, _i_n_t _* _p_r_e_s_e_n_t) - - _O_M___u_i_n_t_3_2 - ggssss__uunnsseeaall(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _g_s_s___c_t_x___i_d___t _c_o_n_t_e_x_t___h_a_n_d_l_e, - _g_s_s___b_u_f_f_e_r___t _i_n_p_u_t___m_e_s_s_a_g_e___b_u_f_f_e_r, - _g_s_s___b_u_f_f_e_r___t _o_u_t_p_u_t___m_e_s_s_a_g_e___b_u_f_f_e_r, _i_n_t _* _c_o_n_f___s_t_a_t_e, - _i_n_t _* _q_o_p___s_t_a_t_e) - - _O_M___u_i_n_t_3_2 - ggssss__uunnwwrraapp(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _c_o_n_s_t _g_s_s___c_t_x___i_d___t _c_o_n_t_e_x_t___h_a_n_d_l_e, - _c_o_n_s_t _g_s_s___b_u_f_f_e_r___t _i_n_p_u_t___m_e_s_s_a_g_e___b_u_f_f_e_r, - _g_s_s___b_u_f_f_e_r___t _o_u_t_p_u_t___m_e_s_s_a_g_e___b_u_f_f_e_r, _i_n_t _* _c_o_n_f___s_t_a_t_e, - _g_s_s___q_o_p___t _* _q_o_p___s_t_a_t_e) - - _O_M___u_i_n_t_3_2 - ggssss__vveerriiffyy(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _g_s_s___c_t_x___i_d___t _c_o_n_t_e_x_t___h_a_n_d_l_e, - _g_s_s___b_u_f_f_e_r___t _m_e_s_s_a_g_e___b_u_f_f_e_r, _g_s_s___b_u_f_f_e_r___t _t_o_k_e_n___b_u_f_f_e_r, - _i_n_t _* _q_o_p___s_t_a_t_e) - - _O_M___u_i_n_t_3_2 - ggssss__vveerriiffyy__mmiicc(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, - _c_o_n_s_t _g_s_s___c_t_x___i_d___t _c_o_n_t_e_x_t___h_a_n_d_l_e, - _c_o_n_s_t _g_s_s___b_u_f_f_e_r___t _m_e_s_s_a_g_e___b_u_f_f_e_r, - _c_o_n_s_t _g_s_s___b_u_f_f_e_r___t _t_o_k_e_n___b_u_f_f_e_r, _g_s_s___q_o_p___t _* _q_o_p___s_t_a_t_e) - - - - ggssss__wwrraapp(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _c_o_n_s_t _g_s_s___c_t_x___i_d___t _c_o_n_t_e_x_t___h_a_n_d_l_e, 
- _i_n_t _c_o_n_f___r_e_q___f_l_a_g, _g_s_s___q_o_p___t _q_o_p___r_e_q, - _c_o_n_s_t _g_s_s___b_u_f_f_e_r___t _i_n_p_u_t___m_e_s_s_a_g_e___b_u_f_f_e_r, _i_n_t _* _c_o_n_f___s_t_a_t_e, - _g_s_s___b_u_f_f_e_r___t _o_u_t_p_u_t___m_e_s_s_a_g_e___b_u_f_f_e_r) - - _O_M___u_i_n_t_3_2 - ggssss__wwrraapp__ssiizzee__lliimmiitt(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, - _c_o_n_s_t _g_s_s___c_t_x___i_d___t _c_o_n_t_e_x_t___h_a_n_d_l_e, _i_n_t _c_o_n_f___r_e_q___f_l_a_g, - _g_s_s___q_o_p___t _q_o_p___r_e_q, _O_M___u_i_n_t_3_2 _r_e_q___o_u_t_p_u_t___s_i_z_e, - _O_M___u_i_n_t_3_2 _* _m_a_x___i_n_p_u_t___s_i_z_e) - -DDEESSCCRRIIPPTTIIOONN - Generic Security Service API (GSS-API) version 2, and its C binding, is - described in RFC2743 and RFC2744. Version 1 (deprecated) of the C binding - is described in RFC1509. - - Heimdals GSS-API implementation supports the following mechanisms - - ++oo GSS_KRB5_MECHANISM - - GSS-API have generic name types that all mechanism are supposed to imple- - ment (if possible) - - ++oo GSS_C_NT_USER_NAME - - ++oo GSS_C_NT_MACHINE_UID_NAME - - ++oo GSS_C_NT_STRING_UID_NAME - - ++oo GSS_C_NT_HOSTBASED_SERVICE - - ++oo GSS_C_NT_ANONYMOUS - - ++oo GSS_C_NT_EXPORT_NAME - - GSS-API implementations that supports Kerberos 5 have some additional - name types - - ++oo GSS_KRB5_NT_PRINCIPAL_NAME - - ++oo GSS_KRB5_NT_USER_NAME - - ++oo GSS_KRB5_NT_MACHINE_UID_NAME - - ++oo GSS_KRB5_NT_STRING_UID_NAME - - ggssss__ddiissppllaayy__nnaammee() takes the gss name in _i_n_p_u_t___n_a_m_e and put a printable - form in _o_u_t_p_u_t___n_a_m_e___b_u_f_f_e_r. _o_u_t_p_u_t___n_a_m_e___b_u_f_f_e_r should be freed when done - using ggssss__rreelleeaassee__bbuuffffeerr(). _o_u_t_p_u_t___n_a_m_e___t_y_p_e can either be NULL or a - pointer to a gss_OID and will in the later case contain the OID type of - the name. The name should only be used for printing. Access control - should be done with the result of ggssss__eexxppoorrtt__nnaammee(). 
- - ggssss__ssiiggnn(), ggssss__vveerriiffyy(), ggssss__sseeaall(), and ggssss__uunnsseeaall() are part of the - GSS-API V1 interface and are obsolete. The functions should not be used - for new applications. They are provided so that version 1 applications - can link against the library. - - ggssss__kkrrbb55__ccooppyy__ccccaacchhee() is an extension to the GSS-API API. The function - will extract the krb5 credential that are transfered from the initiator - to the acceptor when using token delegation in the Kerberos mechanism. - The acceptor receives the delegated token in the last argument to - ggssss__aacccceepptt__sseecc__ccoonntteexxtt(). - - - ggssss__kkrrbb55__ccoommppaatt__ddeess33__mmiicc turns on or off the compatibly with older ver- - sion of Heimdal using des3 get and verify mic, this is way to programmat- - ically set the [gssapi]broken_des3_mic and [gssapi]correct_des3_mic flags - (see COMPATIBILITY section in gssapi(3)). If the CPP symbol - GSS_C_KRB5_COMPAT_DES3_MIC is present, ggssss__kkrrbb55__ccoommppaatt__ddeess33__mmiicc exists. - ggssss__kkrrbb55__ccoommppaatt__ddeess33__mmiicc will be removed in a later version of the GSS- - API library. - -SSEEEE AALLSSOO - krb5(3), krb5_ccache(3), gssapi(3), kerberos(8) - - HEIMDAL April 2, 2003 5 diff --git a/crypto/heimdal-0.6.3/lib/gssapi/gssapi.3 b/crypto/heimdal-0.6.3/lib/gssapi/gssapi.3 deleted file mode 100644 index ff30042b8c..0000000000 --- a/crypto/heimdal-0.6.3/lib/gssapi/gssapi.3 +++ /dev/null 
@@ -1,158 +0,0 @@
-.\" Copyright (c) 2003 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: gssapi.3,v 1.5.2.2 2003/04/30 09:56:26 lha Exp $
-.\"
-.Dd January 23, 2003
-.Dt GSSAPI 3
-.Os
-.Sh NAME
-.Nm gssapi
-.Nd Generic Security Service Application Program Interface library
-.Sh LIBRARY
-GSS-API Library (libgssapi, -lgssapi)
-.Sh DESCRIPTION
-The Generic Security Service Application Program Interface (GSS-API)
-provides security services to callers in a generic fashion,
-supportable with a range of underlying mechanisms and technologies and
-hence allowing source-level portability of applications to different
-environments.
-.Sh LIST OF FUNCTIONS
-These functions constitute the gssapi library,
-.Em libgssapi .
-Declarations for these functions may be obtained from the include file
-.Pa gssapi.h .
-.sp 2
-.nf
-.ta \w'gss_inquire_names_for_mech'u+2n +\w'Description goes here'u
-\fIName/Page\fP \fIDescription\fP
-.ta \w'gss_inquire_names_for_mech'u+2n +\w'Description goes here'u+6nC
-.sp 5p
-gss_accept_sec_context.3
-gss_acquire_cred.3
-gss_add_cred.3
-gss_add_oid_set_member.3
-gss_canonicalize_name.3
-gss_compare_name.3
-gss_context_time.3
-gss_create_empty_oid_set.3
-gss_delete_sec_context.3
-gss_display_name.3
-gss_display_status.3
-gss_duplicate_name.3
-gss_export_name.3
-gss_export_sec_context.3
-gss_get_mic.3
-gss_import_name.3
-gss_import_sec_context.3
-gss_indicate_mechs.3
-gss_init_sec_context.3
-gss_inquire_context.3
-gss_inquire_cred.3
-gss_inquire_cred_by_mech.3
-gss_inquire_mechs_for_name.3
-gss_inquire_names_for_mech.3
-gss_krb5_copy_ccache.3
-gss_process_context_token.3
-gss_release_buffer.3
-gss_release_cred.3
-gss_release_name.3
-gss_release_oid_set.3
-gss_seal.3
-gss_sign.3
-gss_test_oid_set_member.3
-gss_unseal.3
-gss_unwrap.3
-gss_verify.3
-gss_verify_mic.3
-gss_wrap.3
-gss_wrap_size_limit.3
-.ta
-.Fi
-.Sh COMPATIBILITY
-The
-.Nm Heimdal
-GSS-API implementation had a bug in releases before 0.6 that made it
-fail to inter-operate when using DES3 with other GSS-API
-implementations when using
-.Fn gss_get_mic
-/
-.Fn
gss_verify_mic .
-Its possible to modify the behavior of the generator of the MIC with
-the
-.Pa krb5.conf
-configuration file so that old clients/servers will still
-work.
-.Pp
-New clients/servers will try both the old and new MIC in Heimdal 0.6.
-In 0.7 it will check only if configured and the compatibility code
-will be removed in 0.8.
-.Pp
-Heimdal 0.6 still generates by default the broken GSS-API DES3 mic,
-this will change in 0.7 to generate correct des3 mic.
-.Pp
-To turn on compatibility with older clients and servers, change the
-.Nm [gssapi]
-.Ar broken_des3_mic
-in
-.Pa krb5.conf
-that contains a list of globbing expressions that will be matched
-against the server name.
-To turn off generation of the old (incompatible) mic of the MIC use
-.Nm [gssapi]
-.Ar correct_des3_mic .
-.Pp
-If a match for a entry is in both
-.Nm [gssapi]
-.Ar correct_des3_mic
-and
-.Nm [gssapi]
-.Ar correct_des3_mic ,
-the later will override.
-.Pp
-This config option modifies behaviour for both clients and servers.
-.Pp
-Example:
-.Bd -literal -offset indent
-[gssapi]
- broken_des3_mic = cvs/*@SU.SE
- broken_des3_mic = host/*@E.KTH.SE
- correct_des3_mic = host/*@SU.SE
-.Ed
-.Sh BUGS
-All of 0.5.x versions of
-.Nm heimdal
-had broken token delegations in the client side, the server side was
-correct.
-.Sh SEE ALSO
-.Xr krb5 3 ,
-.Xr krb5.conf 5 ,
-.Xr kerberos 8
diff --git a/crypto/heimdal-0.6.3/lib/gssapi/gssapi.cat3 b/crypto/heimdal-0.6.3/lib/gssapi/gssapi.cat3
deleted file mode 100644
index 5969ecc2bc..0000000000
--- a/crypto/heimdal-0.6.3/lib/gssapi/gssapi.cat3
+++ /dev/null
@@ -1,101 +0,0 @@ - -GSSAPI(3) UNIX Programmer's Manual GSSAPI(3) - -NNAAMMEE - ggssssaappii - Generic Security Service Application Program Interface library - -LLIIBBRRAARRYY - GSS-API Library (libgssapi, -lgssapi) - -DDEESSCCRRIIPPTTIIOONN - The Generic Security Service Application Program Interface (GSS-API) pro- - vides security services to callers in a generic fashion, supportable with - a range of underlying mechanisms and technologies and hence allowing - source-level portability of applications to different environments. - -LLIISSTT OOFF FFUUNNCCTTIIOONNSS - These functions constitute the gssapi library, _l_i_b_g_s_s_a_p_i. Declarations - for these functions may be obtained from the include file _g_s_s_a_p_i_._h. - - - _N_a_m_e_/_P_a_g_e _D_e_s_c_r_i_p_t_i_o_n - gss_accept_sec_context.3 - gss_acquire_cred.3 - gss_add_cred.3 - gss_add_oid_set_member.3 - gss_canonicalize_name.3 - gss_compare_name.3 - gss_context_time.3 - gss_create_empty_oid_set.3 - gss_delete_sec_context.3 - gss_display_name.3 - gss_display_status.3 - gss_duplicate_name.3 - gss_export_name.3 - gss_export_sec_context.3 - gss_get_mic.3 - gss_import_name.3 - gss_import_sec_context.3 - gss_indicate_mechs.3 - gss_init_sec_context.3 - gss_inquire_context.3 - gss_inquire_cred.3 - gss_inquire_cred_by_mech.3 - gss_inquire_mechs_for_name.3 - gss_inquire_names_for_mech.3 - gss_krb5_copy_ccache.3 - gss_process_context_token.3 - gss_release_buffer.3 - gss_release_cred.3 - gss_release_name.3 - gss_release_oid_set.3 - gss_seal.3 - gss_sign.3 - gss_test_oid_set_member.3 - gss_unseal.3 - gss_unwrap.3 - gss_verify.3 - gss_verify_mic.3 - gss_wrap.3 - gss_wrap_size_limit.3 - -CCOOMMPPAATTIIBBIILLIITTYY - The HHeeiimmddaall GSS-API implementation had a bug in releases before 0.6 that - made it fail to inter-operate when using DES3 with other GSS-API imple- - mentations when using ggssss__ggeett__mmiicc() / ggssss__vveerriiffyy__mmiicc(). 
Its possible to - modify the behavior of the generator of the MIC with the _k_r_b_5_._c_o_n_f con- - figuration file so that old clients/servers will still work. - - New clients/servers will try both the old and new MIC in Heimdal 0.6. In - 0.7 it will check only if configured and the compatibility code will be - removed in 0.8. - - Heimdal 0.6 still generates by default the broken GSS-API DES3 mic, this - will change in 0.7 to generate correct des3 mic. - - To turn on compatibility with older clients and servers, change the - [[ggssssaappii]] _b_r_o_k_e_n___d_e_s_3___m_i_c in _k_r_b_5_._c_o_n_f that contains a list of globbing - expressions that will be matched against the server name. To turn off - generation of the old (incompatible) mic of the MIC use [[ggssssaappii]] - _c_o_r_r_e_c_t___d_e_s_3___m_i_c. - - If a match for a entry is in both [[ggssssaappii]] _c_o_r_r_e_c_t___d_e_s_3___m_i_c and [[ggssssaappii]] - _c_o_r_r_e_c_t___d_e_s_3___m_i_c, the later will override. - - This config option modifies behaviour for both clients and servers. - - Example: - - [gssapi] - broken_des3_mic = cvs/*@SU.SE - broken_des3_mic = host/*@E.KTH.SE - correct_des3_mic = host/*@SU.SE - -BBUUGGSS - All of 0.5.x versions of hheeiimmddaall had broken token delegations in the - client side, the server side was correct. - -SSEEEE AALLSSOO - krb5(3), krb5.conf(5), kerberos(8) - -BSD Experimental January 23, 2003 2 diff --git a/crypto/heimdal-0.6.3/lib/gssapi/gssapi.h b/crypto/heimdal-0.6.3/lib/gssapi/gssapi.h deleted file mode 100644 index 12ac426b01..0000000000 --- a/crypto/heimdal-0.6.3/lib/gssapi/gssapi.h +++ /dev/null 
@@ -1,788 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: gssapi.h,v 1.26.2.2 2003/05/07 11:12:21 lha Exp $ */
-
-#ifndef GSSAPI_H_
-#define GSSAPI_H_
-
-/*
- * First, include stddef.h to get size_t defined.
- */
-#include
-
-#include
-
-/*
- * Now define the three implementation-dependent types.
- */
-
-typedef u_int32_t OM_uint32;
-
-typedef u_int32_t gss_uint32;
-
-/*
- * This is to avoid having to include
- */
-
-struct krb5_auth_context_data;
-
-struct Principal;
-
-/* typedef void *gss_name_t; */
-
-typedef struct Principal *gss_name_t;
-
-typedef struct gss_ctx_id_t_desc_struct {
- struct krb5_auth_context_data *auth_context;
- gss_name_t source, target;
- OM_uint32 flags;
- enum { LOCAL = 1, OPEN = 2,
- COMPAT_OLD_DES3 = 4, COMPAT_OLD_DES3_SELECTED = 8 } more_flags;
- struct krb5_ticket *ticket;
- time_t lifetime;
-} gss_ctx_id_t_desc;
-
-typedef gss_ctx_id_t_desc *gss_ctx_id_t;
-
-typedef struct gss_OID_desc_struct {
- OM_uint32 length;
- void *elements;
-} gss_OID_desc, *gss_OID;
-
-typedef struct gss_OID_set_desc_struct {
- size_t count;
- gss_OID elements;
-} gss_OID_set_desc, *gss_OID_set;
-
-struct krb5_keytab_data;
-
-struct krb5_ccache_data;
-
-typedef int gss_cred_usage_t;
-
-typedef struct gss_cred_id_t_desc_struct {
- gss_name_t principal;
- struct krb5_keytab_data *keytab;
- OM_uint32 lifetime;
- gss_cred_usage_t usage;
- gss_OID_set mechanisms;
- struct krb5_ccache_data *ccache;
-} gss_cred_id_t_desc;
-
-typedef gss_cred_id_t_desc *gss_cred_id_t;
-
-typedef struct gss_buffer_desc_struct {
- size_t length;
- void *value;
-} gss_buffer_desc, *gss_buffer_t;
-
-typedef struct gss_channel_bindings_struct {
- OM_uint32 initiator_addrtype;
- gss_buffer_desc initiator_address;
- OM_uint32 acceptor_addrtype;
- gss_buffer_desc acceptor_address;
- gss_buffer_desc application_data;
-} *gss_channel_bindings_t;
-
-/*
- * For now, define a QOP-type as an OM_uint32
- */
-typedef OM_uint32 gss_qop_t;
-
-/*
- * Flag bits for context-level services.
- */
-#define GSS_C_DELEG_FLAG 1
-#define GSS_C_MUTUAL_FLAG 2
-#define GSS_C_REPLAY_FLAG 4
-#define GSS_C_SEQUENCE_FLAG 8
-#define GSS_C_CONF_FLAG 16
-#define GSS_C_INTEG_FLAG 32
-#define GSS_C_ANON_FLAG 64
-#define GSS_C_PROT_READY_FLAG 128
-#define GSS_C_TRANS_FLAG 256
-
-/*
- * Credential usage options
- */
-#define GSS_C_BOTH 0
-#define GSS_C_INITIATE 1
-#define GSS_C_ACCEPT 2
-
-/*
- * Status code types for gss_display_status
- */
-#define GSS_C_GSS_CODE 1
-#define GSS_C_MECH_CODE 2
-
-/*
- * The constant definitions for channel-bindings address families
- */
-#define GSS_C_AF_UNSPEC 0
-#define GSS_C_AF_LOCAL 1
-#define GSS_C_AF_INET 2
-#define GSS_C_AF_IMPLINK 3
-#define GSS_C_AF_PUP 4
-#define GSS_C_AF_CHAOS 5
-#define GSS_C_AF_NS 6
-#define GSS_C_AF_NBS 7
-#define GSS_C_AF_ECMA 8
-#define GSS_C_AF_DATAKIT 9
-#define GSS_C_AF_CCITT 10
-#define GSS_C_AF_SNA 11
-#define GSS_C_AF_DECnet 12
-#define GSS_C_AF_DLI 13
-#define GSS_C_AF_LAT 14
-#define GSS_C_AF_HYLINK 15
-#define GSS_C_AF_APPLETALK 16
-#define GSS_C_AF_BSC 17
-#define GSS_C_AF_DSS 18
-#define GSS_C_AF_OSI 19
-#define GSS_C_AF_X25 21
-#define GSS_C_AF_INET6 24
-
-#define GSS_C_AF_NULLADDR 255
-
-/*
- * Various Null values
- */
-#define GSS_C_NO_NAME ((gss_name_t) 0)
-#define GSS_C_NO_BUFFER ((gss_buffer_t) 0)
-#define GSS_C_NO_OID ((gss_OID) 0)
-#define GSS_C_NO_OID_SET ((gss_OID_set) 0)
-#define GSS_C_NO_CONTEXT ((gss_ctx_id_t) 0)
-#define GSS_C_NO_CREDENTIAL ((gss_cred_id_t) 0)
-#define GSS_C_NO_CHANNEL_BINDINGS ((gss_channel_bindings_t) 0)
-#define GSS_C_EMPTY_BUFFER {0, NULL}
-
-/*
- * Some alternate names for a couple of the above
- * values. These are defined for V1 compatibility.
- */
-#define GSS_C_NULL_OID GSS_C_NO_OID
-#define GSS_C_NULL_OID_SET GSS_C_NO_OID_SET
-
-/*
- * Define the default Quality of Protection for per-message
- * services.
Note that an implementation that offers multiple
- * levels of QOP may define GSS_C_QOP_DEFAULT to be either zero
- * (as done here) to mean "default protection", or to a specific
- * explicit QOP value. However, a value of 0 should always be
- * interpreted by a GSSAPI implementation as a request for the
- * default protection level.
- */
-#define GSS_C_QOP_DEFAULT 0
-
-#define GSS_KRB5_CONF_C_QOP_DES 0x0100
-#define GSS_KRB5_CONF_C_QOP_DES3_KD 0x0200
-
-/*
- * Expiration time of 2^32-1 seconds means infinite lifetime for a
- * credential or security context
- */
-#define GSS_C_INDEFINITE 0xfffffffful
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/*
- * The implementation must reserve static storage for a
- * gss_OID_desc object containing the value
- * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
- * "\x01\x02\x01\x01"},
- * corresponding to an object-identifier value of
- * {iso(1) member-body(2) United States(840) mit(113554)
- * infosys(1) gssapi(2) generic(1) user_name(1)}. The constant
- * GSS_C_NT_USER_NAME should be initialized to point
- * to that gss_OID_desc.
- */
-extern gss_OID GSS_C_NT_USER_NAME;
-
-/*
- * The implementation must reserve static storage for a
- * gss_OID_desc object containing the value
- * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
- * "\x01\x02\x01\x02"},
- * corresponding to an object-identifier value of
- * {iso(1) member-body(2) United States(840) mit(113554)
- * infosys(1) gssapi(2) generic(1) machine_uid_name(2)}.
- * The constant GSS_C_NT_MACHINE_UID_NAME should be
- * initialized to point to that gss_OID_desc.
- */
-extern gss_OID GSS_C_NT_MACHINE_UID_NAME;
-
-/*
- * The implementation must reserve static storage for a
- * gss_OID_desc object containing the value
- * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
- * "\x01\x02\x01\x03"},
- * corresponding to an object-identifier value of
- * {iso(1) member-body(2) United States(840) mit(113554)
- * infosys(1) gssapi(2) generic(1) string_uid_name(3)}.
- * The constant GSS_C_NT_STRING_UID_NAME should be
- * initialized to point to that gss_OID_desc.
- */
-extern gss_OID GSS_C_NT_STRING_UID_NAME;
-
-/*
- * The implementation must reserve static storage for a
- * gss_OID_desc object containing the value
- * {6, (void *)"\x2b\x06\x01\x05\x06\x02"},
- * corresponding to an object-identifier value of
- * {iso(1) org(3) dod(6) internet(1) security(5)
- * nametypes(6) gss-host-based-services(2)). The constant
- * GSS_C_NT_HOSTBASED_SERVICE_X should be initialized to point
- * to that gss_OID_desc. This is a deprecated OID value, and
- * implementations wishing to support hostbased-service names
- * should instead use the GSS_C_NT_HOSTBASED_SERVICE OID,
- * defined below, to identify such names;
- * GSS_C_NT_HOSTBASED_SERVICE_X should be accepted a synonym
- * for GSS_C_NT_HOSTBASED_SERVICE when presented as an input
- * parameter, but should not be emitted by GSS-API
- * implementations
- */
-extern gss_OID GSS_C_NT_HOSTBASED_SERVICE_X;
-
-/*
- * The implementation must reserve static storage for a
- * gss_OID_desc object containing the value
- * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
- * "\x01\x02\x01\x04"}, corresponding to an
- * object-identifier value of {iso(1) member-body(2)
- * Unites States(840) mit(113554) infosys(1) gssapi(2)
- * generic(1) service_name(4)}. The constant
- * GSS_C_NT_HOSTBASED_SERVICE should be initialized
- * to point to that gss_OID_desc.
- */
-extern gss_OID GSS_C_NT_HOSTBASED_SERVICE;
-
-/*
- * The implementation must reserve static storage for a
- * gss_OID_desc object containing the value
- * {6, (void *)"\x2b\x06\01\x05\x06\x03"},
- * corresponding to an object identifier value of
- * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
- * 6(nametypes), 3(gss-anonymous-name)}. The constant
- * and GSS_C_NT_ANONYMOUS should be initialized to point
- * to that gss_OID_desc.
- */
-extern gss_OID GSS_C_NT_ANONYMOUS;
-
-/*
- * The implementation must reserve static storage for a
- * gss_OID_desc object containing the value
- * {6, (void *)"\x2b\x06\x01\x05\x06\x04"},
- * corresponding to an object-identifier value of
- * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
- * 6(nametypes), 4(gss-api-exported-name)}. The constant
- * GSS_C_NT_EXPORT_NAME should be initialized to point
- * to that gss_OID_desc.
- */
-extern gss_OID GSS_C_NT_EXPORT_NAME;
-
-/*
- * This if for kerberos5 names.
- */
-
-extern gss_OID GSS_KRB5_NT_PRINCIPAL_NAME;
-extern gss_OID GSS_KRB5_NT_USER_NAME;
-extern gss_OID GSS_KRB5_NT_MACHINE_UID_NAME;
-extern gss_OID GSS_KRB5_NT_STRING_UID_NAME;
-
-extern gss_OID GSS_KRB5_MECHANISM;
-
-/* for compatibility with MIT api */
-
-#define gss_mech_krb5 GSS_KRB5_MECHANISM
-
-/* Major status codes */
-
-#define GSS_S_COMPLETE 0
-
-/*
- * Some "helper" definitions to make the status code macros obvious.
- */
-#define GSS_C_CALLING_ERROR_OFFSET 24
-#define GSS_C_ROUTINE_ERROR_OFFSET 16
-#define GSS_C_SUPPLEMENTARY_OFFSET 0
-#define GSS_C_CALLING_ERROR_MASK 0377ul
-#define GSS_C_ROUTINE_ERROR_MASK 0377ul
-#define GSS_C_SUPPLEMENTARY_MASK 0177777ul
-
-/*
- * The macros that test status codes for error conditions.
- * Note that the GSS_ERROR() macro has changed slightly from
- * the V1 GSSAPI so that it now evaluates its argument
- * only once.
- */
-#define GSS_CALLING_ERROR(x) \
- (x & (GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET))
-#define GSS_ROUTINE_ERROR(x) \
- (x & (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET))
-#define GSS_SUPPLEMENTARY_INFO(x) \
- (x & (GSS_C_SUPPLEMENTARY_MASK << GSS_C_SUPPLEMENTARY_OFFSET))
-#define GSS_ERROR(x) \
- (x & ((GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET) | \
- (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET)))
-
-/*
- * Now the actual status code definitions
- */
-
-/*
- * Calling errors:
- */
-#define GSS_S_CALL_INACCESSIBLE_READ \
- (1ul << GSS_C_CALLING_ERROR_OFFSET)
-#define GSS_S_CALL_INACCESSIBLE_WRITE \
- (2ul << GSS_C_CALLING_ERROR_OFFSET)
-#define GSS_S_CALL_BAD_STRUCTURE \
- (3ul << GSS_C_CALLING_ERROR_OFFSET)
-
-/*
- * Routine errors:
- */
-#define GSS_S_BAD_MECH (1ul << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_BAD_NAME (2ul << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_BAD_NAMETYPE (3ul << GSS_C_ROUTINE_ERROR_OFFSET)
-
-#define GSS_S_BAD_BINDINGS (4ul << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_BAD_STATUS (5ul << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_BAD_SIG (6ul << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_BAD_MIC GSS_S_BAD_SIG
-#define GSS_S_NO_CRED (7ul << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_NO_CONTEXT (8ul << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_DEFECTIVE_TOKEN (9ul << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_DEFECTIVE_CREDENTIAL (10ul << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_CREDENTIALS_EXPIRED (11ul << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_CONTEXT_EXPIRED (12ul << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_FAILURE (13ul << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_BAD_QOP (14ul << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_UNAUTHORIZED (15ul << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_UNAVAILABLE (16ul << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_DUPLICATE_ELEMENT (17ul << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_NAME_NOT_MN (18ul << GSS_C_ROUTINE_ERROR_OFFSET)
-
-/*
- * Supplementary info bits: - */ -#define GSS_S_CONTINUE_NEEDED (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 0)) -#define GSS_S_DUPLICATE_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 1)) -#define GSS_S_OLD_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 2)) -#define GSS_S_UNSEQ_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 3)) -#define GSS_S_GAP_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 4)) - -/* - * From RFC1964: - * - * 4.1.1. Non-Kerberos-specific codes - */ - -#define GSS_KRB5_S_G_BAD_SERVICE_NAME 1 - /* "No @ in SERVICE-NAME name string" */ -#define GSS_KRB5_S_G_BAD_STRING_UID 2 - /* "STRING-UID-NAME contains nondigits" */ -#define GSS_KRB5_S_G_NOUSER 3 - /* "UID does not resolve to username" */ -#define GSS_KRB5_S_G_VALIDATE_FAILED 4 - /* "Validation error" */ -#define GSS_KRB5_S_G_BUFFER_ALLOC 5 - /* "Couldn't allocate gss_buffer_t data" */ -#define GSS_KRB5_S_G_BAD_MSG_CTX 6 - /* "Message context invalid" */ -#define GSS_KRB5_S_G_WRONG_SIZE 7 - /* "Buffer is the wrong size" */ -#define GSS_KRB5_S_G_BAD_USAGE 8 - /* "Credential usage type is unknown" */ -#define GSS_KRB5_S_G_UNKNOWN_QOP 9 - /* "Unknown quality of protection specified" */ - - /* - * 4.1.2. Kerberos-specific-codes - */ - -#define GSS_KRB5_S_KG_CCACHE_NOMATCH 10 - /* "Principal in credential cache does not match desired name" */ -#define GSS_KRB5_S_KG_KEYTAB_NOMATCH 11 - /* "No principal in keytab matches desired name" */ -#define GSS_KRB5_S_KG_TGT_MISSING 12 - /* "Credential cache has no TGT" */ -#define GSS_KRB5_S_KG_NO_SUBKEY 13 - /* "Authenticator has no subkey" */ -#define GSS_KRB5_S_KG_CONTEXT_ESTABLISHED 14 - /* "Context is already fully established" */ -#define GSS_KRB5_S_KG_BAD_SIGN_TYPE 15 - /* "Unknown signature type in token" */ -#define GSS_KRB5_S_KG_BAD_LENGTH 16 - /* "Invalid field length in token" */ -#define GSS_KRB5_S_KG_CTX_INCOMPLETE 17 - /* "Attempt to use incomplete security context" */ - -/* - * Finally, function prototypes for the GSS-API routines. 
- */ - -OM_uint32 gss_acquire_cred - (OM_uint32 * /*minor_status*/, - const gss_name_t /*desired_name*/, - OM_uint32 /*time_req*/, - const gss_OID_set /*desired_mechs*/, - gss_cred_usage_t /*cred_usage*/, - gss_cred_id_t * /*output_cred_handle*/, - gss_OID_set * /*actual_mechs*/, - OM_uint32 * /*time_rec*/ - ); - -OM_uint32 gss_release_cred - (OM_uint32 * /*minor_status*/, - gss_cred_id_t * /*cred_handle*/ - ); - -OM_uint32 gss_init_sec_context - (OM_uint32 * /*minor_status*/, - const gss_cred_id_t /*initiator_cred_handle*/, - gss_ctx_id_t * /*context_handle*/, - const gss_name_t /*target_name*/, - const gss_OID /*mech_type*/, - OM_uint32 /*req_flags*/, - OM_uint32 /*time_req*/, - const gss_channel_bindings_t /*input_chan_bindings*/, - const gss_buffer_t /*input_token*/, - gss_OID * /*actual_mech_type*/, - gss_buffer_t /*output_token*/, - OM_uint32 * /*ret_flags*/, - OM_uint32 * /*time_rec*/ - ); - -OM_uint32 gss_accept_sec_context - (OM_uint32 * /*minor_status*/, - gss_ctx_id_t * /*context_handle*/, - const gss_cred_id_t /*acceptor_cred_handle*/, - const gss_buffer_t /*input_token_buffer*/, - const gss_channel_bindings_t /*input_chan_bindings*/, - gss_name_t * /*src_name*/, - gss_OID * /*mech_type*/, - gss_buffer_t /*output_token*/, - OM_uint32 * /*ret_flags*/, - OM_uint32 * /*time_rec*/, - gss_cred_id_t * /*delegated_cred_handle*/ - ); - -OM_uint32 gss_process_context_token - (OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - const gss_buffer_t /*token_buffer*/ - ); - -OM_uint32 gss_delete_sec_context - (OM_uint32 * /*minor_status*/, - gss_ctx_id_t * /*context_handle*/, - gss_buffer_t /*output_token*/ - ); - -OM_uint32 gss_context_time - (OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - OM_uint32 * /*time_rec*/ - ); - -OM_uint32 gss_get_mic - (OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - gss_qop_t /*qop_req*/, - const gss_buffer_t /*message_buffer*/, - gss_buffer_t /*message_token*/ - ); - 
-OM_uint32 gss_verify_mic - (OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - const gss_buffer_t /*message_buffer*/, - const gss_buffer_t /*token_buffer*/, - gss_qop_t * /*qop_state*/ - ); - -OM_uint32 gss_wrap - (OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - int /*conf_req_flag*/, - gss_qop_t /*qop_req*/, - const gss_buffer_t /*input_message_buffer*/, - int * /*conf_state*/, - gss_buffer_t /*output_message_buffer*/ - ); - -OM_uint32 gss_unwrap - (OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - const gss_buffer_t /*input_message_buffer*/, - gss_buffer_t /*output_message_buffer*/, - int * /*conf_state*/, - gss_qop_t * /*qop_state*/ - ); - -OM_uint32 gss_display_status - (OM_uint32 * /*minor_status*/, - OM_uint32 /*status_value*/, - int /*status_type*/, - const gss_OID /*mech_type*/, - OM_uint32 * /*message_context*/, - gss_buffer_t /*status_string*/ - ); - -OM_uint32 gss_indicate_mechs - (OM_uint32 * /*minor_status*/, - gss_OID_set * /*mech_set*/ - ); - -OM_uint32 gss_compare_name - (OM_uint32 * /*minor_status*/, - const gss_name_t /*name1*/, - const gss_name_t /*name2*/, - int * /*name_equal*/ - ); - -OM_uint32 gss_display_name - (OM_uint32 * /*minor_status*/, - const gss_name_t /*input_name*/, - gss_buffer_t /*output_name_buffer*/, - gss_OID * /*output_name_type*/ - ); - -OM_uint32 gss_import_name - (OM_uint32 * /*minor_status*/, - const gss_buffer_t /*input_name_buffer*/, - const gss_OID /*input_name_type*/, - gss_name_t * /*output_name*/ - ); - -OM_uint32 gss_export_name - (OM_uint32 * /*minor_status*/, - const gss_name_t /*input_name*/, - gss_buffer_t /*exported_name*/ - ); - -OM_uint32 gss_release_name - (OM_uint32 * /*minor_status*/, - gss_name_t * /*input_name*/ - ); - -OM_uint32 gss_release_buffer - (OM_uint32 * /*minor_status*/, - gss_buffer_t /*buffer*/ - ); - -OM_uint32 gss_release_oid_set - (OM_uint32 * /*minor_status*/, - gss_OID_set * /*set*/ - ); - -OM_uint32 gss_inquire_cred 
- (OM_uint32 * /*minor_status*/, - const gss_cred_id_t /*cred_handle*/, - gss_name_t * /*name*/, - OM_uint32 * /*lifetime*/, - gss_cred_usage_t * /*cred_usage*/, - gss_OID_set * /*mechanisms*/ - ); - -OM_uint32 gss_inquire_context ( - OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - gss_name_t * /*src_name*/, - gss_name_t * /*targ_name*/, - OM_uint32 * /*lifetime_rec*/, - gss_OID * /*mech_type*/, - OM_uint32 * /*ctx_flags*/, - int * /*locally_initiated*/, - int * /*open_context*/ - ); - -OM_uint32 gss_wrap_size_limit ( - OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - int /*conf_req_flag*/, - gss_qop_t /*qop_req*/, - OM_uint32 /*req_output_size*/, - OM_uint32 * /*max_input_size*/ - ); - -OM_uint32 gss_add_cred ( - OM_uint32 * /*minor_status*/, - const gss_cred_id_t /*input_cred_handle*/, - const gss_name_t /*desired_name*/, - const gss_OID /*desired_mech*/, - gss_cred_usage_t /*cred_usage*/, - OM_uint32 /*initiator_time_req*/, - OM_uint32 /*acceptor_time_req*/, - gss_cred_id_t * /*output_cred_handle*/, - gss_OID_set * /*actual_mechs*/, - OM_uint32 * /*initiator_time_rec*/, - OM_uint32 * /*acceptor_time_rec*/ - ); - -OM_uint32 gss_inquire_cred_by_mech ( - OM_uint32 * /*minor_status*/, - const gss_cred_id_t /*cred_handle*/, - const gss_OID /*mech_type*/, - gss_name_t * /*name*/, - OM_uint32 * /*initiator_lifetime*/, - OM_uint32 * /*acceptor_lifetime*/, - gss_cred_usage_t * /*cred_usage*/ - ); - -OM_uint32 gss_export_sec_context ( - OM_uint32 * /*minor_status*/, - gss_ctx_id_t * /*context_handle*/, - gss_buffer_t /*interprocess_token*/ - ); - -OM_uint32 gss_import_sec_context ( - OM_uint32 * /*minor_status*/, - const gss_buffer_t /*interprocess_token*/, - gss_ctx_id_t * /*context_handle*/ - ); - -OM_uint32 gss_create_empty_oid_set ( - OM_uint32 * /*minor_status*/, - gss_OID_set * /*oid_set*/ - ); - -OM_uint32 gss_add_oid_set_member ( - OM_uint32 * /*minor_status*/, - const gss_OID /*member_oid*/, - gss_OID_set * 
/*oid_set*/ - ); - -OM_uint32 gss_test_oid_set_member ( - OM_uint32 * /*minor_status*/, - const gss_OID /*member*/, - const gss_OID_set /*set*/, - int * /*present*/ - ); - -OM_uint32 gss_inquire_names_for_mech ( - OM_uint32 * /*minor_status*/, - const gss_OID /*mechanism*/, - gss_OID_set * /*name_types*/ - ); - -OM_uint32 gss_inquire_mechs_for_name ( - OM_uint32 * /*minor_status*/, - const gss_name_t /*input_name*/, - gss_OID_set * /*mech_types*/ - ); - -OM_uint32 gss_canonicalize_name ( - OM_uint32 * /*minor_status*/, - const gss_name_t /*input_name*/, - const gss_OID /*mech_type*/, - gss_name_t * /*output_name*/ - ); - -OM_uint32 gss_duplicate_name ( - OM_uint32 * /*minor_status*/, - const gss_name_t /*src_name*/, - gss_name_t * /*dest_name*/ - ); - -/* - * The following routines are obsolete variants of gss_get_mic, - * gss_verify_mic, gss_wrap and gss_unwrap. They should be - * provided by GSSAPI V2 implementations for backwards - * compatibility with V1 applications. Distinct entrypoints - * (as opposed to #defines) should be provided, both to allow - * GSSAPI V1 applications to link against GSSAPI V2 implementations, - * and to retain the slight parameter type differences between the - * obsolete versions of these routines and their current forms. 
- */ - -OM_uint32 gss_sign - (OM_uint32 * /*minor_status*/, - gss_ctx_id_t /*context_handle*/, - int /*qop_req*/, - gss_buffer_t /*message_buffer*/, - gss_buffer_t /*message_token*/ - ); - -OM_uint32 gss_verify - (OM_uint32 * /*minor_status*/, - gss_ctx_id_t /*context_handle*/, - gss_buffer_t /*message_buffer*/, - gss_buffer_t /*token_buffer*/, - int * /*qop_state*/ - ); - -OM_uint32 gss_seal - (OM_uint32 * /*minor_status*/, - gss_ctx_id_t /*context_handle*/, - int /*conf_req_flag*/, - int /*qop_req*/, - gss_buffer_t /*input_message_buffer*/, - int * /*conf_state*/, - gss_buffer_t /*output_message_buffer*/ - ); - -OM_uint32 gss_unseal - (OM_uint32 * /*minor_status*/, - gss_ctx_id_t /*context_handle*/, - gss_buffer_t /*input_message_buffer*/, - gss_buffer_t /*output_message_buffer*/, - int * /*conf_state*/, - int * /*qop_state*/ - ); - -/* - * kerberos mechanism specific functions - */ - -OM_uint32 gsskrb5_register_acceptor_identity - (const char */*identity*/); - -OM_uint32 gss_krb5_copy_ccache - (OM_uint32 */*minor*/, - gss_cred_id_t /*cred*/, - struct krb5_ccache_data */*out*/); - -#define GSS_C_KRB5_COMPAT_DES3_MIC 1 - -OM_uint32 -gss_krb5_compat_des3_mic(OM_uint32 *, gss_ctx_id_t, int); - -#ifdef __cplusplus -} -#endif - -#endif /* GSSAPI_H_ */ diff --git a/crypto/heimdal-0.6.3/lib/gssapi/gssapi_locl.h b/crypto/heimdal-0.6.3/lib/gssapi/gssapi_locl.h deleted file mode 100644 index 154c4b120d..0000000000 --- a/crypto/heimdal-0.6.3/lib/gssapi/gssapi_locl.h +++ /dev/null 
@@ -1,179 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: gssapi_locl.h,v 1.24.2.5 2003/09/18 22:01:52 lha Exp $ */
-
-#ifndef GSSAPI_LOCL_H
-#define GSSAPI_LOCL_H
-
-#ifdef HAVE_CONFIG_H
-#include
-#endif
-
-#include
-#include
-#include
-
-#include "arcfour.h"
-
-extern krb5_context gssapi_krb5_context;
-
-extern krb5_keytab gssapi_krb5_keytab;
-
-krb5_error_code gssapi_krb5_init (void);
-
-#define GSSAPI_KRB5_INIT() do { \
- krb5_error_code kret; \
- if((kret = gssapi_krb5_init ()) != 0) { \
- *minor_status = kret; \
- return GSS_S_FAILURE; \
- } \
-} while (0)
-
-OM_uint32
-gssapi_krb5_create_8003_checksum (
- OM_uint32 *minor_status,
- const gss_channel_bindings_t input_chan_bindings,
- OM_uint32 flags,
- const krb5_data *fwd_data,
- Checksum *result);
-
-OM_uint32
-gssapi_krb5_verify_8003_checksum (
- OM_uint32 *minor_status,
- const gss_channel_bindings_t input_chan_bindings,
- const Checksum *cksum,
- OM_uint32 *flags,
- krb5_data *fwd_data);
-
-OM_uint32
-gssapi_krb5_encapsulate(
- OM_uint32 *minor_status,
- const krb5_data *in_data,
- gss_buffer_t output_token,
- u_char *type);
-
-u_char *
-_gssapi_make_mech_header(u_char *p,
- size_t len);
-
-OM_uint32
-gssapi_krb5_decapsulate(
- OM_uint32 *minor_status,
- gss_buffer_t input_token_buffer,
- krb5_data *out_data,
- char *type);
-
-void
-gssapi_krb5_encap_length (size_t data_len,
- size_t *len,
- size_t *total_len);
-
-u_char *
-gssapi_krb5_make_header (u_char *p,
- size_t len,
- u_char *type);
-
-OM_uint32
-gssapi_krb5_verify_header(u_char **str,
- size_t total_len,
- char *type);
-
-
-OM_uint32
-_gssapi_verify_mech_header(u_char **str,
- size_t total_len);
-
-OM_uint32
-_gssapi_verify_pad(gss_buffer_t, size_t, size_t *);
-
-OM_uint32
-gss_verify_mic_internal(OM_uint32 * minor_status,
- const gss_ctx_id_t context_handle,
- const gss_buffer_t message_buffer,
- const gss_buffer_t token_buffer,
- gss_qop_t * qop_state,
- char * type);
-
-OM_uint32
-gss_krb5_get_remotekey(const gss_ctx_id_t context_handle,
- krb5_keyblock **key);
-
-OM_uint32
-gss_krb5_get_localkey(const gss_ctx_id_t context_handle,
- krb5_keyblock **key);
-
-krb5_error_code
-gss_address_to_krb5addr(OM_uint32 gss_addr_type,
- gss_buffer_desc *gss_addr,
- int16_t port,
- krb5_address *address);
-
-/* sec_context flags */
-
-#define SC_LOCAL_ADDRESS 0x01
-#define SC_REMOTE_ADDRESS 0x02
-#define SC_KEYBLOCK 0x04
-#define SC_LOCAL_SUBKEY 0x08
-#define SC_REMOTE_SUBKEY 0x10
-
-int
-gss_oid_equal(const gss_OID a, const gss_OID b);
-
-void
-gssapi_krb5_set_error_string (void);
-
-char *
-gssapi_krb5_get_error_string (void);
-
-OM_uint32
-_gss_DES3_get_mic_compat(OM_uint32 *minor_status, gss_ctx_id_t ctx);
-
-OM_uint32
-gssapi_lifetime_left(OM_uint32 *, OM_uint32, OM_uint32 *);
-
-/* 8003 */
-
-krb5_error_code
-gssapi_encode_om_uint32(OM_uint32, u_char *);
-
-krb5_error_code
-gssapi_encode_be_om_uint32(OM_uint32, u_char *);
-
-krb5_error_code
-gssapi_decode_om_uint32(u_char *, OM_uint32 *);
-
-krb5_error_code
-gssapi_decode_be_om_uint32(u_char *, OM_uint32 *);
-
-#endif
diff --git a/crypto/heimdal-0.6.3/lib/gssapi/import_name.c b/crypto/heimdal-0.6.3/lib/gssapi/import_name.c
deleted file mode 100644
index 423e757146..0000000000
--- a/crypto/heimdal-0.6.3/lib/gssapi/import_name.c
+++ /dev/null
@@ -1,229 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: import_name.c,v 1.13 2003/03/16 17:33:31 lha Exp $");
-
-static OM_uint32
-parse_krb5_name (OM_uint32 *minor_status,
- const char *name,
- gss_name_t *output_name)
-{
- krb5_error_code kerr;
-
- kerr = krb5_parse_name (gssapi_krb5_context, name, output_name);
-
- if (kerr == 0)
- return GSS_S_COMPLETE;
- else if (kerr == KRB5_PARSE_ILLCHAR || kerr == KRB5_PARSE_MALFORMED) {
- gssapi_krb5_set_error_string ();
- *minor_status = kerr;
- return GSS_S_BAD_NAME;
- } else {
- gssapi_krb5_set_error_string ();
- *minor_status = kerr;
- return GSS_S_FAILURE;
- }
-}
-
-static OM_uint32
-import_krb5_name (OM_uint32 *minor_status,
- const gss_buffer_t input_name_buffer,
- gss_name_t *output_name)
-{
- OM_uint32 ret;
- char *tmp;
-
- tmp = malloc (input_name_buffer->length + 1);
- if (tmp == NULL) {
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
- memcpy (tmp,
- input_name_buffer->value,
- input_name_buffer->length);
- tmp[input_name_buffer->length] = '\0';
-
- ret = parse_krb5_name(minor_status, tmp, output_name);
- free(tmp);
-
- return ret;
-}
-
-static OM_uint32
-import_hostbased_name (OM_uint32 *minor_status,
- const gss_buffer_t input_name_buffer,
- gss_name_t *output_name)
-{
- krb5_error_code kerr;
- char *tmp;
- char *p;
- char *host;
- char local_hostname[MAXHOSTNAMELEN];
-
- *output_name = NULL;
-
- tmp = malloc (input_name_buffer->length + 1);
- if (tmp == NULL) {
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
- memcpy (tmp,
- input_name_buffer->value,
- input_name_buffer->length);
- tmp[input_name_buffer->length] = '\0';
-
- p = strchr (tmp, '@');
- if (p != NULL) {
- *p = '\0';
- host = p + 1;
- } else {
- if (gethostname(local_hostname, sizeof(local_hostname)) < 0) {
- *minor_status = errno;
- free (tmp);
- return GSS_S_FAILURE;
- }
- host = local_hostname;
- }
-
- kerr = krb5_sname_to_principal (gssapi_krb5_context,
- host,
- tmp,
- KRB5_NT_SRV_HST,
- output_name);
- free (tmp);
- *minor_status = kerr;
- if (kerr == 0)
- return GSS_S_COMPLETE;
- else if (kerr == KRB5_PARSE_ILLCHAR || kerr == KRB5_PARSE_MALFORMED) {
- gssapi_krb5_set_error_string ();
- *minor_status = kerr;
- return GSS_S_BAD_NAME;
- } else {
- gssapi_krb5_set_error_string ();
- *minor_status = kerr;
- return GSS_S_FAILURE;
- }
-}
-
-static OM_uint32
-import_export_name (OM_uint32 *minor_status,
- const gss_buffer_t input_name_buffer,
- gss_name_t *output_name)
-{
- unsigned char *p;
- uint32_t length;
- OM_uint32 ret;
- char *name;
-
- if (input_name_buffer->length < 10 + GSS_KRB5_MECHANISM->length)
- return GSS_S_BAD_NAME;
-
- /* TOK, MECH_OID_LEN, DER(MECH_OID), NAME_LEN, NAME */
-
- p = input_name_buffer->value;
-
- if (memcmp(&p[0], "\x04\x01\x00", 3) != 0 ||
- p[3] != GSS_KRB5_MECHANISM->length + 2 ||
- p[4] != 0x06 ||
- p[5] != GSS_KRB5_MECHANISM->length ||
- memcmp(&p[6], GSS_KRB5_MECHANISM->elements,
- GSS_KRB5_MECHANISM->length) != 0)
- return GSS_S_BAD_NAME;
-
- p += 6 + GSS_KRB5_MECHANISM->length;
-
- length = p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3];
- p += 4;
-
- if (length > input_name_buffer->length - 10 - GSS_KRB5_MECHANISM->length)
- return GSS_S_BAD_NAME;
-
- name = malloc(length + 1);
- if (name == NULL) {
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
- memcpy(name, p, length);
- name[length] = '\0';
-
- ret = parse_krb5_name(minor_status, name, output_name);
- free(name);
-
- return ret;
-}
-
-int
-gss_oid_equal(const gss_OID a, const gss_OID b)
-{
- if (a == b)
- return 1;
- else if (a == GSS_C_NO_OID || b == GSS_C_NO_OID || a->length != b->length)
- return 0;
- else
- return memcmp(a->elements, b->elements, a->length) == 0;
-}
-
-OM_uint32 gss_import_name
- (OM_uint32 * minor_status,
- const gss_buffer_t input_name_buffer,
- const gss_OID input_name_type,
- gss_name_t * output_name
- )
-{
- GSSAPI_KRB5_INIT ();
-
- *minor_status = 0;
- *output_name = GSS_C_NO_NAME;
-
- if (gss_oid_equal(input_name_type, GSS_C_NT_HOSTBASED_SERVICE))
- return import_hostbased_name (minor_status,
- input_name_buffer,
- output_name);
- else if (gss_oid_equal(input_name_type, GSS_C_NO_OID)
- || gss_oid_equal(input_name_type, GSS_C_NT_USER_NAME)
- || gss_oid_equal(input_name_type, GSS_KRB5_NT_PRINCIPAL_NAME))
- /* default printable syntax */
- return import_krb5_name (minor_status,
- input_name_buffer,
- output_name);
- else if (gss_oid_equal(input_name_type, GSS_C_NT_EXPORT_NAME)) {
- return import_export_name(minor_status,
- input_name_buffer,
- output_name);
- } else {
- *minor_status = 0;
- return GSS_S_BAD_NAMETYPE;
- }
-}
diff --git a/crypto/heimdal-0.6.3/lib/gssapi/import_sec_context.c b/crypto/heimdal-0.6.3/lib/gssapi/import_sec_context.c
deleted file mode 100644
index 2daa5736ca..0000000000
--- a/crypto/heimdal-0.6.3/lib/gssapi/import_sec_context.c
+++ /dev/null
@@ -1,212 +0,0 @@
-/*
- * Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: import_sec_context.c,v 1.7 2003/03/16 18:01:32 lha Exp $");
-
-OM_uint32
-gss_import_sec_context (
- OM_uint32 * minor_status,
- const gss_buffer_t interprocess_token,
- gss_ctx_id_t * context_handle
- )
-{
- OM_uint32 ret = GSS_S_FAILURE;
- krb5_error_code kret;
- krb5_storage *sp;
- krb5_auth_context ac;
- krb5_address local, remote;
- krb5_address *localp, *remotep;
- krb5_data data;
- gss_buffer_desc buffer;
- krb5_keyblock keyblock;
- int32_t tmp;
- int32_t flags;
- OM_uint32 minor;
-
- GSSAPI_KRB5_INIT ();
-
- localp = remotep = NULL;
-
- sp = krb5_storage_from_mem (interprocess_token->value,
- interprocess_token->length);
- if (sp == NULL) {
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
-
- *context_handle = malloc(sizeof(**context_handle));
- if (*context_handle == NULL) {
- *minor_status = ENOMEM;
- krb5_storage_free (sp);
- return GSS_S_FAILURE;
- }
- memset (*context_handle, 0, sizeof(**context_handle));
-
- kret = krb5_auth_con_init (gssapi_krb5_context,
- &(*context_handle)->auth_context);
- if (kret) {
- gssapi_krb5_set_error_string ();
- *minor_status = kret;
- ret = GSS_S_FAILURE;
- goto failure;
- }
-
- /* flags */
-
- *minor_status = 0;
-
- if (krb5_ret_int32 (sp, &flags) != 0)
- goto failure;
-
- /* retrieve the auth context */
-
- ac = (*context_handle)->auth_context;
- krb5_ret_int32 (sp, &ac->flags);
- if (flags & SC_LOCAL_ADDRESS) {
- if (krb5_ret_address (sp, localp = &local) != 0)
- goto failure;
- }
-
- if (flags & SC_REMOTE_ADDRESS) {
- if (krb5_ret_address (sp, remotep = &remote) != 0)
- goto failure;
- }
-
- krb5_auth_con_setaddrs (gssapi_krb5_context, ac, localp, remotep);
- if (localp)
- krb5_free_address (gssapi_krb5_context, localp);
- if (remotep)
- krb5_free_address (gssapi_krb5_context, remotep);
- localp = remotep = NULL;
-
- if (krb5_ret_int16 (sp, &ac->local_port) != 0)
- goto failure;
-
- if (krb5_ret_int16 (sp, &ac->remote_port) != 0)
- goto failure;
- if (flags & SC_KEYBLOCK) {
- if (krb5_ret_keyblock (sp, &keyblock) != 0)
- goto failure;
- krb5_auth_con_setkey (gssapi_krb5_context, ac, &keyblock);
- krb5_free_keyblock_contents (gssapi_krb5_context, &keyblock);
- }
- if (flags & SC_LOCAL_SUBKEY) {
- if (krb5_ret_keyblock (sp, &keyblock) != 0)
- goto failure;
- krb5_auth_con_setlocalsubkey (gssapi_krb5_context, ac, &keyblock);
- krb5_free_keyblock_contents (gssapi_krb5_context, &keyblock);
- }
- if (flags & SC_REMOTE_SUBKEY) {
- if (krb5_ret_keyblock (sp, &keyblock) != 0)
- goto failure;
- krb5_auth_con_setremotesubkey (gssapi_krb5_context, ac, &keyblock);
- krb5_free_keyblock_contents (gssapi_krb5_context, &keyblock);
- }
- if (krb5_ret_int32 (sp, &ac->local_seqnumber))
- goto failure;
- if (krb5_ret_int32 (sp, &ac->remote_seqnumber))
- goto failure;
-
- if (krb5_ret_int32 (sp, &tmp) != 0)
- goto failure;
- ac->keytype = tmp;
- if (krb5_ret_int32 (sp, &tmp) != 0)
- goto failure;
- ac->cksumtype = tmp;
-
- /* names */
-
- if (krb5_ret_data (sp, &data))
- goto failure;
- buffer.value = data.data;
- buffer.length = data.length;
-
- ret = gss_import_name (minor_status, &buffer, GSS_C_NT_EXPORT_NAME,
- &(*context_handle)->source);
- if (ret) {
- ret = gss_import_name (minor_status, &buffer, GSS_C_NO_OID,
- &(*context_handle)->source);
- if (ret) {
- krb5_data_free (&data);
- goto failure;
- }
- }
- krb5_data_free (&data);
-
- if (krb5_ret_data (sp, &data) != 0)
- goto failure;
- buffer.value = data.data;
- buffer.length = data.length;
-
- ret = gss_import_name (minor_status, &buffer, GSS_C_NT_EXPORT_NAME,
- &(*context_handle)->target);
- if (ret) {
- ret = gss_import_name (minor_status, &buffer, GSS_C_NO_OID,
- &(*context_handle)->target);
- if (ret) {
- krb5_data_free (&data);
- goto failure;
- }
- }
- krb5_data_free (&data);
-
- if (krb5_ret_int32 (sp, &tmp))
- goto failure;
- (*context_handle)->flags = tmp;
- if (krb5_ret_int32 (sp, &tmp))
- goto failure;
- (*context_handle)->more_flags = tmp;
- if (krb5_ret_int32 (sp, &tmp) == 0)
- (*context_handle)->lifetime = tmp;
- else
- (*context_handle)->lifetime = GSS_C_INDEFINITE;
-
- return GSS_S_COMPLETE;
-
-failure:
- krb5_auth_con_free (gssapi_krb5_context,
- (*context_handle)->auth_context);
- if ((*context_handle)->source != NULL)
- gss_release_name(&minor, &(*context_handle)->source);
- if ((*context_handle)->target != NULL)
- gss_release_name(&minor, &(*context_handle)->target);
- if (localp)
- krb5_free_address (gssapi_krb5_context, localp);
- if (remotep)
- krb5_free_address (gssapi_krb5_context, remotep);
- free (*context_handle);
- *context_handle = GSS_C_NO_CONTEXT;
- return ret;
-}
diff --git a/crypto/heimdal-0.6.3/lib/gssapi/indicate_mechs.c b/crypto/heimdal-0.6.3/lib/gssapi/indicate_mechs.c
deleted file mode 100644
index 89191bb935..0000000000
--- a/crypto/heimdal-0.6.3/lib/gssapi/indicate_mechs.c
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: indicate_mechs.c,v 1.5 2003/03/16 17:38:20 lha Exp $");
-
-OM_uint32 gss_indicate_mechs
- (OM_uint32 * minor_status,
- gss_OID_set * mech_set
- )
-{
- OM_uint32 ret;
-
- ret = gss_create_empty_oid_set(minor_status, mech_set);
- if (ret)
- return ret;
-
- ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, mech_set);
- if (ret)
- return ret;
-
- *minor_status = 0;
- return GSS_S_COMPLETE;
-}
diff --git a/crypto/heimdal-0.6.3/lib/gssapi/init.c b/crypto/heimdal-0.6.3/lib/gssapi/init.c
deleted file mode 100644
index ddc0d7090a..0000000000
--- a/crypto/heimdal-0.6.3/lib/gssapi/init.c
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: init.c,v 1.6 2001/08/13 13:14:07 joda Exp $");
-
-krb5_error_code
-gssapi_krb5_init (void)
-{
- if(gssapi_krb5_context == NULL)
- return krb5_init_context (&gssapi_krb5_context);
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/lib/gssapi/init_sec_context.c b/crypto/heimdal-0.6.3/lib/gssapi/init_sec_context.c
deleted file mode 100644
index 72286a399f..0000000000
--- a/crypto/heimdal-0.6.3/lib/gssapi/init_sec_context.c
+++ /dev/null
@@ -1,578 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "gssapi_locl.h" - -RCSID("$Id: init_sec_context.c,v 1.36.2.1 2003/08/15 14:21:18 lha Exp $"); - -/* - * copy the addresses from `input_chan_bindings' (if any) to - * the auth context `ac' - */ - -static OM_uint32 -set_addresses (krb5_auth_context ac, - const gss_channel_bindings_t input_chan_bindings) -{ - /* Port numbers are expected to be in application_data.value, - * initator's port first */ - - krb5_address initiator_addr, acceptor_addr; - krb5_error_code kret; - - if (input_chan_bindings == GSS_C_NO_CHANNEL_BINDINGS - || input_chan_bindings->application_data.length != - 2 * sizeof(ac->local_port)) - return 0; - - memset(&initiator_addr, 0, sizeof(initiator_addr)); - memset(&acceptor_addr, 0, sizeof(acceptor_addr)); - - ac->local_port = - *(int16_t *) input_chan_bindings->application_data.value; - - ac->remote_port = - *((int16_t *) input_chan_bindings->application_data.value + 1); - - kret = gss_address_to_krb5addr(input_chan_bindings->acceptor_addrtype, - &input_chan_bindings->acceptor_address, - ac->remote_port, - &acceptor_addr); - if (kret) - return kret; - - kret = gss_address_to_krb5addr(input_chan_bindings->initiator_addrtype, - &input_chan_bindings->initiator_address, - ac->local_port, - &initiator_addr); - if (kret) { - krb5_free_address (gssapi_krb5_context, &acceptor_addr); - return kret; - } - - kret = krb5_auth_con_setaddrs(gssapi_krb5_context, - ac, - &initiator_addr, /* local address */ - &acceptor_addr); /* remote address */ - - krb5_free_address (gssapi_krb5_context, &initiator_addr); - krb5_free_address (gssapi_krb5_context, &acceptor_addr); - -#if 0 - free(input_chan_bindings->application_data.value); - input_chan_bindings->application_data.value = NULL; - input_chan_bindings->application_data.length = 0; -#endif - - return kret; -} - -/* - * handle delegated creds in init-sec-context - */ - -static void -do_delegation (krb5_auth_context ac, - krb5_ccache ccache, - krb5_creds *cred, - const gss_name_t target_name, - 
krb5_data *fwd_data, - int *flags) -{ - krb5_creds creds; - krb5_kdc_flags fwd_flags; - krb5_error_code kret; - - memset (&creds, 0, sizeof(creds)); - krb5_data_zero (fwd_data); - - kret = krb5_cc_get_principal(gssapi_krb5_context, ccache, &creds.client); - if (kret) - goto out; - - kret = krb5_build_principal(gssapi_krb5_context, - &creds.server, - strlen(creds.client->realm), - creds.client->realm, - KRB5_TGS_NAME, - creds.client->realm, - NULL); - if (kret) - goto out; - - creds.times.endtime = 0; - - fwd_flags.i = 0; - fwd_flags.b.forwarded = 1; - fwd_flags.b.forwardable = 1; - - if ( /*target_name->name.name_type != KRB5_NT_SRV_HST ||*/ - target_name->name.name_string.len < 2) - goto out; - - kret = krb5_get_forwarded_creds(gssapi_krb5_context, - ac, - ccache, - fwd_flags.i, - target_name->name.name_string.val[1], - &creds, - fwd_data); - - out: - if (kret) - *flags &= ~GSS_C_DELEG_FLAG; - else - *flags |= GSS_C_DELEG_FLAG; - - if (creds.client) - krb5_free_principal(gssapi_krb5_context, creds.client); - if (creds.server) - krb5_free_principal(gssapi_krb5_context, creds.server); -} - -/* - * first stage of init-sec-context - */ - -static OM_uint32 -init_auth -(OM_uint32 * minor_status, - const gss_cred_id_t initiator_cred_handle, - gss_ctx_id_t * context_handle, - const gss_name_t target_name, - const gss_OID mech_type, - OM_uint32 req_flags, - OM_uint32 time_req, - const gss_channel_bindings_t input_chan_bindings, - const gss_buffer_t input_token, - gss_OID * actual_mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec - ) -{ - OM_uint32 ret = GSS_S_FAILURE; - krb5_error_code kret; - krb5_flags ap_options; - krb5_creds this_cred, *cred; - krb5_data outbuf; - krb5_ccache ccache; - u_int32_t flags; - Authenticator *auth; - krb5_data authenticator; - Checksum cksum; - krb5_enctype enctype; - krb5_data fwd_data; - OM_uint32 lifetime_rec; - - krb5_data_zero(&outbuf); - krb5_data_zero(&fwd_data); - - *minor_status = 0; - - 
*context_handle = malloc(sizeof(**context_handle)); - if (*context_handle == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - (*context_handle)->auth_context = NULL; - (*context_handle)->source = NULL; - (*context_handle)->target = NULL; - (*context_handle)->flags = 0; - (*context_handle)->more_flags = 0; - (*context_handle)->ticket = NULL; - (*context_handle)->lifetime = GSS_C_INDEFINITE; - - kret = krb5_auth_con_init (gssapi_krb5_context, - &(*context_handle)->auth_context); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - ret = GSS_S_FAILURE; - goto failure; - } - - kret = set_addresses ((*context_handle)->auth_context, - input_chan_bindings); - if (kret) { - *minor_status = kret; - ret = GSS_S_BAD_BINDINGS; - goto failure; - } - - { - int32_t tmp; - - krb5_auth_con_getflags(gssapi_krb5_context, - (*context_handle)->auth_context, - &tmp); - tmp |= KRB5_AUTH_CONTEXT_DO_SEQUENCE; - krb5_auth_con_setflags(gssapi_krb5_context, - (*context_handle)->auth_context, - tmp); - } - - if (actual_mech_type) - *actual_mech_type = GSS_KRB5_MECHANISM; - - if (initiator_cred_handle == GSS_C_NO_CREDENTIAL) { - kret = krb5_cc_default (gssapi_krb5_context, &ccache); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - ret = GSS_S_FAILURE; - goto failure; - } - } else - ccache = initiator_cred_handle->ccache; - - kret = krb5_cc_get_principal (gssapi_krb5_context, - ccache, - &(*context_handle)->source); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - ret = GSS_S_FAILURE; - goto failure; - } - - kret = krb5_copy_principal (gssapi_krb5_context, - target_name, - &(*context_handle)->target); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - ret = GSS_S_FAILURE; - goto failure; - } - - ret = _gss_DES3_get_mic_compat(minor_status, *context_handle); - if (ret) - goto failure; - - - memset(&this_cred, 0, sizeof(this_cred)); - this_cred.client = (*context_handle)->source; - 
this_cred.server = (*context_handle)->target; - if (time_req && time_req != GSS_C_INDEFINITE) { - krb5_timestamp ts; - - krb5_timeofday (gssapi_krb5_context, &ts); - this_cred.times.endtime = ts + time_req; - } else - this_cred.times.endtime = 0; - this_cred.session.keytype = 0; - - kret = krb5_get_credentials (gssapi_krb5_context, - KRB5_TC_MATCH_KEYTYPE, - ccache, - &this_cred, - &cred); - - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - ret = GSS_S_FAILURE; - goto failure; - } - - (*context_handle)->lifetime = cred->times.endtime; - - ret = gssapi_lifetime_left(minor_status, - (*context_handle)->lifetime, - &lifetime_rec); - if (ret) { - goto failure; - } - - if (lifetime_rec == 0) { - *minor_status = 0; - ret = GSS_S_CONTEXT_EXPIRED; - goto failure; - } - - krb5_auth_con_setkey(gssapi_krb5_context, - (*context_handle)->auth_context, - &cred->session); - - kret = krb5_auth_con_generatelocalsubkey(gssapi_krb5_context, - (*context_handle)->auth_context, - &cred->session); - if(kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - ret = GSS_S_FAILURE; - goto failure; - } - - flags = 0; - ap_options = 0; - if (req_flags & GSS_C_DELEG_FLAG) - do_delegation ((*context_handle)->auth_context, - ccache, cred, target_name, &fwd_data, &flags); - - if (req_flags & GSS_C_MUTUAL_FLAG) { - flags |= GSS_C_MUTUAL_FLAG; - ap_options |= AP_OPTS_MUTUAL_REQUIRED; - } - - if (req_flags & GSS_C_REPLAY_FLAG) - ; /* XXX */ - if (req_flags & GSS_C_SEQUENCE_FLAG) - ; /* XXX */ - if (req_flags & GSS_C_ANON_FLAG) - ; /* XXX */ - flags |= GSS_C_CONF_FLAG; - flags |= GSS_C_INTEG_FLAG; - flags |= GSS_C_SEQUENCE_FLAG; - flags |= GSS_C_TRANS_FLAG; - - if (ret_flags) - *ret_flags = flags; - (*context_handle)->flags = flags; - (*context_handle)->more_flags |= LOCAL; - - ret = gssapi_krb5_create_8003_checksum (minor_status, - input_chan_bindings, - flags, - &fwd_data, - &cksum); - krb5_data_free (&fwd_data); - if (ret) - goto failure; - -#if 1 - enctype = 
(*context_handle)->auth_context->keyblock->keytype; -#else - if ((*context_handle)->auth_context->enctype) - enctype = (*context_handle)->auth_context->enctype; - else { - kret = krb5_keytype_to_enctype(gssapi_krb5_context, - (*context_handle)->auth_context->keyblock->keytype, - &enctype); - if (kret) - return kret; - } -#endif - - kret = krb5_build_authenticator (gssapi_krb5_context, - (*context_handle)->auth_context, - enctype, - cred, - &cksum, - &auth, - &authenticator, - KRB5_KU_AP_REQ_AUTH); - - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - ret = GSS_S_FAILURE; - goto failure; - } - - kret = krb5_build_ap_req (gssapi_krb5_context, - enctype, - cred, - ap_options, - authenticator, - &outbuf); - - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - ret = GSS_S_FAILURE; - goto failure; - } - - ret = gssapi_krb5_encapsulate (minor_status, &outbuf, output_token, - "\x01\x00"); - if (ret) - goto failure; - - krb5_data_free (&outbuf); - - if (flags & GSS_C_MUTUAL_FLAG) { - return GSS_S_CONTINUE_NEEDED; - } else { - if (time_rec) - *time_rec = lifetime_rec; - - (*context_handle)->more_flags |= OPEN; - return GSS_S_COMPLETE; - } - - failure: - krb5_auth_con_free (gssapi_krb5_context, - (*context_handle)->auth_context); - if((*context_handle)->source) - krb5_free_principal (gssapi_krb5_context, - (*context_handle)->source); - if((*context_handle)->target) - krb5_free_principal (gssapi_krb5_context, - (*context_handle)->target); - free (*context_handle); - krb5_data_free (&outbuf); - *context_handle = GSS_C_NO_CONTEXT; - return ret; -} - -static OM_uint32 -repl_mutual - (OM_uint32 * minor_status, - const gss_cred_id_t initiator_cred_handle, - gss_ctx_id_t * context_handle, - const gss_name_t target_name, - const gss_OID mech_type, - OM_uint32 req_flags, - OM_uint32 time_req, - const gss_channel_bindings_t input_chan_bindings, - const gss_buffer_t input_token, - gss_OID * actual_mech_type, - gss_buffer_t output_token, - 
OM_uint32 * ret_flags, - OM_uint32 * time_rec - ) -{ - OM_uint32 ret; - krb5_error_code kret; - krb5_data indata; - krb5_ap_rep_enc_part *repl; - - output_token->length = 0; - output_token->value = NULL; - - if (actual_mech_type) - *actual_mech_type = GSS_KRB5_MECHANISM; - - ret = gssapi_krb5_decapsulate (minor_status, input_token, &indata, - "\x02\x00"); - if (ret) - /* XXX - Handle AP_ERROR */ - return ret; - - kret = krb5_rd_rep (gssapi_krb5_context, - (*context_handle)->auth_context, - &indata, - &repl); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - return GSS_S_FAILURE; - } - krb5_free_ap_rep_enc_part (gssapi_krb5_context, - repl); - - (*context_handle)->more_flags |= OPEN; - - *minor_status = 0; - if (time_rec) { - ret = gssapi_lifetime_left(minor_status, - (*context_handle)->lifetime, - time_rec); - } else { - ret = GSS_S_COMPLETE; - } - if (ret_flags) - *ret_flags = (*context_handle)->flags; - - return ret; -} - -/* - * gss_init_sec_context - */ - -OM_uint32 gss_init_sec_context - (OM_uint32 * minor_status, - const gss_cred_id_t initiator_cred_handle, - gss_ctx_id_t * context_handle, - const gss_name_t target_name, - const gss_OID mech_type, - OM_uint32 req_flags, - OM_uint32 time_req, - const gss_channel_bindings_t input_chan_bindings, - const gss_buffer_t input_token, - gss_OID * actual_mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec - ) -{ - GSSAPI_KRB5_INIT (); - - output_token->length = 0; - output_token->value = NULL; - - if (ret_flags) - *ret_flags = 0; - if (time_rec) - *time_rec = 0; - - if (target_name == GSS_C_NO_NAME) { - if (actual_mech_type) - *actual_mech_type = GSS_C_NO_OID; - *minor_status = 0; - return GSS_S_BAD_NAME; - } - - if (input_token == GSS_C_NO_BUFFER || input_token->length == 0) - return init_auth (minor_status, - initiator_cred_handle, - context_handle, - target_name, - mech_type, - req_flags, - time_req, - input_chan_bindings, - input_token, - 
actual_mech_type,
- output_token,
- ret_flags,
- time_rec);
- else
- return repl_mutual(minor_status,
- initiator_cred_handle,
- context_handle,
- target_name,
- mech_type,
- req_flags,
- time_req,
- input_chan_bindings,
- input_token,
- actual_mech_type,
- output_token,
- ret_flags,
- time_rec);
-}
diff --git a/crypto/heimdal-0.6.3/lib/gssapi/inquire_context.c b/crypto/heimdal-0.6.3/lib/gssapi/inquire_context.c
deleted file mode 100644
index 95cd2c576e..0000000000
--- a/crypto/heimdal-0.6.3/lib/gssapi/inquire_context.c
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- * Copyright (c) 1997, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: inquire_context.c,v 1.5 2003/03/16 17:43:30 lha Exp $");
-
-OM_uint32 gss_inquire_context (
- OM_uint32 * minor_status,
- const gss_ctx_id_t context_handle,
- gss_name_t * src_name,
- gss_name_t * targ_name,
- OM_uint32 * lifetime_rec,
- gss_OID * mech_type,
- OM_uint32 * ctx_flags,
- int * locally_initiated,
- int * open_context
- )
-{
- OM_uint32 ret;
-
- if (src_name) {
- ret = gss_duplicate_name (minor_status,
- context_handle->source,
- src_name);
- if (ret)
- return ret;
- }
-
- if (targ_name) {
- ret = gss_duplicate_name (minor_status,
- context_handle->target,
- targ_name);
- if (ret)
- return ret;
- }
-
- if (lifetime_rec)
- *lifetime_rec = context_handle->lifetime;
-
- if (mech_type)
- *mech_type = GSS_KRB5_MECHANISM;
-
- if (ctx_flags)
- *ctx_flags = context_handle->flags;
-
- if (locally_initiated)
- *locally_initiated = context_handle->more_flags & LOCAL;
-
- if (open_context)
- *open_context = context_handle->more_flags & OPEN;
-
- *minor_status = 0;
- return GSS_S_COMPLETE;
-}
diff --git a/crypto/heimdal-0.6.3/lib/gssapi/inquire_cred.c b/crypto/heimdal-0.6.3/lib/gssapi/inquire_cred.c
deleted file mode 100644
index 4938d564e5..0000000000
--- a/crypto/heimdal-0.6.3/lib/gssapi/inquire_cred.c
+++ /dev/null
@@ -1,97 +0,0 @@
-/*
- * Copyright (c) 1997, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: inquire_cred.c,v 1.4 2003/03/16 17:42:14 lha Exp $");
-
-OM_uint32 gss_inquire_cred
- (OM_uint32 * minor_status,
- const gss_cred_id_t cred_handle,
- gss_name_t * name,
- OM_uint32 * lifetime,
- gss_cred_usage_t * cred_usage,
- gss_OID_set * mechanisms
- )
-{
- OM_uint32 ret;
-
- *minor_status = 0;
-
- if (name)
- *name = NULL;
- if (mechanisms)
- *mechanisms = GSS_C_NO_OID_SET;
-
- if (cred_handle == GSS_C_NO_CREDENTIAL) {
- return GSS_S_FAILURE;
- }
-
- if (name != NULL) {
- if (cred_handle->principal != NULL) {
- ret = gss_duplicate_name(minor_status, cred_handle->principal,
- name);
- if (ret)
- return ret;
- } else if (cred_handle->usage == GSS_C_ACCEPT) {
- *minor_status = krb5_sname_to_principal(gssapi_krb5_context, NULL,
- NULL, KRB5_NT_SRV_HST, name);
- if (*minor_status)
- return GSS_S_FAILURE;
- } else {
- *minor_status = krb5_get_default_principal(gssapi_krb5_context,
- name);
- if (*minor_status)
- return GSS_S_FAILURE;
- }
- }
- if (lifetime != NULL) {
- *lifetime = cred_handle->lifetime;
- }
- if (cred_usage != NULL) {
- *cred_usage = cred_handle->usage;
- }
- if (mechanisms != NULL) {
- ret = gss_create_empty_oid_set(minor_status, mechanisms);
- if (ret) {
- return ret;
- }
- ret = gss_add_oid_set_member(minor_status,
- &cred_handle->mechanisms->elements[0],
- mechanisms);
- if (ret) {
- return ret;
- }
- }
- return GSS_S_COMPLETE;
-}
diff --git a/crypto/heimdal-0.6.3/lib/gssapi/inquire_cred_by_mech.c b/crypto/heimdal-0.6.3/lib/gssapi/inquire_cred_by_mech.c
deleted file mode 100644
index b09d1e1d5f..0000000000
--- a/crypto/heimdal-0.6.3/lib/gssapi/inquire_cred_by_mech.c
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * Copyright (c) 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: inquire_cred_by_mech.c,v 1.1 2003/03/16 18:11:16 lha Exp $");
-
-OM_uint32 gss_inquire_cred_by_mech (
- OM_uint32 * minor_status,
- const gss_cred_id_t cred_handle,
- const gss_OID mech_type,
- gss_name_t * name,
- OM_uint32 * initiator_lifetime,
- OM_uint32 * acceptor_lifetime,
- gss_cred_usage_t * cred_usage
- )
-{
- OM_uint32 ret;
- OM_uint32 lifetime;
-
- if (gss_oid_equal(mech_type, GSS_C_NO_OID) == 0 &&
- gss_oid_equal(mech_type, GSS_KRB5_MECHANISM) == 0) {
- *minor_status = EINVAL;
- return GSS_S_BAD_MECH;
- }
-
- ret = gss_inquire_cred (minor_status,
- cred_handle,
- name,
- &lifetime,
- cred_usage,
- NULL);
-
- if (ret == 0 && cred_handle != GSS_C_NO_CREDENTIAL) {
- gss_cred_usage_t usage;
-
- usage = cred_handle->usage;
-
- if (initiator_lifetime) {
- if (usage == GSS_C_INITIATE || usage == GSS_C_BOTH)
- *initiator_lifetime = lifetime;
- }
- if (acceptor_lifetime) {
- if (usage == GSS_C_ACCEPT || usage == GSS_C_BOTH)
- *acceptor_lifetime = lifetime;
- }
- }
-
- return ret;
-}
diff --git a/crypto/heimdal-0.6.3/lib/gssapi/inquire_mechs_for_name.c b/crypto/heimdal-0.6.3/lib/gssapi/inquire_mechs_for_name.c
deleted file mode 100644
index 67ebb04db4..0000000000
--- a/crypto/heimdal-0.6.3/lib/gssapi/inquire_mechs_for_name.c
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Copyright (c) 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: inquire_mechs_for_name.c,v 1.1 2003/03/16 18:12:33 lha Exp $");
-
-OM_uint32 gss_inquire_mechs_for_name (
- OM_uint32 * minor_status,
- const gss_name_t input_name,
- gss_OID_set * mech_types
- )
-{
- OM_uint32 ret;
-
- ret = gss_create_empty_oid_set(minor_status, mech_types);
- if (ret)
- return ret;
-
- ret = gss_add_oid_set_member(minor_status,
- GSS_KRB5_MECHANISM,
- mech_types);
- if (ret)
- gss_release_oid_set(NULL, mech_types);
-
- return ret;
-}
diff --git a/crypto/heimdal-0.6.3/lib/gssapi/inquire_names_for_mech.c b/crypto/heimdal-0.6.3/lib/gssapi/inquire_names_for_mech.c
deleted file mode 100644
index 0e93de6854..0000000000
--- a/crypto/heimdal-0.6.3/lib/gssapi/inquire_names_for_mech.c
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * Copyright (c) 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: inquire_names_for_mech.c,v 1.1 2003/03/16 18:15:29 lha Exp $");
-
-
-static gss_OID *name_list[] = {
- &GSS_C_NT_HOSTBASED_SERVICE,
- &GSS_C_NT_USER_NAME,
- &GSS_KRB5_NT_PRINCIPAL_NAME,
- &GSS_C_NT_EXPORT_NAME,
- NULL
-};
-
-OM_uint32 gss_inquire_names_for_mech (
- OM_uint32 * minor_status,
- const gss_OID mechanism,
- gss_OID_set * name_types
- )
-{
- OM_uint32 ret;
- int i;
-
- *minor_status = 0;
-
- if (gss_oid_equal(mechanism, GSS_KRB5_MECHANISM) == 0 &&
- gss_oid_equal(mechanism, GSS_C_NULL_OID) == 0) {
- *name_types = GSS_C_NO_OID_SET;
- return GSS_S_BAD_MECH;
- }
-
- ret = gss_create_empty_oid_set(minor_status, name_types);
- if (ret != GSS_S_COMPLETE)
- return ret;
-
- for (i = 0; name_list[i] != NULL; i++) {
- ret = gss_add_oid_set_member(minor_status,
- *(name_list[i]),
- name_types);
- if (ret != GSS_S_COMPLETE)
- break;
- }
-
- if (ret != GSS_S_COMPLETE)
- gss_release_oid_set(NULL, name_types);
-
- return GSS_S_COMPLETE;
-}
diff --git a/crypto/heimdal-0.6.3/lib/gssapi/process_context_token.c b/crypto/heimdal-0.6.3/lib/gssapi/process_context_token.c
deleted file mode 100644
index 0cec33cc3e..0000000000
--- a/crypto/heimdal-0.6.3/lib/gssapi/process_context_token.c
+++ /dev/null
@@ -1,65 +0,0 @@
-/*
- * Copyright (c) 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: process_context_token.c,v 1.1 2003/03/16 18:19:05 lha Exp $");
-
-OM_uint32 gss_process_context_token (
- OM_uint32 *minor_status,
- const gss_ctx_id_t context_handle,
- const gss_buffer_t token_buffer
- )
-{
- OM_uint32 ret = GSS_S_FAILURE;
- gss_buffer_desc empty_buffer;
- gss_qop_t qop_state;
-
- empty_buffer.length = 0;
- empty_buffer.value = NULL;
-
- qop_state = GSS_C_QOP_DEFAULT;
-
- ret = gss_verify_mic_internal(minor_status, context_handle,
- token_buffer, &empty_buffer,
- GSS_C_QOP_DEFAULT, "\x01\x02");
-
- if (ret == GSS_S_COMPLETE)
- ret = gss_delete_sec_context(minor_status,
- (gss_ctx_id_t *)&context_handle,
- GSS_C_NO_BUFFER);
- if (ret == GSS_S_COMPLETE)
- *minor_status = 0;
-
- return ret;
-}
diff --git a/crypto/heimdal-0.6.3/lib/gssapi/release_buffer.c b/crypto/heimdal-0.6.3/lib/gssapi/release_buffer.c
deleted file mode 100644
index 258b76f627..0000000000
--- a/crypto/heimdal-0.6.3/lib/gssapi/release_buffer.c
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * Copyright (c) 1997 - 2000, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: release_buffer.c,v 1.5 2003/03/16 17:58:20 lha Exp $");
-
-OM_uint32 gss_release_buffer
- (OM_uint32 * minor_status,
- gss_buffer_t buffer
- )
-{
- *minor_status = 0;
- free (buffer->value);
- buffer->value = NULL;
- buffer->length = 0;
- return GSS_S_COMPLETE;
-}
diff --git a/crypto/heimdal-0.6.3/lib/gssapi/release_cred.c b/crypto/heimdal-0.6.3/lib/gssapi/release_cred.c
deleted file mode 100644
index 01cbb6a0f9..0000000000
--- a/crypto/heimdal-0.6.3/lib/gssapi/release_cred.c
+++ /dev/null
@@ -1,68 +0,0 @@
-/*
- * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: release_cred.c,v 1.8.2.1 2003/10/07 01:08:21 lha Exp $");
-
-OM_uint32 gss_release_cred
- (OM_uint32 * minor_status,
- gss_cred_id_t * cred_handle
- )
-{
- *minor_status = 0;
-
- if (*cred_handle == GSS_C_NO_CREDENTIAL) {
- return GSS_S_COMPLETE;
- }
-
- GSSAPI_KRB5_INIT ();
-
- if ((*cred_handle)->principal != NULL)
- krb5_free_principal(gssapi_krb5_context, (*cred_handle)->principal);
- if ((*cred_handle)->keytab != NULL)
- krb5_kt_close(gssapi_krb5_context, (*cred_handle)->keytab);
- if ((*cred_handle)->ccache != NULL) {
- const krb5_cc_ops *ops;
- ops = krb5_cc_get_ops(gssapi_krb5_context, (*cred_handle)->ccache);
- if (ops == &krb5_mcc_ops)
- krb5_cc_destroy(gssapi_krb5_context, (*cred_handle)->ccache);
- else
- krb5_cc_close(gssapi_krb5_context, (*cred_handle)->ccache);
- }
- gss_release_oid_set(NULL, &(*cred_handle)->mechanisms);
- free(*cred_handle);
- *cred_handle = GSS_C_NO_CREDENTIAL;
- return GSS_S_COMPLETE;
-}
-
diff --git a/crypto/heimdal-0.6.3/lib/gssapi/release_name.c b/crypto/heimdal-0.6.3/lib/gssapi/release_name.c
deleted file mode 100644
index 6894ffae49..0000000000
--- a/crypto/heimdal-0.6.3/lib/gssapi/release_name.c
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: release_name.c,v 1.7 2003/03/16 17:52:48 lha Exp $");
-
-OM_uint32 gss_release_name
- (OM_uint32 * minor_status,
- gss_name_t * input_name
- )
-{
- GSSAPI_KRB5_INIT ();
- if (minor_status)
- *minor_status = 0;
- krb5_free_principal(gssapi_krb5_context,
- *input_name);
- *input_name = GSS_C_NO_NAME;
- return GSS_S_COMPLETE;
-}
diff --git a/crypto/heimdal-0.6.3/lib/gssapi/release_oid_set.c b/crypto/heimdal-0.6.3/lib/gssapi/release_oid_set.c
deleted file mode 100644
index 04eb01565f..0000000000
--- a/crypto/heimdal-0.6.3/lib/gssapi/release_oid_set.c
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright (c) 1997 - 2000, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: release_oid_set.c,v 1.5 2003/03/16 17:53:25 lha Exp $");
-
-OM_uint32 gss_release_oid_set
- (OM_uint32 * minor_status,
- gss_OID_set * set
- )
-{
- if (minor_status)
- *minor_status = 0;
- free ((*set)->elements);
- free (*set);
- *set = GSS_C_NO_OID_SET;
- return GSS_S_COMPLETE;
-}
diff --git a/crypto/heimdal-0.6.3/lib/gssapi/test_acquire_cred.c b/crypto/heimdal-0.6.3/lib/gssapi/test_acquire_cred.c
deleted file mode 100644
index 29ed830d28..0000000000
--- a/crypto/heimdal-0.6.3/lib/gssapi/test_acquire_cred.c
+++ /dev/null
@@ -1,98 +0,0 @@ -/* - * Copyright (c) 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of KTH nor the names of its contributors may be - * used to endorse or promote products derived from this software without - * specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY - * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR - * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, - * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR - * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF - * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ - -#include "gssapi_locl.h" -#include - -RCSID("$Id: test_acquire_cred.c,v 1.2 2003/04/06 00:20:37 lha Exp $"); - -static void -print_time(OM_uint32 time_rec) -{ - if (time_rec == GSS_C_INDEFINITE) { - printf("cred never expire\n"); - } else { - time_t t = time_rec; - printf("expiration time: %s", ctime(&t)); - } -} - -int -main(int argc, char **argv) -{ - OM_uint32 major_status, minor_status; - gss_cred_id_t cred_handle, copy_cred; - OM_uint32 time_rec; - - major_status = gss_acquire_cred(&minor_status, - GSS_C_NO_NAME, - 0, - NULL, - GSS_C_INITIATE, - &cred_handle, - NULL, - &time_rec); - if (GSS_ERROR(major_status)) - errx(1, "acquire_cred failed"); - - - print_time(time_rec); - - major_status = gss_add_cred (&minor_status, - cred_handle, - GSS_C_NO_NAME, - GSS_KRB5_MECHANISM, - GSS_C_INITIATE, - 0, - 0, - ©_cred, - NULL, - &time_rec, - NULL); - - if (GSS_ERROR(major_status)) - errx(1, "add_cred failed"); - - print_time(time_rec); - - major_status = gss_release_cred(&minor_status, - &cred_handle); - if (GSS_ERROR(major_status)) - errx(1, "release_cred failed"); - - major_status = gss_release_cred(&minor_status, - ©_cred); - if (GSS_ERROR(major_status)) - errx(1, "release_cred failed"); - - return 0; -} diff --git a/crypto/heimdal-0.6.3/lib/gssapi/test_oid_set_member.c b/crypto/heimdal-0.6.3/lib/gssapi/test_oid_set_member.c deleted file mode 100644 index e747c5acc1..0000000000 --- a/crypto/heimdal-0.6.3/lib/gssapi/test_oid_set_member.c +++ /dev/null 
@@ -1,55 +0,0 @@
-/*
- * Copyright (c) 1997, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: test_oid_set_member.c,v 1.5 2003/03/16 17:54:06 lha Exp $");
-
-OM_uint32 gss_test_oid_set_member (
- OM_uint32 * minor_status,
- const gss_OID member,
- const gss_OID_set set,
- int * present
- )
-{
- size_t i;
-
- *minor_status = 0;
- *present = 0;
- for (i = 0; i < set->count; ++i)
- if (gss_oid_equal(member, &set->elements[i]) != 0) {
- *present = 1;
- break;
- }
- return GSS_S_COMPLETE;
-}
diff --git a/crypto/heimdal-0.6.3/lib/gssapi/unwrap.c b/crypto/heimdal-0.6.3/lib/gssapi/unwrap.c
deleted file mode 100644
index b798438dc6..0000000000
--- a/crypto/heimdal-0.6.3/lib/gssapi/unwrap.c
+++ /dev/null
@@ -1,422 +0,0 @@ -/* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "gssapi_locl.h" - -RCSID("$Id: unwrap.c,v 1.22.2.1 2003/09/18 22:05:22 lha Exp $"); - -OM_uint32 -gss_krb5_get_remotekey(const gss_ctx_id_t context_handle, - krb5_keyblock **key) -{ - krb5_keyblock *skey; - - krb5_auth_con_getremotesubkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - if(skey == NULL) - krb5_auth_con_getlocalsubkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - if(skey == NULL) - krb5_auth_con_getkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - if(skey == NULL) - return GSS_KRB5_S_KG_NO_SUBKEY; /* XXX */ - *key = skey; - return 0; -} - -static OM_uint32 -unwrap_des - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t input_message_buffer, - gss_buffer_t output_message_buffer, - int * conf_state, - gss_qop_t * qop_state, - krb5_keyblock *key - ) -{ - u_char *p, *pad; - size_t len; - MD5_CTX md5; - u_char hash[16], seq_data[8]; - des_key_schedule schedule; - des_cblock deskey; - des_cblock zero; - int i; - int32_t seq_number; - size_t padlength; - OM_uint32 ret; - int cstate; - - p = input_message_buffer->value; - ret = gssapi_krb5_verify_header (&p, - input_message_buffer->length, - "\x02\x01"); - if (ret) - return ret; - - if (memcmp (p, "\x00\x00", 2) != 0) - return GSS_S_BAD_SIG; - p += 2; - if (memcmp (p, "\x00\x00", 2) == 0) { - cstate = 1; - } else if (memcmp (p, "\xFF\xFF", 2) == 0) { - cstate = 0; - } else - return GSS_S_BAD_MIC; - p += 2; - if(conf_state != NULL) - *conf_state = cstate; - if (memcmp (p, "\xff\xff", 2) != 0) - return GSS_S_DEFECTIVE_TOKEN; - p += 2; - p += 16; - - len = p - (u_char *)input_message_buffer->value; - - if(cstate) { - /* decrypt data */ - memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); - - for (i = 0; i < sizeof(deskey); ++i) - deskey[i] ^= 0xf0; - des_set_key (&deskey, schedule); - memset (&zero, 0, sizeof(zero)); - des_cbc_encrypt ((void *)p, - (void *)p, - input_message_buffer->length - len, - 
schedule, - &zero, - DES_DECRYPT); - - memset (deskey, 0, sizeof(deskey)); - memset (schedule, 0, sizeof(schedule)); - } - /* check pad */ - - pad = (u_char *)input_message_buffer->value + input_message_buffer->length - 1; - padlength = *pad; - - for (i = padlength; i > 0 && *pad == padlength; i--, pad--) - ; - if (i != 0) - return GSS_S_BAD_MIC; - - MD5_Init (&md5); - MD5_Update (&md5, p - 24, 8); - MD5_Update (&md5, p, input_message_buffer->length - len); - MD5_Final (hash, &md5); - - memset (&zero, 0, sizeof(zero)); - memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); - des_set_key (&deskey, schedule); - des_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash), - schedule, &zero); - if (memcmp (p - 8, hash, 8) != 0) - return GSS_S_BAD_MIC; - - /* verify sequence number */ - - krb5_auth_getremoteseqnumber (gssapi_krb5_context, - context_handle->auth_context, - &seq_number); - seq_data[0] = (seq_number >> 0) & 0xFF; - seq_data[1] = (seq_number >> 8) & 0xFF; - seq_data[2] = (seq_number >> 16) & 0xFF; - seq_data[3] = (seq_number >> 24) & 0xFF; - memset (seq_data + 4, - (context_handle->more_flags & LOCAL) ? 
0xFF : 0, - 4); - - p -= 16; - des_set_key (&deskey, schedule); - des_cbc_encrypt ((void *)p, (void *)p, 8, - schedule, (des_cblock *)hash, DES_DECRYPT); - - memset (deskey, 0, sizeof(deskey)); - memset (schedule, 0, sizeof(schedule)); - - if (memcmp (p, seq_data, 8) != 0) { - return GSS_S_BAD_MIC; - } - - krb5_auth_con_setremoteseqnumber (gssapi_krb5_context, - context_handle->auth_context, - ++seq_number); - - /* copy out data */ - - output_message_buffer->length = input_message_buffer->length - - len - padlength - 8; - output_message_buffer->value = malloc(output_message_buffer->length); - if(output_message_buffer->length != 0 && output_message_buffer->value == NULL) - return GSS_S_FAILURE; - memcpy (output_message_buffer->value, - p + 24, - output_message_buffer->length); - return GSS_S_COMPLETE; -} - -static OM_uint32 -unwrap_des3 - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t input_message_buffer, - gss_buffer_t output_message_buffer, - int * conf_state, - gss_qop_t * qop_state, - krb5_keyblock *key - ) -{ - u_char *p, *pad; - size_t len; - u_char seq[8]; - krb5_data seq_data; - u_char cksum[20]; - int i; - int32_t seq_number; - size_t padlength; - OM_uint32 ret; - int cstate; - krb5_crypto crypto; - Checksum csum; - int cmp; - - p = input_message_buffer->value; - ret = gssapi_krb5_verify_header (&p, - input_message_buffer->length, - "\x02\x01"); - if (ret) - return ret; - - if (memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */ - return GSS_S_BAD_SIG; - p += 2; - if (memcmp (p, "\x02\x00", 2) == 0) { - cstate = 1; - } else if (memcmp (p, "\xff\xff", 2) == 0) { - cstate = 0; - } else - return GSS_S_BAD_MIC; - p += 2; - if(conf_state != NULL) - *conf_state = cstate; - if (memcmp (p, "\xff\xff", 2) != 0) - return GSS_S_DEFECTIVE_TOKEN; - p += 2; - p += 28; - - len = p - (u_char *)input_message_buffer->value; - - if(cstate) { - /* decrypt data */ - krb5_data tmp; - - ret = krb5_crypto_init(gssapi_krb5_context, key, - 
ETYPE_DES3_CBC_NONE, &crypto); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - return GSS_S_FAILURE; - } - ret = krb5_decrypt(gssapi_krb5_context, crypto, KRB5_KU_USAGE_SEAL, - p, input_message_buffer->length - len, &tmp); - krb5_crypto_destroy(gssapi_krb5_context, crypto); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - return GSS_S_FAILURE; - } - assert (tmp.length == input_message_buffer->length - len); - - memcpy (p, tmp.data, tmp.length); - krb5_data_free(&tmp); - } - /* check pad */ - - pad = (u_char *)input_message_buffer->value + input_message_buffer->length - 1; - padlength = *pad; - - for (i = padlength; i > 0 && *pad == padlength; i--, pad--) - ; - if (i != 0) - return GSS_S_BAD_MIC; - - /* verify sequence number */ - - krb5_auth_getremoteseqnumber (gssapi_krb5_context, - context_handle->auth_context, - &seq_number); - seq[0] = (seq_number >> 0) & 0xFF; - seq[1] = (seq_number >> 8) & 0xFF; - seq[2] = (seq_number >> 16) & 0xFF; - seq[3] = (seq_number >> 24) & 0xFF; - memset (seq + 4, - (context_handle->more_flags & LOCAL) ? 
0xFF : 0, - 4); - - p -= 28; - - ret = krb5_crypto_init(gssapi_krb5_context, key, - ETYPE_DES3_CBC_NONE, &crypto); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - return GSS_S_FAILURE; - } - { - des_cblock ivec; - - memcpy(&ivec, p + 8, 8); - ret = krb5_decrypt_ivec (gssapi_krb5_context, - crypto, - KRB5_KU_USAGE_SEQ, - p, 8, &seq_data, - &ivec); - } - krb5_crypto_destroy (gssapi_krb5_context, crypto); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - return GSS_S_FAILURE; - } - if (seq_data.length != 8) { - krb5_data_free (&seq_data); - return GSS_S_BAD_MIC; - } - - cmp = memcmp (seq, seq_data.data, seq_data.length); - krb5_data_free (&seq_data); - if (cmp != 0) { - return GSS_S_BAD_MIC; - } - - krb5_auth_con_setremoteseqnumber (gssapi_krb5_context, - context_handle->auth_context, - ++seq_number); - - /* verify checksum */ - - memcpy (cksum, p + 8, 20); - - memcpy (p + 20, p - 8, 8); - - csum.cksumtype = CKSUMTYPE_HMAC_SHA1_DES3; - csum.checksum.length = 20; - csum.checksum.data = cksum; - - ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - return GSS_S_FAILURE; - } - - ret = krb5_verify_checksum (gssapi_krb5_context, crypto, - KRB5_KU_USAGE_SIGN, - p + 20, - input_message_buffer->length - len + 8, - &csum); - krb5_crypto_destroy (gssapi_krb5_context, crypto); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - return GSS_S_FAILURE; - } - - /* copy out data */ - - output_message_buffer->length = input_message_buffer->length - - len - padlength - 8; - output_message_buffer->value = malloc(output_message_buffer->length); - if(output_message_buffer->length != 0 && output_message_buffer->value == NULL) - return GSS_S_FAILURE; - memcpy (output_message_buffer->value, - p + 36, - output_message_buffer->length); - return GSS_S_COMPLETE; -} - -OM_uint32 gss_unwrap - (OM_uint32 * minor_status, - const gss_ctx_id_t 
context_handle, - const gss_buffer_t input_message_buffer, - gss_buffer_t output_message_buffer, - int * conf_state, - gss_qop_t * qop_state - ) -{ - krb5_keyblock *key; - OM_uint32 ret; - krb5_keytype keytype; - - if (qop_state != NULL) - *qop_state = GSS_C_QOP_DEFAULT; - ret = gss_krb5_get_remotekey(context_handle, &key); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - return GSS_S_FAILURE; - } - krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype); - - *minor_status = 0; - - switch (keytype) { - case KEYTYPE_DES : - ret = unwrap_des (minor_status, context_handle, - input_message_buffer, output_message_buffer, - conf_state, qop_state, key); - break; - case KEYTYPE_DES3 : - ret = unwrap_des3 (minor_status, context_handle, - input_message_buffer, output_message_buffer, - conf_state, qop_state, key); - break; - case KEYTYPE_ARCFOUR: - ret = _gssapi_unwrap_arcfour (minor_status, context_handle, - input_message_buffer, output_message_buffer, - conf_state, qop_state, key); - break; - default : - *minor_status = KRB5_PROG_ETYPE_NOSUPP; - ret = GSS_S_FAILURE; - break; - } - krb5_free_keyblock (gssapi_krb5_context, key); - return ret; -} diff --git a/crypto/heimdal-0.6.3/lib/gssapi/v1.c b/crypto/heimdal-0.6.3/lib/gssapi/v1.c deleted file mode 100644 index 34091ea715..0000000000 --- a/crypto/heimdal-0.6.3/lib/gssapi/v1.c +++ /dev/null 
@@ -1,104 +0,0 @@
-/*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: v1.c,v 1.2 1999/12/02 17:05:04 joda Exp $");
-
-/* These functions are for V1 compatibility */
-
-OM_uint32 gss_sign
- (OM_uint32 * minor_status,
- gss_ctx_id_t context_handle,
- int qop_req,
- gss_buffer_t message_buffer,
- gss_buffer_t message_token
- )
-{
- return gss_get_mic(minor_status,
- context_handle,
- (gss_qop_t)qop_req,
- message_buffer,
- message_token);
-}
-
-OM_uint32 gss_verify
- (OM_uint32 * minor_status,
- gss_ctx_id_t context_handle,
- gss_buffer_t message_buffer,
- gss_buffer_t token_buffer,
- int * qop_state
- )
-{
- return gss_verify_mic(minor_status,
- context_handle,
- message_buffer,
- token_buffer,
- (gss_qop_t *)qop_state);
-}
-
-OM_uint32 gss_seal
- (OM_uint32 * minor_status,
- gss_ctx_id_t context_handle,
- int conf_req_flag,
- int qop_req,
- gss_buffer_t input_message_buffer,
- int * conf_state,
- gss_buffer_t output_message_buffer
- )
-{
- return gss_wrap(minor_status,
- context_handle,
- conf_req_flag,
- (gss_qop_t)qop_req,
- input_message_buffer,
- conf_state,
- output_message_buffer);
-}
-
-OM_uint32 gss_unseal
- (OM_uint32 * minor_status,
- gss_ctx_id_t context_handle,
- gss_buffer_t input_message_buffer,
- gss_buffer_t output_message_buffer,
- int * conf_state,
- int * qop_state
- )
-{
- return gss_unwrap(minor_status,
- context_handle,
- input_message_buffer,
- output_message_buffer,
- conf_state,
- (gss_qop_t *)qop_state);
-}
diff --git a/crypto/heimdal-0.6.3/lib/gssapi/verify_mic.c b/crypto/heimdal-0.6.3/lib/gssapi/verify_mic.c
deleted file mode 100644
index aef2d07da6..0000000000
--- a/crypto/heimdal-0.6.3/lib/gssapi/verify_mic.c
+++ /dev/null
@@ -1,322 +0,0 @@ -/* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "gssapi_locl.h" - -RCSID("$Id: verify_mic.c,v 1.18.2.4 2003/09/18 22:05:34 lha Exp $"); - -static OM_uint32 -verify_mic_des - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t message_buffer, - const gss_buffer_t token_buffer, - gss_qop_t * qop_state, - krb5_keyblock *key, - char *type - ) -{ - u_char *p; - MD5_CTX md5; - u_char hash[16], seq_data[8]; - des_key_schedule schedule; - des_cblock zero; - des_cblock deskey; - int32_t seq_number; - OM_uint32 ret; - - p = token_buffer->value; - ret = gssapi_krb5_verify_header (&p, - token_buffer->length, - type); - if (ret) - return ret; - - if (memcmp(p, "\x00\x00", 2) != 0) - return GSS_S_BAD_SIG; - p += 2; - if (memcmp (p, "\xff\xff\xff\xff", 4) != 0) - return GSS_S_BAD_MIC; - p += 4; - p += 16; - - /* verify checksum */ - MD5_Init (&md5); - MD5_Update (&md5, p - 24, 8); - MD5_Update (&md5, message_buffer->value, - message_buffer->length); - MD5_Final (hash, &md5); - - memset (&zero, 0, sizeof(zero)); - memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); - - des_set_key (&deskey, schedule); - des_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash), - schedule, &zero); - if (memcmp (p - 8, hash, 8) != 0) { - memset (deskey, 0, sizeof(deskey)); - memset (schedule, 0, sizeof(schedule)); - return GSS_S_BAD_MIC; - } - - /* verify sequence number */ - - krb5_auth_getremoteseqnumber (gssapi_krb5_context, - context_handle->auth_context, - &seq_number); - seq_data[0] = (seq_number >> 0) & 0xFF; - seq_data[1] = (seq_number >> 8) & 0xFF; - seq_data[2] = (seq_number >> 16) & 0xFF; - seq_data[3] = (seq_number >> 24) & 0xFF; - memset (seq_data + 4, - (context_handle->more_flags & LOCAL) ? 
0xFF : 0, - 4); - - p -= 16; - des_set_key (&deskey, schedule); - des_cbc_encrypt ((void *)p, (void *)p, 8, - schedule, (des_cblock *)hash, DES_DECRYPT); - - memset (deskey, 0, sizeof(deskey)); - memset (schedule, 0, sizeof(schedule)); - - if (memcmp (p, seq_data, 8) != 0) { - return GSS_S_BAD_MIC; - } - - krb5_auth_con_setremoteseqnumber (gssapi_krb5_context, - context_handle->auth_context, - ++seq_number); - - return GSS_S_COMPLETE; -} - -static OM_uint32 -verify_mic_des3 - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t message_buffer, - const gss_buffer_t token_buffer, - gss_qop_t * qop_state, - krb5_keyblock *key, - char *type - ) -{ - u_char *p; - u_char seq[8]; - int32_t seq_number; - OM_uint32 ret; - krb5_crypto crypto; - krb5_data seq_data; - int cmp, docompat; - Checksum csum; - char *tmp; - char ivec[8]; - - p = token_buffer->value; - ret = gssapi_krb5_verify_header (&p, - token_buffer->length, - type); - if (ret) - return ret; - - if (memcmp(p, "\x04\x00", 2) != 0) /* SGN_ALG = HMAC SHA1 DES3-KD */ - return GSS_S_BAD_SIG; - p += 2; - if (memcmp (p, "\xff\xff\xff\xff", 4) != 0) - return GSS_S_BAD_MIC; - p += 4; - - ret = krb5_crypto_init(gssapi_krb5_context, key, - ETYPE_DES3_CBC_NONE, &crypto); - if (ret){ - gssapi_krb5_set_error_string (); - *minor_status = ret; - return GSS_S_FAILURE; - } - - /* verify sequence number */ - docompat = 0; -retry: - if (docompat) - memset(ivec, 0, 8); - else - memcpy(ivec, p + 8, 8); - - ret = krb5_decrypt_ivec (gssapi_krb5_context, - crypto, - KRB5_KU_USAGE_SEQ, - p, 8, &seq_data, ivec); - if (ret) { - if (docompat++) { - gssapi_krb5_set_error_string (); - krb5_crypto_destroy (gssapi_krb5_context, crypto); - *minor_status = ret; - return GSS_S_FAILURE; - } else - goto retry; - } - - if (seq_data.length != 8) { - krb5_data_free (&seq_data); - if (docompat++) { - krb5_crypto_destroy (gssapi_krb5_context, crypto); - return GSS_S_BAD_MIC; - } else - goto retry; - } - - 
krb5_auth_getremoteseqnumber (gssapi_krb5_context, - context_handle->auth_context, - &seq_number); - seq[0] = (seq_number >> 0) & 0xFF; - seq[1] = (seq_number >> 8) & 0xFF; - seq[2] = (seq_number >> 16) & 0xFF; - seq[3] = (seq_number >> 24) & 0xFF; - memset (seq + 4, - (context_handle->more_flags & LOCAL) ? 0xFF : 0, - 4); - cmp = memcmp (seq, seq_data.data, seq_data.length); - krb5_data_free (&seq_data); - if (cmp != 0) { - if (docompat++) { - krb5_crypto_destroy (gssapi_krb5_context, crypto); - return GSS_S_BAD_MIC; - } else - goto retry; - } - - /* verify checksum */ - - tmp = malloc (message_buffer->length + 8); - if (tmp == NULL) { - krb5_crypto_destroy (gssapi_krb5_context, crypto); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - memcpy (tmp, p - 8, 8); - memcpy (tmp + 8, message_buffer->value, message_buffer->length); - - csum.cksumtype = CKSUMTYPE_HMAC_SHA1_DES3; - csum.checksum.length = 20; - csum.checksum.data = p + 8; - - ret = krb5_verify_checksum (gssapi_krb5_context, crypto, - KRB5_KU_USAGE_SIGN, - tmp, message_buffer->length + 8, - &csum); - free (tmp); - if (ret) { - gssapi_krb5_set_error_string (); - krb5_crypto_destroy (gssapi_krb5_context, crypto); - *minor_status = ret; - return GSS_S_BAD_MIC; - } - - krb5_auth_con_setremoteseqnumber (gssapi_krb5_context, - context_handle->auth_context, - ++seq_number); - - krb5_crypto_destroy (gssapi_krb5_context, crypto); - return GSS_S_COMPLETE; -} - -OM_uint32 -gss_verify_mic_internal - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t message_buffer, - const gss_buffer_t token_buffer, - gss_qop_t * qop_state, - char * type - ) -{ - krb5_keyblock *key; - OM_uint32 ret; - krb5_keytype keytype; - - ret = gss_krb5_get_remotekey(context_handle, &key); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - return GSS_S_FAILURE; - } - *minor_status = 0; - krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype); - switch (keytype) { - case 
KEYTYPE_DES : - ret = verify_mic_des (minor_status, context_handle, - message_buffer, token_buffer, qop_state, key, - type); - break; - case KEYTYPE_DES3 : - ret = verify_mic_des3 (minor_status, context_handle, - message_buffer, token_buffer, qop_state, key, - type); - break; - case KEYTYPE_ARCFOUR : - ret = _gssapi_verify_mic_arcfour (minor_status, context_handle, - message_buffer, token_buffer, - qop_state, key, type); - break; - default : - *minor_status = KRB5_PROG_ETYPE_NOSUPP; - ret = GSS_S_FAILURE; - break; - } - krb5_free_keyblock (gssapi_krb5_context, key); - - return ret; -} - -OM_uint32 -gss_verify_mic - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t message_buffer, - const gss_buffer_t token_buffer, - gss_qop_t * qop_state - ) -{ - OM_uint32 ret; - - if (qop_state != NULL) - *qop_state = GSS_C_QOP_DEFAULT; - - ret = gss_verify_mic_internal(minor_status, context_handle, - message_buffer, token_buffer, - qop_state, "\x01\x01"); - - return ret; -} diff --git a/crypto/heimdal-0.6.3/lib/gssapi/wrap.c b/crypto/heimdal-0.6.3/lib/gssapi/wrap.c deleted file mode 100644 index a0f9d2ff52..0000000000 --- a/crypto/heimdal-0.6.3/lib/gssapi/wrap.c +++ /dev/null 
@@ -1,454 +0,0 @@ -/* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "gssapi_locl.h" - -RCSID("$Id: wrap.c,v 1.21.2.1 2003/09/18 22:05:45 lha Exp $"); - -OM_uint32 -gss_krb5_get_localkey(const gss_ctx_id_t context_handle, - krb5_keyblock **key) -{ - krb5_keyblock *skey; - - krb5_auth_con_getlocalsubkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - if(skey == NULL) - krb5_auth_con_getremotesubkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - if(skey == NULL) - krb5_auth_con_getkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - if(skey == NULL) - return GSS_S_FAILURE; - *key = skey; - return 0; -} - -static OM_uint32 -sub_wrap_size ( - OM_uint32 req_output_size, - OM_uint32 * max_input_size, - int blocksize, - int extrasize - ) -{ - size_t len, total_len, padlength; - padlength = blocksize - (req_output_size % blocksize); - len = req_output_size + 8 + padlength + extrasize; - gssapi_krb5_encap_length(len, &len, &total_len); - *max_input_size = (OM_uint32)total_len; - return GSS_S_COMPLETE; -} - -OM_uint32 -gss_wrap_size_limit ( - OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - int conf_req_flag, - gss_qop_t qop_req, - OM_uint32 req_output_size, - OM_uint32 * max_input_size - ) -{ - krb5_keyblock *key; - OM_uint32 ret; - krb5_keytype keytype; - - ret = gss_krb5_get_localkey(context_handle, &key); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - return GSS_S_FAILURE; - } - krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype); - - switch (keytype) { - case KEYTYPE_DES : - case KEYTYPE_ARCFOUR: - ret = sub_wrap_size(req_output_size, max_input_size, 8, 22); - break; - case KEYTYPE_DES3 : - ret = sub_wrap_size(req_output_size, max_input_size, 8, 34); - break; - default : - *minor_status = KRB5_PROG_ETYPE_NOSUPP; - ret = GSS_S_FAILURE; - break; - } - krb5_free_keyblock (gssapi_krb5_context, key); - *minor_status = 0; - return ret; -} - -static OM_uint32 -wrap_des - (OM_uint32 * minor_status, - const gss_ctx_id_t 
context_handle, - int conf_req_flag, - gss_qop_t qop_req, - const gss_buffer_t input_message_buffer, - int * conf_state, - gss_buffer_t output_message_buffer, - krb5_keyblock *key - ) -{ - u_char *p; - MD5_CTX md5; - u_char hash[16]; - des_key_schedule schedule; - des_cblock deskey; - des_cblock zero; - int i; - int32_t seq_number; - size_t len, total_len, padlength, datalen; - - padlength = 8 - (input_message_buffer->length % 8); - datalen = input_message_buffer->length + padlength + 8; - len = datalen + 22; - gssapi_krb5_encap_length (len, &len, &total_len); - - output_message_buffer->length = total_len; - output_message_buffer->value = malloc (total_len); - if (output_message_buffer->value == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - p = gssapi_krb5_make_header(output_message_buffer->value, - len, - "\x02\x01"); /* TOK_ID */ - - /* SGN_ALG */ - memcpy (p, "\x00\x00", 2); - p += 2; - /* SEAL_ALG */ - if(conf_req_flag) - memcpy (p, "\x00\x00", 2); - else - memcpy (p, "\xff\xff", 2); - p += 2; - /* Filler */ - memcpy (p, "\xff\xff", 2); - p += 2; - - /* fill in later */ - memset (p, 0, 16); - p += 16; - - /* confounder + data + pad */ - krb5_generate_random_block(p, 8); - memcpy (p + 8, input_message_buffer->value, - input_message_buffer->length); - memset (p + 8 + input_message_buffer->length, padlength, padlength); - - /* checksum */ - MD5_Init (&md5); - MD5_Update (&md5, p - 24, 8); - MD5_Update (&md5, p, datalen); - MD5_Final (hash, &md5); - - memset (&zero, 0, sizeof(zero)); - memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); - des_set_key (&deskey, schedule); - des_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash), - schedule, &zero); - memcpy (p - 8, hash, 8); - - /* sequence number */ - krb5_auth_con_getlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - &seq_number); - - p -= 16; - p[0] = (seq_number >> 0) & 0xFF; - p[1] = (seq_number >> 8) & 0xFF; - p[2] = (seq_number >> 16) & 0xFF; - p[3] = (seq_number >> 
24) & 0xFF; - memset (p + 4, - (context_handle->more_flags & LOCAL) ? 0 : 0xFF, - 4); - - des_set_key (&deskey, schedule); - des_cbc_encrypt ((void *)p, (void *)p, 8, - schedule, (des_cblock *)(p + 8), DES_ENCRYPT); - - krb5_auth_con_setlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - ++seq_number); - - /* encrypt the data */ - p += 16; - - if(conf_req_flag) { - memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); - - for (i = 0; i < sizeof(deskey); ++i) - deskey[i] ^= 0xf0; - des_set_key (&deskey, schedule); - memset (&zero, 0, sizeof(zero)); - des_cbc_encrypt ((void *)p, - (void *)p, - datalen, - schedule, - &zero, - DES_ENCRYPT); - - memset (deskey, 0, sizeof(deskey)); - memset (schedule, 0, sizeof(schedule)); - } - if(conf_state != NULL) - *conf_state = conf_req_flag; - *minor_status = 0; - return GSS_S_COMPLETE; -} - -static OM_uint32 -wrap_des3 - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - int conf_req_flag, - gss_qop_t qop_req, - const gss_buffer_t input_message_buffer, - int * conf_state, - gss_buffer_t output_message_buffer, - krb5_keyblock *key - ) -{ - u_char *p; - u_char seq[8]; - int32_t seq_number; - size_t len, total_len, padlength, datalen; - u_int32_t ret; - krb5_crypto crypto; - Checksum cksum; - krb5_data encdata; - - padlength = 8 - (input_message_buffer->length % 8); - datalen = input_message_buffer->length + padlength + 8; - len = datalen + 34; - gssapi_krb5_encap_length (len, &len, &total_len); - - output_message_buffer->length = total_len; - output_message_buffer->value = malloc (total_len); - if (output_message_buffer->value == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - p = gssapi_krb5_make_header(output_message_buffer->value, - len, - "\x02\x01"); /* TOK_ID */ - - /* SGN_ALG */ - memcpy (p, "\x04\x00", 2); /* HMAC SHA1 DES3-KD */ - p += 2; - /* SEAL_ALG */ - if(conf_req_flag) - memcpy (p, "\x02\x00", 2); /* DES3-KD */ - else - memcpy (p, "\xff\xff", 2); - p += 2; - /* 
Filler */ - memcpy (p, "\xff\xff", 2); - p += 2; - - /* calculate checksum (the above + confounder + data + pad) */ - - memcpy (p + 20, p - 8, 8); - krb5_generate_random_block(p + 28, 8); - memcpy (p + 28 + 8, input_message_buffer->value, - input_message_buffer->length); - memset (p + 28 + 8 + input_message_buffer->length, padlength, padlength); - - ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto); - if (ret) { - gssapi_krb5_set_error_string (); - free (output_message_buffer->value); - *minor_status = ret; - return GSS_S_FAILURE; - } - - ret = krb5_create_checksum (gssapi_krb5_context, - crypto, - KRB5_KU_USAGE_SIGN, - 0, - p + 20, - datalen + 8, - &cksum); - krb5_crypto_destroy (gssapi_krb5_context, crypto); - if (ret) { - gssapi_krb5_set_error_string (); - free (output_message_buffer->value); - *minor_status = ret; - return GSS_S_FAILURE; - } - - /* zero out SND_SEQ + SGN_CKSUM in case */ - memset (p, 0, 28); - - memcpy (p + 8, cksum.checksum.data, cksum.checksum.length); - free_Checksum (&cksum); - - /* sequence number */ - krb5_auth_con_getlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - &seq_number); - - seq[0] = (seq_number >> 0) & 0xFF; - seq[1] = (seq_number >> 8) & 0xFF; - seq[2] = (seq_number >> 16) & 0xFF; - seq[3] = (seq_number >> 24) & 0xFF; - memset (seq + 4, - (context_handle->more_flags & LOCAL) ? 
0 : 0xFF, - 4); - - - ret = krb5_crypto_init(gssapi_krb5_context, key, ETYPE_DES3_CBC_NONE, - &crypto); - if (ret) { - free (output_message_buffer->value); - *minor_status = ret; - return GSS_S_FAILURE; - } - - { - des_cblock ivec; - - memcpy (&ivec, p + 8, 8); - ret = krb5_encrypt_ivec (gssapi_krb5_context, - crypto, - KRB5_KU_USAGE_SEQ, - seq, 8, &encdata, - &ivec); - } - krb5_crypto_destroy (gssapi_krb5_context, crypto); - if (ret) { - gssapi_krb5_set_error_string (); - free (output_message_buffer->value); - *minor_status = ret; - return GSS_S_FAILURE; - } - - assert (encdata.length == 8); - - memcpy (p, encdata.data, encdata.length); - krb5_data_free (&encdata); - - krb5_auth_con_setlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - ++seq_number); - - /* encrypt the data */ - p += 28; - - if(conf_req_flag) { - krb5_data tmp; - - ret = krb5_crypto_init(gssapi_krb5_context, key, - ETYPE_DES3_CBC_NONE, &crypto); - if (ret) { - gssapi_krb5_set_error_string (); - free (output_message_buffer->value); - *minor_status = ret; - return GSS_S_FAILURE; - } - ret = krb5_encrypt(gssapi_krb5_context, crypto, KRB5_KU_USAGE_SEAL, - p, datalen, &tmp); - krb5_crypto_destroy(gssapi_krb5_context, crypto); - if (ret) { - gssapi_krb5_set_error_string (); - free (output_message_buffer->value); - *minor_status = ret; - return GSS_S_FAILURE; - } - assert (tmp.length == datalen); - - memcpy (p, tmp.data, datalen); - krb5_data_free(&tmp); - } - if(conf_state != NULL) - *conf_state = conf_req_flag; - *minor_status = 0; - return GSS_S_COMPLETE; -} - -OM_uint32 gss_wrap - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - int conf_req_flag, - gss_qop_t qop_req, - const gss_buffer_t input_message_buffer, - int * conf_state, - gss_buffer_t output_message_buffer - ) -{ - krb5_keyblock *key; - OM_uint32 ret; - krb5_keytype keytype; - - ret = gss_krb5_get_localkey(context_handle, &key); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - 
return GSS_S_FAILURE; - } - krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype); - - switch (keytype) { - case KEYTYPE_DES : - ret = wrap_des (minor_status, context_handle, conf_req_flag, - qop_req, input_message_buffer, conf_state, - output_message_buffer, key); - break; - case KEYTYPE_DES3 : - ret = wrap_des3 (minor_status, context_handle, conf_req_flag, - qop_req, input_message_buffer, conf_state, - output_message_buffer, key); - break; - case KEYTYPE_ARCFOUR: - ret = _gssapi_wrap_arcfour (minor_status, context_handle, conf_req_flag, - qop_req, input_message_buffer, conf_state, - output_message_buffer, key); - break; - default : - *minor_status = KRB5_PROG_ETYPE_NOSUPP; - ret = GSS_S_FAILURE; - break; - } - krb5_free_keyblock (gssapi_krb5_context, key); - return ret; -} diff --git a/crypto/heimdal-0.6.3/lib/hdb/Makefile.am b/crypto/heimdal-0.6.3/lib/hdb/Makefile.am deleted file mode 100644 index 952944bda3..0000000000 --- a/crypto/heimdal-0.6.3/lib/hdb/Makefile.am +++ /dev/null 
@@ -1,62 +0,0 @@ -# $Id: Makefile.am,v 1.53.4.2 2003/10/14 16:13:14 joda Exp $ - -include $(top_srcdir)/Makefile.am.common - -INCLUDES += -I../asn1 -I$(srcdir)/../asn1 $(INCLUDE_des) - -BUILT_SOURCES = asn1_Key.c asn1_Event.c asn1_HDBFlags.c asn1_hdb_entry.c \ - asn1_Salt.c hdb_err.c hdb_err.h asn1_GENERATION.c - -foo = asn1_Key.x asn1_GENERATION.x asn1_Event.x asn1_HDBFlags.x asn1_hdb_entry.x asn1_Salt.x - -CLEANFILES = $(BUILT_SOURCES) $(foo) hdb_asn1.h asn1_files - -noinst_PROGRAMS = convert_db -LDADD = libhdb.la \ - $(LIB_openldap) \ - ../krb5/libkrb5.la \ - ../asn1/libasn1.la \ - $(LIB_des) \ - $(LIB_roken) - -lib_LTLIBRARIES = libhdb.la -libhdb_la_LDFLAGS = -version-info 7:7:0 - -libhdb_la_SOURCES = \ - common.c \ - db.c \ - db3.c \ - hdb-ldap.c \ - hdb.c \ - keytab.c \ - mkey.c \ - ndbm.c \ - print.c \ - $(BUILT_SOURCES) - -INCLUDES += $(INCLUDE_openldap) - -include_HEADERS = hdb.h hdb_err.h hdb_asn1.h hdb-protos.h hdb-private.h - -libhdb_la_LIBADD = ../krb5/libkrb5.la ../asn1/libasn1.la ../roken/libroken.la $(LIB_openldap) $(DBLIB) $(LIB_NDBM) - -$(libhdb_la_OBJECTS): $(srcdir)/hdb-protos.h $(srcdir)/hdb-private.h - -$(srcdir)/hdb-protos.h: - cd $(srcdir); perl ../../cf/make-proto.pl -q -P comment -o hdb-protos.h $(libhdb_la_SOURCES) || rm -f hdb-protos.h - -$(srcdir)/hdb-private.h: - cd $(srcdir); perl ../../cf/make-proto.pl -q -P comment -p hdb-private.h $(libhdb_la_SOURCES) || rm -f hdb-private.h - -$(foo) hdb_asn1.h: asn1_files - -asn1_files: ../asn1/asn1_compile$(EXEEXT) $(srcdir)/hdb.asn1 - ../asn1/asn1_compile$(EXEEXT) $(srcdir)/hdb.asn1 hdb_asn1 - -$(libhdb_la_OBJECTS): hdb_asn1.h hdb_err.h - -$(convert_db_OBJECTS): hdb_asn1.h hdb_err.h - -# to help stupid solaris make - -hdb_err.h: hdb_err.et diff --git a/crypto/heimdal-0.6.3/lib/hdb/Makefile.in b/crypto/heimdal-0.6.3/lib/hdb/Makefile.in deleted file mode 100644 index 28ca7d5f6b..0000000000 --- a/crypto/heimdal-0.6.3/lib/hdb/Makefile.in +++ /dev/null 
@@ -1,850 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.53.4.2 2003/10/14 16:13:14 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - - - -SOURCES = $(libhdb_la_SOURCES) convert_db.c - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../.. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(include_HEADERS) $(srcdir)/Makefile.am \ - $(srcdir)/Makefile.in $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common -noinst_PROGRAMS = convert_db$(EXEEXT) -subdir = lib/hdb -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - 
$(top_srcdir)/cf/krb-struct-spwd.m4 \ - $(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(includedir)" -libLTLIBRARIES_INSTALL = $(INSTALL) -LTLIBRARIES = $(lib_LTLIBRARIES) -am__DEPENDENCIES_1 = -libhdb_la_DEPENDENCIES = ../krb5/libkrb5.la ../asn1/libasn1.la \ - ../roken/libroken.la $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) -am__objects_1 = asn1_Key.lo asn1_Event.lo asn1_HDBFlags.lo \ - asn1_hdb_entry.lo asn1_Salt.lo hdb_err.lo asn1_GENERATION.lo -am_libhdb_la_OBJECTS = common.lo db.lo db3.lo hdb-ldap.lo hdb.lo \ - keytab.lo mkey.lo ndbm.lo print.lo $(am__objects_1) -libhdb_la_OBJECTS = $(am_libhdb_la_OBJECTS) -PROGRAMS = $(noinst_PROGRAMS) -convert_db_SOURCES = convert_db.c -convert_db_OBJECTS = convert_db.$(OBJEXT) -convert_db_LDADD = $(LDADD) -convert_db_DEPENDENCIES = libhdb.la $(am__DEPENDENCIES_1) \ - ../krb5/libkrb5.la ../asn1/libasn1.la $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -SOURCES = $(libhdb_la_SOURCES) convert_db.c -DIST_SOURCES = $(libhdb_la_SOURCES) convert_db.c -includeHEADERS_INSTALL = $(INSTALL_HEADER) -HEADERS = $(include_HEADERS) -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = 
@HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ 
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ 
-do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -I../asn1 -I$(srcdir)/../asn1 $(INCLUDE_des) $(INCLUDE_openldap) -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = 
$(top_builddir)/lib/kdfs/libkdfs.la -BUILT_SOURCES = asn1_Key.c asn1_Event.c asn1_HDBFlags.c asn1_hdb_entry.c \ - asn1_Salt.c hdb_err.c hdb_err.h asn1_GENERATION.c - -foo = asn1_Key.x asn1_GENERATION.x asn1_Event.x asn1_HDBFlags.x asn1_hdb_entry.x asn1_Salt.x -CLEANFILES = $(BUILT_SOURCES) $(foo) hdb_asn1.h asn1_files -LDADD = libhdb.la \ - $(LIB_openldap) \ - ../krb5/libkrb5.la \ - ../asn1/libasn1.la \ - $(LIB_des) \ - $(LIB_roken) - -lib_LTLIBRARIES = libhdb.la -libhdb_la_LDFLAGS = -version-info 7:7:0 -libhdb_la_SOURCES = \ - common.c \ - db.c \ - db3.c \ - hdb-ldap.c \ - hdb.c \ - keytab.c \ - mkey.c \ - ndbm.c \ - print.c \ - $(BUILT_SOURCES) - -include_HEADERS = hdb.h hdb_err.h hdb_asn1.h hdb-protos.h hdb-private.h -libhdb_la_LIBADD = ../krb5/libkrb5.la ../asn1/libasn1.la ../roken/libroken.la $(LIB_openldap) $(DBLIB) $(LIB_NDBM) -all: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps lib/hdb/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps lib/hdb/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' 
in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -install-libLTLIBRARIES: $(lib_LTLIBRARIES) - @$(NORMAL_INSTALL) - test -z "$(libdir)" || $(mkdir_p) "$(DESTDIR)$(libdir)" - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - if test -f $$p; then \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \ - $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \ - else :; fi; \ - done - -uninstall-libLTLIBRARIES: - @$(NORMAL_UNINSTALL) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - p="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \ - $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \ - done - -clean-libLTLIBRARIES: - -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ - test "$$dir" = "$$p" && dir=.; \ - echo "rm -f \"$${dir}/so_locations\""; \ - rm -f "$${dir}/so_locations"; \ - done -libhdb.la: $(libhdb_la_OBJECTS) $(libhdb_la_DEPENDENCIES) - $(LINK) -rpath $(libdir) $(libhdb_la_LDFLAGS) $(libhdb_la_OBJECTS) $(libhdb_la_LIBADD) $(LIBS) - -clean-noinstPROGRAMS: - @list='$(noinst_PROGRAMS)'; for p in 
$$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -convert_db$(EXEEXT): $(convert_db_OBJECTS) $(convert_db_DEPENDENCIES) - @rm -f convert_db$(EXEEXT) - $(LINK) $(convert_db_LDFLAGS) $(convert_db_OBJECTS) $(convert_db_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c $< - -.c.obj: - $(COMPILE) -c `$(CYGPATH_W) '$<'` - -.c.lo: - $(LTCOMPILE) -c -o $@ $< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -install-includeHEADERS: $(include_HEADERS) - @$(NORMAL_INSTALL) - test -z "$(includedir)" || $(mkdir_p) "$(DESTDIR)$(includedir)" - @list='$(include_HEADERS)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \ - $(includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \ - done - -uninstall-includeHEADERS: - @$(NORMAL_UNINSTALL) - @list='$(include_HEADERS)'; for p in $$list; do \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " rm -f '$(DESTDIR)$(includedir)/$$f'"; \ - rm -f "$(DESTDIR)$(includedir)/$$f"; \ - done - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z 
"$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/../.. $(distdir)/../../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) check-am -all-am: 
Makefile $(LTLIBRARIES) $(PROGRAMS) $(HEADERS) all-local -installdirs: - for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(includedir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ - done -install: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." - -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES) -clean: clean-am - -clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ - clean-noinstPROGRAMS mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: install-includeHEADERS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: install-libLTLIBRARIES - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-includeHEADERS 
uninstall-info-am \ - uninstall-libLTLIBRARIES - -.PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \ - clean clean-generic clean-libLTLIBRARIES clean-libtool \ - clean-noinstPROGRAMS ctags distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-exec install-exec-am \ - install-includeHEADERS install-info install-info-am \ - install-libLTLIBRARIES install-man install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags uninstall uninstall-am uninstall-includeHEADERS \ - uninstall-info-am uninstall-libLTLIBRARIES - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All 
$$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) 
$(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -$(libhdb_la_OBJECTS): $(srcdir)/hdb-protos.h $(srcdir)/hdb-private.h - -$(srcdir)/hdb-protos.h: - cd $(srcdir); perl ../../cf/make-proto.pl -q -P comment -o hdb-protos.h $(libhdb_la_SOURCES) || rm -f hdb-protos.h - -$(srcdir)/hdb-private.h: - cd $(srcdir); perl ../../cf/make-proto.pl -q -P comment -p hdb-private.h $(libhdb_la_SOURCES) || rm -f hdb-private.h - -$(foo) hdb_asn1.h: asn1_files - -asn1_files: ../asn1/asn1_compile$(EXEEXT) $(srcdir)/hdb.asn1 - ../asn1/asn1_compile$(EXEEXT) $(srcdir)/hdb.asn1 hdb_asn1 - -$(libhdb_la_OBJECTS): hdb_asn1.h hdb_err.h - -$(convert_db_OBJECTS): hdb_asn1.h hdb_err.h - -# to help stupid solaris make - -hdb_err.h: hdb_err.et -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal-0.6.3/lib/hdb/common.c b/crypto/heimdal-0.6.3/lib/hdb/common.c deleted file mode 100644 index 6f0e73071c..0000000000 --- a/crypto/heimdal-0.6.3/lib/hdb/common.c +++ /dev/null 
@@ -1,143 +0,0 @@
-/*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "hdb_locl.h"
-
-RCSID("$Id: common.c,v 1.12 2003/01/14 06:54:32 lha Exp $");
-
-int
-hdb_principal2key(krb5_context context, krb5_principal p, krb5_data *key)
-{
- Principal new;
- size_t len;
- int ret;
-
- ret = copy_Principal(p, &new);
- if(ret)
- return ret;
- new.name.name_type = 0;
-
- ASN1_MALLOC_ENCODE(Principal, key->data, key->length, &new, &len, ret);
- free_Principal(&new);
- return ret;
-}
-
-int
-hdb_key2principal(krb5_context context, krb5_data *key, krb5_principal p)
-{
- return decode_Principal(key->data, key->length, p, NULL);
-}
-
-int
-hdb_entry2value(krb5_context context, hdb_entry *ent, krb5_data *value)
-{
- size_t len;
- int ret;
-
- ASN1_MALLOC_ENCODE(hdb_entry, value->data, value->length, ent, &len, ret);
- return ret;
-}
-
-int
-hdb_value2entry(krb5_context context, krb5_data *value, hdb_entry *ent)
-{
- return decode_hdb_entry(value->data, value->length, ent, NULL);
-}
-
-krb5_error_code
-_hdb_fetch(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
-{
- krb5_data key, value;
- int code;
-
- hdb_principal2key(context, entry->principal, &key);
- code = db->_get(context, db, key, &value);
- krb5_data_free(&key);
- if(code)
- return code;
- code = hdb_value2entry(context, &value, entry);
- krb5_data_free(&value);
- if (code)
- return code;
- if (db->master_key_set && (flags & HDB_F_DECRYPT)) {
- code = hdb_unseal_keys (context, db, entry);
- if (code)
- hdb_free_entry(context, entry);
- }
- return code;
-}
-
-krb5_error_code
-_hdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
-{
- krb5_data key, value;
- int code;
-
- if(entry->generation == NULL) {
- struct timeval t;
- entry->generation = malloc(sizeof(*entry->generation));
- if(entry->generation == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
- gettimeofday(&t, NULL);
- entry->generation->time = t.tv_sec;
- entry->generation->usec = t.tv_usec;
- entry->generation->gen = 0;
- } else
- entry->generation->gen++;
- hdb_principal2key(context, entry->principal, &key);
- code = hdb_seal_keys(context, db, entry);
- if (code) {
- krb5_data_free(&key);
- return code;
- }
- hdb_entry2value(context, entry, &value);
- code = db->_put(context, db, flags & HDB_F_REPLACE, key, value);
- krb5_data_free(&value);
- krb5_data_free(&key);
- return code;
-}
-
-krb5_error_code
-_hdb_remove(krb5_context context, HDB *db, hdb_entry *entry)
-{
- krb5_data key;
- int code;
-
- hdb_principal2key(context, entry->principal, &key);
- code = db->_del(context, db, key);
- krb5_data_free(&key);
- return code;
-}
-
diff --git a/crypto/heimdal-0.6.3/lib/hdb/convert_db.c b/crypto/heimdal-0.6.3/lib/hdb/convert_db.c
deleted file mode 100644
index 0b300a55fc..0000000000
--- a/crypto/heimdal-0.6.3/lib/hdb/convert_db.c
+++ /dev/null
@@ -1,213 +0,0 @@
-/*
- * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of KTH nor the names of its contributors may be
- * used to endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
- * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
- * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
- * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
-
-/* Converts a database from version 0.0* to 0.1. This is done by
- * making three copies of each DES key (DES-CBC-CRC, DES-CBC-MD4, and
- * DES-CBC-MD5).
- *
- * Use with care.
- */
-
-#include "hdb_locl.h"
-#include
-#include
-
-RCSID("$Id: convert_db.c,v 1.12 2001/02/20 01:44:53 assar Exp $");
-
-static krb5_error_code
-update_keytypes(krb5_context context, HDB *db, hdb_entry *entry, void *data)
-{
- int i;
- int n = 0;
- Key *k;
- int save_len;
- Key *save_val;
- HDB *new = data;
- krb5_error_code ret;
-
- for(i = 0; i < entry->keys.len; i++)
- if(entry->keys.val[i].key.keytype == KEYTYPE_DES)
- n += 2;
- else if(entry->keys.val[i].key.keytype == KEYTYPE_DES3)
- n += 1;
- k = malloc(sizeof(*k) * (entry->keys.len + n));
- n = 0;
- for(i = 0; i < entry->keys.len; i++) {
- copy_Key(&entry->keys.val[i], &k[n]);
- if(entry->keys.val[i].key.keytype == KEYTYPE_DES) {
- copy_Key(&entry->keys.val[i], &k[n+1]);
- k[n+1].key.keytype = ETYPE_DES_CBC_MD4;
- copy_Key(&entry->keys.val[i], &k[n+2]);
- k[n+2].key.keytype = ETYPE_DES_CBC_MD5;
- n += 2;
- }
- else if(entry->keys.val[i].key.keytype == KEYTYPE_DES3) {
- copy_Key(&entry->keys.val[i], &k[n+1]);
- k[n+1].key.keytype = ETYPE_DES3_CBC_MD5;
- n += 1;
- }
- n++;
- }
- save_len = entry->keys.len;
- save_val = entry->keys.val;
- entry->keys.len = n;
- entry->keys.val = k;
- ret = new->store(context, new, HDB_F_REPLACE, entry);
- entry->keys.len = save_len;
- entry->keys.val = save_val;
- for(i = 0; i < n; i++)
- free_Key(&k[i]);
- free(k);
- return 0;
-}
-
-static krb5_error_code
-update_version2(krb5_context context, HDB *db, hdb_entry *entry, void *data)
-{
- HDB *new = data;
- if(!db->master_key_set) {
- int i;
- for(i = 0; i < entry->keys.len; i++) {
- free(entry->keys.val[i].mkvno);
- entry->keys.val[i].mkvno = NULL;
- }
- }
- new->store(context, new, HDB_F_REPLACE, entry);
- return 0;
-}
-
-char *old_database = HDB_DEFAULT_DB;
-char *new_database = HDB_DEFAULT_DB ".new";
-char *mkeyfile;
-int update_version;
-int help_flag;
-int version_flag;
-
-struct getargs args[] = {
- { "old-database", 0, arg_string, &old_database,
- "name of database to convert", "file" },
- { "new-database", 0, arg_string, &new_database,
- "name of converted database", "file" },
- { "master-key", 0, arg_string, &mkeyfile,
- "v5 master key file", "file" },
- { "update-version", 0, arg_flag, &update_version,
- "update the database to the current version" },
- { "help", 'h', arg_flag, &help_flag },
- { "version", 0, arg_flag, &version_flag }
-};
-
-static int num_args = sizeof(args) / sizeof(args[0]);
-
-int
-main(int argc, char **argv)
-{
- krb5_error_code ret;
- krb5_context context;
- HDB *db, *new;
- int optind = 0;
- int master_key_set = 0;
-
- setprogname(argv[0]);
-
- if(getarg(args, num_args, argc, argv, &optind))
- krb5_std_usage(1, args, num_args);
-
- if(help_flag)
- krb5_std_usage(0, args, num_args);
-
- if(version_flag){
- print_version(NULL);
- exit(0);
- }
-
- ret = krb5_init_context(&context);
- if(ret != 0)
- errx(1, "krb5_init_context failed: %d", ret);
-
- ret = hdb_create(context, &db, old_database);
- if(ret != 0)
- krb5_err(context, 1, ret, "hdb_create");
-
- ret = hdb_set_master_keyfile(context, db, mkeyfile);
- if (ret)
- krb5_err(context, 1, ret, "hdb_set_master_keyfile");
- master_key_set = 1;
- ret = hdb_create(context, &new, new_database);
- if(ret != 0)
- krb5_err(context, 1, ret, "hdb_create");
- if (master_key_set) {
- ret = hdb_set_master_keyfile(context, new, mkeyfile);
- if (ret)
- krb5_err(context, 1, ret, "hdb_set_master_keyfile");
- }
- ret = db->open(context, db, O_RDONLY, 0);
- if(ret == HDB_ERR_BADVERSION) {
- krb5_data tag;
- krb5_data version;
- int foo;
- unsigned ver;
- tag.data = HDB_DB_FORMAT_ENTRY;
- tag.length = strlen(tag.data);
- ret = (*db->_get)(context, db, tag, &version);
- if(ret)
- krb5_errx(context, 1, "database is wrong version, "
- "but couldn't find version key (%s)",
- HDB_DB_FORMAT_ENTRY);
- foo = sscanf(version.data, "%u", &ver);
- krb5_data_free (&version);
- if(foo != 1)
- krb5_errx(context, 1, "database version is not a number");
- if(ver == 1 && HDB_DB_FORMAT == 2) {
- krb5_warnx(context, "will upgrade database from version %d to %d",
- ver, HDB_DB_FORMAT);
- krb5_warnx(context, "rerun to do other conversions");
- update_version = 1;
- } else
- krb5_errx(context, 1,
- "don't know how to upgrade from version %d to %d",
- ver, HDB_DB_FORMAT);
- } else if(ret)
- krb5_err(context, 1, ret, "%s", old_database);
- ret = new->open(context, new, O_CREAT|O_EXCL|O_RDWR, 0600);
- if(ret)
- krb5_err(context, 1, ret, "%s", new_database);
- if(update_version)
- ret = hdb_foreach(context, db, 0, update_version2, new);
- else
- ret = hdb_foreach(context, db, 0, update_keytypes, new);
- if(ret != 0)
- krb5_err(context, 1, ret, "hdb_foreach");
- db->close(context, db);
- new->close(context, new);
- krb5_warnx(context, "wrote converted database to `%s'", new_database);
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/lib/hdb/db.c b/crypto/heimdal-0.6.3/lib/hdb/db.c
deleted file mode 100644
index 4dfbc66b8d..0000000000
--- a/crypto/heimdal-0.6.3/lib/hdb/db.c
+++ /dev/null
@@ -1,299 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "hdb_locl.h"
-
-RCSID("$Id: db.c,v 1.30 2001/08/09 08:41:48 assar Exp $");
-
-#if HAVE_DB1
-
-#if defined(HAVE_DB_185_H)
-#include
-#elif defined(HAVE_DB_H)
-#include
-#endif
-
-static krb5_error_code
-DB_close(krb5_context context, HDB *db)
-{
- DB *d = (DB*)db->db;
- d->close(d);
- return 0;
-}
-
-static krb5_error_code
-DB_destroy(krb5_context context, HDB *db)
-{
- krb5_error_code ret;
-
- ret = hdb_clear_master_key (context, db);
- free(db->name);
- free(db);
- return ret;
-}
-
-static krb5_error_code
-DB_lock(krb5_context context, HDB *db, int operation)
-{
- DB *d = (DB*)db->db;
- int fd = (*d->fd)(d);
- if(fd < 0)
- return HDB_ERR_CANT_LOCK_DB;
- return hdb_lock(fd, operation);
-}
-
-static krb5_error_code
-DB_unlock(krb5_context context, HDB *db)
-{
- DB *d = (DB*)db->db;
- int fd = (*d->fd)(d);
- if(fd < 0)
- return HDB_ERR_CANT_LOCK_DB;
- return hdb_unlock(fd);
-}
-
-
-static krb5_error_code
-DB_seq(krb5_context context, HDB *db,
- unsigned flags, hdb_entry *entry, int flag)
-{
- DB *d = (DB*)db->db;
- DBT key, value;
- krb5_data key_data, data;
- int code;
-
- code = db->lock(context, db, HDB_RLOCK);
- if(code == -1)
- return HDB_ERR_DB_INUSE;
- code = d->seq(d, &key, &value, flag);
- db->unlock(context, db); /* XXX check value */
- if(code == -1)
- return errno;
- if(code == 1)
- return HDB_ERR_NOENTRY;
-
- key_data.data = key.data;
- key_data.length = key.size;
- data.data = value.data;
- data.length = value.size;
- if (hdb_value2entry(context, &data, entry))
- return DB_seq(context, db, flags, entry, R_NEXT);
- if (db->master_key_set && (flags & HDB_F_DECRYPT)) {
- code = hdb_unseal_keys (context, db, entry);
- if (code)
- hdb_free_entry (context, entry);
- }
- if (code == 0 && entry->principal == NULL) {
- entry->principal = malloc(sizeof(*entry->principal));
- if (entry->principal == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- code = ENOMEM;
- hdb_free_entry (context, entry);
- } else {
-
hdb_key2principal(context, &key_data, entry->principal);
- }
- }
- return code;
-}
-
-
-static krb5_error_code
-DB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
-{
- return DB_seq(context, db, flags, entry, R_FIRST);
-}
-
-
-static krb5_error_code
-DB_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
-{
- return DB_seq(context, db, flags, entry, R_NEXT);
-}
-
-static krb5_error_code
-DB_rename(krb5_context context, HDB *db, const char *new_name)
-{
- int ret;
- char *old, *new;
-
- asprintf(&old, "%s.db", db->name);
- asprintf(&new, "%s.db", new_name);
- ret = rename(old, new);
- free(old);
- free(new);
- if(ret)
- return errno;
-
- free(db->name);
- db->name = strdup(new_name);
- return 0;
-}
-
-static krb5_error_code
-DB__get(krb5_context context, HDB *db, krb5_data key, krb5_data *reply)
-{
- DB *d = (DB*)db->db;
- DBT k, v;
- int code;
-
- k.data = key.data;
- k.size = key.length;
- code = db->lock(context, db, HDB_RLOCK);
- if(code)
- return code;
- code = d->get(d, &k, &v, 0);
- db->unlock(context, db);
- if(code < 0)
- return errno;
- if(code == 1)
- return HDB_ERR_NOENTRY;
-
- krb5_data_copy(reply, v.data, v.size);
- return 0;
-}
-
-static krb5_error_code
-DB__put(krb5_context context, HDB *db, int replace,
- krb5_data key, krb5_data value)
-{
- DB *d = (DB*)db->db;
- DBT k, v;
- int code;
-
- k.data = key.data;
- k.size = key.length;
- v.data = value.data;
- v.size = value.length;
- code = db->lock(context, db, HDB_WLOCK);
- if(code)
- return code;
- code = d->put(d, &k, &v, replace ?
0 : R_NOOVERWRITE);
- db->unlock(context, db);
- if(code < 0)
- return errno;
- if(code == 1)
- return HDB_ERR_EXISTS;
- return 0;
-}
-
-static krb5_error_code
-DB__del(krb5_context context, HDB *db, krb5_data key)
-{
- DB *d = (DB*)db->db;
- DBT k;
- krb5_error_code code;
- k.data = key.data;
- k.size = key.length;
- code = db->lock(context, db, HDB_WLOCK);
- if(code)
- return code;
- code = d->del(d, &k, 0);
- db->unlock(context, db);
- if(code == 1)
- return HDB_ERR_NOENTRY;
- if(code < 0)
- return errno;
- return 0;
-}
-
-static krb5_error_code
-DB_open(krb5_context context, HDB *db, int flags, mode_t mode)
-{
- char *fn;
- krb5_error_code ret;
-
- asprintf(&fn, "%s.db", db->name);
- if (fn == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
- db->db = dbopen(fn, flags, mode, DB_BTREE, NULL);
- free(fn);
- /* try to open without .db extension */
- if(db->db == NULL && errno == ENOENT)
- db->db = dbopen(db->name, flags, mode, DB_BTREE, NULL);
- if(db->db == NULL) {
- ret = errno;
- krb5_set_error_string(context, "dbopen (%s): %s",
- db->name, strerror(ret));
- return ret;
- }
- if((flags & O_ACCMODE) == O_RDONLY)
- ret = hdb_check_db_format(context, db);
- else
- ret = hdb_init_db(context, db);
- if(ret == HDB_ERR_NOENTRY) {
- krb5_clear_error_string(context);
- return 0;
- }
- return ret;
-}
-
-krb5_error_code
-hdb_db_create(krb5_context context, HDB **db,
- const char *filename)
-{
- *db = malloc(sizeof(**db));
- if (*db == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
-
- (*db)->db = NULL;
- (*db)->name = strdup(filename);
- if ((*db)->name == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- free(*db);
- *db = NULL;
- return ENOMEM;
- }
- (*db)->master_key_set = 0;
- (*db)->openp = 0;
- (*db)->open = DB_open;
- (*db)->close = DB_close;
- (*db)->fetch = _hdb_fetch;
- (*db)->store = _hdb_store;
- (*db)->remove = _hdb_remove;
- (*db)->firstkey = DB_firstkey;
-
(*db)->nextkey= DB_nextkey;
- (*db)->lock = DB_lock;
- (*db)->unlock = DB_unlock;
- (*db)->rename = DB_rename;
- (*db)->_get = DB__get;
- (*db)->_put = DB__put;
- (*db)->_del = DB__del;
- (*db)->destroy = DB_destroy;
- return 0;
-}
-
-#endif /* HAVE_DB1 */
diff --git a/crypto/heimdal-0.6.3/lib/hdb/db3.c b/crypto/heimdal-0.6.3/lib/hdb/db3.c
deleted file mode 100644
index 8ae35350c6..0000000000
--- a/crypto/heimdal-0.6.3/lib/hdb/db3.c
+++ /dev/null
@@ -1,341 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "hdb_locl.h"
-
-RCSID("$Id: db3.c,v 1.8.6.1 2003/08/29 16:59:39 lha Exp $");
-
-#if HAVE_DB3
-
-#ifdef HAVE_DB4_DB_H
-#include
-#elif defined(HAVE_DB3_DB_H)
-#include
-#else
-#include
-#endif
-
-static krb5_error_code
-DB_close(krb5_context context, HDB *db)
-{
- DB *d = (DB*)db->db;
- DBC *dbcp = (DBC*)db->dbc;
-
- dbcp->c_close(dbcp);
- db->dbc = 0;
- d->close(d, 0);
- return 0;
-}
-
-static krb5_error_code
-DB_destroy(krb5_context context, HDB *db)
-{
- krb5_error_code ret;
-
- ret = hdb_clear_master_key (context, db);
- free(db->name);
- free(db);
- return ret;
-}
-
-static krb5_error_code
-DB_lock(krb5_context context, HDB *db, int operation)
-{
- DB *d = (DB*)db->db;
- int fd;
- if ((*d->fd)(d, &fd))
- return HDB_ERR_CANT_LOCK_DB;
- return hdb_lock(fd, operation);
-}
-
-static krb5_error_code
-DB_unlock(krb5_context context, HDB *db)
-{
- DB *d = (DB*)db->db;
- int fd;
- if ((*d->fd)(d, &fd))
- return HDB_ERR_CANT_LOCK_DB;
- return hdb_unlock(fd);
-}
-
-
-static krb5_error_code
-DB_seq(krb5_context context, HDB *db,
- unsigned flags, hdb_entry *entry, int flag)
-{
- DBT key, value;
- DBC *dbcp = db->dbc;
- krb5_data key_data, data;
- int code;
-
- memset(&key, 0, sizeof(DBT));
- memset(&value, 0, sizeof(DBT));
- if (db->lock(context, db, HDB_RLOCK))
- return HDB_ERR_DB_INUSE;
- code = dbcp->c_get(dbcp, &key, &value, flag);
- db->unlock(context, db); /* XXX check value */
- if (code == DB_NOTFOUND)
- return HDB_ERR_NOENTRY;
- if (code)
- return code;
-
- key_data.data = key.data;
- key_data.length = key.size;
- data.data = value.data;
- data.length = value.size;
- if (hdb_value2entry(context, &data, entry))
- return DB_seq(context, db, flags, entry, DB_NEXT);
- if (db->master_key_set && (flags & HDB_F_DECRYPT)) {
- code = hdb_unseal_keys (context, db, entry);
- if (code)
- hdb_free_entry (context, entry);
- }
- if (entry->principal == NULL) {
- entry->principal = malloc(sizeof(*entry->principal));
- if (entry->principal == NULL) {
-
hdb_free_entry (context, entry);
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- } else {
- hdb_key2principal(context, &key_data, entry->principal);
- }
- }
- return 0;
-}
-
-
-static krb5_error_code
-DB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
-{
- return DB_seq(context, db, flags, entry, DB_FIRST);
-}
-
-
-static krb5_error_code
-DB_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
-{
- return DB_seq(context, db, flags, entry, DB_NEXT);
-}
-
-static krb5_error_code
-DB_rename(krb5_context context, HDB *db, const char *new_name)
-{
- int ret;
- char *old, *new;
-
- asprintf(&old, "%s.db", db->name);
- asprintf(&new, "%s.db", new_name);
- ret = rename(old, new);
- free(old);
- free(new);
- if(ret)
- return errno;
-
- free(db->name);
- db->name = strdup(new_name);
- return 0;
-}
-
-static krb5_error_code
-DB__get(krb5_context context, HDB *db, krb5_data key, krb5_data *reply)
-{
- DB *d = (DB*)db->db;
- DBT k, v;
- int code;
-
- memset(&k, 0, sizeof(DBT));
- memset(&v, 0, sizeof(DBT));
- k.data = key.data;
- k.size = key.length;
- k.flags = 0;
- if ((code = db->lock(context, db, HDB_RLOCK)))
- return code;
- code = d->get(d, NULL, &k, &v, 0);
- db->unlock(context, db);
- if(code == DB_NOTFOUND)
- return HDB_ERR_NOENTRY;
- if(code)
- return code;
-
- krb5_data_copy(reply, v.data, v.size);
- return 0;
-}
-
-static krb5_error_code
-DB__put(krb5_context context, HDB *db, int replace,
- krb5_data key, krb5_data value)
-{
- DB *d = (DB*)db->db;
- DBT k, v;
- int code;
-
- memset(&k, 0, sizeof(DBT));
- memset(&v, 0, sizeof(DBT));
- k.data = key.data;
- k.size = key.length;
- k.flags = 0;
- v.data = value.data;
- v.size = value.length;
- v.flags = 0;
- if ((code = db->lock(context, db, HDB_WLOCK)))
- return code;
- code = d->put(d, NULL, &k, &v, replace ?
0 : DB_NOOVERWRITE);
- db->unlock(context, db);
- if(code == DB_KEYEXIST)
- return HDB_ERR_EXISTS;
- if(code)
- return errno;
- return 0;
-}
-
-static krb5_error_code
-DB__del(krb5_context context, HDB *db, krb5_data key)
-{
- DB *d = (DB*)db->db;
- DBT k;
- krb5_error_code code;
- memset(&k, 0, sizeof(DBT));
- k.data = key.data;
- k.size = key.length;
- k.flags = 0;
- code = db->lock(context, db, HDB_WLOCK);
- if(code)
- return code;
- code = d->del(d, NULL, &k, 0);
- db->unlock(context, db);
- if(code == DB_NOTFOUND)
- return HDB_ERR_NOENTRY;
- if(code)
- return code;
- return 0;
-}
-
-static krb5_error_code
-DB_open(krb5_context context, HDB *db, int flags, mode_t mode)
-{
- char *fn;
- krb5_error_code ret;
- DB *d;
- int myflags = 0;
-
- if (flags & O_CREAT)
- myflags |= DB_CREATE;
-
- if (flags & O_EXCL)
- myflags |= DB_EXCL;
-
- if (flags & O_RDONLY)
- myflags |= DB_RDONLY;
-
- if (flags & O_TRUNC)
- myflags |= DB_TRUNCATE;
-
- asprintf(&fn, "%s.db", db->name);
- if (fn == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
- db_create(&d, NULL, 0);
- db->db = d;
-#if (DB_VERSION_MAJOR > 3) && (DB_VERSION_MINOR > 0)
- if ((ret = d->open(db->db, NULL, fn, NULL, DB_BTREE, myflags, mode))) {
-#else
- if ((ret = d->open(db->db, fn, NULL, DB_BTREE, myflags, mode))) {
-#endif
- if(ret == ENOENT)
- /* try to open without .db extension */
-#if (DB_VERSION_MAJOR > 3) && (DB_VERSION_MINOR > 0)
- if (d->open(db->db, NULL, db->name, NULL, DB_BTREE, myflags, mode)) {
-#else
- if (d->open(db->db, db->name, NULL, DB_BTREE, myflags, mode)) {
-#endif
- free(fn);
- krb5_set_error_string(context, "opening %s: %s",
- db->name, strerror(ret));
- return ret;
- }
- }
- free(fn);
-
- ret = d->cursor(d, NULL, (DBC **)&db->dbc, 0);
- if (ret) {
- krb5_set_error_string(context, "d->cursor: %s", strerror(ret));
- return ret;
- }
-
- if((flags & O_ACCMODE) == O_RDONLY)
- ret = hdb_check_db_format(context, db);
- else
- ret = hdb_init_db(context, db);
-
if(ret == HDB_ERR_NOENTRY)
- return 0;
- return ret;
-}
-
-krb5_error_code
-hdb_db_create(krb5_context context, HDB **db,
- const char *filename)
-{
- *db = malloc(sizeof(**db));
- if (*db == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
-
- (*db)->db = NULL;
- (*db)->name = strdup(filename);
- if ((*db)->name == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- free(*db);
- *db = NULL;
- return ENOMEM;
- }
- (*db)->master_key_set = 0;
- (*db)->openp = 0;
- (*db)->open = DB_open;
- (*db)->close = DB_close;
- (*db)->fetch = _hdb_fetch;
- (*db)->store = _hdb_store;
- (*db)->remove = _hdb_remove;
- (*db)->firstkey = DB_firstkey;
- (*db)->nextkey= DB_nextkey;
- (*db)->lock = DB_lock;
- (*db)->unlock = DB_unlock;
- (*db)->rename = DB_rename;
- (*db)->_get = DB__get;
- (*db)->_put = DB__put;
- (*db)->_del = DB__del;
- (*db)->destroy = DB_destroy;
- return 0;
-}
-#endif /* HAVE_DB3 */
diff --git a/crypto/heimdal-0.6.3/lib/hdb/hdb-ldap.c b/crypto/heimdal-0.6.3/lib/hdb/hdb-ldap.c
deleted file mode 100644
index aed29b3caa..0000000000
--- a/crypto/heimdal-0.6.3/lib/hdb/hdb-ldap.c
+++ /dev/null
@@ -1,1324 +0,0 @@
-/*
- * Copyright (c) 1999-2001, PADL Software Pty Ltd.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of PADL Software nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "hdb_locl.h"
-
-RCSID("$Id: hdb-ldap.c,v 1.10.4.1 2003/09/18 20:49:09 lha Exp $");
-
-#ifdef OPENLDAP
-
-#include
-#include
-#include
-#include
-
-static krb5_error_code LDAP__connect(krb5_context context, HDB * db);
-
-static krb5_error_code
-LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
- hdb_entry * ent);
-
-static char *krb5kdcentry_attrs[] =
- { "krb5PrincipalName", "cn", "krb5PrincipalRealm",
- "krb5KeyVersionNumber", "krb5Key",
- "krb5ValidStart", "krb5ValidEnd", "krb5PasswordEnd",
- "krb5MaxLife", "krb5MaxRenew", "krb5KDCFlags", "krb5EncryptionType",
- "modifiersName", "modifyTimestamp", "creatorsName", "createTimestamp",
- NULL
-};
-
-static char *krb5principal_attrs[] =
- { "krb5PrincipalName", "cn", "krb5PrincipalRealm",
- "modifiersName", "modifyTimestamp", "creatorsName", "createTimestamp",
- NULL
-};
-
-static krb5_error_code
-LDAP__setmod(LDAPMod *** modlist, int modop, const char *attribute,
- int *pIndex)
-{
- int cMods;
-
- if (*modlist == NULL) {
- *modlist = (LDAPMod **)ber_memcalloc(1, sizeof(LDAPMod *));
- if (*modlist == NULL) {
- return ENOMEM;
- }
- }
-
- for (cMods = 0; (*modlist)[cMods] != NULL; cMods++) {
- if ((*modlist)[cMods]->mod_op == modop &&
- strcasecmp((*modlist)[cMods]->mod_type, attribute) == 0) {
- break;
- }
- }
-
- *pIndex = cMods;
-
- if ((*modlist)[cMods] == NULL) {
- LDAPMod *mod;
-
- *modlist = (LDAPMod **)ber_memrealloc(*modlist,
- (cMods + 2) * sizeof(LDAPMod *));
- if (*modlist == NULL) {
- return ENOMEM;
- }
- (*modlist)[cMods] = (LDAPMod *)ber_memalloc(sizeof(LDAPMod));
- if ((*modlist)[cMods] == NULL) {
- return ENOMEM;
- }
-
- mod = (*modlist)[cMods];
- mod->mod_op = modop;
- mod->mod_type = ber_strdup(attribute);
- if (mod->mod_type == NULL) {
- ber_memfree(mod);
- (*modlist)[cMods] = NULL;
- return ENOMEM;
- }
-
- if (modop & LDAP_MOD_BVALUES) {
- mod->mod_bvalues = NULL;
- } else {
- mod->mod_values = NULL;
- }
-
- (*modlist)[cMods + 1] = NULL;
- }
-
- return 0;
-}
-
-static krb5_error_code
-LDAP_addmod_len(LDAPMod *** modlist, int modop, const char *attribute,
- unsigned char *value, size_t len)
-{
- int cMods, cValues = 0;
- krb5_error_code ret;
-
- ret = LDAP__setmod(modlist, modop | LDAP_MOD_BVALUES, attribute, &cMods);
- if (ret != 0) {
- return ret;
- }
-
- if (value != NULL) {
- struct berval *bValue;
- struct berval ***pbValues = &((*modlist)[cMods]->mod_bvalues);
-
- if (*pbValues != NULL) {
- for (cValues = 0; (*pbValues)[cValues] != NULL; cValues++)
- ;
- *pbValues = (struct berval **)ber_memrealloc(*pbValues, (cValues + 2)
- * sizeof(struct berval *));
- } else {
- *pbValues = (struct berval **)ber_memalloc(2 * sizeof(struct berval *));
- }
- if (*pbValues == NULL) {
- return ENOMEM;
- }
- (*pbValues)[cValues] = (struct berval *)ber_memalloc(sizeof(struct berval));;
- if ((*pbValues)[cValues] == NULL) {
- return ENOMEM;
- }
-
- bValue = (*pbValues)[cValues];
- bValue->bv_val = value;
- bValue->bv_len = len;
-
- (*pbValues)[cValues + 1] = NULL;
- }
-
- return 0;
-}
-
-static krb5_error_code
-LDAP_addmod(LDAPMod *** modlist, int modop, const char *attribute,
- const char *value)
-{
- int cMods, cValues = 0;
- krb5_error_code ret;
-
- ret = LDAP__setmod(modlist, modop, attribute, &cMods);
- if (ret != 0) {
- return ret;
- }
-
- if (value != NULL) {
- char ***pValues = &((*modlist)[cMods]->mod_values);
-
- if (*pValues != NULL) {
- for (cValues = 0; (*pValues)[cValues] != NULL; cValues++)
- ;
- *pValues = (char **)ber_memrealloc(*pValues, (cValues + 2) * sizeof(char *));
- } else {
- *pValues = (char **)ber_memalloc(2 * sizeof(char *));
- }
- if (*pValues == NULL) {
- return ENOMEM;
- }
- (*pValues)[cValues] = ber_strdup(value);
- if ((*pValues)[cValues] == NULL) {
- return ENOMEM;
- }
- (*pValues)[cValues + 1] = NULL;
- }
-
- return 0;
-}
-
-static krb5_error_code
-LDAP_addmod_generalized_time(LDAPMod *** mods, int modop,
- const char *attribute, KerberosTime * time)
-{
- char buf[22];
- struct tm *tm;
-
- /* XXX not
threadsafe */
- tm = gmtime(time);
- strftime(buf, sizeof(buf), "%Y%m%d%H%M%SZ", tm);
-
- return LDAP_addmod(mods, modop, attribute, buf);
-}
-
-static krb5_error_code
-LDAP_get_string_value(HDB * db, LDAPMessage * entry,
- const char *attribute, char **ptr)
-{
- char **vals;
- int ret;
-
- vals = ldap_get_values((LDAP *) db->db, entry, (char *) attribute);
- if (vals == NULL) {
- return HDB_ERR_NOENTRY;
- }
- *ptr = strdup(vals[0]);
- if (*ptr == NULL) {
- ret = ENOMEM;
- } else {
- ret = 0;
- }
-
- ldap_value_free(vals);
-
- return ret;
-}
-
-static krb5_error_code
-LDAP_get_integer_value(HDB * db, LDAPMessage * entry,
- const char *attribute, int *ptr)
-{
- char **vals;
-
- vals = ldap_get_values((LDAP *) db->db, entry, (char *) attribute);
- if (vals == NULL) {
- return HDB_ERR_NOENTRY;
- }
- *ptr = atoi(vals[0]);
- ldap_value_free(vals);
- return 0;
-}
-
-static krb5_error_code
-LDAP_get_generalized_time_value(HDB * db, LDAPMessage * entry,
- const char *attribute, KerberosTime * kt)
-{
- char *tmp, *gentime;
- struct tm tm;
- int ret;
-
- *kt = 0;
-
- ret = LDAP_get_string_value(db, entry, attribute, &gentime);
- if (ret != 0) {
- return ret;
- }
-
- tmp = strptime(gentime, "%Y%m%d%H%M%SZ", &tm);
- if (tmp == NULL) {
- free(gentime);
- return HDB_ERR_NOENTRY;
- }
-
- free(gentime);
-
- *kt = timegm(&tm);
-
- return 0;
-}
-
-static krb5_error_code
-LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry * ent,
- LDAPMessage * msg, LDAPMod *** pmods)
-{
- krb5_error_code ret;
- krb5_boolean is_new_entry;
- int rc, i;
- char *tmp = NULL;
- LDAPMod **mods = NULL;
- hdb_entry orig;
- unsigned long oflags, nflags;
-
- if (msg != NULL) {
- ret = LDAP_message2entry(context, db, msg, &orig);
- if (ret != 0) {
- goto out;
- }
- is_new_entry = FALSE;
- } else {
- /* to make it perfectly obvious we're depending on
- * orig being intiialized to zero */
- memset(&orig, 0, sizeof(orig));
- is_new_entry = TRUE;
- }
-
- if (is_new_entry) {
- ret = LDAP_addmod(&mods,
LDAP_MOD_ADD, "objectClass", "top");
- if (ret != 0) {
- goto out;
- }
- /* person is the structural object class */
- ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", "person");
- if (ret != 0) {
- goto out;
- }
- ret =
- LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass",
- "krb5Principal");
- if (ret != 0) {
- goto out;
- }
- ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass",
- "krb5KDCEntry");
- if (ret != 0) {
- goto out;
- }
- }
-
- if (is_new_entry ||
- krb5_principal_compare(context, ent->principal, orig.principal) ==
- FALSE) {
- ret = krb5_unparse_name(context, ent->principal, &tmp);
- if (ret != 0) {
- goto out;
- }
- ret =
- LDAP_addmod(&mods, LDAP_MOD_REPLACE, "krb5PrincipalName", tmp);
- if (ret != 0) {
- free(tmp);
- goto out;
- }
- free(tmp);
- }
-
- if (ent->kvno != orig.kvno) {
- rc = asprintf(&tmp, "%d", ent->kvno);
- if (rc < 0) {
- krb5_set_error_string(context, "asprintf: out of memory");
- ret = ENOMEM;
- goto out;
- }
- ret =
- LDAP_addmod(&mods, LDAP_MOD_REPLACE, "krb5KeyVersionNumber",
- tmp);
- free(tmp);
- if (ret != 0) {
- goto out;
- }
- }
-
- if (ent->valid_start) {
- if (orig.valid_end == NULL
- || (*(ent->valid_start) != *(orig.valid_start))) {
- ret =
- LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
- "krb5ValidStart",
- ent->valid_start);
- if (ret != 0) {
- goto out;
- }
- }
- }
-
- if (ent->valid_end) {
- if (orig.valid_end == NULL
- || (*(ent->valid_end) != *(orig.valid_end))) {
- ret =
- LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
- "krb5ValidEnd",
- ent->valid_end);
- if (ret != 0) {
- goto out;
- }
- }
- }
-
- if (ent->pw_end) {
- if (orig.pw_end == NULL || (*(ent->pw_end) != *(orig.pw_end))) {
- ret =
- LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
- "krb5PasswordEnd",
- ent->pw_end);
- if (ret != 0) {
- goto out;
- }
- }
- }
-
- if (ent->max_life) {
- if (orig.max_life == NULL
- || (*(ent->max_life) != *(orig.max_life))) {
- rc = asprintf(&tmp, "%d", *(ent->max_life));
- if (rc < 0) {
-
krb5_set_error_string(context, "asprintf: out of memory");
- ret = ENOMEM;
- goto out;
- }
- ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE, "krb5MaxLife", tmp);
- free(tmp);
- if (ret != 0) {
- goto out;
- }
- }
- }
-
- if (ent->max_renew) {
- if (orig.max_renew == NULL
- || (*(ent->max_renew) != *(orig.max_renew))) {
- rc = asprintf(&tmp, "%d", *(ent->max_renew));
- if (rc < 0) {
- krb5_set_error_string(context, "asprintf: out of memory");
- ret = ENOMEM;
- goto out;
- }
- ret =
- LDAP_addmod(&mods, LDAP_MOD_REPLACE, "krb5MaxRenew", tmp);
- free(tmp);
- if (ret != 0) {
- goto out;
- }
- }
- }
-
- oflags = HDBFlags2int(orig.flags);
- nflags = HDBFlags2int(ent->flags);
-
- if (oflags != nflags) {
- rc = asprintf(&tmp, "%lu", nflags);
- if (rc < 0) {
- krb5_set_error_string(context, "asprintf: out of memory");
- ret = ENOMEM;
- goto out;
- }
- ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE, "krb5KDCFlags", tmp);
- free(tmp);
- if (ret != 0) {
- goto out;
- }
- }
-
- if (is_new_entry == FALSE && orig.keys.len > 0) {
- /* for the moment, clobber and replace keys. */
- ret = LDAP_addmod(&mods, LDAP_MOD_DELETE, "krb5Key", NULL);
- if (ret != 0) {
- goto out;
- }
- }
-
- for (i = 0; i < ent->keys.len; i++) {
- unsigned char *buf;
- size_t len;
-
- ASN1_MALLOC_ENCODE(Key, buf, len, &ent->keys.val[i], &len, ret);
- if (ret != 0)
- goto out;
-
- /* addmod_len _owns_ the key, doesn't need to copy it */
- ret = LDAP_addmod_len(&mods, LDAP_MOD_ADD, "krb5Key", buf, len);
- if (ret != 0) {
- goto out;
- }
- }
-
- if (ent->etypes) {
- /* clobber and replace encryption types.
*/
- if (is_new_entry == FALSE) {
- ret =
- LDAP_addmod(&mods, LDAP_MOD_DELETE, "krb5EncryptionType",
- NULL);
- }
- for (i = 0; i < ent->etypes->len; i++) {
- rc = asprintf(&tmp, "%d", ent->etypes->val[i]);
- if (rc < 0) {
- krb5_set_error_string(context, "asprintf: out of memory");
- ret = ENOMEM;
- goto out;
- }
- free(tmp);
- ret =
- LDAP_addmod(&mods, LDAP_MOD_ADD, "krb5EncryptionType",
- tmp);
- if (ret != 0) {
- goto out;
- }
- }
- }
-
- /* for clarity */
- ret = 0;
-
- out:
-
- if (ret == 0) {
- *pmods = mods;
- } else if (mods != NULL) {
- ldap_mods_free(mods, 1);
- *pmods = NULL;
- }
-
- if (msg != NULL) {
- hdb_free_entry(context, &orig);
- }
-
- return ret;
-}
-
-static krb5_error_code
-LDAP_dn2principal(krb5_context context, HDB * db, const char *dn,
- krb5_principal * principal)
-{
- krb5_error_code ret;
- int rc, limit = 1;
- char **values;
- LDAPMessage *res = NULL, *e;
-
- rc = ldap_set_option((LDAP *) db->db, LDAP_OPT_SIZELIMIT, (const void *)&limit);
- if (rc != LDAP_SUCCESS) {
- krb5_set_error_string(context, "ldap_set_option: %s", ldap_err2string(rc));
- ret = HDB_ERR_BADVERSION;
- goto out;
- }
-
- rc = ldap_search_s((LDAP *) db->db, dn, LDAP_SCOPE_BASE,
- "(objectclass=krb5Principal)", krb5principal_attrs,
- 0, &res);
- if (rc != LDAP_SUCCESS) {
- krb5_set_error_string(context, "ldap_search_s: %s", ldap_err2string(rc));
- ret = HDB_ERR_NOENTRY;
- goto out;
- }
-
- e = ldap_first_entry((LDAP *) db->db, res);
- if (e == NULL) {
- ret = HDB_ERR_NOENTRY;
- goto out;
- }
-
- values = ldap_get_values((LDAP *) db->db, e, "krb5PrincipalName");
- if (values == NULL) {
- ret = HDB_ERR_NOENTRY;
- goto out;
- }
-
- ret = krb5_parse_name(context, values[0], principal);
- ldap_value_free(values);
-
- out:
- if (res != NULL) {
- ldap_msgfree(res);
- }
- return ret;
-}
-
-static krb5_error_code
-LDAP__lookup_princ(krb5_context context, HDB * db, const char *princname,
- LDAPMessage ** msg)
-{
- krb5_error_code ret;
- int rc, limit = 1;
- char *filter = NULL;
-
- (void) LDAP__connect(context, db);
-
- rc =
- asprintf(&filter,
- "(&(objectclass=krb5KDCEntry)(krb5PrincipalName=%s))",
- princname);
- if (rc < 0) {
- krb5_set_error_string(context, "asprintf: out of memory");
- ret = ENOMEM;
- goto out;
- }
-
- rc = ldap_set_option((LDAP *) db->db, LDAP_OPT_SIZELIMIT, (const void *)&limit);
- if (rc != LDAP_SUCCESS) {
- krb5_set_error_string(context, "ldap_set_option: %s", ldap_err2string(rc));
- ret = HDB_ERR_BADVERSION;
- goto out;
- }
-
- rc = ldap_search_s((LDAP *) db->db, db->name, LDAP_SCOPE_ONELEVEL, filter,
- krb5kdcentry_attrs, 0, msg);
- if (rc != LDAP_SUCCESS) {
- krb5_set_error_string(context, "ldap_search_s: %s", ldap_err2string(rc));
- ret = HDB_ERR_NOENTRY;
- goto out;
- }
-
- ret = 0;
-
- out:
- if (filter != NULL) {
- free(filter);
- }
- return ret;
-}
-
-static krb5_error_code
-LDAP_principal2message(krb5_context context, HDB * db,
- krb5_principal princ, LDAPMessage ** msg)
-{
- char *princname = NULL;
- krb5_error_code ret;
-
- ret = krb5_unparse_name(context, princ, &princname);
- if (ret != 0) {
- return ret;
- }
-
- ret = LDAP__lookup_princ(context, db, princname, msg);
- free(princname);
-
- return ret;
-}
-
-/*
- * Construct an hdb_entry from a directory entry.
- */
-static krb5_error_code
-LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
- hdb_entry * ent)
-{
- char *unparsed_name = NULL, *dn = NULL;
- int ret;
- unsigned long tmp;
- struct berval **keys;
- char **values;
-
- memset(ent, 0, sizeof(*ent));
- ent->flags = int2HDBFlags(0);
-
- ret =
- LDAP_get_string_value(db, msg, "krb5PrincipalName",
- &unparsed_name);
- if (ret != 0) {
- return ret;
- }
-
- ret = krb5_parse_name(context, unparsed_name, &ent->principal);
- if (ret != 0) {
- goto out;
- }
-
- ret =
- LDAP_get_integer_value(db, msg, "krb5KeyVersionNumber",
- &ent->kvno);
- if (ret != 0) {
- ent->kvno = 0;
- }
-
- keys = ldap_get_values_len((LDAP *) db->db, msg, "krb5Key");
- if (keys != NULL) {
- int i;
- size_t l;
-
- ent->keys.len = ldap_count_values_len(keys);
- ent->keys.val = (Key *) calloc(ent->keys.len, sizeof(Key));
- if (ent->keys.val == NULL) {
- krb5_set_error_string(context, "calloc: out of memory");
- ret = ENOMEM;
- goto out;
- }
- for (i = 0; i < ent->keys.len; i++) {
- decode_Key((unsigned char *) keys[i]->bv_val,
- (size_t) keys[i]->bv_len, &ent->keys.val[i], &l);
- }
- ber_bvecfree(keys);
- } else {
-#if 1
- /*
- * This violates the ASN1 but it allows a principal to
- * be related to a general directory entry without creating
- * the keys. Hopefully it's OK.
- */ - ent->keys.len = 0; - ent->keys.val = NULL; -#else - ret = HDB_ERR_NOENTRY; - goto out; -#endif - } - - ret = - LDAP_get_generalized_time_value(db, msg, "createTimestamp", - &ent->created_by.time); - if (ret != 0) { - ent->created_by.time = time(NULL); - } - - ent->created_by.principal = NULL; - - ret = LDAP_get_string_value(db, msg, "creatorsName", &dn); - if (ret == 0) { - if (LDAP_dn2principal(context, db, dn, &ent->created_by.principal) - != 0) { - ent->created_by.principal = NULL; - } - free(dn); - } - - ent->modified_by = (Event *) malloc(sizeof(Event)); - if (ent->modified_by == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - ret = ENOMEM; - goto out; - } - ret = - LDAP_get_generalized_time_value(db, msg, "modifyTimestamp", - &ent->modified_by->time); - if (ret == 0) { - ret = LDAP_get_string_value(db, msg, "modifiersName", &dn); - if (LDAP_dn2principal - (context, db, dn, &ent->modified_by->principal) != 0) { - ent->modified_by->principal = NULL; - } - free(dn); - } else { - free(ent->modified_by); - ent->modified_by = NULL; - } - - if ((ent->valid_start = (KerberosTime *) malloc(sizeof(KerberosTime))) - == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - ret = ENOMEM; - goto out; - } - ret = - LDAP_get_generalized_time_value(db, msg, "krb5ValidStart", - ent->valid_start); - if (ret != 0) { - /* OPTIONAL */ - free(ent->valid_start); - ent->valid_start = NULL; - } - - if ((ent->valid_end = (KerberosTime *) malloc(sizeof(KerberosTime))) == - NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - ret = ENOMEM; - goto out; - } - ret = - LDAP_get_generalized_time_value(db, msg, "krb5ValidEnd", - ent->valid_end); - if (ret != 0) { - /* OPTIONAL */ - free(ent->valid_end); - ent->valid_end = NULL; - } - - if ((ent->pw_end = (KerberosTime *) malloc(sizeof(KerberosTime))) == - NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - ret = ENOMEM; - goto out; - } - ret = - 
LDAP_get_generalized_time_value(db, msg, "krb5PasswordEnd", - ent->pw_end); - if (ret != 0) { - /* OPTIONAL */ - free(ent->pw_end); - ent->pw_end = NULL; - } - - ent->max_life = (int *) malloc(sizeof(int)); - if (ent->max_life == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - ret = ENOMEM; - goto out; - } - ret = LDAP_get_integer_value(db, msg, "krb5MaxLife", ent->max_life); - if (ret != 0) { - free(ent->max_life); - ent->max_life = NULL; - } - - ent->max_renew = (int *) malloc(sizeof(int)); - if (ent->max_renew == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - ret = ENOMEM; - goto out; - } - ret = LDAP_get_integer_value(db, msg, "krb5MaxRenew", ent->max_renew); - if (ret != 0) { - free(ent->max_renew); - ent->max_renew = NULL; - } - - values = ldap_get_values((LDAP *) db->db, msg, "krb5KDCFlags"); - if (values != NULL) { - tmp = strtoul(values[0], (char **) NULL, 10); - if (tmp == ULONG_MAX && errno == ERANGE) { - krb5_set_error_string(context, "strtoul: could not convert flag"); - ret = ERANGE; - goto out; - } - } else { - tmp = 0; - } - ent->flags = int2HDBFlags(tmp); - - values = ldap_get_values((LDAP *) db->db, msg, "krb5EncryptionType"); - if (values != NULL) { - int i; - - ent->etypes = malloc(sizeof(*(ent->etypes))); - if (ent->etypes == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - ret = ENOMEM; - goto out; - } - ent->etypes->len = ldap_count_values(values); - ent->etypes->val = calloc(ent->etypes->len, sizeof(int)); - for (i = 0; i < ent->etypes->len; i++) { - ent->etypes->val[i] = atoi(values[i]); - } - ldap_value_free(values); - } - - ret = 0; - - out: - if (unparsed_name != NULL) { - free(unparsed_name); - } - - if (ret != 0) { - /* I don't think this frees ent itself. 
*/ - hdb_free_entry(context, ent); - } - - return ret; -} - -static krb5_error_code LDAP_close(krb5_context context, HDB * db) -{ - ldap_unbind_ext((LDAP *) db->db, NULL, NULL); - db->db = NULL; - - return 0; -} - -static krb5_error_code -LDAP_lock(krb5_context context, HDB * db, int operation) -{ - return 0; -} - -static krb5_error_code LDAP_unlock(krb5_context context, HDB * db) -{ - return 0; -} - -static krb5_error_code -LDAP_seq(krb5_context context, HDB * db, unsigned flags, hdb_entry * entry) -{ - int msgid, rc, parserc; - krb5_error_code ret; - LDAPMessage *e; - - msgid = db->openp; /* BOGUS OVERLOADING */ - if (msgid < 0) { - return HDB_ERR_NOENTRY; - } - - do { - rc = ldap_result((LDAP *) db->db, msgid, LDAP_MSG_ONE, NULL, &e); - switch (rc) { - case LDAP_RES_SEARCH_ENTRY: - /* We have an entry. Parse it. */ - ret = LDAP_message2entry(context, db, e, entry); - ldap_msgfree(e); - break; - case LDAP_RES_SEARCH_RESULT: - /* We're probably at the end of the results. If not, abandon. */ - parserc = - ldap_parse_result((LDAP *) db->db, e, NULL, NULL, NULL, - NULL, NULL, 1); - if (parserc != LDAP_SUCCESS - && parserc != LDAP_MORE_RESULTS_TO_RETURN) { - krb5_set_error_string(context, "ldap_parse_result: %s", ldap_err2string(parserc)); - ldap_abandon((LDAP *) db->db, msgid); - } - ret = HDB_ERR_NOENTRY; - db->openp = -1; - break; - case 0: - case -1: - default: - /* Some unspecified error (timeout?). Abandon. 
*/ - ldap_msgfree(e); - ldap_abandon((LDAP *) db->db, msgid); - ret = HDB_ERR_NOENTRY; - db->openp = -1; - break; - } - } while (rc == LDAP_RES_SEARCH_REFERENCE); - - if (ret == 0) { - if (db->master_key_set && (flags & HDB_F_DECRYPT)) { - ret = hdb_unseal_keys(context, db, entry); - if (ret) - hdb_free_entry(context,entry); - } - } - - return ret; -} - -static krb5_error_code -LDAP_firstkey(krb5_context context, HDB * db, unsigned flags, - hdb_entry * entry) -{ - int msgid, limit = LDAP_NO_LIMIT, rc; - - (void) LDAP__connect(context, db); - - rc = ldap_set_option((LDAP *) db->db, LDAP_OPT_SIZELIMIT, (const void *)&limit); - if (rc != LDAP_SUCCESS) { - krb5_set_error_string(context, "ldap_set_option: %s", ldap_err2string(rc)); - return HDB_ERR_BADVERSION; - } - - msgid = ldap_search((LDAP *) db->db, db->name, - LDAP_SCOPE_ONELEVEL, "(objectclass=krb5KDCEntry)", - krb5kdcentry_attrs, 0); - if (msgid < 0) { - return HDB_ERR_NOENTRY; - } - - db->openp = msgid; - - return LDAP_seq(context, db, flags, entry); -} - -static krb5_error_code -LDAP_nextkey(krb5_context context, HDB * db, unsigned flags, - hdb_entry * entry) -{ - return LDAP_seq(context, db, flags, entry); -} - -static krb5_error_code -LDAP_rename(krb5_context context, HDB * db, const char *new_name) -{ - return HDB_ERR_DB_INUSE; -} - -static krb5_error_code LDAP__connect(krb5_context context, HDB * db) -{ - int rc, version = LDAP_VERSION3; - /* - * Empty credentials to do a SASL bind with LDAP. Note that empty - * different from NULL credentials. If you provide NULL - * credentials instead of empty credentials you will get a SASL - * bind in progress message. - */ - struct berval bv = { 0, "" }; - - if (db->db != NULL) { - /* connection has been opened. ping server. */ - struct sockaddr_un addr; - socklen_t len; - int sd; - - if (ldap_get_option((LDAP *) db->db, LDAP_OPT_DESC, &sd) == 0 && - getpeername(sd, (struct sockaddr *) &addr, &len) < 0) { - /* the other end has died. reopen. 
*/ - LDAP_close(context, db); - } - } - - if (db->db != NULL) { - /* server is UP */ - return 0; - } - - rc = ldap_initialize((LDAP **) & db->db, "ldapi:///"); - if (rc != LDAP_SUCCESS) { - krb5_set_error_string(context, "ldap_initialize: %s", ldap_err2string(rc)); - return HDB_ERR_NOENTRY; - } - - rc = ldap_set_option((LDAP *) db->db, LDAP_OPT_PROTOCOL_VERSION, (const void *)&version); - if (rc != LDAP_SUCCESS) { - krb5_set_error_string(context, "ldap_set_option: %s", ldap_err2string(rc)); - ldap_unbind_ext((LDAP *) db->db, NULL, NULL); - db->db = NULL; - return HDB_ERR_BADVERSION; - } - - rc = ldap_sasl_bind_s((LDAP *) db->db, NULL, "EXTERNAL", &bv, NULL, NULL, NULL); - if (rc != LDAP_SUCCESS) { - krb5_set_error_string(context, "ldap_sasl_bind_s: %s", ldap_err2string(rc)); - ldap_unbind_ext((LDAP *) db->db, NULL, NULL); - db->db = NULL; - return HDB_ERR_BADVERSION; - } - - return 0; -} - -static krb5_error_code -LDAP_open(krb5_context context, HDB * db, int flags, mode_t mode) -{ - /* Not the right place for this. 
*/ -#ifdef HAVE_SIGACTION - struct sigaction sa; - - sa.sa_flags = 0; - sa.sa_handler = SIG_IGN; - sigemptyset(&sa.sa_mask); - - sigaction(SIGPIPE, &sa, NULL); -#else - signal(SIGPIPE, SIG_IGN); -#endif /* HAVE_SIGACTION */ - - return LDAP__connect(context, db); -} - -static krb5_error_code -LDAP_fetch(krb5_context context, HDB * db, unsigned flags, - hdb_entry * entry) -{ - LDAPMessage *msg, *e; - krb5_error_code ret; - - ret = LDAP_principal2message(context, db, entry->principal, &msg); - if (ret != 0) { - return ret; - } - - e = ldap_first_entry((LDAP *) db->db, msg); - if (e == NULL) { - ret = HDB_ERR_NOENTRY; - goto out; - } - - ret = LDAP_message2entry(context, db, e, entry); - if (ret == 0) { - if (db->master_key_set && (flags & HDB_F_DECRYPT)) { - ret = hdb_unseal_keys(context, db, entry); - if (ret) - hdb_free_entry(context,entry); - } - } - - out: - ldap_msgfree(msg); - - return ret; -} - -static krb5_error_code -LDAP_store(krb5_context context, HDB * db, unsigned flags, - hdb_entry * entry) -{ - LDAPMod **mods = NULL; - krb5_error_code ret; - const char *errfn; - int rc; - LDAPMessage *msg = NULL, *e = NULL; - char *dn = NULL, *name = NULL; - - ret = krb5_unparse_name(context, entry->principal, &name); - if (ret != 0) { - goto out; - } - - ret = LDAP__lookup_princ(context, db, name, &msg); - if (ret == 0) { - e = ldap_first_entry((LDAP *) db->db, msg); - } - - ret = hdb_seal_keys(context, db, entry); - if (ret != 0) { - goto out; - } - - /* turn new entry into LDAPMod array */ - ret = LDAP_entry2mods(context, db, entry, e, &mods); - if (ret != 0) { - goto out; - } - - if (e == NULL) { - /* Doesn't exist yet. */ - char *p; - - e = NULL; - - /* normalize the naming attribute */ - for (p = name; *p != '\0'; p++) { - *p = (char) tolower((int) *p); - } - - /* - * We could do getpwnam() on the local component of - * the principal to find cn/sn but that's probably - * bad thing to do from inside a KDC. Better leave - * it to management tools. 
- */ - ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "cn", name); - if (ret < 0) { - goto out; - } - - ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "sn", name); - if (ret < 0) { - goto out; - } - - if (db->name != NULL) { - ret = asprintf(&dn, "cn=%s,%s", name, db->name); - } else { - /* A bit bogus, but we don't have a search base */ - ret = asprintf(&dn, "cn=%s", name); - } - if (ret < 0) { - krb5_set_error_string(context, "asprintf: out of memory"); - ret = ENOMEM; - goto out; - } - } else if (flags & HDB_F_REPLACE) { - /* Entry exists, and we're allowed to replace it. */ - dn = ldap_get_dn((LDAP *) db->db, e); - } else { - /* Entry exists, but we're not allowed to replace it. Bail. */ - ret = HDB_ERR_EXISTS; - goto out; - } - - /* write entry into directory */ - if (e == NULL) { - /* didn't exist before */ - rc = ldap_add_s((LDAP *) db->db, dn, mods); - errfn = "ldap_add_s"; - } else { - /* already existed, send deltas only */ - rc = ldap_modify_s((LDAP *) db->db, dn, mods); - errfn = "ldap_modify_s"; - } - - if (rc == LDAP_SUCCESS) { - ret = 0; - } else { - krb5_set_error_string(context, "%s: %s (dn=%s) %s", - errfn, name, dn, ldap_err2string(rc)); - ret = HDB_ERR_CANT_LOCK_DB; - } - - out: - /* free stuff */ - if (dn != NULL) { - free(dn); - } - - if (msg != NULL) { - ldap_msgfree(msg); - } - - if (mods != NULL) { - ldap_mods_free(mods, 1); - } - - if (name != NULL) { - free(name); - } - - return ret; -} - -static krb5_error_code -LDAP_remove(krb5_context context, HDB * db, hdb_entry * entry) -{ - krb5_error_code ret; - LDAPMessage *msg, *e; - char *dn = NULL; - int rc, limit = LDAP_NO_LIMIT; - - ret = LDAP_principal2message(context, db, entry->principal, &msg); - if (ret != 0) { - goto out; - } - - e = ldap_first_entry((LDAP *) db->db, msg); - if (e == NULL) { - ret = HDB_ERR_NOENTRY; - goto out; - } - - dn = ldap_get_dn((LDAP *) db->db, e); - if (dn == NULL) { - ret = HDB_ERR_NOENTRY; - goto out; - } - - rc = ldap_set_option((LDAP *) db->db, LDAP_OPT_SIZELIMIT, (const 
void *)&limit); - if (rc != LDAP_SUCCESS) { - krb5_set_error_string(context, "ldap_set_option: %s", ldap_err2string(rc)); - ret = HDB_ERR_BADVERSION; - goto out; - } - - rc = ldap_delete_s((LDAP *) db->db, dn); - if (rc == LDAP_SUCCESS) { - ret = 0; - } else { - krb5_set_error_string(context, "ldap_delete_s: %s", ldap_err2string(rc)); - ret = HDB_ERR_CANT_LOCK_DB; - } - - out: - if (dn != NULL) { - free(dn); - } - - if (msg != NULL) { - ldap_msgfree(msg); - } - - return ret; -} - -static krb5_error_code -LDAP__get(krb5_context context, HDB * db, krb5_data key, krb5_data * reply) -{ - fprintf(stderr, "LDAP__get not implemented\n"); - abort(); - return 0; -} - -static krb5_error_code -LDAP__put(krb5_context context, HDB * db, int replace, - krb5_data key, krb5_data value) -{ - fprintf(stderr, "LDAP__put not implemented\n"); - abort(); - return 0; -} - -static krb5_error_code -LDAP__del(krb5_context context, HDB * db, krb5_data key) -{ - fprintf(stderr, "LDAP__del not implemented\n"); - abort(); - return 0; -} - -static krb5_error_code LDAP_destroy(krb5_context context, HDB * db) -{ - krb5_error_code ret; - - ret = hdb_clear_master_key(context, db); - if (db->name != NULL) { - free(db->name); - } - free(db); - - return ret; -} - -krb5_error_code -hdb_ldap_create(krb5_context context, HDB ** db, const char *arg) -{ - *db = malloc(sizeof(**db)); - if (*db == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - - (*db)->db = NULL; - - if (arg == NULL || arg[0] == '\0') { - /* - * if no argument specified in the configuration file - * then use NULL, which tells OpenLDAP to look in - * the ldap.conf file. This doesn't work for - * writing entries because we don't know where to - * put new principals. 
- */ - (*db)->name = NULL; - } else { - (*db)->name = strdup(arg); - if ((*db)->name == NULL) { - krb5_set_error_string(context, "strdup: out of memory"); - free(*db); - *db = NULL; - return ENOMEM; - } - } - - (*db)->master_key_set = 0; - (*db)->openp = 0; - (*db)->open = LDAP_open; - (*db)->close = LDAP_close; - (*db)->fetch = LDAP_fetch; - (*db)->store = LDAP_store; - (*db)->remove = LDAP_remove; - (*db)->firstkey = LDAP_firstkey; - (*db)->nextkey = LDAP_nextkey; - (*db)->lock = LDAP_lock; - (*db)->unlock = LDAP_unlock; - (*db)->rename = LDAP_rename; - /* can we ditch these? */ - (*db)->_get = LDAP__get; - (*db)->_put = LDAP__put; - (*db)->_del = LDAP__del; - (*db)->destroy = LDAP_destroy; - - return 0; -} - -#endif /* OPENLDAP */ diff --git a/crypto/heimdal-0.6.3/lib/hdb/hdb-private.h b/crypto/heimdal-0.6.3/lib/hdb/hdb-private.h deleted file mode 100644 index a47de70210..0000000000 --- a/crypto/heimdal-0.6.3/lib/hdb/hdb-private.h +++ /dev/null @@ -1,27 +0,0 @@ -/* This is a generated file */ -#ifndef __hdb_private_h__ -#define __hdb_private_h__ - -#include - -krb5_error_code -_hdb_fetch ( - krb5_context /*context*/, - HDB */*db*/, - unsigned /*flags*/, - hdb_entry */*entry*/); - -krb5_error_code -_hdb_remove ( - krb5_context /*context*/, - HDB */*db*/, - hdb_entry */*entry*/); - -krb5_error_code -_hdb_store ( - krb5_context /*context*/, - HDB */*db*/, - unsigned /*flags*/, - hdb_entry */*entry*/); - -#endif /* __hdb_private_h__ */ diff --git a/crypto/heimdal-0.6.3/lib/hdb/hdb-protos.h b/crypto/heimdal-0.6.3/lib/hdb/hdb-protos.h deleted file mode 100644 index ce85fcb056..0000000000 --- a/crypto/heimdal-0.6.3/lib/hdb/hdb-protos.h +++ /dev/null 
@@ -1,188 +0,0 @@ -/* This is a generated file */ -#ifndef __hdb_protos_h__ -#define __hdb_protos_h__ - -#include - -krb5_error_code -hdb_add_master_key ( - krb5_context /*context*/, - krb5_keyblock */*key*/, - hdb_master_key */*inout*/); - -krb5_error_code -hdb_check_db_format ( - krb5_context /*context*/, - HDB */*db*/); - -krb5_error_code -hdb_clear_master_key ( - krb5_context /*context*/, - HDB */*db*/); - -krb5_error_code -hdb_create ( - krb5_context /*context*/, - HDB **/*db*/, - const char */*filename*/); - -krb5_error_code -hdb_db_create ( - krb5_context /*context*/, - HDB **/*db*/, - const char */*filename*/); - -krb5_error_code -hdb_enctype2key ( - krb5_context /*context*/, - hdb_entry */*e*/, - krb5_enctype /*enctype*/, - Key **/*key*/); - -krb5_error_code -hdb_entry2string ( - krb5_context /*context*/, - hdb_entry */*ent*/, - char **/*str*/); - -int -hdb_entry2value ( - krb5_context /*context*/, - hdb_entry */*ent*/, - krb5_data */*value*/); - -krb5_error_code -hdb_foreach ( - krb5_context /*context*/, - HDB */*db*/, - unsigned /*flags*/, - hdb_foreach_func_t /*func*/, - void */*data*/); - -void -hdb_free_entry ( - krb5_context /*context*/, - hdb_entry */*ent*/); - -void -hdb_free_key (Key */*key*/); - -void -hdb_free_master_key ( - krb5_context /*context*/, - hdb_master_key /*mkey*/); - -krb5_error_code -hdb_init_db ( - krb5_context /*context*/, - HDB */*db*/); - -int -hdb_key2principal ( - krb5_context /*context*/, - krb5_data */*key*/, - krb5_principal /*p*/); - -krb5_error_code -hdb_ldap_create ( - krb5_context /*context*/, - HDB ** /*db*/, - const char */*arg*/); - -krb5_error_code -hdb_lock ( - int /*fd*/, - int /*operation*/); - -krb5_error_code -hdb_ndbm_create ( - krb5_context /*context*/, - HDB **/*db*/, - const char */*filename*/); - -krb5_error_code -hdb_next_enctype2key ( - krb5_context /*context*/, - const hdb_entry */*e*/, - krb5_enctype /*enctype*/, - Key **/*key*/); - -int -hdb_principal2key ( - krb5_context /*context*/, - 
krb5_principal /*p*/, - krb5_data */*key*/); - -krb5_error_code -hdb_print_entry ( - krb5_context /*context*/, - HDB */*db*/, - hdb_entry */*entry*/, - void */*data*/); - -krb5_error_code -hdb_process_master_key ( - krb5_context /*context*/, - int /*kvno*/, - krb5_keyblock */*key*/, - krb5_enctype /*etype*/, - hdb_master_key */*mkey*/); - -krb5_error_code -hdb_read_master_key ( - krb5_context /*context*/, - const char */*filename*/, - hdb_master_key */*mkey*/); - -krb5_error_code -hdb_seal_keys ( - krb5_context /*context*/, - HDB */*db*/, - hdb_entry */*ent*/); - -krb5_error_code -hdb_seal_keys_mkey ( - krb5_context /*context*/, - hdb_entry */*ent*/, - hdb_master_key /*mkey*/); - -krb5_error_code -hdb_set_master_key ( - krb5_context /*context*/, - HDB */*db*/, - krb5_keyblock */*key*/); - -krb5_error_code -hdb_set_master_keyfile ( - krb5_context /*context*/, - HDB */*db*/, - const char */*keyfile*/); - -krb5_error_code -hdb_unlock (int /*fd*/); - -krb5_error_code -hdb_unseal_keys ( - krb5_context /*context*/, - HDB */*db*/, - hdb_entry */*ent*/); - -krb5_error_code -hdb_unseal_keys_mkey ( - krb5_context /*context*/, - hdb_entry */*ent*/, - hdb_master_key /*mkey*/); - -int -hdb_value2entry ( - krb5_context /*context*/, - krb5_data */*value*/, - hdb_entry */*ent*/); - -krb5_error_code -hdb_write_master_key ( - krb5_context /*context*/, - const char */*filename*/, - hdb_master_key /*mkey*/); - -#endif /* __hdb_protos_h__ */ diff --git a/crypto/heimdal-0.6.3/lib/hdb/hdb.asn1 b/crypto/heimdal-0.6.3/lib/hdb/hdb.asn1 deleted file mode 100644 index 084d5a1bb2..0000000000 --- a/crypto/heimdal-0.6.3/lib/hdb/hdb.asn1 +++ /dev/null 
@@ -1,70 +0,0 @@ --- $Id: hdb.asn1,v 1.9 2001/06/21 14:54:53 joda Exp $ -HDB DEFINITIONS ::= -BEGIN - -IMPORTS EncryptionKey, KerberosTime, Principal FROM krb5; - -HDB_DB_FORMAT INTEGER ::= 2 -- format of database, - -- update when making changes - --- these must have the same value as the pa-* counterparts -hdb-pw-salt INTEGER ::= 3 -hdb-afs3-salt INTEGER ::= 10 - -Salt ::= SEQUENCE { - type[0] INTEGER, - salt[1] OCTET STRING -} - -Key ::= SEQUENCE { - mkvno[0] INTEGER OPTIONAL, -- master key version number - key[1] EncryptionKey, - salt[2] Salt OPTIONAL -} - -Event ::= SEQUENCE { - time[0] KerberosTime, - principal[1] Principal OPTIONAL -} - -HDBFlags ::= BIT STRING { - initial(0), -- require as-req - forwardable(1), -- may issue forwardable - proxiable(2), -- may issue proxiable - renewable(3), -- may issue renewable - postdate(4), -- may issue postdatable - server(5), -- may be server - client(6), -- may be client - invalid(7), -- entry is invalid - require-preauth(8), -- must use preauth - change-pw(9), -- change password service - require-hwauth(10), -- must use hwauth - ok-as-delegate(11), -- as in TicketFlags - user-to-user(12), -- may use user-to-user auth - immutable(13) -- may not be deleted -} - -GENERATION ::= SEQUENCE { - time[0] KerberosTime, -- timestamp - usec[1] INTEGER, -- microseconds - gen[2] INTEGER -- generation number -} - -hdb_entry ::= SEQUENCE { - principal[0] Principal OPTIONAL, -- this is optional only - -- for compatibility with libkrb5 - kvno[1] INTEGER, - keys[2] SEQUENCE OF Key, - created-by[3] Event, - modified-by[4] Event OPTIONAL, - valid-start[5] KerberosTime OPTIONAL, - valid-end[6] KerberosTime OPTIONAL, - pw-end[7] KerberosTime OPTIONAL, - max-life[8] INTEGER OPTIONAL, - max-renew[9] INTEGER OPTIONAL, - flags[10] HDBFlags, - etypes[11] SEQUENCE OF INTEGER OPTIONAL, - generation[12] GENERATION OPTIONAL -} - -END 
diff --git a/crypto/heimdal-0.6.3/lib/hdb/hdb.c b/crypto/heimdal-0.6.3/lib/hdb/hdb.c
deleted file mode 100644
index 95fde19db7..0000000000
--- a/crypto/heimdal-0.6.3/lib/hdb/hdb.c
+++ /dev/null
@@ -1,240 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "hdb_locl.h"
-
-RCSID("$Id: hdb.c,v 1.44 2001/08/09 08:41:48 assar Exp $");
-
-struct hdb_method {
- const char *prefix;
- krb5_error_code (*create)(krb5_context, HDB **, const char *filename);
-};
-
-static struct hdb_method methods[] = {
-#if HAVE_DB1 || HAVE_DB3
- {"db:", hdb_db_create},
-#endif
-#if HAVE_NDBM
- {"ndbm:", hdb_ndbm_create},
-#endif
-#ifdef OPENLDAP
- {"ldap:", hdb_ldap_create},
-#endif
-#if HAVE_DB1 || HAVE_DB3
- {"", hdb_db_create},
-#elif defined(HAVE_NDBM)
- {"", hdb_ndbm_create},
-#elif defined(OPENLDAP)
- {"", hdb_ldap_create},
-#endif
- {NULL, NULL}
-};
-
-krb5_error_code
-hdb_next_enctype2key(krb5_context context,
- const hdb_entry *e,
- krb5_enctype enctype,
- Key **key)
-{
- Key *k;
-
- for (k = *key ? (*key) + 1 : e->keys.val;
- k < e->keys.val + e->keys.len;
- k++)
- if(k->key.keytype == enctype){
- *key = k;
- return 0;
- }
- return KRB5_PROG_ETYPE_NOSUPP; /* XXX */
-}
-
-krb5_error_code
-hdb_enctype2key(krb5_context context,
- hdb_entry *e,
- krb5_enctype enctype,
- Key **key)
-{
- *key = NULL;
- return hdb_next_enctype2key(context, e, enctype, key);
-}
-
-void
-hdb_free_key(Key *key)
-{
- memset(key->key.keyvalue.data,
- 0,
- key->key.keyvalue.length);
- free_Key(key);
- free(key);
-}
-
-
-krb5_error_code
-hdb_lock(int fd, int operation)
-{
- int i, code = 0;
-
- for(i = 0; i < 3; i++){
- code = flock(fd, (operation == HDB_RLOCK ? LOCK_SH : LOCK_EX) | LOCK_NB);
- if(code == 0 || errno != EWOULDBLOCK)
- break;
- sleep(1);
- }
- if(code == 0)
- return 0;
- if(errno == EWOULDBLOCK)
- return HDB_ERR_DB_INUSE;
- return HDB_ERR_CANT_LOCK_DB;
-}
-
-krb5_error_code
-hdb_unlock(int fd)
-{
- int code;
- code = flock(fd, LOCK_UN);
- if(code)
- return 4711 /* XXX */;
- return 0;
-}
-
-void
-hdb_free_entry(krb5_context context, hdb_entry *ent)
-{
- int i;
-
- for(i = 0; i < ent->keys.len; ++i) {
- Key *k = &ent->keys.val[i];
-
- memset (k->key.keyvalue.data, 0, k->key.keyvalue.length);
- }
- free_hdb_entry(ent);
-}
-
-krb5_error_code
-hdb_foreach(krb5_context context,
- HDB *db,
- unsigned flags,
- hdb_foreach_func_t func,
- void *data)
-{
- krb5_error_code ret;
- hdb_entry entry;
- ret = db->firstkey(context, db, flags, &entry);
- while(ret == 0){
- ret = (*func)(context, db, &entry, data);
- hdb_free_entry(context, &entry);
- if(ret == 0)
- ret = db->nextkey(context, db, flags, &entry);
- }
- if(ret == HDB_ERR_NOENTRY)
- ret = 0;
- return ret;
-}
-
-krb5_error_code
-hdb_check_db_format(krb5_context context, HDB *db)
-{
- krb5_data tag;
- krb5_data version;
- krb5_error_code ret;
- unsigned ver;
- int foo;
-
- tag.data = HDB_DB_FORMAT_ENTRY;
- tag.length = strlen(tag.data);
- ret = (*db->_get)(context, db, tag, &version);
- if(ret)
- return ret;
- foo = sscanf(version.data, "%u", &ver);
- krb5_data_free (&version);
- if (foo != 1)
- return HDB_ERR_BADVERSION;
- if(ver != HDB_DB_FORMAT)
- return HDB_ERR_BADVERSION;
- return 0;
-}
-
-krb5_error_code
-hdb_init_db(krb5_context context, HDB *db)
-{
- krb5_error_code ret;
- krb5_data tag;
- krb5_data version;
- char ver[32];
-
- ret = hdb_check_db_format(context, db);
- if(ret != HDB_ERR_NOENTRY)
- return ret;
-
- tag.data = HDB_DB_FORMAT_ENTRY;
- tag.length = strlen(tag.data);
- snprintf(ver, sizeof(ver), "%u", HDB_DB_FORMAT);
- version.data = ver;
- version.length = strlen(version.data) + 1; /* zero terminated */
- ret = (*db->_put)(context, db, 0, tag, version);
- return ret;
-}
-
-/*
- * find the relevant method for `filename', returning a pointer to the
- * rest in `rest'.
- * return NULL if there's no such method.
- */
-
-static const struct hdb_method *
-find_method (const char *filename, const char **rest)
-{
- const struct hdb_method *h;
-
- for (h = methods; h->prefix != NULL; ++h)
- if (strncmp (filename, h->prefix, strlen(h->prefix)) == 0) {
- *rest = filename + strlen(h->prefix);
- return h;
- }
- return NULL;
-}
-
-krb5_error_code
-hdb_create(krb5_context context, HDB **db, const char *filename)
-{
- const struct hdb_method *h;
- const char *residual;
-
- if(filename == NULL)
- filename = HDB_DEFAULT_DB;
- krb5_add_et_list(context, initialize_hdb_error_table_r);
- h = find_method (filename, &residual);
- if (h == NULL)
- krb5_errx(context, 1, "No database support! (hdb_create)");
- return (*h->create)(context, db, residual);
-}
diff --git a/crypto/heimdal-0.6.3/lib/hdb/hdb.h b/crypto/heimdal-0.6.3/lib/hdb/hdb.h
deleted file mode 100644
index 21d739b98b..0000000000
--- a/crypto/heimdal-0.6.3/lib/hdb/hdb.h
+++ /dev/null
@@ -1,91 +0,0 @@
-/*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: hdb.h,v 1.31 2000/07/08 16:03:37 joda Exp $ */
-
-#ifndef __HDB_H__
-#define __HDB_H__
-
-#include
-
-#include
-
-enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
-
-/* flags for various functions */
-#define HDB_F_DECRYPT 1 /* decrypt keys */
-#define HDB_F_REPLACE 2 /* replace entry */
-
-/* key usage for master key */
-#define HDB_KU_MKEY 0x484442
-
-typedef struct hdb_master_key_data *hdb_master_key;
-
-typedef struct HDB{
- void *db;
- void *dbc;
- char *name;
- int master_key_set;
- hdb_master_key master_key;
- int openp;
-
- krb5_error_code (*open)(krb5_context, struct HDB*, int, mode_t);
- krb5_error_code (*close)(krb5_context, struct HDB*);
- krb5_error_code (*fetch)(krb5_context, struct HDB*, unsigned, hdb_entry*);
- krb5_error_code (*store)(krb5_context, struct HDB*, unsigned, hdb_entry*);
- krb5_error_code (*remove)(krb5_context, struct HDB*, hdb_entry*);
- krb5_error_code (*firstkey)(krb5_context, struct HDB*,
- unsigned, hdb_entry*);
- krb5_error_code (*nextkey)(krb5_context, struct HDB*,
- unsigned, hdb_entry*);
- krb5_error_code (*lock)(krb5_context, struct HDB*, int operation);
- krb5_error_code (*unlock)(krb5_context, struct HDB*);
- krb5_error_code (*rename)(krb5_context, struct HDB*, const char*);
- krb5_error_code (*_get)(krb5_context, struct HDB*, krb5_data, krb5_data*);
- krb5_error_code (*_put)(krb5_context, struct HDB*, int,
- krb5_data, krb5_data);
- krb5_error_code (*_del)(krb5_context, struct HDB*, krb5_data);
- krb5_error_code (*destroy)(krb5_context, struct HDB*);
-}HDB;
-
-#define HDB_DB_DIR "/var/heimdal"
-#define HDB_DEFAULT_DB HDB_DB_DIR "/heimdal"
-#define HDB_DB_FORMAT_ENTRY "hdb/db-format"
-
-typedef krb5_error_code (*hdb_foreach_func_t)(krb5_context, HDB*,
- hdb_entry*, void*);
-extern krb5_kt_ops hdb_kt_ops;
-
-#include
-
-#endif /* __HDB_H__ */
diff --git a/crypto/heimdal-0.6.3/lib/hdb/hdb_err.et b/crypto/heimdal-0.6.3/lib/hdb/hdb_err.et
deleted file mode 100644
index 9929a56311..0000000000
--- a/crypto/heimdal-0.6.3/lib/hdb/hdb_err.et
+++ /dev/null
@@ -1,27 +0,0 @@
-#
-# Error messages for the hdb library
-#
-# This might look like a com_err file, but is not
-#
-id "$Id: hdb_err.et,v 1.5 2001/01/28 23:05:52 assar Exp $"
-
-error_table hdb
-
-prefix HDB_ERR
-
-index 1
-#error_code INUSE, "Entry already exists in database"
-error_code UK_SERROR, "Database store error"
-error_code UK_RERROR, "Database read error"
-error_code NOENTRY, "No such entry in the database"
-error_code DB_INUSE, "Database is locked or in use--try again later"
-error_code DB_CHANGED, "Database was modified during read"
-error_code RECURSIVELOCK, "Attempt to lock database twice"
-error_code NOTLOCKED, "Attempt to unlock database when not locked"
-error_code BADLOCKMODE, "Invalid kdb lock mode"
-error_code CANT_LOCK_DB, "Insufficient access to lock database"
-error_code EXISTS, "Entry already exists in database"
-error_code BADVERSION, "Wrong database version"
-error_code NO_MKEY, "No correct master key"
-
-end
diff --git a/crypto/heimdal-0.6.3/lib/hdb/hdb_locl.h b/crypto/heimdal-0.6.3/lib/hdb/hdb_locl.h
deleted file mode 100644
index 3405fdd085..0000000000
--- a/crypto/heimdal-0.6.3/lib/hdb/hdb_locl.h
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
- * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: hdb_locl.h,v 1.18.4.1 2003/09/10 22:04:39 lha Exp $ */
-
-#ifndef __HDB_LOCL_H__
-#define __HDB_LOCL_H__
-
-#include
-
-#include
-#include
-#include
-#include
-#ifdef HAVE_SYS_TYPES_H
-#include
-#endif
-#ifdef HAVE_UNISTD_H
-#include
-#endif
-#ifdef HAVE_FCNTL_H
-#include
-#endif
-#ifdef HAVE_SYS_FILE_H
-#include
-#endif
-#ifdef HAVE_LIMITS_H
-#include
-#endif
-#include
-
-#include "crypto-headers.h"
-#include
-#include
-#include
-
-#endif /* __HDB_LOCL_H__ */
diff --git a/crypto/heimdal-0.6.3/lib/hdb/keytab.c b/crypto/heimdal-0.6.3/lib/hdb/keytab.c
deleted file mode 100644
index 6ede2b9c1f..0000000000
--- a/crypto/heimdal-0.6.3/lib/hdb/keytab.c
+++ /dev/null
@@ -1,264 +0,0 @@
-/*
- * Copyright (c) 1999 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "hdb_locl.h" - -/* keytab backend for HDB databases */ - -RCSID("$Id: keytab.c,v 1.5 2002/08/26 13:28:11 assar Exp $"); - -struct hdb_data { - char *dbname; - char *mkey; -}; - -/* - * the format for HDB keytabs is: - * HDB:[database:mkey] - */ - -static krb5_error_code -hdb_resolve(krb5_context context, const char *name, krb5_keytab id) -{ - struct hdb_data *d; - const char *db, *mkey; - - d = malloc(sizeof(*d)); - if(d == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - db = name; - mkey = strchr(name, ':'); - if(mkey == NULL || mkey[1] == '\0') { - if(*name == '\0') - d->dbname = NULL; - else { - d->dbname = strdup(name); - if(d->dbname == NULL) { - free(d); - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - } - d->mkey = NULL; - } else { - if((mkey - db) == 0) { - d->dbname = NULL; - } else { - d->dbname = malloc(mkey - db); - if(d->dbname == NULL) { - free(d); - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - memmove(d->dbname, db, mkey - db); - d->dbname[mkey - db] = '\0'; - } - d->mkey = strdup(mkey + 1); - if(d->mkey == NULL) { - free(d->dbname); - free(d); - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - } - id->data = d; - return 0; -} - -static krb5_error_code -hdb_close(krb5_context context, krb5_keytab id) -{ - struct hdb_data *d = id->data; - - free(d->dbname); - free(d->mkey); - free(d); - return 0; -} - -static krb5_error_code -hdb_get_name(krb5_context context, - krb5_keytab id, - char *name, - size_t namesize) -{ - struct hdb_data *d = id->data; - - snprintf(name, namesize, "%s%s%s", - d->dbname ? d->dbname : "", - (d->dbname || d->mkey) ? ":" : "", - d->mkey ? 
d->mkey : ""); - return 0; -} - -static void -set_config (krb5_context context, - krb5_config_binding *binding, - const char **dbname, - const char **mkey) -{ - *dbname = krb5_config_get_string(context, binding, "dbname", NULL); - *mkey = krb5_config_get_string(context, binding, "mkey_file", NULL); -} - -/* - * try to figure out the database (`dbname') and master-key (`mkey') - * that should be used for `principal'. - */ - -static void -find_db (krb5_context context, - const char **dbname, - const char **mkey, - krb5_const_principal principal) -{ - const krb5_config_binding *top_bind = NULL; - krb5_config_binding *default_binding = NULL; - krb5_config_binding *db; - krb5_realm *prealm = krb5_princ_realm(context, (krb5_principal)principal); - - *dbname = *mkey = NULL; - - while ((db = (krb5_config_binding *) - krb5_config_get_next(context, - NULL, - &top_bind, - krb5_config_list, - "kdc", - "database", - NULL)) != NULL) { - const char *p; - - p = krb5_config_get_string (context, db, "realm", NULL); - if (p == NULL) { - if(default_binding) { - krb5_warnx(context, "WARNING: more than one realm-less " - "database specification"); - krb5_warnx(context, "WARNING: using the first encountered"); - } else - default_binding = db; - } else if (strcmp (*prealm, p) == 0) { - set_config (context, db, dbname, mkey); - break; - } - } - if (*dbname == NULL && default_binding != NULL) - set_config (context, default_binding, dbname, mkey); - if (*dbname == NULL) - *dbname = HDB_DEFAULT_DB; -} - -/* - * find the keytab entry in `id' for `principal, kvno, enctype' and return - * it in `entry'. 
return 0 or an error code - */ - -static krb5_error_code -hdb_get_entry(krb5_context context, - krb5_keytab id, - krb5_const_principal principal, - krb5_kvno kvno, - krb5_enctype enctype, - krb5_keytab_entry *entry) -{ - hdb_entry ent; - krb5_error_code ret; - struct hdb_data *d = id->data; - int i; - HDB *db; - const char *dbname = d->dbname; - const char *mkey = d->mkey; - - if (dbname == NULL) - find_db (context, &dbname, &mkey, principal); - - ret = hdb_create (context, &db, dbname); - if (ret) - return ret; - ret = hdb_set_master_keyfile (context, db, mkey); - if (ret) { - (*db->destroy)(context, db); - return ret; - } - - ret = (*db->open)(context, db, O_RDONLY, 0); - if (ret) { - (*db->destroy)(context, db); - return ret; - } - ent.principal = (krb5_principal)principal; - ret = (*db->fetch)(context, db, HDB_F_DECRYPT, &ent); - (*db->close)(context, db); - (*db->destroy)(context, db); - - if(ret == HDB_ERR_NOENTRY) - return KRB5_KT_NOTFOUND; - else if(ret) - return ret; - if(kvno && ent.kvno != kvno) { - hdb_free_entry(context, &ent); - return KRB5_KT_NOTFOUND; - } - if(enctype == 0) - if(ent.keys.len > 0) - enctype = ent.keys.val[0].key.keytype; - ret = KRB5_KT_NOTFOUND; - for(i = 0; i < ent.keys.len; i++) { - if(ent.keys.val[i].key.keytype == enctype) { - krb5_copy_principal(context, principal, &entry->principal); - entry->vno = ent.kvno; - krb5_copy_keyblock_contents(context, - &ent.keys.val[i].key, - &entry->keyblock); - ret = 0; - break; - } - } - hdb_free_entry(context, &ent); - return ret; -} - -krb5_kt_ops hdb_kt_ops = { - "HDB", - hdb_resolve, - hdb_get_name, - hdb_close, - hdb_get_entry, - NULL, /* start_seq_get */ - NULL, /* next_entry */ - NULL, /* end_seq_get */ - NULL, /* add */ - NULL /* remove */ -}; diff --git a/crypto/heimdal-0.6.3/lib/hdb/mkey.c b/crypto/heimdal-0.6.3/lib/hdb/mkey.c deleted file mode 100644 index 92bcd86f3a..0000000000 --- a/crypto/heimdal-0.6.3/lib/hdb/mkey.c +++ /dev/null 
@@ -1,525 +0,0 @@ -/* - * Copyright (c) 2000 - 2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "hdb_locl.h" -#ifndef O_BINARY -#define O_BINARY 0 -#endif - -RCSID("$Id: mkey.c,v 1.15 2003/03/28 02:01:33 lha Exp $"); - -struct hdb_master_key_data { - krb5_keytab_entry keytab; - krb5_crypto crypto; - struct hdb_master_key_data *next; -}; - -void -hdb_free_master_key(krb5_context context, hdb_master_key mkey) -{ - struct hdb_master_key_data *ptr; - while(mkey) { - krb5_kt_free_entry(context, &mkey->keytab); - if (mkey->crypto) - krb5_crypto_destroy(context, mkey->crypto); - ptr = mkey; - mkey = mkey->next; - free(ptr); - } -} - -krb5_error_code -hdb_process_master_key(krb5_context context, - int kvno, krb5_keyblock *key, krb5_enctype etype, - hdb_master_key *mkey) -{ - krb5_error_code ret; - - *mkey = calloc(1, sizeof(**mkey)); - if(*mkey == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - (*mkey)->keytab.vno = kvno; - ret = krb5_parse_name(context, "K/M", &(*mkey)->keytab.principal); - if(ret) - goto fail; - ret = krb5_copy_keyblock_contents(context, key, &(*mkey)->keytab.keyblock); - if(ret) - goto fail; - if(etype != 0) - (*mkey)->keytab.keyblock.keytype = etype; - (*mkey)->keytab.timestamp = time(NULL); - ret = krb5_crypto_init(context, key, etype, &(*mkey)->crypto); - if(ret) - goto fail; - return 0; - fail: - hdb_free_master_key(context, *mkey); - *mkey = NULL; - return ret; -} - -krb5_error_code -hdb_add_master_key(krb5_context context, krb5_keyblock *key, - hdb_master_key *inout) -{ - int vno = 0; - hdb_master_key p; - krb5_error_code ret; - - for(p = *inout; p; p = p->next) - vno = max(vno, p->keytab.vno); - vno++; - ret = hdb_process_master_key(context, vno, key, 0, &p); - if(ret) - return ret; - p->next = *inout; - *inout = p; - return 0; -} - -static krb5_error_code -read_master_keytab(krb5_context context, const char *filename, - hdb_master_key *mkey) -{ - krb5_error_code ret; - krb5_keytab id; - krb5_kt_cursor cursor; - krb5_keytab_entry entry; - hdb_master_key p; - - ret = 
krb5_kt_resolve(context, filename, &id); - if(ret) - return ret; - - ret = krb5_kt_start_seq_get(context, id, &cursor); - if(ret) - goto out; - *mkey = NULL; - while(krb5_kt_next_entry(context, id, &entry, &cursor) == 0) { - p = calloc(1, sizeof(*p)); - p->keytab = entry; - ret = krb5_crypto_init(context, &p->keytab.keyblock, 0, &p->crypto); - p->next = *mkey; - *mkey = p; - } - krb5_kt_end_seq_get(context, id, &cursor); - out: - krb5_kt_close(context, id); - return ret; -} - -/* read a MIT master keyfile */ -static krb5_error_code -read_master_mit(krb5_context context, const char *filename, - hdb_master_key *mkey) -{ - int fd; - krb5_error_code ret; - krb5_storage *sp; - u_int16_t enctype; - krb5_keyblock key; - - fd = open(filename, O_RDONLY | O_BINARY); - if(fd < 0) { - int save_errno = errno; - krb5_set_error_string(context, "failed to open %s: %s", filename, - strerror(save_errno)); - return save_errno; - } - sp = krb5_storage_from_fd(fd); - if(sp == NULL) { - close(fd); - return errno; - } - krb5_storage_set_flags(sp, KRB5_STORAGE_HOST_BYTEORDER); -#if 0 - /* could possibly use ret_keyblock here, but do it with more - checks for now */ - ret = krb5_ret_keyblock(sp, &key); -#else - ret = krb5_ret_int16(sp, &enctype); - if((htons(enctype) & 0xff00) == 0x3000) { - krb5_set_error_string(context, "unknown keytype in %s: %#x, expected %#x", - filename, htons(enctype), 0x3000); - ret = HEIM_ERR_BAD_MKEY; - goto out; - } - key.keytype = enctype; - ret = krb5_ret_data(sp, &key.keyvalue); - if(ret) - goto out; -#endif - ret = hdb_process_master_key(context, 0, &key, 0, mkey); - krb5_free_keyblock_contents(context, &key); - out: - krb5_storage_free(sp); - close(fd); - return ret; -} - -/* read an old master key file */ -static krb5_error_code -read_master_encryptionkey(krb5_context context, const char *filename, - hdb_master_key *mkey) -{ - int fd; - krb5_keyblock key; - krb5_error_code ret; - unsigned char buf[256]; - ssize_t len; - size_t ret_len; - - fd = 
open(filename, O_RDONLY | O_BINARY); - if(fd < 0) { - int save_errno = errno; - krb5_set_error_string(context, "failed to open %s: %s", - filename, strerror(save_errno)); - return save_errno; - } - - len = read(fd, buf, sizeof(buf)); - close(fd); - if(len < 0) { - int save_errno = errno; - krb5_set_error_string(context, "error reading %s: %s", - filename, strerror(save_errno)); - return save_errno; - } - - ret = decode_EncryptionKey(buf, len, &key, &ret_len); - memset(buf, 0, sizeof(buf)); - if(ret) - return ret; - - /* Originally, the keytype was just that, and later it got changed - to des-cbc-md5, but we always used des in cfb64 mode. This - should cover all cases, but will break if someone has hacked - this code to really use des-cbc-md5 -- but then that's not my - problem. */ - if(key.keytype == KEYTYPE_DES || key.keytype == ETYPE_DES_CBC_MD5) - key.keytype = ETYPE_DES_CFB64_NONE; - - ret = hdb_process_master_key(context, 0, &key, 0, mkey); - krb5_free_keyblock_contents(context, &key); - return ret; -} - -/* read a krb4 /.k style file */ -static krb5_error_code -read_master_krb4(krb5_context context, const char *filename, - hdb_master_key *mkey) -{ - int fd; - krb5_keyblock key; - krb5_error_code ret; - unsigned char buf[256]; - ssize_t len; - - fd = open(filename, O_RDONLY | O_BINARY); - if(fd < 0) { - int save_errno = errno; - krb5_set_error_string(context, "failed to open %s: %s", - filename, strerror(save_errno)); - return save_errno; - } - - len = read(fd, buf, sizeof(buf)); - close(fd); - if(len < 0) { - int save_errno = errno; - krb5_set_error_string(context, "error reading %s: %s", - filename, strerror(save_errno)); - return save_errno; - } - if(len != 8) { - krb5_set_error_string(context, "bad contents of %s", filename); - return HEIM_ERR_EOF; /* XXX file might be too large */ - } - - memset(&key, 0, sizeof(key)); - key.keytype = ETYPE_DES_PCBC_NONE; - ret = krb5_data_copy(&key.keyvalue, buf, len); - memset(buf, 0, sizeof(buf)); - if(ret) - return 
ret; - - ret = hdb_process_master_key(context, 0, &key, 0, mkey); - krb5_free_keyblock_contents(context, &key); - return ret; -} - -krb5_error_code -hdb_read_master_key(krb5_context context, const char *filename, - hdb_master_key *mkey) -{ - FILE *f; - unsigned char buf[16]; - krb5_error_code ret; - - off_t len; - - *mkey = NULL; - - if(filename == NULL) - filename = HDB_DB_DIR "/m-key"; - - f = fopen(filename, "r"); - if(f == NULL) { - int save_errno = errno; - krb5_set_error_string(context, "failed to open %s: %s", - filename, strerror(save_errno)); - return save_errno; - } - - if(fread(buf, 1, 2, f) != 2) { - krb5_set_error_string(context, "end of file reading %s", filename); - fclose(f); - return HEIM_ERR_EOF; - } - - fseek(f, 0, SEEK_END); - len = ftell(f); - - if(fclose(f) != 0) - return errno; - - if(len < 0) - return errno; - - if(len == 8) { - ret = read_master_krb4(context, filename, mkey); - } else if(buf[0] == 0x30 && len <= 127 && buf[1] == len - 2) { - ret = read_master_encryptionkey(context, filename, mkey); - } else if(buf[0] == 5 && buf[1] >= 1 && buf[1] <= 2) { - ret = read_master_keytab(context, filename, mkey); - } else { - ret = read_master_mit(context, filename, mkey); - } - return ret; -} - -krb5_error_code -hdb_write_master_key(krb5_context context, const char *filename, - hdb_master_key mkey) -{ - krb5_error_code ret; - hdb_master_key p; - krb5_keytab kt; - - if(filename == NULL) - filename = HDB_DB_DIR "/m-key"; - - ret = krb5_kt_resolve(context, filename, &kt); - if(ret) - return ret; - - for(p = mkey; p; p = p->next) { - ret = krb5_kt_add_entry(context, kt, &p->keytab); - } - - krb5_kt_close(context, kt); - - return ret; -} - -static hdb_master_key -find_master_key(Key *key, hdb_master_key mkey) -{ - hdb_master_key ret = NULL; - while(mkey) { - if(ret == NULL && mkey->keytab.vno == 0) - ret = mkey; - if(key->mkvno == NULL) { - if(ret == NULL || mkey->keytab.vno > ret->keytab.vno) - ret = mkey; - } else if(mkey->keytab.vno == *key->mkvno) 
- return mkey; - mkey = mkey->next; - } - return ret; -} - -krb5_error_code -hdb_unseal_keys_mkey(krb5_context context, hdb_entry *ent, hdb_master_key mkey) -{ - int i; - krb5_error_code ret; - krb5_data res; - size_t keysize; - Key *k; - - for(i = 0; i < ent->keys.len; i++){ - hdb_master_key key; - - k = &ent->keys.val[i]; - if(k->mkvno == NULL) - continue; - - key = find_master_key(&ent->keys.val[i], mkey); - - if (key == NULL) - return HDB_ERR_NO_MKEY; - - ret = krb5_decrypt(context, key->crypto, HDB_KU_MKEY, - k->key.keyvalue.data, - k->key.keyvalue.length, - &res); - if (ret) - return ret; - - /* fixup keylength if the key got padded when encrypting it */ - ret = krb5_enctype_keysize(context, k->key.keytype, &keysize); - if (ret) { - krb5_data_free(&res); - return ret; - } - if (keysize > res.length) { - krb5_data_free(&res); - return KRB5_BAD_KEYSIZE; - } - - memset(k->key.keyvalue.data, 0, k->key.keyvalue.length); - free(k->key.keyvalue.data); - k->key.keyvalue = res; - k->key.keyvalue.length = keysize; - free(k->mkvno); - k->mkvno = NULL; - } - return 0; -} - -krb5_error_code -hdb_unseal_keys(krb5_context context, HDB *db, hdb_entry *ent) -{ - if (db->master_key_set == 0) - return 0; - return hdb_unseal_keys_mkey(context, ent, db->master_key); -} - -krb5_error_code -hdb_seal_keys_mkey(krb5_context context, hdb_entry *ent, hdb_master_key mkey) -{ - int i; - krb5_error_code ret; - krb5_data res; - for(i = 0; i < ent->keys.len; i++){ - Key *k = &ent->keys.val[i]; - hdb_master_key key; - - if(k->mkvno != NULL) - continue; - - key = find_master_key(k, mkey); - - if (key == NULL) - return HDB_ERR_NO_MKEY; - - ret = krb5_encrypt(context, key->crypto, HDB_KU_MKEY, - k->key.keyvalue.data, - k->key.keyvalue.length, - &res); - if (ret) - return ret; - - memset(k->key.keyvalue.data, 0, k->key.keyvalue.length); - free(k->key.keyvalue.data); - k->key.keyvalue = res; - - k->mkvno = malloc(sizeof(*k->mkvno)); - if (k->mkvno == NULL) - return ENOMEM; - *k->mkvno = 
key->keytab.vno; - } - return 0; -} - -krb5_error_code -hdb_seal_keys(krb5_context context, HDB *db, hdb_entry *ent) -{ - if (db->master_key_set == 0) - return 0; - - return hdb_seal_keys_mkey(context, ent, db->master_key); -} - -krb5_error_code -hdb_set_master_key (krb5_context context, - HDB *db, - krb5_keyblock *key) -{ - krb5_error_code ret; - hdb_master_key mkey; - - ret = hdb_process_master_key(context, 0, key, 0, &mkey); - if (ret) - return ret; - db->master_key = mkey; -#if 0 /* XXX - why? */ - des_set_random_generator_seed(key.keyvalue.data); -#endif - db->master_key_set = 1; - return 0; -} - -krb5_error_code -hdb_set_master_keyfile (krb5_context context, - HDB *db, - const char *keyfile) -{ - hdb_master_key key; - krb5_error_code ret; - - ret = hdb_read_master_key(context, keyfile, &key); - if (ret) { - if (ret != ENOENT) - return ret; - krb5_clear_error_string(context); - return 0; - } - db->master_key = key; - db->master_key_set = 1; - return ret; -} - -krb5_error_code -hdb_clear_master_key (krb5_context context, - HDB *db) -{ - if (db->master_key_set) { - hdb_free_master_key(context, db->master_key); - db->master_key_set = 0; - } - return 0; -} diff --git a/crypto/heimdal-0.6.3/lib/hdb/ndbm.c b/crypto/heimdal-0.6.3/lib/hdb/ndbm.c deleted file mode 100644 index c162145294..0000000000 --- a/crypto/heimdal-0.6.3/lib/hdb/ndbm.c +++ /dev/null 
@@ -1,361 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "hdb_locl.h"
-
-RCSID("$Id: ndbm.c,v 1.33 2001/09/03 05:03:01 assar Exp $");
-
-#if HAVE_NDBM
-
-#if defined(HAVE_GDBM_NDBM_H)
-#include
-#elif defined(HAVE_NDBM_H)
-#include
-#elif defined(HAVE_DBM_H)
-#include
-#endif
-
-struct ndbm_db {
- DBM *db;
- int lock_fd;
-};
-
-static krb5_error_code
-NDBM_destroy(krb5_context context, HDB *db)
-{
- krb5_error_code ret;
-
- ret = hdb_clear_master_key (context, db);
- free(db->name);
- free(db);
- return 0;
-}
-
-static krb5_error_code
-NDBM_lock(krb5_context context, HDB *db, int operation)
-{
- struct ndbm_db *d = db->db;
- return hdb_lock(d->lock_fd, operation);
-}
-
-static krb5_error_code
-NDBM_unlock(krb5_context context, HDB *db)
-{
- struct ndbm_db *d = db->db;
- return hdb_unlock(d->lock_fd);
-}
-
-static krb5_error_code
-NDBM_seq(krb5_context context, HDB *db,
- unsigned flags, hdb_entry *entry, int first)
-
-{
- struct ndbm_db *d = (struct ndbm_db *)db->db;
- datum key, value;
- krb5_data key_data, data;
- krb5_error_code ret = 0;
-
- if(first)
- key = dbm_firstkey(d->db);
- else
- key = dbm_nextkey(d->db);
- if(key.dptr == NULL)
- return HDB_ERR_NOENTRY;
- key_data.data = key.dptr;
- key_data.length = key.dsize;
- ret = db->lock(context, db, HDB_RLOCK);
- if(ret) return ret;
- value = dbm_fetch(d->db, key);
- db->unlock(context, db);
- data.data = value.dptr;
- data.length = value.dsize;
- if(hdb_value2entry(context, &data, entry))
- return NDBM_seq(context, db, flags, entry, 0);
- if (db->master_key_set && (flags & HDB_F_DECRYPT)) {
- ret = hdb_unseal_keys (context, db, entry);
- if (ret)
- hdb_free_entry (context, entry);
- }
- if (entry->principal == NULL) {
- entry->principal = malloc (sizeof(*entry->principal));
- if (entry->principal == NULL) {
- ret = ENOMEM;
- hdb_free_entry (context, entry);
- krb5_set_error_string(context, "malloc: out of memory");
- } else {
- hdb_key2principal (context, &key_data, entry->principal);
- }
- }
- return ret;
-}
-
-
-static krb5_error_code
-NDBM_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry) -{ - return NDBM_seq(context, db, flags, entry, 1); -} - - -static krb5_error_code -NDBM_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry) -{ - return NDBM_seq(context, db, flags, entry, 0); -} - -static krb5_error_code -NDBM_rename(krb5_context context, HDB *db, const char *new_name) -{ - /* XXX this function will break */ - struct ndbm_db *d = db->db; - - int ret; - char *old_dir, *old_pag, *new_dir, *new_pag; - char *new_lock; - int lock_fd; - - /* lock old and new databases */ - ret = db->lock(context, db, HDB_WLOCK); - if(ret) - return ret; - asprintf(&new_lock, "%s.lock", new_name); - if(new_lock == NULL) { - db->unlock(context, db); - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - lock_fd = open(new_lock, O_RDWR | O_CREAT, 0600); - if(lock_fd < 0) { - ret = errno; - db->unlock(context, db); - krb5_set_error_string(context, "open(%s): %s", new_lock, - strerror(ret)); - free(new_lock); - return ret; - } - free(new_lock); - ret = hdb_lock(lock_fd, HDB_WLOCK); - if(ret) { - db->unlock(context, db); - close(lock_fd); - return ret; - } - - asprintf(&old_dir, "%s.dir", db->name); - asprintf(&old_pag, "%s.pag", db->name); - asprintf(&new_dir, "%s.dir", new_name); - asprintf(&new_pag, "%s.pag", new_name); - - ret = rename(old_dir, new_dir) || rename(old_pag, new_pag); - free(old_dir); - free(old_pag); - free(new_dir); - free(new_pag); - hdb_unlock(lock_fd); - db->unlock(context, db); - - if(ret) { - ret = errno; - close(lock_fd); - krb5_set_error_string(context, "rename: %s", strerror(ret)); - return ret; - } - - close(d->lock_fd); - d->lock_fd = lock_fd; - - free(db->name); - db->name = strdup(new_name); - return 0; -} - -static krb5_error_code -NDBM__get(krb5_context context, HDB *db, krb5_data key, krb5_data *reply) -{ - struct ndbm_db *d = (struct ndbm_db *)db->db; - datum k, v; - int code; - - k.dptr = key.data; - k.dsize = 
key.length; - code = db->lock(context, db, HDB_RLOCK); - if(code) - return code; - v = dbm_fetch(d->db, k); - db->unlock(context, db); - if(v.dptr == NULL) - return HDB_ERR_NOENTRY; - - krb5_data_copy(reply, v.dptr, v.dsize); - return 0; -} - -static krb5_error_code -NDBM__put(krb5_context context, HDB *db, int replace, - krb5_data key, krb5_data value) -{ - struct ndbm_db *d = (struct ndbm_db *)db->db; - datum k, v; - int code; - - k.dptr = key.data; - k.dsize = key.length; - v.dptr = value.data; - v.dsize = value.length; - - code = db->lock(context, db, HDB_WLOCK); - if(code) - return code; - code = dbm_store(d->db, k, v, replace ? DBM_REPLACE : DBM_INSERT); - db->unlock(context, db); - if(code == 1) - return HDB_ERR_EXISTS; - if (code < 0) - return code; - return 0; -} - -static krb5_error_code -NDBM__del(krb5_context context, HDB *db, krb5_data key) -{ - struct ndbm_db *d = (struct ndbm_db *)db->db; - datum k; - int code; - krb5_error_code ret; - - k.dptr = key.data; - k.dsize = key.length; - ret = db->lock(context, db, HDB_WLOCK); - if(ret) return ret; - code = dbm_delete(d->db, k); - db->unlock(context, db); - if(code < 0) - return errno; - return 0; -} - -static krb5_error_code -NDBM_open(krb5_context context, HDB *db, int flags, mode_t mode) -{ - krb5_error_code ret; - struct ndbm_db *d = malloc(sizeof(*d)); - char *lock_file; - - if(d == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - asprintf(&lock_file, "%s.lock", (char*)db->name); - if(lock_file == NULL) { - free(d); - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - d->db = dbm_open((char*)db->name, flags, mode); - if(d->db == NULL){ - ret = errno; - free(d); - free(lock_file); - krb5_set_error_string(context, "dbm_open(%s): %s", db->name, - strerror(ret)); - return ret; - } - d->lock_fd = open(lock_file, O_RDWR | O_CREAT, 0600); - if(d->lock_fd < 0){ - ret = errno; - dbm_close(d->db); - free(d); - krb5_set_error_string(context, 
"open(%s): %s", lock_file, - strerror(ret)); - free(lock_file); - return ret; - } - free(lock_file); - db->db = d; - if((flags & O_ACCMODE) == O_RDONLY) - ret = hdb_check_db_format(context, db); - else - ret = hdb_init_db(context, db); - if(ret == HDB_ERR_NOENTRY) - return 0; - return ret; -} - -static krb5_error_code -NDBM_close(krb5_context context, HDB *db) -{ - struct ndbm_db *d = db->db; - dbm_close(d->db); - close(d->lock_fd); - free(d); - return 0; -} - -krb5_error_code -hdb_ndbm_create(krb5_context context, HDB **db, - const char *filename) -{ - *db = malloc(sizeof(**db)); - if (*db == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - - (*db)->db = NULL; - (*db)->name = strdup(filename); - if ((*db)->name == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - free(*db); - *db = NULL; - return ENOMEM; - } - (*db)->master_key_set = 0; - (*db)->openp = 0; - (*db)->open = NDBM_open; - (*db)->close = NDBM_close; - (*db)->fetch = _hdb_fetch; - (*db)->store = _hdb_store; - (*db)->remove = _hdb_remove; - (*db)->firstkey = NDBM_firstkey; - (*db)->nextkey= NDBM_nextkey; - (*db)->lock = NDBM_lock; - (*db)->unlock = NDBM_unlock; - (*db)->rename = NDBM_rename; - (*db)->_get = NDBM__get; - (*db)->_put = NDBM__put; - (*db)->_del = NDBM__del; - (*db)->destroy = NDBM_destroy; - return 0; -} - -#endif /* HAVE_NDBM */ diff --git a/crypto/heimdal-0.6.3/lib/hdb/print.c b/crypto/heimdal-0.6.3/lib/hdb/print.c deleted file mode 100644 index 5ad172f748..0000000000 --- a/crypto/heimdal-0.6.3/lib/hdb/print.c +++ /dev/null 
@@ -1,262 +0,0 @@
-/*
- * Copyright (c) 1999-2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of KTH nor the names of its contributors may be
- * used to endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
- * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
- * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
- * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
-
-#include "hdb_locl.h"
-#include
-
-RCSID("$Id: print.c,v 1.8 2002/05/24 15:18:02 joda Exp $");
-
-/*
- This is the present contents of a dump line. This might change at
- any time. Fields are separated by white space.
-
- principal
- keyblock
- kvno
- keys...
- mkvno
- enctype
- keyvalue
- salt (- means use normal salt)
- creation date and principal
- modification date and principal
- principal valid from date (not used)
- principal valid end date (not used)
- principal key expires (not used)
- max ticket life
- max renewable life
- flags
- generation number
- */
-
-static krb5_error_code
-append_string(krb5_context context, krb5_storage *sp, const char *fmt, ...)
-{
- krb5_error_code ret;
- char *s;
- va_list ap;
- va_start(ap, fmt);
- vasprintf(&s, fmt, ap);
- va_end(ap);
- if(s == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
- ret = krb5_storage_write(sp, s, strlen(s));
- free(s);
- return ret;
-}
-
-static krb5_error_code
-append_hex(krb5_context context, krb5_storage *sp, krb5_data *data)
-{
- int i, printable = 1;
- char *p;
-
- p = data->data;
- for(i = 0; i < data->length; i++)
- if(!isalnum((unsigned char)p[i]) && p[i] != '.'){
- printable = 0;
- break;
- }
- if(printable)
- return append_string(context, sp, "\"%.*s\"",
- data->length, data->data);
- for(i = 0; i < data->length; i++)
- append_string(context, sp, "%02x", ((unsigned char*)data->data)[i]);
- return 0;
-}
-
-static char *
-time2str(time_t t)
-{
- static char buf[128];
- strftime(buf, sizeof(buf), "%Y%m%d%H%M%S", gmtime(&t));
- return buf;
-}
-
-static krb5_error_code
-append_event(krb5_context context, krb5_storage *sp, Event *ev)
-{
- char *pr = NULL;
- krb5_error_code ret;
- if(ev == NULL)
- return append_string(context, sp, "- ");
- if (ev->principal != NULL) {
- ret = krb5_unparse_name(context, ev->principal, &pr);
- if(ret)
- return ret;
- }
- ret = append_string(context, sp, "%s:%s ",
- time2str(ev->time), pr ?
pr : "UNKNOWN");
- free(pr);
- return ret;
-}
-
-static krb5_error_code
-entry2string_int (krb5_context context, krb5_storage *sp, hdb_entry *ent)
-{
- char *p;
- int i;
- krb5_error_code ret;
-
- /* --- principal */
- ret = krb5_unparse_name(context, ent->principal, &p);
- if(ret)
- return ret;
- append_string(context, sp, "%s ", p);
- free(p);
- /* --- kvno */
- append_string(context, sp, "%d", ent->kvno);
- /* --- keys */
- for(i = 0; i < ent->keys.len; i++){
- /* --- mkvno, keytype */
- if(ent->keys.val[i].mkvno)
- append_string(context, sp, ":%d:%d:",
- *ent->keys.val[i].mkvno,
- ent->keys.val[i].key.keytype);
- else
- append_string(context, sp, "::%d:",
- ent->keys.val[i].key.keytype);
- /* --- keydata */
- append_hex(context, sp, &ent->keys.val[i].key.keyvalue);
- append_string(context, sp, ":");
- /* --- salt */
- if(ent->keys.val[i].salt){
- append_string(context, sp, "%u/", ent->keys.val[i].salt->type);
- append_hex(context, sp, &ent->keys.val[i].salt->salt);
- }else
- append_string(context, sp, "-");
- }
- append_string(context, sp, " ");
- /* --- created by */
- append_event(context, sp, &ent->created_by);
- /* --- modified by */
- append_event(context, sp, ent->modified_by);
-
- /* --- valid start */
- if(ent->valid_start)
- append_string(context, sp, "%s ", time2str(*ent->valid_start));
- else
- append_string(context, sp, "- ");
-
- /* --- valid end */
- if(ent->valid_end)
- append_string(context, sp, "%s ", time2str(*ent->valid_end));
- else
- append_string(context, sp, "- ");
-
- /* --- password ends */
- if(ent->pw_end)
- append_string(context, sp, "%s ", time2str(*ent->pw_end));
- else
- append_string(context, sp, "- ");
-
- /* --- max life */
- if(ent->max_life)
- append_string(context, sp, "%d ", *ent->max_life);
- else
- append_string(context, sp, "- ");
-
- /* --- max renewable life */
- if(ent->max_renew)
- append_string(context, sp, "%d ", *ent->max_renew);
- else
- append_string(context, sp, "- ");
-
- /* --- flags */
- 
append_string(context, sp, "%d ", HDBFlags2int(ent->flags));
-
- /* --- generation number */
- if(ent->generation) {
- append_string(context, sp, "%s:%d:%d", time2str(ent->generation->time),
- ent->generation->usec,
- ent->generation->gen);
- } else
- append_string(context, sp, "-");
-
- return 0;
-}
-
-krb5_error_code
-hdb_entry2string (krb5_context context, hdb_entry *ent, char **str)
-{
- krb5_error_code ret;
- krb5_data data;
- krb5_storage *sp;
-
- sp = krb5_storage_emem();
- if(sp == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
-
- ret = entry2string_int(context, sp, ent);
- if(ret) {
- krb5_storage_free(sp);
- return ret;
- }
-
- krb5_storage_write(sp, "\0", 1);
- krb5_storage_to_data(sp, &data);
- krb5_storage_free(sp);
- *str = data.data;
- return 0;
-}
-
-/* print a hdb_entry to (FILE*)data; suitable for hdb_foreach */
-
-krb5_error_code
-hdb_print_entry(krb5_context context, HDB *db, hdb_entry *entry, void *data)
-{
- krb5_error_code ret;
- krb5_storage *sp;
-
- FILE *f = data;
-
- fflush(f);
- sp = krb5_storage_from_fd(fileno(f));
- if(sp == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
-
- ret = entry2string_int(context, sp, entry);
- if(ret) {
- krb5_storage_free(sp);
- return ret;
- }
-
- krb5_storage_write(sp, "\n", 1);
- krb5_storage_free(sp);
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/lib/kadm5/ChangeLog b/crypto/heimdal-0.6.3/lib/kadm5/ChangeLog
deleted file mode 100644
index 51b559bf71..0000000000
--- a/crypto/heimdal-0.6.3/lib/kadm5/ChangeLog
+++ /dev/null
@@ -1,662 +0,0 @@
-2003-12-30 Love Hörnquist Åstrand
-
- * chpass_s.c: from 1.14->1.15:
- (change): fix same-password-again by decrypting keys and setting
- an error code. 
From: Buck Huppmann - -2003-12-21 Love Hörnquist Åstrand - - * init_c.c: 1.47->1.48: (_kadm5_c_init_context): catch errors from - strdup and other krb5_ functions - -2003-08-15 Love Hörnquist Åstrand - - * ipropd_slave.c: 1.27->1.28: (receive_everything): switch close - and rename 
From: Alf Wachsmann - -2003-04-16 Love Hörnquist Åstrand - - * send_recv.c: check return values from krb5_data_alloc - * log.c: check return values from krb5_data_alloc - -2003-04-16 Love Hörnquist Åstrand - - * dump_log.c (print_entry): check return values from - krb5_data_alloc - -2003-04-01 Love Hörnquist Åstrand - - * init_c.c (kadm_connect): if a context realm was passed in, use - that to form the kadmin/admin principal - -2003-03-19 Love Hörnquist Åstrand - - * ipropd_master.c (main): make sure we don't consider dead slave - for select processing - (write_stats): use slave_stats_file variable, - check return value of strftime - (args): allow specifying slave stats file - (slave_dead): close the fd when the slave dies - -2002-10-21 Johan Danielsson - - * ipropd_slave.c (from Derrick Brashear): Propagating a large - database without this means the slave kdcs can get erroneous - HDB_NOENTRY and return the resulting errors. This creates a new db - handle, populates it, and moves it into place. - -2002-08-26 Assar Westerlund - - * ipropd_slave.c (receive_everything): type-correctness calling - _krb5_get_int - - * context_s.c (find_db_spec): const-correctness in parameters to - krb5_config_get_next - -2002-08-16 Johan Danielsson - - * private.h: rename header file flag macro - - * Makefile.am: generate kadm5-{protos,private}.h - -2002-08-15 Johan Danielsson - - * ipropd_master.c: check return value of krb5_sockaddr2address - -2002-07-04 Johan Danielsson - - * ipropd_master.c: handle slaves that come and go; add status - reporting (both from Love) - - * iprop.h: KADM5_SLAVE_STATS - -2002-03-25 Jacques Vidrine - - * init_c.c (get_cred_cache): bug fix: the default credentials - cache was not being used if a client name was specified. 
- -2002-03-25 Johan Danielsson - - * init_c.c (get_cred_cache): when getting the default_client from - the cred cache, make sure the instance part is "admin"; this - should require fewer uses of -p - -2002-03-11 Assar Westerlund - - * Makefile.am (libkadm5srv_la_LDFLAGS): set version to 7:5:0 - (libkadm5clnt_la_LDFLAGS): set version to 6:3:2 - -2002-02-08 Johan Danielsson - - * init_c.c: we have to create our own param struct before - marshaling - -2001-09-05 Johan Danielsson - - * Makefile.am: link with LIB_pidfile - - * iprop.h: include util.h for pidfile - -2001-08-31 Assar Westerlund - - * ipropd_slave.c (main): syslog with the correct name - -2001-08-30 Jacques Vidrine - - * ipropd_slave.c, ipropd_master.c (main): call pidfile - -2001-08-28 Assar Westerlund - - * Makefile.am (libkadm5srv_la_LDFLAGS): set version to 7:4:0 - -2001-08-24 Assar Westerlund - - * acl.c (fetch_acl): do not return bogus flags and re-organize - function - - * Makefile.am: rename variable name to avoid error from current - automake - -2001-08-13 Johan Danielsson - - * set_keys.c: add easier afs configuration, defaulting to the - local realm in lower case; also try to remove duplicate salts - -2001-07-12 Assar Westerlund - - * Makefile.am: add required library dependencies - -2001-07-03 Assar Westerlund - - * Makefile.am (libkadm5clnt_la_LDFLAGS): set version to 6:2:2 - -2001-06-29 Johan Danielsson - - * init_c.c: call krb5_get_init_creds_opt_set_default_flags - -2001-02-19 Johan Danielsson - - * replay_log.c: add --{start-end}-version flags to replay just - part of the log - -2001-02-15 Assar Westerlund - - * ipropd_master.c (main): fix select-loop to decrement ret - correctly. from "Brandon S. 
Allbery KF8NH" - -2001-01-30 Assar Westerlund - - * Makefile.am: bump versions - -2000-12-31 Assar Westerlund - - * init_s.c (*): handle krb5_init_context failure consistently - * init_c.c (init_context): handle krb5_init_context failure - consistently - -2000-12-11 Assar Westerlund - - * Makefile.am (libkadm5srv_la_LDFLAGS): bump version to 7:2:0 - -2000-11-16 Assar Westerlund - - * set_keys.c (make_keys): clean-up salting loop and try not to - leak memory - - * ipropd_master.c (main): check for fd's being too large to select - on - -2000-08-16 Assar Westerlund - - * Makefile.am (libkadm5srv_la_LDFLAGS): bump version to 7:1:0 - -2000-08-10 Assar Westerlund - - * acl.c (fetch_acl): fix wrong cases, use krb5_principal_match - -2000-08-07 Assar Westerlund - - * ipropd_master.c (main): ignore SIGPIPE - -2000-08-06 Assar Westerlund - - * ipropd_slave.c (receive_everything): make `fd' an int instead of - a pointer. From Derrick J Brashear - -2000-08-04 Johan Danielsson - - * admin.h: change void** to void* - -2000-07-25 Johan Danielsson - - * Makefile.am: bump versions to 7:0:0 and 6:0:2 - -2000-07-24 Assar Westerlund - - * log.c (kadm5_log_get_version): rename kadm5_log_get_version_fd - and make a new that takes a context - (kadm5_log_nop): add logging of missing lengths - (kadm5_log_truncate): new function - - * dump_log.c (print_entry): update and correct - * randkey_s.c: call _kadm5_bump_pw_expire - * truncate_log.c: new program for truncating the log - * Makefile.am (sbin_PROGRAMS): add truncate_log - (C_SOURCES): add bump_pw_expire.c - * bump_pw_expire.c: new function for extending password expiration - -2000-07-22 Assar Westerlund - - * keys.c: new file with _kadm5_free_keys, _kadm5_init_keys - - * set_keys.c (free_keys, init_keys): elevate to internal kadm5 - functions - - * chpass_s.c (kadm5_s_chpass_principal_cond): new function - * Makefile.am (C_SOURCES): add keys.c - * init_c.c: remove unused variable and handle some parameters - being NULL - -2000-07-22 
Johan Danielsson - - * ipropd_slave.c: use krb5_read_priv_message - - * ipropd_master.c: use krb5_{read,write}_priv_message - - * init_c.c: use krb5_write_priv_message - -2000-07-11 Johan Danielsson - - * ipropd_slave.c: no need to call gethostname, since - sname_to_principal will - - * send_recv.c: assert that we have a connected socket - - * get_princs_c.c: call _kadm5_connect - - * rename_c.c: call _kadm5_connect - - * randkey_c.c: call _kadm5_connect - - * privs_c.c: call _kadm5_connect - - * modify_c.c: call _kadm5_connect - - * get_c.c: call _kadm5_connect - - * delete_c.c: call _kadm5_connect - - * create_c.c: call _kadm5_connect - - * chpass_c.c: call _kadm5_connect - - * private.h: add more fields to client context; remove prototypes - - * admin.h: remove prototypes - - * kadm5-protos.h: move public prototypes here - - * kadm5-private.h: move private prototypes here - - * init_c.c: break out connection code to separate function, and - defer calling it until we actually do something - -2000-07-07 Assar Westerlund - - * set_keys.c (make_keys): also support `[kadmin]use_v4_salt' for - backwards compatability - -2000-06-26 Johan Danielsson - - * set_keys.c (_kadm5_set_keys): rewrite this to be more easily - adaptable to different salts - -2000-06-19 Johan Danielsson - - * get_s.c: pa_* -> KRB5_PADATA_* - -2000-06-16 Assar Westerlund - - * ipropd_slave.c: change default keytab to default keytab (as in - typically FILE:/etc/krb5.keytab) - -2000-06-08 Assar Westerlund - - * ipropd_slave.c: bug fixes, for actually writing the full dump to - the database. based on a patch from Love - -2000-06-07 Assar Westerlund - - * acl.c: add support for patterns of principals - * log.c (kadm5_log_replay_create): handle more NULL pointers - (should they really happen?) - * log.c (kadm5_log_replay_modify): handle max_life == NULL and - max_renew == NULL - - * ipropd_master.c: use syslog. 
be less verbose - * ipropd_slave.c: use syslog - -2000-06-05 Assar Westerlund - - * private.h (kadm_ops): add kadm_nop more prototypes - * log.c (kadm5_log_set_version, kadm5_log_reinit, kadm5_log_nop, - kadm5_log_replay_nop): add - * ipropd_slave.c: and some more improvements - * ipropd_master.c: lots of improvements - * iprop.h (IPROP_PORT, IPROP_SERVICE): add - (iprop_cmd): add new commands - - * dump_log.c: add nop - -2000-05-15 Assar Westerlund - - * Makefile.am (libkadm5clnt_la_LDFLAGS): set version to 5:1:1 - -2000-05-12 Assar Westerlund - - * get_s.c (kadm5_s_get_principal): set life, rlife to INT_MAX as a - fallback. handle not having any creator. - * destroy_s.c (kadm5_s_destroy): free all allocated memory - * context_s.c (set_field): free variable if it's already set - (find_db_spec): malloc space for all strings - -2000-04-05 Assar Westerlund - - * Makefile.am (LDADD): add LIB_openldap - -2000-04-03 Assar Westerlund - - * Makefile.am (libkadm5srv_la_LDFLAGS): set version to 6:0:1 - (libkadm5clnt_la_LDFLAGS): set version to 5:0:1 - -2000-03-24 Assar Westerlund - - * set_keys.c (_kadm5_set_keys2): rewrite - (_kadm5_set_keys3): add - - * private.h (struct kadm_func): add chpass_principal_with_key - * init_c.c (set_funcs): add chpass_principal_with_key - -2000-03-23 Assar Westerlund - - * context_s.c (set_funcs): add chpass_principal_with_key - * common_glue.c (kadm5_chpass_principal_with_key): add - * chpass_s.c: comment-ize and change calling convention for - _kadm5_set_keys* - * chpass_c.c (kadm5_c_chpass_principal_with_key): add - -2000-02-07 Assar Westerlund - - * Makefile.am (libkadm5clnt_la_LDFLAGS): set version to 4:2:0 - -2000-01-28 Assar Westerlund - - * init_c.c (get_new_cache): make sure to request non-forwardable, - non-proxiable - -2000-01-06 Assar Westerlund - - * Makefile.am (libkadm5srv.la): bump version to 5:1:0 - - * context_s.c (_kadm5_s_init_context): handle params == NULL - -1999-12-26 Assar Westerlund - - * get_s.c 
(kadm5_s_get_principal): handle modified_by->principal - == NULL - -1999-12-20 Assar Westerlund - - * Makefile.am (libkadm5clnt_la_LDFLAGS): bump version to 4:1:0 - - * init_c.c (_kadm5_c_init_context): handle getting back port - number from admin host - (kadm5_c_init_with_context): remove `proto/' part before doing - getaddrinfo() - -1999-12-06 Assar Westerlund - - * Makefile.am: bump version to 5:0:0 and 4:0:0 - - * init_c.c (kadm5_c_init_with_context): don't use unitialized - stuff - -1999-12-04 Assar Westerlund - - * replay_log.c: adapt to changed kadm5_log_foreach - - * log.c (kadm5_log_foreach): change to take a - `kadm5_server_context' - - * init_c.c: use krb5_warn{,x} - - * dump_log.c: adapt to changed kadm5_log_foreach - - * init_c.c: re-write to use getaddrinfo - * Makefile.am (install-build-headers): add dependency - -1999-12-03 Johan Danielsson - - * log.c (kadm5_log_foreach): pass context - - * dump_log.c: print more interesting things - -1999-12-02 Johan Danielsson - - * ipropd_master.c (process_msg): check for short reads - -1999-11-25 Assar Westerlund - - * modify_s.c (kadm5_s_modify_principal): support key_data - (kadm5_s_modify_principal_with_key): remove - - * admin.h (kadm5_s_modify_principal_with_key): remove - -1999-11-20 Assar Westerlund - - * context_s.c (find_db_spec): ugly cast work-around. 
- -1999-11-14 Assar Westerlund - - * context_s.c (_kadm5_s_init_context): call krb5_add_et_list so - that we aren't dependent on the layout of krb5_context_data - * init_c.c (_kadm5_c_init_context): call krb5_add_et_list so that - we aren't dependent on the layout of krb5_context_data - -1999-11-13 Assar Westerlund - - * password_quality.c (kadm5_setup_passwd_quality_check): use - correct types for function pointers - -1999-11-09 Johan Danielsson - - * randkey_s.c: always bail out if the fetch fails - - * admin.h (kadm5_config_params): remove fields we're not using - - * ipropd_slave.c: allow passing a realm - - * ipropd_master.c: allow passing a realm - - * dump_log.c: allow passing a realm - - * acl.c: correctly get acl file - - * private.h (kadm5_server_context): add config_params struct and - remove acl_file; bump protocol version number - - * marshall.c: marshalling of config parameters - - * init_c.c (kadm5_c_init_with_context): try to cope with old - servers - - * init_s.c (kadm5_s_init_with_context): actually use some passed - values - - * context_s.c (_kadm5_s_init_context): get dbname, acl_file, and - stash_file from the config parameters, try to figure out these if - they're not provided - -1999-11-05 Assar Westerlund - - * Makefile.am (install-build-headers): use `cp' instead of - INSTALL_DATA - -1999-11-04 Assar Westerlund - - * Makefile.am: bump version to 4:0:0 and 3:0:0 (they access fields - directly in libkrb5's context - bad functions) - - * set_keys.c (_kadm5_set_keys_randomly): set enctypes correctly in - the copied keys - -1999-10-20 Assar Westerlund - - * Makefile.am: set version of kadm5srv to 3:0:2 (new password - quality functions). 
- set version of kdam5clnt to 2:1:1 (no interface changes) - - * Makefile.am (LDADD): add $(LIB_dlopen) - -1999-10-17 Assar Westerlund - - * randkey_s.c (kadm5_s_randkey_principal): use - _kadm5_set_keys_randomly - - * set_keys.c (free_keys): free more memory - (_kadm5_set_keys): a little bit more generic - (_kadm5_set_keys_randomly): new function for setting random keys. - -1999-10-14 Assar Westerlund - - * set_keys.c (_kadm5_set_keys): ignore old keys when setting new - ones and always add 3 DES keys and one 3DES key - -1999-10-03 Assar Westerlund - - * init_c.c (_kadm5_c_init_context): use `krb5_get_krb_admin_hst'. - check return value from strdup - -1999-09-26 Assar Westerlund - - * acl.c (_kadm5_privs_to_string): forgot one strcpy_truncate -> - strlcpy - -1999-09-24 Johan Danielsson - - * dump_log.c: remove unused `optind' - - * replay_log.c: remove unused `optind' - -1999-09-13 Assar Westerlund - - * chpass_c.c (kadm5_c_chpass_principal): new _kadm5_client_recv - - * send_recv.c (_kadm5_client_recv): return result in a `krb5_data' - so that we avoid copying it and don't need to dimension in - advance. change all callers. - -1999-09-10 Assar Westerlund - - * password_quality.c: new file - - * admin.h - (kadm5_setup_passwd_quality_check,kadm5_check_password_quality): - add prototypes - - * Makefile.am (S_SOURCES): add password_quality.c - -1999-07-26 Assar Westerlund - - * Makefile.am: update versions to 2:0:1 - -1999-07-24 Assar Westerlund - - * ent_setup.c (_kadm5_setup_entry): make princ_expire_time == 0 - and pw_expiration == 0 mean never - -1999-07-22 Assar Westerlund - - * log.c (kadm5_log_flush): extra cast - -1999-07-07 Assar Westerlund - - * marshall.c (store_principal_ent): encoding princ_expire_time and - pw_expiration in correct order - -1999-06-28 Assar Westerlund - - * randkey_s.c (kadm5_s_randkey_principal): nuke old mkvno, - otherwise hdb will think that the new random keys are already - encrypted which will cause lots of confusion later. 
- -1999-06-23 Assar Westerlund - - * ent_setup.c (_kadm5_setup_entry): handle 0 == unlimited - correctly. From Michal Vocu - -1999-06-15 Assar Westerlund - - * init_c.c (get_cred_cache): use get_default_username - -1999-05-23 Assar Westerlund - - * create_s.c (create_principal): if there's no default entry the - mask should be zero. - -1999-05-21 Assar Westerlund - - * init_c.c (get_cred_cache): use $USERNAME - -1999-05-17 Johan Danielsson - - * init_c.c (get_cred_cache): figure out principal - -1999-05-05 Johan Danielsson - - * send_recv.c: cleanup _kadm5_client_{send,recv} - -1999-05-04 Assar Westerlund - - * set_keys.c (_kadm5_set_keys2): don't check the recently created - memory for NULL pointers - - * private.h (_kadm5_setup_entry): change prototype - - * modify_s.c: call new _kadm5_setup_entry - - * ent_setup.c (_kadm5_setup_entry): change so that it takes three - masks, one for what bits to set and one for each of principal and - def containing the bits that are set there. - - * create_s.c: call new _kadm5_setup_entry - - * create_s.c (get_default): check return value - (create_principal): send wider mask to _kadm5_setup_entry - -1999-05-04 Johan Danielsson - - * send_recv.c (_kadm5_client_recv): handle arbitrarily sized - packets, check for errors - - * get_c.c: check for failure from _kadm5_client_{send,recv} - -1999-05-04 Assar Westerlund - - * init_c.c (get_new_cache): don't abort when interrupted from - password prompt - - * destroy_c.c (kadm5_c_destroy): check if we should destroy the - auth context - -1999-05-03 Johan Danielsson - - * chpass_s.c: fix arguments to _kadm5_set_keys2 - - * private.h: proto - - * set_keys.c: clear mkvno - - * rename_s.c: add flags to fetch and store; seal keys before - logging - - * randkey_s.c: add flags to fetch and store; seal keys before - logging - - * modify_s.c: add flags to fetch and store; seal keys before - logging - - * log.c: add flags to fetch and store; seal keys before logging - - * get_s.c: add flags to 
fetch and store; seal keys before logging - - * get_princs_s.c: add flags to fetch and store; seal keys before - logging - - * delete_s.c: add flags to fetch and store; seal keys before - logging - - * create_s.c: add flags to fetch and store; seal keys before - logging - - * chpass_s.c: add flags to fetch and store; seal keys before - logging - - * Makefile.am: remove server.c - - * admin.h: add prototypes - - * ent_setup.c (_kadm5_setup_entry): set key_data - - * set_keys.c: add _kadm5_set_keys2 to sey keys from key_data - - * modify_s.c: add kadm5_s_modify_principal_with_key - - * create_s.c: add kadm5_s_create_principal_with_key - - * chpass_s.c: add kadm5_s_chpass_principal_with_key - - * kadm5_locl.h: move stuff to private.h - - * private.h: move stuff from kadm5_locl.h - diff --git a/crypto/heimdal-0.6.3/lib/kadm5/Makefile.am b/crypto/heimdal-0.6.3/lib/kadm5/Makefile.am deleted file mode 100644 index 9b0c49d920..0000000000 --- a/crypto/heimdal-0.6.3/lib/kadm5/Makefile.am +++ /dev/null 
@@ -1,135 +0,0 @@ -# $Id: Makefile.am,v 1.51.6.1 2003/05/12 15:20:46 joda Exp $ - -include $(top_srcdir)/Makefile.am.common - -lib_LTLIBRARIES = libkadm5srv.la libkadm5clnt.la -libkadm5srv_la_LDFLAGS = -version-info 7:6:0 -libkadm5clnt_la_LDFLAGS = -version-info 6:4:2 -sbin_PROGRAMS = dump_log replay_log truncate_log - -libkadm5srv_la_LIBADD = ../krb5/libkrb5.la ../hdb/libhdb.la ../roken/libroken.la -libkadm5clnt_la_LIBADD = ../krb5/libkrb5.la ../hdb/libhdb.la ../roken/libroken.la - -libexec_PROGRAMS = ipropd-master ipropd-slave - -kadm5includedir = $(includedir)/kadm5 -buildkadm5include = $(buildinclude)/kadm5 - -kadm5include_HEADERS = kadm5_err.h admin.h private.h \ - kadm5-protos.h kadm5-private.h - -install-build-headers:: $(kadm5include_HEADERS) - @foo='$(kadm5include_HEADERS)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildkadm5include)/$$f 2> /dev/null ; then \ - : ; else \ - echo "cp $$file $(buildkadm5include)/$$f";\ - cp $$file $(buildkadm5include)/$$f; \ - fi ; \ - done - -SOURCES_client = \ - admin.h \ - chpass_c.c \ - common_glue.c \ - create_c.c \ - delete_c.c \ - destroy_c.c \ - flush_c.c \ - free.c \ - get_c.c \ - get_princs_c.c \ - init_c.c \ - kadm5_err.c \ - kadm5_locl.h \ - marshall.c \ - modify_c.c \ - private.h \ - privs_c.c \ - randkey_c.c \ - rename_c.c \ - send_recv.c - -SOURCES_server = \ - acl.c \ - admin.h \ - bump_pw_expire.c \ - chpass_s.c \ - common_glue.c \ - context_s.c \ - create_s.c \ - delete_s.c \ - destroy_s.c \ - ent_setup.c \ - error.c \ - flush_s.c \ - free.c \ - get_princs_s.c \ - get_s.c \ - init_s.c \ - kadm5_err.c \ - kadm5_locl.h \ - keys.c \ - log.c \ - marshall.c \ - modify_s.c \ - private.h \ - privs_s.c \ - randkey_s.c \ - rename_s.c \ - set_keys.c \ - set_modifier.c \ - password_quality.c - -libkadm5srv_la_SOURCES = $(SOURCES_server) server_glue.c -libkadm5clnt_la_SOURCES = $(SOURCES_client) client_glue.c 
- -dump_log_SOURCES = dump_log.c kadm5_locl.h - -replay_log_SOURCES = replay_log.c kadm5_locl.h - -ipropd_master_SOURCES = ipropd_master.c iprop.h kadm5_locl.h - -ipropd_slave_SOURCES = ipropd_slave.c iprop.h kadm5_locl.h - -truncate_log_SOURCES = truncate_log.c - -LDADD = \ - libkadm5srv.la \ - $(top_builddir)/lib/hdb/libhdb.la \ - $(LIB_openldap) \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_des) \ - $(LIB_roken) \ - $(DBLIB) \ - $(LIB_dlopen) \ - $(LIB_pidfile) - -CLEANFILES = kadm5_err.c kadm5_err.h - -$(libkadm5srv_la_OBJECTS): kadm5_err.h - -client_glue.lo server_glue.lo: $(srcdir)/common_glue.c - -# to help stupid solaris make - -kadm5_err.h: kadm5_err.et - -$(libkadm5clnt_la_OBJECTS) $(libkadm5srv_la_OBJECTS): $(srcdir)/kadm5-protos.h $(srcdir)/kadm5-private.h - -proto_opts = -q -R '^(_|kadm5_c_|kadm5_s_|kadm5_log)' -P comment -$(srcdir)/kadm5-protos.h: - cd $(srcdir); perl ../../cf/make-proto.pl $(proto_opts) \ - -o kadm5-protos.h \ - $(libkadm5clnt_la_SOURCES) $(libkadm5srv_la_SOURCES) \ - || rm -f kadm5-protos.h - -$(srcdir)/kadm5-private.h: - cd $(srcdir); perl ../../cf/make-proto.pl $(proto_opts) \ - -p kadm5-private.h \ - $(libkadm5clnt_la_SOURCES) $(libkadm5srv_la_SOURCES) \ - || rm -f kadm5-private.h diff --git a/crypto/heimdal-0.6.3/lib/kadm5/Makefile.in b/crypto/heimdal-0.6.3/lib/kadm5/Makefile.in deleted file mode 100644 index 8695002cb7..0000000000 --- a/crypto/heimdal-0.6.3/lib/kadm5/Makefile.in +++ /dev/null 
@@ -1,1042 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.51.6.1 2003/05/12 15:20:46 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - - - -SOURCES = $(libkadm5clnt_la_SOURCES) $(libkadm5srv_la_SOURCES) $(dump_log_SOURCES) $(ipropd_master_SOURCES) $(ipropd_slave_SOURCES) $(replay_log_SOURCES) $(truncate_log_SOURCES) - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../.. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(kadm5include_HEADERS) $(srcdir)/Makefile.am \ - $(srcdir)/Makefile.in $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common ChangeLog -sbin_PROGRAMS = dump_log$(EXEEXT) replay_log$(EXEEXT) \ - truncate_log$(EXEEXT) -libexec_PROGRAMS = ipropd-master$(EXEEXT) ipropd-slave$(EXEEXT) -subdir = lib/kadm5 -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - 
$(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - $(top_srcdir)/cf/krb-struct-spwd.m4 \ - $(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(kadm5includedir)" -libLTLIBRARIES_INSTALL = $(INSTALL) -LTLIBRARIES = $(lib_LTLIBRARIES) -libkadm5clnt_la_DEPENDENCIES = ../krb5/libkrb5.la ../hdb/libhdb.la \ - ../roken/libroken.la -am__objects_1 = chpass_c.lo common_glue.lo create_c.lo delete_c.lo \ - destroy_c.lo flush_c.lo free.lo get_c.lo get_princs_c.lo \ - init_c.lo kadm5_err.lo marshall.lo modify_c.lo privs_c.lo \ - randkey_c.lo rename_c.lo send_recv.lo -am_libkadm5clnt_la_OBJECTS = $(am__objects_1) client_glue.lo -libkadm5clnt_la_OBJECTS = $(am_libkadm5clnt_la_OBJECTS) -libkadm5srv_la_DEPENDENCIES = ../krb5/libkrb5.la ../hdb/libhdb.la \ - ../roken/libroken.la -am__objects_2 = acl.lo bump_pw_expire.lo chpass_s.lo common_glue.lo \ - context_s.lo create_s.lo delete_s.lo destroy_s.lo ent_setup.lo \ - error.lo flush_s.lo free.lo get_princs_s.lo get_s.lo init_s.lo \ - kadm5_err.lo keys.lo log.lo marshall.lo modify_s.lo privs_s.lo \ - randkey_s.lo rename_s.lo set_keys.lo set_modifier.lo \ - password_quality.lo -am_libkadm5srv_la_OBJECTS = $(am__objects_2) 
server_glue.lo -libkadm5srv_la_OBJECTS = $(am_libkadm5srv_la_OBJECTS) -libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -sbinPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -PROGRAMS = $(libexec_PROGRAMS) $(sbin_PROGRAMS) -am_dump_log_OBJECTS = dump_log.$(OBJEXT) -dump_log_OBJECTS = $(am_dump_log_OBJECTS) -dump_log_LDADD = $(LDADD) -am__DEPENDENCIES_1 = -dump_log_DEPENDENCIES = libkadm5srv.la \ - $(top_builddir)/lib/hdb/libhdb.la $(am__DEPENDENCIES_1) \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) -am_ipropd_master_OBJECTS = ipropd_master.$(OBJEXT) -ipropd_master_OBJECTS = $(am_ipropd_master_OBJECTS) -ipropd_master_LDADD = $(LDADD) -ipropd_master_DEPENDENCIES = libkadm5srv.la \ - $(top_builddir)/lib/hdb/libhdb.la $(am__DEPENDENCIES_1) \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) -am_ipropd_slave_OBJECTS = ipropd_slave.$(OBJEXT) -ipropd_slave_OBJECTS = $(am_ipropd_slave_OBJECTS) -ipropd_slave_LDADD = $(LDADD) -ipropd_slave_DEPENDENCIES = libkadm5srv.la \ - $(top_builddir)/lib/hdb/libhdb.la $(am__DEPENDENCIES_1) \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) -am_replay_log_OBJECTS = replay_log.$(OBJEXT) -replay_log_OBJECTS = $(am_replay_log_OBJECTS) -replay_log_LDADD = $(LDADD) -replay_log_DEPENDENCIES = libkadm5srv.la \ - $(top_builddir)/lib/hdb/libhdb.la $(am__DEPENDENCIES_1) \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) -am_truncate_log_OBJECTS = truncate_log.$(OBJEXT) 
-truncate_log_OBJECTS = $(am_truncate_log_OBJECTS) -truncate_log_LDADD = $(LDADD) -truncate_log_DEPENDENCIES = libkadm5srv.la \ - $(top_builddir)/lib/hdb/libhdb.la $(am__DEPENDENCIES_1) \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) -DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -SOURCES = $(libkadm5clnt_la_SOURCES) $(libkadm5srv_la_SOURCES) \ - $(dump_log_SOURCES) $(ipropd_master_SOURCES) \ - $(ipropd_slave_SOURCES) $(replay_log_SOURCES) \ - $(truncate_log_SOURCES) -DIST_SOURCES = $(libkadm5clnt_la_SOURCES) $(libkadm5srv_la_SOURCES) \ - $(dump_log_SOURCES) $(ipropd_master_SOURCES) \ - $(ipropd_slave_SOURCES) $(replay_log_SOURCES) \ - $(truncate_log_SOURCES) -kadm5includeHEADERS_INSTALL = $(INSTALL_HEADER) -HEADERS = $(kadm5include_HEADERS) -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS 
= @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = 
@LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ 
-VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) 
-@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -lib_LTLIBRARIES = libkadm5srv.la libkadm5clnt.la -libkadm5srv_la_LDFLAGS = -version-info 7:6:0 -libkadm5clnt_la_LDFLAGS = -version-info 6:4:2 -libkadm5srv_la_LIBADD = ../krb5/libkrb5.la ../hdb/libhdb.la ../roken/libroken.la -libkadm5clnt_la_LIBADD = ../krb5/libkrb5.la ../hdb/libhdb.la ../roken/libroken.la -kadm5includedir = $(includedir)/kadm5 -buildkadm5include = $(buildinclude)/kadm5 -kadm5include_HEADERS = kadm5_err.h admin.h private.h \ - kadm5-protos.h kadm5-private.h - -SOURCES_client = \ - admin.h \ - chpass_c.c \ - common_glue.c \ - create_c.c \ - delete_c.c \ - destroy_c.c \ - flush_c.c \ - free.c \ - get_c.c \ - get_princs_c.c \ - init_c.c \ - kadm5_err.c \ - kadm5_locl.h \ - marshall.c \ - modify_c.c \ - private.h \ - privs_c.c \ - randkey_c.c \ - rename_c.c \ - send_recv.c - -SOURCES_server = \ - acl.c \ - admin.h \ - bump_pw_expire.c \ - chpass_s.c \ - common_glue.c \ - context_s.c \ - create_s.c \ - delete_s.c \ - destroy_s.c \ - ent_setup.c \ - error.c \ - flush_s.c \ - free.c \ - get_princs_s.c \ - get_s.c \ - init_s.c \ - kadm5_err.c \ - kadm5_locl.h \ - keys.c \ - log.c \ - marshall.c \ - modify_s.c \ - private.h \ - privs_s.c \ - randkey_s.c \ - rename_s.c \ - set_keys.c \ - set_modifier.c \ - password_quality.c - -libkadm5srv_la_SOURCES = $(SOURCES_server) server_glue.c -libkadm5clnt_la_SOURCES = 
$(SOURCES_client) client_glue.c -dump_log_SOURCES = dump_log.c kadm5_locl.h -replay_log_SOURCES = replay_log.c kadm5_locl.h -ipropd_master_SOURCES = ipropd_master.c iprop.h kadm5_locl.h -ipropd_slave_SOURCES = ipropd_slave.c iprop.h kadm5_locl.h -truncate_log_SOURCES = truncate_log.c -LDADD = \ - libkadm5srv.la \ - $(top_builddir)/lib/hdb/libhdb.la \ - $(LIB_openldap) \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_des) \ - $(LIB_roken) \ - $(DBLIB) \ - $(LIB_dlopen) \ - $(LIB_pidfile) - -CLEANFILES = kadm5_err.c kadm5_err.h -proto_opts = -q -R '^(_|kadm5_c_|kadm5_s_|kadm5_log)' -P comment -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps lib/kadm5/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps lib/kadm5/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' 
in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -install-libLTLIBRARIES: $(lib_LTLIBRARIES) - @$(NORMAL_INSTALL) - test -z "$(libdir)" || $(mkdir_p) "$(DESTDIR)$(libdir)" - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - if test -f $$p; then \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \ - $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \ - else :; fi; \ - done - -uninstall-libLTLIBRARIES: - @$(NORMAL_UNINSTALL) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - p="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \ - $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \ - done - -clean-libLTLIBRARIES: - -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ - test "$$dir" = "$$p" && dir=.; \ - echo "rm -f \"$${dir}/so_locations\""; \ - rm -f "$${dir}/so_locations"; \ - done -libkadm5clnt.la: $(libkadm5clnt_la_OBJECTS) $(libkadm5clnt_la_DEPENDENCIES) - $(LINK) -rpath $(libdir) $(libkadm5clnt_la_LDFLAGS) $(libkadm5clnt_la_OBJECTS) $(libkadm5clnt_la_LIBADD) $(LIBS) -libkadm5srv.la: 
$(libkadm5srv_la_OBJECTS) $(libkadm5srv_la_DEPENDENCIES) - $(LINK) -rpath $(libdir) $(libkadm5srv_la_LDFLAGS) $(libkadm5srv_la_OBJECTS) $(libkadm5srv_la_LIBADD) $(LIBS) -install-libexecPROGRAMS: $(libexec_PROGRAMS) - @$(NORMAL_INSTALL) - test -z "$(libexecdir)" || $(mkdir_p) "$(DESTDIR)$(libexecdir)" - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(libexecdir)/$$f'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(libexecdir)/$$f" || exit 1; \ - else :; fi; \ - done - -uninstall-libexecPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f '$(DESTDIR)$(libexecdir)/$$f'"; \ - rm -f "$(DESTDIR)$(libexecdir)/$$f"; \ - done - -clean-libexecPROGRAMS: - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -install-sbinPROGRAMS: $(sbin_PROGRAMS) - @$(NORMAL_INSTALL) - test -z "$(sbindir)" || $(mkdir_p) "$(DESTDIR)$(sbindir)" - @list='$(sbin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(sbinPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(sbindir)/$$f'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(sbinPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(sbindir)/$$f" || exit 1; \ - else :; fi; \ - done - -uninstall-sbinPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(sbin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 
's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f '$(DESTDIR)$(sbindir)/$$f'"; \ - rm -f "$(DESTDIR)$(sbindir)/$$f"; \ - done - -clean-sbinPROGRAMS: - @list='$(sbin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -dump_log$(EXEEXT): $(dump_log_OBJECTS) $(dump_log_DEPENDENCIES) - @rm -f dump_log$(EXEEXT) - $(LINK) $(dump_log_LDFLAGS) $(dump_log_OBJECTS) $(dump_log_LDADD) $(LIBS) -ipropd-master$(EXEEXT): $(ipropd_master_OBJECTS) $(ipropd_master_DEPENDENCIES) - @rm -f ipropd-master$(EXEEXT) - $(LINK) $(ipropd_master_LDFLAGS) $(ipropd_master_OBJECTS) $(ipropd_master_LDADD) $(LIBS) -ipropd-slave$(EXEEXT): $(ipropd_slave_OBJECTS) $(ipropd_slave_DEPENDENCIES) - @rm -f ipropd-slave$(EXEEXT) - $(LINK) $(ipropd_slave_LDFLAGS) $(ipropd_slave_OBJECTS) $(ipropd_slave_LDADD) $(LIBS) -replay_log$(EXEEXT): $(replay_log_OBJECTS) $(replay_log_DEPENDENCIES) - @rm -f replay_log$(EXEEXT) - $(LINK) $(replay_log_LDFLAGS) $(replay_log_OBJECTS) $(replay_log_LDADD) $(LIBS) -truncate_log$(EXEEXT): $(truncate_log_OBJECTS) $(truncate_log_DEPENDENCIES) - @rm -f truncate_log$(EXEEXT) - $(LINK) $(truncate_log_LDFLAGS) $(truncate_log_OBJECTS) $(truncate_log_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c $< - -.c.obj: - $(COMPILE) -c `$(CYGPATH_W) '$<'` - -.c.lo: - $(LTCOMPILE) -c -o $@ $< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -install-kadm5includeHEADERS: $(kadm5include_HEADERS) - @$(NORMAL_INSTALL) - test -z "$(kadm5includedir)" || $(mkdir_p) "$(DESTDIR)$(kadm5includedir)" - @list='$(kadm5include_HEADERS)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(kadm5includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(kadm5includedir)/$$f'"; \ - 
$(kadm5includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(kadm5includedir)/$$f"; \ - done - -uninstall-kadm5includeHEADERS: - @$(NORMAL_UNINSTALL) - @list='$(kadm5include_HEADERS)'; for p in $$list; do \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " rm -f '$(DESTDIR)$(kadm5includedir)/$$f'"; \ - rm -f "$(DESTDIR)$(kadm5includedir)/$$f"; \ - done - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/../.. 
$(distdir)/../../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(HEADERS) all-local -installdirs: - for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(kadm5includedir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - 
-maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-generic clean-libLTLIBRARIES clean-libexecPROGRAMS \ - clean-libtool clean-sbinPROGRAMS mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: install-kadm5includeHEADERS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: install-libLTLIBRARIES install-libexecPROGRAMS \ - install-sbinPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-info-am uninstall-kadm5includeHEADERS \ - uninstall-libLTLIBRARIES uninstall-libexecPROGRAMS \ - uninstall-sbinPROGRAMS - -.PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \ - clean clean-generic clean-libLTLIBRARIES clean-libexecPROGRAMS \ - clean-libtool clean-sbinPROGRAMS ctags distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am html html-am info info-am \ - install install-am install-data install-data-am install-exec \ - install-exec-am install-info install-info-am \ - install-kadm5includeHEADERS install-libLTLIBRARIES \ - install-libexecPROGRAMS install-man install-sbinPROGRAMS \ - install-strip installcheck installcheck-am installdirs \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-compile mostlyclean-generic mostlyclean-libtool 
\ - pdf pdf-am ps ps-am tags uninstall uninstall-am \ - uninstall-info-am uninstall-kadm5includeHEADERS \ - uninstall-libLTLIBRARIES uninstall-libexecPROGRAMS \ - uninstall-sbinPROGRAMS - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 
's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -install-build-headers:: $(kadm5include_HEADERS) - @foo='$(kadm5include_HEADERS)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildkadm5include)/$$f 2> /dev/null ; then \ - : ; else \ - echo "cp $$file $(buildkadm5include)/$$f";\ - cp $$file $(buildkadm5include)/$$f; \ - fi ; \ - done - -$(libkadm5srv_la_OBJECTS): kadm5_err.h - -client_glue.lo server_glue.lo: 
$(srcdir)/common_glue.c - -# to help stupid solaris make - -kadm5_err.h: kadm5_err.et - -$(libkadm5clnt_la_OBJECTS) $(libkadm5srv_la_OBJECTS): $(srcdir)/kadm5-protos.h $(srcdir)/kadm5-private.h -$(srcdir)/kadm5-protos.h: - cd $(srcdir); perl ../../cf/make-proto.pl $(proto_opts) \ - -o kadm5-protos.h \ - $(libkadm5clnt_la_SOURCES) $(libkadm5srv_la_SOURCES) \ - || rm -f kadm5-protos.h - -$(srcdir)/kadm5-private.h: - cd $(srcdir); perl ../../cf/make-proto.pl $(proto_opts) \ - -p kadm5-private.h \ - $(libkadm5clnt_la_SOURCES) $(libkadm5srv_la_SOURCES) \ - || rm -f kadm5-private.h -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal-0.6.3/lib/kadm5/acl.c b/crypto/heimdal-0.6.3/lib/kadm5/acl.c deleted file mode 100644 index 6240588f68..0000000000 --- a/crypto/heimdal-0.6.3/lib/kadm5/acl.c +++ /dev/null 
@@ -1,216 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "kadm5_locl.h" - -RCSID("$Id: acl.c,v 1.13 2001/08/24 04:01:42 assar Exp $"); - -static struct units acl_units[] = { - { "all", KADM5_PRIV_ALL }, - { "change-password",KADM5_PRIV_CPW }, - { "cpw", KADM5_PRIV_CPW }, - { "list", KADM5_PRIV_LIST }, - { "delete", KADM5_PRIV_DELETE }, - { "modify", KADM5_PRIV_MODIFY }, - { "add", KADM5_PRIV_ADD }, - { "get", KADM5_PRIV_GET }, - { NULL } -}; - -kadm5_ret_t -_kadm5_string_to_privs(const char *s, u_int32_t* privs) -{ - int flags; - flags = parse_flags(s, acl_units, 0); - if(flags < 0) - return KADM5_FAILURE; - *privs = flags; - return 0; -} - -kadm5_ret_t -_kadm5_privs_to_string(u_int32_t privs, char *string, size_t len) -{ - if(privs == 0) - strlcpy(string, "none", len); - else - unparse_flags(privs, acl_units + 1, string, len); - return 0; -} - -/* - * retrieve the right for the current caller on `princ' (NULL means all) - * and store them in `ret_flags' - * return 0 or an error. - */ - -static kadm5_ret_t -fetch_acl (kadm5_server_context *context, - krb5_const_principal princ, - unsigned *ret_flags) -{ - FILE *f; - krb5_error_code ret = 0; - char buf[256]; - - *ret_flags = 0; - - /* no acl file -> no rights */ - f = fopen(context->config.acl_file, "r"); - if (f == NULL) - return 0; - - while(fgets(buf, sizeof(buf), f) != NULL) { - char *foo = NULL, *p; - krb5_principal this_princ; - unsigned flags = 0; - - p = strtok_r(buf, " \t\n", &foo); - if(p == NULL) - continue; - if (*p == '#') /* comment */ - continue; - ret = krb5_parse_name(context->context, p, &this_princ); - if(ret) - break; - if(!krb5_principal_compare(context->context, - context->caller, this_princ)) { - krb5_free_principal(context->context, this_princ); - continue; - } - krb5_free_principal(context->context, this_princ); - p = strtok_r(NULL, " \t\n", &foo); - if(p == NULL) - continue; - ret = _kadm5_string_to_privs(p, &flags); - if (ret) - break; - p = strtok_r(NULL, "\n", &foo); - if (p == NULL) { - *ret_flags = flags; - break; - } - if 
(princ != NULL) { - krb5_principal pattern_princ; - krb5_boolean match; - - ret = krb5_parse_name (context->context, p, &pattern_princ); - if (ret) - break; - match = krb5_principal_match (context->context, - princ, pattern_princ); - krb5_free_principal (context->context, pattern_princ); - if (match) { - *ret_flags = flags; - break; - } - } - } - fclose(f); - return ret; -} - -/* - * set global acl flags in `context' for the current caller. - * return 0 on success or an error - */ - -kadm5_ret_t -_kadm5_acl_init(kadm5_server_context *context) -{ - krb5_principal princ; - krb5_error_code ret; - - ret = krb5_parse_name(context->context, KADM5_ADMIN_SERVICE, &princ); - if (ret) - return ret; - ret = krb5_principal_compare(context->context, context->caller, princ); - krb5_free_principal(context->context, princ); - if(ret != 0) { - context->acl_flags = KADM5_PRIV_ALL; - return 0; - } - - return fetch_acl (context, NULL, &context->acl_flags); -} - -/* - * check if `flags' allows `op' - * return 0 if OK or an error - */ - -static kadm5_ret_t -check_flags (unsigned op, - unsigned flags) -{ - unsigned res = ~flags & op; - - if(res & KADM5_PRIV_GET) - return KADM5_AUTH_GET; - if(res & KADM5_PRIV_ADD) - return KADM5_AUTH_ADD; - if(res & KADM5_PRIV_MODIFY) - return KADM5_AUTH_MODIFY; - if(res & KADM5_PRIV_DELETE) - return KADM5_AUTH_DELETE; - if(res & KADM5_PRIV_CPW) - return KADM5_AUTH_CHANGEPW; - if(res & KADM5_PRIV_LIST) - return KADM5_AUTH_LIST; - if(res) - return KADM5_AUTH_INSUFFICIENT; - return 0; -} - -/* - * return 0 if the current caller in `context' is allowed to perform - * `op' on `princ' and otherwise an error - * princ == NULL if it's not relevant. 
- */ - -kadm5_ret_t -_kadm5_acl_check_permission(kadm5_server_context *context, - unsigned op, - krb5_const_principal princ) -{ - kadm5_ret_t ret; - unsigned princ_flags; - - ret = check_flags (op, context->acl_flags); - if (ret == 0) - return ret; - ret = fetch_acl (context, princ, &princ_flags); - if (ret) - return ret; - return check_flags (op, princ_flags); -} diff --git a/crypto/heimdal-0.6.3/lib/kadm5/admin.h b/crypto/heimdal-0.6.3/lib/kadm5/admin.h deleted file mode 100644 index d9bd85f963..0000000000 --- a/crypto/heimdal-0.6.3/lib/kadm5/admin.h +++ /dev/null 
@@ -1,243 +0,0 @@
-/*
- * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ -/* $Id: admin.h,v 1.18 2000/08/04 11:26:21 joda Exp $ */ - -#ifndef __KADM5_ADMIN_H__ -#define __KADM5_ADMIN_H__ - -#define KADM5_API_VERSION_1 1 -#define KADM5_API_VERSION_2 2 - -#ifndef USE_KADM5_API_VERSION -#define USE_KADM5_API_VERSION KADM5_API_VERSION_2 -#endif - -#if USE_KADM5_API_VERSION != KADM5_API_VERSION_2 -#error No support for API versions other than 2 -#endif - -#define KADM5_STRUCT_VERSION 0 - -#include - -#define KRB5_KDB_DISALLOW_POSTDATED 0x00000001 -#define KRB5_KDB_DISALLOW_FORWARDABLE 0x00000002 -#define KRB5_KDB_DISALLOW_TGT_BASED 0x00000004 -#define KRB5_KDB_DISALLOW_RENEWABLE 0x00000008 -#define KRB5_KDB_DISALLOW_PROXIABLE 0x00000010 -#define KRB5_KDB_DISALLOW_DUP_SKEY 0x00000020 -#define KRB5_KDB_DISALLOW_ALL_TIX 0x00000040 -#define KRB5_KDB_REQUIRES_PRE_AUTH 0x00000080 -#define KRB5_KDB_REQUIRES_HW_AUTH 0x00000100 -#define KRB5_KDB_REQUIRES_PWCHANGE 0x00000200 -#define KRB5_KDB_DISALLOW_SVR 0x00001000 -#define KRB5_KDB_PWCHANGE_SERVICE 0x00002000 -#define KRB5_KDB_SUPPORT_DESMD5 0x00004000 -#define KRB5_KDB_NEW_PRINC 0x00008000 - -#define KADM5_PRINCIPAL 0x000001 -#define KADM5_PRINC_EXPIRE_TIME 0x000002 -#define KADM5_PW_EXPIRATION 0x000004 -#define KADM5_LAST_PWD_CHANGE 0x000008 -#define KADM5_ATTRIBUTES 0x000010 -#define KADM5_MAX_LIFE 0x000020 -#define KADM5_MOD_TIME 0x000040 -#define KADM5_MOD_NAME 0x000080 -#define KADM5_KVNO 0x000100 -#define KADM5_MKVNO 0x000200 -#define KADM5_AUX_ATTRIBUTES 0x000400 -#define KADM5_POLICY 0x000800 -#define KADM5_POLICY_CLR 0x001000 -#define KADM5_MAX_RLIFE 0x002000 -#define KADM5_LAST_SUCCESS 0x004000 -#define KADM5_LAST_FAILED 0x008000 -#define KADM5_FAIL_AUTH_COUNT 0x010000 -#define KADM5_KEY_DATA 0x020000 -#define KADM5_TL_DATA 0x040000 - -#define KADM5_PRINCIPAL_NORMAL_MASK (~(KADM5_KEY_DATA | KADM5_TL_DATA)) - -#define KADM5_PW_MAX_LIFE 0x004000 -#define KADM5_PW_MIN_LIFE 0x008000 -#define KADM5_PW_MIN_LENGTH 0x010000 -#define KADM5_PW_MIN_CLASSES 0x020000 -#define KADM5_PW_HISTORY_NUM 
0x040000 -#define KADM5_REF_COUNT 0x080000 - -#define KADM5_POLICY_NORMAL_MASK (~0) - -#define KADM5_ADMIN_SERVICE "kadmin/admin" -#define KADM5_HIST_PRINCIPAL "kadmin/history" -#define KADM5_CHANGEPW_SERVICE "kadmin/changepw" - -typedef struct _krb5_key_data { - int16_t key_data_ver; /* Version */ - int16_t key_data_kvno; /* Key Version */ - int16_t key_data_type[2]; /* Array of types */ - int16_t key_data_length[2]; /* Array of lengths */ - void* key_data_contents[2];/* Array of pointers */ -} krb5_key_data; - -typedef struct _krb5_tl_data { - struct _krb5_tl_data* tl_data_next; - int16_t tl_data_type; - int16_t tl_data_length; - void* tl_data_contents; -} krb5_tl_data; - -typedef struct _kadm5_principal_ent_t { - krb5_principal principal; - - krb5_timestamp princ_expire_time; - krb5_timestamp last_pwd_change; - krb5_timestamp pw_expiration; - krb5_deltat max_life; - krb5_principal mod_name; - krb5_timestamp mod_date; - krb5_flags attributes; - krb5_kvno kvno; - krb5_kvno mkvno; - - char * policy; - u_int32_t aux_attributes; - - krb5_deltat max_renewable_life; - krb5_timestamp last_success; - krb5_timestamp last_failed; - krb5_kvno fail_auth_count; - int16_t n_key_data; - int16_t n_tl_data; - krb5_tl_data *tl_data; - krb5_key_data *key_data; -} kadm5_principal_ent_rec, *kadm5_principal_ent_t; - -typedef struct _kadm5_policy_ent_t { - char *policy; - - u_int32_t pw_min_life; - u_int32_t pw_max_life; - u_int32_t pw_min_length; - u_int32_t pw_min_classes; - u_int32_t pw_history_num; - u_int32_t policy_refcnt; -} kadm5_policy_ent_rec, *kadm5_policy_ent_t; - -#define KADM5_CONFIG_REALM (1 << 0) -#define KADM5_CONFIG_PROFILE (1 << 1) -#define KADM5_CONFIG_KADMIND_PORT (1 << 2) -#define KADM5_CONFIG_ADMIN_SERVER (1 << 3) -#define KADM5_CONFIG_DBNAME (1 << 4) -#define KADM5_CONFIG_ADBNAME (1 << 5) -#define KADM5_CONFIG_ADB_LOCKFILE (1 << 6) -#define KADM5_CONFIG_ACL_FILE (1 << 7) -#define KADM5_CONFIG_DICT_FILE (1 << 8) -#define KADM5_CONFIG_ADMIN_KEYTAB (1 << 9) 
-#define KADM5_CONFIG_MKEY_FROM_KEYBOARD (1 << 10) -#define KADM5_CONFIG_STASH_FILE (1 << 11) -#define KADM5_CONFIG_MKEY_NAME (1 << 12) -#define KADM5_CONFIG_ENCTYPE (1 << 13) -#define KADM5_CONFIG_MAX_LIFE (1 << 14) -#define KADM5_CONFIG_MAX_RLIFE (1 << 15) -#define KADM5_CONFIG_EXPIRATION (1 << 16) -#define KADM5_CONFIG_FLAGS (1 << 17) -#define KADM5_CONFIG_ENCTYPES (1 << 18) - -#define KADM5_PRIV_GET (1 << 0) -#define KADM5_PRIV_ADD (1 << 1) -#define KADM5_PRIV_MODIFY (1 << 2) -#define KADM5_PRIV_DELETE (1 << 3) -#define KADM5_PRIV_LIST (1 << 4) -#define KADM5_PRIV_CPW (1 << 5) -#define KADM5_PRIV_ALL (KADM5_PRIV_GET | KADM5_PRIV_ADD | KADM5_PRIV_MODIFY | KADM5_PRIV_DELETE | KADM5_PRIV_LIST | KADM5_PRIV_CPW) - -typedef struct { - int XXX; -}krb5_key_salt_tuple; - -typedef struct _kadm5_config_params { - u_int32_t mask; - - /* Client and server fields */ - char *realm; - int kadmind_port; - - /* client fields */ - char *admin_server; - - /* server fields */ - char *dbname; - char *acl_file; - - /* server library (database) fields */ - char *stash_file; -} kadm5_config_params; - -typedef krb5_error_code kadm5_ret_t; - -#include "kadm5-protos.h" - -#if 0 -/* unimplemented functions */ -kadm5_ret_t -kadm5_decrypt_key(void *server_handle, - kadm5_principal_ent_t entry, int32_t - ktype, int32_t stype, int32_t - kvno, krb5_keyblock *keyblock, - krb5_keysalt *keysalt, int *kvnop); - -kadm5_ret_t -kadm5_create_policy(void *server_handle, - kadm5_policy_ent_t policy, u_int32_t mask); - -kadm5_ret_t -kadm5_delete_policy(void *server_handle, char *policy); - - -kadm5_ret_t -kadm5_modify_policy(void *server_handle, - kadm5_policy_ent_t policy, - u_int32_t mask); - -kadm5_ret_t -kadm5_get_policy(void *server_handle, char *policy, kadm5_policy_ent_t ent); - -kadm5_ret_t -kadm5_get_policies(void *server_handle, char *exp, - char ***pols, int *count); - -void -kadm5_free_policy_ent(kadm5_policy_ent_t policy); - -#endif - -#endif /* __KADM5_ADMIN_H__ */ 
diff --git a/crypto/heimdal-0.6.3/lib/kadm5/bump_pw_expire.c b/crypto/heimdal-0.6.3/lib/kadm5/bump_pw_expire.c
deleted file mode 100644
index a185c20daf..0000000000
--- a/crypto/heimdal-0.6.3/lib/kadm5/bump_pw_expire.c
+++ /dev/null
@@ -1,59 +0,0 @@
-/*
- * Copyright (c) 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "kadm5_locl.h" - -RCSID("$Id: bump_pw_expire.c,v 1.1 2000/07/24 03:47:54 assar Exp $"); - -/* - * extend password_expiration if it's defined - */ - -kadm5_ret_t -_kadm5_bump_pw_expire(kadm5_server_context *context, - hdb_entry *ent) -{ - if (ent->pw_end != NULL) { - time_t life; - - life = krb5_config_get_time_default(context->context, - NULL, - 365 * 24 * 60 * 60, - "kadmin", - "password_lifetime", - NULL); - - *(ent->pw_end) = time(NULL) + life; - } - return 0; -} diff --git a/crypto/heimdal-0.6.3/lib/kadm5/chpass_c.c b/crypto/heimdal-0.6.3/lib/kadm5/chpass_c.c deleted file mode 100644 index b06b8cd2a7..0000000000 --- a/crypto/heimdal-0.6.3/lib/kadm5/chpass_c.c +++ /dev/null 
@@ -1,116 +0,0 @@
-/*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "kadm5_locl.h" - -RCSID("$Id: chpass_c.c,v 1.5 2000/07/11 15:59:14 joda Exp $"); - -kadm5_ret_t -kadm5_c_chpass_principal(void *server_handle, - krb5_principal princ, - char *password) -{ - kadm5_client_context *context = server_handle; - kadm5_ret_t ret; - krb5_storage *sp; - unsigned char buf[1024]; - int32_t tmp; - krb5_data reply; - - ret = _kadm5_connect(server_handle); - if(ret) - return ret; - - sp = krb5_storage_from_mem(buf, sizeof(buf)); - if (sp == NULL) - return ENOMEM; - krb5_store_int32(sp, kadm_chpass); - krb5_store_principal(sp, princ); - krb5_store_string(sp, password); - ret = _kadm5_client_send(context, sp); - krb5_storage_free(sp); - ret = _kadm5_client_recv(context, &reply); - if(ret) - return ret; - sp = krb5_storage_from_data (&reply); - if (sp == NULL) { - krb5_data_free (&reply); - return ENOMEM; - } - krb5_ret_int32(sp, &tmp); - krb5_storage_free(sp); - krb5_data_free (&reply); - return tmp; -} - -kadm5_ret_t -kadm5_c_chpass_principal_with_key(void *server_handle, - krb5_principal princ, - int n_key_data, - krb5_key_data *key_data) -{ - kadm5_client_context *context = server_handle; - kadm5_ret_t ret; - krb5_storage *sp; - unsigned char buf[1024]; - int32_t tmp; - krb5_data reply; - int i; - - ret = _kadm5_connect(server_handle); - if(ret) - return ret; - - sp = krb5_storage_from_mem(buf, sizeof(buf)); - if (sp == NULL) - return ENOMEM; - krb5_store_int32(sp, kadm_chpass_with_key); - krb5_store_principal(sp, princ); - krb5_store_int32(sp, n_key_data); - for (i = 0; i < n_key_data; ++i) - kadm5_store_key_data (sp, &key_data[i]); - ret = _kadm5_client_send(context, sp); - krb5_storage_free(sp); - ret = _kadm5_client_recv(context, &reply); - if(ret) - return ret; - sp = krb5_storage_from_data (&reply); - if (sp == NULL) { - krb5_data_free (&reply); - return ENOMEM; - } - krb5_ret_int32(sp, &tmp); - krb5_storage_free(sp); - krb5_data_free (&reply); - return tmp; -} 
diff --git a/crypto/heimdal-0.6.3/lib/kadm5/chpass_s.c b/crypto/heimdal-0.6.3/lib/kadm5/chpass_s.c
deleted file mode 100644
index a1a4b4395d..0000000000
--- a/crypto/heimdal-0.6.3/lib/kadm5/chpass_s.c
+++ /dev/null
@@ -1,179 +0,0 @@
-/*
- * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "kadm5_locl.h" - -RCSID("$Id: chpass_s.c,v 1.13.8.1 2003/12/30 15:59:58 lha Exp $"); - -static kadm5_ret_t -change(void *server_handle, - krb5_principal princ, - char *password, - int cond) -{ - kadm5_server_context *context = server_handle; - hdb_entry ent; - kadm5_ret_t ret; - Key *keys; - size_t num_keys; - int cmp = 1; - - ent.principal = princ; - ret = context->db->open(context->context, context->db, O_RDWR, 0); - if(ret) - return ret; - ret = context->db->fetch(context->context, context->db, - HDB_F_DECRYPT, &ent); - if(ret == HDB_ERR_NOENTRY) - goto out; - - num_keys = ent.keys.len; - keys = ent.keys.val; - - ent.keys.len = 0; - ent.keys.val = NULL; - - ret = _kadm5_set_keys(context, &ent, password); - if(ret) { - _kadm5_free_keys (server_handle, num_keys, keys); - goto out2; - } - if (cond) - cmp = _kadm5_cmp_keys (ent.keys.val, ent.keys.len, - keys, num_keys); - _kadm5_free_keys (server_handle, num_keys, keys); - - if (cmp == 0) { - krb5_set_error_string(context->context, "Password reuse forbidden"); - ret = KADM5_PASS_REUSE; - goto out2; - } - ret = _kadm5_set_modifier(context, &ent); - if(ret) - goto out2; - - ret = _kadm5_bump_pw_expire(context, &ent); - if (ret) - goto out2; - - ret = hdb_seal_keys(context->context, context->db, &ent); - if (ret) - goto out2; - - kadm5_log_modify (context, - &ent, - KADM5_PRINCIPAL | KADM5_MOD_NAME | KADM5_MOD_TIME | - KADM5_KEY_DATA | KADM5_KVNO | KADM5_PW_EXPIRATION); - - ret = context->db->store(context->context, context->db, - HDB_F_REPLACE, &ent); -out2: - hdb_free_entry(context->context, &ent); -out: - context->db->close(context->context, context->db); - return _kadm5_error_code(ret); -} - - - -/* - * change the password of `princ' to `password' if it's not already that. 
- */ - -kadm5_ret_t -kadm5_s_chpass_principal_cond(void *server_handle, - krb5_principal princ, - char *password) -{ - return change (server_handle, princ, password, 1); -} - -/* - * change the password of `princ' to `password' - */ - -kadm5_ret_t -kadm5_s_chpass_principal(void *server_handle, - krb5_principal princ, - char *password) -{ - return change (server_handle, princ, password, 0); -} - -/* - * change keys for `princ' to `keys' - */ - -kadm5_ret_t -kadm5_s_chpass_principal_with_key(void *server_handle, - krb5_principal princ, - int n_key_data, - krb5_key_data *key_data) -{ - kadm5_server_context *context = server_handle; - hdb_entry ent; - kadm5_ret_t ret; - ent.principal = princ; - ret = context->db->open(context->context, context->db, O_RDWR, 0); - if(ret) - return ret; - ret = context->db->fetch(context->context, context->db, 0, &ent); - if(ret == HDB_ERR_NOENTRY) - goto out; - ret = _kadm5_set_keys2(context, &ent, n_key_data, key_data); - if(ret) - goto out2; - ret = _kadm5_set_modifier(context, &ent); - if(ret) - goto out2; - ret = _kadm5_bump_pw_expire(context, &ent); - if (ret) - goto out2; - - ret = hdb_seal_keys(context->context, context->db, &ent); - if (ret) - goto out2; - - kadm5_log_modify (context, - &ent, - KADM5_PRINCIPAL | KADM5_MOD_NAME | KADM5_MOD_TIME | - KADM5_KEY_DATA | KADM5_KVNO | KADM5_PW_EXPIRATION); - - ret = context->db->store(context->context, context->db, - HDB_F_REPLACE, &ent); -out2: - hdb_free_entry(context->context, &ent); -out: - context->db->close(context->context, context->db); - return _kadm5_error_code(ret); -} diff --git a/crypto/heimdal-0.6.3/lib/kadm5/client_glue.c b/crypto/heimdal-0.6.3/lib/kadm5/client_glue.c deleted file mode 100644 index 395577ddb3..0000000000 --- a/crypto/heimdal-0.6.3/lib/kadm5/client_glue.c +++ /dev/null 
@@ -1,150 +0,0 @@
-/*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "kadm5_locl.h" - -RCSID("$Id: client_glue.c,v 1.5 1999/12/02 17:05:05 joda Exp $"); - -kadm5_ret_t -kadm5_init_with_password(const char *client_name, - const char *password, - const char *service_name, - kadm5_config_params *realm_params, - unsigned long struct_version, - unsigned long api_version, - void **server_handle) -{ - return kadm5_c_init_with_password(client_name, - password, - service_name, - realm_params, - struct_version, - api_version, - server_handle); -} - -kadm5_ret_t -kadm5_init_with_password_ctx(krb5_context context, - const char *client_name, - const char *password, - const char *service_name, - kadm5_config_params *realm_params, - unsigned long struct_version, - unsigned long api_version, - void **server_handle) -{ - return kadm5_c_init_with_password_ctx(context, - client_name, - password, - service_name, - realm_params, - struct_version, - api_version, - server_handle); -} - -kadm5_ret_t -kadm5_init_with_skey(const char *client_name, - const char *keytab, - const char *service_name, - kadm5_config_params *realm_params, - unsigned long struct_version, - unsigned long api_version, - void **server_handle) -{ - return kadm5_c_init_with_skey(client_name, - keytab, - service_name, - realm_params, - struct_version, - api_version, - server_handle); -} - -kadm5_ret_t -kadm5_init_with_skey_ctx(krb5_context context, - const char *client_name, - const char *keytab, - const char *service_name, - kadm5_config_params *realm_params, - unsigned long struct_version, - unsigned long api_version, - void **server_handle) -{ - return kadm5_c_init_with_skey_ctx(context, - client_name, - keytab, - service_name, - realm_params, - struct_version, - api_version, - server_handle); -} - -kadm5_ret_t -kadm5_init_with_creds(const char *client_name, - krb5_ccache ccache, - const char *service_name, - kadm5_config_params *realm_params, - unsigned long struct_version, - unsigned long api_version, - void **server_handle) -{ - return 
kadm5_c_init_with_creds(client_name, - ccache, - service_name, - realm_params, - struct_version, - api_version, - server_handle); -} - -kadm5_ret_t -kadm5_init_with_creds_ctx(krb5_context context, - const char *client_name, - krb5_ccache ccache, - const char *service_name, - kadm5_config_params *realm_params, - unsigned long struct_version, - unsigned long api_version, - void **server_handle) -{ - return kadm5_c_init_with_creds_ctx(context, - client_name, - ccache, - service_name, - realm_params, - struct_version, - api_version, - server_handle); -} diff --git a/crypto/heimdal-0.6.3/lib/kadm5/common_glue.c b/crypto/heimdal-0.6.3/lib/kadm5/common_glue.c deleted file mode 100644 index b508282690..0000000000 --- a/crypto/heimdal-0.6.3/lib/kadm5/common_glue.c +++ /dev/null 
@@ -1,134 +0,0 @@
-/*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "kadm5_locl.h" - -RCSID("$Id: common_glue.c,v 1.5 2000/03/23 22:58:26 assar Exp $"); - -#define __CALL(F, P) (*((kadm5_common_context*)server_handle)->funcs.F)P; - -kadm5_ret_t -kadm5_chpass_principal(void *server_handle, - krb5_principal princ, - char *password) -{ - return __CALL(chpass_principal, (server_handle, princ, password)); -} - -kadm5_ret_t -kadm5_chpass_principal_with_key(void *server_handle, - krb5_principal princ, - int n_key_data, - krb5_key_data *key_data) -{ - return __CALL(chpass_principal_with_key, - (server_handle, princ, n_key_data, key_data)); -} - -kadm5_ret_t -kadm5_create_principal(void *server_handle, - kadm5_principal_ent_t princ, - u_int32_t mask, - char *password) -{ - return __CALL(create_principal, (server_handle, princ, mask, password)); -} - -kadm5_ret_t -kadm5_delete_principal(void *server_handle, - krb5_principal princ) -{ - return __CALL(delete_principal, (server_handle, princ)); -} - -kadm5_ret_t -kadm5_destroy (void *server_handle) -{ - return __CALL(destroy, (server_handle)); -} - -kadm5_ret_t -kadm5_flush (void *server_handle) -{ - return __CALL(flush, (server_handle)); -} - -kadm5_ret_t -kadm5_get_principal(void *server_handle, - krb5_principal princ, - kadm5_principal_ent_t out, - u_int32_t mask) -{ - return __CALL(get_principal, (server_handle, princ, out, mask)); -} - -kadm5_ret_t -kadm5_modify_principal(void *server_handle, - kadm5_principal_ent_t princ, - u_int32_t mask) -{ - return __CALL(modify_principal, (server_handle, princ, mask)); -} - -kadm5_ret_t -kadm5_randkey_principal(void *server_handle, - krb5_principal princ, - krb5_keyblock **new_keys, - int *n_keys) -{ - return __CALL(randkey_principal, (server_handle, princ, new_keys, n_keys)); -} - -kadm5_ret_t -kadm5_rename_principal(void *server_handle, - krb5_principal source, - krb5_principal target) -{ - return __CALL(rename_principal, (server_handle, source, target)); -} - -kadm5_ret_t -kadm5_get_principals(void *server_handle, - const char 
*exp, - char ***princs, - int *count) -{ - return __CALL(get_principals, (server_handle, exp, princs, count)); -} - -kadm5_ret_t -kadm5_get_privs(void *server_handle, - u_int32_t *privs) -{ - return __CALL(get_privs, (server_handle, privs)); -} diff --git a/crypto/heimdal-0.6.3/lib/kadm5/context_s.c b/crypto/heimdal-0.6.3/lib/kadm5/context_s.c deleted file mode 100644 index a5a78e6bab..0000000000 --- a/crypto/heimdal-0.6.3/lib/kadm5/context_s.c +++ /dev/null 
@@ -1,225 +0,0 @@
-/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kadm5_locl.h"
-
-RCSID("$Id: context_s.c,v 1.17 2002/08/26 13:28:36 assar Exp $");
-
-static void
-set_funcs(kadm5_server_context *c)
-{
-#define SET(C, F) (C)->funcs.F = kadm5_s_ ## F
- SET(c, chpass_principal);
- SET(c, chpass_principal_with_key);
- SET(c, create_principal);
- SET(c, delete_principal);
- SET(c, destroy);
- SET(c, flush);
- SET(c, get_principal);
- SET(c, get_principals);
- SET(c, get_privs);
- SET(c, modify_principal);
- SET(c, randkey_principal);
- SET(c, rename_principal);
-}
-
-struct database_spec {
- char *dbpath;
- char *logfile;
- char *mkeyfile;
- char *aclfile;
-};
-
-static void
-set_field(krb5_context context, krb5_config_binding *binding,
- const char *dbname, const char *name, const char *ext,
- char **variable)
-{
- const char *p;
-
- if (*variable != NULL)
- free (*variable);
-
- p = krb5_config_get_string(context, binding, name, NULL);
- if(p)
- *variable = strdup(p);
- else {
- p = strrchr(dbname, '.');
- if(p == NULL)
- asprintf(variable, "%s.%s", dbname, ext);
- else
- asprintf(variable, "%.*s.%s", (int)(p - dbname), dbname, ext);
- }
-}
-
-static void
-set_socket_name(const char *dbname, struct sockaddr_un *un)
-{
- const char *p;
- memset(un, 0, sizeof(*un));
- un->sun_family = AF_UNIX;
- p = strrchr(dbname, '.');
- if(p == NULL)
- snprintf(un->sun_path, sizeof(un->sun_path), "%s.signal",
- dbname);
- else
- snprintf(un->sun_path, sizeof(un->sun_path), "%.*s.signal",
- (int)(p - dbname), dbname);
-}
-
-static void
-set_config(kadm5_server_context *ctx,
- krb5_config_binding *binding)
-{
- const char *p;
- if(ctx->config.dbname == NULL) {
- p = krb5_config_get_string(ctx->context, binding, "dbname", NULL);
- if(p)
- ctx->config.dbname = strdup(p);
- else
- ctx->config.dbname = strdup(HDB_DEFAULT_DB);
- }
- if(ctx->log_context.log_file == NULL)
- set_field(ctx->context, binding, ctx->config.dbname,
- "log_file", "log", &ctx->log_context.log_file);
- set_socket_name(ctx->config.dbname, &ctx->log_context.socket_name);
- if(ctx->config.acl_file == NULL)
- set_field(ctx->context, binding, ctx->config.dbname,
- "acl_file", "acl", &ctx->config.acl_file);
- if(ctx->config.stash_file == NULL)
- set_field(ctx->context, binding, ctx->config.dbname,
- "mkey_file", "mkey", &ctx->config.stash_file);
-}
-
-static kadm5_ret_t
-find_db_spec(kadm5_server_context *ctx)
-{
- const krb5_config_binding *top_binding = NULL;
- krb5_config_binding *db_binding;
- krb5_config_binding *default_binding = NULL;
- krb5_context context = ctx->context;
-
- while((db_binding = (krb5_config_binding *)
- krb5_config_get_next(context,
- NULL,
- &top_binding,
- krb5_config_list,
- "kdc",
- "database",
- NULL))) {
- const char *p;
- p = krb5_config_get_string(context, db_binding, "realm", NULL);
- if(p == NULL) {
- if(default_binding) {
- krb5_warnx(context, "WARNING: more than one realm-less "
- "database specification");
- krb5_warnx(context, "WARNING: using the first encountered");
- } else
- default_binding = db_binding;
- continue;
- }
- if(strcmp(ctx->config.realm, p) != 0)
- continue;
-
- set_config(ctx, db_binding);
- return 0;
- }
- if(default_binding)
- set_config(ctx, default_binding);
- else {
- ctx->config.dbname = strdup(HDB_DEFAULT_DB);
- ctx->config.acl_file = strdup(HDB_DB_DIR "/kadmind.acl");
- ctx->config.stash_file = strdup(HDB_DB_DIR "/m-key");
- ctx->log_context.log_file = strdup(HDB_DB_DIR "/log");
- memset(&ctx->log_context.socket_name, 0,
- sizeof(ctx->log_context.socket_name));
- ctx->log_context.socket_name.sun_family = AF_UNIX;
- strlcpy(ctx->log_context.socket_name.sun_path,
- KADM5_LOG_SIGNAL,
- sizeof(ctx->log_context.socket_name.sun_path));
- }
- return 0;
-}
-
-kadm5_ret_t
-_kadm5_s_init_context(kadm5_server_context **ctx,
- kadm5_config_params *params,
- krb5_context context)
-{
- *ctx = malloc(sizeof(**ctx));
- if(*ctx == NULL)
- return ENOMEM;
- memset(*ctx, 0, sizeof(**ctx));
- set_funcs(*ctx);
- (*ctx)->context = context;
- krb5_add_et_list (context, initialize_kadm5_error_table_r);
-#define is_set(M) (params && params->mask & KADM5_CONFIG_ ## M)
- if(is_set(REALM))
- (*ctx)->config.realm = strdup(params->realm);
- else
- krb5_get_default_realm(context, &(*ctx)->config.realm);
- if(is_set(DBNAME))
- (*ctx)->config.dbname = strdup(params->dbname);
- if(is_set(ACL_FILE))
- (*ctx)->config.acl_file = strdup(params->acl_file);
- if(is_set(STASH_FILE))
- (*ctx)->config.stash_file = strdup(params->stash_file);
-
- find_db_spec(*ctx);
-
- /* PROFILE can't be specified for now */
- /* KADMIND_PORT is supposed to be used on the server also,
- but this doesn't make sense */
- /* ADMIN_SERVER is client only */
- /* ADNAME is not used at all (as far as I can tell) */
- /* ADB_LOCKFILE ditto */
- /* DICT_FILE */
- /* ADMIN_KEYTAB */
- /* MKEY_FROM_KEYBOARD is not supported */
- /* MKEY_NAME neither */
- /* ENCTYPE */
- /* MAX_LIFE */
- /* MAX_RLIFE */
- /* EXPIRATION */
- /* FLAGS */
- /* ENCTYPES */
-
- return 0;
-}
-
-HDB *
-_kadm5_s_get_db(void *server_handle)
-{
- kadm5_server_context *context = server_handle;
- return context->db;
-}
diff --git a/crypto/heimdal-0.6.3/lib/kadm5/create_c.c b/crypto/heimdal-0.6.3/lib/kadm5/create_c.c
deleted file mode 100644
index 8d81cb3c55..0000000000
--- a/crypto/heimdal-0.6.3/lib/kadm5/create_c.c
+++ /dev/null
@@ -1,77 +0,0 @@
-/*
- * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kadm5_locl.h"
-
-RCSID("$Id: create_c.c,v 1.4 2000/07/11 15:59:21 joda Exp $");
-
-kadm5_ret_t
-kadm5_c_create_principal(void *server_handle,
- kadm5_principal_ent_t princ,
- u_int32_t mask,
- char *password)
-{
- kadm5_client_context *context = server_handle;
- kadm5_ret_t ret;
- krb5_storage *sp;
- unsigned char buf[1024];
- int32_t tmp;
- krb5_data reply;
-
- ret = _kadm5_connect(server_handle);
- if(ret)
- return ret;
-
- sp = krb5_storage_from_mem(buf, sizeof(buf));
- if (sp == NULL)
- return ENOMEM;
- krb5_store_int32(sp, kadm_create);
- kadm5_store_principal_ent(sp, princ);
- krb5_store_int32(sp, mask);
- krb5_store_string(sp, password);
- ret = _kadm5_client_send(context, sp);
- krb5_storage_free(sp);
- ret = _kadm5_client_recv(context, &reply);
- if(ret)
- return ret;
- sp = krb5_storage_from_data (&reply);
- if (sp == NULL) {
- krb5_data_free (&reply);
- return ENOMEM;
- }
- krb5_ret_int32(sp, &tmp);
- krb5_storage_free(sp);
- krb5_data_free (&reply);
- return tmp;
-}
-
diff --git a/crypto/heimdal-0.6.3/lib/kadm5/create_s.c b/crypto/heimdal-0.6.3/lib/kadm5/create_s.c
deleted file mode 100644
index 287211b332..0000000000
--- a/crypto/heimdal-0.6.3/lib/kadm5/create_s.c
+++ /dev/null
@@ -1,198 +0,0 @@
-/*
- * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kadm5_locl.h"
-
-RCSID("$Id: create_s.c,v 1.19 2001/01/30 01:24:28 assar Exp $");
-
-static kadm5_ret_t
-get_default(kadm5_server_context *context, krb5_principal princ,
- kadm5_principal_ent_t def)
-{
- kadm5_ret_t ret;
- krb5_principal def_principal;
- krb5_realm *realm = krb5_princ_realm(context->context, princ);
-
- ret = krb5_make_principal(context->context, &def_principal,
- *realm, "default", NULL);
- if (ret)
- return ret;
- ret = kadm5_s_get_principal(context, def_principal, def,
- KADM5_PRINCIPAL_NORMAL_MASK);
- krb5_free_principal (context->context, def_principal);
- return ret;
-}
-
-static kadm5_ret_t
-create_principal(kadm5_server_context *context,
- kadm5_principal_ent_t princ,
- u_int32_t mask,
- hdb_entry *ent,
- u_int32_t required_mask,
- u_int32_t forbidden_mask)
-{
- kadm5_ret_t ret;
- kadm5_principal_ent_rec defrec, *defent;
- u_int32_t def_mask;
-
- if((mask & required_mask) != required_mask)
- return KADM5_BAD_MASK;
- if((mask & forbidden_mask))
- return KADM5_BAD_MASK;
- if((mask & KADM5_POLICY) && strcmp(princ->policy, "default"))
- /* XXX no real policies for now */
- return KADM5_UNK_POLICY;
- memset(ent, 0, sizeof(*ent));
- ret = krb5_copy_principal(context->context, princ->principal,
- &ent->principal);
- if(ret)
- return ret;
-
- defent = &defrec;
- ret = get_default(context, princ->principal, defent);
- if(ret) {
- defent = NULL;
- def_mask = 0;
- } else {
- def_mask = KADM5_ATTRIBUTES | KADM5_MAX_LIFE | KADM5_MAX_RLIFE;
- }
-
- ret = _kadm5_setup_entry(context,
- ent, mask | def_mask,
- princ, mask,
- defent, def_mask);
- if(defent)
- kadm5_free_principal_ent(context, defent);
-
- ent->created_by.time = time(NULL);
- ret = krb5_copy_principal(context->context, context->caller,
- &ent->created_by.principal);
-
- return ret;
-}
-
-kadm5_ret_t
-kadm5_s_create_principal_with_key(void *server_handle,
- kadm5_principal_ent_t princ,
- u_int32_t mask)
-{
- kadm5_ret_t ret;
- hdb_entry ent;
- kadm5_server_context *context = server_handle;
-
- ret = create_principal(context, princ, mask, &ent,
- KADM5_PRINCIPAL | KADM5_KEY_DATA,
- KADM5_LAST_PWD_CHANGE | KADM5_MOD_TIME
- | KADM5_MOD_NAME | KADM5_MKVNO
- | KADM5_AUX_ATTRIBUTES
- | KADM5_POLICY_CLR | KADM5_LAST_SUCCESS
- | KADM5_LAST_FAILED | KADM5_FAIL_AUTH_COUNT);
- if(ret)
- goto out;
-
- ret = _kadm5_set_keys2(context, &ent, princ->n_key_data, princ->key_data);
- if(ret)
- goto out;
-
- ret = hdb_seal_keys(context->context, context->db, &ent);
- if (ret)
- goto out;
-
- kadm5_log_create (context, &ent);
-
- ret = context->db->open(context->context, context->db, O_RDWR, 0);
- if(ret)
- goto out;
- ret = context->db->store(context->context, context->db, 0, &ent);
- context->db->close(context->context, context->db);
-out:
- hdb_free_entry(context->context, &ent);
- return _kadm5_error_code(ret);
-}
-
-
-kadm5_ret_t
-kadm5_s_create_principal(void *server_handle,
- kadm5_principal_ent_t princ,
- u_int32_t mask,
- char *password)
-{
- kadm5_ret_t ret;
- hdb_entry ent;
- kadm5_server_context *context = server_handle;
-
- ret = create_principal(context, princ, mask, &ent,
- KADM5_PRINCIPAL,
- KADM5_LAST_PWD_CHANGE | KADM5_MOD_TIME
- | KADM5_MOD_NAME | KADM5_MKVNO
- | KADM5_AUX_ATTRIBUTES | KADM5_KEY_DATA
- | KADM5_POLICY_CLR | KADM5_LAST_SUCCESS
- | KADM5_LAST_FAILED | KADM5_FAIL_AUTH_COUNT);
- if(ret)
- goto out;
-
- /* XXX this should be fixed */
- ent.keys.len = 4;
- ent.keys.val = calloc(ent.keys.len, sizeof(*ent.keys.val));
- ent.keys.val[0].key.keytype = ETYPE_DES_CBC_CRC;
- /* flag as version 4 compatible salt; ignored by _kadm5_set_keys
- if we don't want to be compatible */
- ent.keys.val[0].salt = calloc(1, sizeof(*ent.keys.val[0].salt));
- ent.keys.val[0].salt->type = hdb_pw_salt;
- ent.keys.val[1].key.keytype = ETYPE_DES_CBC_MD4;
- ent.keys.val[1].salt = calloc(1, sizeof(*ent.keys.val[1].salt));
- ent.keys.val[1].salt->type = hdb_pw_salt;
- ent.keys.val[2].key.keytype = ETYPE_DES_CBC_MD5;
- ent.keys.val[2].salt = calloc(1, sizeof(*ent.keys.val[2].salt));
- ent.keys.val[2].salt->type = hdb_pw_salt;
- ent.keys.val[3].key.keytype = ETYPE_DES3_CBC_SHA1;
- ret = _kadm5_set_keys(context, &ent, password);
- if (ret)
- goto out;
-
- ret = hdb_seal_keys(context->context, context->db, &ent);
- if (ret)
- goto out;
-
- kadm5_log_create (context, &ent);
-
- ret = context->db->open(context->context, context->db, O_RDWR, 0);
- if(ret)
- goto out;
- ret = context->db->store(context->context, context->db, 0, &ent);
- context->db->close(context->context, context->db);
-out:
- hdb_free_entry(context->context, &ent);
- return _kadm5_error_code(ret);
-}
-
diff --git a/crypto/heimdal-0.6.3/lib/kadm5/delete_c.c b/crypto/heimdal-0.6.3/lib/kadm5/delete_c.c
deleted file mode 100644
index 7575c5e438..0000000000
--- a/crypto/heimdal-0.6.3/lib/kadm5/delete_c.c
+++ /dev/null
@@ -1,73 +0,0 @@
-/*
- * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kadm5_locl.h"
-
-RCSID("$Id: delete_c.c,v 1.4 2000/07/11 15:59:29 joda Exp $");
-
-kadm5_ret_t
-kadm5_c_delete_principal(void *server_handle, krb5_principal princ)
-{
- kadm5_client_context *context = server_handle;
- kadm5_ret_t ret;
- krb5_storage *sp;
- unsigned char buf[1024];
- int32_t tmp;
- krb5_data reply;
-
- ret = _kadm5_connect(server_handle);
- if(ret)
- return ret;
-
- sp = krb5_storage_from_mem(buf, sizeof(buf));
- if (sp == NULL)
- return ENOMEM;
- krb5_store_int32(sp, kadm_delete);
- krb5_store_principal(sp, princ);
- ret = _kadm5_client_send(context, sp);
- krb5_storage_free(sp);
- if (ret)
- return ret;
- ret = _kadm5_client_recv(context, &reply);
- if (ret)
- return ret;
- sp = krb5_storage_from_data (&reply);
- if(sp == NULL) {
- krb5_data_free (&reply);
- return ENOMEM;
- }
- krb5_ret_int32(sp, &tmp);
- krb5_storage_free(sp);
- krb5_data_free (&reply);
- return tmp;
-}
diff --git a/crypto/heimdal-0.6.3/lib/kadm5/delete_s.c b/crypto/heimdal-0.6.3/lib/kadm5/delete_s.c
deleted file mode 100644
index 2f2bf881d2..0000000000
--- a/crypto/heimdal-0.6.3/lib/kadm5/delete_s.c
+++ /dev/null
@@ -1,72 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kadm5_locl.h"
-
-RCSID("$Id: delete_s.c,v 1.9 2001/01/30 01:24:28 assar Exp $");
-
-kadm5_ret_t
-kadm5_s_delete_principal(void *server_handle, krb5_principal princ)
-{
- kadm5_server_context *context = server_handle;
- kadm5_ret_t ret;
- hdb_entry ent;
-
- ent.principal = princ;
- ret = context->db->open(context->context, context->db, O_RDWR, 0);
- if(ret) {
- krb5_warn(context->context, ret, "opening database");
- return ret;
- }
- ret = context->db->fetch(context->context, context->db,
- HDB_F_DECRYPT, &ent);
- if(ret == HDB_ERR_NOENTRY)
- goto out2;
- if(ent.flags.immutable) {
- ret = KADM5_PROTECT_PRINCIPAL;
- goto out;
- }
-
- ret = hdb_seal_keys(context->context, context->db, &ent);
- if (ret)
- goto out;
-
- kadm5_log_delete (context, princ);
-
- ret = context->db->remove(context->context, context->db, &ent);
-out:
- hdb_free_entry(context->context, &ent);
-out2:
- context->db->close(context->context, context->db);
- return _kadm5_error_code(ret);
-}
diff --git a/crypto/heimdal-0.6.3/lib/kadm5/destroy_c.c b/crypto/heimdal-0.6.3/lib/kadm5/destroy_c.c
deleted file mode 100644
index b42c84ce79..0000000000
--- a/crypto/heimdal-0.6.3/lib/kadm5/destroy_c.c
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kadm5_locl.h"
-
-RCSID("$Id: destroy_c.c,v 1.3 1999/12/02 17:05:05 joda Exp $");
-
-kadm5_ret_t
-kadm5_c_destroy(void *server_handle)
-{
- kadm5_client_context *context = server_handle;
-
- free(context->realm);
- free(context->admin_server);
- close(context->sock);
- if (context->ac != NULL)
- krb5_auth_con_free(context->context, context->ac);
- if(context->my_context)
- krb5_free_context(context->context);
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/lib/kadm5/destroy_s.c b/crypto/heimdal-0.6.3/lib/kadm5/destroy_s.c
deleted file mode 100644
index a8ad3285d4..0000000000
--- a/crypto/heimdal-0.6.3/lib/kadm5/destroy_s.c
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kadm5_locl.h"
-
-RCSID("$Id: destroy_s.c,v 1.6 2000/05/12 15:23:13 assar Exp $");
-
-/*
- * dealloc a `kadm5_config_params'
- */
-
-static void
-destroy_config (kadm5_config_params *c)
-{
- free (c->realm);
- free (c->dbname);
- free (c->acl_file);
- free (c->stash_file);
-}
-
-/*
- * dealloc a kadm5_log_context
- */
-
-static void
-destroy_kadm5_log_context (kadm5_log_context *c)
-{
- free (c->log_file);
- close (c->socket_fd);
-}
-
-/*
- * destroy a kadm5 handle
- */
-
-kadm5_ret_t
-kadm5_s_destroy(void *server_handle)
-{
- kadm5_ret_t ret;
- kadm5_server_context *context = server_handle;
- krb5_context kcontext = context->context;
-
- ret = context->db->destroy(kcontext, context->db);
- destroy_kadm5_log_context (&context->log_context);
- destroy_config (&context->config);
- krb5_free_principal (kcontext, context->caller);
- if(context->my_context)
- krb5_free_context(kcontext);
- free (context);
- return ret;
-}
diff --git a/crypto/heimdal-0.6.3/lib/kadm5/dump_log.c b/crypto/heimdal-0.6.3/lib/kadm5/dump_log.c
deleted file mode 100644
index f8309fb5ac..0000000000
--- a/crypto/heimdal-0.6.3/lib/kadm5/dump_log.c
+++ /dev/null
@@ -1,273 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "iprop.h"
-#include "parse_time.h"
-
-RCSID("$Id: dump_log.c,v 1.13 2003/04/16 17:56:02 lha Exp $");
-
-static char *op_names[] = {
- "get",
- "delete",
- "create",
- "rename",
- "chpass",
- "modify",
- "randkey",
- "get_privs",
- "get_princs",
- "chpass_with_key",
- "nop"
-};
-
-static void
-print_entry(kadm5_server_context *server_context,
- u_int32_t ver,
- time_t timestamp,
- enum kadm_ops op,
- u_int32_t len,
- krb5_storage *sp)
-{
- char t[256];
- int32_t mask;
- hdb_entry ent;
- krb5_principal source;
- char *name1, *name2;
- krb5_data data;
- krb5_context context = server_context->context;
-
- off_t end = krb5_storage_seek(sp, 0, SEEK_CUR) + len;
-
- krb5_error_code ret;
-
- strftime(t, sizeof(t), "%Y-%m-%d %H:%M:%S", localtime(×tamp));
-
- if(op < kadm_get || op > kadm_nop) {
- printf("unknown op: %d\n", op);
- krb5_storage_seek(sp, end, SEEK_SET);
- return;
- }
-
- printf ("%s: ver = %u, timestamp = %s, len = %u\n",
- op_names[op], ver, t, len);
- switch(op) {
- case kadm_delete:
- krb5_ret_principal(sp, &source);
- krb5_unparse_name(context, source, &name1);
- printf(" %s\n", name1);
- free(name1);
- krb5_free_principal(context, source);
- break;
- case kadm_rename:
- ret = krb5_data_alloc(&data, len);
- if (ret)
- krb5_err (context, 1, ret, "kadm_rename: data alloc: %d", len);
- krb5_ret_principal(sp, &source);
- krb5_storage_read(sp, data.data, data.length);
- hdb_value2entry(context, &data, &ent);
- krb5_unparse_name(context, source, &name1);
- krb5_unparse_name(context, ent.principal, &name2);
- printf(" %s -> %s\n", name1, name2);
- free(name1);
- free(name2);
- krb5_free_principal(context, source);
- hdb_free_entry(context, &ent);
- break;
- case kadm_create:
- ret = krb5_data_alloc(&data, len);
- if (ret)
- krb5_err (context, 1, ret, "kadm_create: data alloc: %d", len);
- krb5_storage_read(sp, data.data, data.length);
- ret = hdb_value2entry(context, &data, &ent);
- if(ret)
- abort();
- mask = ~0;
- goto foo;
- case kadm_modify:
- ret = krb5_data_alloc(&data, len);
- if (ret)
- krb5_err (context, 1, ret, "kadm_modify: data alloc: %d", len);
- krb5_ret_int32(sp, &mask);
- krb5_storage_read(sp, data.data, data.length);
- ret = hdb_value2entry(context, &data, &ent);
- if(ret)
- abort();
- foo:
- if(ent.principal /* mask & KADM5_PRINCIPAL */) {
- krb5_unparse_name(context, ent.principal, &name1);
- printf(" principal = %s\n", name1);
- free(name1);
- }
- if(mask & KADM5_PRINC_EXPIRE_TIME) {
- if(ent.valid_end == NULL) {
- strcpy(t, "never");
- } else {
- strftime(t, sizeof(t), "%Y-%m-%d %H:%M:%S",
- localtime(ent.valid_end));
- }
- printf(" expires = %s\n", t);
- }
- if(mask & KADM5_PW_EXPIRATION) {
- if(ent.pw_end == NULL) {
- strcpy(t, "never");
- } else {
- strftime(t, sizeof(t), "%Y-%m-%d %H:%M:%S",
- localtime(ent.pw_end));
- }
- printf(" password exp = %s\n", t);
- }
- if(mask & KADM5_LAST_PWD_CHANGE) {
- }
- if(mask & KADM5_ATTRIBUTES) {
- unparse_flags(HDBFlags2int(ent.flags),
- HDBFlags_units, t, sizeof(t));
- printf(" attributes = %s\n", t);
- }
- if(mask & KADM5_MAX_LIFE) {
- if(ent.max_life == NULL)
- strcpy(t, "for ever");
- else
- unparse_time(*ent.max_life, t, sizeof(t));
- printf(" max life = %s\n", t);
- }
- if(mask & KADM5_MAX_RLIFE) {
- if(ent.max_renew == NULL)
- strcpy(t, "for ever");
- else
- unparse_time(*ent.max_renew, t, sizeof(t));
- printf(" max rlife = %s\n", t);
- }
- if(mask & KADM5_MOD_TIME) {
- printf(" mod time\n");
- }
- if(mask & KADM5_MOD_NAME) {
- printf(" mod name\n");
- }
- if(mask & KADM5_KVNO) {
- printf(" kvno = %d\n", ent.kvno);
- }
- if(mask & KADM5_MKVNO) {
- printf(" mkvno\n");
- }
- if(mask & KADM5_AUX_ATTRIBUTES) {
- printf(" aux attributes\n");
- }
- if(mask & KADM5_POLICY) {
- printf(" policy\n");
- }
- if(mask & KADM5_POLICY_CLR) {
- printf(" mod time\n");
- }
- if(mask & KADM5_LAST_SUCCESS) {
- printf(" last success\n");
- }
- if(mask & KADM5_LAST_FAILED) {
- printf(" last failed\n");
- }
- if(mask & KADM5_FAIL_AUTH_COUNT) {
- printf(" fail auth count\n");
- }
- if(mask & KADM5_KEY_DATA) {
- printf(" key data\n");
- }
- if(mask & KADM5_TL_DATA) {
- printf(" tl data\n");
- }
- hdb_free_entry(context, &ent);
- break;
- case kadm_nop :
- break;
- default:
- abort();
- }
- krb5_storage_seek(sp, end, SEEK_SET);
-}
-
-static char *realm;
-static int version_flag;
-static int help_flag;
-
-static struct getargs args[] = {
- { "realm", 'r', arg_string, &realm },
- { "version", 0, arg_flag, &version_flag },
- { "help", 0, arg_flag, &help_flag }
-};
-int num_args = sizeof(args) / sizeof(args[0]);
-
-int
-main(int argc, char **argv)
-{
- krb5_context context;
- krb5_error_code ret;
- void *kadm_handle;
- kadm5_server_context *server_context;
- kadm5_config_params conf;
-
- krb5_program_setup(&context, argc, argv, args, num_args, NULL);
-
- if(help_flag)
- krb5_std_usage(0, args, num_args);
- if(version_flag) {
- print_version(NULL);
- exit(0);
- }
-
- memset(&conf, 0, sizeof(conf));
- if(realm) {
- conf.mask |= KADM5_CONFIG_REALM;
- conf.realm = realm;
- }
- ret = kadm5_init_with_password_ctx (context,
- KADM5_ADMIN_SERVICE,
- NULL,
- KADM5_ADMIN_SERVICE,
- &conf, 0, 0,
- &kadm_handle);
- if (ret)
- krb5_err (context, 1, ret, "kadm5_init_with_password_ctx");
-
- server_context = (kadm5_server_context *)kadm_handle;
-
- ret = kadm5_log_init (server_context);
- if (ret)
- krb5_err (context, 1, ret, "kadm5_log_init");
-
- ret = kadm5_log_foreach (server_context, print_entry);
- if(ret)
- krb5_warn(context, ret, "kadm5_log_foreach");
-
- ret = kadm5_log_end (server_context);
- if (ret)
- krb5_warn(context, ret, "kadm5_log_end");
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/lib/kadm5/ent_setup.c b/crypto/heimdal-0.6.3/lib/kadm5/ent_setup.c
deleted file mode 100644
index 29fab740ba..0000000000
--- a/crypto/heimdal-0.6.3/lib/kadm5/ent_setup.c
+++ /dev/null
@@ -1,142 +0,0 @@ -/* - * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "kadm5_locl.h" - -RCSID("$Id: ent_setup.c,v 1.12 2000/03/23 23:02:35 assar Exp $"); - -#define set_value(X, V) do { if((X) == NULL) (X) = malloc(sizeof(*(X))); *(X) = V; } while(0) -#define set_null(X) do { if((X) != NULL) free((X)); (X) = NULL; } while (0) - -static void -attr_to_flags(unsigned attr, HDBFlags *flags) -{ - flags->postdate = !(attr & KRB5_KDB_DISALLOW_POSTDATED); - flags->forwardable = !(attr & KRB5_KDB_DISALLOW_FORWARDABLE); - flags->initial = !!(attr & KRB5_KDB_DISALLOW_TGT_BASED); - flags->renewable = !(attr & KRB5_KDB_DISALLOW_RENEWABLE); - flags->proxiable = !(attr & KRB5_KDB_DISALLOW_PROXIABLE); - /* DUP_SKEY */ - flags->invalid = !!(attr & KRB5_KDB_DISALLOW_ALL_TIX); - flags->require_preauth = !!(attr & KRB5_KDB_REQUIRES_PRE_AUTH); - /* HW_AUTH */ - flags->server = !(attr & KRB5_KDB_DISALLOW_SVR); - flags->change_pw = !!(attr & KRB5_KDB_PWCHANGE_SERVICE); - flags->client = 1; /* XXX */ -} - -/* - * Create the hdb entry `ent' based on data from `princ' with - * `princ_mask' specifying what fields to be gotten from there and - * `mask' specifying what fields we want filled in. 
- */ - -kadm5_ret_t -_kadm5_setup_entry(kadm5_server_context *context, - hdb_entry *ent, - u_int32_t mask, - kadm5_principal_ent_t princ, - u_int32_t princ_mask, - kadm5_principal_ent_t def, - u_int32_t def_mask) -{ - if(mask & KADM5_PRINC_EXPIRE_TIME - && princ_mask & KADM5_PRINC_EXPIRE_TIME) { - if (princ->princ_expire_time) - set_value(ent->valid_end, princ->princ_expire_time); - else - set_null(ent->valid_end); - } - if(mask & KADM5_PW_EXPIRATION - && princ_mask & KADM5_PW_EXPIRATION) { - if (princ->pw_expiration) - set_value(ent->pw_end, princ->pw_expiration); - else - set_null(ent->pw_end); - } - if(mask & KADM5_ATTRIBUTES) { - if (princ_mask & KADM5_ATTRIBUTES) { - attr_to_flags(princ->attributes, &ent->flags); - } else if(def_mask & KADM5_ATTRIBUTES) { - attr_to_flags(def->attributes, &ent->flags); - ent->flags.invalid = 0; - } else { - ent->flags.client = 1; - ent->flags.server = 1; - ent->flags.forwardable = 1; - ent->flags.proxiable = 1; - ent->flags.renewable = 1; - ent->flags.postdate = 1; - } - } - if(mask & KADM5_MAX_LIFE) { - if(princ_mask & KADM5_MAX_LIFE) { - if(princ->max_life) - set_value(ent->max_life, princ->max_life); - else - set_null(ent->max_life); - } else if(def_mask & KADM5_MAX_LIFE) { - if(def->max_life) - set_value(ent->max_life, def->max_life); - else - set_null(ent->max_life); - } - } - if(mask & KADM5_KVNO - && princ_mask & KADM5_KVNO) - ent->kvno = princ->kvno; - if(mask & KADM5_MAX_RLIFE) { - if(princ_mask & KADM5_MAX_RLIFE) { - if(princ->max_renewable_life) - set_value(ent->max_renew, princ->max_renewable_life); - else - set_null(ent->max_renew); - } else if(def_mask & KADM5_MAX_RLIFE) { - if(def->max_renewable_life) - set_value(ent->max_renew, def->max_renewable_life); - else - set_null(ent->max_renew); - } - } - if(mask & KADM5_KEY_DATA - && princ_mask & KADM5_KEY_DATA) { - _kadm5_set_keys2(context, ent, princ->n_key_data, princ->key_data); - } - if(mask & KADM5_TL_DATA) { - /* XXX */ - } - if(mask & KADM5_FAIL_AUTH_COUNT) { - 
/* XXX */ - } - return 0; -} diff --git a/crypto/heimdal-0.6.3/lib/kadm5/error.c b/crypto/heimdal-0.6.3/lib/kadm5/error.c deleted file mode 100644 index 11b1ded7d8..0000000000 --- a/crypto/heimdal-0.6.3/lib/kadm5/error.c +++ /dev/null 
@@ -1,48 +0,0 @@ -/* - * Copyright (c) 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "kadm5_locl.h" - -RCSID("$Id: error.c,v 1.3 1999/12/02 17:05:06 joda Exp $"); - -kadm5_ret_t -_kadm5_error_code(kadm5_ret_t code) -{ - switch(code){ - case HDB_ERR_EXISTS: - return KADM5_DUP; - case HDB_ERR_NOENTRY: - return KADM5_UNK_PRINC; - } - return code; -} 
diff --git a/crypto/heimdal-0.6.3/lib/kadm5/flush.c b/crypto/heimdal-0.6.3/lib/kadm5/flush.c
deleted file mode 100644
index 4808259de7..0000000000
--- a/crypto/heimdal-0.6.3/lib/kadm5/flush.c
+++ /dev/null
@@ -1,48 +0,0 @@ -/* - * Copyright (c) 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "kadm5_locl.h" - -RCSID("$Id: flush.c,v 1.2 1999/12/02 17:05:06 joda Exp $"); - -kadm5_ret_t -kadm5_s_flush(void *server_handle) -{ - return 0; -} - -kadm5_ret_t -kadm5_c_flush(void *server_handle) -{ - return 0; -} 
diff --git a/crypto/heimdal-0.6.3/lib/kadm5/flush_c.c b/crypto/heimdal-0.6.3/lib/kadm5/flush_c.c
deleted file mode 100644
index 01cdcf723a..0000000000
--- a/crypto/heimdal-0.6.3/lib/kadm5/flush_c.c
+++ /dev/null
@@ -1,41 +0,0 @@ -/* - * Copyright (c) 1999 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of KTH nor the names of its contributors may be - * used to endorse or promote products derived from this software without - * specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY - * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR - * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, - * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR - * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF - * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ - -#include "kadm5_locl.h" - -RCSID("$Id: flush_c.c,v 1.1 1999/03/23 18:23:36 joda Exp $"); - -kadm5_ret_t -kadm5_c_flush(void *server_handle) -{ - return 0; -} diff --git a/crypto/heimdal-0.6.3/lib/kadm5/flush_s.c b/crypto/heimdal-0.6.3/lib/kadm5/flush_s.c deleted file mode 100644 index dffbe2f2ca..0000000000 
--- a/crypto/heimdal-0.6.3/lib/kadm5/flush_s.c +++ /dev/null @@ -1,41 +0,0 @@ -/* - * Copyright (c) 1999 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of KTH nor the names of its contributors may be - * used to endorse or promote products derived from this software without - * specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY - * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR - * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, - * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR - * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF - * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ - -#include "kadm5_locl.h" - -RCSID("$Id: flush_s.c,v 1.1 1999/03/23 18:23:37 joda Exp $"); - -kadm5_ret_t -kadm5_s_flush(void *server_handle) -{ - return 0; -} 
diff --git a/crypto/heimdal-0.6.3/lib/kadm5/free.c b/crypto/heimdal-0.6.3/lib/kadm5/free.c
deleted file mode 100644
index fcc1e70f0d..0000000000
--- a/crypto/heimdal-0.6.3/lib/kadm5/free.c
+++ /dev/null
@@ -1,91 +0,0 @@ -/* - * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "kadm5_locl.h" - -RCSID("$Id: free.c,v 1.4 1999/12/02 17:05:06 joda Exp $"); - -void -kadm5_free_key_data(void *server_handle, - int16_t *n_key_data, - krb5_key_data *key_data) -{ - int i; - for(i = 0; i < *n_key_data; i++){ - if(key_data[i].key_data_contents[0]){ - memset(key_data[i].key_data_contents[0], - 0, - key_data[i].key_data_length[0]); - free(key_data[i].key_data_contents[0]); - } - if(key_data[i].key_data_contents[1]) - free(key_data[i].key_data_contents[1]); - } - *n_key_data = 0; -} - - -void -kadm5_free_principal_ent(void *server_handle, - kadm5_principal_ent_t princ) -{ - kadm5_server_context *context = server_handle; - if(princ->principal) - krb5_free_principal(context->context, princ->principal); - if(princ->mod_name) - krb5_free_principal(context->context, princ->mod_name); - kadm5_free_key_data(server_handle, &princ->n_key_data, princ->key_data); - while(princ->n_tl_data && princ->tl_data) { - krb5_tl_data *tp; - tp = princ->tl_data; - princ->tl_data = tp->tl_data_next; - princ->n_tl_data--; - memset(tp->tl_data_contents, 0, tp->tl_data_length); - free(tp->tl_data_contents); - free(tp); - } - if (princ->key_data != NULL) - free (princ->key_data); -} - -void -kadm5_free_name_list(void *server_handle, - char **names, - int *count) -{ - int i; - for(i = 0; i < *count; i++) - free(names[i]); - free(names); - *count = 0; -} diff --git a/crypto/heimdal-0.6.3/lib/kadm5/get_c.c b/crypto/heimdal-0.6.3/lib/kadm5/get_c.c deleted file mode 100644 index 279a77aa6b..0000000000 --- a/crypto/heimdal-0.6.3/lib/kadm5/get_c.c +++ /dev/null 
@@ -1,80 +0,0 @@ -/* - * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "kadm5_locl.h" - -RCSID("$Id: get_c.c,v 1.6 2000/07/11 15:59:36 joda Exp $"); - -kadm5_ret_t -kadm5_c_get_principal(void *server_handle, - krb5_principal princ, - kadm5_principal_ent_t out, - u_int32_t mask) -{ - kadm5_client_context *context = server_handle; - kadm5_ret_t ret; - krb5_storage *sp; - unsigned char buf[1024]; - int32_t tmp; - krb5_data reply; - - ret = _kadm5_connect(server_handle); - if(ret) - return ret; - - sp = krb5_storage_from_mem(buf, sizeof(buf)); - if (sp == NULL) - return ENOMEM; - krb5_store_int32(sp, kadm_get); - krb5_store_principal(sp, princ); - krb5_store_int32(sp, mask); - ret = _kadm5_client_send(context, sp); - krb5_storage_free(sp); - if(ret) - return ret; - ret = _kadm5_client_recv(context, &reply); - if (ret) - return ret; - sp = krb5_storage_from_data (&reply); - if (sp == NULL) { - krb5_data_free (&reply); - return ENOMEM; - } - krb5_ret_int32(sp, &tmp); - ret = tmp; - if(ret == 0) - kadm5_ret_principal_ent(sp, out); - krb5_storage_free(sp); - krb5_data_free (&reply); - return ret; -} diff --git a/crypto/heimdal-0.6.3/lib/kadm5/get_princs_c.c b/crypto/heimdal-0.6.3/lib/kadm5/get_princs_c.c deleted file mode 100644 index 3536cdfc5f..0000000000 --- a/crypto/heimdal-0.6.3/lib/kadm5/get_princs_c.c +++ /dev/null 
@@ -1,90 +0,0 @@ -/* - * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "kadm5_locl.h" - -RCSID("$Id: get_princs_c.c,v 1.4 2000/07/11 16:00:19 joda Exp $"); - -kadm5_ret_t -kadm5_c_get_principals(void *server_handle, - const char *exp, - char ***princs, - int *count) -{ - kadm5_client_context *context = server_handle; - kadm5_ret_t ret; - krb5_storage *sp; - unsigned char buf[1024]; - int32_t tmp; - krb5_data reply; - - ret = _kadm5_connect(server_handle); - if(ret) - return ret; - - sp = krb5_storage_from_mem(buf, sizeof(buf)); - if (sp == NULL) - return ENOMEM; - krb5_store_int32(sp, kadm_get_princs); - krb5_store_int32(sp, exp != NULL); - if(exp) - krb5_store_string(sp, exp); - ret = _kadm5_client_send(context, sp); - krb5_storage_free(sp); - ret = _kadm5_client_recv(context, &reply); - if(ret) - return ret; - sp = krb5_storage_from_data (&reply); - if (sp == NULL) { - krb5_data_free (&reply); - return ENOMEM; - } - krb5_ret_int32(sp, &tmp); - ret = tmp; - if(ret == 0) { - int i; - krb5_ret_int32(sp, &tmp); - *princs = calloc(tmp + 1, sizeof(**princs)); - if (*princs == NULL) { - ret = ENOMEM; - goto out; - } - for(i = 0; i < tmp; i++) - krb5_ret_string(sp, &(*princs)[i]); - *count = tmp; - } -out: - krb5_storage_free(sp); - krb5_data_free (&reply); - return ret; -} diff --git a/crypto/heimdal-0.6.3/lib/kadm5/get_princs_s.c b/crypto/heimdal-0.6.3/lib/kadm5/get_princs_s.c deleted file mode 100644 index 2702bae461..0000000000 --- a/crypto/heimdal-0.6.3/lib/kadm5/get_princs_s.c +++ /dev/null 
@@ -1,113 +0,0 @@ -/* - * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "kadm5_locl.h" - -RCSID("$Id: get_princs_s.c,v 1.5 1999/12/02 17:05:06 joda Exp $"); - -struct foreach_data { - const char *exp; - char *exp2; - char **princs; - int count; -}; - -static krb5_error_code -add_princ(struct foreach_data *d, char *princ) -{ - char **tmp; - tmp = realloc(d->princs, (d->count + 1) * sizeof(*tmp)); - if(tmp == NULL) - return ENOMEM; - d->princs = tmp; - d->princs[d->count++] = princ; - return 0; -} - -static krb5_error_code -foreach(krb5_context context, HDB *db, hdb_entry *ent, void *data) -{ - struct foreach_data *d = data; - char *princ; - krb5_error_code ret; - ret = krb5_unparse_name(context, ent->principal, &princ); - if(ret) - return ret; - if(d->exp){ - if(fnmatch(d->exp, princ, 0) == 0 || fnmatch(d->exp2, princ, 0) == 0) - ret = add_princ(d, princ); - else - free(princ); - }else{ - ret = add_princ(d, princ); - } - if(ret) - free(princ); - return ret; -} - -kadm5_ret_t -kadm5_s_get_principals(void *server_handle, - const char *exp, - char ***princs, - int *count) -{ - struct foreach_data d; - kadm5_server_context *context = server_handle; - kadm5_ret_t ret; - ret = context->db->open(context->context, context->db, O_RDWR, 0); - if(ret) { - krb5_warn(context->context, ret, "opening database"); - return ret; - } - d.exp = exp; - { - krb5_realm r; - krb5_get_default_realm(context->context, &r); - asprintf(&d.exp2, "%s@%s", exp, r); - free(r); - } - d.princs = NULL; - d.count = 0; - ret = hdb_foreach(context->context, context->db, 0, foreach, &d); - context->db->close(context->context, context->db); - if(ret == 0) - ret = add_princ(&d, NULL); - if(ret == 0){ - *princs = d.princs; - *count = d.count - 1; - }else - kadm5_free_name_list(context, d.princs, &d.count); - free(d.exp2); - return _kadm5_error_code(ret); -} diff --git a/crypto/heimdal-0.6.3/lib/kadm5/get_s.c b/crypto/heimdal-0.6.3/lib/kadm5/get_s.c deleted file mode 100644 index 08519009c8..0000000000 --- a/crypto/heimdal-0.6.3/lib/kadm5/get_s.c +++ /dev/null 
@@ -1,191 +0,0 @@ -/* - * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "kadm5_locl.h" - -RCSID("$Id: get_s.c,v 1.13 2000/06/19 16:11:31 joda Exp $"); - -kadm5_ret_t -kadm5_s_get_principal(void *server_handle, - krb5_principal princ, - kadm5_principal_ent_t out, - u_int32_t mask) -{ - kadm5_server_context *context = server_handle; - kadm5_ret_t ret; - hdb_entry ent; - - ent.principal = princ; - ret = context->db->open(context->context, context->db, O_RDONLY, 0); - if(ret) - return ret; - ret = context->db->fetch(context->context, context->db, - HDB_F_DECRYPT, &ent); - context->db->close(context->context, context->db); - if(ret) - return _kadm5_error_code(ret); - - memset(out, 0, sizeof(*out)); - if(mask & KADM5_PRINCIPAL) - ret = krb5_copy_principal(context->context, ent.principal, - &out->principal); - if(ret) - goto out; - if(mask & KADM5_PRINC_EXPIRE_TIME && ent.valid_end) - out->princ_expire_time = *ent.valid_end; - if(mask & KADM5_PW_EXPIRATION && ent.pw_end) - out->pw_expiration = *ent.pw_end; - if(mask & KADM5_LAST_PWD_CHANGE) - /* XXX implement */; - if(mask & KADM5_ATTRIBUTES){ - out->attributes |= ent.flags.postdate ? 0 : KRB5_KDB_DISALLOW_POSTDATED; - out->attributes |= ent.flags.forwardable ? 0 : KRB5_KDB_DISALLOW_FORWARDABLE; - out->attributes |= ent.flags.initial ? KRB5_KDB_DISALLOW_TGT_BASED : 0; - out->attributes |= ent.flags.renewable ? 0 : KRB5_KDB_DISALLOW_RENEWABLE; - out->attributes |= ent.flags.proxiable ? 0 : KRB5_KDB_DISALLOW_PROXIABLE; - out->attributes |= ent.flags.invalid ? KRB5_KDB_DISALLOW_ALL_TIX : 0; - out->attributes |= ent.flags.require_preauth ? KRB5_KDB_REQUIRES_PRE_AUTH : 0; - out->attributes |= ent.flags.server ? 0 : KRB5_KDB_DISALLOW_SVR; - out->attributes |= ent.flags.change_pw ? 
KRB5_KDB_PWCHANGE_SERVICE : 0; - } - if(mask & KADM5_MAX_LIFE) { - if(ent.max_life) - out->max_life = *ent.max_life; - else - out->max_life = INT_MAX; - } - if(mask & KADM5_MOD_TIME) { - if(ent.modified_by) - out->mod_date = ent.modified_by->time; - else - out->mod_date = ent.created_by.time; - } - if(mask & KADM5_MOD_NAME) { - if(ent.modified_by) { - if (ent.modified_by->principal != NULL) - ret = krb5_copy_principal(context->context, - ent.modified_by->principal, - &out->mod_name); - } else if(ent.created_by.principal != NULL) - ret = krb5_copy_principal(context->context, - ent.created_by.principal, - &out->mod_name); - else - out->mod_name = NULL; - } - if(ret) - goto out; - - if(mask & KADM5_KVNO) - out->kvno = ent.kvno; - if(mask & KADM5_MKVNO) { - int n; - out->mkvno = 0; /* XXX */ - for(n = 0; n < ent.keys.len; n++) - if(ent.keys.val[n].mkvno) { - out->mkvno = *ent.keys.val[n].mkvno; /* XXX this isn't right */ - break; - } - } - if(mask & KADM5_AUX_ATTRIBUTES) - /* XXX implement */; - if(mask & KADM5_POLICY) - out->policy = NULL; - if(mask & KADM5_MAX_RLIFE) { - if(ent.max_renew) - out->max_renewable_life = *ent.max_renew; - else - out->max_renewable_life = INT_MAX; - } - if(mask & KADM5_LAST_SUCCESS) - /* XXX implement */; - if(mask & KADM5_LAST_FAILED) - /* XXX implement */; - if(mask & KADM5_FAIL_AUTH_COUNT) - /* XXX implement */; - if(mask & KADM5_KEY_DATA){ - int i; - Key *key; - krb5_key_data *kd; - krb5_salt salt; - krb5_data *sp; - krb5_get_pw_salt(context->context, ent.principal, &salt); - out->key_data = malloc(ent.keys.len * sizeof(*out->key_data)); - for(i = 0; i < ent.keys.len; i++){ - key = &ent.keys.val[i]; - kd = &out->key_data[i]; - kd->key_data_ver = 2; - kd->key_data_kvno = ent.kvno; - kd->key_data_type[0] = key->key.keytype; - if(key->salt) - kd->key_data_type[1] = key->salt->type; - else - kd->key_data_type[1] = KRB5_PADATA_PW_SALT; - /* setup key */ - kd->key_data_length[0] = key->key.keyvalue.length; - kd->key_data_contents[0] = 
malloc(kd->key_data_length[0]); - if(kd->key_data_contents[0] == NULL){ - ret = ENOMEM; - break; - } - memcpy(kd->key_data_contents[0], key->key.keyvalue.data, - kd->key_data_length[0]); - /* setup salt */ - if(key->salt) - sp = &key->salt->salt; - else - sp = &salt.saltvalue; - kd->key_data_length[1] = sp->length; - kd->key_data_contents[1] = malloc(kd->key_data_length[1]); - if(kd->key_data_length[1] != 0 - && kd->key_data_contents[1] == NULL) { - memset(kd->key_data_contents[0], 0, kd->key_data_length[0]); - ret = ENOMEM; - break; - } - memcpy(kd->key_data_contents[1], sp->data, kd->key_data_length[1]); - out->n_key_data = i + 1; - } - krb5_free_salt(context->context, salt); - } - if(ret){ - kadm5_free_principal_ent(context, out); - goto out; - } - if(mask & KADM5_TL_DATA) - /* XXX implement */; -out: - hdb_free_entry(context->context, &ent); - - return _kadm5_error_code(ret); -} diff --git a/crypto/heimdal-0.6.3/lib/kadm5/init_c.c b/crypto/heimdal-0.6.3/lib/kadm5/init_c.c deleted file mode 100644 index 05b7adb343..0000000000 --- a/crypto/heimdal-0.6.3/lib/kadm5/init_c.c +++ /dev/null 
@@ -1,716 +0,0 @@ -/* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "kadm5_locl.h" -#include -#include -#include -#include - -RCSID("$Id: init_c.c,v 1.45.2.1 2003/12/21 22:48:13 lha Exp $"); - -static void -set_funcs(kadm5_client_context *c) -{ -#define SET(C, F) (C)->funcs.F = kadm5 ## _c_ ## F - SET(c, chpass_principal); - SET(c, chpass_principal_with_key); - SET(c, create_principal); - SET(c, delete_principal); - SET(c, destroy); - SET(c, flush); - SET(c, get_principal); - SET(c, get_principals); - SET(c, get_privs); - SET(c, modify_principal); - SET(c, randkey_principal); - SET(c, rename_principal); -} - -kadm5_ret_t -_kadm5_c_init_context(kadm5_client_context **ctx, - kadm5_config_params *params, - krb5_context context) -{ - krb5_error_code ret; - char *colon; - - *ctx = malloc(sizeof(**ctx)); - if(*ctx == NULL) - return ENOMEM; - memset(*ctx, 0, sizeof(**ctx)); - krb5_add_et_list (context, initialize_kadm5_error_table_r); - set_funcs(*ctx); - (*ctx)->context = context; - if(params->mask & KADM5_CONFIG_REALM) { - ret = 0; - (*ctx)->realm = strdup(params->realm); - if ((*ctx)->realm == NULL) - ret = ENOMEM; - } else - ret = krb5_get_default_realm((*ctx)->context, &(*ctx)->realm); - if (ret) { - free(*ctx); - return ret; - } - if(params->mask & KADM5_CONFIG_ADMIN_SERVER) - (*ctx)->admin_server = strdup(params->admin_server); - else { - char **hostlist; - - ret = krb5_get_krb_admin_hst (context, &(*ctx)->realm, &hostlist); - if (ret) { - free((*ctx)->realm); - free(*ctx); - return ret; - } - (*ctx)->admin_server = strdup(*hostlist); - krb5_free_krbhst (context, hostlist); - } - - if ((*ctx)->admin_server == NULL) { - return ENOMEM; - free((*ctx)->realm); - free(*ctx); - } - colon = strchr ((*ctx)->admin_server, ':'); - if (colon != NULL) - *colon++ = '\0'; - - (*ctx)->kadmind_port = 0; - - if(params->mask & KADM5_CONFIG_KADMIND_PORT) - (*ctx)->kadmind_port = params->kadmind_port; - else if (colon != NULL) { - char *end; - - (*ctx)->kadmind_port = htons(strtol (colon, &end, 0)); - } - if ((*ctx)->kadmind_port == 
0) - (*ctx)->kadmind_port = krb5_getportbyname (context, "kerberos-adm", - "tcp", 749); - return 0; -} - -static krb5_error_code -get_kadm_ticket(krb5_context context, - krb5_ccache id, - krb5_principal client, - const char *server_name) -{ - krb5_error_code ret; - krb5_creds in, *out; - - memset(&in, 0, sizeof(in)); - in.client = client; - ret = krb5_parse_name(context, server_name, &in.server); - if(ret) - return ret; - ret = krb5_get_credentials(context, 0, id, &in, &out); - if(ret == 0) - krb5_free_creds(context, out); - krb5_free_principal(context, in.server); - return ret; -} - -static krb5_error_code -get_new_cache(krb5_context context, - krb5_principal client, - const char *password, - krb5_prompter_fct prompter, - const char *keytab, - const char *server_name, - krb5_ccache *ret_cache) -{ - krb5_error_code ret; - krb5_creds cred; - krb5_get_init_creds_opt opt; - krb5_ccache id; - - krb5_get_init_creds_opt_init (&opt); - - krb5_get_init_creds_opt_set_default_flags(context, "kadmin", - krb5_principal_get_realm(context, - client), - &opt); - - - krb5_get_init_creds_opt_set_forwardable (&opt, FALSE); - krb5_get_init_creds_opt_set_proxiable (&opt, FALSE); - - if(password == NULL && prompter == NULL) { - krb5_keytab kt; - if(keytab == NULL) - ret = krb5_kt_default(context, &kt); - else - ret = krb5_kt_resolve(context, keytab, &kt); - if(ret) - return ret; - ret = krb5_get_init_creds_keytab (context, - &cred, - client, - kt, - 0, - server_name, - &opt); - krb5_kt_close(context, kt); - } else { - ret = krb5_get_init_creds_password (context, - &cred, - client, - password, - prompter, - NULL, - 0, - server_name, - &opt); - } - switch(ret){ - case 0: - break; - case KRB5_LIBOS_PWDINTR: /* don't print anything if it was just C-c:ed */ - case KRB5KRB_AP_ERR_BAD_INTEGRITY: - case KRB5KRB_AP_ERR_MODIFIED: - return KADM5_BAD_PASSWORD; - default: - return ret; - } - ret = krb5_cc_gen_new(context, &krb5_mcc_ops, &id); - if(ret) - return ret; - ret = krb5_cc_initialize 
(context, id, cred.client); - if (ret) - return ret; - ret = krb5_cc_store_cred (context, id, &cred); - if (ret) - return ret; - krb5_free_creds_contents (context, &cred); - *ret_cache = id; - return 0; -} - -static krb5_error_code -get_cred_cache(krb5_context context, - const char *client_name, - const char *server_name, - const char *password, - krb5_prompter_fct prompter, - const char *keytab, - krb5_ccache ccache, - krb5_ccache *ret_cache) -{ - krb5_error_code ret; - krb5_ccache id = NULL; - krb5_principal default_client = NULL, client = NULL; - - /* treat empty password as NULL */ - if(password && *password == '\0') - password = NULL; - if(server_name == NULL) - server_name = KADM5_ADMIN_SERVICE; - - if(client_name != NULL) { - ret = krb5_parse_name(context, client_name, &client); - if(ret) - return ret; - } - - if(password != NULL || prompter != NULL) { - /* get principal from default cache, ok if this doesn't work */ - ret = krb5_cc_default(context, &id); - if(ret == 0) { - ret = krb5_cc_get_principal(context, id, &default_client); - if(ret) { - krb5_cc_close(context, id); - id = NULL; - } else { - const char *name, *inst; - krb5_principal tmp; - name = krb5_principal_get_comp_string(context, - default_client, 0); - inst = krb5_principal_get_comp_string(context, - default_client, 1); - if(inst == NULL || strcmp(inst, "admin") != 0) { - ret = krb5_make_principal(context, &tmp, NULL, - name, "admin", NULL); - if(ret != 0) { - krb5_free_principal(context, default_client); - krb5_cc_close(context, id); - return ret; - } - krb5_free_principal(context, default_client); - default_client = tmp; - krb5_cc_close(context, id); - id = NULL; - } - } - } - - if (client != NULL) { - /* A client was specified by the caller. 
*/ - if (default_client != NULL) { - krb5_free_principal(context, default_client); - default_client = NULL; - } - } - else if (default_client != NULL) - /* No client was specified by the caller, but we have a - * client from the default credentials cache. - */ - client = default_client; - else { - /* No client was specified by the caller and we cannot determine - * the client from a credentials cache. - */ - const char *user; - - user = get_default_username (); - - if(user == NULL) - return KADM5_FAILURE; - ret = krb5_make_principal(context, &client, - NULL, user, "admin", NULL); - if(ret) - return ret; - if (id != NULL) { - krb5_cc_close(context, id); - id = NULL; - } - } - } else if(ccache != NULL) - id = ccache; - - if(id && (default_client == NULL || - krb5_principal_compare(context, client, default_client))) { - ret = get_kadm_ticket(context, id, client, server_name); - if(ret == 0) { - *ret_cache = id; - krb5_free_principal(context, default_client); - if (default_client != client) - krb5_free_principal(context, client); - return 0; - } - if(ccache != NULL) - /* couldn't get ticket from cache */ - return -1; - } - /* get creds via AS request */ - if(id) - krb5_cc_close(context, id); - if (client != default_client) - krb5_free_principal(context, default_client); - - ret = get_new_cache(context, client, password, prompter, keytab, - server_name, ret_cache); - krb5_free_principal(context, client); - return ret; -} - -static kadm5_ret_t -kadm_connect(kadm5_client_context *ctx) -{ - kadm5_ret_t ret; - krb5_principal server; - krb5_ccache cc; - int s; - struct addrinfo *ai, *a; - struct addrinfo hints; - int error; - char portstr[NI_MAXSERV]; - char *hostname, *slash; - char *service_name; - krb5_context context = ctx->context; - - memset (&hints, 0, sizeof(hints)); - hints.ai_socktype = SOCK_STREAM; - hints.ai_protocol = IPPROTO_TCP; - - snprintf (portstr, sizeof(portstr), "%u", ntohs(ctx->kadmind_port)); - - hostname = ctx->admin_server; - slash = strchr 
(hostname, '/'); - if (slash != NULL) - hostname = slash + 1; - - error = getaddrinfo (hostname, portstr, &hints, &ai); - if (error) - return KADM5_BAD_SERVER_NAME; - - for (a = ai; a != NULL; a = a->ai_next) { - s = socket (a->ai_family, a->ai_socktype, a->ai_protocol); - if (s < 0) - continue; - if (connect (s, a->ai_addr, a->ai_addrlen) < 0) { - krb5_warn (context, errno, "connect(%s)", hostname); - close (s); - continue; - } - break; - } - if (a == NULL) { - freeaddrinfo (ai); - krb5_warnx (context, "failed to contact %s", hostname); - return KADM5_FAILURE; - } - ret = get_cred_cache(context, ctx->client_name, ctx->service_name, - NULL, ctx->prompter, ctx->keytab, - ctx->ccache, &cc); - - if(ret) { - freeaddrinfo (ai); - close(s); - return ret; - } - - if (ctx->realm) - asprintf(&service_name, "%s@%s", KADM5_ADMIN_SERVICE, ctx->realm); - else - asprintf(&service_name, "%s", KADM5_ADMIN_SERVICE); - - if (service_name == NULL) { - freeaddrinfo (ai); - close(s); - return ENOMEM; - } - - ret = krb5_parse_name(context, service_name, &server); - free(service_name); - if(ret) { - freeaddrinfo (ai); - if(ctx->ccache == NULL) - krb5_cc_close(context, cc); - close(s); - return ret; - } - ctx->ac = NULL; - - ret = krb5_sendauth(context, &ctx->ac, &s, - KADMIN_APPL_VERSION, NULL, - server, AP_OPTS_MUTUAL_REQUIRED, - NULL, NULL, cc, NULL, NULL, NULL); - if(ret == 0) { - krb5_data params; - kadm5_config_params p; - memset(&p, 0, sizeof(p)); - if(ctx->realm) { - p.mask |= KADM5_CONFIG_REALM; - p.realm = ctx->realm; - } - ret = _kadm5_marshal_params(context, &p, ¶ms); - - ret = krb5_write_priv_message(context, ctx->ac, &s, ¶ms); - krb5_data_free(¶ms); - if(ret) { - freeaddrinfo (ai); - close(s); - if(ctx->ccache == NULL) - krb5_cc_close(context, cc); - return ret; - } - } else if(ret == KRB5_SENDAUTH_BADAPPLVERS) { - close(s); - - s = socket (a->ai_family, a->ai_socktype, a->ai_protocol); - if (s < 0) { - freeaddrinfo (ai); - return errno; - } - if (connect (s, a->ai_addr, 
a->ai_addrlen) < 0) { - close (s); - freeaddrinfo (ai); - return errno; - } - ret = krb5_sendauth(context, &ctx->ac, &s, - KADMIN_OLD_APPL_VERSION, NULL, - server, AP_OPTS_MUTUAL_REQUIRED, - NULL, NULL, cc, NULL, NULL, NULL); - } - freeaddrinfo (ai); - if(ret) { - close(s); - return ret; - } - - krb5_free_principal(context, server); - if(ctx->ccache == NULL) - krb5_cc_close(context, cc); - if(ret) { - close(s); - return ret; - } - ctx->sock = s; - - return 0; -} - -kadm5_ret_t -_kadm5_connect(void *handle) -{ - kadm5_client_context *ctx = handle; - if(ctx->sock == -1) - return kadm_connect(ctx); - return 0; -} - -static kadm5_ret_t -kadm5_c_init_with_context(krb5_context context, - const char *client_name, - const char *password, - krb5_prompter_fct prompter, - const char *keytab, - krb5_ccache ccache, - const char *service_name, - kadm5_config_params *realm_params, - unsigned long struct_version, - unsigned long api_version, - void **server_handle) -{ - kadm5_ret_t ret; - kadm5_client_context *ctx; - krb5_ccache cc; - - ret = _kadm5_c_init_context(&ctx, realm_params, context); - if(ret) - return ret; - - if(password != NULL && *password != '\0') { - ret = get_cred_cache(context, client_name, service_name, - password, prompter, keytab, ccache, &cc); - if(ret) - return ret; /* XXX */ - ccache = cc; - } - - - if (client_name != NULL) - ctx->client_name = strdup(client_name); - else - ctx->client_name = NULL; - if (service_name != NULL) - ctx->service_name = strdup(service_name); - else - ctx->service_name = NULL; - ctx->prompter = prompter; - ctx->keytab = keytab; - ctx->ccache = ccache; - /* maybe we should copy the params here */ - ctx->sock = -1; - - *server_handle = ctx; - return 0; -} - -static kadm5_ret_t -init_context(const char *client_name, - const char *password, - krb5_prompter_fct prompter, - const char *keytab, - krb5_ccache ccache, - const char *service_name, - kadm5_config_params *realm_params, - unsigned long struct_version, - unsigned long 
api_version, - void **server_handle) -{ - krb5_context context; - kadm5_ret_t ret; - kadm5_server_context *ctx; - - ret = krb5_init_context(&context); - if (ret) - return ret; - ret = kadm5_c_init_with_context(context, - client_name, - password, - prompter, - keytab, - ccache, - service_name, - realm_params, - struct_version, - api_version, - server_handle); - if(ret){ - krb5_free_context(context); - return ret; - } - ctx = *server_handle; - ctx->my_context = 1; - return 0; -} - -kadm5_ret_t -kadm5_c_init_with_password_ctx(krb5_context context, - const char *client_name, - const char *password, - const char *service_name, - kadm5_config_params *realm_params, - unsigned long struct_version, - unsigned long api_version, - void **server_handle) -{ - return kadm5_c_init_with_context(context, - client_name, - password, - krb5_prompter_posix, - NULL, - NULL, - service_name, - realm_params, - struct_version, - api_version, - server_handle); -} - -kadm5_ret_t -kadm5_c_init_with_password(const char *client_name, - const char *password, - const char *service_name, - kadm5_config_params *realm_params, - unsigned long struct_version, - unsigned long api_version, - void **server_handle) -{ - return init_context(client_name, - password, - krb5_prompter_posix, - NULL, - NULL, - service_name, - realm_params, - struct_version, - api_version, - server_handle); -} - -kadm5_ret_t -kadm5_c_init_with_skey_ctx(krb5_context context, - const char *client_name, - const char *keytab, - const char *service_name, - kadm5_config_params *realm_params, - unsigned long struct_version, - unsigned long api_version, - void **server_handle) -{ - return kadm5_c_init_with_context(context, - client_name, - NULL, - NULL, - keytab, - NULL, - service_name, - realm_params, - struct_version, - api_version, - server_handle); -} - - -kadm5_ret_t -kadm5_c_init_with_skey(const char *client_name, - const char *keytab, - const char *service_name, - kadm5_config_params *realm_params, - unsigned long struct_version, 
- unsigned long api_version, - void **server_handle) -{ - return init_context(client_name, - NULL, - NULL, - keytab, - NULL, - service_name, - realm_params, - struct_version, - api_version, - server_handle); -} - -kadm5_ret_t -kadm5_c_init_with_creds_ctx(krb5_context context, - const char *client_name, - krb5_ccache ccache, - const char *service_name, - kadm5_config_params *realm_params, - unsigned long struct_version, - unsigned long api_version, - void **server_handle) -{ - return kadm5_c_init_with_context(context, - client_name, - NULL, - NULL, - NULL, - ccache, - service_name, - realm_params, - struct_version, - api_version, - server_handle); -} - -kadm5_ret_t -kadm5_c_init_with_creds(const char *client_name, - krb5_ccache ccache, - const char *service_name, - kadm5_config_params *realm_params, - unsigned long struct_version, - unsigned long api_version, - void **server_handle) -{ - return init_context(client_name, - NULL, - NULL, - NULL, - ccache, - service_name, - realm_params, - struct_version, - api_version, - server_handle); -} - -#if 0 -kadm5_ret_t -kadm5_init(char *client_name, char *pass, - char *service_name, - kadm5_config_params *realm_params, - unsigned long struct_version, - unsigned long api_version, - void **server_handle) -{ -} -#endif - diff --git a/crypto/heimdal-0.6.3/lib/kadm5/init_s.c b/crypto/heimdal-0.6.3/lib/kadm5/init_s.c deleted file mode 100644 index bf5d036d8f..0000000000 --- a/crypto/heimdal-0.6.3/lib/kadm5/init_s.c +++ /dev/null 
@@ -1,238 +0,0 @@ -/* - * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "kadm5_locl.h" - -RCSID("$Id: init_s.c,v 1.10 2000/12/31 08:01:16 assar Exp $"); - - -static kadm5_ret_t -kadm5_s_init_with_context(krb5_context context, - const char *client_name, - const char *service_name, - kadm5_config_params *realm_params, - unsigned long struct_version, - unsigned long api_version, - void **server_handle) -{ - kadm5_ret_t ret; - kadm5_server_context *ctx; - ret = _kadm5_s_init_context(&ctx, realm_params, context); - if(ret) - return ret; - - assert(ctx->config.dbname != NULL); - assert(ctx->config.stash_file != NULL); - assert(ctx->config.acl_file != NULL); - assert(ctx->log_context.log_file != NULL); - assert(ctx->log_context.socket_name.sun_path[0] != '\0'); - - ret = hdb_create(ctx->context, &ctx->db, ctx->config.dbname); - if(ret) - return ret; - ret = hdb_set_master_keyfile (ctx->context, - ctx->db, ctx->config.stash_file); - if(ret) - return ret; - - ctx->log_context.log_fd = -1; - - ctx->log_context.socket_fd = socket (AF_UNIX, SOCK_DGRAM, 0); - - ret = krb5_parse_name(ctx->context, client_name, &ctx->caller); - if(ret) - return ret; - - ret = _kadm5_acl_init(ctx); - if(ret) - return ret; - - *server_handle = ctx; - return 0; -} - -kadm5_ret_t -kadm5_s_init_with_password_ctx(krb5_context context, - const char *client_name, - const char *password, - const char *service_name, - kadm5_config_params *realm_params, - unsigned long struct_version, - unsigned long api_version, - void **server_handle) -{ - return kadm5_s_init_with_context(context, - client_name, - service_name, - realm_params, - struct_version, - api_version, - server_handle); -} - -kadm5_ret_t -kadm5_s_init_with_password(const char *client_name, - const char *password, - const char *service_name, - kadm5_config_params *realm_params, - unsigned long struct_version, - unsigned long api_version, - void **server_handle) -{ - krb5_context context; - kadm5_ret_t ret; - kadm5_server_context *ctx; - - ret = krb5_init_context(&context); - if (ret) - return ret; - ret 
= kadm5_s_init_with_password_ctx(context, - client_name, - password, - service_name, - realm_params, - struct_version, - api_version, - server_handle); - if(ret){ - krb5_free_context(context); - return ret; - } - ctx = *server_handle; - ctx->my_context = 1; - return 0; -} - -kadm5_ret_t -kadm5_s_init_with_skey_ctx(krb5_context context, - const char *client_name, - const char *keytab, - const char *service_name, - kadm5_config_params *realm_params, - unsigned long struct_version, - unsigned long api_version, - void **server_handle) -{ - return kadm5_s_init_with_context(context, - client_name, - service_name, - realm_params, - struct_version, - api_version, - server_handle); -} - -kadm5_ret_t -kadm5_s_init_with_skey(const char *client_name, - const char *keytab, - const char *service_name, - kadm5_config_params *realm_params, - unsigned long struct_version, - unsigned long api_version, - void **server_handle) -{ - krb5_context context; - kadm5_ret_t ret; - kadm5_server_context *ctx; - - ret = krb5_init_context(&context); - if (ret) - return ret; - ret = kadm5_s_init_with_skey_ctx(context, - client_name, - keytab, - service_name, - realm_params, - struct_version, - api_version, - server_handle); - if(ret){ - krb5_free_context(context); - return ret; - } - ctx = *server_handle; - ctx->my_context = 1; - return 0; -} - -kadm5_ret_t -kadm5_s_init_with_creds_ctx(krb5_context context, - const char *client_name, - krb5_ccache ccache, - const char *service_name, - kadm5_config_params *realm_params, - unsigned long struct_version, - unsigned long api_version, - void **server_handle) -{ - return kadm5_s_init_with_context(context, - client_name, - service_name, - realm_params, - struct_version, - api_version, - server_handle); -} - -kadm5_ret_t -kadm5_s_init_with_creds(const char *client_name, - krb5_ccache ccache, - const char *service_name, - kadm5_config_params *realm_params, - unsigned long struct_version, - unsigned long api_version, - void **server_handle) -{ - 
krb5_context context; - kadm5_ret_t ret; - kadm5_server_context *ctx; - - ret = krb5_init_context(&context); - if (ret) - return ret; - ret = kadm5_s_init_with_creds_ctx(context, - client_name, - ccache, - service_name, - realm_params, - struct_version, - api_version, - server_handle); - if(ret){ - krb5_free_context(context); - return ret; - } - ctx = *server_handle; - ctx->my_context = 1; - return 0; -} diff --git a/crypto/heimdal-0.6.3/lib/kadm5/iprop.h b/crypto/heimdal-0.6.3/lib/kadm5/iprop.h deleted file mode 100644 index e02a9d604a..0000000000 --- a/crypto/heimdal-0.6.3/lib/kadm5/iprop.h +++ /dev/null 
@@ -1,68 +0,0 @@
-/*
- * Copyright (c) 1998-2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: iprop.h,v 1.7 2002/07/04 14:39:19 joda Exp $ */
-
-#ifndef __IPROP_H__
-#define __IPROP_H__
-
-#include "kadm5_locl.h"
-#include /* _krb5_{get,put}_int */
-#include
-#ifdef HAVE_SYS_SELECT_H
-#include
-#endif
-#ifdef HAVE_UTIL_H
-#include
-#endif
-
-#define IPROP_VERSION "iprop-0.0"
-
-#define KADM5_SLAVE_ACL HDB_DB_DIR "/slaves"
-
-#define KADM5_SLAVE_STATS HDB_DB_DIR "/slaves-stats"
-
-#define IPROP_NAME "iprop"
-
-#define IPROP_SERVICE "iprop"
-
-#define IPROP_PORT 2121
-
-enum iprop_cmd { I_HAVE = 1,
- FOR_YOU = 2,
- TELL_YOU_EVERYTHING = 3,
- ONE_PRINC = 4,
- NOW_YOU_HAVE = 5
-};
-
-#endif /* __IPROP_H__ */
diff --git a/crypto/heimdal-0.6.3/lib/kadm5/ipropd_master.c b/crypto/heimdal-0.6.3/lib/kadm5/ipropd_master.c
deleted file mode 100644
index 537d403195..0000000000
--- a/crypto/heimdal-0.6.3/lib/kadm5/ipropd_master.c
+++ /dev/null
@@ -1,638 +0,0 @@ -/* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "iprop.h" -#include - -RCSID("$Id: ipropd_master.c,v 1.29 2003/03/19 11:56:38 lha Exp $"); - -static krb5_log_facility *log_facility; - -const char *slave_stats_file = KADM5_SLAVE_STATS; - -static int -make_signal_socket (krb5_context context) -{ - struct sockaddr_un addr; - int fd; - - fd = socket (AF_UNIX, SOCK_DGRAM, 0); - if (fd < 0) - krb5_err (context, 1, errno, "socket AF_UNIX"); - memset (&addr, 0, sizeof(addr)); - addr.sun_family = AF_UNIX; - strlcpy (addr.sun_path, KADM5_LOG_SIGNAL, sizeof(addr.sun_path)); - unlink (addr.sun_path); - if (bind (fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) - krb5_err (context, 1, errno, "bind %s", addr.sun_path); - return fd; -} - -static int -make_listen_socket (krb5_context context) -{ - int fd; - int one = 1; - struct sockaddr_in addr; - - fd = socket (AF_INET, SOCK_STREAM, 0); - if (fd < 0) - krb5_err (context, 1, errno, "socket AF_INET"); - setsockopt (fd, SOL_SOCKET, SO_REUSEADDR, (void *)&one, sizeof(one)); - memset (&addr, 0, sizeof(addr)); - addr.sin_family = AF_INET; - addr.sin_port = krb5_getportbyname (context, - IPROP_SERVICE, "tcp", IPROP_PORT); - if(bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) - krb5_err (context, 1, errno, "bind"); - if (listen(fd, SOMAXCONN) < 0) - krb5_err (context, 1, errno, "listen"); - return fd; -} - -struct slave { - int fd; - struct sockaddr_in addr; - char *name; - krb5_auth_context ac; - u_int32_t version; - time_t seen; - unsigned long flags; -#define SLAVE_F_DEAD 0x1 - struct slave *next; -}; - -typedef struct slave slave; - -static int -check_acl (krb5_context context, const char *name) -{ - FILE *fp; - char buf[256]; - int ret = 1; - - fp = fopen (KADM5_SLAVE_ACL, "r"); - if (fp == NULL) - return 1; - while (fgets(buf, sizeof(buf), fp) != NULL) { - if (buf[strlen(buf) - 1 ] == '\n') - buf[strlen(buf) - 1 ] = '\0'; - if (strcmp (buf, name) == 0) { - ret = 0; - break; - } - } - fclose (fp); - return ret; -} - -static void -slave_seen(slave *s) -{ - 
s->seen = time(NULL); -} - -static void -slave_dead(slave *s) -{ - if (s->fd >= 0) { - close (s->fd); - s->fd = -1; - } - s->flags |= SLAVE_F_DEAD; - slave_seen(s); -} - -static void -remove_slave (krb5_context context, slave *s, slave **root) -{ - slave **p; - - if (s->fd >= 0) - close (s->fd); - if (s->name) - free (s->name); - if (s->ac) - krb5_auth_con_free (context, s->ac); - - for (p = root; *p; p = &(*p)->next) - if (*p == s) { - *p = s->next; - break; - } - free (s); -} - -static void -add_slave (krb5_context context, krb5_keytab keytab, slave **root, int fd) -{ - krb5_principal server; - krb5_error_code ret; - slave *s; - socklen_t addr_len; - krb5_ticket *ticket = NULL; - char hostname[128]; - - s = malloc(sizeof(*s)); - if (s == NULL) { - krb5_warnx (context, "add_slave: no memory"); - return; - } - s->name = NULL; - s->ac = NULL; - - addr_len = sizeof(s->addr); - s->fd = accept (fd, (struct sockaddr *)&s->addr, &addr_len); - if (s->fd < 0) { - krb5_warn (context, errno, "accept"); - goto error; - } - gethostname(hostname, sizeof(hostname)); - ret = krb5_sname_to_principal (context, hostname, IPROP_NAME, - KRB5_NT_SRV_HST, &server); - if (ret) { - krb5_warn (context, ret, "krb5_sname_to_principal"); - goto error; - } - - ret = krb5_recvauth (context, &s->ac, &s->fd, - IPROP_VERSION, server, 0, keytab, &ticket); - krb5_free_principal (context, server); - if (ret) { - krb5_warn (context, ret, "krb5_recvauth"); - goto error; - } - ret = krb5_unparse_name (context, ticket->client, &s->name); - if (ret) { - krb5_warn (context, ret, "krb5_unparse_name"); - goto error; - } - if (check_acl (context, s->name)) { - krb5_warnx (context, "%s not in acl", s->name); - goto error; - } - krb5_free_ticket (context, ticket); - ticket = NULL; - - { - slave *l = *root; - - while (l) { - if (strcmp(l->name, s->name) == 0) - break; - l = l->next; - } - if (l) { - if (l->flags & SLAVE_F_DEAD) { - remove_slave(context, l, root); - } else { - krb5_warnx (context, "second 
connection from %s", s->name); - goto error; - } - } - } - - krb5_warnx (context, "connection from %s", s->name); - - s->version = 0; - s->flags = 0; - slave_seen(s); - s->next = *root; - *root = s; - return; -error: - remove_slave(context, s, root); -} - -struct prop_context { - krb5_auth_context auth_context; - int fd; -}; - -static int -prop_one (krb5_context context, HDB *db, hdb_entry *entry, void *v) -{ - krb5_error_code ret; - krb5_data data; - struct slave *slave = (struct slave *)v; - - ret = hdb_entry2value (context, entry, &data); - if (ret) - return ret; - ret = krb5_data_realloc (&data, data.length + 4); - if (ret) { - krb5_data_free (&data); - return ret; - } - memmove ((char *)data.data + 4, data.data, data.length - 4); - _krb5_put_int (data.data, ONE_PRINC, 4); - - ret = krb5_write_priv_message (context, slave->ac, &slave->fd, &data); - krb5_data_free (&data); - return ret; -} - -static int -send_complete (krb5_context context, slave *s, - const char *database, u_int32_t current_version) -{ - krb5_error_code ret; - HDB *db; - krb5_data data; - char buf[8]; - - ret = hdb_create (context, &db, database); - if (ret) - krb5_err (context, 1, ret, "hdb_create: %s", database); - ret = db->open (context, db, O_RDONLY, 0); - if (ret) - krb5_err (context, 1, ret, "db->open"); - - _krb5_put_int(buf, TELL_YOU_EVERYTHING, 4); - - data.data = buf; - data.length = 4; - - ret = krb5_write_priv_message(context, s->ac, &s->fd, &data); - - if (ret) { - krb5_warn (context, ret, "krb5_write_priv_message"); - slave_dead(s); - return ret; - } - - ret = hdb_foreach (context, db, 0, prop_one, s); - if (ret) { - krb5_warn (context, ret, "hdb_foreach"); - slave_dead(s); - return ret; - } - - _krb5_put_int (buf, NOW_YOU_HAVE, 4); - _krb5_put_int (buf + 4, current_version, 4); - data.length = 8; - - s->version = current_version; - - ret = krb5_write_priv_message(context, s->ac, &s->fd, &data); - if (ret) { - slave_dead(s); - krb5_warn (context, ret, "krb5_write_priv_message"); 
- return ret; - } - - slave_seen(s); - - return 0; -} - -static int -send_diffs (krb5_context context, slave *s, int log_fd, - const char *database, u_int32_t current_version) -{ - krb5_storage *sp; - u_int32_t ver; - time_t timestamp; - enum kadm_ops op; - u_int32_t len; - off_t right, left; - krb5_data data; - int ret = 0; - - if (s->version == current_version) - return 0; - - if (s->flags & SLAVE_F_DEAD) - return 0; - - sp = kadm5_log_goto_end (log_fd); - right = krb5_storage_seek(sp, 0, SEEK_CUR); - for (;;) { - if (kadm5_log_previous (sp, &ver, ×tamp, &op, &len)) - abort (); - left = krb5_storage_seek(sp, -16, SEEK_CUR); - if (ver == s->version) - return 0; - if (ver == s->version + 1) - break; - if (left == 0) - return send_complete (context, s, database, current_version); - } - krb5_data_alloc (&data, right - left + 4); - krb5_storage_read (sp, (char *)data.data + 4, data.length - 4); - krb5_storage_free(sp); - - _krb5_put_int(data.data, FOR_YOU, 4); - - ret = krb5_write_priv_message(context, s->ac, &s->fd, &data); - krb5_data_free(&data); - - if (ret) { - krb5_warn (context, ret, "krb5_write_priv_message"); - slave_dead(s); - return 1; - } - slave_seen(s); - - return 0; -} - -static int -process_msg (krb5_context context, slave *s, int log_fd, - const char *database, u_int32_t current_version) -{ - int ret = 0; - krb5_data out; - krb5_storage *sp; - int32_t tmp; - - ret = krb5_read_priv_message(context, s->ac, &s->fd, &out); - if(ret) { - krb5_warn (context, ret, "error reading message from %s", s->name); - return 1; - } - - sp = krb5_storage_from_mem (out.data, out.length); - krb5_ret_int32 (sp, &tmp); - switch (tmp) { - case I_HAVE : - krb5_ret_int32 (sp, &tmp); - s->version = tmp; - ret = send_diffs (context, s, log_fd, database, current_version); - break; - case FOR_YOU : - default : - krb5_warnx (context, "Ignoring command %d", tmp); - break; - } - - krb5_data_free (&out); - - slave_seen(s); - - return ret; -} - -#define SLAVE_NAME "Name" -#define 
SLAVE_ADDRESS "Address" -#define SLAVE_VERSION "Version" -#define SLAVE_STATUS "Status" -#define SLAVE_SEEN "Last Seen" - -static void -write_stats(krb5_context context, slave *slaves, u_int32_t current_version) -{ - char str[100]; - rtbl_t tbl; - time_t t = time(NULL); - FILE *fp; - - fp = fopen(slave_stats_file, "w"); - if (fp == NULL) - return; - - strftime(str, sizeof(str), "%Y-%m-%d %H:%M:%S", - localtime(&t)); - fprintf(fp, "Status for slaves, last updated: %s\n\n", str); - - fprintf(fp, "Master version: %lu\n\n", (unsigned long)current_version); - - tbl = rtbl_create(); - if (tbl == NULL) { - fclose(fp); - return; - } - - rtbl_add_column(tbl, SLAVE_NAME, 0); - rtbl_add_column(tbl, SLAVE_ADDRESS, 0); - rtbl_add_column(tbl, SLAVE_VERSION, RTBL_ALIGN_RIGHT); - rtbl_add_column(tbl, SLAVE_STATUS, 0); - rtbl_add_column(tbl, SLAVE_SEEN, 0); - - rtbl_set_prefix(tbl, " "); - rtbl_set_column_prefix(tbl, SLAVE_NAME, ""); - - while (slaves) { - krb5_address addr; - krb5_error_code ret; - rtbl_add_column_entry(tbl, SLAVE_NAME, slaves->name); - ret = krb5_sockaddr2address (context, - (struct sockaddr*)&slaves->addr, &addr); - if(ret == 0) { - krb5_print_address(&addr, str, sizeof(str), NULL); - krb5_free_address(context, &addr); - rtbl_add_column_entry(tbl, SLAVE_ADDRESS, str); - } else - rtbl_add_column_entry(tbl, SLAVE_ADDRESS, ""); - - snprintf(str, sizeof(str), "%u", (unsigned)slaves->version); - rtbl_add_column_entry(tbl, SLAVE_VERSION, str); - - if (slaves->flags & SLAVE_F_DEAD) - rtbl_add_column_entry(tbl, SLAVE_STATUS, "Down"); - else - rtbl_add_column_entry(tbl, SLAVE_STATUS, "Up"); - - if (strftime(str, sizeof(str), "%Y-%m-%d %H:%M:%S %Z", - localtime(&slaves->seen)) == 0) - strlcpy(str, "Unknown time", sizeof(str)); - rtbl_add_column_entry(tbl, SLAVE_SEEN, str); - - slaves = slaves->next; - } - - rtbl_format(tbl, fp); - rtbl_destroy(tbl); - - fclose(fp); -} - - -static char *realm; -static int version_flag; -static int help_flag; -static char *keytab_str = 
"HDB:"; -static char *database; - -static struct getargs args[] = { - { "realm", 'r', arg_string, &realm }, - { "keytab", 'k', arg_string, &keytab_str, - "keytab to get authentication from", "kspec" }, - { "database", 'd', arg_string, &database, "database", "file"}, - { "slave-stats-file", 0, arg_string, &slave_stats_file, "file"}, - { "version", 0, arg_flag, &version_flag }, - { "help", 0, arg_flag, &help_flag } -}; -static int num_args = sizeof(args) / sizeof(args[0]); - -int -main(int argc, char **argv) -{ - krb5_error_code ret; - krb5_context context; - void *kadm_handle; - kadm5_server_context *server_context; - kadm5_config_params conf; - int signal_fd, listen_fd; - int log_fd; - slave *slaves = NULL; - u_int32_t current_version, old_version = 0; - krb5_keytab keytab; - int optind; - - optind = krb5_program_setup(&context, argc, argv, args, num_args, NULL); - - if(help_flag) - krb5_std_usage(0, args, num_args); - if(version_flag) { - print_version(NULL); - exit(0); - } - - pidfile (NULL); - krb5_openlog (context, "ipropd-master", &log_facility); - krb5_set_warn_dest(context, log_facility); - - ret = krb5_kt_register(context, &hdb_kt_ops); - if(ret) - krb5_err(context, 1, ret, "krb5_kt_register"); - - ret = krb5_kt_resolve(context, keytab_str, &keytab); - if(ret) - krb5_err(context, 1, ret, "krb5_kt_resolve: %s", keytab_str); - - memset(&conf, 0, sizeof(conf)); - if(realm) { - conf.mask |= KADM5_CONFIG_REALM; - conf.realm = realm; - } - ret = kadm5_init_with_skey_ctx (context, - KADM5_ADMIN_SERVICE, - NULL, - KADM5_ADMIN_SERVICE, - &conf, 0, 0, - &kadm_handle); - if (ret) - krb5_err (context, 1, ret, "kadm5_init_with_password_ctx"); - - server_context = (kadm5_server_context *)kadm_handle; - - log_fd = open (server_context->log_context.log_file, O_RDONLY, 0); - if (log_fd < 0) - krb5_err (context, 1, errno, "open %s", - server_context->log_context.log_file); - - signal_fd = make_signal_socket (context); - listen_fd = make_listen_socket (context); - - signal 
(SIGPIPE, SIG_IGN); - - for (;;) { - slave *p; - fd_set readset; - int max_fd = 0; - struct timeval to = {30, 0}; - u_int32_t vers; - - if (signal_fd >= FD_SETSIZE || listen_fd >= FD_SETSIZE) - krb5_errx (context, 1, "fd too large"); - - FD_ZERO(&readset); - FD_SET(signal_fd, &readset); - max_fd = max(max_fd, signal_fd); - FD_SET(listen_fd, &readset); - max_fd = max(max_fd, listen_fd); - - for (p = slaves; p != NULL; p = p->next) { - if (p->flags & SLAVE_F_DEAD) - continue; - FD_SET(p->fd, &readset); - max_fd = max(max_fd, p->fd); - } - - ret = select (max_fd + 1, - &readset, NULL, NULL, &to); - if (ret < 0) { - if (errno == EINTR) - continue; - else - krb5_err (context, 1, errno, "select"); - } - - if (ret == 0) { - old_version = current_version; - kadm5_log_get_version_fd (log_fd, ¤t_version); - - if (current_version > old_version) - for (p = slaves; p != NULL; p = p->next) { - if (p->flags & SLAVE_F_DEAD) - continue; - send_diffs (context, p, log_fd, database, current_version); - } - } - - if (ret && FD_ISSET(signal_fd, &readset)) { - struct sockaddr_un peer_addr; - socklen_t peer_len = sizeof(peer_addr); - - if(recvfrom(signal_fd, (void *)&vers, sizeof(vers), 0, - (struct sockaddr *)&peer_addr, &peer_len) < 0) { - krb5_warn (context, errno, "recvfrom"); - continue; - } - --ret; - old_version = current_version; - kadm5_log_get_version_fd (log_fd, ¤t_version); - for (p = slaves; p != NULL; p = p->next) - send_diffs (context, p, log_fd, database, current_version); - } - - for(p = slaves; ret && p != NULL; p = p->next) { - if (p->flags & SLAVE_F_DEAD) - continue; - if (FD_ISSET(p->fd, &readset)) { - --ret; - if(process_msg (context, p, log_fd, database, current_version)) - slave_dead(p); - } - } - - if (ret && FD_ISSET(listen_fd, &readset)) { - add_slave (context, keytab, &slaves, listen_fd); - --ret; - } - write_stats(context, slaves, current_version); - } - - return 0; -} 
diff --git a/crypto/heimdal-0.6.3/lib/kadm5/ipropd_slave.c b/crypto/heimdal-0.6.3/lib/kadm5/ipropd_slave.c
deleted file mode 100644
index abeb29d9ac..0000000000
--- a/crypto/heimdal-0.6.3/lib/kadm5/ipropd_slave.c
+++ /dev/null
@@ -1,455 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "iprop.h"
-
-RCSID("$Id: ipropd_slave.c,v 1.27.2.1 2003/08/15 16:45:15 lha Exp $");
-
-static krb5_log_facility *log_facility;
-
-static int
-connect_to_master (krb5_context context, const char *master)
-{
- int fd;
- struct sockaddr_in addr;
- struct hostent *he;
-
- fd = socket (AF_INET, SOCK_STREAM, 0);
- if (fd < 0)
- krb5_err (context, 1, errno, "socket AF_INET");
- memset (&addr, 0, sizeof(addr));
- addr.sin_family = AF_INET;
- addr.sin_port = krb5_getportbyname (context,
- IPROP_SERVICE, "tcp", IPROP_PORT);
- he = roken_gethostbyname (master);
- if (he == NULL)
- krb5_errx (context, 1, "gethostbyname: %s", hstrerror(h_errno));
- memcpy (&addr.sin_addr, he->h_addr, sizeof(addr.sin_addr));
- if(connect(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0)
- krb5_err (context, 1, errno, "connect");
- return fd;
-}
-
-static void
-get_creds(krb5_context context, const char *keytab_str,
- krb5_ccache *cache, const char *host)
-{
- krb5_keytab keytab;
- krb5_principal client;
- krb5_error_code ret;
- krb5_get_init_creds_opt init_opts;
- krb5_creds creds;
- char *server;
- char keytab_buf[256];
-
- if (keytab_str == NULL) {
- ret = krb5_kt_default_name (context, keytab_buf, sizeof(keytab_buf));
- if (ret)
- krb5_err (context, 1, ret, "krb5_kt_default_name");
- keytab_str = keytab_buf;
- }
-
- ret = krb5_kt_resolve(context, keytab_str, &keytab);
- if(ret)
- krb5_err(context, 1, ret, "%s", keytab_str);
-
- ret = krb5_sname_to_principal (context, NULL, IPROP_NAME,
- KRB5_NT_SRV_HST, &client);
- if (ret) krb5_err(context, 1, ret, "krb5_sname_to_principal");
-
- krb5_get_init_creds_opt_init(&init_opts);
-
- asprintf (&server, "%s/%s", IPROP_NAME, host);
- if (server == NULL)
- krb5_errx (context, 1, "malloc: no memory");
-
- ret = krb5_get_init_creds_keytab(context, &creds, client, keytab,
- 0, server, &init_opts);
- free (server);
- if(ret) krb5_err(context, 1, ret, "krb5_get_init_creds");
-
- ret = krb5_kt_close(context, keytab);
- if(ret)
krb5_err(context, 1, ret, "krb5_kt_close"); - - ret = krb5_cc_gen_new(context, &krb5_mcc_ops, cache); - if(ret) krb5_err(context, 1, ret, "krb5_cc_gen_new"); - - ret = krb5_cc_initialize(context, *cache, client); - if(ret) krb5_err(context, 1, ret, "krb5_cc_initialize"); - - ret = krb5_cc_store_cred(context, *cache, &creds); - if(ret) krb5_err(context, 1, ret, "krb5_cc_store_cred"); -} - -static void -ihave (krb5_context context, krb5_auth_context auth_context, - int fd, u_int32_t version) -{ - int ret; - u_char buf[8]; - krb5_storage *sp; - krb5_data data, priv_data; - - sp = krb5_storage_from_mem (buf, 8); - krb5_store_int32 (sp, I_HAVE); - krb5_store_int32 (sp, version); - krb5_storage_free (sp); - data.length = 8; - data.data = buf; - - ret = krb5_mk_priv (context, auth_context, &data, &priv_data, NULL); - if (ret) - krb5_err (context, 1, ret, "krb_mk_priv"); - - ret = krb5_write_message (context, &fd, &priv_data); - if (ret) - krb5_err (context, 1, ret, "krb5_write_message"); - - krb5_data_free (&priv_data); -} - -static void -receive_loop (krb5_context context, - krb5_storage *sp, - kadm5_server_context *server_context) -{ - int ret; - off_t left, right; - void *buf; - int32_t vers; - - do { - int32_t len, timestamp, tmp; - enum kadm_ops op; - - if(krb5_ret_int32 (sp, &vers) != 0) - return; - krb5_ret_int32 (sp, ×tamp); - krb5_ret_int32 (sp, &tmp); - op = tmp; - krb5_ret_int32 (sp, &len); - if (vers <= server_context->log_context.version) - krb5_storage_seek(sp, len, SEEK_CUR); - } while(vers <= server_context->log_context.version); - - left = krb5_storage_seek (sp, -16, SEEK_CUR); - right = krb5_storage_seek (sp, 0, SEEK_END); - buf = malloc (right - left); - if (buf == NULL && (right - left) != 0) { - krb5_warnx (context, "malloc: no memory"); - return; - } - krb5_storage_seek (sp, left, SEEK_SET); - krb5_storage_read (sp, buf, right - left); - write (server_context->log_context.log_fd, buf, right-left); - fsync (server_context->log_context.log_fd); - free 
(buf); - - krb5_storage_seek (sp, left, SEEK_SET); - - for(;;) { - int32_t len, timestamp, tmp; - enum kadm_ops op; - - if(krb5_ret_int32 (sp, &vers) != 0) - break; - krb5_ret_int32 (sp, ×tamp); - krb5_ret_int32 (sp, &tmp); - op = tmp; - krb5_ret_int32 (sp, &len); - - ret = kadm5_log_replay (server_context, - op, vers, len, sp); - if (ret) - krb5_warn (context, ret, "kadm5_log_replay"); - else - server_context->log_context.version = vers; - krb5_storage_seek (sp, 8, SEEK_CUR); - } -} - -static void -receive (krb5_context context, - krb5_storage *sp, - kadm5_server_context *server_context) -{ - int ret; - - ret = server_context->db->open(context, - server_context->db, - O_RDWR | O_CREAT, 0600); - if (ret) - krb5_err (context, 1, ret, "db->open"); - - receive_loop (context, sp, server_context); - - ret = server_context->db->close (context, server_context->db); - if (ret) - krb5_err (context, 1, ret, "db->close"); -} - -static void -receive_everything (krb5_context context, int fd, - kadm5_server_context *server_context, - krb5_auth_context auth_context) -{ - int ret; - krb5_data data; - int32_t vno; - int32_t opcode; - unsigned long tmp; - - char *dbname; - HDB *mydb; - - asprintf(&dbname, "%s-NEW", server_context->db->name); - ret = hdb_create(context, &mydb, dbname); - if(ret) - krb5_err(context,1, ret, "hdb_create"); - free(dbname); - - ret = hdb_set_master_keyfile (context, - mydb, server_context->config.stash_file); - if(ret) - krb5_err(context,1, ret, "hdb_set_master_keyfile"); - - /* I really want to use O_EXCL here, but given that I can't easily clean - up on error, I won't */ - ret = mydb->open(context, mydb, O_RDWR | O_CREAT | O_TRUNC, 0600); - - if (ret) - krb5_err (context, 1, ret, "db->open"); - - do { - krb5_storage *sp; - - ret = krb5_read_priv_message(context, auth_context, &fd, &data); - - if (ret) - krb5_err (context, 1, ret, "krb5_read_priv_message"); - - sp = krb5_storage_from_data (&data); - krb5_ret_int32 (sp, &opcode); - if (opcode == 
ONE_PRINC) { - krb5_data fake_data; - hdb_entry entry; - - fake_data.data = (char *)data.data + 4; - fake_data.length = data.length - 4; - - ret = hdb_value2entry (context, &fake_data, &entry); - if (ret) - krb5_err (context, 1, ret, "hdb_value2entry"); - ret = mydb->store(server_context->context, - mydb, - 0, &entry); - if (ret) - krb5_err (context, 1, ret, "hdb_store"); - - hdb_free_entry (context, &entry); - krb5_data_free (&data); - } - } while (opcode == ONE_PRINC); - - if (opcode != NOW_YOU_HAVE) - krb5_errx (context, 1, "receive_everything: strange %d", opcode); - - _krb5_get_int ((char *)data.data + 4, &tmp, 4); - vno = tmp; - - ret = kadm5_log_reinit (server_context); - if (ret) - krb5_err(context, 1, ret, "kadm5_log_reinit"); - - ret = kadm5_log_set_version (server_context, vno - 1); - if (ret) - krb5_err (context, 1, ret, "kadm5_log_set_version"); - - ret = kadm5_log_nop (server_context); - if (ret) - krb5_err (context, 1, ret, "kadm5_log_nop"); - - krb5_data_free (&data); - - ret = mydb->rename (context, mydb, server_context->db->name); - if (ret) - krb5_err (context, 1, ret, "db->rename"); - - ret = mydb->close (context, mydb); - if (ret) - krb5_err (context, 1, ret, "db->close"); - - ret = mydb->destroy (context, mydb); - if (ret) - krb5_err (context, 1, ret, "db->destroy"); -} - -static char *realm; -static int version_flag; -static int help_flag; -static char *keytab_str; - -static struct getargs args[] = { - { "realm", 'r', arg_string, &realm }, - { "keytab", 'k', arg_string, &keytab_str, - "keytab to get authentication from", "kspec" }, - { "version", 0, arg_flag, &version_flag }, - { "help", 0, arg_flag, &help_flag } -}; - -static int num_args = sizeof(args) / sizeof(args[0]); - -static void -usage (int code, struct getargs *args, int num_args) -{ - arg_printusage (args, num_args, NULL, "master"); - exit (code); -} - -int -main(int argc, char **argv) -{ - krb5_error_code ret; - krb5_context context; - krb5_auth_context auth_context; - void 
*kadm_handle; - kadm5_server_context *server_context; - kadm5_config_params conf; - int master_fd; - krb5_ccache ccache; - krb5_principal server; - - int optind; - const char *master; - - optind = krb5_program_setup(&context, argc, argv, args, num_args, usage); - - if(help_flag) - usage (0, args, num_args); - if(version_flag) { - print_version(NULL); - exit(0); - } - - argc -= optind; - argv += optind; - - if (argc != 1) - usage (1, args, num_args); - - master = argv[0]; - - pidfile (NULL); - krb5_openlog (context, "ipropd-slave", &log_facility); - krb5_set_warn_dest(context, log_facility); - - ret = krb5_kt_register(context, &hdb_kt_ops); - if(ret) - krb5_err(context, 1, ret, "krb5_kt_register"); - - memset(&conf, 0, sizeof(conf)); - if(realm) { - conf.mask |= KADM5_CONFIG_REALM; - conf.realm = realm; - } - ret = kadm5_init_with_password_ctx (context, - KADM5_ADMIN_SERVICE, - NULL, - KADM5_ADMIN_SERVICE, - &conf, 0, 0, - &kadm_handle); - if (ret) - krb5_err (context, 1, ret, "kadm5_init_with_password_ctx"); - - server_context = (kadm5_server_context *)kadm_handle; - - ret = kadm5_log_init (server_context); - if (ret) - krb5_err (context, 1, ret, "kadm5_log_init"); - - get_creds(context, keytab_str, &ccache, master); - - master_fd = connect_to_master (context, master); - - ret = krb5_sname_to_principal (context, master, IPROP_NAME, - KRB5_NT_SRV_HST, &server); - if (ret) - krb5_err (context, 1, ret, "krb5_sname_to_principal"); - - auth_context = NULL; - ret = krb5_sendauth (context, &auth_context, &master_fd, - IPROP_VERSION, NULL, server, - AP_OPTS_MUTUAL_REQUIRED, NULL, NULL, - ccache, NULL, NULL, NULL); - if (ret) - krb5_err (context, 1, ret, "krb5_sendauth"); - - ihave (context, auth_context, master_fd, - server_context->log_context.version); - - for (;;) { - int ret; - krb5_data out; - krb5_storage *sp; - int32_t tmp; - - ret = krb5_read_priv_message(context, auth_context, &master_fd, &out); - - if (ret) - krb5_err (context, 1, ret, "krb5_read_priv_message"); 
- - sp = krb5_storage_from_mem (out.data, out.length); - krb5_ret_int32 (sp, &tmp); - switch (tmp) { - case FOR_YOU : - receive (context, sp, server_context); - ihave (context, auth_context, master_fd, - server_context->log_context.version); - break; - case TELL_YOU_EVERYTHING : - receive_everything (context, master_fd, server_context, - auth_context); - break; - case NOW_YOU_HAVE : - case I_HAVE : - case ONE_PRINC : - default : - krb5_warnx (context, "Ignoring command %d", tmp); - break; - } - krb5_storage_free (sp); - krb5_data_free (&out); - } - - return 0; -} diff --git a/crypto/heimdal-0.6.3/lib/kadm5/kadm5-private.h b/crypto/heimdal-0.6.3/lib/kadm5/kadm5-private.h deleted file mode 100644 index 63e579f99c..0000000000 --- a/crypto/heimdal-0.6.3/lib/kadm5/kadm5-private.h +++ /dev/null 
@@ -1,522 +0,0 @@ -/* This is a generated file */ -#ifndef __kadm5_private_h__ -#define __kadm5_private_h__ - -#include - -kadm5_ret_t -_kadm5_acl_check_permission ( - kadm5_server_context */*context*/, - unsigned /*op*/, - krb5_const_principal /*princ*/); - -kadm5_ret_t -_kadm5_acl_init (kadm5_server_context */*context*/); - -kadm5_ret_t -_kadm5_bump_pw_expire ( - kadm5_server_context */*context*/, - hdb_entry */*ent*/); - -kadm5_ret_t -_kadm5_c_init_context ( - kadm5_client_context **/*ctx*/, - kadm5_config_params */*params*/, - krb5_context /*context*/); - -kadm5_ret_t -_kadm5_client_recv ( - kadm5_client_context */*context*/, - krb5_data */*reply*/); - -kadm5_ret_t -_kadm5_client_send ( - kadm5_client_context */*context*/, - krb5_storage */*sp*/); - -int -_kadm5_cmp_keys ( - Key */*keys1*/, - int /*len1*/, - Key */*keys2*/, - int /*len2*/); - -kadm5_ret_t -_kadm5_connect (void */*handle*/); - -kadm5_ret_t -_kadm5_error_code (kadm5_ret_t /*code*/); - -void -_kadm5_free_keys ( - kadm5_server_context */*context*/, - int /*len*/, - Key */*keys*/); - -void -_kadm5_init_keys ( - Key */*keys*/, - int /*len*/); - -kadm5_ret_t -_kadm5_marshal_params ( - krb5_context /*context*/, - kadm5_config_params */*params*/, - krb5_data */*out*/); - -kadm5_ret_t -_kadm5_privs_to_string ( - u_int32_t /*privs*/, - char */*string*/, - size_t /*len*/); - -HDB * -_kadm5_s_get_db (void */*server_handle*/); - -kadm5_ret_t -_kadm5_s_init_context ( - kadm5_server_context **/*ctx*/, - kadm5_config_params */*params*/, - krb5_context /*context*/); - -kadm5_ret_t -_kadm5_set_keys ( - kadm5_server_context */*context*/, - hdb_entry */*ent*/, - const char */*password*/); - -kadm5_ret_t -_kadm5_set_keys2 ( - kadm5_server_context */*context*/, - hdb_entry */*ent*/, - int16_t /*n_key_data*/, - krb5_key_data */*key_data*/); - -kadm5_ret_t -_kadm5_set_keys3 ( - kadm5_server_context */*context*/, - hdb_entry */*ent*/, - int /*n_keys*/, - krb5_keyblock */*keyblocks*/); - -kadm5_ret_t 
-_kadm5_set_keys_randomly ( - kadm5_server_context */*context*/, - hdb_entry */*ent*/, - krb5_keyblock **/*new_keys*/, - int */*n_keys*/); - -kadm5_ret_t -_kadm5_set_modifier ( - kadm5_server_context */*context*/, - hdb_entry */*ent*/); - -kadm5_ret_t -_kadm5_setup_entry ( - kadm5_server_context */*context*/, - hdb_entry */*ent*/, - u_int32_t /*mask*/, - kadm5_principal_ent_t /*princ*/, - u_int32_t /*princ_mask*/, - kadm5_principal_ent_t /*def*/, - u_int32_t /*def_mask*/); - -kadm5_ret_t -_kadm5_string_to_privs ( - const char */*s*/, - u_int32_t* /*privs*/); - -kadm5_ret_t -_kadm5_unmarshal_params ( - krb5_context /*context*/, - krb5_data */*in*/, - kadm5_config_params */*params*/); - -kadm5_ret_t -kadm5_c_chpass_principal ( - void */*server_handle*/, - krb5_principal /*princ*/, - char */*password*/); - -kadm5_ret_t -kadm5_c_chpass_principal_with_key ( - void */*server_handle*/, - krb5_principal /*princ*/, - int /*n_key_data*/, - krb5_key_data */*key_data*/); - -kadm5_ret_t -kadm5_c_create_principal ( - void */*server_handle*/, - kadm5_principal_ent_t /*princ*/, - u_int32_t /*mask*/, - char */*password*/); - -kadm5_ret_t -kadm5_c_delete_principal ( - void */*server_handle*/, - krb5_principal /*princ*/); - -kadm5_ret_t -kadm5_c_destroy (void */*server_handle*/); - -kadm5_ret_t -kadm5_c_flush (void */*server_handle*/); - -kadm5_ret_t -kadm5_c_get_principal ( - void */*server_handle*/, - krb5_principal /*princ*/, - kadm5_principal_ent_t /*out*/, - u_int32_t /*mask*/); - -kadm5_ret_t -kadm5_c_get_principals ( - void */*server_handle*/, - const char */*exp*/, - char ***/*princs*/, - int */*count*/); - -kadm5_ret_t -kadm5_c_get_privs ( - void */*server_handle*/, - u_int32_t */*privs*/); - -kadm5_ret_t -kadm5_c_init_with_creds ( - const char */*client_name*/, - krb5_ccache /*ccache*/, - const char */*service_name*/, - kadm5_config_params */*realm_params*/, - unsigned long /*struct_version*/, - unsigned long /*api_version*/, - void **/*server_handle*/); - -kadm5_ret_t 
-kadm5_c_init_with_creds_ctx ( - krb5_context /*context*/, - const char */*client_name*/, - krb5_ccache /*ccache*/, - const char */*service_name*/, - kadm5_config_params */*realm_params*/, - unsigned long /*struct_version*/, - unsigned long /*api_version*/, - void **/*server_handle*/); - -kadm5_ret_t -kadm5_c_init_with_password ( - const char */*client_name*/, - const char */*password*/, - const char */*service_name*/, - kadm5_config_params */*realm_params*/, - unsigned long /*struct_version*/, - unsigned long /*api_version*/, - void **/*server_handle*/); - -kadm5_ret_t -kadm5_c_init_with_password_ctx ( - krb5_context /*context*/, - const char */*client_name*/, - const char */*password*/, - const char */*service_name*/, - kadm5_config_params */*realm_params*/, - unsigned long /*struct_version*/, - unsigned long /*api_version*/, - void **/*server_handle*/); - -kadm5_ret_t -kadm5_c_init_with_skey ( - const char */*client_name*/, - const char */*keytab*/, - const char */*service_name*/, - kadm5_config_params */*realm_params*/, - unsigned long /*struct_version*/, - unsigned long /*api_version*/, - void **/*server_handle*/); - -kadm5_ret_t -kadm5_c_init_with_skey_ctx ( - krb5_context /*context*/, - const char */*client_name*/, - const char */*keytab*/, - const char */*service_name*/, - kadm5_config_params */*realm_params*/, - unsigned long /*struct_version*/, - unsigned long /*api_version*/, - void **/*server_handle*/); - -kadm5_ret_t -kadm5_c_modify_principal ( - void */*server_handle*/, - kadm5_principal_ent_t /*princ*/, - u_int32_t /*mask*/); - -kadm5_ret_t -kadm5_c_randkey_principal ( - void */*server_handle*/, - krb5_principal /*princ*/, - krb5_keyblock **/*new_keys*/, - int */*n_keys*/); - -kadm5_ret_t -kadm5_c_rename_principal ( - void */*server_handle*/, - krb5_principal /*source*/, - krb5_principal /*target*/); - -kadm5_ret_t -kadm5_log_create ( - kadm5_server_context */*context*/, - hdb_entry */*ent*/); - -kadm5_ret_t -kadm5_log_delete ( - kadm5_server_context 
*/*context*/, - krb5_principal /*princ*/); - -kadm5_ret_t -kadm5_log_end (kadm5_server_context */*context*/); - -kadm5_ret_t -kadm5_log_foreach ( - kadm5_server_context */*context*/, - void (*/*func*/)(kadm5_server_context *server_context, u_int32_t ver, time_t timestamp, enum kadm_ops op, u_int32_t len, krb5_storage *sp)); - -kadm5_ret_t -kadm5_log_get_version ( - kadm5_server_context */*context*/, - u_int32_t */*ver*/); - -kadm5_ret_t -kadm5_log_get_version_fd ( - int /*fd*/, - u_int32_t */*ver*/); - -krb5_storage * -kadm5_log_goto_end (int /*fd*/); - -kadm5_ret_t -kadm5_log_init (kadm5_server_context */*context*/); - -kadm5_ret_t -kadm5_log_modify ( - kadm5_server_context */*context*/, - hdb_entry */*ent*/, - u_int32_t /*mask*/); - -kadm5_ret_t -kadm5_log_nop (kadm5_server_context */*context*/); - -kadm5_ret_t -kadm5_log_previous ( - krb5_storage */*sp*/, - u_int32_t */*ver*/, - time_t */*timestamp*/, - enum kadm_ops */*op*/, - u_int32_t */*len*/); - -kadm5_ret_t -kadm5_log_reinit (kadm5_server_context */*context*/); - -kadm5_ret_t -kadm5_log_rename ( - kadm5_server_context */*context*/, - krb5_principal /*source*/, - hdb_entry */*ent*/); - -kadm5_ret_t -kadm5_log_replay ( - kadm5_server_context */*context*/, - enum kadm_ops /*op*/, - u_int32_t /*ver*/, - u_int32_t /*len*/, - krb5_storage */*sp*/); - -kadm5_ret_t -kadm5_log_replay_create ( - kadm5_server_context */*context*/, - u_int32_t /*ver*/, - u_int32_t /*len*/, - krb5_storage */*sp*/); - -kadm5_ret_t -kadm5_log_replay_delete ( - kadm5_server_context */*context*/, - u_int32_t /*ver*/, - u_int32_t /*len*/, - krb5_storage */*sp*/); - -kadm5_ret_t -kadm5_log_replay_modify ( - kadm5_server_context */*context*/, - u_int32_t /*ver*/, - u_int32_t /*len*/, - krb5_storage */*sp*/); - -kadm5_ret_t -kadm5_log_replay_nop ( - kadm5_server_context */*context*/, - u_int32_t /*ver*/, - u_int32_t /*len*/, - krb5_storage */*sp*/); - -kadm5_ret_t -kadm5_log_replay_rename ( - kadm5_server_context */*context*/, - u_int32_t 
/*ver*/, - u_int32_t /*len*/, - krb5_storage */*sp*/); - -kadm5_ret_t -kadm5_log_set_version ( - kadm5_server_context */*context*/, - u_int32_t /*vno*/); - -kadm5_ret_t -kadm5_log_truncate (kadm5_server_context */*server_context*/); - -kadm5_ret_t -kadm5_s_chpass_principal ( - void */*server_handle*/, - krb5_principal /*princ*/, - char */*password*/); - -kadm5_ret_t -kadm5_s_chpass_principal_cond ( - void */*server_handle*/, - krb5_principal /*princ*/, - char */*password*/); - -kadm5_ret_t -kadm5_s_chpass_principal_with_key ( - void */*server_handle*/, - krb5_principal /*princ*/, - int /*n_key_data*/, - krb5_key_data */*key_data*/); - -kadm5_ret_t -kadm5_s_create_principal ( - void */*server_handle*/, - kadm5_principal_ent_t /*princ*/, - u_int32_t /*mask*/, - char */*password*/); - -kadm5_ret_t -kadm5_s_create_principal_with_key ( - void */*server_handle*/, - kadm5_principal_ent_t /*princ*/, - u_int32_t /*mask*/); - -kadm5_ret_t -kadm5_s_delete_principal ( - void */*server_handle*/, - krb5_principal /*princ*/); - -kadm5_ret_t -kadm5_s_destroy (void */*server_handle*/); - -kadm5_ret_t -kadm5_s_flush (void */*server_handle*/); - -kadm5_ret_t -kadm5_s_get_principal ( - void */*server_handle*/, - krb5_principal /*princ*/, - kadm5_principal_ent_t /*out*/, - u_int32_t /*mask*/); - -kadm5_ret_t -kadm5_s_get_principals ( - void */*server_handle*/, - const char */*exp*/, - char ***/*princs*/, - int */*count*/); - -kadm5_ret_t -kadm5_s_get_privs ( - void */*server_handle*/, - u_int32_t */*privs*/); - -kadm5_ret_t -kadm5_s_init_with_creds ( - const char */*client_name*/, - krb5_ccache /*ccache*/, - const char */*service_name*/, - kadm5_config_params */*realm_params*/, - unsigned long /*struct_version*/, - unsigned long /*api_version*/, - void **/*server_handle*/); - -kadm5_ret_t -kadm5_s_init_with_creds_ctx ( - krb5_context /*context*/, - const char */*client_name*/, - krb5_ccache /*ccache*/, - const char */*service_name*/, - kadm5_config_params */*realm_params*/, - unsigned 
long /*struct_version*/, - unsigned long /*api_version*/, - void **/*server_handle*/); - -kadm5_ret_t -kadm5_s_init_with_password ( - const char */*client_name*/, - const char */*password*/, - const char */*service_name*/, - kadm5_config_params */*realm_params*/, - unsigned long /*struct_version*/, - unsigned long /*api_version*/, - void **/*server_handle*/); - -kadm5_ret_t -kadm5_s_init_with_password_ctx ( - krb5_context /*context*/, - const char */*client_name*/, - const char */*password*/, - const char */*service_name*/, - kadm5_config_params */*realm_params*/, - unsigned long /*struct_version*/, - unsigned long /*api_version*/, - void **/*server_handle*/); - -kadm5_ret_t -kadm5_s_init_with_skey ( - const char */*client_name*/, - const char */*keytab*/, - const char */*service_name*/, - kadm5_config_params */*realm_params*/, - unsigned long /*struct_version*/, - unsigned long /*api_version*/, - void **/*server_handle*/); - -kadm5_ret_t -kadm5_s_init_with_skey_ctx ( - krb5_context /*context*/, - const char */*client_name*/, - const char */*keytab*/, - const char */*service_name*/, - kadm5_config_params */*realm_params*/, - unsigned long /*struct_version*/, - unsigned long /*api_version*/, - void **/*server_handle*/); - -kadm5_ret_t -kadm5_s_modify_principal ( - void */*server_handle*/, - kadm5_principal_ent_t /*princ*/, - u_int32_t /*mask*/); - -kadm5_ret_t -kadm5_s_randkey_principal ( - void */*server_handle*/, - krb5_principal /*princ*/, - krb5_keyblock **/*new_keys*/, - int */*n_keys*/); - -kadm5_ret_t -kadm5_s_rename_principal ( - void */*server_handle*/, - krb5_principal /*source*/, - krb5_principal /*target*/); - -#endif /* __kadm5_private_h__ */ diff --git a/crypto/heimdal-0.6.3/lib/kadm5/kadm5-protos.h b/crypto/heimdal-0.6.3/lib/kadm5/kadm5-protos.h deleted file mode 100644 index c0a0cce7a0..0000000000 --- a/crypto/heimdal-0.6.3/lib/kadm5/kadm5-protos.h +++ /dev/null 
@@ -1,210 +0,0 @@ -/* This is a generated file */ -#ifndef __kadm5_protos_h__ -#define __kadm5_protos_h__ - -#include - -const char * -kadm5_check_password_quality ( - krb5_context /*context*/, - krb5_principal /*principal*/, - krb5_data */*pwd_data*/); - -kadm5_ret_t -kadm5_chpass_principal ( - void */*server_handle*/, - krb5_principal /*princ*/, - char */*password*/); - -kadm5_ret_t -kadm5_chpass_principal_with_key ( - void */*server_handle*/, - krb5_principal /*princ*/, - int /*n_key_data*/, - krb5_key_data */*key_data*/); - -kadm5_ret_t -kadm5_create_principal ( - void */*server_handle*/, - kadm5_principal_ent_t /*princ*/, - u_int32_t /*mask*/, - char */*password*/); - -kadm5_ret_t -kadm5_delete_principal ( - void */*server_handle*/, - krb5_principal /*princ*/); - -kadm5_ret_t -kadm5_destroy (void */*server_handle*/); - -kadm5_ret_t -kadm5_flush (void */*server_handle*/); - -void -kadm5_free_key_data ( - void */*server_handle*/, - int16_t */*n_key_data*/, - krb5_key_data */*key_data*/); - -void -kadm5_free_name_list ( - void */*server_handle*/, - char **/*names*/, - int */*count*/); - -void -kadm5_free_principal_ent ( - void */*server_handle*/, - kadm5_principal_ent_t /*princ*/); - -kadm5_ret_t -kadm5_get_principal ( - void */*server_handle*/, - krb5_principal /*princ*/, - kadm5_principal_ent_t /*out*/, - u_int32_t /*mask*/); - -kadm5_ret_t -kadm5_get_principals ( - void */*server_handle*/, - const char */*exp*/, - char ***/*princs*/, - int */*count*/); - -kadm5_ret_t -kadm5_get_privs ( - void */*server_handle*/, - u_int32_t */*privs*/); - -kadm5_ret_t -kadm5_init_with_creds ( - const char */*client_name*/, - krb5_ccache /*ccache*/, - const char */*service_name*/, - kadm5_config_params */*realm_params*/, - unsigned long /*struct_version*/, - unsigned long /*api_version*/, - void **/*server_handle*/); - -kadm5_ret_t -kadm5_init_with_creds_ctx ( - krb5_context /*context*/, - const char */*client_name*/, - krb5_ccache /*ccache*/, - const char */*service_name*/, - 
kadm5_config_params */*realm_params*/, - unsigned long /*struct_version*/, - unsigned long /*api_version*/, - void **/*server_handle*/); - -kadm5_ret_t -kadm5_init_with_password ( - const char */*client_name*/, - const char */*password*/, - const char */*service_name*/, - kadm5_config_params */*realm_params*/, - unsigned long /*struct_version*/, - unsigned long /*api_version*/, - void **/*server_handle*/); - -kadm5_ret_t -kadm5_init_with_password_ctx ( - krb5_context /*context*/, - const char */*client_name*/, - const char */*password*/, - const char */*service_name*/, - kadm5_config_params */*realm_params*/, - unsigned long /*struct_version*/, - unsigned long /*api_version*/, - void **/*server_handle*/); - -kadm5_ret_t -kadm5_init_with_skey ( - const char */*client_name*/, - const char */*keytab*/, - const char */*service_name*/, - kadm5_config_params */*realm_params*/, - unsigned long /*struct_version*/, - unsigned long /*api_version*/, - void **/*server_handle*/); - -kadm5_ret_t -kadm5_init_with_skey_ctx ( - krb5_context /*context*/, - const char */*client_name*/, - const char */*keytab*/, - const char */*service_name*/, - kadm5_config_params */*realm_params*/, - unsigned long /*struct_version*/, - unsigned long /*api_version*/, - void **/*server_handle*/); - -kadm5_ret_t -kadm5_modify_principal ( - void */*server_handle*/, - kadm5_principal_ent_t /*princ*/, - u_int32_t /*mask*/); - -kadm5_ret_t -kadm5_randkey_principal ( - void */*server_handle*/, - krb5_principal /*princ*/, - krb5_keyblock **/*new_keys*/, - int */*n_keys*/); - -kadm5_ret_t -kadm5_rename_principal ( - void */*server_handle*/, - krb5_principal /*source*/, - krb5_principal /*target*/); - -kadm5_ret_t -kadm5_ret_key_data ( - krb5_storage */*sp*/, - krb5_key_data */*key*/); - -kadm5_ret_t -kadm5_ret_principal_ent ( - krb5_storage */*sp*/, - kadm5_principal_ent_t /*princ*/); - -kadm5_ret_t -kadm5_ret_principal_ent_mask ( - krb5_storage */*sp*/, - kadm5_principal_ent_t /*princ*/, - u_int32_t 
*/*mask*/); - -kadm5_ret_t -kadm5_ret_tl_data ( - krb5_storage */*sp*/, - krb5_tl_data */*tl*/); - -void -kadm5_setup_passwd_quality_check ( - krb5_context /*context*/, - const char */*check_library*/, - const char */*check_function*/); - -kadm5_ret_t -kadm5_store_key_data ( - krb5_storage */*sp*/, - krb5_key_data */*key*/); - -kadm5_ret_t -kadm5_store_principal_ent ( - krb5_storage */*sp*/, - kadm5_principal_ent_t /*princ*/); - -kadm5_ret_t -kadm5_store_principal_ent_mask ( - krb5_storage */*sp*/, - kadm5_principal_ent_t /*princ*/, - u_int32_t /*mask*/); - -kadm5_ret_t -kadm5_store_tl_data ( - krb5_storage */*sp*/, - krb5_tl_data */*tl*/); - -#endif /* __kadm5_protos_h__ */ diff --git a/crypto/heimdal-0.6.3/lib/kadm5/kadm5_err.et b/crypto/heimdal-0.6.3/lib/kadm5/kadm5_err.et deleted file mode 100644 index 674fbe73ba..0000000000 --- a/crypto/heimdal-0.6.3/lib/kadm5/kadm5_err.et +++ /dev/null 
@@ -1,59 +0,0 @@
-#
-# Error messages for the kadm5 library
-#
-# This might look like a com_err file, but is not
-#
-id "$Id: kadm5_err.et,v 1.5 2001/12/06 17:02:55 assar Exp $"
-
-error_table ovk kadm5
-
-prefix KADM5
-error_code FAILURE, "Operation failed for unspecified reason"
-error_code AUTH_GET, "Operation requires `get' privilege"
-error_code AUTH_ADD, "Operation requires `add' privilege"
-error_code AUTH_MODIFY, "Operation requires `modify' privilege"
-error_code AUTH_DELETE, "Operation requires `delete' privilege"
-error_code AUTH_INSUFFICIENT, "Insufficient authorization for operation"
-error_code BAD_DB, "Database inconsistency detected"
-error_code DUP, "Principal or policy already exists"
-error_code RPC_ERROR, "Communication failure with server"
-error_code NO_SRV, "No administration server found for realm"
-error_code BAD_HIST_KEY, "Password history principal key version mismatch"
-error_code NOT_INIT, "Connection to server not initialized"
-error_code UNK_PRINC, "Principal does not exist"
-error_code UNK_POLICY, "Policy does not exist"
-error_code BAD_MASK, "Invalid field mask for operation"
-error_code BAD_CLASS, "Invalid number of character classes"
-error_code BAD_LENGTH, "Invalid password length"
-error_code BAD_POLICY, "Invalid policy name"
-error_code BAD_PRINCIPAL, "Invalid principal name."
-error_code BAD_AUX_ATTR, "Invalid auxillary attributes"
-error_code BAD_HISTORY, "Invalid password history count"
-error_code BAD_MIN_PASS_LIFE, "Password minimum life is greater than password maximum life"
-error_code PASS_Q_TOOSHORT, "Password is too short"
-error_code PASS_Q_CLASS, "Password does not contain enough character classes"
-error_code PASS_Q_DICT, "Password is in the password dictionary"
-error_code PASS_REUSE, "Can't resuse password"
-error_code PASS_TOOSOON, "Current password's minimum life has not expired"
-error_code POLICY_REF, "Policy is in use"
-error_code INIT, "Connection to server already initialized"
-error_code BAD_PASSWORD, "Incorrect password"
-error_code PROTECT_PRINCIPAL, "Can't change protected principal"
-error_code BAD_SERVER_HANDLE, "Programmer error! Bad Admin server handle"
-error_code BAD_STRUCT_VERSION, "Programmer error! Bad API structure version"
-error_code OLD_STRUCT_VERSION, "API structure version specified by application is no longer supported"
-error_code NEW_STRUCT_VERSION, "API structure version specified by application is unknown to libraries"
-error_code BAD_API_VERSION, "Programmer error! Bad API version"
-error_code OLD_LIB_API_VERSION, "API version specified by application is no longer supported by libraries"
-error_code OLD_SERVER_API_VERSION,"API version specified by application is no longer supported by server"
-error_code NEW_LIB_API_VERSION, "API version specified by application is unknown to libraries"
-error_code NEW_SERVER_API_VERSION,"API version specified by application is unknown to server"
-error_code SECURE_PRINC_MISSING,"Database error! Required principal missing"
-error_code NO_RENAME_SALT, "The salt type of the specified principal does not support renaming"
-error_code BAD_CLIENT_PARAMS, "Invalid configuration parameter for remote KADM5 client"
-error_code BAD_SERVER_PARAMS, "Invalid configuration parameter for local KADM5 client."
-error_code AUTH_LIST, "Operation requires `list' privilege"
-error_code AUTH_CHANGEPW, "Operation requires `change-password' privilege"
-error_code BAD_TL_TYPE, "Programmer error! Invalid tagged data list element type"
-error_code MISSING_CONF_PARAMS, "Required parameters in kdc.conf missing"
-error_code BAD_SERVER_NAME, "Bad krb5 admin server hostname"
diff --git a/crypto/heimdal-0.6.3/lib/kadm5/kadm5_locl.h b/crypto/heimdal-0.6.3/lib/kadm5/kadm5_locl.h
deleted file mode 100644
index 6f634ed8c0..0000000000
--- a/crypto/heimdal-0.6.3/lib/kadm5/kadm5_locl.h
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: kadm5_locl.h,v 1.23 2000/07/08 11:57:40 assar Exp $ */
-
-#ifndef __KADM5_LOCL_H__
-#define __KADM5_LOCL_H__
-
-#ifdef HAVE_CONFIG_H
-#include
-#endif
-
-#include
-#include
-#include
-#include
-#include
-#include
-#ifdef HAVE_UNISTD_H
-#include
-#endif
-#ifdef HAVE_FCNTL_H
-#include
-#endif
-#ifdef HAVE_SYS_TYPES_H
-#include
-#endif
-#ifdef HAVE_SYS_TIME_H
-#include
-#endif
-#ifdef HAVE_UNISTD_H
-#include
-#endif
-#ifdef HAVE_SYS_FILE_H
-#include
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include
-#endif
-#ifdef HAVE_SYS_UN_H
-#include
-#endif
-#ifdef HAVE_NETDB_H
-#include
-#endif
-#include
-#include "admin.h"
-#include "kadm5_err.h"
-#include
-#include
-#include
-#include
-#include "private.h"
-
-#endif /* __KADM5_LOCL_H__ */
diff --git a/crypto/heimdal-0.6.3/lib/kadm5/keys.c b/crypto/heimdal-0.6.3/lib/kadm5/keys.c
deleted file mode 100644
index 3ae21abb47..0000000000
--- a/crypto/heimdal-0.6.3/lib/kadm5/keys.c
+++ /dev/null
@@ -1,112 +0,0 @@
-/*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kadm5_locl.h"
-
-RCSID("$Id: keys.c,v 1.1 2000/07/22 05:53:02 assar Exp $");
-
-/*
- * free all the memory used by (len, keys)
- */
-
-void
-_kadm5_free_keys (kadm5_server_context *context,
- int len, Key *keys)
-{
- int i;
-
- for (i = 0; i < len; ++i) {
- free (keys[i].mkvno);
- keys[i].mkvno = NULL;
- if (keys[i].salt != NULL) {
- free_Salt(keys[i].salt);
- free(keys[i].salt);
- keys[i].salt = NULL;
- }
- krb5_free_keyblock_contents(context->context, &keys[i].key);
- }
- free (keys);
-}
-
-/*
- * null-ify `len', `keys'
- */
-
-void
-_kadm5_init_keys (Key *keys, int len)
-{
- int i;
-
- for (i = 0; i < len; ++i) {
- keys[i].mkvno = NULL;
- keys[i].salt = NULL;
- keys[i].key.keyvalue.length = 0;
- keys[i].key.keyvalue.data = NULL;
- }
-}
-
-/*
- * return 0 iff `keys1, len1' and `keys2, len2' are identical
- */
-
-int
-_kadm5_cmp_keys(Key *keys1, int len1, Key *keys2, int len2)
-{
- int i;
-
- if (len1 != len2)
- return 1;
-
- for (i = 0; i < len1; ++i) {
- if ((keys1[i].salt != NULL && keys2[i].salt == NULL)
- || (keys1[i].salt == NULL && keys2[i].salt != NULL))
- return 1;
- if (keys1[i].salt != NULL) {
- if (keys1[i].salt->type != keys2[i].salt->type)
- return 1;
- if (keys1[i].salt->salt.length != keys2[i].salt->salt.length)
- return 1;
- if (memcmp (keys1[i].salt->salt.data, keys2[i].salt->salt.data,
- keys1[i].salt->salt.length) != 0)
- return 1;
- }
- if (keys1[i].key.keytype != keys2[i].key.keytype)
- return 1;
- if (keys1[i].key.keyvalue.length != keys2[i].key.keyvalue.length)
- return 1;
- if (memcmp (keys1[i].key.keyvalue.data, keys2[i].key.keyvalue.data,
- keys1[i].key.keyvalue.length) != 0)
- return 1;
- }
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/lib/kadm5/log.c b/crypto/heimdal-0.6.3/lib/kadm5/log.c
deleted file mode 100644
index 8ea3ca9c8a..0000000000
--- a/crypto/heimdal-0.6.3/lib/kadm5/log.c
+++ /dev/null
@@ -1,813 +0,0 @@ -/* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "kadm5_locl.h" - -RCSID("$Id: log.c,v 1.20 2003/04/16 17:56:55 lha Exp $"); - -/* - * A log record consists of: - * - * version number 4 bytes - * time in seconds 4 bytes - * operation (enum kadm_ops) 4 bytes - * length of record 4 bytes - * data... 
n bytes - * length of record 4 bytes - * version number 4 bytes - * - */ - -kadm5_ret_t -kadm5_log_get_version_fd (int fd, - u_int32_t *ver) -{ - int ret; - krb5_storage *sp; - int32_t old_version; - - ret = lseek (fd, 0, SEEK_END); - if(ret < 0) - return errno; - if(ret == 0) { - *ver = 0; - return 0; - } - sp = krb5_storage_from_fd (fd); - krb5_storage_seek(sp, -4, SEEK_CUR); - krb5_ret_int32 (sp, &old_version); - *ver = old_version; - krb5_storage_free(sp); - lseek (fd, 0, SEEK_END); - return 0; -} - -kadm5_ret_t -kadm5_log_get_version (kadm5_server_context *context, u_int32_t *ver) -{ - return kadm5_log_get_version_fd (context->log_context.log_fd, ver); -} - -kadm5_ret_t -kadm5_log_set_version (kadm5_server_context *context, u_int32_t vno) -{ - kadm5_log_context *log_context = &context->log_context; - - log_context->version = vno; - return 0; -} - -kadm5_ret_t -kadm5_log_init (kadm5_server_context *context) -{ - int fd; - kadm5_ret_t ret; - kadm5_log_context *log_context = &context->log_context; - - if (log_context->log_fd != -1) - return 0; - fd = open (log_context->log_file, O_RDWR | O_CREAT, 0600); - if (fd < 0) - return errno; - if (flock (fd, LOCK_EX) < 0) { - close (fd); - return errno; - } - - ret = kadm5_log_get_version_fd (fd, &log_context->version); - if (ret) - return ret; - - log_context->log_fd = fd; - return 0; -} - -kadm5_ret_t -kadm5_log_reinit (kadm5_server_context *context) -{ - int fd; - kadm5_log_context *log_context = &context->log_context; - - if (log_context->log_fd != -1) { - close (log_context->log_fd); - log_context->log_fd = -1; - } - fd = open (log_context->log_file, O_RDWR | O_CREAT | O_TRUNC, 0600); - if (fd < 0) - return errno; - if (flock (fd, LOCK_EX) < 0) { - close (fd); - return errno; - } - - log_context->version = 0; - log_context->log_fd = fd; - return 0; -} - - -kadm5_ret_t -kadm5_log_end (kadm5_server_context *context) -{ - kadm5_log_context *log_context = &context->log_context; - int fd = log_context->log_fd; - - flock 
(fd, LOCK_UN); - close(fd); - log_context->log_fd = -1; - return 0; -} - -static kadm5_ret_t -kadm5_log_preamble (kadm5_server_context *context, - krb5_storage *sp, - enum kadm_ops op) -{ - kadm5_log_context *log_context = &context->log_context; - kadm5_ret_t kadm_ret; - - kadm_ret = kadm5_log_init (context); - if (kadm_ret) - return kadm_ret; - - krb5_store_int32 (sp, ++log_context->version); - krb5_store_int32 (sp, time(NULL)); - krb5_store_int32 (sp, op); - return 0; -} - -static kadm5_ret_t -kadm5_log_postamble (kadm5_log_context *context, - krb5_storage *sp) -{ - krb5_store_int32 (sp, context->version); - return 0; -} - -/* - * flush the log record in `sp'. - */ - -static kadm5_ret_t -kadm5_log_flush (kadm5_log_context *log_context, - krb5_storage *sp) -{ - krb5_data data; - size_t len; - int ret; - - krb5_storage_to_data(sp, &data); - len = data.length; - ret = write (log_context->log_fd, data.data, len); - if (ret != len) { - krb5_data_free(&data); - return errno; - } - if (fsync (log_context->log_fd) < 0) { - krb5_data_free(&data); - return errno; - } - /* - * Try to send a signal to any running `ipropd-master' - */ - sendto (log_context->socket_fd, - (void *)&log_context->version, - sizeof(log_context->version), - 0, - (struct sockaddr *)&log_context->socket_name, - sizeof(log_context->socket_name)); - - krb5_data_free(&data); - return 0; -} - -/* - * Add a `create' operation to the log. 
- */ - -kadm5_ret_t -kadm5_log_create (kadm5_server_context *context, - hdb_entry *ent) -{ - krb5_storage *sp; - kadm5_ret_t ret; - krb5_data value; - kadm5_log_context *log_context = &context->log_context; - - sp = krb5_storage_emem(); - ret = hdb_entry2value (context->context, ent, &value); - if (ret) { - krb5_storage_free(sp); - return ret; - } - ret = kadm5_log_preamble (context, sp, kadm_create); - if (ret) { - krb5_data_free (&value); - krb5_storage_free(sp); - return ret; - } - krb5_store_int32 (sp, value.length); - krb5_storage_write(sp, value.data, value.length); - krb5_store_int32 (sp, value.length); - krb5_data_free (&value); - ret = kadm5_log_postamble (log_context, sp); - if (ret) { - krb5_storage_free (sp); - return ret; - } - ret = kadm5_log_flush (log_context, sp); - krb5_storage_free (sp); - if (ret) - return ret; - ret = kadm5_log_end (context); - return ret; -} - -/* - * Read the data of a create log record from `sp' and change the - * database. - */ - -kadm5_ret_t -kadm5_log_replay_create (kadm5_server_context *context, - u_int32_t ver, - u_int32_t len, - krb5_storage *sp) -{ - krb5_error_code ret; - krb5_data data; - hdb_entry ent; - - ret = krb5_data_alloc (&data, len); - if (ret) - return ret; - krb5_storage_read (sp, data.data, len); - ret = hdb_value2entry (context->context, &data, &ent); - krb5_data_free(&data); - if (ret) - return ret; - ret = context->db->store(context->context, context->db, 0, &ent); - hdb_free_entry (context->context, &ent); - return ret; -} - -/* - * Add a `delete' operation to the log. 
- */ - -kadm5_ret_t -kadm5_log_delete (kadm5_server_context *context, - krb5_principal princ) -{ - krb5_storage *sp; - kadm5_ret_t ret; - off_t off; - off_t len; - kadm5_log_context *log_context = &context->log_context; - - sp = krb5_storage_emem(); - ret = kadm5_log_preamble (context, sp, kadm_delete); - if (ret) { - krb5_storage_free(sp); - return ret; - } - krb5_store_int32 (sp, 0); - off = krb5_storage_seek (sp, 0, SEEK_CUR); - krb5_store_principal (sp, princ); - len = krb5_storage_seek (sp, 0, SEEK_CUR) - off; - krb5_storage_seek(sp, -(len + 4), SEEK_CUR); - krb5_store_int32 (sp, len); - krb5_storage_seek(sp, len, SEEK_CUR); - krb5_store_int32 (sp, len); - if (ret) { - krb5_storage_free (sp); - return ret; - } - ret = kadm5_log_postamble (log_context, sp); - if (ret) { - krb5_storage_free (sp); - return ret; - } - ret = kadm5_log_flush (log_context, sp); - krb5_storage_free (sp); - if (ret) - return ret; - ret = kadm5_log_end (context); - return ret; -} - -/* - * Read a `delete' log operation from `sp' and apply it. - */ - -kadm5_ret_t -kadm5_log_replay_delete (kadm5_server_context *context, - u_int32_t ver, - u_int32_t len, - krb5_storage *sp) -{ - krb5_error_code ret; - hdb_entry ent; - - krb5_ret_principal (sp, &ent.principal); - - ret = context->db->remove(context->context, context->db, &ent); - krb5_free_principal (context->context, ent.principal); - return ret; -} - -/* - * Add a `rename' operation to the log. 
- */ - -kadm5_ret_t -kadm5_log_rename (kadm5_server_context *context, - krb5_principal source, - hdb_entry *ent) -{ - krb5_storage *sp; - kadm5_ret_t ret; - off_t off; - off_t len; - krb5_data value; - kadm5_log_context *log_context = &context->log_context; - - sp = krb5_storage_emem(); - ret = hdb_entry2value (context->context, ent, &value); - if (ret) { - krb5_storage_free(sp); - return ret; - } - ret = kadm5_log_preamble (context, sp, kadm_rename); - if (ret) { - krb5_storage_free(sp); - krb5_data_free (&value); - return ret; - } - krb5_store_int32 (sp, 0); - off = krb5_storage_seek (sp, 0, SEEK_CUR); - krb5_store_principal (sp, source); - krb5_storage_write(sp, value.data, value.length); - krb5_data_free (&value); - len = krb5_storage_seek (sp, 0, SEEK_CUR) - off; - - krb5_storage_seek(sp, -(len + 4), SEEK_CUR); - krb5_store_int32 (sp, len); - krb5_storage_seek(sp, len, SEEK_CUR); - krb5_store_int32 (sp, len); - if (ret) { - krb5_storage_free (sp); - return ret; - } - ret = kadm5_log_postamble (log_context, sp); - if (ret) { - krb5_storage_free (sp); - return ret; - } - ret = kadm5_log_flush (log_context, sp); - krb5_storage_free (sp); - if (ret) - return ret; - ret = kadm5_log_end (context); - return ret; -} - -/* - * Read a `rename' log operation from `sp' and apply it. 
- */ - -kadm5_ret_t -kadm5_log_replay_rename (kadm5_server_context *context, - u_int32_t ver, - u_int32_t len, - krb5_storage *sp) -{ - krb5_error_code ret; - krb5_principal source; - hdb_entry source_ent, target_ent; - krb5_data value; - off_t off; - size_t princ_len, data_len; - - off = krb5_storage_seek(sp, 0, SEEK_CUR); - krb5_ret_principal (sp, &source); - princ_len = krb5_storage_seek(sp, 0, SEEK_CUR) - off; - data_len = len - princ_len; - ret = krb5_data_alloc (&value, data_len); - if (ret) { - krb5_free_principal (context->context, source); - return ret; - } - krb5_storage_read (sp, value.data, data_len); - ret = hdb_value2entry (context->context, &value, &target_ent); - krb5_data_free(&value); - if (ret) { - krb5_free_principal (context->context, source); - return ret; - } - ret = context->db->store (context->context, context->db, 0, &target_ent); - hdb_free_entry (context->context, &target_ent); - if (ret) { - krb5_free_principal (context->context, source); - return ret; - } - source_ent.principal = source; - ret = context->db->remove (context->context, context->db, &source_ent); - krb5_free_principal (context->context, source); - return ret; -} - - -/* - * Add a `modify' operation to the log. 
- */ - -kadm5_ret_t -kadm5_log_modify (kadm5_server_context *context, - hdb_entry *ent, - u_int32_t mask) -{ - krb5_storage *sp; - kadm5_ret_t ret; - krb5_data value; - u_int32_t len; - kadm5_log_context *log_context = &context->log_context; - - sp = krb5_storage_emem(); - ret = hdb_entry2value (context->context, ent, &value); - if (ret) { - krb5_storage_free(sp); - return ret; - } - ret = kadm5_log_preamble (context, sp, kadm_modify); - if (ret) { - krb5_data_free (&value); - krb5_storage_free(sp); - return ret; - } - len = value.length + 4; - krb5_store_int32 (sp, len); - krb5_store_int32 (sp, mask); - krb5_storage_write (sp, value.data, value.length); - krb5_data_free (&value); - krb5_store_int32 (sp, len); - if (ret) { - krb5_storage_free (sp); - return ret; - } - ret = kadm5_log_postamble (log_context, sp); - if (ret) { - krb5_storage_free (sp); - return ret; - } - ret = kadm5_log_flush (log_context, sp); - krb5_storage_free (sp); - if (ret) - return ret; - ret = kadm5_log_end (context); - return ret; -} - -/* - * Read a `modify' log operation from `sp' and apply it. 
- */ - -kadm5_ret_t -kadm5_log_replay_modify (kadm5_server_context *context, - u_int32_t ver, - u_int32_t len, - krb5_storage *sp) -{ - krb5_error_code ret; - int32_t mask; - krb5_data value; - hdb_entry ent, log_ent; - - krb5_ret_int32 (sp, &mask); - len -= 4; - ret = krb5_data_alloc (&value, len); - if (ret) - return ret; - krb5_storage_read (sp, value.data, len); - ret = hdb_value2entry (context->context, &value, &log_ent); - krb5_data_free(&value); - if (ret) - return ret; - ent.principal = log_ent.principal; - log_ent.principal = NULL; - ret = context->db->fetch(context->context, context->db, - HDB_F_DECRYPT, &ent); - if (ret) - return ret; - if (mask & KADM5_PRINC_EXPIRE_TIME) { - if (log_ent.valid_end == NULL) { - ent.valid_end = NULL; - } else { - if (ent.valid_end == NULL) - ent.valid_end = malloc(sizeof(*ent.valid_end)); - *ent.valid_end = *log_ent.valid_end; - } - } - if (mask & KADM5_PW_EXPIRATION) { - if (log_ent.pw_end == NULL) { - ent.pw_end = NULL; - } else { - if (ent.pw_end == NULL) - ent.pw_end = malloc(sizeof(*ent.pw_end)); - *ent.pw_end = *log_ent.pw_end; - } - } - if (mask & KADM5_LAST_PWD_CHANGE) { - abort (); /* XXX */ - } - if (mask & KADM5_ATTRIBUTES) { - ent.flags = log_ent.flags; - } - if (mask & KADM5_MAX_LIFE) { - if (log_ent.max_life == NULL) { - ent.max_life = NULL; - } else { - if (ent.max_life == NULL) - ent.max_life = malloc (sizeof(*ent.max_life)); - *ent.max_life = *log_ent.max_life; - } - } - if ((mask & KADM5_MOD_TIME) && (mask & KADM5_MOD_NAME)) { - if (ent.modified_by == NULL) { - ent.modified_by = malloc(sizeof(*ent.modified_by)); - } else - free_Event(ent.modified_by); - copy_Event(log_ent.modified_by, ent.modified_by); - } - if (mask & KADM5_KVNO) { - ent.kvno = log_ent.kvno; - } - if (mask & KADM5_MKVNO) { - abort (); /* XXX */ - } - if (mask & KADM5_AUX_ATTRIBUTES) { - abort (); /* XXX */ - } - if (mask & KADM5_POLICY) { - abort (); /* XXX */ - } - if (mask & KADM5_POLICY_CLR) { - abort (); /* XXX */ - } - if (mask & 
KADM5_MAX_RLIFE) { - if (log_ent.max_renew == NULL) { - ent.max_renew = NULL; - } else { - if (ent.max_renew == NULL) - ent.max_renew = malloc (sizeof(*ent.max_renew)); - *ent.max_renew = *log_ent.max_renew; - } - } - if (mask & KADM5_LAST_SUCCESS) { - abort (); /* XXX */ - } - if (mask & KADM5_LAST_FAILED) { - abort (); /* XXX */ - } - if (mask & KADM5_FAIL_AUTH_COUNT) { - abort (); /* XXX */ - } - if (mask & KADM5_KEY_DATA) { - size_t len; - int i; - - for (i = 0; i < ent.keys.len; ++i) - free_Key(&ent.keys.val[i]); - free (ent.keys.val); - - len = log_ent.keys.len; - - ent.keys.len = len; - ent.keys.val = malloc(len * sizeof(*ent.keys.val)); - for (i = 0; i < ent.keys.len; ++i) - copy_Key(&log_ent.keys.val[i], - &ent.keys.val[i]); - } - ret = context->db->store(context->context, context->db, - HDB_F_REPLACE, &ent); - hdb_free_entry (context->context, &ent); - hdb_free_entry (context->context, &log_ent); - return ret; -} - -/* - * Add a `nop' operation to the log. - */ - -kadm5_ret_t -kadm5_log_nop (kadm5_server_context *context) -{ - krb5_storage *sp; - kadm5_ret_t ret; - kadm5_log_context *log_context = &context->log_context; - - sp = krb5_storage_emem(); - ret = kadm5_log_preamble (context, sp, kadm_nop); - if (ret) { - krb5_storage_free (sp); - return ret; - } - krb5_store_int32 (sp, 0); - krb5_store_int32 (sp, 0); - ret = kadm5_log_postamble (log_context, sp); - if (ret) { - krb5_storage_free (sp); - return ret; - } - ret = kadm5_log_flush (log_context, sp); - krb5_storage_free (sp); - if (ret) - return ret; - ret = kadm5_log_end (context); - return ret; -} - -/* - * Read a `nop' log operation from `sp' and apply it. 
- */ - -kadm5_ret_t -kadm5_log_replay_nop (kadm5_server_context *context, - u_int32_t ver, - u_int32_t len, - krb5_storage *sp) -{ - return 0; -} - -/* - * Call `func' for each log record in the log in `context' - */ - -kadm5_ret_t -kadm5_log_foreach (kadm5_server_context *context, - void (*func)(kadm5_server_context *server_context, - u_int32_t ver, - time_t timestamp, - enum kadm_ops op, - u_int32_t len, - krb5_storage *sp)) -{ - int fd = context->log_context.log_fd; - krb5_storage *sp; - - lseek (fd, 0, SEEK_SET); - sp = krb5_storage_from_fd (fd); - for (;;) { - int32_t ver, timestamp, op, len; - - if(krb5_ret_int32 (sp, &ver) != 0) - break; - krb5_ret_int32 (sp, ×tamp); - krb5_ret_int32 (sp, &op); - krb5_ret_int32 (sp, &len); - (*func)(context, ver, timestamp, op, len, sp); - krb5_storage_seek(sp, 8, SEEK_CUR); - } - return 0; -} - -/* - * Go to end of log. - */ - -krb5_storage * -kadm5_log_goto_end (int fd) -{ - krb5_storage *sp; - - sp = krb5_storage_from_fd (fd); - krb5_storage_seek(sp, 0, SEEK_END); - return sp; -} - -/* - * Return previous log entry. 
- */ - -kadm5_ret_t -kadm5_log_previous (krb5_storage *sp, - u_int32_t *ver, - time_t *timestamp, - enum kadm_ops *op, - u_int32_t *len) -{ - off_t off; - int32_t tmp; - - krb5_storage_seek(sp, -8, SEEK_CUR); - krb5_ret_int32 (sp, &tmp); - *len = tmp; - krb5_ret_int32 (sp, &tmp); - *ver = tmp; - off = 24 + *len; - krb5_storage_seek(sp, -off, SEEK_CUR); - krb5_ret_int32 (sp, &tmp); - assert(tmp == *ver); - krb5_ret_int32 (sp, &tmp); - *timestamp = tmp; - krb5_ret_int32 (sp, &tmp); - *op = tmp; - krb5_ret_int32 (sp, &tmp); - assert(tmp == *len); - return 0; -} - -/* - * Replay a record from the log - */ - -kadm5_ret_t -kadm5_log_replay (kadm5_server_context *context, - enum kadm_ops op, - u_int32_t ver, - u_int32_t len, - krb5_storage *sp) -{ - switch (op) { - case kadm_create : - return kadm5_log_replay_create (context, ver, len, sp); - case kadm_delete : - return kadm5_log_replay_delete (context, ver, len, sp); - case kadm_rename : - return kadm5_log_replay_rename (context, ver, len, sp); - case kadm_modify : - return kadm5_log_replay_modify (context, ver, len, sp); - case kadm_nop : - return kadm5_log_replay_nop (context, ver, len, sp); - default : - return KADM5_FAILURE; - } -} - -/* - * truncate the log - i.e. create an empty file with just (nop vno + 2) - */ - -kadm5_ret_t -kadm5_log_truncate (kadm5_server_context *server_context) -{ - kadm5_ret_t ret; - u_int32_t vno; - - ret = kadm5_log_init (server_context); - if (ret) - return ret; - - ret = kadm5_log_get_version (server_context, &vno); - if (ret) - return ret; - - ret = kadm5_log_reinit (server_context); - if (ret) - return ret; - - ret = kadm5_log_set_version (server_context, vno + 1); - if (ret) - return ret; - - ret = kadm5_log_nop (server_context); - if (ret) - return ret; - - ret = kadm5_log_end (server_context); - if (ret) - return ret; - return 0; - -} 
diff --git a/crypto/heimdal-0.6.3/lib/kadm5/marshall.c b/crypto/heimdal-0.6.3/lib/kadm5/marshall.c
deleted file mode 100644
index 98288376c4..0000000000
--- a/crypto/heimdal-0.6.3/lib/kadm5/marshall.c
+++ /dev/null
@@ -1,330 +0,0 @@
-/*
- * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kadm5_locl.h"
-
-RCSID("$Id: marshall.c,v 1.6 1999/12/02 17:05:06 joda Exp $");
-
-kadm5_ret_t
-kadm5_store_key_data(krb5_storage *sp,
- krb5_key_data *key)
-{
- krb5_data c;
- krb5_store_int32(sp, key->key_data_ver);
- krb5_store_int32(sp, key->key_data_kvno);
- krb5_store_int32(sp, key->key_data_type[0]);
- c.length = key->key_data_length[0];
- c.data = key->key_data_contents[0];
- krb5_store_data(sp, c);
- krb5_store_int32(sp, key->key_data_type[1]);
- c.length = key->key_data_length[1];
- c.data = key->key_data_contents[1];
- krb5_store_data(sp, c);
- return 0;
-}
-
-kadm5_ret_t
-kadm5_ret_key_data(krb5_storage *sp,
- krb5_key_data *key)
-{
- krb5_data c;
- int32_t tmp;
- krb5_ret_int32(sp, &tmp);
- key->key_data_ver = tmp;
- krb5_ret_int32(sp, &tmp);
- key->key_data_kvno = tmp;
- krb5_ret_int32(sp, &tmp);
- key->key_data_type[0] = tmp;
- krb5_ret_data(sp, &c);
- key->key_data_length[0] = c.length;
- key->key_data_contents[0] = c.data;
- krb5_ret_int32(sp, &tmp);
- key->key_data_type[1] = tmp;
- krb5_ret_data(sp, &c);
- key->key_data_length[1] = c.length;
- key->key_data_contents[1] = c.data;
- return 0;
-}
-
-kadm5_ret_t
-kadm5_store_tl_data(krb5_storage *sp,
- krb5_tl_data *tl)
-{
- krb5_data c;
- krb5_store_int32(sp, tl->tl_data_type);
- c.length = tl->tl_data_length;
- c.data = tl->tl_data_contents;
- krb5_store_data(sp, c);
- return 0;
-}
-
-kadm5_ret_t
-kadm5_ret_tl_data(krb5_storage *sp,
- krb5_tl_data *tl)
-{
- krb5_data c;
- int32_t tmp;
- krb5_ret_int32(sp, &tmp);
- tl->tl_data_type = tmp;
- krb5_ret_data(sp, &c);
- tl->tl_data_length = c.length;
- tl->tl_data_contents = c.data;
- return 0;
-}
-
-static kadm5_ret_t
-store_principal_ent(krb5_storage *sp,
- kadm5_principal_ent_t princ,
- u_int32_t mask)
-{
- int i;
-
- if (mask & KADM5_PRINCIPAL)
- krb5_store_principal(sp, princ->principal);
- if (mask & KADM5_PRINC_EXPIRE_TIME)
- krb5_store_int32(sp, princ->princ_expire_time);
- if (mask & KADM5_PW_EXPIRATION)
- krb5_store_int32(sp, princ->pw_expiration);
- if (mask & KADM5_LAST_PWD_CHANGE)
- krb5_store_int32(sp, princ->last_pwd_change);
- if (mask & KADM5_MAX_LIFE)
- krb5_store_int32(sp, princ->max_life);
- if (mask & KADM5_MOD_NAME) {
- krb5_store_int32(sp, princ->mod_name != NULL);
- if(princ->mod_name)
- krb5_store_principal(sp, princ->mod_name);
- }
- if (mask & KADM5_MOD_TIME)
- krb5_store_int32(sp, princ->mod_date);
- if (mask & KADM5_ATTRIBUTES)
- krb5_store_int32(sp, princ->attributes);
- if (mask & KADM5_KVNO)
- krb5_store_int32(sp, princ->kvno);
- if (mask & KADM5_MKVNO)
- krb5_store_int32(sp, princ->mkvno);
- if (mask & KADM5_POLICY) {
- krb5_store_int32(sp, princ->policy != NULL);
- if(princ->policy)
- krb5_store_string(sp, princ->policy);
- }
- if (mask & KADM5_AUX_ATTRIBUTES)
- krb5_store_int32(sp, princ->aux_attributes);
- if (mask & KADM5_MAX_RLIFE)
- krb5_store_int32(sp, princ->max_renewable_life);
- if (mask & KADM5_LAST_SUCCESS)
- krb5_store_int32(sp, princ->last_success);
- if (mask & KADM5_LAST_FAILED)
- krb5_store_int32(sp, princ->last_failed);
- if (mask & KADM5_FAIL_AUTH_COUNT)
- krb5_store_int32(sp, princ->fail_auth_count);
- if (mask & KADM5_KEY_DATA) {
- krb5_store_int32(sp, princ->n_key_data);
- for(i = 0; i < princ->n_key_data; i++)
- kadm5_store_key_data(sp, &princ->key_data[i]);
- }
- if (mask & KADM5_TL_DATA) {
- krb5_tl_data *tp;
-
- krb5_store_int32(sp, princ->n_tl_data);
- for(tp = princ->tl_data; tp; tp = tp->tl_data_next)
- kadm5_store_tl_data(sp, tp);
- }
- return 0;
-}
-
-
-kadm5_ret_t
-kadm5_store_principal_ent(krb5_storage *sp,
- kadm5_principal_ent_t princ)
-{
- return store_principal_ent (sp, princ, ~0);
-}
-
-kadm5_ret_t
-kadm5_store_principal_ent_mask(krb5_storage *sp,
- kadm5_principal_ent_t princ,
- u_int32_t mask)
-{
- krb5_store_int32(sp, mask);
- return store_principal_ent (sp, princ, mask);
-}
-
-static kadm5_ret_t
-ret_principal_ent(krb5_storage *sp,
- kadm5_principal_ent_t princ,
- u_int32_t mask)
-{
- int i;
- int32_t tmp;
-
- if (mask & KADM5_PRINCIPAL)
- krb5_ret_principal(sp, &princ->principal);
-
- if (mask & KADM5_PRINC_EXPIRE_TIME) {
- krb5_ret_int32(sp, &tmp);
- princ->princ_expire_time = tmp;
- }
- if (mask & KADM5_PW_EXPIRATION) {
- krb5_ret_int32(sp, &tmp);
- princ->pw_expiration = tmp;
- }
- if (mask & KADM5_LAST_PWD_CHANGE) {
- krb5_ret_int32(sp, &tmp);
- princ->last_pwd_change = tmp;
- }
- if (mask & KADM5_MAX_LIFE) {
- krb5_ret_int32(sp, &tmp);
- princ->max_life = tmp;
- }
- if (mask & KADM5_MOD_NAME) {
- krb5_ret_int32(sp, &tmp);
- if(tmp)
- krb5_ret_principal(sp, &princ->mod_name);
- else
- princ->mod_name = NULL;
- }
- if (mask & KADM5_MOD_TIME) {
- krb5_ret_int32(sp, &tmp);
- princ->mod_date = tmp;
- }
- if (mask & KADM5_ATTRIBUTES) {
- krb5_ret_int32(sp, &tmp);
- princ->attributes = tmp;
- }
- if (mask & KADM5_KVNO) {
- krb5_ret_int32(sp, &tmp);
- princ->kvno = tmp;
- }
- if (mask & KADM5_MKVNO) {
- krb5_ret_int32(sp, &tmp);
- princ->mkvno = tmp;
- }
- if (mask & KADM5_POLICY) {
- krb5_ret_int32(sp, &tmp);
- if(tmp)
- krb5_ret_string(sp, &princ->policy);
- else
- princ->policy = NULL;
- }
- if (mask & KADM5_AUX_ATTRIBUTES) {
- krb5_ret_int32(sp, &tmp);
- princ->aux_attributes = tmp;
- }
- if (mask & KADM5_MAX_RLIFE) {
- krb5_ret_int32(sp, &tmp);
- princ->max_renewable_life = tmp;
- }
- if (mask & KADM5_LAST_SUCCESS) {
- krb5_ret_int32(sp, &tmp);
- princ->last_success = tmp;
- }
- if (mask & KADM5_LAST_FAILED) {
- krb5_ret_int32(sp, &tmp);
- princ->last_failed = tmp;
- }
- if (mask & KADM5_FAIL_AUTH_COUNT) {
- krb5_ret_int32(sp, &tmp);
- princ->fail_auth_count = tmp;
- }
- if (mask & KADM5_KEY_DATA) {
- krb5_ret_int32(sp, &tmp);
- princ->n_key_data = tmp;
- princ->key_data = malloc(princ->n_key_data * sizeof(*princ->key_data));
- for(i = 0; i < princ->n_key_data; i++)
- kadm5_ret_key_data(sp, &princ->key_data[i]);
- }
- if (mask & KADM5_TL_DATA) {
- krb5_ret_int32(sp, &tmp);
- princ->n_tl_data = tmp;
- princ->tl_data = NULL;
- for(i = 0; i < princ->n_tl_data; i++){
- krb5_tl_data *tp = malloc(sizeof(*tp));
- kadm5_ret_tl_data(sp, tp);
- tp->tl_data_next = princ->tl_data;
- princ->tl_data = tp;
- }
- }
- return 0;
-}
-
-kadm5_ret_t
-kadm5_ret_principal_ent(krb5_storage *sp,
- kadm5_principal_ent_t princ)
-{
- return ret_principal_ent (sp, princ, ~0);
-}
-
-kadm5_ret_t
-kadm5_ret_principal_ent_mask(krb5_storage *sp,
- kadm5_principal_ent_t princ,
- u_int32_t *mask)
-{
- int32_t tmp;
-
- krb5_ret_int32 (sp, &tmp);
- *mask = tmp;
- return ret_principal_ent (sp, princ, *mask);
-}
-
-kadm5_ret_t
-_kadm5_marshal_params(krb5_context context,
- kadm5_config_params *params,
- krb5_data *out)
-{
- krb5_storage *sp = krb5_storage_emem();
-
- krb5_store_int32(sp, params->mask & (KADM5_CONFIG_REALM));
-
- if(params->mask & KADM5_CONFIG_REALM)
- krb5_store_string(sp, params->realm);
- krb5_storage_to_data(sp, out);
- krb5_storage_free(sp);
-
- return 0;
-}
-
-kadm5_ret_t
-_kadm5_unmarshal_params(krb5_context context,
- krb5_data *in,
- kadm5_config_params *params)
-{
- krb5_storage *sp = krb5_storage_from_data(in);
-
- krb5_ret_int32(sp, ¶ms->mask);
-
- if(params->mask & KADM5_CONFIG_REALM)
- krb5_ret_string(sp, ¶ms->realm);
- krb5_storage_free(sp);
-
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/lib/kadm5/modify_c.c b/crypto/heimdal-0.6.3/lib/kadm5/modify_c.c
deleted file mode 100644
index 8d8ca56bb2..0000000000
--- a/crypto/heimdal-0.6.3/lib/kadm5/modify_c.c
+++ /dev/null
@@ -1,77 +0,0 @@
-/*
- * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kadm5_locl.h"
-
-RCSID("$Id: modify_c.c,v 1.4 2000/07/11 15:59:46 joda Exp $");
-
-kadm5_ret_t
-kadm5_c_modify_principal(void *server_handle,
- kadm5_principal_ent_t princ,
- u_int32_t mask)
-{
- kadm5_client_context *context = server_handle;
- kadm5_ret_t ret;
- krb5_storage *sp;
- unsigned char buf[1024];
- int32_t tmp;
- krb5_data reply;
-
- ret = _kadm5_connect(server_handle);
- if(ret)
- return ret;
-
- sp = krb5_storage_from_mem(buf, sizeof(buf));
- if (sp == NULL)
- return ENOMEM;
- krb5_store_int32(sp, kadm_modify);
- kadm5_store_principal_ent(sp, princ);
- krb5_store_int32(sp, mask);
- ret = _kadm5_client_send(context, sp);
- krb5_storage_free(sp);
- if(ret)
- return ret;
- ret = _kadm5_client_recv(context, &reply);
- if(ret)
- return ret;
- sp = krb5_storage_from_data (&reply);
- if (sp == NULL) {
- krb5_data_free (&reply);
- return ENOMEM;
- }
- krb5_ret_int32(sp, &tmp);
- krb5_storage_free(sp);
- krb5_data_free (&reply);
- return tmp;
-}
-
diff --git a/crypto/heimdal-0.6.3/lib/kadm5/modify_s.c b/crypto/heimdal-0.6.3/lib/kadm5/modify_s.c
deleted file mode 100644
index 8c595a957b..0000000000
--- a/crypto/heimdal-0.6.3/lib/kadm5/modify_s.c
+++ /dev/null
@@ -1,94 +0,0 @@
-/*
- * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kadm5_locl.h"
-
-RCSID("$Id: modify_s.c,v 1.12 2001/01/30 01:24:28 assar Exp $");
-
-static kadm5_ret_t
-modify_principal(void *server_handle,
- kadm5_principal_ent_t princ,
- u_int32_t mask,
- u_int32_t forbidden_mask)
-{
- kadm5_server_context *context = server_handle;
- hdb_entry ent;
- kadm5_ret_t ret;
- if((mask & forbidden_mask))
- return KADM5_BAD_MASK;
- if((mask & KADM5_POLICY) && strcmp(princ->policy, "default"))
- return KADM5_UNK_POLICY;
-
- ent.principal = princ->principal;
- ret = context->db->open(context->context, context->db, O_RDWR, 0);
- if(ret)
- return ret;
- ret = context->db->fetch(context->context, context->db, 0, &ent);
- if(ret)
- goto out;
- ret = _kadm5_setup_entry(context, &ent, mask, princ, mask, NULL, 0);
- if(ret)
- goto out2;
- ret = _kadm5_set_modifier(context, &ent);
- if(ret)
- goto out2;
-
- ret = hdb_seal_keys(context->context, context->db, &ent);
- if (ret)
- goto out2;
-
- kadm5_log_modify (context,
- &ent,
- mask | KADM5_MOD_NAME | KADM5_MOD_TIME);
-
- ret = context->db->store(context->context, context->db,
- HDB_F_REPLACE, &ent);
-out2:
- hdb_free_entry(context->context, &ent);
-out:
- context->db->close(context->context, context->db);
- return _kadm5_error_code(ret);
-}
-
-
-kadm5_ret_t
-kadm5_s_modify_principal(void *server_handle,
- kadm5_principal_ent_t princ,
- u_int32_t mask)
-{
- return modify_principal(server_handle, princ, mask,
- KADM5_LAST_PWD_CHANGE | KADM5_MOD_TIME
- | KADM5_MOD_NAME | KADM5_MKVNO
- | KADM5_AUX_ATTRIBUTES | KADM5_LAST_SUCCESS
- | KADM5_LAST_FAILED);
-}
diff --git a/crypto/heimdal-0.6.3/lib/kadm5/password_quality.c b/crypto/heimdal-0.6.3/lib/kadm5/password_quality.c
deleted file mode 100644
index bc1463fed9..0000000000
--- a/crypto/heimdal-0.6.3/lib/kadm5/password_quality.c
+++ /dev/null
@@ -1,145 +0,0 @@
-/*
- * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kadm5_locl.h"
-
-RCSID("$Id: password_quality.c,v 1.4 2000/07/05 13:14:45 joda Exp $");
-
-#ifdef HAVE_DLFCN_H
-#include
-#endif
-
-static const char *
-simple_passwd_quality (krb5_context context,
- krb5_principal principal,
- krb5_data *pwd)
-{
- if (pwd->length < 6)
- return "Password too short";
- else
- return NULL;
-}
-
-typedef const char* (*passwd_quality_check_func)(krb5_context,
- krb5_principal,
- krb5_data*);
-
-static passwd_quality_check_func passwd_quality_check = simple_passwd_quality;
-
-#ifdef HAVE_DLOPEN
-
-#define PASSWD_VERSION 0
-
-#endif
-
-/*
- * setup the password quality hook
- */
-
-void
-kadm5_setup_passwd_quality_check(krb5_context context,
- const char *check_library,
- const char *check_function)
-{
-#ifdef HAVE_DLOPEN
- void *handle;
- void *sym;
- int *version;
- int flags;
- const char *tmp;
-
-#ifdef RTLD_NOW
- flags = RTLD_NOW;
-#else
- flags = 0;
-#endif
-
- if(check_library == NULL) {
- tmp = krb5_config_get_string(context, NULL,
- "password_quality",
- "check_library",
- NULL);
- if(tmp != NULL)
- check_library = tmp;
- }
- if(check_function == NULL) {
- tmp = krb5_config_get_string(context, NULL,
- "password_quality",
- "check_function",
- NULL);
- if(tmp != NULL)
- check_function = tmp;
- }
- if(check_library != NULL && check_function == NULL)
- check_function = "passwd_check";
-
- if(check_library == NULL)
- return;
- handle = dlopen(check_library, flags);
- if(handle == NULL) {
- krb5_warnx(context, "failed to open `%s'", check_library);
- return;
- }
- version = dlsym(handle, "version");
- if(version == NULL) {
- krb5_warnx(context,
- "didn't find `version' symbol in `%s'", check_library);
- dlclose(handle);
- return;
- }
- if(*version != PASSWD_VERSION) {
- krb5_warnx(context,
- "version of loaded library is %d (expected %d)",
- *version, PASSWD_VERSION);
- dlclose(handle);
- return;
- }
- sym = dlsym(handle, check_function);
- if(sym == NULL) {
- krb5_warnx(context,
- "didn't find `%s' symbol in `%s'",
- check_function, check_library);
- dlclose(handle);
- return;
- }
- passwd_quality_check = (passwd_quality_check_func) sym;
-#endif /* HAVE_DLOPEN */
-}
-
-const char *
-kadm5_check_password_quality (krb5_context context,
- krb5_principal principal,
- krb5_data *pwd_data)
-{
- return (*passwd_quality_check) (context, principal, pwd_data);
-}
diff --git a/crypto/heimdal-0.6.3/lib/kadm5/private.h b/crypto/heimdal-0.6.3/lib/kadm5/private.h
deleted file mode 100644
index b09545fd67..0000000000
--- a/crypto/heimdal-0.6.3/lib/kadm5/private.h
+++ /dev/null
@@ -1,132 +0,0 @@
-/*
- * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: private.h,v 1.15 2002/08/16 20:57:44 joda Exp $ */
-
-#ifndef __kadm5_privatex_h__
-#define __kadm5_privatex_h__
-
-struct kadm_func {
- kadm5_ret_t (*chpass_principal) (void *, krb5_principal, char*);
- kadm5_ret_t (*create_principal) (void*, kadm5_principal_ent_t,
- u_int32_t, char*);
- kadm5_ret_t (*delete_principal) (void*, krb5_principal);
- kadm5_ret_t (*destroy) (void*);
- kadm5_ret_t (*flush) (void*);
- kadm5_ret_t (*get_principal) (void*, krb5_principal,
- kadm5_principal_ent_t, u_int32_t);
- kadm5_ret_t (*get_principals) (void*, const char*, char***, int*);
- kadm5_ret_t (*get_privs) (void*, u_int32_t*);
- kadm5_ret_t (*modify_principal) (void*, kadm5_principal_ent_t, u_int32_t);
- kadm5_ret_t (*randkey_principal) (void*, krb5_principal,
- krb5_keyblock**, int*);
- kadm5_ret_t (*rename_principal) (void*, krb5_principal, krb5_principal);
- kadm5_ret_t (*chpass_principal_with_key) (void *, krb5_principal,
- int, krb5_key_data *);
-};
-
-/* XXX should be integrated */
-typedef struct kadm5_common_context {
- krb5_context context;
- krb5_boolean my_context;
- struct kadm_func funcs;
- void *data;
-}kadm5_common_context;
-
-typedef struct kadm5_log_peer {
- int fd;
- char *name;
- krb5_auth_context ac;
- struct kadm5_log_peer *next;
-} kadm5_log_peer;
-
-typedef struct kadm5_log_context {
- char *log_file;
- int log_fd;
- u_int32_t version;
- struct sockaddr_un socket_name;
- int socket_fd;
-} kadm5_log_context;
-
-typedef struct kadm5_server_context {
- krb5_context context;
- krb5_boolean my_context;
- struct kadm_func funcs;
- /* */
- kadm5_config_params config;
- HDB *db;
- krb5_principal caller;
- unsigned acl_flags;
- kadm5_log_context log_context;
-} kadm5_server_context;
-
-typedef struct kadm5_client_context {
- krb5_context context;
- krb5_boolean my_context;
- struct kadm_func funcs;
- /* */
- krb5_auth_context ac;
- char *realm;
- char *admin_server;
- int kadmind_port;
- int sock;
- char *client_name;
- char *service_name;
- krb5_prompter_fct prompter;
- const char *keytab;
- krb5_ccache ccache;
- kadm5_config_params *realm_params;
-}kadm5_client_context;
-
-enum kadm_ops {
- kadm_get,
- kadm_delete,
- kadm_create,
- kadm_rename,
- kadm_chpass,
- kadm_modify,
- kadm_randkey,
- kadm_get_privs,
- kadm_get_princs,
- kadm_chpass_with_key,
- kadm_nop
-};
-
-#define KADMIN_APPL_VERSION "KADM0.1"
-#define KADMIN_OLD_APPL_VERSION "KADM0.0"
-
-#define KADM5_LOG_SIGNAL HDB_DB_DIR "/signal"
-
-#include "kadm5-private.h"
-
-#endif /* __kadm5_privatex_h__ */
diff --git a/crypto/heimdal-0.6.3/lib/kadm5/privs_c.c b/crypto/heimdal-0.6.3/lib/kadm5/privs_c.c
deleted file mode 100644
index 83d293cfbf..0000000000
--- a/crypto/heimdal-0.6.3/lib/kadm5/privs_c.c
+++ /dev/null
@@ -1,77 +0,0 @@
-/*
- * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kadm5_locl.h"
-
-RCSID("$Id: privs_c.c,v 1.4 2000/07/11 15:59:54 joda Exp $");
-
-kadm5_ret_t
-kadm5_c_get_privs(void *server_handle, u_int32_t *privs)
-{
- kadm5_client_context *context = server_handle;
- kadm5_ret_t ret;
- krb5_storage *sp;
- unsigned char buf[1024];
- int32_t tmp;
- krb5_data reply;
-
- ret = _kadm5_connect(server_handle);
- if(ret)
- return ret;
-
- sp = krb5_storage_from_mem(buf, sizeof(buf));
- if (sp == NULL)
- return ENOMEM;
- krb5_store_int32(sp, kadm_get_privs);
- ret = _kadm5_client_send(context, sp);
- krb5_storage_free(sp);
- if(ret)
- return ret;
- ret = _kadm5_client_recv(context, &reply);
- if (ret)
- return ret;
- sp = krb5_storage_from_data(&reply);
- if (sp == NULL) {
- krb5_data_free (&reply);
- return ENOMEM;
- }
- krb5_ret_int32(sp, &tmp);
- ret = tmp;
- if(ret == 0){
- krb5_ret_int32(sp, &tmp);
- *privs = tmp;
- }
- krb5_storage_free(sp);
- krb5_data_free (&reply);
- return ret;
-}
diff --git a/crypto/heimdal-0.6.3/lib/kadm5/privs_s.c b/crypto/heimdal-0.6.3/lib/kadm5/privs_s.c
deleted file mode 100644
index 85cd5d597d..0000000000
--- a/crypto/heimdal-0.6.3/lib/kadm5/privs_s.c
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kadm5_locl.h"
-
-RCSID("$Id: privs_s.c,v 1.2 1999/12/02 17:05:07 joda Exp $");
-
-kadm5_ret_t
-kadm5_s_get_privs(void *server_handle, u_int32_t *privs)
-{
- kadm5_server_context *context = server_handle;
- *privs = context->acl_flags;
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/lib/kadm5/randkey_c.c b/crypto/heimdal-0.6.3/lib/kadm5/randkey_c.c
deleted file mode 100644
index eedf697906..0000000000
--- a/crypto/heimdal-0.6.3/lib/kadm5/randkey_c.c
+++ /dev/null
@@ -1,93 +0,0 @@
-/*
- * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kadm5_locl.h"
-
-RCSID("$Id: randkey_c.c,v 1.4 2000/07/11 16:00:02 joda Exp $");
-
-kadm5_ret_t
-kadm5_c_randkey_principal(void *server_handle,
- krb5_principal princ,
- krb5_keyblock **new_keys,
- int *n_keys)
-{
- kadm5_client_context *context = server_handle;
- kadm5_ret_t ret;
- krb5_storage *sp;
- unsigned char buf[1024];
- int32_t tmp;
- krb5_data reply;
-
- ret = _kadm5_connect(server_handle);
- if(ret)
- return ret;
-
- sp = krb5_storage_from_mem(buf, sizeof(buf));
- if (sp == NULL)
- return ENOMEM;
- krb5_store_int32(sp, kadm_randkey);
- krb5_store_principal(sp, princ);
- ret = _kadm5_client_send(context, sp);
- krb5_storage_free(sp);
- if (ret)
- return ret;
- ret = _kadm5_client_recv(context, &reply);
- if(ret)
- return ret;
- sp = krb5_storage_from_data(&reply);
- if (sp == NULL) {
- krb5_data_free (&reply);
- return ENOMEM;
- }
- krb5_ret_int32(sp, &tmp);
- ret = tmp;
- if(ret == 0){
- krb5_keyblock *k;
- int i;
-
- krb5_ret_int32(sp, &tmp);
- k = malloc(tmp * sizeof(*k));
- if (k == NULL) {
- ret = ENOMEM;
- goto out;
- }
- for(i = 0; i < tmp; i++)
- krb5_ret_keyblock(sp, &k[i]);
- *n_keys = tmp;
- *new_keys = k;
- }
-out:
- krb5_storage_free(sp);
- krb5_data_free (&reply);
- return ret;
-}
diff --git a/crypto/heimdal-0.6.3/lib/kadm5/randkey_s.c b/crypto/heimdal-0.6.3/lib/kadm5/randkey_s.c
deleted file mode 100644
index 9780b11131..0000000000
--- a/crypto/heimdal-0.6.3/lib/kadm5/randkey_s.c
+++ /dev/null
@@ -1,101 +0,0 @@
-/*
- * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kadm5_locl.h"
-
-RCSID("$Id: randkey_s.c,v 1.13 2001/01/30 01:24:28 assar Exp $");
-
-/*
- * Set the keys of `princ' to random values, returning the random keys
- * in `new_keys', `n_keys'.
- */
-
-kadm5_ret_t
-kadm5_s_randkey_principal(void *server_handle,
- krb5_principal princ,
- krb5_keyblock **new_keys,
- int *n_keys)
-{
- kadm5_server_context *context = server_handle;
- hdb_entry ent;
- kadm5_ret_t ret;
-
- ent.principal = princ;
- ret = context->db->open(context->context, context->db, O_RDWR, 0);
- if(ret)
- return ret;
- ret = context->db->fetch(context->context, context->db, 0, &ent);
- if(ret)
- goto out;
-
- ret = _kadm5_set_keys_randomly (context,
- &ent,
- new_keys,
- n_keys);
- if (ret)
- goto out2;
-
- ret = _kadm5_set_modifier(context, &ent);
- if(ret)
- goto out3;
- ret = _kadm5_bump_pw_expire(context, &ent);
- if (ret)
- goto out2;
-
- ret = hdb_seal_keys(context->context, context->db, &ent);
- if (ret)
- goto out2;
-
- kadm5_log_modify (context,
- &ent,
- KADM5_PRINCIPAL | KADM5_MOD_NAME | KADM5_MOD_TIME |
- KADM5_KEY_DATA | KADM5_KVNO | KADM5_PW_EXPIRATION);
-
- ret = context->db->store(context->context, context->db,
- HDB_F_REPLACE, &ent);
-out3:
- if (ret) {
- int i;
-
- for (i = 0; i < *n_keys; ++i)
- krb5_free_keyblock_contents (context->context, &(*new_keys)[i]);
- free (*new_keys);
- *new_keys = NULL;
- *n_keys = 0;
- }
-out2:
- hdb_free_entry(context->context, &ent);
-out:
- context->db->close(context->context, context->db);
- return _kadm5_error_code(ret);
-}
diff --git a/crypto/heimdal-0.6.3/lib/kadm5/rename_c.c b/crypto/heimdal-0.6.3/lib/kadm5/rename_c.c
deleted file mode 100644
index 95ccf25036..0000000000
--- a/crypto/heimdal-0.6.3/lib/kadm5/rename_c.c
+++ /dev/null
@@ -1,77 +0,0 @@
-/*
- * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kadm5_locl.h"
-
-RCSID("$Id: rename_c.c,v 1.4 2000/07/11 16:00:08 joda Exp $");
-
-kadm5_ret_t
-kadm5_c_rename_principal(void *server_handle,
- krb5_principal source,
- krb5_principal target)
-{
- kadm5_client_context *context = server_handle;
- kadm5_ret_t ret;
- krb5_storage *sp;
- unsigned char buf[1024];
- int32_t tmp;
- krb5_data reply;
-
- ret = _kadm5_connect(server_handle);
- if(ret)
- return ret;
-
- sp = krb5_storage_from_mem(buf, sizeof(buf));
- if (sp == NULL)
- return ENOMEM;
- krb5_store_int32(sp, kadm_rename);
- krb5_store_principal(sp, source);
- krb5_store_principal(sp, target);
- ret = _kadm5_client_send(context, sp);
- krb5_storage_free(sp);
- if (ret)
- return ret;
- ret = _kadm5_client_recv(context, &reply);
- if(ret)
- return ret;
- sp = krb5_storage_from_data (&reply);
- if (sp == NULL) {
- krb5_data_free (&reply);
- return ENOMEM;
- }
- krb5_ret_int32(sp, &tmp);
- ret = tmp;
- krb5_storage_free(sp);
- krb5_data_free (&reply);
- return ret;
-}
diff --git a/crypto/heimdal-0.6.3/lib/kadm5/rename_s.c b/crypto/heimdal-0.6.3/lib/kadm5/rename_s.c
deleted file mode 100644
index a478e0acd9..0000000000
--- a/crypto/heimdal-0.6.3/lib/kadm5/rename_s.c
+++ /dev/null
@@ -1,108 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kadm5_locl.h"
-
-RCSID("$Id: rename_s.c,v 1.11 2001/01/30 01:24:29 assar Exp $");
-
-kadm5_ret_t
-kadm5_s_rename_principal(void *server_handle,
- krb5_principal source,
- krb5_principal target)
-{
- kadm5_server_context *context = server_handle;
- kadm5_ret_t ret;
- hdb_entry ent, ent2;
- ent.principal = source;
- if(krb5_principal_compare(context->context, source, target))
- return KADM5_DUP; /* XXX is this right? */
- if(!krb5_realm_compare(context->context, source, target))
- return KADM5_FAILURE; /* XXX better code */
- ret = context->db->open(context->context, context->db, O_RDWR, 0);
- if(ret)
- return ret;
- ret = context->db->fetch(context->context, context->db, 0, &ent);
- if(ret){
- context->db->close(context->context, context->db);
- goto out;
- }
- ret = _kadm5_set_modifier(context, &ent);
- if(ret)
- goto out2;
- {
- /* fix salt */
- int i;
- Salt salt;
- krb5_salt salt2;
- krb5_get_pw_salt(context->context, source, &salt2);
- salt.type = hdb_pw_salt;
- salt.salt = salt2.saltvalue;
- for(i = 0; i < ent.keys.len; i++){
- if(ent.keys.val[i].salt == NULL){
- ent.keys.val[i].salt = malloc(sizeof(*ent.keys.val[i].salt));
- ret = copy_Salt(&salt, ent.keys.val[i].salt);
- if(ret)
- break;
- }
- }
- krb5_free_salt(context->context, salt2);
- }
- if(ret)
- goto out2;
- ent2.principal = ent.principal;
- ent.principal = target;
-
- ret = hdb_seal_keys(context->context, context->db, &ent);
- if (ret) {
- ent.principal = ent2.principal;
- goto out2;
- }
-
- kadm5_log_rename (context,
- source,
- &ent);
-
- ret = context->db->store(context->context, context->db, 0, &ent);
- if(ret){
- ent.principal = ent2.principal;
- goto out2;
- }
- ret = context->db->remove(context->context, context->db, &ent2);
- ent.principal = ent2.principal;
-out2:
- context->db->close(context->context, context->db);
- hdb_free_entry(context->context, &ent);
-out:
- return _kadm5_error_code(ret);
-}
-
diff --git a/crypto/heimdal-0.6.3/lib/kadm5/replay_log.c b/crypto/heimdal-0.6.3/lib/kadm5/replay_log.c
deleted file mode 100644
index 1b2d71635f..0000000000
--- a/crypto/heimdal-0.6.3/lib/kadm5/replay_log.c
+++ /dev/null
@@ -1,129 +0,0 @@
-/*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "iprop.h"
-
-RCSID("$Id: replay_log.c,v 1.9 2002/05/24 15:19:22 joda Exp $");
-
-int start_version = -1;
-int end_version = -1;
-
-static void
-apply_entry(kadm5_server_context *server_context,
- u_int32_t ver,
- time_t timestamp,
- enum kadm_ops op,
- u_int32_t len,
- krb5_storage *sp)
-{
- krb5_error_code ret;
-
- if((start_version != -1 && ver < start_version) ||
- (end_version != -1 && ver > end_version)) {
- /* XXX skip this entry */
- krb5_storage_seek(sp, len, SEEK_CUR);
- return;
- }
- printf ("ver %u... ", ver);
- fflush (stdout);
-
- ret = kadm5_log_replay (server_context,
- op, ver, len, sp);
- if (ret)
- krb5_warn (server_context->context, ret, "kadm5_log_replay");
-
-
- printf ("done\n");
-}
-
-int version_flag;
-int help_flag;
-struct getargs args[] = {
- { "start-version", 0, arg_integer, &start_version, "start replay with this version" },
- { "end-version", 0, arg_integer, &end_version, "end replay with this version" },
- { "version", 0, arg_flag, &version_flag },
- { "help", 0, arg_flag, &help_flag }
-};
-int num_args = sizeof(args) / sizeof(args[0]);
-
-int
-main(int argc, char **argv)
-{
- krb5_context context;
- krb5_error_code ret;
- void *kadm_handle;
- kadm5_config_params conf;
- kadm5_server_context *server_context;
-
- krb5_program_setup(&context, argc, argv, args, num_args, NULL);
-
- if(help_flag)
- krb5_std_usage(0, args, num_args);
- if(version_flag) {
- print_version(NULL);
- exit(0);
- }
-
- memset(&conf, 0, sizeof(conf));
- ret = kadm5_init_with_password_ctx (context,
- KADM5_ADMIN_SERVICE,
- NULL,
- KADM5_ADMIN_SERVICE,
- &conf, 0, 0,
- &kadm_handle);
- if (ret)
- krb5_err (context, 1, ret, "kadm5_init_with_password_ctx");
-
- server_context = (kadm5_server_context *)kadm_handle;
-
- ret = server_context->db->open(context,
- server_context->db,
- O_RDWR | O_CREAT, 0);
- if (ret)
- krb5_err (context, 1, ret, "db->open");
-
- ret = kadm5_log_init (server_context);
- if (ret)
- krb5_err (context, 1, ret, "kadm5_log_init");
-
- ret = kadm5_log_foreach (server_context, apply_entry);
- if(ret)
- krb5_warn(context, ret, "kadm5_log_foreach");
- ret = kadm5_log_end (server_context);
- if (ret)
- krb5_warn(context, ret, "kadm5_log_end");
- ret = server_context->db->close (context, server_context->db);
- if (ret)
- krb5_err (context, 1, ret, "db->close");
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/lib/kadm5/sample_passwd_check.c b/crypto/heimdal-0.6.3/lib/kadm5/sample_passwd_check.c
deleted file mode 100644
index 4ff5122c16..0000000000
--- a/crypto/heimdal-0.6.3/lib/kadm5/sample_passwd_check.c
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- * Copyright (c) 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of KTH nor the names of its contributors may be
- * used to endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
- * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
- * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
- * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
-
-/* $Id: sample_passwd_check.c,v 1.1 1999/09/10 10:11:03 assar Exp $ */
-
-#include
-#include
-#include
-
-/* specify the api-version this library conforms to */
-
-int version = 0;
-
-/* just check the length of the password, this is what the default
- check does, but this lets you specify the minimum length in
- krb5.conf */
-const char*
-check_length(krb5_context context,
- krb5_principal prinipal,
- krb5_data *password)
-{
- int min_length = krb5_config_get_int_default(context, NULL, 6,
- "password_quality",
- "min_length",
- NULL);
- if(password->length < min_length)
- return "Password too short";
- return NULL;
-}
-
-#ifdef DICTPATH
-
-/* use cracklib to check password quality; this requires a patch for
- cracklib that can be found at
- ftp://ftp.pdc.kth.se/pub/krb/src/cracklib.patch */
-
-const char*
-check_cracklib(krb5_context context,
- krb5_principal principal,
- krb5_data *password)
-{
- char *s = malloc(password->length + 1);
- char *msg;
- char *strings[2];
- if(s == NULL)
- return NULL; /* XXX */
- strings[0] = principal->name.name_string.val[0]; /* XXX */
- strings[1] = NULL;
- memcpy(s, password->data, password->length);
- s[password->length] = '\0';
- msg = FascistCheck(s, DICTPATH, strings);
- memset(s, 0, password->length);
- free(s);
- return msg;
-}
-#endif
diff --git a/crypto/heimdal-0.6.3/lib/kadm5/send_recv.c b/crypto/heimdal-0.6.3/lib/kadm5/send_recv.c
deleted file mode 100644
index fe44b76b8c..0000000000
--- a/crypto/heimdal-0.6.3/lib/kadm5/send_recv.c
+++ /dev/null
@@ -1,93 +0,0 @@
-/*
- * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kadm5_locl.h"
-
-RCSID("$Id: send_recv.c,v 1.10 2003/04/16 17:58:59 lha Exp $");
-
-kadm5_ret_t
-_kadm5_client_send(kadm5_client_context *context, krb5_storage *sp)
-{
- krb5_data msg, out;
- krb5_error_code ret;
- size_t len;
- krb5_storage *sock;
-
- assert(context->sock != -1);
-
- len = krb5_storage_seek(sp, 0, SEEK_CUR);
- ret = krb5_data_alloc(&msg, len);
- if (ret)
- return ret;
- krb5_storage_seek(sp, 0, SEEK_SET);
- krb5_storage_read(sp, msg.data, msg.length);
-
- ret = krb5_mk_priv(context->context, context->ac, &msg, &out, NULL);
- krb5_data_free(&msg);
- if(ret)
- return ret;
-
- sock = krb5_storage_from_fd(context->sock);
- if(sock == NULL) {
- krb5_data_free(&out);
- return ENOMEM;
- }
-
- ret = krb5_store_data(sock, out);
- krb5_storage_free(sock);
- krb5_data_free(&out);
- return ret;
-}
-
-kadm5_ret_t
-_kadm5_client_recv(kadm5_client_context *context, krb5_data *reply)
-{
- krb5_error_code ret;
- krb5_data data;
- krb5_storage *sock;
-
- sock = krb5_storage_from_fd(context->sock);
- if(sock == NULL)
- return ENOMEM;
- ret = krb5_ret_data(sock, &data);
- krb5_storage_free(sock);
- if(ret == KRB5_CC_END)
- return KADM5_RPC_ERROR;
- else if(ret)
- return ret;
-
- ret = krb5_rd_priv(context->context, context->ac, &data, reply, NULL);
- krb5_data_free(&data);
- return ret;
-}
-
diff --git a/crypto/heimdal-0.6.3/lib/kadm5/server_glue.c b/crypto/heimdal-0.6.3/lib/kadm5/server_glue.c
deleted file mode 100644
index 21b60776ad..0000000000
--- a/crypto/heimdal-0.6.3/lib/kadm5/server_glue.c
+++ /dev/null
@@ -1,150 +0,0 @@
-/*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kadm5_locl.h"
-
-RCSID("$Id: server_glue.c,v 1.6 1999/12/02 17:05:07 joda Exp $");
-
-kadm5_ret_t
-kadm5_init_with_password(const char *client_name,
- const char *password,
- const char *service_name,
- kadm5_config_params *realm_params,
- unsigned long struct_version,
- unsigned long api_version,
- void **server_handle)
-{
- return kadm5_s_init_with_password(client_name,
- password,
- service_name,
- realm_params,
- struct_version,
- api_version,
- server_handle);
-}
-
-kadm5_ret_t
-kadm5_init_with_password_ctx(krb5_context context,
- const char *client_name,
- const char *password,
- const char *service_name,
- kadm5_config_params *realm_params,
- unsigned long struct_version,
- unsigned long api_version,
- void **server_handle)
-{
- return kadm5_s_init_with_password_ctx(context,
- client_name,
- password,
- service_name,
- realm_params,
- struct_version,
- api_version,
- server_handle);
-}
-
-kadm5_ret_t
-kadm5_init_with_skey(const char *client_name,
- const char *keytab,
- const char *service_name,
- kadm5_config_params *realm_params,
- unsigned long struct_version,
- unsigned long api_version,
- void **server_handle)
-{
- return kadm5_s_init_with_skey(client_name,
- keytab,
- service_name,
- realm_params,
- struct_version,
- api_version,
- server_handle);
-}
-
-kadm5_ret_t
-kadm5_init_with_skey_ctx(krb5_context context,
- const char *client_name,
- const char *keytab,
- const char *service_name,
- kadm5_config_params *realm_params,
- unsigned long struct_version,
- unsigned long api_version,
- void **server_handle)
-{
- return kadm5_s_init_with_skey_ctx(context,
- client_name,
- keytab,
- service_name,
- realm_params,
- struct_version,
- api_version,
- server_handle);
-}
-
-kadm5_ret_t
-kadm5_init_with_creds(const char *client_name,
- krb5_ccache ccache,
- const char *service_name,
- kadm5_config_params *realm_params,
- unsigned long struct_version,
- unsigned long api_version,
- void **server_handle)
-{
- return kadm5_s_init_with_creds(client_name,
- ccache,
- service_name,
- realm_params,
- struct_version,
- api_version,
- server_handle);
-}
-
-kadm5_ret_t
-kadm5_init_with_creds_ctx(krb5_context context,
- const char *client_name,
- krb5_ccache ccache,
- const char *service_name,
- kadm5_config_params *realm_params,
- unsigned long struct_version,
- unsigned long api_version,
- void **server_handle)
-{
- return kadm5_s_init_with_creds_ctx(context,
- client_name,
- ccache,
- service_name,
- realm_params,
- struct_version,
- api_version,
- server_handle);
-}
diff --git a/crypto/heimdal-0.6.3/lib/kadm5/set_keys.c b/crypto/heimdal-0.6.3/lib/kadm5/set_keys.c
deleted file mode 100644
index d69c509b22..0000000000
--- a/crypto/heimdal-0.6.3/lib/kadm5/set_keys.c
+++ /dev/null
@@ -1,499 +0,0 @@ -/* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "kadm5_locl.h" - -RCSID("$Id: set_keys.c,v 1.25 2001/08/13 15:12:16 joda Exp $"); - -/* - * the known and used DES enctypes - */ - -static krb5_enctype des_types[] = { ETYPE_DES_CBC_CRC, - ETYPE_DES_CBC_MD4, - ETYPE_DES_CBC_MD5 }; -static unsigned n_des_types = sizeof(des_types) / sizeof(des_types[0]); - -static krb5_error_code -make_keys(krb5_context context, krb5_principal principal, const char *password, - Key **keys_ret, size_t *num_keys_ret) -{ - krb5_enctype all_etypes[] = { ETYPE_DES3_CBC_SHA1, - ETYPE_DES_CBC_MD5, - ETYPE_DES_CBC_MD4, - ETYPE_DES_CBC_CRC }; - - - krb5_enctype e; - - krb5_error_code ret = 0; - char **ktypes, **kp; - - Key *keys = NULL, *tmp; - int num_keys = 0; - Key key; - - int i; - char *v4_ktypes[] = {"des3:pw-salt", "v4", NULL}; - - ktypes = krb5_config_get_strings(context, NULL, "kadmin", - "default_keys", NULL); - - /* for each entry in `default_keys' try to parse it as a sequence - of etype:salttype:salt, syntax of this if something like: - [(des|des3|etype):](pw|afs3)[:string], if etype is omitted it - means all etypes, and if string is omitted is means the default - string (for that principal). 
Additional special values: - v5 == pw-salt, and - v4 == des:pw-salt: - afs or afs3 == des:afs3-salt - */ - - if (ktypes == NULL - && krb5_config_get_bool (context, NULL, "kadmin", - "use_v4_salt", NULL)) - ktypes = v4_ktypes; - - for(kp = ktypes; kp && *kp; kp++) { - krb5_enctype *etypes; - int num_etypes; - krb5_salt salt; - krb5_boolean salt_set; - - const char *p; - char buf[3][256]; - int num_buf = 0; - - p = *kp; - if(strcmp(p, "v5") == 0) - p = "pw-salt"; - else if(strcmp(p, "v4") == 0) - p = "des:pw-salt:"; - else if(strcmp(p, "afs") == 0 || strcmp(p, "afs3") == 0) - p = "des:afs3-salt"; - - /* split p in a list of :-separated strings */ - for(num_buf = 0; num_buf < 3; num_buf++) - if(strsep_copy(&p, ":", buf[num_buf], sizeof(buf[num_buf])) == -1) - break; - - etypes = NULL; - num_etypes = 0; - memset(&salt, 0, sizeof(salt)); - salt_set = FALSE; - - for(i = 0; i < num_buf; i++) { - if(etypes == NULL) { - /* this might be a etype specifier */ - /* XXX there should be a string_to_etypes handling - special cases like `des' and `all' */ - if(strcmp(buf[i], "des") == 0) { - etypes = all_etypes + 1; - num_etypes = 3; - continue; - } else if(strcmp(buf[i], "des3") == 0) { - e = ETYPE_DES3_CBC_SHA1; - etypes = &e; - num_etypes = 1; - continue; - } else { - ret = krb5_string_to_enctype(context, buf[i], &e); - if(ret == 0) { - etypes = &e; - num_etypes = 1; - continue; - } - } - } - if(salt.salttype == 0) { - /* interpret string as a salt specifier, if no etype - is set, this sets default values */ - /* XXX should perhaps use string_to_salttype, but that - interface sucks */ - if(strcmp(buf[i], "pw-salt") == 0) { - if(etypes == NULL) { - etypes = all_etypes; - num_etypes = 4; - } - salt.salttype = KRB5_PW_SALT; - } else if(strcmp(buf[i], "afs3-salt") == 0) { - if(etypes == NULL) { - etypes = all_etypes + 1; - num_etypes = 3; - } - salt.salttype = KRB5_AFS3_SALT; - } - } else { - /* if there is a final string, use it as the string to - salt with, this is mostly useful 
with null salt for - v4 compat, and a cell name for afs compat */ - salt.saltvalue.data = buf[i]; - salt.saltvalue.length = strlen(buf[i]); - salt_set = TRUE; - } - } - - if(etypes == NULL || salt.salttype == 0) { - krb5_warnx(context, "bad value for default_keys `%s'", *kp); - continue; - } - - if(!salt_set) { - /* make up default salt */ - if(salt.salttype == KRB5_PW_SALT) - ret = krb5_get_pw_salt(context, principal, &salt); - else if(salt.salttype == KRB5_AFS3_SALT) { - krb5_realm *realm = krb5_princ_realm(context, principal); - salt.saltvalue.data = strdup(*realm); - if(salt.saltvalue.data == NULL) { - krb5_set_error_string(context, "out of memory while " - "parsinig salt specifiers"); - ret = ENOMEM; - goto out; - } - strlwr(salt.saltvalue.data); - salt.saltvalue.length = strlen(*realm); - salt_set = 1; - } - } - memset(&key, 0, sizeof(key)); - for(i = 0; i < num_etypes; i++) { - Key *k; - for(k = keys; k < keys + num_keys; k++) { - if(k->key.keytype == etypes[i] && - ((k->salt != NULL && - k->salt->type == salt.salttype && - k->salt->salt.length == salt.saltvalue.length && - memcmp(k->salt->salt.data, salt.saltvalue.data, - salt.saltvalue.length) == 0) || - (k->salt == NULL && - salt.salttype == KRB5_PW_SALT && - !salt_set))) - goto next_etype; - } - - ret = krb5_string_to_key_salt (context, - etypes[i], - password, - salt, - &key.key); - - if(ret) - goto out; - - if (salt.salttype != KRB5_PW_SALT || salt_set) { - key.salt = malloc (sizeof(*key.salt)); - if (key.salt == NULL) { - free_Key(&key); - ret = ENOMEM; - goto out; - } - key.salt->type = salt.salttype; - krb5_data_zero (&key.salt->salt); - - /* is the salt has not been set explicitly, it will be - the default salt, so there's no need to explicitly - copy it */ - if (salt_set) { - ret = krb5_data_copy(&key.salt->salt, - salt.saltvalue.data, - salt.saltvalue.length); - if (ret) { - free_Key(&key); - goto out; - } - } - } - tmp = realloc(keys, (num_keys + 1) * sizeof(*keys)); - if(tmp == NULL) { - 
free_Key(&key); - ret = ENOMEM; - goto out; - } - keys = tmp; - keys[num_keys++] = key; - next_etype:; - } - } - - if(num_keys == 0) { - /* if we didn't manage to find a single valid key, create a - default set */ - /* XXX only do this is there is no `default_keys'? */ - krb5_salt v5_salt; - tmp = realloc(keys, (num_keys + 4) * sizeof(*keys)); - if(tmp == NULL) { - ret = ENOMEM; - goto out; - } - keys = tmp; - ret = krb5_get_pw_salt(context, principal, &v5_salt); - if(ret) - goto out; - for(i = 0; i < 4; i++) { - memset(&key, 0, sizeof(key)); - ret = krb5_string_to_key_salt(context, all_etypes[i], password, - v5_salt, &key.key); - if(ret) { - krb5_free_salt(context, v5_salt); - goto out; - } - keys[num_keys++] = key; - } - krb5_free_salt(context, v5_salt); - } - - out: - if(ret == 0) { - *keys_ret = keys; - *num_keys_ret = num_keys; - } else { - for(i = 0; i < num_keys; i++) { - free_Key(&keys[i]); - } - free(keys); - } - return ret; -} - -/* - * Set the keys of `ent' to the string-to-key of `password' - */ - -kadm5_ret_t -_kadm5_set_keys(kadm5_server_context *context, - hdb_entry *ent, - const char *password) -{ - kadm5_ret_t ret; - Key *keys; - size_t num_keys; - - ret = make_keys(context->context, ent->principal, password, - &keys, &num_keys); - - if(ret) - return ret; - - _kadm5_free_keys (context, ent->keys.len, ent->keys.val); - ent->keys.val = keys; - ent->keys.len = num_keys; - ent->kvno++; - return 0; -} - -/* - * Set the keys of `ent' to (`n_key_data', `key_data') - */ - -kadm5_ret_t -_kadm5_set_keys2(kadm5_server_context *context, - hdb_entry *ent, - int16_t n_key_data, - krb5_key_data *key_data) -{ - krb5_error_code ret; - int i; - unsigned len; - Key *keys; - - len = n_key_data; - keys = malloc (len * sizeof(*keys)); - if (keys == NULL) - return ENOMEM; - - _kadm5_init_keys (keys, len); - - for(i = 0; i < n_key_data; i++) { - keys[i].mkvno = NULL; - keys[i].key.keytype = key_data[i].key_data_type[0]; - ret = krb5_data_copy(&keys[i].key.keyvalue, - 
key_data[i].key_data_contents[0], - key_data[i].key_data_length[0]); - if(ret) - goto out; - if(key_data[i].key_data_ver == 2) { - Salt *salt; - - salt = malloc(sizeof(*salt)); - if(salt == NULL) { - ret = ENOMEM; - goto out; - } - keys[i].salt = salt; - salt->type = key_data[i].key_data_type[1]; - krb5_data_copy(&salt->salt, - key_data[i].key_data_contents[1], - key_data[i].key_data_length[1]); - } else - keys[i].salt = NULL; - } - _kadm5_free_keys (context, ent->keys.len, ent->keys.val); - ent->keys.len = len; - ent->keys.val = keys; - ent->kvno++; - return 0; - out: - _kadm5_free_keys (context, len, keys); - return ret; -} - -/* - * Set the keys of `ent' to `n_keys, keys' - */ - -kadm5_ret_t -_kadm5_set_keys3(kadm5_server_context *context, - hdb_entry *ent, - int n_keys, - krb5_keyblock *keyblocks) -{ - krb5_error_code ret; - int i; - unsigned len; - Key *keys; - - len = n_keys; - keys = malloc (len * sizeof(*keys)); - if (keys == NULL) - return ENOMEM; - - _kadm5_init_keys (keys, len); - - for(i = 0; i < n_keys; i++) { - keys[i].mkvno = NULL; - ret = krb5_copy_keyblock_contents (context->context, - &keyblocks[i], - &keys[i].key); - if(ret) - goto out; - keys[i].salt = NULL; - } - _kadm5_free_keys (context, ent->keys.len, ent->keys.val); - ent->keys.len = len; - ent->keys.val = keys; - ent->kvno++; - return 0; - out: - _kadm5_free_keys (context, len, keys); - return ret; -} - -/* - * Set the keys of `ent' to random keys and return them in `n_keys' - * and `new_keys'. 
- */ - -kadm5_ret_t -_kadm5_set_keys_randomly (kadm5_server_context *context, - hdb_entry *ent, - krb5_keyblock **new_keys, - int *n_keys) -{ - kadm5_ret_t ret = 0; - int i; - unsigned len; - krb5_keyblock *keys; - Key *hkeys; - - len = n_des_types + 1; - keys = malloc (len * sizeof(*keys)); - if (keys == NULL) - return ENOMEM; - - for (i = 0; i < len; ++i) { - keys[i].keyvalue.length = 0; - keys[i].keyvalue.data = NULL; - } - - hkeys = malloc (len * sizeof(*hkeys)); - if (hkeys == NULL) { - free (keys); - return ENOMEM; - } - - _kadm5_init_keys (hkeys, len); - - ret = krb5_generate_random_keyblock (context->context, - des_types[0], - &keys[0]); - if (ret) - goto out; - - ret = krb5_copy_keyblock_contents (context->context, - &keys[0], - &hkeys[0].key); - if (ret) - goto out; - - for (i = 1; i < n_des_types; ++i) { - ret = krb5_copy_keyblock_contents (context->context, - &keys[0], - &keys[i]); - if (ret) - goto out; - keys[i].keytype = des_types[i]; - ret = krb5_copy_keyblock_contents (context->context, - &keys[0], - &hkeys[i].key); - if (ret) - goto out; - hkeys[i].key.keytype = des_types[i]; - } - - ret = krb5_generate_random_keyblock (context->context, - ETYPE_DES3_CBC_SHA1, - &keys[n_des_types]); - if (ret) - goto out; - - ret = krb5_copy_keyblock_contents (context->context, - &keys[n_des_types], - &hkeys[n_des_types].key); - if (ret) - goto out; - - _kadm5_free_keys (context, ent->keys.len, ent->keys.val); - ent->keys.len = len; - ent->keys.val = hkeys; - ent->kvno++; - *new_keys = keys; - *n_keys = len; - return ret; -out: - for (i = 0; i < len; ++i) - krb5_free_keyblock_contents (context->context, &keys[i]); - free (keys); - _kadm5_free_keys (context, len, hkeys); - return ret; -} diff --git a/crypto/heimdal-0.6.3/lib/kadm5/set_modifier.c b/crypto/heimdal-0.6.3/lib/kadm5/set_modifier.c deleted file mode 100644 index 2b097459b5..0000000000 --- a/crypto/heimdal-0.6.3/lib/kadm5/set_modifier.c +++ /dev/null 
@@ -1,54 +0,0 @@
-/*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kadm5_locl.h"
-
-RCSID("$Id: set_modifier.c,v 1.2 1999/12/02 17:05:07 joda Exp $");
-
-kadm5_ret_t
-_kadm5_set_modifier(kadm5_server_context *context,
- hdb_entry *ent)
-{
- kadm5_ret_t ret;
- if(ent->modified_by == NULL){
- ent->modified_by = malloc(sizeof(*ent->modified_by));
- if(ent->modified_by == NULL)
- return ENOMEM;
- } else
- free_Event(ent->modified_by);
- ent->modified_by->time = time(NULL);
- ret = krb5_copy_principal(context->context, context->caller,
- &ent->modified_by->principal);
- return ret;
-}
-
diff --git a/crypto/heimdal-0.6.3/lib/kadm5/truncate_log.c b/crypto/heimdal-0.6.3/lib/kadm5/truncate_log.c
deleted file mode 100644
index cf4af26e73..0000000000
--- a/crypto/heimdal-0.6.3/lib/kadm5/truncate_log.c
+++ /dev/null
@@ -1,89 +0,0 @@
-/*
- * Copyright (c) 2000, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "iprop.h"
-
-RCSID("$Id: truncate_log.c,v 1.1.8.1 2003/10/14 15:58:46 joda Exp $");
-
-static char *realm;
-static int version_flag;
-static int help_flag;
-
-static struct getargs args[] = {
- { "realm", 'r', arg_string, &realm },
- { "version", 0, arg_flag, &version_flag },
- { "help", 0, arg_flag, &help_flag }
-};
-
-static int num_args = sizeof(args) / sizeof(args[0]);
-
-int
-main(int argc, char **argv)
-{
- krb5_context context;
- krb5_error_code ret;
- void *kadm_handle;
- kadm5_server_context *server_context;
- kadm5_config_params conf;
-
- krb5_program_setup(&context, argc, argv, args, num_args, NULL);
-
- if(help_flag)
- krb5_std_usage(0, args, num_args);
- if(version_flag) {
- print_version(NULL);
- exit(0);
- }
-
- memset(&conf, 0, sizeof(conf));
- if(realm) {
- conf.mask |= KADM5_CONFIG_REALM;
- conf.realm = realm;
- }
-
- ret = kadm5_init_with_password_ctx (context,
- KADM5_ADMIN_SERVICE,
- NULL,
- KADM5_ADMIN_SERVICE,
- &conf, 0, 0,
- &kadm_handle);
- if (ret)
- krb5_err (context, 1, ret, "kadm5_init_with_password_ctx");
-
- server_context = (kadm5_server_context *)kadm_handle;
-
- ret = kadm5_log_truncate (server_context);
- if(ret)
- krb5_err (context, 1, ret, "kadm5_log_truncate");
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/lib/kafs/ChangeLog b/crypto/heimdal-0.6.3/lib/kafs/ChangeLog
deleted file mode 100644
index 2f1bb02e7b..0000000000
--- a/crypto/heimdal-0.6.3/lib/kafs/ChangeLog
+++ /dev/null
@@ -1,417 +0,0 @@ -2004-06-22 Love - - * afssys.c: 1.70->1.72: s/arla/nnpfs/ - -2004-06-22 Love Hörquist Åstrand - - * afssys.c: 1.70: support the linux /proc/fs/mumel/afs_ioctl afs - "syscall" interface - -2003-04-23 Love Hörquist Åstrand - - * common.c, kafs.h: drop the int argument (the error code) from - the logging function - -2003-04-22 Johan Danielsson - - * afskrb5.c (v5_convert): better match what other functions do - with values from krb5.conf, like case insensitivity - -2003-04-16 Love Hörquist Åstrand - - * kafs.3: Change .Fd #include to .In header.h - from Thomas Klausner - -2003-04-14 Love Hörquist Åstrand - - * Makefile.am: (libkafs_la_LDFLAGS): update version - - * Makefile.am (ROKEN_SRCS): drop strupr.c - - * kafs.3: document kafs_set_verbose - - * common.c (kafs_set_verbose): add function that (re)sets the - logging function - (_kafs_try_get_cred): add function that does (krb_data->get_cred) to - make logging easier (that is now done in this function) - (*): use _kafs_try_get_cred - - * afskrb5.c (get_cred): handle that inst can be the empty string too - (v5_convert): use _kafs_foldup - (krb5_afslog_uid_home): set name - (krb5_afslog_uid_home): ditto - - * afskrb.c (krb_afslog_uid_home): set name - (krb_afslog_uid_home): ditto - - * kafs_locl.h (kafs_data): add name - (_kafs_foldup): internally export - -2003-04-11 Love Hörquist Åstrand - - * kafs.3: tell that cell-name is uppercased - - * Makefile.am: add INCLUDE_krb4 when using krb4, add INCLUDE_des - when using krb5, add strupr.c - - * afskrb5.c: Check the cell part of the name, not the realm part - when checking if 2b should be used. The reson is afs@REALM might - have updated their servers but not afs/cell@REALM. Add constant - KAFS_RXKAD_2B_KVNO. 
- -2003-04-06 Love Hörquist Åstrand - - * kafs.3: s/kerberos/Kerberos/ - -2003-03-19 Love Hörquist Åstrand - - * kafs.3: spelling, from - - * kafs.3: document the kafs_settoken functions write about the - krb5_appdefault option for kerberos 5 afs tokens fix prototypes - -2003-03-18 Love Hörquist Åstrand - - * afskrb5.c (kafs_settoken5): change signature to include a - krb5_context, use v5_convert - (v5_convert): new function, converts a krb5_ccreds to a kafs_token in - three diffrent ways, not at all, local 524/2b, and using 524 - (v5_to_kt): add code to do local 524/2b - (get_cred): use v5_convert - - - * kafs.h (kafs_settoken5): change signature to include a - krb5_context - - * Makefile.am: always build the libkafs library now that the - kerberos 5 can stand on their own - - * kafs.3: expose the krb5 functions - - * common.c (kafs_settoken_rxkad): move all content kerberos - version from kafs_settoken to kafs_settoken_rxkad - (_kafs_fixup_viceid): move the fixup the timestamp to make client - happy code here. - (_kafs_v4_to_kt): move all the kerberos 4 dependant parts from - kafs_settoken here. - (*): adapt to kafs_token - - * afskrb5.c (kafs_settoken5): new function, inserts a krb5_creds - into kernel - (v5_to_kt): new function, stores a krb5_creds in struct kafs_token - (get_cred): add a appdefault boolean ("libkafs", realm, "afs-use-524") - that can used to toggle if there should v5 token should be used - directly or converted via 524 first. 
- - * afskrb.c: move kafs_settoken here, use struct kafs_token - - * kafs_locl.h: include krb5-v4compat.h if needed, define an - internal structure struct kafs_token that carries around for rxkad - data that is independant of kerberos version - -2003-02-18 Love Hörquist Åstrand - - * dlfcn.h: s/intialize/initialize, from - - -2003-02-08 Assar Westerlund - - * afssysdefs.h: fix FreeBSD section - -2003-02-06 Love Hörquist Åstrand - - * afssysdefs.h: use syscall 208 on openbsd (all version) use - syscall 339 on freebsd 5.0 and later, use 210 on 4.x and earlier - -2002-08-28 Johan Danielsson - - * kafs.3: move around sections (from NetBSD) - -2002-05-31 Assar Westerlund - - * common.c: remove the trial of afs@REALM for cell != realm, it - tries to use the wrong key for foreign cells - -2002-05-20 Johan Danielsson - - * Makefile.am: version number - -2002-04-18 Johan Danielsson - - * common.c (find_cells): make file parameter const - -2001-11-01 Assar Westerlund - - * add strsep, and bump version to 3:3:3 - -2001-10-27 Assar Westerlund - - * Makefile.am (libkafs_la_LDFLAGS): set version to 3:2:3 - -2001-10-24 Assar Westerlund - - * afskrb.c (afslog_uid_int): handle krb_get_tf_fullname that - cannot take NULLs - (such as the MIT one) - -2001-10-22 Assar Westerlund - - * Makefile.am (ROKEN_SRCS): add strlcpy.c - -2001-10-09 Assar Westerlund - - * Makefile.am (ROKEN_SRCS): add strtok_r.c - * roken_rename.h (dns_srv_order): rename correctly - (strtok_r): add renaming - -2001-09-10 Assar Westerlund - - * kafs.h, common.c: look for configuration files in /etc/arla (the - location in debian's arla package) - -2001-08-26 Assar Westerlund - - * Makefile.am: handle both krb5 and krb4 cases - -2001-07-19 Assar Westerlund - - * Makefile.am (libkafs_la_LDFLAGS): set version to 3:0:3 - -2001-07-12 Assar Westerlund - - * common.c: look in /etc/openafs for debian openafs - * kafs.h: add paths for openafs debian (/etc/openafs) - - * Makefile.am: add required library dependencies - 
-2001-07-03 Assar Westerlund - - * Makefile.am (libkafs_la_LDFLAGS): set versoin to 2:4:2 - -2001-06-19 Assar Westerlund - - * common.c (_kafs_realm_of_cell): changed to first try exact match - in CellServDB, then exact match in DNS, and finally in-exact match - in CellServDB - -2001-05-18 Johan Danielsson - - * Makefile.am: only build resolve.c if doing renaming - -2001-02-12 Assar Westerlund - - * Makefile.am, roken_rename.h: add rename of dns functions - -2000-12-11 Assar Westerlund - - * Makefile.am (libkafs_la_LDFLAGS): set version to 2:3:2 - -2000-11-17 Assar Westerlund - - * afssysdefs.h: solaris 8 apperently uses 65 - -2000-09-19 Assar Westerlund - - * Makefile.am (libkafs_la_LDFLAGS): bump version to 2:2:2 - -2000-09-12 Johan Danielsson - - * dlfcn.c: correct arguments to some snprintf:s - -2000-07-25 Johan Danielsson - - * Makefile.am: bump version to 2:1:2 - -2000-04-03 Assar Westerlund - - * Makefile.am: set version to 2:0:2 - -2000-03-20 Assar Westerlund - - * afssysdefs.h: make versions later than 5.7 of solaris also use - 73 - -2000-03-16 Assar Westerlund - - * afskrb.c (afslog_uid_int): use krb_get_tf_fullname instead of - krb_get_default_principal - -2000-03-15 Assar Westerlund - - * afssys.c (map_syscall_name_to_number): ignore # at - beginning-of-line - -2000-03-13 Assar Westerlund - - * afssysdefs.h: add 230 for MacOS X per information from - - -1999-12-06 Assar Westerlund - - * Makefile.am: set version to 1:2:1 - -1999-11-22 Assar Westerlund - - * afskrb5.c (afslog_uid_int): handle d->realm == NULL - -1999-11-17 Assar Westerlund - - * afskrb5.c (afslog_uid_int): don't look at the local realm at - all. just use the realm from the ticket file. - -1999-10-20 Assar Westerlund - - * Makefile.am: set version to 1:1:1 - - * afskrb5.c (get_cred): always request a DES key - -Mon Oct 18 17:40:21 1999 Bjoern Groenvall - - * common.c (find_cells): Trim trailing whitespace from - cellname. Lines starting with # are regarded as comments. 
- -Fri Oct 8 18:17:22 1999 Bjoern Groenvall - - * afskrb.c, common.c : Change code to make a clear distinction - between hinted realm and ticket realm. - - * kafs_locl.h: Added argument realm_hint. - - * common.c (_kafs_get_cred): Change code to acquire the ``best'' - possible ticket. Use cross-cell authentication only as method of - last resort. - - * afskrb.c (afslog_uid_int): Add realm_hint argument and extract - realm from ticket file. - - * afskrb5.c (afslog_uid_int): Added argument realm_hint. - -1999-10-03 Assar Westerlund - - * afskrb5.c (get_cred): update to new krb524_convert_creds_kdc - -1999-08-12 Johan Danielsson - - * Makefile.am: ignore the comlicated aix construct if !krb4 - -1999-07-26 Assar Westerlund - - * Makefile.am: set version to 1:0:1 - -1999-07-22 Assar Westerlund - - * afssysdefs.h: define AFS_SYSCALL to 73 for Solaris 2.7 - -1999-07-07 Assar Westerlund - - * afskrb5.c (krb5_realm_of_cell): new function - - * afskrb.c (krb_realm_of_cell): new function - (afslog_uid_int): call krb_get_lrealm correctly - -1999-06-15 Assar Westerlund - - * common.c (realm_of_cell): rename to _kafs_realm_of_cell and - un-staticize - -Fri Mar 19 14:52:29 1999 Johan Danielsson - - * Makefile.am: add version-info - -Thu Mar 18 11:24:02 1999 Johan Danielsson - - * Makefile.am: include Makefile.am.common - -Sat Feb 27 19:46:21 1999 Johan Danielsson - - * Makefile.am: remove EXTRA_DATA (as of autoconf 2.13/automake - 1.4) - -Thu Feb 11 22:57:37 1999 Johan Danielsson - - * Makefile.am: set AIX_SRC also if !AIX - -Tue Dec 1 14:45:15 1998 Johan Danielsson - - * Makefile.am: fix AIX linkage - -Sun Nov 22 10:40:44 1998 Assar Westerlund - - * Makefile.in (WFLAGS): set - -Sat Nov 21 16:55:19 1998 Johan Danielsson - - * afskrb5.c: add homedir support - -Sun Sep 6 20:16:27 1998 Assar Westerlund - - * add new functionality for specifying the homedir to krb_afslog - et al - -Thu Jul 16 01:27:19 1998 Assar Westerlund - - * afssys.c: reorganize order of definitions. 
- (try_one, try_two): conditionalize - -Thu Jul 9 18:31:52 1998 Johan Danielsson - - * common.c (realm_of_cell): make the dns fallback work - -Wed Jul 8 01:39:44 1998 Assar Westerlund - - * afssys.c (map_syscall_name_to_number): new function for finding - the number of a syscall given the name on solaris - (k_hasafs): try using map_syscall_name_to_number - -Tue Jun 30 17:19:00 1998 Assar Westerlund - - * afssys.c: rewrite and add support for environment variable - AFS_SYSCALL - - * Makefile.in (distclean): don't remove roken_rename.h - -Fri May 29 19:03:20 1998 Assar Westerlund - - * Makefile.in (roken_rename.h): remove dependency - -Mon May 25 05:25:54 1998 Assar Westerlund - - * Makefile.in (clean): try to remove shared library debris - -Sun Apr 19 09:58:40 1998 Assar Westerlund - - * Makefile.in: add symlink magic for linux - -Sat Apr 4 15:08:48 1998 Assar Westerlund - - * kafs.h: add arla paths - - * common.c (_kafs_afslog_all_local_cells): Try _PATH_ARLA_* - (_realm_of_cell): Try _PATH_ARLA_CELLSERVDB - -Thu Feb 19 14:50:22 1998 Johan Danielsson - - * common.c: Don't store expired tokens (this broke when using - pag-less rsh-sessions, and `non-standard' ticket files). - -Thu Feb 12 11:20:15 1998 Johan Danielsson - - * Makefile.in: Install/uninstall one library at a time. - -Thu Feb 12 05:38:58 1998 Assar Westerlund - - * Makefile.in (install): one library at a time. - -Mon Feb 9 23:40:32 1998 Assar Westerlund - - * common.c (find_cells): ignore empty lines - -Tue Jan 6 04:25:58 1998 Assar Westerlund - - * afssysdefs.h (AFS_SYSCALL): add FreeBSD - -Fri Jan 2 17:08:24 1998 Assar Westerlund - - * kafs.h: new VICEIOCTL's. From - - * afssysdefs.h: Add OpenBSD diff --git a/crypto/heimdal-0.6.3/lib/kafs/Makefile.am b/crypto/heimdal-0.6.3/lib/kafs/Makefile.am deleted file mode 100644 index a08c47761a..0000000000 --- a/crypto/heimdal-0.6.3/lib/kafs/Makefile.am +++ /dev/null 
@@ -1,114 +0,0 @@ -# $Id: Makefile.am,v 1.43.2.1 2003/05/12 15:20:46 joda Exp $ - -include $(top_srcdir)/Makefile.am.common - -INCLUDES += $(AFS_EXTRA_DEFS) $(ROKEN_RENAME) - -if KRB4 -DEPLIB_krb4 = $(LIB_krb4) $(LIB_des) -krb4_am_workaround = $(INCLUDE_krb4) -else -DEPLIB_krb4 = -krb4_am_workaround = -endif # KRB4 -INCLUDES += $(krb4_am_workaround) - -if KRB5 -DEPLIB_krb5 = ../krb5/libkrb5.la -krb5_am_workaround = $(INCLUDE_des) -I$(top_srcdir)/lib/krb5 -else -DEPLIB_krb5 = -krb5_am_workaround = -endif # KRB5 -INCLUDES += $(krb5_am_workaround) - - -if AIX -AFSL_EXP = $(srcdir)/afsl.exp - -if AIX4 -AFS_EXTRA_LD = -bnoentry -else -AFS_EXTRA_LD = -e _nostart -endif - -if AIX_DYNAMIC_AFS -if HAVE_DLOPEN -AIX_SRC = -else -AIX_SRC = dlfcn.c -endif -AFS_EXTRA_LIBS = afslib.so -AFS_EXTRA_DEFS = -else -AIX_SRC = afslib.c -AFS_EXTRA_LIBS = -AFS_EXTRA_DEFS = -DSTATIC_AFS -endif - -else -AFSL_EXP = -AIX_SRC = -endif # AIX - -libkafs_la_LIBADD = $(DEPLIB_krb5) ../roken/libroken.la $(DEPLIB_krb4) - -lib_LTLIBRARIES = libkafs.la -libkafs_la_LDFLAGS = -version-info 4:0:4 -foodir = $(libdir) -foo_DATA = $(AFS_EXTRA_LIBS) -# EXTRA_DATA = afslib.so - -CLEANFILES= $(AFS_EXTRA_LIBS) $(ROKEN_SRCS) - -include_HEADERS = kafs.h - -if KRB5 -afskrb5_c = afskrb5.c -endif - -if KRB4 -afskrb_c = afskrb.c -endif - - -if do_roken_rename -ROKEN_SRCS = resolve.c strtok_r.c strlcpy.c strsep.c -endif - -libkafs_la_SOURCES = \ - afssys.c \ - $(afskrb_c) \ - $(afskrb5_c) \ - common.c \ - $(AIX_SRC) \ - kafs_locl.h \ - afssysdefs.h \ - $(ROKEN_SRCS) - -#afslib_so_SOURCES = afslib.c - -EXTRA_libkafs_la_SOURCES = afskrb.c afskrb5.c dlfcn.c afslib.c dlfcn.h - -EXTRA_DIST = README.dlfcn afsl.exp afslib.exp - -man_MANS = kafs.3 - -# AIX: this almost works with gcc, but somehow it fails to use the -# correct ld, use ld instead -afslib.so: afslib.o - ld -o $@ -bM:SRE -bI:$(srcdir)/afsl.exp -bE:$(srcdir)/afslib.exp $(AFS_EXTRA_LD) afslib.o -lc - -$(OBJECTS): ../../include/config.h - -resolve.c: - $(LN_S) 
$(srcdir)/../roken/resolve.c . - -strtok_r.c: - $(LN_S) $(srcdir)/../roken/strtok_r.c . - -strlcpy.c: - $(LN_S) $(srcdir)/../roken/strlcpy.c . - -strsep.c: - $(LN_S) $(srcdir)/../roken/strsep.c . diff --git a/crypto/heimdal-0.6.3/lib/kafs/Makefile.in b/crypto/heimdal-0.6.3/lib/kafs/Makefile.in deleted file mode 100644 index b221833e21..0000000000 --- a/crypto/heimdal-0.6.3/lib/kafs/Makefile.in +++ /dev/null 
@@ -1,924 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.43.2.1 2003/05/12 15:20:46 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - - - -SOURCES = $(libkafs_la_SOURCES) $(EXTRA_libkafs_la_SOURCES) - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../.. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(include_HEADERS) $(srcdir)/Makefile.am \ - $(srcdir)/Makefile.in $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common ChangeLog -subdir = lib/kafs -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - $(top_srcdir)/cf/krb-struct-spwd.m4 
\ - $(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(foodir)" "$(DESTDIR)$(includedir)" -libLTLIBRARIES_INSTALL = $(INSTALL) -LTLIBRARIES = $(lib_LTLIBRARIES) -@KRB5_TRUE@am__DEPENDENCIES_1 = ../krb5/libkrb5.la -am__DEPENDENCIES_2 = -@KRB4_TRUE@am__DEPENDENCIES_3 = $(am__DEPENDENCIES_2) \ -@KRB4_TRUE@ $(am__DEPENDENCIES_2) -libkafs_la_DEPENDENCIES = $(am__DEPENDENCIES_1) ../roken/libroken.la \ - $(am__DEPENDENCIES_3) -am__libkafs_la_SOURCES_DIST = afssys.c afskrb.c afskrb5.c common.c \ - afslib.c dlfcn.c kafs_locl.h afssysdefs.h resolve.c strtok_r.c \ - strlcpy.c strsep.c -@KRB4_TRUE@am__objects_1 = afskrb.lo -@KRB5_TRUE@am__objects_2 = afskrb5.lo -@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@am__objects_3 = afslib.lo -@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@am__objects_3 = \ -@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@ dlfcn.lo -@do_roken_rename_TRUE@am__objects_4 = resolve.lo strtok_r.lo \ -@do_roken_rename_TRUE@ strlcpy.lo strsep.lo -am_libkafs_la_OBJECTS = afssys.lo $(am__objects_1) $(am__objects_2) \ - common.lo $(am__objects_3) $(am__objects_4) -libkafs_la_OBJECTS = $(am_libkafs_la_OBJECTS) -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -SOURCES = $(libkafs_la_SOURCES) $(EXTRA_libkafs_la_SOURCES) -DIST_SOURCES = $(am__libkafs_la_SOURCES_DIST) \ - $(EXTRA_libkafs_la_SOURCES) -man3dir = $(mandir)/man3 -MANS = $(man_MANS) -fooDATA_INSTALL = $(INSTALL_DATA) -DATA = $(foo_DATA) -includeHEADERS_INSTALL = $(INSTALL_HEADER) -HEADERS = $(include_HEADERS) -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = 
@HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = 
@LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ 
-build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(AFS_EXTRA_DEFS) $(ROKEN_RENAME) $(krb4_am_workaround) $(krb5_am_workaround) -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ 
-@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -@KRB4_FALSE@DEPLIB_krb4 = -@KRB4_TRUE@DEPLIB_krb4 = $(LIB_krb4) $(LIB_des) -@KRB4_FALSE@krb4_am_workaround = -@KRB4_TRUE@krb4_am_workaround = $(INCLUDE_krb4) -@KRB5_FALSE@DEPLIB_krb5 = -@KRB5_TRUE@DEPLIB_krb5 = ../krb5/libkrb5.la -@KRB5_FALSE@krb5_am_workaround = -@KRB5_TRUE@krb5_am_workaround = $(INCLUDE_des) -I$(top_srcdir)/lib/krb5 -@AIX_FALSE@AFSL_EXP = -@AIX_TRUE@AFSL_EXP = $(srcdir)/afsl.exp -@AIX4_FALSE@@AIX_TRUE@AFS_EXTRA_LD = -e _nostart -@AIX4_TRUE@@AIX_TRUE@AFS_EXTRA_LD = -bnoentry -@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@AIX_SRC = afslib.c -@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@AIX_SRC = dlfcn.c -@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@AIX_SRC = -@AIX_FALSE@AIX_SRC = -@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@AFS_EXTRA_LIBS = -@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@AFS_EXTRA_LIBS = afslib.so -@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@AFS_EXTRA_DEFS = -DSTATIC_AFS -@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@AFS_EXTRA_DEFS = -libkafs_la_LIBADD = $(DEPLIB_krb5) ../roken/libroken.la $(DEPLIB_krb4) -lib_LTLIBRARIES = libkafs.la -libkafs_la_LDFLAGS = -version-info 4:0:4 -foodir = $(libdir) -foo_DATA = $(AFS_EXTRA_LIBS) -# EXTRA_DATA = afslib.so -CLEANFILES = $(AFS_EXTRA_LIBS) $(ROKEN_SRCS) -include_HEADERS = kafs.h -@KRB5_TRUE@afskrb5_c = afskrb5.c -@KRB4_TRUE@afskrb_c = afskrb.c -@do_roken_rename_TRUE@ROKEN_SRCS = resolve.c strtok_r.c strlcpy.c strsep.c -libkafs_la_SOURCES = \ - afssys.c \ - $(afskrb_c) \ - $(afskrb5_c) \ - common.c \ - $(AIX_SRC) \ - kafs_locl.h \ - afssysdefs.h \ - $(ROKEN_SRCS) - - -#afslib_so_SOURCES = afslib.c -EXTRA_libkafs_la_SOURCES = afskrb.c afskrb5.c dlfcn.c afslib.c dlfcn.h -EXTRA_DIST = README.dlfcn afsl.exp afslib.exp -man_MANS = kafs.3 -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: 
@MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps lib/kafs/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps lib/kafs/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -install-libLTLIBRARIES: $(lib_LTLIBRARIES) - @$(NORMAL_INSTALL) - test -z "$(libdir)" || $(mkdir_p) "$(DESTDIR)$(libdir)" - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - if test -f $$p; then \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \ - $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \ - else :; fi; \ - done - -uninstall-libLTLIBRARIES: - @$(NORMAL_UNINSTALL) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - p="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \ - $(LIBTOOL) 
--mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \ - done - -clean-libLTLIBRARIES: - -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ - test "$$dir" = "$$p" && dir=.; \ - echo "rm -f \"$${dir}/so_locations\""; \ - rm -f "$${dir}/so_locations"; \ - done -libkafs.la: $(libkafs_la_OBJECTS) $(libkafs_la_DEPENDENCIES) - $(LINK) -rpath $(libdir) $(libkafs_la_LDFLAGS) $(libkafs_la_OBJECTS) $(libkafs_la_LIBADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c $< - -.c.obj: - $(COMPILE) -c `$(CYGPATH_W) '$<'` - -.c.lo: - $(LTCOMPILE) -c -o $@ $< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -install-man3: $(man3_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - test -z "$(man3dir)" || $(mkdir_p) "$(DESTDIR)$(man3dir)" - @list='$(man3_MANS) $(dist_man3_MANS) $(nodist_man3_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.3*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 3*) ;; \ - *) ext='3' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man3dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man3dir)/$$inst"; \ - done -uninstall-man3: - @$(NORMAL_UNINSTALL) - @list='$(man3_MANS) $(dist_man3_MANS) $(nodist_man3_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.3*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - 
case "$$ext" in \ - 3*) ;; \ - *) ext='3' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f '$(DESTDIR)$(man3dir)/$$inst'"; \ - rm -f "$(DESTDIR)$(man3dir)/$$inst"; \ - done -install-fooDATA: $(foo_DATA) - @$(NORMAL_INSTALL) - test -z "$(foodir)" || $(mkdir_p) "$(DESTDIR)$(foodir)" - @list='$(foo_DATA)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(fooDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(foodir)/$$f'"; \ - $(fooDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(foodir)/$$f"; \ - done - -uninstall-fooDATA: - @$(NORMAL_UNINSTALL) - @list='$(foo_DATA)'; for p in $$list; do \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " rm -f '$(DESTDIR)$(foodir)/$$f'"; \ - rm -f "$(DESTDIR)$(foodir)/$$f"; \ - done -install-includeHEADERS: $(include_HEADERS) - @$(NORMAL_INSTALL) - test -z "$(includedir)" || $(mkdir_p) "$(DESTDIR)$(includedir)" - @list='$(include_HEADERS)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \ - $(includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \ - done - -uninstall-includeHEADERS: - @$(NORMAL_UNINSTALL) - @list='$(include_HEADERS)'; for p in $$list; do \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " rm -f '$(DESTDIR)$(includedir)/$$f'"; \ - rm -f "$(DESTDIR)$(includedir)/$$f"; \ - done - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - 
here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/../.. 
$(distdir)/../../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) $(HEADERS) all-local -installdirs: - for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(foodir)" "$(DESTDIR)$(includedir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - 
-maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ - mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: install-fooDATA install-includeHEADERS install-man - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: install-libLTLIBRARIES - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man3 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-fooDATA uninstall-includeHEADERS \ - uninstall-info-am uninstall-libLTLIBRARIES uninstall-man - -uninstall-man: uninstall-man3 - -.PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \ - clean clean-generic clean-libLTLIBRARIES clean-libtool ctags \ - distclean distclean-compile distclean-generic \ - distclean-libtool distclean-tags distdir dvi dvi-am html \ - html-am info info-am install install-am install-data \ - install-data-am install-exec install-exec-am install-fooDATA \ - install-includeHEADERS install-info install-info-am \ - install-libLTLIBRARIES install-man install-man3 install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags uninstall uninstall-am uninstall-fooDATA \ - uninstall-includeHEADERS 
uninstall-info-am \ - uninstall-libLTLIBRARIES uninstall-man uninstall-man3 - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > 
$(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -# AIX: this almost works with gcc, but somehow it fails to use the -# correct ld, use ld instead -afslib.so: afslib.o - ld -o $@ -bM:SRE -bI:$(srcdir)/afsl.exp -bE:$(srcdir)/afslib.exp $(AFS_EXTRA_LD) afslib.o -lc - -$(OBJECTS): ../../include/config.h - -resolve.c: - $(LN_S) $(srcdir)/../roken/resolve.c . - -strtok_r.c: - $(LN_S) $(srcdir)/../roken/strtok_r.c . - -strlcpy.c: - $(LN_S) $(srcdir)/../roken/strlcpy.c . - -strsep.c: - $(LN_S) $(srcdir)/../roken/strsep.c . -# Tell versions [3.59,3.63) of GNU make to not export all variables. 
-# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal-0.6.3/lib/kafs/README.dlfcn b/crypto/heimdal-0.6.3/lib/kafs/README.dlfcn deleted file mode 100644 index cee1b75193..0000000000 --- a/crypto/heimdal-0.6.3/lib/kafs/README.dlfcn +++ /dev/null 
@@ -1,246 +0,0 @@ -Copyright (c) 1992,1993,1995,1996, Jens-Uwe Mager, Helios Software GmbH -Not derived from licensed software. - -Permission is granted to freely use, copy, modify, and redistribute -this software, provided that the author is not construed to be liable -for any results of using the software, alterations are clearly marked -as such, and this notice is not modified. - -libdl.a -------- - -This is an emulation library to emulate the SunOS/System V.4 functions -to access the runtime linker. The functions are emulated by using the -AIX load() function and by reading the .loader section of the loaded -module to find the exports. The to be loaded module should be linked as -follows (if using AIX 3): - - cc -o module.so -bM:SRE -bE:module.exp -e _nostart $(OBJS) - -For AIX 4: - - cc -o module.so -bM:SRE -bE:module.exp -bnoentry $(OBJS) - -If you want to reference symbols from the main part of the program in a -loaded module, you will have to link against the export file of the -main part: - - cc -o main -bE:main.exp $(MAIN_OBJS) - cc -o module.so -bM:SRE -bI:main.exp -bE:module.exp -bnoentry $(OBJS) - -Note that you explicitely have to specify what functions are supposed -to be accessible from your loaded modules, this is different from -SunOS/System V.4 where any global is automatically exported. If you -want to export all globals, the following script might be of help: - -#!/bin/sh -/usr/ucb/nm -g $* | awk '$2 == "B" || $2 == "D" { print $3 }' - -The module export file contains the symbols to be exported. Because -this library uses the loader section, the final module.so file can be -stripped. C++ users should build their shared objects using the script -makeC++SharedLib (part of the IBM C++ compiler), this will make sure -that constructors and destructors for static and global objects will be -called upon loading and unloading the module. 
GNU C++ users should use -the -shared option to g++ to link the shared object: - - g++ -o module.so -shared $(OBJS) - -If the shared object does have permissions for anybody, the shared -object will be loaded into the shared library segment and it will stay -there even if the main application terminates. If you rebuild your -shared object after a bugfix and you want to make sure that you really -get the newest version you will have to use the "slibclean" command -before starting the application again to garbage collect the shared -library segment. If the performance utilities (bosperf) are installed -you can use the following command to see what shared objects are -loaded: - -/usr/lpp/bosperf/genkld | sort | uniq - -For easier debugging you can avoid loading the shared object into the -shared library segment alltogether by removing permissions for others -from the module.so file: - -chmod o-rwx module.so - -This will ensure you get a fresh copy of the shared object for every -dlopen() call which is loaded into the application's data segment. - -Usage ------ - -void *dlopen(const char *path, int mode); - -This routine loads the module pointed to by path and reads its export -table. If the path does not contain a '/' character, dlopen will search -for the module using the LIBPATH environment variable. It returns an -opaque handle to the module or NULL on error. The mode parameter can be -either RTLD_LAZY (for lazy function binding) or RTLD_NOW for immediate -function binding. The AIX implementation currently does treat RTLD_NOW -the same as RTLD_LAZY. The flag RTLD_GLOBAL might be or'ed into the -mode parameter to allow loaded modules to bind to global variables or -functions in other loaded modules loaded by dlopen(). If RTLD_GLOBAL is -not specified, only globals from the main part of the executable or -shared libraries are used to look for undefined symbols in loaded -modules. 
- - -void *dlsym(void *handle, const char *symbol); - -This routine searches for the symbol in the module referred to by -handle and returns its address. If the symbol could not be found, the -function returns NULL. The return value must be casted to a proper -function pointer before it can be used. SunOS/System V.4 allows handle -to be a NULL pointer to refer to the module the call is made from, this -is not implemented. - -int dlclose(void *handle); - -This routine unloads the module referred to by the handle and disposes -of any local storage. this function returns -1 on failure. Any function -pointers obtained through dlsym() should be considered invalid after -closing a module. - -As AIX caches shared objects in the shared library segment, function -pointers obtained through dlsym() might still work even though the -module has been unloaded. This can introduce subtle bugs that will -segment fault later if AIX garbage collects or immediatly on -SunOS/System V.4 as the text segment is unmapped. - -char *dlerror(void); - -This routine can be used to retrieve a text message describing the most -recent error that occured on on of the above routines. This function -returns NULL if there is no error information. - -Initialization and termination handlers ---------------------------------------- - -The emulation provides for an initialization and a termination -handler. The dlfcn.h file contains a structure declaration named -dl_info with following members: - - void (*init)(void); - void (*fini)(void); - -The init function is called upon first referencing the library. The -fini function is called at dlclose() time or when the process exits. -The module should declare a variable named dl_info that contains this -structure which must be exported. These functions correspond to the -documented _init() and _fini() functions of SunOS 4.x, but these are -appearently not implemented in SunOS. 
When using SunOS 5.0, these -correspond to #pragma init and #pragma fini respectively. At the same -time any static or global C++ object's constructors or destructors will -be called. - -BUGS ----- - -Please note that there is currently a problem with implicitely loaded -shared C++ libaries: if you refer to a shared C++ library from a loaded -module that is not yet used by the main program, the dlopen() emulator -does not notice this and does not call the static constructors for the -implicitely loaded library. This can be easily demonstrated by -referencing the C++ standard streams from a loaded module if the main -program is a plain C program. - -Jens-Uwe Mager - -HELIOS Software GmbH -Lavesstr. 80 -30159 Hannover -Germany - -Phone: +49 511 36482-0 -FAX: +49 511 36482-69 -AppleLink: helios.de/jum -Internet: jum@helios.de - -Revison History ---------------- - -SCCS/s.dlfcn.h: - -D 1.4 95/04/25 09:36:52 jum 4 3 00018/00004/00028 -MRs: -COMMENTS: -added RTLD_GLOBAL, include and C++ guards - -D 1.3 92/12/27 20:58:32 jum 3 2 00001/00001/00031 -MRs: -COMMENTS: -we always have prototypes on RS/6000 - -D 1.2 92/08/16 17:45:11 jum 2 1 00009/00000/00023 -MRs: -COMMENTS: -added dl_info structure to implement initialize and terminate functions - -D 1.1 92/08/02 18:08:45 jum 1 0 00023/00000/00000 -MRs: -COMMENTS: -Erstellungsdatum und -uhrzeit 92/08/02 18:08:45 von jum - -SCCS/s.dlfcn.c: - -D 1.11 96/04/10 20:12:51 jum 13 12 00037/00000/00533 -MRs: -COMMENTS: -Integrated the changes from John W. Eaton to initialize -g++ generated shared objects. - -D 1.10 96/02/15 17:42:44 jum 12 10 00012/00007/00521 -MRs: -COMMENTS: -the C++ constructor and destructor chains are now called properly for either -xlC 2 or xlC 3 (CSet++). 
- -D 1.9 95/09/22 11:09:38 markus 10 9 00001/00008/00527 -MRs: -COMMENTS: -Fix version number - -D 1.8 95/09/22 10:14:34 markus 9 8 00008/00001/00527 -MRs: -COMMENTS: -Added version number for dl lib - -D 1.7 95/08/14 19:08:38 jum 8 6 00026/00004/00502 -MRs: -COMMENTS: -Integrated the fixes from Kirk Benell (kirk@rsinc.com) to allow loading of -shared objects generated under AIX 4. Fixed bug that symbols with exactly -8 characters would use garbage characters from the following symbol value. - -D 1.6 95/04/25 09:38:03 jum 6 5 00046/00006/00460 -MRs: -COMMENTS: -added handling of C++ static constructors and destructors, added RTLD_GLOBAL to bind against other loaded modules - -D 1.5 93/02/14 20:14:17 jum 5 4 00002/00000/00464 -MRs: -COMMENTS: -added path to dlopen error message to make clear where there error occured. - -D 1.4 93/01/03 19:13:56 jum 4 3 00061/00005/00403 -MRs: -COMMENTS: -to allow calling symbols in the main module call load with L_NOAUTODEFER and -do a loadbind later with the main module. - -D 1.3 92/12/27 20:59:55 jum 3 2 00066/00008/00342 -MRs: -COMMENTS: -added search by L_GETINFO if module got loaded by LIBPATH - -D 1.2 92/08/16 17:45:43 jum 2 1 00074/00006/00276 -MRs: -COMMENTS: -implemented initialize and terminate functions, added reference counting to avoid multiple loads of the same library - -D 1.1 92/08/02 18:08:45 jum 1 0 00282/00000/00000 -MRs: -COMMENTS: -Erstellungsdatum und -uhrzeit 92/08/02 18:08:45 von jum - diff --git a/crypto/heimdal-0.6.3/lib/kafs/afskrb.c b/crypto/heimdal-0.6.3/lib/kafs/afskrb.c deleted file mode 100644 index 523a7b9a91..0000000000 --- a/crypto/heimdal-0.6.3/lib/kafs/afskrb.c +++ /dev/null 
@@ -1,173 +0,0 @@
-/*
- * Copyright (c) 1995 - 2001, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kafs_locl.h"
-
-RCSID("$Id: afskrb.c,v 1.17 2003/04/14 08:32:11 lha Exp $");
-
-#ifdef KRB4
-
-struct krb_kafs_data {
- const char *realm;
-};
-
-static int
-get_cred(kafs_data *data, const char *name, const char *inst,
- const char *realm, uid_t uid, struct kafs_token *kt)
-{
- CREDENTIALS c;
- KTEXT_ST tkt;
- int ret = krb_get_cred((char*)name, (char*)inst, (char*)realm, &c);
-
- if (ret) {
- ret = krb_mk_req(&tkt, (char*)name, (char*)inst, (char*)realm, 0);
- if (ret == KSUCCESS)
- ret = krb_get_cred((char*)name, (char*)inst, (char*)realm, &c);
- }
- if (ret == 0)
- ret = _kafs_v4_to_kt(&c, uid, kt);
- return ret;
-}
-
-static int
-afslog_uid_int(kafs_data *data,
- const char *cell,
- const char *realm_hint,
- uid_t uid,
- const char *homedir)
-{
- int ret;
- struct kafs_token kt;
- char name[ANAME_SZ];
- char inst[INST_SZ];
- char realm[REALM_SZ];
-
- kt.ticket = NULL;
-
- if (cell == 0 || cell[0] == 0)
- return _kafs_afslog_all_local_cells (data, uid, homedir);
-
- /* Extract realm from ticket file. */
- ret = krb_get_tf_fullname(tkt_string(), name, inst, realm);
- if (ret != KSUCCESS)
- return ret;
-
- kt.ticket = NULL;
- ret = _kafs_get_cred(data, cell, realm_hint, realm, uid, &kt);
-
- if (ret == 0) {
- ret = kafs_settoken_rxkad(cell, &kt.ct, kt.ticket, kt.ticket_len);
- free(kt.ticket);
- }
- return ret;
-}
-
-static char *
-get_realm(kafs_data *data, const char *host)
-{
- char *r = krb_realmofhost(host);
- if(r != NULL)
- return strdup(r);
- else
- return NULL;
-}
-
-int
-krb_afslog_uid_home(const char *cell, const char *realm_hint, uid_t uid,
- const char *homedir)
-{
- kafs_data kd;
-
- kd.name = "krb4";
- kd.afslog_uid = afslog_uid_int;
- kd.get_cred = get_cred;
- kd.get_realm = get_realm;
- kd.data = 0;
- return afslog_uid_int(&kd, cell, realm_hint, uid, homedir);
-}
-
-int
-krb_afslog_uid(const char *cell, const char *realm_hint, uid_t uid)
-{
- return krb_afslog_uid_home(cell, realm_hint, uid, NULL);
-}
-
-int
-krb_afslog(const char *cell, const char *realm_hint)
-{
- return krb_afslog_uid(cell, realm_hint, getuid());
-}
-
-int
-krb_afslog_home(const char *cell, const char *realm_hint, const char *homedir)
-{
- return krb_afslog_uid_home(cell, realm_hint, getuid(), homedir);
-}
-
-/*
- *
- */
-
-int
-krb_realm_of_cell(const char *cell, char **realm)
-{
- kafs_data kd;
-
- kd.name = "krb4";
- kd.get_realm = get_realm;
- return _kafs_realm_of_cell(&kd, cell, realm);
-}
-
-int
-kafs_settoken(const char *cell, uid_t uid, CREDENTIALS *c)
-{
- struct kafs_token kt;
- int ret;
-
- kt.ticket = NULL;
-
- ret = _kafs_v4_to_kt(c, uid, &kt);
- if (ret)
- return ret;
-
- if (kt.ct.EndTimestamp < time(NULL)) {
- free(kt.ticket);
- return 0;
- }
-
- ret = kafs_settoken_rxkad(cell, &kt.ct, kt.ticket, kt.ticket_len);
- free(kt.ticket);
- return ret;
-}
-
-#endif /* KRB4 */
diff --git a/crypto/heimdal-0.6.3/lib/kafs/afskrb5.c b/crypto/heimdal-0.6.3/lib/kafs/afskrb5.c
deleted file mode 100644
index d415db6ea0..0000000000
--- a/crypto/heimdal-0.6.3/lib/kafs/afskrb5.c
+++ /dev/null
@@ -1,326 +0,0 @@
-/*
- * Copyright (c) 1995-2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kafs_locl.h"
-
-RCSID("$Id: afskrb5.c,v 1.18.2.1 2003/04/22 14:25:43 joda Exp $");
-
-struct krb5_kafs_data {
- krb5_context context;
- krb5_ccache id;
- krb5_const_realm realm;
-};
-
-enum {
- KAFS_RXKAD_2B_KVNO = 213,
- KAFS_RXKAD_K5_KVNO = 256
-};
-
-static int
-v5_to_kt(krb5_creds *cred, uid_t uid, struct kafs_token *kt, int local524)
-{
- int kvno, ret;
-
- kt->ticket = NULL;
-
- /* check if des key */
- if (cred->session.keyvalue.length != 8)
- return EINVAL;
-
- if (local524) {
- Ticket t;
- unsigned char *buf;
- size_t buf_len;
- size_t len;
-
- kvno = KAFS_RXKAD_2B_KVNO;
-
- ret = decode_Ticket(cred->ticket.data, cred->ticket.length, &t, &len);
- if (ret)
- return ret;
- if (t.tkt_vno != 5)
- return -1;
-
- ASN1_MALLOC_ENCODE(EncryptedData, buf, buf_len, &t.enc_part,
- &len, ret);
- free_Ticket(&t);
- if (ret)
- return ret;
- if(buf_len != len) {
- free(buf);
- return KRB5KRB_ERR_GENERIC;
- }
-
- kt->ticket = buf;
- kt->ticket_len = buf_len;
-
- } else {
- kvno = KAFS_RXKAD_K5_KVNO;
- kt->ticket = malloc(cred->ticket.length);
- if (kt->ticket == NULL)
- return ENOMEM;
- kt->ticket_len = cred->ticket.length;
- memcpy(kt->ticket, cred->ticket.data, kt->ticket_len);
-
- ret = 0;
- }
-
-
- /*
- * Build a struct ClearToken
- */
-
- kt->ct.AuthHandle = kvno;
- memcpy(kt->ct.HandShakeKey, cred->session.keyvalue.data, 8);
- kt->ct.ViceId = uid;
- kt->ct.BeginTimestamp = cred->times.starttime;
- kt->ct.EndTimestamp = cred->times.endtime;
-
- _kafs_fixup_viceid(&kt->ct, uid);
-
- return 0;
-}
-
-static krb5_error_code
-v5_convert(krb5_context context, krb5_ccache id,
- krb5_creds *cred, uid_t uid,
- const char *cell,
- struct kafs_token *kt)
-{
- krb5_error_code ret;
- char *c, *val;
-
- c = strdup(cell);
- if (c == NULL)
- return ENOMEM;
- _kafs_foldup(c, c);
- krb5_appdefault_string (context, "libkafs",
- c,
- "afs-use-524", "yes", &val);
- free(c);
-
- if (strcasecmp(val, "local") == 0 ||
- strcasecmp(val, "2b") == 0)
- ret = v5_to_kt(cred, uid, kt, 1);
- else if(strcasecmp(val, "yes") == 0 ||
- strcasecmp(val, "true") == 0 ||
- atoi(val)) {
- struct credentials c;
-
- if (id == NULL)
- ret = krb524_convert_creds_kdc(context, cred, &c);
- else
- ret = krb524_convert_creds_kdc_ccache(context, id, cred, &c);
- if (ret)
- goto out;
-
- ret = _kafs_v4_to_kt(&c, uid, kt);
- } else
- ret = v5_to_kt(cred, uid, kt, 0);
-
- out:
- free(val);
- return ret;
-}
-
-
-/*
- *
- */
-
-static int
-get_cred(kafs_data *data, const char *name, const char *inst,
- const char *realm, uid_t uid, struct kafs_token *kt)
-{
- krb5_error_code ret;
- krb5_creds in_creds, *out_creds;
- struct krb5_kafs_data *d = data->data;
-
- memset(&in_creds, 0, sizeof(in_creds));
- ret = krb5_425_conv_principal(d->context, name, inst, realm,
- &in_creds.server);
- if(ret)
- return ret;
- ret = krb5_cc_get_principal(d->context, d->id, &in_creds.client);
- if(ret){
- krb5_free_principal(d->context, in_creds.server);
- return ret;
- }
- in_creds.session.keytype = KEYTYPE_DES;
- ret = krb5_get_credentials(d->context, 0, d->id, &in_creds, &out_creds);
- krb5_free_principal(d->context, in_creds.server);
- krb5_free_principal(d->context, in_creds.client);
- if(ret)
- return ret;
-
- ret = v5_convert(d->context, d->id, out_creds, uid,
- (inst != NULL && inst[0] != '\0') ? inst : realm, kt);
- krb5_free_creds(d->context, out_creds);
-
- return ret;
-}
-
-static krb5_error_code
-afslog_uid_int(kafs_data *data, const char *cell, const char *rh, uid_t uid,
- const char *homedir)
-{
- krb5_error_code ret;
- struct kafs_token kt;
- krb5_principal princ;
- krb5_realm *trealm; /* ticket realm */
- struct krb5_kafs_data *d = data->data;
-
- if (cell == 0 || cell[0] == 0)
- return _kafs_afslog_all_local_cells (data, uid, homedir);
-
- ret = krb5_cc_get_principal (d->context, d->id, &princ);
- if (ret)
- return ret;
-
- trealm = krb5_princ_realm (d->context, princ);
-
- if (d->realm != NULL && strcmp (d->realm, *trealm) == 0) {
- trealm = NULL;
- krb5_free_principal (d->context, princ);
- }
-
- kt.ticket = NULL;
- ret = _kafs_get_cred(data, cell, d->realm, *trealm, uid, &kt);
- if(trealm)
- krb5_free_principal (d->context, princ);
-
- if(ret == 0) {
- ret = kafs_settoken_rxkad(cell, &kt.ct, kt.ticket, kt.ticket_len);
- free(kt.ticket);
- }
- return ret;
-}
-
-static char *
-get_realm(kafs_data *data, const char *host)
-{
- struct krb5_kafs_data *d = data->data;
- krb5_realm *realms;
- char *r;
- if(krb5_get_host_realm(d->context, host, &realms))
- return NULL;
- r = strdup(realms[0]);
- krb5_free_host_realm(d->context, realms);
- return r;
-}
-
-krb5_error_code
-krb5_afslog_uid_home(krb5_context context,
- krb5_ccache id,
- const char *cell,
- krb5_const_realm realm,
- uid_t uid,
- const char *homedir)
-{
- kafs_data kd;
- struct krb5_kafs_data d;
- kd.name = "krb5";
- kd.afslog_uid = afslog_uid_int;
- kd.get_cred = get_cred;
- kd.get_realm = get_realm;
- kd.data = &d;
- d.context = context;
- d.id = id;
- d.realm = realm;
- return afslog_uid_int(&kd, cell, 0, uid, homedir);
-}
-
-krb5_error_code
-krb5_afslog_uid(krb5_context context,
- krb5_ccache id,
- const char *cell,
- krb5_const_realm realm,
- uid_t uid)
-{
- return krb5_afslog_uid_home (context, id, cell, realm, uid, NULL);
-}
-
-krb5_error_code
-krb5_afslog(krb5_context context,
- krb5_ccache id,
- const char *cell,
- krb5_const_realm realm)
-{
- return krb5_afslog_uid (context, id, cell, realm, getuid());
-}
-
-krb5_error_code
-krb5_afslog_home(krb5_context context,
- krb5_ccache id,
- const char *cell,
- krb5_const_realm realm,
- const char *homedir)
-{
- return krb5_afslog_uid_home (context, id, cell, realm, getuid(), homedir);
-}
-
-/*
- *
- */
-
-krb5_error_code
-krb5_realm_of_cell(const char *cell, char **realm)
-{
- kafs_data kd;
-
- kd.name = "krb5";
- kd.get_realm = get_realm;
- return _kafs_realm_of_cell(&kd, cell, realm);
-}
-
-/*
- *
- */
-
-int
-kafs_settoken5(krb5_context context, const char *cell, uid_t uid,
- krb5_creds *cred)
-{
- struct kafs_token kt;
- int ret;
-
- ret = v5_convert(context, NULL, cred, uid, cell, &kt);
- if (ret)
- return ret;
-
- ret = kafs_settoken_rxkad(cell, &kt.ct, kt.ticket, kt.ticket_len);
-
- free(kt.ticket);
-
- return ret;
-}
diff --git a/crypto/heimdal-0.6.3/lib/kafs/afsl.exp b/crypto/heimdal-0.6.3/lib/kafs/afsl.exp
deleted file mode 100644
index 4d2b00e283..0000000000
--- a/crypto/heimdal-0.6.3/lib/kafs/afsl.exp
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/unix
-
-* This mumbo jumbo creates entry points to syscalls in _AIX
-
-lpioctl syscall
-lsetpag syscall
diff --git a/crypto/heimdal-0.6.3/lib/kafs/afslib.c b/crypto/heimdal-0.6.3/lib/kafs/afslib.c
deleted file mode 100644
index ae3b5a5692..0000000000
--- a/crypto/heimdal-0.6.3/lib/kafs/afslib.c
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * This file is only used with AIX
- */
-
-#include "kafs_locl.h"
-
-RCSID("$Id: afslib.c,v 1.6 1999/12/02 16:58:40 joda Exp $");
-
-int
-aix_pioctl(char *a_path,
- int o_opcode,
- struct ViceIoctl *a_paramsP,
- int a_followSymlinks)
-{
- return lpioctl(a_path, o_opcode, a_paramsP, a_followSymlinks);
-}
-
-int
-aix_setpag(void)
-{
- return lsetpag();
-}
diff --git a/crypto/heimdal-0.6.3/lib/kafs/afslib.exp b/crypto/heimdal-0.6.3/lib/kafs/afslib.exp
deleted file mode 100644
index f288717706..0000000000
--- a/crypto/heimdal-0.6.3/lib/kafs/afslib.exp
+++ /dev/null
@@ -1,3 +0,0 @@
-#!
-aix_pioctl
-aix_setpag
diff --git a/crypto/heimdal-0.6.3/lib/kafs/afssys.c b/crypto/heimdal-0.6.3/lib/kafs/afssys.c
deleted file mode 100644
index 5cd994c566..0000000000
--- a/crypto/heimdal-0.6.3/lib/kafs/afssys.c
+++ /dev/null
@@ -1,459 +0,0 @@
-/*
- * Copyright (c) 1995 - 2000, 2002, 2004 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kafs_locl.h"
-
-RCSID("$Id: afssys.c,v 1.69.2.2 2004/06/22 14:29:48 lha Exp $");
-
-struct procdata {
- unsigned long param4;
- unsigned long param3;
- unsigned long param2;
- unsigned long param1;
- unsigned long syscall;
-};
-#define VIOC_SYSCALL _IOW('C', 1, void *)
-
-
-int _kafs_debug; /* this should be done in a better way */
-
-#define NO_ENTRY_POINT 0
-#define SINGLE_ENTRY_POINT 1
-#define MULTIPLE_ENTRY_POINT 2
-#define SINGLE_ENTRY_POINT2 3
-#define SINGLE_ENTRY_POINT3 4
-#define LINUX_PROC_POINT 5
-#define AIX_ENTRY_POINTS 6
-#define UNKNOWN_ENTRY_POINT 7
-static int afs_entry_point = UNKNOWN_ENTRY_POINT;
-static int afs_syscalls[2];
-static char *afs_procpath;
-
-/* Magic to get AIX syscalls to work */
-#ifdef _AIX
-
-static int (*Pioctl)(char*, int, struct ViceIoctl*, int);
-static int (*Setpag)(void);
-
-#include "dlfcn.h"
-
-/*
- *
- */
-
-static int
-try_aix(void)
-{
-#ifdef STATIC_AFS_SYSCALLS
- Pioctl = aix_pioctl;
- Setpag = aix_setpag;
-#else
- void *ptr;
- char path[MaxPathLen], *p;
- /*
- * If we are root or running setuid don't trust AFSLIBPATH!
- */
- if (getuid() != 0 && !issuid() && (p = getenv("AFSLIBPATH")) != NULL)
- strlcpy(path, p, sizeof(path));
- else
- snprintf(path, sizeof(path), "%s/afslib.so", LIBDIR);
-
- ptr = dlopen(path, RTLD_NOW);
- if(ptr == NULL) {
- if(_kafs_debug) {
- if(errno == ENOEXEC && (p = dlerror()) != NULL)
- fprintf(stderr, "dlopen(%s): %s\n", path, p);
- else if (errno != ENOENT)
- fprintf(stderr, "dlopen(%s): %s\n", path, strerror(errno));
- }
- return 1;
- }
- Setpag = (int (*)(void))dlsym(ptr, "aix_setpag");
- Pioctl = (int (*)(char*, int,
- struct ViceIoctl*, int))dlsym(ptr, "aix_pioctl");
-#endif
- afs_entry_point = AIX_ENTRY_POINTS;
- return 0;
-}
-#endif /* _AIX */
-
-/*
- * This probably only works under Solaris and could get confused if
- * there's a /etc/name_to_sysnum file.
- */
-
-#define _PATH_ETC_NAME_TO_SYSNUM "/etc/name_to_sysnum"
-
-static int
-map_syscall_name_to_number (const char *str, int *res)
-{
- FILE *f;
- char buf[256];
- size_t str_len = strlen (str);
-
- f = fopen (_PATH_ETC_NAME_TO_SYSNUM, "r");
- if (f == NULL)
- return -1;
- while (fgets (buf, sizeof(buf), f) != NULL) {
- if (buf[0] == '#')
- continue;
-
- if (strncmp (str, buf, str_len) == 0) {
- char *begptr = buf + str_len;
- char *endptr;
- long val = strtol (begptr, &endptr, 0);
-
- if (val != 0 && endptr != begptr) {
- fclose (f);
- *res = val;
- return 0;
- }
- }
- }
- fclose (f);
- return -1;
-}
-
-static int
-try_proc(const char *path)
-{
- int fd;
- fd = open(path, O_RDWR);
- if (fd < 0)
- return 1;
- close(fd);
- afs_procpath = strdup(path);
- if (afs_procpath == NULL)
- return 1;
- afs_entry_point = LINUX_PROC_POINT;
- return 0;
-}
-
-static int
-do_proc(struct procdata *data)
-{
- int fd, ret, saved_errno;
- fd = open(afs_procpath, O_RDWR);
- if (fd < 0) {
- errno = EINVAL;
- return -1;
- }
- ret = ioctl(fd, VIOC_SYSCALL, data);
- saved_errno = errno;
- close(fd);
- errno = saved_errno;
- return ret;
-}
-
-int
-k_pioctl(char *a_path,
- int o_opcode,
- struct ViceIoctl *a_paramsP,
- int a_followSymlinks)
-{
-#ifndef NO_AFS
- switch(afs_entry_point){
-#if defined(AFS_SYSCALL) || defined(AFS_SYSCALL2) || defined(AFS_SYSCALL3)
- case SINGLE_ENTRY_POINT:
- case SINGLE_ENTRY_POINT2:
- case SINGLE_ENTRY_POINT3:
- return syscall(afs_syscalls[0], AFSCALL_PIOCTL,
- a_path, o_opcode, a_paramsP, a_followSymlinks);
-#endif
-#if defined(AFS_PIOCTL)
- case MULTIPLE_ENTRY_POINT:
- return syscall(afs_syscalls[0],
- a_path, o_opcode, a_paramsP, a_followSymlinks);
-#endif
- case LINUX_PROC_POINT: {
- struct procdata data = { 0, 0, 0, 0, AFSCALL_PIOCTL };
- data.param1 = (unsigned long)a_path;
- data.param2 = (unsigned long)o_opcode;
- data.param3 = (unsigned long)a_paramsP;
- data.param4 = (unsigned long)a_followSymlinks;
- return do_proc(&data);
- }
-#ifdef _AIX
- case AIX_ENTRY_POINTS:
- return Pioctl(a_path, o_opcode, a_paramsP, a_followSymlinks);
-#endif
- }
- errno = ENOSYS;
-#ifdef SIGSYS
- kill(getpid(), SIGSYS); /* You lose! */
-#endif
-#endif /* NO_AFS */
- return -1;
-}
-
-int
-k_afs_cell_of_file(const char *path, char *cell, int len)
-{
- struct ViceIoctl parms;
- parms.in = NULL;
- parms.in_size = 0;
- parms.out = cell;
- parms.out_size = len;
- return k_pioctl((char*)path, VIOC_FILE_CELL_NAME, &parms, 1);
-}
-
-int
-k_unlog(void)
-{
- struct ViceIoctl parms;
- memset(&parms, 0, sizeof(parms));
- return k_pioctl(0, VIOCUNLOG, &parms, 0);
-}
-
-int
-k_setpag(void)
-{
-#ifndef NO_AFS
- switch(afs_entry_point){
-#if defined(AFS_SYSCALL) || defined(AFS_SYSCALL2) || defined(AFS_SYSCALL3)
- case SINGLE_ENTRY_POINT:
- case SINGLE_ENTRY_POINT2:
- case SINGLE_ENTRY_POINT3:
- return syscall(afs_syscalls[0], AFSCALL_SETPAG);
-#endif
-#if defined(AFS_PIOCTL)
- case MULTIPLE_ENTRY_POINT:
- return syscall(afs_syscalls[1]);
-#endif
- case LINUX_PROC_POINT: {
- struct procdata data = { 0, 0, 0, 0, AFSCALL_SETPAG };
- return do_proc(&data);
- }
-#ifdef _AIX
- case AIX_ENTRY_POINTS:
- return Setpag();
-#endif
- }
-
- errno = ENOSYS;
-#ifdef SIGSYS
- kill(getpid(), SIGSYS); /* You lose! */
-#endif
-#endif /* NO_AFS */
- return -1;
-}
-
-static jmp_buf catch_SIGSYS;
-
-#ifdef SIGSYS
-
-static RETSIGTYPE
-SIGSYS_handler(int sig)
-{
- errno = 0;
- signal(SIGSYS, SIGSYS_handler); /* Need to reinstall handler on SYSV */
- longjmp(catch_SIGSYS, 1);
-}
-
-#endif
-
-/*
- * Try to see if `syscall' is a pioctl. Return 0 iff succesful.
- */
-
-#if defined(AFS_SYSCALL) || defined(AFS_SYSCALL2) || defined(AFS_SYSCALL3)
-static int
-try_one (int syscall_num)
-{
- struct ViceIoctl parms;
- memset(&parms, 0, sizeof(parms));
-
- if (setjmp(catch_SIGSYS) == 0) {
- syscall(syscall_num, AFSCALL_PIOCTL,
- 0, VIOCSETTOK, &parms, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
- if (errno == EINVAL) {
- afs_entry_point = SINGLE_ENTRY_POINT;
- afs_syscalls[0] = syscall_num;
- return 0;
- }
- }
- return 1;
-}
-#endif
-
-/*
- * Try to see if `syscall_pioctl' is a pioctl syscall. Return 0 iff
- * succesful.
- *
- */
-
-#ifdef AFS_PIOCTL
-static int
-try_two (int syscall_pioctl, int syscall_setpag)
-{
- struct ViceIoctl parms;
- memset(&parms, 0, sizeof(parms));
-
- if (setjmp(catch_SIGSYS) == 0) {
- syscall(syscall_pioctl,
- 0, VIOCSETTOK, &parms, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
- if (errno == EINVAL) {
- afs_entry_point = MULTIPLE_ENTRY_POINT;
- afs_syscalls[0] = syscall_pioctl;
- afs_syscalls[1] = syscall_setpag;
- return 0;
- }
- }
- return 1;
-}
-#endif
-
-int
-k_hasafs(void)
-{
-#if !defined(NO_AFS) && defined(SIGSYS)
- RETSIGTYPE (*saved_func)(int);
-#endif
- int saved_errno;
- char *env = getenv ("AFS_SYSCALL");
-
- /*
- * Already checked presence of AFS syscalls?
- */
- if (afs_entry_point != UNKNOWN_ENTRY_POINT)
- return afs_entry_point != NO_ENTRY_POINT;
-
- /*
- * Probe kernel for AFS specific syscalls,
- * they (currently) come in two flavors.
- * If the syscall is absent we recive a SIGSYS.
- */
- afs_entry_point = NO_ENTRY_POINT;
-
- saved_errno = errno;
-#ifndef NO_AFS
-#ifdef SIGSYS
- saved_func = signal(SIGSYS, SIGSYS_handler);
-#endif
-
-#if defined(AFS_SYSCALL) || defined(AFS_SYSCALL2) || defined(AFS_SYSCALL3)
- {
- int tmp;
-
- if (env != NULL) {
- if (sscanf (env, "%d", &tmp) == 1) {
- if (try_one (tmp) == 0)
- goto done;
- } else {
- char *end = NULL;
- char *p;
- char *s = strdup (env);
-
- if (s != NULL) {
- for (p = strtok_r (s, ",", &end);
- p != NULL;
- p = strtok_r (NULL, ",", &end)) {
- if (map_syscall_name_to_number (p, &tmp) == 0)
- if (try_one (tmp) == 0) {
- free (s);
- goto done;
- }
- }
- free (s);
- }
- }
- }
- }
-#endif /* AFS_SYSCALL || AFS_SYSCALL2 || AFS_SYSCALL3 */
-
-#ifdef AFS_SYSCALL
- if (try_one (AFS_SYSCALL) == 0)
- goto done;
-#endif /* AFS_SYSCALL */
-
-#ifdef AFS_PIOCTL
- {
- int tmp[2];
-
- if (env != NULL && sscanf (env, "%d%d", &tmp[0], &tmp[1]) == 2)
- if (try_two (tmp[0], tmp[1]) == 2)
- goto done;
- }
-#endif /* AFS_PIOCTL */
-
-#ifdef AFS_PIOCTL
- if (try_two (AFS_PIOCTL, AFS_SETPAG) == 0)
- goto done;
-#endif /* AFS_PIOCTL */
-
-#ifdef AFS_SYSCALL2
- if (try_one (AFS_SYSCALL2) == 0)
- goto done;
-#endif /* AFS_SYSCALL2 */
-
-#ifdef AFS_SYSCALL3
- if (try_one (AFS_SYSCALL3) == 0)
- goto done;
-#endif /* AFS_SYSCALL3 */
-
-#ifdef _AIX
-#if 0
- if (env != NULL) {
- char *pos = NULL;
- char *pioctl_name;
- char *setpag_name;
-
- pioctl_name = strtok_r (env, ", \t", &pos);
- if (pioctl_name != NULL) {
- setpag_name = strtok_r (NULL, ", \t", &pos);
- if (setpag_name != NULL)
- if (try_aix (pioctl_name, setpag_name) == 0)
- goto done;
- }
- }
-#endif
-
- if(try_aix() == 0)
- goto done;
-#endif
-
- if (try_proc("/proc/fs/openafs/afs_ioctl") == 0)
- goto done;
- if (try_proc("/proc/fs/nnpfs/afs_ioctl") == 0)
- goto done;
- if (env && try_proc(env) == 0)
- goto done;
-
-done:
-#ifdef SIGSYS
- signal(SIGSYS, saved_func);
-#endif
-#endif /* NO_AFS */
- errno = saved_errno;
- return afs_entry_point != NO_ENTRY_POINT;
-}
diff --git a/crypto/heimdal-0.6.3/lib/kafs/afssysdefs.h b/crypto/heimdal-0.6.3/lib/kafs/afssysdefs.h
deleted file mode 100644
index bfda36a07e..0000000000
--- a/crypto/heimdal-0.6.3/lib/kafs/afssysdefs.h
+++ /dev/null
@@ -1,107 +0,0 @@
-/*
- * Copyright (c) 1995 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: afssysdefs.h,v 1.26 2003/02/08 22:55:55 assar Exp $ */
-
-/*
- * This section is for machines using single entry point AFS syscalls!
- * and/or
- * This section is for machines using multiple entry point AFS syscalls!
- *
- * SunOS 4 is an example of single entry point and sgi of multiple
- * entry point syscalls.
- */
-
-#if SunOS == 40
-#define AFS_SYSCALL 31
-#endif
-
-#if SunOS >= 50 && SunOS < 57
-#define AFS_SYSCALL 105
-#endif
-
-#if SunOS == 57
-#define AFS_SYSCALL 73
-#endif
-
-#if SunOS >= 58
-#define AFS_SYSCALL 65
-#endif
-
-#if defined(__hpux)
-#define AFS_SYSCALL 50
-#define AFS_SYSCALL2 49
-#define AFS_SYSCALL3 48
-#endif
-
-#if defined(_AIX)
-/* _AIX is too weird */
-#endif
-
-#if defined(__sgi)
-#define AFS_PIOCTL (64+1000)
-#define AFS_SETPAG (65+1000)
-#endif
-
-#if defined(__osf__)
-#define AFS_SYSCALL 232
-#define AFS_SYSCALL2 258
-#endif
-
-#if defined(__ultrix)
-#define AFS_SYSCALL 31
-#endif
-
-#if defined(__FreeBSD__)
-#if __FreeBSD_version >= 500000
-#define AFS_SYSCALL 339
-#else
-#define AFS_SYSCALL 210
-#endif
-#endif /* __FreeBSD__ */
-
-#ifdef __OpenBSD__
-#define AFS_SYSCALL 208
-#endif
-
-#if defined(__NetBSD__)
-#define AFS_SYSCALL 210
-#endif
-
-#ifdef __APPLE__ /* MacOS X */
-#define AFS_SYSCALL 230
-#endif
-
-#ifdef SYS_afs_syscall
-#define AFS_SYSCALL3 SYS_afs_syscall
-#endif
diff --git a/crypto/heimdal-0.6.3/lib/kafs/common.c b/crypto/heimdal-0.6.3/lib/kafs/common.c
deleted file mode 100644
index 291dcac3c1..0000000000
--- a/crypto/heimdal-0.6.3/lib/kafs/common.c
+++ /dev/null
@@ -1,484 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kafs_locl.h"
-
-RCSID("$Id: common.c,v 1.26.2.1 2003/04/23 18:03:20 lha Exp $");
-
-#define AUTH_SUPERUSER "afs"
-
-/*
- * Here only ASCII characters are relevant.
- */
-
-#define IsAsciiLower(c) ('a' <= (c) && (c) <= 'z')
-
-#define ToAsciiUpper(c) ((c) - 'a' + 'A')
-
-static void (*kafs_verbose)(void *, const char *);
-static void *kafs_verbose_ctx;
-
-void
-_kafs_foldup(char *a, const char *b)
-{
- for (; *b; a++, b++)
- if (IsAsciiLower(*b))
- *a = ToAsciiUpper(*b);
- else
- *a = *b;
- *a = '\0';
-}
-
-void
-kafs_set_verbose(void (*f)(void *, const char *), void *ctx)
-{
- if (f) {
- kafs_verbose = f;
- kafs_verbose_ctx = ctx;
- }
-}
-
-int
-kafs_settoken_rxkad(const char *cell, struct ClearToken *ct,
- void *ticket, size_t ticket_len)
-{
- struct ViceIoctl parms;
- char buf[2048], *t;
- int32_t sizeof_x;
-
- t = buf;
- /*
- * length of secret token followed by secret token
- */
- sizeof_x = ticket_len;
- memcpy(t, &sizeof_x, sizeof(sizeof_x));
- t += sizeof(sizeof_x);
- memcpy(t, ticket, sizeof_x);
- t += sizeof_x;
- /*
- * length of clear token followed by clear token
- */
- sizeof_x = sizeof(*ct);
- memcpy(t, &sizeof_x, sizeof(sizeof_x));
- t += sizeof(sizeof_x);
- memcpy(t, ct, sizeof_x);
- t += sizeof_x;
-
- /*
- * do *not* mark as primary cell
- */
- sizeof_x = 0;
- memcpy(t, &sizeof_x, sizeof(sizeof_x));
- t += sizeof(sizeof_x);
- /*
- * follow with cell name
- */
- sizeof_x = strlen(cell) + 1;
- memcpy(t, cell, sizeof_x);
- t += sizeof_x;
-
- /*
- * Build argument block
- */
- parms.in = buf;
- parms.in_size = t - buf;
- parms.out = 0;
- parms.out_size = 0;
-
- return k_pioctl(0, VIOCSETTOK, &parms, 0);
-}
-
-void
-_kafs_fixup_viceid(struct ClearToken *ct, uid_t uid)
-{
-#define ODD(x) ((x) & 1)
- /* According to Transarc conventions ViceId is valid iff
- * (EndTimestamp - BeginTimestamp) is odd. By decrementing EndTime
- * the transformations:
- *
- * (issue_date, life) -> (StartTime, EndTime) -> (issue_date, life)
- * preserves the original values.
- */
- if (uid != 0) /* valid ViceId */
- {
- if (!ODD(ct->EndTimestamp - ct->BeginTimestamp))
- ct->EndTimestamp--;
- }
- else /* not valid ViceId */
- {
- if (ODD(ct->EndTimestamp - ct->BeginTimestamp))
- ct->EndTimestamp--;
- }
-}
-
-
-int
-_kafs_v4_to_kt(CREDENTIALS *c, uid_t uid, struct kafs_token *kt)
-{
- kt->ticket = NULL;
-
- if (c->ticket_st.length > MAX_KTXT_LEN)
- return EINVAL;
-
- kt->ticket = malloc(c->ticket_st.length);
- if (kt->ticket == NULL)
- return ENOMEM;
- kt->ticket_len = c->ticket_st.length;
- memcpy(kt->ticket, c->ticket_st.dat, kt->ticket_len);
-
- /*
- * Build a struct ClearToken
- */
- kt->ct.AuthHandle = c->kvno;
- memcpy (kt->ct.HandShakeKey, c->session, sizeof(c->session));
- kt->ct.ViceId = uid;
- kt->ct.BeginTimestamp = c->issue_date;
- kt->ct.EndTimestamp = krb_life_to_time(c->issue_date, c->lifetime);
-
- _kafs_fixup_viceid(&kt->ct, uid);
-
- return 0;
-}
-
-/* Try to get a db-server for an AFS cell from a AFSDB record */
-
-static int
-dns_find_cell(const char *cell, char *dbserver, size_t len)
-{
- struct dns_reply *r;
- int ok = -1;
- r = dns_lookup(cell, "afsdb");
- if(r){
- struct resource_record *rr = r->head;
- while(rr){
- if(rr->type == T_AFSDB && rr->u.afsdb->preference == 1){
- strlcpy(dbserver,
- rr->u.afsdb->domain,
- len);
- ok = 0;
- break;
- }
- rr = rr->next;
- }
- dns_free_data(r);
- }
- return ok;
-}
-
-
-/*
- * Try to find the cells we should try to klog to in "file".
- */
-static void
-find_cells(const char *file, char ***cells, int *index)
-{
- FILE *f;
- char cell[64];
- int i;
- int ind = *index;
-
- f = fopen(file, "r");
- if (f == NULL)
- return;
- while (fgets(cell, sizeof(cell), f)) {
- char *t;
- t = cell + strlen(cell);
- for (; t >= cell; t--)
- if (*t == '\n' || *t == '\t' || *t == ' ')
- *t = 0;
- if (cell[0] == '\0' || cell[0] == '#')
- continue;
- for(i = 0; i < ind; i++)
- if(strcmp((*cells)[i], cell) == 0)
- break;
- if(i == ind){
- char **tmp;
-
- tmp = realloc(*cells, (ind + 1) * sizeof(**cells));
- if (tmp == NULL)
- break;
- *cells = tmp;
- (*cells)[ind] = strdup(cell);
- if ((*cells)[ind] == NULL)
- break;
- ++ind;
- }
- }
- fclose(f);
- *index = ind;
-}
-
-/*
- * Get tokens for all cells[]
- */
-static int
-afslog_cells(kafs_data *data, char **cells, int max, uid_t uid,
- const char *homedir)
-{
- int ret = 0;
- int i;
- for (i = 0; i < max; i++) {
- int er = (*data->afslog_uid)(data, cells[i], 0, uid, homedir);
- if (er)
- ret = er;
- }
- return ret;
-}
-
-int
-_kafs_afslog_all_local_cells(kafs_data *data, uid_t uid, const char *homedir)
-{
- int ret;
- char **cells = NULL;
- int index = 0;
-
- if (homedir == NULL)
- homedir = getenv("HOME");
- if (homedir != NULL) {
- char home[MaxPathLen];
- snprintf(home, sizeof(home), "%s/.TheseCells", homedir);
- find_cells(home, &cells, &index);
- }
- find_cells(_PATH_THESECELLS, &cells, &index);
- find_cells(_PATH_THISCELL, &cells, &index);
- find_cells(_PATH_ARLA_THESECELLS, &cells, &index);
- find_cells(_PATH_ARLA_THISCELL, &cells, &index);
- find_cells(_PATH_OPENAFS_DEBIAN_THESECELLS, &cells, &index);
- find_cells(_PATH_OPENAFS_DEBIAN_THISCELL, &cells, &index);
- find_cells(_PATH_ARLA_DEBIAN_THESECELLS, &cells, &index);
- find_cells(_PATH_ARLA_DEBIAN_THISCELL, &cells, &index);
-
- ret = afslog_cells(data, cells, index, uid, homedir);
- while(index > 0)
- free(cells[--index]);
- free(cells);
- return ret;
-}
-
-
-static int
-file_find_cell(kafs_data *data, const char *cell, char **realm, int exact)
-{
- FILE *F;
- char buf[1024];
- char *p;
- int ret = -1;
-
- if ((F = fopen(_PATH_CELLSERVDB, "r"))
- || (F = fopen(_PATH_ARLA_CELLSERVDB, "r"))
- || (F = fopen(_PATH_OPENAFS_DEBIAN_CELLSERVDB, "r"))
- || (F = fopen(_PATH_ARLA_DEBIAN_CELLSERVDB, "r"))) {
- while (fgets(buf, sizeof(buf), F)) {
- int cmp;
-
- if (buf[0] != '>')
- continue; /* Not a cell name line, try next line */
- p = buf;
- strsep(&p, " \t\n#");
-
- if (exact)
- cmp = strcmp(buf + 1, cell);
- else
- cmp = strncmp(buf + 1, cell, strlen(cell));
-
- if (cmp == 0) {
- /*
- * We found the cell name we're looking for.
- * Read next line on the form ip-address '#' hostname
- */
- if (fgets(buf, sizeof(buf), F) == NULL)
- break; /* Read failed, give up */
- p = strchr(buf, '#');
- if (p == NULL)
- break; /* No '#', give up */
- p++;
- if (buf[strlen(buf) - 1] == '\n')
- buf[strlen(buf) - 1] = '\0';
- *realm = (*data->get_realm)(data, p);
- if (*realm && **realm != '\0')
- ret = 0;
- break; /* Won't try any more */
- }
- }
- fclose(F);
- }
- return ret;
-}
-
-/* Find the realm associated with cell. Do this by opening
- /usr/vice/etc/CellServDB and getting the realm-of-host for the
- first VL-server for the cell.
-
- This does not work when the VL-server is living in one realm, but
- the cell it is serving is living in another realm.
-
- Return 0 on success, -1 otherwise.
- */
-
-int
-_kafs_realm_of_cell(kafs_data *data, const char *cell, char **realm)
-{
- char buf[1024];
- int ret;
-
- ret = file_find_cell(data, cell, realm, 1);
- if (ret == 0)
- return ret;
- if (dns_find_cell(cell, buf, sizeof(buf)) == 0) {
- *realm = (*data->get_realm)(data, buf);
- if(*realm != NULL)
- return 0;
- }
- return file_find_cell(data, cell, realm, 0);
-}
-
-static int
-_kafs_try_get_cred(kafs_data *data, const char *user, const char *cell,
- const char *realm, uid_t uid, struct kafs_token *kt)
-{
- int ret;
-
- ret = (*data->get_cred)(data, user, cell, realm, uid, kt);
- if (kafs_verbose) {
- char *str;
- asprintf(&str, "%s tried afs%s%s@%s -> %d",
- data->name, cell[0] == '\0' ? "" : "/",
- cell, realm, ret);
- (*kafs_verbose)(kafs_verbose_ctx, str);
- free(str);
- }
-
- return ret;
-}
-
-
-int
-_kafs_get_cred(kafs_data *data,
- const char *cell,
- const char *realm_hint,
- const char *realm,
- uid_t uid,
- struct kafs_token *kt)
-{
- int ret = -1;
- char *vl_realm;
- char CELL[64];
-
- /* We're about to find the the realm that holds the key for afs in
- * the specified cell. The problem is that null-instance
- * afs-principals are common and that hitting the wrong realm might
- * yield the wrong afs key. The following assumptions were made.
- *
- * Any realm passed to us is preferred.
- *
- * If there is a realm with the same name as the cell, it is most
- * likely the correct realm to talk to.
- *
- * In most (maybe even all) cases the database servers of the cell
- * will live in the realm we are looking for.
- *
- * Try the local realm, but if the previous cases fail, this is
- * really a long shot.
- *
- */
-
- /* comments on the ordering of these tests */
-
- /* If the user passes a realm, she probably knows something we don't
- * know and we should try afs@realm_hint.
- */
-
- if (realm_hint) {
- ret = _kafs_try_get_cred(data, AUTH_SUPERUSER,
- cell, realm_hint, uid, kt);
- if (ret == 0) return 0;
- ret = _kafs_try_get_cred(data, AUTH_SUPERUSER,
- "", realm_hint, uid, kt);
- if (ret == 0) return 0;
- }
-
- _kafs_foldup(CELL, cell);
-
- /*
- * If cell == realm we don't need no cross-cell authentication.
- * Try afs@REALM.
- */
- if (strcmp(CELL, realm) == 0) {
- ret = _kafs_try_get_cred(data, AUTH_SUPERUSER,
- "", realm, uid, kt);
- if (ret == 0) return 0;
- /* Try afs.cell@REALM below. */
- }
-
- /*
- * If the AFS servers have a file /usr/afs/etc/krb.conf containing
- * REALM we still don't have to resort to cross-cell authentication.
- * Try afs.cell@REALM.
- */
- ret = _kafs_try_get_cred(data, AUTH_SUPERUSER,
- cell, realm, uid, kt);
- if (ret == 0) return 0;
-
- /*
- * We failed to get ``first class tickets'' for afs,
- * fall back to cross-cell authentication.
- * Try afs@CELL.
- * Try afs.cell@CELL.
- */
- ret = _kafs_try_get_cred(data, AUTH_SUPERUSER,
- "", CELL, uid, kt);
- if (ret == 0) return 0;
- ret = _kafs_try_get_cred(data, AUTH_SUPERUSER,
- cell, CELL, uid, kt);
- if (ret == 0) return 0;
-
- /*
- * Perhaps the cell doesn't correspond to any realm?
- * Use realm of first volume location DB server.
- * Try afs.cell@VL_REALM.
- * Try afs@VL_REALM???
- */
- if (_kafs_realm_of_cell(data, cell, &vl_realm) == 0
- && strcmp(vl_realm, realm) != 0
- && strcmp(vl_realm, CELL) != 0) {
- ret = _kafs_try_get_cred(data, AUTH_SUPERUSER,
- cell, vl_realm, uid, kt);
- if (ret)
- ret = _kafs_try_get_cred(data, AUTH_SUPERUSER,
- "", vl_realm, uid, kt);
- free(vl_realm);
- if (ret == 0) return 0;
- }
-
- return ret;
-}
diff --git a/crypto/heimdal-0.6.3/lib/kafs/dlfcn.c b/crypto/heimdal-0.6.3/lib/kafs/dlfcn.c
deleted file mode 100644
index 728cf5cdd7..0000000000
--- a/crypto/heimdal-0.6.3/lib/kafs/dlfcn.c
+++ /dev/null
@@ -1,581 +0,0 @@
-/*
- * @(#)dlfcn.c 1.11 revision of 96/04/10 20:12:51
- * This is an unpublished work copyright (c) 1992 HELIOS Software GmbH
- * 30159 Hannover, Germany
- */
-
-/*
- * Changes marked with `--jwe' were made on April 7 1996 by John W. Eaton
- * to support g++ and/or use with Octave.
- */
-
-/*
- * This makes my life easier with Octave. --jwe
- */
-#ifdef HAVE_CONFIG_H
-#include
-#endif
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include "dlfcn.h"
-
-/*
- * We simulate dlopen() et al. through a call to load. Because AIX has
- * no call to find an exported symbol we read the loader section of the
- * loaded module and build a list of exported symbols and their virtual
- * address.
- */
-
-typedef struct {
- char *name; /* the symbols's name */
- void *addr; /* its relocated virtual address */
-} Export, *ExportPtr;
-
-/*
- * xlC uses the following structure to list its constructors and
- * destructors. This is gleaned from the output of munch.
- */
-typedef struct {
- void (*init)(void); /* call static constructors */
- void (*term)(void); /* call static destructors */
-} Cdtor, *CdtorPtr;
-
-typedef void (*GccCDtorPtr)(void);
-
-/*
- * The void * handle returned from dlopen is actually a ModulePtr.
- */
-typedef struct Module {
- struct Module *next;
- char *name; /* module name for refcounting */
- int refCnt; /* the number of references */
- void *entry; /* entry point from load */
- struct dl_info *info; /* optional init/terminate functions */
- CdtorPtr cdtors; /* optional C++ constructors */
- GccCDtorPtr gcc_ctor; /* g++ constructors --jwe */
- GccCDtorPtr gcc_dtor; /* g++ destructors --jwe */
- int nExports; /* the number of exports found */
- ExportPtr exports; /* the array of exports */
-} Module, *ModulePtr;
-
-/*
- * We keep a list of all loaded modules to be able to call the fini
- * handlers and destructors at atexit() time.
- */
-static ModulePtr modList;
-
-/*
- * The last error from one of the dl* routines is kept in static
- * variables here. Each error is returned only once to the caller.
- */
-static char errbuf[BUFSIZ];
-static int errvalid;
-
-/*
- * The `fixed' gcc header files on AIX 3.2.5 provide a prototype for
- * strdup(). --jwe
- */
-#ifndef HAVE_STRDUP
-extern char *strdup(const char *);
-#endif
-static void caterr(char *);
-static int readExports(ModulePtr);
-static void terminate(void);
-static void *findMain(void);
-
-void *dlopen(const char *path, int mode)
-{
- ModulePtr mp;
- static void *mainModule;
-
- /*
- * Upon the first call register a terminate handler that will
- * close all libraries. Also get a reference to the main module
- * for use with loadbind.
- */
- if (!mainModule) {
- if ((mainModule = findMain()) == NULL)
- return NULL;
- atexit(terminate);
- }
- /*
- * Scan the list of modules if we have the module already loaded.
- */
- for (mp = modList; mp; mp = mp->next)
- if (strcmp(mp->name, path) == 0) {
- mp->refCnt++;
- return mp;
- }
- if ((mp = (ModulePtr)calloc(1, sizeof(*mp))) == NULL) {
- errvalid++;
- snprintf (errbuf, sizeof(errbuf), "calloc: %s", strerror(errno));
- return NULL;
- }
- if ((mp->name = strdup(path)) == NULL) {
- errvalid++;
- snprintf (errbuf, sizeof(errbuf), "strdup: %s", strerror(errno));
- free(mp);
- return NULL;
- }
- /*
- * load should be declared load(const char *...). Thus we
- * cast the path to a normal char *. Ugly.
- */
- if ((mp->entry = (void *)load((char *)path, L_NOAUTODEFER, NULL)) == NULL) {
- free(mp->name);
- free(mp);
- errvalid++;
- snprintf (errbuf, sizeof(errbuf),
- "dlopen: %s: ", path);
- /*
- * If AIX says the file is not executable, the error
- * can be further described by querying the loader about
- * the last error.
- */
- if (errno == ENOEXEC) {
- char *tmp[BUFSIZ/sizeof(char *)];
- if (loadquery(L_GETMESSAGES, tmp, sizeof(tmp)) == -1)
- strlcpy(errbuf,
- strerror(errno),
- sizeof(errbuf));
- else {
- char **p;
- for (p = tmp; *p; p++)
- caterr(*p);
- }
- } else
- strlcat(errbuf,
- strerror(errno),
- sizeof(errbuf));
- return NULL;
- }
- mp->refCnt = 1;
- mp->next = modList;
- modList = mp;
- if (loadbind(0, mainModule, mp->entry) == -1) {
- dlclose(mp);
- errvalid++;
- snprintf (errbuf, sizeof(errbuf),
- "loadbind: %s", strerror(errno));
- return NULL;
- }
- /*
- * If the user wants global binding, loadbind against all other
- * loaded modules.
- */
- if (mode & RTLD_GLOBAL) {
- ModulePtr mp1;
- for (mp1 = mp->next; mp1; mp1 = mp1->next)
- if (loadbind(0, mp1->entry, mp->entry) == -1) {
- dlclose(mp);
- errvalid++;
- snprintf (errbuf, sizeof(errbuf),
- "loadbind: %s",
- strerror(errno));
- return NULL;
- }
- }
- if (readExports(mp) == -1) {
- dlclose(mp);
- return NULL;
- }
- /*
- * If there is a dl_info structure, call the init function.
- */
- if (mp->info = (struct dl_info *)dlsym(mp, "dl_info")) {
- if (mp->info->init)
- (*mp->info->init)();
- } else
- errvalid = 0;
- /*
- * If the shared object was compiled using xlC we will need
- * to call static constructors (and later on dlclose destructors).
- */
- if (mp->cdtors = (CdtorPtr)dlsym(mp, "__cdtors")) {
- CdtorPtr cp = mp->cdtors;
- while (cp->init || cp->term) {
- if (cp->init && cp->init != (void (*)(void))0xffffffff)
- (*cp->init)();
- cp++;
- }
- /*
- * If the shared object was compiled using g++, we will need
- * to call global constructors using the _GLOBAL__DI function,
- * and later, global destructors using the _GLOBAL_DD
- * funciton. --jwe
- */
- } else if (mp->gcc_ctor = (GccCDtorPtr)dlsym(mp, "_GLOBAL__DI")) {
- (*mp->gcc_ctor)();
- mp->gcc_dtor = (GccCDtorPtr)dlsym(mp, "_GLOBAL__DD");
- } else
- errvalid = 0;
- return mp;
-}
-
-/*
- * Attempt to decipher an AIX loader error message and append it
- * to our static error message buffer.
- */
-static void caterr(char *s)
-{
- char *p = s;
-
- while (*p >= '0' && *p <= '9')
- p++;
- switch(atoi(s)) {
- case L_ERROR_TOOMANY:
- strlcat(errbuf, "to many errors", sizeof(errbuf));
- break;
- case L_ERROR_NOLIB:
- strlcat(errbuf, "can't load library", sizeof(errbuf));
- strlcat(errbuf, p, sizeof(errbuf));
- break;
- case L_ERROR_UNDEF:
- strlcat(errbuf, "can't find symbol", sizeof(errbuf));
- strlcat(errbuf, p, sizeof(errbuf));
- break;
- case L_ERROR_RLDBAD:
- strlcat(errbuf, "bad RLD", sizeof(errbuf));
- strlcat(errbuf, p, sizeof(errbuf));
- break;
- case L_ERROR_FORMAT:
- strlcat(errbuf, "bad exec format in", sizeof(errbuf));
- strlcat(errbuf, p, sizeof(errbuf));
- break;
- case L_ERROR_ERRNO:
- strlcat(errbuf, strerror(atoi(++p)), sizeof(errbuf));
- break;
- default:
- strlcat(errbuf, s, sizeof(errbuf));
- break;
- }
-}
-
-void *dlsym(void *handle, const char *symbol)
-{
- ModulePtr mp = (ModulePtr)handle;
- ExportPtr ep;
- int i;
-
- /*
- * Could speed up the search, but I assume that one assigns
- * the result to function pointers anyways.
- */
- for (ep = mp->exports, i = mp->nExports; i; i--, ep++)
- if (strcmp(ep->name, symbol) == 0)
- return ep->addr;
- errvalid++;
- snprintf (errbuf, sizeof(errbuf),
- "dlsym: undefined symbol %s", symbol);
- return NULL;
-}
-
-char *dlerror(void)
-{
- if (errvalid) {
- errvalid = 0;
- return errbuf;
- }
- return NULL;
-}
-
-int dlclose(void *handle)
-{
- ModulePtr mp = (ModulePtr)handle;
- int result;
- ModulePtr mp1;
-
- if (--mp->refCnt > 0)
- return 0;
- if (mp->info && mp->info->fini)
- (*mp->info->fini)();
- if (mp->cdtors) {
- CdtorPtr cp = mp->cdtors;
- while (cp->init || cp->term) {
- if (cp->term && cp->init != (void (*)(void))0xffffffff)
- (*cp->term)();
- cp++;
- }
- /*
- * If the function to handle global destructors for g++
- * exists, call it. --jwe
- */
- } else if (mp->gcc_dtor) {
- (*mp->gcc_dtor)();
- }
- result = unload(mp->entry);
- if (result == -1) {
- errvalid++;
- snprintf (errbuf, sizeof(errbuf),
- "%s", strerror(errno));
- }
- if (mp->exports) {
- ExportPtr ep;
- int i;
- for (ep = mp->exports, i = mp->nExports; i; i--, ep++)
- if (ep->name)
- free(ep->name);
- free(mp->exports);
- }
- if (mp == modList)
- modList = mp->next;
- else {
- for (mp1 = modList; mp1; mp1 = mp1->next)
- if (mp1->next == mp) {
- mp1->next = mp->next;
- break;
- }
- }
- free(mp->name);
- free(mp);
- return result;
-}
-
-static void terminate(void)
-{
- while (modList)
- dlclose(modList);
-}
-
-/*
- * Build the export table from the XCOFF .loader section.
- */
-static int readExports(ModulePtr mp)
-{
- LDFILE *ldp = NULL;
- SCNHDR sh, shdata;
- LDHDR *lhp;
- char *ldbuf;
- LDSYM *ls;
- int i;
- ExportPtr ep;
-
- if ((ldp = ldopen(mp->name, ldp)) == NULL) {
- struct ld_info *lp;
- char *buf;
- int size = 4*1024;
- if (errno != ENOENT) {
- errvalid++;
- snprintf(errbuf, sizeof(errbuf),
- "readExports: %s",
- strerror(errno));
- return -1;
- }
- /*
- * The module might be loaded due to the LIBPATH
- * environment variable. Search for the loaded
- * module using L_GETINFO.
- */
- if ((buf = malloc(size)) == NULL) {
- errvalid++;
- snprintf(errbuf, sizeof(errbuf),
- "readExports: %s",
- strerror(errno));
- return -1;
- }
- while ((i = loadquery(L_GETINFO, buf, size)) == -1 && errno == ENOMEM) {
- free(buf);
- size += 4*1024;
- if ((buf = malloc(size)) == NULL) {
- errvalid++;
- snprintf(errbuf, sizeof(errbuf),
- "readExports: %s",
- strerror(errno));
- return -1;
- }
- }
- if (i == -1) {
- errvalid++;
- snprintf(errbuf, sizeof(errbuf),
- "readExports: %s",
- strerror(errno));
- free(buf);
- return -1;
- }
- /*
- * Traverse the list of loaded modules. The entry point
- * returned by load() does actually point to the data
- * segment origin.
- */
- lp = (struct ld_info *)buf;
- while (lp) {
- if (lp->ldinfo_dataorg == mp->entry) {
- ldp = ldopen(lp->ldinfo_filename, ldp);
- break;
- }
- if (lp->ldinfo_next == 0)
- lp = NULL;
- else
- lp = (struct ld_info *)((char *)lp + lp->ldinfo_next);
- }
- free(buf);
- if (!ldp) {
- errvalid++;
- snprintf (errbuf, sizeof(errbuf),
- "readExports: %s", strerror(errno));
- return -1;
- }
- }
- if (TYPE(ldp) != U802TOCMAGIC) {
- errvalid++;
- snprintf(errbuf, sizeof(errbuf), "readExports: bad magic");
- while(ldclose(ldp) == FAILURE)
- ;
- return -1;
- }
- /*
- * Get the padding for the data section. This is needed for
- * AIX 4.1 compilers. This is used when building the final
- * function pointer to the exported symbol.
- */
- if (ldnshread(ldp, _DATA, &shdata) != SUCCESS) {
- errvalid++;
- snprintf(errbuf, sizeof(errbuf),
- "readExports: cannot read data section header");
- while(ldclose(ldp) == FAILURE)
- ;
- return -1;
- }
- if (ldnshread(ldp, _LOADER, &sh) != SUCCESS) {
- errvalid++;
- snprintf(errbuf, sizeof(errbuf),
- "readExports: cannot read loader section header");
- while(ldclose(ldp) == FAILURE)
- ;
- return -1;
- }
- /*
- * We read the complete loader section in one chunk, this makes
- * finding long symbol names residing in the string table easier.
- */
- if ((ldbuf = (char *)malloc(sh.s_size)) == NULL) {
- errvalid++;
- snprintf (errbuf, sizeof(errbuf),
- "readExports: %s", strerror(errno));
- while(ldclose(ldp) == FAILURE)
- ;
- return -1;
- }
- if (FSEEK(ldp, sh.s_scnptr, BEGINNING) != OKFSEEK) {
- errvalid++;
- snprintf(errbuf, sizeof(errbuf),
- "readExports: cannot seek to loader section");
- free(ldbuf);
- while(ldclose(ldp) == FAILURE)
- ;
- return -1;
- }
- if (FREAD(ldbuf, sh.s_size, 1, ldp) != 1) {
- errvalid++;
- snprintf(errbuf, sizeof(errbuf),
- "readExports: cannot read loader section");
- free(ldbuf);
- while(ldclose(ldp) == FAILURE)
- ;
- return -1;
- }
- lhp = (LDHDR *)ldbuf;
- ls = (LDSYM *)(ldbuf+LDHDRSZ);
- /*
- * Count the number of exports to include in our export table.
- */
- for (i = lhp->l_nsyms; i; i--, ls++) {
- if (!LDR_EXPORT(*ls))
- continue;
- mp->nExports++;
- }
- if ((mp->exports = (ExportPtr)calloc(mp->nExports, sizeof(*mp->exports))) == NULL) {
- errvalid++;
- snprintf (errbuf, sizeof(errbuf),
- "readExports: %s", strerror(errno));
- free(ldbuf);
- while(ldclose(ldp) == FAILURE)
- ;
- return -1;
- }
- /*
- * Fill in the export table. All entries are relative to
- * the entry point we got from load.
- */
- ep = mp->exports;
- ls = (LDSYM *)(ldbuf+LDHDRSZ);
- for (i = lhp->l_nsyms; i; i--, ls++) {
- char *symname;
- char tmpsym[SYMNMLEN+1];
- if (!LDR_EXPORT(*ls))
- continue;
- if (ls->l_zeroes == 0)
- symname = ls->l_offset+lhp->l_stoff+ldbuf;
- else {
- /*
- * The l_name member is not zero terminated, we
- * must copy the first SYMNMLEN chars and make
- * sure we have a zero byte at the end.
- */
- strlcpy (tmpsym, ls->l_name,
- SYMNMLEN + 1);
- symname = tmpsym;
- }
- ep->name = strdup(symname);
- ep->addr = (void *)((unsigned long)mp->entry +
- ls->l_value - shdata.s_vaddr);
- ep++;
- }
- free(ldbuf);
- while(ldclose(ldp) == FAILURE)
- ;
- return 0;
-}
-
-/*
- * Find the main modules entry point. This is used as export pointer
- * for loadbind() to be able to resolve references to the main part.
- */
-static void * findMain(void)
-{
- struct ld_info *lp;
- char *buf;
- int size = 4*1024;
- int i;
- void *ret;
-
- if ((buf = malloc(size)) == NULL) {
- errvalid++;
- snprintf (errbuf, sizeof(errbuf),
- "findMail: %s", strerror(errno));
- return NULL;
- }
- while ((i = loadquery(L_GETINFO, buf, size)) == -1 && errno == ENOMEM) {
- free(buf);
- size += 4*1024;
- if ((buf = malloc(size)) == NULL) {
- errvalid++;
- snprintf (errbuf, sizeof(errbuf),
- "findMail: %s", strerror(errno));
- return NULL;
- }
- }
- if (i == -1) {
- errvalid++;
- snprintf (errbuf, sizeof(errbuf),
- "findMail: %s", strerror(errno));
- free(buf);
- return NULL;
- }
- /*
- * The first entry is the main module. The entry point
- * returned by load() does actually point to the data
- * segment origin.
- */
- lp = (struct ld_info *)buf;
- ret = lp->ldinfo_dataorg;
- free(buf);
- return ret;
-}
diff --git a/crypto/heimdal-0.6.3/lib/kafs/dlfcn.h b/crypto/heimdal-0.6.3/lib/kafs/dlfcn.h
deleted file mode 100644
index b8dfd985a5..0000000000
--- a/crypto/heimdal-0.6.3/lib/kafs/dlfcn.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * @(#)dlfcn.h 1.4 revision of 95/04/25 09:36:52
- * This is an unpublished work copyright (c) 1992 HELIOS Software GmbH
- * 30159 Hannover, Germany
- */
-
-#ifndef __dlfcn_h__
-#define __dlfcn_h__
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/*
- * Mode flags for the dlopen routine.
- */
-#define RTLD_LAZY 1 /* lazy function call binding */
-#define RTLD_NOW 2 /* immediate function call binding */
-#define RTLD_GLOBAL 0x100 /* allow symbols to be global */
-
-/*
- * To be able to initialize, a library may provide a dl_info structure
- * that contains functions to be called to initialize and terminate.
- */
-struct dl_info {
- void (*init)(void);
- void (*fini)(void);
-};
-
-#if __STDC__ || defined(_IBMR2)
-void *dlopen(const char *path, int mode);
-void *dlsym(void *handle, const char *symbol);
-char *dlerror(void);
-int dlclose(void *handle);
-#else
-void *dlopen();
-void *dlsym();
-char *dlerror();
-int dlclose();
-#endif
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* __dlfcn_h__ */
diff --git a/crypto/heimdal-0.6.3/lib/kafs/kafs.3 b/crypto/heimdal-0.6.3/lib/kafs/kafs.3
deleted file mode 100644
index c6cff4da7d..0000000000
--- a/crypto/heimdal-0.6.3/lib/kafs/kafs.3
+++ /dev/null
@@ -1,275 +0,0 @@
-.\" Copyright (c) 1998 - 1999, 2001 - 2003 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: kafs.3,v 1.16 2003/04/16 13:58:27 lha Exp $
-.\"
-.Dd Mar 17, 2003
-.Os HEIMDAL
-.Dt KAFS 3
-.Sh NAME
-.Nm k_hasafs ,
-.Nm k_pioctl ,
-.Nm k_unlog ,
-.Nm k_setpag ,
-.Nm k_afs_cell_of_file ,
-.Nm kafs_set_verbose ,
-.Nm kafs_settoken_rxkad ,
-.Nm kafs_settoken ,
-.Nm krb_afslog ,
-.Nm krb_afslog_uid
-.Nm kafs_settoken5 ,
-.Nm krb5_afslog ,
-.Nm krb5_afslog_uid
-.Nd AFS library
-.Sh LIBRARY
-AFS cache manager access library (libkafs, -lkafs)
-.Sh SYNOPSIS
-.In kafs.h
-.Ft int
-.Fn k_afs_cell_of_file "const char *path" "char *cell" "int len"
-.Ft int
-.Fn k_hasafs "void"
-.Ft int
-.Fn k_pioctl "char *a_path" "int o_opcode" "struct ViceIoctl *a_paramsP" "int a_followSymlinks"
-.Ft int
-.Fn k_setpag "void"
-.Ft int
-.Fn k_unlog "void"
-.Ft void
-.Fn kafs_set_verbose "void (*func)(void *, const char *, int)" "void *"
-.Ft int
-.Fn kafs_settoken_rxkad "const char *cell" "struct ClearToken *token" "void *ticket" "size_t ticket_len"
-.Ft int
-.Fn kafs_settoken "const char *cell" "uid_t uid" "CREDENTIALS *c"
-.Fn krb_afslog "char *cell" "char *realm"
-.Ft int
-.Fn krb_afslog_uid "char *cell" "char *realm" "uid_t uid"
-.Ft krb5_error_code
-.Fn krb5_afslog_uid "krb5_context context" "krb5_ccache id" "const char *cell" "krb5_const_realm realm" "uid_t uid"
-.Ft int
-.Fn kafs_settoken5 "const char *cell" "uid_t uid" "krb5_creds *c"
-.Ft krb5_error_code
-.Fn krb5_afslog "krb5_context context" "krb5_ccache id" "const char *cell" "krb5_const_realm realm"
-.Sh DESCRIPTION
-.Fn k_hasafs
-initializes some library internal structures, and tests for the
-presence of AFS in the kernel, none of the other functions should be
-called before
-.Fn k_hasafs
-is called, or if it fails.
-.Pp
-.Fn kafs_set_verbose
-set a log function that will be called each time the kafs library does
-something important so that the application using libkafs can output
-verbose logging.
-Calling the function
-.Fa kafs_set_verbose
-with the function argument set to
-.Dv NULL
-will stop libkafs from calling the logging function (if set).
-.Pp
-.Fn kafs_settoken_rxkad
-set
-.Li rxkad
-with the
-.Fa token
-and
-.Fa ticket
-(that have the length
-.Fa ticket_len )
-for a given
-.Fa cell .
-.Pp
-.Fn kafs_settoken
-and
-.Fn kafs_settoken5
-work the same way as
-.Fn kafs_settoken_rxkad
-but internally converts the Kerberos 4 or 5 credential to a afs
-cleartoken and ticket.
-.Pp
-.Fn krb_afslog ,
-and
-.Fn krb_afslog_uid
-obtains new tokens (and possibly tickets) for the specified
-.Fa cell
-and
-.Fa realm .
-If
-.Fa cell
-is
-.Dv NULL ,
-the local cell is used. If
-.Fa realm
-is
-.Dv NULL ,
-the function tries to guess what realm to use. Unless you have some good knowledge of what cell or realm to use, you should pass
-.Dv NULL .
-.Fn krb_afslog
-will use the real user-id for the
-.Dv ViceId
-field in the token,
-.Fn krb_afslog_uid
-will use
-.Fa uid .
-.Pp
-.Fn krb5_afslog ,
-and
-.Fn krb5_afslog_uid
-are the Kerberos 5 equivalents of
-.Fn krb_afslog ,
-and
-.Fn krb_afslog_uid .
-.Pp
-.Fn krb5_afslog ,
-.Fn kafs_settoken5
-can be configured to behave diffrently via a
-.Nm krb5_appdefault
-option
-.Li afs-use-524
-in
-.Pa krb5.conf .
-Possible values for
-.Li afs-use-524
-are:
-.Bl -tag -width local
-.It yes
-use the 524 server in the realm to convert the ticket
-.It no
-use the Kerberos 5 ticket directly, can be used with if the afs cell
-support 2b token.
-.It local, 2b
-convert the Kerberos 5 credential to a 2b token locally (the same work
-as a 2b 524 server should have done).
-.El
-.Pp
-Example:
-.Pp
-.Bd -literal
-[appdefaults]
- SU.SE = { afs-use-524 = local }
- PDC.KTH.SE = { afs-use-524 = yes }
- afs-use-524 = yes
-.Ed
-.Pp
-libkafs will use the
-.Li libkafs
-as application name when running the
-.Nm krb5_appdefault
-function call.
-.Pp
-The (uppercased) cellname is used as the realm to the
-.Nm krb5_appdefault function.
-.Pp
-.\" The extra arguments are the ubiquitous context, and the cache id where
-.\" to store any obtained tickets. Since AFS servers normally can't handle
-.\" Kerberos 5 tickets directly, these functions will first obtain version
-.\" 5 tickets for the requested cells, and then convert them to version 4
-.\" tickets, that can be stashed in the kernel. To convert tickets the
-.\" .Fn krb524_convert_creds_kdc
-.\" function will be used.
-.\" .Pp
-.Fn k_afs_cell_of_file
-will in
-.Fa cell
-return the cell of a specified file, no more than
-.Fa len
-characters is put in
-.Fa cell .
-.Pp
-.Fn k_pioctl
-does a
-.Fn pioctl
-syscall with the specified arguments. This function is equivalent to
-.Fn lpioctl .
-.Pp
-.Fn k_setpag
-initializes a new PAG.
-.Pp
-.Fn k_unlog
-removes destroys all tokens in the current PAG.
-.Sh RETURN VALUES
-.Fn k_hasafs
-returns 1 if AFS is present in the kernel, 0 otherwise.
-.Fn krb_afslog
-and
-.Fn krb_afslog_uid
-returns 0 on success, or a Kerberos error number on failure.
-.Fn k_afs_cell_of_file ,
-.Fn k_pioctl ,
-.Fn k_setpag ,
-and
-.Fn k_unlog
-all return the value of the underlaying system call, 0 on success.
-.Sh ENVIRONMENT
-The following environment variable affect the mode of operation of
-.Nm kafs :
-.Bl -tag -width AFS_SYSCALL
-.It Ev AFS_SYSCALL
-Normally,
-.Nm kafs
-will try to figure out the correct system call(s) that are used by AFS
-by itself. If it does not manage to do that, or does it incorrectly,
-you can set this variable to the system call number or list of system
-call numbers that should be used.
-.El
-.Sh EXAMPLES
-The following code from
-.Nm login
-will obtain a new PAG and tokens for the local cell and the cell of
-the users home directory.
-.Bd -literal
-if (k_hasafs()) {
- char cell[64];
- k_setpag();
- if(k_afs_cell_of_file(pwd->pw_dir, cell, sizeof(cell)) == 0)
- krb_afslog(cell, NULL);
- krb_afslog(NULL, NULL);
-}
-.Ed
-.Sh ERRORS
-If any of these functions (apart from
-.Fn k_hasafs )
-is called without AFS being present in the kernel, the process will
-usually (depending on the operating system) receive a SIGSYS signal.
-.Sh SEE ALSO
-.Rs
-.%A Transarc Corporation
-.%J AFS-3 Programmer's Reference
-.%T File Server/Cache Manager Interface
-.%D 1991
-.Re
-.Pp
-.Xr krb5_appdefaults 3 ,
-.Xr krb5.conf 5
-.Sh BUGS
-.Ev AFS_SYSCALL
-has no effect under AIX.
diff --git a/crypto/heimdal-0.6.3/lib/kafs/kafs.cat3 b/crypto/heimdal-0.6.3/lib/kafs/kafs.cat3
deleted file mode 100644
index 7c962490e9..0000000000
--- a/crypto/heimdal-0.6.3/lib/kafs/kafs.cat3
+++ /dev/null
@@ -1,162 +0,0 @@ - -KAFS(3) UNIX Programmer's Manual KAFS(3) - -NNAAMMEE - kk__hhaassaaffss, kk__ppiiooccttll, kk__uunnlloogg, kk__sseettppaagg, kk__aaffss__cceellll__ooff__ffiillee, - kkaaffss__sseett__vveerrbboossee, kkaaffss__sseettttookkeenn__rrxxkkaadd, kkaaffss__sseettttookkeenn, kkrrbb__aaffsslloogg, - kkrrbb__aaffsslloogg__uuiidd kkaaffss__sseettttookkeenn55, kkrrbb55__aaffsslloogg, kkrrbb55__aaffsslloogg__uuiidd - AFS library - -LLIIBBRRAARRYY - AFS cache manager access library (libkafs, -lkafs) - -SSYYNNOOPPSSIISS - _i_n_t - kk__aaffss__cceellll__ooff__ffiillee(_c_o_n_s_t _c_h_a_r _*_p_a_t_h, _c_h_a_r _*_c_e_l_l, _i_n_t _l_e_n) - - _i_n_t - kk__hhaassaaffss(_v_o_i_d) - - _i_n_t - kk__ppiiooccttll(_c_h_a_r _*_a___p_a_t_h, _i_n_t _o___o_p_c_o_d_e, _s_t_r_u_c_t _V_i_c_e_I_o_c_t_l _*_a___p_a_r_a_m_s_P, - _i_n_t _a___f_o_l_l_o_w_S_y_m_l_i_n_k_s) - - _i_n_t - kk__sseettppaagg(_v_o_i_d) - - _i_n_t - kk__uunnlloogg(_v_o_i_d) - - _v_o_i_d - kkaaffss__sseett__vveerrbboossee(_v_o_i_d _(_*_f_u_n_c_)_(_v_o_i_d _*_, _c_o_n_s_t _c_h_a_r _*_, _i_n_t_), _v_o_i_d _*) - - _i_n_t - kkaaffss__sseettttookkeenn__rrxxkkaadd(_c_o_n_s_t _c_h_a_r _*_c_e_l_l, _s_t_r_u_c_t _C_l_e_a_r_T_o_k_e_n _*_t_o_k_e_n, - _v_o_i_d _*_t_i_c_k_e_t, _s_i_z_e___t _t_i_c_k_e_t___l_e_n) - - _i_n_t - kkaaffss__sseettttookkeenn(_c_o_n_s_t _c_h_a_r _*_c_e_l_l, _u_i_d___t _u_i_d, _C_R_E_D_E_N_T_I_A_L_S _*_c) - - kkrrbb__aaffsslloogg(_c_h_a_r _*_c_e_l_l, _c_h_a_r _*_r_e_a_l_m) - - _i_n_t - kkrrbb__aaffsslloogg__uuiidd(_c_h_a_r _*_c_e_l_l, _c_h_a_r _*_r_e_a_l_m, _u_i_d___t _u_i_d) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__aaffsslloogg__uuiidd(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_c_a_c_h_e _i_d, _c_o_n_s_t _c_h_a_r _*_c_e_l_l, - _k_r_b_5___c_o_n_s_t___r_e_a_l_m _r_e_a_l_m, _u_i_d___t _u_i_d) - - _i_n_t - kkaaffss__sseettttookkeenn55(_c_o_n_s_t _c_h_a_r _*_c_e_l_l, _u_i_d___t _u_i_d, _k_r_b_5___c_r_e_d_s _*_c) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - 
kkrrbb55__aaffsslloogg(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_c_a_c_h_e _i_d, _c_o_n_s_t _c_h_a_r _*_c_e_l_l, - _k_r_b_5___c_o_n_s_t___r_e_a_l_m _r_e_a_l_m) - -DDEESSCCRRIIPPTTIIOONN - kk__hhaassaaffss() initializes some library internal structures, and tests for - the presence of AFS in the kernel, none of the other functions should be - called before kk__hhaassaaffss() is called, or if it fails. - - kkaaffss__sseett__vveerrbboossee() set a log function that will be called each time the - kafs library does something important so that the application using - libkafs can output verbose logging. Calling the function - _k_a_f_s___s_e_t___v_e_r_b_o_s_e with the function argument set to NULL will stop libkafs - from calling the logging function (if set). - - - kkaaffss__sseettttookkeenn__rrxxkkaadd() set rxkad with the _t_o_k_e_n and _t_i_c_k_e_t (that have the - length _t_i_c_k_e_t___l_e_n) for a given _c_e_l_l. - - kkaaffss__sseettttookkeenn() and kkaaffss__sseettttookkeenn55() work the same way as - kkaaffss__sseettttookkeenn__rrxxkkaadd() but internally converts the Kerberos 4 or 5 creden- - tial to a afs cleartoken and ticket. - - kkrrbb__aaffsslloogg(), and kkrrbb__aaffsslloogg__uuiidd() obtains new tokens (and possibly tick- - ets) for the specified _c_e_l_l and _r_e_a_l_m. If _c_e_l_l is NULL, the local cell is - used. If _r_e_a_l_m is NULL, the function tries to guess what realm to use. - Unless you have some good knowledge of what cell or realm to use, you - should pass NULL. kkrrbb__aaffsslloogg() will use the real user-id for the ViceId - field in the token, kkrrbb__aaffsslloogg__uuiidd() will use _u_i_d. - - kkrrbb55__aaffsslloogg(), and kkrrbb55__aaffsslloogg__uuiidd() are the Kerberos 5 equivalents of - kkrrbb__aaffsslloogg(), and kkrrbb__aaffsslloogg__uuiidd(). - - kkrrbb55__aaffsslloogg(), kkaaffss__sseettttookkeenn55() can be configured to behave diffrently - via a kkrrbb55__aappppddeeffaauulltt option afs-use-524 in _k_r_b_5_._c_o_n_f. 
Possible values - for afs-use-524 are: - - yes use the 524 server in the realm to convert the ticket - - no use the Kerberos 5 ticket directly, can be used with if the afs - cell support 2b token. - - local, 2b - convert the Kerberos 5 credential to a 2b token locally (the same - work as a 2b 524 server should have done). - - Example: - - [appdefaults] - SU.SE = { afs-use-524 = local } - PDC.KTH.SE = { afs-use-524 = yes } - afs-use-524 = yes - - libkafs will use the libkafs as application name when running the - kkrrbb55__aappppddeeffaauulltt function call. - - The (uppercased) cellname is used as the realm to the kkrrbb55__aappppddeeffaauulltt - ffuunnccttiioonn.. - - kk__aaffss__cceellll__ooff__ffiillee() will in _c_e_l_l return the cell of a specified file, no - more than _l_e_n characters is put in _c_e_l_l. - - kk__ppiiooccttll() does a ppiiooccttll() syscall with the specified arguments. This - function is equivalent to llppiiooccttll(). - - kk__sseettppaagg() initializes a new PAG. - - kk__uunnlloogg() removes destroys all tokens in the current PAG. - -RREETTUURRNN VVAALLUUEESS - kk__hhaassaaffss() returns 1 if AFS is present in the kernel, 0 otherwise. - kkrrbb__aaffsslloogg() and kkrrbb__aaffsslloogg__uuiidd() returns 0 on success, or a Kerberos er- - ror number on failure. kk__aaffss__cceellll__ooff__ffiillee(), kk__ppiiooccttll(), kk__sseettppaagg(), and - kk__uunnlloogg() all return the value of the underlaying system call, 0 on suc- - cess. - -EENNVVIIRROONNMMEENNTT - The following environment variable affect the mode of operation of kkaaffss: - - AFS_SYSCALL Normally, kkaaffss will try to figure out the correct system - call(s) that are used by AFS by itself. If it does not man- - age to do that, or does it incorrectly, you can set this - variable to the system call number or list of system call - numbers that should be used. 
- -EEXXAAMMPPLLEESS - The following code from llooggiinn will obtain a new PAG and tokens for the - local cell and the cell of the users home directory. - - if (k_hasafs()) { - char cell[64]; - k_setpag(); - if(k_afs_cell_of_file(pwd->pw_dir, cell, sizeof(cell)) == 0) - krb_afslog(cell, NULL); - krb_afslog(NULL, NULL); - } - -EERRRROORRSS - If any of these functions (apart from kk__hhaassaaffss()) is called without AFS - being present in the kernel, the process will usually (depending on the - operating system) receive a SIGSYS signal. - -SSEEEE AALLSSOO - Transarc Corporation, "File Server/Cache Manager Interface", _A_F_S_-_3 - _P_r_o_g_r_a_m_m_e_r_'_s _R_e_f_e_r_e_n_c_e, 1991. - - krb5_appdefaults(3), krb5.conf(5) - -BBUUGGSS - AFS_SYSCALL has no effect under AIX. - - HEIMDAL Mar 17, 2003 3 diff --git a/crypto/heimdal-0.6.3/lib/kafs/kafs.h b/crypto/heimdal-0.6.3/lib/kafs/kafs.h deleted file mode 100644 index f95b7769a4..0000000000 --- a/crypto/heimdal-0.6.3/lib/kafs/kafs.h +++ /dev/null 
@@ -1,208 +0,0 @@
-/*
- * Copyright (c) 1995 - 2001, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: kafs.h,v 1.39.2.1 2003/04/23 18:03:21 lha Exp $ */
-
-#ifndef __KAFS_H
-#define __KAFS_H
-
-/* XXX must include krb5.h or krb.h */
-
-/* sys/ioctl.h must be included manually before kafs.h */
-
-/*
- */
-#define AFSCALL_PIOCTL 20
-#define AFSCALL_SETPAG 21
-
-#ifndef _VICEIOCTL
-#define _VICEIOCTL(id) ((unsigned int ) _IOW('V', id, struct ViceIoctl))
-#endif /* _VICEIOCTL */
-
-#define VIOCSETAL _VICEIOCTL(1)
-#define VIOCGETAL _VICEIOCTL(2)
-#define VIOCSETTOK _VICEIOCTL(3)
-#define VIOCGETVOLSTAT _VICEIOCTL(4)
-#define VIOCSETVOLSTAT _VICEIOCTL(5)
-#define VIOCFLUSH _VICEIOCTL(6)
-#define VIOCGETTOK _VICEIOCTL(8)
-#define VIOCUNLOG _VICEIOCTL(9)
-#define VIOCCKSERV _VICEIOCTL(10)
-#define VIOCCKBACK _VICEIOCTL(11)
-#define VIOCCKCONN _VICEIOCTL(12)
-#define VIOCWHEREIS _VICEIOCTL(14)
-#define VIOCACCESS _VICEIOCTL(20)
-#define VIOCUNPAG _VICEIOCTL(21)
-#define VIOCGETFID _VICEIOCTL(22)
-#define VIOCSETCACHESIZE _VICEIOCTL(24)
-#define VIOCFLUSHCB _VICEIOCTL(25)
-#define VIOCNEWCELL _VICEIOCTL(26)
-#define VIOCGETCELL _VICEIOCTL(27)
-#define VIOC_AFS_DELETE_MT_PT _VICEIOCTL(28)
-#define VIOC_AFS_STAT_MT_PT _VICEIOCTL(29)
-#define VIOC_FILE_CELL_NAME _VICEIOCTL(30)
-#define VIOC_GET_WS_CELL _VICEIOCTL(31)
-#define VIOC_AFS_MARINER_HOST _VICEIOCTL(32)
-#define VIOC_GET_PRIMARY_CELL _VICEIOCTL(33)
-#define VIOC_VENUSLOG _VICEIOCTL(34)
-#define VIOC_GETCELLSTATUS _VICEIOCTL(35)
-#define VIOC_SETCELLSTATUS _VICEIOCTL(36)
-#define VIOC_FLUSHVOLUME _VICEIOCTL(37)
-#define VIOC_AFS_SYSNAME _VICEIOCTL(38)
-#define VIOC_EXPORTAFS _VICEIOCTL(39)
-#define VIOCGETCACHEPARAMS _VICEIOCTL(40)
-#define VIOC_GCPAGS _VICEIOCTL(48)
-
-struct ViceIoctl {
- caddr_t in, out;
- short in_size;
- short out_size;
-};
-
-struct ClearToken {
- int32_t AuthHandle;
- char HandShakeKey[8];
- int32_t ViceId;
- int32_t BeginTimestamp;
- int32_t EndTimestamp;
-};
-
-#ifdef __STDC__
-#ifndef __P
-#define __P(x) x
-#endif
-#else
-#ifndef __P
-#define __P(x) ()
-#endif
-#endif
-
-/* Use k_hasafs() to probe if the machine supports AFS syscalls.
- The other functions will generate a SIGSYS if AFS is not supported */
-
-int k_hasafs __P((void));
-
-int krb_afslog __P((const char *cell, const char *realm));
-int krb_afslog_uid __P((const char *cell, const char *realm, uid_t uid));
-int krb_afslog_home __P((const char *cell, const char *realm,
- const char *homedir));
-int krb_afslog_uid_home __P((const char *cell, const char *realm, uid_t uid,
- const char *homedir));
-
-int krb_realm_of_cell __P((const char *cell, char **realm));
-
-/* compat */
-#define k_afsklog krb_afslog
-#define k_afsklog_uid krb_afslog_uid
-
-int k_pioctl __P((char *a_path,
- int o_opcode,
- struct ViceIoctl *a_paramsP,
- int a_followSymlinks));
-int k_unlog __P((void));
-int k_setpag __P((void));
-int k_afs_cell_of_file __P((const char *path, char *cell, int len));
-
-
-
-/* XXX */
-#ifdef KFAILURE
-#define KRB_H_INCLUDED
-#endif
-
-#ifdef KRB5_RECVAUTH_IGNORE_VERSION
-#define KRB5_H_INCLUDED
-#endif
-
-void kafs_set_verbose __P((void (*kafs_verbose)(void *, const char *), void *));
-int kafs_settoken_rxkad __P((const char *, struct ClearToken *,
- void *ticket, size_t ticket_len));
-#ifdef KRB_H_INCLUDED
-int kafs_settoken __P((const char*, uid_t, CREDENTIALS*));
-#endif
-#ifdef KRB5_H_INCLUDED
-int kafs_settoken5 __P((krb5_context, const char*, uid_t, krb5_creds*));
-#endif
-
-
-#ifdef KRB5_H_INCLUDED
-krb5_error_code krb5_afslog_uid __P((krb5_context context,
- krb5_ccache id,
- const char *cell,
- krb5_const_realm realm,
- uid_t uid));
-krb5_error_code krb5_afslog __P((krb5_context context,
- krb5_ccache id,
- const char *cell,
- krb5_const_realm realm));
-krb5_error_code krb5_afslog_uid_home __P((krb5_context context,
- krb5_ccache id,
- const char *cell,
- krb5_const_realm realm,
- uid_t uid,
- const char *homedir));
-
-krb5_error_code krb5_afslog_home __P((krb5_context context,
- krb5_ccache id,
- const char *cell,
- krb5_const_realm realm,
- const char *homedir));
-
-krb5_error_code krb5_realm_of_cell __P((const char *cell, char **realm));
-
-#endif
-
-
-#define _PATH_VICE "/usr/vice/etc/"
-#define _PATH_THISCELL _PATH_VICE "ThisCell"
-#define _PATH_CELLSERVDB _PATH_VICE "CellServDB"
-#define _PATH_THESECELLS _PATH_VICE "TheseCells"
-
-#define _PATH_ARLA_VICE "/usr/arla/etc/"
-#define _PATH_ARLA_THISCELL _PATH_ARLA_VICE "ThisCell"
-#define _PATH_ARLA_CELLSERVDB _PATH_ARLA_VICE "CellServDB"
-#define _PATH_ARLA_THESECELLS _PATH_ARLA_VICE "TheseCells"
-
-#define _PATH_OPENAFS_DEBIAN_VICE "/etc/openafs/"
-#define _PATH_OPENAFS_DEBIAN_THISCELL _PATH_OPENAFS_DEBIAN_VICE "ThisCell"
-#define _PATH_OPENAFS_DEBIAN_CELLSERVDB _PATH_OPENAFS_DEBIAN_VICE "CellServDB"
-#define _PATH_OPENAFS_DEBIAN_THESECELLS _PATH_OPENAFS_DEBIAN_VICE "TheseCells"
-
-#define _PATH_ARLA_DEBIAN_VICE "/etc/arla/"
-#define _PATH_ARLA_DEBIAN_THISCELL _PATH_ARLA_DEBIAN_VICE "ThisCell"
-#define _PATH_ARLA_DEBIAN_CELLSERVDB _PATH_ARLA_DEBIAN_VICE "CellServDB"
-#define _PATH_ARLA_DEBIAN_THESECELLS _PATH_ARLA_DEBIAN_VICE "TheseCells"
-
-extern int _kafs_debug;
-
-#endif /* __KAFS_H */
diff --git a/crypto/heimdal-0.6.3/lib/kafs/kafs_locl.h b/crypto/heimdal-0.6.3/lib/kafs/kafs_locl.h
deleted file mode 100644
index e82b81bf98..0000000000
--- a/crypto/heimdal-0.6.3/lib/kafs/kafs_locl.h
+++ /dev/null
@@ -1,157 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: kafs_locl.h,v 1.17 2003/04/14 08:28:37 lha Exp $ */
-
-#ifndef __KAFS_LOCL_H__
-#define __KAFS_LOCL_H__
-
-#ifdef HAVE_CONFIG_H
-#include
-#endif
-
-#include
-#include
-#include
-#include
-#include
-#include
-
-#ifdef HAVE_SYS_TYPES_H
-#include
-#endif
-#ifdef HAVE_UNISTD_H
-#include
-#endif
-#if defined(HAVE_SYS_IOCTL_H) && SunOS != 40
-#include
-#endif
-#ifdef HAVE_SYS_FILIO_H
-#include
-#endif
-
-#ifdef HAVE_SYS_SYSCALL_H
-#include
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include
-#endif
-#ifdef HAVE_NETINET_IN6_H
-#include
-#endif
-#ifdef HAVE_NETINET6_IN6_H
-#include
-#endif
-
-#ifdef HAVE_NETDB_H
-#include
-#endif
-
-#ifdef HAVE_ARPA_NAMESER_H
-#include
-#endif
-#ifdef HAVE_RESOLV_H
-#include
-#endif
-#include
-
-#ifdef KRB5
-#include
-#endif
-#ifdef KRB4
-#include
-#else
-#ifdef KRB5
-#include "crypto-headers.h"
-#include
-typedef struct credentials CREDENTIALS;
-#endif /* KRB5 */
-#endif /* KRB4 */
-#include
-
-#include
-
-#include "afssysdefs.h"
-
-struct kafs_data;
-struct kafs_token;
-typedef int (*afslog_uid_func_t)(struct kafs_data *,
- const char *,
- const char *,
- uid_t,
- const char *);
-
-typedef int (*get_cred_func_t)(struct kafs_data*, const char*, const char*,
- const char*, uid_t, struct kafs_token *);
-
-typedef char* (*get_realm_func_t)(struct kafs_data*, const char*);
-
-typedef struct kafs_data {
- const char *name;
- afslog_uid_func_t afslog_uid;
- get_cred_func_t get_cred;
- get_realm_func_t get_realm;
- void *data;
-} kafs_data;
-
-struct kafs_token {
- struct ClearToken ct;
- void *ticket;
- size_t ticket_len;
-};
-
-void _kafs_foldup(char *, const char *);
-
-int _kafs_afslog_all_local_cells(kafs_data*, uid_t, const char*);
-
-int _kafs_get_cred(kafs_data*, const char*, const char*, const char *,
- uid_t, struct kafs_token *);
-
-int
-_kafs_realm_of_cell(kafs_data *, const char *, char **);
-
-int
-_kafs_v4_to_kt(CREDENTIALS *, uid_t, struct kafs_token *);
-
-void
-_kafs_fixup_viceid(struct ClearToken *, uid_t);
-
-#ifdef _AIX
-int aix_pioctl(char*, int, struct ViceIoctl*, int);
-int aix_setpag(void);
-#endif
-
-#endif /* __KAFS_LOCL_H__ */
diff --git a/crypto/heimdal-0.6.3/lib/kafs/roken_rename.h b/crypto/heimdal-0.6.3/lib/kafs/roken_rename.h
deleted file mode 100644
index fbb653dc93..0000000000
--- a/crypto/heimdal-0.6.3/lib/kafs/roken_rename.h
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
- * Copyright (c) 2001-2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: roken_rename.h,v 1.6 2002/08/19 15:08:24 joda Exp $ */
-
-#ifndef __roken_rename_h__
-#define __roken_rename_h__
-
-/*
- * Libroken routines that are added libkafs
- */
-
-#define _resolve_debug _kafs_resolve_debug
-
-#define rk_dns_free_data _kafs_dns_free_data
-#define rk_dns_lookup _kafs_dns_lookup
-#define rk_dns_string_to_type _kafs_dns_string_to_type
-#define rk_dns_type_to_string _kafs_dns_type_to_string
-#define rk_dns_srv_order _kafs_dns_srv_order
-
-#ifndef HAVE_STRTOK_R
-#define strtok_r _kafs_strtok_r
-#endif
-#ifndef HAVE_STRLCPY
-#define strlcpy _kafs_strlcpy
-#endif
-#ifndef HAVE_STRSEP
-#define strsep _kafs_strsep
-#endif
-
-#endif /* __roken_rename_h__ */
diff --git a/crypto/heimdal-0.6.3/lib/kdfs/ChangeLog b/crypto/heimdal-0.6.3/lib/kdfs/ChangeLog
deleted file mode 100644
index c4bc2a367c..0000000000
--- a/crypto/heimdal-0.6.3/lib/kdfs/ChangeLog
+++ /dev/null
@@ -1,28 +0,0 @@
-2002-08-12 Johan Danielsson
-
- * k5dfspag.c: don't use ## in string concatenation
-
-2002-03-11 Assar Westerlund
-
- * Makefile.am (libkdfs_la_LDFLAGS): set versoin to 0:2:0
-
-2002-01-23 Assar Westerlund
-
- * k5dfspag.c: use SIG_DFL and not SIG_IGN for SIGCHLD.
- from "Todd C. Miller"
-
-2001-02-07 Assar Westerlund
-
- * k5dfspag.c: add config.h
-
-2000-12-11 Assar Westerlund
-
- * Makefile.am (libkdfs_la_LDFLAGS): set version to 0:1:0
-
-2000-07-02 Assar Westerlund
-
- * k5dfspag.c: use krb5.h instead of krb5_locl.h
-
- * initial import from Ake Sandgren
-
-
diff --git a/crypto/heimdal-0.6.3/lib/kdfs/Makefile.am b/crypto/heimdal-0.6.3/lib/kdfs/Makefile.am
deleted file mode 100644
index 7e0e6d5637..0000000000
--- a/crypto/heimdal-0.6.3/lib/kdfs/Makefile.am
+++ /dev/null
@@ -1,10 +0,0 @@
-# $Id: Makefile.am,v 1.3 2002/03/10 23:53:22 assar Exp $
-
-include $(top_srcdir)/Makefile.am.common
-
-lib_LTLIBRARIES = libkdfs.la
-
-libkdfs_la_SOURCES = \
- k5dfspag.c
-
-libkdfs_la_LDFLAGS = -version-info 0:2:0
diff --git a/crypto/heimdal-0.6.3/lib/kdfs/Makefile.in b/crypto/heimdal-0.6.3/lib/kdfs/Makefile.in deleted file mode 100644 index 523dc5fceb..0000000000 --- a/crypto/heimdal-0.6.3/lib/kdfs/Makefile.in +++ /dev/null 
@@ -1,754 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.3 2002/03/10 23:53:22 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - -SOURCES = $(libkdfs_la_SOURCES) - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../.. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ - $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common ChangeLog -subdir = lib/kdfs -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - $(top_srcdir)/cf/krb-struct-spwd.m4 \ - 
$(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -am__installdirs = "$(DESTDIR)$(libdir)" -libLTLIBRARIES_INSTALL = $(INSTALL) -LTLIBRARIES = $(lib_LTLIBRARIES) -libkdfs_la_LIBADD = -am_libkdfs_la_OBJECTS = k5dfspag.lo -libkdfs_la_OBJECTS = $(am_libkdfs_la_OBJECTS) -DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -SOURCES = $(libkdfs_la_SOURCES) -DIST_SOURCES = $(libkdfs_la_SOURCES) -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = 
@CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = 
@LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = 
@PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = 
@target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -lib_LTLIBRARIES = libkdfs.la -libkdfs_la_SOURCES = \ - k5dfspag.c - -libkdfs_la_LDFLAGS = -version-info 0:2:0 -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps lib/kdfs/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps lib/kdfs/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' 
in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -install-libLTLIBRARIES: $(lib_LTLIBRARIES) - @$(NORMAL_INSTALL) - test -z "$(libdir)" || $(mkdir_p) "$(DESTDIR)$(libdir)" - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - if test -f $$p; then \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \ - $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \ - else :; fi; \ - done - -uninstall-libLTLIBRARIES: - @$(NORMAL_UNINSTALL) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - p="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \ - $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \ - done - -clean-libLTLIBRARIES: - -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ - test "$$dir" = "$$p" && dir=.; \ - echo "rm -f \"$${dir}/so_locations\""; \ - rm -f "$${dir}/so_locations"; \ - done -libkdfs.la: $(libkdfs_la_OBJECTS) $(libkdfs_la_DEPENDENCIES) - $(LINK) -rpath $(libdir) $(libkdfs_la_LDFLAGS) $(libkdfs_la_OBJECTS) $(libkdfs_la_LIBADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - 
-distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c $< - -.c.obj: - $(COMPILE) -c `$(CYGPATH_W) '$<'` - -.c.lo: - $(LTCOMPILE) -c -o $@ $< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/../.. 
$(distdir)/../../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(LTLIBRARIES) all-local -installdirs: - for dir in "$(DESTDIR)$(libdir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." 
-clean: clean-am - -clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ - mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: install-libLTLIBRARIES - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-info-am uninstall-libLTLIBRARIES - -.PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \ - clean clean-generic clean-libLTLIBRARIES clean-libtool ctags \ - distclean distclean-compile distclean-generic \ - distclean-libtool distclean-tags distdir dvi dvi-am html \ - html-am info info-am install install-am install-data \ - install-data-am install-exec install-exec-am install-info \ - install-info-am install-libLTLIBRARIES install-man \ - install-strip installcheck installcheck-am installdirs \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ - pdf pdf-am ps ps-am tags uninstall uninstall-am \ - uninstall-info-am uninstall-libLTLIBRARIES - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - 
@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - 
case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal-0.6.3/lib/kdfs/k5dfspag.c b/crypto/heimdal-0.6.3/lib/kdfs/k5dfspag.c deleted file mode 100644 index 84161b84b6..0000000000 --- a/crypto/heimdal-0.6.3/lib/kdfs/k5dfspag.c +++ /dev/null 
@@ -1,368 +0,0 @@ -/* - * lib/krb5/os/k5dfspag.c - * - * New Kerberos module to issue the DFS PAG syscalls. - * It also contains the routine to fork and exec the - * k5dcecon routine to do most of the work. - * - * This file is designed to be as independent of DCE - * and DFS as possible. The only dependencies are on - * the syscall numbers. If DFS not running or not installed, - * the sig handlers will catch and the signal and - * will continue. - * - * krb5_dfs_newpag and krb5_dfs_getpag should not be real - * Kerberos routines, since they should be setpag and getpag - * in the DCE library, but without the DCE baggage. - * Thus they don't have context, and don't return a krb5 error. - * - * - * - * krb5_dfs_pag() - */ - -#ifdef HAVE_CONFIG_H -#include -#endif - -RCSID("$Id: k5dfspag.c,v 1.6 2002/08/12 15:11:58 joda Exp $"); - -#include - -#ifdef DCE - -#include -#include -#include -#include -#include - -/* Only run this DFS PAG code on systems with POSIX - * All that we are interested in dor:, AIX 4.x, - * Solaris 2.5.x, HPUX 10.x Even SunOS 4.1.4, AIX 3.2.5 - * and SGI 5.3 are OK. This simplifies - * the build/configure which I don't want to change now. - * All of them also have waitpid as well. 
- */ - -#define POSIX_SETJMP -#define POSIX_SIGNALS -#define HAVE_WAITPID - -#include -#include -#ifndef POSIX_SETJMP -#undef sigjmp_buf -#undef sigsetjmp -#undef siglongjmp -#define sigjmp_buf jmp_buf -#define sigsetjmp(j,s) setjmp(j) -#define siglongjmp longjmp -#endif - -#ifdef POSIX_SIGNALS -typedef struct sigaction handler; -#define handler_init(H,F) (sigemptyset(&(H).sa_mask), \ - (H).sa_flags=0, \ - (H).sa_handler=(F)) -#define handler_swap(S,NEW,OLD) sigaction(S, &NEW, &OLD) -#define handler_set(S,OLD) sigaction(S, &OLD, NULL) -#else -typedef sigtype (*handler)(); -#define handler_init(H,F) ((H) = (F)) -#define handler_swap(S,NEW,OLD) ((OLD) = signal ((S), (NEW))) -#define handler_set(S,OLD) (signal ((S), (OLD))) -#endif - -#define krb5_sigtype void -#define WAIT_USES_INT -typedef krb5_sigtype sigtype; - - -/* - * Need some syscall numbers based on different systems. - * These are based on: - * HPUX 10.10 /opt/dce/include/dcedfs/syscall.h - * Solaris 2.5 /opt/dcelocal/share/include/dcedfs/syscall.h - * AIX 4.2 - needs some funny games with load and kafs_syscall - * to get the kernel extentions. There should be a better way! 
- * - * DEE 5/27/97 - * - */ - - -#define AFSCALL_SETPAG 2 -#define AFSCALL_GETPAG 11 - -#if defined(sun) -#define AFS_SYSCALL 72 - -#elif defined(hpux) -/* assume HPUX 10 + or is it 50 */ -#define AFS_SYSCALL 326 - -#elif defined(_AIX) -#ifndef DPAGAIX -#define DPAGAIX LIBEXECDIR "/dpagaix" -#endif -int *load(); -static int (*dpagaix)(int, int, int, int, int, int) = 0; - -#elif defined(sgi) || defined(_sgi) -#define AFS_SYSCALL 206+1000 - -#else -#define AFS_SYSCALL (Unknown_DFS_AFS_SYSCALL) -#endif - - -#ifdef WAIT_USES_INT - int wait_status; -#else /* WAIT_USES_INT */ - union wait wait_status; -#endif /* WAIT_USES_INT */ - -#ifndef K5DCECON -#define K5DCECON LIBEXECDIR "/k5dcecon" -#endif - -/* - * mysig() - * - * signal handler if DFS not running - * - */ - -static sigjmp_buf setpag_buf; - -static sigtype mysig() -{ - siglongjmp(setpag_buf, 1); -} - -/* - * krb5_dfs_pag_syscall() - * - * wrapper for the syscall with signal handlers - * - */ - -static int krb5_dfs_pag_syscall(opt1,opt2) - int opt1; - int opt2; -{ - handler sa1, osa1; - handler sa2, osa2; - int pag = -2; - - handler_init (sa1, mysig); - handler_init (sa2, mysig); - handler_swap (SIGSYS, sa1, osa1); - handler_swap (SIGSEGV, sa2, osa2); - - if (sigsetjmp(setpag_buf, 1) == 0) { - -#if defined(_AIX) - if (!dpagaix) - dpagaix = load(DPAGAIX, 0, 0); - if (dpagaix) - pag = (*dpagaix)(opt1, opt2, 0, 0, 0, 0); -#else - pag = syscall(AFS_SYSCALL, opt1, opt2, 0, 0, 0, 0); -#endif - - handler_set (SIGSYS, osa1); - handler_set (SIGSEGV, osa2); - return(pag); - } - - /* syscall failed! return 0 */ - handler_set (SIGSYS, osa1); - handler_set (SIGSEGV, osa2); - return(-2); -} - -/* - * krb5_dfs_newpag() - * - * issue a DCE/DFS setpag system call to set the newpag - * for this process. This takes advantage of a currently - * undocumented feature of the Transarc port of DFS. 
- * Even in DCE 1.2.2 for which the source is available, - * (but no vendors have released), this feature is not - * there, but it should be, or could be added. - * If new_pag is zero, then the syscall will get a new pag - * and return its value. - */ - -int krb5_dfs_newpag(new_pag) - int new_pag; -{ - return(krb5_dfs_pag_syscall(AFSCALL_SETPAG, new_pag)); -} - -/* - * krb5_dfs_getpag() - * - * get the current PAG. Used mostly as a test. - */ - -int krb5_dfs_getpag() -{ - return(krb5_dfs_pag_syscall(AFSCALL_GETPAG, 0)); -} - -/* - * krb5_dfs_pag() - * - * Given a principal and local username, - * fork and exec the k5dcecon module to create - * refresh or join a new DCE/DFS - * Process Authentication Group (PAG) - * - * This routine should be called after krb5_kuserok has - * determined that this combination of local user and - * principal are acceptable for the local host. - * - * It should also be called after a forwarded ticket has - * been received, and the KRB5CCNAME environment variable - * has been set to point at it. k5dcecon will convert this - * to a new DCE context and a new pag and replace KRB5CCNAME - * in the environment. - * - * If there is no forwarded ticket, k5dcecon will attempt - * to join an existing PAG for the same principal and local - * user. - * - * And it should be called before access to the home directory - * as this may be in DFS, not accessable by root, and require - * the PAG to have been setup. - * - * The krb5_afs_pag can be called after this routine to - * use the the cache obtained by k5dcecon to get an AFS token. 
- * DEE - 7/97 - */ - -int krb5_dfs_pag(context, flag, principal, luser) - krb5_context context; - int flag; /* 1 if a forwarded TGT is to be used */ - krb5_principal principal; - const char *luser; - -{ - - struct stat stx; - int fd[2]; - int i,j; - int pid; - int new_pag; - int pag; - char newccname[MAXPATHLEN] = ""; - char *princ; - int err; - struct sigaction newsig, oldsig; - -#ifdef WAIT_USES_INT - int wait_status; -#else /* WAIT_USES_INT */ - union wait wait_status; -#endif /* WAIT_USES_INT */ - - if (krb5_unparse_name(context, principal, &princ)) - return(0); - - /* test if DFS is running or installed */ - if (krb5_dfs_getpag() == -2) - return(0); /* DFS not running, dont try */ - - if (pipe(fd) == -1) - return(0); - - /* Make sure that telnetd.c's SIGCHLD action don't happen right now... */ - memset((char *)&newsig, 0, sizeof(newsig)); - newsig.sa_handler = SIG_DFL; - sigaction(SIGCHLD, &newsig, &oldsig); - - pid = fork(); - if (pid <0) - return(0); - - if (pid == 0) { /* child process */ - - close(1); /* close stdout */ - dup(fd[1]); /* point stdout at pipe here */ - close(fd[0]); /* don't use end of pipe here */ - close(fd[1]); /* pipe now as stdout */ - - execl(K5DCECON, "k5dcecon", - (flag) ? 
"-f" : "-s" , - "-l", luser, - "-p", princ, (char *)0); - - exit(127); /* incase execl fails */ - } - - /* parent, wait for child to finish */ - - close(fd[1]); /* dont need this end of pipe */ - -/* #if defined(sgi) || defined(_sgi) */ - /* wait_status.w_status = 0; */ - /* waitpid((pid_t) pid, &wait_status.w_status, 0); */ -/* #else */ - - - wait_status = 0; -#ifdef HAVE_WAITPID - err = waitpid((pid_t) pid, &wait_status, 0); -#else /* HAVE_WAITPID */ - err = wait4(pid, &wait_status, 0, (struct rusage *) NULL); -#endif /* HAVE_WAITPID */ -/* #endif */ - - sigaction(SIGCHLD, &oldsig, 0); - if (WIFEXITED(wait_status)){ - if (WEXITSTATUS(wait_status) == 0) { - i = 1; - j = 0; - while (i != 0) { - i = read(fd[0], &newccname[j], sizeof(newccname)-1-j); - if ( i > 0) - j += i; - if (j >= sizeof(newccname)-1) - i = 0; - } - close(fd[0]); - if (j > 0) { - newccname[j] = '\0'; - esetenv("KRB5CCNAME",newccname,1); - sscanf(&newccname[j-8],"%8x",&new_pag); - if (new_pag && strncmp("FILE:/opt/dcelocal/var/security/creds/dcecred_", newccname, 46) == 0) { - if((pag = krb5_dfs_newpag(new_pag)) != -2) { - return(pag); - } - } - } - } - } - return(0); /* something not right */ -} - -#else /* DCE */ - -/* - * krb5_dfs_pag - dummy version for the lib for systems - * which don't have DFS, or the needed setpag kernel code. - */ - -krb5_boolean -krb5_dfs_pag(context, principal, luser) - krb5_context context; - krb5_principal principal; - const char *luser; -{ - return(0); -} - -#endif /* DCE */ diff --git a/crypto/heimdal-0.6.3/lib/krb5/Makefile.am b/crypto/heimdal-0.6.3/lib/krb5/Makefile.am deleted file mode 100644 index 7ca638bcbd..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/Makefile.am +++ /dev/null 
@@ -1,196 +0,0 @@ -# $Id: Makefile.am,v 1.156.2.4 2004/06/21 10:52:01 lha Exp $ - -include $(top_srcdir)/Makefile.am.common - -INCLUDES += $(INCLUDE_krb4) $(INCLUDE_des) -I../com_err -I$(srcdir)/../com_err - -bin_PROGRAMS = verify_krb5_conf - -noinst_PROGRAMS = dump_config test_get_addrs krbhst-test test_alname - -TESTS = \ - aes-test \ - n-fold-test \ - string-to-key-test \ - derived-key-test \ - store-test \ - parse-name-test \ - test_cc \ - name-45-test - -check_PROGRAMS = $(TESTS) - -LDADD = libkrb5.la \ - $(LIB_des) \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_roken) - -libkrb5_la_LIBADD = \ - ../com_err/error.lo ../com_err/com_err.lo \ - $(LIB_des) \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_roken) - -lib_LTLIBRARIES = libkrb5.la - -ERR_FILES = krb5_err.c heim_err.c k524_err.c - -libkrb5_la_SOURCES = \ - acl.c \ - add_et_list.c \ - addr_families.c \ - aname_to_localname.c \ - appdefault.c \ - asn1_glue.c \ - auth_context.c \ - build_ap_req.c \ - build_auth.c \ - cache.c \ - changepw.c \ - codec.c \ - config_file.c \ - config_file_netinfo.c \ - convert_creds.c \ - constants.c \ - context.c \ - copy_host_realm.c \ - crc.c \ - creds.c \ - crypto.c \ - data.c \ - eai_to_heim_errno.c \ - error_string.c \ - expand_hostname.c \ - fcache.c \ - free.c \ - free_host_realm.c \ - generate_seq_number.c \ - generate_subkey.c \ - get_addrs.c \ - get_cred.c \ - get_default_principal.c \ - get_default_realm.c \ - get_for_creds.c \ - get_host_realm.c \ - get_in_tkt.c \ - get_in_tkt_pw.c \ - get_in_tkt_with_keytab.c \ - get_in_tkt_with_skey.c \ - get_port.c \ - init_creds.c \ - init_creds_pw.c \ - keyblock.c \ - keytab.c \ - keytab_any.c \ - keytab_file.c \ - keytab_memory.c \ - keytab_keyfile.c \ - keytab_krb4.c \ - krbhst.c \ - kuserok.c \ - log.c \ - mcache.c \ - misc.c \ - mk_error.c \ - mk_priv.c \ - mk_rep.c \ - mk_req.c \ - mk_req_ext.c \ - mk_safe.c \ - net_read.c \ - net_write.c \ - n-fold.c \ - padata.c \ - principal.c \ - prog_setup.c \ - prompter_posix.c 
\ - rd_cred.c \ - rd_error.c \ - rd_priv.c \ - rd_rep.c \ - rd_req.c \ - rd_safe.c \ - read_message.c \ - recvauth.c \ - replay.c \ - send_to_kdc.c \ - sendauth.c \ - set_default_realm.c \ - sock_principal.c \ - store.c \ - store-int.h \ - store_emem.c \ - store_fd.c \ - store_mem.c \ - ticket.c \ - time.c \ - transited.c \ - verify_init.c \ - verify_user.c \ - version.c \ - warn.c \ - write_message.c \ - $(ERR_FILES) - -libkrb5_la_LDFLAGS = -version-info 20:0:3 - -$(libkrb5_la_OBJECTS): $(srcdir)/krb5-protos.h $(srcdir)/krb5-private.h - -$(srcdir)/krb5-protos.h: - cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -o krb5-protos.h $(libkrb5_la_SOURCES) || rm -f krb5-protos.h - -$(srcdir)/krb5-private.h: - cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p krb5-private.h $(libkrb5_la_SOURCES) || rm -f krb5-private.h - -#libkrb5_la_LIBADD = ../com_err/error.lo ../com_err/com_err.lo - -man_MANS = \ - kerberos.8 \ - krb5.3 \ - krb5.conf.5 \ - krb5_425_conv_principal.3 \ - krb5_address.3 \ - krb5_aname_to_localname.3 \ - krb5_appdefault.3 \ - krb5_auth_context.3 \ - krb5_build_principal.3 \ - krb5_ccache.3 \ - krb5_config.3 \ - krb5_context.3 \ - krb5_create_checksum.3 \ - krb5_crypto_init.3 \ - krb5_data.3 \ - krb5_encrypt.3 \ - krb5_free_addresses.3 \ - krb5_free_principal.3 \ - krb5_get_all_client_addrs.3 \ - krb5_get_krbhst.3 \ - krb5_init_context.3 \ - krb5_keytab.3 \ - krb5_krbhst_init.3 \ - krb5_kuserok.3 \ - krb5_openlog.3 \ - krb5_parse_name.3 \ - krb5_principal_get_realm.3 \ - krb5_set_default_realm.3 \ - krb5_set_password.3 \ - krb5_sname_to_principal.3 \ - krb5_timeofday.3 \ - krb5_unparse_name.3 \ - krb5_verify_user.3 \ - krb5_warn.3 \ - verify_krb5_conf.8 - -include_HEADERS = krb5.h krb5-protos.h krb5-private.h krb5_err.h heim_err.h k524_err.h - -CLEANFILES = krb5_err.c krb5_err.h heim_err.c heim_err.h k524_err.c k524_err.h - -$(libkrb5_la_OBJECTS): krb5_err.h heim_err.h k524_err.h - -# to help stupid solaris make - -krb5_err.h: 
krb5_err.et - -heim_err.h: heim_err.et - -k524_err.h: k524_err.et diff --git a/crypto/heimdal-0.6.3/lib/krb5/Makefile.in b/crypto/heimdal-0.6.3/lib/krb5/Makefile.in deleted file mode 100644 index 78017a784c..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/Makefile.in +++ /dev/null 
@@ -1,1365 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.156.2.4 2004/06/21 10:52:01 lha Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - - - -SOURCES = $(libkrb5_la_SOURCES) aes-test.c derived-key-test.c dump_config.c krbhst-test.c n-fold-test.c name-45-test.c parse-name-test.c store-test.c string-to-key-test.c test_alname.c test_cc.c test_get_addrs.c verify_krb5_conf.c - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../.. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(include_HEADERS) $(srcdir)/Makefile.am \ - $(srcdir)/Makefile.in $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common -bin_PROGRAMS = verify_krb5_conf$(EXEEXT) -noinst_PROGRAMS = dump_config$(EXEEXT) test_get_addrs$(EXEEXT) \ - krbhst-test$(EXEEXT) test_alname$(EXEEXT) -check_PROGRAMS = $(am__EXEEXT_1) -subdir = lib/krb5 -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - 
$(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - $(top_srcdir)/cf/krb-struct-spwd.m4 \ - $(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(includedir)" -libLTLIBRARIES_INSTALL = $(INSTALL) -LTLIBRARIES = $(lib_LTLIBRARIES) -am__DEPENDENCIES_1 = -libkrb5_la_DEPENDENCIES = ../com_err/error.lo ../com_err/com_err.lo \ - $(am__DEPENDENCIES_1) $(top_builddir)/lib/asn1/libasn1.la \ - $(am__DEPENDENCIES_1) -am__objects_1 = krb5_err.lo heim_err.lo k524_err.lo -am_libkrb5_la_OBJECTS = acl.lo add_et_list.lo addr_families.lo \ - aname_to_localname.lo appdefault.lo asn1_glue.lo \ - auth_context.lo build_ap_req.lo build_auth.lo cache.lo \ - changepw.lo codec.lo config_file.lo config_file_netinfo.lo \ - convert_creds.lo constants.lo context.lo copy_host_realm.lo \ - crc.lo creds.lo crypto.lo data.lo eai_to_heim_errno.lo \ - error_string.lo expand_hostname.lo fcache.lo free.lo \ - free_host_realm.lo generate_seq_number.lo generate_subkey.lo \ - get_addrs.lo get_cred.lo get_default_principal.lo \ - get_default_realm.lo get_for_creds.lo get_host_realm.lo \ - get_in_tkt.lo get_in_tkt_pw.lo get_in_tkt_with_keytab.lo \ - 
get_in_tkt_with_skey.lo get_port.lo init_creds.lo \ - init_creds_pw.lo keyblock.lo keytab.lo keytab_any.lo \ - keytab_file.lo keytab_memory.lo keytab_keyfile.lo \ - keytab_krb4.lo krbhst.lo kuserok.lo log.lo mcache.lo misc.lo \ - mk_error.lo mk_priv.lo mk_rep.lo mk_req.lo mk_req_ext.lo \ - mk_safe.lo net_read.lo net_write.lo n-fold.lo padata.lo \ - principal.lo prog_setup.lo prompter_posix.lo rd_cred.lo \ - rd_error.lo rd_priv.lo rd_rep.lo rd_req.lo rd_safe.lo \ - read_message.lo recvauth.lo replay.lo send_to_kdc.lo \ - sendauth.lo set_default_realm.lo sock_principal.lo store.lo \ - store_emem.lo store_fd.lo store_mem.lo ticket.lo time.lo \ - transited.lo verify_init.lo verify_user.lo version.lo warn.lo \ - write_message.lo $(am__objects_1) -libkrb5_la_OBJECTS = $(am_libkrb5_la_OBJECTS) -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -am__EXEEXT_1 = aes-test$(EXEEXT) n-fold-test$(EXEEXT) \ - string-to-key-test$(EXEEXT) derived-key-test$(EXEEXT) \ - store-test$(EXEEXT) parse-name-test$(EXEEXT) test_cc$(EXEEXT) \ - name-45-test$(EXEEXT) -PROGRAMS = $(bin_PROGRAMS) $(noinst_PROGRAMS) -aes_test_SOURCES = aes-test.c -aes_test_OBJECTS = aes-test.$(OBJEXT) -aes_test_LDADD = $(LDADD) -aes_test_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \ - $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) -derived_key_test_SOURCES = derived-key-test.c -derived_key_test_OBJECTS = derived-key-test.$(OBJEXT) -derived_key_test_LDADD = $(LDADD) -derived_key_test_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \ - $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) -dump_config_SOURCES = dump_config.c -dump_config_OBJECTS = dump_config.$(OBJEXT) -dump_config_LDADD = $(LDADD) -dump_config_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \ - $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) -krbhst_test_SOURCES = krbhst-test.c -krbhst_test_OBJECTS = krbhst-test.$(OBJEXT) -krbhst_test_LDADD = $(LDADD) -krbhst_test_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \ - 
$(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) -n_fold_test_SOURCES = n-fold-test.c -n_fold_test_OBJECTS = n-fold-test.$(OBJEXT) -n_fold_test_LDADD = $(LDADD) -n_fold_test_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \ - $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) -name_45_test_SOURCES = name-45-test.c -name_45_test_OBJECTS = name-45-test.$(OBJEXT) -name_45_test_LDADD = $(LDADD) -name_45_test_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \ - $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) -parse_name_test_SOURCES = parse-name-test.c -parse_name_test_OBJECTS = parse-name-test.$(OBJEXT) -parse_name_test_LDADD = $(LDADD) -parse_name_test_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \ - $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) -store_test_SOURCES = store-test.c -store_test_OBJECTS = store-test.$(OBJEXT) -store_test_LDADD = $(LDADD) -store_test_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \ - $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) -string_to_key_test_SOURCES = string-to-key-test.c -string_to_key_test_OBJECTS = string-to-key-test.$(OBJEXT) -string_to_key_test_LDADD = $(LDADD) -string_to_key_test_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \ - $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) -test_alname_SOURCES = test_alname.c -test_alname_OBJECTS = test_alname.$(OBJEXT) -test_alname_LDADD = $(LDADD) -test_alname_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \ - $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) -test_cc_SOURCES = test_cc.c -test_cc_OBJECTS = test_cc.$(OBJEXT) -test_cc_LDADD = $(LDADD) -test_cc_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \ - $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) -test_get_addrs_SOURCES = test_get_addrs.c -test_get_addrs_OBJECTS = test_get_addrs.$(OBJEXT) -test_get_addrs_LDADD = $(LDADD) -test_get_addrs_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \ - $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) 
-verify_krb5_conf_SOURCES = verify_krb5_conf.c -verify_krb5_conf_OBJECTS = verify_krb5_conf.$(OBJEXT) -verify_krb5_conf_LDADD = $(LDADD) -verify_krb5_conf_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \ - $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) -DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -SOURCES = $(libkrb5_la_SOURCES) aes-test.c derived-key-test.c \ - dump_config.c krbhst-test.c n-fold-test.c name-45-test.c \ - parse-name-test.c store-test.c string-to-key-test.c \ - test_alname.c test_cc.c test_get_addrs.c verify_krb5_conf.c -DIST_SOURCES = $(libkrb5_la_SOURCES) aes-test.c derived-key-test.c \ - dump_config.c krbhst-test.c n-fold-test.c name-45-test.c \ - parse-name-test.c store-test.c string-to-key-test.c \ - test_alname.c test_cc.c test_get_addrs.c verify_krb5_conf.c -man3dir = $(mandir)/man3 -man5dir = $(mandir)/man5 -man8dir = $(mandir)/man8 -MANS = $(man_MANS) -includeHEADERS_INSTALL = $(INSTALL_HEADER) -HEADERS = $(include_HEADERS) -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC 
= @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ 
-LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ 
-RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 
.cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) $(INCLUDE_des) -I../com_err -I$(srcdir)/../com_err -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -TESTS = \ - aes-test \ - n-fold-test \ - string-to-key-test \ - derived-key-test \ - store-test \ - parse-name-test \ - test_cc \ - name-45-test - -LDADD = libkrb5.la \ - $(LIB_des) \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_roken) - -libkrb5_la_LIBADD = \ - ../com_err/error.lo ../com_err/com_err.lo \ - $(LIB_des) \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_roken) - -lib_LTLIBRARIES = libkrb5.la -ERR_FILES = krb5_err.c heim_err.c k524_err.c -libkrb5_la_SOURCES = \ - acl.c \ - add_et_list.c \ - addr_families.c \ - aname_to_localname.c \ - appdefault.c \ - asn1_glue.c \ - auth_context.c \ - build_ap_req.c \ - build_auth.c \ - cache.c \ - changepw.c \ - codec.c \ - config_file.c \ - config_file_netinfo.c \ - convert_creds.c \ - constants.c \ - context.c \ - copy_host_realm.c \ - crc.c \ - creds.c \ - crypto.c \ - data.c \ - eai_to_heim_errno.c \ - error_string.c \ - expand_hostname.c \ - fcache.c \ - free.c \ - free_host_realm.c \ - generate_seq_number.c \ - generate_subkey.c \ - get_addrs.c \ - get_cred.c \ - get_default_principal.c \ - get_default_realm.c \ - get_for_creds.c \ - get_host_realm.c \ - get_in_tkt.c \ - get_in_tkt_pw.c \ - get_in_tkt_with_keytab.c \ - 
get_in_tkt_with_skey.c \ - get_port.c \ - init_creds.c \ - init_creds_pw.c \ - keyblock.c \ - keytab.c \ - keytab_any.c \ - keytab_file.c \ - keytab_memory.c \ - keytab_keyfile.c \ - keytab_krb4.c \ - krbhst.c \ - kuserok.c \ - log.c \ - mcache.c \ - misc.c \ - mk_error.c \ - mk_priv.c \ - mk_rep.c \ - mk_req.c \ - mk_req_ext.c \ - mk_safe.c \ - net_read.c \ - net_write.c \ - n-fold.c \ - padata.c \ - principal.c \ - prog_setup.c \ - prompter_posix.c \ - rd_cred.c \ - rd_error.c \ - rd_priv.c \ - rd_rep.c \ - rd_req.c \ - rd_safe.c \ - read_message.c \ - recvauth.c \ - replay.c \ - send_to_kdc.c \ - sendauth.c \ - set_default_realm.c \ - sock_principal.c \ - store.c \ - store-int.h \ - store_emem.c \ - store_fd.c \ - store_mem.c \ - ticket.c \ - time.c \ - transited.c \ - verify_init.c \ - verify_user.c \ - version.c \ - warn.c \ - write_message.c \ - $(ERR_FILES) - -libkrb5_la_LDFLAGS = -version-info 20:0:3 - -#libkrb5_la_LIBADD = ../com_err/error.lo ../com_err/com_err.lo -man_MANS = \ - kerberos.8 \ - krb5.3 \ - krb5.conf.5 \ - krb5_425_conv_principal.3 \ - krb5_address.3 \ - krb5_aname_to_localname.3 \ - krb5_appdefault.3 \ - krb5_auth_context.3 \ - krb5_build_principal.3 \ - krb5_ccache.3 \ - krb5_config.3 \ - krb5_context.3 \ - krb5_create_checksum.3 \ - krb5_crypto_init.3 \ - krb5_data.3 \ - krb5_encrypt.3 \ - krb5_free_addresses.3 \ - krb5_free_principal.3 \ - krb5_get_all_client_addrs.3 \ - krb5_get_krbhst.3 \ - krb5_init_context.3 \ - krb5_keytab.3 \ - krb5_krbhst_init.3 \ - krb5_kuserok.3 \ - krb5_openlog.3 \ - krb5_parse_name.3 \ - krb5_principal_get_realm.3 \ - krb5_set_default_realm.3 \ - krb5_set_password.3 \ - krb5_sname_to_principal.3 \ - krb5_timeofday.3 \ - krb5_unparse_name.3 \ - krb5_verify_user.3 \ - krb5_warn.3 \ - verify_krb5_conf.8 - -include_HEADERS = krb5.h krb5-protos.h krb5-private.h krb5_err.h heim_err.h k524_err.h -CLEANFILES = krb5_err.c krb5_err.h heim_err.c heim_err.h k524_err.c k524_err.h -all: all-am - -.SUFFIXES: -.SUFFIXES: .et 
.h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps lib/krb5/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps lib/krb5/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -install-libLTLIBRARIES: $(lib_LTLIBRARIES) - @$(NORMAL_INSTALL) - test -z "$(libdir)" || $(mkdir_p) "$(DESTDIR)$(libdir)" - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - if test -f $$p; then \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \ - $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \ - else :; fi; \ - done - -uninstall-libLTLIBRARIES: - @$(NORMAL_UNINSTALL) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - p="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " 
$(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \ - $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \ - done - -clean-libLTLIBRARIES: - -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ - test "$$dir" = "$$p" && dir=.; \ - echo "rm -f \"$${dir}/so_locations\""; \ - rm -f "$${dir}/so_locations"; \ - done -libkrb5.la: $(libkrb5_la_OBJECTS) $(libkrb5_la_DEPENDENCIES) - $(LINK) -rpath $(libdir) $(libkrb5_la_LDFLAGS) $(libkrb5_la_OBJECTS) $(libkrb5_la_LIBADD) $(LIBS) -install-binPROGRAMS: $(bin_PROGRAMS) - @$(NORMAL_INSTALL) - test -z "$(bindir)" || $(mkdir_p) "$(DESTDIR)$(bindir)" - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(bindir)/$$f'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(bindir)/$$f" || exit 1; \ - else :; fi; \ - done - -uninstall-binPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f '$(DESTDIR)$(bindir)/$$f'"; \ - rm -f "$(DESTDIR)$(bindir)/$$f"; \ - done - -clean-binPROGRAMS: - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done - -clean-checkPROGRAMS: - @list='$(check_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done - -clean-noinstPROGRAMS: - @list='$(noinst_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -aes-test$(EXEEXT): $(aes_test_OBJECTS) 
$(aes_test_DEPENDENCIES) - @rm -f aes-test$(EXEEXT) - $(LINK) $(aes_test_LDFLAGS) $(aes_test_OBJECTS) $(aes_test_LDADD) $(LIBS) -derived-key-test$(EXEEXT): $(derived_key_test_OBJECTS) $(derived_key_test_DEPENDENCIES) - @rm -f derived-key-test$(EXEEXT) - $(LINK) $(derived_key_test_LDFLAGS) $(derived_key_test_OBJECTS) $(derived_key_test_LDADD) $(LIBS) -dump_config$(EXEEXT): $(dump_config_OBJECTS) $(dump_config_DEPENDENCIES) - @rm -f dump_config$(EXEEXT) - $(LINK) $(dump_config_LDFLAGS) $(dump_config_OBJECTS) $(dump_config_LDADD) $(LIBS) -krbhst-test$(EXEEXT): $(krbhst_test_OBJECTS) $(krbhst_test_DEPENDENCIES) - @rm -f krbhst-test$(EXEEXT) - $(LINK) $(krbhst_test_LDFLAGS) $(krbhst_test_OBJECTS) $(krbhst_test_LDADD) $(LIBS) -n-fold-test$(EXEEXT): $(n_fold_test_OBJECTS) $(n_fold_test_DEPENDENCIES) - @rm -f n-fold-test$(EXEEXT) - $(LINK) $(n_fold_test_LDFLAGS) $(n_fold_test_OBJECTS) $(n_fold_test_LDADD) $(LIBS) -name-45-test$(EXEEXT): $(name_45_test_OBJECTS) $(name_45_test_DEPENDENCIES) - @rm -f name-45-test$(EXEEXT) - $(LINK) $(name_45_test_LDFLAGS) $(name_45_test_OBJECTS) $(name_45_test_LDADD) $(LIBS) -parse-name-test$(EXEEXT): $(parse_name_test_OBJECTS) $(parse_name_test_DEPENDENCIES) - @rm -f parse-name-test$(EXEEXT) - $(LINK) $(parse_name_test_LDFLAGS) $(parse_name_test_OBJECTS) $(parse_name_test_LDADD) $(LIBS) -store-test$(EXEEXT): $(store_test_OBJECTS) $(store_test_DEPENDENCIES) - @rm -f store-test$(EXEEXT) - $(LINK) $(store_test_LDFLAGS) $(store_test_OBJECTS) $(store_test_LDADD) $(LIBS) -string-to-key-test$(EXEEXT): $(string_to_key_test_OBJECTS) $(string_to_key_test_DEPENDENCIES) - @rm -f string-to-key-test$(EXEEXT) - $(LINK) $(string_to_key_test_LDFLAGS) $(string_to_key_test_OBJECTS) $(string_to_key_test_LDADD) $(LIBS) -test_alname$(EXEEXT): $(test_alname_OBJECTS) $(test_alname_DEPENDENCIES) - @rm -f test_alname$(EXEEXT) - $(LINK) $(test_alname_LDFLAGS) $(test_alname_OBJECTS) $(test_alname_LDADD) $(LIBS) -test_cc$(EXEEXT): $(test_cc_OBJECTS) 
$(test_cc_DEPENDENCIES) - @rm -f test_cc$(EXEEXT) - $(LINK) $(test_cc_LDFLAGS) $(test_cc_OBJECTS) $(test_cc_LDADD) $(LIBS) -test_get_addrs$(EXEEXT): $(test_get_addrs_OBJECTS) $(test_get_addrs_DEPENDENCIES) - @rm -f test_get_addrs$(EXEEXT) - $(LINK) $(test_get_addrs_LDFLAGS) $(test_get_addrs_OBJECTS) $(test_get_addrs_LDADD) $(LIBS) -verify_krb5_conf$(EXEEXT): $(verify_krb5_conf_OBJECTS) $(verify_krb5_conf_DEPENDENCIES) - @rm -f verify_krb5_conf$(EXEEXT) - $(LINK) $(verify_krb5_conf_LDFLAGS) $(verify_krb5_conf_OBJECTS) $(verify_krb5_conf_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c $< - -.c.obj: - $(COMPILE) -c `$(CYGPATH_W) '$<'` - -.c.lo: - $(LTCOMPILE) -c -o $@ $< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -install-man3: $(man3_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - test -z "$(man3dir)" || $(mkdir_p) "$(DESTDIR)$(man3dir)" - @list='$(man3_MANS) $(dist_man3_MANS) $(nodist_man3_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.3*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 3*) ;; \ - *) ext='3' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man3dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man3dir)/$$inst"; \ - done -uninstall-man3: - @$(NORMAL_UNINSTALL) - @list='$(man3_MANS) $(dist_man3_MANS) $(nodist_man3_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.3*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo 
$$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 3*) ;; \ - *) ext='3' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f '$(DESTDIR)$(man3dir)/$$inst'"; \ - rm -f "$(DESTDIR)$(man3dir)/$$inst"; \ - done -install-man5: $(man5_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - test -z "$(man5dir)" || $(mkdir_p) "$(DESTDIR)$(man5dir)" - @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.5*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 5*) ;; \ - *) ext='5' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst"; \ - done -uninstall-man5: - @$(NORMAL_UNINSTALL) - @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.5*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 5*) ;; \ - *) ext='5' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f '$(DESTDIR)$(man5dir)/$$inst'"; \ - rm -f "$(DESTDIR)$(man5dir)/$$inst"; \ - done -install-man8: $(man8_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - test -z "$(man8dir)" || $(mkdir_p) "$(DESTDIR)$(man8dir)" - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) 
$(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ - done -uninstall-man8: - @$(NORMAL_UNINSTALL) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ - rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ - done -install-includeHEADERS: $(include_HEADERS) - @$(NORMAL_INSTALL) - test -z "$(includedir)" || $(mkdir_p) "$(DESTDIR)$(includedir)" - @list='$(include_HEADERS)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \ - $(includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \ - done - -uninstall-includeHEADERS: - @$(NORMAL_UNINSTALL) - @list='$(include_HEADERS)'; for p in $$list; do \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " rm -f '$(DESTDIR)$(includedir)/$$f'"; \ - rm -f "$(DESTDIR)$(includedir)/$$f"; \ - done - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) 
$(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -check-TESTS: $(TESTS) - @failed=0; all=0; xfail=0; xpass=0; skip=0; \ - srcdir=$(srcdir); export srcdir; \ - list='$(TESTS)'; \ - if test -n "$$list"; then \ - for tst in $$list; do \ - if test -f ./$$tst; then dir=./; \ - elif test -f $$tst; then dir=; \ - else dir="$(srcdir)/"; fi; \ - if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ - all=`expr $$all + 1`; \ - case " $(XFAIL_TESTS) " in \ - *" $$tst "*) \ - xpass=`expr $$xpass + 1`; \ - failed=`expr $$failed + 1`; \ - echo "XPASS: $$tst"; \ - ;; \ - *) \ - echo "PASS: $$tst"; \ - ;; \ - esac; \ - elif test $$? 
-ne 77; then \ - all=`expr $$all + 1`; \ - case " $(XFAIL_TESTS) " in \ - *" $$tst "*) \ - xfail=`expr $$xfail + 1`; \ - echo "XFAIL: $$tst"; \ - ;; \ - *) \ - failed=`expr $$failed + 1`; \ - echo "FAIL: $$tst"; \ - ;; \ - esac; \ - else \ - skip=`expr $$skip + 1`; \ - echo "SKIP: $$tst"; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - if test "$$xfail" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ - fi; \ - else \ - if test "$$xpass" -eq 0; then \ - banner="$$failed of $$all tests failed"; \ - else \ - banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ - fi; \ - fi; \ - dashes="$$banner"; \ - skipped=""; \ - if test "$$skip" -ne 0; then \ - skipped="($$skip tests were not run)"; \ - test `echo "$$skipped" | wc -c` -gt `echo "$$banner" | wc -c` && \ - dashes="$$skipped"; \ - fi; \ - report=""; \ - if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ - report="Please report to $(PACKAGE_BUGREPORT)"; \ - test `echo "$$report" | wc -c` -gt `echo "$$banner" | wc -c` && \ - dashes="$$report"; \ - fi; \ - dashes=`echo "$$dashes" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - test -n "$$skipped" && echo "$$skipped"; \ - test -n "$$report" && echo "$$report"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - else :; fi - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/../.. 
$(distdir)/../../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) - $(MAKE) $(AM_MAKEFLAGS) check-TESTS check-local -check: check-am -all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(MANS) $(HEADERS) \ - all-local -install-binPROGRAMS: install-libLTLIBRARIES - -installdirs: - for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(includedir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install 
-mostlyclean-generic: - -clean-generic: - -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-binPROGRAMS clean-checkPROGRAMS clean-generic \ - clean-libLTLIBRARIES clean-libtool clean-noinstPROGRAMS \ - mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: install-includeHEADERS install-man - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: install-binPROGRAMS install-libLTLIBRARIES - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man3 install-man5 install-man8 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-binPROGRAMS uninstall-includeHEADERS \ - uninstall-info-am uninstall-libLTLIBRARIES uninstall-man - -uninstall-man: uninstall-man3 uninstall-man5 uninstall-man8 - -.PHONY: CTAGS GTAGS all all-am all-local check check-TESTS check-am \ - check-local clean clean-binPROGRAMS clean-checkPROGRAMS \ - clean-generic clean-libLTLIBRARIES clean-libtool \ - clean-noinstPROGRAMS ctags distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-binPROGRAMS install-data install-data-am install-exec \ - install-exec-am install-includeHEADERS install-info \ - 
install-info-am install-libLTLIBRARIES install-man \ - install-man3 install-man5 install-man8 install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags uninstall uninstall-am uninstall-binPROGRAMS \ - uninstall-includeHEADERS uninstall-info-am \ - uninstall-libLTLIBRARIES uninstall-man uninstall-man3 \ - uninstall-man5 uninstall-man8 - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ 
-.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -$(libkrb5_la_OBJECTS): $(srcdir)/krb5-protos.h $(srcdir)/krb5-private.h - -$(srcdir)/krb5-protos.h: - cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -o krb5-protos.h 
$(libkrb5_la_SOURCES) || rm -f krb5-protos.h
-
-$(srcdir)/krb5-private.h:
- cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p krb5-private.h $(libkrb5_la_SOURCES) || rm -f krb5-private.h
-
-$(libkrb5_la_OBJECTS): krb5_err.h heim_err.h k524_err.h
-
-# to help stupid solaris make
-
-krb5_err.h: krb5_err.et
-
-heim_err.h: heim_err.et
-
-k524_err.h: k524_err.et
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/crypto/heimdal-0.6.3/lib/krb5/acl.c b/crypto/heimdal-0.6.3/lib/krb5/acl.c
deleted file mode 100644
index c3568699c2..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/acl.c
+++ /dev/null
@@ -1,205 +0,0 @@
-/*
- * Copyright (c) 2000 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-#include
-
-RCSID("$Id: acl.c,v 1.3 2002/04/18 16:16:24 joda Exp $");
-
-struct acl_field {
- enum { acl_string, acl_fnmatch, acl_retval } type;
- union {
- const char *cstr;
- char **retv;
- } u;
- struct acl_field *next, **last;
-};
-
-static void
-acl_free_list(struct acl_field *acl)
-{
- struct acl_field *next;
- while(acl != NULL) {
- next = acl->next;
- free(acl);
- acl = next;
- }
-}
-
-static krb5_error_code
-acl_parse_format(krb5_context context,
- struct acl_field **acl_ret,
- const char *format,
- va_list ap)
-{
- const char *p;
- struct acl_field *acl = NULL, *tmp;
-
- for(p = format; *p != '\0'; p++) {
- tmp = malloc(sizeof(*tmp));
- if(tmp == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- acl_free_list(acl);
- return ENOMEM;
- }
- if(*p == 's') {
- tmp->type = acl_string;
- tmp->u.cstr = va_arg(ap, const char*);
- } else if(*p == 'f') {
- tmp->type = acl_fnmatch;
- tmp->u.cstr = va_arg(ap, const char*);
- } else if(*p == 'r') {
- tmp->type = acl_retval;
- tmp->u.retv = va_arg(ap, char **);
- }
- tmp->next = NULL;
- if(acl == NULL)
- acl = tmp;
- else
- *acl->last = tmp;
- acl->last = &tmp->next;
- }
- *acl_ret = acl;
- return 0;
-}
-
-static krb5_boolean
-acl_match_field(krb5_context context,
- const char *string,
- struct acl_field *field)
-{
- if(field->type == acl_string) {
- return !strcmp(string, field->u.cstr);
- } else if(field->type == acl_fnmatch) {
- return !fnmatch(string, field->u.cstr, 0);
- } else if(field->type == acl_retval) {
- *field->u.retv = strdup(string);
- return TRUE;
- }
- return FALSE;
-}
-
-static krb5_boolean
-acl_match_acl(krb5_context context,
- struct acl_field *acl,
- const char *string)
-{
- char buf[256];
- for(;strsep_copy(&string, " \t", buf, sizeof(buf)) != -1;
- acl = acl->next) {
- if(buf[0] == '\0')
- continue; /* skip ws */
- if(!acl_match_field(context, buf, acl)) {
- return FALSE;
- }
- }
- return TRUE;
-}
-
-
-krb5_error_code
-krb5_acl_match_string(krb5_context context,
- const char *string,
- const char *format,
- ...)
-{
- krb5_error_code ret;
- krb5_boolean found;
- struct acl_field *acl;
-
- va_list ap;
- va_start(ap, format);
- ret = acl_parse_format(context, &acl, format, ap);
- va_end(ap);
- if(ret)
- return ret;
-
- found = acl_match_acl(context, acl, string);
- acl_free_list(acl);
- if (found) {
- return 0;
- } else {
- krb5_set_error_string(context, "ACL did not match");
- return EACCES;
- }
-}
-
-krb5_error_code
-krb5_acl_match_file(krb5_context context,
- const char *file,
- const char *format,
- ...)
-{
- krb5_error_code ret;
- struct acl_field *acl;
- char buf[256];
- va_list ap;
- FILE *f;
- krb5_boolean found;
-
- f = fopen(file, "r");
- if(f == NULL) {
- int save_errno = errno;
-
- krb5_set_error_string(context, "open(%s): %s", file,
- strerror(save_errno));
- return save_errno;
- }
-
- va_start(ap, format);
- ret = acl_parse_format(context, &acl, format, ap);
- va_end(ap);
- if(ret) {
- fclose(f);
- return ret;
- }
-
- found = FALSE;
- while(fgets(buf, sizeof(buf), f)) {
- if(buf[0] == '#')
- continue;
- if(acl_match_acl(context, acl, buf)) {
- found = TRUE;
- break;
- }
- }
-
- fclose(f);
- acl_free_list(acl);
- if (found) {
- return 0;
- } else {
- krb5_set_error_string(context, "ACL did not match");
- return EACCES;
- }
-}
diff --git a/crypto/heimdal-0.6.3/lib/krb5/add_et_list.c b/crypto/heimdal-0.6.3/lib/krb5/add_et_list.c
deleted file mode 100644
index cfc42f493c..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/add_et_list.c
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Copyright (c) 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-
-RCSID("$Id: add_et_list.c,v 1.2 1999/12/02 17:05:07 joda Exp $");
-
-/*
- * Add a specified list of error messages to the et list in context.
- * Call func (probably a comerr-generated function) with a pointer to
- * the current et_list.
- */
-
-krb5_error_code
-krb5_add_et_list (krb5_context context,
- void (*func)(struct et_list **))
-{
- (*func)(&context->et_list);
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/lib/krb5/addr_families.c b/crypto/heimdal-0.6.3/lib/krb5/addr_families.c
deleted file mode 100644
index be32458eaa..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/addr_families.c
+++ /dev/null
@@ -1,984 +0,0 @@
-/*
- * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "krb5_locl.h" - -RCSID("$Id: addr_families.c,v 1.38 2003/03/25 12:37:02 joda Exp $"); - -struct addr_operations { - int af; - krb5_address_type atype; - size_t max_sockaddr_size; - krb5_error_code (*sockaddr2addr)(const struct sockaddr *, krb5_address *); - krb5_error_code (*sockaddr2port)(const struct sockaddr *, int16_t *); - void (*addr2sockaddr)(const krb5_address *, struct sockaddr *, - krb5_socklen_t *sa_size, int port); - void (*h_addr2sockaddr)(const char *, struct sockaddr *, krb5_socklen_t *, int); - krb5_error_code (*h_addr2addr)(const char *, krb5_address *); - krb5_boolean (*uninteresting)(const struct sockaddr *); - void (*anyaddr)(struct sockaddr *, krb5_socklen_t *, int); - int (*print_addr)(const krb5_address *, char *, size_t); - int (*parse_addr)(krb5_context, const char*, krb5_address *); - int (*order_addr)(krb5_context, const krb5_address*, const krb5_address*); - int (*free_addr)(krb5_context, krb5_address*); - int (*copy_addr)(krb5_context, const krb5_address*, krb5_address*); -}; - -/* - * AF_INET - aka IPv4 implementation - */ - -static krb5_error_code -ipv4_sockaddr2addr (const struct sockaddr *sa, krb5_address *a) -{ - const struct sockaddr_in *sin = (const struct sockaddr_in *)sa; - unsigned char buf[4]; - - a->addr_type = KRB5_ADDRESS_INET; - memcpy (buf, &sin->sin_addr, 4); - return krb5_data_copy(&a->address, buf, 4); -} - -static krb5_error_code -ipv4_sockaddr2port (const struct sockaddr *sa, int16_t *port) -{ - const struct sockaddr_in *sin = (const struct sockaddr_in *)sa; - - *port = sin->sin_port; - return 0; -} - -static void -ipv4_addr2sockaddr (const krb5_address *a, - struct sockaddr *sa, - krb5_socklen_t *sa_size, - int port) -{ - struct sockaddr_in tmp; - - memset (&tmp, 0, sizeof(tmp)); - tmp.sin_family = AF_INET; - memcpy (&tmp.sin_addr, a->address.data, 4); - tmp.sin_port = port; - memcpy(sa, &tmp, min(sizeof(tmp), *sa_size)); - *sa_size = sizeof(tmp); -} - -static void -ipv4_h_addr2sockaddr(const char 
*addr, - struct sockaddr *sa, - krb5_socklen_t *sa_size, - int port) -{ - struct sockaddr_in tmp; - - memset (&tmp, 0, sizeof(tmp)); - tmp.sin_family = AF_INET; - tmp.sin_port = port; - tmp.sin_addr = *((const struct in_addr *)addr); - memcpy(sa, &tmp, min(sizeof(tmp), *sa_size)); - *sa_size = sizeof(tmp); -} - -static krb5_error_code -ipv4_h_addr2addr (const char *addr, - krb5_address *a) -{ - unsigned char buf[4]; - - a->addr_type = KRB5_ADDRESS_INET; - memcpy(buf, addr, 4); - return krb5_data_copy(&a->address, buf, 4); -} - -/* - * Are there any addresses that should be considered `uninteresting'? - */ - -static krb5_boolean -ipv4_uninteresting (const struct sockaddr *sa) -{ - const struct sockaddr_in *sin = (const struct sockaddr_in *)sa; - - if (sin->sin_addr.s_addr == INADDR_ANY) - return TRUE; - - return FALSE; -} - -static void -ipv4_anyaddr (struct sockaddr *sa, krb5_socklen_t *sa_size, int port) -{ - struct sockaddr_in tmp; - - memset (&tmp, 0, sizeof(tmp)); - tmp.sin_family = AF_INET; - tmp.sin_port = port; - tmp.sin_addr.s_addr = INADDR_ANY; - memcpy(sa, &tmp, min(sizeof(tmp), *sa_size)); - *sa_size = sizeof(tmp); -} - -static int -ipv4_print_addr (const krb5_address *addr, char *str, size_t len) -{ - struct in_addr ia; - - memcpy (&ia, addr->address.data, 4); - - return snprintf (str, len, "IPv4:%s", inet_ntoa(ia)); -} - -static int -ipv4_parse_addr (krb5_context context, const char *address, krb5_address *addr) -{ - const char *p; - struct in_addr a; - - p = strchr(address, ':'); - if(p) { - p++; - if(strncasecmp(address, "ip:", p - address) != 0 && - strncasecmp(address, "ip4:", p - address) != 0 && - strncasecmp(address, "ipv4:", p - address) != 0 && - strncasecmp(address, "inet:", p - address) != 0) - return -1; - } else - p = address; -#ifdef HAVE_INET_ATON - if(inet_aton(p, &a) == 0) - return -1; -#elif defined(HAVE_INET_ADDR) - a.s_addr = inet_addr(p); - if(a.s_addr == INADDR_NONE) - return -1; -#else - return -1; -#endif - addr->addr_type = 
KRB5_ADDRESS_INET; - if(krb5_data_alloc(&addr->address, 4) != 0) - return -1; - _krb5_put_int(addr->address.data, ntohl(a.s_addr), addr->address.length); - return 0; -} - -/* - * AF_INET6 - aka IPv6 implementation - */ - -#ifdef HAVE_IPV6 - -static krb5_error_code -ipv6_sockaddr2addr (const struct sockaddr *sa, krb5_address *a) -{ - const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *)sa; - - if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) { - unsigned char buf[4]; - - a->addr_type = KRB5_ADDRESS_INET; -#ifndef IN6_ADDR_V6_TO_V4 -#ifdef IN6_EXTRACT_V4ADDR -#define IN6_ADDR_V6_TO_V4(x) (&IN6_EXTRACT_V4ADDR(x)) -#else -#define IN6_ADDR_V6_TO_V4(x) ((const struct in_addr *)&(x)->s6_addr[12]) -#endif -#endif - memcpy (buf, IN6_ADDR_V6_TO_V4(&sin6->sin6_addr), 4); - return krb5_data_copy(&a->address, buf, 4); - } else { - a->addr_type = KRB5_ADDRESS_INET6; - return krb5_data_copy(&a->address, - &sin6->sin6_addr, - sizeof(sin6->sin6_addr)); - } -} - -static krb5_error_code -ipv6_sockaddr2port (const struct sockaddr *sa, int16_t *port) -{ - const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *)sa; - - *port = sin6->sin6_port; - return 0; -} - -static void -ipv6_addr2sockaddr (const krb5_address *a, - struct sockaddr *sa, - krb5_socklen_t *sa_size, - int port) -{ - struct sockaddr_in6 tmp; - - memset (&tmp, 0, sizeof(tmp)); - tmp.sin6_family = AF_INET6; - memcpy (&tmp.sin6_addr, a->address.data, sizeof(tmp.sin6_addr)); - tmp.sin6_port = port; - memcpy(sa, &tmp, min(sizeof(tmp), *sa_size)); - *sa_size = sizeof(tmp); -} - -static void -ipv6_h_addr2sockaddr(const char *addr, - struct sockaddr *sa, - krb5_socklen_t *sa_size, - int port) -{ - struct sockaddr_in6 tmp; - - memset (&tmp, 0, sizeof(tmp)); - tmp.sin6_family = AF_INET6; - tmp.sin6_port = port; - tmp.sin6_addr = *((const struct in6_addr *)addr); - memcpy(sa, &tmp, min(sizeof(tmp), *sa_size)); - *sa_size = sizeof(tmp); -} - -static krb5_error_code -ipv6_h_addr2addr (const char *addr, - krb5_address *a) 
-{ - a->addr_type = KRB5_ADDRESS_INET6; - return krb5_data_copy(&a->address, addr, sizeof(struct in6_addr)); -} - -/* - * - */ - -static krb5_boolean -ipv6_uninteresting (const struct sockaddr *sa) -{ - const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *)sa; - const struct in6_addr *in6 = (const struct in6_addr *)&sin6->sin6_addr; - - return - IN6_IS_ADDR_LINKLOCAL(in6) - || IN6_IS_ADDR_V4COMPAT(in6); -} - -static void -ipv6_anyaddr (struct sockaddr *sa, krb5_socklen_t *sa_size, int port) -{ - struct sockaddr_in6 tmp; - - memset (&tmp, 0, sizeof(tmp)); - tmp.sin6_family = AF_INET6; - tmp.sin6_port = port; - tmp.sin6_addr = in6addr_any; - *sa_size = sizeof(tmp); -} - -static int -ipv6_print_addr (const krb5_address *addr, char *str, size_t len) -{ - char buf[128], buf2[3]; -#ifdef HAVE_INET_NTOP - if(inet_ntop(AF_INET6, addr->address.data, buf, sizeof(buf)) == NULL) -#endif - { - /* XXX this is pretty ugly, but better than abort() */ - int i; - unsigned char *p = addr->address.data; - buf[0] = '\0'; - for(i = 0; i < addr->address.length; i++) { - snprintf(buf2, sizeof(buf2), "%02x", p[i]); - if(i > 0 && (i & 1) == 0) - strlcat(buf, ":", sizeof(buf)); - strlcat(buf, buf2, sizeof(buf)); - } - } - return snprintf(str, len, "IPv6:%s", buf); -} - -static int -ipv6_parse_addr (krb5_context context, const char *address, krb5_address *addr) -{ - int ret; - struct in6_addr in6; - const char *p; - - p = strchr(address, ':'); - if(p) { - p++; - if(strncasecmp(address, "ip6:", p - address) == 0 || - strncasecmp(address, "ipv6:", p - address) == 0 || - strncasecmp(address, "inet6:", p - address) == 0) - address = p; - } - - ret = inet_pton(AF_INET6, address, &in6.s6_addr); - if(ret == 1) { - addr->addr_type = KRB5_ADDRESS_INET6; - ret = krb5_data_alloc(&addr->address, sizeof(in6.s6_addr)); - if (ret) - return -1; - memcpy(addr->address.data, in6.s6_addr, sizeof(in6.s6_addr)); - return 0; - } - return -1; -} - -#endif /* IPv6 */ - -/* - * table - */ - -#define 
KRB5_ADDRESS_ARANGE (-100) - -struct arange { - krb5_address low; - krb5_address high; -}; - -static int -arange_parse_addr (krb5_context context, - const char *address, krb5_address *addr) -{ - char buf[1024]; - krb5_addresses low, high; - struct arange *a; - krb5_error_code ret; - - if(strncasecmp(address, "RANGE:", 6) != 0) - return -1; - - address += 6; - - /* should handle netmasks */ - strsep_copy(&address, "-", buf, sizeof(buf)); - ret = krb5_parse_address(context, buf, &low); - if(ret) - return ret; - if(low.len != 1) { - krb5_free_addresses(context, &low); - return -1; - } - - strsep_copy(&address, "-", buf, sizeof(buf)); - ret = krb5_parse_address(context, buf, &high); - if(ret) { - krb5_free_addresses(context, &low); - return ret; - } - - if(high.len != 1 || high.val[0].addr_type != low.val[0].addr_type) { - krb5_free_addresses(context, &low); - krb5_free_addresses(context, &high); - return -1; - } - - krb5_data_alloc(&addr->address, sizeof(*a)); - addr->addr_type = KRB5_ADDRESS_ARANGE; - a = addr->address.data; - - if(krb5_address_order(context, &low.val[0], &high.val[0]) < 0) { - a->low = low.val[0]; - a->high = high.val[0]; - } else { - a->low = high.val[0]; - a->high = low.val[0]; - } - return 0; -} - -static int -arange_free (krb5_context context, krb5_address *addr) -{ - struct arange *a; - a = addr->address.data; - krb5_free_address(context, &a->low); - krb5_free_address(context, &a->high); - return 0; -} - - -static int -arange_copy (krb5_context context, const krb5_address *inaddr, - krb5_address *outaddr) -{ - krb5_error_code ret; - struct arange *i, *o; - - outaddr->addr_type = KRB5_ADDRESS_ARANGE; - ret = krb5_data_alloc(&outaddr->address, sizeof(*o)); - if(ret) - return ret; - i = inaddr->address.data; - o = outaddr->address.data; - ret = krb5_copy_address(context, &i->low, &o->low); - if(ret) { - krb5_data_free(&outaddr->address); - return ret; - } - ret = krb5_copy_address(context, &i->high, &o->high); - if(ret) { - 
krb5_free_address(context, &o->low); - krb5_data_free(&outaddr->address); - return ret; - } - return 0; -} - -static int -arange_print_addr (const krb5_address *addr, char *str, size_t len) -{ - struct arange *a; - krb5_error_code ret; - size_t l, ret_len = 0; - - a = addr->address.data; - - l = strlcpy(str, "RANGE:", len); - ret_len += l; - - ret = krb5_print_address (&a->low, str + ret_len, len - ret_len, &l); - ret_len += l; - - l = strlcat(str, "-", len); - ret_len += l; - - ret = krb5_print_address (&a->high, str + ret_len, len - ret_len, &l); - ret_len += l; - - return ret_len; -} - -static int -arange_order_addr(krb5_context context, - const krb5_address *addr1, - const krb5_address *addr2) -{ - int tmp1, tmp2, sign; - struct arange *a; - const krb5_address *a2; - - if(addr1->addr_type == KRB5_ADDRESS_ARANGE) { - a = addr1->address.data; - a2 = addr2; - sign = 1; - } else if(addr2->addr_type == KRB5_ADDRESS_ARANGE) { - a = addr2->address.data; - a2 = addr1; - sign = -1; - } else - abort(); - - if(a2->addr_type == KRB5_ADDRESS_ARANGE) { - struct arange *b = a2->address.data; - tmp1 = krb5_address_order(context, &a->low, &b->low); - if(tmp1 != 0) - return sign * tmp1; - return sign * krb5_address_order(context, &a->high, &b->high); - } else if(a2->addr_type == a->low.addr_type) { - tmp1 = krb5_address_order(context, &a->low, a2); - if(tmp1 > 0) - return sign; - tmp2 = krb5_address_order(context, &a->high, a2); - if(tmp2 < 0) - return -sign; - return 0; - } else { - return sign * (addr1->addr_type - addr2->addr_type); - } -} - -static int -addrport_print_addr (const krb5_address *addr, char *str, size_t len) -{ - krb5_address addr1, addr2; - uint16_t port = 0; - size_t ret_len = 0, l; - krb5_storage *sp = krb5_storage_from_data((krb5_data*)&addr->address); - /* for totally obscure reasons, these are not in network byteorder */ - krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_LE); - - krb5_storage_seek(sp, 2, SEEK_CUR); /* skip first two bytes */ - 
krb5_ret_address(sp, &addr1); - - krb5_storage_seek(sp, 2, SEEK_CUR); /* skip two bytes */ - krb5_ret_address(sp, &addr2); - krb5_storage_free(sp); - if(addr2.addr_type == KRB5_ADDRESS_IPPORT && addr2.address.length == 2) { - unsigned long value; - _krb5_get_int(addr2.address.data, &value, 2); - port = value; - } - l = strlcpy(str, "ADDRPORT:", len); - ret_len += l; - krb5_print_address(&addr1, str + ret_len, len - ret_len, &l); - ret_len += l; - l = snprintf(str + ret_len, len - ret_len, ",PORT=%u", port); - ret_len += l; - return ret_len; -} - -static struct addr_operations at[] = { - {AF_INET, KRB5_ADDRESS_INET, sizeof(struct sockaddr_in), - ipv4_sockaddr2addr, - ipv4_sockaddr2port, - ipv4_addr2sockaddr, - ipv4_h_addr2sockaddr, - ipv4_h_addr2addr, - ipv4_uninteresting, ipv4_anyaddr, ipv4_print_addr, ipv4_parse_addr}, -#ifdef HAVE_IPV6 - {AF_INET6, KRB5_ADDRESS_INET6, sizeof(struct sockaddr_in6), - ipv6_sockaddr2addr, - ipv6_sockaddr2port, - ipv6_addr2sockaddr, - ipv6_h_addr2sockaddr, - ipv6_h_addr2addr, - ipv6_uninteresting, ipv6_anyaddr, ipv6_print_addr, ipv6_parse_addr} , -#endif - {KRB5_ADDRESS_ADDRPORT, KRB5_ADDRESS_ADDRPORT, 0, - NULL, NULL, NULL, NULL, NULL, - NULL, NULL, addrport_print_addr, NULL, NULL, NULL, NULL }, - /* fake address type */ - {KRB5_ADDRESS_ARANGE, KRB5_ADDRESS_ARANGE, sizeof(struct arange), - NULL, NULL, NULL, NULL, NULL, NULL, NULL, - arange_print_addr, arange_parse_addr, - arange_order_addr, arange_free, arange_copy } -}; - -static int num_addrs = sizeof(at) / sizeof(at[0]); - -static size_t max_sockaddr_size = 0; - -/* - * generic functions - */ - -static struct addr_operations * -find_af(int af) -{ - struct addr_operations *a; - - for (a = at; a < at + num_addrs; ++a) - if (af == a->af) - return a; - return NULL; -} - -static struct addr_operations * -find_atype(int atype) -{ - struct addr_operations *a; - - for (a = at; a < at + num_addrs; ++a) - if (atype == a->atype) - return a; - return NULL; -} - -krb5_error_code 
-krb5_sockaddr2address (krb5_context context, - const struct sockaddr *sa, krb5_address *addr) -{ - struct addr_operations *a = find_af(sa->sa_family); - if (a == NULL) { - krb5_set_error_string (context, "Address family %d not supported", - sa->sa_family); - return KRB5_PROG_ATYPE_NOSUPP; - } - return (*a->sockaddr2addr)(sa, addr); -} - -krb5_error_code -krb5_sockaddr2port (krb5_context context, - const struct sockaddr *sa, int16_t *port) -{ - struct addr_operations *a = find_af(sa->sa_family); - if (a == NULL) { - krb5_set_error_string (context, "Address family %d not supported", - sa->sa_family); - return KRB5_PROG_ATYPE_NOSUPP; - } - return (*a->sockaddr2port)(sa, port); -} - -krb5_error_code -krb5_addr2sockaddr (krb5_context context, - const krb5_address *addr, - struct sockaddr *sa, - krb5_socklen_t *sa_size, - int port) -{ - struct addr_operations *a = find_atype(addr->addr_type); - - if (a == NULL) { - krb5_set_error_string (context, "Address type %d not supported", - addr->addr_type); - return KRB5_PROG_ATYPE_NOSUPP; - } - if (a->addr2sockaddr == NULL) { - krb5_set_error_string (context, "Can't convert address type %d to sockaddr", - addr->addr_type); - return KRB5_PROG_ATYPE_NOSUPP; - } - (*a->addr2sockaddr)(addr, sa, sa_size, port); - return 0; -} - -size_t -krb5_max_sockaddr_size (void) -{ - if (max_sockaddr_size == 0) { - struct addr_operations *a; - - for(a = at; a < at + num_addrs; ++a) - max_sockaddr_size = max(max_sockaddr_size, a->max_sockaddr_size); - } - return max_sockaddr_size; -} - -krb5_boolean -krb5_sockaddr_uninteresting(const struct sockaddr *sa) -{ - struct addr_operations *a = find_af(sa->sa_family); - if (a == NULL || a->uninteresting == NULL) - return TRUE; - return (*a->uninteresting)(sa); -} - -krb5_error_code -krb5_h_addr2sockaddr (krb5_context context, - int af, - const char *addr, struct sockaddr *sa, - krb5_socklen_t *sa_size, - int port) -{ - struct addr_operations *a = find_af(af); - if (a == NULL) { - krb5_set_error_string 
(context, "Address family %d not supported", af); - return KRB5_PROG_ATYPE_NOSUPP; - } - (*a->h_addr2sockaddr)(addr, sa, sa_size, port); - return 0; -} - -krb5_error_code -krb5_h_addr2addr (krb5_context context, - int af, - const char *haddr, krb5_address *addr) -{ - struct addr_operations *a = find_af(af); - if (a == NULL) { - krb5_set_error_string (context, "Address family %d not supported", af); - return KRB5_PROG_ATYPE_NOSUPP; - } - return (*a->h_addr2addr)(haddr, addr); -} - -krb5_error_code -krb5_anyaddr (krb5_context context, - int af, - struct sockaddr *sa, - krb5_socklen_t *sa_size, - int port) -{ - struct addr_operations *a = find_af (af); - - if (a == NULL) { - krb5_set_error_string (context, "Address family %d not supported", af); - return KRB5_PROG_ATYPE_NOSUPP; - } - - (*a->anyaddr)(sa, sa_size, port); - return 0; -} - -krb5_error_code -krb5_print_address (const krb5_address *addr, - char *str, size_t len, size_t *ret_len) -{ - size_t ret; - struct addr_operations *a = find_atype(addr->addr_type); - - if (a == NULL || a->print_addr == NULL) { - char *s; - int l; - int i; - - s = str; - l = snprintf(s, len, "TYPE_%d:", addr->addr_type); - if (l < 0) - return EINVAL; - s += l; - len -= l; - for(i = 0; i < addr->address.length; i++) { - l = snprintf(s, len, "%02x", ((char*)addr->address.data)[i]); - if (l < 0) - return EINVAL; - len -= l; - s += l; - } - if(ret_len != NULL) - *ret_len = s - str; - return 0; - } - ret = (*a->print_addr)(addr, str, len); - if(ret_len != NULL) - *ret_len = ret; - return 0; -} - -krb5_error_code -krb5_parse_address(krb5_context context, - const char *string, - krb5_addresses *addresses) -{ - int i, n; - struct addrinfo *ai, *a; - int error; - int save_errno; - - for(i = 0; i < num_addrs; i++) { - if(at[i].parse_addr) { - krb5_address addr; - if((*at[i].parse_addr)(context, string, &addr) == 0) { - ALLOC_SEQ(addresses, 1); - addresses->val[0] = addr; - return 0; - } - } - } - - error = getaddrinfo (string, NULL, NULL, &ai); - 
if (error) { - save_errno = errno; - krb5_set_error_string (context, "%s: %s", string, gai_strerror(error)); - return krb5_eai_to_heim_errno(error, save_errno); - } - - n = 0; - for (a = ai; a != NULL; a = a->ai_next) - ++n; - - ALLOC_SEQ(addresses, n); - - for (a = ai, i = 0; a != NULL; a = a->ai_next) { - if(krb5_sockaddr2address (context, ai->ai_addr, - &addresses->val[i]) == 0) - i++; - } - freeaddrinfo (ai); - return 0; -} - -int -krb5_address_order(krb5_context context, - const krb5_address *addr1, - const krb5_address *addr2) -{ - /* this sucks; what if both addresses have order functions, which - should we call? this works for now, though */ - struct addr_operations *a; - a = find_atype(addr1->addr_type); - if(a == NULL) { - krb5_set_error_string (context, "Address family %d not supported", - addr1->addr_type); - return KRB5_PROG_ATYPE_NOSUPP; - } - if(a->order_addr != NULL) - return (*a->order_addr)(context, addr1, addr2); - a = find_atype(addr2->addr_type); - if(a == NULL) { - krb5_set_error_string (context, "Address family %d not supported", - addr2->addr_type); - return KRB5_PROG_ATYPE_NOSUPP; - } - if(a->order_addr != NULL) - return (*a->order_addr)(context, addr1, addr2); - - if(addr1->addr_type != addr2->addr_type) - return addr1->addr_type - addr2->addr_type; - if(addr1->address.length != addr2->address.length) - return addr1->address.length - addr2->address.length; - return memcmp (addr1->address.data, - addr2->address.data, - addr1->address.length); -} - -krb5_boolean -krb5_address_compare(krb5_context context, - const krb5_address *addr1, - const krb5_address *addr2) -{ - return krb5_address_order (context, addr1, addr2) == 0; -} - -krb5_boolean -krb5_address_search(krb5_context context, - const krb5_address *addr, - const krb5_addresses *addrlist) -{ - int i; - - for (i = 0; i < addrlist->len; ++i) - if (krb5_address_compare (context, addr, &addrlist->val[i])) - return TRUE; - return FALSE; -} - -krb5_error_code -krb5_free_address(krb5_context 
context, - krb5_address *address) -{ - struct addr_operations *a = find_af (address->addr_type); - if(a != NULL && a->free_addr != NULL) - return (*a->free_addr)(context, address); - krb5_data_free (&address->address); - return 0; -} - -krb5_error_code -krb5_free_addresses(krb5_context context, - krb5_addresses *addresses) -{ - int i; - for(i = 0; i < addresses->len; i++) - krb5_free_address(context, &addresses->val[i]); - free(addresses->val); - return 0; -} - -krb5_error_code -krb5_copy_address(krb5_context context, - const krb5_address *inaddr, - krb5_address *outaddr) -{ - struct addr_operations *a = find_af (inaddr->addr_type); - if(a != NULL && a->copy_addr != NULL) - return (*a->copy_addr)(context, inaddr, outaddr); - return copy_HostAddress(inaddr, outaddr); -} - -krb5_error_code -krb5_copy_addresses(krb5_context context, - const krb5_addresses *inaddr, - krb5_addresses *outaddr) -{ - int i; - ALLOC_SEQ(outaddr, inaddr->len); - if(inaddr->len > 0 && outaddr->val == NULL) - return ENOMEM; - for(i = 0; i < inaddr->len; i++) - krb5_copy_address(context, &inaddr->val[i], &outaddr->val[i]); - return 0; -} - -krb5_error_code -krb5_append_addresses(krb5_context context, - krb5_addresses *dest, - const krb5_addresses *source) -{ - krb5_address *tmp; - krb5_error_code ret; - int i; - if(source->len > 0) { - tmp = realloc(dest->val, (dest->len + source->len) * sizeof(*tmp)); - if(tmp == NULL) { - krb5_set_error_string(context, "realloc: out of memory"); - return ENOMEM; - } - dest->val = tmp; - for(i = 0; i < source->len; i++) { - /* skip duplicates */ - if(krb5_address_search(context, &source->val[i], dest)) - continue; - ret = krb5_copy_address(context, - &source->val[i], - &dest->val[dest->len]); - if(ret) - return ret; - dest->len++; - } - } - return 0; -} - -/* - * Create an address of type KRB5_ADDRESS_ADDRPORT from (addr, port) - */ - -krb5_error_code -krb5_make_addrport (krb5_context context, - krb5_address **res, const krb5_address *addr, int16_t port) -{ - 
krb5_error_code ret; - size_t len = addr->address.length + 2 + 4 * 4; - u_char *p; - - *res = malloc (sizeof(**res)); - if (*res == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - (*res)->addr_type = KRB5_ADDRESS_ADDRPORT; - ret = krb5_data_alloc (&(*res)->address, len); - if (ret) { - krb5_set_error_string(context, "malloc: out of memory"); - free (*res); - return ret; - } - p = (*res)->address.data; - *p++ = 0; - *p++ = 0; - *p++ = (addr->addr_type ) & 0xFF; - *p++ = (addr->addr_type >> 8) & 0xFF; - - *p++ = (addr->address.length ) & 0xFF; - *p++ = (addr->address.length >> 8) & 0xFF; - *p++ = (addr->address.length >> 16) & 0xFF; - *p++ = (addr->address.length >> 24) & 0xFF; - - memcpy (p, addr->address.data, addr->address.length); - p += addr->address.length; - - *p++ = 0; - *p++ = 0; - *p++ = (KRB5_ADDRESS_IPPORT ) & 0xFF; - *p++ = (KRB5_ADDRESS_IPPORT >> 8) & 0xFF; - - *p++ = (2 ) & 0xFF; - *p++ = (2 >> 8) & 0xFF; - *p++ = (2 >> 16) & 0xFF; - *p++ = (2 >> 24) & 0xFF; - - memcpy (p, &port, 2); - p += 2; - - return 0; -} diff --git a/crypto/heimdal-0.6.3/lib/krb5/aes-test.c b/crypto/heimdal-0.6.3/lib/krb5/aes-test.c deleted file mode 100644 index cfee8e25a7..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/aes-test.c +++ /dev/null 
@@ -1,472 +0,0 @@ -/* - * Copyright (c) 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of KTH nor the names of its contributors may be - * used to endorse or promote products derived from this software without - * specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY - * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR - * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, - * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR - * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF - * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ - -#include "krb5_locl.h" - -#ifdef HAVE_OPENSSL -#include -#endif - -RCSID("$Id: aes-test.c,v 1.3 2003/03/25 11:30:41 lha Exp $"); - -static int verbose = 0; - -static void -hex_dump_data(krb5_data *data) -{ - unsigned char *p = data->data; - int i, j; - - for (i = j = 0; i < data->length; i++, j++) { - printf("%02x ", p[i]); - if (j > 15) { - printf("\n"); - j = 0; - } - } - if (j != 0) - printf("\n"); -} - -struct { - char *password; - char *salt; - int saltlen; - int iterations; - krb5_enctype enctype; - int keylen; - char *pbkdf2; - char *key; -} keys[] = { -#ifdef ENABLE_AES - { - "password", "ATHENA.MIT.EDUraeburn", -1, - 1, - ETYPE_AES128_CTS_HMAC_SHA1_96, 16, - "\xcd\xed\xb5\x28\x1b\xb2\xf8\x01\x56\x5a\x11\x22\xb2\x56\x35\x15", - "\x42\x26\x3c\x6e\x89\xf4\xfc\x28\xb8\xdf\x68\xee\x09\x79\x9f\x15" - }, - { - "password", "ATHENA.MIT.EDUraeburn", -1, - 1, - ETYPE_AES256_CTS_HMAC_SHA1_96, 32, - "\xcd\xed\xb5\x28\x1b\xb2\xf8\x01\x56\x5a\x11\x22\xb2\x56\x35\x15" - "\x0a\xd1\xf7\xa0\x4b\xb9\xf3\xa3\x33\xec\xc0\xe2\xe1\xf7\x08\x37", - "\xfe\x69\x7b\x52\xbc\x0d\x3c\xe1\x44\x32\xba\x03\x6a\x92\xe6\x5b" - "\xbb\x52\x28\x09\x90\xa2\xfa\x27\x88\x39\x98\xd7\x2a\xf3\x01\x61" - }, - { - "password", "ATHENA.MIT.EDUraeburn", -1, - 2, - ETYPE_AES128_CTS_HMAC_SHA1_96, 16, - "\x01\xdb\xee\x7f\x4a\x9e\x24\x3e\x98\x8b\x62\xc7\x3c\xda\x93\x5d", - "\xc6\x51\xbf\x29\xe2\x30\x0a\xc2\x7f\xa4\x69\xd6\x93\xbd\xda\x13" - }, - { - "password", "ATHENA.MIT.EDUraeburn", -1, - 2, - ETYPE_AES256_CTS_HMAC_SHA1_96, 32, - "\x01\xdb\xee\x7f\x4a\x9e\x24\x3e\x98\x8b\x62\xc7\x3c\xda\x93\x5d" - "\xa0\x53\x78\xb9\x32\x44\xec\x8f\x48\xa9\x9e\x61\xad\x79\x9d\x86", - "\xa2\xe1\x6d\x16\xb3\x60\x69\xc1\x35\xd5\xe9\xd2\xe2\x5f\x89\x61" - "\x02\x68\x56\x18\xb9\x59\x14\xb4\x67\xc6\x76\x22\x22\x58\x24\xff" - }, - { - "password", "ATHENA.MIT.EDUraeburn", -1, - 1200, - ETYPE_AES128_CTS_HMAC_SHA1_96, 16, - "\x5c\x08\xeb\x61\xfd\xf7\x1e\x4e\x4e\xc3\xcf\x6b\xa1\xf5\x51\x2b", - 
"\x4c\x01\xcd\x46\xd6\x32\xd0\x1e\x6d\xbe\x23\x0a\x01\xed\x64\x2a" - }, - { - "password", "ATHENA.MIT.EDUraeburn", -1, - 1200, - ETYPE_AES256_CTS_HMAC_SHA1_96, 32, - "\x5c\x08\xeb\x61\xfd\xf7\x1e\x4e\x4e\xc3\xcf\x6b\xa1\xf5\x51\x2b" - "\xa7\xe5\x2d\xdb\xc5\xe5\x14\x2f\x70\x8a\x31\xe2\xe6\x2b\x1e\x13", - "\x55\xa6\xac\x74\x0a\xd1\x7b\x48\x46\x94\x10\x51\xe1\xe8\xb0\xa7" - "\x54\x8d\x93\xb0\xab\x30\xa8\xbc\x3f\xf1\x62\x80\x38\x2b\x8c\x2a" - }, - { - "password", "\x12\x34\x56\x78\x78\x56\x34\x12", 8, - 5, - ETYPE_AES128_CTS_HMAC_SHA1_96, 16, - "\xd1\xda\xa7\x86\x15\xf2\x87\xe6\xa1\xc8\xb1\x20\xd7\x06\x2a\x49", - "\xe9\xb2\x3d\x52\x27\x37\x47\xdd\x5c\x35\xcb\x55\xbe\x61\x9d\x8e" - }, - { - "password", "\x12\x34\x56\x78\x78\x56\x34\x12", 8, - 5, - ETYPE_AES256_CTS_HMAC_SHA1_96, 32, - "\xd1\xda\xa7\x86\x15\xf2\x87\xe6\xa1\xc8\xb1\x20\xd7\x06\x2a\x49" - "\x3f\x98\xd2\x03\xe6\xbe\x49\xa6\xad\xf4\xfa\x57\x4b\x6e\x64\xee", - "\x97\xa4\xe7\x86\xbe\x20\xd8\x1a\x38\x2d\x5e\xbc\x96\xd5\x90\x9c" - "\xab\xcd\xad\xc8\x7c\xa4\x8f\x57\x45\x04\x15\x9f\x16\xc3\x6e\x31" - }, - { - "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", - "pass phrase equals block size", -1, - 1200, - ETYPE_AES128_CTS_HMAC_SHA1_96, 16, - "\x13\x9c\x30\xc0\x96\x6b\xc3\x2b\xa5\x5f\xdb\xf2\x12\x53\x0a\xc9", - "\x59\xd1\xbb\x78\x9a\x82\x8b\x1a\xa5\x4e\xf9\xc2\x88\x3f\x69\xed" - }, - { - "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", - "pass phrase equals block size", -1, - 1200, - ETYPE_AES256_CTS_HMAC_SHA1_96, 32, - "\x13\x9c\x30\xc0\x96\x6b\xc3\x2b\xa5\x5f\xdb\xf2\x12\x53\x0a\xc9" - "\xc5\xec\x59\xf1\xa4\x52\xf5\xcc\x9a\xd9\x40\xfe\xa0\x59\x8e\xd1", - "\x89\xad\xee\x36\x08\xdb\x8b\xc7\x1f\x1b\xfb\xfe\x45\x94\x86\xb0" - "\x56\x18\xb7\x0c\xba\xe2\x20\x92\x53\x4e\x56\xc5\x53\xba\x4b\x34" - }, - { - "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", - "pass phrase exceeds block size", -1, - 1200, - ETYPE_AES128_CTS_HMAC_SHA1_96, 16, - 
"\x9c\xca\xd6\xd4\x68\x77\x0c\xd5\x1b\x10\xe6\xa6\x87\x21\xbe\x61", - "\xcb\x80\x05\xdc\x5f\x90\x17\x9a\x7f\x02\x10\x4c\x00\x18\x75\x1d" - }, - { - "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", - "pass phrase exceeds block size", -1, - 1200, - ETYPE_AES256_CTS_HMAC_SHA1_96, 32, - "\x9c\xca\xd6\xd4\x68\x77\x0c\xd5\x1b\x10\xe6\xa6\x87\x21\xbe\x61" - "\x1a\x8b\x4d\x28\x26\x01\xdb\x3b\x36\xbe\x92\x46\x91\x5e\xc8\x2a", - "\xd7\x8c\x5c\x9c\xb8\x72\xa8\xc9\xda\xd4\x69\x7f\x0b\xb5\xb2\xd2" - "\x14\x96\xc8\x2b\xeb\x2c\xae\xda\x21\x12\xfc\xee\xa0\x57\x40\x1b" - - }, - { - "\xf0\x9d\x84\x9e" /* g-clef */, "EXAMPLE.COMpianist", -1, - 50, - ETYPE_AES128_CTS_HMAC_SHA1_96, 16, - "\x6b\x9c\xf2\x6d\x45\x45\x5a\x43\xa5\xb8\xbb\x27\x6a\x40\x3b\x39", - "\xf1\x49\xc1\xf2\xe1\x54\xa7\x34\x52\xd4\x3e\x7f\xe6\x2a\x56\xe5" - }, - { - "\xf0\x9d\x84\x9e" /* g-clef */, "EXAMPLE.COMpianist", -1, - 50, - ETYPE_AES256_CTS_HMAC_SHA1_96, 32, - "\x6b\x9c\xf2\x6d\x45\x45\x5a\x43\xa5\xb8\xbb\x27\x6a\x40\x3b\x39" - "\xe7\xfe\x37\xa0\xc4\x1e\x02\xc2\x81\xff\x30\x69\xe1\xe9\x4f\x52", - "\x4b\x6d\x98\x39\xf8\x44\x06\xdf\x1f\x09\xcc\x16\x6d\xb4\xb8\x3c" - "\x57\x18\x48\xb7\x84\xa3\xd6\xbd\xc3\x46\x58\x9a\x3e\x39\x3f\x9e" - }, -#endif - { - "foo", "", -1, - 0, - ETYPE_ARCFOUR_HMAC_MD5, 16, - NULL, - "\xac\x8e\x65\x7f\x83\xdf\x82\xbe\xea\x5d\x43\xbd\xaf\x78\x00\xcc" - }, - { - "test", "", -1, - 0, - ETYPE_ARCFOUR_HMAC_MD5, 16, - NULL, - "\x0c\xb6\x94\x88\x05\xf7\x97\xbf\x2a\x82\x80\x79\x73\xb8\x95\x37" - } -}; - -static int -string_to_key_test(krb5_context context) -{ - krb5_data password, opaque; - krb5_error_code ret; - krb5_keyblock key; - krb5_salt salt; - int i, val = 0; - char iter[4]; - char keyout[32]; - - for (i = 0; i < sizeof(keys)/sizeof(keys[0]); i++) { - - password.data = keys[i].password; - password.length = strlen(password.data); - - salt.salttype = KRB5_PW_SALT; - salt.saltvalue.data = keys[i].salt; - if (keys[i].saltlen == -1) - salt.saltvalue.length = 
strlen(salt.saltvalue.data); - else - salt.saltvalue.length = keys[i].saltlen; - - opaque.data = iter; - opaque.length = sizeof(iter); - _krb5_put_int(iter, keys[i].iterations, 4); - - if (verbose) - printf("%d: password: %s salt: %s\n", - i, keys[i].password, keys[i].salt); - - if (keys[i].keylen > sizeof(keyout)) - abort(); - -#ifdef ENABLE_AES - if (keys[i].pbkdf2) { - -#ifdef HAVE_OPENSSL - PKCS5_PBKDF2_HMAC_SHA1(password.data, password.length, - salt.saltvalue.data, salt.saltvalue.length, - keys[i].iterations, - keys[i].keylen, keyout); - - if (memcmp(keyout, keys[i].pbkdf2, keys[i].keylen) != 0) { - krb5_warnx(context, "%d: openssl key pbkdf2", i); - val = 1; - continue; - } -#endif - - ret = krb5_PKCS5_PBKDF2(context, CKSUMTYPE_SHA1, password, salt, - keys[i].iterations - 1, - keys[i].enctype, - &key); - if (ret) { - krb5_warn(context, ret, "%d: krb5_PKCS5_PBKDF2", i); - val = 1; - continue; - } - - if (key.keyvalue.length != keys[i].keylen) { - krb5_warnx(context, "%d: size key pbkdf2", i); - val = 1; - continue; - } - - if (memcmp(key.keyvalue.data, keys[i].pbkdf2, keys[i].keylen) != 0) { - krb5_warnx(context, "%d: key pbkdf2 pl %d", - i, password.length); - val = 1; - continue; - } - - if (verbose) { - printf("PBKDF2:\n"); - hex_dump_data(&key.keyvalue); - } - - krb5_free_keyblock_contents(context, &key); - } -#endif - - ret = krb5_string_to_key_data_salt_opaque (context, keys[i].enctype, - password, salt, opaque, - &key); - if (ret) { - krb5_warn(context, ret, "%d: string_to_key_data_salt_opaque", i); - val = 1; - continue; - } - - if (key.keyvalue.length != keys[i].keylen) { - krb5_warnx(context, "%d: key wrong length (%d/%d)", - i, key.keyvalue.length, keys[i].keylen); - val = 1; - continue; - } - - if (memcmp(key.keyvalue.data, keys[i].key, keys[i].keylen) != 0) { - krb5_warnx(context, "%d: key wrong", i); - val = 1; - continue; - } - - if (verbose) { - printf("key:\n"); - hex_dump_data(&key.keyvalue); - } - krb5_free_keyblock_contents(context, &key); 
- } - return val; -} - -#ifdef ENABLE_AES - -struct { - size_t len; - char *input; - char *output; -} encs[] = { - { - 17, - "\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65" - "\x20", - "\xc6\x35\x35\x68\xf2\xbf\x8c\xb4\xd8\xa5\x80\x36\x2d\xa7\xff\x7f" - "\x97" - }, - { - 31, - "\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65" - "\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20", - "\xfc\x00\x78\x3e\x0e\xfd\xb2\xc1\xd4\x45\xd4\xc8\xef\xf7\xed\x22" - "\x97\x68\x72\x68\xd6\xec\xcc\xc0\xc0\x7b\x25\xe2\x5e\xcf\xe5" - }, - { - 32, - "\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65" - "\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43", - "\x39\x31\x25\x23\xa7\x86\x62\xd5\xbe\x7f\xcb\xcc\x98\xeb\xf5\xa8" - "\x97\x68\x72\x68\xd6\xec\xcc\xc0\xc0\x7b\x25\xe2\x5e\xcf\xe5\x84" - }, - { - 47, - "\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65" - "\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43" - "\x68\x69\x63\x6b\x65\x6e\x2c\x20\x70\x6c\x65\x61\x73\x65\x2c", - "\x97\x68\x72\x68\xd6\xec\xcc\xc0\xc0\x7b\x25\xe2\x5e\xcf\xe5\x84" - "\xb3\xff\xfd\x94\x0c\x16\xa1\x8c\x1b\x55\x49\xd2\xf8\x38\x02\x9e" - "\x39\x31\x25\x23\xa7\x86\x62\xd5\xbe\x7f\xcb\xcc\x98\xeb\xf5" - }, - { - 64, - "\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65" - "\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43" - "\x68\x69\x63\x6b\x65\x6e\x2c\x20\x70\x6c\x65\x61\x73\x65\x2c\x20" - "\x61\x6e\x64\x20\x77\x6f\x6e\x74\x6f\x6e\x20\x73\x6f\x75\x70\x2e", - "\x97\x68\x72\x68\xd6\xec\xcc\xc0\xc0\x7b\x25\xe2\x5e\xcf\xe5\x84" - "\x39\x31\x25\x23\xa7\x86\x62\xd5\xbe\x7f\xcb\xcc\x98\xeb\xf5\xa8" - "\x48\x07\xef\xe8\x36\xee\x89\xa5\x26\x73\x0d\xbc\x2f\x7b\xc8\x40" - "\x9d\xad\x8b\xbb\x96\xc4\xcd\xc0\x3b\xc1\x03\xe1\xa1\x94\xbb\xd8" - } -}; - -char *enc_key = - "\x63\x68\x69\x63\x6b\x65\x6e\x20\x74\x65\x72\x69\x79\x61\x6b\x69"; - -static int -samep(int testn, char *type, const char 
*p1, const char *p2, size_t len) -{ - size_t i; - int val = 1; - - for (i = 0; i < len; i++) { - if (p1[i] != p2[i]) { - if (verbose) - printf("M"); - val = 0; - } else { - if (verbose) - printf("."); - } - } - if (verbose) - printf("\n"); - return val; -} - -static int -encryption_test(krb5_context context) -{ - char iv[AES_BLOCK_SIZE]; - int i, val = 0; - AES_KEY ekey, dkey; - char *p; - - AES_set_encrypt_key(enc_key, 128, &ekey); - AES_set_decrypt_key(enc_key, 128, &dkey); - - for (i = 0; i < sizeof(encs)/sizeof(encs[0]); i++) { - if (verbose) - printf("test: %d\n", i); - memset(iv, 0, sizeof(iv)); - - p = malloc(encs[i].len + 1); - if (p == NULL) - krb5_errx(context, 1, "malloc"); - - p[encs[i].len] = '\0'; - - memcpy(p, encs[i].input, encs[i].len); - - _krb5_aes_cts_encrypt(p, p, encs[i].len, - &ekey, iv, AES_ENCRYPT); - - if (p[encs[i].len] != '\0') { - krb5_warnx(context, "%d: encrypt modified off end", i); - val = 1; - } - - if (!samep(i, "cipher", p, encs[i].output, encs[i].len)) - val = 1; - - memset(iv, 0, sizeof(iv)); - - _krb5_aes_cts_encrypt(p, p, encs[i].len, - &dkey, iv, AES_DECRYPT); - - if (p[encs[i].len] != '\0') { - krb5_warnx(context, "%d: decrypt modified off end", i); - val = 1; - } - - if (!samep(i, "clear", p, encs[i].input, encs[i].len)) - val = 1; - - free(p); - } - return val; -} - -#endif /* ENABLE_AES */ - -int -main(int argc, char **argv) -{ - krb5_error_code ret; - krb5_context context; - int val = 0; - - ret = krb5_init_context (&context); - if (ret) - errx (1, "krb5_init_context failed: %d", ret); - - val |= string_to_key_test(context); - -#ifdef ENABLE_AES - val |= encryption_test(context); -#endif - - if (verbose && val == 0) - printf("all ok\n"); - if (val) - printf("tests failed\n"); - - krb5_free_context(context); - - return val; -} diff --git a/crypto/heimdal-0.6.3/lib/krb5/aname_to_localname.c b/crypto/heimdal-0.6.3/lib/krb5/aname_to_localname.c deleted file mode 100644 index d5b5f87a6c..0000000000 
--- a/crypto/heimdal-0.6.3/lib/krb5/aname_to_localname.c
+++ /dev/null
@@ -1,92 +0,0 @@
-/*
- * Copyright (c) 1997 - 1999, 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include
-
-RCSID("$Id: aname_to_localname.c,v 1.6 2003/04/16 16:01:06 lha Exp $");
-
-krb5_error_code
-krb5_aname_to_localname (krb5_context context,
- krb5_const_principal aname,
- size_t lnsize,
- char *lname)
-{
- krb5_error_code ret;
- krb5_realm *lrealms, *r;
- int valid;
- size_t len;
- const char *res;
-
- ret = krb5_get_default_realms (context, &lrealms);
- if (ret)
- return ret;
-
- valid = 0;
- for (r = lrealms; *r != NULL; ++r) {
- if (strcmp (*r, aname->realm) == 0) {
- valid = 1;
- break;
- }
- }
- krb5_free_host_realm (context, lrealms);
- if (valid == 0)
- return KRB5_NO_LOCALNAME;
-
- if (aname->name.name_string.len == 1)
- res = aname->name.name_string.val[0];
- else if (aname->name.name_string.len == 2
- && strcmp (aname->name.name_string.val[1], "root") == 0) {
- krb5_principal rootprinc;
- krb5_boolean userok;
-
- res = "root";
-
- ret = krb5_copy_principal(context, aname, &rootprinc);
- if (ret)
- return ret;
-
- userok = krb5_kuserok(context, rootprinc, res);
- krb5_free_principal(context, rootprinc);
- if (!userok)
- return KRB5_NO_LOCALNAME;
-
- } else
- return KRB5_NO_LOCALNAME;
-
- len = strlen (res);
- if (len >= lnsize)
- return ERANGE;
- strlcpy (lname, res, lnsize);
-
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/lib/krb5/appdefault.c b/crypto/heimdal-0.6.3/lib/krb5/appdefault.c
deleted file mode 100644
index 831b6036bf..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/appdefault.c
+++ /dev/null
@@ -1,137 +0,0 @@
-/*
- * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "krb5_locl.h" - -RCSID("$Id: appdefault.c,v 1.7 2001/09/16 04:48:55 assar Exp $"); - -void -krb5_appdefault_boolean(krb5_context context, const char *appname, - krb5_const_realm realm, const char *option, - krb5_boolean def_val, krb5_boolean *ret_val) -{ - - if(appname == NULL) - appname = getprogname(); - - def_val = krb5_config_get_bool_default(context, NULL, def_val, - "libdefaults", option, NULL); - if(realm != NULL) - def_val = krb5_config_get_bool_default(context, NULL, def_val, - "realms", realm, option, NULL); - - def_val = krb5_config_get_bool_default(context, NULL, def_val, - "appdefaults", - option, - NULL); - if(realm != NULL) - def_val = krb5_config_get_bool_default(context, NULL, def_val, - "appdefaults", - realm, - option, - NULL); - if(appname != NULL) { - def_val = krb5_config_get_bool_default(context, NULL, def_val, - "appdefaults", - appname, - option, - NULL); - if(realm != NULL) - def_val = krb5_config_get_bool_default(context, NULL, def_val, - "appdefaults", - appname, - realm, - option, - NULL); - } - *ret_val = def_val; -} - -void -krb5_appdefault_string(krb5_context context, const char *appname, - krb5_const_realm realm, const char *option, - const char *def_val, char **ret_val) -{ - if(appname == NULL) - appname = getprogname(); - - def_val = krb5_config_get_string_default(context, NULL, def_val, - "libdefaults", option, NULL); - if(realm != NULL) - def_val = krb5_config_get_string_default(context, NULL, def_val, - "realms", realm, option, NULL); - - def_val = krb5_config_get_string_default(context, NULL, def_val, - "appdefaults", - option, - NULL); - if(realm != NULL) - def_val = krb5_config_get_string_default(context, NULL, def_val, - "appdefaults", - realm, - option, - NULL); - if(appname != NULL) { - def_val = krb5_config_get_string_default(context, NULL, def_val, - "appdefaults", - appname, - option, - NULL); - if(realm != NULL) - def_val = krb5_config_get_string_default(context, NULL, def_val, - "appdefaults", - 
appname, - realm, - option, - NULL); - } - if(def_val != NULL) - *ret_val = strdup(def_val); - else - *ret_val = NULL; -} - -void -krb5_appdefault_time(krb5_context context, const char *appname, - krb5_const_realm realm, const char *option, - time_t def_val, time_t *ret_val) -{ - time_t t; - char tstr[32]; - char *val; - snprintf(tstr, sizeof(tstr), "%ld", (long)def_val); - krb5_appdefault_string(context, appname, realm, option, tstr, &val); - t = parse_time (val, NULL); - free(val); - *ret_val = t; -} diff --git a/crypto/heimdal-0.6.3/lib/krb5/asn1_glue.c b/crypto/heimdal-0.6.3/lib/krb5/asn1_glue.c deleted file mode 100644 index ac83ff78bd..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/asn1_glue.c +++ /dev/null 
@@ -1,59 +0,0 @@
-/*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- *
- */
-
-#include "krb5_locl.h"
-
-RCSID("$Id: asn1_glue.c,v 1.7 1999/12/02 17:05:07 joda Exp $");
-
-krb5_error_code
-krb5_principal2principalname (PrincipalName *p,
- const krb5_principal from)
-{
- return copy_PrincipalName(&from->name, p);
-}
-
-krb5_error_code
-principalname2krb5_principal (krb5_principal *principal,
- const PrincipalName from,
- const Realm realm)
-{
- krb5_principal p = malloc(sizeof(*p));
- copy_PrincipalName(&from, &p->name);
- p->realm = strdup(realm);
- *principal = p;
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/lib/krb5/auth_context.c b/crypto/heimdal-0.6.3/lib/krb5/auth_context.c
deleted file mode 100644
index 2e7a8f49cb..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/auth_context.c
+++ /dev/null
@@ -1,492 +0,0 @@ -/* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "krb5_locl.h" - -RCSID("$Id: auth_context.c,v 1.59 2002/09/02 17:11:02 joda Exp $"); - -krb5_error_code -krb5_auth_con_init(krb5_context context, - krb5_auth_context *auth_context) -{ - krb5_auth_context p; - - ALLOC(p, 1); - if(!p) { - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - memset(p, 0, sizeof(*p)); - ALLOC(p->authenticator, 1); - if (!p->authenticator) { - krb5_set_error_string(context, "malloc: out of memory"); - free(p); - return ENOMEM; - } - memset (p->authenticator, 0, sizeof(*p->authenticator)); - p->flags = KRB5_AUTH_CONTEXT_DO_TIME; - - p->local_address = NULL; - p->remote_address = NULL; - p->local_port = 0; - p->remote_port = 0; - p->keytype = KEYTYPE_NULL; - p->cksumtype = CKSUMTYPE_NONE; - *auth_context = p; - return 0; -} - -krb5_error_code -krb5_auth_con_free(krb5_context context, - krb5_auth_context auth_context) -{ - if (auth_context != NULL) { - krb5_free_authenticator(context, &auth_context->authenticator); - if(auth_context->local_address){ - free_HostAddress(auth_context->local_address); - free(auth_context->local_address); - } - if(auth_context->remote_address){ - free_HostAddress(auth_context->remote_address); - free(auth_context->remote_address); - } - krb5_free_keyblock(context, auth_context->keyblock); - krb5_free_keyblock(context, auth_context->remote_subkey); - krb5_free_keyblock(context, auth_context->local_subkey); - free (auth_context); - } - return 0; -} - -krb5_error_code -krb5_auth_con_setflags(krb5_context context, - krb5_auth_context auth_context, - int32_t flags) -{ - auth_context->flags = flags; - return 0; -} - - -krb5_error_code -krb5_auth_con_getflags(krb5_context context, - krb5_auth_context auth_context, - int32_t *flags) -{ - *flags = auth_context->flags; - return 0; -} - - -krb5_error_code -krb5_auth_con_setaddrs(krb5_context context, - krb5_auth_context auth_context, - krb5_address *local_addr, - krb5_address *remote_addr) -{ - if (local_addr) { - if 
(auth_context->local_address) - krb5_free_address (context, auth_context->local_address); - else - auth_context->local_address = malloc(sizeof(krb5_address)); - krb5_copy_address(context, local_addr, auth_context->local_address); - } - if (remote_addr) { - if (auth_context->remote_address) - krb5_free_address (context, auth_context->remote_address); - else - auth_context->remote_address = malloc(sizeof(krb5_address)); - krb5_copy_address(context, remote_addr, auth_context->remote_address); - } - return 0; -} - -krb5_error_code -krb5_auth_con_genaddrs(krb5_context context, - krb5_auth_context auth_context, - int fd, int flags) -{ - krb5_error_code ret; - krb5_address local_k_address, remote_k_address; - krb5_address *lptr = NULL, *rptr = NULL; - struct sockaddr_storage ss_local, ss_remote; - struct sockaddr *local = (struct sockaddr *)&ss_local; - struct sockaddr *remote = (struct sockaddr *)&ss_remote; - socklen_t len; - - if(flags & KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR) { - if (auth_context->local_address == NULL) { - len = sizeof(ss_local); - if(getsockname(fd, local, &len) < 0) { - ret = errno; - krb5_set_error_string (context, "getsockname: %s", - strerror(ret)); - goto out; - } - ret = krb5_sockaddr2address (context, local, &local_k_address); - if(ret) goto out; - if(flags & KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR) { - krb5_sockaddr2port (context, local, &auth_context->local_port); - } else - auth_context->local_port = 0; - lptr = &local_k_address; - } - } - if(flags & KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR) { - len = sizeof(ss_remote); - if(getpeername(fd, remote, &len) < 0) { - ret = errno; - krb5_set_error_string (context, "getpeername: %s", strerror(ret)); - goto out; - } - ret = krb5_sockaddr2address (context, remote, &remote_k_address); - if(ret) goto out; - if(flags & KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR) { - krb5_sockaddr2port (context, remote, &auth_context->remote_port); - } else - auth_context->remote_port = 0; - rptr = &remote_k_address; 
- } - ret = krb5_auth_con_setaddrs (context, - auth_context, - lptr, - rptr); - out: - if (lptr) - krb5_free_address (context, lptr); - if (rptr) - krb5_free_address (context, rptr); - return ret; - -} - -krb5_error_code -krb5_auth_con_setaddrs_from_fd (krb5_context context, - krb5_auth_context auth_context, - void *p_fd) -{ - int fd = *(int*)p_fd; - int flags = 0; - if(auth_context->local_address == NULL) - flags |= KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR; - if(auth_context->remote_address == NULL) - flags |= KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR; - return krb5_auth_con_genaddrs(context, auth_context, fd, flags); -} - -krb5_error_code -krb5_auth_con_getaddrs(krb5_context context, - krb5_auth_context auth_context, - krb5_address **local_addr, - krb5_address **remote_addr) -{ - if(*local_addr) - krb5_free_address (context, *local_addr); - *local_addr = malloc (sizeof(**local_addr)); - if (*local_addr == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - krb5_copy_address(context, - auth_context->local_address, - *local_addr); - - if(*remote_addr) - krb5_free_address (context, *remote_addr); - *remote_addr = malloc (sizeof(**remote_addr)); - if (*remote_addr == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - krb5_free_address (context, *local_addr); - *local_addr = NULL; - return ENOMEM; - } - krb5_copy_address(context, - auth_context->remote_address, - *remote_addr); - return 0; -} - -static krb5_error_code -copy_key(krb5_context context, - krb5_keyblock *in, - krb5_keyblock **out) -{ - if(in) - return krb5_copy_keyblock(context, in, out); - *out = NULL; /* is this right? 
*/ - return 0; -} - -krb5_error_code -krb5_auth_con_getkey(krb5_context context, - krb5_auth_context auth_context, - krb5_keyblock **keyblock) -{ - return copy_key(context, auth_context->keyblock, keyblock); -} - -krb5_error_code -krb5_auth_con_getlocalsubkey(krb5_context context, - krb5_auth_context auth_context, - krb5_keyblock **keyblock) -{ - return copy_key(context, auth_context->local_subkey, keyblock); -} - -krb5_error_code -krb5_auth_con_getremotesubkey(krb5_context context, - krb5_auth_context auth_context, - krb5_keyblock **keyblock) -{ - return copy_key(context, auth_context->remote_subkey, keyblock); -} - -krb5_error_code -krb5_auth_con_setkey(krb5_context context, - krb5_auth_context auth_context, - krb5_keyblock *keyblock) -{ - if(auth_context->keyblock) - krb5_free_keyblock(context, auth_context->keyblock); - return copy_key(context, keyblock, &auth_context->keyblock); -} - -krb5_error_code -krb5_auth_con_setlocalsubkey(krb5_context context, - krb5_auth_context auth_context, - krb5_keyblock *keyblock) -{ - if(auth_context->local_subkey) - krb5_free_keyblock(context, auth_context->local_subkey); - return copy_key(context, keyblock, &auth_context->local_subkey); -} - -krb5_error_code -krb5_auth_con_generatelocalsubkey(krb5_context context, - krb5_auth_context auth_context, - krb5_keyblock *key) -{ - krb5_error_code ret; - krb5_keyblock *subkey; - - ret = krb5_generate_subkey (context, key, &subkey); - if(ret) - return ret; - if(auth_context->local_subkey) - krb5_free_keyblock(context, auth_context->local_subkey); - auth_context->local_subkey = subkey; - return 0; -} - - -krb5_error_code -krb5_auth_con_setremotesubkey(krb5_context context, - krb5_auth_context auth_context, - krb5_keyblock *keyblock) -{ - if(auth_context->remote_subkey) - krb5_free_keyblock(context, auth_context->remote_subkey); - return copy_key(context, keyblock, &auth_context->remote_subkey); -} - -krb5_error_code -krb5_auth_con_setcksumtype(krb5_context context, - krb5_auth_context 
auth_context, - krb5_cksumtype cksumtype) -{ - auth_context->cksumtype = cksumtype; - return 0; -} - -krb5_error_code -krb5_auth_con_getcksumtype(krb5_context context, - krb5_auth_context auth_context, - krb5_cksumtype *cksumtype) -{ - *cksumtype = auth_context->cksumtype; - return 0; -} - -krb5_error_code -krb5_auth_con_setkeytype (krb5_context context, - krb5_auth_context auth_context, - krb5_keytype keytype) -{ - auth_context->keytype = keytype; - return 0; -} - -krb5_error_code -krb5_auth_con_getkeytype (krb5_context context, - krb5_auth_context auth_context, - krb5_keytype *keytype) -{ - *keytype = auth_context->keytype; - return 0; -} - -#if 0 -krb5_error_code -krb5_auth_con_setenctype(krb5_context context, - krb5_auth_context auth_context, - krb5_enctype etype) -{ - if(auth_context->keyblock) - krb5_free_keyblock(context, auth_context->keyblock); - ALLOC(auth_context->keyblock, 1); - if(auth_context->keyblock == NULL) - return ENOMEM; - auth_context->keyblock->keytype = etype; - return 0; -} - -krb5_error_code -krb5_auth_con_getenctype(krb5_context context, - krb5_auth_context auth_context, - krb5_enctype *etype) -{ - krb5_abortx(context, "unimplemented krb5_auth_getenctype called"); -} -#endif - -krb5_error_code -krb5_auth_con_getlocalseqnumber(krb5_context context, - krb5_auth_context auth_context, - int32_t *seqnumber) -{ - *seqnumber = auth_context->local_seqnumber; - return 0; -} - -krb5_error_code -krb5_auth_con_setlocalseqnumber (krb5_context context, - krb5_auth_context auth_context, - int32_t seqnumber) -{ - auth_context->local_seqnumber = seqnumber; - return 0; -} - -krb5_error_code -krb5_auth_getremoteseqnumber(krb5_context context, - krb5_auth_context auth_context, - int32_t *seqnumber) -{ - *seqnumber = auth_context->remote_seqnumber; - return 0; -} - -krb5_error_code -krb5_auth_con_setremoteseqnumber (krb5_context context, - krb5_auth_context auth_context, - int32_t seqnumber) -{ - auth_context->remote_seqnumber = seqnumber; - return 0; -} - - 
-krb5_error_code -krb5_auth_con_getauthenticator(krb5_context context, - krb5_auth_context auth_context, - krb5_authenticator *authenticator) -{ - *authenticator = malloc(sizeof(**authenticator)); - if (*authenticator == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - - copy_Authenticator(auth_context->authenticator, - *authenticator); - return 0; -} - - -void -krb5_free_authenticator(krb5_context context, - krb5_authenticator *authenticator) -{ - free_Authenticator (*authenticator); - free (*authenticator); - *authenticator = NULL; -} - - -krb5_error_code -krb5_auth_con_setuserkey(krb5_context context, - krb5_auth_context auth_context, - krb5_keyblock *keyblock) -{ - if(auth_context->keyblock) - krb5_free_keyblock(context, auth_context->keyblock); - return krb5_copy_keyblock(context, keyblock, &auth_context->keyblock); -} - -krb5_error_code -krb5_auth_con_getrcache(krb5_context context, - krb5_auth_context auth_context, - krb5_rcache *rcache) -{ - *rcache = auth_context->rcache; - return 0; -} - -krb5_error_code -krb5_auth_con_setrcache(krb5_context context, - krb5_auth_context auth_context, - krb5_rcache rcache) -{ - auth_context->rcache = rcache; - return 0; -} - -#if 0 /* not implemented */ - -krb5_error_code -krb5_auth_con_initivector(krb5_context context, - krb5_auth_context auth_context) -{ - krb5_abortx(context, "unimplemented krb5_auth_con_initivector called"); -} - - -krb5_error_code -krb5_auth_con_setivector(krb5_context context, - krb5_auth_context auth_context, - krb5_pointer ivector) -{ - krb5_abortx(context, "unimplemented krb5_auth_con_setivector called"); -} - -#endif /* not implemented */ diff --git a/crypto/heimdal-0.6.3/lib/krb5/build_ap_req.c b/crypto/heimdal-0.6.3/lib/krb5/build_ap_req.c deleted file mode 100644 index cab5e6fd2d..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/build_ap_req.c +++ /dev/null 
@@ -1,75 +0,0 @@
-/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include
-
-RCSID("$Id: build_ap_req.c,v 1.18 2002/09/04 16:26:04 joda Exp $");
-
-krb5_error_code
-krb5_build_ap_req (krb5_context context,
- krb5_enctype enctype,
- krb5_creds *cred,
- krb5_flags ap_options,
- krb5_data authenticator,
- krb5_data *retdata)
-{
- krb5_error_code ret = 0;
- AP_REQ ap;
- Ticket t;
- size_t len;
-
- ap.pvno = 5;
- ap.msg_type = krb_ap_req;
- memset(&ap.ap_options, 0, sizeof(ap.ap_options));
- ap.ap_options.use_session_key = (ap_options & AP_OPTS_USE_SESSION_KEY) > 0;
- ap.ap_options.mutual_required = (ap_options & AP_OPTS_MUTUAL_REQUIRED) > 0;
-
- ap.ticket.tkt_vno = 5;
- copy_Realm(&cred->server->realm, &ap.ticket.realm);
- copy_PrincipalName(&cred->server->name, &ap.ticket.sname);
-
- decode_Ticket(cred->ticket.data, cred->ticket.length, &t, &len);
- copy_EncryptedData(&t.enc_part, &ap.ticket.enc_part);
- free_Ticket(&t);
-
- ap.authenticator.etype = enctype;
- ap.authenticator.kvno = NULL;
- ap.authenticator.cipher = authenticator;
-
- ASN1_MALLOC_ENCODE(AP_REQ, retdata->data, retdata->length,
- &ap, &len, ret);
-
- free_AP_REQ(&ap);
- return ret;
-
-}
diff --git a/crypto/heimdal-0.6.3/lib/krb5/build_auth.c b/crypto/heimdal-0.6.3/lib/krb5/build_auth.c
deleted file mode 100644
index 9a2ca3e28e..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/build_auth.c
+++ /dev/null
@@ -1,130 +0,0 @@ -/* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include - -RCSID("$Id: build_auth.c,v 1.38 2002/09/04 16:26:04 joda Exp $"); - -krb5_error_code -krb5_build_authenticator (krb5_context context, - krb5_auth_context auth_context, - krb5_enctype enctype, - krb5_creds *cred, - Checksum *cksum, - Authenticator **auth_result, - krb5_data *result, - krb5_key_usage usage) -{ - Authenticator *auth; - u_char *buf = NULL; - size_t buf_size; - size_t len; - krb5_error_code ret; - krb5_crypto crypto; - - auth = malloc(sizeof(*auth)); - if (auth == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - - memset (auth, 0, sizeof(*auth)); - auth->authenticator_vno = 5; - copy_Realm(&cred->client->realm, &auth->crealm); - copy_PrincipalName(&cred->client->name, &auth->cname); - - { - int32_t sec, usec; - - krb5_us_timeofday (context, &sec, &usec); - auth->ctime = sec; - auth->cusec = usec; - } - ret = krb5_auth_con_getlocalsubkey(context, auth_context, &auth->subkey); - if(ret) - goto fail; - - if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) { - krb5_generate_seq_number (context, - &cred->session, - &auth_context->local_seqnumber); - ALLOC(auth->seq_number, 1); - *auth->seq_number = auth_context->local_seqnumber; - } else - auth->seq_number = NULL; - auth->authorization_data = NULL; - auth->cksum = cksum; - - /* XXX - Copy more to auth_context? 
*/ - - if (auth_context) { - auth_context->authenticator->ctime = auth->ctime; - auth_context->authenticator->cusec = auth->cusec; - } - - ASN1_MALLOC_ENCODE(Authenticator, buf, buf_size, auth, &len, ret); - - if (ret) - goto fail; - - ret = krb5_crypto_init(context, &cred->session, enctype, &crypto); - if (ret) - goto fail; - ret = krb5_encrypt (context, - crypto, - usage /* KRB5_KU_AP_REQ_AUTH */, - buf + buf_size - len, - len, - result); - krb5_crypto_destroy(context, crypto); - - if (ret) - goto fail; - - free (buf); - - if (auth_result) - *auth_result = auth; - else { - /* Don't free the `cksum', it's allocated by the caller */ - auth->cksum = NULL; - free_Authenticator (auth); - free (auth); - } - return ret; -fail: - free_Authenticator (auth); - free (auth); - free (buf); - return ret; -} diff --git a/crypto/heimdal-0.6.3/lib/krb5/cache.c b/crypto/heimdal-0.6.3/lib/krb5/cache.c deleted file mode 100644 index 26cda9a626..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/cache.c +++ /dev/null 
@@ -1,470 +0,0 @@ -/* - * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "krb5_locl.h" - -RCSID("$Id: cache.c,v 1.52 2003/03/16 18:23:59 lha Exp $"); - -/* - * Add a new ccache type with operations `ops', overwriting any - * existing one if `override'. - * Return an error code or 0. 
- */ - -krb5_error_code -krb5_cc_register(krb5_context context, - const krb5_cc_ops *ops, - krb5_boolean override) -{ - int i; - - for(i = 0; i < context->num_cc_ops && context->cc_ops[i].prefix; i++) { - if(strcmp(context->cc_ops[i].prefix, ops->prefix) == 0) { - if(!override) { - krb5_set_error_string(context, - "ccache type %s already exists", - ops->prefix); - return KRB5_CC_TYPE_EXISTS; - } - break; - } - } - if(i == context->num_cc_ops) { - krb5_cc_ops *o = realloc(context->cc_ops, - (context->num_cc_ops + 1) * - sizeof(*context->cc_ops)); - if(o == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - return KRB5_CC_NOMEM; - } - context->num_cc_ops++; - context->cc_ops = o; - memset(context->cc_ops + i, 0, - (context->num_cc_ops - i) * sizeof(*context->cc_ops)); - } - memcpy(&context->cc_ops[i], ops, sizeof(context->cc_ops[i])); - return 0; -} - -/* - * Allocate memory for a new ccache in `id' with operations `ops' - * and name `residual'. - * Return 0 or an error code. - */ - -static krb5_error_code -allocate_ccache (krb5_context context, - const krb5_cc_ops *ops, - const char *residual, - krb5_ccache *id) -{ - krb5_error_code ret; - krb5_ccache p; - - p = malloc(sizeof(*p)); - if(p == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - return KRB5_CC_NOMEM; - } - p->ops = ops; - *id = p; - ret = p->ops->resolve(context, id, residual); - if(ret) - free(p); - return ret; -} - -/* - * Find and allocate a ccache in `id' from the specification in `residual'. - * If the ccache name doesn't contain any colon, interpret it as a file name. - * Return 0 or an error code. 
- */ - -krb5_error_code -krb5_cc_resolve(krb5_context context, - const char *name, - krb5_ccache *id) -{ - int i; - - for(i = 0; i < context->num_cc_ops && context->cc_ops[i].prefix; i++) { - size_t prefix_len = strlen(context->cc_ops[i].prefix); - - if(strncmp(context->cc_ops[i].prefix, name, prefix_len) == 0 - && name[prefix_len] == ':') { - return allocate_ccache (context, &context->cc_ops[i], - name + prefix_len + 1, - id); - } - } - if (strchr (name, ':') == NULL) - return allocate_ccache (context, &krb5_fcc_ops, name, id); - else { - krb5_set_error_string(context, "unknown ccache type %s", name); - return KRB5_CC_UNKNOWN_TYPE; - } -} - -/* - * Generate a new ccache of type `ops' in `id'. - * Return 0 or an error code. - */ - -krb5_error_code -krb5_cc_gen_new(krb5_context context, - const krb5_cc_ops *ops, - krb5_ccache *id) -{ - krb5_ccache p; - - p = malloc (sizeof(*p)); - if (p == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - return KRB5_CC_NOMEM; - } - p->ops = ops; - *id = p; - return p->ops->gen_new(context, id); -} - -/* - * Return the name of the ccache `id' - */ - -const char* -krb5_cc_get_name(krb5_context context, - krb5_ccache id) -{ - return id->ops->get_name(context, id); -} - -/* - * Return the type of the ccache `id'. - */ - -const char* -krb5_cc_get_type(krb5_context context, - krb5_ccache id) -{ - return id->ops->prefix; -} - -/* - * Return krb5_cc_ops of a the ccache `id'. - */ - -const krb5_cc_ops * -krb5_cc_get_ops(krb5_context context, krb5_ccache id) -{ - return id->ops; -} - -/* - * Set the default cc name for `context' to `name'. 
- */ - -krb5_error_code -krb5_cc_set_default_name(krb5_context context, const char *name) -{ - krb5_error_code ret = 0; - char *p; - - if (name == NULL) { - char *e; - e = getenv("KRB5CCNAME"); - if (e) - p = strdup(e); - else - asprintf(&p,"FILE:/tmp/krb5cc_%u", (unsigned)getuid()); - } else - p = strdup(name); - - if (p == NULL) - return ENOMEM; - - if (context->default_cc_name) - free(context->default_cc_name); - - context->default_cc_name = p; - - return ret; -} - -/* - * Return a pointer to a context static string containing the default ccache name. - */ - -const char* -krb5_cc_default_name(krb5_context context) -{ - if (context->default_cc_name == NULL) - krb5_cc_set_default_name(context, NULL); - - return context->default_cc_name; -} - -/* - * Open the default ccache in `id'. - * Return 0 or an error code. - */ - -krb5_error_code -krb5_cc_default(krb5_context context, - krb5_ccache *id) -{ - const char *p = krb5_cc_default_name(context); - - if (p == NULL) - return ENOMEM; - return krb5_cc_resolve(context, p, id); -} - -/* - * Create a new ccache in `id' for `primary_principal'. - * Return 0 or an error code. - */ - -krb5_error_code -krb5_cc_initialize(krb5_context context, - krb5_ccache id, - krb5_principal primary_principal) -{ - return id->ops->init(context, id, primary_principal); -} - - -/* - * Remove the ccache `id'. - * Return 0 or an error code. - */ - -krb5_error_code -krb5_cc_destroy(krb5_context context, - krb5_ccache id) -{ - krb5_error_code ret; - - ret = id->ops->destroy(context, id); - krb5_cc_close (context, id); - return ret; -} - -/* - * Stop using the ccache `id' and free the related resources. - * Return 0 or an error code. - */ - -krb5_error_code -krb5_cc_close(krb5_context context, - krb5_ccache id) -{ - krb5_error_code ret; - ret = id->ops->close(context, id); - free(id); - return ret; -} - -/* - * Store `creds' in the ccache `id'. - * Return 0 or an error code. 
- */ - -krb5_error_code -krb5_cc_store_cred(krb5_context context, - krb5_ccache id, - krb5_creds *creds) -{ - return id->ops->store(context, id, creds); -} - -/* - * Retrieve the credential identified by `mcreds' (and `whichfields') - * from `id' in `creds'. - * Return 0 or an error code. - */ - -krb5_error_code -krb5_cc_retrieve_cred(krb5_context context, - krb5_ccache id, - krb5_flags whichfields, - const krb5_creds *mcreds, - krb5_creds *creds) -{ - krb5_error_code ret; - krb5_cc_cursor cursor; - krb5_cc_start_seq_get(context, id, &cursor); - while((ret = krb5_cc_next_cred(context, id, &cursor, creds)) == 0){ - if(krb5_compare_creds(context, whichfields, mcreds, creds)){ - ret = 0; - break; - } - krb5_free_creds_contents (context, creds); - } - krb5_cc_end_seq_get(context, id, &cursor); - return ret; -} - -/* - * Return the principal of `id' in `principal'. - * Return 0 or an error code. - */ - -krb5_error_code -krb5_cc_get_principal(krb5_context context, - krb5_ccache id, - krb5_principal *principal) -{ - return id->ops->get_princ(context, id, principal); -} - -/* - * Start iterating over `id', `cursor' is initialized to the - * beginning. - * Return 0 or an error code. - */ - -krb5_error_code -krb5_cc_start_seq_get (krb5_context context, - const krb5_ccache id, - krb5_cc_cursor *cursor) -{ - return id->ops->get_first(context, id, cursor); -} - -/* - * Retrieve the next cred pointed to by (`id', `cursor') in `creds' - * and advance `cursor'. - * Return 0 or an error code. - */ - -krb5_error_code -krb5_cc_next_cred (krb5_context context, - const krb5_ccache id, - krb5_cc_cursor *cursor, - krb5_creds *creds) -{ - return id->ops->get_next(context, id, cursor, creds); -} - -/* - * Destroy the cursor `cursor'. - */ - -krb5_error_code -krb5_cc_end_seq_get (krb5_context context, - const krb5_ccache id, - krb5_cc_cursor *cursor) -{ - return id->ops->end_get(context, id, cursor); -} - -/* - * Remove the credential identified by `cred', `which' from `id'. 
- */ - -krb5_error_code -krb5_cc_remove_cred(krb5_context context, - krb5_ccache id, - krb5_flags which, - krb5_creds *cred) -{ - if(id->ops->remove_cred == NULL) { - krb5_set_error_string(context, - "ccache %s does not support remove_cred", - id->ops->prefix); - return EACCES; /* XXX */ - } - return (*id->ops->remove_cred)(context, id, which, cred); -} - -/* - * Set the flags of `id' to `flags'. - */ - -krb5_error_code -krb5_cc_set_flags(krb5_context context, - krb5_ccache id, - krb5_flags flags) -{ - return id->ops->set_flags(context, id, flags); -} - -/* - * Copy the contents of `from' to `to'. - */ - -krb5_error_code -krb5_cc_copy_cache(krb5_context context, - const krb5_ccache from, - krb5_ccache to) -{ - krb5_error_code ret; - krb5_cc_cursor cursor; - krb5_creds cred; - krb5_principal princ; - - ret = krb5_cc_get_principal(context, from, &princ); - if(ret) - return ret; - ret = krb5_cc_initialize(context, to, princ); - if(ret){ - krb5_free_principal(context, princ); - return ret; - } - ret = krb5_cc_start_seq_get(context, from, &cursor); - if(ret){ - krb5_free_principal(context, princ); - return ret; - } - while(ret == 0 && krb5_cc_next_cred(context, from, &cursor, &cred) == 0){ - ret = krb5_cc_store_cred(context, to, &cred); - krb5_free_creds_contents (context, &cred); - } - krb5_cc_end_seq_get(context, from, &cursor); - krb5_free_principal(context, princ); - return ret; -} - -/* - * Return the version of `id'. - */ - -krb5_error_code -krb5_cc_get_version(krb5_context context, - const krb5_ccache id) -{ - if(id->ops->get_version) - return id->ops->get_version(context, id); - else - return 0; -} diff --git a/crypto/heimdal-0.6.3/lib/krb5/changepw.c b/crypto/heimdal-0.6.3/lib/krb5/changepw.c deleted file mode 100644 index 1c4013b500..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/changepw.c +++ /dev/null 
@@ -1,814 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include
-
-RCSID("$Id: changepw.c,v 1.38.2.1 2004/06/21 08:38:10 lha Exp $");
-
-static void
-str2data (krb5_data *d,
- const char *fmt,
- ...) __attribute__ ((format (printf, 2, 3)));
-
-static void
-str2data (krb5_data *d,
- const char *fmt,
- ...)
-{
- va_list args;
-
- va_start(args, fmt);
- d->length = vasprintf ((char **)&d->data, fmt, args);
- va_end(args);
-}
-
-/*
- * Change password protocol defined by
- * draft-ietf-cat-kerb-chg-password-02.txt
- *
- * Share the response part of the protocol with MS set password
- * (RFC3244)
- */
-
-static krb5_error_code
-chgpw_send_request (krb5_context context,
- krb5_auth_context *auth_context,
- krb5_creds *creds,
- krb5_principal targprinc,
- int is_stream,
- int sock,
- char *passwd,
- const char *host)
-{
- krb5_error_code ret;
- krb5_data ap_req_data;
- krb5_data krb_priv_data;
- krb5_data passwd_data;
- size_t len;
- u_char header[6];
- u_char *p;
- struct iovec iov[3];
- struct msghdr msghdr;
-
- if (is_stream)
- return KRB5_KPASSWD_MALFORMED;
-
- if (targprinc &&
- krb5_principal_compare(context, creds->client, targprinc) != TRUE)
- return KRB5_KPASSWD_MALFORMED;
-
- krb5_data_zero (&ap_req_data);
-
- ret = krb5_mk_req_extended (context,
- auth_context,
- AP_OPTS_MUTUAL_REQUIRED | AP_OPTS_USE_SUBKEY,
- NULL, /* in_data */
- creds,
- &ap_req_data);
- if (ret)
- return ret;
-
- passwd_data.data = passwd;
- passwd_data.length = strlen(passwd);
-
- krb5_data_zero (&krb_priv_data);
-
- ret = krb5_mk_priv (context,
- *auth_context,
- &passwd_data,
- &krb_priv_data,
- NULL);
- if (ret)
- goto out2;
-
- len = 6 + ap_req_data.length + krb_priv_data.length;
- p = header;
- *p++ = (len >> 8) & 0xFF;
- *p++ = (len >> 0) & 0xFF;
- *p++ = 0;
- *p++ = 1;
- *p++ = (ap_req_data.length >> 8) & 0xFF;
- *p++ = (ap_req_data.length >> 0) & 0xFF;
-
- memset(&msghdr, 0, sizeof(msghdr));
- msghdr.msg_name = NULL;
- msghdr.msg_namelen = 0;
- msghdr.msg_iov = iov;
- msghdr.msg_iovlen = sizeof(iov)/sizeof(*iov);
-#if 0
- msghdr.msg_control = NULL;
- msghdr.msg_controllen = 0;
-#endif
-
- iov[0].iov_base = (void*)header;
- iov[0].iov_len = 6;
- iov[1].iov_base = ap_req_data.data;
- iov[1].iov_len = ap_req_data.length;
- iov[2].iov_base = krb_priv_data.data;
- iov[2].iov_len = krb_priv_data.length;
-
- if (sendmsg (sock, &msghdr, 0) < 0) {
- ret = errno;
- krb5_set_error_string(context, "sendmsg %s: %s", host, strerror(ret));
- }
-
- krb5_data_free (&krb_priv_data);
-out2:
- krb5_data_free (&ap_req_data);
- return ret;
-}
-
-/*
- * Set password protocol as defined by RFC3244 --
- * Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols
- */
-
-static krb5_error_code
-setpw_send_request (krb5_context context,
- krb5_auth_context *auth_context,
- krb5_creds *creds,
- krb5_principal targprinc,
- int is_stream,
- int sock,
- char *passwd,
- const char *host)
-{
- krb5_error_code ret;
- krb5_data ap_req_data;
- krb5_data krb_priv_data;
- krb5_data pwd_data;
- ChangePasswdDataMS chpw;
- size_t len;
- u_char header[4 + 6];
- u_char *p;
- struct iovec iov[3];
- struct msghdr msghdr;
-
- krb5_data_zero (&ap_req_data);
-
- ret = krb5_mk_req_extended (context,
- auth_context,
- AP_OPTS_MUTUAL_REQUIRED | AP_OPTS_USE_SUBKEY,
- NULL, /* in_data */
- creds,
- &ap_req_data);
- if (ret)
- return ret;
-
- chpw.newpasswd.length = strlen(passwd);
- chpw.newpasswd.data = passwd;
- if (targprinc) {
- chpw.targname = &targprinc->name;
- chpw.targrealm = &targprinc->realm;
- } else {
- chpw.targname = NULL;
- chpw.targrealm = NULL;
- }
-
- ASN1_MALLOC_ENCODE(ChangePasswdDataMS, pwd_data.data, pwd_data.length,
- &chpw, &len, ret);
- if (ret) {
- krb5_data_free (&ap_req_data);
- return ret;
- }
-
- if(pwd_data.length != len)
- krb5_abortx(context, "internal error in ASN.1 encoder");
-
- ret = krb5_mk_priv (context,
- *auth_context,
- &pwd_data,
- &krb_priv_data,
- NULL);
- if (ret)
- goto out2;
-
- len = 6 + ap_req_data.length + krb_priv_data.length;
- p = header;
- if (is_stream) {
- _krb5_put_int(p, len, 4);
- p += 4;
- }
- *p++ = (len >> 8) & 0xFF;
- *p++ = (len >> 0) & 0xFF;
- *p++ = 0xff;
- *p++ = 0x80;
- *p++ = (ap_req_data.length >> 8) & 0xFF;
- *p++ = (ap_req_data.length >> 0) & 0xFF;
-
- memset(&msghdr, 0, sizeof(msghdr));
- msghdr.msg_name = NULL;
- msghdr.msg_namelen = 0;
- msghdr.msg_iov = iov;
- msghdr.msg_iovlen = sizeof(iov)/sizeof(*iov);
-#if 0
- msghdr.msg_control = NULL;
- msghdr.msg_controllen = 0;
-#endif
-
- iov[0].iov_base = (void*)header;
- if (is_stream)
- iov[0].iov_len = 10;
- else
- iov[0].iov_len = 6;
- iov[1].iov_base = ap_req_data.data;
- iov[1].iov_len = ap_req_data.length;
- iov[2].iov_base = krb_priv_data.data;
- iov[2].iov_len = krb_priv_data.length;
-
- if (sendmsg (sock, &msghdr, 0) < 0) {
- ret = errno;
- krb5_set_error_string(context, "sendmsg %s: %s", host, strerror(ret));
- }
-
- krb5_data_free (&krb_priv_data);
-out2:
- krb5_data_free (&ap_req_data);
- krb5_data_free (&pwd_data);
- return ret;
-}
-
-static krb5_error_code
-process_reply (krb5_context context,
- krb5_auth_context auth_context,
- int is_stream,
- int sock,
- int *result_code,
- krb5_data *result_code_string,
- krb5_data *result_string,
- const char *host)
-{
- krb5_error_code ret;
- u_char reply[1024 * 3];
- ssize_t len;
- u_int16_t pkt_len, pkt_ver;
- krb5_data ap_rep_data;
- int save_errno;
-
- len = 0;
- if (is_stream) {
- while (len < sizeof(reply)) {
- unsigned long size;
-
- ret = recvfrom (sock, reply + len, sizeof(reply) - len,
- 0, NULL, NULL);
- if (ret < 0) {
- save_errno = errno;
- krb5_set_error_string(context, "recvfrom %s: %s",
- host, strerror(save_errno));
- return save_errno;
- } else if (ret == 0) {
- krb5_set_error_string(context, "recvfrom timeout %s", host);
- return 1;
- }
- len += ret;
- if (len < 4)
- continue;
- _krb5_get_int(reply, &size, 4);
- if (size + 4 < len)
- continue;
- memmove(reply, reply + 4, size);
- len = size;
- break;
- }
- if (len == sizeof(reply)) {
- krb5_set_error_string(context, "message too large from %s",
- host);
- return ENOMEM;
- }
- } else {
- ret = recvfrom (sock, reply, sizeof(reply), 0, NULL, NULL);
- if (ret < 0) {
- save_errno = errno;
- krb5_set_error_string(context, "recvfrom %s: %s",
- host, strerror(save_errno));
- return save_errno;
- }
- len = ret;
- }
-
- if (len < 6) {
- str2data (result_string, "server %s sent to too short message "
- "(%d bytes)", host, len);
- *result_code = KRB5_KPASSWD_MALFORMED;
- return 0;
- }
-
- pkt_len = (reply[0] << 8) | (reply[1]);
- pkt_ver = (reply[2] << 8) | (reply[3]);
-
- if ((pkt_len != len) || (reply[1] == 0x7e || reply[1] == 0x5e)) {
- KRB_ERROR error;
- size_t size;
- u_char *p;
-
- memset(&error, 0, sizeof(error));
-
- ret = decode_KRB_ERROR(reply, len, &error, &size);
- if (ret)
- return ret;
-
- if (error.e_data->length < 2) {
- str2data(result_string, "server %s sent too short "
- "e_data to print anything usable", host);
- free_KRB_ERROR(&error);
- *result_code = KRB5_KPASSWD_MALFORMED;
- return 0;
- }
-
- p = error.e_data->data;
- *result_code = (p[0] << 8) | p[1];
- if (error.e_data->length == 2)
- str2data(result_string, "server only sent error code");
- else
- krb5_data_copy (result_string,
- p + 2,
- error.e_data->length - 2);
- free_KRB_ERROR(&error);
- return 0;
- }
-
- if (pkt_len != len) {
- str2data (result_string, "client: wrong len in reply");
- *result_code = KRB5_KPASSWD_MALFORMED;
- return 0;
- }
- if (pkt_ver != KRB5_KPASSWD_VERS_CHANGEPW) {
- str2data (result_string,
- "client: wrong version number (%d)", pkt_ver);
- *result_code = KRB5_KPASSWD_MALFORMED;
- return 0;
- }
-
- ap_rep_data.data = reply + 6;
- ap_rep_data.length = (reply[4] << 8) | (reply[5]);
-
- if (reply + len < (u_char *)ap_rep_data.data + ap_rep_data.length) {
- str2data (result_string, "client: wrong AP len in reply");
- *result_code = KRB5_KPASSWD_MALFORMED;
- return 0;
- }
-
- if (ap_rep_data.length) {
- krb5_ap_rep_enc_part *ap_rep;
- krb5_data priv_data;
- u_char *p;
-
- priv_data.data = (u_char*)ap_rep_data.data + ap_rep_data.length;
- priv_data.length = len - ap_rep_data.length - 6;
-
- ret = krb5_rd_rep (context,
- auth_context,
- &ap_rep_data,
- &ap_rep);
- if (ret)
- return ret;
-
- krb5_free_ap_rep_enc_part (context, ap_rep);
-
- ret = krb5_rd_priv (context,
- auth_context,
- &priv_data,
- result_code_string,
- NULL);
- if (ret) {
- krb5_data_free (result_code_string);
- return ret;
- }
-
- if (result_code_string->length < 2) {
- *result_code = KRB5_KPASSWD_MALFORMED;
- str2data (result_string,
- "client: bad length in result");
- return 0;
- }
-
- p = result_code_string->data;
-
- *result_code = (p[0] << 8) | p[1];
- krb5_data_copy (result_string,
- (unsigned char*)result_code_string->data + 2,
- result_code_string->length - 2);
- return 0;
- } else {
- KRB_ERROR error;
- size_t size;
- u_char *p;
-
- ret = decode_KRB_ERROR(reply + 6, len - 6, &error, &size);
- if (ret) {
- return ret;
- }
- if (error.e_data->length < 2) {
- krb5_warnx (context, "too short e_data to print anything usable");
- return 1; /* XXX */
- }
-
- p = error.e_data->data;
- *result_code = (p[0] << 8) | p[1];
- krb5_data_copy (result_string,
- p + 2,
- error.e_data->length - 2);
- return 0;
- }
-}
-
-
-/*
- * change the password using the credentials in `creds' (for the
- * principal indicated in them) to `newpw', storing the result of
- * the operation in `result_*' and an error code or 0.
- */
-
-typedef krb5_error_code (*kpwd_send_request) (krb5_context,
- krb5_auth_context *,
- krb5_creds *,
- krb5_principal,
- int,
- int,
- char *,
- const char *);
-typedef krb5_error_code (*kpwd_process_reply) (krb5_context,
- krb5_auth_context,
- int,
- int,
- int *,
- krb5_data *,
- krb5_data *,
- const char *);
-
-struct kpwd_proc {
- const char *name;
- int flags;
-#define SUPPORT_TCP 1
-#define SUPPORT_UDP 2
- kpwd_send_request send_req;
- kpwd_process_reply process_rep;
-} procs[] = {
- {
- "MS set password",
- SUPPORT_TCP|SUPPORT_UDP,
- setpw_send_request,
- process_reply
- },
- {
- "change password",
- SUPPORT_UDP,
- chgpw_send_request,
- process_reply
- },
- { NULL }
-};
-
-static struct kpwd_proc *
-find_chpw_proto(const char *name)
-{
- struct kpwd_proc *p;
- for (p = procs; p->name != NULL; p++) {
- if (strcmp(p->name, name) == 0)
- return p;
- }
- return NULL;
-}
-
-/*
- *
- */
-
-static krb5_error_code
-change_password_loop (krb5_context context,
- krb5_creds *creds,
- krb5_principal targprinc,
- char *newpw,
- int *result_code,
- krb5_data *result_code_string,
- krb5_data *result_string,
- struct kpwd_proc *proc)
-{
- krb5_error_code ret;
- krb5_auth_context auth_context = NULL;
- krb5_krbhst_handle handle = NULL;
- krb5_krbhst_info *hi;
- int sock;
- int i;
- int done = 0;
- krb5_realm realm = creds->client->realm;
-
- ret = krb5_auth_con_init (context, &auth_context);
- if (ret)
- return ret;
-
- krb5_auth_con_setflags (context, auth_context,
- KRB5_AUTH_CONTEXT_DO_SEQUENCE);
-
- ret = krb5_krbhst_init (context, realm, KRB5_KRBHST_CHANGEPW, &handle);
- if (ret)
- goto out;
-
- while (!done && (ret = krb5_krbhst_next(context, handle, &hi)) == 0) {
- struct addrinfo *ai, *a;
- int is_stream;
-
- switch (hi->proto) {
- case KRB5_KRBHST_UDP:
- if ((proc->flags & SUPPORT_UDP) == 0)
- continue;
- is_stream = 0;
- break;
- case KRB5_KRBHST_TCP:
- if ((proc->flags & SUPPORT_TCP) == 0)
- continue;
- is_stream = 1;
- break;
- default:
- continue;
- }
-
- ret = krb5_krbhst_get_addrinfo(context, hi, &ai);
- if (ret)
- continue;
-
- for (a = ai; !done && a != NULL; a = a->ai_next) {
- int replied = 0;
-
- sock = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
- if (sock < 0)
- continue;
-
- ret = connect(sock, a->ai_addr, a->ai_addrlen);
- if (ret < 0) {
- close (sock);
- goto out;
- }
-
- ret = krb5_auth_con_genaddrs (context, auth_context, sock,
- KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR);
- if (ret) {
- close (sock);
- goto out;
- }
-
- for (i = 0; !done && i < 5; ++i) {
- fd_set fdset;
- struct timeval tv;
-
- if (!replied) {
- replied = 0;
-
- ret = (*proc->send_req) (context,
- &auth_context,
- creds,
- targprinc,
- is_stream,
- sock,
- newpw,
- hi->hostname);
- if (ret) {
- close(sock);
- goto out;
- }
- }
-
- if (sock >= FD_SETSIZE) {
- krb5_set_error_string(context, "fd %d too large", sock);
- ret = ERANGE;
- close (sock);
- goto out;
- }
-
- FD_ZERO(&fdset);
- FD_SET(sock, &fdset);
- tv.tv_usec = 0;
- tv.tv_sec = 1 + (1 << i);
-
- ret = select (sock + 1, &fdset, NULL, NULL, &tv);
- if (ret < 0 && errno != EINTR) {
- close(sock);
- goto out;
- }
- if (ret == 1) {
- ret = (*proc->process_rep) (context,
- auth_context,
- is_stream,
- sock,
- result_code,
- result_code_string,
- result_string,
- hi->hostname);
- if (ret == 0)
- done = 1;
- else if (i > 0 && ret == KRB5KRB_AP_ERR_MUT_FAIL)
- replied = 1;
- } else {
- ret = KRB5_KDC_UNREACH;
- }
- }
- close (sock);
- }
- }
-
- out:
- krb5_krbhst_free (context, handle);
- krb5_auth_con_free (context, auth_context);
- if (done)
- return 0;
- else {
- if (ret == KRB5_KDC_UNREACH)
- krb5_set_error_string(context,
- "unable to reach any changepw server "
- " in realm %s", realm);
- return ret;
- }
-}
-
-
-/*
- * change the password using the credentials in `creds' (for the
- * principal indicated in them) to `newpw', storing the result of
- * the operation in `result_*' and an error code or 0.
- */
-
-krb5_error_code
-krb5_change_password (krb5_context context,
- krb5_creds *creds,
- char *newpw,
- int *result_code,
- krb5_data *result_code_string,
- krb5_data *result_string)
-{
- struct kpwd_proc *p = find_chpw_proto("change password");
-
- *result_code = KRB5_KPASSWD_MALFORMED;
- result_code_string->data = result_string->data = NULL;
- result_code_string->length = result_string->length = 0;
-
- if (p == NULL)
- return KRB5_KPASSWD_MALFORMED;
-
- return change_password_loop(context, creds, NULL, newpw,
- result_code, result_code_string,
- result_string, p);
-}
-
-/*
- *
- */
-
-krb5_error_code
-krb5_set_password(krb5_context context,
- krb5_creds *creds,
- char *newpw,
- krb5_principal targprinc,
- int *result_code,
- krb5_data *result_code_string,
- krb5_data *result_string)
-{
- krb5_principal principal = NULL;
- krb5_error_code ret = 0;
- int i;
-
- *result_code = KRB5_KPASSWD_MALFORMED;
- result_code_string->data = result_string->data = NULL;
- result_code_string->length = result_string->length = 0;
-
- if (targprinc == NULL) {
- ret = krb5_get_default_principal(context, &principal);
- if (ret)
- return ret;
- } else
- principal = targprinc;
-
- for (i = 0; procs[i].name != NULL; i++) {
- *result_code = 0;
- ret = change_password_loop(context, creds, targprinc, newpw,
- result_code, result_code_string,
- result_string,
- &procs[i]);
- if (ret == 0 && *result_code == 0)
- break;
- }
-
- if (targprinc == NULL)
- krb5_free_principal(context, principal);
- return ret;
-}
-
-/*
- *
- */
-
-krb5_error_code
-krb5_set_password_using_ccache(krb5_context context,
- krb5_ccache ccache,
- char *newpw,
- krb5_principal targprinc,
- int *result_code,
- krb5_data *result_code_string,
- krb5_data *result_string)
-{
- krb5_creds creds, *credsp;
- krb5_error_code ret;
- krb5_principal principal = NULL;
-
- *result_code = KRB5_KPASSWD_MALFORMED;
- result_code_string->data = result_string->data = NULL;
- result_code_string->length = result_string->length = 0;
-
- memset(&creds, 0, sizeof(creds));
-
- if (targprinc == NULL) {
- ret = krb5_cc_get_principal(context, ccache, &principal);
- if (ret)
- return ret;
- } else
- principal = targprinc;
-
- ret = krb5_make_principal(context, &creds.server,
- krb5_principal_get_realm(context, principal),
- "kadmin", "changepw", NULL);
- if (ret)
- goto out;
-
- ret = krb5_cc_get_principal(context, ccache, &creds.client);
- if (ret) {
- krb5_free_principal(context, creds.server);
- goto out;
- }
-
- ret = krb5_get_credentials(context, 0, ccache, &creds, &credsp);
- krb5_free_principal(context, creds.server);
- krb5_free_principal(context, creds.client);
- if (ret)
- goto out;
-
- ret = krb5_set_password(context,
- credsp,
- newpw,
- principal,
- result_code,
- result_code_string,
- result_string);
-
- krb5_free_creds(context, credsp);
-
- return ret;
- out:
- if (targprinc == NULL)
- krb5_free_principal(context, principal);
- return ret;
-}
-
-/*
- *
- */
-
-const char*
-krb5_passwd_result_to_string (krb5_context context,
- int result)
-{
- static const char *strings[] = {
- "Success",
- "Malformed",
- "Hard error",
- "Auth error",
- "Soft error" ,
- "Access denied",
- "Bad version",
- "Initial flag needed"
- };
-
- if (result < 0 || result > KRB5_KPASSWD_INITIAL_FLAG_NEEDED)
- return "unknown result code";
- else
- return strings[result];
-}
diff --git a/crypto/heimdal-0.6.3/lib/krb5/codec.c b/crypto/heimdal-0.6.3/lib/krb5/codec.c
deleted file mode 100644
index 6a49e68ec9..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/codec.c
+++ /dev/null
@@ -1,176 +0,0 @@
-/*
- * Copyright (c) 1998 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-
-RCSID("$Id: codec.c,v 1.7 2001/05/16 22:08:08 assar Exp $");
-
-krb5_error_code
-krb5_decode_EncTicketPart (krb5_context context,
- const void *data,
- size_t length,
- EncTicketPart *t,
- size_t *len)
-{
- return decode_EncTicketPart(data, length, t, len);
-}
-
-krb5_error_code
-krb5_encode_EncTicketPart (krb5_context context,
- void *data,
- size_t length,
- EncTicketPart *t,
- size_t *len)
-{
- return encode_EncTicketPart(data, length, t, len);
-}
-
-krb5_error_code
-krb5_decode_EncASRepPart (krb5_context context,
- const void *data,
- size_t length,
- EncASRepPart *t,
- size_t *len)
-{
- return decode_EncASRepPart(data, length, t, len);
-}
-
-krb5_error_code
-krb5_encode_EncASRepPart (krb5_context context,
- void *data,
- size_t length,
- EncASRepPart *t,
- size_t *len)
-{
- return encode_EncASRepPart(data, length, t, len);
-}
-
-krb5_error_code
-krb5_decode_EncTGSRepPart (krb5_context context,
- const void *data,
- size_t length,
- EncTGSRepPart *t,
- size_t *len)
-{
- return decode_EncTGSRepPart(data, length, t, len);
-}
-
-krb5_error_code
-krb5_encode_EncTGSRepPart (krb5_context context,
- void *data,
- size_t length,
- EncTGSRepPart *t,
- size_t *len)
-{
- return encode_EncTGSRepPart(data, length, t, len);
-}
-
-krb5_error_code
-krb5_decode_EncAPRepPart (krb5_context context,
- const void *data,
- size_t length,
- EncAPRepPart *t,
- size_t *len)
-{
- return decode_EncAPRepPart(data, length, t, len);
-}
-
-krb5_error_code
-krb5_encode_EncAPRepPart (krb5_context context,
- void *data,
- size_t length,
- EncAPRepPart *t,
- size_t *len)
-{
- return encode_EncAPRepPart(data, length, t, len);
-}
-
-krb5_error_code
-krb5_decode_Authenticator (krb5_context context,
- const void *data,
- size_t length,
- Authenticator *t,
- size_t *len)
-{
- return decode_Authenticator(data, length, t, len);
-}
-
-krb5_error_code
-krb5_encode_Authenticator (krb5_context context,
- void *data,
- size_t length,
- Authenticator *t,
- size_t *len)
-{
- return encode_Authenticator(data, length, t, len);
-}
-
-krb5_error_code
-krb5_decode_EncKrbCredPart (krb5_context context,
- const void *data,
- size_t length,
- EncKrbCredPart *t,
- size_t *len)
-{
- return decode_EncKrbCredPart(data, length, t, len);
-}
-
-krb5_error_code
-krb5_encode_EncKrbCredPart (krb5_context context,
- void *data,
- size_t length,
- EncKrbCredPart *t,
- size_t *len)
-{
- return encode_EncKrbCredPart (data, length, t, len);
-}
-
-krb5_error_code
-krb5_decode_ETYPE_INFO (krb5_context context,
- const void *data,
- size_t length,
- ETYPE_INFO *t,
- size_t *len)
-{
- return decode_ETYPE_INFO(data, length, t, len);
-}
-
-krb5_error_code
-krb5_encode_ETYPE_INFO (krb5_context context,
- void *data,
- size_t length,
- ETYPE_INFO *t,
- size_t *len)
-{
- return encode_ETYPE_INFO (data, length, t, len);
-}
diff --git a/crypto/heimdal-0.6.3/lib/krb5/config_file.c b/crypto/heimdal-0.6.3/lib/krb5/config_file.c
deleted file mode 100644
index 47c1a945cb..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/config_file.c
+++ /dev/null
@@ -1,722 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-RCSID("$Id: config_file.c,v 1.46.4.2 2003/10/13 13:46:10 lha Exp $");
-
-#ifndef HAVE_NETINFO
-
-static krb5_error_code parse_section(char *p, krb5_config_section **s,
- krb5_config_section **res,
- const char **error_message);
-static krb5_error_code parse_binding(FILE *f, unsigned *lineno, char *p,
- krb5_config_binding **b,
- krb5_config_binding **parent,
- const char **error_message);
-static krb5_error_code parse_list(FILE *f, unsigned *lineno,
- krb5_config_binding **parent,
- const char **error_message);
-
-static krb5_config_section *
-get_entry(krb5_config_section **parent, const char *name, int type)
-{
- krb5_config_section **q;
-
- for(q = parent; *q != NULL; q = &(*q)->next)
- if(type == krb5_config_list &&
- type == (*q)->type &&
- strcmp(name, (*q)->name) == 0)
- return *q;
- *q = calloc(1, sizeof(**q));
- if(*q == NULL)
- return NULL;
- (*q)->name = strdup(name);
- (*q)->type = type;
- if((*q)->name == NULL) {
- free(*q);
- *q = NULL;
- return NULL;
- }
- return *q;
-}
-
-/*
- * Parse a section:
- *
- * [section]
- * foo = bar
- * b = {
- * a
- * }
- * ...
- *
- * starting at the line in `p', storing the resulting structure in
- * `s' and hooking it into `parent'.
- * Store the error message in `error_message'.
- */
-
-static krb5_error_code
-parse_section(char *p, krb5_config_section **s, krb5_config_section **parent,
- const char **error_message)
-{
- char *p1;
- krb5_config_section *tmp;
-
- p1 = strchr (p + 1, ']');
- if (p1 == NULL) {
- *error_message = "missing ]";
- return KRB5_CONFIG_BADFORMAT;
- }
- *p1 = '\0';
- tmp = get_entry(parent, p + 1, krb5_config_list);
- if(tmp == NULL) {
- *error_message = "out of memory";
- return KRB5_CONFIG_BADFORMAT;
- }
- *s = tmp;
- return 0;
-}
-
-/*
- * Parse a brace-enclosed list from `f', hooking in the structure at
- * `parent'.
- * Store the error message in `error_message'.
- */
-
-static krb5_error_code
-parse_list(FILE *f, unsigned *lineno, krb5_config_binding **parent,
- const char **error_message)
-{
- char buf[BUFSIZ];
- krb5_error_code ret;
- krb5_config_binding *b = NULL;
- unsigned beg_lineno = *lineno;
-
- while(fgets(buf, sizeof(buf), f) != NULL) {
- char *p;
-
- ++*lineno;
- if (buf[strlen(buf) - 1] == '\n')
- buf[strlen(buf) - 1] = '\0';
- p = buf;
- while(isspace((unsigned char)*p))
- ++p;
- if (*p == '#' || *p == ';' || *p == '\0')
- continue;
- while(isspace((unsigned char)*p))
- ++p;
- if (*p == '}')
- return 0;
- if (*p == '\0')
- continue;
- ret = parse_binding (f, lineno, p, &b, parent, error_message);
- if (ret)
- return ret;
- }
- *lineno = beg_lineno;
- *error_message = "unclosed {";
- return KRB5_CONFIG_BADFORMAT;
-}
-
-/*
- *
- */
-
-static krb5_error_code
-parse_binding(FILE *f, unsigned *lineno, char *p,
- krb5_config_binding **b, krb5_config_binding **parent,
- const char **error_message)
-{
- krb5_config_binding *tmp;
- char *p1, *p2;
- krb5_error_code ret = 0;
-
- p1 = p;
- while (*p && *p != '=' && !isspace((unsigned char)*p))
- ++p;
- if (*p == '\0') {
- *error_message = "missing =";
- return KRB5_CONFIG_BADFORMAT;
- }
- p2 = p;
- while (isspace((unsigned char)*p))
- ++p;
- if (*p != '=') {
- *error_message = "missing =";
- return KRB5_CONFIG_BADFORMAT;
- }
- ++p;
- while(isspace((unsigned char)*p))
- ++p;
- *p2 = '\0';
- if (*p == '{') {
- tmp = get_entry(parent, p1, krb5_config_list);
- if (tmp == NULL) {
- *error_message = "out of memory";
- return KRB5_CONFIG_BADFORMAT;
- }
- ret = parse_list (f, lineno, &tmp->u.list, error_message);
- } else {
- tmp = get_entry(parent, p1, krb5_config_string);
- if (tmp == NULL) {
- *error_message = "out of memory";
- return KRB5_CONFIG_BADFORMAT;
- }
- p1 = p;
- p = p1 + strlen(p1);
- while(p > p1 && isspace((unsigned char)*(p-1)))
- --p;
- *p = '\0';
- tmp->u.string = strdup(p1);
- }
- *b = tmp;
- return ret;
-}
-
-/*
- * Parse the config file `fname', generating the structures into `res'
- * returning error messages in `error_message'
- */
-
-static krb5_error_code
-krb5_config_parse_file_debug (const char *fname,
- krb5_config_section **res,
- unsigned *lineno,
- const char **error_message)
-{
- FILE *f;
- krb5_config_section *s;
- krb5_config_binding *b;
- char buf[BUFSIZ];
- krb5_error_code ret = 0;
-
- s = NULL;
- b = NULL;
- *lineno = 0;
- f = fopen (fname, "r");
- if (f == NULL) {
- *error_message = "cannot open file";
- return ENOENT;
- }
- while (fgets(buf, sizeof(buf), f) != NULL) {
- char *p;
-
- ++*lineno;
- if(buf[strlen(buf) - 1] == '\n')
- buf[strlen(buf) - 1] = '\0';
- p = buf;
- while(isspace((unsigned char)*p))
- ++p;
- if (*p == '#' || *p == ';')
- continue;
- if (*p == '[') {
- ret = parse_section(p, &s, res, error_message);
- if (ret) {
- goto out;
- }
- b = NULL;
- } else if (*p == '}') {
- *error_message = "unmatched }";
- ret = EINVAL; /* XXX */
- goto out;
- } else if(*p != '\0') {
- if (s == NULL) {
- *error_message = "binding before section";
- ret = EINVAL;
- goto out;
- }
- ret = parse_binding(f, lineno, p, &b, &s->u.list, error_message);
- if (ret)
- goto out;
- }
- }
-out:
- fclose (f);
- return ret;
-}
-
-krb5_error_code
-krb5_config_parse_file_multi (krb5_context context,
- const char *fname,
- krb5_config_section **res)
-{
- const char *str;
- unsigned lineno;
- krb5_error_code ret;
-
- ret = krb5_config_parse_file_debug (fname, res, &lineno, &str);
- if (ret) {
- krb5_set_error_string (context, "%s:%u: %s", fname, lineno, str);
- return ret;
- }
- return 0;
-}
-
-krb5_error_code
-krb5_config_parse_file (krb5_context context,
- const char *fname,
- krb5_config_section **res)
-{
- *res = NULL;
- return krb5_config_parse_file_multi(context, fname, res);
-}
-
-#endif /* !HAVE_NETINFO */
-
-static void
-free_binding (krb5_context context, krb5_config_binding *b)
-{
- krb5_config_binding *next_b;
-
- while (b) {
- free (b->name);
- if (b->type == krb5_config_string)
- free (b->u.string);
- else if (b->type == krb5_config_list)
- free_binding (context, b->u.list);
- else
- krb5_abortx(context, "unknown binding type (%d) in free_binding",
- b->type);
- next_b = b->next;
- free (b);
- b = next_b;
- }
-}
-
-krb5_error_code
-krb5_config_file_free (krb5_context context, krb5_config_section *s)
-{
- free_binding (context, s);
- return 0;
-}
-
-const void *
-krb5_config_get_next (krb5_context context,
- const krb5_config_section *c,
- const krb5_config_binding **pointer,
- int type,
- ...)
-{
- const char *ret;
- va_list args;
-
- va_start(args, type);
- ret = krb5_config_vget_next (context, c, pointer, type, args);
- va_end(args);
- return ret;
-}
-
-static const void *
-vget_next(krb5_context context,
- const krb5_config_binding *b,
- const krb5_config_binding **pointer,
- int type,
- const char *name,
- va_list args)
-{
- const char *p = va_arg(args, const char *);
- while(b != NULL) {
- if(strcmp(b->name, name) == 0) {
- if(b->type == type && p == NULL) {
- *pointer = b;
- return b->u.generic;
- } else if(b->type == krb5_config_list && p != NULL) {
- return vget_next(context, b->u.list, pointer, type, p, args);
- }
- }
- b = b->next;
- }
- return NULL;
-}
-
-const void *
-krb5_config_vget_next (krb5_context context,
- const krb5_config_section *c,
- const krb5_config_binding **pointer,
- int type,
- va_list args)
-{
- const krb5_config_binding *b;
- const char *p;
-
- if(c == NULL)
- c = context->cf;
-
- if (c == NULL)
- return NULL;
-
- if (*pointer == NULL) {
- /* first time here, walk down the tree looking for the right
- section */
- p = va_arg(args, const char *);
- if (p == NULL)
- return NULL;
- return vget_next(context, c, pointer, type, p, args);
- }
-
- /* we were called again, so just look for more entries with the
- same name and type */
- for (b = (*pointer)->next; b != NULL; b = b->next) {
- if(strcmp(b->name, (*pointer)->name) == 0 && b->type == type) {
- *pointer = b;
- return b->u.generic;
- }
- }
- return NULL;
-}
-
-const void *
-krb5_config_get (krb5_context context, - const krb5_config_section *c, - int type, - ...) -{ - const void *ret; - va_list args; - - va_start(args, type); - ret = krb5_config_vget (context, c, type, args); - va_end(args); - return ret; -} - -const void * -krb5_config_vget (krb5_context context, - const krb5_config_section *c, - int type, - va_list args) -{ - const krb5_config_binding *foo = NULL; - - return krb5_config_vget_next (context, c, &foo, type, args); -} - -const krb5_config_binding * -krb5_config_get_list (krb5_context context, - const krb5_config_section *c, - ...) -{ - const krb5_config_binding *ret; - va_list args; - - va_start(args, c); - ret = krb5_config_vget_list (context, c, args); - va_end(args); - return ret; -} - -const krb5_config_binding * -krb5_config_vget_list (krb5_context context, - const krb5_config_section *c, - va_list args) -{ - return krb5_config_vget (context, c, krb5_config_list, args); -} - -const char * -krb5_config_get_string (krb5_context context, - const krb5_config_section *c, - ...) -{ - const char *ret; - va_list args; - - va_start(args, c); - ret = krb5_config_vget_string (context, c, args); - va_end(args); - return ret; -} - -const char * -krb5_config_vget_string (krb5_context context, - const krb5_config_section *c, - va_list args) -{ - return krb5_config_vget (context, c, krb5_config_string, args); -} - -const char * -krb5_config_vget_string_default (krb5_context context, - const krb5_config_section *c, - const char *def_value, - va_list args) -{ - const char *ret; - - ret = krb5_config_vget_string (context, c, args); - if (ret == NULL) - ret = def_value; - return ret; -} - -const char * -krb5_config_get_string_default (krb5_context context, - const krb5_config_section *c, - const char *def_value, - ...) 
-{ - const char *ret; - va_list args; - - va_start(args, def_value); - ret = krb5_config_vget_string_default (context, c, def_value, args); - va_end(args); - return ret; -} - -char ** -krb5_config_vget_strings(krb5_context context, - const krb5_config_section *c, - va_list args) -{ - char **strings = NULL; - int nstr = 0; - const krb5_config_binding *b = NULL; - const char *p; - - while((p = krb5_config_vget_next(context, c, &b, - krb5_config_string, args))) { - char *tmp = strdup(p); - char *pos = NULL; - char *s; - if(tmp == NULL) - goto cleanup; - s = strtok_r(tmp, " \t", &pos); - while(s){ - char **tmp = realloc(strings, (nstr + 1) * sizeof(*strings)); - if(tmp == NULL) - goto cleanup; - strings = tmp; - strings[nstr] = strdup(s); - nstr++; - if(strings[nstr-1] == NULL) - goto cleanup; - s = strtok_r(NULL, " \t", &pos); - } - free(tmp); - } - if(nstr){ - char **tmp = realloc(strings, (nstr + 1) * sizeof(*strings)); - if(strings == NULL) - goto cleanup; - strings = tmp; - strings[nstr] = NULL; - } - return strings; -cleanup: - while(nstr--) - free(strings[nstr]); - free(strings); - return NULL; - -} - -char** -krb5_config_get_strings(krb5_context context, - const krb5_config_section *c, - ...) 
-{ - va_list ap; - char **ret; - va_start(ap, c); - ret = krb5_config_vget_strings(context, c, ap); - va_end(ap); - return ret; -} - -void -krb5_config_free_strings(char **strings) -{ - char **s = strings; - while(s && *s){ - free(*s); - s++; - } - free(strings); -} - -krb5_boolean -krb5_config_vget_bool_default (krb5_context context, - const krb5_config_section *c, - krb5_boolean def_value, - va_list args) -{ - const char *str; - str = krb5_config_vget_string (context, c, args); - if(str == NULL) - return def_value; - if(strcasecmp(str, "yes") == 0 || - strcasecmp(str, "true") == 0 || - atoi(str)) return TRUE; - return FALSE; -} - -krb5_boolean -krb5_config_vget_bool (krb5_context context, - const krb5_config_section *c, - va_list args) -{ - return krb5_config_vget_bool_default (context, c, FALSE, args); -} - -krb5_boolean -krb5_config_get_bool_default (krb5_context context, - const krb5_config_section *c, - krb5_boolean def_value, - ...) -{ - va_list ap; - krb5_boolean ret; - va_start(ap, def_value); - ret = krb5_config_vget_bool_default(context, c, def_value, ap); - va_end(ap); - return ret; -} - -krb5_boolean -krb5_config_get_bool (krb5_context context, - const krb5_config_section *c, - ...) -{ - va_list ap; - krb5_boolean ret; - va_start(ap, c); - ret = krb5_config_vget_bool (context, c, ap); - va_end(ap); - return ret; -} - -int -krb5_config_vget_time_default (krb5_context context, - const krb5_config_section *c, - int def_value, - va_list args) -{ - const char *str; - str = krb5_config_vget_string (context, c, args); - if(str == NULL) - return def_value; - return parse_time (str, NULL); -} - -int -krb5_config_vget_time (krb5_context context, - const krb5_config_section *c, - va_list args) -{ - return krb5_config_vget_time_default (context, c, -1, args); -} - -int -krb5_config_get_time_default (krb5_context context, - const krb5_config_section *c, - int def_value, - ...) 
-{ - va_list ap; - int ret; - va_start(ap, def_value); - ret = krb5_config_vget_time_default(context, c, def_value, ap); - va_end(ap); - return ret; -} - -int -krb5_config_get_time (krb5_context context, - const krb5_config_section *c, - ...) -{ - va_list ap; - int ret; - va_start(ap, c); - ret = krb5_config_vget_time (context, c, ap); - va_end(ap); - return ret; -} - - -int -krb5_config_vget_int_default (krb5_context context, - const krb5_config_section *c, - int def_value, - va_list args) -{ - const char *str; - str = krb5_config_vget_string (context, c, args); - if(str == NULL) - return def_value; - else { - char *endptr; - long l; - l = strtol(str, &endptr, 0); - if (endptr == str) - return def_value; - else - return l; - } -} - -int -krb5_config_vget_int (krb5_context context, - const krb5_config_section *c, - va_list args) -{ - return krb5_config_vget_int_default (context, c, -1, args); -} - -int -krb5_config_get_int_default (krb5_context context, - const krb5_config_section *c, - int def_value, - ...) -{ - va_list ap; - int ret; - va_start(ap, def_value); - ret = krb5_config_vget_int_default(context, c, def_value, ap); - va_end(ap); - return ret; -} - -int -krb5_config_get_int (krb5_context context, - const krb5_config_section *c, - ...) -{ - va_list ap; - int ret; - va_start(ap, c); - ret = krb5_config_vget_int (context, c, ap); - va_end(ap); - return ret; -} diff --git a/crypto/heimdal-0.6.3/lib/krb5/config_file_netinfo.c b/crypto/heimdal-0.6.3/lib/krb5/config_file_netinfo.c deleted file mode 100644 index a035e887b9..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/config_file_netinfo.c +++ /dev/null 
@@ -1,180 +0,0 @@ -/* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "krb5_locl.h" -RCSID("$Id: config_file_netinfo.c,v 1.3 2001/05/14 06:14:45 assar Exp $"); - -/* - * Netinfo implementation from Luke Howard - */ - -#ifdef HAVE_NETINFO -#include -static ni_status -ni_proplist2binding(ni_proplist *pl, krb5_config_section **ret) -{ - int i, j; - krb5_config_section **next = NULL; - - for (i = 0; i < pl->ni_proplist_len; i++) { - if (!strcmp(pl->nipl_val[i].nip_name, "name")) - continue; - - for (j = 0; j < pl->nipl_val[i].nip_val.ni_namelist_len; j++) { - krb5_config_binding *b; - - b = malloc(sizeof(*b)); - if (b == NULL) - return NI_FAILED; - - b->next = NULL; - b->type = krb5_config_string; - b->name = ni_name_dup(pl->nipl_val[i].nip_name); - b->u.string = ni_name_dup(pl->nipl_val[i].nip_val.ninl_val[j]); - - if (next == NULL) { - *ret = b; - } else { - *next = b; - } - next = &b->next; - } - } - return NI_OK; -} - -static ni_status -ni_idlist2binding(void *ni, ni_idlist *idlist, krb5_config_section **ret) -{ - int i; - ni_status nis; - krb5_config_section **next; - - for (i = 0; i < idlist->ni_idlist_len; i++) { - ni_proplist pl; - ni_id nid; - ni_idlist children; - krb5_config_binding *b; - ni_index index; - - nid.nii_instance = 0; - nid.nii_object = idlist->ni_idlist_val[i]; - - nis = ni_read(ni, &nid, &pl); - - if (nis != NI_OK) { - return nis; - } - index = ni_proplist_match(pl, "name", NULL); - b = malloc(sizeof(*b)); - if (b == NULL) return NI_FAILED; - - if (i == 0) { - *ret = b; - } else { - *next = b; - } - - b->type = krb5_config_list; - b->name = ni_name_dup(pl.nipl_val[index].nip_val.ninl_val[0]); - b->next = NULL; - b->u.list = NULL; - - /* get the child directories */ - nis = ni_children(ni, &nid, &children); - if (nis == NI_OK) { - nis = ni_idlist2binding(ni, &children, &b->u.list); - if (nis != NI_OK) { - return nis; - } - } - - nis = ni_proplist2binding(&pl, b->u.list == NULL ? 
&b->u.list : &b->u.list->next); - ni_proplist_free(&pl); - if (nis != NI_OK) { - return nis; - } - next = &b->next; - } - ni_idlist_free(idlist); - return NI_OK; -} - -krb5_error_code -krb5_config_parse_file (krb5_context context, - const char *fname, - krb5_config_section **res) -{ - void *ni = NULL, *lastni = NULL; - int i; - ni_status nis; - ni_id nid; - ni_idlist children; - - krb5_config_section *s; - int ret; - - s = NULL; - - for (i = 0; i < 256; i++) { - if (i == 0) { - nis = ni_open(NULL, ".", &ni); - } else { - if (lastni != NULL) ni_free(lastni); - lastni = ni; - nis = ni_open(lastni, "..", &ni); - } - if (nis != NI_OK) - break; - nis = ni_pathsearch(ni, &nid, "/locations/kerberos"); - if (nis == NI_OK) { - nis = ni_children(ni, &nid, &children); - if (nis != NI_OK) - break; - nis = ni_idlist2binding(ni, &children, &s); - break; - } - } - - if (ni != NULL) ni_free(ni); - if (ni != lastni && lastni != NULL) ni_free(lastni); - - ret = (nis == NI_OK) ? 0 : -1; - if (ret == 0) { - *res = s; - } else { - *res = NULL; - } - return ret; -} -#endif /* HAVE_NETINFO */ diff --git a/crypto/heimdal-0.6.3/lib/krb5/constants.c b/crypto/heimdal-0.6.3/lib/krb5/constants.c deleted file mode 100644 index 280bf620af..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/constants.c +++ /dev/null 
@@ -1,39 +0,0 @@
-/*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-
-RCSID("$Id: constants.c,v 1.7 2002/08/16 20:52:15 joda Exp $");
-
-const char *krb5_config_file = SYSCONFDIR "/krb5.conf:/etc/krb5.conf";
-const char *krb5_defkeyname = KEYTAB_DEFAULT;
diff --git a/crypto/heimdal-0.6.3/lib/krb5/context.c b/crypto/heimdal-0.6.3/lib/krb5/context.c
deleted file mode 100644
index d3982e8e9a..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/context.c
+++ /dev/null
@@ -1,545 +0,0 @@ -/* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "krb5_locl.h" -#include - -RCSID("$Id: context.c,v 1.83.2.1 2004/08/20 15:30:24 lha Exp $"); - -#define INIT_FIELD(C, T, E, D, F) \ - (C)->E = krb5_config_get_ ## T ## _default ((C), NULL, (D), \ - "libdefaults", F, NULL) - -/* - * Set the list of etypes `ret_etypes' from the configuration variable - * `name' - */ - -static krb5_error_code -set_etypes (krb5_context context, - const char *name, - krb5_enctype **ret_enctypes) -{ - char **etypes_str; - krb5_enctype *etypes = NULL; - - etypes_str = krb5_config_get_strings(context, NULL, "libdefaults", - name, NULL); - if(etypes_str){ - int i, j, k; - for(i = 0; etypes_str[i]; i++); - etypes = malloc((i+1) * sizeof(*etypes)); - if (etypes == NULL) { - krb5_config_free_strings (etypes_str); - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - for(j = 0, k = 0; j < i; j++) { - if(krb5_string_to_enctype(context, etypes_str[j], &etypes[k]) == 0) - k++; - } - etypes[k] = ETYPE_NULL; - krb5_config_free_strings(etypes_str); - } - *ret_enctypes = etypes; - return 0; -} - -/* - * read variables from the configuration file and set in `context' - */ - -static krb5_error_code -init_context_from_config_file(krb5_context context) -{ - krb5_error_code ret; - const char * tmp; - krb5_enctype *tmptypes; - - INIT_FIELD(context, time, max_skew, 5 * 60, "clockskew"); - INIT_FIELD(context, time, kdc_timeout, 3, "kdc_timeout"); - INIT_FIELD(context, int, max_retries, 3, "max_retries"); - - INIT_FIELD(context, string, http_proxy, NULL, "http_proxy"); - - ret = set_etypes (context, "default_etypes", &tmptypes); - if(ret) - return ret; - free(context->etypes); - context->etypes = tmptypes; - - ret = set_etypes (context, "default_etypes_des", &tmptypes); - if(ret) - return ret; - free(context->etypes_des); - context->etypes_des = tmptypes; - - /* default keytab name */ - tmp = NULL; - if(!issuid()) - tmp = getenv("KRB5_KTNAME"); - if(tmp != NULL) - context->default_keytab = tmp; - else - 
INIT_FIELD(context, string, default_keytab, - KEYTAB_DEFAULT, "default_keytab_name"); - - INIT_FIELD(context, string, default_keytab_modify, - NULL, "default_keytab_modify_name"); - - INIT_FIELD(context, string, time_fmt, - "%Y-%m-%dT%H:%M:%S", "time_format"); - - INIT_FIELD(context, string, date_fmt, - "%Y-%m-%d", "date_format"); - - INIT_FIELD(context, bool, log_utc, - FALSE, "log_utc"); - - - - /* init dns-proxy slime */ - tmp = krb5_config_get_string(context, NULL, "libdefaults", - "dns_proxy", NULL); - if(tmp) - roken_gethostby_setup(context->http_proxy, tmp); - krb5_free_host_realm (context, context->default_realms); - context->default_realms = NULL; - - { - krb5_addresses addresses; - char **adr, **a; - - krb5_set_extra_addresses(context, NULL); - adr = krb5_config_get_strings(context, NULL, - "libdefaults", - "extra_addresses", - NULL); - memset(&addresses, 0, sizeof(addresses)); - for(a = adr; a && *a; a++) { - ret = krb5_parse_address(context, *a, &addresses); - if (ret == 0) { - krb5_add_extra_addresses(context, &addresses); - krb5_free_addresses(context, &addresses); - } - } - krb5_config_free_strings(adr); - - krb5_set_ignore_addresses(context, NULL); - adr = krb5_config_get_strings(context, NULL, - "libdefaults", - "ignore_addresses", - NULL); - memset(&addresses, 0, sizeof(addresses)); - for(a = adr; a && *a; a++) { - ret = krb5_parse_address(context, *a, &addresses); - if (ret == 0) { - krb5_add_ignore_addresses(context, &addresses); - krb5_free_addresses(context, &addresses); - } - } - krb5_config_free_strings(adr); - } - - INIT_FIELD(context, bool, scan_interfaces, TRUE, "scan_interfaces"); - INIT_FIELD(context, int, fcache_vno, 0, "fcache_version"); - /* prefer dns_lookup_kdc over srv_lookup. 
*/ - INIT_FIELD(context, bool, srv_lookup, TRUE, "srv_lookup"); - INIT_FIELD(context, bool, srv_lookup, context->srv_lookup, "dns_lookup_kdc"); - context->default_cc_name = NULL; - return 0; -} - -krb5_error_code -krb5_init_context(krb5_context *context) -{ - krb5_context p; - krb5_error_code ret; - char **files; - - p = calloc(1, sizeof(*p)); - if(!p) - return ENOMEM; - - ret = krb5_get_default_config_files(&files); - if(ret) - goto out; - ret = krb5_set_config_files(p, files); - krb5_free_config_files(files); - if(ret) - goto out; - - /* init error tables */ - krb5_init_ets(p); - - p->cc_ops = NULL; - p->num_cc_ops = 0; - krb5_cc_register(p, &krb5_fcc_ops, TRUE); - krb5_cc_register(p, &krb5_mcc_ops, TRUE); - - p->num_kt_types = 0; - p->kt_types = NULL; - krb5_kt_register (p, &krb5_fkt_ops); - krb5_kt_register (p, &krb5_mkt_ops); - krb5_kt_register (p, &krb5_akf_ops); - krb5_kt_register (p, &krb4_fkt_ops); - krb5_kt_register (p, &krb5_srvtab_fkt_ops); - krb5_kt_register (p, &krb5_any_ops); - -out: - if(ret) { - krb5_free_context(p); - p = NULL; - } - *context = p; - return ret; -} - -void -krb5_free_context(krb5_context context) -{ - if (context->default_cc_name) - free(context->default_cc_name); - free(context->etypes); - free(context->etypes_des); - krb5_free_host_realm (context, context->default_realms); - krb5_config_file_free (context, context->cf); - free_error_table (context->et_list); - free(context->cc_ops); - free(context->kt_types); - krb5_clear_error_string(context); - if(context->warn_dest != NULL) - krb5_closelog(context, context->warn_dest); - krb5_set_extra_addresses(context, NULL); - krb5_set_ignore_addresses(context, NULL); - free(context); -} - -krb5_error_code -krb5_set_config_files(krb5_context context, char **filenames) -{ - krb5_error_code ret; - krb5_config_binding *tmp = NULL; - while(filenames != NULL && *filenames != NULL && **filenames != '\0') { - ret = krb5_config_parse_file_multi(context, *filenames, &tmp); - if(ret != 0 && ret != 
ENOENT) { - krb5_config_file_free(context, tmp); - return ret; - } - filenames++; - } -#if 0 - /* with this enabled and if there are no config files, Kerberos is - considererd disabled */ - if(tmp == NULL) - return ENXIO; -#endif - krb5_config_file_free(context, context->cf); - context->cf = tmp; - ret = init_context_from_config_file(context); - return ret; -} - -krb5_error_code -krb5_get_default_config_files(char ***pfilenames) -{ - const char *p, *q; - char **pp; - int n, i; - - const char *files = NULL; - if (pfilenames == NULL) - return EINVAL; - if(!issuid()) - files = getenv("KRB5_CONFIG"); - if (files == NULL) - files = krb5_config_file; - - for(n = 0, p = files; strsep_copy(&p, ":", NULL, 0) != -1; n++); - pp = malloc((n + 1) * sizeof(*pp)); - if(pp == NULL) - return ENOMEM; - - n = 0; - p = files; - while(1) { - ssize_t l; - q = p; - l = strsep_copy(&q, ":", NULL, 0); - if(l == -1) - break; - pp[n] = malloc(l + 1); - if(pp[n] == NULL) { - krb5_free_config_files(pp); - return ENOMEM; - } - l = strsep_copy(&p, ":", pp[n], l + 1); - for(i = 0; i < n; i++) - if(strcmp(pp[i], pp[n]) == 0) { - free(pp[n]); - goto skip; - } - n++; - skip:; - } - pp[n] = NULL; - *pfilenames = pp; - return 0; -} - -void -krb5_free_config_files(char **filenames) -{ - char **p; - for(p = filenames; *p != NULL; p++) - free(*p); - free(filenames); -} - -/* - * set `etype' to a malloced list of the default enctypes - */ - -static krb5_error_code -default_etypes(krb5_context context, krb5_enctype **etype) -{ - krb5_enctype p[] = { - ETYPE_DES3_CBC_SHA1, - ETYPE_DES3_CBC_MD5, - ETYPE_ARCFOUR_HMAC_MD5, - ETYPE_DES_CBC_MD5, - ETYPE_DES_CBC_MD4, - ETYPE_DES_CBC_CRC, - ETYPE_NULL - }; - - *etype = malloc(sizeof(p)); - if(*etype == NULL) { - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - memcpy(*etype, p, sizeof(p)); - return 0; -} - -krb5_error_code -krb5_set_default_in_tkt_etypes(krb5_context context, - const krb5_enctype *etypes) -{ - int i; - krb5_enctype 
*p = NULL; - - if(etypes) { - for (i = 0; etypes[i]; ++i) - if(!krb5_enctype_valid(context, etypes[i])) { - krb5_set_error_string(context, "enctype %d not supported", - etypes[i]); - return KRB5_PROG_ETYPE_NOSUPP; - } - ++i; - ALLOC(p, i); - if(!p) { - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - memmove(p, etypes, i * sizeof(krb5_enctype)); - } - if(context->etypes) - free(context->etypes); - context->etypes = p; - return 0; -} - - -krb5_error_code -krb5_get_default_in_tkt_etypes(krb5_context context, - krb5_enctype **etypes) -{ - krb5_enctype *p; - int i; - krb5_error_code ret; - - if(context->etypes) { - for(i = 0; context->etypes[i]; i++); - ++i; - ALLOC(p, i); - if(!p) { - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - memmove(p, context->etypes, i * sizeof(krb5_enctype)); - } else { - ret = default_etypes(context, &p); - if (ret) - return ret; - } - *etypes = p; - return 0; -} - -const char * -krb5_get_err_text(krb5_context context, krb5_error_code code) -{ - const char *p = NULL; - if(context != NULL) - p = com_right(context->et_list, code); - if(p == NULL) - p = strerror(code); - if (p == NULL) - p = "Unknown error"; - return p; -} - -void -krb5_init_ets(krb5_context context) -{ - if(context->et_list == NULL){ - krb5_add_et_list(context, initialize_krb5_error_table_r); - krb5_add_et_list(context, initialize_asn1_error_table_r); - krb5_add_et_list(context, initialize_heim_error_table_r); - krb5_add_et_list(context, initialize_k524_error_table_r); - } -} - -void -krb5_set_use_admin_kdc (krb5_context context, krb5_boolean flag) -{ - context->use_admin_kdc = flag; -} - -krb5_boolean -krb5_get_use_admin_kdc (krb5_context context) -{ - return context->use_admin_kdc; -} - -krb5_error_code -krb5_add_extra_addresses(krb5_context context, krb5_addresses *addresses) -{ - - if(context->extra_addresses) - return krb5_append_addresses(context, - context->extra_addresses, addresses); - else - return 
krb5_set_extra_addresses(context, addresses); -} - -krb5_error_code -krb5_set_extra_addresses(krb5_context context, const krb5_addresses *addresses) -{ - if(context->extra_addresses) - krb5_free_addresses(context, context->extra_addresses); - - if(addresses == NULL) { - if(context->extra_addresses != NULL) { - free(context->extra_addresses); - context->extra_addresses = NULL; - } - return 0; - } - if(context->extra_addresses == NULL) { - context->extra_addresses = malloc(sizeof(*context->extra_addresses)); - if(context->extra_addresses == NULL) { - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - } - return krb5_copy_addresses(context, addresses, context->extra_addresses); -} - -krb5_error_code -krb5_get_extra_addresses(krb5_context context, krb5_addresses *addresses) -{ - if(context->extra_addresses == NULL) { - memset(addresses, 0, sizeof(*addresses)); - return 0; - } - return krb5_copy_addresses(context,context->extra_addresses, addresses); -} - -krb5_error_code -krb5_add_ignore_addresses(krb5_context context, krb5_addresses *addresses) -{ - - if(context->ignore_addresses) - return krb5_append_addresses(context, - context->ignore_addresses, addresses); - else - return krb5_set_ignore_addresses(context, addresses); -} - -krb5_error_code -krb5_set_ignore_addresses(krb5_context context, const krb5_addresses *addresses) -{ - if(context->ignore_addresses) - krb5_free_addresses(context, context->ignore_addresses); - if(addresses == NULL) { - if(context->ignore_addresses != NULL) { - free(context->ignore_addresses); - context->ignore_addresses = NULL; - } - return 0; - } - if(context->ignore_addresses == NULL) { - context->ignore_addresses = malloc(sizeof(*context->ignore_addresses)); - if(context->ignore_addresses == NULL) { - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - } - return krb5_copy_addresses(context, addresses, context->ignore_addresses); -} - -krb5_error_code 
-krb5_get_ignore_addresses(krb5_context context, krb5_addresses *addresses) -{ - if(context->ignore_addresses == NULL) { - memset(addresses, 0, sizeof(*addresses)); - return 0; - } - return krb5_copy_addresses(context, context->ignore_addresses, addresses); -} - -krb5_error_code -krb5_set_fcache_version(krb5_context context, int version) -{ - context->fcache_vno = version; - return 0; -} - -krb5_error_code -krb5_get_fcache_version(krb5_context context, int *version) -{ - *version = context->fcache_vno; - return 0; -} diff --git a/crypto/heimdal-0.6.3/lib/krb5/convert_creds.c b/crypto/heimdal-0.6.3/lib/krb5/convert_creds.c deleted file mode 100644 index 0c119e742b..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/convert_creds.c +++ /dev/null 
@@ -1,236 +0,0 @@ -/* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "krb5_locl.h" -RCSID("$Id: convert_creds.c,v 1.26 2003/03/18 03:11:16 lha Exp $"); - -#include "krb5-v4compat.h" - -static krb5_error_code -check_ticket_flags(TicketFlags f) -{ - return 0; /* maybe add some more tests here? 
*/ -} - -/* include this here, to avoid dependencies on libkrb */ - -static const int _tkt_lifetimes[TKTLIFENUMFIXED] = { - 38400, 41055, 43894, 46929, 50174, 53643, 57352, 61318, - 65558, 70091, 74937, 80119, 85658, 91581, 97914, 104684, - 111922, 119661, 127935, 136781, 146239, 156350, 167161, 178720, - 191077, 204289, 218415, 233517, 249664, 266926, 285383, 305116, - 326213, 348769, 372885, 398668, 426234, 455705, 487215, 520904, - 556921, 595430, 636601, 680618, 727680, 777995, 831789, 889303, - 950794, 1016537, 1086825, 1161973, 1242318, 1328218, 1420057, 1518247, - 1623226, 1735464, 1855462, 1983758, 2120925, 2267576, 2424367, 2592000 -}; - -int -_krb5_krb_time_to_life(time_t start, time_t end) -{ - int i; - time_t life = end - start; - - if (life > MAXTKTLIFETIME || life <= 0) - return 0; -#if 0 - if (krb_no_long_lifetimes) - return (life + 5*60 - 1)/(5*60); -#endif - - if (end >= NEVERDATE) - return TKTLIFENOEXPIRE; - if (life < _tkt_lifetimes[0]) - return (life + 5*60 - 1)/(5*60); - for (i=0; i TKTLIFEMAXFIXED) - return start + MAXTKTLIFETIME; - return start + _tkt_lifetimes[life - TKTLIFEMINFIXED]; -} - - -/* Convert the v5 credentials in `in_cred' to v4-dito in `v4creds'. - * This is done by sending them to the 524 function in the KDC. If - * `in_cred' doesn't contain a DES session key, then a new one is - * gotten from the KDC and stored in the cred cache `ccache'. 
- */ - -krb5_error_code -krb524_convert_creds_kdc(krb5_context context, - krb5_creds *in_cred, - struct credentials *v4creds) -{ - krb5_error_code ret; - krb5_data reply; - krb5_storage *sp; - int32_t tmp; - krb5_data ticket; - char realm[REALM_SZ]; - krb5_creds *v5_creds = in_cred; - - ret = check_ticket_flags(v5_creds->flags.b); - if(ret) - goto out2; - - { - krb5_krbhst_handle handle; - - ret = krb5_krbhst_init(context, - *krb5_princ_realm(context, - v5_creds->server), - KRB5_KRBHST_KRB524, - &handle); - if (ret) - goto out2; - - ret = krb5_sendto (context, - &v5_creds->ticket, - handle, - &reply); - krb5_krbhst_free(context, handle); - if (ret) - goto out2; - } - sp = krb5_storage_from_mem(reply.data, reply.length); - if(sp == NULL) { - ret = ENOMEM; - krb5_set_error_string (context, "malloc: out of memory"); - goto out2; - } - krb5_ret_int32(sp, &tmp); - ret = tmp; - if(ret == 0) { - memset(v4creds, 0, sizeof(*v4creds)); - ret = krb5_ret_int32(sp, &tmp); - if(ret) - goto out; - v4creds->kvno = tmp; - ret = krb5_ret_data(sp, &ticket); - if(ret) - goto out; - v4creds->ticket_st.length = ticket.length; - memcpy(v4creds->ticket_st.dat, ticket.data, ticket.length); - krb5_data_free(&ticket); - ret = krb5_524_conv_principal(context, - v5_creds->server, - v4creds->service, - v4creds->instance, - v4creds->realm); - if(ret) - goto out; - v4creds->issue_date = v5_creds->times.starttime; - v4creds->lifetime = _krb5_krb_time_to_life(v4creds->issue_date, - v5_creds->times.endtime); - ret = krb5_524_conv_principal(context, v5_creds->client, - v4creds->pname, - v4creds->pinst, - realm); - if(ret) - goto out; - memcpy(v4creds->session, v5_creds->session.keyvalue.data, 8); - } else { - krb5_set_error_string(context, "converting credentials: %s", - krb5_get_err_text(context, ret)); - } -out: - krb5_storage_free(sp); - krb5_data_free(&reply); -out2: - if (v5_creds != in_cred) - krb5_free_creds (context, v5_creds); - return ret; -} - -krb5_error_code 
-krb524_convert_creds_kdc_ccache(krb5_context context, - krb5_ccache ccache, - krb5_creds *in_cred, - struct credentials *v4creds) -{ - krb5_error_code ret; - krb5_creds *v5_creds = in_cred; - krb5_keytype keytype; - - keytype = v5_creds->session.keytype; - - if (keytype != ENCTYPE_DES_CBC_CRC) { - /* MIT krb524d doesn't like nothing but des-cbc-crc tickets, - so go get one */ - krb5_creds template; - - memset (&template, 0, sizeof(template)); - template.session.keytype = ENCTYPE_DES_CBC_CRC; - ret = krb5_copy_principal (context, in_cred->client, &template.client); - if (ret) { - krb5_free_creds_contents (context, &template); - return ret; - } - ret = krb5_copy_principal (context, in_cred->server, &template.server); - if (ret) { - krb5_free_creds_contents (context, &template); - return ret; - } - - ret = krb5_get_credentials (context, 0, ccache, - &template, &v5_creds); - krb5_free_creds_contents (context, &template); - if (ret) - return ret; - } - - ret = krb524_convert_creds_kdc(context, v5_creds, v4creds); - - if (v5_creds != in_cred) - krb5_free_creds (context, v5_creds); - return ret; -} diff --git a/crypto/heimdal-0.6.3/lib/krb5/copy_host_realm.c b/crypto/heimdal-0.6.3/lib/krb5/copy_host_realm.c deleted file mode 100644 index 38fdfa894d..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/copy_host_realm.c +++ /dev/null 
@@ -1,69 +0,0 @@
-/*
- * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-
-RCSID("$Id: copy_host_realm.c,v 1.4 2001/05/14 06:14:45 assar Exp $");
-
-/*
- * Copy the list of realms from `from' to `to'.
- */
-
-krb5_error_code
-krb5_copy_host_realm(krb5_context context,
- const krb5_realm *from,
- krb5_realm **to)
-{
- int n, i;
- const krb5_realm *p;
-
- for (n = 0, p = from; *p != NULL; ++p)
- ++n;
- ++n;
- *to = malloc (n * sizeof(**to));
- if (*to == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
- return ENOMEM;
- }
- for (i = 0; i < n; ++i)
- (*to)[i] = NULL;
- for (i = 0, p = from; *p != NULL; ++p, ++i) {
- (*to)[i] = strdup(*p);
- if ((*to)[i] == NULL) {
- krb5_free_host_realm (context, *to);
- krb5_set_error_string (context, "malloc: out of memory");
- return ENOMEM;
- }
- }
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/lib/krb5/crc.c b/crypto/heimdal-0.6.3/lib/krb5/crc.c
deleted file mode 100644
index c7cedd8c9e..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/crc.c
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-
-RCSID("$Id: crc.c,v 1.9 2000/08/03 01:45:14 assar Exp $");
-
-static u_long table[256];
-
-#define CRC_GEN 0xEDB88320L
-
-void
-_krb5_crc_init_table(void)
-{
- static int flag = 0;
- unsigned long crc, poly;
- int i, j;
-
- if(flag) return;
- poly = CRC_GEN;
- for (i = 0; i < 256; i++) {
- crc = i;
- for (j = 8; j > 0; j--) {
- if (crc & 1) {
- crc = (crc >> 1) ^ poly;
- } else {
- crc >>= 1;
- }
- }
- table[i] = crc;
- }
- flag = 1;
-}
-
-u_int32_t
-_krb5_crc_update (const char *p, size_t len, u_int32_t res)
-{
- while (len--)
- res = table[(res ^ *p++) & 0xFF] ^ (res >> 8);
- return res & 0xFFFFFFFF;
-}
diff --git a/crypto/heimdal-0.6.3/lib/krb5/creds.c b/crypto/heimdal-0.6.3/lib/krb5/creds.c
deleted file mode 100644
index 01c1c30a1c..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/creds.c
+++ /dev/null
@@ -1,151 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-
-RCSID("$Id: creds.c,v 1.15 2001/05/14 06:14:45 assar Exp $");
-
-krb5_error_code
-krb5_free_cred_contents (krb5_context context, krb5_creds *c)
-{
- return krb5_free_creds_contents (context, c);
-}
-
-krb5_error_code
-krb5_free_creds_contents (krb5_context context, krb5_creds *c)
-{
- krb5_free_principal (context, c->client);
- c->client = NULL;
- krb5_free_principal (context, c->server);
- c->server = NULL;
- krb5_free_keyblock_contents (context, &c->session);
- krb5_data_free (&c->ticket);
- krb5_data_free (&c->second_ticket);
- free_AuthorizationData (&c->authdata);
- krb5_free_addresses (context, &c->addresses);
- return 0;
-}
-
-krb5_error_code
-krb5_copy_creds_contents (krb5_context context,
- const krb5_creds *incred,
- krb5_creds *c)
-{
- krb5_error_code ret;
-
- memset(c, 0, sizeof(*c));
- ret = krb5_copy_principal (context, incred->client, &c->client);
- if (ret)
- goto fail;
- ret = krb5_copy_principal (context, incred->server, &c->server);
- if (ret)
- goto fail;
- ret = krb5_copy_keyblock_contents (context, &incred->session, &c->session);
- if (ret)
- goto fail;
- c->times = incred->times;
- ret = krb5_data_copy (&c->ticket,
- incred->ticket.data,
- incred->ticket.length);
- if (ret)
- goto fail;
- ret = krb5_data_copy (&c->second_ticket,
- incred->second_ticket.data,
- incred->second_ticket.length);
- if (ret)
- goto fail;
- ret = copy_AuthorizationData(&incred->authdata, &c->authdata);
- if (ret)
- goto fail;
- ret = krb5_copy_addresses (context,
- &incred->addresses,
- &c->addresses);
- if (ret)
- goto fail;
- c->flags = incred->flags;
- return 0;
-
-fail:
- krb5_free_creds_contents (context, c);
- return ret;
-}
-
-krb5_error_code
-krb5_copy_creds (krb5_context context,
- const krb5_creds *incred,
- krb5_creds **outcred)
-{
- krb5_creds *c;
-
- c = malloc (sizeof (*c));
- if (c == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
- return ENOMEM;
- }
- memset (c, 0, sizeof(*c));
- *outcred = c;
- return krb5_copy_creds_contents (context, incred, c);
-}
-
-krb5_error_code
-krb5_free_creds (krb5_context context, krb5_creds *c)
-{
- krb5_free_creds_contents (context, c);
- free (c);
- return 0;
-}
-
-/*
- * Return TRUE if `mcreds' and `creds' are equal (`whichfields'
- * determines what equal means).
- */
-
-krb5_boolean
-krb5_compare_creds(krb5_context context, krb5_flags whichfields,
- const krb5_creds *mcreds, const krb5_creds *creds)
-{
- krb5_boolean match;
-
- if(whichfields & KRB5_TC_DONT_MATCH_REALM)
- match = krb5_principal_compare_any_realm(context,
- mcreds->server,
- creds->server);
- else
- match = krb5_principal_compare(context, mcreds->server, creds->server);
- if(match && (whichfields & KRB5_TC_MATCH_KEYTYPE) &&
- !krb5_enctypes_compatible_keys (context,
- mcreds->session.keytype,
- creds->session.keytype))
- match = FALSE;
- return match;
-}
diff --git a/crypto/heimdal-0.6.3/lib/krb5/crypto.c b/crypto/heimdal-0.6.3/lib/krb5/crypto.c
deleted file mode 100644
index 3da8d303e3..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/crypto.c
+++ /dev/null
@@ -1,3774 +0,0 @@
-/*
- * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-RCSID("$Id: crypto.c,v 1.73.2.4 2004/03/06 16:38:00 lha Exp $");
-
-#undef CRYPTO_DEBUG
-#ifdef CRYPTO_DEBUG
-static void krb5_crypto_debug(krb5_context, int, size_t, krb5_keyblock*);
-#endif
-
-
-struct key_data {
- krb5_keyblock *key;
- krb5_data *schedule;
-};
-
-struct key_usage {
- unsigned usage;
- struct key_data key;
-};
-
-struct krb5_crypto_data {
- struct encryption_type *et;
- struct key_data key;
- int num_key_usage;
- struct key_usage *key_usage;
-};
-
-#define CRYPTO_ETYPE(C) ((C)->et->type)
-
-/* bits for `flags' below */
-#define F_KEYED 1 /* checksum is keyed */
-#define F_CPROOF 2 /* checksum is collision proof */
-#define F_DERIVED 4 /* uses derived keys */
-#define F_VARIANT 8 /* uses `variant' keys (6.4.3) */
-#define F_PSEUDO 16 /* not a real protocol type */
-#define F_SPECIAL 32 /* backwards */
-
-struct salt_type {
- krb5_salttype type;
- const char *name;
- krb5_error_code (*string_to_key)(krb5_context, krb5_enctype, krb5_data,
- krb5_salt, krb5_data, krb5_keyblock*);
-};
-
-struct key_type {
- krb5_keytype type; /* XXX */
- const char *name;
- size_t bits;
- size_t size;
- size_t schedule_size;
-#if 0
- krb5_enctype best_etype;
-#endif
- void (*random_key)(krb5_context, krb5_keyblock*);
- void (*schedule)(krb5_context, struct key_data *);
- struct salt_type *string_to_key;
-};
-
-struct checksum_type {
- krb5_cksumtype type;
- const char *name;
- size_t blocksize;
- size_t checksumsize;
- unsigned flags;
- void (*checksum)(krb5_context context,
- struct key_data *key,
- const void *buf, size_t len,
- unsigned usage,
- Checksum *csum);
- krb5_error_code (*verify)(krb5_context context,
- struct key_data *key,
- const void *buf, size_t len,
- unsigned usage,
- Checksum *csum);
-};
-
-struct encryption_type {
- krb5_enctype type;
- const char *name;
- size_t blocksize;
- size_t padsize;
- size_t confoundersize;
- struct key_type *keytype;
- struct checksum_type *checksum;
- struct checksum_type *keyed_checksum;
- unsigned flags;
- krb5_error_code (*encrypt)(krb5_context context,
- struct key_data *key,
- void *data, size_t len,
- krb5_boolean encrypt,
- int usage,
- void *ivec);
-};
-
-#define ENCRYPTION_USAGE(U) (((U) << 8) | 0xAA)
-#define INTEGRITY_USAGE(U) (((U) << 8) | 0x55)
-#define CHECKSUM_USAGE(U) (((U) << 8) | 0x99)
-
-static struct checksum_type *_find_checksum(krb5_cksumtype type);
-static struct encryption_type *_find_enctype(krb5_enctype type);
-static struct key_type *_find_keytype(krb5_keytype type);
-static krb5_error_code _get_derived_key(krb5_context, krb5_crypto,
- unsigned, struct key_data**);
-static struct key_data *_new_derived_key(krb5_crypto crypto, unsigned usage);
-static krb5_error_code derive_key(krb5_context context,
- struct encryption_type *et,
- struct key_data *key,
- const void *constant,
- size_t len);
-static krb5_error_code hmac(krb5_context context,
- struct checksum_type *cm,
- const void *data,
- size_t len,
- unsigned usage,
- struct key_data *keyblock,
- Checksum *result);
-static void free_key_data(krb5_context context, struct key_data *key);
-static krb5_error_code usage2arcfour (krb5_context, int *);
-
-/************************************************************
- * *
- ************************************************************/
-
-static void
-krb5_DES_random_key(krb5_context context,
- krb5_keyblock *key)
-{
- des_cblock *k = key->keyvalue.data;
- do {
- krb5_generate_random_block(k, sizeof(des_cblock));
- des_set_odd_parity(k);
- } while(des_is_weak_key(k));
-}
-
-static void
-krb5_DES_schedule(krb5_context context,
- struct key_data *key)
-{
- des_set_key(key->key->keyvalue.data, key->schedule->data);
-}
-
-static void
-DES_string_to_key_int(unsigned char *data, size_t length, des_cblock *key)
-{
- des_key_schedule schedule;
- int i;
- int reverse = 0;
- unsigned char *p;
-
- unsigned char swap[] = { 0x0, 0x8, 0x4, 0xc, 0x2, 0xa, 0x6, 0xe,
- 0x1, 0x9, 0x5, 0xd, 0x3, 0xb, 0x7, 0xf };
- memset(key, 0, 8);
-
- p = (unsigned char*)key;
- for (i = 0; i < length; i++) {
- unsigned char tmp = data[i];
- if (!reverse)
- *p++ ^= (tmp << 1);
- else
- *--p ^= (swap[tmp & 0xf] << 4) | swap[(tmp & 0xf0) >> 4];
- if((i % 8) == 7)
- reverse = !reverse;
- }
- des_set_odd_parity(key);
- if(des_is_weak_key(key))
- (*key)[7] ^= 0xF0;
- des_set_key(key, schedule);
- des_cbc_cksum((void*)data, key, length, schedule, key);
- memset(schedule, 0, sizeof(schedule));
- des_set_odd_parity(key);
-}
-
-static krb5_error_code
-krb5_DES_string_to_key(krb5_context context,
- krb5_enctype enctype,
- krb5_data password,
- krb5_salt salt,
- krb5_data opaque,
- krb5_keyblock *key)
-{
- unsigned char *s;
- size_t len;
- des_cblock tmp;
-
- len = password.length + salt.saltvalue.length;
- s = malloc(len);
- if(len > 0 && s == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
- memcpy(s, password.data, password.length);
- memcpy(s + password.length, salt.saltvalue.data, salt.saltvalue.length);
- DES_string_to_key_int(s, len, &tmp);
- key->keytype = enctype;
- krb5_data_copy(&key->keyvalue, tmp, sizeof(tmp));
- memset(&tmp, 0, sizeof(tmp));
- memset(s, 0, len);
- free(s);
- return 0;
-}
-
-/* This defines the Andrew string_to_key function. It accepts a password
- * string as input and converts its via a one-way encryption algorithm to a DES
- * encryption key. It is compatible with the original Andrew authentication
- * service password database.
- */
-
-/*
- * Short passwords, i.e 8 characters or less.
- */
-static void
-krb5_DES_AFS3_CMU_string_to_key (krb5_data pw,
- krb5_data cell,
- des_cblock *key)
-{
- char password[8+1]; /* crypt is limited to 8 chars anyway */
- int i;
-
- for(i = 0; i < 8; i++) {
- char c = ((i < pw.length) ? ((char*)pw.data)[i] : 0) ^
- ((i < cell.length) ?
- tolower(((unsigned char*)cell.data)[i]) : 0);
- password[i] = c ? c : 'X';
- }
- password[8] = '\0';
-
- memcpy(key, crypt(password, "p1") + 2, sizeof(des_cblock));
-
- /* parity is inserted into the LSB so left shift each byte up one
- bit. This allows ascii characters with a zero MSB to retain as
- much significance as possible. */
- for (i = 0; i < sizeof(des_cblock); i++)
- ((unsigned char*)key)[i] <<= 1;
- des_set_odd_parity (key);
-}
-
-/*
- * Long passwords, i.e 9 characters or more.
- */
-static void
-krb5_DES_AFS3_Transarc_string_to_key (krb5_data pw,
- krb5_data cell,
- des_cblock *key)
-{
- des_key_schedule schedule;
- des_cblock temp_key;
- des_cblock ivec;
- char password[512];
- size_t passlen;
-
- memcpy(password, pw.data, min(pw.length, sizeof(password)));
- if(pw.length < sizeof(password)) {
- int len = min(cell.length, sizeof(password) - pw.length);
- int i;
-
- memcpy(password + pw.length, cell.data, len);
- for (i = pw.length; i < pw.length + len; ++i)
- password[i] = tolower((unsigned char)password[i]);
- }
- passlen = min(sizeof(password), pw.length + cell.length);
- memcpy(&ivec, "kerberos", 8);
- memcpy(&temp_key, "kerberos", 8);
- des_set_odd_parity (&temp_key);
- des_set_key (&temp_key, schedule);
- des_cbc_cksum (password, &ivec, passlen, schedule, &ivec);
-
- memcpy(&temp_key, &ivec, 8);
- des_set_odd_parity (&temp_key);
- des_set_key (&temp_key, schedule);
- des_cbc_cksum (password, key, passlen, schedule, &ivec);
- memset(&schedule, 0, sizeof(schedule));
- memset(&temp_key, 0, sizeof(temp_key));
- memset(&ivec, 0, sizeof(ivec));
- memset(password, 0, sizeof(password));
-
- des_set_odd_parity (key);
-}
-
-static krb5_error_code
-DES_AFS3_string_to_key(krb5_context context,
- krb5_enctype enctype,
- krb5_data password,
- krb5_salt salt,
- krb5_data opaque,
- krb5_keyblock *key)
-{
- des_cblock tmp;
- if(password.length > 8)
- krb5_DES_AFS3_Transarc_string_to_key(password, salt.saltvalue, &tmp);
- else
- krb5_DES_AFS3_CMU_string_to_key(password, salt.saltvalue, &tmp);
- key->keytype = enctype;
- krb5_data_copy(&key->keyvalue, tmp, sizeof(tmp));
- memset(&key, 0, sizeof(key));
- return 0;
-}
-
-static void
-DES3_random_key(krb5_context context,
- krb5_keyblock *key)
-{
- des_cblock *k = key->keyvalue.data;
- do {
- krb5_generate_random_block(k, 3 * sizeof(des_cblock));
- des_set_odd_parity(&k[0]);
- des_set_odd_parity(&k[1]);
- des_set_odd_parity(&k[2]);
- } while(des_is_weak_key(&k[0]) ||
- des_is_weak_key(&k[1]) ||
- des_is_weak_key(&k[2]));
-}
-
-static void
-DES3_schedule(krb5_context context,
- struct key_data *key)
-{
- des_cblock *k = key->key->keyvalue.data;
- des_key_schedule *s = key->schedule->data;
- des_set_key(&k[0], s[0]);
- des_set_key(&k[1], s[1]);
- des_set_key(&k[2], s[2]);
-}
-
-/*
- * A = A xor B. A & B are 8 bytes.
- */
-
-static void
-xor (des_cblock *key, const unsigned char *b)
-{
- unsigned char *a = (unsigned char*)key;
- a[0] ^= b[0];
- a[1] ^= b[1];
- a[2] ^= b[2];
- a[3] ^= b[3];
- a[4] ^= b[4];
- a[5] ^= b[5];
- a[6] ^= b[6];
- a[7] ^= b[7];
-}
-
-static krb5_error_code
-DES3_string_to_key(krb5_context context,
- krb5_enctype enctype,
- krb5_data password,
- krb5_salt salt,
- krb5_data opaque,
- krb5_keyblock *key)
-{
- char *str;
- size_t len;
- unsigned char tmp[24];
- des_cblock keys[3];
-
- len = password.length + salt.saltvalue.length;
- str = malloc(len);
- if(len != 0 && str == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
- memcpy(str, password.data, password.length);
- memcpy(str + password.length, salt.saltvalue.data, salt.saltvalue.length);
- {
- des_cblock ivec;
- des_key_schedule s[3];
- int i;
-
- _krb5_n_fold(str, len, tmp, 24);
-
- for(i = 0; i < 3; i++){
- memcpy(keys + i, tmp + i * 8, sizeof(keys[i]));
- des_set_odd_parity(keys + i);
- if(des_is_weak_key(keys + i))
- xor(keys + i, (const unsigned char*)"\0\0\0\0\0\0\0\xf0");
- des_set_key(keys + i, s[i]);
- }
- memset(&ivec, 0, sizeof(ivec));
- des_ede3_cbc_encrypt(tmp,
- tmp, sizeof(tmp),
- s[0], s[1], s[2], &ivec, DES_ENCRYPT);
- memset(s, 0, sizeof(s));
- memset(&ivec, 0, sizeof(ivec));
- for(i = 0; i < 3; i++){
- memcpy(keys + i, tmp + i * 8, sizeof(keys[i]));
- des_set_odd_parity(keys + i);
- if(des_is_weak_key(keys + i))
- xor(keys + i, (const unsigned char*)"\0\0\0\0\0\0\0\xf0");
- }
- memset(tmp, 0, sizeof(tmp));
- }
- key->keytype = enctype;
- krb5_data_copy(&key->keyvalue, keys, sizeof(keys));
- memset(keys, 0, sizeof(keys));
- memset(str, 0, len);
- free(str);
- return 0;
-}
-
-static krb5_error_code
-DES3_string_to_key_derived(krb5_context context,
- krb5_enctype enctype,
- krb5_data password,
- krb5_salt salt,
- krb5_data opaque,
- krb5_keyblock *key)
-{
- krb5_error_code ret;
- size_t len = password.length + salt.saltvalue.length;
- char *s;
-
- s = malloc(len);
- if(len != 0 && s == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
- memcpy(s, password.data, password.length);
- memcpy(s + password.length, salt.saltvalue.data, salt.saltvalue.length);
- ret = krb5_string_to_key_derived(context,
- s,
- len,
- enctype,
- key);
- memset(s, 0, len);
- free(s);
- return ret;
-}
-
-/*
- * ARCFOUR
- */
-
-static void
-ARCFOUR_random_key(krb5_context context, krb5_keyblock *key)
-{
- krb5_generate_random_block (key->keyvalue.data,
- key->keyvalue.length);
-}
-
-static void
-ARCFOUR_schedule(krb5_context context, struct key_data *kd)
-{
- RC4_set_key (kd->schedule->data,
- kd->key->keyvalue.length, kd->key->keyvalue.data);
-}
-
-static krb5_error_code
-ARCFOUR_string_to_key(krb5_context context,
- krb5_enctype enctype,
- krb5_data password,
- krb5_salt salt,
- krb5_data opaque,
- krb5_keyblock *key)
-{
- char *s, *p;
- size_t len;
- int i;
- MD4_CTX m;
-
- len = 2 * password.length;
- s = malloc (len);
- if (len != 0 && s == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
- for (p = s, i = 0; i < password.length; ++i) {
- *p++ = ((char *)password.data)[i];
- *p++ = 0;
- }
- MD4_Init (&m);
- MD4_Update (&m, s, len);
- key->keytype = enctype;
- krb5_data_alloc (&key->keyvalue, 16);
- MD4_Final (key->keyvalue.data, &m);
- memset (s, 0, len);
- free (s);
- return 0;
-}
-
-#ifdef ENABLE_AES
-/*
- * AES
- */
-
-/* iter is really 1 based, so iter == 0 will be 1 iteration */
-
-krb5_error_code
-krb5_PKCS5_PBKDF2(krb5_context context, krb5_cksumtype cktype,
- krb5_data password, krb5_salt salt, u_int32_t iter,
- krb5_keytype type, krb5_keyblock *key)
-{
- struct checksum_type *c = _find_checksum(cktype);
- struct key_type *kt;
- size_t datalen, leftofkey;
- krb5_error_code ret;
- u_int32_t keypart;
- struct key_data ksign;
- krb5_keyblock kb;
- Checksum result;
- char *data, *tmpcksum;
- int i, j;
- char *p;
-
- if (c == NULL) {
- krb5_set_error_string(context, "checksum %d not supported", cktype);
- return KRB5_PROG_KEYTYPE_NOSUPP;
- }
-
- kt = _find_keytype(type);
- if (kt == NULL) {
- krb5_set_error_string(context, "key type %d not supported", type);
- return KRB5_PROG_KEYTYPE_NOSUPP;
- }
-
- key->keytype = type;
- ret = krb5_data_alloc (&key->keyvalue, kt->bits / 8);
- if (ret) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ret;
- }
-
- ret = krb5_data_alloc (&result.checksum, c->checksumsize);
- if (ret) {
- krb5_set_error_string(context, "malloc: out of memory");
- krb5_data_free (&key->keyvalue);
- return ret;
- }
-
- tmpcksum = malloc(c->checksumsize);
- if (tmpcksum == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- krb5_data_free (&key->keyvalue);
- krb5_data_free (&result.checksum);
- return ENOMEM;
- }
-
- datalen = salt.saltvalue.length + 4;
- data = malloc(datalen);
- if (data == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- free(tmpcksum);
- krb5_data_free (&key->keyvalue);
- krb5_data_free (&result.checksum);
- return ENOMEM;
- }
-
- kb.keyvalue = password;
- ksign.key = &kb;
-
- memcpy(data, salt.saltvalue.data, salt.saltvalue.length);
-
- keypart = 1;
- leftofkey = key->keyvalue.length;
- p = key->keyvalue.data;
-
- while (leftofkey) {
- int len;
-
- if (leftofkey > c->checksumsize)
- len = c->checksumsize;
- else
- len = leftofkey;
-
- _krb5_put_int(data + datalen - 4, keypart, 4);
-
- ret = hmac(context, c, data, datalen, 0, &ksign, &result);
- if (ret)
- krb5_abortx(context, "hmac failed");
- memcpy(p, result.checksum.data, len);
- memcpy(tmpcksum, result.checksum.data, result.checksum.length);
- for (i = 0; i < iter; i++) {
- ret = hmac(context, c, tmpcksum, result.checksum.length,
- 0, &ksign, &result);
- if (ret)
- krb5_abortx(context, "hmac failed");
- memcpy(tmpcksum, result.checksum.data, result.checksum.length);
- for (j = 0; j < len; j++)
- p[j] ^= tmpcksum[j];
- }
-
- p += len;
- leftofkey -= len;
- keypart++;
- }
-
- free(data);
- free(tmpcksum);
- krb5_data_free (&result.checksum);
-
- return 0;
-}
-
-static krb5_error_code
-AES_string_to_key(krb5_context context,
- krb5_enctype enctype,
- krb5_data password,
- krb5_salt salt,
- krb5_data opaque,
- krb5_keyblock *key)
-{
- krb5_error_code ret;
- u_int32_t iter;
- struct encryption_type *et;
- struct key_data kd;
-
- if (opaque.length == 0)
- iter = 45056 - 1;
- else if (opaque.length == 4) {
- unsigned long v;
- _krb5_get_int(opaque.data, &v, 4);
- iter = ((u_int32_t)v) - 1;
- } else
- return KRB5_PROG_KEYTYPE_NOSUPP; /* XXX */
-
-
- et = _find_enctype(enctype);
- if (et == NULL)
- return KRB5_PROG_KEYTYPE_NOSUPP;
-
- ret = krb5_PKCS5_PBKDF2(context, CKSUMTYPE_SHA1, password, salt,
- iter, enctype, key);
- if (ret)
- return ret;
-
- ret = krb5_copy_keyblock(context, key, &kd.key);
- kd.schedule = NULL;
-
- ret = derive_key(context, et, &kd, "kerberos", strlen("kerberos"));
-
- if (ret) {
- krb5_data_free(&key->keyvalue);
- } else {
- ret = krb5_copy_keyblock_contents(context, kd.key, key);
- free_key_data(context, &kd);
- }
-
- return ret;
-}
-
-static void
-AES_schedule(krb5_context context, struct key_data *kd)
-{
- AES_KEY *key = kd->schedule->data;
- int bits = kd->key->keyvalue.length * 8;
-
- AES_set_encrypt_key(kd->key->keyvalue.data, bits, &key[0]);
- AES_set_decrypt_key(kd->key->keyvalue.data, bits, &key[1]);
-}
-
-/*
- *
- */
-
-extern struct salt_type AES_salt[];
-
-#endif /* ENABLE_AES */
-
-extern struct salt_type des_salt[],
- des3_salt[], des3_salt_derived[], arcfour_salt[];
-
-struct key_type keytype_null = {
- KEYTYPE_NULL,
- "null",
- 0,
- 0,
- 0,
- NULL,
- NULL,
- NULL
-};
-
-struct key_type keytype_des = {
- KEYTYPE_DES,
- "des",
- 56,
- sizeof(des_cblock),
- sizeof(des_key_schedule),
- krb5_DES_random_key,
- krb5_DES_schedule,
- des_salt
-};
-
-struct key_type keytype_des3 = {
- KEYTYPE_DES3,
- "des3",
- 168,
- 3 * sizeof(des_cblock),
- 3 * sizeof(des_key_schedule),
- DES3_random_key,
- DES3_schedule,
- des3_salt
-};
-
-struct key_type keytype_des3_derived = {
- KEYTYPE_DES3,
- "des3",
- 168,
- 3 * sizeof(des_cblock),
- 3 * sizeof(des_key_schedule),
- DES3_random_key,
- DES3_schedule,
- des3_salt_derived
-};
-
-#ifdef ENABLE_AES
-struct key_type keytype_aes128 = {
- KEYTYPE_AES128,
- "aes-128",
- 128,
- 16,
- sizeof(AES_KEY) * 2,
- NULL,
- AES_schedule,
- AES_salt
-};
-
-struct key_type keytype_aes256 = {
- KEYTYPE_AES256,
- "aes-256",
- 256,
- 16,
- sizeof(AES_KEY) * 2,
- NULL,
- AES_schedule,
- AES_salt
-};
-#endif /* ENABLE_AES */
-
-struct key_type keytype_arcfour = {
- KEYTYPE_ARCFOUR,
- "arcfour",
- 128,
- 16,
- sizeof(RC4_KEY),
- ARCFOUR_random_key,
- ARCFOUR_schedule,
- arcfour_salt
-};
-
-struct key_type *keytypes[] = {
- &keytype_null,
- &keytype_des,
- &keytype_des3_derived,
- &keytype_des3,
-#ifdef ENABLE_AES
- &keytype_aes128,
- &keytype_aes256,
-#endif /* ENABLE_AES */
- &keytype_arcfour
-};
-
-static int num_keytypes = sizeof(keytypes) / sizeof(keytypes[0]);
-
-static struct key_type *
-_find_keytype(krb5_keytype type)
-{
- int i;
- for(i = 0; i < num_keytypes; i++)
- if(keytypes[i]->type == type)
- return keytypes[i];
- return NULL;
-}
-
-
-struct salt_type des_salt[] = {
- {
- KRB5_PW_SALT,
- "pw-salt",
- krb5_DES_string_to_key
- },
- {
- KRB5_AFS3_SALT,
- "afs3-salt",
- DES_AFS3_string_to_key
- },
- { 0 }
-};
-
-struct salt_type des3_salt[] = {
- {
- KRB5_PW_SALT,
- "pw-salt",
- DES3_string_to_key
- },
- { 0 }
-};
-
-struct salt_type des3_salt_derived[] = {
- {
- KRB5_PW_SALT,
- "pw-salt",
- DES3_string_to_key_derived
- },
- { 0 }
-};
-
-#ifdef ENABLE_AES
-struct salt_type AES_salt[] = {
- {
- KRB5_PW_SALT,
- "pw-salt",
- AES_string_to_key
- },
- { 0 }
-};
-#endif /* ENABLE_AES */
-
-struct salt_type arcfour_salt[] = {
- {
- KRB5_PW_SALT,
- "pw-salt",
- ARCFOUR_string_to_key
- },
- { 0 }
-};
-
-krb5_error_code
-krb5_salttype_to_string (krb5_context context,
- krb5_enctype etype,
- krb5_salttype stype,
- char **string)
-{
- struct encryption_type *e;
- struct salt_type *st;
-
- e = _find_enctype (etype);
- if (e == NULL) {
- krb5_set_error_string(context, "encryption type %d not supported",
- etype);
- return KRB5_PROG_ETYPE_NOSUPP;
- }
- for (st = e->keytype->string_to_key; st && st->type; st++) {
- if (st->type == stype) {
- *string = strdup (st->name);
- if (*string == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
- return 0;
- }
- }
- krb5_set_error_string(context, "salttype %d not supported", stype);
- return HEIM_ERR_SALTTYPE_NOSUPP;
-}
-
-krb5_error_code
-krb5_string_to_salttype (krb5_context context,
- krb5_enctype etype,
- const char *string,
- krb5_salttype *salttype)
-{
- struct encryption_type *e;
- struct salt_type *st;
-
- e = _find_enctype (etype);
- if (e == NULL) {
- krb5_set_error_string(context, "encryption type %d not supported",
- etype);
- return KRB5_PROG_ETYPE_NOSUPP;
- }
- for (st = e->keytype->string_to_key; st && st->type; st++) {
- if (strcasecmp (st->name, string) == 0) {
- *salttype = st->type;
- return 0;
- }
- }
- krb5_set_error_string(context, "salttype %s not supported", string);
- return HEIM_ERR_SALTTYPE_NOSUPP;
-}
-
-krb5_error_code
-krb5_get_pw_salt(krb5_context context,
- krb5_const_principal principal,
- krb5_salt *salt)
-{
- size_t len;
- int i;
- krb5_error_code ret;
- char *p;
-
- salt->salttype = KRB5_PW_SALT;
- len = strlen(principal->realm);
- for (i = 0; i < principal->name.name_string.len; ++i)
- len += strlen(principal->name.name_string.val[i]);
- ret = krb5_data_alloc (&salt->saltvalue, len);
- if (ret)
- return ret;
- p = salt->saltvalue.data;
- memcpy (p, principal->realm, strlen(principal->realm));
- p += strlen(principal->realm);
- for (i = 0; i < principal->name.name_string.len; ++i) {
- memcpy (p,
- principal->name.name_string.val[i],
- strlen(principal->name.name_string.val[i]));
- p += strlen(principal->name.name_string.val[i]);
- }
- return 0;
-}
-
-krb5_error_code
-krb5_free_salt(krb5_context context,
- krb5_salt salt)
-{
- krb5_data_free(&salt.saltvalue);
- return 0;
-}
-
-krb5_error_code
-krb5_string_to_key_data (krb5_context context,
- krb5_enctype enctype,
- krb5_data password,
- krb5_principal principal,
- krb5_keyblock *key)
-{
- krb5_error_code ret;
- krb5_salt salt;
-
- ret = krb5_get_pw_salt(context, principal, &salt);
- if(ret)
- return ret;
- ret = krb5_string_to_key_data_salt(context, enctype, password, salt, key);
- krb5_free_salt(context, salt);
- return ret;
-}
-
-krb5_error_code
-krb5_string_to_key (krb5_context context,
- krb5_enctype enctype,
- const char *password,
- krb5_principal principal,
- krb5_keyblock *key)
-{
- krb5_data pw;
- pw.data = (void*)password;
- pw.length = strlen(password);
- return krb5_string_to_key_data(context, enctype, pw, principal, key);
-}
-
-krb5_error_code
-krb5_string_to_key_data_salt (krb5_context context,
- krb5_enctype enctype,
- krb5_data password,
- krb5_salt salt,
- krb5_keyblock *key)
-{
- krb5_data opaque;
- krb5_data_zero(&opaque);
- return krb5_string_to_key_data_salt_opaque(context, enctype, password,
- salt, opaque, key);
-}
-
-/*
- * Do a string -> key for encryption type `enctype' operation on
- * `password' (with salt `salt' and the enctype specific data string
- * `opaque'), returning the resulting key in `key'
- */
-
-krb5_error_code
-krb5_string_to_key_data_salt_opaque (krb5_context context,
- krb5_enctype enctype,
- krb5_data password,
- krb5_salt salt,
- krb5_data opaque,
- krb5_keyblock *key)
-{
- struct encryption_type *et =_find_enctype(enctype);
- struct salt_type *st;
- if(et == NULL) {
- krb5_set_error_string(context, "encryption type %d not supported",
- enctype);
- return KRB5_PROG_ETYPE_NOSUPP;
- }
- for(st = et->keytype->string_to_key; st && st->type; st++)
- if(st->type == salt.salttype)
- return (*st->string_to_key)(context, enctype, password,
- salt, opaque, key);
- krb5_set_error_string(context, "salt type %d not supported",
- salt.salttype);
- return HEIM_ERR_SALTTYPE_NOSUPP;
-}
-
-/*
- * Do a string -> key for encryption type `enctype' operation on the
- * string `password' (with salt `salt'), returning the resulting key
- * in `key'
- */
-
-krb5_error_code
-krb5_string_to_key_salt (krb5_context context,
- krb5_enctype enctype,
- const char *password,
- krb5_salt salt,
- krb5_keyblock *key)
-{
- krb5_data pw;
- pw.data = (void*)password;
- pw.length = strlen(password);
- return krb5_string_to_key_data_salt(context, enctype, pw, salt, key);
-}
-
-krb5_error_code
-krb5_keytype_to_string(krb5_context context,
- krb5_keytype keytype,
- char **string)
-{
- struct key_type *kt = _find_keytype(keytype);
- if(kt == NULL) {
- krb5_set_error_string(context, "key type %d not supported", keytype);
- return KRB5_PROG_KEYTYPE_NOSUPP;
- }
- *string = strdup(kt->name);
- if(*string == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
- return 0;
-}
-
-krb5_error_code
-krb5_string_to_keytype(krb5_context context,
- const char *string,
- krb5_keytype *keytype)
-{
- int i;
- for(i = 0; i < num_keytypes; i++)
- if(strcasecmp(keytypes[i]->name, string) == 0){
- *keytype = keytypes[i]->type;
- return 0;
- }
- krb5_set_error_string(context, "key type %s not supported", string);
- return KRB5_PROG_KEYTYPE_NOSUPP;
-}
-
-krb5_error_code
-krb5_enctype_keysize(krb5_context context,
- krb5_enctype type,
- size_t *keysize)
-{
- struct encryption_type *et = _find_enctype(type);
- if(et == NULL) {
- krb5_set_error_string(context, "encryption type %d not supported",
- type);
- return KRB5_PROG_ETYPE_NOSUPP;
- }
- *keysize = et->keytype->size;
- return 0;
-}
-
-krb5_error_code
-krb5_generate_random_keyblock(krb5_context context,
- krb5_enctype type,
- krb5_keyblock *key)
-{
- krb5_error_code ret;
- struct encryption_type *et = _find_enctype(type);
- if(et == NULL) {
- krb5_set_error_string(context, "encryption type %d not supported",
- type);
- return KRB5_PROG_ETYPE_NOSUPP;
- }
- ret = krb5_data_alloc(&key->keyvalue, et->keytype->size);
- if(ret)
- return ret;
- key->keytype = type;
- if(et->keytype->random_key)
- (*et->keytype->random_key)(context, key);
- else
- krb5_generate_random_block(key->keyvalue.data,
- key->keyvalue.length);
- return 0;
-}
-
-static krb5_error_code
-_key_schedule(krb5_context context,
- struct key_data *key)
-{
- krb5_error_code ret;
- struct encryption_type *et = _find_enctype(key->key->keytype);
- struct key_type *kt = et->keytype;
-
- if(kt->schedule == NULL)
- return 0;
- if (key->schedule != NULL)
- return 0;
- ALLOC(key->schedule, 1);
- if(key->schedule == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
- ret = krb5_data_alloc(key->schedule, kt->schedule_size);
- if(ret) {
- free(key->schedule);
- key->schedule = NULL;
- return ret;
- }
- (*kt->schedule)(context, key);
- return 0;
-}
-
-/************************************************************
- * *
- ************************************************************/
-
-static void
-NONE_checksum(krb5_context context,
- struct key_data *key,
- const void *data,
- size_t len,
- unsigned usage,
- Checksum *C)
-{
-}
-
-static void
-CRC32_checksum(krb5_context
context, - struct key_data *key, - const void *data, - size_t len, - unsigned usage, - Checksum *C) -{ - u_int32_t crc; - unsigned char *r = C->checksum.data; - _krb5_crc_init_table (); - crc = _krb5_crc_update (data, len, 0); - r[0] = crc & 0xff; - r[1] = (crc >> 8) & 0xff; - r[2] = (crc >> 16) & 0xff; - r[3] = (crc >> 24) & 0xff; -} - -static void -RSA_MD4_checksum(krb5_context context, - struct key_data *key, - const void *data, - size_t len, - unsigned usage, - Checksum *C) -{ - MD4_CTX m; - - MD4_Init (&m); - MD4_Update (&m, data, len); - MD4_Final (C->checksum.data, &m); -} - -static void -RSA_MD4_DES_checksum(krb5_context context, - struct key_data *key, - const void *data, - size_t len, - unsigned usage, - Checksum *cksum) -{ - MD4_CTX md4; - des_cblock ivec; - unsigned char *p = cksum->checksum.data; - - krb5_generate_random_block(p, 8); - MD4_Init (&md4); - MD4_Update (&md4, p, 8); - MD4_Update (&md4, data, len); - MD4_Final (p + 8, &md4); - memset (&ivec, 0, sizeof(ivec)); - des_cbc_encrypt(p, - p, - 24, - key->schedule->data, - &ivec, - DES_ENCRYPT); -} - -static krb5_error_code -RSA_MD4_DES_verify(krb5_context context, - struct key_data *key, - const void *data, - size_t len, - unsigned usage, - Checksum *C) -{ - MD4_CTX md4; - unsigned char tmp[24]; - unsigned char res[16]; - des_cblock ivec; - krb5_error_code ret = 0; - - memset(&ivec, 0, sizeof(ivec)); - des_cbc_encrypt(C->checksum.data, - (void*)tmp, - C->checksum.length, - key->schedule->data, - &ivec, - DES_DECRYPT); - MD4_Init (&md4); - MD4_Update (&md4, tmp, 8); /* confounder */ - MD4_Update (&md4, data, len); - MD4_Final (res, &md4); - if(memcmp(res, tmp + 8, sizeof(res)) != 0) { - krb5_clear_error_string (context); - ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; - } - memset(tmp, 0, sizeof(tmp)); - memset(res, 0, sizeof(res)); - return ret; -} - -static void -RSA_MD5_checksum(krb5_context context, - struct key_data *key, - const void *data, - size_t len, - unsigned usage, - Checksum *C) -{ - MD5_CTX m; 
-
- MD5_Init (&m);
- MD5_Update(&m, data, len);
- MD5_Final (C->checksum.data, &m);
-}
-
-static void
-RSA_MD5_DES_checksum(krb5_context context,
- struct key_data *key,
- const void *data,
- size_t len,
- unsigned usage,
- Checksum *C)
-{
- MD5_CTX md5;
- des_cblock ivec;
- unsigned char *p = C->checksum.data;
-
- krb5_generate_random_block(p, 8);
- MD5_Init (&md5);
- MD5_Update (&md5, p, 8);
- MD5_Update (&md5, data, len);
- MD5_Final (p + 8, &md5);
- memset (&ivec, 0, sizeof(ivec));
- des_cbc_encrypt(p,
- p,
- 24,
- key->schedule->data,
- &ivec,
- DES_ENCRYPT);
-}
-
-static krb5_error_code
-RSA_MD5_DES_verify(krb5_context context,
- struct key_data *key,
- const void *data,
- size_t len,
- unsigned usage,
- Checksum *C)
-{
- MD5_CTX md5;
- unsigned char tmp[24];
- unsigned char res[16];
- des_cblock ivec;
- des_key_schedule *sched = key->schedule->data;
- krb5_error_code ret = 0;
-
- memset(&ivec, 0, sizeof(ivec));
- des_cbc_encrypt(C->checksum.data,
- (void*)tmp,
- C->checksum.length,
- sched[0],
- &ivec,
- DES_DECRYPT);
- MD5_Init (&md5);
- MD5_Update (&md5, tmp, 8); /* confounder */
- MD5_Update (&md5, data, len);
- MD5_Final (res, &md5);
- if(memcmp(res, tmp + 8, sizeof(res)) != 0) {
- krb5_clear_error_string (context);
- ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
- }
- memset(tmp, 0, sizeof(tmp));
- memset(res, 0, sizeof(res));
- return ret;
-}
-
-static void
-RSA_MD5_DES3_checksum(krb5_context context,
- struct key_data *key,
- const void *data,
- size_t len,
- unsigned usage,
- Checksum *C)
-{
- MD5_CTX md5;
- des_cblock ivec;
- unsigned char *p = C->checksum.data;
- des_key_schedule *sched = key->schedule->data;
-
- krb5_generate_random_block(p, 8);
- MD5_Init (&md5);
- MD5_Update (&md5, p, 8);
- MD5_Update (&md5, data, len);
- MD5_Final (p + 8, &md5);
- memset (&ivec, 0, sizeof(ivec));
- des_ede3_cbc_encrypt(p,
- p,
- 24,
- sched[0], sched[1], sched[2],
- &ivec,
- DES_ENCRYPT);
-}
-
-static krb5_error_code
-RSA_MD5_DES3_verify(krb5_context context,
- struct key_data *key,
- const void *data,
- size_t len,
- unsigned usage,
- Checksum *C)
-{
- MD5_CTX md5;
- unsigned char tmp[24];
- unsigned char res[16];
- des_cblock ivec;
- des_key_schedule *sched = key->schedule->data;
- krb5_error_code ret = 0;
-
- memset(&ivec, 0, sizeof(ivec));
- des_ede3_cbc_encrypt(C->checksum.data,
- (void*)tmp,
- C->checksum.length,
- sched[0], sched[1], sched[2],
- &ivec,
- DES_DECRYPT);
- MD5_Init (&md5);
- MD5_Update (&md5, tmp, 8); /* confounder */
- MD5_Update (&md5, data, len);
- MD5_Final (res, &md5);
- if(memcmp(res, tmp + 8, sizeof(res)) != 0) {
- krb5_clear_error_string (context);
- ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
- }
- memset(tmp, 0, sizeof(tmp));
- memset(res, 0, sizeof(res));
- return ret;
-}
-
-static void
-SHA1_checksum(krb5_context context,
- struct key_data *key,
- const void *data,
- size_t len,
- unsigned usage,
- Checksum *C)
-{
- SHA_CTX m;
-
- SHA1_Init(&m);
- SHA1_Update(&m, data, len);
- SHA1_Final(C->checksum.data, &m);
-}
-
-/* HMAC according to RFC2104 */
-static krb5_error_code
-hmac(krb5_context context,
- struct checksum_type *cm,
- const void *data,
- size_t len,
- unsigned usage,
- struct key_data *keyblock,
- Checksum *result)
-{
- unsigned char *ipad, *opad;
- unsigned char *key;
- size_t key_len;
- int i;
-
- ipad = malloc(cm->blocksize + len);
- if (ipad == NULL)
- return ENOMEM;
- opad = malloc(cm->blocksize + cm->checksumsize);
- if (opad == NULL) {
- free(ipad);
- return ENOMEM;
- }
- memset(ipad, 0x36, cm->blocksize);
- memset(opad, 0x5c, cm->blocksize);
-
- if(keyblock->key->keyvalue.length > cm->blocksize){
- (*cm->checksum)(context,
- keyblock,
- keyblock->key->keyvalue.data,
- keyblock->key->keyvalue.length,
- usage,
- result);
- key = result->checksum.data;
- key_len = result->checksum.length;
- } else {
- key = keyblock->key->keyvalue.data;
- key_len = keyblock->key->keyvalue.length;
- }
- for(i = 0; i < key_len; i++){
- ipad[i] ^= key[i];
- opad[i] ^= key[i];
- }
- memcpy(ipad + cm->blocksize, data, len);
- (*cm->checksum)(context, keyblock, ipad, cm->blocksize + len,
- usage, result);
- memcpy(opad + cm->blocksize, result->checksum.data,
- result->checksum.length);
- (*cm->checksum)(context, keyblock, opad,
- cm->blocksize + cm->checksumsize, usage, result);
- memset(ipad, 0, cm->blocksize + len);
- free(ipad);
- memset(opad, 0, cm->blocksize + cm->checksumsize);
- free(opad);
-
- return 0;
-}
-
-krb5_error_code
-krb5_hmac(krb5_context context,
- krb5_cksumtype cktype,
- const void *data,
- size_t len,
- unsigned usage,
- krb5_keyblock *key,
- Checksum *result)
-{
- struct checksum_type *c = _find_checksum(cktype);
- struct key_data kd;
- krb5_error_code ret;
-
- if (c == NULL) {
- krb5_set_error_string (context, "checksum type %d not supported",
- cktype);
- return KRB5_PROG_SUMTYPE_NOSUPP;
- }
-
- kd.key = key;
- kd.schedule = NULL;
-
- ret = hmac(context, c, data, len, usage, &kd, result);
-
- if (kd.schedule)
- krb5_free_data(context, kd.schedule);
-
- return ret;
- }
-
-static void
-SP_HMAC_SHA1_checksum(krb5_context context,
- struct key_data *key,
- const void *data,
- size_t len,
- unsigned usage,
- Checksum *result)
-{
- struct checksum_type *c = _find_checksum(CKSUMTYPE_SHA1);
- Checksum res;
- char sha1_data[20];
- krb5_error_code ret;
-
- res.checksum.data = sha1_data;
- res.checksum.length = sizeof(sha1_data);
-
- ret = hmac(context, c, data, len, usage, key, &res);
- if (ret)
- krb5_abortx(context, "hmac failed");
- memcpy(result->checksum.data, res.checksum.data, result->checksum.length);
-}
-
-/*
- * checksum according to section 5. of draft-brezak-win2k-krb-rc4-hmac-03.txt
- */
-
-static void
-HMAC_MD5_checksum(krb5_context context,
- struct key_data *key,
- const void *data,
- size_t len,
- unsigned usage,
- Checksum *result)
-{
- MD5_CTX md5;
- struct checksum_type *c = _find_checksum (CKSUMTYPE_RSA_MD5);
- const char signature[] = "signaturekey";
- Checksum ksign_c;
- struct key_data ksign;
- krb5_keyblock kb;
- unsigned char t[4];
- unsigned char tmp[16];
- unsigned char ksign_c_data[16];
- krb5_error_code ret;
-
- ksign_c.checksum.length = sizeof(ksign_c_data);
- ksign_c.checksum.data = ksign_c_data;
- ret = hmac(context, c, signature, sizeof(signature), 0, key, &ksign_c);
- if (ret)
- krb5_abortx(context, "hmac failed");
- ksign.key = &kb;
- kb.keyvalue = ksign_c.checksum;
- MD5_Init (&md5);
- t[0] = (usage >> 0) & 0xFF;
- t[1] = (usage >> 8) & 0xFF;
- t[2] = (usage >> 16) & 0xFF;
- t[3] = (usage >> 24) & 0xFF;
- MD5_Update (&md5, t, 4);
- MD5_Update (&md5, data, len);
- MD5_Final (tmp, &md5);
- ret = hmac(context, c, tmp, sizeof(tmp), 0, &ksign, result);
- if (ret)
- krb5_abortx(context, "hmac failed");
-}
-
-/*
- * same as previous but being used while encrypting.
- */
-
-static void
-HMAC_MD5_checksum_enc(krb5_context context,
- struct key_data *key,
- const void *data,
- size_t len,
- unsigned usage,
- Checksum *result)
-{
- struct checksum_type *c = _find_checksum (CKSUMTYPE_RSA_MD5);
- Checksum ksign_c;
- struct key_data ksign;
- krb5_keyblock kb;
- unsigned char t[4];
- unsigned char ksign_c_data[16];
- krb5_error_code ret;
-
- t[0] = (usage >> 0) & 0xFF;
- t[1] = (usage >> 8) & 0xFF;
- t[2] = (usage >> 16) & 0xFF;
- t[3] = (usage >> 24) & 0xFF;
-
- ksign_c.checksum.length = sizeof(ksign_c_data);
- ksign_c.checksum.data = ksign_c_data;
- ret = hmac(context, c, t, sizeof(t), 0, key, &ksign_c);
- if (ret)
- krb5_abortx(context, "hmac failed");
- ksign.key = &kb;
- kb.keyvalue = ksign_c.checksum;
- ret = hmac(context, c, data, len, 0, &ksign, result);
- if (ret)
- krb5_abortx(context, "hmac failed");
-}
-
-struct checksum_type checksum_none = {
- CKSUMTYPE_NONE,
- "none",
- 1,
- 0,
- 0,
- NONE_checksum,
- NULL
-};
-struct checksum_type checksum_crc32 = {
- CKSUMTYPE_CRC32,
- "crc32",
- 1,
- 4,
- 0,
- CRC32_checksum,
- NULL
-};
-struct checksum_type checksum_rsa_md4 = {
- CKSUMTYPE_RSA_MD4,
- "rsa-md4",
- 64,
- 16,
- F_CPROOF,
- RSA_MD4_checksum,
- NULL
-};
-struct checksum_type checksum_rsa_md4_des = {
- CKSUMTYPE_RSA_MD4_DES,
- "rsa-md4-des",
- 64,
- 24,
- F_KEYED | F_CPROOF | F_VARIANT,
- RSA_MD4_DES_checksum,
- RSA_MD4_DES_verify
-};
-#if 0
-struct checksum_type checksum_des_mac = {
- CKSUMTYPE_DES_MAC,
- "des-mac",
- 0,
- 0,
- 0,
- DES_MAC_checksum
-};
-struct checksum_type checksum_des_mac_k = {
- CKSUMTYPE_DES_MAC_K,
- "des-mac-k",
- 0,
- 0,
- 0,
- DES_MAC_K_checksum
-};
-struct checksum_type checksum_rsa_md4_des_k = {
- CKSUMTYPE_RSA_MD4_DES_K,
- "rsa-md4-des-k",
- 0,
- 0,
- 0,
- RSA_MD4_DES_K_checksum,
- RSA_MD4_DES_K_verify
-};
-#endif
-struct checksum_type checksum_rsa_md5 = {
- CKSUMTYPE_RSA_MD5,
- "rsa-md5",
- 64,
- 16,
- F_CPROOF,
- RSA_MD5_checksum,
- NULL
-};
-struct checksum_type checksum_rsa_md5_des = {
- CKSUMTYPE_RSA_MD5_DES,
- "rsa-md5-des",
- 64,
- 24,
- F_KEYED | F_CPROOF | F_VARIANT,
- RSA_MD5_DES_checksum,
- RSA_MD5_DES_verify
-};
-struct checksum_type checksum_rsa_md5_des3 = {
- CKSUMTYPE_RSA_MD5_DES3,
- "rsa-md5-des3",
- 64,
- 24,
- F_KEYED | F_CPROOF | F_VARIANT,
- RSA_MD5_DES3_checksum,
- RSA_MD5_DES3_verify
-};
-struct checksum_type checksum_sha1 = {
- CKSUMTYPE_SHA1,
- "sha1",
- 64,
- 20,
- F_CPROOF,
- SHA1_checksum,
- NULL
-};
-struct checksum_type checksum_hmac_sha1_des3 = {
- CKSUMTYPE_HMAC_SHA1_DES3,
- "hmac-sha1-des3",
- 64,
- 20,
- F_KEYED | F_CPROOF | F_DERIVED,
- SP_HMAC_SHA1_checksum,
- NULL
-};
-
-#ifdef ENABLE_AES
-struct checksum_type checksum_hmac_sha1_aes128 = {
- CKSUMTYPE_HMAC_SHA1_96_AES_128,
- "hmac-sha1-96-aes128",
- 64,
- 12,
- F_KEYED | F_CPROOF | F_DERIVED,
- SP_HMAC_SHA1_checksum,
- NULL
-};
-
-struct checksum_type checksum_hmac_sha1_aes256 = {
- CKSUMTYPE_HMAC_SHA1_96_AES_256,
- "hmac-sha1-96-aes256",
- 64,
- 12,
- F_KEYED | F_CPROOF | F_DERIVED,
- SP_HMAC_SHA1_checksum,
- NULL
-};
-#endif /* ENABLE_AES */
-
-struct checksum_type checksum_hmac_md5 = {
- CKSUMTYPE_HMAC_MD5,
- "hmac-md5",
- 64,
- 16,
- F_KEYED | F_CPROOF,
- HMAC_MD5_checksum,
- NULL
-};
-
-struct checksum_type checksum_hmac_md5_enc = {
- CKSUMTYPE_HMAC_MD5_ENC,
- "hmac-md5-enc",
- 64,
- 16,
- F_KEYED | F_CPROOF | F_PSEUDO,
- HMAC_MD5_checksum_enc,
- NULL
-};
-
-struct checksum_type *checksum_types[] = {
- &checksum_none,
- &checksum_crc32,
- &checksum_rsa_md4,
- &checksum_rsa_md4_des,
-#if 0
- &checksum_des_mac,
- &checksum_des_mac_k,
- &checksum_rsa_md4_des_k,
-#endif
- &checksum_rsa_md5,
- &checksum_rsa_md5_des,
- &checksum_rsa_md5_des3,
- &checksum_sha1,
- &checksum_hmac_sha1_des3,
-#ifdef ENABLE_AES
- &checksum_hmac_sha1_aes128,
- &checksum_hmac_sha1_aes256,
-#endif
- &checksum_hmac_md5,
- &checksum_hmac_md5_enc
-};
-
-static int num_checksums = sizeof(checksum_types) / sizeof(checksum_types[0]);
-
-static struct checksum_type *
-_find_checksum(krb5_cksumtype type)
-{
- int i;
- for(i = 0; i < num_checksums; i++)
- if(checksum_types[i]->type == type)
- return checksum_types[i];
- return NULL;
-}
-
-static krb5_error_code
-get_checksum_key(krb5_context context,
- krb5_crypto crypto,
- unsigned usage, /* not krb5_key_usage */
- struct checksum_type *ct,
- struct key_data **key)
-{
- krb5_error_code ret = 0;
-
- if(ct->flags & F_DERIVED)
- ret = _get_derived_key(context, crypto, usage, key);
- else if(ct->flags & F_VARIANT) {
- int i;
-
- *key = _new_derived_key(crypto, 0xff/* KRB5_KU_RFC1510_VARIANT */);
- if(*key == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
- ret = krb5_copy_keyblock(context, crypto->key.key, &(*key)->key);
- if(ret)
- return ret;
- for(i = 0; i < (*key)->key->keyvalue.length; i++)
- ((unsigned char*)(*key)->key->keyvalue.data)[i] ^= 0xF0;
- } else {
- *key = &crypto->key;
- }
- if(ret == 0)
- ret = _key_schedule(context, *key);
- return ret;
-}
-
-static krb5_error_code
-create_checksum (krb5_context context,
- struct checksum_type *ct,
- krb5_crypto crypto,
- unsigned usage,
- void *data,
- size_t len,
- Checksum *result)
-{
- krb5_error_code ret;
- struct key_data *dkey;
- int keyed_checksum;
-
- keyed_checksum = (ct->flags & F_KEYED) != 0;
- if(keyed_checksum && crypto == NULL) {
- krb5_clear_error_string (context);
- return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
- }
- if(keyed_checksum) {
- ret = get_checksum_key(context, crypto, usage, ct, &dkey);
- if (ret)
- return ret;
- } else
- dkey = NULL;
- result->cksumtype = ct->type;
- krb5_data_alloc(&result->checksum, ct->checksumsize);
- (*ct->checksum)(context, dkey, data, len, usage, result);
- return 0;
-}
-
-static int
-arcfour_checksum_p(struct checksum_type *ct, krb5_crypto crypto)
-{
- return (ct->type == CKSUMTYPE_HMAC_MD5) &&
- (crypto->key.key->keytype == KEYTYPE_ARCFOUR);
-}
-
-krb5_error_code
-krb5_create_checksum(krb5_context context,
- krb5_crypto crypto,
- krb5_key_usage usage,
- int type,
- void *data,
- size_t len,
- Checksum *result)
-{
- struct checksum_type *ct = NULL;
- unsigned keyusage;
-
- /* type 0 -> pick from crypto */
- if (type) {
- ct = _find_checksum(type);
- } else if (crypto) {
- ct = crypto->et->keyed_checksum;
- if (ct == NULL)
- ct = crypto->et->checksum;
- }
-
- if(ct == NULL) {
- krb5_set_error_string (context, "checksum type %d not supported",
- type);
- return KRB5_PROG_SUMTYPE_NOSUPP;
- }
-
- if (arcfour_checksum_p(ct, crypto)) {
- keyusage = usage;
- usage2arcfour(context, &keyusage);
- } else
- keyusage = CHECKSUM_USAGE(usage);
-
- return create_checksum(context, ct, crypto, keyusage,
- data, len, result);
-}
-
-static krb5_error_code
-verify_checksum(krb5_context context,
- krb5_crypto crypto,
- unsigned usage, /* not krb5_key_usage */
- void *data,
- size_t len,
- Checksum *cksum)
-{
- krb5_error_code ret;
- struct key_data *dkey;
- int keyed_checksum;
- Checksum c;
- struct checksum_type *ct;
-
- ct = _find_checksum(cksum->cksumtype);
- if (ct == NULL) {
- krb5_set_error_string (context, "checksum type %d not supported",
- cksum->cksumtype);
- return KRB5_PROG_SUMTYPE_NOSUPP;
- }
- if(ct->checksumsize != cksum->checksum.length) {
- krb5_clear_error_string (context);
- return KRB5KRB_AP_ERR_BAD_INTEGRITY; /* XXX */
- }
- keyed_checksum = (ct->flags & F_KEYED) != 0;
- if(keyed_checksum && crypto == NULL) {
- krb5_clear_error_string (context);
- return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
- }
- if(keyed_checksum)
- ret = get_checksum_key(context, crypto, usage, ct, &dkey);
- else
- dkey = NULL;
- if(ct->verify)
- return (*ct->verify)(context, dkey, data, len, usage, cksum);
-
- ret = krb5_data_alloc (&c.checksum, ct->checksumsize);
- if (ret)
- return ret;
-
- (*ct->checksum)(context, dkey, data, len, usage, &c);
-
- if(c.checksum.length != cksum->checksum.length ||
- memcmp(c.checksum.data, cksum->checksum.data, c.checksum.length)) {
- krb5_clear_error_string (context);
- ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
- } else {
- ret = 0;
- }
- krb5_data_free (&c.checksum);
- return ret;
-}
-
-krb5_error_code
-krb5_verify_checksum(krb5_context context,
- krb5_crypto crypto,
- krb5_key_usage usage,
- void *data,
- size_t len,
- Checksum *cksum)
-{
- struct checksum_type *ct;
- unsigned keyusage;
-
- ct = _find_checksum(cksum->cksumtype);
- if(ct == NULL) {
- krb5_set_error_string (context, "checksum type %d not supported",
- cksum->cksumtype);
- return KRB5_PROG_SUMTYPE_NOSUPP;
- }
-
- if (arcfour_checksum_p(ct, crypto)) {
- keyusage = usage;
- usage2arcfour(context, &keyusage);
- } else
- keyusage = CHECKSUM_USAGE(usage);
-
- return verify_checksum(context, crypto, keyusage,
- data, len, cksum);
-}
-
-krb5_error_code
-krb5_checksumsize(krb5_context context,
- krb5_cksumtype type,
- size_t *size)
-{
- struct checksum_type *ct = _find_checksum(type);
- if(ct == NULL) {
- krb5_set_error_string (context, "checksum type %d not supported",
- type);
- return KRB5_PROG_SUMTYPE_NOSUPP;
- }
- *size = ct->checksumsize;
- return 0;
-}
-
-krb5_boolean
-krb5_checksum_is_keyed(krb5_context context,
- krb5_cksumtype type)
-{
- struct checksum_type *ct = _find_checksum(type);
- if(ct == NULL) {
- krb5_set_error_string (context, "checksum type %d not supported",
- type);
- return KRB5_PROG_SUMTYPE_NOSUPP;
- }
- return ct->flags & F_KEYED;
-}
-
-krb5_boolean
-krb5_checksum_is_collision_proof(krb5_context context,
- krb5_cksumtype type)
-{
- struct checksum_type *ct = _find_checksum(type);
- if(ct == NULL) {
- krb5_set_error_string (context, "checksum type %d not supported",
- type);
- return KRB5_PROG_SUMTYPE_NOSUPP;
- }
- return ct->flags & F_CPROOF;
-}
-
-/************************************************************
- * *
- ************************************************************/
-
-static krb5_error_code
-NULL_encrypt(krb5_context context,
- struct key_data *key,
- void *data,
- size_t len,
- krb5_boolean encrypt,
- int usage,
- void *ivec)
-{
- return 0;
-}
-
-static krb5_error_code
-DES_CBC_encrypt_null_ivec(krb5_context context,
- struct key_data *key,
- void *data,
- size_t len,
- krb5_boolean encrypt,
- int usage,
- void *ignore_ivec)
-{
- des_cblock ivec;
- des_key_schedule *s = key->schedule->data;
- memset(&ivec, 0, sizeof(ivec));
- des_cbc_encrypt(data, data, len, *s, &ivec, encrypt);
- return 0;
-}
-
-static krb5_error_code
-DES_CBC_encrypt_key_ivec(krb5_context context,
- struct key_data *key,
- void *data,
- size_t len,
- krb5_boolean encrypt,
- int usage,
- void *ignore_ivec)
-{
- des_cblock ivec;
- des_key_schedule *s = key->schedule->data;
- memcpy(&ivec, key->key->keyvalue.data, sizeof(ivec));
- des_cbc_encrypt(data, data, len, *s, &ivec, encrypt);
- return 0;
-}
-
-static krb5_error_code
-DES3_CBC_encrypt(krb5_context context,
- struct key_data *key,
- void *data,
- size_t len,
- krb5_boolean encrypt,
- int usage,
- void *ivec)
-{
- des_cblock local_ivec;
- des_key_schedule *s = key->schedule->data;
- if(ivec == NULL) {
- ivec = &local_ivec;
- memset(local_ivec, 0, sizeof(local_ivec));
- }
- des_ede3_cbc_encrypt(data, data, len, s[0], s[1], s[2], ivec, encrypt);
- return 0;
-}
-
-static krb5_error_code
-DES_CFB64_encrypt_null_ivec(krb5_context context,
- struct key_data *key,
- void *data,
- size_t len,
- krb5_boolean encrypt,
- int usage,
- void *ignore_ivec)
-{
- des_cblock ivec;
- int num = 0;
- des_key_schedule *s = key->schedule->data;
- memset(&ivec, 0, sizeof(ivec));
-
- des_cfb64_encrypt(data, data, len, *s, &ivec, &num, encrypt);
- return 0;
-}
-
-static krb5_error_code
-DES_PCBC_encrypt_key_ivec(krb5_context context,
- struct key_data *key,
- void *data,
- size_t len,
- krb5_boolean encrypt,
- int usage,
- void *ignore_ivec)
-{
- des_cblock ivec;
- des_key_schedule *s = key->schedule->data;
- memcpy(&ivec, key->key->keyvalue.data, sizeof(ivec));
-
- des_pcbc_encrypt(data, data, len, *s, &ivec, encrypt);
- return 0;
-}
-
-#ifdef ENABLE_AES
-
-/*
- * AES draft-raeburn-krb-rijndael-krb-02
- */
-
-void
-_krb5_aes_cts_encrypt(const unsigned char *in, unsigned char *out,
- size_t len, const void *aes_key,
- unsigned char *ivec, const int enc)
-{
- unsigned char tmp[AES_BLOCK_SIZE];
- const AES_KEY *key = aes_key; /* XXX remove this when we always have AES */
- int i;
-
- /*
- * In the framework of kerberos, the length can never be shorter
- * then at least one blocksize.
- */
-
- if (enc == AES_ENCRYPT) {
-
- while(len > AES_BLOCK_SIZE) {
- for (i = 0; i < AES_BLOCK_SIZE; i++)
- tmp[i] = in[i] ^ ivec[i];
- AES_encrypt(tmp, out, key);
- memcpy(ivec, out, AES_BLOCK_SIZE);
- len -= AES_BLOCK_SIZE;
- in += AES_BLOCK_SIZE;
- out += AES_BLOCK_SIZE;
- }
-
- for (i = 0; i < len; i++)
- tmp[i] = in[i] ^ ivec[i];
- for (; i < AES_BLOCK_SIZE; i++)
- tmp[i] = 0 ^ ivec[i];
-
- AES_encrypt(tmp, out - AES_BLOCK_SIZE, key);
-
- memcpy(out, ivec, len);
-
- } else {
- char tmp2[AES_BLOCK_SIZE];
- char tmp3[AES_BLOCK_SIZE];
-
- while(len > AES_BLOCK_SIZE * 2) {
- memcpy(tmp, in, AES_BLOCK_SIZE);
- AES_decrypt(in, out, key);
- for (i = 0; i < AES_BLOCK_SIZE; i++)
- out[i] ^= ivec[i];
- memcpy(ivec, tmp, AES_BLOCK_SIZE);
- len -= AES_BLOCK_SIZE;
- in += AES_BLOCK_SIZE;
- out += AES_BLOCK_SIZE;
- }
-
- len -= AES_BLOCK_SIZE;
-
- AES_decrypt(in, tmp2, key);
-
- memcpy(tmp3, in + AES_BLOCK_SIZE, len);
- memcpy(tmp3 + len, tmp2 + len, AES_BLOCK_SIZE - len); /* xor 0 */
-
- for (i = 0; i < len; i++)
- out[i + AES_BLOCK_SIZE] = tmp2[i] ^ tmp3[i];
-
- AES_decrypt(tmp3, out, key);
- for (i = 0; i < AES_BLOCK_SIZE; i++)
- out[i] ^= ivec[i];
- }
-}
-
-static krb5_error_code
-AES_CTS_encrypt(krb5_context context,
- struct key_data *key,
- void *data,
- size_t len,
- krb5_boolean encrypt,
- int usage,
- void *ivec)
-{
- AES_KEY *k = key->schedule->data;
- char local_ivec[AES_BLOCK_SIZE];
-
- if (encrypt)
- k = &k[0];
- else
- k = &k[1];
-
- if (len < AES_BLOCK_SIZE)
- krb5_abortx(context, "invalid use of AES_CTS_encrypt");
- if (len == AES_BLOCK_SIZE) {
- if (encrypt)
- AES_encrypt(data, data, k);
- else
- AES_decrypt(data, data, k);
- } else {
- if(ivec == NULL) {
- memset(local_ivec, 0, sizeof(local_ivec));
- ivec = local_ivec;
- }
- _krb5_aes_cts_encrypt(data, data, len, k, ivec, encrypt);
- }
-
- return 0;
-}
-#endif /* ENABLE_AES */
-
-/*
- * section 6 of draft-brezak-win2k-krb-rc4-hmac-03
- *
- * warning: not for small children
- */
-
-static krb5_error_code
-ARCFOUR_subencrypt(krb5_context context,
- struct key_data *key,
- void *data,
- size_t len,
- int usage,
- void *ivec)
-{
- struct checksum_type *c = _find_checksum (CKSUMTYPE_RSA_MD5);
- Checksum k1_c, k2_c, k3_c, cksum;
- struct key_data ke;
- krb5_keyblock kb;
- unsigned char t[4];
- RC4_KEY rc4_key;
- unsigned char *cdata = data;
- unsigned char k1_c_data[16], k2_c_data[16], k3_c_data[16];
- krb5_error_code ret;
-
- t[0] = (usage >> 0) & 0xFF;
- t[1] = (usage >> 8) & 0xFF;
- t[2] = (usage >> 16) & 0xFF;
- t[3] = (usage >> 24) & 0xFF;
-
- k1_c.checksum.length = sizeof(k1_c_data);
- k1_c.checksum.data = k1_c_data;
-
- ret = hmac(NULL, c, t, sizeof(t), 0, key, &k1_c);
- if (ret)
- krb5_abortx(context, "hmac failed");
-
- memcpy (k2_c_data, k1_c_data, sizeof(k1_c_data));
-
- k2_c.checksum.length = sizeof(k2_c_data);
- k2_c.checksum.data = k2_c_data;
-
- ke.key = &kb;
- kb.keyvalue = k2_c.checksum;
-
- cksum.checksum.length = 16;
- cksum.checksum.data = data;
-
- ret = hmac(NULL, c, cdata + 16, len - 16, 0, &ke, &cksum);
- if (ret)
- krb5_abortx(context, "hmac failed");
-
- ke.key = &kb;
- kb.keyvalue = k1_c.checksum;
-
- k3_c.checksum.length = sizeof(k3_c_data);
- k3_c.checksum.data = k3_c_data;
-
- ret = hmac(NULL, c, data, 16, 0, &ke, &k3_c);
- if (ret)
- krb5_abortx(context, "hmac failed");
-
- RC4_set_key (&rc4_key, k3_c.checksum.length, k3_c.checksum.data);
- RC4 (&rc4_key, len - 16, cdata + 16, cdata + 16);
- memset (k1_c_data, 0, sizeof(k1_c_data));
- memset (k2_c_data, 0, sizeof(k2_c_data));
- memset (k3_c_data, 0, sizeof(k3_c_data));
- return 0;
-}
-
-static krb5_error_code
-ARCFOUR_subdecrypt(krb5_context context,
- struct key_data *key,
- void *data,
- size_t len,
- int usage,
- void *ivec)
-{
- struct checksum_type *c = _find_checksum (CKSUMTYPE_RSA_MD5);
- Checksum k1_c, k2_c, k3_c, cksum;
- struct key_data ke;
- krb5_keyblock kb;
- unsigned char t[4];
- RC4_KEY rc4_key;
- unsigned char *cdata = data;
- unsigned char k1_c_data[16], k2_c_data[16], k3_c_data[16];
- unsigned char cksum_data[16];
- krb5_error_code ret;
-
- t[0] = (usage >> 0) & 0xFF;
- t[1] = (usage >> 8) & 0xFF;
- t[2] = (usage >> 16) & 0xFF;
- t[3] = (usage >> 24) & 0xFF;
-
- k1_c.checksum.length = sizeof(k1_c_data);
- k1_c.checksum.data = k1_c_data;
-
- ret = hmac(NULL, c, t, sizeof(t), 0, key, &k1_c);
- if (ret)
- krb5_abortx(context, "hmac failed");
-
- memcpy (k2_c_data, k1_c_data, sizeof(k1_c_data));
-
- k2_c.checksum.length = sizeof(k2_c_data);
- k2_c.checksum.data = k2_c_data;
-
- ke.key = &kb;
- kb.keyvalue = k1_c.checksum;
-
- k3_c.checksum.length = sizeof(k3_c_data);
- k3_c.checksum.data = k3_c_data;
-
- ret = hmac(NULL, c, cdata, 16, 0, &ke, &k3_c);
- if (ret)
- krb5_abortx(context, "hmac failed");
-
- RC4_set_key (&rc4_key, k3_c.checksum.length, k3_c.checksum.data);
- RC4 (&rc4_key, len - 16, cdata + 16, cdata + 16);
-
- ke.key = &kb;
- kb.keyvalue = k2_c.checksum;
-
- cksum.checksum.length = 16;
- cksum.checksum.data = cksum_data;
-
- ret = hmac(NULL, c, cdata + 16, len - 16, 0, &ke, &cksum);
- if (ret)
- krb5_abortx(context, "hmac failed");
-
- memset (k1_c_data, 0, sizeof(k1_c_data));
- memset (k2_c_data, 0, sizeof(k2_c_data));
- memset (k3_c_data, 0, sizeof(k3_c_data));
-
- if (memcmp (cksum.checksum.data, data, 16) != 0) {
- krb5_clear_error_string (context);
- return KRB5KRB_AP_ERR_BAD_INTEGRITY;
- } else {
- return 0;
- }
-}
-
-/*
- * convert the usage numbers used in
- * draft-ietf-cat-kerb-key-derivation-00.txt to the ones in
- * draft-brezak-win2k-krb-rc4-hmac-04.txt
- */
-
-static krb5_error_code
-usage2arcfour (krb5_context context, int *usage)
-{
- switch (*usage) {
- case KRB5_KU_AS_REP_ENC_PART : /* 3 */
- case KRB5_KU_TGS_REP_ENC_PART_SUB_KEY : /* 9 */
- *usage = 8;
- return 0;
- case KRB5_KU_USAGE_SEAL : /* 22 */
- *usage = 13;
- return 0;
- case KRB5_KU_USAGE_SIGN : /* 23 */
- *usage = 15;
- return 0;
- case KRB5_KU_USAGE_SEQ: /* 24 */
- *usage = 0;
- return 0;
- default :
- return 0;
- }
-}
-
-static krb5_error_code
-ARCFOUR_encrypt(krb5_context context,
- struct key_data *key,
- void *data,
- size_t len,
- krb5_boolean encrypt,
- int usage,
- void *ivec)
-{
- krb5_error_code ret;
- if((ret = usage2arcfour (context, &usage)) != 0)
- return ret;
-
- if (encrypt)
- return ARCFOUR_subencrypt (context, key, data, len, usage, ivec);
- else
- return ARCFOUR_subdecrypt (context, key, data, len, usage, ivec);
-}
-
-
-/*
- * these should currently be in reverse preference order.
- * (only relevant for !F_PSEUDO) */
-
-static struct encryption_type enctype_null = {
- ETYPE_NULL,
- "null",
- 1,
- 1,
- 0,
- &keytype_null,
- &checksum_none,
- NULL,
- 0,
- NULL_encrypt,
-};
-static struct encryption_type enctype_des_cbc_crc = {
- ETYPE_DES_CBC_CRC,
- "des-cbc-crc",
- 8,
- 8,
- 8,
- &keytype_des,
- &checksum_crc32,
- NULL,
- 0,
- DES_CBC_encrypt_key_ivec,
-};
-static struct encryption_type enctype_des_cbc_md4 = {
- ETYPE_DES_CBC_MD4,
- "des-cbc-md4",
- 8,
- 8,
- 8,
- &keytype_des,
- &checksum_rsa_md4,
- &checksum_rsa_md4_des,
- 0,
- DES_CBC_encrypt_null_ivec,
-};
-static struct encryption_type enctype_des_cbc_md5 = {
- ETYPE_DES_CBC_MD5,
- "des-cbc-md5",
- 8,
- 8,
- 8,
- &keytype_des,
- &checksum_rsa_md5,
- &checksum_rsa_md5_des,
- 0,
- DES_CBC_encrypt_null_ivec,
-};
-static struct encryption_type enctype_arcfour_hmac_md5 = {
- ETYPE_ARCFOUR_HMAC_MD5,
- "arcfour-hmac-md5",
- 1,
- 1,
- 8,
- &keytype_arcfour,
- &checksum_hmac_md5,
- /* &checksum_hmac_md5_enc */ NULL,
- F_SPECIAL,
- ARCFOUR_encrypt
-};
-static struct encryption_type enctype_des3_cbc_md5 = {
- ETYPE_DES3_CBC_MD5,
- "des3-cbc-md5",
- 8,
- 8,
- 8,
- &keytype_des3,
- &checksum_rsa_md5,
- &checksum_rsa_md5_des3,
- 0,
- DES3_CBC_encrypt,
-};
-static struct encryption_type enctype_des3_cbc_sha1 = {
- ETYPE_DES3_CBC_SHA1,
- "des3-cbc-sha1",
- 8,
- 8,
- 8,
- &keytype_des3_derived,
- &checksum_sha1,
- &checksum_hmac_sha1_des3,
- F_DERIVED,
- DES3_CBC_encrypt,
-};
-static struct encryption_type enctype_old_des3_cbc_sha1 = {
- ETYPE_OLD_DES3_CBC_SHA1,
- "old-des3-cbc-sha1",
- 8,
- 8,
- 8,
- &keytype_des3,
- &checksum_sha1,
- &checksum_hmac_sha1_des3,
- 0,
- DES3_CBC_encrypt,
-};
-#ifdef ENABLE_AES
-static struct encryption_type enctype_aes128_cts_hmac_sha1 = {
- ETYPE_AES128_CTS_HMAC_SHA1_96,
- "aes128-cts-hmac-sha1-96",
- 16,
- 1,
- 16,
- &keytype_aes128,
- &checksum_sha1,
- &checksum_hmac_sha1_aes128,
- 0,
- AES_CTS_encrypt,
-};
-static struct encryption_type enctype_aes256_cts_hmac_sha1 = {
- ETYPE_AES256_CTS_HMAC_SHA1_96,
- "aes256-cts-hmac-sha1-96",
- 16,
- 1,
- 16,
- &keytype_aes256,
- &checksum_sha1,
- &checksum_hmac_sha1_aes256,
- 0,
- AES_CTS_encrypt,
-};
-#endif /* ENABLE_AES */
-static struct encryption_type enctype_des_cbc_none = {
- ETYPE_DES_CBC_NONE,
- "des-cbc-none",
- 8,
- 8,
- 0,
- &keytype_des,
- &checksum_none,
- NULL,
- F_PSEUDO,
- DES_CBC_encrypt_null_ivec,
-};
-static struct encryption_type enctype_des_cfb64_none = {
- ETYPE_DES_CFB64_NONE,
- "des-cfb64-none",
- 1,
- 1,
- 0,
- &keytype_des,
- &checksum_none,
- NULL,
- F_PSEUDO,
- DES_CFB64_encrypt_null_ivec,
-};
-static struct encryption_type enctype_des_pcbc_none = {
- ETYPE_DES_PCBC_NONE,
- "des-pcbc-none",
- 8,
- 8,
- 0,
- &keytype_des,
- &checksum_none,
- NULL,
- F_PSEUDO,
- DES_PCBC_encrypt_key_ivec,
-};
-static struct encryption_type enctype_des3_cbc_none = {
- ETYPE_DES3_CBC_NONE,
- "des3-cbc-none",
- 8,
- 8,
- 0,
- &keytype_des3_derived,
- &checksum_none,
- NULL,
- F_PSEUDO,
- DES3_CBC_encrypt,
-};
-
-static struct encryption_type *etypes[] = {
- &enctype_null,
- &enctype_des_cbc_crc,
- &enctype_des_cbc_md4,
- &enctype_des_cbc_md5,
- 
&enctype_arcfour_hmac_md5, - &enctype_des3_cbc_md5, - &enctype_des3_cbc_sha1, - &enctype_old_des3_cbc_sha1, -#ifdef ENABLE_AES - &enctype_aes128_cts_hmac_sha1, - &enctype_aes256_cts_hmac_sha1, -#endif - &enctype_des_cbc_none, - &enctype_des_cfb64_none, - &enctype_des_pcbc_none, - &enctype_des3_cbc_none -}; - -static unsigned num_etypes = sizeof(etypes) / sizeof(etypes[0]); - - -static struct encryption_type * -_find_enctype(krb5_enctype type) -{ - int i; - for(i = 0; i < num_etypes; i++) - if(etypes[i]->type == type) - return etypes[i]; - return NULL; -} - - -krb5_error_code -krb5_enctype_to_string(krb5_context context, - krb5_enctype etype, - char **string) -{ - struct encryption_type *e; - e = _find_enctype(etype); - if(e == NULL) { - krb5_set_error_string (context, "encryption type %d not supported", - etype); - return KRB5_PROG_ETYPE_NOSUPP; - } - *string = strdup(e->name); - if(*string == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - return 0; -} - -krb5_error_code -krb5_string_to_enctype(krb5_context context, - const char *string, - krb5_enctype *etype) -{ - int i; - for(i = 0; i < num_etypes; i++) - if(strcasecmp(etypes[i]->name, string) == 0){ - *etype = etypes[i]->type; - return 0; - } - krb5_set_error_string (context, "encryption type %s not supported", - string); - return KRB5_PROG_ETYPE_NOSUPP; -} - -krb5_error_code -krb5_enctype_to_keytype(krb5_context context, - krb5_enctype etype, - krb5_keytype *keytype) -{ - struct encryption_type *e = _find_enctype(etype); - if(e == NULL) { - krb5_set_error_string (context, "encryption type %d not supported", - etype); - return KRB5_PROG_ETYPE_NOSUPP; - } - *keytype = e->keytype->type; /* XXX */ - return 0; -} - -#if 0 -krb5_error_code -krb5_keytype_to_enctype(krb5_context context, - krb5_keytype keytype, - krb5_enctype *etype) -{ - struct key_type *kt = _find_keytype(keytype); - krb5_warnx(context, "krb5_keytype_to_enctype(%u)", keytype); - if(kt == NULL) - return 
KRB5_PROG_KEYTYPE_NOSUPP; - *etype = kt->best_etype; - return 0; -} -#endif - -krb5_error_code -krb5_keytype_to_enctypes (krb5_context context, - krb5_keytype keytype, - unsigned *len, - krb5_enctype **val) -{ - int i; - unsigned n = 0; - krb5_enctype *ret; - - for (i = num_etypes - 1; i >= 0; --i) { - if (etypes[i]->keytype->type == keytype - && !(etypes[i]->flags & F_PSEUDO)) - ++n; - } - ret = malloc(n * sizeof(*ret)); - if (ret == NULL && n != 0) { - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - n = 0; - for (i = num_etypes - 1; i >= 0; --i) { - if (etypes[i]->keytype->type == keytype - && !(etypes[i]->flags & F_PSEUDO)) - ret[n++] = etypes[i]->type; - } - *len = n; - *val = ret; - return 0; -} - -/* - * First take the configured list of etypes for `keytype' if available, - * else, do `krb5_keytype_to_enctypes'. - */ - -krb5_error_code -krb5_keytype_to_enctypes_default (krb5_context context, - krb5_keytype keytype, - unsigned *len, - krb5_enctype **val) -{ - int i, n; - krb5_enctype *ret; - - if (keytype != KEYTYPE_DES || context->etypes_des == NULL) - return krb5_keytype_to_enctypes (context, keytype, len, val); - - for (n = 0; context->etypes_des[n]; ++n) - ; - ret = malloc (n * sizeof(*ret)); - if (ret == NULL && n != 0) { - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - for (i = 0; i < n; ++i) - ret[i] = context->etypes_des[i]; - *len = n; - *val = ret; - return 0; -} - -krb5_error_code -krb5_enctype_valid(krb5_context context, - krb5_enctype etype) -{ - return _find_enctype(etype) != NULL; -} - -/* if two enctypes have compatible keys */ -krb5_boolean -krb5_enctypes_compatible_keys(krb5_context context, - krb5_enctype etype1, - krb5_enctype etype2) -{ - struct encryption_type *e1 = _find_enctype(etype1); - struct encryption_type *e2 = _find_enctype(etype2); - return e1 != NULL && e2 != NULL && e1->keytype == e2->keytype; -} - -static krb5_boolean -derived_crypto(krb5_context context, - 
krb5_crypto crypto) -{ - return (crypto->et->flags & F_DERIVED) != 0; -} - -static krb5_boolean -special_crypto(krb5_context context, - krb5_crypto crypto) -{ - return (crypto->et->flags & F_SPECIAL) != 0; -} - -#define CHECKSUMSIZE(C) ((C)->checksumsize) -#define CHECKSUMTYPE(C) ((C)->type) - -static krb5_error_code -encrypt_internal_derived(krb5_context context, - krb5_crypto crypto, - unsigned usage, - void *data, - size_t len, - krb5_data *result, - void *ivec) -{ - size_t sz, block_sz, checksum_sz, total_sz; - Checksum cksum; - unsigned char *p, *q; - krb5_error_code ret; - struct key_data *dkey; - const struct encryption_type *et = crypto->et; - - checksum_sz = CHECKSUMSIZE(et->keyed_checksum); - - sz = et->confoundersize + len; - block_sz = (sz + et->padsize - 1) &~ (et->padsize - 1); /* pad */ - total_sz = block_sz + checksum_sz; - p = calloc(1, total_sz); - if(p == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - - q = p; - krb5_generate_random_block(q, et->confoundersize); /* XXX */ - q += et->confoundersize; - memcpy(q, data, len); - - ret = create_checksum(context, - et->keyed_checksum, - crypto, - INTEGRITY_USAGE(usage), - p, - block_sz, - &cksum); - if(ret == 0 && cksum.checksum.length != checksum_sz) { - free_Checksum (&cksum); - krb5_clear_error_string (context); - ret = KRB5_CRYPTO_INTERNAL; - } - if(ret) - goto fail; - memcpy(p + block_sz, cksum.checksum.data, cksum.checksum.length); - free_Checksum (&cksum); - ret = _get_derived_key(context, crypto, ENCRYPTION_USAGE(usage), &dkey); - if(ret) - goto fail; - ret = _key_schedule(context, dkey); - if(ret) - goto fail; -#ifdef CRYPTO_DEBUG - krb5_crypto_debug(context, 1, block_sz, dkey->key); -#endif - ret = (*et->encrypt)(context, dkey, p, block_sz, 1, usage, ivec); - if (ret) - goto fail; - result->data = p; - result->length = total_sz; - return 0; - fail: - memset(p, 0, total_sz); - free(p); - return ret; -} - - -static krb5_error_code 
-encrypt_internal(krb5_context context, - krb5_crypto crypto, - void *data, - size_t len, - krb5_data *result, - void *ivec) -{ - size_t sz, block_sz, checksum_sz; - Checksum cksum; - unsigned char *p, *q; - krb5_error_code ret; - const struct encryption_type *et = crypto->et; - - checksum_sz = CHECKSUMSIZE(et->checksum); - - sz = et->confoundersize + checksum_sz + len; - block_sz = (sz + et->padsize - 1) &~ (et->padsize - 1); /* pad */ - p = calloc(1, block_sz); - if(p == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - - q = p; - krb5_generate_random_block(q, et->confoundersize); /* XXX */ - q += et->confoundersize; - memset(q, 0, checksum_sz); - q += checksum_sz; - memcpy(q, data, len); - - ret = create_checksum(context, - et->checksum, - crypto, - 0, - p, - block_sz, - &cksum); - if(ret == 0 && cksum.checksum.length != checksum_sz) { - krb5_clear_error_string (context); - free_Checksum(&cksum); - ret = KRB5_CRYPTO_INTERNAL; - } - if(ret) - goto fail; - memcpy(p + et->confoundersize, cksum.checksum.data, cksum.checksum.length); - free_Checksum(&cksum); - ret = _key_schedule(context, &crypto->key); - if(ret) - goto fail; -#ifdef CRYPTO_DEBUG - krb5_crypto_debug(context, 1, block_sz, crypto->key.key); -#endif - ret = (*et->encrypt)(context, &crypto->key, p, block_sz, 1, 0, ivec); - if (ret) { - memset(p, 0, block_sz); - free(p); - return ret; - } - result->data = p; - result->length = block_sz; - return 0; - fail: - memset(p, 0, block_sz); - free(p); - return ret; -} - -static krb5_error_code -encrypt_internal_special(krb5_context context, - krb5_crypto crypto, - int usage, - void *data, - size_t len, - krb5_data *result, - void *ivec) -{ - struct encryption_type *et = crypto->et; - size_t cksum_sz = CHECKSUMSIZE(et->checksum); - size_t sz = len + cksum_sz + et->confoundersize; - char *tmp, *p; - krb5_error_code ret; - - tmp = malloc (sz); - if (tmp == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - 
return ENOMEM; - } - p = tmp; - memset (p, 0, cksum_sz); - p += cksum_sz; - krb5_generate_random_block(p, et->confoundersize); - p += et->confoundersize; - memcpy (p, data, len); - ret = (*et->encrypt)(context, &crypto->key, tmp, sz, TRUE, usage, ivec); - if (ret) { - memset(tmp, 0, sz); - free(tmp); - return ret; - } - result->data = tmp; - result->length = sz; - return 0; -} - -static krb5_error_code -decrypt_internal_derived(krb5_context context, - krb5_crypto crypto, - unsigned usage, - void *data, - size_t len, - krb5_data *result, - void *ivec) -{ - size_t checksum_sz; - Checksum cksum; - unsigned char *p; - krb5_error_code ret; - struct key_data *dkey; - struct encryption_type *et = crypto->et; - unsigned long l; - - checksum_sz = CHECKSUMSIZE(et->keyed_checksum); - if (len < checksum_sz) { - krb5_clear_error_string (context); - return EINVAL; /* XXX - better error code? */ - } - - if (((len - checksum_sz) % et->padsize) != 0) { - krb5_clear_error_string(context); - return KRB5_BAD_MSIZE; - } - - p = malloc(len); - if(len != 0 && p == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - memcpy(p, data, len); - - len -= checksum_sz; - - ret = _get_derived_key(context, crypto, ENCRYPTION_USAGE(usage), &dkey); - if(ret) { - free(p); - return ret; - } - ret = _key_schedule(context, dkey); - if(ret) { - free(p); - return ret; - } -#ifdef CRYPTO_DEBUG - krb5_crypto_debug(context, 0, len, dkey->key); -#endif - ret = (*et->encrypt)(context, dkey, p, len, 0, usage, ivec); - if (ret) { - free(p); - return ret; - } - - cksum.checksum.data = p + len; - cksum.checksum.length = checksum_sz; - cksum.cksumtype = CHECKSUMTYPE(et->keyed_checksum); - - ret = verify_checksum(context, - crypto, - INTEGRITY_USAGE(usage), - p, - len, - &cksum); - if(ret) { - free(p); - return ret; - } - l = len - et->confoundersize; - memmove(p, p + et->confoundersize, l); - result->data = realloc(p, l); - if(result->data == NULL) { - free(p); - 
krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - result->length = l; - return 0; -} - -static krb5_error_code -decrypt_internal(krb5_context context, - krb5_crypto crypto, - void *data, - size_t len, - krb5_data *result, - void *ivec) -{ - krb5_error_code ret; - unsigned char *p; - Checksum cksum; - size_t checksum_sz, l; - struct encryption_type *et = crypto->et; - - if ((len % et->padsize) != 0) { - krb5_clear_error_string(context); - return KRB5_BAD_MSIZE; - } - - checksum_sz = CHECKSUMSIZE(et->checksum); - p = malloc(len); - if(len != 0 && p == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - memcpy(p, data, len); - - ret = _key_schedule(context, &crypto->key); - if(ret) { - free(p); - return ret; - } -#ifdef CRYPTO_DEBUG - krb5_crypto_debug(context, 0, len, crypto->key.key); -#endif - ret = (*et->encrypt)(context, &crypto->key, p, len, 0, 0, ivec); - if (ret) { - free(p); - return ret; - } - ret = krb5_data_copy(&cksum.checksum, p + et->confoundersize, checksum_sz); - if(ret) { - free(p); - return ret; - } - memset(p + et->confoundersize, 0, checksum_sz); - cksum.cksumtype = CHECKSUMTYPE(et->checksum); - ret = verify_checksum(context, NULL, 0, p, len, &cksum); - free_Checksum(&cksum); - if(ret) { - free(p); - return ret; - } - l = len - et->confoundersize - checksum_sz; - memmove(p, p + et->confoundersize + checksum_sz, l); - result->data = realloc(p, l); - if(result->data == NULL) { - free(p); - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - result->length = l; - return 0; -} - -static krb5_error_code -decrypt_internal_special(krb5_context context, - krb5_crypto crypto, - int usage, - void *data, - size_t len, - krb5_data *result, - void *ivec) -{ - struct encryption_type *et = crypto->et; - size_t cksum_sz = CHECKSUMSIZE(et->checksum); - size_t sz = len - cksum_sz - et->confoundersize; - unsigned char *p; - krb5_error_code ret; - - if ((len % et->padsize) 
!= 0) { - krb5_clear_error_string(context); - return KRB5_BAD_MSIZE; - } - - p = malloc (len); - if (p == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - memcpy(p, data, len); - - ret = (*et->encrypt)(context, &crypto->key, p, len, FALSE, usage, ivec); - if (ret) { - free(p); - return ret; - } - - memmove (p, p + cksum_sz + et->confoundersize, sz); - result->data = realloc(p, sz); - if(result->data == NULL) { - free(p); - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - result->length = sz; - return 0; -} - - -krb5_error_code -krb5_encrypt_ivec(krb5_context context, - krb5_crypto crypto, - unsigned usage, - void *data, - size_t len, - krb5_data *result, - void *ivec) -{ - if(derived_crypto(context, crypto)) - return encrypt_internal_derived(context, crypto, usage, - data, len, result, ivec); - else if (special_crypto(context, crypto)) - return encrypt_internal_special (context, crypto, usage, - data, len, result, ivec); - else - return encrypt_internal(context, crypto, data, len, result, ivec); -} - -krb5_error_code -krb5_encrypt(krb5_context context, - krb5_crypto crypto, - unsigned usage, - void *data, - size_t len, - krb5_data *result) -{ - return krb5_encrypt_ivec(context, crypto, usage, data, len, result, NULL); -} - -krb5_error_code -krb5_encrypt_EncryptedData(krb5_context context, - krb5_crypto crypto, - unsigned usage, - void *data, - size_t len, - int kvno, - EncryptedData *result) -{ - result->etype = CRYPTO_ETYPE(crypto); - if(kvno){ - ALLOC(result->kvno, 1); - *result->kvno = kvno; - }else - result->kvno = NULL; - return krb5_encrypt(context, crypto, usage, data, len, &result->cipher); -} - -krb5_error_code -krb5_decrypt_ivec(krb5_context context, - krb5_crypto crypto, - unsigned usage, - void *data, - size_t len, - krb5_data *result, - void *ivec) -{ - if(derived_crypto(context, crypto)) - return decrypt_internal_derived(context, crypto, usage, - data, len, result, ivec); - else 
if (special_crypto (context, crypto)) - return decrypt_internal_special(context, crypto, usage, - data, len, result, ivec); - else - return decrypt_internal(context, crypto, data, len, result, ivec); -} - -krb5_error_code -krb5_decrypt(krb5_context context, - krb5_crypto crypto, - unsigned usage, - void *data, - size_t len, - krb5_data *result) -{ - return krb5_decrypt_ivec (context, crypto, usage, data, len, result, - NULL); -} - -krb5_error_code -krb5_decrypt_EncryptedData(krb5_context context, - krb5_crypto crypto, - unsigned usage, - const EncryptedData *e, - krb5_data *result) -{ - return krb5_decrypt(context, crypto, usage, - e->cipher.data, e->cipher.length, result); -} - -/************************************************************ - * * - ************************************************************/ - -#ifdef HAVE_OPENSSL -#include - -/* From openssl/crypto/rand/rand_lcl.h */ -#define ENTROPY_NEEDED 20 -static int -seed_something(void) -{ - int fd = -1; - char buf[1024], seedfile[256]; - - /* If there is a seed file, load it. But such a file cannot be trusted, - so use 0 for the entropy estimate */ - if (RAND_file_name(seedfile, sizeof(seedfile))) { - fd = open(seedfile, O_RDONLY); - if (fd >= 0) { - read(fd, buf, sizeof(buf)); - /* Use the full buffer anyway */ - RAND_add(buf, sizeof(buf), 0.0); - } else - seedfile[0] = '\0'; - } else - seedfile[0] = '\0'; - - /* Calling RAND_status() will try to use /dev/urandom if it exists so - we do not have to deal with it. 
*/ - if (RAND_status() != 1) { - krb5_context context; - const char *p; - - /* Try using egd */ - if (!krb5_init_context(&context)) { - p = krb5_config_get_string(context, NULL, "libdefaults", - "egd_socket", NULL); - if (p != NULL) - RAND_egd_bytes(p, ENTROPY_NEEDED); - krb5_free_context(context); - } - } - - if (RAND_status() == 1) { - /* Update the seed file */ - if (seedfile[0]) - RAND_write_file(seedfile); - - return 0; - } else - return -1; -} - -void -krb5_generate_random_block(void *buf, size_t len) -{ - static int rng_initialized = 0; - - if (!rng_initialized) { - if (seed_something()) - krb5_abortx(NULL, "Fatal: could not seed the random number generator"); - - rng_initialized = 1; - } - RAND_bytes(buf, len); -} - -#else - -void -krb5_generate_random_block(void *buf, size_t len) -{ - des_cblock key, out; - static des_cblock counter; - static des_key_schedule schedule; - int i; - static int initialized = 0; - - if(!initialized) { - des_new_random_key(&key); - des_set_key(&key, schedule); - memset(&key, 0, sizeof(key)); - des_new_random_key(&counter); - } - while(len > 0) { - des_ecb_encrypt(&counter, &out, schedule, DES_ENCRYPT); - for(i = 7; i >=0; i--) - if(counter[i]++) - break; - memcpy(buf, out, min(len, sizeof(out))); - len -= min(len, sizeof(out)); - buf = (char*)buf + sizeof(out); - } -} -#endif - -static void -DES3_postproc(krb5_context context, - unsigned char *k, size_t len, struct key_data *key) -{ - unsigned char x[24]; - int i, j; - - memset(x, 0, sizeof(x)); - for (i = 0; i < 3; ++i) { - unsigned char foo; - - for (j = 0; j < 7; ++j) { - unsigned char b = k[7 * i + j]; - - x[8 * i + j] = b; - } - foo = 0; - for (j = 6; j >= 0; --j) { - foo |= k[7 * i + j] & 1; - foo <<= 1; - } - x[8 * i + 7] = foo; - } - k = key->key->keyvalue.data; - memcpy(k, x, 24); - memset(x, 0, sizeof(x)); - if (key->schedule) { - krb5_free_data(context, key->schedule); - key->schedule = NULL; - } - des_set_odd_parity((des_cblock*)k); - 
des_set_odd_parity((des_cblock*)(k + 8)); - des_set_odd_parity((des_cblock*)(k + 16)); -} - -static krb5_error_code -derive_key(krb5_context context, - struct encryption_type *et, - struct key_data *key, - const void *constant, - size_t len) -{ - unsigned char *k; - unsigned int nblocks = 0, i; - krb5_error_code ret = 0; - - struct key_type *kt = et->keytype; - ret = _key_schedule(context, key); - if(ret) - return ret; - if(et->blocksize * 8 < kt->bits || - len != et->blocksize) { - nblocks = (kt->bits + et->blocksize * 8 - 1) / (et->blocksize * 8); - k = malloc(nblocks * et->blocksize); - if(k == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - _krb5_n_fold(constant, len, k, et->blocksize); - for(i = 0; i < nblocks; i++) { - if(i > 0) - memcpy(k + i * et->blocksize, - k + (i - 1) * et->blocksize, - et->blocksize); - (*et->encrypt)(context, key, k + i * et->blocksize, et->blocksize, - 1, 0, NULL); - } - } else { - /* this case is probably broken, but won't be run anyway */ - void *c = malloc(len); - size_t res_len = (kt->bits + 7) / 8; - - if(len != 0 && c == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - memcpy(c, constant, len); - (*et->encrypt)(context, key, c, len, 1, 0, NULL); - k = malloc(res_len); - if(res_len != 0 && k == NULL) { - free(c); - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - _krb5_n_fold(c, len, k, res_len); - free(c); - } - - /* XXX keytype dependent post-processing */ - switch(kt->type) { - case KEYTYPE_DES3: - DES3_postproc(context, k, nblocks * et->blocksize, key); - break; -#ifdef ENABLE_AES - case KEYTYPE_AES128: - case KEYTYPE_AES256: - memcpy(key->key->keyvalue.data, k, key->key->keyvalue.length); - break; -#endif /* ENABLE_AES */ - default: - krb5_set_error_string(context, - "derive_key() called with unknown keytype (%u)", - kt->type); - ret = KRB5_CRYPTO_INTERNAL; - break; - } - memset(k, 0, nblocks * et->blocksize); - 
free(k); - return ret; -} - -static struct key_data * -_new_derived_key(krb5_crypto crypto, unsigned usage) -{ - struct key_usage *d = crypto->key_usage; - d = realloc(d, (crypto->num_key_usage + 1) * sizeof(*d)); - if(d == NULL) - return NULL; - crypto->key_usage = d; - d += crypto->num_key_usage++; - memset(d, 0, sizeof(*d)); - d->usage = usage; - return &d->key; -} - -krb5_error_code -krb5_derive_key(krb5_context context, - const krb5_keyblock *key, - krb5_enctype etype, - const void *constant, - size_t constant_len, - krb5_keyblock **derived_key) -{ - krb5_error_code ret; - struct encryption_type *et; - struct key_data d; - - et = _find_enctype (etype); - if (et == NULL) { - krb5_set_error_string(context, "encryption type %d not supported", - etype); - return KRB5_PROG_ETYPE_NOSUPP; - } - - ret = krb5_copy_keyblock(context, key, derived_key); - if (ret) - return ret; - - d.key = *derived_key; - d.schedule = NULL; - ret = derive_key(context, et, &d, constant, constant_len); - if (ret) - return ret; - ret = krb5_copy_keyblock(context, d.key, derived_key); - return ret; -} - -static krb5_error_code -_get_derived_key(krb5_context context, - krb5_crypto crypto, - unsigned usage, - struct key_data **key) -{ - int i; - struct key_data *d; - unsigned char constant[5]; - - for(i = 0; i < crypto->num_key_usage; i++) - if(crypto->key_usage[i].usage == usage) { - *key = &crypto->key_usage[i].key; - return 0; - } - d = _new_derived_key(crypto, usage); - if(d == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - krb5_copy_keyblock(context, crypto->key.key, &d->key); - _krb5_put_int(constant, usage, 5); - derive_key(context, crypto->et, d, constant, sizeof(constant)); - *key = d; - return 0; -} - - -krb5_error_code -krb5_crypto_init(krb5_context context, - const krb5_keyblock *key, - krb5_enctype etype, - krb5_crypto *crypto) -{ - krb5_error_code ret; - ALLOC(*crypto, 1); - if(*crypto == NULL) { - krb5_set_error_string(context, "malloc: 
out of memory"); - return ENOMEM; - } - if(etype == ETYPE_NULL) - etype = key->keytype; - (*crypto)->et = _find_enctype(etype); - if((*crypto)->et == NULL) { - free(*crypto); - krb5_set_error_string (context, "encryption type %d not supported", - etype); - return KRB5_PROG_ETYPE_NOSUPP; - } - if((*crypto)->et->keytype->size != key->keyvalue.length) { - free(*crypto); - krb5_set_error_string (context, "encryption key has bad length"); - return KRB5_BAD_KEYSIZE; - } - ret = krb5_copy_keyblock(context, key, &(*crypto)->key.key); - if(ret) { - free(*crypto); - return ret; - } - (*crypto)->key.schedule = NULL; - (*crypto)->num_key_usage = 0; - (*crypto)->key_usage = NULL; - return 0; -} - -static void -free_key_data(krb5_context context, struct key_data *key) -{ - krb5_free_keyblock(context, key->key); - if(key->schedule) { - memset(key->schedule->data, 0, key->schedule->length); - krb5_free_data(context, key->schedule); - } -} - -static void -free_key_usage(krb5_context context, struct key_usage *ku) -{ - free_key_data(context, &ku->key); -} - -krb5_error_code -krb5_crypto_destroy(krb5_context context, - krb5_crypto crypto) -{ - int i; - - for(i = 0; i < crypto->num_key_usage; i++) - free_key_usage(context, &crypto->key_usage[i]); - free(crypto->key_usage); - free_key_data(context, &crypto->key); - free (crypto); - return 0; -} - -krb5_error_code -krb5_crypto_getblocksize(krb5_context context, - krb5_crypto crypto, - size_t *blocksize) -{ - *blocksize = crypto->et->blocksize; - return 0; -} - -krb5_error_code -krb5_string_to_key_derived(krb5_context context, - const void *str, - size_t len, - krb5_enctype etype, - krb5_keyblock *key) -{ - struct encryption_type *et = _find_enctype(etype); - krb5_error_code ret; - struct key_data kd; - size_t keylen = et->keytype->bits / 8; - u_char *tmp; - - if(et == NULL) { - krb5_set_error_string (context, "encryption type %d not supported", - etype); - return KRB5_PROG_ETYPE_NOSUPP; - } - ALLOC(kd.key, 1); - if(kd.key == NULL) { - 
krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - ret = krb5_data_alloc(&kd.key->keyvalue, et->keytype->size); - if(ret) { - free(kd.key); - return ret; - } - kd.key->keytype = etype; - tmp = malloc (keylen); - if(tmp == NULL) { - krb5_free_keyblock(context, kd.key); - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - _krb5_n_fold(str, len, tmp, keylen); - kd.schedule = NULL; - DES3_postproc (context, tmp, keylen, &kd); /* XXX */ - memset(tmp, 0, keylen); - free(tmp); - ret = derive_key(context, - et, - &kd, - "kerberos", /* XXX well known constant */ - strlen("kerberos")); - ret = krb5_copy_keyblock_contents(context, kd.key, key); - free_key_data(context, &kd); - return ret; -} - -static size_t -wrapped_length (krb5_context context, - krb5_crypto crypto, - size_t data_len) -{ - struct encryption_type *et = crypto->et; - size_t padsize = et->padsize; - size_t res; - - res = et->confoundersize + et->checksum->checksumsize + data_len; - res = (res + padsize - 1) / padsize * padsize; - return res; -} - -static size_t -wrapped_length_dervied (krb5_context context, - krb5_crypto crypto, - size_t data_len) -{ - struct encryption_type *et = crypto->et; - size_t padsize = et->padsize; - size_t res; - - res = et->confoundersize + data_len; - res = (res + padsize - 1) / padsize * padsize; - res += et->checksum->checksumsize; - return res; -} - -/* - * Return the size of an encrypted packet of length `data_len' - */ - -size_t -krb5_get_wrapped_length (krb5_context context, - krb5_crypto crypto, - size_t data_len) -{ - if (derived_crypto (context, crypto)) - return wrapped_length_dervied (context, crypto, data_len); - else - return wrapped_length (context, crypto, data_len); -} - -#ifdef CRYPTO_DEBUG - -static krb5_error_code -krb5_get_keyid(krb5_context context, - krb5_keyblock *key, - u_int32_t *keyid) -{ - MD5_CTX md5; - unsigned char tmp[16]; - - MD5_Init (&md5); - MD5_Update (&md5, key->keyvalue.data, 
key->keyvalue.length); - MD5_Final (tmp, &md5); - *keyid = (tmp[12] << 24) | (tmp[13] << 16) | (tmp[14] << 8) | tmp[15]; - return 0; -} - -static void -krb5_crypto_debug(krb5_context context, - int encrypt, - size_t len, - krb5_keyblock *key) -{ - u_int32_t keyid; - char *kt; - krb5_get_keyid(context, key, &keyid); - krb5_enctype_to_string(context, key->keytype, &kt); - krb5_warnx(context, "%s %lu bytes with key-id %#x (%s)", - encrypt ? "encrypting" : "decrypting", - (unsigned long)len, - keyid, - kt); - free(kt); -} - -#endif /* CRYPTO_DEBUG */ - -#if 0 -int -main() -{ -#if 0 - int i; - krb5_context context; - krb5_crypto crypto; - struct key_data *d; - krb5_keyblock key; - char constant[4]; - unsigned usage = ENCRYPTION_USAGE(3); - krb5_error_code ret; - - ret = krb5_init_context(&context); - if (ret) - errx (1, "krb5_init_context failed: %d", ret); - - key.keytype = ETYPE_NEW_DES3_CBC_SHA1; - key.keyvalue.data = "\xb3\x85\x58\x94\xd9\xdc\x7c\xc8" - "\x25\xe9\x85\xab\x3e\xb5\xfb\x0e" - "\xc8\xdf\xab\x26\x86\x64\x15\x25"; - key.keyvalue.length = 24; - - krb5_crypto_init(context, &key, 0, &crypto); - - d = _new_derived_key(crypto, usage); - if(d == NULL) - return ENOMEM; - krb5_copy_keyblock(context, crypto->key.key, &d->key); - _krb5_put_int(constant, usage, 4); - derive_key(context, crypto->et, d, constant, sizeof(constant)); - return 0; -#else - int i; - krb5_context context; - krb5_crypto crypto; - struct key_data *d; - krb5_keyblock key; - krb5_error_code ret; - Checksum res; - - char *data = "what do ya want for nothing?"; - - ret = krb5_init_context(&context); - if (ret) - errx (1, "krb5_init_context failed: %d", ret); - - key.keytype = ETYPE_NEW_DES3_CBC_SHA1; - key.keyvalue.data = "Jefe"; - /* "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" - "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"; */ - key.keyvalue.length = 4; - - d = calloc(1, sizeof(*d)); - - d->key = &key; - res.checksum.length = 20; - res.checksum.data = malloc(res.checksum.length); - 
SP_HMAC_SHA1_checksum(context, d, data, 28, &res);
-
- return 0;
-#endif
-}
-#endif
diff --git a/crypto/heimdal-0.6.3/lib/krb5/data.c b/crypto/heimdal-0.6.3/lib/krb5/data.c
deleted file mode 100644
index d2bfeb2090..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/data.c
+++ /dev/null
@@ -1,119 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-
-RCSID("$Id: data.c,v 1.17 2003/03/25 22:07:17 lha Exp $");
-
-void
-krb5_data_zero(krb5_data *p)
-{
- p->length = 0;
- p->data = NULL;
-}
-
-void
-krb5_data_free(krb5_data *p)
-{
- if(p->data != NULL)
- free(p->data);
- p->length = 0;
-}
-
-void
-krb5_free_data_contents(krb5_context context, krb5_data *data)
-{
- krb5_data_free(data);
-}
-
-void
-krb5_free_data(krb5_context context,
- krb5_data *p)
-{
- krb5_data_free(p);
- free(p);
-}
-
-krb5_error_code
-krb5_data_alloc(krb5_data *p, int len)
-{
- p->data = malloc(len);
- if(len && p->data == NULL)
- return ENOMEM;
- p->length = len;
- return 0;
-}
-
-krb5_error_code
-krb5_data_realloc(krb5_data *p, int len)
-{
- void *tmp;
- tmp = realloc(p->data, len);
- if(len && !tmp)
- return ENOMEM;
- p->data = tmp;
- p->length = len;
- return 0;
-}
-
-krb5_error_code
-krb5_data_copy(krb5_data *p, const void *data, size_t len)
-{
- if (len) {
- if(krb5_data_alloc(p, len))
- return ENOMEM;
- memmove(p->data, data, len);
- } else
- p->data = NULL;
- p->length = len;
- return 0;
-}
-
-krb5_error_code
-krb5_copy_data(krb5_context context,
- const krb5_data *indata,
- krb5_data **outdata)
-{
- krb5_error_code ret;
- ALLOC(*outdata, 1);
- if(*outdata == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
- ret = copy_octet_string(indata, *outdata);
- if(ret) {
- krb5_clear_error_string (context);
- free(*outdata);
- }
- return ret;
-}
diff --git a/crypto/heimdal-0.6.3/lib/krb5/derived-key-test.c b/crypto/heimdal-0.6.3/lib/krb5/derived-key-test.c
deleted file mode 100644
index 0a47dd3f25..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/derived-key-test.c
+++ /dev/null
@@ -1,119 +0,0 @@
-/*
- * Copyright (c) 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of KTH nor the names of its contributors may be
- * used to endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
- * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
- * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
- * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
-
-#include "krb5_locl.h"
-
-RCSID("$Id: derived-key-test.c,v 1.1 2001/03/12 07:44:52 assar Exp $");
-
-enum { MAXSIZE = 24 };
-
-static struct testcase {
- krb5_enctype enctype;
- unsigned char constant[MAXSIZE];
- size_t constant_len;
- unsigned char key[MAXSIZE];
- unsigned char res[MAXSIZE];
-} tests[] = {
- {ETYPE_DES3_CBC_SHA1, {0x00, 0x00, 0x00, 0x01, 0x55}, 5,
- {0xdc, 0xe0, 0x6b, 0x1f, 0x64, 0xc8, 0x57, 0xa1, 0x1c, 0x3d, 0xb5, 0x7c, 0x51, 0x89, 0x9b, 0x2c, 0xc1, 0x79, 0x10, 0x08, 0xce, 0x97, 0x3b, 0x92},
- {0x92, 0x51, 0x79, 0xd0, 0x45, 0x91, 0xa7, 0x9b, 0x5d, 0x31, 0x92, 0xc4, 0xa7, 0xe9, 0xc2, 0x89, 0xb0, 0x49, 0xc7, 0x1f, 0x6e, 0xe6, 0x04, 0xcd}},
- {ETYPE_DES3_CBC_SHA1, {0x00, 0x00, 0x00, 0x01, 0xaa}, 5,
- {0x5e, 0x13, 0xd3, 0x1c, 0x70, 0xef, 0x76, 0x57, 0x46, 0x57, 0x85, 0x31, 0xcb, 0x51, 0xc1, 0x5b, 0xf1, 0x1c, 0xa8, 0x2c, 0x97, 0xce, 0xe9, 0xf2},
- {0x9e, 0x58, 0xe5, 0xa1, 0x46, 0xd9, 0x94, 0x2a, 0x10, 0x1c, 0x46, 0x98, 0x45, 0xd6, 0x7a, 0x20, 0xe3, 0xc4, 0x25, 0x9e, 0xd9, 0x13, 0xf2, 0x07}},
- {ETYPE_DES3_CBC_SHA1, {0x00, 0x00, 0x00, 0x01, 0x55}, 5,
- {0x98, 0xe6, 0xfd, 0x8a, 0x04, 0xa4, 0xb6, 0x85, 0x9b, 0x75, 0xa1, 0x76, 0x54, 0x0b, 0x97, 0x52, 0xba, 0xd3, 0xec, 0xd6, 0x10, 0xa2, 0x52, 0xbc},
- {0x13, 0xfe, 0xf8, 0x0d, 0x76, 0x3e, 0x94, 0xec, 0x6d, 0x13, 0xfd, 0x2c, 0xa1, 0xd0, 0x85, 0x07, 0x02, 0x49, 0xda, 0xd3, 0x98, 0x08, 0xea, 0xbf}},
- {ETYPE_DES3_CBC_SHA1, {0x00, 0x00, 0x00, 0x01, 0xaa}, 5,
- {0x62, 0x2a, 0xec, 0x25, 0xa2, 0xfe, 0x2c, 0xad, 0x70, 0x94, 0x68, 0x0b, 0x7c, 0x64, 0x94, 0x02, 0x80, 0x08, 0x4c, 0x1a, 0x7c, 0xec, 0x92, 0xb5},
- {0xf8, 0xdf, 0xbf, 0x04, 0xb0, 0x97, 0xe6, 0xd9, 0xdc, 0x07, 0x02, 0x68, 0x6b, 0xcb, 0x34, 0x89, 0xd9, 0x1f, 0xd9, 0xa4, 0x51, 0x6b, 0x70, 0x3e}},
- {ETYPE_DES3_CBC_SHA1, {0x6b, 0x65, 0x72, 0x62, 0x65, 0x72, 0x6f, 0x73}, 8,
- {0xd3, 0xf8, 0x29, 0x8c, 0xcb, 0x16, 0x64, 0x38, 0xdc, 0xb9, 0xb9, 0x3e, 0xe5, 0xa7, 0x62, 0x92, 0x86, 0xa4, 0x91, 0xf8, 0x38, 0xf8, 0x02, 0xfb},
- {0x23, 0x70, 0xda, 0x57, 0x5d, 0x2a, 0x3d, 0xa8, 0x64, 0xce, 0xbf, 0xdc, 0x52, 0x04, 0xd5, 0x6d, 0xf7, 0x79, 0xa7, 0xdf, 0x43, 0xd9, 0xda, 0x43}},
- {ETYPE_DES3_CBC_SHA1, {0x63, 0x6f, 0x6d, 0x62, 0x69, 0x6e, 0x65}, 7,
- {0xb5, 0x5e, 0x98, 0x34, 0x67, 0xe5, 0x51, 0xb3, 0xe5, 0xd0, 0xe5, 0xb6, 0xc8, 0x0d, 0x45, 0x76, 0x94, 0x23, 0xa8, 0x73, 0xdc, 0x62, 0xb3, 0x0e},
- {0x01, 0x26, 0x38, 0x8a, 0xad, 0xc8, 0x1a, 0x1f, 0x2a, 0x62, 0xbc, 0x45, 0xf8, 0xd5, 0xc1, 0x91, 0x51, 0xba, 0xcd, 0xd5, 0xcb, 0x79, 0x8a, 0x3e}},
- {ETYPE_DES3_CBC_SHA1, {0x00, 0x00, 0x00, 0x01, 0x55}, 5,
- {0xc1, 0x08, 0x16, 0x49, 0xad, 0xa7, 0x43, 0x62, 0xe6, 0xa1, 0x45, 0x9d, 0x01, 0xdf, 0xd3, 0x0d, 0x67, 0xc2, 0x23, 0x4c, 0x94, 0x07, 0x04, 0xda},
- {0x34, 0x80, 0x57, 0xec, 0x98, 0xfd, 0xc4, 0x80, 0x16, 0x16, 0x1c, 0x2a, 0x4c, 0x7a, 0x94, 0x3e, 0x92, 0xae, 0x49, 0x2c, 0x98, 0x91, 0x75, 0xf7}},
- {ETYPE_DES3_CBC_SHA1, {0x00, 0x00, 0x00, 0x01, 0xaa}, 5,
- {0x5d, 0x15, 0x4a, 0xf2, 0x38, 0xf4, 0x67, 0x13, 0x15, 0x57, 0x19, 0xd5, 0x5e, 0x2f, 0x1f, 0x79, 0x0d, 0xd6, 0x61, 0xf2, 0x79, 0xa7, 0x91, 0x7c},
- {0xa8, 0x80, 0x8a, 0xc2, 0x67, 0xda, 0xda, 0x3d, 0xcb, 0xe9, 0xa7, 0xc8, 0x46, 0x26, 0xfb, 0xc7, 0x61, 0xc2, 0x94, 0xb0, 0x13, 0x15, 0xe5, 0xc1}},
- {ETYPE_DES3_CBC_SHA1, {0x00, 0x00, 0x00, 0x01, 0x55}, 5,
- {0x79, 0x85, 0x62, 0xe0, 0x49, 0x85, 0x2f, 0x57, 0xdc, 0x8c, 0x34, 0x3b, 0xa1, 0x7f, 0x2c, 0xa1, 0xd9, 0x73, 0x94, 0xef, 0xc8, 0xad, 0xc4, 0x43},
- {0xc8, 0x13, 0xf8, 0x8a, 0x3b, 0xe3, 0xb3, 0x34, 0xf7, 0x54, 0x25, 0xce, 0x91, 0x75, 0xfb, 0xe3, 0xc8, 0x49, 0x3b, 0x89, 0xc8, 0x70, 0x3b, 0x49}},
- {ETYPE_DES3_CBC_SHA1, {0x00, 0x00, 0x00, 0x01, 0xaa}, 5,
- {0x26, 0xdc, 0xe3, 0x34, 0xb5, 0x45, 0x29, 0x2f, 0x2f, 0xea, 0xb9, 0xa8, 0x70, 0x1a, 0x89, 0xa4, 0xb9, 0x9e, 0xb9, 0x94, 0x2c, 0xec, 0xd0, 0x16},
- {0xf4, 0x8f, 0xfd, 0x6e, 0x83, 0xf8, 0x3e, 0x73, 0x54, 0xe6, 0x94, 0xfd, 0x25, 0x2c, 0xf8, 0x3b, 0xfe, 0x58, 0xf7, 0xd5, 0xba, 0x37, 0xec, 0x5d}},
- {0}
-};
-
-int
-main(int argc, char **argv)
-{
- struct testcase *t;
- krb5_context context;
- krb5_error_code ret;
- int val = 0;
-
- ret = krb5_init_context (&context);
- if (ret)
- errx (1, "krb5_init_context failed: %d", ret);
-
- for (t = tests; t->enctype != 0; ++t) {
- krb5_keyblock key;
- krb5_keyblock *dkey;
-
- key.keytype = KEYTYPE_DES3;
- key.keyvalue.length = MAXSIZE;
- key.keyvalue.data = t->key;
-
- ret = krb5_derive_key(context, &key, t->enctype, t->constant,
- t->constant_len, &dkey);
- if (ret)
- krb5_err (context, 1, ret, "krb5_derive_key");
- if (memcmp (dkey->keyvalue.data, t->res, dkey->keyvalue.length) != 0) {
- const unsigned char *p = dkey->keyvalue.data;
- int i;
-
- printf ("derive_key failed\n");
- printf ("should be: ");
- for (i = 0; i < dkey->keyvalue.length; ++i)
- printf ("%02x", t->res[i]);
- printf ("\nresult was: ");
- for (i = 0; i < dkey->keyvalue.length; ++i)
- printf ("%02x", p[i]);
- printf ("\n");
- val = 1;
- }
- }
- return val;
-}
diff --git a/crypto/heimdal-0.6.3/lib/krb5/dump_config.c b/crypto/heimdal-0.6.3/lib/krb5/dump_config.c
deleted file mode 100644
index 074595e213..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/dump_config.c
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
- * Copyright (c) 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of KTH nor the names of its contributors may be
- * used to endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
- * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
- * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
- * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
-
-#include "krb5_locl.h"
-
-RCSID("$Id: dump_config.c,v 1.2 1999/10/28 23:22:41 assar Exp $");
-
-/* print contents of krb5.conf */
-
-static void
-print_tree(struct krb5_config_binding *b, int level)
-{
- if (b == NULL)
- return;
-
- printf("%*s%s%s%s", level * 4, "",
- (level == 0) ? "[" : "", b->name, (level == 0) ? "]" : "");
- if(b->type == krb5_config_list) {
- if(level > 0)
- printf(" = {");
- printf("\n");
- print_tree(b->u.list, level + 1);
- if(level > 0)
- printf("%*s}\n", level * 4, "");
- } else if(b->type == krb5_config_string) {
- printf(" = %s\n", b->u.string);
- }
- if(b->next)
- print_tree(b->next, level);
-}
-
-int
-main(int argc, char **argv)
-{
- krb5_context context;
- krb5_error_code ret = krb5_init_context(&context);
- if(ret == 0) {
- print_tree(context->cf, 0);
- return 0;
- }
- return 1;
-}
diff --git a/crypto/heimdal-0.6.3/lib/krb5/eai_to_heim_errno.c b/crypto/heimdal-0.6.3/lib/krb5/eai_to_heim_errno.c
deleted file mode 100644
index b30640f72d..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/eai_to_heim_errno.c
+++ /dev/null
@@ -1,98 +0,0 @@
-/*
- * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include
-
-RCSID("$Id: eai_to_heim_errno.c,v 1.3.8.1 2004/02/13 16:15:16 lha Exp $");
-
-/*
- * convert the getaddrinfo error code in `eai_errno' into a
- * krb5_error_code. `system_error' should have the value of the errno
- * after the failed call.
- */
-
-krb5_error_code
-krb5_eai_to_heim_errno(int eai_errno, int system_error)
-{
- switch(eai_errno) {
- case EAI_NOERROR:
- return 0;
-#ifdef EAI_ADDRFAMILY
- case EAI_ADDRFAMILY:
- return HEIM_EAI_ADDRFAMILY;
-#endif
- case EAI_AGAIN:
- return HEIM_EAI_AGAIN;
- case EAI_BADFLAGS:
- return HEIM_EAI_BADFLAGS;
- case EAI_FAIL:
- return HEIM_EAI_FAIL;
- case EAI_FAMILY:
- return HEIM_EAI_FAMILY;
- case EAI_MEMORY:
- return HEIM_EAI_MEMORY;
-#if defined(EAI_NODATA) && EAI_NODATA != EAI_NONAME
- case EAI_NODATA:
- return HEIM_EAI_NODATA;
-#endif
- case EAI_NONAME:
- return HEIM_EAI_NONAME;
- case EAI_SERVICE:
- return HEIM_EAI_SERVICE;
- case EAI_SOCKTYPE:
- return HEIM_EAI_SOCKTYPE;
- case EAI_SYSTEM:
- return system_error;
- default:
- return HEIM_EAI_UNKNOWN; /* XXX */
- }
-}
-
-krb5_error_code
-krb5_h_errno_to_heim_errno(int eai_errno)
-{
- switch(eai_errno) {
- case 0:
- return 0;
- case HOST_NOT_FOUND:
- return HEIM_EAI_NONAME;
- case TRY_AGAIN:
- return HEIM_EAI_AGAIN;
- case NO_RECOVERY:
- return HEIM_EAI_FAIL;
- case NO_DATA:
- return HEIM_EAI_NONAME;
- default:
- return HEIM_EAI_UNKNOWN; /* XXX */
- }
-}
diff --git a/crypto/heimdal-0.6.3/lib/krb5/error_string.c b/crypto/heimdal-0.6.3/lib/krb5/error_string.c
deleted file mode 100644
index bf734481c1..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/error_string.c
+++ /dev/null
@@ -1,95 +0,0 @@
-/*
- * Copyright (c) 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-
-RCSID("$Id: error_string.c,v 1.1 2001/05/06 23:07:22 assar Exp $");
-
-#undef __attribute__
-#define __attribute__(X)
-
-void
-krb5_free_error_string(krb5_context context, char *str)
-{
- if (str != context->error_buf)
- free(str);
-}
-
-void
-krb5_clear_error_string(krb5_context context)
-{
- if (context->error_string != NULL
- && context->error_string != context->error_buf)
- free(context->error_string);
- context->error_string = NULL;
-}
-
-krb5_error_code
-krb5_set_error_string(krb5_context context, const char *fmt, ...)
- __attribute__((format (printf, 2, 3)))
-{
- krb5_error_code ret;
- va_list ap;
-
- va_start(ap, fmt);
- ret = krb5_vset_error_string (context, fmt, ap);
- va_end(ap);
- return ret;
-}
-
-krb5_error_code
-krb5_vset_error_string(krb5_context context, const char *fmt, va_list args)
- __attribute__ ((format (printf, 2, 0)))
-{
- krb5_clear_error_string(context);
- vasprintf(&context->error_string, fmt, args);
- if(context->error_string == NULL) {
- vsnprintf (context->error_buf, sizeof(context->error_buf), fmt, args);
- context->error_string = context->error_buf;
- }
- return 0;
-}
-
-char*
-krb5_get_error_string(krb5_context context)
-{
- char *ret = context->error_string;
- context->error_string = NULL;
- return ret;
-}
-
-krb5_boolean
-krb5_have_error_string(krb5_context context)
-{
- return context->error_string != NULL;
-}
diff --git a/crypto/heimdal-0.6.3/lib/krb5/expand_hostname.c b/crypto/heimdal-0.6.3/lib/krb5/expand_hostname.c
deleted file mode 100644
index 7ed2dd53f1..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/expand_hostname.c
+++ /dev/null
@@ -1,153 +0,0 @@
-/*
- * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-
-RCSID("$Id: expand_hostname.c,v 1.11 2001/09/18 09:35:47 joda Exp $");
-
-static krb5_error_code
-copy_hostname(krb5_context context,
- const char *orig_hostname,
- char **new_hostname)
-{
- *new_hostname = strdup (orig_hostname);
- if (*new_hostname == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
- strlwr (*new_hostname);
- return 0;
-}
-
-/*
- * Try to make `orig_hostname' into a more canonical one in the newly
- * allocated space returned in `new_hostname'.
- */
-
-krb5_error_code
-krb5_expand_hostname (krb5_context context,
- const char *orig_hostname,
- char **new_hostname)
-{
- struct addrinfo *ai, *a, hints;
- int error;
-
- memset (&hints, 0, sizeof(hints));
- hints.ai_flags = AI_CANONNAME;
-
- error = getaddrinfo (orig_hostname, NULL, &hints, &ai);
- if (error)
- return copy_hostname (context, orig_hostname, new_hostname);
- for (a = ai; a != NULL; a = a->ai_next) {
- if (a->ai_canonname != NULL) {
- *new_hostname = strdup (a->ai_canonname);
- freeaddrinfo (ai);
- if (*new_hostname == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- } else {
- return 0;
- }
- }
- }
- freeaddrinfo (ai);
- return copy_hostname (context, orig_hostname, new_hostname);
-}
-
-/*
- * handle the case of the hostname being unresolvable and thus identical
- */
-
-static krb5_error_code
-vanilla_hostname (krb5_context context,
- const char *orig_hostname,
- char **new_hostname,
- char ***realms)
-{
- krb5_error_code ret;
-
- ret = copy_hostname (context, orig_hostname, new_hostname);
- if (ret)
- return ret;
- strlwr (*new_hostname);
-
- ret = krb5_get_host_realm (context, *new_hostname, realms);
- if (ret) {
- free (*new_hostname);
- return ret;
- }
- return 0;
-}
-
-/*
- * expand `hostname' to a name we believe to be a hostname in newly
- * allocated space in `host' and return realms in `realms'.
- */
-
-krb5_error_code
-krb5_expand_hostname_realms (krb5_context context,
- const char *orig_hostname,
- char **new_hostname,
- char ***realms)
-{
- struct addrinfo *ai, *a, hints;
- int error;
- krb5_error_code ret = 0;
-
- memset (&hints, 0, sizeof(hints));
- hints.ai_flags = AI_CANONNAME;
-
- error = getaddrinfo (orig_hostname, NULL, &hints, &ai);
- if (error)
- return vanilla_hostname (context, orig_hostname, new_hostname,
- realms);
-
- for (a = ai; a != NULL; a = a->ai_next) {
- if (a->ai_canonname != NULL) {
- ret = copy_hostname (context, a->ai_canonname, new_hostname);
- if (ret) {
- freeaddrinfo (ai);
- return ret;
- }
- strlwr (*new_hostname);
- ret = krb5_get_host_realm (context, *new_hostname, realms);
- if (ret == 0) {
- freeaddrinfo (ai);
- return 0;
- }
- free (*new_hostname);
- }
- }
- freeaddrinfo(ai);
- return vanilla_hostname (context, orig_hostname, new_hostname, realms);
-}
diff --git a/crypto/heimdal-0.6.3/lib/krb5/fcache.c b/crypto/heimdal-0.6.3/lib/krb5/fcache.c
deleted file mode 100644
index 38006c3e3a..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/fcache.c
+++ /dev/null
@@ -1,656 +0,0 @@ -/* - * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "krb5_locl.h" - -RCSID("$Id: fcache.c,v 1.34.6.6 2004/03/10 13:30:59 lha Exp $"); - -typedef struct krb5_fcache{ - char *filename; - int version; -}krb5_fcache; - -struct fcc_cursor { - int fd; - krb5_storage *sp; -}; - -#define KRB5_FCC_FVNO_1 1 -#define KRB5_FCC_FVNO_2 2 -#define KRB5_FCC_FVNO_3 3 -#define KRB5_FCC_FVNO_4 4 - -#define FCC_TAG_DELTATIME 1 - -#define FCACHE(X) ((krb5_fcache*)(X)->data.data) - -#define FILENAME(X) (FCACHE(X)->filename) - -#define FCC_CURSOR(C) ((struct fcc_cursor*)(C)) - -static const char* -fcc_get_name(krb5_context context, - krb5_ccache id) -{ - return FILENAME(id); -} - -int -_krb5_xlock(krb5_context context, int fd, krb5_boolean exclusive, - const char *filename) -{ - int ret; -#ifdef HAVE_FCNTL - struct flock l; - - l.l_start = 0; - l.l_len = 0; - l.l_type = exclusive ? F_WRLCK : F_RDLCK; - l.l_whence = SEEK_SET; - ret = fcntl(fd, F_SETLKW, &l); -#else - ret = flock(fd, exclusive ? LOCK_EX : LOCK_SH); -#endif - if(ret < 0) - ret = errno; - if(ret == EACCES) /* fcntl can return EACCES instead of EAGAIN */ - ret = EAGAIN; - - switch (ret) { - case 0: - break; - case EINVAL: /* filesystem doesn't support locking, let the user have it */ - ret = 0; - break; - case EAGAIN: - krb5_set_error_string(context, "timed out locking cache file %s", - filename); - break; - default: - krb5_set_error_string(context, "error locking cache file %s: %s", - filename, strerror(ret)); - break; - } - return ret; -} - -int -_krb5_xunlock(int fd) -{ -#ifdef HAVE_FCNTL_LOCK - struct flock l; - l.l_start = 0; - l.l_len = 0; - l.l_type = F_UNLCK; - l.l_whence = SEEK_SET; - return fcntl(fd, F_SETLKW, &l); -#else - return flock(fd, LOCK_UN); -#endif -} - -static krb5_error_code -fcc_lock(krb5_context context, krb5_ccache id, - int fd, krb5_boolean exclusive) -{ - return _krb5_xlock(context, fd, exclusive, fcc_get_name(context, id)); -} - -static krb5_error_code -fcc_unlock(krb5_context context, int fd) -{ - return _krb5_xunlock(fd); -} - 
-static krb5_error_code -fcc_resolve(krb5_context context, krb5_ccache *id, const char *res) -{ - krb5_fcache *f; - f = malloc(sizeof(*f)); - if(f == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - return KRB5_CC_NOMEM; - } - f->filename = strdup(res); - if(f->filename == NULL){ - free(f); - krb5_set_error_string(context, "malloc: out of memory"); - return KRB5_CC_NOMEM; - } - f->version = 0; - (*id)->data.data = f; - (*id)->data.length = sizeof(*f); - return 0; -} - -/* - * Try to scrub the contents of `filename' safely. - */ - -static int -scrub_file (int fd) -{ - off_t pos; - char buf[128]; - - pos = lseek(fd, 0, SEEK_END); - if (pos < 0) - return errno; - if (lseek(fd, 0, SEEK_SET) < 0) - return errno; - memset(buf, 0, sizeof(buf)); - while(pos > 0) { - ssize_t tmp = write(fd, buf, min(sizeof(buf), pos)); - - if (tmp < 0) - return errno; - pos -= tmp; - } - fsync (fd); - return 0; -} - -/* - * Erase `filename' if it exists, trying to remove the contents if - * it's `safe'. We always try to remove the file, it it exists. 
It's - * only overwritten if it's a regular file (not a symlink and not a - * hardlink) - */ - -static krb5_error_code -erase_file(const char *filename) -{ - int fd; - struct stat sb1, sb2; - int ret; - - ret = lstat (filename, &sb1); - if (ret < 0) - return errno; - - fd = open(filename, O_RDWR | O_BINARY); - if(fd < 0) { - if(errno == ENOENT) - return 0; - else - return errno; - } - if (unlink(filename) < 0) { - close (fd); - return errno; - } - ret = fstat (fd, &sb2); - if (ret < 0) { - close (fd); - return errno; - } - - /* check if someone was playing with symlinks */ - - if (sb1.st_dev != sb2.st_dev || sb1.st_ino != sb2.st_ino) { - close (fd); - return EPERM; - } - - /* there are still hard links to this file */ - - if (sb2.st_nlink != 0) { - close (fd); - return 0; - } - - ret = scrub_file (fd); - close (fd); - return ret; -} - -static krb5_error_code -fcc_gen_new(krb5_context context, krb5_ccache *id) -{ - krb5_fcache *f; - int fd; - char *file; - - f = malloc(sizeof(*f)); - if(f == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - return KRB5_CC_NOMEM; - } - asprintf (&file, "%sXXXXXX", KRB5_DEFAULT_CCFILE_ROOT); - if(file == NULL) { - free(f); - krb5_set_error_string(context, "malloc: out of memory"); - return KRB5_CC_NOMEM; - } - fd = mkstemp(file); - if(fd < 0) { - free(f); - free(file); - krb5_set_error_string(context, "mkstemp %s", file); - return errno; - } - close(fd); - f->filename = file; - f->version = 0; - (*id)->data.data = f; - (*id)->data.length = sizeof(*f); - return 0; -} - -static void -storage_set_flags(krb5_context context, krb5_storage *sp, int vno) -{ - int flags = 0; - switch(vno) { - case KRB5_FCC_FVNO_1: - flags |= KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS; - flags |= KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE; - flags |= KRB5_STORAGE_HOST_BYTEORDER; - break; - case KRB5_FCC_FVNO_2: - flags |= KRB5_STORAGE_HOST_BYTEORDER; - break; - case KRB5_FCC_FVNO_3: - flags |= KRB5_STORAGE_KEYBLOCK_KEYTYPE_TWICE; - break; - case 
KRB5_FCC_FVNO_4: - break; - default: - krb5_abortx(context, - "storage_set_flags called with bad vno (%x)", vno); - } - krb5_storage_set_flags(sp, flags); -} - -static krb5_error_code -fcc_open(krb5_context context, - krb5_ccache id, - int *fd_ret, - int flags, - mode_t mode) -{ - krb5_boolean exclusive = ((flags | O_WRONLY) == flags || - (flags | O_RDWR) == flags); - krb5_error_code ret; - const char *filename = FILENAME(id); - int fd; - fd = open(filename, flags, mode); - if(fd < 0) { - ret = errno; - krb5_set_error_string(context, "open(%s): %s", filename, - strerror(ret)); - return ret; - } - - if((ret = fcc_lock(context, id, fd, exclusive)) != 0) { - close(fd); - return ret; - } - *fd_ret = fd; - return 0; -} - -static krb5_error_code -fcc_initialize(krb5_context context, - krb5_ccache id, - krb5_principal primary_principal) -{ - krb5_fcache *f = FCACHE(id); - int ret = 0; - int fd; - char *filename = f->filename; - - unlink (filename); - - ret = fcc_open(context, id, &fd, O_RDWR | O_CREAT | O_EXCL | O_BINARY, 0600); - if(ret) - return ret; - { - krb5_storage *sp; - sp = krb5_storage_from_fd(fd); - krb5_storage_set_eof_code(sp, KRB5_CC_END); - if(context->fcache_vno != 0) - f->version = context->fcache_vno; - else - f->version = KRB5_FCC_FVNO_4; - ret |= krb5_store_int8(sp, 5); - ret |= krb5_store_int8(sp, f->version); - storage_set_flags(context, sp, f->version); - if(f->version == KRB5_FCC_FVNO_4 && ret == 0) { - /* V4 stuff */ - if (context->kdc_sec_offset) { - ret |= krb5_store_int16 (sp, 12); /* length */ - ret |= krb5_store_int16 (sp, FCC_TAG_DELTATIME); /* Tag */ - ret |= krb5_store_int16 (sp, 8); /* length of data */ - ret |= krb5_store_int32 (sp, context->kdc_sec_offset); - ret |= krb5_store_int32 (sp, context->kdc_usec_offset); - } else { - ret |= krb5_store_int16 (sp, 0); - } - } - ret |= krb5_store_principal(sp, primary_principal); - - krb5_storage_free(sp); - } - fcc_unlock(context, fd); - if (close(fd) < 0) - if (ret == 0) { - ret = errno; - 
krb5_set_error_string (context, "close %s: %s", - FILENAME(id), strerror(ret)); - } - return ret; -} - -static krb5_error_code -fcc_close(krb5_context context, - krb5_ccache id) -{ - free (FILENAME(id)); - krb5_data_free(&id->data); - return 0; -} - -static krb5_error_code -fcc_destroy(krb5_context context, - krb5_ccache id) -{ - erase_file(FILENAME(id)); - return 0; -} - -static krb5_error_code -fcc_store_cred(krb5_context context, - krb5_ccache id, - krb5_creds *creds) -{ - int ret; - int fd; - - ret = fcc_open(context, id, &fd, O_WRONLY | O_APPEND | O_BINARY, 0); - if(ret) - return ret; - { - krb5_storage *sp; - sp = krb5_storage_from_fd(fd); - krb5_storage_set_eof_code(sp, KRB5_CC_END); - storage_set_flags(context, sp, FCACHE(id)->version); - if (krb5_config_get_bool_default(context, NULL, FALSE, - "libdefaults", - "fcc-mit-ticketflags", - NULL)) - ret = _krb5_store_creds_heimdal_0_7(sp, creds); - else - ret = _krb5_store_creds_heimdal_pre_0_7(sp, creds); - krb5_storage_free(sp); - } - fcc_unlock(context, fd); - if (close(fd) < 0) - if (ret == 0) { - ret = errno; - krb5_set_error_string (context, "close %s: %s", - FILENAME(id), strerror(ret)); - } - return ret; -} - -static krb5_error_code -init_fcc (krb5_context context, - krb5_ccache id, - krb5_storage **ret_sp, - int *ret_fd) -{ - int fd; - int8_t pvno, tag; - krb5_storage *sp; - krb5_error_code ret; - - ret = fcc_open(context, id, &fd, O_RDONLY | O_BINARY, 0); - - if(ret) - return ret; - - sp = krb5_storage_from_fd(fd); - if(sp == NULL) { - ret = ENOMEM; - goto out; - } - krb5_storage_set_eof_code(sp, KRB5_CC_END); - ret = krb5_ret_int8(sp, &pvno); - if(ret != 0) { - if(ret == KRB5_CC_END) - ret = ENOENT; /* empty file */ - goto out; - } - if(pvno != 5) { - ret = KRB5_CCACHE_BADVNO; - goto out; - } - ret = krb5_ret_int8(sp, &tag); /* should not be host byte order */ - if(ret != 0) { - ret = KRB5_CC_FORMAT; - goto out; - } - FCACHE(id)->version = tag; - storage_set_flags(context, sp, FCACHE(id)->version); - 
switch (tag) { - case KRB5_FCC_FVNO_4: { - int16_t length; - - ret = krb5_ret_int16 (sp, &length); - if(ret) { - ret = KRB5_CC_FORMAT; - goto out; - } - while(length > 0) { - int16_t tag, data_len; - int i; - int8_t dummy; - - ret = krb5_ret_int16 (sp, &tag); - if(ret) { - ret = KRB5_CC_FORMAT; - goto out; - } - ret = krb5_ret_int16 (sp, &data_len); - if(ret) { - ret = KRB5_CC_FORMAT; - goto out; - } - switch (tag) { - case FCC_TAG_DELTATIME : - ret = krb5_ret_int32 (sp, &context->kdc_sec_offset); - if(ret) { - ret = KRB5_CC_FORMAT; - goto out; - } - ret = krb5_ret_int32 (sp, &context->kdc_usec_offset); - if(ret) { - ret = KRB5_CC_FORMAT; - goto out; - } - break; - default : - for (i = 0; i < data_len; ++i) { - ret = krb5_ret_int8 (sp, &dummy); - if(ret) { - ret = KRB5_CC_FORMAT; - goto out; - } - } - break; - } - length -= 4 + data_len; - } - break; - } - case KRB5_FCC_FVNO_3: - case KRB5_FCC_FVNO_2: - case KRB5_FCC_FVNO_1: - break; - default : - ret = KRB5_CCACHE_BADVNO; - goto out; - } - *ret_sp = sp; - *ret_fd = fd; - - return 0; - out: - if(sp != NULL) - krb5_storage_free(sp); - fcc_unlock(context, fd); - close(fd); - return ret; -} - -static krb5_error_code -fcc_get_principal(krb5_context context, - krb5_ccache id, - krb5_principal *principal) -{ - krb5_error_code ret; - int fd; - krb5_storage *sp; - - ret = init_fcc (context, id, &sp, &fd); - if (ret) - return ret; - ret = krb5_ret_principal(sp, principal); - krb5_storage_free(sp); - fcc_unlock(context, fd); - close(fd); - return ret; -} - -static krb5_error_code -fcc_end_get (krb5_context context, - krb5_ccache id, - krb5_cc_cursor *cursor); - -static krb5_error_code -fcc_get_first (krb5_context context, - krb5_ccache id, - krb5_cc_cursor *cursor) -{ - krb5_error_code ret; - krb5_principal principal; - - *cursor = malloc(sizeof(struct fcc_cursor)); - - ret = init_fcc (context, id, &FCC_CURSOR(*cursor)->sp, - &FCC_CURSOR(*cursor)->fd); - if (ret) { - free(*cursor); - return ret; - } - ret = 
krb5_ret_principal (FCC_CURSOR(*cursor)->sp, &principal); - if(ret) { - fcc_end_get(context, id, cursor); - return ret; - } - krb5_free_principal (context, principal); - fcc_unlock(context, FCC_CURSOR(*cursor)->fd); - return 0; -} - -static krb5_error_code -fcc_get_next (krb5_context context, - krb5_ccache id, - krb5_cc_cursor *cursor, - krb5_creds *creds) -{ - krb5_error_code ret; - if((ret = fcc_lock(context, id, FCC_CURSOR(*cursor)->fd, FALSE)) != 0) - return ret; - - ret = krb5_ret_creds(FCC_CURSOR(*cursor)->sp, creds); - - fcc_unlock(context, FCC_CURSOR(*cursor)->fd); - return ret; -} - -static krb5_error_code -fcc_end_get (krb5_context context, - krb5_ccache id, - krb5_cc_cursor *cursor) -{ - krb5_storage_free(FCC_CURSOR(*cursor)->sp); - close (FCC_CURSOR(*cursor)->fd); - free(*cursor); - *cursor = NULL; - return 0; -} - -static krb5_error_code -fcc_remove_cred(krb5_context context, - krb5_ccache id, - krb5_flags which, - krb5_creds *cred) -{ - return 0; /* XXX */ -} - -static krb5_error_code -fcc_set_flags(krb5_context context, - krb5_ccache id, - krb5_flags flags) -{ - return 0; /* XXX */ -} - -static krb5_error_code -fcc_get_version(krb5_context context, - krb5_ccache id) -{ - return FCACHE(id)->version; -} - -const krb5_cc_ops krb5_fcc_ops = { - "FILE", - fcc_get_name, - fcc_resolve, - fcc_gen_new, - fcc_initialize, - fcc_destroy, - fcc_close, - fcc_store_cred, - NULL, /* fcc_retrieve */ - fcc_get_principal, - fcc_get_first, - fcc_get_next, - fcc_end_get, - fcc_remove_cred, - fcc_set_flags, - fcc_get_version -}; diff --git a/crypto/heimdal-0.6.3/lib/krb5/free.c b/crypto/heimdal-0.6.3/lib/krb5/free.c deleted file mode 100644 index 251ec32010..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/free.c +++ /dev/null 
@@ -1,52 +0,0 @@
-/*
- * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-
-RCSID("$Id: free.c,v 1.5 1999/12/02 17:05:09 joda Exp $");
-
-krb5_error_code
-krb5_free_kdc_rep(krb5_context context, krb5_kdc_rep *rep)
-{
- free_KDC_REP(&rep->kdc_rep);
- free_EncTGSRepPart(&rep->enc_part);
- free_KRB_ERROR(&rep->error);
- return 0;
-}
-
-krb5_error_code
-krb5_xfree (void *ptr)
-{
- free (ptr);
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/lib/krb5/free_host_realm.c b/crypto/heimdal-0.6.3/lib/krb5/free_host_realm.c
deleted file mode 100644
index a69f29b988..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/free_host_realm.c
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * Copyright (c) 1997, 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-
-RCSID("$Id: free_host_realm.c,v 1.4 1999/12/02 17:05:09 joda Exp $");
-
-/*
- * Free all memory allocated by `realmlist'
- */
-
-krb5_error_code
-krb5_free_host_realm(krb5_context context,
- krb5_realm *realmlist)
-{
- krb5_realm *p;
-
- if(realmlist == NULL)
- return 0;
- for (p = realmlist; *p; ++p)
- free (*p);
- free (realmlist);
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/lib/krb5/generate_seq_number.c b/crypto/heimdal-0.6.3/lib/krb5/generate_seq_number.c
deleted file mode 100644
index 795c3f3ff6..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/generate_seq_number.c
+++ /dev/null
@@ -1,62 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include
-
-RCSID("$Id: generate_seq_number.c,v 1.8 2001/05/08 14:05:37 assar Exp $");
-
-krb5_error_code
-krb5_generate_seq_number(krb5_context context,
- const krb5_keyblock *key,
- u_int32_t *seqno)
-{
- krb5_error_code ret;
- krb5_keyblock *subkey;
- u_int32_t q;
- u_char *p;
- int i;
-
- ret = krb5_generate_subkey (context, key, &subkey);
- if (ret)
- return ret;
-
- q = 0;
- for (p = (u_char *)subkey->keyvalue.data, i = 0;
- i < subkey->keyvalue.length;
- ++i, ++p)
- q = (q << 8) | *p;
- q &= 0xffffffff;
- *seqno = q;
- krb5_free_keyblock (context, subkey);
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/lib/krb5/generate_subkey.c b/crypto/heimdal-0.6.3/lib/krb5/generate_subkey.c
deleted file mode 100644
index 3fb22f970e..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/generate_subkey.c
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include
-
-RCSID("$Id: generate_subkey.c,v 1.8 2001/05/14 06:14:46 assar Exp $");
-
-krb5_error_code
-krb5_generate_subkey(krb5_context context,
- const krb5_keyblock *key,
- krb5_keyblock **subkey)
-{
- krb5_error_code ret;
-
- ALLOC(*subkey, 1);
- if (*subkey == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
- ret = krb5_generate_random_keyblock(context, key->keytype, *subkey);
- if(ret)
- free(*subkey);
- return ret;
-}
diff --git a/crypto/heimdal-0.6.3/lib/krb5/get_addrs.c b/crypto/heimdal-0.6.3/lib/krb5/get_addrs.c
deleted file mode 100644
index 94a0350e8b..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/get_addrs.c
+++ /dev/null
@@ -1,291 +0,0 @@ -/* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "krb5_locl.h" - -RCSID("$Id: get_addrs.c,v 1.45 2003/01/25 15:19:49 lha Exp $"); - -#ifdef __osf__ -/* hate */ -struct rtentry; -struct mbuf; -#endif -#ifdef HAVE_NET_IF_H -#include -#endif -#include - -static krb5_error_code -gethostname_fallback (krb5_context context, krb5_addresses *res) -{ - krb5_error_code ret; - char hostname[MAXHOSTNAMELEN]; - struct hostent *hostent; - - if (gethostname (hostname, sizeof(hostname))) { - ret = errno; - krb5_set_error_string (context, "gethostname: %s", strerror(ret)); - return ret; - } - hostent = roken_gethostbyname (hostname); - if (hostent == NULL) { - ret = errno; - krb5_set_error_string (context, "gethostbyname %s: %s", - hostname, strerror(ret)); - return ret; - } - res->len = 1; - res->val = malloc (sizeof(*res->val)); - if (res->val == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - res->val[0].addr_type = hostent->h_addrtype; - res->val[0].address.data = NULL; - res->val[0].address.length = 0; - ret = krb5_data_copy (&res->val[0].address, - hostent->h_addr, - hostent->h_length); - if (ret) { - free (res->val); - return ret; - } - return 0; -} - -enum { - LOOP = 1, /* do include loopback interfaces */ - LOOP_IF_NONE = 2, /* include loopback if no other if's */ - EXTRA_ADDRESSES = 4, /* include extra addresses */ - SCAN_INTERFACES = 8 /* scan interfaces for addresses */ -}; - -/* - * Try to figure out the addresses of all configured interfaces with a - * lot of magic ioctls. - */ - -static krb5_error_code -find_all_addresses (krb5_context context, krb5_addresses *res, int flags) -{ - struct sockaddr sa_zero; - struct ifaddrs *ifa0, *ifa; - krb5_error_code ret = ENXIO; - int num, idx; - krb5_addresses ignore_addresses; - - res->val = NULL; - - if (getifaddrs(&ifa0) == -1) { - ret = errno; - krb5_set_error_string(context, "getifaddrs: %s", strerror(ret)); - return (ret); - } - - memset(&sa_zero, 0, sizeof(sa_zero)); - - /* First, count all the ifaddrs. 
*/ - for (ifa = ifa0, num = 0; ifa != NULL; ifa = ifa->ifa_next, num++) - /* nothing */; - - if (num == 0) { - freeifaddrs(ifa0); - krb5_set_error_string(context, "no addresses found"); - return (ENXIO); - } - - if (flags & EXTRA_ADDRESSES) { - /* we'll remove the addresses we don't care about */ - ret = krb5_get_ignore_addresses(context, &ignore_addresses); - if(ret) - return ret; - } - - /* Allocate storage for them. */ - res->val = calloc(num, sizeof(*res->val)); - if (res->val == NULL) { - krb5_free_addresses(context, &ignore_addresses); - freeifaddrs(ifa0); - krb5_set_error_string (context, "malloc: out of memory"); - return (ENOMEM); - } - - /* Now traverse the list. */ - for (ifa = ifa0, idx = 0; ifa != NULL; ifa = ifa->ifa_next) { - if ((ifa->ifa_flags & IFF_UP) == 0) - continue; - if (ifa->ifa_addr == NULL) - continue; - if (memcmp(ifa->ifa_addr, &sa_zero, sizeof(sa_zero)) == 0) - continue; - if (krb5_sockaddr_uninteresting(ifa->ifa_addr)) - continue; - if ((ifa->ifa_flags & IFF_LOOPBACK) != 0) { - /* We'll deal with the LOOP_IF_NONE case later. */ - if ((flags & LOOP) == 0) - continue; - } - - ret = krb5_sockaddr2address(context, ifa->ifa_addr, &res->val[idx]); - if (ret) { - /* - * The most likely error here is going to be "Program - * lacks support for address type". This is no big - * deal -- just continue, and we'll listen on the - * addresses who's type we *do* support. - */ - continue; - } - /* possibly skip this address? */ - if((flags & EXTRA_ADDRESSES) && - krb5_address_search(context, &res->val[idx], &ignore_addresses)) { - krb5_free_address(context, &res->val[idx]); - flags &= ~LOOP_IF_NONE; /* we actually found an address, - so don't add any loop-back - addresses */ - continue; - } - - idx++; - } - - /* - * If no addresses were found, and LOOP_IF_NONE is set, then find - * the loopback addresses and add them to our list. 
- */ - if ((flags & LOOP_IF_NONE) != 0 && idx == 0) { - for (ifa = ifa0; ifa != NULL; ifa = ifa->ifa_next) { - if ((ifa->ifa_flags & IFF_UP) == 0) - continue; - if (ifa->ifa_addr == NULL) - continue; - if (memcmp(ifa->ifa_addr, &sa_zero, sizeof(sa_zero)) == 0) - continue; - if (krb5_sockaddr_uninteresting(ifa->ifa_addr)) - continue; - - if ((ifa->ifa_flags & IFF_LOOPBACK) != 0) { - ret = krb5_sockaddr2address(context, - ifa->ifa_addr, &res->val[idx]); - if (ret) { - /* - * See comment above. - */ - continue; - } - if((flags & EXTRA_ADDRESSES) && - krb5_address_search(context, &res->val[idx], - &ignore_addresses)) { - krb5_free_address(context, &res->val[idx]); - continue; - } - idx++; - } - } - } - - if (flags & EXTRA_ADDRESSES) - krb5_free_addresses(context, &ignore_addresses); - freeifaddrs(ifa0); - if (ret) - free(res->val); - else - res->len = idx; /* Now a count. */ - return (ret); -} - -static krb5_error_code -get_addrs_int (krb5_context context, krb5_addresses *res, int flags) -{ - krb5_error_code ret = -1; - - if (flags & SCAN_INTERFACES) { - ret = find_all_addresses (context, res, flags); - if(ret || res->len == 0) - ret = gethostname_fallback (context, res); - } else { - res->len = 0; - res->val = NULL; - ret = 0; - } - - if(ret == 0 && (flags & EXTRA_ADDRESSES)) { - krb5_addresses a; - /* append user specified addresses */ - ret = krb5_get_extra_addresses(context, &a); - if(ret) { - krb5_free_addresses(context, res); - return ret; - } - ret = krb5_append_addresses(context, res, &a); - if(ret) { - krb5_free_addresses(context, res); - return ret; - } - krb5_free_addresses(context, &a); - } - if(res->len == 0) { - free(res->val); - res->val = NULL; - } - return ret; -} - -/* - * Try to get all addresses, but return the one corresponding to - * `hostname' if we fail. - * - * Only include loopback address if there are no other. 
- */ - -krb5_error_code -krb5_get_all_client_addrs (krb5_context context, krb5_addresses *res) -{ - int flags = LOOP_IF_NONE | EXTRA_ADDRESSES; - - if (context->scan_interfaces) - flags |= SCAN_INTERFACES; - - return get_addrs_int (context, res, flags); -} - -/* - * Try to get all local addresses that a server should listen to. - * If that fails, we return the address corresponding to `hostname'. - */ - -krb5_error_code -krb5_get_all_server_addrs (krb5_context context, krb5_addresses *res) -{ - return get_addrs_int (context, res, LOOP | SCAN_INTERFACES); -} diff --git a/crypto/heimdal-0.6.3/lib/krb5/get_cred.c b/crypto/heimdal-0.6.3/lib/krb5/get_cred.c deleted file mode 100644 index cae47f5763..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/get_cred.c +++ /dev/null 
@@ -1,868 +0,0 @@ -/* - * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include - -RCSID("$Id: get_cred.c,v 1.91.4.3 2004/01/09 00:47:17 lha Exp $"); - -/* - * Take the `body' and encode it into `padata' using the credentials - * in `creds'. 
- */ - -static krb5_error_code -make_pa_tgs_req(krb5_context context, - krb5_auth_context ac, - KDC_REQ_BODY *body, - PA_DATA *padata, - krb5_creds *creds, - krb5_key_usage usage) -{ - u_char *buf; - size_t buf_size; - size_t len; - krb5_data in_data; - krb5_error_code ret; - - ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, body, &len, ret); - if (ret) - goto out; - if(buf_size != len) - krb5_abortx(context, "internal error in ASN.1 encoder"); - - in_data.length = len; - in_data.data = buf; - ret = krb5_mk_req_internal(context, &ac, 0, &in_data, creds, - &padata->padata_value, - KRB5_KU_TGS_REQ_AUTH_CKSUM, - usage - /* KRB5_KU_TGS_REQ_AUTH */); -out: - free (buf); - if(ret) - return ret; - padata->padata_type = KRB5_PADATA_TGS_REQ; - return 0; -} - -/* - * Set the `enc-authorization-data' in `req_body' based on `authdata' - */ - -static krb5_error_code -set_auth_data (krb5_context context, - KDC_REQ_BODY *req_body, - krb5_authdata *authdata, - krb5_keyblock *key) -{ - if(authdata->len) { - size_t len; - unsigned char *buf; - krb5_crypto crypto; - krb5_error_code ret; - - ASN1_MALLOC_ENCODE(AuthorizationData, buf, len, authdata, &len, ret); - if (ret) - return ret; - - ALLOC(req_body->enc_authorization_data, 1); - if (req_body->enc_authorization_data == NULL) { - free (buf); - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - ret = krb5_crypto_init(context, key, 0, &crypto); - if (ret) { - free (buf); - free (req_body->enc_authorization_data); - return ret; - } - krb5_encrypt_EncryptedData(context, - crypto, - KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY, - /* KRB5_KU_TGS_REQ_AUTH_DAT_SESSION? */ - buf, - len, - 0, - req_body->enc_authorization_data); - free (buf); - krb5_crypto_destroy(context, crypto); - } else { - req_body->enc_authorization_data = NULL; - } - return 0; -} - -/* - * Create a tgs-req in `t' with `addresses', `flags', `second_ticket' - * (if not-NULL), `in_creds', `krbtgt', and returning the generated - * subkey in `subkey'. 
- */ - -static krb5_error_code -init_tgs_req (krb5_context context, - krb5_ccache ccache, - krb5_addresses *addresses, - krb5_kdc_flags flags, - Ticket *second_ticket, - krb5_creds *in_creds, - krb5_creds *krbtgt, - unsigned nonce, - krb5_keyblock **subkey, - TGS_REQ *t, - krb5_key_usage usage) -{ - krb5_error_code ret = 0; - - memset(t, 0, sizeof(*t)); - t->pvno = 5; - t->msg_type = krb_tgs_req; - if (in_creds->session.keytype) { - ALLOC_SEQ(&t->req_body.etype, 1); - if(t->req_body.etype.val == NULL) { - ret = ENOMEM; - krb5_set_error_string(context, "malloc: out of memory"); - goto fail; - } - t->req_body.etype.val[0] = in_creds->session.keytype; - } else { - ret = krb5_init_etype(context, - &t->req_body.etype.len, - &t->req_body.etype.val, - NULL); - } - if (ret) - goto fail; - t->req_body.addresses = addresses; - t->req_body.kdc_options = flags.b; - ret = copy_Realm(&in_creds->server->realm, &t->req_body.realm); - if (ret) - goto fail; - ALLOC(t->req_body.sname, 1); - if (t->req_body.sname == NULL) { - ret = ENOMEM; - krb5_set_error_string(context, "malloc: out of memory"); - goto fail; - } - - /* some versions of some code might require that the client be - present in TGS-REQs, but this is clearly against the spec */ - - ret = copy_PrincipalName(&in_creds->server->name, t->req_body.sname); - if (ret) - goto fail; - - /* req_body.till should be NULL if there is no endtime specified, - but old MIT code (like DCE secd) doesn't like that */ - ALLOC(t->req_body.till, 1); - if(t->req_body.till == NULL){ - ret = ENOMEM; - krb5_set_error_string(context, "malloc: out of memory"); - goto fail; - } - *t->req_body.till = in_creds->times.endtime; - - t->req_body.nonce = nonce; - if(second_ticket){ - ALLOC(t->req_body.additional_tickets, 1); - if (t->req_body.additional_tickets == NULL) { - ret = ENOMEM; - krb5_set_error_string(context, "malloc: out of memory"); - goto fail; - } - ALLOC_SEQ(t->req_body.additional_tickets, 1); - if (t->req_body.additional_tickets->val == 
NULL) { - ret = ENOMEM; - krb5_set_error_string(context, "malloc: out of memory"); - goto fail; - } - ret = copy_Ticket(second_ticket, t->req_body.additional_tickets->val); - if (ret) - goto fail; - } - ALLOC(t->padata, 1); - if (t->padata == NULL) { - ret = ENOMEM; - krb5_set_error_string(context, "malloc: out of memory"); - goto fail; - } - ALLOC_SEQ(t->padata, 1); - if (t->padata->val == NULL) { - ret = ENOMEM; - krb5_set_error_string(context, "malloc: out of memory"); - goto fail; - } - - { - krb5_auth_context ac; - krb5_keyblock *key = NULL; - - ret = krb5_auth_con_init(context, &ac); - if(ret) - goto fail; - - if (krb5_config_get_bool_default(context, NULL, FALSE, - "realms", - krbtgt->server->realm, - "tgs_require_subkey", - NULL)) - { - ret = krb5_generate_subkey (context, &krbtgt->session, &key); - if (ret) { - krb5_auth_con_free (context, ac); - goto fail; - } - - ret = krb5_auth_con_setlocalsubkey(context, ac, key); - if (ret) { - if (key) - krb5_free_keyblock (context, key); - krb5_auth_con_free (context, ac); - goto fail; - } - } - - ret = set_auth_data (context, &t->req_body, &in_creds->authdata, key); - if (ret) { - if (key) - krb5_free_keyblock (context, key); - krb5_auth_con_free (context, ac); - goto fail; - } - - ret = make_pa_tgs_req(context, - ac, - &t->req_body, - t->padata->val, - krbtgt, - usage); - if(ret) { - if (key) - krb5_free_keyblock (context, key); - krb5_auth_con_free(context, ac); - goto fail; - } - *subkey = key; - - krb5_auth_con_free(context, ac); - } -fail: - if (ret) { - t->req_body.addresses = NULL; - free_TGS_REQ (t); - } - return ret; -} - -krb5_error_code -_krb5_get_krbtgt(krb5_context context, - krb5_ccache id, - krb5_realm realm, - krb5_creds **cred) -{ - krb5_error_code ret; - krb5_creds tmp_cred; - - memset(&tmp_cred, 0, sizeof(tmp_cred)); - - ret = krb5_cc_get_principal(context, id, &tmp_cred.client); - if (ret) - return ret; - - ret = krb5_make_principal(context, - &tmp_cred.server, - realm, - KRB5_TGS_NAME, - realm, 
- NULL); - if(ret) { - krb5_free_principal(context, tmp_cred.client); - return ret; - } - ret = krb5_get_credentials(context, - KRB5_GC_CACHED, - id, - &tmp_cred, - cred); - krb5_free_principal(context, tmp_cred.client); - krb5_free_principal(context, tmp_cred.server); - if(ret) - return ret; - return 0; -} - -/* DCE compatible decrypt proc */ -static krb5_error_code -decrypt_tkt_with_subkey (krb5_context context, - krb5_keyblock *key, - krb5_key_usage usage, - krb5_const_pointer subkey, - krb5_kdc_rep *dec_rep) -{ - krb5_error_code ret; - krb5_data data; - size_t size; - krb5_crypto crypto; - - ret = krb5_crypto_init(context, key, 0, &crypto); - if (ret) - return ret; - ret = krb5_decrypt_EncryptedData (context, - crypto, - usage, - &dec_rep->kdc_rep.enc_part, - &data); - krb5_crypto_destroy(context, crypto); - if(ret && subkey){ - /* DCE compat -- try to decrypt with subkey */ - ret = krb5_crypto_init(context, (krb5_keyblock*)subkey, 0, &crypto); - if (ret) - return ret; - ret = krb5_decrypt_EncryptedData (context, - crypto, - KRB5_KU_TGS_REP_ENC_PART_SUB_KEY, - &dec_rep->kdc_rep.enc_part, - &data); - krb5_crypto_destroy(context, crypto); - } - if (ret) - return ret; - - ret = krb5_decode_EncASRepPart(context, - data.data, - data.length, - &dec_rep->enc_part, - &size); - if (ret) - ret = krb5_decode_EncTGSRepPart(context, - data.data, - data.length, - &dec_rep->enc_part, - &size); - krb5_data_free (&data); - return ret; -} - -static krb5_error_code -get_cred_kdc_usage(krb5_context context, - krb5_ccache id, - krb5_kdc_flags flags, - krb5_addresses *addresses, - krb5_creds *in_creds, - krb5_creds *krbtgt, - krb5_creds *out_creds, - krb5_key_usage usage) -{ - TGS_REQ req; - krb5_data enc; - krb5_data resp; - krb5_kdc_rep rep; - KRB_ERROR error; - krb5_error_code ret; - unsigned nonce; - krb5_keyblock *subkey = NULL; - u_char *buf = NULL; - size_t buf_size; - size_t len; - Ticket second_ticket; - - krb5_generate_random_block(&nonce, sizeof(nonce)); - nonce &= 
0xffffffff; - - if(flags.b.enc_tkt_in_skey){ - ret = decode_Ticket(in_creds->second_ticket.data, - in_creds->second_ticket.length, - &second_ticket, &len); - if(ret) - return ret; - } - - ret = init_tgs_req (context, - id, - addresses, - flags, - flags.b.enc_tkt_in_skey ? &second_ticket : NULL, - in_creds, - krbtgt, - nonce, - &subkey, - &req, - usage); - if(flags.b.enc_tkt_in_skey) - free_Ticket(&second_ticket); - if (ret) - goto out; - - ASN1_MALLOC_ENCODE(TGS_REQ, buf, buf_size, &req, &enc.length, ret); - if (ret) - goto out; - if(enc.length != buf_size) - krb5_abortx(context, "internal error in ASN.1 encoder"); - - /* don't free addresses */ - req.req_body.addresses = NULL; - free_TGS_REQ(&req); - - enc.data = buf + buf_size - enc.length; - if (ret) - goto out; - - /* - * Send and receive - */ - - ret = krb5_sendto_kdc (context, &enc, - &krbtgt->server->name.name_string.val[1], &resp); - if(ret) - goto out; - - memset(&rep, 0, sizeof(rep)); - if(decode_TGS_REP(resp.data, resp.length, &rep.kdc_rep, &len) == 0){ - ret = krb5_copy_principal(context, - in_creds->client, - &out_creds->client); - if(ret) - goto out; - ret = krb5_copy_principal(context, - in_creds->server, - &out_creds->server); - if(ret) - goto out; - /* this should go someplace else */ - out_creds->times.endtime = in_creds->times.endtime; - - ret = _krb5_extract_ticket(context, - &rep, - out_creds, - &krbtgt->session, - NULL, - KRB5_KU_TGS_REP_ENC_PART_SESSION, - &krbtgt->addresses, - nonce, - TRUE, - flags.b.request_anonymous, - decrypt_tkt_with_subkey, - subkey); - krb5_free_kdc_rep(context, &rep); - if (ret) - goto out; - } else if(krb5_rd_error(context, &resp, &error) == 0) { - ret = krb5_error_from_rd_error(context, &error, in_creds); - krb5_free_error_contents(context, &error); - } else if(resp.data && ((char*)resp.data)[0] == 4) { - ret = KRB5KRB_AP_ERR_V4_REPLY; - krb5_clear_error_string(context); - } else { - ret = KRB5KRB_AP_ERR_MSG_TYPE; - krb5_clear_error_string(context); - } - 
krb5_data_free(&resp); - out: - if(subkey){ - krb5_free_keyblock_contents(context, subkey); - free(subkey); - } - if (buf) - free (buf); - return ret; - -} - -static krb5_error_code -get_cred_kdc(krb5_context context, - krb5_ccache id, - krb5_kdc_flags flags, - krb5_addresses *addresses, - krb5_creds *in_creds, - krb5_creds *krbtgt, - krb5_creds *out_creds) -{ - krb5_error_code ret; - - ret = get_cred_kdc_usage(context, id, flags, addresses, in_creds, - krbtgt, out_creds, KRB5_KU_TGS_REQ_AUTH); - if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY) { - krb5_clear_error_string (context); - ret = get_cred_kdc_usage(context, id, flags, addresses, in_creds, - krbtgt, out_creds, KRB5_KU_AP_REQ_AUTH); - } - return ret; -} - -/* same as above, just get local addresses first */ - -static krb5_error_code -get_cred_kdc_la(krb5_context context, krb5_ccache id, krb5_kdc_flags flags, - krb5_creds *in_creds, krb5_creds *krbtgt, - krb5_creds *out_creds) -{ - krb5_error_code ret; - krb5_addresses addresses, *addrs = &addresses; - - krb5_get_all_client_addrs(context, &addresses); - /* XXX this sucks. 
*/
- if(addresses.len == 0)
- addrs = NULL;
- ret = get_cred_kdc(context, id, flags, addrs,
- in_creds, krbtgt, out_creds);
- krb5_free_addresses(context, &addresses);
- return ret;
-}
-
-krb5_error_code
-krb5_get_kdc_cred(krb5_context context,
- krb5_ccache id,
- krb5_kdc_flags flags,
- krb5_addresses *addresses,
- Ticket *second_ticket,
- krb5_creds *in_creds,
- krb5_creds **out_creds
- )
-{
- krb5_error_code ret;
- krb5_creds *krbtgt;
-
- *out_creds = calloc(1, sizeof(**out_creds));
- if(*out_creds == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
- ret = _krb5_get_krbtgt (context,
- id,
- in_creds->server->realm,
- &krbtgt);
- if(ret) {
- free(*out_creds);
- return ret;
- }
- ret = get_cred_kdc(context, id, flags, addresses,
- in_creds, krbtgt, *out_creds);
- krb5_free_creds (context, krbtgt);
- if(ret)
- free(*out_creds);
- return ret;
-}
-
-
-static krb5_error_code
-find_cred(krb5_context context,
- krb5_ccache id,
- krb5_principal server,
- krb5_creds **tgts,
- krb5_creds *out_creds)
-{
- krb5_error_code ret;
- krb5_creds mcreds;
- mcreds.server = server;
- ret = krb5_cc_retrieve_cred(context, id, KRB5_TC_DONT_MATCH_REALM,
- &mcreds, out_creds);
- if(ret == 0)
- return 0;
- while(tgts && *tgts){
- if(krb5_compare_creds(context, KRB5_TC_DONT_MATCH_REALM,
- &mcreds, *tgts)){
- ret = krb5_copy_creds_contents(context, *tgts, out_creds);
- return ret;
- }
- tgts++;
- }
- krb5_clear_error_string(context);
- return KRB5_CC_NOTFOUND;
-}
-
-static krb5_error_code
-add_cred(krb5_context context, krb5_creds ***tgts, krb5_creds *tkt)
-{
- int i;
- krb5_error_code ret;
- krb5_creds **tmp = *tgts;
-
- for(i = 0; tmp && tmp[i]; i++); /* XXX */
- tmp = realloc(tmp, (i+2)*sizeof(*tmp));
- if(tmp == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
- *tgts = tmp;
- ret = krb5_copy_creds(context, tkt, &tmp[i]);
- tmp[i+1] = NULL;
- return ret;
-}
-
-/*
-get_cred(server)
- creds = cc_get_cred(server)
- if(creds) return creds
- tgt = cc_get_cred(krbtgt/server_realm@any_realm)
- if(tgt)
- return get_cred_tgt(server, tgt)
- if(client_realm == server_realm)
- return NULL
- tgt = get_cred(krbtgt/server_realm@client_realm)
- while(tgt_inst != server_realm)
- tgt = get_cred(krbtgt/server_realm@tgt_inst)
- return get_cred_tgt(server, tgt)
- */
-
-static krb5_error_code
-get_cred_from_kdc_flags(krb5_context context,
- krb5_kdc_flags flags,
- krb5_ccache ccache,
- krb5_creds *in_creds,
- krb5_creds **out_creds,
- krb5_creds ***ret_tgts)
-{
- krb5_error_code ret;
- krb5_creds *tgt, tmp_creds;
- krb5_const_realm client_realm, server_realm, try_realm;
-
- *out_creds = NULL;
-
- client_realm = *krb5_princ_realm(context, in_creds->client);
- server_realm = *krb5_princ_realm(context, in_creds->server);
- memset(&tmp_creds, 0, sizeof(tmp_creds));
- ret = krb5_copy_principal(context, in_creds->client, &tmp_creds.client);
- if(ret)
- return ret;
-
- try_realm = krb5_config_get_string(context, NULL, "capaths",
- client_realm, server_realm, NULL);
-
-#if 1
- /* XXX remove in future release */
- if(try_realm == NULL)
- try_realm = krb5_config_get_string(context, NULL, "libdefaults",
- "capath", server_realm, NULL);
-#endif
-
- if (try_realm == NULL)
- try_realm = client_realm;
-
- ret = krb5_make_principal(context,
- &tmp_creds.server,
- try_realm,
- KRB5_TGS_NAME,
- server_realm,
- NULL);
- if(ret){
- krb5_free_principal(context, tmp_creds.client);
- return ret;
- }
- {
- krb5_creds tgts;
- /* XXX try krb5_cc_retrieve_cred first? */
- ret = find_cred(context, ccache, tmp_creds.server,
- *ret_tgts, &tgts);
- if(ret == 0){
- *out_creds = calloc(1, sizeof(**out_creds));
- if(*out_creds == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- ret = ENOMEM;
- } else {
- krb5_boolean noaddr;
-
- krb5_appdefault_boolean(context, NULL, tgts.server->realm,
- "no-addresses", FALSE, &noaddr);
-
- if (noaddr)
- ret = get_cred_kdc(context, ccache, flags, NULL,
- in_creds, &tgts, *out_creds);
- else
- ret = get_cred_kdc_la(context, ccache, flags,
- in_creds, &tgts, *out_creds);
- if (ret) {
- free (*out_creds);
- *out_creds = NULL;
- }
- }
- krb5_free_creds_contents(context, &tgts);
- krb5_free_principal(context, tmp_creds.server);
- krb5_free_principal(context, tmp_creds.client);
- return ret;
- }
- }
- if(krb5_realm_compare(context, in_creds->client, in_creds->server)) {
- krb5_clear_error_string (context);
- return KRB5_CC_NOTFOUND;
- }
- /* XXX this can loop forever */
- while(1){
- general_string tgt_inst;
-
- ret = get_cred_from_kdc_flags(context, flags, ccache, &tmp_creds,
- &tgt, ret_tgts);
- if(ret) {
- krb5_free_principal(context, tmp_creds.server);
- krb5_free_principal(context, tmp_creds.client);
- return ret;
- }
- ret = add_cred(context, ret_tgts, tgt);
- if(ret) {
- krb5_free_principal(context, tmp_creds.server);
- krb5_free_principal(context, tmp_creds.client);
- return ret;
- }
- tgt_inst = tgt->server->name.name_string.val[1];
- if(strcmp(tgt_inst, server_realm) == 0)
- break;
- krb5_free_principal(context, tmp_creds.server);
- ret = krb5_make_principal(context, &tmp_creds.server,
- tgt_inst, KRB5_TGS_NAME, server_realm, NULL);
- if(ret) {
- krb5_free_principal(context, tmp_creds.server);
- krb5_free_principal(context, tmp_creds.client);
- return ret;
- }
- ret = krb5_free_creds(context, tgt);
- if(ret) {
- krb5_free_principal(context, tmp_creds.server);
- krb5_free_principal(context, tmp_creds.client);
- return ret;
- }
- }
-
- krb5_free_principal(context, tmp_creds.server);
- krb5_free_principal(context, tmp_creds.client);
- *out_creds = calloc(1, sizeof(**out_creds));
- if(*out_creds == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- ret = ENOMEM;
- } else {
- krb5_boolean noaddr;
-
- krb5_appdefault_boolean(context, NULL, tgt->server->realm,
- "no-addresses", FALSE, &noaddr);
- if (noaddr)
- ret = get_cred_kdc (context, ccache, flags, NULL,
- in_creds, tgt, *out_creds);
- else
- ret = get_cred_kdc_la(context, ccache, flags,
- in_creds, tgt, *out_creds);
- if (ret) {
- free (*out_creds);
- *out_creds = NULL;
- }
- }
- krb5_free_creds(context, tgt);
- return ret;
-}
-
-krb5_error_code
-krb5_get_cred_from_kdc_opt(krb5_context context,
- krb5_ccache ccache,
- krb5_creds *in_creds,
- krb5_creds **out_creds,
- krb5_creds ***ret_tgts,
- krb5_flags flags)
-{
- krb5_kdc_flags f;
- f.i = flags;
- return get_cred_from_kdc_flags(context, f, ccache,
- in_creds, out_creds, ret_tgts);
-}
-
-krb5_error_code
-krb5_get_cred_from_kdc(krb5_context context,
- krb5_ccache ccache,
- krb5_creds *in_creds,
- krb5_creds **out_creds,
- krb5_creds ***ret_tgts)
-{
- return krb5_get_cred_from_kdc_opt(context, ccache,
- in_creds, out_creds, ret_tgts, 0);
-}
-
-
-krb5_error_code
-krb5_get_credentials_with_flags(krb5_context context,
- krb5_flags options,
- krb5_kdc_flags flags,
- krb5_ccache ccache,
- krb5_creds *in_creds,
- krb5_creds **out_creds)
-{
- krb5_error_code ret;
- krb5_creds **tgts;
- krb5_creds *res_creds;
- int i;
-
- *out_creds = NULL;
- res_creds = calloc(1, sizeof(*res_creds));
- if (res_creds == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
-
- ret = krb5_cc_retrieve_cred(context,
- ccache,
- in_creds->session.keytype ?
- KRB5_TC_MATCH_KEYTYPE : 0,
- in_creds, res_creds);
- if(ret == 0) {
- *out_creds = res_creds;
- return 0;
- }
- free(res_creds);
- if(ret != KRB5_CC_END)
- return ret;
- if(options & KRB5_GC_CACHED) {
- krb5_clear_error_string (context);
- return KRB5_CC_NOTFOUND;
- }
- if(options & KRB5_GC_USER_USER)
- flags.b.enc_tkt_in_skey = 1;
- tgts = NULL;
- ret = get_cred_from_kdc_flags(context, flags, ccache,
- in_creds, out_creds, &tgts);
- for(i = 0; tgts && tgts[i]; i++) {
- krb5_cc_store_cred(context, ccache, tgts[i]);
- krb5_free_creds(context, tgts[i]);
- }
- free(tgts);
- if(ret == 0 && flags.b.enc_tkt_in_skey == 0)
- krb5_cc_store_cred(context, ccache, *out_creds);
- return ret;
-}
-
-krb5_error_code
-krb5_get_credentials(krb5_context context,
- krb5_flags options,
- krb5_ccache ccache,
- krb5_creds *in_creds,
- krb5_creds **out_creds)
-{
- krb5_kdc_flags flags;
- flags.i = 0;
- return krb5_get_credentials_with_flags(context, options, flags,
- ccache, in_creds, out_creds);
-}
diff --git a/crypto/heimdal-0.6.3/lib/krb5/get_default_principal.c b/crypto/heimdal-0.6.3/lib/krb5/get_default_principal.c
deleted file mode 100644
index f8ed48f958..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/get_default_principal.c
+++ /dev/null
@@ -1,98 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-
-RCSID("$Id: get_default_principal.c,v 1.7 2001/05/14 06:14:46 assar Exp $");
-
-/*
- * Try to find out what's a reasonable default principal.
- */
-
-static const char*
-get_env_user(void)
-{
- const char *user = getenv("USER");
- if(user == NULL)
- user = getenv("LOGNAME");
- if(user == NULL)
- user = getenv("USERNAME");
- return user;
-}
-
-krb5_error_code
-krb5_get_default_principal (krb5_context context,
- krb5_principal *princ)
-{
- krb5_error_code ret;
- krb5_ccache id;
- const char *user;
- uid_t uid;
-
- ret = krb5_cc_default (context, &id);
- if (ret == 0) {
- ret = krb5_cc_get_principal (context, id, princ);
- krb5_cc_close (context, id);
- if (ret == 0)
- return 0;
- }
-
-
- uid = getuid();
- if(uid == 0) {
- user = getlogin();
- if(user == NULL)
- user = get_env_user();
- if(user != NULL && strcmp(user, "root") != 0)
- ret = krb5_make_principal(context, princ, NULL, user, "root", NULL);
- else
- ret = krb5_make_principal(context, princ, NULL, "root", NULL);
- } else {
- struct passwd *pw = getpwuid(uid);
- if(pw != NULL)
- user = pw->pw_name;
- else {
- user = get_env_user();
- if(user == NULL)
- user = getlogin();
- }
- if(user == NULL) {
- krb5_set_error_string(context,
- "unable to figure out current principal");
- return ENOTTY; /* XXX */
- }
- ret = krb5_make_principal(context, princ, NULL, user, NULL);
- }
-
- return ret;
-}
diff --git a/crypto/heimdal-0.6.3/lib/krb5/get_default_realm.c b/crypto/heimdal-0.6.3/lib/krb5/get_default_realm.c
deleted file mode 100644
index 74a880d144..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/get_default_realm.c
+++ /dev/null
@@ -1,84 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-
-RCSID("$Id: get_default_realm.c,v 1.10 2001/07/19 16:55:27 assar Exp $");
-
-/*
- * Return a NULL-terminated list of default realms in `realms'.
- * Free this memory with krb5_free_host_realm.
- */
-
-krb5_error_code
-krb5_get_default_realms (krb5_context context,
- krb5_realm **realms)
-{
- if (context->default_realms == NULL) {
- krb5_error_code ret = krb5_set_default_realm (context, NULL);
- if (ret)
- return KRB5_CONFIG_NODEFREALM;
- }
-
- return krb5_copy_host_realm (context,
- context->default_realms,
- realms);
-}
-
-/*
- * Return the first default realm. For compatability.
- */
-
-krb5_error_code
-krb5_get_default_realm(krb5_context context,
- krb5_realm *realm)
-{
- char *res;
-
- if (context->default_realms == NULL
- || context->default_realms[0] == NULL) {
- krb5_error_code ret = krb5_set_default_realm (context, NULL);
- if (ret) {
- krb5_set_error_string(context, "no default realm configured");
- return KRB5_CONFIG_NODEFREALM;
- }
- }
-
- res = strdup (context->default_realms[0]);
- if (res == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
- *realm = res;
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/lib/krb5/get_for_creds.c b/crypto/heimdal-0.6.3/lib/krb5/get_for_creds.c
deleted file mode 100644
index 6bdffe5500..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/get_for_creds.c
+++ /dev/null
@@ -1,413 +0,0 @@
-/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include
-
-RCSID("$Id: get_for_creds.c,v 1.34.4.1 2004/01/09 00:51:55 lha Exp $");
-
-static krb5_error_code
-add_addrs(krb5_context context,
- krb5_addresses *addr,
- struct addrinfo *ai)
-{
- krb5_error_code ret;
- unsigned n, i;
- void *tmp;
- struct addrinfo *a;
-
- n = 0;
- for (a = ai; a != NULL; a = a->ai_next)
- ++n;
-
- tmp = realloc(addr->val, (addr->len + n) * sizeof(*addr->val));
- if (tmp == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- ret = ENOMEM;
- goto fail;
- }
- addr->val = tmp;
- for (i = addr->len; i < (addr->len + n); ++i) {
- addr->val[i].addr_type = 0;
- krb5_data_zero(&addr->val[i].address);
- }
- i = addr->len;
- for (a = ai; a != NULL; a = a->ai_next) {
- krb5_address ad;
-
- ret = krb5_sockaddr2address (context, a->ai_addr, &ad);
- if (ret == 0) {
- if (krb5_address_search(context, &ad, addr))
- krb5_free_address(context, &ad);
- else
- addr->val[i++] = ad;
- }
- else if (ret == KRB5_PROG_ATYPE_NOSUPP)
- krb5_clear_error_string (context);
- else
- goto fail;
- addr->len = i;
- }
- return 0;
-fail:
- krb5_free_addresses (context, addr);
- return ret;
-}
-
-/*
- * Forward credentials for `client' to host `hostname`,
- * making them forwardable if `forwardable', and returning the
- * blob of data to sent in `out_data'.
- * If hostname == NULL, pick it from `server'
- */
-
-krb5_error_code
-krb5_fwd_tgt_creds (krb5_context context,
- krb5_auth_context auth_context,
- const char *hostname,
- krb5_principal client,
- krb5_principal server,
- krb5_ccache ccache,
- int forwardable,
- krb5_data *out_data)
-{
- krb5_flags flags = 0;
- krb5_creds creds;
- krb5_error_code ret;
- krb5_const_realm client_realm;
-
- flags |= KDC_OPT_FORWARDED;
-
- if (forwardable)
- flags |= KDC_OPT_FORWARDABLE;
-
- if (hostname == NULL &&
- krb5_principal_get_type(context, server) == KRB5_NT_SRV_HST) {
- const char *inst = krb5_principal_get_comp_string(context, server, 0);
- const char *host = krb5_principal_get_comp_string(context, server, 1);
-
- if (inst != NULL &&
- strcmp(inst, "host") == 0 &&
- host != NULL &&
- krb5_principal_get_comp_string(context, server, 2) == NULL)
- hostname = host;
- }
-
- client_realm = krb5_principal_get_realm(context, client);
-
- memset (&creds, 0, sizeof(creds));
- creds.client = client;
-
- ret = krb5_build_principal(context,
- &creds.server,
- strlen(client_realm),
- client_realm,
- KRB5_TGS_NAME,
- client_realm,
- NULL);
- if (ret)
- return ret;
-
- ret = krb5_get_forwarded_creds (context,
- auth_context,
- ccache,
- flags,
- hostname,
- &creds,
- out_data);
- return ret;
-}
-
-/*
- *
- */
-
-krb5_error_code
-krb5_get_forwarded_creds (krb5_context context,
- krb5_auth_context auth_context,
- krb5_ccache ccache,
- krb5_flags flags,
- const char *hostname,
- krb5_creds *in_creds,
- krb5_data *out_data)
-{
- krb5_error_code ret;
- krb5_creds *out_creds;
- krb5_addresses addrs, *paddrs;
- KRB_CRED cred;
- KrbCredInfo *krb_cred_info;
- EncKrbCredPart enc_krb_cred_part;
- size_t len;
- unsigned char *buf;
- size_t buf_size;
- krb5_kdc_flags kdc_flags;
- krb5_crypto crypto;
- struct addrinfo *ai;
- int save_errno;
- krb5_keyblock *key;
- krb5_creds *ticket;
- char *realm;
-
- if (in_creds->client && in_creds->client->realm)
- realm = in_creds->client->realm;
- else
- realm = in_creds->server->realm;
-
- addrs.len = 0;
- addrs.val = NULL;
- paddrs = &addrs;
-
- /*
- * If tickets are address-less, forward address-less tickets.
- */
-
- ret = _krb5_get_krbtgt (context,
- ccache,
- realm,
- &ticket);
- if(ret == 0) {
- if (ticket->addresses.len == 0)
- paddrs = NULL;
- krb5_free_creds (context, ticket);
- }
-
- if (paddrs != NULL) {
-
- ret = getaddrinfo (hostname, NULL, NULL, &ai);
- if (ret) {
- save_errno = errno;
- krb5_set_error_string(context, "resolving %s: %s",
- hostname, gai_strerror(ret));
- return krb5_eai_to_heim_errno(ret, save_errno);
- }
-
- ret = add_addrs (context, &addrs, ai);
- freeaddrinfo (ai);
- if (ret)
- return ret;
- }
-
- kdc_flags.i = flags;
-
- ret = krb5_get_kdc_cred (context,
- ccache,
- kdc_flags,
- paddrs,
- NULL,
- in_creds,
- &out_creds);
- krb5_free_addresses (context, &addrs);
- if (ret) {
- return ret;
- }
-
- memset (&cred, 0, sizeof(cred));
- cred.pvno = 5;
- cred.msg_type = krb_cred;
- ALLOC_SEQ(&cred.tickets, 1);
- if (cred.tickets.val == NULL) {
- ret = ENOMEM;
- krb5_set_error_string(context, "malloc: out of memory");
- goto out2;
- }
- ret = decode_Ticket(out_creds->ticket.data,
- out_creds->ticket.length,
- cred.tickets.val, &len);
- if (ret)
- goto out3;
-
- memset (&enc_krb_cred_part, 0, sizeof(enc_krb_cred_part));
- ALLOC_SEQ(&enc_krb_cred_part.ticket_info, 1);
- if (enc_krb_cred_part.ticket_info.val == NULL) {
- ret = ENOMEM;
- krb5_set_error_string(context, "malloc: out of memory");
- goto out4;
- }
-
- if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
- int32_t sec, usec;
-
- krb5_us_timeofday (context, &sec, &usec);
-
- ALLOC(enc_krb_cred_part.timestamp, 1);
- if (enc_krb_cred_part.timestamp == NULL) {
- ret = ENOMEM;
- krb5_set_error_string(context, "malloc: out of memory");
- goto out4;
- }
- *enc_krb_cred_part.timestamp = sec;
- ALLOC(enc_krb_cred_part.usec, 1);
- if (enc_krb_cred_part.usec == NULL) {
- ret = ENOMEM;
- krb5_set_error_string(context, "malloc: out of memory");
- goto out4;
- }
- *enc_krb_cred_part.usec = usec;
- } else {
- enc_krb_cred_part.timestamp = NULL;
- enc_krb_cred_part.usec = NULL;
- }
-
- if (auth_context->local_address && auth_context->local_port) {
- krb5_boolean noaddr;
- krb5_const_realm realm;
-
- realm = krb5_principal_get_realm(context, out_creds->server);
- krb5_appdefault_boolean(context, NULL, realm, "no-addresses", FALSE,
- &noaddr);
- if (!noaddr) {
- ret = krb5_make_addrport (context,
- &enc_krb_cred_part.s_address,
- auth_context->local_address,
- auth_context->local_port);
- if (ret)
- goto out4;
- }
- }
-
- if (auth_context->remote_address) {
- if (auth_context->remote_port) {
- krb5_boolean noaddr;
- krb5_const_realm realm;
-
- realm = krb5_principal_get_realm(context, out_creds->server);
- krb5_appdefault_boolean(context, NULL, realm, "no-addresses",
- FALSE, &noaddr);
- if (!noaddr) {
- ret = krb5_make_addrport (context,
- &enc_krb_cred_part.r_address,
- auth_context->remote_address,
- auth_context->remote_port);
- if (ret)
- goto out4;
- }
- } else {
- ALLOC(enc_krb_cred_part.r_address, 1);
- if (enc_krb_cred_part.r_address == NULL) {
- ret = ENOMEM;
- krb5_set_error_string(context, "malloc: out of memory");
- goto out4;
- }
-
- ret = krb5_copy_address (context, auth_context->remote_address,
- enc_krb_cred_part.r_address);
- if (ret)
- goto out4;
- }
- }
-
- /* fill ticket_info.val[0] */
-
- enc_krb_cred_part.ticket_info.len = 1;
-
- krb_cred_info = enc_krb_cred_part.ticket_info.val;
-
- copy_EncryptionKey (&out_creds->session, &krb_cred_info->key);
- ALLOC(krb_cred_info->prealm, 1);
- copy_Realm (&out_creds->client->realm, krb_cred_info->prealm);
- ALLOC(krb_cred_info->pname, 1);
- copy_PrincipalName(&out_creds->client->name, krb_cred_info->pname);
- ALLOC(krb_cred_info->flags, 1);
- *krb_cred_info->flags = out_creds->flags.b;
- ALLOC(krb_cred_info->authtime, 1);
- *krb_cred_info->authtime = out_creds->times.authtime;
- ALLOC(krb_cred_info->starttime, 1);
- *krb_cred_info->starttime = out_creds->times.starttime;
- ALLOC(krb_cred_info->endtime, 1);
- *krb_cred_info->endtime = out_creds->times.endtime;
- ALLOC(krb_cred_info->renew_till, 1);
- *krb_cred_info->renew_till = out_creds->times.renew_till;
- ALLOC(krb_cred_info->srealm, 1);
- copy_Realm (&out_creds->server->realm, krb_cred_info->srealm);
- ALLOC(krb_cred_info->sname, 1);
- copy_PrincipalName (&out_creds->server->name, krb_cred_info->sname);
- ALLOC(krb_cred_info->caddr, 1);
- copy_HostAddresses (&out_creds->addresses, krb_cred_info->caddr);
-
- krb5_free_creds (context, out_creds);
-
- /* encode EncKrbCredPart */
-
- ASN1_MALLOC_ENCODE(EncKrbCredPart, buf, buf_size,
- &enc_krb_cred_part, &len, ret);
- free_EncKrbCredPart (&enc_krb_cred_part);
- if (ret) {
- free_KRB_CRED(&cred);
- return ret;
- }
- if(buf_size != len)
- krb5_abortx(context, "internal error in ASN.1 encoder");
-
- if (auth_context->local_subkey)
- key = auth_context->local_subkey;
- else if (auth_context->remote_subkey)
- key = auth_context->remote_subkey;
- else
- key = auth_context->keyblock;
-
- ret = krb5_crypto_init(context, key, 0, &crypto);
- if (ret) {
- free(buf);
- free_KRB_CRED(&cred);
- return ret;
- }
- ret = krb5_encrypt_EncryptedData (context,
- crypto,
- KRB5_KU_KRB_CRED,
- buf,
- len,
- 0,
- &cred.enc_part);
- free(buf);
- krb5_crypto_destroy(context, crypto);
- if (ret) {
- free_KRB_CRED(&cred);
- return ret;
- }
-
- ASN1_MALLOC_ENCODE(KRB_CRED, buf, buf_size, &cred, &len, ret);
- free_KRB_CRED (&cred);
- if (ret)
- return ret;
- if(buf_size != len)
- krb5_abortx(context, "internal error in ASN.1 encoder");
- out_data->length = len;
- out_data->data = buf;
- return 0;
- out4:
- free_EncKrbCredPart(&enc_krb_cred_part);
- out3:
- free_KRB_CRED(&cred);
- out2:
- krb5_free_creds (context, out_creds);
- return ret;
-}
diff --git a/crypto/heimdal-0.6.3/lib/krb5/get_host_realm.c b/crypto/heimdal-0.6.3/lib/krb5/get_host_realm.c
deleted file mode 100644
index f2b4280f8b..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/get_host_realm.c
+++ /dev/null
@@ -1,220 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-#include
-
-RCSID("$Id: get_host_realm.c,v 1.29 2002/08/28 13:36:57 nectar Exp $");
-
-/* To automagically find the correct realm of a host (without
- * [domain_realm] in krb5.conf) add a text record for your domain with
- * the name of your realm, like this:
- *
- * _kerberos IN TXT "FOO.SE"
- *
- * The search is recursive, so you can add entries for specific
- * hosts. To find the realm of host a.b.c, it first tries
- * _kerberos.a.b.c, then _kerberos.b.c and so on.
- *
- * This method is described in draft-ietf-cat-krb-dns-locate-03.txt.
- *
- */
-
-static int
-copy_txt_to_realms (struct resource_record *head,
- krb5_realm **realms)
-{
- struct resource_record *rr;
- int n, i;
-
- for(n = 0, rr = head; rr; rr = rr->next)
- if (rr->type == T_TXT)
- ++n;
-
- if (n == 0)
- return -1;
-
- *realms = malloc ((n + 1) * sizeof(krb5_realm));
- if (*realms == NULL)
- return -1;
-
- for (i = 0; i < n + 1; ++i)
- (*realms)[i] = NULL;
-
- for (i = 0, rr = head; rr; rr = rr->next) {
- if (rr->type == T_TXT) {
- char *tmp;
-
- tmp = strdup(rr->u.txt);
- if (tmp == NULL) {
- for (i = 0; i < n; ++i)
- free ((*realms)[i]);
- free (*realms);
- return -1;
- }
- (*realms)[i] = tmp;
- ++i;
- }
- }
- return 0;
-}
-
-static int
-dns_find_realm(krb5_context context,
- const char *domain,
- krb5_realm **realms)
-{
- static char *default_labels[] = { "_kerberos", NULL };
- char dom[MAXHOSTNAMELEN];
- struct dns_reply *r;
- char **labels;
- int i, ret;
-
- labels = krb5_config_get_strings(context, NULL, "libdefaults",
- "dns_lookup_realm_labels", NULL);
- if(labels == NULL)
- labels = default_labels;
- if(*domain == '.')
- domain++;
- for (i = 0; labels[i] != NULL; i++) {
- if(snprintf(dom, sizeof(dom), "%s.%s.", labels[i], domain) >=
- sizeof(dom))
- return -1;
- r = dns_lookup(dom, "TXT");
- if(r != NULL) {
- ret = copy_txt_to_realms (r->head, realms);
- dns_free_data(r);
- if(ret == 0)
- return 0;
- }
- }
- return -1;
-}
-
-/*
- * Try to figure out what realms host in `domain' belong to from the
- * configuration file.
- */
-
-static int
-config_find_realm(krb5_context context,
- const char *domain,
- krb5_realm **realms)
-{
- char **tmp = krb5_config_get_strings (context, NULL,
- "domain_realm",
- domain,
- NULL);
-
- if (tmp == NULL)
- return -1;
- *realms = tmp;
- return 0;
-}
-
-/*
- * This function assumes that `host' is a FQDN (and doesn't handle the
- * special case of host == NULL either).
- * Try to find mapping in the config file or DNS and it that fails,
- * fall back to guessing
- */
-
-krb5_error_code
-krb5_get_host_realm_int (krb5_context context,
- const char *host,
- krb5_boolean use_dns,
- krb5_realm **realms)
-{
- const char *p, *q;
- krb5_boolean dns_locate_enable;
-
- dns_locate_enable = krb5_config_get_bool_default(context, NULL, TRUE,
- "libdefaults", "dns_lookup_realm", NULL);
- for (p = host; p != NULL; p = strchr (p + 1, '.')) {
- if(config_find_realm(context, p, realms) == 0) {
- if(strcasecmp(*realms[0], "dns_locate") == 0) {
- if(use_dns)
- for (q = host; q != NULL; q = strchr(q + 1, '.'))
- if(dns_find_realm(context, q, realms) == 0)
- return 0;
- continue;
- } else
- return 0;
- }
- else if(use_dns && dns_locate_enable) {
- if(dns_find_realm(context, p, realms) == 0)
- return 0;
- }
- }
- p = strchr(host, '.');
- if(p != NULL) {
- p++;
- *realms = malloc(2 * sizeof(krb5_realm));
- if (*realms == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
-
- (*realms)[0] = strdup(p);
- if((*realms)[0] == NULL) {
- free(*realms);
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
- strupr((*realms)[0]);
- (*realms)[1] = NULL;
- return 0;
- }
- krb5_set_error_string(context, "unable to find realm of host %s", host);
- return KRB5_ERR_HOST_REALM_UNKNOWN;
-}
-
-/*
- * Return the realm(s) of `host' as a NULL-terminated list in `realms'.
- */
-
-krb5_error_code
-krb5_get_host_realm(krb5_context context,
- const char *host,
- krb5_realm **realms)
-{
- char hostname[MAXHOSTNAMELEN];
-
- if (host == NULL) {
- if (gethostname (hostname, sizeof(hostname)))
- return errno;
- host = hostname;
- }
-
- return krb5_get_host_realm_int (context, host, 1, realms);
-}
diff --git a/crypto/heimdal-0.6.3/lib/krb5/get_in_tkt.c b/crypto/heimdal-0.6.3/lib/krb5/get_in_tkt.c
deleted file mode 100644
index 88943e7e0f..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/get_in_tkt.c
+++ /dev/null
@@ -1,827 +0,0 @@ -/* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "krb5_locl.h" - -RCSID("$Id: get_in_tkt.c,v 1.107.2.1 2003/09/18 21:00:09 lha Exp $"); - -krb5_error_code -krb5_init_etype (krb5_context context, - unsigned *len, - krb5_enctype **val, - const krb5_enctype *etypes) -{ - int i; - krb5_error_code ret; - krb5_enctype *tmp = NULL; - - ret = 0; - if (etypes == NULL) { - ret = krb5_get_default_in_tkt_etypes(context, - &tmp); - if (ret) - return ret; - etypes = tmp; - } - - for (i = 0; etypes[i]; ++i) - ; - *len = i; - *val = malloc(i * sizeof(**val)); - if (i != 0 && *val == NULL) { - ret = ENOMEM; - krb5_set_error_string(context, "malloc: out of memory"); - goto cleanup; - } - memmove (*val, - etypes, - i * sizeof(*tmp)); -cleanup: - if (tmp != NULL) - free (tmp); - return ret; -} - - -static krb5_error_code -decrypt_tkt (krb5_context context, - krb5_keyblock *key, - krb5_key_usage usage, - krb5_const_pointer decrypt_arg, - krb5_kdc_rep *dec_rep) -{ - krb5_error_code ret; - krb5_data data; - size_t size; - krb5_crypto crypto; - - ret = krb5_crypto_init(context, key, 0, &crypto); - if (ret) - return ret; - - ret = krb5_decrypt_EncryptedData (context, - crypto, - usage, - &dec_rep->kdc_rep.enc_part, - &data); - krb5_crypto_destroy(context, crypto); - - if (ret) - return ret; - - ret = krb5_decode_EncASRepPart(context, - data.data, - data.length, - &dec_rep->enc_part, - &size); - if (ret) - ret = krb5_decode_EncTGSRepPart(context, - data.data, - data.length, - &dec_rep->enc_part, - &size); - krb5_data_free (&data); - if (ret) - return ret; - return 0; -} - -int -_krb5_extract_ticket(krb5_context context, - krb5_kdc_rep *rep, - krb5_creds *creds, - krb5_keyblock *key, - krb5_const_pointer keyseed, - krb5_key_usage key_usage, - krb5_addresses *addrs, - unsigned nonce, - krb5_boolean allow_server_mismatch, - krb5_boolean ignore_cname, - krb5_decrypt_proc decrypt_proc, - krb5_const_pointer decryptarg) -{ - krb5_error_code ret; - krb5_principal tmp_principal; - int tmp; - time_t tmp_time; - krb5_timestamp 
sec_now; - - ret = principalname2krb5_principal (&tmp_principal, - rep->kdc_rep.cname, - rep->kdc_rep.crealm); - if (ret) - goto out; - - /* compare client */ - - if (!ignore_cname) { - tmp = krb5_principal_compare (context, tmp_principal, creds->client); - if (!tmp) { - krb5_free_principal (context, tmp_principal); - krb5_clear_error_string (context); - ret = KRB5KRB_AP_ERR_MODIFIED; - goto out; - } - } - - krb5_free_principal (context, creds->client); - creds->client = tmp_principal; - - /* extract ticket */ - ASN1_MALLOC_ENCODE(Ticket, creds->ticket.data, creds->ticket.length, - &rep->kdc_rep.ticket, &creds->ticket.length, ret); - if(ret) - goto out; - creds->second_ticket.length = 0; - creds->second_ticket.data = NULL; - - /* compare server */ - - ret = principalname2krb5_principal (&tmp_principal, - rep->kdc_rep.ticket.sname, - rep->kdc_rep.ticket.realm); - if (ret) - goto out; - if(allow_server_mismatch){ - krb5_free_principal(context, creds->server); - creds->server = tmp_principal; - tmp_principal = NULL; - }else{ - tmp = krb5_principal_compare (context, tmp_principal, creds->server); - krb5_free_principal (context, tmp_principal); - if (!tmp) { - ret = KRB5KRB_AP_ERR_MODIFIED; - krb5_clear_error_string (context); - goto out; - } - } - - /* decrypt */ - - if (decrypt_proc == NULL) - decrypt_proc = decrypt_tkt; - - ret = (*decrypt_proc)(context, key, key_usage, decryptarg, rep); - if (ret) - goto out; - -#if 0 - /* XXX should this decode be here, or in the decrypt_proc? 
*/ - ret = krb5_decode_keyblock(context, &rep->enc_part.key, 1); - if(ret) - goto out; -#endif - - /* compare nonces */ - - if (nonce != rep->enc_part.nonce) { - ret = KRB5KRB_AP_ERR_MODIFIED; - krb5_set_error_string(context, "malloc: out of memory"); - goto out; - } - - /* set kdc-offset */ - - krb5_timeofday (context, &sec_now); - if (rep->enc_part.flags.initial - && context->kdc_sec_offset == 0 - && krb5_config_get_bool (context, NULL, - "libdefaults", - "kdc_timesync", - NULL)) { - context->kdc_sec_offset = rep->enc_part.authtime - sec_now; - krb5_timeofday (context, &sec_now); - } - - /* check all times */ - - if (rep->enc_part.starttime) { - tmp_time = *rep->enc_part.starttime; - } else - tmp_time = rep->enc_part.authtime; - - if (creds->times.starttime == 0 - && abs(tmp_time - sec_now) > context->max_skew) { - ret = KRB5KRB_AP_ERR_SKEW; - krb5_set_error_string (context, - "time skew (%d) larger than max (%d)", - abs(tmp_time - sec_now), - (int)context->max_skew); - goto out; - } - - if (creds->times.starttime != 0 - && tmp_time != creds->times.starttime) { - krb5_clear_error_string (context); - ret = KRB5KRB_AP_ERR_MODIFIED; - goto out; - } - - creds->times.starttime = tmp_time; - - if (rep->enc_part.renew_till) { - tmp_time = *rep->enc_part.renew_till; - } else - tmp_time = 0; - - if (creds->times.renew_till != 0 - && tmp_time > creds->times.renew_till) { - krb5_clear_error_string (context); - ret = KRB5KRB_AP_ERR_MODIFIED; - goto out; - } - - creds->times.renew_till = tmp_time; - - creds->times.authtime = rep->enc_part.authtime; - - if (creds->times.endtime != 0 - && rep->enc_part.endtime > creds->times.endtime) { - krb5_clear_error_string (context); - ret = KRB5KRB_AP_ERR_MODIFIED; - goto out; - } - - creds->times.endtime = rep->enc_part.endtime; - - if(rep->enc_part.caddr) - krb5_copy_addresses (context, rep->enc_part.caddr, &creds->addresses); - else if(addrs) - krb5_copy_addresses (context, addrs, &creds->addresses); - else { - creds->addresses.len = 
0; - creds->addresses.val = NULL; - } - creds->flags.b = rep->enc_part.flags; - - creds->authdata.len = 0; - creds->authdata.val = NULL; - creds->session.keyvalue.length = 0; - creds->session.keyvalue.data = NULL; - creds->session.keytype = rep->enc_part.key.keytype; - ret = krb5_data_copy (&creds->session.keyvalue, - rep->enc_part.key.keyvalue.data, - rep->enc_part.key.keyvalue.length); - -out: - memset (rep->enc_part.key.keyvalue.data, 0, - rep->enc_part.key.keyvalue.length); - return ret; -} - - -static krb5_error_code -make_pa_enc_timestamp(krb5_context context, PA_DATA *pa, - krb5_enctype etype, krb5_keyblock *key) -{ - PA_ENC_TS_ENC p; - unsigned char *buf; - size_t buf_size; - size_t len; - EncryptedData encdata; - krb5_error_code ret; - int32_t sec, usec; - int usec2; - krb5_crypto crypto; - - krb5_us_timeofday (context, &sec, &usec); - p.patimestamp = sec; - usec2 = usec; - p.pausec = &usec2; - - ASN1_MALLOC_ENCODE(PA_ENC_TS_ENC, buf, buf_size, &p, &len, ret); - if (ret) - return ret; - if(buf_size != len) - krb5_abortx(context, "internal error in ASN.1 encoder"); - ret = krb5_crypto_init(context, key, 0, &crypto); - if (ret) { - free(buf); - return ret; - } - ret = krb5_encrypt_EncryptedData(context, - crypto, - KRB5_KU_PA_ENC_TIMESTAMP, - buf, - len, - 0, - &encdata); - free(buf); - krb5_crypto_destroy(context, crypto); - if (ret) - return ret; - - ASN1_MALLOC_ENCODE(EncryptedData, buf, buf_size, &encdata, &len, ret); - free_EncryptedData(&encdata); - if (ret) - return ret; - if(buf_size != len) - krb5_abortx(context, "internal error in ASN.1 encoder"); - pa->padata_type = KRB5_PADATA_ENC_TIMESTAMP; - pa->padata_value.length = len; - pa->padata_value.data = buf; - return 0; -} - -static krb5_error_code -add_padata(krb5_context context, - METHOD_DATA *md, - krb5_principal client, - krb5_key_proc key_proc, - krb5_const_pointer keyseed, - krb5_enctype *enctypes, - unsigned netypes, - krb5_salt *salt) -{ - krb5_error_code ret; - PA_DATA *pa2; - krb5_salt 
salt2; - krb5_enctype *ep; - int i; - - if(salt == NULL) { - /* default to standard salt */ - ret = krb5_get_pw_salt (context, client, &salt2); - salt = &salt2; - } - if (!enctypes) { - enctypes = context->etypes; - netypes = 0; - for (ep = enctypes; *ep != ETYPE_NULL; ep++) - netypes++; - } - pa2 = realloc (md->val, (md->len + netypes) * sizeof(*md->val)); - if (pa2 == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - md->val = pa2; - - for (i = 0; i < netypes; ++i) { - krb5_keyblock *key; - - ret = (*key_proc)(context, enctypes[i], *salt, keyseed, &key); - if (ret) - continue; - ret = make_pa_enc_timestamp (context, &md->val[md->len], - enctypes[i], key); - krb5_free_keyblock (context, key); - if (ret) - return ret; - ++md->len; - } - if(salt == &salt2) - krb5_free_salt(context, salt2); - return 0; -} - -static krb5_error_code -init_as_req (krb5_context context, - krb5_kdc_flags opts, - krb5_creds *creds, - const krb5_addresses *addrs, - const krb5_enctype *etypes, - const krb5_preauthtype *ptypes, - const krb5_preauthdata *preauth, - krb5_key_proc key_proc, - krb5_const_pointer keyseed, - unsigned nonce, - AS_REQ *a) -{ - krb5_error_code ret; - krb5_salt salt; - - memset(a, 0, sizeof(*a)); - - a->pvno = 5; - a->msg_type = krb_as_req; - a->req_body.kdc_options = opts.b; - a->req_body.cname = malloc(sizeof(*a->req_body.cname)); - if (a->req_body.cname == NULL) { - ret = ENOMEM; - krb5_set_error_string(context, "malloc: out of memory"); - goto fail; - } - a->req_body.sname = malloc(sizeof(*a->req_body.sname)); - if (a->req_body.sname == NULL) { - ret = ENOMEM; - krb5_set_error_string(context, "malloc: out of memory"); - goto fail; - } - ret = krb5_principal2principalname (a->req_body.cname, creds->client); - if (ret) - goto fail; - ret = krb5_principal2principalname (a->req_body.sname, creds->server); - if (ret) - goto fail; - ret = copy_Realm(&creds->client->realm, &a->req_body.realm); - if (ret) - goto fail; - - 
if(creds->times.starttime) { - a->req_body.from = malloc(sizeof(*a->req_body.from)); - if (a->req_body.from == NULL) { - ret = ENOMEM; - krb5_set_error_string(context, "malloc: out of memory"); - goto fail; - } - *a->req_body.from = creds->times.starttime; - } - if(creds->times.endtime){ - ALLOC(a->req_body.till, 1); - *a->req_body.till = creds->times.endtime; - } - if(creds->times.renew_till){ - a->req_body.rtime = malloc(sizeof(*a->req_body.rtime)); - if (a->req_body.rtime == NULL) { - ret = ENOMEM; - krb5_set_error_string(context, "malloc: out of memory"); - goto fail; - } - *a->req_body.rtime = creds->times.renew_till; - } - a->req_body.nonce = nonce; - ret = krb5_init_etype (context, - &a->req_body.etype.len, - &a->req_body.etype.val, - etypes); - if (ret) - goto fail; - - /* - * This means no addresses - */ - - if (addrs && addrs->len == 0) { - a->req_body.addresses = NULL; - } else { - a->req_body.addresses = malloc(sizeof(*a->req_body.addresses)); - if (a->req_body.addresses == NULL) { - ret = ENOMEM; - krb5_set_error_string(context, "malloc: out of memory"); - goto fail; - } - - if (addrs) - ret = krb5_copy_addresses(context, addrs, a->req_body.addresses); - else { - ret = krb5_get_all_client_addrs (context, a->req_body.addresses); - if(ret == 0 && a->req_body.addresses->len == 0) { - free(a->req_body.addresses); - a->req_body.addresses = NULL; - } - } - if (ret) - return ret; - } - - a->req_body.enc_authorization_data = NULL; - a->req_body.additional_tickets = NULL; - - if(preauth != NULL) { - int i; - ALLOC(a->padata, 1); - if(a->padata == NULL) { - ret = ENOMEM; - krb5_set_error_string(context, "malloc: out of memory"); - goto fail; - } - for(i = 0; i < preauth->len; i++) { - if(preauth->val[i].type == KRB5_PADATA_ENC_TIMESTAMP){ - int j; - PA_DATA *tmp = realloc(a->padata->val, - (a->padata->len + - preauth->val[i].info.len) * - sizeof(*a->padata->val)); - if(tmp == NULL) { - ret = ENOMEM; - krb5_set_error_string(context, "malloc: out of memory"); - 
goto fail; - } - a->padata->val = tmp; - for(j = 0; j < preauth->val[i].info.len; j++) { - krb5_salt *sp = &salt; - if(preauth->val[i].info.val[j].salttype) - salt.salttype = *preauth->val[i].info.val[j].salttype; - else - salt.salttype = KRB5_PW_SALT; - if(preauth->val[i].info.val[j].salt) - salt.saltvalue = *preauth->val[i].info.val[j].salt; - else - if(salt.salttype == KRB5_PW_SALT) - sp = NULL; - else - krb5_data_zero(&salt.saltvalue); - ret = add_padata(context, a->padata, creds->client, - key_proc, keyseed, - &preauth->val[i].info.val[j].etype, 1, - sp); - if (ret == 0) - break; - } - } - } - } else - /* not sure this is the way to use `ptypes' */ - if (ptypes == NULL || *ptypes == KRB5_PADATA_NONE) - a->padata = NULL; - else if (*ptypes == KRB5_PADATA_ENC_TIMESTAMP) { - ALLOC(a->padata, 1); - if (a->padata == NULL) { - ret = ENOMEM; - krb5_set_error_string(context, "malloc: out of memory"); - goto fail; - } - a->padata->len = 0; - a->padata->val = NULL; - - /* make a v5 salted pa-data */ - add_padata(context, a->padata, creds->client, - key_proc, keyseed, a->req_body.etype.val, - a->req_body.etype.len, NULL); - - /* make a v4 salted pa-data */ - salt.salttype = KRB5_PW_SALT; - krb5_data_zero(&salt.saltvalue); - add_padata(context, a->padata, creds->client, - key_proc, keyseed, a->req_body.etype.val, - a->req_body.etype.len, &salt); - } else { - krb5_set_error_string (context, "pre-auth type %d not supported", - *ptypes); - ret = KRB5_PREAUTH_BAD_TYPE; - goto fail; - } - return 0; -fail: - free_AS_REQ(a); - return ret; -} - -static int -set_ptypes(krb5_context context, - KRB_ERROR *error, - krb5_preauthtype **ptypes, - krb5_preauthdata **preauth) -{ - static krb5_preauthdata preauth2; - static krb5_preauthtype ptypes2[] = { KRB5_PADATA_ENC_TIMESTAMP, KRB5_PADATA_NONE }; - - if(error->e_data) { - METHOD_DATA md; - int i; - decode_METHOD_DATA(error->e_data->data, - error->e_data->length, - &md, - NULL); - for(i = 0; i < md.len; i++){ - 
switch(md.val[i].padata_type){ - case KRB5_PADATA_ENC_TIMESTAMP: - *ptypes = ptypes2; - break; - case KRB5_PADATA_ETYPE_INFO: - *preauth = &preauth2; - ALLOC_SEQ(*preauth, 1); - (*preauth)->val[0].type = KRB5_PADATA_ENC_TIMESTAMP; - krb5_decode_ETYPE_INFO(context, - md.val[i].padata_value.data, - md.val[i].padata_value.length, - &(*preauth)->val[0].info, - NULL); - break; - default: - break; - } - } - free_METHOD_DATA(&md); - } else { - *ptypes = ptypes2; - } - return(1); -} - -krb5_error_code -krb5_get_in_cred(krb5_context context, - krb5_flags options, - const krb5_addresses *addrs, - const krb5_enctype *etypes, - const krb5_preauthtype *ptypes, - const krb5_preauthdata *preauth, - krb5_key_proc key_proc, - krb5_const_pointer keyseed, - krb5_decrypt_proc decrypt_proc, - krb5_const_pointer decryptarg, - krb5_creds *creds, - krb5_kdc_rep *ret_as_reply) -{ - krb5_error_code ret; - AS_REQ a; - krb5_kdc_rep rep; - krb5_data req, resp; - size_t len; - krb5_salt salt; - krb5_keyblock *key; - size_t size; - krb5_kdc_flags opts; - PA_DATA *pa; - krb5_enctype etype; - krb5_preauthdata *my_preauth = NULL; - unsigned nonce; - int done; - - opts.i = options; - - krb5_generate_random_block (&nonce, sizeof(nonce)); - nonce &= 0xffffffff; - - do { - done = 1; - ret = init_as_req (context, - opts, - creds, - addrs, - etypes, - ptypes, - preauth, - key_proc, - keyseed, - nonce, - &a); - if (my_preauth) { - free_ETYPE_INFO(&my_preauth->val[0].info); - free (my_preauth->val); - } - if (ret) - return ret; - - ASN1_MALLOC_ENCODE(AS_REQ, req.data, req.length, &a, &len, ret); - free_AS_REQ(&a); - if (ret) - return ret; - if(len != req.length) - krb5_abortx(context, "internal error in ASN.1 encoder"); - - ret = krb5_sendto_kdc (context, &req, &creds->client->realm, &resp); - krb5_data_free(&req); - if (ret) - return ret; - - memset (&rep, 0, sizeof(rep)); - ret = decode_AS_REP(resp.data, resp.length, &rep.kdc_rep, &size); - if(ret) { - /* let's try to parse it as a KRB-ERROR */ - 
KRB_ERROR error; - int ret2; - - ret2 = krb5_rd_error(context, &resp, &error); - if(ret2 && resp.data && ((char*)resp.data)[0] == 4) - ret = KRB5KRB_AP_ERR_V4_REPLY; - krb5_data_free(&resp); - if (ret2 == 0) { - ret = krb5_error_from_rd_error(context, &error, creds); - /* if no preauth was set and KDC requires it, give it - one more try */ - if (!ptypes && !preauth - && ret == KRB5KDC_ERR_PREAUTH_REQUIRED -#if 0 - || ret == KRB5KDC_ERR_BADOPTION -#endif - && set_ptypes(context, &error, &ptypes, &my_preauth)) { - done = 0; - preauth = my_preauth; - krb5_free_error_contents(context, &error); - krb5_clear_error_string(context); - continue; - } - if(ret_as_reply) - ret_as_reply->error = error; - else - free_KRB_ERROR (&error); - return ret; - } - return ret; - } - krb5_data_free(&resp); - } while(!done); - - pa = NULL; - etype = rep.kdc_rep.enc_part.etype; - if(rep.kdc_rep.padata){ - int index = 0; - pa = krb5_find_padata(rep.kdc_rep.padata->val, rep.kdc_rep.padata->len, - KRB5_PADATA_PW_SALT, &index); - if(pa == NULL) { - index = 0; - pa = krb5_find_padata(rep.kdc_rep.padata->val, - rep.kdc_rep.padata->len, - KRB5_PADATA_AFS3_SALT, &index); - } - } - if(pa) { - salt.salttype = pa->padata_type; - salt.saltvalue = pa->padata_value; - - ret = (*key_proc)(context, etype, salt, keyseed, &key); - } else { - /* make a v5 salted pa-data */ - ret = krb5_get_pw_salt (context, creds->client, &salt); - - if (ret) - goto out; - ret = (*key_proc)(context, etype, salt, keyseed, &key); - krb5_free_salt(context, salt); - } - if (ret) - goto out; - - ret = _krb5_extract_ticket(context, - &rep, - creds, - key, - keyseed, - KRB5_KU_AS_REP_ENC_PART, - NULL, - nonce, - FALSE, - opts.b.request_anonymous, - decrypt_proc, - decryptarg); - memset (key->keyvalue.data, 0, key->keyvalue.length); - krb5_free_keyblock_contents (context, key); - free (key); - -out: - if (ret == 0 && ret_as_reply) - *ret_as_reply = rep; - else - krb5_free_kdc_rep (context, &rep); - return ret; -} - -krb5_error_code 
-krb5_get_in_tkt(krb5_context context, - krb5_flags options, - const krb5_addresses *addrs, - const krb5_enctype *etypes, - const krb5_preauthtype *ptypes, - krb5_key_proc key_proc, - krb5_const_pointer keyseed, - krb5_decrypt_proc decrypt_proc, - krb5_const_pointer decryptarg, - krb5_creds *creds, - krb5_ccache ccache, - krb5_kdc_rep *ret_as_reply) -{ - krb5_error_code ret; - krb5_kdc_flags opts; - opts.i = 0; - opts.b = int2KDCOptions(options); - - ret = krb5_get_in_cred (context, - opts.i, - addrs, - etypes, - ptypes, - NULL, - key_proc, - keyseed, - decrypt_proc, - decryptarg, - creds, - ret_as_reply); - if(ret) - return ret; - if (ccache) - ret = krb5_cc_store_cred (context, ccache, creds); - return ret; -} diff --git a/crypto/heimdal-0.6.3/lib/krb5/get_in_tkt_pw.c b/crypto/heimdal-0.6.3/lib/krb5/get_in_tkt_pw.c deleted file mode 100644 index a4f5c80134..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/get_in_tkt_pw.c +++ /dev/null 
@@ -1,90 +0,0 @@ -/* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "krb5_locl.h" - -RCSID("$Id: get_in_tkt_pw.c,v 1.16 2001/05/14 06:14:48 assar Exp $"); - -krb5_error_code -krb5_password_key_proc (krb5_context context, - krb5_enctype type, - krb5_salt salt, - krb5_const_pointer keyseed, - krb5_keyblock **key) -{ - krb5_error_code ret; - const char *password = (const char *)keyseed; - char buf[BUFSIZ]; - - *key = malloc (sizeof (**key)); - if (*key == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - if (password == NULL) { - if(des_read_pw_string (buf, sizeof(buf), "Password: ", 0)) { - free (*key); - krb5_clear_error_string(context); - return KRB5_LIBOS_PWDINTR; - } - password = buf; - } - ret = krb5_string_to_key_salt (context, type, password, salt, *key); - memset (buf, 0, sizeof(buf)); - return ret; -} - -krb5_error_code -krb5_get_in_tkt_with_password (krb5_context context, - krb5_flags options, - krb5_addresses *addrs, - const krb5_enctype *etypes, - const krb5_preauthtype *pre_auth_types, - const char *password, - krb5_ccache ccache, - krb5_creds *creds, - krb5_kdc_rep *ret_as_reply) -{ - return krb5_get_in_tkt (context, - options, - addrs, - etypes, - pre_auth_types, - krb5_password_key_proc, - password, - NULL, - NULL, - creds, - ccache, - ret_as_reply); -} diff --git a/crypto/heimdal-0.6.3/lib/krb5/get_in_tkt_with_keytab.c b/crypto/heimdal-0.6.3/lib/krb5/get_in_tkt_with_keytab.c deleted file mode 100644 index c5feee4581..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/get_in_tkt_with_keytab.c +++ /dev/null 
@@ -1,105 +0,0 @@ -/* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "krb5_locl.h" - -RCSID("$Id: get_in_tkt_with_keytab.c,v 1.6 2001/05/14 06:14:48 assar Exp $"); - -krb5_error_code -krb5_keytab_key_proc (krb5_context context, - krb5_enctype enctype, - krb5_salt salt, - krb5_const_pointer keyseed, - krb5_keyblock **key) -{ - krb5_keytab_key_proc_args *args = (krb5_keytab_key_proc_args *)keyseed; - krb5_keytab keytab = args->keytab; - krb5_principal principal = args->principal; - krb5_error_code ret; - krb5_keytab real_keytab; - krb5_keytab_entry entry; - - if(keytab == NULL) - krb5_kt_default(context, &real_keytab); - else - real_keytab = keytab; - - ret = krb5_kt_get_entry (context, real_keytab, principal, - 0, enctype, &entry); - - if (keytab == NULL) - krb5_kt_close (context, real_keytab); - - if (ret) - return ret; - - ret = krb5_copy_keyblock (context, &entry.keyblock, key); - krb5_kt_free_entry(context, &entry); - return ret; -} - -krb5_error_code -krb5_get_in_tkt_with_keytab (krb5_context context, - krb5_flags options, - krb5_addresses *addrs, - const krb5_enctype *etypes, - const krb5_preauthtype *pre_auth_types, - krb5_keytab keytab, - krb5_ccache ccache, - krb5_creds *creds, - krb5_kdc_rep *ret_as_reply) -{ - krb5_keytab_key_proc_args *a; - - a = malloc(sizeof(*a)); - if (a == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - - a->principal = creds->client; - a->keytab = keytab; - - return krb5_get_in_tkt (context, - options, - addrs, - etypes, - pre_auth_types, - krb5_keytab_key_proc, - a, - NULL, - NULL, - creds, - ccache, - ret_as_reply); -} diff --git a/crypto/heimdal-0.6.3/lib/krb5/get_in_tkt_with_skey.c b/crypto/heimdal-0.6.3/lib/krb5/get_in_tkt_with_skey.c deleted file mode 100644 index 773d361758..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/get_in_tkt_with_skey.c +++ /dev/null 
@@ -1,82 +0,0 @@
-/*
- * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-
-RCSID("$Id: get_in_tkt_with_skey.c,v 1.3 1999/12/02 17:05:10 joda Exp $");
-
-static krb5_error_code
-krb5_skey_key_proc (krb5_context context,
- krb5_enctype type,
- krb5_salt salt,
- krb5_const_pointer keyseed,
- krb5_keyblock **key)
-{
- return krb5_copy_keyblock (context, keyseed, key);
-}
-
-krb5_error_code
-krb5_get_in_tkt_with_skey (krb5_context context,
- krb5_flags options,
- krb5_addresses *addrs,
- const krb5_enctype *etypes,
- const krb5_preauthtype *pre_auth_types,
- const krb5_keyblock *key,
- krb5_ccache ccache,
- krb5_creds *creds,
- krb5_kdc_rep *ret_as_reply)
-{
- if(key == NULL)
- return krb5_get_in_tkt_with_keytab (context,
- options,
- addrs,
- etypes,
- pre_auth_types,
- NULL,
- ccache,
- creds,
- ret_as_reply);
- else
- return krb5_get_in_tkt (context,
- options,
- addrs,
- etypes,
- pre_auth_types,
- krb5_skey_key_proc,
- key,
- NULL,
- NULL,
- creds,
- ccache,
- ret_as_reply);
-}
diff --git a/crypto/heimdal-0.6.3/lib/krb5/get_port.c b/crypto/heimdal-0.6.3/lib/krb5/get_port.c
deleted file mode 100644
index 6c517414bc..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/get_port.c
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include
-
-RCSID("$Id: get_port.c,v 1.8 2001/01/27 19:24:34 joda Exp $");
-
-int
-krb5_getportbyname (krb5_context context,
- const char *service,
- const char *proto,
- int default_port)
-{
- struct servent *sp;
-
- if ((sp = roken_getservbyname (service, proto)) == NULL) {
-#if 0
- krb5_warnx(context, "%s/%s unknown service, using default port %d",
- service, proto, default_port);
-#endif
- return htons(default_port);
- } else
- return sp->s_port;
-}
diff --git a/crypto/heimdal-0.6.3/lib/krb5/heim_err.et b/crypto/heimdal-0.6.3/lib/krb5/heim_err.et
deleted file mode 100644
index 67642a53db..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/heim_err.et
+++ /dev/null
@@ -1,36 +0,0 @@
-#
-# Error messages for the krb5 library
-#
-# This might look like a com_err file, but is not
-#
-id "$Id: heim_err.et,v 1.12 2001/06/21 03:51:36 assar Exp $"
-
-error_table heim
-
-prefix HEIM_ERR
-
-error_code LOG_PARSE, "Error parsing log destination"
-error_code V4_PRINC_NO_CONV, "Failed to convert v4 principal"
-error_code SALTTYPE_NOSUPP, "Salt type is not supported by enctype"
-error_code NOHOST, "Host not found"
-error_code OPNOTSUPP, "Operation not supported"
-error_code EOF, "End of file"
-error_code BAD_MKEY, "Failed to get the master key"
-error_code SERVICE_NOMATCH, "Unacceptable service used"
-
-index 128
-prefix HEIM_EAI
-#error_code NOERROR, "no error"
-error_code UNKNOWN, "unknown error from getaddrinfo"
-error_code ADDRFAMILY, "address family for nodename not supported"
-error_code AGAIN, "temporary failure in name resolution"
-error_code BADFLAGS, "invalid value for ai_flags"
-error_code FAIL, "non-recoverable failure in name resolution"
-error_code FAMILY, "ai_family not supported"
-error_code MEMORY, "memory allocation failure"
-error_code NODATA, "no address associated with nodename"
-error_code NONAME, "nodename nor servname provided, or not known"
-error_code SERVICE, "servname not supported for ai_socktype"
-error_code SOCKTYPE, "ai_socktype not supported"
-error_code SYSTEM, "system error returned in errno"
-end
diff --git a/crypto/heimdal-0.6.3/lib/krb5/init_creds.c b/crypto/heimdal-0.6.3/lib/krb5/init_creds.c
deleted file mode 100644
index 6f9300596e..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/init_creds.c
+++ /dev/null
@@ -1,220 +0,0 @@ -/* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "krb5_locl.h" - -RCSID("$Id: init_creds.c,v 1.9 2001/07/03 18:42:07 assar Exp $"); - -void -krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt) -{ - memset (opt, 0, sizeof(*opt)); - opt->flags = 0; -} - -static int -get_config_time (krb5_context context, - const char *realm, - const char *name, - int def) -{ - int ret; - - ret = krb5_config_get_time (context, NULL, - "realms", - realm, - name, - NULL); - if (ret >= 0) - return ret; - ret = krb5_config_get_time (context, NULL, - "libdefaults", - name, - NULL); - if (ret >= 0) - return ret; - return def; -} - -static krb5_boolean -get_config_bool (krb5_context context, - const char *realm, - const char *name) -{ - return krb5_config_get_bool (context, - NULL, - "realms", - realm, - name, - NULL) - || krb5_config_get_bool (context, - NULL, - "libdefaults", - name, - NULL); -} - -/* - * set all the values in `opt' to the appropriate values for - * application `appname' (default to getprogname() if NULL), and realm - * `realm'. First looks in [appdefaults] but falls back to - * [realms] or [libdefaults] for some of the values. 
- */ - -static krb5_addresses no_addrs = {0, NULL}; - -void -krb5_get_init_creds_opt_set_default_flags(krb5_context context, - const char *appname, - krb5_const_realm realm, - krb5_get_init_creds_opt *opt) -{ - krb5_boolean b; - time_t t; - - b = get_config_bool (context, realm, "forwardable"); - krb5_appdefault_boolean(context, appname, realm, "forwardable", b, &b); - krb5_get_init_creds_opt_set_forwardable(opt, b); - - b = get_config_bool (context, realm, "proxiable"); - krb5_appdefault_boolean(context, appname, realm, "proxiable", b, &b); - krb5_get_init_creds_opt_set_proxiable (opt, b); - - krb5_appdefault_time(context, appname, realm, "ticket_lifetime", 0, &t); - if (t == 0) - t = get_config_time (context, realm, "ticket_lifetime", 0); - if(t != 0) - krb5_get_init_creds_opt_set_tkt_life(opt, t); - - krb5_appdefault_time(context, appname, realm, "renew_lifetime", 0, &t); - if (t == 0) - t = get_config_time (context, realm, "renew_lifetime", 0); - if(t != 0) - krb5_get_init_creds_opt_set_renew_life(opt, t); - - krb5_appdefault_boolean(context, appname, realm, "no-addresses", FALSE, &b); - if (b) - krb5_get_init_creds_opt_set_address_list (opt, &no_addrs); - -#if 0 - krb5_appdefault_boolean(context, appname, realm, "anonymous", FALSE, &b); - krb5_get_init_creds_opt_set_anonymous (opt, b); - - krb5_get_init_creds_opt_set_etype_list(opt, enctype, - etype_str.num_strings); - - krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt, - krb5_data *salt); - - krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt *opt, - krb5_preauthtype *preauth_list, - int preauth_list_length); -#endif -} - - -void -krb5_get_init_creds_opt_set_tkt_life(krb5_get_init_creds_opt *opt, - krb5_deltat tkt_life) -{ - opt->flags |= KRB5_GET_INIT_CREDS_OPT_TKT_LIFE; - opt->tkt_life = tkt_life; -} - -void -krb5_get_init_creds_opt_set_renew_life(krb5_get_init_creds_opt *opt, - krb5_deltat renew_life) -{ - opt->flags |= KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE; - opt->renew_life = 
renew_life; -} - -void -krb5_get_init_creds_opt_set_forwardable(krb5_get_init_creds_opt *opt, - int forwardable) -{ - opt->flags |= KRB5_GET_INIT_CREDS_OPT_FORWARDABLE; - opt->forwardable = forwardable; -} - -void -krb5_get_init_creds_opt_set_proxiable(krb5_get_init_creds_opt *opt, - int proxiable) -{ - opt->flags |= KRB5_GET_INIT_CREDS_OPT_PROXIABLE; - opt->proxiable = proxiable; -} - -void -krb5_get_init_creds_opt_set_etype_list(krb5_get_init_creds_opt *opt, - krb5_enctype *etype_list, - int etype_list_length) -{ - opt->flags |= KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST; - opt->etype_list = etype_list; - opt->etype_list_length = etype_list_length; -} - -void -krb5_get_init_creds_opt_set_address_list(krb5_get_init_creds_opt *opt, - krb5_addresses *addresses) -{ - opt->flags |= KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST; - opt->address_list = addresses; -} - -void -krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt *opt, - krb5_preauthtype *preauth_list, - int preauth_list_length) -{ - opt->flags |= KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST; - opt->preauth_list_length = preauth_list_length; - opt->preauth_list = preauth_list; -} - -void -krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt, - krb5_data *salt) -{ - opt->flags |= KRB5_GET_INIT_CREDS_OPT_SALT; - opt->salt = salt; -} - -void -krb5_get_init_creds_opt_set_anonymous(krb5_get_init_creds_opt *opt, - int anonymous) -{ - opt->flags |= KRB5_GET_INIT_CREDS_OPT_ANONYMOUS; - opt->anonymous = anonymous; -} diff --git a/crypto/heimdal-0.6.3/lib/krb5/init_creds_pw.c b/crypto/heimdal-0.6.3/lib/krb5/init_creds_pw.c deleted file mode 100644 index e54e7c4f2d..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/init_creds_pw.c +++ /dev/null 
@@ -1,575 +0,0 @@ -/* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "krb5_locl.h" - -RCSID("$Id: init_creds_pw.c,v 1.55.2.1 2004/08/30 23:21:07 lha Exp $"); - -static int -get_config_time (krb5_context context, - const char *realm, - const char *name, - int def) -{ - int ret; - - ret = krb5_config_get_time (context, NULL, - "realms", - realm, - name, - NULL); - if (ret >= 0) - return ret; - ret = krb5_config_get_time (context, NULL, - "libdefaults", - name, - NULL); - if (ret >= 0) - return ret; - return def; -} - -static krb5_error_code -init_cred (krb5_context context, - krb5_creds *cred, - krb5_principal client, - krb5_deltat start_time, - const char *in_tkt_service, - krb5_get_init_creds_opt *options) -{ - krb5_error_code ret; - krb5_realm *client_realm; - int tmp; - krb5_timestamp now; - - krb5_timeofday (context, &now); - - memset (cred, 0, sizeof(*cred)); - - if (client) - krb5_copy_principal(context, client, &cred->client); - else { - ret = krb5_get_default_principal (context, - &cred->client); - if (ret) - goto out; - } - - client_realm = krb5_princ_realm (context, cred->client); - - if (start_time) - cred->times.starttime = now + start_time; - - if (options->flags & KRB5_GET_INIT_CREDS_OPT_TKT_LIFE) - tmp = options->tkt_life; - else - tmp = 10 * 60 * 60; - cred->times.endtime = now + tmp; - - if ((options->flags & KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE) && - options->renew_life > 0) { - cred->times.renew_till = now + options->renew_life; - } - - if (in_tkt_service) { - krb5_realm server_realm; - - ret = krb5_parse_name (context, in_tkt_service, &cred->server); - if (ret) - goto out; - server_realm = strdup (*client_realm); - free (*krb5_princ_realm(context, cred->server)); - krb5_princ_set_realm (context, cred->server, &server_realm); - } else { - ret = krb5_make_principal(context, &cred->server, - *client_realm, KRB5_TGS_NAME, *client_realm, - NULL); - if (ret) - goto out; - } - return 0; - -out: - krb5_free_creds_contents (context, cred); - return ret; -} - -/* - * Print a message (str) to the user about 
the expiration in `lr' - */ - -static void -report_expiration (krb5_context context, - krb5_prompter_fct prompter, - krb5_data *data, - const char *str, - time_t time) -{ - char *p; - - asprintf (&p, "%s%s", str, ctime(&time)); - (*prompter) (context, data, NULL, p, 0, NULL); - free (p); -} - -/* - * Parse the last_req data and show it to the user if it's interesting - */ - -static void -print_expire (krb5_context context, - krb5_realm *realm, - krb5_kdc_rep *rep, - krb5_prompter_fct prompter, - krb5_data *data) -{ - int i; - LastReq *lr = &rep->enc_part.last_req; - krb5_timestamp sec; - time_t t; - krb5_boolean reported = FALSE; - - krb5_timeofday (context, &sec); - - t = sec + get_config_time (context, - *realm, - "warn_pwexpire", - 7 * 24 * 60 * 60); - - for (i = 0; i < lr->len; ++i) { - if (lr->val[i].lr_value <= t) { - switch (abs(lr->val[i].lr_type)) { - case LR_PW_EXPTIME : - report_expiration(context, prompter, data, - "Your password will expire at ", - lr->val[i].lr_value); - reported = TRUE; - break; - case LR_ACCT_EXPTIME : - report_expiration(context, prompter, data, - "Your account will expire at ", - lr->val[i].lr_value); - reported = TRUE; - break; - } - } - } - - if (!reported - && rep->enc_part.key_expiration - && *rep->enc_part.key_expiration <= t) { - report_expiration(context, prompter, data, - "Your password/account will expire at ", - *rep->enc_part.key_expiration); - } -} - -static krb5_error_code -get_init_creds_common(krb5_context context, - krb5_creds *creds, - krb5_principal client, - krb5_deltat start_time, - const char *in_tkt_service, - krb5_get_init_creds_opt *options, - krb5_addresses **addrs, - krb5_enctype **etypes, - krb5_creds *cred, - krb5_preauthtype **pre_auth_types, - krb5_kdc_flags *flags) -{ - krb5_error_code ret; - krb5_realm *client_realm; - krb5_get_init_creds_opt default_opt; - - if (options == NULL) { - krb5_get_init_creds_opt_init (&default_opt); - options = &default_opt; - } - - ret = init_cred (context, cred, 
client, start_time, - in_tkt_service, options); - if (ret) - return ret; - - client_realm = krb5_princ_realm (context, cred->client); - - flags->i = 0; - - if (options->flags & KRB5_GET_INIT_CREDS_OPT_FORWARDABLE) - flags->b.forwardable = options->forwardable; - - if (options->flags & KRB5_GET_INIT_CREDS_OPT_PROXIABLE) - flags->b.proxiable = options->proxiable; - - if (start_time) - flags->b.postdated = 1; - if (cred->times.renew_till) - flags->b.renewable = 1; - if (options->flags & KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST) - *addrs = options->address_list; - if (options->flags & KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST) { - *etypes = malloc((options->etype_list_length + 1) - * sizeof(krb5_enctype)); - if (*etypes == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - memcpy (*etypes, options->etype_list, - options->etype_list_length * sizeof(krb5_enctype)); - (*etypes)[options->etype_list_length] = ETYPE_NULL; - } - if (options->flags & KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST) { - *pre_auth_types = malloc((options->preauth_list_length + 1) - * sizeof(krb5_preauthtype)); - if (*pre_auth_types == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - memcpy (*pre_auth_types, options->preauth_list, - options->preauth_list_length * sizeof(krb5_preauthtype)); - (*pre_auth_types)[options->preauth_list_length] = KRB5_PADATA_NONE; - } - if (options->flags & KRB5_GET_INIT_CREDS_OPT_SALT) - ; /* XXX */ - if (options->flags & KRB5_GET_INIT_CREDS_OPT_ANONYMOUS) - flags->b.request_anonymous = options->anonymous; - return 0; -} - -static krb5_error_code -change_password (krb5_context context, - krb5_principal client, - const char *password, - char *newpw, - size_t newpw_sz, - krb5_prompter_fct prompter, - void *data, - krb5_get_init_creds_opt *old_options) -{ - krb5_prompt prompts[2]; - krb5_error_code ret; - krb5_creds cpw_cred; - char buf1[BUFSIZ], buf2[BUFSIZ]; - krb5_data password_data[2]; - int result_code; - 
krb5_data result_code_string; - krb5_data result_string; - char *p; - krb5_get_init_creds_opt options; - - memset (&cpw_cred, 0, sizeof(cpw_cred)); - - krb5_get_init_creds_opt_init (&options); - krb5_get_init_creds_opt_set_tkt_life (&options, 60); - krb5_get_init_creds_opt_set_forwardable (&options, FALSE); - krb5_get_init_creds_opt_set_proxiable (&options, FALSE); - if (old_options->flags & KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST) - krb5_get_init_creds_opt_set_preauth_list (&options, - old_options->preauth_list, - old_options->preauth_list_length); - - krb5_data_zero (&result_code_string); - krb5_data_zero (&result_string); - - ret = krb5_get_init_creds_password (context, - &cpw_cred, - client, - password, - prompter, - data, - 0, - "kadmin/changepw", - &options); - if (ret) - goto out; - - for(;;) { - password_data[0].data = buf1; - password_data[0].length = sizeof(buf1); - - prompts[0].hidden = 1; - prompts[0].prompt = "New password: "; - prompts[0].reply = &password_data[0]; - prompts[0].type = KRB5_PROMPT_TYPE_NEW_PASSWORD; - - password_data[1].data = buf2; - password_data[1].length = sizeof(buf2); - - prompts[1].hidden = 1; - prompts[1].prompt = "Repeat new password: "; - prompts[1].reply = &password_data[1]; - prompts[1].type = KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN; - - ret = (*prompter) (context, data, NULL, "Changing password", - 2, prompts); - if (ret) { - memset (buf1, 0, sizeof(buf1)); - memset (buf2, 0, sizeof(buf2)); - goto out; - } - - if (strcmp (buf1, buf2) == 0) - break; - memset (buf1, 0, sizeof(buf1)); - memset (buf2, 0, sizeof(buf2)); - } - - ret = krb5_change_password (context, - &cpw_cred, - buf1, - &result_code, - &result_code_string, - &result_string); - if (ret) - goto out; - asprintf (&p, "%s: %.*s\n", - result_code ? 
"Error" : "Success", - (int)result_string.length, - (char*)result_string.data); - - ret = (*prompter) (context, data, NULL, p, 0, NULL); - free (p); - if (result_code == 0) { - strlcpy (newpw, buf1, newpw_sz); - ret = 0; - } else { - krb5_set_error_string (context, "failed changing password"); - ret = ENOTTY; - } - -out: - memset (buf1, 0, sizeof(buf1)); - memset (buf2, 0, sizeof(buf2)); - krb5_data_free (&result_string); - krb5_data_free (&result_code_string); - krb5_free_creds_contents (context, &cpw_cred); - return ret; -} - -krb5_error_code -krb5_get_init_creds_password(krb5_context context, - krb5_creds *creds, - krb5_principal client, - const char *password, - krb5_prompter_fct prompter, - void *data, - krb5_deltat start_time, - const char *in_tkt_service, - krb5_get_init_creds_opt *options) -{ - krb5_error_code ret; - krb5_kdc_flags flags; - krb5_addresses *addrs = NULL; - krb5_enctype *etypes = NULL; - krb5_preauthtype *pre_auth_types = NULL; - krb5_creds this_cred; - krb5_kdc_rep kdc_reply; - char buf[BUFSIZ]; - krb5_data password_data; - int done; - - memset(&kdc_reply, 0, sizeof(kdc_reply)); - - ret = get_init_creds_common(context, creds, client, start_time, - in_tkt_service, options, - &addrs, &etypes, &this_cred, &pre_auth_types, - &flags); - if(ret) - goto out; - - if (password == NULL) { - krb5_prompt prompt; - char *p, *q; - - krb5_unparse_name (context, this_cred.client, &p); - asprintf (&q, "%s's Password: ", p); - free (p); - prompt.prompt = q; - password_data.data = buf; - password_data.length = sizeof(buf); - prompt.hidden = 1; - prompt.reply = &password_data; - prompt.type = KRB5_PROMPT_TYPE_PASSWORD; - - ret = (*prompter) (context, data, NULL, NULL, 1, &prompt); - free (q); - if (ret) { - memset (buf, 0, sizeof(buf)); - ret = KRB5_LIBOS_PWDINTR; - krb5_clear_error_string (context); - goto out; - } - password = password_data.data; - } - - done = 0; - while(!done) { - memset(&kdc_reply, 0, sizeof(kdc_reply)); - ret = krb5_get_in_cred (context, 
- flags.i, - addrs, - etypes, - pre_auth_types, - NULL, - krb5_password_key_proc, - password, - NULL, - NULL, - &this_cred, - &kdc_reply); - switch (ret) { - case 0 : - done = 1; - break; - case KRB5KDC_ERR_KEY_EXPIRED : - /* try to avoid recursion */ - - if (prompter == NULL) - goto out; - - krb5_clear_error_string (context); - - if (in_tkt_service != NULL - && strcmp (in_tkt_service, "kadmin/changepw") == 0) - goto out; - - ret = change_password (context, - client, - password, - buf, - sizeof(buf), - prompter, - data, - options); - if (ret) - goto out; - password = buf; - break; - default: - goto out; - } - } - - if (prompter) - print_expire (context, - krb5_princ_realm (context, this_cred.client), - &kdc_reply, - prompter, - data); -out: - memset (buf, 0, sizeof(buf)); - - krb5_free_kdc_rep (context, &kdc_reply); - - free (pre_auth_types); - free (etypes); - if (ret == 0 && creds) - *creds = this_cred; - else - krb5_free_creds_contents (context, &this_cred); - return ret; -} - -krb5_error_code -krb5_keyblock_key_proc (krb5_context context, - krb5_keytype type, - krb5_data *salt, - krb5_const_pointer keyseed, - krb5_keyblock **key) -{ - return krb5_copy_keyblock (context, keyseed, key); -} - -krb5_error_code -krb5_get_init_creds_keytab(krb5_context context, - krb5_creds *creds, - krb5_principal client, - krb5_keytab keytab, - krb5_deltat start_time, - const char *in_tkt_service, - krb5_get_init_creds_opt *options) -{ - krb5_error_code ret; - krb5_kdc_flags flags; - krb5_addresses *addrs = NULL; - krb5_enctype *etypes = NULL; - krb5_preauthtype *pre_auth_types = NULL; - krb5_creds this_cred; - krb5_keytab_key_proc_args *a; - - ret = get_init_creds_common(context, creds, client, start_time, - in_tkt_service, options, - &addrs, &etypes, &this_cred, &pre_auth_types, - &flags); - if(ret) - goto out; - - a = malloc (sizeof(*a)); - if (a == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - ret = ENOMEM; - goto out; - } - a->principal = 
this_cred.client; - a->keytab = keytab; - - ret = krb5_get_in_cred (context, - flags.i, - addrs, - etypes, - pre_auth_types, - NULL, - krb5_keytab_key_proc, - a, - NULL, - NULL, - &this_cred, - NULL); - free (a); - - if (ret) - goto out; - free (pre_auth_types); - free (etypes); - if (creds) - *creds = this_cred; - else - krb5_free_creds_contents (context, &this_cred); - return 0; - -out: - free (pre_auth_types); - free (etypes); - krb5_free_creds_contents (context, &this_cred); - return ret; -} diff --git a/crypto/heimdal-0.6.3/lib/krb5/k524_err.et b/crypto/heimdal-0.6.3/lib/krb5/k524_err.et deleted file mode 100644 index 2dc60f46ae..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/k524_err.et +++ /dev/null @@ -1,20 +0,0 @@ -# -# Error messages for the k524 functions -# -# This might look like a com_err file, but is not -# -id "$Id: k524_err.et,v 1.1 2001/06/20 02:44:11 joda Exp $" - -error_table k524 - -prefix KRB524 -error_code BADKEY, "wrong keytype in ticket" -error_code BADADDR, "incorrect network address" -error_code BADPRINC, "cannot convert V5 principal" #unused -error_code BADREALM, "V5 realm name longer than V4 maximum" #unused -error_code V4ERR, "kerberos V4 error server" -error_code ENCFULL, "encoding too large at server" -error_code DECEMPTY, "decoding out of data" #unused -error_code NOTRESP, "service not responding" #unused -end - diff --git a/crypto/heimdal-0.6.3/lib/krb5/kerberos.8 b/crypto/heimdal-0.6.3/lib/krb5/kerberos.8 deleted file mode 100644 index b0b4980778..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/kerberos.8 +++ /dev/null 
@@ -1,104 +0,0 @@ -.\" Copyright (c) 2000 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.\" -.\" $Id: kerberos.8,v 1.6 2003/03/10 02:19:23 lha Exp $ -.\" -.Dd September 1, 2000 -.Dt KERBEROS 8 -.Os HEIMDAL -.Sh NAME -.Nm kerberos -.Nd introduction to the Kerberos system -.Sh DESCRIPTION -Kerberos is a network authentication system. 
Its purpose is to -securely authenticate users and services in an insecure network -environment. -.Pp -This is done with a Kerberos server acting as a trusted third party, -keeping a database with secret keys for all users and services -(collectively called -.Em principals ) . -.Pp -Each principal belongs to exactly one -.Em realm , -which is the administrative domain in Kerberos. A realm usually -corresponds to an organisation, and the realm should normally be -derived from that organisation's domain name. A realm is served by one -or more Kerberos servers. -.Pp -The authentication process involves exchange of -.Sq tickets -and -.Sq authenticators -which together prove the principal's identity. -.Pp -When you login to the Kerberos system, either through the normal -system login or with the -.Xr kinit 1 -program, you acquire a -.Em ticket granting ticket -which allows you to get new tickets for other services, such as -.Ic telnet -or -.Ic ftp , -without giving your password. -.Pp -For more information on how Kerberos works, and other general Kerberos -questions see the Kerberos FAQ at -.Pa http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html . -.Pp -For setup instructions see the Heimdal Texinfo manual. -.Sh SEE ALSO -.Xr ftp 1 , -.Xr kdestroy 1 , -.Xr kinit 1 , -.Xr klist 1 , -.Xr kpasswd 1 , -.Xr telnet 1 -.Sh HISTORY -The Kerberos authentication system was developed in the late 1980's as -part of the Athena Project at the Massachusetts Institute of -Technology. Versions one through three never reached outside MIT, but -version 4 was (and still is) quite popular, especially in the academic -community, but is also used in commercial products like the AFS -filesystem. -.Pp -The problems with version 4 are that it has many limitations, the code -was not too well written (since it had been developed over a long -time), and it has a number of known security problems. 
To resolve many -of these issues work on version five started, and resulted in IETF -RFC1510 in 1993. Since then much work has been put into the further -development, and a new RFC will hopefully appear soon. -.Pp -This manual manual page is part of the -.Nm Heimdal -Kerberos 5 distribution, which has been in development at the Royal -Institute of Technology in Stockholm, Sweden, since about 1997. diff --git a/crypto/heimdal-0.6.3/lib/krb5/kerberos.cat8 b/crypto/heimdal-0.6.3/lib/krb5/kerberos.cat8 deleted file mode 100644 index 532f38cd17..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/kerberos.cat8 +++ /dev/null 
@@ -1,55 +0,0 @@ - -KERBEROS(8) UNIX System Manager's Manual KERBEROS(8) - -NNAAMMEE - kkeerrbbeerrooss - introduction to the Kerberos system - -DDEESSCCRRIIPPTTIIOONN - Kerberos is a network authentication system. Its purpose is to securely - authenticate users and services in an insecure network environment. - - This is done with a Kerberos server acting as a trusted third party, - keeping a database with secret keys for all users and services (collec- - tively called _p_r_i_n_c_i_p_a_l_s). - - Each principal belongs to exactly one _r_e_a_l_m, which is the administrative - domain in Kerberos. A realm usually corresponds to an organisation, and - the realm should normally be derived from that organisation's domain - name. A realm is served by one or more Kerberos servers. - - The authentication process involves exchange of `tickets' and - `authenticators' which together prove the principal's identity. - - When you login to the Kerberos system, either through the normal system - login or with the kinit(1) program, you acquire a _t_i_c_k_e_t _g_r_a_n_t_i_n_g _t_i_c_k_e_t - which allows you to get new tickets for other services, such as tteellnneett or - ffttpp, without giving your password. - - For more information on how Kerberos works, and other general Kerberos - questions see the Kerberos FAQ at - _h_t_t_p_:_/_/_w_w_w_._n_r_l_._n_a_v_y_._m_i_l_/_C_C_S_/_p_e_o_p_l_e_/_k_e_n_h_/_k_e_r_b_e_r_o_s_-_f_a_q_._h_t_m_l. - - For setup instructions see the Heimdal Texinfo manual. - -SSEEEE AALLSSOO - ftp(1), kdestroy(1), kinit(1), klist(1), kpasswd(1), telnet(1) - -HHIISSTTOORRYY - The Kerberos authentication system was developed in the late 1980's as - part of the Athena Project at the Massachusetts Institute of Technology. - Versions one through three never reached outside MIT, but version 4 was - (and still is) quite popular, especially in the academic community, but - is also used in commercial products like the AFS filesystem. 
- - The problems with version 4 are that it has many limitations, the code - was not too well written (since it had been developed over a long time), - and it has a number of known security problems. To resolve many of these - issues work on version five started, and resulted in IETF RFC1510 in - 1993. Since then much work has been put into the further development, and - a new RFC will hopefully appear soon. - - This manual manual page is part of the HHeeiimmddaall Kerberos 5 distribution, - which has been in development at the Royal Institute of Technology in - Stockholm, Sweden, since about 1997. - - HEIMDAL September 1, 2000 1 diff --git a/crypto/heimdal-0.6.3/lib/krb5/keyblock.c b/crypto/heimdal-0.6.3/lib/krb5/keyblock.c deleted file mode 100644 index 7eb7067aab..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/keyblock.c +++ /dev/null 
@@ -1,81 +0,0 @@ -/* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "krb5_locl.h" - -RCSID("$Id: keyblock.c,v 1.12 2001/05/14 06:14:48 assar Exp $"); - -void -krb5_free_keyblock_contents(krb5_context context, - krb5_keyblock *keyblock) -{ - if(keyblock) { - if (keyblock->keyvalue.data != NULL) - memset(keyblock->keyvalue.data, 0, keyblock->keyvalue.length); - krb5_data_free (&keyblock->keyvalue); - } -} - -void -krb5_free_keyblock(krb5_context context, - krb5_keyblock *keyblock) -{ - if(keyblock){ - krb5_free_keyblock_contents(context, keyblock); - free(keyblock); - } -} - -krb5_error_code -krb5_copy_keyblock_contents (krb5_context context, - const krb5_keyblock *inblock, - krb5_keyblock *to) -{ - return copy_EncryptionKey(inblock, to); -} - -krb5_error_code -krb5_copy_keyblock (krb5_context context, - const krb5_keyblock *inblock, - krb5_keyblock **to) -{ - krb5_keyblock *k; - - k = malloc (sizeof(*k)); - if (k == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - *to = k; - return krb5_copy_keyblock_contents (context, inblock, k); -} diff --git a/crypto/heimdal-0.6.3/lib/krb5/keytab.c b/crypto/heimdal-0.6.3/lib/krb5/keytab.c deleted file mode 100644 index 9adf99bc08..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/keytab.c +++ /dev/null 
@@ -1,505 +0,0 @@ -/* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "krb5_locl.h" - -RCSID("$Id: keytab.c,v 1.55 2003/03/27 03:45:01 lha Exp $"); - -/* - * Register a new keytab in `ops' - * Return 0 or an error. 
- */ - -krb5_error_code -krb5_kt_register(krb5_context context, - const krb5_kt_ops *ops) -{ - struct krb5_keytab_data *tmp; - - if (strlen(ops->prefix) > KRB5_KT_PREFIX_MAX_LEN - 1) { - krb5_set_error_string(context, "krb5_kt_register; prefix too long"); - return KRB5_KT_NAME_TOOLONG; - } - - tmp = realloc(context->kt_types, - (context->num_kt_types + 1) * sizeof(*context->kt_types)); - if(tmp == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - memcpy(&tmp[context->num_kt_types], ops, - sizeof(tmp[context->num_kt_types])); - context->kt_types = tmp; - context->num_kt_types++; - return 0; -} - -/* - * Resolve the keytab name (of the form `type:residual') in `name' - * into a keytab in `id'. - * Return 0 or an error - */ - -krb5_error_code -krb5_kt_resolve(krb5_context context, - const char *name, - krb5_keytab *id) -{ - krb5_keytab k; - int i; - const char *type, *residual; - size_t type_len; - krb5_error_code ret; - - residual = strchr(name, ':'); - if(residual == NULL) { - type = "FILE"; - type_len = strlen(type); - residual = name; - } else { - type = name; - type_len = residual - name; - residual++; - } - - for(i = 0; i < context->num_kt_types; i++) { - if(strncasecmp(type, context->kt_types[i].prefix, type_len) == 0) - break; - } - if(i == context->num_kt_types) { - krb5_set_error_string(context, "unknown keytab type %.*s", - (int)type_len, type); - return KRB5_KT_UNKNOWN_TYPE; - } - - k = malloc (sizeof(*k)); - if (k == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - memcpy(k, &context->kt_types[i], sizeof(*k)); - k->data = NULL; - ret = (*k->resolve)(context, residual, k); - if(ret) { - free(k); - k = NULL; - } - *id = k; - return ret; -} - -/* - * copy the name of the default keytab into `name'. - * Return 0 or KRB5_CONFIG_NOTENUFSPACE if `namesize' is too short. 
- */ - -krb5_error_code -krb5_kt_default_name(krb5_context context, char *name, size_t namesize) -{ - if (strlcpy (name, context->default_keytab, namesize) >= namesize) { - krb5_clear_error_string (context); - return KRB5_CONFIG_NOTENUFSPACE; - } - return 0; -} - -/* - * copy the name of the default modify keytab into `name'. - * Return 0 or KRB5_CONFIG_NOTENUFSPACE if `namesize' is too short. - */ - -krb5_error_code -krb5_kt_default_modify_name(krb5_context context, char *name, size_t namesize) -{ - const char *kt = NULL; - if(context->default_keytab_modify == NULL) { - if(strncasecmp(context->default_keytab, "ANY:", 4) != 0) - kt = context->default_keytab; - else { - size_t len = strcspn(context->default_keytab + 4, ","); - if(len >= namesize) { - krb5_clear_error_string(context); - return KRB5_CONFIG_NOTENUFSPACE; - } - strlcpy(name, context->default_keytab + 4, namesize); - name[len] = '\0'; - return 0; - } - } else - kt = context->default_keytab_modify; - if (strlcpy (name, kt, namesize) >= namesize) { - krb5_clear_error_string (context); - return KRB5_CONFIG_NOTENUFSPACE; - } - return 0; -} - -/* - * Set `id' to the default keytab. - * Return 0 or an error. - */ - -krb5_error_code -krb5_kt_default(krb5_context context, krb5_keytab *id) -{ - return krb5_kt_resolve (context, context->default_keytab, id); -} - -/* - * Read the key identified by `(principal, vno, enctype)' from the - * keytab in `keyprocarg' (the default if == NULL) into `*key'. - * Return 0 or an error. 
- */ - -krb5_error_code -krb5_kt_read_service_key(krb5_context context, - krb5_pointer keyprocarg, - krb5_principal principal, - krb5_kvno vno, - krb5_enctype enctype, - krb5_keyblock **key) -{ - krb5_keytab keytab; - krb5_keytab_entry entry; - krb5_error_code ret; - - if (keyprocarg) - ret = krb5_kt_resolve (context, keyprocarg, &keytab); - else - ret = krb5_kt_default (context, &keytab); - - if (ret) - return ret; - - ret = krb5_kt_get_entry (context, keytab, principal, vno, enctype, &entry); - krb5_kt_close (context, keytab); - if (ret) - return ret; - ret = krb5_copy_keyblock (context, &entry.keyblock, key); - krb5_kt_free_entry(context, &entry); - return ret; -} - -/* - * Return the type of the `keytab' in the string `prefix of length - * `prefixsize'. - */ - -krb5_error_code -krb5_kt_get_type(krb5_context context, - krb5_keytab keytab, - char *prefix, - size_t prefixsize) -{ - strlcpy(prefix, keytab->prefix, prefixsize); - return 0; -} - -/* - * Retrieve the name of the keytab `keytab' into `name', `namesize' - * Return 0 or an error. - */ - -krb5_error_code -krb5_kt_get_name(krb5_context context, - krb5_keytab keytab, - char *name, - size_t namesize) -{ - return (*keytab->get_name)(context, keytab, name, namesize); -} - -/* - * Finish using the keytab in `id'. All resources will be released. - * Return 0 or an error. - */ - -krb5_error_code -krb5_kt_close(krb5_context context, - krb5_keytab id) -{ - krb5_error_code ret; - - ret = (*id->close)(context, id); - if(ret == 0) - free(id); - return ret; -} - -/* - * Compare `entry' against `principal, vno, enctype'. - * Any of `principal, vno, enctype' might be 0 which acts as a wildcard. - * Return TRUE if they compare the same, FALSE otherwise. 
- */ - -krb5_boolean -krb5_kt_compare(krb5_context context, - krb5_keytab_entry *entry, - krb5_const_principal principal, - krb5_kvno vno, - krb5_enctype enctype) -{ - if(principal != NULL && - !krb5_principal_compare(context, entry->principal, principal)) - return FALSE; - if(vno && vno != entry->vno) - return FALSE; - if(enctype && enctype != entry->keyblock.keytype) - return FALSE; - return TRUE; -} - -/* - * Retrieve the keytab entry for `principal, kvno, enctype' into `entry' - * from the keytab `id'. - * kvno == 0 is a wildcard and gives the keytab with the highest vno. - * Return 0 or an error. - */ - -krb5_error_code -krb5_kt_get_entry(krb5_context context, - krb5_keytab id, - krb5_const_principal principal, - krb5_kvno kvno, - krb5_enctype enctype, - krb5_keytab_entry *entry) -{ - krb5_keytab_entry tmp; - krb5_error_code ret; - krb5_kt_cursor cursor; - - if(id->get) - return (*id->get)(context, id, principal, kvno, enctype, entry); - - ret = krb5_kt_start_seq_get (context, id, &cursor); - if (ret) - return KRB5_KT_NOTFOUND; /* XXX i.e. 
file not found */ - - entry->vno = 0; - while (krb5_kt_next_entry(context, id, &tmp, &cursor) == 0) { - if (krb5_kt_compare(context, &tmp, principal, 0, enctype)) { - /* the file keytab might only store the lower 8 bits of - the kvno, so only compare those bits */ - if (kvno == tmp.vno - || (tmp.vno < 256 && kvno % 256 == tmp.vno)) { - krb5_kt_copy_entry_contents (context, &tmp, entry); - krb5_kt_free_entry (context, &tmp); - krb5_kt_end_seq_get(context, id, &cursor); - return 0; - } else if (kvno == 0 && tmp.vno > entry->vno) { - if (entry->vno) - krb5_kt_free_entry (context, entry); - krb5_kt_copy_entry_contents (context, &tmp, entry); - } - } - krb5_kt_free_entry(context, &tmp); - } - krb5_kt_end_seq_get (context, id, &cursor); - if (entry->vno) { - return 0; - } else { - char princ[256], kt_name[256], kvno_str[25]; - - krb5_unparse_name_fixed (context, principal, princ, sizeof(princ)); - krb5_kt_get_name (context, id, kt_name, sizeof(kt_name)); - - if (kvno) - snprintf(kvno_str, sizeof(kvno_str), "(kvno %d)", kvno); - else - kvno_str[0] = '\0'; - - krb5_set_error_string (context, - "failed to find %s%s in keytab %s", - princ, - kvno_str, - kt_name); - return KRB5_KT_NOTFOUND; - } -} - -/* - * Copy the contents of `in' into `out'. - * Return 0 or an error. */ - -krb5_error_code -krb5_kt_copy_entry_contents(krb5_context context, - const krb5_keytab_entry *in, - krb5_keytab_entry *out) -{ - krb5_error_code ret; - - memset(out, 0, sizeof(*out)); - out->vno = in->vno; - - ret = krb5_copy_principal (context, in->principal, &out->principal); - if (ret) - goto fail; - ret = krb5_copy_keyblock_contents (context, - &in->keyblock, - &out->keyblock); - if (ret) - goto fail; - out->timestamp = in->timestamp; - return 0; -fail: - krb5_kt_free_entry (context, out); - return ret; -} - -/* - * Free the contents of `entry'. 
- */ - -krb5_error_code -krb5_kt_free_entry(krb5_context context, - krb5_keytab_entry *entry) -{ - krb5_free_principal (context, entry->principal); - krb5_free_keyblock_contents (context, &entry->keyblock); - return 0; -} - -#if 0 -static int -xxxlock(int fd, int write) -{ - if(flock(fd, (write ? LOCK_EX : LOCK_SH) | LOCK_NB) < 0) { - sleep(1); - if(flock(fd, (write ? LOCK_EX : LOCK_SH) | LOCK_NB) < 0) - return -1; - } - return 0; -} - -static void -xxxunlock(int fd) -{ - flock(fd, LOCK_UN); -} -#endif - -/* - * Set `cursor' to point at the beginning of `id'. - * Return 0 or an error. - */ - -krb5_error_code -krb5_kt_start_seq_get(krb5_context context, - krb5_keytab id, - krb5_kt_cursor *cursor) -{ - if(id->start_seq_get == NULL) { - krb5_set_error_string(context, - "start_seq_get is not supported in the %s " - " keytab", id->prefix); - return HEIM_ERR_OPNOTSUPP; - } - return (*id->start_seq_get)(context, id, cursor); -} - -/* - * Get the next entry from `id' pointed to by `cursor' and advance the - * `cursor'. - * Return 0 or an error. - */ - -krb5_error_code -krb5_kt_next_entry(krb5_context context, - krb5_keytab id, - krb5_keytab_entry *entry, - krb5_kt_cursor *cursor) -{ - if(id->next_entry == NULL) { - krb5_set_error_string(context, - "next_entry is not supported in the %s " - " keytab", id->prefix); - return HEIM_ERR_OPNOTSUPP; - } - return (*id->next_entry)(context, id, entry, cursor); -} - -/* - * Release all resources associated with `cursor'. - */ - -krb5_error_code -krb5_kt_end_seq_get(krb5_context context, - krb5_keytab id, - krb5_kt_cursor *cursor) -{ - if(id->end_seq_get == NULL) { - krb5_set_error_string(context, - "end_seq_get is not supported in the %s " - " keytab", id->prefix); - return HEIM_ERR_OPNOTSUPP; - } - return (*id->end_seq_get)(context, id, cursor); -} - -/* - * Add the entry in `entry' to the keytab `id'. - * Return 0 or an error. 
- */ - -krb5_error_code -krb5_kt_add_entry(krb5_context context, - krb5_keytab id, - krb5_keytab_entry *entry) -{ - if(id->add == NULL) { - krb5_set_error_string(context, "Add is not supported in the %s keytab", - id->prefix); - return KRB5_KT_NOWRITE; - } - entry->timestamp = time(NULL); - return (*id->add)(context, id,entry); -} - -/* - * Remove the entry `entry' from the keytab `id'. - * Return 0 or an error. - */ - -krb5_error_code -krb5_kt_remove_entry(krb5_context context, - krb5_keytab id, - krb5_keytab_entry *entry) -{ - if(id->remove == NULL) { - krb5_set_error_string(context, - "Remove is not supported in the %s keytab", - id->prefix); - return KRB5_KT_NOWRITE; - } - return (*id->remove)(context, id, entry); -} diff --git a/crypto/heimdal-0.6.3/lib/krb5/keytab_any.c b/crypto/heimdal-0.6.3/lib/krb5/keytab_any.c deleted file mode 100644 index 667788c69d..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/keytab_any.c +++ /dev/null 
@@ -1,256 +0,0 @@ -/* - * Copyright (c) 2001-2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "krb5_locl.h" - -RCSID("$Id: keytab_any.c,v 1.7 2002/10/21 13:36:59 joda Exp $"); - -struct any_data { - krb5_keytab kt; - char *name; - struct any_data *next; -}; - -static void -free_list (krb5_context context, struct any_data *a) -{ - struct any_data *next; - - for (; a != NULL; a = next) { - next = a->next; - free (a->name); - if(a->kt) - krb5_kt_close(context, a->kt); - free (a); - } -} - -static krb5_error_code -any_resolve(krb5_context context, const char *name, krb5_keytab id) -{ - struct any_data *a, *a0 = NULL, *prev = NULL; - krb5_error_code ret; - char buf[256]; - - while (strsep_copy(&name, ",", buf, sizeof(buf)) != -1) { - a = malloc(sizeof(*a)); - if (a == NULL) { - ret = ENOMEM; - goto fail; - } - if (a0 == NULL) { - a0 = a; - a->name = strdup(buf); - if (a->name == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - ret = ENOMEM; - goto fail; - } - } else - a->name = NULL; - if (prev != NULL) - prev->next = a; - a->next = NULL; - ret = krb5_kt_resolve (context, buf, &a->kt); - if (ret) - goto fail; - prev = a; - } - if (a0 == NULL) { - krb5_set_error_string(context, "empty ANY: keytab"); - return ENOENT; - } - id->data = a0; - return 0; - fail: - free_list (context, a0); - return ret; -} - -static krb5_error_code -any_get_name (krb5_context context, - krb5_keytab id, - char *name, - size_t namesize) -{ - struct any_data *a = id->data; - strlcpy(name, a->name, namesize); - return 0; -} - -static krb5_error_code -any_close (krb5_context context, - krb5_keytab id) -{ - struct any_data *a = id->data; - - free_list (context, a); - return 0; -} - -struct any_cursor_extra_data { - struct any_data *a; - krb5_kt_cursor cursor; -}; - -static krb5_error_code -any_start_seq_get(krb5_context context, - krb5_keytab id, - krb5_kt_cursor *c) -{ - struct any_data *a = id->data; - struct any_cursor_extra_data *ed; - krb5_error_code ret; - - c->data = malloc (sizeof(struct any_cursor_extra_data)); - if(c->data == NULL){ - 
krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - ed = (struct any_cursor_extra_data *)c->data; - ed->a = a; - ret = krb5_kt_start_seq_get(context, ed->a->kt, &ed->cursor); - if (ret) { - free (c->data); - c->data = NULL; - return ret; - } - return 0; -} - -static krb5_error_code -any_next_entry (krb5_context context, - krb5_keytab id, - krb5_keytab_entry *entry, - krb5_kt_cursor *cursor) -{ - krb5_error_code ret, ret2; - struct any_cursor_extra_data *ed; - - ed = (struct any_cursor_extra_data *)cursor->data; - do { - ret = krb5_kt_next_entry(context, ed->a->kt, entry, &ed->cursor); - if (ret == 0) - return 0; - else if (ret == KRB5_KT_END) { - ret2 = krb5_kt_end_seq_get (context, ed->a->kt, &ed->cursor); - if (ret2) - return ret2; - while ((ed->a = ed->a->next) != NULL) { - ret2 = krb5_kt_start_seq_get(context, ed->a->kt, &ed->cursor); - if (ret2 == 0) - break; - } - if (ed->a == NULL) { - krb5_clear_error_string (context); - return KRB5_KT_END; - } - } else - return ret; - } while (ret == KRB5_KT_END); - return ret; -} - -static krb5_error_code -any_end_seq_get(krb5_context context, - krb5_keytab id, - krb5_kt_cursor *cursor) -{ - krb5_error_code ret = 0; - struct any_cursor_extra_data *ed; - - ed = (struct any_cursor_extra_data *)cursor->data; - if (ed->a != NULL) - ret = krb5_kt_end_seq_get(context, ed->a->kt, &ed->cursor); - free (ed); - cursor->data = NULL; - return ret; -} - -static krb5_error_code -any_add_entry(krb5_context context, - krb5_keytab id, - krb5_keytab_entry *entry) -{ - struct any_data *a = id->data; - krb5_error_code ret; - while(a != NULL) { - ret = krb5_kt_add_entry(context, a->kt, entry); - if(ret != 0 && ret != KRB5_KT_NOWRITE) { - krb5_set_error_string(context, "failed to add entry to %s", - a->name); - return ret; - } - a = a->next; - } - return 0; -} - -static krb5_error_code -any_remove_entry(krb5_context context, - krb5_keytab id, - krb5_keytab_entry *entry) -{ - struct any_data *a = id->data; - 
krb5_error_code ret; - int found = 0; - while(a != NULL) { - ret = krb5_kt_remove_entry(context, a->kt, entry); - if(ret == 0) - found++; - else { - if(ret != KRB5_KT_NOWRITE && ret != KRB5_KT_NOTFOUND) { - krb5_set_error_string(context, "failed to remove entry from %s", - a->name); - return ret; - } - } - a = a->next; - } - if(!found) - return KRB5_KT_NOTFOUND; - return 0; -} - -const krb5_kt_ops krb5_any_ops = { - "ANY", - any_resolve, - any_get_name, - any_close, - NULL, /* get */ - any_start_seq_get, - any_next_entry, - any_end_seq_get, - any_add_entry, - any_remove_entry -}; diff --git a/crypto/heimdal-0.6.3/lib/krb5/keytab_file.c b/crypto/heimdal-0.6.3/lib/krb5/keytab_file.c deleted file mode 100644 index f2ff53867c..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/keytab_file.c +++ /dev/null 
@@ -1,617 +0,0 @@ -/* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "krb5_locl.h" - -RCSID("$Id: keytab_file.c,v 1.12 2002/09/24 16:43:30 joda Exp $"); - -#define KRB5_KT_VNO_1 1 -#define KRB5_KT_VNO_2 2 -#define KRB5_KT_VNO KRB5_KT_VNO_2 - -/* file operations -------------------------------------------- */ - -struct fkt_data { - char *filename; -}; - -static krb5_error_code -krb5_kt_ret_data(krb5_context context, - krb5_storage *sp, - krb5_data *data) -{ - int ret; - int16_t size; - ret = krb5_ret_int16(sp, &size); - if(ret) - return ret; - data->length = size; - data->data = malloc(size); - if (data->data == NULL) { - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - ret = krb5_storage_read(sp, data->data, size); - if(ret != size) - return (ret < 0)? errno : KRB5_KT_END; - return 0; -} - -static krb5_error_code -krb5_kt_ret_string(krb5_context context, - krb5_storage *sp, - general_string *data) -{ - int ret; - int16_t size; - ret = krb5_ret_int16(sp, &size); - if(ret) - return ret; - *data = malloc(size + 1); - if (*data == NULL) { - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - ret = krb5_storage_read(sp, *data, size); - (*data)[size] = '\0'; - if(ret != size) - return (ret < 0)? 
errno : KRB5_KT_END; - return 0; -} - -static krb5_error_code -krb5_kt_store_data(krb5_context context, - krb5_storage *sp, - krb5_data data) -{ - int ret; - ret = krb5_store_int16(sp, data.length); - if(ret < 0) - return ret; - ret = krb5_storage_write(sp, data.data, data.length); - if(ret != data.length){ - if(ret < 0) - return errno; - return KRB5_KT_END; - } - return 0; -} - -static krb5_error_code -krb5_kt_store_string(krb5_storage *sp, - general_string data) -{ - int ret; - size_t len = strlen(data); - ret = krb5_store_int16(sp, len); - if(ret < 0) - return ret; - ret = krb5_storage_write(sp, data, len); - if(ret != len){ - if(ret < 0) - return errno; - return KRB5_KT_END; - } - return 0; -} - -static krb5_error_code -krb5_kt_ret_keyblock(krb5_context context, krb5_storage *sp, krb5_keyblock *p) -{ - int ret; - int16_t tmp; - - ret = krb5_ret_int16(sp, &tmp); /* keytype + etype */ - if(ret) return ret; - p->keytype = tmp; - ret = krb5_kt_ret_data(context, sp, &p->keyvalue); - return ret; -} - -static krb5_error_code -krb5_kt_store_keyblock(krb5_context context, - krb5_storage *sp, - krb5_keyblock *p) -{ - int ret; - - ret = krb5_store_int16(sp, p->keytype); /* keytype + etype */ - if(ret) return ret; - ret = krb5_kt_store_data(context, sp, p->keyvalue); - return ret; -} - - -static krb5_error_code -krb5_kt_ret_principal(krb5_context context, - krb5_storage *sp, - krb5_principal *princ) -{ - int i; - int ret; - krb5_principal p; - int16_t tmp; - - ALLOC(p, 1); - if(p == NULL) { - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - - ret = krb5_ret_int16(sp, &tmp); - if(ret) - return ret; - if(krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS)) - tmp--; - p->name.name_string.len = tmp; - ret = krb5_kt_ret_string(context, sp, &p->realm); - if(ret) - return ret; - p->name.name_string.val = calloc(p->name.name_string.len, - sizeof(*p->name.name_string.val)); - if(p->name.name_string.val == NULL) { - 
krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - for(i = 0; i < p->name.name_string.len; i++){ - ret = krb5_kt_ret_string(context, sp, p->name.name_string.val + i); - if(ret) - return ret; - } - if (krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE)) - p->name.name_type = KRB5_NT_UNKNOWN; - else { - int32_t tmp32; - ret = krb5_ret_int32(sp, &tmp32); - p->name.name_type = tmp32; - if (ret) - return ret; - } - *princ = p; - return 0; -} - -static krb5_error_code -krb5_kt_store_principal(krb5_context context, - krb5_storage *sp, - krb5_principal p) -{ - int i; - int ret; - - if(krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS)) - ret = krb5_store_int16(sp, p->name.name_string.len + 1); - else - ret = krb5_store_int16(sp, p->name.name_string.len); - if(ret) return ret; - ret = krb5_kt_store_string(sp, p->realm); - if(ret) return ret; - for(i = 0; i < p->name.name_string.len; i++){ - ret = krb5_kt_store_string(sp, p->name.name_string.val[i]); - if(ret) - return ret; - } - if(!krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE)) { - ret = krb5_store_int32(sp, p->name.name_type); - if(ret) - return ret; - } - - return 0; -} - -static krb5_error_code -fkt_resolve(krb5_context context, const char *name, krb5_keytab id) -{ - struct fkt_data *d; - - d = malloc(sizeof(*d)); - if(d == NULL) { - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - d->filename = strdup(name); - if(d->filename == NULL) { - free(d); - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - id->data = d; - return 0; -} - -static krb5_error_code -fkt_close(krb5_context context, krb5_keytab id) -{ - struct fkt_data *d = id->data; - free(d->filename); - free(d); - return 0; -} - -static krb5_error_code -fkt_get_name(krb5_context context, - krb5_keytab id, - char *name, - size_t namesize) -{ - /* This function is XXX */ - struct fkt_data *d = id->data; - strlcpy(name, 
d->filename, namesize); - return 0; -} - -static void -storage_set_flags(krb5_context context, krb5_storage *sp, int vno) -{ - int flags = 0; - switch(vno) { - case KRB5_KT_VNO_1: - flags |= KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS; - flags |= KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE; - flags |= KRB5_STORAGE_HOST_BYTEORDER; - break; - case KRB5_KT_VNO_2: - break; - default: - krb5_warnx(context, - "storage_set_flags called with bad vno (%d)", vno); - } - krb5_storage_set_flags(sp, flags); -} - -static krb5_error_code -fkt_start_seq_get_int(krb5_context context, - krb5_keytab id, - int flags, - krb5_kt_cursor *c) -{ - int8_t pvno, tag; - krb5_error_code ret; - struct fkt_data *d = id->data; - - c->fd = open (d->filename, flags); - if (c->fd < 0) { - ret = errno; - krb5_set_error_string(context, "%s: %s", d->filename, - strerror(ret)); - return ret; - } - c->sp = krb5_storage_from_fd(c->fd); - krb5_storage_set_eof_code(c->sp, KRB5_KT_END); - ret = krb5_ret_int8(c->sp, &pvno); - if(ret) { - krb5_storage_free(c->sp); - close(c->fd); - return ret; - } - if(pvno != 5) { - krb5_storage_free(c->sp); - close(c->fd); - krb5_clear_error_string (context); - return KRB5_KEYTAB_BADVNO; - } - ret = krb5_ret_int8(c->sp, &tag); - if (ret) { - krb5_storage_free(c->sp); - close(c->fd); - return ret; - } - id->version = tag; - storage_set_flags(context, c->sp, id->version); - return 0; -} - -static krb5_error_code -fkt_start_seq_get(krb5_context context, - krb5_keytab id, - krb5_kt_cursor *c) -{ - return fkt_start_seq_get_int(context, id, O_RDONLY | O_BINARY, c); -} - -static krb5_error_code -fkt_next_entry_int(krb5_context context, - krb5_keytab id, - krb5_keytab_entry *entry, - krb5_kt_cursor *cursor, - off_t *start, - off_t *end) -{ - int32_t len; - int ret; - int8_t tmp8; - int32_t tmp32; - off_t pos, curpos; - - pos = krb5_storage_seek(cursor->sp, 0, SEEK_CUR); -loop: - ret = krb5_ret_int32(cursor->sp, &len); - if (ret) - return ret; - if(len < 0) { - pos = 
krb5_storage_seek(cursor->sp, -len, SEEK_CUR); - goto loop; - } - ret = krb5_kt_ret_principal (context, cursor->sp, &entry->principal); - if (ret) - goto out; - ret = krb5_ret_int32(cursor->sp, &tmp32); - entry->timestamp = tmp32; - if (ret) - goto out; - ret = krb5_ret_int8(cursor->sp, &tmp8); - if (ret) - goto out; - entry->vno = tmp8; - ret = krb5_kt_ret_keyblock (context, cursor->sp, &entry->keyblock); - if (ret) - goto out; - /* there might be a 32 bit kvno here - * if it's zero, assume that the 8bit one was right, - * otherwise trust the new value */ - curpos = krb5_storage_seek(cursor->sp, 0, SEEK_CUR); - if(len + 4 + pos - curpos == 4) { - ret = krb5_ret_int32(cursor->sp, &tmp32); - if (ret == 0 && tmp32 != 0) { - entry->vno = tmp32; - } - } - if(start) *start = pos; - if(end) *end = *start + 4 + len; - out: - krb5_storage_seek(cursor->sp, pos + 4 + len, SEEK_SET); - return ret; -} - -static krb5_error_code -fkt_next_entry(krb5_context context, - krb5_keytab id, - krb5_keytab_entry *entry, - krb5_kt_cursor *cursor) -{ - return fkt_next_entry_int(context, id, entry, cursor, NULL, NULL); -} - -static krb5_error_code -fkt_end_seq_get(krb5_context context, - krb5_keytab id, - krb5_kt_cursor *cursor) -{ - krb5_storage_free(cursor->sp); - close(cursor->fd); - return 0; -} - -static krb5_error_code -fkt_setup_keytab(krb5_context context, - krb5_keytab id, - krb5_storage *sp) -{ - krb5_error_code ret; - ret = krb5_store_int8(sp, 5); - if(ret) - return ret; - if(id->version == 0) - id->version = KRB5_KT_VNO; - return krb5_store_int8 (sp, id->version); -} - -static krb5_error_code -fkt_add_entry(krb5_context context, - krb5_keytab id, - krb5_keytab_entry *entry) -{ - int ret; - int fd; - krb5_storage *sp; - struct fkt_data *d = id->data; - krb5_data keytab; - int32_t len; - - fd = open (d->filename, O_RDWR | O_BINARY); - if (fd < 0) { - fd = open (d->filename, O_RDWR | O_CREAT | O_EXCL | O_BINARY, 0600); - if (fd < 0) { - ret = errno; - krb5_set_error_string(context, 
"open(%s): %s", d->filename, - strerror(ret)); - return ret; - } - sp = krb5_storage_from_fd(fd); - krb5_storage_set_eof_code(sp, KRB5_KT_END); - ret = fkt_setup_keytab(context, id, sp); - if(ret) { - krb5_storage_free(sp); - close(fd); - return ret; - } - storage_set_flags(context, sp, id->version); - } else { - int8_t pvno, tag; - sp = krb5_storage_from_fd(fd); - krb5_storage_set_eof_code(sp, KRB5_KT_END); - ret = krb5_ret_int8(sp, &pvno); - if(ret) { - /* we probably have a zero byte file, so try to set it up - properly */ - ret = fkt_setup_keytab(context, id, sp); - if(ret) { - krb5_set_error_string(context, "%s: keytab is corrupted: %s", - d->filename, strerror(ret)); - krb5_storage_free(sp); - close(fd); - return ret; - } - storage_set_flags(context, sp, id->version); - } else { - if(pvno != 5) { - krb5_storage_free(sp); - close(fd); - krb5_clear_error_string (context); - ret = KRB5_KEYTAB_BADVNO; - krb5_set_error_string(context, "%s: %s", - d->filename, strerror(ret)); - return ret; - } - ret = krb5_ret_int8 (sp, &tag); - if (ret) { - krb5_set_error_string(context, "%s: reading tag: %s", - d->filename, strerror(ret)); - krb5_storage_free(sp); - close(fd); - return ret; - } - id->version = tag; - storage_set_flags(context, sp, id->version); - } - } - - { - krb5_storage *emem; - emem = krb5_storage_emem(); - if(emem == NULL) { - ret = ENOMEM; - krb5_set_error_string (context, "malloc: out of memory"); - goto out; - } - ret = krb5_kt_store_principal(context, emem, entry->principal); - if(ret) { - krb5_storage_free(emem); - goto out; - } - ret = krb5_store_int32 (emem, entry->timestamp); - if(ret) { - krb5_storage_free(emem); - goto out; - } - ret = krb5_store_int8 (emem, entry->vno % 256); - if(ret) { - krb5_storage_free(emem); - goto out; - } - ret = krb5_kt_store_keyblock (context, emem, &entry->keyblock); - if(ret) { - krb5_storage_free(emem); - goto out; - } - ret = krb5_store_int32 (emem, entry->vno); - if (ret) { - krb5_storage_free(emem); - goto out; - } 
- - ret = krb5_storage_to_data(emem, &keytab); - krb5_storage_free(emem); - if(ret) - goto out; - } - - while(1) { - ret = krb5_ret_int32(sp, &len); - if(ret == KRB5_KT_END) { - len = keytab.length; - break; - } - if(len < 0) { - len = -len; - if(len >= keytab.length) { - krb5_storage_seek(sp, -4, SEEK_CUR); - break; - } - } - krb5_storage_seek(sp, len, SEEK_CUR); - } - ret = krb5_store_int32(sp, len); - if(krb5_storage_write(sp, keytab.data, keytab.length) < 0) - ret = errno; - memset(keytab.data, 0, keytab.length); - krb5_data_free(&keytab); - out: - krb5_storage_free(sp); - close(fd); - return ret; -} - -static krb5_error_code -fkt_remove_entry(krb5_context context, - krb5_keytab id, - krb5_keytab_entry *entry) -{ - krb5_keytab_entry e; - krb5_kt_cursor cursor; - off_t pos_start, pos_end; - int found = 0; - krb5_error_code ret; - - ret = fkt_start_seq_get_int(context, id, O_RDWR | O_BINARY, &cursor); - if(ret != 0) - goto out; /* return other error here? */ - while(fkt_next_entry_int(context, id, &e, &cursor, - &pos_start, &pos_end) == 0) { - if(krb5_kt_compare(context, &e, entry->principal, - entry->vno, entry->keyblock.keytype)) { - int32_t len; - unsigned char buf[128]; - found = 1; - krb5_storage_seek(cursor.sp, pos_start, SEEK_SET); - len = pos_end - pos_start - 4; - krb5_store_int32(cursor.sp, -len); - memset(buf, 0, sizeof(buf)); - while(len > 0) { - krb5_storage_write(cursor.sp, buf, min(len, sizeof(buf))); - len -= min(len, sizeof(buf)); - } - } - } - krb5_kt_end_seq_get(context, id, &cursor); - out: - if (!found) { - krb5_clear_error_string (context); - return KRB5_KT_NOTFOUND; - } - return 0; -} - -const krb5_kt_ops krb5_fkt_ops = { - "FILE", - fkt_resolve, - fkt_get_name, - fkt_close, - NULL, /* get */ - fkt_start_seq_get, - fkt_next_entry, - fkt_end_seq_get, - fkt_add_entry, - fkt_remove_entry -}; 
diff --git a/crypto/heimdal-0.6.3/lib/krb5/keytab_keyfile.c b/crypto/heimdal-0.6.3/lib/krb5/keytab_keyfile.c
deleted file mode 100644
index aca930fa55..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/keytab_keyfile.c
+++ /dev/null
@@ -1,389 +0,0 @@ -/* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "krb5_locl.h" - -RCSID("$Id: keytab_keyfile.c,v 1.15 2002/10/21 15:42:06 joda Exp $"); - -/* afs keyfile operations --------------------------------------- */ - -/* - * Minimum tools to handle the AFS KeyFile. 
- * - * Format of the KeyFile is: - * {[ ] * numkeys} - * - * It just adds to the end of the keyfile, deleting isn't implemented. - * Use your favorite text/hex editor to delete keys. - * - */ - -#define AFS_SERVERTHISCELL "/usr/afs/etc/ThisCell" -#define AFS_SERVERMAGICKRBCONF "/usr/afs/etc/krb.conf" - -struct akf_data { - int num_entries; - char *filename; - char *cell; - char *realm; -}; - -/* - * set `d->cell' and `d->realm' - */ - -static int -get_cell_and_realm (krb5_context context, - struct akf_data *d) -{ - FILE *f; - char buf[BUFSIZ], *cp; - int ret; - - f = fopen (AFS_SERVERTHISCELL, "r"); - if (f == NULL) { - ret = errno; - krb5_set_error_string (context, "open %s: %s", AFS_SERVERTHISCELL, - strerror(ret)); - return ret; - } - if (fgets (buf, sizeof(buf), f) == NULL) { - fclose (f); - krb5_set_error_string (context, "no cell in %s", AFS_SERVERTHISCELL); - return EINVAL; - } - buf[strcspn(buf, "\n")] = '\0'; - fclose(f); - - d->cell = strdup (buf); - if (d->cell == NULL) { - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - - f = fopen (AFS_SERVERMAGICKRBCONF, "r"); - if (f != NULL) { - if (fgets (buf, sizeof(buf), f) == NULL) { - fclose (f); - krb5_set_error_string (context, "no realm in %s", - AFS_SERVERMAGICKRBCONF); - return EINVAL; - } - buf[strcspn(buf, "\n")] = '\0'; - fclose(f); - } - /* uppercase */ - for (cp = buf; *cp != '\0'; cp++) - *cp = toupper(*cp); - - d->realm = strdup (buf); - if (d->realm == NULL) { - free (d->cell); - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - return 0; -} - -/* - * init and get filename - */ - -static krb5_error_code -akf_resolve(krb5_context context, const char *name, krb5_keytab id) -{ - int ret; - struct akf_data *d = malloc(sizeof (struct akf_data)); - - if (d == NULL) { - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - - d->num_entries = 0; - ret = get_cell_and_realm (context, d); - if (ret) { - free (d); - 
return ret; - } - d->filename = strdup (name); - if (d->filename == NULL) { - free (d->cell); - free (d->realm); - free (d); - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - id->data = d; - - return 0; -} - -/* - * cleanup - */ - -static krb5_error_code -akf_close(krb5_context context, krb5_keytab id) -{ - struct akf_data *d = id->data; - - free (d->filename); - free (d->cell); - free (d); - return 0; -} - -/* - * Return filename - */ - -static krb5_error_code -akf_get_name(krb5_context context, - krb5_keytab id, - char *name, - size_t name_sz) -{ - struct akf_data *d = id->data; - - strlcpy (name, d->filename, name_sz); - return 0; -} - -/* - * Init - */ - -static krb5_error_code -akf_start_seq_get(krb5_context context, - krb5_keytab id, - krb5_kt_cursor *c) -{ - int32_t ret; - struct akf_data *d = id->data; - - c->fd = open (d->filename, O_RDONLY|O_BINARY, 0600); - if (c->fd < 0) { - ret = errno; - krb5_set_error_string(context, "open(%s): %s", d->filename, - strerror(ret)); - return ret; - } - - c->sp = krb5_storage_from_fd(c->fd); - ret = krb5_ret_int32(c->sp, &d->num_entries); - if(ret) { - krb5_storage_free(c->sp); - close(c->fd); - krb5_clear_error_string (context); - if(ret == KRB5_KT_END) - return KRB5_KT_NOTFOUND; - return ret; - } - - return 0; -} - -static krb5_error_code -akf_next_entry(krb5_context context, - krb5_keytab id, - krb5_keytab_entry *entry, - krb5_kt_cursor *cursor) -{ - struct akf_data *d = id->data; - int32_t kvno; - off_t pos; - int ret; - - pos = krb5_storage_seek(cursor->sp, 0, SEEK_CUR); - - if ((pos - 4) / (4 + 8) >= d->num_entries) - return KRB5_KT_END; - - ret = krb5_make_principal (context, &entry->principal, - d->realm, "afs", d->cell, NULL); - if (ret) - goto out; - - ret = krb5_ret_int32(cursor->sp, &kvno); - if (ret) { - krb5_free_principal (context, entry->principal); - goto out; - } - - entry->vno = kvno; - - entry->keyblock.keytype = ETYPE_DES_CBC_MD5; - entry->keyblock.keyvalue.length = 
8; - entry->keyblock.keyvalue.data = malloc (8); - if (entry->keyblock.keyvalue.data == NULL) { - krb5_free_principal (context, entry->principal); - krb5_set_error_string (context, "malloc: out of memory"); - ret = ENOMEM; - goto out; - } - - ret = krb5_storage_read(cursor->sp, entry->keyblock.keyvalue.data, 8); - if(ret != 8) - ret = (ret < 0) ? errno : KRB5_KT_END; - else - ret = 0; - - entry->timestamp = time(NULL); - - out: - krb5_storage_seek(cursor->sp, pos + 4 + 8, SEEK_SET); - return ret; -} - -static krb5_error_code -akf_end_seq_get(krb5_context context, - krb5_keytab id, - krb5_kt_cursor *cursor) -{ - krb5_storage_free(cursor->sp); - close(cursor->fd); - return 0; -} - -static krb5_error_code -akf_add_entry(krb5_context context, - krb5_keytab id, - krb5_keytab_entry *entry) -{ - struct akf_data *d = id->data; - int fd, created = 0; - krb5_error_code ret; - int32_t len; - krb5_storage *sp; - - - if (entry->keyblock.keyvalue.length != 8 - || entry->keyblock.keytype != ETYPE_DES_CBC_MD5) - return 0; - - fd = open (d->filename, O_RDWR | O_BINARY); - if (fd < 0) { - fd = open (d->filename, - O_RDWR | O_BINARY | O_CREAT | O_EXCL, 0600); - if (fd < 0) { - ret = errno; - krb5_set_error_string(context, "open(%s): %s", d->filename, - strerror(ret)); - return ret; - } - created = 1; - } - - sp = krb5_storage_from_fd(fd); - if(sp == NULL) { - close(fd); - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - if (created) - len = 0; - else { - if(krb5_storage_seek(sp, 0, SEEK_SET) < 0) { - ret = errno; - krb5_storage_free(sp); - close(fd); - krb5_set_error_string (context, "seek: %s", strerror(ret)); - return ret; - } - - ret = krb5_ret_int32(sp, &len); - if(ret) { - krb5_storage_free(sp); - close(fd); - return ret; - } - } - len++; - - if(krb5_storage_seek(sp, 0, SEEK_SET) < 0) { - ret = errno; - krb5_storage_free(sp); - close(fd); - krb5_set_error_string (context, "seek: %s", strerror(ret)); - return ret; - } - - ret = krb5_store_int32(sp, 
len); - if(ret) { - krb5_storage_free(sp); - close(fd); - return ret; - } - - - if(krb5_storage_seek(sp, (len - 1) * (8 + 4), SEEK_CUR) < 0) { - ret = errno; - krb5_storage_free(sp); - close(fd); - krb5_set_error_string (context, "seek: %s", strerror(ret)); - return ret; - } - - ret = krb5_store_int32(sp, entry->vno); - if(ret) { - krb5_storage_free(sp); - close(fd); - return ret; - } - ret = krb5_storage_write(sp, entry->keyblock.keyvalue.data, - entry->keyblock.keyvalue.length); - if(ret != entry->keyblock.keyvalue.length) { - krb5_storage_free(sp); - close(fd); - if(ret < 0) - return errno; - return ENOTTY; - } - krb5_storage_free(sp); - close (fd); - return 0; -} - -const krb5_kt_ops krb5_akf_ops = { - "AFSKEYFILE", - akf_resolve, - akf_get_name, - akf_close, - NULL, /* get */ - akf_start_seq_get, - akf_next_entry, - akf_end_seq_get, - akf_add_entry, - NULL /* remove */ -}; diff --git a/crypto/heimdal-0.6.3/lib/krb5/keytab_krb4.c b/crypto/heimdal-0.6.3/lib/krb5/keytab_krb4.c deleted file mode 100644 index 2405f8256a..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/keytab_krb4.c +++ /dev/null 
@@ -1,427 +0,0 @@ -/* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "krb5_locl.h" - -RCSID("$Id: keytab_krb4.c,v 1.10 2002/04/18 14:04:46 joda Exp $"); - -struct krb4_kt_data { - char *filename; -}; - -static krb5_error_code -krb4_kt_resolve(krb5_context context, const char *name, krb5_keytab id) -{ - struct krb4_kt_data *d; - - d = malloc (sizeof(*d)); - if (d == NULL) { - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - d->filename = strdup (name); - if (d->filename == NULL) { - free(d); - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - id->data = d; - return 0; -} - -static krb5_error_code -krb4_kt_get_name (krb5_context context, - krb5_keytab id, - char *name, - size_t name_sz) -{ - struct krb4_kt_data *d = id->data; - - strlcpy (name, d->filename, name_sz); - return 0; -} - -static krb5_error_code -krb4_kt_close (krb5_context context, - krb5_keytab id) -{ - struct krb4_kt_data *d = id->data; - - free (d->filename); - free (d); - return 0; -} - -struct krb4_cursor_extra_data { - krb5_keytab_entry entry; - int num; -}; - -static int -open_flock(const char *filename, int flags, int mode) -{ - int lock_mode; - int tries = 0; - int fd = open(filename, flags, mode); - if(fd < 0) - return fd; - if((flags & O_ACCMODE) == O_RDONLY) - lock_mode = LOCK_SH | LOCK_NB; - else - lock_mode = LOCK_EX | LOCK_NB; - while(flock(fd, lock_mode) < 0) { - if(++tries < 5) { - sleep(1); - } else { - close(fd); - return -1; - } - } - return fd; -} - - - -static krb5_error_code -krb4_kt_start_seq_get_int (krb5_context context, - krb5_keytab id, - int flags, - krb5_kt_cursor *c) -{ - struct krb4_kt_data *d = id->data; - struct krb4_cursor_extra_data *ed; - int ret; - - ed = malloc (sizeof(*ed)); - if (ed == NULL) { - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - ed->entry.principal = NULL; - ed->num = -1; - c->data = ed; - c->fd = open_flock (d->filename, flags, 0); - if (c->fd < 0) { - ret = errno; - free (ed); - 
krb5_set_error_string(context, "open(%s): %s", d->filename, - strerror(ret)); - return ret; - } - c->sp = krb5_storage_from_fd(c->fd); - krb5_storage_set_eof_code(c->sp, KRB5_KT_END); - return 0; -} - -static krb5_error_code -krb4_kt_start_seq_get (krb5_context context, - krb5_keytab id, - krb5_kt_cursor *c) -{ - return krb4_kt_start_seq_get_int (context, id, O_BINARY | O_RDONLY, c); -} - -static krb5_error_code -read_v4_entry (krb5_context context, - struct krb4_kt_data *d, - krb5_kt_cursor *c, - struct krb4_cursor_extra_data *ed) -{ - krb5_error_code ret; - char *service, *instance, *realm; - int8_t kvno; - des_cblock key; - - ret = krb5_ret_stringz(c->sp, &service); - if (ret) - return ret; - ret = krb5_ret_stringz(c->sp, &instance); - if (ret) { - free (service); - return ret; - } - ret = krb5_ret_stringz(c->sp, &realm); - if (ret) { - free (service); - free (instance); - return ret; - } - ret = krb5_425_conv_principal (context, service, instance, realm, - &ed->entry.principal); - free (service); - free (instance); - free (realm); - if (ret) - return ret; - ret = krb5_ret_int8(c->sp, &kvno); - if (ret) { - krb5_free_principal (context, ed->entry.principal); - return ret; - } - ret = krb5_storage_read(c->sp, key, 8); - if (ret < 0) { - krb5_free_principal(context, ed->entry.principal); - return ret; - } - if (ret < 8) { - krb5_free_principal(context, ed->entry.principal); - return EINVAL; - } - ed->entry.vno = kvno; - ret = krb5_data_copy (&ed->entry.keyblock.keyvalue, - key, 8); - if (ret) - return ret; - ed->entry.timestamp = time(NULL); - ed->num = 0; - return 0; -} - -static krb5_error_code -krb4_kt_next_entry (krb5_context context, - krb5_keytab id, - krb5_keytab_entry *entry, - krb5_kt_cursor *c) -{ - krb5_error_code ret; - struct krb4_kt_data *d = id->data; - struct krb4_cursor_extra_data *ed = c->data; - const krb5_enctype keytypes[] = {ETYPE_DES_CBC_MD5, - ETYPE_DES_CBC_MD4, - ETYPE_DES_CBC_CRC}; - - if (ed->num == -1) { - ret = read_v4_entry (context, 
d, c, ed); - if (ret) - return ret; - } - ret = krb5_kt_copy_entry_contents (context, - &ed->entry, - entry); - if (ret) - return ret; - entry->keyblock.keytype = keytypes[ed->num]; - if (++ed->num == 3) { - krb5_kt_free_entry (context, &ed->entry); - ed->num = -1; - } - return 0; -} - -static krb5_error_code -krb4_kt_end_seq_get (krb5_context context, - krb5_keytab id, - krb5_kt_cursor *c) -{ - struct krb4_cursor_extra_data *ed = c->data; - - krb5_storage_free (c->sp); - if (ed->num != -1) - krb5_kt_free_entry (context, &ed->entry); - free (c->data); - close (c->fd); - return 0; -} - -static krb5_error_code -krb4_store_keytab_entry(krb5_context context, - krb5_keytab_entry *entry, - krb5_storage *sp) -{ - krb5_error_code ret; -#define ANAME_SZ 40 -#define INST_SZ 40 -#define REALM_SZ 40 - char service[ANAME_SZ]; - char instance[INST_SZ]; - char realm[REALM_SZ]; - ret = krb5_524_conv_principal (context, entry->principal, - service, instance, realm); - if (ret) - return ret; - if (entry->keyblock.keyvalue.length == 8 - && entry->keyblock.keytype == ETYPE_DES_CBC_MD5) { - ret = krb5_store_stringz(sp, service); - ret = krb5_store_stringz(sp, instance); - ret = krb5_store_stringz(sp, realm); - ret = krb5_store_int8(sp, entry->vno); - ret = krb5_storage_write(sp, entry->keyblock.keyvalue.data, 8); - } - return 0; -} - -static krb5_error_code -krb4_kt_add_entry (krb5_context context, - krb5_keytab id, - krb5_keytab_entry *entry) -{ - struct krb4_kt_data *d = id->data; - krb5_storage *sp; - krb5_error_code ret; - int fd; - - fd = open_flock (d->filename, O_WRONLY | O_APPEND | O_BINARY, 0); - if (fd < 0) { - fd = open_flock (d->filename, - O_WRONLY | O_APPEND | O_BINARY | O_CREAT, 0600); - if (fd < 0) { - ret = errno; - krb5_set_error_string(context, "open(%s): %s", d->filename, - strerror(ret)); - return ret; - } - } - sp = krb5_storage_from_fd(fd); - krb5_storage_set_eof_code(sp, KRB5_KT_END); - if(sp == NULL) { - close(fd); - return ENOMEM; - } - ret = 
krb4_store_keytab_entry(context, entry, sp); - krb5_storage_free(sp); - if(close (fd) < 0) - return errno; - return ret; -} - -static krb5_error_code -krb4_kt_remove_entry(krb5_context context, - krb5_keytab id, - krb5_keytab_entry *entry) -{ - struct krb4_kt_data *d = id->data; - krb5_error_code ret; - krb5_keytab_entry e; - krb5_kt_cursor cursor; - krb5_storage *sp; - int remove_flag = 0; - - sp = krb5_storage_emem(); - ret = krb5_kt_start_seq_get(context, id, &cursor); - while(krb5_kt_next_entry(context, id, &e, &cursor) == 0) { - if(!krb5_kt_compare(context, &e, entry->principal, - entry->vno, entry->keyblock.keytype)) { - ret = krb4_store_keytab_entry(context, &e, sp); - if(ret) { - krb5_storage_free(sp); - return ret; - } - } else - remove_flag = 1; - } - krb5_kt_end_seq_get(context, id, &cursor); - if(remove_flag) { - int fd; - unsigned char buf[1024]; - ssize_t n; - krb5_data data; - struct stat st; - - krb5_storage_to_data(sp, &data); - krb5_storage_free(sp); - - fd = open_flock (d->filename, O_RDWR | O_BINARY, 0); - if(fd < 0) { - memset(data.data, 0, data.length); - krb5_data_free(&data); - if(errno == EACCES || errno == EROFS) - return KRB5_KT_NOWRITE; - return errno; - } - - if(write(fd, data.data, data.length) != data.length) { - memset(data.data, 0, data.length); - close(fd); - krb5_set_error_string(context, "failed writing to \"%s\"", d->filename); - return errno; - } - memset(data.data, 0, data.length); - if(fstat(fd, &st) < 0) { - close(fd); - krb5_set_error_string(context, "failed getting size of \"%s\"", d->filename); - return errno; - } - st.st_size -= data.length; - memset(buf, 0, sizeof(buf)); - while(st.st_size > 0) { - n = min(st.st_size, sizeof(buf)); - n = write(fd, buf, n); - if(n <= 0) { - close(fd); - krb5_set_error_string(context, "failed writing to \"%s\"", d->filename); - return errno; - - } - st.st_size -= n; - } - if(ftruncate(fd, data.length) < 0) { - close(fd); - krb5_set_error_string(context, "failed truncating \"%s\"", 
d->filename); - return errno; - } - krb5_data_free(&data); - if(close(fd) < 0) { - krb5_set_error_string(context, "error closing \"%s\"", d->filename); - return errno; - } - return 0; - } else - return KRB5_KT_NOTFOUND; -} - - -const krb5_kt_ops krb4_fkt_ops = { - "krb4", - krb4_kt_resolve, - krb4_kt_get_name, - krb4_kt_close, - NULL, /* get */ - krb4_kt_start_seq_get, - krb4_kt_next_entry, - krb4_kt_end_seq_get, - krb4_kt_add_entry, /* add_entry */ - krb4_kt_remove_entry /* remove_entry */ -}; - -const krb5_kt_ops krb5_srvtab_fkt_ops = { - "SRVTAB", - krb4_kt_resolve, - krb4_kt_get_name, - krb4_kt_close, - NULL, /* get */ - krb4_kt_start_seq_get, - krb4_kt_next_entry, - krb4_kt_end_seq_get, - krb4_kt_add_entry, /* add_entry */ - krb4_kt_remove_entry /* remove_entry */ -}; diff --git a/crypto/heimdal-0.6.3/lib/krb5/keytab_memory.c b/crypto/heimdal-0.6.3/lib/krb5/keytab_memory.c deleted file mode 100644 index cde894335f..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/keytab_memory.c +++ /dev/null 
@@ -1,165 +0,0 @@ -/* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "krb5_locl.h" - -RCSID("$Id: keytab_memory.c,v 1.5 2001/05/14 06:14:49 assar Exp $"); - -/* memory operations -------------------------------------------- */ - -struct mkt_data { - krb5_keytab_entry *entries; - int num_entries; -}; - -static krb5_error_code -mkt_resolve(krb5_context context, const char *name, krb5_keytab id) -{ - struct mkt_data *d; - d = malloc(sizeof(*d)); - if(d == NULL) { - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - d->entries = NULL; - d->num_entries = 0; - id->data = d; - return 0; -} - -static krb5_error_code -mkt_close(krb5_context context, krb5_keytab id) -{ - struct mkt_data *d = id->data; - int i; - for(i = 0; i < d->num_entries; i++) - krb5_kt_free_entry(context, &d->entries[i]); - free(d->entries); - free(d); - return 0; -} - -static krb5_error_code -mkt_get_name(krb5_context context, - krb5_keytab id, - char *name, - size_t namesize) -{ - strlcpy(name, "", namesize); - return 0; -} - -static krb5_error_code -mkt_start_seq_get(krb5_context context, - krb5_keytab id, - krb5_kt_cursor *c) -{ - /* XXX */ - c->fd = 0; - return 0; -} - -static krb5_error_code -mkt_next_entry(krb5_context context, - krb5_keytab id, - krb5_keytab_entry *entry, - krb5_kt_cursor *c) -{ - struct mkt_data *d = id->data; - if(c->fd >= d->num_entries) - return KRB5_KT_END; - return krb5_kt_copy_entry_contents(context, &d->entries[c->fd++], entry); -} - -static krb5_error_code -mkt_end_seq_get(krb5_context context, - krb5_keytab id, - krb5_kt_cursor *cursor) -{ - return 0; -} - -static krb5_error_code -mkt_add_entry(krb5_context context, - krb5_keytab id, - krb5_keytab_entry *entry) -{ - struct mkt_data *d = id->data; - krb5_keytab_entry *tmp; - tmp = realloc(d->entries, (d->num_entries + 1) * sizeof(*d->entries)); - if(tmp == NULL) { - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - d->entries = tmp; - return krb5_kt_copy_entry_contents(context, entry, - 
&d->entries[d->num_entries++]); -} - -static krb5_error_code -mkt_remove_entry(krb5_context context, - krb5_keytab id, - krb5_keytab_entry *entry) -{ - struct mkt_data *d = id->data; - krb5_keytab_entry *e, *end; - - /* do this backwards to minimize copying */ - for(end = d->entries + d->num_entries, e = end - 1; e >= d->entries; e--) { - if(krb5_kt_compare(context, e, entry->principal, - entry->vno, entry->keyblock.keytype)) { - krb5_kt_free_entry(context, e); - memmove(e, e + 1, (end - e - 1) * sizeof(*e)); - memset(end - 1, 0, sizeof(*end)); - d->num_entries--; - end--; - } - } - e = realloc(d->entries, d->num_entries * sizeof(*d->entries)); - if(e != NULL) - d->entries = e; - return 0; -} - -const krb5_kt_ops krb5_mkt_ops = { - "MEMORY", - mkt_resolve, - mkt_get_name, - mkt_close, - NULL, /* get */ - mkt_start_seq_get, - mkt_next_entry, - mkt_end_seq_get, - mkt_add_entry, - mkt_remove_entry -}; diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5-private.h b/crypto/heimdal-0.6.3/lib/krb5/krb5-private.h deleted file mode 100644 index 669e9547c5..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5-private.h +++ /dev/null 
@@ -1,102 +0,0 @@ -/* This is a generated file */ -#ifndef __krb5_private_h__ -#define __krb5_private_h__ - -#include - -void -_krb5_aes_cts_encrypt ( - const unsigned char */*in*/, - unsigned char */*out*/, - size_t /*len*/, - const void */*aes_key*/, - unsigned char */*ivec*/, - const int /*enc*/); - -void -_krb5_crc_init_table (void); - -u_int32_t -_krb5_crc_update ( - const char */*p*/, - size_t /*len*/, - u_int32_t /*res*/); - -int -_krb5_extract_ticket ( - krb5_context /*context*/, - krb5_kdc_rep */*rep*/, - krb5_creds */*creds*/, - krb5_keyblock */*key*/, - krb5_const_pointer /*keyseed*/, - krb5_key_usage /*key_usage*/, - krb5_addresses */*addrs*/, - unsigned /*nonce*/, - krb5_boolean /*allow_server_mismatch*/, - krb5_boolean /*ignore_cname*/, - krb5_decrypt_proc /*decrypt_proc*/, - krb5_const_pointer /*decryptarg*/); - -krb5_ssize_t -_krb5_get_int ( - void */*buffer*/, - unsigned long */*value*/, - size_t /*size*/); - -krb5_error_code -_krb5_get_krbtgt ( - krb5_context /*context*/, - krb5_ccache /*id*/, - krb5_realm /*realm*/, - krb5_creds **/*cred*/); - -time_t -_krb5_krb_life_to_time ( - int /*start*/, - int /*life_*/); - -int -_krb5_krb_time_to_life ( - time_t /*start*/, - time_t /*end*/); - -void -_krb5_n_fold ( - const void */*str*/, - size_t /*len*/, - void */*key*/, - size_t /*size*/); - -krb5_ssize_t -_krb5_put_int ( - void */*buffer*/, - unsigned long /*value*/, - size_t /*size*/); - -krb5_error_code -_krb5_store_creds_heimdal_0_7 ( - krb5_storage */*sp*/, - krb5_creds */*creds*/); - -krb5_error_code -_krb5_store_creds_heimdal_pre_0_7 ( - krb5_storage */*sp*/, - krb5_creds */*creds*/); - -krb5_error_code -_krb5_store_creds_internal ( - krb5_storage */*sp*/, - krb5_creds */*creds*/, - int /*v0_6*/); - -int -_krb5_xlock ( - krb5_context /*context*/, - int /*fd*/, - krb5_boolean /*exclusive*/, - const char */*filename*/); - -int -_krb5_xunlock (int /*fd*/); - -#endif /* __krb5_private_h__ */ 
diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5-protos.h b/crypto/heimdal-0.6.3/lib/krb5/krb5-protos.h
deleted file mode 100644
index 58788aebab..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/krb5-protos.h
+++ /dev/null
@@ -1,2986 +0,0 @@ -/* This is a generated file */ -#ifndef __krb5_protos_h__ -#define __krb5_protos_h__ - -#include - -#if !defined(__GNUC__) && !defined(__attribute__) -#define __attribute__(x) -#endif - -krb5_error_code -krb524_convert_creds_kdc ( - krb5_context /*context*/, - krb5_creds */*in_cred*/, - struct credentials */*v4creds*/); - -krb5_error_code -krb524_convert_creds_kdc_ccache ( - krb5_context /*context*/, - krb5_ccache /*ccache*/, - krb5_creds */*in_cred*/, - struct credentials */*v4creds*/); - -krb5_error_code -krb5_425_conv_principal ( - krb5_context /*context*/, - const char */*name*/, - const char */*instance*/, - const char */*realm*/, - krb5_principal */*princ*/); - -krb5_error_code -krb5_425_conv_principal_ext ( - krb5_context /*context*/, - const char */*name*/, - const char */*instance*/, - const char */*realm*/, - krb5_boolean (*/*func*/)(krb5_context, krb5_principal), - krb5_boolean /*resolve*/, - krb5_principal */*princ*/); - -krb5_error_code -krb5_524_conv_principal ( - krb5_context /*context*/, - const krb5_principal /*principal*/, - char */*name*/, - char */*instance*/, - char */*realm*/); - -krb5_error_code -krb5_PKCS5_PBKDF2 ( - krb5_context /*context*/, - krb5_cksumtype /*cktype*/, - krb5_data /*password*/, - krb5_salt /*salt*/, - u_int32_t /*iter*/, - krb5_keytype /*type*/, - krb5_keyblock */*key*/); - -krb5_error_code -krb5_abort ( - krb5_context /*context*/, - krb5_error_code /*code*/, - const char */*fmt*/, - ...) - __attribute__ ((noreturn, format (printf, 3, 4))); - -krb5_error_code -krb5_abortx ( - krb5_context /*context*/, - const char */*fmt*/, - ...) 
- __attribute__ ((noreturn, format (printf, 2, 3))); - -krb5_error_code -krb5_acl_match_file ( - krb5_context /*context*/, - const char */*file*/, - const char */*format*/, - ...); - -krb5_error_code -krb5_acl_match_string ( - krb5_context /*context*/, - const char */*string*/, - const char */*format*/, - ...); - -krb5_error_code -krb5_add_et_list ( - krb5_context /*context*/, - void (*/*func*/)(struct et_list **)); - -krb5_error_code -krb5_add_extra_addresses ( - krb5_context /*context*/, - krb5_addresses */*addresses*/); - -krb5_error_code -krb5_add_ignore_addresses ( - krb5_context /*context*/, - krb5_addresses */*addresses*/); - -krb5_error_code -krb5_addlog_dest ( - krb5_context /*context*/, - krb5_log_facility */*f*/, - const char */*orig*/); - -krb5_error_code -krb5_addlog_func ( - krb5_context /*context*/, - krb5_log_facility */*fac*/, - int /*min*/, - int /*max*/, - krb5_log_log_func_t /*log*/, - krb5_log_close_func_t /*close*/, - void */*data*/); - -krb5_error_code -krb5_addr2sockaddr ( - krb5_context /*context*/, - const krb5_address */*addr*/, - struct sockaddr */*sa*/, - krb5_socklen_t */*sa_size*/, - int /*port*/); - -krb5_boolean -krb5_address_compare ( - krb5_context /*context*/, - const krb5_address */*addr1*/, - const krb5_address */*addr2*/); - -int -krb5_address_order ( - krb5_context /*context*/, - const krb5_address */*addr1*/, - const krb5_address */*addr2*/); - -krb5_boolean -krb5_address_search ( - krb5_context /*context*/, - const krb5_address */*addr*/, - const krb5_addresses */*addrlist*/); - -krb5_error_code -krb5_aname_to_localname ( - krb5_context /*context*/, - krb5_const_principal /*aname*/, - size_t /*lnsize*/, - char */*lname*/); - -krb5_error_code -krb5_anyaddr ( - krb5_context /*context*/, - int /*af*/, - struct sockaddr */*sa*/, - krb5_socklen_t */*sa_size*/, - int /*port*/); - -void -krb5_appdefault_boolean ( - krb5_context /*context*/, - const char */*appname*/, - krb5_const_realm /*realm*/, - const char */*option*/, - 
krb5_boolean /*def_val*/, - krb5_boolean */*ret_val*/); - -void -krb5_appdefault_string ( - krb5_context /*context*/, - const char */*appname*/, - krb5_const_realm /*realm*/, - const char */*option*/, - const char */*def_val*/, - char **/*ret_val*/); - -void -krb5_appdefault_time ( - krb5_context /*context*/, - const char */*appname*/, - krb5_const_realm /*realm*/, - const char */*option*/, - time_t /*def_val*/, - time_t */*ret_val*/); - -krb5_error_code -krb5_append_addresses ( - krb5_context /*context*/, - krb5_addresses */*dest*/, - const krb5_addresses */*source*/); - -krb5_error_code -krb5_auth_con_free ( - krb5_context /*context*/, - krb5_auth_context /*auth_context*/); - -krb5_error_code -krb5_auth_con_genaddrs ( - krb5_context /*context*/, - krb5_auth_context /*auth_context*/, - int /*fd*/, - int /*flags*/); - -krb5_error_code -krb5_auth_con_generatelocalsubkey ( - krb5_context /*context*/, - krb5_auth_context /*auth_context*/, - krb5_keyblock */*key*/); - -krb5_error_code -krb5_auth_con_getaddrs ( - krb5_context /*context*/, - krb5_auth_context /*auth_context*/, - krb5_address **/*local_addr*/, - krb5_address **/*remote_addr*/); - -krb5_error_code -krb5_auth_con_getauthenticator ( - krb5_context /*context*/, - krb5_auth_context /*auth_context*/, - krb5_authenticator */*authenticator*/); - -krb5_error_code -krb5_auth_con_getcksumtype ( - krb5_context /*context*/, - krb5_auth_context /*auth_context*/, - krb5_cksumtype */*cksumtype*/); - -krb5_error_code -krb5_auth_con_getflags ( - krb5_context /*context*/, - krb5_auth_context /*auth_context*/, - int32_t */*flags*/); - -krb5_error_code -krb5_auth_con_getkey ( - krb5_context /*context*/, - krb5_auth_context /*auth_context*/, - krb5_keyblock **/*keyblock*/); - -krb5_error_code -krb5_auth_con_getkeytype ( - krb5_context /*context*/, - krb5_auth_context /*auth_context*/, - krb5_keytype */*keytype*/); - -krb5_error_code -krb5_auth_con_getlocalseqnumber ( - krb5_context /*context*/, - krb5_auth_context 
/*auth_context*/, - int32_t */*seqnumber*/); - -krb5_error_code -krb5_auth_con_getlocalsubkey ( - krb5_context /*context*/, - krb5_auth_context /*auth_context*/, - krb5_keyblock **/*keyblock*/); - -krb5_error_code -krb5_auth_con_getrcache ( - krb5_context /*context*/, - krb5_auth_context /*auth_context*/, - krb5_rcache */*rcache*/); - -krb5_error_code -krb5_auth_con_getremotesubkey ( - krb5_context /*context*/, - krb5_auth_context /*auth_context*/, - krb5_keyblock **/*keyblock*/); - -krb5_error_code -krb5_auth_con_init ( - krb5_context /*context*/, - krb5_auth_context */*auth_context*/); - -krb5_error_code -krb5_auth_con_setaddrs ( - krb5_context /*context*/, - krb5_auth_context /*auth_context*/, - krb5_address */*local_addr*/, - krb5_address */*remote_addr*/); - -krb5_error_code -krb5_auth_con_setaddrs_from_fd ( - krb5_context /*context*/, - krb5_auth_context /*auth_context*/, - void */*p_fd*/); - -krb5_error_code -krb5_auth_con_setcksumtype ( - krb5_context /*context*/, - krb5_auth_context /*auth_context*/, - krb5_cksumtype /*cksumtype*/); - -krb5_error_code -krb5_auth_con_setflags ( - krb5_context /*context*/, - krb5_auth_context /*auth_context*/, - int32_t /*flags*/); - -krb5_error_code -krb5_auth_con_setkey ( - krb5_context /*context*/, - krb5_auth_context /*auth_context*/, - krb5_keyblock */*keyblock*/); - -krb5_error_code -krb5_auth_con_setkeytype ( - krb5_context /*context*/, - krb5_auth_context /*auth_context*/, - krb5_keytype /*keytype*/); - -krb5_error_code -krb5_auth_con_setlocalseqnumber ( - krb5_context /*context*/, - krb5_auth_context /*auth_context*/, - int32_t /*seqnumber*/); - -krb5_error_code -krb5_auth_con_setlocalsubkey ( - krb5_context /*context*/, - krb5_auth_context /*auth_context*/, - krb5_keyblock */*keyblock*/); - -krb5_error_code -krb5_auth_con_setrcache ( - krb5_context /*context*/, - krb5_auth_context /*auth_context*/, - krb5_rcache /*rcache*/); - -krb5_error_code -krb5_auth_con_setremoteseqnumber ( - krb5_context /*context*/, - 
krb5_auth_context /*auth_context*/, - int32_t /*seqnumber*/); - -krb5_error_code -krb5_auth_con_setremotesubkey ( - krb5_context /*context*/, - krb5_auth_context /*auth_context*/, - krb5_keyblock */*keyblock*/); - -krb5_error_code -krb5_auth_con_setuserkey ( - krb5_context /*context*/, - krb5_auth_context /*auth_context*/, - krb5_keyblock */*keyblock*/); - -krb5_error_code -krb5_auth_getremoteseqnumber ( - krb5_context /*context*/, - krb5_auth_context /*auth_context*/, - int32_t */*seqnumber*/); - -krb5_error_code -krb5_build_ap_req ( - krb5_context /*context*/, - krb5_enctype /*enctype*/, - krb5_creds */*cred*/, - krb5_flags /*ap_options*/, - krb5_data /*authenticator*/, - krb5_data */*retdata*/); - -krb5_error_code -krb5_build_authenticator ( - krb5_context /*context*/, - krb5_auth_context /*auth_context*/, - krb5_enctype /*enctype*/, - krb5_creds */*cred*/, - Checksum */*cksum*/, - Authenticator **/*auth_result*/, - krb5_data */*result*/, - krb5_key_usage /*usage*/); - -krb5_error_code -krb5_build_principal ( - krb5_context /*context*/, - krb5_principal */*principal*/, - int /*rlen*/, - krb5_const_realm /*realm*/, - ...); - -krb5_error_code -krb5_build_principal_ext ( - krb5_context /*context*/, - krb5_principal */*principal*/, - int /*rlen*/, - krb5_const_realm /*realm*/, - ...); - -krb5_error_code -krb5_build_principal_va ( - krb5_context /*context*/, - krb5_principal */*principal*/, - int /*rlen*/, - krb5_const_realm /*realm*/, - va_list /*ap*/); - -krb5_error_code -krb5_build_principal_va_ext ( - krb5_context /*context*/, - krb5_principal */*principal*/, - int /*rlen*/, - krb5_const_realm /*realm*/, - va_list /*ap*/); - -krb5_error_code -krb5_cc_close ( - krb5_context /*context*/, - krb5_ccache /*id*/); - -krb5_error_code -krb5_cc_copy_cache ( - krb5_context /*context*/, - const krb5_ccache /*from*/, - krb5_ccache /*to*/); - -krb5_error_code -krb5_cc_default ( - krb5_context /*context*/, - krb5_ccache */*id*/); - -const char* -krb5_cc_default_name 
(krb5_context /*context*/); - -krb5_error_code -krb5_cc_destroy ( - krb5_context /*context*/, - krb5_ccache /*id*/); - -krb5_error_code -krb5_cc_end_seq_get ( - krb5_context /*context*/, - const krb5_ccache /*id*/, - krb5_cc_cursor */*cursor*/); - -krb5_error_code -krb5_cc_gen_new ( - krb5_context /*context*/, - const krb5_cc_ops */*ops*/, - krb5_ccache */*id*/); - -const char* -krb5_cc_get_name ( - krb5_context /*context*/, - krb5_ccache /*id*/); - -const krb5_cc_ops * -krb5_cc_get_ops ( - krb5_context /*context*/, - krb5_ccache /*id*/); - -krb5_error_code -krb5_cc_get_principal ( - krb5_context /*context*/, - krb5_ccache /*id*/, - krb5_principal */*principal*/); - -const char* -krb5_cc_get_type ( - krb5_context /*context*/, - krb5_ccache /*id*/); - -krb5_error_code -krb5_cc_get_version ( - krb5_context /*context*/, - const krb5_ccache /*id*/); - -krb5_error_code -krb5_cc_initialize ( - krb5_context /*context*/, - krb5_ccache /*id*/, - krb5_principal /*primary_principal*/); - -krb5_error_code -krb5_cc_next_cred ( - krb5_context /*context*/, - const krb5_ccache /*id*/, - krb5_cc_cursor */*cursor*/, - krb5_creds */*creds*/); - -krb5_error_code -krb5_cc_register ( - krb5_context /*context*/, - const krb5_cc_ops */*ops*/, - krb5_boolean /*override*/); - -krb5_error_code -krb5_cc_remove_cred ( - krb5_context /*context*/, - krb5_ccache /*id*/, - krb5_flags /*which*/, - krb5_creds */*cred*/); - -krb5_error_code -krb5_cc_resolve ( - krb5_context /*context*/, - const char */*name*/, - krb5_ccache */*id*/); - -krb5_error_code -krb5_cc_retrieve_cred ( - krb5_context /*context*/, - krb5_ccache /*id*/, - krb5_flags /*whichfields*/, - const krb5_creds */*mcreds*/, - krb5_creds */*creds*/); - -krb5_error_code -krb5_cc_set_default_name ( - krb5_context /*context*/, - const char */*name*/); - -krb5_error_code -krb5_cc_set_flags ( - krb5_context /*context*/, - krb5_ccache /*id*/, - krb5_flags /*flags*/); - -krb5_error_code -krb5_cc_start_seq_get ( - krb5_context /*context*/, - 
const krb5_ccache /*id*/, - krb5_cc_cursor */*cursor*/); - -krb5_error_code -krb5_cc_store_cred ( - krb5_context /*context*/, - krb5_ccache /*id*/, - krb5_creds */*creds*/); - -krb5_error_code -krb5_change_password ( - krb5_context /*context*/, - krb5_creds */*creds*/, - char */*newpw*/, - int */*result_code*/, - krb5_data */*result_code_string*/, - krb5_data */*result_string*/); - -krb5_error_code -krb5_check_transited ( - krb5_context /*context*/, - krb5_const_realm /*client_realm*/, - krb5_const_realm /*server_realm*/, - krb5_realm */*realms*/, - int /*num_realms*/, - int */*bad_realm*/); - -krb5_error_code -krb5_check_transited_realms ( - krb5_context /*context*/, - const char *const */*realms*/, - int /*num_realms*/, - int */*bad_realm*/); - -krb5_boolean -krb5_checksum_is_collision_proof ( - krb5_context /*context*/, - krb5_cksumtype /*type*/); - -krb5_boolean -krb5_checksum_is_keyed ( - krb5_context /*context*/, - krb5_cksumtype /*type*/); - -krb5_error_code -krb5_checksumsize ( - krb5_context /*context*/, - krb5_cksumtype /*type*/, - size_t */*size*/); - -void -krb5_clear_error_string (krb5_context /*context*/); - -krb5_error_code -krb5_closelog ( - krb5_context /*context*/, - krb5_log_facility */*fac*/); - -krb5_boolean -krb5_compare_creds ( - krb5_context /*context*/, - krb5_flags /*whichfields*/, - const krb5_creds */*mcreds*/, - const krb5_creds */*creds*/); - -krb5_error_code -krb5_config_file_free ( - krb5_context /*context*/, - krb5_config_section */*s*/); - -void -krb5_config_free_strings (char **/*strings*/); - -const void * -krb5_config_get ( - krb5_context /*context*/, - const krb5_config_section */*c*/, - int /*type*/, - ...); - -krb5_boolean -krb5_config_get_bool ( - krb5_context /*context*/, - const krb5_config_section */*c*/, - ...); - -krb5_boolean -krb5_config_get_bool_default ( - krb5_context /*context*/, - const krb5_config_section */*c*/, - krb5_boolean /*def_value*/, - ...); - -int -krb5_config_get_int ( - krb5_context /*context*/, - 
const krb5_config_section */*c*/, - ...); - -int -krb5_config_get_int_default ( - krb5_context /*context*/, - const krb5_config_section */*c*/, - int /*def_value*/, - ...); - -const krb5_config_binding * -krb5_config_get_list ( - krb5_context /*context*/, - const krb5_config_section */*c*/, - ...); - -const void * -krb5_config_get_next ( - krb5_context /*context*/, - const krb5_config_section */*c*/, - const krb5_config_binding **/*pointer*/, - int /*type*/, - ...); - -const char * -krb5_config_get_string ( - krb5_context /*context*/, - const krb5_config_section */*c*/, - ...); - -const char * -krb5_config_get_string_default ( - krb5_context /*context*/, - const krb5_config_section */*c*/, - const char */*def_value*/, - ...); - -char** -krb5_config_get_strings ( - krb5_context /*context*/, - const krb5_config_section */*c*/, - ...); - -int -krb5_config_get_time ( - krb5_context /*context*/, - const krb5_config_section */*c*/, - ...); - -int -krb5_config_get_time_default ( - krb5_context /*context*/, - const krb5_config_section */*c*/, - int /*def_value*/, - ...); - -krb5_error_code -krb5_config_parse_file ( - krb5_context /*context*/, - const char */*fname*/, - krb5_config_section **/*res*/); - -krb5_error_code -krb5_config_parse_file_multi ( - krb5_context /*context*/, - const char */*fname*/, - krb5_config_section **/*res*/); - -const void * -krb5_config_vget ( - krb5_context /*context*/, - const krb5_config_section */*c*/, - int /*type*/, - va_list /*args*/); - -krb5_boolean -krb5_config_vget_bool ( - krb5_context /*context*/, - const krb5_config_section */*c*/, - va_list /*args*/); - -krb5_boolean -krb5_config_vget_bool_default ( - krb5_context /*context*/, - const krb5_config_section */*c*/, - krb5_boolean /*def_value*/, - va_list /*args*/); - -int -krb5_config_vget_int ( - krb5_context /*context*/, - const krb5_config_section */*c*/, - va_list /*args*/); - -int -krb5_config_vget_int_default ( - krb5_context /*context*/, - const krb5_config_section */*c*/, - 
int /*def_value*/, - va_list /*args*/); - -const krb5_config_binding * -krb5_config_vget_list ( - krb5_context /*context*/, - const krb5_config_section */*c*/, - va_list /*args*/); - -const void * -krb5_config_vget_next ( - krb5_context /*context*/, - const krb5_config_section */*c*/, - const krb5_config_binding **/*pointer*/, - int /*type*/, - va_list /*args*/); - -const char * -krb5_config_vget_string ( - krb5_context /*context*/, - const krb5_config_section */*c*/, - va_list /*args*/); - -const char * -krb5_config_vget_string_default ( - krb5_context /*context*/, - const krb5_config_section */*c*/, - const char */*def_value*/, - va_list /*args*/); - -char ** -krb5_config_vget_strings ( - krb5_context /*context*/, - const krb5_config_section */*c*/, - va_list /*args*/); - -int -krb5_config_vget_time ( - krb5_context /*context*/, - const krb5_config_section */*c*/, - va_list /*args*/); - -int -krb5_config_vget_time_default ( - krb5_context /*context*/, - const krb5_config_section */*c*/, - int /*def_value*/, - va_list /*args*/); - -krb5_error_code -krb5_copy_address ( - krb5_context /*context*/, - const krb5_address */*inaddr*/, - krb5_address */*outaddr*/); - -krb5_error_code -krb5_copy_addresses ( - krb5_context /*context*/, - const krb5_addresses */*inaddr*/, - krb5_addresses */*outaddr*/); - -krb5_error_code -krb5_copy_creds ( - krb5_context /*context*/, - const krb5_creds */*incred*/, - krb5_creds **/*outcred*/); - -krb5_error_code -krb5_copy_creds_contents ( - krb5_context /*context*/, - const krb5_creds */*incred*/, - krb5_creds */*c*/); - -krb5_error_code -krb5_copy_data ( - krb5_context /*context*/, - const krb5_data */*indata*/, - krb5_data **/*outdata*/); - -krb5_error_code -krb5_copy_host_realm ( - krb5_context /*context*/, - const krb5_realm */*from*/, - krb5_realm **/*to*/); - -krb5_error_code -krb5_copy_keyblock ( - krb5_context /*context*/, - const krb5_keyblock */*inblock*/, - krb5_keyblock **/*to*/); - -krb5_error_code 
-krb5_copy_keyblock_contents ( - krb5_context /*context*/, - const krb5_keyblock */*inblock*/, - krb5_keyblock */*to*/); - -krb5_error_code -krb5_copy_principal ( - krb5_context /*context*/, - krb5_const_principal /*inprinc*/, - krb5_principal */*outprinc*/); - -krb5_error_code -krb5_copy_ticket ( - krb5_context /*context*/, - const krb5_ticket */*from*/, - krb5_ticket **/*to*/); - -krb5_error_code -krb5_create_checksum ( - krb5_context /*context*/, - krb5_crypto /*crypto*/, - krb5_key_usage /*usage*/, - int /*type*/, - void */*data*/, - size_t /*len*/, - Checksum */*result*/); - -krb5_error_code -krb5_crypto_destroy ( - krb5_context /*context*/, - krb5_crypto /*crypto*/); - -krb5_error_code -krb5_crypto_getblocksize ( - krb5_context /*context*/, - krb5_crypto /*crypto*/, - size_t */*blocksize*/); - -krb5_error_code -krb5_crypto_init ( - krb5_context /*context*/, - const krb5_keyblock */*key*/, - krb5_enctype /*etype*/, - krb5_crypto */*crypto*/); - -krb5_error_code -krb5_data_alloc ( - krb5_data */*p*/, - int /*len*/); - -krb5_error_code -krb5_data_copy ( - krb5_data */*p*/, - const void */*data*/, - size_t /*len*/); - -void -krb5_data_free (krb5_data */*p*/); - -krb5_error_code -krb5_data_realloc ( - krb5_data */*p*/, - int /*len*/); - -void -krb5_data_zero (krb5_data */*p*/); - -krb5_error_code -krb5_decode_Authenticator ( - krb5_context /*context*/, - const void */*data*/, - size_t /*length*/, - Authenticator */*t*/, - size_t */*len*/); - -krb5_error_code -krb5_decode_ETYPE_INFO ( - krb5_context /*context*/, - const void */*data*/, - size_t /*length*/, - ETYPE_INFO */*t*/, - size_t */*len*/); - -krb5_error_code -krb5_decode_EncAPRepPart ( - krb5_context /*context*/, - const void */*data*/, - size_t /*length*/, - EncAPRepPart */*t*/, - size_t */*len*/); - -krb5_error_code -krb5_decode_EncASRepPart ( - krb5_context /*context*/, - const void */*data*/, - size_t /*length*/, - EncASRepPart */*t*/, - size_t */*len*/); - -krb5_error_code -krb5_decode_EncKrbCredPart ( 
- krb5_context /*context*/, - const void */*data*/, - size_t /*length*/, - EncKrbCredPart */*t*/, - size_t */*len*/); - -krb5_error_code -krb5_decode_EncTGSRepPart ( - krb5_context /*context*/, - const void */*data*/, - size_t /*length*/, - EncTGSRepPart */*t*/, - size_t */*len*/); - -krb5_error_code -krb5_decode_EncTicketPart ( - krb5_context /*context*/, - const void */*data*/, - size_t /*length*/, - EncTicketPart */*t*/, - size_t */*len*/); - -krb5_error_code -krb5_decode_ap_req ( - krb5_context /*context*/, - const krb5_data */*inbuf*/, - krb5_ap_req */*ap_req*/); - -krb5_error_code -krb5_decrypt ( - krb5_context /*context*/, - krb5_crypto /*crypto*/, - unsigned /*usage*/, - void */*data*/, - size_t /*len*/, - krb5_data */*result*/); - -krb5_error_code -krb5_decrypt_EncryptedData ( - krb5_context /*context*/, - krb5_crypto /*crypto*/, - unsigned /*usage*/, - const EncryptedData */*e*/, - krb5_data */*result*/); - -krb5_error_code -krb5_decrypt_ivec ( - krb5_context /*context*/, - krb5_crypto /*crypto*/, - unsigned /*usage*/, - void */*data*/, - size_t /*len*/, - krb5_data */*result*/, - void */*ivec*/); - -krb5_error_code -krb5_decrypt_ticket ( - krb5_context /*context*/, - Ticket */*ticket*/, - krb5_keyblock */*key*/, - EncTicketPart */*out*/, - krb5_flags /*flags*/); - -krb5_error_code -krb5_derive_key ( - krb5_context /*context*/, - const krb5_keyblock */*key*/, - krb5_enctype /*etype*/, - const void */*constant*/, - size_t /*constant_len*/, - krb5_keyblock **/*derived_key*/); - -krb5_error_code -krb5_domain_x500_decode ( - krb5_context /*context*/, - krb5_data /*tr*/, - char ***/*realms*/, - int */*num_realms*/, - const char */*client_realm*/, - const char */*server_realm*/); - -krb5_error_code -krb5_domain_x500_encode ( - char **/*realms*/, - int /*num_realms*/, - krb5_data */*encoding*/); - -krb5_error_code -krb5_eai_to_heim_errno ( - int /*eai_errno*/, - int /*system_error*/); - -krb5_error_code -krb5_encode_Authenticator ( - krb5_context /*context*/, - 
void */*data*/, - size_t /*length*/, - Authenticator */*t*/, - size_t */*len*/); - -krb5_error_code -krb5_encode_ETYPE_INFO ( - krb5_context /*context*/, - void */*data*/, - size_t /*length*/, - ETYPE_INFO */*t*/, - size_t */*len*/); - -krb5_error_code -krb5_encode_EncAPRepPart ( - krb5_context /*context*/, - void */*data*/, - size_t /*length*/, - EncAPRepPart */*t*/, - size_t */*len*/); - -krb5_error_code -krb5_encode_EncASRepPart ( - krb5_context /*context*/, - void */*data*/, - size_t /*length*/, - EncASRepPart */*t*/, - size_t */*len*/); - -krb5_error_code -krb5_encode_EncKrbCredPart ( - krb5_context /*context*/, - void */*data*/, - size_t /*length*/, - EncKrbCredPart */*t*/, - size_t */*len*/); - -krb5_error_code -krb5_encode_EncTGSRepPart ( - krb5_context /*context*/, - void */*data*/, - size_t /*length*/, - EncTGSRepPart */*t*/, - size_t */*len*/); - -krb5_error_code -krb5_encode_EncTicketPart ( - krb5_context /*context*/, - void */*data*/, - size_t /*length*/, - EncTicketPart */*t*/, - size_t */*len*/); - -krb5_error_code -krb5_encrypt ( - krb5_context /*context*/, - krb5_crypto /*crypto*/, - unsigned /*usage*/, - void */*data*/, - size_t /*len*/, - krb5_data */*result*/); - -krb5_error_code -krb5_encrypt_EncryptedData ( - krb5_context /*context*/, - krb5_crypto /*crypto*/, - unsigned /*usage*/, - void */*data*/, - size_t /*len*/, - int /*kvno*/, - EncryptedData */*result*/); - -krb5_error_code -krb5_encrypt_ivec ( - krb5_context /*context*/, - krb5_crypto /*crypto*/, - unsigned /*usage*/, - void */*data*/, - size_t /*len*/, - krb5_data */*result*/, - void */*ivec*/); - -krb5_error_code -krb5_enctype_keysize ( - krb5_context /*context*/, - krb5_enctype /*type*/, - size_t */*keysize*/); - -krb5_error_code -krb5_enctype_to_keytype ( - krb5_context /*context*/, - krb5_enctype /*etype*/, - krb5_keytype */*keytype*/); - -krb5_error_code -krb5_enctype_to_string ( - krb5_context /*context*/, - krb5_enctype /*etype*/, - char **/*string*/); - -krb5_error_code 
-krb5_enctype_valid ( - krb5_context /*context*/, - krb5_enctype /*etype*/); - -krb5_boolean -krb5_enctypes_compatible_keys ( - krb5_context /*context*/, - krb5_enctype /*etype1*/, - krb5_enctype /*etype2*/); - -krb5_error_code -krb5_err ( - krb5_context /*context*/, - int /*eval*/, - krb5_error_code /*code*/, - const char */*fmt*/, - ...) - __attribute__ ((noreturn, format (printf, 4, 5))); - -krb5_error_code -krb5_error_from_rd_error ( - krb5_context /*context*/, - const krb5_error */*error*/, - const krb5_creds */*creds*/); - -krb5_error_code -krb5_errx ( - krb5_context /*context*/, - int /*eval*/, - const char */*fmt*/, - ...) - __attribute__ ((noreturn, format (printf, 3, 4))); - -krb5_error_code -krb5_expand_hostname ( - krb5_context /*context*/, - const char */*orig_hostname*/, - char **/*new_hostname*/); - -krb5_error_code -krb5_expand_hostname_realms ( - krb5_context /*context*/, - const char */*orig_hostname*/, - char **/*new_hostname*/, - char ***/*realms*/); - -PA_DATA * -krb5_find_padata ( - PA_DATA */*val*/, - unsigned /*len*/, - int /*type*/, - int */*index*/); - -krb5_error_code -krb5_format_time ( - krb5_context /*context*/, - time_t /*t*/, - char */*s*/, - size_t /*len*/, - krb5_boolean /*include_time*/); - -krb5_error_code -krb5_free_address ( - krb5_context /*context*/, - krb5_address */*address*/); - -krb5_error_code -krb5_free_addresses ( - krb5_context /*context*/, - krb5_addresses */*addresses*/); - -void -krb5_free_ap_rep_enc_part ( - krb5_context /*context*/, - krb5_ap_rep_enc_part */*val*/); - -void -krb5_free_authenticator ( - krb5_context /*context*/, - krb5_authenticator */*authenticator*/); - -void -krb5_free_config_files (char **/*filenames*/); - -void -krb5_free_context (krb5_context /*context*/); - -krb5_error_code -krb5_free_cred_contents ( - krb5_context /*context*/, - krb5_creds */*c*/); - -krb5_error_code -krb5_free_creds ( - krb5_context /*context*/, - krb5_creds */*c*/); - -krb5_error_code -krb5_free_creds_contents ( - 
krb5_context /*context*/, - krb5_creds */*c*/); - -void -krb5_free_data ( - krb5_context /*context*/, - krb5_data */*p*/); - -void -krb5_free_data_contents ( - krb5_context /*context*/, - krb5_data */*data*/); - -void -krb5_free_error ( - krb5_context /*context*/, - krb5_error */*error*/); - -void -krb5_free_error_contents ( - krb5_context /*context*/, - krb5_error */*error*/); - -void -krb5_free_error_string ( - krb5_context /*context*/, - char */*str*/); - -krb5_error_code -krb5_free_host_realm ( - krb5_context /*context*/, - krb5_realm */*realmlist*/); - -krb5_error_code -krb5_free_kdc_rep ( - krb5_context /*context*/, - krb5_kdc_rep */*rep*/); - -void -krb5_free_keyblock ( - krb5_context /*context*/, - krb5_keyblock */*keyblock*/); - -void -krb5_free_keyblock_contents ( - krb5_context /*context*/, - krb5_keyblock */*keyblock*/); - -krb5_error_code -krb5_free_krbhst ( - krb5_context /*context*/, - char **/*hostlist*/); - -void -krb5_free_principal ( - krb5_context /*context*/, - krb5_principal /*p*/); - -krb5_error_code -krb5_free_salt ( - krb5_context /*context*/, - krb5_salt /*salt*/); - -krb5_error_code -krb5_free_ticket ( - krb5_context /*context*/, - krb5_ticket */*ticket*/); - -krb5_error_code -krb5_fwd_tgt_creds ( - krb5_context /*context*/, - krb5_auth_context /*auth_context*/, - const char */*hostname*/, - krb5_principal /*client*/, - krb5_principal /*server*/, - krb5_ccache /*ccache*/, - int /*forwardable*/, - krb5_data */*out_data*/); - -void -krb5_generate_random_block ( - void */*buf*/, - size_t /*len*/); - -krb5_error_code -krb5_generate_random_keyblock ( - krb5_context /*context*/, - krb5_enctype /*type*/, - krb5_keyblock */*key*/); - -krb5_error_code -krb5_generate_seq_number ( - krb5_context /*context*/, - const krb5_keyblock */*key*/, - u_int32_t */*seqno*/); - -krb5_error_code -krb5_generate_subkey ( - krb5_context /*context*/, - const krb5_keyblock */*key*/, - krb5_keyblock **/*subkey*/); - -krb5_error_code -krb5_get_all_client_addrs ( - 
krb5_context /*context*/, - krb5_addresses */*res*/); - -krb5_error_code -krb5_get_all_server_addrs ( - krb5_context /*context*/, - krb5_addresses */*res*/); - -krb5_error_code -krb5_get_cred_from_kdc ( - krb5_context /*context*/, - krb5_ccache /*ccache*/, - krb5_creds */*in_creds*/, - krb5_creds **/*out_creds*/, - krb5_creds ***/*ret_tgts*/); - -krb5_error_code -krb5_get_cred_from_kdc_opt ( - krb5_context /*context*/, - krb5_ccache /*ccache*/, - krb5_creds */*in_creds*/, - krb5_creds **/*out_creds*/, - krb5_creds ***/*ret_tgts*/, - krb5_flags /*flags*/); - -krb5_error_code -krb5_get_credentials ( - krb5_context /*context*/, - krb5_flags /*options*/, - krb5_ccache /*ccache*/, - krb5_creds */*in_creds*/, - krb5_creds **/*out_creds*/); - -krb5_error_code -krb5_get_credentials_with_flags ( - krb5_context /*context*/, - krb5_flags /*options*/, - krb5_kdc_flags /*flags*/, - krb5_ccache /*ccache*/, - krb5_creds */*in_creds*/, - krb5_creds **/*out_creds*/); - -krb5_error_code -krb5_get_default_config_files (char ***/*pfilenames*/); - -krb5_error_code -krb5_get_default_in_tkt_etypes ( - krb5_context /*context*/, - krb5_enctype **/*etypes*/); - -krb5_error_code -krb5_get_default_principal ( - krb5_context /*context*/, - krb5_principal */*princ*/); - -krb5_error_code -krb5_get_default_realm ( - krb5_context /*context*/, - krb5_realm */*realm*/); - -krb5_error_code -krb5_get_default_realms ( - krb5_context /*context*/, - krb5_realm **/*realms*/); - -const char * -krb5_get_err_text ( - krb5_context /*context*/, - krb5_error_code /*code*/); - -char* -krb5_get_error_string (krb5_context /*context*/); - -krb5_error_code -krb5_get_extra_addresses ( - krb5_context /*context*/, - krb5_addresses */*addresses*/); - -krb5_error_code -krb5_get_fcache_version ( - krb5_context /*context*/, - int */*version*/); - -krb5_error_code -krb5_get_forwarded_creds ( - krb5_context /*context*/, - krb5_auth_context /*auth_context*/, - krb5_ccache /*ccache*/, - krb5_flags /*flags*/, - const char 
*/*hostname*/, - krb5_creds */*in_creds*/, - krb5_data */*out_data*/); - -krb5_error_code -krb5_get_host_realm ( - krb5_context /*context*/, - const char */*host*/, - krb5_realm **/*realms*/); - -krb5_error_code -krb5_get_host_realm_int ( - krb5_context /*context*/, - const char */*host*/, - krb5_boolean /*use_dns*/, - krb5_realm **/*realms*/); - -krb5_error_code -krb5_get_ignore_addresses ( - krb5_context /*context*/, - krb5_addresses */*addresses*/); - -krb5_error_code -krb5_get_in_cred ( - krb5_context /*context*/, - krb5_flags /*options*/, - const krb5_addresses */*addrs*/, - const krb5_enctype */*etypes*/, - const krb5_preauthtype */*ptypes*/, - const krb5_preauthdata */*preauth*/, - krb5_key_proc /*key_proc*/, - krb5_const_pointer /*keyseed*/, - krb5_decrypt_proc /*decrypt_proc*/, - krb5_const_pointer /*decryptarg*/, - krb5_creds */*creds*/, - krb5_kdc_rep */*ret_as_reply*/); - -krb5_error_code -krb5_get_in_tkt ( - krb5_context /*context*/, - krb5_flags /*options*/, - const krb5_addresses */*addrs*/, - const krb5_enctype */*etypes*/, - const krb5_preauthtype */*ptypes*/, - krb5_key_proc /*key_proc*/, - krb5_const_pointer /*keyseed*/, - krb5_decrypt_proc /*decrypt_proc*/, - krb5_const_pointer /*decryptarg*/, - krb5_creds */*creds*/, - krb5_ccache /*ccache*/, - krb5_kdc_rep */*ret_as_reply*/); - -krb5_error_code -krb5_get_in_tkt_with_keytab ( - krb5_context /*context*/, - krb5_flags /*options*/, - krb5_addresses */*addrs*/, - const krb5_enctype */*etypes*/, - const krb5_preauthtype */*pre_auth_types*/, - krb5_keytab /*keytab*/, - krb5_ccache /*ccache*/, - krb5_creds */*creds*/, - krb5_kdc_rep */*ret_as_reply*/); - -krb5_error_code -krb5_get_in_tkt_with_password ( - krb5_context /*context*/, - krb5_flags /*options*/, - krb5_addresses */*addrs*/, - const krb5_enctype */*etypes*/, - const krb5_preauthtype */*pre_auth_types*/, - const char */*password*/, - krb5_ccache /*ccache*/, - krb5_creds */*creds*/, - krb5_kdc_rep */*ret_as_reply*/); - -krb5_error_code 
-krb5_get_in_tkt_with_skey ( - krb5_context /*context*/, - krb5_flags /*options*/, - krb5_addresses */*addrs*/, - const krb5_enctype */*etypes*/, - const krb5_preauthtype */*pre_auth_types*/, - const krb5_keyblock */*key*/, - krb5_ccache /*ccache*/, - krb5_creds */*creds*/, - krb5_kdc_rep */*ret_as_reply*/); - -krb5_error_code -krb5_get_init_creds_keytab ( - krb5_context /*context*/, - krb5_creds */*creds*/, - krb5_principal /*client*/, - krb5_keytab /*keytab*/, - krb5_deltat /*start_time*/, - const char */*in_tkt_service*/, - krb5_get_init_creds_opt */*options*/); - -void -krb5_get_init_creds_opt_init (krb5_get_init_creds_opt */*opt*/); - -void -krb5_get_init_creds_opt_set_address_list ( - krb5_get_init_creds_opt */*opt*/, - krb5_addresses */*addresses*/); - -void -krb5_get_init_creds_opt_set_anonymous ( - krb5_get_init_creds_opt */*opt*/, - int /*anonymous*/); - -void -krb5_get_init_creds_opt_set_default_flags ( - krb5_context /*context*/, - const char */*appname*/, - krb5_const_realm /*realm*/, - krb5_get_init_creds_opt */*opt*/); - -void -krb5_get_init_creds_opt_set_etype_list ( - krb5_get_init_creds_opt */*opt*/, - krb5_enctype */*etype_list*/, - int /*etype_list_length*/); - -void -krb5_get_init_creds_opt_set_forwardable ( - krb5_get_init_creds_opt */*opt*/, - int /*forwardable*/); - -void -krb5_get_init_creds_opt_set_preauth_list ( - krb5_get_init_creds_opt */*opt*/, - krb5_preauthtype */*preauth_list*/, - int /*preauth_list_length*/); - -void -krb5_get_init_creds_opt_set_proxiable ( - krb5_get_init_creds_opt */*opt*/, - int /*proxiable*/); - -void -krb5_get_init_creds_opt_set_renew_life ( - krb5_get_init_creds_opt */*opt*/, - krb5_deltat /*renew_life*/); - -void -krb5_get_init_creds_opt_set_salt ( - krb5_get_init_creds_opt */*opt*/, - krb5_data */*salt*/); - -void -krb5_get_init_creds_opt_set_tkt_life ( - krb5_get_init_creds_opt */*opt*/, - krb5_deltat /*tkt_life*/); - -krb5_error_code -krb5_get_init_creds_password ( - krb5_context /*context*/, - krb5_creds 
*/*creds*/, - krb5_principal /*client*/, - const char */*password*/, - krb5_prompter_fct /*prompter*/, - void */*data*/, - krb5_deltat /*start_time*/, - const char */*in_tkt_service*/, - krb5_get_init_creds_opt */*options*/); - -krb5_error_code -krb5_get_kdc_cred ( - krb5_context /*context*/, - krb5_ccache /*id*/, - krb5_kdc_flags /*flags*/, - krb5_addresses */*addresses*/, - Ticket */*second_ticket*/, - krb5_creds */*in_creds*/, - krb5_creds **out_creds ); - -krb5_error_code -krb5_get_krb524hst ( - krb5_context /*context*/, - const krb5_realm */*realm*/, - char ***/*hostlist*/); - -krb5_error_code -krb5_get_krb_admin_hst ( - krb5_context /*context*/, - const krb5_realm */*realm*/, - char ***/*hostlist*/); - -krb5_error_code -krb5_get_krb_changepw_hst ( - krb5_context /*context*/, - const krb5_realm */*realm*/, - char ***/*hostlist*/); - -krb5_error_code -krb5_get_krbhst ( - krb5_context /*context*/, - const krb5_realm */*realm*/, - char ***/*hostlist*/); - -krb5_error_code -krb5_get_pw_salt ( - krb5_context /*context*/, - krb5_const_principal /*principal*/, - krb5_salt */*salt*/); - -krb5_error_code -krb5_get_server_rcache ( - krb5_context /*context*/, - const krb5_data */*piece*/, - krb5_rcache */*id*/); - -krb5_boolean -krb5_get_use_admin_kdc (krb5_context /*context*/); - -size_t -krb5_get_wrapped_length ( - krb5_context /*context*/, - krb5_crypto /*crypto*/, - size_t /*data_len*/); - -int -krb5_getportbyname ( - krb5_context /*context*/, - const char */*service*/, - const char */*proto*/, - int /*default_port*/); - -krb5_error_code -krb5_h_addr2addr ( - krb5_context /*context*/, - int /*af*/, - const char */*haddr*/, - krb5_address */*addr*/); - -krb5_error_code -krb5_h_addr2sockaddr ( - krb5_context /*context*/, - int /*af*/, - const char */*addr*/, - struct sockaddr */*sa*/, - krb5_socklen_t */*sa_size*/, - int /*port*/); - -krb5_error_code -krb5_h_errno_to_heim_errno (int /*eai_errno*/); - -krb5_boolean -krb5_have_error_string (krb5_context /*context*/); - 
-krb5_error_code -krb5_hmac ( - krb5_context /*context*/, - krb5_cksumtype /*cktype*/, - const void */*data*/, - size_t /*len*/, - unsigned /*usage*/, - krb5_keyblock */*key*/, - Checksum */*result*/); - -krb5_error_code -krb5_init_context (krb5_context */*context*/); - -void -krb5_init_ets (krb5_context /*context*/); - -krb5_error_code -krb5_init_etype ( - krb5_context /*context*/, - unsigned */*len*/, - krb5_enctype **/*val*/, - const krb5_enctype */*etypes*/); - -krb5_error_code -krb5_initlog ( - krb5_context /*context*/, - const char */*program*/, - krb5_log_facility **/*fac*/); - -krb5_error_code -krb5_keyblock_key_proc ( - krb5_context /*context*/, - krb5_keytype /*type*/, - krb5_data */*salt*/, - krb5_const_pointer /*keyseed*/, - krb5_keyblock **/*key*/); - -krb5_error_code -krb5_keytab_key_proc ( - krb5_context /*context*/, - krb5_enctype /*enctype*/, - krb5_salt /*salt*/, - krb5_const_pointer /*keyseed*/, - krb5_keyblock **/*key*/); - -krb5_error_code -krb5_keytype_to_enctypes ( - krb5_context /*context*/, - krb5_keytype /*keytype*/, - unsigned */*len*/, - krb5_enctype **/*val*/); - -krb5_error_code -krb5_keytype_to_enctypes_default ( - krb5_context /*context*/, - krb5_keytype /*keytype*/, - unsigned */*len*/, - krb5_enctype **/*val*/); - -krb5_error_code -krb5_keytype_to_string ( - krb5_context /*context*/, - krb5_keytype /*keytype*/, - char **/*string*/); - -krb5_error_code -krb5_krbhst_format_string ( - krb5_context /*context*/, - const krb5_krbhst_info */*host*/, - char */*hostname*/, - size_t /*hostlen*/); - -void -krb5_krbhst_free ( - krb5_context /*context*/, - krb5_krbhst_handle /*handle*/); - -krb5_error_code -krb5_krbhst_get_addrinfo ( - krb5_context /*context*/, - krb5_krbhst_info */*host*/, - struct addrinfo **/*ai*/); - -krb5_error_code -krb5_krbhst_init ( - krb5_context /*context*/, - const char */*realm*/, - unsigned int /*type*/, - krb5_krbhst_handle */*handle*/); - -krb5_error_code -krb5_krbhst_next ( - krb5_context /*context*/, - 
krb5_krbhst_handle /*handle*/, - krb5_krbhst_info **/*host*/); - -krb5_error_code -krb5_krbhst_next_as_string ( - krb5_context /*context*/, - krb5_krbhst_handle /*handle*/, - char */*hostname*/, - size_t /*hostlen*/); - -void -krb5_krbhst_reset ( - krb5_context /*context*/, - krb5_krbhst_handle /*handle*/); - -krb5_error_code -krb5_kt_add_entry ( - krb5_context /*context*/, - krb5_keytab /*id*/, - krb5_keytab_entry */*entry*/); - -krb5_error_code -krb5_kt_close ( - krb5_context /*context*/, - krb5_keytab /*id*/); - -krb5_boolean -krb5_kt_compare ( - krb5_context /*context*/, - krb5_keytab_entry */*entry*/, - krb5_const_principal /*principal*/, - krb5_kvno /*vno*/, - krb5_enctype /*enctype*/); - -krb5_error_code -krb5_kt_copy_entry_contents ( - krb5_context /*context*/, - const krb5_keytab_entry */*in*/, - krb5_keytab_entry */*out*/); - -krb5_error_code -krb5_kt_default ( - krb5_context /*context*/, - krb5_keytab */*id*/); - -krb5_error_code -krb5_kt_default_modify_name ( - krb5_context /*context*/, - char */*name*/, - size_t /*namesize*/); - -krb5_error_code -krb5_kt_default_name ( - krb5_context /*context*/, - char */*name*/, - size_t /*namesize*/); - -krb5_error_code -krb5_kt_end_seq_get ( - krb5_context /*context*/, - krb5_keytab /*id*/, - krb5_kt_cursor */*cursor*/); - -krb5_error_code -krb5_kt_free_entry ( - krb5_context /*context*/, - krb5_keytab_entry */*entry*/); - -krb5_error_code -krb5_kt_get_entry ( - krb5_context /*context*/, - krb5_keytab /*id*/, - krb5_const_principal /*principal*/, - krb5_kvno /*kvno*/, - krb5_enctype /*enctype*/, - krb5_keytab_entry */*entry*/); - -krb5_error_code -krb5_kt_get_name ( - krb5_context /*context*/, - krb5_keytab /*keytab*/, - char */*name*/, - size_t /*namesize*/); - -krb5_error_code -krb5_kt_get_type ( - krb5_context /*context*/, - krb5_keytab /*keytab*/, - char */*prefix*/, - size_t /*prefixsize*/); - -krb5_error_code -krb5_kt_next_entry ( - krb5_context /*context*/, - krb5_keytab /*id*/, - krb5_keytab_entry 
*/*entry*/, - krb5_kt_cursor */*cursor*/); - -krb5_error_code -krb5_kt_read_service_key ( - krb5_context /*context*/, - krb5_pointer /*keyprocarg*/, - krb5_principal /*principal*/, - krb5_kvno /*vno*/, - krb5_enctype /*enctype*/, - krb5_keyblock **/*key*/); - -krb5_error_code -krb5_kt_register ( - krb5_context /*context*/, - const krb5_kt_ops */*ops*/); - -krb5_error_code -krb5_kt_remove_entry ( - krb5_context /*context*/, - krb5_keytab /*id*/, - krb5_keytab_entry */*entry*/); - -krb5_error_code -krb5_kt_resolve ( - krb5_context /*context*/, - const char */*name*/, - krb5_keytab */*id*/); - -krb5_error_code -krb5_kt_start_seq_get ( - krb5_context /*context*/, - krb5_keytab /*id*/, - krb5_kt_cursor */*cursor*/); - -krb5_boolean -krb5_kuserok ( - krb5_context /*context*/, - krb5_principal /*principal*/, - const char */*luser*/); - -krb5_error_code -krb5_log ( - krb5_context /*context*/, - krb5_log_facility */*fac*/, - int /*level*/, - const char */*fmt*/, - ...) - __attribute__((format (printf, 4, 5))); - -krb5_error_code -krb5_log_msg ( - krb5_context /*context*/, - krb5_log_facility */*fac*/, - int /*level*/, - char **/*reply*/, - const char */*fmt*/, - ...) 
- __attribute__((format (printf, 5, 6))); - -krb5_error_code -krb5_make_addrport ( - krb5_context /*context*/, - krb5_address **/*res*/, - const krb5_address */*addr*/, - int16_t /*port*/); - -krb5_error_code -krb5_make_principal ( - krb5_context /*context*/, - krb5_principal */*principal*/, - krb5_const_realm /*realm*/, - ...); - -size_t -krb5_max_sockaddr_size (void); - -krb5_error_code -krb5_mk_error ( - krb5_context /*context*/, - krb5_error_code /*error_code*/, - const char */*e_text*/, - const krb5_data */*e_data*/, - const krb5_principal /*client*/, - const krb5_principal /*server*/, - time_t */*client_time*/, - int */*client_usec*/, - krb5_data */*reply*/); - -krb5_error_code -krb5_mk_priv ( - krb5_context /*context*/, - krb5_auth_context /*auth_context*/, - const krb5_data */*userdata*/, - krb5_data */*outbuf*/, - void */*outdata*/); - -krb5_error_code -krb5_mk_rep ( - krb5_context /*context*/, - krb5_auth_context /*auth_context*/, - krb5_data */*outbuf*/); - -krb5_error_code -krb5_mk_req ( - krb5_context /*context*/, - krb5_auth_context */*auth_context*/, - const krb5_flags /*ap_req_options*/, - const char */*service*/, - const char */*hostname*/, - krb5_data */*in_data*/, - krb5_ccache /*ccache*/, - krb5_data */*outbuf*/); - -krb5_error_code -krb5_mk_req_exact ( - krb5_context /*context*/, - krb5_auth_context */*auth_context*/, - const krb5_flags /*ap_req_options*/, - const krb5_principal /*server*/, - krb5_data */*in_data*/, - krb5_ccache /*ccache*/, - krb5_data */*outbuf*/); - -krb5_error_code -krb5_mk_req_extended ( - krb5_context /*context*/, - krb5_auth_context */*auth_context*/, - const krb5_flags /*ap_req_options*/, - krb5_data */*in_data*/, - krb5_creds */*in_creds*/, - krb5_data */*outbuf*/); - -krb5_error_code -krb5_mk_req_internal ( - krb5_context /*context*/, - krb5_auth_context */*auth_context*/, - const krb5_flags /*ap_req_options*/, - krb5_data */*in_data*/, - krb5_creds */*in_creds*/, - krb5_data */*outbuf*/, - krb5_key_usage 
/*checksum_usage*/, - krb5_key_usage /*encrypt_usage*/); - -krb5_error_code -krb5_mk_safe ( - krb5_context /*context*/, - krb5_auth_context /*auth_context*/, - const krb5_data */*userdata*/, - krb5_data */*outbuf*/, - void */*outdata*/); - -krb5_ssize_t -krb5_net_read ( - krb5_context /*context*/, - void */*p_fd*/, - void */*buf*/, - size_t /*len*/); - -krb5_ssize_t -krb5_net_write ( - krb5_context /*context*/, - void */*p_fd*/, - const void */*buf*/, - size_t /*len*/); - -krb5_error_code -krb5_openlog ( - krb5_context /*context*/, - const char */*program*/, - krb5_log_facility **/*fac*/); - -krb5_error_code -krb5_parse_address ( - krb5_context /*context*/, - const char */*string*/, - krb5_addresses */*addresses*/); - -krb5_error_code -krb5_parse_name ( - krb5_context /*context*/, - const char */*name*/, - krb5_principal */*principal*/); - -const char* -krb5_passwd_result_to_string ( - krb5_context /*context*/, - int /*result*/); - -krb5_error_code -krb5_password_key_proc ( - krb5_context /*context*/, - krb5_enctype /*type*/, - krb5_salt /*salt*/, - krb5_const_pointer /*keyseed*/, - krb5_keyblock **/*key*/); - -krb5_realm* -krb5_princ_realm ( - krb5_context /*context*/, - krb5_principal /*principal*/); - -void -krb5_princ_set_realm ( - krb5_context /*context*/, - krb5_principal /*principal*/, - krb5_realm */*realm*/); - -krb5_error_code -krb5_principal2principalname ( - PrincipalName */*p*/, - const krb5_principal /*from*/); - -krb5_boolean -krb5_principal_compare ( - krb5_context /*context*/, - krb5_const_principal /*princ1*/, - krb5_const_principal /*princ2*/); - -krb5_boolean -krb5_principal_compare_any_realm ( - krb5_context /*context*/, - krb5_const_principal /*princ1*/, - krb5_const_principal /*princ2*/); - -const char * -krb5_principal_get_comp_string ( - krb5_context /*context*/, - krb5_principal /*principal*/, - unsigned int /*component*/); - -const char * -krb5_principal_get_realm ( - krb5_context /*context*/, - krb5_principal /*principal*/); - -int 
-krb5_principal_get_type ( - krb5_context /*context*/, - krb5_principal /*principal*/); - -krb5_boolean -krb5_principal_match ( - krb5_context /*context*/, - krb5_const_principal /*princ*/, - krb5_const_principal /*pattern*/); - -krb5_error_code -krb5_print_address ( - const krb5_address */*addr*/, - char */*str*/, - size_t /*len*/, - size_t */*ret_len*/); - -int -krb5_program_setup ( - krb5_context */*context*/, - int /*argc*/, - char **/*argv*/, - struct getargs */*args*/, - int /*num_args*/, - void (*/*usage*/)(int, struct getargs*, int)); - -int -krb5_prompter_posix ( - krb5_context /*context*/, - void */*data*/, - const char */*name*/, - const char */*banner*/, - int /*num_prompts*/, - krb5_prompt prompts[]); - -krb5_error_code -krb5_rc_close ( - krb5_context /*context*/, - krb5_rcache /*id*/); - -krb5_error_code -krb5_rc_default ( - krb5_context /*context*/, - krb5_rcache */*id*/); - -const char * -krb5_rc_default_name (krb5_context /*context*/); - -const char * -krb5_rc_default_type (krb5_context /*context*/); - -krb5_error_code -krb5_rc_destroy ( - krb5_context /*context*/, - krb5_rcache /*id*/); - -krb5_error_code -krb5_rc_expunge ( - krb5_context /*context*/, - krb5_rcache /*id*/); - -krb5_error_code -krb5_rc_get_lifespan ( - krb5_context /*context*/, - krb5_rcache /*id*/, - krb5_deltat */*auth_lifespan*/); - -const char* -krb5_rc_get_name ( - krb5_context /*context*/, - krb5_rcache /*id*/); - -const char* -krb5_rc_get_type ( - krb5_context /*context*/, - krb5_rcache /*id*/); - -krb5_error_code -krb5_rc_initialize ( - krb5_context /*context*/, - krb5_rcache /*id*/, - krb5_deltat /*auth_lifespan*/); - -krb5_error_code -krb5_rc_recover ( - krb5_context /*context*/, - krb5_rcache /*id*/); - -krb5_error_code -krb5_rc_resolve ( - krb5_context /*context*/, - krb5_rcache /*id*/, - const char */*name*/); - -krb5_error_code -krb5_rc_resolve_full ( - krb5_context /*context*/, - krb5_rcache */*id*/, - const char */*string_name*/); - -krb5_error_code 
-krb5_rc_resolve_type ( - krb5_context /*context*/, - krb5_rcache */*id*/, - const char */*type*/); - -krb5_error_code -krb5_rc_store ( - krb5_context /*context*/, - krb5_rcache /*id*/, - krb5_donot_replay */*rep*/); - -krb5_error_code -krb5_rd_cred ( - krb5_context /*context*/, - krb5_auth_context /*auth_context*/, - krb5_data */*in_data*/, - krb5_creds ***/*ret_creds*/, - krb5_replay_data */*out_data*/); - -krb5_error_code -krb5_rd_cred2 ( - krb5_context /*context*/, - krb5_auth_context /*auth_context*/, - krb5_ccache /*ccache*/, - krb5_data */*in_data*/); - -krb5_error_code -krb5_rd_error ( - krb5_context /*context*/, - krb5_data */*msg*/, - KRB_ERROR */*result*/); - -krb5_error_code -krb5_rd_priv ( - krb5_context /*context*/, - krb5_auth_context /*auth_context*/, - const krb5_data */*inbuf*/, - krb5_data */*outbuf*/, - void */*outdata*/); - -krb5_error_code -krb5_rd_rep ( - krb5_context /*context*/, - krb5_auth_context /*auth_context*/, - const krb5_data */*inbuf*/, - krb5_ap_rep_enc_part **/*repl*/); - -krb5_error_code -krb5_rd_req ( - krb5_context /*context*/, - krb5_auth_context */*auth_context*/, - const krb5_data */*inbuf*/, - krb5_const_principal /*server*/, - krb5_keytab /*keytab*/, - krb5_flags */*ap_req_options*/, - krb5_ticket **/*ticket*/); - -krb5_error_code -krb5_rd_req_with_keyblock ( - krb5_context /*context*/, - krb5_auth_context */*auth_context*/, - const krb5_data */*inbuf*/, - krb5_const_principal /*server*/, - krb5_keyblock */*keyblock*/, - krb5_flags */*ap_req_options*/, - krb5_ticket **/*ticket*/); - -krb5_error_code -krb5_rd_safe ( - krb5_context /*context*/, - krb5_auth_context /*auth_context*/, - const krb5_data */*inbuf*/, - krb5_data */*outbuf*/, - void */*outdata*/); - -krb5_error_code -krb5_read_message ( - krb5_context /*context*/, - krb5_pointer /*p_fd*/, - krb5_data */*data*/); - -krb5_error_code -krb5_read_priv_message ( - krb5_context /*context*/, - krb5_auth_context /*ac*/, - krb5_pointer /*p_fd*/, - krb5_data */*data*/); - 
-krb5_error_code -krb5_read_safe_message ( - krb5_context /*context*/, - krb5_auth_context /*ac*/, - krb5_pointer /*p_fd*/, - krb5_data */*data*/); - -krb5_boolean -krb5_realm_compare ( - krb5_context /*context*/, - krb5_const_principal /*princ1*/, - krb5_const_principal /*princ2*/); - -krb5_error_code -krb5_recvauth ( - krb5_context /*context*/, - krb5_auth_context */*auth_context*/, - krb5_pointer /*p_fd*/, - const char */*appl_version*/, - krb5_principal /*server*/, - int32_t /*flags*/, - krb5_keytab /*keytab*/, - krb5_ticket **/*ticket*/); - -krb5_error_code -krb5_recvauth_match_version ( - krb5_context /*context*/, - krb5_auth_context */*auth_context*/, - krb5_pointer /*p_fd*/, - krb5_boolean (*/*match_appl_version*/)(const void *, const char*), - const void */*match_data*/, - krb5_principal /*server*/, - int32_t /*flags*/, - krb5_keytab /*keytab*/, - krb5_ticket **/*ticket*/); - -krb5_error_code -krb5_ret_address ( - krb5_storage */*sp*/, - krb5_address */*adr*/); - -krb5_error_code -krb5_ret_addrs ( - krb5_storage */*sp*/, - krb5_addresses */*adr*/); - -krb5_error_code -krb5_ret_authdata ( - krb5_storage */*sp*/, - krb5_authdata */*auth*/); - -krb5_error_code -krb5_ret_creds ( - krb5_storage */*sp*/, - krb5_creds */*creds*/); - -krb5_error_code -krb5_ret_data ( - krb5_storage */*sp*/, - krb5_data */*data*/); - -krb5_error_code -krb5_ret_int16 ( - krb5_storage */*sp*/, - int16_t */*value*/); - -krb5_error_code -krb5_ret_int32 ( - krb5_storage */*sp*/, - int32_t */*value*/); - -krb5_error_code -krb5_ret_int8 ( - krb5_storage */*sp*/, - int8_t */*value*/); - -krb5_error_code -krb5_ret_keyblock ( - krb5_storage */*sp*/, - krb5_keyblock */*p*/); - -krb5_error_code -krb5_ret_principal ( - krb5_storage */*sp*/, - krb5_principal */*princ*/); - -krb5_error_code -krb5_ret_string ( - krb5_storage */*sp*/, - char **/*string*/); - -krb5_error_code -krb5_ret_stringz ( - krb5_storage */*sp*/, - char **/*string*/); - -krb5_error_code -krb5_ret_times ( - krb5_storage 
*/*sp*/, - krb5_times */*times*/); - -krb5_error_code -krb5_salttype_to_string ( - krb5_context /*context*/, - krb5_enctype /*etype*/, - krb5_salttype /*stype*/, - char **/*string*/); - -krb5_error_code -krb5_sendauth ( - krb5_context /*context*/, - krb5_auth_context */*auth_context*/, - krb5_pointer /*p_fd*/, - const char */*appl_version*/, - krb5_principal /*client*/, - krb5_principal /*server*/, - krb5_flags /*ap_req_options*/, - krb5_data */*in_data*/, - krb5_creds */*in_creds*/, - krb5_ccache /*ccache*/, - krb5_error **/*ret_error*/, - krb5_ap_rep_enc_part **/*rep_result*/, - krb5_creds **/*out_creds*/); - -krb5_error_code -krb5_sendto ( - krb5_context /*context*/, - const krb5_data */*send_data*/, - krb5_krbhst_handle /*handle*/, - krb5_data */*receive*/); - -krb5_error_code -krb5_sendto_kdc ( - krb5_context /*context*/, - const krb5_data */*send_data*/, - const krb5_realm */*realm*/, - krb5_data */*receive*/); - -krb5_error_code -krb5_sendto_kdc2 ( - krb5_context /*context*/, - const krb5_data */*send_data*/, - const krb5_realm */*realm*/, - krb5_data */*receive*/, - krb5_boolean /*master*/); - -krb5_error_code -krb5_set_config_files ( - krb5_context /*context*/, - char **/*filenames*/); - -krb5_error_code -krb5_set_default_in_tkt_etypes ( - krb5_context /*context*/, - const krb5_enctype */*etypes*/); - -krb5_error_code -krb5_set_default_realm ( - krb5_context /*context*/, - const char */*realm*/); - -krb5_error_code -krb5_set_error_string ( - krb5_context /*context*/, - const char */*fmt*/, - ...) 
- __attribute__((format (printf, 2, 3))); - -krb5_error_code -krb5_set_extra_addresses ( - krb5_context /*context*/, - const krb5_addresses */*addresses*/); - -krb5_error_code -krb5_set_fcache_version ( - krb5_context /*context*/, - int /*version*/); - -krb5_error_code -krb5_set_ignore_addresses ( - krb5_context /*context*/, - const krb5_addresses */*addresses*/); - -krb5_error_code -krb5_set_password ( - krb5_context /*context*/, - krb5_creds */*creds*/, - char */*newpw*/, - krb5_principal /*targprinc*/, - int */*result_code*/, - krb5_data */*result_code_string*/, - krb5_data */*result_string*/); - -krb5_error_code -krb5_set_password_using_ccache ( - krb5_context /*context*/, - krb5_ccache /*ccache*/, - char */*newpw*/, - krb5_principal /*targprinc*/, - int */*result_code*/, - krb5_data */*result_code_string*/, - krb5_data */*result_string*/); - -void -krb5_set_use_admin_kdc ( - krb5_context /*context*/, - krb5_boolean /*flag*/); - -krb5_error_code -krb5_set_warn_dest ( - krb5_context /*context*/, - krb5_log_facility */*fac*/); - -krb5_error_code -krb5_sname_to_principal ( - krb5_context /*context*/, - const char */*hostname*/, - const char */*sname*/, - int32_t /*type*/, - krb5_principal */*ret_princ*/); - -krb5_error_code -krb5_sock_to_principal ( - krb5_context /*context*/, - int /*sock*/, - const char */*sname*/, - int32_t /*type*/, - krb5_principal */*ret_princ*/); - -krb5_error_code -krb5_sockaddr2address ( - krb5_context /*context*/, - const struct sockaddr */*sa*/, - krb5_address */*addr*/); - -krb5_error_code -krb5_sockaddr2port ( - krb5_context /*context*/, - const struct sockaddr */*sa*/, - int16_t */*port*/); - -krb5_boolean -krb5_sockaddr_uninteresting (const struct sockaddr */*sa*/); - -void -krb5_std_usage ( - int /*code*/, - struct getargs */*args*/, - int /*num_args*/); - -void -krb5_storage_clear_flags ( - krb5_storage */*sp*/, - krb5_flags /*flags*/); - -krb5_storage * -krb5_storage_emem (void); - -krb5_error_code -krb5_storage_free 
(krb5_storage */*sp*/); - -krb5_storage * -krb5_storage_from_data (krb5_data */*data*/); - -krb5_storage * -krb5_storage_from_fd (int /*fd*/); - -krb5_storage * -krb5_storage_from_mem ( - void */*buf*/, - size_t /*len*/); - -krb5_flags -krb5_storage_get_byteorder ( - krb5_storage */*sp*/, - krb5_flags /*byteorder*/); - -krb5_boolean -krb5_storage_is_flags ( - krb5_storage */*sp*/, - krb5_flags /*flags*/); - -krb5_ssize_t -krb5_storage_read ( - krb5_storage */*sp*/, - void */*buf*/, - size_t /*len*/); - -off_t -krb5_storage_seek ( - krb5_storage */*sp*/, - off_t /*offset*/, - int /*whence*/); - -void -krb5_storage_set_byteorder ( - krb5_storage */*sp*/, - krb5_flags /*byteorder*/); - -void -krb5_storage_set_eof_code ( - krb5_storage */*sp*/, - int /*code*/); - -void -krb5_storage_set_flags ( - krb5_storage */*sp*/, - krb5_flags /*flags*/); - -krb5_error_code -krb5_storage_to_data ( - krb5_storage */*sp*/, - krb5_data */*data*/); - -krb5_ssize_t -krb5_storage_write ( - krb5_storage */*sp*/, - const void */*buf*/, - size_t /*len*/); - -krb5_error_code -krb5_store_address ( - krb5_storage */*sp*/, - krb5_address /*p*/); - -krb5_error_code -krb5_store_addrs ( - krb5_storage */*sp*/, - krb5_addresses /*p*/); - -krb5_error_code -krb5_store_authdata ( - krb5_storage */*sp*/, - krb5_authdata /*auth*/); - -krb5_error_code -krb5_store_creds ( - krb5_storage */*sp*/, - krb5_creds */*creds*/); - -krb5_error_code -krb5_store_data ( - krb5_storage */*sp*/, - krb5_data /*data*/); - -krb5_error_code -krb5_store_int16 ( - krb5_storage */*sp*/, - int16_t /*value*/); - -krb5_error_code -krb5_store_int32 ( - krb5_storage */*sp*/, - int32_t /*value*/); - -krb5_error_code -krb5_store_int8 ( - krb5_storage */*sp*/, - int8_t /*value*/); - -krb5_error_code -krb5_store_keyblock ( - krb5_storage */*sp*/, - krb5_keyblock /*p*/); - -krb5_error_code -krb5_store_principal ( - krb5_storage */*sp*/, - krb5_principal /*p*/); - -krb5_error_code -krb5_store_string ( - krb5_storage */*sp*/, - const 
char */*s*/); - -krb5_error_code -krb5_store_stringz ( - krb5_storage */*sp*/, - const char */*s*/); - -krb5_error_code -krb5_store_times ( - krb5_storage */*sp*/, - krb5_times /*times*/); - -krb5_error_code -krb5_string_to_deltat ( - const char */*string*/, - krb5_deltat */*deltat*/); - -krb5_error_code -krb5_string_to_enctype ( - krb5_context /*context*/, - const char */*string*/, - krb5_enctype */*etype*/); - -krb5_error_code -krb5_string_to_key ( - krb5_context /*context*/, - krb5_enctype /*enctype*/, - const char */*password*/, - krb5_principal /*principal*/, - krb5_keyblock */*key*/); - -krb5_error_code -krb5_string_to_key_data ( - krb5_context /*context*/, - krb5_enctype /*enctype*/, - krb5_data /*password*/, - krb5_principal /*principal*/, - krb5_keyblock */*key*/); - -krb5_error_code -krb5_string_to_key_data_salt ( - krb5_context /*context*/, - krb5_enctype /*enctype*/, - krb5_data /*password*/, - krb5_salt /*salt*/, - krb5_keyblock */*key*/); - -krb5_error_code -krb5_string_to_key_data_salt_opaque ( - krb5_context /*context*/, - krb5_enctype /*enctype*/, - krb5_data /*password*/, - krb5_salt /*salt*/, - krb5_data /*opaque*/, - krb5_keyblock */*key*/); - -krb5_error_code -krb5_string_to_key_derived ( - krb5_context /*context*/, - const void */*str*/, - size_t /*len*/, - krb5_enctype /*etype*/, - krb5_keyblock */*key*/); - -krb5_error_code -krb5_string_to_key_salt ( - krb5_context /*context*/, - krb5_enctype /*enctype*/, - const char */*password*/, - krb5_salt /*salt*/, - krb5_keyblock */*key*/); - -krb5_error_code -krb5_string_to_keytype ( - krb5_context /*context*/, - const char */*string*/, - krb5_keytype */*keytype*/); - -krb5_error_code -krb5_string_to_salttype ( - krb5_context /*context*/, - krb5_enctype /*etype*/, - const char */*string*/, - krb5_salttype */*salttype*/); - -krb5_error_code -krb5_timeofday ( - krb5_context /*context*/, - krb5_timestamp */*timeret*/); - -krb5_error_code -krb5_unparse_name ( - krb5_context /*context*/, - 
krb5_const_principal /*principal*/, - char **/*name*/); - -krb5_error_code -krb5_unparse_name_fixed ( - krb5_context /*context*/, - krb5_const_principal /*principal*/, - char */*name*/, - size_t /*len*/); - -krb5_error_code -krb5_unparse_name_fixed_short ( - krb5_context /*context*/, - krb5_const_principal /*principal*/, - char */*name*/, - size_t /*len*/); - -krb5_error_code -krb5_unparse_name_short ( - krb5_context /*context*/, - krb5_const_principal /*principal*/, - char **/*name*/); - -krb5_error_code -krb5_us_timeofday ( - krb5_context /*context*/, - int32_t */*sec*/, - int32_t */*usec*/); - -krb5_error_code -krb5_vabort ( - krb5_context /*context*/, - krb5_error_code /*code*/, - const char */*fmt*/, - va_list /*ap*/) - __attribute__ ((noreturn, format (printf, 3, 0))); - -krb5_error_code -krb5_vabortx ( - krb5_context /*context*/, - const char */*fmt*/, - va_list /*ap*/) - __attribute__ ((noreturn, format (printf, 2, 0))); - -krb5_error_code -krb5_verify_ap_req ( - krb5_context /*context*/, - krb5_auth_context */*auth_context*/, - krb5_ap_req */*ap_req*/, - krb5_const_principal /*server*/, - krb5_keyblock */*keyblock*/, - krb5_flags /*flags*/, - krb5_flags */*ap_req_options*/, - krb5_ticket **/*ticket*/); - -krb5_error_code -krb5_verify_ap_req2 ( - krb5_context /*context*/, - krb5_auth_context */*auth_context*/, - krb5_ap_req */*ap_req*/, - krb5_const_principal /*server*/, - krb5_keyblock */*keyblock*/, - krb5_flags /*flags*/, - krb5_flags */*ap_req_options*/, - krb5_ticket **/*ticket*/, - krb5_key_usage /*usage*/); - -krb5_error_code -krb5_verify_authenticator_checksum ( - krb5_context /*context*/, - krb5_auth_context /*ac*/, - void */*data*/, - size_t /*len*/); - -krb5_error_code -krb5_verify_checksum ( - krb5_context /*context*/, - krb5_crypto /*crypto*/, - krb5_key_usage /*usage*/, - void */*data*/, - size_t /*len*/, - Checksum */*cksum*/); - -krb5_error_code -krb5_verify_init_creds ( - krb5_context /*context*/, - krb5_creds */*creds*/, - krb5_principal 
/*ap_req_server*/, - krb5_keytab /*ap_req_keytab*/, - krb5_ccache */*ccache*/, - krb5_verify_init_creds_opt */*options*/); - -void -krb5_verify_init_creds_opt_init (krb5_verify_init_creds_opt */*options*/); - -void -krb5_verify_init_creds_opt_set_ap_req_nofail ( - krb5_verify_init_creds_opt */*options*/, - int /*ap_req_nofail*/); - -void -krb5_verify_opt_init (krb5_verify_opt */*opt*/); - -void -krb5_verify_opt_set_ccache ( - krb5_verify_opt */*opt*/, - krb5_ccache /*ccache*/); - -void -krb5_verify_opt_set_flags ( - krb5_verify_opt */*opt*/, - unsigned int /*flags*/); - -void -krb5_verify_opt_set_keytab ( - krb5_verify_opt */*opt*/, - krb5_keytab /*keytab*/); - -void -krb5_verify_opt_set_secure ( - krb5_verify_opt */*opt*/, - krb5_boolean /*secure*/); - -void -krb5_verify_opt_set_service ( - krb5_verify_opt */*opt*/, - const char */*service*/); - -krb5_error_code -krb5_verify_user ( - krb5_context /*context*/, - krb5_principal /*principal*/, - krb5_ccache /*ccache*/, - const char */*password*/, - krb5_boolean /*secure*/, - const char */*service*/); - -krb5_error_code -krb5_verify_user_lrealm ( - krb5_context /*context*/, - krb5_principal /*principal*/, - krb5_ccache /*ccache*/, - const char */*password*/, - krb5_boolean /*secure*/, - const char */*service*/); - -krb5_error_code -krb5_verify_user_opt ( - krb5_context /*context*/, - krb5_principal /*principal*/, - const char */*password*/, - krb5_verify_opt */*opt*/); - -krb5_error_code -krb5_verr ( - krb5_context /*context*/, - int /*eval*/, - krb5_error_code /*code*/, - const char */*fmt*/, - va_list /*ap*/) - __attribute__ ((noreturn, format (printf, 4, 0))); - -krb5_error_code -krb5_verrx ( - krb5_context /*context*/, - int /*eval*/, - const char */*fmt*/, - va_list /*ap*/) - __attribute__ ((noreturn, format (printf, 3, 0))); - -krb5_error_code -krb5_vlog ( - krb5_context /*context*/, - krb5_log_facility */*fac*/, - int /*level*/, - const char */*fmt*/, - va_list /*ap*/) - __attribute__((format (printf, 4, 0))); 
- -krb5_error_code -krb5_vlog_msg ( - krb5_context /*context*/, - krb5_log_facility */*fac*/, - char **/*reply*/, - int /*level*/, - const char */*fmt*/, - va_list /*ap*/) - __attribute__((format (printf, 5, 0))); - -krb5_error_code -krb5_vset_error_string ( - krb5_context /*context*/, - const char */*fmt*/, - va_list /*args*/) - __attribute__ ((format (printf, 2, 0))); - -krb5_error_code -krb5_vwarn ( - krb5_context /*context*/, - krb5_error_code /*code*/, - const char */*fmt*/, - va_list /*ap*/) - __attribute__ ((format (printf, 3, 0))); - -krb5_error_code -krb5_vwarnx ( - krb5_context /*context*/, - const char */*fmt*/, - va_list /*ap*/) - __attribute__ ((format (printf, 2, 0))); - -krb5_error_code -krb5_warn ( - krb5_context /*context*/, - krb5_error_code /*code*/, - const char */*fmt*/, - ...) - __attribute__ ((format (printf, 3, 4))); - -krb5_error_code -krb5_warnx ( - krb5_context /*context*/, - const char */*fmt*/, - ...) - __attribute__ ((format (printf, 2, 3))); - -krb5_error_code -krb5_write_message ( - krb5_context /*context*/, - krb5_pointer /*p_fd*/, - krb5_data */*data*/); - -krb5_error_code -krb5_write_priv_message ( - krb5_context /*context*/, - krb5_auth_context /*ac*/, - krb5_pointer /*p_fd*/, - krb5_data */*data*/); - -krb5_error_code -krb5_write_safe_message ( - krb5_context /*context*/, - krb5_auth_context /*ac*/, - krb5_pointer /*p_fd*/, - krb5_data */*data*/); - -krb5_error_code -krb5_xfree (void */*ptr*/); - -krb5_error_code -principalname2krb5_principal ( - krb5_principal */*principal*/, - const PrincipalName /*from*/, - const Realm /*realm*/); - -#endif /* __krb5_protos_h__ */ diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5-v4compat.h b/crypto/heimdal-0.6.3/lib/krb5/krb5-v4compat.h deleted file mode 100644 index 2f89281ed2..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5-v4compat.h +++ /dev/null 
@@ -1,93 +0,0 @@
-/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: krb5-v4compat.h,v 1.2 2003/03/18 03:08:20 lha Exp $ */
-
-#ifndef __KRB5_V4COMPAT_H__
-#define __KRB5_V4COMPAT_H__
-
-/*
- * This file must only be included with v4 compat glue stuff in
- * heimdal sources.
- *
- * It MUST NOT be installed.
- */
-
-#define MAX_KTXT_LEN 1250
-
-#define ANAME_SZ 40
-#define REALM_SZ 40
-#define SNAME_SZ 40
-#define INST_SZ 40
-
-struct ktext {
- unsigned int length; /* Length of the text */
- unsigned char dat[MAX_KTXT_LEN]; /* The data itself */
- u_int32_t mbz; /* zero to catch runaway strings */
-};
-
-struct credentials {
- char service[ANAME_SZ]; /* Service name */
- char instance[INST_SZ]; /* Instance */
- char realm[REALM_SZ]; /* Auth domain */
- des_cblock session; /* Session key */
- int lifetime; /* Lifetime */
- int kvno; /* Key version number */
- struct ktext ticket_st; /* The ticket itself */
- int32_t issue_date; /* The issue time */
- char pname[ANAME_SZ]; /* Principal's name */
- char pinst[INST_SZ]; /* Principal's instance */
-};
-
-
-#define TKTLIFENUMFIXED 64
-#define TKTLIFEMINFIXED 0x80
-#define TKTLIFEMAXFIXED 0xBF
-#define TKTLIFENOEXPIRE 0xFF
-#define MAXTKTLIFETIME (30*24*3600) /* 30 days */
-#ifndef NEVERDATE
-#define NEVERDATE ((time_t)0x7fffffffL)
-#endif
-
-#define KERB_ERR_NULL_KEY 10
-
-int
-_krb5_krb_time_to_life(time_t start, time_t end);
-
-time_t
-_krb5_krb_life_to_time(int start, int life_);
-
-#define krb_time_to_life _krb5_krb_time_to_life
-#define krb_life_to_time _krb5_krb_life_to_time
-
-#endif /* __KRB5_V4COMPAT_H__ */
diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5.3 b/crypto/heimdal-0.6.3/lib/krb5/krb5.3
deleted file mode 100644
index 8e169a0ca6..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/krb5.3
+++ /dev/null
@@ -1,240 +0,0 @@ -.\" Copyright (c) 2001, 2003 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.\" -.Dd March 20, 2003 -.Dt KRB5 3 -.Os -.Sh NAME -.Nm krb5 -.Nd kerberos 5 library -.Sh LIBRARY -Kerberos 5 Library (libkrb5, -lkrb5) -.Sh DESCRIPTION -These functions constitute the Kerberos 5 library, -.Em libkrb5 . 
-Declarations for these functions may be obtained from the include file -.Pa krb5.h . -.Sh LIST OF FUNCTIONS -.sp 2 -.nf -.ta \w'krb5_checksum_is_collision_proof.3'u+2n +\w'Description goes here'u -\fIName/Page\fP \fIDescription\fP -.ta \w'krb5_checksum_is_collision_proof.3'u+2n +\w'Description goes here'u+6nC -.sp 5p -krb5_425_conv_principal.3 -krb5_425_conv_principal_ext.3 -krb5_524_conv_principal.3 -krb5_addlog_dest.3 -krb5_addlog_func.3 -krb5_addr2sockaddr.3 -krb5_address.3 -krb5_address_compare.3 -krb5_address_order.3 -krb5_address_search.3 -krb5_addresses.3 -krb5_anyaddr.3 -krb5_appdefault_boolean.3 -krb5_appdefault_string.3 -krb5_appdefault_time.3 -krb5_append_addresses.3 -krb5_auth_con_free.3 -krb5_auth_con_genaddrs.3 -krb5_auth_con_getaddrs.3 -krb5_auth_con_getflags.3 -krb5_auth_con_getkey.3 -krb5_auth_con_getlocalsubkey.3 -krb5_auth_con_getrcache.3 -krb5_auth_con_getremotesubkey.3 -krb5_auth_con_getuserkey.3 -krb5_auth_con_init.3 -krb5_auth_con_initivector.3 -krb5_auth_con_setaddrs.3 -krb5_auth_con_setaddrs_from_fd.3 -krb5_auth_con_setflags.3 -krb5_auth_con_setivector.3 -krb5_auth_con_setkey.3 -krb5_auth_con_setlocalsubkey.3 -krb5_auth_con_setrcache.3 -krb5_auth_con_setremotesubkey.3 -krb5_auth_con_setuserkey.3 -krb5_auth_context.3 -krb5_auth_getauthenticator.3 -krb5_auth_getcksumtype.3 -krb5_auth_getkeytype.3 -krb5_auth_getlocalseqnumber.3 -krb5_auth_getremoteseqnumber.3 -krb5_auth_setcksumtype.3 -krb5_auth_setkeytype.3 -krb5_auth_setlocalseqnumber.3 -krb5_auth_setremoteseqnumber.3 -krb5_build_principal.3 -krb5_build_principal_ext.3 -krb5_build_principal_va.3 -krb5_build_principal_va_ext.3 -krb5_cc_close.3 -krb5_cc_copy_cache.3 -krb5_cc_default.3 -krb5_cc_default_name.3 -krb5_cc_destroy.3 -krb5_cc_end_seq_get.3 -krb5_cc_gen_new.3 -krb5_cc_get_name.3 -krb5_cc_get_principal.3 -krb5_cc_get_type.3 -krb5_cc_get_version.3 -krb5_cc_initialize.3 -krb5_cc_next_cred.3 -krb5_cc_register.3 -krb5_cc_remove_cred.3 -krb5_cc_resolve.3 -krb5_cc_retrieve_cred.3 
-krb5_cc_set_default_name.3 -krb5_cc_set_flags.3 -krb5_cc_store_cred.3 -krb5_checksum_is_collision_proof.3 -krb5_checksum_is_keyed.3 -krb5_checksumsize.3 -krb5_closelog.3 -krb5_config_get_bool_default.3 -krb5_config_get_int_default.3 -krb5_config_get_string_default.3 -krb5_config_get_time_default.3 -krb5_context.3 -krb5_copy_address.3 -krb5_copy_addresses.3 -krb5_copy_data.3 -krb5_create_checksum.3 -krb5_crypto_destroy.3 -krb5_crypto_init.3 -krb5_data_alloc.3 -krb5_data_copy.3 -krb5_data_free.3 -krb5_data_realloc.3 -krb5_data_zero.3 -krb5_decrypt.3 -krb5_decrypt_EncryptedData.3 -krb5_encrypt.3 -krb5_encrypt_EncryptedData.3 -krb5_err.3 -krb5_errx.3 -krb5_free_address.3 -krb5_free_addresses.3 -krb5_free_context.3 -krb5_free_data.3 -krb5_free_data_contents.3 -krb5_free_host_realm.3 -krb5_free_krbhst.3 -krb5_free_principal.3 -krb5_get_all_client_addrs.3 -krb5_get_all_server_addrs.3 -krb5_get_default_realm.3 -krb5_get_default_realms.3 -krb5_get_host_realm.3 -krb5_get_krb524hst.3 -krb5_get_krb_admin_hst.3 -krb5_get_krb_changepw_hst.3 -krb5_get_krbhst.3 -krb5_h_addr2addr.3 -krb5_h_addr2sockaddr.3 -krb5_init_context.3 -krb5_initlog.3 -krb5_keytab_entry.3 -krb5_krbhst_format_string.3 -krb5_krbhst_free.3 -krb5_krbhst_get_addrinfo.3 -krb5_krbhst_init.3 -krb5_krbhst_next.3 -krb5_krbhst_next_as_string.3 -krb5_krbhst_reset.3 -krb5_kt_add_entry.3 -krb5_kt_close.3 -krb5_kt_compare.3 -krb5_kt_copy_entry_contents.3 -krb5_kt_cursor.3 -krb5_kt_cursor.3 -krb5_kt_default.3 -krb5_kt_default_name.3 -krb5_kt_end_seq_get.3 -krb5_kt_free_entry.3 -krb5_kt_get_entry.3 -krb5_kt_get_name.3 -krb5_kt_next_entry.3 -krb5_kt_ops.3 -krb5_kt_read_service_key.3 -krb5_kt_register.3 -krb5_kt_remove_entry.3 -krb5_kt_resolve.3.3 -krb5_kt_start_seq_get -krb5_log.3 -krb5_log_msg.3 -krb5_make_addrport.3 -krb5_make_principal.3 -krb5_max_sockaddr_size.3 -krb5_openlog.3 -krb5_parse_address.3 -krb5_parse_name.3 -krb5_principal.3 -krb5_principal_get_comp_string.3 -krb5_principal_get_realm.3 -krb5_print_address.3 
-krb5_set_default_realm.3 -krb5_set_warn_dest.3 -krb5_sname_to_principal.3 -krb5_sock_to_principal.3 -krb5_sockaddr2address.3 -krb5_sockaddr2port.3 -krb5_sockaddr_uninteresting.3 -krb5_timeofday.3 -krb5_unparse_name.3 -krb5_us_timeofday.3 -krb5_verify_checksum.3 -krb5_verify_opt_init.3 -krb5_verify_opt_set_flags.3 -krb5_verify_opt_set_keytab.3 -krb5_verify_opt_set_secure.3 -krb5_verify_opt_set_service.3 -krb5_verify_user.3 -krb5_verify_user_lrealm.3 -krb5_verify_user_opt.3 -krb5_verr.3 -krb5_verrx.3 -krb5_vlog.3 -krb5_vlog_msg.3 -krb5_vwarn.3 -krb5_vwarnx.3 -krb5_warn.3 -krb5_warnx.3 -krn5_kuserok.3 -.ta -.Fi -.Sh SEE ALSO -.Xr krb5.conf 5 , -.Xr kerberos 8 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5.cat3 b/crypto/heimdal-0.6.3/lib/krb5/krb5.cat3 deleted file mode 100644 index 83cd5de34a..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5.cat3 +++ /dev/null 
@@ -1,204 +0,0 @@ - -KRB5(3) UNIX Programmer's Manual KRB5(3) - -NNAAMMEE - kkrrbb55 - kerberos 5 library - -LLIIBBRRAARRYY - Kerberos 5 Library (libkrb5, -lkrb5) - -DDEESSCCRRIIPPTTIIOONN - These functions constitute the Kerberos 5 library, _l_i_b_k_r_b_5. Declarations - for these functions may be obtained from the include file _k_r_b_5_._h. - -LLIISSTT OOFF FFUUNNCCTTIIOONNSS - _N_a_m_e_/_P_a_g_e _D_e_s_c_r_i_p_t_i_o_n - krb5_425_conv_principal.3 - krb5_425_conv_principal_ext.3 - krb5_524_conv_principal.3 - krb5_addlog_dest.3 - krb5_addlog_func.3 - krb5_addr2sockaddr.3 - krb5_address.3 - krb5_address_compare.3 - krb5_address_order.3 - krb5_address_search.3 - krb5_addresses.3 - krb5_anyaddr.3 - krb5_appdefault_boolean.3 - krb5_appdefault_string.3 - krb5_appdefault_time.3 - krb5_append_addresses.3 - krb5_auth_con_free.3 - krb5_auth_con_genaddrs.3 - krb5_auth_con_getaddrs.3 - krb5_auth_con_getflags.3 - krb5_auth_con_getkey.3 - krb5_auth_con_getlocalsubkey.3 - krb5_auth_con_getrcache.3 - krb5_auth_con_getremotesubkey.3 - krb5_auth_con_getuserkey.3 - krb5_auth_con_init.3 - krb5_auth_con_initivector.3 - krb5_auth_con_setaddrs.3 - krb5_auth_con_setaddrs_from_fd.3 - krb5_auth_con_setflags.3 - krb5_auth_con_setivector.3 - krb5_auth_con_setkey.3 - krb5_auth_con_setlocalsubkey.3 - krb5_auth_con_setrcache.3 - krb5_auth_con_setremotesubkey.3 - krb5_auth_con_setuserkey.3 - krb5_auth_context.3 - krb5_auth_getauthenticator.3 - krb5_auth_getcksumtype.3 - krb5_auth_getkeytype.3 - krb5_auth_getlocalseqnumber.3 - krb5_auth_getremoteseqnumber.3 - krb5_auth_setcksumtype.3 - krb5_auth_setkeytype.3 - krb5_auth_setlocalseqnumber.3 - krb5_auth_setremoteseqnumber.3 - krb5_build_principal.3 - krb5_build_principal_ext.3 - krb5_build_principal_va.3 - krb5_build_principal_va_ext.3 - krb5_cc_close.3 - krb5_cc_copy_cache.3 - krb5_cc_default.3 - krb5_cc_default_name.3 - krb5_cc_destroy.3 - krb5_cc_end_seq_get.3 - krb5_cc_gen_new.3 - krb5_cc_get_name.3 - krb5_cc_get_principal.3 - 
krb5_cc_get_type.3 - krb5_cc_get_version.3 - krb5_cc_initialize.3 - krb5_cc_next_cred.3 - krb5_cc_register.3 - krb5_cc_remove_cred.3 - krb5_cc_resolve.3 - krb5_cc_retrieve_cred.3 - krb5_cc_set_default_name.3 - krb5_cc_set_flags.3 - krb5_cc_store_cred.3 - krb5_checksum_is_collision_proof.3 - krb5_checksum_is_keyed.3 - krb5_checksumsize.3 - krb5_closelog.3 - krb5_config_get_bool_default.3 - krb5_config_get_int_default.3 - krb5_config_get_string_default.3 - krb5_config_get_time_default.3 - krb5_context.3 - krb5_copy_address.3 - krb5_copy_addresses.3 - krb5_copy_data.3 - krb5_create_checksum.3 - krb5_crypto_destroy.3 - krb5_crypto_init.3 - krb5_data_alloc.3 - krb5_data_copy.3 - krb5_data_free.3 - krb5_data_realloc.3 - krb5_data_zero.3 - krb5_decrypt.3 - krb5_decrypt_EncryptedData.3 - krb5_encrypt.3 - krb5_encrypt_EncryptedData.3 - krb5_err.3 - krb5_errx.3 - krb5_free_address.3 - krb5_free_addresses.3 - krb5_free_context.3 - krb5_free_data.3 - krb5_free_data_contents.3 - krb5_free_host_realm.3 - krb5_free_krbhst.3 - krb5_free_principal.3 - krb5_get_all_client_addrs.3 - krb5_get_all_server_addrs.3 - krb5_get_default_realm.3 - krb5_get_default_realms.3 - krb5_get_host_realm.3 - krb5_get_krb524hst.3 - krb5_get_krb_admin_hst.3 - krb5_get_krb_changepw_hst.3 - krb5_get_krbhst.3 - krb5_h_addr2addr.3 - krb5_h_addr2sockaddr.3 - krb5_init_context.3 - krb5_initlog.3 - krb5_keytab_entry.3 - krb5_krbhst_format_string.3 - krb5_krbhst_free.3 - krb5_krbhst_get_addrinfo.3 - krb5_krbhst_init.3 - krb5_krbhst_next.3 - krb5_krbhst_next_as_string.3 - krb5_krbhst_reset.3 - krb5_kt_add_entry.3 - krb5_kt_close.3 - krb5_kt_compare.3 - krb5_kt_copy_entry_contents.3 - krb5_kt_cursor.3 - krb5_kt_cursor.3 - krb5_kt_default.3 - krb5_kt_default_name.3 - krb5_kt_end_seq_get.3 - krb5_kt_free_entry.3 - krb5_kt_get_entry.3 - krb5_kt_get_name.3 - krb5_kt_next_entry.3 - krb5_kt_ops.3 - krb5_kt_read_service_key.3 - krb5_kt_register.3 - krb5_kt_remove_entry.3 - krb5_kt_resolve.3.3 - krb5_kt_start_seq_get - 
krb5_log.3 - krb5_log_msg.3 - krb5_make_addrport.3 - krb5_make_principal.3 - krb5_max_sockaddr_size.3 - krb5_openlog.3 - krb5_parse_address.3 - krb5_parse_name.3 - krb5_principal.3 - krb5_principal_get_comp_string.3 - krb5_principal_get_realm.3 - krb5_print_address.3 - krb5_set_default_realm.3 - krb5_set_warn_dest.3 - krb5_sname_to_principal.3 - krb5_sock_to_principal.3 - krb5_sockaddr2address.3 - krb5_sockaddr2port.3 - krb5_sockaddr_uninteresting.3 - krb5_timeofday.3 - krb5_unparse_name.3 - krb5_us_timeofday.3 - krb5_verify_checksum.3 - krb5_verify_opt_init.3 - krb5_verify_opt_set_flags.3 - krb5_verify_opt_set_keytab.3 - krb5_verify_opt_set_secure.3 - krb5_verify_opt_set_service.3 - krb5_verify_user.3 - krb5_verify_user_lrealm.3 - krb5_verify_user_opt.3 - krb5_verr.3 - krb5_verrx.3 - krb5_vlog.3 - krb5_vlog_msg.3 - krb5_vwarn.3 - krb5_vwarnx.3 - krb5_warn.3 - krb5_warnx.3 - krn5_kuserok.3 - -SSEEEE AALLSSOO - krb5.conf(5), kerberos(8) - -BSD Experimental March 20, 2003 4 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5.conf.5 b/crypto/heimdal-0.6.3/lib/krb5/krb5.conf.5 deleted file mode 100644 index c9f8771c8a..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5.conf.5 +++ /dev/null 
@@ -1,477 +0,0 @@ -.\" Copyright (c) 1999 - 2004 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. 
-.\" -.\" $Id: krb5.conf.5,v 1.35.2.2 2004/03/09 19:52:07 lha Exp $ -.\" -.Dd March 9, 2004 -.Dt KRB5.CONF 5 -.Os HEIMDAL -.Sh NAME -.Nm krb5.conf -.Nd configuration file for Kerberos 5 -.Sh SYNOPSIS -.In krb5.h -.Sh DESCRIPTION -The -.Nm -file specifies several configuration parameters for the Kerberos 5 -library, as well as for some programs. -.Pp -The file consists of one or more sections, containing a number of -bindings. -The value of each binding can be either a string or a list of other -bindings. -The grammar looks like: -.Bd -literal -offset indent -file: - /* empty */ - sections - -sections: - section sections - section - -section: - '[' section_name ']' bindings - -section_name: - STRING - -bindings: - binding bindings - binding - -binding: - name '=' STRING - name '=' '{' bindings '}' - -name: - STRING - -.Ed -.Li STRINGs -consists of one or more non-whitespace characters. -.Pp -STRINGs that are specified later in this man-page uses the following -notation. -.Bl -tag -width "xxx" -offset indent -.It boolean -values can be either yes/true or no/false. -.It time -values can be a list of year, month, day, hour, min, second. -Example: 1 month 2 days 30 min. -.It etypes -valid encryption types are: des-cbc-crc, des-cbc-md4, des-cbc-md5, -des3-cbc-sha1, arcfour-hmac-md5, aes128-cts-hmac-sha1-96, and -aes256-cts-hmac-sha1-96 . -.It address -an address can be either a IPv4 or a IPv6 address. -.El -.Pp -Currently recognised sections and bindings are: -.Bl -tag -width "xxx" -offset indent -.It Li [appdefaults] -Specifies the default values to be used for Kerberos applications. -You can specify defaults per application, realm, or a combination of -these. 
-The preference order is: -.Bl -enum -compact -.It -.Va application Va realm Va option -.It -.Va application Va option -.It -.Va realm Va option -.It -.Va option -.El -.Pp -The supported options are: -.Bl -tag -width "xxx" -offset indent -.It Li forwardable = Va boolean -When obtaining initial credentials, make the credentials forwardable. -.It Li proxiable = Va boolean -When obtaining initial credentials, make the credentials proxiable. -.It Li no-addresses = Va boolean -When obtaining initial credentials, request them for an empty set of -addresses, making the tickets valid from any address. -.It Li ticket_lifetime = Va time -Default ticket lifetime. -.It Li renew_lifetime = Va time -Default renewable ticket lifetime. -.It Li encrypt = Va boolean -Use encryption, when available. -.It Li forward = Va boolean -Forward credentials to remote host (for -.Xr rsh 1 , -.Xr telnet 1 , -etc). -.El -.It Li [libdefaults] -.Bl -tag -width "xxx" -offset indent -.It Li default_realm = Va REALM -Default realm to use, this is also known as your -.Dq local realm . -The default is the result of -.Fn krb5_get_host_realm "local hostname" . -.It Li clockskew = Va time -Maximum time differential (in seconds) allowed when comparing -times. -Default is 300 seconds (five minutes). -.It Li kdc_timeout = Va time -Maximum time to wait for a reply from the kdc, default is 3 seconds. -.It v4_name_convert -.It v4_instance_resolve -These are described in the -.Xr krb5_425_conv_principal 3 -manual page. -.It Li capath = { -.Bl -tag -width "xxx" -offset indent -.It Va destination-realm Li = Va next-hop-realm -.It ... -.It Li } -.El -This is deprecated, see the -.Li capaths -section below. -.It Li default_etypes = Va etypes ... -A list of default encryption types to use. -.It Li default_etypes_des = Va etypes ... -A list of default encryption types to use when requesting a DES credential. 
-.It Li default_keytab_name = Va keytab -The keytab to use if no other is specified, default is -.Dq FILE:/etc/krb5.keytab . -.It Li dns_lookup_kdc = Va boolean -Use DNS SRV records to lookup KDC services location. -.It Li dns_lookup_realm = Va boolean -Use DNS TXT records to lookup domain to realm mappings. -.It Li kdc_timesync = Va boolean -Try to keep track of the time differential between the local machine -and the KDC, and then compensate for that when issuing requests. -.It Li max_retries = Va number -The max number of times to try to contact each KDC. -.It Li ticket_lifetime = Va time -Default ticket lifetime. -.It Li renew_lifetime = Va time -Default renewable ticket lifetime. -.It Li forwardable = Va boolean -When obtaining initial credentials, make the credentials forwardable. -This option is also valid in the [realms] section. -.It Li proxiable = Va boolean -When obtaining initial credentials, make the credentials proxiable. -This option is also valid in the [realms] section. -.It Li verify_ap_req_nofail = Va boolean -If enabled, failure to verify credentials against a local key is a -fatal error. -The application has to be able to read the corresponding service key -for this to work. -Some applications, like -.Xr su 1 , -enable this option unconditionally. -.It Li warn_pwexpire = Va time -How soon to warn for expiring password. -Default is seven days. -.It Li http_proxy = Va proxy-spec -A HTTP-proxy to use when talking to the KDC via HTTP. -.It Li dns_proxy = Va proxy-spec -Enable using DNS via HTTP. -.It Li extra_addresses = Va address ... -A list of addresses to get tickets for along with all local addresses. -.It Li time_format = Va string -How to print time strings in logs, this string is passed to -.Xr strftime 3 . -.It Li date_format = Va string -How to print date strings in logs, this string is passed to -.Xr strftime 3 . -.It Li log_utc = Va boolean -Write log-entries using UTC instead of your local time zone. 
-.It Li scan_interfaces = Va boolean -Scan all network interfaces for addresses, as opposed to simply using -the address associated with the system's host name. -.It Li fcache_version = Va int -Use file credential cache format version specified. -.It Li krb4_get_tickets = Va boolean -Also get Kerberos 4 tickets in -.Nm kinit , -.Nm login , -and other programs. -This option is also valid in the [realms] section. -.It Li fcc-mit-ticketflags = Va boolean -Use MIT compatible format for file credential cache. -It's the field ticketflags that is stored in reverse bit order for -older than Heimdal 0.7. -Setting this flag to -.Dv TRUE -make it store the MIT way, this is default for Heimdal 0.7. -.El -.It Li [domain_realm] -This is a list of mappings from DNS domain to Kerberos realm. -Each binding in this section looks like: -.Pp -.Dl domain = realm -.Pp -The domain can be either a full name of a host or a trailing -component, in the latter case the domain-string should start with a -period. -The realm may be the token `dns_locate', in which case the actual -realm will be determined using DNS (independently of the setting -of the `dns_lookup_realm' option). -.It Li [realms] -.Bl -tag -width "xxx" -offset indent -.It Va REALM Li = { -.Bl -tag -width "xxx" -offset indent -.It Li kdc = Va [service/]host[:port] -Specifies a list of kdcs for this realm. -If the optional -.Va port -is absent, the -default value for the -.Dq kerberos/udp -.Dq kerberos/tcp , -and -.Dq http/tcp -port (depending on service) will be used. -The kdcs will be used in the order that they are specified. -.Pp -The optional -.Va service -specifies over what medium the kdc should be -contacted. -Possible services are -.Dq udp , -.Dq tcp , -and -.Dq http . -Http can also be written as -.Dq http:// . -Default service is -.Dq udp -and -.Dq tcp . -.It Li admin_server = Va host[:port] -Specifies the admin server for this realm, where all the modifications -to the database are performed. 
-.It Li kpasswd_server = Va host[:port] -Points to the server where all the password changes are performed. -If there is no such entry, the kpasswd port on the admin_server host -will be tried. -.It Li krb524_server = Va host[:port] -Points to the server that does 524 conversions. -If it is not mentioned, the krb524 port on the kdcs will be tried. -.It Li v4_instance_convert -.It Li v4_name_convert -.It Li default_domain -See -.Xr krb5_425_conv_principal 3 . -.It Li tgs_require_subkey -a boolan variable that defaults to false. -Old DCE secd (pre 1.1) might need this to be true. -.El -.It Li } -.El -.It Li [capaths] -.Bl -tag -width "xxx" -offset indent -.It Va client-realm Li = { -.Bl -tag -width "xxx" -offset indent -.It Va server-realm Li = Va hop-realm ... -This serves two purposes. First the first listed -.Va hop-realm -tells a client which realm it should contact in order to ultimately -obtain credentials for a service in the -.Va server-realm . -Secondly, it tells the KDC (and other servers) which realms are -allowed in a multi-hop traversal from -.Va client-realm -to -.Va server-realm . -Except for the client case, the order of the realms are not important. -.El -.It Va } -.El -.It Li [logging] -.Bl -tag -width "xxx" -offset indent -.It Va entity Li = Va destination -Specifies that -.Va entity -should use the specified -.Li destination -for logging. -See the -.Xr krb5_openlog 3 -manual page for a list of defined destinations. -.El -.It Li [kdc] -.Bl -tag -width "xxx" -offset indent -.It database Li = { -.Bl -tag -width "xxx" -offset indent -.It dbname Li = Va DATABASENAME -Use this database for this realm. -.It realm Li = Va REALM -Specifies the realm that will be stored in this database. -.It mkey_file Li = Pa FILENAME -Use this keytab file for the master key of this database. -If not specified -.Va DATABASENAME Ns .mkey -will be used. -.It acl_file Li = PA FILENAME -Use this file for the ACL list of this database. 
-.It log_file Li = Pa FILENAME -Use this file as the log of changes performed to the database. -This file is used by -.Nm ipropd-master -for propagating changes to slaves. -.El -.It Li } -.It max-request = Va SIZE -Maximum size of a kdc request. -.It require-preauth = Va BOOL -If set pre-authentication is required. -Since krb4 requests are not pre-authenticated they will be rejected. -.It ports = Va "list of ports" -List of ports the kdc should listen to. -.It addresses = Va "list of interfaces" -List of addresses the kdc should bind to. -.It enable-kerberos4 = Va BOOL -Turn on Kerberos 4 support. -.It v4-realm = Va REALM -To what realm v4 requests should be mapped. -.It enable-524 = Va BOOL -Should the Kerberos 524 converting facility be turned on. -Default is same as -.Va enable-kerberos4 . -.It enable-http = Va BOOL -Should the kdc answer kdc-requests over http. -.It enable-kaserver = Va BOOL -If this kdc should emulate the AFS kaserver. -.It check-ticket-addresses = Va BOOL -verify the addresses in the tickets used in tgs requests. -.\" XXX -.It allow-null-ticket-addresses = Va BOOL -Allow addresses-less tickets. -.\" XXX -.It allow-anonymous = Va BOOL -If the kdc is allowed to hand out anonymous tickets. -.It encode_as_rep_as_tgs_rep = Va BOOL -Encode as-rep as tgs-rep tobe compatible with mistakes older DCE secd did. -.\" XXX -.It kdc_warn_pwexpire = Va TIME -The time before expiration that the user should be warned that her -password is about to expire. -.It logging = Va Logging -What type of logging the kdc should use, see also [logging]/kdc. -.It use_2b = Va principal list -List of principals to use AFS 2b tokens for. -.El -.It Li [kadmin] -.Bl -tag -width "xxx" -offset indent -.It require-preauth = Va BOOL -If pre-authentication is required to talk to the kadmin server. -.It default_keys = Va keytypes... 
-for each entry in -.Va default_keys -try to parse it as a sequence of -.Va etype:salttype:salt -syntax of this if something like: -.Pp -[(des|des3|etype):](pw-salt|afs3-salt)[:string] -.Pp -If -.Ar etype -is omitted it means everything, and if string is omitted it means the -default salt string (for that principal and encryption type). -Additional special values of keytypes are: -.Bl -tag -width "xxx" -offset indent -.It v5 -The Kerberos 5 salt -.Va pw-salt -.It v4 -The Kerberos 4 salt -.Va des:pw-salt: -.El -.It use_v4_salt = Va BOOL -When true, this is the same as -.Pp -.Va default_keys = Va des3:pw-salt Va v4 -.Pp -and is only left for backwards compatibility. -.El -.El -.Sh ENVIRONMENT -.Ev KRB5_CONFIG -points to the configuration file to read. -.Sh FILES -.Bl -tag -width "/etc/krb5.conf" -.It Pa /etc/krb5.conf -configuration file for Kerberos 5. -.El -.Sh EXAMPLES -.Bd -literal -offset indent -[libdefaults] - default_realm = FOO.SE -[domain_realm] - .foo.se = FOO.SE - .bar.se = FOO.SE -[realms] - FOO.SE = { - kdc = kerberos.foo.se - v4_name_convert = { - rcmd = host - } - v4_instance_convert = { - xyz = xyz.bar.se - } - default_domain = foo.se - } -[logging] - kdc = FILE:/var/heimdal/kdc.log - kdc = SYSLOG:INFO - default = SYSLOG:INFO:USER -.Ed -.Sh DIAGNOSTICS -Since -.Nm -is read and parsed by the krb5 library, there is not a lot of -opportunities for programs to report parsing errors in any useful -format. -To help overcome this problem, there is a program -.Nm verify_krb5_conf -that reads -.Nm -and tries to emit useful diagnostics from parsing errors. -Note that this program does not have any way of knowing what options -are actually used and thus cannot warn about unknown or misspelled -ones. -.Sh SEE ALSO -.Xr kinit 1 , -.Xr krb5_425_conv_principal 3 , -.Xr krb5_openlog 3 , -.Xr strftime 3 , -.Xr verify_krb5_conf 8 
diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5.conf.cat5 b/crypto/heimdal-0.6.3/lib/krb5/krb5.conf.cat5
deleted file mode 100644
index 7c7bc6d68d..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/krb5.conf.cat5
+++ /dev/null
@@ -1,476 +0,0 @@ - -KRB5.CONF(5) UNIX Programmer's Manual KRB5.CONF(5) - -NNAAMMEE - kkrrbb55..ccoonnff - configuration file for Kerberos 5 - -SSYYNNOOPPSSIISS -DDEESSCCRRIIPPTTIIOONN - The kkrrbb55..ccoonnff file specifies several configuration parameters for the - Kerberos 5 library, as well as for some programs. - - The file consists of one or more sections, containing a number of bind- - ings. The value of each binding can be either a string or a list of oth- - er bindings. The grammar looks like: - - file: - /* empty */ - sections - - sections: - section sections - section - - section: - '[' section_name ']' bindings - - section_name: - STRING - - bindings: - binding bindings - binding - - binding: - name '=' STRING - name '=' '{' bindings '}' - - name: - STRING - - STRINGs consists of one or more non-whitespace characters. - - STRINGs that are specified later in this man-page uses the following no- - tation. - - boolean - values can be either yes/true or no/false. - - time - values can be a list of year, month, day, hour, min, second. - Example: 1 month 2 days 30 min. - - etypes - valid encryption types are: des-cbc-crc, des-cbc-md4, des-cbc- - md5, des3-cbc-sha1, arcfour-hmac-md5, aes128-cts-hmac-sha1-96, - and aes256-cts-hmac-sha1-96 . - - address - an address can be either a IPv4 or a IPv6 address. - - Currently recognised sections and bindings are: - - [appdefaults] - Specifies the default values to be used for Kerberos applica- - tions. You can specify defaults per application, realm, or a - - combination of these. The preference order is: - 1. _a_p_p_l_i_c_a_t_i_o_n _r_e_a_l_m _o_p_t_i_o_n - 2. _a_p_p_l_i_c_a_t_i_o_n _o_p_t_i_o_n - 3. _r_e_a_l_m _o_p_t_i_o_n - 4. _o_p_t_i_o_n - - The supported options are: - - forwardable = _b_o_o_l_e_a_n - When obtaining initial credentials, make the cre- - dentials forwardable. - - proxiable = _b_o_o_l_e_a_n - When obtaining initial credentials, make the cre- - dentials proxiable. 
- - no-addresses = _b_o_o_l_e_a_n - When obtaining initial credentials, request them - for an empty set of addresses, making the tickets - valid from any address. - - ticket_lifetime = _t_i_m_e - Default ticket lifetime. - - renew_lifetime = _t_i_m_e - Default renewable ticket lifetime. - - encrypt = _b_o_o_l_e_a_n - Use encryption, when available. - - forward = _b_o_o_l_e_a_n - Forward credentials to remote host (for rsh(1), - telnet(1), etc). - - [libdefaults] - - default_realm = _R_E_A_L_M - Default realm to use, this is also known as your - ``local realm''. The default is the result of - kkrrbb55__ggeett__hhoosstt__rreeaallmm(_l_o_c_a_l _h_o_s_t_n_a_m_e). - - clockskew = _t_i_m_e - Maximum time differential (in seconds) allowed when - comparing times. Default is 300 seconds (five min- - utes). - - kdc_timeout = _t_i_m_e - Maximum time to wait for a reply from the kdc, de- - fault is 3 seconds. - - v4_name_convert - - v4_instance_resolve - These are described in the krb5_425_conv_princi- - pal(3) manual page. - - capath = { - - _d_e_s_t_i_n_a_t_i_o_n_-_r_e_a_l_m = _n_e_x_t_-_h_o_p_-_r_e_a_l_m - - ... - - } - - - This is deprecated, see the capaths section below. - - default_etypes = _e_t_y_p_e_s _._._. - A list of default encryption types to use. - - default_etypes_des = _e_t_y_p_e_s _._._. - A list of default encryption types to use when re- - questing a DES credential. - - default_keytab_name = _k_e_y_t_a_b - The keytab to use if no other is specified, default - is ``FILE:/etc/krb5.keytab''. - - dns_lookup_kdc = _b_o_o_l_e_a_n - Use DNS SRV records to lookup KDC services loca- - tion. - - dns_lookup_realm = _b_o_o_l_e_a_n - Use DNS TXT records to lookup domain to realm map- - pings. - - kdc_timesync = _b_o_o_l_e_a_n - Try to keep track of the time differential between - the local machine and the KDC, and then compensate - for that when issuing requests. - - max_retries = _n_u_m_b_e_r - The max number of times to try to contact each KDC. 
- - ticket_lifetime = _t_i_m_e - Default ticket lifetime. - - renew_lifetime = _t_i_m_e - Default renewable ticket lifetime. - - forwardable = _b_o_o_l_e_a_n - When obtaining initial credentials, make the cre- - dentials forwardable. This option is also valid in - the [realms] section. - - proxiable = _b_o_o_l_e_a_n - When obtaining initial credentials, make the cre- - dentials proxiable. This option is also valid in - the [realms] section. - - verify_ap_req_nofail = _b_o_o_l_e_a_n - If enabled, failure to verify credentials against a - local key is a fatal error. The application has to - be able to read the corresponding service key for - this to work. Some applications, like su(1), en- - able this option unconditionally. - - warn_pwexpire = _t_i_m_e - How soon to warn for expiring password. Default is - seven days. - - http_proxy = _p_r_o_x_y_-_s_p_e_c - A HTTP-proxy to use when talking to the KDC via - HTTP. - - dns_proxy = _p_r_o_x_y_-_s_p_e_c - Enable using DNS via HTTP. - - extra_addresses = _a_d_d_r_e_s_s _._._. - A list of addresses to get tickets for along with - - all local addresses. - - time_format = _s_t_r_i_n_g - How to print time strings in logs, this string is - passed to strftime(3). - - date_format = _s_t_r_i_n_g - How to print date strings in logs, this string is - passed to strftime(3). - - log_utc = _b_o_o_l_e_a_n - Write log-entries using UTC instead of your local - time zone. - - scan_interfaces = _b_o_o_l_e_a_n - Scan all network interfaces for addresses, as op- - posed to simply using the address associated with - the system's host name. - - fcache_version = _i_n_t - Use file credential cache format version specified. - - krb4_get_tickets = _b_o_o_l_e_a_n - Also get Kerberos 4 tickets in kkiinniitt, llooggiinn, and - other programs. This option is also valid in the - [realms] section. - - fcc-mit-ticketflags = _b_o_o_l_e_a_n - Use MIT compatible format for file credential - cache. 
It's the field ticketflags that is stored - in reverse bit order for older than Heimdal 0.7. - Setting this flag to TRUE make it store the MIT - way, this is default for Heimdal 0.7. - - [domain_realm] - This is a list of mappings from DNS domain to Kerberos realm. - Each binding in this section looks like: - - domain = realm - - The domain can be either a full name of a host or a trailing - component, in the latter case the domain-string should start - with a period. The realm may be the token `dns_locate', in - which case the actual realm will be determined using DNS (in- - dependently of the setting of the `dns_lookup_realm' option). - - [realms] - - _R_E_A_L_M = { - - kdc = _[_s_e_r_v_i_c_e_/_]_h_o_s_t_[_:_p_o_r_t_] - Specifies a list of kdcs for this realm. - If the optional _p_o_r_t is absent, the de- - fault value for the ``kerberos/udp'' - ``kerberos/tcp'', and ``http/tcp'' port - (depending on service) will be used. - The kdcs will be used in the order that - they are specified. - - The optional _s_e_r_v_i_c_e specifies over what - medium the kdc should be contacted. - Possible services are ``udp'', ``tcp'', - and ``http''. Http can also be written - as ``http://''. Default service is - - - ``udp'' and ``tcp''. - - admin_server = _h_o_s_t_[_:_p_o_r_t_] - Specifies the admin server for this - realm, where all the modifications to - the database are performed. - - kpasswd_server = _h_o_s_t_[_:_p_o_r_t_] - Points to the server where all the pass- - word changes are performed. If there is - no such entry, the kpasswd port on the - admin_server host will be tried. - - krb524_server = _h_o_s_t_[_:_p_o_r_t_] - Points to the server that does 524 con- - versions. If it is not mentioned, the - krb524 port on the kdcs will be tried. - - v4_instance_convert - - v4_name_convert - - default_domain - See krb5_425_conv_principal(3). - - tgs_require_subkey - a boolan variable that defaults to - false. Old DCE secd (pre 1.1) might - need this to be true. 
- - } - - [capaths] - - _c_l_i_e_n_t_-_r_e_a_l_m = { - - _s_e_r_v_e_r_-_r_e_a_l_m = _h_o_p_-_r_e_a_l_m _._._. - This serves two purposes. First the - first listed _h_o_p_-_r_e_a_l_m tells a client - which realm it should contact in order - to ultimately obtain credentials for a - service in the _s_e_r_v_e_r_-_r_e_a_l_m. Secondly, - it tells the KDC (and other servers) - which realms are allowed in a multi-hop - traversal from _c_l_i_e_n_t_-_r_e_a_l_m to _s_e_r_v_e_r_- - _r_e_a_l_m. Except for the client case, the - order of the realms are not important. - - _} - - [logging] - - _e_n_t_i_t_y = _d_e_s_t_i_n_a_t_i_o_n - Specifies that _e_n_t_i_t_y should use the specified - destination for logging. See the krb5_openlog(3) - manual page for a list of defined destinations. - - [kdc] - - database = { - - dbname = _D_A_T_A_B_A_S_E_N_A_M_E - Use this database for this realm. - - realm = _R_E_A_L_M - Specifies the realm that will be stored - - in this database. - - mkey_file = _F_I_L_E_N_A_M_E - Use this keytab file for the master key - of this database. If not specified - _D_A_T_A_B_A_S_E_N_A_M_E.mkey will be used. - - acl_file = PA FILENAME - Use this file for the ACL list of this - database. - - log_file = _F_I_L_E_N_A_M_E - Use this file as the log of changes per- - formed to the database. This file is - used by iipprrooppdd--mmaasstteerr for propagating - changes to slaves. - - } - - max-request = _S_I_Z_E - Maximum size of a kdc request. - - require-preauth = _B_O_O_L - If set pre-authentication is required. Since krb4 - requests are not pre-authenticated they will be re- - jected. - - ports = _l_i_s_t _o_f _p_o_r_t_s - List of ports the kdc should listen to. - - addresses = _l_i_s_t _o_f _i_n_t_e_r_f_a_c_e_s - List of addresses the kdc should bind to. - - enable-kerberos4 = _B_O_O_L - Turn on Kerberos 4 support. - - v4-realm = _R_E_A_L_M - To what realm v4 requests should be mapped. 
- - enable-524 = _B_O_O_L - Should the Kerberos 524 converting facility be - turned on. Default is same as _e_n_a_b_l_e_-_k_e_r_b_e_r_o_s_4. - - enable-http = _B_O_O_L - Should the kdc answer kdc-requests over http. - - enable-kaserver = _B_O_O_L - If this kdc should emulate the AFS kaserver. - - check-ticket-addresses = _B_O_O_L - verify the addresses in the tickets used in tgs re- - quests. - - allow-null-ticket-addresses = _B_O_O_L - Allow addresses-less tickets. - - allow-anonymous = _B_O_O_L - If the kdc is allowed to hand out anonymous tick- - ets. - - encode_as_rep_as_tgs_rep = _B_O_O_L - Encode as-rep as tgs-rep tobe compatible with mis- - takes older DCE secd did. - - kdc_warn_pwexpire = _T_I_M_E - The time before expiration that the user should be - warned that her password is about to expire. - - logging = _L_o_g_g_i_n_g - What type of logging the kdc should use, see also - [logging]/kdc. - - use_2b = _p_r_i_n_c_i_p_a_l _l_i_s_t - List of principals to use AFS 2b tokens for. - - [kadmin] - - require-preauth = _B_O_O_L - If pre-authentication is required to talk to the - kadmin server. - - default_keys = _k_e_y_t_y_p_e_s_._._. - for each entry in _d_e_f_a_u_l_t___k_e_y_s try to parse it as a - sequence of _e_t_y_p_e_:_s_a_l_t_t_y_p_e_:_s_a_l_t syntax of this if - something like: - - [(des|des3|etype):](pw-salt|afs3-salt)[:string] - - If _e_t_y_p_e is omitted it means everything, and if - string is omitted it means the default salt string - (for that principal and encryption type). Addi- - tional special values of keytypes are: - - v5 The Kerberos 5 salt _p_w_-_s_a_l_t - - v4 The Kerberos 4 salt _d_e_s_:_p_w_-_s_a_l_t_: - - use_v4_salt = _B_O_O_L - When true, this is the same as - - _d_e_f_a_u_l_t___k_e_y_s _= _d_e_s_3_:_p_w_-_s_a_l_t _v_4 - - and is only left for backwards compatibility. - -EENNVVIIRROONNMMEENNTT - KRB5_CONFIG points to the configuration file to read. - -FFIILLEESS - /etc/krb5.conf configuration file for Kerberos 5. 
- -EEXXAAMMPPLLEESS - [libdefaults] - default_realm = FOO.SE - [domain_realm] - .foo.se = FOO.SE - .bar.se = FOO.SE - [realms] - FOO.SE = { - kdc = kerberos.foo.se - v4_name_convert = { - rcmd = host - } - v4_instance_convert = { - xyz = xyz.bar.se - } - default_domain = foo.se - } - [logging] - kdc = FILE:/var/heimdal/kdc.log - kdc = SYSLOG:INFO - default = SYSLOG:INFO:USER - -DDIIAAGGNNOOSSTTIICCSS - Since kkrrbb55..ccoonnff is read and parsed by the krb5 library, there is not a - lot of opportunities for programs to report parsing errors in any useful - format. To help overcome this problem, there is a program - vveerriiffyy__kkrrbb55__ccoonnff that reads kkrrbb55..ccoonnff and tries to emit useful diagnos- - tics from parsing errors. Note that this program does not have any way - of knowing what options are actually used and thus cannot warn about un- - known or misspelled ones. - -SSEEEE AALLSSOO - kinit(1), krb5_425_conv_principal(3), krb5_openlog(3), strftime(3), - verify_krb5_conf(8) - - HEIMDAL March 9, 2004 8 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5.h b/crypto/heimdal-0.6.3/lib/krb5/krb5.h deleted file mode 100644 index 9a327f104c..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5.h +++ /dev/null 
@@ -1,683 +0,0 @@ -/* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -/* $Id: krb5.h,v 1.209.2.2 2004/06/21 08:32:00 lha Exp $ */ - -#ifndef __KRB5_H__ -#define __KRB5_H__ - -#include -#include - -#include -#include -#include -#include - -#include - -/* name confusion with MIT */ -#ifndef KRB5KDC_ERR_KEY_EXP -#define KRB5KDC_ERR_KEY_EXP KRB5KDC_ERR_KEY_EXPIRED -#endif - -/* simple constants */ - -#ifndef TRUE -#define TRUE 1 -#define FALSE 0 -#endif - -typedef int krb5_boolean; - -typedef int32_t krb5_error_code; - -typedef int krb5_kvno; - -typedef u_int32_t krb5_flags; - -typedef void *krb5_pointer; -typedef const void *krb5_const_pointer; - -typedef octet_string krb5_data; - -struct krb5_crypto_data; -typedef struct krb5_crypto_data *krb5_crypto; - -typedef CKSUMTYPE krb5_cksumtype; - -typedef Checksum krb5_checksum; - -typedef ENCTYPE krb5_enctype; - -/* alternative names */ -enum { - ENCTYPE_NULL = ETYPE_NULL, - ENCTYPE_DES_CBC_CRC = ETYPE_DES_CBC_CRC, - ENCTYPE_DES_CBC_MD4 = ETYPE_DES_CBC_MD4, - ENCTYPE_DES_CBC_MD5 = ETYPE_DES_CBC_MD5, - ENCTYPE_DES3_CBC_MD5 = ETYPE_DES3_CBC_MD5, - ENCTYPE_OLD_DES3_CBC_SHA1 = ETYPE_OLD_DES3_CBC_SHA1, - ENCTYPE_SIGN_DSA_GENERATE = ETYPE_SIGN_DSA_GENERATE, - ENCTYPE_ENCRYPT_RSA_PRIV = ETYPE_ENCRYPT_RSA_PRIV, - ENCTYPE_ENCRYPT_RSA_PUB = ETYPE_ENCRYPT_RSA_PUB, - ENCTYPE_DES3_CBC_SHA1 = ETYPE_DES3_CBC_SHA1, - ENCTYPE_ARCFOUR_HMAC_MD5 = ETYPE_ARCFOUR_HMAC_MD5, - ENCTYPE_ARCFOUR_HMAC_MD5_56 = ETYPE_ARCFOUR_HMAC_MD5_56, - ENCTYPE_ENCTYPE_PK_CROSS = ETYPE_ENCTYPE_PK_CROSS, - ENCTYPE_DES_CBC_NONE = ETYPE_DES_CBC_NONE, - ENCTYPE_DES3_CBC_NONE = ETYPE_DES3_CBC_NONE, - ENCTYPE_DES_CFB64_NONE = ETYPE_DES_CFB64_NONE, - ENCTYPE_DES_PCBC_NONE = ETYPE_DES_PCBC_NONE -}; - -typedef PADATA_TYPE krb5_preauthtype; - -typedef enum krb5_key_usage { - KRB5_KU_PA_ENC_TIMESTAMP = 1, - /* AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with the - client key (section 5.4.1) */ - KRB5_KU_TICKET = 2, - /* AS-REP Ticket and TGS-REP Ticket (includes tgs session key or - application session key), encrypted with the 
service key - (section 5.4.2) */ - KRB5_KU_AS_REP_ENC_PART = 3, - /* AS-REP encrypted part (includes tgs session key or application - session key), encrypted with the client key (section 5.4.2) */ - KRB5_KU_TGS_REQ_AUTH_DAT_SESSION = 4, - /* TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs - session key (section 5.4.1) */ - KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY = 5, - /* TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs - authenticator subkey (section 5.4.1) */ - KRB5_KU_TGS_REQ_AUTH_CKSUM = 6, - /* TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator cksum, keyed - with the tgs session key (sections 5.3.2, 5.4.1) */ - KRB5_KU_TGS_REQ_AUTH = 7, - /* TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator (includes tgs - authenticator subkey), encrypted with the tgs session key - (section 5.3.2) */ - KRB5_KU_TGS_REP_ENC_PART_SESSION = 8, - /* TGS-REP encrypted part (includes application session key), - encrypted with the tgs session key (section 5.4.2) */ - KRB5_KU_TGS_REP_ENC_PART_SUB_KEY = 9, - /* TGS-REP encrypted part (includes application session key), - encrypted with the tgs authenticator subkey (section 5.4.2) */ - KRB5_KU_AP_REQ_AUTH_CKSUM = 10, - /* AP-REQ Authenticator cksum, keyed with the application session - key (section 5.3.2) */ - KRB5_KU_AP_REQ_AUTH = 11, - /* AP-REQ Authenticator (includes application authenticator - subkey), encrypted with the application session key (section - 5.3.2) */ - KRB5_KU_AP_REQ_ENC_PART = 12, - /* AP-REP encrypted part (includes application session subkey), - encrypted with the application session key (section 5.5.2) */ - KRB5_KU_KRB_PRIV = 13, - /* KRB-PRIV encrypted part, encrypted with a key chosen by the - application (section 5.7.1) */ - KRB5_KU_KRB_CRED = 14, - /* KRB-CRED encrypted part, encrypted with a key chosen by the - application (section 5.8.1) */ - KRB5_KU_KRB_SAFE_CKSUM = 15, - /* KRB-SAFE cksum, keyed with a key chosen by the application - (section 5.6.1) */ - KRB5_KU_OTHER_ENCRYPTED = 16, - /* 
Data which is defined in some specification outside of - Kerberos to be encrypted using an RFC1510 encryption type. */ - KRB5_KU_OTHER_CKSUM = 17, - /* Data which is defined in some specification outside of - Kerberos to be checksummed using an RFC1510 checksum type. */ - KRB5_KU_KRB_ERROR = 18, - /* Krb-error checksum */ - KRB5_KU_AD_KDC_ISSUED = 19, - /* AD-KDCIssued checksum */ - KRB5_KU_MANDATORY_TICKET_EXTENSION = 20, - /* Checksum for Mandatory Ticket Extensions */ - KRB5_KU_AUTH_DATA_TICKET_EXTENSION = 21, - /* Checksum in Authorization Data in Ticket Extensions */ - KRB5_KU_USAGE_SEAL = 22, - /* seal in GSSAPI krb5 mechanism */ - KRB5_KU_USAGE_SIGN = 23, - /* sign in GSSAPI krb5 mechanism */ - KRB5_KU_USAGE_SEQ = 24 - /* SEQ in GSSAPI krb5 mechanism */ -} krb5_key_usage; - -typedef krb5_key_usage krb5_keyusage; - -typedef enum krb5_salttype { - KRB5_PW_SALT = KRB5_PADATA_PW_SALT, - KRB5_AFS3_SALT = KRB5_PADATA_AFS3_SALT -}krb5_salttype; - -typedef struct krb5_salt { - krb5_salttype salttype; - krb5_data saltvalue; -} krb5_salt; - -typedef ETYPE_INFO krb5_preauthinfo; - -typedef struct { - krb5_preauthtype type; - krb5_preauthinfo info; /* list of preauthinfo for this type */ -} krb5_preauthdata_entry; - -typedef struct krb5_preauthdata { - unsigned len; - krb5_preauthdata_entry *val; -}krb5_preauthdata; - -typedef enum krb5_address_type { - KRB5_ADDRESS_INET = 2, - KRB5_ADDRESS_INET6 = 24, - KRB5_ADDRESS_ADDRPORT = 256, - KRB5_ADDRESS_IPPORT = 257 -} krb5_address_type; - -enum { - AP_OPTS_USE_SESSION_KEY = 1, - AP_OPTS_MUTUAL_REQUIRED = 2, - AP_OPTS_USE_SUBKEY = 4 /* library internal */ -}; - -typedef HostAddress krb5_address; - -typedef HostAddresses krb5_addresses; - -typedef enum krb5_keytype { - KEYTYPE_NULL = 0, - KEYTYPE_DES = 1, - KEYTYPE_DES3 = 7, - KEYTYPE_AES128 = 17, - KEYTYPE_AES256 = 18, - KEYTYPE_ARCFOUR = 23, - KEYTYPE_ARCFOUR_56 = 24 -} krb5_keytype; - -typedef EncryptionKey krb5_keyblock; - -typedef AP_REQ krb5_ap_req; - -struct 
krb5_cc_ops; - -#define KRB5_DEFAULT_CCFILE_ROOT "/tmp/krb5cc_" - -#define KRB5_DEFAULT_CCROOT "FILE:" KRB5_DEFAULT_CCFILE_ROOT - -#define KRB5_ACCEPT_NULL_ADDRESSES(C) \ - krb5_config_get_bool_default((C), NULL, TRUE, \ - "libdefaults", "accept_null_addresses", \ - NULL) - -typedef void *krb5_cc_cursor; - -typedef struct krb5_ccache_data { - const struct krb5_cc_ops *ops; - krb5_data data; -}krb5_ccache_data; - -typedef struct krb5_ccache_data *krb5_ccache; - -typedef struct krb5_context_data *krb5_context; - -typedef Realm krb5_realm; -typedef const char *krb5_const_realm; /* stupid language */ - -#define krb5_realm_length(r) strlen(r) -#define krb5_realm_data(r) (r) - -typedef Principal krb5_principal_data; -typedef struct Principal *krb5_principal; -typedef const struct Principal *krb5_const_principal; - -typedef time_t krb5_deltat; -typedef time_t krb5_timestamp; - -typedef struct krb5_times { - krb5_timestamp authtime; - krb5_timestamp starttime; - krb5_timestamp endtime; - krb5_timestamp renew_till; -} krb5_times; - -typedef union { - TicketFlags b; - krb5_flags i; -} krb5_ticket_flags; - -/* options for krb5_get_in_tkt() */ -#define KDC_OPT_FORWARDABLE (1 << 1) -#define KDC_OPT_FORWARDED (1 << 2) -#define KDC_OPT_PROXIABLE (1 << 3) -#define KDC_OPT_PROXY (1 << 4) -#define KDC_OPT_ALLOW_POSTDATE (1 << 5) -#define KDC_OPT_POSTDATED (1 << 6) -#define KDC_OPT_RENEWABLE (1 << 8) -#define KDC_OPT_REQUEST_ANONYMOUS (1 << 14) -#define KDC_OPT_DISABLE_TRANSITED_CHECK (1 << 26) -#define KDC_OPT_RENEWABLE_OK (1 << 27) -#define KDC_OPT_ENC_TKT_IN_SKEY (1 << 28) -#define KDC_OPT_RENEW (1 << 30) -#define KDC_OPT_VALIDATE (1 << 31) - -typedef union { - KDCOptions b; - krb5_flags i; -} krb5_kdc_flags; - -/* flags for krb5_verify_ap_req */ - -#define KRB5_VERIFY_AP_REQ_IGNORE_INVALID (1 << 0) - -#define KRB5_GC_CACHED (1U << 0) -#define KRB5_GC_USER_USER (1U << 1) - -/* constants for compare_creds (and cc_retrieve_cred) */ -#define KRB5_TC_DONT_MATCH_REALM (1U << 31) 
-#define KRB5_TC_MATCH_KEYTYPE (1U << 30) - -typedef AuthorizationData krb5_authdata; - -typedef KRB_ERROR krb5_error; - -typedef struct krb5_creds { - krb5_principal client; - krb5_principal server; - krb5_keyblock session; - krb5_times times; - krb5_data ticket; - krb5_data second_ticket; - krb5_authdata authdata; - krb5_addresses addresses; - krb5_ticket_flags flags; -} krb5_creds; - -typedef struct krb5_cc_ops { - const char *prefix; - const char* (*get_name)(krb5_context, krb5_ccache); - krb5_error_code (*resolve)(krb5_context, krb5_ccache *, const char *); - krb5_error_code (*gen_new)(krb5_context, krb5_ccache *); - krb5_error_code (*init)(krb5_context, krb5_ccache, krb5_principal); - krb5_error_code (*destroy)(krb5_context, krb5_ccache); - krb5_error_code (*close)(krb5_context, krb5_ccache); - krb5_error_code (*store)(krb5_context, krb5_ccache, krb5_creds*); - krb5_error_code (*retrieve)(krb5_context, krb5_ccache, - krb5_flags, krb5_creds*, krb5_creds); - krb5_error_code (*get_princ)(krb5_context, krb5_ccache, krb5_principal*); - krb5_error_code (*get_first)(krb5_context, krb5_ccache, krb5_cc_cursor *); - krb5_error_code (*get_next)(krb5_context, krb5_ccache, - krb5_cc_cursor*, krb5_creds*); - krb5_error_code (*end_get)(krb5_context, krb5_ccache, krb5_cc_cursor*); - krb5_error_code (*remove_cred)(krb5_context, krb5_ccache, - krb5_flags, krb5_creds*); - krb5_error_code (*set_flags)(krb5_context, krb5_ccache, krb5_flags); - int (*get_version)(krb5_context, krb5_ccache); -} krb5_cc_ops; - -struct krb5_log_facility; - -struct krb5_config_binding { - enum { krb5_config_string, krb5_config_list } type; - char *name; - struct krb5_config_binding *next; - union { - char *string; - struct krb5_config_binding *list; - void *generic; - } u; -}; - -typedef struct krb5_config_binding krb5_config_binding; - -typedef krb5_config_binding krb5_config_section; - -typedef struct krb5_context_data { - krb5_enctype *etypes; - krb5_enctype *etypes_des; - char **default_realms; - 
time_t max_skew; - time_t kdc_timeout; - unsigned max_retries; - int32_t kdc_sec_offset; - int32_t kdc_usec_offset; - krb5_config_section *cf; - struct et_list *et_list; - struct krb5_log_facility *warn_dest; - krb5_cc_ops *cc_ops; - int num_cc_ops; - const char *http_proxy; - const char *time_fmt; - krb5_boolean log_utc; - const char *default_keytab; - const char *default_keytab_modify; - krb5_boolean use_admin_kdc; - krb5_addresses *extra_addresses; - krb5_boolean scan_interfaces; /* `ifconfig -a' */ - krb5_boolean srv_lookup; /* do SRV lookups */ - krb5_boolean srv_try_txt; /* try TXT records also */ - int32_t fcache_vno; /* create cache files w/ this - version */ - int num_kt_types; /* # of registered keytab types */ - struct krb5_keytab_data *kt_types; /* registered keytab types */ - const char *date_fmt; - char *error_string; - char error_buf[256]; - krb5_addresses *ignore_addresses; - char *default_cc_name; -} krb5_context_data; - -typedef struct krb5_ticket { - EncTicketPart ticket; - krb5_principal client; - krb5_principal server; -} krb5_ticket; - -typedef Authenticator krb5_authenticator_data; - -typedef krb5_authenticator_data *krb5_authenticator; - -struct krb5_rcache_data; -typedef struct krb5_rcache_data *krb5_rcache; -typedef Authenticator krb5_donot_replay; - -#define KRB5_STORAGE_HOST_BYTEORDER 0x01 /* old */ -#define KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS 0x02 -#define KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE 0x04 -#define KRB5_STORAGE_KEYBLOCK_KEYTYPE_TWICE 0x08 -#define KRB5_STORAGE_BYTEORDER_MASK 0x60 -#define KRB5_STORAGE_BYTEORDER_BE 0x00 /* default */ -#define KRB5_STORAGE_BYTEORDER_LE 0x20 -#define KRB5_STORAGE_BYTEORDER_HOST 0x40 - -struct krb5_storage_data; -typedef struct krb5_storage_data krb5_storage; - -typedef struct krb5_keytab_entry { - krb5_principal principal; - krb5_kvno vno; - krb5_keyblock keyblock; - u_int32_t timestamp; -} krb5_keytab_entry; - -typedef struct krb5_kt_cursor { - int fd; - krb5_storage *sp; - void *data; -} 
krb5_kt_cursor; - -struct krb5_keytab_data; - -typedef struct krb5_keytab_data *krb5_keytab; - -#define KRB5_KT_PREFIX_MAX_LEN 30 - -struct krb5_keytab_data { - const char *prefix; - krb5_error_code (*resolve)(krb5_context, const char*, krb5_keytab); - krb5_error_code (*get_name)(krb5_context, krb5_keytab, char*, size_t); - krb5_error_code (*close)(krb5_context, krb5_keytab); - krb5_error_code (*get)(krb5_context, krb5_keytab, krb5_const_principal, - krb5_kvno, krb5_enctype, krb5_keytab_entry*); - krb5_error_code (*start_seq_get)(krb5_context, krb5_keytab, krb5_kt_cursor*); - krb5_error_code (*next_entry)(krb5_context, krb5_keytab, - krb5_keytab_entry*, krb5_kt_cursor*); - krb5_error_code (*end_seq_get)(krb5_context, krb5_keytab, krb5_kt_cursor*); - krb5_error_code (*add)(krb5_context, krb5_keytab, krb5_keytab_entry*); - krb5_error_code (*remove)(krb5_context, krb5_keytab, krb5_keytab_entry*); - void *data; - int32_t version; -}; - -typedef struct krb5_keytab_data krb5_kt_ops; - -struct krb5_keytab_key_proc_args { - krb5_keytab keytab; - krb5_principal principal; -}; - -typedef struct krb5_keytab_key_proc_args krb5_keytab_key_proc_args; - -typedef struct krb5_replay_data { - krb5_timestamp timestamp; - u_int32_t usec; - u_int32_t seq; -} krb5_replay_data; - -/* flags for krb5_auth_con_setflags */ -enum { - KRB5_AUTH_CONTEXT_DO_TIME = 1, - KRB5_AUTH_CONTEXT_RET_TIME = 2, - KRB5_AUTH_CONTEXT_DO_SEQUENCE = 4, - KRB5_AUTH_CONTEXT_RET_SEQUENCE = 8, - KRB5_AUTH_CONTEXT_PERMIT_ALL = 16 -}; - -/* flags for krb5_auth_con_genaddrs */ -enum { - KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR = 1, - KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR = 3, - KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR = 4, - KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR = 12 -}; - -typedef struct krb5_auth_context_data { - unsigned int flags; - - krb5_address *local_address; - krb5_address *remote_address; - int16_t local_port; - int16_t remote_port; - krb5_keyblock *keyblock; - krb5_keyblock *local_subkey; - 
krb5_keyblock *remote_subkey;
-
- u_int32_t local_seqnumber;
- u_int32_t remote_seqnumber;
-
- krb5_authenticator authenticator;
-
- krb5_pointer i_vector;
-
- krb5_rcache rcache;
-
- krb5_keytype keytype; /* ¿requested key type ? */
- krb5_cksumtype cksumtype; /* ¡requested checksum type! */
-
-}krb5_auth_context_data, *krb5_auth_context;
-
-typedef struct {
- KDC_REP kdc_rep;
- EncKDCRepPart enc_part;
- KRB_ERROR error;
-} krb5_kdc_rep;
-
-extern const char *heimdal_version, *heimdal_long_version;
-
-typedef void (*krb5_log_log_func_t)(const char*, const char*, void*);
-typedef void (*krb5_log_close_func_t)(void*);
-
-typedef struct krb5_log_facility {
- const char *program;
- int len;
- struct facility *val;
-} krb5_log_facility;
-
-typedef EncAPRepPart krb5_ap_rep_enc_part;
-
-#define KRB5_RECVAUTH_IGNORE_VERSION 1
-
-#define KRB5_SENDAUTH_VERSION "KRB5_SENDAUTH_V1.0"
-
-#define KRB5_TGS_NAME_SIZE (6)
-#define KRB5_TGS_NAME ("krbtgt")
-
-/* variables */
-
-extern const char *krb5_config_file;
-extern const char *krb5_defkeyname;
-
-typedef enum {
- KRB5_PROMPT_TYPE_PASSWORD = 0x1,
- KRB5_PROMPT_TYPE_NEW_PASSWORD = 0x2,
- KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN = 0x3,
- KRB5_PROMPT_TYPE_PREAUTH = 0x4
-} krb5_prompt_type;
-
-typedef struct _krb5_prompt {
- const char *prompt;
- int hidden;
- krb5_data *reply;
- krb5_prompt_type type;
-} krb5_prompt;
-
-typedef int (*krb5_prompter_fct)(krb5_context context,
- void *data,
- const char *name,
- const char *banner,
- int num_prompts,
- krb5_prompt prompts[]);
-
-typedef krb5_error_code (*krb5_key_proc)(krb5_context context,
- krb5_enctype type,
- krb5_salt salt,
- krb5_const_pointer keyseed,
- krb5_keyblock **key);
-typedef krb5_error_code (*krb5_decrypt_proc)(krb5_context context,
- krb5_keyblock *key,
- krb5_key_usage usage,
- krb5_const_pointer decrypt_arg,
- krb5_kdc_rep *dec_rep);
-
-
-typedef struct _krb5_get_init_creds_opt {
- krb5_flags flags;
- krb5_deltat tkt_life;
- krb5_deltat renew_life;
- int forwardable;
- int proxiable;
- int anonymous;
- krb5_enctype *etype_list;
- int etype_list_length;
- krb5_addresses *address_list;
-#if 0 /* this is the MIT-way */
- krb5_address **address_list;
-#endif
- /* XXX the next three should not be used, as they may be
- removed later */
- krb5_preauthtype *preauth_list;
- int preauth_list_length;
- krb5_data *salt;
-} krb5_get_init_creds_opt;
-
-#define KRB5_GET_INIT_CREDS_OPT_TKT_LIFE 0x0001
-#define KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE 0x0002
-#define KRB5_GET_INIT_CREDS_OPT_FORWARDABLE 0x0004
-#define KRB5_GET_INIT_CREDS_OPT_PROXIABLE 0x0008
-#define KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST 0x0010
-#define KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST 0x0020
-#define KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST 0x0040
-#define KRB5_GET_INIT_CREDS_OPT_SALT 0x0080
-#define KRB5_GET_INIT_CREDS_OPT_ANONYMOUS 0x0100
-
-typedef struct _krb5_verify_init_creds_opt {
- krb5_flags flags;
- int ap_req_nofail;
-} krb5_verify_init_creds_opt;
-
-#define KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL 0x0001
-
-typedef struct krb5_verify_opt {
- unsigned int flags;
- krb5_ccache ccache;
- krb5_keytab keytab;
- krb5_boolean secure;
- const char *service;
-} krb5_verify_opt;
-
-#define KRB5_VERIFY_LREALMS 1
-#define KRB5_VERIFY_NO_ADDRESSES 2
-
-extern const krb5_cc_ops krb5_fcc_ops;
-extern const krb5_cc_ops krb5_mcc_ops;
-
-extern const krb5_kt_ops krb5_fkt_ops;
-extern const krb5_kt_ops krb5_mkt_ops;
-extern const krb5_kt_ops krb5_akf_ops;
-extern const krb5_kt_ops krb4_fkt_ops;
-extern const krb5_kt_ops krb5_srvtab_fkt_ops;
-extern const krb5_kt_ops krb5_any_ops;
-
-#define KRB5_KPASSWD_VERS_CHANGEPW 1
-#define KRB5_KPASSWD_VERS_SETPW 0xff80
-
-#define KRB5_KPASSWD_SUCCESS 0
-#define KRB5_KPASSWD_MALFORMED 1
-#define KRB5_KPASSWD_HARDERROR 2
-#define KRB5_KPASSWD_AUTHERROR 3
-#define KRB5_KPASSWD_SOFTERROR 4
-#define KRB5_KPASSWD_ACCESSDENIED 5
-#define KRB5_KPASSWD_BAD_VERSION 6
-#define KRB5_KPASSWD_INITIAL_FLAG_NEEDED 7
-
-#define KPASSWD_PORT 464
-
-/* types for the new krbhst interface */
-struct krb5_krbhst_data;
-typedef struct krb5_krbhst_data *krb5_krbhst_handle;
-
-#define KRB5_KRBHST_KDC 1
-#define KRB5_KRBHST_ADMIN 2
-#define KRB5_KRBHST_CHANGEPW 3
-#define KRB5_KRBHST_KRB524 4
-
-typedef struct krb5_krbhst_info {
- enum { KRB5_KRBHST_UDP,
- KRB5_KRBHST_TCP,
- KRB5_KRBHST_HTTP } proto;
- unsigned short port;
- unsigned short def_port;
- struct addrinfo *ai;
- struct krb5_krbhst_info *next;
- char hostname[1]; /* has to come last */
-} krb5_krbhst_info;
-
-
-struct credentials; /* this is to keep the compiler happy */
-struct getargs;
-struct sockaddr;
-
-#include
-
-#endif /* __KRB5_H__ */
-
diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_425_conv_principal.3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_425_conv_principal.3
deleted file mode 100644
index 78bb62cb40..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/krb5_425_conv_principal.3
+++ /dev/null
@@ -1,224 +0,0 @@
-.\" Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: krb5_425_conv_principal.3,v 1.10 2003/04/16 13:58:13 lha Exp $
-.\"
-.Dd April 11, 1999
-.Dt KRB5_425_CONV_PRINCIPAL 3
-.Os HEIMDAL
-.Sh NAME
-.Nm krb5_425_conv_principal ,
-.Nm krb5_425_conv_principal_ext ,
-.Nm krb5_524_conv_principal
-.Nd converts to and from version 4 principals
-.Sh LIBRARY
-Kerberos 5 Library (libkrb5, -lkrb5)
-.Sh SYNOPSIS
-.In krb5.h
-.Ft krb5_error_code
-.Fn krb5_425_conv_principal "krb5_context context" "const char *name" "const char *instance" "const char *realm" "krb5_principal *principal"
-.Ft krb5_error_code
-.Fn krb5_425_conv_principal_ext "krb5_context context" "const char *name" "const char *instance" "const char *realm" "krb5_boolean (*func)(krb5_context, krb5_principal)" "krb5_boolean resolve" "krb5_principal *principal"
-.Ft krb5_error_code
-.Fn krb5_524_conv_principal "krb5_context context" "const krb5_principal principal" "char *name" "char *instance" "char *realm"
-.Sh DESCRIPTION
-Converting between version 4 and version 5 principals can at best be
-described as a mess.
-.Pp
-A version 4 principal consists of a name, an instance, and a realm. A
-version 5 principal consists of one or more components, and a
-realm. In some cases also the first component/name will differ between
-version 4 and version 5. Furthermore the second component of a host
-principal will be the fully qualified domain name of the host in
-question, while the instance of a version 4 principal will only
-contain the first part (short hostname). Because of these problems
-the conversion between principals will have to be site customized.
-.Pp
-.Fn krb5_425_conv_principal_ext
-will try to convert a version 4 principal, given by
-.Fa name ,
-.Fa instance ,
-and
-.Fa realm ,
-to a version 5 principal. This can result in several possible
-principals, and if
-.Fa func
-is non-NULL, it will be called for each candidate principal.
-.Fa func
-should return true if the principal was
-.Dq good .
-To accomplish this,
-.Fn krb5_425_conv_principal_ext
-will look up the name in
-.Pa krb5.conf .
-It first looks in the
-.Li v4_name_convert/host
-subsection, which should contain a list of version 4 names whose
-instance should be treated as a hostname. This list can be specified
-for each realm (in the
-.Li realms
-section), or in the
-.Li libdefaults
-section. If the name is found the resulting name of the principal
-will be the value of this binding. The instance is then first looked
-up in
-.Li v4_instance_convert
-for the specified realm. If found the resulting value will be used as
-instance (this can be used for special cases), no further attempts
-will be made to find a conversion if this fails (with
-.Fa func ) .
-If the
-.Fa resolve
-parameter is true, the instance will be looked up with
-.Fn gethostbyname .
-This can be a time consuming, error prone, and unsafe operation. Next
-a list of hostnames will be created from the instance and the
-.Li v4_domains
-variable, which should contain a list of possible domains for the
-specific realm.
-.Pp
-On the other hand, if the name is not found in a
-.Li host
-section, it is looked up in a
-.Li v4_name_convert/plain
-binding. If found here the name will be converted, but the instance
-will be untouched.
-.Pp
-This list of default host-type conversions is compiled-in:
-.Bd -literal -offset indent
-v4_name_convert = {
- host = {
- ftp = ftp
- hprop = hprop
- imap = imap
- pop = pop
- rcmd = host
- smtp = smtp
- }
-}
-.Ed
-.Pp
-It will only be used if there isn't an entry for these names in the
-config file, so you can override these defaults.
-.Pp
-.Fn krb5_425_conv_principal
-will call
-.Fn krb5_425_conv_principal_ext
-with
-.Dv NULL
-as
-.Fa func ,
-and the value of
-.Li v4_instance_resolve
-(from the
-.Li libdefaults
-section) as
-.Fa resolve .
-.Pp
-.Fn krb5_524_conv_principal
-basically does the opposite of
-.Fn krb5_425_conv_principal ,
-it just doesn't have to look up any names, but will instead truncate
-instances found to belong to a host principal. The
-.Fa name ,
-.Fa instance ,
-and
-.Fa realm
-should be at least 40 characters long.
-.Sh EXAMPLES
-Since this is confusing an example is in place.
-.Pp
-Assume that we have the
-.Dq foo.com ,
-and
-.Dq bar.com
-domains that have shared a single version 4 realm, FOO.COM. The version 4
-.Pa krb.realms
-file looked like:
-.Bd -literal -offset indent
-foo.com FOO.COM
-\&.foo.com FOO.COM
-\&.bar.com FOO.COM
-.Ed
-.Pp
-A
-.Pa krb5.conf
-file that covers this case might look like:
-.Bd -literal -offset indent
-[libdefaults]
- v4_instance_resolve = yes
-[realms]
- FOO.COM = {
- kdc = kerberos.foo.com
- v4_instance_convert = {
- foo = foo.com
- }
- v4_domains = foo.com
- }
-.Ed
-.Pp
-With this setup and the following host table:
-.Bd -literal -offset indent
-foo.com
-a-host.foo.com
-b-host.bar.com
-.Ed
-the following conversions will be made:
-.Bd -literal -offset indent
-rcmd.a-host \(-> host/a-host.foo.com
-ftp.b-host \(-> ftp/b-host.bar.com
-pop.foo \(-> pop/foo.com
-ftp.other \(-> ftp/other.foo.com
-other.a-host \(-> other/a-host
-.Ed
-.Pp
-The first three are what you expect. If you remove the
-.Dq v4_domains ,
-the fourth entry will result in an error (since the host
-.Dq other
-can't be found). Even if
-.Dq a-host
-is a valid host name, the last entry will not be converted, since the
-.Dq other
-name is not known to represent a host-type principal.
-If you turn off
-.Dq v4_instance_resolve
-the second example will result in
-.Dq ftp/b-host.foo.com
-(because of the default domain). And all of this is of course only
-valid if you have working name resolving.
-.Sh SEE ALSO
-.Xr krb5_build_principal 3 ,
-.Xr krb5_free_principal 3 ,
-.Xr krb5_parse_name 3 ,
-.Xr krb5_sname_to_principal 3 ,
-.Xr krb5_unparse_name 3 ,
-.Xr krb5.conf 5
diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_425_conv_principal.cat3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_425_conv_principal.cat3
deleted file mode 100644
index 9927c43e86..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/krb5_425_conv_principal.cat3
+++ /dev/null
@@ -1,141 +0,0 @@ - -KRB5_425_CONV_PRINCIPAL(3) UNIX Programmer's Manual KRB5_425_CONV_PRINCIPAL(3) - -NNAAMMEE - kkrrbb55__442255__ccoonnvv__pprriinncciippaall, kkrrbb55__442255__ccoonnvv__pprriinncciippaall__eexxtt, - kkrrbb55__552244__ccoonnvv__pprriinncciippaall - converts to and from version 4 principals - -LLIIBBRRAARRYY - Kerberos 5 Library (libkrb5, -lkrb5) - -SSYYNNOOPPSSIISS - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__442255__ccoonnvv__pprriinncciippaall(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_n_a_m_e, - _c_o_n_s_t _c_h_a_r _*_i_n_s_t_a_n_c_e, _c_o_n_s_t _c_h_a_r _*_r_e_a_l_m, - _k_r_b_5___p_r_i_n_c_i_p_a_l _*_p_r_i_n_c_i_p_a_l) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__442255__ccoonnvv__pprriinncciippaall__eexxtt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_n_a_m_e, - _c_o_n_s_t _c_h_a_r _*_i_n_s_t_a_n_c_e, _c_o_n_s_t _c_h_a_r _*_r_e_a_l_m, - _k_r_b_5___b_o_o_l_e_a_n _(_*_f_u_n_c_)_(_k_r_b_5___c_o_n_t_e_x_t_, _k_r_b_5___p_r_i_n_c_i_p_a_l_), - _k_r_b_5___b_o_o_l_e_a_n _r_e_s_o_l_v_e, _k_r_b_5___p_r_i_n_c_i_p_a_l _*_p_r_i_n_c_i_p_a_l) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__552244__ccoonnvv__pprriinncciippaall(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, - _c_o_n_s_t _k_r_b_5___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l, _c_h_a_r _*_n_a_m_e, _c_h_a_r _*_i_n_s_t_a_n_c_e, - _c_h_a_r _*_r_e_a_l_m) - -DDEESSCCRRIIPPTTIIOONN - Converting between version 4 and version 5 principals can at best be de- - scribed as a mess. - - A version 4 principal consists of a name, an instance, and a realm. A - version 5 principal consists of one or more components, and a realm. In - some cases also the first component/name will differ between version 4 - and version 5. Furthermore the second component of a host principal will - be the fully qualified domain name of the host in question, while the in- - stance of a version 4 principal will only contain the first part (short - hostname). 
Because of these problems the conversion between principals - will have to be site customized. - - kkrrbb55__442255__ccoonnvv__pprriinncciippaall__eexxtt() will try to convert a version 4 principal, - given by _n_a_m_e, _i_n_s_t_a_n_c_e, and _r_e_a_l_m, to a version 5 principal. This can - result in several possible principals, and if _f_u_n_c is non-NULL, it will - be called for each candidate principal. _f_u_n_c should return true if the - principal was ``good''. To accomplish this, kkrrbb55__442255__ccoonnvv__pprriinncciippaall__eexxtt() - will look up the name in _k_r_b_5_._c_o_n_f. It first looks in the - v4_name_convert/host subsection, which should contain a list of version 4 - names whose instance should be treated as a hostname. This list can be - specified for each realm (in the realms section), or in the libdefaults - section. If the name is found the resulting name of the principal will - be the value of this binding. The instance is then first looked up in - v4_instance_convert for the specified realm. If found the resulting value - will be used as instance (this can be used for special cases), no further - attempts will be made to find a conversion if this fails (with _f_u_n_c). If - the _r_e_s_o_l_v_e parameter is true, the instance will be looked up with - ggeetthhoossttbbyynnaammee(). This can be a time consuming, error prone, and unsafe - operation. Next a list of hostnames will be created from the instance - and the v4_domains variable, which should contain a list of possible do- - mains for the specific realm. - - On the other hand, if the name is not found in a host section, it is - looked up in a v4_name_convert/plain binding. If found here the name will - be converted, but the instance will be untouched. 
- - - This list of default host-type conversions is compiled-in: - - v4_name_convert = { - host = { - ftp = ftp - hprop = hprop - imap = imap - pop = pop - rcmd = host - smtp = smtp - } - } - - It will only be used if there isn't an entry for these names in the con- - fig file, so you can override these defaults. - - kkrrbb55__442255__ccoonnvv__pprriinncciippaall() will call kkrrbb55__442255__ccoonnvv__pprriinncciippaall__eexxtt() with - NULL as _f_u_n_c, and the value of v4_instance_resolve (from the libdefaults - section) as _r_e_s_o_l_v_e. - - kkrrbb55__552244__ccoonnvv__pprriinncciippaall() basically does the opposite of - kkrrbb55__442255__ccoonnvv__pprriinncciippaall(), it just doesn't have to look up any names, but - will instead truncate instances found to belong to a host principal. The - _n_a_m_e, _i_n_s_t_a_n_c_e, and _r_e_a_l_m should be at least 40 characters long. - -EEXXAAMMPPLLEESS - Since this is confusing an example is in place. - - Assume that we have the ``foo.com'', and ``bar.com'' domains that have - shared a single version 4 realm, FOO.COM. The version 4 _k_r_b_._r_e_a_l_m_s file - looked like: - - foo.com FOO.COM - .foo.com FOO.COM - .bar.com FOO.COM - - A _k_r_b_5_._c_o_n_f file that covers this case might look like: - - [libdefaults] - v4_instance_resolve = yes - [realms] - FOO.COM = { - kdc = kerberos.foo.com - v4_instance_convert = { - foo = foo.com - } - v4_domains = foo.com - } - - With this setup and the following host table: - - foo.com - a-host.foo.com - b-host.bar.com - the following conversions will be made: - - rcmd.a-host -> host/a-host.foo.com - ftp.b-host -> ftp/b-host.bar.com - pop.foo -> pop/foo.com - ftp.other -> ftp/other.foo.com - other.a-host -> other/a-host - - The first three are what you expect. If you remove the ``v4_domains'', - the fourth entry will result in an error (since the host ``other'' can't - be found). 
Even if ``a-host'' is a valid host name, the last entry will - not be converted, since the ``other'' name is not known to represent a - host-type principal. If you turn off ``v4_instance_resolve'' the second - example will result in ``ftp/b-host.foo.com'' (because of the default do- - main). And all of this is of course only valid if you have working name - resolving. - -SSEEEE AALLSSOO - krb5_build_principal(3), krb5_free_principal(3), krb5_parse_name(3), - krb5_sname_to_principal(3), krb5_unparse_name(3), krb5.conf(5) - - HEIMDAL April 11, 1999 3 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_address.3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_address.3 deleted file mode 100644 index dc780add57..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5_address.3 +++ /dev/null 
@@ -1,355 +0,0 @@
-.\" Copyright (c) 2003 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: krb5_address.3,v 1.4 2003/04/16 13:58:12 lha Exp $
-.\"
-.Dd March 11, 2002
-.Dt KRB5_ADDRESS 3
-.Os HEIMDAL
-.Sh NAME
-.Nm krb5_address ,
-.Nm krb5_addresses ,
-.Nm krb5_sockaddr2address ,
-.Nm krb5_sockaddr2port ,
-.Nm krb5_addr2sockaddr ,
-.Nm krb5_max_sockaddr_size ,
-.Nm krb5_sockaddr_uninteresting ,
-.Nm krb5_h_addr2sockaddr ,
-.Nm krb5_h_addr2addr ,
-.Nm krb5_anyaddr ,
-.Nm krb5_print_address ,
-.Nm krb5_parse_address ,
-.Nm krb5_address_order ,
-.Nm krb5_address_compare ,
-.Nm krb5_address_search ,
-.Nm krb5_free_address ,
-.Nm krb5_free_addresses ,
-.Nm krb5_copy_address ,
-.Nm krb5_copy_addresses ,
-.Nm krb5_append_addresses ,
-.Nm krb5_make_addrport
-.Nd mange addresses in Kerberos.
-.Sh LIBRARY
-Kerberos 5 Library (libkrb5, -lkrb5)
-.Sh SYNOPSIS
-.In krb5.h
-.Pp
-.Ft krb5_error_code
-.Fo krb5_sockaddr2address
-.Fa "krb5_context context"
-.Fa "const struct sockaddr *sa"
-.Fa "krb5_address *addr"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_sockaddr2port
-.Fa "krb5_context context"
-.Fa "const struct sockaddr *sa"
-.Fa "int16_t *port"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_addr2sockaddr
-.Fa "krb5_context context"
-.Fa "const krb5_address *addr"
-.Fa "struct sockaddr *sa"
-.Fa "krb5_socklen_t *sa_size"
-.Fa "int port"
-.Fc
-.Ft size_t
-.Fo krb5_max_sockaddr_size
-.Fa "void"
-.Fc
-.Ft "krb5_boolean"
-.Fo krb5_sockaddr_uninteresting
-.Fa "const struct sockaddr *sa"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_h_addr2sockaddr
-.Fa "krb5_context context"
-.Fa "int af"
-.Fa "const char *addr"
-.Fa "struct sockaddr *sa"
-.Fa "krb5_socklen_t *sa_size"
-.Fa "int port"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_h_addr2addr
-.Fa "krb5_context context"
-.Fa "int af"
-.Fa "const char *haddr"
-.Fa "krb5_address *addr"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_anyaddr
-.Fa "krb5_context context"
-.Fa "int af"
-.Fa "struct sockaddr *sa"
-.Fa "krb5_socklen_t *sa_size"
-.Fa "int port"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_print_address
-.Fa "const krb5_address *addr"
-.Fa "char *str"
-.Fa "size_t len"
-.Fa "size_t *ret_len"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_parse_address
-.Fa "krb5_context context"
-.Fa "const char *string"
-.Fa "krb5_addresses *addresses"
-.Fc
-.Ft int
-.Fo "krb5_address_order"
-.Fa "krb5_context context"
-.Fa "const krb5_address *addr1"
-.Fa "const krb5_address *addr2"
-.Fc
-.Ft "krb5_boolean"
-.Fo krb5_address_compare
-.Fa "krb5_context context"
-.Fa "const krb5_address *addr1"
-.Fa "const krb5_address *addr2"
-.Fc
-.Ft "krb5_boolean"
-.Fo krb5_address_search
-.Fa "krb5_context context"
-.Fa "const krb5_address *addr"
-.Fa "const krb5_addresses *addrlist"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_free_address
-.Fa "krb5_context context"
-.Fa "krb5_address *address"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_free_addresses
-.Fa "krb5_context context"
-.Fa "krb5_addresses *addresses"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_copy_address
-.Fa "krb5_context context"
-.Fa "const krb5_address *inaddr"
-.Fa "krb5_address *outaddr"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_copy_addresses
-.Fa "krb5_context context"
-.Fa "const krb5_addresses *inaddr"
-.Fa "krb5_addresses *outaddr"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_append_addresses
-.Fa "krb5_context context"
-.Fa "krb5_addresses *dest"
-.Fa "const krb5_addresses *source"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_make_addrport
-.Fa "krb5_context context"
-.Fa "krb5_address **res"
-.Fa "const krb5_address *addr"
-.Fa "int16_t port"
-.Fc
-.Sh DESCRIPTION
-The
-.Li krb5_address
-structure holds a address that can be used in Kerberos API
-calls. There are help functions to set and extract address information
-of the address.
-.Pp
-The
-.Li krb5_addresses
-structure holds a set of krb5_address:es.
-.Pp
-.Fn krb5_sockaddr2address
-stores a address a
-.Li "struct sockaddr"
-.Fa sa
-in the krb5_address
-.Fa addr .
-.Pp
-.Fn krb5_sockaddr2port
-extracts a
-.Fa port
-(if possible) from a
-.Li "struct sockaddr"
-.Fa sa .
-.Pp
-.Fn krb5_addr2sockaddr
-sets the
-struct sockaddr
-.Fa sockaddr
-from
-.Fa addr
-and
-.Fa port .
-.Fa Sa_size
-should be initially contain the size of the
-.Fa sa ,
-and after the call, it will contain the actual length of the address.
-.Pp
-.Fn krb5_max_sockaddr_size
-returns the max size of the
-.Li struct sockaddr
-that the Kerberos library will return.
-.Pp
-.Fn krb5_sockaddr_uninteresting
-returns
-.Dv TRUE
-for all
-.Fa sa
-that for that the kerberos library thinks are uninteresting.
-One example are link local addresses.
-.Pp
-.Fn krb5_h_addr2sockaddr
-initializes a
-.Li "struct sockaddr"
-.Fa sa
-from
-.Fa af
-and the
-.Li "struct hostent"
-(see
-.Xr gethostbyname 3 )
-.Fa h_addr_list
-component.
-.Fa Sa_size
-should be initially contain the size of the
-.Fa sa ,
-and after the call, it will contain the actual length of the address.
-.Fa sa
-argument.
-.Pp
-.Fn krb5_h_addr2addr
-works like
-.Fn krb5_h_addr2sockaddr
-with the exception that it operates on a
-.Li krb5_address
-instead of a
-.Li struct sockaddr
-.Pp
-.Fn krb5_anyaddr
-fills in a
-.Li "struct sockaddr"
-.Fa sa
-that can be used to
-.Xf bind 3
-to.
-.Fa Sa_size
-should be initially contain the size of the
-.Fa sa ,
-and after the call, it will contain the actual length of the address.
-.Pp
-.Fn krb5_print_address
-prints the address in
-.Fa addr
-to the a string
-.Fa string
-that have the length
-.Fa len .
-If
-.Fa ret_len
-if not
-.Dv NULL ,
-it will be filled in length of the string.
-.Pp
-.Fn krb5_parse_address
-Returns the resolving a hostname in
-.Fa string
-to the
-.Li krb5_addresses
-.Fa addresses .
-.Pp
-.Fn krb5_address_order
-compares to addresses
-.Fa addr1
-and
-.Fa addr2
-so that it can be used for sorting addresses. If the addresses are the
-same address
-.Fa krb5_address_order will be return 0.
-.Pp
-.Fn krb5_address_compare
-compares the addresses
-.Fa addr1
-and
-.Fa addr2 .
-returns
-.Dv TRUE
-if the two addresses are the same.
-.Pp
-.Fn krb5_address_search
-checks if the address
-.Fa addr
-is a member of the address set list
-.Fa addrlist .
-.Pp
-.Fn krb5_free_address
-frees the data stored in the
-.Fa address
-that is alloced with any of the krb5_address functions.
-.Pp
-.Fn krb5_free_addresses
-frees the data stored in the
-.Fa addresses
-that is alloced with any of the krb5_address functions.
-.Pp
-.Fn krb5_copy_address
-copies the content of address
-.Fa inaddr
-to
-.Fa outaddr .
-.Pp
-.Fn krb5_copy_addresses
-copies the content of the address list
-.Fa inaddr
-to
-.Fa outaddr .
-.Pp
-.Fn krb5_append_addresses
-adds the set of addresses in
-.Fa source
-to
-.Fa dest .
-While copying the addresses, duplicates are also sorted out.
-.Pp
-.Fn krb5_make_addrport
-allocates and creates an
-krb5_address in
-.Fa res
-of type KRB5_ADDRESS_ADDRPORT from
-.Fa ( addr , port ) .
-.Sh SEE ALSO
-.Xr krb5 3 ,
-.Xr krb5.conf 5 ,
-.Xr kerberos 8
diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_address.cat3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_address.cat3
deleted file mode 100644
index 423b1d8d56..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/krb5_address.cat3
+++ /dev/null
@@ -1,163 +0,0 @@ - -KRB5_ADDRESS(3) UNIX Programmer's Manual KRB5_ADDRESS(3) - -NNAAMMEE - kkrrbb55__aaddddrreessss, kkrrbb55__aaddddrreesssseess, kkrrbb55__ssoocckkaaddddrr22aaddddrreessss, kkrrbb55__ssoocckkaaddddrr22ppoorrtt, - kkrrbb55__aaddddrr22ssoocckkaaddddrr, kkrrbb55__mmaaxx__ssoocckkaaddddrr__ssiizzee, kkrrbb55__ssoocckkaaddddrr__uunniinntteerreessttiinngg, - kkrrbb55__hh__aaddddrr22ssoocckkaaddddrr, kkrrbb55__hh__aaddddrr22aaddddrr, kkrrbb55__aannyyaaddddrr, kkrrbb55__pprriinntt__aaddddrreessss, - kkrrbb55__ppaarrssee__aaddddrreessss, kkrrbb55__aaddddrreessss__oorrddeerr, kkrrbb55__aaddddrreessss__ccoommppaarree, - kkrrbb55__aaddddrreessss__sseeaarrcchh, kkrrbb55__ffrreeee__aaddddrreessss, kkrrbb55__ffrreeee__aaddddrreesssseess, - kkrrbb55__ccooppyy__aaddddrreessss, kkrrbb55__ccooppyy__aaddddrreesssseess, kkrrbb55__aappppeenndd__aaddddrreesssseess, - kkrrbb55__mmaakkee__aaddddrrppoorrtt - mange addresses in Kerberos. - -LLIIBBRRAARRYY - Kerberos 5 Library (libkrb5, -lkrb5) - -SSYYNNOOPPSSIISS - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__ssoocckkaaddddrr22aaddddrreessss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _s_t_r_u_c_t _s_o_c_k_a_d_d_r _*_s_a, - _k_r_b_5___a_d_d_r_e_s_s _*_a_d_d_r) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__ssoocckkaaddddrr22ppoorrtt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _s_t_r_u_c_t _s_o_c_k_a_d_d_r _*_s_a, - _i_n_t_1_6___t _*_p_o_r_t) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__aaddddrr22ssoocckkaaddddrr(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___a_d_d_r_e_s_s _*_a_d_d_r, - _s_t_r_u_c_t _s_o_c_k_a_d_d_r _*_s_a, _k_r_b_5___s_o_c_k_l_e_n___t _*_s_a___s_i_z_e, _i_n_t _p_o_r_t) - - _s_i_z_e___t - kkrrbb55__mmaaxx__ssoocckkaaddddrr__ssiizzee(_v_o_i_d) - - _k_r_b_5___b_o_o_l_e_a_n - kkrrbb55__ssoocckkaaddddrr__uunniinntteerreessttiinngg(_c_o_n_s_t _s_t_r_u_c_t _s_o_c_k_a_d_d_r _*_s_a) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__hh__aaddddrr22ssoocckkaaddddrr(_k_r_b_5___c_o_n_t_e_x_t 
_c_o_n_t_e_x_t, _i_n_t _a_f, _c_o_n_s_t _c_h_a_r _*_a_d_d_r, - _s_t_r_u_c_t _s_o_c_k_a_d_d_r _*_s_a, _k_r_b_5___s_o_c_k_l_e_n___t _*_s_a___s_i_z_e, _i_n_t _p_o_r_t) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__hh__aaddddrr22aaddddrr(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _i_n_t _a_f, _c_o_n_s_t _c_h_a_r _*_h_a_d_d_r, - _k_r_b_5___a_d_d_r_e_s_s _*_a_d_d_r) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__aannyyaaddddrr(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _i_n_t _a_f, _s_t_r_u_c_t _s_o_c_k_a_d_d_r _*_s_a, - _k_r_b_5___s_o_c_k_l_e_n___t _*_s_a___s_i_z_e, _i_n_t _p_o_r_t) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__pprriinntt__aaddddrreessss(_c_o_n_s_t _k_r_b_5___a_d_d_r_e_s_s _*_a_d_d_r, _c_h_a_r _*_s_t_r, _s_i_z_e___t _l_e_n, - _s_i_z_e___t _*_r_e_t___l_e_n) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__ppaarrssee__aaddddrreessss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_s_t_r_i_n_g, - _k_r_b_5___a_d_d_r_e_s_s_e_s _*_a_d_d_r_e_s_s_e_s) - - _i_n_t - kkrrbb55__aaddddrreessss__oorrddeerr(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___a_d_d_r_e_s_s _*_a_d_d_r_1, - _c_o_n_s_t _k_r_b_5___a_d_d_r_e_s_s _*_a_d_d_r_2) - - _k_r_b_5___b_o_o_l_e_a_n - kkrrbb55__aaddddrreessss__ccoommppaarree(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___a_d_d_r_e_s_s _*_a_d_d_r_1, - _c_o_n_s_t _k_r_b_5___a_d_d_r_e_s_s _*_a_d_d_r_2) - - _k_r_b_5___b_o_o_l_e_a_n - kkrrbb55__aaddddrreessss__sseeaarrcchh(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___a_d_d_r_e_s_s _*_a_d_d_r, - _c_o_n_s_t _k_r_b_5___a_d_d_r_e_s_s_e_s _*_a_d_d_r_l_i_s_t) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__ffrreeee__aaddddrreessss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___a_d_d_r_e_s_s _*_a_d_d_r_e_s_s) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__ffrreeee__aaddddrreesssseess(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___a_d_d_r_e_s_s_e_s _*_a_d_d_r_e_s_s_e_s) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - 
kkrrbb55__ccooppyy__aaddddrreessss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___a_d_d_r_e_s_s _*_i_n_a_d_d_r, - _k_r_b_5___a_d_d_r_e_s_s _*_o_u_t_a_d_d_r) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__ccooppyy__aaddddrreesssseess(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___a_d_d_r_e_s_s_e_s _*_i_n_a_d_d_r, - _k_r_b_5___a_d_d_r_e_s_s_e_s _*_o_u_t_a_d_d_r) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__aappppeenndd__aaddddrreesssseess(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___a_d_d_r_e_s_s_e_s _*_d_e_s_t, - _c_o_n_s_t _k_r_b_5___a_d_d_r_e_s_s_e_s _*_s_o_u_r_c_e) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__mmaakkee__aaddddrrppoorrtt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___a_d_d_r_e_s_s _*_*_r_e_s, - _c_o_n_s_t _k_r_b_5___a_d_d_r_e_s_s _*_a_d_d_r, _i_n_t_1_6___t _p_o_r_t) - -DDEESSCCRRIIPPTTIIOONN - The krb5_address structure holds a address that can be used in Kerberos - API calls. There are help functions to set and extract address informa- - tion of the address. - - The krb5_addresses structure holds a set of krb5_address:es. - - kkrrbb55__ssoocckkaaddddrr22aaddddrreessss() stores a address a struct sockaddr _s_a in the - krb5_address _a_d_d_r. - - kkrrbb55__ssoocckkaaddddrr22ppoorrtt() extracts a _p_o_r_t (if possible) from a struct sockaddr - _s_a. - - kkrrbb55__aaddddrr22ssoocckkaaddddrr() sets the struct sockaddr _s_o_c_k_a_d_d_r from _a_d_d_r and - _p_o_r_t. _S_a___s_i_z_e should be initially contain the size of the _s_a, and after - the call, it will contain the actual length of the address. - - kkrrbb55__mmaaxx__ssoocckkaaddddrr__ssiizzee() returns the max size of the struct sockaddr that - the Kerberos library will return. - - kkrrbb55__ssoocckkaaddddrr__uunniinntteerreessttiinngg() returns TRUE for all _s_a that for that the - kerberos library thinks are uninteresting. One example are link local - addresses. 
- - kkrrbb55__hh__aaddddrr22ssoocckkaaddddrr() initializes a struct sockaddr _s_a from _a_f and the - struct hostent (see gethostbyname(3)) _h___a_d_d_r___l_i_s_t component. _S_a___s_i_z_e - should be initially contain the size of the _s_a, and after the call, it - will contain the actual length of the address. _s_a argument. - - kkrrbb55__hh__aaddddrr22aaddddrr() works like kkrrbb55__hh__aaddddrr22ssoocckkaaddddrr() with the exception - that it operates on a krb5_address instead of a struct sockaddr - - kkrrbb55__aannyyaaddddrr() fills in a struct sockaddr _s_a that can be used to to. - _S_a___s_i_z_e should be initially contain the size of the _s_a, and after the - call, it will contain the actual length of the address. - - kkrrbb55__pprriinntt__aaddddrreessss() prints the address in _a_d_d_r to the a string _s_t_r_i_n_g - that have the length _l_e_n. If _r_e_t___l_e_n if not NULL, it will be filled in - length of the string. - - kkrrbb55__ppaarrssee__aaddddrreessss() Returns the resolving a hostname in _s_t_r_i_n_g to the - krb5_addresses _a_d_d_r_e_s_s_e_s. - - - kkrrbb55__aaddddrreessss__oorrddeerr() compares to addresses _a_d_d_r_1 and _a_d_d_r_2 so that it can - be used for sorting addresses. If the addresses are the same address - _k_r_b_5___a_d_d_r_e_s_s___o_r_d_e_r _w_i_l_l _b_e _r_e_t_u_r_n _0_. - - kkrrbb55__aaddddrreessss__ccoommppaarree() compares the addresses _a_d_d_r_1 and _a_d_d_r_2. returns - TRUE if the two addresses are the same. - - kkrrbb55__aaddddrreessss__sseeaarrcchh() checks if the address _a_d_d_r is a member of the ad- - dress set list _a_d_d_r_l_i_s_t. - - kkrrbb55__ffrreeee__aaddddrreessss() frees the data stored in the _a_d_d_r_e_s_s that is alloced - with any of the krb5_address functions. - - kkrrbb55__ffrreeee__aaddddrreesssseess() frees the data stored in the _a_d_d_r_e_s_s_e_s that is al- - loced with any of the krb5_address functions. 
- - kkrrbb55__ccooppyy__aaddddrreessss() copies the content of address _i_n_a_d_d_r to _o_u_t_a_d_d_r. - - kkrrbb55__ccooppyy__aaddddrreesssseess() copies the content of the address list _i_n_a_d_d_r to - _o_u_t_a_d_d_r. - - kkrrbb55__aappppeenndd__aaddddrreesssseess() adds the set of addresses in _s_o_u_r_c_e to _d_e_s_t. - While copying the addresses, duplicates are also sorted out. - - kkrrbb55__mmaakkee__aaddddrrppoorrtt() allocates and creates an krb5_address in _r_e_s of type - KRB5_ADDRESS_ADDRPORT from (_a_d_d_r, _p_o_r_t). - -SSEEEE AALLSSOO - krb5(3), krb5.conf(5), kerberos(8) - - HEIMDAL March 11, 2002 3 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_aname_to_localname.3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_aname_to_localname.3 deleted file mode 100644 index 900e1d9483..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5_aname_to_localname.3 +++ /dev/null 
@@ -1,80 +0,0 @@
-.\" Copyright (c) 2003 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: krb5_aname_to_localname.3,v 1.2 2003/04/16 13:58:13 lha Exp $
-.\"
-.Dd March 17, 2003
-.Dt KRB5_ANAME_TO_LOCALNAME 3
-.Os HEIMDAL
-.Sh NAME
-.Nm krb5_aname_to_localname
-.Nd converts a principal to a system local name.
-.Sh LIBRARY -Kerberos 5 Library (libkrb5, -lkrb5) -.Sh SYNOPSIS -.In krb5.h -.Ft krb5_boolean -.Fo krb5_aname_to_localname -.Fa "krb5_context context" -.Fa "krb5_const_principal name" -.Fa "size_t lnsize" -.Fa "char *lname" -.Fc -.Sh DESCRIPTION -This function takes a principal -.Fa name , -verifies its in the local realm (using -.Fn krb5_get_default_realms ) -and then returns the local name of the principal. -.Pp -If -.Fa name -isn't in one of the local realms and error is returned. -.Pp -If size -.Fa ( lnsize ) -of the local name -.Fa ( lname ) -is to small, an error is returned. -.Pp -.Fn krb5_aname_to_localname -should only be use by application that implements protocols that -doesn't transport the login name and thus needs to convert a principal -to a local name. -.Pp -Protocols should be designed so that the it autheticates using -Kerberos, send over the login name and then verifies in the principal -that authenticated is allowed to login and the login name. -A way to check if a user is allowed to login is using the function -.Fn krb5_kuserok . -.Sh SEE ALSO -.Xr krb5_get_default_realms 3 , -.Xr krb5_kuserok 3 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_aname_to_localname.cat3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_aname_to_localname.cat3 deleted file mode 100644 index 5a662c8b37..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5_aname_to_localname.cat3 +++ /dev/null 
@@ -1,37 +0,0 @@ - -KRB5_ANAME_TO_LOCALNAME(3) UNIX Programmer's Manual KRB5_ANAME_TO_LOCALNAME(3) - -NNAAMMEE - kkrrbb55__aannaammee__ttoo__llooccaallnnaammee - converts a principal to a system local name. - -LLIIBBRRAARRYY - Kerberos 5 Library (libkrb5, -lkrb5) - -SSYYNNOOPPSSIISS - _k_r_b_5___b_o_o_l_e_a_n - kkrrbb55__aannaammee__ttoo__llooccaallnnaammee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_o_n_s_t___p_r_i_n_c_i_p_a_l _n_a_m_e, - _s_i_z_e___t _l_n_s_i_z_e, _c_h_a_r _*_l_n_a_m_e) - -DDEESSCCRRIIPPTTIIOONN - This function takes a principal _n_a_m_e, verifies its in the local realm - (using kkrrbb55__ggeett__ddeeffaauulltt__rreeaallmmss()) and then returns the local name of the - principal. - - If _n_a_m_e isn't in one of the local realms and error is returned. - - If size (_l_n_s_i_z_e) of the local name (_l_n_a_m_e) is to small, an error is re- - turned. - - kkrrbb55__aannaammee__ttoo__llooccaallnnaammee() should only be use by application that imple- - ments protocols that doesn't transport the login name and thus needs to - convert a principal to a local name. - - Protocols should be designed so that the it autheticates using Kerberos, - send over the login name and then verifies in the principal that authen- - ticated is allowed to login and the login name. A way to check if a user - is allowed to login is using the function kkrrbb55__kkuusseerrookk(). - -SSEEEE AALLSSOO - krb5_get_default_realms(3), krb5_kuserok(3) - - HEIMDAL March 17, 2003 1 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_appdefault.3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_appdefault.3 deleted file mode 100644 index f913fdc33c..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5_appdefault.3 +++ /dev/null 
@@ -1,88 +0,0 @@
-.\" Copyright (c) 2000 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\" -.\" $Id: krb5_appdefault.3,v 1.10 2003/04/16 13:58:10 lha Exp $ -.\" -.Dd July 25, 2000 -.Dt KRB5_APPDEFAULT 3 -.Os HEIMDAL -.Sh NAME -.Nm krb5_appdefault_boolean , -.Nm krb5_appdefault_string , -.Nm krb5_appdefault_time -.Nd get application configuration value -.Sh LIBRARY -Kerberos 5 Library (libkrb5, -lkrb5) -.Sh SYNOPSIS -.In krb5.h -.Ft void -.Fn krb5_appdefault_boolean "krb5_context context" "const char *appname" "krb5_realm realm" "const char *option" "krb5_boolean def_val" "krb5_boolean *ret_val" -.Ft void -.Fn krb5_appdefault_string "krb5_context context" "const char *appname" "krb5_realm realm" "const char *option" "const char *def_val" "char **ret_val" -.Ft void -.Fn krb5_appdefault_time "krb5_context context" "const char *appname" "krb5_realm realm" "const char *option" "time_t def_val" "time_t *ret_val" -.Sh DESCRIPTION -These functions get application defaults from the -.Dv appdefaults -section of the -.Xr krb5.conf 5 -configuration file. These defaults can be specified per application, -and/or per realm. -.Pp -These values will be looked for in -.Xr krb5.conf 5 , -in order of descending importance. -.Bd -literal -offset indent -[appdefaults] - appname = { - realm = { - option = value - } - } - appname = { - option = value - } - realm = { - option = value - } - option = value -.Ed -.Fa appname -is the name of the application, and -.Fa realm -is the realm name. If the realm is omitted it will not be used for -resolving values. -.Fa def_val -is the value to return if no value is found in -.Xr krb5.conf 5 . -.Sh SEE ALSO -.Xr krb5_config 3 , -.Xr krb5.conf 5 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_appdefault.cat3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_appdefault.cat3 deleted file mode 100644 index 0b5f485d95..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5_appdefault.cat3 +++ /dev/null 
@@ -1,55 +0,0 @@ - -KRB5_APPDEFAULT(3) UNIX Programmer's Manual KRB5_APPDEFAULT(3) - -NNAAMMEE - kkrrbb55__aappppddeeffaauulltt__bboooolleeaann, kkrrbb55__aappppddeeffaauulltt__ssttrriinngg, kkrrbb55__aappppddeeffaauulltt__ttiimmee - - get application configuration value - -LLIIBBRRAARRYY - Kerberos 5 Library (libkrb5, -lkrb5) - -SSYYNNOOPPSSIISS - _v_o_i_d - kkrrbb55__aappppddeeffaauulltt__bboooolleeaann(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_a_p_p_n_a_m_e, - _k_r_b_5___r_e_a_l_m _r_e_a_l_m, _c_o_n_s_t _c_h_a_r _*_o_p_t_i_o_n, _k_r_b_5___b_o_o_l_e_a_n _d_e_f___v_a_l, - _k_r_b_5___b_o_o_l_e_a_n _*_r_e_t___v_a_l) - - _v_o_i_d - kkrrbb55__aappppddeeffaauulltt__ssttrriinngg(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_a_p_p_n_a_m_e, - _k_r_b_5___r_e_a_l_m _r_e_a_l_m, _c_o_n_s_t _c_h_a_r _*_o_p_t_i_o_n, _c_o_n_s_t _c_h_a_r _*_d_e_f___v_a_l, - _c_h_a_r _*_*_r_e_t___v_a_l) - - _v_o_i_d - kkrrbb55__aappppddeeffaauulltt__ttiimmee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_a_p_p_n_a_m_e, - _k_r_b_5___r_e_a_l_m _r_e_a_l_m, _c_o_n_s_t _c_h_a_r _*_o_p_t_i_o_n, _t_i_m_e___t _d_e_f___v_a_l, - _t_i_m_e___t _*_r_e_t___v_a_l) - -DDEESSCCRRIIPPTTIIOONN - These functions get application defaults from the appdefaults section of - the krb5.conf(5) configuration file. These defaults can be specified per - application, and/or per realm. - - These values will be looked for in krb5.conf(5), in order of descending - importance. - - [appdefaults] - appname = { - realm = { - option = value - } - } - appname = { - option = value - } - realm = { - option = value - } - option = value - _a_p_p_n_a_m_e is the name of the application, and _r_e_a_l_m is the realm name. If - the realm is omitted it will not be used for resolving values. _d_e_f___v_a_l - is the value to return if no value is found in krb5.conf(5). - -SSEEEE AALLSSOO - krb5_config(3), krb5.conf(5) - - HEIMDAL July 25, 2000 1 
diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_auth_context.3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_auth_context.3
deleted file mode 100644
index 69db32486b..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/krb5_auth_context.3
+++ /dev/null
@@ -1,317 +0,0 @@
-.\" Copyright (c) 2001 - 2002 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\" -.\" $Id: krb5_auth_context.3,v 1.8 2003/04/16 13:58:13 lha Exp $ -.\" -.Dd January 21, 2001 -.Dt KRB5_AUTH_CONTEXT 3 -.Os HEIMDAL -.Sh NAME -.Nm krb5_auth_context , -.Nm krb5_auth_con_init , -.Nm krb5_auth_con_free , -.Nm krb5_auth_con_setflags , -.Nm krb5_auth_con_getflags , -.Nm krb5_auth_con_setaddrs , -.Nm krb5_auth_con_setaddrs_from_fd , -.Nm krb5_auth_con_getaddrs , -.Nm krb5_auth_con_genaddrs , -.Nm krb5_auth_con_getkey , -.Nm krb5_auth_con_setkey , -.Nm krb5_auth_con_getuserkey , -.Nm krb5_auth_con_setuserkey , -.Nm krb5_auth_con_getlocalsubkey , -.Nm krb5_auth_con_setlocalsubkey , -.Nm krb5_auth_con_getremotesubkey , -.Nm krb5_auth_con_setremotesubkey , -.Nm krb5_auth_setcksumtype , -.Nm krb5_auth_getcksumtype , -.Nm krb5_auth_setkeytype , -.Nm krb5_auth_getkeytype , -.Nm krb5_auth_getlocalseqnumber , -.Nm krb5_auth_setlocalseqnumber , -.Nm krb5_auth_getremoteseqnumber , -.Nm krb5_auth_setremoteseqnumber , -.Nm krb5_auth_getauthenticator , -.Nm krb5_auth_con_getrcache , -.Nm krb5_auth_con_setrcache , -.Nm krb5_auth_con_initivector , -.Nm krb5_auth_con_setivector -.Nd manage authentication on connection level -.Sh LIBRARY -Kerberos 5 Library (libkrb5, -lkrb5) -.Sh SYNOPSIS -.In krb5.h -.Ft krb5_error_code -.Fo krb5_auth_con_init -.Fa "krb5_context context" -.Fa "krb5_auth_context *auth_context" -.Fc -.Ft void -.Fo krb5_auth_con_free -.Fa "krb5_context context" -.Fa "krb5_auth_context auth_context" -.Fc -.Ft krb5_error_code -.Fo krb5_auth_con_setflags -.Fa "krb5_context context" -.Fa "krb5_auth_context auth_context" -.Fa "int32_t flags" -.Fc -.Ft krb5_error_code -.Fo krb5_auth_con_getflags -.Fa "krb5_context context" -.Fa "krb5_auth_context auth_context" -.Fa "int32_t *flags" -.Fc -.Ft krb5_error_code -.Fo krb5_auth_con_setaddrs -.Fa "krb5_context context" -.Fa "krb5_auth_context auth_context" -.Fa "krb5_address *local_addr" -.Fa "krb5_address *remote_addr" -.Fc -.Ft krb5_error_code -.Fo krb5_auth_con_getaddrs -.Fa "krb5_context context" -.Fa 
"krb5_auth_context auth_context" -.Fa "krb5_address **local_addr" -.Fa "krb5_address **remote_addr" -.Fc -.Ft krb5_error_code -.Fo krb5_auth_con_genaddrs -.Fa "krb5_context context" -.Fa "krb5_auth_context auth_context" -.Fa "int fd" -.Fa "int flags" -.Fc -.Ft krb5_error_code -.Fo krb5_auth_con_setaddrs_from_fd -.Fa "krb5_context context" -.Fa "krb5_auth_context auth_context" -.Fa "void *p_fd" -.Fc -.Ft krb5_error_code -.Fo krb5_auth_con_getkey -.Fa "krb5_context context" -.Fa "krb5_auth_context auth_context" -.Fa "krb5_keyblock **keyblock" -.Fc -.Ft krb5_error_code -.Fo krb5_auth_con_getlocalsubkey -.Fa "krb5_context context" -.Fa "krb5_auth_context auth_context" -.Fa "krb5_keyblock **keyblock" -.Fc -.Ft krb5_error_code -.Fo krb5_auth_con_getremotesubkey -.Fa "krb5_context context" -.Fa "krb5_auth_context auth_context" -.Fa "krb5_keyblock **keyblock" -.Fc -.Ft krb5_error_code -.Fo krb5_auth_con_initivector -.Fa "krb5_context context" -.Fa "krb5_auth_context auth_context" -.Fc -.Ft krb5_error_code -.Fo krb5_auth_con_setivector -.Fa "krb5_context context" -.Fa "krb5_auth_context *auth_context" -.Fa "krb5_pointer ivector" -.Fc -.Sh DESCRIPTION -The -.Nm krb5_auth_context -structure holds all context related to an authenticated connection, in -a similar way to -.Nm krb5_context -that holds the context for the thread or process. -.Nm krb5_auth_context -is used by various functions that are directly related to -authentication between the server/client. Example of data that this -structure contains are various flags, addresses of client and server, -port numbers, keyblocks (and subkeys), sequence numbers, replay cache, -and checksum-type. -.Pp -.Fn krb5_auth_con_init -allocates and initializes the -.Nm krb5_auth_context -structure. Default values can be changed with -.Fn krb5_auth_con_setcksumtype -and -.Fn krb5_auth_con_setflags . -The -.Nm auth_context -structure must be freed by -.Fn krb5_auth_con_free . 
-.Pp -.Fn krb5_auth_con_getflags -and -.Fn krb5_auth_con_setflags -gets and modifies the flags for a -.Nm krb5_auth_context -structure. Possible flags to set are: -.Bl -tag -width Ds -.It Dv KRB5_AUTH_CONTEXT_DO_TIME -check timestamp on incoming packets. -.\".It Dv KRB5_AUTH_CONTEXT_RET_TIME -.It Dv KRB5_AUTH_CONTEXT_DO_SEQUENCE -Generate and check sequence-number on each packet. -.\".It Dv KRB5_AUTH_CONTEXT_RET_SEQUENCE -.\".It Dv KRB5_AUTH_CONTEXT_PERMIT_ALL -.El -.Pp -.Fn krb5_auth_con_setaddrs , -.Fn krb5_auth_con_setaddrs_from_fd -and -.Fn krb5_auth_con_getaddrs -gets and sets the addresses that are checked when a packet is received. -It is mandatory to set an address for the remote -host. If the local address is not set, it iss deduced from the underlaying -operating system. -.Fn krb5_auth_con_getaddrs -will call -.Fn krb5_free_address -on any address that is passed in -.Fa local_addr -or -.Fa remote_addr . -.Fn krb5_auth_con_setaddr -allows passing in a -.Dv NULL -pointer as -.Fa local_addr -and -.Fa remote_addr , -in that case it will just not set that address. -.Pp -.Fn krb5_auth_con_setaddrs_from_fd -fetches the addresses from a file descriptor. -.Pp -.Fn krb5_auth_con_genaddrs -fetches the address information from the given file descriptor -.Fa fd -depending on the bitmap argument -.Fa flags . -.Pp -Possible values on -.Fa flags -are: -.Bl -tag -width Ds -.It Va KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR -fetches the local address from -.Fa fd . -.It Va KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR -fetches the remote address from -.Fa fd . -.El -.Pp -.Fn krb5_auth_con_setkey , -.Fn krb5_auth_con_setuserkey -and -.Fn krb5_auth_con_getkey -gets and sets the key used for this auth context. The keyblock returned by -.Fn krb5_auth_con_getkey -should be freed with -.Fn krb5_free_keyblock . -The keyblock send into -.Fn krb5_auth_con_setkey -is copied into the -.Nm krb5_auth_context , -and thus no special handling is needed. 
-.Dv NULL -is not a valid keyblock to -.Fn krb5_auth_con_setkey . -.Pp -.Fn krb5_auth_con_setuserkey -is only useful when doing user to user authentication. -.Fn krb5_auth_con_setkey -is equivalent to -.Fn krb5_auth_con_setuserkey . -.Pp -.Fn krb5_auth_con_getlocalsubkey , -.Fn krb5_auth_con_setlocalsubkey , -.Fn krb5_auth_con_getremotesubkey -and -.Fn krb5_auth_con_setremotesubkey -gets and sets the keyblock for the local and remote subkey. The keyblock returned by -.Fn krb5_auth_con_getlocalsubkey -and -.Fn krb5_auth_con_getremotesubkey -must be freed with -.Fn krb5_free_keyblock . -.Pp -.Fn krb5_auth_setcksumtype -and -.Fn krb5_auth_getcksumtype -sets and gets the checksum type that should be used for this -connection. -.Pp -.Fn krb5_auth_getremoteseqnumber -.Fn krb5_auth_setremoteseqnumber , -.Fn krb5_auth_getlocalseqnumber -and -.Fn krb5_auth_setlocalseqnumber -gets and sets the sequence-number for the local and remote -sequence-number counter. -.Pp -.Fn krb5_auth_setkeytype -and -.Fn krb5_auth_getkeytype -gets and gets the keytype of the keyblock in -.Nm krb5_auth_context . -.Pp -.Fn krb5_auth_getauthenticator -Retrieves the authenticator that was used during mutual -authentication. The -.Dv authenticator -returned should be freed by calling -.Fn krb5_free_authenticator . -.Pp -.Fn krb5_auth_con_getrcache -and -.Fn krb5_auth_con_setrcache -gets and sets the replay-cache. -.Pp -.Fn krb5_auth_con_initivector -allocates memory for and zeros the initial vector in the -.Fa auth_context -keyblock. -.Pp -.Fn krb5_auth_con_setivector -sets the i_vector portion of -.Fa auth_context -to -.Fa ivector . -.Sh SEE ALSO -.Xr krb5_context 3 , -.Xr kerberos 8 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_auth_context.cat3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_auth_context.cat3 deleted file mode 100644 index 025e739f45..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5_auth_context.cat3 +++ /dev/null 
@@ -1,167 +0,0 @@ - -KRB5_AUTH_CONTEXT(3) UNIX Programmer's Manual KRB5_AUTH_CONTEXT(3) - -NNAAMMEE - kkrrbb55__aauutthh__ccoonntteexxtt, kkrrbb55__aauutthh__ccoonn__iinniitt, kkrrbb55__aauutthh__ccoonn__ffrreeee, - kkrrbb55__aauutthh__ccoonn__sseettffllaaggss, kkrrbb55__aauutthh__ccoonn__ggeettffllaaggss, kkrrbb55__aauutthh__ccoonn__sseettaaddddrrss, - kkrrbb55__aauutthh__ccoonn__sseettaaddddrrss__ffrroomm__ffdd, kkrrbb55__aauutthh__ccoonn__ggeettaaddddrrss, - kkrrbb55__aauutthh__ccoonn__ggeennaaddddrrss, kkrrbb55__aauutthh__ccoonn__ggeettkkeeyy, kkrrbb55__aauutthh__ccoonn__sseettkkeeyy, - kkrrbb55__aauutthh__ccoonn__ggeettuusseerrkkeeyy, kkrrbb55__aauutthh__ccoonn__sseettuusseerrkkeeyy, - kkrrbb55__aauutthh__ccoonn__ggeettllooccaallssuubbkkeeyy, kkrrbb55__aauutthh__ccoonn__sseettllooccaallssuubbkkeeyy, - kkrrbb55__aauutthh__ccoonn__ggeettrreemmootteessuubbkkeeyy, kkrrbb55__aauutthh__ccoonn__sseettrreemmootteessuubbkkeeyy, - kkrrbb55__aauutthh__sseettcckkssuummttyyppee, kkrrbb55__aauutthh__ggeettcckkssuummttyyppee, kkrrbb55__aauutthh__sseettkkeeyyttyyppee, - kkrrbb55__aauutthh__ggeettkkeeyyttyyppee, kkrrbb55__aauutthh__ggeettllooccaallsseeqqnnuummbbeerr, - kkrrbb55__aauutthh__sseettllooccaallsseeqqnnuummbbeerr, kkrrbb55__aauutthh__ggeettrreemmootteesseeqqnnuummbbeerr, - kkrrbb55__aauutthh__sseettrreemmootteesseeqqnnuummbbeerr, kkrrbb55__aauutthh__ggeettaauutthheennttiiccaattoorr, - kkrrbb55__aauutthh__ccoonn__ggeettrrccaacchhee, kkrrbb55__aauutthh__ccoonn__sseettrrccaacchhee, - kkrrbb55__aauutthh__ccoonn__iinniittiivveeccttoorr, kkrrbb55__aauutthh__ccoonn__sseettiivveeccttoorr - manage authentica- - tion on connection level - -LLIIBBRRAARRYY - Kerberos 5 Library (libkrb5, -lkrb5) - -SSYYNNOOPPSSIISS - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__aauutthh__ccoonn__iinniitt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _*_a_u_t_h___c_o_n_t_e_x_t) - - _v_o_i_d - kkrrbb55__aauutthh__ccoonn__ffrreeee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, 
_k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _a_u_t_h___c_o_n_t_e_x_t) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__aauutthh__ccoonn__sseettffllaaggss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, - _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _a_u_t_h___c_o_n_t_e_x_t, _i_n_t_3_2___t _f_l_a_g_s) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__aauutthh__ccoonn__ggeettffllaaggss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, - _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _a_u_t_h___c_o_n_t_e_x_t, _i_n_t_3_2___t _*_f_l_a_g_s) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__aauutthh__ccoonn__sseettaaddddrrss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, - _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _a_u_t_h___c_o_n_t_e_x_t, _k_r_b_5___a_d_d_r_e_s_s _*_l_o_c_a_l___a_d_d_r, - _k_r_b_5___a_d_d_r_e_s_s _*_r_e_m_o_t_e___a_d_d_r) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__aauutthh__ccoonn__ggeettaaddddrrss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, - _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _a_u_t_h___c_o_n_t_e_x_t, _k_r_b_5___a_d_d_r_e_s_s _*_*_l_o_c_a_l___a_d_d_r, - _k_r_b_5___a_d_d_r_e_s_s _*_*_r_e_m_o_t_e___a_d_d_r) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__aauutthh__ccoonn__ggeennaaddddrrss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, - _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _a_u_t_h___c_o_n_t_e_x_t, _i_n_t _f_d, _i_n_t _f_l_a_g_s) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__aauutthh__ccoonn__sseettaaddddrrss__ffrroomm__ffdd(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, - _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _a_u_t_h___c_o_n_t_e_x_t, _v_o_i_d _*_p___f_d) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__aauutthh__ccoonn__ggeettkkeeyy(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, - _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _a_u_t_h___c_o_n_t_e_x_t, _k_r_b_5___k_e_y_b_l_o_c_k _*_*_k_e_y_b_l_o_c_k) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__aauutthh__ccoonn__ggeettllooccaallssuubbkkeeyy(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, - _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _a_u_t_h___c_o_n_t_e_x_t, _k_r_b_5___k_e_y_b_l_o_c_k _*_*_k_e_y_b_l_o_c_k) - - 
_k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__aauutthh__ccoonn__ggeettrreemmootteessuubbkkeeyy(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, - _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _a_u_t_h___c_o_n_t_e_x_t, _k_r_b_5___k_e_y_b_l_o_c_k _*_*_k_e_y_b_l_o_c_k) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__aauutthh__ccoonn__iinniittiivveeccttoorr(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, - _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _a_u_t_h___c_o_n_t_e_x_t) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__aauutthh__ccoonn__sseettiivveeccttoorr(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, - _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _*_a_u_t_h___c_o_n_t_e_x_t, _k_r_b_5___p_o_i_n_t_e_r _i_v_e_c_t_o_r) - -DDEESSCCRRIIPPTTIIOONN - The kkrrbb55__aauutthh__ccoonntteexxtt structure holds all context related to an authenti- - cated connection, in a similar way to kkrrbb55__ccoonntteexxtt that holds the context - for the thread or process. kkrrbb55__aauutthh__ccoonntteexxtt is used by various func- - tions that are directly related to authentication between the serv- - er/client. Example of data that this structure contains are various - flags, addresses of client and server, port numbers, keyblocks (and sub- - keys), sequence numbers, replay cache, and checksum-type. - - kkrrbb55__aauutthh__ccoonn__iinniitt() allocates and initializes the kkrrbb55__aauutthh__ccoonntteexxtt - structure. Default values can be changed with - kkrrbb55__aauutthh__ccoonn__sseettcckkssuummttyyppee() and kkrrbb55__aauutthh__ccoonn__sseettffllaaggss(). The - aauutthh__ccoonntteexxtt structure must be freed by kkrrbb55__aauutthh__ccoonn__ffrreeee(). - - kkrrbb55__aauutthh__ccoonn__ggeettffllaaggss() and kkrrbb55__aauutthh__ccoonn__sseettffllaaggss() gets and modifies - the flags for a kkrrbb55__aauutthh__ccoonntteexxtt structure. Possible flags to set are: - - KRB5_AUTH_CONTEXT_DO_TIME - check timestamp on incoming packets. - - KRB5_AUTH_CONTEXT_DO_SEQUENCE - Generate and check sequence-number on each packet. 
- - kkrrbb55__aauutthh__ccoonn__sseettaaddddrrss(), kkrrbb55__aauutthh__ccoonn__sseettaaddddrrss__ffrroomm__ffdd() and - kkrrbb55__aauutthh__ccoonn__ggeettaaddddrrss() gets and sets the addresses that are checked - when a packet is received. It is mandatory to set an address for the re- - mote host. If the local address is not set, it iss deduced from the un- - derlaying operating system. kkrrbb55__aauutthh__ccoonn__ggeettaaddddrrss() will call - kkrrbb55__ffrreeee__aaddddrreessss() on any address that is passed in _l_o_c_a_l___a_d_d_r or - _r_e_m_o_t_e___a_d_d_r. kkrrbb55__aauutthh__ccoonn__sseettaaddddrr() allows passing in a NULL pointer as - _l_o_c_a_l___a_d_d_r and _r_e_m_o_t_e___a_d_d_r, in that case it will just not set that ad- - dress. - - kkrrbb55__aauutthh__ccoonn__sseettaaddddrrss__ffrroomm__ffdd() fetches the addresses from a file de- - scriptor. - - kkrrbb55__aauutthh__ccoonn__ggeennaaddddrrss() fetches the address information from the given - file descriptor _f_d depending on the bitmap argument _f_l_a_g_s. - - Possible values on _f_l_a_g_s are: - - _K_R_B_5___A_U_T_H___C_O_N_T_E_X_T___G_E_N_E_R_A_T_E___L_O_C_A_L___A_D_D_R - fetches the local address from _f_d. - - _K_R_B_5___A_U_T_H___C_O_N_T_E_X_T___G_E_N_E_R_A_T_E___R_E_M_O_T_E___A_D_D_R - fetches the remote address from _f_d. - - kkrrbb55__aauutthh__ccoonn__sseettkkeeyy(), kkrrbb55__aauutthh__ccoonn__sseettuusseerrkkeeyy() and - kkrrbb55__aauutthh__ccoonn__ggeettkkeeyy() gets and sets the key used for this auth context. - The keyblock returned by kkrrbb55__aauutthh__ccoonn__ggeettkkeeyy() should be freed with - kkrrbb55__ffrreeee__kkeeyybblloocckk(). The keyblock send into kkrrbb55__aauutthh__ccoonn__sseettkkeeyy() is - copied into the kkrrbb55__aauutthh__ccoonntteexxtt, and thus no special handling is need- - ed. NULL is not a valid keyblock to kkrrbb55__aauutthh__ccoonn__sseettkkeeyy(). 
- - kkrrbb55__aauutthh__ccoonn__sseettuusseerrkkeeyy() is only useful when doing user to user authen- - tication. kkrrbb55__aauutthh__ccoonn__sseettkkeeyy() is equivalent to - kkrrbb55__aauutthh__ccoonn__sseettuusseerrkkeeyy(). - - kkrrbb55__aauutthh__ccoonn__ggeettllooccaallssuubbkkeeyy(), kkrrbb55__aauutthh__ccoonn__sseettllooccaallssuubbkkeeyy(), - kkrrbb55__aauutthh__ccoonn__ggeettrreemmootteessuubbkkeeyy() and kkrrbb55__aauutthh__ccoonn__sseettrreemmootteessuubbkkeeyy() gets - and sets the keyblock for the local and remote subkey. The keyblock re- - turned by kkrrbb55__aauutthh__ccoonn__ggeettllooccaallssuubbkkeeyy() and - kkrrbb55__aauutthh__ccoonn__ggeettrreemmootteessuubbkkeeyy() must be freed with kkrrbb55__ffrreeee__kkeeyybblloocckk(). - - kkrrbb55__aauutthh__sseettcckkssuummttyyppee() and kkrrbb55__aauutthh__ggeettcckkssuummttyyppee() sets and gets the - checksum type that should be used for this connection. - - kkrrbb55__aauutthh__ggeettrreemmootteesseeqqnnuummbbeerr() kkrrbb55__aauutthh__sseettrreemmootteesseeqqnnuummbbeerr(), - kkrrbb55__aauutthh__ggeettllooccaallsseeqqnnuummbbeerr() and kkrrbb55__aauutthh__sseettllooccaallsseeqqnnuummbbeerr() gets and - sets the sequence-number for the local and remote sequence-number - counter. - - kkrrbb55__aauutthh__sseettkkeeyyttyyppee() and kkrrbb55__aauutthh__ggeettkkeeyyttyyppee() gets and gets the key- - type of the keyblock in kkrrbb55__aauutthh__ccoonntteexxtt. - - kkrrbb55__aauutthh__ggeettaauutthheennttiiccaattoorr() Retrieves the authenticator that was used - during mutual authentication. The authenticator returned should be freed - by calling kkrrbb55__ffrreeee__aauutthheennttiiccaattoorr(). - - kkrrbb55__aauutthh__ccoonn__ggeettrrccaacchhee() and kkrrbb55__aauutthh__ccoonn__sseettrrccaacchhee() gets and sets the - replay-cache. - - kkrrbb55__aauutthh__ccoonn__iinniittiivveeccttoorr() allocates memory for and zeros the initial - vector in the _a_u_t_h___c_o_n_t_e_x_t keyblock. 
- - kkrrbb55__aauutthh__ccoonn__sseettiivveeccttoorr() sets the i_vector portion of _a_u_t_h___c_o_n_t_e_x_t to - _i_v_e_c_t_o_r. - -SSEEEE AALLSSOO - krb5_context(3), kerberos(8) - - HEIMDAL January 21, 2001 3 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_build_principal.3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_build_principal.3 deleted file mode 100644 index e74c7543bd..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5_build_principal.3 +++ /dev/null 
@@ -1,101 +0,0 @@
-.\" Copyright (c) 1997, 2001 - 2002 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: krb5_build_principal.3,v 1.7 2003/04/16 13:58:14 lha Exp $
-.\"
-.Dd August 8, 1997
-.Dt KRB5_BUILD_PRINCIPAL 3
-.Os HEIMDAL
-.Sh NAME
-.Nm krb5_build_principal ,
-.Nm krb5_build_principal_ext ,
-.Nm krb5_build_principal_va ,
-.Nm krb5_build_principal_va_ext ,
-.Nm krb5_make_principal
-.Nd principal creation functions
-.Sh LIBRARY
-Kerberos 5 Library (libkrb5, -lkrb5)
-.Sh SYNOPSIS
-.In krb5.h
-.Ft krb5_error_code
-.Fn krb5_build_principal "krb5_context context" "krb5_principal *principal" "int realm_len" "krb5_const_realm realm" "..."
-.Ft krb5_error_code
-.Fn krb5_build_principal_ext "krb5_context context" "krb5_principal *principal" "int realm_len" "krb5_const_realm realm" "..."
-.Ft krb5_error_code
-.Fn krb5_build_principal_va "krb5_context context" "krb5_principal *principal" "int realm_len" "krb5_const_realm realm" "va_list ap"
-.Ft krb5_error_code
-.Fn krb5_build_principal_va_ext "krb5_context context" "krb5_principal *principal" "int realm_len" "krb5_const_realm realm" "va_list ap"
-.Ft krb5_error_code
-.Fn krb5_make_principal "krb5_context context" "krb5_principal *principal" "krb5_const_realm realm" "..."
-.Sh DESCRIPTION
-These functions create a Kerberos 5 principal from a realm and a list
-of components.
-All of these functions return an allocated principal in the
-.Fa principal
-parameter, this should be freed with
-.Fn krb5_free_principal
-after use.
-.Pp
-The
-.Dq build
-functions take a
-.Fa realm
-and the length of the realm. The
-.Fn krb5_build_principal
-and
-.Fn krb5_build_principal_va
-also takes a list of components (zero-terminated strings), terminated
-with
-.Dv NULL .
-The
-.Fn krb5_build_principal_ext
-and
-.Fn krb5_build_principal_va_ext
-takes a list of length-value pairs, the list is terminated with a zero
-length.
-.Pp
-The
-.Fn krb5_make_principal
-is a wrapper around
-.Fn krb5_build_principal .
-If the realm is
-.Dv NULL ,
-the default realm will be used.
-.Sh BUGS
-You can not have a NUL in a component.
Until someone can give a good
-example of where it would be a good idea to have NUL's in a component,
-this will not be fixed.
-.Sh SEE ALSO
-.Xr krb5_425_conv_principal 3 ,
-.Xr krb5_free_principal 3 ,
-.Xr krb5_parse_name 3 ,
-.Xr krb5_sname_to_principal 3 ,
-.Xr krb5_unparse_name 3
diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_build_principal.cat3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_build_principal.cat3
deleted file mode 100644
index 087dd93eaf..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/krb5_build_principal.cat3
+++ /dev/null
@@ -1,58 +0,0 @@ - -KRB5_BUILD_PRINCIPAL(3) UNIX Programmer's Manual KRB5_BUILD_PRINCIPAL(3) - -NNAAMMEE - kkrrbb55__bbuuiilldd__pprriinncciippaall, kkrrbb55__bbuuiilldd__pprriinncciippaall__eexxtt, kkrrbb55__bbuuiilldd__pprriinncciippaall__vvaa, - kkrrbb55__bbuuiilldd__pprriinncciippaall__vvaa__eexxtt, kkrrbb55__mmaakkee__pprriinncciippaall - principal creation - functions - -LLIIBBRRAARRYY - Kerberos 5 Library (libkrb5, -lkrb5) - -SSYYNNOOPPSSIISS - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__bbuuiilldd__pprriinncciippaall(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___p_r_i_n_c_i_p_a_l _*_p_r_i_n_c_i_p_a_l, - _i_n_t _r_e_a_l_m___l_e_n, _k_r_b_5___c_o_n_s_t___r_e_a_l_m _r_e_a_l_m, _._._.) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__bbuuiilldd__pprriinncciippaall__eexxtt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___p_r_i_n_c_i_p_a_l _*_p_r_i_n_c_i_p_a_l, - _i_n_t _r_e_a_l_m___l_e_n, _k_r_b_5___c_o_n_s_t___r_e_a_l_m _r_e_a_l_m, _._._.) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__bbuuiilldd__pprriinncciippaall__vvaa(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___p_r_i_n_c_i_p_a_l _*_p_r_i_n_c_i_p_a_l, - _i_n_t _r_e_a_l_m___l_e_n, _k_r_b_5___c_o_n_s_t___r_e_a_l_m _r_e_a_l_m, _v_a___l_i_s_t _a_p) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__bbuuiilldd__pprriinncciippaall__vvaa__eexxtt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, - _k_r_b_5___p_r_i_n_c_i_p_a_l _*_p_r_i_n_c_i_p_a_l, _i_n_t _r_e_a_l_m___l_e_n, _k_r_b_5___c_o_n_s_t___r_e_a_l_m _r_e_a_l_m, - _v_a___l_i_s_t _a_p) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__mmaakkee__pprriinncciippaall(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___p_r_i_n_c_i_p_a_l _*_p_r_i_n_c_i_p_a_l, - _k_r_b_5___c_o_n_s_t___r_e_a_l_m _r_e_a_l_m, _._._.) - -DDEESSCCRRIIPPTTIIOONN - These functions create a Kerberos 5 principal from a realm and a list of - components. 
All of these functions return an allocated principal in the - _p_r_i_n_c_i_p_a_l parameter, this should be freed with kkrrbb55__ffrreeee__pprriinncciippaall() af- - ter use. - - The ``build'' functions take a _r_e_a_l_m and the length of the realm. The - kkrrbb55__bbuuiilldd__pprriinncciippaall() and kkrrbb55__bbuuiilldd__pprriinncciippaall__vvaa() also takes a list of - components (zero-terminated strings), terminated with NULL. The - kkrrbb55__bbuuiilldd__pprriinncciippaall__eexxtt() and kkrrbb55__bbuuiilldd__pprriinncciippaall__vvaa__eexxtt() takes a list - of length-value pairs, the list is terminated with a zero length. - - The kkrrbb55__mmaakkee__pprriinncciippaall() is a wrapper around kkrrbb55__bbuuiilldd__pprriinncciippaall(). If - the realm is NULL, the default realm will be used. - -BBUUGGSS - You can not have a NUL in a component. Until someone can give a good ex- - ample of where it would be a good idea to have NUL's in a component, this - will not be fixed. - -SSEEEE AALLSSOO - krb5_425_conv_principal(3), krb5_free_principal(3), krb5_parse_name(3), - krb5_sname_to_principal(3), krb5_unparse_name(3) - - HEIMDAL August 8, 1997 1 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_ccache.3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_ccache.3 deleted file mode 100644 index ec48c5f37a..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5_ccache.3 +++ /dev/null 
@@ -1,356 +0,0 @@
-.\" Copyright (c) 2003 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: krb5_ccache.3,v 1.7 2003/04/16 13:58:12 lha Exp $
-.\"
-.Dd March 16, 2003
-.Dt KRB5_CCACHE 3
-.Os HEIMDAL
-.Sh NAME
-.Nm krb5_ccache ,
-.Nm krb5_cc_cursor ,
-.Nm krb5_cc_ops ,
-.Nm krb5_fcc_ops ,
-.Nm krb5_mcc_ops ,
-.Nm krb5_cc_close ,
-.Nm krb5_cc_copy_cache ,
-.Nm krb5_cc_default ,
-.Nm krb5_cc_default_name ,
-.Nm krb5_cc_destroy ,
-.Nm krb5_cc_end_seq_get ,
-.Nm krb5_cc_gen_new ,
-.Nm krb5_cc_get_name ,
-.Nm krb5_cc_get_principal ,
-.Nm krb5_cc_get_type ,
-.Nm krb5_cc_get_ops ,
-.Nm krb5_cc_get_version ,
-.Nm krb5_cc_initialize ,
-.Nm krb5_cc_register ,
-.Nm krb5_cc_resolve ,
-.Nm krb5_cc_retrieve_cred ,
-.Nm krb5_cc_remove_cred ,
-.Nm krb5_cc_set_default_name ,
-.Nm krb5_cc_store_cred ,
-.Nm krb5_cc_set_flags ,
-.Nm krb5_cc_next_cred
-.Nd mange credential cache.
-.Sh LIBRARY
-Kerberos 5 Library (libkrb5, -lkrb5)
-.Sh SYNOPSIS
-.In krb5.h
-.Pp
-.Li "struct krb5_ccache;"
-.Pp
-.Li "struct krb5_cc_cursor;"
-.Pp
-.Li "struct krb5_cc_ops;"
-.Pp
-.Li "struct krb5_cc_ops *krb5_fcc_ops;"
-.Pp
-.Li "struct krb5_cc_ops *krb5_mcc_ops;"
-.Pp
-.Ft krb5_error_code
-.Fo krb5_cc_close
-.Fa "krb5_context *context"
-.Fa "krb5_ccache id"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_cc_copy_cache
-.Fa "krb5_context *context"
-.Fa "const krb5_ccache from"
-.Fa "krb5_ccache to"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_cc_default
-.Fa "krb5_context *context"
-.Fa "krb5_ccache *id"
-.Fc
-.Ft "const char *"
-.Fo krb5_cc_default_name
-.Fa "krb5_context *context"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_cc_destroy
-.Fa "krb5_context *context"
-.Fa "krb5_ccache id"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_cc_end_seq_get
-.Fa "krb5_context *context"
-.Fa "const krb5_ccache id"
-.Fa "krb5_cc_cursor *cursor"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_cc_gen_new
-.Fa "krb5_context *context"
-.Fa "const krb5_cc_ops *ops"
-.Fa "krb5_ccache *id"
-.Fc
-.Ft "const char *"
-.Fo krb5_cc_get_name
-.Fa "krb5_context *context"
-.Fa "krb5_ccache id"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_cc_get_principal
-.Fa
"krb5_context *context"
-.Fa "krb5_ccache id"
-.Fa "krb5_principal *principal"
-.Fc
-.Ft "const char *"
-.Fo krb5_cc_get_type
-.Fa "krb5_context *context"
-.Fa "krb5_ccache id"
-.Fc
-.Ft "const krb5_cc_ops *"
-.Fo krb5_cc_get_ops
-.Fa "krb5_context *context"
-.Fa "krb5_ccache id"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_cc_get_version
-.Fa "krb5_context *context"
-.Fa "const krb5_ccache id"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_cc_initialize
-.Fa "krb5_context *context"
-.Fa "krb5_ccache id"
-.Fa "krb5_principal primary_principal"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_cc_register
-.Fa "krb5_context *context"
-.Fa "const krb5_cc_ops *ops"
-.Fa "krb5_boolean override"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_cc_resolve
-.Fa "krb5_context *context"
-.Fa "const char *name"
-.Fa "krb5_ccache *id"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_cc_retrieve_cred
-.Fa "krb5_context *context"
-.Fa "krb5_ccache id"
-.Fa "krb5_flags whichfields"
-.Fa "const krb5_creds *mcreds"
-.Fa "krb5_creds *creds"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_cc_remove_cred
-.Fa "krb5_context *context"
-.Fa "krb5_ccache id"
-.Fa "krb5_flags which"
-.Fa "krb5_creds *cred"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_cc_set_default_name
-.Fa "krb5_context *context"
-.Fa "const char *name"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_cc_store_cred
-.Fa "krb5_context *context"
-.Fa "krb5_ccache id"
-.Fa "krb5_creds *creds"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_cc_set_flags
-.Fa "krb5_context *context"
-.Fa "krb5_cc_set_flags id"
-.Fa "krb5_flags flags"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_cc_next_cred
-.Fa "krb5_context *context"
-.Fa "const krb5_ccache id"
-.Fa "krb5_cc_cursor *cursor"
-.Fa "krb5_creds *creds"
-.Fc
-.Sh DESCRIPTION
-The
-.Li krb5_ccache
-structure holds a Kerberos credential cache.
-.Pp
-The
-.Li krb5_cc_cursor
-structure holds current position in a credential cache when
-iterating over the cache.
-.Pp
-The
-.Li krb5_cc_ops
-structure holds a set of operations that can me preformed on a
-credential cache.
-.Pp
-There is no component inside
-.Li krb5_ccache ,
-.Li krb5_cc_cursor
-nor
-.Li krb5_fcc_ops
-that is directly referable.
-.Pp
-The
-.Li krb5_creds
-holds a Kerberos credential, see manpage for
-.Xr krb5_creds 3 .
-.Pp
-.Fn krb5_cc_default_name
-and
-.Fn krb5_cc_set_default_name
-gets and sets the default name for the
-.Fa context .
-.Pp
-.Fn krb5_cc_default
-opens the default ccache in
-.Fa id .
-Return 0 or an error code.
-.Pp
-.Fn krb5_cc_gen_new
-generates a new ccache of type
-.Fa ops
-in
-.Fa id .
-Return 0 or an error code.
-.Pp
-.Fn krb5_cc_resolve
-finds and allocates a ccache in
-.Fa id
-from the specification in
-.Fa residual .
-If the ccache name doesn't contain any colon (:), interpret it as a
-file name.
-Return 0 or an error code.
-.Pp
-.Fn krb5_cc_initialize
-creates a new ccache in
-.Fa id
-for
-.Fa primary_principal .
-Return 0 or an error code.
-.Pp
-.Fn krb5_cc_close
-stops using the ccache
-.Fa id
-and frees the related resources.
-Return 0 or an error code.
-.Fn krb5_cc_destroy
-removes the ccache
-and closes (by calling
-.Fn krb5_cc_close )
-.Fa id .
-Return 0 or an error code.
-.Pp
-.Fn krb5_cc_copy_cache
-copys the contents of
-.Fa from
-to
-.Fa to .
-.Pp
-.Fn krb5_cc_get_name
-returns the name of the ccache
-.Fa id .
-.Pp
-.Fn krb5_cc_get_principal
-returns the principal of
-.Fa id
-in
-.Fa principal .
-Return 0 or an error code.
-.Pp
-.Fn krb5_cc_get_type
-returns the type of the ccache
-.Fa id .
-.Pp
-.Fn krb5_cc_get_ops
-returns the ops of the ccache
-.Fa id .
-.Pp
-.Fn krb5_cc_get_version
-returns the version of
-.Fa id .
-.Pp
-.Fn krb5_cc_register
-Adds a new ccache type with operations
-.Fa ops ,
-overwriting any existing one if
-.Fa override .
-Return an error code or 0.
-.Pp
-.Fn krb5_cc_remove_cred
-removes the credential identified by
-.Fa ( cred ,
-.Fa which )
-from
-.Fa id .
-.Pp
-.Fn krb5_cc_store_cred
-stores
-.Fa creds
-in the ccache
-.Fa id .
-Return 0 or an error code.
-.Pp
-.Fn krb5_cc_set_flags
-sets the flags of
-.Fa id
-to
-.Fa flags .
-.Pp
-.Fn krb5_cc_retrieve_cred ,
-retrieves the credential identified by
-.Fa mcreds
-(and
-.Fa whichfields )
-from
-.Fa id
-in
-.Fa creds .
-Return 0 or an error code.
-.Pp
-.Fn krb5_cc_next_cred
-retrieves the next cred pointed to by
-.Fa ( id ,
-.Fa cursor )
-in
-.Fa creds ,
-and advance
-.Fa cursor .
-Return 0 or an error code.
-.Pp
-.Fn krb5_cc_end_seq_get
-Destroys the cursor
-.Fa cursor .
-.Sh SEE ALSO
-.Xr krb5 3 ,
-.Xr krb5.conf 5 ,
-.Xr kerberos 8
diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_ccache.cat3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_ccache.cat3
deleted file mode 100644
index 19624ffb11..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/krb5_ccache.cat3
+++ /dev/null
@@ -1,176 +0,0 @@ - -KRB5_CCACHE(3) UNIX Programmer's Manual KRB5_CCACHE(3) - -NNAAMMEE - kkrrbb55__ccccaacchhee, kkrrbb55__cccc__ccuurrssoorr, kkrrbb55__cccc__ooppss, kkrrbb55__ffcccc__ooppss, kkrrbb55__mmcccc__ooppss, - kkrrbb55__cccc__cclloossee, kkrrbb55__cccc__ccooppyy__ccaacchhee, kkrrbb55__cccc__ddeeffaauulltt, kkrrbb55__cccc__ddeeffaauulltt__nnaammee, - kkrrbb55__cccc__ddeessttrrooyy, kkrrbb55__cccc__eenndd__sseeqq__ggeett, kkrrbb55__cccc__ggeenn__nneeww, kkrrbb55__cccc__ggeett__nnaammee, - kkrrbb55__cccc__ggeett__pprriinncciippaall, kkrrbb55__cccc__ggeett__ttyyppee, kkrrbb55__cccc__ggeett__ooppss, - kkrrbb55__cccc__ggeett__vveerrssiioonn, kkrrbb55__cccc__iinniittiiaalliizzee, kkrrbb55__cccc__rreeggiisstteerr, - kkrrbb55__cccc__rreessoollvvee, kkrrbb55__cccc__rreettrriieevvee__ccrreedd, kkrrbb55__cccc__rreemmoovvee__ccrreedd, - kkrrbb55__cccc__sseett__ddeeffaauulltt__nnaammee, kkrrbb55__cccc__ssttoorree__ccrreedd, kkrrbb55__cccc__sseett__ffllaaggss, - kkrrbb55__cccc__nneexxtt__ccrreedd - mange credential cache. 
- -LLIIBBRRAARRYY - Kerberos 5 Library (libkrb5, -lkrb5) - -SSYYNNOOPPSSIISS - struct krb5_ccache; - - struct krb5_cc_cursor; - - struct krb5_cc_ops; - - struct krb5_cc_ops *krb5_fcc_ops; - - struct krb5_cc_ops *krb5_mcc_ops; - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__cccc__cclloossee(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t, _k_r_b_5___c_c_a_c_h_e _i_d) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__cccc__ccooppyy__ccaacchhee(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___c_c_a_c_h_e _f_r_o_m, - _k_r_b_5___c_c_a_c_h_e _t_o) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__cccc__ddeeffaauulltt(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t, _k_r_b_5___c_c_a_c_h_e _*_i_d) - - _c_o_n_s_t _c_h_a_r _* - kkrrbb55__cccc__ddeeffaauulltt__nnaammee(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__cccc__ddeessttrrooyy(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t, _k_r_b_5___c_c_a_c_h_e _i_d) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__cccc__eenndd__sseeqq__ggeett(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___c_c_a_c_h_e _i_d, - _k_r_b_5___c_c___c_u_r_s_o_r _*_c_u_r_s_o_r) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__cccc__ggeenn__nneeww(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___c_c___o_p_s _*_o_p_s, - _k_r_b_5___c_c_a_c_h_e _*_i_d) - - _c_o_n_s_t _c_h_a_r _* - kkrrbb55__cccc__ggeett__nnaammee(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t, _k_r_b_5___c_c_a_c_h_e _i_d) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__cccc__ggeett__pprriinncciippaall(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t, _k_r_b_5___c_c_a_c_h_e _i_d, - _k_r_b_5___p_r_i_n_c_i_p_a_l _*_p_r_i_n_c_i_p_a_l) - - _c_o_n_s_t _c_h_a_r _* - kkrrbb55__cccc__ggeett__ttyyppee(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t, _k_r_b_5___c_c_a_c_h_e _i_d) - - _c_o_n_s_t _k_r_b_5___c_c___o_p_s _* - kkrrbb55__cccc__ggeett__ooppss(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t, _k_r_b_5___c_c_a_c_h_e _i_d) - - - _k_r_b_5___e_r_r_o_r___c_o_d_e 
- kkrrbb55__cccc__ggeett__vveerrssiioonn(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___c_c_a_c_h_e _i_d) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__cccc__iinniittiiaalliizzee(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t, _k_r_b_5___c_c_a_c_h_e _i_d, - _k_r_b_5___p_r_i_n_c_i_p_a_l _p_r_i_m_a_r_y___p_r_i_n_c_i_p_a_l) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__cccc__rreeggiisstteerr(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___c_c___o_p_s _*_o_p_s, - _k_r_b_5___b_o_o_l_e_a_n _o_v_e_r_r_i_d_e) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__cccc__rreessoollvvee(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_n_a_m_e, _k_r_b_5___c_c_a_c_h_e _*_i_d) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__cccc__rreettrriieevvee__ccrreedd(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t, _k_r_b_5___c_c_a_c_h_e _i_d, - _k_r_b_5___f_l_a_g_s _w_h_i_c_h_f_i_e_l_d_s, _c_o_n_s_t _k_r_b_5___c_r_e_d_s _*_m_c_r_e_d_s, - _k_r_b_5___c_r_e_d_s _*_c_r_e_d_s) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__cccc__rreemmoovvee__ccrreedd(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t, _k_r_b_5___c_c_a_c_h_e _i_d, - _k_r_b_5___f_l_a_g_s _w_h_i_c_h, _k_r_b_5___c_r_e_d_s _*_c_r_e_d) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__cccc__sseett__ddeeffaauulltt__nnaammee(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_n_a_m_e) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__cccc__ssttoorree__ccrreedd(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t, _k_r_b_5___c_c_a_c_h_e _i_d, - _k_r_b_5___c_r_e_d_s _*_c_r_e_d_s) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__cccc__sseett__ffllaaggss(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t, _k_r_b_5___c_c___s_e_t___f_l_a_g_s _i_d, - _k_r_b_5___f_l_a_g_s _f_l_a_g_s) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__cccc__nneexxtt__ccrreedd(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___c_c_a_c_h_e _i_d, - _k_r_b_5___c_c___c_u_r_s_o_r _*_c_u_r_s_o_r, _k_r_b_5___c_r_e_d_s _*_c_r_e_d_s) - 
-DDEESSCCRRIIPPTTIIOONN - The krb5_ccache structure holds a Kerberos credential cache. - - The krb5_cc_cursor structure holds current position in a credential cache - when iterating over the cache. - - The krb5_cc_ops structure holds a set of operations that can me preformed - on a credential cache. - - There is no component inside krb5_ccache, krb5_cc_cursor nor krb5_fcc_ops - that is directly referable. - - The krb5_creds holds a Kerberos credential, see manpage for - krb5_creds(3). - - kkrrbb55__cccc__ddeeffaauulltt__nnaammee() and kkrrbb55__cccc__sseett__ddeeffaauulltt__nnaammee() gets and sets the - default name for the _c_o_n_t_e_x_t. - - kkrrbb55__cccc__ddeeffaauulltt() opens the default ccache in _i_d. Return 0 or an error - code. - - kkrrbb55__cccc__ggeenn__nneeww() generates a new ccache of type _o_p_s in _i_d. Return 0 or - an error code. - - kkrrbb55__cccc__rreessoollvvee() finds and allocates a ccache in _i_d from the specifica- - tion in _r_e_s_i_d_u_a_l. If the ccache name doesn't contain any colon (:), in- - terpret it as a file name. Return 0 or an error code. - - - kkrrbb55__cccc__iinniittiiaalliizzee() creates a new ccache in _i_d for _p_r_i_m_a_r_y___p_r_i_n_c_i_p_a_l. - Return 0 or an error code. - - kkrrbb55__cccc__cclloossee() stops using the ccache _i_d and frees the related re- - sources. Return 0 or an error code. kkrrbb55__cccc__ddeessttrrooyy() removes the - ccache and closes (by calling kkrrbb55__cccc__cclloossee()) _i_d. Return 0 or an error - code. - - kkrrbb55__cccc__ccooppyy__ccaacchhee() copys the contents of _f_r_o_m to _t_o. - - kkrrbb55__cccc__ggeett__nnaammee() returns the name of the ccache _i_d. - - kkrrbb55__cccc__ggeett__pprriinncciippaall() returns the principal of _i_d in _p_r_i_n_c_i_p_a_l. Return - 0 or an error code. - - kkrrbb55__cccc__ggeett__ttyyppee() returns the type of the ccache _i_d. - - kkrrbb55__cccc__ggeett__ooppss() returns the ops of the ccache _i_d. 
- - kkrrbb55__cccc__ggeett__vveerrssiioonn() returns the version of _i_d. - - kkrrbb55__cccc__rreeggiisstteerr() Adds a new ccache type with operations _o_p_s, overwrit- - ing any existing one if _o_v_e_r_r_i_d_e. Return an error code or 0. - - kkrrbb55__cccc__rreemmoovvee__ccrreedd() removes the credential identified by (_c_r_e_d, _w_h_i_c_h) - from _i_d. - - kkrrbb55__cccc__ssttoorree__ccrreedd() stores _c_r_e_d_s in the ccache _i_d. Return 0 or an error - code. - - kkrrbb55__cccc__sseett__ffllaaggss() sets the flags of _i_d to _f_l_a_g_s. - - kkrrbb55__cccc__rreettrriieevvee__ccrreedd(), retrieves the credential identified by _m_c_r_e_d_s - (and _w_h_i_c_h_f_i_e_l_d_s) from _i_d in _c_r_e_d_s. Return 0 or an error code. - - kkrrbb55__cccc__nneexxtt__ccrreedd() retrieves the next cred pointed to by (_i_d, _c_u_r_s_o_r) in - _c_r_e_d_s, and advance _c_u_r_s_o_r. Return 0 or an error code. - - kkrrbb55__cccc__eenndd__sseeqq__ggeett() Destroys the cursor _c_u_r_s_o_r. - -SSEEEE AALLSSOO - krb5(3), krb5.conf(5), kerberos(8) - - HEIMDAL March 16, 2003 3 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_config.3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_config.3 deleted file mode 100644 index 471389e54a..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5_config.3 +++ /dev/null 
@@ -1,65 +0,0 @@
-.\" Copyright (c) 2000 Kungliga Tekniska Högskolan
-.\" $Id: krb5_config.3,v 1.5 2003/04/16 13:58:14 lha Exp $
-.Dd July 25, 2000
-.Dt KRB5_CONFIG 3
-.Os HEIMDAL
-.Sh NAME
-.Nm krb5_config_get_bool_default ,
-.Nm krb5_config_get_int_default ,
-.Nm krb5_config_get_string_default ,
-.Nm krb5_config_get_time_default
-.Nd get configuration value
-.Sh LIBRARY
-Kerberos 5 Library (libkrb5, -lkrb5)
-.Sh SYNOPSIS
-.In krb5.h
-.Ft krb5_boolean
-.Fn krb5_config_get_bool_default "krb5_context context" "krb5_config_section *c" "krb5_boolean def_value" "..."
-.Ft int
-.Fn krb5_config_get_int_default "krb5_context context" "krb5_config_section *c" "int def_value" "..."
-.Ft const char*
-.Fn krb5_config_get_string_default "krb5_context context" "krb5_config_section *c" "const char *def_value" "..."
-.Ft int
-.Fn krb5_config_get_time_default "krb5_context context" "krb5_config_section *c" "int def_value" "..."
-.Sh DESCRIPTION
-These functions get values from the
-.Xr krb5.conf 5
-configuration file, or another configuration database specified by the
-.Fa c
-parameter.
-.Pp
-The variable arguments should be a list of strings naming each
-subsection to look for. For example:
-.Bd -literal -offset indent
-krb5_config_get_bool_default(context, NULL, FALSE, "libdefaults", "log_utc", NULL)
-.Ed
-.Pp
-gets the boolean value for the
-.Dv log_utc
-option, defaulting to
-.Dv FALSE .
-.Pp
-.Fn krb5_config_get_bool_default
-will convert the option value to a boolean value, where
-.Sq yes ,
-.Sq true ,
-and any non-zero number means
-.Dv TRUE ,
-and any other value
-.Dv FALSE .
-.Pp
-.Fn krb5_config_get_int_default
-will convert the value to an integer.
-.Pp
-.Fn krb5_config_get_time_default
-will convert the value to a period of time (not a time stamp) in
-seconds, so the string
-.Sq 2 weeks
-will be converted to
-1209600 (2 * 7 * 24 * 60 * 60).
-.Sh BUGS
-Other than for the string case, there's no way to tell whether there
-was a value specified or not.
-.Sh SEE ALSO
-.Xr krb5_appdefault 3 ,
-.Xr krb5.conf 5
diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_config.cat3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_config.cat3
deleted file mode 100644
index 9b8bab2953..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/krb5_config.cat3
+++ /dev/null
@@ -1,57 +0,0 @@ - -KRB5_CONFIG(3) UNIX Programmer's Manual KRB5_CONFIG(3) - -NNAAMMEE - kkrrbb55__ccoonnffiigg__ggeett__bbooooll__ddeeffaauulltt, kkrrbb55__ccoonnffiigg__ggeett__iinntt__ddeeffaauulltt, - kkrrbb55__ccoonnffiigg__ggeett__ssttrriinngg__ddeeffaauulltt, kkrrbb55__ccoonnffiigg__ggeett__ttiimmee__ddeeffaauulltt - get con- - figuration value - -LLIIBBRRAARRYY - Kerberos 5 Library (libkrb5, -lkrb5) - -SSYYNNOOPPSSIISS - _k_r_b_5___b_o_o_l_e_a_n - kkrrbb55__ccoonnffiigg__ggeett__bbooooll__ddeeffaauulltt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, - _k_r_b_5___c_o_n_f_i_g___s_e_c_t_i_o_n _*_c, _k_r_b_5___b_o_o_l_e_a_n _d_e_f___v_a_l_u_e, _._._.) - - _i_n_t - kkrrbb55__ccoonnffiigg__ggeett__iinntt__ddeeffaauulltt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_o_n_f_i_g___s_e_c_t_i_o_n _*_c, - _i_n_t _d_e_f___v_a_l_u_e, _._._.) - - _c_o_n_s_t _c_h_a_r_* - kkrrbb55__ccoonnffiigg__ggeett__ssttrriinngg__ddeeffaauulltt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, - _k_r_b_5___c_o_n_f_i_g___s_e_c_t_i_o_n _*_c, _c_o_n_s_t _c_h_a_r _*_d_e_f___v_a_l_u_e, _._._.) - - _i_n_t - kkrrbb55__ccoonnffiigg__ggeett__ttiimmee__ddeeffaauulltt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, - _k_r_b_5___c_o_n_f_i_g___s_e_c_t_i_o_n _*_c, _i_n_t _d_e_f___v_a_l_u_e, _._._.) - -DDEESSCCRRIIPPTTIIOONN - These functions get values from the krb5.conf(5) configuration file, or - another configuration database specified by the _c parameter. - - The variable arguments should be a list of strings naming each subsection - to look for. For example: - - krb5_config_get_bool_default(context, NULL, FALSE, "libdefaults", "log_utc", NULL) - - gets the boolean value for the log_utc option, defaulting to FALSE. - - kkrrbb55__ccoonnffiigg__ggeett__bbooooll__ddeeffaauulltt() will convert the option value to a boolean - value, where `yes', `true', and any non-zero number means TRUE, and any - other value FALSE. - - kkrrbb55__ccoonnffiigg__ggeett__iinntt__ddeeffaauulltt() will convert the value to an integer. 
- - kkrrbb55__ccoonnffiigg__ggeett__ttiimmee__ddeeffaauulltt() will convert the value to a period of time - (not a time stamp) in seconds, so the string `2 weeks' will be converted - to 1209600 (2 * 7 * 24 * 60 * 60). - -BBUUGGSS - Other than for the string case, there's no way to tell whether there was - a value specified or not. - -SSEEEE AALLSSOO - krb5_appdefault(3), krb5.conf(5) - - HEIMDAL July 25, 2000 1 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_context.3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_context.3 deleted file mode 100644 index 95d11207d4..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5_context.3 +++ /dev/null 
@@ -1,52 +0,0 @@
-.\" Copyright (c) 2001 - 200 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: krb5_context.3,v 1.5 2003/03/10 02:19:28 lha Exp $
-.\"
-.Dd January 21, 2001
-.Dt KRB5_CONTEXT 3
-.Os HEIMDAL
-.Sh NAME
-.Nm krb5_context
-.Nd krb5 state structure
-.Sh DESCRIPTION
-The
-.Nm
-structure is designed to hold all per thread state.
All global -variables that are context specific are stored in this structure, -including default encryption types, credentials-cache (ticket file), and -default realms. -.Pp -The internals of the structure should never be accessed directly, -functions exist for extracting information. -.Sh SEE ALSO -.Xr krb5_init_context 3 , -.Xr kerberos 8 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_context.cat3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_context.cat3 deleted file mode 100644 index 0f8abc1b98..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5_context.cat3 +++ /dev/null @@ -1,19 +0,0 @@ - -KRB5_CONTEXT(3) UNIX Programmer's Manual KRB5_CONTEXT(3) - -NNAAMMEE - kkrrbb55__ccoonntteexxtt - krb5 state structure - -DDEESSCCRRIIPPTTIIOONN - The kkrrbb55__ccoonntteexxtt structure is designed to hold all per thread state. All - global variables that are context specific are stored in this structure, - including default encryption types, credentials-cache (ticket file), and - default realms. - - The internals of the structure should never be accessed directly, func- - tions exist for extracting information. - -SSEEEE AALLSSOO - krb5_init_context(3), kerberos(8) - - HEIMDAL January 21, 2001 1 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_create_checksum.3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_create_checksum.3 deleted file mode 100644 index 6704113bd7..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5_create_checksum.3 +++ /dev/null 
@@ -1,95 +0,0 @@
-.\" Copyright (c) 1999 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\" -.\" $Id: krb5_create_checksum.3,v 1.6 2003/04/16 13:58:14 lha Exp $ -.\" -.Dd April 7, 1999 -.Dt NAME 3 -.Os HEIMDAL -.Sh NAME -.Nm krb5_checksum_is_collision_proof , -.Nm krb5_checksum_is_keyed , -.Nm krb5_checksumsize , -.Nm krb5_create_checksum , -.Nm krb5_verify_checksum -.Nd creates and verifies checksums -.Sh LIBRARY -Kerberos 5 Library (libkrb5, -lkrb5) -.Sh SYNOPSIS -.In krb5.h -.Ft krb5_error_code -.Fn krb5_create_checksum "krb5_context context" "krb5_crypto crypto" "unsigned usage_or_type" "void *data" "size_t len" "Checksum *result" -.Ft krb5_error_code -.Fn krb5_verify_checksum "krb5_context context" "krb5_crypto crypto" "krb5_key_usage usage" "void *data" "size_t len" "Checksum *cksum" -.Ft krb5_boolean -.Fn krb5_checksum_is_collision_proof "krb5_context context" "krb5_cksumtype type" -.Ft krb5_boolean -.Fn krb5_checksum_is_keyed "krb5_context context" "krb5_cksumtype type" -.Sh DESCRIPTION -These functions are used to create and verify checksums. -.Fn krb5_create_checksum -creates a checksum of the specified data, and puts it in -.Fa result . -If -.Fa crypto -is -.Dv NULL , -.Fa usage_or_type -specifies the checksum type to use; it must not be keyed. Otherwise -.Fa crypto -is an encryption context created by -.Fn krb5_crypto_init , -and -.Fa usage_or_type -specifies a key-usage. -.Pp -.Fn krb5_verify_checksum -verifies the -.Fa checksum , -against the provided data. -.Pp -.Fn krb5_checksum_is_collision_proof -returns true is the specified checksum is collision proof (that it's -very unlikely that two strings has the same hash value, and that it's -hard to find two strings that has the same hash). Examples of -collision proof checksums are MD5, and SHA1, while CRC32 is not. -.Pp -.Fn krb5_checksum_is_keyed -returns true if the specified checksum type is keyed (that the hash -value is a function of both the data, and a separate key). Examples of -keyed hash algorithms are HMAC-SHA1-DES3, and RSA-MD5-DES. 
The -.Dq plain -hash functions MD5, and SHA1 are not keyed. -.\" .Sh EXAMPLE -.\" .Sh BUGS -.Sh SEE ALSO -.Xr krb5_crypto_init 3 , -.Xr krb5_encrypt 3 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_create_checksum.cat3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_create_checksum.cat3 deleted file mode 100644 index 9a0d1d9909..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5_create_checksum.cat3 +++ /dev/null 
@@ -1,52 +0,0 @@ - -NAME(3) UNIX Programmer's Manual NAME(3) - -NNAAMMEE - kkrrbb55__cchheecckkssuumm__iiss__ccoolllliissiioonn__pprrooooff, kkrrbb55__cchheecckkssuumm__iiss__kkeeyyeedd, - kkrrbb55__cchheecckkssuummssiizzee, kkrrbb55__ccrreeaattee__cchheecckkssuumm, kkrrbb55__vveerriiffyy__cchheecckkssuumm - creates - and verifies checksums - -LLIIBBRRAARRYY - Kerberos 5 Library (libkrb5, -lkrb5) - -SSYYNNOOPPSSIISS - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__ccrreeaattee__cchheecckkssuumm(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_r_y_p_t_o _c_r_y_p_t_o, - _u_n_s_i_g_n_e_d _u_s_a_g_e___o_r___t_y_p_e, _v_o_i_d _*_d_a_t_a, _s_i_z_e___t _l_e_n, _C_h_e_c_k_s_u_m _*_r_e_s_u_l_t) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__vveerriiffyy__cchheecckkssuumm(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_r_y_p_t_o _c_r_y_p_t_o, - _k_r_b_5___k_e_y___u_s_a_g_e _u_s_a_g_e, _v_o_i_d _*_d_a_t_a, _s_i_z_e___t _l_e_n, _C_h_e_c_k_s_u_m _*_c_k_s_u_m) - - _k_r_b_5___b_o_o_l_e_a_n - kkrrbb55__cchheecckkssuumm__iiss__ccoolllliissiioonn__pprrooooff(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, - _k_r_b_5___c_k_s_u_m_t_y_p_e _t_y_p_e) - - _k_r_b_5___b_o_o_l_e_a_n - kkrrbb55__cchheecckkssuumm__iiss__kkeeyyeedd(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_k_s_u_m_t_y_p_e _t_y_p_e) - -DDEESSCCRRIIPPTTIIOONN - These functions are used to create and verify checksums. - kkrrbb55__ccrreeaattee__cchheecckkssuumm() creates a checksum of the specified data, and puts - it in _r_e_s_u_l_t. If _c_r_y_p_t_o is NULL, _u_s_a_g_e___o_r___t_y_p_e specifies the checksum - type to use; it must not be keyed. Otherwise _c_r_y_p_t_o is an encryption con- - text created by kkrrbb55__ccrryyppttoo__iinniitt(), and _u_s_a_g_e___o_r___t_y_p_e specifies a key-us- - age. - - kkrrbb55__vveerriiffyy__cchheecckkssuumm() verifies the _c_h_e_c_k_s_u_m, against the provided data. 
- - kkrrbb55__cchheecckkssuumm__iiss__ccoolllliissiioonn__pprrooooff() returns true is the specified checksum - is collision proof (that it's very unlikely that two strings has the same - hash value, and that it's hard to find two strings that has the same - hash). Examples of collision proof checksums are MD5, and SHA1, while - CRC32 is not. - - kkrrbb55__cchheecckkssuumm__iiss__kkeeyyeedd() returns true if the specified checksum type is - keyed (that the hash value is a function of both the data, and a separate - key). Examples of keyed hash algorithms are HMAC-SHA1-DES3, and RSA- - MD5-DES. The ``plain'' hash functions MD5, and SHA1 are not keyed. - -SSEEEE AALLSSOO - krb5_crypto_init(3), krb5_encrypt(3) - - HEIMDAL April 7, 1999 1 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_crypto_init.3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_crypto_init.3 deleted file mode 100644 index 4b0284cbfe..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5_crypto_init.3 +++ /dev/null 
@@ -1,70 +0,0 @@
-.\" Copyright (c) 1999 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\" -.\" $Id: krb5_crypto_init.3,v 1.6 2003/04/16 13:58:15 lha Exp $ -.\" -.Dd April 7, 1999 -.Dt NAME 3 -.Os HEIMDAL -.Sh NAME -.Nm krb5_crypto_init , -.Nm krb5_crypto_destroy -.Nd initialize encryption context -.Sh LIBRARY -Kerberos 5 Library (libkrb5, -lkrb5) -.Sh SYNOPSIS -.In krb5.h -.Ft krb5_error_code -.Fn krb5_crypto_init "krb5_context context" "krb5_keyblock *key" "krb5_enctype enctype" "krb5_crypto *crypto" -.Ft krb5_error_code -.Fn krb5_crypto_destroy "krb5_context context" "krb5_crypto crypto" -.Sh DESCRIPTION -These functions are used to initialize an encryption context that can -be used to encrypt or checksum data. -.Pp -The -.Fn krb5_crypt_init -initializes the encrytion context -.Fa crypto . -The -.Fa key -parameter is the key to use for encryption, and checksums. The -encryption type to use is taken from the key, but can be overridden -with the -.Fa enctype parameter . -.Pp -.Fn krb5_crypto_destroy -frees a previously allocated encrypion context. -.\" .Sh EXAMPLE -.\" .Sh BUGS -.Sh SEE ALSO -.Xr krb5_create_checksum 3 , -.Xr krb5_encrypt 3 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_crypto_init.cat3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_crypto_init.cat3 deleted file mode 100644 index f59863aa02..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5_crypto_init.cat3 +++ /dev/null 
@@ -1,32 +0,0 @@ - -NAME(3) UNIX Programmer's Manual NAME(3) - -NNAAMMEE - kkrrbb55__ccrryyppttoo__iinniitt, kkrrbb55__ccrryyppttoo__ddeessttrrooyy - initialize encryption context - -LLIIBBRRAARRYY - Kerberos 5 Library (libkrb5, -lkrb5) - -SSYYNNOOPPSSIISS - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__ccrryyppttoo__iinniitt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___k_e_y_b_l_o_c_k _*_k_e_y, - _k_r_b_5___e_n_c_t_y_p_e _e_n_c_t_y_p_e, _k_r_b_5___c_r_y_p_t_o _*_c_r_y_p_t_o) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__ccrryyppttoo__ddeessttrrooyy(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_r_y_p_t_o _c_r_y_p_t_o) - -DDEESSCCRRIIPPTTIIOONN - These functions are used to initialize an encryption context that can be - used to encrypt or checksum data. - - The kkrrbb55__ccrryypptt__iinniitt() initializes the encrytion context _c_r_y_p_t_o. The _k_e_y - parameter is the key to use for encryption, and checksums. The encryption - type to use is taken from the key, but can be overridden with the _e_n_c_t_y_p_e - _p_a_r_a_m_e_t_e_r. - - kkrrbb55__ccrryyppttoo__ddeessttrrooyy() frees a previously allocated encrypion context. - -SSEEEE AALLSSOO - krb5_create_checksum(3), krb5_encrypt(3) - - HEIMDAL April 7, 1999 1 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_data.3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_data.3 deleted file mode 100644 index 355d934149..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5_data.3 +++ /dev/null 
@@ -1,149 +0,0 @@
-.\" Copyright (c) 2003 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\" -.\" $Id: krb5_data.3,v 1.4 2003/04/16 13:58:13 lha Exp $ -.\" -.Dd March 20, 2003 -.Dt KRB5_DATA 3 -.Os HEIMDAL -.Sh NAME -.Nm krb5_data -.Nm krb5_data_zero -.Nm krb5_data_free -.Nm krb5_free_data_contents -.Nm krb5_free_data -.Nm krb5_data_alloc -.Nm krb5_data_realloc -.Nm krb5_data_copy -.Nm krb5_copy_data -.Nd operates on the Kerberos datatype krb5_data. -.Sh LIBRARY -Kerberos 5 Library (libkrb5, -lkrb5) -.Sh SYNOPSIS -.In krb5.h -.Pp -.Li "struct krb5_data;" -.Ft void -.Fn krb5_data_zero "krb5_data *p" -.Ft void -.Fn krb5_data_free "krb5_data *p" -.Ft void -.Fn krb5_free_data_contents "krb5_context context" "krb5_data *p" -.Ft void -.Fn krb5_free_data "krb5_context context" "krb5_data *p" -.Ft krb5_error_code -.Fn krb5_data_alloc "krb5_data *p" "int len" -.Ft krb5_error_code -.Fn krb5_data_realloc "krb5_data *p" "int len" -.Ft krb5_error_code -.Fn krb5_data_copy "krb5_data *p" "const void *data" "size_t len" -.Ft krb5_error_code -.Fn krb5_copy_data "krb5_context context" "const krb5_data *indata" "krb5_data **outdata" -.Sh DESCRIPTION -The -.Li krb5_data -structure holds a data element. -The structure contains two public accessible elements -.Fa length -(the length of data) -and -.Fa data -(the data itself). -The structure must always be initiated and freed by the functions -documented in this manual. -.Pp -.Fn krb5_data_zero -resets the content of -.Fa p . -.Pp -.Fn krb5_data_free -free the data in -.Fa p . -.Pp -.Fn krb5_free_data_contents -works the same way as -.Fa krb5_data_free . -The diffrence is that krb5_free_data_contents is more portable (exists -in MIT api). -.Pp -.Fn krb5_free_data -frees the data in -.Fa p -and -.Fa p -itself . -.Pp -.Fn krb5_data_alloc -allocates -.Fa len -bytes in -.Fa p -Returns 0 or an error. -.Pp -.Fn krb5_data_realloc -reallocates the length of -.Fa p -to the length in -.Fa len . -Returns 0 or an error. -.Pp -.Fn krb5_data_copy -copies the -.Fa data -that have the length -.Fa len -into -.Fa p . 
-.Fa p -is not freed so the calling function should make sure the -.Fa p -doesn't contain anything needs to be freed. -Returns 0 or an error. -.Pp -.Fn krb5_copy_data -copies the -.Li krb5_data -in -.Fa indata -to -.Fa outdata . -.Fa outdata -is not freed so the calling function should make sure the -.Fa outdata -doesn't contain anything needs to be freed. -.Fa outdata -should be freed using -.Fn krb5_free_data . -Returns 0 or an error. -.Sh SEE ALSO -.Xr krb5 3 , -.Xr krb5_storage 3 , -.Xr kerberos 8 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_data.cat3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_data.cat3 deleted file mode 100644 index 70aa5e247a..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5_data.cat3 +++ /dev/null 
@@ -1,71 +0,0 @@ - -KRB5_DATA(3) UNIX Programmer's Manual KRB5_DATA(3) - -NNAAMMEE - kkrrbb55__ddaattaa kkrrbb55__ddaattaa__zzeerroo kkrrbb55__ddaattaa__ffrreeee kkrrbb55__ffrreeee__ddaattaa__ccoonntteennttss - kkrrbb55__ffrreeee__ddaattaa kkrrbb55__ddaattaa__aalllloocc kkrrbb55__ddaattaa__rreeaalllloocc kkrrbb55__ddaattaa__ccooppyy - kkrrbb55__ccooppyy__ddaattaa - operates on the Kerberos datatype krb5_data. - -LLIIBBRRAARRYY - Kerberos 5 Library (libkrb5, -lkrb5) - -SSYYNNOOPPSSIISS - struct krb5_data; _v_o_i_d - kkrrbb55__ddaattaa__zzeerroo(_k_r_b_5___d_a_t_a _*_p) - - _v_o_i_d - kkrrbb55__ddaattaa__ffrreeee(_k_r_b_5___d_a_t_a _*_p) - - _v_o_i_d - kkrrbb55__ffrreeee__ddaattaa__ccoonntteennttss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___d_a_t_a _*_p) - - _v_o_i_d - kkrrbb55__ffrreeee__ddaattaa(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___d_a_t_a _*_p) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__ddaattaa__aalllloocc(_k_r_b_5___d_a_t_a _*_p, _i_n_t _l_e_n) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__ddaattaa__rreeaalllloocc(_k_r_b_5___d_a_t_a _*_p, _i_n_t _l_e_n) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__ddaattaa__ccooppyy(_k_r_b_5___d_a_t_a _*_p, _c_o_n_s_t _v_o_i_d _*_d_a_t_a, _s_i_z_e___t _l_e_n) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__ccooppyy__ddaattaa(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___d_a_t_a _*_i_n_d_a_t_a, - _k_r_b_5___d_a_t_a _*_*_o_u_t_d_a_t_a) - -DDEESSCCRRIIPPTTIIOONN - The krb5_data structure holds a data element. The structure contains two - public accessible elements _l_e_n_g_t_h (the length of data) and _d_a_t_a (the data - itself). The structure must always be initiated and freed by the func- - tions documented in this manual. - - kkrrbb55__ddaattaa__zzeerroo() resets the content of _p. - - kkrrbb55__ddaattaa__ffrreeee() free the data in _p. - - kkrrbb55__ffrreeee__ddaattaa__ccoonntteennttss() works the same way as _k_r_b_5___d_a_t_a___f_r_e_e. 
The - diffrence is that krb5_free_data_contents is more portable (exists in MIT - api). - - kkrrbb55__ffrreeee__ddaattaa() frees the data in _p and _p itself . - - kkrrbb55__ddaattaa__aalllloocc() allocates _l_e_n bytes in _p Returns 0 or an error. - - kkrrbb55__ddaattaa__rreeaalllloocc() reallocates the length of _p to the length in _l_e_n. Re- - turns 0 or an error. - - kkrrbb55__ddaattaa__ccooppyy() copies the _d_a_t_a that have the length _l_e_n into _p. _p is - not freed so the calling function should make sure the _p doesn't contain - anything needs to be freed. Returns 0 or an error. - - kkrrbb55__ccooppyy__ddaattaa() copies the krb5_data in _i_n_d_a_t_a to _o_u_t_d_a_t_a. _o_u_t_d_a_t_a is - not freed so the calling function should make sure the _o_u_t_d_a_t_a doesn't - contain anything needs to be freed. _o_u_t_d_a_t_a should be freed using - kkrrbb55__ffrreeee__ddaattaa(). Returns 0 or an error. - -SSEEEE AALLSSOO - krb5(3), krb5_storage(3), kerberos(8) - - HEIMDAL March 20, 2003 2 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_encrypt.3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_encrypt.3 deleted file mode 100644 index 84140bffc0..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5_encrypt.3 +++ /dev/null 
@@ -1,87 +0,0 @@
-.\" Copyright (c) 1999 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\" -.\" $Id: krb5_encrypt.3,v 1.7 2003/04/16 13:58:15 lha Exp $ -.\" -.Dd April 7, 1999 -.Dt KRB5_ENCRYPT 3 -.Os HEIMDAL -.Sh NAME -.Nm krb5_decrypt , -.Nm krb5_decrypt_EncryptedData , -.Nm krb5_encrypt , -.Nm krb5_encrypt_EncryptedData -.Nd encrypt and decrypt data -.Sh LIBRARY -Kerberos 5 Library (libkrb5, -lkrb5) -.Sh SYNOPSIS -.In krb5.h -.Ft krb5_error_code -.Fn krb5_encrypt "krb5_context context" "krb5_crypto crypto" "unsigned usage" "void *data" "size_t len" "krb5_data *result" -.Ft krb5_error_code -.Fn krb5_encrypt_EncryptedData "krb5_context context" "krb5_crypto crypto" "unsigned usage" "void *data" "size_t len" "int kvno" "EncryptedData *result" -.Ft krb5_error_code -.Fn krb5_decrypt "krb5_context context" "krb5_crypto crypto" "unsigned usage" "void *data" "size_t len" "krb5_data *result" -.Ft krb5_error_code -.Fn krb5_decrypt_EncryptedData "krb5_context context" "krb5_crypto crypto" "unsigned usage" "EncryptedData *e" "krb5_data *result" -.Sh DESCRIPTION -These functions are used to encrypt and decrypt data. -.Pp -.Fn krb5_encrypt -puts the encrypted version of -.Fa data -(of size -.Fa len ) -in -.Fa result . -If the encryption type supports using derived keys, -.Fa usage -should be the appropriate key-usage. -.Fn krb5_encrypt_EncryptedData -does the same as -.Fn krb5_encrypt , -but it puts the encrypted data in a -.Fa EncryptedData -structure instead. If -.Fa kvno -is not zero, it will be put in the -.Fa kvno field in the -.Fa EncryptedData . -.Pp -.Fn krb5_decrypt , -and -.Fn krb5_decrypt_EncryptedData -works similarly. -.\" .Sh EXAMPLE -.\" .Sh BUGS -.Sh SEE ALSO -.Xr krb5_create_checksum 3 , -.Xr krb5_crypto_init 3 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_encrypt.cat3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_encrypt.cat3 deleted file mode 100644 index 0188acd39e..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5_encrypt.cat3 +++ /dev/null 
@@ -1,44 +0,0 @@ - -KRB5_ENCRYPT(3) UNIX Programmer's Manual KRB5_ENCRYPT(3) - -NNAAMMEE - kkrrbb55__ddeeccrryypptt, kkrrbb55__ddeeccrryypptt__EEnnccrryypptteeddDDaattaa, kkrrbb55__eennccrryypptt, - kkrrbb55__eennccrryypptt__EEnnccrryypptteeddDDaattaa - encrypt and decrypt data - -LLIIBBRRAARRYY - Kerberos 5 Library (libkrb5, -lkrb5) - -SSYYNNOOPPSSIISS - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__eennccrryypptt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_r_y_p_t_o _c_r_y_p_t_o, _u_n_s_i_g_n_e_d _u_s_a_g_e, - _v_o_i_d _*_d_a_t_a, _s_i_z_e___t _l_e_n, _k_r_b_5___d_a_t_a _*_r_e_s_u_l_t) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__eennccrryypptt__EEnnccrryypptteeddDDaattaa(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_r_y_p_t_o _c_r_y_p_t_o, - _u_n_s_i_g_n_e_d _u_s_a_g_e, _v_o_i_d _*_d_a_t_a, _s_i_z_e___t _l_e_n, _i_n_t _k_v_n_o, - _E_n_c_r_y_p_t_e_d_D_a_t_a _*_r_e_s_u_l_t) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__ddeeccrryypptt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_r_y_p_t_o _c_r_y_p_t_o, _u_n_s_i_g_n_e_d _u_s_a_g_e, - _v_o_i_d _*_d_a_t_a, _s_i_z_e___t _l_e_n, _k_r_b_5___d_a_t_a _*_r_e_s_u_l_t) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__ddeeccrryypptt__EEnnccrryypptteeddDDaattaa(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_r_y_p_t_o _c_r_y_p_t_o, - _u_n_s_i_g_n_e_d _u_s_a_g_e, _E_n_c_r_y_p_t_e_d_D_a_t_a _*_e, _k_r_b_5___d_a_t_a _*_r_e_s_u_l_t) - -DDEESSCCRRIIPPTTIIOONN - These functions are used to encrypt and decrypt data. - - kkrrbb55__eennccrryypptt() puts the encrypted version of _d_a_t_a (of size _l_e_n) in - _r_e_s_u_l_t. If the encryption type supports using derived keys, _u_s_a_g_e should - be the appropriate key-usage. kkrrbb55__eennccrryypptt__EEnnccrryypptteeddDDaattaa() does the same - as kkrrbb55__eennccrryypptt(), but it puts the encrypted data in a _E_n_c_r_y_p_t_e_d_D_a_t_a - structure instead. 
If _k_v_n_o is not zero, it will be put in the _k_v_n_o _f_i_e_l_d - _i_n _t_h_e _E_n_c_r_y_p_t_e_d_D_a_t_a. - - kkrrbb55__ddeeccrryypptt(), and kkrrbb55__ddeeccrryypptt__EEnnccrryypptteeddDDaattaa() works similarly. - -SSEEEE AALLSSOO - krb5_create_checksum(3), krb5_crypto_init(3) - - HEIMDAL April 7, 1999 1 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_err.et b/crypto/heimdal-0.6.3/lib/krb5/krb5_err.et deleted file mode 100644 index 34279239ea..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5_err.et +++ /dev/null 
@@ -1,235 +0,0 @@ -# -# Error messages for the krb5 library -# -# This might look like a com_err file, but is not -# -id "$Id: krb5_err.et,v 1.9 2000/04/06 00:41:37 assar Exp $" - -error_table krb5 - -prefix KRB5KDC_ERR -error_code NONE, "No error" -error_code NAME_EXP, "Client's entry in database has expired" -error_code SERVICE_EXP, "Server's entry in database has expired" -error_code BAD_PVNO, "Requested protocol version not supported" -error_code C_OLD_MAST_KVNO, "Client's key is encrypted in an old master key" -error_code S_OLD_MAST_KVNO, "Server's key is encrypted in an old master key" -error_code C_PRINCIPAL_UNKNOWN, "Client not found in Kerberos database" -error_code S_PRINCIPAL_UNKNOWN, "Server not found in Kerberos database" -error_code PRINCIPAL_NOT_UNIQUE,"Principal has multiple entries in Kerberos database" -error_code NULL_KEY, "Client or server has a null key" -error_code CANNOT_POSTDATE, "Ticket is ineligible for postdating" -error_code NEVER_VALID, "Requested effective lifetime is negative or too short" -error_code POLICY, "KDC policy rejects request" -error_code BADOPTION, "KDC can't fulfill requested option" -error_code ETYPE_NOSUPP, "KDC has no support for encryption type" -error_code SUMTYPE_NOSUPP, "KDC has no support for checksum type" -error_code PADATA_TYPE_NOSUPP, "KDC has no support for padata type" -error_code TRTYPE_NOSUPP, "KDC has no support for transited type" -error_code CLIENT_REVOKED, "Clients credentials have been revoked" -error_code SERVICE_REVOKED, "Credentials for server have been revoked" -error_code TGT_REVOKED, "TGT has been revoked" -error_code CLIENT_NOTYET, "Client not yet valid - try again later" -error_code SERVICE_NOTYET, "Server not yet valid - try again later" -error_code KEY_EXPIRED, "Password has expired" -error_code PREAUTH_FAILED, "Preauthentication failed" -error_code PREAUTH_REQUIRED, "Additional pre-authentication required" -error_code SERVER_NOMATCH, "Requested server and ticket don't match" - -# 27-30 are 
reserved -index 31 -prefix KRB5KRB_AP -error_code ERR_BAD_INTEGRITY, "Decrypt integrity check failed" -error_code ERR_TKT_EXPIRED, "Ticket expired" -error_code ERR_TKT_NYV, "Ticket not yet valid" -error_code ERR_REPEAT, "Request is a replay" -error_code ERR_NOT_US, "The ticket isn't for us" -error_code ERR_BADMATCH, "Ticket/authenticator don't match" -error_code ERR_SKEW, "Clock skew too great" -error_code ERR_BADADDR, "Incorrect net address" -error_code ERR_BADVERSION, "Protocol version mismatch" -error_code ERR_MSG_TYPE, "Invalid message type" -error_code ERR_MODIFIED, "Message stream modified" -error_code ERR_BADORDER, "Message out of order" -error_code ERR_ILL_CR_TKT, "Invalid cross-realm ticket" -error_code ERR_BADKEYVER, "Key version is not available" -error_code ERR_NOKEY, "Service key not available" -error_code ERR_MUT_FAIL, "Mutual authentication failed" -error_code ERR_BADDIRECTION, "Incorrect message direction" -error_code ERR_METHOD, "Alternative authentication method required" -error_code ERR_BADSEQ, "Incorrect sequence number in message" -error_code ERR_INAPP_CKSUM, "Inappropriate type of checksum in message" -error_code PATH_NOT_ACCEPTED, "Policy rejects transited path" - -prefix KRB5KRB_ERR -error_code RESPONSE_TOO_BIG, "Response too big for UDP, retry with TCP" -# 53-59 are reserved -index 60 -error_code GENERIC, "Generic error (see e-text)" -error_code FIELD_TOOLONG, "Field is too long for this implementation" - -# pkinit -index 62 -prefix KDC_ERROR -error_code CLIENT_NOT_TRUSTED, "Client not trusted" -error_code KDC_NOT_TRUSTED, "KDC not trusted" -error_code INVALID_SIG, "Invalid signature" -error_code KEY_TOO_WEAK, "Key too weak" -error_code CERTIFICATE_MISMATCH, "Certificate mismatch" -prefix KRB5_AP_ERR -error_code USER_TO_USER_REQUIRED, "User to user required" -prefix KDC_ERROR -error_code CANT_VERIFY_CERTIFICATE, "Cannot verify certificate" -error_code INVALID_CERTIFICATE, "Invalid certificate" -error_code REVOKED_CERTIFICATE, "Revoked 
certificate" -error_code REVOCATION_STATUS_UNKNOWN, "Revocation status unknown" -error_code REVOCATION_STATUS_UNAVAILABLE,"Revocation status unavailable" -error_code CLIENT_NAME_MISMATCH, "Client name mismatch" -error_code KDC_NAME_MISMATCH, "KDC name mismatch" - -# 77-127 are reserved - -index 128 -prefix -error_code KRB5_ERR_RCSID, "$Id: krb5_err.et,v 1.9 2000/04/06 00:41:37 assar Exp $" - -error_code KRB5_LIBOS_BADLOCKFLAG, "Invalid flag for file lock mode" -error_code KRB5_LIBOS_CANTREADPWD, "Cannot read password" -error_code KRB5_LIBOS_BADPWDMATCH, "Password mismatch" -error_code KRB5_LIBOS_PWDINTR, "Password read interrupted" - -error_code KRB5_PARSE_ILLCHAR, "Invalid character in component name" -error_code KRB5_PARSE_MALFORMED, "Malformed representation of principal" - -error_code KRB5_CONFIG_CANTOPEN, "Can't open/find configuration file" -error_code KRB5_CONFIG_BADFORMAT, "Improper format of configuration file" -error_code KRB5_CONFIG_NOTENUFSPACE, "Insufficient space to return complete information" - -error_code KRB5_BADMSGTYPE, "Invalid message type specified for encoding" - -error_code KRB5_CC_BADNAME, "Credential cache name malformed" -error_code KRB5_CC_UNKNOWN_TYPE, "Unknown credential cache type" -error_code KRB5_CC_NOTFOUND, "Matching credential not found" -error_code KRB5_CC_END, "End of credential cache reached" - -error_code KRB5_NO_TKT_SUPPLIED, "Request did not supply a ticket" - -error_code KRB5KRB_AP_WRONG_PRINC, "Wrong principal in request" -error_code KRB5KRB_AP_ERR_TKT_INVALID, "Ticket has invalid flag set" - -error_code KRB5_PRINC_NOMATCH, "Requested principal and ticket don't match" -error_code KRB5_KDCREP_MODIFIED, "KDC reply did not match expectations" -error_code KRB5_KDCREP_SKEW, "Clock skew too great in KDC reply" -error_code KRB5_IN_TKT_REALM_MISMATCH, "Client/server realm mismatch in initial ticket request" - -error_code KRB5_PROG_ETYPE_NOSUPP, "Program lacks support for encryption type" -error_code KRB5_PROG_KEYTYPE_NOSUPP, 
"Program lacks support for key type" -error_code KRB5_WRONG_ETYPE, "Requested encryption type not used in message" -error_code KRB5_PROG_SUMTYPE_NOSUPP, "Program lacks support for checksum type" - -error_code KRB5_REALM_UNKNOWN, "Cannot find KDC for requested realm" -error_code KRB5_SERVICE_UNKNOWN, "Kerberos service unknown" -error_code KRB5_KDC_UNREACH, "Cannot contact any KDC for requested realm" -error_code KRB5_NO_LOCALNAME, "No local name found for principal name" - -error_code KRB5_MUTUAL_FAILED, "Mutual authentication failed" - -# some of these should be combined/supplanted by system codes - -error_code KRB5_RC_TYPE_EXISTS, "Replay cache type is already registered" -error_code KRB5_RC_MALLOC, "No more memory to allocate (in replay cache code)" -error_code KRB5_RC_TYPE_NOTFOUND, "Replay cache type is unknown" -error_code KRB5_RC_UNKNOWN, "Generic unknown RC error" -error_code KRB5_RC_REPLAY, "Message is a replay" -error_code KRB5_RC_IO, "Replay I/O operation failed XXX" -error_code KRB5_RC_NOIO, "Replay cache type does not support non-volatile storage" -error_code KRB5_RC_PARSE, "Replay cache name parse/format error" - -error_code KRB5_RC_IO_EOF, "End-of-file on replay cache I/O" -error_code KRB5_RC_IO_MALLOC, "No more memory to allocate (in replay cache I/O code)" -error_code KRB5_RC_IO_PERM, "Permission denied in replay cache code" -error_code KRB5_RC_IO_IO, "I/O error in replay cache i/o code" -error_code KRB5_RC_IO_UNKNOWN, "Generic unknown RC/IO error" -error_code KRB5_RC_IO_SPACE, "Insufficient system space to store replay information" - -error_code KRB5_TRANS_CANTOPEN, "Can't open/find realm translation file" -error_code KRB5_TRANS_BADFORMAT, "Improper format of realm translation file" - -error_code KRB5_LNAME_CANTOPEN, "Can't open/find lname translation database" -error_code KRB5_LNAME_NOTRANS, "No translation available for requested principal" -error_code KRB5_LNAME_BADFORMAT, "Improper format of translation database entry" - -error_code 
KRB5_CRYPTO_INTERNAL, "Cryptosystem internal error" - -error_code KRB5_KT_BADNAME, "Key table name malformed" -error_code KRB5_KT_UNKNOWN_TYPE, "Unknown Key table type" -error_code KRB5_KT_NOTFOUND, "Key table entry not found" -error_code KRB5_KT_END, "End of key table reached" -error_code KRB5_KT_NOWRITE, "Cannot write to specified key table" -error_code KRB5_KT_IOERR, "Error writing to key table" - -error_code KRB5_NO_TKT_IN_RLM, "Cannot find ticket for requested realm" -error_code KRB5DES_BAD_KEYPAR, "DES key has bad parity" -error_code KRB5DES_WEAK_KEY, "DES key is a weak key" - -error_code KRB5_BAD_ENCTYPE, "Bad encryption type" -error_code KRB5_BAD_KEYSIZE, "Key size is incompatible with encryption type" -error_code KRB5_BAD_MSIZE, "Message size is incompatible with encryption type" - -error_code KRB5_CC_TYPE_EXISTS, "Credentials cache type is already registered." -error_code KRB5_KT_TYPE_EXISTS, "Key table type is already registered." - -error_code KRB5_CC_IO, "Credentials cache I/O operation failed XXX" -error_code KRB5_FCC_PERM, "Credentials cache file permissions incorrect" -error_code KRB5_FCC_NOFILE, "No credentials cache file found" -error_code KRB5_FCC_INTERNAL, "Internal file credentials cache error" -error_code KRB5_CC_WRITE, "Error writing to credentials cache file" -error_code KRB5_CC_NOMEM, "No more memory to allocate (in credentials cache code)" -error_code KRB5_CC_FORMAT, "Bad format in credentials cache" - -# errors for dual tgt library calls -error_code KRB5_INVALID_FLAGS, "Invalid KDC option combination (library internal error)" -error_code KRB5_NO_2ND_TKT, "Request missing second ticket" - -error_code KRB5_NOCREDS_SUPPLIED, "No credentials supplied to library routine" - -# errors for sendauth (and recvauth) - -error_code KRB5_SENDAUTH_BADAUTHVERS, "Bad sendauth version was sent" -error_code KRB5_SENDAUTH_BADAPPLVERS, "Bad application version was sent (via sendauth)" -error_code KRB5_SENDAUTH_BADRESPONSE, "Bad response (during sendauth 
exchange)" -error_code KRB5_SENDAUTH_REJECTED, "Server rejected authentication (during sendauth exchange)" - -# errors for preauthentication - -error_code KRB5_PREAUTH_BAD_TYPE, "Unsupported preauthentication type" -error_code KRB5_PREAUTH_NO_KEY, "Required preauthentication key not supplied" -error_code KRB5_PREAUTH_FAILED, "Generic preauthentication failure" - -# version number errors - -error_code KRB5_RCACHE_BADVNO, "Unsupported replay cache format version number" -error_code KRB5_CCACHE_BADVNO, "Unsupported credentials cache format version number" -error_code KRB5_KEYTAB_BADVNO, "Unsupported key table format version number" - -# -# - -error_code KRB5_PROG_ATYPE_NOSUPP, "Program lacks support for address type" -error_code KRB5_RC_REQUIRED, "Message replay detection requires rcache parameter" -error_code KRB5_ERR_BAD_HOSTNAME, "Hostname cannot be canonicalized" -error_code KRB5_ERR_HOST_REALM_UNKNOWN, "Cannot determine realm for host" -error_code KRB5_SNAME_UNSUPP_NAMETYPE, "Conversion to service principal undefined for name type" - -error_code KRB5KRB_AP_ERR_V4_REPLY, "Initial Ticket response appears to be Version 4" -error_code KRB5_REALM_CANT_RESOLVE, "Cannot resolve KDC for requested realm" -error_code KRB5_TKT_NOT_FORWARDABLE, "Requesting ticket can't get forwardable tickets" -error_code KRB5_FWD_BAD_PRINCIPAL, "Bad principal name while trying to forward credentials" - -error_code KRB5_GET_IN_TKT_LOOP, "Looping detected inside krb5_get_in_tkt" -error_code KRB5_CONFIG_NODEFREALM, "Configuration file does not specify default realm" - -error_code KRB5_SAM_UNSUPPORTED, "Bad SAM flags in obtain_sam_padata" -error_code KRB5_KT_NAME_TOOLONG, "Keytab name too long" - -end diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_free_addresses.3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_free_addresses.3 deleted file mode 100644 index 6ac46d44f3..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5_free_addresses.3 +++ /dev/null 
@@ -1,53 +0,0 @@
-.\" Copyright (c) 2001 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\" -.\" $Id: krb5_free_addresses.3,v 1.5 2003/04/16 13:58:15 lha Exp $ -.\" -.Dd November 20, 2001 -.Dt KRB5_FREE_ADDRESSES 3 -.Os HEIMDAL -.Sh NAME -.Nm krb5_free_addresses -.Nd free list of addresses -.Sh LIBRARY -Kerberos 5 Library (libkrb5, -lkrb5) -.Sh SYNOPSIS -.In krb5.h -.Ft void -.Fn krb5_free_addresses "krb5_context context" "krb5_addresses *addresses" -.Sh DESCRIPTION -The -.Fn krb5_free_addresses -will free a list of addresses that has been created with -.Fn krb5_get_all_client_addrs -or with some other function. -.Sh SEE ALSO -.Xr krb5_get_all_client_addrs 3 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_free_addresses.cat3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_free_addresses.cat3 deleted file mode 100644 index 4bf75c35f4..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5_free_addresses.cat3 +++ /dev/null @@ -1,21 +0,0 @@ - -KRB5_FREE_ADDRESSES(3) UNIX Programmer's Manual KRB5_FREE_ADDRESSES(3) - -NNAAMMEE - kkrrbb55__ffrreeee__aaddddrreesssseess - free list of addresses - -LLIIBBRRAARRYY - Kerberos 5 Library (libkrb5, -lkrb5) - -SSYYNNOOPPSSIISS - _v_o_i_d - kkrrbb55__ffrreeee__aaddddrreesssseess(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___a_d_d_r_e_s_s_e_s _*_a_d_d_r_e_s_s_e_s) - -DDEESSCCRRIIPPTTIIOONN - The kkrrbb55__ffrreeee__aaddddrreesssseess() will free a list of addresses that has been - created with kkrrbb55__ggeett__aallll__cclliieenntt__aaddddrrss() or with some other function. - -SSEEEE AALLSSOO - krb5_get_all_client_addrs(3) - - HEIMDAL November 20, 2001 1 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_free_principal.3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_free_principal.3 deleted file mode 100644 index e9900a7981..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5_free_principal.3 +++ /dev/null 
@@ -1,58 +0,0 @@
-.\" Copyright (c) 1997, 2001 - 2002 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\" -.\" Copyright (c) 1997 Kungliga Tekniska Högskolan -.\" $Id: krb5_free_principal.3,v 1.7 2003/04/16 13:58:11 lha Exp $ -.Dd August 8, 1997 -.Dt KRB5_FREE_PRINCIPAL 3 -.Os HEIMDAL -.Sh NAME -.Nm krb5_free_principal -.Nd principal free function -.Sh LIBRARY -Kerberos 5 Library (libkrb5, -lkrb5) -.Sh SYNOPSIS -.In krb5.h -.Ft void -.Fn krb5_free_principal "krb5_context context" "krb5_principal principal" -.Sh DESCRIPTION -The -.Fn krb5_free_principal -will free a principal that has been created with -.Fn krb5_build_principal , -.Fn krb5_parse_name , -or with some other function. -.Sh SEE ALSO -.Xr krb5_425_conv_principal 3 , -.Xr krb5_build_principal 3 , -.Xr krb5_parse_name 3 , -.Xr krb5_sname_to_principal 3 , -.Xr krb5_unparse_name 3 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_free_principal.cat3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_free_principal.cat3 deleted file mode 100644 index 91aa5319cc..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5_free_principal.cat3 +++ /dev/null @@ -1,23 +0,0 @@ - -KRB5_FREE_PRINCIPAL(3) UNIX Programmer's Manual KRB5_FREE_PRINCIPAL(3) - -NNAAMMEE - kkrrbb55__ffrreeee__pprriinncciippaall - principal free function - -LLIIBBRRAARRYY - Kerberos 5 Library (libkrb5, -lkrb5) - -SSYYNNOOPPSSIISS - _v_o_i_d - kkrrbb55__ffrreeee__pprriinncciippaall(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l) - -DDEESSCCRRIIPPTTIIOONN - The kkrrbb55__ffrreeee__pprriinncciippaall() will free a principal that has been created - with kkrrbb55__bbuuiilldd__pprriinncciippaall(), kkrrbb55__ppaarrssee__nnaammee(), or with some other func- - tion. - -SSEEEE AALLSSOO - krb5_425_conv_principal(3), krb5_build_principal(3), - krb5_parse_name(3), krb5_sname_to_principal(3), krb5_unparse_name(3) - - HEIMDAL August 8, 1997 1 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_get_all_client_addrs.3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_get_all_client_addrs.3 deleted file mode 100644 index 0aef63e318..0000000000 
--- a/crypto/heimdal-0.6.3/lib/krb5/krb5_get_all_client_addrs.3
+++ /dev/null
@@ -1,73 +0,0 @@
-.\" Copyright (c) 2001 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\" -.\" $Id: krb5_get_all_client_addrs.3,v 1.6 2003/04/16 13:58:16 lha Exp $ -.\" -.Dd July 1, 2001 -.Dt KRB5_GET_ADDRS 3 -.Sh NAME -.Nm krb5_get_all_client_addrs , -.Nm krb5_get_all_server_addrs -.Nd return local addresses -.Sh LIBRARY -Kerberos 5 Library (libkrb5, -lkrb5) -.Sh SYNOPSIS -.In krb5.h -.Ft "krb5_error_code" -.Fn krb5_get_all_client_addrs "krb5_context context" "krb5_addresses *addrs" -.Ft "krb5_error_code" -.Fn krb5_get_all_server_addrs "krb5_context context" "krb5_addresses *addrs" -.Sh DESCRIPTION -These functions return in -.Fa addrs -a list of addresses associated with the local -host. -.Pp -The server variant returns all configured interface addresses (if -possible), including loop-back addresses. This is useful if you want -to create sockets to listen to. -.Pp -The client version will also scan local interfaces (can be turned off -by setting -.Li libdefaults/scan_interfaces -to false in -.Pa krb5.conf ) , -but will not include loop-back addresses, unless there are no other -addresses found. It will remove all addresses included in -.Li libdefaults/ignore_addresses -but will unconditionally include addresses in -.Li libdefaults/extra_addresses . -.Pp -The returned addresses should be freed by calling -.Fn krb5_free_addresses . -.\".Sh EXAMPLE -.Sh SEE ALSO -.Xr krb5_free_addresses 3 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_get_all_client_addrs.cat3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_get_all_client_addrs.cat3 deleted file mode 100644 index 4093b1a986..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5_get_all_client_addrs.cat3 +++ /dev/null 
@@ -1,37 +0,0 @@ - -KRB5_GET_ADDRS(3) UNIX Programmer's Manual KRB5_GET_ADDRS(3) - -NNAAMMEE - kkrrbb55__ggeett__aallll__cclliieenntt__aaddddrrss, kkrrbb55__ggeett__aallll__sseerrvveerr__aaddddrrss - return local ad- - dresses - -LLIIBBRRAARRYY - Kerberos 5 Library (libkrb5, -lkrb5) - -SSYYNNOOPPSSIISS - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__ggeett__aallll__cclliieenntt__aaddddrrss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___a_d_d_r_e_s_s_e_s _*_a_d_d_r_s) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__ggeett__aallll__sseerrvveerr__aaddddrrss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___a_d_d_r_e_s_s_e_s _*_a_d_d_r_s) - -DDEESSCCRRIIPPTTIIOONN - These functions return in _a_d_d_r_s a list of addresses associated with the - local host. - - The server variant returns all configured interface addresses (if possi- - ble), including loop-back addresses. This is useful if you want to create - sockets to listen to. - - The client version will also scan local interfaces (can be turned off by - setting libdefaults/scan_interfaces to false in _k_r_b_5_._c_o_n_f), but will not - include loop-back addresses, unless there are no other addresses found. - It will remove all addresses included in libdefaults/ignore_addresses but - will unconditionally include addresses in libdefaults/extra_addresses. - - The returned addresses should be freed by calling kkrrbb55__ffrreeee__aaddddrreesssseess(). - -SSEEEE AALLSSOO - krb5_free_addresses(3) - - July 1, 2001 1 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_get_krbhst.3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_get_krbhst.3 deleted file mode 100644 index 76ad20bc6e..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5_get_krbhst.3 +++ /dev/null 
@@ -1,86 +0,0 @@
-.\" Copyright (c) 2001 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\" -.\" $Id: krb5_get_krbhst.3,v 1.6 2003/04/16 13:58:16 lha Exp $ -.\" -.Dd June 17, 2001 -.Dt KRB5_GET_KRBHST 3 -.Os HEIMDAL -.Sh NAME -.Nm krb5_get_krbhst -.Nm krb5_get_krb_admin_hst -.Nm krb5_get_krb_changepw_hst -.Nm krb5_get_krb524hst -.Nm krb5_free_krbhst -.Nd lookup Kerberos KDC hosts -.Sh LIBRARY -Kerberos 5 Library (libkrb5, -lkrb5) -.Sh SYNOPSIS -.In krb5.h -.Ft krb5_error_code -.Fn krb5_get_krbhst "krb5_context context" "const krb5_realm *realm" "char ***hostlist" -.Ft krb5_error_code -.Fn krb5_get_krb_admin_hst "krb5_context context" "const krb5_realm *realm" "char ***hostlist" -.Ft krb5_error_code -.Fn krb5_get_krb_changepw_hst "krb5_context context" "const krb5_realm *realm" "char ***hostlist" -.Ft krb5_error_code -.Fn krb5_get_krb524hst "krb5_context context" "const krb5_realm *realm" "char ***hostlist" -.Ft krb5_error_code -.Fn krb5_free_krbhst "krb5_context context" "char **hostlist" -.Sh DESCRIPTION -These functions implement the old API to get a list of Kerberos hosts, -and are thus similar to the -.Fn krb5_krbhst_init -functions. However, since these functions returns -.Em all -hosts in one go, they potentially have to do more lookups than -necessary. These functions remain for compatibility reasons. -.Pp -After a call to one of these functions, -.Fa hostlist -is a -.Dv NULL -terminated list of strings, pointing to the requested Kerberos hosts. These should be freed with -.Fn krb5_free_krbhst -when done with. -.Sh EXAMPLE -The following code will print the KDCs of the realm -.Dq MY.REALM . -.Bd -literal -offset indent -char **hosts, **p; -krb5_get_krbhst(context, "MY.REALM", &hosts); -for(p = hosts; *p; p++) - printf("%s\\n", *p); -krb5_free_krbhst(context, hosts); -.Ed -.\" .Sh BUGS -.Sh SEE ALSO -.Xr krb5_krbhst_init 3 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_get_krbhst.cat3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_get_krbhst.cat3 deleted file mode 100644 index 493b55284f..0000000000 
--- a/crypto/heimdal-0.6.3/lib/krb5/krb5_get_krbhst.cat3
+++ /dev/null
@@ -1,54 +0,0 @@ - -KRB5_GET_KRBHST(3) UNIX Programmer's Manual KRB5_GET_KRBHST(3) - -NNAAMMEE - kkrrbb55__ggeett__kkrrbbhhsstt kkrrbb55__ggeett__kkrrbb__aaddmmiinn__hhsstt kkrrbb55__ggeett__kkrrbb__cchhaannggeeppww__hhsstt - kkrrbb55__ggeett__kkrrbb552244hhsstt kkrrbb55__ffrreeee__kkrrbbhhsstt - lookup Kerberos KDC hosts - -LLIIBBRRAARRYY - Kerberos 5 Library (libkrb5, -lkrb5) - -SSYYNNOOPPSSIISS - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__ggeett__kkrrbbhhsstt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___r_e_a_l_m _*_r_e_a_l_m, - _c_h_a_r _*_*_*_h_o_s_t_l_i_s_t) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__ggeett__kkrrbb__aaddmmiinn__hhsstt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___r_e_a_l_m _*_r_e_a_l_m, - _c_h_a_r _*_*_*_h_o_s_t_l_i_s_t) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__ggeett__kkrrbb__cchhaannggeeppww__hhsstt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___r_e_a_l_m _*_r_e_a_l_m, - _c_h_a_r _*_*_*_h_o_s_t_l_i_s_t) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__ggeett__kkrrbb552244hhsstt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___r_e_a_l_m _*_r_e_a_l_m, - _c_h_a_r _*_*_*_h_o_s_t_l_i_s_t) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__ffrreeee__kkrrbbhhsstt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_h_a_r _*_*_h_o_s_t_l_i_s_t) - -DDEESSCCRRIIPPTTIIOONN - These functions implement the old API to get a list of Kerberos hosts, - and are thus similar to the kkrrbb55__kkrrbbhhsstt__iinniitt() functions. However, since - these functions returns _a_l_l hosts in one go, they potentially have to do - more lookups than necessary. These functions remain for compatibility - reasons. - - After a call to one of these functions, _h_o_s_t_l_i_s_t is a NULL terminated - list of strings, pointing to the requested Kerberos hosts. These should - be freed with kkrrbb55__ffrreeee__kkrrbbhhsstt() when done with. 
- -EEXXAAMMPPLLEE - The following code will print the KDCs of the realm ``MY.REALM''. - - char **hosts, **p; - krb5_get_krbhst(context, "MY.REALM", &hosts); - for(p = hosts; *p; p++) - printf("%s\n", *p); - krb5_free_krbhst(context, hosts); - -SSEEEE AALLSSOO - krb5_krbhst_init(3) - - HEIMDAL June 17, 2001 1 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_init_context.3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_init_context.3 deleted file mode 100644 index 76213fb13e..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5_init_context.3 +++ /dev/null 
@@ -1,72 +0,0 @@
-.\" Copyright (c) 2001 - 2002 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\" -.\" $Id: krb5_init_context.3,v 1.9 2003/04/16 13:58:11 lha Exp $ -.\" -.Dd January 21, 2001 -.Dt KRB5_CONTEXT 3 -.Os HEIMDAL -.Sh NAME -.Nm krb5_init_context , -.Nm krb5_free_context -.Nd create and delete krb5_context structures -.Sh LIBRARY -Kerberos 5 Library (libkrb5, -lkrb5) -.Sh SYNOPSIS -.In krb5.h -.Ft krb5_error_code -.Fn krb5_init_context "krb5_context *context" -.Ft void -.Fn krb5_free_context "krb5_context context" -.Sh DESCRIPTION -The -.Fn krb5_init_context -function initializes the -.Fa context -structure and reads the configuration file -.Pa /etc/krb5.conf . -.Pp -The structure should be freed by calling -.Fn krb5_free_context -when it is no longer being used. -.Sh RETURN VALUES -.Fn krb5_init_context -returns 0 to indicate success. -Otherwise an errno code is returned. -Failure means either that something bad happened during initialization -(typically -.Bq ENOMEM ) -or that Kerberos should not be used -.Bq ENXIO . -.Sh SEE ALSO -.Xr errno 2 , -.Xr krb5_context 3 , -.Xr kerberos 8 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_init_context.cat3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_init_context.cat3 deleted file mode 100644 index 4d47bafd5f..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5_init_context.cat3 +++ /dev/null 
@@ -1,34 +0,0 @@ - -KRB5_CONTEXT(3) UNIX Programmer's Manual KRB5_CONTEXT(3) - -NNAAMMEE - kkrrbb55__iinniitt__ccoonntteexxtt, kkrrbb55__ffrreeee__ccoonntteexxtt - create and delete krb5_context - structures - -LLIIBBRRAARRYY - Kerberos 5 Library (libkrb5, -lkrb5) - -SSYYNNOOPPSSIISS - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__iinniitt__ccoonntteexxtt(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t) - - _v_o_i_d - kkrrbb55__ffrreeee__ccoonntteexxtt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t) - -DDEESSCCRRIIPPTTIIOONN - The kkrrbb55__iinniitt__ccoonntteexxtt() function initializes the _c_o_n_t_e_x_t structure and - reads the configuration file _/_e_t_c_/_k_r_b_5_._c_o_n_f. - - The structure should be freed by calling kkrrbb55__ffrreeee__ccoonntteexxtt() when it is - no longer being used. - -RREETTUURRNN VVAALLUUEESS - kkrrbb55__iinniitt__ccoonntteexxtt() returns 0 to indicate success. Otherwise an errno - code is returned. Failure means either that something bad happened dur- - ing initialization (typically [ENOMEM]) or that Kerberos should not be - used [ENXIO]. - -SSEEEE AALLSSOO - errno(2), krb5_context(3), kerberos(8) - - HEIMDAL January 21, 2001 1 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_keytab.3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_keytab.3 deleted file mode 100644 index 164eb49992..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5_keytab.3 +++ /dev/null 
@@ -1,411 +0,0 @@
-.\" Copyright (c) 2001 - 2003 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: krb5_keytab.3,v 1.9 2003/04/16 13:58:16 lha Exp $
-.\"
-.Dd February 5, 2001
-.Dt KRB5_KEYTAB 3
-.Os HEIMDAL
-.Sh NAME
-.Nm krb5_kt_ops ,
-.Nm krb5_keytab_entry ,
-.Nm krb5_kt_cursor ,
-.Nm krb5_kt_add_entry ,
-.Nm krb5_kt_close ,
-.Nm krb5_kt_compare ,
-.Nm krb5_kt_copy_entry_contents ,
-.Nm krb5_kt_default ,
-.Nm krb5_kt_default_name ,
-.Nm krb5_kt_end_seq_get ,
-.Nm krb5_kt_free_entry ,
-.Nm krb5_kt_get_entry ,
-.Nm krb5_kt_get_name ,
-.Nm krb5_kt_get_type ,
-.Nm krb5_kt_next_entry ,
-.Nm krb5_kt_read_service_key ,
-.Nm krb5_kt_register ,
-.Nm krb5_kt_remove_entry ,
-.Nm krb5_kt_resolve ,
-.Nm krb5_kt_start_seq_get
-.Nd manage keytab (key storage) files
-.Sh LIBRARY
-Kerberos 5 Library (libkrb5, -lkrb5)
-.Sh SYNOPSIS
-.In krb5.h
-.Pp
-.Ft krb5_error_code
-.Fo krb5_kt_add_entry
-.Fa "krb5_context context"
-.Fa "krb5_keytab id"
-.Fa "krb5_keytab_entry *entry"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_kt_close
-.Fa "krb5_context context"
-.Fa "krb5_keytab id"
-.Fc
-.Ft krb5_boolean
-.Fo krb5_kt_compare
-.Fa "krb5_context context"
-.Fa "krb5_keytab_entry *entry"
-.Fa "krb5_const_principal principal"
-.Fa "krb5_kvno vno"
-.Fa "krb5_enctype enctype"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_kt_copy_entry_contents
-.Fa "krb5_context context"
-.Fa "const krb5_keytab_entry *in"
-.Fa "krb5_keytab_entry *out"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_kt_default
-.Fa "krb5_context context"
-.Fa "krb5_keytab *id"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_kt_default_name
-.Fa "krb5_context context"
-.Fa "char *name"
-.Fa "size_t namesize"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_kt_end_seq_get
-.Fa "krb5_context context"
-.Fa "krb5_keytab id"
-.Fa "krb5_kt_cursor *cursor"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_kt_free_entry
-.Fa "krb5_context context"
-.Fa "krb5_keytab_entry *entry"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_kt_get_entry
-.Fa "krb5_context context"
-.Fa "krb5_keytab id"
-.Fa "krb5_const_principal principal"
-.Fa "krb5_kvno kvno"
-.Fa "krb5_enctype enctype"
-.Fa "krb5_keytab_entry *entry"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_kt_get_name
-.Fa "krb5_context context"
-.Fa "krb5_keytab keytab"
-.Fa "char *name"
-.Fa "size_t namesize"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_kt_get_type
-.Fa "krb5_context context"
-.Fa "krb5_keytab keytab"
-.Fa "char *prefix"
-.Fa "size_t prefixsize"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_kt_next_entry
-.Fa "krb5_context context"
-.Fa "krb5_keytab id"
-.Fa "krb5_keytab_entry *entry"
-.Fa "krb5_kt_cursor *cursor"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_kt_read_service_key
-.Fa "krb5_context context"
-.Fa "krb5_pointer keyprocarg"
-.Fa "krb5_principal principal"
-.Fa "krb5_kvno vno"
-.Fa "krb5_enctype enctype"
-.Fa "krb5_keyblock **key"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_kt_register
-.Fa "krb5_context context"
-.Fa "const krb5_kt_ops *ops"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_kt_remove_entry
-.Fa "krb5_context context"
-.Fa "krb5_keytab id"
-.Fa "krb5_keytab_entry *entry"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_kt_resolve
-.Fa "krb5_context context"
-.Fa "const char *name"
-.Fa "krb5_keytab *id"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_kt_start_seq_get
-.Fa "krb5_context context"
-.Fa "krb5_keytab id"
-.Fa "krb5_kt_cursor *cursor"
-.Fc
-.Sh DESCRIPTION
-A keytab name is on the form
-.Li type:residual .
-The
-.Li residual
-part is specific to each keytab-type.
-.Pp
-When a keytab-name is resolved, the type is matched with an internal
-list of keytab types. If there is no matching keytab type,
-the default keytab is used. The current default type is
-.Nm file .
-The default value can be changed in the configuration file
-.Pa /etc/krb5.conf
-by setting the variable
-.Li [defaults]default_keytab_name .
-.Pp
-The keytab types that are implemented in Heimdal
-are:
-.Bl -tag -width Ds
-.It Nm file
-store the keytab in a file, the type's name is
-.Li KEYFILE .
-The residual part is a filename.
-.It Nm keyfile
-store the keytab in a
-.Li AFS
-keyfile (usually
-.Pa /usr/afs/etc/KeyFile ) ,
-the type's name is
-.Li AFSKEYFILE .
-The residual part is a filename.
-.It Nm krb4
-the keytab is a Kerberos 4
-.Pa srvtab
-that is on-the-fly converted to a keytab. The type's name is
-.Li krb4 .
-The residual part is a filename.
-.It Nm memory
-The keytab is stored in a memory segment. This allows sensitive and/or
-temporary data not to be stored on disk. The type's name is
-.Li MEMORY .
-There are no residual part, the only pointer back to the keytab is the
-.Fa id
-returned by
-.Fn krb5_kt_resolve .
-.El
-.Pp
-.Nm krb5_keytab_entry
-holds all data for an entry in a keytab file, like principal name,
-key-type, key, key-version number, etc.
-.Nm krb5_kt_cursor
-holds the current position that is used when iterating through a
-keytab entry with
-.Fn krb5_kt_start_seq_get ,
-.Fn krb5_kt_next_entry ,
-and
-.Fn krb5_kt_end_seq_get .
-.Pp
-.Nm krb5_kt_ops
-contains the different operations that can be done to a keytab. This
-structure is normally only used when doing a new keytab-type
-implementation.
-.Pp
-.Fn krb5_kt_resolve
-is the equivalent of an
-.Xr open 2
-on keytab. Resolve the keytab name in
-.Fa name
-into a keytab in
-.Fa id .
-Returns 0 or an error. The opposite of
-.Fn krb5_kt_resolve
-is
-.Fn krb5_kt_close .
-.Fn krb5_kt_close
-frees all resources allocated to the keytab.
-.Pp
-.Fn krb5_kt_default
-sets the argument
-.Fa id
-to the default keytab.
-Returns 0 or an error.
-.Pp
-.Fn krb5_kt_default_name
-copy the name of the default keytab into
-.Fa name .
-Return 0 or KRB5_CONFIG_NOTENUFSPACE if
-.Fa namesize
-is too short.
-.Pp
-.Fn krb5_kt_add_entry
-Add a new
-.Fa entry
-to the keytab
-.Fa id .
-.Li KRB5_KT_NOWRITE
-is returned if the keytab is a readonly keytab.
-.Pp
-.Fn krb5_kt_compare
-compares the passed in
-.Fa entry
-against
-.Fa principal ,
-.Fa vno ,
-and
-.Fa enctype .
-Any of
-.Fa principal ,
-.Fa vno
-or
-.Fa enctype
-might be 0 which acts as a wildcard. Return TRUE if they compare the
-same, FALSE otherwise.
-.Pp
-.Fn krb5_kt_copy_entry_contents
-copies the contents of
-.Fa in
-into
-.Fa out .
-Returns 0 or an error.
-.Pp
-.Fn krb5_kt_get_name
-retrieves the name of the keytab
-.Fa keytab
-into
-.Fa name ,
-.Fa namesize .
-Returns 0 or an error.
-.Pp
-.Fn krb5_kt_get_type
-retrieves the type of the keytab
-.Fa keytab
-and store the prefix/name for type of the keytab into
-.Fa prefix ,
-.Fa prefixsize .
-The prefix will have the maximum length of
-.Dv KRB5_KT_PREFIX_MAX_LEN
-(including terminating
-.Dv NUL ) .
-Returns 0 or an error.
-.Pp
-.Fn krb5_kt_free_entry
-frees the contents of
-.Fa entry .
-.Pp
-.Fn krb5_kt_start_seq_get
-sets
-.Fa cursor
-to point at the beginning of
-.Fa id .
-Returns 0 or an error.
-.Pp
-.Fn krb5_kt_next_entry
-gets the next entry from
-.Fa id
-pointed to by
-.Fa cursor
-and advance the
-.Fa cursor .
-Returns 0 or an error.
-.Pp
-.Fn krb5_kt_end_seq_get
-releases all resources associated with
-.Fa cursor .
-.Pp
-.Fn krb5_kt_get_entry
-retrieves the keytab entry for
-.Fa principal ,
-.Fa kvno,
-.Fa enctype
-into
-.Fa entry
-from the keytab
-.Fa id .
-Returns 0 or an error.
-.Pp
-.Fn krb5_kt_read_service_key
-reads the key identified by
-.Ns ( Fa principal ,
-.Fa vno ,
-.Fa enctype )
-from the keytab in
-.Fa keyprocarg
-(the default if == NULL) into
-.Fa *key .
-Returns 0 or an error.
-.Pp
-.Fn krb5_kt_remove_entry
-removes the entry
-.Fa entry
-from the keytab
-.Fa id .
-Returns 0 or an error.
-.Pp
-.Fn krb5_kt_register
-registers a new keytab type
-.Fa ops .
-Returns 0 or an error.
-.Sh EXAMPLE
-This is a minimalistic version of
-.Nm ktutil .
-.Pp
-.Bd -literal
-int
-main (int argc, char **argv)
-{
- krb5_context context;
- krb5_keytab keytab;
- krb5_kt_cursor cursor;
- krb5_keytab_entry entry;
- krb5_error_code ret;
- char *principal;
-
- if (krb5_init_context (&context) != 0)
- errx(1, "krb5_context");
-
- ret = krb5_kt_default (context, &keytab);
- if (ret)
- krb5_err(context, 1, ret, "krb5_kt_default");
-
- ret = krb5_kt_start_seq_get(context, keytab, &cursor);
- if (ret)
- krb5_err(context, 1, ret, "krb5_kt_start_seq_get");
- while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0){
- krb5_unparse_name_short(context, entry.principal, &principal);
- printf("principal: %s\\n", principal);
- free(principal);
- krb5_kt_free_entry(context, &entry);
- }
- ret = krb5_kt_end_seq_get(context, keytab, &cursor);
- if (ret)
- krb5_err(context, 1, ret, "krb5_kt_end_seq_get");
- krb5_free_context(context);
- return 0;
-}
-.Ed
-.Sh SEE ALSO
-.Xr krb5.conf 5 ,
-.Xr kerberos 8
diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_keytab.cat3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_keytab.cat3
deleted file mode 100644
index 301cb1e27c..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/krb5_keytab.cat3
+++ /dev/null
@@ -1,212 +0,0 @@ - -KRB5_KEYTAB(3) UNIX Programmer's Manual KRB5_KEYTAB(3) - -NNAAMMEE - kkrrbb55__kktt__ooppss, kkrrbb55__kkeeyyttaabb__eennttrryy, kkrrbb55__kktt__ccuurrssoorr, kkrrbb55__kktt__aadddd__eennttrryy, - kkrrbb55__kktt__cclloossee, kkrrbb55__kktt__ccoommppaarree, kkrrbb55__kktt__ccooppyy__eennttrryy__ccoonntteennttss, - kkrrbb55__kktt__ddeeffaauulltt, kkrrbb55__kktt__ddeeffaauulltt__nnaammee, kkrrbb55__kktt__eenndd__sseeqq__ggeett, - kkrrbb55__kktt__ffrreeee__eennttrryy, kkrrbb55__kktt__ggeett__eennttrryy, kkrrbb55__kktt__ggeett__nnaammee, - kkrrbb55__kktt__ggeett__ttyyppee, kkrrbb55__kktt__nneexxtt__eennttrryy, kkrrbb55__kktt__rreeaadd__sseerrvviiccee__kkeeyy, - kkrrbb55__kktt__rreeggiisstteerr, kkrrbb55__kktt__rreemmoovvee__eennttrryy, kkrrbb55__kktt__rreessoollvvee, - kkrrbb55__kktt__ssttaarrtt__sseeqq__ggeett - manage keytab (key storage) files - -LLIIBBRRAARRYY - Kerberos 5 Library (libkrb5, -lkrb5) - -SSYYNNOOPPSSIISS - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__kktt__aadddd__eennttrryy(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___k_e_y_t_a_b _i_d, - _k_r_b_5___k_e_y_t_a_b___e_n_t_r_y _*_e_n_t_r_y) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__kktt__cclloossee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___k_e_y_t_a_b _i_d) - - _k_r_b_5___b_o_o_l_e_a_n - kkrrbb55__kktt__ccoommppaarree(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___k_e_y_t_a_b___e_n_t_r_y _*_e_n_t_r_y, - _k_r_b_5___c_o_n_s_t___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l, _k_r_b_5___k_v_n_o _v_n_o, - _k_r_b_5___e_n_c_t_y_p_e _e_n_c_t_y_p_e) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__kktt__ccooppyy__eennttrryy__ccoonntteennttss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, - _c_o_n_s_t _k_r_b_5___k_e_y_t_a_b___e_n_t_r_y _*_i_n, _k_r_b_5___k_e_y_t_a_b___e_n_t_r_y _*_o_u_t) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__kktt__ddeeffaauulltt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___k_e_y_t_a_b _*_i_d) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - 
kkrrbb55__kktt__ddeeffaauulltt__nnaammee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_h_a_r _*_n_a_m_e, _s_i_z_e___t _n_a_m_e_s_i_z_e) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__kktt__eenndd__sseeqq__ggeett(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___k_e_y_t_a_b _i_d, - _k_r_b_5___k_t___c_u_r_s_o_r _*_c_u_r_s_o_r) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__kktt__ffrreeee__eennttrryy(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___k_e_y_t_a_b___e_n_t_r_y _*_e_n_t_r_y) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__kktt__ggeett__eennttrryy(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___k_e_y_t_a_b _i_d, - _k_r_b_5___c_o_n_s_t___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l, _k_r_b_5___k_v_n_o _k_v_n_o, - _k_r_b_5___e_n_c_t_y_p_e _e_n_c_t_y_p_e, _k_r_b_5___k_e_y_t_a_b___e_n_t_r_y _*_e_n_t_r_y) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__kktt__ggeett__nnaammee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___k_e_y_t_a_b _k_e_y_t_a_b, _c_h_a_r _*_n_a_m_e, - _s_i_z_e___t _n_a_m_e_s_i_z_e) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__kktt__ggeett__ttyyppee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___k_e_y_t_a_b _k_e_y_t_a_b, _c_h_a_r _*_p_r_e_f_i_x, - _s_i_z_e___t _p_r_e_f_i_x_s_i_z_e) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__kktt__nneexxtt__eennttrryy(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___k_e_y_t_a_b _i_d, - _k_r_b_5___k_e_y_t_a_b___e_n_t_r_y _*_e_n_t_r_y, _k_r_b_5___k_t___c_u_r_s_o_r _*_c_u_r_s_o_r) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__kktt__rreeaadd__sseerrvviiccee__kkeeyy(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___p_o_i_n_t_e_r _k_e_y_p_r_o_c_a_r_g, - _k_r_b_5___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l, _k_r_b_5___k_v_n_o _v_n_o, _k_r_b_5___e_n_c_t_y_p_e _e_n_c_t_y_p_e, - _k_r_b_5___k_e_y_b_l_o_c_k _*_*_k_e_y) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__kktt__rreeggiisstteerr(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___k_t___o_p_s _*_o_p_s) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - 
kkrrbb55__kktt__rreemmoovvee__eennttrryy(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___k_e_y_t_a_b _i_d, - _k_r_b_5___k_e_y_t_a_b___e_n_t_r_y _*_e_n_t_r_y) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__kktt__rreessoollvvee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_n_a_m_e, _k_r_b_5___k_e_y_t_a_b _*_i_d) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__kktt__ssttaarrtt__sseeqq__ggeett(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___k_e_y_t_a_b _i_d, - _k_r_b_5___k_t___c_u_r_s_o_r _*_c_u_r_s_o_r) - -DDEESSCCRRIIPPTTIIOONN - A keytab name is on the form type:residual. The residual part is specific - to each keytab-type. - - When a keytab-name is resolved, the type is matched with an internal list - of keytab types. If there is no matching keytab type, the default keytab - is used. The current default type is ffiillee. The default value can be - changed in the configuration file _/_e_t_c_/_k_r_b_5_._c_o_n_f by setting the variable - [defaults]default_keytab_name. - - The keytab types that are implemented in Heimdal are: - - ffiillee store the keytab in a file, the type's name is KEYFILE. The - residual part is a filename. - - kkeeyyffiillee - store the keytab in a AFS keyfile (usually _/_u_s_r_/_a_f_s_/_e_t_c_/_K_e_y_F_i_l_e), - the type's name is AFSKEYFILE. The residual part is a filename. - - kkrrbb44 the keytab is a Kerberos 4 _s_r_v_t_a_b that is on-the-fly converted to - a keytab. The type's name is krb4. The residual part is a file- - name. - - mmeemmoorryy The keytab is stored in a memory segment. This allows sensitive - and/or temporary data not to be stored on disk. The type's name - is MEMORY. There are no residual part, the only pointer back to - the keytab is the _i_d returned by kkrrbb55__kktt__rreessoollvvee(). - - kkrrbb55__kkeeyyttaabb__eennttrryy holds all data for an entry in a keytab file, like - principal name, key-type, key, key-version number, etc. 
kkrrbb55__kktt__ccuurrssoorr - holds the current position that is used when iterating through a keytab - entry with kkrrbb55__kktt__ssttaarrtt__sseeqq__ggeett(), kkrrbb55__kktt__nneexxtt__eennttrryy(), and - kkrrbb55__kktt__eenndd__sseeqq__ggeett(). - - kkrrbb55__kktt__ooppss contains the different operations that can be done to a - keytab. This structure is normally only used when doing a new keytab-type - implementation. - - kkrrbb55__kktt__rreessoollvvee() is the equivalent of an open(2) on keytab. Resolve the - keytab name in _n_a_m_e into a keytab in _i_d. Returns 0 or an error. The oppo- - site of kkrrbb55__kktt__rreessoollvvee() is kkrrbb55__kktt__cclloossee(). kkrrbb55__kktt__cclloossee() frees all - resources allocated to the keytab. - - kkrrbb55__kktt__ddeeffaauulltt() sets the argument _i_d to the default keytab. Returns 0 - or an error. - - kkrrbb55__kktt__ddeeffaauulltt__nnaammee() copy the name of the default keytab into _n_a_m_e. Re- - turn 0 or KRB5_CONFIG_NOTENUFSPACE if _n_a_m_e_s_i_z_e is too short. - - - kkrrbb55__kktt__aadddd__eennttrryy() Add a new _e_n_t_r_y to the keytab _i_d. KRB5_KT_NOWRITE is - returned if the keytab is a readonly keytab. - - kkrrbb55__kktt__ccoommppaarree() compares the passed in _e_n_t_r_y against _p_r_i_n_c_i_p_a_l, _v_n_o, - and _e_n_c_t_y_p_e. Any of _p_r_i_n_c_i_p_a_l, _v_n_o or _e_n_c_t_y_p_e might be 0 which acts as a - wildcard. Return TRUE if they compare the same, FALSE otherwise. - - kkrrbb55__kktt__ccooppyy__eennttrryy__ccoonntteennttss() copies the contents of _i_n into _o_u_t. Returns - 0 or an error. - - kkrrbb55__kktt__ggeett__nnaammee() retrieves the name of the keytab _k_e_y_t_a_b into _n_a_m_e, - _n_a_m_e_s_i_z_e. Returns 0 or an error. - - kkrrbb55__kktt__ggeett__ttyyppee() retrieves the type of the keytab _k_e_y_t_a_b and store the - prefix/name for type of the keytab into _p_r_e_f_i_x, _p_r_e_f_i_x_s_i_z_e. 
The prefix - will have the maximum length of KRB5_KT_PREFIX_MAX_LEN (including termi- - nating NUL). Returns 0 or an error. - - kkrrbb55__kktt__ffrreeee__eennttrryy() frees the contents of _e_n_t_r_y. - - kkrrbb55__kktt__ssttaarrtt__sseeqq__ggeett() sets _c_u_r_s_o_r to point at the beginning of _i_d. Re- - turns 0 or an error. - - kkrrbb55__kktt__nneexxtt__eennttrryy() gets the next entry from _i_d pointed to by _c_u_r_s_o_r and - advance the _c_u_r_s_o_r. Returns 0 or an error. - - kkrrbb55__kktt__eenndd__sseeqq__ggeett() releases all resources associated with _c_u_r_s_o_r. - - kkrrbb55__kktt__ggeett__eennttrryy() retrieves the keytab entry for _p_r_i_n_c_i_p_a_l, _k_v_n_o_, - _e_n_c_t_y_p_e into _e_n_t_r_y from the keytab _i_d. Returns 0 or an error. - - kkrrbb55__kktt__rreeaadd__sseerrvviiccee__kkeeyy() reads the key identified by (_p_r_i_n_c_i_p_a_l, _v_n_o, - _e_n_c_t_y_p_e) from the keytab in _k_e_y_p_r_o_c_a_r_g (the default if == NULL) into - _*_k_e_y. Returns 0 or an error. - - kkrrbb55__kktt__rreemmoovvee__eennttrryy() removes the entry _e_n_t_r_y from the keytab _i_d. Re- - turns 0 or an error. - - kkrrbb55__kktt__rreeggiisstteerr() registers a new keytab type _o_p_s. Returns 0 or an er- - ror. - -EEXXAAMMPPLLEE - This is a minimalistic version of kkttuuttiill. 
- - int - main (int argc, char **argv) - { - krb5_context context; - krb5_keytab keytab; - krb5_kt_cursor cursor; - krb5_keytab_entry entry; - krb5_error_code ret; - char *principal; - - if (krb5_init_context (&context) != 0) - errx(1, "krb5_context"); - - ret = krb5_kt_default (context, &keytab); - if (ret) - krb5_err(context, 1, ret, "krb5_kt_default"); - - ret = krb5_kt_start_seq_get(context, keytab, &cursor); - if (ret) - krb5_err(context, 1, ret, "krb5_kt_start_seq_get"); - while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0){ - krb5_unparse_name_short(context, entry.principal, &principal); - printf("principal: %s\n", principal); - free(principal); - krb5_kt_free_entry(context, &entry); - } - ret = krb5_kt_end_seq_get(context, keytab, &cursor); - if (ret) - krb5_err(context, 1, ret, "krb5_kt_end_seq_get"); - krb5_free_context(context); - return 0; - } - -SSEEEE AALLSSOO - krb5.conf(5), kerberos(8) - - HEIMDAL February 5, 2001 4 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_krbhst_init.3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_krbhst_init.3 deleted file mode 100644 index 87ea3f9b0a..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5_krbhst_init.3 +++ /dev/null 
@@ -1,152 +0,0 @@
-.\" Copyright (c) 2001 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: krb5_krbhst_init.3,v 1.7 2003/04/16 13:58:16 lha Exp $
-.\"
-.Dd June 17, 2001
-.Dt KRB5_KRBHST_INIT 3
-.Os HEIMDAL
-.Sh NAME
-.Nm krb5_krbhst_init ,
-.Nm krb5_krbhst_next ,
-.Nm krb5_krbhst_next_as_string ,
-.Nm krb5_krbhst_reset ,
-.Nm krb5_krbhst_free ,
-.Nm krb5_krbhst_format_string ,
-.Nm krb5_krbhst_get_addrinfo
-.Nd lookup Kerberos KDC hosts
-.Sh LIBRARY
-Kerberos 5 Library (libkrb5, -lkrb5)
-.Sh SYNOPSIS
-.In krb5.h
-.Ft krb5_error_code
-.Fn krb5_krbhst_init "krb5_context context" "const char *realm" "unsigned int type" "krb5_krbhst_handle *handle"
-.Ft krb5_error_code
-.Fn "krb5_krbhst_next" "krb5_context context" "krb5_krbhst_handle handle" "krb5_krbhst_info **host"
-.Ft krb5_error_code
-.Fn krb5_krbhst_next_as_string "krb5_context context" "krb5_krbhst_handle handle" "char *hostname" "size_t hostlen"
-.Ft void
-.Fn krb5_krbhst_reset "krb5_context context" "krb5_krbhst_handle handle"
-.Ft void
-.Fn krb5_krbhst_free "krb5_context context" "krb5_krbhst_handle handle"
-.Ft krb5_error_code
-.Fn krb5_krbhst_format_string "krb5_context context" "const krb5_krbhst_info *host" "char *hostname" "size_t hostlen"
-.Ft krb5_error_code
-.Fn krb5_krbhst_get_addrinfo "krb5_context context" "krb5_krbhst_info *host" "struct addrinfo **ai"
-.Sh DESCRIPTION
-These functions are used to sequence through all Kerberos hosts of a
-particular realm and service. The service type can be the KDCs, the
-administrative servers, the password changing servers, or the servers
-for Kerberos 4 ticket conversion.
-.Pp
-First a handle to a particular service is obtained by calling
-.Fn krb5_krbhst_init
-with the
-.Fa realm
-of interest and the type of service to lookup. The
-.Fa type
-can be one of:
-.Pp
-.Bl -hang -compact -offset indent
-.It KRB5_KRBHST_KDC
-.It KRB5_KRBHST_ADMIN
-.It KRB5_KRBHST_CHANGEPW
-.It KRB5_KRBHST_KRB524
-.El
-.Pp
-The
-.Fa handle
-is returned to the caller, and should be passed to the other
-functions.
-.Pp
-For each call to
-.Fn krb5_krbhst_next
-information a new host is returned. The former function returns in
-.Fa host
-a pointer to a structure containing information about the host, such
-as protocol, hostname, and port:
-.Bd -literal -offset indent
-typedef struct krb5_krbhst_info {
- enum { KRB5_KRBHST_UDP,
- KRB5_KRBHST_TCP,
- KRB5_KRBHST_HTTP } proto;
- unsigned short port;
- struct addrinfo *ai;
- struct krb5_krbhst_info *next;
- char hostname[1];
-} krb5_krbhst_info;
-.Ed
-.Pp
-The related function,
-.Fn krb5_krbhst_next_as_string ,
-return the same information as a url-like string.
-.Pp
-When there are no more hosts, these functions return
-.Dv KRB5_KDC_UNREACH .
-.Pp
-To re-iterate over all hosts, call
-.Fn krb5_krbhst_reset
-and the next call to
-.Fn krb5_krbhst_next
-will return the first host.
-.Pp
-When done with the handle,
-.Fn krb5_krbhst_free
-should be called.
-.Pp
-To use a
-.Va krb5_krbhst_info ,
-there are two functions:
-.Fn krb5_krbhst_format_string
-that will return a printable representation of that struct
-and
-.Fn krb5_krbhst_get_addrinfo
-that will return a
-.Va struct addrinfo
-that can then be used for communicating with the server mentioned.
-.Sh EXAMPLE
-The following code will print the KDCs of the realm
-.Dq MY.REALM .
-.Bd -literal -offset indent
-krb5_krbhst_handle handle;
-char host[MAXHOSTNAMELEN];
-krb5_krbhst_init(context, "MY.REALM", KRB5_KRBHST_KDC, &handle);
-while(krb5_krbhst_next_as_string(context, handle,
- host, sizeof(host)) == 0)
- printf("%s\\n", host);
-krb5_krbhst_free(context, handle);
-.Ed
-.\" .Sh BUGS
-.Sh HISTORY
-These functions first appeared in Heimdal 0.3g.
-.Sh SEE ALSO
-.Xr getaddrinfo 3 ,
-.Xr krb5_get_krbhst 3
diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_krbhst_init.cat3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_krbhst_init.cat3
deleted file mode 100644
index a4f925f53b..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/krb5_krbhst_init.cat3
+++ /dev/null
@@ -1,104 +0,0 @@ - -KRB5_KRBHST_INIT(3) UNIX Programmer's Manual KRB5_KRBHST_INIT(3) - -NNAAMMEE - kkrrbb55__kkrrbbhhsstt__iinniitt, kkrrbb55__kkrrbbhhsstt__nneexxtt, kkrrbb55__kkrrbbhhsstt__nneexxtt__aass__ssttrriinngg, - kkrrbb55__kkrrbbhhsstt__rreesseett, kkrrbb55__kkrrbbhhsstt__ffrreeee, kkrrbb55__kkrrbbhhsstt__ffoorrmmaatt__ssttrriinngg, - kkrrbb55__kkrrbbhhsstt__ggeett__aaddddrriinnffoo - lookup Kerberos KDC hosts - -LLIIBBRRAARRYY - Kerberos 5 Library (libkrb5, -lkrb5) - -SSYYNNOOPPSSIISS - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__kkrrbbhhsstt__iinniitt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_r_e_a_l_m, - _u_n_s_i_g_n_e_d _i_n_t _t_y_p_e, _k_r_b_5___k_r_b_h_s_t___h_a_n_d_l_e _*_h_a_n_d_l_e) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__kkrrbbhhsstt__nneexxtt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___k_r_b_h_s_t___h_a_n_d_l_e _h_a_n_d_l_e, - _k_r_b_5___k_r_b_h_s_t___i_n_f_o _*_*_h_o_s_t) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__kkrrbbhhsstt__nneexxtt__aass__ssttrriinngg(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, - _k_r_b_5___k_r_b_h_s_t___h_a_n_d_l_e _h_a_n_d_l_e, _c_h_a_r _*_h_o_s_t_n_a_m_e, _s_i_z_e___t _h_o_s_t_l_e_n) - - _v_o_i_d - kkrrbb55__kkrrbbhhsstt__rreesseett(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___k_r_b_h_s_t___h_a_n_d_l_e _h_a_n_d_l_e) - - _v_o_i_d - kkrrbb55__kkrrbbhhsstt__ffrreeee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___k_r_b_h_s_t___h_a_n_d_l_e _h_a_n_d_l_e) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__kkrrbbhhsstt__ffoorrmmaatt__ssttrriinngg(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, - _c_o_n_s_t _k_r_b_5___k_r_b_h_s_t___i_n_f_o _*_h_o_s_t, _c_h_a_r _*_h_o_s_t_n_a_m_e, _s_i_z_e___t _h_o_s_t_l_e_n) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__kkrrbbhhsstt__ggeett__aaddddrriinnffoo(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___k_r_b_h_s_t___i_n_f_o _*_h_o_s_t, - _s_t_r_u_c_t _a_d_d_r_i_n_f_o _*_*_a_i) - -DDEESSCCRRIIPPTTIIOONN - These functions are used to sequence 
through all Kerberos hosts of a par- - ticular realm and service. The service type can be the KDCs, the adminis- - trative servers, the password changing servers, or the servers for Ker- - beros 4 ticket conversion. - - First a handle to a particular service is obtained by calling - kkrrbb55__kkrrbbhhsstt__iinniitt() with the _r_e_a_l_m of interest and the type of service to - lookup. The _t_y_p_e can be one of: - - KRB5_KRBHST_KDC - KRB5_KRBHST_ADMIN - KRB5_KRBHST_CHANGEPW - KRB5_KRBHST_KRB524 - - The _h_a_n_d_l_e is returned to the caller, and should be passed to the other - functions. - - For each call to kkrrbb55__kkrrbbhhsstt__nneexxtt() information a new host is returned. - The former function returns in _h_o_s_t a pointer to a structure containing - information about the host, such as protocol, hostname, and port: - - typedef struct krb5_krbhst_info { - enum { KRB5_KRBHST_UDP, - KRB5_KRBHST_TCP, - KRB5_KRBHST_HTTP } proto; - unsigned short port; - struct addrinfo *ai; - struct krb5_krbhst_info *next; - char hostname[1]; - } krb5_krbhst_info; - - The related function, kkrrbb55__kkrrbbhhsstt__nneexxtt__aass__ssttrriinngg(), return the same in- - formation as a url-like string. - - When there are no more hosts, these functions return KRB5_KDC_UNREACH. - - To re-iterate over all hosts, call kkrrbb55__kkrrbbhhsstt__rreesseett() and the next call - to kkrrbb55__kkrrbbhhsstt__nneexxtt() will return the first host. - - When done with the handle, kkrrbb55__kkrrbbhhsstt__ffrreeee() should be called. - - To use a _k_r_b_5___k_r_b_h_s_t___i_n_f_o, there are two functions: - kkrrbb55__kkrrbbhhsstt__ffoorrmmaatt__ssttrriinngg() that will return a printable representation - of that struct and kkrrbb55__kkrrbbhhsstt__ggeett__aaddddrriinnffoo() that will return a _s_t_r_u_c_t - _a_d_d_r_i_n_f_o that can then be used for communicating with the server men- - tioned. - -EEXXAAMMPPLLEE - The following code will print the KDCs of the realm ``MY.REALM''. 
- - krb5_krbhst_handle handle; - char host[MAXHOSTNAMELEN]; - krb5_krbhst_init(context, "MY.REALM", KRB5_KRBHST_KDC, &handle); - while(krb5_krbhst_next_as_string(context, handle, - host, sizeof(host)) == 0) - printf("%s\n", host); - krb5_krbhst_free(context, handle); - -HHIISSTTOORRYY - These functions first appeared in Heimdal 0.3g. - -SSEEEE AALLSSOO - getaddrinfo(3), krb5_get_krbhst(3) - - HEIMDAL June 17, 2001 2 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_kuserok.3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_kuserok.3 deleted file mode 100644 index 15392023da..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5_kuserok.3 +++ /dev/null 
@@ -1,94 +0,0 @@
-.\" Copyright (c) 2003 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: krb5_kuserok.3,v 1.5 2003/04/16 13:58:10 lha Exp $
-.\"
-.Dd Oct 17, 2002
-.Dt KRB5_KUSEROK 3
-.Os HEIMDAL
-.Sh NAME
-.Nm krb5_kuserok
-.Nd verifies if a principal can log in as a user
-.Sh LIBRARY
-Kerberos 5 Library (libkrb5, -lkrb5)
-.Sh SYNOPSIS
-.In krb5.h
-.Ft krb5_boolean
-.Fo krb5_kuserok
-.Fa "krb5_context context"
-.Fa "krb5_principal principal"
-.Fa "const char *name"
-.Fc
-.Sh DESCRIPTION
-This function takes a local user
-.Fa name
-and verifies if
-.Fa principal
-is allowed to log in as that user.
-.Pp
-First
-.Nm
-check if there is a local account name
-.Fa username.
-If there isn't,
-.Nm
-returns
-.Dv FALSE .
-.Pp
-Then
-.Nm
-checks if principal is the same as user@realm in any of the default
-realms. If that is the case,
-.Nm
-returns
-.Dv TRUE .
-.Pp
-After that it reads the file
-.Pa .k5login
-(if it exists) in the users home directory and checks if
-.Fa principal
-is in the file.
-If it does exists,
-.Dv TRUE
-is returned.
-If neither of the above turns out to be true,
-.DV FALSE
-is returned.
-.Pp
-The
-.Pa .k5login
-should contain one principal per line.
-.Sh SEE ALSO
-.Xr krb5_get_default_realms 3 ,
-.Xr krb5_verify_user 3 ,
-.Xr krb5_verify_user_lrealm 3 ,
-.Xr krb5_verify_user_opt 3,
-.Xr krb5.conf 5
diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_kuserok.cat3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_kuserok.cat3
deleted file mode 100644
index 379acb8fdf..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/krb5_kuserok.cat3
+++ /dev/null
@@ -1,36 +0,0 @@ - -KRB5_KUSEROK(3) UNIX Programmer's Manual KRB5_KUSEROK(3) - -NNAAMMEE - kkrrbb55__kkuusseerrookk - verifies if a principal can log in as a - -LLIIBBRRAARRYY - Kerberos 5 Library (libkrb5, -lkrb5) - -SSYYNNOOPPSSIISS - _k_r_b_5___b_o_o_l_e_a_n - kkrrbb55__kkuusseerrookk(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l, - _c_o_n_s_t _c_h_a_r _*_n_a_m_e) - -DDEESSCCRRIIPPTTIIOONN - This function takes a local user _n_a_m_e and verifies if _p_r_i_n_c_i_p_a_l is al- - lowed to log in as that user. - - First kkrrbb55__kkuusseerrookk check if there is a local account name _u_s_e_r_n_a_m_e_. If - there isn't, kkrrbb55__kkuusseerrookk returns FALSE. - - Then kkrrbb55__kkuusseerrookk checks if principal is the same as user@realm in any of - the default realms. If that is the case, kkrrbb55__kkuusseerrookk returns TRUE. - - After that it reads the file _._k_5_l_o_g_i_n (if it exists) in the users home - directory and checks if _p_r_i_n_c_i_p_a_l is in the file. If it does exists, - TRUE is returned. If neither of the above turns out to be true, is re- - turned. - - The _._k_5_l_o_g_i_n should contain one principal per line. - -SSEEEE AALLSSOO - krb5_get_default_realms(3), krb5_verify_user(3), - krb5_verify_user_lrealm(3), krb5_verify_user_opt(3,) krb5.conf(5) - - HEIMDAL Oct 17, 2002 1 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_locl.h b/crypto/heimdal-0.6.3/lib/krb5/krb5_locl.h deleted file mode 100644 index b3d6a92f8f..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5_locl.h +++ /dev/null 
@@ -1,137 +0,0 @@
-/*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: krb5_locl.h,v 1.71 2002/09/10 20:10:45 joda Exp $ */
-
-#ifndef __KRB5_LOCL_H__
-#define __KRB5_LOCL_H__
-
-#ifdef HAVE_CONFIG_H
-#include
-#endif
-
-#include
-#include
-#include
-#include
-#include
-#include
-
-#ifdef HAVE_SYS_TYPES_H
-#include
-#endif
-#ifdef HAVE_UNISTD_H
-#include
-#endif
-#ifdef HAVE_FCNTL_H
-#include
-#endif
-
-#if defined(HAVE_SYS_IOCTL_H) && SunOS != 40
-#include
-#endif
-#ifdef HAVE_PWD_H
-#include
-#endif
-
-#ifdef HAVE_SYS_PARAM_H
-#include
-#endif
-#include
-#ifdef HAVE_SYS_TIME_H
-#include
-#endif
-#ifdef HAVE_SYS_SELECT_H
-#include
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include
-#endif
-#ifdef HAVE_NETINET_IN6_H
-#include
-#endif
-#ifdef HAVE_NETINET6_IN6_H
-#include
-#endif
-#ifdef HAVE_NETDB_H
-#include
-#endif
-#ifdef _AIX
-struct ether_addr;
-struct mbuf;
-struct sockaddr_dl;
-#endif
-#ifdef HAVE_ARPA_INET_H
-#include
-#endif
-#ifdef HAVE_ARPA_NAMESER_H
-#include
-#endif
-#ifdef HAVE_SYS_UIO_H
-#include
-#endif
-#ifdef HAVE_SYS_FILIO_H
-#include
-#endif
-#ifdef HAVE_SYS_FILE_H
-#include
-#endif
-#include
-#include
-#include
-
-#include "crypto-headers.h"
-
-#include
-#include
-
-#include
-#include
-#include
-#include
-
-#define ALLOC(X, N) (X) = calloc((N), sizeof(*(X)))
-#define ALLOC_SEQ(X, N) do { (X)->len = (N); ALLOC((X)->val, (N)); } while(0)
-
-/* should this be public? */
-#define KEYTAB_DEFAULT "ANY:FILE:" SYSCONFDIR "/krb5.keytab,krb4:" SYSCONFDIR "/srvtab"
-#define KEYTAB_DEFAULT_MODIFY "FILE:" SYSCONFDIR "/krb5.keytab"
-
-#ifndef O_BINARY
-#define O_BINARY 0
-#endif
-
-#endif /* __KRB5_LOCL_H__ */
diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_openlog.3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_openlog.3
deleted file mode 100644
index cb1ccc9ee9..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/krb5_openlog.3
+++ /dev/null
@@ -1,242 +0,0 @@ -.\" Copyright (c) 1997, 1999, 2001 - 2002 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. 
-.\" -.\" $Id: krb5_openlog.3,v 1.9 2003/04/16 13:58:12 lha Exp $ -.Dd August 6, 1997 -.Dt KRB5_OPENLOG 3 -.Os HEIMDAL -.Sh NAME -.Nm krb5_initlog , -.Nm krb5_openlog , -.Nm krb5_closelog , -.Nm krb5_addlog_dest , -.Nm krb5_addlog_func , -.Nm krb5_log , -.Nm krb5_vlog , -.Nm krb5_log_msg , -.Nm krb5_vlog_msg -.Nd Heimdal logging functions -.Sh LIBRARY -Kerberos 5 Library (libkrb5, -lkrb5) -.Sh SYNOPSIS -.In krb5.h -.Ft "typedef void" -.Fn "\*(lp*krb5_log_log_func_t\*(rp" "const char *time" "const char *message" "void *data" -.Ft "typedef void" -.Fn "\*(lp*krb5_log_close_func_t\*(rp" "void *data" -.Ft krb5_error_code -.Fn krb5_addlog_dest "krb5_context context" "krb5_log_facility *facility" "const char *destination" -.Ft krb5_error_code -.Fn krb5_addlog_func "krb5_context context" "krb5_log_facility *facility" "int min" "int max" "krb5_log_log_func_t log" "krb5_log_close_func_t close" "void *data" -.Ft krb5_error_code -.Fn krb5_closelog "krb5_context context" "krb5_log_facility *facility" -.Ft krb5_error_code -.Fn krb5_initlog "krb5_context context" "const char *program" "krb5_log_facility **facility" -.Ft krb5_error_code -.Fn krb5_log "krb5_context context" "krb5_log_facility *facility" "int level" "const char *format" "..." -.Ft krb5_error_code -.Fn krb5_log_msg "krb5_context context" "krb5_log_facility *facility" "char **reply" "int level" "const char *format" "..." -.Ft krb5_error_code -.Fn krb5_openlog "krb5_context context" "const char *program" "krb5_log_facility **facility" -.Ft krb5_error_code -.Fn krb5_vlog "krb5_context context" "krb5_log_facility *facility" "int level" "const char *format" "va_list arglist" -.Ft krb5_error_code -.Fn krb5_vlog_msg "krb5_context context" "krb5_log_facility *facility" "char **reply" "int level" "const char *format" "va_list arglist" -.Sh DESCRIPTION -These functions logs messages to one or more destinations. -.Pp -The -.Fn krb5_openlog -function creates a logging -.Fa facility , -that is used to log messages. 
A facility consists of one or more -destinations (which can be files or syslog or some other device). The -.Fa program -parameter should be the generic name of the program that is doing the -logging. This name is used to lookup which destinations to use. This -information is contained in the -.Li logging -section of the -.Pa krb5.conf -configuration file. If no entry is found for -.Fa program , -the entry for -.Li default -is used, or if that is missing too, -.Li SYSLOG -will be used as destination. -.Pp -To close a logging facility, use the -.Fn krb5_closelog -function. -.Pp -To log a message to a facility use one of the functions -.Fn krb5_log , -.Fn krb5_log_msg , -.Fn krb5_vlog , -or -.Fn krb5_vlog_msg . -The functions ending in -.Li _msg -return in -.Fa reply -a pointer to the message that just got logged. This string is allocated, -and should be freed with -.Fn free . -The -.Fa format -is a standard -.Fn printf -style format string (but see the BUGS section). -.Pp -If you want better control of where things gets logged, you can instead of using -.Fn krb5_openlog -call -.Fn krb5_initlog , -which just initializes a facility, but doesn't define any actual logging -destinations. You can then add destinations with the -.Fn krb5_addlog_dest -and -.Fn krb5_addlog_func -functions. The first of these takes a string specifying a logging -destination, and adds this to the facility. If you want to do some -non-standard logging you can use the -.Fn krb5_addlog_func -function, which takes a function to use when logging. -The -.Fa log -function is called for each message with -.Fa time -being a string specifying the current time, and -.Fa message -the message to log. -.Fa close -is called when the facility is closed. You can pass application specific data in the -.Fa data -parameter. The -.Fa min -and -.Fa max -parameter are the same as in a destination (defined below). To specify a -max of infinity, pass -1. 
-.Pp -.Fn krb5_openlog -calls -.Fn krb5_initlog -and then calls -.Fn krb5_addlog_dest -for each destination found. -.Ss Destinations -The defined destinations (as specified in -.Pa krb5.conf ) -follows: -.Bl -tag -width "xxx" -offset indent -.It Li STDERR -This logs to the program's stderr. -.It Li FILE: Ns Pa /file -.It Li FILE= Ns Pa /file -Log to the specified file. The form using a colon appends to the file, the -form with an equal truncates the file. The truncating form keeps the file -open, while the appending form closes it after each log message (which -makes it possible to rotate logs). The truncating form is mainly for -compatibility with the MIT libkrb5. -.It Li DEVICE= Ns Pa /device -This logs to the specified device, at present this is the same as -.Li FILE:/device . -.It Li CONSOLE -Log to the console, this is the same as -.Li DEVICE=/dev/console . -.It Li SYSLOG Ns Op :priority Ns Op :facility -Send messages to the syslog system, using priority, and facility. To -get the name for one of these, you take the name of the macro passed -to -.Xr syslog 3 , -and remove the leading -.Li LOG_ -.No ( Li LOG_NOTICE -becomes -.Li NOTICE ) . -The default values (as well as the values used for unrecognised -values), are -.Li ERR , -and -.Li AUTH , -respectively. See -.Xr syslog 3 -for a list of priorities and facilities. -.El -.Pp -Each destination may optionally be prepended with a range of logging -levels, specified as -.Li min-max/ . -If the -.Fa level -parameter to -.Fn krb5_log -is within this range (inclusive) the message gets logged to this -destination, otherwise not. Either of the min and max valued may be -omitted, in this case min is assumed to be zero, and max is assumed to be -infinity. If you don't include a dash, both min and max gets set to the -specified value. If no range is specified, all messages gets logged. 
-.Sh EXAMPLE -.Bd -literal -offset indent -[logging] - kdc = 0/FILE:/var/log/kdc.log - kdc = 1-/SYSLOG:INFO:USER - default = STDERR -.Ed -.Pp -This will log all messages from the -.Nm kdc -program with level 0 to -.Pa /var/log/kdc.log , -other messages will be logged to syslog with priority -.Li LOG_INFO , -and facility -.Li LOG_USER . -All other programs will log all messages to their stderr. -.Sh BUGS -These functions use -.Fn asprintf -to format the message. If your operating system does not have a working -.Fn asprintf , -a replacement will be used. At present this replacement does not handle -some correct conversion specifications (like floating point numbers). Until -this is fixed, the use of these conversions should be avoided. -.Pp -If logging is done to the syslog facility, these functions might not be -thread-safe, depending on the implementation of -.Fn openlog , -and -.Fn syslog . -.Sh SEE ALSO -.Xr syslog 3 , -.Xr krb5.conf 5 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_openlog.cat3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_openlog.cat3 deleted file mode 100644 index 47177bafb4..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5_openlog.cat3 +++ /dev/null 
@@ -1,156 +0,0 @@ - -KRB5_OPENLOG(3) UNIX Programmer's Manual KRB5_OPENLOG(3) - -NNAAMMEE - kkrrbb55__iinniittlloogg, kkrrbb55__ooppeennlloogg, kkrrbb55__cclloosseelloogg, kkrrbb55__aaddddlloogg__ddeesstt, - kkrrbb55__aaddddlloogg__ffuunncc, kkrrbb55__lloogg, kkrrbb55__vvlloogg, kkrrbb55__lloogg__mmssgg, kkrrbb55__vvlloogg__mmssgg - - Heimdal logging functions - -LLIIBBRRAARRYY - Kerberos 5 Library (libkrb5, -lkrb5) - -SSYYNNOOPPSSIISS - _t_y_p_e_d_e_f _v_o_i_d - (**kkrrbb55__lloogg__lloogg__ffuunncc__tt)(_c_o_n_s_t _c_h_a_r _*_t_i_m_e, _c_o_n_s_t _c_h_a_r _*_m_e_s_s_a_g_e, _v_o_i_d _*_d_a_t_a) - - _t_y_p_e_d_e_f _v_o_i_d - (**kkrrbb55__lloogg__cclloossee__ffuunncc__tt)(_v_o_i_d _*_d_a_t_a) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__aaddddlloogg__ddeesstt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___l_o_g___f_a_c_i_l_i_t_y _*_f_a_c_i_l_i_t_y, - _c_o_n_s_t _c_h_a_r _*_d_e_s_t_i_n_a_t_i_o_n) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__aaddddlloogg__ffuunncc(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___l_o_g___f_a_c_i_l_i_t_y _*_f_a_c_i_l_i_t_y, - _i_n_t _m_i_n, _i_n_t _m_a_x, _k_r_b_5___l_o_g___l_o_g___f_u_n_c___t _l_o_g, - _k_r_b_5___l_o_g___c_l_o_s_e___f_u_n_c___t _c_l_o_s_e, _v_o_i_d _*_d_a_t_a) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__cclloosseelloogg(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___l_o_g___f_a_c_i_l_i_t_y _*_f_a_c_i_l_i_t_y) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__iinniittlloogg(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_p_r_o_g_r_a_m, - _k_r_b_5___l_o_g___f_a_c_i_l_i_t_y _*_*_f_a_c_i_l_i_t_y) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__lloogg(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___l_o_g___f_a_c_i_l_i_t_y _*_f_a_c_i_l_i_t_y, _i_n_t _l_e_v_e_l, - _c_o_n_s_t _c_h_a_r _*_f_o_r_m_a_t, _._._.) 
- - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__lloogg__mmssgg(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___l_o_g___f_a_c_i_l_i_t_y _*_f_a_c_i_l_i_t_y, - _c_h_a_r _*_*_r_e_p_l_y, _i_n_t _l_e_v_e_l, _c_o_n_s_t _c_h_a_r _*_f_o_r_m_a_t, _._._.) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__ooppeennlloogg(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_p_r_o_g_r_a_m, - _k_r_b_5___l_o_g___f_a_c_i_l_i_t_y _*_*_f_a_c_i_l_i_t_y) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__vvlloogg(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___l_o_g___f_a_c_i_l_i_t_y _*_f_a_c_i_l_i_t_y, _i_n_t _l_e_v_e_l, - _c_o_n_s_t _c_h_a_r _*_f_o_r_m_a_t, _v_a___l_i_s_t _a_r_g_l_i_s_t) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__vvlloogg__mmssgg(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___l_o_g___f_a_c_i_l_i_t_y _*_f_a_c_i_l_i_t_y, - _c_h_a_r _*_*_r_e_p_l_y, _i_n_t _l_e_v_e_l, _c_o_n_s_t _c_h_a_r _*_f_o_r_m_a_t, _v_a___l_i_s_t _a_r_g_l_i_s_t) - -DDEESSCCRRIIPPTTIIOONN - These functions logs messages to one or more destinations. - - The kkrrbb55__ooppeennlloogg() function creates a logging _f_a_c_i_l_i_t_y, that is used to - log messages. A facility consists of one or more destinations (which can - be files or syslog or some other device). The _p_r_o_g_r_a_m parameter should be - the generic name of the program that is doing the logging. This name is - used to lookup which destinations to use. This information is contained - in the logging section of the _k_r_b_5_._c_o_n_f configuration file. If no entry - is found for _p_r_o_g_r_a_m, the entry for default is used, or if that is miss- - ing too, SYSLOG will be used as destination. - - To close a logging facility, use the kkrrbb55__cclloosseelloogg() function. - - To log a message to a facility use one of the functions kkrrbb55__lloogg(), - kkrrbb55__lloogg__mmssgg(), kkrrbb55__vvlloogg(), or kkrrbb55__vvlloogg__mmssgg(). 
The functions ending in - _msg return in _r_e_p_l_y a pointer to the message that just got logged. This - string is allocated, and should be freed with ffrreeee(). The _f_o_r_m_a_t is a - standard pprriinnttff() style format string (but see the BUGS section). - - If you want better control of where things gets logged, you can instead - of using kkrrbb55__ooppeennlloogg() call kkrrbb55__iinniittlloogg(), which just initializes a fa- - cility, but doesn't define any actual logging destinations. You can then - add destinations with the kkrrbb55__aaddddlloogg__ddeesstt() and kkrrbb55__aaddddlloogg__ffuunncc() func- - tions. The first of these takes a string specifying a logging destina- - tion, and adds this to the facility. If you want to do some non-standard - logging you can use the kkrrbb55__aaddddlloogg__ffuunncc() function, which takes a func- - tion to use when logging. The _l_o_g function is called for each message - with _t_i_m_e being a string specifying the current time, and _m_e_s_s_a_g_e the - message to log. _c_l_o_s_e is called when the facility is closed. You can - pass application specific data in the _d_a_t_a parameter. The _m_i_n and _m_a_x pa- - rameter are the same as in a destination (defined below). To specify a - max of infinity, pass -1. - - kkrrbb55__ooppeennlloogg() calls kkrrbb55__iinniittlloogg() and then calls kkrrbb55__aaddddlloogg__ddeesstt() for - each destination found. - - DDeessttiinnaattiioonnss - The defined destinations (as specified in _k_r_b_5_._c_o_n_f) follows: - - STDERR - This logs to the program's stderr. - - FILE:_/_f_i_l_e - - FILE=_/_f_i_l_e - Log to the specified file. The form using a colon appends to - the file, the form with an equal truncates the file. The trun- - cating form keeps the file open, while the appending form - closes it after each log message (which makes it possible to - rotate logs). The truncating form is mainly for compatibility - with the MIT libkrb5. 
- - DEVICE=_/_d_e_v_i_c_e - This logs to the specified device, at present this is the same - as FILE:/device. - - CONSOLE - Log to the console, this is the same as DEVICE=/dev/console. - - SYSLOG[:priority[:facility]] - Send messages to the syslog system, using priority, and facil- - ity. To get the name for one of these, you take the name of - the macro passed to syslog(3), and remove the leading LOG_ - (LOG_NOTICE becomes NOTICE). The default values (as well as - the values used for unrecognised values), are ERR, and AUTH, - respectively. See syslog(3) for a list of priorities and fa- - cilities. - - Each destination may optionally be prepended with a range of logging lev- - els, specified as min-max/. If the _l_e_v_e_l parameter to kkrrbb55__lloogg() is with- - in this range (inclusive) the message gets logged to this destination, - otherwise not. Either of the min and max valued may be omitted, in this - case min is assumed to be zero, and max is assumed to be infinity. If - you don't include a dash, both min and max gets set to the specified val- - ue. If no range is specified, all messages gets logged. - -EEXXAAMMPPLLEE - [logging] - kdc = 0/FILE:/var/log/kdc.log - kdc = 1-/SYSLOG:INFO:USER - default = STDERR - - This will log all messages from the kkddcc program with level 0 to - _/_v_a_r_/_l_o_g_/_k_d_c_._l_o_g, other messages will be logged to syslog with priority - LOG_INFO, and facility LOG_USER. All other programs will log all messages - to their stderr. - -BBUUGGSS - These functions use aasspprriinnttff() to format the message. If your operating - system does not have a working aasspprriinnttff(), a replacement will be used. At - present this replacement does not handle some correct conversion specifi- - cations (like floating point numbers). Until this is fixed, the use of - these conversions should be avoided. 
- - If logging is done to the syslog facility, these functions might not be - thread-safe, depending on the implementation of ooppeennlloogg(), and ssyysslloogg(). - -SSEEEE AALLSSOO - syslog(3), krb5.conf(5) - - HEIMDAL August 6, 1997 3 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_parse_name.3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_parse_name.3 deleted file mode 100644 index b936c63d3f..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5_parse_name.3 +++ /dev/null 
@@ -1,68 +0,0 @@
-.\" Copyright (c) 1997 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: krb5_parse_name.3,v 1.8 2003/04/16 13:58:17 lha Exp $
-.\"
-.Dd August 8, 1997
-.Dt KRB5_PARSE_NAME 3
-.Os HEIMDAL
-.Sh NAME
-.Nm krb5_parse_name
-.Nd string to principal conversion
-.Sh LIBRARY
-Kerberos 5 Library (libkrb5, -lkrb5)
-.Sh SYNOPSIS
-.In krb5.h
-.Ft krb5_error_code
-.Fn krb5_parse_name "krb5_context context" "const char *name" "krb5_principal *principal"
-.Sh DESCRIPTION
-.Fn krb5_parse_name
-converts a string representation of a principal name to
-.Nm krb5_principal .
-The
-.Fa principal
-will point to allocated data that should be freed with
-.Fn krb5_free_principal .
-.Pp
-The string should consist of one or more name components separated with slashes
-.Pq Dq / ,
-optionally followed with an
-.Dq @
-and a realm name. A slash or @ may be contained in a name component by
-quoting it with a back-slash
-.Pq Dq \ .
-A realm should not contain slashes or colons.
-.Sh SEE ALSO
-.Xr krb5_425_conv_principal 3 ,
-.Xr krb5_build_principal 3 ,
-.Xr krb5_free_principal 3 ,
-.Xr krb5_sname_to_principal 3 ,
-.Xr krb5_unparse_name 3
diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_parse_name.cat3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_parse_name.cat3
deleted file mode 100644
index 73c72a1d54..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/krb5_parse_name.cat3
+++ /dev/null
@@ -1,30 +0,0 @@ - -KRB5_PARSE_NAME(3) UNIX Programmer's Manual KRB5_PARSE_NAME(3) - -NNAAMMEE - kkrrbb55__ppaarrssee__nnaammee - string to principal conversion - -LLIIBBRRAARRYY - Kerberos 5 Library (libkrb5, -lkrb5) - -SSYYNNOOPPSSIISS - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__ppaarrssee__nnaammee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_n_a_m_e, - _k_r_b_5___p_r_i_n_c_i_p_a_l _*_p_r_i_n_c_i_p_a_l) - -DDEESSCCRRIIPPTTIIOONN - kkrrbb55__ppaarrssee__nnaammee() converts a string representation of a principal name to - kkrrbb55__pprriinncciippaall. The _p_r_i_n_c_i_p_a_l will point to allocated data that should be - freed with kkrrbb55__ffrreeee__pprriinncciippaall(). - - The string should consist of one or more name components separated with - slashes (``/''), optionally followed with an ``@'' and a realm name. A - slash or @ may be contained in a name component by quoting it with a - back-slash (`` .'') A realm should not contain slashes or colons. - -SSEEEE AALLSSOO - krb5_425_conv_principal(3), krb5_build_principal(3), - krb5_free_principal(3), krb5_sname_to_principal(3), krb5_un- - parse_name(3) - - HEIMDAL August 8, 1997 1 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_principal_get_realm.3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_principal_get_realm.3 deleted file mode 100644 index 1ece7986ad..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5_principal_get_realm.3 +++ /dev/null 
@@ -1,81 +0,0 @@
-.\" Copyright (c) 2001 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: krb5_principal_get_realm.3,v 1.6 2003/04/16 13:58:17 lha Exp $
-.\"
-.Dd June 20, 2001
-.Dt KRB5_PRINCIPAL_GET_REALM 3
-.Os HEIMDAL
-.Sh NAME
-.Nm krb5_principal_get_realm ,
-.Nm krb5_principal_get_comp_string
-.Nd decompose a principal
-.Sh LIBRARY
-Kerberos 5 Library (libkrb5, -lkrb5)
-.Sh SYNOPSIS
-.In krb5.h
-.Ft "const char *"
-.Fn krb5_principal_get_realm "krb5_context context" "krb5_principal principal"
-.Ft "const char *"
-.Fn krb5_principal_get_comp_string "krb5_context context" "krb5_principal principal" "unsigned int component"
-.Sh DESCRIPTION
-These functions return parts of the
-.Fa principal ,
-either the realm or a specific component. The returned string points
-to data inside the principal, so they are valid only as long as the
-principal exists.
-.Pp
-The
-.Fa component
-argument to
-.Fn krb5_principal_get_comp_string
-is the component number to return, from zero to the total number of
-components minus one. If a the requested component number is out of range,
-.Dv NULL
-is returned.
-.Pp
-These functions can be seen as a replacement for the
-.Fn krb5_princ_realm ,
-.Fn krb5_princ_component
-and related macros, described as intermal in the MIT API
-specification. A difference is that these functions return strings,
-not
-.Dv krb5_data .
-A reason to return
-.Dv krb5_data
-was that it was believed that principal components could contain
-binary data, but this belief was unfounded, and it has been decided
-that principal components are infact UTF8, so it's safe to use zero
-terminated strings.
-.Pp
-It's generally not necessary to look at the components of a principal.
-.Sh SEE ALSO
-.Xr krb5_unparse_name 3
diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_principal_get_realm.cat3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_principal_get_realm.cat3
deleted file mode 100644
index 27cb8b4542..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/krb5_principal_get_realm.cat3
+++ /dev/null
@@ -1,42 +0,0 @@ - -KRB5_PRINCIPAL_GET_REALM(3)UNIX Programmer's ManualKRB5_PRINCIPAL_GET_REALM(3) - -NNAAMMEE - kkrrbb55__pprriinncciippaall__ggeett__rreeaallmm, kkrrbb55__pprriinncciippaall__ggeett__ccoommpp__ssttrriinngg - decompose a - principal - -LLIIBBRRAARRYY - Kerberos 5 Library (libkrb5, -lkrb5) - -SSYYNNOOPPSSIISS - _c_o_n_s_t _c_h_a_r _* - kkrrbb55__pprriinncciippaall__ggeett__rreeaallmm(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l) - - _c_o_n_s_t _c_h_a_r _* - kkrrbb55__pprriinncciippaall__ggeett__ccoommpp__ssttrriinngg(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, - _k_r_b_5___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l, _u_n_s_i_g_n_e_d _i_n_t _c_o_m_p_o_n_e_n_t) - -DDEESSCCRRIIPPTTIIOONN - These functions return parts of the _p_r_i_n_c_i_p_a_l, either the realm or a spe- - cific component. The returned string points to data inside the principal, - so they are valid only as long as the principal exists. - - The _c_o_m_p_o_n_e_n_t argument to kkrrbb55__pprriinncciippaall__ggeett__ccoommpp__ssttrriinngg() is the compo- - nent number to return, from zero to the total number of components minus - one. If a the requested component number is out of range, NULL is re- - turned. - - These functions can be seen as a replacement for the kkrrbb55__pprriinncc__rreeaallmm(), - kkrrbb55__pprriinncc__ccoommppoonneenntt() and related macros, described as intermal in the - MIT API specification. A difference is that these functions return - strings, not krb5_data. A reason to return krb5_data was that it was be- - lieved that principal components could contain binary data, but this be- - lief was unfounded, and it has been decided that principal components are - infact UTF8, so it's safe to use zero terminated strings. - - It's generally not necessary to look at the components of a principal. - -SSEEEE AALLSSOO - krb5_unparse_name(3) - - HEIMDAL June 20, 2001 1 
diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_set_default_realm.3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_set_default_realm.3
deleted file mode 100644
index e4b9a36c7c..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/krb5_set_default_realm.3
+++ /dev/null
@@ -1,144 +0,0 @@
-.\" Copyright (c) 2003 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: krb5_set_default_realm.3,v 1.2 2003/04/16 13:58:11 lha Exp $
-.\"
-.Dd Mar 16, 2003
-.Dt KRB5_SET_DEFAULT_REALM 3
-.Os HEIMDAL
-.Sh NAME
-.Nm krb5_free_host_realm
-.Nm krb5_get_default_realm
-.Nm krb5_get_default_realms
-.Nm krb5_get_host_realm
-.Nm krb5_set_default_realm
-.Nd default and host realm read and manipulation routines
-.Sh LIBRARY
-Kerberos 5 Library (libkrb5, -lkrb5)
-.Sh SYNOPSIS
-.In krb5.h
-.Ft krb5_error_code
-.Fo krb5_free_host_realm
-.Fa "krb5_context context"
-.Fa "krb5_realm *realmlist"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_get_default_realm
-.Fa "krb5_context context"
-.Fa "krb5_realm *realm"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_get_default_realms
-.Fa "krb5_context context"
-.Fa "krb5_realm **realm"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_get_host_realm
-.Fa "krb5_context context"
-.Fa "const char *host"
-.Fa "krb5_realm **realms"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_set_default_realm
-.Fa "krb5_context context"
-.Fa "const char *realm"
-.Fc
-.Sh DESCRIPTION
-.Fn krb5_free_host_realm
-frees all memory allocated by
-.Fa realmlist .
-.Pp
-.Fn krb5_get_default_realm
-returns the first default realm for this host.
-The realm returned should be free with
-.Fn free .
-.Pp
-.Fn krb5_get_default_realms
-returns a
-.Dv NULL
-terminated list of default realms for this context.
-Realms returned by
-.Fn krb5_get_default_realms
-should be free with
-.Fn krb5_free_host_realm .
-.Pp
-.Fn krb5_get_host_realm
-returns a
-.Dv NULL
-terminated list of realms for
-.Fa host
-by looking up the information in the
-.Li [domain_realm]
-in
-.Pa krb5.conf
-or in
-.Li DNS .
-If the mapping in
-.Li [domain_realm]
-results in the string
-.Li dns_locate ,
-DNS is used to lookup the realm.
-.Pp
-When using
-.Li DNS
-to a resolve the domain for the host a.b.c,
-.Fn krb5_get_host_realm
-looks for a
-.Dv TXT
-resource record named
-.Li _kerberos.a.b.c ,
-and if not found, it strips off the first component and tries a again
-(_kerberos.b.c) until it reaches the root.
-.Pp
-If there is no configuration or DNS information found,
-.Fn krb5_get_host_realm
-assumes it can use the domain part of the
-.Fa host
-to form a realm.
-.Pp
-.Fn krb5_set_default_realm
-sets the default realm for the
-.Fa context .
-If
-.Dv NULL
-is used as a
-.Fa realm ,
-the
-.Li [libdefaults]default_realm
-stanza in
-.Pa krb5.conf
-is used.
-If there is no such stanza in the configuration file, the
-.Fn krb5_get_host_realm
-function is used to form a default realm.
-.Sh SEE ALSO
-.Xr krb5.conf 5 ,
-.Xr free 3
diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_set_default_realm.cat3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_set_default_realm.cat3
deleted file mode 100644
index 539e65c3e1..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/krb5_set_default_realm.cat3
+++ /dev/null
@@ -1,61 +0,0 @@ - -KRB5_SET_DEFAULT_REALM(3) UNIX Programmer's Manual KRB5_SET_DEFAULT_REALM(3) - -NNAAMMEE - kkrrbb55__ffrreeee__hhoosstt__rreeaallmm kkrrbb55__ggeett__ddeeffaauulltt__rreeaallmm kkrrbb55__ggeett__ddeeffaauulltt__rreeaallmmss - kkrrbb55__ggeett__hhoosstt__rreeaallmm kkrrbb55__sseett__ddeeffaauulltt__rreeaallmm - default and host realm read - and manipulation routines - -LLIIBBRRAARRYY - Kerberos 5 Library (libkrb5, -lkrb5) - -SSYYNNOOPPSSIISS - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__ffrreeee__hhoosstt__rreeaallmm(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___r_e_a_l_m _*_r_e_a_l_m_l_i_s_t) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__ggeett__ddeeffaauulltt__rreeaallmm(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___r_e_a_l_m _*_r_e_a_l_m) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__ggeett__ddeeffaauulltt__rreeaallmmss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___r_e_a_l_m _*_*_r_e_a_l_m) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__ggeett__hhoosstt__rreeaallmm(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_h_o_s_t, - _k_r_b_5___r_e_a_l_m _*_*_r_e_a_l_m_s) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__sseett__ddeeffaauulltt__rreeaallmm(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_r_e_a_l_m) - -DDEESSCCRRIIPPTTIIOONN - kkrrbb55__ffrreeee__hhoosstt__rreeaallmm() frees all memory allocated by _r_e_a_l_m_l_i_s_t. - - kkrrbb55__ggeett__ddeeffaauulltt__rreeaallmm() returns the first default realm for this host. - The realm returned should be free with ffrreeee(). - - kkrrbb55__ggeett__ddeeffaauulltt__rreeaallmmss() returns a NULL terminated list of default - realms for this context. Realms returned by kkrrbb55__ggeett__ddeeffaauulltt__rreeaallmmss() - should be free with kkrrbb55__ffrreeee__hhoosstt__rreeaallmm(). 
- - kkrrbb55__ggeett__hhoosstt__rreeaallmm() returns a NULL terminated list of realms for _h_o_s_t - by looking up the information in the [domain_realm] in _k_r_b_5_._c_o_n_f or in - DNS. If the mapping in [domain_realm] results in the string dns_locate, - DNS is used to lookup the realm. - - When using DNS to a resolve the domain for the host a.b.c, - kkrrbb55__ggeett__hhoosstt__rreeaallmm() looks for a TXT resource record named - _kerberos.a.b.c, and if not found, it strips off the first component and - tries a again (_kerberos.b.c) until it reaches the root. - - If there is no configuration or DNS information found, - kkrrbb55__ggeett__hhoosstt__rreeaallmm() assumes it can use the domain part of the _h_o_s_t to - form a realm. - - kkrrbb55__sseett__ddeeffaauulltt__rreeaallmm() sets the default realm for the _c_o_n_t_e_x_t. If NULL - is used as a _r_e_a_l_m, the [libdefaults]default_realm stanza in _k_r_b_5_._c_o_n_f is - used. If there is no such stanza in the configuration file, the - kkrrbb55__ggeett__hhoosstt__rreeaallmm() function is used to form a default realm. - -SSEEEE AALLSSOO - krb5.conf(5), free(3) - - HEIMDAL Mar 16, 2003 1 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_set_password.3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_set_password.3 deleted file mode 100644 index e2e3086314..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5_set_password.3 +++ /dev/null 
@@ -1,109 +0,0 @@
-.\" Copyright (c) 2003 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: krb5_set_password.3,v 1.3.2.1 2004/06/21 10:51:20 lha Exp $
-.\"
-.Dd June 2, 2004
-.Dt KRB5_SET_PASSWORD 3
-.Os HEIMDAL
-.Sh NAME
-.Nm krb5_change_password ,
-.Nm krb5_set_password ,
-.Nm krb5_set_password_using_ccache
-.Nd change password functions
-.Sh LIBRARY
-Kerberos 5 Library (libkrb5, -lkrb5)
-.Sh SYNOPSIS
-.In krb5.h
-.Ft krb5_error_code
-.Fo krb5_change_password
-.Fa "krb5_context context"
-.Fa "krb5_creds *creds"
-.Fa "char *newpw"
-.Fa "int *result_code"
-.Fa "krb5_data *result_code_string"
-.Fa "krb5_data *result_string"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_set_password
-.Fa "krb5_context context"
-.Fa "krb5_creds *creds"
-.Fa "char *newpw"
-.Fa "krb5_principal targprinc",
-.Fa "int *result_code"
-.Fa "krb5_data *result_code_string"
-.Fa "krb5_data *result_string"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_set_password_using_ccache
-.Fa "krb5_context context"
-.Fa "krb5_ccache ccache"
-.Fa "char *newpw"
-.Fa "krb5_principal targprinc"
-.Fa "int *result_code"
-.Fa "krb5_data *result_code_string"
-.Fa "krb5_data *result_string"
-.Fc
-.Sh DESCRIPTION
-These functions change the password for a given principal.
-.Pp
-.Fn krb5_set_password
-and
-.Fa krb5_set_password_using_ccache
-is the newer two of the three functions and uses a newer version of the
-protocol (and falls back to the older when the newer doesn't work).
-.Pp
-.Fn krb5_change_password
-set the password
-.Fa newpasswd
-for the client principal in
-.Fa creds .
-The server principal of creds must be
-.Li kadmin/changepw .
-.Pp
-.Fn krb5_set_password
-changes the password for the principal
-.Fa targprinc ,
-if
-.Fa targprinc
-is
-.Dv NULL
-the default principal in
-.Fa ccache
-is used.
-.Pp
-Both functions returns and error in
-.Fa result_code
-and maybe an error strings to print in
-.Fa result_string .
-.Sh SEE ALSO
-.Xr krb5_ccache 3 ,
-.Xr krb5_init_context 3
diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_set_password.cat3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_set_password.cat3
deleted file mode 100644
index 5c1189674f..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/krb5_set_password.cat3
+++ /dev/null
@@ -1,46 +0,0 @@ - -KRB5_SET_PASSWORD(3) UNIX Programmer's Manual KRB5_SET_PASSWORD(3) - -NNAAMMEE - kkrrbb55__cchhaannggee__ppaasssswwoorrdd, kkrrbb55__sseett__ppaasssswwoorrdd, kkrrbb55__sseett__ppaasssswwoorrdd__uussiinngg__ccccaacchhee - - change password functions - -LLIIBBRRAARRYY - Kerberos 5 Library (libkrb5, -lkrb5) - -SSYYNNOOPPSSIISS - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__cchhaannggee__ppaasssswwoorrdd(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_r_e_d_s _*_c_r_e_d_s, - _c_h_a_r _*_n_e_w_p_w, _i_n_t _*_r_e_s_u_l_t___c_o_d_e, _k_r_b_5___d_a_t_a _*_r_e_s_u_l_t___c_o_d_e___s_t_r_i_n_g, - _k_r_b_5___d_a_t_a _*_r_e_s_u_l_t___s_t_r_i_n_g) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__sseett__ppaasssswwoorrdd(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_r_e_d_s _*_c_r_e_d_s, - _c_h_a_r _*_n_e_w_p_w,_k_r_b_5___p_r_i_n_c_i_p_a_l _t_a_r_g_p_r_i_n_c, _,, _i_n_t _*_r_e_s_u_l_t___c_o_d_e, - _k_r_b_5___d_a_t_a _*_r_e_s_u_l_t___c_o_d_e___s_t_r_i_n_g, _k_r_b_5___d_a_t_a _*_r_e_s_u_l_t___s_t_r_i_n_g) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__sseett__ppaasssswwoorrdd__uussiinngg__ccccaacchhee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_c_a_c_h_e _c_c_a_c_h_e, - _c_h_a_r _*_n_e_w_p_w, _k_r_b_5___p_r_i_n_c_i_p_a_l _t_a_r_g_p_r_i_n_c, _i_n_t _*_r_e_s_u_l_t___c_o_d_e, - _k_r_b_5___d_a_t_a _*_r_e_s_u_l_t___c_o_d_e___s_t_r_i_n_g, _k_r_b_5___d_a_t_a _*_r_e_s_u_l_t___s_t_r_i_n_g) - -DDEESSCCRRIIPPTTIIOONN - These functions change the password for a given principal. - - kkrrbb55__sseett__ppaasssswwoorrdd() and _k_r_b_5___s_e_t___p_a_s_s_w_o_r_d___u_s_i_n_g___c_c_a_c_h_e is the newer two - of the three functions and uses a newer version of the protocol (and - falls back to the older when the newer doesn't work). - - kkrrbb55__cchhaannggee__ppaasssswwoorrdd() set the password _n_e_w_p_a_s_s_w_d for the client princi- - pal in _c_r_e_d_s. The server principal of creds must be kadmin/changepw. 
- - kkrrbb55__sseett__ppaasssswwoorrdd() changes the password for the principal _t_a_r_g_p_r_i_n_c, if - _t_a_r_g_p_r_i_n_c is NULL the default principal in _c_c_a_c_h_e is used. - - Both functions returns and error in _r_e_s_u_l_t___c_o_d_e and maybe an error - strings to print in _r_e_s_u_l_t___s_t_r_i_n_g. - -SSEEEE AALLSSOO - krb5_ccache(3), krb5_init_context(3) - - HEIMDAL June 2, 2004 1 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_sname_to_principal.3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_sname_to_principal.3 deleted file mode 100644 index 5724ce1876..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5_sname_to_principal.3 +++ /dev/null 
@@ -1,85 +0,0 @@
-.\" Copyright (c) 1997 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: krb5_sname_to_principal.3,v 1.7 2003/04/16 13:58:17 lha Exp $
-.\"
-.Dd August 8, 1997
-.Dt KRB5_PRINCIPAL 3
-.Os HEIMDAL
-.Sh NAME
-.Nm krb5_sname_to_principal ,
-.Nm krb5_sock_to_principal
-.Nd create a service principal
-.Sh LIBRARY
-Kerberos 5 Library (libkrb5, -lkrb5)
-.Sh SYNOPSIS
-.In krb5.h
-.Ft krb5_error_code
-.Fn krb5_sname_to_principal "krb5_context context" "const char *hostname" "const char *sname" "int32_t type" "krb5_principal *principal"
-.Ft krb5_error_code
-.Fn krb5_sock_to_principal "krb5_context context" "int socket" "const char *sname" "int32_t type" "krb5_principal *principal"
-.Sh DESCRIPTION
-These functions create a
-.Dq service
-principal that can, for instance, be used to lookup a key in a keytab. For both these function the
-.Fa sname
-parameter will be used for the first component of the created principal. If
-.Fa sname
-is
-.Dv NULL ,
-.Dq host
-will be used instead.
-.Fn krb5_sname_to_principal
-will use the passed
-.Fa hostname
-for the second component. If type
-.Dv KRB5_NT_SRV_HST
-this name will be looked up with
-.Fn gethostbyname .
-If
-.Fa hostname is
-.Dv NULL ,
-the local hostname will be used.
-.Pp
-.Fn krb5_sock_to_principal
-will use the
-.Dq sockname
-of the passed
-.Fa socket ,
-which should be a bound
-.Dv AF_INET
-socket.
-.Sh SEE ALSO
-.Xr krb5_425_conv_principal 3 ,
-.Xr krb5_build_principal 3 ,
-.Xr krb5_free_principal 3 ,
-.Xr krb5_parse_name 3 ,
-.Xr krb5_unparse_name 3
diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_sname_to_principal.cat3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_sname_to_principal.cat3
deleted file mode 100644
index 25e0cde33b..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/krb5_sname_to_principal.cat3
+++ /dev/null
@@ -1,36 +0,0 @@ - -KRB5_PRINCIPAL(3) UNIX Programmer's Manual KRB5_PRINCIPAL(3) - -NNAAMMEE - kkrrbb55__ssnnaammee__ttoo__pprriinncciippaall, kkrrbb55__ssoocckk__ttoo__pprriinncciippaall - create a service prin- - cipal - -LLIIBBRRAARRYY - Kerberos 5 Library (libkrb5, -lkrb5) - -SSYYNNOOPPSSIISS - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__ssnnaammee__ttoo__pprriinncciippaall(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_h_o_s_t_n_a_m_e, - _c_o_n_s_t _c_h_a_r _*_s_n_a_m_e, _i_n_t_3_2___t _t_y_p_e, _k_r_b_5___p_r_i_n_c_i_p_a_l _*_p_r_i_n_c_i_p_a_l) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__ssoocckk__ttoo__pprriinncciippaall(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _i_n_t _s_o_c_k_e_t, - _c_o_n_s_t _c_h_a_r _*_s_n_a_m_e, _i_n_t_3_2___t _t_y_p_e, _k_r_b_5___p_r_i_n_c_i_p_a_l _*_p_r_i_n_c_i_p_a_l) - -DDEESSCCRRIIPPTTIIOONN - These functions create a ``service'' principal that can, for instance, be - used to lookup a key in a keytab. For both these function the _s_n_a_m_e pa- - rameter will be used for the first component of the created principal. If - _s_n_a_m_e is NULL, ``host'' will be used instead. kkrrbb55__ssnnaammee__ttoo__pprriinncciippaall() - will use the passed _h_o_s_t_n_a_m_e for the second component. If type - KRB5_NT_SRV_HST this name will be looked up with ggeetthhoossttbbyynnaammee(). If - _h_o_s_t_n_a_m_e _i_s NULL, the local hostname will be used. - - kkrrbb55__ssoocckk__ttoo__pprriinncciippaall() will use the ``sockname'' of the passed _s_o_c_k_e_t, - which should be a bound AF_INET socket. - -SSEEEE AALLSSOO - krb5_425_conv_principal(3), krb5_build_principal(3), - krb5_free_principal(3), krb5_parse_name(3), krb5_unparse_name(3) - - HEIMDAL August 8, 1997 1 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_timeofday.3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_timeofday.3 deleted file mode 100644 index 6d5dbb3ddf..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5_timeofday.3 +++ /dev/null 
@@ -1,57 +0,0 @@
-.\" Copyright (c) 2001 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\" -.\" $Id: krb5_timeofday.3,v 1.5 2003/04/16 13:58:18 lha Exp $ -.\" -.Dd July 1, 2001 -.Dt KRB5_TIMEOFDAY 3 -.Sh NAME -.Nm krb5_timeofday , -.Nm krb5_us_timeofday -.Nd whatever these functions do -.Sh LIBRARY -Kerberos 5 Library (libkrb5, -lkrb5) -.Sh SYNOPSIS -.In krb5.h -.Ft "krb5_error_code" -.Fn krb5_timeofday "krb5_context context" "krb5_timestamp *timeret" -.Ft "krb5_error_code" -.Fn krb5_us_timeofday "krb5_context context" "int32_t *sec" "int32_t *usec" -.Sh DESCRIPTION -.Fn krb5_timeofday -returns the current time, but adjusted with the time difference -between the local host and the KDC. -.Fn krb5_us_timeofday -also returns microseconds. -.Pp -.\".Sh EXAMPLE -.Sh SEE ALSO -.Xr gettimeofday 2 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_timeofday.cat3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_timeofday.cat3 deleted file mode 100644 index fe0a2afe20..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5_timeofday.cat3 +++ /dev/null @@ -1,25 +0,0 @@ - -KRB5_TIMEOFDAY(3) UNIX Programmer's Manual KRB5_TIMEOFDAY(3) - -NNAAMMEE - kkrrbb55__ttiimmeeooffddaayy, kkrrbb55__uuss__ttiimmeeooffddaayy - whatever these functions do - -LLIIBBRRAARRYY - Kerberos 5 Library (libkrb5, -lkrb5) - -SSYYNNOOPPSSIISS - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__ttiimmeeooffddaayy(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___t_i_m_e_s_t_a_m_p _*_t_i_m_e_r_e_t) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__uuss__ttiimmeeooffddaayy(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _i_n_t_3_2___t _*_s_e_c, _i_n_t_3_2___t _*_u_s_e_c) - -DDEESSCCRRIIPPTTIIOONN - kkrrbb55__ttiimmeeooffddaayy() returns the current time, but adjusted with the time - difference between the local host and the KDC. kkrrbb55__uuss__ttiimmeeooffddaayy() also - returns microseconds. - -SSEEEE AALLSSOO - gettimeofday(2) - - July 1, 2001 1 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_unparse_name.3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_unparse_name.3 deleted file mode 100644 index ed96c5d34f..0000000000 
--- a/crypto/heimdal-0.6.3/lib/krb5/krb5_unparse_name.3
+++ /dev/null
@@ -1,62 +0,0 @@
-.\" Copyright (c) 1997 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: krb5_unparse_name.3,v 1.8 2003/04/16 13:58:18 lha Exp $
-.\"
-.Dd August 8, 1997
-.Dt KRB5_UNPARSE_NAME 3
-.Os HEIMDAL
-.Sh NAME
-.Nm krb5_unparse_name
-.\" .Nm krb5_unparse_name_ext
-.Nd principal to string conversion
-.Sh LIBRARY
-Kerberos 5 Library (libkrb5, -lkrb5)
-.Sh SYNOPSIS
-.In krb5.h
-.Ft krb5_error_code
-.Fn krb5_unparse_name "krb5_context context" "krb5_principal principal" "char **name"
-.\" .Ft krb5_error_code
-.\" .Fn krb5_unparse_name_ext "krb5_context context" "krb5_const_principal principal" "char **name" "size_t *size"
-.Sh DESCRIPTION
-This function takes a
-.Fa principal ,
-and will convert in to a printable representation with the same syntax
-as described in
-.Xr krb5_parse_name 3 .
-.Fa *name
-will point to allocated data and should be freed by the caller.
-.Sh SEE ALSO
-.Xr krb5_425_conv_principal 3 ,
-.Xr krb5_build_principal 3 ,
-.Xr krb5_free_principal 3 ,
-.Xr krb5_parse_name 3 ,
-.Xr krb5_sname_to_principal 3
diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_unparse_name.cat3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_unparse_name.cat3
deleted file mode 100644
index 0eb8d76be5..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/krb5_unparse_name.cat3
+++ /dev/null
@@ -1,24 +0,0 @@ - -KRB5_UNPARSE_NAME(3) UNIX Programmer's Manual KRB5_UNPARSE_NAME(3) - -NNAAMMEE - kkrrbb55__uunnppaarrssee__nnaammee - principal to string conversion - -LLIIBBRRAARRYY - Kerberos 5 Library (libkrb5, -lkrb5) - -SSYYNNOOPPSSIISS - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__uunnppaarrssee__nnaammee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l, - _c_h_a_r _*_*_n_a_m_e) - -DDEESSCCRRIIPPTTIIOONN - This function takes a _p_r_i_n_c_i_p_a_l, and will convert in to a printable rep- - resentation with the same syntax as described in krb5_parse_name(3). - _*_n_a_m_e will point to allocated data and should be freed by the caller. - -SSEEEE AALLSSOO - krb5_425_conv_principal(3), krb5_build_principal(3), - krb5_free_principal(3), krb5_parse_name(3), krb5_sname_to_principal(3) - - HEIMDAL August 8, 1997 1 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_verify_user.3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_verify_user.3 deleted file mode 100644 index 1357ef186e..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5_verify_user.3 +++ /dev/null 
@@ -1,225 +0,0 @@
-.\" Copyright (c) 2001 - 2003 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: krb5_verify_user.3,v 1.10 2003/04/16 13:58:11 lha Exp $
-.\"
-.Dd March 25, 2003
-.Dt KRB5_VERIFY_USER 3
-.Os HEIMDAL
-.Sh NAME
-.Nm krb5_verify_user ,
-.Nm krb5_verify_user_lrealm ,
-.Nm krb5_verify_user_opt ,
-.Nm krb5_verify_opt_init
-.Nm krb5_verify_opt_set_flags ,
-.Nm krb5_verify_opt_set_service ,
-.Nm krb5_verify_opt_set_secure ,
-.Nm krb5_verify_opt_set_keytab
-.Nd Heimdal password verifying functions.
-.Sh LIBRARY
-Kerberos 5 Library (libkrb5, -lkrb5)
-.Sh SYNOPSIS
-.In krb5.h
-.Ft krb5_error_code
-.Fn "krb5_verify_user" "krb5_context context" " krb5_principal principal" "krb5_ccache ccache" "const char *password" "krb5_boolean secure" "const char *service"
-.Ft krb5_error_code
-.Fn "krb5_verify_user_lrealm" "krb5_context context" "krb5_principal principal" "krb5_ccache ccache" "const char *password" "krb5_boolean secure" "const char *service"
-.Ft void
-.Fn krb5_verify_opt_init "krb5_verify_opt *opt"
-.Ft void
-.Fn krb5_verify_opt_set_ccache "krb5_verify_opt *opt" "krb5_ccache ccache"
-.Ft void
-.Fn krb5_verify_opt_set_keytab "krb5_verify_opt *opt" "krb5_keytab keytab"
-.Ft void
-.Fn krb5_verify_opt_set_secure "krb5_verify_opt *opt" "krb5_boolean secure"
-.Ft void
-.Fn krb5_verify_opt_set_service "krb5_verify_opt *opt" "const char *service"
-.Ft void
-.Fn krb5_verify_opt_set_flags "krb5_verify_opt *opt" "unsigned int flags"
-.Ft krb5_error_code
-.Fo krb5_verify_user_opt
-.Fa "krb5_context context"
-.Fa "krb5_principal principal"
-.Fa "const char *password"
-.Fa "krb5_verify_opt *opt"
-.Fc
-.Sh DESCRIPTION
-The
-.Nm krb5_verify_user
-function verifies the password supplied by a user.
-The principal whose password will be verified is specified in
-.Fa principal .
-New tickets will be obtained as a side-effect and stored in
-.Fa ccache
-(if
-.Dv NULL ,
-the default ccache is used).
-.Fn krb5_verify_user
-will call
-.Fn krb5_cc_initialize
-on the given
-.Fa ccache ,
-so
-.Fa ccache
-must only initialized with
-.Fn krb5_cc_resolve
-or
-.Fn krb5_cc_gen_new .
-If the password is not supplied in
-.Fa password
-(and is given as
-.Dv NULL )
-the user will be prompted for it.
-If
-.Fa secure
-the ticket will be verified against the locally stored service key
-.Fa service
-(by default
-.Ql host
-if given as
-.Dv NULL
-).
-.Pp
-The
-.Nm krb5_verify_user_lrealm
-function does the same, except that it ignores the realm in
-.Fa principal
-and tries all the local realms (see
-.Xr krb5.conf 5 ) .
-After a successful return, the principal is set to the authenticated
-realm. If the call fails, the principal will not be meaningful, and
-should only be freed with
-.Xr krb5_free_principal 3 .
-.Pp
-.Fn krb5_verify_opt_init
-resets all opt to default values.
-.Pp
-None of the krb5_verify_opt_set function makes a copy of the data
-structure that they are called with. Its up the caller to free them
-after the
-.Fn krb5_verify_user_opt
-is called.
-.Pp
-.Fn krb5_verify_opt_set_ccache
-sets the
-.Fa ccache
-that user of
-.Fa opt
-will use. If not set, the default credential cache will be used.
-.Pp
-.Fn krb5_verify_opt_set_keytab
-sets the
-.Fa keytab
-that user of
-.Fa opt
-will use. If not set, the default keytab will be used.
-.Pp
-.Fn krb5_verify_opt_set_secure
-if
-.Fa secure
-if true, the password verification will require that the ticket will
-be verified against the locally stored service key. If not set,
-default value is true.
-.Pp
-.Fn krb5_verify_opt_set_service
-sets the
-.Fa service
-principal that user of
-.Fa opt
-will use. If not set, the
-.Ql host
-service will be used.
-.Pp
-.Fn krb5_verify_opt_set_flags
-sets
-.Fa flags
-that user of
-.Fa opt
-will use.
-If the flag
-.Dv KRB5_VERIFY_LREALMS
-is used, the
-.Fa principal
-will be modified like
-.Fn krb5_verify_user_lrealm
-modifies it.
-.Pp
-.Fn krb5_verify_user_opt
-function verifies the
-.Fa password
-supplied by a user.
-The principal whose password will be verified is specified in
-.Fa principal .
-Options the to the verification process is pass in in
-.Fa opt .
-.Sh EXAMPLE
-Here is a example program that verifies a password. it uses the
-.Ql host/`hostname`
-service principal in
-.Pa krb5.keytab .
-.Bd -literal
-#include
-
-int
-main(int argc, char **argv)
-{
- char *user;
- krb5_error_code error;
- krb5_principal princ;
- krb5_context context;
-
- if (argc != 2)
- errx(1, "usage: verify_passwd ");
-
- user = argv[1];
-
- if (krb5_init_context(&context) < 0)
- errx(1, "krb5_init_context");
-
- if ((error = krb5_parse_name(context, user, &princ)) != 0)
- krb5_err(context, 1, error, "krb5_parse_name");
-
- error = krb5_verify_user(context, princ, NULL, NULL, TRUE, NULL);
- if (error)
- krb5_err(context, 1, error, "krb5_verify_user");
-
- return 0;
-}
-.Ed
-.Sh SEE ALSO
-.Xr krb5_err 3 ,
-.Xr krb5_cc_gen_new 3 ,
-.Xr krb5_cc_resolve 3 ,
-.Xr krb5_cc_initialize 3 ,
-.Xr krb5_free_principal 3 ,
-.Xr krb5_init_context 3 ,
-.Xr krb5_kt_default 3 ,
-.Xr krb5.conf 5
diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_verify_user.cat3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_verify_user.cat3
deleted file mode 100644
index ef1250ed61..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/krb5_verify_user.cat3
+++ /dev/null
@@ -1,128 +0,0 @@ - -KRB5_VERIFY_USER(3) UNIX Programmer's Manual KRB5_VERIFY_USER(3) - -NNAAMMEE - kkrrbb55__vveerriiffyy__uusseerr, kkrrbb55__vveerriiffyy__uusseerr__llrreeaallmm, kkrrbb55__vveerriiffyy__uusseerr__oopptt, - kkrrbb55__vveerriiffyy__oopptt__iinniitt kkrrbb55__vveerriiffyy__oopptt__sseett__ffllaaggss, - kkrrbb55__vveerriiffyy__oopptt__sseett__sseerrvviiccee, kkrrbb55__vveerriiffyy__oopptt__sseett__sseeccuurree, - kkrrbb55__vveerriiffyy__oopptt__sseett__kkeeyyttaabb - Heimdal password verifying functions. - -LLIIBBRRAARRYY - Kerberos 5 Library (libkrb5, -lkrb5) - -SSYYNNOOPPSSIISS - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__vveerriiffyy__uusseerr(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l, - _k_r_b_5___c_c_a_c_h_e _c_c_a_c_h_e, _c_o_n_s_t _c_h_a_r _*_p_a_s_s_w_o_r_d, _k_r_b_5___b_o_o_l_e_a_n _s_e_c_u_r_e, - _c_o_n_s_t _c_h_a_r _*_s_e_r_v_i_c_e) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__vveerriiffyy__uusseerr__llrreeaallmm(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l, - _k_r_b_5___c_c_a_c_h_e _c_c_a_c_h_e, _c_o_n_s_t _c_h_a_r _*_p_a_s_s_w_o_r_d, _k_r_b_5___b_o_o_l_e_a_n _s_e_c_u_r_e, - _c_o_n_s_t _c_h_a_r _*_s_e_r_v_i_c_e) - - _v_o_i_d - kkrrbb55__vveerriiffyy__oopptt__iinniitt(_k_r_b_5___v_e_r_i_f_y___o_p_t _*_o_p_t) - - _v_o_i_d - kkrrbb55__vveerriiffyy__oopptt__sseett__ccccaacchhee(_k_r_b_5___v_e_r_i_f_y___o_p_t _*_o_p_t, _k_r_b_5___c_c_a_c_h_e _c_c_a_c_h_e) - - _v_o_i_d - kkrrbb55__vveerriiffyy__oopptt__sseett__kkeeyyttaabb(_k_r_b_5___v_e_r_i_f_y___o_p_t _*_o_p_t, _k_r_b_5___k_e_y_t_a_b _k_e_y_t_a_b) - - _v_o_i_d - kkrrbb55__vveerriiffyy__oopptt__sseett__sseeccuurree(_k_r_b_5___v_e_r_i_f_y___o_p_t _*_o_p_t, _k_r_b_5___b_o_o_l_e_a_n _s_e_c_u_r_e) - - _v_o_i_d - kkrrbb55__vveerriiffyy__oopptt__sseett__sseerrvviiccee(_k_r_b_5___v_e_r_i_f_y___o_p_t _*_o_p_t, _c_o_n_s_t _c_h_a_r _*_s_e_r_v_i_c_e) - - _v_o_i_d - 
kkrrbb55__vveerriiffyy__oopptt__sseett__ffllaaggss(_k_r_b_5___v_e_r_i_f_y___o_p_t _*_o_p_t, _u_n_s_i_g_n_e_d _i_n_t _f_l_a_g_s) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__vveerriiffyy__uusseerr__oopptt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l, - _c_o_n_s_t _c_h_a_r _*_p_a_s_s_w_o_r_d, _k_r_b_5___v_e_r_i_f_y___o_p_t _*_o_p_t) - -DDEESSCCRRIIPPTTIIOONN - The kkrrbb55__vveerriiffyy__uusseerr function verifies the password supplied by a user. - The principal whose password will be verified is specified in _p_r_i_n_c_i_p_a_l. - New tickets will be obtained as a side-effect and stored in _c_c_a_c_h_e (if - NULL, the default ccache is used). kkrrbb55__vveerriiffyy__uusseerr() will call - kkrrbb55__cccc__iinniittiiaalliizzee() on the given _c_c_a_c_h_e, so _c_c_a_c_h_e must only initialized - with kkrrbb55__cccc__rreessoollvvee() or kkrrbb55__cccc__ggeenn__nneeww(). If the password is not sup- - plied in _p_a_s_s_w_o_r_d (and is given as NULL) the user will be prompted for - it. If _s_e_c_u_r_e the ticket will be verified against the locally stored - service key _s_e_r_v_i_c_e (by default `host' if given as NULL ). - - The kkrrbb55__vveerriiffyy__uusseerr__llrreeaallmm function does the same, except that it ig- - nores the realm in _p_r_i_n_c_i_p_a_l and tries all the local realms (see - krb5.conf(5)). After a successful return, the principal is set to the - authenticated realm. If the call fails, the principal will not be mean- - ingful, and should only be freed with krb5_free_principal(3). - - kkrrbb55__vveerriiffyy__oopptt__iinniitt() resets all opt to default values. - - - None of the krb5_verify_opt_set function makes a copy of the data struc- - ture that they are called with. Its up the caller to free them after the - kkrrbb55__vveerriiffyy__uusseerr__oopptt() is called. - - kkrrbb55__vveerriiffyy__oopptt__sseett__ccccaacchhee() sets the _c_c_a_c_h_e that user of _o_p_t will use. 
- If not set, the default credential cache will be used. - - kkrrbb55__vveerriiffyy__oopptt__sseett__kkeeyyttaabb() sets the _k_e_y_t_a_b that user of _o_p_t will use. - If not set, the default keytab will be used. - - kkrrbb55__vveerriiffyy__oopptt__sseett__sseeccuurree() if _s_e_c_u_r_e if true, the password verification - will require that the ticket will be verified against the locally stored - service key. If not set, default value is true. - - kkrrbb55__vveerriiffyy__oopptt__sseett__sseerrvviiccee() sets the _s_e_r_v_i_c_e principal that user of _o_p_t - will use. If not set, the `host' service will be used. - - kkrrbb55__vveerriiffyy__oopptt__sseett__ffllaaggss() sets _f_l_a_g_s that user of _o_p_t will use. If the - flag KRB5_VERIFY_LREALMS is used, the _p_r_i_n_c_i_p_a_l will be modified like - kkrrbb55__vveerriiffyy__uusseerr__llrreeaallmm() modifies it. - - kkrrbb55__vveerriiffyy__uusseerr__oopptt() function verifies the _p_a_s_s_w_o_r_d supplied by a user. - The principal whose password will be verified is specified in _p_r_i_n_c_i_p_a_l. - Options the to the verification process is pass in in _o_p_t. - -EEXXAAMMPPLLEE - Here is a example program that verifies a password. it uses the - `host/`hostname`' service principal in _k_r_b_5_._k_e_y_t_a_b. 
- - #include - - int - main(int argc, char **argv) - { - char *user; - krb5_error_code error; - krb5_principal princ; - krb5_context context; - - if (argc != 2) - errx(1, "usage: verify_passwd "); - - user = argv[1]; - - if (krb5_init_context(&context) < 0) - errx(1, "krb5_init_context"); - - if ((error = krb5_parse_name(context, user, &princ)) != 0) - krb5_err(context, 1, error, "krb5_parse_name"); - - error = krb5_verify_user(context, princ, NULL, NULL, TRUE, NULL); - if (error) - krb5_err(context, 1, error, "krb5_verify_user"); - - return 0; - } - -SSEEEE AALLSSOO - krb5_err(3), krb5_cc_gen_new(3), krb5_cc_resolve(3), - krb5_cc_initialize(3), krb5_free_principal(3), krb5_init_context(3), - krb5_kt_default(3), krb5.conf(5) - - HEIMDAL March 25, 2003 2 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_warn.3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_warn.3 deleted file mode 100644 index 7ed4b31fbc..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krb5_warn.3 +++ /dev/null 
@@ -1,68 +0,0 @@
-.\" Copyright (c) 1997 Kungliga Tekniska Högskolan
-.\" $Id: krb5_warn.3,v 1.7 2003/04/16 19:31:49 lha Exp $
-.Dd August 8, 1997
-.Dt KRB5_WARN 3
-.Os HEIMDAL
-.Sh NAME
-.Nm krb5_warn ,
-.Nm krb5_warnx ,
-.Nm krb5_vwarn ,
-.Nm krb5_vwarnx ,
-.Nm krb5_err ,
-.Nm krb5_errx ,
-.Nm krb5_verr ,
-.Nm krb5_verrx ,
-.Nm krb5_set_warn_dest
-.Nd Heimdal warning and error functions
-.Sh LIBRARY
-Kerberos 5 Library (libkrb5, -lkrb5)
-.Sh SYNOPSIS
-.In krb5.h
-.Ft krb5_error_code
-.Fn krb5_err "krb5_context context" "int eval" "krb5_error_code code" "const char *format" "..."
-.Ft krb5_error_code
-.Fn krb5_errx "krb5_context context" "int eval" "const char *format" "..."
-.Ft krb5_error_code
-.Fn krb5_verr "krb5_context context" "int eval" "krb5_error_code code" "const char *format" "va_list ap"
-.Ft krb5_error_code
-.Fn krb5_verrx "krb5_context context" "int eval" "const char *format" "va_list ap"
-.Ft krb5_error_code
-.Fn krb5_vwarn "krb5_context context" "krb5_error_code code" "const char *format" "va_list ap"
-.Ft krb5_error_code
-.Fn krb5_vwarnx "krb5_context context" "const char *format" "va_list ap"
-.Ft krb5_error_code
-.Fn krb5_warn "krb5_context context" "krb5_error_code code" "const char *format" "..."
-.Ft krb5_error_code
-.Fn krb5_warnx "krb5_context context" "const char *format" "..."
-.Ft krb5_error_code
-.Fn krb5_set_warn_dest "krb5_context context" "krb5_log_facility *facility"
-.Ft "char *"
-.Fn krb5_get_err_text "krb5_context context" "krb5_error_code code"
-.Sh DESCRIPTION
-These functions prints a warning message to some destination.
-.Fa format
-is a printf style format specifying the message to print. The forms not ending in an
-.Dq x
-prints the error string associated with
-.Fa code
-along with the message.
-The
-.Dq err
-functions exits with exit status
-.Fa eval
-after printing the message.
-.Pp
-The
-.Fn krb5_set_warn_func
-function sets the destination for warning messages to the specified
-.Fa facility .
-Messages logged with the
-.Dq warn
-functions have a log level of 1, while the
-.Dq err
-functions logs with level 0.
-.Pp
-.Fn krb5_get_err_text
-fetches the human readable strings describing the error-code.
-.Sh SEE ALSO
-.Xr krb5_openlog 3
diff --git a/crypto/heimdal-0.6.3/lib/krb5/krb5_warn.cat3 b/crypto/heimdal-0.6.3/lib/krb5/krb5_warn.cat3
deleted file mode 100644
index 72777bd8f9..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/krb5_warn.cat3
+++ /dev/null
@@ -1,66 +0,0 @@ - -KRB5_WARN(3) UNIX Programmer's Manual KRB5_WARN(3) - -NNAAMMEE - kkrrbb55__wwaarrnn, kkrrbb55__wwaarrnnxx, kkrrbb55__vvwwaarrnn, kkrrbb55__vvwwaarrnnxx, kkrrbb55__eerrrr, kkrrbb55__eerrrrxx, - kkrrbb55__vveerrrr, kkrrbb55__vveerrrrxx, kkrrbb55__sseett__wwaarrnn__ddeesstt - Heimdal warning and error - functions - -LLIIBBRRAARRYY - Kerberos 5 Library (libkrb5, -lkrb5) - -SSYYNNOOPPSSIISS - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__eerrrr(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _i_n_t _e_v_a_l, _k_r_b_5___e_r_r_o_r___c_o_d_e _c_o_d_e, - _c_o_n_s_t _c_h_a_r _*_f_o_r_m_a_t, _._._.) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__eerrrrxx(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _i_n_t _e_v_a_l, _c_o_n_s_t _c_h_a_r _*_f_o_r_m_a_t, _._._.) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__vveerrrr(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _i_n_t _e_v_a_l, _k_r_b_5___e_r_r_o_r___c_o_d_e _c_o_d_e, - _c_o_n_s_t _c_h_a_r _*_f_o_r_m_a_t, _v_a___l_i_s_t _a_p) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__vveerrrrxx(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _i_n_t _e_v_a_l, _c_o_n_s_t _c_h_a_r _*_f_o_r_m_a_t, - _v_a___l_i_s_t _a_p) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__vvwwaarrnn(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___e_r_r_o_r___c_o_d_e _c_o_d_e, - _c_o_n_s_t _c_h_a_r _*_f_o_r_m_a_t, _v_a___l_i_s_t _a_p) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__vvwwaarrnnxx(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_f_o_r_m_a_t, _v_a___l_i_s_t _a_p) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__wwaarrnn(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___e_r_r_o_r___c_o_d_e _c_o_d_e, _c_o_n_s_t _c_h_a_r _*_f_o_r_m_a_t, - _._._.) - - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__wwaarrnnxx(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_f_o_r_m_a_t, _._._.) 
- - _k_r_b_5___e_r_r_o_r___c_o_d_e - kkrrbb55__sseett__wwaarrnn__ddeesstt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___l_o_g___f_a_c_i_l_i_t_y _*_f_a_c_i_l_i_t_y) - - _c_h_a_r _* - kkrrbb55__ggeett__eerrrr__tteexxtt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___e_r_r_o_r___c_o_d_e _c_o_d_e) - -DDEESSCCRRIIPPTTIIOONN - These functions prints a warning message to some destination. _f_o_r_m_a_t is - a printf style format specifying the message to print. The forms not end- - ing in an ``x'' prints the error string associated with _c_o_d_e along with - the message. The ``err'' functions exits with exit status _e_v_a_l after - printing the message. - - The kkrrbb55__sseett__wwaarrnn__ffuunncc() function sets the destination for warning mes- - sages to the specified _f_a_c_i_l_i_t_y. Messages logged with the ``warn'' func- - tions have a log level of 1, while the ``err'' functions logs with level - 0. - - kkrrbb55__ggeett__eerrrr__tteexxtt() fetches the human readable strings describing the er- - ror-code. - -SSEEEE AALLSSOO - krb5_openlog(3) - - HEIMDAL August 8, 1997 1 diff --git a/crypto/heimdal-0.6.3/lib/krb5/krbhst-test.c b/crypto/heimdal-0.6.3/lib/krb5/krbhst-test.c deleted file mode 100644 index bf98104706..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/krbhst-test.c +++ /dev/null 
@@ -1,104 +0,0 @@
-/*
- * Copyright (c) 2001 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-
-#include
-#include
-
-RCSID("$Id: krbhst-test.c,v 1.3 2002/08/23 03:43:18 assar Exp $");
-
-static int version_flag = 0;
-static int help_flag = 0;
-
-static struct getargs args[] = {
- {"version", 0, arg_flag, &version_flag,
- "print version", NULL },
- {"help", 0, arg_flag, &help_flag,
- NULL, NULL }
-};
-
-static void
-usage (int ret)
-{
- arg_printusage (args,
- sizeof(args)/sizeof(*args),
- NULL,
- "[realms ...]");
- exit (ret);
-}
-
-int
-main(int argc, char **argv)
-{
- int i, j;
- krb5_context context;
- int types[] = {KRB5_KRBHST_KDC, KRB5_KRBHST_ADMIN, KRB5_KRBHST_CHANGEPW,
- KRB5_KRBHST_KRB524};
- const char *type_str[] = {"kdc", "admin", "changepw", "krb524"};
- int optind = 0;
-
- setprogname (argv[0]);
-
- if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
- usage(1);
-
- if (help_flag)
- usage (0);
-
- if(version_flag){
- print_version(NULL);
- exit(0);
- }
-
- argc -= optind;
- argv += optind;
-
- krb5_init_context (&context);
- for(i = 0; i < argc; i++) {
- krb5_krbhst_handle handle;
- char host[MAXHOSTNAMELEN];
-
- for (j = 0; j < sizeof(types)/sizeof(*types); ++j) {
- printf ("%s for %s:\n", type_str[j], argv[i]);
-
- krb5_krbhst_init(context, argv[i], types[j], &handle);
- while(krb5_krbhst_next_as_string(context, handle,
- host, sizeof(host)) == 0)
- printf("%s\n", host);
- krb5_krbhst_reset(context, handle);
- printf ("\n");
- }
- }
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/lib/krb5/krbhst.c b/crypto/heimdal-0.6.3/lib/krb5/krbhst.c
deleted file mode 100644
index e0cc9f47f2..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/krbhst.c
+++ /dev/null
@@ -1,823 +0,0 @@
-/*
- * Copyright (c) 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "krb5_locl.h" -#include - -RCSID("$Id: krbhst.c,v 1.43.2.1 2003/04/22 15:00:38 lha Exp $"); - -static int -string_to_proto(const char *string) -{ - if(strcasecmp(string, "udp") == 0) - return KRB5_KRBHST_UDP; - else if(strcasecmp(string, "tcp") == 0) - return KRB5_KRBHST_TCP; - else if(strcasecmp(string, "http") == 0) - return KRB5_KRBHST_HTTP; - return -1; -} - -/* - * set `res' and `count' to the result of looking up SRV RR in DNS for - * `proto', `proto', `realm' using `dns_type'. - * if `port' != 0, force that port number - */ - -static krb5_error_code -srv_find_realm(krb5_context context, krb5_krbhst_info ***res, int *count, - const char *realm, const char *dns_type, - const char *proto, const char *service, int port) -{ - char domain[1024]; - struct dns_reply *r; - struct resource_record *rr; - int num_srv; - int proto_num; - int def_port; - - proto_num = string_to_proto(proto); - if(proto_num < 0) { - krb5_set_error_string(context, "unknown protocol `%s'", proto); - return EINVAL; - } - - if(proto_num == KRB5_KRBHST_HTTP) - def_port = ntohs(krb5_getportbyname (context, "http", "tcp", 80)); - else if(port == 0) - def_port = ntohs(krb5_getportbyname (context, service, proto, 88)); - else - def_port = port; - - snprintf(domain, sizeof(domain), "_%s._%s.%s.", service, proto, realm); - - r = dns_lookup(domain, dns_type); - if(r == NULL) { - *res = NULL; - *count = 0; - return KRB5_KDC_UNREACH; - } - - for(num_srv = 0, rr = r->head; rr; rr = rr->next) - if(rr->type == T_SRV) - num_srv++; - - *res = malloc(num_srv * sizeof(**res)); - if(*res == NULL) { - dns_free_data(r); - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - - dns_srv_order(r); - - for(num_srv = 0, rr = r->head; rr; rr = rr->next) - if(rr->type == T_SRV) { - krb5_krbhst_info *hi; - size_t len = strlen(rr->u.srv->target); - - hi = calloc(1, sizeof(*hi) + len); - if(hi == NULL) { - dns_free_data(r); - while(--num_srv >= 0) - free((*res)[num_srv]); - 
free(*res); - return ENOMEM; - } - (*res)[num_srv++] = hi; - - hi->proto = proto_num; - - hi->def_port = def_port; - if (port != 0) - hi->port = port; - else - hi->port = rr->u.srv->port; - - strlcpy(hi->hostname, rr->u.srv->target, len + 1); - } - - *count = num_srv; - - dns_free_data(r); - return 0; -} - - -struct krb5_krbhst_data { - char *realm; - unsigned int flags; - int def_port; - int port; /* hardwired port number if != 0 */ -#define KD_CONFIG 1 -#define KD_SRV_UDP 2 -#define KD_SRV_TCP 4 -#define KD_SRV_HTTP 8 -#define KD_FALLBACK 16 -#define KD_CONFIG_EXISTS 32 - - krb5_error_code (*get_next)(krb5_context, struct krb5_krbhst_data *, - krb5_krbhst_info**); - - unsigned int fallback_count; - - struct krb5_krbhst_info *hosts, **index, **end; -}; - -static krb5_boolean -krbhst_empty(const struct krb5_krbhst_data *kd) -{ - return kd->index == &kd->hosts; -} - -/* - * parse `spec' into a krb5_krbhst_info, defaulting the port to `def_port' - * and forcing it to `port' if port != 0 - */ - -static struct krb5_krbhst_info* -parse_hostspec(krb5_context context, const char *spec, int def_port, int port) -{ - const char *p = spec; - struct krb5_krbhst_info *hi; - - hi = calloc(1, sizeof(*hi) + strlen(spec)); - if(hi == NULL) - return NULL; - - hi->proto = KRB5_KRBHST_UDP; - - if(strncmp(p, "http://", 7) == 0){ - hi->proto = KRB5_KRBHST_HTTP; - p += 7; - } else if(strncmp(p, "http/", 5) == 0) { - hi->proto = KRB5_KRBHST_HTTP; - p += 5; - def_port = ntohs(krb5_getportbyname (context, "http", "tcp", 80)); - }else if(strncmp(p, "tcp/", 4) == 0){ - hi->proto = KRB5_KRBHST_TCP; - p += 4; - } else if(strncmp(p, "udp/", 4) == 0) { - p += 4; - } - - if(strsep_copy(&p, ":", hi->hostname, strlen(spec) + 1) < 0) { - free(hi); - return NULL; - } - /* get rid of trailing /, and convert to lower case */ - hi->hostname[strcspn(hi->hostname, "/")] = '\0'; - strlwr(hi->hostname); - - hi->port = hi->def_port = def_port; - if(p != NULL) { - char *end; - hi->port = strtol(p, &end, 0); - 
if(end == p) { - free(hi); - return NULL; - } - } - if (port) - hi->port = port; - return hi; -} - -static void -free_krbhst_info(krb5_krbhst_info *hi) -{ - if (hi->ai != NULL) - freeaddrinfo(hi->ai); - free(hi); -} - -static void -append_host_hostinfo(struct krb5_krbhst_data *kd, struct krb5_krbhst_info *host) -{ - struct krb5_krbhst_info *h; - - for(h = kd->hosts; h; h = h->next) - if(h->proto == host->proto && - h->port == host->port && - strcmp(h->hostname, host->hostname) == 0) { - free_krbhst_info(host); - return; - } - *kd->end = host; - kd->end = &host->next; -} - -static krb5_error_code -append_host_string(krb5_context context, struct krb5_krbhst_data *kd, - const char *host, int def_port, int port) -{ - struct krb5_krbhst_info *hi; - - hi = parse_hostspec(context, host, def_port, port); - if(hi == NULL) - return ENOMEM; - - append_host_hostinfo(kd, hi); - return 0; -} - -/* - * return a readable representation of `host' in `hostname, hostlen' - */ - -krb5_error_code -krb5_krbhst_format_string(krb5_context context, const krb5_krbhst_info *host, - char *hostname, size_t hostlen) -{ - const char *proto = ""; - char portstr[7] = ""; - if(host->proto == KRB5_KRBHST_TCP) - proto = "tcp/"; - else if(host->proto == KRB5_KRBHST_HTTP) - proto = "http://"; - if(host->port != host->def_port) - snprintf(portstr, sizeof(portstr), ":%d", host->port); - snprintf(hostname, hostlen, "%s%s%s", proto, host->hostname, portstr); - return 0; -} - -/* - * create a getaddrinfo `hints' based on `proto' - */ - -static void -make_hints(struct addrinfo *hints, int proto) -{ - memset(hints, 0, sizeof(*hints)); - hints->ai_family = AF_UNSPEC; - switch(proto) { - case KRB5_KRBHST_UDP : - hints->ai_socktype = SOCK_DGRAM; - break; - case KRB5_KRBHST_HTTP : - case KRB5_KRBHST_TCP : - hints->ai_socktype = SOCK_STREAM; - break; - } -} - -/* - * return an `struct addrinfo *' in `ai' corresponding to the information - * in `host'. free:ing is handled by krb5_krbhst_free. 
- */ - -krb5_error_code -krb5_krbhst_get_addrinfo(krb5_context context, krb5_krbhst_info *host, - struct addrinfo **ai) -{ - struct addrinfo hints; - char portstr[NI_MAXSERV]; - int ret; - - if (host->ai == NULL) { - make_hints(&hints, host->proto); - snprintf (portstr, sizeof(portstr), "%d", host->port); - ret = getaddrinfo(host->hostname, portstr, &hints, &host->ai); - if (ret) - return krb5_eai_to_heim_errno(ret, errno); - } - *ai = host->ai; - return 0; -} - -static krb5_boolean -get_next(struct krb5_krbhst_data *kd, krb5_krbhst_info **host) -{ - struct krb5_krbhst_info *hi = *kd->index; - if(hi != NULL) { - *host = hi; - kd->index = &(*kd->index)->next; - return TRUE; - } - return FALSE; -} - -static void -srv_get_hosts(krb5_context context, struct krb5_krbhst_data *kd, - const char *proto, const char *service) -{ - krb5_krbhst_info **res; - int count, i; - - srv_find_realm(context, &res, &count, kd->realm, "SRV", proto, service, - kd->port); - for(i = 0; i < count; i++) - append_host_hostinfo(kd, res[i]); - free(res); -} - -/* - * read the configuration for `conf_string', defaulting to kd->def_port and - * forcing it to `kd->port' if kd->port != 0 - */ - -static void -config_get_hosts(krb5_context context, struct krb5_krbhst_data *kd, - const char *conf_string) -{ - int i; - - char **hostlist; - hostlist = krb5_config_get_strings(context, NULL, - "realms", kd->realm, conf_string, NULL); - - if(hostlist == NULL) - return; - kd->flags |= KD_CONFIG_EXISTS; - for(i = 0; hostlist && hostlist[i] != NULL; i++) - append_host_string(context, kd, hostlist[i], kd->def_port, kd->port); - - krb5_config_free_strings(hostlist); -} - -/* - * as a fallback, look for `serv_string.kd->realm' (typically - * kerberos.REALM, kerberos-1.REALM, ... 
- * `port' is the default port for the service, and `proto' the - * protocol - */ - -static krb5_error_code -fallback_get_hosts(krb5_context context, struct krb5_krbhst_data *kd, - const char *serv_string, int port, int proto) -{ - char *host; - int ret; - struct addrinfo *ai; - struct addrinfo hints; - char portstr[NI_MAXSERV]; - - if(kd->fallback_count == 0) - asprintf(&host, "%s.%s.", serv_string, kd->realm); - else - asprintf(&host, "%s-%d.%s.", - serv_string, kd->fallback_count, kd->realm); - - if (host == NULL) - return ENOMEM; - - make_hints(&hints, proto); - snprintf(portstr, sizeof(portstr), "%d", port); - ret = getaddrinfo(host, portstr, &hints, &ai); - if (ret) { - /* no more hosts, so we're done here */ - free(host); - kd->flags |= KD_FALLBACK; - } else { - struct krb5_krbhst_info *hi; - size_t hostlen = strlen(host); - - hi = calloc(1, sizeof(*hi) + hostlen); - if(hi == NULL) { - free(host); - return ENOMEM; - } - - hi->proto = proto; - hi->port = hi->def_port = port; - hi->ai = ai; - memmove(hi->hostname, host, hostlen - 1); - hi->hostname[hostlen - 1] = '\0'; - free(host); - append_host_hostinfo(kd, hi); - kd->fallback_count++; - } - return 0; -} - -static krb5_error_code -kdc_get_next(krb5_context context, - struct krb5_krbhst_data *kd, - krb5_krbhst_info **host) -{ - krb5_error_code ret; - - if((kd->flags & KD_CONFIG) == 0) { - config_get_hosts(context, kd, "kdc"); - kd->flags |= KD_CONFIG; - if(get_next(kd, host)) - return 0; - } - - if (kd->flags & KD_CONFIG_EXISTS) - return KRB5_KDC_UNREACH; /* XXX */ - - if(context->srv_lookup) { - if((kd->flags & KD_SRV_UDP) == 0) { - srv_get_hosts(context, kd, "udp", "kerberos"); - kd->flags |= KD_SRV_UDP; - if(get_next(kd, host)) - return 0; - } - - if((kd->flags & KD_SRV_TCP) == 0) { - srv_get_hosts(context, kd, "tcp", "kerberos"); - kd->flags |= KD_SRV_TCP; - if(get_next(kd, host)) - return 0; - } - if((kd->flags & KD_SRV_HTTP) == 0) { - srv_get_hosts(context, kd, "http", "kerberos"); - kd->flags |= 
KD_SRV_HTTP; - if(get_next(kd, host)) - return 0; - } - } - - while((kd->flags & KD_FALLBACK) == 0) { - ret = fallback_get_hosts(context, kd, "kerberos", - kd->def_port, KRB5_KRBHST_UDP); - if(ret) - return ret; - if(get_next(kd, host)) - return 0; - } - - return KRB5_KDC_UNREACH; /* XXX */ -} - -static krb5_error_code -admin_get_next(krb5_context context, - struct krb5_krbhst_data *kd, - krb5_krbhst_info **host) -{ - krb5_error_code ret; - - if((kd->flags & KD_CONFIG) == 0) { - config_get_hosts(context, kd, "admin_server"); - kd->flags |= KD_CONFIG; - if(get_next(kd, host)) - return 0; - } - - if (kd->flags & KD_CONFIG_EXISTS) - return KRB5_KDC_UNREACH; /* XXX */ - - if(context->srv_lookup) { - if((kd->flags & KD_SRV_TCP) == 0) { - srv_get_hosts(context, kd, "tcp", "kerberos-adm"); - kd->flags |= KD_SRV_TCP; - if(get_next(kd, host)) - return 0; - } - } - - if (krbhst_empty(kd) - && (kd->flags & KD_FALLBACK) == 0) { - ret = fallback_get_hosts(context, kd, "kerberos", - kd->def_port, KRB5_KRBHST_UDP); - if(ret) - return ret; - kd->flags |= KD_FALLBACK; - if(get_next(kd, host)) - return 0; - } - - return KRB5_KDC_UNREACH; /* XXX */ -} - -static krb5_error_code -kpasswd_get_next(krb5_context context, - struct krb5_krbhst_data *kd, - krb5_krbhst_info **host) -{ - krb5_error_code ret; - - if((kd->flags & KD_CONFIG) == 0) { - config_get_hosts(context, kd, "kpasswd_server"); - if(get_next(kd, host)) - return 0; - } - - if (kd->flags & KD_CONFIG_EXISTS) - return KRB5_KDC_UNREACH; /* XXX */ - - if(context->srv_lookup) { - if((kd->flags & KD_SRV_UDP) == 0) { - srv_get_hosts(context, kd, "udp", "kpasswd"); - kd->flags |= KD_SRV_UDP; - if(get_next(kd, host)) - return 0; - } - } - - /* no matches -> try admin */ - - if (krbhst_empty(kd)) { - kd->flags = 0; - kd->port = kd->def_port; - kd->get_next = admin_get_next; - ret = (*kd->get_next)(context, kd, host); - if (ret == 0) - (*host)->proto = KRB5_KRBHST_UDP; - return ret; - } - - return KRB5_KDC_UNREACH; /* XXX */ -} - -static 
krb5_error_code -krb524_get_next(krb5_context context, - struct krb5_krbhst_data *kd, - krb5_krbhst_info **host) -{ - if((kd->flags & KD_CONFIG) == 0) { - config_get_hosts(context, kd, "krb524_server"); - if(get_next(kd, host)) - return 0; - kd->flags |= KD_CONFIG; - } - - if (kd->flags & KD_CONFIG_EXISTS) - return KRB5_KDC_UNREACH; /* XXX */ - - if(context->srv_lookup) { - if((kd->flags & KD_SRV_UDP) == 0) { - srv_get_hosts(context, kd, "udp", "krb524"); - kd->flags |= KD_SRV_UDP; - if(get_next(kd, host)) - return 0; - } - - if((kd->flags & KD_SRV_TCP) == 0) { - srv_get_hosts(context, kd, "tcp", "krb524"); - kd->flags |= KD_SRV_TCP; - if(get_next(kd, host)) - return 0; - } - } - - /* no matches -> try kdc */ - - if (krbhst_empty(kd)) { - kd->flags = 0; - kd->port = kd->def_port; - kd->get_next = kdc_get_next; - return (*kd->get_next)(context, kd, host); - } - - return KRB5_KDC_UNREACH; /* XXX */ -} - -static struct krb5_krbhst_data* -common_init(krb5_context context, - const char *realm) -{ - struct krb5_krbhst_data *kd; - - if((kd = calloc(1, sizeof(*kd))) == NULL) - return NULL; - - if((kd->realm = strdup(realm)) == NULL) { - free(kd); - return NULL; - } - - kd->end = kd->index = &kd->hosts; - return kd; -} - -/* - * initialize `handle' to look for hosts of type `type' in realm `realm' - */ - -krb5_error_code -krb5_krbhst_init(krb5_context context, - const char *realm, - unsigned int type, - krb5_krbhst_handle *handle) -{ - struct krb5_krbhst_data *kd; - krb5_error_code (*get_next)(krb5_context, struct krb5_krbhst_data *, - krb5_krbhst_info **); - int def_port; - - switch(type) { - case KRB5_KRBHST_KDC: - get_next = kdc_get_next; - def_port = ntohs(krb5_getportbyname (context, "kerberos", "udp", 88)); - break; - case KRB5_KRBHST_ADMIN: - get_next = admin_get_next; - def_port = ntohs(krb5_getportbyname (context, "kerberos-adm", - "tcp", 749)); - break; - case KRB5_KRBHST_CHANGEPW: - get_next = kpasswd_get_next; - def_port = ntohs(krb5_getportbyname (context, 
"kpasswd", "udp", - KPASSWD_PORT)); - break; - case KRB5_KRBHST_KRB524: - get_next = krb524_get_next; - def_port = ntohs(krb5_getportbyname (context, "krb524", "udp", 4444)); - break; - default: - krb5_set_error_string(context, "unknown krbhst type (%u)", type); - return ENOTTY; - } - if((kd = common_init(context, realm)) == NULL) - return ENOMEM; - kd->get_next = get_next; - kd->def_port = def_port; - *handle = kd; - return 0; -} - -/* - * return the next host information from `handle' in `host' - */ - -krb5_error_code -krb5_krbhst_next(krb5_context context, - krb5_krbhst_handle handle, - krb5_krbhst_info **host) -{ - if(get_next(handle, host)) - return 0; - - return (*handle->get_next)(context, handle, host); -} - -/* - * return the next host information from `handle' as a host name - * in `hostname' (or length `hostlen) - */ - -krb5_error_code -krb5_krbhst_next_as_string(krb5_context context, - krb5_krbhst_handle handle, - char *hostname, - size_t hostlen) -{ - krb5_error_code ret; - krb5_krbhst_info *host; - ret = krb5_krbhst_next(context, handle, &host); - if(ret) - return ret; - return krb5_krbhst_format_string(context, host, hostname, hostlen); -} - - -void -krb5_krbhst_reset(krb5_context context, krb5_krbhst_handle handle) -{ - handle->index = &handle->hosts; -} - -void -krb5_krbhst_free(krb5_context context, krb5_krbhst_handle handle) -{ - krb5_krbhst_info *h, *next; - - if (handle == NULL) - return; - - for (h = handle->hosts; h != NULL; h = next) { - next = h->next; - free_krbhst_info(h); - } - - free(handle->realm); - free(handle); -} - -/* backwards compatibility ahead */ - -static krb5_error_code -gethostlist(krb5_context context, const char *realm, - unsigned int type, char ***hostlist) -{ - krb5_error_code ret; - int nhost = 0; - krb5_krbhst_handle handle; - char host[MAXHOSTNAMELEN]; - krb5_krbhst_info *hostinfo; - - ret = krb5_krbhst_init(context, realm, type, &handle); - if (ret) - return ret; - - while(krb5_krbhst_next(context, handle, 
&hostinfo) == 0) - nhost++; - if(nhost == 0) - return KRB5_KDC_UNREACH; - *hostlist = calloc(nhost + 1, sizeof(**hostlist)); - if(*hostlist == NULL) { - krb5_krbhst_free(context, handle); - return ENOMEM; - } - - krb5_krbhst_reset(context, handle); - nhost = 0; - while(krb5_krbhst_next_as_string(context, handle, - host, sizeof(host)) == 0) { - if(((*hostlist)[nhost++] = strdup(host)) == NULL) { - krb5_free_krbhst(context, *hostlist); - krb5_krbhst_free(context, handle); - return ENOMEM; - } - } - (*hostlist)[nhost++] = NULL; - krb5_krbhst_free(context, handle); - return 0; -} - -/* - * return an malloced list of kadmin-hosts for `realm' in `hostlist' - */ - -krb5_error_code -krb5_get_krb_admin_hst (krb5_context context, - const krb5_realm *realm, - char ***hostlist) -{ - return gethostlist(context, *realm, KRB5_KRBHST_ADMIN, hostlist); -} - -/* - * return an malloced list of changepw-hosts for `realm' in `hostlist' - */ - -krb5_error_code -krb5_get_krb_changepw_hst (krb5_context context, - const krb5_realm *realm, - char ***hostlist) -{ - return gethostlist(context, *realm, KRB5_KRBHST_CHANGEPW, hostlist); -} - -/* - * return an malloced list of 524-hosts for `realm' in `hostlist' - */ - -krb5_error_code -krb5_get_krb524hst (krb5_context context, - const krb5_realm *realm, - char ***hostlist) -{ - return gethostlist(context, *realm, KRB5_KRBHST_KRB524, hostlist); -} - - -/* - * return an malloced list of KDC's for `realm' in `hostlist' - */ - -krb5_error_code -krb5_get_krbhst (krb5_context context, - const krb5_realm *realm, - char ***hostlist) -{ - return gethostlist(context, *realm, KRB5_KRBHST_KDC, hostlist); -} - -/* - * free all the memory allocated in `hostlist' - */ - -krb5_error_code -krb5_free_krbhst (krb5_context context, - char **hostlist) -{ - char **p; - - for (p = hostlist; *p; ++p) - free (*p); - free (hostlist); - return 0; -} 
diff --git a/crypto/heimdal-0.6.3/lib/krb5/kuserok.c b/crypto/heimdal-0.6.3/lib/krb5/kuserok.c
deleted file mode 100644
index a79532e21b..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/kuserok.c
+++ /dev/null
@@ -1,107 +0,0 @@
-/*
- * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-
-RCSID("$Id: kuserok.c,v 1.7 2003/03/13 19:53:43 lha Exp $");
-
-/*
- * Return TRUE iff `principal' is allowed to login as `luser'.
- */
-
-krb5_boolean
-krb5_kuserok (krb5_context context,
- krb5_principal principal,
- const char *luser)
-{
- char buf[BUFSIZ];
- struct passwd *pwd;
- FILE *f;
- krb5_realm *realms, *r;
- krb5_error_code ret;
- krb5_boolean b;
-
- pwd = getpwnam (luser); /* XXX - Should use k_getpwnam? */
- if (pwd == NULL)
- return FALSE;
-
- ret = krb5_get_default_realms (context, &realms);
- if (ret)
- return FALSE;
-
- for (r = realms; *r != NULL; ++r) {
- krb5_principal local_principal;
-
- ret = krb5_build_principal (context,
- &local_principal,
- strlen(*r),
- *r,
- luser,
- NULL);
- if (ret) {
- krb5_free_host_realm (context, realms);
- return FALSE;
- }
-
- b = krb5_principal_compare (context, principal, local_principal);
- krb5_free_principal (context, local_principal);
- if (b) {
- krb5_free_host_realm (context, realms);
- return TRUE;
- }
- }
- krb5_free_host_realm (context, realms);
-
- snprintf (buf, sizeof(buf), "%s/.k5login", pwd->pw_dir);
- f = fopen (buf, "r");
- if (f == NULL)
- return FALSE;
- while (fgets (buf, sizeof(buf), f) != NULL) {
- krb5_principal tmp;
-
- buf[strcspn(buf, "\n")] = '\0';
- ret = krb5_parse_name (context, buf, &tmp);
- if (ret) {
- fclose (f);
- return FALSE;
- }
- b = krb5_principal_compare (context, principal, tmp);
- krb5_free_principal (context, tmp);
- if (b) {
- fclose (f);
- return TRUE;
- }
- }
- fclose (f);
- return FALSE;
-}
diff --git a/crypto/heimdal-0.6.3/lib/krb5/log.c b/crypto/heimdal-0.6.3/lib/krb5/log.c
deleted file mode 100644
index bd7451b4bc..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/log.c
+++ /dev/null
@@ -1,461 +0,0 @@ -/* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "krb5_locl.h" - -RCSID("$Id: log.c,v 1.31 2002/09/05 14:59:14 joda Exp $"); - -struct facility { - int min; - int max; - krb5_log_log_func_t log; - krb5_log_close_func_t close; - void *data; -}; - -static struct facility* -log_realloc(krb5_log_facility *f) -{ - struct facility *fp; - f->len++; - fp = realloc(f->val, f->len * sizeof(*f->val)); - if(fp == NULL) - return NULL; - f->val = fp; - fp += f->len - 1; - return fp; -} - -struct s2i { - const char *s; - int val; -}; - -#define L(X) { #X, LOG_ ## X } - -static struct s2i syslogvals[] = { - L(EMERG), - L(ALERT), - L(CRIT), - L(ERR), - L(WARNING), - L(NOTICE), - L(INFO), - L(DEBUG), - - L(AUTH), -#ifdef LOG_AUTHPRIV - L(AUTHPRIV), -#endif -#ifdef LOG_CRON - L(CRON), -#endif - L(DAEMON), -#ifdef LOG_FTP - L(FTP), -#endif - L(KERN), - L(LPR), - L(MAIL), -#ifdef LOG_NEWS - L(NEWS), -#endif - L(SYSLOG), - L(USER), -#ifdef LOG_UUCP - L(UUCP), -#endif - L(LOCAL0), - L(LOCAL1), - L(LOCAL2), - L(LOCAL3), - L(LOCAL4), - L(LOCAL5), - L(LOCAL6), - L(LOCAL7), - { NULL, -1 } -}; - -static int -find_value(const char *s, struct s2i *table) -{ - while(table->s && strcasecmp(table->s, s)) - table++; - return table->val; -} - -krb5_error_code -krb5_initlog(krb5_context context, - const char *program, - krb5_log_facility **fac) -{ - krb5_log_facility *f = calloc(1, sizeof(*f)); - if(f == NULL) { - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - f->program = strdup(program); - if(f->program == NULL){ - free(f); - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - *fac = f; - return 0; -} - -krb5_error_code -krb5_addlog_func(krb5_context context, - krb5_log_facility *fac, - int min, - int max, - krb5_log_log_func_t log, - krb5_log_close_func_t close, - void *data) -{ - struct facility *fp = log_realloc(fac); - if(fp == NULL) { - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - fp->min = min; - fp->max = max; - fp->log = 
log; - fp->close = close; - fp->data = data; - return 0; -} - - -struct _heimdal_syslog_data{ - int priority; -}; - -static void -log_syslog(const char *time, - const char *msg, - void *data) - -{ - struct _heimdal_syslog_data *s = data; - syslog(s->priority, "%s", msg); -} - -static void -close_syslog(void *data) -{ - free(data); - closelog(); -} - -static krb5_error_code -open_syslog(krb5_context context, - krb5_log_facility *facility, int min, int max, - const char *sev, const char *fac) -{ - struct _heimdal_syslog_data *sd = malloc(sizeof(*sd)); - int i; - - if(sd == NULL) { - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - i = find_value(sev, syslogvals); - if(i == -1) - i = LOG_ERR; - sd->priority = i; - i = find_value(fac, syslogvals); - if(i == -1) - i = LOG_AUTH; - sd->priority |= i; - roken_openlog(facility->program, LOG_PID | LOG_NDELAY, i); - return krb5_addlog_func(context, facility, min, max, - log_syslog, close_syslog, sd); -} - -struct file_data{ - const char *filename; - const char *mode; - FILE *fd; - int keep_open; -}; - -static void -log_file(const char *time, - const char *msg, - void *data) -{ - struct file_data *f = data; - if(f->keep_open == 0) - f->fd = fopen(f->filename, f->mode); - if(f->fd == NULL) - return; - fprintf(f->fd, "%s %s\n", time, msg); - if(f->keep_open == 0) - fclose(f->fd); -} - -static void -close_file(void *data) -{ - struct file_data *f = data; - if(f->keep_open && f->filename) - fclose(f->fd); - free(data); -} - -static krb5_error_code -open_file(krb5_context context, krb5_log_facility *fac, int min, int max, - const char *filename, const char *mode, FILE *f, int keep_open) -{ - struct file_data *fd = malloc(sizeof(*fd)); - if(fd == NULL) { - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - fd->filename = filename; - fd->mode = mode; - fd->fd = f; - fd->keep_open = keep_open; - - return krb5_addlog_func(context, fac, min, max, log_file, close_file, fd); -} 
- - - -krb5_error_code -krb5_addlog_dest(krb5_context context, krb5_log_facility *f, const char *orig) -{ - krb5_error_code ret = 0; - int min = 0, max = -1, n; - char c; - const char *p = orig; - - n = sscanf(p, "%d%c%d/", &min, &c, &max); - if(n == 2){ - if(c == '/') { - if(min < 0){ - max = -min; - min = 0; - }else{ - max = min; - } - } - } - if(n){ - p = strchr(p, '/'); - if(p == NULL) { - krb5_set_error_string (context, "failed to parse \"%s\"", orig); - return HEIM_ERR_LOG_PARSE; - } - p++; - } - if(strcmp(p, "STDERR") == 0){ - ret = open_file(context, f, min, max, NULL, NULL, stderr, 1); - }else if(strcmp(p, "CONSOLE") == 0){ - ret = open_file(context, f, min, max, "/dev/console", "w", NULL, 0); - }else if(strncmp(p, "FILE:", 4) == 0 && (p[4] == ':' || p[4] == '=')){ - char *fn; - FILE *file = NULL; - int keep_open = 0; - fn = strdup(p + 5); - if(fn == NULL) { - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - if(p[4] == '='){ - int i = open(fn, O_WRONLY | O_CREAT | - O_TRUNC | O_APPEND, 0666); - if(i < 0) { - ret = errno; - krb5_set_error_string (context, "open(%s): %s", fn, - strerror(ret)); - return ret; - } - file = fdopen(i, "a"); - if(file == NULL){ - ret = errno; - close(i); - krb5_set_error_string (context, "fdopen(%s): %s", fn, - strerror(ret)); - return ret; - } - keep_open = 1; - } - ret = open_file(context, f, min, max, fn, "a", file, keep_open); - }else if(strncmp(p, "DEVICE=", 6) == 0){ - ret = open_file(context, f, min, max, strdup(p + 7), "w", NULL, 0); - }else if(strncmp(p, "SYSLOG", 6) == 0 && (p[6] == '\0' || p[6] == ':')){ - char severity[128] = ""; - char facility[128] = ""; - p += 6; - if(*p != '\0') - p++; - if(strsep_copy(&p, ":", severity, sizeof(severity)) != -1) - strsep_copy(&p, ":", facility, sizeof(facility)); - if(*severity == '\0') - strlcpy(severity, "ERR", sizeof(severity)); - if(*facility == '\0') - strlcpy(facility, "AUTH", sizeof(facility)); - ret = open_syslog(context, f, min, max, 
severity, facility); - }else{ - krb5_set_error_string (context, "unknown log type: %s", p); - ret = HEIM_ERR_LOG_PARSE; /* XXX */ - } - return ret; -} - - -krb5_error_code -krb5_openlog(krb5_context context, - const char *program, - krb5_log_facility **fac) -{ - krb5_error_code ret; - char **p, **q; - - ret = krb5_initlog(context, program, fac); - if(ret) - return ret; - - p = krb5_config_get_strings(context, NULL, "logging", program, NULL); - if(p == NULL) - p = krb5_config_get_strings(context, NULL, "logging", "default", NULL); - if(p){ - for(q = p; *q; q++) - ret = krb5_addlog_dest(context, *fac, *q); - krb5_config_free_strings(p); - }else - ret = krb5_addlog_dest(context, *fac, "SYSLOG"); - return 0; -} - -krb5_error_code -krb5_closelog(krb5_context context, - krb5_log_facility *fac) -{ - int i; - for(i = 0; i < fac->len; i++) - (*fac->val[i].close)(fac->val[i].data); - return 0; -} - -#undef __attribute__ -#define __attribute__(X) - -krb5_error_code -krb5_vlog_msg(krb5_context context, - krb5_log_facility *fac, - char **reply, - int level, - const char *fmt, - va_list ap) - __attribute__((format (printf, 5, 0))) -{ - - char *msg = NULL; - const char *actual = NULL; - char buf[64]; - time_t t = 0; - int i; - - for(i = 0; fac && i < fac->len; i++) - if(fac->val[i].min <= level && - (fac->val[i].max < 0 || fac->val[i].max >= level)) { - if(t == 0) { - t = time(NULL); - krb5_format_time(context, t, buf, sizeof(buf), TRUE); - } - if(actual == NULL) { - vasprintf(&msg, fmt, ap); - if(msg == NULL) - actual = fmt; - else - actual = msg; - } - (*fac->val[i].log)(buf, actual, fac->val[i].data); - } - if(reply == NULL) - free(msg); - else - *reply = msg; - return 0; -} - -krb5_error_code -krb5_vlog(krb5_context context, - krb5_log_facility *fac, - int level, - const char *fmt, - va_list ap) - __attribute__((format (printf, 4, 0))) -{ - return krb5_vlog_msg(context, fac, NULL, level, fmt, ap); -} - -krb5_error_code -krb5_log_msg(krb5_context context, - krb5_log_facility 
*fac, - int level, - char **reply, - const char *fmt, - ...) - __attribute__((format (printf, 5, 6))) -{ - va_list ap; - krb5_error_code ret; - - va_start(ap, fmt); - ret = krb5_vlog_msg(context, fac, reply, level, fmt, ap); - va_end(ap); - return ret; -} - - -krb5_error_code -krb5_log(krb5_context context, - krb5_log_facility *fac, - int level, - const char *fmt, - ...) - __attribute__((format (printf, 4, 5))) -{ - va_list ap; - krb5_error_code ret; - - va_start(ap, fmt); - ret = krb5_vlog(context, fac, level, fmt, ap); - va_end(ap); - return ret; -} - diff --git a/crypto/heimdal-0.6.3/lib/krb5/mcache.c b/crypto/heimdal-0.6.3/lib/krb5/mcache.c deleted file mode 100644 index 115760406b..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/mcache.c +++ /dev/null 
@@ -1,335 +0,0 @@
-/*
- * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-
-RCSID("$Id: mcache.c,v 1.15.6.1 2004/03/06 16:57:16 lha Exp $");
-
-typedef struct krb5_mcache {
- char *name;
- unsigned int refcnt;
- int dead;
- krb5_principal primary_principal;
- struct link {
- krb5_creds cred;
- struct link *next;
- } *creds;
- struct krb5_mcache *next;
-} krb5_mcache;
-
-static struct krb5_mcache *mcc_head;
-
-#define MCACHE(X) ((krb5_mcache *)(X)->data.data)
-
-#define MISDEAD(X) ((X)->dead)
-
-#define MCC_CURSOR(C) ((struct link*)(C))
-
-static const char*
-mcc_get_name(krb5_context context,
- krb5_ccache id)
-{
- return MCACHE(id)->name;
-}
-
-static krb5_mcache *
-mcc_alloc(const char *name)
-{
- krb5_mcache *m;
-
- ALLOC(m, 1);
- if(m == NULL)
- return NULL;
- if(name == NULL)
- asprintf(&m->name, "%p", m);
- else
- m->name = strdup(name);
- if(m->name == NULL) {
- free(m);
- return NULL;
- }
- m->dead = 0;
- m->refcnt = 1;
- m->primary_principal = NULL;
- m->creds = NULL;
- m->next = mcc_head;
- mcc_head = m;
- return m;
-}
-
-static krb5_error_code
-mcc_resolve(krb5_context context, krb5_ccache *id, const char *res)
-{
- krb5_mcache *m;
-
- for (m = mcc_head; m != NULL; m = m->next)
- if (strcmp(m->name, res) == 0)
- break;
-
- if (m != NULL) {
- m->refcnt++;
- (*id)->data.data = m;
- (*id)->data.length = sizeof(*m);
- return 0;
- }
-
- m = mcc_alloc(res);
- if (m == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
- return KRB5_CC_NOMEM;
- }
-
- (*id)->data.data = m;
- (*id)->data.length = sizeof(*m);
-
- return 0;
-}
-
-
-static krb5_error_code
-mcc_gen_new(krb5_context context, krb5_ccache *id)
-{
- krb5_mcache *m;
-
- m = mcc_alloc(NULL);
-
- if (m == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
- return KRB5_CC_NOMEM;
- }
-
- (*id)->data.data = m;
- (*id)->data.length = sizeof(*m);
-
- return 0;
-}
-
-static krb5_error_code
-mcc_initialize(krb5_context context,
- krb5_ccache id,
- krb5_principal primary_principal)
-{
- krb5_mcache *m = MCACHE(id);
- m->dead = 0;
- return krb5_copy_principal (context,
- primary_principal,
- &m->primary_principal);
-}
-
-static krb5_error_code
-mcc_close(krb5_context context,
- krb5_ccache id)
-{
- krb5_mcache *m = MCACHE(id);
-
- if (--m->refcnt != 0)
- return 0;
-
- if (MISDEAD(m)) {
- free (m->name);
- krb5_data_free(&id->data);
- }
-
- return 0;
-}
-
-static krb5_error_code
-mcc_destroy(krb5_context context,
- krb5_ccache id)
-{
- krb5_mcache **n, *m = MCACHE(id);
- struct link *l;
-
- if (m->refcnt == 0)
- krb5_abortx(context, "mcc_destroy: refcnt already 0");
-
- if (!MISDEAD(m)) {
- /* if this is an active mcache, remove it from the linked
- list, and free all data */
- for(n = &mcc_head; n && *n; n = &(*n)->next) {
- if(m == *n) {
- *n = m->next;
- break;
- }
- }
- if (m->primary_principal != NULL) {
- krb5_free_principal (context, m->primary_principal);
- m->primary_principal = NULL;
- }
- m->dead = 1;
-
- l = m->creds;
- while (l != NULL) {
- struct link *old;
-
- krb5_free_creds_contents (context, &l->cred);
- old = l;
- l = l->next;
- free (old);
- }
- m->creds = NULL;
- }
- return 0;
-}
-
-static krb5_error_code
-mcc_store_cred(krb5_context context,
- krb5_ccache id,
- krb5_creds *creds)
-{
- krb5_mcache *m = MCACHE(id);
- krb5_error_code ret;
- struct link *l;
-
- if (MISDEAD(m))
- return ENOENT;
-
- l = malloc (sizeof(*l));
- if (l == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
- return KRB5_CC_NOMEM;
- }
- l->next = m->creds;
- m->creds = l;
- memset (&l->cred, 0, sizeof(l->cred));
- ret = krb5_copy_creds_contents (context, creds, &l->cred);
- if (ret) {
- m->creds = l->next;
- free (l);
- return ret;
- }
- return 0;
-}
-
-static krb5_error_code
-mcc_get_principal(krb5_context context,
- krb5_ccache id,
- krb5_principal *principal)
-{
- krb5_mcache *m = MCACHE(id);
-
- if (MISDEAD(m) || m->primary_principal == NULL)
- return ENOENT;
- return krb5_copy_principal (context,
- m->primary_principal,
- principal);
-}
-
-static krb5_error_code
-mcc_get_first (krb5_context context,
- krb5_ccache id,
- krb5_cc_cursor *cursor)
-{
- krb5_mcache *m = MCACHE(id);
-
- if (MISDEAD(m))
- return ENOENT;
-
- *cursor = m->creds;
- return 0;
-}
-
-static krb5_error_code
-mcc_get_next (krb5_context context,
- krb5_ccache id,
- krb5_cc_cursor *cursor,
- krb5_creds *creds)
-{
- krb5_mcache *m = MCACHE(id);
- struct link *l;
-
- if (MISDEAD(m))
- return ENOENT;
-
- l = *cursor;
- if (l != NULL) {
- *cursor = l->next;
- return krb5_copy_creds_contents (context,
- &l->cred,
- creds);
- } else
- return KRB5_CC_END;
-}
-
-static krb5_error_code
-mcc_end_get (krb5_context context,
- krb5_ccache id,
- krb5_cc_cursor *cursor)
-{
- return 0;
-}
-
-static krb5_error_code
-mcc_remove_cred(krb5_context context,
- krb5_ccache id,
- krb5_flags which,
- krb5_creds *mcreds)
-{
- krb5_mcache *m = MCACHE(id);
- struct link **q, *p;
- for(q = &m->creds, p = *q; p; p = *q) {
- if(krb5_compare_creds(context, which, mcreds, &p->cred)) {
- *q = p->next;
- krb5_free_creds_contents(context, &p->cred);
- free(p);
- } else
- q = &p->next;
- }
- return 0;
-}
-
-static krb5_error_code
-mcc_set_flags(krb5_context context,
- krb5_ccache id,
- krb5_flags flags)
-{
- return 0; /* XXX */
-}
-
-const krb5_cc_ops krb5_mcc_ops = {
- "MEMORY",
- mcc_get_name,
- mcc_resolve,
- mcc_gen_new,
- mcc_initialize,
- mcc_destroy,
- mcc_close,
- mcc_store_cred,
- NULL, /* mcc_retrieve */
- mcc_get_principal,
- mcc_get_first,
- mcc_get_next,
- mcc_end_get,
- mcc_remove_cred,
- mcc_set_flags
-};
diff --git a/crypto/heimdal-0.6.3/lib/krb5/misc.c b/crypto/heimdal-0.6.3/lib/krb5/misc.c
deleted file mode 100644
index baf63f6d52..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/misc.c
+++ /dev/null
@@ -1,36 +0,0 @@
-/*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-
-RCSID("$Id: misc.c,v 1.5 1999/12/02 17:05:11 joda Exp $");
diff --git a/crypto/heimdal-0.6.3/lib/krb5/mk_error.c b/crypto/heimdal-0.6.3/lib/krb5/mk_error.c
deleted file mode 100644
index ae9e10a5ef..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/mk_error.c
+++ /dev/null
@@ -1,91 +0,0 @@
-/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-
-RCSID("$Id: mk_error.c,v 1.18 2002/09/04 16:26:04 joda Exp $");
-
-krb5_error_code
-krb5_mk_error(krb5_context context,
- krb5_error_code error_code,
- const char *e_text,
- const krb5_data *e_data,
- const krb5_principal client,
- const krb5_principal server,
- time_t *client_time,
- int *client_usec,
- krb5_data *reply)
-{
- KRB_ERROR msg;
- int32_t sec, usec;
- size_t len;
- krb5_error_code ret = 0;
-
- krb5_us_timeofday (context, &sec, &usec);
-
- memset(&msg, 0, sizeof(msg));
- msg.pvno = 5;
- msg.msg_type = krb_error;
- msg.stime = sec;
- msg.susec = usec;
- msg.ctime = client_time;
- msg.cusec = client_usec;
- /* Make sure we only send `protocol' error codes */
- if(error_code < KRB5KDC_ERR_NONE || error_code >= KRB5_ERR_RCSID) {
- if(e_text == NULL)
- e_text = krb5_get_err_text(context, error_code);
- error_code = KRB5KRB_ERR_GENERIC;
- }
- msg.error_code = error_code - KRB5KDC_ERR_NONE;
- if (e_text)
- msg.e_text = (general_string*)&e_text;
- if (e_data)
- msg.e_data = (octet_string*)e_data;
- if(server){
- msg.realm = server->realm;
- msg.sname = server->name;
- }else{
- msg.realm = "";
- }
- if(client){
- msg.crealm = &client->realm;
- msg.cname = &client->name;
- }
-
- ASN1_MALLOC_ENCODE(KRB_ERROR, reply->data, reply->length, &msg, &len, ret);
- if (ret)
- return ret;
- if(reply->length != len)
- krb5_abortx(context, "internal error in ASN.1 encoder");
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/lib/krb5/mk_priv.c b/crypto/heimdal-0.6.3/lib/krb5/mk_priv.c
deleted file mode 100644
index b89f7e9721..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/mk_priv.c
+++ /dev/null
@@ -1,135 +0,0 @@
-/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include - -RCSID("$Id: mk_priv.c,v 1.31 2002/09/04 16:26:04 joda Exp $"); - - -krb5_error_code -krb5_mk_priv(krb5_context context, - krb5_auth_context auth_context, - const krb5_data *userdata, - krb5_data *outbuf, - /*krb5_replay_data*/ void *outdata) -{ - krb5_error_code ret; - KRB_PRIV s; - EncKrbPrivPart part; - u_char *buf; - size_t buf_size; - size_t len; - u_int32_t tmp_seq; - krb5_keyblock *key; - int32_t sec, usec; - KerberosTime sec2; - int usec2; - krb5_crypto crypto; - - if (auth_context->local_subkey) - key = auth_context->local_subkey; - else if (auth_context->remote_subkey) - key = auth_context->remote_subkey; - else - key = auth_context->keyblock; - - krb5_us_timeofday (context, &sec, &usec); - - part.user_data = *userdata; - sec2 = sec; - part.timestamp = &sec2; - usec2 = usec; - part.usec = &usec2; - if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) { - tmp_seq = auth_context->local_seqnumber; - part.seq_number = &tmp_seq; - } else { - part.seq_number = NULL; - } - - part.s_address = auth_context->local_address; - part.r_address = auth_context->remote_address; - - krb5_data_zero (&s.enc_part.cipher); - - ASN1_MALLOC_ENCODE(EncKrbPrivPart, buf, buf_size, &part, &len, ret); - if (ret) - goto fail; - - s.pvno = 5; - s.msg_type = krb_priv; - s.enc_part.etype = key->keytype; - s.enc_part.kvno = NULL; - - ret = krb5_crypto_init(context, key, 0, &crypto); - if (ret) { - free (buf); - return ret; - } - ret = krb5_encrypt (context, - crypto, - KRB5_KU_KRB_PRIV, - buf + buf_size - len, - len, - &s.enc_part.cipher); - krb5_crypto_destroy(context, crypto); - if (ret) { - free(buf); - return ret; - } - free(buf); - - - ASN1_MALLOC_ENCODE(KRB_PRIV, buf, buf_size, &s, &len, ret); - - if(ret) - goto fail; - krb5_data_free (&s.enc_part.cipher); - - ret = krb5_data_copy(outbuf, buf + buf_size - len, len); - if (ret) { - krb5_set_error_string (context, "malloc: out of memory"); - free(buf); - return ENOMEM; - } - free (buf); - if (auth_context->flags 
& KRB5_AUTH_CONTEXT_DO_SEQUENCE) - auth_context->local_seqnumber = - (auth_context->local_seqnumber + 1) & 0xFFFFFFFF; - return 0; - -fail: - free (buf); - krb5_data_free (&s.enc_part.cipher); - return ret; -} diff --git a/crypto/heimdal-0.6.3/lib/krb5/mk_rep.c b/crypto/heimdal-0.6.3/lib/krb5/mk_rep.c deleted file mode 100644 index 1026df0f33..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/mk_rep.c +++ /dev/null 
@@ -1,99 +0,0 @@
-/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include - -RCSID("$Id: mk_rep.c,v 1.21 2002/12/19 13:30:36 joda Exp $"); - -krb5_error_code -krb5_mk_rep(krb5_context context, - krb5_auth_context auth_context, - krb5_data *outbuf) -{ - krb5_error_code ret; - AP_REP ap; - EncAPRepPart body; - u_char *buf = NULL; - size_t buf_size; - size_t len; - krb5_crypto crypto; - - ap.pvno = 5; - ap.msg_type = krb_ap_rep; - - memset (&body, 0, sizeof(body)); - - body.ctime = auth_context->authenticator->ctime; - body.cusec = auth_context->authenticator->cusec; - body.subkey = NULL; - if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) { - krb5_generate_seq_number (context, - auth_context->keyblock, - &auth_context->local_seqnumber); - body.seq_number = malloc (sizeof(*body.seq_number)); - if (body.seq_number == NULL) { - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - *(body.seq_number) = auth_context->local_seqnumber; - } else - body.seq_number = NULL; - - ap.enc_part.etype = auth_context->keyblock->keytype; - ap.enc_part.kvno = NULL; - - ASN1_MALLOC_ENCODE(EncAPRepPart, buf, buf_size, &body, &len, ret); - free_EncAPRepPart (&body); - if(ret) - return ret; - ret = krb5_crypto_init(context, auth_context->keyblock, - 0 /* ap.enc_part.etype */, &crypto); - if (ret) { - free (buf); - return ret; - } - ret = krb5_encrypt (context, - crypto, - KRB5_KU_AP_REQ_ENC_PART, - buf + buf_size - len, - len, - &ap.enc_part.cipher); - krb5_crypto_destroy(context, crypto); - free(buf); - if (ret) - return ret; - - ASN1_MALLOC_ENCODE(AP_REP, outbuf->data, outbuf->length, &ap, &len, ret); - free_AP_REP (&ap); - return ret; -} diff --git a/crypto/heimdal-0.6.3/lib/krb5/mk_req.c b/crypto/heimdal-0.6.3/lib/krb5/mk_req.c deleted file mode 100644 index a554123b00..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/mk_req.c +++ /dev/null 
@@ -1,116 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include - -RCSID("$Id: mk_req.c,v 1.24 2001/06/18 20:05:52 joda Exp $"); - -krb5_error_code -krb5_mk_req_exact(krb5_context context, - krb5_auth_context *auth_context, - const krb5_flags ap_req_options, - const krb5_principal server, - krb5_data *in_data, - krb5_ccache ccache, - krb5_data *outbuf) -{ - krb5_error_code ret; - krb5_creds this_cred, *cred; - - memset(&this_cred, 0, sizeof(this_cred)); - - ret = krb5_cc_get_principal(context, ccache, &this_cred.client); - - if(ret) - return ret; - - ret = krb5_copy_principal (context, server, &this_cred.server); - if (ret) { - krb5_free_creds_contents (context, &this_cred); - return ret; - } - - this_cred.times.endtime = 0; - if (auth_context && *auth_context && (*auth_context)->keytype) - this_cred.session.keytype = (*auth_context)->keytype; - - ret = krb5_get_credentials (context, 0, ccache, &this_cred, &cred); - krb5_free_creds_contents(context, &this_cred); - if (ret) - return ret; - - ret = krb5_mk_req_extended (context, - auth_context, - ap_req_options, - in_data, - cred, - outbuf); - krb5_free_creds(context, cred); - return ret; -} - -krb5_error_code -krb5_mk_req(krb5_context context, - krb5_auth_context *auth_context, - const krb5_flags ap_req_options, - const char *service, - const char *hostname, - krb5_data *in_data, - krb5_ccache ccache, - krb5_data *outbuf) -{ - krb5_error_code ret; - char **realms; - char *real_hostname; - krb5_principal server; - - ret = krb5_expand_hostname_realms (context, hostname, - &real_hostname, &realms); - if (ret) - return ret; - - ret = krb5_build_principal (context, &server, - strlen(*realms), - *realms, - service, - real_hostname, - NULL); - free (real_hostname); - krb5_free_host_realm (context, realms); - if (ret) - return ret; - ret = krb5_mk_req_exact (context, auth_context, ap_req_options, - server, in_data, ccache, outbuf); - krb5_free_principal (context, server); - return ret; -} 
diff --git a/crypto/heimdal-0.6.3/lib/krb5/mk_req_ext.c b/crypto/heimdal-0.6.3/lib/krb5/mk_req_ext.c
deleted file mode 100644
index 922be9e0b4..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/mk_req_ext.c
+++ /dev/null
@@ -1,179 +0,0 @@
-/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include - -RCSID("$Id: mk_req_ext.c,v 1.26.4.1 2003/09/18 20:34:30 lha Exp $"); - -krb5_error_code -krb5_mk_req_internal(krb5_context context, - krb5_auth_context *auth_context, - const krb5_flags ap_req_options, - krb5_data *in_data, - krb5_creds *in_creds, - krb5_data *outbuf, - krb5_key_usage checksum_usage, - krb5_key_usage encrypt_usage) -{ - krb5_error_code ret; - krb5_data authenticator; - Checksum c; - Checksum *c_opt; - krb5_auth_context ac; - - if(auth_context) { - if(*auth_context == NULL) - ret = krb5_auth_con_init(context, auth_context); - else - ret = 0; - ac = *auth_context; - } else - ret = krb5_auth_con_init(context, &ac); - if(ret) - return ret; - - if(ac->local_subkey == NULL && (ap_req_options & AP_OPTS_USE_SUBKEY)) { - ret = krb5_auth_con_generatelocalsubkey(context, ac, &in_creds->session); - if(ret) - return ret; - } - -#if 0 - { - /* This is somewhat bogus since we're possibly overwriting a - value specified by the user, but it's the easiest way to make - the code use a compatible enctype */ - Ticket ticket; - krb5_keytype ticket_keytype; - - ret = decode_Ticket(in_creds->ticket.data, - in_creds->ticket.length, - &ticket, - NULL); - krb5_enctype_to_keytype (context, - ticket.enc_part.etype, - &ticket_keytype); - - if (ticket_keytype == in_creds->session.keytype) - krb5_auth_setenctype(context, - ac, - ticket.enc_part.etype); - free_Ticket(&ticket); - } -#endif - - krb5_free_keyblock(context, ac->keyblock); - krb5_copy_keyblock(context, &in_creds->session, &ac->keyblock); - - /* it's unclear what type of checksum we can use. try the best one, except: - * a) if it's configured differently for the current realm, or - * b) if the session key is des-cbc-crc - */ - - if (in_data) { - if(ac->keyblock->keytype == ETYPE_DES_CBC_CRC) { - /* this is to make DCE secd (and older MIT kdcs?) 
happy */ - ret = krb5_create_checksum(context, - NULL, - 0, - CKSUMTYPE_RSA_MD4, - in_data->data, - in_data->length, - &c); - } else if(ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5) { - /* this is to make MS kdc happy */ - ret = krb5_create_checksum(context, - NULL, - 0, - CKSUMTYPE_RSA_MD5, - in_data->data, - in_data->length, - &c); - } else { - krb5_crypto crypto; - - ret = krb5_crypto_init(context, ac->keyblock, 0, &crypto); - if (ret) - return ret; - ret = krb5_create_checksum(context, - crypto, - checksum_usage, - 0, - in_data->data, - in_data->length, - &c); - - krb5_crypto_destroy(context, crypto); - } - c_opt = &c; - } else { - c_opt = NULL; - } - - ret = krb5_build_authenticator (context, - ac, - ac->keyblock->keytype, - in_creds, - c_opt, - NULL, - &authenticator, - encrypt_usage); - if (c_opt) - free_Checksum (c_opt); - if (ret) - return ret; - - ret = krb5_build_ap_req (context, ac->keyblock->keytype, - in_creds, ap_req_options, authenticator, outbuf); - if(auth_context == NULL) - krb5_auth_con_free(context, ac); - return ret; -} - -krb5_error_code -krb5_mk_req_extended(krb5_context context, - krb5_auth_context *auth_context, - const krb5_flags ap_req_options, - krb5_data *in_data, - krb5_creds *in_creds, - krb5_data *outbuf) -{ - return krb5_mk_req_internal (context, - auth_context, - ap_req_options, - in_data, - in_creds, - outbuf, - KRB5_KU_AP_REQ_AUTH_CKSUM, - KRB5_KU_AP_REQ_AUTH); -} diff --git a/crypto/heimdal-0.6.3/lib/krb5/mk_safe.c b/crypto/heimdal-0.6.3/lib/krb5/mk_safe.c deleted file mode 100644 index 8bfa066759..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/mk_safe.c +++ /dev/null 
@@ -1,124 +0,0 @@
-/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include - -RCSID("$Id: mk_safe.c,v 1.28.4.1 2004/03/07 12:46:43 lha Exp $"); - -krb5_error_code -krb5_mk_safe(krb5_context context, - krb5_auth_context auth_context, - const krb5_data *userdata, - krb5_data *outbuf, - /*krb5_replay_data*/ void *outdata) -{ - krb5_error_code ret; - KRB_SAFE s; - int32_t sec, usec; - KerberosTime sec2; - int usec2; - u_char *buf = NULL; - size_t buf_size; - size_t len; - u_int32_t tmp_seq; - krb5_crypto crypto; - krb5_keyblock *key; - - if (auth_context->local_subkey) - key = auth_context->local_subkey; - else if (auth_context->remote_subkey) - key = auth_context->remote_subkey; - else - key = auth_context->keyblock; - - s.pvno = 5; - s.msg_type = krb_safe; - - s.safe_body.user_data = *userdata; - krb5_us_timeofday (context, &sec, &usec); - - sec2 = sec; - s.safe_body.timestamp = &sec2; - usec2 = usec; - s.safe_body.usec = &usec2; - if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) { - tmp_seq = auth_context->local_seqnumber; - s.safe_body.seq_number = &tmp_seq; - } else - s.safe_body.seq_number = NULL; - - s.safe_body.s_address = auth_context->local_address; - s.safe_body.r_address = auth_context->remote_address; - - s.cksum.cksumtype = 0; - s.cksum.checksum.data = NULL; - s.cksum.checksum.length = 0; - - ASN1_MALLOC_ENCODE(KRB_SAFE, buf, buf_size, &s, &len, ret); - if (ret) - return ret; - if(buf_size != len) - krb5_abortx(context, "internal error in ASN.1 encoder"); - ret = krb5_crypto_init(context, key, 0, &crypto); - if (ret) { - free (buf); - return ret; - } - ret = krb5_create_checksum(context, - crypto, - KRB5_KU_KRB_SAFE_CKSUM, - 0, - buf, - len, - &s.cksum); - krb5_crypto_destroy(context, crypto); - if (ret) { - free (buf); - return ret; - } - - free(buf); - ASN1_MALLOC_ENCODE(KRB_SAFE, buf, buf_size, &s, &len, ret); - free_Checksum (&s.cksum); - if(ret) - return ret; - if(buf_size != len) - krb5_abortx(context, "internal error in ASN.1 encoder"); - - outbuf->length = len; - outbuf->data = buf; - if 
(auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) - auth_context->local_seqnumber = - (auth_context->local_seqnumber + 1) & 0xFFFFFFFF; - return 0; -} diff --git a/crypto/heimdal-0.6.3/lib/krb5/n-fold-test.c b/crypto/heimdal-0.6.3/lib/krb5/n-fold-test.c deleted file mode 100644 index 7cf4905143..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/n-fold-test.c +++ /dev/null 
@@ -1,119 +0,0 @@ -/* - * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of KTH nor the names of its contributors may be - * used to endorse or promote products derived from this software without - * specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY - * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR - * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, - * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR - * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF - * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ - -#include "krb5_locl.h" - -RCSID("$Id: n-fold-test.c,v 1.4 2001/03/12 07:42:30 assar Exp $"); - -enum { MAXSIZE = 24 }; - -static struct testcase { - const char *str; - unsigned n; - unsigned char res[MAXSIZE]; -} tests[] = { - {"012345", 8, - {0xbe, 0x07, 0x26, 0x31, 0x27, 0x6b, 0x19, 0x55} - }, - {"basch", 24, - {0x1a, 0xab, 0x6b, 0x42, 0x96, 0x4b, 0x98, 0xb2, 0x1f, 0x8c, 0xde, - 0x2d, 0x24, 0x48, 0xba, 0x34, 0x55, 0xd7, 0x86, 0x2c, 0x97, 0x31, - 0x64, 0x3f} - }, - {"eichin", 24, - {0x65, 0x69, 0x63, 0x68, 0x69, 0x6e, 0x4b, 0x73, 0x2b, 0x4b, - 0x1b, 0x43, 0xda, 0x1a, 0x5b, 0x99, 0x5a, 0x58, 0xd2, 0xc6, 0xd0, - 0xd2, 0xdc, 0xca} - }, - {"sommerfeld", 24, - {0x2f, 0x7a, 0x98, 0x55, 0x7c, 0x6e, 0xe4, 0xab, 0xad, 0xf4, - 0xe7, 0x11, 0x92, 0xdd, 0x44, 0x2b, 0xd4, 0xff, 0x53, 0x25, 0xa5, - 0xde, 0xf7, 0x5c} - }, - {"MASSACHVSETTS INSTITVTE OF TECHNOLOGY", 24, - {0xdb, 0x3b, 0x0d, 0x8f, 0x0b, 0x06, 0x1e, 0x60, 0x32, 0x82, - 0xb3, 0x08, 0xa5, 0x08, 0x41, 0x22, 0x9a, 0xd7, 0x98, 0xfa, 0xb9, - 0x54, 0x0c, 0x1b} - }, - {"assar@NADA.KTH.SE", 24, - {0x5c, 0x06, 0xc3, 0x4d, 0x2c, 0x89, 0x05, 0xbe, 0x7a, 0x51, - 0x83, 0x6c, 0xd6, 0xf8, 0x1c, 0x4b, 0x7a, 0x93, 0x49, 0x16, 0x5a, - 0xb3, 0xfa, 0xa9} - }, - {"testKRBTEST.MIT.EDUtestkey", 24, - {0x50, 0x2c, 0xf8, 0x29, 0x78, 0xe5, 0xfb, 0x1a, 0x29, 0x06, - 0xbd, 0x22, 0x28, 0x91, 0x56, 0xc0, 0x06, 0xa0, 0xdc, 0xf5, 0xb6, - 0xc2, 0xda, 0x6c} - }, - {"password", 7, - {0x78, 0xa0, 0x7b, 0x6c, 0xaf, 0x85, 0xfa} - }, - {"Rough Consensus, and Running Code", 8, - {0xbb, 0x6e, 0xd3, 0x08, 0x70, 0xb7, 0xf0, 0xe0}, - }, - {"password", 21, - {0x59, 0xe4, 0xa8, 0xca, 0x7c, 0x03, 0x85, 0xc3, 0xc3, 0x7b, 0x3f, - 0x6d, 0x20, 0x00, 0x24, 0x7c, 0xb6, 0xe6, 0xbd, 0x5b, 0x3e}, - }, - {"MASSACHVSETTS INSTITVTE OF TECHNOLOGY", 24, - {0xdb, 0x3b, 0x0d, 0x8f, 0x0b, 0x06, 0x1e, 0x60, 0x32, 0x82, 0xb3, - 0x08, 0xa5, 0x08, 0x41, 0x22, 0x9a, 0xd7, 0x98, 0xfa, 0xb9, 0x54, - 0x0c, 0x1b} - }, - {NULL, 0} -}; - -int -main(int argc, char **argv) -{ - unsigned 
char data[MAXSIZE]; - struct testcase *t; - int ret = 0; - - for (t = tests; t->str; ++t) { - int i; - - _krb5_n_fold (t->str, strlen(t->str), data, t->n); - if (memcmp (data, t->res, t->n) != 0) { - printf ("n-fold(\"%s\", %d) failed\n", t->str, t->n); - printf ("should be: "); - for (i = 0; i < t->n; ++i) - printf ("%02x", t->res[i]); - printf ("\nresult was: "); - for (i = 0; i < t->n; ++i) - printf ("%02x", data[i]); - printf ("\n"); - ret = 1; - } - } - return ret; -} diff --git a/crypto/heimdal-0.6.3/lib/krb5/n-fold.c b/crypto/heimdal-0.6.3/lib/krb5/n-fold.c deleted file mode 100644 index d0db5e81cb..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/n-fold.c +++ /dev/null 
@@ -1,126 +0,0 @@ -/* - * Copyright (c) 1999 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of KTH nor the names of its contributors may be - * used to endorse or promote products derived from this software without - * specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY - * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR - * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, - * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR - * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF - * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ - -#include "krb5_locl.h" - -RCSID("$Id: n-fold.c,v 1.6 1999/08/27 09:03:41 joda Exp $"); - -static void -rr13(unsigned char *buf, size_t len) -{ - unsigned char *tmp; - int bytes = (len + 7) / 8; - int i; - if(len == 0) - return; - { - const int bits = 13 % len; - const int lbit = len % 8; - - tmp = malloc(bytes); - memcpy(tmp, buf, bytes); - if(lbit) { - /* pad final byte with inital bits */ - tmp[bytes - 1] &= 0xff << (8 - lbit); - for(i = lbit; i < 8; i += len) - tmp[bytes - 1] |= buf[0] >> i; - } - for(i = 0; i < bytes; i++) { - int bb; - int b1, s1, b2, s2; - /* calculate first bit position of this byte */ - bb = 8 * i - bits; - while(bb < 0) - bb += len; - /* byte offset and shift count */ - b1 = bb / 8; - s1 = bb % 8; - - if(bb + 8 > bytes * 8) - /* watch for wraparound */ - s2 = (len + 8 - s1) % 8; - else - s2 = 8 - s1; - b2 = (b1 + 1) % bytes; - buf[i] = (tmp[b1] << s1) | (tmp[b2] >> s2); - } - free(tmp); - } -} - -/* Add `b' to `a', both beeing one's complement numbers. */ -static void -add1(unsigned char *a, unsigned char *b, size_t len) -{ - int i; - int carry = 0; - for(i = len - 1; i >= 0; i--){ - int x = a[i] + b[i] + carry; - carry = x > 0xff; - a[i] = x & 0xff; - } - for(i = len - 1; carry && i >= 0; i--){ - int x = a[i] + carry; - carry = x > 0xff; - a[i] = x & 0xff; - } -} - -void -_krb5_n_fold(const void *str, size_t len, void *key, size_t size) -{ - /* if len < size we need at most N * len bytes, ie < 2 * size; - if len > size we need at most 2 * len */ - size_t maxlen = 2 * max(size, len); - size_t l = 0; - unsigned char *tmp = malloc(maxlen); - unsigned char *buf = malloc(len); - - memcpy(buf, str, len); - memset(key, 0, size); - do { - memcpy(tmp + l, buf, len); - l += len; - rr13(buf, len * 8); - while(l >= size) { - add1(key, tmp, size); - l -= size; - if(l == 0) - break; - memmove(tmp, tmp + size, l); - } - } while(l != 0); - memset(buf, 0, len); - free(buf); - memset(tmp, 0, maxlen); - free(tmp); -} 
diff --git a/crypto/heimdal-0.6.3/lib/krb5/name-45-test.c b/crypto/heimdal-0.6.3/lib/krb5/name-45-test.c deleted file mode 100644 index f1455cddd2..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/name-45-test.c +++ /dev/null 
@@ -1,280 +0,0 @@ -/* - * Copyright (c) 2002 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of KTH nor the names of its contributors may be - * used to endorse or promote products derived from this software without - * specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY - * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR - * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, - * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR - * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF - * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ - -#include "krb5_locl.h" - -RCSID("$Id: name-45-test.c,v 1.3.2.1 2003/05/06 16:49:14 joda Exp $"); - -enum { MAX_COMPONENTS = 3 }; - -static struct testcase { - const char *v4_name; - const char *v4_inst; - const char *v4_realm; - - krb5_realm v5_realm; - unsigned ncomponents; - char *comp_val[MAX_COMPONENTS]; - - const char *config_file; - krb5_error_code ret; /* expected error code from 524 */ - - krb5_error_code ret2; /* expected error code from 425 */ -} tests[] = { - {"", "", "", "", 1, {""}, NULL, 0, 0}, - {"a", "", "", "", 1, {"a"}, NULL, 0, 0}, - {"a", "b", "", "", 2, {"a", "b"}, NULL, 0, 0}, - {"a", "b", "c", "c", 2, {"a", "b"}, NULL, 0, 0}, - - {"krbtgt", "FOO.SE", "FOO.SE", "FOO.SE", 2, - {"krbtgt", "FOO.SE"}, NULL, 0, 0}, - - {"foo", "bar", "BAZ", "BAZ", 2, - {"foo", "bar"}, NULL, 0, 0}, - {"foo", "bar", "BAZ", "BAZ", 2, - {"foo", "bar"}, - "[libdefaults]\n" - " v4_name_convert = {\n" - " host = {\n" - " foo = foo5\n" - " }\n" - "}\n", - HEIM_ERR_V4_PRINC_NO_CONV, 0}, - {"foo", "bar", "BAZ", "BAZ", 2, - {"foo5", "bar.baz"}, - "[realms]\n" - " BAZ = {\n" - " v4_name_convert = {\n" - " host = {\n" - " foo = foo5\n" - " }\n" - " }\n" - " v4_instance_convert = {\n" - " bar = bar.baz\n" - " }\n" - " }\n", - 0, 0}, - - {"rcmd", "foo", "realm", "realm", 2, {"host", "foo"}, NULL, - HEIM_ERR_V4_PRINC_NO_CONV, 0}, - {"rcmd", "foo", "realm", "realm", 2, {"host", "foo.realm"}, - "[realms]\n" - " realm = {\n" - " v4_instance_convert = {\n" - " foo = foo.realm\n" - " }\n" - " }\n", - 0, 0}, - - {"pop", "mail0", "NADA.KTH.SE", "NADA.KTH.SE", 2, - {"pop", "mail0.nada.kth.se"}, "", HEIM_ERR_V4_PRINC_NO_CONV, 0}, - {"pop", "mail0", "NADA.KTH.SE", "NADA.KTH.SE", 2, - {"pop", "mail0.nada.kth.se"}, - "[realms]\n" - " NADA.KTH.SE = {\n" - " default_domain = nada.kth.se\n" - " }\n", - 0, 0}, - {"pop", "mail0", "NADA.KTH.SE", "NADA.KTH.SE", 2, - {"pop", "mail0.nada.kth.se"}, - "[libdefaults]\n" - " v4_instance_resolve = true\n", - HEIM_ERR_V4_PRINC_NO_CONV, 0}, - - 
{"rcmd", "hokkigai", "NADA.KTH.SE", "NADA.KTH.SE", 2, - {"host", "hokkigai.pdc.kth.se"}, "", HEIM_ERR_V4_PRINC_NO_CONV, 0}, - {"rcmd", "hokkigai", "NADA.KTH.SE", "NADA.KTH.SE", 2, - {"host", "hokkigai.pdc.kth.se"}, - "[libdefaults]\n" - " v4_instance_resolve = true\n" - "[realms]\n" - " NADA.KTH.SE = {\n" - " v4_name_convert = {\n" - " host = {\n" - " rcmd = host\n" - " }\n" - " }\n" - " default_domain = pdc.kth.se\n" - " }\n", - 0, 0}, - - {"0123456789012345678901234567890123456789", - "0123456789012345678901234567890123456789", - "0123456789012345678901234567890123456789", - "0123456789012345678901234567890123456789", - 2, {"0123456789012345678901234567890123456789", - "0123456789012345678901234567890123456789"}, NULL, - 0, KRB5_PARSE_MALFORMED}, - - {"012345678901234567890123456789012345678", - "012345678901234567890123456789012345678", - "012345678901234567890123456789012345678", - "012345678901234567890123456789012345678", - 2, {"012345678901234567890123456789012345678", - "012345678901234567890123456789012345678"}, NULL, - 0, 0}, - - {NULL, NULL, NULL, NULL, 0, {NULL}, NULL, 0} -}; - -int -main(int argc, char **argv) -{ - struct testcase *t; - krb5_context context; - krb5_error_code ret; - int val = 0; - - for (t = tests; t->v4_name; ++t) { - krb5_principal princ; - int i; - char name[40], inst[40], realm[40]; - char printable_princ[256]; - - ret = krb5_init_context (&context); - if (ret) - errx (1, "krb5_init_context failed: %d", ret); - - if (t->config_file != NULL) { - char template[] = "/tmp/krb5-conf-XXXXXX"; - int fd = mkstemp(template); - char *files[2]; - - if (fd < 0) - krb5_err (context, 1, errno, "mkstemp %s", template); - - if (write (fd, t->config_file, strlen(t->config_file)) - != strlen(t->config_file)) - krb5_err (context, 1, errno, "write %s", template); - close (fd); - files[0] = template; - files[1] = NULL; - - ret = krb5_set_config_files (context, files); - unlink (template); - if (ret) - krb5_err (context, 1, ret, 
"krb5_set_config_files"); - } - - ret = krb5_425_conv_principal (context, - t->v4_name, - t->v4_inst, - t->v4_realm, - &princ); - if (ret) { - if (ret != t->ret) { - krb5_warn (context, ret, - "krb5_425_conv_principal %s.%s@%s", - t->v4_name, t->v4_inst, t->v4_realm); - val = 1; - } - } else { - if (t->ret) { - char *s; - krb5_unparse_name(context, princ, &s); - krb5_warnx (context, - "krb5_425_conv_principal %s.%s@%s " - "passed unexpected: %s", - t->v4_name, t->v4_inst, t->v4_realm, s); - free(s); - val = 1; - continue; - } - } - - if (ret) - continue; - - if (strcmp (t->v5_realm, princ->realm) != 0) { - printf ("wrong realm (\"%s\" should be \"%s\")" - " for \"%s.%s@%s\"\n", - princ->realm, t->v5_realm, - t->v4_name, - t->v4_inst, - t->v4_realm); - val = 1; - } - - if (t->ncomponents != princ->name.name_string.len) { - printf ("wrong number of components (%u should be %u)" - " for \"%s.%s@%s\"\n", - princ->name.name_string.len, t->ncomponents, - t->v4_name, - t->v4_inst, - t->v4_realm); - val = 1; - } else { - for (i = 0; i < t->ncomponents; ++i) { - if (strcmp(t->comp_val[i], - princ->name.name_string.val[i]) != 0) { - printf ("bad component %d (\"%s\" should be \"%s\")" - " for \"%s.%s@%s\"\n", - i, - princ->name.name_string.val[i], - t->comp_val[i], - t->v4_name, - t->v4_inst, - t->v4_realm); - val = 1; - } - } - } - ret = krb5_524_conv_principal (context, princ, - name, inst, realm); - if (krb5_unparse_name_fixed(context, princ, - printable_princ, sizeof(printable_princ))) - strlcpy(printable_princ, "unknown principal", - sizeof(printable_princ)); - if (ret) { - if (ret != t->ret2) { - krb5_warn (context, ret, - "krb5_524_conv_principal %s", printable_princ); - val = 1; - } - } else { - if (t->ret2) { - krb5_warnx (context, - "krb5_524_conv_principal %s " - "passed unexpected", printable_princ); - val = 1; - continue; - } - } - if (ret) { - krb5_free_principal (context, princ); - continue; - } - - krb5_free_principal (context, princ); - } - return val; -} 
diff --git a/crypto/heimdal-0.6.3/lib/krb5/net_read.c b/crypto/heimdal-0.6.3/lib/krb5/net_read.c
deleted file mode 100644
index 38ff0ea639..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/net_read.c
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (c) 1997, 1998, 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-
-RCSID("$Id: net_read.c,v 1.6 2002/08/21 09:08:06 joda Exp $");
-
-krb5_ssize_t
-krb5_net_read (krb5_context context,
- void *p_fd,
- void *buf,
- size_t len)
-{
- int fd = *((int *)p_fd);
-
- return net_read (fd, buf, len);
-}
diff --git a/crypto/heimdal-0.6.3/lib/krb5/net_write.c b/crypto/heimdal-0.6.3/lib/krb5/net_write.c
deleted file mode 100644
index 5d87b97547..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/net_write.c
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-
-RCSID("$Id: net_write.c,v 1.7 2002/08/21 09:08:07 joda Exp $");
-
-krb5_ssize_t
-krb5_net_write (krb5_context context,
- void *p_fd,
- const void *buf,
- size_t len)
-{
- int fd = *((int *)p_fd);
-
- return net_write (fd, buf, len);
-}
diff --git a/crypto/heimdal-0.6.3/lib/krb5/padata.c b/crypto/heimdal-0.6.3/lib/krb5/padata.c
deleted file mode 100644
index bcf795255a..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/padata.c
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-
-RCSID("$Id: padata.c,v 1.2 1999/12/02 17:05:11 joda Exp $");
-
-PA_DATA *
-krb5_find_padata(PA_DATA *val, unsigned len, int type, int *index)
-{
- for(; *index < len; (*index)++)
- if(val[*index].padata_type == type)
- return val + *index;
- return NULL;
-}
diff --git a/crypto/heimdal-0.6.3/lib/krb5/parse-name-test.c b/crypto/heimdal-0.6.3/lib/krb5/parse-name-test.c
deleted file mode 100644
index 29bd6bb760..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/parse-name-test.c
+++ /dev/null
@@ -1,192 +0,0 @@ -/* - * Copyright (c) 2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of KTH nor the names of its contributors may be - * used to endorse or promote products derived from this software without - * specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY - * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR - * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, - * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR - * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF - * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ - -#include "krb5_locl.h" - -RCSID("$Id: parse-name-test.c,v 1.3.4.1 2004/03/22 19:27:36 joda Exp $"); - -enum { MAX_COMPONENTS = 3 }; - -static struct testcase { - const char *input_string; - const char *output_string; - krb5_realm realm; - unsigned ncomponents; - char *comp_val[MAX_COMPONENTS]; - int realmp; -} tests[] = { - {"", "@", "", 1, {""}, FALSE}, - {"a", "a@", "", 1, {"a"}, FALSE}, - {"\\n", "\\n@", "", 1, {"\n"}, FALSE}, - {"\\ ", "\\ @", "", 1, {" "}, FALSE}, - {"\\t", "\\t@", "", 1, {"\t"}, FALSE}, - {"\\b", "\\b@", "", 1, {"\b"}, FALSE}, - {"\\\\", "\\\\@", "", 1, {"\\"}, FALSE}, - {"\\/", "\\/@", "", 1, {"/"}, FALSE}, - {"\\@", "\\@@", "", 1, {"@"}, FALSE}, - {"@", "@", "", 1, {""}, TRUE}, - {"a/b", "a/b@", "", 2, {"a", "b"}, FALSE}, - {"a/", "a/@", "", 2, {"a", ""}, FALSE}, - {"a\\//\\/", "a\\//\\/@", "", 2, {"a/", "/"}, FALSE}, - {"/a", "/a@", "", 2, {"", "a"}, FALSE}, - {"\\@@\\@", "\\@@\\@", "@", 1, {"@"}, TRUE}, - {"a/b/c", "a/b/c@", "", 3, {"a", "b", "c"}, FALSE}, - {NULL, NULL, "", 0, { NULL }, FALSE}}; - -int -main(int argc, char **argv) -{ - struct testcase *t; - krb5_context context; - krb5_error_code ret; - int val = 0; - - ret = krb5_init_context (&context); - if (ret) - errx (1, "krb5_init_context failed: %d", ret); - - /* to enable realm-less principal name above */ - - krb5_set_default_realm(context, ""); - - for (t = tests; t->input_string; ++t) { - krb5_principal princ; - int i, j; - char name_buf[1024]; - char *s; - - ret = krb5_parse_name(context, t->input_string, &princ); - if (ret) - krb5_err (context, 1, ret, "krb5_parse_name %s", - t->input_string); - if (strcmp (t->realm, princ->realm) != 0) { - printf ("wrong realm (\"%s\" should be \"%s\")" - " for \"%s\"\n", - princ->realm, t->realm, - t->input_string); - val = 1; - } - - if (t->ncomponents != princ->name.name_string.len) { - printf ("wrong number of components (%u should be %u)" - " for \"%s\"\n", - princ->name.name_string.len, t->ncomponents, - t->input_string); - val 
= 1; - } else { - for (i = 0; i < t->ncomponents; ++i) { - if (strcmp(t->comp_val[i], - princ->name.name_string.val[i]) != 0) { - printf ("bad component %d (\"%s\" should be \"%s\")" - " for \"%s\"\n", - i, - princ->name.name_string.val[i], - t->comp_val[i], - t->input_string); - val = 1; - } - } - } - for (j = 0; j < strlen(t->output_string); ++j) { - ret = krb5_unparse_name_fixed(context, princ, - name_buf, j); - if (ret != ERANGE) { - printf ("unparse_name %s with length %d should have failed\n", - t->input_string, j); - val = 1; - break; - } - } - ret = krb5_unparse_name_fixed(context, princ, - name_buf, sizeof(name_buf)); - if (ret) - krb5_err (context, 1, ret, "krb5_unparse_name_fixed"); - - if (strcmp (t->output_string, name_buf) != 0) { - printf ("failed comparing the re-parsed" - " (\"%s\" should be \"%s\")\n", - name_buf, t->output_string); - val = 1; - } - - ret = krb5_unparse_name(context, princ, &s); - if (ret) - krb5_err (context, 1, ret, "krb5_unparse_name"); - - if (strcmp (t->output_string, s) != 0) { - printf ("failed comparing the re-parsed" - " (\"%s\" should be \"%s\"\n", - s, t->output_string); - val = 1; - } - free(s); - - if (!t->realmp) { - for (j = 0; j < strlen(t->input_string); ++j) { - ret = krb5_unparse_name_fixed_short(context, princ, - name_buf, j); - if (ret != ERANGE) { - printf ("unparse_name_short %s with length %d" - " should have failed\n", - t->input_string, j); - val = 1; - break; - } - } - ret = krb5_unparse_name_fixed_short(context, princ, - name_buf, sizeof(name_buf)); - if (ret) - krb5_err (context, 1, ret, "krb5_unparse_name_fixed"); - - if (strcmp (t->input_string, name_buf) != 0) { - printf ("failed comparing the re-parsed" - " (\"%s\" should be \"%s\")\n", - name_buf, t->input_string); - val = 1; - } - - ret = krb5_unparse_name_short(context, princ, &s); - if (ret) - krb5_err (context, 1, ret, "krb5_unparse_name_short"); - - if (strcmp (t->input_string, s) != 0) { - printf ("failed comparing the re-parsed" - " (\"%s\" 
should be \"%s\"\n", - s, t->input_string); - val = 1; - } - free(s); - } - krb5_free_principal (context, princ); - } - return val; -} diff --git a/crypto/heimdal-0.6.3/lib/krb5/principal.c b/crypto/heimdal-0.6.3/lib/krb5/principal.c deleted file mode 100644 index d46f328017..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/principal.c +++ /dev/null 
@@ -1,1087 +0,0 @@ -/* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "krb5_locl.h" -#ifdef HAVE_RES_SEARCH -#define USE_RESOLVER -#endif -#ifdef HAVE_ARPA_NAMESER_H -#include -#endif -#include -#include "resolve.h" - -RCSID("$Id: principal.c,v 1.82.2.1 2003/08/15 14:30:07 lha Exp $"); - -#define princ_num_comp(P) ((P)->name.name_string.len) -#define princ_type(P) ((P)->name.name_type) -#define princ_comp(P) ((P)->name.name_string.val) -#define princ_ncomp(P, N) ((P)->name.name_string.val[(N)]) -#define princ_realm(P) ((P)->realm) - -void -krb5_free_principal(krb5_context context, - krb5_principal p) -{ - if(p){ - free_Principal(p); - free(p); - } -} - -int -krb5_principal_get_type(krb5_context context, - krb5_principal principal) -{ - return princ_type(principal); -} - -const char * -krb5_principal_get_realm(krb5_context context, - krb5_principal principal) -{ - return princ_realm(principal); -} - -const char * -krb5_principal_get_comp_string(krb5_context context, - krb5_principal principal, - unsigned int component) -{ - if(component >= princ_num_comp(principal)) - return NULL; - return princ_ncomp(principal, component); -} - -krb5_error_code -krb5_parse_name(krb5_context context, - const char *name, - krb5_principal *principal) -{ - krb5_error_code ret; - general_string *comp; - general_string realm; - int ncomp; - - const char *p; - char *q; - char *s; - char *start; - - int n; - char c; - int got_realm = 0; - - /* count number of component */ - ncomp = 1; - for(p = name; *p; p++){ - if(*p=='\\'){ - if(!p[1]) { - krb5_set_error_string (context, - "trailing \\ in principal name"); - return KRB5_PARSE_MALFORMED; - } - p++; - } else if(*p == '/') - ncomp++; - } - comp = calloc(ncomp, sizeof(*comp)); - if (comp == NULL) { - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - - n = 0; - p = start = q = s = strdup(name); - if (start == NULL) { - free (comp); - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - while(*p){ - c = *p++; - if(c == '\\'){ - c = *p++; 
- if(c == 'n') - c = '\n'; - else if(c == 't') - c = '\t'; - else if(c == 'b') - c = '\b'; - else if(c == '0') - c = '\0'; - else if(c == '\0') { - krb5_set_error_string (context, - "trailing \\ in principal name"); - ret = KRB5_PARSE_MALFORMED; - goto exit; - } - }else if(c == '/' || c == '@'){ - if(got_realm){ - krb5_set_error_string (context, - "part after realm in principal name"); - ret = KRB5_PARSE_MALFORMED; - goto exit; - }else{ - comp[n] = malloc(q - start + 1); - if (comp[n] == NULL) { - krb5_set_error_string (context, "malloc: out of memory"); - ret = ENOMEM; - goto exit; - } - memcpy(comp[n], start, q - start); - comp[n][q - start] = 0; - n++; - } - if(c == '@') - got_realm = 1; - start = q; - continue; - } - if(got_realm && (c == ':' || c == '/' || c == '\0')) { - krb5_set_error_string (context, - "part after realm in principal name"); - ret = KRB5_PARSE_MALFORMED; - goto exit; - } - *q++ = c; - } - if(got_realm){ - realm = malloc(q - start + 1); - if (realm == NULL) { - krb5_set_error_string (context, "malloc: out of memory"); - ret = ENOMEM; - goto exit; - } - memcpy(realm, start, q - start); - realm[q - start] = 0; - }else{ - ret = krb5_get_default_realm (context, &realm); - if (ret) - goto exit; - - comp[n] = malloc(q - start + 1); - if (comp[n] == NULL) { - krb5_set_error_string (context, "malloc: out of memory"); - ret = ENOMEM; - goto exit; - } - memcpy(comp[n], start, q - start); - comp[n][q - start] = 0; - n++; - } - *principal = malloc(sizeof(**principal)); - if (*principal == NULL) { - krb5_set_error_string (context, "malloc: out of memory"); - ret = ENOMEM; - goto exit; - } - (*principal)->name.name_type = KRB5_NT_PRINCIPAL; - (*principal)->name.name_string.val = comp; - princ_num_comp(*principal) = n; - (*principal)->realm = realm; - free(s); - return 0; -exit: - while(n>0){ - free(comp[--n]); - } - free(comp); - free(s); - return ret; -} - -static const char quotable_chars[] = " \n\t\b\\/@"; -static const char replace_chars[] = " 
ntb\\/@"; - -#define add_char(BASE, INDEX, LEN, C) do { if((INDEX) < (LEN)) (BASE)[(INDEX)++] = (C); }while(0); - -static size_t -quote_string(const char *s, char *out, size_t index, size_t len) -{ - const char *p, *q; - for(p = s; *p && index < len; p++){ - if((q = strchr(quotable_chars, *p))){ - add_char(out, index, len, '\\'); - add_char(out, index, len, replace_chars[q - quotable_chars]); - }else - add_char(out, index, len, *p); - } - if(index < len) - out[index] = '\0'; - return index; -} - - -static krb5_error_code -unparse_name_fixed(krb5_context context, - krb5_const_principal principal, - char *name, - size_t len, - krb5_boolean short_form) -{ - size_t index = 0; - int i; - for(i = 0; i < princ_num_comp(principal); i++){ - if(i) - add_char(name, index, len, '/'); - index = quote_string(princ_ncomp(principal, i), name, index, len); - if(index == len) - return ERANGE; - } - /* add realm if different from default realm */ - if(short_form) { - krb5_realm r; - krb5_error_code ret; - ret = krb5_get_default_realm(context, &r); - if(ret) - return ret; - if(strcmp(princ_realm(principal), r) != 0) - short_form = 0; - free(r); - } - if(!short_form) { - add_char(name, index, len, '@'); - index = quote_string(princ_realm(principal), name, index, len); - if(index == len) - return ERANGE; - } - return 0; -} - -krb5_error_code -krb5_unparse_name_fixed(krb5_context context, - krb5_const_principal principal, - char *name, - size_t len) -{ - return unparse_name_fixed(context, principal, name, len, FALSE); -} - -krb5_error_code -krb5_unparse_name_fixed_short(krb5_context context, - krb5_const_principal principal, - char *name, - size_t len) -{ - return unparse_name_fixed(context, principal, name, len, TRUE); -} - -static krb5_error_code -unparse_name(krb5_context context, - krb5_const_principal principal, - char **name, - krb5_boolean short_flag) -{ - size_t len = 0, plen; - int i; - krb5_error_code ret; - /* count length */ - plen = strlen(princ_realm(principal)); - 
if(strcspn(princ_realm(principal), quotable_chars) == plen) - len += plen; - else - len += 2*plen; - len++; - for(i = 0; i < princ_num_comp(principal); i++){ - plen = strlen(princ_ncomp(principal, i)); - if(strcspn(princ_ncomp(principal, i), quotable_chars) == plen) - len += plen; - else - len += 2*plen; - len++; - } - len++; - *name = malloc(len); - if(*name == NULL) { - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - ret = unparse_name_fixed(context, principal, *name, len, short_flag); - if(ret) { - free(*name); - *name = NULL; - } - return ret; -} - -krb5_error_code -krb5_unparse_name(krb5_context context, - krb5_const_principal principal, - char **name) -{ - return unparse_name(context, principal, name, FALSE); -} - -krb5_error_code -krb5_unparse_name_short(krb5_context context, - krb5_const_principal principal, - char **name) -{ - return unparse_name(context, principal, name, TRUE); -} - -#if 0 /* not implemented */ - -krb5_error_code -krb5_unparse_name_ext(krb5_context context, - krb5_const_principal principal, - char **name, - size_t *size) -{ - krb5_abortx(context, "unimplemented krb5_unparse_name_ext called"); -} - -#endif - -krb5_realm* -krb5_princ_realm(krb5_context context, - krb5_principal principal) -{ - return &princ_realm(principal); -} - - -void -krb5_princ_set_realm(krb5_context context, - krb5_principal principal, - krb5_realm *realm) -{ - princ_realm(principal) = *realm; -} - - -krb5_error_code -krb5_build_principal(krb5_context context, - krb5_principal *principal, - int rlen, - krb5_const_realm realm, - ...) 
-{ - krb5_error_code ret; - va_list ap; - va_start(ap, realm); - ret = krb5_build_principal_va(context, principal, rlen, realm, ap); - va_end(ap); - return ret; -} - -static krb5_error_code -append_component(krb5_context context, krb5_principal p, - const char *comp, - size_t comp_len) -{ - general_string *tmp; - size_t len = princ_num_comp(p); - - tmp = realloc(princ_comp(p), (len + 1) * sizeof(*tmp)); - if(tmp == NULL) { - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - princ_comp(p) = tmp; - princ_ncomp(p, len) = malloc(comp_len + 1); - if (princ_ncomp(p, len) == NULL) { - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - memcpy (princ_ncomp(p, len), comp, comp_len); - princ_ncomp(p, len)[comp_len] = '\0'; - princ_num_comp(p)++; - return 0; -} - -static void -va_ext_princ(krb5_context context, krb5_principal p, va_list ap) -{ - while(1){ - const char *s; - int len; - len = va_arg(ap, int); - if(len == 0) - break; - s = va_arg(ap, const char*); - append_component(context, p, s, len); - } -} - -static void -va_princ(krb5_context context, krb5_principal p, va_list ap) -{ - while(1){ - const char *s; - s = va_arg(ap, const char*); - if(s == NULL) - break; - append_component(context, p, s, strlen(s)); - } -} - - -static krb5_error_code -build_principal(krb5_context context, - krb5_principal *principal, - int rlen, - krb5_const_realm realm, - void (*func)(krb5_context, krb5_principal, va_list), - va_list ap) -{ - krb5_principal p; - - p = calloc(1, sizeof(*p)); - if (p == NULL) { - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - princ_type(p) = KRB5_NT_PRINCIPAL; - - princ_realm(p) = strdup(realm); - if(p->realm == NULL){ - free(p); - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - - (*func)(context, p, ap); - *principal = p; - return 0; -} - -krb5_error_code -krb5_make_principal(krb5_context context, - krb5_principal *principal, - 
krb5_const_realm realm, - ...) -{ - krb5_error_code ret; - krb5_realm r = NULL; - va_list ap; - if(realm == NULL) { - ret = krb5_get_default_realm(context, &r); - if(ret) - return ret; - realm = r; - } - va_start(ap, realm); - ret = krb5_build_principal_va(context, principal, strlen(realm), realm, ap); - va_end(ap); - if(r) - free(r); - return ret; -} - -krb5_error_code -krb5_build_principal_va(krb5_context context, - krb5_principal *principal, - int rlen, - krb5_const_realm realm, - va_list ap) -{ - return build_principal(context, principal, rlen, realm, va_princ, ap); -} - -krb5_error_code -krb5_build_principal_va_ext(krb5_context context, - krb5_principal *principal, - int rlen, - krb5_const_realm realm, - va_list ap) -{ - return build_principal(context, principal, rlen, realm, va_ext_princ, ap); -} - - -krb5_error_code -krb5_build_principal_ext(krb5_context context, - krb5_principal *principal, - int rlen, - krb5_const_realm realm, - ...) -{ - krb5_error_code ret; - va_list ap; - va_start(ap, realm); - ret = krb5_build_principal_va_ext(context, principal, rlen, realm, ap); - va_end(ap); - return ret; -} - - -krb5_error_code -krb5_copy_principal(krb5_context context, - krb5_const_principal inprinc, - krb5_principal *outprinc) -{ - krb5_principal p = malloc(sizeof(*p)); - if (p == NULL) { - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - if(copy_Principal(inprinc, p)) { - free(p); - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - *outprinc = p; - return 0; -} - -/* - * return TRUE iff princ1 == princ2 (without considering the realm) - */ - -krb5_boolean -krb5_principal_compare_any_realm(krb5_context context, - krb5_const_principal princ1, - krb5_const_principal princ2) -{ - int i; - if(princ_num_comp(princ1) != princ_num_comp(princ2)) - return FALSE; - for(i = 0; i < princ_num_comp(princ1); i++){ - if(strcmp(princ_ncomp(princ1, i), princ_ncomp(princ2, i)) != 0) - return FALSE; - } - return TRUE; -} 
-
-/*
- * return TRUE iff princ1 == princ2
- */
-
-krb5_boolean
-krb5_principal_compare(krb5_context context,
- krb5_const_principal princ1,
- krb5_const_principal princ2)
-{
- if(!krb5_realm_compare(context, princ1, princ2))
- return FALSE;
- return krb5_principal_compare_any_realm(context, princ1, princ2);
-}
-
-/*
- * return TRUE iff realm(princ1) == realm(princ2)
- */
-
-krb5_boolean
-krb5_realm_compare(krb5_context context,
- krb5_const_principal princ1,
- krb5_const_principal princ2)
-{
- return strcmp(princ_realm(princ1), princ_realm(princ2)) == 0;
-}
-
-/*
- * return TRUE iff princ matches pattern
- */
-
-krb5_boolean
-krb5_principal_match(krb5_context context,
- krb5_const_principal princ,
- krb5_const_principal pattern)
-{
- int i;
- if(princ_num_comp(princ) != princ_num_comp(pattern))
- return FALSE;
- if(fnmatch(princ_realm(pattern), princ_realm(princ), 0) != 0)
- return FALSE;
- for(i = 0; i < princ_num_comp(princ); i++){
- if(fnmatch(princ_ncomp(pattern, i), princ_ncomp(princ, i), 0) != 0)
- return FALSE;
- }
- return TRUE;
-}
-
-
-struct v4_name_convert {
- const char *from;
- const char *to;
-} default_v4_name_convert[] = {
- { "ftp", "ftp" },
- { "hprop", "hprop" },
- { "pop", "pop" },
- { "imap", "imap" },
- { "rcmd", "host" },
- { "smtp", "smtp" },
- { NULL, NULL }
-};
-
-/*
- * return the converted instance name of `name' in `realm'.
- * look in the configuration file and then in the default set above.
- * return NULL if no conversion is appropriate.
- */ - -static const char* -get_name_conversion(krb5_context context, const char *realm, const char *name) -{ - struct v4_name_convert *q; - const char *p; - - p = krb5_config_get_string(context, NULL, "realms", realm, - "v4_name_convert", "host", name, NULL); - if(p == NULL) - p = krb5_config_get_string(context, NULL, "libdefaults", - "v4_name_convert", "host", name, NULL); - if(p) - return p; - - /* XXX should be possible to override default list */ - p = krb5_config_get_string(context, NULL, - "realms", - realm, - "v4_name_convert", - "plain", - name, - NULL); - if(p) - return NULL; - p = krb5_config_get_string(context, NULL, - "libdefaults", - "v4_name_convert", - "plain", - name, - NULL); - if(p) - return NULL; - for(q = default_v4_name_convert; q->from; q++) - if(strcmp(q->from, name) == 0) - return q->to; - return NULL; -} - -/* - * convert the v4 principal `name.instance@realm' to a v5 principal in `princ'. - * if `resolve', use DNS. - * if `func', use that function for validating the conversion - */ - -krb5_error_code -krb5_425_conv_principal_ext(krb5_context context, - const char *name, - const char *instance, - const char *realm, - krb5_boolean (*func)(krb5_context, krb5_principal), - krb5_boolean resolve, - krb5_principal *princ) -{ - const char *p; - krb5_error_code ret; - krb5_principal pr; - char host[MAXHOSTNAMELEN]; - char local_hostname[MAXHOSTNAMELEN]; - - /* do the following: if the name is found in the - `v4_name_convert:host' part, is is assumed to be a `host' type - principal, and the instance is looked up in the - `v4_instance_convert' part. 
if not found there the name is - (optionally) looked up as a hostname, and if that doesn't yield - anything, the `default_domain' is appended to the instance - */ - - if(instance == NULL) - goto no_host; - if(instance[0] == 0){ - instance = NULL; - goto no_host; - } - p = get_name_conversion(context, realm, name); - if(p == NULL) - goto no_host; - name = p; - p = krb5_config_get_string(context, NULL, "realms", realm, - "v4_instance_convert", instance, NULL); - if(p){ - instance = p; - ret = krb5_make_principal(context, &pr, realm, name, instance, NULL); - if(func == NULL || (*func)(context, pr)){ - *princ = pr; - return 0; - } - krb5_free_principal(context, pr); - *princ = NULL; - krb5_clear_error_string (context); - return HEIM_ERR_V4_PRINC_NO_CONV; - } - if(resolve){ - krb5_boolean passed = FALSE; - char *inst = NULL; -#ifdef USE_RESOLVER - struct dns_reply *r; - - r = dns_lookup(instance, "aaaa"); - if (r && r->head && r->head->type == T_AAAA) { - inst = strdup(r->head->domain); - dns_free_data(r); - passed = TRUE; - } else { - r = dns_lookup(instance, "a"); - if(r && r->head && r->head->type == T_A) { - inst = strdup(r->head->domain); - dns_free_data(r); - passed = TRUE; - } - } -#else - struct addrinfo hints, *ai; - int ret; - - memset (&hints, 0, sizeof(hints)); - hints.ai_flags = AI_CANONNAME; - ret = getaddrinfo(instance, NULL, &hints, &ai); - if (ret == 0) { - const struct addrinfo *a; - for (a = ai; a != NULL; a = a->ai_next) { - if (a->ai_canonname != NULL) { - inst = strdup (a->ai_canonname); - passed = TRUE; - break; - } - } - freeaddrinfo (ai); - } -#endif - if (passed) { - if (inst == NULL) { - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - strlwr(inst); - ret = krb5_make_principal(context, &pr, realm, name, inst, - NULL); - free (inst); - if(ret == 0) { - if(func == NULL || (*func)(context, pr)){ - *princ = pr; - return 0; - } - krb5_free_principal(context, pr); - } - } - } - if(func != NULL) { - snprintf(host, 
sizeof(host), "%s.%s", instance, realm); - strlwr(host); - ret = krb5_make_principal(context, &pr, realm, name, host, NULL); - if((*func)(context, pr)){ - *princ = pr; - return 0; - } - krb5_free_principal(context, pr); - } - - /* - * if the instance is the first component of the local hostname, - * the converted host should be the long hostname. - */ - - if (func == NULL && - gethostname (local_hostname, sizeof(local_hostname)) == 0 && - strncmp(instance, local_hostname, strlen(instance)) == 0 && - local_hostname[strlen(instance)] == '.') { - strlcpy(host, local_hostname, sizeof(host)); - goto local_host; - } - - { - char **domains, **d; - domains = krb5_config_get_strings(context, NULL, "realms", realm, - "v4_domains", NULL); - for(d = domains; d && *d; d++){ - snprintf(host, sizeof(host), "%s.%s", instance, *d); - ret = krb5_make_principal(context, &pr, realm, name, host, NULL); - if(func == NULL || (*func)(context, pr)){ - *princ = pr; - krb5_config_free_strings(domains); - return 0; - } - krb5_free_principal(context, pr); - } - krb5_config_free_strings(domains); - } - - - p = krb5_config_get_string(context, NULL, "realms", realm, - "default_domain", NULL); - if(p == NULL){ - /* this should be an error, just faking a name is not good */ - krb5_clear_error_string (context); - return HEIM_ERR_V4_PRINC_NO_CONV; - } - - if (*p == '.') - ++p; - snprintf(host, sizeof(host), "%s.%s", instance, p); -local_host: - ret = krb5_make_principal(context, &pr, realm, name, host, NULL); - if(func == NULL || (*func)(context, pr)){ - *princ = pr; - return 0; - } - krb5_free_principal(context, pr); - krb5_clear_error_string (context); - return HEIM_ERR_V4_PRINC_NO_CONV; -no_host: - p = krb5_config_get_string(context, NULL, - "realms", - realm, - "v4_name_convert", - "plain", - name, - NULL); - if(p == NULL) - p = krb5_config_get_string(context, NULL, - "libdefaults", - "v4_name_convert", - "plain", - name, - NULL); - if(p) - name = p; - - ret = krb5_make_principal(context, &pr, 
realm, name, instance, NULL); - if(func == NULL || (*func)(context, pr)){ - *princ = pr; - return 0; - } - krb5_free_principal(context, pr); - krb5_clear_error_string (context); - return HEIM_ERR_V4_PRINC_NO_CONV; -} - -krb5_error_code -krb5_425_conv_principal(krb5_context context, - const char *name, - const char *instance, - const char *realm, - krb5_principal *princ) -{ - krb5_boolean resolve = krb5_config_get_bool(context, - NULL, - "libdefaults", - "v4_instance_resolve", - NULL); - - return krb5_425_conv_principal_ext(context, name, instance, realm, - NULL, resolve, princ); -} - - -static int -check_list(const krb5_config_binding *l, const char *name, const char **out) -{ - while(l){ - if (l->type != krb5_config_string) - continue; - if(strcmp(name, l->u.string) == 0) { - *out = l->name; - return 1; - } - l = l->next; - } - return 0; -} - -static int -name_convert(krb5_context context, const char *name, const char *realm, - const char **out) -{ - const krb5_config_binding *l; - l = krb5_config_get_list (context, - NULL, - "realms", - realm, - "v4_name_convert", - "host", - NULL); - if(l && check_list(l, name, out)) - return KRB5_NT_SRV_HST; - l = krb5_config_get_list (context, - NULL, - "libdefaults", - "v4_name_convert", - "host", - NULL); - if(l && check_list(l, name, out)) - return KRB5_NT_SRV_HST; - l = krb5_config_get_list (context, - NULL, - "realms", - realm, - "v4_name_convert", - "plain", - NULL); - if(l && check_list(l, name, out)) - return KRB5_NT_UNKNOWN; - l = krb5_config_get_list (context, - NULL, - "libdefaults", - "v4_name_convert", - "host", - NULL); - if(l && check_list(l, name, out)) - return KRB5_NT_UNKNOWN; - - /* didn't find it in config file, try built-in list */ - { - struct v4_name_convert *q; - for(q = default_v4_name_convert; q->from; q++) { - if(strcmp(name, q->to) == 0) { - *out = q->from; - return KRB5_NT_SRV_HST; - } - } - } - return -1; -} - -/* - * convert the v5 principal in `principal' into a v4 corresponding one - * in 
`name, instance, realm' - * this is limited interface since there's no length given for these - * three parameters. They have to be 40 bytes each (ANAME_SZ). - */ - -krb5_error_code -krb5_524_conv_principal(krb5_context context, - const krb5_principal principal, - char *name, - char *instance, - char *realm) -{ - const char *n, *i, *r; - char tmpinst[40]; - int type = princ_type(principal); - const int aname_sz = 40; - - r = principal->realm; - - switch(principal->name.name_string.len){ - case 1: - n = principal->name.name_string.val[0]; - i = ""; - break; - case 2: - n = principal->name.name_string.val[0]; - i = principal->name.name_string.val[1]; - break; - default: - krb5_set_error_string (context, - "cannot convert a %d component principal", - principal->name.name_string.len); - return KRB5_PARSE_MALFORMED; - } - - { - const char *tmp; - int t = name_convert(context, n, r, &tmp); - if(t >= 0) { - type = t; - n = tmp; - } - } - - if(type == KRB5_NT_SRV_HST){ - char *p; - - strlcpy (tmpinst, i, sizeof(tmpinst)); - p = strchr(tmpinst, '.'); - if(p) - *p = 0; - i = tmpinst; - } - - if (strlcpy (name, n, aname_sz) >= aname_sz) { - krb5_set_error_string (context, - "too long name component to convert"); - return KRB5_PARSE_MALFORMED; - } - if (strlcpy (instance, i, aname_sz) >= aname_sz) { - krb5_set_error_string (context, - "too long instance component to convert"); - return KRB5_PARSE_MALFORMED; - } - if (strlcpy (realm, r, aname_sz) >= aname_sz) { - krb5_set_error_string (context, - "too long realm component to convert"); - return KRB5_PARSE_MALFORMED; - } - return 0; -} - -/* - * Create a principal in `ret_princ' for the service `sname' running - * on host `hostname'. 
*/ - -krb5_error_code -krb5_sname_to_principal (krb5_context context, - const char *hostname, - const char *sname, - int32_t type, - krb5_principal *ret_princ) -{ - krb5_error_code ret; - char localhost[MAXHOSTNAMELEN]; - char **realms, *host = NULL; - - if(type != KRB5_NT_SRV_HST && type != KRB5_NT_UNKNOWN) { - krb5_set_error_string (context, "unsupported name type %d", - type); - return KRB5_SNAME_UNSUPP_NAMETYPE; - } - if(hostname == NULL) { - gethostname(localhost, sizeof(localhost)); - hostname = localhost; - } - if(sname == NULL) - sname = "host"; - if(type == KRB5_NT_SRV_HST) { - ret = krb5_expand_hostname_realms (context, hostname, - &host, &realms); - if (ret) - return ret; - strlwr(host); - hostname = host; - } else { - ret = krb5_get_host_realm(context, hostname, &realms); - if(ret) - return ret; - } - - ret = krb5_make_principal(context, ret_princ, realms[0], sname, - hostname, NULL); - if(host) - free(host); - krb5_free_host_realm(context, realms); - return ret; -} diff --git a/crypto/heimdal-0.6.3/lib/krb5/prog_setup.c b/crypto/heimdal-0.6.3/lib/krb5/prog_setup.c deleted file mode 100644 index 3f5efb65fd..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/prog_setup.c +++ /dev/null 
@@ -1,66 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-#include
-#include
-
-RCSID("$Id: prog_setup.c,v 1.9 2001/02/20 01:44:54 assar Exp $");
-
-void
-krb5_std_usage(int code, struct getargs *args, int num_args)
-{
- arg_printusage(args, num_args, NULL, "");
- exit(code);
-}
-
-int
-krb5_program_setup(krb5_context *context, int argc, char **argv,
- struct getargs *args, int num_args,
- void (*usage)(int, struct getargs*, int))
-{
- krb5_error_code ret;
- int optind = 0;
-
- if(usage == NULL)
- usage = krb5_std_usage;
-
- setprogname(argv[0]);
- ret = krb5_init_context(context);
- if (ret)
- errx (1, "krb5_init_context failed: %d", ret);
-
- if(getarg(args, num_args, argc, argv, &optind))
- (*usage)(1, args, num_args);
- return optind;
-}
diff --git a/crypto/heimdal-0.6.3/lib/krb5/prompter_posix.c b/crypto/heimdal-0.6.3/lib/krb5/prompter_posix.c
deleted file mode 100644
index 4aea3a4229..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/prompter_posix.c
+++ /dev/null
@@ -1,72 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-
-RCSID("$Id: prompter_posix.c,v 1.7 2002/09/16 17:32:11 nectar Exp $");
-
-int
-krb5_prompter_posix (krb5_context context,
- void *data,
- const char *name,
- const char *banner,
- int num_prompts,
- krb5_prompt prompts[])
-{
- int i;
-
- if (name)
- fprintf (stderr, "%s\n", name);
- if (banner)
- fprintf (stderr, "%s\n", banner);
- for (i = 0; i < num_prompts; ++i) {
- if (prompts[i].hidden) {
- if(des_read_pw_string(prompts[i].reply->data,
- prompts[i].reply->length,
- prompts[i].prompt,
- 0))
- return 1;
- } else {
- char *s = prompts[i].reply->data;
-
- fputs (prompts[i].prompt, stdout);
- fflush (stdout);
- if(fgets(prompts[i].reply->data,
- prompts[i].reply->length,
- stdin) == NULL)
- return 1;
- s[strcspn(s, "\n")] = '\0';
- }
- }
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/lib/krb5/rd_cred.c b/crypto/heimdal-0.6.3/lib/krb5/rd_cred.c
deleted file mode 100644
index 4a7d74cad5..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/rd_cred.c
+++ /dev/null
@@ -1,294 +0,0 @@ -/* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include - -RCSID("$Id: rd_cred.c,v 1.18 2002/09/04 16:26:05 joda Exp $"); - -krb5_error_code -krb5_rd_cred(krb5_context context, - krb5_auth_context auth_context, - krb5_data *in_data, - krb5_creds ***ret_creds, - krb5_replay_data *out_data) -{ - krb5_error_code ret; - size_t len; - KRB_CRED cred; - EncKrbCredPart enc_krb_cred_part; - krb5_data enc_krb_cred_part_data; - krb5_crypto crypto; - int i; - - *ret_creds = NULL; - - ret = decode_KRB_CRED(in_data->data, in_data->length, - &cred, &len); - if(ret) - return ret; - - if (cred.pvno != 5) { - ret = KRB5KRB_AP_ERR_BADVERSION; - krb5_clear_error_string (context); - goto out; - } - - if (cred.msg_type != krb_cred) { - ret = KRB5KRB_AP_ERR_MSG_TYPE; - krb5_clear_error_string (context); - goto out; - } - - if (cred.enc_part.etype == ETYPE_NULL) { - /* DK: MIT GSS-API Compatibility */ - enc_krb_cred_part_data.length = cred.enc_part.cipher.length; - enc_krb_cred_part_data.data = cred.enc_part.cipher.data; - } else { - if (auth_context->remote_subkey) - ret = krb5_crypto_init(context, auth_context->remote_subkey, - 0, &crypto); - else - ret = krb5_crypto_init(context, auth_context->keyblock, - 0, &crypto); - /* DK: MIT rsh */ - - if (ret) - goto out; - - ret = krb5_decrypt_EncryptedData(context, - crypto, - KRB5_KU_KRB_CRED, - &cred.enc_part, - &enc_krb_cred_part_data); - - krb5_crypto_destroy(context, crypto); - if (ret) - goto out; - } - - ret = krb5_decode_EncKrbCredPart (context, - enc_krb_cred_part_data.data, - enc_krb_cred_part_data.length, - &enc_krb_cred_part, - &len); - if (ret) - goto out; - - /* check sender address */ - - if (enc_krb_cred_part.s_address - && auth_context->remote_address - && auth_context->remote_port) { - krb5_address *a; - int cmp; - - ret = krb5_make_addrport (context, &a, - auth_context->remote_address, - auth_context->remote_port); - if (ret) - goto out; - - - cmp = krb5_address_compare (context, - a, - enc_krb_cred_part.s_address); - - krb5_free_address (context, a); - free (a); 
- - if (cmp == 0) { - krb5_clear_error_string (context); - ret = KRB5KRB_AP_ERR_BADADDR; - goto out; - } - } - - /* check receiver address */ - - if (enc_krb_cred_part.r_address - && auth_context->local_address) { - if(auth_context->local_port && - enc_krb_cred_part.r_address->addr_type == KRB5_ADDRESS_ADDRPORT) { - krb5_address *a; - int cmp; - ret = krb5_make_addrport (context, &a, - auth_context->local_address, - auth_context->local_port); - if (ret) - goto out; - - cmp = krb5_address_compare (context, - a, - enc_krb_cred_part.r_address); - krb5_free_address (context, a); - free (a); - - if (cmp == 0) { - krb5_clear_error_string (context); - ret = KRB5KRB_AP_ERR_BADADDR; - goto out; - } - } else { - if(!krb5_address_compare (context, - auth_context->local_address, - enc_krb_cred_part.r_address)) { - krb5_clear_error_string (context); - ret = KRB5KRB_AP_ERR_BADADDR; - goto out; - } - } - } - - /* check timestamp */ - if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) { - krb5_timestamp sec; - - krb5_timeofday (context, &sec); - - if (enc_krb_cred_part.timestamp == NULL || - enc_krb_cred_part.usec == NULL || - abs(*enc_krb_cred_part.timestamp - sec) - > context->max_skew) { - krb5_clear_error_string (context); - ret = KRB5KRB_AP_ERR_SKEW; - goto out; - } - } - - if(out_data != NULL) { - if(enc_krb_cred_part.timestamp) - out_data->timestamp = *enc_krb_cred_part.timestamp; - else - out_data->timestamp = 0; - if(enc_krb_cred_part.usec) - out_data->usec = *enc_krb_cred_part.usec; - else - out_data->usec = 0; - if(enc_krb_cred_part.nonce) - out_data->seq = *enc_krb_cred_part.nonce; - else - out_data->seq = 0; - } - - /* Convert to NULL terminated list of creds */ - - *ret_creds = calloc(enc_krb_cred_part.ticket_info.len + 1, - sizeof(**ret_creds)); - - if (*ret_creds == NULL) { - ret = ENOMEM; - krb5_set_error_string (context, "malloc: out of memory"); - goto out; - } - - for (i = 0; i < enc_krb_cred_part.ticket_info.len; ++i) { - KrbCredInfo *kci = 
&enc_krb_cred_part.ticket_info.val[i]; - krb5_creds *creds; - size_t len; - - creds = calloc(1, sizeof(*creds)); - if(creds == NULL) { - ret = ENOMEM; - krb5_set_error_string (context, "malloc: out of memory"); - goto out; - } - - ASN1_MALLOC_ENCODE(Ticket, creds->ticket.data, creds->ticket.length, - &cred.tickets.val[i], &len, ret); - if (ret) - goto out; - if(creds->ticket.length != len) - krb5_abortx(context, "internal error in ASN.1 encoder"); - copy_EncryptionKey (&kci->key, &creds->session); - if (kci->prealm && kci->pname) - principalname2krb5_principal (&creds->client, - *kci->pname, - *kci->prealm); - if (kci->flags) - creds->flags.b = *kci->flags; - if (kci->authtime) - creds->times.authtime = *kci->authtime; - if (kci->starttime) - creds->times.starttime = *kci->starttime; - if (kci->endtime) - creds->times.endtime = *kci->endtime; - if (kci->renew_till) - creds->times.renew_till = *kci->renew_till; - if (kci->srealm && kci->sname) - principalname2krb5_principal (&creds->server, - *kci->sname, - *kci->srealm); - if (kci->caddr) - krb5_copy_addresses (context, - kci->caddr, - &creds->addresses); - - (*ret_creds)[i] = creds; - - } - (*ret_creds)[i] = NULL; - return 0; - -out: - free_KRB_CRED (&cred); - if(*ret_creds) { - for(i = 0; (*ret_creds)[i]; i++) - krb5_free_creds(context, (*ret_creds)[i]); - free(*ret_creds); - } - return ret; -} - -krb5_error_code -krb5_rd_cred2 (krb5_context context, - krb5_auth_context auth_context, - krb5_ccache ccache, - krb5_data *in_data) -{ - krb5_error_code ret; - krb5_creds **creds; - int i; - - ret = krb5_rd_cred(context, auth_context, in_data, &creds, NULL); - if(ret) - return ret; - - /* Store the creds in the ccache */ - - for(i = 0; creds && creds[i]; i++) { - krb5_cc_store_cred(context, ccache, creds[i]); - krb5_free_creds(context, creds[i]); - } - free(creds); - return 0; -} 
diff --git a/crypto/heimdal-0.6.3/lib/krb5/rd_error.c b/crypto/heimdal-0.6.3/lib/krb5/rd_error.c
deleted file mode 100644
index ca02f3d61a..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/rd_error.c
+++ /dev/null
@@ -1,120 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-
-RCSID("$Id: rd_error.c,v 1.6 2001/05/15 06:35:10 assar Exp $");
-
-krb5_error_code
-krb5_rd_error(krb5_context context,
- krb5_data *msg,
- KRB_ERROR *result)
-{
-
- size_t len;
- krb5_error_code ret;
-
- ret = decode_KRB_ERROR(msg->data, msg->length, result, &len);
- if(ret)
- return ret;
- result->error_code += KRB5KDC_ERR_NONE;
- return 0;
-}
-
-void
-krb5_free_error_contents (krb5_context context,
- krb5_error *error)
-{
- free_KRB_ERROR(error);
-}
-
-void
-krb5_free_error (krb5_context context,
- krb5_error *error)
-{
- krb5_free_error_contents (context, error);
- free (error);
-}
-
-krb5_error_code
-krb5_error_from_rd_error(krb5_context context,
- const krb5_error *error,
- const krb5_creds *creds)
-{
- krb5_error_code ret;
-
- ret = error->error_code;
- if (error->e_text != NULL) {
- krb5_set_error_string(context, "%s", *error->e_text);
- } else {
- char clientname[256], servername[256];
-
- if (creds != NULL) {
- krb5_unparse_name_fixed(context, creds->client,
- clientname, sizeof(clientname));
- krb5_unparse_name_fixed(context, creds->server,
- servername, sizeof(servername));
- }
-
- switch (ret) {
- case KRB5KDC_ERR_NAME_EXP :
- krb5_set_error_string(context, "Client %s%s%s expired",
- creds ? "(" : "",
- creds ? clientname : "",
- creds ? ")" : "");
- break;
- case KRB5KDC_ERR_SERVICE_EXP :
- krb5_set_error_string(context, "Server %s%s%s expired",
- creds ? "(" : "",
- creds ? servername : "",
- creds ? ")" : "");
- break;
- case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN :
- krb5_set_error_string(context, "Client %s%s%s unknown",
- creds ? "(" : "",
- creds ? clientname : "",
- creds ? ")" : "");
- break;
- case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN :
- krb5_set_error_string(context, "Server %s%s%s unknown",
- creds ? "(" : "",
- creds ? servername : "",
- creds ? ")" : "");
- break;
- default :
- krb5_clear_error_string(context);
- break;
- }
- }
- return ret;
-}
diff --git a/crypto/heimdal-0.6.3/lib/krb5/rd_priv.c b/crypto/heimdal-0.6.3/lib/krb5/rd_priv.c
deleted file mode 100644
index 36ffed5980..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/rd_priv.c
+++ /dev/null
@@ -1,162 +0,0 @@ -/* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include - -RCSID("$Id: rd_priv.c,v 1.29 2001/06/18 02:46:15 assar Exp $"); - -krb5_error_code -krb5_rd_priv(krb5_context context, - krb5_auth_context auth_context, - const krb5_data *inbuf, - krb5_data *outbuf, - /*krb5_replay_data*/ void *outdata) -{ - krb5_error_code ret; - KRB_PRIV priv; - EncKrbPrivPart part; - size_t len; - krb5_data plain; - krb5_keyblock *key; - krb5_crypto crypto; - - memset(&priv, 0, sizeof(priv)); - ret = decode_KRB_PRIV (inbuf->data, inbuf->length, &priv, &len); - if (ret) - goto failure; - if (priv.pvno != 5) { - krb5_clear_error_string (context); - ret = KRB5KRB_AP_ERR_BADVERSION; - goto failure; - } - if (priv.msg_type != krb_priv) { - krb5_clear_error_string (context); - ret = KRB5KRB_AP_ERR_MSG_TYPE; - goto failure; - } - - if (auth_context->remote_subkey) - key = auth_context->remote_subkey; - else if (auth_context->local_subkey) - key = auth_context->local_subkey; - else - key = auth_context->keyblock; - - ret = krb5_crypto_init(context, key, 0, &crypto); - if (ret) - goto failure; - ret = krb5_decrypt_EncryptedData(context, - crypto, - KRB5_KU_KRB_PRIV, - &priv.enc_part, - &plain); - krb5_crypto_destroy(context, crypto); - if (ret) - goto failure; - - ret = decode_EncKrbPrivPart (plain.data, plain.length, &part, &len); - krb5_data_free (&plain); - if (ret) - goto failure; - - /* check sender address */ - - if (part.s_address - && auth_context->remote_address - && !krb5_address_compare (context, - auth_context->remote_address, - part.s_address)) { - krb5_clear_error_string (context); - ret = KRB5KRB_AP_ERR_BADADDR; - goto failure_part; - } - - /* check receiver address */ - - if (part.r_address - && auth_context->local_address - && !krb5_address_compare (context, - auth_context->local_address, - part.r_address)) { - krb5_clear_error_string (context); - ret = KRB5KRB_AP_ERR_BADADDR; - goto failure_part; - } - - /* check timestamp */ - if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) { - krb5_timestamp sec; - - 
krb5_timeofday (context, &sec); - if (part.timestamp == NULL || - part.usec == NULL || - abs(*part.timestamp - sec) > context->max_skew) { - krb5_clear_error_string (context); - ret = KRB5KRB_AP_ERR_SKEW; - goto failure_part; - } - } - - /* XXX - check replay cache */ - - /* check sequence number. since MIT krb5 cannot generate a sequence - number of zero but instead generates no sequence number, we accept that - */ - - if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) { - if ((part.seq_number == NULL - && auth_context->remote_seqnumber != 0) - || (part.seq_number != NULL - && *part.seq_number != auth_context->remote_seqnumber)) { - krb5_clear_error_string (context); - ret = KRB5KRB_AP_ERR_BADORDER; - goto failure_part; - } - auth_context->remote_seqnumber++; - } - - ret = krb5_data_copy (outbuf, part.user_data.data, part.user_data.length); - if (ret) - goto failure_part; - - free_EncKrbPrivPart (&part); - free_KRB_PRIV (&priv); - return 0; - -failure_part: - free_EncKrbPrivPart (&part); - -failure: - free_KRB_PRIV (&priv); - return ret; -} diff --git a/crypto/heimdal-0.6.3/lib/krb5/rd_rep.c b/crypto/heimdal-0.6.3/lib/krb5/rd_rep.c deleted file mode 100644 index 7f947de5e1..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/rd_rep.c +++ /dev/null 
@@ -1,117 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include - -RCSID("$Id: rd_rep.c,v 1.22 2001/06/18 02:46:53 assar Exp $"); - -krb5_error_code -krb5_rd_rep(krb5_context context, - krb5_auth_context auth_context, - const krb5_data *inbuf, - krb5_ap_rep_enc_part **repl) -{ - krb5_error_code ret; - AP_REP ap_rep; - size_t len; - krb5_data data; - krb5_crypto crypto; - - krb5_data_zero (&data); - ret = 0; - - ret = decode_AP_REP(inbuf->data, inbuf->length, &ap_rep, &len); - if (ret) - return ret; - if (ap_rep.pvno != 5) { - ret = KRB5KRB_AP_ERR_BADVERSION; - krb5_clear_error_string (context); - goto out; - } - if (ap_rep.msg_type != krb_ap_rep) { - ret = KRB5KRB_AP_ERR_MSG_TYPE; - krb5_clear_error_string (context); - goto out; - } - - ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto); - if (ret) - goto out; - ret = krb5_decrypt_EncryptedData (context, - crypto, - KRB5_KU_AP_REQ_ENC_PART, - &ap_rep.enc_part, - &data); - krb5_crypto_destroy(context, crypto); - if (ret) - goto out; - - *repl = malloc(sizeof(**repl)); - if (*repl == NULL) { - ret = ENOMEM; - krb5_set_error_string (context, "malloc: out of memory"); - goto out; - } - ret = krb5_decode_EncAPRepPart(context, - data.data, - data.length, - *repl, - &len); - if (ret) - return ret; - - if ((*repl)->ctime != auth_context->authenticator->ctime || - (*repl)->cusec != auth_context->authenticator->cusec) { - ret = KRB5KRB_AP_ERR_MUT_FAIL; - krb5_clear_error_string (context); - goto out; - } - if ((*repl)->seq_number) - krb5_auth_con_setremoteseqnumber(context, auth_context, - *((*repl)->seq_number)); - if ((*repl)->subkey) - krb5_auth_con_setremotesubkey(context, auth_context, (*repl)->subkey); - -out: - krb5_data_free (&data); - free_AP_REP (&ap_rep); - return ret; -} - -void -krb5_free_ap_rep_enc_part (krb5_context context, - krb5_ap_rep_enc_part *val) -{ - free_EncAPRepPart (val); - free (val); -} 
diff --git a/crypto/heimdal-0.6.3/lib/krb5/rd_req.c b/crypto/heimdal-0.6.3/lib/krb5/rd_req.c
deleted file mode 100644
index 590952eb3b..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/rd_req.c
+++ /dev/null
@@ -1,544 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include - -RCSID("$Id: rd_req.c,v 1.47.8.3 2003/10/21 20:10:33 lha Exp $"); - -static krb5_error_code -decrypt_tkt_enc_part (krb5_context context, - krb5_keyblock *key, - EncryptedData *enc_part, - EncTicketPart *decr_part) -{ - krb5_error_code ret; - krb5_data plain; - size_t len; - krb5_crypto crypto; - - ret = krb5_crypto_init(context, key, 0, &crypto); - if (ret) - return ret; - ret = krb5_decrypt_EncryptedData (context, - crypto, - KRB5_KU_TICKET, - enc_part, - &plain); - krb5_crypto_destroy(context, crypto); - if (ret) - return ret; - - ret = krb5_decode_EncTicketPart(context, plain.data, plain.length, - decr_part, &len); - krb5_data_free (&plain); - return ret; -} - -static krb5_error_code -decrypt_authenticator (krb5_context context, - EncryptionKey *key, - EncryptedData *enc_part, - Authenticator *authenticator, - krb5_key_usage usage) -{ - krb5_error_code ret; - krb5_data plain; - size_t len; - krb5_crypto crypto; - - ret = krb5_crypto_init(context, key, 0, &crypto); - if (ret) - return ret; - ret = krb5_decrypt_EncryptedData (context, - crypto, - usage /* KRB5_KU_AP_REQ_AUTH */, - enc_part, - &plain); - /* for backwards compatibility, also try the old usage */ - if (ret && usage == KRB5_KU_TGS_REQ_AUTH) - ret = krb5_decrypt_EncryptedData (context, - crypto, - KRB5_KU_AP_REQ_AUTH, - enc_part, - &plain); - krb5_crypto_destroy(context, crypto); - if (ret) - return ret; - - ret = krb5_decode_Authenticator(context, plain.data, plain.length, - authenticator, &len); - krb5_data_free (&plain); - return ret; -} - -krb5_error_code -krb5_decode_ap_req(krb5_context context, - const krb5_data *inbuf, - krb5_ap_req *ap_req) -{ - krb5_error_code ret; - size_t len; - ret = decode_AP_REQ(inbuf->data, inbuf->length, ap_req, &len); - if (ret) - return ret; - if (ap_req->pvno != 5){ - free_AP_REQ(ap_req); - krb5_clear_error_string (context); - return KRB5KRB_AP_ERR_BADVERSION; - } - if (ap_req->msg_type != krb_ap_req){ - free_AP_REQ(ap_req); - 
krb5_clear_error_string (context); - return KRB5KRB_AP_ERR_MSG_TYPE; - } - if (ap_req->ticket.tkt_vno != 5){ - free_AP_REQ(ap_req); - krb5_clear_error_string (context); - return KRB5KRB_AP_ERR_BADVERSION; - } - return 0; -} - -static krb5_error_code -check_transited(krb5_context context, Ticket *ticket, EncTicketPart *enc) -{ - char **realms; - int num_realms; - krb5_error_code ret; - - if(enc->transited.tr_type != DOMAIN_X500_COMPRESS) - return KRB5KDC_ERR_TRTYPE_NOSUPP; - - if(enc->transited.contents.length == 0) - return 0; - - ret = krb5_domain_x500_decode(context, enc->transited.contents, - &realms, &num_realms, - enc->crealm, - ticket->realm); - if(ret) - return ret; - ret = krb5_check_transited(context, enc->crealm, - ticket->realm, - realms, num_realms, NULL); - free(realms); - return ret; -} - -krb5_error_code -krb5_decrypt_ticket(krb5_context context, - Ticket *ticket, - krb5_keyblock *key, - EncTicketPart *out, - krb5_flags flags) -{ - EncTicketPart t; - krb5_error_code ret; - ret = decrypt_tkt_enc_part (context, key, &ticket->enc_part, &t); - if (ret) - return ret; - - { - krb5_timestamp now; - time_t start = t.authtime; - - krb5_timeofday (context, &now); - if(t.starttime) - start = *t.starttime; - if(start - now > context->max_skew - || (t.flags.invalid - && !(flags & KRB5_VERIFY_AP_REQ_IGNORE_INVALID))) { - free_EncTicketPart(&t); - krb5_clear_error_string (context); - return KRB5KRB_AP_ERR_TKT_NYV; - } - if(now - t.endtime > context->max_skew) { - free_EncTicketPart(&t); - krb5_clear_error_string (context); - return KRB5KRB_AP_ERR_TKT_EXPIRED; - } - - if(!t.flags.transited_policy_checked) { - ret = check_transited(context, ticket, &t); - if(ret) { - free_EncTicketPart(&t); - return ret; - } - } - } - - if(out) - *out = t; - else - free_EncTicketPart(&t); - return 0; -} - -krb5_error_code -krb5_verify_authenticator_checksum(krb5_context context, - krb5_auth_context ac, - void *data, - size_t len) -{ - krb5_error_code ret; - krb5_keyblock *key; - 
krb5_authenticator authenticator; - krb5_crypto crypto; - - ret = krb5_auth_con_getauthenticator (context, - ac, - &authenticator); - if(ret) - return ret; - if(authenticator->cksum == NULL) - return -17; - ret = krb5_auth_con_getkey(context, ac, &key); - if(ret) { - krb5_free_authenticator(context, &authenticator); - return ret; - } - ret = krb5_crypto_init(context, key, 0, &crypto); - if(ret) - goto out; - ret = krb5_verify_checksum (context, - crypto, - KRB5_KU_AP_REQ_AUTH_CKSUM, - data, - len, - authenticator->cksum); - krb5_crypto_destroy(context, crypto); -out: - krb5_free_authenticator(context, &authenticator); - krb5_free_keyblock(context, key); - return ret; -} - - -krb5_error_code -krb5_verify_ap_req(krb5_context context, - krb5_auth_context *auth_context, - krb5_ap_req *ap_req, - krb5_const_principal server, - krb5_keyblock *keyblock, - krb5_flags flags, - krb5_flags *ap_req_options, - krb5_ticket **ticket) -{ - return krb5_verify_ap_req2 (context, - auth_context, - ap_req, - server, - keyblock, - flags, - ap_req_options, - ticket, - KRB5_KU_AP_REQ_AUTH); -} - -krb5_error_code -krb5_verify_ap_req2(krb5_context context, - krb5_auth_context *auth_context, - krb5_ap_req *ap_req, - krb5_const_principal server, - krb5_keyblock *keyblock, - krb5_flags flags, - krb5_flags *ap_req_options, - krb5_ticket **ticket, - krb5_key_usage usage) -{ - krb5_ticket t; - krb5_auth_context ac; - krb5_error_code ret; - - if (auth_context && *auth_context) { - ac = *auth_context; - } else { - ret = krb5_auth_con_init (context, &ac); - if (ret) - return ret; - } - - if (ap_req->ap_options.use_session_key && ac->keyblock){ - ret = krb5_decrypt_ticket(context, &ap_req->ticket, - ac->keyblock, - &t.ticket, - flags); - krb5_free_keyblock(context, ac->keyblock); - ac->keyblock = NULL; - }else - ret = krb5_decrypt_ticket(context, &ap_req->ticket, - keyblock, - &t.ticket, - flags); - - if(ret) - goto out; - - principalname2krb5_principal(&t.server, ap_req->ticket.sname, - 
ap_req->ticket.realm); - principalname2krb5_principal(&t.client, t.ticket.cname, - t.ticket.crealm); - - /* save key */ - - krb5_copy_keyblock(context, &t.ticket.key, &ac->keyblock); - - ret = decrypt_authenticator (context, - &t.ticket.key, - &ap_req->authenticator, - ac->authenticator, - usage); - if (ret) - goto out2; - - { - krb5_principal p1, p2; - krb5_boolean res; - - principalname2krb5_principal(&p1, - ac->authenticator->cname, - ac->authenticator->crealm); - principalname2krb5_principal(&p2, - t.ticket.cname, - t.ticket.crealm); - res = krb5_principal_compare (context, p1, p2); - krb5_free_principal (context, p1); - krb5_free_principal (context, p2); - if (!res) { - ret = KRB5KRB_AP_ERR_BADMATCH; - krb5_clear_error_string (context); - goto out2; - } - } - - /* check addresses */ - - if (t.ticket.caddr - && ac->remote_address - && !krb5_address_search (context, - ac->remote_address, - t.ticket.caddr)) { - ret = KRB5KRB_AP_ERR_BADADDR; - krb5_clear_error_string (context); - goto out2; - } - - if (ac->authenticator->seq_number) - krb5_auth_con_setremoteseqnumber(context, ac, - *ac->authenticator->seq_number); - - /* XXX - Xor sequence numbers */ - - if (ac->authenticator->subkey) { - ret = krb5_auth_con_setremotesubkey(context, ac, - ac->authenticator->subkey); - if (ret) - goto out2; - } - - if (ap_req_options) { - *ap_req_options = 0; - if (ap_req->ap_options.use_session_key) - *ap_req_options |= AP_OPTS_USE_SESSION_KEY; - if (ap_req->ap_options.mutual_required) - *ap_req_options |= AP_OPTS_MUTUAL_REQUIRED; - } - - if(ticket){ - *ticket = malloc(sizeof(**ticket)); - **ticket = t; - } else - krb5_free_ticket (context, &t); - if (auth_context) { - if (*auth_context == NULL) - *auth_context = ac; - } else - krb5_auth_con_free (context, ac); - return 0; - out2: - krb5_free_ticket (context, &t); - out: - if (auth_context == NULL || *auth_context == NULL) - krb5_auth_con_free (context, ac); - return ret; -} - - -krb5_error_code 
-krb5_rd_req_with_keyblock(krb5_context context, - krb5_auth_context *auth_context, - const krb5_data *inbuf, - krb5_const_principal server, - krb5_keyblock *keyblock, - krb5_flags *ap_req_options, - krb5_ticket **ticket) -{ - krb5_error_code ret; - krb5_ap_req ap_req; - - if (*auth_context == NULL) { - ret = krb5_auth_con_init(context, auth_context); - if (ret) - return ret; - } - - ret = krb5_decode_ap_req(context, inbuf, &ap_req); - if(ret) - return ret; - - ret = krb5_verify_ap_req(context, - auth_context, - &ap_req, - server, - keyblock, - 0, - ap_req_options, - ticket); - - free_AP_REQ(&ap_req); - return ret; -} - -static krb5_error_code -get_key_from_keytab(krb5_context context, - krb5_auth_context *auth_context, - krb5_ap_req *ap_req, - krb5_const_principal server, - krb5_keytab keytab, - krb5_keyblock **out_key) -{ - krb5_keytab_entry entry; - krb5_error_code ret; - int kvno; - krb5_keytab real_keytab; - - if(keytab == NULL) - krb5_kt_default(context, &real_keytab); - else - real_keytab = keytab; - - if (ap_req->ticket.enc_part.kvno) - kvno = *ap_req->ticket.enc_part.kvno; - else - kvno = 0; - - ret = krb5_kt_get_entry (context, - real_keytab, - server, - kvno, - ap_req->ticket.enc_part.etype, - &entry); - if(ret) - goto out; - ret = krb5_copy_keyblock(context, &entry.keyblock, out_key); - krb5_kt_free_entry (context, &entry); -out: - if(keytab == NULL) - krb5_kt_close(context, real_keytab); - - return ret; -} - -krb5_error_code -krb5_rd_req(krb5_context context, - krb5_auth_context *auth_context, - const krb5_data *inbuf, - krb5_const_principal server, - krb5_keytab keytab, - krb5_flags *ap_req_options, - krb5_ticket **ticket) -{ - krb5_error_code ret; - krb5_ap_req ap_req; - krb5_keyblock *keyblock = NULL; - krb5_principal service = NULL; - - if (*auth_context == NULL) { - ret = krb5_auth_con_init(context, auth_context); - if (ret) - return ret; - } - - ret = krb5_decode_ap_req(context, inbuf, &ap_req); - if(ret) - return ret; - - if(server == NULL){ - 
principalname2krb5_principal(&service, - ap_req.ticket.sname, - ap_req.ticket.realm); - server = service; - } - if (ap_req.ap_options.use_session_key && - (*auth_context)->keyblock == NULL) { - krb5_set_error_string(context, "krb5_rd_req: user to user auth " - "without session key given"); - ret = KRB5KRB_AP_ERR_NOKEY; - goto out; - } - - if((*auth_context)->keyblock == NULL){ - ret = get_key_from_keytab(context, - auth_context, - &ap_req, - server, - keytab, - &keyblock); - if(ret) - goto out; - } else { - ret = krb5_copy_keyblock(context, - (*auth_context)->keyblock, - &keyblock); - if (ret) - goto out; - } - - ret = krb5_verify_ap_req(context, - auth_context, - &ap_req, - server, - keyblock, - 0, - ap_req_options, - ticket); - - if(keyblock != NULL) - krb5_free_keyblock(context, keyblock); - -out: - free_AP_REQ(&ap_req); - if(service) - krb5_free_principal(context, service); - return ret; -} diff --git a/crypto/heimdal-0.6.3/lib/krb5/rd_safe.c b/crypto/heimdal-0.6.3/lib/krb5/rd_safe.c deleted file mode 100644 index bbba237b27..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/rd_safe.c +++ /dev/null 
@@ -1,190 +0,0 @@
-/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include - -RCSID("$Id: rd_safe.c,v 1.27 2002/09/04 16:26:05 joda Exp $"); - -static krb5_error_code -verify_checksum(krb5_context context, - krb5_auth_context auth_context, - KRB_SAFE *safe) -{ - krb5_error_code ret; - u_char *buf; - size_t buf_size; - size_t len; - Checksum c; - krb5_crypto crypto; - krb5_keyblock *key; - - c = safe->cksum; - safe->cksum.cksumtype = 0; - safe->cksum.checksum.data = NULL; - safe->cksum.checksum.length = 0; - - ASN1_MALLOC_ENCODE(KRB_SAFE, buf, buf_size, safe, &len, ret); - if(ret) - return ret; - if(buf_size != len) - krb5_abortx(context, "internal error in ASN.1 encoder"); - - if (auth_context->remote_subkey) - key = auth_context->remote_subkey; - else if (auth_context->local_subkey) - key = auth_context->local_subkey; - else - key = auth_context->keyblock; - - ret = krb5_crypto_init(context, key, 0, &crypto); - if (ret) - goto out; - ret = krb5_verify_checksum (context, - crypto, - KRB5_KU_KRB_SAFE_CKSUM, - buf + buf_size - len, - len, - &c); - krb5_crypto_destroy(context, crypto); -out: - safe->cksum = c; - free (buf); - return ret; -} - -krb5_error_code -krb5_rd_safe(krb5_context context, - krb5_auth_context auth_context, - const krb5_data *inbuf, - krb5_data *outbuf, - /*krb5_replay_data*/ void *outdata) -{ - krb5_error_code ret; - KRB_SAFE safe; - size_t len; - - ret = decode_KRB_SAFE (inbuf->data, inbuf->length, &safe, &len); - if (ret) - return ret; - if (safe.pvno != 5) { - ret = KRB5KRB_AP_ERR_BADVERSION; - krb5_clear_error_string (context); - goto failure; - } - if (safe.msg_type != krb_safe) { - ret = KRB5KRB_AP_ERR_MSG_TYPE; - krb5_clear_error_string (context); - goto failure; - } - if (!krb5_checksum_is_keyed(context, safe.cksum.cksumtype) - || !krb5_checksum_is_collision_proof(context, safe.cksum.cksumtype)) { - ret = KRB5KRB_AP_ERR_INAPP_CKSUM; - krb5_clear_error_string (context); - goto failure; - } - - /* check sender address */ - - if (safe.safe_body.s_address - && auth_context->remote_address - && 
!krb5_address_compare (context, - auth_context->remote_address, - safe.safe_body.s_address)) { - ret = KRB5KRB_AP_ERR_BADADDR; - krb5_clear_error_string (context); - goto failure; - } - - /* check receiver address */ - - if (safe.safe_body.r_address - && auth_context->local_address - && !krb5_address_compare (context, - auth_context->local_address, - safe.safe_body.r_address)) { - ret = KRB5KRB_AP_ERR_BADADDR; - krb5_clear_error_string (context); - goto failure; - } - - /* check timestamp */ - if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) { - krb5_timestamp sec; - - krb5_timeofday (context, &sec); - - if (safe.safe_body.timestamp == NULL || - safe.safe_body.usec == NULL || - abs(*safe.safe_body.timestamp - sec) > context->max_skew) { - ret = KRB5KRB_AP_ERR_SKEW; - krb5_clear_error_string (context); - goto failure; - } - } - /* XXX - check replay cache */ - - /* check sequence number. since MIT krb5 cannot generate a sequence - number of zero but instead generates no sequence number, we accept that - */ - - if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) { - if ((safe.safe_body.seq_number == NULL - && auth_context->remote_seqnumber != 0) - || (safe.safe_body.seq_number != NULL - && *safe.safe_body.seq_number != - auth_context->remote_seqnumber)) { - ret = KRB5KRB_AP_ERR_BADORDER; - krb5_clear_error_string (context); - goto failure; - } - auth_context->remote_seqnumber++; - } - - ret = verify_checksum (context, auth_context, &safe); - if (ret) - goto failure; - - outbuf->length = safe.safe_body.user_data.length; - outbuf->data = malloc(outbuf->length); - if (outbuf->data == NULL) { - ret = ENOMEM; - krb5_set_error_string (context, "malloc: out of memory"); - goto failure; - } - memcpy (outbuf->data, safe.safe_body.user_data.data, outbuf->length); - free_KRB_SAFE (&safe); - return 0; -failure: - free_KRB_SAFE (&safe); - return ret; -} 
diff --git a/crypto/heimdal-0.6.3/lib/krb5/read_message.c b/crypto/heimdal-0.6.3/lib/krb5/read_message.c
deleted file mode 100644
index 124499ad4c..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/read_message.c
+++ /dev/null
@@ -1,102 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "krb5_locl.h" - -RCSID("$Id: read_message.c,v 1.8 2001/05/14 06:14:51 assar Exp $"); - -krb5_error_code -krb5_read_message (krb5_context context, - krb5_pointer p_fd, - krb5_data *data) -{ - krb5_error_code ret; - u_int32_t len; - u_int8_t buf[4]; - - ret = krb5_net_read (context, p_fd, buf, 4); - if(ret == -1) { - ret = errno; - krb5_clear_error_string (context); - return ret; - } - if(ret < 4) { - data->length = 0; - return HEIM_ERR_EOF; - } - len = (buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3]; - ret = krb5_data_alloc (data, len); - if (ret) - return ret; - if (krb5_net_read (context, p_fd, data->data, len) != len) { - ret = errno; - krb5_data_free (data); - krb5_clear_error_string (context); - return ret; - } - return 0; -} - -krb5_error_code -krb5_read_priv_message(krb5_context context, - krb5_auth_context ac, - krb5_pointer p_fd, - krb5_data *data) -{ - krb5_error_code ret; - krb5_data packet; - - ret = krb5_read_message(context, p_fd, &packet); - if(ret) - return ret; - ret = krb5_rd_priv (context, ac, &packet, data, NULL); - krb5_data_free(&packet); - return ret; -} - -krb5_error_code -krb5_read_safe_message(krb5_context context, - krb5_auth_context ac, - krb5_pointer p_fd, - krb5_data *data) -{ - krb5_error_code ret; - krb5_data packet; - - ret = krb5_read_message(context, p_fd, &packet); - if(ret) - return ret; - ret = krb5_rd_safe (context, ac, &packet, data, NULL); - krb5_data_free(&packet); - return ret; -} diff --git a/crypto/heimdal-0.6.3/lib/krb5/recvauth.c b/crypto/heimdal-0.6.3/lib/krb5/recvauth.c deleted file mode 100644 index d72b5c644d..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/recvauth.c +++ /dev/null 
@@ -1,211 +0,0 @@
-/*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-
-RCSID("$Id: recvauth.c,v 1.16 2002/04/18 09:41:33 joda Exp $");
-
-/*
- * See `sendauth.c' for the format.
- */ - -static krb5_boolean -match_exact(const void *data, const char *appl_version) -{ - return strcmp(data, appl_version) == 0; -} - -krb5_error_code -krb5_recvauth(krb5_context context, - krb5_auth_context *auth_context, - krb5_pointer p_fd, - const char *appl_version, - krb5_principal server, - int32_t flags, - krb5_keytab keytab, - krb5_ticket **ticket) -{ - return krb5_recvauth_match_version(context, auth_context, p_fd, - match_exact, appl_version, - server, flags, - keytab, ticket); -} - -krb5_error_code -krb5_recvauth_match_version(krb5_context context, - krb5_auth_context *auth_context, - krb5_pointer p_fd, - krb5_boolean (*match_appl_version)(const void *, - const char*), - const void *match_data, - krb5_principal server, - int32_t flags, - krb5_keytab keytab, - krb5_ticket **ticket) -{ - krb5_error_code ret; - const char *version = KRB5_SENDAUTH_VERSION; - char her_version[sizeof(KRB5_SENDAUTH_VERSION)]; - char *her_appl_version; - u_int32_t len; - u_char repl; - krb5_data data; - krb5_flags ap_options; - ssize_t n; - - /* - * If there are no addresses in auth_context, get them from `fd'. 
- */ - - if (*auth_context == NULL) { - ret = krb5_auth_con_init (context, auth_context); - if (ret) - return ret; - } - - ret = krb5_auth_con_setaddrs_from_fd (context, - *auth_context, - p_fd); - if (ret) - return ret; - - if(!(flags & KRB5_RECVAUTH_IGNORE_VERSION)) { - n = krb5_net_read (context, p_fd, &len, 4); - if (n < 0) { - ret = errno; - krb5_set_error_string (context, "read: %s", strerror(errno)); - return ret; - } - if (n == 0) { - krb5_clear_error_string (context); - return KRB5_SENDAUTH_BADAUTHVERS; - } - len = ntohl(len); - if (len != sizeof(her_version) - || krb5_net_read (context, p_fd, her_version, len) != len - || strncmp (version, her_version, len)) { - repl = 1; - krb5_net_write (context, p_fd, &repl, 1); - krb5_clear_error_string (context); - return KRB5_SENDAUTH_BADAUTHVERS; - } - } - - n = krb5_net_read (context, p_fd, &len, 4); - if (n < 0) { - ret = errno; - krb5_set_error_string (context, "read: %s", strerror(errno)); - return ret; - } - if (n == 0) { - krb5_clear_error_string (context); - return KRB5_SENDAUTH_BADAPPLVERS; - } - len = ntohl(len); - her_appl_version = malloc (len); - if (her_appl_version == NULL) { - repl = 2; - krb5_net_write (context, p_fd, &repl, 1); - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - if (krb5_net_read (context, p_fd, her_appl_version, len) != len - || !(*match_appl_version)(match_data, her_appl_version)) { - repl = 2; - krb5_net_write (context, p_fd, &repl, 1); - krb5_set_error_string (context, "wrong sendauth version (%s)", - her_appl_version); - free (her_appl_version); - return KRB5_SENDAUTH_BADAPPLVERS; - } - free (her_appl_version); - - repl = 0; - if (krb5_net_write (context, p_fd, &repl, 1) != 1) { - ret = errno; - krb5_set_error_string (context, "write: %s", strerror(errno)); - return ret; - } - - krb5_data_zero (&data); - ret = krb5_read_message (context, p_fd, &data); - if (ret) - return ret; - - ret = krb5_rd_req (context, - auth_context, - &data, - server, - 
keytab, - &ap_options, - ticket); - krb5_data_free (&data); - if (ret) { - krb5_data error_data; - krb5_error_code ret2; - - ret2 = krb5_mk_error (context, - ret, - NULL, - NULL, - NULL, - server, - NULL, - NULL, - &error_data); - if (ret2 == 0) { - krb5_write_message (context, p_fd, &error_data); - krb5_data_free (&error_data); - } - return ret; - } - - len = 0; - if (krb5_net_write (context, p_fd, &len, 4) != 4) { - ret = errno; - krb5_set_error_string (context, "write: %s", strerror(errno)); - return ret; - } - - if (ap_options & AP_OPTS_MUTUAL_REQUIRED) { - ret = krb5_mk_rep (context, *auth_context, &data); - if (ret) - return ret; - - ret = krb5_write_message (context, p_fd, &data); - if (ret) - return ret; - krb5_data_free (&data); - } - return 0; -} diff --git a/crypto/heimdal-0.6.3/lib/krb5/replay.c b/crypto/heimdal-0.6.3/lib/krb5/replay.c deleted file mode 100644 index 4298d12e2f..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/replay.c +++ /dev/null 
@@ -1,304 +0,0 @@ -/* - * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "krb5_locl.h" -#include - -RCSID("$Id: replay.c,v 1.9 2001/07/03 19:33:13 assar Exp $"); - -struct krb5_rcache_data { - char *name; -}; - -krb5_error_code -krb5_rc_resolve(krb5_context context, - krb5_rcache id, - const char *name) -{ - id->name = strdup(name); - if(id->name == NULL) { - krb5_set_error_string (context, "malloc: out of memory"); - return KRB5_RC_MALLOC; - } - return 0; -} - -krb5_error_code -krb5_rc_resolve_type(krb5_context context, - krb5_rcache *id, - const char *type) -{ - if(strcmp(type, "FILE")) { - krb5_set_error_string (context, "replay cache type %s not supported", - type); - return KRB5_RC_TYPE_NOTFOUND; - } - *id = calloc(1, sizeof(**id)); - if(*id == NULL) { - krb5_set_error_string (context, "malloc: out of memory"); - return KRB5_RC_MALLOC; - } - return 0; -} - -krb5_error_code -krb5_rc_resolve_full(krb5_context context, - krb5_rcache *id, - const char *string_name) -{ - krb5_error_code ret; - if(strncmp(string_name, "FILE:", 5)) { - krb5_set_error_string (context, "replay cache type %s not supported", - string_name); - return KRB5_RC_TYPE_NOTFOUND; - } - ret = krb5_rc_resolve_type(context, id, "FILE"); - if(ret) - return ret; - ret = krb5_rc_resolve(context, *id, string_name + 5); - return ret; -} - -const char * -krb5_rc_default_name(krb5_context context) -{ - return "FILE:/var/run/default_rcache"; -} - -const char * -krb5_rc_default_type(krb5_context context) -{ - return "FILE"; -} - -krb5_error_code -krb5_rc_default(krb5_context context, - krb5_rcache *id) -{ - return krb5_rc_resolve_full(context, id, krb5_rc_default_name(context)); -} - -struct rc_entry{ - time_t stamp; - unsigned char data[16]; -}; - -krb5_error_code -krb5_rc_initialize(krb5_context context, - krb5_rcache id, - krb5_deltat auth_lifespan) -{ - FILE *f = fopen(id->name, "w"); - struct rc_entry tmp; - int ret; - - if(f == NULL) { - ret = errno; - krb5_set_error_string (context, "open(%s): %s", id->name, - strerror(ret)); - return ret; - } - tmp.stamp 
= auth_lifespan; - fwrite(&tmp, 1, sizeof(tmp), f); - fclose(f); - return 0; -} - -krb5_error_code -krb5_rc_recover(krb5_context context, - krb5_rcache id) -{ - return 0; -} - -krb5_error_code -krb5_rc_destroy(krb5_context context, - krb5_rcache id) -{ - int ret; - - if(remove(id->name) < 0) { - ret = errno; - krb5_set_error_string (context, "remove(%s): %s", id->name, - strerror(ret)); - return ret; - } - return krb5_rc_close(context, id); -} - -krb5_error_code -krb5_rc_close(krb5_context context, - krb5_rcache id) -{ - free(id->name); - free(id); - return 0; -} - -static void -checksum_authenticator(Authenticator *auth, void *data) -{ - MD5_CTX md5; - int i; - - MD5_Init (&md5); - MD5_Update (&md5, auth->crealm, strlen(auth->crealm)); - for(i = 0; i < auth->cname.name_string.len; i++) - MD5_Update(&md5, auth->cname.name_string.val[i], - strlen(auth->cname.name_string.val[i])); - MD5_Update (&md5, &auth->ctime, sizeof(auth->ctime)); - MD5_Update (&md5, &auth->cusec, sizeof(auth->cusec)); - MD5_Final (data, &md5); -} - -krb5_error_code -krb5_rc_store(krb5_context context, - krb5_rcache id, - krb5_donot_replay *rep) -{ - struct rc_entry ent, tmp; - time_t t; - FILE *f; - int ret; - - ent.stamp = time(NULL); - checksum_authenticator(rep, ent.data); - f = fopen(id->name, "r"); - if(f == NULL) { - ret = errno; - krb5_set_error_string (context, "open(%s): %s", id->name, - strerror(ret)); - return ret; - } - fread(&tmp, sizeof(ent), 1, f); - t = ent.stamp - tmp.stamp; - while(fread(&tmp, sizeof(ent), 1, f)){ - if(tmp.stamp < t) - continue; - if(memcmp(tmp.data, ent.data, sizeof(ent.data)) == 0){ - fclose(f); - krb5_clear_error_string (context); - return KRB5_RC_REPLAY; - } - } - if(ferror(f)){ - ret = errno; - fclose(f); - krb5_set_error_string (context, "%s: %s", id->name, strerror(ret)); - return ret; - } - fclose(f); - f = fopen(id->name, "a"); - if(f == NULL) { - krb5_set_error_string (context, "open(%s): %s", id->name, - strerror(errno)); - return 
KRB5_RC_IO_UNKNOWN; - } - fwrite(&ent, 1, sizeof(ent), f); - fclose(f); - return 0; -} - -krb5_error_code -krb5_rc_expunge(krb5_context context, - krb5_rcache id) -{ - return 0; -} - -krb5_error_code -krb5_rc_get_lifespan(krb5_context context, - krb5_rcache id, - krb5_deltat *auth_lifespan) -{ - FILE *f = fopen(id->name, "r"); - int r; - struct rc_entry ent; - r = fread(&ent, sizeof(ent), 1, f); - fclose(f); - if(r){ - *auth_lifespan = ent.stamp; - return 0; - } - krb5_clear_error_string (context); - return KRB5_RC_IO_UNKNOWN; -} - -const char* -krb5_rc_get_name(krb5_context context, - krb5_rcache id) -{ - return id->name; -} - -const char* -krb5_rc_get_type(krb5_context context, - krb5_rcache id) -{ - return "FILE"; -} - -krb5_error_code -krb5_get_server_rcache(krb5_context context, - const krb5_data *piece, - krb5_rcache *id) -{ - krb5_rcache rcache; - krb5_error_code ret; - - char *tmp = malloc(4 * piece->length + 1); - char *name; - - if(tmp == NULL) { - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - strvisx(tmp, piece->data, piece->length, VIS_WHITE | VIS_OCTAL); -#ifdef HAVE_GETEUID - asprintf(&name, "FILE:rc_%s_%u", tmp, (unsigned)geteuid()); -#else - asprintf(&name, "FILE:rc_%s", tmp); -#endif - free(tmp); - if(name == NULL) { - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - - ret = krb5_rc_resolve_full(context, &rcache, name); - free(name); - if(ret) - return ret; - *id = rcache; - return ret; -} diff --git a/crypto/heimdal-0.6.3/lib/krb5/send_to_kdc.c b/crypto/heimdal-0.6.3/lib/krb5/send_to_kdc.c deleted file mode 100644 index 94dae30307..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/send_to_kdc.c +++ /dev/null 
@@ -1,405 +0,0 @@ -/* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "krb5_locl.h" - -RCSID("$Id: send_to_kdc.c,v 1.48 2002/03/27 09:32:50 joda Exp $"); - -/* - * send the data in `req' on the socket `fd' (which is datagram iff udp) - * waiting `tmout' for a reply and returning the reply in `rep'. 
- * iff limit read up to this many bytes - * returns 0 and data in `rep' if succesful, otherwise -1 - */ - -static int -recv_loop (int fd, - time_t tmout, - int udp, - size_t limit, - krb5_data *rep) -{ - fd_set fdset; - struct timeval timeout; - int ret; - int nbytes; - - if (fd >= FD_SETSIZE) { - return -1; - } - - krb5_data_zero(rep); - do { - FD_ZERO(&fdset); - FD_SET(fd, &fdset); - timeout.tv_sec = tmout; - timeout.tv_usec = 0; - ret = select (fd + 1, &fdset, NULL, NULL, &timeout); - if (ret < 0) { - if (errno == EINTR) - continue; - return -1; - } else if (ret == 0) { - return 0; - } else { - void *tmp; - - if (ioctl (fd, FIONREAD, &nbytes) < 0) { - krb5_data_free (rep); - return -1; - } - if(nbytes == 0) - return 0; - - if (limit) - nbytes = min(nbytes, limit - rep->length); - - tmp = realloc (rep->data, rep->length + nbytes); - if (tmp == NULL) { - krb5_data_free (rep); - return -1; - } - rep->data = tmp; - ret = recv (fd, (char*)tmp + rep->length, nbytes, 0); - if (ret < 0) { - krb5_data_free (rep); - return -1; - } - rep->length += ret; - } - } while(!udp && (limit == 0 || rep->length < limit)); - return 0; -} - -/* - * Send kerberos requests and receive a reply on a udp or any other kind - * of a datagram socket. See `recv_loop'. - */ - -static int -send_and_recv_udp(int fd, - time_t tmout, - const krb5_data *req, - krb5_data *rep) -{ - if (send (fd, req->data, req->length, 0) < 0) - return -1; - - return recv_loop(fd, tmout, 1, 0, rep); -} - -/* - * `send_and_recv' for a TCP (or any other stream) socket. - * Since there are no record limits on a stream socket the protocol here - * is to prepend the request with 4 bytes of its length and the reply - * is similarly encoded. 
- */ - -static int -send_and_recv_tcp(int fd, - time_t tmout, - const krb5_data *req, - krb5_data *rep) -{ - unsigned char len[4]; - unsigned long rep_len; - krb5_data len_data; - - _krb5_put_int(len, req->length, 4); - if(net_write(fd, len, sizeof(len)) < 0) - return -1; - if(net_write(fd, req->data, req->length) < 0) - return -1; - if (recv_loop (fd, tmout, 0, 4, &len_data) < 0) - return -1; - if (len_data.length != 4) { - krb5_data_free (&len_data); - return -1; - } - _krb5_get_int(len_data.data, &rep_len, 4); - krb5_data_free (&len_data); - if (recv_loop (fd, tmout, 0, rep_len, rep) < 0) - return -1; - if(rep->length != rep_len) { - krb5_data_free (rep); - return -1; - } - return 0; -} - -/* - * `send_and_recv' tailored for the HTTP protocol. - */ - -static int -send_and_recv_http(int fd, - time_t tmout, - const char *prefix, - const krb5_data *req, - krb5_data *rep) -{ - char *request; - char *str; - int ret; - int len = base64_encode(req->data, req->length, &str); - - if(len < 0) - return -1; - asprintf(&request, "GET %s%s HTTP/1.0\r\n\r\n", prefix, str); - free(str); - if (request == NULL) - return -1; - ret = net_write (fd, request, strlen(request)); - free (request); - if (ret < 0) - return ret; - ret = recv_loop(fd, tmout, 0, 0, rep); - if(ret) - return ret; - { - unsigned long rep_len; - char *s, *p; - - s = realloc(rep->data, rep->length + 1); - if (s == NULL) { - krb5_data_free (rep); - return -1; - } - s[rep->length] = 0; - p = strstr(s, "\r\n\r\n"); - if(p == NULL) { - free(s); - return -1; - } - p += 4; - rep->data = s; - rep->length -= p - s; - if(rep->length < 4) { /* remove length */ - free(s); - return -1; - } - rep->length -= 4; - _krb5_get_int(p, &rep_len, 4); - if (rep_len != rep->length) { - free(s); - return -1; - } - memmove(rep->data, p + 4, rep->length); - } - return 0; -} - -static int -init_port(const char *s, int fallback) -{ - if (s) { - int tmp; - - sscanf (s, "%d", &tmp); - return htons(tmp); - } else - return fallback; -} - -/* - 
* Return 0 if succesful, otherwise 1 - */ - -static int -send_via_proxy (krb5_context context, - const krb5_krbhst_info *hi, - const krb5_data *send_data, - krb5_data *receive) -{ - char *proxy2 = strdup(context->http_proxy); - char *proxy = proxy2; - char *prefix; - char *colon; - struct addrinfo hints; - struct addrinfo *ai, *a; - int ret; - int s = -1; - char portstr[NI_MAXSERV]; - - if (proxy == NULL) - return ENOMEM; - if (strncmp (proxy, "http://", 7) == 0) - proxy += 7; - - colon = strchr(proxy, ':'); - if(colon != NULL) - *colon++ = '\0'; - memset (&hints, 0, sizeof(hints)); - hints.ai_family = PF_UNSPEC; - hints.ai_socktype = SOCK_STREAM; - snprintf (portstr, sizeof(portstr), "%d", - ntohs(init_port (colon, htons(80)))); - ret = getaddrinfo (proxy, portstr, &hints, &ai); - free (proxy2); - if (ret) - return krb5_eai_to_heim_errno(ret, errno); - - for (a = ai; a != NULL; a = a->ai_next) { - s = socket (a->ai_family, a->ai_socktype, a->ai_protocol); - if (s < 0) - continue; - if (connect (s, a->ai_addr, a->ai_addrlen) < 0) { - close (s); - continue; - } - break; - } - if (a == NULL) { - freeaddrinfo (ai); - return 1; - } - freeaddrinfo (ai); - - asprintf(&prefix, "http://%s/", hi->hostname); - if(prefix == NULL) { - close(s); - return 1; - } - ret = send_and_recv_http(s, context->kdc_timeout, - prefix, send_data, receive); - close (s); - free(prefix); - if(ret == 0 && receive->length != 0) - return 0; - return 1; -} - -/* - * Send the data `send' to one host from `handle` and get back the reply - * in `receive'. 
- */ - -krb5_error_code -krb5_sendto (krb5_context context, - const krb5_data *send_data, - krb5_krbhst_handle handle, - krb5_data *receive) -{ - krb5_error_code ret = 0; - int fd; - int i; - - for (i = 0; i < context->max_retries; ++i) { - krb5_krbhst_info *hi; - - while (krb5_krbhst_next(context, handle, &hi) == 0) { - int ret; - struct addrinfo *ai, *a; - - if(hi->proto == KRB5_KRBHST_HTTP && context->http_proxy) { - if (send_via_proxy (context, hi, send_data, receive)) - continue; - else - goto out; - } - - ret = krb5_krbhst_get_addrinfo(context, hi, &ai); - if (ret) - continue; - - for (a = ai; a != NULL; a = a->ai_next) { - fd = socket (a->ai_family, a->ai_socktype, a->ai_protocol); - if (fd < 0) - continue; - if (connect (fd, a->ai_addr, a->ai_addrlen) < 0) { - close (fd); - continue; - } - switch (hi->proto) { - case KRB5_KRBHST_HTTP : - ret = send_and_recv_http(fd, context->kdc_timeout, - "", send_data, receive); - break; - case KRB5_KRBHST_TCP : - ret = send_and_recv_tcp (fd, context->kdc_timeout, - send_data, receive); - break; - case KRB5_KRBHST_UDP : - ret = send_and_recv_udp (fd, context->kdc_timeout, - send_data, receive); - break; - } - close (fd); - if(ret == 0 && receive->length != 0) - goto out; - } - } - krb5_krbhst_reset(context, handle); - } - krb5_clear_error_string (context); - ret = KRB5_KDC_UNREACH; -out: - return ret; -} - -krb5_error_code -krb5_sendto_kdc2(krb5_context context, - const krb5_data *send_data, - const krb5_realm *realm, - krb5_data *receive, - krb5_boolean master) -{ - krb5_error_code ret; - krb5_krbhst_handle handle; - int type; - - if (master || context->use_admin_kdc) - type = KRB5_KRBHST_ADMIN; - else - type = KRB5_KRBHST_KDC; - - ret = krb5_krbhst_init(context, *realm, type, &handle); - if (ret) - return ret; - - ret = krb5_sendto(context, send_data, handle, receive); - krb5_krbhst_free(context, handle); - if (ret == KRB5_KDC_UNREACH) - krb5_set_error_string(context, - "unable to reach any KDC in realm %s", *realm); - 
return ret; -} - -krb5_error_code -krb5_sendto_kdc(krb5_context context, - const krb5_data *send_data, - const krb5_realm *realm, - krb5_data *receive) -{ - return krb5_sendto_kdc2(context, send_data, realm, receive, FALSE); -} diff --git a/crypto/heimdal-0.6.3/lib/krb5/sendauth.c b/crypto/heimdal-0.6.3/lib/krb5/sendauth.c deleted file mode 100644 index c2889ee777..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/sendauth.c +++ /dev/null 
@@ -1,233 +0,0 @@ -/* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "krb5_locl.h" - -RCSID("$Id: sendauth.c,v 1.19 2002/09/04 21:34:43 joda Exp $"); - -/* - * The format seems to be: - * client -> server - * - * 4 bytes - length - * KRB5_SENDAUTH_V1.0 (including zero) - * 4 bytes - length - * protocol string (with terminating zero) - * - * server -> client - * 1 byte - (0 = OK, else some kind of error) - * - * client -> server - * 4 bytes - length - * AP-REQ - * - * server -> client - * 4 bytes - length (0 = OK, else length of error) - * (error) - * - * if(mutual) { - * server -> client - * 4 bytes - length - * AP-REP - * } - */ - -krb5_error_code -krb5_sendauth(krb5_context context, - krb5_auth_context *auth_context, - krb5_pointer p_fd, - const char *appl_version, - krb5_principal client, - krb5_principal server, - krb5_flags ap_req_options, - krb5_data *in_data, - krb5_creds *in_creds, - krb5_ccache ccache, - krb5_error **ret_error, - krb5_ap_rep_enc_part **rep_result, - krb5_creds **out_creds) -{ - krb5_error_code ret; - u_int32_t len, net_len; - const char *version = KRB5_SENDAUTH_VERSION; - u_char repl; - krb5_data ap_req, error_data; - krb5_creds this_cred; - krb5_principal this_client = NULL; - krb5_creds *creds; - ssize_t sret; - krb5_boolean my_ccache = FALSE; - - len = strlen(version) + 1; - net_len = htonl(len); - if (krb5_net_write (context, p_fd, &net_len, 4) != 4 - || krb5_net_write (context, p_fd, version, len) != len) { - ret = errno; - krb5_set_error_string (context, "write: %s", strerror(ret)); - return ret; - } - - len = strlen(appl_version) + 1; - net_len = htonl(len); - if (krb5_net_write (context, p_fd, &net_len, 4) != 4 - || krb5_net_write (context, p_fd, appl_version, len) != len) { - ret = errno; - krb5_set_error_string (context, "write: %s", strerror(ret)); - return ret; - } - - sret = krb5_net_read (context, p_fd, &repl, sizeof(repl)); - if (sret < 0) { - ret = errno; - krb5_set_error_string (context, "read: %s", strerror(ret)); - return ret; - } else if (sret != sizeof(repl)) { - 
krb5_clear_error_string (context); - return KRB5_SENDAUTH_BADRESPONSE; - } - - if (repl != 0) { - krb5_clear_error_string (context); - return KRB5_SENDAUTH_REJECTED; - } - - if (in_creds == NULL) { - if (ccache == NULL) { - ret = krb5_cc_default (context, &ccache); - if (ret) - return ret; - my_ccache = TRUE; - } - - if (client == NULL) { - ret = krb5_cc_get_principal (context, ccache, &this_client); - if (ret) { - if(my_ccache) - krb5_cc_close(context, ccache); - return ret; - } - client = this_client; - } - memset(&this_cred, 0, sizeof(this_cred)); - this_cred.client = client; - this_cred.server = server; - this_cred.times.endtime = 0; - this_cred.ticket.length = 0; - in_creds = &this_cred; - } - if (in_creds->ticket.length == 0) { - ret = krb5_get_credentials (context, 0, ccache, in_creds, &creds); - if (ret) { - if(my_ccache) - krb5_cc_close(context, ccache); - return ret; - } - } else { - creds = in_creds; - } - if(my_ccache) - krb5_cc_close(context, ccache); - ret = krb5_mk_req_extended (context, - auth_context, - ap_req_options, - in_data, - creds, - &ap_req); - - if (out_creds) - *out_creds = creds; - else - krb5_free_creds(context, creds); - if(this_client) - krb5_free_principal(context, this_client); - - if (ret) - return ret; - - ret = krb5_write_message (context, - p_fd, - &ap_req); - if (ret) - return ret; - - krb5_data_free (&ap_req); - - ret = krb5_read_message (context, p_fd, &error_data); - if (ret) - return ret; - - if (error_data.length != 0) { - KRB_ERROR error; - - ret = krb5_rd_error (context, &error_data, &error); - krb5_data_free (&error_data); - if (ret == 0) { - ret = krb5_error_from_rd_error(context, &error, NULL); - if (ret_error != NULL) { - *ret_error = malloc (sizeof(krb5_error)); - if (*ret_error == NULL) { - krb5_free_error_contents (context, &error); - } else { - **ret_error = error; - } - } else { - krb5_free_error_contents (context, &error); - } - return ret; - } else { - krb5_clear_error_string(context); - return ret; - } - } - 
- if (ap_req_options & AP_OPTS_MUTUAL_REQUIRED) { - krb5_data ap_rep; - krb5_ap_rep_enc_part *ignore; - - krb5_data_zero (&ap_rep); - ret = krb5_read_message (context, - p_fd, - &ap_rep); - if (ret) - return ret; - - ret = krb5_rd_rep (context, *auth_context, &ap_rep, - rep_result ? rep_result : &ignore); - if (ret) - return ret; - if (rep_result == NULL) - krb5_free_ap_rep_enc_part (context, ignore); - krb5_data_free (&ap_rep); - } - return 0; -} diff --git a/crypto/heimdal-0.6.3/lib/krb5/set_default_realm.c b/crypto/heimdal-0.6.3/lib/krb5/set_default_realm.c deleted file mode 100644 index 8b872dfaa8..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/set_default_realm.c +++ /dev/null 
@@ -1,90 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-
-RCSID("$Id: set_default_realm.c,v 1.13 2001/09/18 09:43:31 joda Exp $");
-
-/*
- * Convert the simple string `s' into a NULL-terminated and freshly allocated
- * list in `list'. Return an error code.
- */
-
-static krb5_error_code
-string_to_list (krb5_context context, const char *s, krb5_realm **list)
-{
-
- *list = malloc (2 * sizeof(**list));
- if (*list == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
- return ENOMEM;
- }
- (*list)[0] = strdup (s);
- if ((*list)[0] == NULL) {
- free (*list);
- krb5_set_error_string (context, "malloc: out of memory");
- return ENOMEM;
- }
- (*list)[1] = NULL;
- return 0;
-}
-
-/*
- * Set the knowledge of the default realm(s) in `context'.
- * If realm != NULL, that's the new default realm.
- * Otherwise, the realm(s) are figured out from configuration or DNS.
- */
-
-krb5_error_code
-krb5_set_default_realm(krb5_context context,
- const char *realm)
-{
- krb5_error_code ret = 0;
- krb5_realm *realms = NULL;
-
- if (realm == NULL) {
- realms = krb5_config_get_strings (context, NULL,
- "libdefaults",
- "default_realm",
- NULL);
- if (realms == NULL)
- ret = krb5_get_host_realm(context, NULL, &realms);
- } else {
- ret = string_to_list (context, realm, &realms);
- }
- if (ret)
- return ret;
- krb5_free_host_realm (context, context->default_realms);
- context->default_realms = realms;
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/lib/krb5/sock_principal.c b/crypto/heimdal-0.6.3/lib/krb5/sock_principal.c
deleted file mode 100644
index 7bb0bdfb02..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/sock_principal.c
+++ /dev/null
@@ -1,70 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-
-RCSID("$Id: sock_principal.c,v 1.16 2001/07/26 09:05:30 assar Exp $");
-
-krb5_error_code
-krb5_sock_to_principal (krb5_context context,
- int sock,
- const char *sname,
- int32_t type,
- krb5_principal *ret_princ)
-{
- krb5_error_code ret;
- struct sockaddr_storage __ss;
- struct sockaddr *sa = (struct sockaddr *)&__ss;
- socklen_t salen = sizeof(__ss);
- char hostname[NI_MAXHOST];
-
- if (getsockname (sock, sa, &salen) < 0) {
- ret = errno;
- krb5_set_error_string (context, "getsockname: %s", strerror(ret));
- return ret;
- }
- ret = getnameinfo (sa, salen, hostname, sizeof(hostname), NULL, 0, 0);
- if (ret) {
- int save_errno = errno;
-
- krb5_set_error_string (context, "getnameinfo: %s", gai_strerror(ret));
- return krb5_eai_to_heim_errno(ret, save_errno);
- }
-
- ret = krb5_sname_to_principal (context,
- hostname,
- sname,
- type,
- ret_princ);
- return ret;
-}
diff --git a/crypto/heimdal-0.6.3/lib/krb5/store-int.h b/crypto/heimdal-0.6.3/lib/krb5/store-int.h
deleted file mode 100644
index 42e695a11b..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/store-int.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (c) 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef __store_int_h__
-#define __store_int_h__
-
-struct krb5_storage_data {
- void *data;
- ssize_t (*fetch)(struct krb5_storage_data*, void*, size_t);
- ssize_t (*store)(struct krb5_storage_data*, const void*, size_t);
- off_t (*seek)(struct krb5_storage_data*, off_t, int);
- void (*free)(struct krb5_storage_data*);
- krb5_flags flags;
- int eof_code;
-};
-
-#endif /* __store_int_h__ */
diff --git a/crypto/heimdal-0.6.3/lib/krb5/store-test.c b/crypto/heimdal-0.6.3/lib/krb5/store-test.c
deleted file mode 100644
index 512d2a5c96..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/store-test.c
+++ /dev/null
@@ -1,115 +0,0 @@ -/* - * Copyright (c) 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of KTH nor the names of its contributors may be - * used to endorse or promote products derived from this software without - * specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY - * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR - * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, - * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR - * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF - * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ - -#include "krb5_locl.h" - -RCSID("$Id: store-test.c,v 1.1 2001/05/11 16:06:25 joda Exp $"); - -static void -print_data(unsigned char *data, size_t len) -{ - int i; - for(i = 0; i < len; i++) { - if(i > 0 && (i % 16) == 0) - printf("\n "); - printf("%02x ", data[i]); - } - printf("\n"); -} - -static int -compare(const char *name, krb5_storage *sp, void *expected, size_t len) -{ - int ret = 0; - krb5_data data; - krb5_storage_to_data(sp, &data); - krb5_storage_free(sp); - if(data.length != len || memcmp(data.data, expected, len) != 0) { - printf("%s mismatch\n", name); - printf(" Expected: "); - print_data(expected, len); - printf(" Actual: "); - print_data(data.data, data.length); - ret++; - } - krb5_data_free(&data); - return ret; -} - -int -main(int argc, char **argv) -{ - int nerr = 0; - krb5_storage *sp; - krb5_context context; - krb5_principal principal; - - - krb5_init_context(&context); - - sp = krb5_storage_emem(); - krb5_store_int32(sp, 0x01020304); - nerr += compare("Integer", sp, "\x1\x2\x3\x4", 4); - - sp = krb5_storage_emem(); - krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_LE); - krb5_store_int32(sp, 0x01020304); - nerr += compare("Integer (LE)", sp, "\x4\x3\x2\x1", 4); - - sp = krb5_storage_emem(); - krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_BE); - krb5_store_int32(sp, 0x01020304); - nerr += compare("Integer (BE)", sp, "\x1\x2\x3\x4", 4); - - sp = krb5_storage_emem(); - krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_HOST); - krb5_store_int32(sp, 0x01020304); - { - int test = 1; - void *data; - if(*(char*)&test) - data = "\x4\x3\x2\x1"; - else - data = "\x1\x2\x3\x4"; - nerr += compare("Integer (host)", sp, data, 4); - } - - sp = krb5_storage_emem(); - krb5_make_principal(context, &principal, "TEST", "foobar", NULL); - krb5_store_principal(sp, principal); - nerr += compare("Principal", sp, "\x0\x0\x0\x1" - "\x0\x0\x0\x1" - "\x0\x0\x0\x4TEST" - "\x0\x0\x0\x6""foobar", 26); - - return nerr ? 1 : 0; -} 
diff --git a/crypto/heimdal-0.6.3/lib/krb5/store.c b/crypto/heimdal-0.6.3/lib/krb5/store.c
deleted file mode 100644
index b0ca731c67..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/store.c
+++ /dev/null
@@ -1,743 +0,0 @@ -/* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "krb5_locl.h" -#include "store-int.h" - -RCSID("$Id: store.c,v 1.38.4.1 2004/03/09 19:32:14 lha Exp $"); - -#define BYTEORDER_IS(SP, V) (((SP)->flags & KRB5_STORAGE_BYTEORDER_MASK) == (V)) -#define BYTEORDER_IS_LE(SP) BYTEORDER_IS((SP), KRB5_STORAGE_BYTEORDER_LE) -#define BYTEORDER_IS_BE(SP) BYTEORDER_IS((SP), KRB5_STORAGE_BYTEORDER_BE) -#define BYTEORDER_IS_HOST(SP) (BYTEORDER_IS((SP), KRB5_STORAGE_BYTEORDER_HOST) || \ - krb5_storage_is_flags((SP), KRB5_STORAGE_HOST_BYTEORDER)) - -void -krb5_storage_set_flags(krb5_storage *sp, krb5_flags flags) -{ - sp->flags |= flags; -} - -void -krb5_storage_clear_flags(krb5_storage *sp, krb5_flags flags) -{ - sp->flags &= ~flags; -} - -krb5_boolean -krb5_storage_is_flags(krb5_storage *sp, krb5_flags flags) -{ - return (sp->flags & flags) == flags; -} - -void -krb5_storage_set_byteorder(krb5_storage *sp, krb5_flags byteorder) -{ - sp->flags &= ~KRB5_STORAGE_BYTEORDER_MASK; - sp->flags |= byteorder; -} - -krb5_flags -krb5_storage_get_byteorder(krb5_storage *sp, krb5_flags byteorder) -{ - return sp->flags & KRB5_STORAGE_BYTEORDER_MASK; -} - -off_t -krb5_storage_seek(krb5_storage *sp, off_t offset, int whence) -{ - return (*sp->seek)(sp, offset, whence); -} - -krb5_ssize_t -krb5_storage_read(krb5_storage *sp, void *buf, size_t len) -{ - return sp->fetch(sp, buf, len); -} - -krb5_ssize_t -krb5_storage_write(krb5_storage *sp, const void *buf, size_t len) -{ - return sp->store(sp, buf, len); -} - -void -krb5_storage_set_eof_code(krb5_storage *sp, int code) -{ - sp->eof_code = code; -} - -krb5_ssize_t -_krb5_put_int(void *buffer, unsigned long value, size_t size) -{ - unsigned char *p = buffer; - int i; - for (i = size - 1; i >= 0; i--) { - p[i] = value & 0xff; - value >>= 8; - } - return size; -} - -krb5_ssize_t -_krb5_get_int(void *buffer, unsigned long *value, size_t size) -{ - unsigned char *p = buffer; - unsigned long v = 0; - int i; - for (i = 0; i < size; i++) - v = (v << 8) + p[i]; - *value = v; - return size; 
-} - -krb5_error_code -krb5_storage_free(krb5_storage *sp) -{ - if(sp->free) - (*sp->free)(sp); - free(sp->data); - free(sp); - return 0; -} - -krb5_error_code -krb5_storage_to_data(krb5_storage *sp, krb5_data *data) -{ - off_t pos; - size_t size; - krb5_error_code ret; - - pos = sp->seek(sp, 0, SEEK_CUR); - size = (size_t)sp->seek(sp, 0, SEEK_END); - ret = krb5_data_alloc (data, size); - if (ret) { - sp->seek(sp, pos, SEEK_SET); - return ret; - } - if (size) { - sp->seek(sp, 0, SEEK_SET); - sp->fetch(sp, data->data, data->length); - sp->seek(sp, pos, SEEK_SET); - } - return 0; -} - -static krb5_error_code -krb5_store_int(krb5_storage *sp, - int32_t value, - size_t len) -{ - int ret; - unsigned char v[16]; - - if(len > sizeof(v)) - return EINVAL; - _krb5_put_int(v, value, len); - ret = sp->store(sp, v, len); - if (ret != len) - return (ret<0)?errno:sp->eof_code; - return 0; -} - -krb5_error_code -krb5_store_int32(krb5_storage *sp, - int32_t value) -{ - if(BYTEORDER_IS_HOST(sp)) - value = htonl(value); - else if(BYTEORDER_IS_LE(sp)) - value = bswap32(value); - return krb5_store_int(sp, value, 4); -} - -static krb5_error_code -krb5_ret_int(krb5_storage *sp, - int32_t *value, - size_t len) -{ - int ret; - unsigned char v[4]; - unsigned long w; - ret = sp->fetch(sp, v, len); - if(ret != len) - return (ret<0)?errno:sp->eof_code; - _krb5_get_int(v, &w, len); - *value = w; - return 0; -} - -krb5_error_code -krb5_ret_int32(krb5_storage *sp, - int32_t *value) -{ - krb5_error_code ret = krb5_ret_int(sp, value, 4); - if(ret) - return ret; - if(BYTEORDER_IS_HOST(sp)) - *value = htonl(*value); - else if(BYTEORDER_IS_LE(sp)) - *value = bswap32(*value); - return 0; -} - -krb5_error_code -krb5_store_int16(krb5_storage *sp, - int16_t value) -{ - if(BYTEORDER_IS_HOST(sp)) - value = htons(value); - else if(BYTEORDER_IS_LE(sp)) - value = bswap16(value); - return krb5_store_int(sp, value, 2); -} - -krb5_error_code -krb5_ret_int16(krb5_storage *sp, - int16_t *value) -{ - int32_t v; - 
int ret; - ret = krb5_ret_int(sp, &v, 2); - if(ret) - return ret; - *value = v; - if(BYTEORDER_IS_HOST(sp)) - *value = htons(*value); - else if(BYTEORDER_IS_LE(sp)) - *value = bswap16(*value); - return 0; -} - -krb5_error_code -krb5_store_int8(krb5_storage *sp, - int8_t value) -{ - int ret; - - ret = sp->store(sp, &value, sizeof(value)); - if (ret != sizeof(value)) - return (ret<0)?errno:sp->eof_code; - return 0; -} - -krb5_error_code -krb5_ret_int8(krb5_storage *sp, - int8_t *value) -{ - int ret; - - ret = sp->fetch(sp, value, sizeof(*value)); - if (ret != sizeof(*value)) - return (ret<0)?errno:sp->eof_code; - return 0; -} - -krb5_error_code -krb5_store_data(krb5_storage *sp, - krb5_data data) -{ - int ret; - ret = krb5_store_int32(sp, data.length); - if(ret < 0) - return ret; - ret = sp->store(sp, data.data, data.length); - if(ret != data.length){ - if(ret < 0) - return errno; - return sp->eof_code; - } - return 0; -} - -krb5_error_code -krb5_ret_data(krb5_storage *sp, - krb5_data *data) -{ - int ret; - int32_t size; - - ret = krb5_ret_int32(sp, &size); - if(ret) - return ret; - ret = krb5_data_alloc (data, size); - if (ret) - return ret; - if (size) { - ret = sp->fetch(sp, data->data, size); - if(ret != size) - return (ret < 0)? 
errno : sp->eof_code; - } - return 0; -} - -krb5_error_code -krb5_store_string(krb5_storage *sp, const char *s) -{ - krb5_data data; - data.length = strlen(s); - data.data = (void*)s; - return krb5_store_data(sp, data); -} - -krb5_error_code -krb5_ret_string(krb5_storage *sp, - char **string) -{ - int ret; - krb5_data data; - ret = krb5_ret_data(sp, &data); - if(ret) - return ret; - *string = realloc(data.data, data.length + 1); - if(*string == NULL){ - free(data.data); - return ENOMEM; - } - (*string)[data.length] = 0; - return 0; -} - -krb5_error_code -krb5_store_stringz(krb5_storage *sp, const char *s) -{ - size_t len = strlen(s) + 1; - ssize_t ret; - - ret = sp->store(sp, s, len); - if(ret != len) { - if(ret < 0) - return ret; - else - return sp->eof_code; - } - return 0; -} - -krb5_error_code -krb5_ret_stringz(krb5_storage *sp, - char **string) -{ - char c; - char *s = NULL; - size_t len = 0; - ssize_t ret; - - while((ret = sp->fetch(sp, &c, 1)) == 1){ - char *tmp; - - len++; - tmp = realloc (s, len); - if (tmp == NULL) { - free (s); - return ENOMEM; - } - s = tmp; - s[len - 1] = c; - if(c == 0) - break; - } - if(ret != 1){ - free(s); - if(ret == 0) - return sp->eof_code; - return ret; - } - *string = s; - return 0; -} - - -krb5_error_code -krb5_store_principal(krb5_storage *sp, - krb5_principal p) -{ - int i; - int ret; - - if(!krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE)) { - ret = krb5_store_int32(sp, p->name.name_type); - if(ret) return ret; - } - if(krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS)) - ret = krb5_store_int32(sp, p->name.name_string.len + 1); - else - ret = krb5_store_int32(sp, p->name.name_string.len); - - if(ret) return ret; - ret = krb5_store_string(sp, p->realm); - if(ret) return ret; - for(i = 0; i < p->name.name_string.len; i++){ - ret = krb5_store_string(sp, p->name.name_string.val[i]); - if(ret) return ret; - } - return 0; -} - -krb5_error_code -krb5_ret_principal(krb5_storage *sp, - 
krb5_principal *princ) -{ - int i; - int ret; - krb5_principal p; - int32_t type; - int32_t ncomp; - - p = calloc(1, sizeof(*p)); - if(p == NULL) - return ENOMEM; - - if(krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE)) - type = KRB5_NT_UNKNOWN; - else if((ret = krb5_ret_int32(sp, &type))){ - free(p); - return ret; - } - if((ret = krb5_ret_int32(sp, &ncomp))){ - free(p); - return ret; - } - if(krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS)) - ncomp--; - p->name.name_type = type; - p->name.name_string.len = ncomp; - ret = krb5_ret_string(sp, &p->realm); - if(ret) return ret; - p->name.name_string.val = calloc(ncomp, sizeof(*p->name.name_string.val)); - if(p->name.name_string.val == NULL){ - free(p->realm); - return ENOMEM; - } - for(i = 0; i < ncomp; i++){ - ret = krb5_ret_string(sp, &p->name.name_string.val[i]); - if(ret) return ret; /* XXX */ - } - *princ = p; - return 0; -} - -krb5_error_code -krb5_store_keyblock(krb5_storage *sp, krb5_keyblock p) -{ - int ret; - ret = krb5_store_int16(sp, p.keytype); - if(ret) return ret; - - if(krb5_storage_is_flags(sp, KRB5_STORAGE_KEYBLOCK_KEYTYPE_TWICE)){ - /* this should really be enctype, but it is the same as - keytype nowadays */ - ret = krb5_store_int16(sp, p.keytype); - if(ret) return ret; - } - - ret = krb5_store_data(sp, p.keyvalue); - return ret; -} - -krb5_error_code -krb5_ret_keyblock(krb5_storage *sp, krb5_keyblock *p) -{ - int ret; - int16_t tmp; - - ret = krb5_ret_int16(sp, &tmp); - if(ret) return ret; - p->keytype = tmp; - - if(krb5_storage_is_flags(sp, KRB5_STORAGE_KEYBLOCK_KEYTYPE_TWICE)){ - ret = krb5_ret_int16(sp, &tmp); - if(ret) return ret; - } - - ret = krb5_ret_data(sp, &p->keyvalue); - return ret; -} - -krb5_error_code -krb5_store_times(krb5_storage *sp, krb5_times times) -{ - int ret; - ret = krb5_store_int32(sp, times.authtime); - if(ret) return ret; - ret = krb5_store_int32(sp, times.starttime); - if(ret) return ret; - ret = krb5_store_int32(sp, times.endtime); 
- if(ret) return ret; - ret = krb5_store_int32(sp, times.renew_till); - return ret; -} - -krb5_error_code -krb5_ret_times(krb5_storage *sp, krb5_times *times) -{ - int ret; - int32_t tmp; - ret = krb5_ret_int32(sp, &tmp); - times->authtime = tmp; - if(ret) return ret; - ret = krb5_ret_int32(sp, &tmp); - times->starttime = tmp; - if(ret) return ret; - ret = krb5_ret_int32(sp, &tmp); - times->endtime = tmp; - if(ret) return ret; - ret = krb5_ret_int32(sp, &tmp); - times->renew_till = tmp; - return ret; -} - -krb5_error_code -krb5_store_address(krb5_storage *sp, krb5_address p) -{ - int ret; - ret = krb5_store_int16(sp, p.addr_type); - if(ret) return ret; - ret = krb5_store_data(sp, p.address); - return ret; -} - -krb5_error_code -krb5_ret_address(krb5_storage *sp, krb5_address *adr) -{ - int16_t t; - int ret; - ret = krb5_ret_int16(sp, &t); - if(ret) return ret; - adr->addr_type = t; - ret = krb5_ret_data(sp, &adr->address); - return ret; -} - -krb5_error_code -krb5_store_addrs(krb5_storage *sp, krb5_addresses p) -{ - int i; - int ret; - ret = krb5_store_int32(sp, p.len); - if(ret) return ret; - for(i = 0; ilen = tmp; - ALLOC(adr->val, adr->len); - for(i = 0; i < adr->len; i++){ - ret = krb5_ret_address(sp, &adr->val[i]); - if(ret) break; - } - return ret; -} - -krb5_error_code -krb5_store_authdata(krb5_storage *sp, krb5_authdata auth) -{ - krb5_error_code ret; - int i; - ret = krb5_store_int32(sp, auth.len); - if(ret) return ret; - for(i = 0; i < auth.len; i++){ - ret = krb5_store_int16(sp, auth.val[i].ad_type); - if(ret) break; - ret = krb5_store_data(sp, auth.val[i].ad_data); - if(ret) break; - } - return 0; -} - -krb5_error_code -krb5_ret_authdata(krb5_storage *sp, krb5_authdata *auth) -{ - krb5_error_code ret; - int32_t tmp; - int16_t tmp2; - int i; - ret = krb5_ret_int32(sp, &tmp); - if(ret) return ret; - ALLOC_SEQ(auth, tmp); - for(i = 0; i < tmp; i++){ - ret = krb5_ret_int16(sp, &tmp2); - if(ret) break; - auth->val[i].ad_type = tmp2; - ret = krb5_ret_data(sp, 
&auth->val[i].ad_data); - if(ret) break; - } - return ret; -} - -static int32_t -bitswap32(int32_t b) -{ - int32_t r = 0; - int i; - for (i = 0; i < 32; i++) { - r = r << 1 | (b & 1); - b = b >> 1; - } - return r; -} - - -/* - * - */ - -krb5_error_code -_krb5_store_creds_internal(krb5_storage *sp, krb5_creds *creds, int v0_6) -{ - int ret; - - ret = krb5_store_principal(sp, creds->client); - if(ret) - return ret; - ret = krb5_store_principal(sp, creds->server); - if(ret) - return ret; - ret = krb5_store_keyblock(sp, creds->session); - if(ret) - return ret; - ret = krb5_store_times(sp, creds->times); - if(ret) - return ret; - ret = krb5_store_int8(sp, 0); /* this is probably the - enc-tkt-in-skey bit from KDCOptions */ - if(ret) - return ret; - if (v0_6) { - ret = krb5_store_int32(sp, creds->flags.i); - if(ret) - return ret; - } else { - ret = krb5_store_int32(sp, bitswap32(TicketFlags2int(creds->flags.b))); - if(ret) - return ret; - } - ret = krb5_store_addrs(sp, creds->addresses); - if(ret) - return ret; - ret = krb5_store_authdata(sp, creds->authdata); - if(ret) - return ret; - ret = krb5_store_data(sp, creds->ticket); - if(ret) - return ret; - ret = krb5_store_data(sp, creds->second_ticket); - return ret; -} - -/* - * store `creds' on `sp' returning error or zero - */ - -krb5_error_code -krb5_store_creds(krb5_storage *sp, krb5_creds *creds) -{ - return _krb5_store_creds_internal(sp, creds, 1); -} - -krb5_error_code -_krb5_store_creds_heimdal_0_7(krb5_storage *sp, krb5_creds *creds) -{ - return _krb5_store_creds_internal(sp, creds, 0); -} - -krb5_error_code -_krb5_store_creds_heimdal_pre_0_7(krb5_storage *sp, krb5_creds *creds) -{ - return _krb5_store_creds_internal(sp, creds, 1); -} - -krb5_error_code -krb5_ret_creds(krb5_storage *sp, krb5_creds *creds) -{ - krb5_error_code ret; - int8_t dummy8; - int32_t dummy32; - - memset(creds, 0, sizeof(*creds)); - ret = krb5_ret_principal (sp, &creds->client); - if(ret) goto cleanup; - ret = krb5_ret_principal (sp, 
&creds->server); - if(ret) goto cleanup; - ret = krb5_ret_keyblock (sp, &creds->session); - if(ret) goto cleanup; - ret = krb5_ret_times (sp, &creds->times); - if(ret) goto cleanup; - ret = krb5_ret_int8 (sp, &dummy8); - if(ret) goto cleanup; - ret = krb5_ret_int32 (sp, &dummy32); - if(ret) goto cleanup; - /* - * Runtime detect the what is the higher bits of the bitfield. If - * any of the higher bits are set in the input data, its either a - * new ticket flag (and this code need to be removed), or its a - * MIT cache (or new Heimdal cache), lets change it to our current - * format. - */ - { - u_int32_t mask = 0xffff0000; - creds->flags.i = 0; - creds->flags.b.anonymous = 1; - if (creds->flags.i & mask) - mask = ~mask; - if (dummy32 & mask) - dummy32 = bitswap32(dummy32); - } - creds->flags.i = dummy32; - ret = krb5_ret_addrs (sp, &creds->addresses); - if(ret) goto cleanup; - ret = krb5_ret_authdata (sp, &creds->authdata); - if(ret) goto cleanup; - ret = krb5_ret_data (sp, &creds->ticket); - if(ret) goto cleanup; - ret = krb5_ret_data (sp, &creds->second_ticket); -cleanup: - if(ret) { -#if 0 - krb5_free_creds_contents(context, creds); /* XXX */ -#endif - } - return ret; -} diff --git a/crypto/heimdal-0.6.3/lib/krb5/store_emem.c b/crypto/heimdal-0.6.3/lib/krb5/store_emem.c deleted file mode 100644 index 526cf32f65..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/store_emem.c +++ /dev/null 
@@ -1,132 +0,0 @@ -/* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "krb5_locl.h" -#include "store-int.h" - -RCSID("$Id: store_emem.c,v 1.13 2002/10/21 15:36:23 joda Exp $"); - -typedef struct emem_storage{ - unsigned char *base; - size_t size; - size_t len; - unsigned char *ptr; -}emem_storage; - -static ssize_t -emem_fetch(krb5_storage *sp, void *data, size_t size) -{ - emem_storage *s = (emem_storage*)sp->data; - if(s->base + s->len - s->ptr < size) - size = s->base + s->len - s->ptr; - memmove(data, s->ptr, size); - sp->seek(sp, size, SEEK_CUR); - return size; -} - -static ssize_t -emem_store(krb5_storage *sp, const void *data, size_t size) -{ - emem_storage *s = (emem_storage*)sp->data; - if(size > s->base + s->size - s->ptr){ - void *base; - size_t sz, off; - off = s->ptr - s->base; - sz = off + size; - if (sz < 4096) - sz *= 2; - base = realloc(s->base, sz); - if(base == NULL) - return 0; - s->size = sz; - s->base = base; - s->ptr = (unsigned char*)base + off; - } - memmove(s->ptr, data, size); - sp->seek(sp, size, SEEK_CUR); - return size; -} - -static off_t -emem_seek(krb5_storage *sp, off_t offset, int whence) -{ - emem_storage *s = (emem_storage*)sp->data; - switch(whence){ - case SEEK_SET: - if(offset > s->size) - offset = s->size; - if(offset < 0) - offset = 0; - s->ptr = s->base + offset; - if(offset > s->len) - s->len = offset; - break; - case SEEK_CUR: - sp->seek(sp,s->ptr - s->base + offset, SEEK_SET); - break; - case SEEK_END: - sp->seek(sp, s->len + offset, SEEK_SET); - break; - default: - errno = EINVAL; - return -1; - } - return s->ptr - s->base; -} - -static void -emem_free(krb5_storage *sp) -{ - emem_storage *s = sp->data; - memset(s->base, 0, s->len); - free(s->base); -} - -krb5_storage * -krb5_storage_emem(void) -{ - krb5_storage *sp = malloc(sizeof(krb5_storage)); - emem_storage *s = malloc(sizeof(*s)); - sp->data = s; - sp->flags = 0; - sp->eof_code = HEIM_ERR_EOF; - s->size = 1024; - s->base = malloc(s->size); - s->len = 0; - s->ptr = s->base; - sp->fetch = emem_fetch; - sp->store = 
emem_store; - sp->seek = emem_seek; - sp->free = emem_free; - return sp; -} diff --git a/crypto/heimdal-0.6.3/lib/krb5/store_fd.c b/crypto/heimdal-0.6.3/lib/krb5/store_fd.c deleted file mode 100644 index e31b956143..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/store_fd.c +++ /dev/null 
@@ -1,84 +0,0 @@ -/* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "krb5_locl.h" -#include "store-int.h" - -RCSID("$Id: store_fd.c,v 1.10 2002/04/18 14:00:39 joda Exp $"); - -typedef struct fd_storage{ - int fd; -}fd_storage; - -#define FD(S) (((fd_storage*)(S)->data)->fd) - -static ssize_t -fd_fetch(krb5_storage *sp, void *data, size_t size) -{ - return net_read(FD(sp), data, size); -} - -static ssize_t -fd_store(krb5_storage *sp, const void *data, size_t size) -{ - return net_write(FD(sp), data, size); -} - -static off_t -fd_seek(krb5_storage *sp, off_t offset, int whence) -{ - return lseek(FD(sp), offset, whence); -} - -krb5_storage * -krb5_storage_from_fd(int fd) -{ - krb5_storage *sp = malloc(sizeof(krb5_storage)); - - if (sp == NULL) - return NULL; - - sp->data = malloc(sizeof(fd_storage)); - if (sp->data == NULL) { - free(sp); - return NULL; - } - sp->flags = 0; - sp->eof_code = HEIM_ERR_EOF; - FD(sp) = fd; - sp->fetch = fd_fetch; - sp->store = fd_store; - sp->seek = fd_seek; - sp->free = NULL; - return sp; -} diff --git a/crypto/heimdal-0.6.3/lib/krb5/store_mem.c b/crypto/heimdal-0.6.3/lib/krb5/store_mem.c deleted file mode 100644 index b0be2002a3..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/store_mem.c +++ /dev/null 
@@ -1,119 +0,0 @@ -/* - * Copyright (c) 1997 - 2000, 2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "krb5_locl.h" -#include "store-int.h" - -RCSID("$Id: store_mem.c,v 1.11 2002/04/18 14:00:44 joda Exp $"); - -typedef struct mem_storage{ - unsigned char *base; - size_t size; - unsigned char *ptr; -}mem_storage; - -static ssize_t -mem_fetch(krb5_storage *sp, void *data, size_t size) -{ - mem_storage *s = (mem_storage*)sp->data; - if(size > s->base + s->size - s->ptr) - size = s->base + s->size - s->ptr; - memmove(data, s->ptr, size); - sp->seek(sp, size, SEEK_CUR); - return size; -} - -static ssize_t -mem_store(krb5_storage *sp, const void *data, size_t size) -{ - mem_storage *s = (mem_storage*)sp->data; - if(size > s->base + s->size - s->ptr) - size = s->base + s->size - s->ptr; - memmove(s->ptr, data, size); - sp->seek(sp, size, SEEK_CUR); - return size; -} - -static off_t -mem_seek(krb5_storage *sp, off_t offset, int whence) -{ - mem_storage *s = (mem_storage*)sp->data; - switch(whence){ - case SEEK_SET: - if(offset > s->size) - offset = s->size; - if(offset < 0) - offset = 0; - s->ptr = s->base + offset; - break; - case SEEK_CUR: - return sp->seek(sp, s->ptr - s->base + offset, SEEK_SET); - case SEEK_END: - return sp->seek(sp, s->size + offset, SEEK_SET); - default: - errno = EINVAL; - return -1; - } - return s->ptr - s->base; -} - -krb5_storage * -krb5_storage_from_mem(void *buf, size_t len) -{ - krb5_storage *sp = malloc(sizeof(krb5_storage)); - mem_storage *s; - if(sp == NULL) - return NULL; - s = malloc(sizeof(*s)); - if(s == NULL) { - free(sp); - return NULL; - } - sp->data = s; - sp->flags = 0; - sp->eof_code = HEIM_ERR_EOF; - s->base = buf; - s->size = len; - s->ptr = buf; - sp->fetch = mem_fetch; - sp->store = mem_store; - sp->seek = mem_seek; - sp->free = NULL; - return sp; -} - -krb5_storage * -krb5_storage_from_data(krb5_data *data) -{ - return krb5_storage_from_mem(data->data, data->length); -} 
diff --git a/crypto/heimdal-0.6.3/lib/krb5/string-to-key-test.c b/crypto/heimdal-0.6.3/lib/krb5/string-to-key-test.c
deleted file mode 100644
index 0ea5cd18d2..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/string-to-key-test.c
+++ /dev/null
@@ -1,135 +0,0 @@ -/* - * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of KTH nor the names of its contributors may be - * used to endorse or promote products derived from this software without - * specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY - * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR - * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, - * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR - * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF - * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ - -#include "krb5_locl.h" - -RCSID("$Id: string-to-key-test.c,v 1.7 2001/05/11 16:15:27 joda Exp $"); - -enum { MAXSIZE = 24 }; - -static struct testcase { - const char *principal_name; - const char *password; - krb5_enctype enctype; - unsigned char res[MAXSIZE]; -} tests[] = { - {"@", "", ETYPE_DES_CBC_MD5, - {0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0xf1}}, - {"nisse@FOO.SE", "hej", ETYPE_DES_CBC_MD5, - {0xfe, 0x67, 0xbf, 0x9e, 0x57, 0x6b, 0xfe, 0x52}}, - {"assar/liten@FOO.SE", "hemligt", ETYPE_DES_CBC_MD5, - {0x5b, 0x9b, 0xcb, 0xf2, 0x97, 0x43, 0xc8, 0x40}}, - {"@", "", ETYPE_DES3_CBC_SHA1, - {0xce, 0xa2, 0x2f, 0x9b, 0x52, 0x2c, 0xb0, 0x15, 0x6e, 0x6b, 0x64, - 0x73, 0x62, 0x64, 0x73, 0x4f, 0x6e, 0x73, 0xce, 0xa2, 0x2f, 0x9b, - 0x52, 0x57}}, - {"nisse@FOO.SE", "hej", ETYPE_DES3_CBC_SHA1, - {0x0e, 0xbc, 0x23, 0x9d, 0x68, 0x46, 0xf2, 0xd5, 0x51, 0x98, 0x5b, - 0x57, 0xc1, 0x57, 0x01, 0x79, 0x04, 0xc4, 0xe9, 0xfe, 0xc1, 0x0e, - 0x13, 0xd0}}, - {"assar/liten@FOO.SE", "hemligt", ETYPE_DES3_CBC_SHA1, - {0x7f, 0x40, 0x67, 0xb9, 0xbc, 0xc4, 0x40, 0xfb, 0x43, 0x73, 0xd9, - 0xd3, 0xcd, 0x7c, 0xc7, 0x67, 0xe6, 0x79, 0x94, 0xd0, 0xa8, 0x34, - 0xdf, 0x62}}, - {"does/not@MATTER", "foo", ETYPE_ARCFOUR_HMAC_MD5, - {0xac, 0x8e, 0x65, 0x7f, 0x83, 0xdf, 0x82, 0xbe, - 0xea, 0x5d, 0x43, 0xbd, 0xaf, 0x78, 0x00, 0xcc}}, - {"raeburn@ATHENA.MIT.EDU", "password", ETYPE_DES_CBC_MD5, - {0xcb, 0xc2, 0x2f, 0xae, 0x23, 0x52, 0x98, 0xe3}}, - {"danny@WHITEHOUSE.GOV", "potatoe", ETYPE_DES_CBC_MD5, - {0xdf, 0x3d, 0x32, 0xa7, 0x4f, 0xd9, 0x2a, 0x01}}, - {"buckaroo@EXAMPLE.COM", "penny", ETYPE_DES_CBC_MD5, - {0x94, 0x43, 0xa2, 0xe5, 0x32, 0xfd, 0xc4, 0xf1}}, - {"Juri\xc5\xa1i\xc4\x87@ATHENA.MIT.EDU", "\xc3\x9f", ETYPE_DES_CBC_MD5, - {0x62, 0xc8, 0x1a, 0x52, 0x32, 0xb5, 0xe6, 0x9d}}, - {"AAAAAAAA", "11119999", ETYPE_DES_CBC_MD5, - {0x98, 0x40, 0x54, 0xd0, 0xf1, 0xa7, 0x3e, 0x31}}, - {"FFFFAAAA", "NNNN6666", ETYPE_DES_CBC_MD5, - {0xc4, 0xbf, 0x6b, 0x25, 0xad, 0xf7, 0xa4, 0xf8}}, - 
{"raeburn@ATHENA.MIT.EDU", "password", ETYPE_DES3_CBC_SHA1, - {0x85, 0x0b, 0xb5, 0x13, 0x58, 0x54, 0x8c, 0xd0, 0x5e, 0x86, 0x76, 0x8c, 0x31, 0x3e, 0x3b, 0xfe, 0xf7, 0x51, 0x19, 0x37, 0xdc, 0xf7, 0x2c, 0x3e}}, - {"danny@WHITEHOUSE.GOV", "potatoe", ETYPE_DES3_CBC_SHA1, - {0xdf, 0xcd, 0x23, 0x3d, 0xd0, 0xa4, 0x32, 0x04, 0xea, 0x6d, 0xc4, 0x37, 0xfb, 0x15, 0xe0, 0x61, 0xb0, 0x29, 0x79, 0xc1, 0xf7, 0x4f, 0x37, 0x7a}}, - {"buckaroo@EXAMPLE.COM", "penny", ETYPE_DES3_CBC_SHA1, - {0x6d, 0x2f, 0xcd, 0xf2, 0xd6, 0xfb, 0xbc, 0x3d, 0xdc, 0xad, 0xb5, 0xda, 0x57, 0x10, 0xa2, 0x34, 0x89, 0xb0, 0xd3, 0xb6, 0x9d, 0x5d, 0x9d, 0x4a}}, - {"Juri\xc5\xa1i\xc4\x87@ATHENA.MIT.EDU", "\xc3\x9f", ETYPE_DES3_CBC_SHA1, - {0x16, 0xd5, 0xa4, 0x0e, 0x1c, 0xe3, 0xba, 0xcb, 0x61, 0xb9, 0xdc, 0xe0, 0x04, 0x70, 0x32, 0x4c, 0x83, 0x19, 0x73, 0xa7, 0xb9, 0x52, 0xfe, 0xb0}}, - {NULL} -}; - -int -main(int argc, char **argv) -{ - struct testcase *t; - krb5_context context; - krb5_error_code ret; - int val = 0; - - ret = krb5_init_context (&context); - if (ret) - errx (1, "krb5_init_context failed: %d", ret); - - /* to enable realm-less principal name above */ - - krb5_set_default_realm(context, ""); - - for (t = tests; t->principal_name; ++t) { - krb5_keyblock key; - krb5_principal principal; - int i; - - ret = krb5_parse_name (context, t->principal_name, &principal); - if (ret) - krb5_err (context, 1, ret, "krb5_parse_name %s", - t->principal_name); - ret = krb5_string_to_key (context, t->enctype, t->password, - principal, &key); - if (ret) - krb5_err (context, 1, ret, "krb5_string_to_key"); - krb5_free_principal (context, principal); - if (memcmp (key.keyvalue.data, t->res, key.keyvalue.length) != 0) { - const unsigned char *p = key.keyvalue.data; - - printf ("string_to_key(%s, %s) failed\n", - t->principal_name, t->password); - printf ("should be: "); - for (i = 0; i < key.keyvalue.length; ++i) - printf ("%02x", t->res[i]); - printf ("\nresult was: "); - for (i = 0; i < key.keyvalue.length; ++i) - 
printf ("%02x", p[i]);
- printf ("\n");
- val = 1;
- }
- }
- return val;
-}
diff --git a/crypto/heimdal-0.6.3/lib/krb5/test_alname.c b/crypto/heimdal-0.6.3/lib/krb5/test_alname.c
deleted file mode 100644
index 8a6ec6dc8f..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/test_alname.c
+++ /dev/null
@@ -1,156 +0,0 @@ -/* - * Copyright (c) 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of KTH nor the names of its contributors may be - * used to endorse or promote products derived from this software without - * specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY - * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR - * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, - * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR - * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF - * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ - -#include "krb5_locl.h" -#include -#include - -RCSID("$Id: test_alname.c,v 1.4 2003/04/17 05:46:45 lha Exp $"); - -static void -test_alname(krb5_context context, krb5_realm realm, - const char *user, const char *inst, - const char *localuser, int ok) -{ - krb5_principal p; - char localname[1024]; - krb5_error_code ret; - char *princ; - - ret = krb5_make_principal(context, &p, realm, user, inst, NULL); - if (ret) - krb5_err(context, 1, ret, "krb5_build_principal"); - - ret = krb5_unparse_name(context, p, &princ); - if (ret) - krb5_err(context, 1, ret, "krb5_unparse_name"); - - ret = krb5_aname_to_localname(context, p, sizeof(localname), localname); - krb5_free_principal(context, p); - free(princ); - if (ret) { - if (!ok) - return; - krb5_err(context, 1, ret, "krb5_aname_to_localname: %s -> %s", - princ, localuser); - } - - if (strcmp(localname, localuser) != 0) { - if (ok) - errx(1, "compared failed %s != %s (should have succeded)", - localname, localuser); - } else { - if (!ok) - errx(1, "compared failed %s == %s (should have failed)", - localname, localuser); - } - -} - -static int version_flag = 0; -static int help_flag = 0; - -static struct getargs args[] = { - {"version", 0, arg_flag, &version_flag, - "print version", NULL }, - {"help", 0, arg_flag, &help_flag, - NULL, NULL } -}; - -static void -usage (int ret) -{ - arg_printusage (args, - sizeof(args)/sizeof(*args), - NULL, - ""); - exit (ret); -} - -int -main(int argc, char **argv) -{ - krb5_context context; - krb5_error_code ret; - krb5_realm realm; - int optind = 0; - char *user; - - setprogname(argv[0]); - - if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind)) - usage(1); - - if (help_flag) - usage (0); - - if(version_flag){ - print_version(NULL); - exit(0); - } - - argc -= optind; - argv += optind; - - if (argc != 1) - errx(1, "first argument should be a local user that in root .k5login"); - - user = argv[0]; - - ret = krb5_init_context(&context); - if (ret) - errx (1, 
"krb5_init_context failed: %d", ret); - - ret = krb5_get_default_realm(context, &realm); - if (ret) - krb5_err(context, 1, ret, "krb5_get_default_realm"); - - test_alname(context, realm, user, NULL, user, 1); - test_alname(context, realm, user, "root", "root", 1); - - test_alname(context, "FOO.BAR.BAZ.KAKA", user, NULL, user, 0); - test_alname(context, "FOO.BAR.BAZ.KAKA", user, "root", "root", 0); - - test_alname(context, realm, user, NULL, - "not-same-as-user", 0); - test_alname(context, realm, user, "root", - "not-same-as-user", 0); - - test_alname(context, "FOO.BAR.BAZ.KAKA", user, NULL, - "not-same-as-user", 0); - test_alname(context, "FOO.BAR.BAZ.KAKA", user, "root", - "not-same-as-user", 0); - - krb5_free_context(context); - - return 0; -} diff --git a/crypto/heimdal-0.6.3/lib/krb5/test_cc.c b/crypto/heimdal-0.6.3/lib/krb5/test_cc.c deleted file mode 100644 index 15181f4d97..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/test_cc.c +++ /dev/null 
@@ -1,86 +0,0 @@ -/* - * Copyright (c) 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of KTH nor the names of its contributors may be - * used to endorse or promote products derived from this software without - * specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY - * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR - * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, - * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR - * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF - * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/
-
-#include "krb5_locl.h"
-#include
-
-RCSID("$Id: test_cc.c,v 1.1 2003/03/10 00:26:40 lha Exp $");
-
-#define TEST_CC_NAME "/tmp/foo"
-
-int
-main(int argc, char **argv)
-{
- krb5_context context;
- krb5_error_code ret;
- char *p1, *p2, *p3;
- const char *p;
-
- setprogname(argv[0]);
-
- ret = krb5_init_context(&context);
- if (ret)
- errx (1, "krb5_init_context failed: %d", ret);
-
- p = krb5_cc_default_name(context);
- if (p == NULL)
- krb5_errx (context, 1, "krb5_cc_default_name 1 failed");
- p1 = estrdup(p);
-
- ret = krb5_cc_set_default_name(context, NULL);
- if (p == NULL)
- krb5_errx (context, 1, "krb5_cc_set_default_name failed");
-
- p = krb5_cc_default_name(context);
- if (p == NULL)
- krb5_errx (context, 1, "krb5_cc_default_name 2 failed");
- p2 = estrdup(p);
-
- if (strcmp(p1, p2) != 0)
- krb5_errx (context, 1, "krb5_cc_default_name no longer same");
-
- ret = krb5_cc_set_default_name(context, TEST_CC_NAME);
- if (p == NULL)
- krb5_errx (context, 1, "krb5_cc_set_default_name 1 failed");
-
- p = krb5_cc_default_name(context);
- if (p == NULL)
- krb5_errx (context, 1, "krb5_cc_default_name 2 failed");
- p3 = estrdup(p);
-
- if (strcmp(p3, TEST_CC_NAME) != 0)
- krb5_errx (context, 1, "krb5_cc_set_default_name 1 failed");
-
- krb5_free_context(context);
-
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/lib/krb5/test_get_addrs.c b/crypto/heimdal-0.6.3/lib/krb5/test_get_addrs.c
deleted file mode 100644
index 97e3b2b1e5..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/test_get_addrs.c
+++ /dev/null
@@ -1,116 +0,0 @@ -/* - * Copyright (c) 2000 - 2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of KTH nor the names of its contributors may be - * used to endorse or promote products derived from this software without - * specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY - * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR - * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, - * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR - * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF - * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ - -#include "krb5_locl.h" -#include -#include - -RCSID("$Id: test_get_addrs.c,v 1.4 2002/08/23 03:42:54 assar Exp $"); - -/* print all addresses that we find */ - -static void -print_addresses (krb5_context context, const krb5_addresses *addrs) -{ - int i; - char buf[256]; - size_t len; - - for (i = 0; i < addrs->len; ++i) { - krb5_print_address (&addrs->val[i], buf, sizeof(buf), &len); - printf ("%s\n", buf); - } -} - -static int version_flag = 0; -static int help_flag = 0; - -static struct getargs args[] = { - {"version", 0, arg_flag, &version_flag, - "print version", NULL }, - {"help", 0, arg_flag, &help_flag, - NULL, NULL } -}; - -static void -usage (int ret) -{ - arg_printusage (args, - sizeof(args)/sizeof(*args), - NULL, - ""); - exit (ret); -} - -int -main(int argc, char **argv) -{ - krb5_context context; - krb5_error_code ret; - krb5_addresses addrs; - int optind = 0; - - setprogname (argv[0]); - - if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind)) - usage(1); - - if (help_flag) - usage (0); - - if(version_flag){ - print_version(NULL); - exit(0); - } - - argc -= optind; - argv += optind; - - ret = krb5_init_context(&context); - if (ret) - errx (1, "krb5_init_context failed: %d", ret); - - ret = krb5_get_all_client_addrs (context, &addrs); - if (ret) - krb5_err (context, 1, ret, "krb5_get_all_client_addrs"); - printf ("client addresses\n"); - print_addresses (context, &addrs); - krb5_free_addresses (context, &addrs); - - ret = krb5_get_all_server_addrs (context, &addrs); - if (ret) - krb5_err (context, 1, ret, "krb5_get_all_server_addrs"); - printf ("server addresses\n"); - print_addresses (context, &addrs); - krb5_free_addresses (context, &addrs); - return 0; -} diff --git a/crypto/heimdal-0.6.3/lib/krb5/ticket.c b/crypto/heimdal-0.6.3/lib/krb5/ticket.c deleted file mode 100644 index 888218ee00..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/ticket.c +++ /dev/null 
@@ -1,81 +0,0 @@ -/* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */
-
-#include "krb5_locl.h"
-
-RCSID("$Id: ticket.c,v 1.5.8.1 2003/09/18 21:01:57 lha Exp $");
-
-krb5_error_code
-krb5_free_ticket(krb5_context context,
- krb5_ticket *ticket)
-{
- free_EncTicketPart(&ticket->ticket);
- krb5_free_principal(context, ticket->client);
- krb5_free_principal(context, ticket->server);
- return 0;
-}
-
-krb5_error_code
-krb5_copy_ticket(krb5_context context,
- const krb5_ticket *from,
- krb5_ticket **to)
-{
- krb5_error_code ret;
- krb5_ticket *tmp;
-
- *to = NULL;
- tmp = malloc(sizeof(*tmp));
- if(tmp == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
- return ENOMEM;
- }
- if((ret = copy_EncTicketPart(&from->ticket, &tmp->ticket))){
- free(tmp);
- return ret;
- }
- ret = krb5_copy_principal(context, from->client, &tmp->client);
- if(ret){
- free_EncTicketPart(&tmp->ticket);
- free(tmp);
- return ret;
- }
- ret = krb5_copy_principal(context, from->server, &tmp->server);
- if(ret){
- krb5_free_principal(context, tmp->client);
- free_EncTicketPart(&tmp->ticket);
- free(tmp);
- return ret;
- }
- *to = tmp;
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/lib/krb5/time.c b/crypto/heimdal-0.6.3/lib/krb5/time.c
deleted file mode 100644
index 9346546006..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/time.c
+++ /dev/null
@@ -1,87 +0,0 @@ -/* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "krb5_locl.h" - -RCSID("$Id: time.c,v 1.5 2001/05/02 10:06:11 joda Exp $"); - -/* - * return ``corrected'' time in `timeret'. 
- */ - -krb5_error_code -krb5_timeofday (krb5_context context, - krb5_timestamp *timeret) -{ - *timeret = time(NULL) + context->kdc_sec_offset; - return 0; -} - -/* - * like gettimeofday but with time correction to the KDC - */ - -krb5_error_code -krb5_us_timeofday (krb5_context context, - int32_t *sec, - int32_t *usec) -{ - struct timeval tv; - - gettimeofday (&tv, NULL); - - *sec = tv.tv_sec + context->kdc_sec_offset; - *usec = tv.tv_usec; /* XXX */ - return 0; -} - -krb5_error_code -krb5_format_time(krb5_context context, time_t t, - char *s, size_t len, krb5_boolean include_time) -{ - struct tm *tm; - if(context->log_utc) - tm = gmtime (&t); - else - tm = localtime(&t); - strftime(s, len, include_time ? context->time_fmt : context->date_fmt, tm); - return 0; -} - -krb5_error_code -krb5_string_to_deltat(const char *string, krb5_deltat *deltat) -{ - if((*deltat = parse_time(string, "s")) == -1) - return EINVAL; - return 0; -} diff --git a/crypto/heimdal-0.6.3/lib/krb5/transited.c b/crypto/heimdal-0.6.3/lib/krb5/transited.c deleted file mode 100644 index 8f48ff1d93..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/transited.c +++ /dev/null 
@@ -1,481 +0,0 @@ -/* - * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "krb5_locl.h" - -RCSID("$Id: transited.c,v 1.10.2.3 2003/10/22 06:07:41 lha Exp $"); - -/* this is an attempt at one of the most horrible `compression' - schemes that has ever been invented; it's so amazingly brain-dead - that words can not describe it, and all this just to save a few - silly bytes */ - -struct tr_realm { - char *realm; - unsigned leading_space:1; - unsigned leading_slash:1; - unsigned trailing_dot:1; - struct tr_realm *next; -}; - -static void -free_realms(struct tr_realm *r) -{ - struct tr_realm *p; - while(r){ - p = r; - r = r->next; - free(p->realm); - free(p); - } -} - -static int -make_path(krb5_context context, struct tr_realm *r, - const char *from, const char *to) -{ - const char *p; - struct tr_realm *path = r->next; - struct tr_realm *tmp; - - if(strlen(from) < strlen(to)){ - const char *tmp; - tmp = from; - from = to; - to = tmp; - } - - if(strcmp(from + strlen(from) - strlen(to), to) == 0){ - p = from; - while(1){ - p = strchr(p, '.'); - if(p == NULL) { - krb5_clear_error_string (context); - return KRB5KDC_ERR_POLICY; - } - p++; - if(strcmp(p, to) == 0) - break; - tmp = calloc(1, sizeof(*tmp)); - tmp->next = path; - path = tmp; - path->realm = strdup(p); - if(path->realm == NULL){ - r->next = path; /* XXX */ - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM;; - } - } - }else if(strncmp(from, to, strlen(to)) == 0){ - p = from + strlen(from); - while(1){ - while(p >= from && *p != '/') p--; - if(p == from) - return KRB5KDC_ERR_POLICY; - if(strncmp(to, from, p - from) == 0) - break; - tmp = calloc(1, sizeof(*tmp)); - tmp->next = path; - path = tmp; - path->realm = malloc(p - from + 1); - if(path->realm == NULL){ - r->next = path; /* XXX */ - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - memcpy(path->realm, from, p - from); - path->realm[p - from] = '\0'; - p--; - } - } else { - krb5_clear_error_string (context); - return KRB5KDC_ERR_POLICY; - } - r->next = path; 
- - return 0; -} - -static int -make_paths(krb5_context context, - struct tr_realm *realms, const char *client_realm, - const char *server_realm) -{ - struct tr_realm *r; - int ret; - const char *prev_realm = client_realm; - const char *next_realm = NULL; - for(r = realms; r; r = r->next){ - /* it *might* be that you can have more than one empty - component in a row, at least that's how I interpret the - "," exception in 1510 */ - if(r->realm[0] == '\0'){ - while(r->next && r->next->realm[0] == '\0') - r = r->next; - if(r->next) - next_realm = r->next->realm; - else - next_realm = server_realm; - ret = make_path(context, r, prev_realm, next_realm); - if(ret){ - free_realms(realms); - return ret; - } - } - prev_realm = r->realm; - } - return 0; -} - -static int -expand_realms(krb5_context context, - struct tr_realm *realms, const char *client_realm) -{ - struct tr_realm *r; - const char *prev_realm = NULL; - for(r = realms; r; r = r->next){ - if(r->trailing_dot){ - char *tmp; - size_t len = strlen(r->realm) + strlen(prev_realm) + 1; - - if(prev_realm == NULL) - prev_realm = client_realm; - tmp = realloc(r->realm, len); - if(tmp == NULL){ - free_realms(realms); - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - r->realm = tmp; - strlcat(r->realm, prev_realm, len); - }else if(r->leading_slash && !r->leading_space && prev_realm){ - /* yet another exception: if you use x500-names, the - leading realm doesn't have to be "quoted" with a space */ - char *tmp; - size_t len = strlen(r->realm) + strlen(prev_realm) + 1; - - tmp = malloc(len); - if(tmp == NULL){ - free_realms(realms); - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - strlcpy(tmp, prev_realm, len); - strlcat(tmp, r->realm, len); - free(r->realm); - r->realm = tmp; - } - prev_realm = r->realm; - } - return 0; -} - -static struct tr_realm * -make_realm(char *realm) -{ - struct tr_realm *r; - char *p, *q; - int quote = 0; - r = calloc(1, sizeof(*r)); 
- if(r == NULL){ - free(realm); - return NULL; - } - r->realm = realm; - for(p = q = r->realm; *p; p++){ - if(p == r->realm && *p == ' '){ - r->leading_space = 1; - continue; - } - if(q == r->realm && *p == '/') - r->leading_slash = 1; - if(quote){ - *q++ = *p; - quote = 0; - continue; - } - if(*p == '\\'){ - quote = 1; - continue; - } - if(p[0] == '.' && p[1] == '\0') - r->trailing_dot = 1; - *q++ = *p; - } - *q = '\0'; - return r; -} - -static struct tr_realm* -append_realm(struct tr_realm *head, struct tr_realm *r) -{ - struct tr_realm *p; - if(head == NULL){ - r->next = NULL; - return r; - } - p = head; - while(p->next) p = p->next; - p->next = r; - return head; -} - -static int -decode_realms(krb5_context context, - const char *tr, int length, struct tr_realm **realms) -{ - struct tr_realm *r = NULL; - - char *tmp; - int quote = 0; - const char *start = tr; - int i; - - for(i = 0; i < length; i++){ - if(quote){ - quote = 0; - continue; - } - if(tr[i] == '\\'){ - quote = 1; - continue; - } - if(tr[i] == ','){ - tmp = malloc(tr + i - start + 1); - memcpy(tmp, start, tr + i - start); - tmp[tr + i - start] = '\0'; - r = make_realm(tmp); - if(r == NULL){ - free_realms(*realms); - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - *realms = append_realm(*realms, r); - start = tr + i + 1; - } - } - tmp = malloc(tr + i - start + 1); - memcpy(tmp, start, tr + i - start); - tmp[tr + i - start] = '\0'; - r = make_realm(tmp); - if(r == NULL){ - free_realms(*realms); - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - *realms = append_realm(*realms, r); - - return 0; -} - - -krb5_error_code -krb5_domain_x500_decode(krb5_context context, - krb5_data tr, char ***realms, int *num_realms, - const char *client_realm, const char *server_realm) -{ - struct tr_realm *r = NULL; - struct tr_realm *p, **q; - int ret; - - if(tr.length == 0) { - *realms = NULL; - *num_realms = 0; - return 0; - } - - /* split string in 
components */ - ret = decode_realms(context, tr.data, tr.length, &r); - if(ret) - return ret; - - /* apply prefix rule */ - ret = expand_realms(context, r, client_realm); - if(ret) - return ret; - - ret = make_paths(context, r, client_realm, server_realm); - if(ret) - return ret; - - /* remove empty components and count realms */ - q = &r; - *num_realms = 0; - for(p = r; p; ){ - if(p->realm[0] == '\0'){ - free(p->realm); - *q = p->next; - free(p); - p = *q; - }else{ - q = &p->next; - p = p->next; - (*num_realms)++; - } - } - if (*num_realms < 0 || *num_realms + 1 > UINT_MAX/sizeof(**realms)) - return ERANGE; - - { - char **R; - R = malloc((*num_realms + 1) * sizeof(*R)); - if (R == NULL) - return ENOMEM; - *realms = R; - while(r){ - *R++ = r->realm; - p = r->next; - free(r); - r = p; - } - } - return 0; -} - -krb5_error_code -krb5_domain_x500_encode(char **realms, int num_realms, krb5_data *encoding) -{ - char *s = NULL; - int len = 0; - int i; - krb5_data_zero(encoding); - if (num_realms == 0) - return 0; - for(i = 0; i < num_realms; i++){ - len += strlen(realms[i]); - if(realms[i][0] == '/') - len++; - } - len += num_realms - 1; - s = malloc(len + 1); - if (s == NULL) - return ENOMEM; - *s = '\0'; - for(i = 0; i < num_realms; i++){ - if(i && i < num_realms - 1) - strlcat(s, ",", len + 1); - if(realms[i][0] == '/') - strlcat(s, " ", len + 1); - strlcat(s, realms[i], len + 1); - } - encoding->data = s; - encoding->length = strlen(s); - return 0; -} - -krb5_error_code -krb5_check_transited(krb5_context context, - krb5_const_realm client_realm, - krb5_const_realm server_realm, - krb5_realm *realms, - int num_realms, - int *bad_realm) -{ - char **tr_realms; - char **p; - int i; - - if(num_realms == 0) - return 0; - - tr_realms = krb5_config_get_strings(context, NULL, - "capaths", - client_realm, - server_realm, - NULL); - for(i = 0; i < num_realms; i++) { - for(p = tr_realms; p && *p; p++) { - if(strcmp(*p, realms[i]) == 0) - break; - } - if(p == NULL || *p == NULL) { 
- krb5_config_free_strings(tr_realms);
- krb5_set_error_string (context, "no transit through realm %s",
- realms[i]);
- if(bad_realm)
- *bad_realm = i;
- return KRB5KRB_AP_ERR_ILL_CR_TKT;
- }
- }
- krb5_config_free_strings(tr_realms);
- return 0;
-}
-
-krb5_error_code
-krb5_check_transited_realms(krb5_context context,
- const char *const *realms,
- int num_realms,
- int *bad_realm)
-{
- int i;
- int ret = 0;
- char **bad_realms = krb5_config_get_strings(context, NULL,
- "libdefaults",
- "transited_realms_reject",
- NULL);
- if(bad_realms == NULL)
- return 0;
-
- for(i = 0; i < num_realms; i++) {
- char **p;
- for(p = bad_realms; *p; p++)
- if(strcmp(*p, realms[i]) == 0) {
- krb5_set_error_string (context, "no transit through realm %s",
- *p);
- ret = KRB5KRB_AP_ERR_ILL_CR_TKT;
- if(bad_realm)
- *bad_realm = i;
- break;
- }
- }
- krb5_config_free_strings(bad_realms);
- return ret;
-}
-
-#if 0
-int
-main(int argc, char **argv)
-{
- krb5_data x;
- char **r;
- int num, i;
- x.data = argv[1];
- x.length = strlen(x.data);
- if(domain_expand(x, &r, &num, argv[2], argv[3]))
- exit(1);
- for(i = 0; i < num; i++)
- printf("%s\n", r[i]);
- return 0;
-}
-#endif
-
diff --git a/crypto/heimdal-0.6.3/lib/krb5/verify_init.c b/crypto/heimdal-0.6.3/lib/krb5/verify_init.c
deleted file mode 100644
index 243ac5fa43..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/verify_init.c
+++ /dev/null
@@ -1,202 +0,0 @@ -/* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "krb5_locl.h" - -RCSID("$Id: verify_init.c,v 1.17 2002/08/20 14:47:59 joda Exp $"); - -void -krb5_verify_init_creds_opt_init(krb5_verify_init_creds_opt *options) -{ - memset (options, 0, sizeof(*options)); -} - -void -krb5_verify_init_creds_opt_set_ap_req_nofail(krb5_verify_init_creds_opt *options, - int ap_req_nofail) -{ - options->flags |= KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL; - options->ap_req_nofail = ap_req_nofail; -} - -/* - * - */ - -static krb5_boolean -fail_verify_is_ok (krb5_context context, - krb5_verify_init_creds_opt *options) -{ - if ((options->flags & KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL - && options->ap_req_nofail != 0) - || krb5_config_get_bool (context, - NULL, - "libdefaults", - "verify_ap_req_nofail", - NULL)) - return FALSE; - else - return TRUE; -} - -krb5_error_code -krb5_verify_init_creds(krb5_context context, - krb5_creds *creds, - krb5_principal ap_req_server, - krb5_keytab ap_req_keytab, - krb5_ccache *ccache, - krb5_verify_init_creds_opt *options) -{ - krb5_error_code ret; - krb5_data req; - krb5_ccache local_ccache = NULL; - krb5_keytab_entry entry; - krb5_creds *new_creds = NULL; - krb5_auth_context auth_context = NULL; - krb5_principal server = NULL; - krb5_keytab keytab = NULL; - - krb5_data_zero (&req); - memset (&entry, 0, sizeof(entry)); - - if (ap_req_server == NULL) { - char local_hostname[MAXHOSTNAMELEN]; - - if (gethostname (local_hostname, sizeof(local_hostname)) < 0) { - ret = errno; - krb5_set_error_string (context, "gethostname: %s", - strerror(ret)); - return ret; - } - - ret = krb5_sname_to_principal (context, - local_hostname, - "host", - KRB5_NT_SRV_HST, - &server); - if (ret) - goto cleanup; - } else - server = ap_req_server; - - if (ap_req_keytab == NULL) { - ret = krb5_kt_default (context, &keytab); - if (ret) - goto cleanup; - } else - keytab = ap_req_keytab; - - if (ccache && *ccache) - local_ccache = *ccache; - else { - ret = krb5_cc_gen_new (context, &krb5_mcc_ops, &local_ccache); - if 
(ret) - goto cleanup; - ret = krb5_cc_initialize (context, - local_ccache, - creds->client); - if (ret) - goto cleanup; - ret = krb5_cc_store_cred (context, - local_ccache, - creds); - if (ret) - goto cleanup; - } - - if (!krb5_principal_compare (context, server, creds->server)) { - krb5_creds match_cred; - - memset (&match_cred, 0, sizeof(match_cred)); - - match_cred.client = creds->client; - match_cred.server = server; - - ret = krb5_get_credentials (context, - 0, - local_ccache, - &match_cred, - &new_creds); - if (ret) { - if (fail_verify_is_ok (context, options)) - ret = 0; - goto cleanup; - } - creds = new_creds; - } - - ret = krb5_mk_req_extended (context, - &auth_context, - 0, - NULL, - creds, - &req); - - krb5_auth_con_free (context, auth_context); - auth_context = NULL; - - if (ret) - goto cleanup; - - ret = krb5_rd_req (context, - &auth_context, - &req, - server, - keytab, - 0, - NULL); - - if (ret == KRB5_KT_NOTFOUND && fail_verify_is_ok (context, options)) - ret = 0; -cleanup: - if (auth_context) - krb5_auth_con_free (context, auth_context); - krb5_data_free (&req); - krb5_kt_free_entry (context, &entry); - if (new_creds != NULL) - krb5_free_creds (context, new_creds); - if (ap_req_server == NULL && server) - krb5_free_principal (context, server); - if (ap_req_keytab == NULL && keytab) - krb5_kt_close (context, keytab); - if (local_ccache != NULL - && - (ccache == NULL - || (ret != 0 && *ccache == NULL))) - krb5_cc_destroy (context, local_ccache); - - if (ret == 0 && ccache != NULL && *ccache == NULL) - *ccache = local_ccache; - - return ret; -} diff --git a/crypto/heimdal-0.6.3/lib/krb5/verify_krb5_conf.8 b/crypto/heimdal-0.6.3/lib/krb5/verify_krb5_conf.8 deleted file mode 100644 index 7d854bf7b4..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/verify_krb5_conf.8 +++ /dev/null 
@@ -1,64 +0,0 @@ -.\" $Id: verify_krb5_conf.8,v 1.7 2002/08/20 17:07:28 joda Exp $ -.\" -.Dd August 30, 2001 -.Dt VERIFY_KRB5_CONF 8 -.Os HEIMDAL -.Sh NAME -.Nm verify_krb5_conf -.Nd checks krb5.conf for obvious errors -.Sh SYNOPSIS -.Nm -.Ar [config-file] -.Sh DESCRIPTION -.Nm -reads the configuration file -.Pa krb5.conf , -or the file given on the command line, -and parses it, thereby verifying that the syntax is not correctly wrong. -.Pp -If the file is syntactically correct, -.Nm -tries to verify that the contents of the file is of relevant nature. -.Sh DIAGNOSTICS -Possible output from -.Nm -include: -.Bl -tag -width "" -.It ": failed to parse as size/time/number/boolean" -Usually means that is misspelled, or that it contains -weird characters. The parsing done by -.Nm -is more strict than the one performed by libkrb5, and so strings that -work in real life, might be reported as bad. -.It ": host not found ()" -Means that is supposed to point to a host, but it can't be -recognised as one. -.It : unknown or wrong type -Means that is either is a string when it should be a list, vice -versa, or just that -.Nm -is confused. -.It : unknown entry -Means that is not known by -.Nm "" . -.El -.Sh ENVIRONMENT -.Ev KRB5_CONFIG -points to the configuration file to read. -.Sh FILES -.Bl -tag -width /etc/krb5.conf -compact -.It Pa /etc/krb5.conf -Kerberos 5 configuration file -.El -.Sh SEE ALSO -.Xr krb5.conf 5 -.Sh BUGS -Since each application can put almost anything in the config file, -it's hard to come up with a water tight verification process. Most of -the default settings are sanity checked, but this does not mean that -every problem is discovered, or that everything that is reported as a -possible problem actually is one. This tool should thus be used with -some care. -.Pp -It should warn about obsolete data, or bad practice, but currently -doesn't. 
diff --git a/crypto/heimdal-0.6.3/lib/krb5/verify_krb5_conf.c b/crypto/heimdal-0.6.3/lib/krb5/verify_krb5_conf.c
deleted file mode 100644
index 6017dfc85f..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/verify_krb5_conf.c
+++ /dev/null
@@ -1,572 +0,0 @@ -/* - * Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "krb5_locl.h" -#include -#include -#include -RCSID("$Id: verify_krb5_conf.c,v 1.17.2.2 2004/02/13 16:19:44 lha Exp $"); - -/* verify krb5.conf */ - -static int dumpconfig_flag = 0; -static int version_flag = 0; -static int help_flag = 0; - -static struct getargs args[] = { - {"dumpconfig", 0, arg_flag, &dumpconfig_flag, - "show the parsed config files", NULL }, - {"version", 0, arg_flag, &version_flag, - "print version", NULL }, - {"help", 0, arg_flag, &help_flag, - NULL, NULL } -}; - -static void -usage (int ret) -{ - arg_printusage (args, - sizeof(args)/sizeof(*args), - NULL, - "[config-file]"); - exit (ret); -} - -static int -check_bytes(krb5_context context, const char *path, char *data) -{ - if(parse_bytes(data, NULL) == -1) { - krb5_warnx(context, "%s: failed to parse \"%s\" as size", path, data); - return 1; - } - return 0; -} - -static int -check_time(krb5_context context, const char *path, char *data) -{ - if(parse_time(data, NULL) == -1) { - krb5_warnx(context, "%s: failed to parse \"%s\" as time", path, data); - return 1; - } - return 0; -} - -static int -check_numeric(krb5_context context, const char *path, char *data) -{ - long int v; - char *end; - v = strtol(data, &end, 0); - if(*end != '\0') { - krb5_warnx(context, "%s: failed to parse \"%s\" as a number", - path, data); - return 1; - } - return 0; -} - -static int -check_boolean(krb5_context context, const char *path, char *data) -{ - long int v; - char *end; - if(strcasecmp(data, "yes") == 0 || - strcasecmp(data, "true") == 0 || - strcasecmp(data, "no") == 0 || - strcasecmp(data, "false") == 0) - return 0; - v = strtol(data, &end, 0); - if(*end != '\0') { - krb5_warnx(context, "%s: failed to parse \"%s\" as a boolean", - path, data); - return 1; - } - if(v != 0 && v != 1) - krb5_warnx(context, "%s: numeric value \"%s\" is treated as \"true\"", - path, data); - return 0; -} - -static int -check_524(krb5_context context, const char *path, char *data) -{ - if(strcasecmp(data, "yes") 
== 0 || - strcasecmp(data, "no") == 0 || - strcasecmp(data, "2b") == 0 || - strcasecmp(data, "local") == 0) - return 0; - - krb5_warnx(context, "%s: didn't contain a valid option `%s'", - path, data); - return 1; -} - -static int -check_host(krb5_context context, const char *path, char *data) -{ - int ret; - char hostname[128]; - const char *p = data; - struct addrinfo *ai; - /* XXX data could be a list of hosts that this code can't handle */ - /* XXX copied from krbhst.c */ - if(strncmp(p, "http://", 7) == 0){ - p += 7; - } else if(strncmp(p, "http/", 5) == 0) { - p += 5; - }else if(strncmp(p, "tcp/", 4) == 0){ - p += 4; - } else if(strncmp(p, "udp/", 4) == 0) { - p += 4; - } - if(strsep_copy(&p, ":", hostname, sizeof(hostname)) < 0) { - return 1; - } - hostname[strcspn(hostname, "/")] = '\0'; - ret = getaddrinfo(hostname, "telnet" /* XXX */, NULL, &ai); - if(ret != 0) { - krb5_warnx(context, "%s: %s (%s)", path, gai_strerror(ret), hostname); - return 1; - } - return 0; -} - -#if 0 -static int -mit_entry(krb5_context context, const char *path, char *data) -{ - krb5_warnx(context, "%s is only used by MIT Kerberos", path); - return 0; -} -#endif - -struct s2i { - char *s; - int val; -}; - -#define L(X) { #X, LOG_ ## X } - -static struct s2i syslogvals[] = { - /* severity */ - L(EMERG), - L(ALERT), - L(CRIT), - L(ERR), - L(WARNING), - L(NOTICE), - L(INFO), - L(DEBUG), - /* facility */ - L(AUTH), -#ifdef LOG_AUTHPRIV - L(AUTHPRIV), -#endif -#ifdef LOG_CRON - L(CRON), -#endif - L(DAEMON), -#ifdef LOG_FTP - L(FTP), -#endif - L(KERN), - L(LPR), - L(MAIL), -#ifdef LOG_NEWS - L(NEWS), -#endif - L(SYSLOG), - L(USER), -#ifdef LOG_UUCP - L(UUCP), -#endif - L(LOCAL0), - L(LOCAL1), - L(LOCAL2), - L(LOCAL3), - L(LOCAL4), - L(LOCAL5), - L(LOCAL6), - L(LOCAL7), - { NULL, -1 } -}; - -static int -find_value(const char *s, struct s2i *table) -{ - while(table->s && strcasecmp(table->s, s)) - table++; - return table->val; -} - -static int -check_log(krb5_context context, const char 
*path, char *data) -{ - /* XXX sync with log.c */ - int min = 0, max = -1, n; - char c; - const char *p = data; - - n = sscanf(p, "%d%c%d/", &min, &c, &max); - if(n == 2){ - if(c == '/') { - if(min < 0){ - max = -min; - min = 0; - }else{ - max = min; - } - } - } - if(n){ - p = strchr(p, '/'); - if(p == NULL) { - krb5_warnx(context, "%s: failed to parse \"%s\"", path, data); - return 1; - } - p++; - } - if(strcmp(p, "STDERR") == 0 || - strcmp(p, "CONSOLE") == 0 || - (strncmp(p, "FILE", 4) == 0 && (p[4] == ':' || p[4] == '=')) || - (strncmp(p, "DEVICE", 6) == 0 && p[6] == '=')) - return 0; - if(strncmp(p, "SYSLOG", 6) == 0){ - int ret = 0; - char severity[128] = ""; - char facility[128] = ""; - p += 6; - if(*p != '\0') - p++; - if(strsep_copy(&p, ":", severity, sizeof(severity)) != -1) - strsep_copy(&p, ":", facility, sizeof(facility)); - if(*severity == '\0') - strlcpy(severity, "ERR", sizeof(severity)); - if(*facility == '\0') - strlcpy(facility, "AUTH", sizeof(facility)); - if(find_value(severity, syslogvals) == -1) { - krb5_warnx(context, "%s: unknown syslog facility \"%s\"", - path, facility); - ret++; - } - if(find_value(severity, syslogvals) == -1) { - krb5_warnx(context, "%s: unknown syslog severity \"%s\"", - path, severity); - ret++; - } - return ret; - }else{ - krb5_warnx(context, "%s: unknown log type: \"%s\"", path, data); - return 1; - } -} - -typedef int (*check_func_t)(krb5_context, const char*, char*); -struct entry { - const char *name; - int type; - void *check_data; -}; - -struct entry all_strings[] = { - { "", krb5_config_string, NULL }, - { NULL } -}; - -struct entry v4_name_convert_entries[] = { - { "host", krb5_config_list, all_strings }, - { "plain", krb5_config_list, all_strings }, - { NULL } -}; - -struct entry libdefaults_entries[] = { - { "accept_null_addresses", krb5_config_string, check_boolean }, - { "capath", krb5_config_list, all_strings }, - { "clockskew", krb5_config_string, check_time }, - { "date_format", krb5_config_string, NULL 
}, - { "default_etypes", krb5_config_string, NULL }, - { "default_etypes_des", krb5_config_string, NULL }, - { "default_keytab_modify_name", krb5_config_string, NULL }, - { "default_keytab_name", krb5_config_string, NULL }, - { "default_realm", krb5_config_string, NULL }, - { "dns_proxy", krb5_config_string, NULL }, - { "dns_lookup_kdc", krb5_config_string, check_boolean }, - { "dns_lookup_realm", krb5_config_string, check_boolean }, - { "dns_lookup_realm_labels", krb5_config_string, NULL }, - { "egd_socket", krb5_config_string, NULL }, - { "encrypt", krb5_config_string, check_boolean }, - { "extra_addresses", krb5_config_string, NULL }, - { "fcache_version", krb5_config_string, check_numeric }, - { "forward", krb5_config_string, check_boolean }, - { "forwardable", krb5_config_string, check_boolean }, - { "http_proxy", krb5_config_string, check_host /* XXX */ }, - { "ignore_addresses", krb5_config_string, NULL }, - { "kdc_timeout", krb5_config_string, check_time }, - { "kdc_timesync", krb5_config_string, check_boolean }, - { "log_utc", krb5_config_string, check_boolean }, - { "maxretries", krb5_config_string, check_numeric }, - { "scan_interfaces", krb5_config_string, check_boolean }, - { "srv_lookup", krb5_config_string, check_boolean }, - { "srv_try_txt", krb5_config_string, check_boolean }, - { "ticket_lifetime", krb5_config_string, check_time }, - { "time_format", krb5_config_string, NULL }, - { "transited_realms_reject", krb5_config_string, NULL }, - { "v4_instance_resolve", krb5_config_string, check_boolean }, - { "v4_name_convert", krb5_config_list, v4_name_convert_entries }, - { "verify_ap_req_nofail", krb5_config_string, check_boolean }, - { NULL } -}; - -struct entry appdefaults_entries[] = { - { "afslog", krb5_config_string, check_boolean }, - { "afs-use-524", krb5_config_string, check_524 }, - { "forwardable", krb5_config_string, check_boolean }, - { "proxiable", krb5_config_string, check_boolean }, - { "ticket_lifetime", krb5_config_string, check_time 
}, - { "renew_lifetime", krb5_config_string, check_time }, - { "no-addresses", krb5_config_string, check_boolean }, - { "krb4_get_tickets", krb5_config_string, check_boolean }, -#if 0 - { "anonymous", krb5_config_string, check_boolean }, -#endif - { "", krb5_config_list, appdefaults_entries }, - { NULL } -}; - -struct entry realms_entries[] = { - { "forwardable", krb5_config_string, check_boolean }, - { "proxiable", krb5_config_string, check_boolean }, - { "ticket_lifetime", krb5_config_string, check_time }, - { "renew_lifetime", krb5_config_string, check_time }, - { "warn_pwexpire", krb5_config_string, check_time }, - { "kdc", krb5_config_string, check_host }, - { "admin_server", krb5_config_string, check_host }, - { "kpasswd_server", krb5_config_string, check_host }, - { "krb524_server", krb5_config_string, check_host }, - { "v4_name_convert", krb5_config_list, v4_name_convert_entries }, - { "v4_instance_convert", krb5_config_list, all_strings }, - { "v4_domains", krb5_config_string, NULL }, - { "default_domain", krb5_config_string, NULL }, -#if 0 - /* MIT stuff */ - { "admin_keytab", krb5_config_string, mit_entry }, - { "acl_file", krb5_config_string, mit_entry }, - { "dict_file", krb5_config_string, mit_entry }, - { "kadmind_port", krb5_config_string, mit_entry }, - { "kpasswd_port", krb5_config_string, mit_entry }, - { "master_key_name", krb5_config_string, mit_entry }, - { "master_key_type", krb5_config_string, mit_entry }, - { "key_stash_file", krb5_config_string, mit_entry }, - { "max_life", krb5_config_string, mit_entry }, - { "max_renewable_life", krb5_config_string, mit_entry }, - { "default_principal_expiration", krb5_config_string, mit_entry }, - { "default_principal_flags", krb5_config_string, mit_entry }, - { "supported_enctypes", krb5_config_string, mit_entry }, - { "database_name", krb5_config_string, mit_entry }, -#endif - { NULL } -}; - -struct entry realms_foobar[] = { - { "", krb5_config_list, realms_entries }, - { NULL } -}; - - -struct entry 
kdc_database_entries[] = { - { "realm", krb5_config_string, NULL }, - { "dbname", krb5_config_string, NULL }, - { "mkey_file", krb5_config_string, NULL }, - { NULL } -}; - -struct entry kdc_entries[] = { - { "database", krb5_config_list, kdc_database_entries }, - { "key-file", krb5_config_string, NULL }, - { "logging", krb5_config_string, check_log }, - { "max-request", krb5_config_string, check_bytes }, - { "require-preauth", krb5_config_string, check_boolean }, - { "ports", krb5_config_string, NULL }, - { "addresses", krb5_config_string, NULL }, - { "enable-kerberos4", krb5_config_string, check_boolean }, - { "enable-524", krb5_config_string, check_boolean }, - { "enable-http", krb5_config_string, check_boolean }, - { "check_ticket-addresses", krb5_config_string, check_boolean }, - { "allow-null-addresses", krb5_config_string, check_boolean }, - { "allow-anonymous", krb5_config_string, check_boolean }, - { "v4_realm", krb5_config_string, NULL }, - { "enable-kaserver", krb5_config_string, check_boolean }, - { "encode_as_rep_as_tgs_rep", krb5_config_string, check_boolean }, - { "kdc_warn_pwexpire", krb5_config_string, check_time }, - { NULL } -}; - -struct entry kadmin_entries[] = { - { "password_lifetime", krb5_config_string, check_time }, - { "default_keys", krb5_config_string, NULL }, - { "use_v4_salt", krb5_config_string, NULL }, - { NULL } -}; -struct entry log_strings[] = { - { "", krb5_config_string, check_log }, - { NULL } -}; - - -#if 0 -struct entry kdcdefaults_entries[] = { - { "kdc_ports", krb5_config_string, mit_entry }, - { "v4_mode", krb5_config_string, mit_entry }, - { NULL } -}; -#endif - -struct entry toplevel_sections[] = { - { "libdefaults" , krb5_config_list, libdefaults_entries }, - { "realms", krb5_config_list, realms_foobar }, - { "domain_realm", krb5_config_list, all_strings }, - { "logging", krb5_config_list, log_strings }, - { "kdc", krb5_config_list, kdc_entries }, - { "kadmin", krb5_config_list, kadmin_entries }, - { "appdefaults", 
krb5_config_list, appdefaults_entries }, -#if 0 - /* MIT stuff */ - { "kdcdefaults", krb5_config_list, kdcdefaults_entries }, -#endif - { NULL } -}; - - -static int -check_section(krb5_context context, const char *path, krb5_config_section *cf, - struct entry *entries) -{ - int error = 0; - krb5_config_section *p; - struct entry *e; - - char *local; - - for(p = cf; p != NULL; p = p->next) { - asprintf(&local, "%s/%s", path, p->name); - for(e = entries; e->name != NULL; e++) { - if(*e->name == '\0' || strcmp(e->name, p->name) == 0) { - if(e->type != p->type) { - krb5_warnx(context, "%s: unknown or wrong type", local); - error |= 1; - } else if(p->type == krb5_config_string && e->check_data != NULL) { - error |= (*(check_func_t)e->check_data)(context, local, p->u.string); - } else if(p->type == krb5_config_list && e->check_data != NULL) { - error |= check_section(context, local, p->u.list, e->check_data); - } - break; - } - } - if(e->name == NULL) { - krb5_warnx(context, "%s: unknown entry", local); - error |= 1; - } - free(local); - } - return error; -} - - -static void -dumpconfig(int level, krb5_config_section *top) -{ - krb5_config_section *x; - for(x = top; x; x = x->next) { - switch(x->type) { - case krb5_config_list: - if(level == 0) { - printf("[%s]\n", x->name); - } else { - printf("%*s%s = {\n", 4 * level, " ", x->name); - } - dumpconfig(level + 1, x->u.list); - if(level > 0) - printf("%*s}\n", 4 * level, " "); - break; - case krb5_config_string: - printf("%*s%s = %s\n", 4 * level, " ", x->name, x->u.string); - break; - } - } -} - -int -main(int argc, char **argv) -{ - krb5_context context; - krb5_error_code ret; - krb5_config_section *tmp_cf; - int optind = 0; - - setprogname (argv[0]); - - ret = krb5_init_context(&context); - if (ret) - errx (1, "krb5_init_context failed"); - - if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind)) - usage(1); - - if (help_flag) - usage (0); - - if(version_flag){ - print_version(NULL); - exit(0); - } - - 
argc -= optind; - argv += optind; - - tmp_cf = NULL; - if(argc == 0) - krb5_get_default_config_files(&argv); - - while(*argv) { - ret = krb5_config_parse_file_multi(context, *argv, &tmp_cf); - if (ret != 0) - krb5_warn (context, ret, "krb5_config_parse_file"); - argv++; - } - - if(dumpconfig_flag) - dumpconfig(0, tmp_cf); - - return check_section(context, "", tmp_cf, toplevel_sections); -} diff --git a/crypto/heimdal-0.6.3/lib/krb5/verify_krb5_conf.cat8 b/crypto/heimdal-0.6.3/lib/krb5/verify_krb5_conf.cat8 deleted file mode 100644 index b9cbd32c99..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/verify_krb5_conf.cat8 +++ /dev/null 
@@ -1,57 +0,0 @@ - -VERIFY_KRB5_CONF(8) UNIX System Manager's Manual VERIFY_KRB5_CONF(8) - -NNAAMMEE - vveerriiffyy__kkrrbb55__ccoonnff - checks krb5.conf for obvious errors - -SSYYNNOOPPSSIISS - vveerriiffyy__kkrrbb55__ccoonnff _[_c_o_n_f_i_g_-_f_i_l_e_] - -DDEESSCCRRIIPPTTIIOONN - vveerriiffyy__kkrrbb55__ccoonnff reads the configuration file _k_r_b_5_._c_o_n_f, or the file giv- - en on the command line, and parses it, thereby verifying that the syntax - is not correctly wrong. - - If the file is syntactically correct, vveerriiffyy__kkrrbb55__ccoonnff tries to verify - that the contents of the file is of relevant nature. - -DDIIAAGGNNOOSSTTIICCSS - Possible output from vveerriiffyy__kkrrbb55__ccoonnff include: - - : failed to parse as size/time/number/boolean - Usually means that is misspelled, or that it contains - weird characters. The parsing done by vveerriiffyy__kkrrbb55__ccoonnff is more - strict than the one performed by libkrb5, and so strings that - work in real life, might be reported as bad. - - : host not found () - Means that is supposed to point to a host, but it can't be - recognised as one. - - : unknown or wrong type - Means that is either is a string when it should be a list, - vice versa, or just that vveerriiffyy__kkrrbb55__ccoonnff is confused. - - : unknown entry - Means that is not known by . - -EENNVVIIRROONNMMEENNTT - KRB5_CONFIG points to the configuration file to read. - -FFIILLEESS - /etc/krb5.conf Kerberos 5 configuration file - -SSEEEE AALLSSOO - krb5.conf(5) - -BBUUGGSS - Since each application can put almost anything in the config file, it's - hard to come up with a water tight verification process. Most of the de- - fault settings are sanity checked, but this does not mean that every - problem is discovered, or that everything that is reported as a possible - problem actually is one. This tool should thus be used with some care. - - It should warn about obsolete data, or bad practice, but currently - doesn't. 
- - HEIMDAL August 30, 2001 1 diff --git a/crypto/heimdal-0.6.3/lib/krb5/verify_user.c b/crypto/heimdal-0.6.3/lib/krb5/verify_user.c deleted file mode 100644 index 1cd571b23d..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/verify_user.c +++ /dev/null 
@@ -1,244 +0,0 @@ -/* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "krb5_locl.h" - -RCSID("$Id: verify_user.c,v 1.17 2002/08/20 14:48:31 joda Exp $"); - -static krb5_error_code -verify_common (krb5_context context, - krb5_principal principal, - krb5_ccache ccache, - krb5_keytab keytab, - krb5_boolean secure, - const char *service, - krb5_creds cred) -{ - krb5_error_code ret; - krb5_principal server; - krb5_verify_init_creds_opt vopt; - krb5_ccache id; - - ret = krb5_sname_to_principal (context, NULL, service, KRB5_NT_SRV_HST, - &server); - if(ret) - return ret; - - krb5_verify_init_creds_opt_init(&vopt); - krb5_verify_init_creds_opt_set_ap_req_nofail(&vopt, secure); - - ret = krb5_verify_init_creds(context, - &cred, - server, - keytab, - NULL, - &vopt); - krb5_free_principal(context, server); - if(ret) - return ret; - if(ccache == NULL) - ret = krb5_cc_default (context, &id); - else - id = ccache; - if(ret == 0){ - ret = krb5_cc_initialize(context, id, principal); - if(ret == 0){ - ret = krb5_cc_store_cred(context, id, &cred); - } - if(ccache == NULL) - krb5_cc_close(context, id); - } - krb5_free_creds_contents(context, &cred); - return ret; -} - -/* - * Verify user `principal' with `password'. - * - * If `secure', also verify against local service key for `service'. - * - * As a side effect, fresh tickets are obtained and stored in `ccache'. 
- */ - -void -krb5_verify_opt_init(krb5_verify_opt *opt) -{ - memset(opt, 0, sizeof(*opt)); - opt->secure = TRUE; - opt->service = "host"; -} - -void -krb5_verify_opt_set_ccache(krb5_verify_opt *opt, krb5_ccache ccache) -{ - opt->ccache = ccache; -} - -void -krb5_verify_opt_set_keytab(krb5_verify_opt *opt, krb5_keytab keytab) -{ - opt->keytab = keytab; -} - -void -krb5_verify_opt_set_secure(krb5_verify_opt *opt, krb5_boolean secure) -{ - opt->secure = secure; -} - -void -krb5_verify_opt_set_service(krb5_verify_opt *opt, const char *service) -{ - opt->service = service; -} - -void -krb5_verify_opt_set_flags(krb5_verify_opt *opt, unsigned int flags) -{ - opt->flags |= flags; -} - -static krb5_error_code -verify_user_opt_int(krb5_context context, - krb5_principal principal, - const char *password, - krb5_verify_opt *vopt) - -{ - krb5_error_code ret; - krb5_get_init_creds_opt opt; - krb5_creds cred; - - krb5_get_init_creds_opt_init (&opt); - krb5_get_init_creds_opt_set_default_flags(context, NULL, - *krb5_princ_realm(context, principal), - &opt); - ret = krb5_get_init_creds_password (context, - &cred, - principal, - password, - krb5_prompter_posix, - NULL, - 0, - NULL, - &opt); - if(ret) - return ret; -#define OPT(V, D) ((vopt && (vopt->V)) ? (vopt->V) : (D)) - return verify_common (context, principal, OPT(ccache, NULL), - OPT(keytab, NULL), vopt ? 
vopt->secure : TRUE, - OPT(service, "host"), cred); -#undef OPT -} - -krb5_error_code -krb5_verify_user_opt(krb5_context context, - krb5_principal principal, - const char *password, - krb5_verify_opt *opt) -{ - krb5_error_code ret; - - if(opt && (opt->flags & KRB5_VERIFY_LREALMS)) { - krb5_realm *realms, *r; - ret = krb5_get_default_realms (context, &realms); - if (ret) - return ret; - ret = KRB5_CONFIG_NODEFREALM; - - for (r = realms; *r != NULL && ret != 0; ++r) { - char *tmp = strdup (*r); - - if (tmp == NULL) { - krb5_free_host_realm (context, realms); - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - free (*krb5_princ_realm (context, principal)); - krb5_princ_set_realm (context, principal, &tmp); - - ret = verify_user_opt_int(context, principal, password, opt); - } - krb5_free_host_realm (context, realms); - if(ret) - return ret; - } else - ret = verify_user_opt_int(context, principal, password, opt); - return ret; -} - -/* compat function that calls above */ - -krb5_error_code -krb5_verify_user(krb5_context context, - krb5_principal principal, - krb5_ccache ccache, - const char *password, - krb5_boolean secure, - const char *service) -{ - krb5_verify_opt opt; - - krb5_verify_opt_init(&opt); - - krb5_verify_opt_set_ccache(&opt, ccache); - krb5_verify_opt_set_secure(&opt, secure); - krb5_verify_opt_set_service(&opt, service); - - return krb5_verify_user_opt(context, principal, password, &opt); -} - -/* - * A variant of `krb5_verify_user'. The realm of `principal' is - * ignored and all the local realms are tried. 
- */ - -krb5_error_code -krb5_verify_user_lrealm(krb5_context context, - krb5_principal principal, - krb5_ccache ccache, - const char *password, - krb5_boolean secure, - const char *service) -{ - krb5_verify_opt opt; - - krb5_verify_opt_init(&opt); - - krb5_verify_opt_set_ccache(&opt, ccache); - krb5_verify_opt_set_secure(&opt, secure); - krb5_verify_opt_set_service(&opt, service); - krb5_verify_opt_set_flags(&opt, KRB5_VERIFY_LREALMS); - - return krb5_verify_user_opt(context, principal, password, &opt); -} diff --git a/crypto/heimdal-0.6.3/lib/krb5/version.c b/crypto/heimdal-0.6.3/lib/krb5/version.c deleted file mode 100644 index 5f0fd6680b..0000000000 --- a/crypto/heimdal-0.6.3/lib/krb5/version.c +++ /dev/null 
@@ -1,43 +0,0 @@
-/*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-
-RCSID("$Id: version.c,v 1.3 1999/12/02 17:05:13 joda Exp $");
-
-/* this is just to get a version stamp in the library file */
-
-#define heimdal_version __heimdal_version
-#define heimdal_long_version __heimdal_long_version
-#include "version.h"
-
diff --git a/crypto/heimdal-0.6.3/lib/krb5/warn.c b/crypto/heimdal-0.6.3/lib/krb5/warn.c
deleted file mode 100644
index 72398bf460..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/warn.c
+++ /dev/null
@@ -1,205 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-#include
-
-RCSID("$Id: warn.c,v 1.14 2003/04/16 16:13:08 lha Exp $");
-
-static krb5_error_code _warnerr(krb5_context context, int do_errtext,
- krb5_error_code code, int level, const char *fmt, va_list ap)
- __attribute__((__format__(__printf__, 5, 0)));
-
-static krb5_error_code
-_warnerr(krb5_context context, int do_errtext,
- krb5_error_code code, int level, const char *fmt, va_list ap)
-{
- char xfmt[7] = "";
- const char *args[2], **arg;
- char *msg = NULL;
- char *err_str = NULL;
-
- args[0] = args[1] = NULL;
- arg = args;
- if(fmt){
- strlcat(xfmt, "%s", sizeof(xfmt));
- if(do_errtext)
- strlcat(xfmt, ": ", sizeof(xfmt));
- vasprintf(&msg, fmt, ap);
- if(msg == NULL)
- return ENOMEM;
- *arg++ = msg;
- }
- if(context && do_errtext){
- const char *err_msg;
-
- strlcat(xfmt, "%s", sizeof(xfmt));
-
- err_str = krb5_get_error_string(context);
- if (err_str != NULL) {
- *arg++ = err_str;
- } else {
- err_msg = krb5_get_err_text(context, code);
- if (err_msg)
- *arg++ = err_msg;
- else
- *arg++ = "";
- }
- }
-
- if(context && context->warn_dest)
- krb5_log(context, context->warn_dest, level, xfmt, args[0], args[1]);
- else
- warnx(xfmt, args[0], args[1]);
- free(msg);
- free(err_str);
- return 0;
-}
-
-#define FUNC(ETEXT, CODE, LEVEL) \
- krb5_error_code ret; \
- va_list ap; \
- va_start(ap, fmt); \
- ret = _warnerr(context, ETEXT, CODE, LEVEL, fmt, ap); \
- va_end(ap);
-
-#undef __attribute__
-#define __attribute__(X)
-
-krb5_error_code
-krb5_vwarn(krb5_context context, krb5_error_code code,
- const char *fmt, va_list ap)
- __attribute__ ((format (printf, 3, 0)))
-{
- return _warnerr(context, 1, code, 1, fmt, ap);
-}
-
-
-krb5_error_code
-krb5_warn(krb5_context context, krb5_error_code code, const char *fmt, ...)
- __attribute__ ((format (printf, 3, 4)))
-{
- FUNC(1, code, 1);
- return ret;
-}
-
-krb5_error_code
-krb5_vwarnx(krb5_context context, const char *fmt, va_list ap)
- __attribute__ ((format (printf, 2, 0)))
-{
- return _warnerr(context, 0, 0, 1, fmt, ap);
-}
-
-krb5_error_code
-krb5_warnx(krb5_context context, const char *fmt, ...)
- __attribute__ ((format (printf, 2, 3)))
-{
- FUNC(0, 0, 1);
- return ret;
-}
-
-krb5_error_code
-krb5_verr(krb5_context context, int eval, krb5_error_code code,
- const char *fmt, va_list ap)
- __attribute__ ((noreturn, format (printf, 4, 0)))
-{
- _warnerr(context, 1, code, 0, fmt, ap);
- exit(eval);
-}
-
-
-krb5_error_code
-krb5_err(krb5_context context, int eval, krb5_error_code code,
- const char *fmt, ...)
- __attribute__ ((noreturn, format (printf, 4, 5)))
-{
- FUNC(1, code, 0);
- exit(eval);
-}
-
-krb5_error_code
-krb5_verrx(krb5_context context, int eval, const char *fmt, va_list ap)
- __attribute__ ((noreturn, format (printf, 3, 0)))
-{
- _warnerr(context, 0, 0, 0, fmt, ap);
- exit(eval);
-}
-
-krb5_error_code
-krb5_errx(krb5_context context, int eval, const char *fmt, ...)
- __attribute__ ((noreturn, format (printf, 3, 4)))
-{
- FUNC(0, 0, 0);
- exit(eval);
-}
-
-krb5_error_code
-krb5_vabort(krb5_context context, krb5_error_code code,
- const char *fmt, va_list ap)
- __attribute__ ((noreturn, format (printf, 3, 0)))
-{
- _warnerr(context, 1, code, 0, fmt, ap);
- abort();
-}
-
-
-krb5_error_code
-krb5_abort(krb5_context context, krb5_error_code code, const char *fmt, ...)
- __attribute__ ((noreturn, format (printf, 3, 4)))
-{
- FUNC(1, code, 0);
- abort();
-}
-
-krb5_error_code
-krb5_vabortx(krb5_context context, const char *fmt, va_list ap)
- __attribute__ ((noreturn, format (printf, 2, 0)))
-{
- _warnerr(context, 0, 0, 0, fmt, ap);
- abort();
-}
-
-krb5_error_code
-krb5_abortx(krb5_context context, const char *fmt, ...)
- __attribute__ ((noreturn, format (printf, 2, 3)))
-{
- FUNC(0, 0, 0);
- abort();
-}
-
-krb5_error_code
-krb5_set_warn_dest(krb5_context context, krb5_log_facility *fac)
-{
- context->warn_dest = fac;
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/lib/krb5/write_message.c b/crypto/heimdal-0.6.3/lib/krb5/write_message.c
deleted file mode 100644
index 3e23a3aaa9..0000000000
--- a/crypto/heimdal-0.6.3/lib/krb5/write_message.c
+++ /dev/null
@@ -1,89 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-
-RCSID("$Id: write_message.c,v 1.8 2001/07/02 18:43:06 joda Exp $");
-
-krb5_error_code
-krb5_write_message (krb5_context context,
- krb5_pointer p_fd,
- krb5_data *data)
-{
- u_int32_t len;
- u_int8_t buf[4];
- int ret;
-
- len = data->length;
- _krb5_put_int(buf, len, 4);
- if (krb5_net_write (context, p_fd, buf, 4) != 4
- || krb5_net_write (context, p_fd, data->data, len) != len) {
- ret = errno;
- krb5_set_error_string (context, "write: %s", strerror(ret));
- return ret;
- }
- return 0;
-}
-
-krb5_error_code
-krb5_write_priv_message(krb5_context context,
- krb5_auth_context ac,
- krb5_pointer p_fd,
- krb5_data *data)
-{
- krb5_error_code ret;
- krb5_data packet;
-
- ret = krb5_mk_priv (context, ac, data, &packet, NULL);
- if(ret)
- return ret;
- ret = krb5_write_message(context, p_fd, &packet);
- krb5_data_free(&packet);
- return ret;
-}
-
-krb5_error_code
-krb5_write_safe_message(krb5_context context,
- krb5_auth_context ac,
- krb5_pointer p_fd,
- krb5_data *data)
-{
- krb5_error_code ret;
- krb5_data packet;
- ret = krb5_mk_safe (context, ac, data, &packet, NULL);
- if(ret)
- return ret;
- ret = krb5_write_message(context, p_fd, &packet);
- krb5_data_free(&packet);
- return ret;
-}
diff --git a/crypto/heimdal-0.6.3/lib/otp/ChangeLog b/crypto/heimdal-0.6.3/lib/otp/ChangeLog
deleted file mode 100644
index 3006db2277..0000000000
--- a/crypto/heimdal-0.6.3/lib/otp/ChangeLog
+++ /dev/null
@@ -1,98 +0,0 @@
-2003-04-16 Love Hörnquist Åstrand
-
- * roken_rename.h: rename strlcat, strlcpy
- * Makefile.am: (ES): add strlcpy.c and strlcat.c
- * otp_db.c: use strlcpy, from openbsd
- * otp_md.c: use strlcat/strlcpy, from openbsd
- * otp_challenge.c: do strdup again, we desupport ultrix
-
-2002-09-10 Johan Danielsson
-
- * otp_md.c: if we only have old hash names, we need to include
- functions here that do the work
-
-2002-05-20 Johan Danielsson
-
- * otp_db.c: fix ndbm test
-
-2002-05-17 Johan Danielsson
-
- * Makefile.am: add hooks for ndbm_wrap
-
- * otp_db.c: use ndbm_wrap
-
-2001-07-12 Assar Westerlund
-
- * Makefile.am: add required library dependencies
-
-2001-01-30 Assar Westerlund
-
- * Makefile.am (libotp_la_LDFLAGS): bump version to 1:2:1
-
-2001-01-29 Assar Westerlund
-
- * otp_md.c: update to new md4/md5/sha API
-
-2000-12-11 Assar Westerlund
-
- * Makefile.am (INCLUDES): add krb4 includes here, which are
- somewhat bogusly used when linking against libdes supplied by krb4
-
-2000-07-25 Johan Danielsson
-
- * Makefile.am: bump version to 1:1:1
-
-2000-07-01 Assar Westerlund
-
- * const-ify
-
-2000-02-07 Assar Westerlund
-
- * Makefile.am: update version to 1:0:1
-
-2000-01-26 Assar Westerlund
-
- * otp_md.c: update to pseudo-standard APIs for md4,md5,sha.
- * otp_md.c: start using the pseudo-standard APIs for the hash
- functions
-
-1999-10-20 Assar Westerlund
-
- * Makefile.am: set version to 0:1:0
-
-Fri Mar 19 14:52:48 1999 Johan Danielsson
-
- * Makefile.am: add version-info
-
-Thu Mar 18 11:24:19 1999 Johan Danielsson
-
- * Makefile.am: include Makefile.am.common
-
-Sat Mar 13 22:27:10 1999 Assar Westerlund
-
- * otp_parse.c: unsigned-ify
-
-Sun Nov 22 10:44:16 1998 Assar Westerlund
-
- * Makefile.in (WFLAGS): set
-
-Mon May 25 05:27:07 1998 Assar Westerlund
-
- * Makefile.in (clean): try to remove shared library debris
-
-Sat May 23 20:54:28 1998 Assar Westerlund
-
- * Makefile.am: link with DBLIB
-
-Sun Apr 19 09:59:46 1998 Assar Westerlund
-
- * Makefile.in: add symlink magic for linux
-
-Sat Feb 7 07:27:18 1998 Assar Westerlund
-
- * otp_db.c (otp_put): make sure we don't overrun `buf'
-
-Sun Nov 9 07:14:59 1997 Assar Westerlund
-
- * otp_locl.h: use xdbm.h
-
diff --git a/crypto/heimdal-0.6.3/lib/otp/Makefile.am b/crypto/heimdal-0.6.3/lib/otp/Makefile.am
deleted file mode 100644
index 41a109a0fb..0000000000
--- a/crypto/heimdal-0.6.3/lib/otp/Makefile.am
+++ /dev/null
@@ -1,62 +0,0 @@
-# $Id: Makefile.am,v 1.23.2.1 2003/05/12 15:20:47 joda Exp $
-
-include $(top_srcdir)/Makefile.am.common
-
-INCLUDES += $(INCLUDE_des) $(ROKEN_RENAME)
-
-noinst_PROGRAMS = otptest
-
-check_PROGRAMS = otptest
-
-otptest_LDADD = libotp.la
-
-include_HEADERS = otp.h
-
-lib_LTLIBRARIES = libotp.la
-libotp_la_LDFLAGS = -version-info 1:4:1
-libotp_la_LIBADD = $(LIB_des) $(LIB_roken) $(LIB_NDBM)
-
-if HAVE_DB3
-ndbm_wrap = ndbm_wrap.c ndbm_wrap.h
-else
-ndbm_wrap =
-endif
-
-libotp_la_SOURCES = \
- otp.c \
- otp_challenge.c \
- otp_db.c \
- otp_md.c \
- otp_parse.c \
- otp_print.c \
- otp_verify.c \
- otp_locl.h \
- otp_md.h \
- roken_rename.h \
- $(ndbm_wrap) \
- $(ROKEN_SRCS)
-
-if do_roken_rename
-ROKEN_SRCS = snprintf.c strcasecmp.c strncasecmp.c strlwr.c strlcpy.c strlcat.c
-endif
-
-$(libotp_la_OBJECTS): $(ndbm_wrap)
-
-ndbm_wrap.c:
- $(LN_S) $(srcdir)/../roken/ndbm_wrap.c .
-ndbm_wrap.h:
- (echo '#define dbm_rename(X) __otp_ ## X'; cat $(srcdir)/../roken/ndbm_wrap.h) > ndbm_wrap.h
-
-
-snprintf.c:
- $(LN_S) $(srcdir)/../roken/snprintf.c .
-strcasecmp.c:
- $(LN_S) $(srcdir)/../roken/strcasecmp.c .
-strncasecmp.c:
- $(LN_S) $(srcdir)/../roken/strncasecmp.c .
-strlwr.c:
- $(LN_S) $(srcdir)/../roken/strlwr.c .
-strlcpy.c:
- $(LN_S) $(srcdir)/../roken/strlcpy.c .
-strlcat.c:
- $(LN_S) $(srcdir)/../roken/strlcat.c .
diff --git a/crypto/heimdal-0.6.3/lib/otp/Makefile.in b/crypto/heimdal-0.6.3/lib/otp/Makefile.in
deleted file mode 100644
index 7cac44e181..0000000000
--- a/crypto/heimdal-0.6.3/lib/otp/Makefile.in
+++ /dev/null
@@ -1,851 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.23.2.1 2003/05/12 15:20:47 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - - - -SOURCES = $(libotp_la_SOURCES) otptest.c - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../.. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(include_HEADERS) $(srcdir)/Makefile.am \ - $(srcdir)/Makefile.in $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common ChangeLog -noinst_PROGRAMS = otptest$(EXEEXT) -check_PROGRAMS = otptest$(EXEEXT) -subdir = lib/otp -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - 
$(top_srcdir)/cf/krb-readline.m4 \ - $(top_srcdir)/cf/krb-struct-spwd.m4 \ - $(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(includedir)" -libLTLIBRARIES_INSTALL = $(INSTALL) -LTLIBRARIES = $(lib_LTLIBRARIES) -am__DEPENDENCIES_1 = -libotp_la_DEPENDENCIES = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) -am__libotp_la_SOURCES_DIST = otp.c otp_challenge.c otp_db.c otp_md.c \ - otp_parse.c otp_print.c otp_verify.c otp_locl.h otp_md.h \ - roken_rename.h ndbm_wrap.c ndbm_wrap.h snprintf.c strcasecmp.c \ - strncasecmp.c strlwr.c strlcpy.c strlcat.c -@HAVE_DB3_TRUE@am__objects_1 = ndbm_wrap.lo -@do_roken_rename_TRUE@am__objects_2 = snprintf.lo strcasecmp.lo \ -@do_roken_rename_TRUE@ strncasecmp.lo strlwr.lo strlcpy.lo \ -@do_roken_rename_TRUE@ strlcat.lo -am_libotp_la_OBJECTS = otp.lo otp_challenge.lo otp_db.lo otp_md.lo \ - otp_parse.lo otp_print.lo otp_verify.lo $(am__objects_1) \ - $(am__objects_2) -libotp_la_OBJECTS = $(am_libotp_la_OBJECTS) -PROGRAMS = $(noinst_PROGRAMS) -otptest_SOURCES = otptest.c -otptest_OBJECTS = otptest.$(OBJEXT) -otptest_DEPENDENCIES = libotp.la -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -SOURCES = $(libotp_la_SOURCES) otptest.c -DIST_SOURCES = $(am__libotp_la_SOURCES_DIST) otptest.c -includeHEADERS_INSTALL = $(INSTALL_HEADER) -HEADERS = $(include_HEADERS) -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = 
@HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ 
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ 
-do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_des) $(ROKEN_RENAME) -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la 
-otptest_LDADD = libotp.la -include_HEADERS = otp.h -lib_LTLIBRARIES = libotp.la -libotp_la_LDFLAGS = -version-info 1:4:1 -libotp_la_LIBADD = $(LIB_des) $(LIB_roken) $(LIB_NDBM) -@HAVE_DB3_FALSE@ndbm_wrap = -@HAVE_DB3_TRUE@ndbm_wrap = ndbm_wrap.c ndbm_wrap.h -libotp_la_SOURCES = \ - otp.c \ - otp_challenge.c \ - otp_db.c \ - otp_md.c \ - otp_parse.c \ - otp_print.c \ - otp_verify.c \ - otp_locl.h \ - otp_md.h \ - roken_rename.h \ - $(ndbm_wrap) \ - $(ROKEN_SRCS) - -@do_roken_rename_TRUE@ROKEN_SRCS = snprintf.c strcasecmp.c strncasecmp.c strlwr.c strlcpy.c strlcat.c -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps lib/otp/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps lib/otp/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' 
in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -install-libLTLIBRARIES: $(lib_LTLIBRARIES) - @$(NORMAL_INSTALL) - test -z "$(libdir)" || $(mkdir_p) "$(DESTDIR)$(libdir)" - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - if test -f $$p; then \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \ - $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \ - else :; fi; \ - done - -uninstall-libLTLIBRARIES: - @$(NORMAL_UNINSTALL) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - p="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \ - $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \ - done - -clean-libLTLIBRARIES: - -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ - test "$$dir" = "$$p" && dir=.; \ - echo "rm -f \"$${dir}/so_locations\""; \ - rm -f "$${dir}/so_locations"; \ - done -libotp.la: $(libotp_la_OBJECTS) $(libotp_la_DEPENDENCIES) - $(LINK) -rpath $(libdir) $(libotp_la_LDFLAGS) $(libotp_la_OBJECTS) $(libotp_la_LIBADD) $(LIBS) - -clean-checkPROGRAMS: - @list='$(check_PROGRAMS)'; for p in 
$$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done - -clean-noinstPROGRAMS: - @list='$(noinst_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -otptest$(EXEEXT): $(otptest_OBJECTS) $(otptest_DEPENDENCIES) - @rm -f otptest$(EXEEXT) - $(LINK) $(otptest_LDFLAGS) $(otptest_OBJECTS) $(otptest_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c $< - -.c.obj: - $(COMPILE) -c `$(CYGPATH_W) '$<'` - -.c.lo: - $(LTCOMPILE) -c -o $@ $< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -install-includeHEADERS: $(include_HEADERS) - @$(NORMAL_INSTALL) - test -z "$(includedir)" || $(mkdir_p) "$(DESTDIR)$(includedir)" - @list='$(include_HEADERS)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \ - $(includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \ - done - -uninstall-includeHEADERS: - @$(NORMAL_UNINSTALL) - @list='$(include_HEADERS)'; for p in $$list; do \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " rm -f '$(DESTDIR)$(includedir)/$$f'"; \ - rm -f "$(DESTDIR)$(includedir)/$$f"; \ - done - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; 
else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/../.. $(distdir)/../../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook 
-check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(HEADERS) all-local -installdirs: - for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(includedir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." 
-clean: clean-am - -clean-am: clean-checkPROGRAMS clean-generic clean-libLTLIBRARIES \ - clean-libtool clean-noinstPROGRAMS mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: install-includeHEADERS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: install-libLTLIBRARIES - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-includeHEADERS uninstall-info-am \ - uninstall-libLTLIBRARIES - -.PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \ - clean clean-checkPROGRAMS clean-generic clean-libLTLIBRARIES \ - clean-libtool clean-noinstPROGRAMS ctags distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am html html-am info info-am \ - install install-am install-data install-data-am install-exec \ - install-exec-am install-includeHEADERS install-info \ - install-info-am install-libLTLIBRARIES install-man \ - install-strip installcheck installcheck-am installdirs \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ - pdf pdf-am ps ps-am tags uninstall uninstall-am \ - uninstall-includeHEADERS uninstall-info-am \ - uninstall-libLTLIBRARIES - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* 
Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i 
> $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -$(libotp_la_OBJECTS): $(ndbm_wrap) - -ndbm_wrap.c: - $(LN_S) $(srcdir)/../roken/ndbm_wrap.c . -ndbm_wrap.h: - (echo '#define dbm_rename(X) __otp_ ## X'; cat $(srcdir)/../roken/ndbm_wrap.h) > ndbm_wrap.h - -snprintf.c: - $(LN_S) $(srcdir)/../roken/snprintf.c . -strcasecmp.c: - $(LN_S) $(srcdir)/../roken/strcasecmp.c . -strncasecmp.c: - $(LN_S) $(srcdir)/../roken/strncasecmp.c . -strlwr.c: - $(LN_S) $(srcdir)/../roken/strlwr.c . -strlcpy.c: - $(LN_S) $(srcdir)/../roken/strlcpy.c . -strlcat.c: - $(LN_S) $(srcdir)/../roken/strlcat.c . -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal-0.6.3/lib/otp/otp.c b/crypto/heimdal-0.6.3/lib/otp/otp.c deleted file mode 100644 index 746f3cb53a..0000000000 
--- a/crypto/heimdal-0.6.3/lib/otp/otp.c
+++ /dev/null
@@ -1,63 +0,0 @@
-/*
- * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-RCSID("$Id: otp.c,v 1.8 2000/07/12 00:26:43 assar Exp $");
-#endif
-
-#include "otp_locl.h"
-#include "otp_md.h"
-
-static OtpAlgorithm algorithms[] = {
- {OTP_ALG_MD4, "md4", 16, otp_md4_hash, otp_md4_init, otp_md4_next},
- {OTP_ALG_MD5, "md5", 16, otp_md5_hash, otp_md5_init, otp_md5_next},
- {OTP_ALG_SHA, "sha", 20, otp_sha_hash, otp_sha_init, otp_sha_next}
-};
-
-OtpAlgorithm *
-otp_find_alg (char *name)
-{
- int i;
-
- for (i = 0; i < sizeof(algorithms)/sizeof(*algorithms); ++i)
- if (strcmp (name, algorithms[i].name) == 0)
- return &algorithms[i];
- return NULL;
-}
-
-char *
-otp_error (OtpContext *o)
-{
- return o->err;
-}
diff --git a/crypto/heimdal-0.6.3/lib/otp/otp.h b/crypto/heimdal-0.6.3/lib/otp/otp.h
deleted file mode 100644
index e813458f62..0000000000
--- a/crypto/heimdal-0.6.3/lib/otp/otp.h
+++ /dev/null
@@ -1,101 +0,0 @@
-/*
- * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: otp.h,v 1.19 2000/07/12 00:26:43 assar Exp $ */
-
-#ifndef _OTP_H
-#define _OTP_H
-
-#include
-#include
-
-enum {OTPKEYSIZE = 8};
-
-typedef unsigned char OtpKey[OTPKEYSIZE];
-
-#define OTP_MIN_PASSPHRASE 10
-#define OTP_MAX_PASSPHRASE 63
-
-#define OTP_USER_TIMEOUT 120
-#define OTP_DB_TIMEOUT 60
-
-#define OTP_HEXPREFIX "hex:"
-#define OTP_WORDPREFIX "word:"
-
-typedef enum { OTP_ALG_MD4, OTP_ALG_MD5, OTP_ALG_SHA } OtpAlgID;
-
-#define OTP_ALG_DEFAULT "md5"
-
-typedef struct {
- OtpAlgID id;
- char *name;
- int hashsize;
- int (*hash)(const char *s, size_t len, unsigned char *res);
- int (*init)(OtpKey key, const char *pwd, const char *seed);
- int (*next)(OtpKey key);
-} OtpAlgorithm;
-
-typedef struct {
- char *user;
- OtpAlgorithm *alg;
- unsigned n;
- char seed[17];
- OtpKey key;
- int challengep;
- time_t lock_time;
- char *err;
-} OtpContext;
-
-OtpAlgorithm *otp_find_alg (char *name);
-void otp_print_stddict (OtpKey key, char *str, size_t sz);
-void otp_print_hex (OtpKey key, char *str, size_t sz);
-void otp_print_stddict_extended (OtpKey key, char *str, size_t sz);
-void otp_print_hex_extended (OtpKey key, char *str, size_t sz);
-unsigned otp_checksum (OtpKey key);
-int otp_parse_hex (OtpKey key, const char *);
-int otp_parse_stddict (OtpKey key, const char *);
-int otp_parse_altdict (OtpKey key, const char *, OtpAlgorithm *);
-int otp_parse (OtpKey key, const char *, OtpAlgorithm *);
-int otp_challenge (OtpContext *ctx, char *user, char *str, size_t len);
-int otp_verify_user (OtpContext *ctx, const char *passwd);
-int otp_verify_user_1 (OtpContext *ctx, const char *passwd);
-char *otp_error (OtpContext *ctx);
-
-void *otp_db_open (void);
-void otp_db_close (void *);
-int otp_put (void *, OtpContext *ctx);
-int otp_get (void *, OtpContext *ctx);
-int otp_simple_get (void *, OtpContext *ctx);
-int otp_delete (void *, OtpContext *ctx);
-
-#endif /* _OTP_H */
diff --git a/crypto/heimdal-0.6.3/lib/otp/otp_challenge.c b/crypto/heimdal-0.6.3/lib/otp/otp_challenge.c
deleted file mode 100644
index fbfaec956e..0000000000
--- a/crypto/heimdal-0.6.3/lib/otp/otp_challenge.c
+++ /dev/null
@@ -1,68 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-RCSID("$Id: otp_challenge.c,v 1.11 2003/04/16 16:17:49 lha Exp $");
-#endif
-
-#include "otp_locl.h"
-
-int
-otp_challenge (OtpContext *ctx, char *user, char *str, size_t len)
-{
- void *dbm;
- int ret;
-
- ctx->challengep = 0;
- ctx->err = NULL;
- ctx->user = strdup(user);
- if (ctx->user == NULL) {
- ctx->err = "Out of memory";
- return -1;
- }
- dbm = otp_db_open ();
- if (dbm == NULL) {
- ctx->err = "Cannot open database";
- return -1;
- }
- ret = otp_get (dbm, ctx);
- otp_db_close (dbm);
- if (ret)
- return ret;
- snprintf (str, len,
- "[ otp-%s %u %s ]",
- ctx->alg->name, ctx->n-1, ctx->seed);
- ctx->challengep = 1;
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/lib/otp/otp_db.c b/crypto/heimdal-0.6.3/lib/otp/otp_db.c
deleted file mode 100644
index 036fb77bf8..0000000000
--- a/crypto/heimdal-0.6.3/lib/otp/otp_db.c
+++ /dev/null
@@ -1,233 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-RCSID("$Id: otp_db.c,v 1.20 2003/04/16 16:20:58 lha Exp $");
-#endif
-
-#include "otp_locl.h"
-
-#if !defined(HAVE_NDBM) && !defined(HAVE_DB_NDBM)
-#include "ndbm_wrap.h"
-#endif
-
-#define RETRIES 5
-
-void *
-otp_db_open (void)
-{
- int lock;
- int i;
- void *ret;
-
- for(i = 0; i < RETRIES; ++i) {
- struct stat statbuf;
-
- lock = open (OTP_DB_LOCK, O_WRONLY | O_CREAT | O_EXCL, 0666);
- if (lock >= 0) {
- close(lock);
- break;
- }
- if (stat (OTP_DB_LOCK, &statbuf) == 0) {
- if (time(NULL) - statbuf.st_mtime > OTP_DB_TIMEOUT)
- unlink (OTP_DB_LOCK);
- else
- sleep (1);
- }
- }
- if (i == RETRIES)
- return NULL;
- ret = dbm_open (OTP_DB, O_RDWR | O_CREAT, 0600);
- if (ret == NULL)
- unlink (OTP_DB_LOCK);
- return ret;
-}
-
-void
-otp_db_close (void *dbm)
-{
- dbm_close ((DBM *)dbm);
- unlink (OTP_DB_LOCK);
-}
-
-/*
- * Remove this entry from the database.
- * return 0 if ok.
- */
-
-int
-otp_delete (void *v, OtpContext *ctx)
-{
- DBM *dbm = (DBM *)v;
- datum key;
-
- key.dsize = strlen(ctx->user);
- key.dptr = ctx->user;
-
- return dbm_delete(dbm, key);
-}
-
-/*
- * Read this entry from the database and lock it if lockp.
- */
-
-static int
-otp_get_internal (void *v, OtpContext *ctx, int lockp)
-{
- DBM *dbm = (DBM *)v;
- datum dat, key;
- char *p;
- time_t now, then;
-
- key.dsize = strlen(ctx->user);
- key.dptr = ctx->user;
-
- dat = dbm_fetch (dbm, key);
- if (dat.dptr == NULL) {
- ctx->err = "Entry not found";
- return -1;
- }
- p = dat.dptr;
-
- memcpy (&then, p, sizeof(then));
- ctx->lock_time = then;
- if (lockp) {
- time(&now);
- if (then && now - then < OTP_USER_TIMEOUT) {
- ctx->err = "Entry locked";
- return -1;
- }
- memcpy (p, &now, sizeof(now));
- }
- p += sizeof(now);
- ctx->alg = otp_find_alg (p);
- if (ctx->alg == NULL) {
- ctx->err = "Bad algorithm";
- return -1;
- }
- p += strlen(p) + 1;
- {
- unsigned char *up = (unsigned char *)p;
- ctx->n = (up[0] << 24) | (up[1] << 16) | (up[2] << 8) | up[3];
- }
- p += 4;
- memcpy (ctx->key, p, OTPKEYSIZE);
- p += OTPKEYSIZE;
- strlcpy (ctx->seed, p, sizeof(ctx->seed));
- if (lockp)
- return dbm_store (dbm, key, dat, DBM_REPLACE);
- else
- return 0;
-}
-
-/*
- * Get and lock.
- */
-
-int
-otp_get (void *v, OtpContext *ctx)
-{
- return otp_get_internal (v, ctx, 1);
-}
-
-/*
- * Get and don't lock.
- */
-
-int
-otp_simple_get (void *v, OtpContext *ctx)
-{
- return otp_get_internal (v, ctx, 0);
-}
-
-/*
- * Write this entry to the database.
- */
-
-int
-otp_put (void *v, OtpContext *ctx)
-{
- DBM *dbm = (DBM *)v;
- datum dat, key;
- char buf[1024], *p;
- time_t zero = 0;
- size_t len, rem;
-
- key.dsize = strlen(ctx->user);
- key.dptr = ctx->user;
-
- p = buf;
- rem = sizeof(buf);
-
- if (rem < sizeof(zero))
- return -1;
- memcpy (p, &zero, sizeof(zero));
- p += sizeof(zero);
- rem -= sizeof(zero);
- len = strlen(ctx->alg->name) + 1;
-
- if (rem < len)
- return -1;
- strlcpy (p, ctx->alg->name, rem);
- p += len;
- rem -= len;
-
- if (rem < 4)
- return -1;
- {
- unsigned char *up = (unsigned char *)p;
- *up++ = (ctx->n >> 24) & 0xFF;
- *up++ = (ctx->n >> 16) & 0xFF;
- *up++ = (ctx->n >> 8) & 0xFF;
- *up++ = (ctx->n >> 0) & 0xFF;
- }
- p += 4;
- rem -= 4;
-
- if (rem < OTPKEYSIZE)
- return -1;
- memcpy (p, ctx->key, OTPKEYSIZE);
- p += OTPKEYSIZE;
- rem -= OTPKEYSIZE;
-
- len = strlen(ctx->seed) + 1;
- if (rem < len)
- return -1;
- strlcpy (p, ctx->seed, rem);
- p += len;
- rem -= len;
- dat.dptr = buf;
- dat.dsize = p - buf;
- return dbm_store (dbm, key, dat, DBM_REPLACE);
-}
diff --git a/crypto/heimdal-0.6.3/lib/otp/otp_locl.h b/crypto/heimdal-0.6.3/lib/otp/otp_locl.h
deleted file mode 100644
index 18c9284566..0000000000
--- a/crypto/heimdal-0.6.3/lib/otp/otp_locl.h
+++ /dev/null
@@ -1,70 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: otp_locl.h,v 1.12 2002/08/12 15:09:20 joda Exp $ */
-
-#include
-#include
-#include
-#include
-#include
-#include
-#ifdef HAVE_SYS_TYPES_H
-#include
-#endif
-#ifdef HAVE_SYS_STAT_H
-#include
-#endif
-#ifdef HAVE_PWD_H
-#include
-#endif
-#ifdef HAVE_FCNTL_H
-#include
-#endif
-#ifdef HAVE_UNISTD_H
-#include
-#endif
-#ifdef HAVE_IO_H
-#include
-#endif
-
-#include
-
-#include
-
-#include
-
-#define OTPKEYS "/.otpkeys"
-
-#define OTP_DB SYSCONFDIR "/otp"
-#define OTP_DB_LOCK SYSCONFDIR "/otp-lock"
diff --git a/crypto/heimdal-0.6.3/lib/otp/otp_md.c b/crypto/heimdal-0.6.3/lib/otp/otp_md.c
deleted file mode 100644
index 36f638a279..0000000000
--- a/crypto/heimdal-0.6.3/lib/otp/otp_md.c
+++ /dev/null
@@ -1,284 +0,0 @@
-/*
- * Copyright (c) 1995 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-RCSID("$Id: otp_md.c,v 1.18 2003/04/16 16:19:33 lha Exp $");
-#endif
-#include "otp_locl.h"
-
-#include "otp_md.h"
-#include "crypto-headers.h"
-
-/*
- * Compress len bytes from md into key
- */
-
-static void
-compressmd (OtpKey key, unsigned char *md, size_t len)
-{
- u_char *p = key;
-
- memset (p, 0, OTPKEYSIZE);
- while(len) {
- *p++ ^= *md++;
- *p++ ^= *md++;
- *p++ ^= *md++;
- *p++ ^= *md++;
- len -= 4;
- if (p == key + OTPKEYSIZE)
- p = key;
- }
-}
-
-#ifdef HAVE_OLD_HASH_NAMES
-static void
-otp_md4_final (void *res, struct md4 *m)
-{
- MD4_Final(res, m);
-}
-#undef MD4_Final
-#define MD4_Final otp_md4_final
-
-static void
-otp_md5_final (void *res, struct md5 *m)
-{
- MD5_Final(res, m);
-}
-#undef MD5_Final
-#define MD5_Final otp_md5_final
-#endif
-
-static int
-otp_md_init (OtpKey key,
- const char *pwd,
- const char *seed,
- void (*init)(void *),
- void (*update)(void *, const void *, size_t),
- void (*final)(void *, void *),
- void *arg,
- unsigned char *res,
- size_t ressz)
-{
- char *p;
- int len;
-
- len = strlen(pwd) + strlen(seed);
- p = malloc (len + 1);
- if (p == NULL)
- return -1;
- strlcpy (p, seed, len + 1);
- strlwr (p);
- strlcat (p, pwd, len + 1);
- (*init)(arg);
- (*update)(arg, p, len);
- (*final)(res, arg);
- free (p);
- compressmd (key, res, ressz);
- return 0;
-}
-
-static int
-otp_md_next (OtpKey key,
- void (*init)(void *),
- void (*update)(void *, const void *, size_t),
- void (*final)(void *, void *),
- void *arg,
- unsigned char *res,
- size_t ressz)
-{
- (*init)(arg);
- (*update)(arg, key, OTPKEYSIZE);
- (*final)(res, arg);
- compressmd (key, res, ressz);
- return 0;
-}
-
-static int
-otp_md_hash (const char *data,
- size_t len,
- void (*init)(void *),
- void (*update)(void *, const void *, size_t),
- void (*final)(void *, void *),
- void *arg,
- unsigned char *res,
- size_t ressz)
-{
- (*init)(arg);
- (*update)(arg, data, len);
- (*final)(res, arg);
- return 0;
-}
-
-int
-otp_md4_init (OtpKey key, const char *pwd, const char *seed)
-{
- unsigned char res[16];
- MD4_CTX md4;
-
- return otp_md_init (key, pwd, seed,
- (void (*)(void *))MD4_Init,
- (void (*)(void *, const void *, size_t))MD4_Update,
- (void (*)(void *, void *))MD4_Final,
- &md4, res, sizeof(res));
-}
-
-int
-otp_md4_hash (const char *data,
- size_t len,
- unsigned char *res)
-{
- MD4_CTX md4;
-
- return otp_md_hash (data, len,
- (void (*)(void *))MD4_Init,
- (void (*)(void *, const void *, size_t))MD4_Update,
- (void (*)(void *, void *))MD4_Final,
- &md4, res, 16);
-}
-
-int
-otp_md4_next (OtpKey key)
-{
- unsigned char res[16];
- MD4_CTX md4;
-
- return otp_md_next (key,
- (void (*)(void *))MD4_Init,
- (void (*)(void *, const void *, size_t))MD4_Update,
- (void (*)(void *, void *))MD4_Final,
- &md4, res, sizeof(res));
-}
-
-
-int
-otp_md5_init (OtpKey key, const char *pwd, const char *seed)
-{
- unsigned char res[16];
- MD5_CTX md5;
-
- return otp_md_init (key, pwd, seed,
- (void (*)(void *))MD5_Init,
- (void (*)(void *, const void *, size_t))MD5_Update,
- (void (*)(void *, void *))MD5_Final,
- &md5, res, sizeof(res));
-}
-
-int
-otp_md5_hash (const char *data,
- size_t len,
- unsigned char *res)
-{
- MD5_CTX md5;
-
- return otp_md_hash (data, len,
- (void (*)(void *))MD5_Init,
- (void (*)(void *, const void *, size_t))MD5_Update,
- (void (*)(void *, void *))MD5_Final,
- &md5, res, 16);
-}
-
-int
-otp_md5_next (OtpKey key)
-{
- unsigned char res[16];
- MD5_CTX md5;
-
- return otp_md_next (key,
- (void (*)(void *))MD5_Init,
- (void (*)(void *, const void *, size_t))MD5_Update,
- (void (*)(void *, void *))MD5_Final,
- &md5, res, sizeof(res));
-}
-
-/*
- * For histerical reasons, in the OTP definition it's said that the
- * result from SHA must be stored in little-endian order. See
- * draft-ietf-otp-01.txt.
- */
-
-static void
-SHA1_Final_little_endian (void *res, SHA_CTX *m)
-{
- unsigned char tmp[20];
- unsigned char *p = res;
- int j;
-
- SHA1_Final (tmp, m);
- for (j = 0; j < 20; j += 4) {
- p[j] = tmp[j+3];
- p[j+1] = tmp[j+2];
- p[j+2] = tmp[j+1];
- p[j+3] = tmp[j];
- }
-}
-
-int
-otp_sha_init (OtpKey key, const char *pwd, const char *seed)
-{
- unsigned char res[20];
- SHA_CTX sha1;
-
- return otp_md_init (key, pwd, seed,
- (void (*)(void *))SHA1_Init,
- (void (*)(void *, const void *, size_t))SHA1_Update,
- (void (*)(void *, void *))SHA1_Final_little_endian,
- &sha1, res, sizeof(res));
-}
-
-int
-otp_sha_hash (const char *data,
- size_t len,
- unsigned char *res)
-{
- SHA_CTX sha1;
-
- return otp_md_hash (data, len,
- (void (*)(void *))SHA1_Init,
- (void (*)(void *, const void *, size_t))SHA1_Update,
- (void (*)(void *, void *))SHA1_Final_little_endian,
- &sha1, res, 20);
-}
-
-int
-otp_sha_next (OtpKey key)
-{
- unsigned char res[20];
- SHA_CTX sha1;
-
- return otp_md_next (key,
- (void (*)(void *))SHA1_Init,
- (void (*)(void *, const void *, size_t))SHA1_Update,
- (void (*)(void *, void *))SHA1_Final_little_endian,
- &sha1, res, sizeof(res));
-}
diff --git a/crypto/heimdal-0.6.3/lib/otp/otp_md.h b/crypto/heimdal-0.6.3/lib/otp/otp_md.h
deleted file mode 100644
index 5732606439..0000000000
--- a/crypto/heimdal-0.6.3/lib/otp/otp_md.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: otp_md.h,v 1.7 2000/07/12 00:26:44 assar Exp $ */
-
-int otp_md4_init (OtpKey key, const char *pwd, const char *seed);
-int otp_md4_hash (const char *, size_t, unsigned char *res);
-int otp_md4_next (OtpKey key);
-
-int otp_md5_init (OtpKey key, const char *pwd, const char *seed);
-int otp_md5_hash (const char *, size_t, unsigned char *res);
-int otp_md5_next (OtpKey key);
-
-int otp_sha_init (OtpKey key, const char *pwd, const char *seed);
-int otp_sha_hash (const char *, size_t, unsigned char *res);
-int otp_sha_next (OtpKey key);
diff --git a/crypto/heimdal-0.6.3/lib/otp/otp_parse.c b/crypto/heimdal-0.6.3/lib/otp/otp_parse.c
deleted file mode 100644
index cc69de5005..0000000000
--- a/crypto/heimdal-0.6.3/lib/otp/otp_parse.c
+++ /dev/null
@@ -1,2515 +0,0 @@
-/*
- * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-RCSID("$Id: otp_parse.c,v 1.20 2000/07/01 13:58:38 assar Exp $");
-#endif
-
-#include "otp_locl.h"
-
-struct e {
- char *s;
- unsigned n;
-};
-
-extern const struct e inv_std_dict[2048];
-
-static int
-cmp(const void *a, const void *b)
-{
- struct e *e1, *e2;
-
- e1 = (struct e *)a;
- e2 = (struct e *)b;
- return strcasecmp (e1->s, e2->s);
-}
-
-static int
-get_stdword (const char *s, void *v)
-{
- struct e e, *r;
-
- e.s = (char *)s;
- e.n = -1;
- r = (struct e *) bsearch (&e, inv_std_dict,
- sizeof(inv_std_dict)/sizeof(*inv_std_dict),
- sizeof(*inv_std_dict), cmp);
- if (r)
- return r->n;
- else
- return -1;
-}
-
-static void
-compress (OtpKey key, unsigned wn[])
-{
- key[0] = wn[0] >> 3;
- key[1] = ((wn[0] & 0x07) << 5) | (wn[1] >> 6);
- key[2] = ((wn[1] & 0x3F) << 2) | (wn[2] >> 9);
- key[3] = ((wn[2] >> 1) & 0xFF);
- key[4] = ((wn[2] & 0x01) << 7) | (wn[3] >> 4);
- key[5] = ((wn[3] & 0x0F) << 4) | (wn[4] >> 7);
- key[6] = ((wn[4] & 0x7F) << 1) | (wn[5] >> 10);
- key[7] = ((wn[5] >> 2) & 0xFF);
-}
-
-static int
-get_altword (const char *s, void *a)
-{
- OtpAlgorithm *alg = (OtpAlgorithm *)a;
- int ret;
- unsigned char *res = malloc(alg->hashsize);
-
- if (res == NULL)
- return -1;
- alg->hash (s, strlen(s), res);
- ret = (unsigned)(res[alg->hashsize - 1]) |
- ((res[alg->hashsize - 2] & 0x03) << 8);
- free (res);
- return ret;
-}
-
-static int
-parse_words(unsigned wn[],
- const char *str,
- int (*convert)(const char *, void *),
- void *arg)
-{
- unsigned char *w, *wend, c;
- int i;
- int tmp;
-
- w = (unsigned char *)str;
- for (i = 0; i < 6; ++i) {
- while (isspace(*w))
- ++w;
- wend = w;
- while (isalpha (*wend))
- ++wend;
- c = *wend;
- *wend = '\0';
- tmp = (*convert)((char *)w, arg);
- *wend = c;
- w = wend;
- if (tmp < 0)
- return -1;
- wn[i] = tmp;
- }
- return 0;
-}
-
-static int
-otp_parse_internal (OtpKey key, const char *str,
- OtpAlgorithm *alg,
- int (*convert)(const char *, void *))
-{
- unsigned 
wn[6];
-
- if (parse_words (wn, str, convert, alg))
- return -1;
- compress (key, wn);
- if (otp_checksum (key) != (wn[5] & 0x03))
- return -1;
- return 0;
-}
-
-int
-otp_parse_stddict (OtpKey key, const char *str)
-{
- return otp_parse_internal (key, str, NULL, get_stdword);
-}
-
-int
-otp_parse_altdict (OtpKey key, const char *str, OtpAlgorithm *alg)
-{
- return otp_parse_internal (key, str, alg, get_altword);
-}
-
-int
-otp_parse_hex (OtpKey key, const char *s)
-{
- char buf[17], *b;
- int is[8];
- int i;
-
- b = buf;
- while (*s) {
- if (strchr ("0123456789ABCDEFabcdef", *s)) {
- if (b - buf >= 16)
- return -1;
- else
- *b++ = tolower(*s);
- }
- s++;
- }
- *b = '\0';
- if (sscanf (buf, "%2x%2x%2x%2x%2x%2x%2x%2x",
- &is[0], &is[1], &is[2], &is[3], &is[4],
- &is[5], &is[6], &is[7]) != 8)
- return -1;
- for (i = 0; i < OTPKEYSIZE; ++i)
- key[i] = is[i];
- return 0;
-}
-
-int
-otp_parse (OtpKey key, const char *s, OtpAlgorithm *alg)
-{
- int ret;
- int dohex = 1;
-
- if (strncmp (s, OTP_HEXPREFIX, strlen(OTP_HEXPREFIX)) == 0)
- return otp_parse_hex (key, s + strlen(OTP_HEXPREFIX));
- if (strncmp (s, OTP_WORDPREFIX, strlen(OTP_WORDPREFIX)) == 0) {
- s += strlen(OTP_WORDPREFIX);
- dohex = 0;
- }
-
- ret = otp_parse_stddict (key, s);
- if (ret)
- ret = otp_parse_altdict (key, s, alg);
- if (ret && dohex)
- ret = otp_parse_hex (key, s);
- return ret;
-}
-
-const char *const std_dict[2048] =
-{ "A", "ABE", "ACE", "ACT", "AD", "ADA", "ADD",
-"AGO", "AID", "AIM", "AIR", "ALL", "ALP", "AM", "AMY",
-"AN", "ANA", "AND", "ANN", "ANT", "ANY", "APE", "APS",
-"APT", "ARC", "ARE", "ARK", "ARM", "ART", "AS", "ASH",
-"ASK", "AT", "ATE", "AUG", "AUK", "AVE", "AWE", "AWK",
-"AWL", "AWN", "AX", "AYE", "BAD", "BAG", "BAH", "BAM",
-"BAN", "BAR", "BAT", "BAY", "BE", "BED", "BEE", "BEG",
-"BEN", "BET", "BEY", "BIB", "BID", "BIG", "BIN", "BIT",
-"BOB", "BOG", "BON", "BOO", "BOP", "BOW", "BOY", "BUB",
-"BUD", "BUG", "BUM", "BUN", "BUS", "BUT", "BUY", "BY",
-"BYE", "CAB", "CAL", "CAM", 
"CAN", "CAP", "CAR", "CAT", -"CAW", "COD", "COG", "COL", "CON", "COO", "COP", "COT", -"COW", "COY", "CRY", "CUB", "CUE", "CUP", "CUR", "CUT", -"DAB", "DAD", "DAM", "DAN", "DAR", "DAY", "DEE", "DEL", -"DEN", "DES", "DEW", "DID", "DIE", "DIG", "DIN", "DIP", -"DO", "DOE", "DOG", "DON", "DOT", "DOW", "DRY", "DUB", -"DUD", "DUE", "DUG", "DUN", "EAR", "EAT", "ED", "EEL", -"EGG", "EGO", "ELI", "ELK", "ELM", "ELY", "EM", "END", -"EST", "ETC", "EVA", "EVE", "EWE", "EYE", "FAD", "FAN", -"FAR", "FAT", "FAY", "FED", "FEE", "FEW", "FIB", "FIG", -"FIN", "FIR", "FIT", "FLO", "FLY", "FOE", "FOG", "FOR", -"FRY", "FUM", "FUN", "FUR", "GAB", "GAD", "GAG", "GAL", -"GAM", "GAP", "GAS", "GAY", "GEE", "GEL", "GEM", "GET", -"GIG", "GIL", "GIN", "GO", "GOT", "GUM", "GUN", "GUS", -"GUT", "GUY", "GYM", "GYP", "HA", "HAD", "HAL", "HAM", -"HAN", "HAP", "HAS", "HAT", "HAW", "HAY", "HE", "HEM", -"HEN", "HER", "HEW", "HEY", "HI", "HID", "HIM", "HIP", -"HIS", "HIT", "HO", "HOB", "HOC", "HOE", "HOG", "HOP", -"HOT", "HOW", "HUB", "HUE", "HUG", "HUH", "HUM", "HUT", -"I", "ICY", "IDA", "IF", "IKE", "ILL", "INK", "INN", -"IO", "ION", "IQ", "IRA", "IRE", "IRK", "IS", "IT", -"ITS", "IVY", "JAB", "JAG", "JAM", "JAN", "JAR", "JAW", -"JAY", "JET", "JIG", "JIM", "JO", "JOB", "JOE", "JOG", -"JOT", "JOY", "JUG", "JUT", "KAY", "KEG", "KEN", "KEY", -"KID", "KIM", "KIN", "KIT", "LA", "LAB", "LAC", "LAD", -"LAG", "LAM", "LAP", "LAW", "LAY", "LEA", "LED", "LEE", -"LEG", "LEN", "LEO", "LET", "LEW", "LID", "LIE", "LIN", -"LIP", "LIT", "LO", "LOB", "LOG", "LOP", "LOS", "LOT", -"LOU", "LOW", "LOY", "LUG", "LYE", "MA", "MAC", "MAD", -"MAE", "MAN", "MAO", "MAP", "MAT", "MAW", "MAY", "ME", -"MEG", "MEL", "MEN", "MET", "MEW", "MID", "MIN", "MIT", -"MOB", "MOD", "MOE", "MOO", "MOP", "MOS", "MOT", "MOW", -"MUD", "MUG", "MUM", "MY", "NAB", "NAG", "NAN", "NAP", -"NAT", "NAY", "NE", "NED", "NEE", "NET", "NEW", "NIB", -"NIIL", "NIP", "NIT", "NO", "NOB", "NOD", "NON", "NOR", -"NOT", "NOV", "NOW", "NU", "NUN", "NUT", "O", "OAF", 
-"OAK", "OAR", "OAT", "ODD", "ODE", "OF", "OFF", "OFT", -"OH", "OIL", "OK", "OLD", "ON", "ONE", "OR", "ORB", -"ORE", "ORR", "OS", "OTT", "OUR", "OUT", "OVA", "OW", -"OWE", "OWL", "OWN", "OX", "PA", "PAD", "PAL", "PAM", -"PAN", "PAP", "PAR", "PAT", "PAW", "PAY", "PEA", "PEG", -"PEN", "PEP", "PER", "PET", "PEW", "PHI", "PI", "PIE", -"PIN", "PIT", "PLY", "PO", "POD", "POE", "POP", "POT", -"POW", "PRO", "PRY", "PUB", "PUG", "PUN", "PUP", "PUT", -"QUO", "RAG", "RAM", "RAN", "RAP", "RAT", "RAW", "RAY", -"REB", "RED", "REP", "RET", "RIB", "RID", "RIG", "RIM", -"RIO", "RIP", "ROB", "ROD", "ROE", "RON", "ROT", "ROW", -"ROY", "RUB", "RUE", "RUG", "RUM", "RUN", "RYE", "SAC", -"SAD", "SAG", "SAL", "SAM", "SAN", "SAP", "SAT", "SAW", -"SAY", "SEA", "SEC", "SEE", "SEN", "SET", "SEW", "SHE", -"SHY", "SIN", "SIP", "SIR", "SIS", "SIT", "SKI", "SKY", -"SLY", "SO", "SOB", "SOD", "SON", "SOP", "SOW", "SOY", -"SPA", "SPY", "SUB", "SUD", "SUE", "SUM", "SUN", "SUP", -"TAB", "TAD", "TAG", "TAN", "TAP", "TAR", "TEA", "TED", -"TEE", "TEN", "THE", "THY", "TIC", "TIE", "TIM", "TIN", -"TIP", "TO", "TOE", "TOG", "TOM", "TON", "TOO", "TOP", -"TOW", "TOY", "TRY", "TUB", "TUG", "TUM", "TUN", "TWO", -"UN", "UP", "US", "USE", "VAN", "VAT", "VET", "VIE", -"WAD", "WAG", "WAR", "WAS", "WAY", "WE", "WEB", "WED", -"WEE", "WET", "WHO", "WHY", "WIN", "WIT", "WOK", "WON", -"WOO", "WOW", "WRY", "WU", "YAM", "YAP", "YAW", "YE", -"YEA", "YES", "YET", "YOU", "ABED", "ABEL", "ABET", "ABLE", -"ABUT", "ACHE", "ACID", "ACME", "ACRE", "ACTA", "ACTS", "ADAM", -"ADDS", "ADEN", "AFAR", "AFRO", "AGEE", "AHEM", "AHOY", "AIDA", -"AIDE", "AIDS", "AIRY", "AJAR", "AKIN", "ALAN", "ALEC", "ALGA", -"ALIA", "ALLY", "ALMA", "ALOE", "ALSO", "ALTO", "ALUM", "ALVA", -"AMEN", "AMES", "AMID", "AMMO", "AMOK", "AMOS", "AMRA", "ANDY", -"ANEW", "ANNA", "ANNE", "ANTE", "ANTI", "AQUA", "ARAB", "ARCH", -"AREA", "ARGO", "ARID", "ARMY", "ARTS", "ARTY", "ASIA", "ASKS", -"ATOM", "AUNT", "AURA", "AUTO", "AVER", "AVID", "AVIS", "AVON", -"AVOW", 
"AWAY", "AWRY", "BABE", "BABY", "BACH", "BACK", "BADE", -"BAIL", "BAIT", "BAKE", "BALD", "BALE", "BALI", "BALK", "BALL", -"BALM", "BAND", "BANE", "BANG", "BANK", "BARB", "BARD", "BARE", -"BARK", "BARN", "BARR", "BASE", "BASH", "BASK", "BASS", "BATE", -"BATH", "BAWD", "BAWL", "BEAD", "BEAK", "BEAM", "BEAN", "BEAR", -"BEAT", "BEAU", "BECK", "BEEF", "BEEN", "BEER", "BEET", "BELA", -"BELL", "BELT", "BEND", "BENT", "BERG", "BERN", "BERT", "BESS", -"BEST", "BETA", "BETH", "BHOY", "BIAS", "BIDE", "BIEN", "BILE", -"BILK", "BILL", "BIND", "BING", "BIRD", "BITE", "BITS", "BLAB", -"BLAT", "BLED", "BLEW", "BLOB", "BLOC", "BLOT", "BLOW", "BLUE", -"BLUM", "BLUR", "BOAR", "BOAT", "BOCA", "BOCK", "BODE", "BODY", -"BOGY", "BOHR", "BOIL", "BOLD", "BOLO", "BOLT", "BOMB", "BONA", -"BOND", "BONE", "BONG", "BONN", "BONY", "BOOK", "BOOM", "BOON", -"BOOT", "BORE", "BORG", "BORN", "BOSE", "BOSS", "BOTH", "BOUT", -"BOWL", "BOYD", "BRAD", "BRAE", "BRAG", "BRAN", "BRAY", "BRED", -"BREW", "BRIG", "BRIM", "BROW", "BUCK", "BUDD", "BUFF", "BULB", -"BULK", "BULL", "BUNK", "BUNT", "BUOY", "BURG", "BURL", "BURN", -"BURR", "BURT", "BURY", "BUSH", "BUSS", "BUST", "BUSY", "BYTE", -"CADY", "CAFE", "CAGE", "CAIN", "CAKE", "CALF", "CALL", "CALM", -"CAME", "CANE", "CANT", "CARD", "CARE", "CARL", "CARR", "CART", -"CASE", "CASH", "CASK", "CAST", "CAVE", "CEIL", "CELL", "CENT", -"CERN", "CHAD", "CHAR", "CHAT", "CHAW", "CHEF", "CHEN", "CHEW", -"CHIC", "CHIN", "CHOU", "CHOW", "CHUB", "CHUG", "CHUM", "CITE", -"CITY", "CLAD", "CLAM", "CLAN", "CLAW", "CLAY", "CLOD", "CLOG", -"CLOT", "CLUB", "CLUE", "COAL", "COAT", "COCA", "COCK", "COCO", -"CODA", "CODE", "CODY", "COED", "COIL", "COIN", "COKE", "COLA", -"COLD", "COLT", "COMA", "COMB", "COME", "COOK", "COOL", "COON", -"COOT", "CORD", "CORE", "CORK", "CORN", "COST", "COVE", "COWL", -"CRAB", "CRAG", "CRAM", "CRAY", "CREW", "CRIB", "CROW", "CRUD", -"CUBA", "CUBE", "CUFF", "CULL", "CULT", "CUNY", "CURB", "CURD", -"CURE", "CURL", "CURT", "CUTS", "DADE", "DALE", "DAME", 
"DANA", -"DANE", "DANG", "DANK", "DARE", "DARK", "DARN", "DART", "DASH", -"DATA", "DATE", "DAVE", "DAVY", "DAWN", "DAYS", "DEAD", "DEAF", -"DEAL", "DEAN", "DEAR", "DEBT", "DECK", "DEED", "DEEM", "DEER", -"DEFT", "DEFY", "DELL", "DENT", "DENY", "DESK", "DIAL", "DICE", -"DIED", "DIET", "DIME", "DINE", "DING", "DINT", "DIRE", "DIRT", -"DISC", "DISH", "DISK", "DIVE", "DOCK", "DOES", "DOLE", "DOLL", -"DOLT", "DOME", "DONE", "DOOM", "DOOR", "DORA", "DOSE", "DOTE", -"DOUG", "DOUR", "DOVE", "DOWN", "DRAB", "DRAG", "DRAM", "DRAW", -"DREW", "DRUB", "DRUG", "DRUM", "DUAL", "DUCK", "DUCT", "DUEL", -"DUET", "DUKE", "DULL", "DUMB", "DUNE", "DUNK", "DUSK", "DUST", -"DUTY", "EACH", "EARL", "EARN", "EASE", "EAST", "EASY", "EBEN", -"ECHO", "EDDY", "EDEN", "EDGE", "EDGY", "EDIT", "EDNA", "EGAN", -"ELAN", "ELBA", "ELLA", "ELSE", "EMIL", "EMIT", "EMMA", "ENDS", -"ERIC", "EROS", "EVEN", "EVER", "EVIL", "EYED", "FACE", "FACT", -"FADE", "FAIL", "FAIN", "FAIR", "FAKE", "FALL", "FAME", "FANG", -"FARM", "FAST", "FATE", "FAWN", "FEAR", "FEAT", "FEED", "FEEL", -"FEET", "FELL", "FELT", "FEND", "FERN", "FEST", "FEUD", "FIEF", -"FIGS", "FILE", "FILL", "FILM", "FIND", "FINE", "FINK", "FIRE", -"FIRM", "FISH", "FISK", "FIST", "FITS", "FIVE", "FLAG", "FLAK", -"FLAM", "FLAT", "FLAW", "FLEA", "FLED", "FLEW", "FLIT", "FLOC", -"FLOG", "FLOW", "FLUB", "FLUE", "FOAL", "FOAM", "FOGY", "FOIL", -"FOLD", "FOLK", "FOND", "FONT", "FOOD", "FOOL", "FOOT", "FORD", -"FORE", "FORK", "FORM", "FORT", "FOSS", "FOUL", "FOUR", "FOWL", -"FRAU", "FRAY", "FRED", "FREE", "FRET", "FREY", "FROG", "FROM", -"FUEL", "FULL", "FUME", "FUND", "FUNK", "FURY", "FUSE", "FUSS", -"GAFF", "GAGE", "GAIL", "GAIN", "GAIT", "GALA", "GALE", "GALL", -"GALT", "GAME", "GANG", "GARB", "GARY", "GASH", "GATE", "GAUL", -"GAUR", "GAVE", "GAWK", "GEAR", "GELD", "GENE", "GENT", "GERM", -"GETS", "GIBE", "GIFT", "GILD", "GILL", "GILT", "GINA", "GIRD", -"GIRL", "GIST", "GIVE", "GLAD", "GLEE", "GLEN", "GLIB", "GLOB", -"GLOM", "GLOW", "GLUE", "GLUM", "GLUT", 
"GOAD", "GOAL", "GOAT", -"GOER", "GOES", "GOLD", "GOLF", "GONE", "GONG", "GOOD", "GOOF", -"GORE", "GORY", "GOSH", "GOUT", "GOWN", "GRAB", "GRAD", "GRAY", -"GREG", "GREW", "GREY", "GRID", "GRIM", "GRIN", "GRIT", "GROW", -"GRUB", "GULF", "GULL", "GUNK", "GURU", "GUSH", "GUST", "GWEN", -"GWYN", "HAAG", "HAAS", "HACK", "HAIL", "HAIR", "HALE", "HALF", -"HALL", "HALO", "HALT", "HAND", "HANG", "HANK", "HANS", "HARD", -"HARK", "HARM", "HART", "HASH", "HAST", "HATE", "HATH", "HAUL", -"HAVE", "HAWK", "HAYS", "HEAD", "HEAL", "HEAR", "HEAT", "HEBE", -"HECK", "HEED", "HEEL", "HEFT", "HELD", "HELL", "HELM", "HERB", -"HERD", "HERE", "HERO", "HERS", "HESS", "HEWN", "HICK", "HIDE", -"HIGH", "HIKE", "HILL", "HILT", "HIND", "HINT", "HIRE", "HISS", -"HIVE", "HOBO", "HOCK", "HOFF", "HOLD", "HOLE", "HOLM", "HOLT", -"HOME", "HONE", "HONK", "HOOD", "HOOF", "HOOK", "HOOT", "HORN", -"HOSE", "HOST", "HOUR", "HOVE", "HOWE", "HOWL", "HOYT", "HUCK", -"HUED", "HUFF", "HUGE", "HUGH", "HUGO", "HULK", "HULL", "HUNK", -"HUNT", "HURD", "HURL", "HURT", "HUSH", "HYDE", "HYMN", "IBIS", -"ICON", "IDEA", "IDLE", "IFFY", "INCA", "INCH", "INTO", "IONS", -"IOTA", "IOWA", "IRIS", "IRMA", "IRON", "ISLE", "ITCH", "ITEM", -"IVAN", "JACK", "JADE", "JAIL", "JAKE", "JANE", "JAVA", "JEAN", -"JEFF", "JERK", "JESS", "JEST", "JIBE", "JILL", "JILT", "JIVE", -"JOAN", "JOBS", "JOCK", "JOEL", "JOEY", "JOHN", "JOIN", "JOKE", -"JOLT", "JOVE", "JUDD", "JUDE", "JUDO", "JUDY", "JUJU", "JUKE", -"JULY", "JUNE", "JUNK", "JUNO", "JURY", "JUST", "JUTE", "KAHN", -"KALE", "KANE", "KANT", "KARL", "KATE", "KEEL", "KEEN", "KENO", -"KENT", "KERN", "KERR", "KEYS", "KICK", "KILL", "KIND", "KING", -"KIRK", "KISS", "KITE", "KLAN", "KNEE", "KNEW", "KNIT", "KNOB", -"KNOT", "KNOW", "KOCH", "KONG", "KUDO", "KURD", "KURT", "KYLE", -"LACE", "LACK", "LACY", "LADY", "LAID", "LAIN", "LAIR", "LAKE", -"LAMB", "LAME", "LAND", "LANE", "LANG", "LARD", "LARK", "LASS", -"LAST", "LATE", "LAUD", "LAVA", "LAWN", "LAWS", "LAYS", "LEAD", -"LEAF", "LEAK", "LEAN", 
"LEAR", "LEEK", "LEER", "LEFT", "LEND", -"LENS", "LENT", "LEON", "LESK", "LESS", "LEST", "LETS", "LIAR", -"LICE", "LICK", "LIED", "LIEN", "LIES", "LIEU", "LIFE", "LIFT", -"LIKE", "LILA", "LILT", "LILY", "LIMA", "LIMB", "LIME", "LIND", -"LINE", "LINK", "LINT", "LION", "LISA", "LIST", "LIVE", "LOAD", -"LOAF", "LOAM", "LOAN", "LOCK", "LOFT", "LOGE", "LOIS", "LOLA", -"LONE", "LONG", "LOOK", "LOON", "LOOT", "LORD", "LORE", "LOSE", -"LOSS", "LOST", "LOUD", "LOVE", "LOWE", "LUCK", "LUCY", "LUGE", -"LUKE", "LULU", "LUND", "LUNG", "LURA", "LURE", "LURK", "LUSH", -"LUST", "LYLE", "LYNN", "LYON", "LYRA", "MACE", "MADE", "MAGI", -"MAID", "MAIL", "MAIN", "MAKE", "MALE", "MALI", "MALL", "MALT", -"MANA", "MANN", "MANY", "MARC", "MARE", "MARK", "MARS", "MART", -"MARY", "MASH", "MASK", "MASS", "MAST", "MATE", "MATH", "MAUL", -"MAYO", "MEAD", "MEAL", "MEAN", "MEAT", "MEEK", "MEET", "MELD", -"MELT", "MEMO", "MEND", "MENU", "MERT", "MESH", "MESS", "MICE", -"MIKE", "MILD", "MILE", "MILK", "MILL", "MILT", "MIMI", "MIND", -"MINE", "MINI", "MINK", "MINT", "MIRE", "MISS", "MIST", "MITE", -"MITT", "MOAN", "MOAT", "MOCK", "MODE", "MOLD", "MOLE", "MOLL", -"MOLT", "MONA", "MONK", "MONT", "MOOD", "MOON", "MOOR", "MOOT", -"MORE", "MORN", "MORT", "MOSS", "MOST", "MOTH", "MOVE", "MUCH", -"MUCK", "MUDD", "MUFF", "MULE", "MULL", "MURK", "MUSH", "MUST", -"MUTE", "MUTT", "MYRA", "MYTH", "NAGY", "NAIL", "NAIR", "NAME", -"NARY", "NASH", "NAVE", "NAVY", "NEAL", "NEAR", "NEAT", "NECK", -"NEED", "NEIL", "NELL", "NEON", "NERO", "NESS", "NEST", "NEWS", -"NEWT", "NIBS", "NICE", "NICK", "NILE", "NINA", "NINE", "NOAH", -"NODE", "NOEL", "NOLL", "NONE", "NOOK", "NOON", "NORM", "NOSE", -"NOTE", "NOUN", "NOVA", "NUDE", "NULL", "NUMB", "OATH", "OBEY", -"OBOE", "ODIN", "OHIO", "OILY", "OINT", "OKAY", "OLAF", "OLDY", -"OLGA", "OLIN", "OMAN", "OMEN", "OMIT", "ONCE", "ONES", "ONLY", -"ONTO", "ONUS", "ORAL", "ORGY", "OSLO", "OTIS", "OTTO", "OUCH", -"OUST", "OUTS", "OVAL", "OVEN", "OVER", "OWLY", "OWNS", "QUAD", -"QUIT", 
"QUOD", "RACE", "RACK", "RACY", "RAFT", "RAGE", "RAID", -"RAIL", "RAIN", "RAKE", "RANK", "RANT", "RARE", "RASH", "RATE", -"RAVE", "RAYS", "READ", "REAL", "REAM", "REAR", "RECK", "REED", -"REEF", "REEK", "REEL", "REID", "REIN", "RENA", "REND", "RENT", -"REST", "RICE", "RICH", "RICK", "RIDE", "RIFT", "RILL", "RIME", -"RING", "RINK", "RISE", "RISK", "RITE", "ROAD", "ROAM", "ROAR", -"ROBE", "ROCK", "RODE", "ROIL", "ROLL", "ROME", "ROOD", "ROOF", -"ROOK", "ROOM", "ROOT", "ROSA", "ROSE", "ROSS", "ROSY", "ROTH", -"ROUT", "ROVE", "ROWE", "ROWS", "RUBE", "RUBY", "RUDE", "RUDY", -"RUIN", "RULE", "RUNG", "RUNS", "RUNT", "RUSE", "RUSH", "RUSK", -"RUSS", "RUST", "RUTH", "SACK", "SAFE", "SAGE", "SAID", "SAIL", -"SALE", "SALK", "SALT", "SAME", "SAND", "SANE", "SANG", "SANK", -"SARA", "SAUL", "SAVE", "SAYS", "SCAN", "SCAR", "SCAT", "SCOT", -"SEAL", "SEAM", "SEAR", "SEAT", "SEED", "SEEK", "SEEM", "SEEN", -"SEES", "SELF", "SELL", "SEND", "SENT", "SETS", "SEWN", "SHAG", -"SHAM", "SHAW", "SHAY", "SHED", "SHIM", "SHIN", "SHOD", "SHOE", -"SHOT", "SHOW", "SHUN", "SHUT", "SICK", "SIDE", "SIFT", "SIGH", -"SIGN", "SILK", "SILL", "SILO", "SILT", "SINE", "SING", "SINK", -"SIRE", "SITE", "SITS", "SITU", "SKAT", "SKEW", "SKID", "SKIM", -"SKIN", "SKIT", "SLAB", "SLAM", "SLAT", "SLAY", "SLED", "SLEW", -"SLID", "SLIM", "SLIT", "SLOB", "SLOG", "SLOT", "SLOW", "SLUG", -"SLUM", "SLUR", "SMOG", "SMUG", "SNAG", "SNOB", "SNOW", "SNUB", -"SNUG", "SOAK", "SOAR", "SOCK", "SODA", "SOFA", "SOFT", "SOIL", -"SOLD", "SOME", "SONG", "SOON", "SOOT", "SORE", "SORT", "SOUL", -"SOUR", "SOWN", "STAB", "STAG", "STAN", "STAR", "STAY", "STEM", -"STEW", "STIR", "STOW", "STUB", "STUN", "SUCH", "SUDS", "SUIT", -"SULK", "SUMS", "SUNG", "SUNK", "SURE", "SURF", "SWAB", "SWAG", -"SWAM", "SWAN", "SWAT", "SWAY", "SWIM", "SWUM", "TACK", "TACT", -"TAIL", "TAKE", "TALE", "TALK", "TALL", "TANK", "TASK", "TATE", -"TAUT", "TEAL", "TEAM", "TEAR", "TECH", "TEEM", "TEEN", "TEET", -"TELL", "TEND", "TENT", "TERM", "TERN", "TESS", "TEST", 
"THAN", -"THAT", "THEE", "THEM", "THEN", "THEY", "THIN", "THIS", "THUD", -"THUG", "TICK", "TIDE", "TIDY", "TIED", "TIER", "TILE", "TILL", -"TILT", "TIME", "TINA", "TINE", "TINT", "TINY", "TIRE", "TOAD", -"TOGO", "TOIL", "TOLD", "TOLL", "TONE", "TONG", "TONY", "TOOK", -"TOOL", "TOOT", "TORE", "TORN", "TOTE", "TOUR", "TOUT", "TOWN", -"TRAG", "TRAM", "TRAY", "TREE", "TREK", "TRIG", "TRIM", "TRIO", -"TROD", "TROT", "TROY", "TRUE", "TUBA", "TUBE", "TUCK", "TUFT", -"TUNA", "TUNE", "TUNG", "TURF", "TURN", "TUSK", "TWIG", "TWIN", -"TWIT", "ULAN", "UNIT", "URGE", "USED", "USER", "USES", "UTAH", -"VAIL", "VAIN", "VALE", "VARY", "VASE", "VAST", "VEAL", "VEDA", -"VEIL", "VEIN", "VEND", "VENT", "VERB", "VERY", "VETO", "VICE", -"VIEW", "VINE", "VISE", "VOID", "VOLT", "VOTE", "WACK", "WADE", -"WAGE", "WAIL", "WAIT", "WAKE", "WALE", "WALK", "WALL", "WALT", -"WAND", "WANE", "WANG", "WANT", "WARD", "WARM", "WARN", "WART", -"WASH", "WAST", "WATS", "WATT", "WAVE", "WAVY", "WAYS", "WEAK", -"WEAL", "WEAN", "WEAR", "WEED", "WEEK", "WEIR", "WELD", "WELL", -"WELT", "WENT", "WERE", "WERT", "WEST", "WHAM", "WHAT", "WHEE", -"WHEN", "WHET", "WHOA", "WHOM", "WICK", "WIFE", "WILD", "WILL", -"WIND", "WINE", "WING", "WINK", "WINO", "WIRE", "WISE", "WISH", -"WITH", "WOLF", "WONT", "WOOD", "WOOL", "WORD", "WORE", "WORK", -"WORM", "WORN", "WOVE", "WRIT", "WYNN", "YALE", "YANG", "YANK", -"YARD", "YARN", "YAWL", "YAWN", "YEAH", "YEAR", "YELL", "YOGA", -"YOKE" }; - -const struct e inv_std_dict[2048] = { -{"A", 0}, -{"ABE", 1}, -{"ABED", 571}, -{"ABEL", 572}, -{"ABET", 573}, -{"ABLE", 574}, -{"ABUT", 575}, -{"ACE", 2}, -{"ACHE", 576}, -{"ACID", 577}, -{"ACME", 578}, -{"ACRE", 579}, -{"ACT", 3}, -{"ACTA", 580}, -{"ACTS", 581}, -{"AD", 4}, -{"ADA", 5}, -{"ADAM", 582}, -{"ADD", 6}, -{"ADDS", 583}, -{"ADEN", 584}, -{"AFAR", 585}, -{"AFRO", 586}, -{"AGEE", 587}, -{"AGO", 7}, -{"AHEM", 588}, -{"AHOY", 589}, -{"AID", 8}, -{"AIDA", 590}, -{"AIDE", 591}, -{"AIDS", 592}, -{"AIM", 9}, -{"AIR", 10}, -{"AIRY", 593}, 
-{"AJAR", 594}, -{"AKIN", 595}, -{"ALAN", 596}, -{"ALEC", 597}, -{"ALGA", 598}, -{"ALIA", 599}, -{"ALL", 11}, -{"ALLY", 600}, -{"ALMA", 601}, -{"ALOE", 602}, -{"ALP", 12}, -{"ALSO", 603}, -{"ALTO", 604}, -{"ALUM", 605}, -{"ALVA", 606}, -{"AM", 13}, -{"AMEN", 607}, -{"AMES", 608}, -{"AMID", 609}, -{"AMMO", 610}, -{"AMOK", 611}, -{"AMOS", 612}, -{"AMRA", 613}, -{"AMY", 14}, -{"AN", 15}, -{"ANA", 16}, -{"AND", 17}, -{"ANDY", 614}, -{"ANEW", 615}, -{"ANN", 18}, -{"ANNA", 616}, -{"ANNE", 617}, -{"ANT", 19}, -{"ANTE", 618}, -{"ANTI", 619}, -{"ANY", 20}, -{"APE", 21}, -{"APS", 22}, -{"APT", 23}, -{"AQUA", 620}, -{"ARAB", 621}, -{"ARC", 24}, -{"ARCH", 622}, -{"ARE", 25}, -{"AREA", 623}, -{"ARGO", 624}, -{"ARID", 625}, -{"ARK", 26}, -{"ARM", 27}, -{"ARMY", 626}, -{"ART", 28}, -{"ARTS", 627}, -{"ARTY", 628}, -{"AS", 29}, -{"ASH", 30}, -{"ASIA", 629}, -{"ASK", 31}, -{"ASKS", 630}, -{"AT", 32}, -{"ATE", 33}, -{"ATOM", 631}, -{"AUG", 34}, -{"AUK", 35}, -{"AUNT", 632}, -{"AURA", 633}, -{"AUTO", 634}, -{"AVE", 36}, -{"AVER", 635}, -{"AVID", 636}, -{"AVIS", 637}, -{"AVON", 638}, -{"AVOW", 639}, -{"AWAY", 640}, -{"AWE", 37}, -{"AWK", 38}, -{"AWL", 39}, -{"AWN", 40}, -{"AWRY", 641}, -{"AX", 41}, -{"AYE", 42}, -{"BABE", 642}, -{"BABY", 643}, -{"BACH", 644}, -{"BACK", 645}, -{"BAD", 43}, -{"BADE", 646}, -{"BAG", 44}, -{"BAH", 45}, -{"BAIL", 647}, -{"BAIT", 648}, -{"BAKE", 649}, -{"BALD", 650}, -{"BALE", 651}, -{"BALI", 652}, -{"BALK", 653}, -{"BALL", 654}, -{"BALM", 655}, -{"BAM", 46}, -{"BAN", 47}, -{"BAND", 656}, -{"BANE", 657}, -{"BANG", 658}, -{"BANK", 659}, -{"BAR", 48}, -{"BARB", 660}, -{"BARD", 661}, -{"BARE", 662}, -{"BARK", 663}, -{"BARN", 664}, -{"BARR", 665}, -{"BASE", 666}, -{"BASH", 667}, -{"BASK", 668}, -{"BASS", 669}, -{"BAT", 49}, -{"BATE", 670}, -{"BATH", 671}, -{"BAWD", 672}, -{"BAWL", 673}, -{"BAY", 50}, -{"BE", 51}, -{"BEAD", 674}, -{"BEAK", 675}, -{"BEAM", 676}, -{"BEAN", 677}, -{"BEAR", 678}, -{"BEAT", 679}, -{"BEAU", 680}, -{"BECK", 681}, -{"BED", 52}, -{"BEE", 
53}, -{"BEEF", 682}, -{"BEEN", 683}, -{"BEER", 684}, -{"BEET", 685}, -{"BEG", 54}, -{"BELA", 686}, -{"BELL", 687}, -{"BELT", 688}, -{"BEN", 55}, -{"BEND", 689}, -{"BENT", 690}, -{"BERG", 691}, -{"BERN", 692}, -{"BERT", 693}, -{"BESS", 694}, -{"BEST", 695}, -{"BET", 56}, -{"BETA", 696}, -{"BETH", 697}, -{"BEY", 57}, -{"BHOY", 698}, -{"BIAS", 699}, -{"BIB", 58}, -{"BID", 59}, -{"BIDE", 700}, -{"BIEN", 701}, -{"BIG", 60}, -{"BILE", 702}, -{"BILK", 703}, -{"BILL", 704}, -{"BIN", 61}, -{"BIND", 705}, -{"BING", 706}, -{"BIRD", 707}, -{"BIT", 62}, -{"BITE", 708}, -{"BITS", 709}, -{"BLAB", 710}, -{"BLAT", 711}, -{"BLED", 712}, -{"BLEW", 713}, -{"BLOB", 714}, -{"BLOC", 715}, -{"BLOT", 716}, -{"BLOW", 717}, -{"BLUE", 718}, -{"BLUM", 719}, -{"BLUR", 720}, -{"BOAR", 721}, -{"BOAT", 722}, -{"BOB", 63}, -{"BOCA", 723}, -{"BOCK", 724}, -{"BODE", 725}, -{"BODY", 726}, -{"BOG", 64}, -{"BOGY", 727}, -{"BOHR", 728}, -{"BOIL", 729}, -{"BOLD", 730}, -{"BOLO", 731}, -{"BOLT", 732}, -{"BOMB", 733}, -{"BON", 65}, -{"BONA", 734}, -{"BOND", 735}, -{"BONE", 736}, -{"BONG", 737}, -{"BONN", 738}, -{"BONY", 739}, -{"BOO", 66}, -{"BOOK", 740}, -{"BOOM", 741}, -{"BOON", 742}, -{"BOOT", 743}, -{"BOP", 67}, -{"BORE", 744}, -{"BORG", 745}, -{"BORN", 746}, -{"BOSE", 747}, -{"BOSS", 748}, -{"BOTH", 749}, -{"BOUT", 750}, -{"BOW", 68}, -{"BOWL", 751}, -{"BOY", 69}, -{"BOYD", 752}, -{"BRAD", 753}, -{"BRAE", 754}, -{"BRAG", 755}, -{"BRAN", 756}, -{"BRAY", 757}, -{"BRED", 758}, -{"BREW", 759}, -{"BRIG", 760}, -{"BRIM", 761}, -{"BROW", 762}, -{"BUB", 70}, -{"BUCK", 763}, -{"BUD", 71}, -{"BUDD", 764}, -{"BUFF", 765}, -{"BUG", 72}, -{"BULB", 766}, -{"BULK", 767}, -{"BULL", 768}, -{"BUM", 73}, -{"BUN", 74}, -{"BUNK", 769}, -{"BUNT", 770}, -{"BUOY", 771}, -{"BURG", 772}, -{"BURL", 773}, -{"BURN", 774}, -{"BURR", 775}, -{"BURT", 776}, -{"BURY", 777}, -{"BUS", 75}, -{"BUSH", 778}, -{"BUSS", 779}, -{"BUST", 780}, -{"BUSY", 781}, -{"BUT", 76}, -{"BUY", 77}, -{"BY", 78}, -{"BYE", 79}, -{"BYTE", 782}, -{"CAB", 80}, 
-{"CADY", 783}, -{"CAFE", 784}, -{"CAGE", 785}, -{"CAIN", 786}, -{"CAKE", 787}, -{"CAL", 81}, -{"CALF", 788}, -{"CALL", 789}, -{"CALM", 790}, -{"CAM", 82}, -{"CAME", 791}, -{"CAN", 83}, -{"CANE", 792}, -{"CANT", 793}, -{"CAP", 84}, -{"CAR", 85}, -{"CARD", 794}, -{"CARE", 795}, -{"CARL", 796}, -{"CARR", 797}, -{"CART", 798}, -{"CASE", 799}, -{"CASH", 800}, -{"CASK", 801}, -{"CAST", 802}, -{"CAT", 86}, -{"CAVE", 803}, -{"CAW", 87}, -{"CEIL", 804}, -{"CELL", 805}, -{"CENT", 806}, -{"CERN", 807}, -{"CHAD", 808}, -{"CHAR", 809}, -{"CHAT", 810}, -{"CHAW", 811}, -{"CHEF", 812}, -{"CHEN", 813}, -{"CHEW", 814}, -{"CHIC", 815}, -{"CHIN", 816}, -{"CHOU", 817}, -{"CHOW", 818}, -{"CHUB", 819}, -{"CHUG", 820}, -{"CHUM", 821}, -{"CITE", 822}, -{"CITY", 823}, -{"CLAD", 824}, -{"CLAM", 825}, -{"CLAN", 826}, -{"CLAW", 827}, -{"CLAY", 828}, -{"CLOD", 829}, -{"CLOG", 830}, -{"CLOT", 831}, -{"CLUB", 832}, -{"CLUE", 833}, -{"COAL", 834}, -{"COAT", 835}, -{"COCA", 836}, -{"COCK", 837}, -{"COCO", 838}, -{"COD", 88}, -{"CODA", 839}, -{"CODE", 840}, -{"CODY", 841}, -{"COED", 842}, -{"COG", 89}, -{"COIL", 843}, -{"COIN", 844}, -{"COKE", 845}, -{"COL", 90}, -{"COLA", 846}, -{"COLD", 847}, -{"COLT", 848}, -{"COMA", 849}, -{"COMB", 850}, -{"COME", 851}, -{"CON", 91}, -{"COO", 92}, -{"COOK", 852}, -{"COOL", 853}, -{"COON", 854}, -{"COOT", 855}, -{"COP", 93}, -{"CORD", 856}, -{"CORE", 857}, -{"CORK", 858}, -{"CORN", 859}, -{"COST", 860}, -{"COT", 94}, -{"COVE", 861}, -{"COW", 95}, -{"COWL", 862}, -{"COY", 96}, -{"CRAB", 863}, -{"CRAG", 864}, -{"CRAM", 865}, -{"CRAY", 866}, -{"CREW", 867}, -{"CRIB", 868}, -{"CROW", 869}, -{"CRUD", 870}, -{"CRY", 97}, -{"CUB", 98}, -{"CUBA", 871}, -{"CUBE", 872}, -{"CUE", 99}, -{"CUFF", 873}, -{"CULL", 874}, -{"CULT", 875}, -{"CUNY", 876}, -{"CUP", 100}, -{"CUR", 101}, -{"CURB", 877}, -{"CURD", 878}, -{"CURE", 879}, -{"CURL", 880}, -{"CURT", 881}, -{"CUT", 102}, -{"CUTS", 882}, -{"DAB", 103}, -{"DAD", 104}, -{"DADE", 883}, -{"DALE", 884}, -{"DAM", 105}, -{"DAME", 
885}, -{"DAN", 106}, -{"DANA", 886}, -{"DANE", 887}, -{"DANG", 888}, -{"DANK", 889}, -{"DAR", 107}, -{"DARE", 890}, -{"DARK", 891}, -{"DARN", 892}, -{"DART", 893}, -{"DASH", 894}, -{"DATA", 895}, -{"DATE", 896}, -{"DAVE", 897}, -{"DAVY", 898}, -{"DAWN", 899}, -{"DAY", 108}, -{"DAYS", 900}, -{"DEAD", 901}, -{"DEAF", 902}, -{"DEAL", 903}, -{"DEAN", 904}, -{"DEAR", 905}, -{"DEBT", 906}, -{"DECK", 907}, -{"DEE", 109}, -{"DEED", 908}, -{"DEEM", 909}, -{"DEER", 910}, -{"DEFT", 911}, -{"DEFY", 912}, -{"DEL", 110}, -{"DELL", 913}, -{"DEN", 111}, -{"DENT", 914}, -{"DENY", 915}, -{"DES", 112}, -{"DESK", 916}, -{"DEW", 113}, -{"DIAL", 917}, -{"DICE", 918}, -{"DID", 114}, -{"DIE", 115}, -{"DIED", 919}, -{"DIET", 920}, -{"DIG", 116}, -{"DIME", 921}, -{"DIN", 117}, -{"DINE", 922}, -{"DING", 923}, -{"DINT", 924}, -{"DIP", 118}, -{"DIRE", 925}, -{"DIRT", 926}, -{"DISC", 927}, -{"DISH", 928}, -{"DISK", 929}, -{"DIVE", 930}, -{"DO", 119}, -{"DOCK", 931}, -{"DOE", 120}, -{"DOES", 932}, -{"DOG", 121}, -{"DOLE", 933}, -{"DOLL", 934}, -{"DOLT", 935}, -{"DOME", 936}, -{"DON", 122}, -{"DONE", 937}, -{"DOOM", 938}, -{"DOOR", 939}, -{"DORA", 940}, -{"DOSE", 941}, -{"DOT", 123}, -{"DOTE", 942}, -{"DOUG", 943}, -{"DOUR", 944}, -{"DOVE", 945}, -{"DOW", 124}, -{"DOWN", 946}, -{"DRAB", 947}, -{"DRAG", 948}, -{"DRAM", 949}, -{"DRAW", 950}, -{"DREW", 951}, -{"DRUB", 952}, -{"DRUG", 953}, -{"DRUM", 954}, -{"DRY", 125}, -{"DUAL", 955}, -{"DUB", 126}, -{"DUCK", 956}, -{"DUCT", 957}, -{"DUD", 127}, -{"DUE", 128}, -{"DUEL", 958}, -{"DUET", 959}, -{"DUG", 129}, -{"DUKE", 960}, -{"DULL", 961}, -{"DUMB", 962}, -{"DUN", 130}, -{"DUNE", 963}, -{"DUNK", 964}, -{"DUSK", 965}, -{"DUST", 966}, -{"DUTY", 967}, -{"EACH", 968}, -{"EAR", 131}, -{"EARL", 969}, -{"EARN", 970}, -{"EASE", 971}, -{"EAST", 972}, -{"EASY", 973}, -{"EAT", 132}, -{"EBEN", 974}, -{"ECHO", 975}, -{"ED", 133}, -{"EDDY", 976}, -{"EDEN", 977}, -{"EDGE", 978}, -{"EDGY", 979}, -{"EDIT", 980}, -{"EDNA", 981}, -{"EEL", 134}, -{"EGAN", 982}, -{"EGG", 
135}, -{"EGO", 136}, -{"ELAN", 983}, -{"ELBA", 984}, -{"ELI", 137}, -{"ELK", 138}, -{"ELLA", 985}, -{"ELM", 139}, -{"ELSE", 986}, -{"ELY", 140}, -{"EM", 141}, -{"EMIL", 987}, -{"EMIT", 988}, -{"EMMA", 989}, -{"END", 142}, -{"ENDS", 990}, -{"ERIC", 991}, -{"EROS", 992}, -{"EST", 143}, -{"ETC", 144}, -{"EVA", 145}, -{"EVE", 146}, -{"EVEN", 993}, -{"EVER", 994}, -{"EVIL", 995}, -{"EWE", 147}, -{"EYE", 148}, -{"EYED", 996}, -{"FACE", 997}, -{"FACT", 998}, -{"FAD", 149}, -{"FADE", 999}, -{"FAIL", 1000}, -{"FAIN", 1001}, -{"FAIR", 1002}, -{"FAKE", 1003}, -{"FALL", 1004}, -{"FAME", 1005}, -{"FAN", 150}, -{"FANG", 1006}, -{"FAR", 151}, -{"FARM", 1007}, -{"FAST", 1008}, -{"FAT", 152}, -{"FATE", 1009}, -{"FAWN", 1010}, -{"FAY", 153}, -{"FEAR", 1011}, -{"FEAT", 1012}, -{"FED", 154}, -{"FEE", 155}, -{"FEED", 1013}, -{"FEEL", 1014}, -{"FEET", 1015}, -{"FELL", 1016}, -{"FELT", 1017}, -{"FEND", 1018}, -{"FERN", 1019}, -{"FEST", 1020}, -{"FEUD", 1021}, -{"FEW", 156}, -{"FIB", 157}, -{"FIEF", 1022}, -{"FIG", 158}, -{"FIGS", 1023}, -{"FILE", 1024}, -{"FILL", 1025}, -{"FILM", 1026}, -{"FIN", 159}, -{"FIND", 1027}, -{"FINE", 1028}, -{"FINK", 1029}, -{"FIR", 160}, -{"FIRE", 1030}, -{"FIRM", 1031}, -{"FISH", 1032}, -{"FISK", 1033}, -{"FIST", 1034}, -{"FIT", 161}, -{"FITS", 1035}, -{"FIVE", 1036}, -{"FLAG", 1037}, -{"FLAK", 1038}, -{"FLAM", 1039}, -{"FLAT", 1040}, -{"FLAW", 1041}, -{"FLEA", 1042}, -{"FLED", 1043}, -{"FLEW", 1044}, -{"FLIT", 1045}, -{"FLO", 162}, -{"FLOC", 1046}, -{"FLOG", 1047}, -{"FLOW", 1048}, -{"FLUB", 1049}, -{"FLUE", 1050}, -{"FLY", 163}, -{"FOAL", 1051}, -{"FOAM", 1052}, -{"FOE", 164}, -{"FOG", 165}, -{"FOGY", 1053}, -{"FOIL", 1054}, -{"FOLD", 1055}, -{"FOLK", 1056}, -{"FOND", 1057}, -{"FONT", 1058}, -{"FOOD", 1059}, -{"FOOL", 1060}, -{"FOOT", 1061}, -{"FOR", 166}, -{"FORD", 1062}, -{"FORE", 1063}, -{"FORK", 1064}, -{"FORM", 1065}, -{"FORT", 1066}, -{"FOSS", 1067}, -{"FOUL", 1068}, -{"FOUR", 1069}, -{"FOWL", 1070}, -{"FRAU", 1071}, -{"FRAY", 1072}, -{"FRED", 1073}, 
-{"FREE", 1074}, -{"FRET", 1075}, -{"FREY", 1076}, -{"FROG", 1077}, -{"FROM", 1078}, -{"FRY", 167}, -{"FUEL", 1079}, -{"FULL", 1080}, -{"FUM", 168}, -{"FUME", 1081}, -{"FUN", 169}, -{"FUND", 1082}, -{"FUNK", 1083}, -{"FUR", 170}, -{"FURY", 1084}, -{"FUSE", 1085}, -{"FUSS", 1086}, -{"GAB", 171}, -{"GAD", 172}, -{"GAFF", 1087}, -{"GAG", 173}, -{"GAGE", 1088}, -{"GAIL", 1089}, -{"GAIN", 1090}, -{"GAIT", 1091}, -{"GAL", 174}, -{"GALA", 1092}, -{"GALE", 1093}, -{"GALL", 1094}, -{"GALT", 1095}, -{"GAM", 175}, -{"GAME", 1096}, -{"GANG", 1097}, -{"GAP", 176}, -{"GARB", 1098}, -{"GARY", 1099}, -{"GAS", 177}, -{"GASH", 1100}, -{"GATE", 1101}, -{"GAUL", 1102}, -{"GAUR", 1103}, -{"GAVE", 1104}, -{"GAWK", 1105}, -{"GAY", 178}, -{"GEAR", 1106}, -{"GEE", 179}, -{"GEL", 180}, -{"GELD", 1107}, -{"GEM", 181}, -{"GENE", 1108}, -{"GENT", 1109}, -{"GERM", 1110}, -{"GET", 182}, -{"GETS", 1111}, -{"GIBE", 1112}, -{"GIFT", 1113}, -{"GIG", 183}, -{"GIL", 184}, -{"GILD", 1114}, -{"GILL", 1115}, -{"GILT", 1116}, -{"GIN", 185}, -{"GINA", 1117}, -{"GIRD", 1118}, -{"GIRL", 1119}, -{"GIST", 1120}, -{"GIVE", 1121}, -{"GLAD", 1122}, -{"GLEE", 1123}, -{"GLEN", 1124}, -{"GLIB", 1125}, -{"GLOB", 1126}, -{"GLOM", 1127}, -{"GLOW", 1128}, -{"GLUE", 1129}, -{"GLUM", 1130}, -{"GLUT", 1131}, -{"GO", 186}, -{"GOAD", 1132}, -{"GOAL", 1133}, -{"GOAT", 1134}, -{"GOER", 1135}, -{"GOES", 1136}, -{"GOLD", 1137}, -{"GOLF", 1138}, -{"GONE", 1139}, -{"GONG", 1140}, -{"GOOD", 1141}, -{"GOOF", 1142}, -{"GORE", 1143}, -{"GORY", 1144}, -{"GOSH", 1145}, -{"GOT", 187}, -{"GOUT", 1146}, -{"GOWN", 1147}, -{"GRAB", 1148}, -{"GRAD", 1149}, -{"GRAY", 1150}, -{"GREG", 1151}, -{"GREW", 1152}, -{"GREY", 1153}, -{"GRID", 1154}, -{"GRIM", 1155}, -{"GRIN", 1156}, -{"GRIT", 1157}, -{"GROW", 1158}, -{"GRUB", 1159}, -{"GULF", 1160}, -{"GULL", 1161}, -{"GUM", 188}, -{"GUN", 189}, -{"GUNK", 1162}, -{"GURU", 1163}, -{"GUS", 190}, -{"GUSH", 1164}, -{"GUST", 1165}, -{"GUT", 191}, -{"GUY", 192}, -{"GWEN", 1166}, -{"GWYN", 1167}, -{"GYM", 
193}, -{"GYP", 194}, -{"HA", 195}, -{"HAAG", 1168}, -{"HAAS", 1169}, -{"HACK", 1170}, -{"HAD", 196}, -{"HAIL", 1171}, -{"HAIR", 1172}, -{"HAL", 197}, -{"HALE", 1173}, -{"HALF", 1174}, -{"HALL", 1175}, -{"HALO", 1176}, -{"HALT", 1177}, -{"HAM", 198}, -{"HAN", 199}, -{"HAND", 1178}, -{"HANG", 1179}, -{"HANK", 1180}, -{"HANS", 1181}, -{"HAP", 200}, -{"HARD", 1182}, -{"HARK", 1183}, -{"HARM", 1184}, -{"HART", 1185}, -{"HAS", 201}, -{"HASH", 1186}, -{"HAST", 1187}, -{"HAT", 202}, -{"HATE", 1188}, -{"HATH", 1189}, -{"HAUL", 1190}, -{"HAVE", 1191}, -{"HAW", 203}, -{"HAWK", 1192}, -{"HAY", 204}, -{"HAYS", 1193}, -{"HE", 205}, -{"HEAD", 1194}, -{"HEAL", 1195}, -{"HEAR", 1196}, -{"HEAT", 1197}, -{"HEBE", 1198}, -{"HECK", 1199}, -{"HEED", 1200}, -{"HEEL", 1201}, -{"HEFT", 1202}, -{"HELD", 1203}, -{"HELL", 1204}, -{"HELM", 1205}, -{"HEM", 206}, -{"HEN", 207}, -{"HER", 208}, -{"HERB", 1206}, -{"HERD", 1207}, -{"HERE", 1208}, -{"HERO", 1209}, -{"HERS", 1210}, -{"HESS", 1211}, -{"HEW", 209}, -{"HEWN", 1212}, -{"HEY", 210}, -{"HI", 211}, -{"HICK", 1213}, -{"HID", 212}, -{"HIDE", 1214}, -{"HIGH", 1215}, -{"HIKE", 1216}, -{"HILL", 1217}, -{"HILT", 1218}, -{"HIM", 213}, -{"HIND", 1219}, -{"HINT", 1220}, -{"HIP", 214}, -{"HIRE", 1221}, -{"HIS", 215}, -{"HISS", 1222}, -{"HIT", 216}, -{"HIVE", 1223}, -{"HO", 217}, -{"HOB", 218}, -{"HOBO", 1224}, -{"HOC", 219}, -{"HOCK", 1225}, -{"HOE", 220}, -{"HOFF", 1226}, -{"HOG", 221}, -{"HOLD", 1227}, -{"HOLE", 1228}, -{"HOLM", 1229}, -{"HOLT", 1230}, -{"HOME", 1231}, -{"HONE", 1232}, -{"HONK", 1233}, -{"HOOD", 1234}, -{"HOOF", 1235}, -{"HOOK", 1236}, -{"HOOT", 1237}, -{"HOP", 222}, -{"HORN", 1238}, -{"HOSE", 1239}, -{"HOST", 1240}, -{"HOT", 223}, -{"HOUR", 1241}, -{"HOVE", 1242}, -{"HOW", 224}, -{"HOWE", 1243}, -{"HOWL", 1244}, -{"HOYT", 1245}, -{"HUB", 225}, -{"HUCK", 1246}, -{"HUE", 226}, -{"HUED", 1247}, -{"HUFF", 1248}, -{"HUG", 227}, -{"HUGE", 1249}, -{"HUGH", 1250}, -{"HUGO", 1251}, -{"HUH", 228}, -{"HULK", 1252}, -{"HULL", 1253}, -{"HUM", 
229}, -{"HUNK", 1254}, -{"HUNT", 1255}, -{"HURD", 1256}, -{"HURL", 1257}, -{"HURT", 1258}, -{"HUSH", 1259}, -{"HUT", 230}, -{"HYDE", 1260}, -{"HYMN", 1261}, -{"I", 231}, -{"IBIS", 1262}, -{"ICON", 1263}, -{"ICY", 232}, -{"IDA", 233}, -{"IDEA", 1264}, -{"IDLE", 1265}, -{"IF", 234}, -{"IFFY", 1266}, -{"IKE", 235}, -{"ILL", 236}, -{"INCA", 1267}, -{"INCH", 1268}, -{"INK", 237}, -{"INN", 238}, -{"INTO", 1269}, -{"IO", 239}, -{"ION", 240}, -{"IONS", 1270}, -{"IOTA", 1271}, -{"IOWA", 1272}, -{"IQ", 241}, -{"IRA", 242}, -{"IRE", 243}, -{"IRIS", 1273}, -{"IRK", 244}, -{"IRMA", 1274}, -{"IRON", 1275}, -{"IS", 245}, -{"ISLE", 1276}, -{"IT", 246}, -{"ITCH", 1277}, -{"ITEM", 1278}, -{"ITS", 247}, -{"IVAN", 1279}, -{"IVY", 248}, -{"JAB", 249}, -{"JACK", 1280}, -{"JADE", 1281}, -{"JAG", 250}, -{"JAIL", 1282}, -{"JAKE", 1283}, -{"JAM", 251}, -{"JAN", 252}, -{"JANE", 1284}, -{"JAR", 253}, -{"JAVA", 1285}, -{"JAW", 254}, -{"JAY", 255}, -{"JEAN", 1286}, -{"JEFF", 1287}, -{"JERK", 1288}, -{"JESS", 1289}, -{"JEST", 1290}, -{"JET", 256}, -{"JIBE", 1291}, -{"JIG", 257}, -{"JILL", 1292}, -{"JILT", 1293}, -{"JIM", 258}, -{"JIVE", 1294}, -{"JO", 259}, -{"JOAN", 1295}, -{"JOB", 260}, -{"JOBS", 1296}, -{"JOCK", 1297}, -{"JOE", 261}, -{"JOEL", 1298}, -{"JOEY", 1299}, -{"JOG", 262}, -{"JOHN", 1300}, -{"JOIN", 1301}, -{"JOKE", 1302}, -{"JOLT", 1303}, -{"JOT", 263}, -{"JOVE", 1304}, -{"JOY", 264}, -{"JUDD", 1305}, -{"JUDE", 1306}, -{"JUDO", 1307}, -{"JUDY", 1308}, -{"JUG", 265}, -{"JUJU", 1309}, -{"JUKE", 1310}, -{"JULY", 1311}, -{"JUNE", 1312}, -{"JUNK", 1313}, -{"JUNO", 1314}, -{"JURY", 1315}, -{"JUST", 1316}, -{"JUT", 266}, -{"JUTE", 1317}, -{"KAHN", 1318}, -{"KALE", 1319}, -{"KANE", 1320}, -{"KANT", 1321}, -{"KARL", 1322}, -{"KATE", 1323}, -{"KAY", 267}, -{"KEEL", 1324}, -{"KEEN", 1325}, -{"KEG", 268}, -{"KEN", 269}, -{"KENO", 1326}, -{"KENT", 1327}, -{"KERN", 1328}, -{"KERR", 1329}, -{"KEY", 270}, -{"KEYS", 1330}, -{"KICK", 1331}, -{"KID", 271}, -{"KILL", 1332}, -{"KIM", 272}, -{"KIN", 
273}, -{"KIND", 1333}, -{"KING", 1334}, -{"KIRK", 1335}, -{"KISS", 1336}, -{"KIT", 274}, -{"KITE", 1337}, -{"KLAN", 1338}, -{"KNEE", 1339}, -{"KNEW", 1340}, -{"KNIT", 1341}, -{"KNOB", 1342}, -{"KNOT", 1343}, -{"KNOW", 1344}, -{"KOCH", 1345}, -{"KONG", 1346}, -{"KUDO", 1347}, -{"KURD", 1348}, -{"KURT", 1349}, -{"KYLE", 1350}, -{"LA", 275}, -{"LAB", 276}, -{"LAC", 277}, -{"LACE", 1351}, -{"LACK", 1352}, -{"LACY", 1353}, -{"LAD", 278}, -{"LADY", 1354}, -{"LAG", 279}, -{"LAID", 1355}, -{"LAIN", 1356}, -{"LAIR", 1357}, -{"LAKE", 1358}, -{"LAM", 280}, -{"LAMB", 1359}, -{"LAME", 1360}, -{"LAND", 1361}, -{"LANE", 1362}, -{"LANG", 1363}, -{"LAP", 281}, -{"LARD", 1364}, -{"LARK", 1365}, -{"LASS", 1366}, -{"LAST", 1367}, -{"LATE", 1368}, -{"LAUD", 1369}, -{"LAVA", 1370}, -{"LAW", 282}, -{"LAWN", 1371}, -{"LAWS", 1372}, -{"LAY", 283}, -{"LAYS", 1373}, -{"LEA", 284}, -{"LEAD", 1374}, -{"LEAF", 1375}, -{"LEAK", 1376}, -{"LEAN", 1377}, -{"LEAR", 1378}, -{"LED", 285}, -{"LEE", 286}, -{"LEEK", 1379}, -{"LEER", 1380}, -{"LEFT", 1381}, -{"LEG", 287}, -{"LEN", 288}, -{"LEND", 1382}, -{"LENS", 1383}, -{"LENT", 1384}, -{"LEO", 289}, -{"LEON", 1385}, -{"LESK", 1386}, -{"LESS", 1387}, -{"LEST", 1388}, -{"LET", 290}, -{"LETS", 1389}, -{"LEW", 291}, -{"LIAR", 1390}, -{"LICE", 1391}, -{"LICK", 1392}, -{"LID", 292}, -{"LIE", 293}, -{"LIED", 1393}, -{"LIEN", 1394}, -{"LIES", 1395}, -{"LIEU", 1396}, -{"LIFE", 1397}, -{"LIFT", 1398}, -{"LIKE", 1399}, -{"LILA", 1400}, -{"LILT", 1401}, -{"LILY", 1402}, -{"LIMA", 1403}, -{"LIMB", 1404}, -{"LIME", 1405}, -{"LIN", 294}, -{"LIND", 1406}, -{"LINE", 1407}, -{"LINK", 1408}, -{"LINT", 1409}, -{"LION", 1410}, -{"LIP", 295}, -{"LISA", 1411}, -{"LIST", 1412}, -{"LIT", 296}, -{"LIVE", 1413}, -{"LO", 297}, -{"LOAD", 1414}, -{"LOAF", 1415}, -{"LOAM", 1416}, -{"LOAN", 1417}, -{"LOB", 298}, -{"LOCK", 1418}, -{"LOFT", 1419}, -{"LOG", 299}, -{"LOGE", 1420}, -{"LOIS", 1421}, -{"LOLA", 1422}, -{"LONE", 1423}, -{"LONG", 1424}, -{"LOOK", 1425}, -{"LOON", 1426}, 
-{"LOOT", 1427}, -{"LOP", 300}, -{"LORD", 1428}, -{"LORE", 1429}, -{"LOS", 301}, -{"LOSE", 1430}, -{"LOSS", 1431}, -{"LOST", 1432}, -{"LOT", 302}, -{"LOU", 303}, -{"LOUD", 1433}, -{"LOVE", 1434}, -{"LOW", 304}, -{"LOWE", 1435}, -{"LOY", 305}, -{"LUCK", 1436}, -{"LUCY", 1437}, -{"LUG", 306}, -{"LUGE", 1438}, -{"LUKE", 1439}, -{"LULU", 1440}, -{"LUND", 1441}, -{"LUNG", 1442}, -{"LURA", 1443}, -{"LURE", 1444}, -{"LURK", 1445}, -{"LUSH", 1446}, -{"LUST", 1447}, -{"LYE", 307}, -{"LYLE", 1448}, -{"LYNN", 1449}, -{"LYON", 1450}, -{"LYRA", 1451}, -{"MA", 308}, -{"MAC", 309}, -{"MACE", 1452}, -{"MAD", 310}, -{"MADE", 1453}, -{"MAE", 311}, -{"MAGI", 1454}, -{"MAID", 1455}, -{"MAIL", 1456}, -{"MAIN", 1457}, -{"MAKE", 1458}, -{"MALE", 1459}, -{"MALI", 1460}, -{"MALL", 1461}, -{"MALT", 1462}, -{"MAN", 312}, -{"MANA", 1463}, -{"MANN", 1464}, -{"MANY", 1465}, -{"MAO", 313}, -{"MAP", 314}, -{"MARC", 1466}, -{"MARE", 1467}, -{"MARK", 1468}, -{"MARS", 1469}, -{"MART", 1470}, -{"MARY", 1471}, -{"MASH", 1472}, -{"MASK", 1473}, -{"MASS", 1474}, -{"MAST", 1475}, -{"MAT", 315}, -{"MATE", 1476}, -{"MATH", 1477}, -{"MAUL", 1478}, -{"MAW", 316}, -{"MAY", 317}, -{"MAYO", 1479}, -{"ME", 318}, -{"MEAD", 1480}, -{"MEAL", 1481}, -{"MEAN", 1482}, -{"MEAT", 1483}, -{"MEEK", 1484}, -{"MEET", 1485}, -{"MEG", 319}, -{"MEL", 320}, -{"MELD", 1486}, -{"MELT", 1487}, -{"MEMO", 1488}, -{"MEN", 321}, -{"MEND", 1489}, -{"MENU", 1490}, -{"MERT", 1491}, -{"MESH", 1492}, -{"MESS", 1493}, -{"MET", 322}, -{"MEW", 323}, -{"MICE", 1494}, -{"MID", 324}, -{"MIKE", 1495}, -{"MILD", 1496}, -{"MILE", 1497}, -{"MILK", 1498}, -{"MILL", 1499}, -{"MILT", 1500}, -{"MIMI", 1501}, -{"MIN", 325}, -{"MIND", 1502}, -{"MINE", 1503}, -{"MINI", 1504}, -{"MINK", 1505}, -{"MINT", 1506}, -{"MIRE", 1507}, -{"MISS", 1508}, -{"MIST", 1509}, -{"MIT", 326}, -{"MITE", 1510}, -{"MITT", 1511}, -{"MOAN", 1512}, -{"MOAT", 1513}, -{"MOB", 327}, -{"MOCK", 1514}, -{"MOD", 328}, -{"MODE", 1515}, -{"MOE", 329}, -{"MOLD", 1516}, -{"MOLE", 1517}, 
-{"MOLL", 1518}, -{"MOLT", 1519}, -{"MONA", 1520}, -{"MONK", 1521}, -{"MONT", 1522}, -{"MOO", 330}, -{"MOOD", 1523}, -{"MOON", 1524}, -{"MOOR", 1525}, -{"MOOT", 1526}, -{"MOP", 331}, -{"MORE", 1527}, -{"MORN", 1528}, -{"MORT", 1529}, -{"MOS", 332}, -{"MOSS", 1530}, -{"MOST", 1531}, -{"MOT", 333}, -{"MOTH", 1532}, -{"MOVE", 1533}, -{"MOW", 334}, -{"MUCH", 1534}, -{"MUCK", 1535}, -{"MUD", 335}, -{"MUDD", 1536}, -{"MUFF", 1537}, -{"MUG", 336}, -{"MULE", 1538}, -{"MULL", 1539}, -{"MUM", 337}, -{"MURK", 1540}, -{"MUSH", 1541}, -{"MUST", 1542}, -{"MUTE", 1543}, -{"MUTT", 1544}, -{"MY", 338}, -{"MYRA", 1545}, -{"MYTH", 1546}, -{"NAB", 339}, -{"NAG", 340}, -{"NAGY", 1547}, -{"NAIL", 1548}, -{"NAIR", 1549}, -{"NAME", 1550}, -{"NAN", 341}, -{"NAP", 342}, -{"NARY", 1551}, -{"NASH", 1552}, -{"NAT", 343}, -{"NAVE", 1553}, -{"NAVY", 1554}, -{"NAY", 344}, -{"NE", 345}, -{"NEAL", 1555}, -{"NEAR", 1556}, -{"NEAT", 1557}, -{"NECK", 1558}, -{"NED", 346}, -{"NEE", 347}, -{"NEED", 1559}, -{"NEIL", 1560}, -{"NELL", 1561}, -{"NEON", 1562}, -{"NERO", 1563}, -{"NESS", 1564}, -{"NEST", 1565}, -{"NET", 348}, -{"NEW", 349}, -{"NEWS", 1566}, -{"NEWT", 1567}, -{"NIB", 350}, -{"NIBS", 1568}, -{"NICE", 1569}, -{"NICK", 1570}, -{"NIIL", 351}, -{"NILE", 1571}, -{"NINA", 1572}, -{"NINE", 1573}, -{"NIP", 352}, -{"NIT", 353}, -{"NO", 354}, -{"NOAH", 1574}, -{"NOB", 355}, -{"NOD", 356}, -{"NODE", 1575}, -{"NOEL", 1576}, -{"NOLL", 1577}, -{"NON", 357}, -{"NONE", 1578}, -{"NOOK", 1579}, -{"NOON", 1580}, -{"NOR", 358}, -{"NORM", 1581}, -{"NOSE", 1582}, -{"NOT", 359}, -{"NOTE", 1583}, -{"NOUN", 1584}, -{"NOV", 360}, -{"NOVA", 1585}, -{"NOW", 361}, -{"NU", 362}, -{"NUDE", 1586}, -{"NULL", 1587}, -{"NUMB", 1588}, -{"NUN", 363}, -{"NUT", 364}, -{"O", 365}, -{"OAF", 366}, -{"OAK", 367}, -{"OAR", 368}, -{"OAT", 369}, -{"OATH", 1589}, -{"OBEY", 1590}, -{"OBOE", 1591}, -{"ODD", 370}, -{"ODE", 371}, -{"ODIN", 1592}, -{"OF", 372}, -{"OFF", 373}, -{"OFT", 374}, -{"OH", 375}, -{"OHIO", 1593}, -{"OIL", 376}, -{"OILY", 
1594}, -{"OINT", 1595}, -{"OK", 377}, -{"OKAY", 1596}, -{"OLAF", 1597}, -{"OLD", 378}, -{"OLDY", 1598}, -{"OLGA", 1599}, -{"OLIN", 1600}, -{"OMAN", 1601}, -{"OMEN", 1602}, -{"OMIT", 1603}, -{"ON", 379}, -{"ONCE", 1604}, -{"ONE", 380}, -{"ONES", 1605}, -{"ONLY", 1606}, -{"ONTO", 1607}, -{"ONUS", 1608}, -{"OR", 381}, -{"ORAL", 1609}, -{"ORB", 382}, -{"ORE", 383}, -{"ORGY", 1610}, -{"ORR", 384}, -{"OS", 385}, -{"OSLO", 1611}, -{"OTIS", 1612}, -{"OTT", 386}, -{"OTTO", 1613}, -{"OUCH", 1614}, -{"OUR", 387}, -{"OUST", 1615}, -{"OUT", 388}, -{"OUTS", 1616}, -{"OVA", 389}, -{"OVAL", 1617}, -{"OVEN", 1618}, -{"OVER", 1619}, -{"OW", 390}, -{"OWE", 391}, -{"OWL", 392}, -{"OWLY", 1620}, -{"OWN", 393}, -{"OWNS", 1621}, -{"OX", 394}, -{"PA", 395}, -{"PAD", 396}, -{"PAL", 397}, -{"PAM", 398}, -{"PAN", 399}, -{"PAP", 400}, -{"PAR", 401}, -{"PAT", 402}, -{"PAW", 403}, -{"PAY", 404}, -{"PEA", 405}, -{"PEG", 406}, -{"PEN", 407}, -{"PEP", 408}, -{"PER", 409}, -{"PET", 410}, -{"PEW", 411}, -{"PHI", 412}, -{"PI", 413}, -{"PIE", 414}, -{"PIN", 415}, -{"PIT", 416}, -{"PLY", 417}, -{"PO", 418}, -{"POD", 419}, -{"POE", 420}, -{"POP", 421}, -{"POT", 422}, -{"POW", 423}, -{"PRO", 424}, -{"PRY", 425}, -{"PUB", 426}, -{"PUG", 427}, -{"PUN", 428}, -{"PUP", 429}, -{"PUT", 430}, -{"QUAD", 1622}, -{"QUIT", 1623}, -{"QUO", 431}, -{"QUOD", 1624}, -{"RACE", 1625}, -{"RACK", 1626}, -{"RACY", 1627}, -{"RAFT", 1628}, -{"RAG", 432}, -{"RAGE", 1629}, -{"RAID", 1630}, -{"RAIL", 1631}, -{"RAIN", 1632}, -{"RAKE", 1633}, -{"RAM", 433}, -{"RAN", 434}, -{"RANK", 1634}, -{"RANT", 1635}, -{"RAP", 435}, -{"RARE", 1636}, -{"RASH", 1637}, -{"RAT", 436}, -{"RATE", 1638}, -{"RAVE", 1639}, -{"RAW", 437}, -{"RAY", 438}, -{"RAYS", 1640}, -{"READ", 1641}, -{"REAL", 1642}, -{"REAM", 1643}, -{"REAR", 1644}, -{"REB", 439}, -{"RECK", 1645}, -{"RED", 440}, -{"REED", 1646}, -{"REEF", 1647}, -{"REEK", 1648}, -{"REEL", 1649}, -{"REID", 1650}, -{"REIN", 1651}, -{"RENA", 1652}, -{"REND", 1653}, -{"RENT", 1654}, -{"REP", 441}, 
-{"REST", 1655}, -{"RET", 442}, -{"RIB", 443}, -{"RICE", 1656}, -{"RICH", 1657}, -{"RICK", 1658}, -{"RID", 444}, -{"RIDE", 1659}, -{"RIFT", 1660}, -{"RIG", 445}, -{"RILL", 1661}, -{"RIM", 446}, -{"RIME", 1662}, -{"RING", 1663}, -{"RINK", 1664}, -{"RIO", 447}, -{"RIP", 448}, -{"RISE", 1665}, -{"RISK", 1666}, -{"RITE", 1667}, -{"ROAD", 1668}, -{"ROAM", 1669}, -{"ROAR", 1670}, -{"ROB", 449}, -{"ROBE", 1671}, -{"ROCK", 1672}, -{"ROD", 450}, -{"RODE", 1673}, -{"ROE", 451}, -{"ROIL", 1674}, -{"ROLL", 1675}, -{"ROME", 1676}, -{"RON", 452}, -{"ROOD", 1677}, -{"ROOF", 1678}, -{"ROOK", 1679}, -{"ROOM", 1680}, -{"ROOT", 1681}, -{"ROSA", 1682}, -{"ROSE", 1683}, -{"ROSS", 1684}, -{"ROSY", 1685}, -{"ROT", 453}, -{"ROTH", 1686}, -{"ROUT", 1687}, -{"ROVE", 1688}, -{"ROW", 454}, -{"ROWE", 1689}, -{"ROWS", 1690}, -{"ROY", 455}, -{"RUB", 456}, -{"RUBE", 1691}, -{"RUBY", 1692}, -{"RUDE", 1693}, -{"RUDY", 1694}, -{"RUE", 457}, -{"RUG", 458}, -{"RUIN", 1695}, -{"RULE", 1696}, -{"RUM", 459}, -{"RUN", 460}, -{"RUNG", 1697}, -{"RUNS", 1698}, -{"RUNT", 1699}, -{"RUSE", 1700}, -{"RUSH", 1701}, -{"RUSK", 1702}, -{"RUSS", 1703}, -{"RUST", 1704}, -{"RUTH", 1705}, -{"RYE", 461}, -{"SAC", 462}, -{"SACK", 1706}, -{"SAD", 463}, -{"SAFE", 1707}, -{"SAG", 464}, -{"SAGE", 1708}, -{"SAID", 1709}, -{"SAIL", 1710}, -{"SAL", 465}, -{"SALE", 1711}, -{"SALK", 1712}, -{"SALT", 1713}, -{"SAM", 466}, -{"SAME", 1714}, -{"SAN", 467}, -{"SAND", 1715}, -{"SANE", 1716}, -{"SANG", 1717}, -{"SANK", 1718}, -{"SAP", 468}, -{"SARA", 1719}, -{"SAT", 469}, -{"SAUL", 1720}, -{"SAVE", 1721}, -{"SAW", 470}, -{"SAY", 471}, -{"SAYS", 1722}, -{"SCAN", 1723}, -{"SCAR", 1724}, -{"SCAT", 1725}, -{"SCOT", 1726}, -{"SEA", 472}, -{"SEAL", 1727}, -{"SEAM", 1728}, -{"SEAR", 1729}, -{"SEAT", 1730}, -{"SEC", 473}, -{"SEE", 474}, -{"SEED", 1731}, -{"SEEK", 1732}, -{"SEEM", 1733}, -{"SEEN", 1734}, -{"SEES", 1735}, -{"SELF", 1736}, -{"SELL", 1737}, -{"SEN", 475}, -{"SEND", 1738}, -{"SENT", 1739}, -{"SET", 476}, -{"SETS", 1740}, -{"SEW", 
477}, -{"SEWN", 1741}, -{"SHAG", 1742}, -{"SHAM", 1743}, -{"SHAW", 1744}, -{"SHAY", 1745}, -{"SHE", 478}, -{"SHED", 1746}, -{"SHIM", 1747}, -{"SHIN", 1748}, -{"SHOD", 1749}, -{"SHOE", 1750}, -{"SHOT", 1751}, -{"SHOW", 1752}, -{"SHUN", 1753}, -{"SHUT", 1754}, -{"SHY", 479}, -{"SICK", 1755}, -{"SIDE", 1756}, -{"SIFT", 1757}, -{"SIGH", 1758}, -{"SIGN", 1759}, -{"SILK", 1760}, -{"SILL", 1761}, -{"SILO", 1762}, -{"SILT", 1763}, -{"SIN", 480}, -{"SINE", 1764}, -{"SING", 1765}, -{"SINK", 1766}, -{"SIP", 481}, -{"SIR", 482}, -{"SIRE", 1767}, -{"SIS", 483}, -{"SIT", 484}, -{"SITE", 1768}, -{"SITS", 1769}, -{"SITU", 1770}, -{"SKAT", 1771}, -{"SKEW", 1772}, -{"SKI", 485}, -{"SKID", 1773}, -{"SKIM", 1774}, -{"SKIN", 1775}, -{"SKIT", 1776}, -{"SKY", 486}, -{"SLAB", 1777}, -{"SLAM", 1778}, -{"SLAT", 1779}, -{"SLAY", 1780}, -{"SLED", 1781}, -{"SLEW", 1782}, -{"SLID", 1783}, -{"SLIM", 1784}, -{"SLIT", 1785}, -{"SLOB", 1786}, -{"SLOG", 1787}, -{"SLOT", 1788}, -{"SLOW", 1789}, -{"SLUG", 1790}, -{"SLUM", 1791}, -{"SLUR", 1792}, -{"SLY", 487}, -{"SMOG", 1793}, -{"SMUG", 1794}, -{"SNAG", 1795}, -{"SNOB", 1796}, -{"SNOW", 1797}, -{"SNUB", 1798}, -{"SNUG", 1799}, -{"SO", 488}, -{"SOAK", 1800}, -{"SOAR", 1801}, -{"SOB", 489}, -{"SOCK", 1802}, -{"SOD", 490}, -{"SODA", 1803}, -{"SOFA", 1804}, -{"SOFT", 1805}, -{"SOIL", 1806}, -{"SOLD", 1807}, -{"SOME", 1808}, -{"SON", 491}, -{"SONG", 1809}, -{"SOON", 1810}, -{"SOOT", 1811}, -{"SOP", 492}, -{"SORE", 1812}, -{"SORT", 1813}, -{"SOUL", 1814}, -{"SOUR", 1815}, -{"SOW", 493}, -{"SOWN", 1816}, -{"SOY", 494}, -{"SPA", 495}, -{"SPY", 496}, -{"STAB", 1817}, -{"STAG", 1818}, -{"STAN", 1819}, -{"STAR", 1820}, -{"STAY", 1821}, -{"STEM", 1822}, -{"STEW", 1823}, -{"STIR", 1824}, -{"STOW", 1825}, -{"STUB", 1826}, -{"STUN", 1827}, -{"SUB", 497}, -{"SUCH", 1828}, -{"SUD", 498}, -{"SUDS", 1829}, -{"SUE", 499}, -{"SUIT", 1830}, -{"SULK", 1831}, -{"SUM", 500}, -{"SUMS", 1832}, -{"SUN", 501}, -{"SUNG", 1833}, -{"SUNK", 1834}, -{"SUP", 502}, -{"SURE", 1835}, 
-{"SURF", 1836}, -{"SWAB", 1837}, -{"SWAG", 1838}, -{"SWAM", 1839}, -{"SWAN", 1840}, -{"SWAT", 1841}, -{"SWAY", 1842}, -{"SWIM", 1843}, -{"SWUM", 1844}, -{"TAB", 503}, -{"TACK", 1845}, -{"TACT", 1846}, -{"TAD", 504}, -{"TAG", 505}, -{"TAIL", 1847}, -{"TAKE", 1848}, -{"TALE", 1849}, -{"TALK", 1850}, -{"TALL", 1851}, -{"TAN", 506}, -{"TANK", 1852}, -{"TAP", 507}, -{"TAR", 508}, -{"TASK", 1853}, -{"TATE", 1854}, -{"TAUT", 1855}, -{"TEA", 509}, -{"TEAL", 1856}, -{"TEAM", 1857}, -{"TEAR", 1858}, -{"TECH", 1859}, -{"TED", 510}, -{"TEE", 511}, -{"TEEM", 1860}, -{"TEEN", 1861}, -{"TEET", 1862}, -{"TELL", 1863}, -{"TEN", 512}, -{"TEND", 1864}, -{"TENT", 1865}, -{"TERM", 1866}, -{"TERN", 1867}, -{"TESS", 1868}, -{"TEST", 1869}, -{"THAN", 1870}, -{"THAT", 1871}, -{"THE", 513}, -{"THEE", 1872}, -{"THEM", 1873}, -{"THEN", 1874}, -{"THEY", 1875}, -{"THIN", 1876}, -{"THIS", 1877}, -{"THUD", 1878}, -{"THUG", 1879}, -{"THY", 514}, -{"TIC", 515}, -{"TICK", 1880}, -{"TIDE", 1881}, -{"TIDY", 1882}, -{"TIE", 516}, -{"TIED", 1883}, -{"TIER", 1884}, -{"TILE", 1885}, -{"TILL", 1886}, -{"TILT", 1887}, -{"TIM", 517}, -{"TIME", 1888}, -{"TIN", 518}, -{"TINA", 1889}, -{"TINE", 1890}, -{"TINT", 1891}, -{"TINY", 1892}, -{"TIP", 519}, -{"TIRE", 1893}, -{"TO", 520}, -{"TOAD", 1894}, -{"TOE", 521}, -{"TOG", 522}, -{"TOGO", 1895}, -{"TOIL", 1896}, -{"TOLD", 1897}, -{"TOLL", 1898}, -{"TOM", 523}, -{"TON", 524}, -{"TONE", 1899}, -{"TONG", 1900}, -{"TONY", 1901}, -{"TOO", 525}, -{"TOOK", 1902}, -{"TOOL", 1903}, -{"TOOT", 1904}, -{"TOP", 526}, -{"TORE", 1905}, -{"TORN", 1906}, -{"TOTE", 1907}, -{"TOUR", 1908}, -{"TOUT", 1909}, -{"TOW", 527}, -{"TOWN", 1910}, -{"TOY", 528}, -{"TRAG", 1911}, -{"TRAM", 1912}, -{"TRAY", 1913}, -{"TREE", 1914}, -{"TREK", 1915}, -{"TRIG", 1916}, -{"TRIM", 1917}, -{"TRIO", 1918}, -{"TROD", 1919}, -{"TROT", 1920}, -{"TROY", 1921}, -{"TRUE", 1922}, -{"TRY", 529}, -{"TUB", 530}, -{"TUBA", 1923}, -{"TUBE", 1924}, -{"TUCK", 1925}, -{"TUFT", 1926}, -{"TUG", 531}, -{"TUM", 532}, 
-{"TUN", 533}, -{"TUNA", 1927}, -{"TUNE", 1928}, -{"TUNG", 1929}, -{"TURF", 1930}, -{"TURN", 1931}, -{"TUSK", 1932}, -{"TWIG", 1933}, -{"TWIN", 1934}, -{"TWIT", 1935}, -{"TWO", 534}, -{"ULAN", 1936}, -{"UN", 535}, -{"UNIT", 1937}, -{"UP", 536}, -{"URGE", 1938}, -{"US", 537}, -{"USE", 538}, -{"USED", 1939}, -{"USER", 1940}, -{"USES", 1941}, -{"UTAH", 1942}, -{"VAIL", 1943}, -{"VAIN", 1944}, -{"VALE", 1945}, -{"VAN", 539}, -{"VARY", 1946}, -{"VASE", 1947}, -{"VAST", 1948}, -{"VAT", 540}, -{"VEAL", 1949}, -{"VEDA", 1950}, -{"VEIL", 1951}, -{"VEIN", 1952}, -{"VEND", 1953}, -{"VENT", 1954}, -{"VERB", 1955}, -{"VERY", 1956}, -{"VET", 541}, -{"VETO", 1957}, -{"VICE", 1958}, -{"VIE", 542}, -{"VIEW", 1959}, -{"VINE", 1960}, -{"VISE", 1961}, -{"VOID", 1962}, -{"VOLT", 1963}, -{"VOTE", 1964}, -{"WACK", 1965}, -{"WAD", 543}, -{"WADE", 1966}, -{"WAG", 544}, -{"WAGE", 1967}, -{"WAIL", 1968}, -{"WAIT", 1969}, -{"WAKE", 1970}, -{"WALE", 1971}, -{"WALK", 1972}, -{"WALL", 1973}, -{"WALT", 1974}, -{"WAND", 1975}, -{"WANE", 1976}, -{"WANG", 1977}, -{"WANT", 1978}, -{"WAR", 545}, -{"WARD", 1979}, -{"WARM", 1980}, -{"WARN", 1981}, -{"WART", 1982}, -{"WAS", 546}, -{"WASH", 1983}, -{"WAST", 1984}, -{"WATS", 1985}, -{"WATT", 1986}, -{"WAVE", 1987}, -{"WAVY", 1988}, -{"WAY", 547}, -{"WAYS", 1989}, -{"WE", 548}, -{"WEAK", 1990}, -{"WEAL", 1991}, -{"WEAN", 1992}, -{"WEAR", 1993}, -{"WEB", 549}, -{"WED", 550}, -{"WEE", 551}, -{"WEED", 1994}, -{"WEEK", 1995}, -{"WEIR", 1996}, -{"WELD", 1997}, -{"WELL", 1998}, -{"WELT", 1999}, -{"WENT", 2000}, -{"WERE", 2001}, -{"WERT", 2002}, -{"WEST", 2003}, -{"WET", 552}, -{"WHAM", 2004}, -{"WHAT", 2005}, -{"WHEE", 2006}, -{"WHEN", 2007}, -{"WHET", 2008}, -{"WHO", 553}, -{"WHOA", 2009}, -{"WHOM", 2010}, -{"WHY", 554}, -{"WICK", 2011}, -{"WIFE", 2012}, -{"WILD", 2013}, -{"WILL", 2014}, -{"WIN", 555}, -{"WIND", 2015}, -{"WINE", 2016}, -{"WING", 2017}, -{"WINK", 2018}, -{"WINO", 2019}, -{"WIRE", 2020}, -{"WISE", 2021}, -{"WISH", 2022}, -{"WIT", 556}, -{"WITH", 
2023}, -{"WOK", 557}, -{"WOLF", 2024}, -{"WON", 558}, -{"WONT", 2025}, -{"WOO", 559}, -{"WOOD", 2026}, -{"WOOL", 2027}, -{"WORD", 2028}, -{"WORE", 2029}, -{"WORK", 2030}, -{"WORM", 2031}, -{"WORN", 2032}, -{"WOVE", 2033}, -{"WOW", 560}, -{"WRIT", 2034}, -{"WRY", 561}, -{"WU", 562}, -{"WYNN", 2035}, -{"YALE", 2036}, -{"YAM", 563}, -{"YANG", 2037}, -{"YANK", 2038}, -{"YAP", 564}, -{"YARD", 2039}, -{"YARN", 2040}, -{"YAW", 565}, -{"YAWL", 2041}, -{"YAWN", 2042}, -{"YE", 566}, -{"YEA", 567}, -{"YEAH", 2043}, -{"YEAR", 2044}, -{"YELL", 2045}, -{"YES", 568}, -{"YET", 569}, -{"YOGA", 2046}, -{"YOKE", 2047}, -{"YOU", 570} -}; diff --git a/crypto/heimdal-0.6.3/lib/otp/otp_print.c b/crypto/heimdal-0.6.3/lib/otp/otp_print.c deleted file mode 100644 index 701a74cff5..0000000000 --- a/crypto/heimdal-0.6.3/lib/otp/otp_print.c +++ /dev/null 
@@ -1,99 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-RCSID("$Id: otp_print.c,v 1.14 1999/12/02 16:58:45 joda Exp $");
-#endif
-
-#include "otp_locl.h"
-
-extern const char *const std_dict[];
-
-unsigned
-otp_checksum (OtpKey key)
-{
- int i;
- unsigned sum = 0;
-
- for (i = 0; i < OTPKEYSIZE; ++i)
- sum += ((key[i] >> 0) & 0x03)
- + ((key[i] >> 2) & 0x03)
- + ((key[i] >> 4) & 0x03)
- + ((key[i] >> 6) & 0x03);
- sum &= 0x03;
- return sum;
-}
-
-void
-otp_print_stddict (OtpKey key, char *str, size_t sz)
-{
- unsigned sum;
-
- sum = otp_checksum (key);
- snprintf (str, sz,
- "%s %s %s %s %s %s",
- std_dict[(key[0] << 3) | (key[1] >> 5)],
- std_dict[((key[1] & 0x1F) << 6) | (key[2] >> 2)],
- std_dict[((key[2] & 0x03) << 9) | (key[3] << 1) | (key[4] >> 7)],
- std_dict[((key[4] & 0x7F) << 4) | (key[5] >> 4)],
- std_dict[((key[5] & 0x0F) << 7) | (key[6] >> 1)],
- std_dict[((key[6] & 0x01) << 10) | (key[7] << 2) | sum]);
-}
-
-void
-otp_print_hex (OtpKey key, char *str, size_t sz)
-{
- snprintf (str, sz,
- "%02x%02x%02x%02x%02x%02x%02x%02x",
- key[0], key[1], key[2], key[3],
- key[4], key[5], key[6], key[7]);
-}
-
-void
-otp_print_hex_extended (OtpKey key, char *str, size_t sz)
-{
- strlcpy (str, OTP_HEXPREFIX, sz);
- otp_print_hex (key,
- str + strlen(OTP_HEXPREFIX),
- sz - strlen(OTP_HEXPREFIX));
-}
-
-void
-otp_print_stddict_extended (OtpKey key, char *str, size_t sz)
-{
- strlcpy (str, OTP_WORDPREFIX, sz);
- otp_print_stddict (key,
- str + strlen(OTP_WORDPREFIX),
- sz - strlen(OTP_WORDPREFIX));
-}
diff --git a/crypto/heimdal-0.6.3/lib/otp/otp_verify.c b/crypto/heimdal-0.6.3/lib/otp/otp_verify.c
deleted file mode 100644
index 5fec82e2b6..0000000000
--- a/crypto/heimdal-0.6.3/lib/otp/otp_verify.c
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-RCSID("$Id: otp_verify.c,v 1.7 2000/07/01 13:58:38 assar Exp $");
-#endif
-
-#include "otp_locl.h"
-
-int
-otp_verify_user_1 (OtpContext *ctx, const char *passwd)
-{
- OtpKey key1, key2;
-
- if (otp_parse (key1, passwd, ctx->alg)) {
- ctx->err = "Syntax error in reply";
- return -1;
- }
- memcpy (key2, key1, sizeof(key1));
- ctx->alg->next (key2);
- if (memcmp (ctx->key, key2, sizeof(key2)) == 0) {
- --ctx->n;
- memcpy (ctx->key, key1, sizeof(key1));
- return 0;
- } else
- return -1;
-}
-
-int
-otp_verify_user (OtpContext *ctx, const char *passwd)
-{
- void *dbm;
- int ret;
-
- if (!ctx->challengep)
- return -1;
- ret = otp_verify_user_1 (ctx, passwd);
- dbm = otp_db_open ();
- if (dbm == NULL) {
- free(ctx->user);
- return -1;
- }
- otp_put (dbm, ctx);
- free(ctx->user);
- otp_db_close (dbm);
- return ret;
-}
diff --git a/crypto/heimdal-0.6.3/lib/otp/otptest.c b/crypto/heimdal-0.6.3/lib/otp/otptest.c
deleted file mode 100644
index 4eb342c797..0000000000
--- a/crypto/heimdal-0.6.3/lib/otp/otptest.c
+++ /dev/null
@@ -1,145 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#ifdef HAVE_CONFIG_H -#include "config.h" -RCSID("$Id: otptest.c,v 1.6 1999/12/02 16:58:45 joda Exp $"); -#endif - -#include -#include -#include - -static int -test_one(OtpKey key1, char *name, char *val, - void (*print)(OtpKey,char*, size_t), - OtpAlgorithm *alg) -{ - char buf[256]; - OtpKey key2; - - (*print)(key1, buf, sizeof(buf)); - printf ("%s: %s, ", name, buf); - if (strcmp (buf, val) != 0) { - printf ("failed(*%s* != *%s*)\n", buf, val); - return 1; - } - if (otp_parse (key2, buf, alg)) { - printf ("parse of %s failed\n", name); - return 1; - } - if (memcmp (key1, key2, OTPKEYSIZE) != 0) { - printf ("key1 != key2, "); - } - printf ("success\n"); - return 0; -} - -static int -test (void) -{ - struct test { - char *alg; - char *passphrase; - char *seed; - int count; - char *hex; - char *word; - } tests[] = { - - /* md4 */ - {"md4", "This is a test.", "TeSt", 0, "d1854218ebbb0b51", "ROME MUG FRED SCAN LIVE LACE"}, - {"md4", "This is a test.", "TeSt", 1, "63473ef01cd0b444", "CARD SAD MINI RYE COL KIN"}, - {"md4", "This is a test.", "TeSt", 99, "c5e612776e6c237a", "NOTE OUT IBIS SINK NAVE MODE"}, - {"md4", "AbCdEfGhIjK", "alpha1", 0, "50076f47eb1ade4e", "AWAY SEN ROOK SALT LICE MAP"}, - {"md4", "AbCdEfGhIjK", "alpha1", 1, "65d20d1949b5f7ab", "CHEW GRIM WU HANG BUCK SAID"}, - {"md4", "AbCdEfGhIjK", "alpha1", 99, "d150c82cce6f62d1", "ROIL FREE COG HUNK WAIT COCA"}, - {"md4", "OTP's are good", "correct", 0, "849c79d4f6f55388", "FOOL STEM DONE TOOL BECK NILE"}, - {"md4", "OTP's are good", "correct", 1, "8c0992fb250847b1", "GIST AMOS MOOT AIDS FOOD SEEM"}, - {"md4", "OTP's are good", "correct",99, "3f3bf4b4145fd74b", "TAG SLOW NOV MIN WOOL KENO"}, - - - /* md5 */ - {"md5", "This is a test.", "TeSt", 0, "9e876134d90499dd", "INCH SEA ANNE LONG AHEM TOUR"}, - {"md5", "This is a test.", "TeSt", 1, "7965e05436f5029f", "EASE OIL FUM CURE AWRY AVIS"}, - {"md5", "This is a test.", "TeSt", 99, "50fe1962c4965880", "BAIL TUFT BITS GANG CHEF THY"}, - {"md5", 
"AbCdEfGhIjK", "alpha1", 0, "87066dd9644bf206", "FULL PEW DOWN ONCE MORT ARC"}, - {"md5", "AbCdEfGhIjK", "alpha1", 1, "7cd34c1040add14b", "FACT HOOF AT FIST SITE KENT"}, - {"md5", "AbCdEfGhIjK", "alpha1", 99, "5aa37a81f212146c", "BODE HOP JAKE STOW JUT RAP"}, - {"md5", "OTP's are good", "correct", 0, "f205753943de4cf9", "ULAN NEW ARMY FUSE SUIT EYED"}, - {"md5", "OTP's are good", "correct", 1, "ddcdac956f234937", "SKIM CULT LOB SLAM POE HOWL"}, - {"md5", "OTP's are good", "correct",99, "b203e28fa525be47", "LONG IVY JULY AJAR BOND LEE"}, - - /* sha */ - {"sha", "This is a test.", "TeSt", 0, "bb9e6ae1979d8ff4", "MILT VARY MAST OK SEES WENT"}, - {"sha", "This is a test.", "TeSt", 1, "63d936639734385b", "CART OTTO HIVE ODE VAT NUT"}, - {"sha", "This is a test.", "TeSt", 99, "87fec7768b73ccf9", "GAFF WAIT SKID GIG SKY EYED"}, - {"sha", "AbCdEfGhIjK", "alpha1", 0, "ad85f658ebe383c9", "LEST OR HEEL SCOT ROB SUIT"}, - {"sha", "AbCdEfGhIjK", "alpha1", 1, "d07ce229b5cf119b", "RITE TAKE GELD COST TUNE RECK"}, - {"sha", "AbCdEfGhIjK", "alpha1", 99, "27bc71035aaf3dc6", "MAY STAR TIN LYON VEDA STAN"}, - {"sha", "OTP's are good", "correct", 0, "d51f3e99bf8e6f0b", "RUST WELT KICK FELL TAIL FRAU"}, - {"sha", "OTP's are good", "correct", 1, "82aeb52d943774e4", "FLIT DOSE ALSO MEW DRUM DEFY"}, - {"sha", "OTP's are good", "correct", 99, "4f296a74fe1567ec", "AURA ALOE HURL WING BERG WAIT"}, - {NULL} - }; - - struct test *t; - int sum = 0; - - for(t = tests; t->alg; ++t) { - int i; - OtpAlgorithm *alg = otp_find_alg (t->alg); - OtpKey key; - - if (alg == NULL) { - printf ("Could not find alg %s\n", t->alg); - return 1; - } - if(alg->init (key, t->passphrase, t->seed)) - return 1; - for (i = 0; i < t->count; ++i) { - if (alg->next (key)) - return 1; - } - sum += test_one (key, "hexadecimal", t->hex, otp_print_hex, - alg) + - test_one (key, "standard_word", t->word, otp_print_stddict, alg); - } - return sum; -} - -int -main (void) -{ - return test (); -} 
diff --git a/crypto/heimdal-0.6.3/lib/otp/roken_rename.h b/crypto/heimdal-0.6.3/lib/otp/roken_rename.h
deleted file mode 100644
index de1545e430..0000000000
--- a/crypto/heimdal-0.6.3/lib/otp/roken_rename.h
+++ /dev/null
@@ -1,73 +0,0 @@
-/*
- * Copyright (c) 1998 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -/* $Id: roken_rename.h,v 1.3 2003/04/16 16:33:57 lha Exp $ */ - -#ifndef __roken_rename_h__ -#define __roken_rename_h__ - -#ifndef HAVE_SNPRINTF -#define snprintf _otp_snprintf -#endif -#ifndef HAVE_ASPRINTF -#define asprintf _otp_asprintf -#endif -#ifndef HAVE_ASNPRINTF -#define asnprintf _otp_asnprintf -#endif -#ifndef HAVE_VASPRINTF -#define vasprintf _otp_vasprintf -#endif -#ifndef HAVE_VASNPRINTF -#define vasnprintf _otp_vasnprintf -#endif -#ifndef HAVE_VSNPRINTF -#define vsnprintf _otp_vsnprintf -#endif -#ifndef HAVE_STRCASECMP -#define strcasecmp _otp_strcasecmp -#endif -#ifndef HAVE_STRNCASECMP -#define strncasecmp _otp_strncasecmp -#endif -#ifndef HAVE_STRLWR -#define strlwr _otp_strlwr -#endif -#ifndef HAVE_STRLCAT -#define strlcat _otp_strlcat -#endif -#ifndef HAVE_STRLCPY -#define strlcpy _otp_strlcpy -#endif - -#endif /* __roken_rename_h__ */ diff --git a/crypto/heimdal-0.6.3/lib/roken/ChangeLog b/crypto/heimdal-0.6.3/lib/roken/ChangeLog deleted file mode 100644 index 3132d23ae6..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/ChangeLog +++ /dev/null @@ -1,1488 +0,0 @@ -2004-01-15 Love - - * roken-common.h: 1.52: use EAI_NONAME instead of EAI_ADDRFAMILY - to check for if we need EAI_ macros - - * gai_strerror.c: 1.4: correct ifdef for EAI_ADDRFAMILY - 1.3: EAI_ADDRFAMILY and EAI_NODATA is deprecated - -2003-08-29 Love - - * ndbm_wrap.c: 1.1->1.2: patch for working with DB4 on - heimdal-discuss 
From: Luke Howard - -2003-04-22 Love - - * resolve.c: 1.38->1.39: copy NUL too, from janj@wenf.org via - openbsd - -2003-04-16 Love - - * parse_units.h: remove typedef for units to avoid problems with - shadowing - - * resolve.c: use strlcpy, from openbsd - - * getcap.c: use strlcpy, from openbsd - - * getarg.3: Change .Fd #include to .In header.h - from Thomas Klausner - -2003-04-15 Love - - * socket.c (socket_set_tos): if setsockopt failed with EINVAL - failed, just ignore it, sock was probably a just a non AF_INET - socket - -2003-04-14 Love - - * strncasecmp.c: cast argument to toupper to unsigned char, from - Christian Biere via NetBSD - - * strlwr.c: cast argument to tolower to unsigned char, from - Christian Biere via NetBSD - - * strcasecmp.c: cast argument to toupper to unsigned char, from - Christian Biere via NetBSD - -2003-03-19 Love - - * getarg.3: spelling, from - -2003-03-07 Love - - * parse_bytes.c: use struct units instead of units - - * parse_time.c: use struct units instead of units - -2003-03-04 Love - - * roken.awk: use full prototype for main - -2002-10-15 Johan Danielsson - - * resolve.c: check length of txt records - -2002-09-10 Johan Danielsson - - * roken.awk: include config.h before stdio.h (breaks with - _FILE_OFFSET_BITS on solaris otherwise) - -2002-09-09 Johan Danielsson - - * resolve.c: fix res_nsearch call, but don't use it for now, AIX5 - has a broken version that trashes memory - - * roken-common.h: fix typo in previous - - * roken-common.h: change IRIX == 4 to IRIX4 - -2002-09-04 Assar Westerlund - - * getifaddrs.c: remove some warnings from the linux-portion - - * getnameinfo_verified.c (getnameinfo_verified): handle the case - of forward but no backward DNS information, and also describe the - desired behaviour. 
from Love - -2002-09-04 Johan Danielsson - - * rtbl.c (rtbl_destroy): free whole table - - * resolve.c: use res_nsearch if we have it (from Larry Greenfield) - -2002-09-03 Assar Westerlund - - * getifaddrs.c: add Linux AF_NETLINK getifaddrs from Hideaki - YOSHIFUJI of the Usagi project - - * parse_reply-test.c: make this build and return 77 if there is no - mmap - - * Makefile.am (parse_reply-test): add - * parse_reply-test.c: add a test case for parse_reply reading past - the given buffer - * resolve.c (parse_reply): update the arguments to more reasonable - types. allow parse_reply-test to call it - -2002-08-28 Johan Danielsson - - * resolve.c (dns_srv_order): do alignment tricks with the random() - state (from NetBSD) - -2002-08-27 Assar Westerlund - - * resolve.c (parse_reply): verify the lengths (both external and - internal) are consistent and not too long - (dns_lookup_int): be conservative in the length sent in to to - parse_reply - -2002-08-26 Assar Westerlund - - * roken.h.in: add prototypes for str, unvis functions - * resolve.h: add fallback definition for T_AAAA - -2002-08-22 Johan Danielsson - - * roken.h.in: we may need a prototype for strndup - -2002-08-20 Johan Danielsson - - * roken.h.in: typedef ssize_t here - - * getarg.c: don't put Ns before comma - - * resolve.c: _res might not be available - - * localtime_r.c: include stdio.h and roken.h - - * strftime.c: only use altzone if we have it - - * roken-common.h: AI_NUMERICHOST needs special handling - - * strlcat.c: add some consistency checks - - * strlcpy.c: make the logic simpler, and handle dst_sz == 0 - -2002-08-19 Johan Danielsson - - * resolve.h: prefix these functions to avoid conflicts with other - packages - -2002-08-14 Johan Danielsson - - * strsep_copy.c: don't write to buf if len == 0 - -2002-05-31 Assar Westerlund - - * Makefile.am: *_LDADD: add LDADD, so that libroken is used - -2002-05-17 Johan Danielsson - - * xdbm.h: remove old dbm part - -2002-04-30 Johan Danielsson - - * 
ndbm_wrap.{c,h}: ndbm wrapper for newer db libraries - -2002-04-18 Johan Danielsson - - * roken.h.in: move mini_inetd protos to after addrinfo definition - - * snprintf.c (append_number): make rep const - - * getarg.h: rename optind and optarg to avoid some gcc warnings - - * getarg.c: rename optind and optarg to avoid some gcc warnings - -2002-02-18 Johan Danielsson - - * mini_inetd.c: mini_inetd_addrinfo that takes an addrinfo instead - of a port number - -2001-11-30 Assar Westerlund - - * getifaddrs.c: support SIOCGLIFCONF and SIOCGLIFFLAGS which are - used on Solaris 8 to retrieve addresses larger than `struct - sockaddr'. From Magnus Ahltorp (with some - modifications by me) - -2001-10-27 Assar Westerlund - - * Makefile.am (libroken_la_LDFLAGS): set version to 15:0:6 - -2001-10-22 Assar Westerlund - - * localtime_r.c: add - -2001-10-02 Johan Danielsson - - * resolve.c (dns_srv_order): don't try to return a value - -2001-09-24 Johan Danielsson - - * snprintf.c: va_{start,end} fixes; from Thomas Klausner - -2001-09-20 Assar Westerlund - - * resolve.c (dns_srv_order): make sure of not reading after the - array - -2001-09-17 Assar Westerlund - - * Makefile.am (libroken_la_LDFLAGS): bump to 14:4:5 - * snprintf.c: rename 'struct state' -> 'struct snprintf_test' to - avoid collision with resolv.h on aix - -2001-09-04 Assar Westerlund - - * parse_bytes-test.c, parse_bytes.c, parse_bytes.h, parse_units.c, - parse_units.h: use int instead of size_t as return values to be - compatible with snprintf - - * strftime.c (strftime): check for return values from snprintf() < - 0 - -2001-09-03 Johan Danielsson - - * socket.c: restrict is a keyword - -2001-09-03 Assar Westerlund - - * write_pid.c: handle atexit or on_exit - - * Makefile.am (EXTRA_libroken_la_SOURCES): add vis.hin to help - solaris make - -2001-08-30 Johan Danielsson - - * Makefile.am: use LDADD directly - -2001-08-28 Assar Westerlund - - * Makefile.am (libroken_la_LDFLAGS): set to 14:3:5 - - * issuid.c (issuid): 
call issetugid if it exists - -2001-08-24 Assar Westerlund - - * Makefile.am: make it play better with recent automake - -2001-08-21 Assar Westerlund - - * glob.c: provide a fallback for ARG_MAX. from - - * roken.h.in: remove all winsock.h - for now, it does more harm than good under cygwin and if it should be - used, the correct conditional needs to be found - from - -2001-08-17 Johan Danielsson - - * getaddrinfo.c: include a definition of in6addr_loopback if it - doesn't exist - -2001-08-10 Assar Westerlund - - * Makefile.am (libroken_la_LDFLAGS): update to 14:2:5 - -2001-08-08 Assar Westerlund - - * hstrerror.c: move h_errno to its own file (h_errno.c) - -2001-08-04 Assar Westerlund - - * Makefile.am: add getarg.3 - -2001-08-01 Assar Westerlund - - * mini_inetd.c (mini_inetd): explicitly use PF_UNSPEC. be more - resilient to bind/listen failing. - -2001-07-31 Assar Westerlund - - * getifaddrs.c (getifaddrs2): remove unused variables - -2001-07-31 Assar Westerlund - - * Makefile.am (libroken_la_LDFLAGS): update version to 14:1:5 - -2001-07-23 Assar Westerlund - - * getarg.c (arg_match_long): fix parsing of arg_counter optional - argument - -2001-07-19 Assar Westerlund - - * Makefile.am (libroken_la_LDFLAGS): bump version to 14:0:5 - -2001-07-17 Assar Westerlund - - * snprintf-test.h: add a file with renaming of the snprintf - functions, to be used for running the tests - -2001-07-11 Assar Westerlund - - * snprintf-test.c: add more %X tests, and long and conditional - long long tests - * snprintf.c: add support for printing long long (if available) - -2001-07-10 Assar Westerlund - - * getaddrinfo.c (add_hostent): adapt to const hostent_find_fqdn - * hostent_find_fqdn.c (hostent_find_fqdn): const-ize - -2001-07-09 Assar Westerlund - - * roken-common.h (hostent_find_fqdn): add - * hostent_find_fqdn.c: separate out hostent_find_fqdn - - * warnerr.c: move out getprogname, setprogname - -2001-07-03 Assar Westerlund - - * warnerr.c (setprogname): add const cast - * 
vis.c (SVIS): add some (unsigned char) before calling isfoo* - * Makefile.am (libroken_la_LDFLAGS:) set version to 13:0:4 - - * Makefile.am: add snprintf_test - * snprintf.c: rewrite so that it does not stop as soon as there - are no more characters to print, we need to figure out how long - the string would have to be. this also fixes snprintf(NULL, 0 - -2001-06-21 Assar Westerlund - - * simple_exec.c (pipe_execv): remove unused variable - -2001-06-20 Johan Danielsson - - * getdtablesize.c: fix typo in obviously never used sysctl case - - * simple_exec.c: rename check_status to wait_for_process, and - export it; function pipe_execv similar to popen, but with more - control over input and output - - * roken-common.h: prototypes for wait_for_process and pipe_execv - -2001-06-17 Assar Westerlund - - * roken-common.h: move emalloc et al to roken.h.in - * Makefile.am: make emalloc,ecalloc,erealloc,estrdup conditional - * emalloc.c, erealloc.c, estrup.c: use errx, since errno might not - be set reliably - * ecalloc.c: add for symmetry - -2001-06-09 Johan Danielsson - - * resolve.c: dns_srv_order to order srv records - -2001-06-08 Johan Danielsson - - * getarg.c: Grog tries to figure out if to use mdoc.old instead of - mdoc by looking at some macros that were only present in the old - version, and by looking at the number of .Oo's present. In - mdoc.old .Oo was a toggle, but in mdoc it's closed by .Oc, so if - the number of .Oo's is bigger than the number of .Oc's, it figures - it must be mdoc.old. This doesn't however account for called Oc's, - and thus grog thinks that valid pages are mdoc.old when they - infact are mdoc. So let's make sure that Oc's are not called by - other macros. 
- -2001-05-29 Assar Westerlund - - * base64-test.c (main): initialize numerr - -2001-05-28 Johan Danielsson - - * base64.c: clean up the decode mess somewhat - - * base64-test.c: base64 tests - -2001-05-18 Johan Danielsson - - * roken.h.in: just use standard C types with bswap* - - * bswap.c: just use standard C types - -2001-05-17 Assar Westerlund - - * roken.h.in: include all the headers that AC_GROK_TYPES tries for - finding u_int17_t et al - - * Makefile.am: bump version to 12:0:3 - * roken.h.in: re-add set_progname and get_progname for backwards - compatability - * warnerr.c: re-add set_progname and get_progname for backwards - compatability - -2001-05-12 Assar Westerlund - - * glob.c: add limits.h, from - -2001-05-11 Johan Danielsson - - * Makefile.am: bswap.c - - * bswap.c: bswap{16,32} - -2001-05-08 Assar Westerlund - - * freeaddrinfo.c (freeaddrinfo): also free every `struct - addrinfo'. from - -2001-04-25 Assar Westerlund - - * getarg.h (free_getarg_strings): add prototype - * getarg.c (free_getarg_strings): add function - -2001-04-21 Johan Danielsson - - * getarg.c: pack short flag options togther, to shorten the usage - string - -2001-04-17 Johan Danielsson - - * getifaddrs.c (getifaddrs2): close socket when done - -2001-03-26 Johan Danielsson - - * roken.awk: END has to be last with Sun's awk - -2001-03-26 Assar Westerlund - - * parse_units.c (parse_something): do not check the return value - from strtod, it might return != 0.0 when the string has no digits. - just testing if it consumed any characters is enough and more - resilient - * glob.c: add GLOB_LIMIT (from NetBSD) - -2001-02-20 Assar Westerlund - - * warnerr.c (warnerr): do not use __progname - * roken.h.in (setprogname, getprogname): add prototypes - * warnerr.c (setprogname, getprogname): rename to. 
change all - callers - -2001-02-12 Assar Westerlund - - * getnameinfo_verified.c (getnameinfo_verified): do the first - getnameinfo with NI_NUMERICSERV to avoid the error that bind 8.2.3 - reports on not finding the service - (ENI_NOSERVNAME). reported by Ake Sandgren - -2001-02-09 Assar Westerlund - - * getnameinfo.c (doit): call inet_ntop with correct af, noted by - Ake Sandgren - -2001-02-08 Assar Westerlund - - * getnameinfo_verified.c (getnameinfo_verified): always capture - the service from getnameinfo so it can be sent back to getaddrinfo - and set socktype to avoid getaddrinfo not returning any addresses - -2001-01-30 Assar Westerlund - - * Makefile.am (libroken_la_LDFLAGS): bump version to 11:1:2 - * print_version.c (print_version): add 2001 - -2001-01-29 Assar Westerlund - - * getifaddrs.c (getifaddrs2): copy the entire sockaddr - - * roken-common.h (_PATH_BSHELL): add - -2001-01-27 Assar Westerlund - - * roken.h.in: move __attribute__ to roken-common.h - - * esetenv.c (esetenv): cast to handle a setenv that takes a `char - * which is the case on Unicos - -2000-12-29 Assar Westerlund - - * Makefile.am (EXTRA_libroken_la_SOURCES): ifaddrs.h -> - ifaddrs.hin - -2000-12-25 Assar Westerlund - - * getarg.c (print_arg): add a case for arg_strings - -2000-12-15 Johan Danielsson - - * snprintf.c (append_string): handle NULL strings by printing - `(null)' - -2000-12-12 Johan Danielsson - - * roken-common.h: add c++ externs - - * roken.h.in: fix last commit differently - -2000-12-11 Assar Westerlund - - * err.hin (warnerr): remove, it's not part of the err.h interface - * roken-common.h (warnerr): moved here from err.hin - * Makefile.am (libroken_la_LDFLAGS): set version to 11:0:2 - * vis.c: s/u_int32_t/unsigned/ for systems that do not define - u_int32_t - -2000-12-10 Johan Danielsson - - * Makefile.am: rename some headers to avoid conflict with possible - system headers - -2000-12-06 Johan Danielsson - - * vis.c: make sure _DIAGASSERT is defined - - * unvis.c: 
make sure _DIAGASSERT is defined - - * Makefile.am: unvis.c, and vis.h - - * vis.h: vis.h from NetBSD - - * unvis.c: unvis from NetBSD - - * roken.h.in: cleanup previous - - * roken-common.h: make `extern "C"' into a macro, this make emacs - much happier - - * vis.c: strvis implementation from NetBSD - - * roken.h.in: add prototypes for strvis* - -2000-12-05 Johan Danielsson - - * ifaddrs.h: fix freeifaddrs prototype, and add ifa_broadaddr - macro - - * getifaddrs.c: free some memory - -2000-12-04 Johan Danielsson - - * ifaddrs.h: getifaddrs implementation using SIOCGIFCONFIG etc - - * getifaddrs.c: getifaddrs implementation using SIOCGIFCONFIG etc - -2000-10-08 Assar Westerlund - - * mini_inetd.c (mini_inetd): check that fds are not too large to - select on - -2000-09-24 Assar Westerlund - - * esetenv.c: new file/function - -2000-08-16 Assar Westerlund - - * Makefile.am: bump version to 10:0:1 - -2000-08-10 Assar Westerlund - - * mini_inetd.c (accept_it): type-correctness on parameters to - accept - -2000-08-07 Johan Danielsson - - * roken.h.in: add proto compat for getsockname - -2000-08-04 Johan Danielsson - - * write_pid.c: conditionalise pidfile - - * write_pid.c: add pidfile function - -2000-07-25 Johan Danielsson - - * Makefile.am: bump version to 9:0:0 - - * warnerr.c: add get_progname - -2000-07-24 Assar Westerlund - - * getaddrinfo.c (add_hostent): if there's no fqdn in `he' try - reverse resolving to see if there's a fuller name there. 
don't - use just-freed memory - -2000-07-22 Assar Westerlund - - * xdbm.h: do not define ndbm functions in terms of dbm functions - if we're using db - -2000-07-20 Assar Westerlund - - * rtbl.c (rtbl_format): avoid printing an empty row at the end - -2000-07-19 Johan Danielsson - - * Makefile.am: make this compatible with `make dist' - - * Makefile.am: revert version number for now - -2000-07-18 Johan Danielsson - - * configure.in: AM_PROG_LIBTOOL -> AC_PROG_LIBTOOL - -2000-07-17 Johan Danielsson - - * Makefile.am: set ACLOCAL_AMFLAGS - -2000-07-15 Johan Danielsson - - * getaddrinfo_hostspec.c: add new function that takes socktype - hint as parameter - -2000-07-09 Assar Westerlund - - * rtbl.c (rtbl_add_column): initialize `col' completely - - * configure.in: bring headers and functions more in-line with - what's actually being used - -2000-07-08 Johan Danielsson - - * roken.h.in: declare ether_addr and sockaddr_dl for AIX - - * rtbl.{c,h}: simple table functions - -2000-07-08 Assar Westerlund - - * configure.in (AM_INIT_AUTOMAKE): bump version to 10 - * configure.in (AC_BROKEN): add strsep_copy - * Makefile.am (ACLOCAL): fetch files from cf - -2000-07-01 Assar Westerlund - - * roken-common.h (pid_file_*): fix protos - -2000-06-28 Assar Westerlund - - * getnameinfo_verified.c (getnameinfo_verified): free memory - returned from getaddrinfo - -2000-06-27 Assar Westerlund - - * resolve.c: export string_to_type and type_to_string - * resolve.c: add key,sig,cert update test-program - * resolve.h: add key,sig,cert - -2000-06-21 Assar Westerlund - - * resolve.h: add T_SIG, T_KEY - * resolve.c: add SIG and KEY - * Makefile.am (libroken_la_SOURCES): add environment.c and - write_pid.c - - * write_pid.c: new file for writing a pid file. - - * environment.c: new file with functionality for reading - /etc/environment. 
From Ake Sandgren - -2000-06-12 Johan Danielsson - - * strsep_copy.c: strsep, but with const stringp so returns string - in separate buffer - -2000-05-23 Assar Westerlund - - * vsyslog.c (vsyslog): calculate length of new format string - correctly - -2000-05-22 Johan Danielsson - - * getusershell.c: implment the AIX version use - /etc/security/login.cfg - -2000-05-21 Assar Westerlund - - * vsyslog.c (vsyslog): actually handle `%m' - -2000-05-15 Assar Westerlund - - * Makefile.am (libroken_la_LDFLAGS): set version to 8:1:3 - - * roken-common.h: moved __attribute__ to roken.h.in - -2000-04-14 Assar Westerlund - - * getaddrinfo_hostspec.c (roken_getaddrinfo_hostspec): copy the - correct length from `hostspec'. based on a patch from Love - - -2000-04-09 Assar Westerlund - - * xdbm.h: only include one of db.h and the dbm-series - -2000-04-05 Assar Westerlund - - * resolve.c (_resolve_debug): explicitly set to zero. this moves - the variable from bss to data and the dynamic linker on MacOS - X/Darwin seems unhappy with stuff in the bss segment. - -2000-04-03 Assar Westerlund - - * Makefile.am: set version to 8:0:3 - -2000-03-11 Assar Westerlund - - * roken.h.in (_SS_PAD1SIZE): try to write an inpenetrable - expression that also works on Crays - -2000-03-09 Assar Westerlund - - * getarg.c (arg_match_short): backup optind when there's a missing - argument so that the error can point at the flag and not the - non-existant argument - -2000-03-03 Assar Westerlund - - * Makefile.in (SOURCES): add timeval.c - * Makefile.am (libroken_la_SOURCES): add timeval.c - * timeval.c: new file - -2000-02-19 Assar Westerlund - - * Makefile.am: set version to 7:1:2 - -2000-02-16 Assar Westerlund - - * snprintf.c (PARSE_INT_FORMAT): note that shorts are actually - transmitted as ints - (according to the integer protomotion rules) in variable arguments - lists. Therefore, we should not call va_arg with short but rather - with int. 
See for - original bug report - -2000-02-13 Assar Westerlund - - * Makefile.am: bump version to 7:0:2 - - * getarg.c (mandoc_template): also fix no- prefix in .Sh OPTIONS - * getarg.c (mandoc_template): better man-stuff for negative - options - -2000-02-07 Assar Westerlund - - * Makefile.am: set version to 6:0:1 - -2000-02-06 Assar Westerlund - - * xdbm.h: hopefully catch a few more declarations by including - even if was found - -2000-01-26 Assar Westerlund - - * mini_inetd.c (mini_inetd): separate number of allocated sockets - and number of actual ones - * mini_inetd.c (mini_inetd): count sockets properly. and fail if - we cannot bind any - * mini_inetd.c (mini_inetd): make failing to create a socket - non-fatal - -2000-01-09 Assar Westerlund - - * Makefile.am(libroken_la_SOURCES): add strcollect.c - * Makefile.in: add strcollect.[co] - * simple_exec.c: use vstrcollect - * roken-common.h (_PATH_DEV): add - (strcollect, vstrcollect): add prototypes - * strcollect.c: new file. functions for collapsing an `va_list' - into an `char **' - -2000-01-06 Assar Westerlund - - * Makefile.am: bump version to 5:0:0 - -1999-12-30 Assar Westerlund - - * Makefile.am (strpftime_test_SOURCES): correct source file name - - * roken.h.in (sockaddr_storage): change padding so that we have - one char[] of pad and then an unsigned long[] (for alignment and - padding). this works much better in practice. - -1999-12-22 Assar Westerlund - - * roken.h.in (sockaddr_storage): drop leading underscore on - `public' fields. 
this was the consensus on the ipng mailing list - -1999-12-21 Assar Westerlund - - * Makefile.am (strpftime-test): define sources to avoid having - '.o' - * Makefile.am (print_version.h): use $(EXEEXT) - * Makefile.am (roken.h): add $(EXEEXT) to make this work on cygwin - et al - -1999-12-20 Assar Westerlund - - * Makefile.am (libroken_la_LDFLAGS): bump version to 4:3:0 - - * getaddrinfo.c (get_nodes): use getipnodebyname instead of - gethostbyname(2) - -1999-12-16 Assar Westerlund - - * Makefile.am (libroken_la_LDFLAGS): bump version to 4:2:0 - - * roken.h.in (struct sockaddr_storage): redefine with the example - code from rfc2553 - - * getaddrinfo.c (get_null): set loopback with correct endianess - for v4. dunno about v6. - -1999-12-13 Assar Westerlund - - * roken.h.in: add prototypes for str[pf]time - - * signal.c: macosx = rhapsody ~= nextstep also can't handle - various definitions of the same symbol. - -1999-12-12 Assar Westerlund - - * Makefile.am: bump version to 4:1:0 - -1999-12-06 Assar Westerlund - - * Makefile.am: bump version to 4:0:0 - -1999-12-05 Assar Westerlund - - * Makefile.in: replace inaddr2str with getnameinfo_verified - - * roken-common.h (INADDR_LOOPBACK): add fallback definition - - * roken-common.h: move getnameinfo_verified to roken.h.in - * roken.h.in (inaddr2str): remove - * Makefile.am (libroken_la_SOURCES); removed inaddr2str - * roken-common.h (getnameinfo_verified): add prototype - * getnameinfo_verified.c: new file - -1999-12-04 Assar Westerlund - - * roken-common.h: add constants for getaddrinfo, getnameinfo - * roken.h.in (socklen_t): make independent of sockaddr_storage - (AI_*, NI_*, EAI_*): move to roken-common.h - -1999-12-03 Assar Westerlund - - * mini_inetd.c (mini_inted): rewrite to use `getaddrinfo' - * getaddrinfo.c (const_v*): no sizeof(sizeof()) - * getaddrinfo.c (add_hostent): search for the canonical name among - all aliases - (getaddrinfo): handle AI_NUMERICHOST correctly - * Makefile.am (EXTRA_libroken_la_SOURCES): 
add freeaddinfo, - getaddrinfo, getnameinfo, gai_strerror - (getaddrinfo_test): add - * Makefile.in (SOURCES): add freeaddinfo, getaddrinfo, - getnameinfo, gai_strerror - (getaddrinfo_test): add - * roken.h.in: arpa/inet.h: include - (socklen_t): add - (struct addrinfo): add - (EAI_*): add - (NI_*): add - (AI_*): add - (getaddrinfo, getnameinfo, freeaddrinfo, gai_strerror): add - * getnameinfo.c: new file - * getaddrinfo-test.c: new file - * gai_strerror.c: new file - * getaddrinfo.c: new file - * freeaddrinfo.c: new file - -1999-11-25 Assar Westerlund - - * getopt.c (getopt): return -1 instead of EOF. From - - -1999-11-13 Assar Westerlund - - * strftime.c (strftime): handle `%z' and `%Z' in a tm_gmtoff-less - world - - * getcap.c: make sure to use db only if we have both the library - and the header file - -1999-11-12 Assar Westerlund - - * getarg.h: add arg_counter - * getarg.c: add a new type of argument: `arg_counter' re-organize - the code somewhat - - * Makefile.am: add strptime and strpftime-test - - * snprintf.c (xyzprintf): try to do the right thing with an % at - the end of the format string - - * strptime.c (strptime): implement '%U', '%V', '%W' - * strftime.c (strftime): implement '%U', '%V', '%W', '%z' - - * strftime.c (strftime): correct %E and %O handling. do something - reasonable with "...%" - - * strftime.c: replace the BSD implementation by one of our own - coding - - * strptime.c : new file - * strpftime-test.c: new file - -1999-11-07 Assar Westerlund - - * parse_bytes-test.c: new file - - * Makefile.am: add parse_bytes-test - - * parse_units.c (parse_something): try to handle the case of no - value specified a little bit better - -1999-11-04 Assar Westerlund - - * Makefile.am: bump version to 3:2:0 - -1999-10-30 Assar Westerlund - - * snprintf.c (PARSE_INT_FORMAT): add redundant casts to work - around a gcc-bug that manifests itself on Linux-PPC. 
From Tom - Rini - -1999-10-28 Assar Westerlund - - * Makefile.am: bump version to 3:1:0 - - * roken.h.in: use `unsigned char' instead of `u_int8_t' to avoid - having to have that definition. this is the easy way out instead - of getting the definition here where it's needed. flame me. - -Fri Oct 22 15:39:31 1999 Bjoern Groenvall - - * k_getpwuid.c (k_getpwuid): getspuid() does not exist (even - though it should), use getspnam(). - -1999-10-20 Assar Westerlund - - * Makefile.am: set version to 3:0:0 - -1999-10-18 Johan Danielsson - - * getarg.3: document arg_collect - - * getarg.c: change the way arg_collect works; it's still quite - horrible though - - * getarg.h: change type of the collect function - -1999-10-17 Assar Westerlund - - * xdbm.h: undo last commit - - * xdbm.h: reorder db includes - -1999-10-10 Assar Westerlund - - * socket.c: const-ize and comment - - * net_write.c: const-ize - - * base64.c: const-ize - -1999-10-06 Assar Westerlund - - * getarg.c (getarg): also set optind when returning error - -1999-09-26 Assar Westerlund - - * Makefile.am: add parse_bytes.[ch] - -1999-09-24 Johan Danielsson - - * getarg.3: getarg manpage - - * getarg.{c,h}: add a callback type to do more complicated processing - - * getarg.{c,h}: add floating point support - -1999-09-16 Assar Westerlund - - * strlcat.c (strlcat): call strlcpy - - * strlcpy.c: update name and prototype - - * strlcat.c: update name and prototype - - * roken.h.in: rename strc{py,at}_truncate to strlc{py,at} - - * Makefile.am: rename strc{py,at}_truncate -> strlc{py,at} - - * Makefile.in: rename strc{py,at}_truncate -> strlc{py,at} - - * strcpy_truncate.c (strcpy_truncate): change return value to be - the length of `src' - -1999-08-16 Assar Westerlund - - * getcap.c: try to make this work on systems with DB - -1999-08-16 Johan Danielsson - - * getcap.c: protect from db-less systems - -1999-08-09 Johan Danielsson - - * simple_exec.c: add simple_exec{ve,le} - - * getcap.c: getcap from NetBSD - -1999-08-06 
Assar Westerlund - - * roken.h.in (sockaddr_storage): cater for those that have - v6-support also - -1999-08-05 Assar Westerlund - - * inet_ntop.c (inet_ntop_v4): remember to call ntohl - -1999-08-04 Assar Westerlund - - * roken-common.h: add shutdown constants - - * mini_inetd.c (listen_v4, listen_v6): handle the case of the - protocol not being supported - -1999-08-01 Assar Westerlund - - * mini_inetd.c (socket_set_reuseaddr): remove duplicate - -1999-07-29 Assar Westerlund - - * mini_inetd.c (mini_inetd): fix my stupid bugs - -1999-07-28 Assar Westerlund - - * roken-common.h: add socket* functions - - * Makefile.am (libroken_la_SOURCES): add socket.c - - * socket.c: new file, originally from appl/ftp/common - - * Makefile.am: set version to 2:0:2 - - * roken.h.in (inet_pton): add prototype - - * Makefile.am (EXTRA_libroken_la_SOURCES): add inet_pton - - * inet_pton.c: new file - - * getipnodebyname.c (getipnodebyname): try gethostbyname2 if we - have it - -1999-07-27 Assar Westerlund - - * mini_inetd.c: support IPv6 - -1999-07-26 Assar Westerlund - - * Makefile.am: set version to 1:0:1 - - * roken.h.in (inet_ntop): add prototype - - * roken-common.h: (INET{,6}_ADDRSTRLEN): add - - * inet_ntop.c: new file - - * Makefile.am (EXTRA_libroken_la_SOURCES): add inet_ntop.c - - * Makefile.am: move some files from libroken_la_SOURCES to - EXTRA_libroken_la_SOURCES - - * snprintf.c: some signed vs unsigned casts - -1999-07-24 Assar Westerlund - - * roken.h.in (struct sockaddr_storage): define it needed - -1999-07-19 Assar Westerlund - - * Makefile.am (libroken_la_SOURCES): add copyhostent.c, - freehostent.c, getipnodebyname.c, getipnodebyaddr.c - - * roken.h.in: : include - (copyhostent, freehostent, getipnodebyname, getipnodebyaddr): add - prototypes - - * roken-common.h: new constants for getipnodeby* - - * Makefile.in (SOURCES): add freehostent, copyhostent, - getipnodebyname, getipnodebyaddr - - * freehostent.c: new file - - * copyhostent.c: new file - - * 
getipnodebyaddr.c: new file - - * getipnodebyname.c: new file - -1999-07-13 Assar Westerlund - - * roken.h.in (k_getpwnam): update prototype - - * k_getpwnam.c (k_getpwnam): const-ize - - * get_default_username.c (get_default_username): a better way of - guessing when the user has su:ed - -1999-07-08 Johan Danielsson - - * roken.awk: use puts, as suggested by Jeffrey Hutzelman - - -1999-07-06 Assar Westerlund - - * readv.c (readv): typo - -1999-07-03 Assar Westerlund - - * writev.c (writev): error check malloc properly - - * sendmsg.c (sendmsg): error check malloc properly - - * resolve.c (parse_reply): error check malloc properly - - * recvmsg.c (recvmsg): error check malloc properly - - * readv.c (readv): error check malloc properly - -1999-06-23 Assar Westerlund - - * parse_units.c (acc_units): move the special case of 0 -> 1 to - parse_something to avoid having it happen at the end of the string - -1999-06-15 Assar Westerlund - - * Makefile.in: add get_default_username - - * get_default_username.c: new file - - * roken.h.in (get_default_username): add prototype - - * Makefile.am: add get_default_username - -1999-05-08 Assar Westerlund - - * xdbm.h: also try with DB_DBM_HSEARCH == 1 - - * strnlen.c (strnlen): update prototype - - * Makefile.am: strndup.c: add - - * Makefile.in: strndup.c: add - - * roken.h.in (strndup): add - (strnlen): update prototype - - * strndup.c: new file - -Fri Apr 16 17:59:30 1999 Assar Westerlund - - * roken.h.in: include strsep prototype if needed - -Thu Apr 15 14:04:03 1999 Johan Danielsson - - * Makefile.am: make make-print-version.o depend on version.h - -Wed Apr 7 14:11:00 1999 Johan Danielsson - - * Makefile.am: make it compile w/o krb4 - -Sat Mar 27 17:33:03 1999 Johan Danielsson - - * snprintf.c (vasnprintf): correct check if realloc returns NULL - -Sat Mar 27 12:37:55 1999 Johan Danielsson - - * Makefile.am: link print_version with -ldes to avoid unresolved - references if -lkrb is shared - -Sat Mar 20 03:42:30 1999 Assar 
Westerlund - - * roken-common.h (eread, ewrite): add - - * simple_exec.c: add - -Fri Mar 19 21:29:58 1999 Assar Westerlund - - * Makefile.in: add eread, ewrite - - * eread.c, ewrite.c: new files - - * Makefile.am (libroken_la_SOURCES): add eread and ewrite - -Fri Mar 19 14:52:57 1999 Johan Danielsson - - * Makefile.am: add version-info - -Thu Mar 18 12:53:32 1999 Johan Danielsson - - * Makefile.am: remove include_dir hack - - * Makefile.am: parse_units.h - - * Makefile.am: include Makefile.am.common - -Sat Mar 13 23:31:35 1999 Assar Westerlund - - * Makefile.in (SOURCES): add glob.c - -Thu Mar 11 15:02:21 1999 Johan Danielsson - - * iruserok.c: move innetgr() to separate file - - * innetgr.c: move innetgr() to separate file - - * hstrerror.c (hstrerror): add const to return type - - * erealloc.c: fix types in format string - - * emalloc.c: fix types in format string - -Wed Mar 10 16:36:55 1999 Johan Danielsson - - * resolve.c: ugly fix for crays - -Mon Mar 8 11:52:20 1999 Johan Danielsson - - * roken.h.in: protos for {un,}setenv - -1999-02-16 Assar Westerlund - - * Makefile.in (SOURCES): add fnmatch - - * roken-common.h (abs): add - -Sat Feb 13 17:12:53 1999 Assar Westerlund - - * emalloc.c, erealloc.c, estrup.c: new files - - * roken.h.in (mkstemp, gethostname): also includes prototypes if - they are needed. 
- -1998-12-23 Assar Westerlund - - * roken.h.in: mkstemp: add prototype - -1998-12-20 Assar Westerlund - - * snprintf.c, iruserok.c, parse-units.c: unsigned char-correctness - - * roken.h.in (inet_aton): also chedk NEED_INET_ATON_PROTO - - * roken-common.h: __attribute__: check for autoconf'd - HAVE___ATTRIBUTE__ instead of GNUC - -Sun Dec 6 19:53:21 1998 Assar Westerlund - - * parse_units.c (parse_something): func is called with val == 0 if - no unit was given - (acc_flags, acc_units): update to new standard - -Fri Nov 27 03:09:42 1998 Assar Westerlund - - * resolve.c (stot): constify - (type_to_string): always declare - (dns_lookup_int): correct debug output - -Thu Nov 26 23:43:55 1998 Assar Westerlund - - * resolve.c (dns_lookup_int): send rr_class to res_search - -Thu Nov 26 17:09:47 1998 Johan Danielsson - - * resolve.c: some cleanup - - * resolve.h: add T_NAPTR - -Sun Nov 22 10:23:07 1998 Assar Westerlund - - * Makefile.in (WFLAGS): set - - * k_getpwnam.c (k_getpwnam): check for `struct spwd' - - * k_getpwuid.c (k_getpwuid): check for `struct spwd' - -Tue Sep 8 05:18:31 1998 Assar Westerlund - - * recvmsg.c (recvmsg): patch from bpreece@unity.ncsu.edu - -Fri Sep 4 16:29:27 1998 Johan Danielsson - - * vsyslog.c: asprintf -> vasprintf - -Tue Aug 18 22:25:52 1998 Assar Westerlund - - * getarg.h (arg_printusage): new signature - - * getarg.c (arg_printusage): new parameter `progname'. NULL means - __progname. 
- -Sun Aug 9 14:53:44 1998 Johan Danielsson - - * Makefile.am: net_{read,write}.c - -Fri Jul 24 21:56:02 1998 Assar Westerlund - - * simple_exec.c (simple_execvp): loop around waitpid when errno == - EINTR - -Thu Jul 23 20:24:35 1998 Johan Danielsson - - * Makefile.am: net_{read,write}.c - -Wed Jul 22 21:38:35 1998 Assar Westerlund - - * simple_exec.c (simple_execlp): initialize `argv' - -Mon Jul 13 23:01:22 1998 Assar Westerlund - - * inaddr2str.c (inaddr2str): don't advance hostent->h_addr_list, - use a copy instead - -Fri Jul 10 01:20:08 1998 Assar Westerlund - - * roken.h.in (net_write, net_read): add prototypes - - * Makefile.in: net_{read,write}.c: add - - * net_{read,write}.c: new files - -Tue Jun 30 17:29:09 1998 Assar Westerlund - - * roken.h.in (issuid): add - - * get_window_size.c: fix misspelling of TIOCGWINSZ and bad use of - fields - -Sun May 31 03:24:34 1998 Johan Danielsson - - * getarg.c (mandoc_template): Put short and long options in - SYNOPSIS within the same [ ] pair. - -Sat May 30 00:13:01 1998 Johan Danielsson - - * getarg.c (arg_printusage): try to keep options shorter than - column width - - * get_window_size.c (get_window_size): check COLUMNS and LINES - -Fri May 29 00:05:04 1998 Johan Danielsson - - * getarg.c (mandoc_template): Put short and long options in - DESCRIPTION on the same line. - - * getarg.c (arg_match_long): make sure you only get an exact match - if the strings are the same length - -Thu May 14 02:23:40 1998 Assar Westerlund - - * roken.awk: stupid cray awk wants \# - -Fri May 1 01:29:36 1998 Assar Westerlund - - * print_version.c (print_version): according to ISO/ANSI C the - elements of `arg' are not constant and therefore not settable at - compile-time. Set the at run-time instead. 
- -Sun Apr 19 10:00:06 1998 Assar Westerlund - - * roken.h.in: include paths.h - -Sun Apr 5 12:30:49 1998 Assar Westerlund - - * Makefile.in (SOURCES): add roken_gethostby.c to make solaris - make happy - -Thu Mar 19 20:41:25 1998 Johan Danielsson - - * simple_exec.c: Simple fork+exec system() replacement. - -Fri Mar 6 00:21:53 1998 Johan Danielsson - - * roken_gethostby.c: Make `roken_gethostby_setup' take url-like - specification instead of split up versions. Makes it easier for - calling applications. - - * roken_gethostby.c: Another miracle of the 20th century: - gethostby* over HTTP. - -Sat Feb 21 15:18:36 1998 assar westerlund - - * parse_time.c (unparse_time_approx): new function that calls - `unparse_units_approx' - - * parse_units.c (unparse_units_approx): new function that will - only print the first unit. - - * Makefile.in: include parse_{time,units} - -Thu Feb 12 03:30:08 1998 Assar Westerlund - - * parse_time.c (print_time_table): don't return a void value. - -Tue Feb 3 11:06:24 1998 Johan Danielsson - - * getarg.c (mandoc_template): Change date format to full month - name, and day of month without leading zero. - -Thu Jan 22 21:23:23 1998 Johan Danielsson - - * getarg.c: Fix long form of negative flags. - -Mon Dec 29 23:31:10 1997 Johan Danielsson - - * roken.h.in: Include , to get linux __progname. - -Sun Dec 21 09:45:18 1997 Assar Westerlund - - * parse_time.c (print_time_table): new function - - * parse_units.c (print_flags_table, print_units_table): new - functions. - -Thu Dec 4 02:51:46 1997 Assar Westerlund - - * iruserok.c: moved here. - - * snprintf.c (sn_append_char): don't write any terminating zero. - (as_reserve): don't loop. better heuristic for how much space to - realloc. - (vasnprintf): simplify initializing to one. - -Sun Nov 30 14:56:59 1997 Johan Danielsson - - * getarg.c: Add mandoc help back-end to getarg. - -Wed Nov 12 01:09:17 1997 Johan Danielsson - - * verr.c, verrx.c: Fix warnings by moving exit from. 
- -Tue Nov 11 21:12:09 1997 Johan Danielsson - - * parse_units.c: Change the list of separating characters (between - units) to comma, space, and tab, removing digits. Having digits in - this list makes a flag like `T42 generate a parse error. This - change makes `17m3s' an invalid time-spec (you need a space). - -Tue Nov 11 02:38:44 1997 Assar Westerlund - - * roken.h: add - -Sun Nov 9 04:48:46 1997 Johan Danielsson - - * fnmatch.c: Add fnmatch from NetBSD - -Sun Nov 9 02:00:08 1997 Assar Westerlund - - * parse_units.c (parse_something): ignore white-space and ',' - -Mon Nov 3 22:38:32 1997 Assar Westerlund - - * roken.h: fclose prototype - - * roken.h: add prototype for vsyslog - - * Makefile.in: add some more source files to make soriasis make - happy - -Sat Nov 1 00:19:21 1997 Assar Westerlund - - * roken.h: include and . - prototypes for readv and writev - - * readv.c, writev.c: new files - -Wed Oct 29 02:21:38 1997 Assar Westerlund - - * roken.h: Add ugly macros for openlog, gethostbyname, - gethostbyaddr, and getservbyname for the benefit of Crays. Add - default definition of MAXPATHLEN diff --git a/crypto/heimdal-0.6.3/lib/roken/Makefile.am b/crypto/heimdal-0.6.3/lib/roken/Makefile.am deleted file mode 100644 index 34235ab198..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/Makefile.am +++ /dev/null 
@@ -1,160 +0,0 @@ -# $Id: Makefile.am,v 1.122.6.3 2003/10/14 16:13:15 joda Exp $ - -include $(top_srcdir)/Makefile.am.common - -ACLOCAL_AMFLAGS = -I ../../cf - -CLEANFILES = roken.h make-roken.c $(XHEADERS) - -lib_LTLIBRARIES = libroken.la -libroken_la_LDFLAGS = -version-info 16:3:0 - -noinst_PROGRAMS = make-roken snprintf-test - -nodist_make_roken_SOURCES = make-roken.c - -check_PROGRAMS = \ - base64-test \ - getaddrinfo-test \ - parse_bytes-test \ - parse_reply-test \ - snprintf-test \ - strpftime-test - -TESTS = $(check_PROGRAMS) - -LDADD = libroken.la $(LIB_crypt) -make_roken_LDADD = - -noinst_LTLIBRARIES = libtest.la -libtest_la_SOURCES = strftime.c strptime.c snprintf.c -libtest_la_CFLAGS = -DTEST_SNPRINTF - -parse_reply_test_SOURCES = parse_reply-test.c resolve.c -parse_reply_test_CFLAGS = -DTEST_RESOLVE - -strpftime_test_SOURCES = strpftime-test.c -strpftime_test_LDADD = libtest.la $(LDADD) -snprintf_test_SOURCES = snprintf-test.c -snprintf_test_LDADD = libtest.la $(LDADD) -snprintf_test_CFLAGS = -DTEST_SNPRINTF - -libroken_la_SOURCES = \ - base64.c \ - bswap.c \ - concat.c \ - environment.c \ - eread.c \ - esetenv.c \ - ewrite.c \ - getaddrinfo_hostspec.c \ - get_default_username.c \ - get_window_size.c \ - getarg.c \ - getnameinfo_verified.c \ - getprogname.c \ - h_errno.c \ - hostent_find_fqdn.c \ - issuid.c \ - k_getpwnam.c \ - k_getpwuid.c \ - mini_inetd.c \ - net_read.c \ - net_write.c \ - parse_bytes.c \ - parse_time.c \ - parse_units.c \ - resolve.c \ - roken_gethostby.c \ - rtbl.c \ - rtbl.h \ - setprogname.c \ - signal.c \ - simple_exec.c \ - snprintf.c \ - socket.c \ - strcollect.c \ - timeval.c \ - tm2time.c \ - unvis.c \ - verify.c \ - vis.c \ - vis.h \ - warnerr.c \ - write_pid.c \ - xdbm.h - -EXTRA_libroken_la_SOURCES = \ - err.hin \ - glob.hin \ - ifaddrs.hin \ - vis.hin - -EXTRA_DIST = roken.awk roken.h.in - -libroken_la_LIBADD = @LTLIBOBJS@ $(DBLIB) - -$(LTLIBOBJS) $(libroken_la_OBJECTS): roken.h $(XHEADERS) - -BUILT_SOURCES = make-roken.c 
roken.h - -if have_err_h -err_h = -else -err_h = err.h -endif - -if have_fnmatch_h -fnmatch_h = -else -fnmatch_h = fnmatch.h -endif - -if have_glob_h -glob_h = -else -glob_h = glob.h -endif - -if have_ifaddrs_h -ifaddrs_h = -else -ifaddrs_h = ifaddrs.h -endif - -if have_vis_h -vis_h = -else -vis_h = vis.h -endif - -## these are controlled by configure -XHEADERS = $(err_h) $(fnmatch_h) $(glob_h) $(ifaddrs_h) $(vis_h) - -include_HEADERS = \ - base64.h \ - getarg.h \ - parse_bytes.h \ - parse_time.h \ - parse_units.h \ - resolve.h \ - roken-common.h \ - rtbl.h \ - xdbm.h \ - $(XHEADERS) - -nodist_include_HEADERS = roken.h - -man_MANS = getarg.3 - -SUFFIXES += .hin -.hin.h: - cp $< $@ - -roken.h: make-roken$(EXEEXT) - @./make-roken$(EXEEXT) > tmp.h ;\ - if [ -f roken.h ] && cmp -s tmp.h roken.h ; then rm -f tmp.h ; \ - else rm -f roken.h; mv tmp.h roken.h; fi - -make-roken.c: roken.h.in roken.awk - $(AWK) -f $(srcdir)/roken.awk $(srcdir)/roken.h.in > make-roken.c diff --git a/crypto/heimdal-0.6.3/lib/roken/Makefile.in b/crypto/heimdal-0.6.3/lib/roken/Makefile.in deleted file mode 100644 index d9ddcdddcc..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/Makefile.in +++ /dev/null 
@@ -1,1206 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.122.6.3 2003/10/14 16:13:15 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - - - -SOURCES = $(libroken_la_SOURCES) $(EXTRA_libroken_la_SOURCES) $(libtest_la_SOURCES) base64-test.c getaddrinfo-test.c $(nodist_make_roken_SOURCES) parse_bytes-test.c $(parse_reply_test_SOURCES) $(snprintf_test_SOURCES) $(strpftime_test_SOURCES) - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../.. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(am__include_HEADERS_DIST) $(srcdir)/Makefile.am \ - $(srcdir)/Makefile.in $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common ChangeLog chown.c \ - copyhostent.c daemon.c ecalloc.c emalloc.c erealloc.c err.c \ - errx.c estrdup.c fchown.c flock.c fnmatch.c freeaddrinfo.c \ - freehostent.c gai_strerror.c getaddrinfo.c getcap.c getcwd.c \ - getdtablesize.c getegid.c geteuid.c getgid.c gethostname.c \ - getifaddrs.c getipnodebyaddr.c getipnodebyname.c getnameinfo.c \ - getopt.c gettimeofday.c getuid.c getusershell.c glob.c \ - hstrerror.c inet_aton.c inet_ntop.c inet_pton.c initgroups.c \ - innetgr.c install-sh iruserok.c localtime_r.c lstat.c \ - memmove.c missing mkinstalldirs mkstemp.c putenv.c rcmd.c \ - readv.c recvmsg.c sendmsg.c setegid.c setenv.c seteuid.c \ - strcasecmp.c strdup.c strerror.c strftime.c strlcat.c \ - strlcpy.c strlwr.c strncasecmp.c strndup.c strnlen.c \ - strptime.c strsep.c strsep_copy.c strtok_r.c strupr.c swab.c \ - unsetenv.c verr.c verrx.c vsyslog.c vwarn.c vwarnx.c warn.c \ - warnx.c writev.c -noinst_PROGRAMS = make-roken$(EXEEXT) snprintf-test$(EXEEXT) -check_PROGRAMS = base64-test$(EXEEXT) getaddrinfo-test$(EXEEXT) \ - parse_bytes-test$(EXEEXT) parse_reply-test$(EXEEXT) \ - snprintf-test$(EXEEXT) strpftime-test$(EXEEXT) -subdir = lib/roken -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - 
$(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - $(top_srcdir)/cf/krb-struct-spwd.m4 \ - $(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(includedir)" "$(DESTDIR)$(includedir)" -libLTLIBRARIES_INSTALL = $(INSTALL) 
-LTLIBRARIES = $(lib_LTLIBRARIES) $(noinst_LTLIBRARIES) -am__DEPENDENCIES_1 = -libroken_la_DEPENDENCIES = @LTLIBOBJS@ $(am__DEPENDENCIES_1) -am_libroken_la_OBJECTS = base64.lo bswap.lo concat.lo environment.lo \ - eread.lo esetenv.lo ewrite.lo getaddrinfo_hostspec.lo \ - get_default_username.lo get_window_size.lo getarg.lo \ - getnameinfo_verified.lo getprogname.lo h_errno.lo \ - hostent_find_fqdn.lo issuid.lo k_getpwnam.lo k_getpwuid.lo \ - mini_inetd.lo net_read.lo net_write.lo parse_bytes.lo \ - parse_time.lo parse_units.lo resolve.lo roken_gethostby.lo \ - rtbl.lo setprogname.lo signal.lo simple_exec.lo snprintf.lo \ - socket.lo strcollect.lo timeval.lo tm2time.lo unvis.lo \ - verify.lo vis.lo warnerr.lo write_pid.lo -libroken_la_OBJECTS = $(am_libroken_la_OBJECTS) -libtest_la_LIBADD = -am_libtest_la_OBJECTS = libtest_la-strftime.lo libtest_la-strptime.lo \ - libtest_la-snprintf.lo -libtest_la_OBJECTS = $(am_libtest_la_OBJECTS) -PROGRAMS = $(noinst_PROGRAMS) -base64_test_SOURCES = base64-test.c -base64_test_OBJECTS = base64-test.$(OBJEXT) -base64_test_LDADD = $(LDADD) -base64_test_DEPENDENCIES = libroken.la $(am__DEPENDENCIES_1) -getaddrinfo_test_SOURCES = getaddrinfo-test.c -getaddrinfo_test_OBJECTS = getaddrinfo-test.$(OBJEXT) -getaddrinfo_test_LDADD = $(LDADD) -getaddrinfo_test_DEPENDENCIES = libroken.la $(am__DEPENDENCIES_1) -nodist_make_roken_OBJECTS = make-roken.$(OBJEXT) -make_roken_OBJECTS = $(nodist_make_roken_OBJECTS) -make_roken_DEPENDENCIES = -parse_bytes_test_SOURCES = parse_bytes-test.c -parse_bytes_test_OBJECTS = parse_bytes-test.$(OBJEXT) -parse_bytes_test_LDADD = $(LDADD) -parse_bytes_test_DEPENDENCIES = libroken.la $(am__DEPENDENCIES_1) -am_parse_reply_test_OBJECTS = \ - parse_reply_test-parse_reply-test.$(OBJEXT) \ - parse_reply_test-resolve.$(OBJEXT) -parse_reply_test_OBJECTS = $(am_parse_reply_test_OBJECTS) -parse_reply_test_LDADD = $(LDADD) -parse_reply_test_DEPENDENCIES = libroken.la $(am__DEPENDENCIES_1) -am_snprintf_test_OBJECTS = 
snprintf_test-snprintf-test.$(OBJEXT) -snprintf_test_OBJECTS = $(am_snprintf_test_OBJECTS) -am__DEPENDENCIES_2 = libroken.la $(am__DEPENDENCIES_1) -snprintf_test_DEPENDENCIES = libtest.la $(am__DEPENDENCIES_2) -am_strpftime_test_OBJECTS = strpftime-test.$(OBJEXT) -strpftime_test_OBJECTS = $(am_strpftime_test_OBJECTS) -strpftime_test_DEPENDENCIES = libtest.la $(am__DEPENDENCIES_2) -DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -SOURCES = $(libroken_la_SOURCES) $(EXTRA_libroken_la_SOURCES) \ - $(libtest_la_SOURCES) base64-test.c getaddrinfo-test.c \ - $(nodist_make_roken_SOURCES) parse_bytes-test.c \ - $(parse_reply_test_SOURCES) $(snprintf_test_SOURCES) \ - $(strpftime_test_SOURCES) -DIST_SOURCES = $(libroken_la_SOURCES) $(EXTRA_libroken_la_SOURCES) \ - $(libtest_la_SOURCES) base64-test.c getaddrinfo-test.c \ - parse_bytes-test.c $(parse_reply_test_SOURCES) \ - $(snprintf_test_SOURCES) $(strpftime_test_SOURCES) -man3dir = $(mandir)/man3 -MANS = $(man_MANS) -am__include_HEADERS_DIST = base64.h getarg.h parse_bytes.h \ - parse_time.h parse_units.h resolve.h roken-common.h rtbl.h \ - xdbm.h err.h fnmatch.h glob.h ifaddrs.h vis.h -includeHEADERS_INSTALL = $(INSTALL_HEADER) -nodist_includeHEADERS_INSTALL = $(INSTALL_HEADER) -HEADERS = $(include_HEADERS) $(nodist_include_HEADERS) -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = 
@AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ 
-LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = 
@NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = 
@libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .hin -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -ACLOCAL_AMFLAGS = -I ../../cf -CLEANFILES = roken.h make-roken.c $(XHEADERS) -lib_LTLIBRARIES = libroken.la -libroken_la_LDFLAGS = -version-info 16:3:0 -nodist_make_roken_SOURCES = make-roken.c -TESTS = $(check_PROGRAMS) -LDADD = libroken.la $(LIB_crypt) -make_roken_LDADD = -noinst_LTLIBRARIES = libtest.la -libtest_la_SOURCES = strftime.c strptime.c snprintf.c -libtest_la_CFLAGS = -DTEST_SNPRINTF -parse_reply_test_SOURCES = parse_reply-test.c resolve.c -parse_reply_test_CFLAGS = -DTEST_RESOLVE -strpftime_test_SOURCES = strpftime-test.c -strpftime_test_LDADD = libtest.la $(LDADD) -snprintf_test_SOURCES = snprintf-test.c -snprintf_test_LDADD = libtest.la $(LDADD) -snprintf_test_CFLAGS = -DTEST_SNPRINTF -libroken_la_SOURCES = \ - base64.c \ - bswap.c \ - concat.c \ - environment.c \ - eread.c \ - esetenv.c \ - ewrite.c \ - getaddrinfo_hostspec.c \ - get_default_username.c \ - get_window_size.c \ - getarg.c \ 
- getnameinfo_verified.c \ - getprogname.c \ - h_errno.c \ - hostent_find_fqdn.c \ - issuid.c \ - k_getpwnam.c \ - k_getpwuid.c \ - mini_inetd.c \ - net_read.c \ - net_write.c \ - parse_bytes.c \ - parse_time.c \ - parse_units.c \ - resolve.c \ - roken_gethostby.c \ - rtbl.c \ - rtbl.h \ - setprogname.c \ - signal.c \ - simple_exec.c \ - snprintf.c \ - socket.c \ - strcollect.c \ - timeval.c \ - tm2time.c \ - unvis.c \ - verify.c \ - vis.c \ - vis.h \ - warnerr.c \ - write_pid.c \ - xdbm.h - -EXTRA_libroken_la_SOURCES = \ - err.hin \ - glob.hin \ - ifaddrs.hin \ - vis.hin - -EXTRA_DIST = roken.awk roken.h.in -libroken_la_LIBADD = @LTLIBOBJS@ $(DBLIB) -BUILT_SOURCES = make-roken.c roken.h -@have_err_h_FALSE@err_h = err.h -@have_err_h_TRUE@err_h = -@have_fnmatch_h_FALSE@fnmatch_h = fnmatch.h -@have_fnmatch_h_TRUE@fnmatch_h = -@have_glob_h_FALSE@glob_h = glob.h -@have_glob_h_TRUE@glob_h = -@have_ifaddrs_h_FALSE@ifaddrs_h = ifaddrs.h -@have_ifaddrs_h_TRUE@ifaddrs_h = -@have_vis_h_FALSE@vis_h = vis.h -@have_vis_h_TRUE@vis_h = -XHEADERS = $(err_h) $(fnmatch_h) $(glob_h) $(ifaddrs_h) $(vis_h) -include_HEADERS = \ - base64.h \ - getarg.h \ - parse_bytes.h \ - parse_time.h \ - parse_units.h \ - resolve.h \ - roken-common.h \ - rtbl.h \ - xdbm.h \ - $(XHEADERS) - -nodist_include_HEADERS = roken.h -man_MANS = getarg.3 -all: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .hin .c .lo .o .obj -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps lib/roken/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps lib/roken/Makefile -.PRECIOUS: 
Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -install-libLTLIBRARIES: $(lib_LTLIBRARIES) - @$(NORMAL_INSTALL) - test -z "$(libdir)" || $(mkdir_p) "$(DESTDIR)$(libdir)" - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - if test -f $$p; then \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \ - $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \ - else :; fi; \ - done - -uninstall-libLTLIBRARIES: - @$(NORMAL_UNINSTALL) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - p="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \ - $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \ - done - -clean-libLTLIBRARIES: - -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ - test "$$dir" = "$$p" && dir=.; \ - echo "rm -f \"$${dir}/so_locations\""; \ - rm -f "$${dir}/so_locations"; \ - done - -clean-noinstLTLIBRARIES: - -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) - @list='$(noinst_LTLIBRARIES)'; for p in 
$$list; do \ - dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ - test "$$dir" = "$$p" && dir=.; \ - echo "rm -f \"$${dir}/so_locations\""; \ - rm -f "$${dir}/so_locations"; \ - done -libroken.la: $(libroken_la_OBJECTS) $(libroken_la_DEPENDENCIES) - $(LINK) -rpath $(libdir) $(libroken_la_LDFLAGS) $(libroken_la_OBJECTS) $(libroken_la_LIBADD) $(LIBS) -libtest.la: $(libtest_la_OBJECTS) $(libtest_la_DEPENDENCIES) - $(LINK) $(libtest_la_LDFLAGS) $(libtest_la_OBJECTS) $(libtest_la_LIBADD) $(LIBS) - -clean-checkPROGRAMS: - @list='$(check_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done - -clean-noinstPROGRAMS: - @list='$(noinst_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -base64-test$(EXEEXT): $(base64_test_OBJECTS) $(base64_test_DEPENDENCIES) - @rm -f base64-test$(EXEEXT) - $(LINK) $(base64_test_LDFLAGS) $(base64_test_OBJECTS) $(base64_test_LDADD) $(LIBS) -getaddrinfo-test$(EXEEXT): $(getaddrinfo_test_OBJECTS) $(getaddrinfo_test_DEPENDENCIES) - @rm -f getaddrinfo-test$(EXEEXT) - $(LINK) $(getaddrinfo_test_LDFLAGS) $(getaddrinfo_test_OBJECTS) $(getaddrinfo_test_LDADD) $(LIBS) -make-roken$(EXEEXT): $(make_roken_OBJECTS) $(make_roken_DEPENDENCIES) - @rm -f make-roken$(EXEEXT) - $(LINK) $(make_roken_LDFLAGS) $(make_roken_OBJECTS) $(make_roken_LDADD) $(LIBS) -parse_bytes-test$(EXEEXT): $(parse_bytes_test_OBJECTS) $(parse_bytes_test_DEPENDENCIES) - @rm -f parse_bytes-test$(EXEEXT) - $(LINK) $(parse_bytes_test_LDFLAGS) $(parse_bytes_test_OBJECTS) $(parse_bytes_test_LDADD) $(LIBS) -parse_reply-test$(EXEEXT): $(parse_reply_test_OBJECTS) $(parse_reply_test_DEPENDENCIES) - @rm -f parse_reply-test$(EXEEXT) - $(LINK) $(parse_reply_test_LDFLAGS) $(parse_reply_test_OBJECTS) $(parse_reply_test_LDADD) $(LIBS) -snprintf-test$(EXEEXT): $(snprintf_test_OBJECTS) $(snprintf_test_DEPENDENCIES) - @rm -f snprintf-test$(EXEEXT) - $(LINK) 
$(snprintf_test_LDFLAGS) $(snprintf_test_OBJECTS) $(snprintf_test_LDADD) $(LIBS) -strpftime-test$(EXEEXT): $(strpftime_test_OBJECTS) $(strpftime_test_DEPENDENCIES) - @rm -f strpftime-test$(EXEEXT) - $(LINK) $(strpftime_test_LDFLAGS) $(strpftime_test_OBJECTS) $(strpftime_test_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c $< - -.c.obj: - $(COMPILE) -c `$(CYGPATH_W) '$<'` - -.c.lo: - $(LTCOMPILE) -c -o $@ $< - -libtest_la-strftime.o: strftime.c - $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -c -o libtest_la-strftime.o `test -f 'strftime.c' || echo '$(srcdir)/'`strftime.c - -libtest_la-strftime.obj: strftime.c - $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -c -o libtest_la-strftime.obj `if test -f 'strftime.c'; then $(CYGPATH_W) 'strftime.c'; else $(CYGPATH_W) '$(srcdir)/strftime.c'; fi` - -libtest_la-strftime.lo: strftime.c - $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -c -o libtest_la-strftime.lo `test -f 'strftime.c' || echo '$(srcdir)/'`strftime.c - -libtest_la-strptime.o: strptime.c - $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -c -o libtest_la-strptime.o `test -f 'strptime.c' || echo '$(srcdir)/'`strptime.c - -libtest_la-strptime.obj: strptime.c - $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -c -o libtest_la-strptime.obj `if test -f 'strptime.c'; then $(CYGPATH_W) 'strptime.c'; else $(CYGPATH_W) '$(srcdir)/strptime.c'; fi` - -libtest_la-strptime.lo: strptime.c - $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -c -o libtest_la-strptime.lo `test -f 'strptime.c' || echo 
'$(srcdir)/'`strptime.c - -libtest_la-snprintf.o: snprintf.c - $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -c -o libtest_la-snprintf.o `test -f 'snprintf.c' || echo '$(srcdir)/'`snprintf.c - -libtest_la-snprintf.obj: snprintf.c - $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -c -o libtest_la-snprintf.obj `if test -f 'snprintf.c'; then $(CYGPATH_W) 'snprintf.c'; else $(CYGPATH_W) '$(srcdir)/snprintf.c'; fi` - -libtest_la-snprintf.lo: snprintf.c - $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -c -o libtest_la-snprintf.lo `test -f 'snprintf.c' || echo '$(srcdir)/'`snprintf.c - -parse_reply_test-parse_reply-test.o: parse_reply-test.c - $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(parse_reply_test_CFLAGS) $(CFLAGS) -c -o parse_reply_test-parse_reply-test.o `test -f 'parse_reply-test.c' || echo '$(srcdir)/'`parse_reply-test.c - -parse_reply_test-parse_reply-test.obj: parse_reply-test.c - $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(parse_reply_test_CFLAGS) $(CFLAGS) -c -o parse_reply_test-parse_reply-test.obj `if test -f 'parse_reply-test.c'; then $(CYGPATH_W) 'parse_reply-test.c'; else $(CYGPATH_W) '$(srcdir)/parse_reply-test.c'; fi` - -parse_reply_test-parse_reply-test.lo: parse_reply-test.c - $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(parse_reply_test_CFLAGS) $(CFLAGS) -c -o parse_reply_test-parse_reply-test.lo `test -f 'parse_reply-test.c' || echo '$(srcdir)/'`parse_reply-test.c - -parse_reply_test-resolve.o: resolve.c - $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(parse_reply_test_CFLAGS) $(CFLAGS) -c -o parse_reply_test-resolve.o `test -f 'resolve.c' || echo '$(srcdir)/'`resolve.c - -parse_reply_test-resolve.obj: 
resolve.c - $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(parse_reply_test_CFLAGS) $(CFLAGS) -c -o parse_reply_test-resolve.obj `if test -f 'resolve.c'; then $(CYGPATH_W) 'resolve.c'; else $(CYGPATH_W) '$(srcdir)/resolve.c'; fi` - -parse_reply_test-resolve.lo: resolve.c - $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(parse_reply_test_CFLAGS) $(CFLAGS) -c -o parse_reply_test-resolve.lo `test -f 'resolve.c' || echo '$(srcdir)/'`resolve.c - -snprintf_test-snprintf-test.o: snprintf-test.c - $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(snprintf_test_CFLAGS) $(CFLAGS) -c -o snprintf_test-snprintf-test.o `test -f 'snprintf-test.c' || echo '$(srcdir)/'`snprintf-test.c - -snprintf_test-snprintf-test.obj: snprintf-test.c - $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(snprintf_test_CFLAGS) $(CFLAGS) -c -o snprintf_test-snprintf-test.obj `if test -f 'snprintf-test.c'; then $(CYGPATH_W) 'snprintf-test.c'; else $(CYGPATH_W) '$(srcdir)/snprintf-test.c'; fi` - -snprintf_test-snprintf-test.lo: snprintf-test.c - $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(snprintf_test_CFLAGS) $(CFLAGS) -c -o snprintf_test-snprintf-test.lo `test -f 'snprintf-test.c' || echo '$(srcdir)/'`snprintf-test.c - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -install-man3: $(man3_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - test -z "$(man3dir)" || $(mkdir_p) "$(DESTDIR)$(man3dir)" - @list='$(man3_MANS) $(dist_man3_MANS) $(nodist_man3_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.3*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 
's/^.*\\.//'`; \ - case "$$ext" in \ - 3*) ;; \ - *) ext='3' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man3dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man3dir)/$$inst"; \ - done -uninstall-man3: - @$(NORMAL_UNINSTALL) - @list='$(man3_MANS) $(dist_man3_MANS) $(nodist_man3_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.3*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 3*) ;; \ - *) ext='3' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f '$(DESTDIR)$(man3dir)/$$inst'"; \ - rm -f "$(DESTDIR)$(man3dir)/$$inst"; \ - done -install-includeHEADERS: $(include_HEADERS) - @$(NORMAL_INSTALL) - test -z "$(includedir)" || $(mkdir_p) "$(DESTDIR)$(includedir)" - @list='$(include_HEADERS)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \ - $(includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \ - done - -uninstall-includeHEADERS: - @$(NORMAL_UNINSTALL) - @list='$(include_HEADERS)'; for p in $$list; do \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " rm -f '$(DESTDIR)$(includedir)/$$f'"; \ - rm -f "$(DESTDIR)$(includedir)/$$f"; \ - done -install-nodist_includeHEADERS: $(nodist_include_HEADERS) - @$(NORMAL_INSTALL) - test -z "$(includedir)" || $(mkdir_p) "$(DESTDIR)$(includedir)" - @list='$(nodist_include_HEADERS)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(nodist_includeHEADERS_INSTALL) 
'$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \ - $(nodist_includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \ - done - -uninstall-nodist_includeHEADERS: - @$(NORMAL_UNINSTALL) - @list='$(nodist_include_HEADERS)'; for p in $$list; do \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " rm -f '$(DESTDIR)$(includedir)/$$f'"; \ - rm -f "$(DESTDIR)$(includedir)/$$f"; \ - done - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -check-TESTS: $(TESTS) - @failed=0; all=0; xfail=0; xpass=0; skip=0; \ - srcdir=$(srcdir); export srcdir; \ - list='$(TESTS)'; \ - if test -n "$$list"; then \ - for tst 
in $$list; do \ - if test -f ./$$tst; then dir=./; \ - elif test -f $$tst; then dir=; \ - else dir="$(srcdir)/"; fi; \ - if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ - all=`expr $$all + 1`; \ - case " $(XFAIL_TESTS) " in \ - *" $$tst "*) \ - xpass=`expr $$xpass + 1`; \ - failed=`expr $$failed + 1`; \ - echo "XPASS: $$tst"; \ - ;; \ - *) \ - echo "PASS: $$tst"; \ - ;; \ - esac; \ - elif test $$? -ne 77; then \ - all=`expr $$all + 1`; \ - case " $(XFAIL_TESTS) " in \ - *" $$tst "*) \ - xfail=`expr $$xfail + 1`; \ - echo "XFAIL: $$tst"; \ - ;; \ - *) \ - failed=`expr $$failed + 1`; \ - echo "FAIL: $$tst"; \ - ;; \ - esac; \ - else \ - skip=`expr $$skip + 1`; \ - echo "SKIP: $$tst"; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - if test "$$xfail" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ - fi; \ - else \ - if test "$$xpass" -eq 0; then \ - banner="$$failed of $$all tests failed"; \ - else \ - banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ - fi; \ - fi; \ - dashes="$$banner"; \ - skipped=""; \ - if test "$$skip" -ne 0; then \ - skipped="($$skip tests were not run)"; \ - test `echo "$$skipped" | wc -c` -gt `echo "$$banner" | wc -c` && \ - dashes="$$skipped"; \ - fi; \ - report=""; \ - if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ - report="Please report to $(PACKAGE_BUGREPORT)"; \ - test `echo "$$report" | wc -c` -gt `echo "$$banner" | wc -c` && \ - dashes="$$report"; \ - fi; \ - dashes=`echo "$$dashes" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - test -n "$$skipped" && echo "$$skipped"; \ - test -n "$$report" && echo "$$report"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - else :; fi - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/../.. 
$(distdir)/../../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) - $(MAKE) $(AM_MAKEFLAGS) check-TESTS check-local -check: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) check-am -all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(MANS) $(HEADERS) \ - all-local -installdirs: - for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(includedir)" "$(DESTDIR)$(includedir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ - done -install: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install 
-mostlyclean-generic: - -clean-generic: - -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." - -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES) -clean: clean-am - -clean-am: clean-checkPROGRAMS clean-generic clean-libLTLIBRARIES \ - clean-libtool clean-noinstLTLIBRARIES clean-noinstPROGRAMS \ - mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: install-includeHEADERS install-man \ - install-nodist_includeHEADERS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: install-libLTLIBRARIES - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man3 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-includeHEADERS uninstall-info-am \ - uninstall-libLTLIBRARIES uninstall-man \ - uninstall-nodist_includeHEADERS - -uninstall-man: uninstall-man3 - -.PHONY: CTAGS GTAGS all all-am all-local check check-TESTS check-am \ - check-local clean clean-checkPROGRAMS clean-generic \ - clean-libLTLIBRARIES clean-libtool clean-noinstLTLIBRARIES \ - clean-noinstPROGRAMS ctags distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-exec install-exec-am \ - install-includeHEADERS 
install-info install-info-am \ - install-libLTLIBRARIES install-man install-man3 \ - install-nodist_includeHEADERS install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags uninstall uninstall-am uninstall-includeHEADERS \ - uninstall-info-am uninstall-libLTLIBRARIES uninstall-man \ - uninstall-man3 uninstall-nodist_includeHEADERS - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ 
-.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -$(LTLIBOBJS) $(libroken_la_OBJECTS): roken.h $(XHEADERS) -.hin.h: - cp $< $@ - -roken.h: make-roken$(EXEEXT) - @./make-roken$(EXEEXT) > tmp.h ;\ - if [ -f roken.h ] && cmp -s tmp.h roken.h ; then 
rm -f tmp.h ; \ - else rm -f roken.h; mv tmp.h roken.h; fi - -make-roken.c: roken.h.in roken.awk - $(AWK) -f $(srcdir)/roken.awk $(srcdir)/roken.h.in > make-roken.c -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT:
diff --git a/crypto/heimdal-0.6.3/lib/roken/acconfig.h b/crypto/heimdal-0.6.3/lib/roken/acconfig.h
deleted file mode 100644
index 5fbe685ce3..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/acconfig.h
+++ /dev/null
@@ -1,36 +0,0 @@
-@BOTTOM@
-
-#ifdef BROKEN_REALLOC
-#define realloc(X, Y) isoc_realloc((X), (Y))
-#define isoc_realloc(X, Y) ((X) ? realloc((X), (Y)) : malloc(Y))
-#endif
-
-#ifdef VOID_RETSIGTYPE
-#define SIGRETURN(x) return
-#else
-#define SIGRETURN(x) return (RETSIGTYPE)(x)
-#endif
-
-#define RCSID(msg) \
-static /**/const char *const rcsid[] = { (const char *)rcsid, "\100(#)" msg }
-
-#undef PROTOTYPES
-
-/* Maximum values on all known systems */
-#define MaxHostNameLen (64+4)
-#define MaxPathLen (1024+4)
-
-/*
- * Define NDBM if you are using the 4.3 ndbm library (which is part of
- * libc). If not defined, 4.2 dbm will be assumed.
- */
-#if defined(HAVE_DBM_FIRSTKEY)
-#define NDBM
-#endif
-
-/*
- * Defining this enables lots of useful (and used) extensions on
- * glibc-based systems such as Linux
- */
-
-#define _GNU_SOURCE
diff --git a/crypto/heimdal-0.6.3/lib/roken/acinclude.m4 b/crypto/heimdal-0.6.3/lib/roken/acinclude.m4
deleted file mode 100644
index 1d0197c5ce..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/acinclude.m4
+++ /dev/null
@@ -1,9 +0,0 @@
-dnl $Id$
-dnl
-dnl Only put things that for some reason can't live in the `cf'
-dnl directory in this file.
-dnl
-
-dnl $xId: misc.m4,v 1.1 1997/12/14 15:59:04 joda Exp $
-dnl
-define(upcase,`echo $1 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`)dnl
diff --git a/crypto/heimdal-0.6.3/lib/roken/base64-test.c b/crypto/heimdal-0.6.3/lib/roken/base64-test.c
deleted file mode 100644
index eace04b01a..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/base64-test.c
+++ /dev/null
@@ -1,99 +0,0 @@
-/*
- * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: base64-test.c,v 1.2 2001/05/29 13:12:21 assar Exp $");
-#endif
-
-#include
-#include
-
-int
-main(int argc, char **argv)
-{
- int numerr = 0;
- int numtest = 1;
- struct test {
- void *data;
- size_t len;
- const char *result;
- } *t, tests[] = {
- { "", 0 , "" },
- { "1", 1, "MQ==" },
- { "22", 2, "MjI=" },
- { "333", 3, "MzMz" },
- { "4444", 4, "NDQ0NA==" },
- { "55555", 5, "NTU1NTU=" },
- { "abc:def", 7, "YWJjOmRlZg==" },
- { NULL }
- };
- for(t = tests; t->data; t++) {
- char *str;
- int len;
- len = base64_encode(t->data, t->len, &str);
- if(strcmp(str, t->result) != 0) {
- fprintf(stderr, "failed test %d: %s != %s\n", numtest,
- str, t->result);
- numerr++;
- }
- free(str);
- str = strdup(t->result);
- len = base64_decode(t->result, str);
- if(len != t->len) {
- fprintf(stderr, "failed test %d: len %d != %d\n", numtest,
- len, t->len);
- numerr++;
- } else if(memcmp(str, t->data, t->len) != 0) {
- fprintf(stderr, "failed test %d: data\n", numtest);
- numerr++;
- }
- free(str);
- numtest++;
- }
-
- {
- char str[32];
- if(base64_decode("M=M=", str) != -1) {
- fprintf(stderr, "failed test %d: successful decode of `M=M='\n",
- numtest++);
- numerr++;
- }
- if(base64_decode("MQ===", str) != -1) {
- fprintf(stderr, "failed test %d: successful decode of `MQ==='\n",
- numtest++);
- numerr++;
- }
- }
- return numerr;
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/base64.c b/crypto/heimdal-0.6.3/lib/roken/base64.c
deleted file mode 100644
index 21e79c1190..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/base64.c
+++ /dev/null
@@ -1,136 +0,0 @@
-/*
- * Copyright (c) 1995-2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: base64.c,v 1.5 2001/05/28 17:33:41 joda Exp $");
-#endif
-#include
-#include
-#include "base64.h"
-
-static char base64_chars[] =
- "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
-
-static int
-pos(char c)
-{
- char *p;
- for (p = base64_chars; *p; p++)
- if (*p == c)
- return p - base64_chars;
- return -1;
-}
-
-int
-base64_encode(const void *data, int size, char **str)
-{
- char *s, *p;
- int i;
- int c;
- const unsigned char *q;
-
- p = s = (char *) malloc(size * 4 / 3 + 4);
- if (p == NULL)
- return -1;
- q = (const unsigned char *) data;
- i = 0;
- for (i = 0; i < size;) {
- c = q[i++];
- c *= 256;
- if (i < size)
- c += q[i];
- i++;
- c *= 256;
- if (i < size)
- c += q[i];
- i++;
- p[0] = base64_chars[(c & 0x00fc0000) >> 18];
- p[1] = base64_chars[(c & 0x0003f000) >> 12];
- p[2] = base64_chars[(c & 0x00000fc0) >> 6];
- p[3] = base64_chars[(c & 0x0000003f) >> 0];
- if (i > size)
- p[3] = '=';
- if (i > size + 1)
- p[2] = '=';
- p += 4;
- }
- *p = 0;
- *str = s;
- return strlen(s);
-}
-
-#define DECODE_ERROR 0xffffffff
-
-static unsigned int
-token_decode(const char *token)
-{
- int i;
- unsigned int val = 0;
- int marker = 0;
- if (strlen(token) < 4)
- return DECODE_ERROR;
- for (i = 0; i < 4; i++) {
- val *= 64;
- if (token[i] == '=')
- marker++;
- else if (marker > 0)
- return DECODE_ERROR;
- else
- val += pos(token[i]);
- }
- if (marker > 2)
- return DECODE_ERROR;
- return (marker << 24) | val;
-}
-
-int
-base64_decode(const char *str, void *data)
-{
- const char *p;
- unsigned char *q;
-
- q = data;
- for (p = str; *p && (*p == '=' || strchr(base64_chars, *p)); p += 4) {
- unsigned int val = token_decode(p);
- unsigned int marker = (val >> 24) & 0xff;
- if (val == DECODE_ERROR)
- return -1;
- *q++ = (val >> 16) & 0xff;
- if (marker < 2)
- *q++ = (val >> 8) & 0xff;
- if (marker < 1)
- *q++ = val & 0xff;
- }
- return q - (unsigned char *) data;
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/base64.h b/crypto/heimdal-0.6.3/lib/roken/base64.h
deleted file mode 100644
index 5ad1e3b18e..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/base64.h
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: base64.h,v 1.2 1999/12/02 16:58:45 joda Exp $ */
-
-#ifndef _BASE64_H_
-#define _BASE64_H_
-
-int base64_encode(const void *data, int size, char **str);
-int base64_decode(const char *str, void *data);
-
-#endif
diff --git a/crypto/heimdal-0.6.3/lib/roken/bswap.c b/crypto/heimdal-0.6.3/lib/roken/bswap.c
deleted file mode 100644
index c57dc6f38f..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/bswap.c
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
- * Copyright (c) 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-#endif
-#include "roken.h"
-
-RCSID("$Id: bswap.c,v 1.3 2001/05/18 15:32:11 joda Exp $");
-
-#ifndef HAVE_BSWAP32
-
-unsigned int
-bswap32 (unsigned int val)
-{
- return (val & 0xff) << 24 |
- (val & 0xff00) << 8 |
- (val & 0xff0000) >> 8 |
- (val & 0xff000000) >> 24;
-}
-#endif
-
-#ifndef HAVE_BSWAP16
-
-unsigned short
-bswap16 (unsigned short val)
-{
- return (val & 0xff) << 8 |
- (val & 0xff00) >> 8;
-}
-#endif
diff --git a/crypto/heimdal-0.6.3/lib/roken/chown.c b/crypto/heimdal-0.6.3/lib/roken/chown.c
deleted file mode 100644
index f3d34e3030..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/chown.c
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: chown.c,v 1.3 1999/12/02 16:58:45 joda Exp $");
-#endif
-
-#include "roken.h"
-
-int
-chown(const char *path, uid_t owner, gid_t group)
-{
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/concat.c b/crypto/heimdal-0.6.3/lib/roken/concat.c
deleted file mode 100644
index ca295c030a..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/concat.c
+++ /dev/null
@@ -1,112 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: concat.c,v 1.4 1999/12/02 16:58:45 joda Exp $");
-#endif
-#include "roken.h"
-
-int
-roken_concat (char *s, size_t len, ...)
-{
- int ret;
- va_list args;
-
- va_start(args, len);
- ret = roken_vconcat (s, len, args);
- va_end(args);
- return ret;
-}
-
-int
-roken_vconcat (char *s, size_t len, va_list args)
-{
- const char *a;
-
- while ((a = va_arg(args, const char*))) {
- size_t n = strlen (a);
-
- if (n >= len)
- return -1;
- memcpy (s, a, n);
- s += n;
- len -= n;
- }
- *s = '\0';
- return 0;
-}
-
-size_t
-roken_vmconcat (char **s, size_t max_len, va_list args)
-{
- const char *a;
- char *p, *q;
- size_t len = 0;
- *s = NULL;
- p = malloc(1);
- if(p == NULL)
- return 0;
- len = 1;
- while ((a = va_arg(args, const char*))) {
- size_t n = strlen (a);
-
- if(max_len && len + n > max_len){
- free(p);
- return 0;
- }
- q = realloc(p, len + n);
- if(q == NULL){
- free(p);
- return 0;
- }
- p = q;
- memcpy (p + len - 1, a, n);
- len += n;
- }
- p[len - 1] = '\0';
- *s = p;
- return len;
-}
-
-size_t
-roken_mconcat (char **s, size_t max_len, ...)
-{
- int ret;
- va_list args;
-
- va_start(args, max_len);
- ret = roken_vmconcat (s, max_len, args);
- va_end(args);
- return ret;
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/copyhostent.c b/crypto/heimdal-0.6.3/lib/roken/copyhostent.c
deleted file mode 100644
index a3be6db913..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/copyhostent.c
+++ /dev/null
@@ -1,102 +0,0 @@
-/*
- * Copyright (c) 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: copyhostent.c,v 1.2 1999/12/02 16:58:45 joda Exp $");
-#endif
-
-#include "roken.h"
-
-/*
- * return a malloced copy of `h'
- */
-
-struct hostent *
-copyhostent (const struct hostent *h)
-{
- struct hostent *res;
- char **p;
- int i, n;
-
- res = malloc (sizeof (*res));
- if (res == NULL)
- return NULL;
- res->h_name = NULL;
- res->h_aliases = NULL;
- res->h_addrtype = h->h_addrtype;
- res->h_length = h->h_length;
- res->h_addr_list = NULL;
- res->h_name = strdup (h->h_name);
- if (res->h_name == NULL) {
- freehostent (res);
- return NULL;
- }
- for (n = 0, p = h->h_aliases; *p != NULL; ++p)
- ++n;
- res->h_aliases = malloc ((n + 1) * sizeof(*res->h_aliases));
- if (res->h_aliases == NULL) {
- freehostent (res);
- return NULL;
- }
- for (i = 0; i < n + 1; ++i)
- res->h_aliases[i] = NULL;
- for (i = 0; i < n; ++i) {
- res->h_aliases[i] = strdup (h->h_aliases[i]);
- if (res->h_aliases[i] == NULL) {
- freehostent (res);
- return NULL;
- }
- }
-
- for (n = 0, p = h->h_addr_list; *p != NULL; ++p)
- ++n;
- res->h_addr_list = malloc ((n + 1) * sizeof(*res->h_addr_list));
- if (res->h_addr_list == NULL) {
- freehostent (res);
- return NULL;
- }
- for (i = 0; i < n + 1; ++i) {
- res->h_addr_list[i] = NULL;
- }
- for (i = 0; i < n; ++i) {
- res->h_addr_list[i] = malloc (h->h_length);
- if (res->h_addr_list[i] == NULL) {
- freehostent (res);
- return NULL;
- }
- memcpy (res->h_addr_list[i], h->h_addr_list[i], h->h_length);
- }
- return res;
-}
-
diff --git a/crypto/heimdal-0.6.3/lib/roken/daemon.c b/crypto/heimdal-0.6.3/lib/roken/daemon.c
deleted file mode 100644
index 758856c8ad..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/daemon.c
+++ /dev/null
@@ -1,88 +0,0 @@
-/*-
- * Copyright (c) 1990, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static char sccsid[] = "@(#)daemon.c 8.1 (Berkeley) 6/4/93";
-#endif /* LIBC_SCCS and not lint */
-
-#ifdef HAVE_CONFIG_H
-#include
-#endif
-
-RCSID("$Id: daemon.c,v 1.3 1997/10/04 21:55:48 joda Exp $");
-
-#ifndef HAVE_DAEMON
-
-#ifdef HAVE_FCNTL_H
-#include
-#endif
-#ifdef HAVE_PATHS_H
-#include
-#endif
-#ifdef HAVE_UNISTD_H
-#include
-#endif
-
-#include "roken.h"
-
-int
-daemon(int nochdir, int noclose)
-{
- int fd;
-
- switch (fork()) {
- case -1:
- return (-1);
- case 0:
- break;
- default:
- _exit(0);
- }
-
- if (setsid() == -1)
- return (-1);
-
- if (!nochdir)
- chdir("/");
-
- if (!noclose && (fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) {
- dup2(fd, STDIN_FILENO);
- dup2(fd, STDOUT_FILENO);
- dup2(fd, STDERR_FILENO);
- if (fd > 2)
- close (fd);
- }
- return (0);
-}
-
-#endif /* HAVE_DAEMON */
diff --git a/crypto/heimdal-0.6.3/lib/roken/ecalloc.c b/crypto/heimdal-0.6.3/lib/roken/ecalloc.c
deleted file mode 100644
index 142704f5af..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/ecalloc.c
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: ecalloc.c,v 1.1 2001/06/17 12:09:37 assar Exp $");
-#endif
-
-#include
-#include
-
-#include
-
-/*
- * Like calloc but never fails.
- */
-
-void *
-ecalloc (size_t number, size_t size)
-{
- void *tmp = calloc (number, size);
-
- if (tmp == NULL && number * size != 0)
- errx (1, "calloc %lu failed", (unsigned long)number * size);
- return tmp;
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/emalloc.c b/crypto/heimdal-0.6.3/lib/roken/emalloc.c
deleted file mode 100644
index e2734f3615..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/emalloc.c
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: emalloc.c,v 1.5 2001/06/17 12:07:48 assar Exp $");
-#endif
-
-#include
-#include
-
-#include
-
-/*
- * Like malloc but never fails.
- */
-
-void *
-emalloc (size_t sz)
-{
- void *tmp = malloc (sz);
-
- if (tmp == NULL && sz != 0)
- errx (1, "malloc %lu failed", (unsigned long)sz);
- return tmp;
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/environment.c b/crypto/heimdal-0.6.3/lib/roken/environment.c
deleted file mode 100644
index 62c732c5b4..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/environment.c
+++ /dev/null
@@ -1,103 +0,0 @@
-/*
- * Copyright (c) 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: environment.c,v 1.1 2000/06/21 02:05:03 assar Exp $");
-#endif
-
-#include
-#include
-#include "roken.h"
-
-/*
- * return count of environment assignments from `file' and
- * list of malloced strings in `env'
- */
-
-int
-read_environment(const char *file, char ***env)
-{
- int i, k;
- FILE *F;
- char **l;
- char buf[BUFSIZ], *p, *r;
-
- if ((F = fopen(file, "r")) == NULL) {
- return 0;
- }
-
- i = 0;
- if (*env) {
- l = *env;
- while (*l != NULL) {
- i++;
- l++;
- }
- }
- l = *env;
- /* This is somewhat more relaxed on what it accepts then
- * Wietses sysv_environ from K4 was...
- */
- while (fgets(buf, BUFSIZ, F) != NULL) {
- if (buf[0] == '#')
- continue;
-
- p = strchr(buf, '#');
- if (p != NULL)
- *p = '\0';
-
- p = buf;
- while (*p == ' ' || *p == '\t' || *p == '\n') p++;
- if (*p == '\0')
- continue;
-
- k = strlen(p);
- if (p[k-1] == '\n')
- p[k-1] = '\0';
-
- /* Here one should check that is is a 'valid' env string... */
- r = strchr(p, '=');
- if (r == NULL)
- continue;
-
- l = realloc(l, (i+1) * sizeof (char *));
- l[i++] = strdup(p);
- }
- fclose(F);
- l = realloc(l, (i+1) * sizeof (char *));
- l[i] = NULL;
- *env = l;
- return i;
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/eread.c b/crypto/heimdal-0.6.3/lib/roken/eread.c
deleted file mode 100644
index 9a1b24bd55..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/eread.c
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Copyright (c) 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: eread.c,v 1.2 1999/12/02 16:58:45 joda Exp $");
-#endif
-
-#include
-#include
-
-#include
-
-/*
- * Like read but never fails (and never returns partial data).
- */
-
-ssize_t
-eread (int fd, void *buf, size_t nbytes)
-{
- ssize_t ret;
-
- ret = net_read (fd, buf, nbytes);
- if (ret < 0)
- err (1, "read");
- return ret;
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/erealloc.c b/crypto/heimdal-0.6.3/lib/roken/erealloc.c
deleted file mode 100644
index 8eddd2bb89..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/erealloc.c
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: erealloc.c,v 1.5 2001/06/17 12:08:05 assar Exp $");
-#endif
-
-#include
-#include
-
-#include
-
-/*
- * Like realloc but never fails.
- */
-
-void *
-erealloc (void *ptr, size_t sz)
-{
- void *tmp = realloc (ptr, sz);
-
- if (tmp == NULL && sz != 0)
- errx (1, "realloc %lu failed", (unsigned long)sz);
- return tmp;
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/err.c b/crypto/heimdal-0.6.3/lib/roken/err.c
deleted file mode 100644
index 29b1f7b567..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/err.c
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: err.c,v 1.6 1999/12/02 16:58:45 joda Exp $");
-#endif
-
-#include "err.h"
-
-void
-err(int eval, const char *fmt, ...)
-{
- va_list ap;
- va_start(ap, fmt);
- verr(eval, fmt, ap);
- va_end(ap);
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/err.hin b/crypto/heimdal-0.6.3/lib/roken/err.hin
deleted file mode 100644
index 1fa7774bd0..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/err.hin
+++ /dev/null
@@ -1,68 +0,0 @@
-/*
- * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: err.hin,v 1.16 2000/12/11 04:40:59 assar Exp $ */
-
-#ifndef __ERR_H__
-#define __ERR_H__
-
-#include
-#include
-#include
-#include
-#include
-
-extern const char *__progname;
-
-#if !defined(__GNUC__) && !defined(__attribute__)
-#define __attribute__(x)
-#endif
-
-void verr(int eval, const char *fmt, va_list ap)
- __attribute__ ((noreturn, format (printf, 2, 0)));
-void err(int eval, const char *fmt, ...)
- __attribute__ ((noreturn, format (printf, 2, 3)));
-void verrx(int eval, const char *fmt, va_list ap)
- __attribute__ ((noreturn, format (printf, 2, 0)));
-void errx(int eval, const char *fmt, ...)
- __attribute__ ((noreturn, format (printf, 2, 3)));
-void vwarn(const char *fmt, va_list ap)
- __attribute__ ((format (printf, 1, 0)));
-void warn(const char *fmt, ...)
- __attribute__ ((format (printf, 1, 2)));
-void vwarnx(const char *fmt, va_list ap)
- __attribute__ ((format (printf, 1, 0)));
-void warnx(const char *fmt, ...)
- __attribute__ ((format (printf, 1, 2)));
-
-#endif /* __ERR_H__ */
diff --git a/crypto/heimdal-0.6.3/lib/roken/errx.c b/crypto/heimdal-0.6.3/lib/roken/errx.c
deleted file mode 100644
index 2f8ec18dd2..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/errx.c
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: errx.c,v 1.6 1999/12/02 16:58:45 joda Exp $");
-#endif
-
-#include "err.h"
-
-void
-errx(int eval, const char *fmt, ...)
-{
- va_list ap;
- va_start(ap, fmt);
- verrx(eval, fmt, ap);
- va_end(ap);
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/esetenv.c b/crypto/heimdal-0.6.3/lib/roken/esetenv.c
deleted file mode 100644
index cb357527c3..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/esetenv.c
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * Copyright (c) 2000, 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: esetenv.c,v 1.3 2001/01/27 05:28:38 assar Exp $");
-#endif
-
-#include "roken.h"
-
-#include
-
-void
-esetenv(const char *var, const char *val, int rewrite)
-{
- if (setenv ((char *)var, (char *)val, rewrite))
- errx (1, "failed setting environment variable %s", var);
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/estrdup.c b/crypto/heimdal-0.6.3/lib/roken/estrdup.c
deleted file mode 100644
index 75d2721bbe..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/estrdup.c
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: estrdup.c,v 1.3 2001/06/17 12:07:56 assar Exp $");
-#endif
-
-#include
-#include
-
-#include
-
-/*
- * Like strdup but never fails.
- */
-
-char *
-estrdup (const char *str)
-{
- char *tmp = strdup (str);
-
- if (tmp == NULL)
- errx (1, "strdup failed");
- return tmp;
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/ewrite.c b/crypto/heimdal-0.6.3/lib/roken/ewrite.c
deleted file mode 100644
index b2c43de8db..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/ewrite.c
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Copyright (c) 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: ewrite.c,v 1.2 1999/12/02 16:58:45 joda Exp $");
-#endif
-
-#include
-#include
-
-#include
-
-/*
- * Like write but never fails (and never returns partial data).
- */
-
-ssize_t
-ewrite (int fd, const void *buf, size_t nbytes)
-{
- ssize_t ret;
-
- ret = net_write (fd, buf, nbytes);
- if (ret < 0)
- err (1, "write");
- return ret;
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/fchown.c b/crypto/heimdal-0.6.3/lib/roken/fchown.c
deleted file mode 100644
index 61e854691e..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/fchown.c
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: fchown.c,v 1.3 1999/12/02 16:58:46 joda Exp $");
-#endif
-
-#include "roken.h"
-
-int
-fchown(int fd, uid_t owner, gid_t group)
-{
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/flock.c b/crypto/heimdal-0.6.3/lib/roken/flock.c
deleted file mode 100644
index 13da4f474b..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/flock.c
+++ /dev/null
@@ -1,87 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-#endif
-
-#ifndef HAVE_FLOCK
-RCSID("$Id: flock.c,v 1.4 1999/12/02 16:58:46 joda Exp $");
-
-#include "roken.h"
-
-
-#define OP_MASK (LOCK_SH | LOCK_EX | LOCK_UN)
-
-int
-flock(int fd, int operation)
-{
-#if defined(HAVE_FCNTL) && defined(F_SETLK)
- struct flock arg;
- int code, cmd;
-
- arg.l_whence = SEEK_SET;
- arg.l_start = 0;
- arg.l_len = 0; /* means to EOF */
-
- if (operation & LOCK_NB)
- cmd = F_SETLK;
- else
- cmd = F_SETLKW; /* Blocking */
-
- switch (operation & OP_MASK) {
- case LOCK_UN:
- arg.l_type = F_UNLCK;
- code = fcntl(fd, F_SETLK, &arg);
- break;
- case LOCK_SH:
- arg.l_type = F_RDLCK;
- code = fcntl(fd, cmd, &arg);
- break;
- case LOCK_EX:
- arg.l_type = F_WRLCK;
- code = fcntl(fd, cmd, &arg);
- break;
- default:
- errno = EINVAL;
- code = -1;
- break;
- }
- return code;
-#else
- return -1;
-#endif
-}
-
-#endif
-
diff --git a/crypto/heimdal-0.6.3/lib/roken/fnmatch.c b/crypto/heimdal-0.6.3/lib/roken/fnmatch.c
deleted file mode 100644
index dc01d6ea61..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/fnmatch.c
+++ /dev/null
@@ -1,173 +0,0 @@ -/* $NetBSD: fnmatch.c,v 1.11 1995/02/27 03:43:06 cgd Exp $ */ - -/* - * Copyright (c) 1989, 1993, 1994 - * The Regents of the University of California. All rights reserved. - * - * This code is derived from software contributed to Berkeley by - * Guido van Rossum. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#if defined(LIBC_SCCS) && !defined(lint) -#if 0 -static char sccsid[] = "@(#)fnmatch.c 8.2 (Berkeley) 4/16/94"; -#else -static char rcsid[] = "$NetBSD: fnmatch.c,v 1.11 1995/02/27 03:43:06 cgd Exp $"; -#endif -#endif /* LIBC_SCCS and not lint */ - -/* - * Function fnmatch() as specified in POSIX 1003.2-1992, section B.6. - * Compares a filename or pathname to a pattern. - */ - -#include -#include - -#define EOS '\0' - -static const char *rangematch (const char *, int, int); - -int -fnmatch(const char *pattern, const char *string, int flags) -{ - const char *stringstart; - char c, test; - - for (stringstart = string;;) - switch (c = *pattern++) { - case EOS: - return (*string == EOS ? 0 : FNM_NOMATCH); - case '?': - if (*string == EOS) - return (FNM_NOMATCH); - if (*string == '/' && (flags & FNM_PATHNAME)) - return (FNM_NOMATCH); - if (*string == '.' && (flags & FNM_PERIOD) && - (string == stringstart || - ((flags & FNM_PATHNAME) && *(string - 1) == '/'))) - return (FNM_NOMATCH); - ++string; - break; - case '*': - c = *pattern; - /* Collapse multiple stars. */ - while (c == '*') - c = *++pattern; - - if (*string == '.' && (flags & FNM_PERIOD) && - (string == stringstart || - ((flags & FNM_PATHNAME) && *(string - 1) == '/'))) - return (FNM_NOMATCH); - - /* Optimize for pattern with * at end or before /. */ - if (c == EOS) - if (flags & FNM_PATHNAME) - return (strchr(string, '/') == NULL ? 
- 0 : FNM_NOMATCH); - else - return (0); - else if (c == '/' && flags & FNM_PATHNAME) { - if ((string = strchr(string, '/')) == NULL) - return (FNM_NOMATCH); - break; - } - - /* General case, use recursion. */ - while ((test = *string) != EOS) { - if (!fnmatch(pattern, string, flags & ~FNM_PERIOD)) - return (0); - if (test == '/' && flags & FNM_PATHNAME) - break; - ++string; - } - return (FNM_NOMATCH); - case '[': - if (*string == EOS) - return (FNM_NOMATCH); - if (*string == '/' && flags & FNM_PATHNAME) - return (FNM_NOMATCH); - if ((pattern = - rangematch(pattern, *string, flags)) == NULL) - return (FNM_NOMATCH); - ++string; - break; - case '\\': - if (!(flags & FNM_NOESCAPE)) { - if ((c = *pattern++) == EOS) { - c = '\\'; - --pattern; - } - } - /* FALLTHROUGH */ - default: - if (c != *string++) - return (FNM_NOMATCH); - break; - } - /* NOTREACHED */ -} - -static const char * -rangematch(const char *pattern, int test, int flags) -{ - int negate, ok; - char c, c2; - - /* - * A bracket expression starting with an unquoted circumflex - * character produces unspecified results (IEEE 1003.2-1992, - * 3.13.2). This implementation treats it like '!', for - * consistency with the regular expression syntax. - * J.T. Conklin (conklin@ngai.kaleida.com) - */ - if (negate = (*pattern == '!' || *pattern == '^')) - ++pattern; - - for (ok = 0; (c = *pattern++) != ']';) { - if (c == '\\' && !(flags & FNM_NOESCAPE)) - c = *pattern++; - if (c == EOS) - return (NULL); - if (*pattern == '-' - && (c2 = *(pattern+1)) != EOS && c2 != ']') { - pattern += 2; - if (c2 == '\\' && !(flags & FNM_NOESCAPE)) - c2 = *pattern++; - if (c2 == EOS) - return (NULL); - if (c <= test && test <= c2) - ok = 1; - } else if (c == test) - ok = 1; - } - return (ok == negate ? NULL : pattern); -} diff --git a/crypto/heimdal-0.6.3/lib/roken/fnmatch.hin b/crypto/heimdal-0.6.3/lib/roken/fnmatch.hin deleted file mode 100644 index 95c91d600b..0000000000 
--- a/crypto/heimdal-0.6.3/lib/roken/fnmatch.hin
+++ /dev/null
@@ -1,49 +0,0 @@
-/* $NetBSD: fnmatch.h,v 1.5 1994/10/26 00:55:53 cgd Exp $ */
-
-/*-
- * Copyright (c) 1992, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * @(#)fnmatch.h 8.1 (Berkeley) 6/2/93
- */
-
-#ifndef _FNMATCH_H_
-#define _FNMATCH_H_
-
-#define FNM_NOMATCH 1 /* Match failed. */
-
-#define FNM_NOESCAPE 0x01 /* Disable backslash escaping. */
-#define FNM_PATHNAME 0x02 /* Slash must be matched by slash. */
-#define FNM_PERIOD 0x04 /* Period must be matched by period. */
-
-int fnmatch (const char *, const char *, int);
-
-#endif /* !_FNMATCH_H_ */
diff --git a/crypto/heimdal-0.6.3/lib/roken/freeaddrinfo.c b/crypto/heimdal-0.6.3/lib/roken/freeaddrinfo.c
deleted file mode 100644
index 56124e5b94..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/freeaddrinfo.c
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: freeaddrinfo.c,v 1.4 2001/05/11 09:10:32 joda Exp $");
-#endif
-
-#include "roken.h"
-
-/*
- * free the list of `struct addrinfo' starting at `ai'
- */
-
-void
-freeaddrinfo(struct addrinfo *ai)
-{
- struct addrinfo *tofree;
-
- while(ai != NULL) {
- free (ai->ai_canonname);
- free (ai->ai_addr);
- tofree = ai;
- ai = ai->ai_next;
- free (tofree);
- }
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/freehostent.c b/crypto/heimdal-0.6.3/lib/roken/freehostent.c
deleted file mode 100644
index 0cd92cd732..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/freehostent.c
+++ /dev/null
@@ -1,62 +0,0 @@
-/*
- * Copyright (c) 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: freehostent.c,v 1.2 1999/12/02 16:58:46 joda Exp $");
-#endif
-
-#include "roken.h"
-
-/*
- * free a malloced hostent
- */
-
-void
-freehostent (struct hostent *h)
-{
- char **p;
-
- free (h->h_name);
- if (h->h_aliases != NULL) {
- for (p = h->h_aliases; *p != NULL; ++p)
- free (*p);
- free (h->h_aliases);
- }
- if (h->h_addr_list != NULL) {
- for (p = h->h_addr_list; *p != NULL; ++p)
- free (*p);
- free (h->h_addr_list);
- }
- free (h);
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/gai_strerror.c b/crypto/heimdal-0.6.3/lib/roken/gai_strerror.c
deleted file mode 100644
index 8e1530fb9e..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/gai_strerror.c
+++ /dev/null
@@ -1,77 +0,0 @@
-/*
- * Copyright (c) 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: gai_strerror.c,v 1.2.20.1 2004/01/15 18:14:17 lha Exp $");
-#endif
-
-#include "roken.h"
-
-static struct gai_error {
- int code;
- char *str;
-} errors[] = {
-{EAI_NOERROR, "no error"},
-#ifdef EAI_ADDRFAMILY
-{EAI_ADDRFAMILY, "address family for nodename not supported"},
-#endif
-{EAI_AGAIN, "temporary failure in name resolution"},
-{EAI_BADFLAGS, "invalid value for ai_flags"},
-{EAI_FAIL, "non-recoverable failure in name resolution"},
-{EAI_FAMILY, "ai_family not supported"},
-{EAI_MEMORY, "memory allocation failure"},
-#ifdef EAI_NODATA
-{EAI_NODATA, "no address associated with nodename"},
-#endif
-{EAI_NONAME, "nodename nor servname provided, or not known"},
-{EAI_SERVICE, "servname not supported for ai_socktype"},
-{EAI_SOCKTYPE, "ai_socktype not supported"},
-{EAI_SYSTEM, "system error returned in errno"},
-{0, NULL},
-};
-
-/*
- *
- */
-
-char *
-gai_strerror(int ecode)
-{
- struct gai_error *g;
-
- for (g = errors; g->str != NULL; ++g)
- if (g->code == ecode)
- return g->str;
- return "unknown error code in gai_strerror";
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/get_default_username.c b/crypto/heimdal-0.6.3/lib/roken/get_default_username.c
deleted file mode 100644
index 10b0863888..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/get_default_username.c
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: get_default_username.c,v 1.3 1999/12/02 16:58:46 joda Exp $");
-#endif /* HAVE_CONFIG_H */
-
-#include "roken.h"
-
-/*
- * Try to return what should be considered the default username or
- * NULL if we can't guess at all.
- */
-
-const char *
-get_default_username (void)
-{
- const char *user;
-
- user = getenv ("USER");
- if (user == NULL)
- user = getenv ("LOGNAME");
- if (user == NULL)
- user = getenv ("USERNAME");
-
-#if defined(HAVE_GETLOGIN) && !defined(POSIX_GETLOGIN)
- if (user == NULL) {
- user = (const char *)getlogin ();
- if (user != NULL)
- return user;
- }
-#endif
-#ifdef HAVE_PWD_H
- {
- uid_t uid = getuid ();
- struct passwd *pwd;
-
- if (user != NULL) {
- pwd = k_getpwnam (user);
- if (pwd != NULL && pwd->pw_uid == uid)
- return user;
- }
- pwd = k_getpwuid (uid);
- if (pwd != NULL)
- return pwd->pw_name;
- }
-#endif
- return user;
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/get_window_size.c b/crypto/heimdal-0.6.3/lib/roken/get_window_size.c
deleted file mode 100644
index 4eff8d2d2c..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/get_window_size.c
+++ /dev/null
@@ -1,102 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: get_window_size.c,v 1.9 1999/12/02 16:58:46 joda Exp $");
-#endif
-
-#include
-#ifdef HAVE_UNISTD_H
-#include
-#endif
-#ifdef HAVE_SYS_TYPES_H
-#include
-#endif
-
-#if 0 /* Where were those needed? /confused */
-#ifdef HAVE_SYS_PROC_H
-#include
-#endif
-
-#ifdef HAVE_SYS_TTY_H
-#include
-#endif
-#endif
-
-#ifdef HAVE_TERMIOS_H
-#include
-#endif
-
-#include
-
-int
-get_window_size(int fd, struct winsize *wp)
-{
- int ret = -1;
-
- memset(wp, 0, sizeof(*wp));
-
-#if defined(TIOCGWINSZ)
- ret = ioctl(fd, TIOCGWINSZ, wp);
-#elif defined(TIOCGSIZE)
- {
- struct ttysize ts;
-
- ret = ioctl(fd, TIOCGSIZE, &ts);
- if(ret == 0) {
- wp->ws_row = ts.ts_lines;
- wp->ws_col = ts.ts_cols;
- }
- }
-#elif defined(HAVE__SCRSIZE)
- {
- int dst[2];
-
- _scrsize(dst);
- wp->ws_row = dst[1];
- wp->ws_col = dst[0];
- ret = 0;
- }
-#endif
- if (ret != 0) {
- char *s;
- if((s = getenv("COLUMNS")))
- wp->ws_col = atoi(s);
- if((s = getenv("LINES")))
- wp->ws_row = atoi(s);
- if(wp->ws_col > 0 && wp->ws_row > 0)
- ret = 0;
- }
- return ret;
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/getaddrinfo-test.c b/crypto/heimdal-0.6.3/lib/roken/getaddrinfo-test.c
deleted file mode 100644
index 427408118d..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/getaddrinfo-test.c
+++ /dev/null
@@ -1,144 +0,0 @@ -/* - * Copyright (c) 1999 - 2000 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#ifdef HAVE_CONFIG_H -#include -RCSID("$Id: getaddrinfo-test.c,v 1.4 2001/02/20 01:44:54 assar Exp $"); -#endif - -#include "roken.h" -#include "getarg.h" - -static int flags; -static int family; -static int socktype; - -static int version_flag; -static int help_flag; - -static struct getargs args[] = { - {"flags", 0, arg_integer, &flags, "flags", NULL}, - {"family", 0, arg_integer, &family, "family", NULL}, - {"socktype",0, arg_integer, &socktype, "socktype", NULL}, - {"version", 0, arg_flag, &version_flag, "print version",NULL}, - {"help", 0, arg_flag, &help_flag, NULL, NULL} -}; - -static void -usage(int ret) -{ - arg_printusage (args, - sizeof(args) / sizeof(args[0]), - NULL, - "[nodename servname...]"); - exit (ret); -} - -static void -doit (const char *nodename, const char *servname) -{ - struct addrinfo hints; - struct addrinfo *res, *r; - int ret; - - printf ("(%s,%s)... ", nodename ? nodename : "null", servname); - - memset (&hints, 0, sizeof(hints)); - hints.ai_flags = flags; - hints.ai_family = family; - hints.ai_socktype = socktype; - - ret = getaddrinfo (nodename, servname, &hints, &res); - if (ret) { - printf ("error: %s\n", gai_strerror(ret)); - return; - } - printf ("\n"); - - for (r = res; r != NULL; r = r->ai_next) { - char addrstr[256]; - - if (inet_ntop (r->ai_family, - socket_get_address (r->ai_addr), - addrstr, sizeof(addrstr)) == NULL) { - printf ("\tbad address?\n"); - continue; - } - printf ("\t(family = %d, socktype = %d, protocol = %d, " - "address = \"%s\", port = %d", - r->ai_family, r->ai_socktype, r->ai_protocol, - addrstr, - ntohs(socket_get_port (r->ai_addr))); - if (r->ai_canonname) - printf (", canonname = \"%s\"", r->ai_canonname); - printf ("\n"); - } - freeaddrinfo (res); -} - -int -main(int argc, char **argv) -{ - int optind = 0; - int i; - - setprogname (argv[0]); - - if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv, - &optind)) - usage (1); - - if (help_flag) - usage (0); - - if (version_flag) { - fprintf 
(stderr, "%s from %s-%s)\n", getprogname(), PACKAGE, VERSION); - return 0; - } - - argc -= optind; - argv += optind; - - if (argc % 2 != 0) - usage (1); - - for (i = 0; i < argc; i += 2) { - const char *nodename = argv[i]; - - if (strcmp (nodename, "null") == 0) - nodename = NULL; - - doit (nodename, argv[i+1]); - } - return 0; -} diff --git a/crypto/heimdal-0.6.3/lib/roken/getaddrinfo.c b/crypto/heimdal-0.6.3/lib/roken/getaddrinfo.c deleted file mode 100644 index 83957bb794..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/getaddrinfo.c +++ /dev/null 
@@ -1,417 +0,0 @@ -/* - * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#ifdef HAVE_CONFIG_H -#include -RCSID("$Id: getaddrinfo.c,v 1.12 2001/08/17 13:06:57 joda Exp $"); -#endif - -#include "roken.h" - -/* - * uses hints->ai_socktype and hints->ai_protocol - */ - -static int -get_port_protocol_socktype (const char *servname, - const struct addrinfo *hints, - int *port, - int *protocol, - int *socktype) -{ - struct servent *se; - const char *proto_str = NULL; - - *socktype = 0; - - if (hints != NULL && hints->ai_protocol != 0) { - struct protoent *protoent = getprotobynumber (hints->ai_protocol); - - if (protoent == NULL) - return EAI_SOCKTYPE; /* XXX */ - - proto_str = protoent->p_name; - *protocol = protoent->p_proto; - } - - if (hints != NULL) - *socktype = hints->ai_socktype; - - if (*socktype == SOCK_STREAM) { - se = getservbyname (servname, proto_str ? proto_str : "tcp"); - if (proto_str == NULL) - *protocol = IPPROTO_TCP; - } else if (*socktype == SOCK_DGRAM) { - se = getservbyname (servname, proto_str ? proto_str : "udp"); - if (proto_str == NULL) - *protocol = IPPROTO_UDP; - } else if (*socktype == 0) { - if (proto_str != NULL) { - se = getservbyname (servname, proto_str); - } else { - se = getservbyname (servname, "tcp"); - *protocol = IPPROTO_TCP; - *socktype = SOCK_STREAM; - if (se == NULL) { - se = getservbyname (servname, "udp"); - *protocol = IPPROTO_UDP; - *socktype = SOCK_DGRAM; - } - } - } else - return EAI_SOCKTYPE; - - if (se == NULL) { - char *endstr; - - *port = htons(strtol (servname, &endstr, 10)); - if (servname == endstr) - return EAI_NONAME; - } else { - *port = se->s_port; - } - return 0; -} - -static int -add_one (int port, int protocol, int socktype, - struct addrinfo ***ptr, - int (*func)(struct addrinfo *, void *data, int port), - void *data, - char *canonname) -{ - struct addrinfo *a; - int ret; - - a = malloc (sizeof (*a)); - if (a == NULL) - return EAI_MEMORY; - memset (a, 0, sizeof(*a)); - a->ai_flags = 0; - a->ai_next = NULL; - a->ai_protocol = protocol; - a->ai_socktype = socktype; - 
a->ai_canonname = canonname; - ret = (*func)(a, data, port); - if (ret) { - free (a); - return ret; - } - **ptr = a; - *ptr = &a->ai_next; - return 0; -} - -static int -const_v4 (struct addrinfo *a, void *data, int port) -{ - struct sockaddr_in *sin; - struct in_addr *addr = (struct in_addr *)data; - - a->ai_family = PF_INET; - a->ai_addrlen = sizeof(*sin); - a->ai_addr = malloc (sizeof(*sin)); - if (a->ai_addr == NULL) - return EAI_MEMORY; - sin = (struct sockaddr_in *)a->ai_addr; - memset (sin, 0, sizeof(*sin)); - sin->sin_family = AF_INET; - sin->sin_port = port; - sin->sin_addr = *addr; - return 0; -} - -#ifdef HAVE_IPV6 -static int -const_v6 (struct addrinfo *a, void *data, int port) -{ - struct sockaddr_in6 *sin6; - struct in6_addr *addr = (struct in6_addr *)data; - - a->ai_family = PF_INET6; - a->ai_addrlen = sizeof(*sin6); - a->ai_addr = malloc (sizeof(*sin6)); - if (a->ai_addr == NULL) - return EAI_MEMORY; - sin6 = (struct sockaddr_in6 *)a->ai_addr; - memset (sin6, 0, sizeof(*sin6)); - sin6->sin6_family = AF_INET6; - sin6->sin6_port = port; - sin6->sin6_addr = *addr; - return 0; -} -#endif - -/* this is mostly a hack for some versions of AIX that has a prototype - for in6addr_loopback but no actual symbol in libc */ -#if defined(HAVE_IPV6) && !defined(HAVE_IN6ADDR_LOOPBACK) && defined(IN6ADDR_LOOPBACK_INIT) -#define in6addr_loopback _roken_in6addr_loopback -struct in6_addr in6addr_loopback = IN6ADDR_LOOPBACK_INIT; -#endif - -static int -get_null (const struct addrinfo *hints, - int port, int protocol, int socktype, - struct addrinfo **res) -{ - struct in_addr v4_addr; -#ifdef HAVE_IPV6 - struct in6_addr v6_addr; -#endif - struct addrinfo *first = NULL; - struct addrinfo **current = &first; - int family = PF_UNSPEC; - int ret; - - if (hints != NULL) - family = hints->ai_family; - - if (hints && hints->ai_flags & AI_PASSIVE) { - v4_addr.s_addr = INADDR_ANY; -#ifdef HAVE_IPV6 - v6_addr = in6addr_any; -#endif - } else { - v4_addr.s_addr = 
htonl(INADDR_LOOPBACK); -#ifdef HAVE_IPV6 - v6_addr = in6addr_loopback; -#endif - } - -#ifdef HAVE_IPV6 - if (family == PF_INET6 || family == PF_UNSPEC) { - ret = add_one (port, protocol, socktype, - ¤t, const_v6, &v6_addr, NULL); - } -#endif - if (family == PF_INET || family == PF_UNSPEC) { - ret = add_one (port, protocol, socktype, - ¤t, const_v4, &v4_addr, NULL); - } - *res = first; - return 0; -} - -static int -add_hostent (int port, int protocol, int socktype, - struct addrinfo ***current, - int (*func)(struct addrinfo *, void *data, int port), - struct hostent *he, int *flags) -{ - int ret; - char *canonname = NULL; - char **h; - - if (*flags & AI_CANONNAME) { - struct hostent *he2 = NULL; - const char *tmp_canon; - - tmp_canon = hostent_find_fqdn (he); - if (strchr (tmp_canon, '.') == NULL) { - int error; - - he2 = getipnodebyaddr (he->h_addr_list[0], he->h_length, - he->h_addrtype, &error); - if (he2 != NULL) { - const char *tmp = hostent_find_fqdn (he2); - - if (strchr (tmp, '.') != NULL) - tmp_canon = tmp; - } - } - - canonname = strdup (tmp_canon); - if (he2 != NULL) - freehostent (he2); - if (canonname == NULL) - return EAI_MEMORY; - } - - for (h = he->h_addr_list; *h != NULL; ++h) { - ret = add_one (port, protocol, socktype, - current, func, *h, canonname); - if (ret) - return ret; - if (*flags & AI_CANONNAME) { - *flags &= ~AI_CANONNAME; - canonname = NULL; - } - } - return 0; -} - -static int -get_number (const char *nodename, - const struct addrinfo *hints, - int port, int protocol, int socktype, - struct addrinfo **res) -{ - struct addrinfo *first = NULL; - struct addrinfo **current = &first; - int family = PF_UNSPEC; - int ret; - - if (hints != NULL) { - family = hints->ai_family; - } - -#ifdef HAVE_IPV6 - if (family == PF_INET6 || family == PF_UNSPEC) { - struct in6_addr v6_addr; - - if (inet_pton (PF_INET6, nodename, &v6_addr) == 1) { - ret = add_one (port, protocol, socktype, - ¤t, const_v6, &v6_addr, NULL); - *res = first; - return ret; - } - 
} -#endif - if (family == PF_INET || family == PF_UNSPEC) { - struct in_addr v4_addr; - - if (inet_pton (PF_INET, nodename, &v4_addr) == 1) { - ret = add_one (port, protocol, socktype, - ¤t, const_v4, &v4_addr, NULL); - *res = first; - return ret; - } - } - return EAI_NONAME; -} - -static int -get_nodes (const char *nodename, - const struct addrinfo *hints, - int port, int protocol, int socktype, - struct addrinfo **res) -{ - struct addrinfo *first = NULL; - struct addrinfo **current = &first; - int family = PF_UNSPEC; - int flags = 0; - int ret = EAI_NONAME; - int error; - - if (hints != NULL) { - family = hints->ai_family; - flags = hints->ai_flags; - } - -#ifdef HAVE_IPV6 - if (family == PF_INET6 || family == PF_UNSPEC) { - struct hostent *he; - - he = getipnodebyname (nodename, PF_INET6, 0, &error); - - if (he != NULL) { - ret = add_hostent (port, protocol, socktype, - ¤t, const_v6, he, &flags); - freehostent (he); - } - } -#endif - if (family == PF_INET || family == PF_UNSPEC) { - struct hostent *he; - - he = getipnodebyname (nodename, PF_INET, 0, &error); - - if (he != NULL) { - ret = add_hostent (port, protocol, socktype, - ¤t, const_v4, he, &flags); - freehostent (he); - } - } - *res = first; - return ret; -} - -/* - * hints: - * - * struct addrinfo { - * int ai_flags; - * int ai_family; - * int ai_socktype; - * int ai_protocol; - * ... 
- * }; - */ - -int -getaddrinfo(const char *nodename, - const char *servname, - const struct addrinfo *hints, - struct addrinfo **res) -{ - int ret; - int port = 0; - int protocol = 0; - int socktype = 0; - - *res = NULL; - - if (servname == NULL && nodename == NULL) - return EAI_NONAME; - - if (hints != NULL - && hints->ai_family != PF_UNSPEC - && hints->ai_family != PF_INET -#ifdef HAVE_IPV6 - && hints->ai_family != PF_INET6 -#endif - ) - return EAI_FAMILY; - - if (servname != NULL) { - ret = get_port_protocol_socktype (servname, hints, - &port, &protocol, &socktype); - if (ret) - return ret; - } - if (nodename != NULL) { - ret = get_number (nodename, hints, port, protocol, socktype, res); - if (ret) { - if(hints && hints->ai_flags & AI_NUMERICHOST) - ret = EAI_NONAME; - else - ret = get_nodes (nodename, hints, port, protocol, socktype, - res); - } - } else { - ret = get_null (hints, port, protocol, socktype, res); - } - if (ret) - freeaddrinfo (*res); - return ret; -} diff --git a/crypto/heimdal-0.6.3/lib/roken/getaddrinfo_hostspec.c b/crypto/heimdal-0.6.3/lib/roken/getaddrinfo_hostspec.c deleted file mode 100644 index 7f6b0d1da9..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/getaddrinfo_hostspec.c +++ /dev/null 
@@ -1,104 +0,0 @@ -/* - * Copyright (c) 2000 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#ifdef HAVE_CONFIG_H -#include -RCSID("$Id: getaddrinfo_hostspec.c,v 1.3 2000/07/15 12:50:32 joda Exp $"); -#endif - -#include "roken.h" - -/* getaddrinfo via string specifying host and port */ - -int -roken_getaddrinfo_hostspec2(const char *hostspec, - int socktype, - int port, - struct addrinfo **ai) -{ - const char *p; - char portstr[NI_MAXSERV]; - char host[MAXHOSTNAMELEN]; - struct addrinfo hints; - int hostspec_len; - - struct hst { - const char *prefix; - int socktype; - int protocol; - int port; - } *hstp, hst[] = { - { "http://", SOCK_STREAM, IPPROTO_TCP, 80 }, - { "http/", SOCK_STREAM, IPPROTO_TCP, 80 }, - { "tcp/", SOCK_STREAM, IPPROTO_TCP }, - { "udp/", SOCK_DGRAM, IPPROTO_UDP }, - { NULL } - }; - - memset(&hints, 0, sizeof(hints)); - - hints.ai_socktype = socktype; - - for(hstp = hst; hstp->prefix; hstp++) { - if(strncmp(hostspec, hstp->prefix, strlen(hstp->prefix)) == 0) { - hints.ai_socktype = hstp->socktype; - hints.ai_protocol = hstp->protocol; - if(port == 0) - port = hstp->port; - hostspec += strlen(hstp->prefix); - break; - } - } - - p = strchr (hostspec, ':'); - if (p != NULL) { - char *end; - - port = strtol (p + 1, &end, 0); - hostspec_len = p - hostspec; - } else { - hostspec_len = strlen(hostspec); - } - snprintf (portstr, sizeof(portstr), "%u", port); - - snprintf (host, sizeof(host), "%.*s", hostspec_len, hostspec); - return getaddrinfo (host, portstr, &hints, ai); -} - -int -roken_getaddrinfo_hostspec(const char *hostspec, - int port, - struct addrinfo **ai) -{ - return roken_getaddrinfo_hostspec2(hostspec, 0, port, ai); -} diff --git a/crypto/heimdal-0.6.3/lib/roken/getarg.3 b/crypto/heimdal-0.6.3/lib/roken/getarg.3 deleted file mode 100644 index e2f0412835..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/getarg.3 +++ /dev/null 
@@ -1,341 +0,0 @@
-.\" Copyright (c) 1999 - 2002 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\" -.\" $Id: getarg.3,v 1.7 2003/04/16 13:58:24 lha Exp $ -.Dd September 24, 1999 -.Dt GETARG 3 -.Os ROKEN -.Sh NAME -.Nm getarg , -.Nm arg_printusage -.Nd collect command line options -.Sh SYNOPSIS -.In getarg.h -.Ft int -.Fn getarg "struct getargs *args" "size_t num_args" "int argc" "char **argv" "int *optind" -.Ft void -.Fn arg_printusage "struct getargs *args" "size_t num_args" "const char *progname" "const char *extra_string" -.Sh DESCRIPTION -.Fn getarg -collects any command line options given to a program in an easily used way. -.Fn arg_printusage -pretty-prints the available options, with a short help text. -.Pp -.Fa args -is the option specification to use, and it's an array of -.Fa struct getargs -elements. -.Fa num_args -is the size of -.Fa args -(in elements). -.Fa argc -and -.Fa argv -are the argument count and argument vector to extract option from. -.Fa optind -is a pointer to an integer where the index to the last processed -argument is stored, it must be initialised to the first index (minus -one) to process (normally 0) before the first call. -.Pp -.Fa arg_printusage -take the same -.Fa args -and -.Fa num_args -as getarg; -.Fa progname -is the name of the program (to be used in the help text), and -.Fa extra_string -is a string to print after the actual options to indicate more -arguments. The usefulness of this function is realised only be people -who has used programs that has help strings that doesn't match what -the code does. -.Pp -The -.Fa getargs -struct has the following elements. -.Bd -literal -struct getargs{ - const char *long_name; - char short_name; - enum { arg_integer, - arg_string, - arg_flag, - arg_negative_flag, - arg_strings, - arg_double, - arg_collect - } type; - void *value; - const char *help; - const char *arg_help; -}; -.Ed -.Pp -.Fa long_name -is the long name of the option, it can be -.Dv NULL , -if you don't want a long name. -.Fa short_name -is the characted to use as short option, it can be zero. 
If the option -has a value the -.Fa value -field gets filled in with that value interpreted as specified by the -.Fa type -field. -.Fa help -is a longer help string for the option as a whole, if it's -.Dv NULL -the help text for the option is omitted (but it's still displayed in -the synopsis). -.Fa arg_help -is a description of the argument, if -.Dv NULL -a default value will be used, depending on the type of the option: -.Pp -.Bl -hang -width arg_negative_flag -.It arg_integer -the argument is a signed integer, and -.Fa value -should point to an -.Fa int . -.It Fa arg_string -the argument is a string, and -.Fa value -should point to a -.Fa char* . -.It Fa arg_flag -the argument is a flag, and -.Fa value -should point to a -.Fa int . -It gets filled in with either zero or one, depending on how the option -is given, the normal case being one. Note that if the option isn't -given, the value isn't altered, so it should be initialised to some -useful default. -.It Fa arg_negative_flag -this is the same as -.Fa arg_flag -but it reverses the meaning of the flag (a given short option clears -the flag), and the synopsis of a long option is negated. -.It Fa arg_strings -the argument can be given multiple times, and the values are collected -in an array; -.Fa value -should be a pointer to a -.Fa struct getarg_strings -structure, which holds a length and a string pointer. -.It Fa arg_double -argument is a double precision floating point value, and -.Fa value -should point to a -.Fa double . -.It Fa arg_collect -allows more fine-grained control of the option parsing process. 
-.Fa value -should be a pointer to a -.Fa getarg_collect_info -structure: -.Bd -literal -typedef int (*getarg_collect_func)(int short_opt, - int argc, - char **argv, - int *optind, - int *optarg, - void *data); - -typedef struct getarg_collect_info { - getarg_collect_func func; - void *data; -} getarg_collect_info; -.Ed -.Pp -With the -.Fa func -member set to a function to call, and -.Fa data -to some application specific data. The parameters to the collect function are: -.Bl -inset -.It Fa short_flag -non-zero if this call is via a short option flag, zero otherwise -.It Fa argc , argv -the whole argument list -.It Fa optind -pointer to the index in argv where the flag is -.It Fa optarg -pointer to the index in argv[*optind] where the flag name starts -.It Fa data -application specific data -.El -.Pp -You can modify -.Fa *optind , -and -.Fa *optarg , -but to do this correct you (more or less) have to know about the inner -workings of getarg. -.Pp -You can skip parts of arguments by increasing -.Fa *optarg -(you could -implement the -.Fl z Ns Ar 3 -set of flags from -.Nm gzip -with this), or whole argument strings by increasing -.Fa *optind -(let's say you want a flag -.Fl c Ar x y z -to specify a coordinate); if you also have to set -.Fa *optarg -to a sane value. -.Pp -The collect function should return one of -.Dv ARG_ERR_NO_MATCH , ARG_ERR_BAD_ARG , ARG_ERR_NO_ARG -on error, zero otherwise. -.Pp -For your convenience there is a function, -.Fn getarg_optarg , -that returns the traditional argument string, and you pass it all -arguments, sans data, that where given to the collection function. -.Pp -Don't use this more this unless you absolutely have to. -.El -.Pp -Option parsing is similar to what -.Xr getopt -uses. Short options without arguments can be compressed -.Pf ( Fl xyz -is the same as -.Fl x y z ) , -and short -options with arguments take these as either the rest of the -argv-string or as the next option -.Pf ( Fl o Ns Ar foo , -or -.Fl o Ar foo ) . 
-.Pp -Long option names are prefixed with -- (double dash), and the value -with a = (equal), -.Fl -foo= Ns Ar bar . -Long option flags can either be specified as they are -.Pf ( Fl -help ) , -or with an (boolean parsable) option -.Pf ( Fl -help= Ns Ar yes , -.Fl -help= Ns Ar true , -or similar), or they can also be negated -.Pf ( Fl -no-help -is the same as -.Fl -help= Ns no ) , -and if you're really confused you can do it multiple times -.Pf ( Fl -no-no-help= Ns Ar false , -or even -.Fl -no-no-help= Ns Ar maybe ) . -.Sh EXAMPLE -.Bd -literal -#include -#include -#include - -char *source = "Ouagadougou"; -char *destination; -int weight; -int include_catalog = 1; -int help_flag; - -struct getargs args[] = { - { "source", 's', arg_string, &source, - "source of shippment", "city" }, - { "destination", 'd', arg_string, &destination, - "destination of shippment", "city" }, - { "weight", 'w', arg_integer, &weight, - "weight of shippment", "tons" }, - { "catalog", 'c', arg_negative_flag, &include_catalog, - "include product catalog" }, - { "help", 'h', arg_flag, &help_flag } -}; - -int num_args = sizeof(args) / sizeof(args[0]); /* number of elements in args */ - -const char *progname = "ship++"; - -int -main(int argc, char **argv) -{ - int optind = 0; - if (getarg(args, num_args, argc, argv, &optind)) { - arg_printusage(args, num_args, progname, "stuff..."); - exit (1); - } - if (help_flag) { - arg_printusage(args, num_args, progname, "stuff..."); - exit (0); - } - if (destination == NULL) { - fprintf(stderr, "%s: must specify destination\en", progname); - exit(1); - } - if (strcmp(source, destination) == 0) { - fprintf(stderr, "%s: destination must be different from source\en"); - exit(1); - } - /* include more stuff here ... 
*/ - exit(2); -} -.Ed -.Pp -The output help output from this program looks like this: -.Bd -literal -$ ship++ --help -Usage: ship++ [--source=city] [-s city] [--destination=city] [-d city] - [--weight=tons] [-w tons] [--no-catalog] [-c] [--help] [-h] stuff... --s city, --source=city source of shippment --d city, --destination=city destination of shippment --w tons, --weight=tons weight of shippment --c, --no-catalog include product catalog -.Ed -.Sh BUGS -It should be more flexible, so it would be possible to use other more -complicated option syntaxes, such as what -.Xr ps 1 , -and -.Xr tar 1 , -uses, or the AFS model where you can skip the flag names as long as -the options come in the correct order. -.Pp -Options with multiple arguments should be handled better. -.Pp -Should be integreated with SL. -.Pp -It's very confusing that the struct you pass in is called getargS. -.Sh SEE ALSO -.Xr getopt 3 diff --git a/crypto/heimdal-0.6.3/lib/roken/getarg.c b/crypto/heimdal-0.6.3/lib/roken/getarg.c deleted file mode 100644 index eff81f22d2..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/getarg.c +++ /dev/null 
@@ -1,587 +0,0 @@
-/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#ifdef HAVE_CONFIG_H -#include -RCSID("$Id: getarg.c,v 1.46 2002/08/20 16:23:07 joda Exp $"); -#endif - -#include -#include -#include -#include -#include "getarg.h" - -#define ISFLAG(X) ((X).type == arg_flag || (X).type == arg_negative_flag) - -static size_t -print_arg (char *string, size_t len, int mdoc, int longp, struct getargs *arg) -{ - const char *s; - - *string = '\0'; - - if (ISFLAG(*arg) || (!longp && arg->type == arg_counter)) - return 0; - - if(mdoc){ - if(longp) - strlcat(string, "= Ns", len); - strlcat(string, " Ar ", len); - } else { - if (longp) - strlcat (string, "=", len); - else - strlcat (string, " ", len); - } - - if (arg->arg_help) - s = arg->arg_help; - else if (arg->type == arg_integer || arg->type == arg_counter) - s = "integer"; - else if (arg->type == arg_string) - s = "string"; - else if (arg->type == arg_strings) - s = "strings"; - else if (arg->type == arg_double) - s = "float"; - else - s = ""; - - strlcat(string, s, len); - return 1 + strlen(s); -} - -static void -mandoc_template(struct getargs *args, - size_t num_args, - const char *progname, - const char *extra_string) -{ - int i; - char timestr[64], cmd[64]; - char buf[128]; - const char *p; - time_t t; - - printf(".\\\" Things to fix:\n"); - printf(".\\\" * correct section, and operating system\n"); - printf(".\\\" * remove Op from mandatory flags\n"); - printf(".\\\" * use better macros for arguments (like .Pa for files)\n"); - printf(".\\\"\n"); - t = time(NULL); - strftime(timestr, sizeof(timestr), "%B %e, %Y", localtime(&t)); - printf(".Dd %s\n", timestr); - p = strrchr(progname, '/'); - if(p) p++; else p = progname; - strlcpy(cmd, p, sizeof(cmd)); - strupr(cmd); - - printf(".Dt %s SECTION\n", cmd); - printf(".Os OPERATING_SYSTEM\n"); - printf(".Sh NAME\n"); - printf(".Nm %s\n", p); - printf(".Nd\n"); - printf("in search of a description\n"); - printf(".Sh SYNOPSIS\n"); - printf(".Nm\n"); - for(i = 0; i < num_args; i++){ - /* we seem to hit a limit on number of 
arguments if doing - short and long flags with arguments -- split on two lines */ - if(ISFLAG(args[i]) || - args[i].short_name == 0 || args[i].long_name == NULL) { - printf(".Op "); - - if(args[i].short_name) { - print_arg(buf, sizeof(buf), 1, 0, args + i); - printf("Fl %c%s", args[i].short_name, buf); - if(args[i].long_name) - printf(" | "); - } - if(args[i].long_name) { - print_arg(buf, sizeof(buf), 1, 1, args + i); - printf("Fl -%s%s%s", - args[i].type == arg_negative_flag ? "no-" : "", - args[i].long_name, buf); - } - printf("\n"); - } else { - print_arg(buf, sizeof(buf), 1, 0, args + i); - printf(".Oo Fl %c%s \\*(Ba Xo\n", args[i].short_name, buf); - print_arg(buf, sizeof(buf), 1, 1, args + i); - printf(".Fl -%s%s\n.Xc\n.Oc\n", args[i].long_name, buf); - } - /* - if(args[i].type == arg_strings) - fprintf (stderr, "..."); - */ - } - if (extra_string && *extra_string) - printf (".Ar %s\n", extra_string); - printf(".Sh DESCRIPTION\n"); - printf("Supported options:\n"); - printf(".Bl -tag -width Ds\n"); - for(i = 0; i < num_args; i++){ - printf(".It Xo\n"); - if(args[i].short_name){ - printf(".Fl %c", args[i].short_name); - print_arg(buf, sizeof(buf), 1, 0, args + i); - printf("%s", buf); - if(args[i].long_name) - printf(" ,"); - printf("\n"); - } - if(args[i].long_name){ - printf(".Fl -%s%s", - args[i].type == arg_negative_flag ? 
"no-" : "", - args[i].long_name); - print_arg(buf, sizeof(buf), 1, 1, args + i); - printf("%s\n", buf); - } - printf(".Xc\n"); - if(args[i].help) - printf("%s\n", args[i].help); - /* - if(args[i].type == arg_strings) - fprintf (stderr, "..."); - */ - } - printf(".El\n"); - printf(".\\\".Sh ENVIRONMENT\n"); - printf(".\\\".Sh FILES\n"); - printf(".\\\".Sh EXAMPLES\n"); - printf(".\\\".Sh DIAGNOSTICS\n"); - printf(".\\\".Sh SEE ALSO\n"); - printf(".\\\".Sh STANDARDS\n"); - printf(".\\\".Sh HISTORY\n"); - printf(".\\\".Sh AUTHORS\n"); - printf(".\\\".Sh BUGS\n"); -} - -static int -check_column(FILE *f, int col, int len, int columns) -{ - if(col + len > columns) { - fprintf(f, "\n"); - col = fprintf(f, " "); - } - return col; -} - -void -arg_printusage (struct getargs *args, - size_t num_args, - const char *progname, - const char *extra_string) -{ - int i; - size_t max_len = 0; - char buf[128]; - int col = 0, columns; - struct winsize ws; - - if (progname == NULL) - progname = getprogname(); - - if(getenv("GETARGMANDOC")){ - mandoc_template(args, num_args, progname, extra_string); - return; - } - if(get_window_size(2, &ws) == 0) - columns = ws.ws_col; - else - columns = 80; - col = 0; - col += fprintf (stderr, "Usage: %s", progname); - buf[0] = '\0'; - for (i = 0; i < num_args; ++i) { - if(args[i].short_name && ISFLAG(args[i])) { - char s[2]; - if(buf[0] == '\0') - strlcpy(buf, "[-", sizeof(buf)); - s[0] = args[i].short_name; - s[1] = '\0'; - strlcat(buf, s, sizeof(buf)); - } - } - if(buf[0] != '\0') { - strlcat(buf, "]", sizeof(buf)); - col = check_column(stderr, col, strlen(buf) + 1, columns); - col += fprintf(stderr, " %s", buf); - } - - for (i = 0; i < num_args; ++i) { - size_t len = 0; - - if (args[i].long_name) { - buf[0] = '\0'; - strlcat(buf, "[--", sizeof(buf)); - len += 2; - if(args[i].type == arg_negative_flag) { - strlcat(buf, "no-", sizeof(buf)); - len += 3; - } - strlcat(buf, args[i].long_name, sizeof(buf)); - len += strlen(args[i].long_name); - len += 
print_arg(buf + strlen(buf), sizeof(buf) - strlen(buf), - 0, 1, &args[i]); - strlcat(buf, "]", sizeof(buf)); - if(args[i].type == arg_strings) - strlcat(buf, "...", sizeof(buf)); - col = check_column(stderr, col, strlen(buf) + 1, columns); - col += fprintf(stderr, " %s", buf); - } - if (args[i].short_name && !ISFLAG(args[i])) { - snprintf(buf, sizeof(buf), "[-%c", args[i].short_name); - len += 2; - len += print_arg(buf + strlen(buf), sizeof(buf) - strlen(buf), - 0, 0, &args[i]); - strlcat(buf, "]", sizeof(buf)); - if(args[i].type == arg_strings) - strlcat(buf, "...", sizeof(buf)); - col = check_column(stderr, col, strlen(buf) + 1, columns); - col += fprintf(stderr, " %s", buf); - } - if (args[i].long_name && args[i].short_name) - len += 2; /* ", " */ - max_len = max(max_len, len); - } - if (extra_string) { - col = check_column(stderr, col, strlen(extra_string) + 1, columns); - fprintf (stderr, " %s\n", extra_string); - } else - fprintf (stderr, "\n"); - for (i = 0; i < num_args; ++i) { - if (args[i].help) { - size_t count = 0; - - if (args[i].short_name) { - count += fprintf (stderr, "-%c", args[i].short_name); - print_arg (buf, sizeof(buf), 0, 0, &args[i]); - count += fprintf(stderr, "%s", buf); - } - if (args[i].short_name && args[i].long_name) - count += fprintf (stderr, ", "); - if (args[i].long_name) { - count += fprintf (stderr, "--"); - if (args[i].type == arg_negative_flag) - count += fprintf (stderr, "no-"); - count += fprintf (stderr, "%s", args[i].long_name); - print_arg (buf, sizeof(buf), 0, 1, &args[i]); - count += fprintf(stderr, "%s", buf); - } - while(count++ <= max_len) - putc (' ', stderr); - fprintf (stderr, "%s\n", args[i].help); - } - } -} - -static void -add_string(getarg_strings *s, char *value) -{ - s->strings = realloc(s->strings, (s->num_strings + 1) * sizeof(*s->strings)); - s->strings[s->num_strings] = value; - s->num_strings++; -} - -static int -arg_match_long(struct getargs *args, size_t num_args, - char *argv, int argc, char **rargv, 
int *goptind) -{ - int i; - char *goptarg = NULL; - int negate = 0; - int partial_match = 0; - struct getargs *partial = NULL; - struct getargs *current = NULL; - int argv_len; - char *p; - int p_len; - - argv_len = strlen(argv); - p = strchr (argv, '='); - if (p != NULL) - argv_len = p - argv; - - for (i = 0; i < num_args; ++i) { - if(args[i].long_name) { - int len = strlen(args[i].long_name); - p = argv; - p_len = argv_len; - negate = 0; - - for (;;) { - if (strncmp (args[i].long_name, p, p_len) == 0) { - if(p_len == len) - current = &args[i]; - else { - ++partial_match; - partial = &args[i]; - } - goptarg = p + p_len; - } else if (ISFLAG(args[i]) && strncmp (p, "no-", 3) == 0) { - negate = !negate; - p += 3; - p_len -= 3; - continue; - } - break; - } - if (current) - break; - } - } - if (current == NULL) { - if (partial_match == 1) - current = partial; - else - return ARG_ERR_NO_MATCH; - } - - if(*goptarg == '\0' - && !ISFLAG(*current) - && current->type != arg_collect - && current->type != arg_counter) - return ARG_ERR_NO_MATCH; - switch(current->type){ - case arg_integer: - { - int tmp; - if(sscanf(goptarg + 1, "%d", &tmp) != 1) - return ARG_ERR_BAD_ARG; - *(int*)current->value = tmp; - return 0; - } - case arg_string: - { - *(char**)current->value = goptarg + 1; - return 0; - } - case arg_strings: - { - add_string((getarg_strings*)current->value, goptarg + 1); - return 0; - } - case arg_flag: - case arg_negative_flag: - { - int *flag = current->value; - if(*goptarg == '\0' || - strcmp(goptarg + 1, "yes") == 0 || - strcmp(goptarg + 1, "true") == 0){ - *flag = !negate; - return 0; - } else if (*goptarg && strcmp(goptarg + 1, "maybe") == 0) { -#ifdef HAVE_RANDOM - *flag = random() & 1; -#else - *flag = rand() & 1; -#endif - } else { - *flag = negate; - return 0; - } - return ARG_ERR_BAD_ARG; - } - case arg_counter : - { - int val; - - if (*goptarg == '\0') - val = 1; - else if(sscanf(goptarg + 1, "%d", &val) != 1) - return ARG_ERR_BAD_ARG; - *(int 
*)current->value += val; - return 0; - } - case arg_double: - { - double tmp; - if(sscanf(goptarg + 1, "%lf", &tmp) != 1) - return ARG_ERR_BAD_ARG; - *(double*)current->value = tmp; - return 0; - } - case arg_collect:{ - struct getarg_collect_info *c = current->value; - int o = argv - rargv[*goptind]; - return (*c->func)(FALSE, argc, rargv, goptind, &o, c->data); - } - - default: - abort (); - } -} - -static int -arg_match_short (struct getargs *args, size_t num_args, - char *argv, int argc, char **rargv, int *goptind) -{ - int j, k; - - for(j = 1; j > 0 && j < strlen(rargv[*goptind]); j++) { - for(k = 0; k < num_args; k++) { - char *goptarg; - - if(args[k].short_name == 0) - continue; - if(argv[j] == args[k].short_name) { - if(args[k].type == arg_flag) { - *(int*)args[k].value = 1; - break; - } - if(args[k].type == arg_negative_flag) { - *(int*)args[k].value = 0; - break; - } - if(args[k].type == arg_counter) { - ++*(int *)args[k].value; - break; - } - if(args[k].type == arg_collect) { - struct getarg_collect_info *c = args[k].value; - - if((*c->func)(TRUE, argc, rargv, goptind, &j, c->data)) - return ARG_ERR_BAD_ARG; - break; - } - - if(argv[j + 1]) - goptarg = &argv[j + 1]; - else { - ++*goptind; - goptarg = rargv[*goptind]; - } - if(goptarg == NULL) { - --*goptind; - return ARG_ERR_NO_ARG; - } - if(args[k].type == arg_integer) { - int tmp; - if(sscanf(goptarg, "%d", &tmp) != 1) - return ARG_ERR_BAD_ARG; - *(int*)args[k].value = tmp; - return 0; - } else if(args[k].type == arg_string) { - *(char**)args[k].value = goptarg; - return 0; - } else if(args[k].type == arg_strings) { - add_string((getarg_strings*)args[k].value, goptarg); - return 0; - } else if(args[k].type == arg_double) { - double tmp; - if(sscanf(goptarg, "%lf", &tmp) != 1) - return ARG_ERR_BAD_ARG; - *(double*)args[k].value = tmp; - return 0; - } - return ARG_ERR_BAD_ARG; - } - } - if (k == num_args) - return ARG_ERR_NO_MATCH; - } - return 0; -} - -int -getarg(struct getargs *args, size_t num_args, 
- int argc, char **argv, int *goptind) -{ - int i; - int ret = 0; - -#if defined(HAVE_SRANDOMDEV) - srandomdev(); -#elif defined(HAVE_RANDOM) - srandom(time(NULL)); -#else - srand (time(NULL)); -#endif - (*goptind)++; - for(i = *goptind; i < argc; i++) { - if(argv[i][0] != '-') - break; - if(argv[i][1] == '-'){ - if(argv[i][2] == 0){ - i++; - break; - } - ret = arg_match_long (args, num_args, argv[i] + 2, - argc, argv, &i); - } else { - ret = arg_match_short (args, num_args, argv[i], - argc, argv, &i); - } - if(ret) - break; - } - *goptind = i; - return ret; -} - -void -free_getarg_strings (getarg_strings *s) -{ - free (s->strings); -} - -#if TEST -int foo_flag = 2; -int flag1 = 0; -int flag2 = 0; -int bar_int; -char *baz_string; - -struct getargs args[] = { - { NULL, '1', arg_flag, &flag1, "one", NULL }, - { NULL, '2', arg_flag, &flag2, "two", NULL }, - { "foo", 'f', arg_negative_flag, &foo_flag, "foo", NULL }, - { "bar", 'b', arg_integer, &bar_int, "bar", "seconds"}, - { "baz", 'x', arg_string, &baz_string, "baz", "name" }, -}; - -int main(int argc, char **argv) -{ - int goptind = 0; - while(getarg(args, 5, argc, argv, &goptind)) - printf("Bad arg: %s\n", argv[goptind]); - printf("flag1 = %d\n", flag1); - printf("flag2 = %d\n", flag2); - printf("foo_flag = %d\n", foo_flag); - printf("bar_int = %d\n", bar_int); - printf("baz_flag = %s\n", baz_string); - arg_printusage (args, 5, argv[0], "nothing here"); -} -#endif diff --git a/crypto/heimdal-0.6.3/lib/roken/getarg.cat3 b/crypto/heimdal-0.6.3/lib/roken/getarg.cat3 deleted file mode 100644 index 84611f0440..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/getarg.cat3 +++ /dev/null 
@@ -1,230 +0,0 @@ - -GETARG(3) UNIX Programmer's Manual GETARG(3) - -NNAAMMEE - ggeettaarrgg, aarrgg__pprriinnttuussaaggee - collect command line options - -SSYYNNOOPPSSIISS - _i_n_t - ggeettaarrgg(_s_t_r_u_c_t _g_e_t_a_r_g_s _*_a_r_g_s, _s_i_z_e___t _n_u_m___a_r_g_s, _i_n_t _a_r_g_c, _c_h_a_r _*_*_a_r_g_v, - _i_n_t _*_o_p_t_i_n_d) - - _v_o_i_d - aarrgg__pprriinnttuussaaggee(_s_t_r_u_c_t _g_e_t_a_r_g_s _*_a_r_g_s, _s_i_z_e___t _n_u_m___a_r_g_s, - _c_o_n_s_t _c_h_a_r _*_p_r_o_g_n_a_m_e, _c_o_n_s_t _c_h_a_r _*_e_x_t_r_a___s_t_r_i_n_g) - -DDEESSCCRRIIPPTTIIOONN - ggeettaarrgg() collects any command line options given to a program in an easi- - ly used way. aarrgg__pprriinnttuussaaggee() pretty-prints the available options, with - a short help text. - - _a_r_g_s is the option specification to use, and it's an array of _s_t_r_u_c_t - _g_e_t_a_r_g_s elements. _n_u_m___a_r_g_s is the size of _a_r_g_s (in elements). _a_r_g_c and - _a_r_g_v are the argument count and argument vector to extract option from. - _o_p_t_i_n_d is a pointer to an integer where the index to the last processed - argument is stored, it must be initialised to the first index (minus one) - to process (normally 0) before the first call. - - _a_r_g___p_r_i_n_t_u_s_a_g_e take the same _a_r_g_s and _n_u_m___a_r_g_s as getarg; _p_r_o_g_n_a_m_e is the - name of the program (to be used in the help text), and _e_x_t_r_a___s_t_r_i_n_g is a - string to print after the actual options to indicate more arguments. The - usefulness of this function is realised only be people who has used pro- - grams that has help strings that doesn't match what the code does. - - The _g_e_t_a_r_g_s struct has the following elements. 
- - struct getargs{ - const char *long_name; - char short_name; - enum { arg_integer, - arg_string, - arg_flag, - arg_negative_flag, - arg_strings, - arg_double, - arg_collect - } type; - void *value; - const char *help; - const char *arg_help; - }; - - _l_o_n_g___n_a_m_e is the long name of the option, it can be NULL, if you don't - want a long name. _s_h_o_r_t___n_a_m_e is the characted to use as short option, it - can be zero. If the option has a value the _v_a_l_u_e field gets filled in - with that value interpreted as specified by the _t_y_p_e field. _h_e_l_p is a - longer help string for the option as a whole, if it's NULL the help text - for the option is omitted (but it's still displayed in the synopsis). - _a_r_g___h_e_l_p is a description of the argument, if NULL a default value will - be used, depending on the type of the option: - - arg_integer the argument is a signed integer, and _v_a_l_u_e should - point to an _i_n_t. - - _a_r_g___s_t_r_i_n_g the argument is a string, and _v_a_l_u_e should point to a - - _c_h_a_r_*. - - _a_r_g___f_l_a_g the argument is a flag, and _v_a_l_u_e should point to a - _i_n_t. It gets filled in with either zero or one, de- - pending on how the option is given, the normal case - being one. Note that if the option isn't given, the - value isn't altered, so it should be initialised to - some useful default. - - _a_r_g___n_e_g_a_t_i_v_e___f_l_a_g this is the same as _a_r_g___f_l_a_g but it reverses the mean- - ing of the flag (a given short option clears the - flag), and the synopsis of a long option is negated. - - _a_r_g___s_t_r_i_n_g_s the argument can be given multiple times, and the val- - ues are collected in an array; _v_a_l_u_e should be a - pointer to a _s_t_r_u_c_t _g_e_t_a_r_g___s_t_r_i_n_g_s structure, which - holds a length and a string pointer. - - _a_r_g___d_o_u_b_l_e argument is a double precision floating point value, - and _v_a_l_u_e should point to a _d_o_u_b_l_e. 
- - _a_r_g___c_o_l_l_e_c_t allows more fine-grained control of the option parsing - process. _v_a_l_u_e should be a pointer to a - _g_e_t_a_r_g___c_o_l_l_e_c_t___i_n_f_o structure: - - typedef int (*getarg_collect_func)(int short_opt, - int argc, - char **argv, - int *optind, - int *optarg, - void *data); - - typedef struct getarg_collect_info { - getarg_collect_func func; - void *data; - } getarg_collect_info; - - With the _f_u_n_c member set to a function to call, and - _d_a_t_a to some application specific data. The parameters - to the collect function are: - - _s_h_o_r_t___f_l_a_g non-zero if this call is via a short option - flag, zero otherwise - - _a_r_g_c, _a_r_g_v the whole argument list - - _o_p_t_i_n_d pointer to the index in argv where the flag is - - _o_p_t_a_r_g pointer to the index in argv[*optind] where the - flag name starts - - _d_a_t_a application specific data - - You can modify _*_o_p_t_i_n_d, and _*_o_p_t_a_r_g, but to do this - correct you (more or less) have to know about the in- - ner workings of getarg. - - You can skip parts of arguments by increasing _*_o_p_t_a_r_g - (you could implement the --zz_3 set of flags from ggzziipp - with this), or whole argument strings by increasing - _*_o_p_t_i_n_d (let's say you want a flag --cc _x _y _z to specify - a coordinate); if you also have to set _*_o_p_t_a_r_g to a - sane value. - - The collect function should return one of - ARG_ERR_NO_MATCH, ARG_ERR_BAD_ARG, ARG_ERR_NO_ARG on - error, zero otherwise. - - For your convenience there is a function, - ggeettaarrgg__ooppttaarrgg(), that returns the traditional argument - string, and you pass it all arguments, sans data, that - where given to the collection function. - - Don't use this more this unless you absolutely have - to. - - Option parsing is similar to what getopt uses. 
Short options without ar- - guments can be compressed (--xxyyzz is the same as --xx --yy --zz), and short op- - tions with arguments take these as either the rest of the argv-string or - as the next option (--oo_f_o_o, or --oo _f_o_o). - - Long option names are prefixed with -- (double dash), and the value with - a = (equal), ----ffoooo==_b_a_r. Long option flags can either be specified as they - are (----hheellpp), or with an (boolean parsable) option (----hheellpp==_y_e_s, - ----hheellpp==_t_r_u_e, or similar), or they can also be negated (----nnoo--hheellpp is the - same as ----hheellpp==no), and if you're really confused you can do it multiple - times (----nnoo--nnoo--hheellpp==_f_a_l_s_e, or even ----nnoo--nnoo--hheellpp==_m_a_y_b_e). - -EEXXAAMMPPLLEE - #include - #include - #include - - char *source = "Ouagadougou"; - char *destination; - int weight; - int include_catalog = 1; - int help_flag; - - struct getargs args[] = { - { "source", 's', arg_string, &source, - "source of shippment", "city" }, - { "destination", 'd', arg_string, &destination, - "destination of shippment", "city" }, - { "weight", 'w', arg_integer, &weight, - "weight of shippment", "tons" }, - { "catalog", 'c', arg_negative_flag, &include_catalog, - "include product catalog" }, - { "help", 'h', arg_flag, &help_flag } - }; - - int num_args = sizeof(args) / sizeof(args[0]); /* number of elements in args */ - - const char *progname = "ship++"; - - int - main(int argc, char **argv) - { - int optind = 0; - if (getarg(args, num_args, argc, argv, &optind)) { - arg_printusage(args, num_args, progname, "stuff..."); - exit (1); - } - if (help_flag) { - arg_printusage(args, num_args, progname, "stuff..."); - exit (0); - } - if (destination == NULL) { - fprintf(stderr, "%s: must specify destination\n", progname); - exit(1); - } - if (strcmp(source, destination) == 0) { - fprintf(stderr, "%s: destination must be different from source\n"); - exit(1); - } - /* include more stuff here ... 
*/ - exit(2); - } - - The output help output from this program looks like this: - - $ ship++ --help - Usage: ship++ [--source=city] [-s city] [--destination=city] [-d city] - [--weight=tons] [-w tons] [--no-catalog] [-c] [--help] [-h] stuff... - -s city, --source=city source of shippment - -d city, --destination=city destination of shippment - -w tons, --weight=tons weight of shippment - -c, --no-catalog include product catalog - -BBUUGGSS - It should be more flexible, so it would be possible to use other more - complicated option syntaxes, such as what ps(1), and tar(1), uses, or - the AFS model where you can skip the flag names as long as the options - come in the correct order. - - Options with multiple arguments should be handled better. - - Should be integreated with SL. - - It's very confusing that the struct you pass in is called getargS. - -SSEEEE AALLSSOO - getopt(3) - - ROKEN September 24, 1999 4 diff --git a/crypto/heimdal-0.6.3/lib/roken/getarg.h b/crypto/heimdal-0.6.3/lib/roken/getarg.h deleted file mode 100644 index c68b66a1d0..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/getarg.h +++ /dev/null 
@@ -1,91 +0,0 @@
-/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: getarg.h,v 1.12 2002/04/18 08:50:08 joda Exp $ */
-
-#ifndef __GETARG_H__
-#define __GETARG_H__
-
-#include
-
-struct getargs{
- const char *long_name;
- char short_name;
- enum { arg_integer,
- arg_string,
- arg_flag,
- arg_negative_flag,
- arg_strings,
- arg_double,
- arg_collect,
- arg_counter
- } type;
- void *value;
- const char *help;
- const char *arg_help;
-};
-
-enum {
- ARG_ERR_NO_MATCH = 1,
- ARG_ERR_BAD_ARG,
- ARG_ERR_NO_ARG
-};
-
-typedef struct getarg_strings {
- int num_strings;
- char **strings;
-} getarg_strings;
-
-typedef int (*getarg_collect_func)(int short_opt,
- int argc,
- char **argv,
- int *goptind,
- int *goptarg,
- void *data);
-
-typedef struct getarg_collect_info {
- getarg_collect_func func;
- void *data;
-} getarg_collect_info;
-
-int getarg(struct getargs *args, size_t num_args,
- int argc, char **argv, int *goptind);
-
-void arg_printusage (struct getargs *args,
- size_t num_args,
- const char *progname,
- const char *extra_string);
-
-void free_getarg_strings (getarg_strings *);
-
-#endif /* __GETARG_H__ */
diff --git a/crypto/heimdal-0.6.3/lib/roken/getcap.c b/crypto/heimdal-0.6.3/lib/roken/getcap.c
deleted file mode 100644
index 8a29e1f68b..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/getcap.c
+++ /dev/null
@@ -1,1119 +0,0 @@ -/* $NetBSD: getcap.c,v 1.29 1999/03/29 09:27:29 abs Exp $ */ - -/*- - * Copyright (c) 1992, 1993 - * The Regents of the University of California. All rights reserved. - * - * This code is derived from software contributed to Berkeley by - * Casey Leedom of Lawrence Livermore National Laboratory. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#ifdef HAVE_CONFIG_H -#include -#endif -#include "roken.h" -RCSID("$Id: getcap.c,v 1.8 2003/04/16 16:23:36 lha Exp $"); - -#include -#include -#if defined(HAVE_DB_185_H) -#include -#elif defined(HAVE_DB_H) -#include -#endif -#include -#include -#include -#include -#include -#include -#include - -#define BFRAG 1024 -#if 0 -#define BSIZE 1024 -#endif -#define ESC ('[' & 037) /* ASCII ESC */ -#define MAX_RECURSION 32 /* maximum getent recursion */ -#define SFRAG 100 /* cgetstr mallocs in SFRAG chunks */ - -#define RECOK (char)0 -#define TCERR (char)1 -#define SHADOW (char)2 - -static size_t topreclen; /* toprec length */ -static char *toprec; /* Additional record specified by cgetset() */ -static int gottoprec; /* Flag indicating retrieval of toprecord */ - -#if defined(HAVE_DBOPEN) && defined(HAVE_DB_H) -#define USE_DB -#endif - -#ifdef USE_DB -static int cdbget (DB *, char **, const char *); -#endif -static int getent (char **, size_t *, char **, int, const char *, int, char *); -static int nfcmp (char *, char *); - - -int cgetset(const char *ent); -char *cgetcap(char *buf, const char *cap, int type); -int cgetent(char **buf, char **db_array, const char *name); -int cgetmatch(const char *buf, const char *name); -int cgetclose(void); -#if 0 -int cgetfirst(char **buf, char **db_array); -int cgetnext(char **bp, char **db_array); -#endif -int cgetstr(char *buf, const char *cap, char **str); -int cgetustr(char *buf, const char *cap, char 
**str); -int cgetnum(char *buf, const char *cap, long *num); -/* - * Cgetset() allows the addition of a user specified buffer to be added - * to the database array, in effect "pushing" the buffer on top of the - * virtual database. 0 is returned on success, -1 on failure. - */ -int -cgetset(const char *ent) -{ - const char *source, *check; - char *dest; - - if (ent == NULL) { - if (toprec) - free(toprec); - toprec = NULL; - topreclen = 0; - return (0); - } - topreclen = strlen(ent); - if ((toprec = malloc (topreclen + 1)) == NULL) { - errno = ENOMEM; - return (-1); - } - gottoprec = 0; - - source=ent; - dest=toprec; - while (*source) { /* Strip whitespace */ - *dest++ = *source++; /* Do not check first field */ - while (*source == ':') { - check=source+1; - while (*check && (isspace((unsigned char)*check) || - (*check=='\\' && isspace((unsigned char)check[1])))) - ++check; - if( *check == ':' ) - source=check; - else - break; - - } - } - *dest=0; - - return (0); -} - -/* - * Cgetcap searches the capability record buf for the capability cap with - * type `type'. A pointer to the value of cap is returned on success, NULL - * if the requested capability couldn't be found. - * - * Specifying a type of ':' means that nothing should follow cap (:cap:). - * In this case a pointer to the terminating ':' or NUL will be returned if - * cap is found. - * - * If (cap, '@') or (cap, terminator, '@') is found before (cap, terminator) - * return NULL. - */ -char * -cgetcap(char *buf, const char *cap, int type) -{ - char *bp; - const char *cp; - - bp = buf; - for (;;) { - /* - * Skip past the current capability field - it's either the - * name field if this is the first time through the loop, or - * the remainder of a field whose name failed to match cap. - */ - for (;;) - if (*bp == '\0') - return (NULL); - else - if (*bp++ == ':') - break; - - /* - * Try to match (cap, type) in buf. 
- */ - for (cp = cap; *cp == *bp && *bp != '\0'; cp++, bp++) - continue; - if (*cp != '\0') - continue; - if (*bp == '@') - return (NULL); - if (type == ':') { - if (*bp != '\0' && *bp != ':') - continue; - return(bp); - } - if (*bp != type) - continue; - bp++; - return (*bp == '@' ? NULL : bp); - } - /* NOTREACHED */ -} - -/* - * Cgetent extracts the capability record name from the NULL terminated file - * array db_array and returns a pointer to a malloc'd copy of it in buf. - * Buf must be retained through all subsequent calls to cgetcap, cgetnum, - * cgetflag, and cgetstr, but may then be free'd. 0 is returned on success, - * -1 if the requested record couldn't be found, -2 if a system error was - * encountered (couldn't open/read a file, etc.), and -3 if a potential - * reference loop is detected. - */ -int -cgetent(char **buf, char **db_array, const char *name) -{ - size_t dummy; - - return (getent(buf, &dummy, db_array, -1, name, 0, NULL)); -} - -/* - * Getent implements the functions of cgetent. If fd is non-negative, - * *db_array has already been opened and fd is the open file descriptor. We - * do this to save time and avoid using up file descriptors for tc= - * recursions. - * - * Getent returns the same success/failure codes as cgetent. On success, a - * pointer to a malloc'ed capability record with all tc= capabilities fully - * expanded and its length (not including trailing ASCII NUL) are left in - * *cap and *len. - * - * Basic algorithm: - * + Allocate memory incrementally as needed in chunks of size BFRAG - * for capability buffer. - * + Recurse for each tc=name and interpolate result. Stop when all - * names interpolated, a name can't be found, or depth exceeds - * MAX_RECURSION. 
- */ -static int -getent(char **cap, size_t *len, char **db_array, int fd, - const char *name, int depth, char *nfield) -{ - char *r_end, *rp = NULL, **db_p; /* pacify gcc */ - int myfd = 0, eof, foundit; - char *record; - int tc_not_resolved; - - /* - * Return with ``loop detected'' error if we've recursed more than - * MAX_RECURSION times. - */ - if (depth > MAX_RECURSION) - return (-3); - - /* - * Check if we have a top record from cgetset(). - */ - if (depth == 0 && toprec != NULL && cgetmatch(toprec, name) == 0) { - size_t len = topreclen + BFRAG; - if ((record = malloc (len)) == NULL) { - errno = ENOMEM; - return (-2); - } - (void)strlcpy(record, toprec, len); - db_p = db_array; - rp = record + topreclen + 1; - r_end = rp + BFRAG; - goto tc_exp; - } - /* - * Allocate first chunk of memory. - */ - if ((record = malloc(BFRAG)) == NULL) { - errno = ENOMEM; - return (-2); - } - r_end = record + BFRAG; - foundit = 0; - /* - * Loop through database array until finding the record. - */ - - for (db_p = db_array; *db_p != NULL; db_p++) { - eof = 0; - - /* - * Open database if not already open. - */ - - if (fd >= 0) { - (void)lseek(fd, (off_t)0, SEEK_SET); - } else { -#ifdef USE_DB - char pbuf[_POSIX_PATH_MAX]; - char *cbuf; - size_t clen; - int retval; - DB *capdbp; - - (void)snprintf(pbuf, sizeof(pbuf), "%s.db", *db_p); - if ((capdbp = dbopen(pbuf, O_RDONLY, 0, DB_HASH, 0)) - != NULL) { - free(record); - retval = cdbget(capdbp, &record, name); - if (retval < 0) { - /* no record available */ - (void)capdbp->close(capdbp); - return (retval); - } - /* save the data; close frees it */ - clen = strlen(record); - cbuf = malloc(clen + 1); - memmove(cbuf, record, clen + 1); - if (capdbp->close(capdbp) < 0) { - free(cbuf); - return (-2); - } - *len = clen; - *cap = cbuf; - return (retval); - } else -#endif - { - fd = open(*db_p, O_RDONLY, 0); - if (fd < 0) { - /* No error on unfound file. */ - continue; - } - myfd = 1; - } - } - /* - * Find the requested capability record ... 
- */ - { - char buf[BUFSIZ]; - char *b_end, *bp, *cp; - int c, slash; - - /* - * Loop invariants: - * There is always room for one more character in record. - * R_end always points just past end of record. - * Rp always points just past last character in record. - * B_end always points just past last character in buf. - * Bp always points at next character in buf. - * Cp remembers where the last colon was. - */ - b_end = buf; - bp = buf; - cp = 0; - slash = 0; - for (;;) { - - /* - * Read in a line implementing (\, newline) - * line continuation. - */ - rp = record; - for (;;) { - if (bp >= b_end) { - int n; - - n = read(fd, buf, sizeof(buf)); - if (n <= 0) { - if (myfd) - (void)close(fd); - if (n < 0) { - free(record); - return (-2); - } else { - fd = -1; - eof = 1; - break; - } - } - b_end = buf+n; - bp = buf; - } - - c = *bp++; - if (c == '\n') { - if (slash) { - slash = 0; - rp--; - continue; - } else - break; - } - if (slash) { - slash = 0; - cp = 0; - } - if (c == ':') { - /* - * If the field was `empty' (i.e. - * contained only white space), back up - * to the colon (eliminating the - * field). - */ - if (cp) - rp = cp; - else - cp = rp; - } else if (c == '\\') { - slash = 1; - } else if (c != ' ' && c != '\t') { - /* - * Forget where the colon was, as this - * is not an empty field. - */ - cp = 0; - } - *rp++ = c; - - /* - * Enforce loop invariant: if no room - * left in record buffer, try to get - * some more. - */ - if (rp >= r_end) { - u_int pos; - size_t newsize; - - pos = rp - record; - newsize = r_end - record + BFRAG; - record = realloc(record, newsize); - if (record == NULL) { - errno = ENOMEM; - if (myfd) - (void)close(fd); - return (-2); - } - r_end = record + newsize; - rp = record + pos; - } - } - /* Eliminate any white space after the last colon. */ - if (cp) - rp = cp + 1; - /* Loop invariant lets us do this. */ - *rp++ = '\0'; - - /* - * If encountered eof check next file. - */ - if (eof) - break; - - /* - * Toss blank lines and comments. 
- */ - if (*record == '\0' || *record == '#') - continue; - - /* - * See if this is the record we want ... - */ - if (cgetmatch(record, name) == 0) { - if (nfield == NULL || !nfcmp(nfield, record)) { - foundit = 1; - break; /* found it! */ - } - } - } - } - if (foundit) - break; - } - - if (!foundit) - return (-1); - - /* - * Got the capability record, but now we have to expand all tc=name - * references in it ... - */ - tc_exp: { - char *newicap, *s; - size_t ilen, newilen; - int diff, iret, tclen; - char *icap, *scan, *tc, *tcstart, *tcend; - - /* - * Loop invariants: - * There is room for one more character in record. - * R_end points just past end of record. - * Rp points just past last character in record. - * Scan points at remainder of record that needs to be - * scanned for tc=name constructs. - */ - scan = record; - tc_not_resolved = 0; - for (;;) { - if ((tc = cgetcap(scan, "tc", '=')) == NULL) - break; - - /* - * Find end of tc=name and stomp on the trailing `:' - * (if present) so we can use it to call ourselves. - */ - s = tc; - for (;;) - if (*s == '\0') - break; - else - if (*s++ == ':') { - *(s - 1) = '\0'; - break; - } - tcstart = tc - 3; - tclen = s - tcstart; - tcend = s; - - iret = getent(&icap, &ilen, db_p, fd, tc, depth+1, - NULL); - newicap = icap; /* Put into a register. 
*/ - newilen = ilen; - if (iret != 0) { - /* an error */ - if (iret < -1) { - if (myfd) - (void)close(fd); - free(record); - return (iret); - } - if (iret == 1) - tc_not_resolved = 1; - /* couldn't resolve tc */ - if (iret == -1) { - *(s - 1) = ':'; - scan = s - 1; - tc_not_resolved = 1; - continue; - - } - } - /* not interested in name field of tc'ed record */ - s = newicap; - for (;;) - if (*s == '\0') - break; - else - if (*s++ == ':') - break; - newilen -= s - newicap; - newicap = s; - - /* make sure interpolated record is `:'-terminated */ - s += newilen; - if (*(s-1) != ':') { - *s = ':'; /* overwrite NUL with : */ - newilen++; - } - - /* - * Make sure there's enough room to insert the - * new record. - */ - diff = newilen - tclen; - if (diff >= r_end - rp) { - u_int pos, tcpos, tcposend; - size_t newsize; - - pos = rp - record; - newsize = r_end - record + diff + BFRAG; - tcpos = tcstart - record; - tcposend = tcend - record; - record = realloc(record, newsize); - if (record == NULL) { - errno = ENOMEM; - if (myfd) - (void)close(fd); - free(icap); - return (-2); - } - r_end = record + newsize; - rp = record + pos; - tcstart = record + tcpos; - tcend = record + tcposend; - } - - /* - * Insert tc'ed record into our record. - */ - s = tcstart + newilen; - memmove(s, tcend, (size_t)(rp - tcend)); - memmove(tcstart, newicap, newilen); - rp += diff; - free(icap); - - /* - * Start scan on `:' so next cgetcap works properly - * (cgetcap always skips first field). - */ - scan = s-1; - } - - } - /* - * Close file (if we opened it), give back any extra memory, and - * return capability, length and success. 
- */ - if (myfd) - (void)close(fd); - *len = rp - record - 1; /* don't count NUL */ - if (r_end > rp) - if ((record = - realloc(record, (size_t)(rp - record))) == NULL) { - errno = ENOMEM; - return (-2); - } - - *cap = record; - if (tc_not_resolved) - return (1); - return (0); -} - -#ifdef USE_DB -static int -cdbget(DB *capdbp, char **bp, const char *name) -{ - DBT key; - DBT data; - - /* LINTED key is not modified */ - key.data = (char *)name; - key.size = strlen(name); - - for (;;) { - /* Get the reference. */ - switch(capdbp->get(capdbp, &key, &data, 0)) { - case -1: - return (-2); - case 1: - return (-1); - } - - /* If not an index to another record, leave. */ - if (((char *)data.data)[0] != SHADOW) - break; - - key.data = (char *)data.data + 1; - key.size = data.size - 1; - } - - *bp = (char *)data.data + 1; - return (((char *)(data.data))[0] == TCERR ? 1 : 0); -} -#endif /* USE_DB */ - -/* - * Cgetmatch will return 0 if name is one of the names of the capability - * record buf, -1 if not. - */ -int -cgetmatch(const char *buf, const char *name) -{ - const char *np, *bp; - - /* - * Start search at beginning of record. - */ - bp = buf; - for (;;) { - /* - * Try to match a record name. - */ - np = name; - for (;;) - if (*np == '\0') { - if (*bp == '|' || *bp == ':' || *bp == '\0') - return (0); - else - break; - } else - if (*bp++ != *np++) - break; - - /* - * Match failed, skip to next name in record. 
- */ - bp--; /* a '|' or ':' may have stopped the match */ - for (;;) - if (*bp == '\0' || *bp == ':') - return (-1); /* match failed totally */ - else - if (*bp++ == '|') - break; /* found next name */ - } -} - -#if 0 -int -cgetfirst(char **buf, char **db_array) -{ - (void)cgetclose(); - return (cgetnext(buf, db_array)); -} -#endif - -static FILE *pfp; -static int slash; -static char **dbp; - -int -cgetclose(void) -{ - if (pfp != NULL) { - (void)fclose(pfp); - pfp = NULL; - } - dbp = NULL; - gottoprec = 0; - slash = 0; - return(0); -} - -#if 0 -/* - * Cgetnext() gets either the first or next entry in the logical database - * specified by db_array. It returns 0 upon completion of the database, 1 - * upon returning an entry with more remaining, and -1 if an error occurs. - */ -int -cgetnext(char **bp, char **db_array) -{ - size_t len; - int status, done; - char *cp, *line, *rp, *np, buf[BSIZE], nbuf[BSIZE]; - size_t dummy; - - if (dbp == NULL) - dbp = db_array; - - if (pfp == NULL && (pfp = fopen(*dbp, "r")) == NULL) { - (void)cgetclose(); - return (-1); - } - for(;;) { - if (toprec && !gottoprec) { - gottoprec = 1; - line = toprec; - } else { - line = fgetln(pfp, &len); - if (line == NULL && pfp) { - if (ferror(pfp)) { - (void)cgetclose(); - return (-1); - } else { - (void)fclose(pfp); - pfp = NULL; - if (*++dbp == NULL) { - (void)cgetclose(); - return (0); - } else if ((pfp = - fopen(*dbp, "r")) == NULL) { - (void)cgetclose(); - return (-1); - } else - continue; - } - } else - line[len - 1] = '\0'; - if (len == 1) { - slash = 0; - continue; - } - if (isspace((unsigned char)*line) || - *line == ':' || *line == '#' || slash) { - if (line[len - 2] == '\\') - slash = 1; - else - slash = 0; - continue; - } - if (line[len - 2] == '\\') - slash = 1; - else - slash = 0; - } - - - /* - * Line points to a name line. 
- */ - done = 0; - np = nbuf; - for (;;) { - for (cp = line; *cp != '\0'; cp++) { - if (*cp == ':') { - *np++ = ':'; - done = 1; - break; - } - if (*cp == '\\') - break; - *np++ = *cp; - } - if (done) { - *np = '\0'; - break; - } else { /* name field extends beyond the line */ - line = fgetln(pfp, &len); - if (line == NULL && pfp) { - if (ferror(pfp)) { - (void)cgetclose(); - return (-1); - } - (void)fclose(pfp); - pfp = NULL; - *np = '\0'; - break; - } else - line[len - 1] = '\0'; - } - } - rp = buf; - for(cp = nbuf; *cp != '\0'; cp++) - if (*cp == '|' || *cp == ':') - break; - else - *rp++ = *cp; - - *rp = '\0'; - /* - * XXX - * Last argument of getent here should be nbuf if we want true - * sequential access in the case of duplicates. - * With NULL, getent will return the first entry found - * rather than the duplicate entry record. This is a - * matter of semantics that should be resolved. - */ - status = getent(bp, &dummy, db_array, -1, buf, 0, NULL); - if (status == -2 || status == -3) - (void)cgetclose(); - - return (status + 1); - } - /* NOTREACHED */ -} -#endif - -/* - * Cgetstr retrieves the value of the string capability cap from the - * capability record pointed to by buf. A pointer to a decoded, NUL - * terminated, malloc'd copy of the string is returned in the char * - * pointed to by str. The length of the string not including the trailing - * NUL is returned on success, -1 if the requested string capability - * couldn't be found, -2 if a system error was encountered (storage - * allocation failure). - */ -int -cgetstr(char *buf, const char *cap, char **str) -{ - u_int m_room; - const char *bp; - char *mp; - int len; - char *mem; - - /* - * Find string capability cap - */ - bp = cgetcap(buf, cap, '='); - if (bp == NULL) - return (-1); - - /* - * Conversion / storage allocation loop ... Allocate memory in - * chunks SFRAG in size. 
- */ - if ((mem = malloc(SFRAG)) == NULL) { - errno = ENOMEM; - return (-2); /* couldn't even allocate the first fragment */ - } - m_room = SFRAG; - mp = mem; - - while (*bp != ':' && *bp != '\0') { - /* - * Loop invariants: - * There is always room for one more character in mem. - * Mp always points just past last character in mem. - * Bp always points at next character in buf. - */ - if (*bp == '^') { - bp++; - if (*bp == ':' || *bp == '\0') - break; /* drop unfinished escape */ - *mp++ = *bp++ & 037; - } else if (*bp == '\\') { - bp++; - if (*bp == ':' || *bp == '\0') - break; /* drop unfinished escape */ - if ('0' <= *bp && *bp <= '7') { - int n, i; - - n = 0; - i = 3; /* maximum of three octal digits */ - do { - n = n * 8 + (*bp++ - '0'); - } while (--i && '0' <= *bp && *bp <= '7'); - *mp++ = n; - } - else switch (*bp++) { - case 'b': case 'B': - *mp++ = '\b'; - break; - case 't': case 'T': - *mp++ = '\t'; - break; - case 'n': case 'N': - *mp++ = '\n'; - break; - case 'f': case 'F': - *mp++ = '\f'; - break; - case 'r': case 'R': - *mp++ = '\r'; - break; - case 'e': case 'E': - *mp++ = ESC; - break; - case 'c': case 'C': - *mp++ = ':'; - break; - default: - /* - * Catches '\', '^', and - * everything else. - */ - *mp++ = *(bp-1); - break; - } - } else - *mp++ = *bp++; - m_room--; - - /* - * Enforce loop invariant: if no room left in current - * buffer, try to get some more. - */ - if (m_room == 0) { - size_t size = mp - mem; - - if ((mem = realloc(mem, size + SFRAG)) == NULL) - return (-2); - m_room = SFRAG; - mp = mem + size; - } - } - *mp++ = '\0'; /* loop invariant let's us do this */ - m_room--; - len = mp - mem - 1; - - /* - * Give back any extra memory and return value and success. - */ - if (m_room != 0) - if ((mem = realloc(mem, (size_t)(mp - mem))) == NULL) - return (-2); - *str = mem; - return (len); -} - -/* - * Cgetustr retrieves the value of the string capability cap from the - * capability record pointed to by buf. 
The difference between cgetustr() - * and cgetstr() is that cgetustr does not decode escapes but rather treats - * all characters literally. A pointer to a NUL terminated malloc'd - * copy of the string is returned in the char pointed to by str. The - * length of the string not including the trailing NUL is returned on success, - * -1 if the requested string capability couldn't be found, -2 if a system - * error was encountered (storage allocation failure). - */ -int -cgetustr(char *buf, const char *cap, char **str) -{ - u_int m_room; - const char *bp; - char *mp; - int len; - char *mem; - - /* - * Find string capability cap - */ - if ((bp = cgetcap(buf, cap, '=')) == NULL) - return (-1); - - /* - * Conversion / storage allocation loop ... Allocate memory in - * chunks SFRAG in size. - */ - if ((mem = malloc(SFRAG)) == NULL) { - errno = ENOMEM; - return (-2); /* couldn't even allocate the first fragment */ - } - m_room = SFRAG; - mp = mem; - - while (*bp != ':' && *bp != '\0') { - /* - * Loop invariants: - * There is always room for one more character in mem. - * Mp always points just past last character in mem. - * Bp always points at next character in buf. - */ - *mp++ = *bp++; - m_room--; - - /* - * Enforce loop invariant: if no room left in current - * buffer, try to get some more. - */ - if (m_room == 0) { - size_t size = mp - mem; - - if ((mem = realloc(mem, size + SFRAG)) == NULL) - return (-2); - m_room = SFRAG; - mp = mem + size; - } - } - *mp++ = '\0'; /* loop invariant let's us do this */ - m_room--; - len = mp - mem - 1; - - /* - * Give back any extra memory and return value and success. - */ - if (m_room != 0) - if ((mem = realloc(mem, (size_t)(mp - mem))) == NULL) - return (-2); - *str = mem; - return (len); -} - -/* - * Cgetnum retrieves the value of the numeric capability cap from the - * capability record pointed to by buf. The numeric value is returned in - * the long pointed to by num. 
0 is returned on success, -1 if the requested - * numeric capability couldn't be found. - */ -int -cgetnum(char *buf, const char *cap, long *num) -{ - long n; - int base, digit; - const char *bp; - - /* - * Find numeric capability cap - */ - bp = cgetcap(buf, cap, '#'); - if (bp == NULL) - return (-1); - - /* - * Look at value and determine numeric base: - * 0x... or 0X... hexadecimal, - * else 0... octal, - * else decimal. - */ - if (*bp == '0') { - bp++; - if (*bp == 'x' || *bp == 'X') { - bp++; - base = 16; - } else - base = 8; - } else - base = 10; - - /* - * Conversion loop ... - */ - n = 0; - for (;;) { - if ('0' <= *bp && *bp <= '9') - digit = *bp - '0'; - else if ('a' <= *bp && *bp <= 'f') - digit = 10 + *bp - 'a'; - else if ('A' <= *bp && *bp <= 'F') - digit = 10 + *bp - 'A'; - else - break; - - if (digit >= base) - break; - - n = n * base + digit; - bp++; - } - - /* - * Return value and success. - */ - *num = n; - return (0); -} - - -/* - * Compare name field of record. - */ -static int -nfcmp(char *nf, char *rec) -{ - char *cp, tmp; - int ret; - - for (cp = rec; *cp != ':'; cp++) - ; - - tmp = *(cp + 1); - *(cp + 1) = '\0'; - ret = strcmp(nf, rec); - *(cp + 1) = tmp; - - return (ret); -} diff --git a/crypto/heimdal-0.6.3/lib/roken/getcwd.c b/crypto/heimdal-0.6.3/lib/roken/getcwd.c deleted file mode 100644 index c1f2610021..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/getcwd.c +++ /dev/null 
@@ -1,57 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: getcwd.c,v 1.12 1999/12/02 16:58:46 joda Exp $");
-#endif
-
-#ifdef HAVE_UNISTD_H
-#include
-#endif
-#ifdef HAVE_SYS_PARAM_H
-#include
-#endif
-
-#include "roken.h"
-
-char*
-getcwd(char *path, size_t size)
-{
- char xxx[MaxPathLen];
- char *ret;
- ret = getwd(xxx);
- if(ret)
- strlcpy(path, xxx, size);
- return ret;
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/getdtablesize.c b/crypto/heimdal-0.6.3/lib/roken/getdtablesize.c
deleted file mode 100644
index 183e8ff745..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/getdtablesize.c
+++ /dev/null
@@ -1,101 +0,0 @@
-/*
- * Copyright (c) 1995-2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: getdtablesize.c,v 1.11 2001/06/20 00:00:38 joda Exp $");
-#endif
-
-#include "roken.h"
-
-#ifdef HAVE_SYS_TYPES_H
-#include
-#endif
-#ifdef TIME_WITH_SYS_TIME
-#include
-#include
-#elif defined(HAVE_SYS_TIME_H)
-#include
-#else
-#include
-#endif
-#ifdef HAVE_SYS_PARAM_H
-#include
-#endif
-#ifdef HAVE_UNISTD_H
-#include
-#endif
-
-#ifdef HAVE_SYS_RESOURCE_H
-#include
-#endif
-
-#ifdef HAVE_SYS_SYSCTL_H
-#include
-#endif
-
-int getdtablesize(void)
-{
- int files = -1;
-#if defined(HAVE_SYSCONF) && defined(_SC_OPEN_MAX)
- files = sysconf(_SC_OPEN_MAX);
-#else /* !defined(HAVE_SYSCONF) */
-#if defined(HAVE_GETRLIMIT) && defined(RLIMIT_NOFILE)
- struct rlimit res;
- if (getrlimit(RLIMIT_NOFILE, &res) == 0)
- files = res.rlim_cur;
-#else /* !definded(HAVE_GETRLIMIT) */
-#if defined(HAVE_SYSCTL) && defined(CTL_KERN) && defined(KERN_MAXFILES)
- int mib[2];
- size_t len;
-
- mib[0] = CTL_KERN;
- mib[1] = KERN_MAXFILES;
- len = sizeof(files);
- sysctl(&mib, 2, &files, sizeof(files), NULL, 0);
-#endif /* defined(HAVE_SYSCTL) */
-#endif /* !definded(HAVE_GETRLIMIT) */
-#endif /* !defined(HAVE_SYSCONF) */
-
-#ifdef OPEN_MAX
- if (files < 0)
- files = OPEN_MAX;
-#endif
-
-#ifdef NOFILE
- if (files < 0)
- files = NOFILE;
-#endif
-
- return files;
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/getegid.c b/crypto/heimdal-0.6.3/lib/roken/getegid.c
deleted file mode 100644
index b6eab857e4..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/getegid.c
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-#endif
-#include "roken.h"
-
-#ifndef HAVE_GETEGID
-
-RCSID("$Id: getegid.c,v 1.2 1999/12/02 16:58:46 joda Exp $");
-
-int getegid(void)
-{
- return getgid();
-}
-
-#endif
diff --git a/crypto/heimdal-0.6.3/lib/roken/geteuid.c b/crypto/heimdal-0.6.3/lib/roken/geteuid.c
deleted file mode 100644
index 4bdf531bf9..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/geteuid.c
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-#endif
-#include "roken.h"
-
-#ifndef HAVE_GETEUID
-
-RCSID("$Id: geteuid.c,v 1.2 1999/12/02 16:58:46 joda Exp $");
-
-int geteuid(void)
-{
- return getuid();
-}
-
-#endif
diff --git a/crypto/heimdal-0.6.3/lib/roken/getgid.c b/crypto/heimdal-0.6.3/lib/roken/getgid.c
deleted file mode 100644
index f2ca01a699..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/getgid.c
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-#endif
-#include "roken.h"
-
-#ifndef HAVE_GETGID
-
-RCSID("$Id: getgid.c,v 1.2 1999/12/02 16:58:46 joda Exp $");
-
-int getgid(void)
-{
- return 17;
-}
-
-#endif
diff --git a/crypto/heimdal-0.6.3/lib/roken/gethostname.c b/crypto/heimdal-0.6.3/lib/roken/gethostname.c
deleted file mode 100644
index 753ba9f1b6..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/gethostname.c
+++ /dev/null
@@ -1,72 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-#endif
-#include "roken.h"
-
-#ifndef HAVE_GETHOSTNAME
-
-#ifdef HAVE_SYS_UTSNAME_H
-#include
-#endif
-
-/*
- * Return the local host's name in "name", up to "namelen" characters.
- * "name" will be null-terminated if "namelen" is big enough.
- * The return code is 0 on success, -1 on failure. (The calling
- * interface is identical to gethostname(2).)
- */
-
-int
-gethostname(char *name, int namelen)
-{
-#if defined(HAVE_UNAME)
- {
- struct utsname utsname;
- int ret;
-
- ret = uname (&utsname);
- if (ret < 0)
- return ret;
- strlcpy (name, utsname.nodename, namelen);
- return 0;
- }
-#else
- strlcpy (name, "some.random.host", namelen);
- return 0;
-#endif
-}
-
-#endif /* GETHOSTNAME */
diff --git a/crypto/heimdal-0.6.3/lib/roken/getifaddrs.c b/crypto/heimdal-0.6.3/lib/roken/getifaddrs.c
deleted file mode 100644
index e8c53f83f7..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/getifaddrs.c
+++ /dev/null
@@ -1,1182 +0,0 @@ -/* - * Copyright (c) 2000 - 2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#ifdef HAVE_CONFIG_H -#include -RCSID("$Id: getifaddrs.c,v 1.9 2002/09/05 03:36:23 assar Exp $"); -#endif -#include "roken.h" - -#ifdef __osf__ -/* hate */ -struct rtentry; -struct mbuf; -#endif -#ifdef HAVE_NET_IF_H -#include -#endif - -#ifdef HAVE_SYS_SOCKIO_H -#include -#endif /* HAVE_SYS_SOCKIO_H */ - -#ifdef HAVE_NETINET_IN6_VAR_H -#include -#endif /* HAVE_NETINET_IN6_VAR_H */ - -#include - -#ifdef AF_NETLINK - -/* - * The linux - AF_NETLINK version of getifaddrs - from Usagi. - * Linux does not return v6 addresses from SIOCGIFCONF. - */ - -/* $USAGI: ifaddrs.c,v 1.18 2002/03/06 01:50:46 yoshfuji Exp $ */ - -/************************************************************************** - * ifaddrs.c - * Copyright (C)2000 Hideaki YOSHIFUJI, All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the author nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "config.h" - -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include /* the L2 protocols */ -#include -#include -#include -#include -#include - -#define __set_errno(e) (errno = (e)) -#define __close(fd) (close(fd)) -#undef ifa_broadaddr -#define ifa_broadaddr ifa_dstaddr -#define IFA_NETMASK - -/* ====================================================================== */ -struct nlmsg_list{ - struct nlmsg_list *nlm_next; - struct nlmsghdr *nlh; - int size; - time_t seq; -}; - -struct rtmaddr_ifamap { - void *address; - void *local; -#ifdef IFA_NETMASK - void *netmask; -#endif - void *broadcast; -#ifdef HAVE_IFADDRS_IFA_ANYCAST - void *anycast; -#endif - int address_len; - int local_len; -#ifdef IFA_NETMASK - int netmask_len; -#endif - int broadcast_len; -#ifdef HAVE_IFADDRS_IFA_ANYCAST - int anycast_len; -#endif -}; - -/* ====================================================================== */ -static size_t -ifa_sa_len(sa_family_t family, int len) -{ - size_t size; - switch(family){ - case AF_INET: - size = sizeof(struct sockaddr_in); - break; - case AF_INET6: - size = sizeof(struct sockaddr_in6); - break; - case AF_PACKET: - size = (size_t)(((struct sockaddr_ll *)NULL)->sll_addr) + len; - if (size < sizeof(struct sockaddr_ll)) - size = sizeof(struct sockaddr_ll); - break; - default: - size = (size_t)(((struct sockaddr *)NULL)->sa_data) + len; - if 
(size < sizeof(struct sockaddr)) - size = sizeof(struct sockaddr); - } - return size; -} - -static void -ifa_make_sockaddr(sa_family_t family, - struct sockaddr *sa, - void *p, size_t len, - uint32_t scope, uint32_t scopeid) -{ - if (sa == NULL) return; - switch(family){ - case AF_INET: - memcpy(&((struct sockaddr_in*)sa)->sin_addr, (char *)p, len); - break; - case AF_INET6: - memcpy(&((struct sockaddr_in6*)sa)->sin6_addr, (char *)p, len); - if (IN6_IS_ADDR_LINKLOCAL(p) || - IN6_IS_ADDR_MC_LINKLOCAL(p)){ - ((struct sockaddr_in6*)sa)->sin6_scope_id = scopeid; - } - break; - case AF_PACKET: - memcpy(((struct sockaddr_ll*)sa)->sll_addr, (char *)p, len); - ((struct sockaddr_ll*)sa)->sll_halen = len; - break; - default: - memcpy(sa->sa_data, p, len); /*XXX*/ - break; - } - sa->sa_family = family; -#ifdef HAVE_SOCKADDR_SA_LEN - sa->sa_len = ifa_sa_len(family, len); -#endif -} - -#ifndef IFA_NETMASK -static struct sockaddr * -ifa_make_sockaddr_mask(sa_family_t family, - struct sockaddr *sa, - uint32_t prefixlen) -{ - int i; - char *p = NULL, c; - uint32_t max_prefixlen = 0; - - if (sa == NULL) return NULL; - switch(family){ - case AF_INET: - memset(&((struct sockaddr_in*)sa)->sin_addr, 0, sizeof(((struct sockaddr_in*)sa)->sin_addr)); - p = (char *)&((struct sockaddr_in*)sa)->sin_addr; - max_prefixlen = 32; - break; - case AF_INET6: - memset(&((struct sockaddr_in6*)sa)->sin6_addr, 0, sizeof(((struct sockaddr_in6*)sa)->sin6_addr)); - p = (char *)&((struct sockaddr_in6*)sa)->sin6_addr; -#if 0 /* XXX: fill scope-id? 
*/ - if (IN6_IS_ADDR_LINKLOCAL(p) || - IN6_IS_ADDR_MC_LINKLOCAL(p)){ - ((struct sockaddr_in6*)sa)->sin6_scope_id = scopeid; - } -#endif - max_prefixlen = 128; - break; - default: - return NULL; - } - sa->sa_family = family; -#ifdef HAVE_SOCKADDR_SA_LEN - sa->sa_len = ifa_sa_len(family, len); -#endif - if (p){ - if (prefixlen > max_prefixlen) - prefixlen = max_prefixlen; - for (i=0; i<(prefixlen / 8); i++) - *p++ = 0xff; - c = 0xff; - c <<= (8 - (prefixlen % 8)); - *p = c; - } - return sa; -} -#endif - -/* ====================================================================== */ -static int -nl_sendreq(int sd, int request, int flags, int *seq) -{ - char reqbuf[NLMSG_ALIGN(sizeof(struct nlmsghdr)) + - NLMSG_ALIGN(sizeof(struct rtgenmsg))]; - struct sockaddr_nl nladdr; - struct nlmsghdr *req_hdr; - struct rtgenmsg *req_msg; - time_t t = time(NULL); - - if (seq) *seq = t; - memset(&reqbuf, 0, sizeof(reqbuf)); - req_hdr = (struct nlmsghdr *)reqbuf; - req_msg = (struct rtgenmsg *)NLMSG_DATA(req_hdr); - req_hdr->nlmsg_len = NLMSG_LENGTH(sizeof(*req_msg)); - req_hdr->nlmsg_type = request; - req_hdr->nlmsg_flags = flags | NLM_F_REQUEST; - req_hdr->nlmsg_pid = 0; - req_hdr->nlmsg_seq = t; - req_msg->rtgen_family = AF_UNSPEC; - memset(&nladdr, 0, sizeof(nladdr)); - nladdr.nl_family = AF_NETLINK; - return (sendto(sd, (void *)req_hdr, req_hdr->nlmsg_len, 0, - (struct sockaddr *)&nladdr, sizeof(nladdr))); -} - -static int -nl_recvmsg(int sd, int request, int seq, - void *buf, size_t buflen, - int *flags) -{ - struct msghdr msg; - struct iovec iov = { buf, buflen }; - struct sockaddr_nl nladdr; - int read_len; - - for (;;){ - msg.msg_name = (void *)&nladdr; - msg.msg_namelen = sizeof(nladdr); - msg.msg_iov = &iov; - msg.msg_iovlen = 1; - msg.msg_control = NULL; - msg.msg_controllen = 0; - msg.msg_flags = 0; - read_len = recvmsg(sd, &msg, 0); - if ((read_len < 0 && errno == EINTR) || (msg.msg_flags & MSG_TRUNC)) - continue; - if (flags) *flags = msg.msg_flags; - break; - } - 
return read_len; -} - -static int -nl_getmsg(int sd, int request, int seq, - struct nlmsghdr **nlhp, - int *done) -{ - struct nlmsghdr *nh; - size_t bufsize = 65536, lastbufsize = 0; - void *buff = NULL; - int result = 0, read_size; - int msg_flags; - pid_t pid = getpid(); - for (;;){ - void *newbuff = realloc(buff, bufsize); - if (newbuff == NULL || bufsize < lastbufsize) { - result = -1; - break; - } - buff = newbuff; - result = read_size = nl_recvmsg(sd, request, seq, buff, bufsize, &msg_flags); - if (read_size < 0 || (msg_flags & MSG_TRUNC)){ - lastbufsize = bufsize; - bufsize *= 2; - continue; - } - if (read_size == 0) break; - nh = (struct nlmsghdr *)buff; - for (nh = (struct nlmsghdr *)buff; - NLMSG_OK(nh, read_size); - nh = (struct nlmsghdr *)NLMSG_NEXT(nh, read_size)){ - if (nh->nlmsg_pid != pid || - nh->nlmsg_seq != seq) - continue; - if (nh->nlmsg_type == NLMSG_DONE){ - (*done)++; - break; /* ok */ - } - if (nh->nlmsg_type == NLMSG_ERROR){ - struct nlmsgerr *nlerr = (struct nlmsgerr *)NLMSG_DATA(nh); - result = -1; - if (nh->nlmsg_len < NLMSG_LENGTH(sizeof(struct nlmsgerr))) - __set_errno(EIO); - else - __set_errno(-nlerr->error); - break; - } - } - break; - } - if (result < 0) - if (buff){ - int saved_errno = errno; - free(buff); - __set_errno(saved_errno); - } - *nlhp = (struct nlmsghdr *)buff; - return result; -} - -static int -nl_getlist(int sd, int seq, - int request, - struct nlmsg_list **nlm_list, - struct nlmsg_list **nlm_end) -{ - struct nlmsghdr *nlh = NULL; - int status; - int done = 0; - - status = nl_sendreq(sd, request, NLM_F_ROOT|NLM_F_MATCH, &seq); - if (status < 0) - return status; - if (seq == 0) - seq = (int)time(NULL); - while(!done){ - status = nl_getmsg(sd, request, seq, &nlh, &done); - if (status < 0) - return status; - if (nlh){ - struct nlmsg_list *nlm_next = (struct nlmsg_list *)malloc(sizeof(struct nlmsg_list)); - if (nlm_next == NULL){ - int saved_errno = errno; - free(nlh); - __set_errno(saved_errno); - status = -1; - } else 
{ - nlm_next->nlm_next = NULL; - nlm_next->nlh = (struct nlmsghdr *)nlh; - nlm_next->size = status; - nlm_next->seq = seq; - if (*nlm_list == NULL){ - *nlm_list = nlm_next; - *nlm_end = nlm_next; - } else { - (*nlm_end)->nlm_next = nlm_next; - *nlm_end = nlm_next; - } - } - } - } - return status >= 0 ? seq : status; -} - -/* ---------------------------------------------------------------------- */ -static void -free_nlmsglist(struct nlmsg_list *nlm0) -{ - struct nlmsg_list *nlm; - int saved_errno; - if (!nlm0) - return; - saved_errno = errno; - for (nlm=nlm0; nlm; nlm=nlm->nlm_next){ - if (nlm->nlh) - free(nlm->nlh); - } - free(nlm0); - __set_errno(saved_errno); -} - -static void -free_data(void *data, void *ifdata) -{ - int saved_errno = errno; - if (data != NULL) free(data); - if (ifdata != NULL) free(ifdata); - __set_errno(saved_errno); -} - -/* ---------------------------------------------------------------------- */ -static void -nl_close(int sd) -{ - int saved_errno = errno; - if (sd >= 0) __close(sd); - __set_errno(saved_errno); -} - -/* ---------------------------------------------------------------------- */ -static int -nl_open(void) -{ - struct sockaddr_nl nladdr; - int sd; - - sd = socket(PF_NETLINK, SOCK_RAW, NETLINK_ROUTE); - if (sd < 0) return -1; - memset(&nladdr, 0, sizeof(nladdr)); - nladdr.nl_family = AF_NETLINK; - if (bind(sd, (struct sockaddr*)&nladdr, sizeof(nladdr)) < 0){ - nl_close(sd); - return -1; - } - return sd; -} - -/* ====================================================================== */ -int getifaddrs(struct ifaddrs **ifap) -{ - int sd; - struct nlmsg_list *nlmsg_list, *nlmsg_end, *nlm; - /* - - - - - - - - - - - - - - - */ - int icnt; - size_t dlen, xlen, nlen; - uint32_t max_ifindex = 0; - - pid_t pid = getpid(); - int seq; - int result; - int build ; /* 0 or 1 */ - -/* ---------------------------------- */ - /* initialize */ - icnt = dlen = xlen = nlen = 0; - nlmsg_list = nlmsg_end = NULL; - - if (ifap) - *ifap = NULL; - -/* 
---------------------------------- */ - /* open socket and bind */ - sd = nl_open(); - if (sd < 0) - return -1; - -/* ---------------------------------- */ - /* gather info */ - if ((seq = nl_getlist(sd, 0, RTM_GETLINK, - &nlmsg_list, &nlmsg_end)) < 0){ - free_nlmsglist(nlmsg_list); - nl_close(sd); - return -1; - } - if ((seq = nl_getlist(sd, seq+1, RTM_GETADDR, - &nlmsg_list, &nlmsg_end)) < 0){ - free_nlmsglist(nlmsg_list); - nl_close(sd); - return -1; - } - -/* ---------------------------------- */ - /* Estimate size of result buffer and fill it */ - for (build=0; build<=1; build++){ - struct ifaddrs *ifl = NULL, *ifa = NULL; - struct nlmsghdr *nlh, *nlh0; - char *data = NULL, *xdata = NULL; - void *ifdata = NULL; - char *ifname = NULL, **iflist = NULL; - uint16_t *ifflist = NULL; - struct rtmaddr_ifamap ifamap; - - if (build){ - data = calloc(1, - NLMSG_ALIGN(sizeof(struct ifaddrs[icnt])) - + dlen + xlen + nlen); - ifa = (struct ifaddrs *)data; - ifdata = calloc(1, - NLMSG_ALIGN(sizeof(char *[max_ifindex+1])) - + NLMSG_ALIGN(sizeof(uint16_t [max_ifindex+1]))); - if (ifap != NULL) - *ifap = (ifdata != NULL) ? 
ifa : NULL; - else{ - free_data(data, ifdata); - result = 0; - break; - } - if (data == NULL || ifdata == NULL){ - free_data(data, ifdata); - result = -1; - break; - } - ifl = NULL; - data += NLMSG_ALIGN(sizeof(struct ifaddrs)) * icnt; - xdata = data + dlen; - ifname = xdata + xlen; - iflist = ifdata; - ifflist = (uint16_t *)(((char *)iflist) + NLMSG_ALIGN(sizeof(char *[max_ifindex+1]))); - } - - for (nlm=nlmsg_list; nlm; nlm=nlm->nlm_next){ - int nlmlen = nlm->size; - if (!(nlh0 = nlm->nlh)) - continue; - for (nlh = nlh0; - NLMSG_OK(nlh, nlmlen); - nlh=NLMSG_NEXT(nlh,nlmlen)){ - struct ifinfomsg *ifim = NULL; - struct ifaddrmsg *ifam = NULL; - struct rtattr *rta; - - size_t nlm_struct_size = 0; - sa_family_t nlm_family = 0; - uint32_t nlm_scope = 0, nlm_index = 0; - size_t sockaddr_size = 0; - uint32_t nlm_prefixlen = 0; - size_t rtasize; - - memset(&ifamap, 0, sizeof(ifamap)); - - /* check if the message is what we want */ - if (nlh->nlmsg_pid != pid || - nlh->nlmsg_seq != nlm->seq) - continue; - if (nlh->nlmsg_type == NLMSG_DONE){ - break; /* ok */ - } - switch (nlh->nlmsg_type){ - case RTM_NEWLINK: - ifim = (struct ifinfomsg *)NLMSG_DATA(nlh); - nlm_struct_size = sizeof(*ifim); - nlm_family = ifim->ifi_family; - nlm_scope = 0; - nlm_index = ifim->ifi_index; - nlm_prefixlen = 0; - if (build) - ifflist[nlm_index] = ifa->ifa_flags = ifim->ifi_flags; - break; - case RTM_NEWADDR: - ifam = (struct ifaddrmsg *)NLMSG_DATA(nlh); - nlm_struct_size = sizeof(*ifam); - nlm_family = ifam->ifa_family; - nlm_scope = ifam->ifa_scope; - nlm_index = ifam->ifa_index; - nlm_prefixlen = ifam->ifa_prefixlen; - if (build) - ifa->ifa_flags = ifflist[nlm_index]; - break; - default: - continue; - } - - if (!build){ - if (max_ifindex < nlm_index) - max_ifindex = nlm_index; - } else { - if (ifl != NULL) - ifl->ifa_next = ifa; - } - - rtasize = NLMSG_PAYLOAD(nlh, nlmlen) - NLMSG_ALIGN(nlm_struct_size); - for (rta = (struct rtattr *)(((char *)NLMSG_DATA(nlh)) + NLMSG_ALIGN(nlm_struct_size)); 
- RTA_OK(rta, rtasize); - rta = RTA_NEXT(rta, rtasize)){ - struct sockaddr **sap = NULL; - void *rtadata = RTA_DATA(rta); - size_t rtapayload = RTA_PAYLOAD(rta); - socklen_t sa_len; - - switch(nlh->nlmsg_type){ - case RTM_NEWLINK: - switch(rta->rta_type){ - case IFLA_ADDRESS: - case IFLA_BROADCAST: - if (build){ - sap = (rta->rta_type == IFLA_ADDRESS) ? &ifa->ifa_addr : &ifa->ifa_broadaddr; - *sap = (struct sockaddr *)data; - } - sa_len = ifa_sa_len(AF_PACKET, rtapayload); - if (rta->rta_type == IFLA_ADDRESS) - sockaddr_size = NLMSG_ALIGN(sa_len); - if (!build){ - dlen += NLMSG_ALIGN(sa_len); - } else { - memset(*sap, 0, sa_len); - ifa_make_sockaddr(AF_PACKET, *sap, rtadata,rtapayload, 0,0); - ((struct sockaddr_ll *)*sap)->sll_ifindex = nlm_index; - ((struct sockaddr_ll *)*sap)->sll_hatype = ifim->ifi_type; - data += NLMSG_ALIGN(sa_len); - } - break; - case IFLA_IFNAME:/* Name of Interface */ - if (!build) - nlen += NLMSG_ALIGN(rtapayload + 1); - else{ - ifa->ifa_name = ifname; - if (iflist[nlm_index] == NULL) - iflist[nlm_index] = ifa->ifa_name; - strncpy(ifa->ifa_name, rtadata, rtapayload); - ifa->ifa_name[rtapayload] = '\0'; - ifname += NLMSG_ALIGN(rtapayload + 1); - } - break; - case IFLA_STATS:/* Statistics of Interface */ - if (!build) - xlen += NLMSG_ALIGN(rtapayload); - else{ - ifa->ifa_data = xdata; - memcpy(ifa->ifa_data, rtadata, rtapayload); - xdata += NLMSG_ALIGN(rtapayload); - } - break; - case IFLA_UNSPEC: - break; - case IFLA_MTU: - break; - case IFLA_LINK: - break; - case IFLA_QDISC: - break; - default: - } - break; - case RTM_NEWADDR: - if (nlm_family == AF_PACKET) break; - switch(rta->rta_type){ - case IFA_ADDRESS: - ifamap.address = rtadata; - ifamap.address_len = rtapayload; - break; - case IFA_LOCAL: - ifamap.local = rtadata; - ifamap.local_len = rtapayload; - break; - case IFA_BROADCAST: - ifamap.broadcast = rtadata; - ifamap.broadcast_len = rtapayload; - break; -#ifdef HAVE_IFADDRS_IFA_ANYCAST - case IFA_ANYCAST: - ifamap.anycast = rtadata; 
- ifamap.anycast_len = rtapayload; - break; -#endif - case IFA_LABEL: - if (!build) - nlen += NLMSG_ALIGN(rtapayload + 1); - else{ - ifa->ifa_name = ifname; - if (iflist[nlm_index] == NULL) - iflist[nlm_index] = ifname; - strncpy(ifa->ifa_name, rtadata, rtapayload); - ifa->ifa_name[rtapayload] = '\0'; - ifname += NLMSG_ALIGN(rtapayload + 1); - } - break; - case IFA_UNSPEC: - break; - case IFA_CACHEINFO: - break; - default: - } - } - } - if (nlh->nlmsg_type == RTM_NEWADDR && - nlm_family != AF_PACKET) { - if (!ifamap.local) { - ifamap.local = ifamap.address; - ifamap.local_len = ifamap.address_len; - } - if (!ifamap.address) { - ifamap.address = ifamap.local; - ifamap.address_len = ifamap.local_len; - } - if (ifamap.address_len != ifamap.local_len || - (ifamap.address != NULL && - memcmp(ifamap.address, ifamap.local, ifamap.address_len))) { - /* p2p; address is peer and local is ours */ - ifamap.broadcast = ifamap.address; - ifamap.broadcast_len = ifamap.address_len; - ifamap.address = ifamap.local; - ifamap.address_len = ifamap.local_len; - } - if (ifamap.address) { -#ifndef IFA_NETMASK - sockaddr_size = NLMSG_ALIGN(ifa_sa_len(nlm_family,ifamap.address_len)); -#endif - if (!build) - dlen += NLMSG_ALIGN(ifa_sa_len(nlm_family,ifamap.address_len)); - else { - ifa->ifa_addr = (struct sockaddr *)data; - ifa_make_sockaddr(nlm_family, ifa->ifa_addr, ifamap.address, ifamap.address_len, - nlm_scope, nlm_index); - data += NLMSG_ALIGN(ifa_sa_len(nlm_family, ifamap.address_len)); - } - } -#ifdef IFA_NETMASK - if (ifamap.netmask) { - if (!build) - dlen += NLMSG_ALIGN(ifa_sa_len(nlm_family,ifamap.netmask_len)); - else { - ifa->ifa_netmask = (struct sockaddr *)data; - ifa_make_sockaddr(nlm_family, ifa->ifa_netmask, ifamap.netmask, ifamap.netmask_len, - nlm_scope, nlm_index); - data += NLMSG_ALIGN(ifa_sa_len(nlm_family, ifamap.netmask_len)); - } - } -#endif - if (ifamap.broadcast) { - if (!build) - dlen += NLMSG_ALIGN(ifa_sa_len(nlm_family,ifamap.broadcast_len)); - else { - 
ifa->ifa_broadaddr = (struct sockaddr *)data; - ifa_make_sockaddr(nlm_family, ifa->ifa_broadaddr, ifamap.broadcast, ifamap.broadcast_len, - nlm_scope, nlm_index); - data += NLMSG_ALIGN(ifa_sa_len(nlm_family, ifamap.broadcast_len)); - } - } -#ifdef HAVE_IFADDRS_IFA_ANYCAST - if (ifamap.anycast) { - if (!build) - dlen += NLMSG_ALIGN(ifa_sa_len(nlm_family,ifamap.anycast_len)); - else { - ifa->ifa_anycast = (struct sockaddr *)data; - ifa_make_sockaddr(nlm_family, ifa->ifa_anyaddr, ifamap.anycast, ifamap.anycast_len, - nlm_scope, nlm_index); - data += NLMSG_ALIGN(ifa_sa_len(nlm_family, ifamap.anycast_len)); - } - } -#endif - } - if (!build){ -#ifndef IFA_NETMASK - dlen += sockaddr_size; -#endif - icnt++; - } else { - if (ifa->ifa_name == NULL) - ifa->ifa_name = iflist[nlm_index]; -#ifndef IFA_NETMASK - if (ifa->ifa_addr && - ifa->ifa_addr->sa_family != AF_UNSPEC && - ifa->ifa_addr->sa_family != AF_PACKET){ - ifa->ifa_netmask = (struct sockaddr *)data; - ifa_make_sockaddr_mask(ifa->ifa_addr->sa_family, ifa->ifa_netmask, nlm_prefixlen); - } - data += sockaddr_size; -#endif - ifl = ifa++; - } - } - } - if (!build){ - if (icnt == 0 && (dlen + nlen + xlen == 0)){ - if (ifap != NULL) - *ifap = NULL; - break; /* cannot found any addresses */ - } - } - else - free_data(NULL, ifdata); - } - -/* ---------------------------------- */ - /* Finalize */ - free_nlmsglist(nlmsg_list); - nl_close(sd); - return 0; -} - -/* ---------------------------------------------------------------------- */ -void -freeifaddrs(struct ifaddrs *ifa) -{ - free(ifa); -} - - -#else /* !AF_NETLINK */ - -/* - * The generic SIOCGIFCONF version. 
- */ - -static int -getifaddrs2(struct ifaddrs **ifap, - int af, int siocgifconf, int siocgifflags, - size_t ifreq_sz) -{ - int ret; - int fd; - size_t buf_size; - char *buf; - struct ifconf ifconf; - char *p; - size_t sz; - struct sockaddr sa_zero; - struct ifreq *ifr; - struct ifaddrs *start = NULL, **end = &start; - - buf = NULL; - - memset (&sa_zero, 0, sizeof(sa_zero)); - fd = socket(af, SOCK_DGRAM, 0); - if (fd < 0) - return -1; - - buf_size = 8192; - for (;;) { - buf = calloc(1, buf_size); - if (buf == NULL) { - ret = ENOMEM; - goto error_out; - } - ifconf.ifc_len = buf_size; - ifconf.ifc_buf = buf; - - /* - * Solaris returns EINVAL when the buffer is too small. - */ - if (ioctl (fd, siocgifconf, &ifconf) < 0 && errno != EINVAL) { - ret = errno; - goto error_out; - } - /* - * Can the difference between a full and a overfull buf - * be determined? - */ - - if (ifconf.ifc_len < buf_size) - break; - free (buf); - buf_size *= 2; - } - - for (p = ifconf.ifc_buf; - p < ifconf.ifc_buf + ifconf.ifc_len; - p += sz) { - struct ifreq ifreq; - struct sockaddr *sa; - size_t salen; - - ifr = (struct ifreq *)p; - sa = &ifr->ifr_addr; - - sz = ifreq_sz; - salen = sizeof(struct sockaddr); -#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN - salen = sa->sa_len; - sz = max(sz, sizeof(ifr->ifr_name) + sa->sa_len); -#endif -#ifdef SA_LEN - salen = SA_LEN(sa); - sz = max(sz, sizeof(ifr->ifr_name) + SA_LEN(sa)); -#endif - memset (&ifreq, 0, sizeof(ifreq)); - memcpy (ifreq.ifr_name, ifr->ifr_name, sizeof(ifr->ifr_name)); - - if (ioctl(fd, siocgifflags, &ifreq) < 0) { - ret = errno; - goto error_out; - } - - *end = malloc(sizeof(**end)); - if (*end == NULL) { - ret = ENOMEM; - goto error_out; - } - - (*end)->ifa_next = NULL; - (*end)->ifa_name = strdup(ifr->ifr_name); - (*end)->ifa_flags = ifreq.ifr_flags; - (*end)->ifa_addr = malloc(salen); - memcpy((*end)->ifa_addr, sa, salen); - (*end)->ifa_netmask = NULL; - -#if 0 - /* fix these when we actually need them */ - if(ifreq.ifr_flags & 
IFF_BROADCAST) { - (*end)->ifa_broadaddr = malloc(sizeof(ifr->ifr_broadaddr)); - memcpy((*end)->ifa_broadaddr, &ifr->ifr_broadaddr, - sizeof(ifr->ifr_broadaddr)); - } else if(ifreq.ifr_flags & IFF_POINTOPOINT) { - (*end)->ifa_dstaddr = malloc(sizeof(ifr->ifr_dstaddr)); - memcpy((*end)->ifa_dstaddr, &ifr->ifr_dstaddr, - sizeof(ifr->ifr_dstaddr)); - } else - (*end)->ifa_dstaddr = NULL; -#else - (*end)->ifa_dstaddr = NULL; -#endif - - (*end)->ifa_data = NULL; - - end = &(*end)->ifa_next; - - } - *ifap = start; - close(fd); - free(buf); - return 0; - error_out: - freeifaddrs(start); - close(fd); - free(buf); - errno = ret; - return -1; -} - -#if defined(HAVE_IPV6) && defined(SIOCGLIFCONF) && defined(SIOCGLIFFLAGS) -static int -getlifaddrs2(struct ifaddrs **ifap, - int af, int siocgifconf, int siocgifflags, - size_t ifreq_sz) -{ - int ret; - int fd; - size_t buf_size; - char *buf; - struct lifconf ifconf; - char *p; - size_t sz; - struct sockaddr sa_zero; - struct lifreq *ifr; - struct ifaddrs *start = NULL, **end = &start; - - buf = NULL; - - memset (&sa_zero, 0, sizeof(sa_zero)); - fd = socket(af, SOCK_DGRAM, 0); - if (fd < 0) - return -1; - - buf_size = 8192; - for (;;) { - buf = calloc(1, buf_size); - if (buf == NULL) { - ret = ENOMEM; - goto error_out; - } - ifconf.lifc_family = AF_UNSPEC; - ifconf.lifc_flags = 0; - ifconf.lifc_len = buf_size; - ifconf.lifc_buf = buf; - - /* - * Solaris returns EINVAL when the buffer is too small. - */ - if (ioctl (fd, siocgifconf, &ifconf) < 0 && errno != EINVAL) { - ret = errno; - goto error_out; - } - /* - * Can the difference between a full and a overfull buf - * be determined? 
- */ - - if (ifconf.lifc_len < buf_size) - break; - free (buf); - buf_size *= 2; - } - - for (p = ifconf.lifc_buf; - p < ifconf.lifc_buf + ifconf.lifc_len; - p += sz) { - struct lifreq ifreq; - struct sockaddr_storage *sa; - size_t salen; - - ifr = (struct lifreq *)p; - sa = &ifr->lifr_addr; - - sz = ifreq_sz; - salen = sizeof(struct sockaddr_storage); -#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN - salen = sa->sa_len; - sz = max(sz, sizeof(ifr->ifr_name) + sa->sa_len); -#endif -#ifdef SA_LEN - salen = SA_LEN(sa); - sz = max(sz, sizeof(ifr->ifr_name) + SA_LEN(sa)); -#endif - memset (&ifreq, 0, sizeof(ifreq)); - memcpy (ifreq.lifr_name, ifr->lifr_name, sizeof(ifr->lifr_name)); - - if (ioctl(fd, siocgifflags, &ifreq) < 0) { - ret = errno; - goto error_out; - } - - *end = malloc(sizeof(**end)); - - (*end)->ifa_next = NULL; - (*end)->ifa_name = strdup(ifr->lifr_name); - (*end)->ifa_flags = ifreq.lifr_flags; - (*end)->ifa_addr = malloc(salen); - memcpy((*end)->ifa_addr, sa, salen); - (*end)->ifa_netmask = NULL; - -#if 0 - /* fix these when we actually need them */ - if(ifreq.ifr_flags & IFF_BROADCAST) { - (*end)->ifa_broadaddr = malloc(sizeof(ifr->ifr_broadaddr)); - memcpy((*end)->ifa_broadaddr, &ifr->ifr_broadaddr, - sizeof(ifr->ifr_broadaddr)); - } else if(ifreq.ifr_flags & IFF_POINTOPOINT) { - (*end)->ifa_dstaddr = malloc(sizeof(ifr->ifr_dstaddr)); - memcpy((*end)->ifa_dstaddr, &ifr->ifr_dstaddr, - sizeof(ifr->ifr_dstaddr)); - } else - (*end)->ifa_dstaddr = NULL; -#else - (*end)->ifa_dstaddr = NULL; -#endif - - (*end)->ifa_data = NULL; - - end = &(*end)->ifa_next; - - } - *ifap = start; - close(fd); - free(buf); - return 0; - error_out: - freeifaddrs(start); - close(fd); - free(buf); - errno = ret; - return -1; -} -#endif /* defined(HAVE_IPV6) && defined(SIOCGLIFCONF) && defined(SIOCGLIFFLAGS) */ - -int -getifaddrs(struct ifaddrs **ifap) -{ - int ret = -1; - errno = ENXIO; -#if defined(AF_INET6) && defined(SIOCGIF6CONF) && defined(SIOCGIF6FLAGS) - if (ret) - ret = getifaddrs2 
(ifap, AF_INET6, SIOCGIF6CONF, SIOCGIF6FLAGS, - sizeof(struct in6_ifreq)); -#endif -#if defined(HAVE_IPV6) && defined(SIOCGLIFCONF) && defined(SIOCGLIFFLAGS) - if (ret) - ret = getlifaddrs2 (ifap, AF_INET6, SIOCGLIFCONF, SIOCGLIFFLAGS, - sizeof(struct lifreq)); -#endif -#if defined(HAVE_IPV6) && defined(SIOCGIFCONF) - if (ret) - ret = getifaddrs2 (ifap, AF_INET6, SIOCGIFCONF, SIOCGIFFLAGS, - sizeof(struct ifreq)); -#endif -#if defined(AF_INET) && defined(SIOCGIFCONF) && defined(SIOCGIFFLAGS) - if (ret) - ret = getifaddrs2 (ifap, AF_INET, SIOCGIFCONF, SIOCGIFFLAGS, - sizeof(struct ifreq)); -#endif - return ret; -} - -void -freeifaddrs(struct ifaddrs *ifp) -{ - struct ifaddrs *p, *q; - - for(p = ifp; p; ) { - free(p->ifa_name); - if(p->ifa_addr) - free(p->ifa_addr); - if(p->ifa_dstaddr) - free(p->ifa_dstaddr); - if(p->ifa_netmask) - free(p->ifa_netmask); - if(p->ifa_data) - free(p->ifa_data); - q = p; - p = p->ifa_next; - free(q); - } -} - -#endif /* !AF_NETLINK */ - -#ifdef TEST - -void -print_addr(const char *s, struct sockaddr *sa) -{ - int i; - printf(" %s=%d/", s, sa->sa_family); -#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN - for(i = 0; i < sa->sa_len - ((long)sa->sa_data - (long)&sa->sa_family); i++) - printf("%02x", ((unsigned char*)sa->sa_data)[i]); -#else - for(i = 0; i < sizeof(sa->sa_data); i++) - printf("%02x", ((unsigned char*)sa->sa_data)[i]); -#endif - printf("\n"); -} - -void -print_ifaddrs(struct ifaddrs *x) -{ - struct ifaddrs *p; - - for(p = x; p; p = p->ifa_next) { - printf("%s\n", p->ifa_name); - printf(" flags=%x\n", p->ifa_flags); - if(p->ifa_addr) - print_addr("addr", p->ifa_addr); - if(p->ifa_dstaddr) - print_addr("dstaddr", p->ifa_dstaddr); - if(p->ifa_netmask) - print_addr("netmask", p->ifa_netmask); - printf(" %p\n", p->ifa_data); - } -} - -int -main() -{ - struct ifaddrs *a = NULL, *b; - getifaddrs2(&a, AF_INET, SIOCGIFCONF, SIOCGIFFLAGS, sizeof(struct ifreq)); - print_ifaddrs(a); - printf("---\n"); - getifaddrs(&b); - print_ifaddrs(b); - return 
0; -} -#endif diff --git a/crypto/heimdal-0.6.3/lib/roken/getipnodebyaddr.c b/crypto/heimdal-0.6.3/lib/roken/getipnodebyaddr.c deleted file mode 100644 index f22aad7f73..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/getipnodebyaddr.c +++ /dev/null 
@@ -1,74 +0,0 @@
-/*
- * Copyright (c) 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: getipnodebyaddr.c,v 1.2 1999/12/02 16:58:46 joda Exp $");
-#endif
-
-#include "roken.h"
-
-/*
- * lookup `src, len' (address family `af') in DNS and return a pointer
- * to a malloced struct hostent or NULL.
- */
-
-struct hostent *
-getipnodebyaddr (const void *src, size_t len, int af, int *error_num)
-{
- struct hostent *tmp;
-
- tmp = gethostbyaddr (src, len, af);
- if (tmp == NULL) {
- switch (h_errno) {
- case HOST_NOT_FOUND :
- case TRY_AGAIN :
- case NO_RECOVERY :
- *error_num = h_errno;
- break;
- case NO_DATA :
- *error_num = NO_ADDRESS;
- break;
- default :
- *error_num = NO_RECOVERY;
- break;
- }
- return NULL;
- }
- tmp = copyhostent (tmp);
- if (tmp == NULL) {
- *error_num = TRY_AGAIN;
- return NULL;
- }
- return tmp;
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/getipnodebyname.c b/crypto/heimdal-0.6.3/lib/roken/getipnodebyname.c
deleted file mode 100644
index 576feef0ae..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/getipnodebyname.c
+++ /dev/null
@@ -1,86 +0,0 @@
-/*
- * Copyright (c) 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: getipnodebyname.c,v 1.3 1999/12/02 16:58:46 joda Exp $");
-#endif
-
-#include "roken.h"
-
-#ifndef HAVE_H_ERRNO
-static int h_errno = NO_RECOVERY;
-#endif
-
-/*
- * lookup `name' (address family `af') in DNS and return a pointer
- * to a malloced struct hostent or NULL.
- */
-
-struct hostent *
-getipnodebyname (const char *name, int af, int flags, int *error_num)
-{
- struct hostent *tmp;
-
-#ifdef HAVE_GETHOSTBYNAME2
- tmp = gethostbyname2 (name, af);
-#else
- if (af != AF_INET) {
- *error_num = NO_ADDRESS;
- return NULL;
- }
- tmp = gethostbyname (name);
-#endif
- if (tmp == NULL) {
- switch (h_errno) {
- case HOST_NOT_FOUND :
- case TRY_AGAIN :
- case NO_RECOVERY :
- *error_num = h_errno;
- break;
- case NO_DATA :
- *error_num = NO_ADDRESS;
- break;
- default :
- *error_num = NO_RECOVERY;
- break;
- }
- return NULL;
- }
- tmp = copyhostent (tmp);
- if (tmp == NULL) {
- *error_num = TRY_AGAIN;
- return NULL;
- }
- return tmp;
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/getnameinfo.c b/crypto/heimdal-0.6.3/lib/roken/getnameinfo.c
deleted file mode 100644
index 44fcb04633..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/getnameinfo.c
+++ /dev/null
@@ -1,127 +0,0 @@
-/*
- * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: getnameinfo.c,v 1.4 2001/07/09 15:14:19 assar Exp $");
-#endif
-
-#include "roken.h"
-
-static int
-doit (int af,
- const void *addr,
- size_t addrlen,
- int port,
- char *host, size_t hostlen,
- char *serv, size_t servlen,
- int flags)
-{
- if (host != NULL) {
- if (flags & NI_NUMERICHOST) {
- if (inet_ntop (af, addr, host, hostlen) == NULL)
- return EAI_SYSTEM;
- } else {
- struct hostent *he = gethostbyaddr (addr,
- addrlen,
- af);
- if (he != NULL) {
- strlcpy (host, hostent_find_fqdn(he), hostlen);
- if (flags & NI_NOFQDN) {
- char *dot = strchr (host, '.');
- if (dot != NULL)
- *dot = '\0';
- }
- } else if (flags & NI_NAMEREQD) {
- return EAI_NONAME;
- } else if (inet_ntop (af, addr, host, hostlen) == NULL)
- return EAI_SYSTEM;
- }
- }
-
- if (serv != NULL) {
- if (flags & NI_NUMERICSERV) {
- snprintf (serv, servlen, "%u", ntohs(port));
- } else {
- const char *proto = "tcp";
- struct servent *se;
-
- if (flags & NI_DGRAM)
- proto = "udp";
-
- se = getservbyport (port, proto);
- if (se == NULL) {
- snprintf (serv, servlen, "%u", ntohs(port));
- } else {
- strlcpy (serv, se->s_name, servlen);
- }
- }
- }
- return 0;
-}
-
-/*
- *
- */
-
-int
-getnameinfo(const struct sockaddr *sa, socklen_t salen,
- char *host, size_t hostlen,
- char *serv, size_t servlen,
- int flags)
-{
- switch (sa->sa_family) {
-#ifdef HAVE_IPV6
- case AF_INET6 : {
- const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *)sa;
-
- return doit (AF_INET6, &sin6->sin6_addr, sizeof(sin6->sin6_addr),
- sin6->sin6_port,
- host, hostlen,
- serv, servlen,
- flags);
- }
-#endif
- case AF_INET : {
- const struct sockaddr_in *sin = (const struct sockaddr_in *)sa;
-
- return doit (AF_INET, &sin->sin_addr, sizeof(sin->sin_addr),
- sin->sin_port,
- host, hostlen,
- serv, servlen,
- flags);
- }
- default :
- return EAI_FAMILY;
- }
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/getnameinfo_verified.c b/crypto/heimdal-0.6.3/lib/roken/getnameinfo_verified.c
deleted file mode 100644
index 0145262986..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/getnameinfo_verified.c
+++ /dev/null
@@ -1,92 +0,0 @@
-/*
- * Copyright (c) 1999 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: getnameinfo_verified.c,v 1.6 2002/09/05 01:36:27 assar Exp $");
-#endif
-
-#include "roken.h"
-
-/*
- * Try to obtain a verified name for the address in `sa, salen' (much
- * similar to getnameinfo).
- * Verified in this context means that forwards and backwards lookups
- * in DNS are consistent. If that fails, return an error if the
- * NI_NAMEREQD flag is set or return the numeric address as a string.
- */
-
-int
-getnameinfo_verified(const struct sockaddr *sa, socklen_t salen,
- char *host, size_t hostlen,
- char *serv, size_t servlen,
- int flags)
-{
- int ret;
- struct addrinfo *ai, *a;
- char servbuf[NI_MAXSERV];
- struct addrinfo hints;
-
- if (host == NULL)
- return EAI_NONAME;
-
- if (serv == NULL) {
- serv = servbuf;
- servlen = sizeof(servbuf);
- }
-
- ret = getnameinfo (sa, salen, host, hostlen, serv, servlen,
- flags | NI_NUMERICSERV);
- if (ret)
- goto fail;
-
- memset (&hints, 0, sizeof(hints));
- hints.ai_socktype = SOCK_STREAM;
- ret = getaddrinfo (host, serv, &hints, &ai);
- if (ret)
- goto fail;
- for (a = ai; a != NULL; a = a->ai_next) {
- if (a->ai_addrlen == salen
- && memcmp (a->ai_addr, sa, salen) == 0) {
- freeaddrinfo (ai);
- return 0;
- }
- }
- freeaddrinfo (ai);
- fail:
- if (flags & NI_NAMEREQD)
- return EAI_NONAME;
- ret = getnameinfo (sa, salen, host, hostlen, serv, servlen,
- flags | NI_NUMERICSERV | NI_NUMERICHOST);
- return ret;
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/getopt.c b/crypto/heimdal-0.6.3/lib/roken/getopt.c
deleted file mode 100644
index 45fc350234..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/getopt.c
+++ /dev/null
@@ -1,128 +0,0 @@
-/*
- * Copyright (c) 1987, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static char sccsid[] = "@(#)getopt.c 8.1 (Berkeley) 6/4/93";
-#endif /* LIBC_SCCS and not lint */
-
-#ifndef __STDC__
-#define const
-#endif
-#include
-#include
-#include
-
-/*
- * get option letter from argument vector
- */
-int opterr = 1, /* if error message should be printed */
- optind = 1, /* index into parent argv vector */
- optopt, /* character checked for validity */
- optreset; /* reset getopt */
-char *optarg; /* argument associated with option */
-
-#define BADCH (int)'?'
-#define BADARG (int)':'
-#define EMSG ""
-
-int
-getopt(nargc, nargv, ostr)
- int nargc;
- char * const *nargv;
- const char *ostr;
-{
- static char *place = EMSG; /* option letter processing */
- char *oli; /* option letter list index */
- char *p;
-
- if (optreset || !*place) { /* update scanning pointer */
- optreset = 0;
- if (optind >= nargc || *(place = nargv[optind]) != '-') {
- place = EMSG;
- return(-1);
- }
- if (place[1] && *++place == '-') { /* found "--" */
- ++optind;
- place = EMSG;
- return(-1);
- }
- } /* option letter okay? */
- if ((optopt = (int)*place++) == (int)':' ||
- !(oli = strchr(ostr, optopt))) {
- /*
- * if the user didn't specify '-' as an option,
- * assume it means -1 (EOF).
- */
- if (optopt == (int)'-')
- return(-1);
- if (!*place)
- ++optind;
- if (opterr && *ostr != ':') {
- if (!(p = strrchr(*nargv, '/')))
- p = *nargv;
- else
- ++p;
- fprintf(stderr, "%s: illegal option -- %c\n",
- p, optopt);
- }
- return(BADCH);
- }
- if (*++oli != ':') { /* don't need argument */
- optarg = NULL;
- if (!*place)
- ++optind;
- }
- else { /* need an argument */
- if (*place) /* no white space */
- optarg = place;
- else if (nargc <= ++optind) { /* no arg */
- place = EMSG;
- if (!(p = strrchr(*nargv, '/')))
- p = *nargv;
- else
- ++p;
- if (*ostr == ':')
- return(BADARG);
- if (opterr)
- fprintf(stderr,
- "%s: option requires an argument -- %c\n",
- p, optopt);
- return(BADCH);
- }
- else /* white space */
- optarg = nargv[optind];
- place = EMSG;
- ++optind;
- }
- return(optopt); /* dump back option letter */
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/getprogname.c b/crypto/heimdal-0.6.3/lib/roken/getprogname.c
deleted file mode 100644
index fcd4a40b5a..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/getprogname.c
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
- * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: getprogname.c,v 1.1 2001/07/09 14:56:51 assar Exp $");
-#endif
-
-#include "roken.h"
-
-#ifndef HAVE___PROGNAME
-const char *__progname;
-#endif
-
-#ifndef HAVE_GETPROGNAME
-const char *
-getprogname(void)
-{
- return __progname;
-}
-#endif /* HAVE_GETPROGNAME */
-
-const char *
-get_progname (void)
-{
- return getprogname ();
-}
-
diff --git a/crypto/heimdal-0.6.3/lib/roken/gettimeofday.c b/crypto/heimdal-0.6.3/lib/roken/gettimeofday.c
deleted file mode 100644
index ec8b62f64e..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/gettimeofday.c
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-#endif
-#include "roken.h"
-#ifndef HAVE_GETTIMEOFDAY
-
-RCSID("$Id: gettimeofday.c,v 1.8 1999/12/02 16:58:46 joda Exp $");
-
-/*
- * Simple gettimeofday that only returns seconds.
- */
-int
-gettimeofday (struct timeval *tp, void *ignore)
-{
- time_t t;
-
- t = time(NULL);
- tp->tv_sec = t;
- tp->tv_usec = 0;
- return 0;
-}
-#endif
diff --git a/crypto/heimdal-0.6.3/lib/roken/getuid.c b/crypto/heimdal-0.6.3/lib/roken/getuid.c
deleted file mode 100644
index 6ebce0a810..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/getuid.c
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-#endif
-#include "roken.h"
-
-#ifndef HAVE_GETUID
-
-RCSID("$Id: getuid.c,v 1.3 1999/12/02 16:58:46 joda Exp $");
-
-int getuid(void)
-{
- return 17;
-}
-
-#endif
diff --git a/crypto/heimdal-0.6.3/lib/roken/getusershell.c b/crypto/heimdal-0.6.3/lib/roken/getusershell.c
deleted file mode 100644
index eb990f3be2..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/getusershell.c
+++ /dev/null
@@ -1,191 +0,0 @@ -/* - * Copyright (c) 1985, 1993 - * The Regents of the University of California. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#ifdef HAVE_CONFIG_H -#include -#endif - -RCSID("$Id: getusershell.c,v 1.10 2000/05/22 09:11:59 joda Exp $"); - -#ifndef HAVE_GETUSERSHELL - -#include -#include -#include -#ifdef HAVE_PATHS_H -#include -#endif -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_SYS_STAT_H -#include -#endif -#ifdef HAVE_SYS_PARAM_H -#include -#endif - -#ifdef HAVE_USERSEC_H -struct aud_rec; -#include -#endif -#ifdef HAVE_USERCONF_H -#include -#endif - -#ifndef _PATH_SHELLS -#define _PATH_SHELLS "/etc/shells" -#endif - -#ifndef _PATH_BSHELL -#define _PATH_BSHELL "/bin/sh" -#endif - -#ifndef _PATH_CSHELL -#define _PATH_CSHELL "/bin/csh" -#endif - -/* - * Local shells should NOT be added here. They should be added in - * /etc/shells. - */ - -static char *okshells[] = { _PATH_BSHELL, _PATH_CSHELL, NULL }; -static char **curshell, **shells, *strings; -static char **initshells (void); - -/* - * Get a list of shells from _PATH_SHELLS, if it exists. - */ -char * -getusershell() -{ - char *ret; - - if (curshell == NULL) - curshell = initshells(); - ret = *curshell; - if (ret != NULL) - curshell++; - return (ret); -} - -void -endusershell() -{ - if (shells != NULL) - free(shells); - shells = NULL; - if (strings != NULL) - free(strings); - strings = NULL; - curshell = NULL; -} - -void -setusershell() -{ - curshell = initshells(); -} - -static char ** -initshells() -{ - char **sp, *cp; -#ifdef HAVE_GETCONFATTR - char *tmp; - int nsh; -#else - FILE *fp; -#endif - struct stat statb; - - free(shells); - shells = NULL; - free(strings); - strings = NULL; -#ifdef HAVE_GETCONFATTR - if(getconfattr(SC_SYS_LOGIN, SC_SHELLS, &tmp, SEC_LIST) != 0) - return okshells; - - for(cp = tmp, nsh = 0; *cp; cp += strlen(cp) + 1, nsh++); - - shells = calloc(nsh + 1, sizeof(*shells)); - if(shells == NULL) - return okshells; - - strings = malloc(cp - tmp); - if(strings == NULL) { - free(shells); - shells = NULL; - return okshells; - } - memcpy(strings, tmp, cp - tmp); - for(sp = shells, cp = strings; *cp; 
cp += strlen(cp) + 1, sp++) - *sp = cp; -#else - if ((fp = fopen(_PATH_SHELLS, "r")) == NULL) - return (okshells); - if (fstat(fileno(fp), &statb) == -1) { - fclose(fp); - return (okshells); - } - if ((strings = malloc((u_int)statb.st_size)) == NULL) { - fclose(fp); - return (okshells); - } - shells = calloc((unsigned)statb.st_size / 3, sizeof (char *)); - if (shells == NULL) { - fclose(fp); - free(strings); - strings = NULL; - return (okshells); - } - sp = shells; - cp = strings; - while (fgets(cp, MaxPathLen + 1, fp) != NULL) { - while (*cp != '#' && *cp != '/' && *cp != '\0') - cp++; - if (*cp == '#' || *cp == '\0') - continue; - *sp++ = cp; - while (!isspace(*cp) && *cp != '#' && *cp != '\0') - cp++; - *cp++ = '\0'; - } - fclose(fp); -#endif - *sp = NULL; - return (shells); -} -#endif /* HAVE_GETUSERSHELL */ diff --git a/crypto/heimdal-0.6.3/lib/roken/glob.c b/crypto/heimdal-0.6.3/lib/roken/glob.c deleted file mode 100644 index 295aa2de8e..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/glob.c +++ /dev/null 
@@ -1,854 +0,0 @@ -/* - * Copyright (c) 1989, 1993 - * The Regents of the University of California. All rights reserved. - * - * This code is derived from software contributed to Berkeley by - * Guido van Rossum. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -/* - * glob(3) -- a superset of the one defined in POSIX 1003.2. - * - * The [!...] convention to negate a range is supported (SysV, Posix, ksh). - * - * Optional extra services, controlled by flags not defined by POSIX: - * - * GLOB_QUOTE: - * Escaping convention: \ inhibits any special meaning the following - * character might have (except \ at end of string is retained). - * GLOB_MAGCHAR: - * Set in gl_flags if pattern contained a globbing character. - * GLOB_NOMAGIC: - * Same as GLOB_NOCHECK, but it will only append pattern if it did - * not contain any magic characters. [Used in csh style globbing] - * GLOB_ALTDIRFUNC: - * Use alternately specified directory access functions. - * GLOB_TILDE: - * expand ~user/foo to the /home/dir/of/user/foo - * GLOB_BRACE: - * expand {1,2}{a,b} to 1a 1b 2a 2b - * gl_matchc: - * Number of matches in the current invocation of glob. - */ - -#ifdef HAVE_CONFIG_H -#include -#endif - -#ifdef HAVE_SYS_PARAM_H -#include -#endif -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_SYS_STAT_H -#include -#endif - -#include -#ifdef HAVE_DIRENT_H -#include -#endif -#include -#ifdef HAVE_PWD_H -#include -#endif -#include -#include -#include -#ifdef HAVE_UNISTD_H -#include -#endif -#ifdef HAVE_LIMITS_H -#include -#endif - -#include "glob.h" -#include "roken.h" - -#ifndef ARG_MAX -#define ARG_MAX _POSIX_ARG_MAX -#endif - -#define CHAR_DOLLAR '$' -#define CHAR_DOT '.' -#define CHAR_EOS '\0' -#define CHAR_LBRACKET '[' -#define CHAR_NOT '!' -#define CHAR_QUESTION '?' 
-#define CHAR_QUOTE '\\' -#define CHAR_RANGE '-' -#define CHAR_RBRACKET ']' -#define CHAR_SEP '/' -#define CHAR_STAR '*' -#define CHAR_TILDE '~' -#define CHAR_UNDERSCORE '_' -#define CHAR_LBRACE '{' -#define CHAR_RBRACE '}' -#define CHAR_SLASH '/' -#define CHAR_COMMA ',' - -#ifndef DEBUG - -#define M_QUOTE 0x8000 -#define M_PROTECT 0x4000 -#define M_MASK 0xffff -#define M_ASCII 0x00ff - -typedef u_short Char; - -#else - -#define M_QUOTE 0x80 -#define M_PROTECT 0x40 -#define M_MASK 0xff -#define M_ASCII 0x7f - -typedef char Char; - -#endif - - -#define CHAR(c) ((Char)((c)&M_ASCII)) -#define META(c) ((Char)((c)|M_QUOTE)) -#define M_ALL META('*') -#define M_END META(']') -#define M_NOT META('!') -#define M_ONE META('?') -#define M_RNG META('-') -#define M_SET META('[') -#define ismeta(c) (((c)&M_QUOTE) != 0) - - -static int compare (const void *, const void *); -static void g_Ctoc (const Char *, char *); -static int g_lstat (Char *, struct stat *, glob_t *); -static DIR *g_opendir (Char *, glob_t *); -static Char *g_strchr (const Char *, int); -#ifdef notdef -static Char *g_strcat (Char *, const Char *); -#endif -static int g_stat (Char *, struct stat *, glob_t *); -static int glob0 (const Char *, glob_t *); -static int glob1 (Char *, glob_t *, size_t *); -static int glob2 (Char *, Char *, Char *, glob_t *, size_t *); -static int glob3 (Char *, Char *, Char *, Char *, glob_t *, size_t *); -static int globextend (const Char *, glob_t *, size_t *); -static const Char * globtilde (const Char *, Char *, glob_t *); -static int globexp1 (const Char *, glob_t *); -static int globexp2 (const Char *, const Char *, glob_t *, int *); -static int match (Char *, Char *, Char *); -#ifdef DEBUG -static void qprintf (const char *, Char *); -#endif - -int -glob(const char *pattern, - int flags, - int (*errfunc)(const char *, int), - glob_t *pglob) -{ - const u_char *patnext; - int c; - Char *bufnext, *bufend, patbuf[MaxPathLen+1]; - - patnext = (const u_char *) pattern; - if (!(flags 
& GLOB_APPEND)) { - pglob->gl_pathc = 0; - pglob->gl_pathv = NULL; - if (!(flags & GLOB_DOOFFS)) - pglob->gl_offs = 0; - } - pglob->gl_flags = flags & ~GLOB_MAGCHAR; - pglob->gl_errfunc = errfunc; - pglob->gl_matchc = 0; - - bufnext = patbuf; - bufend = bufnext + MaxPathLen; - if (flags & GLOB_QUOTE) { - /* Protect the quoted characters. */ - while (bufnext < bufend && (c = *patnext++) != CHAR_EOS) - if (c == CHAR_QUOTE) { - if ((c = *patnext++) == CHAR_EOS) { - c = CHAR_QUOTE; - --patnext; - } - *bufnext++ = c | M_PROTECT; - } - else - *bufnext++ = c; - } - else - while (bufnext < bufend && (c = *patnext++) != CHAR_EOS) - *bufnext++ = c; - *bufnext = CHAR_EOS; - - if (flags & GLOB_BRACE) - return globexp1(patbuf, pglob); - else - return glob0(patbuf, pglob); -} - -/* - * Expand recursively a glob {} pattern. When there is no more expansion - * invoke the standard globbing routine to glob the rest of the magic - * characters - */ -static int globexp1(const Char *pattern, glob_t *pglob) -{ - const Char* ptr = pattern; - int rv; - - /* Protect a single {}, for find(1), like csh */ - if (pattern[0] == CHAR_LBRACE && pattern[1] == CHAR_RBRACE && pattern[2] == CHAR_EOS) - return glob0(pattern, pglob); - - while ((ptr = (const Char *) g_strchr(ptr, CHAR_LBRACE)) != NULL) - if (!globexp2(ptr, pattern, pglob, &rv)) - return rv; - - return glob0(pattern, pglob); -} - - -/* - * Recursive brace globbing helper. Tries to expand a single brace. - * If it succeeds then it invokes globexp1 with the new pattern. - * If it fails then it tries to glob the rest of the pattern and returns. 
- */ -static int globexp2(const Char *ptr, const Char *pattern, - glob_t *pglob, int *rv) -{ - int i; - Char *lm, *ls; - const Char *pe, *pm, *pl; - Char patbuf[MaxPathLen + 1]; - - /* copy part up to the brace */ - for (lm = patbuf, pm = pattern; pm != ptr; *lm++ = *pm++) - continue; - ls = lm; - - /* Find the balanced brace */ - for (i = 0, pe = ++ptr; *pe; pe++) - if (*pe == CHAR_LBRACKET) { - /* Ignore everything between [] */ - for (pm = pe++; *pe != CHAR_RBRACKET && *pe != CHAR_EOS; pe++) - continue; - if (*pe == CHAR_EOS) { - /* - * We could not find a matching CHAR_RBRACKET. - * Ignore and just look for CHAR_RBRACE - */ - pe = pm; - } - } - else if (*pe == CHAR_LBRACE) - i++; - else if (*pe == CHAR_RBRACE) { - if (i == 0) - break; - i--; - } - - /* Non matching braces; just glob the pattern */ - if (i != 0 || *pe == CHAR_EOS) { - *rv = glob0(patbuf, pglob); - return 0; - } - - for (i = 0, pl = pm = ptr; pm <= pe; pm++) - switch (*pm) { - case CHAR_LBRACKET: - /* Ignore everything between [] */ - for (pl = pm++; *pm != CHAR_RBRACKET && *pm != CHAR_EOS; pm++) - continue; - if (*pm == CHAR_EOS) { - /* - * We could not find a matching CHAR_RBRACKET. - * Ignore and just look for CHAR_RBRACE - */ - pm = pl; - } - break; - - case CHAR_LBRACE: - i++; - break; - - case CHAR_RBRACE: - if (i) { - i--; - break; - } - /* FALLTHROUGH */ - case CHAR_COMMA: - if (i && *pm == CHAR_COMMA) - break; - else { - /* Append the current string */ - for (lm = ls; (pl < pm); *lm++ = *pl++) - continue; - /* - * Append the rest of the pattern after the - * closing brace - */ - for (pl = pe + 1; (*lm++ = *pl++) != CHAR_EOS;) - continue; - - /* Expand the current pattern */ -#ifdef DEBUG - qprintf("globexp2:", patbuf); -#endif - *rv = globexp1(patbuf, pglob); - - /* move after the comma, to the next string */ - pl = pm + 1; - } - break; - - default: - break; - } - *rv = 0; - return 0; -} - - - -/* - * expand tilde from the passwd file. 
- */ -static const Char * -globtilde(const Char *pattern, Char *patbuf, glob_t *pglob) -{ - struct passwd *pwd; - char *h; - const Char *p; - Char *b; - - if (*pattern != CHAR_TILDE || !(pglob->gl_flags & GLOB_TILDE)) - return pattern; - - /* Copy up to the end of the string or / */ - for (p = pattern + 1, h = (char *) patbuf; *p && *p != CHAR_SLASH; - *h++ = *p++) - continue; - - *h = CHAR_EOS; - - if (((char *) patbuf)[0] == CHAR_EOS) { - /* - * handle a plain ~ or ~/ by expanding $HOME - * first and then trying the password file - */ - if ((h = getenv("HOME")) == NULL) { - if ((pwd = k_getpwuid(getuid())) == NULL) - return pattern; - else - h = pwd->pw_dir; - } - } - else { - /* - * Expand a ~user - */ - if ((pwd = k_getpwnam((char*) patbuf)) == NULL) - return pattern; - else - h = pwd->pw_dir; - } - - /* Copy the home directory */ - for (b = patbuf; *h; *b++ = *h++) - continue; - - /* Append the rest of the pattern */ - while ((*b++ = *p++) != CHAR_EOS) - continue; - - return patbuf; -} - - -/* - * The main glob() routine: compiles the pattern (optionally processing - * quotes), calls glob1() to do the real pattern matching, and finally - * sorts the list (unless unsorted operation is requested). Returns 0 - * if things went well, nonzero if errors occurred. It is not an error - * to find no matches. - */ -static int -glob0(const Char *pattern, glob_t *pglob) -{ - const Char *qpatnext; - int c, err, oldpathc; - Char *bufnext, patbuf[MaxPathLen+1]; - size_t limit = 0; - - qpatnext = globtilde(pattern, patbuf, pglob); - oldpathc = pglob->gl_pathc; - bufnext = patbuf; - - /* We don't need to check for buffer overflow any more. 
*/ - while ((c = *qpatnext++) != CHAR_EOS) { - switch (c) { - case CHAR_LBRACKET: - c = *qpatnext; - if (c == CHAR_NOT) - ++qpatnext; - if (*qpatnext == CHAR_EOS || - g_strchr(qpatnext+1, CHAR_RBRACKET) == NULL) { - *bufnext++ = CHAR_LBRACKET; - if (c == CHAR_NOT) - --qpatnext; - break; - } - *bufnext++ = M_SET; - if (c == CHAR_NOT) - *bufnext++ = M_NOT; - c = *qpatnext++; - do { - *bufnext++ = CHAR(c); - if (*qpatnext == CHAR_RANGE && - (c = qpatnext[1]) != CHAR_RBRACKET) { - *bufnext++ = M_RNG; - *bufnext++ = CHAR(c); - qpatnext += 2; - } - } while ((c = *qpatnext++) != CHAR_RBRACKET); - pglob->gl_flags |= GLOB_MAGCHAR; - *bufnext++ = M_END; - break; - case CHAR_QUESTION: - pglob->gl_flags |= GLOB_MAGCHAR; - *bufnext++ = M_ONE; - break; - case CHAR_STAR: - pglob->gl_flags |= GLOB_MAGCHAR; - /* collapse adjacent stars to one, - * to avoid exponential behavior - */ - if (bufnext == patbuf || bufnext[-1] != M_ALL) - *bufnext++ = M_ALL; - break; - default: - *bufnext++ = CHAR(c); - break; - } - } - *bufnext = CHAR_EOS; -#ifdef DEBUG - qprintf("glob0:", patbuf); -#endif - - if ((err = glob1(patbuf, pglob, &limit)) != 0) - return(err); - - /* - * If there was no match we are going to append the pattern - * if GLOB_NOCHECK was specified or if GLOB_NOMAGIC was specified - * and the pattern did not contain any magic characters - * GLOB_NOMAGIC is there just for compatibility with csh. 
- */ - if (pglob->gl_pathc == oldpathc && - ((pglob->gl_flags & GLOB_NOCHECK) || - ((pglob->gl_flags & GLOB_NOMAGIC) && - !(pglob->gl_flags & GLOB_MAGCHAR)))) - return(globextend(pattern, pglob, &limit)); - else if (!(pglob->gl_flags & GLOB_NOSORT)) - qsort(pglob->gl_pathv + pglob->gl_offs + oldpathc, - pglob->gl_pathc - oldpathc, sizeof(char *), compare); - return(0); -} - -static int -compare(const void *p, const void *q) -{ - return(strcmp(*(char **)p, *(char **)q)); -} - -static int -glob1(Char *pattern, glob_t *pglob, size_t *limit) -{ - Char pathbuf[MaxPathLen+1]; - - /* A null pathname is invalid -- POSIX 1003.1 sect. 2.4. */ - if (*pattern == CHAR_EOS) - return(0); - return(glob2(pathbuf, pathbuf, pattern, pglob, limit)); -} - -/* - * The functions glob2 and glob3 are mutually recursive; there is one level - * of recursion for each segment in the pattern that contains one or more - * meta characters. - */ - -#ifndef S_ISLNK -#if defined(S_IFLNK) && defined(S_IFMT) -#define S_ISLNK(mode) (((mode) & S_IFMT) == S_IFLNK) -#else -#define S_ISLNK(mode) 0 -#endif -#endif - -static int -glob2(Char *pathbuf, Char *pathend, Char *pattern, glob_t *pglob, - size_t *limit) -{ - struct stat sb; - Char *p, *q; - int anymeta; - - /* - * Loop over pattern segments until end of pattern or until - * segment with meta character found. - */ - for (anymeta = 0;;) { - if (*pattern == CHAR_EOS) { /* End of pattern? */ - *pathend = CHAR_EOS; - if (g_lstat(pathbuf, &sb, pglob)) - return(0); - - if (((pglob->gl_flags & GLOB_MARK) && - pathend[-1] != CHAR_SEP) && (S_ISDIR(sb.st_mode) - || (S_ISLNK(sb.st_mode) && - (g_stat(pathbuf, &sb, pglob) == 0) && - S_ISDIR(sb.st_mode)))) { - *pathend++ = CHAR_SEP; - *pathend = CHAR_EOS; - } - ++pglob->gl_matchc; - return(globextend(pathbuf, pglob, limit)); - } - - /* Find end of next segment, copy tentatively to pathend. 
*/ - q = pathend; - p = pattern; - while (*p != CHAR_EOS && *p != CHAR_SEP) { - if (ismeta(*p)) - anymeta = 1; - *q++ = *p++; - } - - if (!anymeta) { /* No expansion, do next segment. */ - pathend = q; - pattern = p; - while (*pattern == CHAR_SEP) - *pathend++ = *pattern++; - } else /* Need expansion, recurse. */ - return(glob3(pathbuf, pathend, pattern, p, pglob, - limit)); - } - /* NOTREACHED */ -} - -static int -glob3(Char *pathbuf, Char *pathend, Char *pattern, Char *restpattern, - glob_t *pglob, size_t *limit) -{ - struct dirent *dp; - DIR *dirp; - int err; - char buf[MaxPathLen]; - - /* - * The readdirfunc declaration can't be prototyped, because it is - * assigned, below, to two functions which are prototyped in glob.h - * and dirent.h as taking pointers to differently typed opaque - * structures. - */ - struct dirent *(*readdirfunc)(void *); - - *pathend = CHAR_EOS; - errno = 0; - - if ((dirp = g_opendir(pathbuf, pglob)) == NULL) { - /* TODO: don't call for ENOENT or ENOTDIR? */ - if (pglob->gl_errfunc) { - g_Ctoc(pathbuf, buf); - if (pglob->gl_errfunc(buf, errno) || - pglob->gl_flags & GLOB_ERR) - return (GLOB_ABEND); - } - return(0); - } - - err = 0; - - /* Search directory for matching names. */ - if (pglob->gl_flags & GLOB_ALTDIRFUNC) - readdirfunc = pglob->gl_readdir; - else - readdirfunc = (struct dirent *(*)(void *))readdir; - while ((dp = (*readdirfunc)(dirp))) { - u_char *sc; - Char *dc; - - /* Initial CHAR_DOT must be matched literally. 
*/ - if (dp->d_name[0] == CHAR_DOT && *pattern != CHAR_DOT) - continue; - for (sc = (u_char *) dp->d_name, dc = pathend; - (*dc++ = *sc++) != CHAR_EOS;) - continue; - if (!match(pathend, pattern, restpattern)) { - *pathend = CHAR_EOS; - continue; - } - err = glob2(pathbuf, --dc, restpattern, pglob, limit); - if (err) - break; - } - - if (pglob->gl_flags & GLOB_ALTDIRFUNC) - (*pglob->gl_closedir)(dirp); - else - closedir(dirp); - return(err); -} - - -/* - * Extend the gl_pathv member of a glob_t structure to accomodate a new item, - * add the new item, and update gl_pathc. - * - * This assumes the BSD realloc, which only copies the block when its size - * crosses a power-of-two boundary; for v7 realloc, this would cause quadratic - * behavior. - * - * Return 0 if new item added, error code if memory couldn't be allocated. - * - * Invariant of the glob_t structure: - * Either gl_pathc is zero and gl_pathv is NULL; or gl_pathc > 0 and - * gl_pathv points to (gl_offs + gl_pathc + 1) items. - */ -static int -globextend(const Char *path, glob_t *pglob, size_t *limit) -{ - char **pathv; - int i; - size_t newsize, len; - char *copy; - const Char *p; - - newsize = sizeof(*pathv) * (2 + pglob->gl_pathc + pglob->gl_offs); - pathv = pglob->gl_pathv ? - realloc(pglob->gl_pathv, newsize) : - malloc(newsize); - if (pathv == NULL) - return(GLOB_NOSPACE); - - if (pglob->gl_pathv == NULL && pglob->gl_offs > 0) { - /* first time around -- clear initial gl_offs items */ - pathv += pglob->gl_offs; - for (i = pglob->gl_offs; --i >= 0; ) - *--pathv = NULL; - } - pglob->gl_pathv = pathv; - - for (p = path; *p++;) - continue; - len = (size_t)(p - path); - *limit += len; - if ((copy = malloc(len)) != NULL) { - g_Ctoc(path, copy); - pathv[pglob->gl_offs + pglob->gl_pathc++] = copy; - } - pathv[pglob->gl_offs + pglob->gl_pathc] = NULL; - - if ((pglob->gl_flags & GLOB_LIMIT) && (newsize + *limit) >= ARG_MAX) { - errno = 0; - return(GLOB_NOSPACE); - } - - return(copy == NULL ? 
GLOB_NOSPACE : 0); -} - - -/* - * pattern matching function for filenames. Each occurrence of the * - * pattern causes a recursion level. - */ -static int -match(Char *name, Char *pat, Char *patend) -{ - int ok, negate_range; - Char c, k; - - while (pat < patend) { - c = *pat++; - switch (c & M_MASK) { - case M_ALL: - if (pat == patend) - return(1); - do - if (match(name, pat, patend)) - return(1); - while (*name++ != CHAR_EOS); - return(0); - case M_ONE: - if (*name++ == CHAR_EOS) - return(0); - break; - case M_SET: - ok = 0; - if ((k = *name++) == CHAR_EOS) - return(0); - if ((negate_range = ((*pat & M_MASK) == M_NOT)) != CHAR_EOS) - ++pat; - while (((c = *pat++) & M_MASK) != M_END) - if ((*pat & M_MASK) == M_RNG) { - if (c <= k && k <= pat[1]) - ok = 1; - pat += 2; - } else if (c == k) - ok = 1; - if (ok == negate_range) - return(0); - break; - default: - if (*name++ != c) - return(0); - break; - } - } - return(*name == CHAR_EOS); -} - -/* Free allocated data belonging to a glob_t structure. 
*/ -void -globfree(glob_t *pglob) -{ - int i; - char **pp; - - if (pglob->gl_pathv != NULL) { - pp = pglob->gl_pathv + pglob->gl_offs; - for (i = pglob->gl_pathc; i--; ++pp) - if (*pp) - free(*pp); - free(pglob->gl_pathv); - pglob->gl_pathv = NULL; - } -} - -static DIR * -g_opendir(Char *str, glob_t *pglob) -{ - char buf[MaxPathLen]; - - if (!*str) - strlcpy(buf, ".", sizeof(buf)); - else - g_Ctoc(str, buf); - - if (pglob->gl_flags & GLOB_ALTDIRFUNC) - return((*pglob->gl_opendir)(buf)); - - return(opendir(buf)); -} - -static int -g_lstat(Char *fn, struct stat *sb, glob_t *pglob) -{ - char buf[MaxPathLen]; - - g_Ctoc(fn, buf); - if (pglob->gl_flags & GLOB_ALTDIRFUNC) - return((*pglob->gl_lstat)(buf, sb)); - return(lstat(buf, sb)); -} - -static int -g_stat(Char *fn, struct stat *sb, glob_t *pglob) -{ - char buf[MaxPathLen]; - - g_Ctoc(fn, buf); - if (pglob->gl_flags & GLOB_ALTDIRFUNC) - return((*pglob->gl_stat)(buf, sb)); - return(stat(buf, sb)); -} - -static Char * -g_strchr(const Char *str, int ch) -{ - do { - if (*str == ch) - return (Char *)str; - } while (*str++); - return (NULL); -} - -#ifdef notdef -static Char * -g_strcat(Char *dst, const Char *src) -{ - Char *sdst = dst; - - while (*dst++) - continue; - --dst; - while((*dst++ = *src++) != CHAR_EOS) - continue; - - return (sdst); -} -#endif - -static void -g_Ctoc(const Char *str, char *buf) -{ - char *dc; - - for (dc = buf; (*dc++ = *str++) != CHAR_EOS;) - continue; -} - -#ifdef DEBUG -static void -qprintf(const Char *str, Char *s) -{ - Char *p; - - printf("%s:\n", str); - for (p = s; *p; p++) - printf("%c", CHAR(*p)); - printf("\n"); - for (p = s; *p; p++) - printf("%c", *p & M_PROTECT ? '"' : ' '); - printf("\n"); - for (p = s; *p; p++) - printf("%c", ismeta(*p) ? '_' : ' '); - printf("\n"); -} -#endif diff --git a/crypto/heimdal-0.6.3/lib/roken/glob.hin b/crypto/heimdal-0.6.3/lib/roken/glob.hin deleted file mode 100644 index 98d8796a0b..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/glob.hin +++ /dev/null 
@@ -1,85 +0,0 @@
-/*
- * Copyright (c) 1989, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * This code is derived from software contributed to Berkeley by
- * Guido van Rossum.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * @(#)glob.h 8.1 (Berkeley) 6/2/93
- */
-
-#ifndef _GLOB_H_
-#define _GLOB_H_
-
-struct stat;
-typedef struct {
- int gl_pathc; /* Count of total paths so far. */
- int gl_matchc; /* Count of paths matching pattern. */
- int gl_offs; /* Reserved at beginning of gl_pathv. */
- int gl_flags; /* Copy of flags parameter to glob. */
- char **gl_pathv; /* List of paths matching pattern. */
- /* Copy of errfunc parameter to glob. */
- int (*gl_errfunc) (const char *, int);
-
- /*
- * Alternate filesystem access methods for glob; replacement
- * versions of closedir(3), readdir(3), opendir(3), stat(2)
- * and lstat(2).
- */
- void (*gl_closedir) (void *);
- struct dirent *(*gl_readdir) (void *);
- void *(*gl_opendir) (const char *);
- int (*gl_lstat) (const char *, struct stat *);
- int (*gl_stat) (const char *, struct stat *);
-} glob_t;
-
-#define GLOB_APPEND 0x0001 /* Append to output from previous call. */
-#define GLOB_DOOFFS 0x0002 /* Use gl_offs. */
-#define GLOB_ERR 0x0004 /* Return on error. */
-#define GLOB_MARK 0x0008 /* Append / to matching directories. */
-#define GLOB_NOCHECK 0x0010 /* Return pattern itself if nothing matches. */
-#define GLOB_NOSORT 0x0020 /* Don't sort. */
-
-#define GLOB_ALTDIRFUNC 0x0040 /* Use alternately specified directory funcs. */
-#define GLOB_BRACE 0x0080 /* Expand braces ala csh. */
-#define GLOB_MAGCHAR 0x0100 /* Pattern had globbing characters. */
-#define GLOB_NOMAGIC 0x0200 /* GLOB_NOCHECK without magic chars (csh). */
-#define GLOB_QUOTE 0x0400 /* Quote special chars with \. */
-#define GLOB_TILDE 0x0800 /* Expand tilde names from the passwd file. */
-#define GLOB_LIMIT 0x1000 /* Limit memory used by matches to ARG_MAX */
-
-#define GLOB_NOSPACE (-1) /* Malloc call failed. */
-#define GLOB_ABEND (-2) /* Unignored error. */
-
-int glob (const char *, int, int (*)(const char *, int), glob_t *);
-void globfree (glob_t *);
-
-#endif /* !_GLOB_H_ */
diff --git a/crypto/heimdal-0.6.3/lib/roken/h_errno.c b/crypto/heimdal-0.6.3/lib/roken/h_errno.c
deleted file mode 100644
index c2d4452c32..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/h_errno.c
+++ /dev/null
@@ -1,41 +0,0 @@
-/*
- * Copyright (c) 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: h_errno.c,v 1.1 2001/08/08 03:47:23 assar Exp $");
-#endif
-
-#ifndef HAVE_H_ERRNO
-int h_errno = -17; /* Some magic number */
-#endif
diff --git a/crypto/heimdal-0.6.3/lib/roken/hostent_find_fqdn.c b/crypto/heimdal-0.6.3/lib/roken/hostent_find_fqdn.c
deleted file mode 100644
index 8e955a4c36..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/hostent_find_fqdn.c
+++ /dev/null
@@ -1,59 +0,0 @@
-/*
- * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: hostent_find_fqdn.c,v 1.2 2001/07/10 11:58:23 assar Exp $");
-#endif
-
-#include "roken.h"
-
-/*
- * Try to find a fqdn (with `.') in he if possible, else return h_name
- */
-
-const char *
-hostent_find_fqdn (const struct hostent *he)
-{
- const char *ret = he->h_name;
- const char **h;
-
- if (strchr (ret, '.') == NULL)
- for (h = (const char **)he->h_aliases; *h != NULL; ++h) {
- if (strchr (*h, '.') != NULL) {
- ret = *h;
- break;
- }
- }
- return ret;
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/hstrerror.c b/crypto/heimdal-0.6.3/lib/roken/hstrerror.c
deleted file mode 100644
index 61897cc84e..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/hstrerror.c
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- * Copyright (c) 1995 - 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: hstrerror.c,v 1.24 2001/08/08 03:47:23 assar Exp $");
-#endif
-
-#ifndef HAVE_HSTRERROR
-
-#if (defined(SunOS) && (SunOS >= 50))
-#define hstrerror broken_proto
-#endif
-#include "roken.h"
-#if (defined(SunOS) && (SunOS >= 50))
-#undef hstrerror
-#endif
-
-#if !(defined(HAVE_H_ERRLIST) && defined(HAVE_H_NERR))
-static const char *const h_errlist[] = {
- "Resolver Error 0 (no error)",
- "Unknown host", /* 1 HOST_NOT_FOUND */
- "Host name lookup failure", /* 2 TRY_AGAIN */
- "Unknown server error", /* 3 NO_RECOVERY */
- "No address associated with name", /* 4 NO_ADDRESS */
-};
-
-static
-const
-int h_nerr = { sizeof h_errlist / sizeof h_errlist[0] };
-#else
-
-#ifndef HAVE_H_ERRLIST_DECLARATION
-extern const char *h_errlist[];
-extern int h_nerr;
-#endif
-
-#endif
-
-const char *
-hstrerror(int herr)
-{
- if (0 <= herr && herr < h_nerr)
- return h_errlist[herr];
- else if(herr == -17)
- return "unknown error";
- else
- return "Error number out of range (hstrerror)";
-}
-
-#endif
diff --git a/crypto/heimdal-0.6.3/lib/roken/ifaddrs.hin b/crypto/heimdal-0.6.3/lib/roken/ifaddrs.hin
deleted file mode 100644
index d2b9be8ccc..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/ifaddrs.hin
+++ /dev/null
@@ -1,64 +0,0 @@ -/* - * Copyright (c) 2000 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* $Id: ifaddrs.hin,v 1.3 2000/12/11 00:01:13 assar Exp $ */ - -#ifndef __ifaddrs_h__ -#define __ifaddrs_h__ - -/* - * the interface is defined in terms of the fields below, and this is - * sometimes #define'd, so there seems to be no simple way of solving - * this and this seemed the best. 
*/ - -#undef ifa_dstaddr - -struct ifaddrs { - struct ifaddrs *ifa_next; - char *ifa_name; - unsigned int ifa_flags; - struct sockaddr *ifa_addr; - struct sockaddr *ifa_netmask; - struct sockaddr *ifa_dstaddr; - void *ifa_data; -}; - -#ifndef ifa_broadaddr -#define ifa_broadaddr ifa_dstaddr -#endif - -int getifaddrs(struct ifaddrs**); - -void freeifaddrs(struct ifaddrs*); - -#endif /* __ifaddrs_h__ */ diff --git a/crypto/heimdal-0.6.3/lib/roken/inet_aton.c b/crypto/heimdal-0.6.3/lib/roken/inet_aton.c deleted file mode 100644 index cdc6bdd4ed..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/inet_aton.c +++ /dev/null 
@@ -1,49 +0,0 @@ -/* - * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#ifdef HAVE_CONFIG_H -#include -RCSID("$Id: inet_aton.c,v 1.13 1999/12/05 13:26:20 assar Exp $"); -#endif - -#include "roken.h" - -/* Minimal implementation of inet_aton. - * Cannot distinguish between failure and a local broadcast address. 
*/ - -int -inet_aton(const char *cp, struct in_addr *addr) -{ - addr->s_addr = inet_addr(cp); - return (addr->s_addr == INADDR_NONE) ? 0 : 1; -} diff --git a/crypto/heimdal-0.6.3/lib/roken/inet_ntop.c b/crypto/heimdal-0.6.3/lib/roken/inet_ntop.c deleted file mode 100644 index 63c99a5969..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/inet_ntop.c +++ /dev/null 
@@ -1,133 +0,0 @@ -/* - * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#ifdef HAVE_CONFIG_H -#include -RCSID("$Id: inet_ntop.c,v 1.5 2001/04/04 23:58:01 assar Exp $"); -#endif - -#include - -/* - * - */ - -static const char * -inet_ntop_v4 (const void *src, char *dst, size_t size) -{ - const char digits[] = "0123456789"; - int i; - struct in_addr *addr = (struct in_addr *)src; - u_long a = ntohl(addr->s_addr); - const char *orig_dst = dst; - - if (size < INET_ADDRSTRLEN) { - errno = ENOSPC; - return NULL; - } - for (i = 0; i < 4; ++i) { - int n = (a >> (24 - i * 8)) & 0xFF; - int non_zerop = 0; - - if (non_zerop || n / 100 > 0) { - *dst++ = digits[n / 100]; - n %= 100; - non_zerop = 1; - } - if (non_zerop || n / 10 > 0) { - *dst++ = digits[n / 10]; - n %= 10; - non_zerop = 1; - } - *dst++ = digits[n]; - if (i != 3) - *dst++ = '.'; - } - *dst++ = '\0'; - return orig_dst; -} - -#ifdef HAVE_IPV6 -static const char * -inet_ntop_v6 (const void *src, char *dst, size_t size) -{ - const char xdigits[] = "0123456789abcdef"; - int i; - const struct in6_addr *addr = (struct in6_addr *)src; - const u_char *ptr = addr->s6_addr; - const char *orig_dst = dst; - - if (size < INET6_ADDRSTRLEN) { - errno = ENOSPC; - return NULL; - } - for (i = 0; i < 8; ++i) { - int non_zerop = 0; - - if (non_zerop || (ptr[0] >> 4)) { - *dst++ = xdigits[ptr[0] >> 4]; - non_zerop = 1; - } - if (non_zerop || (ptr[0] & 0x0F)) { - *dst++ = xdigits[ptr[0] & 0x0F]; - non_zerop = 1; - } - if (non_zerop || (ptr[1] >> 4)) { - *dst++ = xdigits[ptr[1] >> 4]; - non_zerop = 1; - } - *dst++ = xdigits[ptr[1] & 0x0F]; - if (i != 7) - *dst++ = ':'; - ptr += 2; - } - *dst++ = '\0'; - return orig_dst; -} -#endif /* HAVE_IPV6 */ - -const char * -inet_ntop(int af, const void *src, char *dst, size_t size) -{ - switch (af) { - case AF_INET : - return inet_ntop_v4 (src, dst, size); -#ifdef HAVE_IPV6 - case AF_INET6 : - return inet_ntop_v6 (src, dst, size); -#endif - default : - errno = EAFNOSUPPORT; - return NULL; - } -} 
diff --git a/crypto/heimdal-0.6.3/lib/roken/inet_pton.c b/crypto/heimdal-0.6.3/lib/roken/inet_pton.c
deleted file mode 100644
index d9c976c8c7..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/inet_pton.c
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright (c) 1999 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: inet_pton.c,v 1.3 2000/07/27 04:56:13 assar Exp $");
-#endif
-
-#include
-
-int
-inet_pton(int af, const char *src, void *dst)
-{
- if (af != AF_INET) {
- errno = EAFNOSUPPORT;
- return -1;
- }
- return inet_aton (src, dst);
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/initgroups.c b/crypto/heimdal-0.6.3/lib/roken/initgroups.c
deleted file mode 100644
index dcf1d08e96..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/initgroups.c
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: initgroups.c,v 1.3 1999/12/02 16:58:47 joda Exp $");
-#endif
-
-#include "roken.h"
-
-int
-initgroups(const char *name, gid_t basegid)
-{
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/innetgr.c b/crypto/heimdal-0.6.3/lib/roken/innetgr.c
deleted file mode 100644
index 4bc57f93e5..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/innetgr.c
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright (c) 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of KTH nor the names of its contributors may be
- * used to endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
- * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
- * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
- * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
-
-#ifdef HAVE_CONFIG_H
-#include
-#endif
-#include "roken.h"
-
-#ifndef HAVE_INNETGR
-
-RCSID("$Id: innetgr.c,v 1.1 1999/03/11 14:04:01 joda Exp $");
-
-int
-innetgr(const char *netgroup, const char *machine,
- const char *user, const char *domain)
-{
- return 0;
-}
-#endif
-
diff --git a/crypto/heimdal-0.6.3/lib/roken/install-sh b/crypto/heimdal-0.6.3/lib/roken/install-sh
deleted file mode 100644
index e9de23842d..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/install-sh
+++ /dev/null
@@ -1,251 +0,0 @@ -#!/bin/sh -# -# install - install a program, script, or datafile -# This comes from X11R5 (mit/util/scripts/install.sh). -# -# Copyright 1991 by the Massachusetts Institute of Technology -# -# Permission to use, copy, modify, distribute, and sell this software and its -# documentation for any purpose is hereby granted without fee, provided that -# the above copyright notice appear in all copies and that both that -# copyright notice and this permission notice appear in supporting -# documentation, and that the name of M.I.T. not be used in advertising or -# publicity pertaining to distribution of the software without specific, -# written prior permission. M.I.T. makes no representations about the -# suitability of this software for any purpose. It is provided "as is" -# without express or implied warranty. -# -# Calling this script install-sh is preferred over install.sh, to prevent -# `make' implicit rules from creating a file called install from it -# when there is no Makefile. -# -# This script is compatible with the BSD install script, but was written -# from scratch. It can only install one file at a time, a restriction -# shared with many OS's install programs. - - -# set DOITPROG to echo to test this script - -# Don't use :- since 4.3BSD and earlier shells don't like it. -doit="${DOITPROG-}" - - -# put in absolute paths if you don't have them in your path; or use env. vars. 
- -mvprog="${MVPROG-mv}" -cpprog="${CPPROG-cp}" -chmodprog="${CHMODPROG-chmod}" -chownprog="${CHOWNPROG-chown}" -chgrpprog="${CHGRPPROG-chgrp}" -stripprog="${STRIPPROG-strip}" -rmprog="${RMPROG-rm}" -mkdirprog="${MKDIRPROG-mkdir}" - -transformbasename="" -transform_arg="" -instcmd="$mvprog" -chmodcmd="$chmodprog 0755" -chowncmd="" -chgrpcmd="" -stripcmd="" -rmcmd="$rmprog -f" -mvcmd="$mvprog" -src="" -dst="" -dir_arg="" - -while [ x"$1" != x ]; do - case $1 in - -c) instcmd="$cpprog" - shift - continue;; - - -d) dir_arg=true - shift - continue;; - - -m) chmodcmd="$chmodprog $2" - shift - shift - continue;; - - -o) chowncmd="$chownprog $2" - shift - shift - continue;; - - -g) chgrpcmd="$chgrpprog $2" - shift - shift - continue;; - - -s) stripcmd="$stripprog" - shift - continue;; - - -t=*) transformarg=`echo $1 | sed 's/-t=//'` - shift - continue;; - - -b=*) transformbasename=`echo $1 | sed 's/-b=//'` - shift - continue;; - - *) if [ x"$src" = x ] - then - src=$1 - else - # this colon is to work around a 386BSD /bin/sh bug - : - dst=$1 - fi - shift - continue;; - esac -done - -if [ x"$src" = x ] -then - echo "install: no input file specified" - exit 1 -else - true -fi - -if [ x"$dir_arg" != x ]; then - dst=$src - src="" - - if [ -d $dst ]; then - instcmd=: - chmodcmd="" - else - instcmd=mkdir - fi -else - -# Waiting for this to be detected by the "$instcmd $src $dsttmp" command -# might cause directories to be created, which would be especially bad -# if $src (and thus $dsttmp) contains '*'. 
- - if [ -f $src -o -d $src ] - then - true - else - echo "install: $src does not exist" - exit 1 - fi - - if [ x"$dst" = x ] - then - echo "install: no destination specified" - exit 1 - else - true - fi - -# If destination is a directory, append the input filename; if your system -# does not like double slashes in filenames, you may need to add some logic - - if [ -d $dst ] - then - dst="$dst"/`basename $src` - else - true - fi -fi - -## this sed command emulates the dirname command -dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'` - -# Make sure that the destination directory exists. -# this part is taken from Noah Friedman's mkinstalldirs script - -# Skip lots of stat calls in the usual case. -if [ ! -d "$dstdir" ]; then -defaultIFS=' -' -IFS="${IFS-${defaultIFS}}" - -oIFS="${IFS}" -# Some sh's can't handle IFS=/ for some reason. -IFS='%' -set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'` -IFS="${oIFS}" - -pathcomp='' - -while [ $# -ne 0 ] ; do - pathcomp="${pathcomp}${1}" - shift - - if [ ! -d "${pathcomp}" ] ; - then - $mkdirprog "${pathcomp}" - else - true - fi - - pathcomp="${pathcomp}/" -done -fi - -if [ x"$dir_arg" != x ] -then - $doit $instcmd $dst && - - if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi && - if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi && - if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi && - if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi -else - -# If we're going to rename the final executable, determine the name now. - - if [ x"$transformarg" = x ] - then - dstfile=`basename $dst` - else - dstfile=`basename $dst $transformbasename | - sed $transformarg`$transformbasename - fi - -# don't allow the sed command to completely eliminate the filename - - if [ x"$dstfile" = x ] - then - dstfile=`basename $dst` - else - true - fi - -# Make a temp file name in the proper directory. 
- - dsttmp=$dstdir/#inst.$$# - -# Move or copy the file name to the temp name - - $doit $instcmd $src $dsttmp && - - trap "rm -f ${dsttmp}" 0 && - -# and set any options; do chmod last to preserve setuid bits - -# If any of these fail, we abort the whole thing. If we want to -# ignore errors from any of these, just make sure not to ignore -# errors from the above "$doit $instcmd $src $dsttmp" command. - - if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi && - if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi && - if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi && - if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi && - -# Now rename the file to the real destination. - - $doit $rmcmd -f $dstdir/$dstfile && - $doit $mvcmd $dsttmp $dstdir/$dstfile - -fi && - - -exit 0 diff --git a/crypto/heimdal-0.6.3/lib/roken/iruserok.c b/crypto/heimdal-0.6.3/lib/roken/iruserok.c deleted file mode 100644 index 3b3880bf39..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/iruserok.c +++ /dev/null 
@@ -1,287 +0,0 @@ -/* - * Copyright (c) 1983, 1993, 1994 - * The Regents of the University of California. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#ifdef HAVE_CONFIG_H -#include -RCSID("$Id: iruserok.c,v 1.23 1999/12/05 13:27:05 assar Exp $"); -#endif - -#include -#include -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_NETINET_IN_H -#include -#endif -#ifdef HAVE_NETINET_IN6_H -#include -#endif -#ifdef HAVE_NETINET6_IN6_H -#include -#endif -#ifdef HAVE_RPCSVC_YPCLNT_H -#include -#endif - -#include "roken.h" - -int __check_rhosts_file = 1; -char *__rcmd_errstr = 0; - -/* - * Returns "true" if match, 0 if no match. - */ -static -int -__icheckhost(unsigned raddr, const char *lhost) -{ - struct hostent *hp; - u_long laddr; - char **pp; - - /* Try for raw ip address first. */ - if (isdigit((unsigned char)*lhost) - && (long)(laddr = inet_addr(lhost)) != -1) - return (raddr == laddr); - - /* Better be a hostname. */ - if ((hp = gethostbyname(lhost)) == NULL) - return (0); - - /* Spin through ip addresses. */ - for (pp = hp->h_addr_list; *pp; ++pp) - if (memcmp(&raddr, *pp, sizeof(u_long)) == 0) - return (1); - - /* No match. */ - return (0); -} - -/* - * Returns 0 if ok, -1 if not ok. - */ -static -int -__ivaliduser(FILE *hostf, unsigned raddr, const char *luser, - const char *ruser) -{ - char *user, *p; - int ch; - char buf[MaxHostNameLen + 128]; /* host + login */ - char hname[MaxHostNameLen]; - struct hostent *hp; - /* Presumed guilty until proven innocent. */ - int userok = 0, hostok = 0; -#ifdef HAVE_YP_GET_DEFAULT_DOMAIN - char *ypdomain; - - if (yp_get_default_domain(&ypdomain)) - ypdomain = NULL; -#else -#define ypdomain NULL -#endif - /* We need to get the damn hostname back for netgroup matching. */ - if ((hp = gethostbyaddr((char *)&raddr, - sizeof(u_long), - AF_INET)) == NULL) - return (-1); - strlcpy(hname, hp->h_name, sizeof(hname)); - - while (fgets(buf, sizeof(buf), hostf)) { - p = buf; - /* Skip lines that are too long. */ - if (strchr(p, '\n') == NULL) { - while ((ch = getc(hostf)) != '\n' && ch != EOF); - continue; - } - if (*p == '\n' || *p == '#') { - /* comment... 
*/ - continue; - } - while (*p != '\n' && *p != ' ' && *p != '\t' && *p != '\0') { - if (isupper((unsigned char)*p)) - *p = tolower((unsigned char)*p); - p++; - } - if (*p == ' ' || *p == '\t') { - *p++ = '\0'; - while (*p == ' ' || *p == '\t') - p++; - user = p; - while (*p != '\n' && *p != ' ' && - *p != '\t' && *p != '\0') - p++; - } else - user = p; - *p = '\0'; - /* - * Do +/- and +@/-@ checking. This looks really nasty, - * but it matches SunOS's behavior so far as I can tell. - */ - switch(buf[0]) { - case '+': - if (!buf[1]) { /* '+' matches all hosts */ - hostok = 1; - break; - } - if (buf[1] == '@') /* match a host by netgroup */ - hostok = innetgr((char *)&buf[2], - (char *)&hname, NULL, ypdomain); - else /* match a host by addr */ - hostok = __icheckhost(raddr,(char *)&buf[1]); - break; - case '-': /* reject '-' hosts and all their users */ - if (buf[1] == '@') { - if (innetgr((char *)&buf[2], - (char *)&hname, NULL, ypdomain)) - return(-1); - } else { - if (__icheckhost(raddr,(char *)&buf[1])) - return(-1); - } - break; - default: /* if no '+' or '-', do a simple match */ - hostok = __icheckhost(raddr, buf); - break; - } - switch(*user) { - case '+': - if (!*(user+1)) { /* '+' matches all users */ - userok = 1; - break; - } - if (*(user+1) == '@') /* match a user by netgroup */ - userok = innetgr(user+2, NULL, (char *)ruser, - ypdomain); - else /* match a user by direct specification */ - userok = !(strcmp(ruser, user+1)); - break; - case '-': /* if we matched a hostname, */ - if (hostok) { /* check for user field rejections */ - if (!*(user+1)) - return(-1); - if (*(user+1) == '@') { - if (innetgr(user+2, NULL, - (char *)ruser, ypdomain)) - return(-1); - } else { - if (!strcmp(ruser, user+1)) - return(-1); - } - } - break; - default: /* no rejections: try to match the user */ - if (hostok) - userok = !(strcmp(ruser,*user ? 
user : luser)); - break; - } - if (hostok && userok) - return(0); - } - return (-1); -} - -/* - * New .rhosts strategy: We are passed an ip address. We spin through - * hosts.equiv and .rhosts looking for a match. When the .rhosts only - * has ip addresses, we don't have to trust a nameserver. When it - * contains hostnames, we spin through the list of addresses the nameserver - * gives us and look for a match. - * - * Returns 0 if ok, -1 if not ok. - */ -int -iruserok(unsigned raddr, int superuser, const char *ruser, const char *luser) -{ - char *cp; - struct stat sbuf; - struct passwd *pwd; - FILE *hostf; - uid_t uid; - int first; - char pbuf[MaxPathLen]; - - first = 1; - hostf = superuser ? NULL : fopen(_PATH_HEQUIV, "r"); -again: - if (hostf) { - if (__ivaliduser(hostf, raddr, luser, ruser) == 0) { - fclose(hostf); - return (0); - } - fclose(hostf); - } - if (first == 1 && (__check_rhosts_file || superuser)) { - first = 0; - if ((pwd = k_getpwnam((char*)luser)) == NULL) - return (-1); - snprintf (pbuf, sizeof(pbuf), "%s/.rhosts", pwd->pw_dir); - - /* - * Change effective uid while opening .rhosts. If root and - * reading an NFS mounted file system, can't read files that - * are protected read/write owner only. - */ - uid = geteuid(); - seteuid(pwd->pw_uid); - hostf = fopen(pbuf, "r"); - seteuid(uid); - - if (hostf == NULL) - return (-1); - /* - * If not a regular file, or is owned by someone other than - * user or root or if writeable by anyone but the owner, quit. - */ - cp = NULL; - if (lstat(pbuf, &sbuf) < 0) - cp = ".rhosts lstat failed"; - else if (!S_ISREG(sbuf.st_mode)) - cp = ".rhosts not regular file"; - else if (fstat(fileno(hostf), &sbuf) < 0) - cp = ".rhosts fstat failed"; - else if (sbuf.st_uid && sbuf.st_uid != pwd->pw_uid) - cp = "bad .rhosts owner"; - else if (sbuf.st_mode & (S_IWGRP|S_IWOTH)) - cp = ".rhosts writeable by other than owner"; - /* If there were any problems, quit. 
*/ - if (cp) { - __rcmd_errstr = cp; - fclose(hostf); - return (-1); - } - goto again; - } - return (-1); -} diff --git a/crypto/heimdal-0.6.3/lib/roken/issuid.c b/crypto/heimdal-0.6.3/lib/roken/issuid.c deleted file mode 100644 index 910d85009b..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/issuid.c +++ /dev/null 
@@ -1,56 +0,0 @@ -/* - * Copyright (c) 1998 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#ifdef HAVE_CONFIG_H -#include -RCSID("$Id: issuid.c,v 1.4 2001/08/27 23:08:34 assar Exp $"); -#endif - -#include "roken.h" - -int -issuid(void) -{ -#if defined(HAVE_ISSETUGID) - return issetugid(); -#endif -#if defined(HAVE_GETUID) && defined(HAVE_GETEUID) - if(getuid() != geteuid()) - return 1; -#endif -#if defined(HAVE_GETGID) && defined(HAVE_GETEGID) - if(getgid() != getegid()) - return 2; -#endif - return 0; -} diff --git a/crypto/heimdal-0.6.3/lib/roken/k_getpwnam.c b/crypto/heimdal-0.6.3/lib/roken/k_getpwnam.c deleted file mode 100644 index 40681cd2d0..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/k_getpwnam.c +++ /dev/null 
@@ -1,64 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: k_getpwnam.c,v 1.9 1999/12/02 16:58:47 joda Exp $");
-#endif /* HAVE_CONFIG_H */
-
-#include "roken.h"
-#ifdef HAVE_SHADOW_H
-#include
-#endif
-
-struct passwd *
-k_getpwnam (const char *user)
-{
- struct passwd *p;
-
- p = getpwnam (user);
-#if defined(HAVE_GETSPNAM) && defined(HAVE_STRUCT_SPWD)
- if(p)
- {
- struct spwd *spwd;
-
- spwd = getspnam (user);
- if (spwd)
- p->pw_passwd = spwd->sp_pwdp;
- endspent ();
- }
-#else
- endpwent ();
-#endif
- return p;
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/k_getpwuid.c b/crypto/heimdal-0.6.3/lib/roken/k_getpwuid.c
deleted file mode 100644
index 1e2ca5476f..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/k_getpwuid.c
+++ /dev/null
@@ -1,64 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: k_getpwuid.c,v 1.9 1999/12/02 16:58:47 joda Exp $");
-#endif /* HAVE_CONFIG_H */
-
-#include "roken.h"
-#ifdef HAVE_SHADOW_H
-#include
-#endif
-
-struct passwd *
-k_getpwuid (uid_t uid)
-{
- struct passwd *p;
-
- p = getpwuid (uid);
-#if defined(HAVE_GETSPNAM) && defined(HAVE_STRUCT_SPWD)
- if (p)
- {
- struct spwd *spwd;
-
- spwd = getspnam (p->pw_name);
- if (spwd)
- p->pw_passwd = spwd->sp_pwdp;
- endspent ();
- }
-#else
- endpwent ();
-#endif
- return p;
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/localtime_r.c b/crypto/heimdal-0.6.3/lib/roken/localtime_r.c
deleted file mode 100644
index 43402342f9..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/localtime_r.c
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Copyright (c) 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: localtime_r.c,v 1.2 2002/08/20 13:00:35 joda Exp $");
-#endif
-
-#include
-#include
-#include "roken.h"
-
-#ifndef HAVE_LOCALTIME_R
-
-struct tm *
-localtime_r(const time_t *timer, struct tm *result)
-{
- struct tm *tm;
-
- tm = localtime((time_t *)timer);
- if (tm == NULL)
- return NULL;
- *result = *tm;
- return result;
-}
-
-#endif
diff --git a/crypto/heimdal-0.6.3/lib/roken/lstat.c b/crypto/heimdal-0.6.3/lib/roken/lstat.c
deleted file mode 100644
index 2f03e19d18..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/lstat.c
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: lstat.c,v 1.4 1999/12/02 16:58:51 joda Exp $");
-#endif
-
-#include "roken.h"
-
-int
-lstat(const char *path, struct stat *buf)
-{
- return stat(path, buf);
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/memmove.c b/crypto/heimdal-0.6.3/lib/roken/memmove.c
deleted file mode 100644
index b77d56af96..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/memmove.c
+++ /dev/null
@@ -1,64 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: memmove.c,v 1.7 1999/12/02 16:58:51 joda Exp $");
-#endif
-
-/*
- * memmove for systems that doesn't have it
- */
-
-#ifdef HAVE_SYS_TYPES_H
-#include
-#endif
-
-void* memmove(void *s1, const void *s2, size_t n)
-{
- char *s=(char*)s2, *d=(char*)s1;
-
- if(d > s){
- s+=n-1;
- d+=n-1;
- while(n){
- *d--=*s--;
- n--;
- }
- }else if(d < s)
- while(n){
- *d++=*s++;
- n--;
- }
- return s1;
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/mini_inetd.c b/crypto/heimdal-0.6.3/lib/roken/mini_inetd.c
deleted file mode 100644
index 8c8f72d9de..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/mini_inetd.c
+++ /dev/null
@@ -1,148 +0,0 @@
-/*
- * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: mini_inetd.c,v 1.30 2002/02/18 19:08:55 joda Exp $");
-#endif
-
-#include
-#include "roken.h"
-
-/*
- * accept a connection on `s' and pretend it's served by inetd.
- */
-
-static void
-accept_it (int s)
-{
- int s2;
-
- s2 = accept(s, NULL, NULL);
- if(s2 < 0)
- err (1, "accept");
- close(s);
- dup2(s2, STDIN_FILENO);
- dup2(s2, STDOUT_FILENO);
- /* dup2(s2, STDERR_FILENO); */
- close(s2);
-}
-
-/*
- * Listen on a specified port, emulating inetd.
- */
-
-void
-mini_inetd_addrinfo (struct addrinfo *ai)
-{
- int ret;
- struct addrinfo *a;
- int n, nalloc, i;
- int *fds;
- fd_set orig_read_set, read_set;
- int max_fd = -1;
-
- for (nalloc = 0, a = ai; a != NULL; a = a->ai_next)
- ++nalloc;
-
- fds = malloc (nalloc * sizeof(*fds));
- if (fds == NULL)
- errx (1, "mini_inetd: out of memory");
-
- FD_ZERO(&orig_read_set);
-
- for (i = 0, a = ai; a != NULL; a = a->ai_next) {
- fds[i] = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
- if (fds[i] < 0) {
- warn ("socket af = %d", a->ai_family);
- continue;
- }
- socket_set_reuseaddr (fds[i], 1);
- if (bind (fds[i], a->ai_addr, a->ai_addrlen) < 0) {
- warn ("bind af = %d", a->ai_family);
- close(fds[i]);
- continue;
- }
- if (listen (fds[i], SOMAXCONN) < 0) {
- warn ("listen af = %d", a->ai_family);
- close(fds[i]);
- continue;
- }
- if (fds[i] >= FD_SETSIZE)
- errx (1, "fd too large");
- FD_SET(fds[i], &orig_read_set);
- max_fd = max(max_fd, fds[i]);
- ++i;
- }
- if (i == 0)
- errx (1, "no sockets");
- n = i;
-
- do {
- read_set = orig_read_set;
-
- ret = select (max_fd + 1, &read_set, NULL, NULL, NULL);
- if (ret < 0 && errno != EINTR)
- err (1, "select");
- } while (ret <= 0);
-
- for (i = 0; i < n; ++i)
- if (FD_ISSET (fds[i], &read_set)) {
- accept_it (fds[i]);
- return;
- }
- abort ();
-}
-
-void
-mini_inetd (int port)
-{
- int error;
- struct addrinfo *ai, hints;
- char portstr[NI_MAXSERV];
-
- memset (&hints, 0, sizeof(hints));
- hints.ai_flags = AI_PASSIVE;
- hints.ai_socktype = SOCK_STREAM;
- hints.ai_family = PF_UNSPEC;
-
- snprintf (portstr, sizeof(portstr), "%d", ntohs(port));
-
- error = getaddrinfo (NULL, portstr, &hints, &ai);
- if (error)
- errx (1, "getaddrinfo: %s", gai_strerror (error));
-
- mini_inetd_addrinfo(ai);
-
- freeaddrinfo(ai);
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/missing b/crypto/heimdal-0.6.3/lib/roken/missing
deleted file mode 100644
index 7789652e87..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/missing
+++ /dev/null
@@ -1,190 +0,0 @@ -#! /bin/sh -# Common stub for a few missing GNU programs while installing. -# Copyright (C) 1996, 1997 Free Software Foundation, Inc. -# Franc,ois Pinard , 1996. - -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2, or (at your option) -# any later version. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. - -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA -# 02111-1307, USA. - -if test $# -eq 0; then - echo 1>&2 "Try \`$0 --help' for more information" - exit 1 -fi - -case "$1" in - - -h|--h|--he|--hel|--help) - echo "\ -$0 [OPTION]... PROGRAM [ARGUMENT]... - -Handle \`PROGRAM [ARGUMENT]...' for when PROGRAM is missing, or return an -error status if there is no known handling for PROGRAM. 
- -Options: - -h, --help display this help and exit - -v, --version output version information and exit - -Supported PROGRAM values: - aclocal touch file \`aclocal.m4' - autoconf touch file \`configure' - autoheader touch file \`config.h.in' - automake touch all \`Makefile.in' files - bison create \`y.tab.[ch]', if possible, from existing .[ch] - flex create \`lex.yy.c', if possible, from existing .c - lex create \`lex.yy.c', if possible, from existing .c - makeinfo touch the output file - yacc create \`y.tab.[ch]', if possible, from existing .[ch]" - ;; - - -v|--v|--ve|--ver|--vers|--versi|--versio|--version) - echo "missing - GNU libit 0.0" - ;; - - -*) - echo 1>&2 "$0: Unknown \`$1' option" - echo 1>&2 "Try \`$0 --help' for more information" - exit 1 - ;; - - aclocal) - echo 1>&2 "\ -WARNING: \`$1' is missing on your system. You should only need it if - you modified \`acinclude.m4' or \`configure.in'. You might want - to install the \`Automake' and \`Perl' packages. Grab them from - any GNU archive site." - touch aclocal.m4 - ;; - - autoconf) - echo 1>&2 "\ -WARNING: \`$1' is missing on your system. You should only need it if - you modified \`configure.in'. You might want to install the - \`Autoconf' and \`GNU m4' packages. Grab them from any GNU - archive site." - touch configure - ;; - - autoheader) - echo 1>&2 "\ -WARNING: \`$1' is missing on your system. You should only need it if - you modified \`acconfig.h' or \`configure.in'. You might want - to install the \`Autoconf' and \`GNU m4' packages. Grab them - from any GNU archive site." - files=`sed -n 's/^[ ]*A[CM]_CONFIG_HEADER(\([^)]*\)).*/\1/p' configure.in` - test -z "$files" && files="config.h" - touch_files= - for f in $files; do - case "$f" in - *:*) touch_files="$touch_files "`echo "$f" | - sed -e 's/^[^:]*://' -e 's/:.*//'`;; - *) touch_files="$touch_files $f.in";; - esac - done - touch $touch_files - ;; - - automake) - echo 1>&2 "\ -WARNING: \`$1' is missing on your system. 
You should only need it if - you modified \`Makefile.am', \`acinclude.m4' or \`configure.in'. - You might want to install the \`Automake' and \`Perl' packages. - Grab them from any GNU archive site." - find . -type f -name Makefile.am -print | - sed 's/\.am$/.in/' | - while read f; do touch "$f"; done - ;; - - bison|yacc) - echo 1>&2 "\ -WARNING: \`$1' is missing on your system. You should only need it if - you modified a \`.y' file. You may need the \`Bison' package - in order for those modifications to take effect. You can get - \`Bison' from any GNU archive site." - rm -f y.tab.c y.tab.h - if [ $# -ne 1 ]; then - eval LASTARG="\${$#}" - case "$LASTARG" in - *.y) - SRCFILE=`echo "$LASTARG" | sed 's/y$/c/'` - if [ -f "$SRCFILE" ]; then - cp "$SRCFILE" y.tab.c - fi - SRCFILE=`echo "$LASTARG" | sed 's/y$/h/'` - if [ -f "$SRCFILE" ]; then - cp "$SRCFILE" y.tab.h - fi - ;; - esac - fi - if [ ! -f y.tab.h ]; then - echo >y.tab.h - fi - if [ ! -f y.tab.c ]; then - echo 'main() { return 0; }' >y.tab.c - fi - ;; - - lex|flex) - echo 1>&2 "\ -WARNING: \`$1' is missing on your system. You should only need it if - you modified a \`.l' file. You may need the \`Flex' package - in order for those modifications to take effect. You can get - \`Flex' from any GNU archive site." - rm -f lex.yy.c - if [ $# -ne 1 ]; then - eval LASTARG="\${$#}" - case "$LASTARG" in - *.l) - SRCFILE=`echo "$LASTARG" | sed 's/l$/c/'` - if [ -f "$SRCFILE" ]; then - cp "$SRCFILE" lex.yy.c - fi - ;; - esac - fi - if [ ! -f lex.yy.c ]; then - echo 'main() { return 0; }' >lex.yy.c - fi - ;; - - makeinfo) - echo 1>&2 "\ -WARNING: \`$1' is missing on your system. You should only need it if - you modified a \`.texi' or \`.texinfo' file, or any other file - indirectly affecting the aspect of the manual. The spurious - call might also be the consequence of using a buggy \`make' (AIX, - DU, IRIX). You might want to install the \`Texinfo' package or - the \`GNU make' package. 
Grab either from any GNU archive site." - file=`echo "$*" | sed -n 's/.*-o \([^ ]*\).*/\1/p'` - if test -z "$file"; then - file=`echo "$*" | sed 's/.* \([^ ]*\) *$/\1/'` - file=`sed -n '/^@setfilename/ { s/.* \([^ ]*\) *$/\1/; p; q; }' $file` - fi - touch $file - ;; - - *) - echo 1>&2 "\ -WARNING: \`$1' is needed, and you do not seem to have it handy on your - system. You might have modified some files without having the - proper tools for further handling them. Check the \`README' file, - it often tells you about the needed prerequirements for installing - this package. You may also peek at any GNU archive site, in case - some other package would contain this missing \`$1' program." - exit 1 - ;; -esac - -exit 0 diff --git a/crypto/heimdal-0.6.3/lib/roken/mkinstalldirs b/crypto/heimdal-0.6.3/lib/roken/mkinstalldirs deleted file mode 100644 index 6b3b5fc5d4..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/mkinstalldirs +++ /dev/null @@ -1,40 +0,0 @@ -#! /bin/sh -# mkinstalldirs --- make directory hierarchy -# Author: Noah Friedman -# Created: 1993-05-16 -# Public domain - -# $Id$ - -errstatus=0 - -for file -do - set fnord `echo ":$file" | sed -ne 's/^:\//#/;s/^://;s/\// /g;s/^#/\//;p'` - shift - - pathcomp= - for d - do - pathcomp="$pathcomp$d" - case "$pathcomp" in - -* ) pathcomp=./$pathcomp ;; - esac - - if test ! -d "$pathcomp"; then - echo "mkdir $pathcomp" - - mkdir "$pathcomp" || lasterr=$? - - if test ! -d "$pathcomp"; then - errstatus=$lasterr - fi - fi - - pathcomp="$pathcomp/" - done -done - -exit $errstatus - -# mkinstalldirs ends here diff --git a/crypto/heimdal-0.6.3/lib/roken/mkstemp.c b/crypto/heimdal-0.6.3/lib/roken/mkstemp.c deleted file mode 100644 index 350f4cb7ae..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/mkstemp.c +++ /dev/null 
@@ -1,84 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-#endif
-
-#include
-#ifdef HAVE_UNISTD_H
-#include
-#endif
-#ifdef HAVE_FCNTL_H
-#include
-#endif
-#include
-
-RCSID("$Id: mkstemp.c,v 1.3 1999/12/02 16:58:51 joda Exp $");
-
-#ifndef HAVE_MKSTEMP
-
-int
-mkstemp(char *template)
-{
- int start, i;
- pid_t val;
- val = getpid();
- start = strlen(template) - 1;
- while(template[start] == 'X') {
- template[start] = '0' + val % 10;
- val /= 10;
- start--;
- }
-
- do{
- int fd;
- fd = open(template, O_RDWR | O_CREAT | O_EXCL, 0600);
- if(fd >= 0 || errno != EEXIST)
- return fd;
- i = start + 1;
- do{
- if(template[i] == 0)
- return -1;
- template[i]++;
- if(template[i] == '9' + 1)
- template[i] = 'a';
- if(template[i] <= 'z')
- break;
- template[i] = 'a';
- i++;
- }while(1);
- }while(1);
-}
-
-#endif
diff --git a/crypto/heimdal-0.6.3/lib/roken/ndbm_wrap.c b/crypto/heimdal-0.6.3/lib/roken/ndbm_wrap.c
deleted file mode 100644
index 0a1ab927de..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/ndbm_wrap.c
+++ /dev/null
@@ -1,216 +0,0 @@
-/*
- * Copyright (c) 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: ndbm_wrap.c,v 1.1.8.1 2003/08/29 17:00:34 lha Exp $");
-#endif
-
-#include "ndbm_wrap.h"
-#if defined(HAVE_DB4_DB_H)
-#include
-#elif defined(HAVE_DB3_DB_H)
-#include
-#else
-#include
-#endif
-
-#include
-#include
-#include
-#include
-
-
-#define DBT2DATUM(DBT, DATUM) do { (DATUM)->dptr = (DBT)->data; (DATUM)->dsize = (DBT)->size; } while(0)
-#define DATUM2DBT(DATUM, DBT) do { (DBT)->data = (DATUM)->dptr; (DBT)->size = (DATUM)->dsize; } while(0)
-#define RETURN(X) return ((X) == 0) ? 0 : -1
-
-#ifdef HAVE_DB3
-static DBC *cursor;
-#endif
-
-#define D(X) ((DB*)(X))
-
-void
-dbm_close (DBM *db)
-{
-#ifdef HAVE_DB3
- D(db)->close(D(db), 0);
- cursor = NULL;
-#else
- D(db)->close(D(db));
-#endif
-}
-
-int
-dbm_delete (DBM *db, datum dkey)
-{
- DBT key;
- DATUM2DBT(&dkey, &key);
-#ifdef HAVE_DB3
- RETURN(D(db)->del(D(db), NULL, &key, 0));
-#else
- RETURN(D(db)->del(D(db), &key, 0));
-#endif
-}
-
-datum
-dbm_fetch (DBM *db, datum dkey)
-{
- datum dvalue;
- DBT key, value;
- DATUM2DBT(&dkey, &key);
- if(D(db)->get(D(db),
-#ifdef HAVE_DB3
- NULL,
-#endif
- &key, &value, 0) != 0)
- dvalue.dptr = NULL;
- else
- DBT2DATUM(&value, &dvalue);
-
- return dvalue;
-}
-
-static datum
-dbm_get (DB *db, int flags)
-{
- DBT key, value;
- datum datum;
-#ifdef HAVE_DB3
- if(cursor == NULL)
- db->cursor(db, NULL, &cursor, 0);
- if(cursor->c_get(cursor, &key, &value, flags) != 0)
- datum.dptr = NULL;
- else
- DBT2DATUM(&value, &datum);
-#else
- db->seq(db, &key, &value, flags);
-#endif
- return datum;
-}
-
-#ifndef DB_FIRST
-#define DB_FIRST R_FIRST
-#define DB_NEXT R_NEXT
-#define DB_NOOVERWRITE R_NOOVERWRITE
-#define DB_KEYEXIST 1
-#endif
-
-datum
-dbm_firstkey (DBM *db)
-{
- return dbm_get(D(db), DB_FIRST);
-}
-
-datum
-dbm_nextkey (DBM *db)
-{
- return dbm_get(D(db), DB_NEXT);
-}
-
-DBM*
-dbm_open (const char *file, int flags, mode_t mode)
-{
- DB *db;
- int myflags = 0;
- char *fn = malloc(strlen(file) + 4);
- if(fn == NULL)
- return NULL;
- strcpy(fn, file);
- strcat(fn, ".db");
-#ifdef HAVE_DB3
- if (flags & O_CREAT)
- myflags |= DB_CREATE;
-
- if (flags & O_EXCL)
- myflags |= DB_EXCL;
-
- if (flags & O_RDONLY)
- myflags |= DB_RDONLY;
-
- if (flags & O_TRUNC)
- myflags |= DB_TRUNCATE;
- if(db_create(&db, NULL, 0) != 0) {
- free(fn);
- return NULL;
- }
-
-#if (DB_VERSION_MAJOR > 3) && (DB_VERSION_MINOR > 0)
- if(db->open(db, NULL, fn, NULL, DB_BTREE, myflags, mode) != 0) {
-#else
- if(db->open(db, fn, NULL, DB_BTREE, myflags, mode) != 0) {
-#endif
- free(fn);
- db->close(db, 0);
- return NULL;
- }
-#else
- db = dbopen(fn, flags, mode, DB_BTREE, NULL);
-#endif
- free(fn);
- return (DBM*)db;
-}
-
-int
-dbm_store (DBM *db, datum dkey, datum dvalue, int flags)
-{
- int ret;
- DBT key, value;
- int myflags = 0;
- if((flags & DBM_REPLACE) == 0)
- myflags |= DB_NOOVERWRITE;
- DATUM2DBT(&dkey, &key);
- DATUM2DBT(&dvalue, &value);
- ret = D(db)->put(D(db),
-#ifdef HAVE_DB3
- NULL,
-#endif
-&key, &value, myflags);
- if(ret == DB_KEYEXIST)
- return 1;
- RETURN(ret);
-}
-
-int
-dbm_error (DBM *db)
-{
- return 0;
-}
-
-int
-dbm_clearerr (DBM *db)
-{
- return 0;
-}
-
diff --git a/crypto/heimdal-0.6.3/lib/roken/ndbm_wrap.h b/crypto/heimdal-0.6.3/lib/roken/ndbm_wrap.h
deleted file mode 100644
index 77c88b4877..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/ndbm_wrap.h
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
- * Copyright (c) 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -/* $Id: ndbm_wrap.h,v 1.1 2002/04/30 16:37:20 joda Exp $ */ - -#ifndef __ndbm_wrap_h__ -#define __ndbm_wrap_h__ - -#include -#include - -#ifndef dbm_rename -#define dbm_rename(X) __roken_ ## X -#endif - -#define dbm_open dbm_rename(dbm_open) -#define dbm_close dbm_rename(dbm_close) -#define dbm_delete dbm_rename(dbm_delete) -#define dbm_fetch dbm_rename(dbm_fetch) -#define dbm_get dbm_rename(dbm_get) -#define dbm_firstkey dbm_rename(dbm_firstkey) -#define dbm_nextkey dbm_rename(dbm_nextkey) -#define dbm_store dbm_rename(dbm_store) -#define dbm_error dbm_rename(dbm_error) -#define dbm_clearerr dbm_rename(dbm_clearerr) - -#define datum dbm_rename(datum) - -typedef struct { - void *dptr; - size_t dsize; -} datum; - -#define DBM_REPLACE 1 -typedef struct DBM DBM; - -#if 0 -typedef struct { - int dummy; -} DBM; -#endif - -int dbm_clearerr (DBM*); -void dbm_close (DBM*); -int dbm_delete (DBM*, datum); -int dbm_error (DBM*); -datum dbm_fetch (DBM*, datum); -datum dbm_firstkey (DBM*); -datum dbm_nextkey (DBM*); -DBM* dbm_open (const char*, int, mode_t); -int dbm_store (DBM*, datum, datum, int); - -#endif /* __ndbm_wrap_h__ */ diff --git a/crypto/heimdal-0.6.3/lib/roken/net_read.c b/crypto/heimdal-0.6.3/lib/roken/net_read.c deleted file mode 100644 index 6d45bfa547..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/net_read.c +++ /dev/null 
@@ -1,74 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: net_read.c,v 1.3 1999/12/02 16:58:51 joda Exp $");
-#endif
-
-#include
-#include
-#include
-
-#include
-
-/*
- * Like read but never return partial data.
- */ - -ssize_t -net_read (int fd, void *buf, size_t nbytes) -{ - char *cbuf = (char *)buf; - ssize_t count; - size_t rem = nbytes; - - while (rem > 0) { -#ifdef WIN32 - count = recv (fd, cbuf, rem, 0); -#else - count = read (fd, cbuf, rem); -#endif - if (count < 0) { - if (errno == EINTR) - continue; - else - return count; - } else if (count == 0) { - return count; - } - cbuf += count; - rem -= count; - } - return nbytes; -} diff --git a/crypto/heimdal-0.6.3/lib/roken/net_write.c b/crypto/heimdal-0.6.3/lib/roken/net_write.c deleted file mode 100644 index 2f63dbeed1..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/net_write.c +++ /dev/null 
@@ -1,72 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: net_write.c,v 1.4 1999/12/02 16:58:51 joda Exp $");
-#endif
-
-#include
-#include
-#include
-
-#include
-
-/*
- * Like write but never return partial data.
- */ - -ssize_t -net_write (int fd, const void *buf, size_t nbytes) -{ - const char *cbuf = (const char *)buf; - ssize_t count; - size_t rem = nbytes; - - while (rem > 0) { -#ifdef WIN32 - count = send (fd, cbuf, rem, 0); -#else - count = write (fd, cbuf, rem); -#endif - if (count < 0) { - if (errno == EINTR) - continue; - else - return count; - } - cbuf += count; - rem -= count; - } - return nbytes; -} diff --git a/crypto/heimdal-0.6.3/lib/roken/parse_bytes-test.c b/crypto/heimdal-0.6.3/lib/roken/parse_bytes-test.c deleted file mode 100644 index 6583f227f0..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/parse_bytes-test.c +++ /dev/null 
@@ -1,92 +0,0 @@
-/*
- * Copyright (c) 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#ifdef HAVE_CONFIG_H -#include -RCSID("$Id: parse_bytes-test.c,v 1.3 2001/09/04 09:56:00 assar Exp $"); -#endif - -#include "roken.h" -#include "parse_bytes.h" - -static struct testcase { - int canonicalp; - int val; - const char *def_unit; - const char *str; -} tests[] = { - {0, 0, NULL, "0 bytes"}, - {1, 0, NULL, "0"}, - {0, 1, NULL, "1"}, - {1, 1, NULL, "1 byte"}, - {0, 0, "kilobyte", "0"}, - {0, 1024, "kilobyte", "1"}, - {1, 1024, "kilobyte", "1 kilobyte"}, - {1, 1024 * 1024, NULL, "1 megabyte"}, - {0, 1025, NULL, "1 kilobyte 1"}, - {1, 1025, NULL, "1 kilobyte 1 byte"}, -}; - -int -main(int argc, char **argv) -{ - int i; - int ret = 0; - - for (i = 0; i < sizeof(tests)/sizeof(tests[0]); ++i) { - char buf[256]; - int val = parse_bytes (tests[i].str, tests[i].def_unit); - int len; - - if (val != tests[i].val) { - printf ("parse_bytes (%s, %s) = %d != %d\n", - tests[i].str, - tests[i].def_unit ? tests[i].def_unit : "none", - val, tests[i].val); - ++ret; - } - if (tests[i].canonicalp) { - len = unparse_bytes (tests[i].val, buf, sizeof(buf)); - if (strcmp (tests[i].str, buf) != 0) { - printf ("unparse_bytes (%d) = \"%s\" != \"%s\"\n", - tests[i].val, buf, tests[i].str); - ++ret; - } - } - } - if (ret) { - printf ("%d errors\n", ret); - return 1; - } else - return 0; -} diff --git a/crypto/heimdal-0.6.3/lib/roken/parse_bytes.c b/crypto/heimdal-0.6.3/lib/roken/parse_bytes.c deleted file mode 100644 index b556ddc197..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/parse_bytes.c +++ /dev/null 
@@ -1,78 +0,0 @@
-/*
- * Copyright (c) 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#ifdef HAVE_CONFIG_H -#include -RCSID("$Id: parse_bytes.c,v 1.4 2003/03/07 15:51:53 lha Exp $"); -#endif - -#include -#include "parse_bytes.h" - -static struct units bytes_units[] = { - { "gigabyte", 1024 * 1024 * 1024 }, - { "gbyte", 1024 * 1024 * 1024 }, - { "GB", 1024 * 1024 * 1024 }, - { "megabyte", 1024 * 1024 }, - { "mbyte", 1024 * 1024 }, - { "MB", 1024 * 1024 }, - { "kilobyte", 1024 }, - { "KB", 1024 }, - { "byte", 1 }, - { NULL, 0 } -}; - -static struct units bytes_short_units[] = { - { "GB", 1024 * 1024 * 1024 }, - { "MB", 1024 * 1024 }, - { "KB", 1024 }, - { NULL, 0 } -}; - -int -parse_bytes (const char *s, const char *def_unit) -{ - return parse_units (s, bytes_units, def_unit); -} - -int -unparse_bytes (int t, char *s, size_t len) -{ - return unparse_units (t, bytes_units, s, len); -} - -int -unparse_bytes_short (int t, char *s, size_t len) -{ - return unparse_units_approx (t, bytes_short_units, s, len); -} diff --git a/crypto/heimdal-0.6.3/lib/roken/parse_bytes.h b/crypto/heimdal-0.6.3/lib/roken/parse_bytes.h deleted file mode 100644 index d7e759da5e..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/parse_bytes.h +++ /dev/null 
@@ -1,48 +0,0 @@
-/*
- * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: parse_bytes.h,v 1.3 2001/09/04 09:56:00 assar Exp $ */
-
-#ifndef __PARSE_BYTES_H__
-#define __PARSE_BYTES_H__
-
-int
-parse_bytes (const char *s, const char *def_unit);
-
-int
-unparse_bytes (int t, char *s, size_t len);
-
-int
-unparse_bytes_short (int t, char *s, size_t len);
-
-#endif /* __PARSE_BYTES_H__ */
diff --git a/crypto/heimdal-0.6.3/lib/roken/parse_reply-test.c b/crypto/heimdal-0.6.3/lib/roken/parse_reply-test.c
deleted file mode 100644
index 47e12d182e..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/parse_reply-test.c
+++ /dev/null
@@ -1,129 +0,0 @@
-/*
- * Copyright (c) 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#ifdef HAVE_CONFIG_H -#include -RCSID("$Id: parse_reply-test.c,v 1.2 2002/09/04 03:25:06 assar Exp $"); -#endif - -#include -#ifdef HAVE_SYS_MMAN_H -#include -#endif -#include - -#include "roken.h" -#include "resolve.h" - -struct dns_reply* -parse_reply(const unsigned char *, size_t); - -enum { MAX_BUF = 36}; - -static struct testcase { - unsigned char buf[MAX_BUF]; - size_t buf_len; -} tests[] = { - {{0x12, 0x67, 0x84, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, - 0x03, 'f', 'o', 'o', 0x00, - 0x00, 0x10, 0x00, 0x01, - 0x03, 'f', 'o', 'o', 0x00, - 0x00, 0x10, 0x00, 0x01, - 0x00, 0x00, 0x12, 0x67, 0xff, 0xff}, 36} -}; - -#ifndef MAP_FAILED -#define MAP_FAILED (-1) -#endif - -static sig_atomic_t val = 0; - -static RETSIGTYPE -segv_handler(int sig) -{ - val = 1; -} - -int -main(int argc, char **argv) -{ -#ifndef HAVE_MMAP - return 77; /* signal to automake that this test - cannot be run */ -#else /* HAVE_MMAP */ - int ret; - int i; - struct sigaction sa; - - sigemptyset (&sa.sa_mask); - sa.sa_flags = 0; - sa.sa_handler = segv_handler; - sigaction (SIGSEGV, &sa, NULL); - - for (i = 0; val == 0 && i < sizeof(tests)/sizeof(tests[0]); ++i) { - const struct testcase *t = &tests[i]; - unsigned char *p1, *p2; - int flags; - int fd; - size_t pagesize = getpagesize(); - unsigned char *buf; - -#ifdef MAP_ANON - flags = MAP_ANON; - fd = -1; -#else - flags = 0; - fd = open ("/dev/zero", O_RDONLY); - if(fd < 0) - err (1, "open /dev/zero"); -#endif - flags |= MAP_PRIVATE; - - p1 = (char *)mmap(0, 2 * pagesize, PROT_READ | PROT_WRITE, - flags, fd, 0); - if (p1 == (unsigned char *)MAP_FAILED) - err (1, "mmap"); - p2 = p1 + pagesize; - ret = mprotect (p2, pagesize, 0); - if (ret < 0) - err (1, "mprotect"); - buf = p2 - t->buf_len; - memcpy (buf, t->buf, t->buf_len); - parse_reply (buf, t->buf_len); - ret = munmap (p1, 2 * pagesize); - if (ret < 0) - err (1, "munmap"); - } - return val; -#endif /* HAVE_MMAP */ -} 
diff --git a/crypto/heimdal-0.6.3/lib/roken/parse_time.c b/crypto/heimdal-0.6.3/lib/roken/parse_time.c
deleted file mode 100644
index deab102fdf..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/parse_time.c
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#ifdef HAVE_CONFIG_H -#include -RCSID("$Id: parse_time.c,v 1.6 2003/03/07 15:51:06 lha Exp $"); -#endif - -#include -#include "parse_time.h" - -static struct units time_units[] = { - {"year", 365 * 24 * 60 * 60}, - {"month", 30 * 24 * 60 * 60}, - {"week", 7 * 24 * 60 * 60}, - {"day", 24 * 60 * 60}, - {"hour", 60 * 60}, - {"h", 60 * 60}, - {"minute", 60}, - {"m", 60}, - {"second", 1}, - {"s", 1}, - {NULL, 0}, -}; - -int -parse_time (const char *s, const char *def_unit) -{ - return parse_units (s, time_units, def_unit); -} - -size_t -unparse_time (int t, char *s, size_t len) -{ - return unparse_units (t, time_units, s, len); -} - -size_t -unparse_time_approx (int t, char *s, size_t len) -{ - return unparse_units_approx (t, time_units, s, len); -} - -void -print_time_table (FILE *f) -{ - print_units_table (time_units, f); -} diff --git a/crypto/heimdal-0.6.3/lib/roken/parse_time.h b/crypto/heimdal-0.6.3/lib/roken/parse_time.h deleted file mode 100644 index 55de505dbb..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/parse_time.h +++ /dev/null 
@@ -1,51 +0,0 @@
-/*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: parse_time.h,v 1.4 1999/12/02 16:58:51 joda Exp $ */
-
-#ifndef __PARSE_TIME_H__
-#define __PARSE_TIME_H__
-
-int
-parse_time (const char *s, const char *def_unit);
-
-size_t
-unparse_time (int t, char *s, size_t len);
-
-size_t
-unparse_time_approx (int t, char *s, size_t len);
-
-void
-print_time_table (FILE *f);
-
-#endif /* __PARSE_TIME_H__ */
diff --git a/crypto/heimdal-0.6.3/lib/roken/parse_units.c b/crypto/heimdal-0.6.3/lib/roken/parse_units.c
deleted file mode 100644
index 217d55ede8..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/parse_units.c
+++ /dev/null
@@ -1,327 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: parse_units.c,v 1.14 2001/09/04 09:56:00 assar Exp $");
-#endif
-
-#include
-#include
-#include
-#include
-#include "parse_units.h"
-
-/*
- * Parse string in `s' according to `units' and return value.
- * def_unit defines the default unit.
- */ - -static int -parse_something (const char *s, const struct units *units, - const char *def_unit, - int (*func)(int res, int val, unsigned mult), - int init, - int accept_no_val_p) -{ - const char *p; - int res = init; - unsigned def_mult = 1; - - if (def_unit != NULL) { - const struct units *u; - - for (u = units; u->name; ++u) { - if (strcasecmp (u->name, def_unit) == 0) { - def_mult = u->mult; - break; - } - } - if (u->name == NULL) - return -1; - } - - p = s; - while (*p) { - double val; - char *next; - const struct units *u, *partial_unit; - size_t u_len; - unsigned partial; - int no_val_p = 0; - - while(isspace((unsigned char)*p) || *p == ',') - ++p; - - val = strtod (p, &next); /* strtol(p, &next, 0); */ - if (p == next) { - val = 0; - if(!accept_no_val_p) - return -1; - no_val_p = 1; - } - p = next; - while (isspace((unsigned char)*p)) - ++p; - if (*p == '\0') { - res = (*func)(res, val, def_mult); - if (res < 0) - return res; - break; - } else if (*p == '+') { - ++p; - val = 1; - } else if (*p == '-') { - ++p; - val = -1; - } - if (no_val_p && val == 0) - val = 1; - u_len = strcspn (p, ", \t"); - partial = 0; - partial_unit = NULL; - if (u_len > 1 && p[u_len - 1] == 's') - --u_len; - for (u = units; u->name; ++u) { - if (strncasecmp (p, u->name, u_len) == 0) { - if (u_len == strlen (u->name)) { - p += u_len; - res = (*func)(res, val, u->mult); - if (res < 0) - return res; - break; - } else { - ++partial; - partial_unit = u; - } - } - } - if (u->name == NULL) { - if (partial == 1) { - p += u_len; - res = (*func)(res, val, partial_unit->mult); - if (res < 0) - return res; - } else { - return -1; - } - } - if (*p == 's') - ++p; - } - return res; -} - -/* - * The string consists of a sequence of `n unit' - */ - -static int -acc_units(int res, int val, unsigned mult) -{ - return res + val * mult; -} - -int -parse_units (const char *s, const struct units *units, - const char *def_unit) -{ - return parse_something (s, units, def_unit, acc_units, 0, 0); -} - 
-/* - * The string consists of a sequence of `[+-]flag'. `orig' consists - * the original set of flags, those are then modified and returned as - * the function value. - */ - -static int -acc_flags(int res, int val, unsigned mult) -{ - if(val == 1) - return res | mult; - else if(val == -1) - return res & ~mult; - else if (val == 0) - return mult; - else - return -1; -} - -int -parse_flags (const char *s, const struct units *units, - int orig) -{ - return parse_something (s, units, NULL, acc_flags, orig, 1); -} - -/* - * Return a string representation according to `units' of `num' in `s' - * with maximum length `len'. The actual length is the function value. - */ - -static int -unparse_something (int num, const struct units *units, char *s, size_t len, - int (*print) (char *s, size_t len, int div, - const char *name, int rem), - int (*update) (int in, unsigned mult), - const char *zero_string) -{ - const struct units *u; - int ret = 0, tmp; - - if (num == 0) - return snprintf (s, len, "%s", zero_string); - - for (u = units; num > 0 && u->name; ++u) { - int div; - - div = num / u->mult; - if (div) { - num = (*update) (num, u->mult); - tmp = (*print) (s, len, div, u->name, num); - if (tmp < 0) - return tmp; - - len -= tmp; - s += tmp; - ret += tmp; - } - } - return ret; -} - -static int -print_unit (char *s, size_t len, int div, const char *name, int rem) -{ - return snprintf (s, len, "%u %s%s%s", - div, name, - div == 1 ? "" : "s", - rem > 0 ? 
" " : ""); -} - -static int -update_unit (int in, unsigned mult) -{ - return in % mult; -} - -static int -update_unit_approx (int in, unsigned mult) -{ - if (in / mult > 0) - return 0; - else - return update_unit (in, mult); -} - -int -unparse_units (int num, const struct units *units, char *s, size_t len) -{ - return unparse_something (num, units, s, len, - print_unit, - update_unit, - "0"); -} - -int -unparse_units_approx (int num, const struct units *units, char *s, size_t len) -{ - return unparse_something (num, units, s, len, - print_unit, - update_unit_approx, - "0"); -} - -void -print_units_table (const struct units *units, FILE *f) -{ - const struct units *u, *u2; - unsigned max_sz = 0; - - for (u = units; u->name; ++u) { - max_sz = max(max_sz, strlen(u->name)); - } - - for (u = units; u->name;) { - char buf[1024]; - const struct units *next; - - for (next = u + 1; next->name && next->mult == u->mult; ++next) - ; - - if (next->name) { - for (u2 = next; - u2->name && u->mult % u2->mult != 0; - ++u2) - ; - if (u2->name == NULL) - --u2; - unparse_units (u->mult, u2, buf, sizeof(buf)); - fprintf (f, "1 %*s = %s\n", max_sz, u->name, buf); - } else { - fprintf (f, "1 %s\n", u->name); - } - u = next; - } -} - -static int -print_flag (char *s, size_t len, int div, const char *name, int rem) -{ - return snprintf (s, len, "%s%s", name, rem > 0 ? ", " : ""); -} - -static int -update_flag (int in, unsigned mult) -{ - return in - mult; -} - -int -unparse_flags (int num, const struct units *units, char *s, size_t len) -{ - return unparse_something (num, units, s, len, - print_flag, - update_flag, - ""); -} - -void -print_flags_table (const struct units *units, FILE *f) -{ - const struct units *u; - - for(u = units; u->name; ++u) - fprintf(f, "%s%s", u->name, (u+1)->name ? ", " : "\n"); -} diff --git a/crypto/heimdal-0.6.3/lib/roken/parse_units.h b/crypto/heimdal-0.6.3/lib/roken/parse_units.h deleted file mode 100644 index 2002625267..0000000000 
--- a/crypto/heimdal-0.6.3/lib/roken/parse_units.h
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: parse_units.h,v 1.8 2003/04/16 17:30:54 lha Exp $ */
-
-#ifndef __PARSE_UNITS_H__
-#define __PARSE_UNITS_H__
-
-#include
-#include
-
-struct units {
- const char *name;
- unsigned mult;
-};
-
-int
-parse_units (const char *s, const struct units *units,
- const char *def_unit);
-
-void
-print_units_table (const struct units *units, FILE *f);
-
-int
-parse_flags (const char *s, const struct units *units,
- int orig);
-
-int
-unparse_units (int num, const struct units *units, char *s, size_t len);
-
-int
-unparse_units_approx (int num, const struct units *units, char *s,
- size_t len);
-
-int
-unparse_flags (int num, const struct units *units, char *s, size_t len);
-
-void
-print_flags_table (const struct units *units, FILE *f);
-
-#endif /* __PARSE_UNITS_H__ */
diff --git a/crypto/heimdal-0.6.3/lib/roken/print_version.c b/crypto/heimdal-0.6.3/lib/roken/print_version.c
deleted file mode 100644
index b5ce816eb6..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/print_version.c
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * Copyright (c) 1998 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: print_version.c,v 1.8 2001/02/20 01:44:55 assar Exp $");
-#endif
-#include "roken.h"
-
-#include "print_version.h"
-
-void
-print_version(const char *progname)
-{
- const char *arg[] = VERSIONLIST;
- const int num_args = sizeof(arg) / sizeof(arg[0]);
- char *msg;
- size_t len = 0;
- int i;
-
- if(progname == NULL)
- progname = getprogname();
-
- if(num_args == 0)
- msg = "no version information";
- else {
- for(i = 0; i < num_args; i++) {
- if(i > 0)
- len += 2;
- len += strlen(arg[i]);
- }
- msg = malloc(len + 1);
- if(msg == NULL) {
- fprintf(stderr, "%s: out of memory\n", progname);
- return;
- }
- msg[0] = '\0';
- for(i = 0; i < num_args; i++) {
- if(i > 0)
- strcat(msg, ", ");
- strcat(msg, arg[i]);
- }
- }
- fprintf(stderr, "%s (%s)\n", progname, msg);
- fprintf(stderr, "Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan\n");
- if(num_args != 0)
- free(msg);
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/putenv.c b/crypto/heimdal-0.6.3/lib/roken/putenv.c
deleted file mode 100644
index a6bdf6001d..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/putenv.c
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: putenv.c,v 1.7 2000/03/26 23:08:24 assar Exp $");
-#endif
-
-#include
-
-extern char **environ;
-
-/*
- * putenv --
- * String points to a string of the form name=value.
- *
- * Makes the value of the environment variable name equal to
- * value by altering an existing variable or creating a new one.
- */
-
-int
-putenv(const char *string)
-{
- int i;
- const char *eq = (const char *)strchr(string, '=');
- int len;
-
- if (eq == NULL)
- return 1;
- len = eq - string;
-
- if(environ == NULL) {
- environ = malloc(sizeof(char*));
- if(environ == NULL)
- return 1;
- environ[0] = NULL;
- }
-
- for(i = 0; environ[i] != NULL; i++)
- if(strncmp(string, environ[i], len) == 0) {
- environ[i] = string;
- return 0;
- }
- environ = realloc(environ, sizeof(char*) * (i + 2));
- if(environ == NULL)
- return 1;
- environ[i] = string;
- environ[i+1] = NULL;
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/rcmd.c b/crypto/heimdal-0.6.3/lib/roken/rcmd.c
deleted file mode 100644
index 41179484bc..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/rcmd.c
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: rcmd.c,v 1.3 1999/12/02 16:58:51 joda Exp $");
-#endif
-
-#include "roken.h"
-#include
-
-int
-rcmd(char **ahost,
- unsigned short inport,
- const char *locuser,
- const char *remuser,
- const char *cmd,
- int *fd2p)
-{
- fprintf(stderr, "Only kerberized services are implemented\n");
- return -1;
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/readv.c b/crypto/heimdal-0.6.3/lib/roken/readv.c
deleted file mode 100644
index de2f9ea8af..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/readv.c
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: readv.c,v 1.5 1999/12/02 16:58:52 joda Exp $");
-#endif
-
-#include "roken.h"
-
-ssize_t
-readv(int d, const struct iovec *iov, int iovcnt)
-{
- ssize_t ret, nb;
- size_t tot = 0;
- int i;
- char *buf, *p;
-
- for(i = 0; i < iovcnt; ++i)
- tot += iov[i].iov_len;
- buf = malloc(tot);
- if (tot != 0 && buf == NULL) {
- errno = ENOMEM;
- return -1;
- }
- nb = ret = read (d, buf, tot);
- p = buf;
- while (nb > 0) {
- ssize_t cnt = min(nb, iov->iov_len);
-
- memcpy (iov->iov_base, p, cnt);
- p += cnt;
- nb -= cnt;
- }
- free(buf);
- return ret;
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/recvmsg.c b/crypto/heimdal-0.6.3/lib/roken/recvmsg.c
deleted file mode 100644
index e94ad68c80..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/recvmsg.c
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: recvmsg.c,v 1.5 1999/12/02 16:58:52 joda Exp $");
-#endif
-
-#include "roken.h"
-
-ssize_t
-recvmsg(int s, struct msghdr *msg, int flags)
-{
- ssize_t ret, nb;
- size_t tot = 0;
- int i;
- char *buf, *p;
- struct iovec *iov = msg->msg_iov;
-
- for(i = 0; i < msg->msg_iovlen; ++i)
- tot += iov[i].iov_len;
- buf = malloc(tot);
- if (tot != 0 && buf == NULL) {
- errno = ENOMEM;
- return -1;
- }
- nb = ret = recvfrom (s, buf, tot, flags, msg->msg_name, &msg->msg_namelen);
- p = buf;
- while (nb > 0) {
- ssize_t cnt = min(nb, iov->iov_len);
-
- memcpy (iov->iov_base, p, cnt);
- p += cnt;
- nb -= cnt;
- ++iov;
- }
- free(buf);
- return ret;
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/resolve.c b/crypto/heimdal-0.6.3/lib/roken/resolve.c
deleted file mode 100644
index cdbc069e36..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/resolve.c
+++ /dev/null
@@ -1,664 +0,0 @@ -/* - * Copyright (c) 1995 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#ifdef HAVE_CONFIG_H -#include -#endif -#include "roken.h" -#ifdef HAVE_ARPA_NAMESER_H -#include -#endif -#ifdef HAVE_RESOLV_H -#include -#endif -#include "resolve.h" - -#include - -RCSID("$Id: resolve.c,v 1.38.2.1 2003/04/22 15:02:47 lha Exp $"); - -#undef HAVE_RES_NSEARCH -#if (defined(HAVE_RES_SEARCH) || defined(HAVE_RES_NSEARCH)) && defined(HAVE_DN_EXPAND) - -#define DECL(X) {#X, T_##X} - -static struct stot{ - const char *name; - int type; -}stot[] = { - DECL(A), - DECL(NS), - DECL(CNAME), - DECL(SOA), - DECL(PTR), - DECL(MX), - DECL(TXT), - DECL(AFSDB), - DECL(SIG), - DECL(KEY), - DECL(SRV), - DECL(NAPTR), - {NULL, 0} -}; - -int _resolve_debug = 0; - -int -dns_string_to_type(const char *name) -{ - struct stot *p = stot; - for(p = stot; p->name; p++) - if(strcasecmp(name, p->name) == 0) - return p->type; - return -1; -} - -const char * -dns_type_to_string(int type) -{ - struct stot *p = stot; - for(p = stot; p->name; p++) - if(type == p->type) - return p->name; - return NULL; -} - -void -dns_free_data(struct dns_reply *r) -{ - struct resource_record *rr; - if(r->q.domain) - free(r->q.domain); - for(rr = r->head; rr;){ - struct resource_record *tmp = rr; - if(rr->domain) - free(rr->domain); - if(rr->u.data) - free(rr->u.data); - rr = rr->next; - free(tmp); - } - free (r); -} - -static int -parse_record(const unsigned char *data, const unsigned char *end_data, - const unsigned char **pp, struct resource_record **rr) -{ - int type, class, ttl, size; - int status; - char host[MAXDNAME]; - const unsigned char *p = *pp; - status = dn_expand(data, end_data, p, host, sizeof(host)); - if(status < 0) - return -1; - if (p + status + 10 > end_data) - return -1; - p += status; - type = (p[0] << 8) | p[1]; - p += 2; - class = (p[0] << 8) | p[1]; - p += 2; - ttl = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]; - p += 4; - size = (p[0] << 8) | p[1]; - p += 2; - - if (p + size > end_data) - return -1; - - *rr = calloc(1, sizeof(**rr)); - if(*rr == NULL) - return -1; 
- (*rr)->domain = strdup(host); - if((*rr)->domain == NULL) { - free(*rr); - return -1; - } - (*rr)->type = type; - (*rr)->class = class; - (*rr)->ttl = ttl; - (*rr)->size = size; - switch(type){ - case T_NS: - case T_CNAME: - case T_PTR: - status = dn_expand(data, end_data, p, host, sizeof(host)); - if(status < 0) { - free(*rr); - return -1; - } - (*rr)->u.txt = strdup(host); - if((*rr)->u.txt == NULL) { - free(*rr); - return -1; - } - break; - case T_MX: - case T_AFSDB:{ - size_t hostlen; - - status = dn_expand(data, end_data, p + 2, host, sizeof(host)); - if(status < 0){ - free(*rr); - return -1; - } - if (status + 2 > size) { - free(*rr); - return -1; - } - - hostlen = strlen(host); - (*rr)->u.mx = (struct mx_record*)malloc(sizeof(struct mx_record) + - hostlen); - if((*rr)->u.mx == NULL) { - free(*rr); - return -1; - } - (*rr)->u.mx->preference = (p[0] << 8) | p[1]; - strlcpy((*rr)->u.mx->domain, host, hostlen + 1); - break; - } - case T_SRV:{ - size_t hostlen; - status = dn_expand(data, end_data, p + 6, host, sizeof(host)); - if(status < 0){ - free(*rr); - return -1; - } - if (status + 6 > size) { - free(*rr); - return -1; - } - - hostlen = strlen(host); - (*rr)->u.srv = - (struct srv_record*)malloc(sizeof(struct srv_record) + - hostlen); - if((*rr)->u.srv == NULL) { - free(*rr); - return -1; - } - (*rr)->u.srv->priority = (p[0] << 8) | p[1]; - (*rr)->u.srv->weight = (p[2] << 8) | p[3]; - (*rr)->u.srv->port = (p[4] << 8) | p[5]; - strlcpy((*rr)->u.srv->target, host, hostlen + 1); - break; - } - case T_TXT:{ - if(size == 0 || size < *p + 1) { - free(*rr); - return -1; - } - (*rr)->u.txt = (char*)malloc(*p + 1); - if((*rr)->u.txt == NULL) { - free(*rr); - return -1; - } - strncpy((*rr)->u.txt, (char*)p + 1, *p); - (*rr)->u.txt[*p] = '\0'; - break; - } - case T_KEY : { - size_t key_len; - - if (size < 4) { - free(*rr); - return -1; - } - - key_len = size - 4; - (*rr)->u.key = malloc (sizeof(*(*rr)->u.key) + key_len - 1); - if ((*rr)->u.key == NULL) { - free(*rr); 
- return -1; - } - - (*rr)->u.key->flags = (p[0] << 8) | p[1]; - (*rr)->u.key->protocol = p[2]; - (*rr)->u.key->algorithm = p[3]; - (*rr)->u.key->key_len = key_len; - memcpy ((*rr)->u.key->key_data, p + 4, key_len); - break; - } - case T_SIG : { - size_t sig_len, hostlen; - - if(size <= 18) { - free(*rr); - return -1; - } - status = dn_expand (data, end_data, p + 18, host, sizeof(host)); - if (status < 0) { - free(*rr); - return -1; - } - if (status + 18 > size) { - free(*rr); - return -1; - } - - /* the signer name is placed after the sig_data, to make it - easy to free this struture; the size calculation below - includes the zero-termination if the structure itself. - don't you just love C? - */ - sig_len = size - 18 - status; - hostlen = strlen(host); - (*rr)->u.sig = malloc(sizeof(*(*rr)->u.sig) - + hostlen + sig_len); - if ((*rr)->u.sig == NULL) { - free(*rr); - return -1; - } - (*rr)->u.sig->type = (p[0] << 8) | p[1]; - (*rr)->u.sig->algorithm = p[2]; - (*rr)->u.sig->labels = p[3]; - (*rr)->u.sig->orig_ttl = (p[4] << 24) | (p[5] << 16) - | (p[6] << 8) | p[7]; - (*rr)->u.sig->sig_expiration = (p[8] << 24) | (p[9] << 16) - | (p[10] << 8) | p[11]; - (*rr)->u.sig->sig_inception = (p[12] << 24) | (p[13] << 16) - | (p[14] << 8) | p[15]; - (*rr)->u.sig->key_tag = (p[16] << 8) | p[17]; - (*rr)->u.sig->sig_len = sig_len; - memcpy ((*rr)->u.sig->sig_data, p + 18 + status, sig_len); - (*rr)->u.sig->signer = &(*rr)->u.sig->sig_data[sig_len]; - strlcpy((*rr)->u.sig->signer, host, hostlen + 1); - break; - } - - case T_CERT : { - size_t cert_len; - - if (size < 5) { - free(*rr); - return -1; - } - - cert_len = size - 5; - (*rr)->u.cert = malloc (sizeof(*(*rr)->u.cert) + cert_len - 1); - if ((*rr)->u.cert == NULL) { - free(*rr); - return -1; - } - - (*rr)->u.cert->type = (p[0] << 8) | p[1]; - (*rr)->u.cert->tag = (p[2] << 8) | p[3]; - (*rr)->u.cert->algorithm = p[4]; - (*rr)->u.cert->cert_len = cert_len; - memcpy ((*rr)->u.cert->cert_data, p + 5, cert_len); - break; - } - 
default: - (*rr)->u.data = (unsigned char*)malloc(size); - if(size != 0 && (*rr)->u.data == NULL) { - free(*rr); - return -1; - } - memcpy((*rr)->u.data, p, size); - } - *pp = p + size; - return 0; -} - -#ifndef TEST_RESOLVE -static -#endif -struct dns_reply* -parse_reply(const unsigned char *data, size_t len) -{ - const unsigned char *p; - int status; - int i; - char host[MAXDNAME]; - const unsigned char *end_data = data + len; - struct dns_reply *r; - struct resource_record **rr; - - r = calloc(1, sizeof(*r)); - if (r == NULL) - return NULL; - - p = data; -#if 0 - /* doesn't work on Crays */ - memcpy(&r->h, p, sizeof(HEADER)); - p += sizeof(HEADER); -#else - memcpy(&r->h, p, 12); /* XXX this will probably be mostly garbage */ - p += 12; -#endif - if(ntohs(r->h.qdcount) != 1) { - free(r); - return NULL; - } - status = dn_expand(data, end_data, p, host, sizeof(host)); - if(status < 0){ - dns_free_data(r); - return NULL; - } - r->q.domain = strdup(host); - if(r->q.domain == NULL) { - dns_free_data(r); - return NULL; - } - if (p + status + 4 > end_data) { - dns_free_data(r); - return NULL; - } - p += status; - r->q.type = (p[0] << 8 | p[1]); - p += 2; - r->q.class = (p[0] << 8 | p[1]); - p += 2; - - rr = &r->head; - for(i = 0; i < ntohs(r->h.ancount); i++) { - if(parse_record(data, end_data, &p, rr) != 0) { - dns_free_data(r); - return NULL; - } - rr = &(*rr)->next; - } - for(i = 0; i < ntohs(r->h.nscount); i++) { - if(parse_record(data, end_data, &p, rr) != 0) { - dns_free_data(r); - return NULL; - } - rr = &(*rr)->next; - } - for(i = 0; i < ntohs(r->h.arcount); i++) { - if(parse_record(data, end_data, &p, rr) != 0) { - dns_free_data(r); - return NULL; - } - rr = &(*rr)->next; - } - *rr = NULL; - return r; -} - -static struct dns_reply * -dns_lookup_int(const char *domain, int rr_class, int rr_type) -{ - unsigned char reply[1024]; - int len; -#ifdef HAVE_RES_NSEARCH - struct __res_state stat; - memset(&stat, 0, sizeof(stat)); - if(res_ninit(&stat)) - return NULL; /* 
is this the best we can do? */ -#elif defined(HAVE__RES) - u_long old_options = 0; -#endif - - if (_resolve_debug) { -#ifdef HAVE_RES_NSEARCH - stat.options |= RES_DEBUG; -#elif defined(HAVE__RES) - old_options = _res.options; - _res.options |= RES_DEBUG; -#endif - fprintf(stderr, "dns_lookup(%s, %d, %s)\n", domain, - rr_class, dns_type_to_string(rr_type)); - } -#ifdef HAVE_RES_NSEARCH - len = res_nsearch(&stat, domain, rr_class, rr_type, reply, sizeof(reply)); -#else - len = res_search(domain, rr_class, rr_type, reply, sizeof(reply)); -#endif - if (_resolve_debug) { -#if defined(HAVE__RES) && !defined(HAVE_RES_NSEARCH) - _res.options = old_options; -#endif - fprintf(stderr, "dns_lookup(%s, %d, %s) --> %d\n", - domain, rr_class, dns_type_to_string(rr_type), len); - } -#ifdef HAVE_RES_NSEARCH - res_nclose(&stat); -#endif - if(len < 0) { - return NULL; - } else { - len = min(len, sizeof(reply)); - return parse_reply(reply, len); - } -} - -struct dns_reply * -dns_lookup(const char *domain, const char *type_name) -{ - int type; - - type = dns_string_to_type(type_name); - if(type == -1) { - if(_resolve_debug) - fprintf(stderr, "dns_lookup: unknown resource type: `%s'\n", - type_name); - return NULL; - } - return dns_lookup_int(domain, C_IN, type); -} - -static int -compare_srv(const void *a, const void *b) -{ - const struct resource_record *const* aa = a, *const* bb = b; - - if((*aa)->u.srv->priority == (*bb)->u.srv->priority) - return ((*aa)->u.srv->weight - (*bb)->u.srv->weight); - return ((*aa)->u.srv->priority - (*bb)->u.srv->priority); -} - -#ifndef HAVE_RANDOM -#define random() rand() -#endif - -/* try to rearrange the srv-records by the algorithm in RFC2782 */ -void -dns_srv_order(struct dns_reply *r) -{ - struct resource_record **srvs, **ss, **headp; - struct resource_record *rr; - int num_srv = 0; - -#if defined(HAVE_INITSTATE) && defined(HAVE_SETSTATE) - int state[256 / sizeof(int)]; - char *oldstate; -#endif - - for(rr = r->head; rr; rr = rr->next) - 
if(rr->type == T_SRV) - num_srv++; - - if(num_srv == 0) - return; - - srvs = malloc(num_srv * sizeof(*srvs)); - if(srvs == NULL) - return; /* XXX not much to do here */ - - /* unlink all srv-records from the linked list and put them in - a vector */ - for(ss = srvs, headp = &r->head; *headp; ) - if((*headp)->type == T_SRV) { - *ss = *headp; - *headp = (*headp)->next; - (*ss)->next = NULL; - ss++; - } else - headp = &(*headp)->next; - - /* sort them by priority and weight */ - qsort(srvs, num_srv, sizeof(*srvs), compare_srv); - -#if defined(HAVE_INITSTATE) && defined(HAVE_SETSTATE) - oldstate = initstate(time(NULL), (char*)state, sizeof(state)); -#endif - - headp = &r->head; - - for(ss = srvs; ss < srvs + num_srv; ) { - int sum, rnd, count; - struct resource_record **ee, **tt; - /* find the last record with the same priority and count the - sum of all weights */ - for(sum = 0, tt = ss; tt < srvs + num_srv; tt++) { - if(*tt == NULL) - continue; - if((*tt)->u.srv->priority != (*ss)->u.srv->priority) - break; - sum += (*tt)->u.srv->weight; - } - ee = tt; - /* ss is now the first record of this priority and ee is the - first of the next */ - while(ss < ee) { - rnd = random() % (sum + 1); - for(count = 0, tt = ss; ; tt++) { - if(*tt == NULL) - continue; - count += (*tt)->u.srv->weight; - if(count >= rnd) - break; - } - - assert(tt < ee); - - /* insert the selected record at the tail (of the head) of - the list */ - (*tt)->next = *headp; - *headp = *tt; - headp = &(*tt)->next; - sum -= (*tt)->u.srv->weight; - *tt = NULL; - while(ss < ee && *ss == NULL) - ss++; - } - } - -#if defined(HAVE_INITSTATE) && defined(HAVE_SETSTATE) - setstate(oldstate); -#endif - free(srvs); - return; -} - -#else /* NOT defined(HAVE_RES_SEARCH) && defined(HAVE_DN_EXPAND) */ - -struct dns_reply * -dns_lookup(const char *domain, const char *type_name) -{ - return NULL; -} - -void -dns_free_data(struct dns_reply *r) -{ -} - -void -dns_srv_order(struct dns_reply *r) -{ -} - -#endif - -#ifdef TEST 
-int -main(int argc, char **argv) -{ - struct dns_reply *r; - struct resource_record *rr; - r = dns_lookup(argv[1], argv[2]); - if(r == NULL){ - printf("No reply.\n"); - return 1; - } - if(r->q.type == T_SRV) - dns_srv_order(r); - - for(rr = r->head; rr;rr=rr->next){ - printf("%-30s %-5s %-6d ", rr->domain, dns_type_to_string(rr->type), rr->ttl); - switch(rr->type){ - case T_NS: - case T_CNAME: - case T_PTR: - printf("%s\n", (char*)rr->u.data); - break; - case T_A: - printf("%s\n", inet_ntoa(*rr->u.a)); - break; - case T_MX: - case T_AFSDB:{ - printf("%d %s\n", rr->u.mx->preference, rr->u.mx->domain); - break; - } - case T_SRV:{ - struct srv_record *srv = rr->u.srv; - printf("%d %d %d %s\n", srv->priority, srv->weight, - srv->port, srv->target); - break; - } - case T_TXT: { - printf("%s\n", rr->u.txt); - break; - } - case T_SIG : { - struct sig_record *sig = rr->u.sig; - const char *type_string = dns_type_to_string (sig->type); - - printf ("type %u (%s), algorithm %u, labels %u, orig_ttl %u, sig_expiration %u, sig_inception %u, key_tag %u, signer %s\n", - sig->type, type_string ? type_string : "", - sig->algorithm, sig->labels, sig->orig_ttl, - sig->sig_expiration, sig->sig_inception, sig->key_tag, - sig->signer); - break; - } - case T_KEY : { - struct key_record *key = rr->u.key; - - printf ("flags %u, protocol %u, algorithm %u\n", - key->flags, key->protocol, key->algorithm); - break; - } - default: - printf("\n"); - break; - } - } - - return 0; -} -#endif diff --git a/crypto/heimdal-0.6.3/lib/roken/resolve.h b/crypto/heimdal-0.6.3/lib/roken/resolve.h deleted file mode 100644 index cb25b7ab44..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/resolve.h +++ /dev/null 
@@ -1,165 +0,0 @@ -/* - * Copyright (c) 1995 - 2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */
-
-/* $Id: resolve.h,v 1.15 2002/08/26 13:30:16 assar Exp $ */
-
-#ifndef __RESOLVE_H__
-#define __RESOLVE_H__
-
-/* We use these, but they are not always present in */
-
-#ifndef T_TXT
-#define T_TXT 16
-#endif
-#ifndef T_AFSDB
-#define T_AFSDB 18
-#endif
-#ifndef T_SIG
-#define T_SIG 24
-#endif
-#ifndef T_KEY
-#define T_KEY 25
-#endif
-#ifndef T_AAAA
-#define T_AAAA 28
-#endif
-#ifndef T_SRV
-#define T_SRV 33
-#endif
-#ifndef T_NAPTR
-#define T_NAPTR 35
-#endif
-#ifndef T_CERT
-#define T_CERT 37
-#endif
-
-#define dns_query rk_dns_query
-#define mx_record rk_mx_record
-#define srv_record rk_srv_record
-#define key_record rk_key_record
-#define sig_record rk_sig_record
-#define cert_record rk_cert_record
-#define resource_record rk_resource_record
-#define dns_reply rk_dns_reply
-
-#define dns_lookup rk_dns_lookup
-#define dns_free_data rk_dns_free_data
-#define dns_string_to_type rk_dns_string_to_type
-#define dns_type_to_string rk_dns_type_to_string
-#define dns_srv_order rk_dns_srv_order
-
-struct dns_query{
- char *domain;
- unsigned type;
- unsigned class;
-};
-
-struct mx_record{
- unsigned preference;
- char domain[1];
-};
-
-struct srv_record{
- unsigned priority;
- unsigned weight;
- unsigned port;
- char target[1];
-};
-
-struct key_record {
- unsigned flags;
- unsigned protocol;
- unsigned algorithm;
- size_t key_len;
- u_char key_data[1];
-};
-
-struct sig_record {
- unsigned type;
- unsigned algorithm;
- unsigned labels;
- unsigned orig_ttl;
- unsigned sig_expiration;
- unsigned sig_inception;
- unsigned key_tag;
- char *signer;
- unsigned sig_len;
- char sig_data[1]; /* also includes signer */
-};
-
-struct cert_record {
- unsigned type;
- unsigned tag;
- unsigned algorithm;
- size_t cert_len;
- u_char cert_data[1];
-};
-
-struct resource_record{
- char *domain;
- unsigned type;
- unsigned class;
- unsigned ttl;
- unsigned size;
- union {
- void *data;
- struct mx_record *mx;
- struct mx_record *afsdb; /* mx and afsdb are identical */
- struct
srv_record *srv; - struct in_addr *a; - char *txt; - struct key_record *key; - struct cert_record *cert; - struct sig_record *sig; - }u; - struct resource_record *next; -}; - -#ifndef T_A /* XXX if isn't included */ -typedef int HEADER; /* will never be used */ -#endif - -struct dns_reply{ - HEADER h; - struct dns_query q; - struct resource_record *head; -}; - - -struct dns_reply* dns_lookup(const char *, const char *); -void dns_free_data(struct dns_reply *); -int dns_string_to_type(const char *name); -const char *dns_type_to_string(int type); -void dns_srv_order(struct dns_reply*); - -#endif /* __RESOLVE_H__ */ diff --git a/crypto/heimdal-0.6.3/lib/roken/resource.h b/crypto/heimdal-0.6.3/lib/roken/resource.h deleted file mode 100644 index 01cd01d76c..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/resource.h +++ /dev/null @@ -1,15 +0,0 @@ -//{{NO_DEPENDENCIES}} -// Microsoft Developer Studio generated include file. -// Used by roken.rc -// - -// Next default values for new objects -// -#ifdef APSTUDIO_INVOKED -#ifndef APSTUDIO_READONLY_SYMBOLS -#define _APS_NEXT_RESOURCE_VALUE 101 -#define _APS_NEXT_COMMAND_VALUE 40001 -#define _APS_NEXT_CONTROL_VALUE 1000 -#define _APS_NEXT_SYMED_VALUE 101 -#endif -#endif diff --git a/crypto/heimdal-0.6.3/lib/roken/roken-common.h b/crypto/heimdal-0.6.3/lib/roken/roken-common.h deleted file mode 100644 index 6f6d6ccea1..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/roken-common.h +++ /dev/null 
@@ -1,338 +0,0 @@ -/* - * Copyright (c) 1995 - 2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -/* $Id: roken-common.h,v 1.51.6.1 2004/01/15 18:15:05 lha Exp $ */ - -#ifndef __ROKEN_COMMON_H__ -#define __ROKEN_COMMON_H__ - -#ifdef __cplusplus -#define ROKEN_CPP_START extern "C" { -#define ROKEN_CPP_END } -#else -#define ROKEN_CPP_START -#define ROKEN_CPP_END -#endif - -#ifndef INADDR_NONE -#define INADDR_NONE 0xffffffff -#endif - -#ifndef INADDR_LOOPBACK -#define INADDR_LOOPBACK 0x7f000001 -#endif - -#ifndef SOMAXCONN -#define SOMAXCONN 5 -#endif - -#ifndef STDIN_FILENO -#define STDIN_FILENO 0 -#endif - -#ifndef STDOUT_FILENO -#define STDOUT_FILENO 1 -#endif - -#ifndef STDERR_FILENO -#define STDERR_FILENO 2 -#endif - -#ifndef max -#define max(a,b) (((a)>(b))?(a):(b)) -#endif - -#ifndef min -#define min(a,b) (((a)<(b))?(a):(b)) -#endif - -#ifndef TRUE -#define TRUE 1 -#endif - -#ifndef FALSE -#define FALSE 0 -#endif - -#ifndef LOG_DAEMON -#define openlog(id,option,facility) openlog((id),(option)) -#define LOG_DAEMON 0 -#endif -#ifndef LOG_ODELAY -#define LOG_ODELAY 0 -#endif -#ifndef LOG_NDELAY -#define LOG_NDELAY 0x08 -#endif -#ifndef LOG_CONS -#define LOG_CONS 0 -#endif -#ifndef LOG_AUTH -#define LOG_AUTH 0 -#endif -#ifndef LOG_AUTHPRIV -#define LOG_AUTHPRIV LOG_AUTH -#endif - -#ifndef F_OK -#define F_OK 0 -#endif - -#ifndef O_ACCMODE -#define O_ACCMODE 003 -#endif - -#ifndef _PATH_DEV -#define _PATH_DEV "/dev/" -#endif - -#ifndef _PATH_DEVNULL -#define _PATH_DEVNULL "/dev/null" -#endif - -#ifndef _PATH_HEQUIV -#define _PATH_HEQUIV "/etc/hosts.equiv" -#endif - -#ifndef _PATH_VARRUN -#define _PATH_VARRUN "/var/run/" -#endif - -#ifndef _PATH_BSHELL -#define _PATH_BSHELL "/bin/sh" -#endif - -#ifndef MAXPATHLEN -#define MAXPATHLEN (1024+4) -#endif - -#ifndef SIG_ERR -#define SIG_ERR ((RETSIGTYPE (*)(int))-1) -#endif - -/* - * error code for getipnodeby{name,addr} - */ - -#ifndef HOST_NOT_FOUND -#define HOST_NOT_FOUND 1 -#endif - -#ifndef TRY_AGAIN -#define TRY_AGAIN 2 -#endif - -#ifndef NO_RECOVERY -#define NO_RECOVERY 3 -#endif - -#ifndef NO_DATA 
-#define NO_DATA 4 -#endif - -#ifndef NO_ADDRESS -#define NO_ADDRESS NO_DATA -#endif - -/* - * error code for getaddrinfo - */ - -#ifndef EAI_NOERROR -#define EAI_NOERROR 0 /* no error */ -#endif - -#ifndef EAI_NONAME - -#define EAI_ADDRFAMILY 1 /* address family for nodename not supported */ -#define EAI_AGAIN 2 /* temporary failure in name resolution */ -#define EAI_BADFLAGS 3 /* invalid value for ai_flags */ -#define EAI_FAIL 4 /* non-recoverable failure in name resolution */ -#define EAI_FAMILY 5 /* ai_family not supported */ -#define EAI_MEMORY 6 /* memory allocation failure */ -#define EAI_NODATA 7 /* no address associated with nodename */ -#define EAI_NONAME 8 /* nodename nor servname provided, or not known */ -#define EAI_SERVICE 9 /* servname not supported for ai_socktype */ -#define EAI_SOCKTYPE 10 /* ai_socktype not supported */ -#define EAI_SYSTEM 11 /* system error returned in errno */ - -#endif /* EAI_NONAME */ - -/* flags for getaddrinfo() */ - -#ifndef AI_PASSIVE -#define AI_PASSIVE 0x01 -#define AI_CANONNAME 0x02 -#endif /* AI_PASSIVE */ - -#ifndef AI_NUMERICHOST -#define AI_NUMERICHOST 0x04 -#endif - -/* flags for getnameinfo() */ - -#ifndef NI_DGRAM -#define NI_DGRAM 0x01 -#define NI_NAMEREQD 0x02 -#define NI_NOFQDN 0x04 -#define NI_NUMERICHOST 0x08 -#define NI_NUMERICSERV 0x10 -#endif - -/* - * constants for getnameinfo - */ - -#ifndef NI_MAXHOST -#define NI_MAXHOST 1025 -#define NI_MAXSERV 32 -#endif - -/* - * constants for inet_ntop - */ - -#ifndef INET_ADDRSTRLEN -#define INET_ADDRSTRLEN 16 -#endif - -#ifndef INET6_ADDRSTRLEN -#define INET6_ADDRSTRLEN 46 -#endif - -/* - * for shutdown(2) - */ - -#ifndef SHUT_RD -#define SHUT_RD 0 -#endif - -#ifndef SHUT_WR -#define SHUT_WR 1 -#endif - -#ifndef SHUT_RDWR -#define SHUT_RDWR 2 -#endif - -#ifndef HAVE___ATTRIBUTE__ -#define __attribute__(x) -#endif - -ROKEN_CPP_START - -#ifndef IRIX4 /* fix for compiler bug */ -#ifdef RETSIGTYPE -typedef RETSIGTYPE (*SigAction)(int); -SigAction signal(int iSig, 
SigAction pAction); /* BSD compatible */ -#endif -#endif - -int ROKEN_LIB_FUNCTION simple_execve(const char*, char*const[], char*const[]); -int ROKEN_LIB_FUNCTION simple_execvp(const char*, char *const[]); -int ROKEN_LIB_FUNCTION simple_execlp(const char*, ...); -int ROKEN_LIB_FUNCTION simple_execle(const char*, ...); -int ROKEN_LIB_FUNCTION simple_execl(const char *file, ...); - -int ROKEN_LIB_FUNCTION wait_for_process(pid_t); -int ROKEN_LIB_FUNCTION pipe_execv(FILE**, FILE**, FILE**, const char*, ...); - -void ROKEN_LIB_FUNCTION print_version(const char *); - -ssize_t ROKEN_LIB_FUNCTION eread (int fd, void *buf, size_t nbytes); -ssize_t ROKEN_LIB_FUNCTION ewrite (int fd, const void *buf, size_t nbytes); - -struct hostent; - -const char * -hostent_find_fqdn (const struct hostent *he); - -void -esetenv(const char *var, const char *val, int rewrite); - -void -socket_set_address_and_port (struct sockaddr *sa, const void *ptr, int port); - -size_t -socket_addr_size (const struct sockaddr *sa); - -void -socket_set_any (struct sockaddr *sa, int af); - -size_t -socket_sockaddr_size (const struct sockaddr *sa); - -void * -socket_get_address (struct sockaddr *sa); - -int -socket_get_port (const struct sockaddr *sa); - -void -socket_set_port (struct sockaddr *sa, int port); - -void -socket_set_portrange (int sock, int restr, int af); - -void -socket_set_debug (int sock); - -void -socket_set_tos (int sock, int tos); - -void -socket_set_reuseaddr (int sock, int val); - -char ** -vstrcollect(va_list *ap); - -char ** -strcollect(char *first, ...); - -void timevalfix(struct timeval *t1); -void timevaladd(struct timeval *t1, const struct timeval *t2); -void timevalsub(struct timeval *t1, const struct timeval *t2); - -char *pid_file_write (const char *progname); -void pid_file_delete (char **); - -int -read_environment(const char *file, char ***env); - -void warnerr(int doerrno, const char *fmt, va_list ap) - __attribute__ ((format (printf, 2, 0))); - -ROKEN_CPP_END - -#endif /* 
__ROKEN_COMMON_H__ */
diff --git a/crypto/heimdal-0.6.3/lib/roken/roken.awk b/crypto/heimdal-0.6.3/lib/roken/roken.awk
deleted file mode 100644
index 1c1e0c071e..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/roken.awk
+++ /dev/null
@@ -1,40 +0,0 @@
-# $Id: roken.awk,v 1.9 2003/03/04 10:37:26 lha Exp $
-
-BEGIN {
- print "#ifdef HAVE_CONFIG_H"
- print "#include "
- print "#endif"
- print "#include "
- print ""
- print "int main(int argc, char **argv)"
- print "{"
- print "puts(\"/* This is an OS dependent, generated file */\");"
- print "puts(\"\\n\");"
- print "puts(\"#ifndef __ROKEN_H__\");"
- print "puts(\"#define __ROKEN_H__\");"
- print "puts(\"\");"
-}
-
-$1 == "\#ifdef" || $1 == "\#ifndef" || $1 == "\#if" || $1 == "\#else" || $1 == "\#elif" || $1 == "\#endif" || $1 == "#ifdef" || $1 == "#ifndef" || $1 == "#if" || $1 == "#else" || $1 == "#elif" || $1 == "#endif" {
- print $0;
- next
-}
-
-{
- s = ""
- for(i = 1; i <= length; i++){
- x = substr($0, i, 1)
- if(x == "\"" || x == "\\")
- s = s "\\";
- s = s x;
- }
- print "puts(\"" s "\");"
-}
-
-END {
- print "puts(\"#define ROKEN_VERSION \" VERSION );"
- print "puts(\"\");"
- print "puts(\"#endif /* __ROKEN_H__ */\");"
- print "return 0;"
- print "}"
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/roken.h.in b/crypto/heimdal-0.6.3/lib/roken/roken.h.in
deleted file mode 100644
index 16fc6d844f..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/roken.h.in
+++ /dev/null
@@ -1,682 +0,0 @@ -/* -*- C -*- */ -/* - * Copyright (c) 1995 - 2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -/* $Id: roken.h.in,v 1.169 2002/08/26 21:43:38 assar Exp $ */ - -#include -#include -#include -#include -#include - -#ifdef _AIX -struct ether_addr; -struct sockaddr_dl; -#endif -#ifdef HAVE_SYS_PARAM_H -#include -#endif -#ifdef HAVE_INTTYPES_H -#include -#endif -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_SYS_BITYPES_H -#include -#endif -#ifdef HAVE_BIND_BITYPES_H -#include -#endif -#ifdef HAVE_NETINET_IN6_MACHTYPES_H -#include -#endif -#ifdef HAVE_UNISTD_H -#include -#endif -#ifdef HAVE_SYS_SOCKET_H -#include -#endif -#ifdef HAVE_SYS_UIO_H -#include -#endif -#ifdef HAVE_GRP_H -#include -#endif -#ifdef HAVE_SYS_STAT_H -#include -#endif -#ifdef HAVE_NETINET_IN_H -#include -#endif -#ifdef HAVE_NETINET_IN6_H -#include -#endif -#ifdef HAVE_NETINET6_IN6_H -#include -#endif -#ifdef HAVE_ARPA_INET_H -#include -#endif -#ifdef HAVE_NETDB_H -#include -#endif -#ifdef HAVE_ARPA_NAMESER_H -#include -#endif -#ifdef HAVE_RESOLV_H -#include -#endif -#ifdef HAVE_SYSLOG_H -#include -#endif -#ifdef HAVE_FCNTL_H -#include -#endif -#ifdef HAVE_ERRNO_H -#include -#endif -#ifdef HAVE_ERR_H -#include -#endif -#ifdef HAVE_TERMIOS_H -#include -#endif -#if defined(HAVE_SYS_IOCTL_H) && SunOS != 40 -#include -#endif -#ifdef TIME_WITH_SYS_TIME -#include -#include -#elif defined(HAVE_SYS_TIME_H) -#include -#else -#include -#endif - -#ifdef HAVE_PATHS_H -#include -#endif - - -#ifndef ROKEN_LIB_FUNCTION -#if defined(__BORLANDC__) -#define ROKEN_LIB_FUNCTION /* not-ready-definition-yet */ -#elif defined(_MSC_VER) -#define ROKEN_LIB_FUNCTION /* not-ready-definition-yet2 */ -#else -#define ROKEN_LIB_FUNCTION -#endif -#endif - -#ifndef HAVE_SSIZE_T -typedef int ssize_t; -#endif - -#include - -ROKEN_CPP_START - -#if !defined(HAVE_SETSID) && defined(HAVE__SETSID) -#define setsid _setsid -#endif - -#ifndef HAVE_PUTENV -int putenv(const char *string); -#endif - -#if !defined(HAVE_SETENV) || defined(NEED_SETENV_PROTO) -int setenv(const char *var, const char *val, int rewrite); -#endif - 
-#if !defined(HAVE_UNSETENV) || defined(NEED_UNSETENV_PROTO) -void unsetenv(const char *name); -#endif - -#if !defined(HAVE_GETUSERSHELL) || defined(NEED_GETUSERSHELL_PROTO) -char *getusershell(void); -void endusershell(void); -#endif - -#if !defined(HAVE_SNPRINTF) || defined(NEED_SNPRINTF_PROTO) -int snprintf (char *str, size_t sz, const char *format, ...) - __attribute__ ((format (printf, 3, 4))); -#endif - -#if !defined(HAVE_VSNPRINTF) || defined(NEED_VSNPRINTF_PROTO) -int vsnprintf (char *str, size_t sz, const char *format, va_list ap) - __attribute__((format (printf, 3, 0))); -#endif - -#if !defined(HAVE_ASPRINTF) || defined(NEED_ASPRINTF_PROTO) -int asprintf (char **ret, const char *format, ...) - __attribute__ ((format (printf, 2, 3))); -#endif - -#if !defined(HAVE_VASPRINTF) || defined(NEED_VASPRINTF_PROTO) -int vasprintf (char **ret, const char *format, va_list ap) - __attribute__((format (printf, 2, 0))); -#endif - -#if !defined(HAVE_ASNPRINTF) || defined(NEED_ASNPRINTF_PROTO) -int asnprintf (char **ret, size_t max_sz, const char *format, ...) 
- __attribute__ ((format (printf, 3, 4))); -#endif - -#if !defined(HAVE_VASNPRINTF) || defined(NEED_VASNPRINTF_PROTO) -int vasnprintf (char **ret, size_t max_sz, const char *format, va_list ap) - __attribute__((format (printf, 3, 0))); -#endif - -#ifndef HAVE_STRDUP -char * strdup(const char *old); -#endif - -#if !defined(HAVE_STRNDUP) || defined(NEED_STRNDUP_PROTO) -char * strndup(const char *old, size_t sz); -#endif - -#ifndef HAVE_STRLWR -char * strlwr(char *); -#endif - -#ifndef HAVE_STRNLEN -size_t strnlen(const char*, size_t); -#endif - -#if !defined(HAVE_STRSEP) || defined(NEED_STRSEP_PROTO) -char *strsep(char**, const char*); -#endif - -#if !defined(HAVE_STRSEP_COPY) || defined(NEED_STRSEP_COPY_PROTO) -ssize_t strsep_copy(const char**, const char*, char*, size_t); -#endif - -#ifndef HAVE_STRCASECMP -int strcasecmp(const char *s1, const char *s2); -#endif - -#ifdef NEED_FCLOSE_PROTO -int fclose(FILE *); -#endif - -#ifdef NEED_STRTOK_R_PROTO -char *strtok_r(char *s1, const char *s2, char **lasts); -#endif - -#ifndef HAVE_STRUPR -char * strupr(char *); -#endif - -#ifndef HAVE_STRLCPY -size_t strlcpy (char *dst, const char *src, size_t dst_sz); -#endif - -#ifndef HAVE_STRLCAT -size_t strlcat (char *dst, const char *src, size_t dst_sz); -#endif - -#ifndef HAVE_GETDTABLESIZE -int getdtablesize(void); -#endif - -#if !defined(HAVE_STRERROR) && !defined(strerror) -char *strerror(int eno); -#endif - -#if !defined(HAVE_HSTRERROR) || defined(NEED_HSTRERROR_PROTO) -/* This causes a fatal error under Psoriasis */ -#if !(defined(SunOS) && (SunOS >= 50)) -const char *hstrerror(int herr); -#endif -#endif - -#ifndef HAVE_H_ERRNO_DECLARATION -extern int h_errno; -#endif - -#if !defined(HAVE_INET_ATON) || defined(NEED_INET_ATON_PROTO) -int inet_aton(const char *cp, struct in_addr *adr); -#endif - -#ifndef HAVE_INET_NTOP -const char * -inet_ntop(int af, const void *src, char *dst, size_t size); -#endif - -#ifndef HAVE_INET_PTON -int -inet_pton(int af, const char *src, void 
*dst); -#endif - -#if !defined(HAVE_GETCWD) -char* getcwd(char *path, size_t size); -#endif - -#ifdef HAVE_PWD_H -#include -struct passwd *k_getpwnam (const char *user); -struct passwd *k_getpwuid (uid_t uid); -#endif - -const char *get_default_username (void); - -#ifndef HAVE_SETEUID -int seteuid(uid_t euid); -#endif - -#ifndef HAVE_SETEGID -int setegid(gid_t egid); -#endif - -#ifndef HAVE_LSTAT -int lstat(const char *path, struct stat *buf); -#endif - -#if !defined(HAVE_MKSTEMP) || defined(NEED_MKSTEMP_PROTO) -int mkstemp(char *); -#endif - -#ifndef HAVE_CGETENT -int cgetent(char **buf, char **db_array, const char *name); -int cgetstr(char *buf, const char *cap, char **str); -#endif - -#ifndef HAVE_INITGROUPS -int initgroups(const char *name, gid_t basegid); -#endif - -#ifndef HAVE_FCHOWN -int fchown(int fd, uid_t owner, gid_t group); -#endif - -#ifndef HAVE_DAEMON -int daemon(int nochdir, int noclose); -#endif - -#ifndef HAVE_INNETGR -int innetgr(const char *netgroup, const char *machine, - const char *user, const char *domain); -#endif - -#ifndef HAVE_CHOWN -int chown(const char *path, uid_t owner, gid_t group); -#endif - -#ifndef HAVE_RCMD -int rcmd(char **ahost, unsigned short inport, const char *locuser, - const char *remuser, const char *cmd, int *fd2p); -#endif - -#if !defined(HAVE_INNETGR) || defined(NEED_INNETGR_PROTO) -int innetgr(const char*, const char*, const char*, const char*); -#endif - -#ifndef HAVE_IRUSEROK -int iruserok(unsigned raddr, int superuser, const char *ruser, - const char *luser); -#endif - -#if !defined(HAVE_GETHOSTNAME) || defined(NEED_GETHOSTNAME_PROTO) -int gethostname(char *name, int namelen); -#endif - -#ifndef HAVE_WRITEV -ssize_t -writev(int d, const struct iovec *iov, int iovcnt); -#endif - -#ifndef HAVE_READV -ssize_t -readv(int d, const struct iovec *iov, int iovcnt); -#endif - -#ifndef HAVE_MKSTEMP -int -mkstemp(char *template); -#endif - -#ifndef HAVE_PIDFILE -void pidfile (const char*); -#endif - -#ifndef HAVE_BSWAP32 
-unsigned int bswap32(unsigned int); -#endif - -#ifndef HAVE_BSWAP16 -unsigned short bswap16(unsigned short); -#endif - -#ifndef HAVE_FLOCK -#ifndef LOCK_SH -#define LOCK_SH 1 /* Shared lock */ -#endif -#ifndef LOCK_EX -#define LOCK_EX 2 /* Exclusive lock */ -#endif -#ifndef LOCK_NB -#define LOCK_NB 4 /* Don't block when locking */ -#endif -#ifndef LOCK_UN -#define LOCK_UN 8 /* Unlock */ -#endif - -int flock(int fd, int operation); -#endif /* HAVE_FLOCK */ - -time_t tm2time (struct tm tm, int local); - -int unix_verify_user(char *user, char *password); - -int roken_concat (char *s, size_t len, ...); - -size_t roken_mconcat (char **s, size_t max_len, ...); - -int roken_vconcat (char *s, size_t len, va_list args); - -size_t roken_vmconcat (char **s, size_t max_len, va_list args); - -ssize_t net_write (int fd, const void *buf, size_t nbytes); - -ssize_t net_read (int fd, void *buf, size_t nbytes); - -int issuid(void); - -#ifndef HAVE_STRUCT_WINSIZE -struct winsize { - unsigned short ws_row, ws_col; - unsigned short ws_xpixel, ws_ypixel; -}; -#endif - -int get_window_size(int fd, struct winsize *); - -#ifndef HAVE_VSYSLOG -void vsyslog(int pri, const char *fmt, va_list ap); -#endif - -#ifndef HAVE_OPTARG_DECLARATION -extern char *optarg; -#endif -#ifndef HAVE_OPTIND_DECLARATION -extern int optind; -#endif -#ifndef HAVE_OPTERR_DECLARATION -extern int opterr; -#endif - -#ifndef HAVE___PROGNAME_DECLARATION -extern const char *__progname; -#endif - -#ifndef HAVE_ENVIRON_DECLARATION -extern char **environ; -#endif - -#ifndef HAVE_GETIPNODEBYNAME -struct hostent * -getipnodebyname (const char *name, int af, int flags, int *error_num); -#endif - -#ifndef HAVE_GETIPNODEBYADDR -struct hostent * -getipnodebyaddr (const void *src, size_t len, int af, int *error_num); -#endif - -#ifndef HAVE_FREEHOSTENT -void -freehostent (struct hostent *h); -#endif - -#ifndef HAVE_COPYHOSTENT -struct hostent * -copyhostent (const struct hostent *h); -#endif - -#ifndef HAVE_SOCKLEN_T -typedef int 
socklen_t; -#endif - -#ifndef HAVE_STRUCT_SOCKADDR_STORAGE - -#ifndef HAVE_SA_FAMILY_T -typedef unsigned short sa_family_t; -#endif - -#ifdef HAVE_IPV6 -#define _SS_MAXSIZE sizeof(struct sockaddr_in6) -#else -#define _SS_MAXSIZE sizeof(struct sockaddr_in) -#endif - -#define _SS_ALIGNSIZE sizeof(unsigned long) - -#if HAVE_STRUCT_SOCKADDR_SA_LEN - -typedef unsigned char roken_sa_family_t; - -#define _SS_PAD1SIZE ((2 * _SS_ALIGNSIZE - sizeof (roken_sa_family_t) - sizeof(unsigned char)) % _SS_ALIGNSIZE) -#define _SS_PAD2SIZE (_SS_MAXSIZE - (sizeof (roken_sa_family_t) + sizeof(unsigned char) + _SS_PAD1SIZE + _SS_ALIGNSIZE)) - -struct sockaddr_storage { - unsigned char ss_len; - roken_sa_family_t ss_family; - char __ss_pad1[_SS_PAD1SIZE]; - unsigned long __ss_align[_SS_PAD2SIZE / sizeof(unsigned long) + 1]; -}; - -#else /* !HAVE_STRUCT_SOCKADDR_SA_LEN */ - -typedef unsigned short roken_sa_family_t; - -#define _SS_PAD1SIZE ((2 * _SS_ALIGNSIZE - sizeof (roken_sa_family_t)) % _SS_ALIGNSIZE) -#define _SS_PAD2SIZE (_SS_MAXSIZE - (sizeof (roken_sa_family_t) + _SS_PAD1SIZE + _SS_ALIGNSIZE)) - -struct sockaddr_storage { - roken_sa_family_t ss_family; - char __ss_pad1[_SS_PAD1SIZE]; - unsigned long __ss_align[_SS_PAD2SIZE / sizeof(unsigned long) + 1]; -}; - -#endif /* HAVE_STRUCT_SOCKADDR_SA_LEN */ - -#endif /* HAVE_STRUCT_SOCKADDR_STORAGE */ - -#ifndef HAVE_STRUCT_ADDRINFO -struct addrinfo { - int ai_flags; - int ai_family; - int ai_socktype; - int ai_protocol; - size_t ai_addrlen; - char *ai_canonname; - struct sockaddr *ai_addr; - struct addrinfo *ai_next; -}; -#endif - -#ifndef HAVE_GETADDRINFO -int -getaddrinfo(const char *nodename, - const char *servname, - const struct addrinfo *hints, - struct addrinfo **res); -#endif - -#ifndef HAVE_GETNAMEINFO -int getnameinfo(const struct sockaddr *sa, socklen_t salen, - char *host, size_t hostlen, - char *serv, size_t servlen, - int flags); -#endif - -#ifndef HAVE_FREEADDRINFO -void -freeaddrinfo(struct addrinfo *ai); -#endif - 
-#ifndef HAVE_GAI_STRERROR -char * -gai_strerror(int ecode); -#endif - -int -getnameinfo_verified(const struct sockaddr *sa, socklen_t salen, - char *host, size_t hostlen, - char *serv, size_t servlen, - int flags); - -int roken_getaddrinfo_hostspec(const char *, int, struct addrinfo **); -int roken_getaddrinfo_hostspec2(const char *, int, int, struct addrinfo **); - -#ifndef HAVE_STRFTIME -size_t -strftime (char *buf, size_t maxsize, const char *format, - const struct tm *tm); -#endif - -#ifndef HAVE_STRPTIME -char * -strptime (const char *buf, const char *format, struct tm *timeptr); -#endif - -#ifndef HAVE_EMALLOC -void *emalloc (size_t); -#endif -#ifndef HAVE_ECALLOC -void *ecalloc(size_t num, size_t sz); -#endif -#ifndef HAVE_EREALLOC -void *erealloc (void *, size_t); -#endif -#ifndef HAVE_ESTRDUP -char *estrdup (const char *); -#endif - -/* - * kludges and such - */ - -#if 1 -int roken_gethostby_setup(const char*, const char*); -struct hostent* roken_gethostbyname(const char*); -struct hostent* roken_gethostbyaddr(const void*, size_t, int); -#else -#ifdef GETHOSTBYNAME_PROTO_COMPATIBLE -#define roken_gethostbyname(x) gethostbyname(x) -#else -#define roken_gethostbyname(x) gethostbyname((char *)x) -#endif - -#ifdef GETHOSTBYADDR_PROTO_COMPATIBLE -#define roken_gethostbyaddr(a, l, t) gethostbyaddr(a, l, t) -#else -#define roken_gethostbyaddr(a, l, t) gethostbyaddr((char *)a, l, t) -#endif -#endif - -#ifdef GETSERVBYNAME_PROTO_COMPATIBLE -#define roken_getservbyname(x,y) getservbyname(x,y) -#else -#define roken_getservbyname(x,y) getservbyname((char *)x, (char *)y) -#endif - -#ifdef OPENLOG_PROTO_COMPATIBLE -#define roken_openlog(a,b,c) openlog(a,b,c) -#else -#define roken_openlog(a,b,c) openlog((char *)a,b,c) -#endif - -#ifdef GETSOCKNAME_PROTO_COMPATIBLE -#define roken_getsockname(a,b,c) getsockname(a,b,c) -#else -#define roken_getsockname(a,b,c) getsockname(a, b, (void*)c) -#endif - -#ifndef HAVE_SETPROGNAME -void setprogname(const char *argv0); -#endif - 
-#ifndef HAVE_GETPROGNAME -const char *getprogname(void); -#endif - -void mini_inetd_addrinfo (struct addrinfo*); -void mini_inetd (int port); - -void set_progname(char *argv0); -const char *get_progname(void); - -#ifndef HAVE_LOCALTIME_R -struct tm * -localtime_r(const time_t *timer, struct tm *result); -#endif - -#if !defined(HAVE_STRSVIS) || defined(NEED_STRSVIS_PROTO) -int -strsvis(char *dst, const char *src, int flag, const char *extra); -#endif - -#if !defined(HAVE_STRUNVIS) || defined(NEED_STRUNVIS_PROTO) -int -strunvis(char *dst, const char *src); -#endif - -#if !defined(HAVE_STRVIS) || defined(NEED_STRVIS_PROTO) -int -strvis(char *dst, const char *src, int flag); -#endif - -#if !defined(HAVE_STRVISX) || defined(NEED_STRVISX_PROTO) -int -strvisx(char *dst, const char *src, size_t len, int flag); -#endif - -#if !defined(HAVE_SVIS) || defined(NEED_SVIS_PROTO) -char * -svis(char *dst, int c, int flag, int nextc, const char *extra); -#endif - -#if !defined(HAVE_UNVIS) || defined(NEED_UNVIS_PROTO) -int -unvis(char *cp, int c, int *astate, int flag); -#endif - -#if !defined(HAVE_VIS) || defined(NEED_VIS_PROTO) -char * -vis(char *dst, int c, int flag, int nextc); -#endif - -ROKEN_CPP_END diff --git a/crypto/heimdal-0.6.3/lib/roken/roken_gethostby.c b/crypto/heimdal-0.6.3/lib/roken/roken_gethostby.c deleted file mode 100644 index 6df6c57dd7..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/roken_gethostby.c +++ /dev/null 
@@ -1,274 +0,0 @@ -/* - * Copyright (c) 1998 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#ifdef HAVE_CONFIG_H -#include -RCSID("$Id: roken_gethostby.c,v 1.5 1999/12/05 13:16:44 assar Exp $"); -#endif - -#include - -#undef roken_gethostbyname -#undef roken_gethostbyaddr - -static struct sockaddr_in dns_addr; -static char *dns_req; - -static int -make_address(const char *address, struct in_addr *ip) -{ - if(inet_aton(address, ip) == 0){ - /* try to resolve as hostname, it might work if the address we - are trying to lookup is local, for instance a web proxy */ - struct hostent *he = gethostbyname(address); - if(he) { - unsigned char *p = (unsigned char*)he->h_addr; - ip->s_addr = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]; - } else { - return -1; - } - } - return 0; -} - -static int -setup_int(const char *proxy_host, short proxy_port, - const char *dns_host, short dns_port, - const char *dns_path) -{ - memset(&dns_addr, 0, sizeof(dns_addr)); - if(dns_req) - free(dns_req); - if(proxy_host) { - if(make_address(proxy_host, &dns_addr.sin_addr) != 0) - return -1; - dns_addr.sin_port = htons(proxy_port); - asprintf(&dns_req, "http://%s:%d%s", dns_host, dns_port, dns_path); - } else { - if(make_address(dns_host, &dns_addr.sin_addr) != 0) - return -1; - dns_addr.sin_port = htons(dns_port); - asprintf(&dns_req, "%s", dns_path); - } - dns_addr.sin_family = AF_INET; - return 0; -} - -static void -split_spec(const char *spec, char **host, int *port, char **path, int def_port) -{ - char *p; - *host = strdup(spec); - p = strchr(*host, ':'); - if(p) { - *p++ = '\0'; - if(sscanf(p, "%d", port) != 1) - *port = def_port; - } else - *port = def_port; - p = strchr(p ? 
p : *host, '/'); - if(p) { - if(path) - *path = strdup(p); - *p = '\0'; - }else - if(path) - *path = NULL; -} - - -int -roken_gethostby_setup(const char *proxy_spec, const char *dns_spec) -{ - char *proxy_host = NULL; - int proxy_port; - char *dns_host, *dns_path; - int dns_port; - - int ret = -1; - - split_spec(dns_spec, &dns_host, &dns_port, &dns_path, 80); - if(dns_path == NULL) - goto out; - if(proxy_spec) - split_spec(proxy_spec, &proxy_host, &proxy_port, NULL, 80); - ret = setup_int(proxy_host, proxy_port, dns_host, dns_port, dns_path); -out: - free(proxy_host); - free(dns_host); - free(dns_path); - return ret; -} - - -/* Try to lookup a name or an ip-address using http as transport - mechanism. See the end of this file for an example program. */ -static struct hostent* -roken_gethostby(const char *hostname) -{ - int s; - struct sockaddr_in sin; - char *request; - char buf[1024]; - int offset = 0; - int n; - char *p, *foo; - - if(dns_addr.sin_family == 0) - return NULL; /* no configured host */ - sin = dns_addr; - asprintf(&request, "GET %s?%s HTTP/1.0\r\n\r\n", dns_req, hostname); - if(request == NULL) - return NULL; - s = socket(AF_INET, SOCK_STREAM, 0); - if(s < 0) { - free(request); - return NULL; - } - if(connect(s, (struct sockaddr*)&sin, sizeof(sin)) < 0) { - close(s); - free(request); - return NULL; - } - if(write(s, request, strlen(request)) != strlen(request)) { - close(s); - free(request); - return NULL; - } - free(request); - while(1) { - n = read(s, buf + offset, sizeof(buf) - offset); - if(n <= 0) - break; - offset += n; - } - buf[offset] = '\0'; - close(s); - p = strstr(buf, "\r\n\r\n"); /* find end of header */ - if(p) p += 4; - else return NULL; - foo = NULL; - p = strtok_r(p, " \t\r\n", &foo); - if(p == NULL) - return NULL; - { - /* make a hostent to return */ -#define MAX_ADDRS 16 - static struct hostent he; - static char addrs[4 * MAX_ADDRS]; - static char *addr_list[MAX_ADDRS]; - int num_addrs = 0; - - he.h_name = p; - he.h_aliases = 
NULL; - he.h_addrtype = AF_INET; - he.h_length = 4; - - while((p = strtok_r(NULL, " \t\r\n", &foo)) && num_addrs < MAX_ADDRS) { - struct in_addr ip; - inet_aton(p, &ip); - ip.s_addr = ntohl(ip.s_addr); - addr_list[num_addrs] = &addrs[num_addrs * 4]; - addrs[num_addrs * 4 + 0] = (ip.s_addr >> 24) & 0xff; - addrs[num_addrs * 4 + 1] = (ip.s_addr >> 16) & 0xff; - addrs[num_addrs * 4 + 2] = (ip.s_addr >> 8) & 0xff; - addrs[num_addrs * 4 + 3] = (ip.s_addr >> 0) & 0xff; - addr_list[++num_addrs] = NULL; - } - he.h_addr_list = addr_list; - return &he; - } -} - -struct hostent* -roken_gethostbyname(const char *hostname) -{ - struct hostent *he; - he = gethostbyname(hostname); - if(he) - return he; - return roken_gethostby(hostname); -} - -struct hostent* -roken_gethostbyaddr(const void *addr, size_t len, int type) -{ - struct in_addr a; - const char *p; - struct hostent *he; - he = gethostbyaddr(addr, len, type); - if(he) - return he; - if(type != AF_INET || len != 4) - return NULL; - p = addr; - a.s_addr = htonl((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]); - return roken_gethostby(inet_ntoa(a)); -} - -#if 0 - -/* this program can be used as a cgi `script' to lookup names and - ip-addresses */ - -#include -#include -#include -#include - -int -main(int argc, char **argv) -{ - char *query = getenv("QUERY_STRING"); - char host[MAXHOSTNAMELEN]; - int i; - struct hostent *he; - - printf("Content-type: text/plain\n\n"); - if(query == NULL) - exit(0); - he = gethostbyname(query); - strncpy(host, he->h_name, sizeof(host)); - host[sizeof(host) - 1] = '\0'; - he = gethostbyaddr(he->h_addr, he->h_length, AF_INET); - printf("%s\n", he->h_name); - for(i = 0; he->h_addr_list[i]; i++) { - struct in_addr ip; - unsigned char *p = (unsigned char*)he->h_addr_list[i]; - ip.s_addr = htonl((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]); - printf("%s\n", inet_ntoa(ip)); - } - exit(0); -} - -#endif 
diff --git a/crypto/heimdal-0.6.3/lib/roken/rtbl.c b/crypto/heimdal-0.6.3/lib/roken/rtbl.c
deleted file mode 100644
index 5a3bc00e13..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/rtbl.c
+++ /dev/null
@@ -1,280 +0,0 @@ -/* - * Copyright (c) 2000, 2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#ifdef HAVE_CONFIG_H -#include -RCSID ("$Id: rtbl.c,v 1.4 2002/09/04 21:25:09 joda Exp $"); -#endif -#include "roken.h" -#include "rtbl.h" - -struct column_entry { - char *data; -}; - -struct column_data { - char *header; - char *prefix; - int width; - unsigned flags; - size_t num_rows; - struct column_entry *rows; -}; - -struct rtbl_data { - char *column_prefix; - size_t num_columns; - struct column_data **columns; -}; - -rtbl_t -rtbl_create (void) -{ - return calloc (1, sizeof (struct rtbl_data)); -} - -static struct column_data * -rtbl_get_column (rtbl_t table, const char *column) -{ - int i; - for(i = 0; i < table->num_columns; i++) - if(strcmp(table->columns[i]->header, column) == 0) - return table->columns[i]; - return NULL; -} - -void -rtbl_destroy (rtbl_t table) -{ - int i, j; - - for (i = 0; i < table->num_columns; i++) { - struct column_data *c = table->columns[i]; - - for (j = 0; j < c->num_rows; j++) - free (c->rows[j].data); - free (c->rows); - free (c->header); - free (c->prefix); - free (c); - } - free (table->column_prefix); - free (table->columns); - free (table); -} - -int -rtbl_add_column (rtbl_t table, const char *header, unsigned int flags) -{ - struct column_data *col, **tmp; - - tmp = realloc (table->columns, (table->num_columns + 1) * sizeof (*tmp)); - if (tmp == NULL) - return ENOMEM; - table->columns = tmp; - col = malloc (sizeof (*col)); - if (col == NULL) - return ENOMEM; - col->header = strdup (header); - if (col->header == NULL) { - free (col); - return ENOMEM; - } - col->prefix = NULL; - col->width = 0; - col->flags = flags; - col->num_rows = 0; - col->rows = NULL; - table->columns[table->num_columns++] = col; - return 0; -} - -static void -column_compute_width (struct column_data *column) -{ - int i; - - column->width = strlen (column->header); - for (i = 0; i < column->num_rows; i++) - column->width = max (column->width, strlen (column->rows[i].data)); -} - -int -rtbl_set_prefix (rtbl_t table, const char *prefix) -{ - if 
(table->column_prefix) - free (table->column_prefix); - table->column_prefix = strdup (prefix); - if (table->column_prefix == NULL) - return ENOMEM; - return 0; -} - -int -rtbl_set_column_prefix (rtbl_t table, const char *column, - const char *prefix) -{ - struct column_data *c = rtbl_get_column (table, column); - - if (c == NULL) - return -1; - if (c->prefix) - free (c->prefix); - c->prefix = strdup (prefix); - if (c->prefix == NULL) - return ENOMEM; - return 0; -} - - -static const char * -get_column_prefix (rtbl_t table, struct column_data *c) -{ - if (c == NULL) - return ""; - if (c->prefix) - return c->prefix; - if (table->column_prefix) - return table->column_prefix; - return ""; -} - -int -rtbl_add_column_entry (rtbl_t table, const char *column, const char *data) -{ - struct column_entry row, *tmp; - - struct column_data *c = rtbl_get_column (table, column); - - if (c == NULL) - return -1; - - row.data = strdup (data); - if (row.data == NULL) - return ENOMEM; - tmp = realloc (c->rows, (c->num_rows + 1) * sizeof (*tmp)); - if (tmp == NULL) { - free (row.data); - return ENOMEM; - } - c->rows = tmp; - c->rows[c->num_rows++] = row; - return 0; -} - -int -rtbl_format (rtbl_t table, FILE * f) -{ - int i, j; - - for (i = 0; i < table->num_columns; i++) - column_compute_width (table->columns[i]); - for (i = 0; i < table->num_columns; i++) { - struct column_data *c = table->columns[i]; - - fprintf (f, "%s", get_column_prefix (table, c)); - fprintf (f, "%-*s", (int)c->width, c->header); - } - fprintf (f, "\n"); - - for (j = 0;; j++) { - int flag = 0; - - for (i = 0; flag == 0 && i < table->num_columns; ++i) { - struct column_data *c = table->columns[i]; - - if (c->num_rows > j) { - ++flag; - break; - } - } - if (flag == 0) - break; - - for (i = 0; i < table->num_columns; i++) { - int w; - struct column_data *c = table->columns[i]; - - w = c->width; - - if ((c->flags & RTBL_ALIGN_RIGHT) == 0) - w = -w; - fprintf (f, "%s", get_column_prefix (table, c)); - if 
(c->num_rows <= j) - fprintf (f, "%*s", w, ""); - else - fprintf (f, "%*s", w, c->rows[j].data); - } - fprintf (f, "\n"); - } - return 0; -} - -#ifdef TEST -int -main (int argc, char **argv) -{ - rtbl_t table; - unsigned int a, b, c, d; - - table = rtbl_create (); - rtbl_add_column (table, "Issued", 0, &a); - rtbl_add_column (table, "Expires", 0, &b); - rtbl_add_column (table, "Foo", RTBL_ALIGN_RIGHT, &d); - rtbl_add_column (table, "Principal", 0, &c); - - rtbl_add_column_entry (table, a, "Jul 7 21:19:29"); - rtbl_add_column_entry (table, b, "Jul 8 07:19:29"); - rtbl_add_column_entry (table, d, "73"); - rtbl_add_column_entry (table, d, "0"); - rtbl_add_column_entry (table, d, "-2000"); - rtbl_add_column_entry (table, c, "krbtgt/NADA.KTH.SE@NADA.KTH.SE"); - - rtbl_add_column_entry (table, a, "Jul 7 21:19:29"); - rtbl_add_column_entry (table, b, "Jul 8 07:19:29"); - rtbl_add_column_entry (table, c, "afs/pdc.kth.se@NADA.KTH.SE"); - - rtbl_add_column_entry (table, a, "Jul 7 21:19:29"); - rtbl_add_column_entry (table, b, "Jul 8 07:19:29"); - rtbl_add_column_entry (table, c, "afs@NADA.KTH.SE"); - - rtbl_set_prefix (table, " "); - rtbl_set_column_prefix (table, a, ""); - - rtbl_format (table, stdout); - - rtbl_destroy (table); - -} - -#endif diff --git a/crypto/heimdal-0.6.3/lib/roken/rtbl.h b/crypto/heimdal-0.6.3/lib/roken/rtbl.h deleted file mode 100644 index 16496a7fd2..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/rtbl.h +++ /dev/null 
@@ -1,57 +0,0 @@
-/*
- * Copyright (c) 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef __rtbl_h__
-#define __rtbl_h__
-
-struct rtbl_data;
-typedef struct rtbl_data *rtbl_t;
-
-#define RTBL_ALIGN_LEFT 0
-#define RTBL_ALIGN_RIGHT 1
-
-rtbl_t rtbl_create (void);
-
-void rtbl_destroy (rtbl_t);
-
-int rtbl_set_prefix (rtbl_t, const char*);
-
-int rtbl_set_column_prefix (rtbl_t, const char*, const char*);
-
-int rtbl_add_column (rtbl_t, const char*, unsigned int);
-
-int rtbl_add_column_entry (rtbl_t, const char*, const char*);
-
-int rtbl_format (rtbl_t, FILE*);
-
-#endif /* __rtbl_h__ */
diff --git a/crypto/heimdal-0.6.3/lib/roken/sendmsg.c b/crypto/heimdal-0.6.3/lib/roken/sendmsg.c
deleted file mode 100644
index 7075bf2142..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/sendmsg.c
+++ /dev/null
@@ -1,65 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: sendmsg.c,v 1.4 1999/12/02 16:58:52 joda Exp $");
-#endif
-
-#include "roken.h"
-
-ssize_t
-sendmsg(int s, const struct msghdr *msg, int flags)
-{
- ssize_t ret;
- size_t tot = 0;
- int i;
- char *buf, *p;
- struct iovec *iov = msg->msg_iov;
-
- for(i = 0; i < msg->msg_iovlen; ++i)
- tot += iov[i].iov_len;
- buf = malloc(tot);
- if (tot != 0 && buf == NULL) {
- errno = ENOMEM;
- return -1;
- }
- p = buf;
- for (i = 0; i < msg->msg_iovlen; ++i) {
- memcpy (p, iov[i].iov_base, iov[i].iov_len);
- p += iov[i].iov_len;
- }
- ret = sendto (s, buf, tot, flags, msg->msg_name, msg->msg_namelen);
- free (buf);
- return ret;
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/setegid.c b/crypto/heimdal-0.6.3/lib/roken/setegid.c
deleted file mode 100644
index 2f46fe4bf8..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/setegid.c
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: setegid.c,v 1.9 1999/12/02 16:58:52 joda Exp $");
-#endif
-
-#ifdef HAVE_UNISTD_H
-#include
-#endif
-
-#include "roken.h"
-
-int
-setegid(gid_t egid)
-{
-#ifdef HAVE_SETREGID
- return setregid(-1, egid);
-#endif
-
-#ifdef HAVE_SETRESGID
- return setresgid(-1, egid, -1);
-#endif
-
- return -1;
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/setenv.c b/crypto/heimdal-0.6.3/lib/roken/setenv.c
deleted file mode 100644
index 15b58113ea..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/setenv.c
+++ /dev/null
@@ -1,66 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: setenv.c,v 1.9 1999/12/02 16:58:52 joda Exp $");
-#endif
-
-#include "roken.h"
-
-#include
-#include
-
-/*
- * This is the easy way out, use putenv to implement setenv. We might
- * leak some memory but that is ok since we are usally about to exec
- * anyway.
- */
-
-int
-setenv(const char *var, const char *val, int rewrite)
-{
- char *t;
-
- if (!rewrite && getenv(var) != 0)
- return 0;
-
- asprintf (&t, "%s=%s", var, val);
- if (t == NULL)
- return -1;
-
- if (putenv(t) == 0)
- return 0;
- else
- return -1;
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/seteuid.c b/crypto/heimdal-0.6.3/lib/roken/seteuid.c
deleted file mode 100644
index ee68ba785e..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/seteuid.c
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: seteuid.c,v 1.10 1999/12/02 16:58:52 joda Exp $");
-#endif
-
-#ifdef HAVE_UNISTD_H
-#include
-#endif
-
-#include "roken.h"
-
-int
-seteuid(uid_t euid)
-{
-#ifdef HAVE_SETREUID
- return setreuid(-1, euid);
-#endif
-
-#ifdef HAVE_SETRESUID
- return setresuid(-1, euid, -1);
-#endif
-
- return -1;
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/setprogname.c b/crypto/heimdal-0.6.3/lib/roken/setprogname.c
deleted file mode 100644
index e66deab8b1..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/setprogname.c
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
- * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: setprogname.c,v 1.1 2001/07/09 14:56:51 assar Exp $");
-#endif
-
-#include "roken.h"
-
-#ifndef HAVE___PROGNAME
-extern const char *__progname;
-#endif
-
-#ifndef HAVE_SETPROGNAME
-void
-setprogname(const char *argv0)
-{
-#ifndef HAVE___PROGNAME
- char *p;
- if(argv0 == NULL)
- return;
- p = strrchr(argv0, '/');
- if(p == NULL)
- p = (char *)argv0;
- else
- p++;
- __progname = p;
-#endif
-}
-#endif /* HAVE_SETPROGNAME */
-
-void
-set_progname(char *argv0)
-{
- setprogname ((const char *)argv0);
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/signal.c b/crypto/heimdal-0.6.3/lib/roken/signal.c
deleted file mode 100644
index 1d482a0e3d..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/signal.c
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: signal.c,v 1.12 2000/07/08 12:39:06 assar Exp $");
-#endif
-
-#include
-#include "roken.h"
-
-/*
- * We would like to always use this signal but there is a link error
- * on NEXTSTEP
- */
-#if !defined(NeXT) && !defined(__APPLE__)
-/*
- * Bugs:
- *
- * Do we need any extra hacks for SIGCLD and/or SIGCHLD?
- */
-
-SigAction
-signal(int iSig, SigAction pAction)
-{
- struct sigaction saNew, saOld;
-
- saNew.sa_handler = pAction;
- sigemptyset(&saNew.sa_mask);
- saNew.sa_flags = 0;
-
- if (iSig == SIGALRM)
- {
-#ifdef SA_INTERRUPT
- saNew.sa_flags |= SA_INTERRUPT;
-#endif
- }
- else
- {
-#ifdef SA_RESTART
- saNew.sa_flags |= SA_RESTART;
-#endif
- }
-
- if (sigaction(iSig, &saNew, &saOld) < 0)
- return(SIG_ERR);
-
- return(saOld.sa_handler);
-}
-#endif
diff --git a/crypto/heimdal-0.6.3/lib/roken/simple_exec.c b/crypto/heimdal-0.6.3/lib/roken/simple_exec.c
deleted file mode 100644
index 1f27c00e73..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/simple_exec.c
+++ /dev/null
@@ -1,254 +0,0 @@ -/* - * Copyright (c) 1998 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#ifdef HAVE_CONFIG_H -#include -RCSID("$Id: simple_exec.c,v 1.10 2001/06/21 03:38:03 assar Exp $"); -#endif - -#include -#include -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_SYS_WAIT_H -#include -#endif -#ifdef HAVE_UNISTD_H -#include -#endif -#include - -#include - -#define EX_NOEXEC 126 -#define EX_NOTFOUND 127 - -/* return values: - -1 on `unspecified' system errors - -2 on fork failures - -3 on waitpid errors - 0- is return value from subprocess - 126 if the program couldn't be executed - 127 if the program couldn't be found - 128- is 128 + signal that killed subprocess - */ - -int -wait_for_process(pid_t pid) -{ - while(1) { - int status; - - while(waitpid(pid, &status, 0) < 0) - if (errno != EINTR) - return -3; - if(WIFSTOPPED(status)) - continue; - if(WIFEXITED(status)) - return WEXITSTATUS(status); - if(WIFSIGNALED(status)) - return WTERMSIG(status) + 128; - } -} - -int -pipe_execv(FILE **stdin_fd, FILE **stdout_fd, FILE **stderr_fd, - const char *file, ...) -{ - int in_fd[2], out_fd[2], err_fd[2]; - pid_t pid; - va_list ap; - char **argv; - - if(stdin_fd != NULL) - pipe(in_fd); - if(stdout_fd != NULL) - pipe(out_fd); - if(stderr_fd != NULL) - pipe(err_fd); - pid = fork(); - switch(pid) { - case 0: - va_start(ap, file); - argv = vstrcollect(&ap); - va_end(ap); - if(argv == NULL) - exit(-1); - - /* close pipes we're not interested in */ - if(stdin_fd != NULL) - close(in_fd[1]); - if(stdout_fd != NULL) - close(out_fd[0]); - if(stderr_fd != NULL) - close(err_fd[0]); - - /* pipe everything caller doesn't care about to /dev/null */ - if(stdin_fd == NULL) - in_fd[0] = open(_PATH_DEVNULL, O_RDONLY); - if(stdout_fd == NULL) - out_fd[1] = open(_PATH_DEVNULL, O_WRONLY); - if(stderr_fd == NULL) - err_fd[1] = open(_PATH_DEVNULL, O_WRONLY); - - /* move to proper descriptors */ - if(in_fd[0] != STDIN_FILENO) { - dup2(in_fd[0], STDIN_FILENO); - close(in_fd[0]); - } - if(out_fd[1] != STDOUT_FILENO) { - dup2(out_fd[1], STDOUT_FILENO); - close(out_fd[1]); 
- } - if(err_fd[1] != STDERR_FILENO) { - dup2(err_fd[1], STDERR_FILENO); - close(err_fd[1]); - } - - execv(file, argv); - exit((errno == ENOENT) ? EX_NOTFOUND : EX_NOEXEC); - case -1: - if(stdin_fd != NULL) { - close(in_fd[0]); - close(in_fd[1]); - } - if(stdout_fd != NULL) { - close(out_fd[0]); - close(out_fd[1]); - } - if(stderr_fd != NULL) { - close(err_fd[0]); - close(err_fd[1]); - } - return -2; - default: - if(stdin_fd != NULL) { - close(in_fd[0]); - *stdin_fd = fdopen(in_fd[1], "w"); - } - if(stdout_fd != NULL) { - close(out_fd[1]); - *stdout_fd = fdopen(out_fd[0], "r"); - } - if(stderr_fd != NULL) { - close(err_fd[1]); - *stderr_fd = fdopen(err_fd[0], "r"); - } - } - return pid; -} - -int -simple_execvp(const char *file, char *const args[]) -{ - pid_t pid = fork(); - switch(pid){ - case -1: - return -2; - case 0: - execvp(file, args); - exit((errno == ENOENT) ? EX_NOTFOUND : EX_NOEXEC); - default: - return wait_for_process(pid); - } -} - -/* gee, I'd like a execvpe */ -int -simple_execve(const char *file, char *const args[], char *const envp[]) -{ - pid_t pid = fork(); - switch(pid){ - case -1: - return -2; - case 0: - execve(file, args, envp); - exit((errno == ENOENT) ? EX_NOTFOUND : EX_NOEXEC); - default: - return wait_for_process(pid); - } -} - -int -simple_execlp(const char *file, ...) -{ - va_list ap; - char **argv; - int ret; - - va_start(ap, file); - argv = vstrcollect(&ap); - va_end(ap); - if(argv == NULL) - return -1; - ret = simple_execvp(file, argv); - free(argv); - return ret; -} - -int -simple_execle(const char *file, ... /* ,char *const envp[] */) -{ - va_list ap; - char **argv; - char *const* envp; - int ret; - - va_start(ap, file); - argv = vstrcollect(&ap); - envp = va_arg(ap, char **); - va_end(ap); - if(argv == NULL) - return -1; - ret = simple_execve(file, argv, envp); - free(argv); - return ret; -} - -int -simple_execl(const char *file, ...) 
-{ - va_list ap; - char **argv; - int ret; - - va_start(ap, file); - argv = vstrcollect(&ap); - va_end(ap); - if(argv == NULL) - return -1; - ret = simple_execve(file, argv, environ); - free(argv); - return ret; -} diff --git a/crypto/heimdal-0.6.3/lib/roken/snprintf-test.c b/crypto/heimdal-0.6.3/lib/roken/snprintf-test.c deleted file mode 100644 index 6904ba612f..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/snprintf-test.c +++ /dev/null 
@@ -1,238 +0,0 @@ -/* - * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of KTH nor the names of its contributors may be - * used to endorse or promote products derived from this software without - * specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY - * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR - * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, - * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR - * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF - * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ - -#ifdef HAVE_CONFIG_H -#include -#endif -#include "roken.h" -#include - -#include "snprintf-test.h" - -RCSID("$Id: snprintf-test.c,v 1.5 2001/09/13 01:01:16 assar Exp $"); - -static int -try (const char *format, ...) 
-{ - int ret; - va_list ap; - char buf1[256], buf2[256]; - - va_start (ap, format); - ret = vsnprintf (buf1, sizeof(buf1), format, ap); - if (ret >= sizeof(buf1)) - errx (1, "increase buf and try again"); - vsprintf (buf2, format, ap); - ret = strcmp (buf1, buf2); - if (ret) - printf ("failed: format = \"%s\", \"%s\" != \"%s\"\n", - format, buf1, buf2); - va_end (ap); - return ret; -} - -static int -cmp_with_sprintf_int (void) -{ - int tot = 0; - int int_values[] = {INT_MIN, -17, -1, 0, 1, 17, 4711, 65535, INT_MAX}; - int i; - - for (i = 0; i < sizeof(int_values) / sizeof(int_values[0]); ++i) { - tot += try ("%d", int_values[i]); - tot += try ("%x", int_values[i]); - tot += try ("%X", int_values[i]); - tot += try ("%o", int_values[i]); - tot += try ("%#x", int_values[i]); - tot += try ("%#X", int_values[i]); - tot += try ("%#o", int_values[i]); - tot += try ("%10d", int_values[i]); - tot += try ("%10x", int_values[i]); - tot += try ("%10X", int_values[i]); - tot += try ("%10o", int_values[i]); - tot += try ("%#10x", int_values[i]); - tot += try ("%#10X", int_values[i]); - tot += try ("%#10o", int_values[i]); - tot += try ("%-10d", int_values[i]); - tot += try ("%-10x", int_values[i]); - tot += try ("%-10X", int_values[i]); - tot += try ("%-10o", int_values[i]); - tot += try ("%-#10x", int_values[i]); - tot += try ("%-#10X", int_values[i]); - tot += try ("%-#10o", int_values[i]); - } - return tot; -} - -static int -cmp_with_sprintf_long (void) -{ - int tot = 0; - long long_values[] = {LONG_MIN, -17, -1, 0, 1, 17, 4711, 65535, LONG_MAX}; - int i; - - for (i = 0; i < sizeof(long_values) / sizeof(long_values[0]); ++i) { - tot += try ("%ld", long_values[i]); - tot += try ("%lx", long_values[i]); - tot += try ("%lX", long_values[i]); - tot += try ("%lo", long_values[i]); - tot += try ("%#lx", long_values[i]); - tot += try ("%#lX", long_values[i]); - tot += try ("%#lo", long_values[i]); - tot += try ("%10ld", long_values[i]); - tot += try ("%10lx", long_values[i]); - tot 
+= try ("%10lX", long_values[i]); - tot += try ("%10lo", long_values[i]); - tot += try ("%#10lx", long_values[i]); - tot += try ("%#10lX", long_values[i]); - tot += try ("%#10lo", long_values[i]); - tot += try ("%-10ld", long_values[i]); - tot += try ("%-10lx", long_values[i]); - tot += try ("%-10lX", long_values[i]); - tot += try ("%-10lo", long_values[i]); - tot += try ("%-#10lx", long_values[i]); - tot += try ("%-#10lX", long_values[i]); - tot += try ("%-#10lo", long_values[i]); - } - return tot; -} - -#ifdef HAVE_LONG_LONG - -static int -cmp_with_sprintf_long_long (void) -{ - int tot = 0; - long long long_long_values[] = { - ((long long)LONG_MIN) -1, LONG_MIN, -17, -1, - 0, - 1, 17, 4711, 65535, LONG_MAX, ((long long)LONG_MAX) + 1}; - int i; - - for (i = 0; i < sizeof(long_long_values) / sizeof(long_long_values[0]); ++i) { - tot += try ("%lld", long_long_values[i]); - tot += try ("%llx", long_long_values[i]); - tot += try ("%llX", long_long_values[i]); - tot += try ("%llo", long_long_values[i]); - tot += try ("%#llx", long_long_values[i]); - tot += try ("%#llX", long_long_values[i]); - tot += try ("%#llo", long_long_values[i]); - tot += try ("%10lld", long_long_values[i]); - tot += try ("%10llx", long_long_values[i]); - tot += try ("%10llX", long_long_values[i]); - tot += try ("%10llo", long_long_values[i]); - tot += try ("%#10llx", long_long_values[i]); - tot += try ("%#10llX", long_long_values[i]); - tot += try ("%#10llo", long_long_values[i]); - tot += try ("%-10lld", long_long_values[i]); - tot += try ("%-10llx", long_long_values[i]); - tot += try ("%-10llX", long_long_values[i]); - tot += try ("%-10llo", long_long_values[i]); - tot += try ("%-#10llx", long_long_values[i]); - tot += try ("%-#10llX", long_long_values[i]); - tot += try ("%-#10llo", long_long_values[i]); - } - return tot; -} - -#endif - -#if 0 -static int -cmp_with_sprintf_float (void) -{ - int tot = 0; - double double_values[] = {-99999, -999, -17.4, -4.3, -3.0, -1.5, -1, - 0, 0.1, 
0.2342374852, 0.2340007, - 3.1415926, 14.7845, 34.24758, 9999, 9999999}; - int i; - - for (i = 0; i < sizeof(double_values) / sizeof(double_values[0]); ++i) { - tot += try ("%f", double_values[i]); - tot += try ("%10f", double_values[i]); - tot += try ("%.2f", double_values[i]); - tot += try ("%7.0f", double_values[i]); - tot += try ("%5.2f", double_values[i]); - tot += try ("%0f", double_values[i]); - tot += try ("%#f", double_values[i]); - tot += try ("%e", double_values[i]); - tot += try ("%10e", double_values[i]); - tot += try ("%.2e", double_values[i]); - tot += try ("%7.0e", double_values[i]); - tot += try ("%5.2e", double_values[i]); - tot += try ("%0e", double_values[i]); - tot += try ("%#e", double_values[i]); - tot += try ("%E", double_values[i]); - tot += try ("%10E", double_values[i]); - tot += try ("%.2E", double_values[i]); - tot += try ("%7.0E", double_values[i]); - tot += try ("%5.2E", double_values[i]); - tot += try ("%0E", double_values[i]); - tot += try ("%#E", double_values[i]); - tot += try ("%g", double_values[i]); - tot += try ("%10g", double_values[i]); - tot += try ("%.2g", double_values[i]); - tot += try ("%7.0g", double_values[i]); - tot += try ("%5.2g", double_values[i]); - tot += try ("%0g", double_values[i]); - tot += try ("%#g", double_values[i]); - tot += try ("%G", double_values[i]); - tot += try ("%10G", double_values[i]); - tot += try ("%.2G", double_values[i]); - tot += try ("%7.0G", double_values[i]); - tot += try ("%5.2G", double_values[i]); - tot += try ("%0G", double_values[i]); - tot += try ("%#G", double_values[i]); - } - return tot; -} -#endif - -static int -test_null (void) -{ - return snprintf (NULL, 0, "foo") != 3; -} - -int -main (int argc, char **argv) -{ - int ret = 0; - - ret += cmp_with_sprintf_int (); - ret += cmp_with_sprintf_long (); -#ifdef HAVE_LONG_LONG - ret += cmp_with_sprintf_long_long (); -#endif - ret += test_null (); - return ret; -} 
diff --git a/crypto/heimdal-0.6.3/lib/roken/snprintf-test.h b/crypto/heimdal-0.6.3/lib/roken/snprintf-test.h
deleted file mode 100644
index 5eb591b2fe..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/snprintf-test.h
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Copyright (c) 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of KTH nor the names of its contributors may be
- * used to endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
- * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
- * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
- * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/* $Id: snprintf-test.h,v 1.2 2001/07/19 18:39:14 assar Exp $ */
-
-#ifndef __SNPRINTF_TEST_H__
-#define __SNPRINTF_TEST_H__
-
-/*
- * we cannot use the real names of the functions when testing, since
- * they might have different prototypes as the system functions, hence
- * these evil hacks
- */
-
-#define snprintf test_snprintf
-#define asprintf test_asprintf
-#define asnprintf test_asnprintf
-#define vasprintf test_vasprintf
-#define vasnprintf test_vasnprintf
-#define vsnprintf test_vsnprintf
-
-#endif /* __SNPRINTF_TEST_H__ */
diff --git a/crypto/heimdal-0.6.3/lib/roken/snprintf.c b/crypto/heimdal-0.6.3/lib/roken/snprintf.c
deleted file mode 100644
index 5e4b85e9c9..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/snprintf.c
+++ /dev/null
@@ -1,655 +0,0 @@ -/* - * Copyright (c) 1995-2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#ifdef HAVE_CONFIG_H -#include -RCSID("$Id: snprintf.c,v 1.35 2003/03/26 10:05:48 joda Exp $"); -#endif -#include -#include -#include -#include -#include -#include - -enum format_flags { - minus_flag = 1, - plus_flag = 2, - space_flag = 4, - alternate_flag = 8, - zero_flag = 16 -}; - -/* - * Common state - */ - -struct snprintf_state { - unsigned char *str; - unsigned char *s; - unsigned char *theend; - size_t sz; - size_t max_sz; - void (*append_char)(struct snprintf_state *, unsigned char); - /* XXX - methods */ -}; - -#if TEST_SNPRINTF -#include "snprintf-test.h" -#endif /* TEST_SNPRINTF */ - -#if !defined(HAVE_VSNPRINTF) || defined(TEST_SNPRINTF) -static int -sn_reserve (struct snprintf_state *state, size_t n) -{ - return state->s + n > state->theend; -} - -static void -sn_append_char (struct snprintf_state *state, unsigned char c) -{ - if (!sn_reserve (state, 1)) - *state->s++ = c; -} -#endif - -static int -as_reserve (struct snprintf_state *state, size_t n) -{ - if (state->s + n > state->theend) { - int off = state->s - state->str; - unsigned char *tmp; - - if (state->max_sz && state->sz >= state->max_sz) - return 1; - - state->sz = max(state->sz * 2, state->sz + n); - if (state->max_sz) - state->sz = min(state->sz, state->max_sz); - tmp = realloc (state->str, state->sz); - if (tmp == NULL) - return 1; - state->str = tmp; - state->s = state->str + off; - state->theend = state->str + state->sz - 1; - } - return 0; -} - -static void -as_append_char (struct snprintf_state *state, unsigned char c) -{ - if(!as_reserve (state, 1)) - *state->s++ = c; -} - -/* longest integer types */ - -#ifdef HAVE_LONG_LONG -typedef unsigned long long u_longest; -typedef long long longest; -#else -typedef unsigned long u_longest; -typedef long longest; -#endif - -/* - * is # supposed to do anything? 
- */ - -static int -use_alternative (int flags, u_longest num, unsigned base) -{ - return flags & alternate_flag && (base == 16 || base == 8) && num != 0; -} - -static int -append_number(struct snprintf_state *state, - u_longest num, unsigned base, const char *rep, - int width, int prec, int flags, int minusp) -{ - int len = 0; - int i; - u_longest n = num; - - /* given precision, ignore zero flag */ - if(prec != -1) - flags &= ~zero_flag; - else - prec = 1; - /* zero value with zero precision -> "" */ - if(prec == 0 && n == 0) - return 0; - do{ - (*state->append_char)(state, rep[n % base]); - ++len; - n /= base; - } while(n); - prec -= len; - /* pad with prec zeros */ - while(prec-- > 0){ - (*state->append_char)(state, '0'); - ++len; - } - /* add length of alternate prefix (added later) to len */ - if(use_alternative(flags, num, base)) - len += base / 8; - /* pad with zeros */ - if(flags & zero_flag){ - width -= len; - if(minusp || (flags & space_flag) || (flags & plus_flag)) - width--; - while(width-- > 0){ - (*state->append_char)(state, '0'); - len++; - } - } - /* add alternate prefix */ - if(use_alternative(flags, num, base)){ - if(base == 16) - (*state->append_char)(state, rep[10] + 23); /* XXX */ - (*state->append_char)(state, '0'); - } - /* add sign */ - if(minusp){ - (*state->append_char)(state, '-'); - ++len; - } else if(flags & plus_flag) { - (*state->append_char)(state, '+'); - ++len; - } else if(flags & space_flag) { - (*state->append_char)(state, ' '); - ++len; - } - if(flags & minus_flag) - /* swap before padding with spaces */ - for(i = 0; i < len / 2; i++){ - char c = state->s[-i-1]; - state->s[-i-1] = state->s[-len+i]; - state->s[-len+i] = c; - } - width -= len; - while(width-- > 0){ - (*state->append_char)(state, ' '); - ++len; - } - if(!(flags & minus_flag)) - /* swap after padding with spaces */ - for(i = 0; i < len / 2; i++){ - char c = state->s[-i-1]; - state->s[-i-1] = state->s[-len+i]; - state->s[-len+i] = c; - } - return len; -} - -/* - * 
return length - */ - -static int -append_string (struct snprintf_state *state, - const unsigned char *arg, - int width, - int prec, - int flags) -{ - int len = 0; - - if(arg == NULL) - arg = (const unsigned char*)"(null)"; - - if(prec != -1) - width -= prec; - else - width -= strlen((const char *)arg); - if(!(flags & minus_flag)) - while(width-- > 0) { - (*state->append_char) (state, ' '); - ++len; - } - if (prec != -1) { - while (*arg && prec--) { - (*state->append_char) (state, *arg++); - ++len; - } - } else { - while (*arg) { - (*state->append_char) (state, *arg++); - ++len; - } - } - if(flags & minus_flag) - while(width-- > 0) { - (*state->append_char) (state, ' '); - ++len; - } - return len; -} - -static int -append_char(struct snprintf_state *state, - unsigned char arg, - int width, - int flags) -{ - int len = 0; - - while(!(flags & minus_flag) && --width > 0) { - (*state->append_char) (state, ' ') ; - ++len; - } - (*state->append_char) (state, arg); - ++len; - while((flags & minus_flag) && --width > 0) { - (*state->append_char) (state, ' '); - ++len; - } - return 0; -} - -/* - * This can't be made into a function... 
- */ - -#ifdef HAVE_LONG_LONG - -#define PARSE_INT_FORMAT(res, arg, unsig) \ -if (long_long_flag) \ - res = (unsig long long)va_arg(arg, unsig long long); \ -else if (long_flag) \ - res = (unsig long)va_arg(arg, unsig long); \ -else if (short_flag) \ - res = (unsig short)va_arg(arg, unsig int); \ -else \ - res = (unsig int)va_arg(arg, unsig int) - -#else - -#define PARSE_INT_FORMAT(res, arg, unsig) \ -if (long_flag) \ - res = (unsig long)va_arg(arg, unsig long); \ -else if (short_flag) \ - res = (unsig short)va_arg(arg, unsig int); \ -else \ - res = (unsig int)va_arg(arg, unsig int) - -#endif - -/* - * zyxprintf - return length, as snprintf - */ - -static int -xyzprintf (struct snprintf_state *state, const char *char_format, va_list ap) -{ - const unsigned char *format = (const unsigned char *)char_format; - unsigned char c; - int len = 0; - - while((c = *format++)) { - if (c == '%') { - int flags = 0; - int width = 0; - int prec = -1; - int long_long_flag = 0; - int long_flag = 0; - int short_flag = 0; - - /* flags */ - while((c = *format++)){ - if(c == '-') - flags |= minus_flag; - else if(c == '+') - flags |= plus_flag; - else if(c == ' ') - flags |= space_flag; - else if(c == '#') - flags |= alternate_flag; - else if(c == '0') - flags |= zero_flag; - else if(c == '\'') - ; /* just ignore */ - else - break; - } - - if((flags & space_flag) && (flags & plus_flag)) - flags ^= space_flag; - - if((flags & minus_flag) && (flags & zero_flag)) - flags ^= zero_flag; - - /* width */ - if (isdigit(c)) - do { - width = width * 10 + c - '0'; - c = *format++; - } while(isdigit(c)); - else if(c == '*') { - width = va_arg(ap, int); - c = *format++; - } - - /* precision */ - if (c == '.') { - prec = 0; - c = *format++; - if (isdigit(c)) - do { - prec = prec * 10 + c - '0'; - c = *format++; - } while(isdigit(c)); - else if (c == '*') { - prec = va_arg(ap, int); - c = *format++; - } - } - - /* size */ - - if (c == 'h') { - short_flag = 1; - c = *format++; - } else if (c == 'l') { 
- long_flag = 1; - c = *format++; - if (c == 'l') { - long_long_flag = 1; - c = *format++; - } - } - - switch (c) { - case 'c' : - append_char(state, va_arg(ap, int), width, flags); - ++len; - break; - case 's' : - len += append_string(state, - va_arg(ap, unsigned char*), - width, - prec, - flags); - break; - case 'd' : - case 'i' : { - longest arg; - u_longest num; - int minusp = 0; - - PARSE_INT_FORMAT(arg, ap, signed); - - if (arg < 0) { - minusp = 1; - num = -arg; - } else - num = arg; - - len += append_number (state, num, 10, "0123456789", - width, prec, flags, minusp); - break; - } - case 'u' : { - u_longest arg; - - PARSE_INT_FORMAT(arg, ap, unsigned); - - len += append_number (state, arg, 10, "0123456789", - width, prec, flags, 0); - break; - } - case 'o' : { - u_longest arg; - - PARSE_INT_FORMAT(arg, ap, unsigned); - - len += append_number (state, arg, 010, "01234567", - width, prec, flags, 0); - break; - } - case 'x' : { - u_longest arg; - - PARSE_INT_FORMAT(arg, ap, unsigned); - - len += append_number (state, arg, 0x10, "0123456789abcdef", - width, prec, flags, 0); - break; - } - case 'X' :{ - u_longest arg; - - PARSE_INT_FORMAT(arg, ap, unsigned); - - len += append_number (state, arg, 0x10, "0123456789ABCDEF", - width, prec, flags, 0); - break; - } - case 'p' : { - unsigned long arg = (unsigned long)va_arg(ap, void*); - - len += append_number (state, arg, 0x10, "0123456789ABCDEF", - width, prec, flags, 0); - break; - } - case 'n' : { - int *arg = va_arg(ap, int*); - *arg = state->s - state->str; - break; - } - case '\0' : - --format; - /* FALLTHROUGH */ - case '%' : - (*state->append_char)(state, c); - ++len; - break; - default : - (*state->append_char)(state, '%'); - (*state->append_char)(state, c); - len += 2; - break; - } - } else { - (*state->append_char) (state, c); - ++len; - } - } - return len; -} - -#if !defined(HAVE_SNPRINTF) || defined(TEST_SNPRINTF) -int -snprintf (char *str, size_t sz, const char *format, ...) 
-{ - va_list args; - int ret; - - va_start(args, format); - ret = vsnprintf (str, sz, format, args); - va_end(args); - -#ifdef PARANOIA - { - int ret2; - char *tmp; - - tmp = malloc (sz); - if (tmp == NULL) - abort (); - - va_start(args, format); - ret2 = vsprintf (tmp, format, args); - va_end(args); - if (ret != ret2 || strcmp(str, tmp)) - abort (); - free (tmp); - } -#endif - - return ret; -} -#endif - -#if !defined(HAVE_ASPRINTF) || defined(TEST_SNPRINTF) -int -asprintf (char **ret, const char *format, ...) -{ - va_list args; - int val; - - va_start(args, format); - val = vasprintf (ret, format, args); - va_end(args); - -#ifdef PARANOIA - { - int ret2; - char *tmp; - tmp = malloc (val + 1); - if (tmp == NULL) - abort (); - - va_start(args, format); - ret2 = vsprintf (tmp, format, args); - va_end(args); - if (val != ret2 || strcmp(*ret, tmp)) - abort (); - free (tmp); - } -#endif - - return val; -} -#endif - -#if !defined(HAVE_ASNPRINTF) || defined(TEST_SNPRINTF) -int -asnprintf (char **ret, size_t max_sz, const char *format, ...) 
-{ - va_list args; - int val; - - va_start(args, format); - val = vasnprintf (ret, max_sz, format, args); - -#ifdef PARANOIA - { - int ret2; - char *tmp; - tmp = malloc (val + 1); - if (tmp == NULL) - abort (); - - ret2 = vsprintf (tmp, format, args); - if (val != ret2 || strcmp(*ret, tmp)) - abort (); - free (tmp); - } -#endif - - va_end(args); - return val; -} -#endif - -#if !defined(HAVE_VASPRINTF) || defined(TEST_SNPRINTF) -int -vasprintf (char **ret, const char *format, va_list args) -{ - return vasnprintf (ret, 0, format, args); -} -#endif - - -#if !defined(HAVE_VASNPRINTF) || defined(TEST_SNPRINTF) -int -vasnprintf (char **ret, size_t max_sz, const char *format, va_list args) -{ - int st; - struct snprintf_state state; - - state.max_sz = max_sz; - state.sz = 1; - state.str = malloc(state.sz); - if (state.str == NULL) { - *ret = NULL; - return -1; - } - state.s = state.str; - state.theend = state.s + state.sz - 1; - state.append_char = as_append_char; - - st = xyzprintf (&state, format, args); - if (st > state.sz) { - free (state.str); - *ret = NULL; - return -1; - } else { - char *tmp; - - *state.s = '\0'; - tmp = realloc (state.str, st+1); - if (tmp == NULL) { - free (state.str); - *ret = NULL; - return -1; - } - *ret = tmp; - return st; - } -} -#endif - -#if !defined(HAVE_VSNPRINTF) || defined(TEST_SNPRINTF) -int -vsnprintf (char *str, size_t sz, const char *format, va_list args) -{ - struct snprintf_state state; - int ret; - unsigned char *ustr = (unsigned char *)str; - - state.max_sz = 0; - state.sz = sz; - state.str = ustr; - state.s = ustr; - state.theend = ustr + sz - (sz > 0); - state.append_char = sn_append_char; - - ret = xyzprintf (&state, format, args); - if (state.s != NULL) - *state.s = '\0'; - return ret; -} -#endif diff --git a/crypto/heimdal-0.6.3/lib/roken/socket.c b/crypto/heimdal-0.6.3/lib/roken/socket.c deleted file mode 100644 index bd67013309..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/socket.c +++ /dev/null 
@@ -1,290 +0,0 @@ -/* - * Copyright (c) 1999 - 2000 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#ifdef HAVE_CONFIG_H -#include -RCSID("$Id: socket.c,v 1.8 2003/04/15 03:26:51 lha Exp $"); -#endif - -#include -#include - -/* - * Set `sa' to the unitialized address of address family `af' - */ - -void -socket_set_any (struct sockaddr *sa, int af) -{ - switch (af) { - case AF_INET : { - struct sockaddr_in *sin = (struct sockaddr_in *)sa; - - memset (sin, 0, sizeof(*sin)); - sin->sin_family = AF_INET; - sin->sin_port = 0; - sin->sin_addr.s_addr = INADDR_ANY; - break; - } -#ifdef HAVE_IPV6 - case AF_INET6 : { - struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sa; - - memset (sin6, 0, sizeof(*sin6)); - sin6->sin6_family = AF_INET6; - sin6->sin6_port = 0; - sin6->sin6_addr = in6addr_any; - break; - } -#endif - default : - errx (1, "unknown address family %d", sa->sa_family); - break; - } -} - -/* - * set `sa' to (`ptr', `port') - */ - -void -socket_set_address_and_port (struct sockaddr *sa, const void *ptr, int port) -{ - switch (sa->sa_family) { - case AF_INET : { - struct sockaddr_in *sin = (struct sockaddr_in *)sa; - - memset (sin, 0, sizeof(*sin)); - sin->sin_family = AF_INET; - sin->sin_port = port; - memcpy (&sin->sin_addr, ptr, sizeof(struct in_addr)); - break; - } -#ifdef HAVE_IPV6 - case AF_INET6 : { - struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sa; - - memset (sin6, 0, sizeof(*sin6)); - sin6->sin6_family = AF_INET6; - sin6->sin6_port = port; - memcpy (&sin6->sin6_addr, ptr, sizeof(struct in6_addr)); - break; - } -#endif - default : - errx (1, "unknown address family %d", sa->sa_family); - break; - } -} - -/* - * Return the size of an address of the type in `sa' - */ - -size_t -socket_addr_size (const struct sockaddr *sa) -{ - switch (sa->sa_family) { - case AF_INET : - return sizeof(struct in_addr); -#ifdef HAVE_IPV6 - case AF_INET6 : - return sizeof(struct in6_addr); -#endif - default : - errx (1, "unknown address family %d", sa->sa_family); - break; - } -} - -/* - * Return the size of a `struct sockaddr' in `sa'. 
- */ - -size_t -socket_sockaddr_size (const struct sockaddr *sa) -{ - switch (sa->sa_family) { - case AF_INET : - return sizeof(struct sockaddr_in); -#ifdef HAVE_IPV6 - case AF_INET6 : - return sizeof(struct sockaddr_in6); -#endif - default : - errx (1, "unknown address family %d", sa->sa_family); - break; - } -} - -/* - * Return the binary address of `sa'. - */ - -void * -socket_get_address (struct sockaddr *sa) -{ - switch (sa->sa_family) { - case AF_INET : { - struct sockaddr_in *sin = (struct sockaddr_in *)sa; - return &sin->sin_addr; - } -#ifdef HAVE_IPV6 - case AF_INET6 : { - struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sa; - return &sin6->sin6_addr; - } -#endif - default : - errx (1, "unknown address family %d", sa->sa_family); - break; - } -} - -/* - * Return the port number from `sa'. - */ - -int -socket_get_port (const struct sockaddr *sa) -{ - switch (sa->sa_family) { - case AF_INET : { - const struct sockaddr_in *sin = (const struct sockaddr_in *)sa; - return sin->sin_port; - } -#ifdef HAVE_IPV6 - case AF_INET6 : { - const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *)sa; - return sin6->sin6_port; - } -#endif - default : - errx (1, "unknown address family %d", sa->sa_family); - break; - } -} - -/* - * Set the port in `sa' to `port'. - */ - -void -socket_set_port (struct sockaddr *sa, int port) -{ - switch (sa->sa_family) { - case AF_INET : { - struct sockaddr_in *sin = (struct sockaddr_in *)sa; - sin->sin_port = port; - break; - } -#ifdef HAVE_IPV6 - case AF_INET6 : { - struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sa; - sin6->sin6_port = port; - break; - } -#endif - default : - errx (1, "unknown address family %d", sa->sa_family); - break; - } -} - -/* - * Set the range of ports to use when binding with port = 0. - */ -void -socket_set_portrange (int sock, int restr, int af) -{ -#if defined(IP_PORTRANGE) - if (af == AF_INET) { - int on = restr ? 
IP_PORTRANGE_HIGH : IP_PORTRANGE_DEFAULT; - if (setsockopt (sock, IPPROTO_IP, IP_PORTRANGE, &on, - sizeof(on)) < 0) - warn ("setsockopt IP_PORTRANGE (ignored)"); - } -#endif -#if defined(IPV6_PORTRANGE) - if (af == AF_INET6) { - int on = restr ? IPV6_PORTRANGE_HIGH : - IPV6_PORTRANGE_DEFAULT; - if (setsockopt (sock, IPPROTO_IPV6, IPV6_PORTRANGE, &on, - sizeof(on)) < 0) - warn ("setsockopt IPV6_PORTRANGE (ignored)"); - } -#endif -} - -/* - * Enable debug on `sock'. - */ - -void -socket_set_debug (int sock) -{ -#if defined(SO_DEBUG) && defined(HAVE_SETSOCKOPT) - int on = 1; - - if (setsockopt (sock, SOL_SOCKET, SO_DEBUG, (void *) &on, sizeof (on)) < 0) - warn ("setsockopt SO_DEBUG (ignored)"); -#endif -} - -/* - * Set the type-of-service of `sock' to `tos'. - */ - -void -socket_set_tos (int sock, int tos) -{ -#if defined(IP_TOS) && defined(HAVE_SETSOCKOPT) - if (setsockopt (sock, IPPROTO_IP, IP_TOS, (void *) &tos, sizeof (int)) < 0) - if (errno != EINVAL) - warn ("setsockopt TOS (ignored)"); -#endif -} - -/* - * set the reuse of addresses on `sock' to `val'. - */ - -void -socket_set_reuseaddr (int sock, int val) -{ -#if defined(SO_REUSEADDR) && defined(HAVE_SETSOCKOPT) - if(setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&val, - sizeof(val)) < 0) - err (1, "setsockopt SO_REUSEADDR"); -#endif -} diff --git a/crypto/heimdal-0.6.3/lib/roken/strcasecmp.c b/crypto/heimdal-0.6.3/lib/roken/strcasecmp.c deleted file mode 100644 index cde5b3bf92..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/strcasecmp.c +++ /dev/null 
@@ -1,58 +0,0 @@ -/* - * Copyright (c) 1998 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#ifdef HAVE_CONFIG_H -#include -RCSID("$Id: strcasecmp.c,v 1.10 2003/04/14 11:26:27 lha Exp $"); -#endif - -#include -#include -#include -#include "roken.h" - -#ifndef HAVE_STRCASECMP - -int -strcasecmp(const char *s1, const char *s2) -{ - while(toupper((unsigned char)*s1) == toupper((unsigned char)*s2)) { - if(*s1 == '\0') - return 0; - s1++; - s2++; - } - return toupper((unsigned char)*s1) - toupper((unsigned char)*s2); -} - -#endif diff --git a/crypto/heimdal-0.6.3/lib/roken/strcollect.c b/crypto/heimdal-0.6.3/lib/roken/strcollect.c deleted file mode 100644 index 1e82ad01b7..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/strcollect.c +++ /dev/null 
@@ -1,96 +0,0 @@ -/* - * Copyright (c) 1998, 1999 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#ifdef HAVE_CONFIG_H -#include -RCSID("$Id: strcollect.c,v 1.1 2000/01/09 10:57:43 assar Exp $"); -#endif - -#include -#include -#include -#include -#include - -enum { initial = 10, increment = 5 }; - -static char ** -sub (char **argv, int i, int argc, va_list *ap) -{ - do { - if(i == argc) { - /* realloc argv */ - char **tmp = realloc(argv, (argc + increment) * sizeof(*argv)); - if(tmp == NULL) { - free(argv); - errno = ENOMEM; - return NULL; - } - argv = tmp; - argc += increment; - } - argv[i++] = va_arg(*ap, char*); - } while(argv[i - 1] != NULL); - return argv; -} - -/* - * return a malloced vector of pointers to the strings in `ap' - * terminated by NULL. - */ - -char ** -vstrcollect(va_list *ap) -{ - return sub (NULL, 0, 0, ap); -} - -/* - * - */ - -char ** -strcollect(char *first, ...) -{ - va_list ap; - char **ret = malloc (initial * sizeof(char *)); - - if (ret == NULL) - return ret; - - ret[0] = first; - va_start(ap, first); - ret = sub (ret, 1, initial, &ap); - va_end(ap); - return ret; -} diff --git a/crypto/heimdal-0.6.3/lib/roken/strdup.c b/crypto/heimdal-0.6.3/lib/roken/strdup.c deleted file mode 100644 index 87fb43eb7d..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/strdup.c +++ /dev/null 
@@ -1,50 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: strdup.c,v 1.10 1999/12/02 16:58:53 joda Exp $");
-#endif
-#include
-#include
-
-#ifndef HAVE_STRDUP
-char *
-strdup(const char *old)
-{
- char *t = malloc(strlen(old)+1);
- if (t != 0)
- strcpy(t, old);
- return t;
-}
-#endif
diff --git a/crypto/heimdal-0.6.3/lib/roken/strerror.c b/crypto/heimdal-0.6.3/lib/roken/strerror.c
deleted file mode 100644
index 21936d7163..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/strerror.c
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: strerror.c,v 1.10 1999/12/02 16:58:53 joda Exp $");
-#endif
-
-#include
-#include
-#include
-
-extern int sys_nerr;
-extern char *sys_errlist[];
-
-char*
-strerror(int eno)
-{
- static char emsg[1024];
-
- if(eno < 0 || eno >= sys_nerr)
- snprintf(emsg, sizeof(emsg), "Error %d occurred.", eno);
- else
- snprintf(emsg, sizeof(emsg), "%s", sys_errlist[eno]);
-
- return emsg;
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/strftime.c b/crypto/heimdal-0.6.3/lib/roken/strftime.c
deleted file mode 100644
index 985b38aa7d..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/strftime.c
+++ /dev/null
@@ -1,398 +0,0 @@ -/* - * Copyright (c) 1999 - 2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of KTH nor the names of its contributors may be - * used to endorse or promote products derived from this software without - * specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY - * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR - * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, - * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR - * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF - * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ - -#ifdef HAVE_CONFIG_H -#include -#endif -#include "roken.h" - -RCSID("$Id: strftime.c,v 1.13 2002/08/20 12:42:37 joda Exp $"); - -static const char *abb_weekdays[] = { - "Sun", - "Mon", - "Tue", - "Wed", - "Thu", - "Fri", - "Sat", -}; - -static const char *full_weekdays[] = { - "Sunday", - "Monday", - "Tuesday", - "Wednesday", - "Thursday", - "Friday", - "Saturday", -}; - -static const char *abb_month[] = { - "Jan", - "Feb", - "Mar", - "Apr", - "May", - "Jun", - "Jul", - "Aug", - "Sep", - "Oct", - "Nov", - "Dec" -}; - -static const char *full_month[] = { - "January", - "February", - "Mars", - "April", - "May", - "June", - "July", - "August", - "September", - "October", - "November", - "December" -}; - -static const char *ampm[] = { - "AM", - "PM" -}; - -/* - * Convert hour in [0, 24] to [12 1 - 11 12 1 - 11 12] - */ - -static int -hour_24to12 (int hour) -{ - int ret = hour % 12; - - if (ret == 0) - ret = 12; - return ret; -} - -/* - * Return AM or PM for `hour' - */ - -static const char * -hour_to_ampm (int hour) -{ - return ampm[hour / 12]; -} - -/* - * Return the week number of `tm' (Sunday being the first day of the week) - * as [0, 53] - */ - -static int -week_number_sun (const struct tm *tm) -{ - return (tm->tm_yday + 7 - (tm->tm_yday % 7 - tm->tm_wday + 7) % 7) / 7; -} - -/* - * Return the week number of `tm' (Monday being the first day of the week) - * as [0, 53] - */ - -static int -week_number_mon (const struct tm *tm) -{ - int wday = (tm->tm_wday + 6) % 7; - - return (tm->tm_yday + 7 - (tm->tm_yday % 7 - wday + 7) % 7) / 7; -} - -/* - * Return the week number of `tm' (Monday being the first day of the - * week) as [01, 53]. Week number one is the one that has four or more - * days in that year. 
- */ - -static int -week_number_mon4 (const struct tm *tm) -{ - int wday = (tm->tm_wday + 6) % 7; - int w1day = (wday - tm->tm_yday % 7 + 7) % 7; - int ret; - - ret = (tm->tm_yday + w1day) / 7; - if (w1day >= 4) - --ret; - if (ret == -1) - ret = 53; - else - ++ret; - return ret; -} - -/* - * - */ - -size_t -strftime (char *buf, size_t maxsize, const char *format, - const struct tm *tm) -{ - size_t n = 0; - int ret; - - while (*format != '\0' && n < maxsize) { - if (*format == '%') { - ++format; - if(*format == 'E' || *format == 'O') - ++format; - switch (*format) { - case 'a' : - ret = snprintf (buf, maxsize - n, - "%s", abb_weekdays[tm->tm_wday]); - break; - case 'A' : - ret = snprintf (buf, maxsize - n, - "%s", full_weekdays[tm->tm_wday]); - break; - case 'h' : - case 'b' : - ret = snprintf (buf, maxsize - n, - "%s", abb_month[tm->tm_mon]); - break; - case 'B' : - ret = snprintf (buf, maxsize - n, - "%s", full_month[tm->tm_mon]); - break; - case 'c' : - ret = snprintf (buf, maxsize - n, - "%d:%02d:%02d %02d:%02d:%02d", - tm->tm_year, - tm->tm_mon + 1, - tm->tm_mday, - tm->tm_hour, - tm->tm_min, - tm->tm_sec); - break; - case 'C' : - ret = snprintf (buf, maxsize - n, - "%02d", (tm->tm_year + 1900) / 100); - break; - case 'd' : - ret = snprintf (buf, maxsize - n, - "%02d", tm->tm_mday); - break; - case 'D' : - ret = snprintf (buf, maxsize - n, - "%02d/%02d/%02d", - tm->tm_mon + 1, - tm->tm_mday, - (tm->tm_year + 1900) % 100); - break; - case 'e' : - ret = snprintf (buf, maxsize - n, - "%2d", tm->tm_mday); - break; - case 'F': - ret = snprintf (buf, maxsize - n, - "%04d-%02d-%02d", tm->tm_year + 1900, - tm->tm_mon + 1, tm->tm_mday); - break; - case 'g': - /* last two digits of week-based year */ - abort(); - case 'G': - /* week-based year */ - abort(); - case 'H' : - ret = snprintf (buf, maxsize - n, - "%02d", tm->tm_hour); - break; - case 'I' : - ret = snprintf (buf, maxsize - n, - "%02d", - hour_24to12 (tm->tm_hour)); - break; - case 'j' : - ret = snprintf (buf, 
maxsize - n, - "%03d", tm->tm_yday + 1); - break; - case 'k' : - ret = snprintf (buf, maxsize - n, - "%2d", tm->tm_hour); - break; - case 'l' : - ret = snprintf (buf, maxsize - n, - "%2d", - hour_24to12 (tm->tm_hour)); - break; - case 'm' : - ret = snprintf (buf, maxsize - n, - "%02d", tm->tm_mon + 1); - break; - case 'M' : - ret = snprintf (buf, maxsize - n, - "%02d", tm->tm_min); - break; - case 'n' : - ret = snprintf (buf, maxsize - n, "\n"); - break; - case 'p' : - ret = snprintf (buf, maxsize - n, "%s", - hour_to_ampm (tm->tm_hour)); - break; - case 'r' : - ret = snprintf (buf, maxsize - n, - "%02d:%02d:%02d %s", - hour_24to12 (tm->tm_hour), - tm->tm_min, - tm->tm_sec, - hour_to_ampm (tm->tm_hour)); - break; - case 'R' : - ret = snprintf (buf, maxsize - n, - "%02d:%02d", - tm->tm_hour, - tm->tm_min); - - case 's' : - ret = snprintf (buf, maxsize - n, - "%d", (int)mktime((struct tm *)tm)); - break; - case 'S' : - ret = snprintf (buf, maxsize - n, - "%02d", tm->tm_sec); - break; - case 't' : - ret = snprintf (buf, maxsize - n, "\t"); - break; - case 'T' : - case 'X' : - ret = snprintf (buf, maxsize - n, - "%02d:%02d:%02d", - tm->tm_hour, - tm->tm_min, - tm->tm_sec); - break; - case 'u' : - ret = snprintf (buf, maxsize - n, - "%d", (tm->tm_wday == 0) ? 
7 : tm->tm_wday); - break; - case 'U' : - ret = snprintf (buf, maxsize - n, - "%02d", week_number_sun (tm)); - break; - case 'V' : - ret = snprintf (buf, maxsize - n, - "%02d", week_number_mon4 (tm)); - break; - case 'w' : - ret = snprintf (buf, maxsize - n, - "%d", tm->tm_wday); - break; - case 'W' : - ret = snprintf (buf, maxsize - n, - "%02d", week_number_mon (tm)); - break; - case 'x' : - ret = snprintf (buf, maxsize - n, - "%d:%02d:%02d", - tm->tm_year, - tm->tm_mon + 1, - tm->tm_mday); - break; - case 'y' : - ret = snprintf (buf, maxsize - n, - "%02d", (tm->tm_year + 1900) % 100); - break; - case 'Y' : - ret = snprintf (buf, maxsize - n, - "%d", tm->tm_year + 1900); - break; - case 'z': - ret = snprintf (buf, maxsize - n, - "%ld", -#if defined(HAVE_STRUCT_TM_TM_GMTOFF) - (long)tm->tm_gmtoff -#elif defined(HAVE_TIMEZONE) -#ifdef HAVE_ALTZONE - tm->tm_isdst ? - (long)altzone : -#endif - (long)timezone -#else -#error Where in timezone chaos are you? -#endif - ); - break; - case 'Z' : - ret = snprintf (buf, maxsize - n, - "%s", - -#if defined(HAVE_STRUCT_TM_TM_ZONE) - tm->tm_zone -#elif defined(HAVE_TIMEZONE) - tzname[tm->tm_isdst] -#else -#error what? -#endif - ); - break; - case '\0' : - --format; - /* FALLTHROUGH */ - case '%' : - ret = snprintf (buf, maxsize - n, - "%%"); - break; - default : - ret = snprintf (buf, maxsize - n, - "%%%c", *format); - break; - } - if (ret < 0 || ret >= maxsize - n) - return 0; - n += ret; - buf += ret; - ++format; - } else { - *buf++ = *format++; - ++n; - } - } - *buf++ = '\0'; - return n; -} diff --git a/crypto/heimdal-0.6.3/lib/roken/strlcat.c b/crypto/heimdal-0.6.3/lib/roken/strlcat.c deleted file mode 100644 index 1366e88f08..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/strlcat.c +++ /dev/null 
@@ -1,56 +0,0 @@ -/* - * Copyright (c) 1995-2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#ifdef HAVE_CONFIG_H -#include -#endif -#include "roken.h" - -RCSID("$Id: strlcat.c,v 1.6 2002/08/20 09:46:20 joda Exp $"); - -#ifndef HAVE_STRLCAT - -size_t -strlcat (char *dst, const char *src, size_t dst_sz) -{ - size_t len = strlen(dst); - - if (dst_sz < len) - /* the total size of dst is less than the string it contains; - this could be considered bad input, but we might as well - handle it */ - return len + strlen(src); - - return len + strlcpy (dst + len, src, dst_sz - len); -} -#endif diff --git a/crypto/heimdal-0.6.3/lib/roken/strlcpy.c b/crypto/heimdal-0.6.3/lib/roken/strlcpy.c deleted file mode 100644 index b43dbdeaaf..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/strlcpy.c +++ /dev/null 
@@ -1,60 +0,0 @@ -/* - * Copyright (c) 1995-2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#ifdef HAVE_CONFIG_H -#include -#endif -#include "roken.h" - -RCSID("$Id: strlcpy.c,v 1.6 2002/08/20 09:42:08 joda Exp $"); - -#ifndef HAVE_STRLCPY - -size_t -strlcpy (char *dst, const char *src, size_t dst_sz) -{ - size_t n; - - for (n = 0; n < dst_sz; n++) { - if ((*dst++ = *src++) == '\0') - break; - } - - if (n < dst_sz) - return n; - if (n > 0) - *(dst - 1) = '\0'; - return n + strlen (src); -} - -#endif diff --git a/crypto/heimdal-0.6.3/lib/roken/strlwr.c b/crypto/heimdal-0.6.3/lib/roken/strlwr.c deleted file mode 100644 index f2c6a9f5c7..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/strlwr.c +++ /dev/null 
@@ -1,53 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: strlwr.c,v 1.5 2003/04/14 11:44:34 lha Exp $");
-#endif
-#include
-#include
-
-#include
-
-#ifndef HAVE_STRLWR
-char *
-strlwr(char *str)
-{
- char *s;
-
- for(s = str; *s; s++)
- *s = tolower((unsigned char)*s);
- return str;
-}
-#endif
diff --git a/crypto/heimdal-0.6.3/lib/roken/strncasecmp.c b/crypto/heimdal-0.6.3/lib/roken/strncasecmp.c
deleted file mode 100644
index a08d9e84bc..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/strncasecmp.c
+++ /dev/null
@@ -1,62 +0,0 @@ -/* - * Copyright (c) 1998 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#ifdef HAVE_CONFIG_H -#include -RCSID("$Id: strncasecmp.c,v 1.3 2003/04/14 11:46:04 lha Exp $"); -#endif - -#include -#include -#include - -#ifndef HAVE_STRNCASECMP - -int -strncasecmp(const char *s1, const char *s2, size_t n) -{ - while(n > 0 - && toupper((unsigned char)*s1) == toupper((unsigned char)*s2)) - { - if(*s1 == '\0') - return 0; - s1++; - s2++; - n--; - } - if(n == 0) - return 0; - return toupper((unsigned char)*s1) - toupper((unsigned char)*s2); -} - -#endif diff --git a/crypto/heimdal-0.6.3/lib/roken/strndup.c b/crypto/heimdal-0.6.3/lib/roken/strndup.c deleted file mode 100644 index 31e7e9f6a1..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/strndup.c +++ /dev/null 
@@ -1,56 +0,0 @@
-/*
- * Copyright (c) 1995 - 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: strndup.c,v 1.2 1999/12/02 16:58:53 joda Exp $");
-#endif
-#include
-#include
-
-#include
-
-#ifndef HAVE_STRNDUP
-char *
-strndup(const char *old, size_t sz)
-{
- size_t len = strnlen (old, sz);
- char *t = malloc(len + 1);
-
- if (t != NULL) {
- memcpy (t, old, len);
- t[len] = '\0';
- }
- return t;
-}
-#endif /* HAVE_STRNDUP */
diff --git a/crypto/heimdal-0.6.3/lib/roken/strnlen.c b/crypto/heimdal-0.6.3/lib/roken/strnlen.c
deleted file mode 100644
index fffb3b74f5..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/strnlen.c
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright (c) 1995 - 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: strnlen.c,v 1.7 1999/12/02 16:58:53 joda Exp $");
-#endif
-
-#include "roken.h"
-
-size_t
-strnlen(const char *s, size_t len)
-{
- size_t i;
-
- for(i = 0; i < len && s[i]; i++)
- ;
- return i;
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/strpftime-test.c b/crypto/heimdal-0.6.3/lib/roken/strpftime-test.c
deleted file mode 100644
index 7eb8fb85eb..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/strpftime-test.c
+++ /dev/null
@@ -1,287 +0,0 @@ -/* - * Copyright (c) 1999 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of KTH nor the names of its contributors may be - * used to endorse or promote products derived from this software without - * specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY - * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR - * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, - * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR - * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF - * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ - -#ifdef HAVE_CONFIG_H -#include -#endif -#include "roken.h" - -RCSID("$Id: strpftime-test.c,v 1.2 1999/11/12 15:29:55 assar Exp $"); - -enum { MAXSIZE = 26 }; - -static struct testcase { - time_t t; - struct { - const char *format; - const char *result; - } vals[MAXSIZE]; -} tests[] = { - {0, - { - {"%A", "Thursday"}, - {"%a", "Thu"}, - {"%B", "January"}, - {"%b", "Jan"}, - {"%C", "19"}, - {"%d", "01"}, - {"%e", " 1"}, - {"%H", "00"}, - {"%I", "12"}, - {"%j", "001"}, - {"%k", " 0"}, - {"%l", "12"}, - {"%M", "00"}, - {"%m", "01"}, - {"%n", "\n"}, - {"%p", "AM"}, - {"%S", "00"}, - {"%t", "\t"}, - {"%w", "4"}, - {"%Y", "1970"}, - {"%y", "70"}, - {"%U", "00"}, - {"%W", "00"}, - {"%V", "01"}, - {"%%", "%"}, - {NULL, NULL}} - }, - {90000, - { - {"%A", "Friday"}, - {"%a", "Fri"}, - {"%B", "January"}, - {"%b", "Jan"}, - {"%C", "19"}, - {"%d", "02"}, - {"%e", " 2"}, - {"%H", "01"}, - {"%I", "01"}, - {"%j", "002"}, - {"%k", " 1"}, - {"%l", " 1"}, - {"%M", "00"}, - {"%m", "01"}, - {"%n", "\n"}, - {"%p", "AM"}, - {"%S", "00"}, - {"%t", "\t"}, - {"%w", "5"}, - {"%Y", "1970"}, - {"%y", "70"}, - {"%U", "00"}, - {"%W", "00"}, - {"%V", "01"}, - {"%%", "%"}, - {NULL, NULL} - } - }, - {216306, - { - {"%A", "Saturday"}, - {"%a", "Sat"}, - {"%B", "January"}, - {"%b", "Jan"}, - {"%C", "19"}, - {"%d", "03"}, - {"%e", " 3"}, - {"%H", "12"}, - {"%I", "12"}, - {"%j", "003"}, - {"%k", "12"}, - {"%l", "12"}, - {"%M", "05"}, - {"%m", "01"}, - {"%n", "\n"}, - {"%p", "PM"}, - {"%S", "06"}, - {"%t", "\t"}, - {"%w", "6"}, - {"%Y", "1970"}, - {"%y", "70"}, - {"%U", "00"}, - {"%W", "00"}, - {"%V", "01"}, - {"%%", "%"}, - {NULL, NULL} - } - }, - {259200, - { - {"%A", "Sunday"}, - {"%a", "Sun"}, - {"%B", "January"}, - {"%b", "Jan"}, - {"%C", "19"}, - {"%d", "04"}, - {"%e", " 4"}, - {"%H", "00"}, - {"%I", "12"}, - {"%j", "004"}, - {"%k", " 0"}, - {"%l", "12"}, - {"%M", "00"}, - {"%m", "01"}, - {"%n", "\n"}, - {"%p", "AM"}, - {"%S", "00"}, - {"%t", "\t"}, - {"%w", "0"}, - {"%Y", "1970"}, - {"%y", 
"70"}, - {"%U", "01"}, - {"%W", "00"}, - {"%V", "01"}, - {"%%", "%"}, - {NULL, NULL} - } - }, - {915148800, - { - {"%A", "Friday"}, - {"%a", "Fri"}, - {"%B", "January"}, - {"%b", "Jan"}, - {"%C", "19"}, - {"%d", "01"}, - {"%e", " 1"}, - {"%H", "00"}, - {"%I", "12"}, - {"%j", "001"}, - {"%k", " 0"}, - {"%l", "12"}, - {"%M", "00"}, - {"%m", "01"}, - {"%n", "\n"}, - {"%p", "AM"}, - {"%S", "00"}, - {"%t", "\t"}, - {"%w", "5"}, - {"%Y", "1999"}, - {"%y", "99"}, - {"%U", "00"}, - {"%W", "00"}, - {"%V", "53"}, - {"%%", "%"}, - {NULL, NULL}} - }, - {942161105, - { - - {"%A", "Tuesday"}, - {"%a", "Tue"}, - {"%B", "November"}, - {"%b", "Nov"}, - {"%C", "19"}, - {"%d", "09"}, - {"%e", " 9"}, - {"%H", "15"}, - {"%I", "03"}, - {"%j", "313"}, - {"%k", "15"}, - {"%l", " 3"}, - {"%M", "25"}, - {"%m", "11"}, - {"%n", "\n"}, - {"%p", "PM"}, - {"%S", "05"}, - {"%t", "\t"}, - {"%w", "2"}, - {"%Y", "1999"}, - {"%y", "99"}, - {"%U", "45"}, - {"%W", "45"}, - {"%V", "45"}, - {"%%", "%"}, - {NULL, NULL} - } - } -}; - -int -main(int argc, char **argv) -{ - int i, j; - int ret = 0; - - for (i = 0; i < sizeof(tests)/sizeof(tests[0]); ++i) { - struct tm *tm; - - tm = gmtime (&tests[i].t); - - for (j = 0; tests[i].vals[j].format != NULL; ++j) { - char buf[128]; - size_t len; - struct tm tm2; - char *ptr; - - len = strftime (buf, sizeof(buf), tests[i].vals[j].format, tm); - if (len != strlen (buf)) { - printf ("length of strftime(\"%s\") = %d (\"%s\")\n", - tests[i].vals[j].format, len, - buf); - ++ret; - continue; - } - if (strcmp (buf, tests[i].vals[j].result) != 0) { - printf ("result of strftime(\"%s\") = \"%s\" != \"%s\"\n", - tests[i].vals[j].format, buf, - tests[i].vals[j].result); - ++ret; - continue; - } - memset (&tm2, 0, sizeof(tm2)); - ptr = strptime (tests[i].vals[j].result, - tests[i].vals[j].format, - &tm2); - if (ptr == NULL || *ptr != '\0') { - printf ("bad return value from strptime(" - "\"%s\", \"%s\")\n", - tests[i].vals[j].result, - tests[i].vals[j].format); - ++ret; - } - 
strftime (buf, sizeof(buf), tests[i].vals[j].format, &tm2); - if (strcmp (buf, tests[i].vals[j].result) != 0) { - printf ("reverse of \"%s\" failed: \"%s\" vs \"%s\"\n", - tests[i].vals[j].format, - buf, tests[i].vals[j].result); - ++ret; - } - } - } - if (ret) { - printf ("%d errors\n", ret); - return 1; - } else - return 0; -} diff --git a/crypto/heimdal-0.6.3/lib/roken/strptime.c b/crypto/heimdal-0.6.3/lib/roken/strptime.c deleted file mode 100644 index 36f0822431..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/strptime.c +++ /dev/null 
@@ -1,444 +0,0 @@ -/* - * Copyright (c) 1999 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of KTH nor the names of its contributors may be - * used to endorse or promote products derived from this software without - * specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY - * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR - * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, - * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR - * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF - * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ - -#ifdef HAVE_CONFIG_H -#include -#endif -#include -#include "roken.h" - -RCSID("$Id: strptime.c,v 1.2 1999/11/12 15:29:55 assar Exp $"); - -static const char *abb_weekdays[] = { - "Sun", - "Mon", - "Tue", - "Wed", - "Thu", - "Fri", - "Sat", - NULL -}; - -static const char *full_weekdays[] = { - "Sunday", - "Monday", - "Tuesday", - "Wednesday", - "Thursday", - "Friday", - "Saturday", - NULL -}; - -static const char *abb_month[] = { - "Jan", - "Feb", - "Mar", - "Apr", - "May", - "Jun", - "Jul", - "Aug", - "Sep", - "Oct", - "Nov", - "Dec", - NULL -}; - -static const char *full_month[] = { - "January", - "February", - "Mars", - "April", - "May", - "June", - "July", - "August", - "September", - "October", - "November", - "December", - NULL, -}; - -static const char *ampm[] = { - "am", - "pm", - NULL -}; - -/* - * Try to match `*buf' to one of the strings in `strs'. Return the - * index of the matching string (or -1 if none). Also advance buf. - */ - -static int -match_string (const char **buf, const char **strs) -{ - int i = 0; - - for (i = 0; strs[i] != NULL; ++i) { - int len = strlen (strs[i]); - - if (strncasecmp (*buf, strs[i], len) == 0) { - *buf += len; - return i; - } - } - return -1; -} - -/* - * tm_year is relative this year */ - -const int tm_year_base = 1900; - -/* - * Return TRUE iff `year' was a leap year. - */ - -static int -is_leap_year (int year) -{ - return (year % 4) == 0 && ((year % 100) != 0 || (year % 400) == 0); -} - -/* - * Return the weekday [0,6] (0 = Sunday) of the first day of `year' - */ - -static int -first_day (int year) -{ - int ret = 4; - - for (; year > 1970; --year) - ret = (ret + 365 + is_leap_year (year) ? 
1 : 0) % 7; - return ret; -} - -/* - * Set `timeptr' given `wnum' (week number [0, 53]) - */ - -static void -set_week_number_sun (struct tm *timeptr, int wnum) -{ - int fday = first_day (timeptr->tm_year + tm_year_base); - - timeptr->tm_yday = wnum * 7 + timeptr->tm_wday - fday; - if (timeptr->tm_yday < 0) { - timeptr->tm_wday = fday; - timeptr->tm_yday = 0; - } -} - -/* - * Set `timeptr' given `wnum' (week number [0, 53]) - */ - -static void -set_week_number_mon (struct tm *timeptr, int wnum) -{ - int fday = (first_day (timeptr->tm_year + tm_year_base) + 6) % 7; - - timeptr->tm_yday = wnum * 7 + (timeptr->tm_wday + 6) % 7 - fday; - if (timeptr->tm_yday < 0) { - timeptr->tm_wday = (fday + 1) % 7; - timeptr->tm_yday = 0; - } -} - -/* - * Set `timeptr' given `wnum' (week number [0, 53]) - */ - -static void -set_week_number_mon4 (struct tm *timeptr, int wnum) -{ - int fday = (first_day (timeptr->tm_year + tm_year_base) + 6) % 7; - int offset = 0; - - if (fday < 4) - offset += 7; - - timeptr->tm_yday = offset + (wnum - 1) * 7 + timeptr->tm_wday - fday; - if (timeptr->tm_yday < 0) { - timeptr->tm_wday = fday; - timeptr->tm_yday = 0; - } -} - -/* - * - */ - -char * -strptime (const char *buf, const char *format, struct tm *timeptr) -{ - char c; - - for (; (c = *format) != '\0'; ++format) { - char *s; - int ret; - - if (isspace (c)) { - while (isspace (*buf)) - ++buf; - } else if (c == '%' && format[1] != '\0') { - c = *++format; - if (c == 'E' || c == 'O') - c = *++format; - switch (c) { - case 'A' : - ret = match_string (&buf, full_weekdays); - if (ret < 0) - return NULL; - timeptr->tm_wday = ret; - break; - case 'a' : - ret = match_string (&buf, abb_weekdays); - if (ret < 0) - return NULL; - timeptr->tm_wday = ret; - break; - case 'B' : - ret = match_string (&buf, full_month); - if (ret < 0) - return NULL; - timeptr->tm_mon = ret; - break; - case 'b' : - case 'h' : - ret = match_string (&buf, abb_month); - if (ret < 0) - return NULL; - timeptr->tm_mon = ret; - break; - 
case 'C' : - ret = strtol (buf, &s, 10); - if (s == buf) - return NULL; - timeptr->tm_year = (ret * 100) - tm_year_base; - buf = s; - break; - case 'c' : - abort (); - case 'D' : /* %m/%d/%y */ - s = strptime (buf, "%m/%d/%y", timeptr); - if (s == NULL) - return NULL; - buf = s; - break; - case 'd' : - case 'e' : - ret = strtol (buf, &s, 10); - if (s == buf) - return NULL; - timeptr->tm_mday = ret; - buf = s; - break; - case 'H' : - case 'k' : - ret = strtol (buf, &s, 10); - if (s == buf) - return NULL; - timeptr->tm_hour = ret; - buf = s; - break; - case 'I' : - case 'l' : - ret = strtol (buf, &s, 10); - if (s == buf) - return NULL; - if (ret == 12) - timeptr->tm_hour = 0; - else - timeptr->tm_hour = ret; - buf = s; - break; - case 'j' : - ret = strtol (buf, &s, 10); - if (s == buf) - return NULL; - timeptr->tm_yday = ret - 1; - buf = s; - break; - case 'm' : - ret = strtol (buf, &s, 10); - if (s == buf) - return NULL; - timeptr->tm_mon = ret - 1; - buf = s; - break; - case 'M' : - ret = strtol (buf, &s, 10); - if (s == buf) - return NULL; - timeptr->tm_min = ret; - buf = s; - break; - case 'n' : - if (*buf == '\n') - ++buf; - else - return NULL; - break; - case 'p' : - ret = match_string (&buf, ampm); - if (ret < 0) - return NULL; - if (timeptr->tm_hour == 0) { - if (ret == 1) - timeptr->tm_hour = 12; - } else - timeptr->tm_hour += 12; - break; - case 'r' : /* %I:%M:%S %p */ - s = strptime (buf, "%I:%M:%S %p", timeptr); - if (s == NULL) - return NULL; - buf = s; - break; - case 'R' : /* %H:%M */ - s = strptime (buf, "%H:%M", timeptr); - if (s == NULL) - return NULL; - buf = s; - break; - case 'S' : - ret = strtol (buf, &s, 10); - if (s == buf) - return NULL; - timeptr->tm_sec = ret; - buf = s; - break; - case 't' : - if (*buf == '\t') - ++buf; - else - return NULL; - break; - case 'T' : /* %H:%M:%S */ - case 'X' : - s = strptime (buf, "%H:%M:%S", timeptr); - if (s == NULL) - return NULL; - buf = s; - break; - case 'u' : - ret = strtol (buf, &s, 10); - if (s == 
buf) - return NULL; - timeptr->tm_wday = ret - 1; - buf = s; - break; - case 'w' : - ret = strtol (buf, &s, 10); - if (s == buf) - return NULL; - timeptr->tm_wday = ret; - buf = s; - break; - case 'U' : - ret = strtol (buf, &s, 10); - if (s == buf) - return NULL; - set_week_number_sun (timeptr, ret); - buf = s; - break; - case 'V' : - ret = strtol (buf, &s, 10); - if (s == buf) - return NULL; - set_week_number_mon4 (timeptr, ret); - buf = s; - break; - case 'W' : - ret = strtol (buf, &s, 10); - if (s == buf) - return NULL; - set_week_number_mon (timeptr, ret); - buf = s; - break; - case 'x' : - s = strptime (buf, "%Y:%m:%d", timeptr); - if (s == NULL) - return NULL; - buf = s; - break; - case 'y' : - ret = strtol (buf, &s, 10); - if (s == buf) - return NULL; - if (ret < 70) - timeptr->tm_year = 100 + ret; - else - timeptr->tm_year = ret; - buf = s; - break; - case 'Y' : - ret = strtol (buf, &s, 10); - if (s == buf) - return NULL; - timeptr->tm_year = ret - tm_year_base; - buf = s; - break; - case 'Z' : - abort (); - case '\0' : - --format; - /* FALLTHROUGH */ - case '%' : - if (*buf == '%') - ++buf; - else - return NULL; - break; - default : - if (*buf == '%' || *++buf == c) - ++buf; - else - return NULL; - break; - } - } else { - if (*buf == c) - ++buf; - else - return NULL; - } - } - return (char *)buf; -} diff --git a/crypto/heimdal-0.6.3/lib/roken/strsep.c b/crypto/heimdal-0.6.3/lib/roken/strsep.c deleted file mode 100644 index efc714a664..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/strsep.c +++ /dev/null 
@@ -1,61 +0,0 @@
-/*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: strsep.c,v 1.3 1999/12/02 16:58:53 joda Exp $");
-#endif
-
-#include
-
-#include "roken.h"
-
-#ifndef HAVE_STRSEP
-
-char *
-strsep(char **str, const char *delim)
-{
- char *save = *str;
- if(*str == NULL)
- return NULL;
- *str = *str + strcspn(*str, delim);
- if(**str == 0)
- *str = NULL;
- else{
- **str = 0;
- (*str)++;
- }
- return save;
-}
-
-#endif
diff --git a/crypto/heimdal-0.6.3/lib/roken/strsep_copy.c b/crypto/heimdal-0.6.3/lib/roken/strsep_copy.c
deleted file mode 100644
index abe973188c..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/strsep_copy.c
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * Copyright (c) 2000, 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: strsep_copy.c,v 1.4 2002/08/14 17:20:40 joda Exp $");
-#endif
-
-#include
-
-#include "roken.h"
-
-#ifndef HAVE_STRSEP_COPY
-
-/* strsep, but with const stringp, so return string in buf */
-
-ssize_t
-strsep_copy(const char **stringp, const char *delim, char *buf, size_t len)
-{
- const char *save = *stringp;
- size_t l;
- if(save == NULL)
- return -1;
- *stringp = *stringp + strcspn(*stringp, delim);
- l = min(len, *stringp - save);
- if(len > 0) {
- memcpy(buf, save, l);
- buf[l] = '\0';
- }
-
- l = *stringp - save;
- if(**stringp == '\0')
- *stringp = NULL;
- else
- (*stringp)++;
- return l;
-}
-
-#endif
diff --git a/crypto/heimdal-0.6.3/lib/roken/strtok_r.c b/crypto/heimdal-0.6.3/lib/roken/strtok_r.c
deleted file mode 100644
index 45b036aa9f..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/strtok_r.c
+++ /dev/null
@@ -1,65 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: strtok_r.c,v 1.5 1999/12/02 16:58:53 joda Exp $");
-#endif
-
-#include
-
-#include "roken.h"
-
-#ifndef HAVE_STRTOK_R
-
-char *
-strtok_r(char *s1, const char *s2, char **lasts)
-{
- char *ret;
-
- if (s1 == NULL)
- s1 = *lasts;
- while(*s1 && strchr(s2, *s1))
- ++s1;
- if(*s1 == '\0')
- return NULL;
- ret = s1;
- while(*s1 && !strchr(s2, *s1))
- ++s1;
- if(*s1)
- *s1++ = '\0';
- *lasts = s1;
- return ret;
-}
-
-#endif /* HAVE_STRTOK_R */
diff --git a/crypto/heimdal-0.6.3/lib/roken/strupr.c b/crypto/heimdal-0.6.3/lib/roken/strupr.c
deleted file mode 100644
index 9d136e001c..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/strupr.c
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: strupr.c,v 1.5 2003/04/14 11:46:41 lha Exp $");
-#endif
-#include
-#include
-
-#include
-
-#ifndef HAVE_STRUPR
-char *
-strupr(char *str)
-{
- char *s;
-
- for(s = str; *s; s++)
- *s = toupper((unsigned char)*s);
- return str;
-}
-#endif
diff --git a/crypto/heimdal-0.6.3/lib/roken/swab.c b/crypto/heimdal-0.6.3/lib/roken/swab.c
deleted file mode 100644
index c623bd0708..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/swab.c
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-#endif
-#include "roken.h"
-
-#ifndef HAVE_SWAB
-
-RCSID("$Id: swab.c,v 1.7 1999/12/02 16:58:53 joda Exp $");
-
-void
-swab (char *from, char *to, int nbytes)
-{
- while(nbytes >= 2) {
- *(to + 1) = *from;
- *to = *(from + 1);
- to += 2;
- from += 2;
- nbytes -= 2;
- }
-}
-#endif
diff --git a/crypto/heimdal-0.6.3/lib/roken/timeval.c b/crypto/heimdal-0.6.3/lib/roken/timeval.c
deleted file mode 100644
index ea4dee8618..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/timeval.c
+++ /dev/null
@@ -1,84 +0,0 @@
-/*
- * Copyright (c) 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * Timeval stuff
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: timeval.c,v 1.1 2000/03/03 09:02:42 assar Exp $");
-#endif
-
-#include "roken.h"
-
-/*
- * Make `t1' consistent.
- */
-
-void
-timevalfix(struct timeval *t1)
-{
- if (t1->tv_usec < 0) {
- t1->tv_sec--;
- t1->tv_usec += 1000000;
- }
- if (t1->tv_usec >= 1000000) {
- t1->tv_sec++;
- t1->tv_usec -= 1000000;
- }
-}
-
-/*
- * t1 += t2
- */
-
-void
-timevaladd(struct timeval *t1, const struct timeval *t2)
-{
- t1->tv_sec += t2->tv_sec;
- t1->tv_usec += t2->tv_usec;
- timevalfix(t1);
-}
-
-/*
- * t1 -= t2
- */
-
-void
-timevalsub(struct timeval *t1, const struct timeval *t2)
-{
- t1->tv_sec -= t2->tv_sec;
- t1->tv_usec -= t2->tv_usec;
- timevalfix(t1);
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/tm2time.c b/crypto/heimdal-0.6.3/lib/roken/tm2time.c
deleted file mode 100644
index b912e32dae..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/tm2time.c
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: tm2time.c,v 1.7 1999/12/02 16:58:53 joda Exp $");
-#endif
-
-#ifdef TIME_WITH_SYS_TIME
-#include
-#include
-#elif defined(HAVE_SYS_TIME_H)
-#include
-#else
-#include
-#endif
-#include "roken.h"
-
-time_t
-tm2time (struct tm tm, int local)
-{
- time_t t;
-
- tm.tm_isdst = -1;
-
- t = mktime (&tm);
-
- if (!local)
- t += t - mktime (gmtime (&t));
- return t;
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/unsetenv.c b/crypto/heimdal-0.6.3/lib/roken/unsetenv.c
deleted file mode 100644
index 6d95a513dc..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/unsetenv.c
+++ /dev/null
@@ -1,70 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: unsetenv.c,v 1.7 1999/12/02 16:58:53 joda Exp $");
-#endif
-
-#include
-#include
-
-#include "roken.h"
-
-extern char **environ;
-
-/*
- * unsetenv --
- */
-void
-unsetenv(const char *name)
-{
- int len;
- const char *np;
- char **p;
-
- if (name == 0 || environ == 0)
- return;
-
- for (np = name; *np && *np != '='; np++)
- /* nop */;
- len = np - name;
-
- for (p = environ; *p != 0; p++)
- if (strncmp(*p, name, len) == 0 && (*p)[len] == '=')
- break;
-
- for (; *p != 0; p++)
- *p = *(p + 1);
-}
-
diff --git a/crypto/heimdal-0.6.3/lib/roken/unvis.c b/crypto/heimdal-0.6.3/lib/roken/unvis.c
deleted file mode 100644
index 363564c049..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/unvis.c
+++ /dev/null
@@ -1,288 +0,0 @@ -/* $NetBSD: unvis.c,v 1.19 2000/01/22 22:19:13 mycroft Exp $ */ - -/*- - * Copyright (c) 1989, 1993 - * The Regents of the University of California. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#if 1 -#ifdef HAVE_CONFIG_H -#include -RCSID("$Id: unvis.c,v 1.2 2000/12/06 21:41:46 joda Exp $"); -#endif -#include -#ifndef _DIAGASSERT -#define _DIAGASSERT(X) -#endif -#else -#include -#if defined(LIBC_SCCS) && !defined(lint) -#if 0 -static char sccsid[] = "@(#)unvis.c 8.1 (Berkeley) 6/4/93"; -#else -__RCSID("$NetBSD: unvis.c,v 1.19 2000/01/22 22:19:13 mycroft Exp $"); -#endif -#endif /* LIBC_SCCS and not lint */ - -#define __LIBC12_SOURCE__ - -#include "namespace.h" -#endif -#include - -#include -#include -#include -#include - -#if 0 -#ifdef __weak_alias -__weak_alias(strunvis,_strunvis) -__weak_alias(unvis,_unvis) -#endif - -__warn_references(unvis, - "warning: reference to compatibility unvis(); include for correct reference") -#endif - -/* - * decode driven by state machine - */ -#define S_GROUND 0 /* haven't seen escape char */ -#define S_START 1 /* start decoding special sequence */ -#define S_META 2 /* metachar started (M) */ -#define S_META1 3 /* metachar more, regular char (-) */ -#define S_CTRL 4 /* control char started (^) */ -#define S_OCTAL2 5 /* octal digit 2 */ -#define S_OCTAL3 6 /* octal digit 3 */ - -#define isoctal(c) (((u_char)(c)) >= '0' && ((u_char)(c)) <= '7') - -/* - * unvis - decode characters previously encoded by vis - */ -#ifndef HAVE_UNVIS -int -unvis(char *cp, int c, int *astate, int flag) -{ - - _DIAGASSERT(cp != NULL); - _DIAGASSERT(astate != NULL); - - if (flag & UNVIS_END) { - if (*astate == S_OCTAL2 || *astate == S_OCTAL3) { - *astate = S_GROUND; - return (UNVIS_VALID); - } - return (*astate == S_GROUND ? 
UNVIS_NOCHAR : UNVIS_SYNBAD); - } - - switch (*astate) { - - case S_GROUND: - *cp = 0; - if (c == '\\') { - *astate = S_START; - return (0); - } - *cp = c; - return (UNVIS_VALID); - - case S_START: - switch(c) { - case '\\': - *cp = c; - *astate = S_GROUND; - return (UNVIS_VALID); - case '0': case '1': case '2': case '3': - case '4': case '5': case '6': case '7': - *cp = (c - '0'); - *astate = S_OCTAL2; - return (0); - case 'M': - *cp = (char)0200; - *astate = S_META; - return (0); - case '^': - *astate = S_CTRL; - return (0); - case 'n': - *cp = '\n'; - *astate = S_GROUND; - return (UNVIS_VALID); - case 'r': - *cp = '\r'; - *astate = S_GROUND; - return (UNVIS_VALID); - case 'b': - *cp = '\b'; - *astate = S_GROUND; - return (UNVIS_VALID); - case 'a': - *cp = '\007'; - *astate = S_GROUND; - return (UNVIS_VALID); - case 'v': - *cp = '\v'; - *astate = S_GROUND; - return (UNVIS_VALID); - case 't': - *cp = '\t'; - *astate = S_GROUND; - return (UNVIS_VALID); - case 'f': - *cp = '\f'; - *astate = S_GROUND; - return (UNVIS_VALID); - case 's': - *cp = ' '; - *astate = S_GROUND; - return (UNVIS_VALID); - case 'E': - *cp = '\033'; - *astate = S_GROUND; - return (UNVIS_VALID); - case '\n': - /* - * hidden newline - */ - *astate = S_GROUND; - return (UNVIS_NOCHAR); - case '$': - /* - * hidden marker - */ - *astate = S_GROUND; - return (UNVIS_NOCHAR); - } - *astate = S_GROUND; - return (UNVIS_SYNBAD); - - case S_META: - if (c == '-') - *astate = S_META1; - else if (c == '^') - *astate = S_CTRL; - else { - *astate = S_GROUND; - return (UNVIS_SYNBAD); - } - return (0); - - case S_META1: - *astate = S_GROUND; - *cp |= c; - return (UNVIS_VALID); - - case S_CTRL: - if (c == '?') - *cp |= 0177; - else - *cp |= c & 037; - *astate = S_GROUND; - return (UNVIS_VALID); - - case S_OCTAL2: /* second possible octal digit */ - if (isoctal(c)) { - /* - * yes - and maybe a third - */ - *cp = (*cp << 3) + (c - '0'); - *astate = S_OCTAL3; - return (0); - } - /* - * no - done with current sequence, 
push back passed char - */ - *astate = S_GROUND; - return (UNVIS_VALIDPUSH); - - case S_OCTAL3: /* third possible octal digit */ - *astate = S_GROUND; - if (isoctal(c)) { - *cp = (*cp << 3) + (c - '0'); - return (UNVIS_VALID); - } - /* - * we were done, push back passed char - */ - return (UNVIS_VALIDPUSH); - - default: - /* - * decoder in unknown state - (probably uninitialized) - */ - *astate = S_GROUND; - return (UNVIS_SYNBAD); - } -} -#endif - -/* - * strunvis - decode src into dst - * - * Number of chars decoded into dst is returned, -1 on error. - * Dst is null terminated. - */ - -#ifndef HAVE_STRUNVIS -int -strunvis(char *dst, const char *src) -{ - char c; - char *start = dst; - int state = 0; - - _DIAGASSERT(src != NULL); - _DIAGASSERT(dst != NULL); - - while ((c = *src++) != '\0') { - again: - switch (unvis(dst, c, &state, 0)) { - case UNVIS_VALID: - dst++; - break; - case UNVIS_VALIDPUSH: - dst++; - goto again; - case 0: - case UNVIS_NOCHAR: - break; - default: - return (-1); - } - } - if (unvis(dst, c, &state, UNVIS_END) == UNVIS_VALID) - dst++; - *dst = '\0'; - return (dst - start); -} -#endif diff --git a/crypto/heimdal-0.6.3/lib/roken/verify.c b/crypto/heimdal-0.6.3/lib/roken/verify.c deleted file mode 100644 index 842fa9a3ae..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/verify.c +++ /dev/null 
@@ -1,62 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: verify.c,v 1.13 1999/12/02 16:58:53 joda Exp $");
-#endif
-
-#include
-#ifdef HAVE_UNISTD_H
-#include
-#endif
-#ifdef HAVE_CRYPT_H
-#include
-#endif
-#include "roken.h"
-
-int
-unix_verify_user(char *user, char *password)
-{
- struct passwd *pw;
-
- pw = k_getpwnam(user);
- if(pw == NULL)
- return -1;
- if(strlen(pw->pw_passwd) == 0 && strlen(password) == 0)
- return 0;
- if(strcmp(crypt(password, pw->pw_passwd), pw->pw_passwd) == 0)
- return 0;
- return -1;
-}
-
diff --git a/crypto/heimdal-0.6.3/lib/roken/verr.c b/crypto/heimdal-0.6.3/lib/roken/verr.c
deleted file mode 100644
index 67b4512c9d..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/verr.c
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: verr.c,v 1.10 2001/01/25 12:41:39 assar Exp $");
-#endif
-
-#include "roken.h"
-#include
-
-void
-verr(int eval, const char *fmt, va_list ap)
-{
- warnerr(1, fmt, ap);
- exit(eval);
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/verrx.c b/crypto/heimdal-0.6.3/lib/roken/verrx.c
deleted file mode 100644
index 5df5c8ddf8..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/verrx.c
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: verrx.c,v 1.10 2001/01/25 12:41:39 assar Exp $");
-#endif
-
-#include "roken.h"
-#include
-
-void
-verrx(int eval, const char *fmt, va_list ap)
-{
- warnerr(0, fmt, ap);
- exit(eval);
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/vis.c b/crypto/heimdal-0.6.3/lib/roken/vis.c
deleted file mode 100644
index 8dd583215d..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/vis.c
+++ /dev/null
@@ -1,303 +0,0 @@ -/* $NetBSD: vis.c,v 1.19 2000/01/22 22:42:45 mycroft Exp $ */ - -/*- - * Copyright (c) 1999 The NetBSD Foundation, Inc. - * Copyright (c) 1989, 1993 - * The Regents of the University of California. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - - -#if 1 -#ifdef HAVE_CONFIG_H -#include -RCSID("$Id: vis.c,v 1.5 2001/09/03 05:37:23 assar Exp $"); -#endif -#include -#ifndef _DIAGASSERT -#define _DIAGASSERT(X) -#endif -#else -#include -#if !defined(lint) -__RCSID("$NetBSD: vis.c,v 1.19 2000/01/22 22:42:45 mycroft Exp $"); -#endif /* not lint */ -#endif - -#if 0 -#include "namespace.h" -#endif -#include - -#include -#include -#include -#include -#include -#include - -#if 0 -#ifdef __weak_alias -__weak_alias(strsvis,_strsvis) -__weak_alias(strsvisx,_strsvisx) -__weak_alias(strvis,_strvis) -__weak_alias(strvisx,_strvisx) -__weak_alias(svis,_svis) -__weak_alias(vis,_vis) -#endif -#endif - -#undef BELL -#if defined(__STDC__) -#define BELL '\a' -#else -#define BELL '\007' -#endif - -#define isoctal(c) (((u_char)(c)) >= '0' && ((u_char)(c)) <= '7') -#define iswhite(c) (c == ' ' || c == '\t' || c == '\n') -#define issafe(c) (c == '\b' || c == BELL || c == '\r') - -#define MAXEXTRAS 5 - - -#define MAKEEXTRALIST(flag, extra) \ -do { \ - char *pextra = extra; \ - if (flag & VIS_SP) *pextra++ = ' '; \ - if (flag & VIS_TAB) *pextra++ = '\t'; \ - if (flag & VIS_NL) *pextra++ = '\n'; \ - if ((flag & VIS_NOSLASH) == 0) *pextra++ = '\\'; \ - *pextra = '\0'; \ -} while (/*CONSTCOND*/0) - -/* - * This is SVIS, the central macro of vis. - * dst: Pointer to the destination buffer - * c: Character to encode - * flag: Flag word - * nextc: The character following 'c' - * extra: Pointer to the list of extra characters to be - * backslash-protected. 
- */ -#define SVIS(dst, c, flag, nextc, extra) \ -do { \ - int isextra, isc; \ - isextra = strchr(extra, c) != NULL; \ - if (!isextra && \ - isascii((unsigned char)c) && \ - (isgraph((unsigned char)c) || iswhite(c) || \ - ((flag & VIS_SAFE) && issafe(c)))) { \ - *dst++ = c; \ - break; \ - } \ - isc = 0; \ - if (flag & VIS_CSTYLE) { \ - switch (c) { \ - case '\n': \ - isc = 1; *dst++ = '\\'; *dst++ = 'n'; \ - break; \ - case '\r': \ - isc = 1; *dst++ = '\\'; *dst++ = 'r'; \ - break; \ - case '\b': \ - isc = 1; *dst++ = '\\'; *dst++ = 'b'; \ - break; \ - case BELL: \ - isc = 1; *dst++ = '\\'; *dst++ = 'a'; \ - break; \ - case '\v': \ - isc = 1; *dst++ = '\\'; *dst++ = 'v'; \ - break; \ - case '\t': \ - isc = 1; *dst++ = '\\'; *dst++ = 't'; \ - break; \ - case '\f': \ - isc = 1; *dst++ = '\\'; *dst++ = 'f'; \ - break; \ - case ' ': \ - isc = 1; *dst++ = '\\'; *dst++ = 's'; \ - break; \ - case '\0': \ - isc = 1; *dst++ = '\\'; *dst++ = '0'; \ - if (isoctal(nextc)) { \ - *dst++ = '0'; \ - *dst++ = '0'; \ - } \ - } \ - } \ - if (isc) break; \ - if (isextra || ((c & 0177) == ' ') || (flag & VIS_OCTAL)) { \ - *dst++ = '\\'; \ - *dst++ = (u_char)(((unsigned)(u_char)c >> 6) & 03) + '0'; \ - *dst++ = (u_char)(((unsigned)(u_char)c >> 3) & 07) + '0'; \ - *dst++ = (c & 07) + '0'; \ - } else { \ - if ((flag & VIS_NOSLASH) == 0) *dst++ = '\\'; \ - if (c & 0200) { \ - c &= 0177; *dst++ = 'M'; \ - } \ - if (iscntrl((unsigned char)c)) { \ - *dst++ = '^'; \ - if (c == 0177) \ - *dst++ = '?'; \ - else \ - *dst++ = c + '@'; \ - } else { \ - *dst++ = '-'; *dst++ = c; \ - } \ - } \ -} while (/*CONSTCOND*/0) - - -/* - * svis - visually encode characters, also encoding the characters - * pointed to by `extra' - */ -#ifndef HAVE_SVIS -char * -svis(char *dst, int c, int flag, int nextc, const char *extra) -{ - _DIAGASSERT(dst != NULL); - _DIAGASSERT(extra != NULL); - - SVIS(dst, c, flag, nextc, extra); - *dst = '\0'; - return(dst); -} -#endif - - -/* - * strsvis, strsvisx - visually encode 
characters from src into dst - * - * Extra is a pointer to a \0-terminated list of characters to - * be encoded, too. These functions are useful e. g. to - * encode strings in such a way so that they are not interpreted - * by a shell. - * - * Dst must be 4 times the size of src to account for possible - * expansion. The length of dst, not including the trailing NULL, - * is returned. - * - * Strsvisx encodes exactly len bytes from src into dst. - * This is useful for encoding a block of data. - */ -#ifndef HAVE_STRSVIS -int -strsvis(char *dst, const char *src, int flag, const char *extra) -{ - char c; - char *start; - - _DIAGASSERT(dst != NULL); - _DIAGASSERT(src != NULL); - _DIAGASSERT(extra != NULL); - - for (start = dst; (c = *src++) != '\0'; /* empty */) - SVIS(dst, c, flag, *src, extra); - *dst = '\0'; - return (dst - start); -} -#endif - - -#ifndef HAVE_STRVISX -int -strsvisx(char *dst, const char *src, size_t len, int flag, const char *extra) -{ - char c; - char *start; - - _DIAGASSERT(dst != NULL); - _DIAGASSERT(src != NULL); - _DIAGASSERT(extra != NULL); - - for (start = dst; len > 0; len--) { - c = *src++; - SVIS(dst, c, flag, len ? *src : '\0', extra); - } - *dst = '\0'; - return (dst - start); -} -#endif - - -/* - * vis - visually encode characters - */ -#ifndef HAVE_VIS -char * -vis(char *dst, int c, int flag, int nextc) -{ - char extra[MAXEXTRAS]; - - _DIAGASSERT(dst != NULL); - - MAKEEXTRALIST(flag, extra); - SVIS(dst, c, flag, nextc, extra); - *dst = '\0'; - return (dst); -} -#endif - - -/* - * strvis, strvisx - visually encode characters from src into dst - * - * Dst must be 4 times the size of src to account for possible - * expansion. The length of dst, not including the trailing NULL, - * is returned. - * - * Strvisx encodes exactly len bytes from src into dst. - * This is useful for encoding a block of data. 
- */ -#ifndef HAVE_STRVIS -int -strvis(char *dst, const char *src, int flag) -{ - char extra[MAXEXTRAS]; - - MAKEEXTRALIST(flag, extra); - return (strsvis(dst, src, flag, extra)); -} -#endif - - -#ifndef HAVE_STRVISX -int -strvisx(char *dst, const char *src, size_t len, int flag) -{ - char extra[MAXEXTRAS]; - - MAKEEXTRALIST(flag, extra); - return (strsvisx(dst, src, len, flag, extra)); -} -#endif diff --git a/crypto/heimdal-0.6.3/lib/roken/vis.hin b/crypto/heimdal-0.6.3/lib/roken/vis.hin deleted file mode 100644 index a9d09da958..0000000000 --- a/crypto/heimdal-0.6.3/lib/roken/vis.hin +++ /dev/null 
@@ -1,86 +0,0 @@
-/* $NetBSD: vis.h,v 1.11 1999/11/25 16:55:50 wennmach Exp $ */
-/* $Id: vis.hin,v 1.1 2000/12/06 21:35:47 joda Exp $ */
-
-/*-
- * Copyright (c) 1990, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * @(#)vis.h 8.1 (Berkeley) 6/2/93
- */
-
-#ifndef _VIS_H_
-#define _VIS_H_
-
-/*
- * to select alternate encoding format
- */
-#define VIS_OCTAL 0x01 /* use octal \ddd format */
-#define VIS_CSTYLE 0x02 /* use \[nrft0..] where appropiate */
-
-/*
- * to alter set of characters encoded (default is to encode all
- * non-graphic except space, tab, and newline).
- */
-#define VIS_SP 0x04 /* also encode space */
-#define VIS_TAB 0x08 /* also encode tab */
-#define VIS_NL 0x10 /* also encode newline */
-#define VIS_WHITE (VIS_SP | VIS_TAB | VIS_NL)
-#define VIS_SAFE 0x20 /* only encode "unsafe" characters */
-
-/*
- * other
- */
-#define VIS_NOSLASH 0x40 /* inhibit printing '\' */
-
-/*
- * unvis return codes
- */
-#define UNVIS_VALID 1 /* character valid */
-#define UNVIS_VALIDPUSH 2 /* character valid, push back passed char */
-#define UNVIS_NOCHAR 3 /* valid sequence, no character produced */
-#define UNVIS_SYNBAD -1 /* unrecognized escape sequence */
-#define UNVIS_ERROR -2 /* decoder in unknown state (unrecoverable) */
-
-/*
- * unvis flags
- */
-#define UNVIS_END 1 /* no more characters */
-
-char *vis (char *, int, int, int);
-char *svis (char *, int, int, int, const char *);
-int strvis (char *, const char *, int);
-int strsvis (char *, const char *, int, const char *);
-int strvisx (char *, const char *, size_t, int);
-int strsvisx (char *, const char *, size_t, int, const char *);
-int strunvis (char *, const char *);
-int unvis (char *, int, int *, int);
-
-#endif /* !_VIS_H_ */
diff --git a/crypto/heimdal-0.6.3/lib/roken/vsyslog.c b/crypto/heimdal-0.6.3/lib/roken/vsyslog.c
deleted file mode 100644
index c72cf3373e..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/vsyslog.c
+++ /dev/null
@@ -1,115 +0,0 @@
-/*
- * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: vsyslog.c,v 1.6 2000/05/22 22:09:25 assar Exp $");
-#endif
-
-#ifndef HAVE_VSYSLOG
-
-#include
-#include
-#include
-
-#include "roken.h"
-
-/*
- * the theory behind this is that we might be trying to call vsyslog
- * when there's no memory left, and we should try to be as useful as
- * possible. And the format string should say something about what's
- * failing.
- */
-
-static void
-simple_vsyslog(int pri, const char *fmt, va_list ap)
-{
- syslog (pri, "%s", fmt);
-}
-
-/*
- * do like syslog but with a `va_list'
- */
-
-void
-vsyslog(int pri, const char *fmt, va_list ap)
-{
- char *fmt2;
- const char *p;
- char *p2;
- int saved_errno = errno;
- int fmt_len = strlen (fmt);
- int fmt2_len = fmt_len;
- char *buf;
-
- fmt2 = malloc (fmt_len + 1);
- if (fmt2 == NULL) {
- simple_vsyslog (pri, fmt, ap);
- return;
- }
-
- for (p = fmt, p2 = fmt2; *p != '\0'; ++p) {
- if (p[0] == '%' && p[1] == 'm') {
- const char *e = strerror (saved_errno);
- int e_len = strlen (e);
- char *tmp;
- int pos;
-
- pos = p2 - fmt2;
- fmt2_len += e_len - 2;
- tmp = realloc (fmt2, fmt2_len + 1);
- if (tmp == NULL) {
- free (fmt2);
- simple_vsyslog (pri, fmt, ap);
- return;
- }
- fmt2 = tmp;
- p2 = fmt2 + pos;
- memmove (p2, e, e_len);
- p2 += e_len;
- ++p;
- } else
- *p2++ = *p;
- }
- *p2 = '\0';
-
- vasprintf (&buf, fmt2, ap);
- free (fmt2);
- if (buf == NULL) {
- simple_vsyslog (pri, fmt, ap);
- return;
- }
- syslog (pri, "%s", buf);
- free (buf);
-}
-#endif
diff --git a/crypto/heimdal-0.6.3/lib/roken/vwarn.c b/crypto/heimdal-0.6.3/lib/roken/vwarn.c
deleted file mode 100644
index 4034b1b8b2..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/vwarn.c
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: vwarn.c,v 1.10 2001/01/25 12:41:39 assar Exp $");
-#endif
-
-#include "roken.h"
-#include
-
-void
-vwarn(const char *fmt, va_list ap)
-{
- warnerr(1, fmt, ap);
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/vwarnx.c b/crypto/heimdal-0.6.3/lib/roken/vwarnx.c
deleted file mode 100644
index 7449a75b3c..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/vwarnx.c
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: vwarnx.c,v 1.10 2001/01/25 12:41:39 assar Exp $");
-#endif
-
-#include "roken.h"
-#include
-
-void
-vwarnx(const char *fmt, va_list ap)
-{
- warnerr(0, fmt, ap);
-}
-
diff --git a/crypto/heimdal-0.6.3/lib/roken/warn.c b/crypto/heimdal-0.6.3/lib/roken/warn.c
deleted file mode 100644
index d8ee335106..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/warn.c
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: warn.c,v 1.6 1999/12/02 16:58:54 joda Exp $");
-#endif
-
-#include "err.h"
-
-void
-warn(const char *fmt, ...)
-{
- va_list ap;
- va_start(ap, fmt);
- vwarn(fmt, ap);
- va_end(ap);
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/warnerr.c b/crypto/heimdal-0.6.3/lib/roken/warnerr.c
deleted file mode 100644
index 0509d1909e..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/warnerr.c
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
- * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: warnerr.c,v 1.15 2001/07/09 14:56:51 assar Exp $");
-#endif
-
-#include "roken.h"
-#include "err.h"
-
-void
-warnerr(int doerrno, const char *fmt, va_list ap)
-{
- int sverrno = errno;
- const char *progname = getprogname();
-
- if(progname != NULL){
- fprintf(stderr, "%s", progname);
- if(fmt != NULL || doerrno)
- fprintf(stderr, ": ");
- }
- if (fmt != NULL){
- vfprintf(stderr, fmt, ap);
- if(doerrno)
- fprintf(stderr, ": ");
- }
- if(doerrno)
- fprintf(stderr, "%s", strerror(sverrno));
- fprintf(stderr, "\n");
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/warnx.c b/crypto/heimdal-0.6.3/lib/roken/warnx.c
deleted file mode 100644
index c991176a9d..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/warnx.c
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: warnx.c,v 1.6 1999/12/02 16:58:54 joda Exp $");
-#endif
-
-#include "err.h"
-
-void
-warnx(const char *fmt, ...)
-{
- va_list ap;
- va_start(ap, fmt);
- vwarnx(fmt, ap);
- va_end(ap);
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/write_pid.c b/crypto/heimdal-0.6.3/lib/roken/write_pid.c
deleted file mode 100644
index 763b513ef3..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/write_pid.c
+++ /dev/null
@@ -1,99 +0,0 @@
-/*
- * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: write_pid.c,v 1.6 2001/09/02 23:58:15 assar Exp $");
-#endif
-
-#include
-#include
-#include
-#include
-
-#include "roken.h"
-
-char *
-pid_file_write (const char *progname)
-{
- FILE *fp;
- char *ret;
-
- asprintf (&ret, "%s%s.pid", _PATH_VARRUN, progname);
- if (ret == NULL)
- return NULL;
- fp = fopen (ret, "w");
- if (fp == NULL) {
- free (ret);
- return NULL;
- }
- fprintf (fp, "%u", (unsigned)getpid());
- fclose (fp);
- return ret;
-}
-
-void
-pid_file_delete (char **filename)
-{
- if (*filename != NULL) {
- unlink (*filename);
- free (*filename);
- *filename = NULL;
- }
-}
-
-#ifndef HAVE_PIDFILE
-static char *pidfile_path;
-
-static void
-pidfile_cleanup(void)
-{
- if(pidfile_path != NULL)
- pid_file_delete(&pidfile_path);
-}
-
-void
-pidfile(const char *basename)
-{
- if(pidfile_path != NULL)
- return;
- if(basename == NULL)
- basename = getprogname();
- pidfile_path = pid_file_write(basename);
-#if defined(HAVE_ATEXIT)
- atexit(pidfile_cleanup);
-#elif defined(HAVE_ON_EXIT)
- on_exit(pidfile_cleanup);
-#endif
-}
-#endif
diff --git a/crypto/heimdal-0.6.3/lib/roken/writev.c b/crypto/heimdal-0.6.3/lib/roken/writev.c
deleted file mode 100644
index e3859bfe33..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/writev.c
+++ /dev/null
@@ -1,64 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: writev.c,v 1.3 1999/12/02 16:58:54 joda Exp $");
-#endif
-
-#include "roken.h"
-
-ssize_t
-writev(int d, const struct iovec *iov, int iovcnt)
-{
- ssize_t ret;
- size_t tot = 0;
- int i;
- char *buf, *p;
-
- for(i = 0; i < iovcnt; ++i)
- tot += iov[i].iov_len;
- buf = malloc(tot);
- if (tot != 0 && buf == NULL) {
- errno = ENOMEM;
- return -1;
- }
- p = buf;
- for (i = 0; i < iovcnt; ++i) {
- memcpy (p, iov[i].iov_base, iov[i].iov_len);
- p += iov[i].iov_len;
- }
- ret = write (d, buf, tot);
- free (buf);
- return ret;
-}
diff --git a/crypto/heimdal-0.6.3/lib/roken/xdbm.h b/crypto/heimdal-0.6.3/lib/roken/xdbm.h
deleted file mode 100644
index 6e65217625..0000000000
--- a/crypto/heimdal-0.6.3/lib/roken/xdbm.h
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Copyright (c) 1995 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: xdbm.h,v 1.15 2002/05/17 16:02:22 joda Exp $ */
-
-/* Generic *dbm include file */
-
-#ifndef __XDBM_H__
-#define __XDBM_H__
-
-#if HAVE_DB_NDBM
-#define DB_DBM_HSEARCH 1
-#include
-#elif HAVE_NDBM
-#if defined(HAVE_GDBM_NDBM_H)
-#include
-#elif defined(HAVE_NDBM_H)
-#include
-#endif
-#endif /* HAVE_NDBM */
-
-#endif /* __XDBM_H__ */
diff --git a/crypto/heimdal-0.6.3/lib/sl/ChangeLog b/crypto/heimdal-0.6.3/lib/sl/ChangeLog
deleted file mode 100644
index e25ae812d9..0000000000
--- a/crypto/heimdal-0.6.3/lib/sl/ChangeLog
+++ /dev/null
@@ -1,192 +0,0 @@ -2002-05-19 Johan Danielsson - - * Makefile.am: just link mk_cmds against libsl; avoids libtool - problem - -2001-07-09 Assar Westerlund - - * Makefile.am: add getprogname.c libss.la:add libcom_err.la noted - by Leif Johansson - -2001-05-17 Assar Westerlund - - * Makefile.am: bump versions to 1:2:1 and 1:4:1 - -2001-05-06 Assar Westerlund - - * roken_rename.h (strdup): add - -2001-03-06 Assar Westerlund - - * Makefile.am: re do the roken-renaming properly - -2001-02-13 Assar Westerlund - - * Makefile.am: add more functions to rename - -2001-01-26 Johan Danielsson - - * sl.h: proto - - * sl.c (sl_command_loop): try to handle user pressing C-c - -2000-12-11 Assar Westerlund - - * Makefile.am (libss_la_LDFLAGS): bump version to 1:2:1 - -2000-08-19 Assar Westerlund - - * Makefile.am: add dependencies for libss/libsl shared libraries - -2000-07-25 Johan Danielsson - - * Makefile.am: bump ss version to 1:1:1 - -2000-06-27 Assar Westerlund - - * parse.y (yyerror): static-ize - * make_cmds.h (error_message, yylex): add prototypes - * lex.l: fix prototypes and kill warnings - -2000-05-24 Assar Westerlund - - * ss.h (SS_ET_COMMAND_NOT_FOUND): add - * ss.c: check allocation and return some other error codes too - -2000-04-29 Assar Westerlund - - * Makefile.in: add LIB_tgetent. From Derrick J Brashear - - -2000-04-03 Assar Westerlund - - * Makefile.am: set version to 1:0:1 - -2000-03-07 Assar Westerlund - - * sl.h (SL_BADCOMMAND): define - (sl_apropos): add prototype - - * sl.c: mandoc-generation - (sl_apropos): stolen from arla - -2000-01-06 Assar Westerlund - - * Makefile.am: bump both versions to 0:1:0 - -1999-12-16 Assar Westerlund - - * parse.y (name2number): not used here. remove. 
- -Thu Apr 1 17:03:59 1999 Johan Danielsson - - * make_cmds.c: use getarg - -Tue Mar 23 14:36:21 1999 Johan Danielsson - - * Makefile.am: don't rename - -Sun Mar 21 14:13:29 1999 Johan Danielsson - - * Makefile.am: don't roken-rename - -Sat Mar 20 03:43:30 1999 Assar Westerlund - - * parse.y: replace return with YYACCEPT - -Fri Mar 19 14:53:20 1999 Johan Danielsson - - * Makefile.am: add libss; add version-info - -Thu Mar 18 15:07:06 1999 Johan Danielsson - - * Makefile.am: clean lex.c parse.c parse.h - - * Makefile.am: install ss.h - - * Makefile.am: include Makefile.am.common - -Thu Mar 11 15:01:01 1999 Johan Danielsson - - * parse.y: prototype for error_message - -Tue Feb 9 23:45:37 1999 Johan Danielsson - - * Makefile.in: add snprintf.o to make_cmds - -Sun Nov 22 10:46:23 1998 Assar Westerlund - - * sl.c (sl_command_loop): remove unused variable - - * ss.c (ss_error): remove unused variable - - * make_cmds.c: include err.h - (main): remove unused variable - - * Makefile.in (WFLAGS): set - -Sun Sep 27 01:28:21 1998 Assar Westerlund - - * make_cmds.c: clean-up and simplification - -Mon May 25 02:54:13 1998 Assar Westerlund - - * Makefile.in (clean): try to remove shared library debris - - * Makefile.in: make symlink magic work - -Sun Apr 19 10:00:26 1998 Assar Westerlund - - * Makefile.in: add symlink magic for linux - -Sun Apr 5 09:21:43 1998 Assar Westerlund - - * parse.y: define alloca to malloc in case we're using bison but - don't have alloca - -Sat Mar 28 11:39:00 1998 Assar Westerlund - - * sl.c (sl_loop): s/2/1 - -Sat Mar 21 00:46:51 1998 Johan Danielsson - - * sl.c (sl_loop): check that there is at least one argument before - calling sl_command - -Sun Mar 1 05:14:37 1998 Johan Danielsson - - * sl.c (sl_loop): Fix general broken-ness. - - * sl.c: Cleanup printing of help strings. 
- -Thu Feb 26 02:22:02 1998 Assar Westerlund - - * Makefile.am: @LEXLIB@ - -Sat Feb 21 15:18:21 1998 assar westerlund - - * Makefile.in: set YACC and LEX - -Mon Feb 16 16:08:25 1998 Johan Danielsson - - * Makefile.am: Some fixes for ss/mk_cmds. - -Sun Feb 15 05:12:11 1998 Johan Danielsson - - * Makefile.in: Install libsl under the `libss' name too. Install - mk_cmds, and ss.h. - - * make_cmds.c: A mk_cmds clone that creates SL structures. - - * ss.c: SS compatibility functions. - - * sl.c: Move command line split to function `sl_make_argv'. - -Tue Feb 3 16:45:44 1998 Johan Danielsson - - * sl.c: Add sl_command_loop, that is the loop body of sl_loop. - -Mon Oct 20 01:13:21 1997 Assar Westerlund - - * sl.c (sl_help): actually use the `help' field of `SL_cmd' - diff --git a/crypto/heimdal-0.6.3/lib/sl/Makefile.am b/crypto/heimdal-0.6.3/lib/sl/Makefile.am deleted file mode 100644 index 2589e58708..0000000000 --- a/crypto/heimdal-0.6.3/lib/sl/Makefile.am +++ /dev/null 
@@ -1,52 +0,0 @@
-# $Id: Makefile.am,v 1.29 2002/08/13 13:48:17 joda Exp $
-
-include $(top_srcdir)/Makefile.am.common
-
-if do_roken_rename
-ES = strtok_r.c snprintf.c strdup.c strupr.c getprogname.c
-endif
-
-INCLUDES += $(ROKEN_RENAME)
-
-YFLAGS = -d
-
-include_HEADERS = sl.h
-
-lib_LTLIBRARIES = libsl.la libss.la
-libsl_la_LDFLAGS = -version-info 1:2:1
-libss_la_LDFLAGS = -version-info 1:4:1
-
-libsl_la_LIBADD = @LIB_readline@
-libss_la_LIBADD = @LIB_readline@ @LIB_com_err@
-
-libsl_la_SOURCES = sl_locl.h sl.c $(ES)
-libss_la_SOURCES = $(libsl_la_SOURCES) ss.c ss.h
-
-# install these?
-
-bin_PROGRAMS = mk_cmds
-
-mk_cmds_SOURCES = make_cmds.c make_cmds.h parse.y lex.l
-mk_cmds_LDADD = libsl.la $(LDADD)
-
-ssincludedir = $(includedir)/ss
-ssinclude_HEADERS = ss.h
-
-CLEANFILES = lex.c parse.c parse.h snprintf.c strtok_r.c strdup.c strupr.c getprogname.c
-
-$(mk_cmds_OBJECTS): parse.h parse.c
-
-LDADD = \
- $(LIB_roken) \
- $(LEXLIB)
-
-strtok_r.c:
- $(LN_S) $(srcdir)/../roken/strtok_r.c .
-snprintf.c:
- $(LN_S) $(srcdir)/../roken/snprintf.c .
-strdup.c:
- $(LN_S) $(srcdir)/../roken/strdup.c .
-strupr.c:
- $(LN_S) $(srcdir)/../roken/strupr.c .
-getprogname.c:
- $(LN_S) $(srcdir)/../roken/getprogname.c .
diff --git a/crypto/heimdal-0.6.3/lib/sl/Makefile.in b/crypto/heimdal-0.6.3/lib/sl/Makefile.in
deleted file mode 100644
index a970795b3f..0000000000
--- a/crypto/heimdal-0.6.3/lib/sl/Makefile.in
+++ /dev/null
@@ -1,920 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.29 2002/08/13 13:48:17 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - - - -SOURCES = $(libsl_la_SOURCES) $(libss_la_SOURCES) $(mk_cmds_SOURCES) - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../.. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(include_HEADERS) $(srcdir)/Makefile.am \ - $(srcdir)/Makefile.in $(ssinclude_HEADERS) \ - $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common ChangeLog lex.c parse.c \ - parse.h -bin_PROGRAMS = mk_cmds$(EXEEXT) -subdir = lib/sl -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 
$(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - $(top_srcdir)/cf/krb-struct-spwd.m4 \ - $(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(includedir)" "$(DESTDIR)$(ssincludedir)" -libLTLIBRARIES_INSTALL = $(INSTALL) -LTLIBRARIES = $(lib_LTLIBRARIES) -libsl_la_DEPENDENCIES = -am__libsl_la_SOURCES_DIST = sl_locl.h sl.c strtok_r.c snprintf.c \ - strdup.c strupr.c getprogname.c -@do_roken_rename_TRUE@am__objects_1 = strtok_r.lo snprintf.lo \ -@do_roken_rename_TRUE@ strdup.lo strupr.lo getprogname.lo -am_libsl_la_OBJECTS = sl.lo $(am__objects_1) -libsl_la_OBJECTS = $(am_libsl_la_OBJECTS) -libss_la_DEPENDENCIES = -am__libss_la_SOURCES_DIST = sl_locl.h sl.c strtok_r.c snprintf.c \ - strdup.c strupr.c getprogname.c ss.c ss.h -am__objects_2 = sl.lo $(am__objects_1) -am_libss_la_OBJECTS = $(am__objects_2) ss.lo -libss_la_OBJECTS = $(am_libss_la_OBJECTS) -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -PROGRAMS = $(bin_PROGRAMS) -am_mk_cmds_OBJECTS = make_cmds.$(OBJEXT) parse.$(OBJEXT) lex.$(OBJEXT) -mk_cmds_OBJECTS = $(am_mk_cmds_OBJECTS) -am__DEPENDENCIES_1 = -am__DEPENDENCIES_2 = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) -mk_cmds_DEPENDENCIES = libsl.la $(am__DEPENDENCIES_2) -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -LEXCOMPILE = $(LEX) $(LFLAGS) $(AM_LFLAGS) -LTLEXCOMPILE = $(LIBTOOL) --mode=compile $(LEX) $(LFLAGS) $(AM_LFLAGS) -YACCCOMPILE = $(YACC) $(YFLAGS) $(AM_YFLAGS) -LTYACCCOMPILE = $(LIBTOOL) --mode=compile $(YACC) $(YFLAGS) \ - $(AM_YFLAGS) -SOURCES = $(libsl_la_SOURCES) $(libss_la_SOURCES) $(mk_cmds_SOURCES) -DIST_SOURCES = $(am__libsl_la_SOURCES_DIST) \ - $(am__libss_la_SOURCES_DIST) $(mk_cmds_SOURCES) -includeHEADERS_INSTALL = $(INSTALL_HEADER) -ssincludeHEADERS_INSTALL = $(INSTALL_HEADER) -HEADERS = $(include_HEADERS) $(ssinclude_HEADERS) -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = 
@EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = 
@LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ 
-ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(ROKEN_RENAME) -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = 
@HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -@do_roken_rename_TRUE@ES = strtok_r.c snprintf.c strdup.c strupr.c getprogname.c -YFLAGS = -d -include_HEADERS = sl.h -lib_LTLIBRARIES = libsl.la libss.la -libsl_la_LDFLAGS = -version-info 1:2:1 -libss_la_LDFLAGS = -version-info 1:4:1 -libsl_la_LIBADD = @LIB_readline@ -libss_la_LIBADD = @LIB_readline@ @LIB_com_err@ -libsl_la_SOURCES = sl_locl.h sl.c $(ES) -libss_la_SOURCES = $(libsl_la_SOURCES) ss.c ss.h -mk_cmds_SOURCES = make_cmds.c make_cmds.h parse.y lex.l -mk_cmds_LDADD = libsl.la $(LDADD) -ssincludedir = $(includedir)/ss -ssinclude_HEADERS = ss.h -CLEANFILES = lex.c parse.c parse.h snprintf.c strtok_r.c strdup.c strupr.c getprogname.c -LDADD = \ - $(LIB_roken) \ - $(LEXLIB) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .l .lo .o .obj .y -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps lib/sl/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps lib/sl/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' 
in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -install-libLTLIBRARIES: $(lib_LTLIBRARIES) - @$(NORMAL_INSTALL) - test -z "$(libdir)" || $(mkdir_p) "$(DESTDIR)$(libdir)" - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - if test -f $$p; then \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \ - $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \ - else :; fi; \ - done - -uninstall-libLTLIBRARIES: - @$(NORMAL_UNINSTALL) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - p="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \ - $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \ - done - -clean-libLTLIBRARIES: - -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ - test "$$dir" = "$$p" && dir=.; \ - echo "rm -f \"$${dir}/so_locations\""; \ - rm -f "$${dir}/so_locations"; \ - done -libsl.la: $(libsl_la_OBJECTS) $(libsl_la_DEPENDENCIES) - $(LINK) -rpath $(libdir) $(libsl_la_LDFLAGS) $(libsl_la_OBJECTS) $(libsl_la_LIBADD) $(LIBS) -libss.la: $(libss_la_OBJECTS) $(libss_la_DEPENDENCIES) - $(LINK) -rpath 
$(libdir) $(libss_la_LDFLAGS) $(libss_la_OBJECTS) $(libss_la_LIBADD) $(LIBS) -install-binPROGRAMS: $(bin_PROGRAMS) - @$(NORMAL_INSTALL) - test -z "$(bindir)" || $(mkdir_p) "$(DESTDIR)$(bindir)" - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(bindir)/$$f'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(bindir)/$$f" || exit 1; \ - else :; fi; \ - done - -uninstall-binPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f '$(DESTDIR)$(bindir)/$$f'"; \ - rm -f "$(DESTDIR)$(bindir)/$$f"; \ - done - -clean-binPROGRAMS: - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -parse.h: parse.c - @if test ! 
-f $@; then \ - rm -f parse.c; \ - $(MAKE) parse.c; \ - else :; fi -mk_cmds$(EXEEXT): $(mk_cmds_OBJECTS) $(mk_cmds_DEPENDENCIES) - @rm -f mk_cmds$(EXEEXT) - $(LINK) $(mk_cmds_LDFLAGS) $(mk_cmds_OBJECTS) $(mk_cmds_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c $< - -.c.obj: - $(COMPILE) -c `$(CYGPATH_W) '$<'` - -.c.lo: - $(LTCOMPILE) -c -o $@ $< - -.l.c: - $(LEXCOMPILE) $< - sed '/^#/ s|$(LEX_OUTPUT_ROOT)\.c|$@|' $(LEX_OUTPUT_ROOT).c >$@ - rm -f $(LEX_OUTPUT_ROOT).c - -.y.c: - $(YACCCOMPILE) $< - if test -f y.tab.h; then \ - to=`echo "$*_H" | sed \ - -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/' \ - -e 's/[^ABCDEFGHIJKLMNOPQRSTUVWXYZ]/_/g'`; \ - sed "/^#/ s/Y_TAB_H/$$to/g" y.tab.h >$*.ht; \ - rm -f y.tab.h; \ - if cmp -s $*.ht $*.h; then \ - rm -f $*.ht ;\ - else \ - mv $*.ht $*.h; \ - fi; \ - fi - if test -f y.output; then \ - mv y.output $*.output; \ - fi - sed '/^#/ s|y\.tab\.c|$@|' y.tab.c >$@t && mv $@t $@ - rm -f y.tab.c - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -install-includeHEADERS: $(include_HEADERS) - @$(NORMAL_INSTALL) - test -z "$(includedir)" || $(mkdir_p) "$(DESTDIR)$(includedir)" - @list='$(include_HEADERS)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \ - $(includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \ - done - -uninstall-includeHEADERS: - @$(NORMAL_UNINSTALL) - @list='$(include_HEADERS)'; for p in $$list; do \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " rm -f '$(DESTDIR)$(includedir)/$$f'"; \ - rm -f "$(DESTDIR)$(includedir)/$$f"; \ - done -install-ssincludeHEADERS: $(ssinclude_HEADERS) - @$(NORMAL_INSTALL) - test -z "$(ssincludedir)" || $(mkdir_p) "$(DESTDIR)$(ssincludedir)" - 
@list='$(ssinclude_HEADERS)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(ssincludeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(ssincludedir)/$$f'"; \ - $(ssincludeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(ssincludedir)/$$f"; \ - done - -uninstall-ssincludeHEADERS: - @$(NORMAL_UNINSTALL) - @list='$(ssinclude_HEADERS)'; for p in $$list; do \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " rm -f '$(DESTDIR)$(ssincludedir)/$$f'"; \ - rm -f "$(DESTDIR)$(ssincludedir)/$$f"; \ - done - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH 
tags - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/../.. $(distdir)/../../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(HEADERS) all-local -install-binPROGRAMS: install-libLTLIBRARIES - -installdirs: - for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(includedir)" "$(DESTDIR)$(ssincludedir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -test -z 
"$(CLEANFILES)" || rm -f $(CLEANFILES) - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." - -rm -f parse.h - -rm -f lex.c - -rm -f parse.c -clean: clean-am - -clean-am: clean-binPROGRAMS clean-generic clean-libLTLIBRARIES \ - clean-libtool mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: install-includeHEADERS install-ssincludeHEADERS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: install-binPROGRAMS install-libLTLIBRARIES - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-binPROGRAMS uninstall-includeHEADERS \ - uninstall-info-am uninstall-libLTLIBRARIES \ - uninstall-ssincludeHEADERS - -.PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \ - clean clean-binPROGRAMS clean-generic clean-libLTLIBRARIES \ - clean-libtool ctags distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-binPROGRAMS install-data install-data-am install-exec \ - install-exec-am install-includeHEADERS install-info \ - install-info-am install-libLTLIBRARIES install-man \ - install-ssincludeHEADERS install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - 
maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags uninstall uninstall-am uninstall-binPROGRAMS \ - uninstall-includeHEADERS uninstall-info-am \ - uninstall-libLTLIBRARIES uninstall-ssincludeHEADERS - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) 
foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -$(mk_cmds_OBJECTS): parse.h parse.c - -strtok_r.c: - $(LN_S) $(srcdir)/../roken/strtok_r.c . -snprintf.c: - $(LN_S) $(srcdir)/../roken/snprintf.c . -strdup.c: - $(LN_S) $(srcdir)/../roken/strdup.c . -strupr.c: - $(LN_S) $(srcdir)/../roken/strupr.c . -getprogname.c: - $(LN_S) $(srcdir)/../roken/getprogname.c . -# Tell versions [3.59,3.63) of GNU make to not export all variables. 
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/crypto/heimdal-0.6.3/lib/sl/lex.l b/crypto/heimdal-0.6.3/lib/sl/lex.l
deleted file mode 100644
index 3e394793d8..0000000000
--- a/crypto/heimdal-0.6.3/lib/sl/lex.l
+++ /dev/null
@@ -1,119 +0,0 @@
-%{
-/*
- * Copyright (c) 1998 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#undef ECHO
-
-#include "make_cmds.h"
-#include "parse.h"
-
-RCSID("$Id: lex.l,v 1.6 2001/09/16 23:10:10 assar Exp $");
-
-static unsigned lineno = 1;
-static int getstring(void);
-
-#define YY_NO_UNPUT
-
-#undef ECHO
-
-%}
-
-
-%%
-command_table { return TABLE; }
-request { return REQUEST; }
-unknown { return UNKNOWN; }
-unimplemented { return UNIMPLEMENTED; }
-end { return END; }
-#[^\n]* ;
-[ \t] ;
-\n { lineno++; }
-\" { return getstring(); }
-[a-zA-Z0-9_]+ { yylval.string = strdup(yytext); return STRING; }
-. { return *yytext; }
-%%
-
-#ifndef yywrap /* XXX */
-int
-yywrap ()
-{
- return 1;
-}
-#endif
-
-static int
-getstring(void)
-{
- char x[128];
- int i = 0;
- int c;
- int backslash = 0;
- while((c = input()) != EOF){
- if(backslash) {
- if(c == 'n')
- c = '\n';
- else if(c == 't')
- c = '\t';
- x[i++] = c;
- backslash = 0;
- continue;
- }
- if(c == '\n'){
- error_message("unterminated string");
- lineno++;
- break;
- }
- if(c == '\\'){
- backslash++;
- continue;
- }
- if(c == '\"')
- break;
- x[i++] = c;
- }
- x[i] = '\0';
- yylval.string = strdup(x);
- return STRING;
-}
-
-void
-error_message (const char *format, ...)
-{
- va_list args;
-
- va_start (args, format);
- fprintf (stderr, "%s:%d: ", filename, lineno);
- vfprintf (stderr, format, args);
- va_end (args);
- numerror++;
-}
diff --git a/crypto/heimdal-0.6.3/lib/sl/make_cmds.c b/crypto/heimdal-0.6.3/lib/sl/make_cmds.c
deleted file mode 100644
index 723dfdcee7..0000000000
--- a/crypto/heimdal-0.6.3/lib/sl/make_cmds.c
+++ /dev/null
@@ -1,240 +0,0 @@ -/* - * Copyright (c) 1998-1999 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "make_cmds.h" -#include - -RCSID("$Id: make_cmds.c,v 1.7 2001/02/20 01:44:55 assar Exp $"); - -#include -#include -#include "parse.h" - -int numerror; -extern FILE *yyin; -FILE *c_file; - -extern void yyparse(void); - -#ifdef YYDEBUG -extern int yydebug = 1; -#endif - -char *filename; -char *table_name; - -static struct command_list *commands; - -void -add_command(char *function, - char *help, - struct string_list *aliases, - unsigned flags) -{ - struct command_list *cl = malloc(sizeof(*cl)); - - if (cl == NULL) - err (1, "malloc"); - cl->function = function; - cl->help = help; - cl->aliases = aliases; - cl->flags = flags; - cl->next = NULL; - if(commands) { - *commands->tail = cl; - commands->tail = &cl->next; - return; - } - cl->tail = &cl->next; - commands = cl; -} - -static char * -quote(const char *str) -{ - char buf[1024]; /* XXX */ - const char *p; - char *q; - q = buf; - - *q++ = '\"'; - for(p = str; *p != '\0'; p++) { - if(*p == '\n') { - *q++ = '\\'; - *q++ = 'n'; - continue; - } - if(*p == '\t') { - *q++ = '\\'; - *q++ = 't'; - continue; - } - if(*p == '\"' || *p == '\\') - *q++ = '\\'; - *q++ = *p; - } - *q++ = '\"'; - *q++ = '\0'; - return strdup(buf); -} - -static void -generate_commands(void) -{ - char *base; - char *cfn; - char *p; - - p = strrchr(table_name, '/'); - if(p == NULL) - p = table_name; - else - p++; - - base = strdup (p); - if (base == NULL) - err (1, "strdup"); - - p = strrchr(base, '.'); - if(p) - *p = '\0'; - - asprintf(&cfn, "%s.c", base); - if (cfn == NULL) - err (1, "asprintf"); - - c_file = fopen(cfn, "w"); - if (c_file == NULL) - err (1, "cannot fopen %s", cfn); - - fprintf(c_file, "/* Generated from %s */\n", filename); - fprintf(c_file, "\n"); - fprintf(c_file, "#include \n"); - fprintf(c_file, "#include \n"); - fprintf(c_file, "\n"); - - { - struct command_list *cl, *xl; - char *p, *q; - - for(cl = commands; cl; cl = cl->next) { - for(xl = commands; xl != cl; xl = xl->next) - if(strcmp(cl->function, 
xl->function) == 0) - break; - if(xl != cl) - continue; - /* XXX hack for ss_quit */ - if(strcmp(cl->function, "ss_quit") == 0) { - fprintf(c_file, "int %s (int, char**);\n", cl->function); - fprintf(c_file, "#define _ss_quit_wrap ss_quit\n\n"); - continue; - } - fprintf(c_file, "void %s (int, char**);\n", cl->function); - fprintf(c_file, "static int _%s_wrap (int argc, char **argv)\n", - cl->function); - fprintf(c_file, "{\n"); - fprintf(c_file, " %s (argc, argv);\n", cl->function); - fprintf(c_file, " return 0;\n"); - fprintf(c_file, "}\n\n"); - } - - fprintf(c_file, "SL_cmd %s[] = {\n", table_name); - for(cl = commands; cl; cl = cl->next) { - struct string_list *sl; - sl = cl->aliases; - p = quote(sl->string); - q = quote(cl->help); - fprintf(c_file, " { %s, _%s_wrap, %s },\n", p, cl->function, q); - free(p); - free(q); - - for(sl = sl->next; sl; sl = sl->next) { - p = quote(sl->string); - fprintf(c_file, " { %s },\n", p); - free(p); - } - } - fprintf(c_file, " { NULL },\n"); - fprintf(c_file, "};\n"); - fprintf(c_file, "\n"); - } - fclose(c_file); - free(base); - free(cfn); -} - -int version_flag; -int help_flag; -struct getargs args[] = { - { "version", 0, arg_flag, &version_flag }, - { "help", 0, arg_flag, &help_flag } -}; -int num_args = sizeof(args) / sizeof(args[0]); - -static void -usage(int code) -{ - arg_printusage(args, num_args, NULL, "command-table"); - exit(code); -} - -int -main(int argc, char **argv) -{ - int optind = 0; - - setprogname(argv[0]); - if(getarg(args, num_args, argc, argv, &optind)) - usage(1); - if(help_flag) - usage(0); - if(version_flag) { - print_version(NULL); - exit(0); - } - - if(argc == optind) - usage(1); - filename = argv[optind]; - yyin = fopen(filename, "r"); - if(yyin == NULL) - err(1, "%s", filename); - - yyparse(); - - generate_commands(); - - if(numerror) - return 1; - return 0; -} 
diff --git a/crypto/heimdal-0.6.3/lib/sl/make_cmds.h b/crypto/heimdal-0.6.3/lib/sl/make_cmds.h
deleted file mode 100644
index 6d64d979f4..0000000000
--- a/crypto/heimdal-0.6.3/lib/sl/make_cmds.h
+++ /dev/null
@@ -1,76 +0,0 @@ -/* - * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -/* $Id: make_cmds.h,v 1.3 2000/06/27 02:36:56 assar Exp $ */ - -#ifndef __MAKE_CMDS_H__ -#define __MAKE_CMDS_H__ - -#ifdef HAVE_CONFIG_H -#include -#endif - -#include -#include -#include -#include - -#include - -extern char *filename; -extern char *table_name; -extern int numerror; - -struct command_list { - char *function; - char *help; - struct string_list *aliases; - unsigned flags; - struct command_list *next; - struct command_list **tail; -}; - -struct string_list { - char *string; - struct string_list *next; - struct string_list **tail; -}; - -void add_command(char*, char*, struct string_list*, unsigned); - -void error_message(const char *, ...) - __attribute__ ((format (printf, 1,2))); - -int yylex (void); - -#endif /* __MAKE_CMDS_H__ */ diff --git a/crypto/heimdal-0.6.3/lib/sl/parse.y b/crypto/heimdal-0.6.3/lib/sl/parse.y deleted file mode 100644 index deff933637..0000000000 --- a/crypto/heimdal-0.6.3/lib/sl/parse.y +++ /dev/null 
@@ -1,167 +0,0 @@ -%{ -/* - * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "make_cmds.h" -RCSID("$Id: parse.y,v 1.7 2000/06/27 02:37:18 assar Exp $"); - -static void yyerror (char *s); - -struct string_list* append_string(struct string_list*, char*); -void free_string_list(struct string_list *list); -unsigned string_to_flag(const char *); - -/* This is for bison */ - -#if !defined(alloca) && !defined(HAVE_ALLOCA) -#define alloca(x) malloc(x) -#endif - -%} - -%union { - char *string; - unsigned number; - struct string_list *list; -} - -%token TABLE REQUEST UNKNOWN UNIMPLEMENTED END -%token STRING -%type flag flags -%type aliases - -%% - -file : /* */ - | statements - ; - -statements : statement - | statements statement - ; - -statement : TABLE STRING ';' - { - table_name = $2; - } - | REQUEST STRING ',' STRING ',' aliases ',' '(' flags ')' ';' - { - add_command($2, $4, $6, $9); - } - | REQUEST STRING ',' STRING ',' aliases ';' - { - add_command($2, $4, $6, 0); - } - | UNIMPLEMENTED STRING ',' STRING ',' aliases ';' - { - free($2); - free($4); - free_string_list($6); - } - | UNKNOWN aliases ';' - { - free_string_list($2); - } - | END ';' - { - YYACCEPT; - } - ; - -aliases : STRING - { - $$ = append_string(NULL, $1); - } - | aliases ',' STRING - { - $$ = append_string($1, $3); - } - ; - -flags : flag - { - $$ = $1; - } - | flags ',' flag - { - $$ = $1 | $3; - } - ; -flag : STRING - { - $$ = string_to_flag($1); - free($1); - } - ; - - - -%% - -static void -yyerror (char *s) -{ - error_message ("%s\n", s); -} - -struct string_list* -append_string(struct string_list *list, char *str) -{ - struct string_list *sl = malloc(sizeof(*sl)); - sl->string = str; - sl->next = NULL; - if(list) { - *list->tail = sl; - list->tail = &sl->next; - return list; - } - sl->tail = &sl->next; - return sl; -} - -void -free_string_list(struct string_list *list) -{ - while(list) { - struct string_list *sl = list->next; - free(list->string); - free(list); - list = sl; - } -} - -unsigned -string_to_flag(const char *string) -{ - return 0; -} 
diff --git a/crypto/heimdal-0.6.3/lib/sl/roken_rename.h b/crypto/heimdal-0.6.3/lib/sl/roken_rename.h
deleted file mode 100644
index 17837fbaa2..0000000000
--- a/crypto/heimdal-0.6.3/lib/sl/roken_rename.h
+++ /dev/null
@@ -1,67 +0,0 @@ -/* - * Copyright (c) 1998 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -/* $Id: roken_rename.h,v 1.5 2001/05/06 21:47:54 assar Exp $ */ - -#ifndef __roken_rename_h__ -#define __roken_rename_h__ - -#ifndef HAVE_STRTOK_R -#define strtok_r _sl_strtok_r -#endif -#ifndef HAVE_SNPRINTF -#define snprintf _sl_snprintf -#endif -#ifndef HAVE_ASPRINTF -#define asprintf _sl_asprintf -#endif -#ifndef HAVE_ASNPRINTF -#define asnprintf _sl_asnprintf -#endif -#ifndef HAVE_VASPRINTF -#define vasprintf _sl_vasprintf -#endif -#ifndef HAVE_VASNPRINTF -#define vasnprintf _sl_vasnprintf -#endif -#ifndef HAVE_VSNPRINTF -#define vsnprintf _sl_vsnprintf -#endif -#ifndef HAVE_STRUPR -#define strupr _sl_strupr -#endif -#ifndef HAVE_STRDUP -#define strdup _sl_strdup -#endif - -#endif /* __roken_rename_h__ */ diff --git a/crypto/heimdal-0.6.3/lib/sl/sl.c b/crypto/heimdal-0.6.3/lib/sl/sl.c deleted file mode 100644 index 98b101c5b1..0000000000 --- a/crypto/heimdal-0.6.3/lib/sl/sl.c +++ /dev/null 
@@ -1,346 +0,0 @@ -/* - * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#ifdef HAVE_CONFIG_H -#include -RCSID("$Id: sl.c,v 1.29 2001/02/20 01:44:55 assar Exp $"); -#endif - -#include "sl_locl.h" -#include - -static size_t -print_sl (FILE *stream, int mdoc, int longp, SL_cmd *c) - __attribute__ ((unused)); - -static size_t -print_sl (FILE *stream, int mdoc, int longp, SL_cmd *c) -{ - if(mdoc){ - if(longp) - fprintf(stream, "= Ns"); - fprintf(stream, " Ar "); - }else - if (longp) - putc ('=', stream); - else - putc (' ', stream); - - return 1; -} - -static void -mandoc_template(SL_cmd *cmds, - const char *extra_string) -{ - SL_cmd *c, *prev; - char timestr[64], cmd[64]; - const char *p; - time_t t; - - printf(".\\\" Things to fix:\n"); - printf(".\\\" * correct section, and operating system\n"); - printf(".\\\" * remove Op from mandatory flags\n"); - printf(".\\\" * use better macros for arguments (like .Pa for files)\n"); - printf(".\\\"\n"); - t = time(NULL); - strftime(timestr, sizeof(timestr), "%b %d, %Y", localtime(&t)); - printf(".Dd %s\n", timestr); - p = strrchr(getprogname(), '/'); - if(p) p++; else p = getprogname(); - strncpy(cmd, p, sizeof(cmd)); - cmd[sizeof(cmd)-1] = '\0'; - strupr(cmd); - - printf(".Dt %s SECTION\n", cmd); - printf(".Os OPERATING_SYSTEM\n"); - printf(".Sh NAME\n"); - printf(".Nm %s\n", p); - printf(".Nd\n"); - printf("in search of a description\n"); - printf(".Sh SYNOPSIS\n"); - printf(".Nm\n"); - for(c = cmds; c->name; ++c) { -/* if (c->func == NULL) - continue; */ - printf(".Op Fl %s", c->name); -/* print_sl(stdout, 1, 0, c);*/ - printf("\n"); - - } - if (extra_string && *extra_string) - printf (".Ar %s\n", extra_string); - printf(".Sh DESCRIPTION\n"); - printf("Supported options:\n"); - printf(".Bl -tag -width Ds\n"); - prev = NULL; - for(c = cmds; c->name; ++c) { - if (c->func) { - if (prev) - printf ("\n%s\n", prev->usage); - - printf (".It Fl %s", c->name); - prev = c; - } else - printf (", %s\n", c->name); - } - if (prev) - printf ("\n%s\n", prev->usage); - - printf(".El\n"); - 
printf(".\\\".Sh ENVIRONMENT\n"); - printf(".\\\".Sh FILES\n"); - printf(".\\\".Sh EXAMPLES\n"); - printf(".\\\".Sh DIAGNOSTICS\n"); - printf(".\\\".Sh SEE ALSO\n"); - printf(".\\\".Sh STANDARDS\n"); - printf(".\\\".Sh HISTORY\n"); - printf(".\\\".Sh AUTHORS\n"); - printf(".\\\".Sh BUGS\n"); -} - -static SL_cmd * -sl_match (SL_cmd *cmds, char *cmd, int exactp) -{ - SL_cmd *c, *current = NULL, *partial_cmd = NULL; - int partial_match = 0; - - for (c = cmds; c->name; ++c) { - if (c->func) - current = c; - if (strcmp (cmd, c->name) == 0) - return current; - else if (strncmp (cmd, c->name, strlen(cmd)) == 0 && - partial_cmd != current) { - ++partial_match; - partial_cmd = current; - } - } - if (partial_match == 1 && !exactp) - return partial_cmd; - else - return NULL; -} - -void -sl_help (SL_cmd *cmds, int argc, char **argv) -{ - SL_cmd *c, *prev_c; - - if (getenv("SLMANDOC")) { - mandoc_template(cmds, NULL); - return; - } - - if (argc == 1) { - prev_c = NULL; - for (c = cmds; c->name; ++c) { - if (c->func) { - if(prev_c) - printf ("\n\t%s%s", prev_c->usage ? prev_c->usage : "", - prev_c->usage ? "\n" : ""); - prev_c = c; - printf ("%s", c->name); - } else - printf (", %s", c->name); - } - if(prev_c) - printf ("\n\t%s%s", prev_c->usage ? prev_c->usage : "", - prev_c->usage ? "\n" : ""); - } else { - c = sl_match (cmds, argv[1], 0); - if (c == NULL) - printf ("No such command: %s. 
" - "Try \"help\" for a list of all commands\n", - argv[1]); - else { - printf ("%s\t%s\n", c->name, c->usage); - if(c->help && *c->help) - printf ("%s\n", c->help); - if((++c)->name && c->func == NULL) { - printf ("Synonyms:"); - while (c->name && c->func == NULL) - printf ("\t%s", (c++)->name); - printf ("\n"); - } - } - } -} - -#ifdef HAVE_READLINE - -char *readline(char *prompt); -void add_history(char *p); - -#else - -static char * -readline(char *prompt) -{ - char buf[BUFSIZ]; - printf ("%s", prompt); - fflush (stdout); - if(fgets(buf, sizeof(buf), stdin) == NULL) - return NULL; - if (buf[strlen(buf) - 1] == '\n') - buf[strlen(buf) - 1] = '\0'; - return strdup(buf); -} - -static void -add_history(char *p) -{ -} - -#endif - -int -sl_command(SL_cmd *cmds, int argc, char **argv) -{ - SL_cmd *c; - c = sl_match (cmds, argv[0], 0); - if (c == NULL) - return -1; - return (*c->func)(argc, argv); -} - -struct sl_data { - int max_count; - char **ptr; -}; - -int -sl_make_argv(char *line, int *ret_argc, char ***ret_argv) -{ - char *foo = NULL; - char *p; - int argc, nargv; - char **argv; - - nargv = 10; - argv = malloc(nargv * sizeof(*argv)); - if(argv == NULL) - return ENOMEM; - argc = 0; - - for(p = strtok_r (line, " \t", &foo); - p; - p = strtok_r (NULL, " \t", &foo)) { - if(argc == nargv - 1) { - char **tmp; - nargv *= 2; - tmp = realloc (argv, nargv * sizeof(*argv)); - if (tmp == NULL) { - free(argv); - return ENOMEM; - } - argv = tmp; - } - argv[argc++] = p; - } - argv[argc] = NULL; - *ret_argc = argc; - *ret_argv = argv; - return 0; -} - -static jmp_buf sl_jmp; - -static void sl_sigint(int sig) -{ - longjmp(sl_jmp, 1); -} - -static char *sl_readline(const char *prompt) -{ - char *s; - void (*old)(int); - old = signal(SIGINT, sl_sigint); - if(setjmp(sl_jmp)) - printf("\n"); - s = readline((char*)prompt); - signal(SIGINT, old); - return s; -} - -/* return values: 0 on success, -1 on fatal error, or return value of command */ -int -sl_command_loop(SL_cmd *cmds, const 
char *prompt, void **data) -{ - int ret = 0; - char *buf; - int argc; - char **argv; - - ret = 0; - buf = sl_readline(prompt); - if(buf == NULL) - return 1; - - if(*buf) - add_history(buf); - ret = sl_make_argv(buf, &argc, &argv); - if(ret) { - fprintf(stderr, "sl_loop: out of memory\n"); - free(buf); - return -1; - } - if (argc >= 1) { - ret = sl_command(cmds, argc, argv); - if(ret == -1) { - printf ("Unrecognized command: %s\n", argv[0]); - ret = 0; - } - } - free(buf); - free(argv); - return ret; -} - -int -sl_loop(SL_cmd *cmds, const char *prompt) -{ - void *data = NULL; - int ret; - while((ret = sl_command_loop(cmds, prompt, &data)) == 0) - ; - return ret; -} - -void -sl_apropos (SL_cmd *cmd, const char *topic) -{ - for (; cmd->name != NULL; ++cmd) - if (cmd->usage != NULL && strstr(cmd->usage, topic) != NULL) - printf ("%-20s%s\n", cmd->name, cmd->usage); -} diff --git a/crypto/heimdal-0.6.3/lib/sl/sl.h b/crypto/heimdal-0.6.3/lib/sl/sl.h deleted file mode 100644 index 5b3e4b7d64..0000000000 --- a/crypto/heimdal-0.6.3/lib/sl/sl.h +++ /dev/null 
@@ -1,60 +0,0 @@ -/* - * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -/* $Id: sl.h,v 1.9 2001/01/26 14:58:41 joda Exp $ */ - -#ifndef _SL_H -#define _SL_H - -#define SL_BADCOMMAND -1 - -typedef int (*cmd_func)(int, char **); - -struct sl_cmd { - char *name; - cmd_func func; - char *usage; - char *help; -}; - -typedef struct sl_cmd SL_cmd; - -void sl_help (SL_cmd *, int argc, char **argv); -int sl_loop (SL_cmd *, const char *prompt); -int sl_command_loop (SL_cmd *cmds, const char *prompt, void **data); -int sl_command (SL_cmd *cmds, int argc, char **argv); -int sl_make_argv(char*, int*, char***); -void sl_apropos (SL_cmd *cmd, const char *topic); - - -#endif /* _SL_H */ diff --git a/crypto/heimdal-0.6.3/lib/sl/sl_locl.h b/crypto/heimdal-0.6.3/lib/sl/sl_locl.h deleted file mode 100644 index 4bd966003b..0000000000 --- a/crypto/heimdal-0.6.3/lib/sl/sl_locl.h +++ /dev/null 
@@ -1,46 +0,0 @@ -/* - * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* $Id: sl_locl.h,v 1.6 1999/12/02 16:58:55 joda Exp $ */ - -#ifdef HAVE_CONFIG_H -#include -#endif -#include -#include -#include -#include - -#include - -#include diff --git a/crypto/heimdal-0.6.3/lib/sl/ss.c b/crypto/heimdal-0.6.3/lib/sl/ss.c deleted file mode 100644 index 7655a9ec36..0000000000 
--- a/crypto/heimdal-0.6.3/lib/sl/ss.c
+++ /dev/null
@@ -1,162 +0,0 @@ -/* - * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "sl_locl.h" -#include -#include "ss.h" - -RCSID("$Id: ss.c,v 1.6 2000/05/25 00:14:58 assar Exp $"); - -struct ss_subst { - char *name; - char *version; - char *info; - ss_request_table *table; -}; - -static struct ss_subst subsystems[2]; -static int num_subsystems; - -int -ss_create_invocation(const char *subsystem, - const char *version, - const char *info, - ss_request_table *table, - int *code) -{ - struct ss_subst *ss; - - if(num_subsystems >= sizeof(subsystems) / sizeof(subsystems[0])) { - *code = 17; - return 0; - } - ss = &subsystems[num_subsystems]; - ss->name = ss->version = ss->info = NULL; - if (subsystem != NULL) { - ss->name = strdup (subsystem); - if (ss->name == NULL) { - *code = ENOMEM; - return 0; - } - } - if (version != NULL) { - ss->version = strdup (version); - if (ss->version == NULL) { - *code = ENOMEM; - return 0; - } - } - if (info != NULL) { - ss->info = strdup (info); - if (ss->info == NULL) { - *code = ENOMEM; - return 0; - } - } - ss->table = table; - *code = 0; - return num_subsystems++; -} - -void -ss_error (int index, long code, const char *fmt, ...) 
-{ - va_list ap; - va_start(ap, fmt); - com_err_va (subsystems[index].name, code, fmt, ap); - va_end(ap); -} - -void -ss_perror (int index, long code, const char *msg) -{ - ss_error(index, code, "%s", msg); -} - -int -ss_execute_command(int index, char **argv) -{ - int argc = 0; - int ret; - - while(argv[argc++]); - ret = sl_command(subsystems[index].table, argc, argv); - if (ret == SL_BADCOMMAND) - return SS_ET_COMMAND_NOT_FOUND; - return 0; -} - -int -ss_execute_line (int index, const char *line) -{ - char *buf = strdup(line); - int argc; - char **argv; - int ret; - - if (buf == NULL) - return ENOMEM; - sl_make_argv(buf, &argc, &argv); - ret = sl_command(subsystems[index].table, argc, argv); - free(buf); - if (ret == SL_BADCOMMAND) - return SS_ET_COMMAND_NOT_FOUND; - return 0; -} - -int -ss_listen (int index) -{ - char *prompt = malloc(strlen(subsystems[index].name) + 3); - if (prompt == NULL) - return ENOMEM; - - strcpy(prompt, subsystems[index].name); - strcat(prompt, ": "); - sl_loop(subsystems[index].table, prompt); - free(prompt); - return 0; -} - -int -ss_list_requests(int argc, char **argv /* , int index, void *info */) -{ - sl_help(subsystems[0 /* index */].table, argc, argv); - return 0; -} - -int -ss_quit(int argc, char **argv) -{ - return 1; -} diff --git a/crypto/heimdal-0.6.3/lib/sl/ss.h b/crypto/heimdal-0.6.3/lib/sl/ss.h deleted file mode 100644 index 0149fa18aa..0000000000 --- a/crypto/heimdal-0.6.3/lib/sl/ss.h +++ /dev/null 
@@ -1,57 +0,0 @@
-/*
- * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-/* $Id: ss.h,v 1.3 2000/05/25 00:15:21 assar Exp $ */
-
-/* SS compatibility for SL */
-
-#ifndef __ss_h__
-#define __ss_h__
-
-#include
-
-typedef SL_cmd ss_request_table;
-
-int ss_create_invocation (const char *, const char *, const char*,
- ss_request_table*, int*);
-
-void ss_error (int, long, const char*, ...);
-int ss_execute_command (int, char**);
-int ss_execute_line (int, const char*);
-int ss_list_requests (int argc, char**);
-int ss_listen (int);
-void ss_perror (int, long, const char*);
-int ss_quit (int argc, char**);
-
-#define SS_ET_COMMAND_NOT_FOUND (-1)
-
-#endif /* __ss_h__ */
diff --git a/crypto/heimdal-0.6.3/lib/vers/ChangeLog b/crypto/heimdal-0.6.3/lib/vers/ChangeLog
deleted file mode 100644
index f5a869d585..0000000000
--- a/crypto/heimdal-0.6.3/lib/vers/ChangeLog
+++ /dev/null
@@ -1,42 +0,0 @@
-2003-01-02 Johan Danielsson
-
- * print_version.c: considerable clean up
-
- * make-print-version.c: make VERSIONLIST a string instead of an
- array of strings
-
-2002-08-28 Assar Westerlund
-
- * Makefile.am (make_print_version_LDADD): do not hardcode -ldes,
- use $(LIB_des)
-
-2002-08-19 Johan Danielsson
-
- * print_version.c: add bug-report message
-
-2002-05-20 Johan Danielsson
-
- * print_version.c: update year
-
-2001-08-24 Assar Westerlund
-
- * Makefile.am (make_print_version_LDADD): use = instead of += (be
- nice to current automake)
-
-2001-04-21 Johan Danielsson
-
- * print_version.c: 2001
-
-2001-01-31 Assar Westerlund
-
- * Makefile.am: remove -static turning this into a convenience
- library
-
-2000-11-15 Assar Westerlund
-
- * Makefile.am: make the library static and don't install it
-
-2000-07-08 Assar Westerlund
-
- * make-print-version.c (heimdal_version, krb4_version): const-ize,
- based on thorpej@netbsd.org's change to NetBSD
diff --git a/crypto/heimdal-0.6.3/lib/vers/Makefile.am b/crypto/heimdal-0.6.3/lib/vers/Makefile.am
deleted file mode 100644
index d8816123df..0000000000
--- a/crypto/heimdal-0.6.3/lib/vers/Makefile.am
+++ /dev/null
@@ -1,28 +0,0 @@
-# $Id: Makefile.am,v 1.5 2002/08/28 22:57:42 assar Exp $
-
-include $(top_srcdir)/Makefile.am.common
-
-CLEANFILES = print_version.h
-
-noinst_LTLIBRARIES = libvers.la
-
-build_HEADERZ = vers.h
-
-noinst_PROGRAMS = make-print-version
-
-if KRB4
-if KRB5
-## need to link with des here; otherwise, if krb4 is shared the link
-## will fail with unresolved references
-make_print_version_LDADD = $(LIB_krb4) $(LIB_des)
-endif
-endif
-
-libvers_la_SOURCES = print_version.c
-
-print_version.lo: print_version.h
-
-print_version.h: make-print-version$(EXEEXT)
- ./make-print-version$(EXEEXT) print_version.h
-
-make-print-version.o: $(top_builddir)/include/version.h
diff --git a/crypto/heimdal-0.6.3/lib/vers/Makefile.in b/crypto/heimdal-0.6.3/lib/vers/Makefile.in
deleted file mode 100644
index 6af87119fc..0000000000
--- a/crypto/heimdal-0.6.3/lib/vers/Makefile.in
+++ /dev/null
@@ -1,757 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.5 2002/08/28 22:57:42 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - - -SOURCES = $(libvers_la_SOURCES) make-print-version.c - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../.. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ - $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common ChangeLog -noinst_PROGRAMS = make-print-version$(EXEEXT) -subdir = lib/vers -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - 
$(top_srcdir)/cf/krb-struct-spwd.m4 \ - $(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -LTLIBRARIES = $(noinst_LTLIBRARIES) -libvers_la_LIBADD = -am_libvers_la_OBJECTS = print_version.lo -libvers_la_OBJECTS = $(am_libvers_la_OBJECTS) -PROGRAMS = $(noinst_PROGRAMS) -make_print_version_SOURCES = make-print-version.c -make_print_version_OBJECTS = make-print-version.$(OBJEXT) -am__DEPENDENCIES_1 = -@KRB4_TRUE@@KRB5_TRUE@make_print_version_DEPENDENCIES = \ -@KRB4_TRUE@@KRB5_TRUE@ $(am__DEPENDENCIES_1) \ -@KRB4_TRUE@@KRB5_TRUE@ $(am__DEPENDENCIES_1) -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -SOURCES = $(libvers_la_SOURCES) make-print-version.c -DIST_SOURCES = $(libvers_la_SOURCES) make-print-version.c -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ 
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ 
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = 
@dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -CLEANFILES = print_version.h -noinst_LTLIBRARIES = libvers.la -build_HEADERZ = vers.h 
-@KRB4_TRUE@@KRB5_TRUE@make_print_version_LDADD = $(LIB_krb4) $(LIB_des) -libvers_la_SOURCES = print_version.c -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps lib/vers/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps lib/vers/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -clean-noinstLTLIBRARIES: - -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) - @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ - dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ - test "$$dir" = "$$p" && dir=.; \ - echo "rm -f \"$${dir}/so_locations\""; \ - rm -f "$${dir}/so_locations"; \ - done -libvers.la: $(libvers_la_OBJECTS) $(libvers_la_DEPENDENCIES) - $(LINK) $(libvers_la_LDFLAGS) $(libvers_la_OBJECTS) $(libvers_la_LIBADD) $(LIBS) - -clean-noinstPROGRAMS: - 
@list='$(noinst_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -make-print-version$(EXEEXT): $(make_print_version_OBJECTS) $(make_print_version_DEPENDENCIES) - @rm -f make-print-version$(EXEEXT) - $(LINK) $(make_print_version_LDFLAGS) $(make_print_version_OBJECTS) $(make_print_version_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c $< - -.c.obj: - $(COMPILE) -c `$(CYGPATH_W) '$<'` - -.c.lo: - $(LTCOMPILE) -c -o $@ $< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: - 
here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/../.. $(distdir)/../../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) all-local -installdirs: -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) - -distclean-generic: - -rm -f 
$(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ - clean-noinstPROGRAMS mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-info-am - -.PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \ - clean clean-generic clean-libtool clean-noinstLTLIBRARIES \ - clean-noinstPROGRAMS ctags distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-exec install-exec-am \ - install-info install-info-am install-man install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags uninstall uninstall-am uninstall-info-am - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - 
-install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > 
$(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -print_version.lo: print_version.h - -print_version.h: make-print-version$(EXEEXT) - ./make-print-version$(EXEEXT) print_version.h - -make-print-version.o: $(top_builddir)/include/version.h -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal-0.6.3/lib/vers/make-print-version.c b/crypto/heimdal-0.6.3/lib/vers/make-print-version.c deleted file mode 100644 index eab167d05d..0000000000 --- a/crypto/heimdal-0.6.3/lib/vers/make-print-version.c +++ /dev/null 
@@ -1,71 +0,0 @@
-/*
- * Copyright (c) 1998 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: make-print-version.c,v 1.3 2003/01/02 15:31:38 joda Exp $");
-#endif
-
-#include
-
-#ifdef KRB5
-extern const char *heimdal_version;
-#endif
-#ifdef KRB4
-extern const char *krb4_version;
-#endif
-#include
-
-int
-main(int argc, char **argv)
-{
- FILE *f;
- if(argc != 2)
- return 1;
- f = fopen(argv[1], "w");
- if(f == NULL)
- return 1;
- fprintf(f, "#define VERSIONLIST \"");
-#ifdef KRB5
- fprintf(f, "%s", heimdal_version);
-#endif
-#ifdef KRB4
-#ifdef KRB5
- fprintf(f, ", ");
-#endif
- fprintf(f, "%s", krb4_version);
-#endif
- fprintf(f, "\"\n");
- fclose(f);
- return 0;
-}
diff --git a/crypto/heimdal-0.6.3/lib/vers/print_version.c b/crypto/heimdal-0.6.3/lib/vers/print_version.c
deleted file mode 100644
index 43f9baa9ab..0000000000
--- a/crypto/heimdal-0.6.3/lib/vers/print_version.c
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * Copyright (c) 1998 - 2004 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: print_version.c,v 1.6.2.1 2004/02/12 18:31:33 joda Exp $");
-#endif
-#include "roken.h"
-
-#include "print_version.h"
-
-void
-print_version(const char *progname)
-{
- const char *package_list = VERSIONLIST;
-
- if(progname == NULL)
- progname = getprogname();
-
- if(*package_list == '\0')
- package_list = "no version information";
- fprintf(stderr, "%s (%s)\n", progname, package_list);
- fprintf(stderr, "Copyright 1999-2004 Kungliga Tekniska Högskolan\n");
- fprintf(stderr, "Send bug-reports to %s\n", PACKAGE_BUGREPORT);
-}
diff --git a/crypto/heimdal-0.6.3/lib/vers/vers.h b/crypto/heimdal-0.6.3/lib/vers/vers.h
deleted file mode 100644
index cc70355f42..0000000000
--- a/crypto/heimdal-0.6.3/lib/vers/vers.h
+++ /dev/null
@@ -1,41 +0,0 @@
-/*
- * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: vers.h,v 1.1 2000/07/01 19:47:36 assar Exp $ */
-
-#ifndef __VERS_H__
-#define __VERS_H__
-
-void print_version(const char *);
-
-#endif /* __VERS_H__ */
diff --git a/crypto/heimdal-0.6.3/ltconfig b/crypto/heimdal-0.6.3/ltconfig
deleted file mode 100644
index 91907462a0..0000000000
--- a/crypto/heimdal-0.6.3/ltconfig
+++ /dev/null
@@ -1,2797 +0,0 @@ -#! /bin/sh - -# ltconfig - Create a system-specific libtool. -# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001 -# Free Software Foundation, Inc. -# Originally by Gordon Matzigkeit , 1996 -# -# This file is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -# -# As a special exception to the GNU General Public License, if you -# distribute this file as part of a program that contains a -# configuration script generated by Autoconf, you may include it under -# the same distribution terms that you use for the rest of that program. - -# A lot of this script is taken from autoconf-2.10. - -# Check that we are running under the correct shell. -SHELL=${CONFIG_SHELL-/bin/sh} -echo=echo -if test "X$1" = X--no-reexec; then - # Discard the --no-reexec flag, and continue. - shift -elif test "X$1" = X--fallback-echo; then - # Avoid inline document here, it may be left over - : -elif test "X`($echo '\t') 2>/dev/null`" = 'X\t'; then - # Yippee, $echo works! - : -else - # Restart under the correct shell. - exec "$SHELL" "$0" --no-reexec ${1+"$@"} -fi - -if test "X$1" = X--fallback-echo; then - # used as fallback echo - shift - cat </dev/null`} - case X$UNAME in - *-DOS) PATH_SEPARATOR=';' ;; - *) PATH_SEPARATOR=':' ;; - esac -fi - -# The HP-UX ksh and POSIX shell print the target directory to stdout -# if CDPATH is set. 
-if test "X${CDPATH+set}" = Xset; then CDPATH=:; export CDPATH; fi - -if test "X${echo_test_string+set}" != Xset; then - # find a string as large as possible, as long as the shell can cope with it - for cmd in 'sed 50q "$0"' 'sed 20q "$0"' 'sed 10q "$0"' 'sed 2q "$0"' 'echo test'; do - # expected sizes: less than 2Kb, 1Kb, 512 bytes, 16 bytes, ... - if (echo_test_string="`eval $cmd`") 2>/dev/null && - echo_test_string="`eval $cmd`" && - (test "X$echo_test_string" = "X$echo_test_string") 2>/dev/null; then - break - fi - done -fi - -if test "X`($echo '\t') 2>/dev/null`" = 'X\t' && - echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` && - test "X$echo_testing_string" = "X$echo_test_string"; then - : -else - # The Solaris, AIX, and Digital Unix default echo programs unquote - # backslashes. This makes it impossible to quote backslashes using - # echo "$something" | sed 's/\\/\\\\/g' - # - # So, first we look for a working echo in the user's PATH. - - IFS="${IFS= }"; save_ifs="$IFS"; IFS="${IFS}${PATH_SEPARATOR}" - for dir in $PATH /usr/ucb; do - if (test -f $dir/echo || test -f $dir/echo$ac_exeext) && - test "X`($dir/echo '\t') 2>/dev/null`" = 'X\t' && - echo_testing_string=`($dir/echo "$echo_test_string") 2>/dev/null` && - test "X$echo_testing_string" = "X$echo_test_string"; then - echo="$dir/echo" - break - fi - done - IFS="$save_ifs" - - if test "X$echo" = Xecho; then - # We didn't find a better echo, so look for alternatives. - if test "X`(print -r '\t') 2>/dev/null`" = 'X\t' && - echo_testing_string=`(print -r "$echo_test_string") 2>/dev/null` && - test "X$echo_testing_string" = "X$echo_test_string"; then - # This shell has a builtin print -r that does the trick. - echo='print -r' - elif (test -f /bin/ksh || test -f /bin/ksh$ac_exeext) && - test "X$CONFIG_SHELL" != X/bin/ksh; then - # If we have ksh, try running ltconfig again with it. 
- ORIGINAL_CONFIG_SHELL="${CONFIG_SHELL-/bin/sh}" - export ORIGINAL_CONFIG_SHELL - CONFIG_SHELL=/bin/ksh - export CONFIG_SHELL - exec "$CONFIG_SHELL" "$0" --no-reexec ${1+"$@"} - else - # Try using printf. - echo='printf %s\n' - if test "X`($echo '\t') 2>/dev/null`" = 'X\t' && - echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` && - test "X$echo_testing_string" = "X$echo_test_string"; then - # Cool, printf works - : - elif echo_testing_string=`("$ORIGINAL_CONFIG_SHELL" "$0" --fallback-echo '\t') 2>/dev/null` && - test "X$echo_testing_string" = 'X\t' && - echo_testing_string=`("$ORIGINAL_CONFIG_SHELL" "$0" --fallback-echo "$echo_test_string") 2>/dev/null` && - test "X$echo_testing_string" = "X$echo_test_string"; then - CONFIG_SHELL="$ORIGINAL_CONFIG_SHELL" - export CONFIG_SHELL - SHELL="$CONFIG_SHELL" - export SHELL - echo="$CONFIG_SHELL $0 --fallback-echo" - elif echo_testing_string=`("$CONFIG_SHELL" "$0" --fallback-echo '\t') 2>/dev/null` && - test "X$echo_testing_string" = 'X\t' && - echo_testing_string=`("$CONFIG_SHELL" "$0" --fallback-echo "$echo_test_string") 2>/dev/null` && - test "X$echo_testing_string" = "X$echo_test_string"; then - echo="$CONFIG_SHELL $0 --fallback-echo" - else - # maybe with a smaller string... - prev=: - - for cmd in 'echo test' 'sed 2q "$0"' 'sed 10q "$0"' 'sed 20q "$0"' 'sed 50q "$0"'; do - if (test "X$echo_test_string" = "X`eval $cmd`") 2>/dev/null; then - break - fi - prev="$cmd" - done - - if test "$prev" != 'sed 50q "$0"'; then - echo_test_string=`eval $prev` - - export echo_test_string - exec "${ORIGINAL_CONFIG_SHELL-${CONFIG_SHELL-/bin/sh}}" "$0" ${1+"$@"} - else - # Oops. We lost completely, so just stick with echo. - echo=echo - fi - fi - fi - fi -fi - -# Sed substitution that helps us do robust quoting. It backslashifies -# metacharacters that are still active within double-quoted strings. -Xsed='sed -e s/^X//' -sed_quote_subst='s/\([\\"\\`$\\\\]\)/\\\1/g' - -# Same as above, but do not quote variable references. 
-double_quote_subst='s/\([\\"\\`\\\\]\)/\\\1/g' - -# Sed substitution to delay expansion of an escaped shell variable in a -# double_quote_subst'ed string. -delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g' - -# The name of this program. -progname=`$echo "X$0" | $Xsed -e 's%^.*/%%'` - -# Constants: -PROGRAM=ltconfig -PACKAGE=libtool -VERSION=1.4a -TIMESTAMP=" (1.641.2.255 2001/05/22 10:39:30)" -ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5' -ac_link='${CC-cc} -o conftest $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5' -rm="rm -f" - -help="Try \`$progname --help' for more information." - -# Global variables: -default_ofile=libtool -can_build_shared=yes -enable_shared=yes -# All known linkers require a `.a' archive for static linking (except M$VC, -# which needs '.lib'). -enable_static=yes -enable_fast_install=yes -enable_dlopen=unknown -enable_win32_dll=no -pic_mode=default -ltmain= -silent= -srcdir= -ac_config_guess= -ac_config_sub= -host= -build=NONE -nonopt=NONE -ofile="$default_ofile" -verify_host=yes -tagname= -with_gcc=no -with_gnu_ld=no -need_locks=yes -ac_ext=c -libext=a -cache_file= -max_cmd_len= - -## Dependencies to place before and after the object being linked: -predep_objects= -postdep_objects= -predeps= -postdeps= -compiler_lib_search_path= - -## Link characteristics: -allow_undefined_flag= -no_undefined_flag= -need_lib_prefix=unknown -need_version=unknown -# when you set need_version to no, make sure it does not cause -set_version -# flags to be left without arguments -archive_cmds= -archive_expsym_cmds= -old_archive_from_new_cmds= -old_archive_from_expsyms_cmds= -striplib= -old_striplib= -export_dynamic_flag_spec= -whole_archive_flag_spec= -thread_safe_flag_spec= -hardcode_into_libs=no -hardcode_libdir_flag_spec= -hardcode_libdir_separator= -hardcode_direct=no -hardcode_minus_L=no -hardcode_shlibpath_var=unsupported -runpath_var= -link_all_deplibs=unknown -always_export_symbols=no -export_symbols_cmds='$NM $libobjs 
$convenience | $global_symbol_pipe | sed '\''s/.* //'\'' | sort | uniq > $export_symbols' -# include_expsyms should be a list of space-separated symbols to be *always* -# included in the symbol list -include_expsyms= -# exclude_expsyms can be an egrep regular expression of symbols to exclude -# it will be wrapped by ` (' and `)$', so one must not match beginning or -# end of line. Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc', -# as well as any symbol that contains `d'. -exclude_expsyms="_GLOBAL_OFFSET_TABLE_" -# Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out -# platforms (ab)use it in PIC code, but their linkers get confused if -# the symbol is explicitly referenced. Since portable code cannot -# rely on this symbol name, it's probably fine to never include it in -# preloaded symbol tables. -extract_expsyms_cmds= - -## Tools: -old_AR="$AR" -old_AR_FLAGS="$AR_FLAGS" -old_CC="$CC" -old_CFLAGS="$CFLAGS" -old_CPPFLAGS="$CPPFLAGS" -old_LDFLAGS="$LDFLAGS" -old_LIBS="$LIBS" -old_MAGIC_CMD="$MAGIC_CMD" -old_LD="$LD" -old_LN_S="$LN_S" -old_LTCC="$LTCC" -old_NM="$NM" -old_RANLIB="$RANLIB" -old_STRIP="$STRIP" -old_AS="$AS" -old_DLLTOOL="$DLLTOOL" -old_OBJDUMP="$OBJDUMP" -old_OBJEXT="$OBJEXT" -old_EXEEXT="$EXEEXT" -old_reload_flag="$reload_flag" -old_deplibs_check_method="$deplibs_check_method" -old_file_magic_cmd="$file_magic_cmd" - -# Parse the command line options. -args= -prev= -for option -do - case $option in - -*=*) optarg=`echo "$option" | sed 's/[-_a-zA-Z0-9]*=//'` ;; - *) optarg= ;; - esac - - # If the previous option needs an argument, assign it. 
- if test -n "$prev"; then - eval "$prev=\$option" - prev= - continue - fi - - case $option in - --help) cat <&2 - echo "$help" 1>&2 - exit 1 - ;; - - *) - if test -z "$ltmain"; then - ltmain="$option" - elif test -z "$host"; then -# This generates an unnecessary warning for sparc-sun-solaris4.1.3_U1 -# if test -n "`echo $option| sed 's/[-a-z0-9.]//g'`"; then -# echo "$progname: warning \`$option' is not a valid host type" 1>&2 -# fi - host="$option" - else - echo "$progname: too many arguments" 1>&2 - echo "$help" 1>&2 - exit 1 - fi ;; - esac -done - -if test -z "$ltmain"; then - echo "$progname: you must specify a LTMAIN file" 1>&2 - echo "$help" 1>&2 - exit 1 -fi - -if test ! -f "$ltmain"; then - echo "$progname: \`$ltmain' does not exist" 1>&2 - echo "$help" 1>&2 - exit 1 -fi - -if test -n "$tagname"; then - # Check whether tagname contains only valid characters - case `$echo "X$tagname" | $Xsed -e 's/[-_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890,/]//g'` in - "") ;; - *) - echo "$progname: invalid tag name: $tagname" 1>&2 - exit 1 - ;; - esac - - if grep "^### BEGIN LIBTOOL TAG CONFIG: $tagname$" < "$ofile" > /dev/null; then - echo "$progname: tag name $tagname already exists" 1>&2 - exit 1 - fi - - if test ! -f "$ofile"; then - echo "$progname: warning: output file \`$ofile' does not exist" 1>&2 - fi - - if test -z "$LTCC"; then - eval "`$SHELL $ofile --config | grep '^LTCC='`" - if test -z "$LTCC"; then - echo "$progname: warning: output file \`$ofile' does not look like a libtool script" 1>&2 - else - echo "$progname: warning: using \`LTCC=$LTCC', extracted from \`$ofile'" 1>&2 - fi - fi -fi - -# Quote any args containing shell metacharacters. -ltconfig_args= -for arg -do - case $arg in - *" "*|*" "*|*[\[\]\~\#\$\^\&\*\(\)\{\}\\\|\;\<\>\?]*) - ltconfig_args="$ltconfig_args '$arg'" ;; - *) ltconfig_args="$ltconfig_args $arg" ;; - esac -done - -# A relevant subset of AC_INIT. 
- -# File descriptor usage: -# 0 standard input -# 1 file creation -# 2 errors and warnings -# 3 some systems may open it to /dev/tty -# 4 used on the Kubota Titan -# 5 compiler messages saved in config.log -# 6 checking for... messages and results -if test "$silent" = yes; then - exec 6>/dev/null -else - exec 6>&1 -fi -exec 5>>./config.log - -# NLS nuisances. -# Only set LANG and LC_ALL to C if already set. -# These must not be set unconditionally because not all systems understand -# e.g. LANG=C (notably SCO). -if test "X${LC_ALL+set}" = Xset; then LC_ALL=C; export LC_ALL; fi -if test "X${LANG+set}" = Xset; then LANG=C; export LANG; fi - -if test -n "$cache_file" && test -r "$cache_file" && test -f "$cache_file"; then - echo "loading cache $cache_file within ltconfig" - . $cache_file -fi - -if (echo "testing\c"; echo 1,2,3) | grep c >/dev/null; then - # Stardent Vistra SVR4 grep lacks -e, says ghazi@caip.rutgers.edu. - if (echo -n testing; echo 1,2,3) | sed s/-n/xn/ | grep xn >/dev/null; then - ac_n= ac_c=' -' ac_t=' ' - else - ac_n=-n ac_c= ac_t= - fi -else - ac_n= ac_c='\c' ac_t= -fi - -if test -z "$srcdir"; then - # Assume the source directory is the same one as the path to LTMAIN. - srcdir=`$echo "X$ltmain" | $Xsed -e 's%/[^/]*$%%'` - test "$srcdir" = "$ltmain" && srcdir=. -fi - -trap "$rm conftest*; exit 1" 1 2 15 -if test "$verify_host" = yes; then - # Check for config.guess and config.sub. - ac_aux_dir= - for ac_dir in $srcdir $srcdir/.. $srcdir/../..; do - if test -f $ac_dir/config.guess; then - ac_aux_dir=$ac_dir - break - fi - done - if test -z "$ac_aux_dir"; then - echo "$progname: cannot find config.guess in $srcdir $srcdir/.. $srcdir/../.." 1>&2 - echo "$help" 1>&2 - exit 1 - fi - ac_config_guess=$ac_aux_dir/config.guess - ac_config_sub=$ac_aux_dir/config.sub - - # Make sure we can run config.sub. 
- if $SHELL $ac_config_sub sun4 >/dev/null 2>&1; then : - else - echo "$progname: cannot run $ac_config_sub" 1>&2 - echo "$help" 1>&2 - exit 1 - fi - - echo $ac_n "checking host system type""... $ac_c" 1>&6 - - host_alias=$host - case $host_alias in - "") - # Force config.guess to use the C compiler. - # CC_FOR_BUILD overrides the CC variable in config.guess but I had - # problems with it so do it this way for now. - CC="$LTCC" - - if host_alias=`$SHELL $ac_config_guess`; then : - else - echo "$progname: cannot guess host type; you must specify one" 1>&2 - echo "$help" 1>&2 - exit 1 - fi - - # Restore the C compiler. - CC="$old_CC" - ;; - esac - host=`$SHELL $ac_config_sub $host_alias` - echo "$ac_t$host" 1>&6 - - # Make sure the host verified. - test -z "$host" && exit 1 - - # Check for the build system type - echo $ac_n "checking build system type... $ac_c" 1>&6 - - build_alias=$build - case $build_alias in - NONE) - case $nonopt in - NONE) build_alias=$host_alias ;; - *) build_alias=$nonopt ;; - esac ;; - esac - - build=`$SHELL $ac_config_sub $build_alias` - build_cpu=`echo $build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'` - build_vendor=`echo $build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'` - build_os=`echo $build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'` - echo "$ac_t""$build" 1>&6 - -elif test -z "$host"; then - echo "$progname: you must specify a host type if you use \`--no-verify'" 1>&2 - echo "$help" 1>&2 - exit 1 -else - host_alias=$host - build_alias=$host_alias - build=$host -fi - -if test x"$host" != x"$build"; then - ac_tool_prefix=${host_alias}- -else - ac_tool_prefix= -fi - -host_cpu=`echo $host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'` -host_vendor=`echo $host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'` -host_os=`echo $host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'` - -# Transform linux* to *-*-linux-gnu*, to support old configure scripts. 
-case $host_os in -linux-gnu*) ;; -linux*) host=`echo $host | sed 's/^\(.*-.*-linux\)\(.*\)$/\1-gnu\2/'` -esac - -case $host_os in -aix3*) - # AIX sometimes has problems with the GCC collect2 program. For some - # reason, if we set the COLLECT_NAMES environment variable, the problems - # vanish in a puff of smoke. - if test "X${COLLECT_NAMES+set}" != Xset; then - COLLECT_NAMES= - export COLLECT_NAMES - fi - ;; -esac - -# Determine commands to create old-style static archives. -old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs$old_deplibs' -old_postinstall_cmds='chmod 644 $oldlib' -old_postuninstall_cmds= - -if test -n "$RANLIB"; then - old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib" - old_postinstall_cmds="\$RANLIB \$oldlib~$old_postinstall_cmds" -fi - -# Source the script associated with the $tagname tag configuration. -if test -n "$tagname"; then - . $ltmain -else - # FIXME: We should use a variable here - # Configure for a C compiler - . $srcdir/ltcf-c.sh -fi - -# Set sane defaults for various variables -test -z "$AR" && AR=ar -test -z "$AR_FLAGS" && AR_FLAGS=cru -test -z "$AS" && AS=as -test -z "$CC" && CC=cc -test -z "$DLLTOOL" && DLLTOOL=dlltool -test -z "$MAGIC_CMD" && MAGIC_CMD=file -test -z "$LD" && LD=ld -test -z "$LN_S" && LN_S="ln -s" -test -z "$NM" && NM=nm -test -z "$OBJDUMP" && OBJDUMP=objdump -test -z "$RANLIB" && RANLIB=: -test -z "$STRIP" && STRIP=: -test -z "$objext" && objext=o - -echo $ac_n "checking for objdir... $ac_c" 1>&6 -rm -f .libs 2>/dev/null -mkdir .libs 2>/dev/null -if test -d .libs; then - objdir=.libs -else - # MS-DOS does not allow filenames that begin with a dot. - objdir=_libs -fi -rmdir .libs 2>/dev/null -echo "$ac_t$objdir" 1>&6 - -# If no C compiler was specified, use CC. -LTCC=${LTCC-"$CC"} - -# Allow CC to be a program name with arguments. 
-set dummy $CC -compiler="$2" - -# We assume here that the value for ac_cv_prog_cc_pic will not be cached -# in isolation, and that seeing it set (from the cache) indicates that -# the associated values are set (in the cache) correctly too. -echo $ac_n "checking for $compiler option to produce PIC... $ac_c" 1>&6 -echo "$progname:678:checking for $compiler option to produce PIC" 1>&5 - -if test -z "$ac_cv_prog_cc_pic"; then - echo "$ac_t"none 1>&6 -else - echo "$ac_t""$ac_cv_prog_cc_pic" 1>&6 - - # Check to make sure the pic_flag actually works. - echo $ac_n "checking if $compiler PIC flag $ac_cv_prog_cc_pic works... $ac_c" 1>&6 - echo "$progname:687:checking that $compiler PIC flag $ac_cv_prog_cc_pic works." 1>&5 - if test "X${ac_cv_prog_cc_pic_works+set}" = Xset && \ - test "X${ac_cv_prog_cc_pic_works}" != X; then - echo $ac_n "(cached) $ac_c" 1>&6 - else - ac_cv_prog_cc_pic_works=yes - $rm conftest* - echo $lt_simple_compile_test_code > conftest.$ac_ext - save_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS $ac_cv_prog_cc_pic -DPIC" - if { (eval echo $progname:697: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>conftest.err; } && test -s conftest.$objext; then - # Append any warnings to the config.log. - cat conftest.err 1>&5 - - case $host_os in - hpux9* | hpux10* | hpux11*) - # On HP-UX, both CC and GCC only warn that PIC is supported... then - # they create non-PIC objects. So, if there were any warnings, we - # assume that PIC is not supported. - if test -s conftest.err; then - ac_cv_prog_cc_pic_works=no - ac_cv_prog_cc_can_build_shared=no - ac_cv_prog_cc_pic= - else - ac_cv_prog_cc_pic_works=yes - ac_cv_prog_cc_pic=" $ac_cv_prog_cc_pic" - fi - ;; - *) - ac_cv_prog_cc_pic_works=yes - ac_cv_prog_cc_pic=" $ac_cv_prog_cc_pic" - ;; - esac - else - # Append any errors to the config.log. 
- cat conftest.err 1>&5 - ac_cv_prog_cc_pic_works=no - ac_cv_prog_cc_can_build_shared=no - ac_cv_prog_cc_pic= - fi - CFLAGS="$save_CFLAGS" - $rm conftest* - fi - # Belt *and* braces to stop my trousers falling down: - if test "X$ac_cv_prog_cc_pic_works" = Xno; then - ac_cv_prog_cc_pic= - ac_cv_prog_cc_can_build_shared=no - fi - echo "$ac_t""$ac_cv_prog_cc_pic_works" 1>&6 -fi - -# Check for any special shared library compilation flags. -if test -n "$ac_cv_prog_cc_shlib"; then - echo "$progname: warning: \`$CC' requires \`$ac_cv_prog_cc_shlib' to build shared libraries" 1>&2 - if echo "$old_CC $old_CFLAGS " | egrep -e "[ ]$ac_cv_prog_cc_shlib[ ]" >/dev/null; then : - else - echo "$progname: add \`$ac_cv_prog_cc_shlib' to the CC or CFLAGS env variable and reconfigure" 1>&2 - ac_cv_prog_cc_can_build_shared=no - fi -fi - -echo $ac_n "checking if $compiler static flag $ac_cv_prog_cc_static works... $ac_c" 1>&6 -echo "$progname:749: checking if $compiler static flag $ac_cv_prog_cc_static works" >&5 -if test "X${ac_cv_prog_cc_static_works+set}" = Xset && \ - test "X${ac_cv_prog_cc_static_works}" != X; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - $rm conftest* - echo $lt_simple_link_test_code > conftest.$ac_ext - save_LDFLAGS="$LDFLAGS" - LDFLAGS="$LDFLAGS $ac_cv_prog_cc_static" - if { (eval echo $progname:758: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then - ac_cv_prog_cc_static_works=yes - else - ac_cv_prog_cc_static_works=no - ac_cv_prog_cc_static= - fi - LDFLAGS="$save_LDFLAGS" - $rm conftest* -fi -# Belt *and* braces to stop my trousers falling down: -if test "X$ac_cv_prog_cc_static_works" = Xno; then - ac_cv_prog_cc_static= -fi -echo "$ac_t""$ac_cv_prog_cc_static_works" 1>&6 -pic_flag="$ac_cv_prog_cc_pic" -special_shlib_compile_flags="$ac_cv_prog_cc_shlib" -wl="$ac_cv_prog_cc_wl" -link_static_flag="$ac_cv_prog_cc_static" -no_builtin_flag="$ac_cv_prog_cc_no_builtin" -can_build_shared="$ac_cv_prog_cc_can_build_shared" - -# find the maximum 
length of command line arguments -echo "$progname:780: finding the maximum length of command line arguments" 1>&5 -echo $ac_n "finding the maximum length of command line arguments... $ac_c" 1>&6 -if test "${lt_cv_sys_max_cmd_len+set}" = set; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - i=0 - testring="ABCD" - # If test is not a shell built-in, we'll probably end up computing a - # maximum length that is only half of the actual maximum length, but - # we can't tell. - while test "X"`$CONFIG_SHELL $0 --fallback-echo "X$testring" 2>/dev/null` \ - = "XX$testring" && - new_result=`expr "X$testring" : ".*" 2>&1` && - lt_cv_sys_max_cmd_len=$new_result && - test $i != 18 # 1 MB should be enough - do - i=`expr $i + 1` - testring=$testring$testring - done - testring= - # add a significant safety factor because C++ compilers can tack on massive amounts - # of additional arguments before passing them to the linker. 1/4 should be good. - len=`expr $lt_cv_sys_max_cmd_len \/ 4` - lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len - $len` -fi -echo "$progname:@lineno@: result: $lt_cv_sys_max_cmd_len" 1>&5 -echo "${ac_t}$lt_cv_sys_max_cmd_len" 1>&6 - -if test -n $lt_cv_sys_max_cmd_len ; then - max_cmd_len=$lt_cv_sys_max_cmd_len -else - max_cmd_len=none -fi - -# Check to see if options -o and -c are simultaneously supported by compiler -echo $ac_n "checking if $compiler supports -c -o file.$objext... $ac_c" 1>&6 -if test "${lt_cv_compiler_c_o+set}" = set; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - $rm -r conftest 2>/dev/null - mkdir conftest - cd conftest - $rm conftest* - echo $lt_simple_compile_test_code > conftest.$ac_ext - mkdir out - # According to Tom Tromey, Ian Lance Taylor reported there are C compilers - # that will create temporary files in the current directory regardless of - # the output directory. Thus, making CWD read-only will cause this test - # to fail, enabling locking or at least warning the user not to do parallel - # builds. - chmod -w . 
- save_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS -o out/conftest2.$objext" - echo "$progname:833: checking if $compiler supports -c -o file.$objext" >&5 - if { (eval echo $progname:834: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>out/conftest.err; } && test -s out/conftest2.$objext; then - - # The compiler can only warn and ignore the option if not recognized - # So say no if there are warnings - if test -s out/conftest.err; then - lt_cv_compiler_c_o=no - else - lt_cv_compiler_c_o=yes - fi - else - # Append any errors to the config.log. - cat out/conftest.err 1>&5 - lt_cv_compiler_c_o=no - fi - CFLAGS="$save_CFLAGS" - chmod u+w . - $rm conftest* out/* - rmdir out - cd .. - rmdir conftest - $rm -r conftest 2>/dev/null -fi -compiler_c_o=$lt_cv_compiler_c_o -echo "${ac_t}$compiler_c_o" 1>&6 - -# Check to see if we can do hard links to lock some files if needed -hard_links="nottested" -if test "$compiler_c_o" = no && test "$need_locks" != no; then - # do not overwrite the value of need_locks provided by the user - echo $ac_n "checking if we can lock with hard links... $ac_c" 1>&6 - hard_links=yes - $rm conftest* - ln conftest.a conftest.b 2>/dev/null && hard_links=no - touch conftest.a - ln conftest.a conftest.b 2>&5 || hard_links=no - ln conftest.a conftest.b 2>/dev/null && hard_links=no - echo "$ac_t$hard_links" 1>&6 - $rm conftest* - if test "$hard_links" = no; then - echo "*** WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2 - need_locks=warn - fi -else - need_locks=no -fi - -if test "$with_gcc" = yes; then - # Check to see if options -fno-rtti -fno-exceptions are supported by compiler - echo $ac_n "checking if $compiler supports -fno-rtti -fno-exceptions ... 
$ac_c" 1>&6 - $rm conftest* - echo $lt_simple_compile_test_code > conftest.$ac_ext - save_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS -fno-rtti -fno-exceptions -c conftest.$ac_ext" - echo "$progname:887: checking if $compiler supports -fno-rtti -fno-exceptions" >&5 - if { (eval echo $progname:888: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>conftest.err; } && test -s conftest.$objext; then - - # The compiler can only warn and ignore the option if not recognized - # So say no if there are warnings - if test -s conftest.err; then - echo "$ac_t"no 1>&6 - compiler_rtti_exceptions=no - else - echo "$ac_t"yes 1>&6 - compiler_rtti_exceptions=yes - fi - else - # Append any errors to the config.log. - cat conftest.err 1>&5 - compiler_rtti_exceptions=no - echo "$ac_t"no 1>&6 - fi - CFLAGS="$save_CFLAGS" - $rm conftest* - - if test "$compiler_rtti_exceptions" = "yes"; then - no_builtin_flag=' -fno-builtin -fno-rtti -fno-exceptions' - else - no_builtin_flag=' -fno-builtin' - fi - -fi - -# See if the linker supports building shared libraries. -echo $ac_n "checking whether the linker ($LD) supports shared libraries... $ac_c" 1>&6 - -echo "$ac_t$ld_shlibs" 1>&6 -test "$ld_shlibs" = no && can_build_shared=no - -# Check hardcoding attributes. -echo $ac_n "checking how to hardcode library paths into programs... $ac_c" 1>&6 -hardcode_action= -if test -n "$hardcode_libdir_flag_spec" || \ - test -n "$runpath_var"; then - - # We can hardcode non-existant directories. - if test "$hardcode_direct" != no && - # If the only mechanism to avoid hardcoding is shlibpath_var, we - # have to relink, otherwise we might link with an installed library - # when we should be linking with a yet-to-be-installed one - ## test "$hardcode_shlibpath_var" != no && - test "$hardcode_minus_L" != no; then - # Linking always hardcodes the temporary library directory. - hardcode_action=relink - else - # We can link without hardcoding, and we can hardcode nonexisting dirs. 
- hardcode_action=immediate - fi -else - # We cannot hardcode anything, or else we can only hardcode existing - # directories. - hardcode_action=unsupported -fi -echo "$ac_t$hardcode_action" 1>&6 - -echo $ac_n "checking whether stripping libraries is possible... $ac_c" 1>&6 -if test -n "$STRIP" && $STRIP -V 2>&1 | grep "GNU strip" >/dev/null; then - test -z "$old_striplib" && old_striplib="$STRIP --strip-debug" - test -z "$striplib" && striplib="$STRIP --strip-unneeded" - echo "${ac_t}yes" 1>&6 -else - echo "${ac_t}no" 1>&6 -fi - -case $reload_flag in -"" | " "*) ;; -*) reload_flag=" $reload_flag" ;; -esac -reload_cmds='$LD$reload_flag -o $output$reload_objs' -test -z "$deplibs_check_method" && deplibs_check_method=unknown - -# PORTME Fill in your ld.so characteristics -library_names_spec= -libname_spec='lib$name' -soname_spec= -postinstall_cmds= -postuninstall_cmds= -finish_cmds= -finish_eval= -shlibpath_var= -shlibpath_overrides_runpath=unknown -version_type=none -dynamic_linker="$host_os ld.so" -sys_lib_dlsearch_path_spec="/lib /usr/lib" -sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib" - -echo $ac_n "checking dynamic linker characteristics... $ac_c" 1>&6 -case $host_os in -aix3*) - version_type=linux - library_names_spec='${libname}${release}.so$versuffix $libname.a' - shlibpath_var=LIBPATH - - # AIX 3 has no versioning support, so we append a major version to the name. - soname_spec='${libname}${release}.so$major' - ;; - -aix4* | aix5*) - if test "$host_cpu" = ia64; then - # AIX 5 supports IA64 - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so' - shlibpath_var=LD_LIBRARY_PATH - else - # AIX (on Power*) has no versioning support, so currently we can not hardcode correct - # soname into executable. Probably we can add versioning support to - # collect2, so additional links can be useful in future. 
- # We preserve .a as extension for shared libraries though AIX4.2 - # and later linker supports .so - if test "$aix_use_runtimelinking" = yes; then - # If using run time linking (on AIX 4.2 or later) use lib.so instead of - # lib.a to let people know that these are not typical AIX shared libraries. - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so' - else - # We preserve .a as extension for shared libraries though AIX4.2 - # and later when we are not doing run time linking. - library_names_spec='${libname}${release}.a $libname.a' - soname_spec='${libname}${release}.so$major.o' - fi - # If we're using GNU nm, then we don't want the "-C" option. - # -C means demangle to AIX nm, but means don't demangle with GNU nm - if $NM -V 2>&1 | egrep '(GNU)' > /dev/null; then - export_symbols_cmds='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols' - else - export_symbols_cmds='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols' - fi - shlibpath_var=LIBPATH - deplibs_check_method=pass_all - case $host_os in - aix4 | aix4.[01] | aix4.[01].*) - if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)' - echo ' yes ' - echo '#endif'; } | ${CC} -E - | grep yes > /dev/null; then - : - else - # With GCC up to 2.95.x, collect2 would create an import file - # for dependence libraries. The import file would start with - # the line `#! .'. This would cause the generated library to - # depend on `.', always an invalid library. This was fixed in - # development snapshots of GCC prior to 3.0. - can_build_shared=no - fi - ;; - esac - fi - ;; - -amigaos*) - library_names_spec='$libname.ixlibrary $libname.a' - # Create ${libname}_ixlibrary.a entries in /sys/libs. 
- finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "(cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a)"; (cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a) || exit 1; done' - ;; - -beos*) - library_names_spec='${libname}.so' - dynamic_linker="$host_os ld.so" - shlibpath_var=LIBRARY_PATH - lt_cv_dlopen="load_add_on" - lt_cv_dlopen_libs= - lt_cv_dlopen_self=yes - ;; - -bsdi4*) - version_type=linux - need_version=no - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so' - soname_spec='${libname}${release}.so$major' - finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir' - shlibpath_var=LD_LIBRARY_PATH - sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib" - sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib" - export_dynamic_flag_spec=-rdynamic - # the default ld.so.conf also contains /usr/contrib/lib and - # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow - # libtool to hard-code these into programs - ;; - -cygwin* | mingw* | pw32*) - version_type=windows - need_version=no - need_lib_prefix=no - case $with_gcc,$host_os in - yes,cygwin*) - library_names_spec='$libname.dll.a' - soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | [sed -e 's/[.]/-/g']`${versuffix}.dll' - postinstall_cmds='dlpath=`bash 2>&1 -c '\''. $dir/${file}i; echo \$dlname'\''`~ - dldir=$destdir/`dirname \$dlpath`~ - test -d \$dldir || mkdir -p \$dldir~ - $install_prog .libs/$dlname \$dldir/$dlname' - postuninstall_cmds='dldll=`bash 2>&1 -c '\''. 
$file; echo \$dlname'\''`~ - dlpath=$dir/\$dldll; $rm \$dlpath' - ;; - yes,mingw*) - library_names_spec='${libname}`echo ${release} | sed -e 's/[.]/-/g'`${versuffix}.dll' - sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | sed -e "s/^libraries://" -e "s/;/ /g"` - ;; - yes,pw32*) - library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | sed -e 's/[.]/-/g'`${versuffix}.dll' -;; - *) - library_names_spec='${libname}`echo ${release} | sed -e 's/[.]/-/g'`${versuffix}.dll $libname.lib' - ;; - esac - dynamic_linker='Win32 ld.exe' - # FIXME: first we should search . and the directory the executable is in - shlibpath_var=PATH - lt_cv_dlopen="LoadLibrary" - lt_cv_dlopen_libs= - ;; - -darwin* | rhapsody*) - dynamic_linker="$host_os dyld" - version_type=darwin - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${versuffix}.`test .$module = .yes && echo so || echo dylib` ${libname}${release}${major}.`test .$module = .yes && echo so || echo dylib` ${libname}.`test .$module = .yes && echo so || echo dylib`' - soname_spec='${libname}${release}${major}.`test .$module = .yes && echo so || echo dylib`' - shlibpath_overrides_runpath=yes - shlibpath_var=DYLD_LIBRARY_PATH - ;; - -freebsd1*) - dynamic_linker=no - ;; - -freebsd*) - objformat=`test -x /usr/bin/objformat && /usr/bin/objformat || echo aout` - version_type=sunos - case $objformat in - elf*) - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so' - soname_spec='${libname}${release}.so$major' - need_version=no - need_lc=no - need_lib_prefix=no - ;; - *) - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so' - need_version=yes - ;; - esac - shlibpath_var=LD_LIBRARY_PATH - case $host_os in - freebsd2*) - shlibpath_overrides_runpath=yes - ;; - *) - shlibpath_overrides_runpath=no - hardcode_into_libs=yes - ;; - esac - ;; - -gnu*) - version_type=linux - need_lib_prefix=no - 
need_version=no - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so${major} ${libname}.so' - soname_spec='${libname}${release}.so$major' - shlibpath_var=LD_LIBRARY_PATH - hardcode_into_libs=yes - ;; - -hpux9* | hpux10* | hpux11*) - # Give a soname corresponding to the major version so that dld.sl refuses to - # link against other versions. - dynamic_linker="$host_os dld.sl" - version_type=sunos - need_lib_prefix=no - need_version=no - shlibpath_var=SHLIB_PATH - shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH - library_names_spec='${libname}${release}.sl$versuffix ${libname}${release}.sl$major $libname.sl' - soname_spec='${libname}${release}.sl$major' - # HP-UX runs *really* slowly unless shared libraries are mode 555. - postinstall_cmds='chmod 555 $lib' - ;; - -irix5* | irix6*) - version_type=sunos - need_lib_prefix=no - need_version=no - soname_spec='${libname}${release}.so$major' - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major ${libname}${release}.so $libname.so' - case $host_os in - irix5*) - libsuff= shlibsuff= - ;; - *) - case $LD in # libtool.m4 will add one of these switches to LD - *-32|*"-32 ") libsuff= shlibsuff= libmagic=32-bit;; - *-n32|*"-n32 ") libsuff=32 shlibsuff=N32 libmagic=N32;; - *-64|*"-64 ") libsuff=64 shlibsuff=64 libmagic=64-bit;; - *) libsuff= shlibsuff= libmagic=never-match;; - esac - ;; - esac - shlibpath_var=LD_LIBRARY${shlibsuff}_PATH - shlibpath_overrides_runpath=no - sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}" - sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}" - ;; - -# No shared lib support for Linux oldld, aout, or coff. -linux-gnuoldld* | linux-gnuaout* | linux-gnucoff*) - dynamic_linker=no - ;; - -# This must be Linux ELF. 
-linux-gnu*) - version_type=sunos - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so' - soname_spec='${libname}${release}.so$major' - finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=no - # This implies no fast_install, which is unacceptable. - # Some rework will be needed to allow for fast_install - # before this can be enabled. - hardcode_into_libs=yes - - # We used to test for /lib/ld.so.1 and disable shared libraries on - # powerpc, because MkLinux only supported shared libraries with the - # GNU dynamic linker. Since this was broken with cross compilers, - # most powerpc-linux boxes support dynamic linking these days and - # people can always --disable-shared, the test was removed, and we - # assume the GNU/Linux dynamic linker is in use. - dynamic_linker='GNU/Linux ld.so' - ;; - -netbsd*) - need_lib_prefix=no - need_version=no - version_type=sunos - if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then - library_names_spec='${libname}${release}.so$versuffix ${libname}.so$versuffix' - finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir' - dynamic_linker='NetBSD (a.out) ld.so' - else - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major ${libname}${release}.so ${libname}.so' - soname_spec='${libname}${release}.so$major' - dynamic_linker='NetBSD ld.elf_so' - fi - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes - hardcode_into_libs=yes - sys_lib_dlsearch_path_spec="/usr/lib" - sys_lib_search_path_spec="/usr/lib" - ;; - -newsos6) - version_type=linux - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes - ;; - -openbsd*) - version_type=sunos - if test "$with_gnu_ld" = yes; then - need_lib_prefix=no - need_version=no - fi - 
library_names_spec='${libname}${release}.so$versuffix ${libname}.so$versuffix' - finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir' - shlibpath_var=LD_LIBRARY_PATH - ;; - -os2*) - libname_spec='$name' - need_lib_prefix=no - library_names_spec='$libname.dll $libname.a' - dynamic_linker='OS/2 ld.exe' - shlibpath_var=LIBPATH - ;; - -osf3* | osf4* | osf5*) - version_type=osf - need_version=no - soname_spec='${libname}${release}.so' - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so $libname.so' - shlibpath_var=LD_LIBRARY_PATH - sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib" - sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec" - ;; - -sco3.2v5*) - version_type=osf - soname_spec='${libname}${release}.so$major' - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so' - shlibpath_var=LD_LIBRARY_PATH - ;; - -solaris*) - version_type=sunos - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so' - soname_spec='${libname}${release}.so$major' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes - hardcode_into_libs=yes - # ldd complains unless libraries are executable - postinstall_cmds='chmod +x $lib' - ;; - -sunos4*) - version_type=sunos - library_names_spec='${libname}${release}.so$versuffix ${libname}.so$versuffix' - finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes - if test "$with_gnu_ld" = yes; then - need_lib_prefix=no - fi - need_version=yes - ;; - -sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*) - version_type=linux - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so' - soname_spec='${libname}${release}.so$major' - shlibpath_var=LD_LIBRARY_PATH - case $host_vendor in - motorola) - need_lib_prefix=no - need_version=no - 
shlibpath_overrides_runpath=no - sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib' - ;; - esac - ;; - -uts4*) - version_type=linux - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so' - soname_spec='${libname}${release}.so$major' - shlibpath_var=LD_LIBRARY_PATH - ;; - -dgux*) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so' - soname_spec='${libname}${release}.so$major' - shlibpath_var=LD_LIBRARY_PATH - ;; - -sysv4*MP*) - if test -d /usr/nec ;then - version_type=linux - library_names_spec='$libname.so.$versuffix $libname.so.$major $libname.so' - soname_spec='$libname.so.$major' - shlibpath_var=LD_LIBRARY_PATH - fi - ;; - -*) - dynamic_linker=no - ;; -esac -echo "$ac_t$dynamic_linker" 1>&6 -test "$dynamic_linker" = no && can_build_shared=no - -# Check for command to grab the raw symbol name followed by C symbol from nm. -echo $ac_n "checking command to parse $NM output... $ac_c" 1>&6 - -# These are sane defaults that work on at least a few old systems. -# [They come from Ultrix. What could be older than Ultrix?!! ;)] - -# Character class describing NM global symbol codes. -symcode='[BCDEGRST]' - -# Regexp to match symbols that can be accessed directly from C. -sympat='\([_A-Za-z][_A-Za-z0-9]*\)' - -# Transform the above into a raw symbol and a C symbol. -symxfrm='\1 \2\3 \3' - -# Transform an extracted symbol line into a proper C declaration -global_symbol_to_cdecl="sed -n -e 's/^. .* \(.*\)$/extern char \1;/p'" - -# Define system-specific variables. 
-case $host_os in -aix*) - symcode='[BCDT]' - ;; -cygwin* | mingw* | pw32*) - symcode='[ABCDGISTW]' - ;; -hpux*) # Its linker distinguishes data from code symbols - global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern char \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'" - ;; -irix*) - symcode='[BCDEGRST]' - ;; -solaris* | sysv5*) - symcode='[BDT]' - ;; -sysv4) - symcode='[DFNSTU]' - ;; -esac - -# Handle CRLF in mingw tool chain -opt_cr= -case $host_os in -mingw*) - opt_cr=`echo 'x\{0,1\}' | tr x '\015'` # option cr in regexp - ;; -esac - -# If we're using GNU nm, then use its standard symbol codes. -if $NM -V 2>&1 | egrep '(GNU|with BFD)' > /dev/null; then - symcode='[ABCDGISTW]' -fi - -# Try without a prefix undercore, then with it. -for ac_symprfx in "" "_"; do - - # Write the raw and C identifiers. - global_symbol_pipe="sed -n -e 's/^.*[ ]\($symcode$symcode*\)[ ][ ]*\($ac_symprfx\)$sympat$opt_cr$/$symxfrm/p'" - - # Check to see that the pipe works correctly. - pipe_works=no - $rm conftest* - cat > conftest.$ac_ext <&5 - if { (eval echo $progname:1434: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; } && test -s conftest.$objext; then - # Now try to grab the symbols. - nlist=conftest.nm - if { echo "$progname:1437: eval \"$NM conftest.$objext | $global_symbol_pipe > $nlist\"" >&5; eval "$NM conftest.$objext | $global_symbol_pipe > $nlist 2>&5"; } && test -s "$nlist"; then - - # Try sorting and uniquifying the output. - if sort "$nlist" | uniq > "$nlist"T; then - mv -f "$nlist"T "$nlist" - else - rm -f "$nlist"T - fi - - # Make sure that we snagged all the symbols we need. - if egrep ' nm_test_var$' "$nlist" >/dev/null; then - if egrep ' nm_test_func$' "$nlist" >/dev/null; then - cat < conftest.$ac_ext -#ifdef __cplusplus -extern "C" { -#endif - -EOF - # Now generate the symbol file. 
- eval "$global_symbol_to_cdecl"' < "$nlist" >> conftest.$ac_ext' - - cat <> conftest.$ac_ext -#if defined (__STDC__) && __STDC__ -# define lt_ptr_t void * -#else -# define lt_ptr_t char * -# define const -#endif - -/* The mapping between symbol names and symbols. */ -const struct { - const char *name; - lt_ptr_t address; -} -lt_preloaded_symbols[] = -{ -EOF - sed "s/^$symcode$symcode* \(.*\) \(.*\)$/ {\"\2\", (lt_ptr_t) \&\2},/" < "$nlist" >> conftest.$ac_ext - cat <<\EOF >> conftest.$ac_ext - {0, (lt_ptr_t) 0} -}; - -#ifdef __cplusplus -} -#endif -EOF - # Now try linking the two files. - mv conftest.$objext conftstm.$objext - save_LIBS="$LIBS" - save_CFLAGS="$CFLAGS" - LIBS="conftstm.$objext" - CFLAGS="$CFLAGS$no_builtin_flag" - if { (eval echo $progname:1489: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then - pipe_works=yes - else - echo "$progname: failed program was:" >&5 - cat conftest.$ac_ext >&5 - fi - LIBS="$save_LIBS" - else - echo "cannot find nm_test_func in $nlist" >&5 - fi - else - echo "cannot find nm_test_var in $nlist" >&5 - fi - else - echo "cannot run $global_symbol_pipe" >&5 - fi - else - echo "$progname: failed program was:" >&5 - cat conftest.$ac_ext >&5 - fi - $rm conftest* conftst* - - # Do not use the global_symbol_pipe unless it works. - if test "$pipe_works" = yes; then - break - else - global_symbol_pipe= - fi -done -if test "$pipe_works" = yes; then - echo "${ac_t}ok" 1>&6 -else - echo "${ac_t}failed" 1>&6 -fi - -if test -z "$global_symbol_pipe"; then - global_symbol_to_cdecl= -fi - -# Report the final consequences. -echo "checking if libtool supports shared libraries... $can_build_shared" 1>&6 - -# Only try to build win32 dlls if AC_LIBTOOL_WIN32_DLL was used in -# configure.in, otherwise build static only libraries. -case $host_os in -cygwin* | mingw* | pw32* | os2*) - if test x$can_build_shared = xyes; then - test x$enable_win32_dll = xno && can_build_shared=no - echo "checking if package supports dlls... 
$can_build_shared" 1>&6 - fi -;; -esac - -echo $ac_n "checking whether to build shared libraries... $ac_c" 1>&6 -test "$can_build_shared" = "no" && enable_shared=no - -# On AIX, shared libraries and static libraries use the same namespace, and -# are all built from PIC. -case $host_os in -aix3*) - test "$enable_shared" = yes && enable_static=no - if test -n "$RANLIB"; then - archive_cmds="$archive_cmds~\$RANLIB \$lib" - postinstall_cmds='$RANLIB $lib' - fi - ;; - -aix4*) - test "$enable_shared" = yes && enable_static=no - ;; -esac - -echo "$ac_t$enable_shared" 1>&6 - -# Make sure either enable_shared or enable_static is yes. -test "$enable_shared" = yes || enable_static=yes - -echo "checking whether to build static libraries... $enable_static" 1>&6 - -if test "$hardcode_action" = relink; then - # Fast installation is not supported - enable_fast_install=no -elif test "$shlibpath_overrides_runpath" = yes || - test "$enable_shared" = no; then - # Fast installation is not necessary - enable_fast_install=needless -fi - -variables_saved_for_relink="PATH $shlibpath_var $runpath_var" -if test "$with_gcc" = yes; then - variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH" -fi - -# Check whether we must set pic_mode to default -test -z "$pic_flag" && pic_mode=default - -if test "x$enable_dlopen" != xyes; then - enable_dlopen=unknown - enable_dlopen_self=unknown - enable_dlopen_self_static=unknown -else -if test "X${lt_cv_dlopen+set}" != Xset; then - lt_cv_dlopen=no lt_cv_dlopen_libs= -echo $ac_n "checking for dlopen in -ldl""... 
$ac_c" 1>&6 -echo "$progname:1593: checking for dlopen in -ldl" >&5 -if test "X${ac_cv_lib_dl_dlopen+set}" = Xset; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - ac_save_LIBS="$LIBS" -LIBS="-ldl $LIBS" -cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_lib_dl_dlopen=yes -else - echo "$progname: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - ac_cv_lib_dl_dlopen=no -fi -rm -f conftest* -LIBS="$ac_save_LIBS" - -fi -if test "X$ac_cv_lib_dl_dlopen" = Xyes; then - echo "$ac_t""yes" 1>&6 - lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl" -else - echo "$ac_t""no" 1>&6 -echo $ac_n "checking for dlopen""... $ac_c" 1>&6 -echo "$progname:1632: checking for dlopen" >&5 -if test "X${ac_cv_func_dlopen+set}" = Xset; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - cat > conftest.$ac_ext < -/* Override any gcc2 internal prototype to avoid an error. */ -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char dlopen(); - -int main() { - -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_dlopen) || defined (__stub___dlopen) -choke me -#else -dlopen(); -#endif - -; return 0; } -EOF -if { (eval echo $progname:1662: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_func_dlopen=yes -else - echo "$progname: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - ac_cv_func_dlopen=no -fi -rm -f conftest* -fi -if test "X$ac_cv_func_dlopen" = Xyes; then - echo "$ac_t""yes" 1>&6 - lt_cv_dlopen="dlopen" -else - echo "$ac_t""no" 1>&6 -echo $ac_n "checking for dlopen in -lsvld""... 
$ac_c" 1>&6 -echo "$progname:1679: checking for dlopen in -lsvld" >&5 -if test "X${ac_cv_lib_svld_dlopen+set}" = Xset; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - ac_save_LIBS="$LIBS" -LIBS="-lsvld $LIBS" -cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_lib_svld_dlopen=yes -else - echo "$progname: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - ac_cv_lib_svld_dlopen=no -fi -rm -f conftest* -LIBS="$ac_save_LIBS" - -fi -if test "X$ac_cv_lib_svld_dlopen" = Xyes; then - echo "$ac_t""yes" 1>&6 - lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld" -else - echo "$ac_t""no" 1>&6 -echo $ac_n "checking for dld_link in -ldld""... $ac_c" 1>&6 -echo "$progname:1718: checking for dld_link in -ldld" >&5 -if test "X${ac_cv_lib_dld_dld_link+set}" = Xset; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - ac_save_LIBS="$LIBS" -LIBS="-ldld $LIBS" -cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_lib_dld_dld_link=yes -else - echo "$progname: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - ac_cv_lib_dld_dld_link=no -fi -rm -f conftest* -LIBS="$ac_save_LIBS" - -fi -if test "X$ac_cv_lib_dld_dld_link" = Xyes; then - echo "$ac_t""yes" 1>&6 - lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-ldld" -else - echo "$ac_t""no" 1>&6 -echo $ac_n "checking for shl_load""... $ac_c" 1>&6 -echo "$progname:1757: checking for shl_load" >&5 -if test "X${ac_cv_func_shl_load+set}" = Xset; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - cat > conftest.$ac_ext < -/* Override any gcc2 internal prototype to avoid an error. */ -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char shl_load(); - -int main() { - -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. 
Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_shl_load) || defined (__stub___shl_load) -choke me -#else -shl_load(); -#endif - -; return 0; } -EOF -if { (eval echo $progname:1787: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_func_shl_load=yes -else - echo "$progname: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - ac_cv_func_shl_load=no -fi -rm -f conftest* -fi - -if test "X$ac_cv_func_shl_load" = Xyes; then - echo "$ac_t""yes" 1>&6 - lt_cv_dlopen="shl_load" -else - echo "$ac_t""no" 1>&6 -echo $ac_n "checking for shl_load in -ldld""... $ac_c" 1>&6 -echo "$progname:1805: checking for shl_load in -ldld" >&5 -if test "X${ac_cv_lib_dld_shl_load+set}" = Xset; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - ac_save_LIBS="$LIBS" -LIBS="-ldld $LIBS" -cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_lib_dld_shl_load=yes -else - echo "$progname: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - ac_cv_lib_dld_shl_load=no -fi -rm -f conftest* -LIBS="$ac_save_LIBS" - -fi -if test "X$ac_cv_lib_dld_shl_load" = Xyes; then - echo "$ac_t""yes" 1>&6 - lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-ldld" -else - echo "$ac_t""no" 1>&6 -fi - - -fi - - -fi - - -fi - - -fi - -fi - -fi - - if test "x$lt_cv_dlopen" != xno; then - enable_dlopen=yes - else - enable_dlopen=no - fi - - case $lt_cv_dlopen in - dlopen) -for ac_hdr in dlfcn.h; do -ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` -echo $ac_n "checking for $ac_hdr""... 
$ac_c" 1>&6 -echo "$progname:1873: checking for $ac_hdr" >&5 -if eval "test \"`echo 'X$''{'ac_cv_header_$ac_safe'+set}'`\" = Xset"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - cat > conftest.$ac_ext < -int fnord = 0; -int main () { return(0); } -EOF -ac_try="$ac_compile >/dev/null 2>conftest.out" -{ (eval echo $progname:1884: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } -ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` -if test -z "$ac_err"; then - rm -rf conftest* - eval "ac_cv_header_$ac_safe=yes" -else - echo "$ac_err" >&5 - echo "$progname: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - eval "ac_cv_header_$ac_safe=no" -fi -rm -f conftest* -fi -if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then - echo "$ac_t""yes" 1>&6 -else - echo "$ac_t""no" 1>&6 -fi -done - - if test "x$ac_cv_header_dlfcn_h" = xyes; then - CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H" - fi - eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\" - LIBS="$lt_cv_dlopen_libs $LIBS" - - echo $ac_n "checking whether a program can dlopen itself""... $ac_c" 1>&6 -echo "$progname:1912: checking whether a program can dlopen itself" >&5 -if test "X${lt_cv_dlopen_self+set}" = Xset; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - if test "$cross_compiling" = yes; then - lt_cv_dlopen_self=cross - else - cat > conftest.$ac_ext < -#endif - -#include - -#ifdef RTLD_GLOBAL -# define LTDL_GLOBAL RTLD_GLOBAL -#else -# ifdef DL_GLOBAL -# define LTDL_GLOBAL DL_GLOBAL -# else -# define LTDL_GLOBAL 0 -# endif -#endif - -/* We may have to define LTDL_LAZY_OR_NOW in the command line if we - find out it does not work in some platform. 
*/ -#ifndef LTDL_LAZY_OR_NOW -# ifdef RTLD_LAZY -# define LTDL_LAZY_OR_NOW RTLD_LAZY -# else -# ifdef DL_LAZY -# define LTDL_LAZY_OR_NOW DL_LAZY -# else -# ifdef RTLD_NOW -# define LTDL_LAZY_OR_NOW RTLD_NOW -# else -# ifdef DL_NOW -# define LTDL_LAZY_OR_NOW DL_NOW -# else -# define LTDL_LAZY_OR_NOW 0 -# endif -# endif -# endif -# endif -#endif - -void fnord() { int i=42; } -int main() { - void *self, *ptr1, *ptr2; self=dlopen(0,LTDL_GLOBAL|LTDL_LAZY_OR_NOW); - if(self) { ptr1=dlsym(self,"fnord"); ptr2=dlsym(self,"_fnord"); - if(ptr1 || ptr2) { dlclose(self); exit(0); } } exit(1); } - -EOF -if { (eval echo $progname:1967: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest && (./conftest; exit) 2>/dev/null -then - lt_cv_dlopen_self=yes -else - echo "$progname: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -fr conftest* - lt_cv_dlopen_self=no -fi -rm -fr conftest* -fi - -fi - -echo "$ac_t""$lt_cv_dlopen_self" 1>&6 - - if test "$lt_cv_dlopen_self" = yes; then - LDFLAGS="$LDFLAGS $link_static_flag" - echo $ac_n "checking whether a statically linked program can dlopen itself""... $ac_c" 1>&6 -echo "$progname:1986: checking whether a statically linked program can dlopen itself" >&5 -if test "X${lt_cv_dlopen_self_static+set}" = Xset; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - if test "$cross_compiling" = yes; then - lt_cv_dlopen_self_static=cross - else - cat > conftest.$ac_ext < -#endif - -#include - -#ifdef RTLD_GLOBAL -# define LTDL_GLOBAL RTLD_GLOBAL -#else -# ifdef DL_GLOBAL -# define LTDL_GLOBAL DL_GLOBAL -# else -# define LTDL_GLOBAL 0 -# endif -#endif - -/* We may have to define LTDL_LAZY_OR_NOW in the command line if we - find out it does not work in some platform. 
*/ -#ifndef LTDL_LAZY_OR_NOW -# ifdef RTLD_LAZY -# define LTDL_LAZY_OR_NOW RTLD_LAZY -# else -# ifdef DL_LAZY -# define LTDL_LAZY_OR_NOW DL_LAZY -# else -# ifdef RTLD_NOW -# define LTDL_LAZY_OR_NOW RTLD_NOW -# else -# ifdef DL_NOW -# define LTDL_LAZY_OR_NOW DL_NOW -# else -# define LTDL_LAZY_OR_NOW 0 -# endif -# endif -# endif -# endif -#endif - -void fnord() { int i=42; } -int main() { - void *self, *ptr1, *ptr2; self=dlopen(0,LTDL_GLOBAL|LTDL_LAZY_OR_NOW); - if(self) { ptr1=dlsym(self,"fnord"); ptr2=dlsym(self,"_fnord"); - if(ptr1 || ptr2) { dlclose(self); exit(0); } } exit(1); } - -EOF -if { (eval echo $progname:2041: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest && (./conftest; exit) 2>/dev/null -then - lt_cv_dlopen_self_static=yes -else - echo "$progname: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -fr conftest* - lt_cv_dlopen_self_static=no -fi -rm -fr conftest* -fi - -fi - -echo "$ac_t""$lt_cv_dlopen_self_static" 1>&6 -fi - ;; - esac - - case $lt_cv_dlopen_self in - yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;; - *) enable_dlopen_self=unknown ;; - esac - - case $lt_cv_dlopen_self_static in - yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;; - *) enable_dlopen_self_static=unknown ;; - esac -fi - -# Copy echo and quote the copy, instead of the original, because it is -# used later. -ltecho="$echo" -if test "X$ltecho" = "X$CONFIG_SHELL $0 --fallback-echo"; then - ltecho="$CONFIG_SHELL \$0 --fallback-echo" -fi -LTSHELL="$SHELL" - -LTCONFIG_VERSION="$VERSION" - -# Only quote variables if we're using ltmain.sh. -case $ltmain in -*.sh) - # Now quote all the things that may contain metacharacters. 
- for var in ltecho old_AR old_AR_FLAGS old_CC old_LTCC old_CFLAGS old_CPPFLAGS \ - old_MAGIC_CMD old_LD old_LDFLAGS old_LIBS \ - old_LN_S old_NM old_RANLIB old_STRIP \ - old_AS old_DLLTOOL old_OBJDUMP \ - old_OBJEXT old_EXEEXT old_reload_flag \ - old_deplibs_check_method old_file_magic_cmd \ - AR AR_FLAGS CC LTCC LD LN_S NM LTSHELL LTCONFIG_VERSION \ - reload_flag reload_cmds wl \ - pic_flag link_static_flag no_builtin_flag export_dynamic_flag_spec \ - thread_safe_flag_spec whole_archive_flag_spec libname_spec \ - library_names_spec soname_spec \ - RANLIB old_archive_cmds old_archive_from_new_cmds old_postinstall_cmds \ - old_postuninstall_cmds archive_cmds archive_expsym_cmds postinstall_cmds \ - postuninstall_cmds extract_expsyms_cmds old_archive_from_expsyms_cmds \ - predep_objects postdep_objects predeps postdeps compiler_lib_search_path \ - old_striplib striplib file_magic_cmd export_symbols_cmds \ - deplibs_check_method allow_undefined_flag no_undefined_flag \ - finish_cmds finish_eval global_symbol_pipe global_symbol_to_cdecl \ - hardcode_libdir_flag_spec hardcode_libdir_separator \ - sys_lib_search_path_spec sys_lib_dlsearch_path_spec \ - compiler_c_o need_locks exclude_expsyms include_expsyms; do - - case $var in - reload_cmds | old_archive_cmds | old_archive_from_new_cmds | \ - old_postinstall_cmds | old_postuninstall_cmds | \ - export_symbols_cmds | archive_cmds | archive_expsym_cmds | \ - extract_expsyms_cmds | old_archive_from_expsyms_cmds | \ - postinstall_cmds | postuninstall_cmds | \ - finish_cmds | sys_lib_search_path_spec | sys_lib_dlsearch_path_spec) - # Double-quote double-evaled strings. 
- eval "$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\"" ### testsuite: skip nested quoting test - ;; - *) - eval "$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\"" ### testsuite: skip nested quoting test - ;; - esac - done - - case $ltecho in - *'\$0 --fallback-echo"') - ltecho=`$echo "X$ltecho" | $Xsed -e 's/\\\\\\\$0 --fallback-echo"$/$0 --fallback-echo"/'` - ;; - esac - - if test -z "$tagname"; then - trap "$rm \"$ofile\"; exit 1" 1 2 15 - echo "creating $ofile" - $rm "$ofile" - cat < "$ofile" -#! $SHELL - -# `$echo "$ofile" | sed 's%^.*/%%'` - Provide generalized library-building support services. -# Generated automatically by $PROGRAM (GNU $PACKAGE $VERSION$TIMESTAMP) -# NOTE: Changes made to this file will be lost: look at ltconfig or ltmain.sh. -# -# Copyright (C) 1996-2000 Free Software Foundation, Inc. -# Originally by Gordon Matzigkeit , 1996 -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -# -# As a special exception to the GNU General Public License, if you -# distribute this file as part of a program that contains a -# configuration script generated by Autoconf, you may include it under -# the same distribution terms that you use for the rest of that program. 
- -# Sed that helps us avoid accidentally triggering echo(1) options like -n. -Xsed="sed -e s/^X//" - -# The HP-UX ksh and POSIX shell print the target directory to stdout -# if CDPATH is set. -if test "X\${CDPATH+set}" = Xset; then CDPATH=:; export CDPATH; fi - -# The names of the tagged configurations supported by this script. -available_tags= - -### BEGIN LIBTOOL CONFIG -EOF - else - echo "appending configuration tag \"$tagname\" to $ofile" - echo "### BEGIN LIBTOOL TAG CONFIG: $tagname" >> "$ofile" - fi - cfgfile="$ofile" - ;; - -*) - # Double-quote the variables that need it (for aesthetics). - for var in old_AR old_AR_FLAGS old_CC old_LTCC old_CFLAGS old_CPPFLAGS \ - old_MAGIC_CMD old_LD old_LDFLAGS old_LIBS \ - old_LN_S old_NM old_RANLIB old_STRIP \ - old_AS old_DLLTOOL old_OBJDUMP \ - old_OBJEXT old_EXEEXT old_reload_flag \ - old_deplibs_check_method old_file_magic_cmd; do - eval "$var=\\\"\$var\\\"" - done - - # Just create a config file. - cfgfile="$ofile.cfg" - if test -z "$tagname"; then - trap "$rm \"$cfgfile\"; exit 1" 1 2 15 - echo "creating $cfgfile" - $rm "$cfgfile" - cat < "$cfgfile" -# `$echo "$cfgfile" | sed 's%^.*/%%'` - Libtool configuration file. 
-# Generated automatically by $PROGRAM (GNU $PACKAGE $VERSION$TIMESTAMP) - -### BEGIN LIBTOOL CONFIG -EOF - else - echo "appending to $cfgfile" - echo "### BEGIN LIBTOOL TAG CONFIG: $tagname" >> "$ofile" - fi - ;; -esac - -cat <> "$cfgfile" -# Libtool was configured as follows, on host `(hostname || uname -n) 2>/dev/null | sed 1q`: -# -# AR=$old_AR AR_FLAGS=$old_AR_FLAGS LTCC=$old_LTCC CC=$old_CC \\ -# CFLAGS=$old_CFLAGS CPPFLAGS=$old_CPPFLAGS \\ -# MAGIC_CMD=$old_MAGIC_CMD LD=$old_LD LDFLAGS=$old_LDFLAGS LIBS=$old_LIBS \\ -# LN_S=$old_LN_S NM=$old_NM RANLIB=$old_RANLIB STRIP=$old_STRIP \\ -# AS=$old_AS DLLTOOL=$old_DLLTOOL OBJDUMP=$old_OBJDUMP \\ -# objext=$old_OBJEXT exeext=$old_EXEEXT reload_flag=$old_reload_flag \\ -# deplibs_check_method=$old_deplibs_check_method \\ -# file_magic_cmd=$old_file_magic_cmd \\ -# $0$ltconfig_args -# -# Compiler and other test output produced by $progname, useful for -# debugging $progname, is in ./config.log if it exists. - -# The version of $progname that generated this script. -LTCONFIG_VERSION=$LTCONFIG_VERSION - -# Shell to use when invoking shell scripts. -SHELL=$LTSHELL - -# Whether or not to build shared libraries. -build_libtool_libs=$enable_shared - -# Whether or not to add -lc for building shared libraries. -build_libtool_need_lc=$need_lc - -# Whether or not to build static libraries. -build_old_libs=$enable_static - -# Whether or not to optimize for fast installation. -fast_install=$enable_fast_install - -# The host system. -host_alias=$host_alias -host=$host - -# An echo program that does not interpret backslashes. -echo=$ltecho - -# The archiver. -AR=$AR -AR_FLAGS=$AR_FLAGS - -# A C compiler. -LTCC=$LTCC - -# A language-specific compiler. -CC=$CC - -# Is the compiler the GNU C compiler? -with_gcc=$with_gcc - -# The linker used to build libraries. -LD=$LD - -# Whether we need hard or soft links. -LN_S=$LN_S - -# A BSD-compatible nm program. 
-NM=$NM - -# A symbol stripping program -STRIP=$STRIP - -# Used to examine libraries when file_magic_cmd begins "file" -MAGIC_CMD=$MAGIC_CMD - -# Used on cygwin: DLL creation program. -DLLTOOL="$DLLTOOL" - -# Used on cygwin: object dumper. -OBJDUMP="$OBJDUMP" - -# Used on cygwin: assembler. -AS="$AS" - -# The name of the directory that contains temporary libtool files. -objdir=$objdir - -# How to create reloadable object files. -reload_flag=$reload_flag -reload_cmds=$reload_cmds - -# How to pass a linker flag through the compiler. -wl=$wl - -# Object file suffix (normally "o"). -objext="$objext" - -# Old archive suffix (normally "a"). -libext="$libext" - -# Executable file suffix (normally ""). -exeext="$exeext" - -# Additional compiler flags for building library objects. -pic_flag=$pic_flag -pic_mode=$pic_mode - -# What is the maximum length of a command? -max_cmd_len=$max_cmd_len - -# Does compiler simultaneously support -c and -o options? -compiler_c_o=$compiler_c_o - -# Must we lock files when doing compilation ? -need_locks=$need_locks - -# Do we need the lib prefix for modules? -need_lib_prefix=$need_lib_prefix - -# Do we need a version for libraries? -need_version=$need_version - -# Whether dlopen is supported. -dlopen_support=$enable_dlopen - -# Whether dlopen of programs is supported. -dlopen_self=$enable_dlopen_self - -# Whether dlopen of statically linked programs is supported. -dlopen_self_static=$enable_dlopen_self_static - -# Compiler flag to prevent dynamic linking. -link_static_flag=$link_static_flag - -# Compiler flag to turn off builtin functions. -no_builtin_flag=$no_builtin_flag - -# Compiler flag to allow reflexive dlopens. -export_dynamic_flag_spec=$export_dynamic_flag_spec - -# Compiler flag to generate shared objects directly from archives. -whole_archive_flag_spec=$whole_archive_flag_spec - -# Compiler flag to generate thread-safe objects. -thread_safe_flag_spec=$thread_safe_flag_spec - -# Library versioning type. 
-version_type=$version_type - -# Format of library name prefix. -libname_spec=$libname_spec - -# List of archive names. First name is the real one, the rest are links. -# The last name is the one that the linker finds with -lNAME. -library_names_spec=$library_names_spec - -# The coded name of the library, if different from the real name. -soname_spec=$soname_spec - -# Commands used to build and install an old-style archive. -RANLIB=$RANLIB -old_archive_cmds=$old_archive_cmds -old_postinstall_cmds=$old_postinstall_cmds -old_postuninstall_cmds=$old_postuninstall_cmds - -# Create an old-style archive from a shared archive. -old_archive_from_new_cmds=$old_archive_from_new_cmds - -# Create a temporary old-style archive to link instead of a shared archive. -old_archive_from_expsyms_cmds=$old_archive_from_expsyms_cmds - -# Commands used to build and install a shared archive. -archive_cmds=$archive_cmds -archive_expsym_cmds=$archive_expsym_cmds -postinstall_cmds=$postinstall_cmds -postuninstall_cmds=$postuninstall_cmds - -# Commands to strip libraries. -old_striplib=$old_striplib -striplib=$striplib - -# Dependencies to place before the objects being linked to create a -# shared library. -predep_objects=$predep_objects - -# Dependencies to place after the objects being linked to create a -# shared library. -postdep_objects=$postdep_objects - -# Dependencies to place before the objects being linked to create a -# shared library. -predeps=$predeps - -# Dependencies to place after the objects being linked to create a -# shared library. -postdeps=$postdeps - -# The library search path used internally by the compiler when linking -# a shared library. -compiler_lib_search_path=$compiler_lib_search_path - -# Method to check whether dependent libraries are shared objects. -deplibs_check_method=$deplibs_check_method - -# Command to use when deplibs_check_method == file_magic. -file_magic_cmd=$file_magic_cmd - -# Flag that allows shared libraries with undefined symbols to be built. 
-allow_undefined_flag=$allow_undefined_flag - -# Flag that forces no undefined symbols. -no_undefined_flag=$no_undefined_flag - -# Commands used to finish a libtool library installation in a directory. -finish_cmds=$finish_cmds - -# Same as above, but a single script fragment to be evaled but not shown. -finish_eval=$finish_eval - -# Take the output of nm and produce a listing of raw symbols and C names. -global_symbol_pipe=$global_symbol_pipe - -# Transform the output of nm in a proper C declaration -global_symbol_to_cdecl=$global_symbol_to_cdecl - -# This is the shared library runtime path variable. -runpath_var=$runpath_var - -# This is the shared library path variable. -shlibpath_var=$shlibpath_var - -# Is shlibpath searched before the hard-coded library search path? -shlibpath_overrides_runpath=$shlibpath_overrides_runpath - -# How to hardcode a shared library path into an executable. -hardcode_action=$hardcode_action - -# Whether we should hardcode library paths into libraries. -hardcode_into_libs=$hardcode_into_libs - -# Flag to hardcode \$libdir into a binary during linking. -# This must work even if \$libdir does not exist. -hardcode_libdir_flag_spec=$hardcode_libdir_flag_spec - -# Whether we need a single -rpath flag with a separated argument. -hardcode_libdir_separator=$hardcode_libdir_separator - -# Set to yes if using DIR/libNAME.so during linking hardcodes DIR into the -# resulting binary. -hardcode_direct=$hardcode_direct - -# Set to yes if using the -LDIR flag during linking hardcodes DIR into the -# resulting binary. -hardcode_minus_L=$hardcode_minus_L - -# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into -# the resulting binary. -hardcode_shlibpath_var=$hardcode_shlibpath_var - -# Variables whose values should be saved in libtool wrapper scripts and -# restored at relink time. -variables_saved_for_relink="$variables_saved_for_relink" - -# Whether libtool must link a program against all its dependency libraries. 
-link_all_deplibs=$link_all_deplibs - -# Compile-time system search path for libraries -sys_lib_search_path_spec=$sys_lib_search_path_spec - -# Run-time system search path for libraries -sys_lib_dlsearch_path_spec=$sys_lib_dlsearch_path_spec - -# Fix the shell variable \$srcfile for the compiler. -fix_srcfile_path="$fix_srcfile_path" - -# Set to yes if exported symbols are required. -always_export_symbols=$always_export_symbols - -# The commands to list exported symbols. -export_symbols_cmds=$export_symbols_cmds - -# The commands to extract the exported symbol list from a shared archive. -extract_expsyms_cmds=$extract_expsyms_cmds - -# Symbols that should not be listed in the preloaded symbols. -exclude_expsyms=$exclude_expsyms - -# Symbols that must always be exported. -include_expsyms=$include_expsyms - -EOF - -if test -z "$tagname"; then - echo '### END LIBTOOL CONFIG' >> "$ofile" -else - echo "### END LIBTOOL TAG CONFIG: $tagname" >> "$ofile" -fi - -case $ltmain in -*.sh) - echo >> "$ofile" - if test -z "$tagname"; then - case $host_os in - aix3*) - cat <<\EOF >> "$ofile" - -# AIX sometimes has problems with the GCC collect2 program. For some -# reason, if we set the COLLECT_NAMES environment variable, the problems -# vanish in a puff of smoke. 
-if test "X${COLLECT_NAMES+set}" != Xset; then - COLLECT_NAMES= - export COLLECT_NAMES -fi -EOF - ;; - esac - case $host in - *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*) - cat <<'EOF' >> "$ofile" - # This is a source program that is used to create dlls on Windows - # Don't remove nor modify the starting and closing comments -# /* ltdll.c starts here */ -# #define WIN32_LEAN_AND_MEAN -# #include -# #undef WIN32_LEAN_AND_MEAN -# #include -# -# #ifndef __CYGWIN__ -# # ifdef __CYGWIN32__ -# # define __CYGWIN__ __CYGWIN32__ -# # endif -# #endif -# -# #ifdef __cplusplus -# extern "C" { -# #endif -# BOOL APIENTRY DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved); -# #ifdef __cplusplus -# } -# #endif -# -# #ifdef __CYGWIN__ -# #include -# DECLARE_CYGWIN_DLL( DllMain ); -# #endif -# HINSTANCE __hDllInstance_base; -# -# BOOL APIENTRY -# DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved) -# { -# __hDllInstance_base = hInst; -# return TRUE; -# } -# /* ltdll.c ends here */ - # This is a source program that is used to create import libraries - # on Windows for dlls which lack them. Don't remove nor modify the - # starting and closing comments -# /* impgen.c starts here */ -# /* Copyright (C) 1999-2000 Free Software Foundation, Inc. -# -# This file is part of GNU libtool. -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. 
-# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -# */ -# -# #include /* for printf() */ -# #include /* for open(), lseek(), read() */ -# #include /* for O_RDONLY, O_BINARY */ -# #include /* for strdup() */ -# -# /* O_BINARY isn't required (or even defined sometimes) under Unix */ -# #ifndef O_BINARY -# #define O_BINARY 0 -# #endif -# -# static unsigned int -# pe_get16 (fd, offset) -# int fd; -# int offset; -# { -# unsigned char b[2]; -# lseek (fd, offset, SEEK_SET); -# read (fd, b, 2); -# return b[0] + (b[1]<<8); -# } -# -# static unsigned int -# pe_get32 (fd, offset) -# int fd; -# int offset; -# { -# unsigned char b[4]; -# lseek (fd, offset, SEEK_SET); -# read (fd, b, 4); -# return b[0] + (b[1]<<8) + (b[2]<<16) + (b[3]<<24); -# } -# -# static unsigned int -# pe_as32 (ptr) -# void *ptr; -# { -# unsigned char *b = ptr; -# return b[0] + (b[1]<<8) + (b[2]<<16) + (b[3]<<24); -# } -# -# int -# main (argc, argv) -# int argc; -# char *argv[]; -# { -# int dll; -# unsigned long pe_header_offset, opthdr_ofs, num_entries, i; -# unsigned long export_rva, export_size, nsections, secptr, expptr; -# unsigned long name_rvas, nexp; -# unsigned char *expdata, *erva; -# char *filename, *dll_name; -# -# filename = argv[1]; -# -# dll = open(filename, O_RDONLY|O_BINARY); -# if (dll < 1) -# return 1; -# -# dll_name = filename; -# -# for (i=0; filename[i]; i++) -# if (filename[i] == '/' || filename[i] == '\\' || filename[i] == ':') -# dll_name = filename + i +1; -# -# pe_header_offset = pe_get32 (dll, 0x3c); -# opthdr_ofs = pe_header_offset + 4 + 20; -# num_entries = pe_get32 (dll, opthdr_ofs + 92); -# -# if (num_entries < 1) /* no exports */ -# return 1; -# -# export_rva = pe_get32 (dll, opthdr_ofs + 96); -# export_size = pe_get32 (dll, opthdr_ofs + 100); -# nsections = pe_get16 (dll, pe_header_offset + 4 +2); -# secptr = 
(pe_header_offset + 4 + 20 + -# pe_get16 (dll, pe_header_offset + 4 + 16)); -# -# expptr = 0; -# for (i = 0; i < nsections; i++) -# { -# char sname[8]; -# unsigned long secptr1 = secptr + 40 * i; -# unsigned long vaddr = pe_get32 (dll, secptr1 + 12); -# unsigned long vsize = pe_get32 (dll, secptr1 + 16); -# unsigned long fptr = pe_get32 (dll, secptr1 + 20); -# lseek(dll, secptr1, SEEK_SET); -# read(dll, sname, 8); -# if (vaddr <= export_rva && vaddr+vsize > export_rva) -# { -# expptr = fptr + (export_rva - vaddr); -# if (export_rva + export_size > vaddr + vsize) -# export_size = vsize - (export_rva - vaddr); -# break; -# } -# } -# -# expdata = (unsigned char*)malloc(export_size); -# lseek (dll, expptr, SEEK_SET); -# read (dll, expdata, export_size); -# erva = expdata - export_rva; -# -# nexp = pe_as32 (expdata+24); -# name_rvas = pe_as32 (expdata+32); -# -# printf ("EXPORTS\n"); -# for (i = 0; i> "$ofile" || (rm -f "$ofile"; exit 1) - # We use sed instead of cat because bash on DJGPP gets confused if - # if finds mixed CR/LF and LF-only lines. Since sed operates in - # text mode, it properly converts lines to CR/LF. This bash problem - # is reportedly fixed, but why not run on old versions too? - - chmod +x "$ofile" - fi - ;; - -*) - # Compile the libtool program. - echo "FIXME: would compile $ltmain" - ;; -esac - -# Update the list of available tags. -if test -n "$tagname"; then - - # Extract list of available tagged configurations in $ofile. - # Note that this assumes the entire list is on one line. - available_tags=`grep "^available_tags=" $ofile | sed -e 's/available_tags=\(.*$\)/\1/' -e 's/\"//g'` - - # Append the new tag name to the list of available tags. - available_tags="$available_tags $tagname" - - # Now substitute the updated of available tags. 
- if eval "sed -e 's/^available_tags=.*\$/available_tags=\"$available_tags\"/' ${ofile} > ${ofile}.new"; then
- mv ${ofile}.new ${ofile}
- chmod +x "$ofile"
- else
- rm -f ${ofile}.new
- echo "$progname: unable to update list of available tagged configurations."
- exit 1
- fi
-fi
-
-# Don't cache tagged configuration!
-test -n "$cache_file" && test -z "$tagname" || exit 0
-
-# AC_CACHE_SAVE
-trap '' 1 2 15
-cat > confcache <<\EOF
-# This file is a shell script that caches the results of configure
-# tests run on this system so they can be shared between configure
-# scripts and configure runs. It is not useful on other systems.
-# If it contains results you don't want to keep, you may remove or edit it.
-#
-# By default, configure uses ./config.cache as the cache file,
-# creating it if it does not exist already. You can give configure
-# the --cache-file=FILE option to use a different cache file; that is
-# what configure does when it calls configure scripts in
-# subdirectories, so they share the cache.
-# Giving --cache-file=/dev/null disables caching, for debugging configure.
-# config.status only pays attention to the cache file if you give it the
-# --recheck option to rerun configure.
-#
-EOF
-# The following way of writing the cache mishandles newlines in values,
-# but we know of no workaround that is simple, portable, and efficient.
-# So, don't put newlines in cache variables' values.
-# Ultrix sh set writes to stderr and can't be redirected directly,
-# and sets the high bit in the cache file unless we assign to the vars.
-(set) 2>&1 |
- case `(ac_space=' '; set | grep ac_space) 2>&1` in
- *ac_space=\ *)
- # `set' does not quote correctly, so add quotes (double-quote substitution
- # turns \\\\ into \\, and sed turns \\ into \).
- sed -n \
- -e "s/'/'\\\\''/g" \
- -e "s/^\\([a-zA-Z0-9_]*_cv_[a-zA-Z0-9_]*\\)=\\(.*\\)/\\1=\${\\1='\\2'}/p"
- ;;
- *)
- # `set' quotes correctly as required by POSIX, so do not add quotes.
- sed -n -e 's/^\([a-zA-Z0-9_]*_cv_[a-zA-Z0-9_]*\)=\(.*\)/\1=${\1=\2}/p'
- ;;
- esac >> confcache
-if cmp -s $cache_file confcache; then
- :
-else
- if test -w $cache_file; then
- echo "updating cache $cache_file"
- cat confcache > $cache_file
- else
- echo "not updating unwritable cache $cache_file"
- fi
-fi
-rm -f confcache
-
-exit 0
-
-# Local Variables:
-# mode:shell-script
-# sh-indentation:2
-# End:
diff --git a/crypto/heimdal-0.6.3/ltmain.sh b/crypto/heimdal-0.6.3/ltmain.sh
deleted file mode 100644
index 47fa4f179f..0000000000
--- a/crypto/heimdal-0.6.3/ltmain.sh
+++ /dev/null
@@ -1,6399 +0,0 @@ -# ltmain.sh - Provide generalized library-building support services. -# NOTE: Changing this file will not affect anything until you rerun configure. -# -# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003 -# Free Software Foundation, Inc. -# Originally by Gordon Matzigkeit , 1996 -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -# -# As a special exception to the GNU General Public License, if you -# distribute this file as part of a program that contains a -# configuration script generated by Autoconf, you may include it under -# the same distribution terms that you use for the rest of that program. - -# Check that we have a working $echo. -if test "X$1" = X--no-reexec; then - # Discard the --no-reexec flag, and continue. - shift -elif test "X$1" = X--fallback-echo; then - # Avoid inline document here, it may be left over - : -elif test "X`($echo '\t') 2>/dev/null`" = 'X\t'; then - # Yippee, $echo works! - : -else - # Restart under the correct shell, and then maybe $echo will work. - exec $SHELL "$0" --no-reexec ${1+"$@"} -fi - -if test "X$1" = X--fallback-echo; then - # used as fallback echo - shift - cat <&2 - $echo "Fatal configuration error. See the $PACKAGE docs for more information." 1>&2 - exit 1 -fi - -# Global variables. 
-mode=$default_mode -nonopt= -prev= -prevopt= -run= -show="$echo" -show_help= -execute_dlfiles= -lo2o="s/\\.lo\$/.${objext}/" -o2lo="s/\\.${objext}\$/.lo/" - -##################################### -# Shell function definitions: -# This seems to be the best place for them - -# Need a lot of goo to handle *both* DLLs and import libs -# Has to be a shell function in order to 'eat' the argument -# that is supplied when $file_magic_command is called. -win32_libid () { - win32_libid_type="unknown" - win32_fileres=`file -L $1 2>/dev/null` - case $win32_fileres in - *ar\ archive\ import\ library*) # definitely import - win32_libid_type="x86 archive import" - ;; - *ar\ archive*) # could be an import, or static - if eval $OBJDUMP -f $1 | $SED -e '10q' 2>/dev/null | \ - grep -E 'file format pe-i386(.*architecture: i386)?' >/dev/null ; then - win32_nmres=`eval $NM -f posix -A $1 | \ - sed -n -e '1,100{/ I /{x;/import/!{s/^/import/;h;p;};x;};}'` - if test "X$win32_nmres" = "Ximport" ; then - win32_libid_type="x86 archive import" - else - win32_libid_type="x86 archive static" - fi - fi - ;; - *DLL*) - win32_libid_type="x86 DLL" - ;; - *executable*) # but shell scripts are "executable" too... - case $win32_fileres in - *MS\ Windows\ PE\ Intel*) - win32_libid_type="x86 DLL" - ;; - esac - ;; - esac - $echo $win32_libid_type -} - -# End of Shell function definitions -##################################### - -# Parse our command line options once, thoroughly. -while test "$#" -gt 0 -do - arg="$1" - shift - - case $arg in - -*=*) optarg=`$echo "X$arg" | $Xsed -e 's/[-_a-zA-Z0-9]*=//'` ;; - *) optarg= ;; - esac - - # If the previous option needs an argument, assign it. 
- if test -n "$prev"; then - case $prev in - execute_dlfiles) - execute_dlfiles="$execute_dlfiles $arg" - ;; - tag) - tagname="$arg" - preserve_args="${preserve_args}=$arg" - - # Check whether tagname contains only valid characters - case $tagname in - *[!-_A-Za-z0-9,/]*) - $echo "$progname: invalid tag name: $tagname" 1>&2 - exit 1 - ;; - esac - - case $tagname in - CC) - # Don't test for the "default" C tag, as we know, it's there, but - # not specially marked. - ;; - *) - if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$" < "$0" > /dev/null; then - taglist="$taglist $tagname" - # Evaluate the configuration. - eval "`${SED} -n -e '/^# ### BEGIN LIBTOOL TAG CONFIG: '$tagname'$/,/^# ### END LIBTOOL TAG CONFIG: '$tagname'$/p' < $0`" - else - $echo "$progname: ignoring unknown tag $tagname" 1>&2 - fi - ;; - esac - ;; - *) - eval "$prev=\$arg" - ;; - esac - - prev= - prevopt= - continue - fi - - # Have we seen a non-optional argument yet? - case $arg in - --help) - show_help=yes - ;; - - --version) - $echo "$PROGRAM (GNU $PACKAGE) $VERSION$TIMESTAMP" - $echo - $echo "Copyright (C) 2003 Free Software Foundation, Inc." - $echo "This is free software; see the source for copying conditions. There is NO" - $echo "warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." - exit 0 - ;; - - --config) - ${SED} -e '1,/^# ### BEGIN LIBTOOL CONFIG/d' -e '/^# ### END LIBTOOL CONFIG/,$d' $0 - # Now print the configurations for the tags. 
- for tagname in $taglist; do - ${SED} -n -e "/^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$/,/^# ### END LIBTOOL TAG CONFIG: $tagname$/p" < "$0" - done - exit 0 - ;; - - --debug) - $echo "$progname: enabling shell trace mode" - set -x - preserve_args="$preserve_args $arg" - ;; - - --dry-run | -n) - run=: - ;; - - --features) - $echo "host: $host" - if test "$build_libtool_libs" = yes; then - $echo "enable shared libraries" - else - $echo "disable shared libraries" - fi - if test "$build_old_libs" = yes; then - $echo "enable static libraries" - else - $echo "disable static libraries" - fi - exit 0 - ;; - - --finish) mode="finish" ;; - - --mode) prevopt="--mode" prev=mode ;; - --mode=*) mode="$optarg" ;; - - --preserve-dup-deps) duplicate_deps="yes" ;; - - --quiet | --silent) - show=: - preserve_args="$preserve_args $arg" - ;; - - --tag) prevopt="--tag" prev=tag ;; - --tag=*) - set tag "$optarg" ${1+"$@"} - shift - prev=tag - preserve_args="$preserve_args --tag" - ;; - - -dlopen) - prevopt="-dlopen" - prev=execute_dlfiles - ;; - - -*) - $echo "$modename: unrecognized option \`$arg'" 1>&2 - $echo "$help" 1>&2 - exit 1 - ;; - - *) - nonopt="$arg" - break - ;; - esac -done - -if test -n "$prevopt"; then - $echo "$modename: option \`$prevopt' requires an argument" 1>&2 - $echo "$help" 1>&2 - exit 1 -fi - -# If this variable is set in any of the actions, the command in it -# will be execed at the end. This prevents here-documents from being -# left over by shells. -exec_cmd= - -if test -z "$show_help"; then - - # Infer the operation mode. - if test -z "$mode"; then - $echo "*** Warning: inferring the mode of operation is deprecated." 1>&2 - $echo "*** Future versions of Libtool will require -mode=MODE be specified." 
1>&2 - case $nonopt in - *cc | cc* | *++ | gcc* | *-gcc* | g++* | xlc*) - mode=link - for arg - do - case $arg in - -c) - mode=compile - break - ;; - esac - done - ;; - *db | *dbx | *strace | *truss) - mode=execute - ;; - *install*|cp|mv) - mode=install - ;; - *rm) - mode=uninstall - ;; - *) - # If we have no mode, but dlfiles were specified, then do execute mode. - test -n "$execute_dlfiles" && mode=execute - - # Just use the default operation mode. - if test -z "$mode"; then - if test -n "$nonopt"; then - $echo "$modename: warning: cannot infer operation mode from \`$nonopt'" 1>&2 - else - $echo "$modename: warning: cannot infer operation mode without MODE-ARGS" 1>&2 - fi - fi - ;; - esac - fi - - # Only execute mode is allowed to have -dlopen flags. - if test -n "$execute_dlfiles" && test "$mode" != execute; then - $echo "$modename: unrecognized option \`-dlopen'" 1>&2 - $echo "$help" 1>&2 - exit 1 - fi - - # Change the help message to a mode-specific one. - generic_help="$help" - help="Try \`$modename --help --mode=$mode' for more information." - - # These modes are in order of execution frequency so that they run quickly. - case $mode in - # libtool compile mode - compile) - modename="$modename: compile" - # Get the compilation command and the source file. - base_compile= - srcfile="$nonopt" # always keep a non-empty value in "srcfile" - suppress_opt=yes - suppress_output= - arg_mode=normal - libobj= - later= - - for arg - do - case "$arg_mode" in - arg ) - # do not "continue". Instead, add this to base_compile - lastarg="$arg" - arg_mode=normal - ;; - - target ) - libobj="$arg" - arg_mode=normal - continue - ;; - - normal ) - # Accept any command-line options. 
- case $arg in - -o) - if test -n "$libobj" ; then - $echo "$modename: you cannot specify \`-o' more than once" 1>&2 - exit 1 - fi - arg_mode=target - continue - ;; - - -static | -prefer-pic | -prefer-non-pic) - later="$later $arg" - continue - ;; - - -no-suppress) - suppress_opt=no - continue - ;; - - -Xcompiler) - arg_mode=arg # the next one goes into the "base_compile" arg list - continue # The current "srcfile" will either be retained or - ;; # replaced later. I would guess that would be a bug. - - -Wc,*) - args=`$echo "X$arg" | $Xsed -e "s/^-Wc,//"` - lastarg= - save_ifs="$IFS"; IFS=',' - for arg in $args; do - IFS="$save_ifs" - - # Double-quote args containing other shell metacharacters. - # Many Bourne shells cannot handle close brackets correctly - # in scan sets, so we specify it separately. - case $arg in - *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"") - arg="\"$arg\"" - ;; - esac - lastarg="$lastarg $arg" - done - IFS="$save_ifs" - lastarg=`$echo "X$lastarg" | $Xsed -e "s/^ //"` - - # Add the arguments to base_compile. - base_compile="$base_compile $lastarg" - continue - ;; - - * ) - # Accept the current argument as the source file. - # The previous "srcfile" becomes the current argument. - # - lastarg="$srcfile" - srcfile="$arg" - ;; - esac # case $arg - ;; - esac # case $arg_mode - - # Aesthetically quote the previous argument. - lastarg=`$echo "X$lastarg" | $Xsed -e "$sed_quote_subst"` - - case $lastarg in - # Double-quote args containing other shell metacharacters. - # Many Bourne shells cannot handle close brackets correctly - # in scan sets, so we specify it separately. 
- *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"") - lastarg="\"$lastarg\"" - ;; - esac - - base_compile="$base_compile $lastarg" - done # for arg - - case $arg_mode in - arg) - $echo "$modename: you must specify an argument for -Xcompile" - exit 1 - ;; - target) - $echo "$modename: you must specify a target with \`-o'" 1>&2 - exit 1 - ;; - *) - # Get the name of the library object. - [ -z "$libobj" ] && libobj=`$echo "X$srcfile" | $Xsed -e 's%^.*/%%'` - ;; - esac - - # Recognize several different file suffixes. - # If the user specifies -o file.o, it is replaced with file.lo - xform='[cCFSifmso]' - case $libobj in - *.ada) xform=ada ;; - *.adb) xform=adb ;; - *.ads) xform=ads ;; - *.asm) xform=asm ;; - *.c++) xform=c++ ;; - *.cc) xform=cc ;; - *.ii) xform=ii ;; - *.class) xform=class ;; - *.cpp) xform=cpp ;; - *.cxx) xform=cxx ;; - *.f90) xform=f90 ;; - *.for) xform=for ;; - *.java) xform=java ;; - esac - - libobj=`$echo "X$libobj" | $Xsed -e "s/\.$xform$/.lo/"` - - case $libobj in - *.lo) obj=`$echo "X$libobj" | $Xsed -e "$lo2o"` ;; - *) - $echo "$modename: cannot determine name of library object from \`$libobj'" 1>&2 - exit 1 - ;; - esac - - # Infer tagged configuration to use if any are available and - # if one wasn't chosen via the "--tag" command line option. - # Only attempt this if the compiler in the base compile - # command doesn't match the default compiler. - if test -n "$available_tags" && test -z "$tagname"; then - case $base_compile in - # Blanks in the command may have been stripped by the calling shell, - # but not from the CC environment variable when configure was run. - " $CC "* | "$CC "* | " `$echo $CC` "* | "`$echo $CC` "*) ;; - # Blanks at the start of $base_compile will cause this to fail - # if we don't check for them as well. - *) - for z in $available_tags; do - if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $z$" < "$0" > /dev/null; then - # Evaluate the configuration. 
- eval "`${SED} -n -e '/^# ### BEGIN LIBTOOL TAG CONFIG: '$z'$/,/^# ### END LIBTOOL TAG CONFIG: '$z'$/p' < $0`" - case "$base_compile " in - "$CC "* | " $CC "* | "`$echo $CC` "* | " `$echo $CC` "*) - # The compiler in the base compile command matches - # the one in the tagged configuration. - # Assume this is the tagged configuration we want. - tagname=$z - break - ;; - esac - fi - done - # If $tagname still isn't set, then no tagged configuration - # was found and let the user know that the "--tag" command - # line option must be used. - if test -z "$tagname"; then - $echo "$modename: unable to infer tagged configuration" - $echo "$modename: specify a tag with \`--tag'" 1>&2 - exit 1 -# else -# $echo "$modename: using $tagname tagged configuration" - fi - ;; - esac - fi - - for arg in $later; do - case $arg in - -static) - build_old_libs=yes - continue - ;; - - -prefer-pic) - pic_mode=yes - continue - ;; - - -prefer-non-pic) - pic_mode=no - continue - ;; - esac - done - - objname=`$echo "X$obj" | $Xsed -e 's%^.*/%%'` - xdir=`$echo "X$obj" | $Xsed -e 's%/[^/]*$%%'` - if test "X$xdir" = "X$obj"; then - xdir= - else - xdir=$xdir/ - fi - lobj=${xdir}$objdir/$objname - - if test -z "$base_compile"; then - $echo "$modename: you must specify a compilation command" 1>&2 - $echo "$help" 1>&2 - exit 1 - fi - - # Delete any leftover library objects. 
- if test "$build_old_libs" = yes; then - removelist="$obj $lobj $libobj ${libobj}T" - else - removelist="$lobj $libobj ${libobj}T" - fi - - $run $rm $removelist - trap "$run $rm $removelist; exit 1" 1 2 15 - - # On Cygwin there's no "real" PIC flag so we must build both object types - case $host_os in - cygwin* | mingw* | pw32* | os2*) - pic_mode=default - ;; - esac - if test "$pic_mode" = no && test "$deplibs_check_method" != pass_all; then - # non-PIC code in shared libraries is not supported - pic_mode=default - fi - - # Calculate the filename of the output object if compiler does - # not support -o with -c - if test "$compiler_c_o" = no; then - output_obj=`$echo "X$srcfile" | $Xsed -e 's%^.*/%%' -e 's%\.[^.]*$%%'`.${objext} - lockfile="$output_obj.lock" - removelist="$removelist $output_obj $lockfile" - trap "$run $rm $removelist; exit 1" 1 2 15 - else - output_obj= - need_locks=no - lockfile= - fi - - # Lock this critical section if it is needed - # We use this script file to make the link, it avoids creating a new file - if test "$need_locks" = yes; then - until $run ln "$0" "$lockfile" 2>/dev/null; do - $show "Waiting for $lockfile to be removed" - sleep 2 - done - elif test "$need_locks" = warn; then - if test -f "$lockfile"; then - $echo "\ -*** ERROR, $lockfile exists and contains: -`cat $lockfile 2>/dev/null` - -This indicates that another process is trying to use the same -temporary object file, and libtool could not work around it because -your compiler does not support \`-c' and \`-o' together. If you -repeat this compilation, it may succeed, by chance, but you had better -avoid parallel builds (make -j) in this platform, or get a better -compiler." 
- - $run $rm $removelist - exit 1 - fi - $echo $srcfile > "$lockfile" - fi - - if test -n "$fix_srcfile_path"; then - eval srcfile=\"$fix_srcfile_path\" - fi - - $run $rm "$libobj" "${libobj}T" - - # Create a libtool object file (analogous to a ".la" file), - # but don't create it if we're doing a dry run. - test -z "$run" && cat > ${libobj}T </dev/null`" != "X$srcfile"; then - $echo "\ -*** ERROR, $lockfile contains: -`cat $lockfile 2>/dev/null` - -but it should contain: -$srcfile - -This indicates that another process is trying to use the same -temporary object file, and libtool could not work around it because -your compiler does not support \`-c' and \`-o' together. If you -repeat this compilation, it may succeed, by chance, but you had better -avoid parallel builds (make -j) in this platform, or get a better -compiler." - - $run $rm $removelist - exit 1 - fi - - # Just move the object if needed, then go on to compile the next one - if test -n "$output_obj" && test "X$output_obj" != "X$lobj"; then - $show "$mv $output_obj $lobj" - if $run $mv $output_obj $lobj; then : - else - error=$? - $run $rm $removelist - exit $error - fi - fi - - # Append the name of the PIC object to the libtool object file. - test -z "$run" && cat >> ${libobj}T <> ${libobj}T </dev/null`" != "X$srcfile"; then - $echo "\ -*** ERROR, $lockfile contains: -`cat $lockfile 2>/dev/null` - -but it should contain: -$srcfile - -This indicates that another process is trying to use the same -temporary object file, and libtool could not work around it because -your compiler does not support \`-c' and \`-o' together. If you -repeat this compilation, it may succeed, by chance, but you had better -avoid parallel builds (make -j) in this platform, or get a better -compiler." - - $run $rm $removelist - exit 1 - fi - - # Just move the object if needed - if test -n "$output_obj" && test "X$output_obj" != "X$obj"; then - $show "$mv $output_obj $obj" - if $run $mv $output_obj $obj; then : - else - error=$? 
- $run $rm $removelist - exit $error - fi - fi - - # Append the name of the non-PIC object the libtool object file. - # Only append if the libtool object file exists. - test -z "$run" && cat >> ${libobj}T <> ${libobj}T < /dev/null; then - # Evaluate the configuration. - eval "`${SED} -n -e '/^# ### BEGIN LIBTOOL TAG CONFIG: '$z'$/,/^# ### END LIBTOOL TAG CONFIG: '$z'$/p' < $0`" - case $base_compile in - "$CC "* | " $CC "* | "`$echo $CC` "* | " `$echo $CC` "*) - # The compiler in $compile_command matches - # the one in the tagged configuration. - # Assume this is the tagged configuration we want. - tagname=$z - break - ;; - esac - fi - done - # If $tagname still isn't set, then no tagged configuration - # was found and let the user know that the "--tag" command - # line option must be used. - if test -z "$tagname"; then - $echo "$modename: unable to infer tagged configuration" - $echo "$modename: specify a tag with \`--tag'" 1>&2 - exit 1 -# else -# $echo "$modename: using $tagname tagged configuration" - fi - ;; - esac - fi - - # We need to know -static, to get the right output filenames. - for arg - do - case $arg in - -all-static | -static) - if test "X$arg" = "X-all-static"; then - if test "$build_libtool_libs" = yes && test -z "$link_static_flag"; then - $echo "$modename: warning: complete static linking is impossible in this configuration" 1>&2 - fi - if test -n "$link_static_flag"; then - dlopen_self=$dlopen_self_static - fi - else - if test -z "$pic_flag" && test -n "$link_static_flag"; then - dlopen_self=$dlopen_self_static - fi - fi - build_libtool_libs=no - build_old_libs=yes - prefer_static_libs=yes - break - ;; - esac - done - - # See if our shared archives depend on static archives. - test -n "$old_archive_from_new_cmds" && build_old_libs=yes - - # Go through the arguments, transforming them on the way. 
- while test "$#" -gt 0; do - arg="$1" - shift - case $arg in - *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"") - qarg=\"`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`\" ### testsuite: skip nested quoting test - ;; - *) qarg=$arg ;; - esac - libtool_args="$libtool_args $qarg" - - # If the previous option needs an argument, assign it. - if test -n "$prev"; then - case $prev in - output) - compile_command="$compile_command @OUTPUT@" - finalize_command="$finalize_command @OUTPUT@" - ;; - esac - - case $prev in - dlfiles|dlprefiles) - if test "$preload" = no; then - # Add the symbol object into the linking commands. - compile_command="$compile_command @SYMFILE@" - finalize_command="$finalize_command @SYMFILE@" - preload=yes - fi - case $arg in - *.la | *.lo) ;; # We handle these cases below. - force) - if test "$dlself" = no; then - dlself=needless - export_dynamic=yes - fi - prev= - continue - ;; - self) - if test "$prev" = dlprefiles; then - dlself=yes - elif test "$prev" = dlfiles && test "$dlopen_self" != yes; then - dlself=yes - else - dlself=needless - export_dynamic=yes - fi - prev= - continue - ;; - *) - if test "$prev" = dlfiles; then - dlfiles="$dlfiles $arg" - else - dlprefiles="$dlprefiles $arg" - fi - prev= - continue - ;; - esac - ;; - expsyms) - export_symbols="$arg" - if test ! -f "$arg"; then - $echo "$modename: symbol file \`$arg' does not exist" - exit 1 - fi - prev= - continue - ;; - expsyms_regex) - export_symbols_regex="$arg" - prev= - continue - ;; - inst_prefix) - inst_prefix_dir="$arg" - prev= - continue - ;; - precious_regex) - precious_files_regex="$arg" - prev= - continue - ;; - release) - release="-$arg" - prev= - continue - ;; - objectlist) - if test -f "$arg"; then - save_arg=$arg - moreargs= - for fil in `cat $save_arg` - do -# moreargs="$moreargs $fil" - arg=$fil - # A libtool-controlled object. - - # Check to see that this really is a libtool object. 
- if (${SED} -e '2q' $arg | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then - pic_object= - non_pic_object= - - # Read the .lo file - # If there is no directory component, then add one. - case $arg in - */* | *\\*) . $arg ;; - *) . ./$arg ;; - esac - - if test -z "$pic_object" || \ - test -z "$non_pic_object" || - test "$pic_object" = none && \ - test "$non_pic_object" = none; then - $echo "$modename: cannot find name of object for \`$arg'" 1>&2 - exit 1 - fi - - # Extract subdirectory from the argument. - xdir=`$echo "X$arg" | $Xsed -e 's%/[^/]*$%%'` - if test "X$xdir" = "X$arg"; then - xdir= - else - xdir="$xdir/" - fi - - if test "$pic_object" != none; then - # Prepend the subdirectory the object is found in. - pic_object="$xdir$pic_object" - - if test "$prev" = dlfiles; then - if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then - dlfiles="$dlfiles $pic_object" - prev= - continue - else - # If libtool objects are unsupported, then we need to preload. - prev=dlprefiles - fi - fi - - # CHECK ME: I think I busted this. -Ossama - if test "$prev" = dlprefiles; then - # Preload the old-style object. - dlprefiles="$dlprefiles $pic_object" - prev= - fi - - # A PIC object. - libobjs="$libobjs $pic_object" - arg="$pic_object" - fi - - # Non-PIC object. - if test "$non_pic_object" != none; then - # Prepend the subdirectory the object is found in. - non_pic_object="$xdir$non_pic_object" - - # A standard non-PIC object - non_pic_objects="$non_pic_objects $non_pic_object" - if test -z "$pic_object" || test "$pic_object" = none ; then - arg="$non_pic_object" - fi - fi - else - # Only an error if not doing a dry-run. - if test -z "$run"; then - $echo "$modename: \`$arg' is not a valid libtool object" 1>&2 - exit 1 - else - # Dry-run case. - - # Extract subdirectory from the argument. 
- xdir=`$echo "X$arg" | $Xsed -e 's%/[^/]*$%%'` - if test "X$xdir" = "X$arg"; then - xdir= - else - xdir="$xdir/" - fi - - pic_object=`$echo "X${xdir}${objdir}/${arg}" | $Xsed -e "$lo2o"` - non_pic_object=`$echo "X${xdir}${arg}" | $Xsed -e "$lo2o"` - libobjs="$libobjs $pic_object" - non_pic_objects="$non_pic_objects $non_pic_object" - fi - fi - done - else - $echo "$modename: link input file \`$save_arg' does not exist" - exit 1 - fi - arg=$save_arg - prev= - continue - ;; - rpath | xrpath) - # We need an absolute path. - case $arg in - [\\/]* | [A-Za-z]:[\\/]*) ;; - *) - $echo "$modename: only absolute run-paths are allowed" 1>&2 - exit 1 - ;; - esac - if test "$prev" = rpath; then - case "$rpath " in - *" $arg "*) ;; - *) rpath="$rpath $arg" ;; - esac - else - case "$xrpath " in - *" $arg "*) ;; - *) xrpath="$xrpath $arg" ;; - esac - fi - prev= - continue - ;; - xcompiler) - compiler_flags="$compiler_flags $qarg" - prev= - compile_command="$compile_command $qarg" - finalize_command="$finalize_command $qarg" - continue - ;; - xlinker) - linker_flags="$linker_flags $qarg" - compiler_flags="$compiler_flags $wl$qarg" - prev= - compile_command="$compile_command $wl$qarg" - finalize_command="$finalize_command $wl$qarg" - continue - ;; - xcclinker) - linker_flags="$linker_flags $qarg" - compiler_flags="$compiler_flags $qarg" - prev= - compile_command="$compile_command $qarg" - finalize_command="$finalize_command $qarg" - continue - ;; - *) - eval "$prev=\"\$arg\"" - prev= - continue - ;; - esac - fi # test -n "$prev" - - prevarg="$arg" - - case $arg in - -all-static) - if test -n "$link_static_flag"; then - compile_command="$compile_command $link_static_flag" - finalize_command="$finalize_command $link_static_flag" - fi - continue - ;; - - -allow-undefined) - # FIXME: remove this flag sometime in the future. 
- $echo "$modename: \`-allow-undefined' is deprecated because it is the default" 1>&2
- continue
- ;;
-
- -avoid-version)
- avoid_version=yes
- continue
- ;;
-
- -dlopen)
- prev=dlfiles
- continue
- ;;
-
- -dlpreopen)
- prev=dlprefiles
- continue
- ;;
-
- -export-dynamic)
- export_dynamic=yes
- continue
- ;;
-
- -export-symbols | -export-symbols-regex)
- if test -n "$export_symbols" || test -n "$export_symbols_regex"; then
- $echo "$modename: more than one -exported-symbols argument is not allowed"
- exit 1
- fi
- if test "X$arg" = "X-export-symbols"; then
- prev=expsyms
- else
- prev=expsyms_regex
- fi
- continue
- ;;
-
- -inst-prefix-dir)
- prev=inst_prefix
- continue
- ;;
-
- # The native IRIX linker understands -LANG:*, -LIST:* and -LNO:*
- # so, if we see these flags be careful not to treat them like -L
- -L[A-Z][A-Z]*:*)
- case $with_gcc/$host in
- no/*-*-irix* | /*-*-irix*)
- compile_command="$compile_command $arg"
- finalize_command="$finalize_command $arg"
- ;;
- esac
- continue
- ;;
-
- -L*)
- dir=`$echo "X$arg" | $Xsed -e 's/^-L//'`
- # We need an absolute path.
- case $dir in
- [\\/]* | [A-Za-z]:[\\/]*) ;;
- *)
- absdir=`cd "$dir" && pwd`
- if test -z "$absdir"; then
- $echo "$modename: cannot determine absolute directory name of \`$dir'" 1>&2
- exit 1
- fi
- dir="$absdir"
- ;;
- esac
- case "$deplibs " in
- *" -L$dir "*) ;;
- *)
- deplibs="$deplibs -L$dir"
- lib_search_path="$lib_search_path $dir"
- ;;
- esac
- case $host in
- *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*)
- case :$dllsearchpath: in
- *":$dir:"*) ;;
- *) dllsearchpath="$dllsearchpath:$dir";;
- esac
- ;;
- esac
- continue
- ;;
-
- -l*)
- if test "X$arg" = "X-lc" || test "X$arg" = "X-lm"; then
- case $host in
- *-*-cygwin* | *-*-pw32* | *-*-beos*)
- # These systems don't actually have a C or math library (as such)
- continue
- ;;
- *-*-mingw* | *-*-os2*)
- # These systems don't actually have a C library (as such)
- test "X$arg" = "X-lc" && continue
- ;;
- *-*-openbsd* | *-*-freebsd*)
- # Do not include libc due to us having libc/libc_r.
- test "X$arg" = "X-lc" && continue
- ;;
- *-*-rhapsody* | *-*-darwin1.[012])
- # Rhapsody C and math libraries are in the System framework
- deplibs="$deplibs -framework System"
- continue
- esac
- elif test "X$arg" = "X-lc_r"; then
- case $host in
- *-*-openbsd* | *-*-freebsd*)
- # Do not include libc_r directly, use -pthread flag.
- continue
- ;;
- esac
- fi
- deplibs="$deplibs $arg"
- continue
- ;;
-
- -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe)
- deplibs="$deplibs $arg"
- continue
- ;;
-
- -module)
- module=yes
- continue
- ;;
-
- # gcc -m* arguments should be passed to the linker via $compiler_flags
- # in order to pass architecture information to the linker
- # (e.g. 32 vs 64-bit). This may also be accomplished via -Wl,-mfoo
- # but this is not reliable with gcc because gcc may use -mfoo to
- # select a different linker, different libraries, etc, while
- # -Wl,-mfoo simply passes -mfoo to the linker.
- -m*) - # Unknown arguments in both finalize_command and compile_command need - # to be aesthetically quoted because they are evaled later. - arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"` - case $arg in - *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"") - arg="\"$arg\"" - ;; - esac - compile_command="$compile_command $arg" - finalize_command="$finalize_command $arg" - if test "$with_gcc" = "yes" ; then - compiler_flags="$compiler_flags $arg" - fi - continue - ;; - - -shrext) - prev=shrext - continue - ;; - - -no-fast-install) - fast_install=no - continue - ;; - - -no-install) - case $host in - *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*) - # The PATH hackery in wrapper scripts is required on Windows - # in order for the loader to find any dlls it needs. - $echo "$modename: warning: \`-no-install' is ignored for $host" 1>&2 - $echo "$modename: warning: assuming \`-no-fast-install' instead" 1>&2 - fast_install=no - ;; - *) no_install=yes ;; - esac - continue - ;; - - -no-undefined) - allow_undefined=no - continue - ;; - - -objectlist) - prev=objectlist - continue - ;; - - -o) prev=output ;; - - -precious-files-regex) - prev=precious_regex - continue - ;; - - -release) - prev=release - continue - ;; - - -rpath) - prev=rpath - continue - ;; - - -R) - prev=xrpath - continue - ;; - - -R*) - dir=`$echo "X$arg" | $Xsed -e 's/^-R//'` - # We need an absolute path. - case $dir in - [\\/]* | [A-Za-z]:[\\/]*) ;; - *) - $echo "$modename: only absolute run-paths are allowed" 1>&2 - exit 1 - ;; - esac - case "$xrpath " in - *" $dir "*) ;; - *) xrpath="$xrpath $dir" ;; - esac - continue - ;; - - -static) - # The effects of -static are defined in a previous loop. - # We used to do the same as -all-static on platforms that - # didn't have a PIC flag, but the assumption that the effects - # would be equivalent was wrong. It would break on at least - # Digital Unix and AIX. 
- continue - ;; - - -thread-safe) - thread_safe=yes - continue - ;; - - -version-info) - prev=vinfo - continue - ;; - -version-number) - prev=vinfo - vinfo_number=yes - continue - ;; - - -Wc,*) - args=`$echo "X$arg" | $Xsed -e "$sed_quote_subst" -e 's/^-Wc,//'` - arg= - save_ifs="$IFS"; IFS=',' - for flag in $args; do - IFS="$save_ifs" - case $flag in - *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"") - flag="\"$flag\"" - ;; - esac - arg="$arg $wl$flag" - compiler_flags="$compiler_flags $flag" - done - IFS="$save_ifs" - arg=`$echo "X$arg" | $Xsed -e "s/^ //"` - ;; - - -Wl,*) - args=`$echo "X$arg" | $Xsed -e "$sed_quote_subst" -e 's/^-Wl,//'` - arg= - save_ifs="$IFS"; IFS=',' - for flag in $args; do - IFS="$save_ifs" - case $flag in - *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"") - flag="\"$flag\"" - ;; - esac - arg="$arg $wl$flag" - compiler_flags="$compiler_flags $wl$flag" - linker_flags="$linker_flags $flag" - done - IFS="$save_ifs" - arg=`$echo "X$arg" | $Xsed -e "s/^ //"` - ;; - - -Xcompiler) - prev=xcompiler - continue - ;; - - -Xlinker) - prev=xlinker - continue - ;; - - -XCClinker) - prev=xcclinker - continue - ;; - - # Some other compiler flag. - -* | +*) - # Unknown arguments in both finalize_command and compile_command need - # to be aesthetically quoted because they are evaled later. - arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"` - case $arg in - *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"") - arg="\"$arg\"" - ;; - esac - ;; - - *.$objext) - # A standard object. - objs="$objs $arg" - ;; - - *.lo) - # A libtool-controlled object. - - # Check to see that this really is a libtool object. - if (${SED} -e '2q' $arg | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then - pic_object= - non_pic_object= - - # Read the .lo file - # If there is no directory component, then add one. - case $arg in - */* | *\\*) . $arg ;; - *) . 
./$arg ;; - esac - - if test -z "$pic_object" || \ - test -z "$non_pic_object" || - test "$pic_object" = none && \ - test "$non_pic_object" = none; then - $echo "$modename: cannot find name of object for \`$arg'" 1>&2 - exit 1 - fi - - # Extract subdirectory from the argument. - xdir=`$echo "X$arg" | $Xsed -e 's%/[^/]*$%%'` - if test "X$xdir" = "X$arg"; then - xdir= - else - xdir="$xdir/" - fi - - if test "$pic_object" != none; then - # Prepend the subdirectory the object is found in. - pic_object="$xdir$pic_object" - - if test "$prev" = dlfiles; then - if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then - dlfiles="$dlfiles $pic_object" - prev= - continue - else - # If libtool objects are unsupported, then we need to preload. - prev=dlprefiles - fi - fi - - # CHECK ME: I think I busted this. -Ossama - if test "$prev" = dlprefiles; then - # Preload the old-style object. - dlprefiles="$dlprefiles $pic_object" - prev= - fi - - # A PIC object. - libobjs="$libobjs $pic_object" - arg="$pic_object" - fi - - # Non-PIC object. - if test "$non_pic_object" != none; then - # Prepend the subdirectory the object is found in. - non_pic_object="$xdir$non_pic_object" - - # A standard non-PIC object - non_pic_objects="$non_pic_objects $non_pic_object" - if test -z "$pic_object" || test "$pic_object" = none ; then - arg="$non_pic_object" - fi - fi - else - # Only an error if not doing a dry-run. - if test -z "$run"; then - $echo "$modename: \`$arg' is not a valid libtool object" 1>&2 - exit 1 - else - # Dry-run case. - - # Extract subdirectory from the argument. - xdir=`$echo "X$arg" | $Xsed -e 's%/[^/]*$%%'` - if test "X$xdir" = "X$arg"; then - xdir= - else - xdir="$xdir/" - fi - - pic_object=`$echo "X${xdir}${objdir}/${arg}" | $Xsed -e "$lo2o"` - non_pic_object=`$echo "X${xdir}${arg}" | $Xsed -e "$lo2o"` - libobjs="$libobjs $pic_object" - non_pic_objects="$non_pic_objects $non_pic_object" - fi - fi - ;; - - *.$libext) - # An archive. 
- deplibs="$deplibs $arg" - old_deplibs="$old_deplibs $arg" - continue - ;; - - *.la) - # A libtool-controlled library. - - if test "$prev" = dlfiles; then - # This library was specified with -dlopen. - dlfiles="$dlfiles $arg" - prev= - elif test "$prev" = dlprefiles; then - # The library was specified with -dlpreopen. - dlprefiles="$dlprefiles $arg" - prev= - else - deplibs="$deplibs $arg" - fi - continue - ;; - - # Some other compiler argument. - *) - # Unknown arguments in both finalize_command and compile_command need - # to be aesthetically quoted because they are evaled later. - arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"` - case $arg in - *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"") - arg="\"$arg\"" - ;; - esac - ;; - esac # arg - - # Now actually substitute the argument into the commands. - if test -n "$arg"; then - compile_command="$compile_command $arg" - finalize_command="$finalize_command $arg" - fi - done # argument parsing loop - - if test -n "$prev"; then - $echo "$modename: the \`$prevarg' option requires an argument" 1>&2 - $echo "$help" 1>&2 - exit 1 - fi - - if test "$export_dynamic" = yes && test -n "$export_dynamic_flag_spec"; then - eval arg=\"$export_dynamic_flag_spec\" - compile_command="$compile_command $arg" - finalize_command="$finalize_command $arg" - fi - - oldlibs= - # calculate the name of the file, without its directory - outputname=`$echo "X$output" | $Xsed -e 's%^.*/%%'` - libobjs_save="$libobjs" - - if test -n "$shlibpath_var"; then - # get the directories listed in $shlibpath_var - eval shlib_search_path=\`\$echo \"X\${$shlibpath_var}\" \| \$Xsed -e \'s/:/ /g\'\` - else - shlib_search_path= - fi - eval sys_lib_search_path=\"$sys_lib_search_path_spec\" - eval sys_lib_dlsearch_path=\"$sys_lib_dlsearch_path_spec\" - - output_objdir=`$echo "X$output" | $Xsed -e 's%/[^/]*$%%'` - if test "X$output_objdir" = "X$output"; then - output_objdir="$objdir" - else - output_objdir="$output_objdir/$objdir" - fi - # Create the object 
directory. - if test ! -d "$output_objdir"; then - $show "$mkdir $output_objdir" - $run $mkdir $output_objdir - status=$? - if test "$status" -ne 0 && test ! -d "$output_objdir"; then - exit $status - fi - fi - - # Determine the type of output - case $output in - "") - $echo "$modename: you must specify an output file" 1>&2 - $echo "$help" 1>&2 - exit 1 - ;; - *.$libext) linkmode=oldlib ;; - *.lo | *.$objext) linkmode=obj ;; - *.la) linkmode=lib ;; - *) linkmode=prog ;; # Anything else should be a program. - esac - - case $host in - *cygwin* | *mingw* | *pw32*) - # don't eliminate duplcations in $postdeps and $predeps - duplicate_compiler_generated_deps=yes - ;; - *) - duplicate_compiler_generated_deps=$duplicate_deps - ;; - esac - specialdeplibs= - - libs= - # Find all interdependent deplibs by searching for libraries - # that are linked more than once (e.g. -la -lb -la) - for deplib in $deplibs; do - if test "X$duplicate_deps" = "Xyes" ; then - case "$libs " in - *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;; - esac - fi - libs="$libs $deplib" - done - - if test "$linkmode" = lib; then - libs="$predeps $libs $compiler_lib_search_path $postdeps" - - # Compute libraries that are listed more than once in $predeps - # $postdeps and mark them as special (i.e., whose duplicates are - # not to be eliminated). 
- pre_post_deps= - if test "X$duplicate_compiler_generated_deps" = "Xyes" ; then - for pre_post_dep in $predeps $postdeps; do - case "$pre_post_deps " in - *" $pre_post_dep "*) specialdeplibs="$specialdeplibs $pre_post_deps" ;; - esac - pre_post_deps="$pre_post_deps $pre_post_dep" - done - fi - pre_post_deps= - fi - - deplibs= - newdependency_libs= - newlib_search_path= - need_relink=no # whether we're linking any uninstalled libtool libraries - notinst_deplibs= # not-installed libtool libraries - notinst_path= # paths that contain not-installed libtool libraries - case $linkmode in - lib) - passes="conv link" - for file in $dlfiles $dlprefiles; do - case $file in - *.la) ;; - *) - $echo "$modename: libraries can \`-dlopen' only libtool libraries: $file" 1>&2 - exit 1 - ;; - esac - done - ;; - prog) - compile_deplibs= - finalize_deplibs= - alldeplibs=no - newdlfiles= - newdlprefiles= - passes="conv scan dlopen dlpreopen link" - ;; - *) passes="conv" - ;; - esac - for pass in $passes; do - if test "$linkmode,$pass" = "lib,link" || - test "$linkmode,$pass" = "prog,scan"; then - libs="$deplibs" - deplibs= - fi - if test "$linkmode" = prog; then - case $pass in - dlopen) libs="$dlfiles" ;; - dlpreopen) libs="$dlprefiles" ;; - link) libs="$deplibs %DEPLIBS% $dependency_libs" ;; - esac - fi - if test "$pass" = dlopen; then - # Collect dlpreopened libraries - save_deplibs="$deplibs" - deplibs= - fi - for deplib in $libs; do - lib= - found=no - case $deplib in - -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe) - if test "$linkmode,$pass" = "prog,link"; then - compile_deplibs="$deplib $compile_deplibs" - finalize_deplibs="$deplib $finalize_deplibs" - else - deplibs="$deplib $deplibs" - fi - continue - ;; - -l*) - if test "$linkmode" != lib && test "$linkmode" != prog; then - $echo "$modename: warning: \`-l' is ignored for archives/objects" 1>&2 - continue - fi - if test "$pass" = conv; then - deplibs="$deplib $deplibs" - continue - fi - name=`$echo 
"X$deplib" | $Xsed -e 's/^-l//'` - for searchdir in $newlib_search_path $lib_search_path $sys_lib_search_path $shlib_search_path; do - for search_ext in .la $shrext .so .a; do - # Search the libtool library - lib="$searchdir/lib${name}${search_ext}" - if test -f "$lib"; then - if test "$search_ext" = ".la"; then - found=yes - else - found=no - fi - break 2 - fi - done - done - if test "$found" != yes; then - # deplib doesn't seem to be a libtool library - if test "$linkmode,$pass" = "prog,link"; then - compile_deplibs="$deplib $compile_deplibs" - finalize_deplibs="$deplib $finalize_deplibs" - else - deplibs="$deplib $deplibs" - test "$linkmode" = lib && newdependency_libs="$deplib $newdependency_libs" - fi - continue - else # deplib is a libtool library - # If $allow_libtool_libs_with_static_runtimes && $deplib is a stdlib, - # We need to do some special things here, and not later. - if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then - case " $predeps $postdeps " in - *" $deplib "*) - if (${SED} -e '2q' $lib | - grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then - library_names= - old_library= - case $lib in - */* | *\\*) . $lib ;; - *) . ./$lib ;; - esac - for l in $old_library $library_names; do - ll="$l" - done - if test "X$ll" = "X$old_library" ; then # only static version available - found=no - ladir=`$echo "X$lib" | $Xsed -e 's%/[^/]*$%%'` - test "X$ladir" = "X$lib" && ladir="." 
- lib=$ladir/$old_library - if test "$linkmode,$pass" = "prog,link"; then - compile_deplibs="$deplib $compile_deplibs" - finalize_deplibs="$deplib $finalize_deplibs" - else - deplibs="$deplib $deplibs" - test "$linkmode" = lib && newdependency_libs="$deplib $newdependency_libs" - fi - continue - fi - fi - ;; - *) ;; - esac - fi - fi - ;; # -l - -L*) - case $linkmode in - lib) - deplibs="$deplib $deplibs" - test "$pass" = conv && continue - newdependency_libs="$deplib $newdependency_libs" - newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'` - ;; - prog) - if test "$pass" = conv; then - deplibs="$deplib $deplibs" - continue - fi - if test "$pass" = scan; then - deplibs="$deplib $deplibs" - newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'` - else - compile_deplibs="$deplib $compile_deplibs" - finalize_deplibs="$deplib $finalize_deplibs" - fi - ;; - *) - $echo "$modename: warning: \`-L' is ignored for archives/objects" 1>&2 - ;; - esac # linkmode - continue - ;; # -L - -R*) - if test "$pass" = link; then - dir=`$echo "X$deplib" | $Xsed -e 's/^-R//'` - # Make sure the xrpath contains only unique directories. - case "$xrpath " in - *" $dir "*) ;; - *) xrpath="$xrpath $dir" ;; - esac - fi - deplibs="$deplib $deplibs" - continue - ;; - *.la) lib="$deplib" ;; - *.$libext) - if test "$pass" = conv; then - deplibs="$deplib $deplibs" - continue - fi - case $linkmode in - lib) - if test "$deplibs_check_method" != pass_all; then - $echo - $echo "*** Warning: Trying to link with static lib archive $deplib." - $echo "*** I have the capability to make that library automatically link in when" - $echo "*** you link to this library. But I can only do this if you have a" - $echo "*** shared version of the library, which you do not appear to have" - $echo "*** because the file extensions .$libext of this argument makes me believe" - $echo "*** that it is just a static archive that I should not used here." 
- else - $echo - $echo "*** Warning: Linking the shared library $output against the" - $echo "*** static library $deplib is not portable!" - deplibs="$deplib $deplibs" - fi - continue - ;; - prog) - if test "$pass" != link; then - deplibs="$deplib $deplibs" - else - compile_deplibs="$deplib $compile_deplibs" - finalize_deplibs="$deplib $finalize_deplibs" - fi - continue - ;; - esac # linkmode - ;; # *.$libext - *.lo | *.$objext) - if test "$pass" = conv; then - deplibs="$deplib $deplibs" - elif test "$linkmode" = prog; then - if test "$pass" = dlpreopen || test "$dlopen_support" != yes || test "$build_libtool_libs" = no; then - # If there is no dlopen support or we're linking statically, - # we need to preload. - newdlprefiles="$newdlprefiles $deplib" - compile_deplibs="$deplib $compile_deplibs" - finalize_deplibs="$deplib $finalize_deplibs" - else - newdlfiles="$newdlfiles $deplib" - fi - fi - continue - ;; - %DEPLIBS%) - alldeplibs=yes - continue - ;; - esac # case $deplib - if test "$found" = yes || test -f "$lib"; then : - else - $echo "$modename: cannot find the library \`$lib'" 1>&2 - exit 1 - fi - - # Check to see that this really is a libtool archive. - if (${SED} -e '2q' $lib | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then : - else - $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2 - exit 1 - fi - - ladir=`$echo "X$lib" | $Xsed -e 's%/[^/]*$%%'` - test "X$ladir" = "X$lib" && ladir="." - - dlname= - dlopen= - dlpreopen= - libdir= - library_names= - old_library= - # If the library was installed with an old release of libtool, - # it will not redefine variables installed, or shouldnotlink - installed=yes - shouldnotlink=no - - # Read the .la file - case $lib in - */* | *\\*) . $lib ;; - *) . 
./$lib ;; - esac - - if test "$linkmode,$pass" = "lib,link" || - test "$linkmode,$pass" = "prog,scan" || - { test "$linkmode" != prog && test "$linkmode" != lib; }; then - test -n "$dlopen" && dlfiles="$dlfiles $dlopen" - test -n "$dlpreopen" && dlprefiles="$dlprefiles $dlpreopen" - fi - - if test "$pass" = conv; then - # Only check for convenience libraries - deplibs="$lib $deplibs" - if test -z "$libdir"; then - if test -z "$old_library"; then - $echo "$modename: cannot find name of link library for \`$lib'" 1>&2 - exit 1 - fi - # It is a libtool convenience library, so add in its objects. - convenience="$convenience $ladir/$objdir/$old_library" - old_convenience="$old_convenience $ladir/$objdir/$old_library" - tmp_libs= - for deplib in $dependency_libs; do - deplibs="$deplib $deplibs" - if test "X$duplicate_deps" = "Xyes" ; then - case "$tmp_libs " in - *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;; - esac - fi - tmp_libs="$tmp_libs $deplib" - done - elif test "$linkmode" != prog && test "$linkmode" != lib; then - $echo "$modename: \`$lib' is not a convenience library" 1>&2 - exit 1 - fi - continue - fi # $pass = conv - - - # Get the name of the library we link against. - linklib= - for l in $old_library $library_names; do - linklib="$l" - done - if test -z "$linklib"; then - $echo "$modename: cannot find name of link library for \`$lib'" 1>&2 - exit 1 - fi - - # This library was specified with -dlopen. - if test "$pass" = dlopen; then - if test -z "$libdir"; then - $echo "$modename: cannot -dlopen a convenience library: \`$lib'" 1>&2 - exit 1 - fi - if test -z "$dlname" || test "$dlopen_support" != yes || test "$build_libtool_libs" = no; then - # If there is no dlname, no dlopen support or we're linking - # statically, we need to preload. We also need to preload any - # dependent libraries so libltdl's deplib preloader doesn't - # bomb out in the load deplibs phase. 
- dlprefiles="$dlprefiles $lib $dependency_libs"
- else
- newdlfiles="$newdlfiles $lib"
- fi
- continue
- fi # $pass = dlopen
-
- # We need an absolute path.
- case $ladir in
- [\\/]* | [A-Za-z]:[\\/]*) abs_ladir="$ladir" ;;
- *)
- abs_ladir=`cd "$ladir" && pwd`
- if test -z "$abs_ladir"; then
- $echo "$modename: warning: cannot determine absolute directory name of \`$ladir'" 1>&2
- $echo "$modename: passing it literally to the linker, although it might fail" 1>&2
- abs_ladir="$ladir"
- fi
- ;;
- esac
- laname=`$echo "X$lib" | $Xsed -e 's%^.*/%%'`
-
- # Find the relevant object directory and library name.
- if test "X$installed" = Xyes; then
- if test ! -f "$libdir/$linklib" && test -f "$abs_ladir/$linklib"; then
- $echo "$modename: warning: library \`$lib' was moved." 1>&2
- dir="$ladir"
- absdir="$abs_ladir"
- libdir="$abs_ladir"
- else
- dir="$libdir"
- absdir="$libdir"
- fi
- else
- dir="$ladir/$objdir"
- absdir="$abs_ladir/$objdir"
- # Remove this search path later
- notinst_path="$notinst_path $abs_ladir"
- fi # $installed = yes
- name=`$echo "X$laname" | $Xsed -e 's/\.la$//' -e 's/^lib//'`
-
- # This library was specified with -dlpreopen.
- if test "$pass" = dlpreopen; then
- if test -z "$libdir"; then
- $echo "$modename: cannot -dlpreopen a convenience library: \`$lib'" 1>&2
- exit 1
- fi
- # Prefer using a static library (so that no silly _DYNAMIC symbols
- # are required to link).
- if test -n "$old_library"; then
- newdlprefiles="$newdlprefiles $dir/$old_library"
- # Otherwise, use the dlname, so that lt_dlopen finds it.
- elif test -n "$dlname"; then - newdlprefiles="$newdlprefiles $dir/$dlname" - else - newdlprefiles="$newdlprefiles $dir/$linklib" - fi - fi # $pass = dlpreopen - - if test -z "$libdir"; then - # Link the convenience library - if test "$linkmode" = lib; then - deplibs="$dir/$old_library $deplibs" - elif test "$linkmode,$pass" = "prog,link"; then - compile_deplibs="$dir/$old_library $compile_deplibs" - finalize_deplibs="$dir/$old_library $finalize_deplibs" - else - deplibs="$lib $deplibs" # used for prog,scan pass - fi - continue - fi - - - if test "$linkmode" = prog && test "$pass" != link; then - newlib_search_path="$newlib_search_path $ladir" - deplibs="$lib $deplibs" - - linkalldeplibs=no - if test "$link_all_deplibs" != no || test -z "$library_names" || - test "$build_libtool_libs" = no; then - linkalldeplibs=yes - fi - - tmp_libs= - for deplib in $dependency_libs; do - case $deplib in - -L*) newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'`;; ### testsuite: skip nested quoting test - esac - # Need to link against all dependency_libs? - if test "$linkalldeplibs" = yes; then - deplibs="$deplib $deplibs" - else - # Need to hardcode shared library paths - # or/and link against static libraries - newdependency_libs="$deplib $newdependency_libs" - fi - if test "X$duplicate_deps" = "Xyes" ; then - case "$tmp_libs " in - *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;; - esac - fi - tmp_libs="$tmp_libs $deplib" - done # for deplib - continue - fi # $linkmode = prog... - - if test "$linkmode,$pass" = "prog,link"; then - if test -n "$library_names" && - { test "$prefer_static_libs" = no || test -z "$old_library"; }; then - # We need to hardcode the library path - if test -n "$shlibpath_var"; then - # Make sure the rpath contains only unique directories. - case "$temp_rpath " in - *" $dir "*) ;; - *" $absdir "*) ;; - *) temp_rpath="$temp_rpath $dir" ;; - esac - fi - - # Hardcode the library path. 
- # Skip directories that are in the system default run-time - # search path. - case " $sys_lib_dlsearch_path " in - *" $absdir "*) ;; - *) - case "$compile_rpath " in - *" $absdir "*) ;; - *) compile_rpath="$compile_rpath $absdir" - esac - ;; - esac - case " $sys_lib_dlsearch_path " in - *" $libdir "*) ;; - *) - case "$finalize_rpath " in - *" $libdir "*) ;; - *) finalize_rpath="$finalize_rpath $libdir" - esac - ;; - esac - fi # $linkmode,$pass = prog,link... - - if test "$alldeplibs" = yes && - { test "$deplibs_check_method" = pass_all || - { test "$build_libtool_libs" = yes && - test -n "$library_names"; }; }; then - # We only need to search for static libraries - continue - fi - fi - - link_static=no # Whether the deplib will be linked statically - if test -n "$library_names" && - { test "$prefer_static_libs" = no || test -z "$old_library"; }; then - if test "$installed" = no; then - notinst_deplibs="$notinst_deplibs $lib" - need_relink=yes - fi - # This is a shared library - - # Warn about portability, can't link against -module's on some systems (darwin) - if test "$shouldnotlink" = yes && test "$pass" = link ; then - $echo - if test "$linkmode" = prog; then - $echo "*** Warning: Linking the executable $output against the loadable module" - else - $echo "*** Warning: Linking the shared library $output against the loadable module" - fi - $echo "*** $linklib is not portable!" - fi - if test "$linkmode" = lib && - test "$hardcode_into_libs" = yes; then - # Hardcode the library path. - # Skip directories that are in the system default run-time - # search path. 
- case " $sys_lib_dlsearch_path " in - *" $absdir "*) ;; - *) - case "$compile_rpath " in - *" $absdir "*) ;; - *) compile_rpath="$compile_rpath $absdir" - esac - ;; - esac - case " $sys_lib_dlsearch_path " in - *" $libdir "*) ;; - *) - case "$finalize_rpath " in - *" $libdir "*) ;; - *) finalize_rpath="$finalize_rpath $libdir" - esac - ;; - esac - fi - - if test -n "$old_archive_from_expsyms_cmds"; then - # figure out the soname - set dummy $library_names - realname="$2" - shift; shift - libname=`eval \\$echo \"$libname_spec\"` - # use dlname if we got it. it's perfectly good, no? - if test -n "$dlname"; then - soname="$dlname" - elif test -n "$soname_spec"; then - # bleh windows - case $host in - *cygwin* | mingw*) - major=`expr $current - $age` - versuffix="-$major" - ;; - esac - eval soname=\"$soname_spec\" - else - soname="$realname" - fi - - # Make a new name for the extract_expsyms_cmds to use - soroot="$soname" - soname=`$echo $soroot | ${SED} -e 's/^.*\///'` - newlib="libimp-`$echo $soname | ${SED} 's/^lib//;s/\.dll$//'`.a" - - # If the library has no export list, then create one now - if test -f "$output_objdir/$soname-def"; then : - else - $show "extracting exported symbol list from \`$soname'" - save_ifs="$IFS"; IFS='~' - cmds=$extract_expsyms_cmds - for cmd in $cmds; do - IFS="$save_ifs" - eval cmd=\"$cmd\" - $show "$cmd" - $run eval "$cmd" || exit $? - done - IFS="$save_ifs" - fi - - # Create $newlib - if test -f "$output_objdir/$newlib"; then :; else - $show "generating import library for \`$soname'" - save_ifs="$IFS"; IFS='~' - cmds=$old_archive_from_expsyms_cmds - for cmd in $cmds; do - IFS="$save_ifs" - eval cmd=\"$cmd\" - $show "$cmd" - $run eval "$cmd" || exit $? 
- done - IFS="$save_ifs" - fi - # make sure the library variables are pointing to the new library - dir=$output_objdir - linklib=$newlib - fi # test -n "$old_archive_from_expsyms_cmds" - - if test "$linkmode" = prog || test "$mode" != relink; then - add_shlibpath= - add_dir= - add= - lib_linked=yes - case $hardcode_action in - immediate | unsupported) - if test "$hardcode_direct" = no; then - add="$dir/$linklib" - case $host in - *-*-sco3.2v5* ) add_dir="-L$dir" ;; - *-*-darwin* ) - # if the lib is a module then we can not link against it, someone - # is ignoring the new warnings I added - if /usr/bin/file -L $add 2> /dev/null | grep "bundle" >/dev/null ; then - $echo "** Warning, lib $linklib is a module, not a shared library" - if test -z "$old_library" ; then - $echo - $echo "** And there doesn't seem to be a static archive available" - $echo "** The link will probably fail, sorry" - else - add="$dir/$old_library" - fi - fi - esac - elif test "$hardcode_minus_L" = no; then - case $host in - *-*-sunos*) add_shlibpath="$dir" ;; - esac - add_dir="-L$dir" - add="-l$name" - elif test "$hardcode_shlibpath_var" = no; then - add_shlibpath="$dir" - add="-l$name" - else - lib_linked=no - fi - ;; - relink) - if test "$hardcode_direct" = yes; then - add="$dir/$linklib" - elif test "$hardcode_minus_L" = yes; then - add_dir="-L$dir" - # Try looking first in the location we're being installed to. 
- if test -n "$inst_prefix_dir"; then - case "$libdir" in - [\\/]*) - add_dir="$add_dir -L$inst_prefix_dir$libdir" - ;; - esac - fi - add="-l$name" - elif test "$hardcode_shlibpath_var" = yes; then - add_shlibpath="$dir" - add="-l$name" - else - lib_linked=no - fi - ;; - *) lib_linked=no ;; - esac - - if test "$lib_linked" != yes; then - $echo "$modename: configuration error: unsupported hardcode properties" - exit 1 - fi - - if test -n "$add_shlibpath"; then - case :$compile_shlibpath: in - *":$add_shlibpath:"*) ;; - *) compile_shlibpath="$compile_shlibpath$add_shlibpath:" ;; - esac - fi - if test "$linkmode" = prog; then - test -n "$add_dir" && compile_deplibs="$add_dir $compile_deplibs" - test -n "$add" && compile_deplibs="$add $compile_deplibs" - else - test -n "$add_dir" && deplibs="$add_dir $deplibs" - test -n "$add" && deplibs="$add $deplibs" - if test "$hardcode_direct" != yes && \ - test "$hardcode_minus_L" != yes && \ - test "$hardcode_shlibpath_var" = yes; then - case :$finalize_shlibpath: in - *":$libdir:"*) ;; - *) finalize_shlibpath="$finalize_shlibpath$libdir:" ;; - esac - fi - fi - fi - - if test "$linkmode" = prog || test "$mode" = relink; then - add_shlibpath= - add_dir= - add= - # Finalize command for both is simple: just hardcode it. - if test "$hardcode_direct" = yes; then - add="$libdir/$linklib" - elif test "$hardcode_minus_L" = yes; then - add_dir="-L$libdir" - add="-l$name" - elif test "$hardcode_shlibpath_var" = yes; then - case :$finalize_shlibpath: in - *":$libdir:"*) ;; - *) finalize_shlibpath="$finalize_shlibpath$libdir:" ;; - esac - add="-l$name" - elif test "$hardcode_automatic" = yes; then - if test -n "$inst_prefix_dir" && test -f "$inst_prefix_dir$libdir/$linklib" ; then - add="$inst_prefix_dir$libdir/$linklib" - else - add="$libdir/$linklib" - fi - else - # We cannot seem to hardcode it, guess we'll fake it. - add_dir="-L$libdir" - # Try looking first in the location we're being installed to. 
- if test -n "$inst_prefix_dir"; then - case "$libdir" in - [\\/]*) - add_dir="$add_dir -L$inst_prefix_dir$libdir" - ;; - esac - fi - add="-l$name" - fi - - if test "$linkmode" = prog; then - test -n "$add_dir" && finalize_deplibs="$add_dir $finalize_deplibs" - test -n "$add" && finalize_deplibs="$add $finalize_deplibs" - else - test -n "$add_dir" && deplibs="$add_dir $deplibs" - test -n "$add" && deplibs="$add $deplibs" - fi - fi - elif test "$linkmode" = prog; then - # Here we assume that one of hardcode_direct or hardcode_minus_L - # is not unsupported. This is valid on all known static and - # shared platforms. - if test "$hardcode_direct" != unsupported; then - test -n "$old_library" && linklib="$old_library" - compile_deplibs="$dir/$linklib $compile_deplibs" - finalize_deplibs="$dir/$linklib $finalize_deplibs" - else - compile_deplibs="-l$name -L$dir $compile_deplibs" - finalize_deplibs="-l$name -L$dir $finalize_deplibs" - fi - elif test "$build_libtool_libs" = yes; then - # Not a shared library - if test "$deplibs_check_method" != pass_all; then - # We're trying link a shared library against a static one - # but the system doesn't support it. - - # Just print a warning and add the library to dependency_libs so - # that the program can be linked against the static library. - $echo - $echo "*** Warning: This system can not link to static lib archive $lib." - $echo "*** I have the capability to make that library automatically link in when" - $echo "*** you link to this library. But I can only do this if you have a" - $echo "*** shared version of the library, which you do not appear to have." - if test "$module" = yes; then - $echo "*** But as you try to build a module library, libtool will still create " - $echo "*** a static module, that should work as long as the dlopening application" - $echo "*** is linked with the -dlopen flag to resolve symbols at runtime." 
- if test -z "$global_symbol_pipe"; then - $echo - $echo "*** However, this would only work if libtool was able to extract symbol" - $echo "*** lists from a program, using \`nm' or equivalent, but libtool could" - $echo "*** not find such a program. So, this module is probably useless." - $echo "*** \`nm' from GNU binutils and a full rebuild may help." - fi - if test "$build_old_libs" = no; then - build_libtool_libs=module - build_old_libs=yes - else - build_libtool_libs=no - fi - fi - else - convenience="$convenience $dir/$old_library" - old_convenience="$old_convenience $dir/$old_library" - deplibs="$dir/$old_library $deplibs" - link_static=yes - fi - fi # link shared/static library? - - if test "$linkmode" = lib; then - if test -n "$dependency_libs" && - { test "$hardcode_into_libs" != yes || test "$build_old_libs" = yes || - test "$link_static" = yes; }; then - # Extract -R from dependency_libs - temp_deplibs= - for libdir in $dependency_libs; do - case $libdir in - -R*) temp_xrpath=`$echo "X$libdir" | $Xsed -e 's/^-R//'` - case " $xrpath " in - *" $temp_xrpath "*) ;; - *) xrpath="$xrpath $temp_xrpath";; - esac;; - *) temp_deplibs="$temp_deplibs $libdir";; - esac - done - dependency_libs="$temp_deplibs" - fi - - newlib_search_path="$newlib_search_path $absdir" - # Link against this library - test "$link_static" = no && newdependency_libs="$abs_ladir/$laname $newdependency_libs" - # ... and its dependency_libs - tmp_libs= - for deplib in $dependency_libs; do - newdependency_libs="$deplib $newdependency_libs" - if test "X$duplicate_deps" = "Xyes" ; then - case "$tmp_libs " in - *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;; - esac - fi - tmp_libs="$tmp_libs $deplib" - done - - if test "$link_all_deplibs" != no; then - # Add the search paths of all dependency libraries - for deplib in $dependency_libs; do - case $deplib in - -L*) path="$deplib" ;; - *.la) - dir=`$echo "X$deplib" | $Xsed -e 's%/[^/]*$%%'` - test "X$dir" = "X$deplib" && dir="." 
- # We need an absolute path. - case $dir in - [\\/]* | [A-Za-z]:[\\/]*) absdir="$dir" ;; - *) - absdir=`cd "$dir" && pwd` - if test -z "$absdir"; then - $echo "$modename: warning: cannot determine absolute directory name of \`$dir'" 1>&2 - absdir="$dir" - fi - ;; - esac - if grep "^installed=no" $deplib > /dev/null; then - path="$absdir/$objdir" - else - eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $deplib` - if test -z "$libdir"; then - $echo "$modename: \`$deplib' is not a valid libtool archive" 1>&2 - exit 1 - fi - if test "$absdir" != "$libdir"; then - $echo "$modename: warning: \`$deplib' seems to be moved" 1>&2 - fi - path="$absdir" - fi - depdepl= - case $host in - *-*-darwin*) - # we do not want to link against static libs, but need to link against shared - eval deplibrary_names=`${SED} -n -e 's/^library_names=\(.*\)$/\1/p' $deplib` - if test -n "$deplibrary_names" ; then - for tmp in $deplibrary_names ; do - depdepl=$tmp - done - if test -f "$path/$depdepl" ; then - depdepl="$path/$depdepl" - fi - # do not add paths which are already there - case " $newlib_search_path " in - *" $path "*) ;; - *) newlib_search_path="$newlib_search_path $path";; - esac - fi - path="" - ;; - *) - path="-L$path" - ;; - esac - - ;; - -l*) - case $host in - *-*-darwin*) - # Again, we only want to link against shared libraries - eval tmp_libs=`$echo "X$deplib" | $Xsed -e "s,^\-l,,"` - for tmp in $newlib_search_path ; do - if test -f "$tmp/lib$tmp_libs.dylib" ; then - eval depdepl="$tmp/lib$tmp_libs.dylib" - break - fi - done - path="" - ;; - *) continue ;; - esac - ;; - *) continue ;; - esac - case " $deplibs " in - *" $depdepl "*) ;; - *) deplibs="$deplibs $depdepl" ;; - esac - case " $deplibs " in - *" $path "*) ;; - *) deplibs="$deplibs $path" ;; - esac - done - fi # link_all_deplibs != no - fi # linkmode = lib - done # for deplib in $libs - dependency_libs="$newdependency_libs" - if test "$pass" = dlpreopen; then - # Link the dlpreopened libraries before other 
libraries - for deplib in $save_deplibs; do - deplibs="$deplib $deplibs" - done - fi - if test "$pass" != dlopen; then - if test "$pass" != conv; then - # Make sure lib_search_path contains only unique directories. - lib_search_path= - for dir in $newlib_search_path; do - case "$lib_search_path " in - *" $dir "*) ;; - *) lib_search_path="$lib_search_path $dir" ;; - esac - done - newlib_search_path= - fi - - if test "$linkmode,$pass" != "prog,link"; then - vars="deplibs" - else - vars="compile_deplibs finalize_deplibs" - fi - for var in $vars dependency_libs; do - # Add libraries to $var in reverse order - eval tmp_libs=\"\$$var\" - new_libs= - for deplib in $tmp_libs; do - # FIXME: Pedantically, this is the right thing to do, so - # that some nasty dependency loop isn't accidentally - # broken: - #new_libs="$deplib $new_libs" - # Pragmatically, this seems to cause very few problems in - # practice: - case $deplib in - -L*) new_libs="$deplib $new_libs" ;; - -R*) ;; - *) - # And here is the reason: when a library appears more - # than once as an explicit dependence of a library, or - # is implicitly linked in more than once by the - # compiler, it is considered special, and multiple - # occurrences thereof are not removed. Compare this - # with having the same library being listed as a - # dependency of multiple other libraries: in this case, - # we know (pedantically, we assume) the library does not - # need to be listed more than once, so we keep only the - # last copy. This is not always right, but it is rare - # enough that we require users that really mean to play - # such unportable linking tricks to link the library - # using -Wl,-lname, so that libtool does not consider it - # for duplicate removal. 
- case " $specialdeplibs " in - *" $deplib "*) new_libs="$deplib $new_libs" ;; - *) - case " $new_libs " in - *" $deplib "*) ;; - *) new_libs="$deplib $new_libs" ;; - esac - ;; - esac - ;; - esac - done - tmp_libs= - for deplib in $new_libs; do - case $deplib in - -L*) - case " $tmp_libs " in - *" $deplib "*) ;; - *) tmp_libs="$tmp_libs $deplib" ;; - esac - ;; - *) tmp_libs="$tmp_libs $deplib" ;; - esac - done - eval $var=\"$tmp_libs\" - done # for var - fi - # Last step: remove runtime libs from dependency_libs (they stay in deplibs) - tmp_libs= - for i in $dependency_libs ; do - case " $predeps $postdeps $compiler_lib_search_path " in - *" $i "*) - i="" - ;; - esac - if test -n "$i" ; then - tmp_libs="$tmp_libs $i" - fi - done - dependency_libs=$tmp_libs - done # for pass - if test "$linkmode" = prog; then - dlfiles="$newdlfiles" - dlprefiles="$newdlprefiles" - fi - - case $linkmode in - oldlib) - if test -n "$deplibs"; then - $echo "$modename: warning: \`-l' and \`-L' are ignored for archives" 1>&2 - fi - - if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then - $echo "$modename: warning: \`-dlopen' is ignored for archives" 1>&2 - fi - - if test -n "$rpath"; then - $echo "$modename: warning: \`-rpath' is ignored for archives" 1>&2 - fi - - if test -n "$xrpath"; then - $echo "$modename: warning: \`-R' is ignored for archives" 1>&2 - fi - - if test -n "$vinfo"; then - $echo "$modename: warning: \`-version-info/-version-number' is ignored for archives" 1>&2 - fi - - if test -n "$release"; then - $echo "$modename: warning: \`-release' is ignored for archives" 1>&2 - fi - - if test -n "$export_symbols" || test -n "$export_symbols_regex"; then - $echo "$modename: warning: \`-export-symbols' is ignored for archives" 1>&2 - fi - - # Now set the variables for building old libraries. - build_libtool_libs=no - oldlibs="$output" - objs="$objs$old_deplibs" - ;; - - lib) - # Make sure we only generate libraries of the form `libNAME.la'. 
- case $outputname in - lib*) - name=`$echo "X$outputname" | $Xsed -e 's/\.la$//' -e 's/^lib//'` - eval shared_ext=\"$shrext\" - eval libname=\"$libname_spec\" - ;; - *) - if test "$module" = no; then - $echo "$modename: libtool library \`$output' must begin with \`lib'" 1>&2 - $echo "$help" 1>&2 - exit 1 - fi - if test "$need_lib_prefix" != no; then - # Add the "lib" prefix for modules if required - name=`$echo "X$outputname" | $Xsed -e 's/\.la$//'` - eval shared_ext=\"$shrext\" - eval libname=\"$libname_spec\" - else - libname=`$echo "X$outputname" | $Xsed -e 's/\.la$//'` - fi - ;; - esac - - if test -n "$objs"; then - if test "$deplibs_check_method" != pass_all; then - $echo "$modename: cannot build libtool library \`$output' from non-libtool objects on this host:$objs" 2>&1 - exit 1 - else - $echo - $echo "*** Warning: Linking the shared library $output against the non-libtool" - $echo "*** objects $objs is not portable!" - libobjs="$libobjs $objs" - fi - fi - - if test "$dlself" != no; then - $echo "$modename: warning: \`-dlopen self' is ignored for libtool libraries" 1>&2 - fi - - set dummy $rpath - if test "$#" -gt 2; then - $echo "$modename: warning: ignoring multiple \`-rpath's for a libtool library" 1>&2 - fi - install_libdir="$2" - - oldlibs= - if test -z "$rpath"; then - if test "$build_libtool_libs" = yes; then - # Building a libtool convenience library. - # Some compilers have problems with a `.al' extension so - # convenience libraries should have the same extension an - # archive normally would. - oldlibs="$output_objdir/$libname.$libext $oldlibs" - build_libtool_libs=convenience - build_old_libs=yes - fi - - if test -n "$vinfo"; then - $echo "$modename: warning: \`-version-info/-version-number' is ignored for convenience libraries" 1>&2 - fi - - if test -n "$release"; then - $echo "$modename: warning: \`-release' is ignored for convenience libraries" 1>&2 - fi - else - - # Parse the version information argument. 
- save_ifs="$IFS"; IFS=':' - set dummy $vinfo 0 0 0 - IFS="$save_ifs" - - if test -n "$8"; then - $echo "$modename: too many parameters to \`-version-info'" 1>&2 - $echo "$help" 1>&2 - exit 1 - fi - - # convert absolute version numbers to libtool ages - # this retains compatibility with .la files and attempts - # to make the code below a bit more comprehensible - - case $vinfo_number in - yes) - number_major="$2" - number_minor="$3" - number_revision="$4" - # - # There are really only two kinds -- those that - # use the current revision as the major version - # and those that subtract age and use age as - # a minor version. But, then there is irix - # which has an extra 1 added just for fun - # - case $version_type in - darwin|linux|osf|windows) - current=`expr $number_major + $number_minor` - age="$number_minor" - revision="$number_revision" - ;; - freebsd-aout|freebsd-elf|sunos) - current="$number_major" - revision="$number_minor" - age="0" - ;; - irix|nonstopux) - current=`expr $number_major + $number_minor - 1` - age="$number_minor" - revision="$number_minor" - ;; - esac - ;; - no) - current="$2" - revision="$3" - age="$4" - ;; - esac - - # Check that each of the things are valid numbers. 
- case $current in - 0 | [1-9] | [1-9][0-9] | [1-9][0-9][0-9]) ;; - *) - $echo "$modename: CURRENT \`$current' is not a nonnegative integer" 1>&2 - $echo "$modename: \`$vinfo' is not valid version information" 1>&2 - exit 1 - ;; - esac - - case $revision in - 0 | [1-9] | [1-9][0-9] | [1-9][0-9][0-9]) ;; - *) - $echo "$modename: REVISION \`$revision' is not a nonnegative integer" 1>&2 - $echo "$modename: \`$vinfo' is not valid version information" 1>&2 - exit 1 - ;; - esac - - case $age in - 0 | [1-9] | [1-9][0-9] | [1-9][0-9][0-9]) ;; - *) - $echo "$modename: AGE \`$age' is not a nonnegative integer" 1>&2 - $echo "$modename: \`$vinfo' is not valid version information" 1>&2 - exit 1 - ;; - esac - - if test "$age" -gt "$current"; then - $echo "$modename: AGE \`$age' is greater than the current interface number \`$current'" 1>&2 - $echo "$modename: \`$vinfo' is not valid version information" 1>&2 - exit 1 - fi - - # Calculate the version variables. - major= - versuffix= - verstring= - case $version_type in - none) ;; - - darwin) - # Like Linux, but with the current version available in - # verstring for coding it into the library header - major=.`expr $current - $age` - versuffix="$major.$age.$revision" - # Darwin ld doesn't like 0 for these options... - minor_current=`expr $current + 1` - verstring="-compatibility_version $minor_current -current_version $minor_current.$revision" - ;; - - freebsd-aout) - major=".$current" - versuffix=".$current.$revision"; - ;; - - freebsd-elf) - major=".$current" - versuffix=".$current"; - ;; - - irix | nonstopux) - major=`expr $current - $age + 1` - - case $version_type in - nonstopux) verstring_prefix=nonstopux ;; - *) verstring_prefix=sgi ;; - esac - verstring="$verstring_prefix$major.$revision" - - # Add in all the interfaces that we are compatible with. 
- loop=$revision - while test "$loop" -ne 0; do - iface=`expr $revision - $loop` - loop=`expr $loop - 1` - verstring="$verstring_prefix$major.$iface:$verstring" - done - - # Before this point, $major must not contain `.'. - major=.$major - versuffix="$major.$revision" - ;; - - linux) - major=.`expr $current - $age` - versuffix="$major.$age.$revision" - ;; - - osf) - major=.`expr $current - $age` - versuffix=".$current.$age.$revision" - verstring="$current.$age.$revision" - - # Add in all the interfaces that we are compatible with. - loop=$age - while test "$loop" -ne 0; do - iface=`expr $current - $loop` - loop=`expr $loop - 1` - verstring="$verstring:${iface}.0" - done - - # Make executables depend on our current version. - verstring="$verstring:${current}.0" - ;; - - sunos) - major=".$current" - versuffix=".$current.$revision" - ;; - - windows) - # Use '-' rather than '.', since we only want one - # extension on DOS 8.3 filesystems. - major=`expr $current - $age` - versuffix="-$major" - ;; - - *) - $echo "$modename: unknown library version type \`$version_type'" 1>&2 - $echo "Fatal configuration error. See the $PACKAGE docs for more information." 1>&2 - exit 1 - ;; - esac - - # Clear the version info if we defaulted, and they specified a release. - if test -z "$vinfo" && test -n "$release"; then - major= - case $version_type in - darwin) - # we can't check for "0.0" in archive_cmds due to quoting - # problems, so we reset it completely - verstring= - ;; - *) - verstring="0.0" - ;; - esac - if test "$need_version" = no; then - versuffix= - else - versuffix=".0.0" - fi - fi - - # Remove version info from name if versioning should be avoided - if test "$avoid_version" = yes && test "$need_version" = no; then - major= - versuffix= - verstring="" - fi - - # Check to see if the archive will have undefined symbols. 
- if test "$allow_undefined" = yes; then - if test "$allow_undefined_flag" = unsupported; then - $echo "$modename: warning: undefined symbols not allowed in $host shared libraries" 1>&2 - build_libtool_libs=no - build_old_libs=yes - fi - else - # Don't allow undefined symbols. - allow_undefined_flag="$no_undefined_flag" - fi - fi - - if test "$mode" != relink; then - # Remove our outputs, but don't remove object files since they - # may have been created when compiling PIC objects. - removelist= - tempremovelist=`$echo "$output_objdir/*"` - for p in $tempremovelist; do - case $p in - *.$objext) - ;; - $output_objdir/$outputname | $output_objdir/$libname.* | $output_objdir/${libname}${release}.*) - if echo $p | $EGREP -e "$precious_files_regex" >/dev/null 2>&1 - then - continue - fi - removelist="$removelist $p" - ;; - *) ;; - esac - done - if test -n "$removelist"; then - $show "${rm}r $removelist" - $run ${rm}r $removelist - fi - fi - - # Now set the variables for building old libraries. - if test "$build_old_libs" = yes && test "$build_libtool_libs" != convenience ; then - oldlibs="$oldlibs $output_objdir/$libname.$libext" - - # Transform .lo files to .o files. - oldobjs="$objs "`$echo "X$libobjs" | $SP2NL | $Xsed -e '/\.'${libext}'$/d' -e "$lo2o" | $NL2SP` - fi - - # Eliminate all temporary directories. - for path in $notinst_path; do - lib_search_path=`$echo "$lib_search_path " | ${SED} -e 's% $path % %g'` - deplibs=`$echo "$deplibs " | ${SED} -e 's% -L$path % %g'` - dependency_libs=`$echo "$dependency_libs " | ${SED} -e 's% -L$path % %g'` - done - - if test -n "$xrpath"; then - # If the user specified any rpath flags, then add them. 
- temp_xrpath= - for libdir in $xrpath; do - temp_xrpath="$temp_xrpath -R$libdir" - case "$finalize_rpath " in - *" $libdir "*) ;; - *) finalize_rpath="$finalize_rpath $libdir" ;; - esac - done - if test "$hardcode_into_libs" != yes || test "$build_old_libs" = yes; then - dependency_libs="$temp_xrpath $dependency_libs" - fi - fi - - # Make sure dlfiles contains only unique files that won't be dlpreopened - old_dlfiles="$dlfiles" - dlfiles= - for lib in $old_dlfiles; do - case " $dlprefiles $dlfiles " in - *" $lib "*) ;; - *) dlfiles="$dlfiles $lib" ;; - esac - done - - # Make sure dlprefiles contains only unique files - old_dlprefiles="$dlprefiles" - dlprefiles= - for lib in $old_dlprefiles; do - case "$dlprefiles " in - *" $lib "*) ;; - *) dlprefiles="$dlprefiles $lib" ;; - esac - done - - if test "$build_libtool_libs" = yes; then - if test -n "$rpath"; then - case $host in - *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-beos*) - # these systems don't actually have a c library (as such)! - ;; - *-*-rhapsody* | *-*-darwin1.[012]) - # Rhapsody C library is in the System framework - deplibs="$deplibs -framework System" - ;; - *-*-netbsd*) - # Don't link with libc until the a.out ld.so is fixed. - ;; - *-*-openbsd* | *-*-freebsd*) - # Do not include libc due to us having libc/libc_r. - test "X$arg" = "X-lc" && continue - ;; - *) - # Add libc to deplibs on all other systems if necessary. - if test "$build_libtool_need_lc" = "yes"; then - deplibs="$deplibs -lc" - fi - ;; - esac - fi - - # Transform deplibs into only deplibs that can be linked in shared. - name_save=$name - libname_save=$libname - release_save=$release - versuffix_save=$versuffix - major_save=$major - # I'm not sure if I'm treating the release correctly. I think - # release should show up in the -l (ie -lgmp5) so we don't want to - # add it in twice. Is that correct? 
- release="" - versuffix="" - major="" - newdeplibs= - droppeddeps=no - case $deplibs_check_method in - pass_all) - # Don't check for shared/static. Everything works. - # This might be a little naive. We might want to check - # whether the library exists or not. But this is on - # osf3 & osf4 and I'm not really sure... Just - # implementing what was already the behavior. - newdeplibs=$deplibs - ;; - test_compile) - # This code stresses the "libraries are programs" paradigm to its - # limits. Maybe even breaks it. We compile a program, linking it - # against the deplibs as a proxy for the library. Then we can check - # whether they linked in statically or dynamically with ldd. - $rm conftest.c - cat > conftest.c </dev/null` - for potent_lib in $potential_libs; do - # Follow soft links. - if ls -lLd "$potent_lib" 2>/dev/null \ - | grep " -> " >/dev/null; then - continue - fi - # The statement above tries to avoid entering an - # endless loop below, in case of cyclic links. - # We might still enter an endless loop, since a link - # loop can be closed while we follow links, - # but so what? - potlib="$potent_lib" - while test -h "$potlib" 2>/dev/null; do - potliblink=`ls -ld $potlib | ${SED} 's/.* -> //'` - case $potliblink in - [\\/]* | [A-Za-z]:[\\/]*) potlib="$potliblink";; - *) potlib=`$echo "X$potlib" | $Xsed -e 's,[^/]*$,,'`"$potliblink";; - esac - done - if eval $file_magic_cmd \"\$potlib\" 2>/dev/null \ - | ${SED} 10q \ - | $EGREP "$file_magic_regex" > /dev/null; then - newdeplibs="$newdeplibs $a_deplib" - a_deplib="" - break 2 - fi - done - done - fi - if test -n "$a_deplib" ; then - droppeddeps=yes - $echo - $echo "*** Warning: linker path does not have real file for library $a_deplib." - $echo "*** I have the capability to make that library automatically link in when" - $echo "*** you link to this library. 
But I can only do this if you have a" - $echo "*** shared version of the library, which you do not appear to have" - $echo "*** because I did check the linker path looking for a file starting" - if test -z "$potlib" ; then - $echo "*** with $libname but no candidates were found. (...for file magic test)" - else - $echo "*** with $libname and none of the candidates passed a file format test" - $echo "*** using a file magic. Last file checked: $potlib" - fi - fi - else - # Add a -L argument. - newdeplibs="$newdeplibs $a_deplib" - fi - done # Gone through all deplibs. - ;; - match_pattern*) - set dummy $deplibs_check_method - match_pattern_regex=`expr "$deplibs_check_method" : "$2 \(.*\)"` - for a_deplib in $deplibs; do - name="`expr $a_deplib : '-l\(.*\)'`" - # If $name is empty we are operating on a -L argument. - if test -n "$name" && test "$name" != "0"; then - if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then - case " $predeps $postdeps " in - *" $a_deplib "*) - newdeplibs="$newdeplibs $a_deplib" - a_deplib="" - ;; - esac - fi - if test -n "$a_deplib" ; then - libname=`eval \\$echo \"$libname_spec\"` - for i in $lib_search_path $sys_lib_search_path $shlib_search_path; do - potential_libs=`ls $i/$libname[.-]* 2>/dev/null` - for potent_lib in $potential_libs; do - potlib="$potent_lib" # see symlink-check above in file_magic test - if eval $echo \"$potent_lib\" 2>/dev/null \ - | ${SED} 10q \ - | $EGREP "$match_pattern_regex" > /dev/null; then - newdeplibs="$newdeplibs $a_deplib" - a_deplib="" - break 2 - fi - done - done - fi - if test -n "$a_deplib" ; then - droppeddeps=yes - $echo - $echo "*** Warning: linker path does not have real file for library $a_deplib." - $echo "*** I have the capability to make that library automatically link in when" - $echo "*** you link to this library. 
But I can only do this if you have a" - $echo "*** shared version of the library, which you do not appear to have" - $echo "*** because I did check the linker path looking for a file starting" - if test -z "$potlib" ; then - $echo "*** with $libname but no candidates were found. (...for regex pattern test)" - else - $echo "*** with $libname and none of the candidates passed a file format test" - $echo "*** using a regex pattern. Last file checked: $potlib" - fi - fi - else - # Add a -L argument. - newdeplibs="$newdeplibs $a_deplib" - fi - done # Gone through all deplibs. - ;; - none | unknown | *) - newdeplibs="" - tmp_deplibs=`$echo "X $deplibs" | $Xsed -e 's/ -lc$//' \ - -e 's/ -[LR][^ ]*//g'` - if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then - for i in $predeps $postdeps ; do - # can't use Xsed below, because $i might contain '/' - tmp_deplibs=`$echo "X $tmp_deplibs" | ${SED} -e "1s,^X,," -e "s,$i,,"` - done - fi - if $echo "X $tmp_deplibs" | $Xsed -e 's/[ ]//g' \ - | grep . >/dev/null; then - $echo - if test "X$deplibs_check_method" = "Xnone"; then - $echo "*** Warning: inter-library dependencies are not supported in this platform." - else - $echo "*** Warning: inter-library dependencies are not known to be supported." - fi - $echo "*** All declared inter-library dependencies are being dropped." - droppeddeps=yes - fi - ;; - esac - versuffix=$versuffix_save - major=$major_save - release=$release_save - libname=$libname_save - name=$name_save - - case $host in - *-*-rhapsody* | *-*-darwin1.[012]) - # On Rhapsody replace the C library is the System framework - newdeplibs=`$echo "X $newdeplibs" | $Xsed -e 's/ -lc / -framework System /'` - ;; - esac - - if test "$droppeddeps" = yes; then - if test "$module" = yes; then - $echo - $echo "*** Warning: libtool could not satisfy all declared inter-library" - $echo "*** dependencies of module $libname. 
Therefore, libtool will create" - $echo "*** a static module, that should work as long as the dlopening" - $echo "*** application is linked with the -dlopen flag." - if test -z "$global_symbol_pipe"; then - $echo - $echo "*** However, this would only work if libtool was able to extract symbol" - $echo "*** lists from a program, using \`nm' or equivalent, but libtool could" - $echo "*** not find such a program. So, this module is probably useless." - $echo "*** \`nm' from GNU binutils and a full rebuild may help." - fi - if test "$build_old_libs" = no; then - oldlibs="$output_objdir/$libname.$libext" - build_libtool_libs=module - build_old_libs=yes - else - build_libtool_libs=no - fi - else - $echo "*** The inter-library dependencies that have been dropped here will be" - $echo "*** automatically added whenever a program is linked with this library" - $echo "*** or is declared to -dlopen it." - - if test "$allow_undefined" = no; then - $echo - $echo "*** Since this library must not contain undefined symbols," - $echo "*** because either the platform does not support them or" - $echo "*** it was explicitly requested with -no-undefined," - $echo "*** libtool will only create a static version of it." - if test "$build_old_libs" = no; then - oldlibs="$output_objdir/$libname.$libext" - build_libtool_libs=module - build_old_libs=yes - else - build_libtool_libs=no - fi - fi - fi - fi - # Done checking deplibs! - deplibs=$newdeplibs - fi - - # All the library-specific variables (install_libdir is set above). 
- library_names= - old_library= - dlname= - - # Test again, we may have decided not to build it any more - if test "$build_libtool_libs" = yes; then - if test "$hardcode_into_libs" = yes; then - # Hardcode the library paths - hardcode_libdirs= - dep_rpath= - rpath="$finalize_rpath" - test "$mode" != relink && rpath="$compile_rpath$rpath" - for libdir in $rpath; do - if test -n "$hardcode_libdir_flag_spec"; then - if test -n "$hardcode_libdir_separator"; then - if test -z "$hardcode_libdirs"; then - hardcode_libdirs="$libdir" - else - # Just accumulate the unique libdirs. - case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in - *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*) - ;; - *) - hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir" - ;; - esac - fi - else - eval flag=\"$hardcode_libdir_flag_spec\" - dep_rpath="$dep_rpath $flag" - fi - elif test -n "$runpath_var"; then - case "$perm_rpath " in - *" $libdir "*) ;; - *) perm_rpath="$perm_rpath $libdir" ;; - esac - fi - done - # Substitute the hardcoded libdirs into the rpath. - if test -n "$hardcode_libdir_separator" && - test -n "$hardcode_libdirs"; then - libdir="$hardcode_libdirs" - if test -n "$hardcode_libdir_flag_spec_ld"; then - eval dep_rpath=\"$hardcode_libdir_flag_spec_ld\" - else - eval dep_rpath=\"$hardcode_libdir_flag_spec\" - fi - fi - if test -n "$runpath_var" && test -n "$perm_rpath"; then - # We should set the runpath_var. - rpath= - for dir in $perm_rpath; do - rpath="$rpath$dir:" - done - eval "$runpath_var='$rpath\$$runpath_var'; export $runpath_var" - fi - test -n "$dep_rpath" && deplibs="$dep_rpath $deplibs" - fi - - shlibpath="$finalize_shlibpath" - test "$mode" != relink && shlibpath="$compile_shlibpath$shlibpath" - if test -n "$shlibpath"; then - eval "$shlibpath_var='$shlibpath\$$shlibpath_var'; export $shlibpath_var" - fi - - # Get the real and link names of the library. 
- eval shared_ext=\"$shrext\" - eval library_names=\"$library_names_spec\" - set dummy $library_names - realname="$2" - shift; shift - - if test -n "$soname_spec"; then - eval soname=\"$soname_spec\" - else - soname="$realname" - fi - if test -z "$dlname"; then - dlname=$soname - fi - - lib="$output_objdir/$realname" - for link - do - linknames="$linknames $link" - done - - # Use standard objects if they are pic - test -z "$pic_flag" && libobjs=`$echo "X$libobjs" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP` - - # Prepare the list of exported symbols - if test -z "$export_symbols"; then - if test "$always_export_symbols" = yes || test -n "$export_symbols_regex"; then - $show "generating symbol list for \`$libname.la'" - export_symbols="$output_objdir/$libname.exp" - $run $rm $export_symbols - cmds=$export_symbols_cmds - save_ifs="$IFS"; IFS='~' - for cmd in $cmds; do - IFS="$save_ifs" - eval cmd=\"$cmd\" - if len=`expr "X$cmd" : ".*"` && - test "$len" -le "$max_cmd_len" || test "$max_cmd_len" -le -1; then - $show "$cmd" - $run eval "$cmd" || exit $? - skipped_export=false - else - # The command line is too long to execute in one step. - $show "using reloadable object file for export list..." 
- skipped_export=: - fi - done - IFS="$save_ifs" - if test -n "$export_symbols_regex"; then - $show "$EGREP -e \"$export_symbols_regex\" \"$export_symbols\" > \"${export_symbols}T\"" - $run eval '$EGREP -e "$export_symbols_regex" "$export_symbols" > "${export_symbols}T"' - $show "$mv \"${export_symbols}T\" \"$export_symbols\"" - $run eval '$mv "${export_symbols}T" "$export_symbols"' - fi - fi - fi - - if test -n "$export_symbols" && test -n "$include_expsyms"; then - $run eval '$echo "X$include_expsyms" | $SP2NL >> "$export_symbols"' - fi - - tmp_deplibs= - for test_deplib in $deplibs; do - case " $convenience " in - *" $test_deplib "*) ;; - *) - tmp_deplibs="$tmp_deplibs $test_deplib" - ;; - esac - done - deplibs="$tmp_deplibs" - - if test -n "$convenience"; then - if test -n "$whole_archive_flag_spec"; then - save_libobjs=$libobjs - eval libobjs=\"\$libobjs $whole_archive_flag_spec\" - else - gentop="$output_objdir/${outputname}x" - $show "${rm}r $gentop" - $run ${rm}r "$gentop" - $show "$mkdir $gentop" - $run $mkdir "$gentop" - status=$? - if test "$status" -ne 0 && test ! -d "$gentop"; then - exit $status - fi - generated="$generated $gentop" - - for xlib in $convenience; do - # Extract the objects. - case $xlib in - [\\/]* | [A-Za-z]:[\\/]*) xabs="$xlib" ;; - *) xabs=`pwd`"/$xlib" ;; - esac - xlib=`$echo "X$xlib" | $Xsed -e 's%^.*/%%'` - xdir="$gentop/$xlib" - - $show "${rm}r $xdir" - $run ${rm}r "$xdir" - $show "$mkdir $xdir" - $run $mkdir "$xdir" - status=$? - if test "$status" -ne 0 && test ! -d "$xdir"; then - exit $status - fi - # We will extract separately just the conflicting names and we will no - # longer touch any unique names. It is faster to leave these extract - # automatically by $AR in one run. - $show "(cd $xdir && $AR x $xabs)" - $run eval "(cd \$xdir && $AR x \$xabs)" || exit $? 
- if ($AR t "$xabs" | sort | sort -uc >/dev/null 2>&1); then - : - else - $echo "$modename: warning: object name conflicts; renaming object files" 1>&2 - $echo "$modename: warning: to ensure that they will not overwrite" 1>&2 - $AR t "$xabs" | sort | uniq -cd | while read -r count name - do - i=1 - while test "$i" -le "$count" - do - # Put our $i before any first dot (extension) - # Never overwrite any file - name_to="$name" - while test "X$name_to" = "X$name" || test -f "$xdir/$name_to" - do - name_to=`$echo "X$name_to" | $Xsed -e "s/\([^.]*\)/\1-$i/"` - done - $show "(cd $xdir && $AR xN $i $xabs '$name' && $mv '$name' '$name_to')" - $run eval "(cd \$xdir && $AR xN $i \$xabs '$name' && $mv '$name' '$name_to')" || exit $? - i=`expr $i + 1` - done - done - fi - - libobjs="$libobjs "`find $xdir -name \*.$objext -print -o -name \*.lo -print | $NL2SP` - done - fi - fi - - if test "$thread_safe" = yes && test -n "$thread_safe_flag_spec"; then - eval flag=\"$thread_safe_flag_spec\" - linker_flags="$linker_flags $flag" - fi - - # Make a backup of the uninstalled library when relinking - if test "$mode" = relink; then - $run eval '(cd $output_objdir && $rm ${realname}U && $mv $realname ${realname}U)' || exit $? - fi - - # Do each of the archive commands. - if test "$module" = yes && test -n "$module_cmds" ; then - if test -n "$export_symbols" && test -n "$module_expsym_cmds"; then - eval test_cmds=\"$module_expsym_cmds\" - cmds=$module_expsym_cmds - else - eval test_cmds=\"$module_cmds\" - cmds=$module_cmds - fi - else - if test -n "$export_symbols" && test -n "$archive_expsym_cmds"; then - eval test_cmds=\"$archive_expsym_cmds\" - cmds=$archive_expsym_cmds - else - eval test_cmds=\"$archive_cmds\" - cmds=$archive_cmds - fi - fi - - if test "X$skipped_export" != "X:" && len=`expr "X$test_cmds" : ".*"` && - test "$len" -le "$max_cmd_len" || test "$max_cmd_len" -le -1; then - : - else - # The command line is too long to link in one step, link piecewise. 
- $echo "creating reloadable object files..." - - # Save the value of $output and $libobjs because we want to - # use them later. If we have whole_archive_flag_spec, we - # want to use save_libobjs as it was before - # whole_archive_flag_spec was expanded, because we can't - # assume the linker understands whole_archive_flag_spec. - # This may have to be revisited, in case too many - # convenience libraries get linked in and end up exceeding - # the spec. - if test -z "$convenience" || test -z "$whole_archive_flag_spec"; then - save_libobjs=$libobjs - fi - save_output=$output - - # Clear the reloadable object creation command queue and - # initialize k to one. - test_cmds= - concat_cmds= - objlist= - delfiles= - last_robj= - k=1 - output=$output_objdir/$save_output-${k}.$objext - # Loop over the list of objects to be linked. - for obj in $save_libobjs - do - eval test_cmds=\"$reload_cmds $objlist $last_robj\" - if test "X$objlist" = X || - { len=`expr "X$test_cmds" : ".*"` && - test "$len" -le "$max_cmd_len"; }; then - objlist="$objlist $obj" - else - # The command $test_cmds is almost too long, add a - # command to the queue. - if test "$k" -eq 1 ; then - # The first file doesn't have a previous command to add. - eval concat_cmds=\"$reload_cmds $objlist $last_robj\" - else - # All subsequent reloadable object files will link in - # the last one created. - eval concat_cmds=\"\$concat_cmds~$reload_cmds $objlist $last_robj\" - fi - last_robj=$output_objdir/$save_output-${k}.$objext - k=`expr $k + 1` - output=$output_objdir/$save_output-${k}.$objext - objlist=$obj - len=1 - fi - done - # Handle the remaining objects by creating one last - # reloadable object file. All subsequent reloadable object - # files will link in the last one created. 
- test -z "$concat_cmds" || concat_cmds=$concat_cmds~ - eval concat_cmds=\"\${concat_cmds}$reload_cmds $objlist $last_robj\" - - if ${skipped_export-false}; then - $show "generating symbol list for \`$libname.la'" - export_symbols="$output_objdir/$libname.exp" - $run $rm $export_symbols - libobjs=$output - # Append the command to create the export file. - eval concat_cmds=\"\$concat_cmds~$export_symbols_cmds\" - fi - - # Set up a command to remove the reloadale object files - # after they are used. - i=0 - while test "$i" -lt "$k" - do - i=`expr $i + 1` - delfiles="$delfiles $output_objdir/$save_output-${i}.$objext" - done - - $echo "creating a temporary reloadable object file: $output" - - # Loop through the commands generated above and execute them. - save_ifs="$IFS"; IFS='~' - for cmd in $concat_cmds; do - IFS="$save_ifs" - eval cmd=\"$cmd\" - $show "$cmd" - $run eval "$cmd" || exit $? - done - IFS="$save_ifs" - - libobjs=$output - # Restore the value of output. - output=$save_output - - if test -n "$convenience" && test -n "$whole_archive_flag_spec"; then - eval libobjs=\"\$libobjs $whole_archive_flag_spec\" - fi - # Expand the library linking commands again to reset the - # value of $libobjs for piecewise linking. - - # Do each of the archive commands. - if test "$module" = yes && test -n "$module_cmds" ; then - if test -n "$export_symbols" && test -n "$module_expsym_cmds"; then - cmds=$module_expsym_cmds - else - cmds=$module_cmds - fi - else - if test -n "$export_symbols" && test -n "$archive_expsym_cmds"; then - cmds=$archive_expsym_cmds - else - cmds=$archive_cmds - fi - fi - - # Append the command to remove the reloadable object files - # to the just-reset $cmds. - eval cmds=\"\$cmds~\$rm $delfiles\" - fi - save_ifs="$IFS"; IFS='~' - for cmd in $cmds; do - IFS="$save_ifs" - eval cmd=\"$cmd\" - $show "$cmd" - $run eval "$cmd" || exit $? 
- done - IFS="$save_ifs" - - # Restore the uninstalled library and exit - if test "$mode" = relink; then - $run eval '(cd $output_objdir && $rm ${realname}T && $mv $realname ${realname}T && $mv "$realname"U $realname)' || exit $? - exit 0 - fi - - # Create links to the real library. - for linkname in $linknames; do - if test "$realname" != "$linkname"; then - $show "(cd $output_objdir && $rm $linkname && $LN_S $realname $linkname)" - $run eval '(cd $output_objdir && $rm $linkname && $LN_S $realname $linkname)' || exit $? - fi - done - - # If -module or -export-dynamic was specified, set the dlname. - if test "$module" = yes || test "$export_dynamic" = yes; then - # On all known operating systems, these are identical. - dlname="$soname" - fi - fi - ;; - - obj) - if test -n "$deplibs"; then - $echo "$modename: warning: \`-l' and \`-L' are ignored for objects" 1>&2 - fi - - if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then - $echo "$modename: warning: \`-dlopen' is ignored for objects" 1>&2 - fi - - if test -n "$rpath"; then - $echo "$modename: warning: \`-rpath' is ignored for objects" 1>&2 - fi - - if test -n "$xrpath"; then - $echo "$modename: warning: \`-R' is ignored for objects" 1>&2 - fi - - if test -n "$vinfo"; then - $echo "$modename: warning: \`-version-info' is ignored for objects" 1>&2 - fi - - if test -n "$release"; then - $echo "$modename: warning: \`-release' is ignored for objects" 1>&2 - fi - - case $output in - *.lo) - if test -n "$objs$old_deplibs"; then - $echo "$modename: cannot build library object \`$output' from non-libtool objects" 1>&2 - exit 1 - fi - libobj="$output" - obj=`$echo "X$output" | $Xsed -e "$lo2o"` - ;; - *) - libobj= - obj="$output" - ;; - esac - - # Delete the old objects. - $run $rm $obj $libobj - - # Objects from convenience libraries. This assumes - # single-version convenience libraries. Whenever we create - # different ones for PIC/non-PIC, this we'll have to duplicate - # the extraction. 
- reload_conv_objs= - gentop= - # reload_cmds runs $LD directly, so let us get rid of - # -Wl from whole_archive_flag_spec - wl= - - if test -n "$convenience"; then - if test -n "$whole_archive_flag_spec"; then - eval reload_conv_objs=\"\$reload_objs $whole_archive_flag_spec\" - else - gentop="$output_objdir/${obj}x" - $show "${rm}r $gentop" - $run ${rm}r "$gentop" - $show "$mkdir $gentop" - $run $mkdir "$gentop" - status=$? - if test "$status" -ne 0 && test ! -d "$gentop"; then - exit $status - fi - generated="$generated $gentop" - - for xlib in $convenience; do - # Extract the objects. - case $xlib in - [\\/]* | [A-Za-z]:[\\/]*) xabs="$xlib" ;; - *) xabs=`pwd`"/$xlib" ;; - esac - xlib=`$echo "X$xlib" | $Xsed -e 's%^.*/%%'` - xdir="$gentop/$xlib" - - $show "${rm}r $xdir" - $run ${rm}r "$xdir" - $show "$mkdir $xdir" - $run $mkdir "$xdir" - status=$? - if test "$status" -ne 0 && test ! -d "$xdir"; then - exit $status - fi - # We will extract separately just the conflicting names and we will no - # longer touch any unique names. It is faster to leave these extract - # automatically by $AR in one run. - $show "(cd $xdir && $AR x $xabs)" - $run eval "(cd \$xdir && $AR x \$xabs)" || exit $? - if ($AR t "$xabs" | sort | sort -uc >/dev/null 2>&1); then - : - else - $echo "$modename: warning: object name conflicts; renaming object files" 1>&2 - $echo "$modename: warning: to ensure that they will not overwrite" 1>&2 - $AR t "$xabs" | sort | uniq -cd | while read -r count name - do - i=1 - while test "$i" -le "$count" - do - # Put our $i before any first dot (extension) - # Never overwrite any file - name_to="$name" - while test "X$name_to" = "X$name" || test -f "$xdir/$name_to" - do - name_to=`$echo "X$name_to" | $Xsed -e "s/\([^.]*\)/\1-$i/"` - done - $show "(cd $xdir && $AR xN $i $xabs '$name' && $mv '$name' '$name_to')" - $run eval "(cd \$xdir && $AR xN $i \$xabs '$name' && $mv '$name' '$name_to')" || exit $? 
- i=`expr $i + 1` - done - done - fi - - reload_conv_objs="$reload_objs "`find $xdir -name \*.$objext -print -o -name \*.lo -print | $NL2SP` - done - fi - fi - - # Create the old-style object. - reload_objs="$objs$old_deplibs "`$echo "X$libobjs" | $SP2NL | $Xsed -e '/\.'${libext}$'/d' -e '/\.lib$/d' -e "$lo2o" | $NL2SP`" $reload_conv_objs" ### testsuite: skip nested quoting test - - output="$obj" - cmds=$reload_cmds - save_ifs="$IFS"; IFS='~' - for cmd in $cmds; do - IFS="$save_ifs" - eval cmd=\"$cmd\" - $show "$cmd" - $run eval "$cmd" || exit $? - done - IFS="$save_ifs" - - # Exit if we aren't doing a library object file. - if test -z "$libobj"; then - if test -n "$gentop"; then - $show "${rm}r $gentop" - $run ${rm}r $gentop - fi - - exit 0 - fi - - if test "$build_libtool_libs" != yes; then - if test -n "$gentop"; then - $show "${rm}r $gentop" - $run ${rm}r $gentop - fi - - # Create an invalid libtool object if no PIC, so that we don't - # accidentally link it into a program. - # $show "echo timestamp > $libobj" - # $run eval "echo timestamp > $libobj" || exit $? - exit 0 - fi - - if test -n "$pic_flag" || test "$pic_mode" != default; then - # Only do commands if we really have different PIC objects. - reload_objs="$libobjs $reload_conv_objs" - output="$libobj" - cmds=$reload_cmds - save_ifs="$IFS"; IFS='~' - for cmd in $cmds; do - IFS="$save_ifs" - eval cmd=\"$cmd\" - $show "$cmd" - $run eval "$cmd" || exit $? 
- done - IFS="$save_ifs" - fi - - if test -n "$gentop"; then - $show "${rm}r $gentop" - $run ${rm}r $gentop - fi - - exit 0 - ;; - - prog) - case $host in - *cygwin*) output=`$echo $output | ${SED} -e 's,.exe$,,;s,$,.exe,'` ;; - esac - if test -n "$vinfo"; then - $echo "$modename: warning: \`-version-info' is ignored for programs" 1>&2 - fi - - if test -n "$release"; then - $echo "$modename: warning: \`-release' is ignored for programs" 1>&2 - fi - - if test "$preload" = yes; then - if test "$dlopen_support" = unknown && test "$dlopen_self" = unknown && - test "$dlopen_self_static" = unknown; then - $echo "$modename: warning: \`AC_LIBTOOL_DLOPEN' not used. Assuming no dlopen support." - fi - fi - - case $host in - *-*-rhapsody* | *-*-darwin1.[012]) - # On Rhapsody replace the C library is the System framework - compile_deplibs=`$echo "X $compile_deplibs" | $Xsed -e 's/ -lc / -framework System /'` - finalize_deplibs=`$echo "X $finalize_deplibs" | $Xsed -e 's/ -lc / -framework System /'` - ;; - esac - - case $host in - *darwin*) - # Don't allow lazy linking, it breaks C++ global constructors - if test "$tagname" = CXX ; then - compile_command="$compile_command ${wl}-bind_at_load" - finalize_command="$finalize_command ${wl}-bind_at_load" - fi - ;; - esac - - compile_command="$compile_command $compile_deplibs" - finalize_command="$finalize_command $finalize_deplibs" - - if test -n "$rpath$xrpath"; then - # If the user specified any rpath flags, then add them. - for libdir in $rpath $xrpath; do - # This is the magic to use -rpath. - case "$finalize_rpath " in - *" $libdir "*) ;; - *) finalize_rpath="$finalize_rpath $libdir" ;; - esac - done - fi - - # Now hardcode the library paths - rpath= - hardcode_libdirs= - for libdir in $compile_rpath $finalize_rpath; do - if test -n "$hardcode_libdir_flag_spec"; then - if test -n "$hardcode_libdir_separator"; then - if test -z "$hardcode_libdirs"; then - hardcode_libdirs="$libdir" - else - # Just accumulate the unique libdirs. 
- case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in - *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*) - ;; - *) - hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir" - ;; - esac - fi - else - eval flag=\"$hardcode_libdir_flag_spec\" - rpath="$rpath $flag" - fi - elif test -n "$runpath_var"; then - case "$perm_rpath " in - *" $libdir "*) ;; - *) perm_rpath="$perm_rpath $libdir" ;; - esac - fi - case $host in - *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*) - case :$dllsearchpath: in - *":$libdir:"*) ;; - *) dllsearchpath="$dllsearchpath:$libdir";; - esac - ;; - esac - done - # Substitute the hardcoded libdirs into the rpath. - if test -n "$hardcode_libdir_separator" && - test -n "$hardcode_libdirs"; then - libdir="$hardcode_libdirs" - eval rpath=\" $hardcode_libdir_flag_spec\" - fi - compile_rpath="$rpath" - - rpath= - hardcode_libdirs= - for libdir in $finalize_rpath; do - if test -n "$hardcode_libdir_flag_spec"; then - if test -n "$hardcode_libdir_separator"; then - if test -z "$hardcode_libdirs"; then - hardcode_libdirs="$libdir" - else - # Just accumulate the unique libdirs. - case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in - *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*) - ;; - *) - hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir" - ;; - esac - fi - else - eval flag=\"$hardcode_libdir_flag_spec\" - rpath="$rpath $flag" - fi - elif test -n "$runpath_var"; then - case "$finalize_perm_rpath " in - *" $libdir "*) ;; - *) finalize_perm_rpath="$finalize_perm_rpath $libdir" ;; - esac - fi - done - # Substitute the hardcoded libdirs into the rpath. 
- if test -n "$hardcode_libdir_separator" && - test -n "$hardcode_libdirs"; then - libdir="$hardcode_libdirs" - eval rpath=\" $hardcode_libdir_flag_spec\" - fi - finalize_rpath="$rpath" - - if test -n "$libobjs" && test "$build_old_libs" = yes; then - # Transform all the library objects into standard objects. - compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP` - finalize_command=`$echo "X$finalize_command" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP` - fi - - dlsyms= - if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then - if test -n "$NM" && test -n "$global_symbol_pipe"; then - dlsyms="${outputname}S.c" - else - $echo "$modename: not configured to extract global symbols from dlpreopened files" 1>&2 - fi - fi - - if test -n "$dlsyms"; then - case $dlsyms in - "") ;; - *.c) - # Discover the nlist of each of the dlfiles. - nlist="$output_objdir/${outputname}.nm" - - $show "$rm $nlist ${nlist}S ${nlist}T" - $run $rm "$nlist" "${nlist}S" "${nlist}T" - - # Parse the name list into a source file. - $show "creating $output_objdir/$dlsyms" - - test -z "$run" && $echo > "$output_objdir/$dlsyms" "\ -/* $dlsyms - symbol resolution table for \`$outputname' dlsym emulation. */ -/* Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP */ - -#ifdef __cplusplus -extern \"C\" { -#endif - -/* Prevent the only kind of declaration conflicts we can make. */ -#define lt_preloaded_symbols some_other_symbol - -/* External symbol declarations for the compiler. */\ -" - - if test "$dlself" = yes; then - $show "generating symbol list for \`$output'" - - test -z "$run" && $echo ': @PROGRAM@ ' > "$nlist" - - # Add our own program objects to the symbol list. 
- progfiles=`$echo "X$objs$old_deplibs" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP` - for arg in $progfiles; do - $show "extracting global C symbols from \`$arg'" - $run eval "$NM $arg | $global_symbol_pipe >> '$nlist'" - done - - if test -n "$exclude_expsyms"; then - $run eval '$EGREP -v " ($exclude_expsyms)$" "$nlist" > "$nlist"T' - $run eval '$mv "$nlist"T "$nlist"' - fi - - if test -n "$export_symbols_regex"; then - $run eval '$EGREP -e "$export_symbols_regex" "$nlist" > "$nlist"T' - $run eval '$mv "$nlist"T "$nlist"' - fi - - # Prepare the list of exported symbols - if test -z "$export_symbols"; then - export_symbols="$output_objdir/$output.exp" - $run $rm $export_symbols - $run eval "${SED} -n -e '/^: @PROGRAM@$/d' -e 's/^.* \(.*\)$/\1/p' "'< "$nlist" > "$export_symbols"' - else - $run eval "${SED} -e 's/\([][.*^$]\)/\\\1/g' -e 's/^/ /' -e 's/$/$/'"' < "$export_symbols" > "$output_objdir/$output.exp"' - $run eval 'grep -f "$output_objdir/$output.exp" < "$nlist" > "$nlist"T' - $run eval 'mv "$nlist"T "$nlist"' - fi - fi - - for arg in $dlprefiles; do - $show "extracting global C symbols from \`$arg'" - name=`$echo "$arg" | ${SED} -e 's%^.*/%%'` - $run eval '$echo ": $name " >> "$nlist"' - $run eval "$NM $arg | $global_symbol_pipe >> '$nlist'" - done - - if test -z "$run"; then - # Make sure we have at least an empty file. - test -f "$nlist" || : > "$nlist" - - if test -n "$exclude_expsyms"; then - $EGREP -v " ($exclude_expsyms)$" "$nlist" > "$nlist"T - $mv "$nlist"T "$nlist" - fi - - # Try sorting and uniquifying the output. 
- if grep -v "^: " < "$nlist" | - if sort -k 3 /dev/null 2>&1; then - sort -k 3 - else - sort +2 - fi | - uniq > "$nlist"S; then - : - else - grep -v "^: " < "$nlist" > "$nlist"S - fi - - if test -f "$nlist"S; then - eval "$global_symbol_to_cdecl"' < "$nlist"S >> "$output_objdir/$dlsyms"' - else - $echo '/* NONE */' >> "$output_objdir/$dlsyms" - fi - - $echo >> "$output_objdir/$dlsyms" "\ - -#undef lt_preloaded_symbols - -#if defined (__STDC__) && __STDC__ -# define lt_ptr void * -#else -# define lt_ptr char * -# define const -#endif - -/* The mapping between symbol names and symbols. */ -const struct { - const char *name; - lt_ptr address; -} -lt_preloaded_symbols[] = -{\ -" - - eval "$global_symbol_to_c_name_address" < "$nlist" >> "$output_objdir/$dlsyms" - - $echo >> "$output_objdir/$dlsyms" "\ - {0, (lt_ptr) 0} -}; - -/* This works around a problem in FreeBSD linker */ -#ifdef FREEBSD_WORKAROUND -static const void *lt_preloaded_setup() { - return lt_preloaded_symbols; -} -#endif - -#ifdef __cplusplus -} -#endif\ -" - fi - - pic_flag_for_symtable= - case $host in - # compiling the symbol table file with pic_flag works around - # a FreeBSD bug that causes programs to crash when -lm is - # linked before any other PIC object. But we must not use - # pic_flag when linking with -static. The problem exists in - # FreeBSD 2.2.6 and is fixed in FreeBSD 3.1. - *-*-freebsd2*|*-*-freebsd3.0*|*-*-freebsdelf3.0*) - case "$compile_command " in - *" -static "*) ;; - *) pic_flag_for_symtable=" $pic_flag -DFREEBSD_WORKAROUND";; - esac;; - *-*-hpux*) - case "$compile_command " in - *" -static "*) ;; - *) pic_flag_for_symtable=" $pic_flag";; - esac - esac - - # Now compile the dynamic symbol file. - $show "(cd $output_objdir && $LTCC -c$no_builtin_flag$pic_flag_for_symtable \"$dlsyms\")" - $run eval '(cd $output_objdir && $LTCC -c$no_builtin_flag$pic_flag_for_symtable "$dlsyms")' || exit $? - - # Clean up the generated files. 
- $show "$rm $output_objdir/$dlsyms $nlist ${nlist}S ${nlist}T" - $run $rm "$output_objdir/$dlsyms" "$nlist" "${nlist}S" "${nlist}T" - - # Transform the symbol file into the correct name. - compile_command=`$echo "X$compile_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%"` - finalize_command=`$echo "X$finalize_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%"` - ;; - *) - $echo "$modename: unknown suffix for \`$dlsyms'" 1>&2 - exit 1 - ;; - esac - else - # We keep going just in case the user didn't refer to - # lt_preloaded_symbols. The linker will fail if global_symbol_pipe - # really was required. - - # Nullify the symbol file. - compile_command=`$echo "X$compile_command" | $Xsed -e "s% @SYMFILE@%%"` - finalize_command=`$echo "X$finalize_command" | $Xsed -e "s% @SYMFILE@%%"` - fi - - if test "$need_relink" = no || test "$build_libtool_libs" != yes; then - # Replace the output file specification. - compile_command=`$echo "X$compile_command" | $Xsed -e 's%@OUTPUT@%'"$output"'%g'` - link_command="$compile_command$compile_rpath" - - # We have no uninstalled library dependencies, so finalize right now. - $show "$link_command" - $run eval "$link_command" - status=$? - - # Delete the generated files. - if test -n "$dlsyms"; then - $show "$rm $output_objdir/${outputname}S.${objext}" - $run $rm "$output_objdir/${outputname}S.${objext}" - fi - - exit $status - fi - - if test -n "$shlibpath_var"; then - # We should set the shlibpath_var - rpath= - for dir in $temp_rpath; do - case $dir in - [\\/]* | [A-Za-z]:[\\/]*) - # Absolute path. - rpath="$rpath$dir:" - ;; - *) - # Relative path: add a thisdir entry. 
- rpath="$rpath\$thisdir/$dir:" - ;; - esac - done - temp_rpath="$rpath" - fi - - if test -n "$compile_shlibpath$finalize_shlibpath"; then - compile_command="$shlibpath_var=\"$compile_shlibpath$finalize_shlibpath\$$shlibpath_var\" $compile_command" - fi - if test -n "$finalize_shlibpath"; then - finalize_command="$shlibpath_var=\"$finalize_shlibpath\$$shlibpath_var\" $finalize_command" - fi - - compile_var= - finalize_var= - if test -n "$runpath_var"; then - if test -n "$perm_rpath"; then - # We should set the runpath_var. - rpath= - for dir in $perm_rpath; do - rpath="$rpath$dir:" - done - compile_var="$runpath_var=\"$rpath\$$runpath_var\" " - fi - if test -n "$finalize_perm_rpath"; then - # We should set the runpath_var. - rpath= - for dir in $finalize_perm_rpath; do - rpath="$rpath$dir:" - done - finalize_var="$runpath_var=\"$rpath\$$runpath_var\" " - fi - fi - - if test "$no_install" = yes; then - # We don't need to create a wrapper script. - link_command="$compile_var$compile_command$compile_rpath" - # Replace the output file specification. - link_command=`$echo "X$link_command" | $Xsed -e 's%@OUTPUT@%'"$output"'%g'` - # Delete the old output file. - $run $rm $output - # Link the executable and exit - $show "$link_command" - $run eval "$link_command" || exit $? 
- exit 0 - fi - - if test "$hardcode_action" = relink; then - # Fast installation is not supported - link_command="$compile_var$compile_command$compile_rpath" - relink_command="$finalize_var$finalize_command$finalize_rpath" - - $echo "$modename: warning: this platform does not like uninstalled shared libraries" 1>&2 - $echo "$modename: \`$output' will be relinked during installation" 1>&2 - else - if test "$fast_install" != no; then - link_command="$finalize_var$compile_command$finalize_rpath" - if test "$fast_install" = yes; then - relink_command=`$echo "X$compile_var$compile_command$compile_rpath" | $Xsed -e 's%@OUTPUT@%\$progdir/\$file%g'` - else - # fast_install is set to needless - relink_command= - fi - else - link_command="$compile_var$compile_command$compile_rpath" - relink_command="$finalize_var$finalize_command$finalize_rpath" - fi - fi - - # Replace the output file specification. - link_command=`$echo "X$link_command" | $Xsed -e 's%@OUTPUT@%'"$output_objdir/$outputname"'%g'` - - # Delete the old output files. - $run $rm $output $output_objdir/$outputname $output_objdir/lt-$outputname - - $show "$link_command" - $run eval "$link_command" || exit $? - - # Now create the wrapper script. - $show "creating $output" - - # Quote the relink command for shipping. - if test -n "$relink_command"; then - # Preserve any variables that may affect compiler behavior - for var in $variables_saved_for_relink; do - if eval test -z \"\${$var+set}\"; then - relink_command="{ test -z \"\${$var+set}\" || unset $var || { $var=; export $var; }; }; $relink_command" - elif eval var_value=\$$var; test -z "$var_value"; then - relink_command="$var=; export $var; $relink_command" - else - var_value=`$echo "X$var_value" | $Xsed -e "$sed_quote_subst"` - relink_command="$var=\"$var_value\"; export $var; $relink_command" - fi - done - relink_command="(cd `pwd`; $relink_command)" - relink_command=`$echo "X$relink_command" | $Xsed -e "$sed_quote_subst"` - fi - - # Quote $echo for shipping. 
- if test "X$echo" = "X$SHELL $0 --fallback-echo"; then - case $0 in - [\\/]* | [A-Za-z]:[\\/]*) qecho="$SHELL $0 --fallback-echo";; - *) qecho="$SHELL `pwd`/$0 --fallback-echo";; - esac - qecho=`$echo "X$qecho" | $Xsed -e "$sed_quote_subst"` - else - qecho=`$echo "X$echo" | $Xsed -e "$sed_quote_subst"` - fi - - # Only actually do things if our run command is non-null. - if test -z "$run"; then - # win32 will think the script is a binary if it has - # a .exe suffix, so we strip it off here. - case $output in - *.exe) output=`$echo $output|${SED} 's,.exe$,,'` ;; - esac - # test for cygwin because mv fails w/o .exe extensions - case $host in - *cygwin*) - exeext=.exe - outputname=`$echo $outputname|${SED} 's,.exe$,,'` ;; - *) exeext= ;; - esac - case $host in - *cygwin* | *mingw* ) - cwrappersource=`$echo ${objdir}/lt-${output}.c` - cwrapper=`$echo ${output}.exe` - $rm $cwrappersource $cwrapper - trap "$rm $cwrappersource $cwrapper; exit 1" 1 2 15 - - cat > $cwrappersource <> $cwrappersource<<"EOF" -#include -#include -#include -#include -#include -#include - -#if defined(PATH_MAX) -# define LT_PATHMAX PATH_MAX -#elif defined(MAXPATHLEN) -# define LT_PATHMAX MAXPATHLEN -#else -# define LT_PATHMAX 1024 -#endif - -#ifndef DIR_SEPARATOR -#define DIR_SEPARATOR '/' -#endif - -#if defined (_WIN32) || defined (__MSDOS__) || defined (__DJGPP__) || \ - defined (__OS2__) -#define HAVE_DOS_BASED_FILE_SYSTEM -#ifndef DIR_SEPARATOR_2 -#define DIR_SEPARATOR_2 '\\' -#endif -#endif - -#ifndef DIR_SEPARATOR_2 -# define IS_DIR_SEPARATOR(ch) ((ch) == DIR_SEPARATOR) -#else /* DIR_SEPARATOR_2 */ -# define IS_DIR_SEPARATOR(ch) \ - (((ch) == DIR_SEPARATOR) || ((ch) == DIR_SEPARATOR_2)) -#endif /* DIR_SEPARATOR_2 */ - -#define XMALLOC(type, num) ((type *) xmalloc ((num) * sizeof(type))) -#define XFREE(stale) do { \ - if (stale) { free ((void *) stale); stale = 0; } \ -} while (0) - -const char *program_name = NULL; - -void * xmalloc (size_t num); -char * xstrdup (const char *string); -char 
* basename (const char *name); -char * fnqualify(const char *path); -char * strendzap(char *str, const char *pat); -void lt_fatal (const char *message, ...); - -int -main (int argc, char *argv[]) -{ - char **newargz; - int i; - - program_name = (char *) xstrdup ((char *) basename (argv[0])); - newargz = XMALLOC(char *, argc+2); -EOF - - cat >> $cwrappersource <> $cwrappersource <<"EOF" - newargz[1] = fnqualify(argv[0]); - /* we know the script has the same name, without the .exe */ - /* so make sure newargz[1] doesn't end in .exe */ - strendzap(newargz[1],".exe"); - for (i = 1; i < argc; i++) - newargz[i+1] = xstrdup(argv[i]); - newargz[argc+1] = NULL; -EOF - - cat >> $cwrappersource <> $cwrappersource <<"EOF" -} - -void * -xmalloc (size_t num) -{ - void * p = (void *) malloc (num); - if (!p) - lt_fatal ("Memory exhausted"); - - return p; -} - -char * -xstrdup (const char *string) -{ - return string ? strcpy ((char *) xmalloc (strlen (string) + 1), string) : NULL -; -} - -char * -basename (const char *name) -{ - const char *base; - -#if defined (HAVE_DOS_BASED_FILE_SYSTEM) - /* Skip over the disk name in MSDOS pathnames. */ - if (isalpha (name[0]) && name[1] == ':') - name += 2; -#endif - - for (base = name; *name; name++) - if (IS_DIR_SEPARATOR (*name)) - base = name + 1; - return (char *) base; -} - -char * -fnqualify(const char *path) -{ - size_t size; - char *p; - char tmp[LT_PATHMAX + 1]; - - assert(path != NULL); - - /* Is it qualified already? 
*/ -#if defined (HAVE_DOS_BASED_FILE_SYSTEM) - if (isalpha (path[0]) && path[1] == ':') - return xstrdup (path); -#endif - if (IS_DIR_SEPARATOR (path[0])) - return xstrdup (path); - - /* prepend the current directory */ - /* doesn't handle '~' */ - if (getcwd (tmp, LT_PATHMAX) == NULL) - lt_fatal ("getcwd failed"); - size = strlen(tmp) + 1 + strlen(path) + 1; /* +2 for '/' and '\0' */ - p = XMALLOC(char, size); - sprintf(p, "%s%c%s", tmp, DIR_SEPARATOR, path); - return p; -} - -char * -strendzap(char *str, const char *pat) -{ - size_t len, patlen; - - assert(str != NULL); - assert(pat != NULL); - - len = strlen(str); - patlen = strlen(pat); - - if (patlen <= len) - { - str += len - patlen; - if (strcmp(str, pat) == 0) - *str = '\0'; - } - return str; -} - -static void -lt_error_core (int exit_status, const char * mode, - const char * message, va_list ap) -{ - fprintf (stderr, "%s: %s: ", program_name, mode); - vfprintf (stderr, message, ap); - fprintf (stderr, ".\n"); - - if (exit_status >= 0) - exit (exit_status); -} - -void -lt_fatal (const char *message, ...) -{ - va_list ap; - va_start (ap, message); - lt_error_core (EXIT_FAILURE, "FATAL", message, ap); - va_end (ap); -} -EOF - # we should really use a build-platform specific compiler - # here, but OTOH, the wrappers (shell script and this C one) - # are only useful if you want to execute the "real" binary. - # Since the "real" binary is built for $host, then this - # wrapper might as well be built for $host, too. - $run $LTCC -s -o $cwrapper $cwrappersource - ;; - esac - $rm $output - trap "$rm $output; exit 1" 1 2 15 - - $echo > $output "\ -#! $SHELL - -# $output - temporary wrapper script for $objdir/$outputname -# Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP -# -# The $output program cannot be directly executed until all the libtool -# libraries that it depends on are installed. -# -# This wrapper script should never be moved out of the build directory. -# If it is, it will not operate correctly. 
- -# Sed substitution that helps us do robust quoting. It backslashifies -# metacharacters that are still active within double-quoted strings. -Xsed='${SED} -e 1s/^X//' -sed_quote_subst='$sed_quote_subst' - -# The HP-UX ksh and POSIX shell print the target directory to stdout -# if CDPATH is set. -if test \"\${CDPATH+set}\" = set; then CDPATH=:; export CDPATH; fi - -relink_command=\"$relink_command\" - -# This environment variable determines our operation mode. -if test \"\$libtool_install_magic\" = \"$magic\"; then - # install mode needs the following variable: - notinst_deplibs='$notinst_deplibs' -else - # When we are sourced in execute mode, \$file and \$echo are already set. - if test \"\$libtool_execute_magic\" != \"$magic\"; then - echo=\"$qecho\" - file=\"\$0\" - # Make sure echo works. - if test \"X\$1\" = X--no-reexec; then - # Discard the --no-reexec flag, and continue. - shift - elif test \"X\`(\$echo '\t') 2>/dev/null\`\" = 'X\t'; then - # Yippee, \$echo works! - : - else - # Restart under the correct shell, and then maybe \$echo will work. - exec $SHELL \"\$0\" --no-reexec \${1+\"\$@\"} - fi - fi\ -" - $echo >> $output "\ - - # Find the directory that this script lives in. - thisdir=\`\$echo \"X\$file\" | \$Xsed -e 's%/[^/]*$%%'\` - test \"x\$thisdir\" = \"x\$file\" && thisdir=. - - # Follow symbolic links until we get to the real thisdir. - file=\`ls -ld \"\$file\" | ${SED} -n 's/.*-> //p'\` - while test -n \"\$file\"; do - destdir=\`\$echo \"X\$file\" | \$Xsed -e 's%/[^/]*\$%%'\` - - # If there was a directory component, then change thisdir. - if test \"x\$destdir\" != \"x\$file\"; then - case \"\$destdir\" in - [\\\\/]* | [A-Za-z]:[\\\\/]*) thisdir=\"\$destdir\" ;; - *) thisdir=\"\$thisdir/\$destdir\" ;; - esac - fi - - file=\`\$echo \"X\$file\" | \$Xsed -e 's%^.*/%%'\` - file=\`ls -ld \"\$thisdir/\$file\" | ${SED} -n 's/.*-> //p'\` - done - - # Try to get the absolute directory name. 
- absdir=\`cd \"\$thisdir\" && pwd\` - test -n \"\$absdir\" && thisdir=\"\$absdir\" -" - - if test "$fast_install" = yes; then - $echo >> $output "\ - program=lt-'$outputname'$exeext - progdir=\"\$thisdir/$objdir\" - - if test ! -f \"\$progdir/\$program\" || \\ - { file=\`ls -1dt \"\$progdir/\$program\" \"\$progdir/../\$program\" 2>/dev/null | ${SED} 1q\`; \\ - test \"X\$file\" != \"X\$progdir/\$program\"; }; then - - file=\"\$\$-\$program\" - - if test ! -d \"\$progdir\"; then - $mkdir \"\$progdir\" - else - $rm \"\$progdir/\$file\" - fi" - - $echo >> $output "\ - - # relink executable if necessary - if test -n \"\$relink_command\"; then - if relink_command_output=\`eval \$relink_command 2>&1\`; then : - else - $echo \"\$relink_command_output\" >&2 - $rm \"\$progdir/\$file\" - exit 1 - fi - fi - - $mv \"\$progdir/\$file\" \"\$progdir/\$program\" 2>/dev/null || - { $rm \"\$progdir/\$program\"; - $mv \"\$progdir/\$file\" \"\$progdir/\$program\"; } - $rm \"\$progdir/\$file\" - fi" - else - $echo >> $output "\ - program='$outputname' - progdir=\"\$thisdir/$objdir\" -" - fi - - $echo >> $output "\ - - if test -f \"\$progdir/\$program\"; then" - - # Export our shlibpath_var if we have one. - if test "$shlibpath_overrides_runpath" = yes && test -n "$shlibpath_var" && test -n "$temp_rpath"; then - $echo >> $output "\ - # Add our own library path to $shlibpath_var - $shlibpath_var=\"$temp_rpath\$$shlibpath_var\" - - # Some systems cannot cope with colon-terminated $shlibpath_var - # The second colon is a workaround for a bug in BeOS R4 sed - $shlibpath_var=\`\$echo \"X\$$shlibpath_var\" | \$Xsed -e 's/::*\$//'\` - - export $shlibpath_var -" - fi - - # fixup the dll searchpath if we need to. - if test -n "$dllsearchpath"; then - $echo >> $output "\ - # Add the dll search path components to the executable PATH - PATH=$dllsearchpath:\$PATH -" - fi - - $echo >> $output "\ - if test \"\$libtool_execute_magic\" != \"$magic\"; then - # Run the actual program with our arguments. 
-" - case $host in - # Backslashes separate directories on plain windows - *-*-mingw | *-*-os2*) - $echo >> $output "\ - exec \$progdir\\\\\$program \${1+\"\$@\"} -" - ;; - - *) - $echo >> $output "\ - exec \$progdir/\$program \${1+\"\$@\"} -" - ;; - esac - $echo >> $output "\ - \$echo \"\$0: cannot exec \$program \${1+\"\$@\"}\" - exit 1 - fi - else - # The program doesn't exist. - \$echo \"\$0: error: \$progdir/\$program does not exist\" 1>&2 - \$echo \"This script is just a wrapper for \$program.\" 1>&2 - $echo \"See the $PACKAGE documentation for more information.\" 1>&2 - exit 1 - fi -fi\ -" - chmod +x $output - fi - exit 0 - ;; - esac - - # See if we need to build an old-fashioned archive. - for oldlib in $oldlibs; do - - if test "$build_libtool_libs" = convenience; then - oldobjs="$libobjs_save" - addlibs="$convenience" - build_libtool_libs=no - else - if test "$build_libtool_libs" = module; then - oldobjs="$libobjs_save" - build_libtool_libs=no - else - oldobjs="$old_deplibs $non_pic_objects" - fi - addlibs="$old_convenience" - fi - - if test -n "$addlibs"; then - gentop="$output_objdir/${outputname}x" - $show "${rm}r $gentop" - $run ${rm}r "$gentop" - $show "$mkdir $gentop" - $run $mkdir "$gentop" - status=$? - if test "$status" -ne 0 && test ! -d "$gentop"; then - exit $status - fi - generated="$generated $gentop" - - # Add in members from convenience archives. - for xlib in $addlibs; do - # Extract the objects. - case $xlib in - [\\/]* | [A-Za-z]:[\\/]*) xabs="$xlib" ;; - *) xabs=`pwd`"/$xlib" ;; - esac - xlib=`$echo "X$xlib" | $Xsed -e 's%^.*/%%'` - xdir="$gentop/$xlib" - - $show "${rm}r $xdir" - $run ${rm}r "$xdir" - $show "$mkdir $xdir" - $run $mkdir "$xdir" - status=$? - if test "$status" -ne 0 && test ! -d "$xdir"; then - exit $status - fi - # We will extract separately just the conflicting names and we will no - # longer touch any unique names. It is faster to leave these extract - # automatically by $AR in one run. 
- $show "(cd $xdir && $AR x $xabs)" - $run eval "(cd \$xdir && $AR x \$xabs)" || exit $? - if ($AR t "$xabs" | sort | sort -uc >/dev/null 2>&1); then - : - else - $echo "$modename: warning: object name conflicts; renaming object files" 1>&2 - $echo "$modename: warning: to ensure that they will not overwrite" 1>&2 - $AR t "$xabs" | sort | uniq -cd | while read -r count name - do - i=1 - while test "$i" -le "$count" - do - # Put our $i before any first dot (extension) - # Never overwrite any file - name_to="$name" - while test "X$name_to" = "X$name" || test -f "$xdir/$name_to" - do - name_to=`$echo "X$name_to" | $Xsed -e "s/\([^.]*\)/\1-$i/"` - done - $show "(cd $xdir && $AR xN $i $xabs '$name' && $mv '$name' '$name_to')" - $run eval "(cd \$xdir && $AR xN $i \$xabs '$name' && $mv '$name' '$name_to')" || exit $? - i=`expr $i + 1` - done - done - fi - - oldobjs="$oldobjs "`find $xdir -name \*.${objext} -print -o -name \*.lo -print | $NL2SP` - done - fi - - # Do each command in the archive commands. - if test -n "$old_archive_from_new_cmds" && test "$build_libtool_libs" = yes; then - cmds=$old_archive_from_new_cmds - else - eval cmds=\"$old_archive_cmds\" - - if len=`expr "X$cmds" : ".*"` && - test "$len" -le "$max_cmd_len" || test "$max_cmd_len" -le -1; then - cmds=$old_archive_cmds - else - # the command line is too long to link in one step, link in parts - $echo "using piecewise archive linking..." - save_RANLIB=$RANLIB - RANLIB=: - objlist= - concat_cmds= - save_oldobjs=$oldobjs - # GNU ar 2.10+ was changed to match POSIX; thus no paths are - # encoded into archives. This makes 'ar r' malfunction in - # this piecewise linking case whenever conflicting object - # names appear in distinct ar calls; check, warn and compensate. 
- if (for obj in $save_oldobjs - do - $echo "X$obj" | $Xsed -e 's%^.*/%%' - done | sort | sort -uc >/dev/null 2>&1); then - : - else - $echo "$modename: warning: object name conflicts; overriding AR_FLAGS to 'cq'" 1>&2 - $echo "$modename: warning: to ensure that POSIX-compatible ar will work" 1>&2 - AR_FLAGS=cq - fi - # Is there a better way of finding the last object in the list? - for obj in $save_oldobjs - do - last_oldobj=$obj - done - for obj in $save_oldobjs - do - oldobjs="$objlist $obj" - objlist="$objlist $obj" - eval test_cmds=\"$old_archive_cmds\" - if len=`expr "X$test_cmds" : ".*"` && - test "$len" -le "$max_cmd_len"; then - : - else - # the above command should be used before it gets too long - oldobjs=$objlist - if test "$obj" = "$last_oldobj" ; then - RANLIB=$save_RANLIB - fi - test -z "$concat_cmds" || concat_cmds=$concat_cmds~ - eval concat_cmds=\"\${concat_cmds}$old_archive_cmds\" - objlist= - fi - done - RANLIB=$save_RANLIB - oldobjs=$objlist - if test "X$oldobjs" = "X" ; then - eval cmds=\"\$concat_cmds\" - else - eval cmds=\"\$concat_cmds~\$old_archive_cmds\" - fi - fi - fi - save_ifs="$IFS"; IFS='~' - for cmd in $cmds; do - eval cmd=\"$cmd\" - IFS="$save_ifs" - $show "$cmd" - $run eval "$cmd" || exit $? - done - IFS="$save_ifs" - done - - if test -n "$generated"; then - $show "${rm}r$generated" - $run ${rm}r$generated - fi - - # Now create the libtool archive. 
- case $output in - *.la) - old_library= - test "$build_old_libs" = yes && old_library="$libname.$libext" - $show "creating $output" - - # Preserve any variables that may affect compiler behavior - for var in $variables_saved_for_relink; do - if eval test -z \"\${$var+set}\"; then - relink_command="{ test -z \"\${$var+set}\" || unset $var || { $var=; export $var; }; }; $relink_command" - elif eval var_value=\$$var; test -z "$var_value"; then - relink_command="$var=; export $var; $relink_command" - else - var_value=`$echo "X$var_value" | $Xsed -e "$sed_quote_subst"` - relink_command="$var=\"$var_value\"; export $var; $relink_command" - fi - done - # Quote the link command for shipping. - relink_command="(cd `pwd`; $SHELL $0 $preserve_args --mode=relink $libtool_args @inst_prefix_dir@)" - relink_command=`$echo "X$relink_command" | $Xsed -e "$sed_quote_subst"` - if test "$hardcode_automatic" = yes ; then - relink_command= - fi - # Only create the output if not a dry run. - if test -z "$run"; then - for installed in no yes; do - if test "$installed" = yes; then - if test -z "$install_libdir"; then - break - fi - output="$output_objdir/$outputname"i - # Replace all uninstalled libtool libraries with the installed ones - newdependency_libs= - for deplib in $dependency_libs; do - case $deplib in - *.la) - name=`$echo "X$deplib" | $Xsed -e 's%^.*/%%'` - eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $deplib` - if test -z "$libdir"; then - $echo "$modename: \`$deplib' is not a valid libtool archive" 1>&2 - exit 1 - fi - newdependency_libs="$newdependency_libs $libdir/$name" - ;; - *) newdependency_libs="$newdependency_libs $deplib" ;; - esac - done - dependency_libs="$newdependency_libs" - newdlfiles= - for lib in $dlfiles; do - name=`$echo "X$lib" | $Xsed -e 's%^.*/%%'` - eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $lib` - if test -z "$libdir"; then - $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2 - exit 1 - fi - newdlfiles="$newdlfiles 
$libdir/$name" - done - dlfiles="$newdlfiles" - newdlprefiles= - for lib in $dlprefiles; do - name=`$echo "X$lib" | $Xsed -e 's%^.*/%%'` - eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $lib` - if test -z "$libdir"; then - $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2 - exit 1 - fi - newdlprefiles="$newdlprefiles $libdir/$name" - done - dlprefiles="$newdlprefiles" - else - newdlfiles= - for lib in $dlfiles; do - case $lib in - [\\/]* | [A-Za-z]:[\\/]*) abs="$lib" ;; - *) abs=`pwd`"/$lib" ;; - esac - newdlfiles="$newdlfiles $abs" - done - dlfiles="$newdlfiles" - newdlprefiles= - for lib in $dlprefiles; do - case $lib in - [\\/]* | [A-Za-z]:[\\/]*) abs="$lib" ;; - *) abs=`pwd`"/$lib" ;; - esac - newdlprefiles="$newdlprefiles $abs" - done - dlprefiles="$newdlprefiles" - fi - $rm $output - # place dlname in correct position for cygwin - tdlname=$dlname - case $host,$output,$installed,$module,$dlname in - *cygwin*,*lai,yes,no,*.dll | *mingw*,*lai,yes,no,*.dll) tdlname=../bin/$dlname ;; - esac - $echo > $output "\ -# $outputname - a libtool library file -# Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP -# -# Please DO NOT delete this file! -# It is necessary for linking the library. - -# The name that we can dlopen(3). -dlname='$tdlname' - -# Names of this library. -library_names='$library_names' - -# The name of the static archive. -old_library='$old_library' - -# Libraries that this one depends upon. -dependency_libs='$dependency_libs' - -# Version information for $libname. -current=$current -age=$age -revision=$revision - -# Is this an already installed library? -installed=$installed - -# Should we warn about portability when linking against -modules? 
-shouldnotlink=$module - -# Files to dlopen/dlpreopen -dlopen='$dlfiles' -dlpreopen='$dlprefiles' - -# Directory that this library needs to be installed in: -libdir='$install_libdir'" - if test "$installed" = no && test "$need_relink" = yes; then - $echo >> $output "\ -relink_command=\"$relink_command\"" - fi - done - fi - - # Do a symbolic link so that the libtool archive can be found in - # LD_LIBRARY_PATH before the program is installed. - $show "(cd $output_objdir && $rm $outputname && $LN_S ../$outputname $outputname)" - $run eval '(cd $output_objdir && $rm $outputname && $LN_S ../$outputname $outputname)' || exit $? - ;; - esac - exit 0 - ;; - - # libtool install mode - install) - modename="$modename: install" - - # There may be an optional sh(1) argument at the beginning of - # install_prog (especially on Windows NT). - if test "$nonopt" = "$SHELL" || test "$nonopt" = /bin/sh || - # Allow the use of GNU shtool's install command. - $echo "X$nonopt" | $Xsed | grep shtool > /dev/null; then - # Aesthetically quote it. - arg=`$echo "X$nonopt" | $Xsed -e "$sed_quote_subst"` - case $arg in - *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*) - arg="\"$arg\"" - ;; - esac - install_prog="$arg " - arg="$1" - shift - else - install_prog= - arg="$nonopt" - fi - - # The real first argument should be the name of the installation program. - # Aesthetically quote it. - arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"` - case $arg in - *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*) - arg="\"$arg\"" - ;; - esac - install_prog="$install_prog$arg" - - # We need to accept at least all the BSD install flags. 
- dest= - files= - opts= - prev= - install_type= - isdir=no - stripme= - for arg - do - if test -n "$dest"; then - files="$files $dest" - dest="$arg" - continue - fi - - case $arg in - -d) isdir=yes ;; - -f) prev="-f" ;; - -g) prev="-g" ;; - -m) prev="-m" ;; - -o) prev="-o" ;; - -s) - stripme=" -s" - continue - ;; - -*) ;; - - *) - # If the previous option needed an argument, then skip it. - if test -n "$prev"; then - prev= - else - dest="$arg" - continue - fi - ;; - esac - - # Aesthetically quote the argument. - arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"` - case $arg in - *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*) - arg="\"$arg\"" - ;; - esac - install_prog="$install_prog $arg" - done - - if test -z "$install_prog"; then - $echo "$modename: you must specify an install program" 1>&2 - $echo "$help" 1>&2 - exit 1 - fi - - if test -n "$prev"; then - $echo "$modename: the \`$prev' option requires an argument" 1>&2 - $echo "$help" 1>&2 - exit 1 - fi - - if test -z "$files"; then - if test -z "$dest"; then - $echo "$modename: no file or destination specified" 1>&2 - else - $echo "$modename: you must specify a destination" 1>&2 - fi - $echo "$help" 1>&2 - exit 1 - fi - - # Strip any trailing slash from the destination. - dest=`$echo "X$dest" | $Xsed -e 's%/$%%'` - - # Check to see that the destination is a directory. - test -d "$dest" && isdir=yes - if test "$isdir" = yes; then - destdir="$dest" - destname= - else - destdir=`$echo "X$dest" | $Xsed -e 's%/[^/]*$%%'` - test "X$destdir" = "X$dest" && destdir=. - destname=`$echo "X$dest" | $Xsed -e 's%^.*/%%'` - - # Not a directory, so check to see that there is only one file specified. 
- set dummy $files - if test "$#" -gt 2; then - $echo "$modename: \`$dest' is not a directory" 1>&2 - $echo "$help" 1>&2 - exit 1 - fi - fi - case $destdir in - [\\/]* | [A-Za-z]:[\\/]*) ;; - *) - for file in $files; do - case $file in - *.lo) ;; - *) - $echo "$modename: \`$destdir' must be an absolute directory name" 1>&2 - $echo "$help" 1>&2 - exit 1 - ;; - esac - done - ;; - esac - - # This variable tells wrapper scripts just to set variables rather - # than running their programs. - libtool_install_magic="$magic" - - staticlibs= - future_libdirs= - current_libdirs= - for file in $files; do - - # Do each installation. - case $file in - *.$libext) - # Do the static libraries later. - staticlibs="$staticlibs $file" - ;; - - *.la) - # Check to see that this really is a libtool archive. - if (${SED} -e '2q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then : - else - $echo "$modename: \`$file' is not a valid libtool archive" 1>&2 - $echo "$help" 1>&2 - exit 1 - fi - - library_names= - old_library= - relink_command= - # If there is no directory component, then add one. - case $file in - */* | *\\*) . $file ;; - *) . ./$file ;; - esac - - # Add the libdir to current_libdirs if it is the destination. - if test "X$destdir" = "X$libdir"; then - case "$current_libdirs " in - *" $libdir "*) ;; - *) current_libdirs="$current_libdirs $libdir" ;; - esac - else - # Note the libdir as a future libdir. - case "$future_libdirs " in - *" $libdir "*) ;; - *) future_libdirs="$future_libdirs $libdir" ;; - esac - fi - - dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`/ - test "X$dir" = "X$file/" && dir= - dir="$dir$objdir" - - if test -n "$relink_command"; then - # Determine the prefix the user has applied to our future dir. - inst_prefix_dir=`$echo "$destdir" | $SED "s%$libdir\$%%"` - - # Don't allow the user to place us outside of our expected - # location b/c this prevents finding dependent libraries that - # are installed to the same prefix. 
- # At present, this check doesn't affect windows .dll's that - # are installed into $libdir/../bin (currently, that works fine) - # but it's something to keep an eye on. - if test "$inst_prefix_dir" = "$destdir"; then - $echo "$modename: error: cannot install \`$file' to a directory not ending in $libdir" 1>&2 - exit 1 - fi - - if test -n "$inst_prefix_dir"; then - # Stick the inst_prefix_dir data into the link command. - relink_command=`$echo "$relink_command" | $SED "s%@inst_prefix_dir@%-inst-prefix-dir $inst_prefix_dir%"` - else - relink_command=`$echo "$relink_command" | $SED "s%@inst_prefix_dir@%%"` - fi - - $echo "$modename: warning: relinking \`$file'" 1>&2 - $show "$relink_command" - if $run eval "$relink_command"; then : - else - $echo "$modename: error: relink \`$file' with the above command before installing it" 1>&2 - exit 1 - fi - fi - - # See the names of the shared library. - set dummy $library_names - if test -n "$2"; then - realname="$2" - shift - shift - - srcname="$realname" - test -n "$relink_command" && srcname="$realname"T - - # Install the shared library and build the symlinks. - $show "$install_prog $dir/$srcname $destdir/$realname" - $run eval "$install_prog $dir/$srcname $destdir/$realname" || exit $? - if test -n "$stripme" && test -n "$striplib"; then - $show "$striplib $destdir/$realname" - $run eval "$striplib $destdir/$realname" || exit $? - fi - - if test "$#" -gt 0; then - # Delete the old symlinks, and create new ones. - for linkname - do - if test "$linkname" != "$realname"; then - $show "(cd $destdir && $rm $linkname && $LN_S $realname $linkname)" - $run eval "(cd $destdir && $rm $linkname && $LN_S $realname $linkname)" - fi - done - fi - - # Do each command in the postinstall commands. - lib="$destdir/$realname" - cmds=$postinstall_cmds - save_ifs="$IFS"; IFS='~' - for cmd in $cmds; do - IFS="$save_ifs" - eval cmd=\"$cmd\" - $show "$cmd" - $run eval "$cmd" || exit $? 
- done - IFS="$save_ifs" - fi - - # Install the pseudo-library for information purposes. - name=`$echo "X$file" | $Xsed -e 's%^.*/%%'` - instname="$dir/$name"i - $show "$install_prog $instname $destdir/$name" - $run eval "$install_prog $instname $destdir/$name" || exit $? - - # Maybe install the static library, too. - test -n "$old_library" && staticlibs="$staticlibs $dir/$old_library" - ;; - - *.lo) - # Install (i.e. copy) a libtool object. - - # Figure out destination file name, if it wasn't already specified. - if test -n "$destname"; then - destfile="$destdir/$destname" - else - destfile=`$echo "X$file" | $Xsed -e 's%^.*/%%'` - destfile="$destdir/$destfile" - fi - - # Deduce the name of the destination old-style object file. - case $destfile in - *.lo) - staticdest=`$echo "X$destfile" | $Xsed -e "$lo2o"` - ;; - *.$objext) - staticdest="$destfile" - destfile= - ;; - *) - $echo "$modename: cannot copy a libtool object to \`$destfile'" 1>&2 - $echo "$help" 1>&2 - exit 1 - ;; - esac - - # Install the libtool object if requested. - if test -n "$destfile"; then - $show "$install_prog $file $destfile" - $run eval "$install_prog $file $destfile" || exit $? - fi - - # Install the old object if enabled. - if test "$build_old_libs" = yes; then - # Deduce the name of the old-style object file. - staticobj=`$echo "X$file" | $Xsed -e "$lo2o"` - - $show "$install_prog $staticobj $staticdest" - $run eval "$install_prog \$staticobj \$staticdest" || exit $? - fi - exit 0 - ;; - - *) - # Figure out destination file name, if it wasn't already specified. - if test -n "$destname"; then - destfile="$destdir/$destname" - else - destfile=`$echo "X$file" | $Xsed -e 's%^.*/%%'` - destfile="$destdir/$destfile" - fi - - # If the file is missing, and there is a .exe on the end, strip it - # because it is most likely a libtool script we actually want to - # install - stripped_ext="" - case $file in - *.exe) - if test ! 
-f "$file"; then - file=`$echo $file|${SED} 's,.exe$,,'` - stripped_ext=".exe" - fi - ;; - esac - - # Do a test to see if this is really a libtool program. - case $host in - *cygwin*|*mingw*) - wrapper=`$echo $file | ${SED} -e 's,.exe$,,'` - ;; - *) - wrapper=$file - ;; - esac - if (${SED} -e '4q' $wrapper | grep "^# Generated by .*$PACKAGE")>/dev/null 2>&1; then - notinst_deplibs= - relink_command= - - # To insure that "foo" is sourced, and not "foo.exe", - # finese the cygwin/MSYS system by explicitly sourcing "foo." - # which disallows the automatic-append-.exe behavior. - case $build in - *cygwin* | *mingw*) wrapperdot=${wrapper}. ;; - *) wrapperdot=${wrapper} ;; - esac - # If there is no directory component, then add one. - case $file in - */* | *\\*) . ${wrapperdot} ;; - *) . ./${wrapperdot} ;; - esac - - # Check the variables that should have been set. - if test -z "$notinst_deplibs"; then - $echo "$modename: invalid libtool wrapper script \`$wrapper'" 1>&2 - exit 1 - fi - - finalize=yes - for lib in $notinst_deplibs; do - # Check to see that each library is installed. - libdir= - if test -f "$lib"; then - # If there is no directory component, then add one. - case $lib in - */* | *\\*) . $lib ;; - *) . ./$lib ;; - esac - fi - libfile="$libdir/"`$echo "X$lib" | $Xsed -e 's%^.*/%%g'` ### testsuite: skip nested quoting test - if test -n "$libdir" && test ! -f "$libfile"; then - $echo "$modename: warning: \`$lib' has not been installed in \`$libdir'" 1>&2 - finalize=no - fi - done - - relink_command= - # To insure that "foo" is sourced, and not "foo.exe", - # finese the cygwin/MSYS system by explicitly sourcing "foo." - # which disallows the automatic-append-.exe behavior. - case $build in - *cygwin* | *mingw*) wrapperdot=${wrapper}. ;; - *) wrapperdot=${wrapper} ;; - esac - # If there is no directory component, then add one. - case $file in - */* | *\\*) . ${wrapperdot} ;; - *) . 
./${wrapperdot} ;; - esac - - outputname= - if test "$fast_install" = no && test -n "$relink_command"; then - if test "$finalize" = yes && test -z "$run"; then - tmpdir="/tmp" - test -n "$TMPDIR" && tmpdir="$TMPDIR" - tmpdir="$tmpdir/libtool-$$" - if $mkdir "$tmpdir" && chmod 700 "$tmpdir"; then : - else - $echo "$modename: error: cannot create temporary directory \`$tmpdir'" 1>&2 - continue - fi - file=`$echo "X$file$stripped_ext" | $Xsed -e 's%^.*/%%'` - outputname="$tmpdir/$file" - # Replace the output file specification. - relink_command=`$echo "X$relink_command" | $Xsed -e 's%@OUTPUT@%'"$outputname"'%g'` - - $show "$relink_command" - if $run eval "$relink_command"; then : - else - $echo "$modename: error: relink \`$file' with the above command before installing it" 1>&2 - ${rm}r "$tmpdir" - continue - fi - file="$outputname" - else - $echo "$modename: warning: cannot relink \`$file'" 1>&2 - fi - else - # Install the binary that we compiled earlier. - file=`$echo "X$file$stripped_ext" | $Xsed -e "s%\([^/]*\)$%$objdir/\1%"` - fi - fi - - # remove .exe since cygwin /usr/bin/install will append another - # one anyways - case $install_prog,$host in - */usr/bin/install*,*cygwin*) - case $file:$destfile in - *.exe:*.exe) - # this is ok - ;; - *.exe:*) - destfile=$destfile.exe - ;; - *:*.exe) - destfile=`$echo $destfile | ${SED} -e 's,.exe$,,'` - ;; - esac - ;; - esac - $show "$install_prog$stripme $file $destfile" - $run eval "$install_prog\$stripme \$file \$destfile" || exit $? - test -n "$outputname" && ${rm}r "$tmpdir" - ;; - esac - done - - for file in $staticlibs; do - name=`$echo "X$file" | $Xsed -e 's%^.*/%%'` - - # Set up the ranlib parameters. - oldlib="$destdir/$name" - - $show "$install_prog $file $oldlib" - $run eval "$install_prog \$file \$oldlib" || exit $? - - if test -n "$stripme" && test -n "$old_striplib"; then - $show "$old_striplib $oldlib" - $run eval "$old_striplib $oldlib" || exit $? - fi - - # Do each command in the postinstall commands. 
- cmds=$old_postinstall_cmds - save_ifs="$IFS"; IFS='~' - for cmd in $cmds; do - IFS="$save_ifs" - eval cmd=\"$cmd\" - $show "$cmd" - $run eval "$cmd" || exit $? - done - IFS="$save_ifs" - done - - if test -n "$future_libdirs"; then - $echo "$modename: warning: remember to run \`$progname --finish$future_libdirs'" 1>&2 - fi - - if test -n "$current_libdirs"; then - # Maybe just do a dry run. - test -n "$run" && current_libdirs=" -n$current_libdirs" - exec_cmd='$SHELL $0 $preserve_args --finish$current_libdirs' - else - exit 0 - fi - ;; - - # libtool finish mode - finish) - modename="$modename: finish" - libdirs="$nonopt" - admincmds= - - if test -n "$finish_cmds$finish_eval" && test -n "$libdirs"; then - for dir - do - libdirs="$libdirs $dir" - done - - for libdir in $libdirs; do - if test -n "$finish_cmds"; then - # Do each command in the finish commands. - cmds=$finish_cmds - save_ifs="$IFS"; IFS='~' - for cmd in $cmds; do - IFS="$save_ifs" - eval cmd=\"$cmd\" - $show "$cmd" - $run eval "$cmd" || admincmds="$admincmds - $cmd" - done - IFS="$save_ifs" - fi - if test -n "$finish_eval"; then - # Do the single finish_eval. - eval cmds=\"$finish_eval\" - $run eval "$cmds" || admincmds="$admincmds - $cmds" - fi - done - fi - - # Exit here if they wanted silent mode. 
- test "$show" = : && exit 0 - - $echo "----------------------------------------------------------------------" - $echo "Libraries have been installed in:" - for libdir in $libdirs; do - $echo " $libdir" - done - $echo - $echo "If you ever happen to want to link against installed libraries" - $echo "in a given directory, LIBDIR, you must either use libtool, and" - $echo "specify the full pathname of the library, or use the \`-LLIBDIR'" - $echo "flag during linking and do at least one of the following:" - if test -n "$shlibpath_var"; then - $echo " - add LIBDIR to the \`$shlibpath_var' environment variable" - $echo " during execution" - fi - if test -n "$runpath_var"; then - $echo " - add LIBDIR to the \`$runpath_var' environment variable" - $echo " during linking" - fi - if test -n "$hardcode_libdir_flag_spec"; then - libdir=LIBDIR - eval flag=\"$hardcode_libdir_flag_spec\" - - $echo " - use the \`$flag' linker flag" - fi - if test -n "$admincmds"; then - $echo " - have your system administrator run these commands:$admincmds" - fi - if test -f /etc/ld.so.conf; then - $echo " - have your system administrator add LIBDIR to \`/etc/ld.so.conf'" - fi - $echo - $echo "See any operating system documentation about shared libraries for" - $echo "more information, such as the ld(1) and ld.so(8) manual pages." - $echo "----------------------------------------------------------------------" - exit 0 - ;; - - # libtool execute mode - execute) - modename="$modename: execute" - - # The first argument is the command name. - cmd="$nonopt" - if test -z "$cmd"; then - $echo "$modename: you must specify a COMMAND" 1>&2 - $echo "$help" - exit 1 - fi - - # Handle -dlopen flags immediately. - for file in $execute_dlfiles; do - if test ! -f "$file"; then - $echo "$modename: \`$file' is not a file" 1>&2 - $echo "$help" 1>&2 - exit 1 - fi - - dir= - case $file in - *.la) - # Check to see that this really is a libtool archive. 
- if (${SED} -e '2q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then : - else - $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2 - $echo "$help" 1>&2 - exit 1 - fi - - # Read the libtool library. - dlname= - library_names= - - # If there is no directory component, then add one. - case $file in - */* | *\\*) . $file ;; - *) . ./$file ;; - esac - - # Skip this library if it cannot be dlopened. - if test -z "$dlname"; then - # Warn if it was a shared library. - test -n "$library_names" && $echo "$modename: warning: \`$file' was not linked with \`-export-dynamic'" - continue - fi - - dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'` - test "X$dir" = "X$file" && dir=. - - if test -f "$dir/$objdir/$dlname"; then - dir="$dir/$objdir" - else - $echo "$modename: cannot find \`$dlname' in \`$dir' or \`$dir/$objdir'" 1>&2 - exit 1 - fi - ;; - - *.lo) - # Just add the directory containing the .lo file. - dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'` - test "X$dir" = "X$file" && dir=. - ;; - - *) - $echo "$modename: warning \`-dlopen' is ignored for non-libtool libraries and objects" 1>&2 - continue - ;; - esac - - # Get the absolute pathname. - absdir=`cd "$dir" && pwd` - test -n "$absdir" && dir="$absdir" - - # Now add the directory to shlibpath_var. - if eval "test -z \"\$$shlibpath_var\""; then - eval "$shlibpath_var=\"\$dir\"" - else - eval "$shlibpath_var=\"\$dir:\$$shlibpath_var\"" - fi - done - - # This variable tells wrapper scripts just to set shlibpath_var - # rather than running their programs. - libtool_execute_magic="$magic" - - # Check if any of the arguments is a wrapper script. - args= - for file - do - case $file in - -*) ;; - *) - # Do a test to see if this is really a libtool program. - if (${SED} -e '4q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then - # If there is no directory component, then add one. - case $file in - */* | *\\*) . $file ;; - *) . ./$file ;; - esac - - # Transform arg to wrapped name. 
- file="$progdir/$program" - fi - ;; - esac - # Quote arguments (to preserve shell metacharacters). - file=`$echo "X$file" | $Xsed -e "$sed_quote_subst"` - args="$args \"$file\"" - done - - if test -z "$run"; then - if test -n "$shlibpath_var"; then - # Export the shlibpath_var. - eval "export $shlibpath_var" - fi - - # Restore saved environment variables - if test "${save_LC_ALL+set}" = set; then - LC_ALL="$save_LC_ALL"; export LC_ALL - fi - if test "${save_LANG+set}" = set; then - LANG="$save_LANG"; export LANG - fi - - # Now prepare to actually exec the command. - exec_cmd="\$cmd$args" - else - # Display what would be done. - if test -n "$shlibpath_var"; then - eval "\$echo \"\$shlibpath_var=\$$shlibpath_var\"" - $echo "export $shlibpath_var" - fi - $echo "$cmd$args" - exit 0 - fi - ;; - - # libtool clean and uninstall mode - clean | uninstall) - modename="$modename: $mode" - rm="$nonopt" - files= - rmforce= - exit_status=0 - - # This variable tells wrapper scripts just to set variables rather - # than running their programs. - libtool_install_magic="$magic" - - for arg - do - case $arg in - -f) rm="$rm $arg"; rmforce=yes ;; - -*) rm="$rm $arg" ;; - *) files="$files $arg" ;; - esac - done - - if test -z "$rm"; then - $echo "$modename: you must specify an RM program" 1>&2 - $echo "$help" 1>&2 - exit 1 - fi - - rmdirs= - - origobjdir="$objdir" - for file in $files; do - dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'` - if test "X$dir" = "X$file"; then - dir=. - objdir="$origobjdir" - else - objdir="$dir/$origobjdir" - fi - name=`$echo "X$file" | $Xsed -e 's%^.*/%%'` - test "$mode" = uninstall && objdir="$dir" - - # Remember objdir for removal later, being careful to avoid duplicates - if test "$mode" = clean; then - case " $rmdirs " in - *" $objdir "*) ;; - *) rmdirs="$rmdirs $objdir" ;; - esac - fi - - # Don't error if the file doesn't exist and rm -f was used. 
- if (test -L "$file") >/dev/null 2>&1 \ - || (test -h "$file") >/dev/null 2>&1 \ - || test -f "$file"; then - : - elif test -d "$file"; then - exit_status=1 - continue - elif test "$rmforce" = yes; then - continue - fi - - rmfiles="$file" - - case $name in - *.la) - # Possibly a libtool archive, so verify it. - if (${SED} -e '2q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then - . $dir/$name - - # Delete the libtool libraries and symlinks. - for n in $library_names; do - rmfiles="$rmfiles $objdir/$n" - done - test -n "$old_library" && rmfiles="$rmfiles $objdir/$old_library" - test "$mode" = clean && rmfiles="$rmfiles $objdir/$name $objdir/${name}i" - - if test "$mode" = uninstall; then - if test -n "$library_names"; then - # Do each command in the postuninstall commands. - cmds=$postuninstall_cmds - save_ifs="$IFS"; IFS='~' - for cmd in $cmds; do - IFS="$save_ifs" - eval cmd=\"$cmd\" - $show "$cmd" - $run eval "$cmd" - if test "$?" -ne 0 && test "$rmforce" != yes; then - exit_status=1 - fi - done - IFS="$save_ifs" - fi - - if test -n "$old_library"; then - # Do each command in the old_postuninstall commands. - cmds=$old_postuninstall_cmds - save_ifs="$IFS"; IFS='~' - for cmd in $cmds; do - IFS="$save_ifs" - eval cmd=\"$cmd\" - $show "$cmd" - $run eval "$cmd" - if test "$?" -ne 0 && test "$rmforce" != yes; then - exit_status=1 - fi - done - IFS="$save_ifs" - fi - # FIXME: should reinstall the best remaining shared library. - fi - fi - ;; - - *.lo) - # Possibly a libtool object, so verify it. - if (${SED} -e '2q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then - - # Read the .lo file - . $dir/$name - - # Add PIC object to the list of files to remove. - if test -n "$pic_object" \ - && test "$pic_object" != none; then - rmfiles="$rmfiles $dir/$pic_object" - fi - - # Add non-PIC object to the list of files to remove. 
- if test -n "$non_pic_object" \ - && test "$non_pic_object" != none; then - rmfiles="$rmfiles $dir/$non_pic_object" - fi - fi - ;; - - *) - if test "$mode" = clean ; then - noexename=$name - case $file in - *.exe) - file=`$echo $file|${SED} 's,.exe$,,'` - noexename=`$echo $name|${SED} 's,.exe$,,'` - # $file with .exe has already been added to rmfiles, - # add $file without .exe - rmfiles="$rmfiles $file" - ;; - esac - # Do a test to see if this is a libtool program. - if (${SED} -e '4q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then - relink_command= - . $dir/$noexename - - # note $name still contains .exe if it was in $file originally - # as does the version of $file that was added into $rmfiles - rmfiles="$rmfiles $objdir/$name $objdir/${name}S.${objext}" - if test "$fast_install" = yes && test -n "$relink_command"; then - rmfiles="$rmfiles $objdir/lt-$name" - fi - if test "X$noexename" != "X$name" ; then - rmfiles="$rmfiles $objdir/lt-${noexename}.c" - fi - fi - fi - ;; - esac - $show "$rm $rmfiles" - $run $rm $rmfiles || exit_status=1 - done - objdir="$origobjdir" - - # Try to remove the ${objdir}s in the directories where we deleted files - for dir in $rmdirs; do - if test -d "$dir"; then - $show "rmdir $dir" - $run rmdir $dir >/dev/null 2>&1 - fi - done - - exit $exit_status - ;; - - "") - $echo "$modename: you must specify a MODE" 1>&2 - $echo "$generic_help" 1>&2 - exit 1 - ;; - esac - - if test -z "$exec_cmd"; then - $echo "$modename: invalid operation mode \`$mode'" 1>&2 - $echo "$generic_help" 1>&2 - exit 1 - fi -fi # test -z "$show_help" - -if test -n "$exec_cmd"; then - eval exec $exec_cmd - exit 1 -fi - -# We need to display help for each of the modes. -case $mode in -"") $echo \ -"Usage: $modename [OPTION]... [MODE-ARG]... - -Provide generalized library-building support services. 
- - --config show all configuration variables - --debug enable verbose shell tracing --n, --dry-run display commands without modifying any files - --features display basic configuration information and exit - --finish same as \`--mode=finish' - --help display this help message and exit - --mode=MODE use operation mode MODE [default=inferred from MODE-ARGS] - --quiet same as \`--silent' - --silent don't print informational messages - --tag=TAG use configuration variables from tag TAG - --version print version information - -MODE must be one of the following: - - clean remove files from the build directory - compile compile a source file into a libtool object - execute automatically set library path, then run a program - finish complete the installation of libtool libraries - install install libraries or executables - link create a library or an executable - uninstall remove libraries from an installed directory - -MODE-ARGS vary depending on the MODE. Try \`$modename --help --mode=MODE' for -a more detailed description of MODE. - -Report bugs to ." - exit 0 - ;; - -clean) - $echo \ -"Usage: $modename [OPTION]... --mode=clean RM [RM-OPTION]... FILE... - -Remove files from the build directory. - -RM is the name of the program to use to delete files associated with each FILE -(typically \`/bin/rm'). RM-OPTIONS are options (such as \`-f') to be passed -to RM. - -If FILE is a libtool library, object or program, all the files associated -with it are deleted. Otherwise, only FILE itself is deleted using RM." - ;; - -compile) - $echo \ -"Usage: $modename [OPTION]... --mode=compile COMPILE-COMMAND... SOURCEFILE - -Compile a source file into a libtool library object. 
- -This mode accepts the following additional options: - - -o OUTPUT-FILE set the output file name to OUTPUT-FILE - -prefer-pic try to building PIC objects only - -prefer-non-pic try to building non-PIC objects only - -static always build a \`.o' file suitable for static linking - -COMPILE-COMMAND is a command to be used in creating a \`standard' object file -from the given SOURCEFILE. - -The output file name is determined by removing the directory component from -SOURCEFILE, then substituting the C source code suffix \`.c' with the -library object suffix, \`.lo'." - ;; - -execute) - $echo \ -"Usage: $modename [OPTION]... --mode=execute COMMAND [ARGS]... - -Automatically set library path, then run a program. - -This mode accepts the following additional options: - - -dlopen FILE add the directory containing FILE to the library path - -This mode sets the library path environment variable according to \`-dlopen' -flags. - -If any of the ARGS are libtool executable wrappers, then they are translated -into their corresponding uninstalled binary, and any of their required library -directories are added to the library path. - -Then, COMMAND is executed, with ARGS as arguments." - ;; - -finish) - $echo \ -"Usage: $modename [OPTION]... --mode=finish [LIBDIR]... - -Complete the installation of libtool libraries. - -Each LIBDIR is a directory that contains libtool libraries. - -The commands that this mode executes may require superuser privileges. Use -the \`--dry-run' option if you just want to see what would be executed." - ;; - -install) - $echo \ -"Usage: $modename [OPTION]... --mode=install INSTALL-COMMAND... - -Install executables or libraries. - -INSTALL-COMMAND is the installation command. The first component should be -either the \`install' or \`cp' program. - -The rest of the components are interpreted as arguments to that command (only -BSD-compatible install options are recognized)." - ;; - -link) - $echo \ -"Usage: $modename [OPTION]... 
--mode=link LINK-COMMAND... - -Link object files or libraries together to form another library, or to -create an executable program. - -LINK-COMMAND is a command using the C compiler that you would use to create -a program from several object files. - -The following components of LINK-COMMAND are treated specially: - - -all-static do not do any dynamic linking at all - -avoid-version do not add a version suffix if possible - -dlopen FILE \`-dlpreopen' FILE if it cannot be dlopened at runtime - -dlpreopen FILE link in FILE and add its symbols to lt_preloaded_symbols - -export-dynamic allow symbols from OUTPUT-FILE to be resolved with dlsym(3) - -export-symbols SYMFILE - try to export only the symbols listed in SYMFILE - -export-symbols-regex REGEX - try to export only the symbols matching REGEX - -LLIBDIR search LIBDIR for required installed libraries - -lNAME OUTPUT-FILE requires the installed library libNAME - -module build a library that can dlopened - -no-fast-install disable the fast-install mode - -no-install link a not-installable executable - -no-undefined declare that a library does not refer to external symbols - -o OUTPUT-FILE create OUTPUT-FILE from the specified objects - -objectlist FILE Use a list of object files found in FILE to specify objects - -precious-files-regex REGEX - don't remove output files matching REGEX - -release RELEASE specify package release information - -rpath LIBDIR the created library will eventually be installed in LIBDIR - -R[ ]LIBDIR add LIBDIR to the runtime path of programs and libraries - -static do not do any dynamic linking of libtool libraries - -version-info CURRENT[:REVISION[:AGE]] - specify library version info [each variable defaults to 0] - -All other options (arguments beginning with \`-') are ignored. - -Every other argument is treated as a filename. Files ending in \`.la' are -treated as uninstalled libtool libraries, other files are standard or library -object files. 
- -If the OUTPUT-FILE ends in \`.la', then a libtool library is created, -only library objects (\`.lo' files) may be specified, and \`-rpath' is -required, except when creating a convenience library. - -If OUTPUT-FILE ends in \`.a' or \`.lib', then a standard library is created -using \`ar' and \`ranlib', or on Windows using \`lib'. - -If OUTPUT-FILE ends in \`.lo' or \`.${objext}', then a reloadable object file -is created, otherwise an executable program is created." - ;; - -uninstall) - $echo \ -"Usage: $modename [OPTION]... --mode=uninstall RM [RM-OPTION]... FILE... - -Remove libraries from an installation directory. - -RM is the name of the program to use to delete files associated with each FILE -(typically \`/bin/rm'). RM-OPTIONS are options (such as \`-f') to be passed -to RM. - -If FILE is a libtool library, all the files associated with it are deleted. -Otherwise, only FILE itself is deleted using RM." - ;; - -*) - $echo "$modename: invalid operation mode \`$mode'" 1>&2 - $echo "$help" 1>&2 - exit 1 - ;; -esac - -$echo -$echo "Try \`$modename --help' for more information about other modes." - -exit 0 - -# The TAGs below are defined such that we never get into a situation -# in which we disable both kinds of libraries. Given conflicting -# choices, we go for a static library, that is the most portable, -# since we can't tell whether shared libraries were disabled because -# the user asked for that or because the platform doesn't support -# them. This is particularly important on AIX, because we don't -# support having both static and shared libraries enabled at the same -# time on that platform, so we default to a shared-only configuration. -# If a disable-shared tag is given, we'll fallback to a static-only -# configuration. But we'll never go from static-only to shared-only. 
- -# ### BEGIN LIBTOOL TAG CONFIG: disable-shared -build_libtool_libs=no -build_old_libs=yes -# ### END LIBTOOL TAG CONFIG: disable-shared - -# ### BEGIN LIBTOOL TAG CONFIG: disable-static -build_old_libs=`case $build_libtool_libs in yes) $echo no;; *) $echo yes;; esac` -# ### END LIBTOOL TAG CONFIG: disable-static - -# Local Variables: -# mode:shell-script -# sh-indentation:2 -# End: diff --git a/crypto/heimdal-0.6.3/missing b/crypto/heimdal-0.6.3/missing deleted file mode 100644 index e7ef83a1c2..0000000000 --- a/crypto/heimdal-0.6.3/missing +++ /dev/null 
@@ -1,360 +0,0 @@ -#! /bin/sh -# Common stub for a few missing GNU programs while installing. - -scriptversion=2003-09-02.23 - -# Copyright (C) 1996, 1997, 1999, 2000, 2002, 2003 -# Free Software Foundation, Inc. -# Originally by Fran,cois Pinard , 1996. - -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2, or (at your option) -# any later version. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. - -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA -# 02111-1307, USA. - -# As a special exception to the GNU General Public License, if you -# distribute this file as part of a program that contains a -# configuration script generated by Autoconf, you may include it under -# the same distribution terms that you use for the rest of that program. - -if test $# -eq 0; then - echo 1>&2 "Try \`$0 --help' for more information" - exit 1 -fi - -run=: - -# In the cases where this matters, `missing' is being run in the -# srcdir already. -if test -f configure.ac; then - configure_ac=configure.ac -else - configure_ac=configure.in -fi - -msg="missing on your system" - -case "$1" in ---run) - # Try to run requested program, and just exit if it succeeds. - run= - shift - "$@" && exit 0 - # Exit code 63 means version mismatch. This often happens - # when the user try to use an ancient version of a tool on - # a file that requires a minimum version. In this case we - # we should proceed has if the program had been absent, or - # if --run hadn't been passed. - if test $? 
= 63; then - run=: - msg="probably too old" - fi - ;; -esac - -# If it does not exist, or fails to run (possibly an outdated version), -# try to emulate it. -case "$1" in - - -h|--h|--he|--hel|--help) - echo "\ -$0 [OPTION]... PROGRAM [ARGUMENT]... - -Handle \`PROGRAM [ARGUMENT]...' for when PROGRAM is missing, or return an -error status if there is no known handling for PROGRAM. - -Options: - -h, --help display this help and exit - -v, --version output version information and exit - --run try to run the given command, and emulate it if it fails - -Supported PROGRAM values: - aclocal touch file \`aclocal.m4' - autoconf touch file \`configure' - autoheader touch file \`config.h.in' - automake touch all \`Makefile.in' files - bison create \`y.tab.[ch]', if possible, from existing .[ch] - flex create \`lex.yy.c', if possible, from existing .c - help2man touch the output file - lex create \`lex.yy.c', if possible, from existing .c - makeinfo touch the output file - tar try tar, gnutar, gtar, then tar without non-portable flags - yacc create \`y.tab.[ch]', if possible, from existing .[ch] - -Send bug reports to ." - ;; - - -v|--v|--ve|--ver|--vers|--versi|--versio|--version) - echo "missing $scriptversion (GNU Automake)" - ;; - - -*) - echo 1>&2 "$0: Unknown \`$1' option" - echo 1>&2 "Try \`$0 --help' for more information" - exit 1 - ;; - - aclocal*) - if test -z "$run" && ($1 --version) > /dev/null 2>&1; then - # We have it, but it failed. - exit 1 - fi - - echo 1>&2 "\ -WARNING: \`$1' is $msg. You should only need it if - you modified \`acinclude.m4' or \`${configure_ac}'. You might want - to install the \`Automake' and \`Perl' packages. Grab them from - any GNU archive site." - touch aclocal.m4 - ;; - - autoconf) - if test -z "$run" && ($1 --version) > /dev/null 2>&1; then - # We have it, but it failed. - exit 1 - fi - - echo 1>&2 "\ -WARNING: \`$1' is $msg. You should only need it if - you modified \`${configure_ac}'. 
You might want to install the - \`Autoconf' and \`GNU m4' packages. Grab them from any GNU - archive site." - touch configure - ;; - - autoheader) - if test -z "$run" && ($1 --version) > /dev/null 2>&1; then - # We have it, but it failed. - exit 1 - fi - - echo 1>&2 "\ -WARNING: \`$1' is $msg. You should only need it if - you modified \`acconfig.h' or \`${configure_ac}'. You might want - to install the \`Autoconf' and \`GNU m4' packages. Grab them - from any GNU archive site." - files=`sed -n 's/^[ ]*A[CM]_CONFIG_HEADER(\([^)]*\)).*/\1/p' ${configure_ac}` - test -z "$files" && files="config.h" - touch_files= - for f in $files; do - case "$f" in - *:*) touch_files="$touch_files "`echo "$f" | - sed -e 's/^[^:]*://' -e 's/:.*//'`;; - *) touch_files="$touch_files $f.in";; - esac - done - touch $touch_files - ;; - - automake*) - if test -z "$run" && ($1 --version) > /dev/null 2>&1; then - # We have it, but it failed. - exit 1 - fi - - echo 1>&2 "\ -WARNING: \`$1' is $msg. You should only need it if - you modified \`Makefile.am', \`acinclude.m4' or \`${configure_ac}'. - You might want to install the \`Automake' and \`Perl' packages. - Grab them from any GNU archive site." - find . -type f -name Makefile.am -print | - sed 's/\.am$/.in/' | - while read f; do touch "$f"; done - ;; - - autom4te) - if test -z "$run" && ($1 --version) > /dev/null 2>&1; then - # We have it, but it failed. - exit 1 - fi - - echo 1>&2 "\ -WARNING: \`$1' is needed, but is $msg. - You might have modified some files without having the - proper tools for further handling them. - You can get \`$1' as part of \`Autoconf' from any GNU - archive site." - - file=`echo "$*" | sed -n 's/.*--output[ =]*\([^ ]*\).*/\1/p'` - test -z "$file" && file=`echo "$*" | sed -n 's/.*-o[ ]*\([^ ]*\).*/\1/p'` - if test -f "$file"; then - touch $file - else - test -z "$file" || exec >$file - echo "#! 
/bin/sh" - echo "# Created by GNU Automake missing as a replacement of" - echo "# $ $@" - echo "exit 0" - chmod +x $file - exit 1 - fi - ;; - - bison|yacc) - echo 1>&2 "\ -WARNING: \`$1' $msg. You should only need it if - you modified a \`.y' file. You may need the \`Bison' package - in order for those modifications to take effect. You can get - \`Bison' from any GNU archive site." - rm -f y.tab.c y.tab.h - if [ $# -ne 1 ]; then - eval LASTARG="\${$#}" - case "$LASTARG" in - *.y) - SRCFILE=`echo "$LASTARG" | sed 's/y$/c/'` - if [ -f "$SRCFILE" ]; then - cp "$SRCFILE" y.tab.c - fi - SRCFILE=`echo "$LASTARG" | sed 's/y$/h/'` - if [ -f "$SRCFILE" ]; then - cp "$SRCFILE" y.tab.h - fi - ;; - esac - fi - if [ ! -f y.tab.h ]; then - echo >y.tab.h - fi - if [ ! -f y.tab.c ]; then - echo 'main() { return 0; }' >y.tab.c - fi - ;; - - lex|flex) - echo 1>&2 "\ -WARNING: \`$1' is $msg. You should only need it if - you modified a \`.l' file. You may need the \`Flex' package - in order for those modifications to take effect. You can get - \`Flex' from any GNU archive site." - rm -f lex.yy.c - if [ $# -ne 1 ]; then - eval LASTARG="\${$#}" - case "$LASTARG" in - *.l) - SRCFILE=`echo "$LASTARG" | sed 's/l$/c/'` - if [ -f "$SRCFILE" ]; then - cp "$SRCFILE" lex.yy.c - fi - ;; - esac - fi - if [ ! -f lex.yy.c ]; then - echo 'main() { return 0; }' >lex.yy.c - fi - ;; - - help2man) - if test -z "$run" && ($1 --version) > /dev/null 2>&1; then - # We have it, but it failed. - exit 1 - fi - - echo 1>&2 "\ -WARNING: \`$1' is $msg. You should only need it if - you modified a dependency of a manual page. You may need the - \`Help2man' package in order for those modifications to take - effect. You can get \`Help2man' from any GNU archive site." 
- - file=`echo "$*" | sed -n 's/.*-o \([^ ]*\).*/\1/p'` - if test -z "$file"; then - file=`echo "$*" | sed -n 's/.*--output=\([^ ]*\).*/\1/p'` - fi - if [ -f "$file" ]; then - touch $file - else - test -z "$file" || exec >$file - echo ".ab help2man is required to generate this page" - exit 1 - fi - ;; - - makeinfo) - if test -z "$run" && (makeinfo --version) > /dev/null 2>&1; then - # We have makeinfo, but it failed. - exit 1 - fi - - echo 1>&2 "\ -WARNING: \`$1' is $msg. You should only need it if - you modified a \`.texi' or \`.texinfo' file, or any other file - indirectly affecting the aspect of the manual. The spurious - call might also be the consequence of using a buggy \`make' (AIX, - DU, IRIX). You might want to install the \`Texinfo' package or - the \`GNU make' package. Grab either from any GNU archive site." - file=`echo "$*" | sed -n 's/.*-o \([^ ]*\).*/\1/p'` - if test -z "$file"; then - file=`echo "$*" | sed 's/.* \([^ ]*\) *$/\1/'` - file=`sed -n '/^@setfilename/ { s/.* \([^ ]*\) *$/\1/; p; q; }' $file` - fi - touch $file - ;; - - tar) - shift - if test -n "$run"; then - echo 1>&2 "ERROR: \`tar' requires --run" - exit 1 - fi - - # We have already tried tar in the generic part. - # Look for gnutar/gtar before invocation to avoid ugly error - # messages. - if (gnutar --version > /dev/null 2>&1); then - gnutar "$@" && exit 0 - fi - if (gtar --version > /dev/null 2>&1); then - gtar "$@" && exit 0 - fi - firstarg="$1" - if shift; then - case "$firstarg" in - *o*) - firstarg=`echo "$firstarg" | sed s/o//` - tar "$firstarg" "$@" && exit 0 - ;; - esac - case "$firstarg" in - *h*) - firstarg=`echo "$firstarg" | sed s/h//` - tar "$firstarg" "$@" && exit 0 - ;; - esac - fi - - echo 1>&2 "\ -WARNING: I can't seem to be able to run \`tar' with the given arguments. - You may want to install GNU tar or Free paxutils, or check the - command line arguments." - exit 1 - ;; - - *) - echo 1>&2 "\ -WARNING: \`$1' is needed, and is $msg. 
- You might have modified some files without having the - proper tools for further handling them. Check the \`README' file, - it often tells you about the needed prerequisites for installing - this package. You may also peek at any GNU archive site, in case - some other package would contain this missing \`$1' program." - exit 1 - ;; -esac - -exit 0 - -# Local variables: -# eval: (add-hook 'write-file-hooks 'time-stamp) -# time-stamp-start: "scriptversion=" -# time-stamp-format: "%:y-%02m-%02d.%02H" -# time-stamp-end: "$" -# End: diff --git a/crypto/heimdal-0.6.3/mkinstalldirs b/crypto/heimdal-0.6.3/mkinstalldirs deleted file mode 100644 index 6fbe5e1176..0000000000 --- a/crypto/heimdal-0.6.3/mkinstalldirs +++ /dev/null 
@@ -1,150 +0,0 @@
-#! /bin/sh
-# mkinstalldirs --- make directory hierarchy
-
-scriptversion=2004-02-15.20
-
-# Original author: Noah Friedman
-# Created: 1993-05-16
-# Public domain.
-#
-# This file is maintained in Automake, please report
-# bugs to or send patches to
-# .
-
-errstatus=0
-dirmode=""
-
-usage="\
-Usage: mkinstalldirs [-h] [--help] [--version] [-m MODE] DIR ...
-
-Create each directory DIR (with mode MODE, if specified), including all
-leading file name components.
-
-Report bugs to ."
-
-# process command line arguments
-while test $# -gt 0 ; do
- case $1 in
- -h | --help | --h*) # -h for help
- echo "$usage"
- exit 0
- ;;
- -m) # -m PERM arg
- shift
- test $# -eq 0 && { echo "$usage" 1>&2; exit 1; }
- dirmode=$1
- shift
- ;;
- --version)
- echo "$0 $scriptversion"
- exit 0
- ;;
- --) # stop option processing
- shift
- break
- ;;
- -*) # unknown option
- echo "$usage" 1>&2
- exit 1
- ;;
- *) # first non-opt arg
- break
- ;;
- esac
-done
-
-for file
-do
- if test -d "$file"; then
- shift
- else
- break
- fi
-done
-
-case $# in
- 0) exit 0 ;;
-esac
-
-# Solaris 8's mkdir -p isn't thread-safe. If you mkdir -p a/b and
-# mkdir -p a/c at the same time, both will detect that a is missing,
-# one will create a, then the other will try to create a and die with
-# a "File exists" error. This is a problem when calling mkinstalldirs
-# from a parallel make. We use --version in the probe to restrict
-# ourselves to GNU mkdir, which is thread-safe.
-case $dirmode in
- '')
- if mkdir -p --version . >/dev/null 2>&1 && test ! -d ./--version; then
- echo "mkdir -p -- $*"
- exec mkdir -p -- "$@"
- else
- # On NextStep and OpenStep, the `mkdir' command does not
- # recognize any option. It will interpret all options as
- # directories to create, and then abort because `.' already
- # exists.
- test -d ./-p && rmdir ./-p
- test -d ./--version && rmdir ./--version
- fi
- ;;
- *)
- if mkdir -m "$dirmode" -p --version . >/dev/null 2>&1 &&
- test ! -d ./--version; then
- echo "mkdir -m $dirmode -p -- $*"
- exec mkdir -m "$dirmode" -p -- "$@"
- else
- # Clean up after NextStep and OpenStep mkdir.
- for d in ./-m ./-p ./--version "./$dirmode";
- do
- test -d $d && rmdir $d
- done
- fi
- ;;
-esac
-
-for file
-do
- set fnord `echo ":$file" | sed -ne 's/^:\//#/;s/^://;s/\// /g;s/^#/\//;p'`
- shift
-
- pathcomp=
- for d
- do
- pathcomp="$pathcomp$d"
- case $pathcomp in
- -*) pathcomp=./$pathcomp ;;
- esac
-
- if test ! -d "$pathcomp"; then
- echo "mkdir $pathcomp"
-
- mkdir "$pathcomp" || lasterr=$?
-
- if test ! -d "$pathcomp"; then
- errstatus=$lasterr
- else
- if test ! -z "$dirmode"; then
- echo "chmod $dirmode $pathcomp"
- lasterr=""
- chmod "$dirmode" "$pathcomp" || lasterr=$?
-
- if test ! -z "$lasterr"; then
- errstatus=$lasterr
- fi
- fi
- fi
- fi
-
- pathcomp="$pathcomp/"
- done
-done
-
-exit $errstatus
-
-# Local Variables:
-# mode: shell-script
-# sh-indentation: 2
-# eval: (add-hook 'write-file-hooks 'time-stamp)
-# time-stamp-start: "scriptversion="
-# time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-end: "$"
-# End:
diff --git a/crypto/heimdal-0.6.3/tools/Makefile.am b/crypto/heimdal-0.6.3/tools/Makefile.am
deleted file mode 100644
index b7a9d24d8c..0000000000
--- a/crypto/heimdal-0.6.3/tools/Makefile.am
+++ /dev/null
@@ -1,26 +0,0 @@
-# $Id: Makefile.am,v 1.6 2002/09/09 22:29:26 joda Exp $
-
-include $(top_srcdir)/Makefile.am.common
-
-EXTRA_DIST = krb5-config.1
-
-CLEANFILES = krb5-config
-
-bin_SCRIPTS = krb5-config
-
-man_MANS = krb5-config.1
-
-krb5-config: krb5-config.in
- sed -e "s,@PACKAGE\@,$(PACKAGE),g" \
- -e "s,@VERSION\@,$(VERSION),g" \
- -e "s,@prefix\@,$(prefix),g" \
- -e "s,@exec_prefix\@,$(exec_prefix),g" \
- -e "s,@libdir\@,$(libdir),g" \
- -e "s,@includedir\@,$(includedir),g" \
- -e "s,@LIB_crypt\@,$(LIB_crypt),g" \
- -e "s,@LIB_dbopen\@,$(LIB_dbopen),g" \
- -e "s,@INCLUDE_des\@,$(INCLUDE_des),g" \
- -e "s,@LIB_des_appl\@,$(LIB_des_appl),g" \
- -e "s,@LIBS\@,$(LIBS),g" \
- $(srcdir)/krb5-config.in > $@
- chmod +x $@
diff --git a/crypto/heimdal-0.6.3/tools/Makefile.in b/crypto/heimdal-0.6.3/tools/Makefile.in
deleted file mode 100644
index 87d8bf5b12..0000000000
--- a/crypto/heimdal-0.6.3/tools/Makefile.in
+++ /dev/null
@@ -1,733 +0,0 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.6 2002/09/09 22:29:26 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = .. 
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_triplet = @host@ -DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ - $(top_srcdir)/Makefile.am.common \ - $(top_srcdir)/cf/Makefile.am.common -subdir = tools -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ - $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ - $(top_srcdir)/cf/broken-glob.m4 \ - $(top_srcdir)/cf/broken-realloc.m4 \ - $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ - $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ - $(top_srcdir)/cf/capabilities.m4 \ - $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ - $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ - $(top_srcdir)/cf/check-man.m4 \ - $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ - $(top_srcdir)/cf/check-type-extra.m4 \ - $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ - $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ - $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ - $(top_srcdir)/cf/dlopen.m4 \ - $(top_srcdir)/cf/find-func-no-libs.m4 \ - $(top_srcdir)/cf/find-func-no-libs2.m4 \ - $(top_srcdir)/cf/find-func.m4 \ - $(top_srcdir)/cf/find-if-not-broken.m4 \ - $(top_srcdir)/cf/have-struct-field.m4 \ - $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ - $(top_srcdir)/cf/krb-bigendian.m4 \ - $(top_srcdir)/cf/krb-func-getlogin.m4 \ - $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ - $(top_srcdir)/cf/krb-readline.m4 \ - $(top_srcdir)/cf/krb-struct-spwd.m4 \ - 
$(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)" -binSCRIPT_INSTALL = $(INSTALL_SCRIPT) -SCRIPTS = $(bin_SCRIPTS) -depcomp = -am__depfiles_maybe = -SOURCES = -DIST_SOURCES = -man1dir = $(mandir)/man1 -MANS = $(man_MANS) -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ -CC = @CC@ -CFLAGS = @CFLAGS@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ -DEFS = @DEFS@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GROFF = 
@GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -INCLUDE_krb4 = @INCLUDE_krb4@ -INCLUDE_openldap = @INCLUDE_openldap@ -INCLUDE_readline = @INCLUDE_readline@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_XauFileName = @LIB_XauFileName@ -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_XauWriteAuth = @LIB_XauWriteAuth@ -LIB_bswap16 = @LIB_bswap16@ -LIB_bswap32 = @LIB_bswap32@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_crypt = @LIB_crypt@ -LIB_db_create = @LIB_db_create@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_freeaddrinfo = @LIB_freeaddrinfo@ -LIB_gai_strerror = @LIB_gai_strerror@ -LIB_getaddrinfo = @LIB_getaddrinfo@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_gethostbyname2 = @LIB_gethostbyname2@ -LIB_getnameinfo = @LIB_getnameinfo@ 
-LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_hesiod = @LIB_hesiod@ -LIB_hstrerror = @LIB_hstrerror@ -LIB_kdb = @LIB_kdb@ -LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ -LIB_loadquery = @LIB_loadquery@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_openldap = @LIB_openldap@ -LIB_openpty = @LIB_openpty@ -LIB_otp = @LIB_otp@ -LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ -LIB_res_nsearch = @LIB_res_nsearch@ -LIB_res_search = @LIB_res_search@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ -MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = 
@ac_ct_STRIP@ -am__leading_dot = @am__leading_dot@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ -exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME -AM_CFLAGS = $(WFLAGS) -CP = cp -buildinclude = $(top_builddir)/include -LIB_getattr = @LIB_getattr@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_setpcred = @LIB_setpcred@ -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -NROFF_MAN = groff -mandoc -Tascii -LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) 
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -EXTRA_DIST = krb5-config.1 -CLEANFILES = krb5-config -bin_SCRIPTS = krb5-config -man_MANS = krb5-config.1 -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps tools/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign --ignore-deps tools/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' 
in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -install-binSCRIPTS: $(bin_SCRIPTS) - @$(NORMAL_INSTALL) - test -z "$(bindir)" || $(mkdir_p) "$(DESTDIR)$(bindir)" - @list='$(bin_SCRIPTS)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - if test -f $$d$$p; then \ - f=`echo "$$p" | sed 's|^.*/||;$(transform)'`; \ - echo " $(binSCRIPT_INSTALL) '$$d$$p' '$(DESTDIR)$(bindir)/$$f'"; \ - $(binSCRIPT_INSTALL) "$$d$$p" "$(DESTDIR)$(bindir)/$$f"; \ - else :; fi; \ - done - -uninstall-binSCRIPTS: - @$(NORMAL_UNINSTALL) - @list='$(bin_SCRIPTS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's|^.*/||;$(transform)'`; \ - echo " rm -f '$(DESTDIR)$(bindir)/$$f'"; \ - rm -f "$(DESTDIR)$(bindir)/$$f"; \ - done - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -install-man1: $(man1_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - test -z "$(man1dir)" || $(mkdir_p) "$(DESTDIR)$(man1dir)" - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case 
"$$ext" in \ - 1*) ;; \ - *) ext='1' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man1dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man1dir)/$$inst"; \ - done -uninstall-man1: - @$(NORMAL_UNINSTALL) - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 1*) ;; \ - *) ext='1' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f '$(DESTDIR)$(man1dir)/$$inst'"; \ - rm -f "$(DESTDIR)$(man1dir)/$$inst"; \ - done -tags: TAGS -TAGS: - -ctags: CTAGS -CTAGS: - - -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/.. 
$(distdir)/../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(SCRIPTS) $(MANS) all-local -installdirs: - for dir in "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) - -distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it 
deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-generic clean-libtool mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-generic distclean-libtool - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: install-man - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook - -install-exec-am: install-binSCRIPTS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man1 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-generic mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-binSCRIPTS uninstall-info-am uninstall-man - -uninstall-man: uninstall-man1 - -.PHONY: all all-am all-local check check-am check-local clean \ - clean-generic clean-libtool distclean distclean-generic \ - distclean-libtool distdir dvi dvi-am html html-am info info-am \ - install install-am install-binSCRIPTS install-data \ - install-data-am install-exec install-exec-am install-info \ - install-info-am install-man install-man1 install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-generic \ - mostlyclean-libtool pdf pdf-am ps ps-am uninstall uninstall-am \ - uninstall-binSCRIPTS uninstall-info-am uninstall-man \ - uninstall-man1 - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) 
$(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done 
;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-hook: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -krb5-config: krb5-config.in - sed -e "s,@PACKAGE\@,$(PACKAGE),g" \ - -e "s,@VERSION\@,$(VERSION),g" \ - -e "s,@prefix\@,$(prefix),g" \ - -e "s,@exec_prefix\@,$(exec_prefix),g" \ - -e "s,@libdir\@,$(libdir),g" \ - -e "s,@includedir\@,$(includedir),g" \ - -e "s,@LIB_crypt\@,$(LIB_crypt),g" \ - -e "s,@LIB_dbopen\@,$(LIB_dbopen),g" \ - -e "s,@INCLUDE_des\@,$(INCLUDE_des),g" \ - -e "s,@LIB_des_appl\@,$(LIB_des_appl),g" \ - -e "s,@LIBS\@,$(LIBS),g" \ - $(srcdir)/krb5-config.in > $@ - chmod +x $@ -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal-0.6.3/tools/build.sh b/crypto/heimdal-0.6.3/tools/build.sh deleted file mode 100644 index fad860836d..0000000000 --- a/crypto/heimdal-0.6.3/tools/build.sh +++ /dev/null 
@@ -1,212 +0,0 @@ -#!/bin/sh -# -# Build many combinations of kth-krb/heimdal/openssl -# -# $Id: build.sh,v 1.8 2003/04/17 12:55:02 lha Exp $ - -opt_n= #: -make_f= #-j - -heimdal_versions="0.5.2 0.6pre4" -krb4_versions="1.2.2" -openssl_versions="0.9.6i 0.9.7a 0.9.7b" - -make_check_version=".*heimdal-0.6.*" - -# 0.5 dont eat 0.9.7 -dont_build="openssl-0.9.7.*heimdal-0.5.*" -# 1.2 dont eat 0.9.7 -dont_build="openssl-0.9.7.*krb4-1.2.* ${dont_build}" -#yacc problems -dont_build="openssl-0.9.6.*heimdal-0.5.*osf4.* ${dont_build}" -#local openssl 09.7 and broken kuser/Makefile.am -dont_build="openssl-0.9.6.*heimdal-0.5.*freebsd4.8.* ${dont_build}" -failed= - -# Allow override -for a in $HOME . /etc ; do - [ -f $a/.heimdal-build ] && . $a/.heimdal-build -done - -targetdir=${targetdir:-/scratch/heimdal-test} -logfile="${targetdir}/buildlog" - -distdirs="${distdirs} /afs/su.se/home/l/h/lha/Public/openssl" -distdirs="${distdirs} /afs/pdc.kth.se/public/ftp/pub/heimdal/src" -distdirs="${distdirs} /afs/pdc.kth.se/public/ftp/pub/heimdal/src/snapshots" -distdirs="${distdirs} /afs/pdc.kth.se/public/ftp/pub/krb/src" - - -logprint () { - d=`date '+%Y-%m-%d %H:%M:%S'` - echo "${d}: $*" - echo "${d}: --- $*" >> ${logfile} -} - -logerror () { - echo "$*" - exit 1 -} - -find_unzip_prog () { - unzip_prog= - oldIFS="$IFS" - IFS=: - set -- $PATH - IFS="$oldIFS" - for a in $* ; do - if [ -x $a/gzip ] ; then - unzip_prog="$a/gzip -dc" - break - elif [ -x $a/gunzip ] ; then - unzip_prog="$a/gunzip -c" - break - fi - done - [ "$unzip_prog" = "" ] && logerror failed to find unzip program -} - -find_canon_name () { - canon_name= - for a in ${distdirs} ; do - if [ -f $a/config.guess ] ; then - canon_name=`$a/config.guess` - fi - if [ "${canon_name}" != "" ] ; then - break - fi - done - [ "${canon_name}" = "" ] && logerror "cant find config.guess" -} - -do_check_p () { - eval check_var=\$"$1" - for a in ${check_var} ; do - expr "$2${canon_name}" : "${a}" > /dev/null 2>&1 && return 1 - done - return 
0 -} - -unpack_tar () { - for a in ${distdirs} ; do - if [ -f $a/$1 ] ; then - ${opt_n} ${unzip_prog} ${a}/$1 | ${opt_n} tar xf - - return 0 - fi - done - logerror "did not find $1" -} - -build () { - real_ver=$1 - prog=$2 - ver=$3 - confprog=$4 - checks=$5 - pv=${prog}-${ver} - mkdir tmp || logerror "failed to build tmpdir" - cd tmp || logerror "failed to change dir to tmpdir" - do_check_p dont_build ${real_ver} || \ - { cd .. ; rmdir tmp ; logprint "not building $1" && return 0 ; } - cd .. || logerror "failed to change back from tmpdir" - rmdir tmp || logerror "failed to remove tmpdir" - logprint "preparing for ${pv}" - ${opt_n} rm -rf ${targetdir}/${prog}-${ver} - ${opt_n} rm -rf ${prog}-${ver} - unpack_tar ${pv}.tar.gz - ${opt_n} cd ${pv} || logerror directory ${pv} not there - logprint "configure ${prog} ${ver} (${confprog})" - ${opt_n} ./${confprog} \ - --prefix=${targetdir}/${pv} >> ${logfile} 2>&1 || \ - { logprint failed to configure ${pv} ; return 1 ; } - logprint "make ${prog} ${ver}" - ${opt_n} make ${make_f} >> ${logfile} 2>&1 || \ - { logprint failed to make ${pv} ; return 1 ; } - ${opt_n} make install >> ${logfile} 2>&1 || \ - { logprint failed to install ${pv} ; return 1 ; } - do_check_p make_check_version ${real_ver} || \ - { ${opt_n} make check >> ${logfile} 2>&1 || return 1 ; } - ${opt_n} cd .. 
- [ "${checks}" != "" ] && ${opt_n} ${checks} >> ${logfile} 2>&1 - return 0 -} - -find_canon_name - -logprint using host `hostname` -logprint `uname -a` -logprint canonical name ${canon_name} - -logprint clearing logfile -> ${logfile} - -find_unzip_prog - -logprint using target dir ${targetdir} -mkdir -p ${targetdir}/src -cd ${targetdir}/src || exit 1 -rm -rf heimdal* openssl* krb4* - -logprint === building openssl versions -for vo in ${openssl_versions} ; do - build openssl-${vo} openssl $vo config -done - -wssl="--with-openssl=${targetdir}/openssl" -wssli="--with-openssl-include=${targetdir}/openssl" #this is a hack for broken heimdal 0.5.x autoconf test -wossl="--without-openssl" -wk4c="--with-krb4-config=${targetdir}/krb4" -bk4c="/bin/krb4-config" -wok4="--without-krb4" - -logprint === building heimdal w/o krb4 versions -for vo in ${openssl_versions} ; do - for vh in ${heimdal_versions} ; do - v="openssl-${vo}-heimdal-${vh}" - build "${v}" \ - heimdal ${vh} \ - "configure ${wok4} ${wssl}-${vo} ${wssli}-${vo}/include" \ - "${targetdir}/heimdal-${vh}/bin/krb5-config --libs | grep lcrypto" \ || \ - { failed="${failed} ${v}" ; logprint ${v} failed ; } - done -done - -logprint === building krb4 -for vo in ${openssl_versions} ; do - for vk in ${krb4_versions} ; do - v="openssl-${vo}-krb4-${vk}" - build "${v}" \ - krb4 ${vk} \ - "configure ${wssl}-${vo}" \ - "${targetdir}/krb4-${vk}/bin/krb4-config --libs | grep lcrypto"|| \ - { failed="${failed} ${v}" ; logprint ${v} failed ; } - done -done - -logprint === building heimdal with krb4 versions -for vo in ${openssl_versions} ; do - for vk in ${krb4_versions} ; do - for vh in ${heimdal_versions} ; do - v="openssl-${vo}-krb4-${vk}-heimdal-${vh}" - build "${v}" \ - heimdal ${vh} \ - "configure ${wk4c}-${vk}${bk4c} ${wssl}-${vo} ${wssli}-${vo}/include" \ - "${targetdir}/heimdal-${vh}/bin/krb5-config --libs | grep lcrypto && ${targetdir}/heimdal-${vh}/bin/krb5-config --libs | grep krb4" \ - || \ - { failed="${failed} ${v}" ; 
logprint ${v} failed ; } - done - done -done - -logprint === building heimdal without krb4 and openssl versions -for vh in ${heimdal_versions} ; do - v="des-heimdal-${vh}" - build "${v}" \ - heimdal ${vh} \ - "configure ${wok4} ${wossl}" || \ - { failed="${failed} ${v}" ; logprint ${v} failed ; } -done - -logprint all done -[ "${failed}" != "" ] && logprint "failed: ${failed}" -exit 0 diff --git a/crypto/heimdal-0.6.3/tools/krb5-config.1 b/crypto/heimdal-0.6.3/tools/krb5-config.1 deleted file mode 100644 index 222b760f84..0000000000 --- a/crypto/heimdal-0.6.3/tools/krb5-config.1 +++ /dev/null 
@@ -1,90 +0,0 @@
-.\" Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: krb5-config.1,v 1.5 2003/02/16 21:10:32 lha Exp $
-.\"
-.Dd November 30, 2000
-.Dt KRB5-CONFIG 1
-.Os HEIMDAL
-.Sh NAME
-.Nm krb5-config
-.Nd "give information on how to link code against Heimdal libraries"
-.Sh SYNOPSIS
-.Nm
-.Op Fl -prefix Ns Op = Ns Ar dir
-.Op Fl -exec-prefix Ns Op = Ns Ar dir
-.Op Fl -libs
-.Op Fl -cflags
-.Op Ar libraries
-.Sh DESCRIPTION
-.Nm
-tells the application programmer what special flags to use to compile
-and link programs against the libraries installed by Heimdal.
-.Pp
-Options supported:
-.Bl -tag -width Ds
-.It Fl -prefix Ns Op = Ns Ar dir
-Print the prefix if no
-.Ar dir
-is specified, otherwise set prefix to
-.Ar dir .
-.It Fl -exec-prefix Ns Op = Ns Ar dir
-Print the exec-prefix if no
-.Ar dir
-is specified, otherwise set exec-prefix to
-.Ar dir .
-.It Fl -libs
-Output the set of libraries that should be linked against.
-.It Fl -cflags
-Output the set of flags to give to the C compiler when using the
-Heimdal libraries.
-.El
-.Pp
-By default
-.Nm
-will output the set of flags and libraries to be used by a normal
-program using the krb5 API. The user can also supply a library to be
-used, the supported ones are:
-.Bl -tag -width Ds
-.It krb5
-(the default)
-.It gssapi
-use the krb5 gssapi mechanism
-.It kadm-client
-use the client-side kadmin libraries
-.It kadm-server
-use the server-side kadmin libraries
-.El
-.Sh SEE ALSO
-.Xr cc 1
-.Sh HISTORY
-.Nm
-appeared in Heimdal 0.3d.
diff --git a/crypto/heimdal-0.6.3/tools/krb5-config.cat1 b/crypto/heimdal-0.6.3/tools/krb5-config.cat1
deleted file mode 100644
index 298f57b6cc..0000000000
--- a/crypto/heimdal-0.6.3/tools/krb5-config.cat1
+++ /dev/null
@@ -1,52 +0,0 @@ - -KRB5-CONFIG(1) UNIX Reference Manual KRB5-CONFIG(1) - -NNAAMMEE - kkrrbb55--ccoonnffiigg - give information on how to link code against Heimdal li- - braries - -SSYYNNOOPPSSIISS - kkrrbb55--ccoonnffiigg [----pprreeffiixx[=_d_i_r]] [----eexxeecc--pprreeffiixx[=_d_i_r]] [----lliibbss] [----ccffllaaggss] - [_l_i_b_r_a_r_i_e_s] - -DDEESSCCRRIIPPTTIIOONN - kkrrbb55--ccoonnffiigg tells the application programmer what special flags to use to - compile and link programs against the libraries installed by Heimdal. - - Options supported: - - ----pprreeffiixx[=_d_i_r] - Print the prefix if no _d_i_r is specified, otherwise set prefix to - _d_i_r. - - ----eexxeecc--pprreeffiixx[=_d_i_r] - Print the exec-prefix if no _d_i_r is specified, otherwise set exec- - prefix to _d_i_r. - - ----lliibbss Output the set of libraries that should be linked against. - - ----ccffllaaggss - Output the set of flags to give to the C compiler when using the - Heimdal libraries. - - By default kkrrbb55--ccoonnffiigg will output the set of flags and libraries to be - used by a normal program using the krb5 API. The user can also supply a - library to be used, the supported ones are: - - krb5 (the default) - - gssapi use the krb5 gssapi mechanism - - kadm-client - use the client-side kadmin libraries - - kadm-server - use the server-side kadmin libraries - -SSEEEE AALLSSOO - cc(1) - -HHIISSTTOORRYY - kkrrbb55--ccoonnffiigg appeared in Heimdal 0.3d. - - HEIMDAL November 30, 2000 1 diff --git a/crypto/heimdal-0.6.3/tools/krb5-config.in b/crypto/heimdal-0.6.3/tools/krb5-config.in deleted file mode 100644 index bdaa39754b..0000000000 --- a/crypto/heimdal-0.6.3/tools/krb5-config.in +++ /dev/null 
@@ -1,110 +0,0 @@
-#!/bin/sh
-# $Id: krb5-config.in,v 1.9 2002/09/09 22:29:06 joda Exp $
-
-do_libs=no
-do_cflags=no
-do_usage=no
-print_prefix=no
-print_exec_prefix=no
-library=krb5
-
-if test $# -eq 0; then
- do_usage=yes
- usage_exit=1
-fi
-
-for i in $*; do
- case $i in
- --help)
- do_usage=yes
- usage_exit=0
- ;;
- --version)
- echo "@PACKAGE@ @VERSION@"
- echo '$Id: krb5-config.in,v 1.9 2002/09/09 22:29:06 joda Exp $'
- exit 0
- ;;
- --prefix=*)
- prefix=`echo $i | sed 's/^--prefix=//'`
- ;;
- --prefix)
- print_prefix=yes
- ;;
- --exec-prefix=*)
- exec_prefix=`echo $i | sed 's/^--exec-prefix=//'`
- ;;
- --exec-prefix)
- print_exec_prefix=yes
- ;;
- --libs)
- do_libs=yes
- ;;
- --cflags)
- do_cflags=yes
- ;;
- krb5)
- library=krb5
- ;;
- gssapi)
- library=gssapi
- ;;
- kadm-client)
- library=kadm-client
- ;;
- kadm-server)
- library=kadm-server
- ;;
- *)
- echo "unknown option: $i"
- exit 1
- ;;
- esac
-done
-
-if test "$do_usage" = "yes"; then
- echo "usage: $0 [options] [libraries]"
- echo "options: [--prefix[=dir]] [--exec-prefix[=dir]] [--libs] [--cflags]"
- echo "libraries: krb5 gssapi kadm-client kadm-server"
- exit $usage_exit
-fi
-
-if test "$prefix" = ""; then
- prefix=@prefix@
-fi
-if test "$exec_prefix" = ""; then
- exec_prefix=@exec_prefix@
-fi
-
-libdir=@libdir@
-includedir=@includedir@
-
-if test "$print_prefix" = "yes"; then
- echo $prefix
-fi
-
-if test "$print_exec_prefix" = "yes"; then
- echo $exec_prefix
-fi
-
-if test "$do_libs" = "yes"; then
- lib_flags="-L${libdir}"
- case $library in
- gssapi)
- lib_flags="$lib_flags -lgssapi"
- ;;
- kadm-client)
- lib_flags="$lib_flags -lkadm5clnt"
- ;;
- kadm-server)
- lib_flags="$lib_flags -lkadm5srv"
- ;;
- esac
- lib_flags="$lib_flags -lkrb5 -lasn1 @LIB_des_appl@ -lroken"
- lib_flags="$lib_flags @LIB_crypt@ @LIB_dbopen@ @LIBS@"
- echo $lib_flags
-fi
-if test "$do_cflags" = "yes"; then
- echo "-I${includedir} @INCLUDE_des@"
-fi
-
-exit 0
diff --git a/etc/defaults/make.conf b/etc/defaults/make.conf index cbd512ca28..45687ed658 100644 --- a/etc/defaults/make.conf +++ b/etc/defaults/make.conf @@ -177,9 +177,6 @@ THREAD_LIB?= thread_xu # To build the installer as part of buildworld. #WANT_INSTALLER=yes # -# If you want Kerberos 5, define this. -#WANT_KERBEROS= yes -# # If you want to use the k5su utility, define this to have it installed # set-user-ID. #ENABLE_SUID_K5SU= yes diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf index 9bfb94f6ee..5998e977b4 100644 --- a/etc/defaults/rc.conf +++ b/etc/defaults/rc.conf @@ -153,16 +153,6 @@ named_program="/usr/sbin/named" # path to named, if you want a different one. named_pidfile="/var/run/named.pid" # Pid file named_chrootdir="/etc/namedb" # Chroot directory (or "" not to auto-chroot it) -# -# kerberos. Do not run the admin daemons on slave servers -# -kerberos5_server_enable="NO" # Run a kerberos 5 master server (or NO). -kerberos5_server_program="/usr/libexec/kdc" # path to kerberos 5 KDC -kadmind5_server_enable="NO" # Run kadmind (or NO) -kadmind5_server_program="/usr/libexec/kadmind" # path to kerberos 5 admin daemon -kpasswdd_server_enable="NO" # Run kpasswdd (or NO) -kpasswdd_server_program="/usr/libexec/kpasswdd" # path to kerberos 5 passwd daemon - rwhod_enable="NO" # Run the rwho daemon (or NO). rwhod_flags="" # Flags for rwhod rarpd_enable="NO" # Run rarpd (or NO). diff --git a/etc/mtree/BSD.var.dist b/etc/mtree/BSD.var.dist index b37abbda7f..6830369903 100644 --- a/etc/mtree/BSD.var.dist +++ b/etc/mtree/BSD.var.dist @@ -50,8 +50,6 @@ .. .. /set gname=wheel mode=0755 - heimdal mode=0700 - .. log .. mail gname=mail mode=0775 diff --git a/etc/newsyslog.conf b/etc/newsyslog.conf index 518c296a3b..d25d67e83e 100644 --- a/etc/newsyslog.conf +++ b/etc/newsyslog.conf 
@@ -21,7 +21,6 @@
 /var/log/cron 600 3 100 * Z
 /var/log/amd.log 644 7 100 * Z
 /var/log/auth.log 600 7 100 * Z
-/var/log/kerberos.log 600 7 100 * Z
 /var/log/lpd-errs 644 7 100 * Z
 /var/log/maillog 640 7 * @T00 Z
 /var/log/sendmail.st 640 10 * 168 B
diff --git a/etc/rc.d/Makefile b/etc/rc.d/Makefile
index 73e3ed3c41..81ad248469 100644
--- a/etc/rc.d/Makefile
+++ b/etc/rc.d/Makefile
@@ -13,7 +13,7 @@ FILES= DAEMON LOGIN NETWORKING SERVERS abi accounting addswap adjkerntz \
 fixbootfile fsck ftpd hostapd hostname \
 inetd initdiskless initrandom ip6fw ipfilter ipfs ipfw ipmon \
 ipnat ipsec ipxrouted isdnd jail \
- kadmind kerberos keyserv kpasswdd \
+ kadmind keyserv kpasswdd \
 ldconfig local localdaemons lockd lpd \
 mixer motd mountcritlocal mountcritremote \
 mountd moused mroute6d mrouted msgs \
diff --git a/etc/rc.d/kadmind b/etc/rc.d/kadmind
deleted file mode 100644
index 2e86e43133..0000000000
--- a/etc/rc.d/kadmind
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/sh
-#
-# $FreeBSD: src/etc/rc.d/kadmind,v 1.3 2003/03/08 09:50:10 markm Exp $
-# $DragonFly: src/etc/rc.d/kadmind,v 1.4 2006/10/24 09:24:15 victor Exp $
-#
-
-# PROVIDE: kadmin
-# REQUIRE: kerberos
-# BEFORE: DAEMON
-
-. /etc/rc.subr
-
-name="kadmind5"
-load_rc_config $name
-rcvar="kadmind5_server_enable"
-unset start_cmd
-command="${kadmind5_server_program}"
-command_args="&"
-required_vars="kerberos5_server_enable"
-
-run_rc_command "$1"
diff --git a/etc/rc.d/kerberos b/etc/rc.d/kerberos
deleted file mode 100644
index 42a5e9c06b..0000000000
--- a/etc/rc.d/kerberos
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/sh
-#
-# $FreeBSD: src/etc/rc.d/kerberos,v 1.3 2003/03/08 09:50:10 markm Exp $
-# $DragonFly: src/etc/rc.d/kerberos,v 1.4 2006/10/24 09:24:15 victor Exp $
-#
-
-# PROVIDE: kerberos
-# REQUIRE: NETWORKING
-
-. /etc/rc.subr
-
-name="kerberos5"
-load_rc_config $name
-rcvar="kerberos5_server_enable"
-command="${kerberos5_server_program}"
-command_args="&"
-
-run_rc_command "$1"
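Review bot: The rewritten continuation line `kadmind keyserv kpasswdd \` in etc/rc.d/Makefile still lists `kadmind`, although this same commit deletes etc/rc.d/kadmind, so installing the rc.d scripts would presumably fail on the missing file or pick up a stale copy. `kpasswdd` also stays in the list; no deletion of etc/rc.d/kpasswdd appears between the etc/rc.d/kerberos and kerberos5/Makefile sections of this diff, while the `kpasswdd_server_enable` and `kpasswdd_server_program` defaults are removed from etc/defaults/rc.conf, so that script looks orphaned and would be a boot script for a daemon that is no longer built. I would reduce the line to `keyserv \` and delete etc/rc.d/kpasswdd together with the other Kerberos service scripts. The `FILES` assignment starts above the hunk and continues past it, so the rest of the list should be checked for other Kerberos entries as well.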
diff --git a/kerberos5/Makefile b/kerberos5/Makefile
deleted file mode 100644
index 0edeaade15..0000000000
--- a/kerberos5/Makefile
+++ /dev/null
@@ -1,32 +0,0 @@
-# $FreeBSD: src/kerberos5/Makefile,v 1.16 2004/01/31 08:15:52 ru Exp $
-# $DragonFly: src/kerberos5/Makefile,v 1.3 2005/01/16 14:25:45 eirikn Exp $
-
-SUBDIR= doc tools lib libexec usr.bin usr.sbin
-
-# These are the programs which depend on Kerberos.
-KPROGS= lib/libpam \
- secure/lib/libssh secure/usr.bin/ssh secure/usr.sbin/sshd
-
-# This target is used to rebuild these programs WITH Kerberos.
-kerberize:
-.for entry in ${KPROGS}
- cd ${.CURDIR}/../${entry}; \
- ${MAKE} cleandir; \
- ${MAKE} obj; \
- ${MAKE} depend; \
- ${MAKE} all; \
- ${MAKE} install
-.endfor
-
-# This target is used to rebuild these programs WITHOUT Kerberos.
-dekerberize:
-.for entry in ${KPROGS}
- cd ${.CURDIR}/../${entry}; \
- ${MAKE} -DNO_KERBEROS cleandir; \
- ${MAKE} -DNO_KERBEROS obj; \
- ${MAKE} -DNO_KERBEROS depend; \
- ${MAKE} -DNO_KERBEROS all; \
- ${MAKE} -DNO_KERBEROS install
-.endfor
-
-.include
diff --git a/kerberos5/Makefile.inc b/kerberos5/Makefile.inc
deleted file mode 100644
index 700c66a541..0000000000
--- a/kerberos5/Makefile.inc
+++ /dev/null
@@ -1,56 +0,0 @@
-# $FreeBSD: src/kerberos5/Makefile.inc,v 1.24 2004/12/21 09:33:44 ru Exp $
-# $DragonFly: src/kerberos5/Makefile.inc,v 1.7 2005/07/14 18:02:33 joerg Exp $
-
-NO_LINT=
-
-KRB5DIR= ${.CURDIR}/../../../crypto/heimdal-0.6.3
-
-CFLAGS+= -DHAVE_CONFIG_H -I${.CURDIR}/../../include
-CFLAGS+= -DINET6
-
-.if defined(WITH_OPENLDAP)
-OPENLDAPBASE?= /usr/local
-LDAPLDADD= -lldap -llber
-LDAPDPADD= ${LDAPLDADD:C;^-l(.*)$;${OPENLDAPBASE}/lib/lib\1.a;}
-LDAPCFLAGS= -I${OPENLDAPBASE}/include -DOPENLDAP=1
-LDAPLDFLAGS= -L${OPENLDAPBASE}/lib -Wl,-rpath,${OPENLDAPBASE}/lib
-.endif
-
-.if exists(${.OBJDIR}/../../lib/libvers)
-LIBVERS= ${.OBJDIR}/../../lib/libvers/libvers.a
-.else
-LIBVERS= ${.CURDIR}/../../lib/libvers/libvers.a
-.endif
-
-.if exists(${.OBJDIR}/../../lib/libsl)
-LIBSL= ${.OBJDIR}/../../lib/libsl/libsl.a
-.else
-LIBSL= ${.CURDIR}/../../lib/libsl/libsl.a
-.endif
-
-MAKEPRINTVERSION=${.OBJDIR}/../../tools/make-print-version/make-print-version.nx
-MAKEROKEN= ${.OBJDIR}/../../tools/make-roken/make-roken.nx
-ASN1COMPILE= ${.OBJDIR}/../../tools/asn1_compile/asn1_compile.nx
-
-.if defined(SRCS)
-
-ETSRCS= \
- ${KRB5DIR}/lib/asn1/asn1_err.et \
- ${KRB5DIR}/lib/hdb/hdb_err.et \
- ${KRB5DIR}/lib/kadm5/kadm5_err.et \
- ${KRB5DIR}/lib/krb5/heim_err.et \
- ${KRB5DIR}/lib/krb5/k524_err.et \
- ${KRB5DIR}/lib/krb5/krb5_err.et
-
-.for ET in ${ETSRCS}
-.for _ET in ${ET:T:R}
-.if ${SRCS:M${_ET}.[ch]} != ""
-.ORDER: ${_ET}.c ${_ET}.h
-${_ET}.c ${_ET}.h: ${ET}
- compile_et ${.ALLSRC}
-CLEANFILES+= ${_ET}.h ${_ET}.c
-.endif
-.endfor
-.endfor
-
-.endif defined(SRCS)
diff --git a/kerberos5/README b/kerberos5/README
deleted file mode 100644
index 42e7782884..0000000000
--- a/kerberos5/README
+++ /dev/null
@@ -1,15 +0,0 @@
-$DragonFly: src/kerberos5/README,v 1.2 2005/01/16 14:25:45 eirikn Exp $
-
-This subtree is world-exportable, as it does not contain any
-cryptographic code.
-
-At the time of writing, it did not even contain source code, only
-Makefiles and headers.
-
-Please maintain this "exportable" status quo.
-
-Thanks!
-
-MarkM
-markm@freebsd.org
-20th Sept 1997
diff --git a/kerberos5/doc/Makefile b/kerberos5/doc/Makefile
deleted file mode 100644
index 368937575d..0000000000
--- a/kerberos5/doc/Makefile
+++ /dev/null
@@ -1,7 +0,0 @@
-# $FreeBSD: src/kerberos5/doc/Makefile,v 1.1 2002/07/05 05:47:13 ru Exp $
-# $DragonFly: src/kerberos5/doc/Makefile,v 1.1 2005/01/16 14:25:46 eirikn Exp $
-
-INFO= heimdal
-SRCDIR= ${.CURDIR}/../../crypto/heimdal-0.6.3/doc
-
-.include
diff --git a/kerberos5/include/config.h b/kerberos5/include/config.h
deleted file mode 100644
index 8a0ff7609e..0000000000
--- a/kerberos5/include/config.h
+++ /dev/null
@@ -1,1429 +0,0 @@ -/* $DragonFly: src/kerberos5/include/config.h,v 1.6 2007/01/23 10:22:55 swildner Exp $ */ -/* include/config.h. Generated by configure. */ -/* include/config.h.in. Generated from configure.in by autoheader. */ - -#ifndef RCSID -#define RCSID(msg) \ -static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } -#endif - -/* Maximum values on all known systems */ -#define MaxHostNameLen (64+4) -#define MaxPathLen (1024+4) - - - -/* Define if you want authentication support in telnet. */ -#define AUTHENTICATION 1 - -/* path to bin */ -#define BINDIR "/usr/bin" - -/* Define if realloc(NULL) doesn't work. */ -/* #undef BROKEN_REALLOC */ - -/* Define if you want support for DCE/DFS PAG's. */ -/* #undef DCE */ - -/* Define if you want to use DES encryption in telnet. */ -#define DES_ENCRYPTION 1 - -/* Define this to enable diagnostics in telnet. */ -#define DIAGNOSTICS 1 - -/* Define if you want encryption support in telnet. */ -#define ENCRYPTION 1 - -/* define if sys/param.h defines the endiness */ -#define ENDIANESS_IN_SYS_PARAM_H 1 - -/* Define this if you want support for broken ENV_{VAR,VAL} telnets. */ -/* #undef ENV_HACK */ - -/* define if prototype of gethostbyaddr is compatible with struct hostent - *gethostbyaddr(const void *, size_t, int) */ -/* #undef GETHOSTBYADDR_PROTO_COMPATIBLE */ - -/* define if prototype of gethostbyname is compatible with struct hostent - *gethostbyname(const char *) */ -#define GETHOSTBYNAME_PROTO_COMPATIBLE 1 - -/* define if prototype of getservbyname is compatible with struct servent - *getservbyname(const char *, const char *) */ -#define GETSERVBYNAME_PROTO_COMPATIBLE 1 - -/* define if prototype of getsockname is compatible with int getsockname(int, - struct sockaddr*, socklen_t*) */ -#define GETSOCKNAME_PROTO_COMPATIBLE 1 - -/* Define if you have the `altzone' variable. 
*/ -/* #undef HAVE_ALTZONE */ - -/* define if your system declares altzone */ -/* #undef HAVE_ALTZONE_DECLARATION */ - -/* Define to 1 if you have the header file. */ -#define HAVE_ARPA_FTP_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_ARPA_INET_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_ARPA_NAMESER_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_ARPA_TELNET_H 1 - -/* Define to 1 if you have the `asnprintf' function. */ -/* #undef HAVE_ASNPRINTF */ - -/* Define to 1 if you have the `asprintf' function. */ -#define HAVE_ASPRINTF 1 - -/* Define to 1 if you have the `atexit' function. */ -#define HAVE_ATEXIT 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_BIND_BITYPES_H */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_BSDSETJMP_H */ - -/* Define to 1 if you have the `bswap16' function. */ -/* #undef HAVE_BSWAP16 */ - -/* Define to 1 if you have the `bswap32' function. */ -/* #undef HAVE_BSWAP32 */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_CAPABILITY_H */ - -/* Define to 1 if you have the `cap_set_proc' function. */ -/* #undef HAVE_CAP_SET_PROC */ - -/* Define to 1 if you have the `cgetent' function. */ -#define HAVE_CGETENT 1 - -/* Define if you have the function `chown'. */ -#define HAVE_CHOWN 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_CONFIG_H */ - -/* Define if you have the function `copyhostent'. */ -/* #undef HAVE_COPYHOSTENT */ - -/* Define to 1 if you have the `crypt' function. */ -#define HAVE_CRYPT 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_CRYPT_H */ - -/* Define to 1 if you have the header file. */ -#define HAVE_CURSES_H 1 - -/* Define if you have the function `daemon'. 
*/ -#define HAVE_DAEMON 1 - -/* define if you have a berkeley db1/2 library */ -#define HAVE_DB1 1 - -/* define if you have a berkeley db3/4 library */ -/* #undef HAVE_DB3 */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_DB3_DB_H */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_DB4_DB_H */ - -/* Define to 1 if you have the `dbm_firstkey' function. */ -#define HAVE_DBM_FIRSTKEY 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_DBM_H */ - -/* Define to 1 if you have the `dbopen' function. */ -#define HAVE_DBOPEN 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_DB_185_H */ - -/* Define to 1 if you have the `db_create' function. */ -/* #undef HAVE_DB_CREATE */ - -/* Define to 1 if you have the header file. */ -#define HAVE_DB_H 1 - -/* define if you have ndbm compat in db */ -/* #undef HAVE_DB_NDBM */ - -/* Define to 1 if you have the header file. */ -#define HAVE_DIRENT_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_DLFCN_H 1 - -/* Define to 1 if you have the `dlopen' function. */ -#define HAVE_DLOPEN 1 - -/* Define to 1 if you have the `dn_expand' function. */ -#define HAVE_DN_EXPAND 1 - -/* Define if you have the function `ecalloc'. */ -/* #undef HAVE_ECALLOC */ - -/* Define to 1 if you have the `el_init' function. */ -#define HAVE_EL_INIT 1 - -/* Define if you have the function `emalloc'. */ -/* #undef HAVE_EMALLOC */ - -/* define if your system declares environ */ -/* #undef HAVE_ENVIRON_DECLARATION */ - -/* Define if you have the function `erealloc'. */ -/* #undef HAVE_EREALLOC */ - -/* Define if you have the function `err'. */ -#define HAVE_ERR 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_ERRNO_H 1 - -/* Define if you have the function `errx'. */ -#define HAVE_ERRX 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_ERR_H 1 - -/* Define if you have the function `estrdup'. 
*/ -/* #undef HAVE_ESTRDUP */ - -/* Define if you have the function `fchown'. */ -#define HAVE_FCHOWN 1 - -/* Define to 1 if you have the `fcntl' function. */ -#define HAVE_FCNTL 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_FCNTL_H 1 - -/* Define if you have the function `flock'. */ -#define HAVE_FLOCK 1 - -/* Define if you have the function `fnmatch'. */ -#define HAVE_FNMATCH 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_FNMATCH_H 1 - -/* Define if el_init takes four arguments. */ -#define HAVE_FOUR_VALUED_EL_INIT 1 - -/* define if krb_put_int takes four arguments. */ -/* #undef HAVE_FOUR_VALUED_KRB_PUT_INT */ - -/* Define to 1 if you have the `freeaddrinfo' function. */ -#define HAVE_FREEADDRINFO 1 - -/* Define if you have the function `freehostent'. */ -#define HAVE_FREEHOSTENT 1 - -/* Define to 1 if you have the `gai_strerror' function. */ -#define HAVE_GAI_STRERROR 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_GDBM_NDBM_H */ - -/* Define to 1 if you have the `getaddrinfo' function. */ -#define HAVE_GETADDRINFO 1 - -/* Define to 1 if you have the `getconfattr' function. */ -/* #undef HAVE_GETCONFATTR */ - -/* Define if you have the function `getcwd'. */ -#define HAVE_GETCWD 1 - -/* Define if you have the function `getdtablesize'. */ -#define HAVE_GETDTABLESIZE 1 - -/* Define if you have the function `getegid'. */ -#define HAVE_GETEGID 1 - -/* Define if you have the function `geteuid'. */ -#define HAVE_GETEUID 1 - -/* Define if you have the function `getgid'. */ -#define HAVE_GETGID 1 - -/* Define to 1 if you have the `gethostbyname' function. */ -#define HAVE_GETHOSTBYNAME 1 - -/* Define to 1 if you have the `gethostbyname2' function. */ -#define HAVE_GETHOSTBYNAME2 1 - -/* Define if you have the function `gethostname'. */ -#define HAVE_GETHOSTNAME 1 - -/* Define if you have the function `getifaddrs'. */ -#define HAVE_GETIFADDRS 1 - -/* Define if you have the function `getipnodebyaddr'. 
*/ -#define HAVE_GETIPNODEBYADDR 1 - -/* Define if you have the function `getipnodebyname'. */ -#define HAVE_GETIPNODEBYNAME 1 - -/* Define to 1 if you have the `getlogin' function. */ -#define HAVE_GETLOGIN 1 - -/* Define if you have a working getmsg. */ -/* #undef HAVE_GETMSG */ - -/* Define to 1 if you have the `getnameinfo' function. */ -#define HAVE_GETNAMEINFO 1 - -/* Define if you have the function `getopt'. */ -#define HAVE_GETOPT 1 - -/* Define to 1 if you have the `getpagesize' function. */ -#define HAVE_GETPAGESIZE 1 - -/* Define to 1 if you have the `getprogname' function. */ -#define HAVE_GETPROGNAME 1 - -/* Define to 1 if you have the `getpwnam_r' function. */ -/* #undef HAVE_GETPWNAM_R */ - -/* Define to 1 if you have the `getrlimit' function. */ -#define HAVE_GETRLIMIT 1 - -/* Define to 1 if you have the `getsockopt' function. */ -#define HAVE_GETSOCKOPT 1 - -/* Define to 1 if you have the `getspnam' function. */ -/* #undef HAVE_GETSPNAM */ - -/* Define if you have the function `gettimeofday'. */ -#define HAVE_GETTIMEOFDAY 1 - -/* Define to 1 if you have the `getudbnam' function. */ -/* #undef HAVE_GETUDBNAM */ - -/* Define if you have the function `getuid'. */ -#define HAVE_GETUID 1 - -/* Define if you have the function `getusershell'. */ -#define HAVE_GETUSERSHELL 1 - -/* define if you have a glob() that groks GLOB_BRACE, GLOB_NOCHECK, - GLOB_QUOTE, GLOB_TILDE, and GLOB_LIMIT */ -#define HAVE_GLOB 1 - -/* Define to 1 if you have the `grantpt' function. */ -/* #undef HAVE_GRANTPT */ - -/* Define to 1 if you have the header file. */ -#define HAVE_GRP_H 1 - -/* Define to 1 if you have the `hstrerror' function. */ -#define HAVE_HSTRERROR 1 - -/* Define if you have the `h_errlist' variable. */ -#define HAVE_H_ERRLIST 1 - -/* define if your system declares h_errlist */ -/* #undef HAVE_H_ERRLIST_DECLARATION */ - -/* Define if you have the `h_errno' variable. 
*/ -#define HAVE_H_ERRNO 1 - -/* define if your system declares h_errno */ -#define HAVE_H_ERRNO_DECLARATION 1 - -/* Define if you have the `h_nerr' variable. */ -#define HAVE_H_NERR 1 - -/* define if your system declares h_nerr */ -/* #undef HAVE_H_NERR_DECLARATION */ - -/* Define to 1 if you have the header file. */ -#define HAVE_IFADDRS_H 1 - -/* Define if you have the in6addr_loopback variable */ -#define HAVE_IN6ADDR_LOOPBACK 1 - -/* define */ -#define HAVE_INET_ATON 1 - -/* define */ -#define HAVE_INET_NTOP 1 - -/* define */ -#define HAVE_INET_PTON 1 - -/* Define if you have the function `initgroups'. */ -#define HAVE_INITGROUPS 1 - -/* Define to 1 if you have the `initstate' function. */ -#define HAVE_INITSTATE 1 - -/* Define if you have the function `innetgr'. */ -#define HAVE_INNETGR 1 - -/* Define to 1 if the system has the type `int16_t'. */ -#define HAVE_INT16_T 1 - -/* Define to 1 if the system has the type `int32_t'. */ -#define HAVE_INT32_T 1 - -/* Define to 1 if the system has the type `int64_t'. */ -#define HAVE_INT64_T 1 - -/* Define to 1 if the system has the type `int8_t'. */ -#define HAVE_INT8_T 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_INTTYPES_H 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_IO_H */ - -/* Define if you have IPv6. */ -#define HAVE_IPV6 1 - -/* Define if you have the function `iruserok'. */ -#define HAVE_IRUSEROK 1 - -/* Define to 1 if you have the `issetugid' function. */ -#define HAVE_ISSETUGID 1 - -/* Define to 1 if you have the `krb_disable_debug' function. */ -/* #undef HAVE_KRB_DISABLE_DEBUG */ - -/* Define to 1 if you have the `krb_enable_debug' function. */ -/* #undef HAVE_KRB_ENABLE_DEBUG */ - -/* Define to 1 if you have the `krb_get_kdc_time_diff' function. */ -/* #undef HAVE_KRB_GET_KDC_TIME_DIFF */ - -/* Define to 1 if you have the `krb_get_our_ip_for_realm' function. 
*/ -/* #undef HAVE_KRB_GET_OUR_IP_FOR_REALM */ - -/* Define to 1 if you have the `krb_kdctimeofday' function. */ -/* #undef HAVE_KRB_KDCTIMEOFDAY */ - -/* Define to 1 if you have the header file. */ -#define HAVE_LIBUTIL_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_LIMITS_H 1 - -/* Define to 1 if you have the `loadquery' function. */ -/* #undef HAVE_LOADQUERY */ - -/* Define if you have the function `localtime_r'. */ -#define HAVE_LOCALTIME_R 1 - -/* Define to 1 if you have the `logout' function. */ -#define HAVE_LOGOUT 1 - -/* Define to 1 if you have the `logwtmp' function. */ -#define HAVE_LOGWTMP 1 - -/* Define to 1 if the system has the type `long long'. */ -#define HAVE_LONG_LONG 1 - -/* Define if you have the function `lstat'. */ -#define HAVE_LSTAT 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_MAILLOCK_H */ - -/* Define if you have the function `memmove'. */ -#define HAVE_MEMMOVE 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_MEMORY_H 1 - -/* Define if you have the function `mkstemp'. */ -#define HAVE_MKSTEMP 1 - -/* Define to 1 if you have the `mktime' function. */ -#define HAVE_MKTIME 1 - -/* Define to 1 if you have a working `mmap' system call. */ -#define HAVE_MMAP 1 - -/* define if you have a ndbm library */ -#define HAVE_NDBM 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_NDBM_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_NETDB_H 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_NETGROUP_H */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_NETINET6_IN6_H */ - -/* Define to 1 if you have the header file. */ -#define HAVE_NETINET6_IN6_VAR_H 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_NETINET_IN6_H */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_NETINET_IN6_MACHTYPES_H */ - -/* Define to 1 if you have the header file. 
*/ -#define HAVE_NETINET_IN_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_NETINET_IN_SYSTM_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_NETINET_IP_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_NETINET_TCP_H 1 - -/* Define if you want to use Netinfo instead of krb5.conf. */ -/* #undef HAVE_NETINFO */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_NETINFO_NI_H */ - -/* Define to 1 if you have the header file. */ -#define HAVE_NET_IF_H 1 - -/* Define if NDBM really is DB (creates files *.db) */ -#define HAVE_NEW_DB 1 - -/* define if you have hash functions like md4_finito() */ -/* #undef HAVE_OLD_HASH_NAMES */ - -/* Define to 1 if you have the `on_exit' function. */ -/* #undef HAVE_ON_EXIT */ - -/* Define to 1 if you have the `openpty' function. */ -#define HAVE_OPENPTY 1 - -/* define to use openssl's libcrypto */ -#define HAVE_OPENSSL 1 - -/* define if your system declares optarg */ -#define HAVE_OPTARG_DECLARATION 1 - -/* define if your system declares opterr */ -#define HAVE_OPTERR_DECLARATION 1 - -/* define if your system declares optind */ -#define HAVE_OPTIND_DECLARATION 1 - -/* define if your system declares optopt */ -#define HAVE_OPTOPT_DECLARATION 1 - -/* Define to enable basic OSF C2 support. */ -/* #undef HAVE_OSFC2 */ - -/* Define to 1 if you have the header file. */ -#define HAVE_PATHS_H 1 - -/* Define to 1 if you have the `pidfile' function. */ -#define HAVE_PIDFILE 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_PTHREAD_H 1 - -/* Define to 1 if you have the `ptsname' function. */ -/* #undef HAVE_PTSNAME */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_PTY_H */ - -/* Define if you have the function `putenv'. */ -#define HAVE_PUTENV 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_PWD_H 1 - -/* Define to 1 if you have the `rand' function. */ -#define HAVE_RAND 1 - -/* Define to 1 if you have the `random' function. 
*/ -#define HAVE_RANDOM 1 - -/* Define if you have the function `rcmd'. */ -#define HAVE_RCMD 1 - -/* Define if you have a readline compatible library. */ -/* #undef HAVE_READLINE */ - -/* Define if you have the function `readv'. */ -#define HAVE_READV 1 - -/* Define if you have the function `recvmsg'. */ -#define HAVE_RECVMSG 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_RESOLV_H 1 - -/* Define to 1 if you have the `res_nsearch' function. */ -/* #undef HAVE_RES_NSEARCH */ - -/* Define to 1 if you have the `res_search' function. */ -#define HAVE_RES_SEARCH 1 - -/* Define to 1 if you have the `revoke' function. */ -#define HAVE_REVOKE 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_RPCSVC_YPCLNT_H 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_SAC_H */ - -/* Define to 1 if the system has the type `sa_family_t'. */ -#define HAVE_SA_FAMILY_T 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_SECURITY_PAM_MODULES_H 1 - -/* Define to 1 if you have the `select' function. */ -#define HAVE_SELECT 1 - -/* Define if you have the function `sendmsg'. */ -#define HAVE_SENDMSG 1 - -/* Define if you have the function `setegid'. */ -#define HAVE_SETEGID 1 - -/* Define if you have the function `setenv'. */ -#define HAVE_SETENV 1 - -/* Define if you have the function `seteuid'. */ -#define HAVE_SETEUID 1 - -/* Define to 1 if you have the `setitimer' function. */ -#define HAVE_SETITIMER 1 - -/* Define to 1 if you have the `setlim' function. */ -/* #undef HAVE_SETLIM */ - -/* Define to 1 if you have the `setlogin' function. */ -#define HAVE_SETLOGIN 1 - -/* Define to 1 if you have the `setpcred' function. */ -/* #undef HAVE_SETPCRED */ - -/* Define to 1 if you have the `setpgid' function. */ -#define HAVE_SETPGID 1 - -/* Define to 1 if you have the `setproctitle' function. */ -#define HAVE_SETPROCTITLE 1 - -/* Define to 1 if you have the `setprogname' function. 
*/ -#define HAVE_SETPROGNAME 1 - -/* Define to 1 if you have the `setregid' function. */ -#define HAVE_SETREGID 1 - -/* Define to 1 if you have the `setresgid' function. */ -#define HAVE_SETRESGID 1 - -/* Define to 1 if you have the `setresuid' function. */ -#define HAVE_SETRESUID 1 - -/* Define to 1 if you have the `setreuid' function. */ -#define HAVE_SETREUID 1 - -/* Define to 1 if you have the `setsid' function. */ -#define HAVE_SETSID 1 - -/* Define to 1 if you have the `setsockopt' function. */ -#define HAVE_SETSOCKOPT 1 - -/* Define to 1 if you have the `setstate' function. */ -#define HAVE_SETSTATE 1 - -/* Define to 1 if you have the `setutent' function. */ -/* #undef HAVE_SETUTENT */ - -/* Define to 1 if you have the `sgi_getcapabilitybyname' function. */ -/* #undef HAVE_SGI_GETCAPABILITYBYNAME */ - -/* Define to 1 if you have the header file. */ -#define HAVE_SGTTY_H 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_SHADOW_H */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_SIAD_H */ - -/* Define to 1 if you have the `sigaction' function. */ -#define HAVE_SIGACTION 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_SIGNAL_H 1 - -/* define if you have a working snprintf */ -#define HAVE_SNPRINTF 1 - -/* Define to 1 if you have the `socket' function. */ -#define HAVE_SOCKET 1 - -/* Define to 1 if the system has the type `socklen_t'. */ -#define HAVE_SOCKLEN_T 1 - -/* Define to 1 if the system has the type `ssize_t'. */ -#define HAVE_SSIZE_T 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_STANDARDS_H */ - -/* Define to 1 if you have the header file. */ -#define HAVE_STDINT_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_STDLIB_H 1 - -/* Define if you have the function `strcasecmp'. */ -#define HAVE_STRCASECMP 1 - -/* Define if you have the function `strdup'. */ -#define HAVE_STRDUP 1 - -/* Define if you have the function `strerror'. 
*/ -#define HAVE_STRERROR 1 - -/* Define if you have the function `strftime'. */ -#define HAVE_STRFTIME 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_STRINGS_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_STRING_H 1 - -/* Define if you have the function `strlcat'. */ -#define HAVE_STRLCAT 1 - -/* Define if you have the function `strlcpy'. */ -#define HAVE_STRLCPY 1 - -/* Define if you have the function `strlwr'. */ -/* #undef HAVE_STRLWR */ - -/* Define if you have the function `strncasecmp'. */ -#define HAVE_STRNCASECMP 1 - -/* Define if you have the function `strndup'. */ -#define HAVE_STRNDUP 1 - -/* Define if you have the function `strnlen'. */ -/* #undef HAVE_STRNLEN */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_STROPTS_H */ - -/* Define if you have the function `strptime'. */ -#define HAVE_STRPTIME 1 - -/* Define if you have the function `strsep'. */ -#define HAVE_STRSEP 1 - -/* Define if you have the function `strsep_copy'. */ -/* #undef HAVE_STRSEP_COPY */ - -/* Define to 1 if you have the `strstr' function. */ -#define HAVE_STRSTR 1 - -/* Define to 1 if you have the `strsvis' function. */ -/* #undef HAVE_STRSVIS */ - -/* Define if you have the function `strtok_r'. */ -#define HAVE_STRTOK_R 1 - -/* Define to 1 if the system has the type `struct addrinfo'. */ -#define HAVE_STRUCT_ADDRINFO 1 - -/* Define to 1 if the system has the type `struct ifaddrs'. */ -#define HAVE_STRUCT_IFADDRS 1 - -/* Define to 1 if the system has the type `struct iovec'. */ -#define HAVE_STRUCT_IOVEC 1 - -/* Define to 1 if the system has the type `struct msghdr'. */ -#define HAVE_STRUCT_MSGHDR 1 - -/* Define to 1 if the system has the type `struct sockaddr'. */ -#define HAVE_STRUCT_SOCKADDR 1 - -/* Define if struct sockaddr has field sa_len. */ -#define HAVE_STRUCT_SOCKADDR_SA_LEN 1 - -/* Define to 1 if the system has the type `struct sockaddr_storage'. 
*/ -#define HAVE_STRUCT_SOCKADDR_STORAGE 1 - -/* define if you have struct spwd */ -/* #undef HAVE_STRUCT_SPWD */ - -/* Define if struct tm has field tm_gmtoff. */ -#define HAVE_STRUCT_TM_TM_GMTOFF 1 - -/* Define if struct tm has field tm_zone. */ -#define HAVE_STRUCT_TM_TM_ZONE 1 - -/* Define if struct utmpx has field ut_exit. */ -/* #undef HAVE_STRUCT_UTMPX_UT_EXIT */ - -/* Define if struct utmpx has field ut_syslen. */ -/* #undef HAVE_STRUCT_UTMPX_UT_SYSLEN */ - -/* Define if struct utmp has field ut_addr. */ -/* #undef HAVE_STRUCT_UTMP_UT_ADDR */ - -/* Define if struct utmp has field ut_host. */ -/* #undef HAVE_STRUCT_UTMP_UT_HOST */ - -/* Define if struct utmp has field ut_id. */ -/* #undef HAVE_STRUCT_UTMP_UT_ID */ - -/* Define if struct utmp has field ut_pid. */ -/* #undef HAVE_STRUCT_UTMP_UT_PID */ - -/* Define if struct utmp has field ut_type. */ -/* #undef HAVE_STRUCT_UTMP_UT_TYPE */ - -/* Define if struct utmp has field ut_user. */ -/* #undef HAVE_STRUCT_UTMP_UT_USER */ - -/* define if struct winsize is declared in sys/termios.h */ -#define HAVE_STRUCT_WINSIZE 1 - -/* Define to 1 if you have the `strunvis' function. */ -#define HAVE_STRUNVIS 1 - -/* Define if you have the function `strupr'. */ -/* #undef HAVE_STRUPR */ - -/* Define to 1 if you have the `strvis' function. */ -#define HAVE_STRVIS 1 - -/* Define to 1 if you have the `strvisx' function. */ -#define HAVE_STRVISX 1 - -/* Define to 1 if you have the `svis' function. */ -/* #undef HAVE_SVIS */ - -/* Define if you have the function `swab'. */ -#define HAVE_SWAB 1 - -/* Define to 1 if you have the `sysconf' function. */ -#define HAVE_SYSCONF 1 - -/* Define to 1 if you have the `sysctl' function. */ -#define HAVE_SYSCTL 1 - -/* Define to 1 if you have the `syslog' function. */ -#define HAVE_SYSLOG 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_SYSLOG_H 1 - -/* Define to 1 if you have the header file. 
*/ -/* #undef HAVE_SYS_BITYPES_H */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_SYS_BSWAP_H */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_SYS_CAPABILITY_H */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_SYS_CATEGORY_H */ - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_FILE_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_FILIO_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_IOCCOM_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_IOCTL_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_MMAN_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_PARAM_H 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_SYS_PROC_H */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_SYS_PTYIO_H */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_SYS_PTYVAR_H */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_SYS_PTY_H */ - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_RESOURCE_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_SELECT_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_SOCKET_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_SOCKIO_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_STAT_H 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_SYS_STREAM_H */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_SYS_STROPTS_H */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_SYS_STRTTY_H */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_SYS_STR_TTY_H */ - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_SYSCALL_H 1 - -/* Define to 1 if you have the header file. 
*/ -#define HAVE_SYS_SYSCTL_H 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_SYS_TERMIO_H */ - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_TIMEB_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_TIMES_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_TIME_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_TTY_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_TYPES_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_UIO_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_UN_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_UTSNAME_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_WAIT_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_TERMCAP_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_TERMIOS_H 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_TERMIO_H */ - -/* Define to 1 if you have the header file. */ -#define HAVE_TERM_H 1 - -/* Define to 1 if you have the `tgetent' function. */ -#define HAVE_TGETENT 1 - -/* Define to 1 if you have the `timegm' function. */ -#define HAVE_TIMEGM 1 - -/* Define if you have the `timezone' variable. */ -#define HAVE_TIMEZONE 1 - -/* define if your system declares timezone */ -#define HAVE_TIMEZONE_DECLARATION 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_TIME_H 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_TMPDIR_H */ - -/* Define to 1 if you have the `ttyname' function. */ -#define HAVE_TTYNAME 1 - -/* Define to 1 if you have the `ttyslot' function. */ -#define HAVE_TTYSLOT 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_UDB_H */ - -/* Define to 1 if the system has the type `uint16_t'. */ -#define HAVE_UINT16_T 1 - -/* Define to 1 if the system has the type `uint32_t'. 
*/ -#define HAVE_UINT32_T 1 - -/* Define to 1 if the system has the type `uint64_t'. */ -#define HAVE_UINT64_T 1 - -/* Define to 1 if the system has the type `uint8_t'. */ -#define HAVE_UINT8_T 1 - -/* Define to 1 if you have the `umask' function. */ -#define HAVE_UMASK 1 - -/* Define to 1 if you have the `uname' function. */ -#define HAVE_UNAME 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_UNISTD_H 1 - -/* Define to 1 if you have the `unlockpt' function. */ -/* #undef HAVE_UNLOCKPT */ - -/* Define if you have the function `unsetenv'. */ -#define HAVE_UNSETENV 1 - -/* Define to 1 if you have the `unvis' function. */ -#define HAVE_UNVIS 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_USERCONF_H */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_USERSEC_H */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_UTIL_H */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_UTMPX_H */ - -/* Define to 1 if you have the header file. */ -#define HAVE_UTMP_H 1 - -/* Define to 1 if the system has the type `u_int16_t'. */ -#define HAVE_U_INT16_T 1 - -/* Define to 1 if the system has the type `u_int32_t'. */ -#define HAVE_U_INT32_T 1 - -/* Define to 1 if the system has the type `u_int64_t'. */ -#define HAVE_U_INT64_T 1 - -/* Define to 1 if the system has the type `u_int8_t'. */ -#define HAVE_U_INT8_T 1 - -/* Define to 1 if you have the `vasnprintf' function. */ -/* #undef HAVE_VASNPRINTF */ - -/* Define to 1 if you have the `vasprintf' function. */ -#define HAVE_VASPRINTF 1 - -/* Define if you have the function `verr'. */ -#define HAVE_VERR 1 - -/* Define if you have the function `verrx'. */ -#define HAVE_VERRX 1 - -/* Define to 1 if you have the `vhangup' function. */ -/* #undef HAVE_VHANGUP */ - -/* Define to 1 if you have the `vis' function. */ -#define HAVE_VIS 1 - -/* Define to 1 if you have the header file. 
*/ -#define HAVE_VIS_H 1 - -/* define if you have a working vsnprintf */ -#define HAVE_VSNPRINTF 1 - -/* Define if you have the function `vsyslog'. */ -#define HAVE_VSYSLOG 1 - -/* Define if you have the function `vwarn'. */ -#define HAVE_VWARN 1 - -/* Define if you have the function `vwarnx'. */ -#define HAVE_VWARNX 1 - -/* Define if you have the function `warn'. */ -#define HAVE_WARN 1 - -/* Define if you have the function `warnx'. */ -#define HAVE_WARNX 1 - -/* Define if you have the function `writev'. */ -#define HAVE_WRITEV 1 - -/* define if struct winsize has ws_xpixel */ -#define HAVE_WS_XPIXEL 1 - -/* define if struct winsize has ws_ypixel */ -#define HAVE_WS_YPIXEL 1 - -/* Define to 1 if you have the `XauFileName' function. */ -#define HAVE_XAUFILENAME 1 - -/* Define to 1 if you have the `XauReadAuth' function. */ -#define HAVE_XAUREADAUTH 1 - -/* Define to 1 if you have the `XauWriteAuth' function. */ -#define HAVE_XAUWRITEAUTH 1 - -/* Define to 1 if you have the `yp_get_default_domain' function. */ -#define HAVE_YP_GET_DEFAULT_DOMAIN 1 - -/* Define to 1 if you have the `_getpty' function. */ -/* #undef HAVE__GETPTY */ - -/* Define if you have the `_res' variable. */ -#define HAVE__RES 1 - -/* define if your system declares _res */ -#define HAVE__RES_DECLARATION 1 - -/* Define to 1 if you have the `_scrsize' function. */ -/* #undef HAVE__SCRSIZE */ - -/* define if your compiler has __attribute__ */ -#define HAVE___ATTRIBUTE__ 1 - -/* Define if you have the `__progname' variable. */ -#define HAVE___PROGNAME 1 - -/* define if your system declares __progname */ -/* #undef HAVE___PROGNAME_DECLARATION */ - -/* Define if you have the hesiod package. */ -/* #undef HESIOD */ - -/* Define if you are running IRIX 4. */ -/* #undef IRIX4 */ - -/* Define if you have the krb4 package. */ -/* #undef KRB4 */ - -/* Enable Kerberos 5 support in applications. 
*/ -#define KRB5 1 - -/* Define if krb_mk_req takes const char * */ -/* #undef KRB_MK_REQ_CONST */ - -/* This is the krb4 sendauth version. */ -/* #undef KRB_SENDAUTH_VERS */ - -/* Define to zero if your krb.h doesn't */ -/* #undef KRB_VERIFY_NOT_SECURE */ - -/* Define to one if your krb.h doesn't */ -/* #undef KRB_VERIFY_SECURE */ - -/* Define to two if your krb.h doesn't */ -/* #undef KRB_VERIFY_SECURE_FAIL */ - -/* path to lib */ -#define LIBDIR "/usr/lib" - -/* path to libexec */ -#define LIBEXECDIR "/usr/libexec" - -/* path to localstate */ -#define LOCALSTATEDIR "/var/heimdal" - -/* define if the system is missing a prototype for asnprintf() */ -#define NEED_ASNPRINTF_PROTO 1 - -/* define if the system is missing a prototype for asprintf() */ -/* #undef NEED_ASPRINTF_PROTO */ - -/* define if the system is missing a prototype for crypt() */ -/* #undef NEED_CRYPT_PROTO */ - -/* define if the system is missing a prototype for gethostname() */ -/* #undef NEED_GETHOSTNAME_PROTO */ - -/* define if the system is missing a prototype for getusershell() */ -/* #undef NEED_GETUSERSHELL_PROTO */ - -/* define if the system is missing a prototype for glob() */ -/* #undef NEED_GLOB_PROTO */ - -/* define if the system is missing a prototype for hstrerror() */ -/* #undef NEED_HSTRERROR_PROTO */ - -/* define if the system is missing a prototype for inet_aton() */ -/* #undef NEED_INET_ATON_PROTO */ - -/* define if the system is missing a prototype for mkstemp() */ -/* #undef NEED_MKSTEMP_PROTO */ - -/* define if the system is missing a prototype for setenv() */ -/* #undef NEED_SETENV_PROTO */ - -/* define if the system is missing a prototype for snprintf() */ -/* #undef NEED_SNPRINTF_PROTO */ - -/* define if the system is missing a prototype for strndup() */ -/* #undef NEED_STRNDUP_PROTO */ - -/* define if the system is missing a prototype for strsep() */ -/* #undef NEED_STRSEP_PROTO */ - -/* define if the system is missing a prototype for strsvis() */ -#define 
NEED_STRSVIS_PROTO 1 - -/* define if the system is missing a prototype for strtok_r() */ -/* #undef NEED_STRTOK_R_PROTO */ - -/* define if the system is missing a prototype for strunvis() */ -/* #undef NEED_STRUNVIS_PROTO */ - -/* define if the system is missing a prototype for strvisx() */ -/* #undef NEED_STRVISX_PROTO */ - -/* define if the system is missing a prototype for strvis() */ -/* #undef NEED_STRVIS_PROTO */ - -/* define if the system is missing a prototype for svis() */ -#define NEED_SVIS_PROTO 1 - -/* define if the system is missing a prototype for unsetenv() */ -/* #undef NEED_UNSETENV_PROTO */ - -/* define if the system is missing a prototype for unvis() */ -/* #undef NEED_UNVIS_PROTO */ - -/* define if the system is missing a prototype for vasnprintf() */ -#define NEED_VASNPRINTF_PROTO 1 - -/* define if the system is missing a prototype for vasprintf() */ -/* #undef NEED_VASPRINTF_PROTO */ - -/* define if the system is missing a prototype for vis() */ -/* #undef NEED_VIS_PROTO */ - -/* define if the system is missing a prototype for vsnprintf() */ -/* #undef NEED_VSNPRINTF_PROTO */ - -/* Define if you don't want to use mmap. */ -/* #undef NO_MMAP */ - -/* Define this to enable old environment option in telnet. */ -#define OLD_ENVIRON 1 - -/* Define if you have the openldap package. */ -/* #undef OPENLDAP */ - -/* define if prototype of openlog is compatible with void openlog(const char - *, int, int) */ -#define OPENLOG_PROTO_COMPATIBLE 1 - -/* Define if you want OTP support in applications. */ -#define OTP 1 - -/* Name of package */ -#define PACKAGE "heimdal" - -/* Define to the address where bug reports for this package should be sent. */ -#define PACKAGE_BUGREPORT "heimdal-bugs@pdc.kth.se" - -/* Define to the full name of this package. */ -#define PACKAGE_NAME "Heimdal" - -/* Define to the full name and version of this package. */ -#define PACKAGE_STRING "Heimdal 0.6.3" - -/* Define to the one symbol short name of this package. 
*/ -#define PACKAGE_TARNAME "heimdal" - -/* Define to the version of this package. */ -#define PACKAGE_VERSION "0.6.3" - -/* Define if getlogin has POSIX flavour (and not BSD). */ -/* #undef POSIX_GETLOGIN */ - -/* Define if getpwnam_r has POSIX flavour. */ -/* #undef POSIX_GETPWNAM_R */ - -/* Define if you have the readline package. */ -/* #undef READLINE */ - -/* Define as the return type of signal handlers (`int' or `void'). */ -#define RETSIGTYPE void - -/* path to sbin */ -#define SBINDIR "/usr/sbin" - -/* Define to 1 if you have the ANSI C header files. */ -#define STDC_HEADERS 1 - -/* Define if you have streams ptys. */ -/* #undef STREAMSPTY */ - -/* path to sysconf */ -#define SYSCONFDIR "/etc" - -/* Define to what version of SunOS you are running. */ -/* #undef SunOS */ - -/* Define to 1 if you can safely include both and . */ -#define TIME_WITH_SYS_TIME 1 - -/* Define to 1 if your declares `struct tm'. */ -/* #undef TM_IN_SYS_TIME */ - -/* Version number of package */ -#define VERSION "0.6.3" - -/* Define if signal handlers return void. */ -#define VOID_RETSIGTYPE 1 - -/* define if target is big endian */ -/* #undef WORDS_BIGENDIAN */ - -/* Define to 1 if the X Window System is missing or not being used. */ -/* #undef X_DISPLAY_MISSING */ - -/* Define to 1 if `lex' declares `yytext' as a `char *' by default, not a - `char[]'. */ -#define YYTEXT_POINTER 1 - -/* Number of bits in a file offset, on hosts where this is settable. */ -/* #undef _FILE_OFFSET_BITS */ - -/* Define to enable extensions on glibc-based systems such as Linux. */ -#define _GNU_SOURCE 1 - -/* Define for large files, on AIX-style hosts. */ -/* #undef _LARGE_FILES */ - -/* Define to empty if `const' does not conform to ANSI C. */ -/* #undef const */ - -/* Define to `int' if doesn't define. */ -/* #undef gid_t */ - -/* Define to `__inline__' or `__inline' if that's what the C compiler - calls it, or to nothing if 'inline' is not supported under any name. 
*/ -#ifndef __cplusplus -/* #undef inline */ -#endif - -/* Define this to what the type mode_t should be. */ -/* #undef mode_t */ - -/* Define to `long' if does not define. */ -/* #undef off_t */ - -/* Define to `int' if does not define. */ -/* #undef pid_t */ - -/* Define this to what the type sig_atomic_t should be. */ -/* #undef sig_atomic_t */ - -/* Define to `unsigned' if does not define. */ -/* #undef size_t */ - -/* Define to `int' if doesn't define. */ -/* #undef uid_t */ - -#if defined(HAVE_FOUR_VALUED_KRB_PUT_INT) || !defined(KRB4) -#define KRB_PUT_INT(F, T, L, S) krb_put_int((F), (T), (L), (S)) -#else -#define KRB_PUT_INT(F, T, L, S) krb_put_int((F), (T), (S)) -#endif - - - -#if defined(ENCRYPTION) && !defined(AUTHENTICATION) -#define AUTHENTICATION 1 -#endif - -/* Set this to the default system lead string for telnetd - * can contain %-escapes: %s=sysname, %m=machine, %r=os-release - * %v=os-version, %t=tty, %h=hostname, %d=date and time - */ -/* #undef USE_IM */ - -/* Used with login -p */ -/* #undef LOGIN_ARGS */ - -/* set this to a sensible login */ -#ifndef LOGIN_PATH -#define LOGIN_PATH BINDIR "/login" -#endif - - -#ifdef ROKEN_RENAME -#include "roken_rename.h" -#endif - -#ifndef HAVE_KRB_KDCTIMEOFDAY -#define krb_kdctimeofday(X) gettimeofday((X), NULL) -#endif - -#ifndef HAVE_KRB_GET_KDC_TIME_DIFF -#define krb_get_kdc_time_diff() (0) -#endif - -#ifdef VOID_RETSIGTYPE -#define SIGRETURN(x) return -#else -#define SIGRETURN(x) return (RETSIGTYPE)(x) -#endif - -#ifdef BROKEN_REALLOC -#define realloc(X, Y) isoc_realloc((X), (Y)) -#define isoc_realloc(X, Y) ((X) ? 
realloc((X), (Y)) : malloc(Y)) -#endif - - -#if ENDIANESS_IN_SYS_PARAM_H -# include -# include -# if BYTE_ORDER == BIG_ENDIAN -# define WORDS_BIGENDIAN 1 -# endif -#endif - - -#if _AIX -#define _ALL_SOURCE -/* XXX this is gross, but kills about a gazillion warnings */ -struct ether_addr; -struct sockaddr; -struct sockaddr_dl; -struct sockaddr_in; -#endif - - -/* IRIX 4 braindamage */ -#if IRIX == 4 && !defined(__STDC__) -#define __STDC__ 0 -#endif -
diff --git a/kerberos5/include/crypto-headers.h b/kerberos5/include/crypto-headers.h
deleted file mode 100644
index 48e9900fbe..0000000000
--- a/kerberos5/include/crypto-headers.h
+++ /dev/null
@@ -1,11 +0,0 @@
-/* $FreeBSD: src/kerberos5/include/crypto-headers.h,v 1.2 2003/01/21 14:08:24 nectar Exp $ */
-/* $DragonFly: src/kerberos5/include/crypto-headers.h,v 1.3 2005/01/16 14:25:46 eirikn Exp $ */
-#ifndef __crypto_headers_h__
-#define __crypto_headers_h__
-#define OPENSSL_DES_LIBDES_COMPATIBILITY
-#include
-#include
-#include
-#include
-#include
-#endif /* __crypto_headers_h__ */
diff --git a/kerberos5/include/heim_err.h b/kerberos5/include/heim_err.h
deleted file mode 100644
index d6d79a6d6d..0000000000
--- a/kerberos5/include/heim_err.h
+++ /dev/null
@@ -1,41 +0,0 @@ -/* Generated from /home/eirikn/src/kerberos5/lib/libkrb5/../../../crypto/heimdal-0.6.3/lib/krb5/heim_err.et */ -/* $DragonFly: src/kerberos5/include/heim_err.h,v 1.1 2005/01/23 18:55:26 eirikn Exp $ */ -/* $Id: heim_err.et,v 1.12 2001/06/21 03:51:36 assar Exp $ */ - -#ifndef __heim_err_h__ -#define __heim_err_h__ - -#include - -void initialize_heim_error_table_r(struct et_list **); - -void initialize_heim_error_table(void); -#define init_heim_err_tbl initialize_heim_error_table - -typedef enum heim_error_number{ - ERROR_TABLE_BASE_heim = -1980176640, - heim_err_base = -1980176640, - HEIM_ERR_LOG_PARSE = -1980176640, - HEIM_ERR_V4_PRINC_NO_CONV = -1980176639, - HEIM_ERR_SALTTYPE_NOSUPP = -1980176638, - HEIM_ERR_NOHOST = -1980176637, - HEIM_ERR_OPNOTSUPP = -1980176636, - HEIM_ERR_EOF = -1980176635, - HEIM_ERR_BAD_MKEY = -1980176634, - HEIM_ERR_SERVICE_NOMATCH = -1980176633, - HEIM_EAI_UNKNOWN = -1980176512, - HEIM_EAI_ADDRFAMILY = -1980176511, - HEIM_EAI_AGAIN = -1980176510, - HEIM_EAI_BADFLAGS = -1980176509, - HEIM_EAI_FAIL = -1980176508, - HEIM_EAI_FAMILY = -1980176507, - HEIM_EAI_MEMORY = -1980176506, - HEIM_EAI_NODATA = -1980176505, - HEIM_EAI_NONAME = -1980176504, - HEIM_EAI_SERVICE = -1980176503, - HEIM_EAI_SOCKTYPE = -1980176502, - HEIM_EAI_SYSTEM = -1980176501, - heim_num_errors = 140 -} heim_error_number; - -#endif /* __heim_err_h__ */ diff --git a/kerberos5/include/k524_err.h b/kerberos5/include/k524_err.h deleted file mode 100644 index b941365de6..0000000000 --- a/kerberos5/include/k524_err.h +++ /dev/null 
@@ -1,29 +0,0 @@ -/* Generated from /home/eirikn/src/kerberos5/lib/libkrb5/../../../crypto/heimdal-0.6.3/lib/krb5/k524_err.et */ -/* $DragonFly: src/kerberos5/include/k524_err.h,v 1.1 2005/01/23 18:55:26 eirikn Exp $ */ -/* $Id: k524_err.et,v 1.1 2001/06/20 02:44:11 joda Exp $ */ - -#ifndef __k524_err_h__ -#define __k524_err_h__ - -#include - -void initialize_k524_error_table_r(struct et_list **); - -void initialize_k524_error_table(void); -#define init_k524_err_tbl initialize_k524_error_table - -typedef enum k524_error_number{ - ERROR_TABLE_BASE_k524 = -1750206208, - k524_err_base = -1750206208, - KRB524_BADKEY = -1750206208, - KRB524_BADADDR = -1750206207, - KRB524_BADPRINC = -1750206206, - KRB524_BADREALM = -1750206205, - KRB524_V4ERR = -1750206204, - KRB524_ENCFULL = -1750206203, - KRB524_DECEMPTY = -1750206202, - KRB524_NOTRESP = -1750206201, - k524_num_errors = 8 -} k524_error_number; - -#endif /* __k524_err_h__ */ diff --git a/kerberos5/include/krb5-types.h b/kerberos5/include/krb5-types.h deleted file mode 100644 index 3adad2475a..0000000000 --- a/kerberos5/include/krb5-types.h +++ /dev/null @@ -1,18 +0,0 @@ -/* krb5-types.h -- this file was generated for i386-unknown-freebsd5.0 by - $Id: bits.c,v 1.22 2002/08/28 16:08:44 joda Exp $ */ - -/* $FreeBSD: src/kerberos5/include/krb5-types.h,v 1.3 2002/08/30 21:33:16 nectar Exp $ */ -/* $DragonFly: src/kerberos5/include/krb5-types.h,v 1.3 2005/01/16 14:25:46 eirikn Exp $ */ - -#ifndef __krb5_types_h__ -#define __krb5_types_h__ - -#include -#include -#include - -typedef socklen_t krb5_socklen_t; -#include -typedef ssize_t krb5_ssize_t; - -#endif /* __krb5_types_h__ */ diff --git a/kerberos5/include/krb5_err.h b/kerberos5/include/krb5_err.h deleted file mode 100644 index d890b48093..0000000000 --- a/kerberos5/include/krb5_err.h +++ /dev/null 
@@ -1,183 +0,0 @@ -/* Generated from /home/eirikn/src/kerberos5/lib/libkrb5/../../../crypto/heimdal-0.6.3/lib/krb5/krb5_err.et */ -/* $DragonFly: src/kerberos5/include/krb5_err.h,v 1.1 2005/01/23 18:55:26 eirikn Exp $ */ -/* $Id: krb5_err.et,v 1.9 2000/04/06 00:41:37 assar Exp $ */ - -#ifndef __krb5_err_h__ -#define __krb5_err_h__ - -#include - -void initialize_krb5_error_table_r(struct et_list **); - -void initialize_krb5_error_table(void); -#define init_krb5_err_tbl initialize_krb5_error_table - -typedef enum krb5_error_number{ - ERROR_TABLE_BASE_krb5 = -1765328384, - krb5_err_base = -1765328384, - KRB5KDC_ERR_NONE = -1765328384, - KRB5KDC_ERR_NAME_EXP = -1765328383, - KRB5KDC_ERR_SERVICE_EXP = -1765328382, - KRB5KDC_ERR_BAD_PVNO = -1765328381, - KRB5KDC_ERR_C_OLD_MAST_KVNO = -1765328380, - KRB5KDC_ERR_S_OLD_MAST_KVNO = -1765328379, - KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN = -1765328378, - KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN = -1765328377, - KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE = -1765328376, - KRB5KDC_ERR_NULL_KEY = -1765328375, - KRB5KDC_ERR_CANNOT_POSTDATE = -1765328374, - KRB5KDC_ERR_NEVER_VALID = -1765328373, - KRB5KDC_ERR_POLICY = -1765328372, - KRB5KDC_ERR_BADOPTION = -1765328371, - KRB5KDC_ERR_ETYPE_NOSUPP = -1765328370, - KRB5KDC_ERR_SUMTYPE_NOSUPP = -1765328369, - KRB5KDC_ERR_PADATA_TYPE_NOSUPP = -1765328368, - KRB5KDC_ERR_TRTYPE_NOSUPP = -1765328367, - KRB5KDC_ERR_CLIENT_REVOKED = -1765328366, - KRB5KDC_ERR_SERVICE_REVOKED = -1765328365, - KRB5KDC_ERR_TGT_REVOKED = -1765328364, - KRB5KDC_ERR_CLIENT_NOTYET = -1765328363, - KRB5KDC_ERR_SERVICE_NOTYET = -1765328362, - KRB5KDC_ERR_KEY_EXPIRED = -1765328361, - KRB5KDC_ERR_PREAUTH_FAILED = -1765328360, - KRB5KDC_ERR_PREAUTH_REQUIRED = -1765328359, - KRB5KDC_ERR_SERVER_NOMATCH = -1765328358, - KRB5KRB_AP_ERR_BAD_INTEGRITY = -1765328353, - KRB5KRB_AP_ERR_TKT_EXPIRED = -1765328352, - KRB5KRB_AP_ERR_TKT_NYV = -1765328351, - KRB5KRB_AP_ERR_REPEAT = -1765328350, - KRB5KRB_AP_ERR_NOT_US = -1765328349, - KRB5KRB_AP_ERR_BADMATCH = 
-1765328348, - KRB5KRB_AP_ERR_SKEW = -1765328347, - KRB5KRB_AP_ERR_BADADDR = -1765328346, - KRB5KRB_AP_ERR_BADVERSION = -1765328345, - KRB5KRB_AP_ERR_MSG_TYPE = -1765328344, - KRB5KRB_AP_ERR_MODIFIED = -1765328343, - KRB5KRB_AP_ERR_BADORDER = -1765328342, - KRB5KRB_AP_ERR_ILL_CR_TKT = -1765328341, - KRB5KRB_AP_ERR_BADKEYVER = -1765328340, - KRB5KRB_AP_ERR_NOKEY = -1765328339, - KRB5KRB_AP_ERR_MUT_FAIL = -1765328338, - KRB5KRB_AP_ERR_BADDIRECTION = -1765328337, - KRB5KRB_AP_ERR_METHOD = -1765328336, - KRB5KRB_AP_ERR_BADSEQ = -1765328335, - KRB5KRB_AP_ERR_INAPP_CKSUM = -1765328334, - KRB5KRB_AP_PATH_NOT_ACCEPTED = -1765328333, - KRB5KRB_ERR_RESPONSE_TOO_BIG = -1765328332, - KRB5KRB_ERR_GENERIC = -1765328324, - KRB5KRB_ERR_FIELD_TOOLONG = -1765328323, - KDC_ERROR_CLIENT_NOT_TRUSTED = -1765328322, - KDC_ERROR_KDC_NOT_TRUSTED = -1765328321, - KDC_ERROR_INVALID_SIG = -1765328320, - KDC_ERROR_KEY_TOO_WEAK = -1765328319, - KDC_ERROR_CERTIFICATE_MISMATCH = -1765328318, - KRB5_AP_ERR_USER_TO_USER_REQUIRED = -1765328317, - KDC_ERROR_CANT_VERIFY_CERTIFICATE = -1765328316, - KDC_ERROR_INVALID_CERTIFICATE = -1765328315, - KDC_ERROR_REVOKED_CERTIFICATE = -1765328314, - KDC_ERROR_REVOCATION_STATUS_UNKNOWN = -1765328313, - KDC_ERROR_REVOCATION_STATUS_UNAVAILABLE = -1765328312, - KDC_ERROR_CLIENT_NAME_MISMATCH = -1765328311, - KDC_ERROR_KDC_NAME_MISMATCH = -1765328310, - KRB5_ERR_RCSID = -1765328256, - KRB5_LIBOS_BADLOCKFLAG = -1765328255, - KRB5_LIBOS_CANTREADPWD = -1765328254, - KRB5_LIBOS_BADPWDMATCH = -1765328253, - KRB5_LIBOS_PWDINTR = -1765328252, - KRB5_PARSE_ILLCHAR = -1765328251, - KRB5_PARSE_MALFORMED = -1765328250, - KRB5_CONFIG_CANTOPEN = -1765328249, - KRB5_CONFIG_BADFORMAT = -1765328248, - KRB5_CONFIG_NOTENUFSPACE = -1765328247, - KRB5_BADMSGTYPE = -1765328246, - KRB5_CC_BADNAME = -1765328245, - KRB5_CC_UNKNOWN_TYPE = -1765328244, - KRB5_CC_NOTFOUND = -1765328243, - KRB5_CC_END = -1765328242, - KRB5_NO_TKT_SUPPLIED = -1765328241, - KRB5KRB_AP_WRONG_PRINC = -1765328240, 
- KRB5KRB_AP_ERR_TKT_INVALID = -1765328239, - KRB5_PRINC_NOMATCH = -1765328238, - KRB5_KDCREP_MODIFIED = -1765328237, - KRB5_KDCREP_SKEW = -1765328236, - KRB5_IN_TKT_REALM_MISMATCH = -1765328235, - KRB5_PROG_ETYPE_NOSUPP = -1765328234, - KRB5_PROG_KEYTYPE_NOSUPP = -1765328233, - KRB5_WRONG_ETYPE = -1765328232, - KRB5_PROG_SUMTYPE_NOSUPP = -1765328231, - KRB5_REALM_UNKNOWN = -1765328230, - KRB5_SERVICE_UNKNOWN = -1765328229, - KRB5_KDC_UNREACH = -1765328228, - KRB5_NO_LOCALNAME = -1765328227, - KRB5_MUTUAL_FAILED = -1765328226, - KRB5_RC_TYPE_EXISTS = -1765328225, - KRB5_RC_MALLOC = -1765328224, - KRB5_RC_TYPE_NOTFOUND = -1765328223, - KRB5_RC_UNKNOWN = -1765328222, - KRB5_RC_REPLAY = -1765328221, - KRB5_RC_IO = -1765328220, - KRB5_RC_NOIO = -1765328219, - KRB5_RC_PARSE = -1765328218, - KRB5_RC_IO_EOF = -1765328217, - KRB5_RC_IO_MALLOC = -1765328216, - KRB5_RC_IO_PERM = -1765328215, - KRB5_RC_IO_IO = -1765328214, - KRB5_RC_IO_UNKNOWN = -1765328213, - KRB5_RC_IO_SPACE = -1765328212, - KRB5_TRANS_CANTOPEN = -1765328211, - KRB5_TRANS_BADFORMAT = -1765328210, - KRB5_LNAME_CANTOPEN = -1765328209, - KRB5_LNAME_NOTRANS = -1765328208, - KRB5_LNAME_BADFORMAT = -1765328207, - KRB5_CRYPTO_INTERNAL = -1765328206, - KRB5_KT_BADNAME = -1765328205, - KRB5_KT_UNKNOWN_TYPE = -1765328204, - KRB5_KT_NOTFOUND = -1765328203, - KRB5_KT_END = -1765328202, - KRB5_KT_NOWRITE = -1765328201, - KRB5_KT_IOERR = -1765328200, - KRB5_NO_TKT_IN_RLM = -1765328199, - KRB5DES_BAD_KEYPAR = -1765328198, - KRB5DES_WEAK_KEY = -1765328197, - KRB5_BAD_ENCTYPE = -1765328196, - KRB5_BAD_KEYSIZE = -1765328195, - KRB5_BAD_MSIZE = -1765328194, - KRB5_CC_TYPE_EXISTS = -1765328193, - KRB5_KT_TYPE_EXISTS = -1765328192, - KRB5_CC_IO = -1765328191, - KRB5_FCC_PERM = -1765328190, - KRB5_FCC_NOFILE = -1765328189, - KRB5_FCC_INTERNAL = -1765328188, - KRB5_CC_WRITE = -1765328187, - KRB5_CC_NOMEM = -1765328186, - KRB5_CC_FORMAT = -1765328185, - KRB5_INVALID_FLAGS = -1765328184, - KRB5_NO_2ND_TKT = -1765328183, - 
KRB5_NOCREDS_SUPPLIED = -1765328182, - KRB5_SENDAUTH_BADAUTHVERS = -1765328181, - KRB5_SENDAUTH_BADAPPLVERS = -1765328180, - KRB5_SENDAUTH_BADRESPONSE = -1765328179, - KRB5_SENDAUTH_REJECTED = -1765328178, - KRB5_PREAUTH_BAD_TYPE = -1765328177, - KRB5_PREAUTH_NO_KEY = -1765328176, - KRB5_PREAUTH_FAILED = -1765328175, - KRB5_RCACHE_BADVNO = -1765328174, - KRB5_CCACHE_BADVNO = -1765328173, - KRB5_KEYTAB_BADVNO = -1765328172, - KRB5_PROG_ATYPE_NOSUPP = -1765328171, - KRB5_RC_REQUIRED = -1765328170, - KRB5_ERR_BAD_HOSTNAME = -1765328169, - KRB5_ERR_HOST_REALM_UNKNOWN = -1765328168, - KRB5_SNAME_UNSUPP_NAMETYPE = -1765328167, - KRB5KRB_AP_ERR_V4_REPLY = -1765328166, - KRB5_REALM_CANT_RESOLVE = -1765328165, - KRB5_TKT_NOT_FORWARDABLE = -1765328164, - KRB5_FWD_BAD_PRINCIPAL = -1765328163, - KRB5_GET_IN_TKT_LOOP = -1765328162, - KRB5_CONFIG_NODEFREALM = -1765328161, - KRB5_SAM_UNSUPPORTED = -1765328160, - KRB5_KT_NAME_TOOLONG = -1765328159, - krb5_num_errors = 226 -} krb5_error_number; - -#endif /* __krb5_err_h__ */
diff --git a/kerberos5/include/version.h b/kerberos5/include/version.h
deleted file mode 100644
index 566b8ed641..0000000000
--- a/kerberos5/include/version.h
+++ /dev/null
@@ -1,3 +0,0 @@
-/* $DragonFly: src/kerberos5/include/version.h,v 1.3 2005/01/16 14:25:46 eirikn Exp $ */
-const char *heimdal_long_version = "@(#)$Version: Heimdal 0.6.3 by eirik on lap.eirikn.net (i386-unknown-dragonfly1.1) Sat Jan 15 17:36:21 GMT 2005 $";
-const char *heimdal_version = "Heimdal 0.6.3";
diff --git a/kerberos5/lib/Makefile b/kerberos5/lib/Makefile
deleted file mode 100644
index 06719d5256..0000000000
--- a/kerberos5/lib/Makefile
+++ /dev/null
@@ -1,7 +0,0 @@
-# $FreeBSD: src/kerberos5/lib/Makefile,v 1.10 2004/01/31 08:15:52 ru Exp $
-# $DragonFly: src/kerberos5/lib/Makefile,v 1.4 2005/01/16 14:25:46 eirikn Exp $
-
-SUBDIR= libasn1 libgssapi libhdb libkadm5clnt libkadm5srv \
- libkafs5 libkrb5 libroken libsl libvers
-
-.include
diff --git a/kerberos5/lib/Makefile.inc b/kerberos5/lib/Makefile.inc
deleted file mode 100644
index 65a2b85951..0000000000
--- a/kerberos5/lib/Makefile.inc
+++ /dev/null
@@ -1,10 +0,0 @@
-# $FreeBSD: src/kerberos5/lib/Makefile.inc,v 1.6 2003/10/09 19:48:45 nectar Exp $
-# $DragonFly: src/kerberos5/lib/Makefile.inc,v 1.4 2005/04/21 13:42:33 joerg Exp $
-
-SHLIB_MAJOR?= 8
-
-CFLAGS+=-I${.OBJDIR}/../../lib/libroken -I${.OBJDIR}/../../lib/libasn1 \
- -I${.OBJDIR}/../../lib/libkrb5 -I${KRB5DIR}/lib/roken \
- -I${KRB5DIR}/lib/krb5
-
-.include "../Makefile.inc"
diff --git a/kerberos5/lib/libasn1/Makefile b/kerberos5/lib/libasn1/Makefile
deleted file mode 100644
index 5c4f8c8e53..0000000000
--- a/kerberos5/lib/libasn1/Makefile
+++ /dev/null
@@ -1,86 +0,0 @@
-# $FreeBSD: src/kerberos5/lib/libasn1/Makefile,v 1.22 2004/02/05 18:51:48 ru Exp $
-# $DragonFly: src/kerberos5/lib/libasn1/Makefile,v 1.5 2005/01/16 14:25:46 eirikn Exp $
-
-LIB= asn1
-INCS= asn1_err.h krb5_asn1.h
-
-SRCS= asn1_err.c \
- asn1_err.h \
- der_copy.c \
- der_free.c \
- der_get.c \
- der_length.c \
- der_put.c \
- krb5_asn1.h \
- timegm.c \
- ${GEN:S/.x$/.c/}
-
-CFLAGS+=-I${KRB5DIR}/lib/asn1 -I${KRB5DIR}/lib/roken -I.
-
-GEN= asn1_APOptions.x \
- asn1_AP_REP.x \
- asn1_AP_REQ.x \
- asn1_AS_REP.x \
- asn1_AS_REQ.x \
- asn1_Authenticator.x \
- asn1_AuthorizationData.x \
- asn1_CKSUMTYPE.x \
- asn1_ChangePasswdDataMS.x \
- asn1_Checksum.x \
- asn1_ENCTYPE.x \
- asn1_ETYPE_INFO.x \
- asn1_ETYPE_INFO_ENTRY.x \
- asn1_EncAPRepPart.x \
- asn1_EncASRepPart.x \
- asn1_EncKDCRepPart.x \
- asn1_EncKrbCredPart.x \
- asn1_EncKrbPrivPart.x \
- asn1_EncTGSRepPart.x \
- asn1_EncTicketPart.x \
- asn1_EncryptedData.x \
- asn1_EncryptionKey.x \
- asn1_HostAddress.x \
- asn1_HostAddresses.x \
- asn1_KDCOptions.x \
- asn1_KDC_REP.x \
- asn1_KDC_REQ.x \
- asn1_KDC_REQ_BODY.x \
- asn1_KRB_CRED.x \
- asn1_KRB_ERROR.x \
- asn1_KRB_PRIV.x \
- asn1_KRB_SAFE.x \
- asn1_KRB_SAFE_BODY.x \
- asn1_KerberosTime.x \
- asn1_KrbCredInfo.x \
- asn1_LR_TYPE.x \
- asn1_LastReq.x \
- asn1_MESSAGE_TYPE.x \
- asn1_METHOD_DATA.x \
- asn1_NAME_TYPE.x \
- asn1_PADATA_TYPE.x \
- asn1_PA_DATA.x \
- asn1_PA_ENC_TS_ENC.x \
- asn1_Principal.x \
- asn1_PrincipalName.x \
- asn1_Realm.x \
- asn1_TGS_REP.x \
- asn1_TGS_REQ.x \
- asn1_Ticket.x \
- asn1_TicketFlags.x \
- asn1_TransitedEncoding.x \
- asn1_UNSIGNED.x
-
-CLEANFILES= ${GEN} ${GEN:S/.x$/.c/} krb5_asn1.h asn1_files
-
-.ORDER: ${GEN} krb5_asn1.h
-${GEN} krb5_asn1.h: k5.asn1
- ${ASN1COMPILE} ${.ALLSRC:M*.asn1} krb5_asn1
-
-.for I in ${GEN}
-${I:R}.c: ${I}
- cat ${.ALLSRC} > ${.TARGET}
-.endfor
-
-.include
-
-.PATH: ${KRB5DIR}/lib/asn1
diff --git a/kerberos5/lib/libgssapi/Makefile b/kerberos5/lib/libgssapi/Makefile
deleted file mode 100644
index b1b404a1d6..0000000000
--- a/kerberos5/lib/libgssapi/Makefile
+++ /dev/null
@@ -1,98 +0,0 @@ -# $FreeBSD: src/kerberos5/lib/libgssapi/Makefile,v 1.10 2004/04/04 03:31:05 nectar Exp $ -# $DragonFly: src/kerberos5/lib/libgssapi/Makefile,v 1.4 2005/01/16 14:25:46 eirikn Exp $ - -LIB= gssapi -INCS= gssapi.h -MAN= gss_acquire_cred.3 gssapi.3 - -MLINKS= gss_acquire_cred.3 gss_accept_sec_context.3 \ - gss_acquire_cred.3 gss_add_cred.3 \ - gss_acquire_cred.3 gss_add_oid_set_member.3 \ - gss_acquire_cred.3 gss_canonicalize_name.3 \ - gss_acquire_cred.3 gss_compare_name.3 \ - gss_acquire_cred.3 gss_context_time.3 \ - gss_acquire_cred.3 gss_create_empty_oid_set.3 \ - gss_acquire_cred.3 gss_delete_sec_context.3 \ - gss_acquire_cred.3 gss_display_name.3 \ - gss_acquire_cred.3 gss_display_status.3 \ - gss_acquire_cred.3 gss_duplicate_name.3 \ - gss_acquire_cred.3 gss_export_name.3 \ - gss_acquire_cred.3 gss_export_sec_context.3 \ - gss_acquire_cred.3 gss_get_mic.3 \ - gss_acquire_cred.3 gss_import_name.3 \ - gss_acquire_cred.3 gss_import_sec_context.3 \ - gss_acquire_cred.3 gss_indicate_mechs.3 \ - gss_acquire_cred.3 gss_init_sec_context.3 \ - gss_acquire_cred.3 gss_inquire_context.3 \ - gss_acquire_cred.3 gss_inquire_cred.3 \ - gss_acquire_cred.3 gss_inquire_cred_by_mech.3 \ - gss_acquire_cred.3 gss_inquire_mechs_for_name.3 \ - gss_acquire_cred.3 gss_inquire_names_for_mech.3 \ - gss_acquire_cred.3 gss_krb5_compat_des3_mic.3 \ - gss_acquire_cred.3 gss_krb5_copy_ccache.3 \ - gss_acquire_cred.3 gss_process_context_token.3 \ - gss_acquire_cred.3 gss_release_buffer.3 \ - gss_acquire_cred.3 gss_release_cred.3 \ - gss_acquire_cred.3 gss_release_name.3 \ - gss_acquire_cred.3 gss_release_oid_set.3 \ - gss_acquire_cred.3 gss_seal.3 \ - gss_acquire_cred.3 gss_sign.3 \ - gss_acquire_cred.3 gss_test_oid_set_member.3 \ - gss_acquire_cred.3 gss_unseal.3 \ - gss_acquire_cred.3 gss_unwrap.3 \ - gss_acquire_cred.3 gss_verify.3 \ - gss_acquire_cred.3 gss_verify_mic.3 \ - gss_acquire_cred.3 gss_wrap.3 \ - gss_acquire_cred.3 gss_wrap_size_limit.3 - -SRCS= 8003.c \ - 
accept_sec_context.c \ - acquire_cred.c \ - add_cred.c \ - add_oid_set_member.c \ - address_to_krb5addr.c \ - arcfour.c \ - canonicalize_name.c \ - compare_name.c \ - compat.c \ - context_time.c \ - copy_ccache.c \ - create_emtpy_oid_set.c \ - decapsulate.c \ - delete_sec_context.c \ - display_name.c \ - display_status.c \ - duplicate_name.c \ - encapsulate.c \ - export_name.c \ - export_sec_context.c \ - external.c \ - get_mic.c \ - gssapi.h \ - import_name.c \ - import_sec_context.c \ - indicate_mechs.c \ - init.c \ - init_sec_context.c \ - inquire_context.c \ - inquire_cred.c \ - inquire_cred_by_mech.c \ - inquire_mechs_for_name.c \ - inquire_names_for_mech.c \ - process_context_token.c \ - release_buffer.c \ - release_cred.c \ - release_name.c \ - release_oid_set.c \ - test_oid_set_member.c \ - unwrap.c \ - v1.c \ - verify_mic.c \ - wrap.c - -CFLAGS+=-I${KRB5DIR}/lib/gssapi -I${KRB5DIR}/lib/krb5 \ - -I${KRB5DIR}/lib/asn1 -I${KRB5DIR}/lib/roken -I. - -.include - -.PATH: ${KRB5DIR}/lib/gssapi diff --git a/kerberos5/lib/libhdb/Makefile b/kerberos5/lib/libhdb/Makefile deleted file mode 100644 index d2b18acce3..0000000000 --- a/kerberos5/lib/libhdb/Makefile +++ /dev/null 
@@ -1,49 +0,0 @@
-# $FreeBSD: src/kerberos5/lib/libhdb/Makefile,v 1.18 2004/02/05 18:51:49 ru Exp $
-# $DragonFly: src/kerberos5/lib/libhdb/Makefile,v 1.5 2005/01/16 14:25:46 eirikn Exp $
-
-LIB= hdb
-
-INCS= hdb-private.h \
- hdb-protos.h \
- hdb.h \
- hdb_asn1.h \
- hdb_err.h
-
-SRCS= common.c \
- db.c \
- db3.c \
- hdb-ldap.c \
- hdb.c \
- hdb_asn1.h \
- hdb_err.c \
- hdb_err.h \
- keytab.c \
- mkey.c \
- ndbm.c \
- print.c \
- ${GEN:S/.x$/.c/}
-
-CFLAGS+=-I${KRB5DIR}/lib/hdb -I${KRB5DIR}/lib/asn1 \
- -I${KRB5DIR}/lib/roken -I. ${LDAPCFLAGS}
-
-GEN= asn1_Event.x \
- asn1_GENERATION.x \
- asn1_HDBFlags.x \
- asn1_Key.x \
- asn1_Salt.x \
- asn1_hdb_entry.x
-
-CLEANFILES= ${GEN} ${GEN:S/.x$/.c/} hdb_asn1.h asn1_files
-
-.ORDER: ${GEN} hdb_asn1.h
-${GEN} hdb_asn1.h: hdb.asn1
- ${ASN1COMPILE} ${.ALLSRC:M*.asn1} hdb_asn1
-
-.for I in ${GEN}
-${I:R}.c: ${I}
- cat ${.ALLSRC} > ${.TARGET}
-.endfor
-
-.include
-
-.PATH: ${KRB5DIR}/lib/hdb
diff --git a/kerberos5/lib/libkadm5clnt/Makefile b/kerberos5/lib/libkadm5clnt/Makefile
deleted file mode 100644
index fcd321348f..0000000000
--- a/kerberos5/lib/libkadm5clnt/Makefile
+++ /dev/null
@@ -1,38 +0,0 @@
-# $FreeBSD: src/kerberos5/lib/libkadm5clnt/Makefile,v 1.8 2004/02/05 18:51:49 ru Exp $
-# $DragonFly: src/kerberos5/lib/libkadm5clnt/Makefile,v 1.3 2005/01/16 14:25:46 eirikn Exp $
-
-LIB= kadm5clnt
-
-INCS= admin.h \
- kadm5-private.h \
- kadm5-protos.h \
- kadm5_err.h \
- private.h
-
-INCSDIR=${INCLUDEDIR}/kadm5
-
-SRCS= chpass_c.c \
- client_glue.c \
- common_glue.c \
- create_c.c \
- delete_c.c \
- destroy_c.c \
- flush_c.c \
- free.c \
- get_c.c \
- get_princs_c.c \
- init_c.c \
- kadm5_err.c \
- kadm5_err.h \
- marshall.c \
- modify_c.c \
- privs_c.c \
- randkey_c.c \
- rename_c.c \
- send_recv.c
-
-CFLAGS+=-I${KRB5DIR}/lib/kadm5 -I${KRB5DIR}/lib/asn1 -I${KRB5DIR}/lib/roken -I.
-
-.include
-
-.PATH: ${KRB5DIR}/lib/kadm5
diff --git a/kerberos5/lib/libkadm5srv/Makefile b/kerberos5/lib/libkadm5srv/Makefile
deleted file mode 100644
index 973dd1eb86..0000000000
--- a/kerberos5/lib/libkadm5srv/Makefile
+++ /dev/null
@@ -1,39 +0,0 @@
-# $FreeBSD: src/kerberos5/lib/libkadm5srv/Makefile,v 1.7 2004/02/05 18:51:49 ru Exp $
-# $DragonFly: src/kerberos5/lib/libkadm5srv/Makefile,v 1.3 2005/01/16 14:25:46 eirikn Exp $
-
-LIB= kadm5srv
-
-SRCS= acl.c \
- bump_pw_expire.c \
- chpass_s.c \
- common_glue.c \
- context_s.c \
- create_s.c \
- delete_s.c \
- destroy_s.c \
- ent_setup.c \
- error.c \
- flush_s.c \
- free.c \
- get_princs_s.c \
- get_s.c \
- init_s.c \
- kadm5_err.c \
- kadm5_err.h \
- keys.c \
- log.c \
- marshall.c \
- modify_s.c \
- password_quality.c \
- privs_s.c \
- randkey_s.c \
- rename_s.c \
- server_glue.c \
- set_keys.c \
- set_modifier.c
-
-CFLAGS+=-I${KRB5DIR}/lib/kadm5 -I${KRB5DIR}/lib/asn1 -I${KRB5DIR}/lib/roken -I.
-
-.include
-
-.PATH: ${KRB5DIR}/lib/kadm5
diff --git a/kerberos5/lib/libkafs5/Makefile b/kerberos5/lib/libkafs5/Makefile
deleted file mode 100644
index c592e34868..0000000000
--- a/kerberos5/lib/libkafs5/Makefile
+++ /dev/null
@@ -1,33 +0,0 @@
-# $FreeBSD: src/kerberos5/lib/libkafs5/Makefile,v 1.9 2004/02/05 18:51:49 ru Exp $
-# $DragonFly: src/kerberos5/lib/libkafs5/Makefile,v 1.3 2005/01/16 14:25:46 eirikn Exp $
-
-LIB= kafs5
-INCS= kafs.h
-MAN= kafs5.3
-
-MLINKS= kafs5.3 k_afs_cell_of_file.3 \
- kafs5.3 k_hasafs.3 \
- kafs5.3 k_pioctl.3 \
- kafs5.3 k_setpag.3 \
- kafs5.3 k_unlog.3 \
- kafs5.3 kafs.3 \
- kafs5.3 kafs_set_verbose.3 \
- kafs5.3 kafs_settoken.3 \
- kafs5.3 kafs_settoken5.3 \
- kafs5.3 kafs_settoken_rxkad.3 \
- kafs5.3 krb5_afslog.3 \
- kafs5.3 krb5_afslog_uid.3 \
- kafs5.3 krb_afslog.3 \
- kafs5.3 krb_afslog_uid.3
-
-SRCS= afssys.c afskrb5.c common.c
-CFLAGS+=-I${KRB5DIR}/lib/kafs -I${KRB5DIR}/lib/krb5 -I${KRB5DIR}/lib/roken
-
-CLEANFILES= kafs5.3
-
-kafs5.3: kafs.3
- sed -e 's/libkafs, -lkafs/libkafs5, -lkafs5/g' ${.ALLSRC} >${.TARGET}
-
-.include
-
-.PATH: ${KRB5DIR}/lib/kafs
diff --git a/kerberos5/lib/libkrb5/Makefile b/kerberos5/lib/libkrb5/Makefile
deleted file mode 100644
index 6ce493a8ec..0000000000
--- a/kerberos5/lib/libkrb5/Makefile
+++ /dev/null
@@ -1,319 +0,0 @@ -# $FreeBSD: src/kerberos5/lib/libkrb5/Makefile,v 1.17 2004/02/05 18:51:49 ru Exp $ -# $DragonFly: src/kerberos5/lib/libkrb5/Makefile,v 1.4 2005/01/16 14:25:46 eirikn Exp $ - -LIB= krb5 - -INCS= heim_err.h \ - k524_err.h \ - krb5-protos.h \ - krb5-types.h \ - krb5.h \ - krb5_err.h - -MAN= krb5.3 \ - krb5_425_conv_principal.3 \ - krb5_address.3 \ - krb5_aname_to_localname.3 \ - krb5_appdefault.3 \ - krb5_auth_context.3 \ - krb5_build_principal.3 \ - krb5_ccache.3 \ - krb5_config.3 \ - krb5_context.3 \ - krb5_create_checksum.3 \ - krb5_crypto_init.3 \ - krb5_data.3 \ - krb5_encrypt.3 \ - krb5_free_addresses.3 \ - krb5_free_principal.3 \ - krb5_get_all_client_addrs.3 \ - krb5_get_krbhst.3 \ - krb5_init_context.3 \ - krb5_keytab.3 \ - krb5_krbhst_init.3 \ - krb5_kuserok.3 \ - krb5_openlog.3 \ - krb5_parse_name.3 \ - krb5_principal_get_realm.3 \ - krb5_set_default_realm.3 \ - krb5_sname_to_principal.3 \ - krb5_timeofday.3 \ - krb5_unparse_name.3 \ - krb5_verify_user.3 \ - krb5_warn.3 -MAN+= krb5.conf.5 -MAN+= kerberos.8 - -MLINKS= krb5_425_conv_principal.3 krb5_425_conv_principal_ext.3 \ - krb5_425_conv_principal.3 krb5_524_conv_principal.3 \ - krb5_address.3 krb5_addr2sockaddr.3 \ - krb5_address.3 krb5_address_compare.3 \ - krb5_address.3 krb5_address_order.3 \ - krb5_address.3 krb5_address_search.3 \ - krb5_address.3 krb5_addresses.3 \ - krb5_address.3 krb5_anyaddr.3 \ - krb5_address.3 krb5_append_addresses.3 \ - krb5_address.3 krb5_copy_address.3 \ - krb5_address.3 krb5_copy_addresses.3 \ - krb5_address.3 krb5_free_address.3 \ - krb5_address.3 krb5_free_addresses.3 \ - krb5_address.3 krb5_h_addr2addr.3 \ - krb5_address.3 krb5_h_addr2sockaddr.3 \ - krb5_address.3 krb5_make_addrport.3 \ - krb5_address.3 krb5_max_sockaddr_size.3 \ - krb5_address.3 krb5_parse_address.3 \ - krb5_address.3 krb5_print_address.3 \ - krb5_address.3 krb5_sockaddr2address.3 \ - krb5_address.3 krb5_sockaddr2port.3 \ - krb5_address.3 krb5_sockaddr_uninteresting.3 \ - 
krb5_appdefault.3 krb5_appdefault_boolean.3 \ - krb5_appdefault.3 krb5_appdefault_string.3 \ - krb5_appdefault.3 krb5_appdefault_time.3 \ - krb5_auth_context.3 krb5_auth_con_free.3 \ - krb5_auth_context.3 krb5_auth_con_genaddrs.3 \ - krb5_auth_context.3 krb5_auth_con_getaddrs.3 \ - krb5_auth_context.3 krb5_auth_con_getflags.3 \ - krb5_auth_context.3 krb5_auth_con_getkey.3 \ - krb5_auth_context.3 krb5_auth_con_getlocalsubkey.3 \ - krb5_auth_context.3 krb5_auth_con_getrcache.3 \ - krb5_auth_context.3 krb5_auth_con_getremotesubkey.3 \ - krb5_auth_context.3 krb5_auth_con_getuserkey.3 \ - krb5_auth_context.3 krb5_auth_con_init.3 \ - krb5_auth_context.3 krb5_auth_con_initivector.3 \ - krb5_auth_context.3 krb5_auth_con_setaddrs.3 \ - krb5_auth_context.3 krb5_auth_con_setaddrs_from_fd.3 \ - krb5_auth_context.3 krb5_auth_con_setflags.3 \ - krb5_auth_context.3 krb5_auth_con_setivector.3 \ - krb5_auth_context.3 krb5_auth_con_setkey.3 \ - krb5_auth_context.3 krb5_auth_con_setlocalsubkey.3 \ - krb5_auth_context.3 krb5_auth_con_setrcache.3 \ - krb5_auth_context.3 krb5_auth_con_setremotesubkey.3 \ - krb5_auth_context.3 krb5_auth_con_setuserkey.3 \ - krb5_auth_context.3 krb5_auth_getauthenticator.3 \ - krb5_auth_context.3 krb5_auth_getcksumtype.3 \ - krb5_auth_context.3 krb5_auth_getkeytype.3 \ - krb5_auth_context.3 krb5_auth_getlocalseqnumber.3 \ - krb5_auth_context.3 krb5_auth_getremoteseqnumber.3 \ - krb5_auth_context.3 krb5_auth_setcksumtype.3 \ - krb5_auth_context.3 krb5_auth_setkeytype.3 \ - krb5_auth_context.3 krb5_auth_setlocalseqnumber.3 \ - krb5_auth_context.3 krb5_auth_setremoteseqnumber.3 \ - krb5_build_principal.3 krb5_build_principal_ext.3 \ - krb5_build_principal.3 krb5_build_principal_va.3 \ - krb5_build_principal.3 krb5_build_principal_va_ext.3 \ - krb5_build_principal.3 krb5_make_principal.3 \ - krb5_ccache.3 krb5_cc_close.3 \ - krb5_ccache.3 krb5_cc_copy_cache.3 \ - krb5_ccache.3 krb5_cc_cursor.3 \ - krb5_ccache.3 krb5_cc_default.3 \ - krb5_ccache.3 
krb5_cc_default_name.3 \ - krb5_ccache.3 krb5_cc_destroy.3 \ - krb5_ccache.3 krb5_cc_end_seq_get.3 \ - krb5_ccache.3 krb5_cc_gen_new.3 \ - krb5_ccache.3 krb5_cc_get_name.3 \ - krb5_ccache.3 krb5_cc_get_ops.3 \ - krb5_ccache.3 krb5_cc_get_principal.3 \ - krb5_ccache.3 krb5_cc_get_type.3 \ - krb5_ccache.3 krb5_cc_get_version.3 \ - krb5_ccache.3 krb5_cc_initialize.3 \ - krb5_ccache.3 krb5_cc_next_cred.3 \ - krb5_ccache.3 krb5_cc_ops.3 \ - krb5_ccache.3 krb5_cc_register.3 \ - krb5_ccache.3 krb5_cc_remove_cred.3 \ - krb5_ccache.3 krb5_cc_resolve.3 \ - krb5_ccache.3 krb5_cc_retrieve_cred.3 \ - krb5_ccache.3 krb5_cc_set_default_name.3 \ - krb5_ccache.3 krb5_cc_set_flags.3 \ - krb5_ccache.3 krb5_cc_store_cred.3 \ - krb5_ccache.3 krb5_fcc_ops.3 \ - krb5_ccache.3 krb5_mcc_ops.3 \ - krb5_config.3 krb5_config_get_bool_default.3 \ - krb5_config.3 krb5_config_get_int_default.3 \ - krb5_config.3 krb5_config_get_string_default.3 \ - krb5_config.3 krb5_config_get_time_default.3 \ - krb5_create_checksum.3 krb5_checksum_is_collision_proof.3 \ - krb5_create_checksum.3 krb5_checksum_is_keyed.3 \ - krb5_create_checksum.3 krb5_checksumsize.3 \ - krb5_create_checksum.3 krb5_verify_checksum.3 \ - krb5_crypto_init.3 krb5_crypto_destroy.3 \ - krb5_data.3 krb5_copy_data.3 \ - krb5_data.3 krb5_data_alloc.3 \ - krb5_data.3 krb5_data_copy.3 \ - krb5_data.3 krb5_data_free.3 \ - krb5_data.3 krb5_data_realloc.3 \ - krb5_data.3 krb5_data_zero.3 \ - krb5_data.3 krb5_free_data.3 \ - krb5_data.3 krb5_free_data_contents.3 \ - krb5_encrypt.3 krb5_decrypt.3 \ - krb5_encrypt.3 krb5_decrypt_EncryptedData.3 \ - krb5_encrypt.3 krb5_encrypt_EncryptedData.3 \ - krb5_get_all_client_addrs.3 krb5_get_all_server_addrs.3 \ - krb5_get_krbhst.3 krb5_free_krbhst.3 \ - krb5_get_krbhst.3 krb5_get_krb524hst.3 \ - krb5_get_krbhst.3 krb5_get_krb_admin_hst.3 \ - krb5_get_krbhst.3 krb5_get_krb_changepw_hst.3 \ - krb5_init_context.3 krb5_free_context.3 \ - krb5_keytab.3 krb5_keytab_entry.3 \ - krb5_keytab.3 krb5_kt_add_entry.3 
\ - krb5_keytab.3 krb5_kt_close.3 \ - krb5_keytab.3 krb5_kt_compare.3 \ - krb5_keytab.3 krb5_kt_copy_entry_contents.3 \ - krb5_keytab.3 krb5_kt_cursor.3 \ - krb5_keytab.3 krb5_kt_default.3 \ - krb5_keytab.3 krb5_kt_default_name.3 \ - krb5_keytab.3 krb5_kt_end_seq_get.3 \ - krb5_keytab.3 krb5_kt_free_entry.3 \ - krb5_keytab.3 krb5_kt_get_entry.3 \ - krb5_keytab.3 krb5_kt_get_name.3 \ - krb5_keytab.3 krb5_kt_get_type.3 \ - krb5_keytab.3 krb5_kt_next_entry.3 \ - krb5_keytab.3 krb5_kt_ops.3 \ - krb5_keytab.3 krb5_kt_read_service_key.3 \ - krb5_keytab.3 krb5_kt_register.3 \ - krb5_keytab.3 krb5_kt_remove_entry.3 \ - krb5_keytab.3 krb5_kt_resolve.3 \ - krb5_keytab.3 krb5_kt_start_seq_get.3 \ - krb5_krbhst_init.3 krb5_krbhst_format_string.3 \ - krb5_krbhst_init.3 krb5_krbhst_free.3 \ - krb5_krbhst_init.3 krb5_krbhst_get_addrinfo.3 \ - krb5_krbhst_init.3 krb5_krbhst_next.3 \ - krb5_krbhst_init.3 krb5_krbhst_next_as_string.3 \ - krb5_krbhst_init.3 krb5_krbhst_reset.3 \ - krb5_openlog.3 krb5_addlog_dest.3 \ - krb5_openlog.3 krb5_addlog_func.3 \ - krb5_openlog.3 krb5_closelog.3 \ - krb5_openlog.3 krb5_initlog.3 \ - krb5_openlog.3 krb5_log.3 \ - krb5_openlog.3 krb5_log_msg.3 \ - krb5_openlog.3 krb5_vlog.3 \ - krb5_openlog.3 krb5_vlog_msg.3 \ - krb5_principal_get_realm.3 krb5_principal_get_comp_string.3 \ - krb5_set_default_realm.3 krb5_free_host_realm.3 \ - krb5_set_default_realm.3 krb5_get_default_realm.3 \ - krb5_set_default_realm.3 krb5_get_default_realms.3 \ - krb5_set_default_realm.3 krb5_get_host_realm.3 \ - krb5_sname_to_principal.3 krb5_sock_to_principal.3 \ - krb5_timeofday.3 krb5_us_timeofday.3 \ - krb5_verify_user.3 krb5_verify_opt_init.3 \ - krb5_verify_user.3 krb5_verify_opt_set_flags.3 \ - krb5_verify_user.3 krb5_verify_opt_set_keytab.3 \ - krb5_verify_user.3 krb5_verify_opt_set_secure.3 \ - krb5_verify_user.3 krb5_verify_opt_set_service.3 \ - krb5_verify_user.3 krb5_verify_user_lrealm.3 \ - krb5_verify_user.3 krb5_verify_user_opt.3 \ - krb5_warn.3 krb5_err.3 \ - 
krb5_warn.3 krb5_errx.3 \ - krb5_warn.3 krb5_set_warn_dest.3 \ - krb5_warn.3 krb5_verr.3 \ - krb5_warn.3 krb5_verrx.3 \ - krb5_warn.3 krb5_vwarn.3 \ - krb5_warn.3 krb5_vwarnx.3 \ - krb5_warn.3 krb5_warnx.3 - -SRCS= acl.c \ - add_et_list.c \ - addr_families.c \ - aname_to_localname.c \ - appdefault.c \ - asn1_glue.c \ - auth_context.c \ - build_ap_req.c \ - build_auth.c \ - cache.c \ - changepw.c \ - codec.c \ - config_file.c \ - config_file_netinfo.c \ - constants.c \ - context.c \ - convert_creds.c \ - copy_host_realm.c \ - crc.c \ - creds.c \ - crypto.c \ - data.c \ - eai_to_heim_errno.c \ - error_string.c \ - expand_hostname.c \ - fcache.c \ - free.c \ - free_host_realm.c \ - generate_seq_number.c \ - generate_subkey.c \ - get_addrs.c \ - get_cred.c \ - get_default_principal.c \ - get_default_realm.c \ - get_for_creds.c \ - get_host_realm.c \ - get_in_tkt.c \ - get_in_tkt_pw.c \ - get_in_tkt_with_keytab.c \ - get_in_tkt_with_skey.c \ - get_port.c \ - heim_err.c \ - heim_err.h \ - init_creds.c \ - init_creds_pw.c \ - k524_err.c \ - k524_err.h \ - keyblock.c \ - keytab.c \ - keytab_any.c \ - keytab_file.c \ - keytab_keyfile.c \ - keytab_krb4.c \ - keytab_memory.c \ - krb5_err.c \ - krb5_err.h \ - krbhst.c \ - kuserok.c \ - log.c \ - mcache.c \ - misc.c \ - mk_error.c \ - mk_priv.c \ - mk_rep.c \ - mk_req.c \ - mk_req_ext.c \ - mk_safe.c \ - n-fold.c \ - net_read.c \ - net_write.c \ - padata.c \ - principal.c \ - prog_setup.c \ - prompter_posix.c \ - rd_cred.c \ - rd_error.c \ - rd_priv.c \ - rd_rep.c \ - rd_req.c \ - rd_safe.c \ - read_message.c \ - recvauth.c \ - replay.c \ - send_to_kdc.c \ - sendauth.c \ - set_default_realm.c \ - sock_principal.c \ - store.c \ - store_emem.c \ - store_fd.c \ - store_mem.c \ - ticket.c \ - time.c \ - transited.c \ - verify_init.c \ - verify_user.c \ - version.c \ - warn.c \ - write_message.c - -CFLAGS+=-I${KRB5DIR}/lib/krb5 -I${KRB5DIR}/lib/asn1 -I${KRB5DIR}/lib/roken -I. 
-DPADD+= ${LIBUTIL}
-LDADD+= -lutil
-
-.include
-
-.PATH: ${KRB5DIR}/lib/krb5 ${.CURDIR}/../../include
diff --git a/kerberos5/lib/libroken/Makefile b/kerberos5/lib/libroken/Makefile
deleted file mode 100644
index 04ad6c5191..0000000000
--- a/kerberos5/lib/libroken/Makefile
+++ /dev/null
@@ -1,65 +0,0 @@
-# $FreeBSD: src/kerberos5/lib/libroken/Makefile,v 1.16 2004/02/05 18:51:49 ru Exp $
-# $DragonFly: src/kerberos5/lib/libroken/Makefile,v 1.5 2005/01/16 14:25:46 eirikn Exp $
-
-LIB= roken
-INCS= roken.h roken-common.h
-
-SRCS= base64.c \
- bswap.c \
- concat.c \
- copyhostent.c \
- ecalloc.c \
- emalloc.c \
- environment.c \
- eread.c \
- erealloc.c \
- esetenv.c \
- estrdup.c \
- ewrite.c \
- get_default_username.c \
- get_window_size.c \
- getaddrinfo_hostspec.c \
- getarg.c \
- getnameinfo_verified.c \
- hostent_find_fqdn.c \
- issuid.c \
- k_getpwnam.c \
- k_getpwuid.c \
- mini_inetd.c \
- ndbm_wrap.c \
- net_read.c \
- net_write.c \
- parse_bytes.c \
- parse_time.c \
- parse_units.c \
- resolve.c \
- roken.h \
- roken_gethostby.c \
- rtbl.c \
- simple_exec.c \
- snprintf.c \
- socket.c \
- strcollect.c \
- strlwr.c \
- strndup.c \
- strnlen.c \
- strsep_copy.c \
- strupr.c \
- timeval.c \
- tm2time.c \
- unvis.c \
- verify.c \
- vis.c \
- warnerr.c \
- write_pid.c
-
-CFLAGS+=-I${KRB5DIR}/lib/roken -I.
-
-CLEANFILES= roken.h
-
-roken.h:
- ${MAKEROKEN} > ${.TARGET}
-
-.include
-
-.PATH: ${KRB5DIR}/lib/roken
diff --git a/kerberos5/lib/libsl/Makefile b/kerberos5/lib/libsl/Makefile
deleted file mode 100644
index 6a0e6db78d..0000000000
--- a/kerberos5/lib/libsl/Makefile
+++ /dev/null
@@ -1,11 +0,0 @@
-# $FreeBSD: src/kerberos5/lib/libsl/Makefile,v 1.8 2004/02/05 18:51:49 ru Exp $
-# $DragonFly: src/kerberos5/lib/libsl/Makefile,v 1.4 2005/01/16 14:25:46 eirikn Exp $
-
-LIB= sl
-INTERNALLIB=
-SRCS= sl.c
-CFLAGS+=-I${KRB5DIR}/lib/sl
-
-.include
-
-.PATH: ${KRB5DIR}/lib/sl
diff --git a/kerberos5/lib/libvers/Makefile b/kerberos5/lib/libvers/Makefile
deleted file mode 100644
index c582f3ceff..0000000000
--- a/kerberos5/lib/libvers/Makefile
+++ /dev/null
@@ -1,16 +0,0 @@
-# $FreeBSD: src/kerberos5/lib/libvers/Makefile,v 1.8 2004/02/05 18:51:50 ru Exp $
-# $DragonFly: src/kerberos5/lib/libvers/Makefile,v 1.4 2005/01/16 14:25:46 eirikn Exp $
-
-LIB= vers
-INTERNALLIB=
-SRCS= print_version.c print_version.h
-CFLAGS+=-I.
-
-CLEANFILES= print_version.h
-
-print_version.h:
- ${MAKEPRINTVERSION} ${.TARGET}
-
-.include
-
-.PATH: ${KRB5DIR}/lib/vers
diff --git a/kerberos5/libexec/Makefile b/kerberos5/libexec/Makefile
deleted file mode 100644
index 73345e06e8..0000000000
--- a/kerberos5/libexec/Makefile
+++ /dev/null
@@ -1,6 +0,0 @@
-# $FreeBSD: src/kerberos5/libexec/Makefile,v 1.6 2004/01/30 11:06:48 mr Exp $
-# $DragonFly: src/kerberos5/libexec/Makefile,v 1.3 2005/01/16 14:25:46 eirikn Exp $
-
-SUBDIR= ipropd-master ipropd-slave hprop hpropd kadmind kdc kpasswdd
-
-.include
diff --git a/kerberos5/libexec/Makefile.inc b/kerberos5/libexec/Makefile.inc
deleted file mode 100644
index 8c01d04b5d..0000000000
--- a/kerberos5/libexec/Makefile.inc
+++ /dev/null
@@ -1,8 +0,0 @@
-# $FreeBSD: src/kerberos5/libexec/Makefile.inc,v 1.2 2004/02/05 18:51:50 ru Exp $
-# $DragonFly: src/kerberos5/libexec/Makefile.inc,v 1.2 2005/01/16 14:25:46 eirikn Exp $
-
-BINDIR= /usr/libexec
-
-CFLAGS+=-I${.OBJDIR}/../../lib/libroken/
-
-.include "../Makefile.inc"
diff --git a/kerberos5/libexec/hprop/Makefile b/kerberos5/libexec/hprop/Makefile
deleted file mode 100644
index 9412f9fb01..0000000000
--- a/kerberos5/libexec/hprop/Makefile
+++ /dev/null
@@ -1,16 +0,0 @@
-# $FreeBSD: src/kerberos5/libexec/hprop/Makefile,v 1.15 2004/02/05 18:51:50 ru Exp $
-# $DragonFly: src/kerberos5/libexec/hprop/Makefile,v 1.4 2005/01/16 14:25:46 eirikn Exp $
-
-PROG= hprop
-MAN= hprop.8
-SRCS= hprop.c mit_dump.c v4_dump.c
-CFLAGS+=-I${KRB5DIR}/lib/roken -I${KRB5DIR}/lib/krb5 -I${KRB5DIR}/lib/asn1
-DPADD= ${LIBHDB} ${LIBKRB5} ${LIBROKEN} ${LIBVERS} \
- ${LIBASN1} ${LIBCRYPTO} ${LIBCRYPT} ${LIBCOM_ERR} ${LDAPDPADD}
-LDADD= -lhdb -lkrb5 -lroken ${LIBVERS} \
- -lasn1 -lcrypto -lcrypt -lcom_err ${LDAPLDADD}
-LDFLAGS=${LDAPLDFLAGS}
-
-.include
-
-.PATH: ${KRB5DIR}/kdc
diff --git a/kerberos5/libexec/hpropd/Makefile b/kerberos5/libexec/hpropd/Makefile
deleted file mode 100644
index 95888db56e..0000000000
--- a/kerberos5/libexec/hpropd/Makefile
+++ /dev/null
@@ -1,16 +0,0 @@
-# $FreeBSD: src/kerberos5/libexec/hpropd/Makefile,v 1.15 2004/02/05 18:51:50 ru Exp $
-# $DragonFly: src/kerberos5/libexec/hpropd/Makefile,v 1.4 2005/01/16 14:25:46 eirikn Exp $
-
-PROG= hpropd
-MAN= hpropd.8
-CFLAGS+=-I${KRB5DIR}/lib/roken -I${KRB5DIR}/lib/krb5 -I${KRB5DIR}/lib/asn1 \
- ${LDAPCFLAGS}
-DPADD= ${LIBHDB} ${LIBKRB5} ${LIBROKEN} ${LIBVERS} \
- ${LIBASN1} ${LIBCRYPTO} ${LIBCRYPT} ${LIBCOM_ERR} ${LDAPDPADD}
-LDADD= -lhdb -lkrb5 -lroken ${LIBVERS} \
- -lasn1 -lcrypto -lcrypt -lcom_err ${LDAPLDADD}
-LDFLAGS=${LDAPLDFLAGS}
-
-.include
-
-.PATH: ${KRB5DIR}/kdc
diff --git a/kerberos5/libexec/ipropd-master/Makefile b/kerberos5/libexec/ipropd-master/Makefile
deleted file mode 100644
index c83f08b372..0000000000
--- a/kerberos5/libexec/ipropd-master/Makefile
+++ /dev/null
@@ -1,17 +0,0 @@
-# $FreeBSD: src/kerberos5/libexec/ipropd-master/Makefile,v 1.17 2004/12/21 08:47:01 ru Exp $
-# $DragonFly: src/kerberos5/libexec/ipropd-master/Makefile,v 1.5 2005/01/16 14:25:46 eirikn Exp $
-
-PROG= ipropd-master
-NOMAN=
-SRCS= ipropd_master.c kadm5_err.h
-CFLAGS+=-I${KRB5DIR}/lib/krb5 -I${KRB5DIR}/lib/asn1 -I${KRB5DIR}/lib/roken \
- -I. ${LDAPCFLAGS}
-DPADD= ${LIBKADM5SRV} ${LIBHDB} ${LIBKRB5} ${LIBROKEN} ${LIBVERS} \
- ${LIBASN1} ${LIBCRYPTO} ${LIBCRYPT} ${LIBCOM_ERR} ${LDAPDPADD}
-LDADD= -lkadm5srv -lhdb -lkrb5 -lroken ${LIBVERS} \
- -lasn1 -lcrypto -lcrypt -lcom_err ${LDAPLDADD}
-LDFLAGS=${LDAPLDFLAGS}
-
-.include
-
-.PATH: ${KRB5DIR}/lib/kadm5
diff --git a/kerberos5/libexec/ipropd-slave/Makefile b/kerberos5/libexec/ipropd-slave/Makefile
deleted file mode 100644
index 48bc58fbd1..0000000000
--- a/kerberos5/libexec/ipropd-slave/Makefile
+++ /dev/null
@@ -1,17 +0,0 @@
-# $FreeBSD: src/kerberos5/libexec/ipropd-slave/Makefile,v 1.17 2004/12/21 08:47:01 ru Exp $
-# $DragonFly: src/kerberos5/libexec/ipropd-slave/Makefile,v 1.5 2005/01/16 14:25:46 eirikn Exp $
-
-PROG= ipropd-slave
-NOMAN=
-SRCS= ipropd_slave.c kadm5_err.h
-CFLAGS+=-I${KRB5DIR}/lib/krb5 -I${KRB5DIR}/lib/asn1 -I${KRB5DIR}/lib/roken \
- -I. ${LDAPCFLAGS}
-DPADD= ${LIBKADM5SRV} ${LIBHDB} ${LIBKRB5} ${LIBROKEN} ${LIBVERS} \
- ${LIBASN1} ${LIBCRYPTO} ${LIBCRYPT} ${LIBCOM_ERR} ${LDAPDPADD}
-LDADD= -lkadm5srv -lhdb -lkrb5 -lroken ${LIBVERS} \
- -lasn1 -lcrypto -lcrypt -lcom_err ${LDAPLDADD}
-LDFLAGS=${LDAPLDFLAGS}
-
-.include
-
-.PATH: ${KRB5DIR}/lib/kadm5
diff --git a/kerberos5/libexec/kadmind/Makefile b/kerberos5/libexec/kadmind/Makefile
deleted file mode 100644
index 0d0c7357bf..0000000000
--- a/kerberos5/libexec/kadmind/Makefile
+++ /dev/null
@@ -1,17 +0,0 @@
-# $FreeBSD: src/kerberos5/libexec/kadmind/Makefile,v 1.18 2004/02/05 18:51:50 ru Exp $
-# $DragonFly: src/kerberos5/libexec/kadmind/Makefile,v 1.1 2005/01/16 14:25:46 eirikn Exp $
-
-PROG= kadmind
-MAN= kadmind.8
-SRCS= kadm_conn.c kadmind.c server.c
-CFLAGS+=-I${KRB5DIR}/lib/krb5 -I${KRB5DIR}/lib/asn1 -I${KRB5DIR}/lib/roken \
- ${LDAPCFLAGS}
-DPADD= ${LIBKADM5SRV} ${LIBHDB} ${LIBKRB5} ${LIBROKEN} ${LIBVERS} \
- ${LIBASN1} ${LIBCRYPTO} ${LIBCRYPT} ${LIBCOM_ERR} ${LDAPDPADD}
-LDADD= -lkadm5srv -lhdb -lkrb5 -lroken ${LIBVERS} \
- -lasn1 -lcrypto -lcrypt -lcom_err ${LDAPLDADD}
-LDFLAGS=${LDAPLDFLAGS}
-
-.include
-
-.PATH: ${KRB5DIR}/kadmin
diff --git a/kerberos5/libexec/kdc/Makefile b/kerberos5/libexec/kdc/Makefile
deleted file mode 100644
index 884d7f56e1..0000000000
--- a/kerberos5/libexec/kdc/Makefile
+++ /dev/null
@@ -1,26 +0,0 @@
-# $FreeBSD: src/kerberos5/libexec/kdc/Makefile,v 1.17 2004/02/05 18:51:51 ru Exp $
-# $DragonFly: src/kerberos5/libexec/kdc/Makefile,v 1.5 2005/01/16 14:25:46 eirikn Exp $
-
-PROG= kdc
-MAN= kdc.8
-
-SRCS= 524.c \
- config.c \
- connect.c \
- kerberos4.c \
- kerberos5.c \
- log.c \
- main.c \
- misc.c
-
-CFLAGS+=-I${KRB5DIR}/lib/krb5 -I${KRB5DIR}/lib/asn1 -I${KRB5DIR}/lib/roken \
- ${LDAPCFLAGS}
-DPADD= ${LIBHDB} ${LIBKRB5} ${LIBROKEN} ${LIBVERS} \
- ${LIBASN1} ${LIBCRYPTO} ${LIBCRYPT} ${LIBCOM_ERR} ${LDAPDPADD}
-LDADD= -lhdb -lkrb5 -lroken ${LIBVERS} \
- -lasn1 -lcrypto -lcrypt -lcom_err ${LDAPLDADD}
-LDFLAGS=${LDAPLDFLAGS}
-
-.include
-
-.PATH: ${KRB5DIR}/kdc
diff --git a/kerberos5/libexec/kpasswdd/Makefile b/kerberos5/libexec/kpasswdd/Makefile
deleted file mode 100644
index 23b68921fc..0000000000
--- a/kerberos5/libexec/kpasswdd/Makefile
+++ /dev/null
@@ -1,15 +0,0 @@
-# $FreeBSD: src/kerberos5/libexec/kpasswdd/Makefile,v 1.18 2004/02/05 18:51:51 ru Exp $
-# $DragonFly: src/kerberos5/libexec/kpasswdd/Makefile,v 1.1 2005/01/16 14:25:46 eirikn Exp $
-
-PROG= kpasswdd
-MAN= kpasswdd.8
-CFLAGS+=-I${KRB5DIR}/lib/roken ${LDAPCFLAGS}
-DPADD= ${LIBKADM5SRV} ${LIBHDB} ${LIBKRB5} ${LIBROKEN} ${LIBVERS} \
- ${LIBASN1} ${LIBCRYPTO} ${LIBCRYPT} ${LIBCOM_ERR} ${LDAPDPADD}
-LDADD= -lkadm5srv -lhdb -lkrb5 -lroken ${LIBVERS} \
- -lasn1 -lcrypto -lcrypt -lcom_err ${LDAPLDADD}
-LDFLAGS=${LDAPLDFLAGS}
-
-.include
-
-.PATH: ${KRB5DIR}/kpasswd
diff --git a/kerberos5/tools/Makefile b/kerberos5/tools/Makefile
deleted file mode 100644
index 9ed5c7991d..0000000000
--- a/kerberos5/tools/Makefile
+++ /dev/null
@@ -1,8 +0,0 @@
-# $FreeBSD: src/kerberos5/tools/Makefile,v 1.2 2004/02/01 09:30:02 ru Exp $
-# $DragonFly: src/kerberos5/tools/Makefile,v 1.2 2005/07/14 18:02:33 joerg Exp $
-
-SUBDIR= make-print-version make-roken asn1_compile
-
-buildincludes: depend
-
-.include
diff --git a/kerberos5/tools/Makefile.inc b/kerberos5/tools/Makefile.inc
deleted file mode 100644
index d1dfdf24cf..0000000000
--- a/kerberos5/tools/Makefile.inc
+++ /dev/null
@@ -1,4 +0,0 @@
-# $FreeBSD: src/kerberos5/tools/Makefile.inc,v 1.1 2004/01/31 08:15:55 ru Exp $
-# $DragonFly: src/kerberos5/tools/Makefile.inc,v 1.2 2005/07/14 18:02:33 joerg Exp $
-
-.include "../Makefile.inc"
diff --git a/kerberos5/tools/asn1_compile/Makefile b/kerberos5/tools/asn1_compile/Makefile
deleted file mode 100644
index 16f02bda04..0000000000
--- a/kerberos5/tools/asn1_compile/Makefile
+++ /dev/null
@@ -1,44 +0,0 @@
-# $FreeBSD: src/kerberos5/tools/asn1_compile/Makefile,v 1.5 2004/12/21 08:47:01 ru Exp $
-# $DragonFly: src/kerberos5/tools/asn1_compile/Makefile,v 1.2 2005/07/14 18:02:33 joerg Exp $
-
-PROG= asn1_compile
-NOMAN=
-
-NOINCS=
-
-SRCS= gen.c \
- gen_copy.c \
- gen_decode.c \
- gen_encode.c \
- gen_free.c \
- gen_glue.c \
- gen_length.c \
- hash.c \
- emalloc.c \
- main.c \
- symbol.c \
- getarg.c \
- warnerr.c \
- lex.l \
- parse.y \
- print_version.c \
- print_version.h \
- roken.h \
- get_window_size.c \
- strupr.c
-
-CFLAGS+=-I${KRB5DIR}/lib/roken -I${KRB5DIR}/lib/asn1 -I.
-
-CLEANFILES= print_version.h roken.h
-
-print_version.h:
- ${MAKEPRINTVERSION} ${.TARGET}
-
-roken.h:
- ${MAKEROKEN} > ${.TARGET}
-
-.include
-
-# There are two print_version.c's, the one we need is in ${KRB5DIR}/lib/vers,
-# so the order of paths is important here.
-.PATH: ${KRB5DIR}/lib/vers ${KRB5DIR}/lib/roken ${KRB5DIR}/lib/asn1
diff --git a/kerberos5/tools/make-print-version/Makefile b/kerberos5/tools/make-print-version/Makefile
deleted file mode 100644
index 2367df5412..0000000000
--- a/kerberos5/tools/make-print-version/Makefile
+++ /dev/null
@@ -1,9 +0,0 @@
-# $FreeBSD: src/kerberos5/tools/make-print-version/Makefile,v 1.2 2004/12/21 08:47:02 ru Exp $
-# $DragonFly: src/kerberos5/tools/make-print-version/Makefile,v 1.2 2005/07/14 18:02:33 joerg Exp $
-
-PROG= make-print-version
-NOMAN=
-
-.include
-
-.PATH: ${KRB5DIR}/lib/vers
diff --git a/kerberos5/tools/make-roken/Makefile b/kerberos5/tools/make-roken/Makefile
deleted file mode 100644
index d2219864de..0000000000
--- a/kerberos5/tools/make-roken/Makefile
+++ /dev/null
@@ -1,12 +0,0 @@
-# $FreeBSD: src/kerberos5/tools/make-roken/Makefile,v 1.2 2004/12/21 08:47:02 ru Exp $
-# $DragonFly: src/kerberos5/tools/make-roken/Makefile,v 1.2 2005/07/14 18:02:33 joerg Exp $
-
-PROG= make-roken
-NOMAN=
-
-CLEANFILES= make-roken.c
-
-.include
-
-make-roken.c: ${KRB5DIR}/lib/roken/roken.awk ${KRB5DIR}/lib/roken/roken.h.in
- awk -f ${.ALLSRC} > ${.TARGET}
diff --git a/kerberos5/usr.bin/Makefile b/kerberos5/usr.bin/Makefile
deleted file mode 100644
index 8fcb396ae6..0000000000
--- a/kerberos5/usr.bin/Makefile
+++ /dev/null
@@ -1,7 +0,0 @@
-# $FreeBSD: src/kerberos5/usr.bin/Makefile,v 1.11 2004/01/31 08:15:56 ru Exp $
-# $DragonFly: src/kerberos5/usr.bin/Makefile,v 1.3 2005/01/16 14:25:47 eirikn Exp $
-
-SUBDIR= kadmin kdestroy kinit klist kpasswd krb5-config ksu \
- verify_krb5_conf
-
-.include
diff --git a/kerberos5/usr.bin/Makefile.inc b/kerberos5/usr.bin/Makefile.inc
deleted file mode 100644
index e03511b7c3..0000000000
--- a/kerberos5/usr.bin/Makefile.inc
+++ /dev/null
@@ -1,8 +0,0 @@
-# $FreeBSD: src/kerberos5/usr.bin/Makefile.inc,v 1.1.1.1 2000/01/15 21:38:04 markm Exp $
-# $DragonFly: src/kerberos5/usr.bin/Makefile.inc,v 1.3 2005/01/16 14:25:47 eirikn Exp $
-
-BINDIR= /usr/bin
-
-CFLAGS+=-I${.OBJDIR}/../../lib/libroken/
-
-.include "../Makefile.inc"
diff --git a/kerberos5/usr.bin/kadmin/Makefile b/kerberos5/usr.bin/kadmin/Makefile
deleted file mode 100644
index 0d7660eb4a..0000000000
--- a/kerberos5/usr.bin/kadmin/Makefile
+++ /dev/null
@@ -1,36 +0,0 @@
-# $FreeBSD: src/kerberos5/usr.bin/kadmin/Makefile,v 1.18 2004/02/05 18:51:51 ru Exp $
-# $DragonFly: src/kerberos5/usr.bin/kadmin/Makefile,v 1.2 2007/01/20 19:01:45 dillon Exp $
-
-PROG= kadmin
-MAN= kadmin.8
-
-SRCS= ank.c \
- cpw.c \
- del.c \
- del_enctype.c \
- dump.c \
- ext.c \
- get.c \
- init.c \
- kadmin.c \
- load.c \
- mod.c \
- random_password.c \
- rename.c \
- util.c
-
-CFLAGS+=-I${KRB5DIR}/lib/asn1 -I${KRB5DIR}/lib/krb5 -I${KRB5DIR}/lib/roken \
- -I${KRB5DIR}/lib/sl ${LDAPCFLAGS}
-DPADD= ${LIBKADM5CLNT} ${LIBKADM5SRV} ${LIBHDB} ${LIBKRB5} \
- ${LIBSL} ${LIBROKEN} ${LIBVERS} ${LIBASN1} \
- ${LIBCRYPTO} ${LIBCRYPT} ${LIBCOM_ERR} \
- ${LIBREADLINE} ${LIBNCURSES} ${LDAPDPADD}
-LDADD= -lkadm5clnt -lkadm5srv -lhdb -lkrb5 \
- ${LIBSL} -lroken ${LIBVERS} -lasn1 \
- -lcrypto -lcrypt -lcom_err \
- -lncurses ${LDAPLDADD}
-LDFLAGS=${LDAPLDFLAGS}
-
-.include
-
-.PATH: ${KRB5DIR}/kadmin
diff --git a/kerberos5/usr.bin/kdestroy/Makefile b/kerberos5/usr.bin/kdestroy/Makefile
deleted file mode 100644
index 719b7f69dd..0000000000
--- a/kerberos5/usr.bin/kdestroy/Makefile
+++ /dev/null
@@ -1,13 +0,0 @@
-# $FreeBSD: src/kerberos5/usr.bin/kdestroy/Makefile,v 1.15 2004/02/05 18:51:51 ru Exp $
-# $DragonFly: src/kerberos5/usr.bin/kdestroy/Makefile,v 1.1 2005/01/16 14:25:47 eirikn Exp $
-
-PROG= kdestroy
-CFLAGS+=-I${KRB5DIR}/lib/roken
-DPADD= ${LIBKAFS5} ${LIBKRB5} ${LIBROKEN} ${LIBVERS} \
- ${LIBASN1} ${LIBCRYPTO} ${LIBCRYPT} ${LIBCOM_ERR}
-LDADD= -lkafs5 -lkrb5 -lroken ${LIBVERS} \
- -lasn1 -lcrypto -lcrypt -lcom_err
-
-.include
-
-.PATH: ${KRB5DIR}/kuser
diff --git a/kerberos5/usr.bin/kinit/Makefile b/kerberos5/usr.bin/kinit/Makefile
deleted file mode 100644
index fc0cdd8f21..0000000000
--- a/kerberos5/usr.bin/kinit/Makefile
+++ /dev/null
@@ -1,13 +0,0 @@
-# $FreeBSD: src/kerberos5/usr.bin/kinit/Makefile,v 1.15 2004/02/05 18:51:51 ru Exp $
-# $DragonFly: src/kerberos5/usr.bin/kinit/Makefile,v 1.1 2005/01/16 14:25:47 eirikn Exp $
-
-PROG= kinit
-CFLAGS+=-I${KRB5DIR}/lib/roken
-DPADD= ${LIBKAFS5} ${LIBKRB5} ${LIBROKEN} ${LIBVERS} \
- ${LIBASN1} ${LIBCRYPTO} ${LIBCRYPT} ${LIBCOM_ERR}
-LDADD= -lkafs5 -lkrb5 -lroken ${LIBVERS} \
- -lasn1 -lcrypto -lcrypt -lcom_err
-
-.include
-
-.PATH: ${KRB5DIR}/kuser
diff --git a/kerberos5/usr.bin/klist/Makefile b/kerberos5/usr.bin/klist/Makefile
deleted file mode 100644
index 0cd05719b6..0000000000
--- a/kerberos5/usr.bin/klist/Makefile
+++ /dev/null
@@ -1,13 +0,0 @@
-# $FreeBSD: src/kerberos5/usr.bin/klist/Makefile,v 1.15 2004/02/05 18:51:51 ru Exp $
-# $DragonFly: src/kerberos5/usr.bin/klist/Makefile,v 1.1 2005/01/16 14:25:47 eirikn Exp $
-
-PROG= klist
-CFLAGS+=-I${KRB5DIR}/lib/roken
-DPADD= ${LIBKAFS5} ${LIBKRB5} ${LIBROKEN} ${LIBVERS} \
- ${LIBASN1} ${LIBCRYPTO} ${LIBCRYPT} ${LIBCOM_ERR}
-LDADD= -lkafs5 -lkrb5 -lroken ${LIBVERS} \
- -lasn1 -lcrypto -lcrypt -lcom_err
-
-.include
-
-.PATH: ${KRB5DIR}/kuser
diff --git a/kerberos5/usr.bin/kpasswd/Makefile b/kerberos5/usr.bin/kpasswd/Makefile
deleted file mode 100644
index a89dee0b2c..0000000000
--- a/kerberos5/usr.bin/kpasswd/Makefile
+++ /dev/null
@@ -1,13 +0,0 @@
-# $FreeBSD: src/kerberos5/usr.bin/kpasswd/Makefile,v 1.14 2004/02/05 18:51:52 ru Exp $
-# $DragonFly: src/kerberos5/usr.bin/kpasswd/Makefile,v 1.1 2005/01/16 14:25:47 eirikn Exp $
-
-PROG= kpasswd
-CFLAGS+=-I${KRB5DIR}/lib/roken
-DPADD= ${LIBKRB5} ${LIBROKEN} ${LIBVERS} \
- ${LIBASN1} ${LIBCRYPTO} ${LIBCRYPT} ${LIBCOM_ERR}
-LDADD= -lkrb5 -lroken ${LIBVERS} \
- -lasn1 -lcrypto -lcrypt -lcom_err
-
-.include
-
-.PATH: ${KRB5DIR}/kpasswd
diff --git a/kerberos5/usr.bin/krb5-config/Makefile b/kerberos5/usr.bin/krb5-config/Makefile
deleted file mode 100644
index e280909d06..0000000000
--- a/kerberos5/usr.bin/krb5-config/Makefile
+++ /dev/null
@@ -1,25 +0,0 @@
-# $FreeBSD: src/kerberos5/usr.bin/krb5-config/Makefile,v 1.14 2004/04/13 16:41:00 nectar Exp $
-# $DragonFly: src/kerberos5/usr.bin/krb5-config/Makefile,v 1.3 2005/01/16 14:25:47 eirikn Exp $
-
-SCRIPTS=krb5-config
-MAN= krb5-config.1
-
-CLEANFILES= krb5-config
-
-krb5-config: krb5-config.in
- sed -e "s,@PACKAGE\@,DragonFly heimdal,g" \
- -e "s,@VERSION\@,0.6.1,g" \
- -e "s,@prefix\@,/usr,g" \
- -e "s,@exec_prefix\@,/usr,g" \
- -e "s,@libdir\@,${LIBDIR},g" \
- -e "s,@includedir\@,${INCLUDEDIR},g" \
- -e "s,@LIB_crypt\@,-lcrypt,g" \
- -e "s,@LIB_dbopen\@,,g" \
- -e "s,@LIB_des_appl\@,-lcrypto,g" \
- -e "s,@LIBS\@,-lcom_err,g" \
- -e "s,@INCLUDE_des@,,g" \
- ${.ALLSRC} > ${.TARGET}
-
-.include
-
-.PATH: ${KRB5DIR}/tools
diff --git a/kerberos5/usr.bin/ksu/Makefile b/kerberos5/usr.bin/ksu/Makefile
deleted file mode 100644
index cb5b1fef6d..0000000000
--- a/kerberos5/usr.bin/ksu/Makefile
+++ /dev/null
@@ -1,19 +0,0 @@
-# $FreeBSD: src/kerberos5/usr.bin/ksu/Makefile,v 1.15 2004/12/21 08:47:02 ru Exp $
-# $DragonFly: src/kerberos5/usr.bin/ksu/Makefile,v 1.1 2005/01/16 14:25:47 eirikn Exp $
-
-PROG= ksu
-.if defined(ENABLE_SUID_K5SU)
-BINMODE=4555
-PRECIOUSPROG=
-.endif
-NOMAN=
-SRCS= su.c
-CFLAGS+=-I${KRB5DIR}/lib/roken
-DPADD= ${LIBKAFS5} ${LIBKRB5} ${LIBROKEN} ${LIBVERS} \
- ${LIBASN1} ${LIBCRYPTO} ${LIBCRYPT} ${LIBCOM_ERR}
-LDADD= -lkafs5 -lkrb5 -lroken ${LIBVERS} \
- -lasn1 -lcrypto -lcrypt -lcom_err
-
-.include
-
-.PATH: ${KRB5DIR}/appl/su
diff --git a/kerberos5/usr.bin/verify_krb5_conf/Makefile b/kerberos5/usr.bin/verify_krb5_conf/Makefile
deleted file mode 100644
index 368aaa6c8a..0000000000
--- a/kerberos5/usr.bin/verify_krb5_conf/Makefile
+++ /dev/null
@@ -1,14 +0,0 @@
-# $FreeBSD: src/kerberos5/usr.bin/verify_krb5_conf/Makefile,v 1.3 2004/02/05 18:51:52 ru Exp $
-# $DragonFly: src/kerberos5/usr.bin/verify_krb5_conf/Makefile,v 1.1 2005/01/16 14:25:47 eirikn Exp $
-
-PROG= verify_krb5_conf
-MAN= verify_krb5_conf.8
-CFLAGS+=-I${KRB5DIR}/lib/asn1 -I${KRB5DIR}/lib/krb5 -I${KRB5DIR}/lib/roken
-DPADD= ${LIBKAFS5} ${LIBKRB5} ${LIBROKEN} ${LIBVERS} \
- ${LIBASN1} ${LIBCRYPTO} ${LIBCRYPT} ${LIBCOM_ERR}
-LDADD= -lkafs5 -lkrb5 -lroken ${LIBVERS} \
- -lasn1 -lcrypto -lcrypt -lcom_err
-
-.include
-
-.PATH: ${KRB5DIR}/lib/krb5
diff --git a/kerberos5/usr.sbin/Makefile b/kerberos5/usr.sbin/Makefile
deleted file mode 100644
index a7acb15437..0000000000
--- a/kerberos5/usr.sbin/Makefile
+++ /dev/null
@@ -1,6 +0,0 @@
-# $FreeBSD: src/kerberos5/usr.sbin/Makefile,v 1.3 2003/03/09 21:56:55 markm Exp $
-# $DragonFly: src/kerberos5/usr.sbin/Makefile,v 1.3 2005/01/16 14:25:47 eirikn Exp $
-
-SUBDIR= kstash ktutil
-
-.include
diff --git a/kerberos5/usr.sbin/Makefile.inc b/kerberos5/usr.sbin/Makefile.inc
deleted file mode 100644
index 41abf84396..0000000000
--- a/kerberos5/usr.sbin/Makefile.inc
+++ /dev/null
@@ -1,8 +0,0 @@
-# $FreeBSD: src/kerberos5/usr.sbin/Makefile.inc,v 1.1.1.1 2000/01/24 19:56:25 markm Exp $
-# $DragonFly: src/kerberos5/usr.sbin/Makefile.inc,v 1.3 2005/01/16 14:25:47 eirikn Exp $
-
-BINDIR= /usr/sbin
-
-CFLAGS+=-I${.OBJDIR}/../../lib/libroken/
-
-.include "../Makefile.inc"
diff --git a/kerberos5/usr.sbin/kstash/Makefile b/kerberos5/usr.sbin/kstash/Makefile
deleted file mode 100644
index 3a10254d0c..0000000000
--- a/kerberos5/usr.sbin/kstash/Makefile
+++ /dev/null
@@ -1,16 +0,0 @@
-# $FreeBSD: src/kerberos5/usr.sbin/kstash/Makefile,v 1.16 2004/02/05 18:51:52 ru Exp $
-# $DragonFly: src/kerberos5/usr.sbin/kstash/Makefile,v 1.1 2005/01/16 14:25:47 eirikn Exp $
-
-PROG= kstash
-MAN= kstash.8
-CFLAGS+=-I${KRB5DIR}/lib/asn1 -I${KRB5DIR}/lib/krb5 -I${KRB5DIR}/lib/roken \
- ${LDAPCFLAGS}
-DPADD= ${LIBHDB} ${LIBKRB5} ${LIBROKEN} ${LIBVERS} \
- ${LIBASN1} ${LIBCRYPTO} ${LIBCRYPT} ${LIBCOM_ERR} ${LDAPDPADD}
-LDADD= -lhdb -lkrb5 -lroken ${LIBVERS} \
- -lasn1 -lcrypto -lcrypt -lcom_err ${LDAPLDADD}
-LDFLAGS=${LDAPLDFLAGS}
-
-.include
-
-.PATH: ${KRB5DIR}/kdc
diff --git a/kerberos5/usr.sbin/ktutil/Makefile b/kerberos5/usr.sbin/ktutil/Makefile
deleted file mode 100644
index 21d0bf5306..0000000000
--- a/kerberos5/usr.sbin/ktutil/Makefile
+++ /dev/null
@@ -1,27 +0,0 @@
-# $FreeBSD: src/kerberos5/usr.sbin/ktutil/Makefile,v 1.17 2004/02/05 18:51:52 ru Exp $
-# $DragonFly: src/kerberos5/usr.sbin/ktutil/Makefile,v 1.5 2007/01/20 19:01:46 dillon Exp $
-
-PROG= ktutil
-MAN= ktutil.8
-
-SRCS= add.c \
- change.c \
- copy.c \
- get.c \
- ktutil.c \
- list.c \
- purge.c \
- remove.c \
- rename.c
-
-CFLAGS+=-I${KRB5DIR}/lib/roken -I${KRB5DIR}/lib/sl
-DPADD= ${LIBKADM5CLNT} ${LIBKRB5} ${LIBSL} ${LIBROKEN} ${LIBVERS} \
- ${LIBASN1} ${LIBCRYPTO} ${LIBCRYPT} ${LIBCOM_ERR} \
- ${LIBREADLINE} ${LIBNCURSES}
-LDADD= -lkadm5clnt -lkrb5 ${LIBSL} -lroken ${LIBVERS} \
- -lasn1 -lcrypto -lcrypt -lcom_err \
- -lncurses
-
-.include
-
-.PATH: ${KRB5DIR}/admin
diff --git a/lib/libtelnet/Makefile b/lib/libtelnet/Makefile
index 657357a3c4..3256a7da48 100644
--- a/lib/libtelnet/Makefile
+++ b/lib/libtelnet/Makefile
@@ -15,10 +15,4 @@ SRCS+= encrypt.c auth.c enc_des.c sra.c pk.c CFLAGS+= -DENCRYPTION -DAUTHENTICATION -DSRA .endif -.if defined(WANT_KERBEROS) -SRCS+= kerberos5.c -CFLAGS+= -DKRB5 -I${KRB5DIR}/lib/krb5 -I${KRB5OBJDIR} -I${ASN1OBJDIR} -CFLAGS+= -DFORWARD -Dnet_write=telnet_net_write -.endif - .include
diff --git a/lib/pam_module/Makefile b/lib/pam_module/Makefile
index cd13aee30a..b5196f9a3e 100644
--- a/lib/pam_module/Makefile
+++ b/lib/pam_module/Makefile
@@ -23,8 +23,4 @@ SUBDIR= pam_chroot \ pam_tacplus \ pam_unix -.if defined(WANT_KERBEROS) && !defined(NO_CRYPT) && !defined(NO_OPENSSL) -SUBDIR+=pam_krb5 pam_ksu -.endif - .include
diff --git a/libexec/telnetd/Makefile b/libexec/telnetd/Makefile
index a1b15d54f3..ad2d795b84 100644
--- a/libexec/telnetd/Makefile
+++ b/libexec/telnetd/Makefile
@@ -32,10 +32,4 @@ DPADD+= ${LIBCRYPTO} ${LIBCRYPT} ${LIBPAM} LDADD+= -lcrypto -lcrypt ${MINUSLPAM} .endif -.if defined(WANT_KERBEROS) -CFLAGS+= -DKRB5 -DFORWARD -Dnet_write=telnet_net_write -DPADD+= ${LIBKRB5} ${LIBASN1} ${LIBROKEN} ${LIBCOM_ERR} -LDADD+= -lkrb5 -lasn1 -lroken -lcom_err -.endif - .include
diff --git a/sbin/mount_nfs/Makefile b/sbin/mount_nfs/Makefile
index 3f05d8bf94..0b16f83233 100644
--- a/sbin/mount_nfs/Makefile
+++ b/sbin/mount_nfs/Makefile
@@ -12,10 +12,4 @@ UMNTALL= ${.CURDIR}/../../usr.sbin/rpc.umntall CFLAGS+= -DNFS -I${MOUNT} -I${UMNTALL} .PATH: ${MOUNT} ${UMNTALL} -.if exists(${DESTDIR}/usr/lib/libkrb.a) && defined(WANT_KERBEROS) -CFLAGS+=-DKERBEROS -DPADD= ${LIBKRB} ${LIBCRYPTO} -LDADD= -lkrb -lcrypto -.endif - .include
diff --git a/secure/lib/libssh/Makefile b/secure/lib/libssh/Makefile
index 7b8a13dca7..78bac5bc69 100644
--- a/secure/lib/libssh/Makefile
+++ b/secure/lib/libssh/Makefile
@@ -19,10 +19,6 @@ SRCS+= version.c MAN= moduli.5 -.if defined(WANT_KERBEROS) -CFLAGS+= -DKRB5 -DHEIMDAL -.endif - DPADD+= ${LIBZ} LDADD+= -lz
diff --git a/secure/usr.bin/ssh/Makefile b/secure/usr.bin/ssh/Makefile
index 63445df5b0..4744bbb0e0 100644
--- a/secure/usr.bin/ssh/Makefile
+++ b/secure/usr.bin/ssh/Makefile
@@ -11,12 +11,6 @@ SRCS= channels.c clientloop.c kex.c misc.c monitor_fdpass.c mux.c packet.c \ readconf.c ssh.c sshconnect.c sshconnect1.c sshconnect2.c sshtty.c \ uidswap.c -.if defined(WANT_KERBEROS) -CFLAGS+= -DKRB5 -DHEIMDAL -LDADD+= -lkrb5 -lasn1 -lcom_err -lmd -L${.OBJDIR}/../../../kerberos5/lib/libroken -lroken -lcrypt -DPADD+= ${LIBKRB5} ${LIBCOM_ERR} ${LIBASN1} ${LIBMD} ${LIBCRYPT} -.endif - .if defined(X11BASE) CFLAGS+= -DXAUTH_PATH=\"${X11BASE}/bin/xauth\" .endif
diff --git a/secure/usr.sbin/sshd/Makefile b/secure/usr.sbin/sshd/Makefile
index 3376691acb..ce9f82eee7 100644
--- a/secure/usr.sbin/sshd/Makefile
+++ b/secure/usr.sbin/sshd/Makefile
@@ -24,13 +24,6 @@ CFLAGS+=-DCUSTOM_SYS_AUTH_PASSWD CFLAGS+=-DUSE_PAM -DHAVE_SECURITY_PAM_APPL_H \ -DHAVE_PAM_GETENVLIST -DHAVE_PAM_PUTENV -.if defined(WANT_KERBEROS) -CFLAGS+= -DKRB5 -DHEIMDAL -SRCS+= auth-krb5.c -LDADD+= -lkrb5 -lasn1 -lcom_err -lmd -L${.OBJDIR}/../../../kerberos5/lib/libroken -lroken -DPADD+= ${LIBKRB5} ${LIBCOM_ERR} ${LIBASN1} ${LIBMD} -.endif - LDADD+= -lopie -lmd DPADD+= ${LIBOPIE} ${LIBMD}
diff --git a/share/man/man5/rc.conf.5 b/share/man/man5/rc.conf.5
index 44590376e2..6fb02f27f6 100644
--- a/share/man/man5/rc.conf.5
+++ b/share/man/man5/rc.conf.5
@@ -1145,50 +1145,6 @@ If left empty
 will not be run in a
 .Xr chroot 8
 environment.
-.It Va kerberos5_server_enable
-.Pq Vt bool
-Set to
-.Dq Li YES
-to start a Kerberos 5 authentication server at boot time.
-.It Va kerberos5_server_program
-.Pq Vt str
-If
-.Va kerberos5_server_enable
-is set to
-.Dq Li YES
-this is the path to Kerberos 5 Authentication Server.
-.It Va kadmind5_server_enable
-.Pq Vt bool
-Set to
-.Dq Li YES
-to start
-.Xr kadmind 8 ,
-the Kerberos 5 Administration Daemon; set to
-.Dq Li NO
-on a slave server.
-.It Va kadmind5_server_program
-.Pq Vt str
-If
-.Va kadmind5_server_enable
-is set to
-.Dq Li YES
-this is the path to Kerberos 5 Administration Daemon.
-.It Va kpasswdd_server_enable
-.Pq Vt bool
-Set to
-.Dq Li YES
-to start
-.Xr kpasswdd 8 ,
-the Kerberos 5 Password-Changing Daemon; set to
-.Dq Li NO
-on a slave server.
-.It Va kpasswdd_server_program
-.Pq Vt str
-If
-.Va kpasswdd_server_enable
-is set to
-.Dq Li YES
-this is the path to Kerberos 5 Password-Changing Daemon.
 .It Va rwhod_enable
 .Pq Vt bool
 If set to
diff --git a/share/man/man7/hier.7 b/share/man/man7/hier.7
index 37cfd00a03..a5389daf0f 100644
--- a/share/man/man7/hier.7
+++ b/share/man/man7/hier.7
@@ -536,7 +536,7 @@ see
 .Bx ,
 third-party, and/or local source files
 .Pp
-.Bl -tag -width ".Pa kerberos5/" -compact
+.Bl -tag -width ".Pa nrelease/" -compact
 .It Pa bin/
 source code for files in
 .Pa /bin
@@ -555,8 +555,6 @@ Utilities covered by the GNU General Public License
 .It Pa include/
 source code for files in
 .Pa /usr/include
-.It Pa kerberos5/
-source code for kerberos version 5
 .It Pa lib/
 source code for files in
 .Pa /usr/lib
@@ -642,9 +640,6 @@ empty directory used by
 for privilege separation
 .It Pa games/
 misc. game status and score files
-.It Pa heimdal/
-kerberos server databases; see
-.Xr kdc 8
 .It Pa log/
 misc. system log files
 .Pp
diff --git a/usr.bin/telnet/Makefile b/usr.bin/telnet/Makefile
index 82b213ddc7..bb49876dc1 100644
--- a/usr.bin/telnet/Makefile
+++ b/usr.bin/telnet/Makefile
@@ -30,10 +30,4 @@ DPADD+= ${LIBCRYPTO} ${LIBCRYPT} ${LIBPAM} LDADD+= -lcrypto -lcrypt ${MINUSLPAM} .endif -.if defined(WANT_KERBEROS) -CFLAGS+= -DKRB5 -DFORWARD -Dnet_write=telnet_net_write -DPADD+= ${LIBKRB5} ${LIBASN1} ${LIBCOM_ERR} ${LIBROKEN} -LDADD+= -lkrb5 -lasn1 -lcom_err -lroken -.endif - .include